
This article talks through the creation of a Route-Based VPN between Azure and an on-premises SonicWall firewall. This is done using the Resource Manager deployment model.

IP Schema

In this example I have used the below Azure subnets. You should plan your subnets before starting this process.

  • Full “virtual network” subnet (e.g. 172.26.0.0/16)
  • Gateway subnet (e.g. 172.26.0.0/24)
  • Subnet for servers in Azure (e.g. 172.26.1.0/24)

Azure Configuration

NB – you may want to consider creating a dedicated resource group for the below if you have existing resource groups. In this example we are installing servers into the “UK West” Azure location.

Create Virtual Network

You will need to create a new virtual network. Obviously make sure the IP range doesn’t overlap with any existing subnets.

Go to “more services”, then “Virtual Networks”. For the deployment model select “Resource Manager”. Enter your new subnet details.

You will need to create an address space that includes all your subnets, plus an initial subnet – e.g. for servers. In the example above I have an address space of 172.25.0.0/16 with a subnet of 172.26.1.0/16 to store my servers.

Note if you need to add additional subnets you are able to do this after the Virtual Network is created.

Create Gateway Subnet

Within the virtual network go to “Subnets” and then click “Gateway Subnet”.

The gateway subnet you create must be named GatewaySubnet or it won’t work.

In this example I have used a subnet of 172.26.0.0/24

Create Virtual Network Gateway

Go to “more services”, “virtual network gateway”. Click Add. Fill out as below – you will probably want to create a new public IP. Note this is policy-based.

Note that provisioning the virtual network gateway may take up to 45 minutes.

Create Local Gateway

Create an entry for your on-premises subnets.

Go to “more services”, “local network gateway” then click “add”.

  • IP Address = External interface of your VPN device/firewall
  • Address Space = e.g. the subnet used in the office you are connecting to
  • Resource group = select your existing resource group.

Note it may take a while to provision a public IP – be patient! Once the IP is displayed in the portal you can move on to the next step.

Configure Azure VPN

Go to “more services”, “connections”. Click “Add”. Fill out details as below.

Configure Sonicwall

Create Address Object

Create an address object for the Azure vNet subnet

Create VPN

Note the policy type is “Tunnel Interface”.

Create Route

Finally create a route to tell the SonicWall to use the VPN tunnel for the Azure subnets. Note for testing you might want to restrict the “source” to a single test machine on your on-premises network.

Testing

If the VPN connects successfully you should see a green “dot” as below.

For testing it is helpful to have a VM running on the Azure subnet. Note that you will need to allow pings through the firewall of this VM.

netsh advfirewall firewall add rule name="All ICMP V4" protocol=icmpv4:any,any dir=in action=allow


Install Azure Powershell Modules

If you haven’t already installed the modules, open an elevated PowerShell window and enter

Install-Module AzureRM

Enter “Y” then “A” to install all modules. Then enter

Install-Module Azure

Again enter “A” to install all modules.

Connect to Azure

Enter the PowerShell command

Login-AzureRmAccount

You will be prompted to log in. Once logged in you are connected.

Following on from my previous post, once connected to Office 365 you can load the modules for the services below using these PowerShell commands. Please note you will need to have the relevant software installed – see the bottom of the article.

SharePoint Online

Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking

Connect-SPOService -Url https://domainhost-admin.sharepoint.com -credential $credential

Note: substitute domainhost with your company’s SharePoint tenant name, but leave the -admin suffix in.

Skype for Business

Import-Module SkypeOnlineConnector

$sfboSession = New-CsOnlineSession -Credential $credential

Import-PSSession $sfboSession

Exchange Online

$exchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://outlook.office365.com/powershell-liveid/" -Credential $credential -Authentication "Basic" -AllowRedirection

Import-PSSession $exchangeSession -DisableNameChecking

Security & Compliance

$ccSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid/ -Credential $credential -Authentication Basic -AllowRedirection

Import-PSSession $ccSession -Prefix cc

 

Pre-Requisites

You will need to have the below installed on your PC:

  • Microsoft Online Services Sign-in Assistant
  • Azure AD Module for Windows PowerShell

Connect to Office 365

  1. Open PowerShell (I always run as admin)
  2. Paste the below into the PowerShell window

    $cred = Get-Credential

    Import-Module MSOnline

    Connect-MsolService -Credential $cred

    $s = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $cred -Authentication Basic -AllowRedirection

    $importresults = Import-PSSession $s

 

You will be prompted to enter the office365 username and password and then you should connect up as shown below.

We recently got sent a server with a Windows 2012 license and a Windows 2012 R2 media kit. Obviously we had to load the non-R2 version of Windows, which presented us with a problem. We solved this by:-

  • Downloading the evaluation ISO from Microsoft, here: https://www.microsoft.com/en-gb/evalcenter/evaluate-windows-server-2012 (there are numerous versions of Windows here, including Windows 2012 and 2016).
  • Once installed, run the following command from an elevated prompt:
    • Standard edition: DISM /online /Set-Edition:ServerStandard /ProductKey:YOUR-PRODUCT-KEY-HERE /AcceptEula
    • Datacenter edition: DISM /online /Set-Edition:ServerDatacenter /ProductKey:YOUR-PRODUCT-KEY-HERE /AcceptEula
  • Confirm restarts when prompted

Assuming your infrastructure has been set up to support voicemail, the instructions below detail how to enable voicemail for an individual user. In this scenario the mailboxes are hosted on Office 365 and Lync 2013 is used on premises.

1. Enable users for Unified Messaging

Ensure the user has Unified Messaging enabled in the Exchange admin center.

2. Grant users the Hosted Voicemail Policy and enable them for UM within Lync

Once the users have been enabled within Office 365, the user’s Lync account will need to be amended to use the new hosted voicemail platform. Below are the Lync Management Shell commands required to complete this. Substitute domain\username with the actual details, and policyname with the name of the UM policy created.

To grant the policy to a user, run:

Grant-CsHostedVoicemailPolicy -Identity domain\username -PolicyName policyname

To enable the user for Hosted Voicemail, run:

Set-CsUser -Identity domain\username -HostedVoiceMail $true

They should now have voicemail options in the Skype client.

On a domain controller you can use PowerShell to determine the Windows versions of systems on your domain.

  • Display info for all OSes. Output is formatted into columns:
    Get-ADComputer -Filter * -Property * | Format-Table Name,OperatingSystem,OperatingSystemServicePack,OperatingSystemVersion -Wrap -Auto
  • Display all Windows Server devices:
    Get-ADComputer -Filter {OperatingSystem -Like "Windows Server*"} -Property * | Format-Table Name,OperatingSystem,OperatingSystemServicePack -Wrap -Auto
  • Display all Windows Server devices with output to a txt file:
    Get-ADComputer -Filter {OperatingSystem -Like "Windows Server*"} -Property * | Format-Table Name,OperatingSystem,OperatingSystemServicePack -Wrap -Auto > c:\servers.txt

VCP6 Study Notes


Below are the quick study notes I made whilst studying for my VCP6 (2V0-621D). I’ve tried to focus on the key areas to keep them as short as possible.

ESXi 6.0

Installation Requirements

  • Requires a minimum of 4GB RAM
  • At least two CPU CORES
  • 64-bit x86 processor released after September 2006
  • Requires the NX/XD bit to be enabled for the CPU in the BIOS

Scripted Installation

Performing a Scripted Install requires:

  • Creating a script (ks.cfg) using the supported commands.
  • Editing the installation script as needed to change settings that are unique for each host.
  • Running the scripted installation process by either specifying boot options, or automatically booting using PXE boot.
  • The installation script (ks.cfg) can reside in any of these locations:
    • FTP
    • HTTP/HTTPS
    • NFS Share
    • USB flash drive
    • CD/DVD device

Files

resolv.conf

Holds the IP addresses of the DNS servers.

Passwords

The default option for ESXi 6 is retry=3 min=disabled,disabled,disabled,7,7

The string takes the form retry=3 min=disabled,disabled,disabled,7,7 passphrase=2, and the fields mean the following (the five values after min= are read in order):

  • retry=3 – A user is allowed 3 attempts to enter a sufficient password.
  • 1st min value – Passwords containing characters from one character class must be at least eight characters long. For example: vmwareee
  • 2nd min value – Passwords containing characters from two character classes must be at least eight characters long. For example: vmware12
  • 3rd min value – Passphrases must contain words that are each at least eight characters long. For example: vmwareee
  • 4th min value – Passwords containing characters from all three character classes must be at least seven characters long. For example: VMware12
  • 5th min value – Passwords containing characters from all four character classes must be at least six characters long. For example: VMware1!
  • passphrase=2 – Require a minimum of 2 “words”.

The lengths in the examples above correspond to a policy of min=8,8,8,7,6. The word “disabled” can be used in place of a length to disallow that kind of password entirely, so with the ESXi 6 default (the first three fields disabled) only three- and four-class passwords of at least seven characters are accepted.
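To see how the min= fields decide whether a candidate is accepted, here is an added Python checker (not VMware's code) that parses the policy string, counts the character classes in a candidate and applies the rules as the notes above describe them. It is simplified: it does not reproduce every pam_passwdqc subtlety (a leading capital or trailing digit counts as a class like any other), and the second policy string is the min=8,8,8,7,6 set implied by the examples above.

```python
def parse_policy(policy):
    """Parse e.g. 'retry=3 min=disabled,disabled,disabled,7,7 passphrase=2'.
    The five min= fields are, in order: one class, two classes, passphrase,
    three classes, four classes; 'disabled' means that kind is never accepted."""
    opts = dict(token.split("=", 1) for token in policy.split())
    mins = [None if f == "disabled" else int(f) for f in opts["min"].split(",")]
    if len(mins) != 5:
        raise ValueError("min= needs exactly five fields")
    return {"retry": int(opts.get("retry", 3)), "min": mins,
            "passphrase": int(opts.get("passphrase", 2))}


def char_classes(pw):
    """Number of character classes present: lowercase, uppercase, digits, other."""
    classes = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(test(c) for c in pw) for test in classes)


def check_password(pw, policy):
    """Return (accepted, reason) for pw under a parsed policy."""
    mins = policy["min"]
    words = pw.split()
    if len(words) >= policy["passphrase"]:
        # Enough words to count as a passphrase: per the notes, every word
        # must reach the passphrase minimum (the third min= field).
        need = mins[2]
        if need is None:
            return False, "passphrases are disabled"
        if all(len(w) >= need for w in words):
            return True, f"passphrase of {len(words)} words"
        return False, f"each passphrase word must be at least {need} characters"
    n = char_classes(pw)
    if n == 0:
        return False, "empty password"
    # Map the class count onto the matching min= field (passphrase field skipped).
    need = {1: mins[0], 2: mins[1], 3: mins[3], 4: mins[4]}[n]
    if need is None:
        return False, f"{n}-class passwords are disabled"
    if len(pw) >= need:
        return True, f"{n} classes, {len(pw)} characters (minimum {need})"
    return False, f"{n}-class passwords need at least {need} characters"


ESXI6_DEFAULT = "retry=3 min=disabled,disabled,disabled,7,7 passphrase=2"
PAGE_EXAMPLE = "retry=3 min=8,8,8,7,6 passphrase=2"  # lengths from the examples above

if __name__ == "__main__":
    # Constructed candidates, including the ones quoted in the notes.
    for name, policy in (("default", ESXI6_DEFAULT), ("example", PAGE_EXAMPLE)):
        parsed = parse_policy(policy)
        for candidate in ("vmwareee", "vmware12", "VMware12", "VMware1!", "Vmw1!"):
            print(f"{name:8} {candidate!r:12} -> {check_password(candidate, parsed)}")
```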

Lockdown Mode

  • Normal mode –
  • Strict mode –

Updates

ESXi can be updated via a VIB file (vSphere Installation Bundle). This is a collection of files packaged together in an archive. An offline bundle contains a VIB and the metadata required to manage the installation of the VIB.

Use the command esxcli software vib install -d to manually install an offline bundle on ESXi

Firewall

List of incoming connections

vSphere Management Appliance

Key commands

vicfg-dns

View the DNS addresses of a host.

Virtual Machines

Max number of CPUs = 128

VM Disks

Independent – means cannot be snapshotted.

  • Independent Persistent Mode – changes are persistent
  • Independent Non-persistent mode – when the VM is powered off or reverted to snapshot the contents of the disk revert to their original settings.

DirectPath I/O

Allows VMs to directly access hardware – e.g. physical NIC

Unexposed Features

As well as on vSphere, VMs are designed to run on Workstation and Fusion systems. Certain VM features therefore exist that do not need to be enabled on a vSphere system.

CPU Affinity

Specifies VM to process placement

Reservation & Limits

A reservation = a guarantee on either memory or CPU

Virtual Machine Upgrade

Recommended pre-requisites

  • Create a backup or snapshot of the virtual machine.
  • Upgrade VMware Tools. On Microsoft Windows virtual machines, if you upgrade the virtual hardware before you upgrade VMware Tools, the virtual machine might lose its network settings.
  • Verify that all .vmdk files are available to the ESXi/ESX hosts on a VMFS 3, VMFS 5, or NFS datastore.
  • Verify that the virtual machines are stored on VMFS 3, VMFS 5 or NFS datastores.
  • Determine the version of the virtual hardware by selecting the virtual machine from the vSphere Client or vSphere Web Client and clicking the Summary tab. The VM Version label in the Compatibility field displays the virtual hardware version.

vCenter

Linked mode enables Windows and appliance-based VCs to communicate. It is integrated with the Platform Services Controller and no longer requires ADAM.

Communicates with ESXi hosts using ports 902, 903 and 443

Minimum requirement (Tiny with embedded controller):-

  • 120GB Disk space
  • 10GB RAM
  • 2 CPUs
  • If installing on Windows needs 2008 SP2 or higher

Upgrading

  • You can upgrade vCenter appliances version 5.1 Update 3 and higher to 6.0
  • To upgrade a distributed vCenter Server from 5.5 to 6.0 you must manually stop and remove the vCenter Inventory Service.
  • To triage installation problems look in the firstboot directory, or at the log files:
    • vminst.log – custom actions
    • vim-vcs-msi.log – vCenter service
    • pkgmgr.log

Platform Services Controller

Contains shared services such as SSO, licensing, certificate management. Can be embedded or installed separately. Recommend installing separately for large deployments with multiple VCs.

VCSA

Database used can be embedded (postgres) or Oracle

VUM

Cannot be installed on a DC

Content Library

A Content Library is a place to store templates, vApps, OVA / OVF, as well as other files. You can subscribe to other content libraries via a subscription URL

AD Integration

When configuring note you can use a machine account or an SPN

vSphere Distributed Switch (VDS)

Requires Enterprise plus license

  • Host Networking Rollbacks – Any change that disconnects a host’s management connection will be automatically rolled back.
  • Distributed Switch Roll Backs – rolls back changes made to vds that cause the management connection to be dropped

     

Network I/O Control v3 – Bandwidth guarantee to virtual machines using constructs of shares, reservation and limit.

  • IGMP/MLD Snooping –

Resource Pools

Resource Pools can be used for :-

  • Prioritising VMs
  • Selling resource inside or outside an organisation
  • Performance guarantee – i.e. create a “dev” and a “biz critical” resource pool

Key terms:-

  • Reservation – Amount of resource guaranteed to be available. If utilisation is lower than the guarantee the resource can be used elsewhere.
  • Expandable Reservation – can request additional CPU/RAM from the parent over and above the reservation.

 

  • Shares – See below
  • Reservation – Guaranteed CPU or memory for this resource pool
  • Expandable Reservation – Can use resources from the parent – e.g. if powering on a VM exceeds the threshold
  • Limit – Upper limit of CPU or memory

Share allocation:-

  • Low – CPU 2000, Memory 81920
  • Medium – CPU 4000, Memory 163840
  • High – CPU 8000, Memory 327680

HA

A slot is the maximum memory required by any VM and the maximum CPU resources required by any powered on VM in a cluster.

Cluster

HA VM Monitoring

Will restart a VM if the heartbeat is not received in a certain interval and no storage or network IO is generated. The default interval for storage/network IO is 120 seconds although this can be changed via the cluster setting: das.iostatsinterval

Failure Interval – HA will restart the VM if the VM’s VMware Tools heartbeat is not received in this interval

Minimum uptime – after this time HA begins monitoring the VM

VM Overrides

To remove a VM from HA monitoring

Troubleshooting

vCenter 5.x & 6.0 use Fault Domain Manager (FDM) agents for HA. The log for these is found in /var/log/fdm.log

Storage DRS

  • Can balance VMs across datastores based on I/O metrics.
  • SDRS uses SIOC to evaluate datastore capabilities and latency info.
  • By default SDRS will not move VMs with independent disks
  • SDRS will not move VMs with fault tolerance enabled
  • When attempting to put a datastore into maintenance mode the task remains at 1%. This could be due to:-
    • SDRS being disabled on the disk
    • SDRS rules prevent the migration recommendations for the disk
  • Old Affinity rules take precedence over newer ones
  • Anti-affinity rules take precedence over affinity rules

Alarms

Can set alarms at various levels including host.

Host Power Management

VLANs

  • A private VLAN can be primary or secondary.
  • PVLANs can only be configured on vDS
  • Secondary VLANs only exist within primary vlans. Note a primary vlan can be promiscuous – meaning it can send and receive on all secondary vlans. Routers are typically attached to promiscuous ports.

Secondary PVLANs can be either:-

  • Isolated – Can only communicate with the promiscuous PVLAN
  • Community – can communicate with other ports on the same secondary PVLAN

LACP on VDS

  • LACP works with IP Hash load balancing and link status failover detection.
  • It is not compatible with iSCSI multipathing and host profiles

Storage I/O Control

Requirements

  • Enterprise plus licensing
  • ESXi 4.1 or later (block storage)
  • ESXi 5.0 or later (NAS)
  • If using tiering, check SAN compatibility guide to confirm certification of your array
  • Datastore must be managed by a single vCenter server

Not Supported

  • More than 1 extent
  • RDM

Will start at 90% of peak throughput by default

Storage

  • Permanent Device Loss (PDL) – when an array reports a LUN no longer exists
  • All Paths Down (APD) – cannot communicate with the storage device

Performance Management

You can edit the “shares” allocation of a VM here.

Multipathing

  • Pluggable Storage Architecture (PSA) – Used to manage storage multipathing. VMware provides a generic Multipathing Plugin (MPP) called Native Multipathing Plugin (NMP).
  • Storage Array Type Plug-Ins (SATPs) run in conjunction with the VMware NMP and are responsible for array-specific operations. ESXi offers a SATP for every type of array that VMware supports
  • If no SATP is assigned to the device by the claim rules, the default SATP for iSCSI or FC devices is VMW_SATP_DEFAULT_AA. The default PSP is VMW_PSP_FIXED
  • The default PSP for all devices claimed by VMW_SATP_ALUA is VMW_PSP_MRU
  • esxcli storage core plugin list --plugin-class=MP – Use to list multipathing modules

vSphere On-Disk Metadata Analyser (VOMA)

  • Introduced in vSphere 5.1
  • Allows you to check the metadata on a LUN – e.g. if you suspect corruption
  • Is a read-only tool
  • Requires exclusive access by 1 host (i.e. you need to unmount the LUN from the others)

partedUtil

A command-line disk partitioning tool for ESXi.

Storage IO Control

Requirements: –

  • Enterprise+ licensing
  • Hosts must be ESXi 4.1 or higher
  • Managed by single VC
  • NFS and RDM not supported
  • Only 1 extent allowed
  • Array must be SIOC certified

Auto Deploy

  • Can be used to deploy 100s of ESXi hosts
  • Rules can assign image profiles and host profiles to a set of hosts, or specify the location (folder or cluster) of a host on the target vCenter Server system. A rule can identify target hosts by boot MAC address, SMBIOS information, BIOS UUID, Vendor, Model, or fixed DHCP IP address.
  • Use Export-EsxImageProfile to ensure image profiles are saved after closing a PowerCLI session

FCoE

In vSphere 5.0 VMWare introduced a software FCoE adaptor. This means that with a NIC (that supports partial FCoE offload) you can access LUNs without the need to buy an expensive dedicated HBA or by using 3rd party drivers.

Configuration guidelines

  • Disable STP
  • Turn on Priority-based Flow Control (PFC) and set to AUTO
  • Add each NIC port to separate vSwitch (for redundancy)
  • If moving a NIC from one vSwitch to another (when using FCOE) you will need to reboot (!)

vSphere Replication

Replicates virtual machines:-

  • From a source site to a target site
  • Within a single site from one cluster to another
  • From multiple source sites to a shared remote target site

Key features

  • License included in Essentials plus and up.
  • Supports a max of 24 snapshots\replicas
  • No need for VC at remote office (can use intra-VC replication)

Bandwidth

The amount of bandwidth required will depend on:-

  • Network-based storage
  • Size of dataset
  • Data change rate
  • Recovery point objective (RPO)
  • Link speed

There is a vSphere Replication Capacity Planning Appliance that can be used to estimate the amount of bandwidth required.

Uses FastLZ compression library to provide balance of speed, CPU overhead and compression efficiency.

Certificates

vSphere Replication uses (PKCS#12) certificate based authentication for all connections to vCenter Servers.

The keystore and truststore passwords might be stored in an access restricted config file. vSphere Replication has the following keystores:

  • /opt/vmware/hms/security/hms-keystore.jks, which contains the vSphere Replication appliance private key and certificate.
  • /opt/vmware/hms/security/hms-truststore.jks, which contains additional CA certificates besides the ones that Java already trusts.

Virtual SAN (VSAN)

A Virtual SAN fault domain enables Virtual SAN to tolerate the failure of an entire physical rack as well as failures of a single host, capacity device, network link or network switch.

When you configure a fault domain VSAN ensures protection objects (e.g. replicas and witnesses) are placed in different fault domains.

VSAN Requirements

  • 3 ESXi hosts
  • Requires a minimum of 1 SSD AND 1 HDD per host. Make sure the SSD is not used by the flash read cache.
  • 6GB RAM

Managing Disk Groups

  • You can choose 1 SSD and up to 6 HDDs per disk group
  • Best practise is to have multiple disk groups with fewer disks – otherwise rebuild times are awful

vSphere Flash Read Cache (vFlash)

  • New from vSphere 5.5 vFlash allows you to leverage local host SSDs as a cache.
  • Uses Virtual Flash File System (VFFS)
  • Needs Enterprise Plus
  • You must enable it at host and then on vm (hardware version 10 required)

VMKernel Ports

Useful CLI Cmds

  • esxcli software vib list --rebooting-image – Displays information for the ESXi image which becomes active after a reboot, or nothing if the pending-reboot image has not been created yet. If not specified, information from the current ESXi image in memory will be returned.
  • esxcli software vib update -d /vmfs/volumes/<your_volume>/VMware-ESXi-6.0.0-2494585-depot.zip – Update the version of ESXi using the command line
  • esxcli network nic list – Show info on physical adapters
  • passwd – Change password
  • esxcfg-vswitch -l or esxcli network vswitch standard list – Shows vSwitch info
  • df -h – Show LUN info
  • esxcli network vm list
  • esxcli software vib install -d
  • esxcli storage vmfs unmap – Claim back unused space from a thin provisioned LUN

Log Files

  • hostd.log – Host management service logs, including virtual machine and host tasks and events, communication with the vSphere Client and vCenter Server vpxa agent, and SDK connections.
  • vmkernel.log – Core VMkernel logs, including device discovery, storage and networking device and driver events, and virtual machine startup.
  • vpxa.log – vCenter Server agent logs.

SSL Certificates

New to vSphere 6.0 are different SSL certificate options. They are:

  • VMware Certificate Authority mode – VMCA automatically provisions host certificates
  • Custom Certificate mode – Enables you to use your own certificates
  • Thumbprint mode – Can be used to retain vSphere 5.5 certificates during upgrade

vNUMA

NUMA (Non-Uniform Memory Access) is a design approach that places memory next to CPUs. For example, on a dual-CPU server motherboard you will often see 2 banks of RAM around the 2 CPUs. In the example of a 2x CPU socket system with 6 cores per socket and 128GB RAM you have 2 NUMA nodes, each with 1 socket, 6 cores and 64GB RAM.

When sizing “monster” VMs with many CPUs you should aim to avoid spanning physical CPUs, as this potentially introduces a performance hit.

Therefore in the above example for a VM that requires 8 CPUs it is better to create a VM with 2x virtual sockets and 4x virtual cores than to just create 8 virtual CPUs

Troubleshooting

ESXTOP

Modes

  • M = memory – Key fields: MCTL?, MCTLSZ, SWCUR, SWR/s, SWW/s
  • C = CPU – Key fields: %USED, %RDY, %CSTP, %MLMTD. %RDY is how much time the VM CPU spent waiting for a CPU; %MLMTD larger than 0 means the VM is being throttled by CPU limits
  • D = Disk Adapter – Key field: GAVG/rd, which should not be > 30
  • N = Network
  • V = Disk VM

Key Fields

CPU

  • %CSTP – How long the VM was ready but was waiting for a physical CPU (CPU STOP)
  • %RDY – Time the VM was unable to get access to a physical CPU
  • %MLMTD – Percentage of time the vCPU was ready to run but had hit the CPU limit setting
  • WAIT – Amount of time the virtual machine is waiting for a VMkernel resource
  • PCPU UTIL – If near 100% check CPU affinity

Memory

Disk

  • CMDS – In most cases CMDS = IOPS
  • DAVG – Average response time
  • KAVG – Amount of time the command spends in the VMkernel

Key Ports

  • 902 (TCP/UDP) – Communication between vCenter and managed hosts
  • 903 (TCP) – Remote Console
  • 5480 – vCenter Appliance web user interface
  • 9443 – vSphere Web Client default port (https)

Permissions

Authorization types:-

  • Global – across multiple solutions (VCs)
  • vCenter – the hierarchy contained in a VC
  • vSphere.local – predefined platform services controller groups

The vsphere.local domain includes several predefined groups. For services that are not managed by vCenter, privileges are set by membership of these groups. Be careful adding users to these groups, as it is often not recommended.

Default Roles

Lockdown Mode

Exception accounts can be used as ‘service accounts’ to connect to an ESXi server during lockdown mode.

DCUI.Access

A list of users granted access to the DCUI. By default this is only the “root” account

License Comparison

In this example I am creating a Certificate Signing Request on a Windows 2008 R2 server.

Choose “create custom request” and set the options as below.

Note if installing on a TMG server you may need to change the above template to “legacy”.

On the next window click on “details” and then “properties”

You will need to enter the certificate details.

In the general section enter a friendly name for the certificate – this can be anything you want.

In the subject name section enter the below under the “type” drop down menu

  • Common name. In the Value field, enter the primary name of your certificate – e.g. sip.mycompany.com
  • Organization
  • State
  • Country
  • Email (Optional)

In the Alternative name drop down box, enter subject alternative names if you need them.

You may need to change the below settings depending on the type of server you are adding the certificate to.

On the private key tab enter the details below.

Click apply.

Above I have selected “make private key exportable”. This step is only required if you will use this certificate on another computer (e.g. in a clustered environment), or with an application that does not use the Windows certificate store (e.g. Mozilla Firefox).

Click “ok” then “next”. Choose the location to store the CSR and click finish.


In this example I am creating an access list to restrict access to the “main” network from a “guest” VLAN. The exception to this is the DHCP server, which the guests will need to reach in order to pick up an address.

Main network subnets

10.100.10.0/24

192.168.252.201/22

10.99.10.0/24

Guest network subnet

10.40.0.0/21

DHCP server

10.99.10.101

Note that you will need to explicitly block every VLAN. Any future VLANs created will need to be added to this list.

Dell PowerConnect 6000 Series

Create access list:-

access-list Guest permit tcp 10.40.0.0 0.0.7.255 eq 67 10.99.10.101 0.0.0.0
access-list Guest deny ip 10.40.0.0 0.0.7.255 10.100.10.0 0.0.0.255
access-list Guest deny ip 10.40.0.0 0.0.7.255 10.99.10.0 0.0.0.255
access-list Guest deny ip 10.40.0.0 0.0.7.255 192.168.252.0 0.0.3.255
access-list Guest permit ip any any

Apply ACL:-

interface vlan 40
ip access-group Guest

Dell Force10 S4810 Switches

Create ACL:-

ip access-list extended Guest
seq 10 permit tcp 10.40.0.0 255.255.248.0 eq 67 10.99.10.101 255.255.255.255
seq 20 deny ip 10.40.0.0 255.255.248.0 10.100.10.0 255.255.255.0
seq 30 deny ip 10.40.0.0 255.255.248.0 10.99.10.0 255.255.255.0
seq 40 deny ip 10.40.0.0 255.255.248.0 192.168.252.0 255.255.252.0
seq 100 permit ip any any

Apply ACL:-

interface vlan 40
ip access-group Guest in

This should now work. Don’t forget to use copy run start to save your changes!
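To verify what the list above actually permits before applying it, here is an added Python simulation (not part of the original post) that parses both the PowerConnect wildcard-mask and the Force10 subnet-mask spellings, evaluates constructed sample flows against the rules in order, and checks that the two spellings reach the same verdicts. It assumes, as in Cisco-style syntax, that the "eq 67" placed after the source address matches the source port; the client and internet addresses are made up.

```python
import ipaddress

# The guest ACL exactly as the post lists it (PowerConnect wildcard-mask form),
# in order: (action, protocol, source, source port, destination, dest port).
POWERCONNECT_RULES = [
    ("permit", "tcp", "10.40.0.0 0.0.7.255", 67, "10.99.10.101 0.0.0.0", None),
    ("deny", "ip", "10.40.0.0 0.0.7.255", None, "10.100.10.0 0.0.0.255", None),
    ("deny", "ip", "10.40.0.0 0.0.7.255", None, "10.99.10.0 0.0.0.255", None),
    ("deny", "ip", "10.40.0.0 0.0.7.255", None, "192.168.252.0 0.0.3.255", None),
    ("permit", "ip", "any", None, "any", None),
]
# The same list in the Force10 subnet-mask form from the post.
FORCE10_RULES = [
    ("permit", "tcp", "10.40.0.0 255.255.248.0", 67, "10.99.10.101 255.255.255.255", None),
    ("deny", "ip", "10.40.0.0 255.255.248.0", None, "10.100.10.0 255.255.255.0", None),
    ("deny", "ip", "10.40.0.0 255.255.248.0", None, "10.99.10.0 255.255.255.0", None),
    ("deny", "ip", "10.40.0.0 255.255.248.0", None, "192.168.252.0 255.255.252.0", None),
    ("permit", "ip", "any", None, "any", None),
]


def to_network(spec):
    """'addr mask' -> IPv4Network. The mask may be a wildcard (0.0.7.255) or a
    subnet mask (255.255.248.0); 'any' means 0.0.0.0/0."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, mask = spec.split()
    m = int(ipaddress.IPv4Address(mask))
    if not m & 0x80000000:        # top bit clear: a wildcard mask, so invert it
        m ^= 0xFFFFFFFF
    prefix = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous mask: {mask}")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def rule_matches(rule, flow):
    """flow = (protocol, src_ip, src_port, dst_ip, dst_port)."""
    action, proto, src, sport, dst, dport = rule
    fproto, fsrc, fsport, fdst, fdport = flow
    if proto != "ip" and proto != fproto:
        return False
    if ipaddress.ip_address(fsrc) not in to_network(src):
        return False
    if ipaddress.ip_address(fdst) not in to_network(dst):
        return False
    if sport is not None and sport != fsport:
        return False
    return dport is None or dport == fdport


def evaluate(rules, flow):
    """First matching rule wins; no match means the implicit deny (index None)."""
    for i, rule in enumerate(rules):
        if rule_matches(rule, flow):
            return rule[0], i
    return "deny", None


# Constructed sample flows from a guest client at 10.40.1.20.
SAMPLE_FLOWS = {
    "guest to main LAN web": ("tcp", "10.40.1.20", 51000, "10.100.10.5", 443),
    "DHCP renew (UDP 68 -> 67)": ("udp", "10.40.1.20", 68, "10.99.10.101", 67),
    "DHCP discover (broadcast)": ("udp", "0.0.0.0", 68, "255.255.255.255", 67),
    "what line 1 literally permits": ("tcp", "10.40.1.20", 67, "10.99.10.101", 2000),
    "guest to internet": ("tcp", "10.40.1.20", 51001, "203.0.113.10", 443),
    "guest to a future VLAN": ("tcp", "10.40.1.20", 51002, "10.50.0.10", 22),
}


def decisions(rules, flows=SAMPLE_FLOWS):
    return {name: evaluate(rules, flow) for name, flow in flows.items()}


def same_decisions(rules_a, rules_b, flows=SAMPLE_FLOWS):
    """True when both ACL spellings give identical verdicts for every flow."""
    return decisions(rules_a, flows) == decisions(rules_b, flows)


if __name__ == "__main__":
    for name, verdict in decisions(POWERCONNECT_RULES).items():
        print(f"{name:32} -> {verdict}")
    print("Force10 form equivalent:", same_decisions(POWERCONNECT_RULES, FORCE10_RULES))
```

Note that DHCP runs over UDP with a client source port of 68, so the first line as written does not match a unicast renewal to 10.99.10.101; initial broadcast discovery still passes because it is not caught by the subnet denies, and the final permit also lets guest traffic reach any VLAN not yet listed.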