Unable to negotiate with IP Address port 22: no matching cipher found error connecting to Cisco switch from Mac

Recently attempted to open an ssh session from my MacBook Pro with macOS Big Sur to a Cisco Catalyst WS-C2960CG-8TC compact switch running Cisco IOS 15.0 and received the following error message: “Unable to negotiate with <IP Address> port 22: no matching cipher found. Their offer: aes128-cbc,3des-cbc,aes192-cbc,aes-256-cbc”.

Cisco IOS 15 secure shell (SSH) servers support the encryption algorithms (Advanced Encryption Standard Counter Mode [AES-CTR], AES Cipher Block Chaining [AES-CBC], Triple Data Encryption Standard [3DES]) in the following order:

  1. aes128-ctr
  2. aes192-ctr
  3. aes256-ctr
  4. aes128-cbc
  5. 3des-cbc
  6. aes192-cbc
  7. aes256-cbc

Unfortunately, these ciphers were deprecated in the OpenSSH 7.6p1 release, and Big Sur uses OpenSSH_8.1p1. If you run the command ssh -V you will see the ssh version your MacBook is running.

One way around the issue is to force my MacBook to use one of the listed ciphers with the following command:

ssh -c 3des-cbc admin@<IP Address>

But I really didn’t want to type that for every SSH session to this switch, so I modified the ssh configuration on my MacBook to allow the supported ciphers using the following steps:

  1. nano /etc/ssh/ssh_config
  2. Scroll down to the Ciphers line and remove the leading # that comments it out, then save the file.

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc

Now you can ssh without adding the cipher!
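As an added example (my own, not from the original post), a small POSIX shell helper that takes the client's ssh -Q cipher list and the "Their offer:" text from the error above and picks the strongest cipher both sides share, so the choice is deliberate rather than falling back to 3des-cbc. The preference order and the 192.0.2.10 address are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): given the client's `ssh -Q cipher`
# output and the "Their offer:" list from the "no matching cipher found" error,
# print the strongest cipher both sides support so it can be passed to ssh -c.

# Preference order assumed here: AES-CTR first, then AES-CBC, 3des-cbc last.
PREFERRED="aes256-ctr aes192-ctr aes128-ctr aes256-cbc aes192-cbc aes128-cbc 3des-cbc"

# Pull the comma-separated offer out of the error text, one cipher per line.
offer_from_error() {
  printf '%s\n' "$1" | sed -n 's/.*Their offer: *//p' | tr ',' '\n' | tr -d ' '
}

# $1 = client cipher list, one per line (what `ssh -Q cipher` prints)
# $2 = the complete ssh error message
# Prints the first preferred cipher found in both lists; returns 1 if none.
pick_cipher() {
  client="$1"
  offer="$(offer_from_error "$2")"
  for c in $PREFERRED; do
    if printf '%s\n' "$client" | grep -qx "$c" &&
       printf '%s\n' "$offer"  | grep -qx "$c"; then
      printf '%s\n' "$c"
      return 0
    fi
  done
  return 1
}

# Constructed sample input: an OpenSSH 8.1 client list (CBC is still compiled
# in, just absent from the default proposal) and the switch's offer from the post.
CLIENT_CIPHERS="3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com"
ERROR_MSG="Unable to negotiate with 192.0.2.10 port 22: no matching cipher found. Their offer: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc"

# Real use: pick_cipher "$(ssh -Q cipher)" "<error text copied from ssh>"
pick_cipher "$CLIENT_CIPHERS" "$ERROR_MSG"   # prints aes256-cbc
```

Whatever cipher it picks, put it in a Host stanza in ~/.ssh/config scoped to the switch rather than in /etc/ssh/ssh_config, so CBC is only re-enabled for this one destination.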

Connecting Cisco Catalyst 2960-CG and C3560-CX Series Switches

I currently have a Cisco Catalyst C3560-CX Series switch (WS-C3560CX-8XPD-S) in my lab environment. The C3560-CX is a compact switch and only has eight (8) ethernet ports. I recently purchased four new HPE servers and currently do not have enough physical ports on my C3560-CX to connect them. To solve this problem I could replace my existing C3560-CX with a larger switch, or I could add an additional switch. Since the cost of a used 2960-CG switch is under $100, I opted to purchase an additional switch.

In my environment I am connecting a single port (gi0/9) on the 2960-CG to gi1/0/3 on the C3560-CX with a cross-over cable.

I am using a console cable from my laptop to configure the 2960-CG switch. First, I will configure port gi0/9 as a trunk port:

switch2>en
switch2#conf t
switch2(config)#int gi0/9
switch2(config-if)#switchport mode trunk
switch2(config-if)#end

Next, I want the new 2960-CG switch to “inherit” all of the VLANs that were created on the C3560-CX. To do this I am going to configure VTP.

switch2#conf t
switch2(config)#vtp version 3
switch2(config)#vtp domain SERVER
switch2(config)#vtp mode client
switch2(config)#end
switch2#sh vtp status

Next, I want to enable JUMBO frames on the switch.

switch2#conf t
switch2(config)#system mtu jumbo 9000

Finally, I will save the changes and reload the switch (a reload is required for the MTU size change to take effect):

switch2#copy run start
switch2#reload

Recover Cisco Catalyst 2960-CG Series Switch SYST FLASHING

I recently was unable to boot a Cisco Catalyst 2960-CG Series Compact Switch (WS-C2960CG-8TC-L v03). The IOS image would hang during loading causing the SYST light to flash constantly. To complicate matters further I was unable to issue a BREAK over my serial connection to stop the IOS from loading. Here is what I did to fix the issue:

  1. Connect to the console port of the switch from your laptop using a serial adapter and a compatible Cisco serial cable. Note: There are many different ways to access a Cisco switch from the console port, and they differ based on the operating system of your laptop/desktop, the serial adapter you choose, and the terminal application you are using.
  2. Boot the switch into ROMMON (the boot loader) by holding down the MODE button on the front of the switch until it boots.
  3. DO NOT DO THIS IF YOU DON’T HAVE A BACKUP IOS IMAGE. At the switch> prompt I issued the command format flash:
  4. Using my laptop, I downloaded the latest IOS image for this switch from Cisco onto a 1GB PNY Attache USB drive formatted with FAT.
  5. I ejected the USB drive from my laptop and inserted it into the USB port on the front of the Cisco 2960CG switch.
  6. I loaded the Cisco IOS image from the USB drive using the following command: boot usbflash0:c2960c405ex-universalk9-mz.150-2a.SE9.bin
  7. Once the Cisco IOS image loaded I completed the basic setup.
  8. Next, I entered enable mode by typing en, then copied the IOS image from the USB drive to the Cisco 2960CG switch using the following command: copy usbflash0:c2960c405ex-universalk9-mz.150-2a.SE9.bin flash:c2960c405ex-universalk9-mz.150-2a.SE9.bin
  9. I configured the switch to boot from the IOS image that was copied to flash using the following command: boot system flash:c2960c405ex-universalk9-mz.150-2a.SE9.bin
  10. Finally, I saved the running configuration as the device startup configuration using the following command: copy run start

QNAP TS-251 VAAI 10G Performance Test

The interesting finding was that when using a 10G NIC there wasn’t a significant reduction in the amount of time it took to clone the VM.

             VAAI OFF   VAAI ON
Start Time   11:00:28   4:26:37
End Time     11:59:47   5:21:15
Total Time   59m19s     54m38s

There was, however, a significant reduction in network traffic. With VAAI turned off, the VM’s data is read by the ESXi host and then written back to the datastore.

[Screenshot taken 2020-02-16 4:44 AM]

Here you can see the amount of network traffic generated to copy the vApp with VAAI turned off. The peak data transmit rate occurs while the VMDK file is being cloned.

[Screenshot taken 2020-02-15 11:45 PM]

Once VAAI is turned on the traffic is near zero as the clone operation is offloaded to the QNAP TS-251b.

[Screenshot taken 2020-02-16 4:36 AM]

The disk is the bottleneck: even though it is an SSD, the 10G network interface card can transmit at speeds of up to 637 MB/s while the disk is only advertised as capable of 520 MB/s for sequential writes.

Note: Although this screenshot doesn’t illustrate it, the combined read and write speed was close to the advertised speed.

[Screenshot taken 2020-02-16 4:56 AM]

Environment Details

  • Dell PowerEdge T440
    • Two Intel(R) Xeon(R) Gold 5120 CPU @ 2.20GHz
    • 512GB RAM
    • SAMSUNG 6.4TB NVMe PM1725B PCIe 3.0 X8
  • QNAP TS-251B
    • Intel® Celeron® J3355 dual-core 2.0 GHz processor
    • 8GB RAM
    • QNAP Single-Port 10 GbE Network Expansion Card
    • Samsung SSD 860 EVO 4TB 2.5 Inch SATA III Internal SSD (MZ-76E4T0B/AM)
  • Cisco Catalyst 3560CX-12PD-S Switch
  • VMware ESXi 6.7u3
    • QNAP-QVAAI_NFS3-3.0-2.vib

Documentation to install the .vib from QNAP is found here.

Disk Space Requirements for NSX-v Based VI Workload Domain in Cloud Foundation 3.9.1

If you are creating a new NSX-v based VI Workload Domain you will need a minimum of 120GB of disk space in the Capacity Tier of your vSAN cluster. In my lab environment I use 30GB capacity disks for the ESXi hosts; as a result I need to either use four (4) hosts for the cluster or increase the size of the capacity disks. The validation failure looks like this in the SDDC Manager log:

Host sfo01w01esx01.sfo01.rainpole.local has available storage space of 30.0 GB.

2020-01-16T18:22:10.756+0000 WARN  [9bef000e354c17cb,6ac5] [c.v.v.v.c.h.i.HttpConfigurationCompilerBase$ConnectionMonitorThreadBase,dm-exec-7]  Shutting down the connection monitor.
2020-01-16T18:22:10.756+0000 WARN  [0000000000000000,0000] [c.v.v.v.c.h.i.HttpConfigurationCompilerBase$ConnectionMonitorThreadBase,VLSI-client-connection-monitor-224]  Interrupted, no more connection pool cleanups will be performed.
2020-01-16T18:22:10.756+0000 ERROR [9bef000e354c17cb,6ac5] [c.v.v.c.f.p.a.i.ValidateStorageSizeAction,dm-exec-7]  90.0 GB storage is less than the minimum required 120 GB for NSX-V based VI domain creation.
2020-01-16T18:22:10.757+0000 ERROR [9bef000e354c17cb,6ac5] [c.v.e.s.o.model.error.ErrorFactory,dm-exec-7]  [2BDHG8] VSPHERE_VALIDATE_STORAGE_SIZE_FAILED Failed to validate storage size required to create a NSX-V based VI domain for the storage type VSAN.

Change the Default Gateway of Cloud Builder VM

Recently I deployed a new Cloud Foundation Cloud Builder VM; after the deployment I was unable to ping it from my laptop. I logged into the direct console and verified the IP address using the ifconfig command – the IP address was correctly configured. Next I verified the default gateway address using the route command and noticed that it had been incorrectly configured. To change the default gateway address on the Cloud Builder VM I used two commands:

  1. route delete default gw <IP Address>
  2. route add default gw <IP Address>

Deploy VMware Cloud Foundation Cloudbuilder VM with VMware OVF Tool

Download the VMware Cloud Foundation Cloudbuilder .ova file to the machine you will execute the OVF Tool from.

Here is a sample of the command I used:

./ovftool --acceptAllEulas -dm=thin -ds="NVMe-m01" --net:"Network 1"=DPortGroup --powerOn --prop:guestinfo.ROOT_PASSWORD=VMware123! --prop:guestinfo.ADMIN_PASSWORD=VMware123! --prop:guestinfo.ip0=172.16.11.252 --prop:guestinfo.netmask0=255.255.255.0 --prop:guestinfo.gateway=172.16.11.253 --prop:guestinfo.hostname=cloudbuilder --prop:guestinfo.DNS=172.16.11.8 --prop:guestinfo.ntp=172.16.15.211 /Users/toddsimmons/Downloads/VMware-Cloud-Builder-3.5.1.0-12051558_OVF10.ova vi://"administrator@vsphere.local":VMware123%21@vcsa.sfo01.rainpole.local/Datacenter/host/172.16.11.203

Note: The password is VMware123! however when you use URIs as locators, you must escape special characters using % followed by their ASCII hex value.  The hex value for ! is 21.  You can find a full list of ASCII hex values here https://www.ascii.cl/htmlcodes.htm
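As an added example (my own, not part of ovftool or the original post), a POSIX shell helper that percent-encodes the user name and password for the vi:// locator, so characters such as ! and @ are escaped by code rather than by hand. The host, inventory path and password are the values from the command above; it assumes ASCII credentials.

```shell
#!/bin/sh
# Added example (not ovftool's own code): percent-encode credentials for an
# ovftool vi:// locator instead of hand-translating characters such as "!" to %21.
# Assumes the password is ASCII; multi-byte characters are not handled.

# RFC 3986 unreserved characters pass through; everything else becomes %XX.
urlencode() {
  s="$1"; out=""
  while [ -n "$s" ]; do
    c="${s%"${s#?}"}"   # first character of the remaining string
    s="${s#?}"          # drop it
    case "$c" in
      [A-Za-z0-9._~-]) out="$out$c" ;;
      *) out="$out$(printf '%%%02X' "'$c")" ;;   # 'c yields the byte value
    esac
  done
  printf '%s' "$out"
}

# Build the target locator from its parts so the caller never has to remember
# which characters need escaping (the @ in the SSO user becomes %40, which
# ovftool accepts in locators).
# $1 = user, $2 = password, $3 = vCenter host, $4 = inventory path
build_locator() {
  printf 'vi://%s:%s@%s/%s' "$(urlencode "$1")" "$(urlencode "$2")" "$3" "$4"
}

# Constructed example values matching the post's lab. The password defaults to
# the one the post uses; in real use export OVF_PASS instead so it does not
# sit in your shell history.
OVF_USER="administrator@vsphere.local"
OVF_PASS="${OVF_PASS:-VMware123!}"
OVF_TARGET="$(build_locator "$OVF_USER" "$OVF_PASS" vcsa.sfo01.rainpole.local Datacenter/host/172.16.11.203)"
printf '%s\n' "$OVF_TARGET"
# prints vi://administrator%40vsphere.local:VMware123%21@vcsa.sfo01.rainpole.local/Datacenter/host/172.16.11.203
```

If you leave the password out of the locator entirely, ovftool prompts for it interactively, which keeps it out of both shell history and the process list.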

To get a list of all of the configurable properties, run ovftool with only the .ova file as its argument:

./ovftool /Users/toddsimmons/Downloads/VMware-Cloud-Builder-3.5.1.0-12051558_OVF10.ova

Properties:
Key:         guestinfo.ROOT_PASSWORD
Category:    Application
Label:       Enter Root Password
Type:        password (8..65535)
Description: Password should be at least 8 characters long, containing
uppercase, lowercase, digits and special characters and not
contain common dictionary words. Appliance services will fail on
a non-compliant password. For example: VMware123!

Key:         guestinfo.ADMIN_PASSWORD
Category:    Application
Label:       Enter Admin Password
Type:        password(8..65535)
Description: Password should be atleast 8 characters long, containing
uppercase, lowercase, digits and special characters and not
contain common dictionary words. Appliance services will fail on
a non-compliant password. For example: VMware123!

Key:         guestinfo.ip0
Category:    Application
Label:       Network 1 IP Address
Type:        string
Description: The IP address for this interface.

Key:         guestinfo.netmask0
Category:    Application
Label:       Network 1 Subnet Mask
Type:        string
Description: Subnet Mask for this interface. Example: 255.255.252.0

Key:         guestinfo.gateway
Category:    Application
Label:       Default Gateway
Type:        string
Description: The default gateway address for this VM.

Key:         guestinfo.hostname
Category:    Application
Label:       Hostname
Type:        string
Description: Hostname for this VM.

Key:         guestinfo.DNS
Category:    Application
Label:       DNS
Type:        string
Description: The domain name servers for this VM (comma separated). WARNING:
Do not specify more than two DNS entries or no DNS entries will
be configured!

Key:         guestinfo.ntp
Category:    Application
Label:       NTP Sources
Type:        string
Description: NTP Sources for this VM (comma separated).

Failed to mount NFS datastore vSphere 6.7 Error Message

I recently changed the IP Address of a QNAP TS-231 NAS Appliance that I was using to mount .ISO files to virtual machines.  I disconnected all virtual machines from the datastore (SharedISO) and then successfully deleted the datastore in the vSphere WebUI.  When I attempted to re-add it using the new IP Address I received the following error:

[Screenshot of the error, taken 2018-10-08 12:01 AM]

To fix the problem I opened an SSH session to my ESXi host and executed the following command.

esxcfg-nas -d SharedISO

Building a Nested VMware Cloud Foundation Lab: Part 7 – Configure DNS

VMware Cloud Foundation 3.0 requires an external DNS server. In my lab environment I have a Windows Server 2012 R2 virtual machine that I use as a DNS server.

If you are only planning on deploying the Management Workload Domain in your nested environment you only need to create the forward and reverse lookup records for Management Workload Domain.  If you plan on deploying a Virtual Infrastructure Workload Domain in the future then you will also need to create the Virtual Infrastructure forward and reverse lookup records.

Note: This is the minimum number of DNS Records required.  VMware Cloud Foundation does not require DNS Records for NSX Controllers.  For a more comprehensive list of DNS Requirements see the VMware Cloud Foundation Planning & Preparation Guide.

Workload Domain          Name              Type      Data
Management               sfo01m01esx01     Host (A)  172.16.11.101
Management               sfo01m01esx02     Host (A)  172.16.11.102
Management               sfo01m01esx03     Host (A)  172.16.11.103
Management               sfo01m01esx04     Host (A)  172.16.11.104
Management               sfo01m01psc01     Host (A)  172.16.11.61
Management               sfo01m01psc02     Host (A)  172.16.11.63
Management               sfo01m01vc01      Host (A)  172.16.11.62
Management               sfo01m01nsx01     Host (A)  172.16.11.65
Management               sfo01m01sddcmgr   Host (A)  172.16.11.60
Management               sfo01vrli01       Host (A)  172.16.11.10
Management               sfo01vrli01a      Host (A)  172.16.11.11
Management               sfo01vrli01b      Host (A)  172.16.11.12
Management               sfo01vrli01c      Host (A)  172.16.11.13
Virtual Infrastructure   sfo01w01esx01     Host (A)  172.16.31.101
Virtual Infrastructure   sfo01w01esx02     Host (A)  172.16.31.102
Virtual Infrastructure   sfo01w01esx03     Host (A)  172.16.31.103
Virtual Infrastructure   sfo01w01esx04     Host (A)  172.16.31.104
Virtual Infrastructure   sfo01w01vc01      Host (A)  172.16.11.66
Virtual Infrastructure   sfo01v01nsx01     Host (A)  172.16.11.64

Building a Nested VMware Cloud Foundation Lab: Part 6 – Install ESXi on the Nested Virtual Machines

If you followed the instructions in Part 5 – Create the Nested ESXi Virtual Machines, you should be able to power on each virtual machine and the installation of ESXi should begin. It’s important to install the correct version of ESXi for your version of VMware Cloud Foundation; see the table below:

VCF Version (Build Number)               ESXi Version (Build Number)
3.5.1 | 07 FEB 2019  | Build 12051558    6.7 EP5 | 09 NOV 2018 | 10764712
3.5   | 13 DEC 2018  | Build 11215871    6.7 EP5 | 09 NOV 2018 | 10764712
3.0.1 | 18 OCT 2018  | Build 10426441    6.5 EP9 | 02 OCT 2018 | 10175896
3.0   | 20 SEPT 2018 | Build 10044179    6.5 EP8 | 16 AUG 2018 | 9298722

ESXi Installation

  • Configure the Password to VMware123!
  • Configure the Management Network IP Address

[Screenshot taken 2018-09-23 1:29 PM]

Note: This is the IPv4 Address for sfo01m01esx01.

  • Set the VLAN ID to 1611

[Screenshot taken 2018-09-23 1:32 PM]

  • Configure DNS

[Screenshot taken 2018-09-23 1:28 PM]

  • Enable SSH

[Screenshot taken 2018-09-23 1:30 PM]

Once you have finished installing ESXi, disconnect the ESXi Installer ISO from the VM.

Post-installation Tasks

Connect to the ESXi UI and perform the following tasks:

  • Remove the local datastore (datastore1)
  • Configure NTP by adding an NTP Server and starting the Service

[Screenshot taken 2018-09-23 1:34 PM]

  • Configure the NTP Service to Start and Stop with host

[Screenshot taken 2018-09-23 1:36 PM]

  • Configure the VLAN ID of VM Network Port Group to 1611
  • Configure the MTU Size of vSwitch0 to 9000

After you have finished the post-installation tasks, now is a good time to create a vApp for the virtual machines and export the vApp as an OVF. This will allow you to quickly re-deploy the environment in the future. The size of the vApp is 1.51GB, and it should include 18 files.