I had a need to do some port-channel configuration on the Brocade switches. I thought I'd share the config needed for that.
To do a static trunk/port-channel:
(config)# trunk e 1/1/1 e 2/1/1
(config)# trunk deploy
To do a LACP trunk/port-channel:
(config)# int e 1/1/1
(config-if)# link-agg conf key 10001
(config-if)# link-agg act
(config-if)# int e 2/1/1
(config-if)# link-agg conf key 10001
(config-if)# link-agg act
To verify the configuration, use the following commands:
"show trunk"
"show link-agg"
This is the retired Shane Killen personal blog, an IT technical blog about configs and topics related to the Network and Security Engineer working with Cisco, Brocade, Check Point, and Palo Alto and Sonicwall. I hope this blog serves you well. -- May The Lord bless you and keep you. May He shine His face upon you, and bring you peace.
Saturday, June 30, 2012
Thursday, June 28, 2012
How To Change The Brocade AP System Name Inside the Web GUI
In case you ever need to change the system name of the AP, so that it matches something like a description of where the AP actually is, here is where you need to go to do that. Follow the numbering scheme in the screenshot.
Click on 'commit' and 'save'.
How To Put A Static IP Address On A Brocade 650 AP Via Web GUI
I wanted to share how to set a static IP address on a Brocade 650 AP from the Web GUI. In the screenshots below, go by the numbering system for what order to click on.
***NOTE that this is once the AP is already on the network via DHCP. You will want to make sure that no other device has this IP address already.
Uncheck the DHCP option in the screenshot below.
Then, click 'ok', 'exit', 'commit', and 'save'.
Monday, June 25, 2012
Check Point: How To Connect Sync Ports Together In HA/Redundancy
I wanted to write up a 'how to' on connecting sync ports in a Check Point HA topology. See the diagram below. Connect each sync port (sync #1 and sync #2) to its own switch, in case one switch fails. Also, make sure you connect them to a switch and NOT to each other with a crossover cable. If you use a crossover cable and one unit goes down, the interface on the other unit also goes down. This can cause you problems and is undesirable. Make sure you ALWAYS use a switch when connecting sync ports together in an HA topology. Check Point TAC will always tell you to use a crossover cable. This is not the correct way to do this.
How to connect the sync ports:
How NOT to connect the sync ports (below, with the use of crossover cables):
How To Change NTP Server For ShoreTel IP Phones
I wanted to make the NTP server an external server so that the IP phones could get their time from it. I chose one somewhere in Nebraska I think. Here are some screenshots of what to do. First, go to the directory to select the file that matches the IP phone you have. See below.
Next, edit your appropriate file.
Reboot your phones, and the time should come up correctly. I have noticed that sometimes NTP takes a little time to set your phones. Just FYI.
Thursday, June 21, 2012
How To Change A Wireless SSID Key On A Brocade Wireless Controller
How do you change the wireless key on a Brocade wireless controller? See the screenshot below. Notice what I have circled in red to get to where the key is put in.
Friday, June 15, 2012
How To Configure A Brocade 7131 Portal/Client Wireless (Mesh) Bridge In CLI
I always prefer CLI over GUIs any day. When it comes to Brocade wireless, I have had one really great teaching resource somewhat in my area that has really helped me out a lot. That is something I really appreciate. So, I wanted to post two CLI configs of a wireless bridge using 7131s, and highlight some important pieces of the config. In this config, I have a bridge configured. Also, wireless devices can connect to both of the APs, the portal and the client.
The items highlighted in YELLOW are the config for the wireless devices to connect to the AP.
The items highlighted in RED are the bridge config on the AP.
First, here is the client side:
sh run
!
! Configuration of BR7131 version 5.2.0.0-069R
!
!
version 2.1
!
!
ip access-list BROADCAST-MULTICAST-CONTROL
permit tcp any any rule-precedence 10 rule-description "permit all TCP traffic"
permit udp any eq 67 any eq dhcpc rule-precedence 11 rule-description "permit DHCP replies"
deny udp any range 137 138 any range 137 138 rule-precedence 20 rule-description "deny windows netbios"
deny ip any 224.0.0.0/4 rule-precedence 21 rule-description "deny IP multicast"
deny ip any host 255.255.255.255 rule-precedence 22 rule-description "deny IP local broadcast"
permit ip any any rule-precedence 100 rule-description "permit all IP traffic"
!
mac access-list PERMIT-ARP-AND-IPv4
permit any any type ip rule-precedence 10 rule-description "permit all IPv4 traffic"
permit any any type arp rule-precedence 20 rule-description "permit all ARP traffic"
!
firewall-policy default
no ip dos tcp-sequence-past-window
no stateful-packet-inspection-l2
!
igmp-snoop-policy default
no igmp-snooping
no querier
unknown-multicast-fwd
!
!
mint-policy global-default
!
wlan-qos-policy default
qos trust dscp
qos trust wmm
!
radio-qos-policy default
!
wlan BOE
ssid BOE
vlan 1
bridging-mode local
encryption-type tkip-ccmp
authentication-type none
wpa-wpa2 psk 0 WIRELESSCLIENTPASSKEY
!
wlan bridge-Bridge
ssid bridge-Bridge
vlan 1
bridging-mode tunnel
encryption-type tkip
authentication-type none
no client-client-communication
wpa-wpa2 psk 0 PASSWORD
!
!
management-policy default
no http server
https server
ssh
user admin password role superuser access all
user operator password role monitor access all
no snmp-server manager v2
snmp-server community public ro
snmp-server community private rw
snmp-server user snmpoperator v3 encrypted des auth md5 0 operator
snmp-server user snmptrap v3 encrypted des auth md5 0 admin123
snmp-server user snmpmanager v3 encrypted des auth md5 0 admin123
banner motd Brocade Mobility Wireless
!
profile br71xx default-br71xx
autoinstall configuration
autoinstall firmware
interface radio1
interface radio2
interface radio3
interface ge1
ip dhcp trust
qos trust dscp
qos trust 802.1p
interface ge2
ip dhcp trust
qos trust dscp
qos trust 802.1p
interface vlan1
ip address dhcp
ip address zeroconf secondary
ip dhcp client request options all
interface wwan1
use firewall-policy default
service pm sys-restart
!
rf-domain default
timezone America/Chicago
country-code us
!
br71xx XX-XX-XX-XX-XX-XX
use profile default-br71xx
use rf-domain default
hostname br7131-XXXXX
bridge vlan 1
no edge-vlan
bridging-mode tunnel
ip arp trust
interface radio1
power 27
wlan BOE bss 1 primary
preamble-short
aggregation amsdu tx-rx
rifs tx-rx
interface radio2
rf-mode 5GHz-wlan
channel 60
power 27
data-rates default
placement outdoor
mesh client <----- This command says that this AP is the 'client'
mesh psk PASSWORD
wlan bridge-Bridge bss 1 primary
no preamble-short
antenna-mode 1x1
interface ge1
switchport mode trunk
switchport trunk native vlan 1
no switchport trunk native tagged
switchport trunk allowed vlan 1,20
interface ge2
interface vlan1
ip address 172.16.2.252/24
ip dhcp client request options all
logging on
logging console warnings
logging buffered warnings
!
!
end
br7131-XXXXX#
-------------------------
Now for the config of the 7131 portal side of the bridge. Again, wireless devices do connect to this as well.
sh run
!
! Configuration of BR7131 version 5.2.0.0-069R
!
!
version 2.1
!
!
ip access-list BROADCAST-MULTICAST-CONTROL
permit tcp any any rule-precedence 10 rule-description "permit all TCP traffic"
permit udp any eq 67 any eq dhcpc rule-precedence 11 rule-description "permit DHCP replies"
deny udp any range 137 138 any range 137 138 rule-precedence 20 rule-description "deny windows netbios"
deny ip any 224.0.0.0/4 rule-precedence 21 rule-description "deny IP multicast"
deny ip any host 255.255.255.255 rule-precedence 22 rule-description "deny IP local broadcast"
permit ip any any rule-precedence 100 rule-description "permit all IP traffic"
!
mac access-list PERMIT-ARP-AND-IPv4
permit any any type ip rule-precedence 10 rule-description "permit all IPv4 traffic"
permit any any type arp rule-precedence 20 rule-description "permit all ARP traffic"
!
firewall-policy default
no ip dos tcp-sequence-past-window
no stateful-packet-inspection-l2
!
igmp-snoop-policy default
no igmp-snooping
no querier
unknown-multicast-fwd
!
!
mint-policy global-default
!
wlan-qos-policy default
qos trust dscp
qos trust wmm
!
radio-qos-policy default
!
wlan BOE
description BOE
ssid BOE
vlan 1
bridging-mode local
encryption-type tkip-ccmp
authentication-type none
wpa-wpa2 psk 0 WIRELESSCLIENTPASSKEY
!
wlan bridge-Bridge
ssid bridge-Bridge
vlan 1
bridging-mode tunnel
encryption-type tkip
authentication-type none
no client-client-communication
wpa-wpa2 psk 0 PASSWORD
management-policy default
no http server
https server
ssh
user admin password role superuser access all
user operator password role monitor access all
no snmp-server manager v2
snmp-server community public ro
snmp-server community private rw
snmp-server user snmptrap v3 encrypted des auth md5 0 admin123
snmp-server user snmpoperator v3 encrypted des auth md5 0 operator
snmp-server user snmpmanager v3 encrypted des auth md5 0 admin123
banner motd Brocade Mobility Wireless
!
profile br71xx default-br71xx
autoinstall configuration
autoinstall firmware
interface radio1
interface radio2
interface radio3
interface ge1
ip dhcp trust
qos trust dscp
qos trust 802.1p
interface ge2
ip dhcp trust
qos trust dscp
qos trust 802.1p
interface vlan1
ip address dhcp
ip address zeroconf secondary
ip dhcp client request options all
interface wwan1
use firewall-policy default
service pm sys-restart
!
rf-domain default
timezone America/Chicago
country-code us
!
br71xx XX-XX-XX-XX-XX-XX
use profile default-br71xx
use rf-domain default
hostname br7131-XXXXXX
bridge vlan 1
no edge-vlan
bridging-mode tunnel
ip arp trust
interface radio1
power 27
wlan BOE bss 1 primary
preamble-short
aggregation amsdu tx-rx
rifs tx-rx
interface radio2
description Mesh
rf-mode 5GHz-wlan
channel 60
power 27
data-rates default
placement outdoor
mesh portal <----- This command says that this AP is the 'portal'
mesh psk PASSWORD
wlan bridge-Bridge bss 1 primary
no preamble-short
antenna-mode 1x1
interface ge1
switchport mode trunk
switchport trunk native vlan 1
no switchport trunk native tagged
switchport trunk allowed vlan 1,20
interface vlan1
ip address 172.16.2.251/24
ip dhcp client request options all
logging on
logging console warnings
logging buffered warnings
!
!
end
br7131-XXXXXX#
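Several lines in the two running-configs above deserve a second look before a config like this goes into production: both WLAN passphrases and the mesh PSK are stored in the clear (`wpa-wpa2 psk 0 ...`, `mesh psk ...`), the bridge WLAN is TKIP-only and the client WLAN still allows TKIP, and the management policy keeps the well-known SNMP communities `public` and `private` plus an SNMPv3 user on DES/MD5 whose password is written out in the config. The Python below is an added example, not code from this post or from Brocade, that walks a WiNG-style running-config and flags exactly those settings. The excerpt it scans is constructed from the lines above with the placeholders kept, and the patterns assume the command syntax shown on this page.

```python
"""Flag weak wireless and management settings in a WiNG-style AP running-config."""
import re

# Constructed excerpt modelled on the two 7131 running-configs above (placeholders kept).
SAMPLE_CONFIG = """\
wlan BOE
 ssid BOE
 encryption-type tkip-ccmp
 authentication-type none
 wpa-wpa2 psk 0 WIRELESSCLIENTPASSKEY
!
wlan bridge-Bridge
 ssid bridge-Bridge
 encryption-type tkip
 authentication-type none
 wpa-wpa2 psk 0 PASSWORD
!
management-policy default
 no http server
 https server
 ssh
 snmp-server community public ro
 snmp-server community private rw
 snmp-server user snmpmanager v3 encrypted des auth md5 0 admin123
!
interface radio2
 mesh portal
 mesh psk PASSWORD
"""

DEFAULT_COMMUNITIES = {"public", "private"}

# (pattern, finding id, explanation); patterns assume the command syntax shown on this page.
CHECKS = [
    (re.compile(r"^wpa-wpa2 psk 0 \S+$"), "cleartext-psk",
     "WPA/WPA2 passphrase stored unencrypted in the config (psk 0)"),
    (re.compile(r"^mesh psk \S+$"), "cleartext-mesh-psk",
     "mesh backhaul passphrase readable from the config"),
    (re.compile(r"^encryption-type tkip$"), "tkip-only",
     "TKIP-only WLAN: TKIP is RC4-based and deprecated, move to CCMP"),
    (re.compile(r"^encryption-type tkip-ccmp$"), "tkip-allowed",
     "TKIP allowed next to CCMP: clients may negotiate the weaker cipher"),
    (re.compile(r"^snmp-server user \S+ v3 encrypted des auth md5 0 \S+$"), "weak-snmpv3",
     "SNMPv3 user on DES/MD5 with its password written in the clear"),
]
BLOCK_HEADER = re.compile(r"^(wlan|interface|management-policy|profile|rf-domain|br71xx)\s+(\S+)")
SNMP_COMMUNITY = re.compile(r"^snmp-server community (\S+) (ro|rw)$")


def audit_config(text):
    """Return [(block, finding_id, detail), ...] in the order the lines appear."""
    findings, block = [], "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        header = BLOCK_HEADER.match(line)
        if header:  # remember which wlan / interface / policy the following lines belong to
            block = f"{header.group(1)} {header.group(2)}"
            continue
        community = SNMP_COMMUNITY.match(line)
        if community:
            name, mode = community.groups()
            if name in DEFAULT_COMMUNITIES:
                findings.append((block, "default-snmp-community",
                                 f"well-known community '{name}' with {mode} access"))
            continue
        for pattern, finding_id, detail in CHECKS:
            if pattern.match(line):
                findings.append((block, finding_id, detail))
                break
    return findings


if __name__ == "__main__":
    for block, finding_id, detail in audit_config(SAMPLE_CONFIG):
        print(f"[{finding_id}] {block}: {detail}")
```

Run it against the output of `sh run` saved to a file and it reports eight findings for the excerpt above; the two WLAN blocks each produce a cipher finding and a cleartext-passphrase finding, the management policy produces three, and the mesh radio one. The block tracking is deliberately simple (a `wlan X bss 1 primary` line inside a device block is treated as a new block header), which is enough to say which WLAN or policy a finding belongs to.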
Thursday, June 14, 2012
How To Add A Wireless SSID On A Brocade Wireless Controller (RS6000)
In this configuration, we are going to add a SSID so that wireless devices can connect to the network. See the screenshots below and notice what I have circled. The circled items will tell you what you need to configure and where you need to be.
Let's go to the Configuration Tab --> Wireless and 'Add' a SSID. Make sure you click 'OK', 'Commit', and 'Save'.
Now, let's select the security info you want. Make sure you click 'OK', 'Commit', and 'Save'.
Now, let's go to Configure --> Devices --> Device Overrides. Highlight the device you want to edit, and click on 'Edit'.
Let's now select the radio you want to edit.
You will want to select the SSID on the left, and move it over to the right. Click 'OK' after each of the following screenshots.
Click 'OK', 'Commit', and 'Save'. Now you will have a SSID that wireless devices can connect to.
Cisco ASA: How To Change The Default Gateway For Clients When Your ASA Is The DHCP Server
What do you do if your Cisco ASA is the DHCP server for a network and you need a different default gateway for your DHCP clients? In my case, I needed the ASA to be the DHCP server, but I needed a layer 3 switch to be the default gateway for the clients. You see, I had two VLANs on the local network, and I needed the DHCP clients to be able to get to the other VLAN. But I couldn't have those DHCP clients coming to the ASA first; I needed them to go to the layer 3 switch (where the VLANs resided) in order for the two to talk to each other. Well, in the ASA DHCP config, you can set the default gateway handed to the clients to something other than the ASA itself. Here is the command you are looking for to make that happen: it's the 'dhcpd option 3' command. Here is my example to get this working:
ASA(config)# dhcpd option 3 ip 192.168.1.2
This made my layer 3 switch the default-gateway for the clients instead of my ASA. Works well.
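To see what that command actually changes on the wire, here is an added Python example (not from this post or from Cisco) that encodes and decodes the DHCP options field per RFC 2132. After `dhcpd option 3 ip 192.168.1.2`, the OFFER/ACK still carries the ASA's own address in option 54 (server identifier), while option 3 (router) now carries the layer 3 switch, which is the address the client installs as its default gateway. The ASA inside address 192.168.1.1 is an assumption made for the example; 192.168.1.2 is the switch address from the post.

```python
"""Encode and decode the DHCP options field to show what 'dhcpd option 3' changes."""
import ipaddress
import struct

OPT_PAD, OPT_SUBNET_MASK, OPT_ROUTER, OPT_SERVER_ID, OPT_END = 0, 1, 3, 54, 255

ASA_INSIDE = "192.168.1.1"   # assumed inside address of the ASA (the DHCP server)
L3_SWITCH = "192.168.1.2"    # gateway from the post's 'dhcpd option 3 ip' command


def packed(addr):
    """Dotted-quad string -> 4 network-order bytes."""
    return ipaddress.IPv4Address(addr).packed


def encode_options(options):
    """[(code, value_bytes), ...] -> RFC 2132 TLV option field terminated by END."""
    out = bytearray()
    for code, value in options:
        out += struct.pack("BB", code, len(value)) + value
    out.append(OPT_END)
    return bytes(out)


def decode_options(blob):
    """TLV option field -> {code: value_bytes}; stops at END, skips PAD."""
    opts, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = blob[i + 1]
        opts[code] = blob[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def build_offer_options(server_ip, router_ip, mask="255.255.255.0"):
    """Options the server puts in its OFFER/ACK: mask, router (option 3), server identifier (54)."""
    return encode_options([
        (OPT_SUBNET_MASK, packed(mask)),
        (OPT_ROUTER, packed(router_ip)),
        (OPT_SERVER_ID, packed(server_ip)),
    ])


def server_and_gateway(blob):
    """(dhcp_server, default_gateway) as dotted strings; gateway is None if option 3 is absent.
    Option 3 may list several routers; the first one listed is the preferred gateway."""
    opts = decode_options(blob)
    server = str(ipaddress.IPv4Address(opts[OPT_SERVER_ID]))
    gateway = str(ipaddress.IPv4Address(opts[OPT_ROUTER][:4])) if OPT_ROUTER in opts else None
    return server, gateway


if __name__ == "__main__":
    blob = build_offer_options(ASA_INSIDE, L3_SWITCH)
    print(blob.hex())
    print(server_and_gateway(blob))   # ('192.168.1.1', '192.168.1.2')
```

The decoder is the useful half when troubleshooting: feed it the options bytes from a captured OFFER and it tells you directly whether the router the ASA is handing out is the switch or still the ASA.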
Wednesday, June 13, 2012
How Does 802.1X Work In A Cisco Environment - A Document I Created
I made up a document for a company some time back about 802.1X and how it works in that company. I thought I'd post it here in the hope that it is helpful to you all. Below is the document:
-------------------------
There are 3 sections to this document, shown below. Please read this document in its entirety.
1. How DOT1X works in "company name"’s environment.
2. Things you should know about your Cisco SWITCHES:
3. Things to remember on the ACS Server:
How DOT1X works in "company name"’s environment.
Device Roles in the Dot1x environment:
With 802.1x port-based authentication, the devices in the network have specific roles.
• Host: Requests access to the LAN and switch services and responds to requests from the switch.
• Authentication server (172.16.21.50): Performs the actual authentication of the host. The authentication server validates the identity of the host and notifies the switch whether or not the host is authorized to access the LAN and switch services. Because the switch acts as the proxy, the authentication service is transparent to the host.
• Cisco Switch: Controls the physical access to the network based on the authentication status of the host. The switch acts as an intermediary (proxy) between the host and the authentication server, requesting identity information from the host, verifying that information with the authentication server, and relaying a response to the host. The switch interacts with the RADIUS client. The RADIUS client encapsulates and decapsulates the EAP frames and interacts with the authentication server.
How 802.1x Authentication Works
IEEE 802.1x is a client-server-based access control and authentication protocol that restricts unauthorized devices from connecting to a local area network (LAN) through accessible ports. 802.1x authenticates each user device that is connected to a switch port before making available any services that are offered by the switch or the LAN. Until the device is authenticated, 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the switch port to which the device is connected. After authentication is successful, normal traffic can pass through the switch port. 802.1x controls network access by creating two distinct "virtual access points" at each switch port. One access point is an uncontrolled port; the other is a controlled port. All traffic through the single port is available to both access points. Only EAPOL traffic is allowed to pass through the uncontrolled port, which is always open. The controlled port is open only when the device that is connected to the port has been authorized by 802.1x. After this authorization takes place, the controlled port opens, allowing normal traffic to pass.
Steps to successful Authentication (Refer to picture below):
1. Client, when plugged into the network, sends out EAPOL-Start message and waits for response from switch.
2. Switch sends EAP-Request/Identity. Basically, a “what is your mac-address/hostname?”.
3. Client responds with an EAP-Response/Identity message. Basically an “I am this mac-address/hostname credentials”.
4. Switch forwards this over to the ACS radius server (172.16.21.50).
5. ACS radius server sends back a radius access-request message, saying “what is your userID/password credentials?”.
6. Switch forwards the message to the client, saying “userID/password please”.
7. Client responds with an EAP-Response/OTP (one time password) message. “I am userID/password”.
8. Switch forwards this message over to the ACS radius server.
9. ACS radius server responds with a Radius Access-Accept message, a “yes, you can”. If the password is not right, it’s a “no, you can't”.
Steps taken when the client does not support 802.1x:
In "company name"’s network, if the client does not support 802.1x, no messages are sent from the client; therefore, when the “guest vlan” is set on the port, the client is moved over to the guest VLAN on the network. If there is no guest VLAN, there is no access for the client and the port will be shut down.
Things you should know about your Cisco SWITCHES:
Port States:
• force-authorized: Disables 802.1x authentication and causes the port to transition to the authorized state without any authentication exchange required. The port transmits and receives normal traffic without 802.1x-based authentication of the host. This is the default setting.
• force-unauthorized: Causes the port to remain in the unauthorized state, ignoring all attempts by the host to authenticate. The switch cannot provide authentication services to the host through the interface.
• auto: Enables 802.1x authentication and causes the port to begin in the unauthorized state, allowing only EAPOL frames to be sent and received through the port. The authentication process begins when the link state of the port transitions from down to up or when an EAPOL-start frame is received. The switch requests the identity of the host and begins relaying authentication messages between the host and the authentication server. Each host attempting to access the network is uniquely identified by the switch by using the host’s MAC address.
Guest VLAN:
You can use the guest VLAN feature to let hosts that are not 802.1x capable access networks that use 802.1x authentication. Hosts that do not have 802.1x supplicant capability will not be able to respond to the EAPOL requests initiated by the switch. Normally the port will be shut down if the switch identifies that the connected host is clientless. If the guest VLAN feature is enabled, the port will be associated with a different VLAN instead of shutting down.
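Added example, not part of the original document: a small Python model of a dot1x access port that follows the description above. The uncontrolled port passes only EAPOL frames (EtherType 0x888E), the controlled port opens only after the RADIUS server returns Access-Accept, a port that never hears a supplicant reply falls into the guest VLAN instead of shutting the host out, and the three `dot1x port-control` modes behave as listed under Port States. The RADIUS server, its user table and the VLAN numbers 600 and 620 (taken from the switch example further down the page) are constructed for the example. The credential prompt is modelled as a RADIUS Access-Challenge, the standard name for the server message that the numbered steps above call an access-request, and the guest-VLAN timer assumes Cisco's (max-reauth-req + 1) x tx-period rule with the default max-reauth-req of 2.

```python
"""Model of a dot1x access port: the uncontrolled port passes only EAPOL, the controlled
port opens after RADIUS Access-Accept, and a clientless host lands in the guest VLAN."""

EAPOL_ETHERTYPE = 0x888E
IPV4_ETHERTYPE = 0x0800


class RadiusServer:
    """Stand-in for the ACS RADIUS server; the user table is constructed for this example."""

    def __init__(self, users):
        self.users = users  # identity -> password (hypothetical data)

    def access_request(self, identity, password=None):
        if password is None:          # identity only: server asks for credentials
            return "Access-Challenge"
        return "Access-Accept" if self.users.get(identity) == password else "Access-Reject"


class Dot1xPort:
    """One switch port; port_control takes the values of 'dot1x port-control'."""

    def __init__(self, radius, access_vlan, guest_vlan=None,
                 port_control="auto", tx_period=15, max_reauth_req=2):
        self.radius = radius
        self.access_vlan = access_vlan
        self.guest_vlan = guest_vlan          # dot1x guest-vlan <id>; None = not configured
        self.port_control = port_control
        self.tx_period = tx_period            # dot1x timeout tx-period (seconds)
        self.max_reauth_req = max_reauth_req  # assumed Cisco default of 2
        self.identity = None
        self.radius_log = []                  # every answer the switch got from RADIUS
        self.link_up()

    def link_up(self):
        if self.port_control == "force-authorized":   # no exchange required at all
            self.state, self.vlan = "authorized", self.access_vlan
        else:                                         # controlled port starts closed
            self.state, self.vlan = "unauthorized", None

    def controlled_port_open(self):
        return self.state in ("authorized", "guest")

    def ingress(self, ethertype, payload=None):
        """Fate of a frame from the host: 'forward', 'drop', or the EAP reply the switch sends."""
        if self.port_control == "force-authorized":
            return "forward"
        if self.port_control == "force-unauthorized":
            return "drop"                             # EAPOL is ignored too
        if ethertype != EAPOL_ETHERTYPE:              # uncontrolled port: EAPOL only
            return "forward" if self.controlled_port_open() else "drop"
        return self._handle_eapol(payload)

    def _handle_eapol(self, msg):
        kind = msg.get("type")
        if kind == "EAPOL-Start":                               # steps 1-2
            return "EAP-Request/Identity"
        if kind == "EAP-Response/Identity":                     # steps 3-6
            self.identity = msg["identity"]
            self.radius_log.append(self.radius.access_request(self.identity))
            return "EAP-Request/Password"
        if kind == "EAP-Response/Password":                     # steps 7-9
            verdict = self.radius.access_request(self.identity, msg["password"])
            self.radius_log.append(verdict)
            if verdict == "Access-Accept":
                self.state, self.vlan = "authorized", self.access_vlan
                return "EAP-Success"
            self.state, self.vlan = "unauthorized", None
            return "EAP-Failure"
        return "drop"

    def seconds_until_guest_vlan(self):
        """Request/Identity goes out (max_reauth_req + 1) times, tx_period apart, before giving up."""
        return (self.max_reauth_req + 1) * self.tx_period

    def identity_timeout(self):
        """No EAPOL reply at all: guest VLAN if configured, otherwise no access."""
        if self.guest_vlan is not None:
            self.state, self.vlan = "guest", self.guest_vlan
        else:
            self.state, self.vlan = "unauthorized", None
        return self.vlan


def walk_through():
    """Run the document's scenarios; returns (state, vlan, fate of an IPv4 frame) per case."""
    radius = RadiusServer({"alice": "correct-horse"})           # constructed credential
    results = {}

    def authenticate(port, identity, password):
        port.ingress(EAPOL_ETHERTYPE, {"type": "EAPOL-Start"})
        port.ingress(EAPOL_ETHERTYPE, {"type": "EAP-Response/Identity", "identity": identity})
        port.ingress(EAPOL_ETHERTYPE, {"type": "EAP-Response/Password", "password": password})

    port = Dot1xPort(radius, access_vlan=600, guest_vlan=620)  # like the switch example's Fa0/11
    results["before-auth"] = port.ingress(IPV4_ETHERTYPE)        # IPv4 before auth is dropped
    authenticate(port, "alice", "correct-horse")
    results["good-creds"] = (port.state, port.vlan, port.ingress(IPV4_ETHERTYPE))

    port = Dot1xPort(radius, access_vlan=600, guest_vlan=620)
    authenticate(port, "alice", "wrong")
    results["bad-creds"] = (port.state, port.vlan, port.ingress(IPV4_ETHERTYPE))

    port = Dot1xPort(radius, access_vlan=600, guest_vlan=620)   # printer with no supplicant
    port.identity_timeout()
    results["clientless"] = (port.state, port.vlan, port.ingress(IPV4_ETHERTYPE))

    port = Dot1xPort(radius, access_vlan=600)                   # same host, no guest VLAN
    port.identity_timeout()
    results["clientless-no-guest"] = (port.state, port.vlan, port.ingress(IPV4_ETHERTYPE))
    return results
```

The `radius_log` on a port shows the Challenge/Accept or Challenge/Reject pair the switch relayed, which is the same sequence you would look for in the ACS passed/failed authentication reports when a host ends up in the wrong VLAN.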
Example: Cut and paste from "company name" switch SSA-MDF-1
aaa authentication dot1x default group radius <----- Create an 802.1X authentication method list.
dot1x system-auth-control <----- Enable 802.1X authentication globally on the switch.
****NOTE****: The port below is in the correct configuration for enabled dot1x:
interface FastEthernet0/11
switchport access vlan 600
switchport mode access
switchport voice vlan 301
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip trust
dot1x pae authenticator <----- Enables 802.1X authentication on the port with default parameters.
dot1x port-control auto <----- Enable 802.1X authentication on the interface.
dot1x host-mode multi-host <----- Allows multiple hosts (clients) on an 802.1X-authorized port.
dot1x timeout tx-period 15 <----- Sets the number of seconds that the switch waits for a response to an EAP-request/identity frame from the client before retransmitting the request.
dot1x guest-vlan 620 <----- Enables “guest vlan” access for clients that do not support 802.1x. Port will not shut down!
spanning-tree portfast
****NOTE****: The port below is in the “force-authorized” configuration for enabled dot1x. The command “dot1x port-control auto” is not present below, so the port ends up in the default mode, “force-authorized”:
interface FastEthernet0/27
switchport access vlan 600
switchport mode access
switchport voice vlan 301
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip trust
dot1x pae authenticator
dot1x host-mode multi-host
dot1x timeout tx-period 15
dot1x guest-vlan 620
spanning-tree portfast
*****NOTE*****: I have noticed on this particular example that the Radius server configuration is NOT complete on the switch SSA-MDF-1. I have not checked the others, but if one isn’t correct, then there may be others as well.
*****NOTE*****: These switches/routers have to be configured as devices that authenticate to the Radius server. If they are not configured in the ACS Server, then they will not authenticate with ACS. See next section for where to go for this.
Things to remember on the ACS Server:
To add the Cisco switches/routers to be able to authenticate via the ACS Radius server, go to the following:
Network Configuration --> Network Groups --> Dot1x --> Add Device.
*****NOTE*****: On the ACS Server, under Shared Profile Components --> Network Access Restrictions --> Dot1x, this is the profile defined for Dot1x. Not much there except a wide open profile to permit. See screenshot below:
*****NOTE*****: On the ACS Server, under Group Setup, select the group you would like to edit, if any. In the group settings for the group, you can select DOT1X as a requirement for the group to access the network. See screenshot below:
-------------------------
There are 3 sections to this document, shown below. Please read this document in its entirety.
1. How DOT1X works in "company name"’s environment.
2. Things you should know about your Cisco SWITCHES:
3. Things to remember on the ACS Server:
How DOT1X works in "company name"’s environment.
Device Roles in the Dot1x environment:
With 802.1x port-based authentication, the devices in the network have specific roles.
• Host: Requests access to the LAN and switch services and responds to requests from the switch.
• Authentication server (172.16.21.50): Performs the actual authentication of the host. The authentication server validates the identity of the host and notifies the switch whether or not the host is authorized to access the LAN and switch services. Because the switch acts as the proxy, the authentication service is transparent to the host.
• Cisco Switch: Controls the physical access to the network based on the authentication status of the host. The switch acts as an intermediary (proxy) between the host and the authentication server, requesting identity information from the host, verifying that information with the authentication server, and relaying a response to the host. The switch interacts with the RADIUS client. The RADIUS client encapsulates and decapsulates the EAP frames and interacts with the authentication server.
How 802.1x Authentication Works
IEEE 802.1x is a client-server-based access control and authentication protocol that restricts unauthorized devices from connecting to a local area network (LAN) through accessible ports. 802.1x authenticates each user device that is connected to a switch port before making available any services that are offered by the switch or the LAN. Until the device is authenticated, 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the switch port to which the device is connected. After authentication is successful, normal traffic can pass through the switch port. 802.1x controls network access by creating two distinct "virtual access points" at each switch port. One access point is an uncontrolled port; the other is a controlled port. All traffic through the single port is available to both access points. Only EAPOL traffic is allowed to pass through the uncontrolled port, which is always open. The controlled port is open only when the device that is connected to the port has been authorized by 802.1x. After this authorization takes place, the controlled port opens, allowing normal traffic to pass.
Steps to successful Authentication (Refer to picture below):
1. Client, when plugged into the network, sends out an EAPOL-Start message and waits for a response from the switch.
2. Switch sends EAP-Request/Identity. Basically, a “what is your mac-address/hostname?”.
3. Client responds with an EAP-Response/Identity message. Basically, an “I am this mac-address/hostname”.
4. Switch forwards this over to the ACS radius server (172.16.21.50).
5. ACS radius server sends back a radius access-request message, saying “what is your userID/password credentials?”.
6. Switch forwards the message to the client, saying “userID/password please”.
7. Client responds with an EAP-Response/OTP (one time password) message. “I am userID/password”.
8. Switch forwards this message over to the ACS radius server.
9. ACS radius server responds with a Radius Access-Accept message, a “yes, you can”. If the password is not right, it’s a “no, you can't”.
Steps taken when the client does not support 802.1x:
In "company name"’s network, if the client does not support 802.1x, no messages are sent from the client. Therefore, when a “guest vlan” is set on the port, the client is moved over to the guest vlan on the network. If there is no guest vlan, there is no access for the client and the port will be shut down.
Things you should know about your Cisco SWITCHES:
Port States:
• force-authorized: Disables 802.1x authentication and causes the port to transition to the authorized state without any authentication exchange required. The port transmits and receives normal traffic without 802.1x-based authentication of the host. This is the default setting.
• force-unauthorized: Causes the port to remain in the unauthorized state, ignoring all attempts by the host to authenticate. The switch cannot provide authentication services to the host through the interface.
• auto: Enables 802.1x authentication and causes the port to begin in the unauthorized state, allowing only EAPOL frames to be sent and received through the port. The authentication process begins when the link state of the port transitions from down to up or when an EAPOL-start frame is received. The switch requests the identity of the host and begins relaying authentication messages between the host and the authentication server. Each host attempting to access the network is uniquely identified by the switch by using the host’s MAC address.
Guest VLAN:
You can use the guest VLAN feature to enable non-802.1x capable hosts to access networks that use 802.1x authentication. Hosts that do not have 802.1x supplicant capability will not be able to respond to the EAPOL requests initiated by the switch. Normally the port will be shut down if the switch identifies that the connected host is clientless. If the guest VLAN feature is enabled, the port will be associated with a different VLAN instead of being shut down.
Example: Cut and paste from "company name" switch SSA-MDF-1
aaa authentication dot1x default group radius <----- Create an 802.1X authentication method list.
dot1x system-auth-control <----- Enable 802.1X authentication globally on the switch.
****NOTE****: The port below is in the correct configuration for enforced dot1x:
interface FastEthernet0/11
switchport access vlan 600
switchport mode access
switchport voice vlan 301
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip trust
dot1x pae authenticator <----- Enables 802.1X authentication on the port with default parameters.
dot1x port-control auto <----- Enable 802.1X authentication on the interface.
dot1x host-mode multi-host <----- Allows multiple hosts (clients) on an 802.1X-authorized port.
dot1x timeout tx-period 15 <----- Sets the number of seconds that the switch waits for a response to an EAP-request/identity frame from the client before retransmitting the request.
dot1x guest-vlan 620 <----- Enables “guest vlan” access for clients that do not support 802.1x. Port will not shut down!
spanning-tree portfast
****NOTE****: The port below is in “force-authorized” configuration even though dot1x is enabled. The command “dot1x port-control auto” is not present, so the port ends up in the default, “force-authorized” mode, and no authentication is enforced:
interface FastEthernet0/27
switchport access vlan 600
switchport mode access
switchport voice vlan 301
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip trust
dot1x pae authenticator
dot1x host-mode multi-host
dot1x timeout tx-period 15
dot1x guest-vlan 620
spanning-tree portfast
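As an added example (not part of the original post), here is a small Python audit that reads IOS interface stanzas and reports the effective port-control mode, so a port like Fa0/27 above, which lacks “dot1x port-control auto” and therefore silently defaults to force-authorized, gets flagged. The sample config is constructed from the two stanzas above (QoS lines omitted) plus a made-up Fa0/28 to show the force-unauthorized case.

```python
"""Audit Cisco IOS access ports for their effective 802.1X port-control state.

Added example, not code from the original post. Parses 'interface' stanzas
out of a running-config and reports, per access port, whether dot1x is
enforced ('auto'), bypassed ('force-authorized', the IOS default when
'dot1x port-control' is absent) or blocked ('force-unauthorized').
"""
import re
from typing import Dict, List, Optional

# Constructed sample: the two stanzas from the post (QoS lines omitted)
# plus a made-up FastEthernet0/28 for the force-unauthorized case.
SAMPLE_CONFIG = """\
aaa authentication dot1x default group radius
dot1x system-auth-control
!
interface FastEthernet0/11
 switchport access vlan 600
 switchport mode access
 switchport voice vlan 301
 dot1x pae authenticator
 dot1x port-control auto
 dot1x host-mode multi-host
 dot1x timeout tx-period 15
 dot1x guest-vlan 620
 spanning-tree portfast
!
interface FastEthernet0/27
 switchport access vlan 600
 switchport mode access
 switchport voice vlan 301
 dot1x pae authenticator
 dot1x host-mode multi-host
 dot1x timeout tx-period 15
 dot1x guest-vlan 620
 spanning-tree portfast
!
interface FastEthernet0/28
 switchport access vlan 600
 switchport mode access
 dot1x pae authenticator
 dot1x port-control force-unauthorized
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [sub-commands]} for each 'interface' stanza.

    IOS sub-commands are indented by one space; a column-0 line or a '!'
    separator ends the current stanza.
    """
    stanzas: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
            continue
        if not raw.startswith(" "):
            m = re.match(r"interface\s+(\S+)", raw)
            current = m.group(1) if m else None
            if current is not None:
                stanzas[current] = []
            continue
        if current is not None:
            stanzas[current].append(raw.strip())
    return stanzas


def dot1x_state(subcommands: List[str]) -> dict:
    """Work out the effective 802.1X state of one port from its sub-commands."""
    control = "force-authorized"  # IOS default when port-control is absent
    explicit = False              # did the config set port-control at all?
    guest_vlan: Optional[int] = None
    for cmd in subcommands:
        m = re.match(r"dot1x port-control (\S+)$", cmd)
        if m:
            control, explicit = m.group(1), True
        m = re.match(r"dot1x guest-vlan (\d+)$", cmd)
        if m:
            guest_vlan = int(m.group(1))
    enforced = control == "auto"
    has_dot1x = any(cmd.startswith("dot1x ") for cmd in subcommands)
    findings: List[str] = []
    if has_dot1x and not explicit:
        findings.append("dot1x configured but 'dot1x port-control auto' missing: "
                        "port defaults to force-authorized (no authentication)")
    if guest_vlan is not None and not enforced:
        findings.append(f"guest-vlan {guest_vlan} has no effect outside 'auto' mode")
    return {"port_control": control, "enforced": enforced,
            "guest_vlan": guest_vlan, "findings": findings}


def audit_dot1x(config: str) -> Dict[str, dict]:
    """Audit every access port ('switchport mode access') in a running-config."""
    return {name: dot1x_state(cmds)
            for name, cmds in parse_interfaces(config).items()
            if "switchport mode access" in cmds}


if __name__ == "__main__":
    for name, state in audit_dot1x(SAMPLE_CONFIG).items():
        print(f"{name}: {state['port_control']} (enforced={state['enforced']})")
        for finding in state["findings"]:
            print(f"    ! {finding}")
```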
*****NOTE*****: These switches/routers have to be configured as devices that authenticate to the Radius server. If they are not configured in the ACS Server, then they will not authenticate with ACS. See next section for where to go for this.
Things to remember on the ACS Server:
To add the Cisco switches/routers to be able to authenticate via the ACS Radius server, go to the following:
Network Configuration --> Network Groups --> Dot1x --> Add Device.
*****NOTE*****: On the ACS Server, under Shared Profile Components --> Network Access Restrictions --> Dot1x, this is the profile defined for Dot1x. Not much there except a wide open profile to permit. See screenshot below:
*****NOTE*****: On the ACS Server, under Group Setup --> select the group you would like to edit, if any. In the group settings for the group, you can select DOT1X as a requirement for the group to access the network. See screenshot below:
Cisco Power Injectors vs Cisco POE Switches: Pros and Cons
I usually like, and prefer, when customers do not use POE injectors. This is, however, a personal preference. Here are my primary thoughts on POE injectors vs POE from the switch:
PROs
PRO #1: If you only have a few things to power (like APs, IP phones, etc), then POE injectors are good. The cost is low as opposed to a POE switch, so a good rule is that if you only have a few things to provide power to, go with POE injectors.
PRO #2: I mentioned this in #1, but if finances are the issue, POE injectors are good. They are cheap. Real cheap as opposed to a POE switch.
PRO #3: If the POE goes out in a POE switch, all POE has the chance of going out. If you have injectors, this isn't the case. If an injector goes out, it only affects one device.
PRO #4: If you do have to replace a POE injector, you don't have to bring any production down. You only replace the bad injector and you are back up and running without any production downtime anywhere else in the network.
CONs
CON #1: POE injectors take up more space.
CON #2: POE injectors take up more power slots for plug-ins.
CON #3: POE injectors require more patch cables. One for connection to the switch, and one for connection to the powered device. That's twice what it takes from that of a switch.
CON #4: Most important to me, you cannot reboot a powered device, if you need to, from a remote location. I would do this inside the switch config by disabling either the port or the power on the port. You would have to have someone physically find the POE injector you needed, and have them recycle power to it. WHAT A PAIN if you are not physically onsite!!!
CON #5: They just look bad either hanging from the patch cable, or suspended in the air below the switch in that sea of spaghetti of patch cables. I don't like it.
Mostly because of CON #4, I always prefer a POE switch. I guess that is because I have to do the troubleshooting of devices, and it's just easier to disable a port and re-enable it again.
I posted this in my BrocadeFun site as well, since it is worth mentioning to both Cisco and Brocade folks alike.
Monday, June 11, 2012
Dual-ISP Policy Based Routing: Cisco Route-Maps On A Core Switch To Re-Route HTTP/HTTPS Traffic
I wanted to divert one IP address across a second Internet connection that we have just put in at a customer site. We felt like we needed to do some testing, so we decided to test with a pc with an IP address of 192.168.20.10. We also decided that if we wanted to reach the 70.1.1.0 network on the public side, we needed this traffic to NOT go across the new Internet connection. Here is the topology:
So, here is how I did it.
First, I created my access list to define what traffic needs to be routed across to the new Internet connection. Notice lines two and three.
access-list 105 deny ip host 192.168.20.10 70.1.1.0 0.0.0.255 <------ Do NOT set the next hop if this line matches
access-list 105 permit tcp host 192.168.20.10 any eq 80 <------ Do set the next hop if this line matches
access-list 105 permit tcp host 192.168.20.10 any eq 443 <------ Do set the next hop if this line matches
access-list 105 deny ip any any <------ Do NOT set the next hop if this line matches
Next, configure your route-map to say that it must match ACL 105 and set the next hop to be 192.168.20.100.
route-map HTTP permit 10
match ip address 105
set ip next-hop 192.168.20.100
Next, apply it to the interface vlan 13.
interface Vlan13
ip policy route-map HTTP
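To make the first-match behaviour of ACL 105 under the route-map concrete, here is an added Python evaluator (not from the original post) that applies Cisco wildcard-mask matching to the four ACL lines above and returns the next hop only on a "permit" match; the 203.0.113.x destination and the sample packets are constructed.

```python
"""Simulate the policy-routing decision made by access-list 105 / route-map HTTP.

Added example, not code from the original post: a small evaluator for Cisco
extended-ACL first-match semantics as used by a route-map. A 'permit' match
means the route-map sets the next hop; a 'deny' match, or falling off the end
of the list (implicit deny), means the packet is routed normally.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The four ACL lines from the post, without the '<----' annotations.
ACL_105 = [
    "access-list 105 deny ip host 192.168.20.10 70.1.1.0 0.0.0.255",
    "access-list 105 permit tcp host 192.168.20.10 any eq 80",
    "access-list 105 permit tcp host 192.168.20.10 any eq 443",
    "access-list 105 deny ip any any",
]
NEXT_HOP = "192.168.20.100"  # 'set ip next-hop' in route-map HTTP permit 10

AddrSpec = Tuple[int, int]  # (address, wildcard mask) as 32-bit ints


@dataclass(frozen=True)
class AclEntry:
    action: str              # "permit" or "deny"
    proto: str               # "ip" (matches any protocol) or "tcp"
    src: AddrSpec
    dst: AddrSpec
    dst_port: Optional[int]  # set only when the line ends in 'eq <port>'


def _addr_spec(tokens: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Parse 'any', 'host A' or 'A WILDCARD' at tokens[i]; return spec and next index."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    addr = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (addr, wild), i + 2


def parse_acl(lines: List[str], number: int) -> List[AclEntry]:
    """Parse numbered extended-ACL lines of the shape used in the post."""
    entries = []
    for line in lines:
        tokens = line.split()
        if tokens[:2] != ["access-list", str(number)]:
            continue
        action, proto = tokens[2], tokens[3]
        src, i = _addr_spec(tokens, 4)
        dst, i = _addr_spec(tokens, i)
        port = int(tokens[i + 1]) if i < len(tokens) and tokens[i] == "eq" else None
        entries.append(AclEntry(action, proto, src, dst, port))
    return entries


def _addr_matches(spec: AddrSpec, addr: int) -> bool:
    """Wildcard-mask compare: bits set in the wildcard are 'don't care'."""
    base, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (base & care)


def acl_lookup(entries: List[AclEntry], proto: str, src: str, dst: str,
               dst_port: Optional[int] = None) -> Optional[str]:
    """First matching entry wins; None means the implicit deny at the end."""
    s = int(ipaddress.IPv4Address(src))
    d = int(ipaddress.IPv4Address(dst))
    for e in entries:
        if e.proto != "ip" and e.proto != proto:
            continue
        if not (_addr_matches(e.src, s) and _addr_matches(e.dst, d)):
            continue
        if e.dst_port is not None and e.dst_port != dst_port:
            continue
        return e.action
    return None


def pbr_next_hop(proto: str, src: str, dst: str,
                 dst_port: Optional[int] = None) -> Optional[str]:
    """route-map HTTP permit 10: set the next hop only on an ACL 'permit'."""
    entries = parse_acl(ACL_105, 105)
    return NEXT_HOP if acl_lookup(entries, proto, src, dst, dst_port) == "permit" else None


if __name__ == "__main__":
    # Constructed packets; 203.0.113.5 is a documentation address standing in for the Internet.
    for pkt in [("tcp", "192.168.20.10", "203.0.113.5", 443),
                ("tcp", "192.168.20.10", "70.1.1.20", 443),
                ("tcp", "192.168.20.10", "203.0.113.5", 22),
                ("tcp", "192.168.20.11", "203.0.113.5", 80)]:
        print(pkt, "->", pbr_next_hop(*pkt) or "normal routing")
```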
Sunday, June 10, 2012
How To Add A Static IP Address To A Brocade 650/7131 Access-Point Via CLI (Command Line): Step-By-Step
Here are the commands in the CLI to put a static IP address on an AP.
en
config t
self
int vlan 1
ip address 192.168.1.1/24
exit
ip default-gateway 192.168.50.1
commit
Friday, June 8, 2012
Basic Config For A Cisco CSM (Content Services Module) In A 6500
I wanted to generically go over a basic config for a CSM (Content Services Module) in a 6500 switch that I did some time back. Notice the config for three physical servers (192.168.1.152, 153, and 156) where the CSM blade is hosting a virtual IP address (192.168.1.175) for them. My notes are out to the side on the basic concepts. I'm basically trying to hit one IP address (the virtual IP address) and load balance it across three different physical servers (real servers).
First, here is the topology:
Now, the config and some notes:
serverfarm webserver1 <------ serverfarm name
nat server
nat client webserver1 <----- use the natpool webserver1 for incoming connections
predictor leastconns
failaction reassign
real 192.168.1.152 <----- IP address of physical server #1
inservice <----- it is 'in' service.
real 192.168.1.153 <----- IP address of physical server #2
inservice
real 192.168.1.156 <----- IP address of physical server #3
inservice
probe HTTP
vserver HTTP-server1 <----- virtual server 'name'
virtual 192.168.1.175 tcp 0 <------ virtual IP address that will be used for all 3 servers above
serverfarm webserver1 <-------- points to the 'serverfarm webserver1' so that it knows the physical servers to point to
sticky 20 <----- use sticky connections
idle 300
no persistent rebalance
inservice <------ bring the vserver into 'in' service
natpool webserver1 192.168.1.251 192.168.1.251 netmask 255.255.0.0 <----- client coming in will be nat'ed to this address pool
probe HTTP http
interval 2
failed 20
Wednesday, June 6, 2012
Beginning Questions To Ask For Initial Firewall Configuration
I thought I'd put down what I ask up front when I do a firewall setup. This is pretty much standard for me to ask on any firewall, but I'm putting it in the Ciscofun blog because I tend to do more Cisco ASAs than Check Points.
outside address/subnet mask?
inside address/subnet mask?
next hop address (default route)?
is there a DMZ? if so, what address/subnet mask?
internal routing?
email server on the inside? web server? special nat translations? (static nats)
access-lists on the outside? or inside?
does this do dhcp for the internal network?
vpn remote-access? if so, what dhcp scope to use for clients?
integrate remote-access with AD?
domain name?
site to site vpns? if so, what remote peer, phase I sa, phase II sa, key, nat/nonat?, interesting traffic?
any special routing other than inside network?
local username/passwords on ASA? integrated login to ASA with AD?
'Upgrade_export' Is Now The 'Migrate Export' Command In CLI
I had a Check Point management station that I needed to back up, since we were going to upgrade from R75.30 to R75.40. I found that the common 'upgrade_export' command wouldn't work for me. What I found was that it has been replaced with a new command:
[Expert@Smart1]# $FWDIR/bin/upgrade_tools/upgrade_export /backups/5.30.2012
'upgrade_export' and 'upgrade_import' have been replaced by
the 'migrate' utility.
Run 'migrate' to export and import the Check Point Security
Management Server database.
Running 'migrate export' is equivalent to 'upgrade_export'.
Running 'migrate import' is equivalent to 'upgrade_import'.
[Expert@Smart1]#
Here is what I found that I had to do:
[Expert@Smart1]# $FWDIR/bin/upgrade_tools/migrate export 5.30.2012
You are required to close all clients to Security Management Server
or execute 'cpstop' before the Export operation begins.
Do you want to continue? (y/n) [n]? y
Copying required files...
Compressing files...
The operation completed successfully.
Location of archive with exported database: /home/admin/5.30.2012.tgz
------------------------------------------------------------------------------------
[Expert@Smart1]# ls
-cpinfo11302011 IIwrapperSetup UnixInstallScript
5.30.2012.tgz MiniWrapper Wrapper.conf
Actions MiniWrapperInstall cpinfo
CKP_mutex::fwca_crl_mutex SU cpinfo.out.gz
CPcvpn SUInstall hotfixes
Check_Point_R75_iPhone_Skype.linux.tgz Uninstall.conf
------------------------------------------------------------------------------------
Then FTP it to another place off box, and there is your backup.
ShoreTel: How To Add or Take Out Local Prefixes
Here is a step by step on how to add to your local prefix list. This is similar to adding route-patterns in the Cisco world. Local prefixes tell the system that the numbers added are local calls. Here is how to add to the local prefix list:
Login to Director:
username/password
Goto Trunks → Local Prefixes:
Click on the location that matches the site you need to edit in the center:
You will see the numbers for local calling in the list in the center of the screen.
Get the numbers they cannot dial from them. If a number they give you is in the list, take it out. If the number is NOT in the list, put it in by clicking 'New'. Add the area code and prefix and click 'ok'.
Then click 'Save' at the top of the screen. Log off and you are done.
Monday, June 4, 2012
Cisco Nexus 5000/2000 Install (Part 4): HA/Redundancy Topology and Configuration Examples/Samples
I thought I would put up a final topology and configuration examples of this install I did. I have taken out the sensitive data and changed sensitive data that would be important to the config. See below the final topology and configs for N5K-1 and N5K-2. You will notice in N5K-1 it has the port extension module in it. That will be Ethernet 2/1-16.
For more info and notes that I took on this install, see the following links:
For the notes and some explanations "through" the install, click here.
For the notes on "vPC", click here.
For the notes on the "FEXs", click here.
Here are the configs, first for N5k-1, then for N5K-2:
sh run
!Command: show running-config
!Time: Wed Apr 1 21:12:58 2009
version 5.1(3)N1(1a)
hostname N5K-1
feature telnet
no feature http-server
cfs eth distribute
feature lacp
feature vpc
feature lldp
feature fex
ip domain-lookup
class-map type qos class-fcoe
class-map type queuing class-fcoe
match qos-group 1
class-map type queuing class-all-flood
match qos-group 2
class-map type queuing class-ip-multicast
match qos-group 2
class-map type network-qos class-fcoe
match qos-group 1
class-map type network-qos class-all-flood
match qos-group 2
class-map type network-qos class-ip-multicast
match qos-group 2
fex 100
pinning max-links 1
description "FEX0100"
fex 101
pinning max-links 1
description "FEX0101"
vrf context management
vlan 1-2,10,273
vpc domain 1
peer-keepalive destination 192.168.1.51
interface port-channel6
switchport mode fex-fabric
fex associate 100
vpc 6
interface port-channel7
switchport mode fex-fabric
fex associate 101
vpc 7
interface port-channel11
description To_Core_Switch1
switchport mode trunk
speed 1000
vpc 11
interface port-channel15
description To_Core_Switch2
switchport mode trunk
speed 1000
vpc 15
interface port-channel100
switchport mode fex-fabric
interface port-channel101
speed 10000
interface port-channel1516
switchport mode trunk
spanning-tree port type network
speed 1000
vpc peer-link
interface Ethernet1/1
description To_Core_Switch2
switchport mode trunk
speed 1000
channel-group 15 mode active
interface Ethernet1/2
description To_Core_Switch2
switchport mode trunk
speed 1000
channel-group 15 mode active
interface Ethernet1/3
description To_Core_Switch2
switchport mode trunk
speed 1000
channel-group 15 mode active
interface Ethernet1/4
description To_Core_Switch2
switchport mode trunk
speed 1000
channel-group 15 mode active
interface Ethernet1/5
description To_Core_Switch2
switchport mode trunk
speed 1000
channel-group 15 mode active
interface Ethernet1/6
description *** To FEX 100 ****** To FEX 100 ***
switchport mode fex-fabric
fex associate 100
channel-group 6
interface Ethernet1/7
description *** To FEX 101 ****** To FEX 101 ***
switchport mode fex-fabric
fex associate 101
channel-group 7
interface Ethernet1/8
interface Ethernet1/9
interface Ethernet1/10
interface Ethernet1/11
interface Ethernet1/12
interface Ethernet1/13
interface Ethernet1/14
interface Ethernet1/15
switchport mode trunk
speed 1000
channel-group 1516 mode active
interface Ethernet1/16
switchport mode trunk
speed 1000
channel-group 1516 mode active
interface Ethernet1/17
description To_Core_Switch1
switchport mode trunk
speed 1000
channel-group 11 mode active
interface Ethernet1/18
description To_Core_Switch1
switchport mode trunk
speed 1000
channel-group 11 mode active
interface Ethernet1/19
description To_Core_Switch1
switchport mode trunk
speed 1000
channel-group 11 mode active
interface Ethernet1/20
description To_Core_Switch1
switchport mode trunk
speed 1000
channel-group 11 mode active
interface Ethernet1/21
description To_Core_Switch1
switchport mode trunk
speed 1000
channel-group 11 mode active
interface Ethernet1/22
interface Ethernet1/23
interface Ethernet1/24
interface Ethernet1/25
interface Ethernet1/26
interface Ethernet1/27
interface Ethernet1/28
interface Ethernet1/29
interface Ethernet1/30
switchport access vlan 273
speed 1000
interface Ethernet1/31
interface Ethernet1/32
interface Ethernet2/1
interface Ethernet2/2
interface Ethernet2/3
interface Ethernet2/4
interface Ethernet2/5
interface Ethernet2/6
interface Ethernet2/7
interface Ethernet2/8
interface Ethernet2/9
interface Ethernet2/10
interface Ethernet2/11
interface Ethernet2/12
interface Ethernet2/13
interface Ethernet2/14
interface Ethernet2/15
interface Ethernet2/16
interface mgmt0
ip address 192.168.1.52/24
interface Ethernet100/1/1
switchport access vlan 273
interface Ethernet100/1/2
switchport access vlan 273
interface Ethernet100/1/3
switchport access vlan 273
interface Ethernet100/1/4
switchport access vlan 273
interface Ethernet100/1/5
switchport access vlan 273
interface Ethernet100/1/6
switchport access vlan 273
interface Ethernet100/1/7
switchport access vlan 273
interface Ethernet100/1/8
switchport access vlan 273
interface Ethernet100/1/9
switchport access vlan 273
interface Ethernet100/1/10
switchport access vlan 273
interface Ethernet100/1/11
switchport access vlan 273
interface Ethernet100/1/12
switchport access vlan 273
interface Ethernet100/1/13
switchport access vlan 273
interface Ethernet100/1/14
switchport access vlan 273
interface Ethernet100/1/15
switchport access vlan 273
interface Ethernet100/1/16
switchport access vlan 273
interface Ethernet100/1/17
switchport access vlan 2
interface Ethernet100/1/18
switchport access vlan 2
interface Ethernet100/1/19
switchport access vlan 2
interface Ethernet100/1/20
switchport access vlan 2
interface Ethernet100/1/21
switchport access vlan 2
interface Ethernet100/1/22
switchport access vlan 2
interface Ethernet100/1/23
switchport access vlan 2
interface Ethernet100/1/24
switchport access vlan 2
interface Ethernet100/1/25
switchport access vlan 2
interface Ethernet100/1/26
switchport access vlan 2
interface Ethernet100/1/27
switchport access vlan 2
interface Ethernet100/1/28
switchport access vlan 2
interface Ethernet100/1/29
switchport access vlan 2
interface Ethernet100/1/30
switchport access vlan 2
interface Ethernet100/1/31
switchport access vlan 2
interface Ethernet100/1/32
switchport access vlan 2
interface Ethernet101/1/1
switchport access vlan 273
interface Ethernet101/1/2
switchport access vlan 273
interface Ethernet101/1/3
switchport access vlan 273
interface Ethernet101/1/4
switchport access vlan 273
interface Ethernet101/1/5
switchport access vlan 273
interface Ethernet101/1/6
switchport access vlan 273
interface Ethernet101/1/7
switchport access vlan 273
interface Ethernet101/1/8
switchport access vlan 273
interface Ethernet101/1/9
switchport access vlan 273
interface Ethernet101/1/10
switchport access vlan 273
interface Ethernet101/1/11
switchport access vlan 273
interface Ethernet101/1/12
switchport access vlan 273
interface Ethernet101/1/13
switchport access vlan 273
interface Ethernet101/1/14
switchport access vlan 273
interface Ethernet101/1/15
switchport access vlan 273
interface Ethernet101/1/16
switchport access vlan 273
interface Ethernet101/1/17
switchport access vlan 2
interface Ethernet101/1/18
switchport access vlan 2
interface Ethernet101/1/19
switchport access vlan 2
interface Ethernet101/1/20
switchport access vlan 2
interface Ethernet101/1/21
switchport access vlan 2
interface Ethernet101/1/22
switchport access vlan 2
interface Ethernet101/1/23
switchport access vlan 2
interface Ethernet101/1/24
switchport access vlan 2
interface Ethernet101/1/25
switchport access vlan 2
interface Ethernet101/1/26
switchport access vlan 2
interface Ethernet101/1/27
switchport access vlan 2
interface Ethernet101/1/28
switchport access vlan 2
interface Ethernet101/1/29
switchport access vlan 2
interface Ethernet101/1/30
switchport access vlan 2
interface Ethernet101/1/31
switchport access vlan 2
interface Ethernet101/1/32
switchport access vlan 2
line console
line vty
boot kickstart bootflash:/n5000-uk9-kickstart.5.1.3.N1.1a.bin
boot system bootflash:/n5000-uk9.5.1.3.N1.1a.bin
ip route 0.0.0.0/0 192.168.1.1
N5K-1#
==================================================================
term len 0
N5K-2# sh run
!Command: show running-config
!Time: Wed Apr 1 21:11:26 2009
version 5.1(3)N1(1a)
hostname N5K-2
feature telnet
no feature http-server
cfs eth distribute
feature lacp
feature vpc
feature lldp
feature fex
ip domain-lookup
class-map type qos class-fcoe
class-map type queuing class-fcoe
match qos-group 1
class-map type queuing class-all-flood
match qos-group 2
class-map type queuing class-ip-multicast
match qos-group 2
class-map type network-qos class-fcoe
match qos-group 1
class-map type network-qos class-all-flood
match qos-group 2
class-map type network-qos class-ip-multicast
match qos-group 2
fex 100
pinning max-links 1
description "FEX0100"
fex 101
pinning max-links 1
description "FEX0101"
vrf context management
ip route 0.0.0.0/0 192.168.1.1
vlan 1-2,273
vpc domain 1
peer-keepalive destination 192.168.1.52
interface port-channel6
switchport mode fex-fabric
fex associate 100
vpc 6
interface port-channel7
switchport mode fex-fabric
fex associate 101
vpc 7
interface port-channel11
switchport mode trunk
speed 1000
vpc 11
interface port-channel15
description To_Core_Switch2
switchport mode trunk
speed 1000
vpc 15
interface port-channel1516
switchport mode trunk
spanning-tree port type network
speed 1000
vpc peer-link
interface Ethernet1/1
description To_Core_Switch2
switchport mode trunk
speed 1000
channel-group 15 mode active
interface Ethernet1/2
description To_Core_Switch2
switchport mode trunk
speed 1000
channel-group 15 mode active
interface Ethernet1/3
description To_Core_Switch2
switchport mode trunk
speed 1000
channel-group 15 mode active
interface Ethernet1/4
description To_Core_Switch2
switchport mode trunk
speed 1000
channel-group 15 mode active
interface Ethernet1/5
description To_Core_Switch2
switchport mode trunk
speed 1000
channel-group 15 mode active
interface Ethernet1/6
description *** To FEX 100 ****** To FEX 100 ***
switchport mode fex-fabric
fex associate 100
channel-group 6
interface Ethernet1/7
description *** To FEX 101 ****** To FEX 101 ***
switchport mode fex-fabric
fex associate 101
channel-group 7
interface Ethernet1/8
interface Ethernet1/9
interface Ethernet1/10
interface Ethernet1/11
interface Ethernet1/12
interface Ethernet1/13
interface Ethernet1/14
interface Ethernet1/15
switchport mode trunk
speed 1000
channel-group 1516 mode active
interface Ethernet1/16
switchport mode trunk
speed 1000
channel-group 1516 mode active
interface Ethernet1/17
description To_Core_Switch1
switchport mode trunk
speed 1000
channel-group 11 mode active
interface Ethernet1/18
description To_Core_Switch1
switchport mode trunk
speed 1000
channel-group 11 mode active
interface Ethernet1/19
description To_Core_Switch1
switchport mode trunk
speed 1000
channel-group 11 mode active
interface Ethernet1/20
description To_Core_Switch1
switchport mode trunk
speed 1000
channel-group 11 mode active
interface Ethernet1/21
description To_Core_Switch1
switchport mode trunk
speed 1000
channel-group 11 mode active
interface Ethernet1/22
interface Ethernet1/23
interface Ethernet1/24
interface Ethernet1/25
interface Ethernet1/26
interface Ethernet1/27
interface Ethernet1/28
interface Ethernet1/29
interface Ethernet1/30
interface Ethernet1/31
interface Ethernet1/32
interface mgmt0
ip address 192.168.1.51/24
interface Ethernet100/1/1
switchport access vlan 273
interface Ethernet100/1/2
switchport access vlan 273
interface Ethernet100/1/3
switchport access vlan 273
interface Ethernet100/1/4
switchport access vlan 273
interface Ethernet100/1/5
switchport access vlan 273
interface Ethernet100/1/6
switchport access vlan 273
interface Ethernet100/1/7
switchport access vlan 273
interface Ethernet100/1/8
switchport access vlan 273
interface Ethernet100/1/9
switchport access vlan 273
interface Ethernet100/1/10
switchport access vlan 273
interface Ethernet100/1/11
switchport access vlan 273
interface Ethernet100/1/12
switchport access vlan 273
interface Ethernet100/1/13
switchport access vlan 273
interface Ethernet100/1/14
switchport access vlan 273
interface Ethernet100/1/15
switchport access vlan 273
interface Ethernet100/1/16
switchport access vlan 273
interface Ethernet100/1/17
switchport access vlan 2
interface Ethernet100/1/18
switchport access vlan 2
interface Ethernet100/1/19
switchport access vlan 2
interface Ethernet100/1/20
switchport access vlan 2
interface Ethernet100/1/21
switchport access vlan 2
interface Ethernet100/1/22
switchport access vlan 2
interface Ethernet100/1/23
switchport access vlan 2
interface Ethernet100/1/24
switchport access vlan 2
interface Ethernet100/1/25
switchport access vlan 2
interface Ethernet100/1/26
switchport access vlan 2
interface Ethernet100/1/27
switchport access vlan 2
interface Ethernet100/1/28
switchport access vlan 2
interface Ethernet100/1/29
switchport access vlan 2
interface Ethernet100/1/30
switchport access vlan 2
interface Ethernet100/1/31
switchport access vlan 2
interface Ethernet100/1/32
switchport access vlan 2
interface Ethernet101/1/1
switchport access vlan 273
interface Ethernet101/1/2
switchport access vlan 273
interface Ethernet101/1/3
switchport access vlan 273
interface Ethernet101/1/4
switchport access vlan 273
interface Ethernet101/1/5
switchport access vlan 273
interface Ethernet101/1/6
switchport access vlan 273
interface Ethernet101/1/7
switchport access vlan 273
interface Ethernet101/1/8
switchport access vlan 273
interface Ethernet101/1/9
switchport access vlan 273
interface Ethernet101/1/10
switchport access vlan 273
interface Ethernet101/1/11
switchport access vlan 273
interface Ethernet101/1/12
switchport access vlan 273
interface Ethernet101/1/13
switchport access vlan 273
interface Ethernet101/1/14
switchport access vlan 273
interface Ethernet101/1/15
switchport access vlan 273
interface Ethernet101/1/16
switchport access vlan 273
interface Ethernet101/1/17
switchport access vlan 2
interface Ethernet101/1/18
switchport access vlan 2
interface Ethernet101/1/19
switchport access vlan 2
interface Ethernet101/1/20
switchport access vlan 2
interface Ethernet101/1/21
switchport access vlan 2
interface Ethernet101/1/22
switchport access vlan 2
interface Ethernet101/1/23
switchport access vlan 2
interface Ethernet101/1/24
switchport access vlan 2
interface Ethernet101/1/25
switchport access vlan 2
interface Ethernet101/1/26
switchport access vlan 2
interface Ethernet101/1/27
switchport access vlan 2
interface Ethernet101/1/28
switchport access vlan 2
interface Ethernet101/1/29
switchport access vlan 2
interface Ethernet101/1/30
switchport access vlan 2
interface Ethernet101/1/31
switchport access vlan 2
interface Ethernet101/1/32
switchport access vlan 2
line console
line vty
boot kickstart bootflash:/n5000-uk9-kickstart.5.1.3.N1.1a.bin
boot system bootflash:/n5000-uk9.5.1.3.N1.1a.bin
ip route 0.0.0.0/0 192.168.1.1
N5K-2#
N5K-2#
I thought I would put up the final topology and configuration examples from this install I did. I have taken out the sensitive data and changed any sensitive data that would be important to the config. See below for the final topology and the configs for N5K-1 and N5K-2. You will notice that N5K-1 has the port extension module in it; that will be Ethernet 2/1-16.
For more info and notes that I took on this install, see the following links:
For the notes and some explanations "through" the install, click here.
For the notes on "vPC", click here.
For the notes on the "FEXs", click here.
Here are the configs, first for N5K-1, then for N5K-2:
sh run
!Command: show running-config
!Time: Wed Apr 1 21:12:58 2009
version 5.1(3)N1(1a)
hostname N5K-1
feature telnet
no feature http-server
cfs eth distribute
feature lacp
feature vpc
feature lldp
feature fex
ip domain-lookup
class-map type qos class-fcoe
class-map type queuing class-fcoe
match qos-group 1
class-map type queuing class-all-flood
match qos-group 2
class-map type queuing class-ip-multicast
match qos-group 2
class-map type network-qos class-fcoe
match qos-group 1
class-map type network-qos class-all-flood
match qos-group 2
class-map type network-qos class-ip-multicast
match qos-group 2
fex 100
pinning max-links 1
description "FEX0100"
fex 101
pinning max-links 1
description "FEX0101"
vrf context management
vlan 1-2,10,273
vpc domain 1
peer-keepalive destination 192.168.1.51
interface port-channel6
switchport mode fex-fabric
fex associate 100
vpc 6
interface port-channel7
switchport mode fex-fabric
fex associate 101
vpc 7
interface port-channel11
description To_Core_Switch1
switchport mode trunk
speed 1000
vpc 11
interface port-channel15
description To_Core_Switch2
switchport mode trunk
speed 1000
vpc 15
interface port-channel100
switchport mode fex-fabric
interface port-channel101
speed 10000
interface port-channel1516
switchport mode trunk
spanning-tree port type network
speed 1000
vpc peer-link
interface Ethernet1/1
description To_Core_Switch2
switchport mode trunk
speed 1000
channel-group 15 mode active
interface Ethernet1/2
description To_Core_Switch2
switchport mode trunk
speed 1000
channel-group 15 mode active
interface Ethernet1/3
description To_Core_Switch2
switchport mode trunk
speed 1000
channel-group 15 mode active
interface Ethernet1/4
description To_Core_Switch2
switchport mode trunk
speed 1000
channel-group 15 mode active
interface Ethernet1/5
description To_Core_Switch2
switchport mode trunk
speed 1000
channel-group 15 mode active
interface Ethernet1/6
description *** To FEX 100 ****** To FEX 100 ***
switchport mode fex-fabric
fex associate 100
channel-group 6
interface Ethernet1/7
description *** To FEX 101 ****** To FEX 101 ***
switchport mode fex-fabric
fex associate 101
channel-group 7
interface Ethernet1/8
interface Ethernet1/9
interface Ethernet1/10
interface Ethernet1/11
interface Ethernet1/12
interface Ethernet1/13
interface Ethernet1/14
interface Ethernet1/15
switchport mode trunk
speed 1000
channel-group 1516 mode active
interface Ethernet1/16
switchport mode trunk
speed 1000
channel-group 1516 mode active
interface Ethernet1/17
description To_Core_Switch1
switchport mode trunk
speed 1000
channel-group 11 mode active
interface Ethernet1/18
description To_Core_Switch1
switchport mode trunk
speed 1000
channel-group 11 mode active
interface Ethernet1/19
description To_Core_Switch1
switchport mode trunk
speed 1000
channel-group 11 mode active
interface Ethernet1/20
description To_Core_Switch1
switchport mode trunk
speed 1000
channel-group 11 mode active
interface Ethernet1/21
description To_Core_Switch1
switchport mode trunk
speed 1000
channel-group 11 mode active
interface Ethernet1/22
interface Ethernet1/23
interface Ethernet1/24
interface Ethernet1/25
interface Ethernet1/26
interface Ethernet1/27
interface Ethernet1/28
interface Ethernet1/29
interface Ethernet1/30
switchport access vlan 273
speed 1000
interface Ethernet1/31
interface Ethernet1/32
interface Ethernet2/1
interface Ethernet2/2
interface Ethernet2/3
interface Ethernet2/4
interface Ethernet2/5
interface Ethernet2/6
interface Ethernet2/7
interface Ethernet2/8
interface Ethernet2/9
interface Ethernet2/10
interface Ethernet2/11
interface Ethernet2/12
interface Ethernet2/13
interface Ethernet2/14
interface Ethernet2/15
interface Ethernet2/16
interface mgmt0
ip address 192.168.1.52/24
interface Ethernet100/1/1
switchport access vlan 273
interface Ethernet100/1/2
switchport access vlan 273
interface Ethernet100/1/3
switchport access vlan 273
interface Ethernet100/1/4
switchport access vlan 273
interface Ethernet100/1/5
switchport access vlan 273
interface Ethernet100/1/6
switchport access vlan 273
interface Ethernet100/1/7
switchport access vlan 273
interface Ethernet100/1/8
switchport access vlan 273
interface Ethernet100/1/9
switchport access vlan 273
interface Ethernet100/1/10
switchport access vlan 273
interface Ethernet100/1/11
switchport access vlan 273
interface Ethernet100/1/12
switchport access vlan 273
interface Ethernet100/1/13
switchport access vlan 273
interface Ethernet100/1/14
switchport access vlan 273
interface Ethernet100/1/15
switchport access vlan 273
interface Ethernet100/1/16
switchport access vlan 273
interface Ethernet100/1/17
switchport access vlan 2
interface Ethernet100/1/18
switchport access vlan 2
interface Ethernet100/1/19
switchport access vlan 2
interface Ethernet100/1/20
switchport access vlan 2
interface Ethernet100/1/21
switchport access vlan 2
interface Ethernet100/1/22
switchport access vlan 2
interface Ethernet100/1/23
switchport access vlan 2
interface Ethernet100/1/24
switchport access vlan 2
interface Ethernet100/1/25
switchport access vlan 2
interface Ethernet100/1/26
switchport access vlan 2
interface Ethernet100/1/27
switchport access vlan 2
interface Ethernet100/1/28
switchport access vlan 2
interface Ethernet100/1/29
switchport access vlan 2
interface Ethernet100/1/30
switchport access vlan 2
interface Ethernet100/1/31
switchport access vlan 2
interface Ethernet100/1/32
switchport access vlan 2
interface Ethernet101/1/1
switchport access vlan 273
interface Ethernet101/1/2
switchport access vlan 273
interface Ethernet101/1/3
switchport access vlan 273
interface Ethernet101/1/4
switchport access vlan 273
interface Ethernet101/1/5
switchport access vlan 273
interface Ethernet101/1/6
switchport access vlan 273
interface Ethernet101/1/7
switchport access vlan 273
interface Ethernet101/1/8
switchport access vlan 273
interface Ethernet101/1/9
switchport access vlan 273
interface Ethernet101/1/10
switchport access vlan 273
interface Ethernet101/1/11
switchport access vlan 273
interface Ethernet101/1/12
switchport access vlan 273
interface Ethernet101/1/13
switchport access vlan 273
interface Ethernet101/1/14
switchport access vlan 273
interface Ethernet101/1/15
switchport access vlan 273
interface Ethernet101/1/16
switchport access vlan 273
interface Ethernet101/1/17
switchport access vlan 2
interface Ethernet101/1/18
switchport access vlan 2
interface Ethernet101/1/19
switchport access vlan 2
interface Ethernet101/1/20
switchport access vlan 2
interface Ethernet101/1/21
switchport access vlan 2
interface Ethernet101/1/22
switchport access vlan 2
interface Ethernet101/1/23
switchport access vlan 2
interface Ethernet101/1/24
switchport access vlan 2
interface Ethernet101/1/25
switchport access vlan 2
interface Ethernet101/1/26
switchport access vlan 2
interface Ethernet101/1/27
switchport access vlan 2
interface Ethernet101/1/28
switchport access vlan 2
interface Ethernet101/1/29
switchport access vlan 2
interface Ethernet101/1/30
switchport access vlan 2
interface Ethernet101/1/31
switchport access vlan 2
interface Ethernet101/1/32
switchport access vlan 2
line console
line vty
boot kickstart bootflash:/n5000-uk9-kickstart.5.1.3.N1.1a.bin
boot system bootflash:/n5000-uk9.5.1.3.N1.1a.bin
ip route 0.0.0.0/0 192.168.1.1
N5K-1#
N5K-1#
==================================================================
term len 0
N5K-2# sh run
!Command: show running-config
!Time: Wed Apr 1 21:11:26 2009
version 5.1(3)N1(1a)
hostname N5K-2
feature telnet
no feature http-server
cfs eth distribute
feature lacp
feature vpc
feature lldp
feature fex
ip domain-lookup
class-map type qos class-fcoe
class-map type queuing class-fcoe
match qos-group 1
class-map type queuing class-all-flood
match qos-group 2
class-map type queuing class-ip-multicast
match qos-group 2
class-map type network-qos class-fcoe
match qos-group 1
class-map type network-qos class-all-flood
match qos-group 2
class-map type network-qos class-ip-multicast
match qos-group 2
fex 100
pinning max-links 1
description "FEX0100"
fex 101
pinning max-links 1
description "FEX0101"
vrf context management
ip route 0.0.0.0/0 192.168.1.1
vlan 1-2,273
vpc domain 1
peer-keepalive destination 192.168.1.52
interface port-channel6
switchport mode fex-fabric
fex associate 100
vpc 6
interface port-channel7
switchport mode fex-fabric
fex associate 101
vpc 7
interface port-channel11
switchport mode trunk
speed 1000
vpc 11
interface port-channel15
description To_Core_Switch2
switchport mode trunk
speed 1000
vpc 15
interface port-channel1516
switchport mode trunk
spanning-tree port type network
speed 1000
vpc peer-link
interface Ethernet1/1
description To_Core_Switch2
switchport mode trunk
speed 1000
channel-group 15 mode active
interface Ethernet1/2
description To_Core_Switch2
switchport mode trunk
speed 1000
channel-group 15 mode active
interface Ethernet1/3
description To_Core_Switch2
switchport mode trunk
speed 1000
channel-group 15 mode active
interface Ethernet1/4
description To_Core_Switch2
switchport mode trunk
speed 1000
channel-group 15 mode active
interface Ethernet1/5
description To_Core_Switch2
switchport mode trunk
speed 1000
channel-group 15 mode active
interface Ethernet1/6
description *** To FEX 100 ****** To FEX 100 ***
switchport mode fex-fabric
fex associate 100
channel-group 6
interface Ethernet1/7
description *** To FEX 101 ****** To FEX 101 ***
switchport mode fex-fabric
fex associate 101
channel-group 7
interface Ethernet1/8
interface Ethernet1/9
interface Ethernet1/10
interface Ethernet1/11
interface Ethernet1/12
interface Ethernet1/13
interface Ethernet1/14
interface Ethernet1/15
switchport mode trunk
speed 1000
channel-group 1516 mode active
interface Ethernet1/16
switchport mode trunk
speed 1000
channel-group 1516 mode active
interface Ethernet1/17
description To_Core_Switch1
switchport mode trunk
speed 1000
channel-group 11 mode active
interface Ethernet1/18
description To_Core_Switch1
switchport mode trunk
speed 1000
channel-group 11 mode active
interface Ethernet1/19
description To_Core_Switch1
switchport mode trunk
speed 1000
channel-group 11 mode active
interface Ethernet1/20
description To_Core_Switch1
switchport mode trunk
speed 1000
channel-group 11 mode active
interface Ethernet1/21
description To_Core_Switch1
switchport mode trunk
speed 1000
channel-group 11 mode active
interface Ethernet1/22
interface Ethernet1/23
interface Ethernet1/24
interface Ethernet1/25
interface Ethernet1/26
interface Ethernet1/27
interface Ethernet1/28
interface Ethernet1/29
interface Ethernet1/30
interface Ethernet1/31
interface Ethernet1/32
interface mgmt0
ip address 192.168.1.51/24
interface Ethernet100/1/1
switchport access vlan 273
interface Ethernet100/1/2
switchport access vlan 273
interface Ethernet100/1/3
switchport access vlan 273
interface Ethernet100/1/4
switchport access vlan 273
interface Ethernet100/1/5
switchport access vlan 273
interface Ethernet100/1/6
switchport access vlan 273
interface Ethernet100/1/7
switchport access vlan 273
interface Ethernet100/1/8
switchport access vlan 273
interface Ethernet100/1/9
switchport access vlan 273
interface Ethernet100/1/10
switchport access vlan 273
interface Ethernet100/1/11
switchport access vlan 273
interface Ethernet100/1/12
switchport access vlan 273
interface Ethernet100/1/13
switchport access vlan 273
interface Ethernet100/1/14
switchport access vlan 273
interface Ethernet100/1/15
switchport access vlan 273
interface Ethernet100/1/16
switchport access vlan 273
interface Ethernet100/1/17
switchport access vlan 2
interface Ethernet100/1/18
switchport access vlan 2
interface Ethernet100/1/19
switchport access vlan 2
interface Ethernet100/1/20
switchport access vlan 2
interface Ethernet100/1/21
switchport access vlan 2
interface Ethernet100/1/22
switchport access vlan 2
interface Ethernet100/1/23
switchport access vlan 2
interface Ethernet100/1/24
switchport access vlan 2
interface Ethernet100/1/25
switchport access vlan 2
interface Ethernet100/1/26
switchport access vlan 2
interface Ethernet100/1/27
switchport access vlan 2
interface Ethernet100/1/28
switchport access vlan 2
interface Ethernet100/1/29
switchport access vlan 2
interface Ethernet100/1/30
switchport access vlan 2
interface Ethernet100/1/31
switchport access vlan 2
interface Ethernet100/1/32
switchport access vlan 2
interface Ethernet101/1/1
switchport access vlan 273
interface Ethernet101/1/2
switchport access vlan 273
interface Ethernet101/1/3
switchport access vlan 273
interface Ethernet101/1/4
switchport access vlan 273
interface Ethernet101/1/5
switchport access vlan 273
interface Ethernet101/1/6
switchport access vlan 273
interface Ethernet101/1/7
switchport access vlan 273
interface Ethernet101/1/8
switchport access vlan 273
interface Ethernet101/1/9
switchport access vlan 273
interface Ethernet101/1/10
switchport access vlan 273
interface Ethernet101/1/11
switchport access vlan 273
interface Ethernet101/1/12
switchport access vlan 273
interface Ethernet101/1/13
switchport access vlan 273
interface Ethernet101/1/14
switchport access vlan 273
interface Ethernet101/1/15
switchport access vlan 273
interface Ethernet101/1/16
switchport access vlan 273
interface Ethernet101/1/17
switchport access vlan 2
interface Ethernet101/1/18
switchport access vlan 2
interface Ethernet101/1/19
switchport access vlan 2
interface Ethernet101/1/20
switchport access vlan 2
interface Ethernet101/1/21
switchport access vlan 2
interface Ethernet101/1/22
switchport access vlan 2
interface Ethernet101/1/23
switchport access vlan 2
interface Ethernet101/1/24
switchport access vlan 2
interface Ethernet101/1/25
switchport access vlan 2
interface Ethernet101/1/26
switchport access vlan 2
interface Ethernet101/1/27
switchport access vlan 2
interface Ethernet101/1/28
switchport access vlan 2
interface Ethernet101/1/29
switchport access vlan 2
interface Ethernet101/1/30
switchport access vlan 2
interface Ethernet101/1/31
switchport access vlan 2
interface Ethernet101/1/32
switchport access vlan 2
line console
line vty
boot kickstart bootflash:/n5000-uk9-kickstart.5.1.3.N1.1a.bin
boot system bootflash:/n5000-uk9.5.1.3.N1.1a.bin
ip route 0.0.0.0/0 192.168.1.1
N5K-2#
N5K-2#
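The two configs above are a vPC pair, and the things that go wrong with a pair are mostly mismatches between the peers: a VLAN defined on one switch but not the other (note that N5K-1 carries VLAN 10 and N5K-2 does not), a peer-keepalive pointed at the wrong address, or a vPC number present on only one side. Below is an added example (mine, not the author's or Cisco's) that parses the running-config format shown above and audits the pair. The embedded configs are constructed excerpts trimmed from the N5K-1 and N5K-2 dumps; the parser recognises stanza boundaries by keyword because the dump has no indentation. It also flags `feature telnet`, which both switches have enabled, since that is cleartext management access.

```python
import re

# Constructed excerpts trimmed from the N5K-1 and N5K-2 running-configs in the
# post (features, VLANs, vPC domain, vPC port-channels, mgmt0), unindented
# exactly like the dump above.
N5K1_CFG = """\
hostname N5K-1
feature telnet
vlan 1-2,10,273
vpc domain 1
peer-keepalive destination 192.168.1.51
interface port-channel11
switchport mode trunk
vpc 11
interface port-channel1516
switchport mode trunk
vpc peer-link
interface mgmt0
ip address 192.168.1.52/24
"""
N5K2_CFG = """\
hostname N5K-2
feature telnet
vlan 1-2,273
vpc domain 1
peer-keepalive destination 192.168.1.52
interface port-channel11
switchport mode trunk
vpc 11
interface port-channel1516
switchport mode trunk
vpc peer-link
interface mgmt0
ip address 192.168.1.51/24
"""

# With no indentation, a stanza boundary is recognised by keyword. "fex \d"
# matches the top-level fex stanza but not "fex associate" inside an interface.
TOP_LEVEL = re.compile(r"^(interface |vpc domain |vlan \d|feature |no feature |"
                       r"hostname |fex \d|vrf context |ip route |line |boot )")


def expand_vlans(spec):
    """'1-2,10,273' -> {1, 2, 10, 273}"""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_config(text):
    """Pull hostname, features, VLANs, vPC domain/keepalive and interface stanzas."""
    cfg = {"hostname": None, "features": set(), "vlans": set(),
           "vpc_domain": None, "peer_keepalive": None, "interfaces": {}}
    block = None  # stanza whose sub-lines are being collected
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("!"):
            continue
        if TOP_LEVEL.match(line):
            block = None
        w = line.split()
        if w[0] == "hostname":
            cfg["hostname"] = w[1]
        elif w[0] == "feature":
            cfg["features"].add(w[1])
        elif w[:2] == ["no", "feature"]:
            cfg["features"].discard(w[2])
        elif w[0] == "vlan":
            cfg["vlans"] |= expand_vlans(w[1])
        elif w[:2] == ["vpc", "domain"]:
            cfg["vpc_domain"], block = int(w[2]), "vpc"
        elif w[0] == "interface":
            block, cfg["interfaces"][w[1]] = w[1], []
        elif block == "vpc" and w[0] == "peer-keepalive":
            cfg["peer_keepalive"] = w[2]
        elif block in cfg["interfaces"]:
            cfg["interfaces"][block].append(line)
    return cfg


def vpcs(cfg):
    """vPC number (or 'peer-link') -> that port-channel's config lines."""
    return {l.split()[1]: lines for lines in cfg["interfaces"].values()
            for l in lines if l.startswith("vpc ")}


def audit_pair(a, b):
    """Findings for a vPC peer pair; an empty list means nothing was flagged."""
    out = []
    for cfg in (a, b):
        if "telnet" in cfg["features"]:
            out.append(f"{cfg['hostname']}: feature telnet enabled (cleartext logins)")
    if a["vpc_domain"] != b["vpc_domain"]:
        out.append(f"vPC domain mismatch: {a['vpc_domain']} vs {b['vpc_domain']}")
    for me, peer in ((a, b), (b, a)):
        # The keepalive target must be the peer's mgmt0 address.
        peer_ip = next((l.split()[2].split("/")[0] for l in peer["interfaces"]
                        .get("mgmt0", []) if l.startswith("ip address ")), None)
        if me["peer_keepalive"] != peer_ip:
            out.append(f"{me['hostname']}: peer-keepalive {me['peer_keepalive']} is not "
                       f"{peer['hostname']} mgmt0 ({peer_ip})")
        only = sorted(me["vlans"] - peer["vlans"])
        if only:
            out.append(f"VLAN(s) {only} on {me['hostname']} but not {peer['hostname']}: "
                       "the vPC consistency check suspends them on the vPCs")
    va, vb = vpcs(a), vpcs(b)
    for num in sorted(set(va) | set(vb)):
        if num not in va or num not in vb:
            out.append(f"vPC {num} is defined on only one peer")
        elif [l for l in va[num] if l.startswith("switchport mode")] != \
             [l for l in vb[num] if l.startswith("switchport mode")]:
            out.append(f"vPC {num}: switchport mode differs between peers")
    return out


if __name__ == "__main__":
    for f in audit_pair(parse_config(N5K1_CFG), parse_config(N5K2_CFG)):
        print("-", f)
```

Run against the excerpts it reports three things: telnet on both switches and VLAN 10 present only on N5K-1. Feed it the full `sh run` output from both peers instead of the excerpts and it will also pick up the FEX port-channels (vpc 6 and 7) and the core uplinks (vpc 11 and 15), which all match on this pair.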