Alcatel OmniSwitch

Alcatel OmniSwitch. Boot Camp Labs Edoardo Berera April 2005.

Presentation Transcript


  1. Alcatel OmniSwitch Boot Camp Labs Edoardo Berera April 2005

  2. CMM Boot Sequence - Lab 2 CLI
     • Boot and connect a PC
       • Console RS232 port
       • Ethernet Management Port (EMP): requires cross-over cable, requires authentication (see lab 3)
     • Use MiniBoot
       • locate and move jumper
       • change default IP @ for EMP
     • Check running, working and certified configuration versions
     Command Line Interface (CLI):
     • reload
     • MiniBoot
       • spacebar, then Y to break boot process
       • jumper needed on Chassis Management Module (CMM)
       • ? to view commands
       • change parameters: default IP @ for EMP, serial port settings, default password
       • @ to continue
     • Running, Working and Certified configuration versions
       • Working and Certified directories
       • show running-directory
       • reload working no rollback-timeout
     [Diagram: switch with RS232 and EMP connections]

  3. Enable Remote Access - Lab 3 CLI / WebView
     • Enable remote access
     • use local database to check login
     • use WebView over a secure connection
     CLI:
     • modify boot parameters
       • ?
       • boot empipaddress 10.1.1.1
       • boot empnetmask ffffff00
       • show
       • commit system | file (running system | NVRAM)
       • exit
     • show http
     • [no] http server
     • aaa authenticate default local (default | http | telnet | …)
     • [no] http ssl
     WebView:
     • https://10.1.1.1
     [Diagram: switch with RS232 and EMP connections; addresses 10.1.1.1 and 10.1.1.10; label "local"]

  4. Hardware Overview - Lab 1 and 5 CLI / Lab 1 WebView
     • Check hardware, microcode, interface info
     • test failover between primary and secondary CMM
     CLI:
     • show hardware info
     • show microcode [history]
     • show chassis|cmm|ni|power supply|…
     • [no] power ni [slot #]
     • interface slot/port speed […]|…
     • reload primary|secondary|ni [slot #]
     • takeover
     • copy flash-synchro (sync cert primary to sec; working and certified directories)
     WebView:
     • Physical group, Chassis Mgmt, Configuration menu: Hardware Modules Network Interfaces Ethernet Interface Configuration
     [Diagram: switch with RS232, ENI, GNI, EMP, primary and secondary CMM; CATALINA net interfaces, CORONADO classifier, NANTUCKET switching fabric; CMM with flash memory, SPARC processor, SDRAM memory]

  5. Operating System - Lab 4 CLI / Lab 2 WebView
     • Create VLANs
     • create a configuration snapshot
     • navigate directories
     • copy files
     CLI:
     • show vlan
     • vlan 2
     • running configuration
     • configuration snapshot all snap1 (ASCII file snap1.txt; all | vlan | ...)
     • write memory, or copy running-config working (writes to working/boot.cfg)
     • copy working certified (only if config known to be good!)
     • configuration snapshot ?
     • configuration apply snap1
     WebView:
     • System group, System Mgmt, Snapshot
     • Save Config, then Apply
     [Diagram: switch with RS232 and EMP connections; VLAN 1, VLAN 2, VLAN 3, VLAN 4]

  6. Installing and Upgrading Code - Lab 6 CLI / Lab 4 WebView
     • Register and View Images
     • Install and upgrade code
       • upgrade should be performed first in the Working directory
       • then, once the configuration has been verified, copy Working to Certified: copy working certified
     • Copy .img files to working directory and install
     CLI:
     • show microcode [history]
     • rz (with zmodem)
     • ftp (is preferred), over EMP or NI
     • MiniBoot if necessary (see manual)
     • install *.img
     WebView:
     • System group, System Mgmt, Configuration menu
     • Loaded Images
     • Images in Certified|Working
     • Install, then Y, Add [all] and Apply
     [Diagram: switch with RS232, EMP and NI connections]

  7. Switch Security - Lab 7 CLI / Lab 4 WebView
     • Test ASA (Authenticated Switch Access)
     • Users: admin, default, new users
     • Privileges: read-only, read-write
     • Partition Management: domains
     • End User Profiles
     • Password Expiration
     • default account cannot be used to log in; its privileges are applied to new users
     CLI:
     • show user
     • user user1 password pass1
     • user user1 read-only all | domain-layer2 | …
     • end-user profile profile1 read-write all
     • user user1 end-user-profile profile1
     • user user1 expiration 5
     • [no] aaa authentication telnet
     WebView:
     • Security group, ASA, Local User DB
     • View & Modify Family Privileges
     [Diagram: switch with RS232 and EMP connections]

  8. VLANs - Lab 8 CLI / Lab 5 WebView
     • Port type: default (static), mobile
     • Group Mobility Rules
     CLI:
     • show vlan [#]
     • show vlan [#] port [slot/port]
     • vlan 1 router ip @
     • vlan 2
     • show vlan router ip
     • vlan 2 port default slot/port (static association)
     • vlan port mobile slot/port (needs a traffic matching rule)
     • show vlan rules
     • vlan 2 ip 192.168.11.0 255.255.255.0
     • show mac-address-table [slot #] (will show the mac @ the switch has learned)
     WebView:
     • Layer 2 group, VLAN Mgmt, Configuration menu, Vlan Config
     [Diagram: switch/router with RS232 and EMP; VLAN 1 192.168.10.0 / 24 with 192.168.10.1 and 192.168.10.101; VLAN 2 192.168.11.0 / 24 with 192.168.11.1 and 192.168.11.102]

  9. Spanning Tree - Lab 9 CLI / Lab 6 WebView
     • Spanning Tree Protocol, 802.1d
     • Multiple Spanning Tree, mode 1X1
     • Single Spanning Tree, mode flat
     • Fast Spanning Tree, 802.1w
     CLI:
     • show spantree 1
     • show spantree ports [forward|blocking]
     • vlan 1 stp on|off
     • show spantree 2 [ports]
     • bridge mode flat | 1X1 (single | multiple spanning tree)
     • bridge 1 protocol 1w
     • Next Best Root Cost and Port
     • Root Port
     WebView:
     • Layer 2 group, Spanning Tree, Configuration menu
     • Bridge Parameters
     • Statistics -- Port Statistics
     [Diagram: two switches, each with RS232 and EMP, connected over VLAN 1 (VID 1) and VLAN 2 (VID 2)]

  10. Link Aggregation/LACP - Lab 10 & 11 CLI / Lab 7 WebView
      • Static - OmniChannel
      • Dynamic - LACP
      CLI:
      • static linkagg 5 size 2
      • static agg slot/port agg num 5 (twice, size 2)
      • show linkagg port
      • lacp linkagg 5 size 2
      • lacp agg slot/port actor admin key 0 (twice, size 2)
      • show mac [slot #]
      WebView:
      • Layer 2 group, Link Aggregation, Configuration menu, Static
      [Diagram: two switches, each with RS232 and EMP, connected over VLAN 1 (VID 1) and VLAN 2 (VID 2)]

  11. 802.1q Tagging - Lab 11 CLI / Lab 7 WebView
      • Additional commands to
        • allow a port to only receive tagged frames
        • keep or replace tagged info on egress
      CLI:
      • vlan n 802.1q slot/port (for each vlan; slot/port of physical connection)
      WebView:
      • Layer 2 group, System Mgmt, Configuration menu, Port Tagging
      [Diagram: Switch 1 and Switch 2, each a router with RS232 and EMP; VLAN 1 192.168.10.1 / 192.168.10.2; VLAN 2 192.168.11.1 / 192.168.11.2; VLAN 3 192.168.12.1 / 192.168.12.2]

  12. Network Security / AVLAN - Lab 12 CLI
      • Authenticated VLANs: Telnet, HTTP, AVSS Client
      CLI:
      • vlan 99 router ip 192.168.11.1
      • vlan 2 router ip 192.168.12.1
      • vlan port mobile slot/port
      • vlan port slot/port authenticate enable
      • vlan 2 authentication enable
      • aaa radius-server rad1 host 192.168.11.100 key alcatel
      • aaa authentication vlan single-mode rad1 (a single RADIUS server for all authenticated VLANs)
      • telnet 192.168.12.253 259 (special address and port used for telnet authentication)
        • username user2 password user2
      • https://192.168.253
        • username user2 password user2
      • AVSS Client: install, or just enable and login
      [Diagram: RADIUS server 192.168.11.100 on VLAN 99 (192.168.11.1); switch/router with RS232 and EMP; VLAN 2 at 192.168.12.1; client 192.168.12.100 shown in VLAN 2 and VLAN 1, labelled "Before authentication" and "After authentication"]

  13. Network Security / Binding VLAN - Lab 12 CLI / Lab 8 WebView
      • Binding VLANs
      CLI:
      • vlan 2 binding ip-port 192.168.11.200 slot/port
      • show vlan rule
      • vlan port mobile slot/port
      • ping will fail
      • show vlan 2 port (no ports associated)
      • vlan 2 no binding ip-port 192.168.11.200
      • disconnect and reconnect PC to break connection
      • vlan 2 binding ip-port 192.168.11.100 slot/port
      • ping will succeed
      • vlan 2 binding ? (to see a list of possible bind rules)
      WebView:
      • Layer 2 group / ..., Configuration menu, Binding Rules, Port-IP
      [Diagram: switch/router with RS232 and EMP; VLAN 2 at 192.168.11.1; client 192.168.11.100 shown in VLAN 2 and VLAN 1, labelled "Before authentication" and "After authentication"]

  14. 802.1x - Lab 13 CLI
      • Test 802.1x authentication using a RADIUS server
      • configure switch
      • configure Win-XP client
      • Login as test8021x/test8021x
      CLI:
      • vlan port mobile port/slot
      • vlan port/slot 802.1x enable
      • aaa authentication 802.1x open-unique rad1
        • open-global, any device
        • open-unique, only authorized PC
      • login: test8021x/test8021x
      • show 802.1x (Unauthorized/authorized)
      • Configure Windows XP 802.1x client: see page
      [Diagram: RADIUS server 192.168.11.100 on VLAN 99 (192.168.11.1); switch/router with RS232 and EMP; client on VLAN 1, Authorized/Unauthorized]

  15. Basic Routing RIP - Lab 14 CLI
      • Test basic routing using RIP
      • load and enable RIP
      • configure and enable interfaces
      • redistribute local routes using a redistribution filter and enable
      • show routing tables before and after redistribution
      CLI:
      • create necessary IP VLANs
      • show ip route | routes local
      • show ip rip [interface]
      • ip load rip
      • ip rip status enable
      • ip rip interface 192.168.10.1 status enable
      • ip rip interface 192.168.10.2 status enable
      • ip rip redist local
      • ip rip redist-filter local 0.0.0.0 0.0.0.0
      • ip rip redist status enable
      • show ip router database
      [Diagram: Switch 1 (.1) and Switch 2 (.2), each a router with RS232 and EMP, joined by VLAN 1 192.168.10.0 / 24; VLAN 2 192.168.11.0 / 24 (.1) and VLAN 3 192.168.12.0 / 24 (.1)]

  16. Access Control Lists (ACL) - Lab 15 CLI
      • Filter all traffic between two PCs
      • create policy condition, action and rule
      CLI:
      • show policy condition | action | rule
      • qos enable | apply
      • policy condition con1 source ip 192.168.10.100 dest ip 192.168.11.100
      • policy action act1 disposition drop
      • policy rule rul1 condition con1 action act1 enable
      • show policy classify l3 source ip 192.168.10.100 dest ip 192.168.11.100 (to test before applying)
      • show qos config
      [Diagram: Switch 1 (router) with RS232 and EMP; VLAN 1 192.168.10.0 / 24 with .1 and host .100; VLAN 2 192.168.11.0 / 24 with .1 and host .100]

  17. Server Load Balancing - Lab 17 CLI
      • Configure server load balancing
      • create a cluster
      • configure Windows 2000 servers with virtual IP addresses
      • create a rule to do load balancing
      • test
      CLI:
      • ip slb admin enable
      • ip slb cluster WorldWideWeb vip 192.168.10.250
      • ip slb server ip 192.168.10.101 cluster WorldWideWeb
      • ip slb server ip 192.168.10.102 cluster WorldWideWeb
      • show ip slb [servers | cluster]
      • show ip slb cluster WorldWideWeb server 192.168.10.101
      • qos enable
      • policy condition slb_c destination 192.168.10.250
      • policy action slb_a load balance group WorldWideWeb
      • policy rule slb_r condition slb_c action slb_a
      • qos apply
      • show applied policy rule slb_r
      Windows 2000 Server:
      • configure Virtual IP address to MS Loopback Adapter
      [Diagram: WorldWideWeb cluster with SVR 1 (.101) and SVR 2 (.102), Virtual IP .250, on VLAN 1 192.168.10.0 / 24 with client .10 and router .1; switch/router with RS232 and EMP; VLAN 2 192.168.11.0 / 24 with router .1 and client .10]

  18. Troubleshooting and Debugging - Lab 18 CLI
      • Change process severity level
      • Analyze switch logs
      • Configure Port Mirroring
      • Use Health feature
      • Configure RMON
      • Monitor system memory
      • View a Post Mortem Dump
      CLI:
      • [no] swlog [output console]
      • show swlog
      • show log swlog (to view swlog1.log file in flash memory)
      • swlog appid ip level 7 (severity level of 7 or debug1 for IP application)
      • ping and view log (ARP messages)
      • test Telnet and FTP
      • port mirror 1 source slot/port destination slot/port
      • connect a traffic analyzer
      • show port mirror status 1
      • health ?
      • show health [slot/port]
      • rmon probes type enable | disable
      • show rmon probes
      • show rmon events
      • debug memory monitor enable | disable
      • debug memory monitor show log
      • show log pmd filename
      [Diagram: switch/router with RS232 and EMP; VLAN 1]

  19. Secure Shell - Lab 19 CLI
      • Log in remotely to an OmniSwitch using a secure mechanism
      CLI:
      • ssh 192.168.10.2
      • login as admin/switch
      • who
      • whoami
      • sftp 192.168.10.2
      [Diagram: Switch 1 (.1) and Switch 2 (.2), each a router with RS232 and EMP, joined by VLAN 1 192.168.10.0 / 24]

  20. Learned Port Security (LPS) - Lab 20 CLI
      • Test Learned Port Security
      CLI:
      • port-security slot/port enable
      • show port-security (MAC address dynamically learned)
      • trying to connect another PC will fail
      [Diagram: switch/router (.1) with RS232 and EMP; VLAN 1 192.168.10.0 / 24 with host .100]

  21. RIP / RIP2 - Lab 21 CLI (Part 1)
      • Load, enable RIP
      • RIP Updates using V1, V2
      CLI:
      • Load and enable RIP
        • ip load rip
        • ip rip status enable
        • ip rip interface 192.168.10.1 status enable
        • repeat appropriately for each switch
        • show ip route
        • ip rip redist local
        • ip rip redist-filter local 0.0.0.0 0.0.0.0
        • ip rip redist status enable
        • show ip rip interface
        • to advertise RIP updates
        • show ip rip peer
        • show ip rip routes
        • show ip router database
      • RIP Updates using v1 and v2
        • ip rip interface 192.168.10.1 recv-version v1
        • bad packets
        • ip rip status disable to flush and then enable
        • no route updates, bad packets
        • reconfigure to receive v2 and check
      [Diagram: Switch 1 (.1), Switch 2 (.2) and Switch 3 (.3), each a router with RS232 and EMP, on VLAN 1 192.168.10.0]

  22. RIP / RIP2 - Lab 21 CLI (Part 2)
      • RIP Redistribution
      • Metrics
      • RIP Authentication - Simple
      CLI:
      • RIP Redistribution
        • ping between sw2 and sw3 using VLAN 102
        • show ip route (no routes to remote nets on sw3)
        • ip rip interface 192.168.102.2 status enable (sw2)
        • ip rip interface 192.168.102.3 status enable (sw3)
        • show ip rip peer
        • show ip route (net 192.168.101.0 should show up on sw3)
      • Metrics
        • show ip router database (metric of 2 on sw1 for 192.168.102.0)
        • ip rip interface 192.168.10.1 metric 5
      • RIP Authentication - Simple
        • ip rip interface 192.168.10.3 auth-type simple
        • ip rip interface 192.168.10.3 auth-key alcatel
        • routes will be removed after their aging period
        • show ip rip peer (bad packets from sw2)
        • configure sw2 for simple authentication
        • now should receive valid RIP updates
      [Diagram: Switch 1 (.1), Switch 2 (.2) and Switch 3 (.3), each a router with RS232 and EMP, on VLAN 1 192.168.10.0; VLAN 102 192.168.102.0 between Switch 2 (.2) and Switch 3 (.3); VLAN 101 192.168.101.0 (.1); VLAN 103 192.168.103.0 (.1)]

  23. OSPF Backbone - Lab 22 CLI
      • Configure OSPF Backbone Area
      • Determine DR, BDR
      • Test Hello and Dead intervals
      CLI:
      • Router ID
        • ip router router-id 192.168.10.X (for ea. switch)
      • Load, enable ospf and create backbone area (on ea. sw. ?)
        • ip load ospf
        • ip ospf status enable
        • ip ospf area 0.0.0.0
        • ip ospf area 0.0.0.0 status enable
      • Create and enable OSPF interfaces
        • ip ospf interface 192.168.10.X
        • ip ospf interface 192.168.10.X status enable
      • Associate interfaces to backbone area
        • ip ospf interface 192.168.10.X area 0.0.0.0
        • show ip route
        • show ip ospf route / show ip ospf lsdb
        • show ip ospf neighbor / show ip ospf interface
        • show ip ospf area 0.0.0.0
      • Determine the current DR and lower its priority
        • ip ospf interface 192.168.10.x priority 0
      • Test Hello and Dead intervals (default is 10)
        • ip ospf interface 192.168.10.x hello-interval x
        • check that communication is lost
      [Diagram: Switch 1 (.1), Switch 2 (.2) and Switch 3 (.3), each a router with RS232 and EMP, on VLAN 1 192.168.10.0, Backbone Area 0.0.0.0]

  24. OSPF Areas - Lab 23 CLI
      • Configure OSPF Areas
      CLI:
      • ip ospf area x.x.x.x
      • ip ospf area x.x.x.x status enable
      • ip ospf interface x.x.x.x
      • ip ospf interface x.x.x.x status enable
      • ip ospf interface x.x.x.x area x.x.x.x
      • show ip route
      • show ip ospf route
      • show ip ospf lsdb
      • show ip router database
      [Diagram: Switch 1 (.1), Switch 2 (.2) and Switch 3 (.3), each a router with RS232 and EMP, on VLAN 1 192.168.10.0, Backbone Area 0.0.0.0; VLAN 1111 1.1.1.0 area 1.1.1.1 (.1); VLAN 2222 2.2.2.0 area 2.2.2.2 (.2); VLAN 3333 3.3.3.0 area 3.3.3.3 (.3)]

  25. OSPF Redistribution - Lab 24 CLI
      • Redistribute Local Routes
      • Change Costs
      • Redistribute Static Routes
      CLI:
      • Switch 3 is an AS Border Router
        • ip ospf asbr
        • ip ospf redist status enable
        • ip ospf redist local
        • ip ospf redist-filter local 192.168.11.0 255.255.255.0
        • should now be visible on other switches
        • show ip ospf routes (AS External route)
      • Change metric to 5 for this route
        • no ip ospf asbr
        • ip ospf redist-filter local 192.168.11.0 255.255.255.0 metric 5
        • ip ospf asbr
        • should now be visible on other switches
      • Redistribute Static Routes
        • Configure static route 11.11.11.0/24 on switch 1
        • ip static-route 11.11.11.0 255.255.255.0 gateway 192.168.10.1
        • ...
        • ip ospf redist static
        • ip ospf redist-filter static 11.11.11.0 255.255.255.0
        • should now be visible on other switches
      [Diagram: Switch 1 (.1), Switch 2 (.2) and Switch 3 (.3), each a router with RS232 and EMP, on VLAN 1 192.168.10.0, Backbone Area 0.0.0.0; VLAN 3 192.168.11.0 on Switch 3 (.3); VLAN 1111 1.1.1.0 area 1.1.1.1 (.1); VLAN 2222 2.2.2.0 area 2.2.2.2 (.2); VLAN 3333 3.3.3.0 area 3.3.3.3 (.3)]

  26. OSPF Authentication - Lab 25 CLI
      • Security Configurations
        • Simple Password
        • MD5
      • Debugging
      CLI:
      • Configure simple password
        • On each switch
        • ip ospf interface 192.168.10.X auth-type simple
        • ip ospf debug-type auth
        • ip ospf debug-level 99
        • should see errors because no password
        • ip ospf interface 192.168.10.X auth-key alcatel
        • stop seeing errors
        • no ip ospf debug-type auth
        • ip ospf debug-level 0
      • Configuring MD5
        • requires key number and key string
        • ip ospf interface 192.168.10.X auth-type md5
        • ip ospf interface 192.168.10.X md5 7
        • ip ospf interface 192.168.10.X md5 7 key alcatel
      [Diagram: Switch 1 (.1), Switch 2 (.2) and Switch 3 (.3), each a router with RS232 and EMP, on VLAN 1 192.168.10.0, Backbone Area 0.0.0.0; VLAN 3 192.168.11.0 on Switch 3 (.3); VLAN 1111 1.1.1.0 area 1.1.1.1 (.1); VLAN 2222 2.2.2.0 area 2.2.2.2 (.2); VLAN 3333 3.3.3.0 area 3.3.3.3 (.3)]

  27. OSPF Stub Area - Lab 26 CLI
      • Configure Stub Area
      CLI:
      • Configure sw3 VLAN and area 2.2.2.2 with router-id 192.168.10.3
      • Configure switch 2 as ASBR
        • ip ospf asbr
        • ip ospf redist status enable
        • ip ospf redist local
        • ip ospf redist-filter local 2.2.4.0 255.255.255.0
        • 2.2.4.0 should appear on sw1 and sw3 as AS-Ext route
      • Configure Stub Area
        • ip ospf area 2.2.2.2 type stub (on both sw2 and sw3)
        • 2.2.4.0 should no longer appear on sw3
      • Configure static route on sw3
        • ip static-route 0.0.0.0 gateway 2.2.2.2
      [Diagram: Switch 2 (ASBR, .2) with VLAN 2242 2.2.4.0; VLAN 2222 2.2.2.0 stub area 2.2.2.2 between Switch 2 (.2) and Switch 3 (.3); VLAN 1 192.168.10.0 Backbone Area 0.0.0.0 with Switch 1 (.1) and Switch 2 (.2); VLAN 1111 1.1.1.0 area 1.1.1.1 (.1); each switch a router with RS232 and EMP]

  28. OSPF Virtual Link - Lab 27 CLI
      • Create a Virtual Link
      CLI:
      • Set the switch 3 router-id to 192.168.10.3
      • When creating area 3.3.3.3, switch may prompt to create a backbone area first
      • Area 3.3.3.3 is not present on sw2 (or seen on sw1)
      • ip ospf virtual-link 2.2.2.2 192.168.10.2 (on sw3)
      • ip ospf virtual-link 2.2.2.2 192.168.10.3 (on sw2)
      • creates a virtual link using area 2.2.2.2 as transit area and the router-id of the neighboring switch as the identifier
      • show ospf virtual-link
      • Check the routing tables for the other switches: area 3.3.3.3 should now be seen
      [Diagram: VLAN 2222 2.2.2.0 area 2.2.2.2 between Switch 2 (.2) and Switch 3 (.3); VLAN 1 192.168.10.0 Backbone Area 0.0.0.0 with Switch 1 (.1) and Switch 2 (.2); VLAN 3333 3.3.3.0 area 3.3.3.3 on Switch 3 (.3); VLAN 1111 1.1.1.0 area 1.1.1.1 (.1); each switch a router with RS232 and EMP]

  29. [Diagram: local switch/router with RS232 and EMP, AP, WLAN switches with RS232 and EMP, VLAN N]

  30. Wireless LANs

  31. System Setup / System Upgrade (Version 1)
      • Use CLI and Switch Web to do initial system config and upgrade
      • Startup Wizard
      • Commands
      CLI:
      • <ESC> for boot options: Primary image | Clear Config | ...
      • show ? (Switchconfig | interface summary | …)
      • clear ?
      Switch Web:
      • http://192.168.1.1, admin/admin
      • Configuration Wizard: System Info, Service Interface, Management Interface, Misc, Virtual Interface, WLAN Policy, RADIUS Server, 802.11
      • Commands: Download file
      • Monitor: Summary
      [Diagram: AAA Server (.10, RADIUS port 1812) and switch/router (.1) on Management Network Vlan0 (Vlan1) untagged 10.9.4.0 / 24; WLAN switches SW2 (.20, Virtual IP 1.1.1.2) ... SW7 (.70, Virtual IP 1.1.1.7), each with RS232, an AP, a Service Interface (SI) on 192.168.1.0 / 24 and Switch Web at 192.168.1.1; Mobility / RF Group Names training2 and training7]

  32. System Setup / System Upgrade (Version 2)
      • Use CLI and Switch Web to do initial system config and upgrade
      • Startup Wizard
      • Commands
      CLI:
      • <ESC> for boot options: Primary image | Clear Config | ...
      • show ? (Switchconfig | interface summary | …)
      • clear ?
      Switch Web:
      • http://192.168.1.1, admin/admin
      • Configuration Wizard: System Info, Service Interface, Management Interface, Misc, Virtual Interface, WLAN Policy, RADIUS Server, 802.11
      • Commands: Download file
      • Monitor: Summary
      [Diagram: AAA Server (.10, RADIUS port 1812) and RTR1 switch/router (.1; Port 1, Port 14, Port 24) on Management Network vlan0 10.9.4.0 / 24; WLAN switches SW2 (.20) ... SW7 (.70), each with RS232, Port 1, Virtual IP 1.1.1.1, an AP, a Service Interface (SI .2 / SI .7) on Port 6 in 192.168.1.0 / 24 and Switch Web at 192.168.1.1; Mobility / RF Group Names training2 and training7]

  33. System Setup (Version 3)
      • Use CLI and Switch Web to do initial system config and upgrade
      • Startup Wizard
      • Commands
      CLI:
      • <ESC> for boot options: Primary image | Clear Config | ...
      • show ? (Switchconfig | interface summary | …)
      • clear ?
      Switch Web:
      • http://192.168.1.1, admin/admin
      • Configuration Wizard: System Info, Service Interface, Management Interface, Misc, Virtual Interface, WLAN Policy, RADIUS Server, 802.11
      • Commands: Download file
      • Monitor: Summary
      [Diagram: Windows 2000 Server (.10; AAA Server with RADIUS port 1812, DHCP, AD, WCS) on Mgmt Net (vlan1) 10.9.4.0 / 24; RTR1 Catalyst 3550 switch/router (.1; Port 1, Port 14, Port 24) with ISLs to WLAN controllers SW2 (.20, Virtual IP 1.1.1.2) ... SW7 (.70, Virtual IP 1.1.1.7) on Mgmt Net (vlan0) 10.9.4.0 / 24, each with RS232, Port 1, an AP, a Service Interface (.2 / .7) on Port 6 in 192.168.1.0 / 24 and Switch Web at 192.168.1.1; Mobility / RF Group Names training2 and training7]

  34. Open Authentication (Version 1)
      • Test open authentication
      • create VLAN interface
      • create and configure WLAN
      • configure Windows-XP client
      Switch Web
      [Diagram: AAA Server (.10, RADIUS port 1812) and switch/router (.1) on Management Network vlan0 10.9.4.0 / 24; Open (Guest) Network vlan90 90.90.90.0 / 24; WLAN switches SW2 (.20) ... SW7, each with RS232, Virtual IP 1.1.1.1, an AP, a Service Interface (SI .2 / SI .7) on 192.168.1.0 / 24 and Switch Web at 192.168.1.1; Vlan90 WLAN 2 with SSID open2 and SSID open7; Mobility / RF Group Names training2 and training7]

  35. Open Authentication (Version 2)
      • Test open authentication
      • create VLAN interface
      • create and configure WLAN
      • configure Windows-XP client
      Switch Web
      [Diagram: AAA Server (.10, RADIUS port 1812), DHCP and RTR1 switch/router (.1; Port 1, Port 14, Port 24) on Management Network vlan0 10.9.4.0 / 24; Open (Guest) Network vlan90 90.90.90.0 / 24 (.1); WLAN switches SW2 (.20, .22) ... SW7 (.70, .72), each with RS232, Port 1, Virtual IP 1.1.1.1, an AP, a Service Interface (SI .2 / SI .7) on Port 6 in 192.168.1.0 / 24 and Switch Web at 192.168.1.1; Vlan90 WLAN 2 with SSID open2 and SSID open7; Mobility / RF Group Names training2 and training7]

  36. Open Authentication (Version 3)
      • Test open authentication
      • create VLAN interface
      • create and configure WLAN
      • configure Windows-XP client
      Switch Web:
      • SWITCH / Interfaces
      • WLANS
      CLI:
      • configure serial timeout 160
      • show serial
      • save configuration
      • debug dot11 management enable
      • debug dot11 state enable
      • show debug
      • debug disable-all ( d di)
      Windows-XP
      [Diagram: AAA Server (.10, RADIUS port 1812) and DHCP Server on Mgmt Net vlan0 10.9.4.0 / 24; switch/router (.1; Port 1, Port 14, Port 24) with ISLs; Open (Guest) Net vlan90 90.90.90.0 /24 (.1); WLAN switches at .20 ... .70 on Mgmt Net vlan0, each with RS232, Port 1, Virtual IP 1.1.1.1, an AP, a Service Interface (SI .2 / SI .7) on Port 6 in 192.168.1.0 / 24 and Switch Web at 192.168.1.1; Vlan90 interfaces .22 and .72 on Port 1; WLAN 2 with SSID open2 and SSID open7; clients .x and .y; Mobility / RF Group Names training2 and training7]

  37. Layer 3 Configuration (Version 1)
      • Learn how to “Prime” an AP for layer 3 deployment
      • Understand the different methods an Access Point can obtain an IP address
      • Configure high availability into the network
      CLI:
      • show ap summary
      • clear ap-config ap
      • config ap reset ap
      Switch Web (on SW2):
      • WIRELESS/Access Points/Airespace APs
        • Detail, Reset AP Now (button)
      • SWITCH/General/LWAPP Transport Mode
        • Layer 3, Apply, Save Configuration
      • COMMANDS/Reboot
      • SWITCH/Interfaces
        • configure AP-Manager interface
      • WIRELESS/Access Points/Airespace APs
        • Detail, Primary, Secondary switch
      • SWITCH/Master Switch Mode
        • only one Master switch
      • SWITCH/General
        • Disable Over The Air Provisioning of AP
        • Enable AP Fallback
        • RF Mobility Domain name: training23
      • SWITCH/Mobility Management/Mobility Groups
        • New member: SW3, Apply, Save Conf, ping
      [Diagram: SWn Master Mode; WLAN primary switch SW2 (.20) and WLAN secondary switch SW3 (.30) on Mgmt Net vlan0 10.9.4.0 / 24, each with RS232, Port 1, Virtual IP 1.1.1.1, a Service Interface (SI .2 / SI .3) on 192.168.1.0 / 24 and Switch Web at 192.168.1.1; ISLs to RTR1 switch/router (.1; Port 1, Port 13, Port 14, Port 15, Port 16); AAA Server (.10); APs at .192 and .193; L3 Mobility / RF Group Name training23]

  38. Layer 3 Configuration / Part 1 (Version 2)
      • Understand the different methods an Access Point can obtain an IP address
      • Learn how to “Prime” an AP for layer 3 deployment
      CLI:
      • show ap summary
      • clear ap-config ap
      • config ap reset ap
      Switch Web (on SW2):
      • WIRELESS/Access Points/Airespace APs
        • Detail, Reset AP Now (button)
      • SWITCH/General/LWAPP Transport Mode
        • Layer 3, Apply, Save Configuration
      • COMMANDS/Reboot
      • SWITCH/Interfaces
        • configure AP-Manager interface
      • WIRELESS/Access Points/Airespace APs
        • Detail, Primary, Secondary switch
      • SWITCH/Master Switch Mode
        • only one Master switch
      • SWITCH/General
        • Disable Over The Air Provisioning of AP
        • Enable AP Fallback
        • RF Mobility Domain name: training23
      • SWITCH/Mobility Management/Mobility Groups
        • New member: SW3, Apply, Save Conf, ping
      [Diagram: AAA Server (.10, RADIUS port 1812) and DHCP Server on Mgmt Net vlan0 10.9.4.0 / 24; switch/router (.1; Port 1, Port 14, Port 24) with ISLs; SWn Master Mode; WLAN primary switch SW2 (.20) and WLAN secondary switch SW3 (.30) on Mgmt Net vlan0, each with RS232, Port 1, Virtual IP 1.1.1.1, an AP, a Service Interface (SI .2 / SI .3) on Port 6 in 192.168.1.0 / 24 and Switch Web at 192.168.1.1; clients .x and .y; Mobility / RF Group Name training23]

  39. Layer 3 Configuration / Part 2 (Version 2)
      • Configure high availability into the network
      CLI:
      • start a console log APboot
      • config serial timeout 160, save
      • debug dhcp packet enable
      • debug lwapp packet enable
      • connect APs to ports 13 and 15
      Switch Web:
      • Check which switch the APs connected to
      • Stop logging
        • Is there any DHCP info?
        • Review the LWAPP trace
      • Compare with WLAN section
        • WLAN/…
        • WIRELESS/Global RF > Auto RF
      • Failover behavior
        • SWITCH/Ports
        • disable Port 1 Admin Status
        • watch AP’s LED and recovery
      • WIRELESS/Airespace APs
        • Set AP config back to factory defaults and disconnect
      • Add VLAN 20 and VLAN 30 Secure User Network
        • SWITCH/Interfaces
      [Diagram: Secure User Net vlan20 20.20.20.0 /24 (.2) and Secure User Net vlan20 30.30.30.0 /24 (.2); SWn Master Mode; WLAN primary switch SW2 (.20) and WLAN secondary switch SW3 (.30) on Mgmt Net vlan0 10.9.4.0 / 24, each with RS232, Port 1, Virtual IP 1.1.1.1, a Service Interface (SI .2 / SI .3) on 192.168.1.0 / 24 and Switch Web at 192.168.1.1; ISLs to RTR1 switch/router (.1; Port 1, Port 13, Port 14, Port 15, Port 16); AAA Server (.10); APs at .192 and .193; L3 Mobility / RF Group Name training23]

  40. Web Authentication Configuration
      • Test web authentication
      • create WLAN to support Web Auth subscriber
      • create a Local Net User
      • configure Windows-XP client and connect using the web browser
      Switch Web:
      • WLAN/New WLAN
        • SSID: webauthx
        • Interface Name: vlan90
        • L3 Security: Web Authentication
      • WLAN/Summary
        • Enable Admin Status webauthx
        • Disable Admin status openx
        • Apply, Save and Reboot
      • SECURITY/AAA/Local Net User
        • Username, psw, WLAN ID
      Windows-XP:
      • Wireless Networks/Preferred networks
        • remove openx
        • add webauthx
        • disable WEP for Web authentication to work
      Client Login:
      • http://1.1.1.x (https://1.1.1.x) (https://1.1.1.1)
      • Understand Security Alert
      • Login page, logout page
      • test correct and wrong passwords
      • count number of max wrong attempts
      • check SECURITY/AAA/User Login Policies
      [Diagram: AAA Server (.10, RADIUS port 1812) and DHCP Server on Mgmt Net vlan0 10.9.4.0 / 24; switch/router (.1; Port 1, Port 14, Port 24) with ISLs; Open (Guest) Net vlan90 90.90.90.0 /24 (.1); WLAN switches at .20 ... .70 on Mgmt Net vlan0, each with RS232, Port 1, Virtual IP 1.1.1.1, an AP, a Service Interface (SI .2 / SI .7) on Port 6 in 192.168.1.0 / 24 and Switch Web at 192.168.1.1; Vlan90 interfaces .22 and .72 on Port 1; WLAN 2 SSID webauth2 and WLAN 7 SSID webauth7; clients .x and .y; Mobility / RF Group Names training2 and training7]

  41. Web Authentication Configuration