Keith Smith - My Blog


My latest IT infrastructure refresh

Sunday, May 15, 2022 - Posted by Keith A. Smith, in Network, Automation, Microsoft

Two years ago, I took on a new opportunity where the infrastructure environment was stuck in what felt like the tech era of the 2000s, specifically around 2005 and older. Things like network segmentation for security, modern operating systems, applications, hardware, scanning from copiers, ubiquitous Wi-Fi, and more did not exist at any of the sites. It took me just shy of a year to complete this infrastructure refresh. As I write this post, I'm glad to share that this refresh is done for now. I wanted to share some of the before and after shots.
I'll start from the server room and work my way outwards. This comparison shows the lack of cooling in the server room. Notice in the old pic the piece of cardboard on the vent. My guess is that it was supposed to redirect the air to another part of the room. The old A/C was failing and leaking refrigerant, so I replaced it with redundant A/C units.

The racks were old, making it difficult to rack new equipment. I scheduled a maintenance window on a weekend to remove all the equipment and racks.

Here is a comparison of everything racked before and after. I had the electricians install LED lighting in the room. I moved a lot of services to the cloud but still needed a private cloud for certain services being provided to staff.

Here is a shot of all the racks and new equipment. I introduced virtualization, 1, 10 & 25 gig network connections, temperature and environment monitoring, and enterprise-wide Wi-Fi, which was a first for this org.

I decommissioned the legacy 100meg networking and cleaned up the cable spaghetti with color-coded cabling. I later upgraded the phone system software since it was due.

IDF1 - New 12-strand optical cables were run to this area, and I upgraded the network switches and cleaned up the cable spaghetti with color-coded cabling. Lastly, I added a cellular extender to help with signal strength.

IDF2 - New 12-strand optical cables were also run to this area, and I upgraded the network switches and cleaned up the cable spaghetti with color-coded cabling.

Remote site 1 - All equipment had been exposed in a vehicle mechanic shop for years. I'm not sure how the old equipment stayed running in those conditions, but everything was full of dust and grease. I ordered a new 12U APC cabinet, upgraded the network switches, and cleaned up the cable spaghetti with color-coded cabling.

Remote site 2 - This site was the easiest to upgrade. I installed new network switches, added some remote site servers here, and replaced the cable spaghetti with color-coded cabling.

I created a standardized zero-touch Windows 10 image with automated application deployment by department and deployed dozens of laptops, VPN, etc., with docking stations for staff to work from anywhere during the pandemic.



Let's Encrypt redirect with KEMP load balancer

Sunday, November 10, 2019 - Posted by Keith A. Smith, in Network, Automation, Microsoft

PKI management is a huge PITA. In the near future I will post how I've automated PKI renewals and installation of certificates. In this post I wanted to share a method of managing certificate renewals in an environment that has multiple web servers behind a KEMP load balancer, with a central server for certificate management. The load balancer rules send traffic for /.well-known/acme-challenge/ to the certificate management server, and all other port 80 traffic gets redirected to 443.

You will need to create a virtual service with two SubVSs.

Open the virtual service, then add the first SubVS.

The first SubVS should have a weight of 1100, with the Not Available Redirection Handling error code set to 302 and the Redirect URL set to https://%h%s.

The second SubVS has a weight of 1000 and has the IIS server I use to create my Let's Encrypt certs set as its real server.

Create a content rule named Lets_Encrypt with Rule Type set to Content Matching, Match Type set to Regular Expression, Header Field left blank, Matching String set to /^\/.well-known/ and Ignore Case checked.

Now enable Content Switching at the VS. I then added all my content rules for my domains to the first SubVS so they are redirected to HTTPS, and I added the Lets_Encrypt content rule to the second SubVS.
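To sanity-check the routing before it goes onto the LoadMaster, here is an added example (my own illustration, not KEMP's or the post's code) that models the two-SubVS decision offline: challenge paths are forwarded to the certificate server, everything else is answered with the 302 to https://%h%s. The real server name is a placeholder, and SubVS weights are not modelled; the model simply assumes, as the post intends, that the Lets_Encrypt rule wins for challenge requests.

```python
import re
from dataclasses import dataclass
from typing import Optional, Pattern

# Matching String exactly as the post gives it (regular expression,
# ignore case). The "." before "well-known" is unescaped, so it matches
# any single character rather than only a literal dot; STRICT_RULE below
# is the tighter form an operator may prefer.
LETS_ENCRYPT_RULE = re.compile(r"^\/.well-known/", re.IGNORECASE)
STRICT_RULE = re.compile(r"^/\.well-known/acme-challenge/", re.IGNORECASE)

# Placeholder name for the IIS box that answers ACME challenges (assumed).
CERT_SERVER = "cert-mgmt-iis (assumed real server)"


@dataclass
class Decision:
    action: str               # "forward" to a real server, or "redirect"
    target: str               # real server name, or Location header value
    status: Optional[int] = None


def route_port80(host: str, request_uri: str,
                 rule: Pattern[str] = LETS_ENCRYPT_RULE) -> Decision:
    """Decide what the port-80 VS does with one plain-HTTP request."""
    if rule.search(request_uri):
        # Second SubVS: pass the challenge through, unencrypted, to the
        # certificate-management server so Let's Encrypt can validate it.
        return Decision("forward", CERT_SERVER)
    # First SubVS has no real servers, so Not Available Redirection
    # Handling answers with 302 to https://%h%s, where KEMP substitutes
    # %h with the Host header and %s with the original request URI.
    return Decision("redirect", f"https://{host}{request_uri}", 302)
```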

To download the exported file, visit my github repo



Still a bunch of cool tools from Sysinternals

Friday, September 13, 2019 - Posted by Keith A. Smith, in Network, Microsoft

You can point your favorite browser to to access any Sysinternals tool. If you would like to do it the "old school way", you can open up Windows Explorer (if you are on Windows) and point it to \\\ to browse and launch any Sysinternals app. These tools have been a staple for most of us who have been in the field for a while now; it's good to see them still being developed.



Unitrends to Nakivo

Wednesday, December 12, 2018 - Posted by Keith A. Smith, in Network, VMware, Microsoft

Six years ago I was still using LTO tapes as a primary backup method, with Backup Exec backing up several terabytes of data from various servers. Some of the backups would take days to complete; some would complete successfully while others would complete with errors, and on the flip side the recovery of data would take even longer than the backups, with a high chance that one wouldn't be able to recover anything at all. It was well past time to move from tapes to D2D for backups; I started performing bake-offs between many products at the time.

The Unitrends solution beat all the other D2D solutions by a wide margin. One of the many things that I liked about Unitrends was that they didn't charge per client, and they had an appliance that they had built and would support. As time progressed, the Unitrends solution started to show its age and became very costly at renewal time; this is something that I've experienced multiple times as I've implemented the solution at many organizations.

The renewal costs have pushed many customers to go back to the drawing board (as a lot of customers had built their entire DR/BC plans around the Unitrends solution) and evaluate other solutions. The Unitrends solution had been a go-to for me for a long time when it came to designing DR/BC architecture; I now find myself saying goodbye to Unitrends in favor of Nakivo for a D2D solution. The Nakivo backup and recovery solution is entirely web-based and comes as a virtual appliance, as a package on a NAS, or can be installed on a server you provision running *nix or Windows.

I've found the transition to be quite pleasant, the support has been very knowledgeable, and the administration has been straightforward to navigate.



Password Recovery in AOS

Wednesday, November 29, 2017 - Posted by Keith A. Smith, in Network

Recovering passwords requires direct physical access to the unit. This procedure cannot be performed remotely over Telnet, SSH, or the Web GUI. First, connect a straight-through serial cable to the console port of the unit. Second, configure a VT100 session (e.g. HyperTerminal or ProComm) using the following settings: 9600 bps, 8 bits, no parity, 1 stop bit and no flow control. Lastly, reboot the unit by removing the power. As the unit boots, you will be given the opportunity to break into bootstrap mode by pressing the ESC key within 5 seconds. While in bootstrap mode, issue the following commands:

Bootstrap# bypass passwords

Bootstrap# boot
Notice that you are issuing the boot command, not the reload command, following the bypass passwords command. Once the unit has finished booting up, you can issue the enable command and you will not be required to enter the privileged (i.e. enable) password. Once you are in privileged mode, you can view the configured passwords by using the show run command. A new password can also be set by entering global configuration mode with the config terminal command and issuing the enable password command with the new password as its argument. Also remember to change any Telnet, SSH or Web GUI passwords if necessary.

Below is a sample output of these steps:

Router (1200990L1)
Executing bootstrap...
ram: 268435456 bytes of RAM detected.
Bootstrap version: 11.04.1.B2, checksum: 0F3C, Wed Nov 29
vfs: NONVOL: 120 tracks, 128 sectors/track, 1024 bytes/sector.
eth0/1: initializing...
eth0/1: MAC address is 00:A0:C8:XX:XX:XX
bootstrap: Checking boot configuration...
bootstrap: Primary image is 'NONVOL:/'.
bootstrap: User escaped to command line interface.
cli: starting command line interface...
cli: starting user interface

Press '?' for help.
bootstrap#bypass passwords

In case anyone comes across this in the future, instead of the command "bypass passwords", you can alternately use "bypass startup-config" then "boot". This will boot the system with a blank/default config. Once you get into enable mode you can enter "copy running-config startup-config" to re-apply the default config while leaving you at the enable prompt (effectively skipping the login and enable password prompts), or you can just manually reconfigure the box in case you really messed things up.
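Because either bypass variant above gives anyone with console access privileged mode without a password, the defensive counterpart is to know when it happened. The following is an added example (my own illustration, not from the post or from ADTRAN) that scans a captured console session for the bootstrap escape and the "bypass passwords" / "bypass startup-config" commands; it assumes, which the post does not state, that the console port is cabled to a console server that logs sessions, and the sample session is constructed from the boot output shown above.

```python
import re
from typing import Dict, List

ESCAPE_MARKER = "bootstrap: User escaped to command line interface."
BYPASS_CMD = re.compile(r"^bootstrap#\s*bypass\s+(passwords|startup-config)\b",
                        re.IGNORECASE)
BOOT_CMD = re.compile(r"^bootstrap#\s*boot\b", re.IGNORECASE)

# Constructed sample session, modelled on the boot output in the post.
SAMPLE_SESSION = """\
Router (1200990L1)
Executing bootstrap...
bootstrap: Checking boot configuration...
bootstrap: User escaped to command line interface.
cli: starting command line interface...
Press '?' for help.
bootstrap#bypass passwords
bootstrap# boot
Router>enable
Router#show run
"""


def find_bypass_events(session_text: str) -> List[Dict[str, object]]:
    """Return one record per bootstrap escape or bypass command, in order.
    'in_bootstrap' is True when the bypass follows an escape and precedes
    the boot command, i.e. the exact sequence the post describes."""
    events: List[Dict[str, object]] = []
    in_bootstrap = False
    for lineno, raw in enumerate(session_text.splitlines(), start=1):
        line = raw.strip()
        if line == ESCAPE_MARKER:
            in_bootstrap = True
            events.append({"line": lineno, "event": "bootstrap_escape"})
            continue
        m = BYPASS_CMD.match(line)
        if m:
            events.append({"line": lineno,
                           "event": "bypass_" + m.group(1).replace("-", "_"),
                           "in_bootstrap": in_bootstrap})
            continue
        if BOOT_CMD.match(line):
            in_bootstrap = False      # unit left bootstrap mode
    return events


def session_bypassed_passwords(session_text: str) -> bool:
    """True when a bypass command was issued from bootstrap mode."""
    return any(str(e["event"]).startswith("bypass_") and e.get("in_bootstrap")
               for e in find_bypass_events(session_text))
```

A hit from this scan is worth correlating with the change-management record for that unit, since the post's procedure also means the running passwords are now visible via show run.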

