"Bridge Art Fair" Catalina Hotel, Miami Beach, FL, 12.06.08.





Special Thanks to Bridge Art Fair and the Orleans Street Gallery for facilitating the opportunity and Meghan Borato & Irene Pérez for assistance and photographic documentation.

Crazy Home Lab

Actually I found this site quite a long time ago, and I'm amazed by the craziness of the owner's home lab. You've probably seen this site before, since it's quite famous.

This site is named Uber Geek, and the owner of this site is Scott Morris. His resume alone is outstanding: he's a quadruple CCIE, meaning he owns all four of the CCIE tracks.
And he also holds all the other networking certifications that you can dream of.

Once you see the lab he has, you'd understand what I'm saying:



I can't say anything except that this lab is just crazy, not only Cisco devices but also Juniper, Sun, Dell, etc.
Some of the small ISPs in my country don't even have these kinds of devices, I think.

Of course with those four big racks and a massive amount of devices come great requirements. Because of the heat coming from the devices, he built a special air conditioning environment in his basement.

I know the idea of building this kind of lab is nowhere near possible for people who just want to pass certification exams like CCNA or even CCNP, especially if you don't get enough income from your networking projects.
Nevertheless, having a lab like this will make sure your future clients won't doubt your expertise.

So I say, start building your home network lab, add in some Cisco or other devices one by one and maybe eventually you'll come close to Scott Morris' lab.

Configuring SSH for Cisco

At the CCNA level, we only know how to connect to Cisco devices using a console connection and a telnet connection.

We know that no one can tap the console connection since it's directly connected to the Cisco device, but it's a different story for the telnet connection.
Anyone can tap messages from the telnet session.

All messages are sent in clear text, so it's dangerous to leave the default communication with Cisco devices using just telnet.

We can use SSH for a secure connection to the Cisco devices. SSH will encrypt all messages going from your computer to the Cisco devices.

First you're going to need a Cisco IOS image that supports SSH, i.e. one with IPSec, DES, or 3DES. How would you know that? Well, you can just issue the following command:

router> ena
router# show ip ssh
% Invalid input detected at '^' marker.

If it shows % Invalid input detected at '^' marker., then the IOS does not support SSH.

Now start with the configuration: you have to define a hostname for the Cisco device, and also a domain name for it.
In this example I use the hostname "netrouter" and the domain name "ciscolab.home".

router (config)# hostname netrouter
netrouter (config)# ip domain-name ciscolab.home

Next is to generate the RSA keypair used for the encryption; your device name plus the domain name will be the name of the key.
The modulus is the length of the key; the default value is 512 bits, and Cisco recommends a length of 1024 bits.

netrouter (config)# crypto key generate rsa

The name for the keys will be: netrouter.ciscolab.home
Choose the size of the key modulus in the range of 360 to 2048
for your General Purpose Keys. Choosing a key modulus greater than
512 may take a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys ...[OK]

You can also configure some additional parameters for the SSH connection:

netrouter (config)# ip ssh authentication-retries 5
netrouter (config)# ip ssh time-out 120
netrouter (config)# ip ssh version 2

The first command sets the number of retries allowed if you fail or mistype the username and password.
The second command sets the time-out, the time allowed to enter the username and password, in seconds.
The last command sets the version of SSH you want to use.

Now that we have generated the keypair for the encryption, how will the Cisco device authenticate the users coming in over an SSH connection?
You can either use an AAA server like RADIUS or TACACS+, or you can just use the Cisco device's local username and password. For now I'll just use local authentication: first set the username and password, then configure the device to accept local authentication for the line vty connections.

netrouter (config)# username Cisco password homelab
netrouter (config)# line vty 0 4
netrouter (config-line)# login local

By now you have successfully configured SSH for Cisco, so let's try the SSH. You can use PuTTY for the SSH connection. The default port for SSH is 22; you can use another port if you want by issuing ip ssh port 2000 from the global configuration mode.
Replace the 2000 with another port ranging from 2000 to 10,000.

Here I'm using the default terminal from Macintosh:

Macintosh:~ krishananda$ ssh Cisco@192.168.1.1
Cisco@192.168.1.1's password:

netrouter>

There, the SSH is working. But the telnet session is also still working, so now I want to restrict the Cisco device to only accept SSH connections and deny telnet connections.

WARNING!!!

Do not disconnect from your current connection, especially if it's a telnet session; in case you mess up the configuration, you can always undo the changes.


netrouter (config)# line vty 0 4
netrouter (config-line)# transport input ssh

Now if I try to connect using telnet, the router will deny it:

Macintosh:~ krishananda$ telnet 192.168.1.1
Trying 192.168.1.1...
telnet: connect to address 192.168.1.1: Connection refused
telnet: Unable to connect to remote host
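As an added example (not from the original post), here is a small Python check that reads a saved show running-config and reports whether the device matches the SSH-only setup above: hostname and domain name present, ip ssh version 2 set, and every vty line using login local and transport input ssh. The two sample configs are constructed from the commands in this post, not captured from a real device.

```python
"""Check a saved Cisco IOS running-config for the SSH-only management
setup from this post: hostname and ip domain-name (needed for the RSA
key), ip ssh version 2, and vty lines with login local and transport
input ssh. Added example, not from the original post.
"""

# Constructed sample: what 'show running-config' prints after the post's
# commands, including 'transport input ssh' on the vty lines.
HARDENED = """\
hostname netrouter
ip domain-name ciscolab.home
ip ssh time-out 120
ip ssh authentication-retries 5
ip ssh version 2
username Cisco password homelab
line vty 0 4
 login local
 transport input ssh
"""

# Constructed sample: the same device before 'transport input ssh' and
# 'ip ssh version 2'; with no transport line IOS still accepts telnet.
BEFORE = """\
hostname netrouter
ip domain-name ciscolab.home
username Cisco password homelab
line vty 0 4
 login local
"""


def parse_vty_blocks(config):
    """Map each 'line vty ...' section to its sub-commands. IOS prints a
    section's sub-commands indented one space directly below it."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line vty "):
            current = raw[len("line "):]
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # any other top-level command ends the section
    return blocks


def audit_ssh_config(config):
    """Return a list of findings; an empty list means the config matches
    the SSH-only setup described in the post."""
    findings = []
    top_level = {l.strip() for l in config.splitlines() if l and not l.startswith(" ")}

    if not any(cmd.startswith("hostname ") for cmd in top_level):
        findings.append("no hostname set; the RSA key name needs it")
    if not any(cmd.startswith("ip domain-name ") for cmd in top_level):
        findings.append("no ip domain-name; crypto key generate rsa needs it")
    if "ip ssh version 2" not in top_level:
        findings.append("ip ssh version 2 not set; device also accepts SSHv1")

    vty_blocks = parse_vty_blocks(config)
    if not vty_blocks:
        findings.append("no line vty section found")
    for name, cmds in vty_blocks.items():
        transport = next((c for c in cmds if c.startswith("transport input")), None)
        if transport is None:
            findings.append(f"line {name}: no transport input (IOS default still allows telnet)")
        elif set(transport.split()[2:]) != {"ssh"}:
            findings.append(f"line {name}: '{transport}' is not ssh-only")
        if "login local" not in cmds:
            findings.append(f"line {name}: login local not set (post uses the local username)")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("hardened", HARDENED)):
        print(label, audit_ssh_config(cfg) or ["ok"])
```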

Hope this is useful for you.

TIPS:

If you're using a Macintosh and you change the RSA key by issuing crypto key generate rsa again on the same device,
your Mac will deny the SSH connection, giving you a warning about a man in the middle attack or that the RSA key has changed.
All you need to do is open your text editor, open the file /users/yourname/.ssh/known_hosts,
wipe out the content of the known_hosts file and save.
That should do the trick.

3 Books to Definitely Help You Pass CCNA Exam

You might be struggling to save money to join the Cisco Networking Academy or other courses just to pass the CCNA exam.

The Cisco Networking Academy is great, but as for the other courses, well, in my experience, I joined a CCNA course - not the Cisco academy - and to be honest the result was not as I expected.
I don't know if this happens in other countries or not, but the instructors were not as qualified as they said; sure, they passed the CCNA exam too, but their experience in handling Cisco devices was just poor.

So, not satisfied with the result, I browsed the internet and found these three books valuable in helping me pass the CCNA exam.

CCNA: Cisco Certified Network Associate Study Guide: Exam 640-802


The first book is the CCNA study guide from Todd Lammle. If you search for a CCNA guide on Google then you'd find the name of Todd Lammle popping up everywhere.

Todd Lammle has successfully authored books that can be easily understood even by newbies, and you can find all the topics covered in the CCNA exam.

You can buy the book from Amazon for US$ 31 for the new one, and for the old one you can get it for US$ 26.56.
I also provide the links to Amazon; you can click on the link above or the image to go straight to the Amazon site.

CCNA Practice Questions (Exam 640-802) (3rd Edition) (Exam Cram)


Now this is interesting: I bought this book because it is authored by Jeremy Cioara, my all-time favorite Cisco mentor.

Jeremy Cioara authored a successful series of video tutorials for CBT Nuggets, so without any hesitation I bought this book, and it turned out great.

I practiced with the questions provided in this book, and the best part is that it does not contain illegal materials according to CertGuard; I've checked.

I read the materials in Todd Lammle's book and after I got myself deep into the subject I switched back to cram exam questions from Jeremy Cioara's book. This method worked great for me.

Cisco Access Lists Field Guide


You might or might not need this book, but for me, I had some difficulties understanding Cisco access lists before the exam.

I bought this book and happily found that it offers more than the Cisco access list subject in the CCNA exam.

I learned much more: time-based access lists, encryption and IPSec, QoS, and other things that helped me in configuring my Cisco home lab and also in preparing for the next CCNP exams.

Some people say that this book is not that great and blah blah, but for me, I really like this book.

Those are the books that helped me get through the CCNA exam; with a budget of US$ 76.98 for new books, and much less if you buy used ones on Amazon, you can prepare well for the CCNA exam.

Handy Commands for Cisco Initial Configuration

I find the following handy Cisco commands very useful for the initial configuration of Cisco devices.
I always use these commands to configure Cisco devices from a fresh configuration.

router> enable
router# configure terminal
router (config)# no ip domain-lookup

The no ip domain-lookup is very useful; what this command does is tell the Cisco device not to do a domain lookup when you mistype something in the CLI. For example, if you do this without no ip domain-lookup:

router# pign
Translating "pign"... domain server (255.255.255.255)
%unknown command or computer name, or unable to find computer address


The Cisco device will try to find the computer name pign; it doesn't know that you mistyped ping. This process could take a very long time.
If you apply no ip domain-lookup, the Cisco device won't try to do the domain lookup.

The second command is the alias command. This command makes an alias of a command that you use frequently.
For example, if you often use the command show ip interface brief, you can make an alias of it called "ship".

router (config)# alias exec ship show ip interface brief

You configure it by entering alias first, followed by the mode the command resides in - in this example the show command resides in exec mode - then the alias for the command, and then the full command that you want to alias.
Now you just have to type ship instead of the long show ip interface brief command.

The next command is useful when you connect to Cisco devices and need a very long time to configure them.
Cisco devices have a default limit on how long you're allowed to stay connected to them. Sometimes you don't want to reconnect all the time, but mind you that the time limitation is set because of security concerns.

router (config)# line vty 0 4
router (config-line)# no exec-timeout

The above commands tell the router to give you all the time you need when configuring the router from a telnet session; it won't cut your connection. You can also configure it for the console connection.

The last one is my favorite. You know when you're configuring a Cisco device, sometimes you get notifications from the device, which is great, since it tells you about things going on in it.
But it gets annoying when you're trying to configure it and the notifications cut off your half-written command.
The following command tells the router to write back the command you entered before the notifications cut it off:

router (config)# line vty 0 4
router (config-line)# logging synchronous

I hope these commands are useful for you.

Handy Cisco Command - Interface Range

There are many handy Cisco commands that you can use to help you in configuring Cisco devices; these commands are not exactly secret commands, but you might not get them from the CCNA curriculum.

One of these handy commands I already posted in my previous post. But I want to cover it again in case you missed the post.

This one is the interface range command. What this command does is select a range of interfaces and apply the same commands to them.
This is very handy, especially in a Cisco switch environment where you might want to set some ports to be access ports or apply the same security to those ports, instead of doing it one by one for each interface.

For example, if I want to select the interfaces fastethernet 0/2 to 0/8, with the interface range command I'd just do it like this:

2950> enable
2950# configure terminal
2950 (config)# interface range fa0/2 - 8
2950 (config-if-range)#

There, you notice that instead of displaying 2950 (config-if)#, which you get when you issue interface fa0/2, you get the 2950 (config-if-range)# prompt, which shows you that you are selecting a range of interfaces.

When you want to select interfaces that are not in sequential order, like when you want to select interfaces fa0/2 to fa0/8, then interfaces fa0/10 to fa0/16, and then interface fa0/24, you can do it like this:

2950 (config)# interface range fa0/2 - 8, fa0/10 - 16, fa0/24
2950 (config-if-range)#

I'll be posting more handy Cisco commands next time; hope this one is useful for you.

Do I Need Lightning and Surge Protection?

That was what I wondered about when first building my Cisco home lab. I never worried about this before since I only had my laptop, a couple of PCs and the good old Linksys networking devices.

No matter what devices I have, I should have installed some lightning and surge protection for any electronic devices I have.

Lightning, power surges and spikes are the main enemies of electronic devices. Lightning can cause a major power surge and spike, meaning when lightning strikes it causes a brief, huge power spike which can reach 50 million volts; it's brief but deadly.

And it's not only surges from lightning: if you live in an old neighborhood, sometimes the electricians didn't do their work very well, or perhaps the electrical installation is too old, so power surges and spikes can happen at any time.



Knowing this, I immediately bought a power surge protector; it's a surge protector from Belkin and I use it to protect only my networking devices.

But you never know: I was only concerned about surges and spikes from the electrical line; I forgot about the line coming in from my internet cable.

About three days ago lightning struck, I don't know where; it doesn't have to strike your home directly, it can strike your neighbor's home some miles away and it can still get to you.

One lightning strike, and one cable modem, one Philips LCD TV, one computer, and one CATV splitter are dead. Warranty is available for the modem and TV, thank God.
Luckily my Cisco devices are okay, thanks to the power surge protector I think.

Man, it was a nightmare: one big thunder and suddenly everything was down, the lights, computers, everything.
All suddenly dark, I spotted a spark somewhere, a large cracking sound, and everyone just went aaahhhhh.
Even when the computers were turned on after a while, the NICs were not working for some time; luckily they do now.
Yet my laptop is still mute; the speaker and some USB ports are dead.



So the moral of this story: buy some lightning and surge protectors, at least they provide protection to some degree.
You can also buy surge protectors that provide phone line protection for a DSL connection or coaxial protection for your cable internet connection.

What about a UPS? Some UPSes also provide lightning and surge protection; well, I prefer to have both.
Plug the surge protector into the electric outlet first and then plug the UPS into the surge protector.
And remember to buy them from reputable vendors like APC or other brands; they cost more indeed, but there's no doubt about the quality.

If you don't want to buy them, then the best protection when dealing with lightning strikes at your home is to turn off all the devices and unplug all the power cables when it's raining heavily.

Hope this experience of mine won't happen to you.

Building HotSpot

Ever wonder how to build your very own wifi hotspot? If you followed my previous posts, I hope you managed to build your own home network, and that suffices for the first step in building a wifi hotspot.

The next things to consider are how to manage your network; you certainly don't want anyone just joining your wireless network, right? That is, if you don't want to build a free-for-all hotspot.

You also don't want people eating all your bandwidth; somehow you need to limit the hotspot users, and limit their access so they won't be able to join your internal LAN.

If you want these features in your hotspot, you're probably going to need something called a captive portal.

What a captive portal does is like this: if someone joins your wireless network and then opens a web browser, the captive portal redirects the browser to your HTML page, no matter what URL was requested.
That HTML page of yours is typically a welcome page or a login page, so only certain people can make use of your wireless network.
This is great for public wifi hotspots.

There are many captive portals that you can find, free or commercial ones; the one that I'm familiar with is from publicIP, and it's called ZoneCD.

Most of the captive portals that you can find might work the same way: they need you to put a PC between your wireless device and your internal network or internet router.
This is the image I got from the publicIP ZoneCD:


The PC should have 2 NICs (Network Interface Cards), one going to your internal LAN, the other to the wireless LAN.
That PC does all the authentication of the wireless users, the bandwidth limitation, etc.

What I like most about ZoneCD is that it's a Live CD: you just need a working PC, put in the CD and then the PC boots from the CD; nothing needs to be installed.
Sure, it's based on Linux/UNIX, but you don't need to know anything about Linux; you only need to know how to operate a PC, so they say.

You can do homepage redirection and content filtering for porn sites or downloads, the ZoneCD has a built-in firewall, and you can also modify the login page to conform to your own taste or give it a logo of your company.

Configuring WPA and WPA2 on Cisco Aironet

In the last post I talked about configuring WEP authentication on the Cisco Aironet wireless access point.
Now I want to configure WPA and WPA2 to give more strength to the wireless security.

Just for a note, I put an image of a padlock on the last post and now I give a picture of a vault to give the image of stronger security.
You know what I mean, padlock versus vault, oh just forget it.

Back to the topic: when first posting about WEP I said that WEP encryption is weak, and you'd better use encryption like WPA and WPA2.

WPA gives better key management and stronger cipher encryption. For those who don't know about ciphers, a cipher is a kind of algorithm for encryption and decryption, and we'll be configuring the cipher when dealing with WPA and WPA2. WPA uses what is called TKIP, or Temporal Key Integrity Protocol, for the cipher encryption.

WPA2 is even better than WPA; it uses a stronger encryption called AES, or Advanced Encryption Standard, and it creates fresh session keys so every packet sent is encrypted with a different key.

One other thing to know: WPA and WPA2 come in two flavors, Personal and Enterprise. In Enterprise mode we need to have an authentication server such as RADIUS; I don't have a RADIUS server currently, so I'll skip to the Personal mode instead.
The Personal mode of WPA and WPA2 has what is called WPA-PSK, the WPA Pre-Shared Key; we have to configure the WPA-PSK on both the Access Point and the clients.

So let's get on to the configuration of WPA first, for my SSID Guest on VLAN 40:

1240AG> enable
1240AG# configure terminal
1240AG (config)# interface dot11radio 0
1240AG (config-if)# encryption vlan 40 mode ciphers tkip
1240AG (config-if)# ssid Guest
1240AG (config-if-ssid)# vlan 40
1240AG (config-if-ssid)# authentication open
1240AG (config-if-ssid)# authentication key-management wpa
1240AG (config-if-ssid)# wpa-psk ascii your-key-here

That's it, you've successfully configured WPA on the Cisco Aironet Wireless Access Point. Just configure the ciphers to tkip, set the authentication to open, use the wpa key management, and the great thing in WPA is that we can set ASCII characters as the key instead of hexadecimal like we did when configuring WEP.

The difference between the WPA and WPA2 configurations is just some small things. We have to set the ciphers to AES and the key management to WPA version 2. Let's get started configuring WPA2 for my SSID Admin on VLAN 30:

1240AG> enable
1240AG# configure terminal
1240AG (config)# interface dot11radio 0
1240AG (config-if)# encryption vlan 30 mode ciphers aes-ccm
1240AG (config-if)# ssid Admin
1240AG (config-if-ssid)# vlan 30
1240AG (config-if-ssid)# authentication open
1240AG (config-if-ssid)# authentication key-management wpa version 2
1240AG (config-if-ssid)# wpa-psk ascii your-key-here
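As an added example (not from the original post or from Cisco), the Python below shows what the wpa-psk ascii key above actually becomes on the access point and on every client: WPA/WPA2-Personal runs the ASCII passphrase through the 802.11i PBKDF2-HMAC-SHA1 mapping with the SSID as salt, so the same passphrase gives a different 256-bit key on the Guest and Admin SSIDs. The 64-hex-digit wpa-psk hex form and the placeholder Guest passphrase are assumptions for illustration, not values from the post.

```python
"""What 'wpa-psk ascii <passphrase>' installs on the access point and the
clients. In WPA/WPA2-Personal the ASCII passphrase is not used directly:
802.11i maps it to a 256-bit Pairwise Master Key with PBKDF2-HMAC-SHA1
(4096 iterations, SSID as salt), so the same passphrase gives a different
key on the Guest and Admin SSIDs. Added example, not from the original
post or from Cisco; the Guest passphrase below is a constructed placeholder.
"""
import hashlib
import re

ITERATIONS = 4096
PMK_BYTES = 32  # 256-bit key


def passphrase_is_valid(passphrase):
    """802.11i allows 8 to 63 printable ASCII characters for a passphrase."""
    return 8 <= len(passphrase) <= 63 and all(32 <= ord(c) <= 126 for c in passphrase)


def wpa_psk_from_ascii(passphrase, ssid):
    """Derive the PMK exactly as the 802.11i passphrase-to-PSK mapping does."""
    if not passphrase_is_valid(passphrase):
        raise ValueError("passphrase must be 8 to 63 printable ASCII characters")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid_bytes,
                               ITERATIONS, PMK_BYTES)


def wpa_psk_from_hex(hex_key):
    """The alternative 'wpa-psk hex' form (assumed here, not shown in the
    post): 64 hex digits used as the PMK directly, with no passphrase
    derivation and therefore no dependence on the SSID."""
    if not re.fullmatch(r"[0-9a-fA-F]{64}", hex_key):
        raise ValueError("hex PSK must be exactly 64 hexadecimal digits")
    return bytes.fromhex(hex_key)


def same_passphrase_two_ssids(passphrase, ssid_a, ssid_b):
    """Show that the SSID is part of the key: returns True when the two
    SSIDs produce different PMKs from one passphrase."""
    return wpa_psk_from_ascii(passphrase, ssid_a) != wpa_psk_from_ascii(passphrase, ssid_b)


if __name__ == "__main__":
    # Constructed placeholder passphrase for the post's Guest SSID on VLAN 40.
    guest_pmk = wpa_psk_from_ascii("guest-lab-passphrase", "Guest")
    print("Guest PMK:", guest_pmk.hex())
    # The IEEE 802.11 test vector: passphrase "password", SSID "IEEE".
    print("IEEE vector:", wpa_psk_from_ascii("password", "IEEE").hex())
```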

Don't forget to check out how to set up the wireless network and the SSID in my last posts. Cheers.

Configuring WEP Authentication on Cisco Aironet

The wireless network you installed for your LAN can mean that you are directly exposing your network to the public.

Anyone can use a wireless sniffer and view all the traffic going between the wireless access point and the clients. That's why you need to add security to your wireless LAN.

This post will talk about WEP, or Wired Equivalent Privacy; the name states that your wireless network will be as safe as your wired network, but not in reality.
There are many WEP decryption tools available out there. Just capture some packets using a wireless sniffer and use the decryption tool to find out the WEP key.

So we know WEP is not secure; nevertheless I want to show how to configure WEP authentication for the Cisco Aironet wireless access point.

WEP uses a 40 bit encryption key (10 hexadecimal characters) or 128 bits (26 hexadecimal characters).
Don't get a false sense of security from the length of the encryption key; a longer encryption key just means more packets need to be captured and more time to decrypt them.

There are two types of authentication for security according to the IEEE 802.11 committee, shared-key and open authentication.

In shared-key authentication, the access point sends a challenge packet to the client and the client must encrypt the packet with the right key (the WEP key), then return it to the access point.
This method is not secure since everything is sent in clear text.

The other method is open authentication; just like the name says, the authentication is open, or you can say no authentication is required.
But when open authentication is used with WEP, the WEP key will be used to encrypt all data before sending it.

I have to admit, I got a little confused when first configuring authentication on Cisco Aironet wireless access points since no one taught me, so I had to browse all the configuration examples.

It's easier to use the web interface of the access point, but I want to configure it through the CLI.
To configure WEP authentication you start by entering the dot11radio interface:

1240AG> enable
1240AG# configure terminal
1240AG (config)# interface dot11radio 0

Create the SSID and associate it with VLAN if you haven't done it:

1240AG (config-if)# ssid Guest
1240AG (config-if-ssid)# vlan 40
1240AG (config-if-ssid)# authentication open
1240AG (config-if-ssid)# exit

Configure the WEP authentication:

1240AG (config-if)# encryption vlan 40 mode wep mandatory
1240AG (config-if)# encryption vlan 40 key 1 size 128bit 12345678901234567890123456 transmit-key

The first command above tells the Cisco Aironet to do WEP encryption on VLAN 40 (SSID Guest) and sets it as mandatory.
If you replace mandatory with optional, the use of WEP encryption depends on the client configuration; clients can choose to encrypt the packets or not.

The second command tells the access point to use a 128 bit WEP encryption key with the above 26 character key. You can use whatever key you choose as long as it consists of hexadecimal characters (0-9 and A-F).

Don't forget to set up the access point as I did on the last post.

"Graduate Open House" Columbia College, Chicago, IL, 11.08.08.


Configuring Cisco Aironet in Home Lab - Part 2

Now it's time to configure Cisco Aironet Wireless Access Point for Cisco home lab.

What I'm going to do first is configure the connectivity between the Cisco Aironet 1240AG wireless access point and the Cisco 2950 switch.

Here's a closer look at the network diagram of the wireless access point and the switch:


The network will be using VLAN 5 (192.168.5.0 network) as the native VLAN and the rest of the VLANs will be used for the SSIDs.

There's an interface called BVI, or Bridge-group Virtual Interface; what this interface does is bridge all of the interfaces in the access point - the wired and wireless interfaces - so you can use the BVI interface IP address to manage all of those interfaces.

On a Cisco Aironet 1240AG wireless access point, you have 1 fast ethernet interface port, 1 console port, 1 dot11radio 0 for 802.11G, and 1 dot11radio 1 for 802.11A.

In this configuration I'm only going to configure dot11radio 0 for the 802.11G wireless network since I only have the antennas for 802.11G.
You can configure both 802.11A and 802.11G if you want.

First we configure the interface BVI 1 IP address:

1240AG> enable
1240AG# configure terminal
1240AG (config)# interface bvi 1
1240AG (config-if)# ip address 192.168.5.3 255.255.255.0
1240AG (config-if)# no shutdown

Now set the native VLAN (VLAN 5) on the wireless access point; we have to configure the native VLAN on both the fastethernet sub interface and the dot11radio 0 sub interface:

1240AG (config)# interface fastethernet 0.5
1240AG (config-subif)# encapsulation dot1q 5 native
1240AG (config-subif)# interface dot11radio 0.5
1240AG (config-subif)# encapsulation dot1q 5 native

Next is to set up the SSIDs, starting from the SSID for admin, and associate it with VLAN 30.
We need to configure the SSID on the dot11radio 0 interface first, then configure the VLAN on the dot11radio 0.30 sub interface and the fast ethernet 0.30 sub interface.
Also, I set up the SSID for open authentication first.

1240AG (config)# interface dot11radio 0
1240AG (config-if)# ssid ADMIN
1240AG (config-if-ssid)# vlan 30
1240AG (config-if-ssid)# authentication open
1240AG (config-if-ssid)# exit

1240AG (config-if)# interface fastethernet 0.30
1240AG (config-subif)# encapsulation dot1q 30
1240AG (config-subif)# bridge-group 30

1240AG (config-subif)# interface dot11radio 0.30
1240AG (config-subif)# encapsulation dot1q 30
1240AG (config-subif)# bridge-group 30

The bridge-group command allows you to group interfaces and bridge non-routed traffic among the interfaces.
In this example, traffic goes from the dot11radio 0.30 sub interface to the fastethernet 0.30 sub interface and vice versa.

Note: If you configure the SSID in global configuration mode, the SSID will be on both dot11radio 0 and 1.

Do the same with the SSID for guest and associate it with VLAN 40:

1240AG (config)# interface dot11radio 0
1240AG (config-if)# ssid GUEST
1240AG (config-if-ssid)# vlan 40
1240AG (config-if-ssid)# authentication open
1240AG (config-if-ssid)# exit

1240AG (config-if)# interface fastethernet 0.40
1240AG (config-subif)# encapsulation dot1q 40
1240AG (config-subif)# bridge-group 40

1240AG (config-subif)# interface dot11radio 0.40
1240AG (config-subif)# encapsulation dot1q 40
1240AG (config-subif)# bridge-group 40

The next step is to configure the switch port connected to the wireless access point as a trunk port with native VLAN 5.
I already posted about how to do this in the last post.

Also, if you are going to use dynamic IP addresses, make sure you have configured the router as a DHCP server serving clients for VLAN 30 and 40.

Right now, if you have no problem pinging the switch and router from the wireless access point, your access point is broadcasting the SSIDs and any client joining an SSID gets an IP address from the router.

The SSIDs are not secure since they use open authentication; next time I'll configure them with stronger authentication.

Configuring Cisco Aironet in Home Lab - Part 1

I've configured my Cisco home lab with a router that connects to cable internet and a switch with VLANs.
Now it's time to add a new device to the Cisco home lab, a Cisco Aironet 1240AG wireless access point for wireless connection.

And by the way, the image on the left is not an official logo from Cisco or anything, I just made that up.

I won't configure anything fancy this time, only give the basic administration configuration, set up open SSIDs and associate the SSIDs to VLANs.

Since I want to configure two SSIDs for the wireless network - one free-for-all SSID with no authentication and the other one with authentication - I need to configure an additional VLAN on the switch.

I already have VLAN 30 for the wireless network and want to add VLAN 40, so in total there will be 5 VLANs in my Cisco home network lab.

I made a network diagram with Cisco Aironet 1240AG wireless access point added in the picture below:

So let's start the configuration in the next post; there are some steps to complete this Cisco home lab network diagram if you haven't done so.

Starting from the wireless access point, I'm going to configure the basic administration configuration such as the access point's management IP address, the SSIDs and their association to VLANs, optionally the authentication security options for the SSIDs, and the trunk connection to the switch.

For the switch I'll configure VLANs and the trunk connection to the access point and the router.

Last, on the router I'll configure interVLAN routing, a DHCP server for each VLAN, and other configurations like I've posted before.

Building on Diversity


Congratulations Mr. Community Organizer!

You beat them with the strategy they mocked.

Recently, I read an excellent book about Abe Lincoln -- Team of Rivals. In order to deal with a divided nation, Lincoln chose his cabinet from the best minds available. He ended up with a cabinet composed of mostly his rivals to the presidency. He chose these men for their abilities and experience. Lincoln knew the problems he faced were too much for one person. He knew he needed a team of experts -- all more capable than him in their specialities.

Lincoln was a master weaver in not only creating his team, but also managing them. A diverse team is difficult to manage, but usually produces better results than a team of like-thinkers. The key to Lincoln's diverse team was different thinking and different expertise and different styles. Yet, by appearance they were very similar -- all old white men. Same packaging, but different attributes.

Today's corporate world is full of apparently diverse individuals -- men, women, whites, blacks, Asians, Latinos, Christians, Jews, Muslims, gay and straight. Yet, most corporations reward similar thinking -- which does not bring the rewards that diversity promises. We have organizations full of people that look different, but think the same. Everyone should read Team of Rivals to see how to mix, match and manage different skills, styles and abilities for maximum effectiveness.

We focus on Barack Obama's ethnicity -- but that is not why he won. It is his message, his vision, his leadership. 150 years ago, a tall skinny guy from Illinois focused on connecting a severely divided nation. Now, another tall skinny guy from Illinois faces a differently divided nation and needs the best team possible to move this country forward. I was glad to hear that Team of Rivals is one of Obama's favorite books. He will need to apply its lessons learned to have an effective presidency in these tough times.

Wireless Home Network

In the last post I talked briefly about the wireless site survey in networking projects.

Now I want to share my view on the things that I personally consider in building a wireless home network.
The following points are just my considerations; most home or SOHO users just plug in their wireless access points, configure them and they just work fine.

Which Standard to Use

Currently there are four common standards for wireless networking: 802.11a, 802.11b, 802.11g, and the latest one, 802.11n. These standards use unlicensed frequencies, meaning they're free for all to use.

You can use the frequencies for your wireless networks and you can't complain if your neighbors used up all of the frequencies available and interfere with your wireless signal.
Later on this when I talk about the wireless channels in a moment.

802.11a uses the 5GHz band and has a data rate of 54Mbps. This standard is not too popular anymore: its higher frequency gives it a higher data rate but a shorter range.
A higher frequency is also more easily absorbed by the solid objects around it.

802.11b and 802.11g use the 2.4GHz band. Most wireless access points support both the b and g standards, and since both use the same frequency they are interoperable.
The difference is that 802.11b has a data rate of 11Mbps while 802.11g has 54Mbps.

The latest one is 802.11n. It uses the 5GHz and/or 2.4GHz bands and, in terms of data rate and wireless range, it has the highest data rate and the widest range; some vendors claim their 802.11n access points can reach data rates up to 114Mbps.

I don't know the truth about that since I don't have any 802.11n devices yet.
For me, I just love the sleek design of the 802.11n wireless router from Linksys.
Cool, gotta have that someday.

Wireless Access Points Locations

Place the access points in locations that you think can reach all the clients in the network. Consider interference from microwave ovens or cordless phones.
Also keep in mind objects that can block, absorb or reflect the signals from the access points, such as thick walls or metal surfaces.

The further you get from the access point, and the more objects standing between you and it, the lower the data rate you'll get.

Channels to Use

If one wireless access point is enough to cover your clients, check which wireless channels are used by the access points installed near your network.
If your access point uses the same channel as your neighbor's, their signals will interfere with each other.
If you're using more than one access point, set them to use different channels.

In the 802.11b and g standards, the common channels, or the clean channels that you can use, are channels 1, 6 and 11. Use one for each of your access points; do not use the same channel if the signals.
What I mean by clean channels is that these channels do not overlap each other.
The following is the graphical representation of 802.11b and g wireless channels:

802.11a offers more clean channels to choose from. You can see the wireless channels that you can use for 802.11a:


More on channels can be found directly at the source, the FCC site.

SSID

Service Set Identifier or SSID is like an ID for your wireless network. I'm sure you already know this: to join a wireless network you need to know the SSID, or you can scan for SSIDs and join one.

You can use many of the available wireless network sniffers to scan for the SSIDs and wireless channels used by nearby wireless networks. Some of them you can find in the list here.
Once again, not every sniffer works with your wireless network card, so check before downloading.

You can use any SSID for your wireless network: your name, company name, etc. The reason I bring this up is that if you're using upper-end wireless access points like those from Cisco, you can have multiple SSIDs broadcast from a single wireless access point.

Maybe you need a free-for-all SSID for your guests, another SSID for your home users or employees, and another one just for you as the admin.

On Cisco, you can tie these SSIDs to VLANs, which gives you flexibility in deciding different security settings for each SSID, different access lists for them, etc.

Wireless Security


Now this is the most important part of all: the wireless security, or the encryption method you want to associate with your SSID.
There are several types of wireless network authentication, from open authentication, which you can apply for guests on your WLAN, to WPA version 2.
There is also WEP, which is not so secure nowadays since people can tap your signals and decrypt them.
Best to say that WPA or WPA2 are more secure to use in your WLAN; you can also use 802.1x security.

Remember that not all hardware or wireless NICs support every authentication method; most of them support WPA authentication, so it's the most common to use nowadays.

I have to admit I'm too lazy to give a full explanation of them all here, plus this post has taken longer than I expected.
Smarter and more diligent people have described this; one description you can find at Wikipedia.

I don't want to bore you, so I'll start on the configuration of Cisco wireless networks in the next posts.

Planning for Wireless Network

If you're planning to deploy wireless access points in a networking project then congratulations, you still have lots of work to do before you get to configuring the access points.

There are lots of things to consider in a networking project: the location of the access points, the channels to use, whether there is radio interference at the locations, etc.

You need to do a wireless site survey in a network project; see, they even created their own science for this work.

Talking about wireless site surveys could take its own blogs, books, tools and even a specialized certification if you want to do it properly and professionally.
The software and hardware tools don't come cheap, I'm telling you.

There is software that can do wireless site surveys; it can visually show you the range of the access points installed on the site. A few that I've seen at work before are from Ekahau and VisiWave.

At the top of this post is a sample report from VisiWave, and the picture on the left is from Ekahau.

These pictures show you the range of the wireless access points on site. They're kind of like a heat map. With these you can determine the best placement for the access points so that they reach all clients.

From my experience not all of this software works with every wireless card, so before purchasing, check whether it supports your wireless card.

There is also hardware that can help you do the site survey, and it can also scan for radio interference such as that coming from microwave ovens, cordless phones, etc.
You should check out the YellowJacket from bvssystem; these things are cool.

The people at bvssystem integrate an HP iPAQ PDA with their YellowJacket to be used as a wireless site survey tool.
This one is in the form of a Tablet PC for spectrum analysis:

Both software and hardware can provide you with detailed reports of the wireless site survey results.

Now that's when you're working on a network project; if you want to deploy wireless access points in your home or SOHO, you don't need to go through all that trouble.

In the next post I want to talk about the things to consider if you want to install wireless access points in your home or SOHO.

Get to Know Cisco Aironet Wireless Access Point

Ah, I just love these things, the Cisco Aironet Wireless Access Points. On the left you can see the Cisco Aironet 1240AG Access Point, one among the other Cisco Aironet series.

This is the very first Cisco device that I got; I thought that at least I could integrate it with my existing non-Cisco home network.

The 1240AG is not the prettiest access point you can get, but I like the shape anyway. It reminds me of the liquor bottles I used to see in the movies.

Now, why would you want to buy a Cisco Aironet? It costs about ten times or more than the average home access points from Linksys or D-Link.

These Aironet things are great. The 1240AG has one Fast Ethernet port and one console port.
It doesn't come with integrated antennas; you have to buy them. You can use 802.11g antennas and/or 802.11a antennas. This gives you flexibility in choosing antennas; you can even use both if you want to.
Mind you, not all countries allow the use of the 802.11a standard.

The console port, as usual, is used for configuring the Cisco Aironet Access Point through the CLI. You can also use a web browser to configure the access point; unlike other Cisco devices' web interfaces, the Aironet web interface offers rich configuration features.
Other Cisco devices' web interfaces don't look that good, and you'd definitely prefer configuring those devices through the CLI.

Below is the example of the Cisco Aironet web interface:


Unlike other Cisco devices, Cisco Aironet Access Points are configured by default to accept an IP address from a DHCP server; if you have a DHCP server in your LAN, that's great.
Just plug in a cable to connect the access point to your LAN, and as soon as it receives an IP address you can configure it.

One tip: the Cisco Aironet 1100 series Access Points have a default IP address of 10.0.0.1 that lasts for just 5 minutes.
So during those 5 minutes you can configure your computer's NIC with an IP address of 10.0.0.2 or another address in that subnet, and connect a network cable from your computer's NIC to the Ethernet port of the access point.
Open the web browser and type in the 10.0.0.1 address, then you can do some configuration. Remember this only lasts for 5 minutes; after that the access point will request an IP address from a DHCP server indefinitely.

Now, what other features do the Aironet Access Points have? Many features that the average home access points don't have.

You can configure the access points as an Intrusion Detection System (IDS) to protect your network, use them to scan your network for rogue access points that your neighbour uses for stealing your bandwidth, and they also offer the powerful 802.1x to authenticate clients.

You can also set your own transmit power and data rates for the wireless radio interfaces.

Configure several SSIDs to segment your network. Each SSID can be correlated with a VLAN. Provide an SSID for your guests, another SSID for your home users, and a special SSID just for administration purposes.
Want another SSID? A special SSID just for handling your VoIP packets, cool.

If you have several Cisco Aironet Access Points at your disposal, set them up so your users can roam all over the place and jump from one access point's area to another without losing their connection.

Have hundreds of Aironet Access Points in a project? You don't need to configure them one by one. Upgrade, or request from Cisco, Aironets with Cisco IOS Lightweight mode enabled.
With the Lightweight feature and a wireless LAN controller you just need to make one configuration on the wireless LAN controller and it will push the configuration to all the access points in your network.
Saves you a lot of work.

So many features to tell; to try out all these features, get your own Cisco Aironet Wireless Access Points now. You won't be sorry if you're a true techie, except that your wallet will be a bit thinner.

The Danger of Broadcast Storm and the Solution

If you've taken the Cisco Academy program or been in the networking world for a while, you must have heard about broadcast storms.

A broadcast storm is a state in a network where a broadcast frame in a switched environment is continually flooded through the network.

This mostly happens in a switched environment where you have redundant connections between switches; remember that routers segment or isolate broadcasts between networks.

Redundant connections are important if you want to create a backup path between switches. If one path fails the other will take over.
This won't work out with switches that don't have any loop avoidance mechanism.

This is how a broadcast storm can happen. I have two switches connected with redundant links; one switch is connected to a client and the other switch is connected to a server.

Then the client sends a broadcast, say an Address Resolution Protocol (ARP) request, to find out the location of the server, like this. Pay attention to the red arrow; pretend that the arrow is a broadcast frame sent by the client.


Remember the rule of a switch: a switch forwards a broadcast frame to all ports except the port where it received the frame.

Switch A receives the frame and forwards it on the two links it has:


Switch B receives the broadcast frame from two different ports and forwards it again to its other ports, including the port where the server is attached.

But it doesn't stop there: the frames are flooded back to Switch A and back to the client.


From now on it goes back to picture 2, then 3, and so on; this will keep going forever until you shut down the network.
This condition is also called a switching loop, and it leads to a broadcast storm.
Most likely you'll find a question about this in the CCNA exam.

Luckily Cisco switches have a loop avoidance mechanism called Spanning Tree Protocol or STP.

What STP does is eliminate loops in the network while allowing redundant links; the switches in the network send out BPDUs, or Bridge Protocol Data Units.

A BPDU is like a boomerang sent out on all ports of the switch. The BPDUs travel all over the network, and when a switch receives a BPDU it sent, the switch knows that a switching loop is occurring in the network and will block one of the ports where the loop occurred.

Actually a whole set of sessions would be needed just to explain STP; there are even books specialized in explaining STP, considering how important STP is in a redundant network.

STP eliminates redundant links in your network, that's it; but if you don't carefully design your network, even if you're using Cisco devices, your network will someday experience a meltdown.

There's a great article about a network meltdown in a hospital related to STP that you can read here. In a hospital!! Man, that's serious business; we're talking about people's lives here.
So the case study can be a valuable resource for you, just read it.

This happened to me once when I went to a client. They're just a small office, kind of like a SOHO; they're not using Cisco devices, just network devices from Linksys and D-Link.

So they called me and said that for some reason the network went down.

After checking the network for a while, there was no problem with the configuration or the cabling, but still no connectivity.
Then after tracing all the cables - it was not exactly neat cabling they had there - I found that one cable was connected end to end to the same switch, which created the broadcast storm.

So the moral of this story: it's very easy to take down an entire network with just a single network cable, especially if the network is using average home network devices.

No need to say that it is very important to keep your network devices physically secure. You can't trust the employees anymore nowadays.
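To see the flooding rule from the post turn into a storm, here is an added example in Python (not from the original post, and not a Cisco feature): a tiny simulator that applies "forward a broadcast to every port except the one it came in on" to the two-switch topology from the pictures, then to the single-cable loop from the SOHO story, and finally with one port of the redundant link blocked the way an STP blocking port would be. The topologies and the port names are constructed for the example.

```python
"""Added example (not from the original post): flood one broadcast frame
through a switched topology and see whether the flood ever stops."""

from collections import deque


def two_switch_loop():
    """Topology from the post: Switch A (client) and Switch B (server) joined
    by two redundant links l1 and l2. Each switch maps port name -> peer; the
    peer is a host name (str) or a (switch, port) tuple."""
    return {
        "A": {"client": "client", "l1": ("B", "l1"), "l2": ("B", "l2")},
        "B": {"server": "server", "l1": ("A", "l1"), "l2": ("A", "l2")},
    }


def single_switch_loop():
    """The SOHO case from the post: one cable plugged into two ports (p1, p2)
    of the same switch."""
    return {
        "S": {"client": "client", "server": "server",
              "p1": ("S", "p2"), "p2": ("S", "p1")},
    }


def flood(topology, source_switch, source_port, blocked=(), max_steps=2000):
    """Flood one broadcast frame that arrives at `source_switch` on `source_port`.
    A switch forwards a broadcast out of every port except the one it came in
    on. Ports listed in `blocked` (pairs of (switch, port)) neither send nor
    accept frames, like an STP port in the blocking state.
    Returns (terminated, deliveries): deliveries counts the copies each host
    received; terminated is False when the step cap is hit, meaning the frame
    is still circulating, which is a broadcast storm."""
    blocked = set(blocked)
    queue = deque([(source_switch, source_port)])
    deliveries = {}
    steps = 0
    while queue:
        if steps >= max_steps:
            return False, deliveries
        steps += 1
        switch, in_port = queue.popleft()
        for port, peer in topology[switch].items():
            if port == in_port or (switch, port) in blocked:
                continue
            if isinstance(peer, str):
                deliveries[peer] = deliveries.get(peer, 0) + 1
            else:
                peer_switch, peer_port = peer
                if (peer_switch, peer_port) not in blocked:
                    queue.append((peer_switch, peer_port))
    return True, deliveries


def storm_without_stp():
    """Redundant links and no loop avoidance: the flood never ends."""
    return flood(two_switch_loop(), "A", "client")


def storm_with_stp():
    """Block Switch B's side of link l2, as STP would: the server gets exactly
    one copy and the flood stops, while l2 is still there as a backup path."""
    return flood(two_switch_loop(), "A", "client", blocked={("B", "l2")})


def single_cable_storm():
    """One cable looped into the same switch is enough to storm a flat LAN."""
    return flood(single_switch_loop(), "S", "client")


if __name__ == "__main__":
    for label, (terminated, delivered) in [
            ("two switches, no STP", storm_without_stp()),
            ("two switches, one port blocked", storm_with_stp()),
            ("one cable looped into one switch", single_cable_storm())]:
        state = "flood stopped" if terminated else "STORM (step cap hit)"
        print(f"{label}: {state}, copies delivered: {delivered}")
```

The simulator ignores MAC learning and timing on purpose: broadcasts are flooded regardless of the MAC table, so those details do not change the outcome, and the point is that the only thing that stops the loop is removing a forwarding port from it.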

Adding Switch to Cisco Home Lab - Part 5

Configure Router as DHCP Server for VLANs

Now this part of the configuration is the most fun part of all. I just love the way that one router accepts requests from clients on different VLANs (with different subnets) and gives out addresses based on which VLAN a client resides in.

That's just cool; your average home routers can't do this kind of stuff. Most of what they can do is give out IP addresses for one network.

In the previous post, I posted about how to make a router a DHCP server. This post is similar, but now I'm going to make the router give out IP addresses to clients on different networks.

The configuration is also the same, but now I'm going to make several IP DHCP pools. The amazing thing is that the router can differentiate each client's request for an IP address.

The router listens to the requests and sees which request comes in on which sub-interface (subnet or VLAN).
Then the router takes an available IP address from the matching DHCP pool and tells the client that it's now using that IP address.

In this example I'm using four networks in my local area network. I won't be giving out addresses for VLAN 5, since I'm only going to use its IP addresses for management purposes - I'll assign those addresses statically on the networking devices.
The 3 networks left, VLAN 10, 20 and 30, get their IP addresses from the DHCP server.

Same as before, you need to exclude the IP addresses that you don't want to give out through DHCP. I reserve the first ten addresses of each network; I'll probably need them for something else in the future.

router> enable
router# configure terminal
router (config)# ip dhcp excluded-address 192.168.10.1 192.168.10.10
router (config)# ip dhcp excluded-address 192.168.20.1 192.168.20.10
router (config)# ip dhcp excluded-address 192.168.30.1 192.168.30.10

Now DHCP will give out addresses to the clients starting from XXX.XXX.XXX.11

Next is to configure the DHCP pools for respective VLANs:

router (config)# ip dhcp pool OFFICE
router (dhcp-config)# network 192.168.10.0 255.255.255.0
router (dhcp-config)# default-router 192.168.10.1
router (dhcp-config)# dns-server xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx

router (config)# ip dhcp pool HOME
router (dhcp-config)# network 192.168.20.0 255.255.255.0
router (dhcp-config)# default-router 192.168.20.1
router (dhcp-config)# dns-server xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx

router (config)# ip dhcp pool WIRELESS
router (dhcp-config)# network 192.168.30.0 255.255.255.0
router (dhcp-config)# default-router 192.168.30.1
router (dhcp-config)# dns-server xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx

You can set the dns-server option to point to up to 6 DNS servers.
The default-router command tells the clients to set their default gateway to the router's sub-interface.

At this point, if you can ping all the sub-interfaces of the router from the switch, the router will give out IP addresses in response to the DHCP requests coming from the clients.

The router differentiates the requests like this: if a request comes in on sub-interface ethernet 0/1.10, the router gives out an IP address from the pool that matches the IP address on that interface (the 192.168.10.0 network).

After this you need to configure the router for the internet connection, if you haven't done it before.
Remember to apply an access list that allows all the networks you have in the LAN to be translated by NAT.
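The matching rule just described (receiving sub-interface's address decides the pool, excluded addresses are skipped, so the first lease is .11) is easy to check in code. Here is an added example in Python, not part of the original post and not Cisco's implementation: it models the router's pool selection with the post's own sub-interface addresses, pool networks and excluded ranges, and also lints the pools for a default-router that does not match the serving sub-interface. The DNS server address is a constructed placeholder, and the third pool name WIRELESS is my choice for the VLAN 30 pool.

```python
"""Added example (not from the original post): a model of per-sub-interface
DHCP pool selection using the addresses from the post."""

import ipaddress

# Router sub-interfaces (Part 4): name -> gateway address with mask.
SUBINTERFACES = {
    "ethernet0/1.5": ipaddress.ip_interface("192.168.5.1/24"),
    "ethernet0/1.10": ipaddress.ip_interface("192.168.10.1/24"),
    "ethernet0/1.20": ipaddress.ip_interface("192.168.20.1/24"),
    "ethernet0/1.30": ipaddress.ip_interface("192.168.30.1/24"),
}

# DHCP pools (Part 5). VLAN 5 is addressed statically, so it has no pool.
# Pool name WIRELESS for VLAN 30 is assumed here.
POOLS = {
    "OFFICE": {"network": "192.168.10.0/24", "default_router": "192.168.10.1"},
    "HOME": {"network": "192.168.20.0/24", "default_router": "192.168.20.1"},
    "WIRELESS": {"network": "192.168.30.0/24", "default_router": "192.168.30.1"},
}
DNS_SERVERS = ["192.0.2.53"]  # constructed placeholder (documentation range)

# The ip dhcp excluded-address ranges from the post.
EXCLUDED = [("192.168.10.1", "192.168.10.10"),
            ("192.168.20.1", "192.168.20.10"),
            ("192.168.30.1", "192.168.30.10")]


class RouterDhcp:
    def __init__(self, subinterfaces, pools, excluded, dns_servers):
        self.subinterfaces = subinterfaces
        self.pools = {name: dict(p, network=ipaddress.ip_network(p["network"]))
                      for name, p in pools.items()}
        self.excluded = set()
        for first, last in excluded:
            lo = int(ipaddress.ip_address(first))
            hi = int(ipaddress.ip_address(last))
            self.excluded.update(ipaddress.ip_address(i) for i in range(lo, hi + 1))
        self.dns_servers = dns_servers
        self.leases = {}  # address -> client MAC

    def pool_for(self, subinterface):
        """The pool whose network contains the receiving sub-interface's address."""
        gateway = self.subinterfaces[subinterface]
        for name, pool in self.pools.items():
            if gateway.ip in pool["network"]:
                return name, pool
        return None, None

    def offer(self, subinterface, client_mac):
        """Hand out the lowest free, non-excluded address of the matching pool."""
        name, pool = self.pool_for(subinterface)
        if pool is None:
            return None  # no pool for this VLAN (the management VLAN 5)
        for addr in pool["network"].hosts():
            if addr in self.excluded or addr in self.leases:
                continue
            self.leases[addr] = client_mac
            return {"pool": name, "address": str(addr),
                    "default_router": pool["default_router"],
                    "dns_servers": list(self.dns_servers)}
        return None  # pool exhausted

    def check_pools(self):
        """Report pools that no sub-interface serves, or whose default-router
        is not the address of the sub-interface that serves them."""
        problems = []
        for name, pool in self.pools.items():
            serving = [sub for sub, gw in self.subinterfaces.items()
                       if gw.ip in pool["network"]]
            if not serving:
                problems.append(f"pool {name}: no sub-interface in {pool['network']}")
            elif str(self.subinterfaces[serving[0]].ip) != pool["default_router"]:
                problems.append(f"pool {name}: default-router should be "
                                f"{self.subinterfaces[serving[0]].ip}")
        return problems


if __name__ == "__main__":
    router = RouterDhcp(SUBINTERFACES, POOLS, EXCLUDED, DNS_SERVERS)
    print("pool problems:", router.check_pools())
    print(router.offer("ethernet0/1.10", "00:11:22:33:44:55"))  # 192.168.10.11
    print(router.offer("ethernet0/1.30", "aa:bb:cc:dd:ee:ff"))  # 192.168.30.11
    print(router.offer("ethernet0/1.5", "de:ad:be:ef:00:01"))   # None
```

Running the checker once more after editing the pools catches the easy mistake of a default-router that points at another VLAN's gateway, which clients would accept and then silently lose connectivity.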

Adding Switch to Cisco Home Lab - Part 4

Configure Router for InterVLAN routing

If you only configure VLANs on the 2950 or other layer 2 switches, the clients can only communicate with other clients within the same VLAN.
If you want them to be able to communicate with clients on different VLANs, then you need to configure a router for interVLAN routing.

Configuring a router for interVLAN routing is often called router on a stick. The reason is that clients that want to communicate with clients on different VLANs need to go through the router first, and the router routes the packets to the appropriate VLAN back through the same link.

The disadvantage of this is that the single link going to the router is filled with traffic from one VLAN going to another, and the router has to handle the routing for all of it.

No problem for a small LAN, but if you have a huge number of clients, you need to consider using Layer 3 or multilayer switches (Cisco Catalyst 3550 series or above) for interVLAN routing.

The concept of layer 3 switch routing is something that you'd find at the CCNP level, not the CCNA.
I don't have a layer 3 switch; the cheapest one I can find in my local area is more than $600, yikes. But the configuration is so easy, I'll just give you some snippets later.

For now let's configure the router to do interVLAN routing.

We know that routers have a limited number of physical interfaces, right? The 2611 has 2 Ethernet interfaces by default.
One interface goes to the internet and the other is supposed to connect to the internal LAN.
How can one interface handle multiple VLANs, a.k.a. multiple networks with different subnets?

There's a genius way to get around this: logical sub-interfaces. That one port can be logically divided into many sub-interfaces.
Each sub-interface handles one VLAN/subnet.

NOTE:

Previously, interVLAN routing could only be done on routers with Fast Ethernet interfaces (100 Mbps) and was not intended for Ethernet interfaces (10 Mbps) because of the small bandwidth. But now we can configure it on Ethernet ports as well.

Before configuring the router, let's look again at the network diagram:

So we need to define four sub-interfaces and their respective IP addresses. We also need to define the VLAN assigned to each sub-interface using encapsulation dot1q VLAN_NUMBER, where VLAN_NUMBER is the VLAN ID for the sub-interface.
You need to define the VLAN on the sub-interface first, then you can assign an IP address there.
You don't need to assign an IP address to the main interface ethernet 0/1, but do issue no shutdown on it; the sub-interfaces automatically inherit that no shutdown.
Because VLAN 5 is the native VLAN on the switch's trunk port (configured in Part 3), its frames arrive at the router untagged, so that one sub-interface needs the native keyword on its encapsulation command or the router will not match them.
Here's how we configure them:

router> enable
router# configure terminal
router (config)# interface ethernet0/1
router (config-if)# no ip address
router (config-if)# no shutdown
router (config-if)# interface ethernet0/1.5
router (config-subif)# encapsulation dot1q 5 native
router (config-subif)# ip address 192.168.5.1 255.255.255.0
router (config-subif)# interface ethernet0/1.10
router (config-subif)# encapsulation dot1q 10
router (config-subif)# ip address 192.168.10.1 255.255.255.0
router (config-subif)# interface ethernet0/1.20
router (config-subif)# encapsulation dot1q 20
router (config-subif)# ip address 192.168.20.1 255.255.255.0
router (config-subif)# interface ethernet0/1.30
router (config-subif)# encapsulation dot1q 30
router (config-subif)# ip address 192.168.30.1 255.255.255.0

You can give a sub-interface a number up to 4294967295; this gives you the flexibility to name the sub-interface to match the VLAN ID, so you can easily identify that sub-interface e0/1.5 is for VLAN 5 and so on.

Oh, don't forget to do the no shutdown command on the main interface ethernet 0/1; it also brings up the sub-interfaces.

Now if you can successfully ping interface VLAN 5 on the switch (192.168.5.2 in this example) then you are done configuring the router for interVLAN routing.

For configuring interVLAN routing on layer 3 switches you have to create an interface VLAN for every VLAN that you want to route and give each one an IP address.

Layer3Switch> enable
Layer3Switch# configure terminal
Layer3Switch (config)# interface VLAN 5
Layer3Switch (config-if)# ip address 192.168.5.1 255.255.255.0
Layer3Switch (config-if)# no shutdown

Do this for every VLAN that you want to route; you don't need to configure sub-interfaces on the router.
The layer 3 switch will route between the VLANs without ever needing to send anything to the router first.
But you need to activate the ip routing feature on the switch first, if it's not already activated, using:

Layer3Switch (config)# ip routing

Very simple right?

The last things left are the additional router configuration: a DHCP server for each subnet, connecting to the cable internet, and other details in the next post.

Adding Switch to Cisco Home Lab - Part 3

Assigning Switch Ports to VLANs

After configuring VLANs on the Cisco switch, now we need to assign the switch ports to VLANs.

We need to decide which ports should be in which VLAN; remember VLAN = broadcast domain = subnet.
So before making your own VLANs, consider the IP addressing scheme and which computer should be in which broadcast domain or network.

The next step is to configure the trunk port that connects to the router, and the access ports that connect the switch ports to our clients' PCs or other network devices.

The trunk port is needed to carry all VLANs, or selected VLANs (you can decide which VLANs are allowed to cross the trunk link), over one port; the native VLAN is the one whose frames cross the trunk untagged, so any untagged frame the switch receives on the trunk is treated as belonging to the native VLAN.
You should also configure a trunk if you want to connect a switch to another switch; you have to configure the trunk port on both switches.

For an access port, one access port can only be a member of 1 VLAN; anything plugged into the access port will be assigned the configured VLAN ID.

You need to remember though, the devices attached to the switch ports don't know anything about VLANs; it is only something the switch knows.
Before frames are sent to the clients, the VLAN tags are stripped from them.

In this example I configure the FastEthernet port 0/1 as the trunk port that connects to the router.

C2950> enable
C2950# configure terminal
C2950 (config)# interface fa0/1
C2950 (config-if)# switchport mode trunk

At this point you have already configured port FastEthernet 0/1, or fa0/1, as a trunk port.
There are two encapsulation methods for trunking: ISL, which is Cisco's proprietary method, only for Cisco devices, and 802.1Q, or dot1q for short, which is the multi-vendor encapsulation method.

Since the 2950 switches only support the dot1q method you don't need to define it, but if your switch supports both methods then you need to configure it using switchport trunk encapsulation dot1q, or replace dot1q with isl if you want to use ISL.

Next is to define the native VLAN and, if you want to, restrict which VLANs are allowed to cross that trunk port:

C2950 (config-if)# switchport trunk native vlan 5
C2950 (config-if)# switchport trunk allowed vlan 5,10,20,30

You can add or remove VLANs from the trunk's allowed list later; by default the trunk carries all VLANs.

Finished with the trunk port configuration; now we assign ports to the VLANs we created. You can assign the ports one by one like this:

C2950 (config)# interface fa0/2
C2950 (config-if)# switchport mode access
C2950 (config-if)# switchport access vlan 10

Or you can define a range of interfaces at once. Say I want to configure ports 0/2 to 0/8 as access ports for VLAN 10; then I just have to do this:

C2950 (config)# interface range fa0/2 - 8
C2950 (config-if-range)# switchport mode access
C2950 (config-if-range)# switchport access vlan 10

Do the same thing for VLAN 20 - the home network VLAN:

C2950 (config)# interface range fa0/9 - 16
C2950 (config-if-range)# switchport mode access
C2950 (config-if-range)# switchport access vlan 20

Very handy command right?

One trick I can give you: if you want to configure some ports that are not in sequential order, like ports 2 to 5, 10 to 15 and port 24, you can do it like this:

C2950 (config)# interface range fa0/2 - 5, fa0/10 - 15, fa0/24

There, you have successfully created access ports for VLAN 10 and 20. For VLAN 30, the VLAN used for the wireless network, I need to save it for another time since configuring a wireless network with Cisco devices takes some tricks.

Now we're done with the Cisco switch configuration; the next thing to do is configure the router to accept the VLANs and be the DHCP server for all the networks.
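The trunk, native VLAN and access-port settings from this part have to agree with the router sub-interfaces from Part 4, and the place that usually goes wrong is the native VLAN: the switch sends it untagged while a plain encapsulation dot1q N on the router expects a tag. Here is an added example in Python (not from the original posts, and not a Cisco tool) that parses constructed copies of the two posts' commands (prompts removed) and reports every VLAN/trunk mismatch between them; FIXED_ROUTER_CONFIG is my corrected version of the router side.

```python
"""Added example (not from the original posts): cross-check the switch trunk
and access-port config from Part 3 against the router sub-interfaces from
Part 4 and report VLAN mismatches."""

# Constructed copy of the Part 3 switch commands, prompts removed.
SWITCH_CONFIG = """
interface fa0/1
 switchport mode trunk
 switchport trunk native vlan 5
 switchport trunk allowed vlan 5,10,20,30
interface range fa0/2 - 8
 switchport mode access
 switchport access vlan 10
interface range fa0/9 - 16
 switchport mode access
 switchport access vlan 20
"""

# Constructed copy of the Part 4 router sub-interfaces as first posted.
ROUTER_CONFIG = """
interface ethernet0/1.5
 encapsulation dot1q 5
 ip address 192.168.5.1 255.255.255.0
interface ethernet0/1.10
 encapsulation dot1q 10
 ip address 192.168.10.1 255.255.255.0
interface ethernet0/1.20
 encapsulation dot1q 20
 ip address 192.168.20.1 255.255.255.0
interface ethernet0/1.30
 encapsulation dot1q 30
 ip address 192.168.30.1 255.255.255.0
"""

# VLAN 5 is the trunk's native VLAN, so the switch sends it untagged and the
# router sub-interface has to be told so with the 'native' keyword.
FIXED_ROUTER_CONFIG = ROUTER_CONFIG.replace("encapsulation dot1q 5\n",
                                            "encapsulation dot1q 5 native\n")


def parse_switch(text):
    """Return (trunk, access): trunk = {'native': n, 'allowed': set or None},
    access = {interface spec: vlan}. IOS defaults: native VLAN 1, all allowed."""
    trunk = {"native": 1, "allowed": None}
    access, current = {}, None
    for line in text.splitlines():
        line = line.strip().lower()
        if line.startswith("interface "):
            current = line[len("interface "):]
        elif line.startswith("switchport trunk native vlan "):
            trunk["native"] = int(line.split()[-1])
        elif line.startswith("switchport trunk allowed vlan "):
            trunk["allowed"] = {int(v) for v in line.split()[-1].split(",")}
        elif line.startswith("switchport access vlan "):
            access[current] = int(line.split()[-1])
    return trunk, access


def parse_router(text):
    """Return {sub-interface name: {'vlan': n, 'native': bool}}."""
    subs, current = {}, None
    for line in text.splitlines():
        line = line.strip().lower()
        if line.startswith("interface ") and "." in line:
            current = line.split()[1]
            subs[current] = {"vlan": None, "native": False}
        elif line.startswith("encapsulation dot1q ") and current:
            parts = line.split()
            subs[current] = {"vlan": int(parts[2]), "native": "native" in parts[3:]}
    return subs


def check(switch_text, router_text):
    """List every VLAN/trunk mismatch between the two configs (empty = consistent)."""
    trunk, access = parse_switch(switch_text)
    routed = {s["vlan"]: (name, s["native"]) for name, s in parse_router(router_text).items()}
    allowed, problems = trunk["allowed"], []
    for iface, vlan in access.items():
        if allowed is not None and vlan not in allowed:
            problems.append(f"{iface}: access VLAN {vlan} is not allowed on the trunk")
        if vlan not in routed:
            problems.append(f"{iface}: VLAN {vlan} has no router sub-interface")
    for vlan, (name, native) in routed.items():
        if allowed is not None and vlan not in allowed:
            problems.append(f"{name}: VLAN {vlan} is routed but not allowed on the trunk")
        if vlan == trunk["native"] and not native:
            problems.append(f"{name}: VLAN {vlan} is the trunk's native VLAN and arrives untagged; use 'encapsulation dot1q {vlan} native'")
        if vlan != trunk["native"] and native:
            problems.append(f"{name}: marked native but the trunk's native VLAN is {trunk['native']}")
        if not name.endswith(f".{vlan}"):
            problems.append(f"{name}: sub-interface number does not match VLAN {vlan}")
    return problems


if __name__ == "__main__":
    print("as posted:", check(SWITCH_CONFIG, ROUTER_CONFIG))   # one native VLAN problem
    print("fixed:", check(SWITCH_CONFIG, FIXED_ROUTER_CONFIG))  # []
```

VLAN 30 shows up as routed and allowed but with no access port, which the checker accepts, matching the post's decision to leave the wireless VLAN for later.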

 