Wednesday, September 28, 2011

Workaround for VMDKs Larger than 2 TB (2048 GB)

Largest virtual disk (VMDK) that VMware supports inside a virtual machine is 2TB - 512 KB unless you want to do RDM - Raw Device Mapping. However, you can get around this by spanning multiple disks inside Guest (Windows).

To do this, you need to do the following:

1. Create and attach 2 or more VMDKs of various sizes you want.
2. Start VM and go into Disk Management Utility (diskmgmt.msc)
3. Bring disks online and initialize.
4. Convert Basic disks to dynamic or the next step will do it for you.
4. Right click on one of the disks and click "New Spanned Volume"
5. Follow the wizard and assign drive letter.

You are done.

Thursday, September 15, 2011

Internet Edge Design: SSL VPN Placement?

Internet Edge Design: SSL VPN Placement?

This is another question that arose today. Where do you want place your VPN gateway (SSL or other VPN concentrators) in you internet edge for the network? Should they be placed next to firewalls on the edge, routers, or behind the firewall?

In my opinion, VPN concentrators should be behind a firewall with OOB - Out of Band Management - capabilities, especially if it's a SSL or Web VPN device. Because, HTTP/HTTPs are proned to web based attacks like ssl stripping and SSL VPN has two parts (Web Server and VPN Server).

However, I would like to know what others have to say about it in the community and if there is a better approach.

Please feel free to leave you suggestions and thoughts in the comment section.


How to add static ARP on a Nortel switch and other ARP operations?

Configuring ARP operations on Nortel Passport 8600 or any other Nortel switch on your network should be very easy thing but if you don't have much Nortel background, it can be a tedious task as there isn't much documentation out there for Nortel as it is for Cisco. So I thought it would be nice to post it in case someone is looking to add static ARP on their core or other Nortel switches on the Network.

Show ARP table
8600#show ip arp info

Clear ARP (Port or VLAN)
8600#clear ip arp vlan 444
8600#clear ip arp port 1/4

Configure Static ARP (Port or VLAN)
8600#config ip arp add ports 1/4 ip mac 00:00:00:44:44:44
8600#config ip arp add ports 1/4 ip mac 00:00:00:44:44:44 vlan 444

Delete an ARP Entry
8600#config ip arp delete

Set ARP Age Time
8600#config ip arp aging 4

Wednesday, September 14, 2011

Internet Edge Design: Single Firewall or Layered Firewalls?

Internet Edge Design: Single Firewall or Layered Firewalls?

While redesigning Internet Edge of our network many ideas came to the table. One was to use single firewall vs. layered (or dual) firewall design.

In my opinion and experience - if your company have the budget - opting for a layered firewall approach is a better and more secure design than just having a standalone firewall on your edge. In addition, I like to have at least different vendors for each firewall at different layers. Each firewall should be running in different mode (i.e. transparent vs routed).

In this post, I would like to know what others think? Please leave your opinions and ideas in the comment section.


Saturday, September 10, 2011

Internet Edge Design: Secure Web Gateway - Proxy or Not To Proxy?

Internet Edge Design: Proxy or Not To Proxy?We are building a new Enterprise Internet Edge for our organization and are debating whether to use a web proxy for Internet traffic or not. Here are some of the requirements we see fitting for proxy solution:

So far we have looked at following vendors which offer both appliances and cloud-based solutions. We like the cloud based solution because it's simple. But, we have concerns about performance during peak Internet hours for our network.

-Bluecoat (Expensive + Too many appliances)
-Websense (Very Expensive but well known and single clustered appliance)
-Zscalar (Cloud based + Cheaper than previous two + No appliance required)

In this post I would like to see what others are doing and thinking for a web proxy solution for their network.  Do you think a web proxy is still needed for a network where advanced firewalls on the edge have the capabilities to fight worms and viruses that can make their way into a network on HTTP/HTTPs ports?

Please leave your thoughts in the comment area.


Thursday, September 8, 2011

VMware ( vSphere and ESX ) VMDK Size Limit for NFS

There is a lot of confusion on the web about what is the largest size of a VMDK file on a NFS mounted datastore for VMware vSphere and ESX. Today, I was able to confirm that the largest vmdk you can create on an NFS mounted datastore is 2TB minus 512KB. Yes that's the same as for a VMFS formatted datastore.

There was lot confusion because I thought the size of a file on an NFS mounted export is restricted by the underlying storage device. I called both VMware and NetApp about this issue. VMware support told me what I already thought the answer was (Storage vendor restriction) and NetApp support said they are not sure and will research.

So I decided to try creating a 1.99, 2.0, 2.1, 3,4, and 5 TB vmdks on both NetApp and Windows 2008 NFS storage. I got the same error message stating

DiskCapControl: ... Out of Range ... ( )

for all sizes except 1.99 which is less than 2TB-512KB.
Hopefully someone out there will find this info helpful.

Monday, September 5, 2011

KDC Event ID 11 - Solved

If you are creating SPN records in AD and don't take pre-cautions, you may end with duplicate SPN records. This will prevent AD users from logging on to the machine.  Following event id is logged in event log.

Event Type: Error

Event Source: KDC
Event Category: None
Event ID: 11
Date: 4/11/2011
Time: 3:57:13 PM
User: N/A
Computer: DC00
There are multiple accounts with name cifs/ of type DS_SERVICE_PRINCIPAL_NAME.
For more information, see Help and Support Center at

Event Type: Error
Event Source: KDC
Event Category: None
Event ID: 11
Date: 4/11/2011
Time: 3:31:53 PM
User: N/A
Computer: DC00
There are multiple accounts with name host/ of type DS_SERVICE_PRINCIPAL_NAME.
For more information, see Help and Support Center at

Refer to this Micrsoft KB article to reslove this issue.

Ad tools required are ldp.exe and adsi.msc.

Friday, September 2, 2011

NetApp Virtual Storage Console Plugin and Windows 7 64-bit

NetApp Virtual Storage Console - VSC - in vCenter would not load unless you install 32-bit version of JRE for Java. As it turns out, Virtual Infrastructure Client uses 32-bit Internet Explorer to display pages inside Windows frames. So if you have installed 64-bit of Java, you would also need to download and install 32-bit of Java. Latest version 1.7 as of the time this post was written works with NetApp VSC version 2.0.1.

Hope this helps someone out there struggling to make VSC work on a 64-bit Windows 7 machine.