Showing posts tagged CISCO.

Friday, June 21, 2013

Cisco Aironet - SSID Configuration


In this example, company XX wants to build a wireless network that separates IT, regular employees and visiting guests.
Some preparation is therefore needed before implementation:

1. The L3 switch must first be split into three VLANs: 10 (for IT), 20 (for Employee) and 99 (for Guest).
(How to create VLANs on the L3 switch is not covered here.)


2. This time the Aironet is configured through the GUI.


3. Connect to the Aironet GUI.


4. If the BVI1 interface needs to be changed, do it under EXPRESS SET-UP; while there, set the role of the 2.4G radio to Access Point.


5. Under NETWORK INTERFACES > Radio0-802.11N 2.4GHz > Settings, confirm the basic related settings.


6.

Friday, May 18, 2012

Cisco Aironet 1262N - Quick GUI Connection

I recently got a Cisco Aironet 1262N wireless access point and happily took it out of the box; it really is rather big.
Honestly, this is the first time I have handled a wireless AP that is beyond the SOHO class.

But.... how do you connect to the GUI??

How to connect to the GUI:

1. Use DHCP to assign the IP: if a DHCP server is set up, the BVI1 interface receives an IP automatically as soon as the AP is plugged into the network, so check the DHCP server's leases against the MAC address printed on the back of the Cisco Aironet to find out which IP it got.

2. Use the console to assign the BVI1 interface IP/mask and gateway:


EWSW01#
EWSW01#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
EWSW01(config)#int BVI1
EWSW01(config-if)#ip add
EWSW01(config-if)#ip address 10.10.11.203 255.255.255.224
EWSW01(config-if)#no sh
EWSW01(config-if)#exit

EWSW01(config)#ip default-gateway 10.10.10.254



That is all it takes to reach the Cisco Aironet GUI. Simple, isn't it.....

Tuesday, May 15, 2012

Cisco Aironet SSH Configuration


Configure Secure Shell (SSH) on an Access Point

CLI Configuration
This section presents the information needed to configure the features described in this document using the CLI.

Step-by-Step Instructions
In order to enable SSH-based access on the AP, you first must configure the AP as an SSH server. Follow these steps to configure an SSH server on the AP from the CLI:
1. Configure a host name and domain name for the AP.

AP#configure terminal
!--- Enter global configuration mode on the AP.

AP(config)#hostname Test
!--- This example uses "Test" as the AP host name.

Test(config)#ip domain name abc.com
!--- This command configures the AP with the domain name "abc.com".

2. Generate a Rivest, Shamir, and Adleman (RSA) key for your AP.
Generation of an RSA key enables SSH on the AP. Issue this command in global configuration mode:

Test(config)#crypto key generate rsa rsa_key_size
!--- This generates an RSA key and enables the SSH server.

Note: The recommended minimum RSA key size is 1024.

3. Configure user authentication on the AP.
On the AP, you can configure user authentication to use either the local list or an external authentication, authorization, and accounting (AAA) server. This example uses a locally generated list in order to authenticate the users:

Test(config)#aaa new-model
!--- Enable AAA authentication.

Test(config)#aaa authentication login default local none
!--- Use the local database in order to authenticate users.

Test(config)#username Test password Test123
!--- Configure a user with the name "Test".

Test(config)#username ABC password xyz123
!--- Configure a second user with the name "ABC".

This configuration makes the AP perform user-based authentication against a local database configured on the AP. The example configures two users in the local database, "Test" and "ABC".

4. Configure the SSH parameters.

Test(config)#ip ssh {[timeout seconds] | [authentication-retries integer]}
!--- Configure the SSH control variables on the AP.

Note: You can specify the timeout in seconds, but do not exceed 120 seconds. The default is 120. This setting applies to the SSH negotiation phase. You can also specify the number of authentication retries, but do not exceed five authentication retries. The default is three.
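As an added check that is not part of the Cisco document, the following Python audits the running-config produced by the four CLI steps above: it enforces the stated timeout and retry limits and flags the two points a reviewer would raise, the reversible `password` keyword (prefer `secret`) and the `none` fallback at the end of the login method list. The `line vty` stanza with `transport input` in the sample is an assumption, not something the document shows.

```python
import re

# Constructed sample: the running-config the CLI steps above would produce on
# the AP, plus an assumed vty stanza so the transport check has something to
# look at. Not captured from a real device.
SAMPLE_CONFIG = """\
hostname Test
ip domain name abc.com
aaa new-model
aaa authentication login default local none
username Test password Test123
username ABC password xyz123
ip ssh time-out 120
ip ssh authentication-retries 3
line vty 0 4
 transport input telnet ssh
"""

MAX_TIMEOUT = 120  # limits stated in the procedure above
MAX_RETRIES = 5

def audit_ssh_config(config):
    """Return a list of findings for an IOS/Aironet SSH configuration."""
    lines = [line.rstrip() for line in config.splitlines()]
    findings = []
    if not any(line.startswith("hostname ") for line in lines):
        findings.append("no hostname: RSA key generation needs a host name")
    if not any(re.match(r"ip domain[- ]name ", line) for line in lines):
        findings.append("no ip domain name: RSA key generation needs a domain name")
    for line in lines:
        m = re.match(r"ip ssh time-?out (\d+)$", line)
        if m and int(m.group(1)) > MAX_TIMEOUT:
            findings.append(f"ssh timeout {m.group(1)} exceeds {MAX_TIMEOUT} seconds")
        m = re.match(r"ip ssh authentication-retries (\d+)$", line)
        if m and int(m.group(1)) > MAX_RETRIES:
            findings.append(f"ssh retries {m.group(1)} exceed {MAX_RETRIES}")
        m = re.match(r"username (\S+) password ", line)
        if m:  # 'password' stores a plaintext/reversible string; 'secret' hashes it
            findings.append(f"user {m.group(1)} defined with 'password'; use 'secret'")
        if line.startswith("aaa authentication login") and line.split()[-1] == "none":
            findings.append("login method list ends in 'none': no authentication if the local lookup errors")
    # vty stanza: the indented lines that follow 'line vty'
    in_vty, ssh_only = False, False
    for line in lines:
        if line.startswith("line vty"):
            in_vty = True
        elif in_vty and line.startswith(" "):
            ssh_only |= line.strip() == "transport input ssh"
        else:
            in_vty = False
    if not ssh_only:
        findings.append("vty lines do not restrict transport input to ssh")
    return findings
```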
GUI Configuration
You can also use the GUI in order to enable SSH-based access on the AP.

Step-by-Step Instructions
Complete these steps:

1. Log in to the AP through the browser. The Summary Status window displays.
2. Click Services in the menu on the left. The Services Summary window displays.
3. Click Telnet/SSH in order to enable and configure the Telnet/SSH parameters. The Services: Telnet/SSH window displays. Scroll down to the Secure Shell Configuration area. Click Enable beside Secure Shell, and enter the SSH parameters. This example uses these parameters:
   ♦ System Name: Test
   ♦ Domain Name: abc.com
   ♦ RSA Key Size: 1024
   ♦ Authentication Timeout: 120
   ♦ Authentication Retries: 3
4. Click Apply in order to save the changes.
Verify
Use this section to confirm that your configuration works properly.
The Output Interpreter Tool (OIT) supports certain show commands. Use the OIT to view an analysis of show command output.

show ip ssh: Verifies whether SSH is enabled on the AP and lets you check the version of SSH that runs on the AP. This output provides an example:

show ssh: Lets you view the status of your SSH server connections. This output provides an example:

Now, initiate a connection from a PC that runs third-party SSH software and attempt to log in to the AP. This verification uses the AP IP address, 10.0.0.2. Because you have configured the user name Test, use this name to access the AP through SSH.

Troubleshoot
Use this section to troubleshoot your configuration.
If your SSH configuration commands are rejected as illegal commands, you have not successfully generated an RSA key pair for your AP. Refer to the Troubleshooting Tips section of the document Configuring Secure Shell for a list of possible reasons for this problem.

Disable SSH
In order to disable SSH on an AP, you must delete the RSA key pair that was generated on the AP. To delete the RSA pair, issue the crypto key zeroize rsa command in global configuration mode. When you delete the RSA key pair, you automatically disable the SSH server. This output provides an example:
Related Information
• Configuring Secure Shell
• Configuring the Access Point for the First Time
• Secure Shell (SSH) Support Page
• Wireless Support Page
• Technical Support & Documentation − Cisco Systems
Updated: Nov 05, 2008 Document ID: 68789

Monday, February 13, 2012

Cisco Port-channel Configuration


Today let's talk about EtherChannel Port-channel configuration.
This is a really handy technique; I like it a lot.

Two protocols need to be introduced first: PAgP and LACP.

PAgP: a Cisco proprietary protocol; packets are sent every 30 seconds for detection.
Applicable to: Cisco device to Cisco device

Modes:

Auto: puts the port into passive negotiation; it responds to PAgP packets but does not initiate negotiation.
Desirable: puts the port into active negotiation; the interface negotiates with other interfaces by sending PAgP packets.
On: does not use PAgP to form the EtherChannel.
Non-silent: if the switch is connected to a PAgP-capable device, the interface can be configured as non-silent. The non-silent keyword is specified together with auto or desirable mode; if it is not specified, silent is assumed. The silent setting is used when the interface connects to a file server or packet analyzer; it allows PAgP to add the interface to the channel group and use the interface for transmission.



LACP: part of the open IEEE standard (802.3ad)
Applicable to: Cisco device to Cisco device
                   Cisco device to other device
                   other device to other device
Modes:
Passive: enters passive negotiation; the port responds to LACP packets but does not initiate negotiation.
Active: enters active negotiation; the port negotiates with other interfaces by sending LACP packets.
On: forces the EtherChannel to form without any PAgP or LACP negotiation.

Example:
CS1 is an L3 switch, ES1 is an L2 switch.
The boss says there is no money for a 10GB LAN switch, but ES1's traffic is really too heavy, so "figure out a way to tweak it yourself.... make the pipe between the two switches bigger... the bigger the better, the bigger the better, the bigger the better".

Little Mike: so how big exactly.... OOXX

CS1:   ports gi0/1 - gi0/2
ES1:   ports gi1/1 - gi1/2


Procedure:
=================================================================
1. Shut down ports gi0/1 - gi0/2 on CS1 and ports gi1/1 - gi1/2 on ES1.




CS1 configuration
CS1(config)#int range gi0/1-2
CS1(config-if-range)#sh


CS1(config)#int port-channel 1
CS1(config-if)#switchport trunk encapsulation dot1q 
CS1(config-if)#switchport mode trunk 
CS1(config-if)#exit

CS1(config)#int range gi0/1-2
CS1(config-if-range)#switchport mode trunk 
CS1(config-if-range)#channel-group 1 mode ?
       active     Enable LACP unconditionally
        auto       Enable PAgP only if a PAgP device is detected
        desirable  Enable PAgP unconditionally
        on         Enable Etherchannel only
        passive    Enable LACP only if a LACP device is detected

CS1(config-if-range)#channel-group 1 mode on

%LINK-5-CHANGED: Interface Port-channel 1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel 1, changed state state to up




ES1 configuration
ES1(config)# int range gi1/1-2
ES1(config-if-range)#shutdown 


ES1(config)#int port-channel 1
ES1(config-if)#switchport mode trunk 





ES1(config)#int range gi1/1-2
ES1(config-if-range)#switchport mode trunk 
ES1(config-if-range)#channel-group 1 mode on 

%LINK-5-CHANGED: Interface Port-channel 1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel 1, changed state to up




The checks are the same on CS1 and ES1:



Check 1:
CS1#show interfaces etherchannel  << check the state of every EtherChannel


GigabitEthernet0/1:
Port state = 1
Channel group = 1         Mode = On       Gcchange = -
Port-channel  = Po1       GC = -          Pseudo port-channel = Po1
Port index    = 0         Load = 0x0      Protocol = -

Age of the port in the current state:  00d:00h:06m:18s

GigabitEthernet0/2:
Port state = 1
Channel group = 1         Mode = On       Gcchange = -
Port-channel  = Po1       GC = -          Pseudo port-channel = Po1
Port index    = 0         Load = 0x0      Protocol = -

Age of the port in the current state:  00d:00h:06m:18s

----
Port-channel1:Port-channel1
Age of the Port-channel   = 00d:00h:20m:15s
Logical slot/port   = 2/1             Number of ports = 2
GC                  = 0x00000000      HotStandBy port = null
Port state          =
Protocol            =   3
Port Security       = Disabled

Ports in the Port-channel:

Index   Load   Port     EC state        No of bits
------+------+------+------------------+-----------
  0     00     Gig0/1   On                 0
  0     00     Gig0/2   On                 0
Time since last port bundled:    00d:00h:06m:18s    Gig0/2





Check 2:

CS1#show etherchannel port-channel   << look at the port-channel state under the EtherChannel
                Channel-group listing:
                ----------------------

Group: 1
----------
                Port-channels in the group:
                ---------------------------

Port-channel: Po1
------------

Age of the Port-channel   = 00d:00h:29m:23s
Logical slot/port   = 2/1       Number of ports = 2
GC                  = 0x00000000      HotStandBy port = null
Port state          = Port-channel
Protocol            =   PAGP
Port Security       = Disabled

Ports in the Port-channel:

Index   Load   Port     EC state        No of bits
------+------+------+------------------+-----------
  0     00     Gig0/1   On                 0
  0     00     Gig0/2   On                 0
Time since last port bundled:    00d:00h:15m:26s    Gig0/2



Check 3:


CS1#show ip interfaces  brief << check that status and protocol are both up/up
Interface              IP-Address      OK? Method Status                Protocol

~ output omitted ~

Port-channel 1         unassigned      YES unset  up                    up



Check 4:




CS1#show interfaces trunk  << check that the Port-channel trunk is normal


Port        Mode         Encapsulation  Status        Native vlan
Gig0/1      on           802.1q         trunking      1
Gig0/2      on           802.1q         trunking      1
Po1         on           802.1q         trunking      1

Port        Vlans allowed on trunk
Gig0/1      1-1005
Gig0/2      1-1005
Po1         1-1005

Port        Vlans allowed and active in management domain
Gig0/1      1
Gig0/2      1
Po1         1

Port        Vlans in spanning tree forwarding state and not pruned
Gig0/1      1
Gig0/2      1
Po1         1



Check 5:
CS1#show interfaces  << look at the detailed information for interface Port-channel1



Port-channel 1 is up, line protocol is up (connected)
  Hardware is Lance, address is 0010.1167.4c4a (bia 0010.1167.4c4a)
  MTU 1500 bytes, BW 2100000 Kbit, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Half-duplex, 2100Mb/s
  input flow-control is off, output flow-control is off
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:08, output 00:00:05, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue :0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     956 packets input, 193351 bytes, 0 no buffer
     Received 956 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected
     2357 packets output, 263570 bytes, 0 underruns
     0 output errors, 0 collisions, 10 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
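As an added check that is not from the original post, this Python parses the Check 2 and Check 4 output above and confirms that both expected members are bundled (EC state On, as with mode on here) and that the Po is trunking; a member that drops out of the table, as in the gi1/1 experiment, shows up as a finding. The sample outputs are reconstructed from the post, trimmed to the tables the checks read.

```python
# Constructed samples modelled on the Check 2 and Check 4 output above,
# trimmed to the tables the checks read; not captured from a live switch.
SHOW_ETHERCHANNEL = """\
Port-channel: Po1
Ports in the Port-channel:

Index   Load   Port     EC state        No of bits
------+------+------+------------------+-----------
  0     00     Gig0/1   On                 0
  0     00     Gig0/2   On                 0
"""
SHOW_TRUNK = """\
Port        Mode         Encapsulation  Status        Native vlan
Gig0/1      on           802.1q         trunking      1
Gig0/2      on           802.1q         trunking      1
Po1         on           802.1q         trunking      1
"""

def parse_members(text):
    """Return {port: EC state} from the member table of 'show etherchannel port-channel'."""
    members = {}
    for line in text.splitlines():
        parts = line.split()  # e.g. ['0', '00', 'Gig0/1', 'On', '0']
        if len(parts) == 5 and parts[0].isdigit():
            members[parts[2]] = parts[3]
    return members

def parse_trunk(text):
    """Return {port: (status, native VLAN)} from the first table of 'show interfaces trunk'."""
    trunks = {}
    for line in text.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) == 5:
            trunks[parts[0]] = (parts[3], parts[4])
    return trunks

def verify_port_channel(po, expected_ports, etherchannel_out, trunk_out):
    """Check that every expected member is bundled (EC state On) and that the Po trunks."""
    findings = []
    members = parse_members(etherchannel_out)
    for port in expected_ports:
        state = members.get(port)
        if state is None:
            findings.append(f"{port} is missing from {po}")
        elif state != "On":
            findings.append(f"{port} is in EC state {state}, not On")
    extra = sorted(set(members) - set(expected_ports))
    if extra:  # a port nobody planned for was added to the bundle
        findings.append(f"unexpected members in {po}: {extra}")
    trunks = parse_trunk(trunk_out)
    if trunks.get(po, ("", ""))[0] != "trunking":
        findings.append(f"{po} is not trunking")
    return findings
```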







That completes the Port-channel configuration~ good job, Little Mike.
Next... let's experiment... what happens if one port of the port group goes down?
In the figure below two PCs are connected:

PC-A: 192.168.0.1
PC-B: 192.168.0.2
Let PC-A ping PC-B continuously; everything looks normal.


From ES1, shut down gi1/1, pretending that cable has lost its memory XD.. unexpectedly the port-channel went down.





So.... you can't have everything. To solve this, I think building two port-channels and then running STP or RSTP would solve it: more bandwidth plus redundancy. The downside, of course, is that more ports are used up.



Troubleshooting:
=================================================================
The build went smoothly so far... I don't know what problems to describe; I have not hit any.

=================================================================

Of course, if you have a better method, please share it with me..... because I am just a newbie.




Sunday, February 12, 2012

Cisco VTP Configuration

Today let's talk about VTP configuration.
The figure below is a common enterprise layout (usually it depends on budget or company size).

CS1 is an L3 switch, ES1 and ES2 are L2 switches. The boss wants to create a few VLANs and asks you to set up VTP so that only the L3 switch can add, delete, etc. VLANs.


Procedure:
=================================================================

CS1 configuration
CS1(config)#vtp domain mmc.local    << create a VTP domain
CS1(config)#vtp password 12345  << password (every switch in the mmc.local domain must use the same password)
Setting device VLAN database password to 12345
CS1(config)#vtp mode server  << server mode
CS1(config)#vtp version 2 << use VTP version 2


ES1 configuration


ES1(config)#vtp domain mmc.local
Changing VTP domain name from NULL to mmc.local
ES1(config)#vtp password 12345
Setting device VLAN database password to 12345
ES1(config)#vtp mode client
Setting device to VTP CLIENT mode.
ES1(config)#vtp version 2





ES2 configuration
ES2(config)#vtp domain mmc.local
Changing VTP domain name from NULL to mmc.local
ES2(config)#vtp password 12345
Setting device VLAN database password to 12345
ES2(config)#vtp mode client
Setting device to VTP CLIENT mode.

ES2(config)#vtp version 2


See, VTP is simple~ but someone speaks up... how do you know it actually works? Good question.
Let's verify....




Check CS1
CS1(config)#vlan 22 << create a VLAN named test
CS1(config-vlan)#name test


CS1#show vtp status 
VTP Version                     : 2
Configuration Revision          : 3
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 6  << ES1 and ES2 are in client mode and should show the same value
VTP Operating Mode              : Server
VTP Domain Name                 : mmc.local
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0xBD 0x2F 0x6C 0xD0 0x59 0x7C 0x2A 0x17





CS1#show vlan brief 
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Gig0/1, Gig0/2
22   test                             active    
1002 fddi-default                     active  
1003 token-ring-default               active  
1004 fddinet-default                  active  
1005 trnet-default                    active  
CS1#
CS1#




The check is the same on ES1 and ES2:
ES1#show vtp status
VTP Version                     : 2
Configuration Revision          : 0
Maximum VLANs supported locally : 255
Number of existing VLANs        : 5
VTP Operating Mode              : Client
VTP Domain Name                 : mmc.local
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0xB4 0xC6 0xCC 0x3A 0x90 0x77 0x91 0x29
Configuration last modified by 0.0.0.0 at 3-1-93 00:56:35


Let's see whether the VLANs synchronized.... the answer is no................ because there is no trunk.


CS1(config-if)#exit
CS1(config)#int range gi0/1 - gi0/2
CS1(config-if)#switchport trunk encapsulation dot1q 
CS1(config-if)#switchport mode trunk 

%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/2, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/2, changed state to up


After that, check again whether the VLANs have synchronized:
ES1#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Gig1/2
22   test                             active  
1002 fddi-default                     active  
1003 token-ring-default               active  
1004 fddinet-default                  active  
1005 trnet-default                    active  
ES1#


That completes the VTP configuration~ good job, Little Mike.


Troubleshooting:
=================================================================
1. Why does running switchport mode trunk produce the following error?


CS1(config-if)#switchport mode trunk
Command rejected: An interface whose trunk encapsulation is "Auto" can not be configured to "trunk"


Ans: At least one side has to be configured with the 802.1Q protocol first before it can work automatically; to be thorough, configure
          switchport trunk encapsulation dot1q on both sides and then run switchport mode trunk.

2. The configuration looks correct, but VTP just will not synchronize?
Ans:

   a.  Use #show vtp status to confirm that every switch is configured (domain, version).
   b.  Use #show vtp password to confirm that the passwords on both sides are the same.
   c.  Use debug sw-vlan vtp events and debug sw-vlan vtp packets to look at the error information.
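As an added example that is not part of the original post, the following Python does items a and b programmatically: it parses `show vtp status` from several switches (samples reconstructed from the outputs above) and compares domain, V2 mode, revision and MD5 digest. It also flags the case a defender cares about most: a switch whose configuration revision is higher than the server's, which would overwrite the server's VLAN database as soon as a trunk comes up.

```python
# Constructed samples modelled on the 'show vtp status' output above, trimmed
# to the fields the check reads; not captured from live switches.
VTP_STATUS = {
    "CS1": """\
Configuration Revision          : 3
VTP Operating Mode              : Server
VTP Domain Name                 : mmc.local
VTP V2 Mode                     : Enabled
MD5 digest                      : 0xBD 0x2F 0x6C 0xD0 0x59 0x7C 0x2A 0x17
""",
    "ES1": """\
Configuration Revision          : 0
VTP Operating Mode              : Client
VTP Domain Name                 : mmc.local
VTP V2 Mode                     : Enabled
MD5 digest                      : 0xB4 0xC6 0xCC 0x3A 0x90 0x77 0x91 0x29
""",
}

def parse_vtp_status(text):
    """Turn 'show vtp status' output into a {field: value} dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def check_vtp_domain(outputs):
    """Compare parsed status across switches and return a list of findings."""
    parsed = {sw: parse_vtp_status(t) for sw, t in outputs.items()}
    findings = []
    servers = [sw for sw, p in parsed.items() if p["VTP Operating Mode"] == "Server"]
    if len(servers) != 1:
        findings.append(f"expected exactly one VTP server, found {servers}")
    for field in ("VTP Domain Name", "VTP V2 Mode"):
        values = {p[field] for p in parsed.values()}
        if len(values) > 1:
            findings.append(f"{field} differs across switches: {sorted(values)}")
    if len(servers) == 1:
        server_rev = int(parsed[servers[0]]["Configuration Revision"])
        for sw, p in parsed.items():
            rev = int(p["Configuration Revision"])
            if rev > server_rev:
                # VTP accepts the highest revision: this switch would overwrite the server's VLAN database
                findings.append(f"{sw} revision {rev} is above the server's {server_rev}")
            elif rev < server_rev:
                findings.append(f"{sw} revision {rev} is behind the server ({server_rev}): not synchronized, check the trunk")
    revisions = {p["Configuration Revision"] for p in parsed.values()}
    digests = {p["MD5 digest"] for p in parsed.values()}
    if len(revisions) == 1 and len(digests) > 1:
        findings.append("MD5 digest differs at the same revision: VTP password mismatch")
    return findings
```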

=================================================================

Of course, if you have a better method, please share it with me..... because I am just a newbie.