Wireless MAC Filtering

I wanted to put this simple but very useful feature for wireless security on a post for anyone who might be looking at implementing some basic security and filtering on their wireless APs or routers.

MAC filtering basically allows you to control which equipment has access through your deployed wireless network. I am using an example from my 887 router, which runs my ADSL internet connection, but the method can be applied to almost any dot11 interface.

First of all, create a MAC access list (standard access-list numbers 700 to 799 are reserved for MAC ACLs, which are also known as Layer 2 ACLs).

access-list 700 permit xxxx.xxxx.xxxx 0000.0000.0000

xxxx.xxxx.xxxx is the MAC address of one of your friendly wireless devices. Complete the ACL by adding every friendly MAC address to it. After creating the MAC ACL, apply it on the dot11 (wireless) interface of your wireless router or AP.

dot11 association mac-list 700

That’s it, simple but effective.
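As an added example (not from the original post), here is a small Python helper that normalises MAC addresses from the usual colon, dash and dotted notations into the Cisco xxxx.xxxx.xxxx form, validates them, drops duplicates and emits the access-list and interface lines described above. The device list is constructed, and the interface name Dot11Radio0 is taken from the sample configuration further down this page.

```python
import re

# Constructed inventory of "friendly" wireless devices (not from the post),
# written in the mixed notations MAC addresses usually arrive in.
FRIENDLY_DEVICES = {
    "laptop":  "00:1A:2B:3C:4D:5E",
    "printer": "00-1a-2b-3c-4d-5f",
    "phone":   "001a.2b3c.4d60",
    "tablet":  "00:1a:2b:3c:4d:5e",   # same MAC as the laptop, must be emitted once
}

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def to_cisco_mac(mac: str) -> str:
    """Normalise colon, dash, dotted or bare notation to Cisco xxxx.xxxx.xxxx."""
    digits = re.sub(r"[:.\-\s]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a valid MAC address: {mac!r}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def mac_acl_lines(acl_number: int, macs) -> list:
    """Build the 'access-list <n> permit <mac> 0000.0000.0000' entries.

    The all-zero mask means exact match, as in the post. Standard MAC ACLs
    use numbers 700-799; duplicates are dropped so the ACL stays readable.
    """
    if not 700 <= acl_number <= 799:
        raise ValueError("MAC (Layer 2) ACL numbers must be in 700-799")
    lines, seen = [], set()
    for mac in macs:
        cisco = to_cisco_mac(mac)
        if cisco not in seen:
            seen.add(cisco)
            lines.append(f"access-list {acl_number} permit {cisco} 0000.0000.0000")
    return lines


def dot11_filter_config(acl_number: int, macs, interface: str = "Dot11Radio0") -> str:
    """Return the full snippet: ACL entries followed by the interface binding.

    'Dot11Radio0' is the radio interface name used in the sample config on this
    page (an assumption for other platforms); change it to match your AP.
    """
    body = mac_acl_lines(acl_number, macs)
    body += ["!", f"interface {interface}", f" dot11 association mac-list {acl_number}", "!"]
    return "\n".join(body)


if __name__ == "__main__":
    print(dot11_filter_config(700, FRIENDLY_DEVICES.values()))
```

Treat the resulting ACL as an inventory control that complements WPA rather than replaces it: MAC addresses are visible in the clear in every frame, so the list limits accidental associations but is not an authentication mechanism.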


Cisco 877W Sample Configuration for Telstra Business ADSL2+

Below is a sample configuration I usually use as a template for Telstra Business ADSL2+ connections. I thought it would be a good thing for others to have as a reference. Feel free to leave comments. Note this only covers the basic ADSL2+ setup with wireless; access control should be added as required.

 

Current configuration : 4508 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname EdgeRouter
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
clock timezone aest 10
!
!
dot11 syslog
!
dot11 ssid WLAN
   vlan 1
   authentication open
   authentication key-management wpa
   guest-mode
   wpa-psk ascii 0 1234512345
!
no ip source-route
ip cef
ip dhcp use vrf connected
ip dhcp excluded-address 10.0.0.1 10.0.0.20
ip dhcp excluded-address 10.0.0.100 10.0.0.254
!
ip dhcp pool DHCPPool1
   network 10.0.0.0 255.255.255.0
   default-router 10.0.0.1
   domain-name mydomain.com.au
   dns-server 139.130.4.4 203.50.2.71
   lease 8
!
!
no ip domain lookup
ip domain name mydomain.com.au
ip name-server 139.130.4.4
ip name-server 203.50.2.71
!
!
!
username admin privilege 15 password 0 hellomydomain
!
!
archive
 log config
  hidekeys
!
!
!
bridge irb
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 8/35
  dialer pool-member 1
  protocol ppp dialer
 !
 dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
 no ip address
 !
 encryption vlan 1 mode ciphers tkip
 !
 broadcast-key vlan 1 change 60
 !
 !
 ssid WOnyx
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 world-mode dot11d country AU outdoor
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 no ip address
 ip tcp adjust-mss 1460
 bridge-group 1
!
interface Dialer0
 mtu 1492
 ip address negotiated
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname <username>@direct.telstra.net
 ppp chap password 0 <password>
 ppp pap sent-username <username>@direct.telstra.net password 0 <password>
!
interface BVI1
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
!
access-list 1 permit 10.0.0.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
end
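The template above is meant to be extended with access control before it goes into production. As an added example that is not part of the post, the Python script below runs a handful of line-level checks over IOS running-config text and reports the settings a reviewer would flag: passwords stored as type 0, TKIP, Telnet on the vty lines and cleartext HTTP management. The excerpt is constructed to mirror the relevant lines of the template (including its placeholder credentials), and the rules are assumptions about good practice, not a Cisco tool.

```python
import re

# Constructed excerpt in the style of the sample running-config above (not the
# whole template); the credentials are the same placeholders the page uses.
SAMPLE_CONFIG = """\
version 12.4
no service password-encryption
!
dot11 ssid WLAN
   authentication key-management wpa
   wpa-psk ascii 0 1234512345
!
username admin privilege 15 password 0 hellomydomain
!
interface Dot11Radio0
 encryption vlan 1 mode ciphers tkip
!
interface Dialer0
 ppp chap password 0 <password>
!
no ip http server
ip http secure-server
!
line vty 0 4
 login local
 transport input telnet ssh
end
"""

# Review rules (assumptions about good practice, not a Cisco tool): each is a
# regex tested against one stripped config line plus the finding to report.
RULES = [
    (re.compile(r"^no service password-encryption$"),
     "password encryption is off, so type-0 passwords are readable in 'show run'"),
    (re.compile(r"^username \S+ .*\bpassword 0 "),
     "local user has a type-0 (plaintext) password; prefer 'username ... secret'"),
    (re.compile(r"^wpa-psk ascii 0 "),
     "WPA pre-shared key is stored as type 0 (plaintext)"),
    (re.compile(r"^ppp (chap password|pap sent-username .*password) 0 "),
     "PPP credential is stored as type 0 (plaintext)"),
    (re.compile(r"\bciphers\b.*\btkip\b"),
     "TKIP cipher enabled; prefer aes-ccm"),
    (re.compile(r"^transport input\b.*\btelnet\b"),
     "Telnet accepted on this line (cleartext management); prefer 'transport input ssh'"),
    (re.compile(r"^ip http server$"),
     "cleartext HTTP management is enabled"),
]

BLOCK_RE = re.compile(r"^(interface|line|dot11 ssid|ip dhcp pool)\b")


def iter_lines(config_text):
    """Yield (context, line). IOS indents sub-commands, so an unindented line
    either starts a new block (interface, line, dot11 ssid ...) or is global."""
    context = "global"
    for raw in config_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] != " ":
            line = raw.strip()
            context = line if BLOCK_RE.match(line) else "global"
            yield "global", line
        else:
            yield context, raw.strip()


def audit(config_text):
    """Return a list of (context, finding) for every rule that matches a line."""
    findings = []
    for context, line in iter_lines(config_text):
        for pattern, finding in RULES:
            if pattern.search(line):
                findings.append((context, finding))
    return findings


if __name__ == "__main__":
    for context, finding in audit(SAMPLE_CONFIG):
        print(f"[{context}] {finding}")
```

Run it against the output of `show running-config` saved to a file. Note that `service password-encryption` only obfuscates (type 7), which is why the local-user rule points at `secret` rather than at turning encryption on.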


Windows 7 and Vista DHCP Issues When Using a Cisco Router as DHCP Server

I wanted to put up this post to highlight one of the issues with Windows 7 and Windows Vista that is caused when using a Cisco router as the DHCP server. All sorts of symptoms can indicate this issue, ranging from no DHCP address being allocated to clients, to no gateway parameters being passed to the client when it is issued a DHCP address.

There is an easy fix for this. (Note there is a harder registry-edit fix for this from Microsoft, but I think changing the Cisco DHCP server side is much easier.) Basically, make sure that in your Cisco DHCP pool setup you don’t have a subnet mask value against the default gateway option.

Example:

ip dhcp pool <PoolName>
   network 192.168.0.0 255.255.255.0
   default-router 192.168.0.254 255.255.255.0
   dns-server 192.168.0.2
   domain-name mydomain.com.au
   lease 8

Change in the pool configuration

default-router 192.168.0.254 255.255.255.0

To

default-router 192.168.0.254

 

That should fix your issues.


Video: ASA Port Forwarding for DMZ server access (versions 8.3 and 8.4)

The Cisco Support Community article below by mirober2 is a great comparison of port forwarding between the two versions of ASA firmware:

https://supportforums.cisco.com/community/netpro/security/firewall/blog/2011/07/26/video-asa-port-forwarding-for-dmz-server-access-versions-83-and-84


Keep Serial Interface up/up without cable

We know that to keep an Ethernet interface in the up/up (connected) state without any physical connectivity (that is, no cable plugged into the interface), you issue the no keepalive command.

To do the same on a serial interface, dialer dtr is required in addition to no keepalive. Both are configured in interface configuration mode.


IPv6 Day Tomorrow 8th of June 2011

Just wanted to make a note that tomorrow is IPv6 Day and can’t wait to test out my lab IPv6 setup to connect to all the fancy IPv6 websites.


A Summary of OSPF Areas and LSAs

OSPF is a link-state dynamic routing protocol and an open standard. OSPF uses Dijkstra’s Shortest Path First (SPF) algorithm to calculate the best path to a destination. OSPF uses areas to control and manage routing processes, and every router in OSPF should belong to an area. Below is a list of area types and their characteristics.

  1. Backbone Area: Also known as Area 0, which every other area connects to.
  2. Regular Area(s): A regular area is any area other than area 0.
  3. Stub Area: Routers in a Stub Area contain only intra-area routes and a default route. (Type 1/2 and 3 LSAs)
  4. Totally Stubby Area: Routers in a Totally Stubby Area contain only intra-area routes and a default route. (Type 1/2 LSAs and a type 3 default route only)
  5. Not-So-Stubby Area: Also known as NSSA; routers in an NSSA contain only intra-area routes and type 3 summary LSAs. They also contain the type 7 LSAs created by the ASBR in the NSSA.
  6. Totally NSSA: Routers in a Totally NSSA contain only intra-area routes and a type 3 default route, together with type 7 LSAs.

The table below always helps me understand which LSAs appear in each area type.

Area       Type 1/2 LSA   Type 3 LSA           Type 4 LSA   Type 5 LSA   Type 7 LSA
Backbone   Yes            Yes                  Yes          Yes          No
Regular    Yes            Yes                  Yes          Yes          No
Stub       Yes            Yes                  No           No           No
T-Stub     Yes            Only default route   No           No           No
NSSA       Yes            Yes                  No           No           Yes
T-NSSA     Yes            Only default route   No           No           Yes


Fiber Cables Table

This week the tables below came in handy when I was trying to figure out 10GE and the fiber cabling requirements for it. I thought I should put them on here so in the future I know where to find them straight away.

OM1, OM2, OM3, OM4 and OS1, OS2 Fiber

In ANSI/TIA-568-C.3, the TIA adopted the nomenclature for fiber found in the international standard ISO/IEC 11801. Multimode fiber is prefixed with “OM” and singlemode fiber with “OS”.

The new designation in ANSI/TIA-568-C.3 should alleviate some of the confusion associated with application support distance issues. Each “OM” has a minimum Modal Bandwidth (MBW) requirement. Why two values? What’s the difference between overfilled and effective? Overfilled is with an LED source, effective is with a VCSEL. New vs old. Loss length testing to ISO/IEC must be done with an LED and should be done with an LED for TIA testing.

 

Minimum modal bandwidth (MHz.km)

Fiber type   Core diameter   Overfilled launch bandwidth   Effective laser launch bandwidth
                             850 nm        1300 nm         850 nm
OM1          62.5 µm         200           500             Not specified
OM2          50 µm           500           500             Not specified
OM3          50 µm           1500          500             2,000
OM4          50 µm           3500          500             4,700

 

To most users, the following table may be of more benefit:

 

 

Fiber type   1000BASE-SX     10GBASE-S       40GBASE-SR4     100GBASE-SR10
OM1          275 m           33 m            Not specified   Not specified
OM2          550 m           82 m            Not specified   Not specified
OM3          Not specified   300 m           100 m           100 m
OM4          Not specified   500 m*          150 m           150 m

* The IEEE has yet to officially give a distance for 10GBASE-S on OM4 fiber. The distances are decided by the IEEE in 802.3, not the TIA or ISO/IEC cabling standards. Some glass vendors say 500 m, but most are now quoting “up to 550 m”.

Cautionary note: In ANSI/TIA-568-B.3, the modal bandwidth of 62.5 µm fiber was 160 MHz.km, not the 200 MHz.km found in the current ANSI/TIA-568-C.3. This change was done to harmonize with ISO/IEC 11801. That would reduce the distance for 1000BASE-SX to 220 m and 10GBASE-S to 26 m.

There is also a loss limit associated with these distances too.

 

 

Fiber type   1000BASE-SX     10GBASE-S       40GBASE-SR4     100GBASE-SR10
OM1          2.60 dB         2.5 dB          Not specified   Not specified
OM2          3.56 dB         2.3 dB          Not specified   Not specified
OM3          3.56 dB         2.6 dB          1.9 dB          1.9 dB
OM4          Not specified   Not specified   1.9 dB          1.9 dB

 

So in your design, you have to take into account BOTH distance and loss to ensure your application will work. OM4 fiber needs a reduced fiber loss in order to support 100GBASE-SR10 to 150 m.

 

 

Fiber type   850 nm      1300 nm     1310 nm     1550 nm
OM1          3.5 dB/km   1.5 dB/km   -           -
OM2          3.5 dB/km   1.5 dB/km   -           -
OM3          3.5 dB/km   1.5 dB/km   -           -
OM4*         2.5 dB/km   0.8 dB/km   -           -
OS1 ISP      -           -           1.0 dB/km   1.0 dB/km
OS1 OSP      -           -           0.5 dB/km   0.5 dB/km
OS2 ISP      -           -           1.0 dB/km   1.0 dB/km
OS2 OSP      -           -           0.5 dB/km   0.5 dB/km

ISP = Inside plant, OSP = Outside plant (Applicable to TIA only)

* The values above for OM4 are taken from TIA-492AAAD. This is a minimum requirement. Some vendors are quoting 2.3 dB/km. Check with your vendor and work with them carefully on the design of the fiber plant.
OM4 fiber will be added as a Fiber Type in the next release of DTX code due end Q2 2010.

Disclaimer: This content is copied from this document and all rights belong to Flukenetworks for making this document.


Cisco Learning Labs

When I attended Cisco Live 2011 in Melbourne a few weeks back, I got a sneak peek at a new Cisco offering. I just found out that on the Cisco Learning Network Shop it is now a real product to buy. What I am going on about is Cisco Virtual Labs. Cisco Virtual Labs (CVL) is powered by Cisco IOS Software on UNIX: basically Cisco has gone ahead and recompiled the IOS code to run on UNIX boxes instead of the hardware appliances they used to run on.

In the sneak peek I got at Cisco Live, the only limitation they mentioned is in the switches. Switches in the new CVL come as 4-port switches (from what I gathered, it uses the switch module code used on routers as the base for these virtual switches), but unlike the GNS3 versions these switches can run all, or almost all, of the features as far as I am aware. The Cisco representative said they are working on some of the features, which will be released before the actual product comes out. I guess it’s all done now, as I can see the CCNP SWITCH exam practice labs are there in the shop to buy.

I think Cisco saw how many people are going for GNS3 to create their practice labs and finally decided to make some money out of it. Also, the Cisco representative at Cisco Live mentioned they are going to use this as the platform to carry out certification testing at testing centres in the future, rather than having expensive physical gear everywhere. This might make it possible for them to open new exam centres as well, I hope.

I think this is great idea and good on you Cisco.


Cisco Live 2011 Melbourne

I am here @ CLM2011 and having a blast. This is my first ever Cisco Networkers, now known as Cisco Live.


If you are @ CLM2011, please say hi. Always great to make new friends. Stay tuned I will be putting out more blog articles from the Exhibition floor.


Quicktip: IOS section output modifier

I learnt this one the other day and I’ve rarely seen it mentioned – what I call the ‘IOS section output modifier’.

Essentially, it allows you to specify a section to return from the output of a command.

For example:

sh run | s ephone-dn

would return all the ephone-dn sections from the running-config and display it on screen.

You could also return all DHCP pools configured on the router:

sh run | s ip dhcp pool


Mac: Active Directory integration and missing group membership

This year I’ve been working on integrating our 100 iMacs and MacBooks into our existing Windows network. In the past, we had an Xserve running OS X Server 10.6 that served as an Open Directory master and an AFP file server. Accounts were added to Open Directory on a request basis – if a student needed to use the Macs, they had to request an account. We’ve now integrated the Macs into Active Directory using the golden/magic triangle paradigm, which means that students (and staff for that matter) use their Active Directory account to log onto the Macs.

The integration was quite easy – bind to Active Directory using Directory Utility (OS X 10.5 and below) or the Accounts preference pane in System Preferences (OS X 10.6), then bind to Open Directory. The Open Directory master server is also bound to Active Directory, and is then configured as an Open Directory master. This is known as a golden/magic triangle – both server and clients are bound to both directory services. Clients can then be managed using the OS X Server based upon their Active Directory group membership – you create Open Directory groups, assign Active Directory groups as members, and then configure preferences on that Open Directory group.

Everything was swell in integration land except for one thing – when users logged onto the Macs, the only group the Mac recognized the user as being a part of was Domain Users (specifically, the primary group). What then ensued was a few hours of troubleshooting and head scratching, trying to determine exactly why the Macs weren’t receiving the ‘full picture’ of the Active Directory user.

Troubleshooting started with the usual lead – checking the event log for anything that jumps out. In this case, I opened Console.app and checked the All Messages log and Directory Service logs – no issues. This is where the headaches started – without understanding how the authentication process works, it’s hard to determine where to look next. This is one of the main reasons why I like to understand *how things work* to a particular extent, rather than simply remembering a procedure on how to configure software/hardware or resolve an issue. Initially, and I don’t know why I thought this, I believed that the Macs were rather ‘primitive’ in the whole scenario and did a bind to LDAP with the entered credentials – if the bind succeeds, perform some more LDAP calls to determine more information about the user (such as group membership) and log the user in, if it fails then the credentials entered are incorrect.

Based on this theory, I checked the permissions on the Active Directory user object of the account I was testing with. In this example, testaccount. I checked the permissions on the testaccount object for the testaccount user and found that, as you would expect, testaccount can read the memberOf LDAP attribute (amongst others, but because this is a group membership issue I’m only interested in memberOf on user objects or member on group objects). Back to the drawing board, if you will. At this point I cracked out my trusty ol’ NETGEAR switch that does port mirroring – connected the iMac to the port I designated as SRC, my laptop to the port I designated as DST, and another port to the wall port as an uplink to the network. With this arrangement, ingress/egress traffic on the SRC port is copied to the DST port, for analysis using Wireshark. In particular, I wanted to see the LDAP calls the iMac was making to Active Directory and what Active Directory was returning to the iMac – that is, why is group membership information not being sent to the iMac. By default, the OS X Active Directory plug-in signs and encrypts LDAP packets. Thus, in order to read them I had to disable the signing and encryption using dsconfigad. Wireshark indicated that the LDAP calls being made returned standard attributes, givenName, sn, sAMAccountName, etc. but not memberOf. Interestingly, accounts that were members of Domain Admins did return memberOf attribute and group membership worked correctly. I compared the LDAP call for user account information for my account that was a member of Domain Admins and my test account – the call was identical so it wasn’t as if the iMac wasn’t requesting memberOf for my test account.

The next issue was to determine what account was being used to bind to LDAP. As per above, until now I had assumed the LDAP calls were being performed by the user authenticating to the Mac. This led me off the track of believing it to be a permission issue. Even though packet signing and encryption were disabled, the Mac doesn’t perform a simple LDAP bind (passing credentials in clear text) and instead uses Kerberos to authenticate. Thus, there was no easy way to determine what account was being used to bind. I then enabled LDAP debugging (I can’t remember the registry key – will have to update the post) and each LDAP bind (and call) was logged to the Event Log. What I then saw was that the computer account for the iMac was being used to bind to LDAP. This was a big ‘doh!’ moment for me, because it seems immediately obvious – when binding a Mac OS X system to Active Directory it creates a computer account – it doesn’t do this for no reason, it’s used for something, and in this case it’s used for the secure channel between it and the domain controller. I then did an Effective Permissions check again on my test account and found that the computer object could indeed NOT read the memberOf attribute. I decided to create a virtual machine and create my own test Active Directory domain and found that, by default, computer objects can read ALL properties on user objects, including memberOf. Thus, the issue was with the permissions in our production Active Directory.

Active Directory (and the entire network) is something we have inherited from the previous IT Department. After a bit more research and trial-and-error, I determined that by default Authenticated Users is a member of the Pre-Windows 2000 Compatible Access group and by default, this group is granted the Read all properties permission, among others, on user objects. Thus, any user or computer (or any other security principal) can read all properties on user objects in Active Directory. In our case, Authenticated Users wasn’t a member of the Pre-Windows 2000 Compatible Access group. After adding Authenticated Users back to the Pre-Windows 2000 Compatible Access group, everything was rosy – group membership was pulled correctly and client preferences were correctly managed based upon Active Directory group membership.

In this case, for whatever reason, the previous IT Department changed the group membership of a built-in Active Directory group without documenting it. This, for me, is a huge mistake, as built-in groups are granted a number of permissions by default on any number of objects in Active Directory, and by changing this membership there is the potential to break things – and in this case it did. It also made me realize that it’s a bit disappointing that vendors don’t supply more information on how things work (a primer on how OS X communicates with Active Directory would be good – to save troubleshooting time) and on default settings (default group membership, ACL entries, etc. for Active Directory).

My next post will cover a Bash script to add printers as part of an image restoration workflow using DeployStudio. Surprisingly, I couldn’t find any information on how to do this online. This may be because it’s so simple it’s obvious and thus there’s no need to document it, or because people deploy their printers to their Macs in a different manner (maybe using Managed Preferences – I’ve tried this in the past without luck, as it used the Generic PostScript Driver rather than the proper print driver). I’ll then return to my coverage of how Cisco IP phones boot.

Until next time,

Josh


How to configure a Frame-Relay Switch using a Cisco Router

The basic idea behind a Frame Relay switch is simple: it is a router configured as a switch. Switching is carried out using the frame-relay route information you configure. The first step is to enable Frame Relay switching on the router in global configuration mode, as shown below.

FRSW(config)#frame-relay switching

Next step is to create your routes in the given interfaces. In order for you to do this properly it is best to write down the routes you want based on the topology you want to create.

In this example I have R1 connected to FRSW (Frame-relay Switch) interface s0/0 and BBR2 is connected to FRSW interface s0/3.

First set up interface s0/0 on the FRSW as below. The way to interpret a frame-relay route is: incoming DLCI number, then exiting interface and DLCI number. In my example, from R1 the incoming DLCI number is 116, and for BBR2 the outgoing DLCI number is 161 on interface s0/3. For the return trip of a packet (incoming from BBR2), the incoming DLCI number is 161 and the outgoing interface is s0/0 with a DLCI number of 116.

Below is how to configure the interface s0/0 on the Frame-relay switch FRSW;

interface Serial0/0
 no ip address
 encapsulation frame-relay
 serial restart-delay 0
 frame-relay intf-type dce
 frame-relay route 116 interface Serial0/3 161

Below is how to configure the interface s0/3 on the FRSW where BBR2 is connected.

interface Serial0/3
 no ip address
 encapsulation frame-relay
 serial restart-delay 0
 frame-relay intf-type dce
 frame-relay route 161 interface Serial0/0 116
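The return-path reasoning above (every frame-relay route needs its mirror image on the far interface) is easy to get wrong in a bigger lab. As an added example that is not from the post, the Python script below parses the FRSW interface blocks as they would appear in show running-config, checks that every route has its reverse and that no inbound DLCI is mapped twice on one interface, and prints the commands that would complete any one-way route. The input is a constructed copy of the two switch interface blocks above.

```python
import re
from collections import Counter

# Constructed input: the two FRSW interface blocks from this post, as they
# would appear in 'show running-config' on the Frame Relay switch.
FRSW_CONFIG = """\
interface Serial0/0
 no ip address
 encapsulation frame-relay
 serial restart-delay 0
 frame-relay intf-type dce
 frame-relay route 116 interface Serial0/3 161
!
interface Serial0/3
 no ip address
 encapsulation frame-relay
 serial restart-delay 0
 frame-relay intf-type dce
 frame-relay route 161 interface Serial0/0 116
"""

INTERFACE_RE = re.compile(r"^interface (\S+)$")
ROUTE_RE = re.compile(r"^frame-relay route (\d+) interface (\S+) (\d+)$")


def parse_routes(config_text):
    """Return the set of (in_if, in_dlci, out_if, out_dlci) switching entries."""
    routes, current = set(), None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = INTERFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = ROUTE_RE.match(line)
        if m and current is not None:
            routes.add((current, int(m.group(1)), m.group(2), int(m.group(3))))
    return routes


def check_routes(routes):
    """Find routes with no return path and inbound DLCIs mapped twice.

    A PVC only works end to end when the switch has both directions:
    (A, x -> B, y) must be matched by (B, y -> A, x).
    """
    one_way = [r for r in sorted(routes) if (r[2], r[3], r[0], r[1]) not in routes]
    inbound = Counter((in_if, in_dlci) for in_if, in_dlci, _, _ in routes)
    duplicates = sorted(k for k, n in inbound.items() if n > 1)
    return {"one_way": one_way, "duplicate_inbound_dlci": duplicates}


def missing_commands(routes):
    """Return the IOS lines that would complete each one-way route."""
    lines = []
    for in_if, in_dlci, out_if, out_dlci in check_routes(routes)["one_way"]:
        lines.append(f"interface {out_if}")
        lines.append(f" frame-relay route {out_dlci} interface {in_if} {in_dlci}")
    return lines


if __name__ == "__main__":
    routes = parse_routes(FRSW_CONFIG)
    print(check_routes(routes))   # {'one_way': [], 'duplicate_inbound_dlci': []}
    # Drop the return route to show what the report looks like for a half-configured PVC.
    half = {r for r in routes if r[0] == "Serial0/0"}
    print("\n".join(missing_commands(half)))
```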

I thought it’s best to show how the connecting R1 and BBR2 routers are set up as well, so you know the whole configuration.

The configuration below shows the R1 router interface s0/0 and sub-interface s0/0.2, where BBR2 is linked to:

interface Serial0/0
 no ip address
 encapsulation frame-relay
 serial restart-delay 0
!
interface Serial0/0.2 point-to-point
 description Link to BBR2
 ip address 10.1.116.1 255.255.255.0
 frame-relay interface-dlci 116

The configuration below shows the BBR2 router interface s0/0 and sub-interface s0/0.1, where R1 is linked to:

interface Serial0/0
 no ip address
 encapsulation frame-relay
!
interface Serial0/0.1 point-to-point
 description Link to R1
 ip address 10.1.116.2 255.255.255.0
 frame-relay interface-dlci 161

 

Hope the above helps when you are looking for a simple Frame Relay switch configuration for your next lab exercise.


Upgrade Cisco Wireless Lightweight AP into Autonomous AP

Most Cisco wireless APs can be upgraded into Autonomous APs, also known as standalone APs. Last week I found this knowledge handy when I wanted to test out a simple configuration but all I had were lightweight APs. So I used the steps/options below to convert my LWAP into an Autonomous AP.

Option #1:

  1. The PC on which your TFTP server software runs must be configured with a static IP address in the range of 10.0.0.2 to 10.0.0.30.
  2. Make sure that the PC contains the access point image file (such as c1240-k9w7-tar.124-25d.JA.tar for a 1240 series access point) in the TFTP server folder and that the TFTP server is activated.
  3. Rename the access point image file in the TFTP server folder to c1240-k9w7-tar.default for a 1240 series access point.
  4. Connect the PC to the access point using a Category 5 (CAT5) Ethernet cable.
  5. Disconnect power from the access point.
  6. Press and hold the MODE button while you reconnect power to the access point.
  7. Hold the MODE button until the status LED turns red (approximately 20 to 30 seconds), and release the MODE button.
  8. Wait until the access point reboots as indicated by all LEDs turning green followed by the Status LED blinking green.
  9. After the access point reboots, reconfigure the access point using the GUI or the CLI.

This is what happens under the hood in this option: after putting the AP into recovery mode using the MODE button, the AP looks for the c1240-k9w7.default file from a TFTP server in the range 10.0.0.2/8 – 10.0.0.30/8, with 10.0.0.1 becoming the IP address of the AP for the transfer. When the TFTP server is contacted, the AP goes through an image upgrade and restarts itself.

I didn’t have much luck with this option, so I resorted to option #2 to convert my AP from lightweight to autonomous.

 

Option #2:

  • Enable LWAPP console CLI allow/disallow debugging (this enables you to access configuration mode on your AP):
      #debug lwapp con cli
  • Enable LWAPP ignore internal reload debugging (this enables you to load a new image):
      #debug lwapp client no-reload
  • Configure an IP address on the interface:
      (config)#interface fa0
      (config-if)#ip address 10.0.0.1 255.255.255.0
  • Download the image file from the TFTP server to the AP (note: there is no auto-complete for any of these commands, as you will notice, so type in the whole thing manually):
      (config)#archive download-sw /overwrite /reload tftp://<TFTP SERVER IP ADDRESS>/c1240-k9w7-tar.124-25d.JA.tar
  • When the access point has finished copying the IOS, it should reload and boot up in IOS.

NOTE: There are no auto complete or command line assistance for any of these commands in the AP, so don’t think that the command is not in your AP just manually type in the whole thing and you should be fine.

 

There you have it: you can convert your LWAP (most APs) into an Autonomous AP in a few easy steps. Let me know if you have any issues.


How it Works: Cisco IP Phone Boot Process (Part 1)

Woo, my first post!

I often find that by understanding in-depth/behind the scenes how a particular thing works it enables me to troubleshoot better. Thus, there is a distinction between simply knowing the steps a Cisco IP phone takes to boot and how the Cisco IP phone actually boots.

Beware this is going to be a lengthy post! I often put quite a bit of detail into my writing, perhaps I should write a book rather than a blog. :-)

Powering the Cisco IP Phone

The Cisco IP phone must first receive power. As we know, Cisco IP phones can be powered using one of three methods:

  • Cisco Inline Power (pre-standard)
  • 802.3af (IEEE standard)
  • Cisco Power Cube

The former two are Power over Ethernet (PoE) standards that rely on distributing power to the IP phones over Category 5e/6 Ethernet cables. In this case, a PoE capable switch can power the phones directly. If a PoE capable switch isn’t available, then a power patch panel or power injector can be used. A Cisco Power Cube is essentially a standard power supply that connects to an AC power point. Most IP phones do not ship with a Cisco Power Cube – these have to be purchased separately.

In the case of the Cisco Power Cube, it simply needs to be plugged into the phone and an AC power point and the Cisco IP phone receives power. Power over Ethernet is a bit more complex, and depending on whether Cisco Inline Power or 802.3af is used will determine how exactly the Cisco IP phone receives power. Power over Ethernet is deserving of a post of its own (or several!), so I’ll only include brief details on how it works – in particular, detecting the phone.

Cisco Inline Power

Power over Ethernet requires that the switch determines whether a powered or non-powered device is connected to any of its interfaces. Cisco Inline Power uses AC (alternating current) powered device detection, whilst 802.3af uses DC (direct current) powered device detection.

Cisco Inline Power sends a low frequency AC signal and expects the same signal to be looped back on the receive pair.  Once it receives the looped back signal, the switch (power sourcing equipment, or PSE, in 802.3af terminology) knows that it can send current to the device.

Cisco Inline Power uses the pairs that 100BASE-T does not use to transmit data in order to send power to the device. This means that Cisco Inline Power does not support Gigabit speeds.

802.3af

Unlike Cisco Inline Power, 802.3af uses a phantom power technique to send power over the same pairs that data is transmitted on. This provides interoperability between 802.3af and 1000BASE-T, enabling Gigabit speeds whilst powering the device.

Whilst Cisco Inline Power relies on the device to loop back a low frequency AC signal, 802.3af relies on the device to place a 25 kΩ resistor between the powered pairs. This is known as a ‘signature resistance’. The power sourcing equipment (generally a switch) detects this resistance and can send electrical current to the device.

Determining the Voice VLAN and Obtaining a DHCP Lease

The Cisco IP phone, now that it has been powered on, needs to determine its voice VLAN and subsequently request a DHCP lease.

The link between the Cisco IP phone (the port marked SW on the IP phone) and the switch is a trunk. Packets within the voice VLAN are tagged, and packets on the access/data VLAN are untagged (for the PC attached to the IP phone). Configuration of these VLANs on the switch is simple:

interface FastEthernet0/1
! specify the voice VLAN for the switch interface
switchport voice vlan 8
! specify the access/data VLAN for the switch interface
switchport access vlan 5

In the example above, switch interface FastEthernet0/1 has VLAN 8 configured as its voice VLAN, and VLAN 5 configured as its access/data VLAN.

The Cisco Discovery Protocol, or CDP, is what the IP phone relies upon to receive its voice VLAN configuration. If CDP is disabled (either via the global configuration command no cdp run or the interface subcommand no cdp enable), then the voice VLAN must be manually configured on the IP phone. The switch periodically (every 60 seconds by default) sends out a CDP advertisement. Within the advertisement is the voice VLAN configured on that switch’s egress interface. The IP phone can also request the voice VLAN via CDP, although I’m not entirely sure how this works.

CDP Voice VLAN reply

Now that the IP phone has determined what its voice VLAN is, it can now determine its IP addressing information. To do so, the IP phone sends a DHCP request that is tagged with the voice VLAN (see packet capture below). The DHCP server, which can be any DHCP server – it does not necessarily have to be Cisco IOS, needs to reply with Option 150 in addition to the usual specifics (IP address, subnet mask, default gateway, DNS server IP addresses, etc.). Option 150 specifies the TFTP Server IP address.

Tagged DHCP request

To configure a DHCP pool for IP phones on a Cisco IOS router:

ip dhcp pool Voice
! specify the subnet
network 10.10.8.0 255.255.255.0
! specify the default gateway
default-router 10.10.8.1
! specify the TFTP server IP address
option 150 ip 10.10.8.1
! specify the DNS server IP address
dns-server 192.168.1.254

For the observant amongst us: you may have noticed that I didn’t have to specify a range of addresses to allocate within the pool. With Microsoft DHCP, for instance, you have to specify a start and end IP address, which determines the range of addresses the DHCP server can allocate. Cisco IOS works differently: you exclude the addresses you don’t want allocated/assigned to hosts and then specify the entire subnet. The configuration above will allow Cisco IOS to allocate IP addresses 10.10.8.1 – 10.10.8.254. If I wanted to exclude IP addresses 10.10.8.1 – 10.10.8.9 from being allocated to hosts, I’d enter the command ip dhcp excluded-address 10.10.8.1 10.10.8.9 from global configuration mode.

Now that the DHCP pool is configured, the Cisco IP phone can request a lease and receive IP addressing details, including the IP address of a TFTP server which is essential to the boot process being successful.
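As an added example (not part of the original post), the Python below builds and parses the option area of such a DHCP offer, including Option 150, checks that the offered TFTP server is the one you operate (a phone pointed at any other TFTP server by a rogue or misconfigured DHCP server is worth investigating), and models the IOS "whole subnet minus excluded addresses" allocation described above. The addresses are the ones from the pool above; the offer bytes themselves are constructed here.

```python
import ipaddress

# The option area of a DHCP message starts with the magic cookie and is followed
# by TLV options (code, length, value), terminated by code 255.
MAGIC_COOKIE = b"\x63\x82\x53\x63"

def encode_option_150(servers):
    """Build DHCP option 150 (TFTP server address list): code 150, length 4*n,
    then each IPv4 address in network byte order."""
    payload = b"".join(ipaddress.IPv4Address(s).packed for s in servers)
    return bytes([150, len(payload)]) + payload

def build_offer_options(subnet_mask, router, dns, tftp_servers):
    """Constructed option area of a DHCP OFFER (the BOOTP header is omitted),
    mirroring the 'ip dhcp pool Voice' settings from the post."""
    opts = MAGIC_COOKIE
    opts += bytes([53, 1, 2])                                          # message type: OFFER
    opts += bytes([1, 4]) + ipaddress.IPv4Address(subnet_mask).packed  # subnet mask
    opts += bytes([3, 4]) + ipaddress.IPv4Address(router).packed       # default router
    opts += bytes([6, 4]) + ipaddress.IPv4Address(dns).packed          # DNS server
    opts += encode_option_150(tftp_servers)
    return opts + b"\xff"                                              # END

def parse_dhcp_options(options):
    """Parse the TLV option area into {code: raw_value}. Skips PAD (0), stops at
    END (255) and refuses truncated options instead of reading past the buffer."""
    if not options.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    result, i = {}, len(MAGIC_COOKIE)
    while i < len(options):
        code = options[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        result[code] = value
        i += 2 + length
    return result

def tftp_servers(options):
    """Decode option 150 into dotted-quad strings; [] if absent or malformed."""
    raw = options.get(150, b"")
    if not raw or len(raw) % 4:
        return []
    return [str(ipaddress.IPv4Address(raw[j:j + 4])) for j in range(0, len(raw), 4)]

def offer_points_at_expected_tftp(options, expected):
    """Sanity check for captured offers: phones should only ever be told about
    the TFTP server we run."""
    return tftp_servers(options) == [expected]

def ios_allocatable(network, excluded_ranges):
    """Model the IOS behaviour described in the post: the pool covers the whole
    subnet (minus network and broadcast addresses) except the
    'ip dhcp excluded-address <low> <high>' ranges."""
    net = ipaddress.IPv4Network(network, strict=False)
    excluded = set()
    for low, high in excluded_ranges:
        excluded.update(range(int(ipaddress.IPv4Address(low)),
                              int(ipaddress.IPv4Address(high)) + 1))
    return [str(h) for h in net.hosts() if int(h) not in excluded]

if __name__ == "__main__":
    offer = build_offer_options("255.255.255.0", "10.10.8.1", "192.168.1.254", ["10.10.8.1"])
    print("TFTP servers offered:", tftp_servers(parse_dhcp_options(offer)))
    pool = ios_allocatable("10.10.8.0/24", [("10.10.8.1", "10.10.8.9")])
    print("allocatable: %s .. %s (%d addresses)" % (pool[0], pool[-1], len(pool)))
```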

In the next part, we’ll complete our coverage on the Cisco IP phone boot process – stay tuned!


Deploying a FortiGate 50B Firewall

FortiGate is a Unified Threat Management (UTM) appliance for small to medium business. This is a good product to protect a small business which uses DSL connections for its internet, as this firewall has a firewall throughput of 50Mbps with some good VPN and UTM features.

I will go through the basic setup required to get a FortiGate 50B appliance configured for your company or for your clients. The steps below will help you navigate the features more easily, so you can pick and choose what you want out of the complete configuration.

  1. Booting up for the first time
  2. Default access credentials and methods for accessing the appliance
  3. Activate your UTM subscription services
  4. Setup basic network and routing setups
  5. Basic NAT setup for users to access the external resources
  6. Configure advanced NAT/PAT rules for your servers and services
  7. Enabling UTM features and basic Firewall policy management
  8. Ready to deploy into the wild

Booting up for the first time

Un-box the unit and grab the power and console cables so we can start booting it up. Before you power the unit up, plug the console cable into your laptop so you can watch the boot process, then power the unit on. The screenshot below shows what the boot screen should look like, but note that firmware versions and some other variables might differ depending on the version you are on.

 

Default access credentials and methods for accessing the appliance

The default access credentials for the FortiGate 50B are as below:

User Name: admin
Password: (Blank)

To access the appliance you can use console access or GUI access. FortiGate products are much easier to manage using the GUI, as the CLI is not as user friendly as the gear I usually configure. Out of the box your WAN interfaces come with DHCP enabled, but the internal interface is set to 192.168.1.99. You can check the address assigned to each interface from the CLI (the video below shows the command); the output looks like this:

internal   static   192.168.1.99 255.255.255.0  up   disable   physical
modem   static   0.0.0.0 0.0.0.0  down   disable   physical
ssl.root   static   0.0.0.0 0.0.0.0  up   disable   tunnel
wan1   dhcp   192.168.99.138 255.255.255.0  up   disable   physical
wan2   static   0.0.0.0 0.0.0.0  up   disable   physical

So by setting your laptop’s IP address to be in the same subnet as 192.168.99.0/24 you can start accessing the GUI. The video below shows how to run this command on your FortiGate.

FortiGate 50B Checking the Internal Interface IP Address

 

The video below shows how to set up the IP address on an interface using the CLI.

 

Activate your UTM subscription services

The next step is to register and activate your product so you can start using the UTM update services from FortiGuard. If you bought the unit as a UTM bundle you should get access to these features. Basically these features keep the firewall up to date with IPS, IDS, Anti-Virus and Anti-Spam updates.

The easiest way to do this is to follow the steps below through the GUI:

  1. Go to the Dashboard
  2. Select License Information Widget
  3. Select Registration
  4. Create new account and fill in the details

After the registration is completed your services should start to be activated with the UTM package you bought (for the process to work, the appliance’s WAN connection has to be up).

The next step is to find the latest firmware and update your unit. https://support.fortinet.com/ is the Fortinet support website where you can grab the firmware and other useful updates to keep your appliance up to date.

The video below goes through some basic appliance configuration and a bit of the above process.

Basic appliance configuration

Basic NAT setup for users to access the external resources

The video below goes through the basic NAT setup for users to access external resources (global NAT overloading).

Basic NAT setup for users to access the external resources

Setup basic network and routing setups

The video below goes through the basic network and routing setup of the unit, and the basic Network Address Translation (NAT)/Port Address Translation (PAT) setup to publish your server(s) to the outside.

Setup basic network and routing setups

 

Enabling UTM features and basic Firewall policy management

The video below goes through basic UTM feature setup and enabling it on firewall policies.

FortiGate 50B Basic UTM Features Enabling

 

Ready to deploy into the wild

Almost ready to send it into the wild. Before you do, set up logging for a rainy day; at least basic logging to the unit’s memory is good.


Cisco Basics – Password Recovery

You never know when you will need the basics, especially in the middle of the night when you are doing a project deployment.

Password recovery for a Cisco 3560 came in handy when the onsite admin didn’t know the password, so we could start our deployment. Luckily there wasn’t much configuration on it to start with, and I had the configuration from a previous project we did for that client.

Here is how to reset the configuration and recover a 3560 or a 3750. FYI, the steps below are taken from the Cisco website:

  1. Power the switch and bring it to the switch: prompt:
  2. Hold down the mode button located on the left side of the front panel, while you reconnect the power cable to the switch.
  3. Release the Mode button after approximately 15 seconds when the SYST LED turns solid green. When you release the Mode button, the SYST LED blinks green.

There you have it. Believe me, you never know when it might come in handy.

Cisco Link: http://www.cisco.com/en/US/products/hw/switches/ps628/products_password_recovery09186a0080094184.shtml


Deploying a Wireless solution using IOS APs and Switch Configuration Notes

Basically, the cases below can be identified when deploying a wireless solution using IOS APs.

Case 1:

A newly created wireless VLAN; all clients and APs go in that VLAN.

  • The new VLAN needs to be set up on the switch port where the AP connects, using the switchport access vlan XXX command

  • Inter-VLAN routing for the newly created VLAN, so traffic flows between the other VLANs and the new wireless VLAN, making it possible for wireless clients to access network resources

  • DHCP scopes for the new VLAN, as well as an IP helper address, so DHCP requests from the wireless clients reach the right DHCP server (this applies if your DHCP server is separate from the AP)

Case 2:

More than one VLAN is set up on the AP, and different WLANs are set up on the AP for those VLANs, where wireless clients connect.

  • The switch port where the AP connects has to be set up as a trunk port, allowing all of the required VLANs through to the AP. This can be achieved with the switchport mode trunk and switchport trunk allowed vlan commands on the switch port

  • Inter-VLAN routing for all newly created VLANs (assuming all existing VLANs already have inter-VLAN routing set up)

  • Appropriate DHCP scopes as well as IP helper setup for the VLANs

Furthermore, the Cisco article below might be useful to check your switch and AP configuration.

http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801d0815

This article can be found on Cisco Support Forum as well.

https://supportforums.cisco.com/message/3271361#3271361


New Year 2011 – My New Year Resolutions

I am not a big fan of new year resolutions, as I have a tendency not to stick with them. But this year, as in all the years before, I have set some new year resolutions. This time I intend to keep them, as I have to finish CCNP at the start of the year.

Let’s see how I go with this one. I have till March and all of my exam dates are already set, so I don’t have any excuses.

Happy New Year everyone and all the best. :)


Emulex 10GbE Virtual Fabric Adapter and BNT Virtual Fabric 10Gb Switch Module for IBM BladeCenter

I have been working on a 10GbE VFA for IBM BladeCenter convergence project in the past few days. The Emulex 10GbE adapter gives two 10GbE ports per blade, and the adapter can auto-negotiate 1G or 10G with the attached fabric.

Below is a list of points I would like to highlight which will assist anyone who is deploying the new 10G fabric convergence cards with 10G blade switch modules:

  • One of the critical things I learnt was that you need the latest firmware on the BNT Virtual Fabric 10Gb Switch Module, which enables the connectivity on the back side of the blade chassis. I guess I learnt it the hard way.
  • Configuration of the BNT VFSM is easy after you get your head around it.
  • Also note that the Emulex NIC Manager (ENM) is in the blade BIOS; it is NOT a software tool that you install on the OS. ENM lets you change between the two modes the adapter can work in: vNIC mode (the default), which lets you carve up the two 10G physical ports into 8 virtual NICs (each physical port is divided into 4 vNICs), or pNIC mode, where you just have two 10G NICs.

 

Below is the Emulex 10GbE VFA for IBM Blades.

Emulex 10GbE VFA

Below is the BNT VF 10GbE Switch Module for BladeCenters.

BNT-Virtual-Fabric-10-Gb-Switch-Module

I hope the above assists someone deploying 10G fabric convergence in their environment. Please leave comments and questions below.

Note: Pictures are copyright material of IBM, BNT and Emulex.


My Lab Setup

I finally finished off my lab setup. Now I just need to study :)


Cisco Live 2011 in Melbourne

I am so excited for Cisco Live 2011 in Melbourne. Finally I don’t have to go to Brisbane to attend the conference. I have already booked in and am looking forward to it. Let me know if any of you guys are going; leave your details in the comments section so we can meet up at the conference and explore it together, or just have a coffee. Cisco Live 2011, here I come :)


Cisco ASA Platform Limitations

I have been working on an enterprise-scale Cisco ASA firewall deployment project. In the high-level design I found that there is a big limitation in the platform. The solution requires the appliances to be in true active-active mode. The other main requirement was that it should carry the VPN feature set as well. I found out that when two ASA units are in Active-Active mode you cannot have VPN. There is no dynamic routing protocol implementation either (there are a few more limitations in the list as well). The Active-Active setup for the ASA platform is not true active-active (no load balancing at all). These limitations are enforced in an indirect manner, making them harder to identify on a quick look: Active-Active setup requires the ASA units to be in multiple context mode, and context mode has the above limitations.

Note this for your future projects. I was lucky I did my research in my detailed design, avoiding major disasters. Also note that the ASA platform cannot do any load balancing, and no ISP active-active setup either. A big disappointment with Cisco and their ASA platform.


VMware Network Blueprint

  • The VMware network blueprint is an outcome of the best practice recommendations from VMware.
  • The figure below shows a high-level overview of the proposed blueprint. Main points:
  • The best approach is the Virtual Switch VLAN Tagging (VST) model.
  • The recommended network integration uses 5 VLANs:
    • Service Console (SC)
    • Fault Tolerance (FT)
    • VMotion (VM)
    • VM Network (Production)
    • iSCSI (Storage)
  • Trunk ports are used at the connecting physical switch level.
  • The vSwitch is set to use “IP HASH” for load balancing between physical NICs in a given port group (IP HASH works on the outgoing traffic from the ESX host).
  • A Layer 3 core switch or external router should be used for inter-VLAN routing.
  • Jumbo frames should be switched on for the iSCSI and VMotion VLANs to accommodate large file movements.

 

VMware Network Blueprint

Figure 1: VMware Network High-level Blueprint

On the Physical Switch:

  • Link aggregation is used to create redundant physical link bundles.
  • Trunk ports are implemented to carry the VLAN traffic from the internal vSwitches to the external network segments.
  • Trunk ports can be limited to carry only the required VLANs to enable some security on the ports.

 

Configuration

On the ESX Host:

To set port group properties

  1. Log into the VMware VI Client, and select the server from the inventory panel. (The hardware configuration page for this server appears)
  2. Click the Configuration tab, and then click Networking.
  3. On the right side of the window, click Properties for a network.
  4. The vSwitch Properties dialog box appears.
  5. Click the Ports tab.
  6. Select the port group and click Edit.
  7. In the Properties dialog box for the port group, click the General tab to change:
    1. Network Label — a name that identifies the port group that you are creating.
    2. VLAN ID — identifies the VLAN that the port group’s network traffic will use.
    3. NIC Teaming – Load Balancing to “Route based on IP HASH”
  8. Click OK to exit the vSwitch Properties dialog box.

 

On the External Switch:

Cisco Switch:

On the channel-group <group-id> (port-channel) interface:

switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk native vlan <vlan-id>
switchport trunk allowed vlan add <vlan-id(s)>
switchport nonegotiate
spanning-tree portfast trunk

 

HP Switch:

trunk <port-list> <trunk-id> trunk
vlan <default-vlan-id> untagged <trunk-id>
vlan <vlan-id(s)> tagged <trunk-id>
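Those trunk settings are easy to drift away from on a busy switch. The Python below is an added example (not the post’s or VMware’s own code) that audits the ESX-facing Port-channel interfaces in a Cisco IOS running-config against the blueprint: trunk mode, dot1q encapsulation, nonegotiate, an allowed-VLAN list limited to the five blueprint VLANs, and a native VLAN that is not one of them. The VLAN numbers, the unused native VLAN and the running-config excerpt are all constructed for the example.

```python
# Constructed VLAN plan for the five blueprint VLANs; the IDs are assumptions.
BLUEPRINT_VLANS = {"Service Console": 10, "Fault Tolerance": 20, "VMotion": 30,
                   "VM Network": 40, "iSCSI": 50}
UNUSED_NATIVE_VLAN = 999  # assumption: a VLAN used for nothing but untagged frames

# Constructed running-config excerpt (not from the original post).
SAMPLE_CONFIG = """\
interface Port-channel1
 description ESX01 uplink bundle (matches the blueprint)
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport trunk allowed vlan add 40,50
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast trunk
!
interface Port-channel2
 description ESX02 uplink bundle (left wide open)
 switchport mode trunk
 switchport trunk allowed vlan 1-4094
!
"""

def parse_interfaces(config):
    """Split an IOS running-config into {interface name: [subcommands]}."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or any other top-level line ends the stanza
    return stanzas

def expand_vlan_list(spec):
    """'10,20,30-32' -> {10, 20, 30, 31, 32}."""
    vlans = set()
    for part in spec.split(","):
        if "-" in part:
            low, high = part.split("-")
            vlans.update(range(int(low), int(high) + 1))
        elif part:
            vlans.add(int(part))
    return vlans

def allowed_vlans(subcommands):
    """Apply 'switchport trunk allowed vlan ...' lines in order. None means
    every VLAN is carried (the IOS default when the list is never restricted)."""
    allowed = None
    for cmd in subcommands:
        if not cmd.startswith("switchport trunk allowed vlan "):
            continue
        args = cmd.split()[4:]
        if args[0] == "add":
            allowed = (allowed or set()) | expand_vlan_list(args[1])
        elif args[0] == "all":
            allowed = None
        else:
            allowed = expand_vlan_list(args[0])
    return allowed

def audit_trunk(subcommands, wanted=frozenset(BLUEPRINT_VLANS.values()),
                native=UNUSED_NATIVE_VLAN):
    """Findings for one ESX-facing trunk; an empty list means it matches the blueprint."""
    findings, cmds = [], set(subcommands)
    if "switchport mode trunk" not in cmds:
        findings.append("not configured as a trunk")
    if "switchport trunk encapsulation dot1q" not in cmds:
        findings.append("dot1q encapsulation not set")
    if "switchport nonegotiate" not in cmds:
        findings.append("DTP still enabled: add 'switchport nonegotiate'")
    carried = allowed_vlans(subcommands)
    if carried is None or carried - wanted:
        findings.append("trunk carries VLANs outside the blueprint set")
    elif wanted - carried:
        findings.append("trunk is missing blueprint VLANs %s" % sorted(wanted - carried))
    native_cmds = [c for c in subcommands if c.startswith("switchport trunk native vlan ")]
    current_native = int(native_cmds[-1].split()[-1]) if native_cmds else 1
    if current_native != native:
        findings.append("native VLAN is %d, expected unused VLAN %d" % (current_native, native))
    return findings

def audit_config(config):
    """Audit every interface stanza; returns {interface: [findings]}."""
    return {name: audit_trunk(cmds) for name, cmds in parse_interfaces(config).items()}

if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name, "OK" if not findings else "; ".join(findings))
```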


Spanning-Tree Proposed Setup for VMware Deployment with Existing Layer 2 Core

Background for the solution design

We deploy quite a few VMware virtualization solutions where there is an existing Layer 2 network core. It is important that this solution design is considered, to make the network changes required to accommodate the new infrastructure.

The main reason behind the proposed changes is the major shift the new infrastructure introduces by centralizing the core network resources onto the virtualized platform. This shift in where the core resources live should be followed by a move of the Layer 2 network core, to accommodate the change in network traffic.

 ChangeCore

Solution Deployment

The solution is based on the Spanning Tree Protocol (STP). STP dictates the root, or centre (core), of the Layer 2 network. The root (core) switch is elected by STP, and after the election all the other switches in the network build a logical path to the root switch for all network traffic. This creates a more efficient switching fabric: fewer hops to reach the core network resources lets the network function at its optimum.

Deployment Scenario #1

Existing Core: Netgear GS748TS switch stack with 4 member switches

New Core: HP 2810-48 (Top Switch) and HP 2810-48 (Bottom Switch)

DeploymentScenario1

Diagram B: Scenario #1 switch deployment

In the existing network the Netgear stack master is the STP root. To move the core to the new switching infrastructure, follow the steps below:

  • Change the STP priority to a lower value than the default (32xxxx) on the HP Top Switch.
  • If required, increase the STP root priority value to a higher value on the Netgear switch stack master.
  • Check that the STP election process runs as planned.

 

Network Link setup

In Diagram B the following inter-switch links (trunks) exist, with their STP forwarding and blocked states after the root change:

HP Top Switch:

Physical Interface | Trunk Group ID | STP State  | Description
Ethernet Port #21  | TRK1           | Forwarding | Uplink trunk to old Core
Ethernet Port #22  | TRK1           | Forwarding | Uplink trunk to old Core
Ethernet Port #23  | TRK2           | Forwarding | Uplink trunk to HP Bottom SW
Ethernet Port #24  | TRK2           | Forwarding | Uplink trunk to HP Bottom SW

HP Bottom Switch:

Physical Interface | Trunk Group ID | STP State  | Description
Ethernet Port #21  | TRK1           | Block      | Uplink trunk to old Core
Ethernet Port #22  | TRK1           | Block      | Uplink trunk to old Core
Ethernet Port #23  | TRK2           | Forwarding | Uplink trunk to HP Top SW
Ethernet Port #24  | TRK2           | Forwarding | Uplink trunk to HP Top SW

Old Core Switch (Stack):

Physical Interface | Trunk Group ID | STP State  | Description
Ethernet Port #X1  | TRK1           | Forwarding | Uplink trunk to HP Top SW
Ethernet Port #X2  | TRK1           | Forwarding | Uplink trunk to HP Top SW
Ethernet Port #X3  | TRK2           | Block      | Uplink trunk to HP Bottom SW
Ethernet Port #X4  | TRK2           | Block      | Uplink trunk to HP Bottom SW
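To see why the priority change in the steps above moves the root and which trunk ends up blocked, here is an added Python example (not the post’s own material) that runs the 802.1D root election and port-role calculation over the three-switch triangle of Diagram B, before and after the priority changes. The MAC addresses and the link cost are constructed placeholders; in standard STP only the non-designated end of the redundant HP Bottom to old core trunk goes into blocking, and the model reports which end that is.

```python
import heapq

# Constructed bridge identities (priority, MAC); the MACs are placeholders, not the
# real switches'. All three start at the default priority 32768, so the lowest MAC wins.
BEFORE = {
    "Old Core":  (32768, "00:0f:00:00:00:01"),   # Netgear stack master, current root
    "HP Top":    (32768, "00:1b:00:00:00:0a"),
    "HP Bottom": (32768, "00:1b:00:00:00:0b"),
}
# After the steps in the post: HP Top lowered, Netgear stack raised.
AFTER = {
    "Old Core":  (61440, "00:0f:00:00:00:01"),
    "HP Top":    (4096,  "00:1b:00:00:00:0a"),
    "HP Bottom": (32768, "00:1b:00:00:00:0b"),
}
# The three trunk bundles of Diagram B; the 802.1D path cost of 4 (1 Gbit/s) is assumed.
LINKS = [("HP Top", "Old Core", 4), ("HP Top", "HP Bottom", 4), ("HP Bottom", "Old Core", 4)]

def elect_root(bridges):
    """Lowest bridge ID (priority first, then MAC) becomes root."""
    return min(bridges, key=lambda name: bridges[name])

def root_path_costs(root, links):
    """Dijkstra from the root: cheapest accumulated link cost to reach each bridge."""
    adjacent = {}
    for a, b, cost in links:
        adjacent.setdefault(a, []).append((b, cost))
        adjacent.setdefault(b, []).append((a, cost))
    dist, heap = {root: 0}, [(0, root)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist[node]:
            continue
        for nbr, cost in adjacent[node]:
            if d + cost < dist.get(nbr, float("inf")):
                dist[nbr] = d + cost
                heapq.heappush(heap, (d + cost, nbr))
    return dist

def compute_stp(bridges, links):
    """Return (root, states) where states[(switch, neighbour)] is the role of
    switch's port towards neighbour: root port, designated, or blocked."""
    root = elect_root(bridges)
    cost = root_path_costs(root, links)
    root_port = {}
    for name in bridges:
        if name == root:
            continue
        # Root port: cheapest path to the root, ties broken by the neighbour's bridge ID.
        options = []
        for a, b, link_cost in links:
            if name in (a, b):
                nbr = b if a == name else a
                options.append((cost[nbr] + link_cost, bridges[nbr], nbr))
        root_port[name] = min(options)[2]
    states = {}
    for a, b, _ in links:
        # Exactly one end of every link is designated: the end closer to the root,
        # ties broken by bridge ID. The other end is a root port or is blocked.
        designated = min((a, b), key=lambda n: (cost[n], bridges[n]))
        other = b if designated == a else a
        states[(designated, other)] = "forwarding (designated)"
        if root_port.get(other) == designated:
            states[(other, designated)] = "forwarding (root port)"
        else:
            states[(other, designated)] = "blocked"
    return root, states

if __name__ == "__main__":
    for label, bridges in (("before", BEFORE), ("after", AFTER)):
        root, states = compute_stp(bridges, LINKS)
        print(label, "root:", root)
        for (sw, nbr), state in sorted(states.items()):
            print("  %-9s -> %-9s %s" % (sw, nbr, state))
```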


Cisco ASA NAT and PAT Configuration

I thought I would put together a NAT and PAT example to assist anyone who is trying to implement NAT and PAT using a Cisco ASA product.

Mainly, NAT (Network Address Translation) means you make an internal network talk to outside networks using a given public/outside IP or a pool of such IPs. The diagram below shows the most common use of NAT: Internet connectivity for a private network.


Let’s get to it then. First, how to configure PAT from the ASDM.

Let’s look at a scenario to understand the process properly, step by step. My example scenario is to forward traffic which hits the outside interface to my internal FTP server.

First, create an access-list to allow any traffic arriving at the outside interface on a given service port to pass through. In my example I am using ftp (21). Apply that using the ASDM.


Next, create a static NAT to statically map the inside host (the service server) to the outside interface.


First create a name object, so it is easier to remember your mapping and your configuration is easier to read and understand down the track.

Then create the static NAT using the dialog box as below.


That is all there is to Port Address Translation (PAT) in order to open up an FTP server on your private network to the outside world using an ASA appliance.

Let’s do the same using the command line (CLI).

access-list outside_access_in extended permit tcp any interface outside eq ftp
access-group outside_access_in in interface outside
static (inside,outside) tcp interface ftp FTPServer ftp netmask 255.255.255.255

 

Next, let’s look at Network Address Translation.

This scenario is where the ISP has given you a block of public IPs and you want your network to use them in order to communicate with the public networks.

The first step is to create the pool as below, using the “Edit Global Address Pool” dialog box.


After that, add the dynamic NAT as below, using the previously created IP pool to NAT to outside networks.


Now let’s do the same using the CLI.

global (outside) 1 10.142.188.50-10.142.188.100 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
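As an added example (not the post’s or Cisco’s code), the Python below models how those two translations behave for new connections on a pre-8.3 ASA: inbound, only the static PAT entry (together with the access-list) yields a translation; outbound, each inside host holds one address from the 10.142.188.50–100 pool, and because the post’s global (outside) 1 entry is only a range with no interface PAT entry, new hosts beyond the 51 addresses get no translation until an existing one times out. The outside interface address and the address behind the FTPServer name object are assumptions.

```python
import ipaddress

# Constructed addresses: the post does not give the outside interface address or
# the address behind the FTPServer name object, so these are assumptions.
OUTSIDE_IF_IP = "203.0.113.1"
FTP_SERVER = "192.168.1.10"

class AsaNatModel:
    """Model of the two pre-8.3 ASA translations from the post. It tracks
    translation entries (xlates) only; the access-list is modelled by acl_permits()."""

    def __init__(self, outside_ip, pool_start, pool_end):
        self.outside_ip = outside_ip
        self.static_pat = {}   # (proto, mapped_ip, mapped_port) -> (real_ip, real_port)
        start, end = ipaddress.IPv4Address(pool_start), ipaddress.IPv4Address(pool_end)
        # global (outside) 1 <start>-<end>: the free addresses, handed out in order
        self.free = [str(ipaddress.IPv4Address(a)) for a in range(int(start), int(end) + 1)]
        self.dynamic = {}      # real inside ip -> global ip it currently holds

    def add_static_pat(self, proto, mapped_port, real_ip, real_port):
        """static (inside,outside) <proto> interface <mapped_port> <real_ip> <real_port>"""
        self.static_pat[(proto, self.outside_ip, mapped_port)] = (real_ip, real_port)

    def inbound(self, proto, dst_ip, dst_port):
        """New connection arriving on outside: translated only if a static entry
        matches; otherwise there is no xlate and the connection is dropped."""
        return self.static_pat.get((proto, dst_ip, dst_port))

    def outbound(self, src_ip):
        """New inside->outside connection (nat (inside) 1 0.0.0.0 0.0.0.0): reuse the
        host's existing xlate, else take the next free pool address. With no interface
        PAT fallback configured, an exhausted pool means the connection fails."""
        if src_ip in self.dynamic:
            return self.dynamic[src_ip]
        if not self.free:
            return None
        self.dynamic[src_ip] = self.free.pop(0)
        return self.dynamic[src_ip]

    def release(self, src_ip):
        """Xlate timeout: hand the global address back to the pool."""
        if src_ip in self.dynamic:
            self.free.append(self.dynamic.pop(src_ip))

def acl_permits(proto, dst_ip, dst_port, outside_ip=OUTSIDE_IF_IP):
    """access-list outside_access_in extended permit tcp any interface outside eq ftp"""
    return proto == "tcp" and dst_ip == outside_ip and dst_port == 21

def build_from_post():
    """The ASA as configured by the CLI lines in the post."""
    asa = AsaNatModel(OUTSIDE_IF_IP, "10.142.188.50", "10.142.188.100")
    asa.add_static_pat("tcp", 21, FTP_SERVER, 21)
    return asa

if __name__ == "__main__":
    asa = build_from_post()
    print("inbound ftp ->", asa.inbound("tcp", OUTSIDE_IF_IP, 21))
    print("first outbound host ->", asa.outbound("192.168.1.20"))
```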

Simple as that.

Let me know if you want me to clear any NAT and PAT issues with any specific scenarios.


HSRP Configuration using Four Cisco 3750 Switches

Hot Standby Router Protocol (HSRP) is a Cisco technology to implement router redundancy using Layer 3 switches or routers.

The basic idea of HSRP is that it lets a virtual IP be hosted and shared by two different hardware units. I deployed a solution using 4 Cisco 3750 StackWise switches for a client. They had two 3750 switches at the core of their network, connected into a single virtual unit using StackWise technology, which increases the resilience of the core network to some extent. My solution added another pair of 3750 switches to the cluster, creating a complete HSRP cluster while increasing reliability and extending the number of ports per VLAN.

Below is the solution design diagram I put together for the client.

HSRP Solution

How to implement HSRP using Cisco 3750.

To enable HSRP on an interface use the following command:

(config-if)# standby <group-number> ip <virtual-ip-address>

To use HSRP in an organized manner it is advisable to use HSRP groups, especially if you are using HSRP clustering.

The client’s network consisted of 7 VLANs, and each VLAN’s default gateway address was set to one of the 7 HSRP virtual router addresses. Furthermore, HSRP can implement load sharing by using the priority to select which physical unit takes ownership (active router) of each virtual router in normal operation (MHSRP). The HSRP priority is between 1 and 255; the router interface with the highest priority in an HSRP group becomes the active router, which holds the virtual router process.

Don’t forget to set preempt, so that when an active router recovers from a failure it automatically becomes the active router for that HSRP group again, keeping the load sharing in place in normal operation.

Below is a complete interface configuration in order to implement HSRP.

Switch# configure terminal
(config)# interface vlan 1
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# standby 1 ip 192.168.0.254
(config-if)# standby 1 priority 110
(config-if)# standby 1 preempt
(config-if)# standby 1 authentication word
(config-if)# standby 1 timers 5 15
(config-if)# standby 1 name VR_VLAN1

The timers set the advertisement (heartbeat) interval between interfaces participating in the HSRP group, and authentication keeps unauthorized routing interfaces from participating in the HSRP group.

After configuring all of the interfaces in a cluster with the HSRP settings, enable cluster HSRP using the command below.

(config)# cluster standby-group VR_VLAN1 routing-redundancy

I would like to add another note on HSRP which I learned through this project. If you have an ACL applied to a VLAN or any interface on which you are implementing HSRP, make sure you add the following line to your ACL. This allows the HSRP multicast packets between participating interfaces.

permit udp any eq 1985 host 224.0.0.2 eq 1985
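To see what that ACL entry actually lets through, here is an added Python example (not from the post) that builds and decodes the 20-byte HSRP version 1 message carried in UDP port 1985 to 224.0.0.2 and checks each decoded message against the VLAN 1 settings above (group 1, priority 110, virtual IP 192.168.0.254, authentication word, timers 5 15). It is a monitoring aid, since the authentication string travels in plaintext: a hello with a different authentication string, the wrong virtual IP or a higher priority than your intended active router is something to investigate. The sample messages are constructed.

```python
import ipaddress
import struct

# HSRP version 1 message (RFC 2281): version, opcode, state, hellotime, holdtime,
# priority, group, reserved, 8-byte plaintext authentication data, 4-byte virtual IP.
HSRP_FMT = "!BBBBBBBB8s4s"
OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}

def build_hsrp(group, priority, virtual_ip, auth="cisco", hello=3, hold=10, opcode=0, state=16):
    """Construct an HSRP v1 message; the defaults are the protocol defaults."""
    auth_bytes = auth.encode("ascii")[:8].ljust(8, b"\x00")
    return struct.pack(HSRP_FMT, 0, opcode, state, hello, hold, priority, group, 0,
                       auth_bytes, ipaddress.IPv4Address(virtual_ip).packed)

def parse_hsrp(payload):
    """Decode the fixed 20-byte HSRP v1 header from a UDP payload."""
    size = struct.calcsize(HSRP_FMT)
    if len(payload) < size:
        raise ValueError("HSRP payload too short: %d bytes" % len(payload))
    (version, opcode, state, hello, hold, priority, group,
     _reserved, auth, vip) = struct.unpack(HSRP_FMT, payload[:size])
    return {
        "version": version,
        "opcode": OPCODES.get(opcode, "Unknown(%d)" % opcode),
        "state": STATES.get(state, "Unknown(%d)" % state),
        "hello": hello, "hold": hold, "priority": priority, "group": group,
        "auth": auth.rstrip(b"\x00").decode("ascii", "replace"),
        "virtual_ip": str(ipaddress.IPv4Address(vip)),
    }

# What the VLAN 1 configuration in the post advertises: group 1, priority 110 on the
# intended active router, virtual IP 192.168.0.254, authentication 'word', timers 5 15.
EXPECTED = {1: {"virtual_ip": "192.168.0.254", "auth": "word", "hello": 5, "hold": 15,
                "max_priority": 110}}

def check_hsrp(msg, expected=EXPECTED):
    """Findings for one decoded message against the intended configuration."""
    cfg = expected.get(msg["group"])
    if cfg is None:
        return ["unexpected HSRP group %d" % msg["group"]]
    findings = []
    if msg["auth"] != cfg["auth"]:
        findings.append("authentication string does not match")
    if msg["virtual_ip"] != cfg["virtual_ip"]:
        findings.append("virtual IP %s is not the configured gateway" % msg["virtual_ip"])
    if (msg["hello"], msg["hold"]) != (cfg["hello"], cfg["hold"]):
        findings.append("timers %d/%d differ from configured %d/%d"
                        % (msg["hello"], msg["hold"], cfg["hello"], cfg["hold"]))
    if msg["priority"] > cfg["max_priority"]:
        findings.append("priority %d exceeds the intended active router's %d"
                        % (msg["priority"], cfg["max_priority"]))
    return findings

if __name__ == "__main__":
    # Constructed samples: the expected active router, and a message that matches nothing.
    for raw in (build_hsrp(1, 110, "192.168.0.254", "word", 5, 15),
                build_hsrp(1, 255, "192.168.0.254")):
        msg = parse_hsrp(raw)
        print(msg["opcode"], msg["state"], "group", msg["group"], check_hsrp(msg) or "OK")
```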

 

All in all it was a good project. I learned a lot, and it is always good to brush up on switch solutions and implementations. Cisco is not just routers and ISRs :) .


Configure an Access Server using Cisco 2500 router

I am starting to set up my lab now. First things first, I want to connect all of my Cisco gear through an access server. It is pretty easy to do.

I am using a Cisco 2510 router with IOS 12.2 and an octal cable (8 serial ports).

First of all you need to configure a loopback interface as your internal IP address.

interface lo 0
 ip address 10.0.0.1 255.255.255.0

 

Next is setting up the console and vty lines on the router.

line con 0
line 1 9
 session-timeout 20
 no exec
 exec-timeout 10
 transport input all

 

After you set the lines you can start adding hosts into your configuration.

ip host Router1 2001 10.0.0.1
 

In the ip host command, port 2001 maps to cable number 1: the reverse telnet port is 2000 plus the line number.

 

Now you are ready to proceed. Save the config and from the Access Server console you are ready to access any of the hosts mapped.

Just use the host name you gave in the ip host command (e.g. Router1). To move between sessions press Ctrl+Shift+6, then release and press x.


My new consulting firm and new lab.

The past few months have been really busy. As you may already know, I have started my own consulting company, NCX Consulting (www.ncx.com.au). It is a lot of work to own and run your own business from the ground up.

The really good news out of all of this is that I was finally able to spend some hard-earned cash on building my own lab. So from now on I am going to put lots of lab projects on here, which I have been doing in my free time as well as in my consulting work.

I am doing lots of lab work for my CCNP studies, so I hope these labs will help anyone out there who is doing CCNP or like to know how to do crazy routing protocol stuff.

Stay tuned. :)


Netbook is the new best thing in IT

I bought myself a Lenovo S10 netbook the other day and I am loving it. It is perfect for my busy IT life (even though these days it has been a bit quiet with changing my role and all).

Anyway, it is the best tool to blog from… start the movement, get yourself a new netbook and join the frontier.


Cloud Computing

Cloud computing is not new tech at all, but my thinking is about a new way of doing it. Can you call a VPN link between the client sites and the ASP datacenter network cloud computing?
I am open to ideas on how to do this with minimal investment and change. It would also be a plus to make it user friendly while making it less complicated to implement.


iPhone OS 3.0

Just stumbled across this article on the iPhone OS 3.0 Beta hands-on. The update looks promising, especially since the cut and paste function is there; man, that is a big step for Apple. It also looks like it has MMS; even though I never found that to be a big issue, it is good to have, I guess. Beside those main features nothing much has changed. Searching has improved as well, but it’s not like you are going to get lost in your phone looking for stuff lol.

The email search function might come in handy though. Let’s see what will actually be included in the update when the final version comes out.

-Lal Antony


Windows 7 is great

I have been using Windows 7 for the past 3 months and loving it. I feel like it is the OS that should have come instead of Vista; basically Microsoft jumped the gun with Vista.
I should also note that during the time I have been using Windows 7 I have not had any major crashes. I wish I could have said that about the Vista trial I did a while back.
But I must say not a lot has changed from Vista on Windows 7 beside some GUI upgrades, which do add some much needed user friendliness to the OS though.
I will be posting a full review down the track. Stay tuned….


Air Show Melbourne 2009

It is great here; the 2009 Air Show is better and much more popular than 2007. I will be putting some crazy pics on here soon. Keep tuned.

The F18 and C17 were the best of all that were in the show. The sound, and being able to get so close to a plane, is awesome.

The funniest part was people taking cover under planes when it was raining; you have to see the pics lol.

http://www.airshow.net.au/avalon2009/index.html

– Lal Antony


New tool from WordPress

New tool from WordPress for Bloggers. http://iphone.wordpress.org/

Now it is as easy as ABC to blog from the iPhone itself. No more third-party tools. :)

Gears of War 2 xbox gaming night tonight looking forward to kicking some asses.


Working on a product website

It’s Saturday and I’m working on a website for the company. FITPro is our new product, which will launch us into the small to medium business IT facilitator role in no time. It is an IT admin platform which can do everything an admin wants to do, remotely and in a mainly automated manner. Anyway, let’s see how things turn out.

Please check it out in a while. I think the website will be up soon. Http://fitpro.fit.biz/

– Post From My iPhone


My first blog post from my iphone

Hi All,

I’m on LinkedIn now. So please come and say hi and join my network.

It has been so busy again and blogging has again gone down to the last in my list of things to do. But now I just got this iPhone app so I can keep up with it more.

Look for many blog posts soon all. Have a good weekend.

– Post From My iPhone


Second try from my iphone

Hi all,
To speed things up I am now using my iPhone to blog. Let’s see how that will make things fit into my schedule.

– Post From My iPhone


Its a lovely sunny Monday in Melbourne

Back in the office from a client, Flemington race grounds. My first time there, so it was nice to go around the race course in my car :)

This week is the start of being back in Melbourne after my 6-month Gold Coast chapter. I did some exciting projects in GC.

  • Disaster Recovery project using EMC Clarion 20c platform.
  • Citrix farm upgrade from 4.0 to 4.5
  • Server consolidation project using Virtualization. (VI 3)
  • VPN backup link using Cisco 877
  • Microsoft license renewal.

It has been a busy few months. But I’m glad to be back in Melbourne, where all the action is bound to happen in 2009.

 

I am getting into this blogging thing. Will be adding actual technical stuff soon.


First Blog Day

Almost 5 o’clock on a Friday… Beer time now :)

Been a busy week. I will try to put an update over the weekend about my first week back in Melbourne after 6 months in Gold Coast.


Hello world!

Welcome to my personal blog on IT & T in Australia!

This blog covers:

  • Technologies in IT & T
  • Latest in Virtualization Tech
  • Latest in Cisco Tech and CCNP
  • My Daily Project Work as a IT Consultant
  • Latest in Project Management
  • Insight in to IT in Australia: News, Views and Thinking…
