Recently I was asked to configure a switch to be used by our help desk staff for imaging new PC’s via PXE boot in preparation for a desktop roll out. Despite passing a CCNA and having some hands-on experience as a 2-and-a-half-line engineer, getting hands on with something is far more valuable than book theory.

This post aims to give you some best practice tips, links and help you avoid all the pitfalls I met whilst configuring a port channel/etherchannel on a new switch.

The below covers how to create a layer 2 VLAN extension using an etherchannel on a new switch. The etherchannel will link to a ‘main’ switch or incumbent switch, the purpose of doing this was to create a build area for PC’s to PXE boot for imaging in isolation from our production switch.

The encapsulation protocol is LCAP and it also contains some tips for troubleshooting if your etherchannel fails to reach an UP/UP state at both ends.

Part 1 – Switches are just a big text file

The prereqs were as follows –

• Reset the local password (aka password recovery in IOS) and clear the old config.
•  Create a Layer 2 Etherchannel (or port-channel, both terms mean the same thing in IOS lingo – thanks Cisco).
• Test it, then light a cigar!

Getting Started/High level steps:

1. Plug the switch in. Have a laptop with Z-Term or Putty installed. You’ll also need  a console to USB cable because  switches are so cool, they don’t use USB or the kind of connection you’d like them to 🙂
2. Plug your Console to USB into the Console port on the back of the switch.
3. Set your connection settings to 9600/8/1 and press return (if using z-term) if using Putty, select your Serial connection and repeat.
4. Once your connected, follow the below blog on how to reset the password. Cisco 3560 Password Reset
5. I assume you know a bit of IOS here, if you don’t, just lift it from the attached config at the bottom of the post. The basic steps are:
   1. Wipe VLAN.dat file – this will clear all stored VLAN information on switch and reload the switch.
   2. Set the hostname, domain name, and turn off DNSlookup.
   3. Configure a couple of local user accounts – make sure these match your organizations standardised user accounts.
   4. Configure the virtual-terminal lines i.e. how the connection behaves when you remote connect via Putty/Z-term connect to the switch.
   5. Configure the etherchannel, encapsulation protocol, and bundle in the interfaces that will be used in the channel.
   6. Test!

The config for setting up an etherchannel on a new switch is pasted at the bottom of this page.

Troubleshooting a Layer 2 Etherchannel

Here’s the annoying stuff that’s going to stop your etherchannel from showing UP/UP at both ends of the link. The attached config bundles 2 interfaces into a port channel using LACP protocol to negotiate the channel. Here’s the pitfalls that caused my Etherchannel to fail:

• Pruning – I only wanted VLAN 100 traffic to be sent along the port channel. By adding pruning via command: switchport trunk allowed vlan 100 I actually caused myself more problems. Try omitting this if your channel fails and instead, allow all VLAN traffic to traverse the link.
• Encapsulation mismatch – When adding an interface into a port-channel, it  should inherit the settings of the channel (i.e. it’s access mode will change to trunking and it’s encapsulation method to dot1q). Sometimes this doesn’t work and you need to explicitly set either the interfaces bundled in the port-channel, or the port channel itself to trunk. Also, check the encapsulation method on the port-channel, it should be dot1q.  Use the show log command to see encapsulation mis-match errors on interfaces.
• Protocol mismatch – decide between LACP or PAGP and make sure your port-channel is using the agreed protocol at both ends. A mismatch between the encapsulation modes active/passive/on/desirable/auto = fail to trunk.
• The port channel won’t negotiate or LACP fails –  Try doing a no shut on the port channel first. Then, no shut  against the interfaces that are bundled into the port-channel in unison example: interface range gi01-2 to select your channel member interfaces, then shut , no shut. 99% of the time this put the channel into an UP/UP state.

 

Config to create an etherchannel on the new switch:

#erase current config#

wr erase or erase startup-config
reload

#erase vlan data#

delete flash:vlan.dat
reload

#set STP priority to low (highest number) so the switch doesn’t become spanning-tree master for the VLAN instance you’re extending set mode to rapid-pvst. enable portfast (this will force ports to forward as soon as they’re up)#

spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 100 priority 61440
spanning-tree portfast default

#set hostname and domain name, disable DNS lookup#

hostname YOURHOSTNAMEHERE
no ip domain-lookup
ip domain-name YOURDOMAIN.COM
vtp domain VTODOMAINHERE
vtp mode transparent

#set ip default gateway – *this is the Default gateway on your management VLAN*#

ip default-gateway XX.XX.XX.XX

#Configure the connection lines e.g. virtual terminal (vty), console, set the timeout, turn off the on-screen logging (logging synchronous) and optionally, set the privilege level for the line. 15=admin, 0=read only 1=user exec#

line con 0
logging synchronous
line vty 0 4
exec-timeout 600 0
privilege level 15
logging synchronous
length 0
transport input all
line vty 5 15
login authentication cisco

#create the desired VLAN the etherchannel will extend, this VLAN should be present on the switch your port channel links to#

vlan 100
desc VDI

#create a new etherchannel 10, (number is unique) set encapsulation and set mode to trunk#

conf t
interface Port-channel10
switchport trunk encapsulation dot1q
switchport mode trunk

#assign 2xports to port-channel 10, add descriptions and use LACP protocol for the channel (the active statement defines this)#

conf t
interface range GigabitEthernet0/23-24
description **Uplink to Adjoining Switch**
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 10 mode active

#verify etherchannel status, if they show (P) they are bundled into a channel=success,#

show etherchannel summary

#create local user accounts#

conf t
username AdminUser privilege 15 secret PasswordHere

#assign the spare ports on your build switch to the VLAN you are creating, set mode to access ports#

int gi1/0/1-22
switchport mode access
switchport access vlan 100

#ensure all the access ports have PortFast enabled explicitly on the port (as well as in the aforementioned spanning tree instance). The below may not be accurate#

int range g0/1-22
spanning-tree portfast enable

#write to config#

wr mem

I’ve spent a couple of years learning from scratch (with no prior knowledge of VDI environments) how to package applications, common stumbling blocks, best practices and picked up some very handy tricks along the way, which I’ll share below.

This post gives a newbies understanding of what non-persistent VDI is, what application layer is/does, and how to add Microsoft Office Add-Ins into your gold image.

What  are non-persistent VDI desktops?

Non-persistent desktops mean when you log off, the desktop is destroyed and rebuilt from a template. A persistent desktop means you can log back into the same machine (be it virtual or physical).

A primer on persistent vs non-persistent desktops

What is a master image or ‘Gold image’?

The master image or ‘Gold Image’ is a template that will be cloned to produce your virtual desktop. It contains the chosen OS (typically Windows or Linux), core applications  that are required by everyone in the business (typically MS office, plug-ins, anti-virus and any bespoke business apps that cannot be controlled or added at a later stage). To create a gold image there’s a number of best practices to follow. Read about How To Optimize A Gold Image

What is application layering?

Layering is the technical name for adding another application to a desktop without manually installing it. Common technologies in the marketplace that perform layering (in one way or another) are Microsoft App-V, VMWare Appvolumes, ProfileUnity FlexApp , Citrix XenApp – these tools can visualise an application for streaming/mounting/layering into a desktop that is cloned from your master image. This allows you to provide staff the software they need, when they need and retain control of the licencing, patching, updating and versioning of the software your company uses.

Liquidware’s Application Layering (FlexApp)

Microsoft App-V Overview

VMWare App Volumes

Why use layering? I like installing it!

Over time it’s easy for a typical desktop computer to become a graveyard of applications. A typical small company might have an IT estate of 20-50+ physical computers, each with different software installed on them based on ad-hoc requests from staff. This represents all kinds of challenges (licencing, maintenance, patching levels, vulnerabilities) and, what if someone decides to hot desk without taking their PC with them? Moving your IT to a non-persistent, virtual desktop model lets you work from anywhere,  from (just about) any device.

A bit about virtualizing your apps…

Citrix Application Layering Explained

Given what we’ve learned  so far, app layering sounds like the golden bullet for desktop delivery but it’s not quite the case. Lots of applications designed for Windows call upon files and frameworks that sit within the operating system (C++ libraries, .NET frameworks, Windows patching/OS files and .dll’s…you name it) – although a layered application can still read these files in the OS, you’ll often find apps that require Windows features like .NET Framework or a specific Microsoft KB update patch, and typically these cannot be virtualized using layer and must be installed into your image.

It’s important to try to discover what is installed in your current desktop estate per-use case. Each business will have dozens of use-cases, before you can move to a virtual platform you need to understand what your base image should contain.

 I recently discovered we could not package Microsoft Dynamics CRM Outlook 2011 plugin using FlexApp because it relies on Windows Foundation Identity service amongst other bizarre Microsoft prerequisites. 

We were forced to add the plug-in into the company’s master image, and find a method for toggling it on/off for those who required it…

Installing a Microsoft Office add-in on your Master Image and controlling load behaviour

1. Find out how to control the load behavior – the best way to do this is to use the registry. All applications write to the machine registry when they’re installed.
2. Open run > regedit
3. In this example we’ll look at a Microsoft Office Add-in. Browse to HKEY_Local_Machine\Software\Microsoft\Office\Excel\AddIns (the other suite apps will have their own keys within the \Office\ Root. This location is also valid under HKEY_Current_User. Some vendors use locations like HKLM\Software\VendorName
5. Search the registry for ‘LoadBehaviour’ or ‘Behavior’ or the plug-in name – we want to first find the key that controls it, then test if it works.
   1. Typically the registry data value of 0 is ‘Disabled’ – the plugin will not load when MS Office is opened. If LoadBehavior=1 this is enabled.  Other values such as 3 are common – vendor documentation can inform you on what the values are and how that affects the plugin. Here’s an example
   2. Now you understand load behaviour, you can configure group policy to set the value in the registry (as a machine or user policy) based on which users you want the plugin to be enabled for.
      1. Example: Create a new GPO that uses User > Preferences > Registry that includes Enable and Disable load behaviours based on a user group membership.  If the user is a member of PowerPivotExcel then set the registry value under HKEY_Local_Machine\Software\Microsoft\Office\Excel\AddIns\LoadBahavior to 1 (enable). Create another policy preference to default  the load behaviour for all users to 0 – remmeber, we always want this plugin to be disabled unless somebody needs  it, so you must configure a default rule.
      2. 1. Alternatively, you can set the load behaviour to 0 in HKLM settings when you first install the plugin. In a linked clone environment, your master image will be cloned with this default behaviour in place.

Application troubleshooting tools

if you have trouble finding which registry keys are changed during an installation these tools can help –

1. RegShot allows you to take a before-and-after snapshot of your registry and see a historical view of file system changes.
2. ProcMon provides a real-time log of all system internal processes.
   1. Ctrl+x to clear the log
   2. Ctrl+E to enable logging
   3. Then use the Filter option to sort the output by Operation >  ‘RegKeyAddValue’ or similar events. This can be used extensively for any other kind of troubleshooting, not just registry related.
3. WhatChanged is similar to RegShot.

Removing Start Menu Short Cuts in Windows 10

You don’t want all of your users  to see you’ve installed an app that they don’t use.

Removing Start Menu Shortcuts

Another location to check is %appdata%\Roaming\Microsoft\Windows\Start Menu

Best Practice Before You Deploy!

• Check the vendors administrative guide for any command line switches that can be used during the installation to minimise this. Remember, most software developers like to receive as much data about how their product is being used which causes bloat and unwanted features to be included in a ‘default’ installation i.e. diagnostics being sent over your network. Always check the vendor’s installation guide for command line switches or tricks for disabling unwanted features. Be weary!
• Is the default load behaviour set?
• Does your method for enabling the plugin work?
• Is the plugin the desired version, or can it be updated? Microsoft plugins can be patched and updated by running windows update.