Author Archives: Maros Kukan

vCloud Air: OnDemand IaaS by VMware

Introduction

Cloud computing is currently a highly discussed topic in many IT strategy meetings. The ability to spin workloads in third party cloud and pay only for what you actually use certainly make sense from financial point of view. There are many great use cases for that.

Imagine you have a big event, something like Super Bowl and your current infrastructure would likely struggle to handle such load for the duration of the event. You have two options how to prepare for it, you can buy new assets – compute, storage and network spending a lot of dollars or you can build your application stacks in third party cloud and leave it running for certain period of time and then tear down when the event is over. The second option also gives you virtually unlimited resources if you need to use them. How cool is that?

There are many Infrastructure as a Service offerings in the market, one of the most popular include Amazon AWS, Microsoft Azure or Google Cloud Compute. It was only matter of time that other vendors would start offer the same thing to address the competition.

One of such vendors is VMware. Initially, the popular hypervisor vendor offered two flavors of their public cloud offering named vCloud Air. First was a Dedicated Cloud, targeted on customers who wanted to essentially lease the entire servers for better physical isolation and security. The second was a Virtual Private Cloud, which is cheaper, but the hypervisor would run other companies’ VMs as well and provide logical isolation.

In either case, both of the offering were targeted on larger customers and you and me did not have an easy option to just spin couple of VMs for testing without committing to some long term payment plant.

With the new OnDemand access flavor that model changes and you now have a true option to pay as you go. This flavor allows any individual from flesh and bone (with credit card) to spin a workload in VMware’s data center and pay only for what he uses.

safe_image.php

vCloud Air Common Use Cases

To support this idea, they even get you a nice started pack of $300 dollars worth of resources. It is like with gas provider, where they would get you certain number of gas for free to try their service out. Good move to attrack people like me to poke around and spin some workloads.

I think that many enterprise companies will consider this option, as their infrastructure teams are familiar with vSphere and this cloud is built upon the same foundations as their data centers, making migration and interoperability a little bit easier for both sides.

How does it feel to spin a couple of VMs in this environment? Lets have a look.

Signing Up

First, you need to go to super secret URL only know by 5 individuals in the world. I like my audience so I am going to share that URL with you and it is at http://vcloud.vmware.com.

The landing pages gives you couple of information what vCloud is, couple of testimonial and general information. Click on Service Offering/Virtual Private Cloud OnDemand to get started.

Lets take advantage of that $300 voucher shall we? For that we need a VMware Account First. You you have one log in now, otherwise make the clickie-clickie action and create one.

During the registration you need to enter a valid credit card and billing information.

vcloud-air-1

Creating a new account for vCloud Air

At this point you will have an options to select the Support Level Plan. I’ll go with the basic one OnDemand Online Support. Make sure that the promo code ondemand2015 has been applied. As so many people are trying to get the hands on, you likely end up in the queue with Sing up request pending. So wait for it.

Ok, it took around 5 minutes to get the confirmation email with the login page URL and initial links to set the password.

vcloud-air-2

You need to reset your temporary password

Entering to the vCloud

Now that you we have set the credentials, lets go back to to main login page at https://vca.vmware.com. If you would like to use VMware Remote Console, install it & enable the plugin in your browser.

vcloud-air-3

The Login Screen looks nice and clean, thumbs up for that.

Building our first vPC

After login you are presented by main dashboard, that includes Services, Subscriptions and Tools. After Clicking the Virtual Private Cloud Ondemand, you have an option to select in which physical location you want to build your vPC. Since I am located in UK I’ll go with UK Slough 1 6 option. Slough is small town in Berkshire.

vcloud-air-4

After couple of seconds a new vPC instance will be build. After the gears stop spinning you will receive the following handy infrastructure to play with.

Default vPC topology

Default vPC topology

The infrastructure is composed of one Gateway, that provides access to your private cell. This gateway is connected to public segment which is according Ripe a chunk of larger pool that VMware allocated for this particular cloud.

The second network, is a private segment where would build your VM. We will get to that later. I want to show you around the interface.

The first tab you find under vPC is the Resource Usage which shows you how much you resources you consume and how much for last hour/day or month. You also have option to view detailed report. Give that your financial department to sponsor your vCloud adventures.

vcloud-air-6

Creating new virtual machine

Next, looking at Virtual Machines tab, you have an option to spin your first workload or migrate it from your private data center. Lets keep things simple for now and select the first option.

Creating the first workload

Creating the first workload

As any good cloud offering, you will be presented by a catalog of virtual machines that you can select from. Most of the Linux flavors are free, and you pay same extra fees for Windows VMs for licensing. You also have an option to create an empty machine, called shell VM from scratch. I’ll go with CentOS 6.4 32 Bit for now.

Selecting a VM from catalog

Selecting a VM from catalog

In customization page, you have the options to name your VM and specifie resource it will consume. You also get a nice cost calculation to get an idea how much your new puppy it will cost you. In production workload size should meet the application demand that this VM will run. I am testing the functionality so I have selected the minimums, send me some bitcoins and next we will go crazy with 16vCPUs and 120GB RAM.

I’ll attach the VM to the default-routed-network.

Workload customization and estimated cost

Workload customization and estimated cost

The creation of this small VM took roughly 3 minutes. And the status is shown under main Virtual Machine tab.

New VM is up and running

New VM is up and running

If you got your hands dirty with Amazon AWS, you know that after creating a workload it will receive an elastic IP address that is publicly routable, and using an RSA key pair you can log in though SSH.

The vCloud Air, by default works a little bit differently, are you recalling some mumbling earlier in this post about Remote Console Plugin? That is exactly what we are going to use to access the VM. At least initially. While selecting the VM, open Actions menu and select Open In Console.

Accessing the console through Remote Console Plugin

Accessing the console through Remote Console Plugin

Allow pop-ups and vuala, you are at the VM console. It is that easy.

Sitting at the console

Sitting at the console

I was not able to figured out that the default credentials looking at my magic ball that I have on my table, but I know where to look for it.

For that we need to look further at the VM details.

Discovering the auto generated password

Discovering the auto generated password

Go back to Remote Console and login. To confirm that we indeed ended in the default routed network, lets look at NIC settings and try to reach default gateway.

vcloud-air-16

Tip: You are stuck in Remote Console, press CTRL+ALT to escape the window.

The default Edge configuration will not respond to ping, but you can verify layer 2 by examining the VM ARP table.

Connecting VM to Internet

Our VM is very lonely at the moment, it can only speak to the Edge Gateway in some sort of way. Wouldn’t be great if it could speak to everyone on the Internet? For that to happen, we need to perform some additional configuration on Edge Gateway.

First, we enable the communication from the VM to the internet by configuring Dynamic NAT Translation. On the main page navigate to Gateways tab and select the existing gateway.

Default vPC Gateway

Default vPC Gateway

You will be presented by Gateway specific options, such as NAT Rules, Firewall Rules, Networks, and Public IPs. Before you can add a NAT Translation, you need to add new Public IP address. So start by requesting one.

In the background a new job will be initiated in vCloud Director, which is doing the heavy lifting under this light web UI.

Note: I had some problems assigning a public IP address in my first VDC1, where the job would never finish and I could not do anything with the gateway anymore, therefore I have opened a ticket with vCloud support and they were able to fix the issue with public IP assignments

After the task finishes you are actually assigned the same public address that your edge gateway currently uses.

Public IP successfully assigned

Public IP has been successfully assigned

Lets revisit the  NAT Rules tab and create our first entry that will dynamically translate our internal VM to the public IP address above.

Adding Source NAT entry

Adding Source NAT entry

Simple as that, click Next and Finish.

Although the dynamic NAT rule is in place we are still unable to reach any external resource. We need to modify the default edge firewall policy to allow this communication.

Go to Firewall Rules tab and Add a new entry called Internal-to-Internet.
g

Allowing default internal network to talk to anything on the Internet

Click Next and Finish. With all per-requisites in place the VM can finally reach the internet.
vcloud-air-25

VM is happy happy now

The default vDC private network automatically assigns an address from a pool to newly create virtual machines. These pools are configured in vCloud Director under each Organization VDC Networks respectively. But by default they not include DNS server configuration. For now I will cheat a little bit and edit the list of servers manually in VM at /etc/resolv.conf. You are now fully equip to install additional packages.

Coping and Pasting to virtual console sucks, wouldn’t be great if we could SSH to our box? For that we need three things in place. OpenSSH installed and configured on the box, static NAT entry and a Firewall Policy. There are bunch of great tutorials out there showing how to setup the first part.

For the second part, we are going to create a DNAT entry for VM that will map an external IP address and its port 22 to VM internal address. The second entry will show in the list.

s

Newly added destination NAT for our SSH traffic.

Finally, add a new firewall rule to allow communication from outside on port TCP/22. For added security define only a single or a range of public addresses that you are connecting from.

s

Newly added firewall rule to allow SSH inbound.

Lets connect to our VM via SSH and install Apache web server shall we?

vcloud-air-28

Installing and starting apache

As with any new service, we need to add SNAT entry and Firewall rule to permit communication from the Internet.

You also need to modify the host firewall, iptables in this case to allow communication from outside to httpd service.

After repeating the same steps as above you have a web server running in vCloud Air. How cool is that?

Your first vSphere VM running in cloud.

Your first vSphere VM running in cloud.

Lets stop for a moment and imagine the possibilities, if you can build VM you can build an entire application stack. If you can build an entire application stack, you can build an entire virtual data center. And that is the way to go my friends.

This concludes the basics how to build inside this third party cloud. In next article I am going to focus on scaling and creating more complex network topologies as well as exploring some additional features and parameters available exclusively through the vCloud Director interface.

What you can learn from Networking for VMware Admins

Introduction

It was not so long ago when I was searching for good resource that would uncover what is happening at the hypervisor level from network point of view and how it all clicks together to provider connectivity to ever increasing number of virtual machines. I am happy to say that I have found that resource. It is called Networking for VMware Administrators by Chris Wahl and Steve Pantol.

Networking-for-VMware-Administrators 1

The book starts by discussing the very foundation of networking, what networks is and what benefits it provides. Continuing with with common models and protocol stacks like ISO OSI and TCP/IP and the concepts of layering.

Comparing ISO OSI to TCP/IP

Comparing ISO OSI to TCP/IP

Diving more deeply into the individual layers authors start with physical layer. Ethernet technology is explained in great detail as well as common physical connectivity options like copper or fiber. You will also gain some knowledge about most used network connectors such as RJ-45 and modules like older GBIC or SFP.

10Gbps Twinax Cable used for short interconnections

10Gbps Twinax Cable used for short connections

The chapters build on top of each other and after the foundation and physical network properties next chapter covers data-link operations in great detail. You learn about switching and common network challenges like preventing network loops with spanning tree or increasing network through put by utilizing link aggregation technologies.

Another layer that could not be forgotten is Layer 3 or Network layer. In this chapter IP addressing and routing is explained in detail. Other common services such as automatic address configuration thought DHCP or name resolution with DNS are well touched giving you as a reader better overall perspective.

With the foundation lied down in first 5 chapters the book continues to touch popular converged network infrastructures. Concept of stateless computing from Cisco is explained – the Unified Computing System as well as the HP’s Blade Chassis C7000. Both are compared to give you better insight on one over the other.

Cisco Unified Computing System

Cisco Unified Computing System

The true discussion on virtual networking begins with Chapter 7: How Virtual Switching Differs from Physical Switching. This is an excellent entry point chapter, which describes similarities and differences between both. It touches on common virtual vSwitch terms such as virtual machines’s NIC cards (vNIC), Port-Group, physical uplinks (pNIC), VM kernel ports (vmk) and generally how does the virtual architecture fits with physical.

vSwitch Architecture

vSwitch Architecture

vswitch-logic

vSwitch Forwarding Logic

Better yet, this chapter outlines various configuration options on vSwitch like number of uplinks, MTU and Security Settings. Last but not least trunking and VLAN tagging options are explained.

Chapter 9 focus on vSphere Distributed Switch which is commonly found in enterprise environments. It explains how it differs from Standard vSwitch in control and data plane operations. And elaborates on many extra features it provides. You can expect to gain knowledge on link discovery protocols CDP and LLDP, exporting traffic flows with NetFlow, monitoring traffic in virtual environment using Port Mirroring, segmenting traffic using VLANs and Private VLANs and finally Load Based teaming and Network IO Control for intelligent traffic management.

After you gain this strong foundation, you are free to enter to realm of third party virtual switch. Cisco Nexus 1000V is the topic of next chapter. Authors explain the reasons why you might consider using this third party switch from Cisco in your environment. It touches on core architecture concepts like Virtual Supervisor Module (VSM) and Virtual Ethernet Module (VEM) and various modes of deployment options.

Nexus 1000V deployment options

Nexus 1000V deployment options

If you are more practical type of person, you will definitely like the lab scenarios that authors put together. A step by stem approach is outlined how to build a basic vSphere environment using Cisco UCS as main computing platform. In later chapters you will also discover how to migrate workloads from standard virtual switch to distributed virtual switch without causing downtime.

After discussing general networking technologies with relevant examples, Chapter 14 moves our direction toward IP based storage, starting with iSCSI. General uses cases are explained as well the idea of initiators and targets. Best practices for setting up iSCSI storage adapters are also well explained giving you good confidence when planning in production environment.

The storage topics are then closed by discussing NFS based storage and its uses cases. I especially like the right depth of topics around storage. Practical demonstration at the end of the chapter is also a huge benefit to better put things together.

The next to last chapter deals with additional vSwitch design options, showing many different scenarios with or without IP based storage in place and using 1 Gbps or 10 Gbps network adapters.

One of many vSwitch design options

One of many vSwitch design options

Finally, the last chapter discusses additional design options when dealing with heavy load vMotion migrations. You will learn how to design multiple VM kernel adapters for moving workloads around in case you need to. Network IO Control is also revisited in relation of egress traffic shaping and protecting v host from traffic overload, in case of multiple hosts decide to migrate loads onto same destination hypervisor.

Although I am primarily a network guy I must admin I enjoyed this well written book from the first page to last. It gave exactly what I was looking for, a good foundation of vSphere networking which is the base for advanced technologies like virtual overlays with VXLAN.

OpenWRT: Spinning up Authoritative DNS server

Introduction

During last few months my small home infrastructure has grown in numbers. First there came a beefe virtualization host with 2x AMD Opteron CPUs and 48 GB RAM which runs all labs and is awesome for learning. I named it Sonic after the hedgehog. Then the idea for centralized storage was born, and Synology DS213J together with 2x WD 3TB REDs came on board and is packed with features. My popular ones are Download Station, File Station and Integrated IPSec VPN Server.

As the Internet of Things rises, I bought couple of Raspberry Pi, which one of them runs Openelec as home media center. The others are waiting for new exciting projects that will soon come.

Besides the physical infrastructure, the virtual one have grown even faster with more and more complex labs. Overall there was a need to manage all this stuff more easily and provide layer of abstraction, and home DNS service would make that happen.

After reading number of resources that explained the basics about DNS such as what is the difference between Authoritative, Cache and Forward server, I was confident enough to begin the process of changing the default combined DHCP+DNS service (dnsmasq) in my home router running Openwrt with more capable software. I have chosen bind for the job.

Installing packages

The installation process is very easy, first log into your router via SSH. I am running Barrier Breaker 14.07 on TP-LINK TL-WR941ND. Then using the package manager, install bind-server, bind-tools and isc-dhcp-server-ipv4.

By default, Openwrt includes vi test editor by default, if you are more a nano person, install that package as well. We will use to edit the configuration files later.

BusyBox v1.22.1 (2014-09-20 22:01:35 CEST) built-in shell (ash)
Enter ‘help’ for a list of built-in commands.

  _______                     ________        __
 |       |.—–.—–.—–.|  |  |  |.—-.|  |_
 |   –   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 —————————————————–
 BARRIER BREAKER (14.07, r42625)
 —————————————————–
  * 1/2 oz Galliano         Pour all ingredients into
  * 4 oz cold Coffee        an irish coffee mug filled
  * 1 1/2 oz Dark Rum       with crushed ice. Stir.
  * 2 tsp. Creme de Cacao
 —————————————————–

root@soultrap:~# opkg update
Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/base/Packages.gz.
Updated list of available packages in /var/opkg-lists/barrier_breaker_base.
Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/luci/Packages.gz.
Updated list of available packages in /var/opkg-lists/barrier_breaker_luci.
Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/packages/Packages.gz.
Updated list of available packages in /var/opkg-lists/barrier_breaker_packages.
Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/routing/Packages.gz.
Updated list of available packages in /var/opkg-lists/barrier_breaker_routing.
Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/telephony/Packages.gz.
Updated list of available packages in /var/opkg-lists/barrier_breaker_telephony.
Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/management/Packages.gz.
Updated list of available packages in /var/opkg-lists/barrier_breaker_management.
Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/oldpackages/Packages.gz.
Updated list of available packages in /var/opkg-lists/barrier_breaker_oldpackages.

root@soultrap:~# opkg install bind-server bind-tools Installing bind-server (9.9.4-1) to root... Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/pa ckages/oldpackages/bind-server_9.9.4-1_ar71xx.ipk. Installing bind-libs (9.9.4-1) to root... Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/pa ckages/oldpackages/bind-libs_9.9.4-1_ar71xx.ipk. Installing libopenssl (1.0.2-1) to root... Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/pa ckages/base/libopenssl_1.0.2-1_ar71xx.ipk. Installing zlib (1.2.8-1) to root... Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/base/zlib_1.2.8-1_ar71xx.ipk. Installing bind-tools (9.9.4-1) to root... Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/oldpackages/bind-tools_9.9.4-1_ar71xx.ipk. Configuring zlib. Configuring libopenssl. Configuring bind-libs. Configuring bind-tools. Configuring bind-server.
root@soultrap:~# opkg install isc-dhcp-server-ipv4 Installing isc-dhcp-server-ipv4 (4.2.4-3) to root... Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/oldpackages/isc-dhcp-server-ipv4_4.2.4-3_ar71xx.ipk. Configuring isc-dhcp-server-ipv4.

root@soultrap:~# opkg install nano
Installing nano (2.3.6-1) to root...
Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/packages/nano_2.3.6-1_ar71xx.ipk.
Configuring nano.

Dnsmasq is a combined DHCP and DNS server and it would interfere with bind by default. To still have DHCP capabilities, we will configure the isc-dhcp server. But first uninstall dnsmasq. Clean up by removing the old dhcp leases file.

root@soultrap:~# /etc/init.d/dnsmasq stop
root@soultrap:~# opkg remove dnsmasq
Removing package dnsmasq from root...
Not deleting modified conffile /etc/config/dhcp.
root@soultrap:~# mv /etc/config/dhcp /etc/config/dhcp.backup
root@soultrap:~# rm /var/dhcp.leases

Configuring dhcp and bind

After package installation, we are going to configure dhcpd daemon, and the right place to do that is at /etc/dhcpd.conf.

root@soultrap:~# nano /etc/dhcpd.conf
# dhcpd.conf

authoritative;

default-lease-time 3600;
max-lease-time 86400;

option domain-name-servers 10.0.2.1, 8.8.8.8;
option domain-search “papuckovo.home”;

subnet 10.0.2.0 netmask 255.255.255.0 {
  range 10.0.2.128 10.0.2.191;
  option routers 10.0.2.1;
}

Then enable automatic service start after reboot and start the service.

root@soultrap:~# /etc/init.d/dhcpd enable
root@soultrap:~# /etc/init.d/dhcpd start

We will now focus on bind configuration and the main file to look at is located under /etc/bind/ directory.  The file named.conf will be in our particular interest.

First we will configure DNS forwarders that will be used when looking for something outside our authoritative domain. Popular choices are OpenDNS servers or Google Public DNS Servers, I will use the later one.

Next, we will add one forward and one reverse zone for our home domain papuckovo.home. As you can see they will point to files that will hold our records, and we need to create them.

root@soultrap:~# cat /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
acl “RFC1918” {
        10.0.0.0/8;
};

options {
        directory “/tmp”;
        recursion yes;
        allow-recursion { RFC1918; };
        allow-transfer { none; };
        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.  
        // Uncomment the following block, and insert the addresses replacing
        // the all-0’s placeholder.

        forwarders {
                8.8.8.8;
                8.8.4.4;
        };

        auth-nxdomain no;    # conform to RFC1035
};
// prime the server with knowledge of the root servers
zone “.” {
        type hint;
        file “/etc/bind/db.root”;
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone “localhost” {
        type master;
        file “/etc/bind/db.local”;
};
zone “papuckovo.home” {
        type master;
        file “/etc/bind/zones/db.papuckovo.home”;
};
zone “127.in-addr.arpa” {
        type master;
        file “/etc/bind/db.127”;
};
zone “0.in-addr.arpa” {
        type master;
        file “/etc/bind/db.0”;
};
zone “255.in-addr.arpa” {
        type master;
        file “/etc/bind/db.255”;
};
zone “2.0.10.in-addr.arpa” {
        type master;
        file “/etc/bind/zones/db.2.0.10”;
}

Now we will create new folder zones and copy example files from main bind directory.

root@soultrap:~# mkdir /etc/zones
root@soultrap:~# cp /etc/bind/db.local /etc/bind/zones/db.papuckovo.home
root@soultrap:~# cp /etc/bind/db.127 /etc/bind/zones/db.2.0.10

Edit the copied files to suit your needs. The SOA record needs to include domain name and the administrator’s email. You should also increment the Serial number after each change to zone files.

root@soultrap:~# nano /etc/bind/zones/db.papuckovo.home
;
; BIND data file for local loopback interface
;
$TTL    604800
@       IN      SOA     papuckovo.home. root.papuckovo.home. (
                              5         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      soultrap.papuckovo.home.
@       IN      A       10.0.2.1
soultrap        IN     A       10.0.2.1
www01           IN     A       10.0.2.2

Do the same thing for reverse zone

root@soultrap:~# nano /etc/bind/zones/db.2.0.10
;
; BIND reverse data file for local loopback interface
;
$TTL    604800
@       IN      SOA     papuckovo.home. root.papuckovo.home. (
                              5         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      soultrap.papuckovo.home.
1       IN      PTR     soultrap.papuckovo.home.
2       IN      PTR     www01.papuckovo.home.

Finally, enable automatic service start after boot and start the service

root@soultrap:~# /etc/init.d/named start
Starting isc-bind
root@soultrap:~# /etc/init.d/named enable

Verification

You can verify the operations of DHCP server by jumping on an internal client and issues ipconfig /renew. Or directly from the router listing dhcpd leases.

root@soultrap:~# head /var/dhcpd.leases
# The format of this file is documented in the dhcpd.leases(5) manual page.
# This lease file was written by isc-dhcp-4.2.4

lease 10.0.2.129 {
  starts 1 2015/02/23 08:19:57;
  ends 1 2015/02/23 08:21:57;
  tstp 1 2015/02/23 08:21:57;
  cltt 1 2015/02/23 08:19:57;
  binding state free;
  hardware ethernet 14:7d:c5:11:19:7f;

You can also verify that DNS server is operating correctly using nslookup or dig.

root@soultrap:~# dig ANY papuckovo.home @localhost
; <<>> DiG 9.9.4 <<>> ANY papuckovo.home @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53030
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;papuckovo.home.                        IN      ANY

;; ANSWER SECTION:
papuckovo.home.         604800  IN      SOA     papuckovo.home. root.papuckovo.home. 5 604800 86400 2419200 604800
papuckovo.home.         604800  IN      NS      soultrap.papuckovo.home.
papuckovo.home.         604800  IN      A       10.0.2.1

;; ADDITIONAL SECTION:
soultrap.papuckovo.home. 604800 IN      A       10.0.2.1

;; Query time: 74 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Feb 24 16:04:56 CET 2015
;; MSG SIZE  rcvd: 139

Troubleshooting

Sometimes, things do not go as we expected, it would be great to narrow down the problem.

root@soultrap:~# /etc/init.d/named start
Starting isc-bind
  isc-bind failed to start

The default error message is not very useful and you can investigate further in log file. In this case I have mistyped the allow-transfer keyword in the main configuration file.

root@soultrap:~# logread
Tue Feb 24 16:20:30 2015 daemon.notice named[13361]: BIND 9 is maintained by Internet Systems Consortium,
Tue Feb 24 16:20:30 2015 daemon.notice named[13361]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Tue Feb 24 16:20:30 2015 daemon.notice named[13361]: corporation.  Support and training for BIND 9 are
Tue Feb 24 16:20:30 2015 daemon.notice named[13361]: available at https://www.isc.org/support
Tue Feb 24 16:20:30 2015 daemon.notice named[13361]: —————————————————-
Tue Feb 24 16:20:30 2015 daemon.info named[13361]: using 1 UDP listener per interface
Tue Feb 24 16:20:30 2015 daemon.info named[13361]: using up to 4096 sockets
Tue Feb 24 16:20:30 2015 daemon.info named[13361]: loading configuration from ‘/etc/bind/named.conf’
Tue Feb 24 16:20:30 2015 daemon.err named[13361]: /etc/bind/named.conf:10: unknown option ‘allow-trasfer’
Tue Feb 24 16:20:30 2015 daemon.crit named[13361]: loading configuration: failure
Tue Feb 24 16:20:30 2015 daemon.crit named[13361]: exiting (due to fatal error)

MACs – Moved Adds and Changes

When adding new records in reverse and forward zone files it is needed to increase the serial number and then reload bind with new configuration.

root@soultrap:~# /etc/init.d/named reload
Stopping isc-bind
Starting isc-bind

Conclusion

Adding name resolution service to your home router will give you great flexibility and easy to use, your everyday users won’t need to be bothered with IP addresses, they can simple type names.

Further Reading

https://www.digitalocean.com/community/tutorials/an-introduction-to-dns-terminology-components-and-concepts

Cisco ASAv firewall REST API: Bulk Requests

Introduction

Continuing on the same track with ASA REST API we are going to explore how to be more efficient when firing up the json code toward our firewalls. In previous example we created a small number of service and network objects and groups, today we are going to experiment with larger number of objects created by smaller number of calls. Lets get the ball rolling.

Bulk service object creation

To create a bulk request we need to adjust some parameters such as API endpoint URL. As you recall, when we created a new service object we were pointing to this URL: https://<management-ip>/api/objects/networkservices.

Now we are going to redesign the call a little bit and will always point to same endpoint regardless of object type. We will simply use https://<management-ip>/api and the more specific resource URI will be part request body. This allows us for example create bulk of service and network objects in one call.

[
  {
    "resourceUri": "/api/objects/networkservices",
    "data": {     
  "kind": "object#TcpUdpServiceObj",
  "name": "TCP-21",
  "value": "tcp/21"
}, "method": "Post" }, { "resourceUri": "/api/objects/networkservices",    "data": {
  "kind": "object#TcpUdpServiceObj",
  "name": "TCP-22",
  "value": "tcp/22"
}, "method": "Post" }, { "resourceUri": "/api/objects/networkservices",    "data": {
  "kind": "object#TcpUdpServiceObj",
  "name": "TCP-23",
  "value": "tcp/23"
}, "method": "Post" }, { "resourceUri": "/api/objects/networkservices", "data": {
  "kind": "object#TcpUdpServiceObj",
  "name": "TCP-24",
  "value": "tcp/24"
}, "method": "Post" }
]

If everything is hunky dory you will receive a Status Code 200 OK and response body will contain additional details.

{
"entryMessages":
[
     {
     "resourceUri":"/api/objects/networkservices",
     "method":"POST",
     "selfLink":"http://10.201.230.5/api/objects/networkservices/TCP-21",
     "messages":
     [
         {
         "level":"Info",
         "code":"201",
         "details":"Created (201) - The request has been fulfilled and resulted in a new resource being created"
          }
     ]
     },
     {
     "resourceUri":"/api/objects/networkservices",
     "method":"POST",
     "selfLink":"http://10.201.230.5/api/objects/networkservices/TCP-22",
     "messages":
     [
         {
         "level":"Info",
         "code":"201",
         "details":"Created (201) - The request has been fulfilled and resulted in a new resource being created"
         }
     ]
     },
     {
     "resourceUri":"/api/objects/networkservices",
     "method":"POST",
     "selfLink":"http://10.201.230.5/api/objects/networkservices/TCP-23",
     "messages":
     [
         {
         "level":"Info",
         "code":"201",
         "details":"Created (201) - The request has been fulfilled and resulted in a new resource being created"
         }
     ]
     },
     {
     "resourceUri":"/api/objects/networkservices",
     "method":"POST",
     "selfLink":"http://10.201.230.5/api/objects/networkservices/TCP-24",
     "messages":
     [
         {
         "level":"Info",
         "code":"201",
         "details":"Created (201) - The request has been fulfilled and resulted in a new resource being created"
         }
     ]
     }
],
"commonMessages":[]
}

Ideally your deployment script would examine the response and capture the self links that can be used to un-deploy this call. Also the message details are important to verify if objects were successfully created.

Now we are going to look at error handling by creating another request that will have one already existing object and one new in it.

[
  {
    "resourceUri": "/api/objects/networkservices",
    "data": {     
  "kind": "object#TcpUdpServiceObj",
  "name": "TCP-24",
  "value": "tcp/24"
}, "method": "Post" }, { "resourceUri": "/api/objects/networkservices", "data": {
  "kind": "object#TcpUdpServiceObj",
  "name": "TCP-25",
  "value": "tcp/25"
}, "method": "Post" }
]

The response header will contain 400 Bad Request status code and body will reveal some clues.

{
"entryMessages":
[
     {
     "resourceUri":"/api/objects/networkservices",
     "method":"POST",
     "messages":
     [
         {
         "level":"Error",
         "code":"DUPLICATE",
         "context":"objectId",
         "details":"TCP-24"
         }
     ]
     },
     {
     "resourceUri":"/api/objects/networkservices",
     "method":"POST"
     }
],
"commonMessages":[]
}

The result result is that even the second object did not exists it was not created. When you reverse the object order in request, it will not help either. This means that the entire request need to create unique objects otherwise it will fail. So watch for return codes.

I have tried to create 103 unique objects in one request and I have found that the upper limit for single request is 100 entries.

{
"commonMessages":
[
     {
     "level":"Error",
     "code":"MAX-ENTRIES-LIMIT-EXCEEDED",
     "details":"The number of entries found are, 103. The bulk entries limit:100"
     }
]
}

Lets go back to our first four service objects and undeploy them using four unique DELETE Requests. The resource URIs are as follows:

Note: So far I have not found way of performing multiple object removal in single request. It seems that bulk operation only supports POST method toward service objects at the moment. The following below did not work.

[
  {
    "resourceUri": "/api/objects/networkservices/TCP-21",
    "method": "Delete"
  },
  {
    "resourceUri": "/api/objects/networkservices/TCP-21",
    "method": "Delete"
  }
]

Response had status code 400 Bad Request even if those URI are indeed valid and you can query them with GET request.

{
"entryMessages":
[
     {
     "resourceUri":"/api/objects/networkservices/TCP-21",
     "method":"DELETE",
     "messages":
     [
         {
         "level":"Error",
         "code":"INVALID-INPUT",
         "details":"Invalid resourceUri:/api/objects/networkservices/TCP-21"
         }
     ]
     },
     {
     "resourceUri":"/api/objects/networkservices/TCP-21",
     "method":"DELETE",
     "messages":
     [
         {
         "level":"Error",
         "code":"INVALID-INPUT",
         "details":"Invalid resourceUri:/api/objects/networkservices/TCP-21"
         }
     ]
     }
],
"commonMessages":[]
}

The 100 objects limitations also affect how are the responses constructed. When you query the following resource https://<management-ip>/api/objects/networkservices you will see that the body contains only 100 items even if 110 exists. You can see this by examining the offset, limit and total fields on body.

{
   "kind": "collection#NetworkServiceObjects",
   "selfLink": "https://10.201.230.5/api/objects/networkservices",
   "rangeInfo":
   {
       "offset": 0,
       "limit": 100,
       "total": 110
   },

Funny enough, the list will not start with the first configure service objects, but started from TCP-100 up till TCP-200. To see other items you need to manipulate the offset value. We can demonstrate this using API Console at documentation page.

rest-api-offset

Now the item list will start from TCP-110 and will include our older objects such as TCP-21, TCP-22 etc. You can also play with the limit parameter to constrain number of returned objects. If you look at Inspector, you will see the request parameters have been modified to include our query parameters.

rest-api-offset-body

Conclusion

Bulk object creation and retrieval handling should help you build more efficient communication patters between the firewall and automation tool or network controller.

Cisco ASAv firewall HA Pair

Introduction

In previous post I have introduced and demonstrated the ASA in virtual form factor. This post will built on top of previous that one and will show you how to setup redundant high available pair of these firewalls.

The HA setup is ideal in situations where you are building virtual infrastructure hosted on private or public cloud that needs to be available all the time, surviving failure of one of the firewalls that run as virtual machines. Standard vSphere VM placement best practices should be also considered, such as anti-affinity rules and resource allocation. Consult these with you VMware administrators.

The following diagram outlines the final setup. My home lab only has one ESXi hosts, so everything is running over there.

ASAv HA Setup

Active Firewall rollout

Start with the deployment of first firewall which will be the active one. After downloading the OVA package from Cisco go to vSphere\Virtual Machines\Right Click on Cluster\Deploy OVF Template.

asav-ha-step1

After browsing and selecting the OVA package, I am using asav931.ova, you will be ask to accept the extra configuration options and estimated disk size requirements.

asav-ha-step2

Next, accept the license agreement and and click next. You will have an option to select the name of the new primary ASA which will be ASAv03-Active and the location of the VM.

asav-ha-step3

You will now have a choice to select deployment size, from 1vCPU Standalone all the way up to 4vCPU. If you are deploying in production, you should consult the deployment guide for the right flavor. I am deploying in lab, therefore I have selected 1vCPU HA Primary.

asav-ha-step4

After selecting the deployment size, we need to specify the resource that ASAv will consume. If you select a cluster DRS can automatically place the VM to least utilized hypervisor. You can also specify certain ESXi hosts. I have just one ESXi host, so the choice will be obvious.

asav-ha-step5

To same some storage space, change the default virtual disk format from Thick Provisioned to Thin Provision.

On the next page, we need to configure network mapping. ASAv has by default 10 vNIC adapters which first of them is the Management and the last Gig0/8 is used by HA Heartbeat. Remaining interfaces can be used for production traffic. We leave unused interface in DMZ for now.

asav-ha-step6

Now you have an option to Customize the template by typing configuration parameters such as Management Interface Settings, Device Manager IP Settings and HA Connection Settings.

The Management address of Primary Unit will be 172.16.2.1/24 and Secondary will be 172.16.2.2/24. The default gateway will not be required at this moment, our management station sits on the same virtual switch. To allow remote access from day 1, specify that the allowed management subnet is 172.16.2.0/24

The Primary Unit HA address will be 172.16.3.1/24 and the Secondary will be 172.16.3.2/24.

asav-ha-step7

In Ready to Complete page, you get the summary of all configuration options, and you will have a choice to Power VM after deployment. Congratulations you just deployed your first HA Pair Firewall. After first power on, ASAv will perform initial configuration and reboot.

If everything worked as expected, you should be able to log in from management station via SSH.

asav-ha-step8

By default, however, not username was configured in template therefore it is still needed to jump to virtual console and create one and point the AAA authentication for SSH to local user database.

It is also worth to mention that although ASDM https access was enable, it would still need to have an account and aaa authentication configured properly to work.

ciscoasa(config)# username admin password cisco privilege 15
ciscoasa(config)# enable password cisco
ciscoasa(config)# aaa authentication ssh console LOCAL

Now you can actually connect to the ASA remotely. If you examine the configuration a little bit you find that it has setup the failover interface and peer and currently shows that its mate is down/unknown.

ciscoasa# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: fover GigabitEthernet0/8 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 1 of 61 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.3(1), Mate Unknown
Last Failover at: 10:16:56 UTC Feb 20 2015
        This host: Primary – Active
                Active time: 873 (sec)
                slot 0: empty
                  Interface management (172.16.2.1): Unknown (Waiting)
        Other host: Secondary – Failed
                Active time: 0 (sec)
                  Interface management (172.16.2.2): Unknown (Waiting)
 

ciscoasa# show failover state

State          Last Failure Reason      Date/Time
This host  –   Primary
Active         None
Other host –   Secondary
Failed         Comm Failure             10:17:13 UTC Feb 20 2015

====Configuration State===
====Communication State===

Standby Firewall rollout

Before we are going to configure the other interfaces, lets set up the secondary unit. Again we are going to start by deploying a template from .OVA. To save some space, I will only show difference from deploying the primary unit.

The VM name will be set to ASAv03-Standby, and the deployment configuration will be set to 1vCPU HA Secondary. Selecting the right resource in production should be also considered to minimize that a single hypervisor failure will cause both firewalls go down. Therefore I recommended anti-affinity rules so those two VMs will never run on same machine.

The interface mapping will be exactly same as with primary unit. See the reference above. In the customization template page, enter the Management IP address and HA IP address settings for this unit.

asav-ha-step9

Deployment of this small flavor took no longer than 30 seconds, and after the initial reboot the Standby firewall is up an running.

While still setting remotely on primary unit we are going to check the failover pair state again.

Beginning configuration replication: Sending to mate.
ciscoasa# show failover
Failover On
Failover unit Primary
Failover LAN Interface: fover GigabitEthernet0/8 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 1 of 61 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.3(1), Mate 9.3(1)
Last Failover at: 10:16:56 UTC Feb 20 2015
        This host: Primary – Active
                Active time: 2111 (sec)
                slot 0: empty
                  Interface management (172.16.2.1): Normal (Monitored)
        Other host: Secondary – Standby Ready
                Active time: 0 (sec)
                  Interface management (172.16.2.2): Normal (Waiting)

ciscoasa# sh failover state

               State          Last Failure Reason      Date/Time
This host  –   Primary
               Active         None
Other host –   Secondary
               Standby Ready  Comm Failure             10:17:13 UTC Feb 20 2015

====Configuration State===
        Sync Done
====Communication State===
        Mac set

====VM Properties Compatibility===
vCPUs – This host:  1
        Other host: 1
Memory – This host:  2048 Mhz
         Other host: 2048 Mhz
Interfaces – This host:  9
             Other host: 9

Looking much better now. To see failover in action, lets first complete the configuration of other interfaces to get some traffic flowing through the firewall

prompt hostname priority state
!
interface GigabitEthernet0/0
 description OUTSIDE
 nameif outside
 security-level 0
 ip address 10.0.2.91 255.255.255.0 standby 10.0.2.92
!
interface GigabitEthernet0/1
 description INSIDE
 nameif inside
 security-level 100
 ip address 172.16.0.1 255.255.255.0 standby 172.16.0.2
!
interface GigabitEthernet0/2
 description DMZ
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0 standby 172.16.1.2
!
monitor-interface outside
monitor-interface inside
monitor-interface dmz
!
route outside 0 0 10.0.2.1
!
policy-map global_policy
 class inspection_default
  inspect icmp

My outside router does not have static routes to these private network behind ASA so a object NAT will help to mitigate that.

object network inside_net
 subnet 172.16.0.0 255.255.255.0
nat (inside,outside) source dynamic inside_net interface

Now we should have connectivity from inside host to Internet. We get verify that by pulling google web page from client and also checking the NAT or connection table.

ciscoasa# sh nat detail
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic inside_net interface
    translate_hits = 12, untranslate_hits = 0
    Source – Origin: 172.16.0.0/24, Translated: 10.0.2.91/24

Now start continuous ping from inside machine and power off the primary firewall.

root@deb01:~# ping -c 100 8.8.8.8
100 packets transmitted, 85 received, 15% packet loss, time 99250ms
rtt min/avg/max/mdev = 10.771/11.988/21.956/2.426

From the output, I examined that from 100 packets, 15 was lost during switchover. With default pool and hold times it was not amazingly fast. We can do better.

failover polltime unit 1 holdtime 3
failover polltime interface 1 holdtime 5

Repeat the 100 ping test again and examine the results.

Now with adjusted timers, from 100 packets we lost 4 during switchover. Getting better :-). Lets see how this HA pair will cope with TCP sessions.

We are going to initiate a large file download from inside host and then shutdown the secondary (now active) ASA and examine the result on traffic flow.

The primary ASA took back the role of Active Firewall, but the TCP session has died. There is one another parameter that we need to tweak for HTTP sessions and to explicitly enable them.

ciscoasa/pri/act(config)# failover replication http
Now initiate the download again, and check that it will be re-established after failover.

Conclusion

After tweaking some default settings you have a highly available firewall cluster running in fully visualized environment.

s

Cisco ASAv firewall REST API – Resource Manipulation

Introduction

After the initial article about ASAv REST API we are going to explore how we can granularity manipulate various resources such as objects and object-groups. You will learn how to create modify, verify and delete each object type.

This can be useful when building an automation tool that needs to perform various configuration changes programmatically.

Service Object

Service objects are one of the most common objects types used in firewall. They can define OSI Layer 4 TCP and UDP ports as well as other protocols such as ARP, or GRE. We are going to demonstrate some basic operations that can be carried out with this type of object. CLI reference is also provided for comparison with REST API.

Create

CLI Reference

object service UDP-88
 service udp destination eq 80

Request Format

Header:
URL: https//<management-ip>/api/object/networkservices
Method: POST

Body:

{
  "kind": "object#TcpUdpServiceObj",
  "name": "UDP-88",
  "value": "udp/80"
}

Response Format

Header:
Status Code: 201 Created
Accept-Ranges: bytes
Content-Length: 0
Date: Wed, 18 Feb 2015 09:52:01 GMT
Server: CiscoASARestApiServer
Vary: Accept-Charset, Accept-Encoding, Accept-Language, Accept

As you can see, when we created new object we got its location URI. We will reference this address when doing changes or object removal. For service object the reference name is the object ID.

Modify

CLI Reference

object service UDP-88
 service udp destination eq 88

Request Format

Header:
URL: https//<management-ip>/api/objects/networkservices/UDP-88
Method: PATCH

Body:

{
  “kind”: “object#TcpUdpServiceObj“,
  “name”: “UDP-88“,
  “value”: “udp/88
}

Response Header Format

Header:
Status Code: 204 No Content
Accept-Ranges: bytes
Content-Length: 0
Date: Wed, 18 Feb 2015 09:52:48 GMT
Server: CiscoASARestApiServer
Vary: Accept-Charset, Accept-Encoding, Accept-Language, Accept
Patch request can be used to change resource attributes such as value or name.

Retrieve

CLI Reference

show run | be object service UDP-88
 Note: As ASA CLI does not include show object id command, this was the easiest way how to list object in running configuration.

Request Format

Header:

URL: https://<management-ip>>/api/objects/networkservices/UDP-88
Method: GET

Body: Empty

Response Format

Header:
Status Code: 200 OK
Accept-Ranges: bytes
Content-Length: 158
Content-Type: application/json; charset=UTF-8
Date: Wed, 18 Feb 2015 09:58:14 GMT
Server: CiscoASARestApiServer
Vary: Accept-Charset, Accept-Encoding, Accept-Language, Accept
Body:
{
   “kind”: “object#TcpUdpServiceObj“,
   “name”: “UDP-88“,
   “value”: “udp/88“,
   “objectId”: “UDP-80
}

GET request does not require anything in request body and when referencing certain object ID such as UDP-88 it will return just single resource. To get list of all resources under parent resource just remove the ID from the end of URL.

Delete

CLI Reference

no object service UDP-88

Request Format

Header
URL: https://<management-ip>/api/objects/networkservices/TCP-88
Method: DELETE

Body: Empty

Response Format

Header:
Status Code: 204 No Content
Accept-Ranges: bytes
Content-Length: 0
Date: Wed, 18 Feb 2015 10:02:05 GMT
Server: CiscoASARestApiServer

With REST API Delete request, rules still apply that you cannot remove an object that is being used or referenced elsewhere in configuration.

Service Object Group

As name implies service object groups glue together multiple objets. This eases the configuration and provides a little abstraction and simplification when constructing access rules.

Create

CLI Reference

object-group service krb5-udp
 description Default Kerberos UDP port
 service-object object UDP-88

Request Format

(Object within object group)

Header:
URL: https://<management-ip>/api/objects/networkservicegroups
Method: POST

Body:

{
"kind": "object#NetworkServiceGroup",
"name": "krb5-udp",
"members":
[
{
"kind": "objectRef#TcpUdpServiceObj",
"objectId": "UDP-88"
}
],
"description": "Default Kerberos UDP port"
}

Response Format

Header:
Status Code: 200 OK
Accept-Ranges: bytes
Content-Length: 124
Content-Type: application/json; charset=UTF-8
Date: Wed, 18 Feb 2015 10:35:10 GMT
Server: CiscoASARestApiServer
Vary: Accept-Charset, Accept-Encoding, Accept-Language, Accept

Request Format

(Object group within another object group)

CLI Reference

object-group service krb5-udp
 group-object krb5-udp

Header:

URL: https://<management-ip>/api/objects/networkservicegroups
Method: POST

Body:

{
"kind": "object#NetworkServiceGroup",
"name": "active-directory",
"members":
[
{
"kind": "objectRef#NetworkServiceGroup",
"objectId": "krb5-udp"
}
],
"description": "Default Active Directory ports"
}

Response Format

Header:
Status Code: 201 Created
Accept-Ranges: bytes
Content-Length: 0
Date: Wed, 18 Feb 2015 11:06:44 GMT
Server: CiscoASARestApiServer
Vary: Accept-Charset, Accept-Encoding, Accept-Language, Accept

Modify

CLI Reference

object-group service krb5-udp
 group-object krb5-udp
 group-object krb5-tcp

Request Format

(To change/add objects withing a group)

URL: https://<management-ip>/api/objects/networkservicegroups/active-directory
Method: PATCH

Body:

{
"kind": "object#NetworkServiceGroup",
"name": "active-directory",
"members":
[
{
"kind": "objectRef#NetworkServiceGroup",
"objectId": "krb5-udp"
},
{ "kind": "objectRef#NetworkServiceGroup", "objectId": "krb5-tcp" } ], "description": "Default Active Directory ports" }

Response Format

Header:
Status Code: 204 No Content
Content-Length: 0
Location: https://10.201.230.5/api/objects/networkservicegroups/active-directory
Server: CiscoASARestApiServer
Accept-Ranges: bytes
Vary: Accept-Charset, Accept-Encoding, Accept-Language, Accept
Date: Wed, 18 Feb 2015 11:57:32 GMT

Retrieve

CLI Reference

show object-group id active-directory

Request Format

 

URL: https://<management-ip>>/api/objects/networkservicegroups/active-directory
Method: GET

Body: Empty

Response Format

Header:

Status Code: 200 OK
Accept-Ranges: bytes
Content-Length: 512
Content-Type: application/json; charset=UTF-8
Date: Wed, 18 Feb 2015 12:01:52 GMT
Server: CiscoASARestApiServer
Vary: Accept-Charset, Accept-Encoding, Accept-Language, Accept
Body:
{
   “kind”: “object#NetworkServiceGroup“,
   “name”: “active-directory“,
   “members”:
   [
       {
           “kind”: “objectRef#NetworkServiceGroup“,
           “objectId”: “krb5-tcp
       },
       {
           “kind”: “objectRef#NetworkServiceGroup“,
           “objectId”: “krb5-udp
       }
   ],
   “description”: “Default Active Directory ports“,
   “objectId”: “active-directory
}

Delete

(Entire object group)

CLI Reference

no object-group service active-directory

Request Format

URL: https://<management-ip>/api/objects/networkservicegroups/active-directory

Method: DELETE

Body: Empty

Response Format

Header:
Status Code: 204 No Content
Accept-Ranges: bytes
Content-Length: 0
Date: Wed, 18 Feb 2015 12:11:13 GMT
Server: CiscoASARestApiServer
(Delete Object within a object group)

CLI Reference

object-group service active-directory
 no  group-object krb5-tcp

Request Format

Header:

URL: https://<management-ip>/api/objects/networkservicegroups/active-directory
Method: PATCH

Body:

{
     “kind”: “object#NetworkServiceGroup“,
     “name”: “active-directory“,
     “members”:
     [
         {
             “kind”: “objectRef#NetworkServiceGroup“,
             “objectId”: “krb5-udp
         }
      ],
      “description”: “Default Active Directory ports
}

Note: To delete an object within an object group, you can use Put operation with all existing objects except the ones you need to delete.In this particular example I am only leaving krb5-udp in the group.

Response Format

Header:
Status Code: 200 OK
Accept-Ranges: bytes
Content-Length: 374
Content-Type: application/json; charset=UTF-8
Date: Wed, 18 Feb 2015 12:07:46 GMT
Server: CiscoASARestApiServer
Vary: Accept-Charset, Accept-Encoding, Accept-Language, Accept

Object Network

Create

CLI Reference (host)

object network win-dc-01
 host 10.0.0.10

REST Request Format (host)

 

URL: https://<management-ip>/api/objects/networkobjects

Method: POST

Body:

{
  “host”: {
    “kind”: “IPv4Address“,
    “value”: “10.0.0.10
  },
  “kind”: “object#NetworkObj“,
  “name”: “win-dc-01
}

REST Response Header Format

Header:
Status Code: 201 Created
Accept-Ranges: bytes
Content-Length: 0
Date: Wed, 18 Feb 2015 14:40:47 GMT
Server: CiscoASARestApiServer
Vary: Accept-Charset, Accept-Encoding, Accept-Language, Accept

CLI Reference (network)

object network web-tier
 subnet 172.16.0.0 255.255.255.0

REST Request Format

Method: POST
Body:
{
  “host”: {
    “kind”: “IPv4Network“,
    “value”: “172.16.0.0/24
  },
  “kind”: “object#NetworkObj“,
  “name”: “web-tier
}

REST Response Header Format

Header:
Status Code: 201 Created
Accept-Ranges: bytes
Content-Length: 0
Date: Wed, 18 Feb 2015 14:48:08 GMT
Server: CiscoASARestApiServer
Vary: Accept-Charset, Accept-Encoding, Accept-Language, Accept

Modify

CLI Reference (host)

object network win-dc-01
 host 10.0.0.11

Request Format

(To change/add objects withing a group)

Header

URL: https://<management-ip>/api/objects/networkobjects/win-dc-01
Method: PATCH

Body:

{
  “host”: {
    “kind”: “IPv4Address“,
    “value”: “10.0.0.11
  },
  “kind”: “object#NetworkObj“,
  “name”: “win-dc-01
}

Response Format

Header:
Status Code: 204
Content-Length: 0
Location: https://10.201.230.5/api/objects/networkobjects/win-dc-01
Server: CiscoASARestApiServer
Accept-Ranges: bytes
Vary: Accept-Charset, Accept-Encoding, Accept-Language, Accept
Date: Wed, 18 Feb 2015 14:43:44 GMT

Retrieve

CLI Reference

show run | be object network win-dc-01

Request Format

Method: GET
Body: Empty

Response Format

Header:

Status Code: 200 OK
Accept-Ranges: bytes
Content-Length: 191
Content-Type: application/json; charset=UTF-8
Date: Wed, 18 Feb 2015 14:49:59 GMT
Server: CiscoASARestApiServer
Vary: Accept-Charset, Accept-Encoding, Accept-Language, Accept
Body:
{
   “kind”: “object#NetworkObj“,
   “name”: “win-dc-01“,
   “host”:
   {
       “kind”: “IPv4Address“,
       “value”: “10.0.0.11
   },
   “objectId”: “win-dc-01
}

Delete

CLI Reference

no object network win-dc-01
Request Format
Method: DELETE
Body: Empty

Response Format

Header:
Status Code: 204 No Content
Accept-Ranges: bytes
Content-Length: 0
Date: Wed, 18 Feb 2015 14:52:26 GMT
Server: CiscoASARestApiServer

Network Object Group

Create

CLI Reference

object-group network dc-win-servers
 network-object object dc-win-01

REST Request Format (host)

URL: https://<management-ip>/api/objects/networkobjectgroups
Method: POST

Body:

{
     “kind”: “object#NetworkObjGroup“,
     “name”: “dc-win-servers“,
     “members”:
     [
         {
             “kind”: “objectRef#NetworkObj“,
             “objectId”: “win-dc-01
         }
     ],
     “description”: “Corporate AD Servers
}

REST Response Header Format

Header:
Status Code: 201 Created
Accept-Ranges: bytes
Content-Length: 0
Date: Wed, 18 Feb 2015 15:02:28 GMT
Server: CiscoASARestApiServer
Vary: Accept-Charset, Accept-Encoding, Accept-Language, Accept

Modify

CLI Reference (host)

object-group network dc-win-servers
 network-object object dc-win-01
 network-object object dc-win-02

Request Format

(To change/add objects withing a group)
Header:
Method: PATCH

 

Body:

{
           “kind”: “object#NetworkObjGroup“,
           “name”: “dc-win-servers“,
           “members”:
           [
               {
                   “kind”: “objectRef#NetworkObj“,
                   “objectId”: “win-dc-01
               },
               {
                   “kind”: “objectRef#NetworkObj“,
                   “objectId”: win-dc-02
               }
           ],
           “description”: “Corporate AD Servers
}

Response Format

Header:
Status Code: 204
Content-Length: 0
Location: https://10.201.230.5/api/objects/networkobjectgroups/dc-win-servers
Server: CiscoASARestApiServer
Accept-Ranges: bytes
Vary: Accept-Charset, Accept-Encoding, Accept-Language, Accept
Date: Wed, 18 Feb 2015 15:09:07 GMT

Retrieve

 

CLI Reference

show object-group id dc-win-servers

Request Format

 
Method: GET
Body: Empty

Response Format

Header:

Status Code: 200 OK
Accept-Ranges: bytes
Content-Length: 465
Content-Type: application/json; charset=UTF-8
Date: Wed, 18 Feb 2015 15:12:39 GMT
Server: CiscoASARestApiServer
Vary: Accept-Charset, Accept-Encoding, Accept-Language, Accept
Body:
{
   “kind”: “object#NetworkObjGroup“,
   “name”: “dc-win-servers“,
   “members”:
   [
       {
           “kind”: “objectRef#NetworkObj“,
           “refLink”: “https://10.201.230.5/api/objects/networkobjects/win-dc-01“,
           “objectId”: “win-dc-01
       },
       {
           “kind”: “objectRef#NetworkObj“,
           “refLink”: “https://10.201.230.5/api/objects/networkobjects/win-dc-02“,
           “objectId”: “win-dc-02
       }
   ],
   “description”: “Corporate AD Servers“,
   “objectId”: “dc-win-servers
}

Delete

CLI Reference

no object-group network dc-win-servers

Request Format

Header:
Method: DELETE
Body: Empty

Response Format

Header:
Status Code: 204 No Content
Accept-Ranges: bytes
Content-Length: 0
Date: Wed, 18 Feb 2015 15:16:43 GMT
Server: CiscoASARestApiServer

To delete an object within an object group you can use the same approach with Patch operations and listing only objects that you want to keep in object group.

Access Control List

Create

CLI Reference

access-list global_access remark Allow web-tier to Domain Controllers
access-list global_access extended permit object-group active-directory object-group web-and-db-tier object-group dc-win-servers log
access-group global_access global

REST Request Format (host)

Header:
Method: POST
Body:
{
        “sourceAddress”: {
        “kind”: “objectRef#NetworkObjGroup“,
        “objectId”: “web-and-db-tier
      },
      “destinationAddress”: {
        “kind”: “objectRef#NetworkObjGroup“,
        “objectId”: “dc-win-servers
      },
      “sourceService”: {
        “kind”: “objectRef#NetworkServiceGroup“,
        “objectId”: “active-directory
      },
      “destinationService”: {
        “kind”: “objectRef#NetworkServiceGroup“,
        “objectId”: “active-directory
      },
      “permit”: true,
      “active”: true,
      “remarks”: [“Allow web-tier to Domain Controllers“],
      “ruleLogging”: {
        “logInterval”: 300,
        “logStatus”: “Informational
      }
}
To create another line in same global ACL just modify the Request body and a new line will be added in the end of ACL. A reference value will be returned.

REST Response Header Format

Header:
Status Code: 201 Created
Accept-Ranges: bytes
Content-Length: 0
Date: Wed, 18 Feb 2015 15:35:20 GMT
Server: CiscoASARestApiServer
Vary: Accept-Charset, Accept-Encoding, Accept-Language, Accept

Modify

CLI Reference

access-list global_access remark Allow Domain Controllers to Web-Tier
access-list global_access extended permit object-group active-directory object-group dc-win-servers object-group web-and-db-tier log
access-group global_access global

Request Format

(To change/add objects withing a group)
Header:
URL: https://<management-ip>/api/access/global/rules/3028343169
Method: PATCH

Body:

{
        “sourceAddress“: {
        “kind”: “objectRef#NetworkObjGroup“,
        “objectId”: “dc-win-servers
      },
      “destinationAddress“: {
        “kind”: “objectRef#NetworkObjGroup“,
        “objectId”: “web-and-db-tier
      },
      “sourceService”: {
        “kind”: “objectRef#NetworkServiceGroup“,
        “objectId”: “active-directory
      },
      “destinationService”: {
        “kind”: “objectRef#NetworkServiceGroup“,
        “objectId”: “active-directory
      },
      “permit”: true,
      “active”: true,
      “remarks”: [“Allow Domain Controllers to Web Tier“],
      “ruleLogging”: {
        “logInterval”: 300,
        “logStatus”: “Informational
      }
}

Response Format

Header:
Status Code: 204
Content-Length: 0
Location: https://10.201.230.5/api/access/global/rules/2372118638
Server: CiscoASARestApiServer
Accept-Ranges: bytes
Vary: Accept-Charset, Accept-Encoding, Accept-Language, Accept
Date: Wed, 18 Feb 2015 15:44:50 GMT

Retrieve

 

CLI Reference

show access-list global_access

Request Format

 
Method: GET
Body: Empty

Response Format

Header:

Status Code: 200 OK
Accept-Ranges: bytes
Content-Length: 2088
Content-Type: application/json; charset=UTF-8
Date: Wed, 18 Feb 2015 15:55:03 GMT
Server: CiscoASARestApiServer
Vary: Accept-Charset, Accept-Encoding, Accept-Language, Accept
Body:
{
   “kind”: “collection#ExtendedACE“,
   “rangeInfo”:
   {
       “offset”: 0,
       “limit”: 2,
       “total”: 2
   },
   “items”:
   [
       {
           “kind”: “object#ExtendedACE“,
           “selfLink”: “https://10.201.230.5/api/access/global/rules/3028343169“,
           “permit”: true,
           “sourceAddress”:
           {
               “kind”: “objectRef#NetworkObjGroup“,
               “objectId”: “web-and-db-tier
           },
           “destinationAddress”:
           {
               “kind”: “objectRef#NetworkObjGroup“,
               “refLink”: “https://10.201.230.5/api/objects/networkobjectgroups/dc-win-servers“,
               “objectId”: “dc-win-servers
           },
           “sourceService”:
           {
               “kind”: “objectRef#NetworkServiceGroup“,
               “objectId”: “active-directory
           },
           “destinationService”:
           {
               “kind”: “objectRef#NetworkServiceGroup“,
               “objectId”: “active-directory
           },
           “active”: true,
           “remarks”:
           [
               “Allow web-tier to Domain Controllers
           ],
           “ruleLogging”:
           {
               “logInterval”: 300,
               “logStatus”: “Informational
           },
           “isAccessRule”: true,
           “position”: 1,
           “objectId”: “3028343169
       },
       {
           “kind”: “object#ExtendedACE“,
           “selfLink”: “https://10.201.230.5/api/access/global/rules/2372118638“,
           “permit”: true,
           “sourceAddress”:
           {
               “kind”: “objectRef#NetworkObjGroup“,
               “refLink”: “https://10.201.230.5/api/objects/networkobjectgroups/dc-win-servers“,
               “objectId”: “dc-win-servers
           },
           “destinationAddress”:
           {
               “kind”: “objectRef#NetworkObjGroup“,
               “objectId”: “web-and-db-tier
           },
           “sourceService”:
           {
               “kind”: “objectRef#NetworkServiceGroup“,
               “objectId”: “active-directory
           },
           “destinationService”:
           {
               “kind”: “objectRef#NetworkServiceGroup“,
               “objectId”: “active-directory
           },
           “active”: true,
           “remarks”:
           [
               “Allow Domain Controllers to Web Tier
           ],
           “ruleLogging”:
           {
               “logInterval”: 300,
               “logStatus”: “Informational
           },
           “isAccessRule”: true,
           “position”: 2,
           “objectId”: “2372118638
       }
   ]
}

Delete

CLI Reference

no access-list global_access remark Allow Domain Controllers to Web Tier
no access-list global_access extended permit object-group active-directory object-group dc-win-servers object-group web-and-db-tier log

Request Format

Header:
Method: DELETE
Body: Empty

Response Format

Header:
Status Code: 204 No Content
Accept-Ranges: bytes
Content-Length: 0
Date: Wed, 18 Feb 2015 15:52:34 GMT
Server: CiscoASARestApiServer

Conclusion

ASA REST API is a very powerful interface, and as times goes I am sure that for customers that invested in this firewall product it will be the preferred way how to program their security policies automatically during application deployment.

Saving time with VM templates

Image that you need to provision 1000 virtual machines for new web server farm. Doing this manually can be boring and can take long time answering all installation questions, patching and updating base OS to get it in right shape.

There is a better way by utilizing VM templates. Templates are like golden images, you install the OS once, do all changes you need to and than you convert it into a template that can be later used to create identical clones.

There is however one problem with clones, and that is that they are same in almost every way. We need to modify these clones to include some uniqueness such as hostnames, ip addresses, public/private keys. Some operating system such as Windows support sysprep which are set of scripts that can modify the Operating System as it being deployed, which makes it easy to perform changes during deployment.

The support for most linux operating systems customization wizard was discontinued in vSphere 5. So you need to look at another way like Puppet or Chef.

Converting a virtual machine into a template is easy, just right click on it and select Clone to Template.  In this example I am using the previously updated Debian 7.8 guest that has open VM tools installed.

vm-templates

The vCenter will mark the virtual machine as a template and will remove it from the main Hosts and Clusters window to VMs and Templates. Browser to that location and highlight the newly created template.

You will now have an option to either Deploy Virtual Machine form this Template or Convert back to Virtual Machine.

vm-templates-1

We are going to select the first option, and after answering questions like how to name the new VM, and where to place it, validation check occurs and the new guest will be deployed.

This is also the one of the places to make changes virtual disk, such as migrating from Thick to Thin provisioning.

After switching to new VM Console, you will be be presented by deb01 login prompt. You can use the following script to rename the box to deb02. Execute and then do a quick reboot.

#!/bin/bash
# 
usage() {
   echo "usage : $0 <new hostname>"
   exit 1
}

[ "$1" ] || usage

old=$(hostname)
new=$1

for file in \
   /etc/exim4/update-exim4.conf.conf \
   /etc/printcap \
   /etc/hostname \
   /etc/hosts \
   /etc/ssh/ssh_host_rsa_key.pub \
   /etc/ssh/ssh_host_dsa_key.pub \
   /etc/motd \
   /etc/ssmtp/ssmtp.conf
do
   [ -f $file ] && sed -i.old -e "s:$old:$new:g" $file
done
Depending on our network configuration, you may also need to change IP addresses if you are not using DHCP to avoid collisions. And also shuffling SSH keys would be a good idea too.
Anyway, this is a great way for home lab when you want to create lots of test machines and test features like load balancing. You can create various flavors from the vanilla template like web server or database server.
Resources