Date post: | 29-May-2018 |
Upload: | duongxuyen |
Module Objectives
You will:
Identify the different hardware and
software components of the OS 6350 as well
as where it fits in different networks
OS 6350 (AOS): High Availability, Operating System, Extensive Manageability, Enhanced Security
OmniSwitch 6350 - Gigabit Ethernet switch
Overview
10 POE or Non-POE Triple-speed 10/100/1000 Gigabit interfaces
2 Gigabit RJ45/SFP combo ports
Low-power consumption
Fanless operation on the 6350-10
and 6350-P10 models
Delivering Power over Ethernet (PoE)
802.3af/802.3at compliant
65 W of power for PoE attached devices
Internal AC power supplies
No Backup power supply
Advanced QoS and security features
autoQoS IEEE
802.3af/at PoE
OmniSwitch 6350 - Gigabit Ethernet switch
Front panel
2 1Gig RJ45/SFP Combo Ports
OK Solid green (hardware status OK)
PWR Solid Green (power supply operational)
10 x 1G User Interface Ports 802.3at Support PoE on all 24 or 48 ports
RJ-45 Serial Console Port and
USB Flash drive port
User Port and SFP LED’s
Solid=Link/Blinking=Activity
Green=NonPoE/Amber=PoE
OmniSwitch 6350 - Gigabit Ethernet switch
Ports
OmniSwitch 6350 | Distribution ports (Nbr) | Distribution ports (type) | Combo ports RJ45/SFP 1G
10, P10         | 10                       | 10/100/1000               | 2
Models: OS 6350-10, OS 6350-P10
AOS R6 for the OS 6350
VLANs IEEE 802.1Q
Policy rule based
802.1x/MAC Auth.
Spanning Tree IEEE 802.1D
IEEE 802.1w
IEEE 802.1s
PVST +
Link Aggregation IEEE 802.3ad (dynamic)
Multicast switching IPv4: IGMP v1/v2/v3
IPv6 MLD v1/v2
QoS / ACLs / Policies Classification on L1/L2/L3/L4
8 internal priorities
802.1p/ToS/DiffServ marking
Per COS Max bandwidth
Statistics (# of pkt, # of byte)
Ingress Policing / Egress Shaping
Multi-actions support
Server Load Balancing
Security IEEE 802.1x, A-VLANs
Access Guardian Host Integrity Check
User Network Profile
IP Anti-Spoofing
Learnt Port Security
sFlow ® , RMON (4 groups)
SNMP v2/v3
SSH, SSL, Radius, LDAP
IPv4 Static routing
IPv6 Tunneling (Configured, 6to4)
Static routing
Misc. ECMP (v4 & v6)
Loopback
Proxy ARP / Ext Proxy ARP
Router Discovery Protocol
Port mirroring (many-to-one)
Jumbo frames (9K)
Policy Based Mirroring
GVRP/MVRP
UDLD
Management Out-of-the-box Auto-provisioning
USB support
AMAP
LLDP
DHCP server
NTP server
CLI / WebView / OmniVista
AOS R6: OS 6350-10, OS 6350-P10
OmniAccess Wireless – Access Points
AP1101: Dual Radio, 2x2:2 MIMO
Specification AP 1101
Antennas Built-in
Clients 64
Data rate per radio (Mbps) 1200
802.11n spatial streams 2
802.11n MIMO 2x2
802.11ac
2.4 + 5GHz WIPS
Cluster Network
RDA Feature
802.11e (QoS)
Full Capacity w/ 802.3af
Ethernet
OmniAccess Wireless – Hardware Overview
Hidden LED Location
Red Blue Green Time Line Status
ON Power on
ON Bootloader - OS loading System start up
Flash System running Network abnormal (Interface down)
Flash System running Network normal, without SSID created
ON System running Network normal, single band working, either 2.4 GHz or 5 GHz working
ON System running Network normal, dual bands working, 2.4 GHz and 5 GHz are both working
Flash Flash System running Red and Blue LEDs flash in rotation at a specific frequency; OS upgrading
Flash Flash Flash System running 3 LEDs flash in rotation at a specific frequency; used for locating an AP
Security Lock Slot
Reset Button
Ethernet
Console
DC Power Socket
DC Power Socket Console
Product Features - Hardware Features
AP Cluster Network Architecture
Scale
Limited to 16 AP1101 in a cluster
256 concurrent clients
16 WLANs (SSID)
Virtual Controller Architecture
Decentralized, Self Organizing System
Primary and Secondary Virtual Controller
Centralized Configuration & Monitoring Portal
Centralized Image Management
Mobility
Same L2 Domain with firewall and authentication state synchronization
Alcatel-Lucent Instant Technology
Over-the-air provisioning
Wizard driven setup: 5 minute WLAN configuration
Virtual Controller: virtual controller technology
Module Objectives
You will learn about:
Logging Into The Switch
Managing Files/Directories
If you want to know more:
Upgrading Software version
User Accounts
AAA Authentication
Role based management
AOS
Management Tools
Accessing the switch may be done locally or remotely
Management tools include:
CLI - May be accessed locally via the console port, or remotely via Telnet
Webview - which requires an HTTP client (browser) on a remote workstation
SNMP, which requires an SNMP manager (such as Alcatel-Lucent’s OmniVista or HP
OpenView) on the remote workstation
Secure Shell - Available using the Secure Shell interface
FTP - File transfers can be done via FTP or Secure Shell FTP
TFTP - File transfers can be done via TFTP
USB device - Disaster recovery, Upload/download image files
User Accounts
Admin and Default
Default user account
Admin
Full privileges
By default, access only allowed through console port
Cannot be modified except for password
Default password is ‘switch’
Ability to create new users with full or limited access rights
For more information, go to the next section “If you want to know more”
AOS File System
Flash Memory File System
Provides storage for system and
configuration files
2 versions are present on the flash, the
working and the certified
*.img files stored in both working and
certified directories
Configuration rollback
Based on the working and certified
Directories
Applies to system files and configuration
file
A certified version (SW + conf) will be used as a
backup when dealing with any changes
(modification, upgrades, …)
Flash Directory (/flash): Swlog1.log, Swlog2.log, Boot.params, network, switch
Working Directory: Jsecu.img, Jbase.img, Jeni.img, Jos.img
Certified Directory: Jsecu.img, Jbase.img, Jeni.img, Jos.img
System Boot Sequence
BootROM
Boot Sequence (Recalls)
Bootstrap Basic Operation
Initializes Hardware
Performs memory diagnostics
Selects the right MiniBoot
Copy & execute MiniBoot
MiniBoot Basic Operation
Initializes basic kernel
Selection of image
Based on boot.params
Copy & load the OS
The image contains its own copy of the
kernel specific to the SW version
[Diagram: Flash holds MiniBoot, the root directory with boot.params, and the /working and /certified directories, each with kernel.lnk from the OS package; RAM holds MiniBoot and the production kernel; steps numbered 1 to 5]
System Boot Sequence
Working and Certified directories are identical
Working Directory: base.img, secu.img, eni.img, os.img, boot.cfg
Certified Directory: base.img, secu.img, eni.img, os.img, boot.cfg
Working and Certified contents are identical: the switch runs from working
System Boot Sequence
Working and Certified directories are different
Working Directory: base.img, secu.img, eni.img, os.img, boot.cfg
Certified Directory: base.img, secu.img, eni.img, os.img, boot.cfg
Working and Certified contents are different: the switch runs from certified
System Boot Sequence
Working and Certified directories are different
Copying Running config to Working Directory (boot.cfg) and Certifying Working Directory
[Diagram: 6350-10 with Working and Certified directories, running configuration and boot.cfg]
1. Switch will run from Certified
2. Rebooting from working directory
   -> reload working no rollback-timeout
3. If changes done on running config -> saved to working directory
   -> copy running-config working
4. Then makes contents of working identical to certified
   -> copy working certified
---> Now running config matches working and certified matches working
OmniSwitch
Software System Architecture
-> show running-directory
CONFIGURATION STATUS
  Running CMM : PRIMARY,
  CMM Mode : DUAL CMMs,
  Current CMM Slot : A
  Running configuration : WORKING,
  Certify/Restore Status : CERTIFIED
SYNCHRONIZATION STATUS
  Flash Between CMMs : SYNCHRONIZED,
  Running Configuration : SYNCHRONIZED,
  NIs Reload On Takeover : NONE
Flash Directory (/flash): Swlog1.log, Swlog2.log, Boot.params, network, switch
Working Directory: secu.img, base.img, eni.img, os.img
Certified Directory: secu.img, base.img, eni.img, os.img
System Commands
Directory Commands include:
pwd - display current directory
cd – change directory
dir – list directory contents
mkdir – create new directory
rmdir – remove existing directory
File Commands include:
ls – list directory content
cp – copy a file
mv – move a file
vi – invoke editor
rm – remove a file
Utility Commands include:
freespace – displays the amount of free file system memory
fsck – performs file system check
Managing Files and Directories
Upgrading/Registering Switch Software
File transfer available using
FTP
Secure FTP
TFTP
Zmodem
USB
The switch acts as
FTP Server
FTP/TFTP client
By default, an FTP session connects to the ‘working’ directory
CLI
WebView
OmniVista
Managing Files
FTP/TFTP Upgrading/Registering Switch Software
FTP Server
WebView
-> ftp {host_name | ip_address}
-> sftp {host_name | ip_address}
-> tftp {host_name | ip_address} {get | put} source-file [src_path/]src_file [destination-file [dest_path/] dest_file] [ascii]
USB support
Disaster recovery (requires miniboot-uboot upgrade and special directory structure in the
drive to store image files)
Upload/download image files
Upload/download configuration files
USB support is disabled by default
Only this USB device will be supported and guaranteed to function correctly
Any file management operation is supported including recursive operations
-> usb enable
-> /uflash Bulk device is created
Node ID 0x2
LUN #0
Vendor Info : PIXIKA
Product ID : USB Flash Drive
Product Revision : 4.00
Number of Blocks : 509695
Bytes per Block : 512
Total Capacity : 260963840
TUE MAR 09 15:09:21 : SYSTEM (75) alert message:
+++ USB Bulk Device mounted at 12 Mbps.
-> usb disable
TUE MAR 09 15:13:12 : SYSTEM (75) alert message:
+++ Device /uflash removed and uninstalled from FS
-> show usb statistics
USB: Enabled
USB auto-copy: Disabled
USB disaster-recovery: Enabled
Node ID 0x2
LUN #0
Vendor Info : PIXIKA
Product ID : USB Flash Drive
Product Revision : 4.00
Number of Blocks : 509695
Bytes per Block : 512
Total Capacity : 260963840
USB Flash Drive Management
Disaster-recovery
Switch configured to boot from the USB
flash device
-> usb enable
-> usb disaster-recovery enable
Create a directory named xxxx/certified* on the
USB flash drive with all the proper image files
Copy all of the files from the /uflash//certified
directory to the certified directory on /flash
Connect the USB flash drive to the CMM; The
flash will be reformatted and the images will be
copied to the /flash/certified directory of the
CMM and the switch will reboot from the
certified directory
* xxxx= 6350 - switch model
USB Flash Drive Management
Auto-copy
Upgrades the image files from the USB
device to the /flash/working directory
Create a file named aossignature in the root of
the USB flash drive
Create a directory named xxxx/working* on the
USB flash drive with all the proper image files
Run
-> usb enable
-> usb auto-copy enable
Connect the USB flash drive to the CMM; the
images will be validated and copied to the
/flash/working directory of the CMM and the
switch will reboot from the working directory
applying the code upgrade
* xxxx= 6350 - switch model
Managing Files and Directories
Upgrading Switch Software
Transfer new image files to the /flash/working directory
Use methods previously discussed
OS Package
KF3base.img Base Software
KF3eni.img Base Software NI image for all Ethernet-type NIs
KF3os.img Base Software Operating System
KF3secu.img Optional Security (AVLANS)
-> reload working no rollback-timeout
-> copy working certified
Flash Directory (/flash): Swlog1.log, Swlog2.log, Boot.params, network, switch
Working Directory: secu.img, base.img, eni.img, os.img
Certified Directory: secu.img, base.img, eni.img, os.img
Managing Files
Upgrading/Monitoring Switch Software
-> show microcode [working | certified | loaded]
-> show microcode
Package           Release         Size      Description
-----------------+---------------+--------+-----------------------------------
Kbase.img         6.4.5.402.R02   20599723  Alcatel-Lucent Base Software
Kadvrout.img      6.4.5.402.R02    2991820  Alcatel-Lucent Advanced Routing
K2os.img          6.4.5.402.R02    1965391  Alcatel-Lucent OS
Keni.img          6.4.5.402.R02    6093065  Alcatel-Lucent NI software
Ksecu.img         6.4.5.402.R02     649040  Alcatel-Lucent Security Management
Kencrypt.img      6.4.5.402.R02       3437  Alcatel-Lucent Encryption Management

sw5 (OS6450-A) -> show microcode
Package           Release         Size      Description
-----------------+---------------+--------+-----------------------------------
KF3base.img       6.7.1.146.R01   17108875  Alcatel-Lucent Base Software
KFos.img          6.7.1.146.R01    2604933  Alcatel-Lucent OS
KFeni.img         6.7.1.146.R01    5880634  Alcatel-Lucent NI software
KFsecu.img        6.7.1.146.R01     614320  Alcatel-Lucent Security Management
KFdiag.img        6.7.1.146.R01    2411898  Alcatel-Lucent Diagnostic Software
Configuration Methods - Command Line Interface
Command Line Interface
Online configuration via real-time sessions using CLI commands
Console or Telnet
Offline configuration using text file holding CLI commands
Transfer to switch at a later time
Snapshot feature captures switch configurations in a text file
configuration snapshot feature_list [path/filename]
configuration apply filename
show configuration snapshot [feature_list]
Command Line Interface - Options
Command Line Editing
Use ‘!!’, arrow, delete, insert keys to recall and modify previous commands
Command Prefix Recognition
Remembers command prefixes to reduce typing
CLI Prompt Option
Modify the CLI prompt
Command Help
Use ‘?’ to display possible parameters
Keyword Completion
Use <TAB> key to auto complete keywords
Command History (up to 30 commands)
Display a list of previously entered commands
Command Logging (up to 100 commands; detailed information)
Logs command and results of the command entered
Syntax Error Display
Displays indicators showing what is wrong and where in the command
Alias Command Option
Substitute text for CLI command
More Command
Set the number of displayed lines
Command Line Interface - Basic Management Commands
-> show running-directory
-> write memory
-> copy working certified
-> copy flash-synchro
-> reload working no rollback-timeout
-> reload primary at 08:43 july 24
Confirm delayed reload (Y/N): y
-> show configuration snapshot all
-> show ip interface
-> show vlan
….
Ethernet Ports - CLI Setting Port Options
-> interfaces slot[/port[-port2]] speed {auto | 10 | 100 | 1000 | 10000 | max {100 | 1000}}
-> interfaces slot[/port] mode {uplink | stacking}
-> interfaces slot[/port[-port2]] autoneg {enable | disable | on | off}
-> interfaces slot[/port[-port2]] crossover {auto | mdix | mdi}
-> interfaces slot[/port[-port2]] pause {tx | rx | tx-and-rx | disable}
-> interfaces slot[/port[-port2]] duplex {full | half | auto}
-> interfaces slot[/port[-port2]] admin {up | down}
-> interfaces slot/port alias description
-> interfaces slot[/port[-port2]] no l2 statistics [cli]
-> interfaces slot[/port[-port2]] max frame bytes
-> interfaces slot[/port[-port2]] flood multicast {enable | disable}
-> interfaces slot[/port[-port2]] flood [broadcast | multicast | unknown-unicast|all] [enable | disable]
-> interfaces violation-recovery-time
-> interfaces violation-recovery-trap
-> interfaces clear-violation-all
Port parameters setting
• Ethernet Ports: Fixed 10/100/1000BaseT
• SFP Ports: SFP connectors for 100/1000 Base-X SFP connectors
• Combo Ports: Combo RJ45/SFP connectors for 10/100/1000BaseT or 1000Base-X
• XFP Ports: 10 Gbps Small Form Factor Pluggable (XFP) transceivers
• SFP+ Ports: 10 Gbps Small Form Factor Pluggable Plus (SFP+) transceivers
Ethernet Ports - CLI Monitoring
-> show interfaces
-> show interfaces capability
-> show interfaces flow control
-> show interfaces pause
-> show interfaces e2e-flow-vlan
-> show interfaces accounting
-> show interfaces counters
-> show interfaces counters errors
-> show interfaces collisions
-> show interfaces status
-> show interfaces port
-> show interfaces ifg
-> show interfaces flood rate
-> show interfaces traffic
-> show interfaces transceiver

-> show interfaces port
Slot/  Admin      Link      Violations  Alias
Port   Status     Status
-----+----------+---------+----------+-------------
1/1    enable     down      none        " sales "
1/2    enable     down      none        " sales "
1/3    enable     down      none        " sales "
1/4    enable     down      none        " sales "
1/5    enable     down      none        " sales "
1/6    enable     down      none        " sales "
1/7    enable     down      none        " sales "
1/8    enable     down      none        " sales "
….….

-> show interfaces 1/10
Slot/Port 1/10 :
  Operational Status : up,
  Last Time Link Changed : TUE NOV 22 12:19:52 ,
  Number of Status Change: 1,
  Type : Ethernet,
  SFP/XFP : Not Present,
  MAC address : 00:e0:b1:c5:3a:0b,
  BandWidth (Megabits) : 1000, Duplex : Full,
  Autonegotiation : 1 [ 1000-F 100-F 100-H 10-F 10-H ],
  Long Frame Size(Bytes) : 9216,
  Rx :
  Bytes Received : 233117328, Unicast Frames : 51104,
  Broadcast Frames: 22156, M-cast Frames : 3542048,
  UnderSize Frames: 0, OverSize Frames: 0,
  Lost Frames : 0, Error Frames : 0,
  CRC Error Frames: 0, Alignments Err : 0,
  Tx :
  Bytes Xmitted : 14720188, Unicast Frames : 12,
  Broadcast Frames: 1870, M-cast Frames : 227257,
  UnderSize Frames: 0, OverSize Frames: 0,
  Lost Frames : 0, Collided Frames: 0,
  Error Frames : 0

-> show interfaces 1/10 capability
Slot/Port    AutoNeg   Flow     Crossover   Speed      Duplex
-----------+---------+--------+-----------+----------+----------
1/10 CAP     EN/DIS    EN/DIS   MDI/X/Auto  10/100/1G  Full/Half
1/10 DEF     EN        DIS      Auto        Auto       Auto
Pre-Banner Text
Provides ability to display custom message before user login
Any text stored in pre_banner.txt file in /flash directory will be displayed
before login prompt
Ex.
Please supply your user name and password at the prompts.
login : user123
password :*****
WebView
Monitoring and configuring the switch by using WebView
Embedded in switch software
Supports the following web browsers
Internet Explorer 6.0 and later for Windows NT, 2000, XP, 2003
Firefox 2.0 for Windows and Solaris SunOS 5.10
WebView configuration
-> ip http server or https server – Enables the WebView Application (default)
-> ip http ssl or https ssl – Forces SSL connection between browser and switch (default=disabled)
-> ip http port or https port – Changes the port number for the embedded Web server
-> aaa authentication http local – Checks the local database for HTTP authentication
-> show ip http
Web Management = on
Web Management Force SSL = off
Web Management Http Port = 80
Web Management Https Port = 443
Access Methods
Specifications
The switch may be set up to allow or deny access through any of the available
management interfaces
Console, Telnet, HTTP, HTTPS, FTP, Secure Shell, and SNMP
Configured through the Authenticated Switch Access (ASA) feature
Authentication and authorization
Local or external database
Switch Security Specifications
Telnet - 4 concurrent sessions
FTP - 4 concurrent sessions
HTTP - 4 concurrent sessions
SSH + SFTP - 8 concurrent sessions
Total sessions (Secure Shell, Telnet, FTP, HTTP, and console) - 20
SNMP - 50 concurrent sessions
User Accounts
Role Based Management – Account creation
-> user username [password password] [expiration {day | date}] [read-only | read-write
[families... |domains...| all | none]] [no snmp | no auth | sha | md5 | sha+des |
md5+des] [end-user profile name] [console-only {enable | disable}]
-> no user username
“admin” user restriction to console only
-> user admin console-only {enable | disable}
Minimum password length
-> user password-size min 10
Password expiration
-> user password-expiration 5 (Expires in 5 days for all users)
-> user user1 password userpass expiration 5 (Specific user)
-> user user1 password userpass expiration 12/01/2016 15:30
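An added example (not Alcatel-Lucent code): a linter for the offline CLI text file described under Configuration Methods, checking it against the account and WebView settings listed above before it is applied. The 10-character threshold, the finding names and both sample files are assumptions constructed for illustration.

```python
# Added example (not vendor code): lint an offline AOS CLI text file against
# the account and WebView settings this page lists.

MIN_PASSWORD_LEN = 10        # assumption: site policy, same value as the page's example
DEFAULT_PASSWORD = "switch"  # default admin password stated on the page

# Constructed samples: CLI commands, one per line, as in an offline config file.
SAMPLE_WEAK = """\
! constructed lab file
user password-size min 6
-> user admin console-only disable
user admin password switch
user monitor password Lab-Readonly-2018 read-only all md5+des
aaa authentication http local
ip http server
"""

SAMPLE_HARDENED = """\
user password-size min 10
user password-expiration 5
user admin console-only enable
user netops password Xq7-constructed-Passphrase read-write all sha+des
ip http ssl
aaa authentication http local
"""


def commands(text):
    """Yield commands with the '->' prompt stripped; skip blanks and '!' comments."""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("->"):
            line = line[2:].strip()
        if line and not line.startswith("!"):
            yield line


def _audit_user(tok, min_len):
    """Findings for one 'user <name> ...' command. Passwords are never echoed."""
    name, opts = tok[1], tok[2:]
    out = []
    if name == "admin" and opts[:2] == ["console-only", "disable"]:
        out.append(("admin-remote-access",
                    "admin is no longer restricted to the console port"))
    idx = opts.index("password") if "password" in opts else -1
    if 0 <= idx < len(opts) - 1:
        password = opts[idx + 1]
        if password == DEFAULT_PASSWORD:
            out.append(("default-password",
                        f"user {name} is set to the factory default password"))
        elif len(password) < min_len:
            out.append(("short-password",
                        f"user {name} password is shorter than {min_len} characters"))
    if "md5" in opts or "md5+des" in opts:
        out.append(("snmp-md5",
                    f"user {name} uses MD5 for SNMP; sha or sha+des is available"))
    return out


def audit_config(text, min_len=MIN_PASSWORD_LEN):
    """Return a list of (code, detail) findings for the whole file."""
    findings = []
    min_size, expiration_set, force_ssl = None, False, False
    for line in commands(text):
        tok = line.split()
        if tok[:3] == ["user", "password-size", "min"] and len(tok) > 3 and tok[3].isdigit():
            min_size = int(tok[3])
        elif tok[:2] == ["user", "password-expiration"]:
            expiration_set = True
        elif tok[:3] == ["ip", "http", "ssl"] or tok[:2] == ["https", "ssl"]:
            force_ssl = True
        elif tok[0] == "user" and len(tok) > 2:
            findings.extend(_audit_user(tok, min_len))
    if min_size is None:
        findings.append(("password-size-unset", "no 'user password-size min' command"))
    elif min_size < min_len:
        findings.append(("password-size-weak",
                         f"minimum password length {min_size} is below {min_len}"))
    if not expiration_set:
        findings.append(("password-expiration-unset",
                         "no global 'user password-expiration' command"))
    if not force_ssl:
        findings.append(("webview-ssl-not-forced",
                         "WebView is on by default and SSL is not forced"))
    return findings


def config_codes(text):
    """Finding codes only, in the order they were raised."""
    return [code for code, _ in audit_config(text)]


if __name__ == "__main__":
    for code, detail in audit_config(SAMPLE_WEAK):
        print(f"{code}: {detail}")
```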
OMNIACCESS WLAN - OMNISWITCH
Contents
1 Objective
2 Equipment/Software required
3 Supported Platforms
4 Lab Steps
Labs Overview
1 Objective
The objective of the following labs is to be able to configure an OmniSwitch 6350-10 with an AP 1101 which
contains three SSIDs: Employee, Guest and Voice.
To do that, you will have to configure the needed VLANs on the switch with the proper gateways and activate
Power over Ethernet.
On the AP, you will have to configure the three SSIDs.
2 Equipment/Software required
One OmniSwitch 6350-P10
One AP 1101
One or Two Laptops or PCs
3 Supported Platforms
All – 6350-P10 in these labs
4 Lab Steps
To reach the objective, we are going to use the following diagram:
OS 6350-P10
Port 1/1 Port 1/3 Console Port
Client PC1 AP 1101 Admin Console PC
We will also use the following table as reference for the VLANs:
VLAN Name VLAN ID IP Address Pool Gateway
IAP 11 192.168.11.0/24 192.168.11.1
Employee 12 192.168.12.0/24 192.168.12.1
Guest 13 192.168.13.0/24 192.168.13.1
Voice 14 192.168.14.0/24 192.168.14.1
The different steps to reach the objective are as follows:
LAB1 OmniSwitch Overview (optional)
This lab helps people who do not have any experience on OmniSwitches to discover the command line
interface through basic commands and to discover the redundant architecture of the AOS (Alcatel-Lucent
Operating System) using Working and Certified directories
LAB2 Configure VLANs and gateways on the switch
The first step will be to configure the needed VLANs on the switch. In this lab, we will see how to create
multiple VLANs and how to put some ports into the different VLANs
LAB3 Configure AP
The last step consists in configuring the different SSIDs on the AP. We will use the web based interface of the
AP to do so.
OMNISWITCH ACCESS
CONFIGURATION AND MANAGEMENT
Overview – Necessary Knowledge
How to
familiarize you with the code, WORKING and CERTIFIED directories, image files, USB drive support, GUI interface and user access rights
Contents
1 Lab Steps
1.1. Gathering Switch Information
1.2. Ethernet Port Configuration
2 Working/certified Directories
2.1. Working/CERTIFIED Directory
2.2. Summary
3 Operating System
3.1. Lab Steps
4 Annexes – If you want to know more
5 USB Flash Drive
5.1. Lab Steps
6 Web View Remote Access
6.1. Lab Steps
6.2. Secure Socket Layer
7 Switch Security Access
7.1. Lab Steps
7.2. Creating/Deleting Users
7.3. Partition Management
7.4. Summary
Hardware Information and Operation
It’s important to determine code versions and serial numbers of the switch. These can be helpful for troubleshooting when dealing with customer support or for upgrading switch hardware and software.
1 Lab Steps
The following will show you how to gather code and module information on a switch.
1.1. Gathering Switch Information
Enter the following commands to gather basic switch information about hardware and software.
Type the following:
-> show hardware info – Information on CPU, Memory, Miniboot.
-> show microcode – Code descriptions and versions.
-> show chassis – Chassis type and part numbers.
-> show cmm – Processor and fabric board information.
-> show ni – Networking interface information.
-> show power – Power supply information.
-> show fan – Fan Information.
-> show temperature – Temperature and temperature threshold.
-> show health – health statistics.
The commands listed on page 1 will tell you the version of code running on the switch as well as revision level and serial numbers for the modules, power supplies and fans.
OS 6350-10
Console Port
Admin Console PC
1.2. Ethernet Port Configuration
You can allow Ethernet ports to auto-negotiate the speed and duplex, or you can manually set them. Enter the following commands to change and view the configuration of the Ethernet ports as well as gather frame statistics and error counts:
Enter:
-> show interfaces slot/port – Tells whether the port is active or not as well as traffic statistics.
-> interfaces slot/port duplex [half,full,auto] – Sets the duplex mode.
-> interfaces slot/port speed [10,100,1000,auto] – Sets the speed.
-> interfaces slot/port admin [up,down] – enable or disable a port.
-> show interfaces status – Display line interface settings
-> show interfaces slot/port accounting – gather frame statistics.
-> show interfaces slot/port counters – gather error and frame counts.
Use ‘?’ to experiment with other interface commands
2 Working/certified Directories
An OmniSwitch provides the user with the ability to keep two separate configurations stored on the switch. These configurations are stored in the WORKING and CERTIFIED directories. The switch can boot from either configuration.
2.1. Working/CERTIFIED Directory
Ensure that there is a console connection to the switch, open your communication software such as HyperTerminal or ProComm and power cycle the switch.
Default Com Settings:
BPS – 9600
Data Bits – 8
Parity – None
Stop Bits – 1
Flow Control – None
Watch as the switch boots, take note of the various messages that scroll across the screen as well as which directory the switch is booting from. Once prompted, log in to the switch.
Type the following:
login: admin
password: switch
-> exit
login: admin
password: switch
-> show system
After logging back in, check to see which directory the switch booted from. It will show either CERTIFIED or WORKING. The switch boots from the CERTIFIED directory when the configurations in the WORKING and CERTIFIED directories differ. If the configurations are identical, including code and the boot.cfg file, it will boot from WORKING. The directory in use is shown under ‘Running Configuration’.
Type the following:
-> show running-directory
CONFIGURATION STATUS
  Running CMM : PRIMARY,
  CMM Mode : DUAL CMMs,
  Current CMM Slot : A,
  Running configuration : WORKING,
  Certify/Restore Status : CERTIFIED
SYNCHRONIZATION STATUS
  Flash Between CMMs : NOT SYNCHRONIZED,
  Running Configuration : NOT SYNCHRONIZED,
  NIs Reload On Takeover : ALL NIs (RUNNING Directories OUT-OF-SYNC)
Now let’s check to see what version of code is running on the switch as well as what files are stored in both the WORKING and CERTIFIED directories. These topics will be discussed in more detail in a later lab.
Type the following:
-> show running-directory
-> ls /flash/working
-> ls /flash/certified
The switch can be forced to boot from the WORKING directory even if the configurations are different. If changes were made, but not saved, you will be prompted to confirm the reboot.
Type the following (on Release 6 switches):
-> reload working no rollback-timeout
Confirm Activate (Y/N) : y
This will reboot the switch, but it will now boot from the WORKING directory. The ‘no rollback’ parameter tells the switch to continue running under the WORKING directory permanently rather than rebooting after a specified amount of time.
Once the switch boots, verify that it booted from the WORKING directory.
Type the following:
-> show running-directory
CONFIGURATION STATUS
  Running CMM : PRIMARY,
  CMM Mode : DUAL CMMs,
  Current CMM Slot : A,
  Running configuration : WORKING,
  Certify/Restore Status : CERTIFIED
SYNCHRONIZATION STATUS
  Flash Between CMMs : NOT SYNCHRONIZED,
  Running Configuration : NOT SYNCHRONIZED,
  NIs Reload On Takeover : ALL NIs (RUNNING Directories OUT-OF-SYNC)
To see what version of code is running, type:
-> show microcode
Make note of the version of code you are running (e.g. – 6.7.1.X. RX) - where X represents a minor code revision and release number. Note that older switch code versions will be different but still within the R6 code version stream.
2.2. Summary
The WORKING and CERTIFIED directories provide the opportunity to have two different configurations or versions of code on the switch. The CERTIFIED version can be used as a backup to the WORKING directory. These two directories will be discussed in more detail in a later lab.
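An added example (not part of the original lab and not vendor code): a parser for the `show running-directory` output shown above that reports when the switch is running from CERTIFIED, when WORKING has not been certified, or when the CMMs are out of sync, which is the check to run after the upgrade and certify steps. Both sample outputs are constructed from the format printed in this lab; the finding names and the fail-closed handling of missing fields are assumptions.

```python
# Added example (not vendor code): audit `show running-directory` output.
# The SAMPLE_* texts are constructed from the output format shown in this lab.

SAMPLE_OUT_OF_SYNC = """\
-> show running-directory
CONFIGURATION STATUS
  Running CMM              : PRIMARY,
  CMM Mode                 : DUAL CMMs,
  Current CMM Slot         : A,
  Running configuration    : WORKING,
  Certify/Restore Status   : CERTIFIED
SYNCHRONIZATION STATUS
  Flash Between CMMs       : NOT SYNCHRONIZED,
  Running Configuration    : NOT SYNCHRONIZED,
  NIs Reload On Takeover   : ALL NIs (RUNNING Directories OUT-OF-SYNC)
"""

SAMPLE_ROLLED_BACK = """\
CONFIGURATION STATUS
  Running CMM              : PRIMARY,
  CMM Mode                 : DUAL CMMs,
  Current CMM Slot         : A,
  Running configuration    : CERTIFIED,
  Certify/Restore Status   : CERTIFY NEEDED
SYNCHRONIZATION STATUS
  Flash Between CMMs       : SYNCHRONIZED,
  Running Configuration    : SYNCHRONIZED,
  NIs Reload On Takeover   : NONE
"""

# (section, field, expected value, finding code, what it means)
CHECKS = (
    ("configuration status", "running configuration", "WORKING",
     "running-from-certified",
     "WORKING and CERTIFIED differed at boot, so the switch fell back to CERTIFIED"),
    ("configuration status", "certify/restore status", "CERTIFIED",
     "working-not-certified",
     "validate the change, then run 'copy working certified'"),
    ("synchronization status", "flash between cmms", "SYNCHRONIZED",
     "flash-not-synchronized",
     "CMM flash contents differ; see 'copy flash-synchro'"),
    ("synchronization status", "running configuration", "SYNCHRONIZED",
     "running-config-not-synchronized",
     "a takeover would not carry the current configuration"),
)


def parse_running_directory(text):
    """Return {section: {field: value}} with lower-cased section and field names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("->"):
            continue                      # blank line or echoed command
        if ":" not in line:
            current = sections.setdefault(line.lower(), {})   # section heading
            continue
        if current is None:
            current = sections.setdefault("", {})
        key, _, value = line.partition(":")
        current[key.strip().lower()] = value.strip().rstrip(",").strip()
    return sections


def audit_running_directory(text):
    """Return (code, detail) findings; a missing field is reported, not ignored."""
    state = parse_running_directory(text)
    findings = []
    for section, field, expected, code, meaning in CHECKS:
        actual = state.get(section, {}).get(field)
        if actual is None:
            findings.append(("unverified:" + code,
                             f"'{field}' not found under '{section}'"))
        elif actual.upper() != expected:
            findings.append((code, f"{field} is {actual}: {meaning}"))
    return findings


def running_directory_codes(text):
    """Finding codes only, in check order."""
    return [code for code, _ in audit_running_directory(text)]


if __name__ == "__main__":
    for name, sample in (("out of sync", SAMPLE_OUT_OF_SYNC),
                         ("rolled back", SAMPLE_ROLLED_BACK)):
        print(name)
        for code, detail in audit_running_directory(sample):
            print(f"  {code}: {detail}")
```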
3 Operating System
An OmniSwitch provides the user with the ability to keep two separate configurations stored on the switch. These configurations are stored in the WORKING and CERTIFIED directories. The switch can boot from either configuration.
3.1. Lab Steps
This lab introduces the commands necessary to navigate the directory structure of the switch. It also introduces the CLI and its line-editing feature, as well as saving and applying configuration files.
The switch can be configured using SNMP, WebView or the CLI. In this section, we’ll concentrate on the CLI, its syntax, and its line-editing feature. The CLI gives you the ability to search for parameters if the complete command is not known as well as recall and edit previous commands.
Using ‘?’
A ‘?’ can be used to get a list of possible commands. Additionally, a question mark can be entered after a command is started to get a list of available parameters.
Type the following:
login: admin password: switch
-> ?
-> vlan ?
Notice the list of options available with the vlan command. Experiment with this for some other
commands such as ‘show?’, ‘aaa?’, or ‘copy?’; this can be a useful feature when you are unsure of the entire command.
Also, entering a ‘?’ after a letter or string of letters, will list all commands that begin with that string.
Type the following:
-> po?
Using <TAB>
Abbreviated commands are not allowed, however, pressing the <TAB> key will automatically complete any partial commands.
Type the following:
-> sh<TAB> vl<TAB>
CLI Line Editor and History
Some additional capabilities of the CLI are to display the last command entered, modify commands, scroll through previous commands, and to re-enter a specific previously entered command.
Display the previous command
Type the following:
-> !!
You can now modify the command as necessary. Additionally, you can use the arrow keys to scroll through previous commands.
You can also display a list of previously entered commands, copy one of those commands to the CLI, modify it if needed, and re-enter it.
Type the following:
-> show history
-> !# (‘#’ = command number)
You now have the ability to edit the command as needed and re-enter it. You can bring up the last command that begins with a prefix. Bring up the last command previously entered that begins with ‘show’. Enter:
-> !show
Directory Structure
It is important to understand the directory structure of an OmniSwitch. Different directories store different configurations on the switch. There are two main directories, flash/Working and flash/Certified. Each contains a configuration for the switch. The switch uses basic UNIX commands to create, delete, move and copy files and directories.
pwd – show current directory.
cd – change directory.
mkdir – create a new directory.
ls – list contents of a directory.
dir – list contents of a directory.
mv – move a file.
cp – copy a file.
rm – remove a file.
Type the following:
-> ls
-> pwd
-> cd /flash/working
-> ls -l (view file date/times including boot.cfg)
-> pwd
-> cd ..
-> cd certified
-> pwd
-> cd /flash
-> pwd
Note: Be careful not to move or delete any important files.
Configuration Basics
There are three different versions of a configuration on an OmniSwitch: the Working, Certified, and Running versions. When the switch boots, it boots from either the WORKING or the CERTIFIED directory, depending on the switch configuration. Once it has booted from one of these directories, that configuration becomes the Running Configuration.
Running Configuration
Let’s create three new VLANs numbered VLAN 2, VLAN 3, and VLAN 99.
Type the following:
-> vlan 2
-> vlan 3
-> vlan 99
-> show vlan
[Do you remember the shortcut using the <tab> key?]
The above commands created three VLANs with their respective numbers. Entering the commands makes changes to the Running Configuration. The changes take effect immediately, but have not been written permanently. To demonstrate this, reboot the switch.
Type the following :
-> reload working no rollback-timeout
When the switch reboots, login and check to see which VLANs have been created.
Type the following:
-> show vlan
Notice that the VLANs do not exist. This is because the changes were made to the Running Configuration, but not saved. Let’s do the same again, but this time we’ll save the changes to the WORKING directory.
Working Directory
The WORKING directory is a directory on the switch where the configuration file and code are stored. This directory can be read when the switch boots and the configuration stored in the boot.cfg file will be applied.
Re-Type the following:
-> vlan 2
-> vlan 3
-> vlan 99
-> show vlan
The configuration file the switch reads upon boot is called boot.cfg. The boot.cfg file can exist in either the WORKING or CERTIFIED directory.
Type the following:
-> write memory
File /flash/working/boot.cfg replaced.
This file may be overwritten if "takeover" is executed before "certify"
The command above writes the running configuration to the boot.cfg file in the WORKING directory. Now if the switch is rebooted from the WORKING directory, the configuration will be retained. Let’s reboot the switch, giving it the command to reboot from the configuration stored in the WORKING directory.
Type the following:
-> reload working no rollback-timeout
When the switch reboots log in and type the command to view the VLANs.
Type the following:
-> show vlan
Notice the VLANs are still there since they were saved to the boot.cfg file in the WORKING directory and the switch booted from the WORKING directory.
The boot.cfg file contains the switch configuration that gets read when the switch boots; we will view this file in the next section. By using the parameter ‘no rollback-timeout’ with the reload command, the switch will permanently run with that configuration. The ‘rollback-timeout’ parameter could be used to have the switch automatically reboot after a specified amount of time. The following command will cause the switch to reboot to the WORKING directory, then after 1 minute, reboot again.
-> reload working rollback-timeout 1
Certified Directory
Recall that the CERTIFIED directory can be used to store a backup configuration on the switch. When the switch boots, it compares the configurations in the WORKING and CERTIFIED directories: if they are the same, it boots from the WORKING directory; if they differ, it boots from the CERTIFIED directory. Let’s reboot the switch without telling it specifically to boot from the WORKING directory.
Enter:
-> reload
When the switch reboots, check for the VLANs.
Enter:
-> show vlan
Notice they are gone. This is because the switch booted from the CERTIFIED directory. Enter the command to show which directory the switch booted from.
Enter:
-> show running-directory
The switch booted from the CERTIFIED directory because the changes saved to the WORKING directory have not been saved to the CERTIFIED directory, causing the two directories to be different.
Changes cannot be written directly to the CERTIFIED directory; they can only be copied to the CERTIFIED directory from the WORKING directory. Let’s reboot the switch from the WORKING directory once again.
Enter:
-> reload working no rollback-timeout
When the switch reboots, log in and enter the command to see which directory the switch booted from as well as the Certify/Restore status.
-> show running-directory
CONFIGURATION STATUS
 Running CMM : PRIMARY,
 CMM Mode : DUAL CMMs,
 Current CMM Slot : A,
 Running configuration : WORKING,
 Certify/Restore Status : CERTIFIED NEEDED
SYNCHRONIZATION STATUS
 Flash Between CMMs : NOT SYNCHRONIZED,
 Running Configuration : NOT SYNCHRONIZED,
 NIs Reload On Takeover : ALL NIs (RUNNING Directories OUT-OF-SYNC)
Notice that the entry reads ‘CERTIFY NEEDED’. This indicates that the WORKING directory has not been copied to the CERTIFIED directory. Enter the command to copy the configuration in the WORKING directory to the CERTIFIED directory.
Enter:
-> copy working certified
The above command “Certifies” the WORKING directory. You now have a backup configuration stored in the CERTIFIED directory. Enter the command to check the Certify/Restore status and notice that it reads ‘CERTIFIED’.
-> show running-directory
CONFIGURATION STATUS
 Running CMM : PRIMARY,
 CMM Mode : DUAL CMMs,
 Current CMM Slot : A,
 Running configuration : WORKING,
 Certify/Restore Status : CERTIFIED
SYNCHRONIZATION STATUS
 Flash Between CMMs : NOT SYNCHRONIZED,
 Running Configuration : NOT SYNCHRONIZED,
 NIs Reload On Takeover : ALL NIs (RUNNING Directories OUT-OF-SYNC)
Note: The ‘copy working certified’ command should be used only after the configuration in the WORKING directory is known to be good (or valid).
Snapshot / Text Based Configuration
The snapshot feature allows a text file to be created based on the current running configuration. This file can then be uploaded from the switch, manipulated, and applied to other switches.
The command “more” enables the more mode for your console screen display.
Type the following:
-> show configuration snapshot all
-> write terminal
The commands above list your current running configuration on the screen. You can capture your configuration to a text file. Either command can be used.
Type the following.
-> configuration snapshot all snapall
The above command creates a snapshot of the entire switch configuration and copies it to a file called snapall in the current directory.
Type the following:
-> view snapall
The above command will bring up the vi editor but allows you to only view the file. Notice the syntax of
the ASCII file. Use the ‘j’ and ‘k’ keys to scroll up and down respectively.
Note: Entering ‘vi’ instead of ‘view’ will allow you to use the vi editor to edit the file. Exit
from viewing the snapshot file. If vi is used, ‘<esc> :q!’ exits the vi session.
Type the following:
-> :q
The ‘more’ command can be used as an alternative to view the file.
-> more snapall
It isn’t necessary to create a snapshot of the entire switch configuration. To create a snapshot of only the VLAN configuration enter the following.
Type the following:
-> vlan 5-7
-> show vlan
-> configuration snapshot vlan snapvlan
This will copy only the VLAN configuration to a file called snapvlan in the current directory. Additional options can be specified for creating snapshots. Enter the following to see the additional parameters and experiment with creating additional snapshots.
Enter:
-> configuration snapshot ?
A syntax check can be run on a configuration snapshot before it is applied.
Enter:
-> configuration syntax check snapvlan verbose
After running a syntax check, the snapshot can be applied to the switch. Let’s delete some existing VLANs and then reapply them using the VLAN snapshot.
Enter:
-> no vlan 5-7
-> show vlan
Notice the VLANs have been removed. Apply the VLAN snapshot saved earlier.
-> configuration apply snapvlan
-> show vlan
This will reapply the snapshot file used in the command and recreate VLANs 5, 6, and 7. This command can be used to apply a snapshot taken from another switch to help make configuration easier.
4 Annexes – If you want to know more
In this section, you will find optional labs.
5 USB Flash Drive
An Alcatel-Lucent certified USB flash drive can be connected to the CMM and used to transfer images to and from the flash memory on the switch. This can be used for upgrading switch code or backing up files. Additionally, automatic code upgrades as well as the capability to boot from the USB flash drive for disaster recovery purposes are also supported.
This lab introduces the use of the OmniSwitch USB port. For this lab, we will only demonstrate how to copy a file from the switch to the USB memory stick.
5.1. Lab Steps
You will need to plug a USB memory stick into the USB port of the OmniSwitch.
Then type the following commands on the OmniSwitch to mount the USB flash drive and transfer files to it. For this lab, we will only copy the configuration file (boot.cfg) from the switch to the USB flash drive.
-> usb enable
-> cp /flash/working/boot.cfg /uflash/boot.cfg
Then check that the files were transferred to your USB drive.
-> cd /uflash
-> ls
6 Web View Remote Access
By default, remote access is not allowed on an OmniSwitch. This is a security measure to prevent unauthorized access. In order to allow remote access, including Telnet and WebView (HTTP), the switch must be configured to allow it.
6.1. Lab Steps
Before beginning, reboot the switch from the WORKING directory. (Using your console connection)
Enter:
-> rm /flash/working/boot.cfg
-> reload working no rollback-timeout
When the switch reboots, save the configuration to the boot.cfg file.
Enter:
-> write memory
-> copy working certified
[Figure: OS 6350-10 lab setup. Labels: Port 1/1; Console Port; Admin Console PC; “When ready to test WebView”]
Steps for connecting to a virtual IP address on the switch
Create a virtual router IP address for VLAN 1 with a class C netmask.
Enter:
-> ip interface VLAN1 address 10.0.1.1/24 vlan 1 (using your console connection)
If you do not have a second PC move the connection from your PC to the Ethernet adapter and connect directly to port 1/1 of the switch. Change the settings on the PC Ethernet adapter to:
IP Address: 10.0.1.2
Netmask: 255.255.255.0
Def. Gateway: 10.0.1.1
If you do have a second PC available, perform the above on it and leave your console session connected as it was previously.
Ensure you have IP connectivity by pinging the switch via the PC attached to switch port 1/1. Once IP connectivity has been established, from your console connected PC enter the command to show the current status of Web Management.
Enter:
-> show http
Web Management = on
Web Management Force SSL = off
Web Management Http Port = 80
Web Management Https Port = 443
Bring up a web browser on the Ethernet connected PC, and enter the IP address of the switch (10.0.1.1) in the URL.
You should still not be able to access the switch. If a message in your browser displays telling you that Web Management is disabled enter the following to enable Web Management.
Enter:
-> ip http server
Now that Web Management has been enabled, try connecting again using a web browser using admin and switch to login. You still do not have the ability to login and configure the switch with WebView.
You should receive a message indicating an invalid username and password was entered. Display the current AAA authentication settings.
Enter:
-> show aaa authentication
Under the HTTP section, it indicates that HTTP access is denied. By default, all remote access is denied. Let’s enable remote access.
Enter:
-> aaa authentication http local
-> show aaa authentication
This configures the switch to check the local database for any type of login. You could also have entered
‘aaa authentication default local’ to have it check the local database for all access methods such as FTP or TELNET. Take note of the various methods of access and their default values.
Attempt remote access via your browser again, you should have access to the switch.
6.2. Secure Socket Layer
The Secure Socket Layer feature of WebView allows for secure access to the switch by encrypting the HTML from the web browser to the switch. Keep in mind that the switch is capable of handling SSL at any time. The following command forces SSL communication between the switch and browser; non-encrypted HTML will not be accepted. The force-ssl option is enabled by default on R7 switches.
Enter:
-> ip http ssl
-> ip
-> show http
Web Management = off
Web Management Force SSL = on
Web Management Http Port = 80
Web Management Https Port = 443
Try connecting by using https://{IP Address} in your web browser, the communication is now encrypted using SSL.
Now, look around:
Under Networking --- IP (vertical options on left) rollover IP (along horizontal at the top) and then click on Global. What are the IP Route Preferences?
Under Networking --- IP rollover IP and Interfaces then click on Configured.
Under System -- Interfaces, click on General. Make note of the MAC address of the port your PC is connected to. Also, take a look at Statistics (Input and Output).
7 Switch Security Access
This lab is designed to familiarize you with the switch security features of an OmniSwitch. With this feature, users with different access rights and configuration abilities can be created.
Security is an important element on an OmniSwitch. In this lab, we’ll discover how to create users and manipulate the read and write privileges on the switch.
7.1. Lab Steps
Before you begin this lab, remove the boot.cfg file in the working and certified directories, and type reload, to set your switch back to factory defaults. [You may also need to remove userTable5 from the network directory.]
To view a list of users already created enter the following.
Enter:
-> show user
You should see at least 2 users: admin and default. Notice the read and write privileges for each user and domain, as well as the SNMP privileges.
Admin – Default user with full capability to configure the switch and create additional users.
Default – This account cannot be used to login to the switch. These privileges are applied to all new users created on the switch. By default, new users have no privileges; however the privileges of the default user can be modified if desired.
-> show user
User name = admin
 Password expiration = None,
 Read-Only for domains = None,
 Read/Write for domains = All ,
 SNMP allowed = NO
User name = default
 Password expiration = None,
 Read-Only for domains = None,
 Read/Write for domains = None ,
 Snmp Allowed = NO
As you can see, new users have no administrative rights by default. (In the next section we’ll see how to create new users and configure administrative rights for them).
7.2. Creating/Deleting Users
If the user accounts of userread and userwrite have already been created, then use the following commands to delete them before continuing.
Enter:
-> no user userread
-> no user userwrite
-> write memory
Next, we’ll create two new users called userread and userwrite, assign them passwords, and save the configuration.
Enter:
-> user userread password userread
(You have created a new user, but they can’t do anything yet. You don’t have privileges because the default user privileges get assigned to all new users, and the default user has no privileges. If you do not set the privilege for a user, that user will not even be able to login).
-> user userread read-only ip
-> user userwrite password userwrite
-> user userwrite read-write ip
-> write memory
You will now log back in with either of these users. Then attempt to enter four commands (show vlan, show ip interface, ip interface…, and reload).
Enter:
-> exit
login: userread
password: ********
-> show vlan
-> show ip interface
-> ip interface vlan-1-20 address 192.168.20.1/24 vlan 1
-> reload
Which of these four commands worked? Try running various commands to see what access your privileges have given you.
-> show vlan
ERROR: Authorization failed. No functional privileges on this command
Login as userwrite and attempt the same three commands. What have you learned?
Now, log back in under the admin account and enter the command to see the new users.
Enter:
-> exit
login: admin
password: *****
-> show user
You will see the privileges you assigned to userread and userwrite.
User name = userread
 Password expiration = None,
 ReadOnly for domains = ,
 Read only for families = ip ,
 Read/Write for domains = None,
 SNMP allowed = NO
User name = userwrite
 Password expiration = None,
 Read-Only for domains = None,
 Read/Write for domains = ,
 Read/Write for families = ip ,
 SNMP allowed = NO
Now let’s change the privileges of userread and then view the changes.
Enter:
-> user userread read-only all
-> show user userread
-> write memory
You should now see that this user has full read access.
-> show user userread
User name = userread
 Password expiration = None,
 Read-Only for domains = All,
 Read/Write for domains = None ,
 SNMP allowed = NO
Log in as userread and type the following commands. Notice you now have the ability to view the information.
Enter:
-> exit
login: userread
password: ********
-> show vlan
-> show user
-> show chassis
Now let’s test the ability of this user to make changes to the switch.
Enter:
-> vlan 2
You will get an error saying you’re not authorized. This is because userread only has read privileges, not write privileges.
-> vlan 2
ERROR: Authorization failed. No functional privileges on this command
Log back in under admin and modify the privileges of userwrite to allow changes to the switch.
Enter:
-> exit
login: admin
password: *****
-> user userwrite read-write all
-> show user userwrite
-> write memory
You should now see that this user has full write privileges.
-> show user userwrite
User name = userwrite
 Password expiration = None,
 Read-Only for domains = None,
 Read/Write for domains = All ,
 SNMP allowed = NO
Login as userwrite, and enter the command to create a VLAN. You can now create VLANs since you have full write privileges.
Enter:
-> exit
login: userwrite
password: *********
-> vlan 2
7.3. Partition Management
You can give users privileges based on specific commands or groups of commands known as domains. This is known as Partition Management.
Let’s modify the privileges of userread and only give permission to run commands in the Layer2 domain.
Enter:
-> user userread read-only none
-> user userread read-only domain-layer2
-> show user userread
-> write memory
This gives the user read-only privileges to the commands under the Layer2 domain.
-> show user userread
User name = userread,
 Password expiration = None,
 Read-Only for domains = Layer 2,
 Read/Write for domains = All ,
 SNMP allowed = NO
Log in as userread and run the following commands.
Enter:
login: userread
password: ********
-> show vlan
-> show running-directory
You have the ability to run VLAN commands since they are under the layer2 domain. However, the ‘running-directory’ command will fail since you do not have access to the admin domain.
-> show running-directory
ERROR: Authorization failed. No functional privileges on this command
A list of the domains and the associated commands are available in the user guide. The same domain privileges can be applied for write access also.
Authenticated Switch Access
ASA provides the ability to restrict which users are able to configure the switch remotely. Switch login attempts can be challenged via the local database, or a remote database such as RADIUS or LDAP. ASA applies to Telnet, FTP, SNMP, SSH, HTTP, and the console and modem ports.
Enter the following to configure the switch to check the local database when a TELNET connection is attempted.
Enter:
-> aaa authentication telnet local
Ensure you have IP connectivity through a virtual router interface as shown in the Remote Access lab. Perform the following to test TELNET connectivity.
Telnet to the IP address on the switch from your PC
login: admin
password: *****
You will now be allowed to access the switch using a TELNET connection. This capability can be disabled if desired. From your console connection, perform the following to check the remote access status and then disable it.
Enter:
-> show aaa authentication
Notice that it shows TELNET authentication is being done locally, or by the switch’s internal database. No external authentication (RADIUS, LDAP) is being done at this time.
-> show aaa authentication
Service type = Default
 1rst authentication server = local
Service type = Console
 1rst authentication server = local
Service type = Telnet
 Authentication = Use Default,
 1rst authentication server = local
Service type = Ftp
 1rst authentication server = local
Service type = Http
 Authentication = Use Default,
 1rst authentication server = local
Service type = Snmp
 1rst authentication server = local
Service type = Ssh
 Authentication = Use Default,
 1rst authentication server = local
Now, let’s disable TELNET access and try connecting once again. From your console connection enter the following.
Enter:
-> no aaa authentication telnet
-> show aaa authentication
Service type = Default
 1rst authentication server = local
Service type = Console
 1rst authentication server = local
Service type = Telnet
 Authentication = Denied,
Service type = Ftp
 1rst authentication server = local
Service type = Http
 Authentication = Use Default,
 1rst authentication server = local
Service type = Snmp
 1rst authentication server = local
Service type = Ssh
 Authentication = Use Default,
 1rst authentication server = local
Attempt to TELNET the switch again.
Notice you are no longer authorized. Experiment with this feature using FTP and HTTP.
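The checks walked through above can be automated against captured CLI output. The following Python sketch is an added example, not part of the original lab or of any Alcatel-Lucent tool: it parses text laid out like the ‘show aaa authentication’ and ‘show http’ output in this lab and reports which remote access paths still accept logins without encryption. The sample text is constructed, and the function names are hypothetical.

```python
# Constructed sample: laid out like the "show aaa authentication" output in
# this lab after "no aaa authentication telnet" has been entered.
AAA_OUTPUT = """\
Service type = Default
 1rst authentication server = local
Service type = Console
 1rst authentication server = local
Service type = Telnet
 Authentication = Denied,
Service type = Ftp
 1rst authentication server = local
Service type = Http
 Authentication = Use Default,
 1rst authentication server = local
Service type = Snmp
 1rst authentication server = local
Service type = Ssh
 Authentication = Use Default,
 1rst authentication server = local
"""

# Constructed sample: "show http" before "ip http ssl" has been entered.
HTTP_OUTPUT = """\
Web Management = on
Web Management Force SSL = off
Web Management Http Port = 80
Web Management Https Port = 443
"""

# Services whose logins cross the network unencrypted.
CLEARTEXT_SERVICES = ("Telnet", "Ftp")


def key_values(text):
    """Yield (key, value) for each 'key = value' line, minus trailing commas."""
    for raw in text.splitlines():
        line = raw.strip().rstrip(",").strip()
        if "=" in line:
            key, value = line.split("=", 1)
            yield key.strip(), value.strip()


def parse_aaa(text):
    """Return {service: {"denied": bool, "servers": [names]}}."""
    services = {}
    current = None
    for key, value in key_values(text):
        if key == "Service type":
            current = services.setdefault(value, {"denied": False, "servers": []})
        elif current is not None:
            if key == "Authentication" and value.lower() == "denied":
                current["denied"] = True
            elif key.lower().endswith("authentication server"):
                current["servers"].append(value)
    return services


def accepts_logins(service):
    """A service accepts logins when it is not denied and lists a server."""
    return bool(service) and not service["denied"] and bool(service["servers"])


def audit(aaa_text, http_text):
    """Return a list of findings for unencrypted management access."""
    services = parse_aaa(aaa_text)
    http = dict(key_values(http_text))
    findings = []
    for name in CLEARTEXT_SERVICES:
        if accepts_logins(services.get(name)):
            findings.append(f"{name}: logins accepted over an unencrypted protocol")
    if (accepts_logins(services.get("Http"))
            and http.get("Web Management") == "on"
            and http.get("Web Management Force SSL") != "on"):
        findings.append("Http: WebView enabled without Force SSL")
    return findings


if __name__ == "__main__":
    for finding in audit(AAA_OUTPUT, HTTP_OUTPUT):
        print(finding)
```

With the sample above, FTP and WebView are reported; after ‘no aaa authentication ftp’ and ‘ip http ssl’ the list is empty.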
End User Profiles
Partition Management allows the administrator to limit what commands users have access to. EUP is similar to Partition Management, but with the additional capability of limiting what VLANs and ports a user has access to.
Let’s begin by creating a few VLANs and a new user called customer1.
Enter:
-> vlan 100
-> vlan 200
-> vlan 300
-> user customer1 password customer1
Now, let’s create an End-User Profile with read-write access but limit the profile to VLANs 100-200.
Enter:
-> end-user profile profile1 read-write all
-> end-user profile profile1 vlan-range 100-200
-> end-user profile profile1 port-list 1/1-12
Now associate the user to the profile and save the configuration.
-> user customer1 end-user-profile profile1
-> write memory
Log out and then log back in under the newly created user account. Then run the commands listed below. Notice that you do not have access to VLAN 300 since it is not part of the user profile for client 1.
-> exit
login: customer1
password: *********
-> show vlan
-> vlan 300 port default [slot/port]
(Use a port within the range 1-12, as specified in the end-user-profile profile1. For instance, use slot/port 1/5.)
Password Expiration
An administrator has the ability to set the expiration date on passwords. It can be set in days or at a specific date and time. Let’s change the password expiration time to 5 days for customer1.
Log in under admin.
-> user customer1 expiration 5
-> write memory
Log in under customer1.
The switch now informs you that your password expires in 5 days.
7.4. Summary
This lab introduced you to the Operating System of an OmniSwitch. The WORKING and CERTIFIED directories allow multiple configurations to be stored on the switch. The CERTIFIED configuration can be used as a backup in case of any mis-configurations to the WORKING directory. Once a WORKING configuration is known to be valid, it can then be copied to the CERTIFIED directory, and used as a backup.
The snapshot feature can be helpful if you have a number of switches with similar configurations, perhaps with only IP addresses having to be changed. Saving the configuration to an ASCII file, modifying it, then applying it to a different switch can make configuring a group of switches easier.
It also introduced the WebView remote access feature. WebView can be used to configure the switch using a Web Browser instead of the CLI. Additionally, using the SSL feature, the communication can be encrypted between the browser and the switch.
Finally, it introduced the authenticated access feature of an OmniSwitch. Using this feature, an administrator is able to configure a security scheme to allow only authorized users access to the switch. Additionally, read and write privileges as well as remote access can be strictly controlled.
VLAN Management - Module objectives
You will:
Understand the VLAN implementation and
features on OmniSwitch 6350
Learn how to:
Deploy static or dynamic VLAN in order to
segment a network
Configure VLAN Tagging over Ethernet links
If you want to know more:
DHCP Policy
802.1x authenticated VLAN
VLAN Mobility – Default behaviour
VLANs - Overview
VLAN - Virtual LAN
A broadcast domain
Ease of network management
Provide a more secure network
Ports become members of VLANs by
Static Configuration
Mobility/Authentication
802.1q
VLANs - Evolution to Virtual LANs
Switch-centric model with VLANs (Logical perspective)
[Figure labels: Voice VLAN; Data VLAN; Management VLAN]
VLAN Membership - Edge Devices
How do ports and devices join VLANs?
Port based VLAN (Static)
Group Mobility VLAN (Dynamic)
Authenticated VLAN (Dynamic + Security)
802.1Q VLAN (Tagged)
VLAN Mobile Tag
Static VLAN Membership
Static VLAN
VLAN is assigned to the data port whatever the connected user (aka the default VLAN
of the port)
Segmentation of VLANs is done according to topology, geography, etc.
-> VLAN 2 port default 1/2
-> VLAN 6 port default 1/4
-> VLAN 6 port default 1/6
[Figure labels: ports 1/2, 1/4, 1/6; VLAN 1, VLAN 2, VLAN, VLAN 4, VLAN 5, VLAN 6; Virtual Router]
Dynamic VLAN Membership
Dynamic VLANs
VLAN is assigned depending on the device or the user
Device oriented: VLAN according to traffic criteria (MAC@, etc.).
User oriented: Authenticated VLAN (IEEE 802.1X for enhanced security)
[Figure labels: VLAN 1, VLAN 2, VLAN, VLAN 4, VLAN 5, VLAN 6; Virtual Router]
Dynamic VLAN Membership - Port Policy
Assignment policy is defined by port
0005d3:123456
192.168.10.0/24
Appletalk devices
VLANs
CLI
Defining a VLAN and its router interface
-> vlan 2
-> ip interface training_lab address 192.168.10.1 vlan 2
Assigning Ports to a VLAN
-> vlan 2 port default <slot>/<port>
Optional commands
-> vlan 4 enable
-> vlan 4 stp disable
-> vlan 4 name Engineering
Use quotes around string if the VLAN name contains multiple words with spaces between them
-> vlan 10-15 100-105 200 name "Training Network"
Monitoring
-> show vlan 4
-> show vlan port
-> show ip interface
Vlan with Static port - Example
-> vlan 2 name Data
-> vlan 2 port default 1/1
-> ip interface Data address 10.1.20.1 mask 255.255.255.0 vlan 2
-> vlan 3 name Voice
-> vlan 3 port default 1/10
-> ip interface Voice address 10.1.30.1 mask 255.255.255.0 vlan 3
-> show ip interface
Total 6 interfaces
Name           IP Address    Subnet Mask      Status   Forward  Device
--------------+-------------+----------------+--------+--------+--------
Data           10.1.20.1     255.255.255.0    UP       NO       vlan 2
Voice          10.1.30.1     255.255.255.0    UP       NO       vlan 3

-> show vlan 2
Name : Data,
Administrative State : enabled,
Operational State : enabled,
1x1 Spanning Tree State : enabled,
Flat Spanning Tree State : enabled,
Authentication : disabled,
IP Router Port : on,
IP MTU : 1500,
IPX Router Port : none,
Mobile Tag : off,
Source Learning : enabled

-> show vlan 2 port
port       type      status
---------+---------+--------------
1/1        default   active

-> show vlan
                         stree                    mble  src
vlan type  admin  oper   1x1    flat   auth ip    tag   lrn   name
----+-----+------+------+------+------+----+-----+-----+-----+---------
1    std   on     on     on     on     off  on    off   on    VLAN 1
2    std   on     on     on     on     off  on    off   on    Data
3    std   on     on     on     on     off  on    off   on    Voice
[Figure: Data VLAN (VLAN 2) and Voice VLAN (VLAN 3). Labels: dynamic @IP; IP Phone; DHCP Server - oxo]
VLAN rules - CLI
Enabling a mobile port
-> vlan port mobile <slot>/<port>
Assigning a rule to a VLAN
-> vlan 2 <rule>
Defining an IP protocol rule for VLAN 2
-> vlan 2 protocol ?
snap ip-snap ip-e2 ethertype dsapssap decnet appletalk
Defining an IP network address rule for VLAN 25
-> vlan 25 ip 21.0.0.0
-> vlan 25 ip 21.1.0.0 255.255.0.0
Monitoring
-> show vlan 4
-> show vlan port
-> show vlan rules
-> show vlan 4 rules
-> show vlan port mobile
Vlan Mobility rules - Example
-> vlan 2 name Data
-> vlan 2 ip 10.1.20.0 255.255.255.0
-> vlan port mobile 1/1
-> ip interface Data address 10.1.20.1 mask 255.255.255.0 vlan 2
-> vlan 3 name Voice
-> vlan 3 mac-range 00:80:9f:00:00:00 00:80:9f:ff:ff:ff
-> vlan port mobile 1/10
-> ip interface Voice address 10.1.30.1 mask 255.255.255.0 vlan 3
-> show ip interface
Total 6 interfaces
Name       IP Address     Subnet Mask      Status    Forward    Device
----------+--------------+----------------+---------+----------+--------
Data       10.1.20.1      255.255.255.0    UP        YES        vlan 2
Voice      10.1.30.1      255.255.255.0    UP        YES        vlan 3

-> show vlan 2
Name : Data,
Administrative State : enabled,
Operational State : enabled,
1x1 Spanning Tree State : enabled,
Flat Spanning Tree State : enabled,
Authentication : disabled,
IP Router Port : on,
IP MTU : 1500,
IPX Router Port : none,
Mobile Tag : off,
Source Learning : enabled

-> show vlan 2 port
port       type      status
---------+---------+--------------
1/1        mobile    active

sw1> show vlan rules
type              vlan   rule
-----------------+------+-------------------------------------------
ip-net            2      10.1.20.0, 255.255.255.0
mac-range         3      00:80:9f:00:00:00, 00:80:9f:ff:ff:ff
[Figure: Data VLAN (VLAN 2) and Voice VLAN (VLAN 3). Labels: dynamic @IP; IP Phone; DHCP Server]
VLAN Membership
802.1Q
How do ports join VLANs?
Port based VLAN (Static)
Group Mobility VLAN (Dynamic)
Authenticated VLAN (Dynamic + Security)
802.1Q VLAN (Tagged)
VLAN Mobile Tag
VLANs
IEEE 802.1Q
Aggregates multiple VLANs across Ethernet links
Combines traffic from multiple VLANs over a single link
Encapsulates bridged frames within standard IEEE 802.1Q frame
Enabled on fixed ports
Tags port traffic for destination VLAN
Tagged Frames
802.1Q
VLAN Tag
802.3 MAC header change
4096 unique VLAN Tags (addresses)
VLAN ID == GID == VLAN Tag
802.1P
Three bit field within 802.1Q header
Allows up to 8 different priorities
Feature must be implemented in hardware
802.1p (3 bits)
DA SA
VLAN ID (12 Bits)
4 Bytes
“Modified 802.3 MAC”
Ethertype, Priority, Tag
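The tag layout described above (4 bytes inserted after DA and SA, carrying a 3-bit 802.1p priority and a 12-bit VLAN ID) can be checked byte by byte. The following Python sketch is an added example, not part of the original course material: it inserts a tag into an untagged Ethernet frame and decodes it again. The sample frame, its MAC addresses and the function names are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100  # value in the EtherType position that announces a tag


def format_mac(raw):
    """Render six raw bytes as a colon-separated MAC address."""
    return ":".join(f"{byte:02x}" for byte in raw)


def add_tag(frame, vlan_id, priority=0):
    """Return the frame with a 4-byte 802.1Q tag inserted after DA and SA."""
    if len(frame) < 14:
        raise ValueError("frame is shorter than an Ethernet header")
    if not 0 <= vlan_id <= 0x0FFF:
        raise ValueError("VLAN ID must fit in 12 bits")
    if not 0 <= priority <= 7:
        raise ValueError("802.1p priority must fit in 3 bits")
    # 16-bit tag control field: priority (3 bits), one flag bit left at 0,
    # then the VLAN ID (12 bits).
    tci = (priority << 13) | vlan_id
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_frame(frame):
    """Decode the Ethernet header and, when present, the 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("frame is shorter than an Ethernet header")
    fields = {
        "dst": format_mac(frame[0:6]),
        "src": format_mac(frame[6:12]),
        "tagged": False,
        "priority": None,
        "vlan_id": None,
    }
    (ethertype,) = struct.unpack("!H", frame[12:14])
    payload_start = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("802.1Q tag is truncated")
        # The original EtherType follows the two tag-control bytes.
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        fields["tagged"] = True
        fields["priority"] = tci >> 13      # top 3 bits: 802.1p
        fields["vlan_id"] = tci & 0x0FFF    # low 12 bits: VLAN ID
        payload_start = 18
    fields["ethertype"] = ethertype
    fields["payload"] = frame[payload_start:]
    return fields


# Constructed sample frame: broadcast DA, made-up SA, EtherType 0x0800 (IPv4).
UNTAGGED = (bytes.fromhex("ffffffffffff") + bytes.fromhex("00809f123456")
            + struct.pack("!H", 0x0800) + b"constructed payload")
TAGGED = add_tag(UNTAGGED, vlan_id=3, priority=5)

if __name__ == "__main__":
    print(parse_frame(UNTAGGED))
    print(parse_frame(TAGGED))
```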
VLANs - Configuration
-> vlan 2 enable
-> vlan 3 enable
-> vlan 2 802.1q 1/4
-> vlan 3 802.1q 1/4
[Figure labels: VLAN 3, VLAN 2, VLAN 1 (shown twice); port 3/4 (shown twice)]
-> show vlan 3 port
-> show 802.1q 1/4
VLAN - Mobile Tag
Allows the dynamic assignment of mobile ports to more than one VLAN at the
same time
Enabled on mobile ports
-> vlan 3 mobile-tag enable
Allows mobile ports to receive 802.1Q tagged packets with
Enable the classification of mobile port packets based on 802.1Q VLAN ID tag 3
Takes precedence over all VLAN Rules
[Figure labels: Voice VLAN; Default VLAN; Data VLAN; Communication Server; Tagged packets with tag=3; OmniPCXOffice]
VLAN mobile - Tagging vs 802.1Q tagging
VLAN Mobile Tag | 802.1Q Tag
Allows mobile ports to receive 802.1Q tagged packets | Not supported on mobile ports
Enabled on the VLAN that will receive tagged mobile port traffic | Enabled on fixed ports; tags port traffic for destination VLAN
Triggers dynamic assignment of tagged mobile port traffic to one or more VLANs | Statically assigns (tags) fixed ports to one or more VLANs
Dynamic VLAN Membership - DHCP Policy
DHCP VLAN Membership
DHCP PORT policy
Devices generating DHCP requests on these ports
DHCP MAC/MAC Range policy
Devices with specified MAC addresses generating
DHCP requests
DHCP Generic policy
Any DHCP packet (one rule per switch)
DHCP request frames will not be
forwarded until a device's VLAN
membership is defined
Without internal BootP Relay entity DHCP
frames are only forwarded to ports within
the VLAN
With an internal BootP Relay entity DHCP
frames are forwarded to the Relay
1. Client needing IP address appears in default DHCP VLAN
2. BootP Relay delivers request to DHCP server
3. After receiving IP address, now participates in authorized VLANs
BootP Relay
Dynamic VLAN Membership
802.1x Authenticated VLANs
Applies to users connected on authenticated ports
Users must authenticate through 802.1x client
Authentication is based on either RADIUS, LDAP or TACACS+
Successful login
The client MAC is associated with the correct VLAN
[Figure: User on a Supplicant Host using 802.1x client; Switch running Authentication Agent; RADIUS, TACACS+, or LDAP Server; Default VLAN and Target VLAN]
Precedence/Rule Type
Upon receiving a frame, Source Learning compares the frame with VLAN
Policies in Order
1. Frame Type
2. DHCP MAC
3. DHCP MAC Range
4. DHCP Port
5. DHCP Generic
6. MAC-Port-IP
7. MAC-Port Binding
8. Port-Protocol Binding
9. MAC Address
10. MAC Range
11. Network Address
12. Protocol
13. Default (No Match -> port default VLAN)
VLAN Mobility
Default behavior
Default VLAN handling (renaming)
Default VLAN
-> vlan port slot/port default vlan {enable | disable}
Enabled -> user will join default VLAN when no rule matches (default)
Disabled -> user’s traffic will be dropped, when no rule matches
Default VLAN restore
-> vlan port slot/port default vlan restore {enable | disable}
Enabled -> user will join default VLAN when traffic ages out (default)
Disabled -> user will remain in the VLAN membership even after traffic ages out
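A simplified model of the classification order and default-VLAN behavior described above, as an added example rather than AOS code. It models only three of the thirteen rule types (MAC address, MAC range, network address); the names Frame, Rule and classify are hypothetical, the sample rules are taken from the "show vlan rules" output earlier on this page, and the handling of a tagged frame whose VLAN has no mobile tag is an assumption of the model.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Rule types in the precedence order listed above (earlier entry wins).
# Only three of the thirteen listed types are modelled here.
PRECEDENCE = ("mac", "mac-range", "ip-net")


@dataclass(frozen=True)
class Frame:
    src_mac: str
    src_ip: Optional[str] = None
    dot1q_vid: Optional[int] = None  # None means the frame is untagged


@dataclass(frozen=True)
class Rule:
    kind: str    # "mac", "mac-range" or "ip-net"
    vlan: int
    args: tuple  # (mac,), (low_mac, high_mac) or (network, mask)


# Constructed from the "show vlan rules" output shown earlier on this page.
SAMPLE_RULES = [
    Rule("ip-net", 2, ("10.1.20.0", "255.255.255.0")),
    Rule("mac-range", 3, ("00:80:9f:00:00:00", "00:80:9f:ff:ff:ff")),
]


def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", "").replace("-", ""), 16)


def rule_matches(rule: Rule, frame: Frame) -> bool:
    mac = mac_to_int(frame.src_mac)
    if rule.kind == "mac":
        return mac == mac_to_int(rule.args[0])
    if rule.kind == "mac-range":
        return mac_to_int(rule.args[0]) <= mac <= mac_to_int(rule.args[1])
    if rule.kind == "ip-net":
        if frame.src_ip is None:
            return False
        network = ipaddress.ip_network(f"{rule.args[0]}/{rule.args[1]}")
        return ipaddress.ip_address(frame.src_ip) in network
    raise ValueError(f"rule type not modelled: {rule.kind}")


def classify(frame: Frame, rules, port_default_vlan: int = 1,
             default_vlan_enabled: bool = True,
             mobile_tag_vlans=frozenset()) -> Optional[int]:
    """Return the VLAN a mobile port's frame is assigned to, or None if dropped."""
    # A mobile tag takes precedence over all VLAN rules.
    if frame.dot1q_vid is not None and frame.dot1q_vid in mobile_tag_vlans:
        return frame.dot1q_vid
    # Assumption of this model: any other frame is checked against the rules,
    # whatever order they were configured in, by rule-type precedence.
    for kind in PRECEDENCE:
        for rule in rules:
            if rule.kind == kind and rule_matches(rule, frame):
                return rule.vlan
    # No match: join the port default VLAN, or drop when that is disabled.
    return port_default_vlan if default_vlan_enabled else None


if __name__ == "__main__":
    phone = Frame("00:80:9f:12:34:56", src_ip="10.1.20.7")
    print(classify(phone, SAMPLE_RULES))  # MAC range wins over network address
```

A device that matches both sample rules lands in VLAN 3, because a MAC range rule ranks above a network address rule in the list; with the default VLAN disabled, an unmatched device gets no VLAN at all.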
VLANS
Contents
1 Objective
2 VLANs
3 Equipment/Software Required
4 Related Commands
5 Supported Platforms
6 Lab Steps
6.1. Creating Additional VLANs
6.2. Configure 802.1Q
7 Summary
8 Lab Check
1 Objective
This lab is designed to familiarize you with VLANs on an OmniSwitch.
2 VLANs
VLANs provide the ability to segregate a network into multiple broadcast domains. This can be done statically or dynamically by creating policies. Additionally, Virtual Router ports can be assigned to VLANs to allow traffic to be switched at Layer 3.
3 Equipment/Software Required
One OmniSwitch (Any Model)
2 or more PCs.
4 Related Commands
vlan, show vlan, show vlan [vid], ip interface,
show vlan [vid] ports, vlan [vid] ip, vlan [vid] mac
5 Supported Platforms
All
Connect a laptop or desktop PC to the 6350 console port. You will need a USB-to-Serial adapter if you do not have a standard serial comm port on your PC. For simplicity throughout the exercise, having 2-3 laptops or PCs to work with is preferred.
OS 6350-10
Port 1/1: Client PC1
Port 1/8: Client PC2
Console Port: Admin Console PC
6 Lab Steps
Before continuing, remove the existing configuration from the WORKING directory and reboot. Connect your Admin laptop or PC to the console port of the 6350. Open a terminal emulator (Putty, HyperTerm, etc.). Open a serial connection to establish a console connection with the following settings:
9600 Baud, 8 Data Bits, No Parity, 1 Stop Bit, No Flow Control
Login to the switch by entering at the prompts:
-> Login: admin
-> Password: switch
Type the following:
-> rm /flash/working/boot.cfg
-> reload working no rollback-timeout
-> copy working certified
In its default configuration, the switch has only one VLAN; VLAN 1. This is the default VLAN and all ports are initially associated with it. This VLAN CANNOT be deleted, but it can be disabled if so desired.
Let’s run the command to see the VLANs that exist on the switch as well as information on a single VLAN.
Type the following:
-> show vlan
                           stree              mble   src
 vlan  type  admin  oper   1x1   flat   auth  ip   tag   lrn    name
-----+-----+------+------+------+------+----+-----+-----+------+----------
   1   std    on    off    on     on    off   on   off    on    VLAN 1
Reference the User Guides for details on each column:
vlan – The VLAN ID number
type - The type of VLAN (std, vstk, gvrp or ipmv)
admin – Administrative status
oper – Operational Status (Any active ports associated with the VLAN)
1X1 – 1X1 Spanning Tree Status – (on/off)
flat – Flat Spanning Tree Status – (Is 802.1s Enabled)
auth – Authenticated VLAN status
ip – IP status (Has an IP address been associated with the VLAN)
ipx – IPX status (Has an IPX address been associated with the VLAN)
mble tag – mobility tag (on/off)
name – VLAN name
To display information on a specific VLAN:
-> show vlan 1
Name : VLAN 1,
Administrative State: enabled,
Operational State : disabled,
1x1 Spanning Tree State : enabled,
Flat Spanning Tree State : enabled,
Authentication : disabled,
IP Router Port : off,
IPX Router Port : none,
Mobile Tag : off,
Source Learning : enabled
Router Vlan : no
Notice that the VLAN's Administrative State is enabled; however, its Operational State is disabled. Without members the VLAN will be operationally down.
You can also list the ports and their associated VLAN assignments (notice we have no active ports to operationally enable the VLAN):
-> show vlan port     (or 'show vlan 1 port' to display just vlan 1 ports)
 vlan   port    type      status
------+-------+---------+-------------
   1    1/1    default   inactive
   1    1/2    default   inactive
   1    1/3    default   inactive
   1    1/4    default   inactive
   1    1/5    default   inactive
   1    1/6    default   inactive
   1    1/7    default   inactive
   1    1/8    default   inactive
   1    1/9    default   inactive
   1    1/10   default   inactive
To display the VLAN assignment on a specific port (or ports):
-> show vlan port 1/1
  vlan     type      status
--------+---------+--------------
    1     default   inactive
In order to have IP connectivity to a VLAN interface (not required for connectivity to other clients/servers within a VLAN), an IP address must be assigned to a Virtual Router port and associated to that VLAN. This IP address can then be used for IP connectivity as well as Layer 3 switching. In order to do this, we first create the IP address and then associate it to a VLAN.
Type the following (int_1 is the VLAN alias, 192.168.10.3 is the IP interface address):
-> ip interface int_1 address 192.168.10.3/24
-> show ip interface
Total 3 interfaces
        Name            IP Address      Subnet Mask   Status Forward  Device
--------------------+---------------+---------------+------+-------+--------
Loopback             127.0.0.1       255.0.0.0       UP     NO      Loopback
dhcp-client          0.0.0.0         0.0.0.0         DOWN   NO      vlan 1
int_1                192.168.10.3    255.255.255.0   DOWN   NO      unbound
Notice we did not associate a VLAN with the interface yet; this is indicated by the 'unbound' status in the Device column. To bind a VLAN:
-> ip interface int_1 vlan 1
Note: The last two commands could have been consolidated as one command:
-> ip interface int_1 address 192.168.10.3/24 vlan 1
-> show ip interface
Total 3 interfaces
        Name            IP Address      Subnet Mask   Status Forward  Device
--------------------+---------------+---------------+------+-------+--------
Loopback             127.0.0.1       255.0.0.0       UP     NO      Loopback
dhcp-client          0.0.0.0         0.0.0.0         DOWN   NO      vlan 1
int_1                192.168.10.3    255.255.255.0   DOWN   NO      vlan 1
Take note of the Status field. If it reads DOWN, this indicates no active ports or devices have been associated with the VLAN that the Virtual Router has been assigned to. If a Virtual Router interface is down, it cannot be connected to, will not reply to PING requests nor will it be advertised in any router updates. This will not affect the Layer 2 broadcast domain, however.
Let’s activate a port in VLAN 1 to change the status to UP.
Perform the following:
Connect PC1 to an Ethernet port on the switch.
Remember, all ports by default are members of VLAN 1 so any port can be used.
Now, type:
-> show vlan 1 port
  port     type      status
---------+---------+--------------
  1/1     default   forwarding
  1/2     default   inactive
  1/3     default   inactive
  1/4     default   inactive
  1/5     default   inactive
  1/6     default   inactive
  1/7     default   inactive
  1/8     default   inactive
  1/9     default   inactive
  1/10    default   inactive
Since all ports currently belong to VLAN 1, this will now cause VLAN 1 to become active. Run the command to check the status of the IP interface to see this.
Type the following:
-> show ip interface
Total 3 interfaces
        Name            IP Address      Subnet Mask   Status Forward  Device
--------------------+---------------+---------------+------+-------+--------
Loopback             127.0.0.1       255.0.0.0       UP     NO      Loopback
dhcp-client          0.0.0.0         0.0.0.0         DOWN   NO      vlan 1
int_1                192.168.10.3    255.255.255.0   UP     YES     vlan 1
Now that the VLAN has an active port, let’s modify the IP information of PC1 and PING the router interface associated with VLAN 1. Perform the following:
Modify the IP information of client PC1:
PC1 - IP Address - 192.168.10.103
PC1 - Mask – 255.255.255.0
PC1 - Default Gateway – 192.168.10.3 (The IP address of VLAN 1 virtual router).
Ping the switch’s VLAN 1 Virtual Router IP address. You should now have IP connectivity.
6.1. Creating Additional VLANs
Currently there is only one VLAN created on the switch. The following steps will provide information on creating a second VLAN, enabling IP on the VLANs, moving ports into the VLAN, and forwarding IP packets between VLANs.
To begin, let’s create a new VLAN and assign an IP address to that VLAN as done previously;
-> vlan 11 name AP
-> vlan 12 name Employee
-> vlan 13 name Guest
-> vlan 14 name Voice
-> ip interface int_11 address 192.168.1.1/24
-> ip interface int_11 vlan 11
How would you enter the last two commands as one command?
-> ip interface int_12 address 192.168.12.1/24 vlan 12
-> ip interface int_13 address 192.168.13.1/24 vlan 13
-> ip interface int_14 address 192.168.14.1/24 vlan 14
Let's look at what we have configured so far:
-> show ip interface
Total 7 interfaces
        Name            IP Address      Subnet Mask   Status Forward  Device
--------------------+---------------+---------------+------+-------+--------
Loopback             127.0.0.1       255.0.0.0       UP     NO      Loopback
dhcp-client          0.0.0.0         0.0.0.0         DOWN   NO      vlan 1
int_1                192.168.10.3    255.255.255.0   UP     YES     vlan 1
int_11               192.168.1.1     255.255.255.0   DOWN   NO      vlan 11
int_12               192.168.12.1    255.255.255.0   DOWN   NO      vlan 12
int_13               192.168.13.1    255.255.255.0   DOWN   NO      vlan 13
int_14               192.168.14.1    255.255.255.0   DOWN   NO      vlan 14

-> show vlan
                            stree                    mble  src
 vlan  type   admin  oper   1x1   flat   auth  ip   ipx   tag   lrn   name
-----+------+------+------+------+------+----+-----+-----+-----+-----+----------
   1   std     on     on     on     on   off   on    NA   off   on    VLAN 1
  11   std     on    off     on     on   off   on    NA   off   on    AP
  12   std     on    off     on     on   off   on    NA   off   on    Employee
  13   std     on    off     on     on   off   on    NA   off   on    Guest
  14   std     on    off     on     on   off   on    NA   off   on    Voice
Now let’s assign a port to VLAN 11, connect a client to that port, and modify its IP addressing to allow communication to the Virtual Router interface. Remember from earlier that all ports belong to VLAN 1 by default so we must move a port into VLAN 11.
Type/Perform the following:
-> vlan 11 port default 1/8 (1/8 = slot/port the PC2 is connected to)
Make sure you have connected PC2 to the slot and port above. Modify the IP information of PC2 to match the following:
PC2 - IP Address – 192.168.1.100
PC2 - Mask – 255.255.255.0
PC2 - Default Gateway – 192.168.1.1 (The IP address of VLAN 11 Virtual Router for your station)
Review what you’ve done:
-> show vlan 11 port
  port     type      status
---------+---------+--------------
  1/8     default   forwarding

-> show ip interface
Total 7 interfaces
        Name            IP Address      Subnet Mask   Status Forward  Device
--------------------+---------------+---------------+------+-------+--------
Loopback             127.0.0.1       255.0.0.0       UP     NO      Loopback
dhcp-client          0.0.0.0         0.0.0.0         DOWN   NO      vlan 1
int_1                192.168.10.3    255.255.255.0   UP     YES     vlan 1
int_11               192.168.1.1     255.255.255.0   UP     YES     vlan 11
int_12               192.168.12.1    255.255.255.0   DOWN   NO      vlan 12
int_13               192.168.13.1    255.255.255.0   DOWN   NO      vlan 13
int_14               192.168.14.1    255.255.255.0   DOWN   NO      vlan 14
-> show vlan
                            stree                    mble  src
 vlan  type   admin  oper   1x1   flat   auth  ip   ipx   tag   lrn   name
-----+------+------+------+------+------+----+-----+-----+-----+-----+----------
   1   std     on     on     on     on   off   on    NA   off   on    VLAN 1
  11   std     on     on     on     on   off   on    NA   off   on    AP
  12   std     on    off     on     on   off   on    NA   off   on    Employee
  13   std     on    off     on     on   off   on    NA   off   on    Guest
  14   std     on    off     on     on   off   on    NA   off   on    Voice
By default the switch will route the packets between VLAN 1 and VLAN 11 using the Virtual IP interfaces you created.
Perform the following to test connectivity:
From client on VLAN 1 ping the Virtual Router port for VLAN 11. (For example, ping 192.168.11.1)
This should be successful since you’ve set the Default Gateway of PC2 to the virtual router interface of VLAN 11. The switch will route the packets to interface int_1.
From client on VLAN 1 ping client on VLAN 11. (For example, ping 192.168.11.103)
This should be successful since you’ve set the Default Gateway to the Virtual Router interface of VLAN 11. The switch will route the request packet to VLAN 1 in one direction, then route the echo back to VLAN 11.
You should receive successful responses to all the above PINGs. If the PINGs are not successful, check your IP addressing (and Gateway) on both the PC and the switch as well as checking the VLAN associations using the following commands. Again, you may type:
-> show vlan
-> show vlan 1
-> show vlan 1 port
-> show vlan 11
-> show vlan 11 port
-> show ip interface
6.2. Configure 802.1Q
Normally, to have Layer 2 connectivity between the switch and the AP for all three VLANs, three physical links would be required. However, we will configure 802.1Q tagging to carry data from all three VLANs over one physical link.
Type the following: (we will use slot 1 port 3 for the connection to your AP)
-> vlan 11 port default 1/3
-> vlan 12-14 802.1q 1/3
-> show vlan 11 port
  port     type      status
---------+---------+--------------
  1/3     default   forwarding

-> show vlan 12 port
  port     type      status
---------+---------+--------------
  1/3     qtagged   forwarding

-> show vlan port 1/3
  vlan     type      status
--------+---------+--------------
   11     default   inactive
   12     qtagged   inactive
   13     qtagged   inactive
   14     qtagged   inactive
You should see that slot 1 port 3 is carrying tagged information for VLANs 12, 13 and 14 and bridging VLAN 11. Remember, a physical port MUST always have at least one VLAN (the default for the port) bridging.
We have so far configured the switch to connect the IAP on port 1/3 and to transport:
VLAN 11 by default for IAP Configuration
VLAN 12, 13 and 14 for employee, guest and voice SSIDs
To activate Power Over Ethernet, type the following command:
-> lanpower start 1
This command activated POE for all the ports on the switch. We are now ready to plug in the IAP on port 1/3.
You can now proceed with the next LAB to configure the AP.
7 Summary
VLANs are an important concept to understand when configuring an OmniSwitch. They provide the ability to segregate the network into multiple broadcast domains. This can be done either statically or dynamically. Also, in order for devices in different VLANs to communicate, they must be routed. A virtual router interface can be associated for each VLAN to allow for the routing of traffic.
8 Lab Check
What is the purpose of a VLAN?
...............................................................................................................................
...............................................................................................................................
In this lab, name two methods that were used to associate a port with a VLAN?
1) ...........................................................................................................................
2) ...........................................................................................................................
What type of rule(s) were used to dynamically move a port into a VLAN?
...............................................................................................................................
Is it necessary to have a routing protocol configured in order to route between VLANs on the same switch?
........................................................................................................ (Yes or No – why?)
In order for a VLAN to route traffic, what must be created on the switch?
...............................................................................................................................
Which VLAN does a port belong to by default?
VLAN .......................................................................................................................
What is the command to move a port into a different default VLAN?
...............................................................................................................................
What are two commands to check which VLAN a port is associated with?
...............................................................................................................................
Module Objectives
In this module you will learn about
Access Points.
You will review and discuss:
AP Introduction
Hardware, security and radio features
Initial setup
Basic configuration
Product Features
Security Features
Authentication Type
802.1x, WPA, WPA2
MAC Address
Customizable Captive Portal
Encryption : WEP, TKIP, AES
Built-in User Database and External Radius Server Support
Firewall
Radio Features
Dynamic Frequency Adjustment (DFA) – Optimize available channel/transmission
power
Channel/transmission power manual assignment
Deployment Scenarios
Single Cluster
A Single Cluster
Contains a maximum of 16 AP1101
Supports 256 concurrent clients (64
per AP1101)
Broadcasts 16 WLANs (SSID)
L2 Mobility
Any client can roam between APs
and maintain its connection (IP
address and authentication)
Unpack and Power on the AP1101
Open the packing box and take out the AP1101
Power the AP by connecting it to a PoE port of the switch
Assigning an IP address to the AP
The AP needs an IP address for network connectivity
Connect the Switch to the Router
Ensure that the DHCP server is enabled on the Router
After a few seconds, the AP gets an IP address
The AP starts broadcasting SSID “mywifi-xxxx”
xxxx: 4 last bytes of the AP MAC address
AP initial setup – Connection to the Web interface
Connect to “mywifi-xxxx” SSID (xxxx: last four bytes of AP MAC address), open
a web browser and enter the following:
http://mywifi.al-enterprise.com:8080
There are three login accounts:
Administrator : Configuration of the AP
Viewer : Checking configuration ONLY
GuestOperator : Checking configuration ONLY and creating Guests users
“admin” is the default password for all login accounts
Select “Administrator”:
Username = Administrator
Password = admin
AP initial setup – Wizard
An initialization wizard will pop up.
It is used for:
Modifying Administrator password
Creating a management WLAN (SSID)
AP initial setup – New SSID
Creation of additional SSID
Click “New” in the WLAN Window of the Dashboard
Configuration of a new WLAN
Click on “Advanced” to configure advanced parameters
AP initial setup – New WLAN
AP initial setup - Group
Group Network
In a Group deployment, APs of the Group are listed in the AP Window
The list displays the MAC address of the AP, its status and the number of clients
authenticated to this AP
AP initial setup - Group
Group Network
Double-click on the AP window to access the Advanced-Window Mode
The role of the AP in the Group is highlighted in red:
Primary Virtual Controller (PVC): Central point of management. One per Group.
Secondary Virtual Controller (SVC): Backup of the PVC. One per Group.
MEMBER: Other APs in the Group.
The AP with the highest MAC
address is elected PVC.
The AP with the second highest
MAC address is elected SVC.
Other APs of the cluster become
MEMBER.
Election Process
In the Advanced WLAN Window, you have the following parameters
WLAN Parameters
WLAN Parameter | Specification
SSID | The WiFi signal name.
Band | Check the radio on which you want the WLAN to be broadcast. The radio won’t broadcast this WLAN when it’s unchecked.
Network Type | There are three options for network type: Employee, Voice and Guest, which indicate the WLAN application purpose. Once you have specified a network type, the Security Method and optimized QoS Parameter will be set accordingly.
Hidden | Hidden broadcast or visible broadcast SSID.
Enable | Turn the WLAN on or off.
MaxClients | The maximum number of concurrent users that the WLAN supports. When the number of concurrent users is more than this value, the user connection will be rejected.
Captive Portal | Set the WLAN to enable portal authentication or not.
VLAN ID | The VLAN ID that the WLAN maps to.
Security Type | The security type is organized as a tree. Based on target customer scale, there are three root types: Open, Personal and Enterprise. Once the root type has been selected, you can select the corresponding authentication and encryption method combination; once a combination has been selected, you have to configure the corresponding parameters.
Cancel | The WLAN Creation Window will be closed if you click the ‘Cancel’ button.
Save | Click ‘Save’ to complete creating the WLAN.
CONFIGURE AP
Contents
1 Objective
2 Equipment/Software Required
3 Supported Platforms
4 Lab Steps
4.1. AP Initialization
4.2. AP Initial Configuration
5 Summary
RIP/RIP2
1 Objective
This lab will help you to configure an IAP with the three SSIDs based on the VLANs and IP addresses that you have already configured on the switch.
Part 1 - AP initialization: The first part is here to help you prepare your AP for configuration. You will reset the configuration and give IP connectivity to your AP.
Part 2 - AP initial configuration: In this section, you will create the three SSID’s employee, guest and voice.
2 Equipment/Software Required
One OmniSwitch
One AP1101
3 Supported Platforms
All
4 Lab Steps
4.1. AP Initialization
In this section you will switch the Instant AP back to factory default.
1. Plug the port “Ethernet” of your AP to the port 1/3 of the switch.
2. Wait for the boot process to be over. You can see it when the LED on the face of the AP turns into a solid green or blue. It will take less than a minute.
3. Press and hold the “Reset” button at the back of the AP for 5 seconds and then release it. The AP will reboot automatically and you will get a solid green on the LED after the boot process.
4. The default IP address of the AP is 192.168.1.254.
OS 6350-P10
Port 1/3 Port 1/8 Console Port
Client AP 1101 Admin Console PC
4.2. AP Initial Configuration
In this section you will create an initial configuration. This configuration will provide an SSID for each of employees, guests and voice.
Each AP will broadcast the default “mywifi-xxxx” SSID at start up (xxxx refers to the 4 last values of the MAC address of the AP). To be sure to connect to your AP, you will use the Ethernet connection to configure the IAP.
1. Enable the ethernet interface on the laptop, change your IP address to be in the subnet of VLAN 11 (192.168.1.100) and set the gateway to 192.168.1.1. Plug in the laptop on port 8 of the OS 6350.
2. Open a web browser and connect to http://192.168.1.254:8080 (we are using the default IP address of the AP). Log in to the AP using the login profile Administrator and password admin.
3. Press Next on the Welcome page of the Setup Wizard.
4. In the Step 1/3, you can change the default password of the Administrator profile. We will use the same password “admin”. Enter “admin” in the Passphrase and Confirm field. Click Save.
5. In the regulatory domain selection screen, select the country where you are (if you are not in the USA, Israel nor Japan) and click Save.
6. The last step of the Setup Wizard is used to create a Management WLAN. We will create the admin network.
7. In the “Create New WLAN” wizard, enter the following:
a. WLAN Name: Admin
b. Band: 2.4GHz and 5GHz are already selected. Don’t change it.
c. Security Type and Passphrase format are already set. Don’t change it.
d. Passphrase: alcatel_lucent
e. Confirm : alcatel_lucent
f. Click Save
8. Login again on the main screen, using the login profile Administrator and the password admin.
9. To create the employee network, click New in the WLAN window (top left corner).
10. In the “Create New WLAN” window, enter the following:
a. Click on Advance.
b. WLAN Name: Employee
c. Band: 2.4GHz and 5GHz are already selected. Don’t change it.
d. Network Type: Employee is already selected. Don’t change it.
e. Security Type and Passphrase format are already set. Don’t change it.
f. Passphrase: employee
g. Confirm : employee
h. VLAN ID: 12
i. Click Save
11. To create the guest network, click New in the WLAN window (top left corner).
12. In the “Create New WLAN” window, enter the following:
a. Click on Advance.
b. WLAN Name: Guest
c. Band: 2.4GHz and 5GHz are already selected. Don’t change it.
d. Network Type: Select Guest.
e. Security Type: Select Personal and WPA/WPA2 Personal (Both TKIP AND AES).
f. Passphrase: guest_AP
g. Confirm : guest_AP
h. VLAN ID: 13
i. Click Save
13. To create the voice network, click New in the WLAN window (top left corner).
14. In the “Create New WLAN” window, enter the following:
a. Click on Advance.
b. WLAN Name: Voice
c. Band: 2.4GHz and 5GHz are already selected. Don’t change it.
d. Network Type: Select Voice.
e. Security Type and Passphrase format are already set. Don’t change it.
f. Passphrase: voice_AP
g. Confirm : voice_AP
h. VLAN ID: 14
i. Click Save
15. Check the WLAN list; the “mywifi-xxxx” SSID has disappeared from the list and you find the management SSID (Admin) as well as the three user SSIDs (Employee, Guest and Voice).
16. Logout from the configuration page (top-right corner) and close the Web browser
17. We will now check that the 3 AP networks are available in the air.
a. Refresh the WLAN network list; Employee, Guest and Voice should be available.
b. Connect to Employee. Enter the network security key we have defined: employee.
c. Change the IP configuration of the wireless card with the address 192.168.12.100, mask 255.255.255.0 and gateway 192.168.12.1
d. Try to ping 192.168.12.1
e. Disconnect from Employee
f. Connect to Guest. Enter the network security key we have defined: guest_AP
g. Change the IP configuration of the wireless card with the address 192.168.13.100, mask 255.255.255.0 and gateway 192.168.13.1
h. Try to ping 192.168.13.1
i. Disconnect from Guest
j. Connect to Voice. Enter the network security key we have defined: voice_AP
k. Change the IP configuration of the wireless card with the address 192.168.14.100, mask 255.255.255.0 and gateway 192.168.14.1
l. Try to ping 192.168.14.1
m. Disconnect from Voice
5 Summary
This lab introduced you to the Initialization of the AP and the initial configuration of the AP. You
ii SMB Configuration Guide September 2015
enterprise.alcatel-lucent.com Alcatel-Lucent and the Alcatel-Lucent Enterprise logo are trademarks of Alcatel-Lucent. To view other trademarks used by affiliated companies of ALE Holding, visit: enterprise.alcatel-lucent.com/trademarks. All other trademarks are the property of their respective owners. The information presented is subject to change without notice. Neither ALE Holding nor any of its affiliates assumes any responsibility for inaccuracies contained herein. (July 2015)
Service & Support Contact Information
North America: 800-995-2696
Latin America: 877-919-9526
EMEA: +800 00200100 (Toll Free) or +1(650)385-2193
Asia Pacific: +65 6240 8484
Web: service.esd.alcatel-lucent.com
Email: [email protected]
Contents
Chapter 1 SMB Overview and Quick Configuration
  In This Chapter
  Overview
  OmniPCX Office RCE Quick Configuration
  OmniSwitch Quick Configuration
  OAW-IAP Quick Configuration
  Upgrade Information
Chapter 2 SMB Configuration With OmniPCX Office RCE
  In This Chapter
  OmniPCX Office RCE Setup for OmniSwitch Auto Configuration
  OmniSwitch Auto Configuration through OmniPCX Office RCE
  IAP Configuration
    Step 1. Power up IAP
    Step 2. Connecting to instant
    Step 3. Configure IAP
Chapter 3 SMB Configuration Without OmniPCX Office RCE
  In This Chapter
  OmniSwitch Configuration
  IAP Configuration
    Step 1. Power up IAP
    Step 2. Connecting to instant SSID
    Step 3. Configuring IAP
SMB Configuration Guide September 2015 page 1-1
1 SMB Overview and Quick Configuration
This chapter provides a brief overview of the Alcatel-Lucent Enterprise SMB (small-medium business) solution along with the steps for quickly configuring the various components. For more detailed step-by-step instructions refer to the appropriate configuration chapter.
In This Chapter
The information described in this chapter includes:
• “Overview” on page 1-2
• “OmniPCX Office RCE Quick Configuration” on page 1-3
• “OmniSwitch Quick Configuration” on page 1-3
• “OAW-IAP Quick Configuration” on page 1-4
• “Upgrade Information” on page 1-5
Overview
This configuration guide covers how to install the various components of the Alcatel-Lucent Enterprise SMB (small-medium business) solution. The SMB market can be addressed via two Alcatel-Lucent Enterprise solutions: one includes an OmniSwitch™ and OmniAccess™ Instant Access Points (IAPs), enabling high speed wired and wireless (Wi-Fi) LAN access, referred to as the Mobility solution, while the second includes OmniPCX™ Office RCE, providing IP Telephony, for a complete voice/data/Wi-Fi solution.
This SMB Configuration Guide describes the installation steps based on the following products.
• OmniPCX™ Office RCE
Note: Minimum version R10.2 is required for the OmniPCX Office RCE information described in this document. See “Upgrade Information” on page 1-5 for information on upgrading to R10.2.
• OmniSwitch OS6450-P24
• OmniSwitch OS6450-P48
• OmniSwitch OS6450-P10
• OmniSwitch OS6450-P10L
• OmniSwitch OS6250-P24
• OmniSwitch OS6450-P24L
• OmniSwitch OS6450-P48L
• OmniSwitch 6350-P24
• OmniSwitch 6350-P48
• OAW-IAP
Chapter 1 provides quick steps to configure these products, Chapter 2 provides a detailed procedure to configure OmniPCX Office RCE, the OmniSwitch and the OAW-IAP, and Chapter 3 provides a detailed procedure to configure the OmniSwitch and OAW-IAP when OmniPCX Office RCE is not installed.
For additional solution information please refer to the SMB Solution Sheet.
OmniPCX Office RCE Quick Configuration
If using OmniPCX Office RCE version R10.2, no configuration is required; the necessary files are already included as part of the default configuration.
1 The os_conf configuration file contains the following commands and will be used to automatically configure the OmniSwitch:
system daylight savings time disable
vlan 1 enable name "VLAN 1"
ip service all
ip interface dhcp-client vlan 1 ifindex 1
ip interface dhcp-client vsi-accept-filter "alcatel.a4400.0"
aaa authentication default "local"
aaa authentication console "local"
bridge mode flat
qos enable
qos trust ports
qos no phones
swlog console level info
lanpower start 1
2 The os_script script file contains the following command for certifying the configuration:
copy working certified
3 The os_ins.alu instruction file contains the following entries describing the location and file names needed by the OmniSwitch:
Config filename: os_conf
Config location: /tftpboot
Script filename: os_script
Script location: /tftpboot
OmniSwitch Quick Configuration
Follow the steps below to automatically configure the OmniSwitch:
1 Connect an Ethernet cable between the OmniPCX Office RCE and the OmniSwitch.
2 Connect AC power cord on the OmniSwitch.
3 The OmniSwitch will boot up and automatically download the configuration files from the OmniPCX Office RCE. Once the download is complete, the OmniSwitch will reboot again. This process will take approximately 6 to 8 minutes.
Note. DO NOT INTERRUPT WHEN AUTO CONFIGURATION IS IN PROGRESS.
Note. Repeat these steps for the installation of each OmniSwitch.
OAW-IAP Quick Configuration
1 Connect an Ethernet cable between the IAP and the OmniSwitch, then wait approximately 6 minutes for the IAP to initialize.
2 Using a wireless PC, scan the wireless networks and connect to the instant SSID.
3 Open a web browser to http://instant.alcatel-lucent.com.
4 Log in to the OAW-IAP UI with admin as the username and password.
Note. Alcatel-Lucent recommends that you change the administrator credentials after the initial configuration.
Note. If the country code window is displayed after a successful login, select a country from the list.
5 From the AOS-W Instant UI main window, click New under the Networks section. The New WLAN window is displayed.
6 In the New WLAN setting tab, enter an SSID name for the network and click Next.
7 In the VLAN tab, select the required Client IP assignment and Client VLAN assignment options and click Next.
8 In the Security tab, enter a unique passphrase and retype it to confirm and click Next.
9 In the Access tab, ensure that the Unrestricted access control is specified and click Finish.
10 The new network is added and displayed in the Networks window.
Note. After the secure wireless network access is configured, Alcatel-Lucent recommends deleting the instant SSID to protect from unauthorized wireless access.
Upgrade Information
When upgrading to OmniPCX Office RCE version R10.2:
• The old default configuration files will be replaced with the new default configuration files of R10.2.
• Any customized configuration files will be retained in R10.2.
2 SMB Configuration With OmniPCX Office RCE
This chapter describes the detailed configuration steps to install the SMB solution with the OmniPCX Office RCE.
In This Chapter
The information described in this chapter includes:
• “OmniPCX Office RCE Setup for OmniSwitch Auto Configuration” on page 2-2
• “OmniSwitch Auto Configuration through OmniPCX Office RCE” on page 2-2
• “IAP Configuration” on page 2-3
OmniPCX Office RCE Setup for OmniSwitch Auto Configuration
If using OmniPCX Office RCE version R10.2, no configuration is required; the necessary files are already included as part of the default configuration. See “OmniPCX Office RCE Quick Configuration” on page 1-3 for a description of the files and their contents.
OmniSwitch Auto Configuration through OmniPCX Office RCE
Follow the steps below to auto configure the OmniSwitch:
1 The OmniSwitch should be in factory default mode with no boot.cfg file.
2 Connect an Ethernet cable between the OmniPCX Office RCE and the OmniSwitch.
OmniPCX Office RCE / OmniSwitch Ethernet Connection
3 Connect the AC power cord on OmniSwitch.
OmniSwitch AC Power Connection
4 The OmniSwitch will boot up and automatically download the configuration files from the OmniPCX Office RCE. Once the download is complete, the OmniSwitch will reboot again. This process will take approximately 6 to 8 minutes.
Note. DO NOT INTERRUPT WHEN AUTO CONFIGURATION IS IN PROGRESS.
Note. Repeat these steps for the installation of each OmniSwitch.
IAP Configuration
The next process in the installation of SMB is the IAP configuration. This section describes the steps to configure the IAP.
Step 1. Power up IAP
1 The IAP should be in factory default mode without any configuration.
2 Connect an Ethernet cable between the IAP and the OmniSwitch, then wait approximately 6 minutes for the IAP to initialize.
OAW-IAP Ethernet Connection
OmniSwitch/IAP Ethernet Connection
3 Wait for all LEDs on the IAP to turn green and blink.
LEDs turned green and blinking
Step 2. Connecting to instant
1 Using a wireless PC, scan the wireless networks and connect to the instant SSID.
Connecting to SSID
2 Open a web browser to http://instant.alcatel-lucent.com.
If not able to connect, disable proxy setting in the browser.
Instant Alcatel-Lucent browser
Step 3. Configure IAP
1 Log in to the AOS-W instant UI with admin as the username and password respectively.
Note. Alcatel-Lucent recommends that you change the administrator credentials after the initial configuration. For more information, see the Management Authentication Settings section in AOS-W Instant User Guide.
Log in to the AOS-W instant UI
Note. If the country code window is displayed after a successful login, select a country from the list. The country code window is displayed only when OAW-IAP-ROW (Rest of world) variants are installed. The country code setting is not applicable to the OAW-IAPs designed for US, Japan, and Israel.
2 To create a secure wireless network access, perform the following steps:
a. From the AOS-W instant UI main window, click New under the Network section. The New WLAN window is displayed.
New WLAN window
b. In the New WLAN setting tab, enter an SSID name for the network and click Next.
New WLAN setting tab
c. In the VLAN tab, select the required Client IP assignment and Client VLAN assignment options and click Next.
VLAN setting tab
d. In the security tab, enter a unique passphrase and retype it to confirm. Click Next.
Security setting tab
e. In the Access tab, ensure that the Unrestricted access control is specified and click Finish.
Access setting tab
f. Try connecting to the new SSID that was just created. Ensure network access before proceeding to deleting instant SSID step.
3 Delete the instant SSID to protect from unauthorized wireless access. Follow the steps below to delete the instant SSID:
a. Select instant SSID in Networks. Click X and click Delete Now.
Instant deletion window
Instant deletion confirm window
Note. In a multiple OAW-IAP deployment, the IAPs automatically find each other in the same subnet and form a single functioning network managed by a Virtual Controller. It is recommended to configure a virtual controller IP in a multiple IAP deployment scenario. Please refer to the user manual for the configuration procedure.
This completes the IAP configuration with secure wireless access.
3 SMB Configuration Without OmniPCX Office RCE
This chapter describes the detailed configuration steps to configure the SMB solution without an OmniPCX Office RCE.
In This Chapter
The information described in this chapter includes:
• “OmniSwitch Configuration” on page 3-2
• “IAP Configuration” on page 3-3
OmniSwitch Configuration
To install the SMB solution without an OmniPCX Office RCE, the OmniSwitch must be manually configured. To configure the OmniSwitch, follow the steps below:
1 The OmniSwitch should be in the factory default mode with no boot.cfg file.
2 Connect the AC power cord on the OmniSwitch.
OmniSwitch AC Power Connection
3 Connect to the console and log in to the OmniSwitch CLI with admin and switch as the username and password, respectively.
Console Connection
4 Execute the following commands:
-> system daylight savings time disable
-> vlan 1 enable name "VLAN 1"
-> ip service all
-> ip interface dhcp-client vlan 1 ifindex 1
-> ip interface dhcp-client vsi-accept-filter "alcatel.a4400.0"
-> aaa authentication default "local"
-> aaa authentication console "local"
-> bridge mode flat
-> qos enable
-> qos trust ports
-> qos no phones
-> swlog console level info
-> lanpower start 1
-> write memory
-> copy working certified
Note. Repeat these steps for the installation of each OmniSwitch.
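An added example, not part of the ALE guide or of any ALE tool: because the switch applies os_conf without an operator reviewing it (Chapter 1), and the same commands are typed by hand in step 4 above, a reviewer can compare the file actually served with the list printed in this guide and flag the settings that need a decision. The rule set, severities, reasons and SERVED_SAMPLE are assumptions constructed for illustration.

```python
import shlex

# os_conf as this guide lists it (Chapter 1) and as typed in Chapter 3, step 4.
BASELINE = '''\
system daylight savings time disable
vlan 1 enable name "VLAN 1"
ip service all
ip interface dhcp-client vlan 1 ifindex 1
ip interface dhcp-client vsi-accept-filter "alcatel.a4400.0"
aaa authentication default "local"
aaa authentication console "local"
bridge mode flat
qos enable
qos trust ports
qos no phones
swlog console level info
lanpower start 1
'''

# Constructed input: the baseline with one command removed and one added.
SERVED_SAMPLE = BASELINE.replace('aaa authentication console "local"\n', "") \
    + 'vlan 99 enable name "constructed-extra"\n'

# Review rules written for this example (assumed, not a vendor baseline).
# The longest matching command prefix wins.
RULES = {
    ("ip", "service", "all"): (
        "high", "opens every TCP/UDP service port on the switch; "
                "decide which management services are needed"),
    ("aaa", "authentication"): (
        "high", "logins are checked against the local user database; "
                "change the factory admin password used in this guide"),
    ("ip", "interface", "dhcp-client"): (
        "medium", "the switch is addressed by DHCP; a vendor string filter "
                  "identifies a server but does not authenticate it"),
    ("qos", "trust", "ports"): (
        "low", "802.1p/DSCP priority markings set by any attached device "
               "are honoured"),
}


def parse(text):
    """Return one token tuple per command; drop prompts, blanks, '!' comments."""
    commands = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("->"):            # console transcript prompt
            line = line[2:].strip()
        if not line or line.startswith("!"):
            continue
        commands.append(tuple(shlex.split(line)))
    return commands


def audit(text):
    """List (severity, command, reason) for every command a rule covers."""
    findings = []
    for cmd in parse(text):
        hits = [prefix for prefix in RULES if cmd[:len(prefix)] == prefix]
        if hits:
            severity, reason = RULES[max(hits, key=len)]
            findings.append((severity, shlex.join(cmd), reason))
    return findings


def drift(served, baseline=BASELINE):
    """Compare a served os_conf with the documented one.

    Returns (unexpected, missing): commands present only in the served file
    and commands present only in the baseline. Both sides are tokenised
    first, so spacing and prompt differences do not count as drift.
    """
    got, want = parse(served), parse(baseline)
    unexpected = [shlex.join(c) for c in got if c not in want]
    missing = [shlex.join(c) for c in want if c not in got]
    return unexpected, missing


if __name__ == "__main__":
    for severity, command, reason in audit(BASELINE):
        print(f"[{severity}] {command}: {reason}")
    print(drift(SERVED_SAMPLE))
```

Run it against the copy of os_conf taken from the provisioning host before a new switch is connected; any entry in either drift list means the switch would not end up with the configuration this guide documents.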
IAP Configuration
The next process in the installation of the SMB solution is the IAP configuration. This section describes the steps to configure the IAP.
Step 1. Power up IAP
1 The IAP should be in factory default mode without any configuration.
2 Connect an Ethernet cable between the IAP and the OmniSwitch, then wait approximately 6 minutes for the IAP to initialize.
OAW-IAP Ethernet Connection
OmniSwitch/IAP Ethernet Connection
3 Wait for all LEDs on the IAP to turn green and blink.
LEDs turned green and blinking
Step 2. Connecting to instant SSID
1 Using a wireless PC, scan the wireless networks and connect to the instant SSID.
Connecting to SSID
2 Open a web browser to http://instant.alcatel-lucent.com.
If not able to connect, disable the proxy settings in the browser.
Instant Alcatel-Lucent browser
Step 3. Configuring IAP
1 Log in to the AOS-W instant UI with admin as username and password.
Note. Alcatel-Lucent recommends that you change the administrator credentials after the initial configuration. For more information, refer to the Management Authentication Settings section in AOS-W Instant User Guide.
Log in to the AOS-W instant UI
Note. If the country code window is displayed after a successful login, select a country from the list. The country code window is displayed only when OAW-IAP-ROW (Rest of world) variants are installed. The country code setting is not applicable to the OAW-IAPs designed for US, Japan, and Israel.
2 To create a secure wireless network access, perform the following steps:
a. From the AOS-W instant UI main window, click New under the Network section. The New WLAN window is displayed.
New WLAN window
b. In the New WLAN setting tab, enter an SSID name for the network and click Next.
New WLAN setting tab
c. In the VLAN tab, select the required Client IP assignment and Client VLAN assignment options and then click Next.
VLAN setting tab
d. In the security tab, enter a unique passphrase and retype it to confirm and click Next.
Security setting tab
e. In the Access tab, ensure that the unrestricted access control is specified and click Finish.
Access setting tab
f. Try connecting to new SSID that was just created. Ensure network access before proceeding to deleting instant SSID step.
3 Delete the instant SSID to protect from unauthorized wireless access. Follow the below steps to delete the instant SSID:
a. Select instant SSID in network. Click X and click Delete Now.
SSID deletion window
Instant deletion confirm window
Note. In a multiple OAW-IAP deployment, the IAPs automatically find each other in the same subnet and form a single functioning network managed by a Virtual Controller. It is recommended to configure virtual controller IP in multiple IAP deployment scenario. Please refer to AOS-W user manual for configuration procedure.
This completes IAP configuration with secure wireless access.
• What’s in for you
Demonstration booking forms
User guides
Requirement lists
Videos
Access to the help desk (from 9am to 6pm CET – PST)
And much more!
• Specific demonstrations can be handled upon request
FREE SERVICE to conduct remote
demonstrations on your premises or
the customer’s from our data center
on selected ALE Communications and
Network solutions
http://edemo.al-mydemo.com/
Book your remote demo
through the
eDemo website!
ACCESS TO TECHNICAL SUPPORT
ENTERPRISE CUSTOMER CARE GUIDELINE – JANUARY 2016
Contents
1 Objective
2 Introduction
3 Requirements for accessing technical support
3.1. Accessing Technical support
3.1.1. Service Contract Check
3.1.2. Engineer Certification Check
3.2. Opening Severity 1,2,3 and 4 severities
3.3. Basic Requirements for opening an eService Request
3.4. Status of eService Request
3.5. eService Request Escalation
3.6. END CUSTOMER NAME
4 Incident Severity
4.1. Severity 1: Critical severity (Severity One)
4.2. Severity 2: High severity (Severity Two).
4.3. Severity 3: Medium severity (Severity Three)
4.4. Severity 4: Low severity (Severity Four)
5 Tools available:
5.1. Contact Checker
5.2. Alcatel-Lucent Enterprise Application Partner Program (AAPP)
5.3. Security Advisories
5.4. Technical communications
5.5. The Knowledge Center
5.6. Twitter and Facebook
5.7. Contacts
Notes
This document is provided and supported by Alcatel Lucent Enterprise Customer Care
1 Objective
This document defines how a Business Partner expert can access technical support.
2 Introduction
End-Customers report their technical issues to our business partners, who provide them with support & services. Certified Engineers of our business partners are entitled to open requests to the Alcatel Lucent Enterprise Technical Support organization. The system for which the issue is reported must have a valid support contract (SPS).
3 Requirements for accessing technical support
3.1. Accessing Technical support
When accessing technical support, our teams will first perform the following checks:
3.1.1. Service Contract Check
Our Welcome Center will first check the Service Contract status (depending on the product):
• Valid Service contract (SMS/SES or SPS since July 2012) for OmniPCX Enterprise, OpenTouch and related Communications applications.
• Valid Support Fees for Data solutions.
It is recommended that the business partner engineers keep their certifications up to date and verify the system for which an issue is reported has a valid contract, prior to reaching out to Alcatel Lucent Enterprise support. Contracts status can be checked at:
http://enterprise.alcatel-lucent.com/?services=SupportServices&page=ContractChecker
3.1.2. Engineer Certification Check
Our Welcome Center will then verify the certification levels. The engineer must have a valid and unexpired post-sales certification for the solution for which support is requested.
CERTIFICATIONS (function, certification, description)
• SALES: ACSR (Alcatel-Lucent Certified Sales Representative). For sales representatives who sell Alcatel-Lucent products and solutions.
• POSTSALES: ACSE (Alcatel-Lucent Certified System Expert). For expert engineers in charge of complex configurations, installation and remote service support.
• POSTSALES: ACFE (Alcatel-Lucent Certified Field Expert). For field engineers in charge of advanced configurations, installation and service support.
• PRESALES: ACPS (Alcatel-Lucent Certified Presales). For presales engineers who design large/complex networking projects.
• PRESALES: AQPS (Alcatel-Lucent Qualified Presales). For presales engineers who design stand-alone projects.
3.2. Opening Severity 1,2,3 and 4 severities
For Severity 3 (S3) and Severity 4 (S4) cases, you can contact us by telephone, e-mail or via the internet, through the eService Request on the BP Enterprise Business Portal.
For Severity 1 (S1) and Severity 2 (S2) cases, you must contact us by telephone only. In that case, you will be routed immediately to an Alcatel-Lucent engineer.
E-mail: [email protected]
Phone: + 1 650 385 2193
Answer: + 1 650 385 2193
French answer: + 1 650 385 2196
German answer: + 1 650 385 2197
Spanish answer: + 1 650 385 2198
3.3. Basic Requirements for opening an eService Request
When opening an eSR, our business partner expert is expected to provide the system ID (or serial number). In a majority of cases, the Alcatel-Lucent Support Engineer has limited knowledge about the customer configuration and the environment. So it is key to provide as much information as possible to the technical support engineer to speed up the troubleshooting process:
• Business impacts, occurrence of the issue, reproducibility
• Detailed description of the issue, the use case / scenario for which the issue can be observed
• Description of the environment, products and servers involved with their software release
Before opening an eService Request, please make sure that:
• The solution you are implementing is supported
• Your problem has not already been reported and fixed (use our TKC knowledge base and Release note library)
• You have read the technical tips related to the subject
Please note that for most products or solutions, a form that contains all required information is available in the support section of our business partner web site.
3.4. Status of eService Request
With the online Alcatel-Lucent eService Request tool, you can easily track progress or update your eService Requests with notes and attachments. The status can be set to:
• Open: Your Alcatel-Lucent engineer is currently investigating the issue (analysis of the issue, lab replication efforts, configuration verifications, software code verification, …)
• Pending-External: Your Alcatel-Lucent TAC engineer has requested additional information from you;
• Customer validation: Your eService Request has been treated. We await your validation of our answer. Without any feedback, the SR will be automatically closed after 10 days for an eSR, 60 days for a PR (Engineering request)
• Validation refused: You have refused our answer, the SR/PR will be re-opened;
• Closed: Your eService Request is closed.
3.5. eService Request Escalation
When your business is impacted or in danger due to Technical Support issues, contact us through the escalation procedure. If you are not completely satisfied with the progress on resolving your eService Request or if your business is impacted, please contact us through the escalation procedure.
3.6. END CUSTOMER NAME
Switching from a pure “case by case” approach, to a more “Customer” oriented approach
In order to improve our need to end customer support, we populate our CRM data base with the end customer name information to provide better management of the overall customer situation and environment and improve the level of service and feedback ALE can provide. Kindly provide us with the end customer name when opening an eSR with ALCATEL LUCENT ENTERPRISE CUSTOMER CARE.
4 Incident Severity
To ensure that all customer maintenance and support problems are reported and evaluated in a standard format by the Partner and the customer, four (4) problem severity levels have been established. These severity levels will assist the Partner and Alcatel in allocating the appropriate resources to resolve problems and use a common classification system that facilitates all action plans and decisions. According to the problem severity level, the Partner must contact Alcatel Technical Support via the Welcome Center to report the problem and determine an action plan in order to resolve the issue with all the resources needed within a specific period of time.
The order of priority levels begins from the most severe system breakdown (severity 1) to normal assistance and routine support and information requests with no impact on the customer day to day operations (severity 4).
4.1. Severity 1: Critical severity (Severity One)
End User’s telecommunications network or a major business application is down, causing a critical impact to business operations if service is not restored quickly. Severity 1 cases are processed 24 hours a day seven days a week. Alcatel requires that a certified technician of the Business Partner is onsite to qualify the issue as a Severity 1.
4.2. Severity 2: High severity (Severity Two).
End User’s service is not down but telecommunications network or a main business application is severely degraded with a significant impact to business operations. Workaround needs to be delivered if possible.
4.3. Severity 3: Medium severity (Severity Three)
Network functionality is noticeably impaired but most business operations continue with medium business impact to customer.
4.4. Severity 4: Low severity (Severity Four)
Network functionality is loosely impaired or End User requires information or assistance on Alcatel product capabilities, system installation or configuration. These ordinary issues have very low business impact to customer.
5 Tools available:
5.1. Contact Checker
This tool can be used to verify the validity of the support contract by entering either the support contract number or the CPU ID:
http://enterprise.alcatel-lucent.com/?services=SupportServices&page=ContractChecker
5.2. Alcatel-Lucent Enterprise Application Partner Program (AAPP)
Kindly VISIT THE APPLICATION PARTNER PORTAL at
http://applicationpartner.alcatel-lucent.com
5.3. Security Advisories
That section contains all the latest available information about security alerts and security recommendations when deploying Alcatel-Lucent Enterprise solutions in a customer environment. Connecting regularly to that section of our support portal is important to stay up to date with the latest security communications.
5.4. Technical communications
You can find all technical documentation published by Alcatel-Lucent Enterprise Customer Care (trouble shooting guides, quick set up guides etc …). Those documents complement the product documentation which is also available in that section of our business partner web site.
5.5. The Knowledge Center
This tool is now available to all our business partners. Each time an issue is resolved, our support engineers publish a knowledge article available to all experts.
5.6. Twitter and Facebook
The Technical Support Facebook and Twitter channels are accessible in the Technical Quick Links on the technical support page.
The objective is to increase the awareness of our:
• New software releases
• New technical communications
• AAPP InterWorking Reports
• Newsletter
All products (Voice & data) are covered, and direct access is given to the related software or document on the Business Portal.
5.7. Contacts
Please contact one of the following persons should you have any additional questions regarding Customer Care support access and procedures:
- Franck DUPUY: [email protected]
- Marc CHAUVIN: [email protected]
- Eric LECHELARD: [email protected]
End of document
Find a Course
Browse our catalog available on ALE Knowledge Hub (https://enterprise-education.csod.com) to find your training path and course detail.
Feedback
In order to improve the quality of the documentation, please report any feedback to:
Address:
Alcatel-Lucent Enterprise
115-225 rue Antoine de Saint-Exupéry
ZAC Prat Pip – Guipavas
29806 BREST CEDEX 9 – France
FAX: (33) 2 98 28 50 03
Or Email: [email protected]