Understanding Software Defined Storage (SDS)

Software-defined storage (SDS) is an evolution of storage technology for the cloud era: storage delivered as a deployment that has no dependency on any particular storage hardware. SDS takes every traditional aspect of storage administration, such as managing storage policy, security, provisioning, upgrading and scaling, out of the hardware layer, so the hardware stops being a headache. SDS is a purely software-based product rather than a hardware-based one. A software-defined storage product must have the following characteristics.

Characteristics of SDS

  • Management of the complete storage stack in software
  • Automated, policy-driven storage provisioning with SLAs
  • Ability to run on private, public or hybrid cloud platforms
  • Creation of usage metrics and billing in the control panel
  • Logical storage services and capabilities that eliminate dependence on the underlying physical storage systems
  • Creation of logical storage pools
  • Creation of logical tiers of storage volumes
  • Aggregation of various physical storage into one or more logical pools
  • Storage virtualization
  • Thin provisioning of volumes from a logical pool of storage
  • Scale-out storage architecture such as Microsoft Scale-Out File Server
  • Virtual volumes (vVols), a proposal from VMware for a more transparent mapping between large volumes and the VM disk images within them
  • Parallel NFS (pNFS), a specific implementation that evolved within NFS
  • OpenStack APIs for storage interaction, which have been applied to open-source projects as well as to vendor products
  • Independence from the underlying storage hardware

A software-defined storage product must not have the following limitations.

  • Glorified hardware that juggles between network and disk, e.g. Dell Compellent
  • Dependencies between hardware and software, e.g. Dell Compellent
  • High latency and low IOPS for production VMs
  • Active-passive management controllers
  • Repetitive hardware and software maintenance
  • Administrative and management overhead
  • Cost of retaining hardware and software, e.g. life-cycle management
  • Factory-defined limitations, i.e. "can't do" situations
  • Production downtime for maintenance work, e.g. Dell Compellent maintenance

The following vendors provide various software-defined storage products in the current market.

Software-only vendors

  • Atlantis Computing
  • DataCore Software
  • SANBOLIC
  • Nexenta
  • Maxta
  • CloudByte
  • VMware
  • Microsoft

Mainstream storage vendors

  • EMC ViPR
  • HP StoreVirtual
  • Hitachi
  • IBM SmartCloud Virtual Storage Center
  • NetApp Data ONTAP

Storage appliance vendors

  • Tintri
  • Nimble
  • Solidfire
  • Nutanix
  • Zadara Storage

Hyper-converged appliances

  • Cisco (starting price from $59K for HyperFlex systems, 1 year of support inclusive)
  • Nutanix
  • VCE (starting price from $60K for VxRail systems, support inclusive)
  • Simplivity Corporation
  • Maxta
  • Pivot3 Inc.
  • Scale Computing Inc
  • EMC Corporation
  • VMware Inc

Ultimately, SDS should and will provide businesses with worry-free management of storage without the limitations of hardware. There are compelling use cases for an enterprise to adopt software-defined storage.

Relevant Articles

Understanding Software Defined Networking (SDN) and Network Virtualization

The evolution of virtualization led to a wide range of virtualized technologies, including the key building block of a data center: the network. A traditional network used to be a wired collection of physical switches and devices. A network administrator had nightmares making a configuration change for fear of breaking another configuration in the process, and putting together a massive data center was an expensive venture and a lengthy project. With virtualization and cloud services on the horizon, anything can be offered as a service, and almost anything can be virtualised and software-defined.

Since the development of Microsoft SCVMM and VMware NSX, network function virtualization (NFV), network virtualization (NV) and software-defined networking (SDN) have been making a bold statement to on-premises customers and cloud-based service providers alike. Of all the benefits of having a software-defined network, two stand out: easy provisioning of a network and easy change control of that network. You don't have to fiddle with the physical layer of the network, and you certainly don't have to modify a virtual host, to provision a complete network with a few mouse clicks. How does it work?

Software Defined Networking- Software-defined networking (SDN) is a dynamic, manageable, cost-effective and adaptable high-bandwidth, agile, open architecture. SDN architectures decouple the network control and forwarding functions, enabling network control to become directly programmable and the underlying infrastructure to be abstracted from applications and network services. Examples of Cisco software-defined networking are here.

The fundamental building blocks of SDN are:

  • Programmable: Network control is directly programmable because it is decoupled from forwarding functions.
  • Agile: Abstracting control from forwarding lets administrators dynamically adjust network-wide traffic flow to meet changing needs.
  • Centrally managed: Network intelligence is (logically) centralized in software-based SDN controllers that maintain a global view of the network, which appears to applications and policy engines as a single, logical switch.
  • Programmatically configured: SDN lets network managers configure, manage, secure, and optimize network resources very quickly via dynamic, automated SDN programs, which they can write themselves because the programs do not depend on proprietary software.
  • Open standards-based and vendor-neutral: When implemented through open standards, SDN simplifies network design and operation because instructions are provided by SDN controllers instead of multiple, vendor-specific devices and protocols.

Cisco SDN Capable Switches

Modular Switches

Cisco Nexus 9516
Cisco Nexus 9508
Cisco Nexus 9504

Fixed Switches

Cisco Nexus 9396PX
Cisco Nexus 9396TX
Cisco Nexus 93128TX
Cisco Nexus 9372PX
Cisco Nexus 9372TX
Cisco Nexus 9336PQ ACI Spine Switch
Cisco Nexus 9332PQ

Network Virtualization- A virtualized network is simply a partitioning of an existing physical network into multiple logical networks. Network virtualization creates logical segments in an existing network by dividing it logically at the flow level. The end goal is to allow multiple virtual machines in the same logical segment, or in a private portion of the network allocated to a business. In physical networking you cannot have the same IP address range twice within the same network and still manage traffic for two different kinds of services and applications, but in a virtual world you can have the same IP range segregated into separate logical networks. Let's say two different businesses/tenants both use the 10.124.3.x/24 IP address scheme in their internal networks, and both decide to migrate to the Microsoft Azure platform and bring their own IP address scheme (10.124.3.x/24) with them. It is absolutely possible for them to retain their own IP addresses and migrate to Microsoft Azure. You will not see any change within the Azure portal, and you will not even know that another organisation has the same internal IP address scheme and is possibly hosted on the same Hyper-V host. It is programmatically and logically managed by Azure Stack and the SCVMM network virtualization technology.
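To make the tenant-isolation point concrete, here is a small Python model of the kind of lookup policy a Hyper-V Network Virtualization style overlay keeps: every customer address (CA) is keyed by a virtual subnet ID (VSID) and mapped to the provider address (PA) of the host that carries it, so the same 10.124.3.0/24 can exist once per tenant. This is an added example written for this page, not code from Microsoft, SCVMM or the original article; the VSIDs, addresses and MACs are constructed sample data, and the class and function names are assumptions of the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class LookupRecord:
    """One row of a constructed lookup policy: a tenant VM's customer address
    (CA) and MAC, and the provider address (PA) of the host that carries it."""
    vsid: int                      # virtual subnet id; the tenant isolation key
    customer_address: IPv4Address  # CA, the address the tenant brought with it
    provider_address: IPv4Address  # PA, the physical address of the Hyper-V host
    mac: str


class VirtualNetworkPolicy:
    """Minimal model of overlay address isolation. Every lookup is keyed by
    (VSID, CA), so two tenants can both run 10.124.3.0/24 without colliding."""

    def __init__(self):
        self._subnets = {}   # vsid -> IPv4Network
        self._records = {}   # (vsid, ca) -> LookupRecord

    def add_subnet(self, vsid, cidr):
        self._subnets[vsid] = IPv4Network(cidr)

    def add_record(self, rec):
        subnet = self._subnets.get(rec.vsid)
        if subnet is None:
            raise ValueError(f"unknown virtual subnet {rec.vsid}")
        if rec.customer_address not in subnet:
            raise ValueError(f"{rec.customer_address} is outside {subnet}")
        key = (rec.vsid, rec.customer_address)
        if key in self._records:
            # A duplicate is only a conflict inside one tenant's virtual subnet.
            raise ValueError(f"duplicate customer address {key}")
        self._records[key] = rec

    def resolve(self, vsid, ca):
        """Return the record for a CA inside one virtual subnet, or None."""
        return self._records.get((vsid, IPv4Address(ca)))

    def encapsulate(self, vsid, src_ca, dst_ca):
        """What an NVGRE-style host would put on the wire for a tenant packet:
        (outer source PA, outer destination PA, VSID), or None when the
        destination does not exist in the sender's virtual subnet. A CA that
        only exists in another tenant's subnet is unreachable by design."""
        src = self.resolve(vsid, src_ca)
        dst = self.resolve(vsid, dst_ca)
        if src is None or dst is None:
            return None
        return (str(src.provider_address), str(dst.provider_address), vsid)


def build_sample_policy():
    """Two constructed tenants that both brought 10.124.3.0/24 with them."""
    policy = VirtualNetworkPolicy()
    policy.add_subnet(5001, "10.124.3.0/24")   # tenant A
    policy.add_subnet(5002, "10.124.3.0/24")   # tenant B, same address range
    for vsid, ca, pa, mac in [
        (5001, "10.124.3.10", "192.168.50.11", "00:15:5d:01:00:01"),
        (5001, "10.124.3.20", "192.168.50.12", "00:15:5d:01:00:02"),
        (5002, "10.124.3.10", "192.168.50.11", "00:15:5d:02:00:01"),  # same host, same CA
        (5002, "10.124.3.30", "192.168.50.13", "00:15:5d:02:00:03"),
    ]:
        policy.add_record(LookupRecord(vsid, IPv4Address(ca), IPv4Address(pa), mac))
    return policy


if __name__ == "__main__":
    p = build_sample_policy()
    print(p.encapsulate(5001, "10.124.3.10", "10.124.3.20"))  # tenant A to tenant A
    print(p.encapsulate(5001, "10.124.3.10", "10.124.3.30"))  # .30 only exists in tenant B: None
```

The isolation property is that `resolve` and `encapsulate` never consult a record from another VSID, so a packet from tenant A addressed to 10.124.3.30 simply has no destination, even though tenant B owns that CA on a host in the same rack.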

Network Functions Virtualization- Network function virtualization virtualises layers 4 to 7 of the OSI model in a software-defined network. NFV runs on high-performance x86 platforms and enables users to turn up functions on selected tunnels in the network. The end goal is to allow an administrator to create a service profile for a VM, then create a logical workflow within the network (the tunnel), and then build virtual services on that specific logical environment. NFV saves a lot of time in provisioning and managing the application level of the network. Functions like IDS, firewall and load balancer can be virtualised in Microsoft SCVMM and VMware NSX.

Here are some Cisco NFV products.

IOS-XRv Virtual Router: Scale your network when and where you need with this carrier-class router.

Network Service Virtualization- Network Service Virtualization (NSV) virtualizes a network service, for example a firewall module or an IPS software instance, by dividing the software image so that it may be accessed independently by different applications, all from a common hardware base. NSV eliminates the cost of acquiring separate hardware for a single purpose; instead it uses the same hardware to serve a different purpose each time a network is accessed or a service is requested. It also opens the door for service providers to offer security as a service to various customers.

Network security appliances are now bundled as a set of security functions within one appliance. For example, firewalls used to be offered on special-purpose hardware, as were IPS (Intrusion Prevention System), web filter, content filter, VPN (Virtual Private Network), NBAD (Network-Based Anomaly Detection) and other security products. This integration allows for greater software collaboration between security elements, lowers the cost of acquisition and streamlines operations.

Cisco virtualized network services available on the Cisco Catalyst 6500 series platform:

Network security virtualization

  • Virtual firewall contexts also called security contexts
  • Up to 250 mixed-mode multiple virtual firewalls
  • Routed firewalls (Layer 3)
  • Transparent firewalls (Layer 2, or stealth)
  • Mixed-mode firewalls: a combination of Layer 2 and Layer 3 firewalls coexisting on the same physical firewall

Virtual Routing and Forwarding (VRF) network services

  • NetFlow on VRF interfaces
  • VRF-aware syslog
  • VRF-aware TACACS
  • VRF-aware Telnet
  • Virtualized address management policies using VRF-aware DHCP
  • Optimized traffic redirection using PBR-set VRF

Finally, you can have all of these in one basket without incurring a cost for each component once you have System Center Virtual Machine Manager or Microsoft Azure Stack implemented in your on-premises infrastructure, or you choose to migrate to the Microsoft Azure platform.

Relevant Articles

Comparing VMware vSwitch with SCVMM Network Virtualization

Understanding Network Virtualization in SCVMM 2012 R2

Cisco Nexus 1000V Switch for Microsoft Hyper-V

How to implement hardware load balancer in SCVMM

Understanding VLAN, Trunk, NIC Teaming, Virtual Switch Configuration in Hyper-v Server 2012 R2

Cisco Nexus 1000V Switch for Microsoft Hyper-V

Cisco Nexus 1000V Switch for Microsoft Hyper-V provides the following advanced features in Microsoft Hyper-V and SCVMM.

  • Integrates physical, virtual and mixed environments
  • Allows dynamic policy provisioning and mobility-aware network policies
  • Improves security through integrated virtual services and advanced Cisco NX-OS features

The following table summarizes the capabilities and benefits of the Cisco Nexus 1000V Switch deployed with Microsoft Hyper-V and SCVMM.

Advanced Switching
  • Features: Private VLANs, Quality of Service (QoS), access control lists (ACLs), port security, and Cisco vPath
  • Benefits: Granular control of virtual machine-to-virtual machine interaction

Security
  • Features: Dynamic Host Configuration Protocol (DHCP) snooping, Dynamic Address Resolution Protocol (ARP) inspection, and IP Source Guard
  • Benefits: Reduces common security threats in data center environments

Monitoring
  • Features: NetFlow, packet statistics, Switched Port Analyzer (SPAN), and Encapsulated Remote SPAN (ERSPAN)
  • Benefits: Visibility into virtual machine-to-virtual machine traffic to reduce troubleshooting time

Manageability
  • Features: Simple Network Management Protocol (SNMP), NetConf, syslog, and other troubleshooting command-line interfaces
  • Benefits: Use existing network management tools to manage physical and virtual environments

The Cisco Nexus 1000V Series has two major components:

Virtual Ethernet Module (VEM)- The software component is embedded on each Hyper-V host as a forwarding extension. Each virtual machine on the host is connected to the VEM through a virtual Ethernet port.

Virtual Supervisor Module (VSM)- The management module controls multiple VEMs and helps in defining virtual machine (VM)-centric network policies.

Supported Configurations

  • Microsoft SCVMM 2012 SP1/R2
  • 64 Microsoft Windows Server 2012/R2 with Hyper-V hosts
  • 2048 virtual Ethernet ports per VSM, with 216 virtual Ethernet ports per physical host
  • 2048 active VLANs
  • 2048 port profiles
  • 32 physical NICs per physical host
  • Compatible with all Cisco Nexus and Cisco Catalyst switches as well as switches from other vendors

Comparison between Cisco Nexus 1000V editions (Essential is the free version; Advanced is the licensed edition):

  • VLANs, PVLANs, ACLs, QoS, Link Aggregation Control Protocol (LACP), and multicast: Essential and Advanced
  • Cisco vPath (for virtual services): Essential and Advanced
  • Cisco NetFlow, SPAN, and ERSPAN (for traffic visibility): Essential and Advanced
  • SNMP, NetConf, syslog, etc. (for manageability): Essential and Advanced
  • Microsoft SCVMM integration: Essential and Advanced
  • DHCP snooping: Advanced only
  • IP source guard: Advanced only
  • Dynamic ARP Inspection: Advanced only
  • Cisco VSG*: Advanced only

The installation steps for Cisco Nexus 1000V Switch for Microsoft Hyper-V are:

Step 1: Download the Cisco Nexus 1000V appliance/ISO

Log on to Cisco with your Cisco account and download the software from this URL.

Step 2: Install the SCVMM components

Step 3: Install and configure the VSM

Step 4: Configure the SCVMM fabric and VM network

Step 5: Prepare the Hyper-V hosts

Step 6: Create the 1000V logical switch

Step 7: Create VMs, or connect existing VMs to the logical switch

References & Getting Started with Nexus 1000V

Cisco Nexus 1000v Quick Start Guide

Cisco Nexus 1000V Switch for Microsoft Hyper-V Deployment Guide

Cisco Nexus 1000v datasheet

Understanding VLAN, Trunk, NIC Teaming, Virtual Switch Configuration in Hyper-v Server 2012 R2

 

Cisco 800 series router configuration guide

Just a short note for readers: for those who are struggling with the Cisco 800 series, the sites, config breakdown and tools below will be a life-saver.

Configuration Examples and TechNotes

Cisco Config Generator

Free Network Config Generator: this tool copies the configuration from an existing Cisco router to a new one. A short breakdown of a configuration follows.

A sample PPPoA configuration of an ADSL Cisco router:

hostname Cisco877GC
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 $1$Yu4E$WbHmuYLq9lyf/k52fzRwS1
enable password cisco
! Note: "enable password" is stored in clear text and is ignored when "enable secret" is set; remove it in production
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-1904177344
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1904177344
revocation-check none
rsakeypair TP-self-signed-1904177344
!
crypto pki certificate chain TP-self-signed-1904177344
certificate self-signed 01
  30820255 308201BE A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  8864DF2D 43527611 127F1285 6084F469 D69A5A53 24319C8A E6
        quit
dot11 syslog
ip cef
!
ip domain name xx.wa.gov.au
ip name-server 139.130.x.x
ip name-server 203.50.x.x
!
multilink bundle-name authenticated
!
username admin privilege 15 secret 5 $1$F1JN$VrNqTI4MdyLVU0wRJjoQn0
!
archive
log config
  hidekeys
!
interface ATM0
description $ES_WAN$
no ip address
ip route-cache flow
no ip mroute-cache
no atm ilmi-keepalive
pvc 8/35
  tx-ring-limit 3
  encapsulation aal5mux ppp dialer
  ! Note: change aal5mux if you are using PPPoE
  dialer pool-member 1
  max-reserved-bandwidth 90
!
dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
!
interface Dialer0
bandwidth 1024
ip address 120.151.xx.xx 255.255.255.0
! Note: if you don't have a static IP, use "ip address negotiated" instead
ip access-group InternetInbound in
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
no ip mroute-cache
dialer pool 1
no cdp enable
ppp authentication chap callin
ppp chap hostname username@direct.telstra.net
ppp chap password 0 yourpassword
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http secure-server
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 100 interface Dialer0 overload
ip nat inside source static tcp 10.10.10.3 22 interface Dialer0 22
ip nat inside source static tcp 10.10.10.3 80 interface Dialer0 80
ip nat outside source static tcp 120.151.xx.xx 22 10.10.10.3 22 extendable
!
access-list 1 permit 10.10.10.10
access-list 1 permit 10.10.10.3
access-list 1 permit 10.10.10.5
access-list 100 remark CCP_ACL Category=2
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
access-list 101 permit tcp any any eq www
access-list 101 permit ip host 10.10.10.3 any
snmp-server community public RO
! Note: replace the well-known "public" community with a unique string and restrict it with an access list in production
!
control-plane
!
line con 0
no modem enable
line aux 0
line vty 0 4
password CiscoGC
login
transport input telnet ssh
! Note: telnet sends credentials in clear text; prefer "transport input ssh" in production
!
scheduler max-task-time 5000

To enable DHCP, type the following in privileged mode:

ip subnet-zero
no ip source-route
ip domain-name local
ip dhcp excluded-address 10.10.10.1 10.10.10.20
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool dhcppool
import all
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
update arp
exit

To enable a site-to-site VPN (AES+SHA):

crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp key 12345678 address 203.17.90.x no-xauth
! Note: 203.17.90.x is the remote router IP address and 12345678 is the pre-shared key
!
crypto ipsec transform-set tr-null-sha esp-null esp-sha-hmac
crypto ipsec transform-set tr-des-md5 esp-des esp-md5-hmac
crypto ipsec transform-set tr-3des-md5 esp-3des esp-md5-hmac
crypto ipsec transform-set tr-3des-sha esp-3des esp-sha-hmac
crypto ipsec transform-set tr-aes-sha esp-aes esp-sha-hmac
!
crypto map cm-cryptomap 110 ipsec-isakmp
 set peer 203.17.90.1
 set transform-set tr-aes-sha
 match address 110
!
! The crypto map only takes effect once it is applied to the WAN interface
interface Dialer0
 crypto map cm-cryptomap

access-list 110 remark Site to Site VPN
access-list 110 permit ip 10.10.10.0 0.0.0.255 10.10.9.0 0.0.0.255
!
access-list 102 permit ip any host 10.10.10.1
access-list 102 permit ip 10.10.10.0 0.0.0.255 10.10.9.0 0.0.0.255
!
ip access-group 102 in
! Note: apply the line above under interface Vlan1

Note: Both routers need similar configuration.
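The router and VPN fragments above are a convenient test case for a configuration audit, which is what a practitioner would run over a device before it goes into production. The following Python script is an added example, not part of the original post and not a Cisco tool: it walks an IOS-style running-config, keeps track of the parent command of each indented sub-command, and flags the settings a reviewer would question (a clear-text enable password, the well-known public SNMP community, clear-text HTTP and telnet management, a shared vty line password, and weak IKE/IPsec algorithms such as 3DES, DH group 2 or esp-null). Both config strings are constructed samples with placeholder hashes, and the hardened variant shows the corresponding settings that pass the same checks.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity line message")

WEAK_COMMUNITIES = {"public", "private"}
WEAK_ISAKMP_ENCR = {"des", "3des"}
WEAK_DH_GROUPS = {"1", "2", "5"}          # 768/1024/1536-bit MODP groups
WEAK_TRANSFORMS = {"esp-null", "esp-des", "esp-3des", "esp-md5-hmac"}

# Constructed sample in the spirit of the article's config; hashes are placeholders.
SAMPLE_CONFIG = """\
enable secret 5 $1$PLACEHOLDER$hashgoeshere
enable password cisco
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto ipsec transform-set tr-null-sha esp-null esp-sha-hmac
crypto ipsec transform-set tr-aes-sha esp-aes esp-sha-hmac
!
ip http server
snmp-server community public RO
!
line vty 0 4
 password CiscoLab
 login
 transport input telnet ssh
"""

# The same device after each finding has been addressed (also constructed).
HARDENED_CONFIG = """\
enable secret 5 $1$PLACEHOLDER$hashgoeshere
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 14
crypto ipsec transform-set tr-aes-sha esp-aes 256 esp-sha256-hmac
!
no ip http server
ip http secure-server
snmp-server community Lab-R0-Str1ng RO 10
!
line vty 0 4
 login local
 transport input ssh
"""


def iter_commands(config_text):
    """Yield (parent, command). IOS indents sub-commands by one space, so the
    most recent unindented line is the parent (e.g. 'line vty 0 4')."""
    parent = ""
    for raw in config_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if not raw.startswith(" "):
            parent = raw.strip()
        yield parent, raw.strip()


def audit_ios_config(config_text):
    """Return a list of Findings for one running-config text."""
    findings = []
    for parent, cmd in iter_commands(config_text):
        if cmd.startswith("enable password"):
            findings.append(Finding("high", cmd, "clear-text/reversible enable password; keep only 'enable secret'"))
        m = re.match(r"snmp-server community (\S+)", cmd)
        if m and m.group(1).lower() in WEAK_COMMUNITIES:
            findings.append(Finding("high", cmd, "well-known SNMP community string"))
        if cmd == "ip http server":
            findings.append(Finding("medium", cmd, "clear-text HTTP management enabled"))
        if parent.startswith("line vty"):
            if cmd.startswith("transport input") and {"telnet", "all"} & set(cmd.split()[2:]):
                findings.append(Finding("high", cmd, "telnet accepted on vty lines"))
            elif cmd == "login":
                findings.append(Finding("medium", cmd, "shared line password; use 'login local' or AAA"))
        if parent.startswith("crypto isakmp policy"):
            m = re.match(r"encr (\S+)", cmd)
            if m and m.group(1) in WEAK_ISAKMP_ENCR:
                findings.append(Finding("medium", cmd, "weak IKE phase 1 cipher"))
            m = re.match(r"group (\S+)", cmd)
            if m and m.group(1) in WEAK_DH_GROUPS:
                findings.append(Finding("medium", cmd, "small Diffie-Hellman group"))
        m = re.match(r"crypto ipsec transform-set \S+ (.+)", cmd)
        if m:
            weak = WEAK_TRANSFORMS & set(m.group(1).split())
            if weak:
                findings.append(Finding("high", cmd, "weak IPsec transform: " + ", ".join(sorted(weak))))
    return findings


if __name__ == "__main__":
    for f in audit_ios_config(SAMPLE_CONFIG):
        print(f"[{f.severity}] {f.line}: {f.message}")
    print("hardened config findings:", audit_ios_config(HARDENED_CONFIG))
```

Run against `SAMPLE_CONFIG` the audit reports eight findings; against `HARDENED_CONFIG` it reports none. The parent-tracking matters: `login` and `transport input` are only judged under `line vty`, and `encr`/`group` only under an ISAKMP policy, so the same words elsewhere in a config do not produce false positives.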

To enable remote management:

line vty 0 4
 access-class 2 in
 password 12345678
 login
 transport input telnet ssh
!
access-list 2 permit host 192.168.100.1

To add a PPPoE dialler in a Cisco router:

interface ATM0
dsl operating-mode auto
exit
!
interface ATM0.1 point-to-point
pvc 8/35
  pppoe-client dial-pool-number 1
!
exit
!
interface Dialer0
ip address negotiated
ip inspect firewall out
ip mtu 1492
ip access-group 101 in
no ip redirects
no ip unreachables
ip nat outside
encapsulation ppp
dialer pool 1
dialer-group 1
ppp pap sent-username user@direct.telstra.net password 7 yourpassword
ppp ipcp dns request
ppp ipcp route default
no cdp enable
exit
!
ip nat inside source list 1 interface Dialer0 overload


Step by Step guide to build a Cisco wireless infrastructure using Cisco WLC 5500, Cisco 1142 AP and Microsoft Radius server

Pre-requisites:

  1. Microsoft Active Directory and DNS
  2. DHCP Server with new scope configured
  3. IP helper-address configured
  4. Microsoft Radius (IAS) Server 2003 or Microsoft Network Policy Server 2008
  5. Microsoft Enterprise root CA
  6. Cisco Wireless LAN controller (WLC) 5500
  7. Cisco AIR-LAP1142N wireless access point (AP)
  8. Separate VLAN for wireless infrastructure
  9. WLC, AP and IAS placed in same VLAN
  10. Windows 7, Windows XP or Mac OS X/Snow Leopard client

Assumptions:

1) AD and DNS working perfectly.

2) DHCP Server IP: 10.10.9.4

New scope for Wireless Network

IP range: 10.10.10.1-10.10.11.254 Subnet Mask:255.255.255.0

Gateway:10.10.10.1 Exclusion:10.10.10.1-10.10.10.10

NTP :10.10.9.5

3) WLC

IP:10.10.10.2 WLC subnet:255.255.255.0 Gateway:10.10.10.1

Time provider:10.10.9.5

4) IAS IP:10.10.10.3 subnet:255.255.255.0 Gateway:10.10.10.1

5) IP range 10.10.10.1-10.10.11.254 added to the internal networks in ISA or Forefront TMG.

6) Interface 1 of the WLC connected to a trunk port of a Layer 3 switch or core switch

7) Wireless infrastructure VLAN ID/tag: 100

Add the Lightweight Cisco Aironet 1142 to the DHCP server

Note: Follow these steps for the newly added DHCP scope mentioned in the assumptions.

1. To configure these options in the Windows DHCP server, open the DHCP Server Administration Tool (MMC). Right-click the DHCP root, then choose Define Vendor Classes.

2. The DHCP Vendor Classes dialog appears. Click Add.

3. A New Class configuration box appears. Enter a value for the Display Name field, for example "Cisco Aironet c1142 AP", and an appropriate description such as "Vendor Class identifier for Cisco Aironet c1142 AP". Click the ASCII section and enter the appropriate string value, such as Cisco AP c1142 (without quotation marks), for the Vendor Class Identifier. Click OK, then click Close on the DHCP Vendor Classes window.

4. Add an entry for the WLAN controller sub-type as a predefined option configured for the vendor class. Right-click the DHCP server root, then choose Set Predefined Options.

5. Choose the newly created vendor option class in the Option Class field, then click Add.

6. The Option Type box appears. In the Name field, enter a string value, for example Option 43. Choose IP Address as the Data Type. Check the Array check box. In the Code field, enter the sub-option code value 241 (0xf1). Enter a description such as Wireless LAN Controller IP address. Click OK.

7. The vendor class and sub-option are now programmed into the DHCP server. Next, the vendor-specific information must be defined for the AP DHCP scope. Choose the appropriate DHCP scope, right-click Scope Options and choose Configure Options.

8. Click the Advanced tab. Choose the vendor class you previously defined. Check the 241 Option 43 check box, then enter each WLC management interface IP address (example: 10.10.10.2). Click Apply.

9. Once you complete this step, DHCP option 43 is configured. The option carries the WLC IP address(es), and the DHCP server sends option 43 to the LAPs along with their lease. DHCP option 43 (241 Cisco Wireless AP) is now available in the newly created DHCP scope for the Cisco APs.

10. To verify, click Scope Options in the newly created DHCP scope; you will see 241 Cisco Wireless AP, or whatever you entered as the description.
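Behind the Windows DHCP dialogs above, option 43 is just a vendor-encapsulated TLV: sub-option type 241 (0xf1), a one-byte length equal to 4 times the number of controllers, and the packed IPv4 management addresses. The Python below is an added example, not code from the original article, from Cisco or from Microsoft; it encodes a controller list into that TLV, renders it in the hex form an IOS DHCP pool (`option 43 hex`) or ISC dhcpd (`option vendor-encapsulated-options`) expects, and decodes a received value back, rejecting a truncated TLV rather than returning half an address. The controller addresses used are the sample values from this guide; the function names are the example's own.

```python
from ipaddress import IPv4Address

WLC_SUBOPTION = 241   # 0xf1: Cisco lightweight AP "controller address list" sub-option


def encode_option43(controller_ips):
    """Build the DHCP option 43 value for a list of WLC management addresses:
    one TLV, type 241, length 4*n, followed by the packed IPv4 addresses."""
    packed = b"".join(IPv4Address(ip).packed for ip in controller_ips)
    if not packed:
        raise ValueError("at least one controller address is required")
    if len(packed) > 255:
        raise ValueError("too many controllers for a one-byte length field")
    return bytes([WLC_SUBOPTION, len(packed)]) + packed


def decode_option43(value):
    """Walk the TLV sub-options in an option 43 value and return the controller
    addresses carried under type 241. Unknown sub-options are skipped; a
    truncated TLV raises ValueError instead of yielding a partial address."""
    controllers = []
    i = 0
    while i < len(value):
        code = value[i]
        if code == 0x00:           # RFC 2132 pad byte, no length field
            i += 1
            continue
        if code == 0xFF:           # RFC 2132 end marker, if a server appends one
            break
        if i + 2 > len(value):
            raise ValueError("truncated sub-option header")
        length = value[i + 1]
        body = value[i + 2:i + 2 + length]
        if len(body) != length:
            raise ValueError("truncated sub-option value")
        if code == WLC_SUBOPTION:
            if length % 4:
                raise ValueError("controller list is not a multiple of 4 bytes")
            controllers += [str(IPv4Address(body[j:j + 4])) for j in range(0, length, 4)]
        i += 2 + length
    return controllers


def as_ios_hex(value):
    """Render for an IOS DHCP pool, e.g. 'option 43 hex f104.0a0a.0a02'."""
    h = value.hex()
    return ".".join(h[k:k + 4] for k in range(0, len(h), 4))


def as_isc_hex(value):
    """Render for ISC dhcpd, e.g. 'option vendor-encapsulated-options f1:04:0a:0a:0a:02;'."""
    return ":".join(f"{b:02x}" for b in value)


if __name__ == "__main__":
    blob = encode_option43(["10.10.10.2"])        # the WLC from this guide
    print("IOS:", as_ios_hex(blob))
    print("ISC:", as_isc_hex(blob))
    print("decoded:", decode_option43(blob))
```

The Windows GUI does this packing for you when the Data Type is IP Address with Array checked; the hex rendering is what you need when the scope lives on a Cisco IOS router or an ISC server instead.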

Add a new VLAN in the core switch (example: Cisco 4506) or L3 switch:

Note: The entire wireless infrastructure will be placed in this VLAN.

Switch#vlan database
Switch(vlan)#vlan 100
Switch(vlan)#name Wireless Network
Switch(vlan)#exit
Switch#configure terminal
Switch(config)#interface vlan 100
Switch(config-if)#description Wireless Network
Switch(config-if)#ip helper-address 10.10.9.4
Switch(config-if)#ip address 10.10.10.1 255.255.255.0
Switch(config-if)#no shutdown
Switch(config-if)#end
Switch#wr

Create a trunk port in the core switch (Cisco 4506) or L3 switch

Note: This trunk will connect to the Cisco WLC 5500 using CAT6 or fibre optic.

Switch#configure terminal
Switch(config)#interface gigabitethernet 6/11
(6/11 means module 6, port 11)
Switch(config-if)#switchport trunk encapsulation dot1q
Switch(config-if)#switchport mode trunk
Switch(config-if)#end
Switch#wr
Switch#show run

Create the VLAN in an access switch (example: Cisco 2960G)

Note: This port will connect to the Cisco 1142 AP. Wherever you want a wireless AP, configure a port with the same VLAN (VLAN 100 for this article). Connect the AP to this port after configuring the following, and repeat for all the APs.

Switch#configure terminal
Switch(config)#interface GigabitEthernet 0/7
Switch(config-if)#switchport access vlan 100
Switch(config-if)#end
Switch#wr

Create AAA server(s):

Authorization: IAS policies (remote access policies applied in the IAS server for wireless 802.1X)

Authentication: RADIUS server (EAP type: PEAP, encryption: MSCHAPv2)

Accounting: RADIUS server (logs any successful and/or failed connection attempt)

Use this link to configure the Enterprise Root CA.

Install IAS on a member server. Install a computer certificate on the IAS server and create a new policy using this link, Configure PEAP and EAP methods, or follow the step-by-step guidelines in these links: configure Microsoft Radius Server and Network Policy Server. It would be redundant to write it again here.

Cisco 5500 Series Wireless Controller Installation Guide Using the Start-up Wizard

Mount the Cisco 5500 in a rack. Connect the WLC to a laptop using the console port. Connect the WLC to the core switch or L3 switch using a CAT6 cable, or fibre optic if you have SFPs. Now power on the WLC.

Note The available options appear in brackets after each configuration parameter. The default value appears in all uppercase letters.

Note Press the hyphen key if you need to return to the previous command line. To configure the controller for basic operation using the Start-up Wizard, follow these steps:

Step 1 When prompted to terminate the Auto-Install process, enter yes. If you do not enter yes, the Auto-Install process begins after 30 seconds.

Note The Auto-Install feature downloads a configuration file from a TFTP server and then loads the configuration onto the controller automatically.

Step 2 Enter the system name, which is the name you want to assign to the controller. You can enter up to 32 ASCII characters. (Example:MS_5500)

Step 3 Enter the administrative username and password to be assigned to this controller. You can enter up to 24 ASCII characters for each. The default administrative username and password are admin and admin, respectively.(Example:username:Admin and password:cisco)

Step 4 If you want the controller's service-port interface to obtain an IP address from a DHCP server, enter DHCP. If you do not want to use the service port, or if you want to assign a static IP address to the service-port interface, enter none.

Important! In the Cisco 5500, the management interface also acts as the service interface. To avoid any complication, just hit Enter at this option. The service-port interface controls communications through the service port. Its IP address must be on a different subnet from the management interface. This configuration enables you to manage the controller directly or through a dedicated management network to ensure service access during network downtime.

Step 5 If you entered none in Step 4, enter the IP address and netmask for the service-port interface on the next two lines.

Step 6 Enable or disable link aggregation (LAG) by choosing yes or no. You may type no if you don't have two or more Cisco WLCs.

Step 7 Enter the IP address, netmask, default router IP address, and optional VLAN identifier (a valid VLAN identifier or 0 for an untagged VLAN) for the management interface.

Note The VLAN identifier should be set to match the switch interface configuration. Example: IP 10.10.10.2, WLC subnet 255.255.255.0, gateway 10.10.10.1 and VLAN tag/ID 100.

Step 8 Enter the IP address of the default DHCP server that will supply IP addresses to clients, the controller’s management interface, and optionally the service-port interface.

Note The management interface is the default interface for in-band management of the controller and connectivity to enterprise services such as AAA servers. Example DHCP server IP: 10.10.9.4

Step 9 Enter the IP address of the controller’s virtual interface, which will be used by all controller Layer 3 security and mobility managers. You should enter a fictitious, unassigned IP address, such as 1.1.1.1.

Note The virtual interface is used to support mobility management, DHCP relay, and embedded Layer 3 security such as guest web authentication and VPN termination. All controllers within a mobility group must be configured with the same virtual interface IP address.

Step 10 If desired, enter the name of the mobility group/RF group to which you want the controller to belong.

Note Although the name that you enter here is assigned to both the mobility group and the RF group, these groups are not identical. Both groups define clusters of controllers, but they have different purposes. All of the controllers in an RF group are usually also in the same mobility group and vice versa. However, a mobility group facilitates scalable, system-wide mobility and controller redundancy while an RF group facilitates scalable, system-wide dynamic RF management.

Step 11 Enter the network name, or service set identifier (SSID). The initial SSID enables basic functionality of the controller and allows access points that have joined the controller to enable their radios. (Example:Mycompanywireless)

Step 12 Enter yes to allow clients to assign their own IP address or no to make clients request an IP address from a DHCP server. (Type yes at this step)

Step 13 To configure a RADIUS server now, enter yes and then enter the IP address, communication port, and secret key of the RADIUS server. Otherwise, enter no. (Type yes, IAS IP:10.10.10.3 subnet:255.255.255.0 Gateway:10.10.10.1)

Step 14 Enter the code for the country in which the controller will be used.

Note Enter help to view the list of available country codes. (Example: For Australia Country code is AU)

Step 15 Enter yes to enable or no to disable each of the 802.11b, 802.11a, 802.11g, and 802.11n lightweight access point networks. (Type yes)

Step 16 Enter yes to enable or no to disable the controller’s radio resource management (RRM) auto RF feature. (Type yes)

Note The auto RF feature enables the controller to automatically form an RF group with other controllers. The group dynamically elects a leader to optimize RRM parameter settings, such as channel and transmit power assignment, for the group.

Step 17 If you want the controller to receive its time setting from an external Network Time Protocol (NTP) server when it powers up, enter yes to configure an NTP server. Otherwise, enter no. (Type yes; time provider: 10.10.9.5)

Step 18 If you entered no in the previous step and want to manually configure the system time on your controller now, enter yes. If you do not want to configure the system time now, enter no.

Step 19 If you entered yes in the previous step, enter the current date in MM/DD/YY format and the current time in HH:MM:SS format.

Step 20 When prompted to verify that the configuration is correct, enter yes or no. The controller saves your configuration, reboots, and prompts you to log in.

Verifying Interface Settings and Port Operation

Follow these steps to verify that your interface configurations have been set properly and the controller’s ports are operational.

Step 1 Enter show interface summary. The controller’s current interface configurations appear:

Interface Name   Port  VLAN Id  IP Address   Type    AP Mgr  Guest
---------------  ----  -------  -----------  ------  ------  -----
management       1     100      10.10.10.2   Static  Yes     No
service-port     N/A   N/A      0.0.0.0      Static  No      No
virtual          N/A   N/A      1.1.1.1      Static  No      No

Step 2 Enter show port summary. The following information appears, showing the status of the controller’s distribution system ports, which serve as the data path between the controller and Cisco lightweight access points and to which the controller’s management interface is mapped.

Pr  Type    STP Stat  Admin Mode  Physical Mode  Physical Status  Link Status  Link Trap  Mcast Appliance  POE
--  ------  --------  ----------  -------------  ---------------  -----------  ---------  ---------------  ---
1   Normal  Forw      Enable      Auto           1000 Full        Up           Enable     Enable           N/A
2   Normal  Forw      Enable      Auto           1000 Full        Up           Enable     Enable           N/A

Configure Security and AAA Server in WLC 5500

1. Open IE or Firefox, type the IP address of the WLC in the address bar as https://10.10.10.2 (bypass the proxy if you need to) and hit Enter.

2. Click Login and provide the login credentials you created in the start-up wizard.

3. Click Wireless. In the left-hand pane click Authentication. You will see the IP address and port number 1812 of the RADIUS server.

4. In the left-hand pane click Accounting. Click New in the top right corner. You will be presented with a window to add a RADIUS server: provide the IP of the RADIUS server, the shared secret and port 1813. Apply the changes.

5. Click WLANs > click 1 > click the General tab > check Enabled for Status and check Enabled for Broadcast SSID.

6. Click the Security tab > click the Layer 2 tab > select WPA+WPA2 from the Layer 2 Security drop-down list > check WPA Policy and TKIP, or WPA2 Policy and TKIP. On the same page, under Auth Key Mgmt, select 802.1X. Now click Apply.

7. Click AAA Servers > select the authentication and accounting server from the Server 1 drop-down list; here the authentication and accounting server is the RADIUS server. Check Enabled for both the Authentication and Accounting radio buttons. Click Apply.

8. In the top left-hand corner, click Monitor and scroll down to make sure you see all the APs.

Add WLC 5500 in the IAS server as a Radius Client

1. Log on to the IAS server as an administrator.

2. Open Internet Authentication Service from Administrative Tools.

3. Right-click RADIUS Clients and click New RADIUS Client. In the New RADIUS Client window, enter the IP address of the WLC 5500 and a friendly name such as WLC. Click Next.

4. Select RADIUS Standard as the Client-Vendor, enter the shared secret (it must match the one configured on the WLC in step 13 of the start-up wizard), repeat it and click Finish. The shared secret is the only thing that authenticates the WLC to IAS, so use a long random value rather than a dictionary word.

5. Close the IAS console and log out.
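What the shared secret from the two sections above actually does is easy to see on the wire. The following is an added example, not code from this page, Cisco or Microsoft: it builds a RADIUS Access-Request as the WLC would send it, verifies it as the server would, answers with an Access-Accept and checks that reply as the WLC would, following RFC 2865 and RFC 2869. The secret, identity, addresses and EAP payloads are made up, and the offline guessing function shows why a weak secret is a problem once one request has been captured.

```python
"""Added example: a minimal RADIUS Access-Request / Access-Accept exchange
between a NAS (the WLC) and a server (IAS), showing what the shared secret
protects. Packet layout follows RFC 2865 / RFC 2869; all values are made up."""
import hashlib
import hmac
import struct
from typing import Iterable, Optional

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_NAS_IP, ATTR_EAP_MESSAGE, ATTR_MSG_AUTH = 1, 4, 79, 80


def attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as Type(1) | Length(1) | Value; length covers the header."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def build_access_request(secret: bytes, ident: int, request_auth: bytes,
                         user: str, nas_ip: bytes, eap: bytes) -> bytes:
    """NAS side. Message-Authenticator (RFC 2869 s5.14) is HMAC-MD5 over the whole
    packet with its own 16 value bytes zeroed; it is mandatory for EAP requests."""
    attrs = (attr(ATTR_USER_NAME, user.encode()) + attr(ATTR_NAS_IP, nas_ip)
             + attr(ATTR_EAP_MESSAGE, eap))
    zeroed = attrs + attr(ATTR_MSG_AUTH, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(zeroed)) + request_auth
    mac = hmac.new(secret, header + zeroed, hashlib.md5).digest()
    return header + attrs + attr(ATTR_MSG_AUTH, mac)


def verify_message_authenticator(secret: bytes, packet: bytes) -> bool:
    """Server side: find the Message-Authenticator, zero it and recompute the HMAC.
    A wrong secret (or a request from an unknown NAS) fails here before any EAP work."""
    attrs, pos = packet[20:], 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2:
            return False  # malformed attribute; never loop forever on it
        if atype == ATTR_MSG_AUTH and alen == 18:
            given = attrs[pos + 2:pos + 18]
            zeroed = packet[:20] + attrs[:pos + 2] + b"\x00" * 16 + attrs[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(given, expected)
        pos += alen
    return False  # no Message-Authenticator at all: reject for EAP


def build_response(secret: bytes, code: int, request: bytes, attrs: bytes) -> bytes:
    """Server side. Response Authenticator (RFC 2865 s3) =
    MD5(Code | ID | Length | RequestAuthenticator | Attributes | Secret)."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_response(secret: bytes, request: bytes, response: bytes) -> bool:
    """NAS side: accept a reply only if it matches our outstanding request's ID and
    authenticator and was computed with the shared secret (so it cannot be spoofed
    or replayed from another request by someone without the secret)."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


def crack_secret(packet: bytes, candidates: Iterable[str]) -> Optional[str]:
    """Why the secret must be long and random: one captured Access-Request lets an
    attacker test guesses offline against its Message-Authenticator."""
    for cand in candidates:
        if verify_message_authenticator(cand.encode(), packet):
            return cand
    return None


def demo() -> bool:
    """Run the whole exchange with assumed values; True when both sides verify."""
    secret = b"Kx9!vR2p$Lq7#mWz"                    # assumed shared secret
    request_auth = bytes(range(16))                 # would be random per request
    identity = b"user@example.com"                  # assumed EAP identity
    eap_identity = b"\x02\x01" + struct.pack("!H", 5 + len(identity)) + b"\x01" + identity
    req = build_access_request(secret, 7, request_auth, identity.decode(),
                               bytes([10, 10, 10, 2]), eap_identity)
    ok_req = verify_message_authenticator(secret, req)
    eap_success = b"\x03\x01\x00\x04"               # EAP-Success, id 1
    resp = build_response(secret, ACCESS_ACCEPT, req, attr(ATTR_EAP_MESSAGE, eap_success))
    return ok_req and verify_response(secret, req, resp)


if __name__ == "__main__":
    print("exchange verified:", demo())
```

Two points to take from it: the Request Authenticator is not secret, so everything that binds the exchange to the WLC and IAS is the HMAC and MD5 over the shared secret; and the RADIUS traffic itself is not encrypted, so the WLC-to-IAS path belongs on a management VLAN.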

Testing network

Log on to a Windows XP or Windows 7 client as a domain user while the client is connected by a Cat5 or Cat6 cable. Make sure this domain user is a member of the wireless access group and is allowed remote access (Dial-in tab of the AD user properties). Install the computer and user certificates on that client; at a minimum the client must trust the CA that issued the RADIUS server's certificate, otherwise PEAP server validation fails. Now turn on the wireless NIC, unplug the cable and view the available wireless networks. Select the SSID you created in the previous steps and double-click it. You will be connected.

Important! If you set WPA and TKIP on the WLC, you must set WPA and TKIP on the client as well; the same goes for WPA2 with TKIP or WPA2 with AES. Both sides must match.

For Mac clients, see my previous post on the subject.

Configure Group Policy for 802.1x wireless network

  1. Open the Group Policy Management Console (GPMC).
  2. Create a new Group Policy Object and link it to the desired OU.
  3. Right-click the newly created GPO and click Edit.
  4. Go to Computer Configuration, open Windows Settings, open Security Settings, and then select Wireless Network (IEEE 802.11) Policies.
  5. Right-click Wireless Network (IEEE 802.11) Policies, click Create A New Policy and type a policy name.
  6. Open the new policy's properties, click the Preferred Networks tab and click Add to add a new profile. Type the SSID that corresponds to the SSID configured on the WLC.
  7. Under Wireless network key, select WPA and TKIP, or whatever you configured on the WLC.
  8. On the IEEE 802.1X tab, set EAPOL-Start message to Transmit per IEEE 802.1X.
  9. As the EAP type, select PEAP.
  10. Check Authenticate as computer when computer information is available and, in the Computer authentication drop-down box, select With user authentication.
  11. Click OK, then Apply, then OK.

Walkthrough of the WLC 5500 web interface

Open Internet Explorer, type the IP address of the WLC in the address bar (bypassing the proxy) and press Enter. Click Login, provide your logon credentials and click OK.


Accessing the WLC using telnet

Open a command prompt and type telnet IP_Address. Telnet sends your credentials in cleartext, so enable SSH on the controller and use an SSH client for anything beyond an isolated lab network.


Necessary Links

Export a certificate with the private key

Import a certificate

Cisco 5500 WLC

Cisco Wireless AP

Microsoft Radius Server

Relevant Articles

WLAN Controller Failover for Lightweight Access Points Configuration Example

Wireless LAN Controller (WLC) Configuration Best Practices

How to configure Microsoft Radius Server (IAS) for Macintosh OSX 10.5, Windows 7 and windows XP Pro client

Install and configure Microsoft Active Directory Certificate Services (AD CS) using Windows Server 2008 R2

Windows Server 2008: how to configure Network Policy Server or Radius Server –Step by Step Guide

Overview of the Wi-Fi Protected Access (WPA) security update in Windows XP


How to backup and restore Cisco switch/router config in easy steps

Backup Cisco Router or Switch in a Text File

Step 1: Create a text file on C:\ (or your preferred drive) and name it, for example, switch-config.txt.

Step 2: Open a command prompt and type the following. The -f option makes the Windows telnet client log the whole session to that file:

telnet -f c:\switch-config.txt IP-Address-of-switch

switch>enable

(provide the privileged password)

switch#terminal length 0

switch#show run

switch#show start

switch#show vlan brief

Now exit from telnet, go to C:\ and open switch-config.txt to view the switch/router configuration. Two caveats: telnet carries your enable password in cleartext, so prefer an SSH client that can log the session; and the captured file contains the device's type 7 passwords (which are reversible) and SNMP community strings, so store it where only administrators can read it.

Backing Up the Configuration to a TFTP Server

[Router name]#copy run tftp

Address or name of remote host []? X.X.X.X (the IP address of the TFTP server)

Destination filename [routername-confg]? /CiscoBackup/router1.cfg (the full path, then press Enter)

TFTP has no authentication and no encryption, so keep the TFTP server on the management network, and where the IOS image supports it prefer SCP (copy run scp:) over TFTP.

Restoring a Configuration from a TFTP Server

[router name]#show run

[router name]#copy tftp run

Address or name of remote host []? X.X.X.X (the IP address of the TFTP server)

Source filename []? /CiscoBackup/router1.cfg (the full path, then press Enter)

[router name]#show run

[router name]#show interfaces

[router name]#copy run start

Note that copy tftp run merges the file into the running configuration rather than replacing it: lines present on the device but absent from the file stay in effect, which is why the show run before and after is worth comparing. To replace the configuration entirely, copy the file to startup-config (copy tftp start) and reload, or use configure replace where the IOS image supports it.
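Once a session log like the one produced above exists, two things are worth automating: checking whether the running and startup configurations differ (a running config that was never saved is lost at the next reload) and stripping secrets before the file is archived. The script below is an added example, not from the page; it parses a constructed telnet session log in the shape the steps above produce, diffs the two configurations and redacts passwords and SNMP communities. The log contents, hostname and the well-known type 7 test string are all made up or public examples.

```python
"""Added example (not from the page): find unsaved configuration changes in a
captured 'show run' / 'show start' session log and redact secrets before the
log is archived. The session log below is constructed."""
import re
from collections import Counter
from typing import Dict, List, Tuple

CMD_RE = re.compile(r"^\S+#\s*show\s+(run\S*|start\S*)\s*$")

# Constructed session log: the running config has 'transport input ssh' on the
# vty lines, the startup config does not, i.e. someone forgot 'copy run start'.
CAPTURE = """\
switch>enable
Password:
switch#terminal length 0
switch#show run
Building configuration...

Current configuration : 512 bytes
!
version 12.2
hostname core-4506
!
enable secret 5 $1$salt$placeholderhash
enable password 7 0822455D0A16
!
snmp-server community public RO
!
line vty 0 4
 password 7 0822455D0A16
 login
 transport input ssh
!
end

switch#show start
Using 480 out of 524288 bytes
!
version 12.2
hostname core-4506
!
enable secret 5 $1$salt$placeholderhash
enable password 7 0822455D0A16
!
snmp-server community public RO
!
line vty 0 4
 password 7 0822455D0A16
 login
!
end
switch#exit
"""


def extract_sections(capture: str) -> Dict[str, List[str]]:
    """Split the log at each echoed 'show run' / 'show start' command and keep the
    lines up to 'end'. The banner lines ('Building configuration...', 'Using N out
    of M bytes') differ between the two commands, so everything before the first
    '!' is dropped to make the bodies comparable."""
    sections: Dict[str, List[str]] = {}
    key = None
    for raw in capture.splitlines():
        line = raw.rstrip()
        m = CMD_RE.match(line)
        if m:
            key = "run" if m.group(1).startswith("run") else "start"
            sections[key] = []
            continue
        if key is None:
            continue
        sections[key].append(line)
        if line == "end":
            key = None
    for name, body in sections.items():
        if "!" in body:
            sections[name] = body[body.index("!"):]
    return sections


def _multiset_diff(a: List[str], b: List[str]) -> List[str]:
    """Lines of a not accounted for by b, honouring duplicates (e.g. the many '!')."""
    remaining = Counter(b)
    out = []
    for line in a:
        if remaining[line] > 0:
            remaining[line] -= 1
        else:
            out.append(line)
    return out


def unsaved_changes(sections: Dict[str, List[str]]) -> Tuple[List[str], List[str]]:
    """(lines only in running-config, lines only in startup-config)."""
    run, start = sections.get("run", []), sections.get("start", [])
    return _multiset_diff(run, start), _multiset_diff(start, run)


# Type 5 hashes, type 7 strings and SNMP community names do not belong in a
# world-readable backup; type 7 in particular is reversible.
REDACT = [
    (re.compile(r"^(\s*(?:enable )?(?:password|secret) \d )\S+"), r"\1<redacted>"),
    (re.compile(r"^(\s*snmp-server community )\S+"), r"\1<redacted>"),
]


def redact(lines: List[str]) -> List[str]:
    """Return a copy of the config lines with secret material replaced."""
    out = []
    for line in lines:
        for pattern, repl in REDACT:
            line = pattern.sub(repl, line)
        out.append(line)
    return out


if __name__ == "__main__":
    secs = extract_sections(CAPTURE)
    added, removed = unsaved_changes(secs)
    print("in running but not startup:", added)
    print("in startup but not running:", removed)
    print("\n".join(redact(secs["run"])))
```

Keep the redacted copy for diffing and change tracking, and the unredacted one, if you need it for restores, only in a restricted location.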

Cisco core 4506: Sample config

If you want a sample core switch configuration to modify for your own needs, here is one. Note that it keeps several settings you should review before reusing it: the default SNMP community public, ip http server, an enable password alongside the enable secret, and vty lines that accept telnet.

Building configuration…
Current configuration : 6599 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
service compress-config
!
hostname core-4506
!
enable secret 5 $1$XF/2$bxyvsqDf1LZ6n8TFyhwmg1
enable password 7 0518090035445D08000005
!
clock timezone WST 8
ip subnet-zero
no ip domain-lookup
ip domain-name YourDomainName
ip name-server xx.xx.xx.xx
ip name-server xx.xx.xx.xx
!
no file verify auto
!
spanning-tree mode pvst
spanning-tree portfast bpduguard default
spanning-tree extend system-id
spanning-tree vlan 1-3 priority 8192
power redundancy-mode redundant
!
!
!
vlan internal allocation policy ascending
!
interface GigabitEthernet1/1
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/2
!
interface GigabitEthernet2/1
!
more interface…………

interface GigabitEthernet3/1
!
interface GigabitEthernet3/2
!
interface GigabitEthernet4/1
!
more interface……………..
interface GigabitEthernet4/6
!
interface GigabitEthernet5/1
!
interface GigabitEthernet6/2
switchport access vlan 5
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet6/4
switchport access vlan 200
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet6/5
switchport access vlan 105
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet6/9
switchport access vlan 5
switchport mode access
spanning-tree portfast
!
more interface config………….based how many modules you have….

interface GigabitEthernet6/15
switchport access vlan 5
switchport trunk encapsulation dot1q
!
interface GigabitEthernet6/23
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet6/24
switchport access vlan 3
switchport mode access
spanning-tree portfast
!
interface Vlan1
description Admin VLAN
no ip address
!
interface Vlan2
no ip address
!
interface Vlan3
description Live Internet
no ip address
!
interface Vlan5
description Server VLAN
ip address 10.143.8.2 255.255.255.128
ip helper-address 10.143.8.24
!
interface Vlan6
description iMac_iPhone
ip address 10.143.7.1 255.255.255.128
ip helper-address 10.143.8.24
!
interface Vlan7
description Printer_SRV
ip address 10.143.6.1 255.255.255.128
ip helper-address 10.143.8.24
!
interface Vlan10
description thin client
no ip address
!
interface Vlan15
description thin client
no ip address
!
interface Vlan16
description thin client Relay
no ip address
!
interface Vlan50
description Admin Network
no ip address
shutdown
!
interface Vlan100
description Special Network
ip address 10.143.12.1 255.255.252.0
ip access-group 101 in
ip helper-address 10.143.8.24
ip helper-address 10.143.8.5
!
interface Vlan105
description staff Network
ip address 10.143.10.1 255.255.254.0
ip helper-address 10.143.8.24
ip helper-address 10.143.8.5
!
interface Vlan110
no ip address
!
interface Vlan200
description Wireless Network
no ip address
!
interface Vlan201
description MacWireless Network
no ip address
shutdown
!
interface Vlan900
description DMZ
no ip address
shutdown
!
ip default-gateway 10.142.8.31
ip route 0.0.0.0 0.0.0.0 10.143.8.1
ip route 10.1.9.105 255.255.255.255 10.143.8.1
ip route 10.142.8.0 255.255.248.0 Vlan1
ip route 10.143.6.0 255.255.255.128 Vlan7
ip route 10.143.7.0 255.255.255.128 Vlan6
ip route 10.143.8.0 255.255.255.128 Vlan5
ip route 10.143.10.0 255.255.254.0 Vlan105
ip route 10.143.12.0 255.255.252.0 Vlan100
ip http server
!
!
!
access-list 101 deny   ip 10.143.12.0 0.0.3.255 10.143.8.30 0.0.0.1
access-list 101 permit ip any any
!
snmp-server community public RO
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps stpx
snmp-server enable traps port-security
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps fru-ctrl
snmp-server enable traps flash insertion removal
snmp-server enable traps syslog
snmp-server enable traps bridge
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps hsrp
snmp-server enable traps bgp
snmp-server enable traps rtr
snmp-server enable traps vlan-membership
!
!
line con 0
password 7 030752452180500
login
stopbits 1
line vty 0 4
password 7 030754522180500
login
!
ntp clock-period 17179193
ntp peer 10.142.8.1
end
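A configuration like the one above is worth running through an automated review before it is pushed to another switch. The script below is an added example, not code from the page or from Cisco: it audits an IOS configuration for the weak settings visible in the sample (type 7 passwords, a redundant enable password, ip http server, a default SNMP community, vty lines without transport input ssh) and decodes type 7 strings with the publicly known key to show that service password-encryption obfuscates but does not protect. The embedded sample is a constructed excerpt modeled on the configuration above, using the well-known 0822455D0A16 test string rather than the page's own values.

```python
"""Added example (not from the page): audit a saved IOS configuration such as
the 4506 sample above and show why type 7 passwords are only obfuscated.
The type 7 key is the publicly known one; the sample config is constructed."""
import re
from typing import List, Tuple

XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"   # well-known Cisco type 7 key


def decode_type7(encoded: str) -> str:
    """Type 7: two-digit decimal offset into XLAT, then hex bytes XORed with XLAT."""
    salt = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ XLAT[(salt + i) % len(XLAT)]) for i, b in enumerate(data))


Finding = Tuple[str, int, str]   # (rule id, line number, detail)


def audit(config: str) -> List[Finding]:
    """Walk the config once; block state is only needed for 'line vty' sections."""
    lines = config.splitlines()
    findings: List[Finding] = []
    has_enable_secret = any(l.strip().startswith("enable secret ") for l in lines)
    vty_line, vty_ssh_only = 0, False   # state for the current 'line vty' block

    def close_vty() -> None:
        if vty_line and not vty_ssh_only:
            findings.append(("VTY_TELNET", vty_line,
                             "no 'transport input ssh': telnet (cleartext) is accepted"))

    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        m = re.search(r"\bpassword 7 ([0-9A-Fa-f]+)$", line)
        if m:
            try:
                detail = f"type 7 is reversible; decodes to {decode_type7(m.group(1))!r}"
            except ValueError:
                detail = "type 7 string is malformed"
            findings.append(("TYPE7_PASSWORD", n, detail))
        if line.startswith("enable password ") and has_enable_secret:
            findings.append(("ENABLE_PASSWORD_REDUNDANT", n,
                             "enable secret is set; remove the weaker enable password"))
        if line == "ip http server":
            findings.append(("HTTP_SERVER", n,
                             "cleartext HTTP management; use ip http secure-server or disable"))
        m = re.match(r"snmp-server community (\S+) (RO|RW)\b", line)
        if m and m.group(1).lower() in ("public", "private"):
            findings.append(("SNMP_DEFAULT_COMMUNITY", n,
                             f"default community {m.group(1)!r} with {m.group(2)} access"))
        if line.startswith("line vty"):
            close_vty()
            vty_line, vty_ssh_only = n, False
        elif vty_line and line.startswith("transport input"):
            vty_ssh_only = line.split()[2:] == ["ssh"]
        elif vty_line and (line.startswith("line ") or line in ("!", "end")):
            close_vty()
            vty_line = 0
    close_vty()
    return findings


# Constructed excerpt modeled on the sample config above.
SAMPLE = """\
version 12.2
service password-encryption
hostname core-4506
!
enable secret 5 $1$salt$placeholderhash
enable password 7 0822455D0A16
!
ip http server
!
snmp-server community public RO
!
line con 0
 password 7 0822455D0A16
 login
line vty 0 4
 password 7 0822455D0A16
 login
!
end
"""

if __name__ == "__main__":
    for rule, n, detail in audit(SAMPLE):
        print(f"line {n}: {rule}: {detail}")
```

The rule set is deliberately small; the point is the structure (one pass, block state only where IOS nests configuration) so that further checks, for example an SNMP community without an access-list or a missing aaa new-model, slot in as extra conditions.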