Rick Mitchell Solutions - RMSBlog

With Rick Mitchell Solutions, you get the experience of over 10 years dealing with these very same problems you face every day. Large businesses that are in the Fortune 500 down to the small business with aspirations to become global can rely on us to understand and design solutions that fit your needs and your budget.

Thursday, July 23, 2009

HP ProCurve switches and VLANs

HP makes a decent enough line of switches that can be used by mid-size companies as a cheaper alternative to Cisco. I have used Cisco exclusively in the past and was recently tasked with completing a VLAN overhaul on some ProCurve switches. The terminology is a bit tricky, so let me try to explain.

On a ProCurve switch, "tagged" and "untagged" describe a port's membership in one particular VLAN, not the port as a whole. A port that is untagged in a VLAN sends that VLAN's frames onto the wire with no 802.1Q header and places any untagged frame it receives into that VLAN. A port can be untagged in only one VLAN, so in the simple case of a single VLAN for all of your business data you would mark every desk port as untagged in that VLAN (which also removes it from the untagged membership of DEFAULT_VLAN, VLAN 1).

A port that is tagged in a VLAN carries that VLAN's frames with the 802.1Q tag on the wire, and because the tag identifies the VLAN, one port can be tagged in many VLANs at once. That is what an uplink between two switches needs: tag the uplink port in every VLAN that has to cross it, and the switch at the other end reads the tag to put each frame back into the right VLAN. This is plain layer 2 forwarding, not routing; no IP interface is involved. One terminology trap for anyone coming from Cisco: on a ProCurve, "trunk" means a link aggregation group (the trunk command), not an 802.1Q trunk, so a multi-VLAN uplink is simply a port that is tagged in several VLANs.

Tagging is also how you handle a single port that has to reach more than one VLAN. For a VoIP phone with a PC daisy-chained behind it, the usual pattern is untagged in the data VLAN (the PC sends plain frames) and tagged in the voice VLAN (the phone tags its own traffic). For a VMware server whose guests sit on several VLANs through a shared NIC, tag the port in each guest VLAN and let the virtual switch port groups apply the matching VLAN IDs.

Once you understand the terminology, the configuration of the switch becomes trivial. Two things are still worth checking before you sign the work off: a port should be tagged only in the VLANs it genuinely needs, because any 802.1Q-aware device plugged into a tagged port can send into every VLAN that port is tagged in, and uplinks should be pulled out of VLAN 1 (no vlan 1 untagged <port>) unless you really use the default VLAN, so stray untagged traffic from the neighbouring switch has nowhere to land.
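To make the rules above concrete, and to check a real switch against them, here is an added example of my own (not code from this post, from HP, or from any ProCurve tool) that parses the VLAN blocks of a ProCurve-style running config and flags the mistakes discussed: a port untagged in more than one VLAN, an uplink still untagged in VLAN 1, a desk port tagged in a VLAN other than the voice VLAN, and desk ports never moved out of the default VLAN. The config is a constructed sample, the port numbers, VLAN IDs and names are assumptions, and the parser only handles plain numeric port names, not the A1/B1 style used on chassis switches.

```python
"""Audit VLAN membership in an HP ProCurve-style running config (added example)."""
import re
from collections import defaultdict

# Constructed sample in ProCurve running-config syntax; not taken from a real switch.
# Assumed layout: port 24 is the uplink to the next switch, 4-23 are desk ports with
# phones, 10 = data, 20 = voice, 30 = servers. Port 12 is deliberately wrong.
SAMPLE_CONFIG = """
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-3,24
   no untagged 4-23
   exit
vlan 10
   name "DATA"
   untagged 4-23
   tagged 24
   exit
vlan 20
   name "VOICE"
   tagged 4-24
   exit
vlan 30
   name "SERVERS"
   tagged 12,24
   exit
"""


def expand_ports(spec):
    """'1-3,24' -> [1, 2, 3, 24]. Assumes plain numeric port names (no A1/B1)."""
    ports = []
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            ports.extend(range(lo, hi + 1))
        else:
            ports.append(int(part))
    return ports


def parse_vlans(text):
    """Return {vlan_id: {'name': str, 'untagged': set(ports), 'tagged': set(ports)}}."""
    vlans = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^vlan (\d+)$", line)
        if m:  # start of a VLAN context block
            current = int(m.group(1))
            vlans[current] = {"name": "", "untagged": set(), "tagged": set()}
            continue
        if current is None:
            continue
        if line == "exit":
            current = None
            continue
        m = re.match(r'^name "(.*)"$', line)
        if m:
            vlans[current]["name"] = m.group(1)
            continue
        # "untagged 1-3,24", "tagged 24" and the negated "no untagged 4-23" form
        m = re.match(r"^(no )?(untagged|tagged) (\S+)$", line)
        if m:
            negate, kind, spec = m.groups()
            members = vlans[current][kind]
            if negate:
                members.difference_update(expand_ports(spec))
            else:
                members.update(expand_ports(spec))
    return vlans


def audit(vlans, uplinks, access_tagged_ok=()):
    """Return a list of (port, message) findings for the rules in the post."""
    untagged_in = defaultdict(set)  # port -> VLANs it is untagged in
    tagged_in = defaultdict(set)    # port -> VLANs it is tagged in
    for vid, v in vlans.items():
        for p in v["untagged"]:
            untagged_in[p].add(vid)
        for p in v["tagged"]:
            tagged_in[p].add(vid)
    findings = []
    for p in sorted(set(untagged_in) | set(tagged_in)):
        u, t = untagged_in[p], tagged_in[p]
        if len(u) > 1:
            findings.append((p, f"untagged in several VLANs {sorted(u)}; a port may be untagged in only one"))
        if p in uplinks:
            if 1 in u:
                findings.append((p, "uplink still untagged in VLAN 1; use 'no vlan 1 untagged'"))
            if not t:
                findings.append((p, "uplink carries no tagged VLANs"))
        else:
            extra = t - set(access_tagged_ok)
            if extra:
                findings.append((p, f"access port tagged in VLAN(s) {sorted(extra)}; any 802.1Q-aware host can join them"))
            if u == {1} and not t:
                findings.append((p, "access port left in DEFAULT_VLAN only"))
    return findings


if __name__ == "__main__":
    for port, msg in audit(parse_vlans(SAMPLE_CONFIG), uplinks={24}, access_tagged_ok={20}):
        print(f"port {port}: {msg}")
```

Run as-is it reports ports 1 to 3 (never moved off the default VLAN), port 12 (tagged in the server VLAN) and port 24 (uplink still untagged in VLAN 1). To audit a real switch, paste the VLAN section of show running-config in place of SAMPLE_CONFIG and adjust the uplink set and voice VLAN. The switch itself refuses the "untagged in two VLANs" case interactively, so that check mostly matters for configs assembled offline and pushed in bulk.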

Wednesday, July 8, 2009

Using CMAK to automate VPN rollouts

vpn.exe /q /c:"c:\windows\system32\cmstp.exe vpn.inf /s"

I recently was tasked with rolling out a Microsoft VPN connection across an enterprise to all laptop users. I am a big fan of BigFix, but that is outside the scope of this blog. In any event, I wanted to build the connectoid through CMAK on Windows Server 2003 and give the user two VPN servers to select from, with a default option already picked for them. Further, none of our users use dialup, and we wanted a desktop shortcut created for them. It had to be completely silent and transparent to the end users, with no interaction required.

Not too bad except for the syntax of the connectoid executable, which is shown above. The CMAK-built vpn.exe is a self-extracting package: /q makes it extract quietly, and /c: hands it the command to run once extraction is done, in this case cmstp.exe installing the profile's .inf with /s so the Connection Manager install is silent as well. That one line accomplishes a silent install through BigFix or any other software deployment tool (even something as simple as psexec). Because cmstp.exe will install whatever .inf it is handed, with the rights of the account running it, keep the package on a share users cannot write to and run it only through the deployment tool. One other gotcha was actually finding the right place to turn off the dialup option, which is buried in the following:

  1. On the Advanced Customization page (figure 30), ensure the name of your executable appears in the File name list box with the .cms file extension. In the Section name list box, select the Connection Manager entry. In the Key name list box, select the Dialup entry. Put 0 in the Value text box. The executable file will be compiled when you click Next.

Once you do all of this, you have a full rollout of your VPN connectoid to your enterprise.

Wednesday, July 1, 2009

Sonicwall GMS 5.1

SonicWall has a management product called GMS, which is at version 5.1 as of today. This web-based utility attempts to keep track of your SonicWall devices via syslog and provide a central point for all administration. Unfortunately, the default install relies on a bundled MySQL instance, and the parameters it ships with are not effective in keeping the service stable.

One of my biggest gripes with the product is that it takes its heartbeat counts from syslog. Syslog runs over UDP port 514, so a lost datagram is never retransmitted, and if anything goes wrong out on the WAN a missed heartbeat looks the same as a dead device. Plain UDP syslog is also unauthenticated, so the GMS host should accept it only from the management addresses of the firewalls it owns. The syslog traffic is then fed into the database, and unfortunately MySQL does a really bad job of staying up long enough to capture everything.

If you look at the documentation for 5.1, there is a section detailing how to go about installing SQL Server 2005 and above, which is apparently supported. However, unless you choose the Multi Server install during the initial setup, you will not be prompted for a database location other than the bundled MySQL. This is obviously a big misstep on the part of SonicWall, since most shops of any decent size will want a central database server for all of their apps. The documentation is very dry and gives no detail on the SQL Server 2005 piece, which is disappointing. Another problem is that there is no built-in tool to migrate the database from MySQL to SQL Server, which means you have to re-enter your data once you make this migration.

Those are my major gripes about the product, but once you get it set up and functioning in an enterprise fashion it does seem to work well. Configuration changes are pushed out to your devices as you would expect, so you don't have to log in to each of your devices.