Wednesday, September 17, 2014

VRTX R1-2401 ssh & https

If you are logged in to your VRTX CMC over https and hit the "Launch I/O Module GUI" button for the internal switch, you are handed over to an http login page. HTTP. Not secure: the switch credentials go across the wire in clear text.

As my workaround, I ssh'ed to the CMC and ran "connect switch-1" to get a console on the VRTX switch.

From there, configuring the secure settings on the switch is easy enough, but I didn't find the commands all in one place, so here they are. Everything after // is my comment; do not copy-paste these lines as-is.

# show crypto key  // show the current (factory default) ssh host keys
# configure  // enter config mode
(config)# crypto key generate rsa  // regenerate the RSA ssh host key, replacing the default one
(config)# crypto key generate dsa  // regenerate the DSA ssh host key (only needed for old clients; modern OpenSSH refuses ssh-dss by default)
(config)# ip ssh server  // enable the ssh server
(config)# crypto certificate 1 generate key-generate  // generate a new key pair and self-signed certificate for https
(config)# ip https certificate 1  // tell the https server to use certificate 1
(config)# ip http secure-server  // enable the https server
(config)# no ip telnet server  // turn off telnet
(config)# no ip http server  // turn off plain http
(config)# exit
# copy running-config startup-config  // ALWAYS, or it all disappears on the next reboot

Before the "no ip http server" step, open the https login in a browser and confirm the server and certificate actually came up; otherwise you have just cut off the GUI and have to come back through the CMC console to fix it. The certificate is self-signed, so note its fingerprint now while you know the connection is the real switch.

Also, the best link for the VRTX manuals, from a Dell Support guy: Drink me

The "Launch I/O Module GUI" button isn't smart enough to redirect to https, and since we've turned off http it will just fail. But you'll have the switch IP from the URL it tried, so point your browser at https:// and that address instead.
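A quick check from the management workstation that the CLI steps above actually took, as an added example (my own script, not from the original post or from Dell): it probes the four ports, compares them with the expected state (telnet and http closed, ssh and https open), and records the SHA-256 fingerprint of the self-signed https certificate so a later swap can be noticed. The switch address is an assumption; replace it with the IP the CMC button hands you.

```python
"""Verify the VRTX internal switch exposes only SSH and HTTPS after hardening."""
import hashlib
import socket
import ssl

# Assumed address of the internal switch (TEST-NET-1 placeholder); substitute yours.
SWITCH = "192.0.2.10"

# Expected state after the CLI steps: telnet and plain http closed, ssh and https open.
EXPECTED = {22: True, 23: False, 80: False, 443: True}


def tcp_open(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit(observed, expected=EXPECTED):
    """Compare observed {port: is_open} with the expected state; return a list of findings."""
    findings = []
    for port, want_open in sorted(expected.items()):
        got = observed.get(port)
        if got is None:
            findings.append(f"port {port}: not probed")
        elif got and not want_open:
            findings.append(f"port {port}: open, should be closed")
        elif not got and want_open:
            findings.append(f"port {port}: closed, should be open")
    return findings


def fingerprint(der):
    """SHA-256 fingerprint of a DER-encoded certificate as colon-separated uppercase hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def https_fingerprint(host, port=443):
    """Fetch the switch's certificate without validation and return its fingerprint."""
    # The certificate generated on the switch is self-signed, so there is no CA to
    # validate against. Record the fingerprint once, on a connection you trust, and
    # compare against it on later connections instead of clicking through warnings.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # 2014-era switch firmware may only speak old TLS versions; lower the floor for
    # this fingerprinting step only. If the handshake still fails, the fix is newer
    # firmware, not a weaker client.
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    with socket.create_connection((host, port), timeout=5.0) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return fingerprint(tls.getpeercert(binary_form=True))


if __name__ == "__main__":
    observed = {port: tcp_open(SWITCH, port) for port in EXPECTED}
    for line in audit(observed) or ["all probed ports are in the expected state"]:
        print(line)
    if observed.get(443):
        print("https certificate SHA-256:", https_fingerprint(SWITCH))
```

Run it once right after the hardening and again whenever the switch is touched; a changed fingerprint with no certificate regeneration in between is worth a look.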

Wednesday, June 4, 2014

VRTX R1-2401 Loading data from the device

Setting up a Dell VRTX, I've got (hopefully) the right scoop on the ESXi side and on setting up the SPERC8. What baffled me for a few minutes was the internal switch GUI on the R1-2401. All I saw after logging in was "Loading data from the device".
OK, I'll wait.
...
?

Whatever my Safari settings are, they triggered the same message IE6 did for this guy on another Dell switch. -> Ye Old Dell Switch Question

Switched to Firefox and got into the UI without issue. Next step will be turning that shit off (after changing the default password... sheesh).

Tuesday, June 3, 2014

Port changes between ESXi 5.1u2 and 5.5u1

The following firewall rulesets have been added in ESXi 5.5u1 and are enabled and open to all networks by default (I haven't checked 5.5 GA):
  • DHCPv6 (self-explanatory) [tcp/udp 546 in, 547 out]
  • cmmds (VSAN) [udp 12345, 23451 in/out]*
  • rdt (VSAN) [tcp 2233 in/out]
  • ipfam (NSX) [udp 6999 in/out]
  • vsanvp (VSAN) [tcp 8080 in/out]
  • rabbitmqproxy (vFabric) [tcp 5671 out]
I was not able to turn off vsanvp (the attempt failed with: Cannot change the host configuration. Call "HostFirewallSystem.DisableRuleset" for object "firewallSystem-152" on vCenter Server "X" failed.), but I could restrict it to the local management subnet. Close enough.

While it's nice of VMware to have a one-button "enable VSAN" in the web UI, keep the ports locked until I check that box. If ever.
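The same "enabled and open to everything" check for a whole host, as an added example (my own script, not from the original post or from VMware): it parses the tables that `esxcli network firewall ruleset list` and `esxcli network firewall ruleset allowedip list` print, flags the rulesets from the list above that are enabled and allowed from "All", and emits the esxcli commands that restrict each one to a management subnet. The two tables embedded here are constructed to mirror esxcli's format, not captured from a real host, and the management subnet is an assumption. The VSAN transport ruleset is spelled rdt in esxcli.

```python
"""Find ESXi firewall rulesets that are enabled and open to all source IPs."""

# Rulesets the post lists as new in ESXi 5.5u1 and open to all networks by default.
NEW_55U1_RULESETS = {"DHCPv6", "cmmds", "rdt", "ipfam", "vsanvp", "rabbitmqproxy"}

# Constructed sample of `esxcli network firewall ruleset list` output.
RULESET_LIST = """\
Name                 Enabled
-------------------  -------
sshServer            true
sshClient            false
DHCPv6               true
cmmds                true
rdt                  true
ipfam                true
vsanvp               true
rabbitmqproxy        true
"""

# Constructed sample of `esxcli network firewall ruleset allowedip list` output,
# after vsanvp has already been restricted to the management subnet.
ALLOWEDIP_LIST = """\
Ruleset              Allowed IP Addresses
-------------------  --------------------
sshServer            All
sshClient            All
DHCPv6               All
cmmds                All
rdt                  All
ipfam                All
vsanvp               10.0.0.0/24
rabbitmqproxy        All
"""


def parse_table(text):
    """Parse esxcli's two-column table (header, dashed rule, rows) into {name: value}."""
    rows = {}
    for line in text.splitlines()[2:]:  # skip the header and the dashed rule
        parts = line.split(None, 1)
        if len(parts) == 2:
            rows[parts[0]] = parts[1].strip()
    return rows


def find_wide_open(ruleset_list, allowedip_list, watch=NEW_55U1_RULESETS):
    """Return the watched rulesets that are enabled and allowed from every source IP."""
    enabled = parse_table(ruleset_list)
    allowed = parse_table(allowedip_list)
    # A ruleset missing from the allowedip table is treated as "All": err on the side
    # of flagging it rather than silently assuming it was restricted.
    return sorted(
        name for name in watch
        if enabled.get(name) == "true" and allowed.get(name, "All") == "All"
    )


def restrict_commands(name, cidr):
    """esxcli commands that limit one ruleset to the given management subnet."""
    return [
        f"esxcli network firewall ruleset set --ruleset-id {name} --allowed-all false",
        f"esxcli network firewall ruleset allowedip add --ruleset-id {name} --ip-address {cidr}",
    ]


if __name__ == "__main__":
    MGMT_NET = "10.0.0.0/24"  # assumed management subnet; use your own
    for name in find_wide_open(RULESET_LIST, ALLOWEDIP_LIST):
        print(f"# {name} is enabled and open to all networks")
        print("\n".join(restrict_commands(name, MGMT_NET)))
```

On a real host, feed the script the live output of the two esxcli commands instead of the embedded samples; for a ruleset that refuses to be disabled, as vsanvp did above, the allowed-IP restriction is the fallback, and a ruleset you do not need at all should simply be disabled with `--enabled false`.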

* Hey! That's the combination to my luggage!