Kevsters Blog

My little part of the Internet

Driving Cisco ACI using PowerShell

One thing I have been working on for a long time is to create a set of PowerShell modules for Cisco ACI.

For those that don’t know, ACI is Cisco’s next-generation data centre switching fabric, kind of the next step after Nexus in NX-OS mode. It uses modern techniques such as hardware controllers (APICs, which are C220 servers) along with Nexus 9500 and Nexus 93xx switches to form a leaf-spine deployment.

Whilst ACI has a GUI, an MO CLI and an NX-OS-like CLI (not perfect at all!), along with Python and even Ansible, these quickly run out of steam. Whilst Python is a great language, it still takes some learning. It’s also not so intuitive when passing results between methods.

I realised there is nothing for ACI that utilises PowerShell in a similar way to VMware’s NSX and the most excellent PowerNSX.

Hence, my first cut of ACI-PoSH is published to GitHub. There is a ton of work to do on this (documentation being a biggie), but it works.

Development Process

I am quite lucky to have been involved in some large-scale ACI deployments; however, when offline from these I have two environments that I use.

  • The Cisco DevNet ACI Sandbox, available from Cisco DevNet. This is a site that contains working examples of most Cisco products, one being the ACI Simulator (Always On), which is an Internet-connected APIC. No charge, but you do need to register or log in. Just the job for testing, learning and development.
  • The Cisco ACI Simulator (see here). You need a valid CCO account and ACI software support to download it. It will run in most hypervisors (I use VMware Workstation and ESXi) but needs at least 80GB HDD, 8 cores and 16GB RAM available. You will also need your friendly Cisco Account Manager to authorise the activation code.

I’ll be adding more info here in later posts about just how to use it.

Azure Certification

Earlier this year, I decided to do some Microsoft Azure upskilling. As part of our Microsoft Partner status, we get Azure credits along with other benefits. We decided to re-platform our services, and using Azure made sense.

It can be overwhelming when first accessing Azure. There are so many services, products and features it can be hard to see the wood for the trees! One advantage is there is so much information available out there; however, Azure changes so frequently it can become out of date.

I was going to work towards the Azure Microsoft Certified Professional (MCP) then Microsoft Certified Systems Engineer (MCSE); however, I learnt one morning that Microsoft was going to change their certification schemes. I also learnt the new exams were in Beta AND there was an 80% discount for the first 300 applicants (worldwide).

I managed to bag both the AZ-100 and AZ-101 exams, with only just under one month to take them. There were also no study guides as such, other than the exam synopsis. Luckily, I had been studying against the MCSE track and there was some overlap. Lots and lots of studying, however.

In August I took the exams, not knowing if I had passed or not. Microsoft only release exam results once the exams go public. A week or so ago, I suddenly had an email saying congrats on passing both of them. I was pleased, as it made the hard work worthwhile.

So it’s another certification for the bag. Not sure if I’ll continue, but I suspect I may, or do one of the Amazon AWS exams to keep neutral 🙂

Funky badge

Must try harder….

Blogging – like most things in life – is hard.

Hard to keep disciplined to post, hard to keep up to date. Even harder to find the right thing to write.

I tried the blog-every-day-for-a-month regime. Impossible. So I’m thinking once a week?

I’ll try harder from now on. Honest 🙂

New Platform

I have moved platform due to some changes in hosting provider.
Hopefully it will make me blog more!

Personal Tech Updates

It’s been a long, long time since I blogged. Lots has changed and there’s lots to update on.
One major thing is I finally bit the bullet and dropped Windows Mobile 10. I was a long-time user of W10M/8.1 Phone/8 Phone, but I accepted fate and realised I was missing out on functionality, security, apps and tools. Whilst I still think Windows 10 is brilliant, I do occasionally use an Android tablet. The flexibility and app store are very impressive, plus there’s no way I’m ever going back to Apple.
So having done some research a while back, nearly going for a Samsung Galaxy 8 (very, very expensive) and then being curious about OnePlus, I preordered a OnePlus Five.
If you don’t know about them, check them out. It’s bloody brilliant.
The OS is bang up to date, fast and fluid. No crapware on there, and the camera is great. Battery is brilliant, screen clear, and it’s nice and light. Well designed, and I must say I’m seriously impressed. Ignore the crap about the ‘jelly effect’, as most of it comes from the fanboy sites and is hype over nothing.
More updates soon.

HP Microserver N40 Disk Upgrades: more than 4 disks?

I use an HP Microserver N40 at our office. It’s a great piece of kit that I have had for a number of years, and it is used for a variety of purposes such as NAS, media sharing, print/file server and virtual machine host.
I recently decided to upgrade from Windows Home Server 2011 to Windows Server Essentials 2012 R2, along with some hardware upgrades.

Sadly, I found that Essentials 2012 R2 does not have a driver available, so support for this RAID card is not possible. One thought was to use the Server 2008 R2 x64 driver, but that sounds like a bad idea to me. I then decided to look at using Windows Server Storage Spaces, which is a technology Microsoft have been working on for a long time. I had 2 x 4TB WD Green and 2 x 2TB WD Green drives in the 4-way SATA bay.
Not wanting to install the OS on the 4TB drives, I decided to make use of a spare SSD. This was then connected to the motherboard SATA port.
I then realised there is an eSATA port on the rear of the server. With a bit of a Heath Robinson hack I managed to get this routed internally and then into a spare hot-swap 3.5″ bay that I installed into the 5 1/4″ CD drive bay. The mod was to bend the left edge of the flap that covers the PCI slot screws outwards with a multitool, which allows the eSATA cable to be routed internally.

A quick addition of a SATA power splitter and job done. Six drives in a four-drive server!
I need to make sure recovery will work with Storage Spaces going forward, but the Health tools in Server Essentials seem to be quite good, so time will tell.
Looking good so far.

Windows Phone 8.1 to Cisco ASA VPN – Part 2

Cisco have now released a BETA AnyConnect client for Windows Phone 8.1, available from the Windows Phone Store.
I haven’t tested the latest builds, but the initial version had a few showstoppers that look to have been fixed. Remember this uses SSL/TLS encryption only, and your local security policy may mandate the use of IPsec, along with all its issues!
Also, they don’t appear to have fixed the session timeout bug, so that may cause a few headaches with disconnects.

Windows Phone 8.1 to Cisco ASA VPN

[There is next to no information available on this, so this was borne out of experimentation and a lot of packet capture analysis]
Update: Since testing this I have found that L2TP/IPsec does not work if the ASA is behind a NAT device. This is because the WP81 device explicitly will not connect to a NAT-T device. There is a registry key on Windows to enable this; however, there is nothing on WP8.
Windows Phone 8.1 introduced a native VPN client to the operating system. It supports L2TP/IPsec and IPsec IKEv2 natively, and various SSL VPN providers via plug-ins downloaded from the Windows Store. At the moment Juniper, Check Point and F5 have all made clients. Sadly Cisco has not yet, although it is due to release one by mid-2015.
This leaves organisations with a quandary, not being able to support Windows Phone. This is a shame, as the platform appears to try to support strong authentication and encryption schemes where possible.
You would like to think that, with Windows Phone supporting IKEv2 and Cisco AnyConnect 3.x/4.x’s IPsec implementation using only IKEv2, the two would interoperate. Sadly they do not. The ASA, for some reason, always believes the Windows Phone to be an L2L (LAN-to-LAN/site-to-site) VPN. Repeated attempts could not get this to work.
Since writing the above and reading the Cisco documentation more, you need the ASA to be at 9.3(2) or above to support third-party IPsec clients.
The IKEv2 proposals sent from Windows Phone (just for information) are:

AES-CBC 128 SHA1 DH Gp 2
3DES SHA256 DH Gp 2
AES-CBC 128 SHA256 DH Gp 2
AES-CBC 128 SHA384 DH Gp 2

I’m still battling the ASA/WP81 connection using IKEv2 and certificates. The configuration appears to be a little problematic, and current working solutions rely on the use of EAP for the client authentication. However, if you want to do plain, boring RSA certificate authentication at both ends, it does not work, due to the ASA wanting to use RSA and the WP81 devices trying ECDSA, which the ASA doesn’t offer [currently talking to TAC].
This only leaves L2TP/IPsec as an option, which the ASA does support. Effectively this uses an IKEv1 IPsec channel to tunnel L2TP over. L2TP is not a very secure protocol on its own but is very good for tunnelling, and over IPsec it should be fine for most environments. As mentioned, IKEv1 is used and the following modes are proposed from Windows Phone:

AES-CBC 256 28800 seconds SHA1 DH Gp 20
AES-CBC 128 28800 seconds SHA1 DH Gp 19
AES-CBC 256 28800 seconds SHA1 DH Gp 14
3DES 28800 seconds SHA1 DH Gp 14
3DES 28800 seconds SHA1 DH Gp 2

Testing with ASA code 9.2-ish (seems OK on 8.6-ish too), only the last mode (3DES, SHA1, DH Gp 2) appears to work. Not 100% sure of the reason, but I suspect Cisco only support DH Groups 20, 19 and 14 when using IKEv2. Thus on the ASA side you need to add:

! Note: policy number 5 is just an example; use whatever number you have free
crypto ikev1 policy 5
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 28800

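To see why only the last Windows Phone proposal survives against that policy, here is an added Python simulation (not from the post) of the responder-side IKEv1 phase-1 selection: it parses `crypto ikev1 policy` stanzas and walks them in priority order against the five proposals listed above. The set of DH groups the ASA accepts for IKEv1 is an assumption that follows the post’s suspicion (groups 14/19/20 being IKEv2-only), and the policy defaults are the ASA’s documented ones.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Proposal:
    encryption: str   # ASA keyword: "aes" (AES-128), "aes-256", "3des"
    hash_alg: str     # "sha" = SHA1
    group: int        # Diffie-Hellman group number
    lifetime: int     # seconds

# The five IKEv1 phase-1 proposals WP8.1 sends, in the order the post lists them.
WP81_IKEV1_PROPOSALS = [
    Proposal("aes-256", "sha", 20, 28800),
    Proposal("aes", "sha", 19, 28800),
    Proposal("aes-256", "sha", 14, 28800),
    Proposal("3des", "sha", 14, 28800),
    Proposal("3des", "sha", 2, 28800),
]
# Assumption (following the post's suspicion): this ASA build only offers DH 1/2/5 for IKEv1.
ASA_IKEV1_GROUPS = {1, 2, 5}
# ASA defaults for an ikev1 policy attribute that is left unset.
POLICY_DEFAULTS = {"encryption": "3des", "hash_alg": "sha", "group": 2, "lifetime": 86400}

def parse_ikev1_policies(config):
    """Parse 'crypto ikev1 policy N' stanzas from ASA config text into {N: Proposal}."""
    policies, number, fields = {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("crypto ikev1 policy "):
            if number is not None:
                policies[number] = Proposal(**fields)
            number, fields = int(line.split()[3]), dict(POLICY_DEFAULTS)
        elif number is not None and line and not line.startswith("!"):
            key, _, value = line.partition(" ")
            if key == "encryption": fields["encryption"] = value
            elif key == "hash": fields["hash_alg"] = value
            elif key == "group": fields["group"] = int(value)
            elif key == "lifetime": fields["lifetime"] = int(value)
    if number is not None:
        policies[number] = Proposal(**fields)
    return policies

def negotiate(policies, client_proposals):
    """Walk ASA policies by priority (lowest number first); return (number, proposal, lifetime) of the first match."""
    for number in sorted(policies):
        pol = policies[number]
        if pol.group not in ASA_IKEV1_GROUPS:
            continue  # policy cannot be used for IKEv1 on this build
        for prop in client_proposals:
            if (prop.encryption, prop.hash_alg, prop.group) == (pol.encryption, pol.hash_alg, pol.group):
                return number, prop, min(prop.lifetime, pol.lifetime)
    return None
```

Feeding it the policy above returns policy 5 with the 3DES/SHA1/group 2 proposal, while an AES policy on group 14 yields no match at all.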
You then need to look at the IPsec SA. The ‘best’ I found to work was using AES128 with a SHA1 hash. The Windows client differs from a standard client in that it uses TRANSPORT mode, as opposed to TUNNEL mode. Windows also has some values for SA lifetimes that need to be used. Thus the ASA config needs the following:

! Note: My ASA external interface is called 'outside', YMMV
! Note: ESP-AES-128-SHA-TRANS and ESP-3DES-SHA-TRANS are the transport-mode transform sets
!       (the ASDM defaults); they must exist with 'mode transport' for the Windows client
crypto dynamic-map outside_dyn_map 60000 set ikev1 transform-set ESP-AES-128-SHA-TRANS ESP-3DES-SHA-TRANS
crypto dynamic-map outside_dyn_map 60000 set security-association lifetime seconds 3600
crypto dynamic-map outside_dyn_map 60000 set security-association lifetime kilobytes 250000
! Note: No PFS is supported
! Note: NAT-T is enabled by default.

I could have amended the standard dynamic crypto map to include these values but decided to keep it separate.
The next challenge is authentication. The ASA supports certificate-based authentication, but Windows Phone only supports a pre-shared key along with username and password. This can be passed to whatever AAA solution you may have defined within the ASA (such as Active Directory/RADIUS/even SecurID) or could be a local username and password. Also, the L2TP/IPsec profile does not support the concept of a ‘group’ (which can be used to map to an ASA connection profile), thus the DefaultRAGroup has to be used. Here’s hoping you haven’t used this group for any of your client access 🙂 If you have, then you need to be very careful not to break any existing access.
First you need to create a new group policy to attach to the group:

group-policy GP-WinPhone internal
group-policy GP-WinPhone attributes
 wins-server none
 dns-server value 10.x.x.x 192.168.x.x
 vpn-tunnel-protocol l2tp-ipsec
 pfs enable
 default-domain value yourdomain.local

This sets the protocol, client DNS servers and domain name. Next, update the tunnel group:

tunnel-group DefaultRAGroup general-attributes
 address-pool OneOfYourPools
 default-group-policy GP-WinPhone
 authentication-server-group LOCAL
 ! Set a different group here depending on local security policy
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key xxxxxxxxxx
 isakmp keepalive disable
tunnel-group DefaultRAGroup ppp-attributes
 no authentication ppp
 no authentication ms-chap-v1
 authentication ms-chap-v2

This should be enough, apart from adding a new local user for authentication. In the above I used the local user database:

username myWinPhoUser password xxxxxxxxx nt-encrypted
username myWinPhoUser attributes
 service-type remote-access

That should get you a working connection ASA side.
From the Windows Phone side, configure from Settings > VPN > Add.
You can set a proxy as need be. As discussed before, there is no way to use L2TP/IPsec without a username and password being set. So you may as well use them: either a local user as an additional factor on top of the pre-shared key, or an Active Directory username and password as additional authentication.
Good luck!


Finally had notification that I am now officially CISSP certified!

I’m not a certification chaser, but I decided late last year I wanted to do something different from pure technical qualifications. It was a very long (6 hours/250 questions, some interactive) exam and certification process, but it is now all done. Very happy.
Next is keeping up with various things to gain CPEs.
I think Certified Ethical Hacker (CEH) next.

Private Network Address ranges

Most people will be familiar with the RFC 1918 standard for private network addressing.
Reading through a lot of the RFCs, they have now been superseded with later versions. The most current appears to be RFC 6890, although it is badly formatted into tables. The prior version, RFC 5735, has a Section 4 which is much more usable.

Address Block        Present Use                                    Reference
-------------------  ---------------------------------------------  --------------------------------------
                     "This" Network                                 RFC 1122, Section
                     Private-Use Networks                           RFC 1918
                     Loopback                                       RFC 1122, Section
                     Link Local                                     RFC 3927
                     Private-Use Networks                           RFC 1918
                     IETF Protocol Assignments                      RFC 5736
                     TEST-NET-1                                     RFC 5737
                     6to4 Relay Anycast                             RFC 3068
                     Private-Use Networks                           RFC 1918
                     Network Interconnect Device Benchmark Testing  RFC 2544
                     TEST-NET-2                                     RFC 5737
                     TEST-NET-3                                     RFC 5737
                     Multicast                                      RFC 3171
                     Reserved for Future Use                        RFC 1112, Section 4
                     Limited Broadcast                              RFC 919, Section 7; RFC 922, Section 7

For DEV, LAB and TEST networks this shows two more segments that can be used ( and ), along with one I have used often.
It’s amazing how often I have come across organisations not taking these into account when planning addressing schemes.
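As an added example (my code, not from the post), here is a small Python checker for exactly that planning mistake: it tests a proposed addressing scheme against the RFC 5735 Section 4 special-use blocks and also flags planned segments that overlap each other. The address blocks are written out from RFC 5735 itself, and the sample plan in `__main__` is constructed.

```python
import ipaddress

# Special-use blocks as listed in RFC 5735 Section 4 (the table the post refers to).
RFC5735_SPECIAL_USE = {
    "0.0.0.0/8": '"This" Network (RFC 1122)',
    "10.0.0.0/8": "Private-Use Networks (RFC 1918)",
    "127.0.0.0/8": "Loopback (RFC 1122)",
    "169.254.0.0/16": "Link Local (RFC 3927)",
    "172.16.0.0/12": "Private-Use Networks (RFC 1918)",
    "192.0.0.0/24": "IETF Protocol Assignments (RFC 5736)",
    "192.0.2.0/24": "TEST-NET-1 (RFC 5737)",
    "192.88.99.0/24": "6to4 Relay Anycast (RFC 3068)",
    "192.168.0.0/16": "Private-Use Networks (RFC 1918)",
    "198.18.0.0/15": "Network Interconnect Device Benchmark Testing (RFC 2544)",
    "198.51.100.0/24": "TEST-NET-2 (RFC 5737)",
    "203.0.113.0/24": "TEST-NET-3 (RFC 5737)",
    "224.0.0.0/4": "Multicast (RFC 3171)",
    "240.0.0.0/4": "Reserved for Future Use (RFC 1112)",
    "255.255.255.255/32": "Limited Broadcast (RFC 919, RFC 922)",
}
PRIVATE_USE = {"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"}  # the RFC 1918 blocks

def overlaps(prefix):
    """Return [(block, use)] for every RFC 5735 block that overlaps the given prefix."""
    net = ipaddress.ip_network(str(prefix), strict=False)
    return [(block, use) for block, use in RFC5735_SPECIAL_USE.items()
            if net.overlaps(ipaddress.ip_network(block))]

def check_plan(plan):
    """plan: {segment_name: prefix}. Returns (name, kind, detail) findings:
    'special-use' when a prefix touches a reserved block other than RFC 1918,
    'overlap' when two planned segments overlap each other."""
    nets = {name: ipaddress.ip_network(p, strict=False) for name, p in plan.items()}
    findings = []
    for name, net in nets.items():
        for block, use in overlaps(net):
            if block not in PRIVATE_USE:
                findings.append((name, "special-use", f"{block} {use}"))
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append((a, "overlap", f"overlaps {b} ({nets[b]})"))
    return findings

if __name__ == "__main__":
    # Constructed sample plan: a lab segment parked on TEST-NET-1 and two overlapping 10.x ranges.
    for finding in check_plan({"lab": "192.0.2.0/24", "dev": "10.1.0.0/16", "test": "10.1.128.0/17"}):
        print(*finding)
```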


© 2019 Kevsters Blog
