Sunday, November 27, 2011

ESXi 3.5 to 4.1 upgrade

Last year I wrote about my 3.5 to 4.0 upgrade adventures. This weekend we scheduled a 3.5 to 4.1 upgrade, assuming it would be a smooth ride (apart from moving 4TB of data).

The first issue was that 4.1 didn't want to boot from the new pendrive. Assuming I did something wrong with the imagedd.bz2 file, I tried it a few more times, wasting about 3 hours. Turns out the box didn't like the Veritech pendrive somehow. Running from a Silicon Power one went like a charm.

Second issue: the LVM.resignature config option disappeared from the ESXi advanced config. Our new friend is the esxcfg-volume command-line utility.

Use
esxcfg-volume -l
to list the volumes, and
esxcfg-volume -r <VMFS UUID|label>
to resignature (and rename) your volumes.

On a related note, ESXi 5.0 does not use the imagedd.bz2 file anymore, so I didn't even start to experiment with it (I wasted too much time on trivial stuff during the upgrade anyway).

Monday, November 7, 2011

ComWare authentication with Cisco Secure ACS

As I'm writing a presentation on Cisco-HP-3Com interoperability, I realized I forgot to post this config a while ago.

The basic setup: we have 2 Cisco ACS servers as RADIUS/TACACS servers, for network management purposes. Both the network devices and the VPN service on the ASA cluster authenticate against them. Setting up Cisco and HP ProCurve to use RADIUS is almost the same, but Comware differs significantly.

After an afternoon well spent, here's what I've come up with:

#
local-server nas-ip 127.0.0.1 key 3com
#
radius scheme system
 nas-ip 127.0.0.1
radius scheme ceu
 server-type standard
 primary authentication 10.0.0.10
 secondary authentication 10.0.0.11
 accounting optional
 key authentication XXXXXXX
 user-name-format without-domain
#
domain local
domain system
 scheme radius-scheme ceu
#
user-interface aux 0
 authentication-mode scheme
user-interface vty 0 4
 authentication-mode scheme
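
A quick way to check that a config like the one above is wired end to end (login lines to domain to RADIUS scheme to both ACS servers), as an added example that is not part of the original post. The function names parse and audit are hypothetical, and the rule that a scheme must carry a primary server, a secondary server and a shared key is an assumption taken from the two-server setup described here.

```python
import re

# Config from the post as sample input ("#" separators omitted, key redacted as posted).
CONFIG = """\
local-server nas-ip 127.0.0.1 key 3com
radius scheme system
 nas-ip 127.0.0.1
radius scheme ceu
 server-type standard
 primary authentication 10.0.0.10
 secondary authentication 10.0.0.11
 accounting optional
 key authentication XXXXXXX
 user-name-format without-domain
domain local
domain system
 scheme radius-scheme ceu
user-interface aux 0
 authentication-mode scheme
user-interface vty 0 4
 authentication-mode scheme
"""

VIEW = re.compile(r"(radius scheme|domain|user-interface) (.+)")  # lines that open a view
NEEDED = ("primary authentication", "secondary authentication", "key authentication")

def parse(text):  # returns {(view, name): [commands]}; indentation is not relied on
    views, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        m = VIEW.fullmatch(line)
        if m or line == "#":  # a new view starts, or "#" closes the current one
            cur = views.setdefault(m.groups(), []) if m else None
        elif line and cur is not None:
            cur.append(line)
    return views

def audit(text):  # returns findings; [] means every login line resolves to RADIUS
    views, out = parse(text), []
    for (view, name), cmds in views.items():
        if view == "user-interface" and "authentication-mode scheme" not in cmds:
            out.append(f"user-interface {name}: authentication-mode is not scheme")
        refs = re.findall(r"^scheme radius-scheme (\S+)", "\n".join(cmds), re.M)
        for ref in refs if view == "domain" else []:
            scheme = views.get(("radius scheme", ref))
            if scheme is None:
                out.append(f"domain {name}: radius scheme {ref} is not defined")
            else:  # assumed policy: both ACS servers and a shared key are set
                out += [f"radius scheme {ref}: missing {n}" for n in NEEDED if not any(c.startswith(n) for c in scheme)]
    return out
```

Run audit() over a saved copy of the device configuration; it handles both the indented form and a flattened paste, with or without the "#" separator lines.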