NSX-T password reset

In NSX-T, the root and admin passwords are reset from the GRUB menu. The GRUB menu is disabled by default, and enabling it requires root access. Before resetting a password on an NSX-T Manager, check which NSX-T version is in use, because the procedure and the GRUB password differ between versions.

Step 1: Enable the GRUB menu while you still have the root password

Step 2: Reset the password once the GRUB menu is enabled

Step 3: Enable the GRUB menu when the root password has been forgotten

These steps are described in detail below.

Step 1: Enable the GRUB menu while you still have the root password.

The GRUB menu is enabled by logging in as root, so the root password is required. If you already have the root password you can reset the admin password directly and never need GRUB at all, which makes this look like a chicken-and-egg problem. The point of enabling the menu in advance is to leave yourself a recovery path for the day both passwords are lost.
Follow the VMware document for your NSX-T version to enable the GRUB menu:
https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.0/installation/GUID-4630C9D5-71FB-4991-AC1D-9FDBA0B86120.html
https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.1/installation/GUID-4630C9D5-71FB-4991-AC1D-9FDBA0B86120.html
https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.2/installation/GUID-4630C9D5-71FB-4991-AC1D-9FDBA0B86120.html

Check whether the GRUB menu is enabled by looking at /etc/default/grub. The menu is shown at boot when GRUB_TIMEOUT is set to a non-zero value; GRUB_TIMEOUT=0 boots straight through without showing it. If GRUB_HIDDEN_TIMEOUT is set instead, the menu is hidden but can still be reached by pressing a key during that timeout.
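
The check above, as an added example that is not part of the original post or of VMware's documentation: a small parser for the KEY=value lines of /etc/default/grub that reports whether the menu will be shown, hidden, or skipped. The two file contents embedded below are constructed samples; the GRUB_TIMEOUT_STYLE handling reflects GRUB 2.02+, where GRUB_TIMEOUT_STYLE=hidden hides the menu while still allowing a keystroke to reach it.

```python
"""Added example (not from the original post): decide from /etc/default/grub
whether the GRUB menu will be shown at boot. The sample file contents are
constructed; run it against a real file with parse_grub_defaults(open(path).read())."""
import re

# Constructed sample: menu disabled (timeout 0 boots straight through).
SAMPLE_DISABLED = """\
# If you change this file, run 'update-grub' afterwards.
GRUB_DEFAULT=0
GRUB_TIMEOUT=0
GRUB_CMDLINE_LINUX_DEFAULT=""
"""

# Constructed sample after enabling the menu.
SAMPLE_ENABLED = """\
GRUB_DEFAULT=0
GRUB_TIMEOUT="5"   # seconds the menu stays on screen
GRUB_CMDLINE_LINUX_DEFAULT=""
"""

_ASSIGN = re.compile(r'^\s*(?:export\s+)?([A-Z_][A-Z0-9_]*)=(.*)$')


def parse_grub_defaults(text):
    """Parse KEY=value lines of an /etc/default/grub style file.
    Comments and blank lines are skipped, surrounding quotes are stripped and
    later assignments override earlier ones, as the shell would do."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _ASSIGN.match(line)
        if not m:
            continue
        key, raw = m.group(1), m.group(2).strip()
        if raw and raw[0] in "\"'":
            quote = raw[0]
            end = raw.find(quote, 1)
            raw = raw[1:end] if end != -1 else raw[1:]
        else:
            raw = raw.split("#", 1)[0].strip()   # drop a trailing comment
        values[key] = raw
    return values


def _to_int(s):
    try:
        return int(s)
    except (TypeError, ValueError):
        return None


def grub_menu_state(text):
    """Return 'shown', 'hidden' or 'disabled'.

    shown    - GRUB_TIMEOUT is non-zero (-1 means wait forever): the menu appears at boot
    hidden   - GRUB_HIDDEN_TIMEOUT is set, or GRUB_TIMEOUT_STYLE=hidden: the menu is not
               drawn but a keystroke during the timeout brings it up
    disabled - GRUB_TIMEOUT is 0 or unset: the appliance boots straight through
    """
    v = parse_grub_defaults(text)
    if "GRUB_HIDDEN_TIMEOUT" in v:
        # Window is that many seconds; a value of 0 leaves only the keystroke check at boot.
        return "hidden"
    timeout = _to_int(v.get("GRUB_TIMEOUT"))
    if timeout is None or timeout == 0:
        return "disabled"
    if v.get("GRUB_TIMEOUT_STYLE", "menu") == "hidden":
        return "hidden"
    return "shown"


if __name__ == "__main__":
    for name, text in (("disabled", SAMPLE_DISABLED), ("enabled", SAMPLE_ENABLED)):
        print(name, "->", grub_menu_state(text))
```

A state of "disabled" on a manager you still have root on is the cue to enable the menu now, while you can.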

Step 2: Reset the password once the GRUB menu is enabled.

Once the GRUB menu is enabled you can reset the password by following the document below. Note that you must authenticate with the GRUB password before you can reset the root and admin passwords.

Each NSX-T version has its own GRUB password. Follow the link for your version to find the GRUB password and the reset steps. Because that GRUB password is published in VMware's documentation, anyone with console access to the appliance can perform this reset, so restrict console and vCenter access to the NSX-T Manager VMs accordingly.

https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.2/administration/GUID-8816B842-2EC4-40A8-A618-F68DB29FABD2.html

https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.1/administration/GUID-8816B842-2EC4-40A8-A618-F68DB29FABD2.html

https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.0/administration/GUID-8816B842-2EC4-40A8-A618-F68DB29FABD2.html

Step 3: Enable the GRUB menu when the root password has been forgotten.

If you have forgotten both the root and admin passwords, the only remaining option is to enable the GRUB menu. Follow the steps below to enable it.

Note: this is not an officially recommended procedure; the steps below are taken from https://thefluffyadmin.net/?p=1455

Continue reading “NSX-T password reset”

TCPdump commands and parameters

Today we will cover the tcpdump tool. tcpdump is a packet analyzer like Wireshark, but it runs from the command line. It captures packets at a low level so you can see what is actually going on inside each packet.
tcpdump runs on Linux/Unix-based operating systems.

Syntax for tcpdump
tcpdump <parameters>

e.g. tcpdump -i eth0

Basic parameters of tcpdump
-i : Specify the network interface to listen on
-c : Number of packets to capture before exiting
-w : Write the captured packets to a file for later analysis
-r : Read packets from a file instead of capturing from a network interface
-n : Do not resolve hostnames; display IP addresses only
-X : Display both hexadecimal and ASCII representations of the packet data
-v : Increase the verbosity level (-vv and -vvv for more)
-e : Print the link-level header on each dump line
-q : Quiet output; print less protocol information

Operators in tcpdump:
– and, &&  : both conditions must match
– or, ||   : either condition may match
– not, !   : negates the condition
– <, >     : less than, greater than (comparisons, for example on packet length)

Let's take some examples.
First, capture packets on eth0 in the default mode (the screenshot showed four packets), without any other parameter:
1. tcpdump -i eth0

In the default output there are no link-layer header details. Add the -e parameter to display the link-layer header.

Now the header details are shown: MAC addresses and EtherType. Next add -n, which prints IP addresses instead of resolving them to hostnames.

Now the source and destination appear as IP addresses instead of hostnames. To get more detail about the headers, add the -v parameter.

If you want still more detail about the headers, keep adding v's: -vv, -vvv.

Now I want to write these packets to a file so that I can read them later or open them in Wireshark. Use the -w parameter to write the capture; I will save it as test.pcap.

Read test.pcap back with the -r parameter.

By default, reading a file prints the same one-line summaries; combine -r with -v and the other parameters to see the details.

A few examples of different combinations

1. Capture using a MAC address filter (ether host).

2. Capture all packets with IP address 192.168.110.70 (host).

3. Capture packets between 192.168.110.70 and a second IP address; either one can be the source or the destination (host A and host B).

4. Capture packets by source IP address (src host).

5. Capture packets by destination IP address (dst host).

6. Capture packets by both source and destination IP address (src host A and dst host B).

7. Capture packets by port (port).

8. Capture packets on an IP address and port (host A and port N).

9. Capture using the or operator, or a combination of or and and.

10. Capture by protocol (tcp, udp, icmp, arp).

11. Use the not operator to exclude traffic.

12. Capture a range of ports (portrange).

13. Capture packets of specific networks (net).
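
As an added example, not from the original post: the file that -w writes is a pcap file, and the reader below parses its global header and packet records with the standard library, decodes the link-layer fields -e shows (MACs, EtherType) and the IPv4/TCP/UDP fields the filters operate on, and then applies Python predicates mirroring the tcpdump primitives named in the list above (host, src host, dst host, port, portrange, net, ether host, and/or/not). The three-frame capture is constructed in-line so the script runs offline; only Ethernet/IPv4 with TCP or UDP is decoded, and checksums in the constructed frames are left at zero.

```python
"""Added example (not from the original post): minimal reader for pcap files
as written by `tcpdump -w`, plus filters mirroring tcpdump's expressions.
The sample capture below is constructed."""
import ipaddress
import struct

PCAP_MAGIC = 0xA1B2C3D4        # little-endian pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
PROTO = {"icmp": 1, "tcp": 6, "udp": 17}


def _mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def build_frame(src_mac, dst_mac, src_ip, dst_ip, proto, sport, dport):
    """Ethernet/IPv4 frame with a bare TCP or UDP header and no payload."""
    eth = _mac_bytes(dst_mac) + _mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    if proto == PROTO["tcp"]:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed)
    return eth + ip + l4


def build_pcap(frames):
    """Serialize (timestamp, frame) pairs into a pcap file image (24-byte global
    header, then a 16-byte record header before each frame)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts, frame in frames:
        out.append(struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def parse_frame(ts, frame):
    """Decode what -e prints (MACs, EtherType) and the fields filters use."""
    dst, src = frame[0:6], frame[6:12]
    etype = struct.unpack_from("!H", frame, 12)[0]
    pkt = {"ts": ts, "src_mac": src.hex(":"), "dst_mac": dst.hex(":"), "ethertype": etype}
    if etype == ETHERTYPE_IPV4 and len(frame) >= 34:
        ihl = (frame[14] & 0x0F) * 4            # IPv4 header length in bytes
        pkt["proto"] = frame[14 + 9]
        pkt["src"] = str(ipaddress.ip_address(frame[26:30]))
        pkt["dst"] = str(ipaddress.ip_address(frame[30:34]))
        l4 = 14 + ihl
        if pkt["proto"] in (PROTO["tcp"], PROTO["udp"]) and len(frame) >= l4 + 4:
            pkt["sport"], pkt["dport"] = struct.unpack_from("!HH", frame, l4)
    return pkt


def read_pcap(data):
    """Walk the global header and packet records; refuse other link types."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file")
    linktype, = struct.unpack_from("<I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are decoded here")
    pkts, off = [], 24
    while off + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        pkts.append(parse_frame(ts_sec, data[off:off + incl_len]))
        off += incl_len
    return pkts


# Filters: each returns a predicate over a decoded packet, like a tcpdump primitive.
def host(ip):       return lambda p: ip in (p.get("src"), p.get("dst"))
def src_host(ip):   return lambda p: p.get("src") == ip
def dst_host(ip):   return lambda p: p.get("dst") == ip
def port(n):        return lambda p: n in (p.get("sport"), p.get("dport"))
def portrange(lo, hi):
    return lambda p: any(x is not None and lo <= x <= hi for x in (p.get("sport"), p.get("dport")))
def net(cidr):
    n = ipaddress.ip_network(cidr)
    return lambda p: any(a and ipaddress.ip_address(a) in n for a in (p.get("src"), p.get("dst")))
def ether_host(mac): return lambda p: mac in (p["src_mac"], p["dst_mac"])
def proto_is(name):  return lambda p: p.get("proto") == PROTO[name]
def and_(*fs):       return lambda p: all(f(p) for f in fs)
def or_(*fs):        return lambda p: any(f(p) for f in fs)
def not_(f):         return lambda p: not f(p)


def select(pkts, pred):
    return [p for p in pkts if pred(p)]


# Constructed capture: three frames on one segment.
SAMPLE_PCAP = build_pcap([
    (1700000000, build_frame("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02",
                             "192.168.110.70", "192.168.110.1", PROTO["tcp"], 51000, 22)),
    (1700000001, build_frame("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:03",
                             "192.168.110.70", "10.0.0.53", PROTO["udp"], 53000, 53)),
    (1700000002, build_frame("aa:bb:cc:00:00:04", "aa:bb:cc:00:00:02",
                             "10.0.0.9", "192.168.110.80", PROTO["tcp"], 40000, 443)),
])

if __name__ == "__main__":
    pkts = read_pcap(SAMPLE_PCAP)
    # Same selection as: tcpdump -r test.pcap 'host 192.168.110.70 and port 22'
    for p in select(pkts, and_(host("192.168.110.70"), port(22))):
        print(p)
```

For a real file, replace SAMPLE_PCAP with the bytes of test.pcap; captures written by newer tcpdump builds may use the pcapng format instead, which this reader rejects by its magic number.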

ESXi command list

1. NIC, driver, stats, vmk, port number related commands

2. Switch related commands

3. NIC, vmk, up/down, LACP related commands

4. Module related commands

5. NSX firewall related commands

6. ESXi routing related commands

7. VDR, vDL2 related commands

1. NIC, driver, stats, vmk, port number related commands

esxcli network nic list

Lists the physical vmnics on the host, showing each physical adapter with its admin status and link status.

esxcli network nic get -n vmnic<N>

Shows more detail about one physical vmnic: firmware version, driver, negotiation details, and so on.

esxcli network nic stats get -n vmnic<N>

If a customer reports intermittent packet drops at the host level, or any issue tied to a specific host or vmnic, run this command and look at the receive/transmit drop counters. Run it twice a few seconds apart to see whether the counters are still incrementing.

net-stats -l

Lists the port number (portNum) of every VM and vmknic on the host. The portNum is used to take a packet capture on a VM's port or to get that port's statistics; pipe the output through grep to find the portNum of a specific VM.

esxcli network port stats get -p <port_number of particular VM>

Use the VM's portNum to check the statistics of that VM port.

NSX-T Upgrade step by Step

NSX-T upgrade from 3.2.1 to 3.2.2

Today we will perform an NSX-T upgrade and walk through its operations.

  1. Overview
  2. Upgrade coordinator
  3. Precheck
  4. Upgrade edge
  5. Upgrade host
  6. Upgrade management/controller
  7. Post check
  8. Rollback
  9. Log review in case of any issue.
  10. Summary

1. Overview

The NSX-T upgrade process depends on the number of components in your infrastructure. Before starting the upgrade, check the upgrade path and the interoperability matrix for your target NSX-T version, and confirm that every component in your infrastructure is compatible with the new version.

https://interopmatrix.vmware.com/Interoperability

The upgrade path shows whether an upgrade from your current version to the target version is supported. In our case the target version is 3.2.1.1.

https://interopmatrix.vmware.com/Upgrade

Check the known issues and resolved issues for the target version in the VMware release notes.

Continue reading “NSX-T Upgrade step by Step”

HTTP Archive(HAR) File

HAR stands for HTTP Archive. It is a file format that records the network/API traffic between a browser and the web/application server.

It is also used to identify performance issues such as slow load times and page rendering problems.

A HAR file stores its information as JSON, so to visualise it you need a tool that can render the JSON inside the HAR; such tools are called HAR viewers. Keep in mind that a HAR file captures the complete requests and responses, including cookies, Authorization headers and POST bodies, so treat it as sensitive and sanitise it before handing it to a vendor or attaching it to a ticket.

Steps to work with a HAR file:

1. Capture the HAR in the browser's developer tools

2. Save the HAR file

3. Analyze the HAR file
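
Step 3 as an added example, not from the original post: a HAR is plain JSON, so the standard library is enough to load it, rank the slow requests by their timing phases, and redact the secrets it carries before it leaves your hands. The two-entry HAR embedded below is constructed (the nsx.example.test host and its paths are made up), and the header and query-parameter names treated as sensitive are an assumed starting list that you should extend for your application.

```python
"""Added example (not from the original post): parse a HAR 1.2 file, find
slow requests, and redact cookies/Authorization headers/tokens before sharing.
The HAR document below is constructed."""
import json

# Constructed HAR 1.2 document with two entries.
SAMPLE_HAR = json.dumps({"log": {"version": "1.2", "creator": {"name": "example", "version": "0"},
    "entries": [
        {"startedDateTime": "2024-01-01T10:00:00.000Z", "time": 1240.5,
         "request": {"method": "GET", "url": "https://nsx.example.test/api/v1/cluster/status",
                     "headers": [{"name": "Authorization", "value": "Basic YWRtaW46c2VjcmV0"},
                                 {"name": "Cookie", "value": "JSESSIONID=abc123"}],
                     "queryString": [], "cookies": [{"name": "JSESSIONID", "value": "abc123"}]},
         "response": {"status": 200, "statusText": "OK", "headers": [],
                      "content": {"size": 512, "mimeType": "application/json"}},
         "timings": {"blocked": 0, "dns": 5, "connect": 30, "send": 1, "wait": 1200, "receive": 4.5}},
        {"startedDateTime": "2024-01-01T10:00:02.000Z", "time": 80,
         "request": {"method": "GET", "url": "https://nsx.example.test/static/app.js?token=eyJhbGciOi",
                     "headers": [{"name": "Accept", "value": "*/*"}],
                     "queryString": [{"name": "token", "value": "eyJhbGciOi"}], "cookies": []},
         "response": {"status": 304, "statusText": "Not Modified",
                      "headers": [{"name": "Set-Cookie", "value": "x=y"}],
                      "content": {"size": 0, "mimeType": ""}},
         "timings": {"blocked": 0, "dns": 0, "connect": 0, "send": 1, "wait": 70, "receive": 9}},
    ]}})

# Assumed starting lists; extend for the application you are debugging.
SENSITIVE_HEADERS = {"authorization", "cookie", "set-cookie", "proxy-authorization", "x-xsrf-token"}
SENSITIVE_PARAMS = {"token", "access_token", "password", "session"}
REDACTED = "[REDACTED]"


def load_har(text):
    doc = json.loads(text)
    if "log" not in doc or "entries" not in doc["log"]:
        raise ValueError("not a HAR document")
    return doc


def slow_entries(doc, threshold_ms=500.0):
    """Entries slower than threshold, slowest first, with the dominant timing
    phase (HAR timings are milliseconds; -1 marks a phase that did not apply)."""
    out = []
    for e in doc["log"]["entries"]:
        if e["time"] > threshold_ms:
            phases = {k: v for k, v in e.get("timings", {}).items() if v is not None and v >= 0}
            worst = max(phases, key=phases.get) if phases else None
            out.append((e["request"]["url"], e["time"], e["response"]["status"], worst))
    return sorted(out, key=lambda t: t[1], reverse=True)


def redact(doc):
    """Deep copy with sensitive header, cookie, query and POST-body values masked."""
    doc = json.loads(json.dumps(doc))
    for e in doc["log"]["entries"]:
        for part in (e["request"], e["response"]):
            for h in part.get("headers", []):
                if h["name"].lower() in SENSITIVE_HEADERS:
                    h["value"] = REDACTED
            for c in part.get("cookies", []):
                c["value"] = REDACTED
        req = e["request"]
        for q in req.get("queryString", []):
            if q["name"].lower() in SENSITIVE_PARAMS:
                # The same value also sits in the URL string; mask it there too.
                req["url"] = req["url"].replace(f"{q['name']}={q['value']}", f"{q['name']}={REDACTED}")
                q["value"] = REDACTED
        if "postData" in req:
            req["postData"]["text"] = REDACTED
    return doc


def leaked_secrets(doc):
    """Number of places the HAR still holds a secret; 0 means it is safe to share."""
    n = 0
    for e in doc["log"]["entries"]:
        for part in (e["request"], e["response"]):
            n += sum(1 for h in part.get("headers", [])
                     if h["name"].lower() in SENSITIVE_HEADERS and h["value"] != REDACTED)
            n += sum(1 for c in part.get("cookies", []) if c["value"] != REDACTED)
        n += sum(1 for q in e["request"].get("queryString", [])
                 if q["name"].lower() in SENSITIVE_PARAMS and q["value"] != REDACTED)
    return n


if __name__ == "__main__":
    har = load_har(SAMPLE_HAR)
    print(slow_entries(har))
    print("secrets before:", leaked_secrets(har), "after:", leaked_secrets(redact(har)))
```

The "wait" phase dominating the slow entry points at server-side processing time rather than DNS, TCP connect or transfer, which is the first split you want when deciding whether to look at the browser, the network or the application.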

Continue reading “HTTP Archive(HAR) File”

NSX-T Architecture

[Diagram: high-level NSX-T architecture]

The diagram above is a high-level NSX-T architecture, which I will explain today.

The NSX Manager cluster communicates with the transport nodes through the APH server (Application Proxy Hub).

Every transport node connects to the NSX-T components through the NSX-Proxy service running on the node.

Transport nodes connect to the NSX Manager on port 1234 and to the CCP (Central Control Plane) on port 1235.

NSX-T uses its own NSX-RPC protocol as the messaging channel between the manager and the transport nodes.

Before NSX-T 2.5 (and in NSX-V), RabbitMQ was the message queue used for communication between the manager and the ESXi nodes.

Continue reading “NSX-T Architecture”

All about MTU and Fragmentation.

Topology

In this post we will cover MTU and fragmentation. Every interface or port has a limit on the size of the frame it can send across the link; that limit is the Maximum Transmission Unit (MTU).

When we say MTU we usually mean the layer-2 frame payload, but the data being carried is formed at layer 3, so there is an interface MTU at layer 2 and an IP MTU at layer 3.

By default the IP MTU is the same as the interface MTU unless it is set explicitly. The MTU of a port varies by platform and vendor; by default most devices support an MTU of 1500 bytes.
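
As an added example that is not part of the original post, the IPv4 fragmentation arithmetic a router performs when a datagram exceeds the egress IP MTU: how the payload is split on 8-byte boundaries, what the offsets and More-Fragments flags become, what happens when DF is set, and why losing one fragment leaves the receiver with nothing. The sizes used are constructed; the 20-byte header assumes no IP options.

```python
"""Added example (not from the original post): IPv4 fragmentation for a given
IP MTU, plus a completeness check for a received set of fragments."""

IPV4_HEADER = 20   # bytes, assuming no IP options


def fragment(payload_len, ip_mtu, df=False, header_len=IPV4_HEADER):
    """Split a datagram carrying payload_len bytes for a link with the given IP MTU.
    Returns a list of (offset_units, more_fragments, fragment_total_length).
    Offsets are in 8-byte units as carried in the IP header, so every fragment
    except the last holds a multiple of 8 payload bytes."""
    if header_len + payload_len <= ip_mtu:
        return [(0, False, header_len + payload_len)]      # fits, no fragmentation
    if df:
        # A router must drop the packet and send ICMP type 3 code 4 ("fragmentation
        # needed and DF set") quoting ip_mtu; path MTU discovery depends on that message,
        # so a firewall that drops it silently turns a large transfer into a black hole.
        raise ValueError(f"DF set and datagram of {header_len + payload_len} bytes exceeds MTU {ip_mtu}")
    per_fragment = (ip_mtu - header_len) // 8 * 8
    if per_fragment <= 0:
        raise ValueError("MTU too small to carry any payload")
    frags, sent = [], 0
    while sent < payload_len:
        chunk = min(per_fragment, payload_len - sent)
        more = sent + chunk < payload_len
        frags.append((sent // 8, more, header_len + chunk))
        sent += chunk
    return frags


def fragments_complete(frags, header_len=IPV4_HEADER):
    """True if the fragments reassemble: contiguous offsets from 0 and a final
    fragment with MF clear. One fragment dropped by a firewall or a smaller link
    leaves the receiver waiting until its reassembly timer expires."""
    expected, last_more = 0, True
    for offset, more, total in sorted(frags):
        if offset != expected:
            return False
        expected = offset + (total - header_len) // 8
        last_more = more
    return not last_more


if __name__ == "__main__":
    # A 3000-byte datagram (20 header + 2980 payload) leaving a 1500-byte interface.
    for f in fragment(2980, 1500):
        print("offset", f[0] * 8, "MF", f[1], "length", f[2])
```

The second MTU in the test (1400) stands for an interface whose IP MTU has been lowered to make room for tunnel overhead; the same datagram then needs the same three fragments but with different offsets.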

Continue reading “All about MTU and Fragmentation.”

GARP (Gratuitous Address Resolution Protocol)

Gratuitous ARP is an ARP request or reply that a host sends without being asked for it. Typically, when an IP address is assigned to an interface or a host boots, one of the first packets it sends is a GARP.

In a GARP packet the sender and target IP addresses are the same. The source MAC address is the host's own; the destination MAC is the broadcast address ff:ff:ff:ff:ff:ff.

GARP: important questions

1) Is the first GARP packet a request or a reply?

2) Is a GARP reply unicast or broadcast?

3) Which ARP opcode does GARP use?

4) Why is GARP used?

5) What message types of GARP packet are there?

Mnemonic for the nine fields of an ARP packet: HaPur HaPur SSOTT (Hardware type, Protocol type, Hardware address length, Protocol address length, Opcode, Sender MAC, Sender IP, Target MAC, Target IP).

In practice the reply form (opcode 2) is the one you will most often see in captures, although the request form is equally valid and is what RFC 5227 specifies.

https://tools.ietf.org/html/rfc5227#page-15

ARP has two opcodes, 1 (request) and 2 (reply). RFC 5227 defines both the ARP Probe used for DAD (duplicate address detection) and the ARP Announcement as requests (opcode 1); the gratuitous ARP reply that many operating systems and failover protocols send uses opcode 2.

RFC 5227 defines two gratuitous messages: the ARP Probe, used for DAD (sender IP 0.0.0.0, target IP set to the address being tested), and the ARP Announcement, used to tell the segment that the host now owns a particular IP address (sender IP and target IP both set to that address).

Consider an example where a switch has PC1, PC2 and a DHCP server connected.

PC1 is statically assigned 192.168.174.111/24; PC2 is set to DHCP.

The DHCP server has only one address left in its pool, 192.168.174.111, and that address is already configured statically on PC1.

Will the DHCP server assign this address to PC2 or not?

Answer: no. Before offering an address the DHCP server checks whether it is already in use on the segment (RFC 2131 suggests an ICMP echo for this, and a DHCP client also ARP-probes the offered address before using it and declines it if the probe is answered). Since 192.168.174.111 is already held by PC1, the check finds an owner and the server will not assign it to PC2.

Now consider the case where 192.168.174.111 is not assigned to any host on the segment. The server's check finds no owner, so it assigns 192.168.174.111 to PC2. PC2 then sends its own ARP Probe for the address; getting no answer, it sends an ARP Announcement to tell the other hosts that PC2 now owns 192.168.174.111. The announcement expects no reply: its job is to update the ARP caches of the other hosts on the segment and to let any host that still holds the same address detect the conflict.
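
The messages above, as an added example that is not part of the original post: a builder and classifier for ARP frames (probe, announcement, gratuitous reply, and ordinary request/reply, following RFC 5227 for the first two), and a simulation of the duplicate-address check on a constructed segment with the addresses from the PC1/PC2 scenario. The segment is modelled as an {ip: mac} table standing in for the hosts that would answer a probe; MAC addresses are made up.

```python
"""Added example (not from the original post): build and classify ARP frames,
and simulate RFC 5227 duplicate address detection on a constructed segment."""
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"
ETHERTYPE_ARP = 0x0806
OP_REQUEST, OP_REPLY = 1, 2


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def _ip(s):
    return bytes(int(x) for x in s.split("."))


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, dst_mac=BROADCAST):
    """Ethernet frame carrying the nine ARP fields: hardware type, protocol type,
    hardware length, protocol length, opcode, sender MAC, sender IP, target MAC, target IP."""
    eth = _mac(dst_mac) + _mac(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      _mac(sender_mac), _ip(sender_ip), _mac(target_mac), _ip(target_ip))
    return eth + arp


def parse_arp(frame):
    _htype, _ptype, _hlen, _plen, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {"op": op, "sha": sha.hex(":"), "spa": ".".join(map(str, spa)),
            "tha": tha.hex(":"), "tpa": ".".join(map(str, tpa)), "dst_mac": frame[0:6].hex(":")}


def classify(frame):
    """Name the ARP message, following RFC 5227 section 2 for probe and announcement."""
    a = parse_arp(frame)
    if a["op"] == OP_REQUEST and a["spa"] == "0.0.0.0":
        return "probe"              # DAD: "is anyone using tpa?", sender IP left empty
    if a["spa"] == a["tpa"]:
        # Sender and target IP equal: gratuitous. RFC 5227 announcements are requests;
        # many stacks send the reply form instead. Both are broadcast.
        return "announcement" if a["op"] == OP_REQUEST else "gratuitous-reply"
    return "request" if a["op"] == OP_REQUEST else "reply"


def probe_address(candidate, segment, my_mac):
    """Simulate DAD for candidate on a segment given as {ip: mac}.
    Returns (frames sent, claimed). A probe answered by another host is a
    conflict: the address is not claimed and no announcement is sent."""
    sent = [build_arp(OP_REQUEST, my_mac, "0.0.0.0", ZERO_MAC, candidate)]
    owner = segment.get(candidate)
    if owner is not None and owner != my_mac:
        return sent, False
    segment[candidate] = my_mac
    # Announcement: sender IP == target IP, broadcast, so every host updates its cache.
    sent.append(build_arp(OP_REQUEST, my_mac, candidate, ZERO_MAC, candidate))
    return sent, True


if __name__ == "__main__":
    segment = {"192.168.174.111": "aa:aa:aa:aa:aa:01"}      # PC1, statically configured
    frames, claimed = probe_address("192.168.174.111", segment, "aa:aa:aa:aa:aa:02")
    print("PC2 claimed the address:", claimed, [classify(f) for f in frames])
```

A host that skips the probe and sends only the announcement is exactly how an attacker poisons ARP caches with a gratuitous reply for an address it does not own, which is why switches with dynamic ARP inspection validate these frames against the DHCP snooping table.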

BGP Route-Reflector Design

A route learned from one iBGP peer is not advertised to another iBGP peer. This is the iBGP split-horizon rule, and it exists to prevent routing loops inside the AS, where the AS_PATH cannot be relied on to detect them.

To work around this, there are three options that allow a route learned from one iBGP peer to be advertised to another:

  1. BGP full mesh
  2. BGP confederation
  3. BGP route-reflector

In this article we will discuss the third option, the BGP route reflector.

BGP route reflector rules.

Whenever an RR reflects a route it learned from a client, it adds two attributes to the route:

  1. CLUSTER_LIST – a list of 32-bit cluster IDs; the RR prepends its own cluster ID, which can be set explicitly and defaults to its BGP router ID
  2. 
  ORIGINATOR_ID – the router ID of the iBGP speaker that originated the route into the AS (the client that sent the route, if the attribute is not already set)

Continue reading “BGP Route-Reflector Design”
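
As an added example that is not part of the original post, a small model of iBGP route reflection: plain iBGP speakers obey split horizon, a speaker with clients reflects according to the RFC 4456 rules (client routes go to all other peers, non-client routes go to clients only), stamps ORIGINATOR_ID and CLUSTER_LIST on what it reflects, and uses those two attributes to drop looped routes. Router IDs, cluster IDs and the prefix are constructed; the only best-path tie-break modelled is the shorter CLUSTER_LIST, which is enough to show the attributes at work.

```python
"""Added example (not from the original post): iBGP route reflection with
ORIGINATOR_ID / CLUSTER_LIST loop prevention. Topology values are constructed."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str
    originator_id: Optional[str] = None          # router-id of the speaker that originated it
    cluster_list: Tuple[str, ...] = ()           # cluster IDs it has been reflected through, newest first


class Speaker:
    """An iBGP speaker; with clients configured it behaves as a route reflector."""

    def __init__(self, router_id, cluster_id=None):
        self.router_id = router_id
        self.cluster_id = cluster_id or router_id   # CLUSTER_ID defaults to the router-id
        self.clients, self.non_clients = [], []
        self.rib = {}
        self.dropped = []

    def peer(self, other, client=False):
        (self.clients if client else self.non_clients).append(other)
        other.non_clients.append(self)             # the other side sees us as an ordinary iBGP peer

    def originate(self, prefix, next_hop):
        route = Route(prefix, next_hop)
        self.rib[prefix] = route
        for p in self.clients + self.non_clients:
            p.receive(route, self)

    def receive(self, route, from_peer):
        # Loop checks from RFC 4456 section 8.
        if route.originator_id == self.router_id:
            self.dropped.append((route.prefix, "originator-id is mine"))
            return
        if self.cluster_id in route.cluster_list:
            self.dropped.append((route.prefix, "cluster-id in cluster-list"))
            return
        current = self.rib.get(route.prefix)
        if current is not None and len(current.cluster_list) <= len(route.cluster_list):
            return                                  # existing path is as good or better
        self.rib[route.prefix] = route
        if not self.clients:
            return                                  # not an RR: split horizon, stop here
        reflected = Route(route.prefix, route.next_hop,
                          originator_id=route.originator_id or from_peer.router_id,
                          cluster_list=(self.cluster_id,) + route.cluster_list)
        # From a client: to all other clients and to non-clients. From a non-client: to clients only.
        targets = self.clients + self.non_clients if from_peer in self.clients else self.clients
        for p in targets:
            if p is not from_peer:
                p.receive(reflected, self)


def build_topology():
    """RR1 and RR2 share cluster 1.1.1.1; RR3 is a separate cluster; client A
    is a client of both RR1 and RR3; client C hangs only off RR2."""
    a, b, c, d = (Speaker(rid) for rid in ("10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"))
    rr1 = Speaker("1.1.1.1")
    rr2 = Speaker("1.1.1.2", cluster_id="1.1.1.1")
    rr3 = Speaker("3.3.3.3")
    rr1.peer(a, client=True); rr1.peer(b, client=True)
    rr2.peer(c, client=True)
    rr3.peer(d, client=True); rr3.peer(a, client=True)
    rr1.peer(rr2); rr1.peer(rr3)                    # RR-to-RR sessions are ordinary iBGP
    a.originate("172.16.0.0/24", "10.0.0.1")
    return {"a": a, "b": b, "c": c, "d": d, "rr1": rr1, "rr2": rr2, "rr3": rr3}


if __name__ == "__main__":
    for name, s in build_topology().items():
        r = s.rib.get("172.16.0.0/24")
        print(name, "rib:", r and (r.originator_id, r.cluster_list), "dropped:", s.dropped)
```

Two things the run shows: A receives its own route back from RR3 and discards it on ORIGINATOR_ID, and RR2 discards RR1's reflection because its own cluster ID is already in the CLUSTER_LIST. That second drop also leaves client C without the route, which is the practical rule behind shared cluster IDs: every client must peer with every RR in the cluster, or it will be cut off when the other RR's reflection is ignored.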

Different Static Route Options

The IP assignment on each interface is shown in the topology above.

We will demonstrate the following case studies.

Case Study 1: Static routes using an exit interface

Case Study 2: Static routes using an IP address as the next hop

Case Study 3: Static routes using both an exit interface and a next-hop IP address

Let's first understand how communication takes place on Ethernet or multi-access networks.

  1. Whenever a router wants to reach a particular destination, it needs two pieces of information: the destination IP address and the layer-2 address to put on the frame for that destination (the next hop's, or the destination's own on a directly connected segment).
  2. The router first checks whether the outgoing interface is point-to-point or Ethernet/multi-access. If it is Ethernet, it must resolve a layer-2 address.
  3. To get that layer-2 address the router generates an ARP request for the next hop (or for the destination itself). To know on which interface to send the ARP, the router performs a recursive routing lookup to find the outgoing interface for that next hop.
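
The recursive lookup in step 3, as an added example that is not part of the original post: a routing table with longest-prefix match and a resolve() that follows next hops until it reaches a route with an exit interface, returning that interface and the address the router must ARP for. The table and addresses are constructed to cover the three case studies plus two failure modes (a next hop with no route, and a static route whose next hop resolves through itself).

```python
"""Added example (not from the original post): recursive next-hop resolution
for static routes. Routing table and addresses are constructed."""
import ipaddress
from typing import NamedTuple, Optional


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    next_hop: Optional[str]        # None for "exit interface only"
    interface: Optional[str]       # None for "next-hop IP only"


class RoutingTable:
    def __init__(self):
        self.routes = []

    def add(self, prefix, next_hop=None, interface=None):
        if next_hop is None and interface is None:
            raise ValueError("a static route needs a next hop, an exit interface, or both")
        self.routes.append(Route(ipaddress.ip_network(prefix), next_hop, interface))

    def lookup(self, dst):
        """Longest-prefix match, or None when nothing covers dst."""
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in r.network]
        return max(matches, key=lambda r: r.network.prefixlen, default=None)

    def resolve(self, dst, max_depth=8):
        """Return (exit_interface, arp_target) for dst, or None if unresolvable."""
        route = self.lookup(dst)
        if route is None or max_depth == 0:          # no route, or a recursion loop
            return None
        if route.interface and route.next_hop:
            return route.interface, route.next_hop   # case 3: fully specified, no recursion
        if route.interface:
            # case 1: exit interface only. On a multi-access link the router ARPs for the
            # destination address itself, so the far side must proxy-ARP and the router
            # ends up with one ARP entry per remote host.
            return route.interface, dst
        # case 2: next-hop IP only. Look the next hop up to learn where it lives; the ARP
        # target becomes the first address on the chain that sits on a connected segment.
        return self.resolve(route.next_hop, max_depth - 1)


def build_table():
    t = RoutingTable()
    t.add("10.0.12.0/24", interface="e0/0")                        # connected
    t.add("10.0.13.0/24", interface="e0/1")                        # connected
    t.add("172.16.0.0/24", interface="e0/0")                       # case 1
    t.add("172.16.1.0/24", next_hop="10.0.12.2")                   # case 2
    t.add("172.16.2.0/24", next_hop="10.0.13.3", interface="e0/1") # case 3
    t.add("192.168.0.0/16", next_hop="172.16.1.1")                 # two-level recursion
    t.add("10.99.0.0/16", next_hop="10.200.0.1")                   # next hop has no route
    t.add("10.50.0.0/16", next_hop="10.50.0.1")                    # next hop inside its own prefix
    return t


if __name__ == "__main__":
    table = build_table()
    for dst in ("172.16.0.5", "172.16.1.5", "172.16.2.5", "192.168.5.5", "10.99.1.1", "10.50.1.1"):
        print(dst, "->", table.resolve(dst))
```

Had the table carried a default route, the "10.200.0.1" next hop would have resolved through it and the route would silently have followed the default; that is the usual surprise with recursive statics on real routers, and the reason to prefer case 3 when the next hop is on a multi-access segment.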

Continue reading “Different Static Route Options”

OSI MODEL

OSI stands for Open Systems Interconnection model. It is a reference (conceptual) model: you cannot see or touch it, but it exists conceptually, much like electrons and protons.

The OSI model was developed by ISO (the International Organization for Standardization), a non-profit body that defines many standards. It is like the other standards you may have come across, such as the ISI mark, IEEE or the CE mark; these bodies set standards in different areas, such as food, electronics and networks, for the benefit of society.

OSI model have seven layer describe as below.

1)Physical layer

2)Data link layer

3)Network layer

4)Transport layer

5)Session layer

6)Presentation layer

7)Application layer

Continue reading “OSI MODEL”

Site to Site IPsec VPN

Topology

Summary:

To implement a FlexVPN or IPsec VPN we use the topology shown above. The goal is reachability between the two LAN networks, i.e. from 20.20.20.0 to 30.30.30.0 and vice versa.

Currently we have configured basic connectivity in which R1 and R2 can reach each other via the internet cloud.

The basic requirement for any VPN is reachability between the source and destination endpoints of the tunnel.

Continue reading “Site to Site IPsec VPN”

GRE Tunnel

Topology

Objectives

Create a GRE tunnel between Router A and Router C. The tunnel carries traffic between the two LAN segments without advertising the LAN prefixes into the internet domain. Note that GRE by itself provides no encryption or integrity protection: anything sent through the tunnel is visible to the transit path, so combine it with IPsec when confidentiality is required.

Steps:

  • Your network must be reachable end to end, i.e. the interface/node from which you create the tunnel must be able to reach the destination interface/node. Here Routers A, B and C are configured and running EIGRP in the internet domain, and the loopbacks of Routers A and C are advertised into EIGRP.
  • Ping 2.2.2.2 from Router A and 1.1.1.1 from Router C.

Continue reading “GRE Tunnel”