service console access in a VRF environment

Version 1
    This document was generated from CDN thread

    Created by: ISMAIL PATEL on 17-06-2011 07:07:00 AM
    Upgraded the module to version 2.0 and cannot access the service console, as the VMware console and service consoles have merged into the same interface.
     
    We run VRF on the router. Prior to version 2.0.0, the management of the service module was done in the global VRF and the hypervisor was put into the customer's VRF instance for them to install and manage virtual machines.
     
    The "service-module sm 1/0 session" command no longer works.
     
    The workaround is to create a loopback interface and telnet to this on port 2067.
     
     

    Subject: RE: service console access in a VRF environment
    Replied by: ISMAIL PATEL on 17-06-2011 02:18:44 PM
    Hi Brett

    The old router config was as below:

    interface SM1/0
    ip address 10.160.55.129 255.255.255.224
    service-module ip address 10.160.55.130 255.255.255.224
    !Application: SRE-V Running on SMV
    service-module ip default-gateway 10.160.55.129
    end

    interface SM1/1
    ip vrf forwarding DISTSCHOOLS
    ip address 10.44.7.65 255.255.255.192
    service-module ip address 10.44.7.66 255.255.255.192
    service-module ip default-gateway 10.44.7.65

    The network team managed the service module using the address configured on SM1/0. The customer would connect to the hypervisor using the VMware client, using the address configured on SM1/1.

    We would access the service console as below:

    service-module sm 1/0 session
    Trying 10.160.55.129, 2067 ... Open


    The new router config is as below:

    interface SM1/0
    ip vrf forwarding DISTSCHOOLS
    ip address 10.44.7.65 255.255.255.192
    service-module ip address 10.44.7.66 255.255.255.192
    service-module ip default-gateway 10.44.7.65

    interface SM1/1


    When we try to access the service console from the router now, it tries to connect to the VRF address, which fails:

    service-module sm 1/0 session
    Trying 10.44.7.66, 2067 ... Open


    The way around this is to create a loopback address:

    interface loopback0
    ip address 1.1.1.1 255.255.255.255

    And use telnet 1.1.1.1 2067 to access the console.

    Not an issue - more cosmetic!

    Subject: RE: service console access in a VRF environment
    Replied by: Brett Tiller on 17-06-2011 01:47:11 PM
    Hi Ismail,

    Thank you for your feedback.  I've provided some comments/questions below.

    As you've pointed out the console manager has been removed in the beta release as it is no longer required for configuration or licensing.  Sessioning into the service module now takes you directly into the ESXi DCUI.  To access the DCUI shell you can enable the remote technical support via the DCUI menu and then ssh into the shell from your workstation. 

    Regarding the vrf tables you've set up in the router, please provide clarification regarding how the beta release has negatively impacted this functionality.

    The ESXi hypervisor still remains on the SRE-V platform; that has not changed.  Perhaps you're referring to the ESXi vSphere Client?  As you may know, this client is freely available for download via VMware, and we also make it available for download in the beta files.

    Thanks,

    Brett

    Subject: RE: service console access in a VRF environment
    Replied by: ISMAIL PATEL on 20-06-2011 05:35:58 PM
    Hi Brett

    I know that there is a workaround for this 'issue', but for usability it may be worth changing the service-module sm x/x session command so that it does NOT use the address configured on interface sm 1/0, so that users do not get the following messages:

    interface SM1/0
    ip vrf forwarding DISTSCHOOLS
    ip address 10.24.7.17 255.255.255.240
    service-module ip address 10.24.7.18 255.255.255.240
    !Application: VMware ESXi 4.1.0 build-348481 running on SRE-V
    service-module ip default-gateway 10.24.7.17
    hold-queue 60 out
    end

    TESTSCHRTR101742#service-module sm 1/0 sess
    Trying 10.24.7.17, 2067 ...
    % Connection timed out; remote host not responding

    Somebody may think that the module is offline.


    Regards

    Ismail

    Subject: RE: service console access in a VRF environment
    Replied by: Brett Tiller on 20-06-2011 06:51:35 PM
    Hi Ismail,

    Would you mind attaching your router configuration and providing a high-level view of your packet routing using the VRF tables on the SM interface, so that I can better understand what you're doing with the router and module?  This way I can reproduce what you are seeing with a clearer understanding of your configuration as well.

    Thanks,

    Brett

    Subject: RE: New Message from Brett Tiller in Service Ready Engine Virtualization -
    Replied by: ISMAIL PATEL on 20-06-2011 07:51:22 PM
    Hi Brett

    Config as below.

    As ICT division we provide services into the various departments that make up the council. Corporate, Schools and Libraries are the top three biggest user groups. The service module has been purchased on behalf of the Schools IT team, who wish to deploy Windows servers as opposed to traditional rack-mounted servers.

    This is the prime reason that the service module has been configured on the schools VRF: to allow Schools IT staff full access to the hypervisor without giving them access to the router itself. Corporate IT manage the router on the global VRF, which happens to be corporate!

    In terms of the issue reported, all the tests were undertaken from the router console itself, hence there is no traffic flow outside of the router. Hope this makes sense.

    To overcome the issue, I have created a loopback address and created the following host entry: "ip host sm 2067 1.1.1.1". This allows me to use the command "sm" to access the service-module console.

    JUST NOTICED - I am running "boot system flash:c2900-universalk9-mz.SPA.151-3.T.bin". Not sure if this makes a difference.

    Many thanks

    Ismail


    Current configuration : 7721 bytes
    !
    ! Last configuration change at 22:21:32 BST Mon Jun 20 2011 by nst
    !
    version 15.1
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname TESTSCHRTR101742
    !
    boot-start-marker
    boot system flash:c2900-universalk9-mz.SPA.151-3.T.bin
    boot-end-marker
    !
    !
    enable secret 5 *********************
    !
    aaa new-model
    !
    !
    aaa authentication login default local group tacacs+ enable
    aaa authentication login local group tacacs+ enable
    !
    !
    !
    !
    !
    aaa session-id common
    !
    clock timezone GMT 0 0
    clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 1:00
    !
    no ipv6 cef
    ip source-route
    ip cef
    !
    !
    !
    ip vrf DISTSCHOOLS
    rd 211:211
    route-target export 211:211
    route-target import 211:211
    !
    !
    !
    !
    !
    no ip domain lookup
    ip host sm 2067 1.1.1.1
    !
    multilink bundle-name authenticated
    !
    !
    crypto pki token default removal timeout 0
    !
    crypto pki trustpoint TP-self-signed-89228508
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-89228508
    revocation-check none
    rsakeypair TP-self-signed-89228508
    !
    !
    crypto pki certificate chain TP-self-signed-89228508
    certificate self-signed 01
      30820244 308201AD A0030201 02020101 300D0609 2A864886 F70D0101 04050030
      2F312D30 2B060355 04031324 494F532D 53656C66 2D536967 6E65642D 43657274
      69666963 6174652D 38393232 38353038 301E170D 31303037 31323131 33363434
      5A170D32 30303130 31303030 3030305A 302F312D 302B0603 55040313 24494F53
      2D53656C 662D5369 676E6564 2D436572 74696669 63617465 2D383932 32383530
      3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 8100DED3
      22ED61B6 AE9103E5 ECF61185 2247B39E 7FF0DAF8 9193C71F 5F162EE7 A9AFEDEE
      6A50AC86 226108D1 3D3ED526 012737B6 E83BD91B 62668089 C7A64F9A 941D2F4A
      9E7B473D 9928A9A6 689AE73E A4C4AC34 D5F5CA1D 54BAC222 F1547E3B CEE25B3A
      770CBECE 34D2BF18 1EE4A00F FBEAAE2E 6ADD3FA3 71EF48B4 06B3A22B C3150203
      010001A3 70306E30 0F060355 1D130101 FF040530 030101FF 301B0603 551D1104
      14301282 10544553 54534348 52545231 30313734 32301F06 03551D23 04183016
      8014A342 775D6D03 84F38104 DAD24AAD EE193DB1 2BCA301D 0603551D 0E041604
      14A34277 5D6D0384 F38104DA D24AADEE 193DB12B CA300D06 092A8648 86F70D01
      01040500 03818100 6EA68FC4 D3313E41 FBAD37C2 7A6B930C F03E9987 5AA7E925
      61391182 8DF45BC4 0854215C A20911D7 EDB0582B 06DA34CD B61D4B83 34F43254
      7CFAB3D8 740C7F5A A961E6AE 89857868 257BEE2F 6EC19F6E 8EFB30A5 16E07ED3
      C4EFE704 3F88FDBC 5CFAB27A E48A5BEF 531031AE 0D7FAF8A 067C27E0 752B53C4
      690AFF2C 55537A94
                    quit
    license udi pid CISCO2921/K9 sn FCZ1348713U
    license agent notify http://10.130.2.21:80/clm/servlet/HttpListenServlet dummy dummy
    hw-module sm 1
    !
    !
    !
    username nst password 7 ***************************************
    username cisco privilege 15 password 7 *******************
    !
    redundancy
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    interface Loopback0
    ip vrf forwarding DISTSCHOOLS
    ip address 10.24.7.1 255.255.255.255
    !
    interface Loopback1
    ip address 1.1.1.1 255.255.255.255
    !
    interface GigabitEthernet0/0
    no ip address
    ip accounting output-packets
    duplex full
    speed 10
    rj45-auto-detect-polarity disable
    !
    interface GigabitEthernet0/0.209
    encapsulation dot1Q 209
    ip address 172.31.12.39 255.255.255.0
    !
    interface GigabitEthernet0/0.211
    encapsulation dot1Q 211
    ip vrf forwarding DISTSCHOOLS
    ip address 172.31.14.39 255.255.255.0
    !
    interface GigabitEthernet0/1
    no ip address
    duplex auto
    speed auto
    !
    interface GigabitEthernet0/1.1
    encapsulation dot1Q 1 native
    no ip redirects
    !
    interface GigabitEthernet0/2
    ip address 10.151.15.33 255.255.255.240
    duplex auto
    speed auto
    !
    interface FastEthernet0/0/0
    switchport access vlan 2
    !
    interface FastEthernet0/0/1
    shutdown
    !
    interface FastEthernet0/0/2
    description laptop_f1
    switchport access vlan 2
    duplex full
    speed 100
    spanning-tree portfast
    !
    interface FastEthernet0/0/3
    switchport access vlan 2
    !
    interface SM1/0
    ip vrf forwarding DISTSCHOOLS
    ip address 10.24.7.17 255.255.255.240
    service-module ip address 10.24.7.18 255.255.255.240
    !Application: VMware ESXi 4.1.0 build-348481 running on SRE-V
    service-module ip default-gateway 10.24.7.17
    hold-queue 60 out
    !
    interface SM1/1
    no ip address
    !
    interface Vlan1
    no ip address
    !
    interface Vlan2
    ip vrf forwarding DISTSCHOOLS
    ip address 10.24.0.1 255.255.252.0
    !
    interface Vlan3
    ip vrf forwarding DISTSCHOOLS
    ip address 10.24.4.1 255.255.255.0
    !
    interface Vlan4
    ip vrf forwarding DISTSCHOOLS
    ip address 10.24.5.1 255.255.255.0
    !
    interface Vlan6
    ip vrf forwarding DISTSCHOOLS
    ip address 10.24.6.1 255.255.255.0
    !
    interface Vlan801
    ip address 10.151.8.1 255.255.255.0
    !
    ip default-gateway 172.23.0.2
    ip forward-protocol nd
    !
    ip http server
    no ip http secure-server
    ip flow-export source Loopback0
    ip flow-export version 5
    ip flow-export destination 172.22.0.51 9996
    !
    ip route 0.0.0.0 0.0.0.0 172.31.12.1
    ip route vrf DISTSCHOOLS 0.0.0.0 0.0.0.0 172.31.14.1
    ip tacacs source-interface Loopback0
    !
    ip access-list extended admin
    permit ip 10.0.5.0 0.127.248.255 172.18.0.0 0.0.255.255
    permit ip 10.0.5.0 0.127.248.255 172.24.1.0 0.0.0.255
    permit ip 10.0.5.0 0.127.248.255 62.232.224.0 0.0.7.255
    permit ip 10.0.5.0 0.127.248.255 10.24.24.0 0.0.3.255
    permit ip 10.0.5.0 0.127.248.255 host 193.164.125.38
    permit ip 10.0.5.0 0.127.248.255 10.34.22.0 0.0.0.255
    permit ip 10.0.5.0 0.127.248.255 172.20.32.0 0.0.15.255 log
    ip access-list extended curriculum
    permit ip 10.0.0.0 0.127.251.255 172.18.0.0 0.0.255.255
    permit ip 10.0.0.0 0.127.251.255 62.232.224.0 0.0.7.255
    permit ip 10.0.0.0 0.127.251.255 host 193.164.125.38
    permit ip 10.0.0.0 0.127.251.255 172.20.32.0 0.0.15.255 log
    ip access-list extended management
    permit ip 10.0.7.0 0.127.248.255 172.22.0.0 0.0.255.255
    permit ip 10.0.7.0 0.127.248.255 10.130.2.0 0.0.0.255
    permit ip 10.0.7.0 0.127.248.255 10.132.232.0 0.0.0.31
    permit ip 10.0.7.0 0.127.248.255 10.136.2.0 0.0.0.255
    permit ip 10.0.7.0 0.127.248.255 host 10.24.0.10
    ip access-list extended media
    permit ip 10.0.4.0 0.127.248.255 172.24.0.0 0.0.0.255
    permit ip 10.0.4.0 0.127.248.255 10.0.4.0 0.127.248.255
    ip access-list extended mediatraffic
    permit udp any 172.18.2.0 0.0.0.255 eq 554
    permit udp any 172.18.2.0 0.0.0.255 eq 1755
    ip access-list extended telnet
    deny   ip 10.0.0.0 0.255.255.255 any
    permit ip any any
    ip access-list extended voice
    permit ip 10.0.6.0 0.127.248.255 10.127.0.0 0.0.31.255
    permit ip 10.0.6.0 0.127.248.255 10.0.6.0 0.127.248.255
    permit ip 10.0.6.0 0.127.248.255 10.129.0.0 0.0.15.255
    permit ip 10.0.6.0 0.127.248.255 10.148.4.0 0.0.251.255
    deny   ip any any
    ip access-list extended webtraffic
    permit tcp any 172.18.2.0 0.0.0.255 eq www
    permit tcp any 172.18.2.0 0.0.0.255 eq 8335
    !
    logging 10.130.2.2
    access-list 99 permit 10.130.2.0 0.0.0.255
    access-list 99 permit 10.136.2.0 0.0.0.255
    access-list 99 permit 10.132.232.0 0.0.0.31
    !
    !
    !
    !
    !
    snmp-server community ****RO 99
    snmp-server community **** RW 99
    snmp-server trap-source Loopback0
    tacacs-server host 10.130.2.11
    tacacs-server host 10.136.2.11
    tacacs-server key 7 105900170B1200
    !
    !
    control-plane
    !
    !
    !
    line con 0
    password 7 *********
    line aux 0
    line 67
    no activation-character
    no exec
    transport preferred none
    transport input all
    transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
    stopbits 1
    line vty 0 4
    password 7 07187842405C0B
    transport input all
    !
    exception data-corruption buffer truncate
    scheduler allocate 20000 1000
    ntp server 10.24.0.10
    end
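As an added example (not part of the thread, and not Cisco's or the poster's tooling), the following Python script reads an IOS running-config in the plain-text form posted above and reports the situation the thread describes: an SM interface whose `service-module ip address` sits in a VRF, whether a global-table loopback exists to telnet to on port 2067, and whether an `ip host ... 2067 ...` alias points at that loopback. The parser, the function names and the embedded SAMPLE_CONFIG are assumptions constructed from the thread; the script only reads configuration text and never opens a connection.

```python
"""Audit an IOS running-config for the SRE-V console-access condition described in this thread.

Added example, not the thread author's or Cisco's code. It assumes plain-text IOS syntax as
posted above: 'interface X' blocks terminated by '!' or 'end', 'ip vrf forwarding', 'ip address',
'service-module ip address', and global 'ip host NAME [PORT] ADDR' entries. SAMPLE_CONFIG is a
constructed excerpt modelled on the configuration in the thread.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# TCP port that 'service-module sm x/y session' connects to, as shown in the thread output.
SM_SESSION_PORT = 2067

# Constructed sample (excerpt of the posted config; addresses as in the thread).
SAMPLE_CONFIG = """\
no ip domain lookup
ip host sm 2067 1.1.1.1
!
interface Loopback0
 ip vrf forwarding DISTSCHOOLS
 ip address 10.24.7.1 255.255.255.255
!
interface Loopback1
 ip address 1.1.1.1 255.255.255.255
!
interface SM1/0
 ip vrf forwarding DISTSCHOOLS
 ip address 10.24.7.17 255.255.255.240
 service-module ip address 10.24.7.18 255.255.255.240
 !Application: VMware ESXi 4.1.0 build-348481 running on SRE-V
 service-module ip default-gateway 10.24.7.17
!
interface SM1/1
 no ip address
!
end
"""


@dataclass
class Interface:
    name: str
    vrf: Optional[str] = None         # 'ip vrf forwarding <vrf>'
    address: Optional[str] = None     # router-side 'ip address'
    sm_address: Optional[str] = None  # module-side 'service-module ip address'


def parse_interfaces(config: str) -> List[Interface]:
    """Collect interface blocks with the fields relevant to console access."""
    interfaces: List[Interface] = []
    current: Optional[Interface] = None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "!" or line == "end":
            current = None          # block separator
            continue
        if not line or line.startswith("!"):
            continue                # blank line, or the '!Application:' banner inside an SM block
        if line.startswith("interface "):
            current = Interface(name=line.split(None, 1)[1])
            interfaces.append(current)
            continue
        if current is None:
            continue
        tokens = line.split()
        if tokens[:3] == ["ip", "vrf", "forwarding"] and len(tokens) >= 4:
            current.vrf = tokens[3]
        elif tokens[:2] == ["ip", "address"] and len(tokens) >= 4:
            current.address = tokens[2]
        elif tokens[:3] == ["service-module", "ip", "address"] and len(tokens) >= 5:
            current.sm_address = tokens[3]
    return interfaces


def parse_ip_hosts(config: str) -> Dict[str, Tuple[Optional[int], str]]:
    """Return {name: (port or None, first address)} for global 'ip host' entries."""
    hosts: Dict[str, Tuple[Optional[int], str]] = {}
    for raw in config.splitlines():
        tokens = raw.strip().split()
        if tokens[:2] != ["ip", "host"] or len(tokens) < 4:
            continue
        name = tokens[2]
        # The optional TCP port sits between the name and the address list: 'ip host sm 2067 1.1.1.1'
        if tokens[3].isdigit() and len(tokens) >= 5:
            hosts[name] = (int(tokens[3]), tokens[4])
        else:
            hosts[name] = (None, tokens[3])
    return hosts


def assess(config: str) -> dict:
    """Report SM interfaces in a VRF, global-table loopbacks, and port-2067 host aliases."""
    interfaces = parse_interfaces(config)
    hosts = parse_ip_hosts(config)
    sm_in_vrf = [(i.name, i.vrf, i.sm_address) for i in interfaces
                 if i.name.upper().startswith("SM") and i.sm_address and i.vrf]
    global_loopbacks = [(i.name, i.address) for i in interfaces
                        if i.name.lower().startswith("loopback") and i.address and not i.vrf]
    loopback_addrs = {addr for _, addr in global_loopbacks}
    console_aliases = [(name, ip) for name, (port, ip) in hosts.items()
                       if port == SM_SESSION_PORT and ip in loopback_addrs]
    findings = [f"{name} is in VRF {vrf}: 'service-module sm ... session' targets port "
                f"{SM_SESSION_PORT} on the SM interface address from the global table and times out"
                for name, vrf, _ in sm_in_vrf]
    for name, addr in global_loopbacks:
        findings.append(f"global-table {name} {addr}: 'telnet {addr} {SM_SESSION_PORT}' reaches the console")
    for alias, addr in console_aliases:
        findings.append(f"'ip host {alias} {SM_SESSION_PORT} {addr}' lets the command '{alias}' open the console")
    return {
        "sm_in_vrf": sm_in_vrf,
        "global_loopbacks": global_loopbacks,
        "console_aliases": console_aliases,
        "workaround_present": bool(sm_in_vrf) and bool(global_loopbacks),
        "findings": findings,
    }


if __name__ == "__main__":
    for finding in assess(SAMPLE_CONFIG)["findings"]:
        print(finding)
```

Because it only reads text, the check can be run over a saved `show running-config` during a change review; it flags the timeout condition from the thread textually and does not attempt the connection itself.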