Ahead of schedule

I don't know, but it seems like this week has been pretty good in terms of study. I have been passing all my practice exams and the labs have been going smoothly with no dramas at all. I would hit the books once in a while if I forgot something, but that's it.

It has been a month and 2 days since I did my route exam with the goal of finishing all three exams within the year. I am feeling more confident, even playing with the thought of taking the exam as early as two weeks from now.

That is just crazy but then again the thought of what happened during my route exam still haunts me. I don’t want to put myself in that situation of panic and for a time I doubted even passing the exam. 

So far the plan is: go through all the practice exams, read, do labs, and if all is good I will move my exam to the 2nd week of July.


L3 PVLAN configs

Another way of setting up private VLANs is with a L3 switch. The commands are mostly the same; the only difference is that you do the secondary-VLAN mapping on the primary VLAN's interface (the SVI) instead of on a promiscuous port.

! primary vlan, with both secondary vlans associated to it
vlan 150
name ServerFarm
private-vlan primary
private-vlan association 151-152

! isolated secondary vlan
vlan 151
private-vlan isolated

! community secondary vlan
vlan 152
private-vlan community

! SVI of the primary vlan: the mapping goes here instead of on a promiscuous port
int vlan 150
ip address 172.16.150.4 255.255.255.0
private-vlan mapping 151-152
standby 1 ip 172.16.150.1
standby 1 priority 150
standby 1 preempt

You will notice that I have included the HSRP config as well; the priority and preempt lines are there to make sure that this switch is your active router.

PVLAN fun

(Diagram of the PVLAN lab topology)

I find PVLAN an interesting topic, interesting enough for me to post something about it.

Private VLANs (PVLAN) are usually implemented in environments where hosts belonging to the same subnet need to be grouped into separate sub-VLANs. One application would be a data center where servers in a server farm belong to the same VLAN, but since each server serves particular clients, they are not supposed to talk to each other or receive broadcasts from neighbouring servers.

Another case is with ISPs: home subscribers belong to one subnet, but there should be a way for a subscriber to reach only the gateway and not the other clients within the subnet.

All of this is possible with Private VLANs. They are fairly simple to set up:

  • Determine your primary VLAN (promiscuous port)
  • Determine your secondary VLANs (isolated and community ports)

Promiscuous ports are ports connected to the router, firewall or gateway. They are mapped to secondary vlans. 

Isolated ports are associated with an isolated VLAN, where hosts can only communicate with the gateway; hosts in the isolated VLAN won't receive each other's broadcasts.

Community ports are ports connected to the community vlan where hosts can communicate with each other and the promiscuous port. 

Let's begin configuring, shall we? In my diagram above, let us say we are managing a mini server farm and a couple of management hosts on the same switch, using the same VLAN. All devices will use the router to reach the internet. The servers will be in isolated VLAN 200, while the management hosts will be in community VLAN 300.

conf t
vlan 200
private-vlan isolated
vlan 300
private-vlan community
vlan 100
private-vlan primary
private-vlan association 200,300

! configure our server farm to vlan 200

int range fa0/2 - 4
switchport mode private-vlan host
switchport private-vlan host-association 100 200
exit

! now let us configure our management hosts to vlan 300

int range fa0/5 - 7
switchport mode private-vlan host
switchport private-vlan host-association 100 300

! configure the promiscuous port leading to the router

int fa0/1
switchport mode private-vlan promiscuous
switchport private-vlan mapping 100 200,300

Oh yeah and the show commands that can be used to verify stuff:

show int fa0/2 switchport

show vlan private-vlan

show vlan int fa0/2

A good way to test your lab would be to connect a couple of hosts to each VLAN and make sure hosts in VLAN 300 can ping each other and the gateway but can't ping hosts in VLAN 200.

Hosts in VLAN 200 won't be able to ping anybody except the gateway. The whole point of this is that all hosts are in the same subnet.
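As an added check of my own (not code from either PVLAN post above), here is a small Python validator for the style of config used in the L3 PVLAN and PVLAN fun posts. It flags the slips that break isolation silently: a primary VLAN whose association list names a VLAN never declared as secondary (or itself), a role overridden by a repeated vlan block, and a host-association or mapping that references a secondary VLAN not associated with that primary. The sample config is constructed to mirror the hand-typed mistake in the L3 post.

```python
import re

def expand(spec):  # '200,300' -> {200, 300}; '151-152' -> {151, 152}
    out = set()
    for part in spec.split(","):
        ends = [int(x) for x in part.split("-")]
        out.update(range(min(ends), max(ends) + 1))  # a reversed range like 151-150 still yields both ids
    return out

def parse_pvlan(config):  # vlan roles/associations plus each interface's host-association / mapping
    vlans, ifaces, cur, kind = {}, {}, None, None
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"vlan (\d+)$", line):
            cur, kind = int(m.group(1)), "vlan"
            vlans.setdefault(cur, {"role": None, "assoc": set()})
        elif m := re.match(r"int(?:erface)?(?: range)? (.+)$", line):
            cur, kind = m.group(1), "iface"
            ifaces.setdefault(cur, {})
        elif kind == "vlan" and (m := re.match(r"private-vlan (primary|isolated|community)$", line)):
            vlans[cur]["role"] = m.group(1)  # a repeated 'vlan N' block silently overrides the role
        elif kind == "vlan" and (m := re.match(r"private-vlan association ([\d,-]+)$", line)):
            vlans[cur]["assoc"] = expand(m.group(1))
        elif kind == "iface" and (m := re.match(
                r"(?:switchport )?private-vlan (host-association|mapping)(?: (\d+))? ([\d,-]+)$", line)):
            svi = re.match(r"vlan (\d+)$", cur)  # on an SVI the primary vlan is the SVI's own vlan
            ifaces[cur][m.group(1)] = (int(m.group(2) or (svi.group(1) if svi else 0)), expand(m.group(3)))
    return vlans, ifaces

def check_pvlan(config):  # returns the problems found; an empty list means the PVLAN config is coherent
    vlans, ifaces = parse_pvlan(config)
    bad = []
    for v, d in vlans.items():
        if d["assoc"] and d["role"] != "primary":
            bad.append(f"vlan {v}: association configured on a non-primary vlan")
        bad += [f"vlan {v}: associated vlan {s} is not a declared secondary vlan" for s in sorted(d["assoc"])
                if s == v or vlans.get(s, {}).get("role") not in ("isolated", "community")]
    for name, cfg in ifaces.items():
        for mode, (prim, secs) in cfg.items():
            if vlans.get(prim, {}).get("role") != "primary":
                bad.append(f"{name}: {mode} references vlan {prim}, which is not a primary vlan")
            else:
                bad += [f"{name}: {mode} uses vlan {s}, not associated with primary {prim}"
                        for s in sorted(secs - vlans[prim]["assoc"])]
    return bad

# Constructed sample reproducing the slip in the L3 post above: 151-150 typed for 151-152, and vlan 150
# declared a second time (as isolated) where vlan 151 was meant.
BAD = ("vlan 150\nprivate-vlan primary\nprivate-vlan association 151-150\nvlan 150\nprivate-vlan isolated\n"
       "vlan 152\nprivate-vlan community\nint vlan 150\nprivate-vlan mapping 151-152")
```

Run `check_pvlan` over a config pasted from `show running-config`; it reports four problems for the constructed sample and nothing for the corrected configs.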

Simple DOT1X lab with Windows 7, Cisco 2950, CentOS w/ FreeRadius

IEEE dot1x is an authentication standard in which a user is authenticated by an AAA server before it can gain access to the LAN through the switch port. It is one of the topics covered in the CCNP Switch exam; however, the Cisco material only covers the switch configuration. In this lab we will try to see it in full action with clients and servers, particularly FreeRadius on CentOS authenticating a Windows 7 machine.

Requirements:

  • Centos running FreeRadius
  • Windows 7
  • 2950 Switch

The point of this lab is simply to see dot1x in action and what it looks like when it is trying to authenticate a user accessing our LAN.

I won't go over how to set up FreeRadius on CentOS because I have already covered this in a previous blog post:

https://delanajero.wordpress.com/2014/05/04/freeradius-centos-cisco/ 

For this lab I have username: hello password: world

It is basically the same topology as in my FreeRadius post. Make sure you can ping the switch from CentOS and vice versa.

How do you set up your Windows 7?

Click Start > in the search box type "services.msc" > look for "Wired AutoConfig".

Change the startup type to Automatic and click the start button.


Click OK, then close the services.msc window.

Click on the Start button again and search for Network and Sharing Center. In the left-hand corner click the "Change adapter settings" link. Find your network adapter > right-click > choose Properties > click the Authentication tab.

Click the Additional Settings... button, make sure to tick the "Specify authentication mode" radio button, and choose "User authentication".

Click OK twice and that should be it for Windows 7. Plug the PC's NIC into one of the switch ports configured with dot1x authentication.

Let us console in to the switch and type the following commands:

conf t

! the radius-server host and key lines are already in place from the FreeRadius post
aaa new-model
aaa authentication dot1x default group radius local
dot1x system-auth-control

! the PC is connected here
interface FastEthernet0/1
switchport mode access
dot1x port-control auto
spanning-tree portfast

Save your config and run `debug dot1x error`, just to monitor what errors come up in the event that authentication fails.

Windows 7 will prompt you for a username and password; in my case it asked twice. On the switch you can type "show dot1x int fa0/1" and expect to see this:

(Screenshot of the show dot1x int fa0/1 output showing the port authorized)

Windows 7 has been successfully authenticated by FreeRadius via dot1x. The PC now has access to LAN resources.

Hard work beats talent when talent doesn’t work hard…

There are days when you just don't feel like working or doing something. For the past couple of days I realized I have been more focused on what the other guy is doing. I was thinking it's unfair: how come I have to work hard and they don't, and still get away with it?

There are even days when I start doubting whether I can actually take my switch exam on schedule. I go through the practice exams and I end up empty, like I have no idea what the question is all about.

Last Sunday at church a visiting pastor said something about "work willingly", meaning no matter how little or minuscule the job is, give it your best. It reminded me of a quote from Don Bosco, the priest who championed the youth of his time and built schools, one of which I am a product of. He said to do all things extraordinarily well. He also said "Meliora Eligo", which means "I choose the better things", only the best.

Excellence always comes with the price of working hard, and it's a marathon, not a sprint. Kevin Durant of OKC was right: "Hard work beats talent when talent doesn't work hard"...

Recover the UC540


For the last two days I have not been focused on my CCNP switch exam; however, I have been busy with other Cisco-related stuff. I have been playing around with the UC540, and all I can say is that if there is one device I could choose from Cisco, this would be it. The ultimate ISR: it does switching, routing, VPN, VoIP, integrates with your PSTN, and wireless. That is just sick technology in this small baby. Plus, it is quiet.

While going through all the UC540s making sure everything was running 'A' OK, I found that one of them had a 128MB flash that had obviously been swapped. I found it in one of the 1841s, erased. Awesome! So I had the exciting job of restoring the thing.

When a router is rebooted without an IOS image file, it will come up in ROMMON mode.
This can be a very frustrating experience for users who are not familiar with this process.
Using this document, you should be able to put a new image on the UC540.

Connect a PC/Laptop to the WAN port. Don’t worry if the port won’t do anything.

I have given the PC the following settings:
IP Address: 192.168.1.100
Netmask: 255.255.255.0
Default Gateway: 192.168.1.200

I made sure I had the TAR file for the UC540, to extract both the phone files and the IOS image itself. I am also using the SolarWinds TFTP server; make sure it is started.

In my example, the file is uc500-advipservicesk9-mz.124-20.T2. This is case sensitive.
You can get image files from http://www.cisco.com/cgi-bin/tablebuild.pl/UC520.
They are inside of software packs but start off with uc500-advipservices.
You must have a CCO login to access that URL.

The following commands will configure the UC500 and start the TFTP download process. You must connect to the console port of the UC500 for the next steps.

rommon 10 > IP_ADDRESS=192.168.1.200 (This is the temporary IP address assigned to the UC500)
rommon 11 > IP_SUBNET_MASK=255.255.255.0 (Same as on the tftp server)
rommon 12 > DEFAULT_GATEWAY=192.168.1.100
rommon 13 > TFTP_SERVER=192.168.1.100 (Tftp server’s IP address)
rommon 14 > TFTP_FILE=uc500-advipservicesk9-mz.124-20.T2 (Exact name – case sensitive)
rommon 15 > TFTP_CHECKSUM=0
rommon 16 > tftpdnld
It will then ask you if you want to continue with the TFTP download process.

The text above is laid out so that you can cut and paste it, making this process easier.

At this point, the router should reboot and come up with the new image.

At this point it's not yet done: I still need to extract the phone files onto the router from the TFTP server with the following command.

Router# archive tar /extract tftp://192.168.1.100/uc540.tar flash:

Once everything is extracted, type dir and look for the file UC540W-FXO-K9-factory-7.1.3.cfg, then overwrite the startup config with it:

Router# copy flash:UC540W-FXO-K9-factory-7.1.3.cfg start

Router#reload

2 weeks since ccnp route

I was looking at my calendar last night and realized it's been only 2 weeks since I took my route exam. I am impressed how far I've gone with my switch study. I have gone through all the CBTNuggets videos and I think I am halfway through Chris Bryant's CCNP switch boot camp series. As much as possible I try to learn something new each day.

My thoughts: it clearly drew a line that differentiates CCNA from CCNP. Going through Route I realized that there were a lot of topics on the new CCNA that overlapped with routing. Switching introduced layer 3 switching, a deeper understanding of security, VoIP including quality of service, wireless, and more access lists, particularly VLAN ACLs. ACLs are everywhere. If CCNA was big on subnetting, I could say CCNP is huge on ACLs: ACLs are in PBR, VACL, PACL, iACL, distribute lists, prefix lists, and the list goes on.