Monday, February 28, 2011

Planning For Wireless Network

If you're planning to deploy wireless access points in a networking project then congratulations, you still have lots of work to do before you get to configuring the access points.

There are lots of things to consider in a networking project: the location of the access points, the channels to use, whether there is radio interference at the locations, etc.

You need to do a wireless site survey in a network project; they even created their own science for this work.

Talking about wireless site surveys could take its own blogs, books, tools and even a specialized certification if you want to do it properly and professionally.
The tools, software and hardware, don't come cheap, I'm telling you.

There is software that can do a wireless site survey; it can visually show you the range of the access points installed on the site. A few that I've seen at work before are from ekahau and visiwave.

At the top of this post is a sample report from visiwave and the picture on the left here is from ekahau.

These pictures show you the range of the wireless access points on site, kind of like a heat map. With these you can determine the best placement for the access points so they reach all clients.

From my experience not all of this software works with every wireless card, so before purchasing, check whether it supports your wireless card or not.

There is also hardware that can help you do the site survey, and it can also scan for radio interference such as that coming from microwave ovens, cordless phones, etc.
You've got to check out the yellowjacket from bvssystem, these things are cool.

The people at bvssystem integrate an HP iPaq PDA with their yellowjacket to be used as a wireless site survey tool.
This one comes in the form of a Tablet PC for spectrum analysis:

Both software and hardware can provide you with detailed reports of the wireless site survey results.

Now that's when you're working on a network project; if you want to deploy wireless access points in your home or SOHO, you don't need to go through all that trouble.

In the next post I want to talk about the things to consider if you want to install wireless access points in your home or SOHO.

Get To Know Cisco Aironet Wireless Access Point


Ah, I just love these things, the Cisco Aironet Wireless Access Points. On the left you can see the Cisco Aironet 1240AG Access Point, one among all the other Cisco Aironet series.

This is the very first Cisco device that I got; I thought that at least I could integrate it with my existing non-Cisco home network.

The 1240AG is not the prettiest access point you can get, but I like the shape anyway. It reminds me of the liquor bottles I used to see in the movies.

Now why would you want to buy a Cisco Aironet? It costs about ten times or more than the average home access points like Linksys or D-Link.

These Aironet things are great. The 1240AG has one Fast Ethernet port and one console port.
It doesn't come with integrated antennas; you have to buy them. You can use 802.11g antennas and/or 802.11a antennas. This gives you flexibility in choosing the antennas; you can even use both if you want to.
Mind you that not all countries allow the use of the 802.11a standard.

The console port is, as usual, used for configuring the Cisco Aironet Access Point through the CLI. You can also use a web browser to configure the Access Point; unlike other Cisco devices' web interfaces, the Aironet web interface offers a rich set of configuration features.
Other Cisco devices' web interfaces don't look that good; you would definitely prefer configuring those devices through the CLI.

Below is an example of the Cisco Aironet web interface:


Unlike other Cisco devices, Cisco Aironet Access Points are by default configured to accept an IP address from a DHCP server, so if you have a DHCP server in your LAN, that's great.
Just plug in a cable to connect the access point to your LAN and as soon as it receives an IP address you can configure it.

One tip: the Cisco Aironet 1100 series Access Points have a default IP address of 10.0.0.1 that lasts for just 5 minutes.
So during those 5 minutes you can configure your computer's NIC with an IP address of 10.0.0.2 or similar, and connect a network cable from your computer's NIC to the Ethernet port of the access point.
Open the web browser and type in the 10.0.0.1 address, then you can do some configuration. Remember this only lasts for 5 minutes; after that the access point will request an IP address from a DHCP server indefinitely.

Now what other features do the Aironet Access Points have? Many features that the average home access points don't have.

You can configure the Access Points to act as an Intrusion Detection System (IDS) to protect your network, use them to scan your network for rogue access points that your neighbour uses to steal your bandwidth, and they also offer the powerful 802.1X to authenticate clients.

You can also set the transmit power and data rates of the wireless radio interfaces yourself.

Configure several SSIDs to segment your network. Each SSID can be mapped to a VLAN. Provide an SSID for your guests, another SSID for your home users, and a special SSID just for administration purposes.
Want another SSID? A special SSID just for handling your VoIP packets, cool.

If you have several Cisco Aironet Access Points at your disposal, set them up so your users can roam all over the place and jump from one access point's area to another without losing the connection.

Have hundreds of Aironet Access Points in a project? You don't need to configure them one by one. Upgrade, or request from Cisco, Aironets with the Cisco IOS Lightweight mode enabled.
With the Lightweight feature and a wireless LAN controller you just need to make one configuration on the wireless LAN controller and it will push the configuration to all access points in your network.
Saves you a lot of work.

So many features to tell about; to try out all these features get your own Cisco Aironet Wireless Access Points now. You won't be sorry if you're a true techie, except that your wallet will be a bit thinner.

The Danger of Broadcast Storm and the Solution

If you've taken the Cisco Academy program or been in the networking world for a while, you must have heard about broadcast storms.

A broadcast storm is a state in a network where a broadcast frame in a switched environment is continually being flooded through the network.

This mostly happens in a switched environment where you have redundant connections between switches; remember that routers segment or isolate broadcasts between networks.

Redundant connections are important if you want to create a backup path between switches. If one path fails the other will take over.
This won't work out with switches that don't have any loop avoidance mechanism.

This is how a broadcast storm can happen: I have two switches connected with redundant links, one switch connected to a client and the other switch connected to a server.

Then the client sends a broadcast, say an Address Resolution Protocol (ARP) request to find out where the server is, like this. Pay attention to the red arrow; pretend that the arrow is the broadcast frame sent by the client.


Remember the rule of a switch: a switch forwards a broadcast frame out of all ports except the port where it received the frame.

Switch A receives the frame and forwards it out of the two links it has:


Switch B receives the broadcast frame on two different ports and forwards it again out of the other ports, including the port where the server is attached.

But it doesn't stop there; the frames are flooded again back to Switch A and back to the client.


From now on, back again to picture 2, then 3 and so on; this will keep going forever until you shut down the network.
This condition is also called a switching loop and it leads to a broadcast storm.
Most likely you will find a question about this in the CCNA exam.

Luckily Cisco switches have a loop avoidance mechanism called Spanning Tree Protocol or STP.

What STP does is eliminate loops in the network while allowing redundant links; the switches in the network send out BPDUs or Bridge Protocol Data Units.

A BPDU is like a boomerang sent out of all ports of the switch. The BPDUs travel all over the network, and when a switch receives the BPDU it sent, the switch knows that a switching loop is occurring in the network and will block one of the ports where the loop occurred.

Actually a whole set of sessions would be needed just to explain STP; there are even books specialized in explaining STP, considering that STP is very important in a redundant network.

STP eliminates redundant links in your network, that's it, but if you don't carefully design your network, even if you're using Cisco devices, your network will someday experience a meltdown.

There's a great article about a network meltdown in a hospital related to STP that you can read here. In a hospital!! Man, that's serious business; we're talking about people's lives here.
So the case study can be a valuable resource for you, just read it.
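To make the pictures above concrete, here is a small simulation (added example, not code from the original post) of the two-switch topology with two redundant links. It applies the switch flooding rule round by round, once with no loop avoidance and once with one port of the second link put in the blocking state as STP would do, and also models the post's "boomerang" picture of a BPDU that comes back to its sender. Switch names, port numbers and the topology are constructed to match the drawing.

```python
from typing import Dict, FrozenSet, List, Tuple

Port = Tuple[str, int]  # (switch name, port number)

# Constructed topology from the post's drawing:
#   client -- Switch A ==(two redundant links)== Switch B -- server
LINKS: Dict[Port, Port] = {
    ("A", 1): ("client", 0),
    ("A", 2): ("B", 2),
    ("A", 3): ("B", 3),
    ("B", 1): ("server", 0),
    ("B", 2): ("A", 2),
    ("B", 3): ("A", 3),
}
SWITCH_PORTS: Dict[str, List[int]] = {"A": [1, 2, 3], "B": [1, 2, 3]}
HOSTS = {"client", "server"}


def forward(sw: str, ingress: int, blocked: FrozenSet[Port]) -> Tuple[List[Port], List[str]]:
    """Apply the switch rule to one broadcast frame: send it out of every port
    except the one it came in on. A port in STP blocking state neither accepts
    nor sends frames. Returns (frames now arriving at other switches,
    names of end hosts that received a copy)."""
    if (sw, ingress) in blocked:
        return [], []
    to_switches: List[Port] = []
    to_hosts: List[str] = []
    for port in SWITCH_PORTS[sw]:
        if port == ingress or (sw, port) in blocked:
            continue
        dst, dst_port = LINKS[(sw, port)]
        if dst in HOSTS:
            to_hosts.append(dst)  # an end host absorbs the frame
        else:
            to_switches.append((dst, dst_port))
    return to_switches, to_hosts


def flood_rounds(blocked: FrozenSet[Port] = frozenset(), max_rounds: int = 10) -> Tuple[List[int], int]:
    """Inject one broadcast (the client's ARP request) at Switch A port 1 and
    run the flooding rule round by round. Returns the number of frame copies
    still circulating after each round and how many copies the server saw."""
    inflight: List[Port] = [("A", 1)]
    counts: List[int] = []
    server_copies = 0
    for _ in range(max_rounds):
        nxt: List[Port] = []
        for sw, ingress in inflight:
            to_switches, to_hosts = forward(sw, ingress, blocked)
            nxt.extend(to_switches)
            server_copies += to_hosts.count("server")
        inflight = nxt
        counts.append(len(inflight))
        if not inflight:
            break  # the broadcast died out, no storm
    return counts, server_copies


def loop_detected(origin: str, blocked: FrozenSet[Port] = frozenset(), max_hops: int = 8) -> bool:
    """The post's 'boomerang' picture: the switch sends a probe out of every
    port and concludes there is a loop if a copy comes back to it."""
    inflight: List[Port] = []
    for port in SWITCH_PORTS[origin]:
        dst, dst_port = LINKS[(origin, port)]
        if dst not in HOSTS and (origin, port) not in blocked:
            inflight.append((dst, dst_port))
    for _ in range(max_hops):
        nxt: List[Port] = []
        for sw, ingress in inflight:
            if sw == origin:
                return True  # our own probe came back: switching loop
            nxt.extend(forward(sw, ingress, blocked)[0])
        inflight = nxt
        if not inflight:
            return False
    return False


if __name__ == "__main__":
    stp_block = frozenset({("B", 3)})  # STP puts one end of the second link in blocking
    print("no STP  :", flood_rounds())            # copies never stop circulating
    print("with STP:", flood_rounds(stp_block))   # one copy reaches the server, then silence
    print("loop seen from A, no STP  :", loop_detected("A"))
    print("loop seen from A, with STP:", loop_detected("A", stp_block))
```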

This happened to me once when I went to a client. They're just a small office, kind of like a SOHO; they're not using Cisco devices, just network devices from Linksys and D-Link.

So they called me and said that for some reason the network went down.

After checking the network for a while, there was no problem with the configuration and the cabling, but still no connectivity.
Then after tracing all the cables - it was not exactly neat cabling they had there - I found that one cable was connected end to end to the same switch, which created the broadcast storm.

So the moral of this story: it's very easy to take down an entire network with just a single network cable, especially if the network is using average home network devices.

Needless to say, it is very important to keep your network devices physically secure. You can't trust the employees anymore nowadays.

Monday, February 21, 2011

Adding Switch to Cisco Home Lab 5

Configure Router as DHCP Server for VLANs
Now this part of the configuration is the most fun part of all. I just love the way one router accepts requests from clients on different VLANs (with different subnets) and hands out addresses based on which VLAN a client resides in.
That's just cool; your average home router can't do this kind of stuff. The most an average home router can do is hand out IP addresses for one network.
In the previous post, I wrote about how to make a router a DHCP server. This post is similar, but now I'm going to make the router hand out IP addresses to clients on different networks.
The configuration is also the same, but now I'm going to make several IP DHCP pools. The amazing thing is that the router can differentiate each client's request for an IP address.
The router listens to the requests and knows which request comes from which sub interface (subnet or VLAN).
Then the router takes an available IP address from the matching DHCP pool and tells the client that it's now using that IP address.
In this example I'm using four networks in my local area network. I won't be handing out addresses for VLAN 5 since I'm only going to use its addresses for management purposes; I'll assign those statically on the networking devices.
The 3 networks left, VLAN 10, 20 and 30, get their IP addresses from the DHCP server.
Same as before, you need to exclude the IP addresses that you don't want to give out through DHCP. I reserve the first ten addresses of each network; I'll probably need them for something else in the future.
router> enable
router# configure terminal
router (config)# ip dhcp excluded-address 192.168.10.1 192.168.10.10
router (config)# ip dhcp excluded-address 192.168.20.1 192.168.20.10
router (config)# ip dhcp excluded-address 192.168.30.1 192.168.30.10

Now DHCP will give out addresses to the clients starting from XXX.XXX.XXX.11.
Next is to configure the DHCP pools for the respective VLANs:
router (config)# ip dhcp pool OFFICE
router (dhcp-config)# network 192.168.10.0 255.255.255.0
router (dhcp-config)# default-router 192.168.10.1
router (dhcp-config)# dns-server xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
router (config)# ip dhcp pool HOME
router (dhcp-config)# network 192.168.20.0 255.255.255.0
router (dhcp-config)# default-router 192.168.20.1
router (dhcp-config)# dns-server xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
router (config)# ip dhcp pool WIRELESS
router (dhcp-config)# network 192.168.30.0 255.255.255.0
router (dhcp-config)# default-router 192.168.30.1
router (dhcp-config)# dns-server xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx

You can set the dns-server option to point to up to 6 DNS servers.
The default-router command tells the clients to set their default gateway to the router's sub interface.
At this point, if you can ping all the sub interfaces of the router from the switch, the router will hand out IP addresses for DHCP requests coming from the clients.
The router differentiates the requests like this: if a request comes in on sub interface ethernet 0/1.10, then the router will give an IP address according to the IP address on that interface (the 192.168.10.0 network).
After this you need to configure the router for the internet connection, if you haven't done it before.
Remember to apply an access list that allows all networks you have in the LAN to be translated by NAT.
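The pool selection described above, as an added example (not the router's own code or the original post's): the server picks the pool whose network contains the address of the sub interface the request arrived on, skips the excluded-address ranges and the default-router address, and hands out nothing for a sub interface with no pool (VLAN 5 here). The pool names, excluded ranges and gateways follow the configuration above; the DNS server address 192.0.2.53 is a constructed placeholder for the xxx.xxx.xxx.xxx in the post.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple


class Pool:
    """One 'ip dhcp pool' block: network, default-router and dns-server options."""

    def __init__(self, name: str, network: str, default_router: str, dns_servers: List[str]):
        self.name = name
        self.network = ipaddress.ip_network(network)
        self.default_router = ipaddress.ip_address(default_router)
        self.dns_servers = [ipaddress.ip_address(d) for d in dns_servers]


class DhcpServer:
    def __init__(self, pools: List[Pool], excluded: List[Tuple[str, str]]):
        self.pools = pools
        # 'ip dhcp excluded-address first last' ranges, expanded to a set
        self.excluded = set()
        for first, last in excluded:
            lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
            self.excluded.update(ipaddress.ip_address(i) for i in range(lo, hi + 1))
        self.leases: Dict[ipaddress.IPv4Address, str] = {}  # address -> client MAC

    def pool_for_interface(self, subif_ip: str) -> Optional[Pool]:
        """Match a request to the pool whose network contains the ingress sub interface's address."""
        addr = ipaddress.ip_address(subif_ip)
        for pool in self.pools:
            if addr in pool.network:
                return pool
        return None

    def offer(self, subif_ip: str, client_mac: str) -> Optional[dict]:
        """Hand out the lowest free address of the matching pool, or None if there is
        no pool for that sub interface or the pool is exhausted."""
        pool = self.pool_for_interface(subif_ip)
        if pool is None:
            return None  # e.g. VLAN 5 in the post: management only, no pool configured
        for host in pool.network.hosts():
            if host in self.excluded or host in self.leases or host == pool.default_router:
                continue
            self.leases[host] = client_mac
            return {
                "pool": pool.name,
                "address": str(host),
                "gateway": str(pool.default_router),
                "dns": [str(d) for d in pool.dns_servers],
            }
        return None  # pool exhausted


def build_server() -> DhcpServer:
    """The post's three pools and excluded ranges (DNS address is a constructed placeholder)."""
    dns = ["192.0.2.53"]
    pools = [
        Pool("OFFICE", "192.168.10.0/24", "192.168.10.1", dns),
        Pool("HOME", "192.168.20.0/24", "192.168.20.1", dns),
        Pool("WIRELESS", "192.168.30.0/24", "192.168.30.1", dns),
    ]
    excluded = [("192.168.10.1", "192.168.10.10"),
                ("192.168.20.1", "192.168.20.10"),
                ("192.168.30.1", "192.168.30.10")]
    return DhcpServer(pools, excluded)


if __name__ == "__main__":
    srv = build_server()
    print(srv.offer("192.168.10.1", "00:11:22:33:44:01"))  # request came in on e0/1.10
    print(srv.offer("192.168.10.1", "00:11:22:33:44:02"))  # next client on the same VLAN
    print(srv.offer("192.168.30.1", "00:11:22:33:44:03"))  # wireless VLAN
    print(srv.offer("192.168.5.1", "00:11:22:33:44:04"))   # management VLAN: no pool
```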

Adding Switch to Cisco Home Lab 4

Configure Router for InterVLAN Routing
If you only configure VLANs on the 2950 or other layer 2 switches, the clients can only communicate with other clients within the same VLAN.
If you want them to be able to communicate with clients on different VLANs, then you need to configure a router for interVLAN routing.
Configuring a router for interVLAN routing is often called router on a stick. The reason is that clients that want to communicate with clients on other VLANs need to go through the router first, and the router will route the packets to the appropriate VLAN back through the same link.

The disadvantage of this is that the single link going to the router will be filled with traffic from one VLAN going to another VLAN, and the router will be busy handling the routing for this.

No problem for a small LAN, but if you have a huge number of clients, you need to consider using Layer 3 or multilayer switches (Cisco Catalyst 3550 series or above) for interVLAN routing.

The concept of layer 3 switch routing is something you'd find at the CCNP level, not the CCNA.
I don't have a layer 3 switch; the cheapest one I can find in my local area is more than $600, yikes. But the configuration is so easy that I'll just give you some snippets later.
For now let's configure the router to do interVLAN routing.
We know that routers have a limited number of physical interfaces, right? The 2611 has 2 Ethernet interfaces by default.
One interface goes to the internet and the other is supposed to connect to the internal LAN.
How can one interface handle multiple VLANs, a.k.a. multiple networks with different subnets?
There's a genius way to get around this: logical sub interfaces. That one port can be logically divided into many sub interfaces.
Each sub interface will handle one VLAN/subnet.

NOTE:
Previously interVLAN routing could only be done by routers with Fast Ethernet interfaces (100 Mbps) and was not intended for Ethernet interfaces (10 Mbps) due to the small bandwidth. But now we can configure it on the Ethernet ports too.
Before configuring the router, let's look again at how the network diagram looks:

So we need to define four sub interfaces and their respective IP addresses; we also need to define the VLAN assigned to each sub interface using encapsulation dot1q VLAN_NUMBER, where VLAN_NUMBER is the VLAN ID for the sub interface.
You need to define the VLAN first on the sub interface, then you can assign the IP address there.
You don't need to assign an IP address to the main interface ethernet 0/1, but do a no shutdown on it and the sub interfaces will automatically come up with it.
Here's how we configure them:

router> enable
router# configure terminal
router (config)# interface ethernet0/1
router (config-if)# no ip address
router (config-if)# no shutdown
router (config-if)# interface ethernet0/1.5
router (config-subif)# encapsulation dot1q 5
router (config-subif)# ip address 192.168.5.1 255.255.255.0
router (config-subif)# interface ethernet0/1.10
router (config-subif)# encapsulation dot1q 10
router (config-subif)# ip address 192.168.10.1 255.255.255.0
router (config-subif)# interface ethernet0/1.20
router (config-subif)# encapsulation dot1q 20
router (config-subif)# ip address 192.168.20.1 255.255.255.0
router (config-subif)# interface ethernet0/1.30
router (config-subif)# encapsulation dot1q 30
router (config-subif)# ip address 192.168.30.1 255.255.255.0




You can give a sub interface a number up to 4294967295; the reason is that this gives you the flexibility to name the sub interface to match the VLAN ID. You can easily identify that sub interface e0/1.5 is for VLAN 5 and so on.
Oh, don't forget to do the no shutdown command on the main interface ethernet 0/1; it will also do the no shutdown for the sub interfaces.
Now if you can successfully ping interface VLAN 5 on the switch (192.168.5.2 in this example) then you are done configuring the router for interVLAN routing.
For configuring interVLAN routing on Layer 3 switches you have to make an interface VLAN for every VLAN that you want to route and give them IP addresses.
Layer3Switch> enable
Layer3Switch# configure terminal
Layer3Switch (config)# interface VLAN 5
Layer3Switch (config-if)# ip address 192.168.5.1 255.255.255.0
Layer3Switch (config-if)# no shutdown



Do this for every VLAN that you want to route; you don't need to configure sub interfaces on the router.
The layer 3 switch will do the routing for the VLANs without ever needing to send anything to the router first.
But you need to activate the IP routing feature on the switch first, if it's not already activated, using:

Layer3Switch (config)# ip routing


Very simple, right?

The last things left are the additional router configuration: the DHCP server for each subnet, connecting to the cable internet, and other details, in the next post.


Adding Switch to Cisco Home Lab 3

Assigning Switch Ports to VLANs

After configuring VLANs on the Cisco switch, now we need to assign the switch ports to VLANs.
We need to decide which ports should be in which VLAN; remember VLAN = broadcast domain = subnet.
So before making your own VLANs, consider the IP addressing scheme and which computer should be in which broadcast domain or network.
The next step is to configure the trunk port that connects to the router and the access ports that connect the switch ports to our clients' PCs or other network devices.

The trunk port is needed to carry all VLANs or selected VLANs (you can decide which VLANs are allowed to cross the trunk link) over one port, and the native VLAN is the VLAN ID that the switch assigns to untagged frames arriving on the trunk.
You should also configure a trunk if you want to connect a switch to another switch; you have to configure the trunk port on both switches.
An access port can only be a member of 1 VLAN; anything plugged into the access port will be assigned the configured VLAN ID.
You need to remember though, the devices attached to the switch ports don't know anything about VLANs; it is only something the switch knows.
Before frames are sent to the clients, the VLAN tags are stripped from them.
In this example I configure the FastEthernet port 0/1 to be the trunk port that connects to the router.

C2950> enable
C2950# configure terminal
C2950 (config)# interface fa0/1
C2950 (config-if)# switchport mode trunk

 
At this point you have already configured the port FastEthernet 0/1 (fa 0/1) to be a trunk port.
There are two encapsulation methods for trunking: ISL, which is a proprietary method from Cisco, only for Cisco devices, and 802.1Q or dot1q for short, which is the multi-vendor encapsulation method.
Since the 2950 switches only support the dot1q method you don't need to define it, but if your switch supports both methods then you need to configure it using switchport trunk encapsulation dot1q, or replace dot1q with isl if you want to use ISL.
Next is to define the native VLAN and, if you want to, which VLANs are allowed to cross that trunk port:

C2950 (config-if)# switchport trunk native vlan 5
C2950 (config-if)# switchport trunk allowed vlan 5,10,20,30


By default the trunk carries all VLANs; once you have set a list like this you can add or remove VLANs on the trunk port with the add and remove keywords of the same command.
Finished with the trunk port configuration, now we assign ports to the VLANs we created. You can assign the ports one by one like this:
 
C2950 (config)# interface fa0/2
C2950 (config-if)# switchport mode access
C2950 (config-if)# switchport access vlan 10
 

Or you can define a range of interfaces at once. Say I want to configure ports 0/2 to 0/8 as access ports for VLAN 10; then I just have to do this:
C2950 (config)# interface range fa0/2 - 8
C2950 (config-if-range)# switchport mode access
C2950 (config-if-range)# switchport access vlan 10

Do the same thing for VLAN 20, the home network VLAN:
C2950 (config)# interface range fa0/9 - 16
C2950 (config-if-range)# switchport mode access
C2950 (config-if-range)# switchport access vlan 20

Very handy command, right?
One trick I can give you: if you want to configure some ports that are not in sequential order, like ports 2 to 5, ports 10 to 15 and port 24, you can do it like this:
C2950 (config)# interface range fa0/2 - 5, fa0/10 - 15, fa0/24

There, you've successfully created access ports for VLAN 10 and 20. For VLAN 30, the VLAN used for the wireless network, I need to save it for another time since configuring a wireless network with Cisco devices takes some tricks.
Now we're done with the Cisco switch configuration; the next thing to do is configure the router to accept VLANs and be the DHCP server for all the networks.
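The access port, trunk port and router-on-a-stick behaviour described in this post and the previous one, as an added example (not code from the original posts or from Cisco): it builds and parses 802.1Q tagged Ethernet frames, assigns the access VLAN to an untagged frame from a host, tags frames crossing the trunk except for the native VLAN, assigns the native VLAN to untagged frames arriving on the trunk, strips the tag before a frame goes out an access port, and picks the router sub interface by VLAN ID. The router side assumes the native VLAN's sub interface is marked native (IOS's encapsulation dot1q 5 native); without that, untagged frames land on the physical interface, which has no IP address in this design. MAC addresses and the ARP payload are constructed.

```python
import struct
from typing import Dict, NamedTuple, Optional, Set

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag
ETHERTYPE_ARP = 0x0806


class Frame(NamedTuple):
    dst: bytes
    src: bytes
    vid: Optional[int]   # None means the frame carries no 802.1Q tag
    ethertype: int
    payload: bytes


def parse_frame(raw: bytes) -> Frame:
    """Parse an Ethernet II frame, peeling off one 802.1Q tag if present."""
    if len(raw) < 14:
        raise ValueError("runt frame")
    dst, src = raw[:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    vid, body = None, raw[14:]
    if ethertype == TPID_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        vid = tci & 0x0FFF          # low 12 bits of the TCI are the VLAN ID
        body = raw[18:]
    return Frame(dst, src, vid, ethertype, body)


def build_frame(f: Frame, pcp: int = 0) -> bytes:
    """Serialise a Frame, inserting an 802.1Q tag when f.vid is set."""
    head = f.dst + f.src
    if f.vid is not None:
        if not 1 <= f.vid <= 4094:
            raise ValueError("VLAN ID out of range")
        tci = ((pcp & 0x7) << 13) | f.vid
        head += struct.pack("!HHH", TPID_8021Q, tci, f.ethertype)
    else:
        head += struct.pack("!H", f.ethertype)
    return head + f.payload


def access_ingress(raw: bytes, access_vlan: int) -> Frame:
    """Access port: the host knows nothing about VLANs, the switch assigns the
    port's configured VLAN. A tagged frame from a host is dropped here."""
    f = parse_frame(raw)
    if f.vid is not None:
        raise ValueError("tagged frame on access port dropped")
    return f._replace(vid=access_vlan)


def access_egress(f: Frame) -> bytes:
    """Access port: the tag is stripped before the frame goes to the client."""
    return build_frame(f._replace(vid=None))


def trunk_egress(f: Frame, native: int, allowed: Set[int]) -> Optional[bytes]:
    """Trunk: native VLAN frames leave untagged, others carry a tag;
    a VLAN not in the allowed list does not cross the trunk at all."""
    if f.vid not in allowed:
        return None
    return build_frame(f._replace(vid=None if f.vid == native else f.vid))


def trunk_ingress(raw: bytes, native: int) -> Frame:
    """Trunk: an untagged frame is assigned the native VLAN ID (the reason the
    post suggests moving the native VLAN away from a user VLAN)."""
    f = parse_frame(raw)
    return f if f.vid is not None else f._replace(vid=native)


def router_subinterface(raw: bytes, subifs: Dict[int, str], native_vid: Optional[int]) -> str:
    """Router on a stick: choose the sub interface by the tag's VID. An untagged
    frame reaches a sub interface only if one is marked native; otherwise it
    lands on the physical interface, which has no IP address in this design."""
    f = parse_frame(raw)
    vid = f.vid if f.vid is not None else native_vid
    return subifs.get(vid, "ethernet0/1 (physical, no IP)")


# Constructed sample data: a broadcast ARP request from a host on an access port.
HOST_MAC = bytes.fromhex("0200000000aa")
BCAST = b"\xff" * 6
ARP_REQUEST = b"\x00\x01\x08\x00\x06\x04\x00\x01" + bytes(20)
SUBIFS = {5: "ethernet0/1.5", 10: "ethernet0/1.10", 20: "ethernet0/1.20", 30: "ethernet0/1.30"}
ALLOWED = {5, 10, 20, 30}

if __name__ == "__main__":
    untagged = build_frame(Frame(BCAST, HOST_MAC, None, ETHERTYPE_ARP, ARP_REQUEST))
    in_vlan10 = access_ingress(untagged, 10)                 # fa0/2 is an access port in VLAN 10
    on_trunk = trunk_egress(in_vlan10, native=5, allowed=ALLOWED)
    print("tagged on trunk:", on_trunk[12:14].hex(), "vid", parse_frame(on_trunk).vid)
    print("router picks:", router_subinterface(on_trunk, SUBIFS, 5))
    mgmt = trunk_egress(Frame(BCAST, HOST_MAC, 5, ETHERTYPE_ARP, ARP_REQUEST), 5, ALLOWED)
    print("native VLAN 5 leaves untagged:", parse_frame(mgmt).vid is None)
    print("router without native sub interface:", router_subinterface(mgmt, SUBIFS, None))
```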

Adding Switch to Cisco Home Lab 2

Configuring VLANs

I'll start the configuration of adding a switch to my Cisco home lab by configuring the switch first. In the previous tutorial series, I posted about how to connect a Cisco router to cable internet, and here's how the network will look again after adding a switch to it:

The network will have 4 VLANs, with VLAN 5 acting as the native VLAN.
By default, the native VLAN of Cisco switches is VLAN 1; you might want to change the native VLAN from VLAN 1 to another VLAN since there is a security concern about this.
You can read a nice article about the native VLAN security concern from Cisco.
On 2950 switches, you have to type in these commands to create the VLANs:


C2950> enable
C2950# configure terminal
C2950 (config)# vlan 5
C2950 (config-vlan)# name MANAGEMENT
C2950 (config-vlan)# vlan 10
C2950 (config-vlan)# name OFFICE
C2950 (config-vlan)# vlan 20
C2950 (config-vlan)# name HOME
C2950 (config-vlan)# vlan 30
C2950 (config-vlan)# name WIRELESS


You can verify that you successfully created the VLANs by issuing this command:

C2950# show vlan

Now to set up VLAN 5 as the native VLAN of the switch, give it an IP address like this:
C2950 (config)# interface VLAN 5
C2950 (config-if)# ip address 192.168.5.2 255.255.255.0
C2950 (config-if)# no shutdown

 
By issuing the no shutdown command, interface VLAN 1 will automatically be shut down and replaced by VLAN 5.
Assigning an IP address to a VLAN other than VLAN 1 makes that VLAN the management VLAN, so your switch can be accessed for configuration using telnet.
You can only change the native VLAN from VLAN 1 to another VLAN; you can't delete VLAN 1.
The next thing you need to do is assign those VLANs to the switch's ports.

Adding Switch to Cisco Home Lab 1

So I was sitting and thinking about what to post next on my blog, and hey, why not continue the last posts about setting up a Cisco home lab.

The network topology might not be the best topology for a CCNA home lab, but the configuration should be similar for any other topology.

Let's take a look at the last network topology, where I connected the 2611 router to the cable internet:
I'm going to add a Cisco switch, a 2950 Cisco switch that is. And I'll be adding some VLANs to it; I'll separate the PCs in my LAN into four different networks.

  • VLAN 5 as the native VLAN - 192.168.5.0 network
  • VLAN 10 for the office - 192.168.10.0 network
  • VLAN 20 for the home - 192.168.20.0 network
  • VLAN 30 for wireless - 192.168.30.0 network
In a network diagram, it looks like this:
This is just a very simple network diagram, but most SOHO networks typically look like this, maybe with some additional switches here and there.

You can see above the details of the network, with the exception of the wireless network; I'll leave the wireless network configuration for later posts but still provide a VLAN for wireless connectivity.

Seven Reasons to choose Cisco for home or SOHO Network

After building my own Cisco home lab, I feel very satisfied with how the devices perform in my LAN.
So let me poison your mind: I'm going to show you why I think home network geeks, like myself, and SOHO networks should consider replacing the network devices they have now with Cisco networking devices.

Actually Cisco has an article called Why Enterprises Choose Cisco, but frankly I don't quite understand what they're trying to say, so I figured out 7 reasons that I can think of for choosing Cisco for a home or SOHO network.

1. Cisco Certification

The number one reason is of course to smooth your way to passing the Cisco certification exams. You can get away without having a Cisco home lab for the CCNA exam, but above that, especially if you don't have direct access to real Cisco devices, you at least need to rent a Cisco lab.

2. Wide Range of Products
This doesn't just apply to Cisco; every vendor has a wide range of products to offer: routers, switches, VPN concentrators, wireless, firewalls, you name it.
But wouldn't it be nice to have a room in your home or SOHO with that cool Cisco logo on all of the devices?
Imagine clients walking through your office and seeing the network rack, or at least a picture of it, and saying in shock: what the heck is that???
Oh, that's just our small data center, you reply.
Surely that makes your business seem reliable enough, or what?

3. Scalability
This is what I really like about Cisco: you can easily upgrade everything, well almost everything, in the devices.
Say you bought a 2611 router, the chassis only, and later you find out you need WAN connectivity, a DSL connection, additional switch ports, VPN, and even a voice card for VoIP, etc.
You can just buy the modules and slide them into your router; not all of them of course, but as many as the router permits.
The complete reference for the modules supported by 2600 routers can be found here.
You can buy and upgrade the IOS according to your needs. Routers such as Linksys can also be upgraded (the firmware), and many third-party firmwares are also available, but the Cisco IOS can do much more, no doubt.
Need more power for the Cisco routers? No problem, you can always upgrade the RAM; now this is hard to do on average home routers. You can easily slide bigger RAM into the router just like in PCs.
The default amount of RAM in my 2611 gives me great connectivity to the internet compared to my old router.
You know, if you connect lots of clients to the internet, the router maintains a NAT table, and if the RAM is not enough it will affect the connectivity.

4. Manageability
Having Cisco devices in your LAN is like being a tyrant in your own kingdom. You can pretty much do anything in it at your wish.
Kick out a client, limit the connection to nearly zero bytes per second and let them come to you and beg for mercy.
No no, that's not me... I think. I don't know about you, but controlling network devices from the CLI is like having unlimited power over the LAN.
You can configure anything right from nothing and see it connect successfully; I'm telling you, nothing beats the feel of it.

5. Reliability
No question about the reliability of Cisco devices. In fact I just learned that Cisco Systems set a Guinness World Record with the world's highest capacity internet router.
Now get this: with the show version command on the device you can view the uptime, right? How long the router has been up and running without shutting down or reloading.
A company has a record of about 10+ years, 10 years, man,

6. Enterprise Class Features
Depending on the router capabilities and the IOS image you have, you can have enterprise class features in your LAN.
Advanced firewall, Intrusion Detection System, multicast handling, VoIP; all of that you can have just by upgrading your Cisco routers later when your company gets bigger.

7. Cost
No, I'm not talking about the cost of buying Cisco devices; the prices for new ones are insane for home and SOHO usage. But you can always buy used ones from eBay or other used Cisco resellers.
What I want to say is the cost that you can save if you buy Cisco devices. Return on investment, as smarter people would say.
So are the reasons good enough for you? If you're working in a SOHO you might be able to persuade the finance department to upgrade the network devices you have now.
But if you're just a student or a techie who wants to get deeply intimate with Cisco, how could you ever afford them?
If you really, really want it, why not? Take a look at me: I'm currently just about a quarter of a century old, living in a country where you wouldn't dream of having a real live Cisco home lab.
And no, my Dad is not a millionaire; I bought the Cisco lab purely from my own income, one piece at a time. You just need to know what to buy and where.

SNMP (Simple Network Management Protocol) for Cisco

When you've set up your Cisco devices, you might also want to monitor them. It's very inconvenient if you have to look at the lights blinking on your Cisco devices, or log in to the devices and type show ip interface brief just to see if the interfaces are running correctly.

To make monitoring network devices easier, the great people in the network industry invented SNMP (Simple Network Management Protocol).

SNMP gives you great flexibility: you can allow a group of people to just monitor the network devices in your LAN (read-only rights) and allow another group to monitor and make changes to the network devices (read-write rights).



The image above shows one of many networking tools that implement SNMP; this one is from solarwinds.
You can view CPU/memory usage, bandwidth usage, etc. in graphical form.
Some terms that you need to be familiar with when configuring SNMP:

GET
Gets are used to collect information from network devices in read-only mode. You need to configure a community string on a Cisco device so a network tool can identify itself to it. Apply read-only rights so the users having this community string can only view information on the network devices.

Setting it on a Cisco device is very easy; just go to global configuration mode and type in:

router (config)# snmp-server community public RO


The above command configures the router with a community string of "public" with read-only rights.
You can also apply an access list to that community string.
Now that you have that community string, set it in the network tool so it can monitor the network device.

SET

Sets can be used to make changes to a network device, such as shutting down an interface, etc.
Configuring sets is similar to the GET configuration; you only need to change the read-only rights to read-write rights.

router (config)# snmp-server community private RW



Since this command allows anyone who knows the community string to configure the network device, you should always apply an access list to the read-write community.

TRAPS

Where GETs and SETs are initiated by the admin, traps are initiated by the network device itself.
This is very useful when an emergency pops up, such as an interface going down or a fan failure: the device immediately sends a message to a preconfigured destination.
Do this to send traps to host 192.168.1.10 with community string "public" (the second line turns trap generation on; without it nothing is sent):

router (config)# snmp-server host 192.168.1.10 public
router (config)# snmp-server enable traps
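A quick check you can run against a saved running-config to catch the mistakes discussed above (well-known community strings, read-write access without an access list, trap hosts still on SNMPv1/v2c). This is an added Python example, not code from the original post; the sample configuration lines and the list of well-known strings are constructed for illustration.

```python
"""Audit the snmp-server lines of a Cisco IOS running-config for weak settings.

Added example for this post, not code from the original page. The rules
(well-known community names, RW without an access list, v1/v2c trap hosts)
and the sample configuration below are assumptions made for illustration.
"""
import re

# Constructed sample of "show running-config | include snmp-server" output.
SAMPLE_CONFIG = """\
snmp-server community public RO
snmp-server community private RW
snmp-server community n3tm0n-ro RO 10
snmp-server community n3tm0n-rw RW
snmp-server host 192.168.1.10 public
snmp-server host 192.168.1.10 version 3 auth monitor
snmp-server group ADMINS v3 priv
"""

# Assumed list of strings every scanner tries first.
DEFAULT_COMMUNITIES = {"public", "private", "cisco", "admin", "secret"}

# snmp-server community <string> [view <name>] [RO|RW] [<acl-number-or-name>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<name>\S+)(?: view \S+)?"
    r"(?: (?P<mode>ro|rw))?(?: (?P<acl>\S+))?$",
    re.IGNORECASE,
)
# snmp-server host <addr> [traps|informs] [version {1|2c|3 [auth|noauth|priv]}] <string>
HOST_RE = re.compile(r"^snmp-server host (?P<host>\S+)(?: (?P<rest>.*))?$")


def audit_snmp(config: str) -> list:
    """Return (line number, finding) pairs for every weak snmp-server line."""
    findings = []
    for lineno, raw in enumerate(config.splitlines(), start=1):
        line = raw.strip()
        m = COMMUNITY_RE.match(line)
        if m:
            name = m.group("name")
            mode = (m.group("mode") or "RO").upper()   # IOS defaults to read-only
            if name.lower() in DEFAULT_COMMUNITIES:
                findings.append((lineno, f"well-known community string '{name}' ({mode})"))
            if mode == "RW" and not m.group("acl"):
                findings.append((lineno, f"RW community '{name}' is not restricted by an access list"))
            continue
        m = HOST_RE.match(line)
        if m and "version 3" not in (m.group("rest") or ""):
            findings.append((lineno, f"trap host {m.group('host')} uses SNMPv1/v2c: "
                                     "the community string travels in cleartext"))
    return findings


if __name__ == "__main__":
    for lineno, finding in audit_snmp(SAMPLE_CONFIG):
        print(f"line {lineno}: {finding}")
```

Feed it the output of show running-config | include snmp-server from each device; a read-only community with an access list and SNMPv3 trap hosts produce no findings.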

What are PPP and PPPoE?

Point-to-Point Protocol (PPP) and Point-to-Point Protocol over Ethernet (PPPoE) are network protocols that carry data between two network entities, or points. Throughout the documentation for both protocols, points are referred to as nodes, computers, or hosts. The protocols are similar in design with one major difference: PPPoE is encapsulated in Ethernet frames. Both protocols sit at the network access layer (also known as the data link layer) and carry network layer protocols including IPv4 and IPv6.

Point-to-Point Protocol (PPP)

PPP was first proposed as a standard by the Internet Engineering Task Force (IETF) in 1989 and became a working standard in 1994. The IETF specification for PPP is RFC 1661. PPP is the protocol most widely used by Internet service providers (ISPs) for dial-up connections to the Internet. PPP carries data packets over point-to-point links. Originally designed for serial connections, PPP was adopted by ISPs to provide dial-up Internet access. PPP can itself be carried over a number of link layers, including Ethernet (PPPoE) and Asynchronous Transfer Mode (PPPoA).
PPP uses the Link Control Protocol (LCP) to establish a session between a user's computer and an ISP. LCP is responsible for determining whether the link is acceptable for data transmission. LCP packets are exchanged between the two endpoints to negotiate link characteristics, including the maximum packet size and which authentication protocol will be used, and to detect configuration errors.
PPP supports three user authentication protocols that provide different levels of security. Password Authentication Protocol (PAP) is the simplest: the client sends its user name and password to the network access server, which checks them itself or forwards them to an authentication server (typically RADIUS). PAP is the least secure because the password crosses the link in cleartext, and anyone who captures it can replay it.
Challenge Handshake Authentication Protocol (CHAP) is similar to PAP with several unique characteristics. Instead of requesting a password, the network access server sends a challenge message to the client machine. The challenge is a random value. The client does not encrypt the challenge; it computes a one-way hash (MD5 in RFC 1994) over a packet identifier, the user's password and the challenge, and sends that hash back. The access server, or the authentication server it forwards the challenge/response pair to, computes the same hash from the password stored in its database; if the two values match, the user is authenticated. CHAP therefore relies on a shared secret (the user password) that both sides must hold in cleartext, and the password itself never crosses the link. Because each challenge is fresh, a captured response cannot be replayed, but an eavesdropper who records one challenge/response pair can try passwords offline against it, so CHAP is only as strong as the password. CHAP is considered moderately secure.
Extensible Authentication Protocol (EAP) is an authentication framework used by a number of stronger authentication methods. EAP is most commonly used for authentication on wireless networks.
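To see the difference between PAP and CHAP on the wire, here is an added Python example (not code from the original page) that builds the packets from RFC 1334 and RFC 1994 and plays the authentication server. The user database, the wordlist and the Authenticator class are constructed for illustration; the last function shows what an eavesdropper can do with a single captured CHAP challenge/response pair.

```python
"""PAP and CHAP authentication as seen on the wire and at the server.

Added example for this post, not code from the original page. Packet layouts
follow RFC 1334 (PAP) and RFC 1994 (CHAP); the user database, the wordlist
and the Authenticator class are constructed for illustration.
"""
import hashlib
import hmac
import os
import struct

PAP_AUTH_REQUEST = 1                   # RFC 1334 code
CHAP_CHALLENGE, CHAP_RESPONSE = 1, 2   # RFC 1994 codes


def pap_request(identifier: int, peer_id: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request: both fields are sent as-is, nothing hides the password."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", PAP_AUTH_REQUEST, identifier, 4 + len(body)) + body


def chap_response_value(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: MD5 over Identifier || secret || Challenge value."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_response(identifier: int, name: bytes, secret: bytes, challenge: bytes) -> bytes:
    """CHAP Response packet: Code, Identifier, Length, Value-Size, Value, Name."""
    value = chap_response_value(identifier, secret, challenge)
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", CHAP_RESPONSE, identifier, 4 + len(body)) + body


class Authenticator:
    """Authentication-server side. CHAP needs the cleartext secret on file."""

    def __init__(self, users: dict):
        self.users = users          # name -> shared secret
        self.outstanding = {}       # identifier -> challenge not yet answered

    def challenge(self, identifier: int) -> bytes:
        value = os.urandom(16)      # must be unpredictable and never reused
        self.outstanding[identifier] = value
        return value

    def verify_pap(self, packet: bytes) -> bool:
        pid_len = packet[4]
        peer_id = packet[5:5 + pid_len]
        pw_len = packet[5 + pid_len]
        password = packet[6 + pid_len:6 + pid_len + pw_len]
        return hmac.compare_digest(self.users.get(peer_id, b"\0"), password)

    def verify_chap(self, packet: bytes) -> bool:
        code, identifier, _ = struct.unpack("!BBH", packet[:4])
        value_size = packet[4]
        value, name = packet[5:5 + value_size], packet[5 + value_size:]
        challenge = self.outstanding.pop(identifier, None)   # one answer per challenge
        secret = self.users.get(name)
        if code != CHAP_RESPONSE or challenge is None or secret is None:
            return False
        expected = chap_response_value(identifier, secret, challenge)
        return hmac.compare_digest(value, expected)


def crack_chap(identifier: int, challenge: bytes, value: bytes, wordlist):
    """What an eavesdropper does with one captured challenge/response pair."""
    for guess in wordlist:
        if chap_response_value(identifier, guess, challenge) == value:
            return guess
    return None
```

Run the PAP packet through a hex dump and the password is readable; run the CHAP packet through one and only the MD5 value shows, yet crack_chap recovers a weak password from that value in a few guesses.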

Point-to-Point Protocol over Ethernet (PPPoE)

The working standard for PPPoE was published by the IETF in 1999. The IETF specification for PPPoE is RFC 2516. PPPoE extends PPP by allowing a virtual point-to-point connection over a multipoint Ethernet network. PPPoE is widely used by ISPs to provision digital subscriber line (DSL) high speed Internet services, of which the most popular is ADSL. The similarity between PPPoE and PPP led to the widespread adoption of PPPoE as the preferred protocol for implementing high speed Internet access: service providers can use the same authentication server for both PPP and PPPoE sessions, which saves cost. PPPoE uses the standard methods of encryption, authentication, and compression specified by PPP.
PPPoE is configured as a point-to-point connection between two Ethernet ports. As a tunneling protocol, PPPoE provides the foundation for transporting IP packets at the network layer: IP runs over the PPP connection, which acts as a virtual dial-up link between points on the network. From the user's perspective, a PPPoE session is started by connection software on the client machine or router. Session setup first has to find the Media Access Control (MAC) address of the remote device, the access concentrator. This process, known as PPPoE discovery, involves the following steps:
  1. Initiation - The client broadcasts a PPPoE Active Discovery Initiation (PADI) packet to the Ethernet broadcast address, since it does not yet know which server to talk to.
  2. Offer - Every access concentrator that can serve the request responds with a PPPoE Active Discovery Offer (PADO) packet carrying its name and MAC address.
  3. Request - The client picks one offer and responds by sending a PPPoE Active Discovery Request (PADR) packet to that server.
  4. Confirmation - Upon receipt of the PADR packet, the server generates a unique ID for the PPP session and sends it in a PPPoE Active Discovery Session-confirmation (PADS) packet to the client.
Nothing in the discovery stage is authenticated: any host on the same Ethernet segment can answer a PADI with its own PADO, and the client will then authenticate to whichever server it picked, so PPPoE relies on the access network keeping untrusted hosts off the segment. Authentication (PAP or CHAP) happens afterwards, inside the PPP session.
The IP address a PPPoE client gets is assigned inside that PPP session and exists only while the session is active. It is released when the session closes, allowing for efficient re-use of IP addresses.
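The four-step discovery described above, as an added Python example (not code from the original page) that plays both the client and the access concentrator. It builds and parses the PPPoE payload only (the Ethernet header with EtherType 0x8863 is left out); the AC name ISP-BRAS-01, the HMAC-based AC-Cookie and the session counter are assumptions made for illustration.

```python
"""PPPoE discovery stage (RFC 2516): PADI -> PADO -> PADR -> PADS.

Added example for this post, not code from the original page. It builds and
parses the PPPoE payloads only (the Ethernet header with EtherType 0x8863 is
left out); the AC name, the cookie scheme and the session counter are
constructed for illustration.
"""
import hmac
import os
import struct

PADI, PADO, PADR, PADS = 0x09, 0x07, 0x19, 0x65
TAG_EOL, TAG_SERVICE_NAME, TAG_AC_NAME, TAG_HOST_UNIQ, TAG_AC_COOKIE = (
    0x0000, 0x0101, 0x0102, 0x0103, 0x0104)
VER_TYPE = 0x11   # VER = 1 and TYPE = 1 share one byte


def build(code: int, session_id: int, tags) -> bytes:
    """PPPoE header (VER/TYPE, CODE, SESSION_ID, LENGTH) followed by TLV tags."""
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return struct.pack("!BBHH", VER_TYPE, code, session_id, len(payload)) + payload


def parse(frame: bytes):
    """Return (code, session_id, {tag: value}); reject malformed frames."""
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[:6])
    if ver_type != VER_TYPE or len(frame) < 6 + length:
        raise ValueError("not a well-formed PPPoE v1 frame")
    tags, pos, end = {}, 6, 6 + length
    while pos + 4 <= end:
        tag, tag_len = struct.unpack("!HH", frame[pos:pos + 4])
        pos += 4
        if tag == TAG_EOL:
            break
        if pos + tag_len > end:
            raise ValueError("tag length runs past the PPPoE payload")
        tags[tag] = frame[pos:pos + tag_len]
        pos += tag_len
    return code, session_id, tags


class AccessConcentrator:
    """ISP side. It keeps no state per PADI: the AC-Cookie lets it verify the
    PADR later without remembering every offer it made (RFC 2516 section 5.2)."""

    def __init__(self, name: bytes = b"ISP-BRAS-01"):
        self.name = name
        self.cookie_key = os.urandom(16)
        self.next_session = 1

    def cookie(self, host_uniq: bytes) -> bytes:
        # Constructed scheme: a real AC also binds the client's MAC address.
        return hmac.new(self.cookie_key, host_uniq, "sha256").digest()[:8]

    def handle(self, frame: bytes):
        code, _, tags = parse(frame)
        host_uniq = tags.get(TAG_HOST_UNIQ, b"")
        service = tags.get(TAG_SERVICE_NAME, b"")
        if code == PADI:
            return build(PADO, 0, [(TAG_SERVICE_NAME, service), (TAG_AC_NAME, self.name),
                                   (TAG_AC_COOKIE, self.cookie(host_uniq)),
                                   (TAG_HOST_UNIQ, host_uniq)])
        if code == PADR:
            if not hmac.compare_digest(tags.get(TAG_AC_COOKIE, b""), self.cookie(host_uniq)):
                return None            # forged PADR: no session is allocated
            session_id = self.next_session
            self.next_session += 1
            return build(PADS, session_id, [(TAG_SERVICE_NAME, service),
                                            (TAG_HOST_UNIQ, host_uniq)])
        return None


def discover(ac: AccessConcentrator, service: bytes = b""):
    """Client side. Returns (session_id, ac_name) once the PADS arrives."""
    host_uniq = os.urandom(4)   # lets the client match offers to its own PADI
    pado = ac.handle(build(PADI, 0, [(TAG_SERVICE_NAME, service), (TAG_HOST_UNIQ, host_uniq)]))
    code, _, tags = parse(pado)
    if code != PADO or tags.get(TAG_HOST_UNIQ) != host_uniq:
        raise RuntimeError("offer is not for this client")
    # Nothing in the PADO proves who the AC is: the client simply picks an offer.
    padr = build(PADR, 0, [(TAG_SERVICE_NAME, service), (TAG_HOST_UNIQ, host_uniq),
                           (TAG_AC_COOKIE, tags[TAG_AC_COOKIE])])
    code, session_id, _ = parse(ac.handle(padr))
    if code != PADS:
        raise RuntimeError("session not confirmed")
    return session_id, tags[TAG_AC_NAME]
```

The cookie check in handle is the access concentrator's only protection against a flood of forged PADRs; the client, on the other hand, has no way to tell a rogue concentrator from the real one at this stage.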

Sunday, February 20, 2011

Configure Cisco Router to Work With Cable Internet 4

Configuring NAT (Network Address Translation)

Continuing the tutorial series on configuring a Cisco router to work with cable internet, now we'll set the router to do NAT.
When your router is connected to the cable internet through the cable modem, it receives a dynamic IP address from the ISP's DHCP server, as in our scenario.
You only get one IP address from the ISP, but you need to connect more than one computer to the internet.
Also, the public IP address is in a different network from the private IP addresses in your LAN.
NAT solves this: the router stores the requesting private IP addresses in its address translation table, rewrites every request from your LAN and forwards it to the internet using the single public IP address.
NAT can be used in different scenarios, but I'll save those for future posts; for now the form of NAT we'll use is the many-to-one scenario.
Many private IP addresses are translated into one public IP address; some people call it overloading and/or Port Address Translation (PAT).

NAT overload assigns a unique port number to every connection from the LAN to the internet, hence PAT.
For example, if your public IP address is 202.1.1.1, a request from 192.168.1.20 in your LAN with source port 1720 arrives at the router as 192.168.1.20:1720 and leaves towards the internet as 202.1.1.1:1521 (the router keeps the original port when it is free and picks another one when two hosts happen to use the same port).
This is how the router knows which reply belongs to which device.

Configuring it takes a few steps, but first let's look again at the network diagram:

The image shows only one computer connected to the internet; for now let's pretend I have a lot of computers in my LAN needing internet access.
You need to remember three basic steps for configuring NAT/PAT:
  1. Create an access list that decides which private IP addresses are allowed to be translated by the router.
  2. Issue the NAT command that ties NAT to the access list we created, and tell the router to overload the translations if you use PAT.
  3. Identify which router interface is connected to the LAN and issue ip nat inside on it, and which interface is connected to the internet and issue ip nat outside on it.
The steps do not have to be in that order; you can start with whichever step first. Here is how you do them:

Create Access List
router> enable
router# configure terminal
router (config)# access-list 101 permit ip 192.168.1.0 0.0.0.255 any

Issue PAT command
router (config)# ip nat inside source list 101 interface Ethernet0/0 overload
 
Identify interfaces for ip nat inside and outside
router (config)# interface ethernet0/0
router (config-if)# ip nat outside
router (config-if)# interface ethernet0/1
router (config-if)# ip nat inside
 
That's it, three easy-to-remember steps for configuring NAT/PAT. Note that the access list in step 1 only chooses what gets translated; it does not filter anything. Traffic arriving from the internet is dropped only because no translation entry matches it, so if you want to block unsolicited inbound traffic explicitly, apply a separate access list inbound on the outside interface. One last thing to do for connecting your router to the cable internet is configuring the default route.
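The translation table the router keeps, as an added Python example (not code from the original post): the inside network plays the role of access-list 101, 202.1.1.1 stands in for the address on Ethernet0/0, and the Packet type and the rule for picking a port when two hosts collide are assumptions made for illustration.

```python
"""Many-to-one NAT (PAT / overload) translation table in miniature.

Added example for this post, not code from the original page. The inside
network stands in for access-list 101 and 202.1.1.1 for the address on
Ethernet0/0; the Packet type and the port-allocation rule are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class PatTable:
    def __init__(self, inside_net: str, outside_ip: str):
        self.inside_net = ipaddress.ip_network(inside_net)   # what the access list permits
        self.outside_ip = outside_ip                          # the single public address
        self.out_map = {}   # (proto, inside ip, inside port) -> outside port
        self.in_map = {}    # (proto, outside port) -> (inside ip, inside port)

    def _allocate_port(self, proto: str, wanted: int) -> int:
        # Keep the host's own source port when nobody else holds it, else take a free one.
        if (proto, wanted) not in self.in_map:
            return wanted
        for port in range(1024, 65536):
            if (proto, port) not in self.in_map:
                return port
        raise RuntimeError("translation table full")

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> internet, from the 'ip nat inside' to the 'ip nat outside' interface."""
        if ipaddress.ip_address(pkt.src) not in self.inside_net:
            return pkt      # not permitted by the list: forwarded untranslated
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.out_map:
            port = self._allocate_port(pkt.proto, pkt.sport)
            self.out_map[key] = port
            self.in_map[(pkt.proto, port)] = (pkt.src, pkt.sport)
        return Packet(self.outside_ip, self.out_map[key], pkt.dst, pkt.dport, pkt.proto)

    def inbound(self, pkt: Packet):
        """internet -> LAN: only traffic matching an existing translation gets through."""
        if pkt.dst != self.outside_ip:
            return None
        inside = self.in_map.get((pkt.proto, pkt.dport))
        if inside is None:
            return None     # unsolicited: no entry, so the router has nowhere to send it
        return Packet(pkt.src, pkt.sport, inside[0], inside[1], pkt.proto)
```

Two hosts both using source port 1720 show why overload needs the port: the second one is rewritten to a free port, and the reply to that port finds its way back to the right host. A packet from a source the list does not permit leaves untranslated with its private address, which the ISP will drop.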

Configuring Default Route
I decided to include configuring the default route in this post since I only have a simple network topology and we only need one line of command to configure it.
Here's how we do it; from the last command we jump back to the global configuration mode:
router (config-if)# exit
router (config)# ip route 0.0.0.0 0.0.0.0 ethernet0/0
 
What the above command does is route every packet whose destination the router doesn't know (0.0.0.0 0.0.0.0) out of the ethernet0/0 interface. Pointing a default route at a multi-access interface such as Ethernet works, but it makes the router ARP for every destination and rely on the ISP's proxy ARP, so where you can, use a next-hop address instead. When ethernet0/0 gets its address with ip address dhcp, the router already installs a default route through the gateway the ISP's DHCP server supplies, so you may not need this line at all.
If you have a static public IP address from the ISP, replace ethernet0/0 with the gateway (next-hop) address the ISP gave you, not with your own address.
That concludes the tutorial series for connecting your router to cable internet. Thank you for following the series, and please give me feedback about my posts.
 
 

Configure Cisco Router to Work With Cable Internet 3

Setting Cisco Router as DHCP Server

This step really is optional when you set up a Cisco router to work with cable internet, but it is a good chance to add to your skills in configuring Cisco devices.

From the previous post, you know how to configure your router's interface to accept an IP address from a DHCP server.
Now it's time to configure your router as a DHCP server.

Once again you need to make sure your router's IOS image supports the DHCP server feature; if not, the commands won't be available.
To set up a DHCP server, you configure a pool of IP addresses that you want to give out to the clients (PC, printer, NAS, etc.).
As shown in the image in the previous post, I want to give out IP addresses from the network 192.168.1.0.
The first thing to configure is the exclusion of the IP addresses that you don't want to give out.
For example, I've configured the router interface 0/1 as 192.168.1.1, so I need to exclude 192.168.1.1 so the router won't give out its own address.
You can configure the exclusion in the router's global configuration mode:
router> enable
router# configure terminal
router (config)# ip dhcp excluded-address 192.168.1.1



This command is very useful when you need to exclude a range of IP addresses; if you need to exclude, say, 192.168.1.1 through 192.168.1.10 you can do it like this:

router (config)# ip dhcp excluded-address 192.168.1.1 192.168.1.10




After ip dhcp excluded-address we give the low and the high IP address; this way your router won't give out addresses from 192.168.1.1 to 192.168.1.10 and will start handing out addresses from 192.168.1.11 onward. Excluding the address of every device with a fixed address (the router itself, your DNS server, a printer) is what stops the router from leasing an address that is already in use.

Next is creating the pool of addresses. When you issue ip dhcp pool you are taken to the DHCP configuration mode, where you can set additional parameters beside the IP address and subnet mask handed to the clients.
In this example I make a pool named HOME_CLIENTS:

router> enable
router# configure terminal
router (config)# ip dhcp pool HOME_CLIENTS
router (dhcp-config)# network 192.168.1.0 255.255.255.0
router (dhcp-config)# default-router 192.168.1.1
router (dhcp-config)# import all



The third line above creates the pool named HOME_CLIENTS.
The fourth line says that the pool HOME_CLIENTS will give out addresses from the network 192.168.1.0/24, minus the addresses covered by the ip dhcp excluded-address command shown previously.
The fifth line tells the clients to use 192.168.1.1 (the router's IP address) as their default gateway.
The sixth line is the important one for a DHCP server in a cable internet environment.
The import all command tells the router to pass on to the clients in the LAN the other options it received from the ISP's DHCP server.
For example, most ISPs hand out their DNS server addresses through DHCP, and these can change depending on the ISP, so you want to pass them on to the clients. Be aware that this also means your clients resolve names through whatever DNS servers the ISP hands out.
If you have your own DNS server in the LAN, you can tell the clients to use it with the following command:
router (dhcp-config)# dns-server 192.168.1.2 192.168.1.3
 

The above command sends out the DNS server addresses 192.168.1.2 and 192.168.1.3 to the clients.
You can also make the router itself use those DNS servers with the following command in global configuration mode:
router (config)# ip name-server 192.168.1.2 192.168.1.3
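To see exactly what the commands above make the router hand out, here is an added Python example (not code from the original post) that parses the same excluded-address and pool commands, leases addresses the way the text describes, and checks that the router, default gateway and DNS server addresses are excluded. The sample configuration and the lease allocator are constructed for illustration.

```python
"""What 'ip dhcp excluded-address' and 'ip dhcp pool' hand out, modelled in Python.

Added example for this post, not code from the original page. The parser only
understands the pool commands used here (network, default-router, dns-server);
the sample configuration and the lease allocator are constructed.
"""
import ipaddress

# Constructed sample in the form of the commands from this post.
SAMPLE_CONFIG = """\
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp excluded-address 192.168.1.200
ip dhcp pool HOME_CLIENTS
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 192.168.1.2 192.168.1.3
"""


def parse_dhcp_config(text: str):
    """Return (set of excluded addresses, {pool name: {'network': ..., 'options': ...}})."""
    excluded, pools, pool = set(), {}, None
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[:3] == ["ip", "dhcp", "excluded-address"]:
            low = ipaddress.ip_address(words[3])
            high = ipaddress.ip_address(words[4]) if len(words) > 4 else low
            excluded.update(ipaddress.ip_address(i) for i in range(int(low), int(high) + 1))
            pool = None
        elif words[:3] == ["ip", "dhcp", "pool"]:
            pool = pools.setdefault(words[3], {"network": None, "options": {}})
        elif pool is not None and words[0] == "network":
            pool["network"] = ipaddress.ip_network(f"{words[1]}/{words[2]}", strict=False)
        elif pool is not None:
            pool["options"][words[0]] = words[1:]   # default-router, dns-server, ...
    return excluded, pools


class DhcpPool:
    def __init__(self, spec: dict, excluded: set):
        self.network = spec["network"]
        self.options = spec["options"]
        self.excluded = excluded
        self.leases = {}    # client id (MAC) -> address

    def offer(self, client_id: str):
        """Lowest free host address that is not excluded; clients keep their lease."""
        if client_id in self.leases:
            return self.leases[client_id]
        taken = set(self.leases.values())
        for addr in self.network.hosts():    # hosts() already skips network and broadcast
            if addr not in self.excluded and addr not in taken:
                self.leases[client_id] = addr
                return addr
        return None     # pool exhausted


def check_pool(pool: DhcpPool) -> list:
    """Warn when an address the pool advertises could also be leased to a client."""
    warnings = []
    for option in ("default-router", "dns-server"):
        for text in pool.options.get(option, []):
            addr = ipaddress.ip_address(text)
            if addr in pool.network and addr not in pool.excluded:
                warnings.append(f"{option} {text} lies in {pool.network} but is not excluded")
    return warnings
```

Drop the first excluded-address line from the sample and check_pool reports all three advertised addresses, and the first client is offered 192.168.1.1, the router's own address.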
 
You can get more information on the Cisco IOS DHCP and DNS commands in the command references on the Cisco site.

Configure Cisco Router to Work With Cable Internet 2

We first need to set the IP addresses of the router's interfaces to begin configuring the Cisco router to work with cable internet.
If you are configuring the router for the first time, connect to it using the console cable.
WARNING!!!
Not every Cisco IOS image supports the commands below; make sure your router's IOS supports them, as explained in the post on IOS naming and features. If your image doesn't support them, the commands won't work.
You can also check the features of your IOS image with Cisco's Feature Navigator tool.
Make sure your Cisco IOS image supports the DHCP features (client and server).
As I said in the last post, interface ethernet 0/0 is connected to the cable modem and interface ethernet 0/1 is connected to my PC, as shown below:



Ethernet 0/0 uses the configuration obtained from the ISP, so we'll set it to receive its IP address from the ISP's DHCP server. Always remember to give the no shutdown command on the interface:

router> enable
router# configure terminal
router (config)# interface ethernet 0/0
router (config-if)# ip address dhcp
router (config-if)# no shutdown


Now to set the Ethernet 0/1 port as in the picture above, we can jump right into the interface 0/1 configuration mode:
router (config-if)# interface ethernet 0/1
router (config-if)# ip address 192.168.1.1 255.255.255.0
router (config-if)# no shutdown


You have now configured IP addresses on your interfaces; check them with the following command:

router# show ip interface brief

Interface        IP-Address       OK? Method Status   Protocol
Ethernet0        xxx.xxx.xxx.xxx  YES DHCP   up       up
Ethernet1        192.168.1.1      YES NVRAM  up       up

show ip interface brief is a very useful command; you will want to use it to check the status of your interfaces.
The Interface column lists all the interfaces you have, and IP-Address of course shows the address of each interface.
The Method column shows whether the address was given by a DHCP server, configured by you (stored in NVRAM), or loaded from a TFTP server (TFTP).
The Status column reflects the physical layer (OSI Layer 1): down means the interface has no carrier, for instance the cable is not plugged in or the device at the other end is off.
The Protocol column reflects the line protocol (OSI Layer 2): it shows up only when the Layer 2 protocol on the link is working, for example keepalives are being answered. Status up with Protocol down points to a Layer 2 problem, such as an encapsulation mismatch on a serial link.
There is another state of the Status column, administratively down, which means the interface has been shut down with the shutdown command.
This is the most likely question you'd get in the CCNA exam.
You can read further about the show ip interface brief command in the Cisco command reference.
When you have finished this configuration, your router will be receiving an IP address on interface 0/0 from the ISP's DHCP server, and interface 0/1 will be ready to communicate with the network 192.168.1.0.

Configure Cisco Router to Work With Cable Internet 1


If you just bought your first used Cisco router, I bet one thing you want to do immediately is connect it to the cable internet.
I know I did; I have cable internet for my home network. Previously I used a Linksys router to get my LAN connected to the internet.
Configuring a Cisco router to connect to the cable internet is easy work, even if you only know the basic configuration stuff in Cisco.
I need to warn you that this configuration will be spread over a series of posts, or else it would be a very long post. The series is also a good chance to learn some aspects of configuring a Cisco router.
All you need to do is set the IP addresses of the interfaces, set the router as a DHCP server if you want it, configure NAT, and the last thing is routing. Very simple indeed.
I'm only going to show you how to get your router up and running; I won't discuss access lists and other fancy stuff, that's for the next posts.
Also, the devices involved in this tutorial are only the Cisco 2611 router, a Motorola cable modem, and my PC. If you use other Cisco devices you might need to do more configuration.
In this Part 1, I'm going to review the concept of this configuration; please look at the topology image below:

Configure IP Address of the Router's Interfaces
The router will get its IP configuration from the ISP's DHCP server; the Ethernet 0/0 port is the exit point to the internet.
Ethernet 0/1 is the port where my computer is connected. I'm going to set a private IP address on it as the gateway for the computer.
Setting the IP address of the interfaces is definitely a topic in the CCNA exam.
Configure the Router as DHCP Server
In this example I'm using the router as the DHCP server, giving the computer its IP address along with other configuration such as subnet mask, gateway address, and DNS server IP address.
You won't be tested on setting a router up as a DHCP server in the CCNA exam; it shows up in the CCNP exam.
Configure NAT (Network Address Translation) in The Router
NAT is a powerful concept: you have one public IP address given by the ISP and private IP addresses in your LAN.

What NAT does is translate all your private IP addresses into the public IP address. If you're using overload, one public IP address used by many private IP addresses, each private address and port is mapped to a port on the public address.
For example, if you got the public IP address 202.1.1.1, a translation might look like 202.1.1.1:3000 (addresses such as 10.1.1.1 are private, by the way, and never appear as your public address).
NAT is also a topic in the CCNA exam and one of the toughest at that.

Configure Routing
This example only shows basic static routing: the router will send all requests from the client (port Ethernet 0/1) out of port Ethernet 0/0.
You surely want to learn about routing for the CCNA exam.

Need other Resources For learning Cisco?

During my vacation I also took the chance to browse all over the internet, and I was surprised to see that quite a lot of people claim that Cisco.com didn't give them enough information about the devices in their home labs.
Sure, Cisco did stop supporting some of the older devices, but they still keep the information about them, including configuration examples, etc. Maybe they did stop posting new information, though.
That's not what I want to post about now, just sharing my opinion. But I do want to post about some resources that provide you with information about Cisco devices.
Two good resources are the Packet magazine and iQ magazine from Cisco; they're free to download. Too bad they stopped issuing new issues, because they said they want to evolve their customer communications to a more interactive, web based model or something. You can read their announcement on the Cisco site.
I really do prefer to read their magazines; although you can't get new issues now, you can still download the old ones from Cisco.
Sure, they may be outdated reviews, but I can still learn a lot from them. For example I found this article about the connected home in Packet magazine, about making all the devices in your home connected.


I actually took advantage of the article and started running my business by offering people this connected home network; it turns out to be quite good.
There are many interesting articles, on IPTV, VoIP, etc.
If you're aiming for Cisco exams, joining forums is important to get more information from people experienced with the exams.
Some forums that I recommend are from proprofs, sadikhov, and of course Cisco. These are three of the tons of Cisco/networking forums out there.
The key is to find the forum that best fits you; forums have different cultures, some have very helpful people while in others you might also meet grumpy people.
Keep the list small; if you're like me, I often got confused because I registered to too many forums out there. Quality, not quantity.

Cisco IOS Naming Convention and Features

When you decide to buy Cisco devices for a home lab, it is very important to ask the reseller about the Cisco IOS image the devices are running.

This is something most newbies forget about when buying used Cisco devices for the first time.

This should be no problem if you buy a Cisco kit/home lab package, since the reseller will match the requirements for you, including the IOS version.

Now, what exactly are the differences between Cisco IOS package names and the features they have? Listing every one of them here would be very tiring work, since there are hundreds if not thousands of IOS packages with different versions and features.

What I can tell you is that the image above shows the naming convention of Cisco IOS images. You will often see this format used in the naming of IOS images.

HARDWARE

The first part is quite self-explanatory: hardware is the platform the IOS image runs on.

FEATURE SET

This is where you find out the features supported by the IOS. This is the new naming convention for Cisco IOS; older versions still use letters to describe the features. The legacy naming convention can be quite confusing, so it's good they decided to change it.

Cisco distributes IOS packages according to their features; take a look at the following diagram:


The higher the feature set, the more features it has. You can check the features of a Cisco IOS image with the tool provided by Cisco, the Feature Navigator.
Access the tool on the Cisco site; you can search by feature, IOS image name, platform, or product code, and you can even compare features between images. It's a great tool you should try. From a security point of view, the feature set also tells you whether the image can do SSH and IPsec at all: only images with a cryptographic feature set (k8 or k9 in the legacy names) include them, so a cheap router with a basic IP-only image will not let you replace Telnet with SSH.

For the legacy naming convention, the feature set is formatted as yyyy, where each y can be one of the following letters:
  • b - AppleTalk support
  • c - CommServer lite (CiscoPro)
  • g - ISDN subset (SNMP, IP, Bridging, ISDN, PPP, IPX, and AppleTalk)
  • i - IP subset (SNMP, IP, Bridging, WAN, Remote Node, and Terminal Services)
  • n - IPX support
  • q - asynchronous support
  • t - Telco return (12.0)
  • y - reduced IP (SNMP, IP RIP/IGRP/EIGRP, Bridging, ISDN, and PPP) (c1003 or c1004)
  • z - managed modems
  • 40 - 40 bit encryption
  • 50 - 50 bit encryption

MEMORY LOCATION and COMPRESSION FORMAT

This section tells you from which memory location the IOS runs and what compression format it uses. These are the memory locations:
  • f - flash
  • m - RAM
  • r - ROM
  • l - the image will be relocated at run time
And these are the compression types:
  • z - zip compression
  • x - mzip compression
  • w - "STAC" compression

MAINTENANCE RELEASE and INDIVIDUAL RELEASE

These show the release version number of the IOS image.

RELEASE

The last part shows whether the image is a T release (new feature release identifier), an S release (individual release), or XR (modular packages).

For further reference you can see the complete lists on the Cisco site.

I've made a mistake when I first bought my router: I didn't ask about the IOS version of the router, so I ended up with a very basic IOS version not even having the DHCP server feature.
You don't want to make the same mistake, so get familiar with the Cisco IOS naming convention.

If you already bought it, check the features supported by the image with the Cisco tool I told you about above.

You also need to consider the amount of DRAM of the device. The higher the version and feature set of an IOS image, the more DRAM you need.

Password Recovery Procedure for Cisco router 2600 and 2800 series

If you buy a used Cisco device for your Cisco home lab, the router/switch configuration has most likely already been erased to the default by the reseller. But what if you get a router/switch with a password still in it, or you forget the password you gave the device?


Cisco devices have a password recovery procedure that you can use to overcome this problem; some devices have a different procedure for password recovery.

The steps I'm showing here are for Cisco 2600 and 2800 series routers, but most routers follow the same steps.
Some Cisco switch series have a button on the chassis that you must press for password recovery.
WARNING!!!
The password recovery procedure makes the router boot without its saved configuration. If you save (write memory) before restoring it, the old configuration is gone for good, so it is always a good idea to back up your configuration regularly and use the backup to reconfigure the router/switch after the password recovery procedure. Keep in mind what this procedure means for security, too: anyone with physical access to the console port can take full control of the device this way, so lock the router up and, on platforms that support it, consider no service password-recovery, at the price of having to erase the configuration if you ever lose the password yourself.


To recover the password you first need to get into ROMmon mode: power cycle the router and send a Break from the console during the first 60 seconds of boot. Then, for 2600 and 2800 series routers, change the configuration register from 0x2102 to 0x2142 and reset the router:
rommon 1 > confreg 0x2142
You must reset or power cycle for new config to take effect
rommon 2 > reset



Changing the configuration register from 0x2102 to 0x2142 tells the router to ignore the configuration in NVRAM, where the password is stored; the two values differ only in bit 6 (0x0040), the ignore-NVRAM bit.
This is why you should back up the configuration file to a TFTP server regularly, so you can recover the configuration if something like this happens in the future.
Your router will reload after the reset command in ROMmon mode with no configuration, so it will ask whether you want to enter the initial configuration dialog again; just answer no:
Would you like to enter the initial configuration dialog? [yes/no]: no


At this point you can get into the router without providing the password. If you check with the show version command you will see at the end of the output that the configuration register has changed:

router# show version
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-I-M), Version 12.1(2)T, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2000 by cisco Systems, Inc.
Compiled Tue 16-May-00 15:15 by ccai
Image text-base: 0x80008088, data-base: 0x80865F64

ROM: System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)

Router uptime is 3 minutes
System returned to ROM by reload
System image file is "flash:c2600-i-mz.121-2.T.bin"
cisco 2611 (MPC860) processor (revision 0x202) with 20480K/4096K bytes of memory.
Processor board ID JAB0317052N (1135645455)
M860 processor: part number 0, mask 49
Bridging software.
X.25 software, Version 3.0.0.
2 Ethernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
32K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read/Write)

Configuration register is 0x2142
  

Next, bring back the saved configuration before you set the new password: the startup configuration is still in NVRAM and was only ignored at boot, so copy startup-config running-config restores it (or paste your backup configuration file into the terminal if NVRAM was erased). Do this first, because a pasted backup contains the old enable secret and would overwrite a new one. Then set your new password from configuration mode. Use enable secret rather than enable password: enable password is stored in cleartext or in the easily reversible type 7 encoding, while enable secret is stored as a hash. Replace Cisco below with a strong password of your own.

router# configure terminal
router (config)# enable secret Cisco


Then save the running configuration:
router# write memory
or
router# copy running-config startup-config
 


The last and most important thing to do is to change the configuration register back to 0x2102, or else every time your router reloads it will ignore the configuration file, and anyone on the console gets in without a password:

router (config)# config-register 0x2102


You can check with the show version command that the last line now reads Configuration register is 0x2142 (will be 0x2102 at next reload); the new value takes effect when the router reloads:



 

Reload the router using reload command:

router# reload
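As an added Python example (not code from the original post), here is a decoder for the configuration register together with a check over show version output that catches the mistake this post warns about: a router left at 0x2142, which boots without its startup configuration and without a password. The bit meanings are the standard register layout for these platforms; the show version excerpts are constructed for illustration.

```python
"""Decode the configuration register and spot routers left in ignore-NVRAM mode.

Added example for this post, not code from the original page. The bit meanings
are the standard register layout for 2600/2800 routers; the show version
excerpts at the bottom are constructed for illustration.
"""
import re

IGNORE_NVRAM = 0x0040              # bit 6: skip startup-config (what the recovery flips)
BREAK_DISABLED = 0x0100            # bit 8: ignore Break once IOS has booted
BOOT_ROM_ON_NETBOOT_FAIL = 0x2000  # bit 13
BOOT_FIELD = {0x0: "stay in ROMmon", 0x1: "boot first image in flash"}

REGISTER_RE = re.compile(
    r"Configuration register is (?P<now>0x[0-9A-Fa-f]+)"
    r"(?: \(will be (?P<next>0x[0-9A-Fa-f]+) at next reload\))?"
)


def decode_confreg(value: int) -> dict:
    """Split a register value such as 0x2102 or 0x2142 into its meaningful fields."""
    boot = value & 0xF
    return {
        "boot": BOOT_FIELD.get(boot, "boot system commands, else first image in flash"),
        "ignore_nvram": bool(value & IGNORE_NVRAM),
        "break_disabled": bool(value & BREAK_DISABLED),
        "boot_rom_on_netboot_fail": bool(value & BOOT_ROM_ON_NETBOOT_FAIL),
    }


def audit_show_version(output: str) -> list:
    """Findings for one device's show version text; an empty list means all is well."""
    m = REGISTER_RE.search(output)
    if not m:
        return ["configuration register line not found"]
    now = int(m.group("now"), 16)
    nxt = int(m.group("next"), 16) if m.group("next") else now
    findings = []
    if decode_confreg(now)["ignore_nvram"]:
        findings.append(f"running with {now:#06x}: startup-config was ignored at last boot")
    if decode_confreg(nxt)["ignore_nvram"]:
        findings.append(f"next reload uses {nxt:#06x}: startup-config will be ignored again")
    if not decode_confreg(nxt)["break_disabled"]:
        findings.append(f"{nxt:#06x} leaves Break enabled: a Break on the console drops to ROMmon")
    return findings


# Constructed: the last line of show version on three routers.
RECOVERED_OK = "...\nConfiguration register is 0x2142 (will be 0x2102 at next reload)\n"
LEFT_OPEN = "...\nConfiguration register is 0x2142\n"
NORMAL = "...\nConfiguration register is 0x2102\n"

if __name__ == "__main__":
    for name, text in (("recovered", RECOVERED_OK), ("left open", LEFT_OPEN), ("normal", NORMAL)):
        print(name, audit_show_version(text) or "ok")
```

Collect show version from every router after a recovery and run it through audit_show_version: a device whose register is still 0x2142 with no "will be 0x2102" note is the one that was saved but never set back.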