Step by Step guide to build a Cisco wireless infrastructure using Cisco WLC 5500, Cisco 1142 AP and Microsoft Radius server

April 30, 2010

Pre-requisites:

  1. Microsoft Active Directory and DNS
  2. DHCP Server with new scope configured
  3. IP helper-address configured
  4. Microsoft Radius (IAS) Server 2003 or Microsoft Network Policy Server 2008
  5. Microsoft Enterprise root CA
  6. Cisco Wireless LAN controller (WLC) 5500
  7. Cisco AIR-LAP1142N wireless access point (AP)
  8. Separate VLAN for wireless infrastructure
  9. WLC, AP and IAS placed in same VLAN
  10. Windows 7 or Windows XP or Mac OSX/snow leopard client

Assumptions:

1) AD and DNS working perfectly.

2) DHCP server IP: 10.10.9.4

New scope for the wireless network:

IP range: 10.10.10.1-10.10.11.254, subnet mask: 255.255.255.0

Gateway: 10.10.10.1, exclusion: 10.10.10.1-10.10.10.10

NTP: 10.10.9.5

3) WLC

IP: 10.10.10.2, WLC subnet: 255.255.255.0, gateway: 10.10.10.1

Time provider: 10.10.9.5

4) IAS IP: 10.10.10.3, subnet: 255.255.255.0, gateway: 10.10.10.1

5) IP range 10.10.10.1-10.10.11.254 added to the internal networks in ISA or Forefront TMG.

6) Interface 1 of the WLC connected to a trunk port of the Layer 3 switch or core switch

7) Wireless infrastructure VLAN ID/tag 100

Add Lightweight Cisco Aironet 1142 in DHCP Server

Note: Follow these steps for the newly added DHCP scope mentioned in the assumptions.

1. In order to configure these options in the Windows DHCP server, open the DHCP Server Administration Tool (MMC). Right-click the DHCP root, and then choose Define Vendor Classes.

2. The DHCP Vendor Classes utility appears. Click Add.

3. A New Class configuration box appears. Enter a value for the Display Name field, for example “Cisco Aironet c1142 AP”, and an appropriate description such as “Vendor Class identifier for Cisco Aironet c1142 AP”. Click the ASCII section and enter the appropriate string value, such as Cisco AP c1142 (without quotation marks), for the Vendor Class Identifier. Click OK. Then click Close on the DHCP Vendor Classes window.

4. Add an entry for the WLAN controller sub-type as a predefined option configured for the Vendor Class. Right-click the DHCP server root, and then choose Set Predefined Options.

5. Choose the newly created Vendor Option Class in the Option Class field, and then click Add.

6. The Option Type box appears. In the Name field, enter a string value, for example Option 43. Choose IP Address as the Data Type. Check the Array check box. In the Code field, enter the sub-option code value 241 (0xf1). Enter a Description such as Wireless LAN Controller IP address. Click OK.

7. The Vendor Class and sub-option are now programmed into the DHCP server. Now the vendor-specific information must be defined for the AP DHCP scope. Choose the appropriate DHCP scope. Right-click Scope Options, and choose Configure Options.

8. Click the Advanced tab. Choose the Vendor Class you previously defined. Check the 241 Option 43 check box, and then enter each WLC management interface IP address (example: 10.10.10.2). Click Apply.

9. Once you complete this step, DHCP option 43 is configured. Because the option's data type is IP address, the DHCP server sends option 43 to the LAPs together with their lease, so the LAPs learn the WLC management address. DHCP option 43 (241 Cisco Wireless AP) is now available for the newly created DHCP scope for the Cisco APs.

10. To verify, click Scope Options in the newly created DHCP scope; you will see 241 Cisco Wireless AP, or whatever you entered in the Description.
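As an added example (not part of the original article), the following Python builds and parses the option 43 payload that the steps above define: sub-option 241 (0xf1), a length of 4 bytes per controller, and the WLC management IPs as the value, using the article's controller address 10.10.10.2. The second controller address 10.10.10.5 and the helper that prints the equivalent IOS `ip dhcp pool` hex syntax are assumptions added for illustration.

```python
"""Encode and decode DHCP option 43 for Cisco lightweight APs (sub-option 241)."""
import ipaddress
import struct

WLC_SUBOPTION = 241              # 0xf1, the value entered in the "Code" field above
VENDOR_CLASS = "Cisco AP c1142"  # vendor class identifier string from the article


def build_option43(controllers):
    """Return the raw option 43 payload: type 241, length 4*n, n packed IPv4 addresses."""
    addrs = [ipaddress.IPv4Address(c) for c in controllers]
    if not addrs:
        raise ValueError("at least one controller IP is required")
    if len(addrs) * 4 > 255:
        raise ValueError("too many controllers for a single-byte TLV length")
    value = b"".join(a.packed for a in addrs)
    return struct.pack("BB", WLC_SUBOPTION, len(value)) + value


def parse_option43(payload):
    """Walk the vendor-specific TLVs and return the WLC IPs carried in sub-option 241.

    Other sub-options are skipped; a truncated TLV or a 241 value that is not a
    whole number of IPv4 addresses is rejected rather than silently misread.
    """
    controllers = []
    i = 0
    while i + 2 <= len(payload):
        sub_type, length = payload[i], payload[i + 1]
        i += 2
        value = payload[i:i + length]
        if len(value) != length:
            raise ValueError("truncated TLV in option 43")
        i += length
        if sub_type == WLC_SUBOPTION:
            if length % 4 != 0:
                raise ValueError("sub-option 241 length is not a multiple of 4")
            for off in range(0, length, 4):
                controllers.append(str(ipaddress.IPv4Address(value[off:off + 4])))
    return controllers


def ios_option43_hex(controllers):
    """Format the same payload as an IOS DHCP pool line, e.g. 'option 43 hex f104.0a0a.0a02'."""
    raw = build_option43(controllers).hex()
    groups = [raw[i:i + 4] for i in range(0, len(raw), 4)]
    return "option 43 hex " + ".".join(groups)


if __name__ == "__main__":
    single = build_option43(["10.10.10.2"])
    print(single.hex())                         # f1040a0a0a02
    print(parse_option43(single))               # ['10.10.10.2']
    print(ios_option43_hex(["10.10.10.2", "10.10.10.5"]))
```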

Add a new VLAN in the core switch (example: Cisco 4506) or L3 switch:

Note: The entire wireless infrastructure will be placed in this VLAN.

Switch#vlan database

Switch(vlan)#vlan 100

Switch(vlan)#name Wireless Network

Switch(vlan)#exit

Switch#configure terminal

Switch(config)#interface vlan 100

Switch(config-if)#description Wireless Network

Switch(config-if)#ip helper-address 10.10.9.4

Switch(config-if)#ip address 10.10.10.1 255.255.255.0

Switch(config-if)#no shutdown

Switch(config-if)#end

Switch#wr

Create a trunk port in the core switch (Cisco 4506) or L3 switch

Note: This trunk will connect to the Cisco WLC 5500 using CAT6 or fibre optic.

Switch#configure terminal

Switch(config)#interface gigabitethernet 6/11

(6/11 means module 6, port 11)

Switch(config-if)#switchport trunk encapsulation dot1q

Switch(config-if)#switchport mode trunk

Switch(config-if)#end

Switch#wr

Switch#show run

Create VLAN access ports in a switch (example: Cisco 2960G)

Note: This port will connect to a Cisco 1142 AP. Wherever you want a wireless AP, configure a port with the same VLAN (for this article, VLAN 100). Connect the AP to this port after configuring the following, and repeat for all the APs.

Switch#configure terminal

Switch(config)#interface gigabitethernet 0/7

Switch(config-if)#switchport access vlan 100

Switch(config-if)#end

Switch#wr

Create AAA server(s):

Authorization: IAS policies (remote access policies applied in the IAS server for wireless 802.1X)

Authentication: RADIUS server (EAP type: PEAP, encryption: MSCHAPv2)

Accounting: RADIUS server (logs any successful and/or failed connection attempt)

Use this link to configure the Enterprise Root CA.

Install IAS on a member server. Install a computer certificate on the IAS server and create a new policy using this link, Configure PEAP and EAP methods, or follow the step-by-step guidelines in these links: Configure Microsoft Radius Server and Network Policy Server. It would be redundant to write them again.

Cisco 5500 Series Wireless Controller Installation Guide Using the Start-up Wizard

Mount the Cisco 5500 in a rack. Connect the WLC to a laptop using the console port. Connect the WLC to the core switch or L3 switch using a CAT6 cable, or fibre optic if you have an SFP. Now power on the WLC.

Note: The available options appear in brackets after each configuration parameter. The default value appears in all uppercase letters.

Note: Press the hyphen key if you need to return to the previous command line. To configure the controller for basic operation using the Start-up Wizard, follow these steps:

Step 1 When prompted to terminate the Auto-Install process, enter yes. If you do not enter yes, the Auto-Install process begins after 30 seconds.

Note: The Auto-Install feature downloads a configuration file from a TFTP server and then loads the configuration onto the controller automatically.

Step 2 Enter the system name, which is the name you want to assign to the controller. You can enter up to 32 ASCII characters. (Example: MS_5500)

Step 3 Enter the administrative username and password to be assigned to this controller. You can enter up to 24 ASCII characters for each. The default administrative username and password are admin and admin, respectively. (Example: username Admin and password cisco)

Step 4 If you want the controller’s service-port interface to obtain an IP address from a DHCP server, enter DHCP. If you do not want to use the service port or if you want to assign a static IP address to the service-port interface, enter none.

Important! On the Cisco 5500, the management interface also acts as the service interface. To avoid any complication, just hit Enter at this option. The service-port interface controls communications through the service port. Its IP address must be on a different subnet from the management interface. This configuration enables you to manage the controller directly or through a dedicated management network to ensure service access during network downtime.

Step 5 If you entered none in Step 4, enter the IP address and netmask for the service-port interface on the next two lines.

Step 6 Enable or disable link aggregation (LAG) by choosing yes or no. You may type no if you don’t have two or more Cisco WLCs.

Step 7 Enter the IP address, netmask, default router IP address, and optional VLAN identifier (a valid VLAN identifier or 0 for an untagged VLAN) for the management interface.

Note: The VLAN identifier should be set to match the switch interface configuration. (Example: IP 10.10.10.2, WLC subnet 255.255.255.0, gateway 10.10.10.1 and VLAN tag/ID 100)

Step 8 Enter the IP address of the default DHCP server that will supply IP addresses to clients, the controller’s management interface, and optionally the service-port interface.

Note: The management interface is the default interface for in-band management of the controller and connectivity to enterprise services such as AAA servers. (Example: DHCP server IP 10.10.9.4)

Step 9 Enter the IP address of the controller’s virtual interface, which will be used by all controller Layer 3 security and mobility managers. You should enter a fictitious, unassigned IP address, such as 1.1.1.1.

Note: The virtual interface is used to support mobility management, DHCP relay, and embedded Layer 3 security such as guest web authentication and VPN termination. All controllers within a mobility group must be configured with the same virtual interface IP address.

Step 10 If desired, enter the name of the mobility group/RF group to which you want the controller to belong.

Note: Although the name that you enter here is assigned to both the mobility group and the RF group, these groups are not identical. Both groups define clusters of controllers, but they have different purposes. All of the controllers in an RF group are usually also in the same mobility group and vice versa. However, a mobility group facilitates scalable, system-wide mobility and controller redundancy, while an RF group facilitates scalable, system-wide dynamic RF management.

Step 11 Enter the network name, or service set identifier (SSID). The initial SSID enables basic functionality of the controller and allows access points that have joined the controller to enable their radios. (Example: Mycompanywireless)

Step 12 Enter yes to allow clients to assign their own IP address, or no to make clients request an IP address from a DHCP server. (Type yes at this step)

Step 13 To configure a RADIUS server now, enter yes and then enter the IP address, communication port, and secret key of the RADIUS server. Otherwise, enter no. (Type yes; IAS IP 10.10.10.3, subnet 255.255.255.0, gateway 10.10.10.1)

Step 14 Enter the code for the country in which the controller will be used.

Note: Enter help to view the list of available country codes. (Example: the country code for Australia is AU)

Step 15 Enter yes to enable or no to disable each of the 802.11b, 802.11a, 802.11g, and 802.11n lightweight access point networks. (Type yes)

Step 16 Enter yes to enable or no to disable the controller’s radio resource management (RRM) auto RF feature. (Type yes)

Note: The auto RF feature enables the controller to automatically form an RF group with other controllers. The group dynamically elects a leader to optimize RRM parameter settings, such as channel and transmit power assignment, for the group.

Step 17 If you want the controller to receive its time setting from an external Network Time Protocol (NTP) server when it powers up, enter yes to configure an NTP server. Otherwise, enter no. (Type yes; time provider 10.10.9.5)

Step 18 If you entered no in the previous step and want to manually configure the system time on your controller now, enter yes. If you do not want to configure the system time now, enter no.

Step 19 If you entered yes in the previous step, enter the current date in MM/DD/YY format and the current time in HH:MM:SS format.

Step 20 When prompted to verify that the configuration is correct, enter yes or no. The controller saves your configuration, reboots, and prompts you to log in.

Verifying Interface Settings and Port Operation

Follow these steps to verify that your interface configurations have been set properly and the controller’s ports are operational.

Step 1 Enter show interface summary. The controller’s current interface configurations appear:

Interface Name   Port  VLAN Id  IP Address   Type    AP Mgr  Guest
---------------  ----  -------  -----------  ------  ------  -----
management       1     100      10.10.10.2   Static  Yes     No
service-port     N/A   N/A      0.0.0.0      Static  No      No
virtual          N/A   N/A      1.1.1.1      Static  No      No

Step 2 Enter show port summary. The following information appears, showing the status of the controller’s distribution system ports, which serve as the data path between the controller and Cisco lightweight access points and to which the controller’s management interface is mapped.

          STP   Admin   Physical  Physical   Link    Link    Mcast
Pr  Type  Stat  Mode    Mode      Status     Status  Trap    Appliance  POE
--  ----  ----  ------  --------  ---------  ------  ------  ---------  ---
1   Normal Forw Enable  Auto      1000 Full  Up      Enable  Enable     N/A
2   Normal Forw Enable  Auto      1000 Full  Up      Enable  Enable     N/A

Configure Security and AAA Server in WLC 5500

1. Open IE or Firefox, type the IP address of the WLC in the address bar as https://10.10.10.2 (bypass the proxy if you need to) and hit Enter.

2. Click Login and provide the login credentials you created in the start-up wizard.

3. Click on Wireless. In the left-hand pane click Authentication. You will see the IP address and port number 1812 of the RADIUS server.

4. In the left-hand pane click on Accounting. Click New in the top right corner. You will be presented with a window to add a RADIUS server. Provide the IP of the RADIUS server, the shared secret and port 1813. Apply the changes.

5. Click on WLANs > click on 1 > click on the General tab > check Enabled on Status and check Enabled on Broadcast SSID.

6. Click on the Security tab > click the Layer 2 tab > select WPA+WPA2 from the Layer 2 security drop-down list > check WPA policy and TKIP, or WPA2 policy and TKIP. On the same page, under Auth Key Mgmt, select 802.1X. Now click the Apply button.

7. Click on AAA Servers > select the Authentication and Accounting server from the Server 1 drop-down list. Here the Authentication and Accounting server is the RADIUS server. Check Enabled on both the Authentication and Accounting radio buttons. Click Apply.

8. In the top left corner, click on Monitor and scroll down to make sure you see all the APs.

Add WLC 5500 in the IAS server as a RADIUS client

1. Log on to the IAS server as an administrator.

2. Open Internet Authentication Service from Administrative Tools.

3. Right-click on RADIUS Clients > click Add RADIUS Client. You will be presented with the New RADIUS Client window. Type the IP address of the WLC 5500 and a friendly name such as WLC. Click Next.

4. In this window, select RADIUS Standard as the Client-Vendor, provide the shared secret (must be the same as in the WLC configuration in Step 13), repeat the shared secret and click Finish.

5. Close the IAS console and log out.

Testing the network

Log on to the Windows XP or Windows 7 client as a domain user while the client is connected via CAT5 or CAT6. Make sure this domain user is a member of the wireless access group and is allowed remote access (Dial-in tab of the AD user properties). Install computer and user certificates on that client. Now turn on the wireless NIC and unplug the CAT5 cable. View the available wireless networks, select the SSID you created in the previous steps and double-click it. You will be connected.

Important! If you set up WPA and TKIP in the WLC then you must set up WPA and TKIP in the client also. The same applies to WPA2 and TKIP or WPA2 and AES. Both sides must match each other.

For Mac clients, see my previous post in the link.

Configure Group Policy for 802.1x wireless network

  1. Open the Group Policy Management Console (GPMC).
  2. Create a new Group Policy Object and link it to the desired OU.
  3. Right-click on the newly created GPO and choose Edit.
  4. Go to Computer Configuration, open Windows Settings, open Security Settings, and then select Wireless Network (IEEE 802.11) Policies.
  5. Right-click Wireless Network (IEEE 802.11) Policies, click Create A New Policy and type a policy name.
  6. Open New Network Policy Properties > click on the Preferred Networks tab > to add a new profile, click Add > type the SSID that corresponds to the SSID configured on your WLC security tab.
  7. Under Wireless network key, select WPA and TKIP, or whatever is configured in the WLC.
  8. In the IEEE 802.1x tab, set the EAPOL-Start message to Transmit per IEEE 802.1x.
  9. In the EAP type, select PEAP.
  10. Check "Authenticate as computer when computer information is available" and also select "Computer authentication with user authentication" from the drop-down box.
  11. Now press OK, Apply and OK.

Work Around with WLC 5500 

Open IE, type the IP of the WLC in the address bar (bypassing the proxy) and hit Enter. Click on Logon, provide your logon credentials and click OK.


Accessing the WLC using telnet

Open a command prompt and type telnet IP_Address


Necessary Links

Export a certificate with the private key

Import a certificate

Cisco 5500 WLC

Cisco Wireless AP

Microsoft Radius Server

Relevant Articles

WLAN Controller Failover for Lightweight Access Points Configuration Example

Wireless LAN Controller (WLC) Configuration Best Practices

How to configure Microsoft Radius Server (IAS) for Macintosh OSX 10.5, Windows 7 and windows XP Pro client

Install and configure Microsoft Active Directory Certificate Services (AD CS) using Windows Server 2008 R2

Windows Server 2008: how to configure Network Policy Server or Radius Server –Step by Step Guide

Overview of the Wi-Fi Protected Access (WPA) security update in Windows XP



How to backup Cisco switch/router config in easy steps

October 15, 2009

Step 1: Create a text file in the C:\ drive or your preferred drive and name it something like switch-config.txt, or your preferred name.

Step 2: Open a command prompt and type as follows:

telnet -f c:\switch-config.txt IP-Address-of-switch

switch>enable

provide the privilege password

switch#terminal length 0

switch#show run

switch#show start

switch#show vlan brief

Now you can exit from telnet, go to the C:\ drive and open switch-config.txt to view the switch/router config.


Cisco core 4506: Sample config

October 15, 2009

If you are thinking you could see a sample core switch config and modify it according to your needs, here I would like to share a sample config…

Building configuration…
Current configuration : 6599 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
service compress-config
!
hostname core-4506
!
enable secret 5 $1$XF/2$bxyvsqDf1LZ6n8TFyhwmg1
enable password 7 0518090035445D08000005
!
clock timezone WST 8
ip subnet-zero
no ip domain-lookup
ip domain-name YourDomainName
ip name-server xx.xx.xx.xx
ip name-server xx.xx.xx.xx
!
no file verify auto
!
spanning-tree mode pvst
spanning-tree portfast bpduguard default
spanning-tree extend system-id
spanning-tree vlan 1-3 priority 8192
power redundancy-mode redundant
!
!
!
vlan internal allocation policy ascending
!
interface GigabitEthernet1/1
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/2
!
interface GigabitEthernet2/1
!
more interface…………

interface GigabitEthernet3/1
!
interface GigabitEthernet3/2
!
interface GigabitEthernet4/1
!
more interface……………..
interface GigabitEthernet4/6
!
interface GigabitEthernet5/1
!
interface GigabitEthernet6/2
switchport access vlan 5
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet6/4
switchport access vlan 200
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet6/5
switchport access vlan 105
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet6/9
switchport access vlan 5
switchport mode access
spanning-tree portfast
!
more interface config………….based how many modules you have….

interface GigabitEthernet6/15
switchport access vlan 5
switchport trunk encapsulation dot1q
!
interface GigabitEthernet6/23
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet6/24
switchport access vlan 3
switchport mode access
spanning-tree portfast
!
interface Vlan1
description Admin VLAN
no ip address
!
interface Vlan2
no ip address
!
interface Vlan3
description Live Internet
no ip address
!
interface Vlan5
description Server VLAN
ip address 10.143.8.2 255.255.255.128
ip helper-address 10.143.8.24
!
interface Vlan6
description iMac_iPhone
ip address 10.143.7.1 255.255.255.128
ip helper-address 10.143.8.24
!
interface Vlan7
description Printer_SRV
ip address 10.143.6.1 255.255.255.128
ip helper-address 10.143.8.24
!
interface Vlan10
description thin client
no ip address
!
interface Vlan15
description thin client
no ip address
!
interface Vlan16
description thin client Relay
no ip address
!
interface Vlan50
description Admin Network
no ip address
shutdown
!
interface Vlan100
description Special Network
ip address 10.143.12.1 255.255.252.0
ip access-group 101 in
ip helper-address 10.143.8.24
ip helper-address 10.143.8.5
!
interface Vlan105
description staff Network
ip address 10.143.10.1 255.255.254.0
ip helper-address 10.143.8.24
ip helper-address 10.143.8.5
!
interface Vlan110
no ip address
!
interface Vlan200
description Wireless Network
no ip address
!
interface Vlan201
description MacWireless Network
no ip address
shutdown
!
interface Vlan900
description DMZ
no ip address
shutdown
!
ip default-gateway 10.142.8.31
ip route 0.0.0.0 0.0.0.0 10.143.8.1
ip route 10.1.9.105 255.255.255.255 10.143.8.1
ip route 10.142.8.0 255.255.248.0 Vlan1
ip route 10.143.6.0 255.255.255.128 Vlan7
ip route 10.143.7.0 255.255.255.128 Vlan6
ip route 10.143.8.0 255.255.255.128 Vlan5
ip route 10.143.10.0 255.255.254.0 Vlan105
ip route 10.143.12.0 255.255.252.0 Vlan100
ip http server
!
!
!
access-list 101 deny   ip 10.143.12.0 0.0.3.255 10.143.8.30 0.0.0.1
access-list 101 permit ip any any
!
snmp-server community public RO
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps stpx
snmp-server enable traps port-security
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps fru-ctrl
snmp-server enable traps flash insertion removal
snmp-server enable traps syslog
snmp-server enable traps bridge
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps hsrp
snmp-server enable traps bgp
snmp-server enable traps rtr
snmp-server enable traps vlan-membership
!
!
line con 0
password 7 030752452180500
login
stopbits 1
line vty 0 4
password 7 030754522180500
login
!
ntp clock-period 17179193
ntp peer 10.142.8.1
end
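A sample config like the one above is a good thing to run a quick review over before it goes on a production core switch: it carries `enable password` next to `enable secret`, type 7 (reversibly encoded) line passwords, the default `public` SNMP community, `ip http server` and vty lines with no `access-class`. The following Python is an added example (not from this post) that flags those settings; `SAMPLE_CONFIG` is a constructed excerpt in the same shape with placeholder secrets, and the check list and severities are my own choices.

```python
"""Flag weak settings in an IOS switch configuration dump."""
import re

# Constructed excerpt mirroring the sample config above; secrets are placeholders.
SAMPLE_CONFIG = """\
hostname core-4506
enable secret 5 $1$PLACEHOLDER$MD5HASHPLACEHOLDER
enable password 7 PLACEHOLDER_TYPE7
ip http server
snmp-server community public RO
line con 0
password 7 PLACEHOLDER_TYPE7
login
line vty 0 4
password 7 PLACEHOLDER_TYPE7
login
!
end
"""

SEVERITY = {"high": 3, "medium": 2, "low": 1}


def split_sections(config):
    """Split an IOS config into global lines and per-section bodies.

    A section starts at a 'line ...' or 'interface ...' header and ends at '!',
    'end' or the next header, so indented and unindented dumps both parse.
    """
    global_lines, sections, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in ("!", "end"):
            current = None
        elif line.startswith(("line ", "interface ")):
            current = line
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
        else:
            global_lines.append(line)
    return global_lines, sections


def audit(config):
    """Return (severity, finding) tuples for weak settings, most severe first."""
    findings = []
    global_lines, sections = split_sections(config)

    for line in global_lines:
        if re.match(r"enable password\b", line):
            findings.append(("high", "'enable password' present; keep only 'enable secret' (type 5 or stronger)"))
        if re.match(r"snmp-server community (public|private)\b", line):
            findings.append(("high", "default SNMP community string: " + line))
        if line == "ip http server" and "ip http secure-server" not in global_lines:
            findings.append(("medium", "HTTP management enabled without 'ip http secure-server'"))

    for header, body in sections.items():
        if not header.startswith("line "):
            continue
        if any(re.match(r"password 7\b", entry) for entry in body):
            findings.append(("medium", header + ": type 7 password is reversibly encoded, not hashed"))
        if header.startswith("line vty"):
            if not any(entry.startswith("access-class ") for entry in body):
                findings.append(("medium", header + ": no access-class limiting management sources"))
            if not any(entry.startswith("transport input ssh") for entry in body):
                findings.append(("low", header + ": 'transport input ssh' not set, so telnet is accepted"))

    # Stable sort keeps the order of discovery within each severity band.
    return sorted(findings, key=lambda f: SEVERITY[f[0]], reverse=True)


if __name__ == "__main__":
    for severity, finding in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {finding}")
```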


How to recover Cisco catalyst L2 and L3 switch password

October 13, 2009

Step 1: Connect a PC with terminal emulation (for example, HyperTerminal) to the console port of the switch using the following terminal settings:

  • Bits per second (baud): 9600
  • Data bits: 8
  • Parity: None
  • Stop bits: 1
  • Flow Control: Xon/Xoff

Unplug the power cable and hold down the Mode button located on the left side of the front panel while you reconnect the power cable to the switch. Hold it down for 5 seconds for Cisco 2950/2960 and 15 seconds for Cisco 3550/3750.

Step 2: Now you will be presented with the switch: prompt. Issue the flash_init command: switch: flash_init

Step 3: Issue the load_helper command: switch: load_helper

Step 4: Type switch: dir flash: to see the config file and the .bin file of the switch.

Step 5: Type rename flash:config.text flash:config.old to rename the configuration file. It will keep the existing config intact.

Step 6: Issue the boot command to boot the system: switch: boot. Now the switch will start booting as it does normally. Enter “n” at the prompt to abort the initial configuration dialog (Continue with configuration dialog? [yes/no]: n). No initial configuration is required as it is already configured.

Step 7: At the switch prompt, type en to enter enable mode. Issue the following commands.

Switch>en

Switch#

Switch#rename flash:config.old flash:config.text

Press Enter

Switch#copy flash:config.text system:running-config

Press Enter

Sw1#

Sw1# conf t

Sw1(config)#enable secret <your_secret_password>

Sw1(config)#enable password <Your_enable_password>

To reset VTY password

Sw1(config)#line vty 0 15

Sw1(config-line)#password <your_vty_password>

Sw1(config-line)#login

To reset the console password

Sw1(config-line)#line con 0

Sw1(config-line)#password <your_console_password>

Sw1(config-line)#end

Sw1#wr

Note: This procedure works for 2900XL, 3500XL, 2940, 2950, 2960, 2970, 3550, 3560, and 3750 series switches.

Keywords: Cisco, Layer 3 switch, Layer 2 switch, password recovery.


Choose right fibre optic for IT network

August 28, 2009

A reliable network is the basic requirement of every computer system. It comes first in every layer of communication, starting from the core, distribution and access networks. If this is not done properly, later on you will get a lot of hassle maintaining and upgrading these glass fibres.

Selecting the right type of fibre depends on individual need. It is necessary to evaluate the current needs of the network and then look down the road to how it will be used in the future. The cable used to upgrade an existing backbone, for example, may be different from the cable used to connect directly to a core switch module. Future bandwidth requirements, transmission distances and network architecture influence fibre selection just as much as current needs. Therefore, a careful assessment of potential network usage will help avoid the costs of preventable upgrades.

Multimode or single mode

Multi-mode (MM) optical fibre is a type of fibre optic mostly used for backbone communication over shorter distances, such as within a building or campus. Typical multimode links have data rates of 10 megabits/second to 10 gigabits/second over link lengths of up to 600 metres. Multi-mode fibres are described as OM1, OM2 and OM3, based on the bandwidth of the fibre. Among these three, OM3 gives the highest network speed.

Single-mode optical fibre is an optical fibre designed to carry only a single ray of light. In single-mode fibre, data can travel at up to 10 gigabits/second over distances of over 60 km with commercially available transceivers, and several hundred kilometres at 40 Gbit/second.

Duplex cable consists of two fibres, usually in a zip-cord style. Use duplex multimode or single-mode fibre optic cable for applications that require simultaneous, bi-directional data transfer. Network equipment requires duplex cable. Duplex fibre is available in single-mode and multimode.

Simplex fibre optic cable consists of a single fibre and is used in applications that only require one-way data transfer. Simplex fibre is available in single-mode and multimode.

Connectors and modules

Connectors keep the information flowing from cable to cable or cable to device (switch/router/server/storage). Traditionally, networks have relied on ST connectors. Over time, they have moved to SC connectors, which provide slightly better performance against loss, more efficient installation, and easier maintenance. Users embrace the LC connector as the data centre grows. These connectors offer lower loss in a smaller form factor and provide higher performance and greater fibre density. Most network equipment can rely on modular Gigabit fibre-optic interfaces, called GBIC and SFP transceivers.

In practice, you have to study your needs and justify your investment for the present and future. Choosing the right fibre optic will help you avoid upgrade hassle and future maintenance costs.


IP address and subnet

August 27, 2009

An IP address is an address used to uniquely identify a device such as a computer, server or printer on an IP network. The address is made up of 32 binary bits, which can be divided into a network portion and a host portion with the help of a subnet mask. The 32 binary bits are broken into four octets (1 octet = 8 bits). Each octet is converted to decimal and separated by a period (dot). IP addresses are divided into different classes: Class A (1.0.0.0-127.255.255.255), Class B (128.0.0.0-191.255.255.255), Class C (192.0.0.0-223.255.255.255), Class D (224.0.0.0-239.255.255.255), Class E, and Classless Inter-Domain Routing (CIDR).

  • Class A—The first octet (8bits) denotes the network address, and the last three octets (24bits) are the host portion. Any IP address whose first octet is between 1 and 126 is a Class A address. Note that 0 is reserved as a part of the default address, and 127 is reserved for loopback.
  • Class B—The first two octets (16 bits) denote the network address, and the last two octets (16 bits) are the host portion. Any address whose first octet is in the range 128 to 191 is a Class B address.
  • Class C—The first three octets (24bits) denote the network address, and the last octet (8bits) is the host portion. The first octet range of 192 to 223 is a Class C address.
  • Class D—Used for multicast. Multicast IP addresses have their first octets in the range 224 to 239.
  • Class E—Reserved for future use and includes the range of addresses with a first octet from 240 to 255.

Network Masks

A network mask identifies which portion of the address is the network and which portion is the node. Class A, B, and C networks have default masks, also known as natural masks, as shown here:

Class A: 255.0.0.0

Class B: 255.255.0.0

Class C: 255.255.255.0

Subnetting

By subnetting you will be able to create multiple logical networks within a single physically connected network (a single Class A, B, or C network). If you do not subnet, you are only able to use one network from your chosen Class A, B, or C network, which is crap. For example:

10.143.8.1 – 00001010.10001111.00001000.00000001

255.255.255.128 – 11111111.11111111.11111111.10000000

If you count the number of 1s in the bitmask you will get a total of 25. So the mask of 255.255.255.128 can also be denoted as /25, as there are 25 bits set in the mask.

There is another method called CIDR. Classless Inter-Domain Routing (CIDR) was introduced to improve both address space utilization and routing scalability in the Internet. CIDR moves away from the traditional IP classes (Class A, Class B, Class C, and so on). In CIDR, an IP network is represented by a prefix, which is an IP address and some indication of the length of the mask. One of these networks can be described with the notation prefix/length. For example, 10.0.0.0/25 denotes the network 10.0.0.0 255.255.255.128.

CIDR also depicts a more hierarchical Internet architecture, where each domain takes its IP addresses from a higher level. This allows the summarization of the domains to be done at the higher level. For example, if an ISP owns network 203.17.0.0/16, then the ISP can offer 203.17.1.0/24, 203.17.2.0/24, and so on to their clients.

Class A subnet table and no of hosts/subnet

[image: Class A subnet table. Source: Cisco]

Class B subnet table and no of hosts/subnet

[image: Class B subnet table. Source: Cisco]

Class C subnet table and no of hosts/subnet

[image: Class C subnet table. Source: Cisco]

Real life implication

It is required to perform these sorts of tasks as a network/systems administrator in any organisation. Consider that you work in a mid-size organisation and you want to deploy 1500 desktops and 100 servers. You have 80 network printers, and iSCSI will be in operation. In this situation, I prefer to have 5 VLANs configured in the core switch, distribution and access networks. Why 5? Because you need a management VLAN for all the switches you will be installing, plus the other four VLANs. It is always a good idea to get more IPs than you need; that will help you in future if your company expands.

VLAN        Subnet     Mask             Size  Host Range                  Broadcast
Desktop     10.10.8.0  255.255.248.0    2046  10.10.8.1 to 10.10.15.254   10.10.15.255
Server      10.10.2.0  255.255.255.0    254   10.10.2.1 to 10.10.2.254    10.10.2.255
Printers    10.10.3.0  255.255.255.128  126   10.10.3.1 to 10.10.3.126    10.10.3.127
iSCSI       10.10.4.0  255.255.255.192  62    10.10.4.1 to 10.10.4.62     10.10.4.63
Management  10.10.0.0  255.255.254.0    510   10.10.0.1 to 10.10.1.254    10.10.1.255

This is just an example to pass my time. It will definitely be different in your circumstances. Don’t worry about the binary and decimal calculation: download the free SolarWinds subnet calculator tool and do it smooth as silk.
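The same arithmetic can be done with Python's standard library instead of a calculator download. This is an added example (not from the post): it reproduces the five VLAN rows above from their dotted masks, shows the /25 bit-count used for 10.143.8.1 255.255.255.128, and adds two helpers of my own, plan_prefix() (smallest prefix for a given host count with a growth allowance) and overlaps() (sanity check that no two VLAN subnets collide).

```python
"""Subnet planning with ipaddress: host ranges, prefix lengths and overlap checks."""
import ipaddress

# The five VLAN subnets as laid out in the post (network/dotted mask).
VLANS = {
    "Desktop":    "10.10.8.0/255.255.248.0",
    "Server":     "10.10.2.0/255.255.255.0",
    "Printers":   "10.10.3.0/255.255.255.128",
    "iSCSI":      "10.10.4.0/255.255.255.192",
    "Management": "10.10.0.0/255.255.254.0",
}


def prefix_length(mask):
    """Count the set bits in a dotted-decimal mask, e.g. 255.255.255.128 -> 25."""
    return bin(int(ipaddress.IPv4Address(mask))).count("1")


def describe(cidr):
    """Return (network, mask, usable hosts, first host, last host, broadcast).

    strict=True rejects a network written with host bits set (10.10.8.5/21),
    which is the usual typo in hand-written VLAN tables.
    """
    net = ipaddress.IPv4Network(cidr, strict=True)
    usable = net.num_addresses - 2 if net.prefixlen < 31 else net.num_addresses
    return (str(net.network_address), str(net.netmask), usable,
            str(net.network_address + 1), str(net.broadcast_address - 1),
            str(net.broadcast_address))


def plan_prefix(required_hosts, growth=0.0):
    """Smallest prefix whose usable host count covers required_hosts * (1 + growth)."""
    needed = int(required_hosts * (1 + growth))
    for plen in range(30, 0, -1):          # start small and widen until it fits
        if (2 ** (32 - plen)) - 2 >= needed:
            return plen
    raise ValueError("too many hosts for a single IPv4 network")


def overlaps(cidrs):
    """Return the pairs of subnets that overlap; a sound plan returns an empty list."""
    nets = [ipaddress.IPv4Network(c) for c in cidrs]
    return [(str(a), str(b))
            for i, a in enumerate(nets)
            for b in nets[i + 1:]
            if a.overlaps(b)]


if __name__ == "__main__":
    print("255.255.255.128 is /%d" % prefix_length("255.255.255.128"))
    print("%-11s %-10s %-16s %5s  %-28s %s" %
          ("VLAN", "Subnet", "Mask", "Size", "Host Range", "Broadcast"))
    for name, cidr in VLANS.items():
        net, mask, size, first, last, bcast = describe(cidr)
        print("%-11s %-10s %-16s %5d  %-28s %s" %
              (name, net, mask, size, first + " to " + last, bcast))
    print("1500 desktops need a /%d; with 50%% growth a /%d"
          % (plan_prefix(1500), plan_prefix(1500, growth=0.5)))
    print("overlapping VLAN subnets:", overlaps(VLANS.values()))
```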


Cisco command references for Cisco 2960, 3550, 3750, 4506

August 7, 2009

Enter the enable command to access privileged EXEC mode:

Switch> enable

Switch#

Switch# configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Enable Telnet

Switch(config)#line vty 5 15

Switch(config-line)#password yourpassword

Switch(config-line)#transport input telnet

Switch(config-line)#login

Add SNMP

Switch(config)#snmp-server community public RO

Add NTP

Switch(config)#ntp peer IP-address

Add name server

Switch(config)#ip name-server IP-address

Switch(config)#ip domain-name domain-name

Create new VLAN

Switch(config)#vlan vlan-id

Switch(config-vlan)#name vlan-name

Switch(config-vlan)#interface vlan vlan-id

Switch(config-if)#description vlan-name

Adding IP helper

Switch(config)#interface vlan vlan-id

Switch(config-if)#ip helper-address IP-address

Adding spanning-tree

Switch(config)#interface eth0/port-number

Switch(config-if)#spanning-tree portfast

Delete VLAN

Switch#vlan database

Switch(vlan)#no vlan vlan-id

Access List

This example shows how to configure an extended IP ACL that allows only TCP traffic to the destination IP address 128.88.1.2 with a TCP port number of 25, and how to apply it to an interface:

Switch(config)#access-list 102 permit tcp any host 128.88.1.2 eq 25

Switch(config)#interface fastethernet0/8

Switch(config-if)#ip access-group 102 in

This is an example of an extended ACL that allows TCP traffic only from two specified networks. The wildcard bits apply to the host portions of the network addresses. Any host with a source address that does not match the ACL statements is denied.

Switch(config)#access-list 104 permit tcp 192.5.0.0 0.0.255.255 any

Switch(config)#access-list 104 permit tcp 128.88.0.0 0.0.255.255 any

Switch(config)#access-list 101 deny   ip 10.143.12.0 0.0.3.255 10.143.8.30 0.0.0.1

Switch(config)#access-list 101 permit ip any any

IP Routing

ip default-gateway x.x.x.1
ip route 0.0.0.0 0.0.0.0 x.x.x.1
ip route x.x.x.x 255.255.255.255  x.x.x.1
ip route x.x.x.0 255.255.248.0 VlanX
ip route x.x.x.0 255.255.255.128 VlanX

VLAN IP setup

interface VlanX
 description Server VLAN
 ip address x.x.x.1 255.255.255.128
 ip helper-address x.x.x.x

view config

Switch#show vlan brief

Switch#show vlan

Switch#show running-config

Switch#show startup-config

write config permanently

switch#wr

How to Backup Startup-Configuration?

COPY/ERASE/BACKUP NVRAM @your own risk

=====================================

switch#copy startup-config tftp:

Address or name of remote host []? 192.168.100.1

Destination filename [dhaka-confg]?

!!

1558 bytes copied in 0.248 secs

switch#

How to Backup IOS?

====================================

switch#copy flash: tftp:

Source filename []? flash:c2500-jk8os-l.122-1d.bin

Address or name of remote host []? 192.168.100.1

Destination filename [c2500-jk8os-l.122-1d.bin]?

How to Restore Startup-Configuration?

=========================================

switch#copy tftp: startup-config

Address or name of remote host []? 192.168.100.1

Source filename []? switch-confg

Destination filename [startup-config]?

How to Erase the NVRAM?

==============================

switch#write erase

Erasing the nvram filesystem will remove all files! Continue? [confirm]

[OK]

Erase of nvram: complete

switch#

switch#reload

Proceed with reload? [confirm]

