Monthly Archives: April 2014

[Tutorial] Deploying VMware vCloud Networking and Security 5.5

Here is a tutorial on deploying VMware vCloud Networking and Security 5.5 (formerlly called vShield).  Unlike other VMware products, this product must be installed as an appliance.  VMware provides you an OVA file that contains the entire virtual appliance, so minimal configuration is needed.  Here is a good overview of the product and how it works: http://vmwarelearning.com/vcloud_net_sec/

Before beginning, here are the following hardware prerequisites.  These prerequisites can be found from the official VMware deployment guide: http://www.vmware.com/pdf/vshield_51_quickstart.pdf

  • Memory
    • vShield Manager: 8GB allocated, 3GB reserved
    • vShield App: 1GB allocated, 1 GB reserved
    • vShield Edge compact: 256 MB, large: 1 GB, x-large: 8 GB
    • vShield Data Security: 512 MB
  • Disk Space
    • vShield Manager: 60 GB
    • vShield App: 5 GB per vShield App per ESX host
    • vShield Edge compact and large: 320 MB, lx-Large: 4.4 GB (with 4 GB swap file)
    • vShield Data Security: 6GB per ESX host
  • vCPU
    • vShield Manager: 2
    • vShield App: 2
    • vShield Edge compact: 1, large and x-Large: 2
    • vShield Data Security: 1

Installing VMware vCloud Networking and Security 5.5 Appliance

  1. Download the VMware vCloud Networking and Security 5.5 OVA file from myvmware.com
  2. Login to vCenter
  3. Select File->Deploy OVF Template...
    Deploy OVF Template...
  4. Click Browse...
    Deploy OVF Template - Browse
  5. Select the VMware-vShield-Manager-5.5.x-xxxxxxx.ova file you downloaded and click OK
    Deploy OVF Template - VMware vShield Manager Appliance
  6. Select Next >
    Deploy OVF Template - Browse - vShield Appliance
  7. Select Next >
    Deploy OVF Template - vShield Manager
  8. Select Accept and then click Next >
    Deploy OVF Template - vShield Manager - Accept EULA
  9. Enter a name for the VM and click Next >
    Deploy OVF Template - vShield Manager - Name and Location
  10. Select a datastore to place the VM on storage and click Next >
    Deploy OVF Template - vShield Manager - Deploy OVF Template
  11. Select how you want to provision the VM and click Next >
    Deploy OVF Template - vShield Manager - Disk Format
  12. Select the destination network and click Next >
    Deploy OVF Template - vShield Manager - Network Mapping
  13. Enter in a password for the default admin user and for privileged CLI access and click Next >
    Deploy OVF Template - vShield Manager - Properties - User Accounts
  14. Click Finish
    Deploy OVF Template - vShield Manager - Finish Deployment
  15. Power on the VM
    Power On vShield Appliance
  16. Open up a console the VM
  17. Login to the VM using the username admin and the "user password" you specified in step 13.
    Login vShield Appliance - CLI
  18. Type enable and hit enter (use the "privileged user password" you specified in step 13).
    Login vShield Appliance - CLI - Privileged
  19. Type setup and hit enter to launch the network configuration wizard
    Enter in the static IP Address you wish to assign to the appliance and hit enter
    Enter in the Subnet Mask for your network and hit enter
    Enter in the Default gateway for your network and hit enter
    Enter in your Primary DNS server's IP address and hit enter
    Enter in your Secondary DNS server's IP addres and hit enter
    Enter in your domain search list (DNS Suffix if you host your own internal DNS) and hit enter
    Login vShield Appliance - CLI - Network Setup
  20. Type y to confirm your changes and hit enter
    Login vShield Appliance - CLI - Network Setup - Confirm
  21. Press control+alt+insert to send the control+alt+delete command to the VM to restart the guest.
    Note: Logging out like the wizard tells you didn't work for me.  Had to do the reboot.
    Login vShield Appliance - CLI - Network Setup - Logout
  22. Open up your webbrowser and head over to the static IP address you gave your appliance
    VMware vShield Manager - Login
  23. Enter in the username admin and the password default to login
    VMware vShield Manager - Login - Default Credentials

Configuring VMware vCloud Networking and Security 5.5 for vCenter

  1. Click on the Edit button next to Lookup Service
    vShield Manager
  2. Check Configure Lookup Service and enter in the information to your vCenter's Lookup Service instance:
    Lookup Service Host
    Lookup Service Port
    SSO Administrator Username (should be admin@System-Domain or [email protected] if you used the default installation options)
    SSO Administrator Password.
    Click OK once configured.
    vShield Manager - Edit - Lookup Service
  3. Click Yes to trust the server's SSL certificate
    vShield Manager - Edit - Lookup Service - Verify SSL
  4. Click Edit next to vCenter Server
    vShield Manager - vCenter Server
  5. Enter in your vCenter info and click OK
    vCenter Server
    Administrator Username
    Administrator Password
    vShield Manager - Edit - vCenter Server
  6. Select Yes to trust the vCenter SSL certificate
    vShield Manager - Edit - vCenter Server - Verify SSL
  7. Check Install this certificate and do not display any security warnings and then click the Ignore button when prompted
    VMware Security Warning - SSL Certificate
  8. Click the Edit button next to NTP Server
    vShield Manager - NTP Server
  9. Specify the IP address of the NTP server you wish to sync to and click OK
    vShield Manager - Edit - NTP Server
  10. Click the Change Password link at the top to change the default admin password.  Click OK when you are done.
    vShield Manager - Edit - Admin Password

At this point, you can begin to install the vShield App, vShield Endpoint, and vShield Data Security services by selecting one of your hosts and clicking the Install links.  However, configuration of these options is outside the scope of this tutorial.

vShield Manager - vShield Host Prepartion Status

Note: One thing that I did notice that is different from vShield 5.1 is that once vShield Manager 5.5 is synchronized with vCenter, the management plugin will automatically be registered to vCenter and you can access vShield Manager from the vSphere Client.

[Tutorial] Adding firewall rules via system-config-firewall-tui on CentOS 6

Here is a quick tutorial on how to add an ingress firewall rule on your CentOS 6 machine.  In this example, we will be forwarding port 443 for HTTPS.

  1. Open up terminal if you are on the GUI version of CentOS 6
    CentOS6 - Terminal
  2. Execute the following command
    1. system-config-firewall-tui
      Terminal - system-config-firewall-tui
  3. Use your arrow keys to select Customize and hit enter
    system-config-firewall-tui - Customize Rules
  4. Use your arrow keys to select which service you would like to allow.  Hit the spacebar to enable or disable the rule and then select Close once you have enabled/disabled the rules you wish.
    1. In this case, I arrowed down to HTTPS and hit the spacebar.
      system-config-firewall-tui - Select Rules
  5. Select OK
    system-config-firewall-tui - Apply Rules
  6. Select Yes
    system-config-firewall-tui - Apply Rules - Confirmation

[Tutorial] How-to install VMTools on CentOS 6

Here is a quick tutorial on how to get VMware Tools up and running on a CentOS 6 Linux machine.  Although the instructions are shown with the GUI, we'll use terminal so the guide works with both gui and non-gui based installs.

  1. Mount the VM tools installer to your VM
    Install-Upgrade VMware Tools
  2. Open up Terminal
    CentOS6 - Terminal
  3. Execute the following command (this will create a mount point for our CD drive)
    1. mkdir /cdrom
      CentOS6 - VMware Tools - New Mount Point
  4. Execute the following command (this will map the CD drive to our cdrom mount point)
    1. mount /dev/cdrom /cdrom
      CentOS6 - VMware Tools - Map Mount Point cdrom
  5. Execute the following command to move to your temporary files folder
    1. cd /tmp
      CentOS6 - VMware Tools - Temporary Files
  6. Execute the following command to extract the VMware Tools tarball
    1. tar -xvf /cdrom/VMwareTools (tab to autofill the rest of the package)
      CentOS6 - VMware Tools - Extract VMware Tools
  7. Execute the following command to run the VMware Tools installer
    1.  ./vmware-tools-distrib/vmware-install.pl
      CentOS6 - VMware Tools - Install VMware Tools
  8. Press Enter/Return through each of the questions, using their defaults
    CentOS6 - VMware Tools - Install Default Values
    CentOS6 - VMware Tools - Install Default Values Continued
    CentOS6 - VMware Tools - Install Default Values Continued Continued
  9. Verify VMtools is running by looking at the client status in vSphere
    CentOS6 - VMware Tools - vSphere Status

[Tutorial] Upgrading the firmware on a Cisco 5508 Wireless LAN Controller

This guide will show you what steps are needed to get your Cisco 5508 Wireless LAN Controller to the latest and greatest state.

  1. Download and install a TFTP Server program
    1. TFTPD is the recommend program to be used by Cisco.  It is a free and can be obtained from here: http://tftpd32.jounin.net/tftpd32_download.html
  2. Ensure your TFTP server instance is running and pointed to a directory of your choice.
    In this tutorial, I will be using C:\TFTP-Root as my directory for hosting firmware.
    Tftpd32
  3. Ensure you have an inbound firewall created to allow incoming connections to your machine on UDP port 69 if you will be using the TFTP option.
    UDP 69 - TFTP - Windows Firewall with Advanced Security
  4. Copy the firmware you want to transfer to the WLC to the TFTP server's directory
    TFTP-Server Firmware Directory
  5. Login to your Cisco WLC and select the Commands tab
    Cisco WLC 5508 - Commands Tab
  6. Ensure the following settings are entered and then click the Download button
    1. File Type: Code
      Transfer Mode: TFTP
      IP Address: xxx.xxx.xxx.xxx (IP Address to your machine)
      File Path: / (Use a relative file path; for example, if your firmware was located at c:\tftp-server\cisco5508\AIR-CT5500-K9-7-6-110-0.aes, use /cisco5508/)
      File Name: AIR-CT5500-K9-7-6-110-0.aes (or whatever your firmware is called)
      TFTP File transfer is successful
  7. Click OK when prompted to transfer the firmware
    Please confirm that you want to initiated the Code download process
  8. Once the firmware has finished updating, click on the Click Here link to reboot the WLC.
    TFTP File transfer is successful
  9. On the System Reboot page, hit the Save and Reboot button.
    Cisco WLC 5508 - Commands - Save and Reboot
  10. Click OK on the Configuration will be saved and the controller will be rebooted prompt.
    Configuration will be saved and the controller will be rebooted - Click ok to confirm
  11. Once the wireless LAN controller reboots, you should now be on the firmware version you provided.  You can verify on the Monitor page.
    Latest WLC firmware with outdated FUS
  12. At this point, you can can be done with your upgrade, however, it is highly recommended you also upgrade to the latest (or compatibile), version of the Field Upgrade Software (FUS) in additional to the WLC firmware (provided Cisco has a new version). The same steps to upgrade the FUS are of steps 6-10.
    1. Additional note, the FUS takes a considerable amount of time to upgrade the WLC.  It is normal for the FUS to take 30-50 minutes to upgrade after applying the firmware.  If you are not busy or intersted, you can watch the FUS upgrade various components if you console into the WLC during boot to keep an eye on things.
  13. Once the WLC and FUS firmware versions have been upgraded to their compatbile versions, you should be good to go! 🙂

Pushing firmware through CLI

If you wish to push the firmware manually via TFTP or FTP, you can use the following commands below (order doesn't matter as long as transfer download start is entered last).  The process is the same for uploading the firmware to the WLC, you only need to swap out the filename for either the FUS firmware or WLC firmware.

(Cisco Controller) > transfer download datatype code
(Cisco Controller) > transfer download mode tftp (can use ftp as well)
(Cisco Controller) > transfer download username user (only needed if using ftp)
(Cisco Controller) > transfer download password password (only needed if using ftp)
(Cisco Controller) > transfer download filename AIR-CT5500-K9-1-9-0-0-FUS.aes
(Cisco Controller) > transfer download path /
(Cisco Controller) > 
transfer download start


As of 4/14/2014, here are the latest firmware versions:

Release 1.9.0.0 for the Field Upgrade Software

Release 7.6.110.0ED for the Wireless LAN Controller


Notes: While upgrading our WLC from stock firmware, I received a strange error stating % Error: Code file transfer failed – Error while writing output file.  Please see my other blog post in regards to upgrading really old firmware on this device to the latest version: http://jackstromberg.com/2014/04/cisco-wlc-firmware-upgrade-error-code-file-transfer-failed-error-while-writing-output-file/

Cisco WLC Firmware Upgrade - % Error: Code file transfer failed - Error while writing output file

Symptom: When trying to upgrade your 5508 Wireless LAN Controller from an older firmware version (6.0.199.4 in my case), you receive the following error:

% Error: Code file transfer failed - Error while writing output fileError Code file transfer failed - Error while writing output file

Solution: When upgrading the firmware on the 5508, greater versions need to be applied incrementally.  Stock 5508 WLCs appear to be shipping with Software Version 6.0.199.4, the following firmware versions should be applied to reach the latest and greatest versions.

I applied the following upgrades to reach higher versions:

6.0.x  to 7.2.x ED

7.2.x ED to 7.x