Wednesday, December 5, 2012

Concept of Cisco Bridge Domain Interfaces (BDI)

Today, I came across a strange configuration on a Cisco ASR router called "Bridge Domain Interfaces (BDI)". I did a search on the Cisco website and the configuration looked simple, but it was short on conceptual explanation, which simply stated:

"Bridge domain interface is a logical interface that allows bidirectional flow of traffic between a Layer 2 bridged network and a Layer 3 routed network traffic. Bridge domain interfaces are identified by the same index as the bridge domain. Each bridge domain represents a Layer 2 broadcast domain."

What is it used for? Why do we need it? After some thought and experimentation, it seems to me that a BDI is used to "bundle" one or more physical L2 interfaces and link them to an L3 logical interface for routing; this L3 logical interface is the BDI. As Cisco routers won't allow you to configure IP addresses belonging to the same L2 subnet/domain on more than one routed interface, BDI is probably a workaround to overcome that limitation. It also reminds me of a routed port-channel.

Consider the following diagram:

Both physical ports (Gi0/0/0 and Gi0/0/1) are linked to the same L2 domain (e.g. VLAN 100). 

According to Cisco, 
"An Ethernet Virtual Circuit (EVC) is an end-to-end representation of a single instance of a Layer 2 service being offered by a provider to a customer. It embodies the different parameters on which the service is being offered. In the Cisco EVC Framework, the bridge domains are made up of one or more Layer 2 interfaces known as service instances. A service instance is the instantiation of an EVC on a given port on a given router. Service instance is associated with a bridge domain based on the configuration."

I would interpret this to mean that a service instance is used to represent one L2 domain. More than one port can belong to the same service instance.

Config mode:
interface range Gi0/0/0-1
  service instance 100 ethernet
    ! match VLAN 100 tagged traffic
    encapsulation dot1q 100
    ! pop the ingress VLAN 100 tag coming from the switch (re-pushed on egress)
    rewrite ingress tag pop 1 symmetric
    ! bridge domain 100 shows up as interface BDI100 in the example config below
    bridge-domain 100

The above config creates service instance 100, linked to the VLAN 100 L2 domain. Standard L3 configuration can then be performed on interface BDI100 for routing.

interface BDI100
  vrf forwarding VPNA
  ip address 1.1.1.1 255.255.255.0
  ip ospf 1 area 0

A physical interface can even join more than one bridge domain (up to 4096 per router). For example, to connect to VLAN 200 (Bridge Domain 200) as well:

interface range Gi0/0/0-1
  service instance 100 ethernet
    encapsulation dot1q 100
    ! pop the ingress VLAN 100 tag coming from the switch
    rewrite ingress tag pop 1 symmetric
    ! bridge domain 100 shows up as interface BDI100
    bridge-domain 100
  !
  service instance 200 ethernet
    encapsulation dot1q 200
    ! bridge domain 200 shows up as interface BDI200
    bridge-domain 200

Monday, December 3, 2012

Host Cluster Over-committed with spare memory?

I've encountered an issue on SCVMM 2012. When I attempted to place a new VM on a Hyper-V cluster, there was an error: "This configuration causes the host cluster to become overcommitted". I checked all the node properties and realized that there was still more than enough available RAM on each node. So why the overcommitted problem?

I came across a TechNet forum page where Mike Briggs explained the memory calculation of SCVMM. First, SCVMM sums up a new total memory requirement by adding the memory used by all existing VMs to the requirements of the new VM to be deployed. It then calculates whether the host cluster would still be able to accommodate the new total if the specified number of nodes were to fail. The number of nodes allowed to fail is configured in the cluster reserve.

If you are confident that the overcommit is not a real problem, simply adjust the cluster reserve number downward and the VM placement will continue successfully. The reserve number can be found on the General tab of the host cluster properties in the SCVMM console.
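To see why every node can show spare RAM while SCVMM still reports the cluster as overcommitted, here is an added example (not from the original post or from SCVMM itself) that models the calculation described above. Node sizes, VM usage and the new VM size are constructed sample values in GB, and the model ignores per-host reserve settings.

```python
# Constructed sample cluster: node name -> (total RAM GB, RAM used by its VMs)
NODES = {"hv01": (128, 90), "hv02": (128, 85), "hv03": (128, 95)}
NEW_VM_GB = 16  # memory of the VM we are trying to place


def free_per_node(nodes):
    """Free memory on each node, which is what the node properties page shows."""
    return {name: total - used for name, (total, used) in nodes.items()}


def overcommit_check(nodes, new_vm_gb, cluster_reserve):
    """Model of the SCVMM placement rule.

    Returns (overcommitted, required_gb, surviving_capacity_gb).
    SCVMM adds the memory of all existing VMs to the new VM, then asks whether
    the cluster could still hold that total after `cluster_reserve` nodes fail.
    The worst case is losing the largest nodes, so those are removed first.
    """
    required = sum(used for _total, used in nodes.values()) + new_vm_gb
    largest_first = sorted((total for total, _used in nodes.values()), reverse=True)
    capacity = sum(largest_first[cluster_reserve:])
    return required > capacity, required, capacity


if __name__ == "__main__":
    print("free per node:", free_per_node(NODES))
    for reserve in (1, 0):
        print(f"cluster reserve {reserve}:", overcommit_check(NODES, NEW_VM_GB, reserve))
```

With a reserve of one node the cluster would need 286 GB but only 256 GB survives a failure, so placement fails even though each node has at least 33 GB free; lowering the reserve to zero makes the same placement succeed.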

Friday, November 30, 2012

Hyper-V 3.0 with SOFS

I've tested Hyper-V clusters on WS2012 using Scale-Out File Server (SOFS) as a SAN alternative for application server clusters like Hyper-V. My setup is as follows:
New VMs are created using Failover Cluster Manager and attached to the SMB share on the SOFS cluster. I've also tested Quick and Live Migration over SMB 3.0.

Here is the link for all the necessary step-by-step instructions. Please take note that SOFS is not suitable for all situations, especially for frequent small metadata changes in files, e.g. end-user file sharing (see "When to use Scale-Out File Server").

You might ask why I don't attach the iSCSI LUN directly to the Hyper-V cluster, i.e. 2 nodes instead of 4. Yes, I could do that as well, but I am trying to learn more about using SOFS. In future, I could just buy cheaper non-RAID SAS disk arrays, e.g. Dell MD12xx, and attach them directly to SOFS using a simple PCIe (non-RAID) SAS HBA to replace SAN storage for virtualization. See the TechNet Dell-Windows Server 2012 slide below:



Thursday, November 29, 2012

EFS Recovery

There are two types of recovery for Encrypting File System (EFS): Key Recovery and Data Recovery. When there is a designated Key Recovery Agent (KRA) on a CA server, the KRA is authorized to retrieve the user's certificate and private key from the CA database. The user can then use the recovered key to decrypt EFS files. "Archive subject's encryption private key" on the template's "Request Handling" tab should be enabled for archival. In addition, the CA server must be prepared for key archival before any rollout, as the archived keys are encrypted with the KRA's key. Since the KRA can retrieve any archived key, the CA administrator and KRA roles should be held by at least two different people. See "Understanding User Key Recovery".

Extract:
The recovery of a private key is a manual process that requires the user(s) to contact an administrative authority to perform the necessary processes. It should be a best practice of any organization to separate the roles of CA Officer and KRA as a minimum of two physical persons.

On the other hand, the Data Recovery Agent (DRA) is authorized to recover and decrypt all encrypted files. The DRA must be enrolled and added to the AD Group Policy to allow the DRA to decrypt files. Furthermore, the DRA can be updated subsequently via Group Policy if there are any changes.

For further comparison (pros and cons) and the details on both recovery methods, refer to "Key Recovery vs Data Recovery Differences".

Wednesday, November 14, 2012

WSUS Installation on Windows Server 2012 Failed

I was trying to install Windows Server Update Services (WSUS) on a fresh Windows Server 2012. I wasn't expecting any errors, as it was a fresh installation. To my surprise, the error "Fatal Error: Failed to start and configure the WSUS service" appeared when the installation was supposed to be completing. So far, deploying the new WS8 hasn't been a pleasant experience, as there are minor annoying bugs around. When a service isn't running properly, you'll probably do better to uninstall and reinstall the same service, especially after an in-place OS upgrade.

I did the same trick again but the problem persisted. When I opened the temp log file, I saw:

2012-11-14 11:25:12  StartServer encountered errors. Exception=The request failed with HTTP status 503: Service Unavailable.
2012-11-14 11:25:12  Microsoft.UpdateServices.Administration.CommandException: Failed to start and configure the WSUS service
   at Microsoft.UpdateServices.Administration.PostInstall.Run()
   at Microsoft.UpdateServices.Administration.PostInstall.Execute(String[] arguments)
Fatal Error: Failed to start and configure the WSUS service

It must have had something to do with the IIS service. I checked the service and it was running fine. Restarting the IIS service didn't help either. In the IIS Manager console, I stopped and deleted the "WSUS Administration" site, then restarted the WSUS installation process. Finally, the installation completed!

Tips: In Windows Server 2008, TCP port 80 is used by default. In Windows Server 2012, TCP 8530 is used for HTTP and TCP 8531 for HTTPS. Be sure to open the necessary firewall ports and direct WSUS clients to the correct port, e.g. http://wsus-server:8530 for HTTP updates.

Tuesday, November 13, 2012

Activating Windows 8 and Windows Server 2012 on existing AD environment

As we put new Windows 8 and Windows Server 2012 machines into an existing AD environment, there are two things that need to be done. First, if you're still using Windows Server 2008 as the KMS host, download and install update 2757817. Otherwise, you'll see the following error when you activate KMS with the new key:

Error: 0xC004F050 The Software Licensing Service reported that the product key is invalid

Next, upgrade the existing key on the KMS host by running:
  1. "slmgr /upk" to uninstall the existing key;
  2. "slmgr /ipk xxxxx-xxxxx-xxxxx-xxxxx-xxxxx" to install the new KMS key;
  3. "slmgr /ato" to activate the new key; and
  4. "slmgr /dlv" to verify that the key has been successfully upgraded to support the new Windows 8. You should see "VOLUME_KMS_2012_C_channel" in the description.
For detailed step-by-step instructions, check out this blog post.

Thursday, November 8, 2012

Hyper-V Network Virtualization

In one of my earlier posts, I talked about a software-based network virtualization product called "Nicira NVP". Its key feature is multi-tenant Data Center Interconnect (DCI), achieved by creating multiple layer 2 virtual networks (or pseudo-wires) across an IP network. Layer 2 networks are essential for many Data Center applications, especially for the "free" movement of Virtual Machines (VMs) across sites and IP topologies.

In the new Windows Server 2012, Hyper-V offers a similar network virtualization capability using NVGRE, another standard L2-over-L3 tunnel. In short, Hyper-V in WS8 includes a "Nicira"-like software component for network virtualization that allows the same virtual subnet addressing across sites and IP topologies. For the full long-winded story and presentation, please visit this TechEd 2012 site.
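As an added illustration (not from the original post or from Microsoft's implementation), the following models how an NVGRE tunnel keeps two tenants apart even when they use identical customer addresses. The header layout follows RFC 7637 (GRE with the Key bit set, protocol type 0x6558, and a 24-bit Virtual Subnet ID plus 8-bit FlowID in the key); the MAC addresses, VSIDs and host names are constructed.

```python
import struct

GRE_KEY_PRESENT = 0x2000  # K flag in the GRE flags/version field (C, S must be 0)
GRE_PROTO_TEB = 0x6558    # Transparent Ethernet Bridging: payload is an Ethernet frame


def nvgre_encap(vsid, flow_id, inner_frame):
    """Wrap a customer Ethernet frame in an NVGRE header (outer IP header omitted)."""
    if not 0 <= vsid < (1 << 24):
        raise ValueError("VSID must fit in 24 bits")
    key = (vsid << 8) | (flow_id & 0xFF)  # upper 24 bits VSID, lower 8 bits FlowID
    return struct.pack("!HHI", GRE_KEY_PRESENT, GRE_PROTO_TEB, key) + inner_frame


def nvgre_decap(packet):
    """Return (vsid, flow_id, inner_frame); reject anything that is not NVGRE."""
    flags, proto, key = struct.unpack("!HHI", packet[:8])
    if not flags & GRE_KEY_PRESENT or proto != GRE_PROTO_TEB:
        raise ValueError("not an NVGRE packet")
    return key >> 8, key & 0xFF, packet[8:]


def ethernet_frame(dst_mac, src_mac, payload, ethertype=0x0800):
    """Build a minimal Ethernet II frame (6-byte MACs, 2-byte EtherType)."""
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def deliver(packet, tenant_tables):
    """Pick the forwarding table by VSID, then look up the inner destination MAC.

    tenant_tables maps VSID -> {destination MAC -> Hyper-V host holding that VM}.
    The same MAC in two tenants resolves to different hosts because the VSID,
    not the customer address, selects the table.
    """
    vsid, _flow_id, frame = nvgre_decap(packet)
    return tenant_tables[vsid].get(frame[:6])


if __name__ == "__main__":
    # Constructed sample: both tenants use MAC 00:15:5d:00:00:01 for a VM
    vm_mac = b"\x00\x15\x5d\x00\x00\x01"
    frame = ethernet_frame(vm_mac, b"\x00\x15\x5d\x00\x00\x02", b"payload")
    tables = {0x001000: {vm_mac: "hostA"}, 0x002000: {vm_mac: "hostB"}}
    print(deliver(nvgre_encap(0x001000, 1, frame), tables))  # hostA
    print(deliver(nvgre_encap(0x002000, 1, frame), tables))  # hostB
```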

Here, I would just extract a single slide that tells all:

As for joining the network virtualized environment to the non-network virtualized environment, Hyper-V Network Virtualization gateways are required to bridge the two environments. See "Hyper-V Network Virtualization Gateway Architectural Guide".


Gateways can come in different form factors. They can be built upon Windows Server 2012, incorporated into a Top of Rack (TOR) switch, put into an existing network appliance, or can be a stand-alone network appliance. F5 has announced one such network appliance (F5 To Deliver Microsoft Network Virtualization Gateway).

If you are looking for the TechNet reference, click on "Network Virtualization technical details".