Controller Redundancy

For my first technical deep dive let’s get into controller redundancy. During this post I will define the different types of redundancy in the Aruba system.  Please no controller vs controller-less rants!

Let’s begin by defining redundancy. According to Wikipedia, redundancy is the duplication of critical components or functions of a system with the intention of increasing the reliability of the system. Unfortunately redundancy is left out of a lot of wireless network designs due to cost. In today’s mobility-first environments redundancy needs to be implemented properly to ensure the reliability of a mission-critical WLAN.

In Aruba world we have four levels of controller redundancy:

1) Fully redundant – includes both master and local redundancy
2) Redundancy aggregation – local redundancy
3) Hot Standby – local access points fail over to the Master
4) No Redundancy – self-explanatory (far too common)

Master Redundancy:

The first controller redundancy model we will look at is Master redundancy.  The master controller is the control plane of the centralized WLAN.  The master controller is responsible for handling the global configuration of the WLAN system, location tracking, IDS event correlation and alerting.  The first question we should ask ourselves is what happens if the master controller is unavailable?  If the master becomes unavailable all master functions are lost (configuration, location tracking, and IDS) but the WLAN itself will continue to function.  New and existing clients will still be able to access the WLAN while the master controller is down.

To provide redundancy for the master controller we set up a master/standby relationship between two controllers. The Standby Master is a hot standby controller: it does not terminate AP sessions while it is the backup unit. Updates on the state of the network are sent from the active Master to the Backup, and the two controllers sync their databases (WMS and local user) at a configured interval (typically 30 minutes).

VRRP (Virtual Router Redundancy Protocol) is used as the redundancy mechanism between the two controllers. VRRP requires Layer 2 adjacency. The two master controllers share a VRRP interface address. The VRRP address is used by local controllers, access points, and mobility access switches to discover the master controller on the network. The VRRP address can also be used by network administrators to reach the management interface of whichever controller is currently master.

Local Redundancy:

Next we will look at Local Controller Redundancy.  The Local Controllers in an Aruba WLAN are responsible for AP termination, user authentication, and policy enforcement.  If a local controller fails and there is no backup the WLAN will become unavailable.

Local controllers have three methods for redundancy:

Active-Active

  • two locals share a set of APs, divide the load, and act as backups for each other
  • if the two controllers are L2 adjacent, run two instances of VRRP with each controller acting as primary for one instance and backup for the other
  • if the two controllers are not L2 adjacent, you will need to set up an LMS/Backup LMS IP address in the AP System Profile
  • you can also combine VRRP and LMS/Backup LMS for a more robust design: the VRRP addresses can be used as the LMS/Backup LMS IP addresses

Active-Standby

  • similar to Active-Active except one controller sits idle while the primary controller supports the full load of APs and users
  • this model has a larger failure domain (it increases latency because the full load must fail over to the backup)
  • typically this model utilizes the LMS/Backup LMS configuration
  • you could also use a single VRRP instance if the controllers are L2 adjacent

Many to One

  • typically used in remote networks where branch offices have local mobility controllers but redundancy onsite is not feasible
  • a large controller is deployed as the +1 controller at the data center
  • failover typically occurs across a WAN link
  • preemption should be enabled in this scenario due to the possible delay introduced by failing over to a remote site

No Redundancy

  • if the local goes down, no users can connect
  • Any AMs associated go down

Now that we know the different types of redundancy options we need to be aware of a few rules to ensure our network stays up according to plan.  There are four major rules in dealing with controller redundancy:

  1. Make sure the redundant controller can support the additional AP load during a failover event
  2. Make sure the same VLANs exist on both controllers and that named VLANs are mapped on the redundant controller
  3. Make sure the controllers are running the same OS version
  4. Make sure the redundant controller has the same license features enabled and that you have enough license capacity to support the additional AP load during a failover event (AOS 6.3 will address this limitation)

In my next post I will begin configuring each of the different redundancy methods.

SSL VPN configuration on SRX running 15.1X49-D80.4 or higher

Starting with version 15.1X49-D80.4 the Juniper SRX supports dialup VPN over a connection to port 443 with the NCP client. It needs some specific configuration to get that working and we found out the hard way, so we have decided to share it here. Thank you Valentijn and Jasper for helping me.

The situation we want to achieve is this one:

To prepare for configuring a demo setup you need two things: a gateway running a Junos version that supports this feature and an NCP client. You should know how to get and install the SRX software; you can get the client here: https://www.ncp-e.com/en/resources/download-vpn-client/

The configuration we’re about to make gives us a dialup VPN where the client first tries to connect with standard IPsec. If that fails it will try to move the connection to SSL on port 443, which in many networks is allowed to travel freely…

Two profiles are configured to authenticate the user:

1) ldap-users: to authenticate against the AD domain controller on 172.27.72.10, domain wsa.local

2) local-users: in which two local users are defined.

Both profiles hand out IP addresses and DNS servers from the address assignment pool dyn-vpn-address-pool.
Please note that we use rather weak proposals, just for testing purposes; in real life adjust them to your company's policy!

Phase 1 config:

set security ike proposal my_ncp_proposals authentication-method pre-shared-keys
set security ike proposal my_ncp_proposals dh-group group2
set security ike proposal my_ncp_proposals authentication-algorithm md5
set security ike proposal my_ncp_proposals encryption-algorithm aes-128-cbc
set security ike proposal ncp-client authentication-method pre-shared-keys
set security ike proposal ncp-client dh-group group2
set security ike proposal ncp-client authentication-algorithm md5
set security ike proposal ncp-client encryption-algorithm aes-128-cbc
set security ike policy ike_ncp_client mode aggressive
set security ike policy ike_ncp_client proposals my_ncp_proposals
set security ike policy ike_ncp_client pre-shared-key ascii-text <key>
set security ike gateway ncp_test ike-policy ike_ncp_client
set security ike gateway ncp_test dynamic user-at-hostname "[email protected]"
set security ike gateway ncp_test dynamic ike-user-type shared-ike-id
set security ike gateway ncp_test external-interface ge-0/0/0.0
set security ike gateway ncp_test aaa access-profile ldap-users   *
set security ike gateway ncp_test version v1-only
set security ike gateway ncp_test tcp-encap-profile ssl-vpn

* You can change this to profile local-users to authenticate the users locally instead of against LDAP.

The last line of configuration tells the device to accept TCP-encapsulated traffic according to the mentioned profile. Here is how to configure that profile:

set security tcp-encap profile ssl-vpn log

Since IKE and TCP-encapsulated traffic will both arrive at the external interface, both should be accepted as host-inbound traffic:

set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services tcp-encap

Because we want SSL VPN traffic on the interface, no other listener should be enabled on it: make sure the system service web-management https is not enabled on the external interface. Enabling it on that interface would be a bad idea anyway.

Let’s take a look at the authentication profiles, starting with the LDAP profile:

set access profile ldap-users authentication-order ldap
set access profile ldap-users authentication-order password
set access profile ldap-users domain-name-server 172.27.72.16
set access profile ldap-users domain-name-server 172.27.72.17
set access profile ldap-users client mtepper firewall-user password "$9$.PQ30ORSyK36pB1hKv4aJ"
set access profile ldap-users address-assignment pool dyn-vpn-address-pool
set access profile ldap-users ldap-options base-distinguished-name DC=wsa,DC=local
set access profile ldap-users ldap-options search search-filter sAMAccountName=
set access profile ldap-users ldap-options search admin-search distinguished-name CN=administrator,CN=Users,DC=wsa,DC=local
set access profile ldap-users ldap-options search admin-search password "$9$Cze7uIheK87NbM8ZUDjq.uOB1SreKM"
set access profile ldap-users ldap-server 172.27.72.10 port 389
set access profile ldap-users ldap-server 172.27.72.11 port 389

As you can see the administrator account is used here for the lookup. In real life you might want to create an account with just the necessary rights in the Active Directory domain. Also note that you need to adjust the base-distinguished-name to your own domain.

For a simple test you could use a profile with local users like this:

set access profile local-users client jverdonk firewall-user password "$9$m5nCOBESlMz3EyeW-dZUjkmTQFn/Ap"
set access profile local-users client mtepper firewall-user password "$9$xXNNbYDjqf5FYgGiHmF3cyr"
set access profile local-users address-assignment pool dyn-vpn-address-pool

Both profiles use the same address pool for address assignment. Configuring this pool isn’t a hard task either:

set access address-assignment pool dyn-vpn-address-pool family inet network 192.168.3.0/24
set access address-assignment pool dyn-vpn-address-pool family inet xauth-attributes primary-dns 172.26.72.16/32
set access address-assignment pool dyn-vpn-address-pool family inet xauth-attributes secondary-dns 172.27.72.17/32

This completes the configuration for phase 1 and phase 1½ (meaning XAuth, which asks for user authentication between phase 1 and phase 2). Time to look at the phase 2 config then. According to the documentation about SSL VPN we found, a route-based VPN with a tunnel interface in point-to-point mode is needed to get things working. So we configured this:

An interface in the security zone trust (best practice for production is creating a zone called VPN and using that, to make clear what is happening in your policies) and an intrazone security policy:

set interfaces st0 unit 0 family inet
set security zones security-zone trust interfaces st0.0
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit

Finally for the SRX we can configure phase 2 (as in phase 1, use stronger proposals in real use!):

set security ipsec proposal dialup-ncp protocol esp
set security ipsec proposal dialup-ncp authentication-algorithm hmac-md5-96
set security ipsec proposal dialup-ncp encryption-algorithm aes-128-cbc
set security ipsec proposal dialup-ncp lifetime-seconds 3600
set security ipsec policy ipsec_ncp perfect-forward-secrecy keys group2
set security ipsec policy ipsec_ncp proposals dialup-ncp
set security ipsec vpn Ipsec_ncp bind-interface st0.0
set security ipsec vpn Ipsec_ncp ike gateway ncp_test
set security ipsec vpn Ipsec_ncp ike ipsec-policy ipsec_ncp
set security ipsec vpn Ipsec_ncp traffic-selector test local-ip 0.0.0.0/0
set security ipsec vpn Ipsec_ncp traffic-selector test remote-ip 0.0.0.0/0

The gateway is ready now, time to move to the client.

After installing the software, start it and go into the configuration of a profile. Configure the profile as shown here (any tab not shown is left at its default).

The relevant part of the config of the SRX should look like this:

security {
    ike {
        proposal my_ncp_proposals {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm md5;
            encryption-algorithm aes-128-cbc;
        }
        proposal ncp-client {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm md5;
            encryption-algorithm aes-128-cbc;
        }
        policy ike_ncp_client {
            mode aggressive;
            proposals my_ncp_proposals;
            pre-shared-key ascii-text "$9$MB7WdbUDk5T3P5M8"; ## SECRET-DATA
        }
        gateway ncp_test {
            ike-policy ike_ncp_client;
            dynamic {
                user-at-hostname "[email protected]";
                ike-user-type shared-ike-id;
            }
            external-interface ge-0/0/0.0;
            aaa {
                access-profile ldap-users;
            }
            version v1-only;
            tcp-encap-profile ssl-vpn;
        }
    }
    ipsec {
        proposal dialup-ncp {
            protocol esp;
            authentication-algorithm hmac-md5-96;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 3600;
        }
        policy ipsec_ncp {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals dialup-ncp;
        }
        vpn Ipsec_ncp {
            bind-interface st0.0;
            ike {
                gateway ncp_test;
                ipsec-policy ipsec_ncp;
            }
            traffic-selector test {
                local-ip 0.0.0.0/0;
                remote-ip 0.0.0.0/0;
            }
        }
    }
    policies {
        from-zone trust to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    tcp-encap {
        profile ssl-vpn {
            log;
        }
    }
    zones {
        security-zone untrust {
            host-inbound-traffic {
                system-services {
                    ike;
                    tcp-encap;
                }
            }
        }
        security-zone trust {
            interfaces {
                st0.0;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 1.2.3.4/24;
            }
        }
    }
    st0 {
        unit 0 {
            family inet;
        }
    }
}

access {
    profile ldap-users {
        authentication-order [ ldap password ];
        domain-name-server {
            172.27.72.16;
            172.27.72.17;
        }
        client mtepper {
            firewall-user {
                password "$9$.PQ30ORSyK36pB1hKv4aJ"; ## SECRET-DATA
            }
        }
        address-assignment {
            pool dyn-vpn-address-pool;
        }
        ldap-options {
            base-distinguished-name DC=wsa,DC=local;
            search {
                search-filter sAMAccountName=;
                admin-search {
                    distinguished-name CN=administrator,CN=Users,DC=wsa,DC=local;
                    password "$9$Cze7uIheK87NbM8ZUDjq.uOB1SreKM"; ## SECRET-DATA
                }
            }
        }
        ldap-server {
            172.27.72.10 port 389;
            172.27.72.11 port 389;
        }
    }
    profile local-users {
        client jverdonk {
            firewall-user {
                password "$9$m5nCOBESlMz3EyeW-dZUjkmTQFn/Ap"; ## SECRET-DATA
            }
        }
        client mtepper {
            firewall-user {
                password "$9$xXNNbYDjqf5FYgGiHmF3cyr"; ## SECRET-DATA
            }
        }
        address-assignment {
            pool dyn-vpn-address-pool;
        }
    }
    address-assignment {
        pool dyn-vpn-address-pool {
            family inet {
                network 192.168.3.0/24;
                xauth-attributes {
                    primary-dns 172.26.72.16/32;
                    secondary-dns 172.27.72.17/32;
                }
            }
        }
    }
}
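As an added check for the points this post raises (it is not the post's own code, nor Juniper's), the following Python lints a list of Junos `set` lines for the weak proposals, aggressive mode, the missing tcp-encap host-inbound service and a web-management https listener on the external interface. The algorithm lists are an assumed local policy; the two sample configs are constructed from the post's lines.

```python
"""Lint Junos 'set' lines for the SSL VPN pitfalls described in the post.

Added example, not code from the original post or from Juniper. The WEAK_*
sets are an assumed policy, not a Juniper recommendation.
"""

WEAK_AUTH = {"md5", "sha1", "hmac-md5-96", "hmac-sha1-96"}
WEAK_DH = {"group1", "group2", "group5"}
WEAK_ENC = {"des-cbc", "3des-cbc"}


def lint_srx(set_lines):
    """Return a sorted list of (severity, message) findings for 'set ...' lines."""
    findings = []
    external_ifaces = set()     # interfaces named by 'external-interface'
    tcp_encap_gateways = set()  # IKE gateways that reference a tcp-encap-profile
    inbound = {}                # zone -> host-inbound system-services
    https_ifaces = set()        # interfaces web-management https listens on
    for raw in set_lines:
        tok = raw.strip().split()
        if len(tok) < 4 or tok[0] != "set":
            continue
        p = tok[1:]
        # set security {ike|ipsec} proposal <name> <knob> <value>
        if p[0] == "security" and p[1] in ("ike", "ipsec") and p[2] == "proposal" and len(p) >= 6:
            where, knob, value = f"{p[1]} proposal {p[3]}", p[4], p[5]
            if knob == "authentication-algorithm" and value in WEAK_AUTH:
                findings.append(("high", f"{where}: weak integrity algorithm {value}"))
            elif knob == "dh-group" and value in WEAK_DH:
                findings.append(("high", f"{where}: weak DH group {value}"))
            elif knob == "encryption-algorithm" and value in WEAK_ENC:
                findings.append(("high", f"{where}: weak cipher {value}"))
        # set security ike policy <name> mode aggressive
        elif p[:3] == ["security", "ike", "policy"] and p[4:6] == ["mode", "aggressive"]:
            findings.append(("info", f"ike policy {p[3]}: aggressive mode (needed for dynamic "
                                     "peer IDs, but weaker than main mode with a PSK)"))
        # set security ipsec policy <name> perfect-forward-secrecy keys <group>
        elif (p[:3] == ["security", "ipsec", "policy"] and len(p) >= 7
              and p[4:6] == ["perfect-forward-secrecy", "keys"] and p[6] in WEAK_DH):
            findings.append(("high", f"ipsec policy {p[3]}: weak PFS group {p[6]}"))
        # set security ike gateway <name> external-interface <ifc> | tcp-encap-profile <prof>
        elif p[:3] == ["security", "ike", "gateway"] and len(p) >= 5:
            if p[4] == "external-interface" and len(p) >= 6:
                external_ifaces.add(p[5])
            elif p[4] == "tcp-encap-profile":
                tcp_encap_gateways.add(p[3])
        # set security zones security-zone <zone> host-inbound-traffic system-services <svc>
        elif p[:3] == ["security", "zones", "security-zone"] and "system-services" in p:
            i = p.index("system-services")
            if i + 1 < len(p):
                inbound.setdefault(p[3], set()).add(p[i + 1])
        # set system services web-management https interface <ifc> [...]
        elif p[:4] == ["system", "services", "web-management", "https"] and "interface" in p:
            https_ifaces.update(t for t in p[p.index("interface") + 1:] if t not in ("[", "]"))
    if tcp_encap_gateways and not any({"ike", "tcp-encap"} <= s for s in inbound.values()):
        findings.append(("high", "tcp-encap-profile is used but no zone allows both ike and "
                                 "tcp-encap as host-inbound system-services"))
    for ifc in sorted(external_ifaces & https_ifaces):
        findings.append(("high", f"web-management https listens on external interface {ifc}; "
                                 "it competes with the tcp-encap listener on 443"))
    return sorted(findings)


def lint_text(text):
    return lint_srx(text.splitlines())


# Constructed sample: the post's test proposals, the tcp-encap inbound service left
# out, and a web-management https line added to show the listener collision.
SAMPLE_CONFIG = """\
set security ike proposal my_ncp_proposals authentication-method pre-shared-keys
set security ike proposal my_ncp_proposals dh-group group2
set security ike proposal my_ncp_proposals authentication-algorithm md5
set security ike proposal my_ncp_proposals encryption-algorithm aes-128-cbc
set security ike policy ike_ncp_client mode aggressive
set security ike gateway ncp_test external-interface ge-0/0/0.0
set security ike gateway ncp_test tcp-encap-profile ssl-vpn
set security zones security-zone untrust host-inbound-traffic system-services ike
set security ipsec proposal dialup-ncp authentication-algorithm hmac-md5-96
set security ipsec proposal dialup-ncp encryption-algorithm aes-128-cbc
set security ipsec policy ipsec_ncp perfect-forward-secrecy keys group2
set system services web-management https interface ge-0/0/0.0
"""

# Constructed hardened variant: stronger algorithms, main mode, both inbound services.
HARDENED_CONFIG = """\
set security ike proposal ncp_strong dh-group group14
set security ike proposal ncp_strong authentication-algorithm sha-256
set security ike proposal ncp_strong encryption-algorithm aes-256-cbc
set security ike gateway ncp_test external-interface ge-0/0/0.0
set security ike gateway ncp_test tcp-encap-profile ssl-vpn
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services tcp-encap
set security ipsec proposal ncp_strong authentication-algorithm hmac-sha-256-128
set security ipsec policy ipsec_ncp perfect-forward-secrecy keys group14
"""
```

Feed it the output of `show configuration | display set` to lint a live box; the hardened sample yields no findings, the post-style sample yields six high and one info.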

Documenting a Network with CDP

In this post I will use the information available from CDP to help me create a logical network diagram.

CDP is the Cisco Discovery Protocol and is enabled on all router and switch interfaces by default. The switch or router sends a CDP packet out of each interface every 60 seconds, and any connected device records the arrival of these packets in a CDP table for a holdtime period of 180 seconds. If after 180 seconds the device has not received any more CDP packets on that interface it removes the entry from the table. CDP can be disabled entirely or on any individual interface.

I begin by connecting to my switch and I check the CDP settings.

switch1#sh cdp
Global CDP information:
Sending CDP packets every 60 seconds
Sending a holdtime value of 180 seconds
Sending CDPv2 advertisements is enabled

From the output I can see the CDP time settings and the version. Next I look at the connected devices.

switch1#sh cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater

Device ID          Local Intrfce   Holdtme  Capability  Platform    Port ID
switch2.lab.local  Fas 0/1         160      S I         WS-C2950-2  Fas 0/1
switch2.lab.local  Fas 0/24        160      S I         WS-C2950-2  Fas 0/24

Here I can see that I have 2 ports (1 & 24) connected to switch2 (also using ports 1 & 24). I can also see that switch2 is a Catalyst 2950.

This is a great summary but for my diagram I could do with knowing the IP address of switch2.

switch1#sh cdp entry *
-------------------------
Device ID: switch2.lab.local
Entry address(es):
IP address: 10.0.1.211
Platform: cisco WS-C2950-24, Capabilities: Switch IGMP
Interface: FastEthernet0/1, Port ID (outgoing port): FastEthernet0/1
Holdtime : 142 sec

Version :
Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(13)EA1, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Tue 04-Mar-03 02:14 by yenanh

advertisement version: 2
Protocol Hello: OUI=0x00000C, Protocol ID=0x0112; payload len=27, value=00000000FFFFFFFF01022505000000000000000CCE3E3EC0FF0000
VTP Management Domain: 'lab.local'
Native VLAN: 1
Duplex: full

-------------------------
Device ID: switch2.lab.local
Entry address(es):
IP address: 10.0.1.211
Platform: cisco WS-C2950-24, Capabilities: Switch IGMP
Interface: FastEthernet0/24, Port ID (outgoing port): FastEthernet0/24
Holdtime : 142 sec

Version :
Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(13)EA1, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Tue 04-Mar-03 02:14 by yenanh

advertisement version: 2
Protocol Hello: OUI=0x00000C, Protocol ID=0x0112; payload len=27, value=00000000FFFFFFFF01022505000000000000000CCE3E3EC0FF0000
VTP Management Domain: 'lab.local'
Native VLAN: 1
Duplex: full

This detailed output gives me additional useful information such as the VLAN and the IOS version.

Next I head over to switch2 and look at its CDP information.

switch2#sh cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID          Local Intrfce   Holdtme  Capability  Platform    Port ID
switch1            Fas 0/24        168      S I         WS-C2950-2  Fas 0/24
switch1            Fas 0/1         168      S I         WS-C2950-2  Fas 0/1
router1.lab.local  Fas 0/2         175      R           Cisco C831  Eth 0
router1.lab.local  Fas 0/23        175      R           Cisco C831  Eth 1

Here I can see the connections to switch1 and additional connections to router1. Again I look at the detailed information to get the IP address of the router.

switch2#sh cdp entry *
-------------------------
Device ID: switch1
Entry address(es):
IP address: 10.0.1.210
Platform: cisco WS-C2950-24, Capabilities: Switch IGMP
Interface: FastEthernet0/24, Port ID (outgoing port): FastEthernet0/24
Holdtime : 152 sec

Version :
Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(12c)EA1, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Sun 24-Nov-02 23:31 by antonino

advertisement version: 2
Protocol Hello: OUI=0x00000C, Protocol ID=0x0112; payload len=27, value=00000000FFFFFFFF01022505000000000000000C8582C600FF0000
VTP Management Domain: 'lab.local'
Native VLAN: 1
Duplex: full

-------------------------
Device ID: switch1
Entry address(es):
IP address: 10.0.1.210
Platform: cisco WS-C2950-24, Capabilities: Switch IGMP
Interface: FastEthernet0/1, Port ID (outgoing port): FastEthernet0/1
Holdtime : 152 sec

Version :
Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(12c)EA1, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Sun 24-Nov-02 23:31 by antonino

advertisement version: 2
Protocol Hello: OUI=0x00000C, Protocol ID=0x0112; payload len=27, value=00000000FFFFFFFF01022505000000000000000C8582C600FF0000
VTP Management Domain: 'lab.local'
Native VLAN: 1
Duplex: full

-------------------------
Device ID: router1.lab.local
Entry address(es):
IP address: 10.0.2.254
Platform: Cisco C831, Capabilities: Router
Interface: FastEthernet0/23, Port ID (outgoing port): Ethernet1
Holdtime : 176 sec

Version :
Cisco IOS Software, C831 Software (C831-K9O3Y6-M), Version 12.4(4)T1, RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Thu 22-Dec-05 01:39 by ccai

advertisement version: 2
Duplex: half

-------------------------
Device ID: router1.lab.local
Entry address(es):
IP address: 10.0.1.254
Platform: Cisco C831, Capabilities: Router
Interface: FastEthernet0/2, Port ID (outgoing port): Ethernet0
Holdtime : 176 sec

Version :
Cisco IOS Software, C831 Software (C831-K9O3Y6-M), Version 12.4(4)T1, RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Thu 22-Dec-05 01:39 by ccai

advertisement version: 2
Duplex: full

From the output I am able to determine the IP addresses of the connected router interfaces and I can also see that one interface is configured to half duplex. Now I have some good information to begin populating my diagram with.
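As an added example (not the post's own tooling), the following Python parses the `show cdp entry *` blocks above into link records, flags neighbour ports that advertise half duplex, and emits a Graphviz graph to seed the diagram. SAMPLE_OUTPUT is the switch2 output from the post, re-typed as constructed sample text with plain dashed separators and the unused lines trimmed.

```python
"""Turn 'show cdp entry *' output into link records and a Graphviz graph.

Added example for the post above, not the author's code. SAMPLE_OUTPUT is a
constructed re-typing of the switch2 output shown in the post.
"""
import re

SAMPLE_OUTPUT = """\
-------------------------
Device ID: switch1
  IP address: 10.0.1.210
Platform: cisco WS-C2950-24,  Capabilities: Switch IGMP
Interface: FastEthernet0/24,  Port ID (outgoing port): FastEthernet0/24
Holdtime : 152 sec
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(12c)EA1, RELEASE SOFTWARE (fc1)
Native VLAN: 1
Duplex: full
-------------------------
Device ID: switch1
  IP address: 10.0.1.210
Platform: cisco WS-C2950-24,  Capabilities: Switch IGMP
Interface: FastEthernet0/1,  Port ID (outgoing port): FastEthernet0/1
Holdtime : 152 sec
Native VLAN: 1
Duplex: full
-------------------------
Device ID: router1.lab.local
  IP address: 10.0.2.254
Platform: Cisco C831,  Capabilities: Router
Interface: FastEthernet0/23,  Port ID (outgoing port): Ethernet1
Holdtime : 176 sec
Cisco IOS Software, C831 Software (C831-K9O3Y6-M), Version 12.4(4)T1, RELEASE SOFTWARE (fc4)
Duplex: half
-------------------------
Device ID: router1.lab.local
  IP address: 10.0.1.254
Platform: Cisco C831,  Capabilities: Router
Interface: FastEthernet0/2,  Port ID (outgoing port): Ethernet0
Holdtime : 176 sec
Duplex: full
"""

# One regex per field; group 1 (and 2 where present) carry the values.
FIELDS = {
    "device": re.compile(r"^Device ID:\s*(\S+)"),
    "ip": re.compile(r"^\s*IP address:\s*(\S+)"),
    "platform": re.compile(r"^Platform:\s*(.+?),\s*Capabilities:\s*(.+?)\s*$"),
    "interface": re.compile(r"^Interface:\s*(\S+),\s*Port ID \(outgoing port\):\s*(\S+)"),
    "holdtime": re.compile(r"^Holdtime\s*:\s*(\d+)"),
    "version": re.compile(r", Version ([^,]+),"),
    "native_vlan": re.compile(r"^Native VLAN:\s*(\d+)"),
    "duplex": re.compile(r"^Duplex:\s*(\w+)"),
}


def parse_cdp_entries(text):
    """Return one dict per neighbour block (blocks are separated by dashed lines)."""
    entries = []
    for block in re.split(r"^-{3,}\s*$", text, flags=re.M):
        if "Device ID:" not in block:
            continue
        e = dict.fromkeys(("device", "ip", "platform", "capabilities", "local_if",
                           "remote_if", "holdtime", "version", "native_vlan", "duplex"))
        for line in block.splitlines():
            for name, rx in FIELDS.items():
                m = rx.search(line)
                if not m:
                    continue
                if name == "platform":
                    e["platform"], e["capabilities"] = m.group(1), m.group(2)
                elif name == "interface":
                    e["local_if"], e["remote_if"] = m.group(1), m.group(2)
                elif name == "holdtime":
                    e["holdtime"] = int(m.group(1))
                else:
                    e[name] = m.group(1)
        entries.append(e)
    return entries


def duplex_mismatches(entries):
    """Neighbour ports advertising half duplex, as the post spots on router1 Ethernet1."""
    return [(e["device"], e["remote_if"]) for e in entries if e["duplex"] == "half"]


def to_dot(local_name, entries):
    """Undirected Graphviz graph: one edge per CDP entry, half-duplex links in red."""
    lines = ["graph cdp {"]
    for e in entries:
        colour = ' color="red"' if e["duplex"] == "half" else ""
        lines.append(f'  "{local_name}" -- "{e["device"]}" '
                     f'[label="{e["local_if"]} <-> {e["remote_if"]}"{colour}];')
    lines.append("}")
    return "\n".join(lines)
```

Run `to_dot("switch2", parse_cdp_entries(SAMPLE_OUTPUT))` on each device's output and merge the graphs to get the logical diagram the post builds by hand.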

From here I would probably move to the router and look at the CDP table. But supposing I want to prevent CDP packets from leaving an interface? After all, quite detailed information is included in CDP that you might not want everyone to view.

I connect to the device that I want to stop sending CDP packets and turn CDP off on that particular interface. In my case I would like to stop router1 from sending CDP packets on interface ethernet 1.

router1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
router1(config)#int ethernet 1
router1(config-if)#no cdp enable
router1(config-if)#end

Now when I check the switch that router1 is connected to, I see that the holdtime decreases as the switch receives no more CDP packets on that interface, until after 180 seconds it reaches 0 and the entry is removed from the table.

switch2#sh cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID          Local Intrfce   Holdtme  Capability  Platform    Port ID
switch1            Fas 0/24        159      S I         WS-C2950-2  Fas 0/24
switch1            Fas 0/1         159      S I         WS-C2950-2  Fas 0/1
router1.lab.local  Fas 0/23        6        R           Cisco C831  Eth 1
router1.lab.local  Fas 0/2         126      R           Cisco C831  Eth 0

switch2#sh cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID          Local Intrfce   Holdtme  Capability  Platform    Port ID
switch1            Fas 0/24        153      S I         WS-C2950-2  Fas 0/24
switch1            Fas 0/1         152      S I         WS-C2950-2  Fas 0/1
router1.lab.local  Fas 0/23        0        R           Cisco C831  Eth 1
router1.lab.local  Fas 0/2         179      R           Cisco C831  Eth 0

switch2#sh cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID          Local Intrfce   Holdtme  Capability  Platform    Port ID
switch1            Fas 0/24        147      S I         WS-C2950-2  Fas 0/24
switch1            Fas 0/1         147      S I         WS-C2950-2  Fas 0/1
router1.lab.local  Fas 0/2         174      R           Cisco C831  Eth 0

Reset or recover a lost or forgotten password on an Alcatel OS6850 switch

Connect to the switch with putty.exe and make sure you are connected (press the Enter key a couple of times).

Then reboot and press the Enter key almost immediately to stop autoboot.

Wait for the message "Hit any key to stop autoboot: 0" and hit any key.

Then type the following commands:

=> fatls ide :1,0

=> fatls ide :1,0 /network

=> fatdelete ide :1,0 /network/usertable5 OR usertable4

Now power-cycle the switch or type "run miniboot" at the U-Boot prompt (=> reboot or => boot). When the switch is back it will be at factory default, with the login "admin/switch".

Alcatel omniswitch commands

These commands are for AOS R6 and R7 (where the syntax differs, both variants are listed).

--- general ---
ip interface vlan223 address 172.22.23.2 mask 255.255.255.0 admin-state enable vlan 223
ip interface vlan333 address 172.23.33.3 mask 255.255.255.0 admin enable vlan 333
vlan 13 members port 1/3 untagged
vlan 2 members port 1/4 tagged
vlan 13 port default 1/3
vlan 2 802.1q 1/4
modify running-directory working
ip route-map local-to-rip sequence-number 10 action permit
ip route-map local-to-rip sequence-number 10 match ip-address 0.0.0.0/0 redist-control all-subnets
ip redist local into rip route-map local-to-rip


--- 802.1x ---
vlan port mobile 1/1
vlan port 1/1 802.1x enable
aaa radius-server rad1 host 192.168.100.102 timeout 25 key alcatel-lucent
aaa authentication 802.1x rad1

ip helper … (no need to specify vlan ID)

--- UNP ---

no aaa user-network-profile name Berlin
no policy list policy-berlin
no policy rule policy-berlin
no policy action policy-berlin
no policy condition policy-berlin
policy condition policy-berlin source ip 192.168.4.0 mask 255.255.255.0 destination ip 192.168.2.0 mask 255.255.255.0
policy action policy-berlin disposition deny
policy rule policy-berlin condition policy-berlin action policy-berlin
policy list policy-berlin type unp enable rules policy-berlin

qos apply
aaa user-network-profile name Berlin vlan 4 policy-list-name policy-berlin
--- traffic ACL ---
! it's automatically applied to all ports !!
policy condition v10 source ip 10.0.10.0 mask 255.255.255.0 destination ip 10.0.30.0 mask 255.255.255.0
policy action v10 disposition drop
policy rule v10 condition v10 action v10

--- MSTP ---
spantree mode flat
spantree cist protocol mstp
spantree mst region name France
spantree msti 1
spantree msti 1 vlan 31
spantree msti 2
spantree msti 2 vlan 32
bridge mode flat
bridge cist protocol mstp
bridge mst region name France
bridge msti 1
bridge msti 1 vlan 31
bridge msti 2
bridge msti 2 vlan 32

--- disable stp for a vlan ---
spantree vlan 12 admin-state disable

vlan 12 stp disable

--- LACP ---
interfaces 1/3 admin-state enable
linkagg lacp port 1/3 actor admin-key 3
linkagg lacp agg 3 size 2 actor admin-key 3
vlan 31-32 members linkagg 3 tagged
interfaces 1/4 admin up
lacp linkagg 2 size 8 actor admin key 2
lacp agg 1/4 actor admin key 2
vlan 32 802.1q 2
--- OSPF ---
ip load ospf
ip ospf area 0.0.0.13
ip router router-id 1.1.1.1
ip ospf admin-state enable
ip ospf interface vlan13
ip ospf interface vlan13 area 0.0.0.13
ip ospf interface vlan13 admin-state enable
ip ospf interface vlan13 auth-type md5
ip ospf interface vlan13 md5 1
ip ospf interface vlan13 md5 1 key 123456
ip ospf interface vlan13 admin-state enable
ip load ospf
ip ospf area 0.0.0.13
ip router router-id 3.3.3.3
ip ospf status enable
ip ospf interface vlan13
ip ospf interface vlan13 area 0.0.0.13
ip ospf interface vlan13 status enable
ip ospf interface vlan13 auth-type md5
ip ospf interface vlan13 md5 1
ip ospf interface vlan13 md5 1 key 123456
ip ospf interface vlan13 status enable
--- ospf virtual link ---
ip ospf virtual-link 0.0.0.13 1.1.1.1
ip ospf virtual-link 0.0.0.13 1.1.1.1 auth-type simple
ip ospf virtual-link 0.0.0.13 1.1.1.1 auth-key 123456
--- ospf summary ---
ip ospf area 0.0.0.10 range summary 172.21.0.0 255.255.0.0

--- ospf aggregate ---
ip access-list local_agg
ip access-list local_agg address 172.31.0.0/16
ip access-list local_agg address 172.31.0.0/16 redist-control aggregate
ip route-map local-to-ospf-agg sequence-number 10 action permit
ip route-map local-to-ospf-agg sequence-number 10 match ip-address local_agg
ip redist local into ospf route-map local-to-ospf-agg admin-state enable

--- IGMP ---
ip multicast admin-state enable

ip multicast status enable
for PIM devices:
ip multicast querying enable

for L2 devices:
ip multicast querier-forwarding enable

--- PIM ---
ip load pim
ip pim sparse admin-state enable

ip pim sparse status enable
ip pim interface Loopback0
ip pim candidate-rp 1.1.1.1 225.2.2.0/24
ip pim cbsr 1.1.1.1 (this is required to advertise the RP address to all other routers)

--- VRRP ---
vrrp 10 10
vrrp 10 10 priority 150 preempt interval 1
vrrp 10 10 address 172.25.10.254

--- SLB ---
ip slb admin enable
ip slb cluster “vip1” vip 172.25.30.100
ip slb server ip 172.25.30.10 cluster “vip1”
ip slb server ip 172.25.30.20 cluster “vip1”

--- snmp ---
user public password alcatel-lucent read-write all
aaa authentication snmp “local”
snmp security no-security
snmp community-map mode enable
snmp community-map "public" user "public" enable
snmp station 192.168.100.102 public v2 enable

Juniper EX switches configuration examples

General commands

show mac-address table

show ethernet-switching table brief

show directly connected switches

show lldp neighbors

config vlan

set vlans Floor_Users vlan-id 90
set vlans Floor_Users l3-interface vlan.90
set interfaces vlan unit 90 family inet address 10.10.10.254/24

assign vlan to port

set interfaces  unit 0 family ethernet-switching vlan members

upgrade (maybe needed: set system services ftp; when upgrading an 8200 you need to upgrade both Routing Engines)

request system software add ftp://a:[email protected]/jinstall-ex-3200-9.6R1.13-domestic-signed.tgz

enable SSH

set system services ssh

show ip addresses

show interfaces terse

show all ports info

show interfaces extensive

load factory-default

load factory-default

show rollback 10

file show /var/db/config/juniper.conf.10.gz

show int statistics at real time

run monitor interface ge-0/0/0

like tcpdump

run monitor traffic interface ge-0/0/0

to add config from notepad

load update terminal

static route

 set routing-options static route 192.168.16/24 next-hop 1.1.1.1

start terminal monitor

monitor start /var/log/messages

stop terminal monitor

monitor stop

check what is going to be committed

show | compare

time

show system uptime

show modules / hardware

show chassis hardware

Show ospf interfaces

show ospf interface

ospf – redistribute static

set protocols ospf export redistribute-into-OSPF
set policy-options policy-statement redistribute-into-OSPF term static from protocol static
set policy-options policy-statement redistribute-into-OSPF term static then accept?

LACP -switches

set chassis aggregated-devices ethernet device-count 5
set interfaces ae0 aggregated-ether-options lacp active
set interfaces ge-0/0/0 ether-options 802.3ad ae0
set interfaces ge-0/0/1 ether-options 802.3ad ae0
set interfaces ae0 unit 0 family inet address 10.10.0.254/24

LACP – J routers

set chassis aggregated-devices ethernet device-count 5
set interfaces ae0 aggregated-ether-options lacp active
set interfaces ge-0/0/0 gigether-options 802.3ad ae0
set interfaces ge-0/0/1 gigether-options 802.3ad ae0
set interfaces ae0 unit 0 family inet address 10.10.0.254/24

password recovery

* reload the switch
* stop the boot by pressing the "space bar"
* choose 'recovery'
boot -s

NTP

set system ntp server 1.1.1.1
exit
set date ntp

create rescue config

request system configuration rescue save

set management ip on a stack

set interfaces vme unit 0 family inet address 10.10.10.235/24

connect to a specific switch from a stack

request session member

install image from USB

1. Put the new code(desired version of JUNOS) on a USB which is formatted under FAT32 and insert on the back of the switch where you can find the USB slot.
2. Reboot the device and when it says loading press spacebar to take us to loader prompt (loader>).
3. Type the following command to reinstall junos from this prompt
    loader>install --format file:///filename.tgz
    * where filename is like eg: jinstall-ex-9.2R1.5-domestic-signed.tgz

copy log files from specific unit

request session member 5
start shell user root
! -Password-
tar -zcvf varlog-mem5.tar.gz /var/log/
mv varlog-mem5.tar.gz /var/tmp/
exit
file copy fpc5:/var/tmp/varlog-mem5.tar.gz fpc0:/var/tmp 
! Then open with web - Maintain --> Files --> temp

show alarms

(used to check why the alarm LED is red)

show system alarms

vrrp

set interfaces vlan unit   family inet address x.x.x.x /24 vrrp-group  virtual-address x.x.x.x  priority < priority>

vrrp – backup master (Specify that the backup router can process packets with an IP destination address of the virtual address)

ip vrrp 22 accept-data

ECMP

(equal cost multi path)

set policy-options policy-statement load-balancing-policy then load-balance per-packet
set routing-options forwarding-table export load-balancing-policy

allow NSM to connect to the switch

set system services netconf ssh

dhcp snooping

set ethernet-switching-options secure-access-port vlan all examine-dhcp

bpdu guard

set protocols rstp bpdu-block-on-edge  
set protocols rstp interface all edge

port mirroring

set ethernet-switching analyzer analyzer1 input ingress interface ge-0/0/0
set ethernet-switching analyzer analyzer1 input egress interface ge-0/0/0
set ethernet-switching analyzer analyzer1  output interface ge-0/0/2

LLDP – MED

(the switch tells the ip phone what is the voice vlan)

set vlans  description voice-vlan
set vlans  interface ge-0/0/2.0
set interfaces  unit 0 family ethernet-switching vlan members 
set interfaces   unit 0 family ethernet-switching port-mode access
set ethernet-switching-options voip interface  .0 vlan 
set ethernet-switching-options voip interface  .0 forwarding-class assured-forwarding
set protocols lldp-med interface 

tacacs

(use “load merge terminal” to load this format of config)

system {
    time-zone Asia/Jerusalem;
    authentication-order tacplus;
    root-authentication{
        encrypted-password "$1$gzwtefgipDYmub7XcCTEU4/"; ## SECRET-DATA
    }
    tacplus-server {
          secret "$9$y45645XxjqfT9CRhSyMX-dsYgJ"; 
         secret "$9$vD4574745dV.5Fnu0ylKvxdsYoaZj"; 
    }

    accounting {
        events [ login change-log interactive-commands ];
        destination {
            tacplus;
        }
    }
}

Voip QOS marking

class-of-service{
	classifiers {
	    dscp juniper_dscp_classifier {
	        import default;
	        forwarding-class voice {
	            loss-priority low code-points 101110;
	        }
	    }
	    ieee-802.1 juniper_ieee_classifier {
	        import default;
	        forwarding-class voice {
	            loss-priority low code-points 011;
	        }
	    }
	}
	forwarding-classes {
	    class voice queue-num 7;
	    class expedited-forwarding queue-num 5;
	    class assured-forwarding queue-num 1;
	    class best-effort queue-num 0;
	}
	interfaces {
	    vlan {
	        unit 12 {
	            classifiers {
	                dscp juniper_dscp_classifier;
	            }
	        }
	    }
	}
}

access list of IP addresses allowed to access the switch (use "load merge terminal" to load this format of config)

interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input Telnet-access-filter;
                }
            }
        }
    }
}
firewall {
  family inet {
    filter Telnet-access-filter {
        term team_X {
            from {
                source-address {
                    x.x.x.x/32;
                    x.x.x.x/32;
                  }
                protocol tcp;
            }
            then accept;
        }
        term team_Y {
            from {
                source-address {
                    y.y.y.y/32;
                    y.y.y.y/32;
                }
                protocol tcp;
            }
            then accept;
        }
        term Access_from_forbidden_addresses {
            from {
                source-address {
                    127.0.0.0/8;
                }
                protocol tcp;
            }
            then discard;
        }
        term OSPF {
            from {
                protocol ospf;
            }
            then accept;
        }
        term icmp {
            from {
                protocol icmp;
            }
            then accept;
        }
        term accept_DHCP {
            from {
                protocol udp;
            }
            then accept;
        }
    }
  }
}

4200 EX Switches

configure a stack of 2 switches so that disconnecting the cascade cables does not leave one of the switches inactive

set virtual-chassis no-split-detection

show units at stack

show virtual-chassis                                   
0 (FPC 0)  Prsnt    BQ0209341890 ex4200-48p      128  Master*    1  vcp-0      
1 (FPC 1)  Prsnt    BN0209364440 ex4200-24p      128  Linecard   3  vcp-0      
2 (FPC 2)  Prsnt    BQ0209341900 ex4200-48p      128  Backup     0  vcp-0      
3 (FPC 3)  Prsnt    BQ0209341917 ex4200-48p      128  Linecard   2  vcp-0      

Member ID for next new member: 4 (FPC 4)

change units number

(the serial number is also printed on the back of the switch; no restart is needed, the new master takes over after a few minutes)

set virtual-chassis preprovisioned
set virtual-chassis member 0 serial-number BN0209364440 role routing-engine
set virtual-chassis member 1 serial-number BQ0209341917 role routing-engine
set virtual-chassis member 2 serial-number BQ0209341900
set virtual-chassis member 3 serial-number BQ0209341890

8200 EX Switches

set management ip when having 2 routing engines

delete int me0
edit groups 
set re0 system host-name Name1 
set re0 interfaces me0 unit 0 family inet address 10.10.10.12/24 
set re1 system host-name Name2
set re1 interfaces me0 unit 0 family inet address 10.10.10.22/24 
top 
set apply-groups [re0 re1]

turn off a module

(disable)

set chassis fpc  power off

enable graceful switchover (only about 10 packets are lost during the switchover)

set chassis redundancy graceful-switchover

connect to backup routing engine

request routing-engine login backup

show modules

show chassis hardware

change active CPU

request chassis routing-engine master switch

cancel switchover on failure/reload

deactivate chassis redundancy graceful-switchover

auto save config also to the backup Routing Engine

(“commit” saves only to the present Routing Engine)

commit synchronize

Run commands at a linecard

root@st-grande06-scb0:RE:0% lcdd 2 chassism
chassism#show mac ge-2/0/1 
chassism#show phy ge-2/0/1

Configuring Dynamic VLAN assignment on ProCurve switches

Introduction

The information contained in this post describes how to configure an HP ProCurve switch and Windows 2008 R2 NPS RADIUS server to authorise and assign users dynamically into specific VLANs.

The switch used is an HP ProCurve model 2610-48 running firmware version R.11.72

Configure VLANs

Create VLANs, define IP address and IP helper-address

vlan 30
   name "VLAN30"
   ip address 192.168.30.1 255.255.255.0
   ip helper-address 192.168.20.20
vlan 40
   name "VLAN40"
   ip address 192.168.40.1 255.255.255.0
   ip helper-address 192.168.20.20

Configure RADIUS/802.1x

Define RADIUS server IP address and shared secret

radius-server host 192.168.20.20 key secret12

Configure 802.1x authentication type

aaa authentication port-access eap-radius

Configure ethernet ports 1-2 as authenticator ports

aaa port-access authenticator 1-2

Activate 802.1x port-access authentication on the ports

aaa port-access authenticator active

Create Active Directory Groups

Authorisation into the individual VLANs will be by Active Directory group membership of the user or computer, therefore we need to create the appropriate groups for use later in the NPS RADIUS server policy.

Add a user to each of the groups


Windows 2008 R2 NPS (RADIUS) Configuration

Create an appropriately named NPS Policy to authorise users for each VLAN


Configure a “Condition” of Windows Group value of DOMAINNAME\GroupName


Configure the “Authentication Methods” as “Microsoft: Protected EAP (PEAP)”


Configure “RADIUS Attributes”

Tunnel-Medium-Type = 802

Tunnel-Pvt-Group-ID = VLAN Name or VLAN ID e.g “VLAN30” or “30”

Tunnel-Type = Virtual LANs (VLAN)


Configure Windows 7 computer to authenticate

Open Windows services and change the startup type of the service “Wired AutoConfig” to Automatic. Click Start service

Open “Network and Sharing Center”. Click “Change adapter settings”

Click “Local Area Connection” > “Properties” > “Authentication”

Ensure “Enable IEEE 802.1x authentication” is ticked

Ensure “Microsoft: Protected EAP (PEAP)” is selected from the dropdown box. Click Settings

If the client computers do not have a trusted root certificate un-check the tick box “Validate server certificate”. If you do have an internal CA and all client computers have the root CA in the computer certificate store leave checked.

If the client computer is not joined to the domain and you wish to prompt for authentication, select “Configure” and un-check “Automatic use my Windows logon….”

The steps above can also be configured via Group Policy

Testing

Connect a computer to a port configured for authentication

If using a non-domain joined computer and you have previously un-checked the tick box “Automatic use my Windows logon….” a balloon will appear “Additional information is needed to connect to this network”. Click the balloon and enter your domain credentials.


If you are on a domain joined computer, the authentication will be transparent to the user (you will not see the prompt for authentication as above).

From the switch, the command “Show port-access authenticator” will display useful troubleshooting information

When a user account is a member of “VLAN30” windows group, they will be authorised on the RADIUS server and the port will be dynamically assigned to VLAN 30.


If the user is successfully authenticated and is a member of “VLAN40” group the port would be dynamically assigned to VLAN 40.

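The three RADIUS attributes configured in the NPS policy above (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) are what the switch reads from the Access-Accept to pick the VLAN. The following Python, added here as an illustration and not taken from the post or from any vendor code, encodes them exactly as RFC 2868 puts them on the wire (attribute type codes 64, 65 and 81; value 13 for "Virtual LANs (VLAN)" and 6 for "802"), then parses them back the way a switch would, including the check that all three carry the same tag and describe an 802 VLAN. The Access-Accept payload it builds is constructed for the demonstration; no real RADIUS exchange takes place.

```python
"""Build and parse the RFC 2868 tunnel attributes that NPS returns in a RADIUS
Access-Accept so that an 802.1X switch port is placed in a VLAN."""

# RADIUS attribute type codes (RFC 2868)
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81

TUNNEL_TYPE_VLAN = 13        # "Virtual LANs (VLAN)" in the NPS dialog
TUNNEL_MEDIUM_IEEE_802 = 6   # "802" in the NPS dialog


def _tlv(attr_type, body):
    # RADIUS attribute = Type(1) Length(1, includes these two bytes) Value
    return bytes([attr_type, 2 + len(body)]) + body


def encode_tagged_int(attr_type, value, tag=1):
    """Tagged integer attribute: 1-byte tag followed by a 3-byte big-endian value."""
    return _tlv(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def encode_tagged_string(attr_type, text, tag=1):
    """Tagged string attribute: 1-byte tag (0x01-0x1F) followed by the string."""
    return _tlv(attr_type, bytes([tag]) + text.encode("ascii"))


def vlan_assignment_attrs(vlan, tag=1):
    """The three attributes the post configures in the NPS policy, as wire bytes."""
    return (encode_tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802, tag)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, str(vlan), tag))


def parse_tunnel_attrs(data):
    """Walk an attribute list; return {type: (tag, value)} for the tunnel attributes.
    Other attributes are skipped; a truncated attribute raises ValueError."""
    found = {}
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        body = data[i + 2:i + length]
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(body) != 4:
                raise ValueError("tagged integer must be 4 bytes")
            found[attr_type] = (body[0], int.from_bytes(body[1:], "big"))
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a first byte above 0x1F is not a tag but part of the string
            if body and body[0] <= 0x1F:
                found[attr_type] = (body[0], body[1:].decode("ascii"))
            else:
                found[attr_type] = (0, body.decode("ascii"))
        i += length
    return found


def vlan_from_attrs(found):
    """Return the VLAN name/id the switch should apply, or None when the trio is
    missing, inconsistent (mixed tags) or does not describe an 802 VLAN."""
    needed = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)
    if any(t not in found for t in needed):
        return None
    tags = {found[t][0] for t in needed} - {0}   # tag 0 means "untagged"
    if len(tags) > 1:
        return None
    if found[TUNNEL_TYPE][1] != TUNNEL_TYPE_VLAN:
        return None
    if found[TUNNEL_MEDIUM_TYPE][1] != TUNNEL_MEDIUM_IEEE_802:
        return None
    return found[TUNNEL_PRIVATE_GROUP_ID][1]


if __name__ == "__main__":
    wire = vlan_assignment_attrs(30)          # constructed Access-Accept payload
    print(wire.hex())
    print(vlan_from_attrs(parse_tunnel_attrs(wire)))
```

Tunnel-Private-Group-ID can carry either the VLAN ID ("30") or the VLAN name ("VLAN30"), which is why the post says either works; the switch matches it against its VLAN table. On the client side, the "Validate server certificate" box the post suggests unchecking is what ties the PEAP tunnel to your own RADIUS server; with it unchecked the supplicant will build the TLS tunnel to any server presenting any certificate, so it should be re-enabled as soon as a trusted CA is deployed to the clients.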

 

Junos Basics – Aggregated Ethernet Interfaces (LACP)

In my previous Junos Basics post I covered configuring an 802.1Q Trunk between a Juniper EX2200C and a Cisco 2960S. This post will expand upon the previous one by bundling two interfaces together on each switch to form an aggregated link for the trunk.

There are a few proprietary standards for aggregating ethernet links, but Juniper uses the IEEE 802.3ad standard and Cisco can also be configured to use this. The 802.3ad standard is known as Link Aggregation Control Protocol (LACP). LACP can be configured in either Active or Passive mode – in Active mode a switch will always try and form an LACP link with the other side, and in Passive mode a switch will form an LACP link if the other side is in Active mode.


On the Cisco side, the config steps are very simple:

  • specify the interfaces to be aggregated
  • set the protocol to LACP
  • create a Channel Group and specify the LACP mode
  • set the Port Channel interface as a trunk
  • specify which VLANs are allowed over the trunk

Cisco2960S(config)#int range gi1/0/47-48
Cisco2960S(config-if-range)#channel-protocol lacp
Cisco2960S(config-if-range)#channel-group 1 mode passive
Cisco2960S(config)#interface po1
Cisco2960S(config-if)#switchport mode trunk
Cisco2960S(config-if)#switchport trunk allowed vlan 100,200

Onto the Juniper side, the first step is to specify the number of aggregated links on the switch:

rich@EX2200C# set chassis aggregated-devices ethernet device-count 1

Next, we have to remove the logical unit configuration from the interfaces that are to be bundled, as logical units are not allowed on aggregated links:

delete interfaces ge-0/1/1 unit 0
delete interfaces ge-0/1/0 unit 0

Next, set the interfaces to use LACP (802.3ad) and to be members of a logical aggregated ethernet port (ports begin with ae):

set interfaces ge-0/1/0 ether-options 802.3ad ae0
set interfaces ge-0/1/1 ether-options 802.3ad ae0

Then we need to set the LACP mode for our new aggregated interface. We’ll make the Juniper side Active, so that it initiates the transmission of LACP packets:

set interfaces ae0 aggregated-ether-options lacp active

Finally, we need to set the aggregated link to be a trunk, and tell it which VLANs to trunk:

set interfaces ae0 unit 0 family ethernet-switching port-mode trunk
set interfaces ae0 unit 0 family ethernet-switching vlan members [SALES IT]

To verify our config, we’ll start on the Cisco side and check the Etherchannel summary:

Cisco2960S#show etherchannel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator

        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port


Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+------------------------
1      Po1(SU)         LACP      Gi1/0/47(P) Gi1/0/48(P)

Then we can confirm the trunk config:

Cisco2960S#show interfaces trunk

Port        Mode             Encapsulation  Status        Native vlan
Po1         on               802.1q         trunking      1

Port        Vlans allowed on trunk
Po1         100,200

Port        Vlans allowed and active in management domain
Po1         100,200

Port        Vlans in spanning tree forwarding state and not pruned
Po1         100,200

And on the Juniper side:

rich@EX2200C> show lacp interfaces
Aggregated interface: ae0
    LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
      ge-0/1/0       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
      ge-0/1/0     Partner    No    No   Yes  Yes  Yes   Yes     Slow   Passive
      ge-0/1/1       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
      ge-0/1/1     Partner    No    No   Yes  Yes  Yes   Yes     Slow   Passive
    LACP protocol:        Receive State  Transmit State          Mux State
      ge-0/1/0                  Current   Slow periodic Collecting distributing
      ge-0/1/1                  Current   Slow periodic Collecting distributing

From the above output we can see that our individual interfaces are both Active, with the partner end Passive. For a detailed explanation of the output see this article from Juniper, but suffice to say the Mux State of Collecting and Distributing means the LACP protocol is working correctly.
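The Exp/Def/Dist/Col/Syn/Aggr/Timeout/Activity columns in that output are the eight bits of the Actor/Partner state octet that every LACPDU carries (IEEE 802.3ad). The Python below is an added illustration, not code from the post or from Juniper: it decodes a state octet into the same vocabulary the Junos command prints, rebuilds the octet from those values, names the Mux state the bits imply, and applies the health check an operator makes by eye (both ends aggregatable, in sync, collecting and distributing, and neither end running on defaulted or expired partner information, which is what you see when LACPDUs stop arriving). The two sample octets are constructed to match the ge-0/1/0 Actor and Partner rows above.

```python
"""Decode and check the 8-bit Actor/Partner state field carried in every LACPDU
(IEEE 802.3ad). The Exp/Def/Dist/Col/Syn/Aggr/Timeout/Activity columns printed by
'show lacp interfaces' are exactly these eight bits."""

# Bit positions of the LACP state octet
LACP_ACTIVITY = 1 << 0         # 1 = Active, 0 = Passive
LACP_TIMEOUT = 1 << 1          # 1 = Fast (short timeout), 0 = Slow (long timeout)
LACP_AGGREGATION = 1 << 2      # 1 = link may be aggregated, 0 = individual link
LACP_SYNCHRONIZATION = 1 << 3  # 1 = link is in sync with its aggregator
LACP_COLLECTING = 1 << 4       # 1 = receiving frames on this link
LACP_DISTRIBUTING = 1 << 5     # 1 = transmitting frames on this link
LACP_DEFAULTED = 1 << 6        # 1 = partner info is defaulted (no LACPDUs heard)
LACP_EXPIRED = 1 << 7          # 1 = partner info has timed out

# Column name -> bit, in the order Junos prints the Yes/No columns
YES_NO_COLUMNS = [
    ("Exp", LACP_EXPIRED), ("Def", LACP_DEFAULTED), ("Dist", LACP_DISTRIBUTING),
    ("Col", LACP_COLLECTING), ("Syn", LACP_SYNCHRONIZATION), ("Aggr", LACP_AGGREGATION),
]


def decode_state(state):
    """Translate a state octet into the vocabulary of 'show lacp interfaces'."""
    row = {name: "Yes" if state & bit else "No" for name, bit in YES_NO_COLUMNS}
    row["Timeout"] = "Fast" if state & LACP_TIMEOUT else "Slow"
    row["Activity"] = "Active" if state & LACP_ACTIVITY else "Passive"
    return row


def encode_state(activity="Active", timeout="Fast", aggr=True, syn=True,
                 col=True, dist=True, defaulted=False, expired=False):
    """Build the state octet from the same column values (inverse of decode_state)."""
    state = LACP_ACTIVITY if activity == "Active" else 0
    state |= LACP_TIMEOUT if timeout == "Fast" else 0
    for flag, bit in ((aggr, LACP_AGGREGATION), (syn, LACP_SYNCHRONIZATION),
                      (col, LACP_COLLECTING), (dist, LACP_DISTRIBUTING),
                      (defaulted, LACP_DEFAULTED), (expired, LACP_EXPIRED)):
        if flag:
            state |= bit
    return state


def mux_state(state):
    """Name the MUX machine state implied by the Syn/Col/Dist bits (Junos wording)."""
    if not state & LACP_SYNCHRONIZATION:
        return "Detached"
    if state & LACP_DISTRIBUTING:
        return "Collecting distributing"
    if state & LACP_COLLECTING:
        return "Collecting"
    return "Attached"


def link_is_healthy(actor_state, partner_state):
    """A member link forwards only when both ends are aggregatable, in sync,
    collecting and distributing, and neither end is on defaulted/expired info."""
    good = LACP_AGGREGATION | LACP_SYNCHRONIZATION | LACP_COLLECTING | LACP_DISTRIBUTING
    bad = LACP_DEFAULTED | LACP_EXPIRED
    return all((s & good) == good and not (s & bad) for s in (actor_state, partner_state))


# Constructed sample: the Actor/Partner rows for ge-0/1/0 in the output above.
ACTOR_GE010 = encode_state("Active", "Fast")     # 0x3f
PARTNER_GE010 = encode_state("Passive", "Slow")  # 0x3c

if __name__ == "__main__":
    for label, s in (("Actor", ACTOR_GE010), ("Partner", PARTNER_GE010)):
        print(label, hex(s), decode_state(s), mux_state(s))
    print("ge-0/1/0 healthy:", link_is_healthy(ACTOR_GE010, PARTNER_GE010))
```

The Timeout column is worth watching when troubleshooting a bundle that silently degrades: with the Juniper side on the fast timer and the Cisco side on the slow one, as in the output above, each side simply uses the timer its partner asks for, but a link whose Def or Exp column flips to Yes has stopped hearing its partner, and link_is_healthy() returns False for it.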

We can also confirm the trunk is up and trunking for VLANs 100 and 200:

rich@EX2200C> show ethernet-switching interfaces
Interface    State  VLAN members        Tag   Tagging  Blocking
ae0.0        up     IT                  200   tagged   unblocked
                    SALES               100   tagged   unblocked

I hope this has been a useful explanation.  In my next Junos Basics post I’ll cover first hop redundancy using VRRP.

What you need to do to design an information infrastructure system


There was a time when I had network design questions with “no one to ask”:

* How are the networks that actually run in production designed?

* How should the network model be designed for each type of customer (SMB, Enterprise, Banking, …)?

* How do you choose the most suitable network devices (Switch, Router, Firewall, …) for each design?

* How do you apply what you have learned to designing a real network?

At that time I had picked up some knowledge, but my ability to apply it in practice was a round zero; in other words, it felt like “knowing martial arts but not knowing how to use them when meeting a master in a duel”, a feeling that was … truly uncomfortable. For example:

– I studied HSRP/VRRP/GLBP, understood clearly how these protocols work, how to configure them, how to troubleshoot them when something goes wrong, … but did not know where to use them in a network model.

– I studied Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), PVST+, Rapid-PVST, MST: I understood how to configure the Root Bridge and Root Port, how to do load sharing with STP, the differences between STP, RSTP, PVST+, Rapid-PVST and MST, and the pros and cons of each. But… I did not understand how to use them in practice…

– I studied the 3-layer network design model: Core/Distribution/Access… I understood the role of each layer, but still could not design a network for a small and medium business (SMB); even the concepts SMB, ENT, … were still very vague to me.

– And many similar things…

I used to ask myself what the cause was; was it:

– A lack of product knowledge: yes, although I had been equipped with a foundation of knowledge, I did not know or had not yet understood:

– The concept of a modular switch (Catalyst 6500, Catalyst 4500, Nexus 7000, …): what a line card, a supervisor, a fan tray, a power supply, etc. are.

– What makes a switch “powerful”, and the concepts used to define that “power” of a device.

Example: on the 3750-X switch series: 160 Gbps switching fabric, 101.2 mpps forwarding rate, 10GbE uplinks, …

– The concepts of VSS on the 6500 switch series, StackWise on the 3750 series, FlexStack on the 2960S (note: these are extremely important features in network design with many outstanding characteristics that will be covered in detail in later posts).

– The features supported on each device series differ because they are designed for different purposes, e.g. the 2960 series supports only a very limited set of Layer 3 features compared to the 3750/4500/6500 series because the 2960 is designed for the Access layer…

– The characteristics of each customer type, e.g. designing a network for an SMB customer is very different from designing one for an Enterprise customer, …

– A lack of hands-on experience… -> so how do you get it?? Learn from whom?? Learn where??

And I went through a period of groping around, like walking in a dark tunnel, and until now I am still walking in that tunnel; the difference is that it is now a tunnel with a “faint glimmer of light” showing the way.

Understanding the difficulties I have been through, and wishing to share, exchange and learn in order to enrich network design skills,

I would like to begin the series of articles on the topic “Network design, from theory to practice”.

JunOS: Copy & Paste configuration directly on terminal.

The command load replace terminal can be used to copy a configuration from a text file to a Juniper device.

After executing this command the router will start accepting configuration data via the paste option.

To exit this mode press CTRL-D (^D); this leaves terminal mode and returns to the device prompt.

Example Follows:

root@gw-srx-01# load replace terminal   
[Type ^D at a new line to end input]
interfaces {
    reth0 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                filter {
                    input INPUT_RETH0.0_Filter;
                }
                address 10.0.0.1/24;
            }
        }
    }
    reth1 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 192.168.0.1/24;
            }
        }
    }
}
^D
load complete
 
[edit]
root@gw-srx-01# commit
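The curly-brace format shown here (and the tacacs and lo0 filter blocks in the Juniper cheat sheet above, which are loaded with "load merge terminal") is equivalent to a flat list of "set" statements, which is the form most people keep in a notepad and the form that is easiest to diff and lint. The Python below is an added example, not code from the post or from Juniper: it converts a pasted curly-brace configuration into "set" lines (expanding "[ a b c ]" lists and dropping "## SECRET-DATA" annotations), and then runs a small check over the resulting filter for terms that accept tcp or udp from any source without a source-address or port match. The sample configuration is constructed, modelled on the lo0 filter above with a documentation address in place of x.x.x.x; the name broad_accept_terms is my own.

```python
"""Convert the curly-brace Junos configuration format (what you paste after
'load merge terminal' / 'load replace terminal') into 'set' statements, and
lint the resulting firewall filter for terms that accept more than intended."""
import re

_LIST_RE = re.compile(r"^(.*?)\s*\[\s*(.*?)\s*\]$")


def braces_to_set(text):
    """Return the 'set ...' lines equivalent to a curly-brace configuration."""
    stack, out = [], []
    for raw in text.splitlines():
        line = raw.split("##", 1)[0].strip()      # drop '## SECRET-DATA' annotations
        if not line or line.startswith(("#", "/*")):
            continue
        if line.endswith("{"):
            stack.append(line[:-1].strip())        # open a hierarchy level
        elif line == "}":
            if not stack:
                raise ValueError("unbalanced '}'")
            stack.pop()
        elif line.endswith(";"):
            stmt = line[:-1].strip()
            m = _LIST_RE.match(stmt)
            if m:                                  # 'events [ a b ];' -> one set per item
                for item in m.group(2).split():
                    out.append("set " + " ".join(stack + [m.group(1), item]))
            else:
                out.append("set " + " ".join(stack + [stmt]))
        else:
            raise ValueError("unrecognised line: " + raw)
    if stack:
        raise ValueError("unbalanced '{'")
    return out


def broad_accept_terms(set_lines, filter_name):
    """Names of terms in an inet filter that accept tcp or udp from anywhere
    without narrowing by source address or port."""
    prefix = "set firewall family inet filter %s term " % filter_name
    terms = {}
    for s in set_lines:
        if not s.startswith(prefix):
            continue
        words = s[len(prefix):].split()
        terms.setdefault(words[0], []).append(words[1:])
    flagged = []
    for name, paths in terms.items():
        froms = [p[1:] for p in paths if p and p[0] == "from"]
        thens = [p[1:] for p in paths if p and p[0] == "then"]
        if ["accept"] not in thens:
            continue
        protos = {p[1] for p in froms if len(p) >= 2 and p[0] == "protocol"}
        narrowed = any(p and p[0] in ("source-address", "port", "source-port",
                                      "destination-port") for p in froms)
        if protos & {"tcp", "udp"} and not narrowed:
            flagged.append(name)
    return flagged


# Constructed sample, modelled on the lo0 filter above (documentation address).
SAMPLE = """\
firewall {
    family inet {
        filter Telnet-access-filter {
            term team_X {
                from {
                    source-address {
                        192.0.2.10/32;
                    }
                    protocol tcp;
                }
                then accept;
            }
            term OSPF {
                from {
                    protocol ospf;
                }
                then accept;
            }
            term accept_DHCP {
                from {
                    protocol udp;
                }
                then accept;
            }
        }
    }
}
"""

if __name__ == "__main__":
    lines = braces_to_set(SAMPLE)
    print("\n".join(lines))
    print("terms accepting any tcp/udp:", broad_accept_terms(lines, "Telnet-access-filter"))
```

Run against the sample, the check flags accept_DHCP: a term that matches "protocol udp" alone on a lo0 filter admits every UDP service on the switch (SNMP, NTP, and so on) from any address, which is not what the name suggests. Narrowing it with a destination-port match for the DHCP ports (67 and 68) keeps the relay working while letting the filter's implicit discard do its job for the rest.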