Switching and Lab’in it

It has been 3 days since I passed my CCNP Route exam. I still haven’t recovered from the stress it brought me, but here I am at school already hammering through CCNP Switch materials. The goal is to get Switch within 60 days, assuming nothing unexpected happens, like flooding in the Philippines or something. Here are the materials and gear I will be using for this study:

  • CISCO press CCNP Switch book 
  • CISCO Netacad lab book
  • CISCO Netacad power point materials
  • CBTNuggets CCNP Switching with Jeremy Cioara
  • Chris Bryant CCNP Switch Boot Camp
  • 2×2960, 2×3560, 1×2911 (voice)
  • certprepare.com

Early observations: going through the materials, I noticed there’s really not much different from the new CCNAX that Cisco rolled out a couple of months ago. New stuff includes Private VLANs, VACL, PACL, RACL and a couple of security and VoIP topics. Honestly, if I can do this within the month, I will take the exam as early as possible and move on to Tshoot. I just want to get my CCNP R&S as soon as possible.

The plan for now is, after finishing CCNP, to get MCSA for Windows 2012 just to balance me out. I am really passionate about learning and teaching all this stuff to students. Of course the end goal is to get my CCIE number and maybe have my own consultancy company.

I just received an email from a training organization in the city offering me a casual position teaching weeknights and a couple of weekends. According to the CEO, classes might start in a month. I am so excited.

642-902 done!

This was taken right after my exam at Mercury Gold Coast this morning. Yeah, I just cleared my CCNP Route exam. All I can say is that so far it has been the most humbling experience I’ve had since I started my certification journey. I must admit I started to get cocky last week, thinking that I could probably take on this exam and maybe get a perfect score on it.

It was originally scheduled for June 5th, then I decided to move it earlier to the 29th of May, then last night I decided, why not, I will do it the next day, all the way to the Gold Coast, which is about an hour’s drive. I took the 9:30am exam, but I was so excited that I was there as early as 8:45am. I started around 9:00am, and after I got my first lab, which was question 9, I got stuck for about 20 minutes trying to work out the requirements.

When I did my CCNA exam last Sept 2013, I clearly remember I could use “write”/“wr” to save my running configs. I could even use the “do” commands. However, with this set it did not let me use them. What’s worse, “copy run start” was not even working. I was in complete panic mode. I was asking myself if it would only allow me to save if I got everything right; I was probably missing something, that’s why it’s not allowing me to save, or something along those lines. After spending 20 minutes on the first lab not saving, I just pushed on until I got to the next lab, which was still not saving my configs. I was running out of time, so I started to assume that saving the running configs wasn’t a requirement.

The weird part was that when I got to my 3rd lab it allowed me to save my config. It was really freaking me out. It was a mixture of blaming myself for taking the exam earlier than I was supposed to and being really cocky about it. It was an internal battle of accepting that I would fail this exam because of some command that did not work.

In the 4th lab, which had something to do with redistribution, I accidentally misconfigured a redistribute command. When I tried removing it using the “no” command, it didn’t do it. Yes, it allowed me to type the command, e.g. “no redistribute ospf 23 metric 1500 2000 255 1 1”, but it did nothing. I ended up having 2 redistribution commands. It must have been a bug, because I got a perfect score in that lab. It’s really weird.

Overall, I still ended up passing CCNP Route, making me so far the highest Cisco-certified staff member at TAFE. I never had problems with the multiple choice, drag-and-drop and choose-the-best-answer types of questions. It was really the clunky labs that freaked me out.

On to Switch for me… here we go.

PRTG, It’s awesome

It’s a few minutes past midnight, crossing over to Tuesday. I had a short chat with the CEO of Bay Technologies over coffee last night. He gave me a 10,000-foot view of what the company is all about and its plans to move into the cloud. I can’t really tell details yet, since it is still a long way before anything comes to fruition. I just find it refreshing and amazing to have a chance to chat with the CEO of a tech company.

Anyway, this morning I finished all the remaining Cisco bridging materials for the diploma guys taking Networking. I covered SNMP, Syslog, NetFlow and IOS 15. What really got me excited was when I did a demo of PRTG. It is an enterprise-level network monitoring package that does everything for you. If I get the chance I will post a blog on how to set up a simple router and have all sorts of monitoring sensors. Pretty cool stuff.

Route-map: interesting fact

“If the packets do not meet any of the defined match criteria (that is, if the packets fall off the end of a route map), then those packets are routed through the normal destination-based routing process. If it is desired not to revert to normal forwarding and to drop the packets that do not match the specified criteria, then interface Null 0 should be specified as the last interface in the list by using the set clause.”

http://www.cisco.com/en/US/products/ps6599/products_white_paper09186a00800a4409.shtml

So let’s say you are creating a route-map condition where, if a certain packet is received by the border router, it has to go to a certain router as the next hop. Yes, I know, for those of you studying CCNP Route this lab sounds familiar. You initially create your extended access-list:

access-list 111 permit tcp any any eq 80

You then create your route-map:

route-map pbr permit 10
 match ip address 111
 set ip next-hop <ip address of the assigned router>

All along I thought you still needed to create another route-map sequence, say sequence 20, without any match or set statement, just to allow other packets to go through. Apparently, according to the Cisco documentation, this is not needed. Interesting…
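To make the two outcomes described in that white paper concrete, here is an added Python model of how a PBR route-map is evaluated (example code, not from the original post or from Cisco): ACL 111 and sequence 10 mirror the lab above, the next-hop address 192.0.2.1 is a constructed placeholder, and the second route-map adds the “set interface Null0” sequence that turns fall-through into a drop. A deny sequence is included as well, since it also sends the packet back to normal routing.

```python
from dataclasses import dataclass
from typing import Optional

NEXT_HOP = "192.0.2.1"  # constructed placeholder for the assigned router's address

@dataclass
class Ace:
    """One simplified extended access-list entry: action, protocol, destination port."""
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "ip" (ip = any protocol)
    dport: Optional[int] = None  # None = any destination port

@dataclass
class Seq:
    """One route-map sequence ('route-map pbr <action> <seq>') with its match/set clauses."""
    action: str                        # "permit" or "deny"
    match_acl: Optional[int] = None    # ACL number; None = no match clause (matches all)
    set_next_hop: Optional[str] = None
    set_interface: Optional[str] = None

def acl_permits(acl: list[Ace], pkt: dict) -> bool:
    """First matching entry wins; an ACL with no matching entry implicitly denies."""
    for ace in acl:
        if ace.proto not in ("ip", pkt["proto"]):
            continue
        if ace.dport is not None and ace.dport != pkt["dport"]:
            continue
        return ace.action == "permit"
    return False

def policy_route(route_map: list[Seq], acls: dict[int, list[Ace]], pkt: dict) -> str:
    """Evaluate a packet against a PBR route-map and report what happens to it."""
    for seq in route_map:
        if seq.match_acl is not None and not acl_permits(acls[seq.match_acl], pkt):
            continue                        # no match: try the next sequence
        if seq.action == "deny":
            return "normal routing"         # deny sequence: leave PBR, route normally
        if seq.set_interface == "Null0":
            return "dropped"                # the white paper's 'set interface Null 0'
        if seq.set_next_hop:
            return f"next-hop {seq.set_next_hop}"
        return "normal routing"             # permit with no set clause
    return "normal routing"                 # fell off the end of the route-map

ACLS = {111: [Ace("permit", "tcp", 80)]}                    # access-list 111 permit tcp any any eq 80
RM_PLAIN = [Seq("permit", 111, set_next_hop=NEXT_HOP)]      # only sequence 10, as in the post
RM_DROP = RM_PLAIN + [Seq("permit", set_interface="Null0")]  # sequence 20 drops everything else
```

With RM_PLAIN, a UDP/53 packet falls off the end and is routed normally; with RM_DROP the same packet is dropped, while HTTP still gets the policy next hop in both cases.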

Tera Term, Xmodem & a 3560

One of the most annoying things you can experience in a lab environment is that, just when you are all set to configure a switch, you find out that someone has intelligently wiped the entire OS off it. So this post is about how you recover, or should I say re-install, a 3560 IOS on your wiped switch.

What you need:

  • Backed-up 3560 .bin file
  • Windows 7 with Tera Term installed
  • Your wiped 3560 switch (make sure you are installing the right .bin file for your switch)
  • Rollover cable

I plugged my rollover cable into the console port of the switch and used Tera Term to gain access to the console. You’d know the config is wiped if the first thing you see is: switch:

I copied my backed-up .bin file to my C: drive and typed the following at the switch: prompt:

set BAUD 115200

I am setting the baud rate this high or else it’s going to take forever to transfer the file. Then in Tera Term go to:

Setup > Serial port… > then change the baud rate to 115200

Give the switch a minute for things to take effect, and don’t panic when it feels like the screen froze. That happened to me; I panicked thinking the screen wasn’t responding and kept restarting my work. Press Enter a couple of times and you should have switch: displayed.

Then type:

flash_init      (note: some switches/routers have this activated already)

copy xmodem: flash:<the image file>

Once you see CCCs displayed, in the Tera Term menu click File > XMODEM > Send

On the Windows box, locate your .bin file and make sure you choose the CRC radio button. That’s it! To verify that the .bin file was copied you can type:

dir flash:   and the .bin file should be there.

Depending on the link’s speed it may take up to 40 minutes. Once everything is done, do not forget to set the baud rate back to 9200:

set BAUD 9200

You are almost there; the last thing you need to do is type:

boot flash:<.bin file name>

FREERADIUS, CENTOS & CISCO

In this lab we are going to simulate running a RADIUS server and authenticating users before they are allowed to configure a Cisco device, in this case a switch.

Requirements for this lab, I would recommend the following:

  • Windows 7/8 with Oracle VirtualBox or VMware Player installed
  • CentOS 6 ISO
  • FreeRADIUS
  • gedit
  • Cisco switch (you may also use a Cisco router)

Assuming you have installed CentOS on a virtual machine: I normally set up my lab VM with 2 NICs, the first one NAT to access the internet and the second one bridged, which we’ll connect to one of the ports of our switch.

Open a terminal session on your CentOS: click Applications > System Tools > Terminal

INSTALL FREERADIUS

Make sure you are running as root, then install FreeRADIUS by typing:

yum install freeradius freeradius-utils -y

Also install gedit:

yum install gedit

CREATE AND TEST A TEST/DUMMY USER

We have to test our RADIUS server by adding a test user. Open the users file using gedit:

gedit /etc/raddb/users

At the top of the file insert:

<username> Cleartext-Password := "<password>"

e.g.

hello Cleartext-Password := "world"

Save and exit the gedit editor. Whenever you add something in any of the RADIUS files, make sure you restart your RADIUS server by typing:

service radiusd restart

If all goes well you should be able to test your test user:

radtest <username> <password> localhost 0 testing123

e.g.

radtest hello world localhost 0 testing123

ADDING A CLIENT DEVICE

Let’s configure our client; the client in this case is a Cisco device (switch) that’s going to use our RADIUS server to authenticate users before they can configure the device.

gedit /etc/raddb/clients.conf

and enter the following:

client <client’s ip address> {
        secret    = <password>
        nastype   = cisco
        shortname = <hostname>
}

e.g.

client 10.1.1.1 {
        secret    = secretkey
        nastype   = cisco
        shortname = SW1
}

ADD A USER TO BE AUTHENTICATED

Save and close. Now let’s add a user to be authenticated for our Cisco switch. Again, let’s go back to our users file:

gedit /etc/raddb/users

and add our user (the reply items on the following lines are indented, separated by commas, with no comma after the last one):

<username> Cleartext-Password := "<password>"
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = "shell:priv-lvl=15"

e.g.

jamie Cleartext-Password := "oliver"
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = "shell:priv-lvl=15"

Note: make sure you follow the exact syntax. Linux is unforgiving in a way: if there is an error it won’t necessarily fail loudly, it just won’t work, and it won’t show you where the error is coming from.

Save, close gedit and run service radiusd restart for the changes to take effect.

BTW, before we start configuring our client switch, let’s turn off the CentOS firewall by typing service iptables stop. I know we are not supposed to do this in production, but again, the purpose of this lab is to authenticate users using RADIUS.

CONFIGURE YOUR CLIENT (CISCO SWITCH)

Console in to the switch, change the hostname (SW1), assign the IP address 10.1.1.1/24 to VLAN 1 and plug the PC’s NIC into one of the switch’s ports. Make sure your CentOS VM has a static IP and can ping your switch.

SW1(config)#username admin privilege 15 secret letmein
SW1(config)#enable secret cisco

This creates a local user and password with privilege level 15, so in the event that our RADIUS server is down, or we don’t have a user entered on the server, we can still access the device.

Now let’s start configuring SW1 for AAA:

SW1(config)# aaa new-model
SW1(config)# radius-server host 10.1.1.2 auth-port 1812 acct-port 1813 key secretkey

* remember secretkey is the password we assigned for this client in clients.conf

SW1(config)# aaa authentication login default group radius local
SW1(config)# line vty 0 4
SW1(config-line)# login authentication default
SW1(config-line)# line con 0
SW1(config-line)# login authentication default
SW1(config-line)# exit

SW1(config)# aaa authorization exec default group radius if-authenticated
SW1(config)# aaa accounting exec default start-stop group radius
SW1(config)# aaa accounting system default start-stop group radius

That wasn’t so bad, right? :) Now all we have to do is get onto a PC that belongs to our 10.1.1.0/24 network and telnet into our switch using our user jamie, password oliver. Or… you can just go to your switch and telnet to yourself. Yes, you can do it this way just for testing purposes.