Home Lab 2 – Ubiquiti UniFi networking and DNS considerations

IP Address Class consideration

Class is in session.

Every so often I see organizations using Class C private IP address ranges. When I see this it makes me think that I’ve run across a company where the business was so successful they had no time to work through developing an IP schema.

I’ve had some growth pains in using a Class C range, and with a new home-lab this caused me to spend some time deciding which private IP range and class I needed. Since I’ve run into issues dealing with conflicting ranges using the Class A 10.x.x.x and my corporate VPN tunnel, that range was out of the running early on. Class C was too many small subnets and plainly grouping them into a supernet was overkill.

So, I chose to use a Private Class B network in my home network to allow me more flexibility in carving out various subnets. This will allow me to use a /21 CIDR block to carve up the 172.16.x.x network into multiple ranges. Some of these are overkill and some are possible future expansion that I wanted to have in for planning now.

IP Ranges
172.16.40.0/21 – Management Network – VLAN 40
172.16.48.0/21 – vMotion Network – VLAN 48
172.16.56.0/21 – iSCSI – Network 1 – VLAN 56
172.16.64.0/21 – iSCSI – Network 2 – VLAN 64
172.16.72.0/21 – NFS Network – VLAN 72
172.16.80.0/21 – VSAN Network – VLAN 80
172.16.88.0/21 – NSX Control – VLAN 88
172.16.96.0/21 – HCX – VLAN 96
172.16.128.0/21 – Guest Network 1 – VLAN 128
172.16.136.0/21 – Guest Network 2 – VLAN 136
172.16.144.0/21 – Guest Network 3 – VLAN 144
172.16.152.0/21 – Guest Network 4 – VLAN 152
172.16.160.0/21 – Guest Network 5 – VLAN 160
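
The plan above can be linted before any VLAN is created. This is an added example, not part of the original post: the function names, the RESERVED list (the 172.16.0.0/21 default network the post sets up in UniFi) and the sample VPN routes are assumptions made for illustration.

```python
import ipaddress

# Plan copied from the "IP Ranges" list: (CIDR, purpose, VLAN ID).
PLAN = [
    ("172.16.40.0/21", "Management", 40),
    ("172.16.48.0/21", "vMotion", 48),
    ("172.16.56.0/21", "iSCSI 1", 56),
    ("172.16.64.0/21", "iSCSI 2", 64),
    ("172.16.72.0/21", "NFS", 72),
    ("172.16.80.0/21", "VSAN", 80),
    ("172.16.88.0/21", "NSX Control", 88),
    ("172.16.96.0/21", "HCX", 96),
    ("172.16.128.0/21", "Guest 1", 128),
    ("172.16.136.0/21", "Guest 2", 136),
    ("172.16.144.0/21", "Guest 3", 144),
    ("172.16.152.0/21", "Guest 4", 152),
    ("172.16.160.0/21", "Guest 5", 160),
]
# Assumption: the UniFi default network from the post is kept out of the plan.
RESERVED = ["172.16.0.0/21"]


def lint_plan(plan, parent="172.16.0.0/16", prefix=21, reserved=RESERVED):
    """Return a list of problems; an empty list means the plan is consistent."""
    parent_net = ipaddress.ip_network(parent)
    taken = [(ipaddress.ip_network(r), "reserved") for r in reserved]
    problems = []
    for cidr, name, vlan in plan:
        try:
            net = ipaddress.ip_network(cidr)  # strict: host bits must be zero
        except ValueError:
            problems.append(f"{name}: {cidr} is not on a subnet boundary")
            continue
        if net.prefixlen != prefix:
            problems.append(f"{name}: expected /{prefix}, got /{net.prefixlen}")
        if not (net.is_private and net.subnet_of(parent_net)):
            problems.append(f"{name}: {cidr} is outside {parent}")
        if not 1 <= vlan <= 4094:
            problems.append(f"{name}: VLAN {vlan} is not a valid 802.1Q ID")
        elif vlan != net.network_address.packed[2]:
            # Convention visible in the list: VLAN ID equals the third octet.
            problems.append(f"{name}: VLAN {vlan} does not match {cidr}")
        for other, other_name in taken:
            if net.overlaps(other):
                problems.append(f"{name}: {cidr} overlaps {other_name} {other}")
        taken.append((net, name))
    return problems


def free_blocks(plan, parent="172.16.0.0/16", prefix=21, reserved=RESERVED):
    """List the blocks of the given prefix length that are still unallocated."""
    used = [ipaddress.ip_network(c) for c, _, _ in plan]
    used += [ipaddress.ip_network(r) for r in reserved]
    return [s for s in ipaddress.ip_network(parent).subnets(new_prefix=prefix)
            if not any(s.overlaps(u) for u in used)]


def route_conflicts(plan, remote_routes):
    """Pair each local subnet with any remote (e.g. VPN-pushed) route it overlaps."""
    remote = [ipaddress.ip_network(r) for r in remote_routes]
    return [(cidr, str(r)) for cidr, _, _ in plan for r in remote
            if ipaddress.ip_network(cidr).overlaps(r)]


if __name__ == "__main__":
    print("problems:", lint_plan(PLAN) or "none")
    print("free /21 blocks:", len(free_blocks(PLAN)))
    # Constructed sample routes standing in for what a VPN client might push.
    for routes in (["10.0.0.0/8"], ["172.16.64.0/18"]):
        print(routes, "->", route_conflicts(PLAN, routes) or "no conflict")
```
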

Ubiquiti UniFi network VLAN setup with DHCP and DNS Options

In order to work with the above stated IP address ranges, I tore down my existing UniFi Networking setup and replaced it with a basic Default network (VLAN 0) configuration of 172.16.0.0/21 and this is where all of my networking equipment management IP addresses live.

In the UniFi interface under setup and networking I created multiple networks for various uses in my home network, such as a separate IoT network and a Guest network for Wi-Fi and associated SSID broadcast, along with two different networks for my house and one for my in-laws who live here on property with us.

Here is an example of the setup for Guest Network 5 using the 172.16.160.0/21 Network and VLAN 160

I set up the DHCP ranges with a very large block of IP addresses. I may alter this later as I start to build out workloads in these various CIDR ranges. In each network I added the Raspberry Pi IP address on that network as a DNS server, and the Ubiquiti Dream Machine SE (UDM-SE) IP Gateway address and the overall UDM-SE IP address as fallback DNS servers. Currently each IP address range is routable internally and can reach the internet. Eventually I will add Firewall rules that will restrict internet and intra-VLAN access. Currently this is not needed.

Here is a screen shot of the Networks as shown in UniFi Network that comprise the section of my home-lab setup.

The next section will assume you have a running Raspberry Pi that is connected to your network and has been updated to a recent version of Raspbian. I am running this on a Raspberry Pi 3B+ with the Buster build of Raspbian.

Raspberry Pi Networking configuration

Add VLAN interfaces to the eth0 connection
Open a terminal session or connect to your Pi via SSH and then:

sudo nano /etc/rc.local
sudo ip link add link eth0 name eth48 type vlan id 48
sudo ip link add link eth0 name eth56 type vlan id 56
sudo ip link add link eth0 name eth64 type vlan id 64
sudo ip link add link eth0 name eth72 type vlan id 72
sudo ip link add link eth0 name eth80 type vlan id 80
sudo ip link add link eth0 name eth88 type vlan id 88
sudo ip link add link eth0 name eth96 type vlan id 96
sudo ip link add link eth0 name eth128 type vlan id 128
sudo ip link add link eth0 name eth136 type vlan id 136
sudo ip link add link eth0 name eth144 type vlan id 144
sudo ip link add link eth0 name eth152 type vlan id 152
sudo ip link add link eth0 name eth160 type vlan id 160

Save the file with a <Ctrl-O> and a <Ctrl-X> to exit the editor
Next, edit the dhcpcd.conf file and add the static IP address for each interface

sudo nano /etc/dhcpcd.conf
interface eth0
static ip_address=172.16.40.2/21
static routers=172.16.40.1
static domain_name_servers=8.8.8.8
static domain_search=
noipv6

interface eth48
static ip_address=172.16.48.2/21
static routers=
static domain_name_servers=
static domain_search=
noipv6

interface eth56
static ip_address=172.16.56.2/21
static routers=
static domain_name_servers=
static domain_search=
noipv6

interface eth64
static ip_address=172.16.64.2/21
static routers=
static domain_name_servers=
static domain_search=
noipv6

interface eth72
static ip_address=172.16.72.2/21
static routers=
static domain_name_servers=
static domain_search=
noipv6

interface eth80
static ip_address=172.16.80.2/21
static routers=
static domain_name_servers=
static domain_search=
noipv6

interface eth88
static ip_address=172.16.88.2/21
static routers=
static domain_name_servers=
static domain_search=
noipv6

interface eth96
static ip_address=172.16.96.2/21
static routers=
static domain_name_servers=
static domain_search=
noipv6

interface eth128
static ip_address=172.16.128.2/21
static routers=
static domain_name_servers=
static domain_search=
noipv6

interface eth136
static ip_address=172.16.136.2/21
static routers=
static domain_name_servers=
static domain_search=
noipv6

interface eth144
static ip_address=172.16.144.2/21
static routers=
static domain_name_servers=
static domain_search=
noipv6

interface eth152
static ip_address=172.16.152.2/21
static routers=
static domain_name_servers=
static domain_search=
noipv6

interface eth160
static ip_address=172.16.160.2/21
static routers=
static domain_name_servers=
static domain_search=
noipv6 

Save the file with a <Ctrl-O> and a <Ctrl-X> to exit the editor
Reboot for the configuration to take effect and then the next section can be started.

Raspberry Pi webmin installation

webmin is an application that will allow you to administer a number of server functions on your Raspberry Pi via a web interface. I am specifically going to use this for managing DNS/BIND for my home-lab environment. This will let me configure and change host records and reverse DNS lookups for my ESXi, vCenter, NSX and other infrastructure. Also, this will become the primary DNS for guests running in my home-lab. I chose to use the Raspberry Pi for this mainly for ease of use and to allow me to stand up the environment quickly if I want to power down all of my hosts and vCenter. By having the DNS external to my virtual environment, I can easily isolate and troubleshoot DNS issues. Because as we all know when there are connectivity issues it is:

Here is what I did to install webmin and head down the rabbit hole of DNS configuration:

sudo apt-get update 
sudo apt-get upgrade
sudo sh -c 'echo "deb http://ftp.au.debian.org/debian/ buster main non-free" > /etc/apt/sources.list.d/nonfree.list'
sudo apt update
sudo apt install wget

wget -qO - http://www.webmin.com/jcameron-key.asc | sudo apt-key add -
sudo sh -c 'echo "deb http://download.webmin.com/download/repository sarge contrib" > /etc/apt/sources.list.d/webmin.list'
sudo apt update
sudo apt install webmin

These instructions come directly from the webmin Wiki (https://doxfer.webmin.com/Webmin/Installation) for installing using apt (Debian/Ubuntu/Mint).

To access webmin I will then open a web browser with the following URL

https://172.16.40.2:10000/

At this point the installation continues in webmin.

Raspberry Pi BIND9 installation

In the webmin interface select Un-used Modules on the right-side menu and expand it.

Select BIND DNS Server.

Select Install Now.

Allow the system to determine which packages need to be installed or updated. Then select Install Now above the package list. The system will load the various packages using apt and will finish and start BIND and load the module in webmin.

Now that BIND has been installed the DNS can start to be configured.

BIND9/webmin basic setup, DNS Forwarder configuration

I had to select Refresh Modules at the bottom of the right-hand menu for BIND DNS Server to show up in the Servers list.

Once this has been done expand the Servers section and click on BIND DNS Server.

From here we have the basic setup of BIND. We will now set up the Forwarding and Transfers for this system so that it can reach other DNS servers on the network and, if needed, the internet.

I set mine up to use my local UDM-SE as the first location for DNS lookups and to use two of the public Google DNS servers at 8.8.8.8 and 8.8.4.4.
If these servers cannot look up the DNS entry, I’ve set BIND to try looking these up directly using the internet root DNS servers.

First, I’ll create a Root Zone with the various hints for the root DNS servers on the internet. Just select the Create root zone Button.

I’m choosing to use the default root servers included in the BIND 9 installation files.

This completes the basic DNS setup, and the next part will detail the setup of the zones for DNS and IP lookup.

BIND9/webmin reverse DNS configuration

Before I start the configuration and setup of my virtsecurity DNS domain I want to set up reverse IP lookups. This will make it easier when setting up the A records for each host in my domain.

I choose the Zone type as “Reverse” and then fill out the first two octets of the Class B 172.16.x.x network in the Domain Name / Network field.
Then I fill in the Master server name of dns and the fake email address in this instance of admin@virtsecurity.home.arpa.
Then I select Create and the zone is created in BIND.

In the next screen presented I just return to the zone list and will continue in the next section with the creation of the virtsecurity.home.arpa DNS domain.

BIND9/webmin virtsecurity.local configuration

Next I set up my local domain of virtsecurity.home.arpa. I’m using virtsecurity.home.arpa instead of virtsecurity.local as it complies with RFC 8375 (https://www.rfc-editor.org/rfc/rfc8375.html).
To do this I’ll select the Create master zone Button just as it was during the reverse DNS zone creation.

I choose the Zone type as “Forward” and then fill out the name of virtsecurity.home.arpa in the Domain Name / Network field.
Again I fill in the Master server name of dns and the fake email address in this instance of admin@virtsecurity.home.arpa.
Then I select Create and the zone is created in BIND.

This is the screen you return to after selecting Create.

Instead of returning to the zone list, I select the “Addresses” hyperlink where I can then start adding DNS A records for the hosts in my home-lab. Here below I start with creating a record for my Raspberry Pi DNS server with its name of dns. You can leave off the domain name as all systems in this group will have the same domain name appended of virtsecurity.home.arpa. I also input the IP address and select the radio button for Update Reverse (and replace existing). While in a newly created zone and with a newly created host I have often found it beneficial to force a replacement of the reverse lookup concurrently with the creation of these records.

I will now cycle through the input of the four ESXi hosts and my vCenter. Below is the IP addressing used for each:

vCenter 172.16.40.100
ESX1    172.16.40.101
ESX2    172.16.40.102
ESX3    172.16.40.103
ESX4    172.16.40.104

This is what the screen looks like while adding the last host.

At this point I can return to the zone list and setup is complete.

DNS Testing

Did it work? This is always the important question. To test I will open a command prompt on my laptop and use the nslookup tool in Windows. Another possible testing tool would be dig if you are using a Linux kernel-based system. Once I’ve opened a command prompt and run nslookup I change my default DNS server using the server {ip address} command. In my case this will be server 172.16.40.2.
Then I will try and execute a lookup for vcenter, vcenter.virtsecurity.home.arpa and then 172.16.40.2

Notice that on the first attempt with just vcenter I had a “can’t find vcenter: Query refused” response. This is due to the fact that this is a short name, and the DNS system is only answering queries for Fully Qualified Domain Names. On the next attempts for vcenter.virtsecurity.home.arpa it provided the correct IP that was expected. In testing a reverse lookup of 172.16.40.2 it responded with the correct name of dns.virtsecurity.home.arpa.

I’ll call that success.
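
The forward and reverse lookups tested by hand above can also be checked for every host at once. This is an added example, not part of the original post: the zone text is constructed from the host list in the post (with one wrong and one missing PTR inserted on purpose), the parser handles only simple one-line records, and all function names are hypothetical.

```python
import ipaddress

FORWARD_ORIGIN = "virtsecurity.home.arpa."
REVERSE_ORIGIN = "16.172.in-addr.arpa."   # reverse zone for 172.16.x.x

# Constructed zone data based on the hosts listed in the post.
FORWARD_ZONE = """\
dns      IN A 172.16.40.2
vcenter  IN A 172.16.40.100
esx1     IN A 172.16.40.101
esx2     IN A 172.16.40.102
esx3     IN A 172.16.40.103
esx4     IN A 172.16.40.104
"""
# In a /16 reverse zone the owner is "<4th octet>.<3rd octet>".
REVERSE_ZONE = """\
2.40     IN PTR dns.virtsecurity.home.arpa.
100.40   IN PTR vcenter.virtsecurity.home.arpa.
101.40   IN PTR esx1.virtsecurity.home.arpa.
102.40   IN PTR esx2.virtsecurity.home.arpa.
103.40   IN PTR esx2.virtsecurity.home.arpa.   ; constructed mistake
"""


def fqdn(name, origin):
    """Expand a zone-file name to a lower-case absolute name."""
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin, rtype):
    """Parse 'owner [ttl] IN TYPE rdata' lines into {owner_fqdn: rdata}.

    Simplification: one record per owner, no multi-line records.
    """
    records = {}
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()
        if "IN" not in fields:
            continue
        i = fields.index("IN")
        if len(fields) < i + 3 or fields[i + 1].upper() != rtype:
            continue
        records[fqdn(fields[0], origin)] = fields[i + 2]
    return records


def ptr_owner(ip):
    """Absolute PTR owner name for an address, e.g. 100.40.16.172.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def audit(forward_text, reverse_text):
    """Return (name, value, finding) tuples where A and PTR records disagree."""
    a = parse_zone(forward_text, FORWARD_ORIGIN, "A")
    ptr = {owner: fqdn(target, REVERSE_ORIGIN) for owner, target
           in parse_zone(reverse_text, REVERSE_ORIGIN, "PTR").items()}
    findings = []
    for host, ip in sorted(a.items()):
        owner = ptr_owner(ip)
        if not owner.endswith("." + REVERSE_ORIGIN):
            findings.append((host, ip, "outside reverse zone"))
        elif owner not in ptr:
            findings.append((host, ip, "missing PTR"))
        elif ptr[owner] != host:
            findings.append((host, ip, f"PTR names {ptr[owner]}"))
    for owner, target in sorted(ptr.items()):
        # A PTR is stale when its target has no A record pointing back at it.
        if target not in a or ptr_owner(a[target]) != owner:
            findings.append((owner, target, "no matching A record"))
    return findings


if __name__ == "__main__":
    for finding in audit(FORWARD_ZONE, REVERSE_ZONE):
        print(finding)
```
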

UniFi Port Aggregation LAG/LACP and vSphere considerations

I’ll have to wait on setting up the LAG/LACP on the 10GbE Switches until vCenter is up and running. I’m going to need to do some research on what type of Hashing should be set on the vCenter Distributed switch uplinks with the Ubiquiti UniFi networking stack. But that will be down the line a bit.

Next time vCenter / vSphere installation and basic networking

In the next installment I’ll be installing vSphere 8.x on each of the hosts and setting up vCenter with basic networking for vMotion, VSAN and one or two Guest networks.

Until next time y’all!

VMware Explore US 2023

For the first time since VMworld 2019 I am planning on being back in person at VMware Explore US 2023 in Las Vegas. This is going to be my first time in person as a VMware employee. I am really looking forward to connecting with customers and fellow champions in the vExpert and VMUG communities.

I am going to be working in the VMware Cloud booth supporting and talking about OCVS (Oracle Cloud VMware Solution). Come by and find me in my cowboy hat and boots and let’s chat about how you could benefit from using OCVS and how it will tie into your multi-cloud strategy. I will also likely have some stickers for your laptop.

Some of my favorite things about events like this are seeing customers and partners that I have known over the years. Having the ability to learn new techniques and technologies during the general sessions is always exciting. The breakout sessions also add deeper understanding and access to Product Management and senior engineers and consultants. I’m currently scheduled to be co-presenting about OCVS with a peer from Oracle during a breakout session on Wednesday.

One of my favorite things to do is to wander around the expo floor and see new and upcoming software vendors and new hardware. There are many good nuggets of treasure that can be found while wandering. Remember that those who wander are not lost. Making connections and having random hallway conversations often provides answers for problems or helps brainstorm new methods. Putting so much brain power into one place is so powerful in influencing trends in architecture and design. I just love conferences like this. How about you? What are the things that make you excited about VMware Explore? Will you be attending? Let’s catch up in person and see all y’all soon!

VMworld 2018 Tips and Tricks

Bringing back a previous post and adding to it.  There are a few things to cover: (A/C and room cooling, hydration, walking, scheduling, community, packing and swag).

A/C and room cooling

First and foremost close the drapes on your room.  Remember you are in the middle of the desert and in the hottest days of summer.  Block the sun from coming in while you are out of your room!!  It just makes sense. Secondly I am copying from a previous post I did last year on helping to really set your room’s thermostat.  Follow the instructions below:

Setting the room thermostat to VIP mode which allows you better control on your room A/C system.

  1. Hold down the Display button. Keep it held down till the end of the procedure.
  2. Press the Off button and release it.
  3. Press the Up button and release it.
  4. Now release the Display button.

This should put your thermostat into VIP mode and allow you to get your room temp down to a cooler temp if you like it that way. When I am in Vegas especially during the summer for shows like VMworld I can never get enough cool air around me. So far this seems to work.

Hydration

Again remember you are in the desert in the middle of summer.  Even if the conference feels cool due to the extensive A/C systems running full blast your body will lose water!  Drink plenty of fluids.  This means not just alcohol based fluids but fluids that will replenish your body’s need for H2O.  Think about bringing powdered Gatorade or other sports drinks and mixing them up onsite with the available water bottles.  While it is tempting to drink in the evening parties don’t forget to drink at least an equal amount of water to help your body detoxify overnight.  You can easily end up with a headache and it may or may not be alcohol related.  Remember if you can’t concentrate or have a headache drink water.

Walking

I know of people at VMworld who easily hit 40K+ steps per day.  Wear comfortable shoes.  Do not bring brand new shoes!  Have a change of shoes and have plenty of changes of socks.  It may not be a bad idea to pack some band-aids or other bandages in case of the dreaded blisters on your feet!  I also know that some who shall remain nameless even go so far as to wear their compression socks to keep the swelling down to a minimum while on the expo floor.

Scheduling 

It is easy to fill your entire VMworld Schedule Builder up.  There is absolutely no way to do everything.  Many of the sessions are recorded for playback later.  Make room for time to walk the expo floor.  Make time to have conversations at breakfast and lunch.  These conversations lead to those hidden gems of a conference.  Things you won’t learn anywhere else but at a table you shared with a product manager or a developer of a new product.  Make some time for yourself too.  Maybe a 10-15 minute power nap in a beanbag chair in the VMTN Community area?  Sometimes that is exactly what you will need to keep going.  Don’t be afraid to drop sessions and add new sessions as the event goes on.  If something looks interesting and the Schedule Builder shows it is full and waitlisted go hang out at that  Session/Breakout and see if they end up with room for you once it starts. Make some time to visit the HOL.  If you don’t know what the HOL is ask!!!  It delivers more VMs in a day than many of us will in our lifetime.

Community

Stop and talk.  Offer to help find a location!  We are all 25K+ of the best community anywhere!  Ask a #vExpert in the VMTN area about their blog or what they are tweeting about.  Ask someone what their favorite session is?  There is a new 2018 #vTrailmap that will be out.  There are folks with stickers and cards.   Come see me I may still have some around once things get going. I mentioned sit at random tables during breakfast and lunch and meet new people. Follow @VMworld and @VMTNCommunity and @VMwareCode on twitter.  Ask!  Don’t be afraid some of the best support sessions happen through rapidly evolving crowdsourced twitter responses.

Packing and swag

I pack enough shirts to be able to change out for the evening events.  I get tired of wearing the same stuff all day for 18 hours a day.  I pack extra socks and shoes too.  I try to limit the amount of stuff I pack around in my backpack all day too.  And I generally bring an old ratty backpack and toss it while there.  This is due to the fact that generally the VMworld backpack is pretty decent quality.  I limit the amount of literature I bring home from vendors by taking pictures of the marketing slicks and then tossing them.  I do pack a collapsible bag in my outbound luggage for swag items.  I end up giving away a bunch to coworkers/customers when I come home but the number of t-shirts and other items seems to grow and I have been known to ship a bag home instead of checking it at the airport.

One last note I heard today from @WonderNerd Tony Foster is to leave your backpack in your room for the General Session on Tuesday due to security screening concerns for the main speaker Malala Yousafzai.  This will speed up the entry into the main conference area.

Hope this helps someone!  See all y’all there!

VMworld VMTN Session – VMware Center for Advanced Learning – Advanced Architecture Course

I will be a Panelist with Daemon Behr (@DaemonBehr) discussing the very unique program of education regarding the VMware Center for Advanced Learning.  Specifically we will be talking about the new offering of the Advanced Architecture Course.  This is usually shortened to the VMware #CALAAC.  If you are attending @VMworld 2018 in Las Vegas next week 8/26/2018-8/30/2018 and have some time on Wednesday morning come visit us at the VMTN Communities area.  In the VMworld schedule builder it can be found by searching VMTN7703U.  Here is a shortened URL for the search. VMworld Schedule Builder Search for VMTN7703U

See all y’all there!

vExpert NSX – 2018

Honored to be included among the very smart crew of folks who champion the need for SDN on the VMware NSX-v and NSX-t platforms!  Such a great team of people and always great to work with the NBSU at VMware (@VMWareNSX).

                  

I love having NSX discussions with folks.  If you want to connect hit me up here on LinkedIn or on twitter @VirtSecurity.

At @ConnectionIT I am able to work with another fine VMware vExpert @MBLeib who also happens to be a VMware vExpert NSX member also.  If you haven’t gotten the understanding about what NSX and SDN can do for you ask your @ConnectionIT Account Manager to reach out to one of us.

I get excited to imagine what will be released next week while at @VMworld in Las Vegas.  I hope there will be further information on how NSX/SDN will be used in systems like #IoT and even down to endpoints with products like AirWatch.  Eventually we all will have to move off rule based firewall systems and onto policy based engines that will work throughout our corporate infrastructure no matter where we are connecting from.  Sometimes we just get focused on just the Data Center or even the edge of the Data Center and the DMZ where the largest amount of attacks happen but we need to look holistically into where all the traffic moves and most of this is East/West bound in between our VMs inside the rack servers/blade servers/HCI/converged infrastructure.  If we don’t, how will we react not just when or if a breach happens or even more likely a badly configured application/buggy app is let loose?

Let’s keep the discussion going!

Here is a list of the other VMware vExperts for NSX.

https://blogs.vmware.com/vexpert/2018/08/17/vexpert-nsx-2018-award-announcement/

 

7th year as VMware vExpert

Very happy and humbled to be included in this group for the 7th year as a vExpert. I love talking about all things virtual.  Thanks to the VMware @vExpert team and the @VMTN team and the VMware Communities folks.  Also glad to be joined at @ConnectionIT to have fellow vExperts Tony D’Ancona (@IT_dancona) and Matt Leib (@MBLeib) on the team with me.

Since the vExpert 2018 logo hasn’t been released yet I made my own with 7 stars for my 7 years.

#VMWorld #vExpert #vmtn please donate extra trade show shirts to #HarveyRelief

So I had an idea last night that could help a lot of people out. South and Southeast Texas got hit hard with Hurricane Harvey right as VMworld got started. Cash and electronic donations are awesome.  But what about the useable swag we get and is left over from the vendor booths? Much of it can get thrown away.

Please if you are a vendor consider giving your unused shirts, bags, etc to a relief organization to send to Harvey victims.  It will be months before things even get to a semblance of order there.   They will need all types of items and I know the @VMware community and #vExpert and @DellEMC and @HPE, @Cisco and all of the major vendors can pull together to help people in such need.  Isn’t fixing problems the reason many of us got into IT in the first place?

I know as soon as I get back and am allowed to go into the area I will be taking my chainsaw and other tools to go help with disaster relief.  What can YOU do?!?!?

 

 

Quick pro tip for large hotel A/C systems. #vExpert

So I read somewhere that many hotels don’t actually let you set the temp above or below certain thresholds. Unless… you are a VIP. I googled for a while and found that most systems will allow you to reset your hotel room wall digital thermostat into VIP mode with the following steps:

 

  1. Hold down the Display button. Keep it held down till the end of the procedure.
  2. Press the Off button and release it.
  3. Press the Up button and release it.
  4. Now release the Display button.
This should put your thermostat into VIP mode and allow you to get your room temp down to a cooler temp if you like it that way. When I am in Vegas especially during the summer for shows like VMworld I can never get enough cool air around me. So far this seems to work.
 
If you find something other than these steps please let me know and I can add this to the blog page.
 

VMworld Day 2 – General Session

As the day kicks off at VMworld today here in lovely hot Las Vegas tons of people are filling the VM Village hang space area around the giant screens.

One of the most interesting quotes from Pat Gelsinger was that “Today is the slowest day in technology for the rest of your life.”  The rate of change in our lives due to technology will continue to increase and speed up.  Very true Pat!

“What vSphere/ESX was for the first decades of VMware, NSX could be the same for the next decade.”

There was a long demo of the VMware Cloud on AWS and the integrated products using the “Elastic Sky Pizza Company”

News

VMware, Pivotal and Google Cloud, today unveiled Pivotal Container Service (PKS), which will enable enterprises and service providers to deliver production level  Kubernetes on VMware vSphere and Google Cloud Platform.  It will provide compatibility to Google Container Engine (GKE). This new product will be available later this year in Q4 of calendar year 2017. It will be a standalone product that will work with the Pivotal Cloud Foundry® (PCF). This was all jointly announced by Pat Gelsinger (VMware), Michael Dell (Dell/EMC of course), Rob Mee (CEO Pivotal) and Sam Ramji (Google Cloud). It was interesting the cultural differences seen on stage with the four executives.  Three had sportscoats and dress shirts/slacks on and one had a T-shirt and blue jeans.  Can anyone guess which company was the blue jeans style company?  Let me Google that for you… Yes it was the Google exec.  Now one concession to the Pivotal exec was that he was wearing tennis shoes with his slacks.

NSX, Kubernetes, vRealize Automation, Wavefront telemetry will all be working in this environment together.

Pivotal and VMware were announced as Platinum Members of the Cloud Native Foundation (Home of the Kubernetes).

There may be additional announcements later in the day.

 

VMworld Day 1 – kickoff

So today was the day of big announcements.  Some things people already knew about and had been waiting for General Availability (GA) and some things that might have been a shock or surprise to some.

  1. VMConAWS – yes that means that organizations will be able to consume AWS services/API stacks running on VMware vSphere. Sewn together with NSX and some other magic sauce. I will have to dig into this further to see how this is provisioned, consumed, managed and what caveats there are. What will be the pros and cons with this. 
  2. VMware announced the release of AppDefense a new model to protect your apps running on virtualized and cloud environments. This will leverage virtualized infrastructure to monitor running applications and report deviations and correlations from known good states.  This was previewed last year at VMworld 2016 as Project Goldilocks. 
  3. Products also getting a new version were vRealize Network Insights, VMware Integrated Openstack, a new vSAN offering and a new product called: vSphere Scale-Out which will enhance BigData and HPC environments.
I will be digging into these new items further down the line.  
 
For me today was a pretty big day in that I took and passed my VCP-NV exam for VMware NSX.  This was a big step in getting back to the basics.  I hadn’t taken a vendor Professional level exam in almost 2 years. In fact the last exam I took was my VCAP-DCA5 exam at VMworld 2015.  I have already started on plans for the VCIX-NV. 
 
This evening I was able to have some time to celebrate and see some vendors at various parties.   Thanks to BigSwitchNetworks, Zerto, and Nutanix for their parties that I was able to attend and also a thanks to Tintri for the invitation but also apologies in that I wasn’t able to make it to your event.  See everyone online tomorrow with more breaking VMworld 2017 news.