Archive for category Cisco
Mac Updates
OIDS for global use CISCO
#set the OIDS for global use
#Temperature
toid1=1.3.6.1.4.1.9.5.1.2.13.0 #Temp OID for 3550,3560-24/48, 3750
#2950s have no temperature sensor
toid2=1.3.6.1.4.1.9.9.13.1.3.1.6.1 #Temp OID for 4506
#Fan
foid1=1.3.6.1.4.1.9.9.13.1.4.1.3 #Fan OID for 3550, 3560-24/48
foid2=1.3.6.1.4.1.9.9.13.1.4.1.3.1 #Fan OID for 2950
foid3=1.3.6.1.4.1.9.9.13.1.4.1.3.1004 #Fan OID for 3750
foid4=1.3.6.1.4.1.9.9.13.1.4.1.3.1 #fan OID for 4506
#Power Supply
poid1=1.3.6.1.4.1.9.9.13.1.5.1.3.1 #PS OID for 3550
poid2=1.3.6.1.4.1.9.5.1.2.4.0 #PS OID for 3560-24/48
poid3=1.3.6.1.4.1.9.9.13.1.5.1.4 #PS OID for 3750
poid4=1.3.6.1.4.1.9.9.13.1.5.1.3.1 #PS OID for 2950
poid5=1.3.6.1.4.1.9.9.13.1.5.1.3.1 #PS OID for 4506
Clear DHCP
clear ip dhcp binding
clear arp
IP NAT ADSL Cisco Router
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 172.16.1.1 172.16.1.50
!
ip dhcp pool VLAN10
network 172.16.1.0 255.255.255.0
default-router 172.16.1.254
dns-server 200.33.146.241 200.33.146.249
lease 2
!
!
!
!
!
!
interface FastEthernet0/0
description INFINITUM
ip address 192.168.10.254 255.255.255.0
ip nat outside
duplex auto
speed auto
!
interface FastEthernet0/1
description RED LOCAL
ip address 172.16.1.254 255.255.255.0
ip nat inside
duplex auto
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.10.1
!
ip http server
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 permit 172.16.1.0 0.0.0.255
!
control-plane
!
!
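A small audit of the NAT configuration above, added here as an example (it is not part of the original post): it checks that access-list 1 covers the inside networks, that the PAT interface is marked "ip nat outside", and flags the "ip http server" line, which leaves the router's web UI reachable from the outside interface unless restricted. The config excerpt is constructed from the lines above; the function names are assumed.

```python
import ipaddress
import re

# Constructed excerpt of the configuration above: only the lines the checks look at.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 192.168.10.254 255.255.255.0
 ip nat outside
interface FastEthernet0/1
 ip address 172.16.1.254 255.255.255.0
 ip nat inside
ip http server
ip nat inside source list 1 interface FastEthernet0/0 overload
access-list 1 permit 172.16.1.0 0.0.0.255
"""

def parse_interfaces(cfg):
    """Map interface name -> {'network': IPv4Network or None, 'nat': inside/outside/None}."""
    ifaces, cur = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            cur = ifaces.setdefault(line.split()[1], {"network": None, "nat": None})
        elif not line.startswith(" "):
            cur = None  # any unindented line ends the interface block
        elif cur is not None:
            m = re.fullmatch(r" ip address (\S+) (\S+)", line)
            if m:
                cur["network"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
            m = re.fullmatch(r" ip nat (inside|outside)", line)
            if m:
                cur["nat"] = m[1]
    return ifaces

def audit_nat(cfg):
    findings, ifaces = [], parse_interfaces(cfg)
    nat = re.search(r"ip nat inside source list (\d+) interface (\S+) overload", cfg)
    if not nat:
        return ["no overloaded 'ip nat inside source list' statement found"]
    acl, outside_if = nat.groups()
    # ACL entries use wildcard masks; ipaddress accepts that host-mask form directly.
    permitted = [ipaddress.ip_network(f"{a}/{w}")
                 for a, w in re.findall(rf"^access-list {acl} permit (\S+) (\S+)", cfg, re.M)]
    inside = [i["network"] for i in ifaces.values() if i["nat"] == "inside" and i["network"]]
    for net in inside:
        if not any(net.subnet_of(p) for p in permitted):
            findings.append(f"inside network {net} is not matched by access-list {acl}")
    if ifaces.get(outside_if, {}).get("nat") != "outside":
        findings.append(f"{outside_if} carries the PAT but is not marked 'ip nat outside'")
    if re.search(r"^ip http server$", cfg, re.M):
        findings.append("ip http server is enabled and reachable from the outside interface; "
                        "restrict it with 'ip http access-class' or disable it")
    return findings
```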
Networking – 802.1q Trunking and 802.3ad Link Aggregation using Cisco Switches
Virtualization Resources – VMware ESX and ESXi Server
OK, so your server probably has more than one physical NIC; by default most have two built in.
You may have been wondering what the best network configuration for ESX/ESXi servers is: how many physical NICs to use, which vSwitch to assign them to, and which vSwitch to use for certain traffic.
If you have more than one physical switch that supports 802.3ad link aggregation, you may want to take advantage of that too.
The number of network cards you have and what your requirements are may differ, but I believe the 4-NIC setup is the best for performance, reliability and functionality. You can have more if you like, but 4 will certainly suffice.
Why would you want to go to the trouble of setting this up and annoying the network team?
1. To present trunk ports to all ESX network interfaces. This is to segregate traffic to different VLANs for improved security (802.1q). Meaning you will be able to put virtual machines onto different VLANs (Maybe you have dev, test and production VLANs).
2. To load balance across NICs and physical switches using the IP hash (802.3ad). This will improve bandwidth usage and increase reliability.
Setup the network configuration as follows on each ESX/ESXi Server:
Virtual Switch Layout:
| Virtual Switch | Used For |
| --- | --- |
| vSwitch0 | Virtual Machines |
| vSwitch1 | Service Console and VMotion |
| vSwitch2 | Internal |
Virtual Switch to Physical NIC to Physical Switch Mapping:
| Physical Network Interface | Used by Virtual Switch | Connected to Physical Switch | Type |
| --- | --- | --- | --- |
| vmknic0 | vSwitch0 | Switch2 | Trunk |
| vmknic1 | vSwitch1 | Switch2 | Trunk |
| vmknic2 | vSwitch0 | Switch1 | Trunk |
| vmknic3 | vSwitch1 | Switch1 | Trunk |
Virtual Networks:
| Used For | Port Group Type | VLAN ID |
| --- | --- | --- |
| Server Network | Virtual Machines | 11 |
| VMotion | Vmkernel | 12 |
| Service Console | Service Console | 12 |
Failover and Load Balancing Settings for vSwitchX:
Load Balancing: IP Hash
Network Failure Detection: Link Status Only
Notify Switches: Yes
Failback: Yes
Active Adaptors: vmnicX, vmnicX
Standby Adaptors: None
Unused Adaptors: None
NOTE: You cannot use VLAN 1 in virtual switches with trunking because the traffic is not tagged.
Switch Channel-Group Configuration for 802.3ad link aggregation
Create a port channel for each server.
interface Port-channel2
description ESX Server 1
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
spanning-tree portfast trunk
end
Switch Port Configuration for 802.1q trunking
Make the port a trunk port and assign it to that server's channel group.
interface GigabitEthernet2/10
description ESX Server 1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
spanning-tree portfast trunk
channel-group 2 mode on
end
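A consistency check for the switch side, added as an example (not from the original post): with "channel-group 2 mode on" IOS only bundles member ports whose trunk settings match the port-channel, and a standard vSwitch using IP hash cannot negotiate LACP or PAgP, so a mismatched setting or a negotiating mode keeps that port out of the bundle. The sample config is constructed from the two blocks above; the function names are assumed.

```python
import re

# Constructed config shaped like the two blocks above; GigabitEthernet2/11 deliberately
# lacks "switchport nonegotiate" so the check has a mismatch to report.
SAMPLE_CONFIG = """\
interface Port-channel2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
interface GigabitEthernet2/10
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 channel-group 2 mode on
interface GigabitEthernet2/11
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 2 mode on
"""
# Settings that must agree between a member port and its port-channel.
TRUNK_PREFIXES = ("switchport trunk encapsulation", "switchport mode", "switchport nonegotiate")

def interface_blocks(cfg):
    blocks, cur = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            cur = blocks.setdefault(line.split()[1], [])
        elif line.startswith(" ") and cur is not None:
            cur.append(line.strip())
        else:
            cur = None  # any unindented line ends the interface block
    return blocks

def trunk_settings(lines):
    return {l for l in lines if l.startswith(TRUNK_PREFIXES)}

def check_channels(cfg):
    blocks, findings = interface_blocks(cfg), []
    for name, lines in blocks.items():
        for cg in filter(None, (re.fullmatch(r"channel-group (\d+) mode (\S+)", l) for l in lines)):
            group, mode = cg.groups()
            po = blocks.get(f"Port-channel{group}")
            if po is None:
                findings.append(f"{name}: channel-group {group} has no interface Port-channel{group}")
                continue
            if mode != "on":  # a standard vSwitch with IP-hash teaming forms a static EtherChannel only
                findings.append(f"{name}: channel-group mode is {mode}; ESX IP-hash teaming needs 'mode on'")
            diff = trunk_settings(po) ^ trunk_settings(lines)
            if diff:
                findings.append(f"{name}: trunk settings differ from Port-channel{group}: {sorted(diff)}")
    return findings
```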
Configure Cisco routers to use Active Directory authentication — the Windows side
Takeaway: Did you know that you can leverage the Windows Active Directory username/password database to log in to your Cisco routers and switches? In this two-part series, David Davis walks you through the process. This time, he explains how to install, configure, and troubleshoot Windows’ Internet Authentication Service (IAS).
If your organization uses Windows, you probably use your Active Directory (AD) username and password to log onto your PC every day. So why do you need separate credentials on your routers?
Even if you just need to remember an extra password, it can be annoying — but it doesn’t have to be. In fact, you can leverage the Windows AD username/password database to log in to your Cisco routers and switches.
In this two-part series, I’ll explain how to configure AD authentication on your routers and switches. This week, we’ll start off by discussing how to install, configure, and troubleshoot Windows’ Internet Authentication Service (IAS); next week, we’ll wrap it up by explaining how to configure your routers and switches to use the authentication.
Before we begin, let’s go over this article’s assumptions. For this configuration, we’ll use IAS, the Microsoft implementation of a Remote Authentication Dial-in User Service (RADIUS) server and proxy, which comes built into Windows 2000 Server and Windows Server 2003.
In addition, we’re assuming that you’ve already connected your router or switch to the LAN, enabled its LAN interface, and have an IP address on that LAN interface. If access to the router or switch is through a routed network, it also needs a default gateway configured.
Install IAS
Start off by installing IAS if you haven’t already done so. For Windows Server 2003, follow these steps:
- Log in as an administrator.
- Go to Start | Control Panel, and double-click the Add Or Remove Programs applet.
- Click Add/Remove Windows Components.
- In the Windows Components Wizard, click Networking Services, and click Details.
- In the Networking Services dialog box, select Internet Authentication Service, click OK, and click Next.
- The system may prompt you to insert your Windows Server 2003 CD, so have it handy.
- After IAS is installed, click Finish, and then Close.
To keep track of who can log in to your Cisco network devices, I suggest creating an AD group called ciscoadmin. Then, make your existing Windows account a member of the ciscoadmin group.
Configure IAS
Now that we’ve installed IAS, we need to configure it. Begin by going to Start | Control Panel and double-clicking the Administrative Tools applet. Double-click the Internet Authentication Service applet, as shown in Figure A.
Figure A: To begin configuring IAS, go to Start | Control Panel | Administrative Tools | Internet Authentication Service.
This will open the Internet Authentication Service window, as shown in Figure B.
Figure B: You must open the Internet Authentication Service window to configure IAS.
Now we need to add a RADIUS client. Follow these steps:
- In the left pane, right-click RADIUS Clients, and select New RADIUS Client.
- In the New RADIUS Client dialog box, as shown in Figure C, enter a display name for the client (i.e., your router or switch). I suggest using the router’s hostname.
- Enter the LAN IP address of the client.
Figure C: Enter a friendly name for the new client, and enter the IP address.
- Click Next, and select Cisco for the Client-Vendor.
- Enter a password (called a key on a router or switch) that the two devices will share for the authentication process. For this example, I used cisco as my test password.
- Click Finish.
Figure D shows the Internet Authentication Service window with the newly added client.
Figure D: The Internet Authentication Service window displays the newly added client.
Next, we need to create a remote access policy. Follow these steps:
- In the Internet Authentication Service window, click Remote Access Policies in the left pane.
- In the right pane, right-click the default policy, and select Delete.
- Right-click inside the right pane, and select New Remote Access Policy.
- In the Remote Access Policy Wizard, click Next.
- Click Set Up A Custom Policy, name it ciscoauth, and click Next.
- Click Add, select Windows-Groups, and click Add, as shown in Figure E.
Figure E: Select Windows-Groups, and click the Add button.
Enter ciscoadmin (or whatever group you want to use). In this example, we’re using a local Windows server group. You can also use a Windows AD group — which, of course, is preferable. Figure F shows the Groups dialog box with the ciscoadmin group listed.
Figure F: The Groups dialog box will list the group you add.
Select the new group, and click OK. This takes you to the Policy Conditions screen of the New Remote Access Policy Wizard, as shown in Figure G.
Figure G: Select Windows-Groups, and click the Add button.
- Click Next, select Grant Remote Access Permission, and click Next.
- Click Edit Profile, and select the Authentication tab.
- Deselect all check boxes; only select the Unencrypted Authentication (PAP/SPAP) check box, as shown in Figure H, and click OK.
Figure H: Select the Unencrypted Authentication (PAP/SPAP) check box only.
- Next, select the Advanced tab.
- Select Service-Type, and click Edit.
- In the Enumerable Attribute Information dialog box, select Login from the Attribute Value drop-down list, as shown in Figure I, and click OK.
Figure I: Under Attribute Value, change it from Framed to Login.
Back on the Advanced tab, select Framed-Protocol, and click Remove. Figure J displays the resulting dialog box.
Figure J: All that’s left to do is click OK.
All you have to do now is click OK. The system will likely ask if you want to view Help topics, as shown in Figure K.
Figure K: For corresponding Help topics, click Yes.
We’re almost there. Click Next, click Finish, and that’s it!
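Why selecting Unencrypted Authentication (PAP/SPAP) still does not put the password on the wire in the clear between the router and IAS: the router hides the User-Password attribute with the shared key and the 16-byte Request Authenticator, as RFC 2865 section 5.2 describes, so the strength of that shared key is what protects logins in transit (one reason a test key like cisco should not survive into production). This is an added example, not code from the article; the key is the article's test value and the authenticator is a constructed constant.

```python
import hashlib

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to 16-byte blocks, then c_i = p_i XOR MD5(secret + c_(i-1))."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    pw = password.encode("utf-8")
    if not 1 <= len(pw) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    pw += b"\x00" * (-len(pw) % 16)      # NUL-pad to a multiple of 16
    out, prev = b"", authenticator        # the first block is keyed with the authenticator
    for i in range(0, len(pw), 16):
        block = _xor(pw[i:i + 16], hashlib.md5(secret.encode("utf-8") + prev).digest())
        out, prev = out + block, block
    return out

def reveal_password(hidden, secret, authenticator):
    """What IAS does on receipt: regenerate the same keystream and XOR it back; padding stripped."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret.encode("utf-8") + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

# Constructed values: the article's test key, and a fixed 16-byte Request Authenticator
# (a real router generates a fresh random one for every Access-Request).
SHARED_KEY = "cisco"
AUTHENTICATOR = bytes(range(16))

def demo(password="Winter2007!"):
    """Hide a sample password as the router would, then recover it as IAS would."""
    hidden = hide_password(password, SHARED_KEY, AUTHENTICATOR)
    return hidden.hex(), reveal_password(hidden, SHARED_KEY, AUTHENTICATOR).decode("utf-8")
```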
Troubleshoot IAS
When it comes to troubleshooting IAS, its logs can be very cryptic. For example, Figure L shows a log created while testing this article.
Figure L: IAS logs can be a little hard to interpret.
To help out with reading these logs, I use DeepSoftware.com’s IAS Log Viewer. Figure M shows a screenshot of this tool.
Figure M: IAS Log Viewer helps simplify logs.
Stay tuned: Next time, we’ll wrap up this tutorial by explaining how to configure your routers and switches to use AD authentication.
David Davis has worked in the IT industry for 12 years and holds several certifications, including CCIE, MCSE+I, CISSP, CCNA, CCDA, and CCNP. He currently manages a group of systems/network administrators for a privately owned retail company and performs networking/systems consulting on a part-time basis.
http://www.cisco.com/en/US/products/ps6128/products_tech_note09186a0080846d7a.shtml
AD/LDAP Configuration Example
This illustrates a sample configuration using LDAP to communicate with the backend Active Directory:
- Create a Domain Admin user within Active Directory Users and Computers. Place this user into the Users folder.
- Within Active Directory Users and Computers, select Find from the Actions menu. Make sure that your results show the Group Membership column for the created user. Your search results should show the user and the associated Group Membership within Active Directory. This is the information you will need to transfer into the Clean Access Manager.

- From the Clean Access Manager web console, go to the User Management > Auth Servers > New Server form.
- Choose LDAP as the Server Type.
- For the Search(Admin) Full DN and Search Base Context fields, input the results from the Find within Active Directory Users and Computers.

- These fields are all that is necessary to properly set up this auth server within the CAM:
- ServerURL: ldap://192.168.137.10:389 – This is the domain controller IP address and LDAP listening port.
- Search(Admin) Full DN: CN=sheldon muir, CN=Users, DC=domainname, DC=com
- Search Base Context: DC=domainname, DC=com
- Default Role: Select the default role a user will be put into once authenticated.
- Description: Used just for reference.
- Provider Name: This is the name of the LDAP server used for User Page setup on the CAM.
- Search Password: sheldon muir’s domain password
- Search Filter: SAMAccountName=$user$
- Click Add Server. At this point, your Auth Test should work.
- In order to test authentication:
- From User Management > Auth Servers > Auth Test tab, select the provider against which you want to test credentials in the Provider list. If the provider does not appear, make sure it is correctly configured in the List of Servers tab.
- Enter the username and password for the user and if needed a VLAN ID value.
- Click Authenticate. The test results appear at the bottom of the window.

Authentication Successful:
For any provider type, Result: Authentication successful and Role of the user are displayed when the auth test succeeds.
For LDAP/RADIUS servers, when authentication is successful and mapping rules are configured, the attributes/values specified in the mapping rule are also displayed if the auth server (LDAP/RADIUS) returns those values. For example:
Result: Authentication successful Role: <role name> Attributes for Mapping: <Attribute Name>=<Attribute value>
Authentication Failed:
When authentication fails, a message displays along with the Authentication failed result as shown.
| Message | Description |
| --- | --- |
| Invalid User Credential | Correct user name, incorrect password |
| Unable to find the full DN for user <User Name> | Correct password, incorrect user name (LDAP provider) |
| Client Receive Exception: Packet Receive Failed (Receive timed out) | Correct password, incorrect user name (RADIUS provider) |
| Invalid Admin(Search) Credential | Correct user name, correct password, incorrect value configured in the Search(Admin) Full DN field of the Auth provider (e.g. incorrect CN configured for LDAP Server) |
| Naming Error (x.x.x.x: x) | Correct user name, correct password, incorrect value configured in the Server URL field of the Auth provider (e.g. incorrect port or URL configured for LDAP) |
search uid
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/412/cas/s_adsso.html#wp1155714
Step 9
Search Filter—The attribute to be authenticated. The search attribute to be matched with any user in the base of the LDAP tree. For example:
- CN=$user$, or
- uid=$user$, or
- sAMAccountName=$user$
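How the Search Filter templates in step 9 turn into the filter actually sent to the domain controller, as an added example (not from the Cisco document): the $user$ placeholder is replaced by the login name, and the name must be escaped per RFC 4515 so that characters such as * ( ) and \ stay literal instead of changing the filter's meaning. The three templates are the ones listed above; the function names are assumed, and whether the CAM escapes this way is not stated on the page.

```python
# RFC 4515 escaping for a value placed inside an LDAP search filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    """Escape the characters that would otherwise alter the filter's structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def expand_search_filter(template, username, placeholder="$user$"):
    """Substitute the login name into a template such as sAMAccountName=$user$ (assumed behaviour)."""
    if placeholder not in template:
        raise ValueError(f"template {template!r} has no {placeholder} placeholder")
    expanded = template.replace(placeholder, escape_filter_value(username))
    # A bare "attr=value" is wrapped in parentheses, as an LDAP filter requires.
    return expanded if expanded.startswith("(") else f"({expanded})"

# The three templates listed in step 9.
TEMPLATES = ("CN=$user$", "uid=$user$", "sAMAccountName=$user$")

def filters_for(username):
    """Expanded filter per template, e.g. to compare with what an LDAP trace shows being sent."""
    return {t: expand_search_filter(t, username) for t in TEMPLATES}
```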
port spanning
The SPAN feature configuration commands are similar on the Catalyst 2950 and Catalyst 3550. However, the Catalyst 2950 cannot monitor the VLANs. You can configure SPAN as in this example:
C2950#configure terminal
C2950(config)#
C2950(config)#monitor session 1 source interface fastethernet 0/2
!— This configures interface Fast Ethernet 0/2 as source port.
C2950(config)#monitor session 1 destination interface fastethernet 0/3
!— This configures interface Fast Ethernet 0/3 as destination port.
C2950(config)#
The above is all it takes, directly from Cisco help.
Cheers,
Rajesh