Documenting a Network with CDP

In this post I will use the information available from CDP to help me create a logical network diagram.

CDP is the Cisco Discovery Protocol and is enabled on all router and switch interfaces by default. The switch or router sends a CDP packet out of each interface every 60 seconds, and any connected device records the arrival of these packets in its CDP table for a holdtime of 180 seconds. If after 180 seconds the device has not received another CDP packet on that interface, it removes the entry from the table. CDP can be disabled entirely or on any individual interface.

I begin by connecting to my switch and I check the CDP settings.

switch1#sh cdp
Global CDP information:
Sending CDP packets every 60 seconds
Sending a holdtime value of 180 seconds
Sending CDPv2 advertisements is enabled

From the output I can see the CDP time settings and the version. Next I look at the connected devices.

switch1#sh cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater

Device ID          Local Intrfce   Holdtme   Capability   Platform    Port ID
switch2.lab.local  Fas 0/1         160       S I          WS-C2950-2  Fas 0/1
switch2.lab.local  Fas 0/24        160       S I          WS-C2950-2  Fas 0/24

Here I can see that I have 2 ports (1 & 24) connected to switch2 (also using ports 1 & 24). I can also see that switch2 is a Catalyst 2950.

This is a great summary but for my diagram I could do with knowing the IP address of switch2.

switch1#sh cdp entry *
-------------------------
Device ID: switch2.lab.local
Entry address(es):
IP address: 10.0.1.211
Platform: cisco WS-C2950-24, Capabilities: Switch IGMP
Interface: FastEthernet0/1, Port ID (outgoing port): FastEthernet0/1
Holdtime : 142 sec

Version :
Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(13)EA1, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Tue 04-Mar-03 02:14 by yenanh

advertisement version: 2
Protocol Hello: OUI=0x00000C, Protocol ID=0x0112; payload len=27, value=00000000FFFFFFFF01022505000000000000000CCE3E3EC0FF0000
VTP Management Domain: 'lab.local'
Native VLAN: 1
Duplex: full

-------------------------
Device ID: switch2.lab.local
Entry address(es):
IP address: 10.0.1.211
Platform: cisco WS-C2950-24, Capabilities: Switch IGMP
Interface: FastEthernet0/24, Port ID (outgoing port): FastEthernet0/24
Holdtime : 142 sec

Version :
Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(13)EA1, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Tue 04-Mar-03 02:14 by yenanh

advertisement version: 2
Protocol Hello: OUI=0x00000C, Protocol ID=0x0112; payload len=27, value=00000000FFFFFFFF01022505000000000000000CCE3E3EC0FF0000
VTP Management Domain: 'lab.local'
Native VLAN: 1
Duplex: full

This detailed output gives me additional useful information such as the VLAN and the IOS version.

Next I head over to switch2 and look at its CDP information.

switch2#sh cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID          Local Intrfce   Holdtme   Capability   Platform    Port ID
switch1            Fas 0/24        168       S I          WS-C2950-2  Fas 0/24
switch1            Fas 0/1         168       S I          WS-C2950-2  Fas 0/1
router1.lab.local  Fas 0/2         175       R            Cisco C831  Eth 0
router1.lab.local  Fas 0/23        175       R            Cisco C831  Eth 1

Here I can see the connections to switch1 and additional connections to router1. Again I look at the detailed information to get the IP address of the router.

switch2#sh cdp entry *
-------------------------
Device ID: switch1
Entry address(es):
IP address: 10.0.1.210
Platform: cisco WS-C2950-24, Capabilities: Switch IGMP
Interface: FastEthernet0/24, Port ID (outgoing port): FastEthernet0/24
Holdtime : 152 sec

Version :
Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(12c)EA1, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Sun 24-Nov-02 23:31 by antonino

advertisement version: 2
Protocol Hello: OUI=0x00000C, Protocol ID=0x0112; payload len=27, value=00000000FFFFFFFF01022505000000000000000C8582C600FF0000
VTP Management Domain: 'lab.local'
Native VLAN: 1
Duplex: full

-------------------------
Device ID: switch1
Entry address(es):
IP address: 10.0.1.210
Platform: cisco WS-C2950-24, Capabilities: Switch IGMP
Interface: FastEthernet0/1, Port ID (outgoing port): FastEthernet0/1
Holdtime : 152 sec

Version :
Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(12c)EA1, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Sun 24-Nov-02 23:31 by antonino

advertisement version: 2
Protocol Hello: OUI=0x00000C, Protocol ID=0x0112; payload len=27, value=00000000FFFFFFFF01022505000000000000000C8582C600FF0000
VTP Management Domain: 'lab.local'
Native VLAN: 1
Duplex: full

-------------------------
Device ID: router1.lab.local
Entry address(es):
IP address: 10.0.2.254
Platform: Cisco C831, Capabilities: Router
Interface: FastEthernet0/23, Port ID (outgoing port): Ethernet1
Holdtime : 176 sec

Version :
Cisco IOS Software, C831 Software (C831-K9O3Y6-M), Version 12.4(4)T1, RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Thu 22-Dec-05 01:39 by ccai

advertisement version: 2
Duplex: half

-------------------------
Device ID: router1.lab.local
Entry address(es):
IP address: 10.0.1.254
Platform: Cisco C831, Capabilities: Router
Interface: FastEthernet0/2, Port ID (outgoing port): Ethernet0
Holdtime : 176 sec

Version :
Cisco IOS Software, C831 Software (C831-K9O3Y6-M), Version 12.4(4)T1, RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Thu 22-Dec-05 01:39 by ccai

advertisement version: 2
Duplex: full

From the output I am able to determine the IP addresses of the connected router interfaces and I can also see that one interface is configured to half duplex. Now I have some good information to begin populating my diagram with.

From here I would probably move to the router and look at its CDP table. But suppose I want to prevent CDP packets from leaving an interface? After all, CDP carries quite detailed information that you might not want everyone to be able to view.

I connect to the device that I want to stop sending CDP packets and turn CDP off on that particular interface. In my case I want to stop router1 from sending CDP packets on interface Ethernet 1.

router1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
router1(config)#int ethernet 1
router1(config-if)#no cdp enable
router1(config-if)#end

Now when I check the switch that router1 is connected to, I see the holdtime for that entry decreasing, because the switch no longer receives CDP packets on the interface; after 180 seconds it reaches 0 and the entry is removed from the table.

switch2#sh cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID          Local Intrfce   Holdtme   Capability   Platform    Port ID
switch1            Fas 0/24        159       S I          WS-C2950-2  Fas 0/24
switch1            Fas 0/1         159       S I          WS-C2950-2  Fas 0/1
router1.lab.local  Fas 0/23        6         R            Cisco C831  Eth 1
router1.lab.local  Fas 0/2         126       R            Cisco C831  Eth 0

switch2#sh cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID          Local Intrfce   Holdtme   Capability   Platform    Port ID
switch1            Fas 0/24        153       S I          WS-C2950-2  Fas 0/24
switch1            Fas 0/1         152       S I          WS-C2950-2  Fas 0/1
router1.lab.local  Fas 0/23        0         R            Cisco C831  Eth 1
router1.lab.local  Fas 0/2         179       R            Cisco C831  Eth 0

switch2#sh cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID          Local Intrfce   Holdtme   Capability   Platform    Port ID
switch1            Fas 0/24        147       S I          WS-C2950-2  Fas 0/24
switch1            Fas 0/1         147       S I          WS-C2950-2  Fas 0/1
router1.lab.local  Fas 0/2         174       R            Cisco C831  Eth 0
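As an added example (not code from the original post), the Python script below turns `show cdp entry *` output like the switch2 listing above into a neighbour table, flags half-duplex links and entries whose holdtime shows the neighbour has stopped advertising (the symptom seen after CDP was disabled on router1 Ethernet 1), and emits a Graphviz edge list for the logical diagram. The sample text is constructed to match the IOS layout shown above; the 180 s holdtime and 60 s interval are the defaults from the post.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample in the 'show cdp entry *' layout of the switch2 output above.
SAMPLE = """\
-------------------------
Device ID: switch1
Entry address(es):
  IP address: 10.0.1.210
Platform: cisco WS-C2950-24,  Capabilities: Switch IGMP
Interface: FastEthernet0/24,  Port ID (outgoing port): FastEthernet0/24
Holdtime : 152 sec
Duplex: full
-------------------------
Device ID: router1.lab.local
Entry address(es):
  IP address: 10.0.2.254
Platform: Cisco C831,  Capabilities: Router
Interface: FastEthernet0/23,  Port ID (outgoing port): Ethernet1
Holdtime : 6 sec
Duplex: half
-------------------------
Device ID: router1.lab.local
Entry address(es):
  IP address: 10.0.1.254
Platform: Cisco C831,  Capabilities: Router
Interface: FastEthernet0/2,  Port ID (outgoing port): Ethernet0
Holdtime : 176 sec
Duplex: full
"""


@dataclass(frozen=True)
class CdpEntry:
    device_id: str
    ip: str | None
    platform: str
    capabilities: str
    local_if: str
    remote_if: str
    holdtime: int
    duplex: str | None


FIELDS = {
    "dev": re.compile(r"^Device ID:\s*(\S+)", re.M),
    "ip": re.compile(r"^\s*IP address:\s*(\S+)", re.M),
    "plat": re.compile(r"^Platform:\s*(.+?),\s*Capabilities:\s*(.+?)\s*$", re.M),
    "ifs": re.compile(r"^Interface:\s*(\S+),\s*Port ID \(outgoing port\):\s*(\S+)", re.M),
    "hold": re.compile(r"^Holdtime\s*:\s*(\d+)", re.M),
    "dup": re.compile(r"^Duplex:\s*(\S+)", re.M),
}


def parse_cdp_entries(text: str) -> list[CdpEntry]:
    """One record per dashed block; blocks without Device ID and Interface are skipped."""
    entries = []
    for block in re.split(r"^-{5,}\s*$", text, flags=re.M):
        m = {k: rx.search(block) for k, rx in FIELDS.items()}
        if not (m["dev"] and m["ifs"]):
            continue
        entries.append(CdpEntry(
            device_id=m["dev"].group(1),
            ip=m["ip"].group(1) if m["ip"] else None,
            platform=m["plat"].group(1) if m["plat"] else "",
            capabilities=m["plat"].group(2) if m["plat"] else "",
            local_if=m["ifs"].group(1),
            remote_if=m["ifs"].group(2),
            holdtime=int(m["hold"].group(1)) if m["hold"] else 0,
            duplex=m["dup"].group(1).lower() if m["dup"] else None,
        ))
    return entries


def audit(entries: list[CdpEntry], holdtime: int = 180, interval: int = 60) -> list[str]:
    """Flag half-duplex ports, and entries that have missed at least two advertisements
    (holdtime below holdtime - 2*interval), as after CDP was disabled on router1 Ethernet 1."""
    notes = []
    for e in entries:
        link = f"{e.local_if} -> {e.device_id} {e.remote_if}"
        if e.duplex == "half":
            notes.append(f"{link}: half duplex")
        if e.holdtime < holdtime - 2 * interval:
            notes.append(f"{link}: stale, holdtime {e.holdtime}s")
    return notes


def to_dot(local: str, entries: list[CdpEntry]) -> str:
    """Graphviz edge list for the logical diagram; every IP CDP reported is kept."""
    ips: dict[str, list[str]] = {}
    for e in entries:
        if e.ip and e.ip not in ips.setdefault(e.device_id, []):
            ips[e.device_id].append(e.ip)
    out = ["graph cdp {", f'  "{local}";']
    for dev, addrs in ips.items():
        label = dev + "\\n" + " ".join(addrs)  # literal \n is a line break in DOT labels
        out.append(f'  "{dev}" [label="{label}"];')
    for e in entries:
        out.append(f'  "{local}" -- "{e.device_id}" [taillabel="{e.local_if}", headlabel="{e.remote_if}"];')
    out.append("}")
    return "\n".join(out)
```

Feed it the saved output of the real switch (`parse_cdp_entries(open("switch2.txt").read())`) and render the DOT text with `dot -Tpng`.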

Reset or recover a lost or forgotten password on an Alcatel OS6850 switch

Connect to the switch with putty.exe and make sure you are connected (press the Enter key a couple of times).

Then reboot and press the Enter key almost immediately to stop the autoboot.

Wait for the message "Hit any key to stop autoboot: 0" and hit any key.

Then type the following commands

=> fatls ide :1,0

=> fatls ide :1,0 /network

=> fatdelete ide :1,0 /network/usertable5   (or /network/usertable4)

Now power-cycle the switch, or type "run miniboot" at the U-Boot prompt (=> reboot or => boot). The switch will now be back to its factory default login "admin/switch".

Alcatel omniswitch commands

These commands are for R6 & R7

--- general ---
ip interface vlan223 address 172.22.23.2 mask 255.255.255.0 admin-state enable vlan 223
ip interface vlan333 address 172.23.33.3 mask 255.255.255.0 admin enable vlan 333
vlan 13 members port 1/3 untagged
vlan 2 members port 1/4 tagged
vlan 13 port default 1/3
vlan 2 802.1q 1/4
modify running-directory working
ip route-map local-to-rip sequence-number 10 action permit
ip route-map local-to-rip sequence-number 10 match ip-address 0.0.0.0/0 redist-control all-subnets
ip redist local into rip route-map local-to-rip


--- .1x ---
vlan port mobile 1/1
vlan port 1/1 802.1x enable
aaa radius-server rad1 host 192.168.100.102 timeout 25 key alcatel-lucent
aaa authentication 802.1x rad1

ip helper … (no need to specify vlan ID)

--- UNP ---

no aaa user-network-profile name Berlin
no policy list policy-berlin
no policy rule policy-berlin
no policy action policy-berlin
no policy condition policy-berlin
policy condition policy-berlin source ip 192.168.4.0 mask 255.255.255.0 destination ip 192.168.2.0 mask 255.255.255.0
policy action policy-berlin disposition deny
policy rule policy-berlin condition policy-berlin action policy-berlin
policy list policy-berlin type unp enable rules policy-berlin

qos apply
aaa user-network-profile name Berlin vlan 4 policy-list-name policy-berlin
--- traffic ACL ---
! it's automatically applied to all ports !!
policy condition v10 source ip 10.0.10.0 mask 255.255.255.0 destination ip 10.0.30.0 mask 255.255.255.0
policy action v10 disposition drop
policy rule v10 condition v10 action v10

--- MSTP ---
spantree mode flat
spantree cist protocol mstp
spantree mst region name France
spantree msti 1
spantree msti 1 vlan 31
spantree msti 2
spantree msti 2 vlan 32
bridge mode flat
bridge cist protocol mstp
bridge mst region name France
bridge msti 1
bridge msti 1 vlan 31
bridge msti 2
bridge msti 2 vlan 32

--- disable stp for a vlan ---
spantree vlan 12 admin-state disable

vlan 12 stp disable

--- LACP ---
interfaces 1/3 admin-state enable
linkagg lacp port 1/3 actor admin-key 3
linkagg lacp agg 3 size 2 actor admin-key 3
vlan 31-32 members linkagg 3 tagged
interfaces 1/4 admin up
lacp linkagg 2 size 8 actor admin key 2
lacp agg 1/4 actor admin key 2
vlan 32 802.1q 2
--- OSPF ---
ip load ospf
ip ospf area 0.0.0.13
ip router router-id 1.1.1.1
ip ospf admin-state enable
ip ospf interface vlan13
ip ospf interface vlan13 area 0.0.0.13
ip ospf interface vlan13 admin-state enable
ip ospf interface vlan13 auth-type md5
ip ospf interface vlan13 md5 1
ip ospf interface vlan13 md5 1 key 123456
ip ospf interface vlan13 admin-state enable
ip load ospf
ip ospf area 0.0.0.13
ip router router-id 3.3.3.3
ip ospf status enable
ip ospf interface vlan13
ip ospf interface vlan13 area 0.0.0.13
ip ospf interface vlan13 status enable
ip ospf interface vlan13 auth-type md5
ip ospf interface vlan13 md5 1
ip ospf interface vlan13 md5 1 key 123456
ip ospf interface vlan13 status enable
--- ospf virtual link ---
ip ospf virtual-link 0.0.0.13 1.1.1.1
ip ospf virtual-link 0.0.0.13 1.1.1.1 auth-type simple
ip ospf virtual-link 0.0.0.13 1.1.1.1 auth-key 123456
--- ospf summary ---
ip ospf area 0.0.0.10 range summary 172.21.0.0 255.255.0.0

--- ospf aggregate ---
ip access-list local_agg
ip access-list local_agg address 172.31.0.0/16
ip access-list local_agg address 172.31.0.0/16 redist-control aggregate
ip route-map local-to-ospf-agg sequence-number 10 action permit
ip route-map local-to-ospf-agg sequence-number 10 match ip-address local_agg
ip redist local into ospf route-map local-to-ospf-agg admin-state enable

--- IGMP ---
ip multicast admin-state enable

ip multicast status enable
for PIM devices:
ip multicast querying enable

for L2 devices:
ip multicast querier-forwarding enable

--- PIM ---
ip load pim
ip pim sparse admin-state enable

ip pim sparse status enable
ip pim interface Loopback0
ip pim candidate-rp 1.1.1.1 225.2.2.0/24
ip pim cbsr 1.1.1.1 (this is required to advertise the RP address to all other routers)

--- VRRP ---
vrrp 10 10
vrrp 10 10 priority 150 preempt interval 1
vrrp 10 10 address 172.25.10.254

--- SLB ---
ip slb admin enable
ip slb cluster "vip1" vip 172.25.30.100
ip slb server ip 172.25.30.10 cluster "vip1"
ip slb server ip 172.25.30.20 cluster "vip1"

--- snmp ---
user public password alcatel-lucent read-write all
aaa authentication snmp "local"
snmp security no-security
snmp community-map mode enable
snmp community-map "public" user "public" enable
snmp station 192.168.100.102 public v2 enable

Juniper EX switches configuration examples

General commands

show mac-address table

show ethernet-switching table brief

show directly connected switches

show lldp neighbors

config vlan

set vlans  Floor_Users vlan-id 90
set vlans Floor_Users l3-interface vlan.90
set interfaces vlan unit 90 family inet address 10.10.10.254/24

assign vlan to port

set interfaces  unit 0 family ethernet-switching vlan members

upgrade (may need "set system services ftp" first; when upgrading an 8200 you need to upgrade both Routing Engines)

request system software add ftp://a:123456@10.10.10.81/jinstall-ex-3200-9.6R1.13-domestic-signed.tgz

enable SSH

set system services ssh

show ip addresses

show interfaces terse

show all ports info

show interfaces extensive

load factory-default

load factory-default

show rollback 10

file show /var/db/config/juniper.conf.10.gz

show interface statistics in real time

run monitor interface ge-0/0/0

like tcpdump

run monitor traffic interface ge-0/0/0

to add config from notepad

load update terminal

static route

set routing-options static route 192.168.16/24 next-hop 1.1.1.1

start terminal monitor

monitor start /var/log/messages

stop terminal monitor

monitor stop

check what is going to be committed

show | compare

time

show system uptime

show modules / hardware

show chassis hardware

Show ospf interfaces

show ospf interface

ospf - redistribute static

set protocols ospf export redistribute-into-OSPF
set policy-options policy-statement redistribute-into-OSPF term static from protocol static
set policy-options policy-statement redistribute-into-OSPF term static then accept

LACP - switches

set chassis aggregated-devices ethernet device-count 5
set interfaces ae0 aggregated-ether-options lacp active
set interfaces ge-0/0/0 ether-options 802.3ad ae0
set interfaces ge-0/0/1 ether-options 802.3ad ae0
set interfaces ae0 unit 0 family inet address 10.10.0.254/24

LACP - J routers

set chassis aggregated-devices ethernet device-count 5
set interfaces ae0 aggregated-ether-options lacp active
set interfaces ge-0/0/0 gigether-options 802.3ad ae0
set interfaces ge-0/0/1 gigether-options 802.3ad ae0
set interfaces ae0 unit 0 family inet address 10.10.0.254/24

password recovery

* reload the switch
* stop the boot by pressing the "space bar"
* choose 'recovery'
boot -s

NTP

set system ntp server 1.1.1.1
exit
set date ntp

create rescue config

request system configuration rescue save

set management ip on a stack

set interfaces vme unit 0 family inet address 10.10.10.235/24

connect to a specific switch from a stack

request session member

install image from USB

1. Put the new code (the desired version of JUNOS) on a USB stick formatted as FAT32 and insert it into the USB slot on the back of the switch.
2. Reboot the device and, when it says "loading", press the spacebar to get to the loader prompt (loader>).
3. Type the following command to reinstall Junos from this prompt:
    loader>install --format file:///filename.tgz
    * where filename is e.g. jinstall-ex-9.2R1.5-domestic-signed.tgz

copy log files from specific unit

request session member 5
start shell user root
! -Password-
tar -zcvf varlog-mem5.tar.gz /var/log/
mv varlog-mem5.tar.gz /var/tmp/
exit
file copy fpc5:/var/tmp/varlog-mem5.tar.gz fpc0:/var/tmp 
! Then open with web - Maintain --> Files --> temp

show alarms

(use this to check why the alarm LED is red)

show system alarms

vrrp

set interfaces vlan unit   family inet address x.x.x.x /24 vrrp-group  virtual-address x.x.x.x  priority < priority>

vrrp – backup master (Specify that the backup router can process packets with an IP destination address of the virtual address)

ip vrrp 22 accept-data

ECMP

(equal cost multi path)

set policy-options policy-statement load-balancing-policy then load-balance per-packet
set routing-options forwarding-table export load-balancing-policy

allow NSM to connect to the switch

set system services netconf ssh

dhcp snooping

set ethernet-switching-options secure-access-port vlan all examine-dhcp

bpdu guard

set protocols rstp bpdu-block-on-edge  
set protocols rstp interface all edge

port mirroring

set ethernet-switching analyzer analyzer1 input ingress interface ge-0/0/0
set ethernet-switching analyzer analyzer1 input egress interface ge-0/0/0
set ethernet-switching analyzer analyzer1  output interface ge-0/0/2

LLDP – MED

(the switch tells the ip phone what is the voice vlan)

set vlans  description voice-vlan
set vlans  interface ge-0/0/2.0
set interfaces  unit 0 family ethernet-switching vlan members 
set interfaces   unit 0 family ethernet-switching port-mode access
set ethernet-switching-options voip interface  .0 vlan 
set ethernet-switching-options voip interface  .0 forwarding-class assured-forwarding
set protocols lldp-med interface 

tacacs

(use “load merge terminal” to load this format of config)

system {
    time-zone Asia/Jerusalem;
    authentication-order tacplus;
    root-authentication {
        encrypted-password "$1$gzwtefgipDYmub7XcCTEU4/"; ## SECRET-DATA
    }
    tacplus-server {
        secret "$9$y45645XxjqfT9CRhSyMX-dsYgJ";
        secret "$9$vD4574745dV.5Fnu0ylKvxdsYoaZj";
    }

    accounting {
        events [ login change-log interactive-commands ];
        destination {
            tacplus;
        }
    }
}

VoIP QoS marking

class-of-service {
	classifiers {
	    dscp juniper_dscp_classifier {
	        import default;
	        forwarding-class voice {
	            loss-priority low code-points 101110;
	        }
	    }
	    ieee-802.1 juniper_ieee_classifier {
	        import default;
	        forwarding-class voice {
	            loss-priority low code-points 011;
	        }
	    }
	}
	forwarding-classes {
	    class voice queue-num 7;
	    class expedited-forwarding queue-num 5;
	    class assured-forwarding queue-num 1;
	    class best-effort queue-num 0;
	}
	interfaces {
	    vlan {
	        unit 12 {
	            classifiers {
	                dscp juniper_dscp_classifier;
	            }
	        }
	    }
	}
}

access list of IP addresses that are allowed to access the switch (use "load merge terminal" to load this format of config)

interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input Telnet-access-filter;
                }
            }
        }
    }
}
firewall {
    family inet {
        filter Telnet-access-filter {
            term team_X {
                from {
                    source-address {
                        x.x.x.x/32;
                        x.x.x.x/32;
                    }
                    protocol tcp;
                }
                then accept;
            }
            term team_Y {
                from {
                    source-address {
                        y.y.y.y/32;
                        y.y.y.y/32;
                    }
                    protocol tcp;
                }
                then accept;
            }
            term Access_from_forbidden_addresses {
                from {
                    source-address {
                        127.0.0.0/8;
                    }
                    protocol tcp;
                }
                then discard;
            }
            term OSPF {
                from {
                    protocol ospf;
                }
                then accept;
            }
            term icmp {
                from {
                    protocol icmp;
                }
                then accept;
            }
            term accept_DHCP {
                from {
                    protocol udp;
                }
                then accept;
            }
        }
    }
}

4200 EX Switches

set this so that if the cascade cables are disconnected from a stack of 2 switches, the switches will not become layer 2

set virtual-chassis no-split-detection

show the units in a stack

show virtual-chassis
0 (FPC 0)  Prsnt    BQ0209341890 ex4200-48p      128  Master*    1  vcp-0
1 (FPC 1)  Prsnt    BN0209364440 ex4200-24p      128  Linecard   3  vcp-0
2 (FPC 2)  Prsnt    BQ0209341900 ex4200-48p      128  Backup     0  vcp-0
3 (FPC 3)  Prsnt    BQ0209341917 ex4200-48p      128  Linecard   2  vcp-0

Member ID for next new member: 4 (FPC 4)

change unit numbers

(the serial number is also on the back of the switch; no restart is needed, and the new master becomes master after a few minutes)

set virtual-chassis preprovisioned
set virtual-chassis member 0 serial-number BN0209364440 role routing-engine
set virtual-chassis member 1 serial-number BQ0209341917 role routing-engine
set virtual-chassis member 2 serial-number BQ0209341900
set virtual-chassis member 3 serial-number BQ0209341890

8200 EX Switches

set management ip when having 2 routing engines

delete int me0
edit groups
set re0 system host-name Name1
set re0 interfaces me0 unit 0 family inet address 10.10.10.12/24
set re1 system host-name Name2
set re1 interfaces me0 unit 0 family inet address 10.10.10.22/24
top
set apply-groups [re0 re1]

turn off a module

(disable)

set chassis fpc  power off

set the switchover with only 10 packets of loss

set chassis redundancy graceful-switchover

connect to backup routing engine

request routing-engine login backup

show modules

show chassis hardware

change active CPU

request chassis routing-engine master switch

cancel the switchover on a failure or reload

deactivate chassis redundancy graceful-switchover

Auto save config also to the backup

(“commit” saves only to the present Routing Engine)

commit synchronize

Run commands at a linecard

root@st-grande06-scb0:RE:0% lcdd 2 chassism
chassism#show mac ge-2/0/1 
chassism#show phy ge-2/0/1

Configuring Dynamic VLAN assignment on ProCurve switches

Introduction

The information contained in this post describes how to configure an HP ProCurve switch and Windows 2008 R2 NPS RADIUS server to authorise and assign users dynamically into specific VLANs.

The switch used is an HP ProCurve model 2610-48 running firmware version R.11.72

Configure VLANs

Create VLANs, define IP address and IP helper-address

vlan 30
   name "VLAN30"
   ip address 192.168.30.1 255.255.255.0
   ip helper-address 192.168.20.20
vlan 40
   name "VLAN40"
   ip address 192.168.40.1 255.255.255.0
   ip helper-address 192.168.20.20

Configure RADIUS/802.1x

Define RADIUS server IP address and shared secret

radius-server host 192.168.20.20 key secret12

Configure 802.1x authentication type

aaa authentication port-access eap-radius

Configure ethernet ports 1-2 as authenticator ports

aaa port-access authenticator 1-2

Activate 802.1x port-access authentication on the ports

aaa port-access authenticator active

Create Active Directory Groups

Authentication to the individual VLANs will be by Active Directory group membership of the user or computer, therefore we need to create the appropriate groups for use later in the NPS RADIUS server policy.

Add a user to each of the groups


Windows 2008 R2 NPS (RADIUS) Configuration

Create an appropriately named NPS Policy to authorise users for each VLAN


Configure a “Condition” of Windows Group value of DOMAINNAME\GroupName


Configure the “Authentication Methods” as “Microsoft: Protected EAP (PEAP)”


Configure “RADIUS Attributes”

Tunnel-Medium-Type = 802

Tunnel-Pvt-Group-ID = VLAN Name or VLAN ID e.g “VLAN30” or “30”

Tunnel-Type = Virtual LANs (VLAN)


Configure Windows 7 computer to authenticate

Open Windows services and change the startup type of the service “Wired AutoConfig” to Automatic. Click Start service

Open “Network and Sharing Center”. Click “Change adapter settings”

Click “Local Area Connection” > “Properties” > “Authentication”

Ensure “Enable IEEE 802.1x authentication” is ticked

Ensure “Microsoft: Protected EAP (PEAP)” is selected from the dropdown box. Click Settings

If the client computers do not have a trusted root certificate un-check the tick box “Validate server certificate”. If you do have an internal CA and all client computers have the root CA in the computer certificate store leave checked.

If the client computer is not joined to the domain and you wish to prompt for authentication, select "Configure" and un-check "Automatically use my Windows logon...."

The steps above can also be configured via Group Policy

Testing

Connect a computer to a port configured for authentication

If using a non-domain joined computer and you have previously un-checked the tick box "Automatically use my Windows logon....", a balloon will appear saying "Additional information is needed to connect to this network". Click the balloon and enter your domain credentials.


If you are on a domain joined computer, the authentication will be transparent to the user (you will not see the prompt for authentication as above).

From the switch, the command "show port-access authenticator" will display useful troubleshooting information.

When a user account is a member of the "VLAN30" Windows group, it will be authorised on the RADIUS server and the port will be dynamically assigned to VLAN 30.


If the user is successfully authenticated and is a member of “VLAN40” group the port would be dynamically assigned to VLAN 40.

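As an added example (not code from the original post), this Python snippet encodes the three RADIUS attributes the NPS policy above returns (Tunnel-Type = VLAN, Tunnel-Medium-Type = 802, Tunnel-Private-Group-ID = VLAN name or ID) in their RFC 2868 tagged form, and then decodes them the way the switch must: only a complete, consistent group is honoured, the optional tag octet on Tunnel-Private-Group-ID is handled, and the group id is resolved against the switch's VLAN names or IDs. The VLAN table is a constructed stand-in for the switch configuration; the attribute numbers and values are the standard ones.

```python
from __future__ import annotations
from typing import Optional

# RADIUS tunnel attribute types (RFC 2868) and the values the NPS policy above sends.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type "VLAN" (RFC 3580)
TUNNEL_MEDIUM_IEEE_802 = 6   # Tunnel-Medium-Type "802" (all IEEE 802 media, Ethernet included)

# Constructed stand-in for the VLANs configured on the switch (name -> id).
SWITCH_VLANS = {"VLAN30": 30, "VLAN40": 40}


def avp(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of one RADIUS attribute; Length includes the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def tagged_int(attr_type: int, value: int, tag: int = 0) -> bytes:
    """Tunnel integer attribute: one tag octet, then a 3-octet big-endian value."""
    return avp(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def tagged_string(attr_type: int, text: str, tag: int = 0) -> bytes:
    """Tunnel string attribute: tag octet (0 = untagged), then the string."""
    return avp(attr_type, bytes([tag]) + text.encode("ascii"))


def vlan_assignment_attrs(group_id: str, tag: int = 0) -> bytes:
    """The three attributes from the 'RADIUS Attributes' step, as carried in an Access-Accept."""
    return (tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag)
            + tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802, tag)
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, group_id, tag))


def iter_avps(data: bytes):
    """Walk a run of attributes, refusing any Length that would run past the buffer."""
    i = 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError(f"malformed attribute at offset {i}")
        yield data[i], data[i + 2:i + data[i + 1]]
        i += data[i + 1]


def vlan_group_id(attrs: bytes) -> Optional[str]:
    """Switch-side decode: group the tunnel attributes by tag and honour the first complete
    group whose Type is VLAN and Medium is 802; anything else yields no VLAN at all."""
    groups: dict[int, dict[int, object]] = {}
    for t, v in iter_avps(attrs):
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(v) == 4:
            groups.setdefault(v[0], {})[t] = int.from_bytes(v[1:], "big")
        elif t == TUNNEL_PRIVATE_GROUP_ID and v:
            # RFC 2868: a first octet above 0x1F is the start of the string, not a tag.
            tag, text = (v[0], v[1:]) if v[0] <= 0x1F else (0, v)
            groups.setdefault(tag, {})[t] = text.decode("ascii", "replace")
    for tag in sorted(groups):
        g = groups[tag]
        if (g.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and g.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in g):
            return str(g[TUNNEL_PRIVATE_GROUP_ID])
    return None


def resolve_vlan(group_id: Optional[str], vlans: Optional[dict[str, int]] = None) -> Optional[int]:
    """Map the group id to a configured VLAN as the post describes: numeric id or VLAN name."""
    vlans = SWITCH_VLANS if vlans is None else vlans
    if group_id is None:
        return None
    if group_id.isdigit():
        vid = int(group_id)
        return vid if vid in vlans.values() else None
    return vlans.get(group_id)
```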

 

Junos Basics – Aggregated Ethernet Interfaces (LACP)

In my previous Junos Basics post I covered configuring an 802.1Q Trunk between a Juniper EX2200C and a Cisco 2960S. This post will expand upon the previous one by bundling two interfaces together on each switch to form an aggregated link for the trunk.

There are a few proprietary standards for aggregating Ethernet links, but Juniper uses the IEEE 802.3ad standard and Cisco can also be configured to use this. The 802.3ad standard is known as Link Aggregation Control Protocol (LACP). LACP can be configured in either Active or Passive mode: in Active mode a switch will always try to form an LACP link with the other side, and in Passive mode a switch will form an LACP link only if the other side is in Active mode.


On the Cisco side, the config steps are very simple:

  • specify the interfaces to be aggregated
  • set the protocol to LACP
  • create a Channel Group and specify the LACP mode
  • set the Port Channel interface as a trunk
  • specify which VLANs are allowed over the trunk

Cisco2960S(config)#int range gi1/0/47-48
Cisco2960S(config-if-range)#channel-protocol lacp
Cisco2960S(config-if-range)#channel-group 1 mode passive
Cisco2960S(config)#interface po1
Cisco2960S(config-if)#switchport mode trunk
Cisco2960S(config-if)#switchport trunk allowed vlan 100,200

Onto the Juniper side, the first step is to specify the number of aggregated links on the switch:

rich@EX2200C# set chassis aggregated-devices ethernet device-count 1

Next, we have to remove the logical unit configuration from the interfaces that are to be bundled, as logical units are not allowed on aggregated links:

delete interfaces ge-0/1/1 unit 0
delete interfaces ge-0/1/0 unit 0

Next, set the interfaces to use LACP (802.3ad) and to be members of a logical aggregated ethernet port (ports begin with ae):

set interfaces ge-0/1/0 ether-options 802.3ad ae0
set interfaces ge-0/1/1 ether-options 802.3ad ae0

Then we need to set the LACP mode for our new aggregated interface. We'll make the Juniper side Active, so that it initiates the transmission of LACP packets:

set interfaces ae0 aggregated-ether-options lacp active

Finally, we need to set the aggregated link to be a trunk, and tell it which VLANs to trunk:

set interfaces ae0 unit 0 family ethernet-switching port-mode trunk
set interfaces ae0 unit 0 family ethernet-switching vlan members [SALES IT]

To verify our config, we'll start on the Cisco side and check the EtherChannel summary:

Cisco2960S#show etherchannel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator

        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port


Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+------------------------
1      Po1(SU)         LACP      Gi1/0/47(P) Gi1/0/48(P)

Then we can confirm the trunk config:

Cisco2960S#show interfaces trunk

Port        Mode             Encapsulation  Status        Native vlan
Po1         on               802.1q         trunking      1

Port        Vlans allowed on trunk
Po1         100,200

Port        Vlans allowed and active in management domain
Po1         100,200

Port        Vlans in spanning tree forwarding state and not pruned
Po1         100,200

And on the Juniper side:

rich@EX2200C> show lacp interfaces
Aggregated interface: ae0
    LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
      ge-0/1/0       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
      ge-0/1/0     Partner    No    No   Yes  Yes  Yes   Yes     Slow   Passive
      ge-0/1/1       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
      ge-0/1/1     Partner    No    No   Yes  Yes  Yes   Yes     Slow   Passive
    LACP protocol:        Receive State  Transmit State          Mux State
      ge-0/1/0                  Current   Slow periodic Collecting distributing
      ge-0/1/1                  Current   Slow periodic Collecting distributing

From the above output we can see that our individual interfaces are both Active, with the partner end Passive. For a detailed explanation of the output see this article from Juniper, but suffice it to say that a Mux State of Collecting distributing means the LACP protocol is working correctly.

We can also confirm the trunk is up and trunking for VLANs 100 and 200:

rich@EX2200C> show ethernet-switching interfaces
Interface    State  VLAN members        Tag   Tagging  Blocking
ae0.0        up     IT                  200   tagged   unblocked
                    SALES               100   tagged   unblocked

I hope this has been a useful explanation.  In my next Junos Basics post I’ll cover first hop redundancy using VRRP.
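As an added example (not from the original post), this Python checker parses `show lacp interfaces` output in the layout shown above and reports, per member link, why it is not a healthy part of the bundle: both ends Passive (nobody ever sends the first LACPDU), an expired or defaulted partner, a member not in sync or not aggregatable, or a receive or mux state other than Current / Collecting distributing. The sample is constructed from the ae0 output above; the state names are the ones Junos prints in that command.

```python
import re

# Constructed sample in the layout of 'show lacp interfaces' on the EX2200C above.
SAMPLE = """\
Aggregated interface: ae0
    LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
      ge-0/1/0       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
      ge-0/1/0     Partner    No    No   Yes  Yes  Yes   Yes     Slow   Passive
      ge-0/1/1       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
      ge-0/1/1     Partner    No    No   Yes  Yes  Yes   Yes     Slow   Passive
    LACP protocol:        Receive State  Transmit State          Mux State
      ge-0/1/0                  Current   Slow periodic Collecting distributing
      ge-0/1/1                  Current   Slow periodic Collecting distributing
"""

FLAGS = ("exp", "def", "dist", "col", "syn", "aggr")   # column order of the state table
STATE_RX = re.compile(
    r"^\s*(\S+)\s+(Actor|Partner)" + r"\s+(Yes|No)" * 6 + r"\s+(Fast|Slow)\s+(Active|Passive)\s*$",
    re.M)
PROTO_RX = re.compile(
    r"^\s*(\S+)\s+(Current|Expired|Defaulted|Initialize|LACP disabled|Port disabled)"
    r"\s+(\S+ periodic|Periodic timer)\s+(.+?)\s*$", re.M)


def parse_lacp(text: str) -> dict:
    """Per member link: Actor/Partner flag tables plus receive, transmit and mux state."""
    members: dict = {}
    for m in STATE_RX.finditer(text):
        iface, role, *flags, timeout, activity = m.groups()
        members.setdefault(iface, {})[role] = {
            **{name: val == "Yes" for name, val in zip(FLAGS, flags)},
            "timeout": timeout, "activity": activity}
    for m in PROTO_RX.finditer(text):
        iface, rx, tx, mux = m.groups()
        members.setdefault(iface, {}).update(rx=rx, tx=tx, mux=mux)
    return members


def check_member(state: dict) -> list:
    """Reasons a member link is not a healthy part of the bundle (empty list = healthy)."""
    problems = []
    actor, partner = state.get("Actor"), state.get("Partner")
    if not (actor and partner):
        return ["missing Actor or Partner state line"]
    if actor["activity"] == "Passive" and partner["activity"] == "Passive":
        problems.append("both ends passive: neither side will ever send the first LACPDU")
    for role, s in (("Actor", actor), ("Partner", partner)):
        if s["exp"] or s["def"]:
            problems.append(f"{role} expired/defaulted: no LACPDUs arriving from the peer")
        if not (s["syn"] and s["aggr"]):
            problems.append(f"{role} not in sync or not aggregatable: port not attached to the aggregator")
        if not (s["col"] and s["dist"]):
            problems.append(f"{role} not collecting/distributing")
    if state.get("rx") != "Current":
        problems.append(f"receive state {state.get('rx')!r}, expected 'Current'")
    if state.get("mux") != "Collecting distributing":
        problems.append(f"mux state {state.get('mux')!r}, expected 'Collecting distributing'")
    return problems


def bundle_report(text: str) -> dict:
    """Map each member interface in the output to its list of problems."""
    return {iface: check_member(state) for iface, state in parse_lacp(text).items()}
```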

What It Takes to Design an IT Infrastructure System

There was a time when I had questions about network design and nobody to ask:

* How are the networks that are actually running in production designed?

* How should the network model be designed for each type of customer (SMB, Enterprise, Banking, …)?

* How do you choose the most suitable network devices (Switch, Router, Firewall, …) for each design?

* How do you apply what you have learned to designing a real network?

At that time I had picked up some knowledge, but my ability to apply it in practice was a round zero; in other words, it felt like “knowing martial arts but having no idea how to use them when facing a master in a duel”, a truly uncomfortable feeling, namely:

– I had studied HSRP/VRRP/GLBP and understood clearly how these protocols work, how to configure them and how to troubleshoot them when something goes wrong, yet I did not know where to use them in a network model.

– I had studied Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), PVST+, Rapid-PVST and MST: I understood how to configure the Root Bridge and Root Port, how to do load sharing with STP, the differences between STP, RSTP, PVST+, Rapid-PVST and MST, and the advantages and disadvantages of each. But I still did not understand how to use them in practice.

– I had studied the three-layer network design model (Core/Distribution/Access) and understood the role of each layer, but I could not design a network for a small or medium-sized business (SMB); even the concepts of SMB, ENT and so on were still very vague to me.

– And many other things like these …

I used to ask myself what the cause was. Was it:

– A lack of product knowledge: yes, although I had been equipped with a foundation of fundamental knowledge, I did not know or did not yet understand:

– The concept of a modular switch (Catalyst 6500, Catalyst 4500, Nexus 7000, …): what a linecard, a supervisor, a fan tray, a power supply, etc. are.

– What makes a switch “powerful”, and the terms used to define this “power” of a device.

For example, on the 3750-X switch series: 160 Gbps switching fabric, 101.2 Mpps forwarding rate, 10GbE uplinks, …

– The concepts of VSS on the 6500 switch series, StackWise on the 3750 series and FlexStack on the 2960S series (note: these are extremely important features in network design, with many outstanding characteristics that will be covered in detail in later posts).

– The features supported on each device series differ because they are designed for different purposes; for example, the 2960 switch series supports Layer 3 features only in a very limited way compared with the 3750/4500/6500 series, because the 2960 is designed for the Access layer …

– The characteristics of each customer type; for example, designing a network for an SMB customer is very different from designing one for an Enterprise customer, …

– A lack of hands-on experience… -> so how do you get it? Learn from whom? Learn where?

And I went through a period of groping around like that, as if walking in a dark tunnel, and to this day I am still walking in the tunnel; the only difference is that now there is a “faint ray of light” showing the way.

Knowing well the difficulties I went through, and wishing to share, exchange and learn in order to enrich my network design skills,

I would like to begin the series of posts on the topic “Network design, from theory to practice”.

JunOS: Copy & Paste configuration directly on terminal.

The command load replace terminal can be used to copy a configuration from a text file to a Juniper device.

After executing this command the router will start accepting configuration data pasted into the terminal.

To exit this mode use CTRL-D (^D); this leaves terminal mode and returns you to the device prompt.

Example:

root@gw-srx-01# load replace terminal   
[Type ^D at a new line to end input]
interfaces {
    reth0 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                filter {
                    input INPUT_RETH0.0_Filter;
                }
                address 10.0.0.1/24;
            }
        }
    }
    reth1 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 192.168.0.1/24;
            }
        }
    }
}
^D
load complete
 
[edit]
root@gw-srx-01# commit
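As an added example (not from the original post or from Junos itself), a small Python converter that turns pasted curly-brace configuration into the equivalent set commands, so a paste can be checked for balanced braces and reviewed line by line before it is loaded. Its constructed input is the two reth interfaces from the example above.

```python
# Constructed sample: the two reth interfaces pasted on the page, verbatim.
SAMPLE_CONFIG = """\
interfaces {
    reth0 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                filter {
                    input INPUT_RETH0.0_Filter;
                }
                address 10.0.0.1/24;
            }
        }
    }
    reth1 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 192.168.0.1/24;
            }
        }
    }
}
"""

def to_set_commands(text):
    """Convert curly-brace Junos config text into 'set ...' lines; raises
    ValueError on unbalanced braces so a bad paste is caught before load."""
    stack, commands = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):                 # open a hierarchy level
            stack.append(line[:-1].strip())
        elif line == "}":                      # close the current level
            if not stack:
                raise ValueError(f"line {lineno}: '}}' without matching '{{'")
            stack.pop()
        elif line.endswith(";"):               # leaf statement -> one set command
            commands.append("set " + " ".join(stack + [line[:-1].strip()]))
        else:
            raise ValueError(f"line {lineno}: unrecognised statement {line!r}")
    if stack:
        raise ValueError("unclosed block(s): " + " > ".join(stack))
    return commands
```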

VLAN Difference between Juniper and Cisco Switches

A VLAN (Virtual Local Area Network) is a logical LAN segment with its own broadcast domain. Basically, a VLAN divides one physical switch into multiple logical switches. You can configure hundreds of VLANs in one EX series switch, whether it is an EX4200, EX3200 or EX2200. Today I will show you the VLAN differences between Juniper and Cisco switches.


There are two port modes in a Juniper switch, i.e. access mode and trunk mode. An interface in access mode connects to a network device, such as a laptop or an IP phone. An interface in trunk mode connects to other switches in the network. There are many differences between Juniper and Cisco switches.

  1. In Cisco switches the default port mode is dynamic desirable auto, but in Juniper switches the default port mode is access mode.
  2. In Cisco switches the default VLAN is untagged and is the native VLAN, i.e. VLAN 1, but in Juniper switches there is no default native VLAN. You must configure it manually.
  3. In Cisco switches the trunk ports accept all VLANs in the range of 1 to 4095 by default, but in Juniper switches trunk ports do not carry any VLANs until you add them manually.
  4. In Juniper switches a VLAN named Default is present by default and all interfaces belong to this VLAN.
  5. Unlike Cisco switches, Juniper switches do not support VTP (VLAN Trunking Protocol) or DTP (Dynamic Trunking Protocol). Juniper switches do support GVRP (GARP VLAN Registration Protocol).
  6. Juniper switches have two port modes, i.e. access and trunk mode. Cisco switches have five port modes, i.e. dynamic auto, dynamic desirable, access, trunk and nonegotiate mode.
  7. Juniper switches support the 802.1Q protocol for trunk ports. Cisco switches support both 802.1Q and ISL (Inter-Switch Link).

How to measure bandwidth between two computers on the same network

In this article we will explain how to measure bandwidth between two computers on the same network using the Iperf software and related utilities. Iperf is a free software tool that can measure the bandwidth between two nodes in a computer network and the quality of a network link.

The idea is to run Iperf on both computers and measure the bandwidth between them, where one computer is a client and the other is a server. A computer is assigned the client (or server) role within the application by using the appropriate switches.

Iperf is a console application, which means you have to type commands in a terminal (command prompt). If you find that annoying, try Jperf, a graphical front-end for Iperf written in Java; it is covered in the section on measuring bandwidth between a computer and an Android smartphone (I performed a test and took screenshots in my home network).

Iperf:

OK, let’s get to work and perform a simple bandwidth test; other features are covered in the examples and the further reading section.

How to measure bandwidth between two computers on a network by using Iperf

The concept of measuring bandwidth between two computers on the same network is shown in the chart below:

[Image: IPERFmeasureBandwidth]

OK, you’ve downloaded Iperf (I downloaded v2) and copied it to the computers you want to measure bandwidth between. Open a command prompt on the computer you want to be the server (there is no formal rule on which computer must have the server or client role; any computer can be a client or a server) and type the command: iperf.exe -s

[Image: iperfserver]

Use this tip to open the command prompt at a specific path (where you have put Iperf): navigate to the folder which contains your Iperf executable (iperf205, in my case), hold the Shift key and right-click on that folder; an extended context menu will appear where you click the Open command window here option.

[Image: OpenCommandWindow]

In my case, I used a computer with Windows 7 as the server and a computer with Windows 8.1 as the client. On the diagram above you can see that the server is marked with “1”, because that’s always the first step: define a server. Take note of your server’s IP address (if you don’t know it); the easiest way, provided that you are already in the command prompt, is to type the ipconfig command (the IP address on the diagram is 10.1.1.1).

When it comes to the client, take a look at the diagram, where I marked it as “2”; open the command prompt on the client computer and type: iperf -c server_address

[Image: iperfclient]

And that’s it; the default settings are enough to show you the bandwidth between two computers in your network. Of course, you can add some extra switches to use this software according to your needs.

The method we used measures bandwidth with a TCP test; besides that, you can measure jitter (latency variation) or datagram loss with a UDP test.

I mentioned iperf v3, which is a rewrite of Iperf from scratch, with the goal of a smaller, simpler code base and a library version of the functionality that can be used in other programs. Iperf3 is not backwards compatible with iperf2.x. Opinions on which version is better are divided, so many users would still recommend Iperf 2.0.x. (Iperf 3 is not as well respected.)

Iperf usage examples:

  • iperf -s –> runs iperf in server mode.
  • iperf -c 10.1.1.1 –> runs iperf in client mode, where the server’s IP address is 10.1.1.1 (by default, only the bandwidth from the client to the server is measured).
  • iperf -c 10.1.1.1 -r –> the server connects back to the client, allowing a bi-directional bandwidth measurement.
  • iperf -c 10.1.1.1 -d –> simultaneous bi-directional bandwidth measurement. If you want to test the two directions sequentially, use the -r argument (see the previous example).
  • iperf -c 10.1.1.1 -w 4000 –> the -w switch sets the TCP window size, the amount of data that can be buffered on a connection without an acknowledgement from the receiver (it can be between 2 and 65,535 bytes).
  • server side: iperf -s -p 12000 and client side: iperf -c 10.1.1.1 -p 12000 –> the -p switch must be set on both sides and defines the communication port. By default the Iperf client connects to the Iperf server on TCP port 5001, and the bandwidth displayed by Iperf is the bandwidth from the client to the server.
  • iperf -c 10.1.1.1 -t 30 –> specifies the test duration in seconds (default is 10 seconds).
  • iperf -c 10.1.1.1 -t 30 -i 3 –> the -i argument specifies the interval in seconds between periodic bandwidth reports.
  • iperf -h –> prints detailed help, starting with the command format iperf [-s|-c host] [options], followed by an explanation of the arguments/switches, etc.

A good reference manual that describes how to use these switches (e.g. how to use the -u switch to perform a UDP test) can be found here: https://iperf.fr/ , and here: https://code.google.com/p/iperf/wiki/ManPage
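The TCP test described above (a server listening on port 5001, a client sending for -t seconds) reduced to a self-contained Python client and server, as an added example that is not iperf’s own code. It runs both sides over loopback in one process; the host 127.0.0.1 and the 64 KiB payload are assumptions, and the reported figure is bytes * 8 / seconds, the same bits-per-second number iperf prints.

```python
import socket, threading, time

# Constructed, self-contained re-implementation of the iperf TCP test idea
# (not iperf's code): the server accepts one connection and counts bytes,
# the client sends as fast as it can for `duration` seconds.  Throughput
# is bytes * 8 / seconds, the same figure iperf reports in bits/sec.

def run_server(host, port, ready, result):
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    ready.set()                      # tell the client it may connect now
    conn, _ = srv.accept()
    total, start = 0, time.monotonic()
    while True:
        chunk = conn.recv(65536)
        if not chunk:                # client closed: end of the test
            break
        total += len(chunk)
    result["bytes"] = total
    result["seconds"] = max(time.monotonic() - start, 1e-9)
    conn.close()
    srv.close()

def run_client(host, port, duration):
    cli = socket.create_connection((host, port))
    payload = b"\x00" * 65536        # assumed payload size, like iperf's buffer
    sent, deadline = 0, time.monotonic() + duration
    while time.monotonic() < deadline:
        sent += cli.send(payload)    # send() returns the bytes actually queued
    cli.close()
    return sent

def measure_bandwidth(host="127.0.0.1", port=5001, duration=1.0):
    """Run server and client in one process; return (bytes_sent, Mbit/s)."""
    ready, result = threading.Event(), {}
    server = threading.Thread(target=run_server, args=(host, port, ready, result))
    server.start()
    ready.wait()
    sent = run_client(host, port, duration)
    server.join()
    assert sent == result["bytes"]   # TCP delivers everything before EOF
    return sent, sent * 8 / result["seconds"] / 1e6

if __name__ == "__main__":
    nbytes, mbps = measure_bandwidth(duration=2.0)
    print(f"{nbytes} bytes in 2 s: {mbps:.1f} Mbit/s")
```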

How to measure bandwidth between computer and Android device on the same network

As I mentioned in the beginning (where I placed the download links), there is an Iperf application for Android that can turn your smartphone or tablet into an iperf server or client. My test environment is as follows:

  • Server: Samsung Galaxy S2 smartphone (GT-I9100), rooted and with the CyanogenMod custom ROM,
  • Client: Fujitsu Amilo laptop, Windows 8.1, x64, where I tested both Iperf and Jperf.

Install Iperf for Android on your Android device and run the application; type iperf -s or just -s in the text field and tap the on/off button (labelled Aus in my case, because my phone interface is in German). You will then see something similar to this (An means On):

[Image: Andriperf0]

Note the server’s IP address from the screenshot: 192.168.1.3

Run Iperf on the client computer and type the next command (make sure you use the IP of your server):

[Image: IperfForAndroid]

The Android application shows a notice when a client connects to it:

[Image: Show connected clients on Iperf for Android]

Jperf can be used with Iperf to provide a graphical front-end written in Java. So, if you’d like to try Jperf, you must have a Java Runtime installed on your operating system (I have Java JRE 8). Download Jperf from the download link I provided, extract the downloaded archive, find jperf.bat and run it:

[Image: JperfGraph-1024x576]

In the screenshot above you can see that I chose client mode, entered the IP address of my server (the smartphone), and set the test duration to 20 seconds (instead of the default 10). The graph shows the measured bandwidth between my computer and smartphone in my home network.

Further reading:

Wikipedia: http://en.wikipedia.org/wiki/Iperf
IPERF for Windows (native Windows port, not Cygwin), trial: http://www.iperfwindows.com/
Iperf3-Cygwin-GUI: http://sourceforge.net/projects/iperf3cygwingui/?source=recommended
Iperf2 vs Iperf3: https://fasterdata.es.net/performance-testing/network-troubleshooting-tools/iperf-and-iperf3/
bwctl (ensures that just one test is executed in a moment): https://fasterdata.es.net/performance-testing/network-troubleshooting-tools/bwctl/