Aug 3, 2013

How to Install Windows Server 2012 (step by step)


Windows Server 2012, codenamed "Windows Server 8", is the sixth release of Windows Server. It is the server version of Windows 8 and succeeds Windows Server 2008 R2. Two pre-release versions, a developer preview and a beta version, were released during development. The software was generally available to customers starting on September 4, 2012.
In this step-by-step guide we will install Windows Server 2012 from the evaluation ISO.
Before you start, make sure the machine meets the minimum requirements for Windows Server 2012:
Processor: Minimum: 1.4 GHz 64-bit processor
Ram: Minimum: 512 MB
Disk Space: Minimum: 32 GB
Other requirements:
  • DVD drive
  • Super VGA (800 x 600) or higher-resolution monitor
  • Keyboard and Microsoft® mouse (or other compatible pointing device)
  • Internet access
You can then download the evaluation copy of Windows Server 2012 from the link below. Download the ISO and burn it to a DVD (or attach it to a virtual machine):
http://technet.microsoft.com/en-US/evalcenter/hh670538.aspx?ocid=&wt.mc_id=TEC_108_1_33

Now that we have everything we need, we can start:
1- Insert the Windows Server 2012 DVD and, when you see the prompt to boot from CD or DVD, press Enter to boot from the setup media.


2- Wait while the setup loads the files it needs (depending on your machine this takes a couple of minutes).

3- Once the setup files are loaded, the setup starts with the language, time and keyboard screen. You can change these to suit your needs (the defaults are fine for now).


4- Once you click Next you can start the installation: click "Install now".
5- You will see a loading screen; wait until it finishes.

6- The next setup screen offers four options (Standard and Datacenter, each as Server Core or Server with a GUI). Select Windows Server 2012 Datacenter Evaluation (Server with a GUI).

7- After you click Next, read the licence terms, tick "I accept the license terms" and click Next.

8- Now it asks for the drive (or partition) you want to install Windows on. Here I'm installing on the only partition I have. NOTE: this erases the contents of the selected partition, so either create a dedicated partition for Windows or run this on a test machine.

9- Once you have picked the partition, clicking Next starts the actual installation. This process can take a while.

10- When the setup is done the machine restarts and Windows Server 2012 starts for the first time. It asks you to set a password for the built-in Administrator account; choose a strong one, since this account has full control of the server.

11- The setup finalizes your settings, which can take a couple of minutes.

12- Once that is done you can log in to your Windows Server for the first time: as the screen says, press Ctrl+Alt+Delete to log in, and use the password you set during setup.

13- Once you log in, Windows Server 2012 opens Server Manager.

Congratulations! You now have Windows Server 2012 Datacenter installed.

How to Configuring Point-to-Point Serial Interfaces

The point-to-point serial link is a little different from the Frame Relay serial link. As you recall, Frame Relay is used in many cases in a point-to-multipoint environment. To create a point-to-point connection between two routers, you can use other types of WAN encapsulation, such as HDLC, PPP, and SLIP. For a complete review of these encapsulations, refer to Chapter 11 of the ICND book. We will use the default serial encapsulation, which is HDLC.
For two serial interfaces to communicate, you must provide the clock rate. The clock rate provides bit synchronization and has other uses that are beyond the scope of this chapter's purposes. The device that provides this clock rate is the data circuit-terminating equipment (DCE). The other device is denoted as the data terminal equipment (DTE). In the real world, the router is the DTE. The telecom equipment, such as the Frame Relay switch, is the DCE. Because the lab scenario bypasses the telecom equipment, you need to specify which router is the DTE and which one is the DCE; you also need to provide the clock rate. To bypass the telecom equipment, you need to directly connect the routers with a DTE–DCE crossover cable. Each end of this cable is labeled as DTE or DCE. Whichever router is plugged into the DCE end of the cable will need to provide the clock rate. In the Frame Relay network, the Frame Relay switch is the DCE, so none of the Frame Relay routers needs to provide clock rate. For more information on WAN serial cabling and signaling, refer to Chapter 2 of Interconnecting Cisco Network Devices from Cisco Press.
First, review the routers that you are going to use to configure a point-to-point serial connection. Figure 7-4 shows routers R3 and R5. This is the only point-to-point connection in the lab.



In the figure, you can see that R5 has been cabled as the DCE, so it will need to supply the clock rate.
Begin by configuring the serial link and assign IP addresses to the interfaces. Start with R5.
You last configured R2, so you need to go back to the terminal server and resume the connection to R5. When there, you need to go into global configuration mode and then into the appropriate interface configuration. For R5, that would be Serial 0. Example 7-26 walks you through these initial configuration steps.

Example 7-26. R5 Serial Configuration

R2#
R2#<ctrl-shft-6><x>

    Termserver#5
[Resuming connection 5 to r5 ... ]

R5#config t
Enter configuration commands, one per line.  End with CNTL/Z.
R5(config)#interface serial 0
R5(config-if)#
Now that you are in interface configuration mode for R5's Serial 0, you can execute the necessary configuration commands. The first thing to do is make the encapsulation type HDLC for the interface. Because HDLC is the default encapsulation method, you really don't need to execute the command. However, just for the sake of practice, and so that you understand that there is a data link layer configuration command for the serial link, specify HDLC as the encapsulation by entering it as a command option. This is the same command issued previously when specifying the encapsulation type for routers R2, R3, and R4; the only difference is that you specify the hdlc option instead of frame-relay.
This is the command for R2's S0, R3's S0, and R4's S0:
Router(config-if)#encapsulation frame-relay [cisco | ietf]
This is the command for R3's S1 and R5's S0:
Router(config-if)#encapsulation hdlc
Unlike Frame Relay, there aren't any different types of HDLC encapsulation. After you specify the encapsulation type as HDLC, you can assign the appropriate IP address to the interface.
Example 7-27 shows the commands executed on R5.

Example 7-27. R5 Configuration Commands

R5(config-if)#encapsulation hdlc
R5(config-if)#ip address 192.168.35.5 255.255.255.0
R5(config-if)#
Before removing the interface from shutdown mode, you need to provide the clock rate to R3 using the following command:
Router(config-if)#clock rate {300-8000000 bps}
The only option in this command is the speed of the link in bits per second. Because this serial interface runs at T1/E1 speeds, you can specify an easy-to-remember value of 2000000, which is close to an E1 rate (2.048 Mbps) and works fine for this lab environment. As mentioned earlier, in the real world you will not have to configure this parameter; the telecom service provider sets it on its equipment. After you set this value, give the interface a description and remove it from shutdown mode, as demonstrated in Example 7-28.

Example 7-28. clock rate Command

R5(config-if)#clock rate 2000000
R5(config-if)#description This interface connects to R3's S1 (DTE)
R5(config-if)#no shutdown
R5(config-if)#
%LINK-3-UPDOWN: Interface Serial0, changed state to down
R5(config-if)#
At first glance, you might get a little nervous that the interface did not come up, but that is normal. R3's serial interface has not been configured yet, so the R5 interface is not receiving any signaling from R3; thus, the interface will remain in the down state until R3 is configured and removed from shutdown mode. Before you get too far into this configuration, you should know about a very helpful show command:
Router#show interfaces [bri | null | serial | tokenring | accounting | crb | irb] {number}
This command is very useful in troubleshooting and verifying interface configuration. The first option is to choose which type of interface you would like to see; the second option is to select the number of the interface. If you do not select any type of interface, the command shows you all the interfaces that the router has. Example 7-29 demonstrates sample output of the command on R5.

Example 7-29. show interfaces serial 0 Command Output

R5#show interfaces serial 0
Serial0 is down, line protocol is down
  Hardware is HD64570
  Description: This interface connects to R3's S1 (DTE)
  Internet address is 192.168.35.5/24
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
  Encapsulation HDLC, loopback not set, keepalive set (10 sec)
  Last input never, output 2w5d, output hang never
  Last clearing of "show interface" counters never
  Queueing strategy: fifo
  Output queue 0/40, 0 drops; input queue 0/75, 0 drops
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     212 packets output, 18206 bytes, 0 underruns
     0 output errors, 0 collisions, 37557 interface resets
     0 output buffer failures, 0 output buffers swapped out
     111 carrier transitions
     DCD=up  DSR=up  DTR=down  RTS=down  CTS=up
Several lines in this output reveal important information about interface Serial 0. The first thing you see is the state of the interface: "Serial0 is down, line protocol is down." The first "down" (referred to as the interface or physical layer state) tells you that there is a physical problem. A physical problem might result from a cable not being plugged in, or from the connected device not sending any electrical signalling, which is the case here. "Line protocol is down" means that Layer 2 is not functional, that is, HDLC is not operating correctly for some reason. It is important to note that the line protocol will never be up while the interface is in the down state. Next, the output shows the description placed on the Serial 0 interface, followed by the IP address that you assigned earlier. This is a good place to review your configuration and make sure that what you typed in interface configuration mode was correct. You also see the encapsulation type here. For a complete review of the output, refer to Chapter 3 of Interconnecting Cisco Network Devices. You will see this command again after configuring R3's serial interface, to see what changes.
To configure R3, you need to go back to the terminal server and resume the session with R3, but don't forget to save the configuration before leaving. When at R3, you need to enter global configuration mode and then go into interface configuration mode for Serial 1. Remember, you will configure Serial 0 for Frame Relay. Serial 1 connects to R5's S0 interface. (Refer to your lab diagram.) See Example 7-30.

Example 7-30. R3 Interface Configuration Mode

R5#copy running-config startup-config
Building configuration...
[OK]
R5#<ctrl-shft-6><x>
    Termserver#3
[Resuming connection 3 to r3 ... ]
R3#
R3#config t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#interface serial 1
R3(config-if)#
Now you are in interface configuration mode for Serial 1 on R3, and you can assign the appropriate IP address and mask. After that, don't forget to remove the interface from shutdown mode. Example 7-31 illustrates the commands.

Example 7-31. R3 Serial 1 Configuration Commands

R3(config-if)#encapsulation hdlc
R3(config-if)#ip address 192.168.35.3 255.255.255.0
R3(config-if)#description This interface connects to R5's S0 (DCE)
R3(config-if)#no shutdown
R3(config-if)#
%LINK-3-UPDOWN: Interface Serial1, changed state to up
R3(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1, changed state to up
R3(config-if)#
As you can see, the interface came up, and so did the line protocol. Return to R5 and see how the show interface command output has changed. Example 7-32 shows the changes in the output.

Example 7-32. R5 show interface serial 0 Command Output

R3(config-if)#end
%SYS-5-CONFIG_I: Configured from console by console
R3#copy running-config startup-config
Building configuration...
[OK]
R3#<ctrl-shft-6><x>
    Termserver#5
[Resuming connection 5 to r5 ... ]

R5#
R5#show interface serial 0
Serial0 is up, line protocol is up
  Hardware is HD64570
  Description: This interface connects to R3's S1 (DTE)
  Internet address is 192.168.35.5/24
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
  Encapsulation HDLC, loopback not set, keepalive set (10 sec)
  Last input 00:00:01, output 00:00:01, output hang never
  Last clearing of "show interface" counters never
  Queueing strategy: fifo
  Output queue 0/40, 0 drops; input queue 0/75, 0 drops
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     25 packets input, 1865 bytes, 0 no buffer
     Received 25 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     236 packets output, 20009 bytes, 0 underruns
     0 output errors, 0 collisions, 37629 interface resets
     0 output buffer failures, 0 output buffers swapped out
     112 carrier transitions
     DCD=up  DSR=up  DTR=up  RTS=up  CTS=up
R5#
Great! You now should be capable of pinging R3 from R5, as demonstrated in Example 7-33.

Example 7-33. R5 ping Result

R5#ping 192.168.35.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.35.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
R5#
You got 100 percent success: R3 and R5 have full IP connectivity. Question: should R5 be able to ping R3's Serial 0 IP address? No. Even though R5 can reach R3 through interface Serial 1, R5 cannot ping R3's Serial 0 interface, because no routing protocol has been configured yet to tell R5 about the 192.168.100.0 network to which R3's Serial 0 interface belongs. When you have configured all the interfaces on all the routers, you will start configuring the routing protocols. Then you should be able to ping any interface on any router.
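The two R5 captures in this section are the kind of output you end up checking by eye on router after router. What follows is an added example, not from the book or from Cisco: a small Python parser for show interfaces serial output that pulls out the fields the text calls out (state, line protocol, description, address, encapsulation, keepalive) plus a few counters and the control leads, and applies the rule that a physical-layer "down" always takes precedence over a line-protocol "down". The two captures are condensed copies of the R5 outputs above; the diagnose and hints functions and their wording are my own assumptions about what to check next, not Cisco guidance.

```python
import re

# Constructed captures, condensed from the two R5 `show interfaces serial 0`
# outputs in the text: before R3's Serial 1 was brought up, and after.
R5_BEFORE = """\
Serial0 is down, line protocol is down
  Hardware is HD64570
  Description: This interface connects to R3's S1 (DTE)
  Internet address is 192.168.35.5/24
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
  Encapsulation HDLC, loopback not set, keepalive set (10 sec)
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 output errors, 0 collisions, 37557 interface resets
     111 carrier transitions
     DCD=up  DSR=up  DTR=down  RTS=down  CTS=up
"""

R5_AFTER = """\
Serial0 is up, line protocol is up
  Hardware is HD64570
  Description: This interface connects to R3's S1 (DTE)
  Internet address is 192.168.35.5/24
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
  Encapsulation HDLC, loopback not set, keepalive set (10 sec)
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 output errors, 0 collisions, 37629 interface resets
     112 carrier transitions
     DCD=up  DSR=up  DTR=up  RTS=up  CTS=up
"""

HEADER = re.compile(r"^(?P<name>\S+) is (?P<state>administratively down|up|down), "
                    r"line protocol is (?P<proto>up|down)", re.M)


def _int(pattern, text):
    m = re.search(pattern, text)
    return int(m.group(1)) if m else None


def parse_show_interface(text):
    """Extract the fields the text highlights, a few error counters and the leads."""
    m = HEADER.search(text)
    if not m:
        raise ValueError("not a `show interfaces` capture")
    desc = re.search(r"^\s*Description:\s*(.*)$", text, re.M)
    addr = re.search(r"Internet address is (\S+)", text)
    encap = re.search(r"Encapsulation (\S+?),", text)
    keep = re.search(r"keepalive set \((\d+) sec\)", text)
    return {
        "name": m.group("name"),
        "state": m.group("state"),
        "line_protocol": m.group("proto"),
        "description": desc.group(1).strip() if desc else "",
        "ip": addr.group(1) if addr else None,
        "encapsulation": encap.group(1) if encap else None,
        "keepalive": int(keep.group(1)) if keep else None,
        "input_errors": _int(r"(\d+) input errors", text),
        "crc": _int(r"(\d+) CRC", text),
        "interface_resets": _int(r"(\d+) interface resets", text),
        "carrier_transitions": _int(r"(\d+) carrier transitions", text),
        "leads": dict(re.findall(r"(DCD|DSR|DTR|RTS|CTS)=(up|down)", text)),
    }


def diagnose(info):
    """Map the two status words to the layer that needs attention. Physical state
    is checked first because line protocol can never be up while the interface is down."""
    if info["state"] == "administratively down":
        return "admin-down"   # `shutdown` is still configured on the interface
    if info["state"] == "down":
        return "physical"     # no carrier: cable, far-end interface shut, or no clock from the DCE
    if info["line_protocol"] == "down":
        return "data-link"    # Layer 1 is fine but HDLC keepalives are not being answered
    return "ok"


def hints(info):
    """Things worth checking next (assumed heuristics, derived from counters and leads)."""
    out = []
    if info["state"] == "down" and info["leads"].get("DTR") == "down":
        out.append("DTR is down: in the lab captures it rose only once the far-end interface was configured")
    if (info["crc"] or 0) > 0:
        out.append("CRC errors: suspect cabling or a clock rate mismatch")
    return out


if __name__ == "__main__":
    for capture in (R5_BEFORE, R5_AFTER):
        info = parse_show_interface(capture)
        print(info["name"], info["state"], info["line_protocol"], "->", diagnose(info), hints(info))
```

Run as a script it prints one verdict per capture ("physical" before R3 came up, "ok" after); fed the output of show interfaces from a terminal-server log it gives the same per-interface verdict, which is a quick way to spot a whole lab's unconfigured far ends at once.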

How to speed up your internet connection



Does your broadband seem a bit sluggish? If so, there may just be a simple solution.

You'll need:


    A computer connected to the internet.

Follow these step-by-step instructions to find out how to speed up your internet connection

Step 1: Read our guide on How to check your internet speed and discover what speed your broadband connection is actually producing.

Step 2: Find out what speed you’re paying your internet provider (ISP) for. You may have to phone them to get the answer to this. If you’ve had your broadband for some time, it may be time to upgrade.

Step 3: Check what speed is achievable in your area. This is also covered in our guide on checking your internet speed. A number of ISPs are starting to use optical fibre instead of copper telephone cables to offer superfast broadband, and this may be available through your ISP, but it is not yet available across the whole of the UK. Fibre connections can offer up to 100Mbps, because the signal travels as light over glass rather than as an electrical signal over copper. Whether you get that depends on whether the last stretch to your house is still a phone line, so check first what speeds you can realistically expect.

Step 4: Now that you know what speed you’re paying for and what your hardware is capable of producing, there are a number of things you can do that are likely to make your internet run faster:


    Check that you haven’t exceeded your monthly download allowance. Some ISPs cap internet speeds as a penalty for doing this.
    If possible, always use the master telephone socket for your broadband router.
    Don’t use a telephone extension lead with your router. If it’s unavoidable, use the shortest one you can.
    Make sure that all other telephone sockets in use are fitted with microfilters. Not doing this can result in loss of internet speed and interference on the line.
    Is your computer running any unnecessary applications in the background? This can slow things down considerably, but finding out if it’s happening can be a bit complicated. It might be best to ask an expert for help.
    Make sure your antivirus software is kept up to date. Viruses and adware can slow down your computer and the internet a lot.
    If you're using wifi (wireless internet), make sure it's protected with WPA2 and a strong passphrase. Otherwise you could be providing your neighbours with free wifi, and sharing your bandwidth with them.
    If you’re using a laptop with a wireless connection, try using it in a different room or consider using a network cable to connect to the router instead.

Source: http://digitalunite.com/guides/using-internet-0/connecting-internet/how-speed-your-internet-connection

Why & How do I change the IP address of wireless Access Point & Extender?

 300Mbps Wireless N Access Points, 150Mbps Wireless N Access Points, 54Mbps Wireless G Access Points, Range Extenders
Why do I Change the IP address of the access point/extender?
 
The default IP address of the Access Point or Range Extender is 192.168.1.1, 192.168.1.254 or 192.168.0.254; it varies by model, so check the label on the bottom of the product. If your root/main router uses the same IP address, you need to change the IP address of the TP-LINK device to avoid an IP conflict.
 
How to Change the IP address of the access point/extender?
 
Step 1
Log in to the web-based interface of your wireless access point or extender. If you cannot log in to the web-based interface of the AP, refer to the separate FAQ on logging in.
 
Step 2
Click Network on the left, change the IP address to one that is not in use but belongs to your network's subnet, then click Save to save your settings.


Note:
1.  The settings take effect once the device is rebooted.
2.  If a broadband router provides your Internet connection, set your computer's IP settings back to "Obtain an IP address automatically" after changing the AP, so that it gets an address from the router and can reach the Internet again.

How do I configure wireless Access Point to Point to Point Bridge mode?

 54Mbps Wireless G Access Points
Definition: In Wi-Fi networking, Bridge mode allows two or more wireless access points (APs) to communicate with each other for the purpose of joining multiple LANs.
 
Some wireless bridges support only a single point-to-point connection to another AP. Others support point-to-multipoint connections to several other APs. This article is about how to setup Point to Point Bridge.
 
 
 
Step 1
Connect your computer to an AP with a wired connection, then log in to the web-based interface by entering the IP address (192.168.1.1 or 192.168.1.254, depending on the model) into your web browser.
If you cannot log in to the web-based interface, refer to the separate FAQ on logging in and follow its instructions.
 
Step 2
Change the LAN IP address of the access point to avoid IP conflict if necessary. Please refer to FAQ_173 for some detailed information.
 
After changing the IP address of your access point you need to log in to it again using the new IP address. Note that the two access points cannot have the same IP address in your network.
 
Step 3
Configure your Access Point to Point to Point Bridge mode.
1. Click on Wireless ->Basic Settings on the left menu, change the channel to a fixed one.
 
 2. Click Wireless -> Wireless Mode on the left, select Bridge (Point to Point).
 
 3. Press the Survey or Search button at the bottom; an AP list is displayed. Locate the BSSID (MAC address) of the other access point, note its channel, and click Connect.
 
 4. Then you will see the MAC addresses of the other access point displayed in the MAC of AP boxes.
 
 
 
5. Click on Save button to save the settings.
 
6. Go to Wireless -> Security Settings to secure the wireless link with WEP. Note that this model only supports WEP when the AP is configured in bridge mode. WEP is a broken cipher that can be cracked in minutes with freely available tools, so treat a WEP bridge as an untrusted link: carry anything sensitive over it inside a VPN, or use hardware that supports WPA2 in bridge/WDS mode.
 
 7. Go to System Tools-Reboot to reboot the device.
 
 
Step 4
Configure the other access point for Point to Point Bridge mode following the same steps.
 
Note:
1.    The channel and the security settings (security type and password) must be identical on the two access points.
2.    The IP addresses must be in the same subnet but different. For example, if AP1 is 192.168.1.254, AP2 should be 192.168.1.X with 1 <= X < 254. No two devices in your whole network may share an IP address.
 
Additional information:
There is an option called With AP Mode on the settings page. If you enable it, the access point works in AP mode at the same time as Bridge mode, which means you can still connect wireless clients to this access point while it is bridged.

Otherwise you cannot connect any wireless client to the access point while it is configured in Bridge mode.
 
 

Aug 2, 2013

How to Secure your MikroTik Router / Firewall



The first step in securing your network is to secure every appliance (managed switch, router, firewall, VPN concentrator) that is directly attached to it. There are many approaches to securing devices, some better than others. The basic concepts of securing a MikroTik router, or any router for that matter, can be summarised as follows:
  1. Stop all unnecessary services on the MikroTik router.
  2. Create firewall rules that deny all unwanted inbound traffic and allow only the inbound traffic you actually need.
  3. If services on the router must be remotely accessible, limit the addresses that can connect to them.
  4. If a service cannot practically be limited to a small number of addresses, protect it with strict firewall rules so that it can only be used within its normal parameters (standards such as the relevant RFCs, and the behaviour you observe in normal operation).
Each of these approaches and its implementation is outlined in detail below:

Stop all unnecessary services on the MikroTik router.
This reduces the attack surface of your router: the fewer services there are to attack, the less likely it is that the router can be compromised or overloaded.

Deny all unwanted inbound traffic
By restricting inbound traffic to the router, you prevent services being opened up by accident. Allowing only the services you know about and want also means that any service you are not aware of cannot be reached remotely on the MikroTik router.

Remotely accessible router services should be limited to a few addresses
This is a simple and very effective way of controlling who can even attempt to reach the MikroTik router. Work out from which addresses or networks the router will be administered, then create firewall rules that only allow access to the router's services from those management networks. Keep a second, independent path to the device (the console, or a separate management address) so that a mistake in these rules does not lock you out.


Publicly accessible router services should be filtered to operate strictly within their normal parameters
If a service must be open to the world, create firewall rules that limit access to it within strict parameters. Monitor the behaviour of the service in normal operation, then create firewall rules that prevent it being used outside those normal working parameters.

A typical example of this type of firewalling: you want to be able to SSH into the router from anywhere, but if you leave TCP port 22 open to the world you will find plenty of people only too happy to run a brute-force dictionary attack against it. An SSH server normally disconnects a client after a number of failed attempts, so an attacker has to open a new TCP connection for every handful of guesses. The firewall cannot see failed logins, but it can count new connections, and that is what the following ladder does: a source that keeps opening new port-22 connections within a minute is escalated from list to list and finally blacklisted for an hour.
  1. Drop all traffic from any address on sshblacklist.
  2. If a new port-22 connection comes from an address on sshdarkgreylist, add the address to sshblacklist with a timeout of 1 hour.
  3. If a new port-22 connection comes from an address on sshgreylist, add the address to sshdarkgreylist with a timeout of 1 minute.
  4. If a new port-22 connection comes from an address on sshlightgreylist, add the address to sshgreylist with a timeout of 1 minute.
  5. Add the source of every new port-22 connection to sshlightgreylist with a timeout of 1 minute.
Two things to keep in mind. First, add-src-to-address-list is a passthrough action, so a packet keeps being evaluated by the later rules; the order above (highest list first) is what makes each connection climb exactly one step. Second, a legitimate administrator who opens four sessions in quick succession is blacklisted just like an attacker, so put an accept rule for your management addresses (point 3 above) before the drop rule, and keep a second way in.

/ip firewall filter

add chain=input src-address-list=sshblacklist action=drop \
    comment="drop all traffic from brute force attack sources" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=sshdarkgreylist action=add-src-to-address-list \
    address-list=sshblacklist address-list-timeout=1h \
    comment="4th new ssh connection within the timeouts: sshdarkgreylist to sshblacklist" \
    disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=sshgreylist action=add-src-to-address-list \
    address-list=sshdarkgreylist address-list-timeout=1m \
    comment="3rd new ssh connection: sshgreylist to sshdarkgreylist" \
    disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=sshlightgreylist action=add-src-to-address-list \
    address-list=sshgreylist address-list-timeout=1m \
    comment="2nd new ssh connection: sshlightgreylist to sshgreylist" \
    disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new \
    action=add-src-to-address-list \
    address-list=sshlightgreylist address-list-timeout=1m \
    comment="every new ssh connection lands on sshlightgreylist" \
    disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new action=accept \
    comment="allow the ssh session itself; required if the input chain ends in a drop rule" \
    disabled=no
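To see how the ladder behaves against a real connection pattern before putting it on a production router, here is an added example (not from this page and not MikroTik code) that simulates the five rules above in Python, including the passthrough behaviour of add-src-to-address-list and the per-entry timeouts. The traffic is constructed; the management parameter is an assumed whitelist reflecting point 3 above rather than one of the page's rules; and the model assumes that re-adding an address that is still on a list leaves its existing timeout unchanged (the results below do not depend on that choice).

```python
"""Simulate the ssh grey-list ladder from the MikroTik rule set against a
stream of new TCP/22 connections: when does a source get blacklisted, and
when does it age out again?"""

# Timeouts exactly as in the rule set above, in seconds.
TIMEOUTS = {"sshlightgreylist": 60, "sshgreylist": 60,
            "sshdarkgreylist": 60, "sshblacklist": 3600}

# Rules 2-4 in chain order: a source on the first list is added to the second.
# Order matters: add-src-to-address-list is passthrough, so one packet walks the
# whole chain, but a list it was added to by a later rule is not re-checked by an
# earlier rule for that same packet. Each connection therefore climbs one step.
LADDER = [("sshdarkgreylist", "sshblacklist"),
          ("sshgreylist", "sshdarkgreylist"),
          ("sshlightgreylist", "sshgreylist")]


class AddressLists:
    """Dynamic address lists with per-entry expiry, like /ip firewall address-list."""

    def __init__(self):
        self.entries = {name: {} for name in TIMEOUTS}   # list -> {address: expires_at}

    def contains(self, name, addr, now):
        expires = self.entries[name].get(addr)
        if expires is None:
            return False
        if expires <= now:                 # entry has timed out; RouterOS removes it
            del self.entries[name][addr]
            return False
        return True

    def add(self, name, addr, now):
        # Assumption: re-adding an address that is still listed keeps its timeout.
        if not self.contains(name, addr, now):
            self.entries[name][addr] = now + TIMEOUTS[name]


def input_chain(lists, src, now, management=()):
    """Verdict for the first packet of a new TCP connection to port 22 from src.
    management is an assumed whitelist (not in the page's rules) checked first,
    so an administrator's address can never climb the ladder."""
    if src in management:
        return "accept"
    if lists.contains("sshblacklist", src, now):   # rule 1: drop everything from blacklisted sources
        return "drop"
    for lower, higher in LADDER:                   # rules 2-4, passthrough
        if lists.contains(lower, src, now):
            lists.add(higher, src, now)
    lists.add("sshlightgreylist", src, now)        # rule 5: every new ssh connection lands here
    # The SYN that triggers rule 2 still gets through, but the rest of that
    # connection hits rule 1 (no connection-state match), so the session stalls.
    return "accept"


def simulate(attempts, management=()):
    """attempts: iterable of (time_seconds, src_ip). Returns (verdicts, lists)."""
    lists = AddressLists()
    verdicts = [input_chain(lists, src, t, management) for t, src in attempts]
    return verdicts, lists


if __name__ == "__main__":
    # Constructed traffic: one source reconnecting every 10 seconds.
    verdicts, lists = simulate([(t, "203.0.113.7") for t in (0, 10, 20, 30, 40)])
    print(verdicts)                                       # ['accept', 'accept', 'accept', 'accept', 'drop']
    print(input_chain(lists, "203.0.113.7", 40 + 3600))   # accept: the blacklist entry has expired
```

The fourth connection inside the one-minute window is the one that blacklists the source, the fifth is dropped, and an hour later the source is back to a clean slate. A source that reconnects only every couple of minutes never gets past sshlightgreylist, which is the behaviour you want for an admin who occasionally reconnects; change the timeouts in TIMEOUTS to see how aggressive the ladder becomes.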



References
The SSH brute force mitigation rules are based on another author's script at the following location:

Setting up a MikroTik Router as a HotSpot

This document outlines how to configure a MikroTik RouterBoard to be used as a HIB with SIMPLer.

General information on the RouterBoard may be found in the MikroTik Wiki: http://wiki.mikrotik.com/wiki/Category:Manual

Basic Setup

Once an IP address is assigned, use Winbox (download from the first time setup page) to do the remainder of the setup.
  • Set up the hotspot as follows (this information is based on http://www.hotspotsystem.com/en/hotspot/install_guide_mikrotik.html):
    • Verify that the routerboard DNS settings are correct - click on IP -> DNS and then Settings - if the default values are not correct, update them to reflect the current network. 
    • Add the hotspot service to ether2 (or any other ether port - just replace references to ether2 with whatever ethernet port you are using below) by going IP -> Hotspot and then clicking Hotspot Setup:
    • Select ether2 from the drop down and click Next.
    • Pick a suitable IP range to use (192.168.182.1/24 is the default used on HIBs, so use that)


    • Click Next for the "Address Pool of Network"  
    •  Click Next for the "Certificate" - leave at "none" 

    • Ignore the SMTP server setting, and accept the default for the DNS server setting, and leave the DNS name blank.
    • On the next dialog, create a password for the "admin" user - this will allow you to login to the hotspot with this username/password without having to use the RADIUS server - this is useful to verify basic operation before going any further.
  • At this point the basic hotspot should be up and running. Connect a laptop to the ether2 port and verify that it gets an IP address from the range 192.168.182.2 - 192.168.182.254. Try to access the internet with a web browser; you should get the default MikroTik splash page. Enter the admin username and password you created above to get access to the internet. (If the status/logout dialog does not pop up, you can log out using http://192.168.182.1/logout.)

Adding RADIUS support to authenticate against SIMPLer

  • Again using winbox, configure RADIUS support as follows:
    • In the hotspot profiles (IP -> HotSpot -> Server Profiles), double click the hotspot you created (should probably be hsprof1)
    • In the Login tab, deselect Cookie and select CHAP and PAP: 
    • In the RADIUS tab, select "Use RADIUS", and click OK: 
 In the left column, click Radius, then the red + to add a new RADIUS server. In the dialog, tick hotspot and enter the IP address of the RADIUS server and the shared secret (the default, which you can get from the hotspot setup in SIMPLer, is az0s3cr3t). Because that default is published, change it to a unique secret on both the RouterBoard and the SIMPLer side before putting the hotspot into service:



  • If you want to allow access to certain sites without authentication (e.g. payment gateways, etc), you can add them to IP -> HotSpot -> Walled Garden. For basic setup this should not be necessary.
  • Set the clock on the routerboard by going to System -> NTP Client, click "Enabled", set the Mode to unicast and the server to "pool.ntp.org": 
  • Set the system identity to the hotspot name as follows: go to System -> Identity and enter the full hotspot name (for example demowisp_demowisp_hs5 is the one I am using):


    • At this point you should be able to login using a token from the selected hotspot. You can verify which users are logged in using IP -> Hotspot -> Active in winbox

Updating the login splash page


The login (and logout) splash pages can be updated as wished. However in order to allow customers to purchase a token using the operator's payment gateway, a link to the SIMPLer captive portal purchase form must be added. The format of the link is as follows:

https://xyz.azotel.com/hotspot/register.pl?hs_name=hotspot_name

Where xyz and hotspot_name are replaced with the relevant equivalents for the operator.

To get the html code for the current login page, click on Files in winbox, and go to hotspot/login.html:


You can just drag'n'drop this file to your desktop, update it, and then drag it back into the Files dialog. Or, if you wish, you can copy the file to your PC using ssh/ftp. The ssh command to copy it is as follows:

    scp admin@<ip of mikrotik>:/hotspot/login.html login.html

To copy it back, use
   
    scp login.html admin@<ip of mikrotik>:/hotspot/login.html

You can also drag'n'drop graphics to the hotspot/img directory to be used on the login page.

Jun 13, 2013

How to configure VTP Pruning

Introduction

As you would be aware a switched network creates one broadcast domain, similar to that of a VLAN powered network where all nodes belonging to the same VLAN are part of the same broadcast domain, receiving all broadcasts sent on their network.

The Broadcast And Unicast Problem In VLAN Networks

What we are about to see is how these broadcasts can actually create problems by flooding the VLAN network with unnecessary traffic, and depending on your network setup this can prove to be a huge problem. The reason is that the trunk links interconnecting your network switches carry these broadcasts to every switch in the network, regardless of which VLAN the broadcast is intended for.



As shown and described, a host connected to a port configured for VLAN 2 on Switch 1 (the first switch on the left) generates a network broadcast. Naturally, the switch forwards the broadcast out all ports assigned to the VLAN it was received on, that is, VLAN 2.
In addition, the Catalyst switch forwards the broadcast out its trunk link so that it can reach all ports in the network assigned to VLAN 2. The Root switch receives the broadcast on one of its trunks and immediately forwards it out the other two, towards Switch 2 and Switch 3.
Switch 2 is happy to receive the broadcast, as it does in fact have one port assigned to VLAN 2. Switch 3 is a different case: it has no ports assigned to VLAN 2 and therefore drops the broadcast it receives.
In this example the bandwidth usage was inefficient because one broadcast packet was sent over every trunk link, only to be dropped by Switch 3.
You might ask yourself 'So what's the big deal?'.
The problem here is small and can easily be ignored... but consider a network of fifteen or more 12 port switches (this translates to at least 210 nodes) and you can start to appreciate how serious the problem can get. To make things worse (and more realistic), consider you're using 24 port switches, then you're all of a sudden talking about more than 300 nodes!
To further help understand how serious the problem gets, let's take a look at our example network below:



Here we have a medium-sized network built on Cisco Catalyst switches. The two main switches at the top are the VTP servers and also perform Layer 3 switching, routing packets between the VLANs we have created.
Right below them are the Catalyst 2950 switches, connected to the core switches via redundant fibre trunk links. Directly below the 2950s are the Catalyst 2948 switches that connect all workstations to the network.
A workstation connected to a port assigned to VLAN 2 sends a network broadcast looking for a specific network resource. The workstation is entirely unaware of our network design and its complexity, yet its broadcast is the reason every trunk will be flooded with unwanted traffic, consuming valuable bandwidth!
Let's take a look at what happens:


Describing the above is hardly necessary, as the diagram shows everything we need, and we are confident you will agree that we are dealing with a big problem :)
So how do we fix this mess?
Keep reading, as you're about to learn.

The Solution: Enabling VTP Pruning

VTP pruning, as you might already have guessed, solves the above problem by reducing the unnecessary flooded traffic described previously. With pruning enabled, a switch forwards broadcasts and unknown unicast frames belonging to a VLAN over a trunk link only if the switch at the receiving end of that trunk has advertised that it needs that VLAN, because it has active ports in it or because a switch behind it does.


Support For VTP Pruning

VTP pruning is supported by both version 1 and version 2 of the VTP protocol. With VTP version 1, pruning is implemented with additional VTP message types.
When a Cisco Catalyst switch has ports associated with a VLAN, it sends an advertisement to its neighbouring switches informing them that it has active ports in that VLAN. The neighbours store this information and use it to decide whether flooded traffic for that VLAN should be forwarded to the switch over the trunk port or not.
Note: VTP pruning is disabled by default on all Cisco Catalyst switches. On CatOS switches it is enabled with the "set vtp pruning enable" command; on IOS-based switches the equivalent is the global configuration command "vtp pruning".
If this command is issued on a VTP server in your network, pruning is enabled for the entire management domain, since the setting is propagated through VTP and does not have to be configured switch by switch.

When you enable VTP pruning on your network, all VLANs become eligible for pruning on all trunk links. This default list of pruning eligibility can thankfully be modified to suit your needs. On CatOS you must first clear all VLANs from the list using the "clear vtp prune-eligible vlan-range" command and then set the VLAN range you wish to add to the prune-eligible list with "set vtp prune-eligible vlan-range", where 'vlan-range' is the inclusive range of VLANs, e.g. '2-20'. On IOS-based switches the eligible list is set per trunk interface with "switchport trunk pruning vlan" (for example "switchport trunk pruning vlan remove 2-20" to keep those VLANs from being pruned on that trunk).
By default, VLANs 2–1000 are eligible for pruning. VLAN 1 has a special meaning because it is normally used as the management VLAN and is never eligible for pruning, and VLANs 1001–1005 are never eligible either. For VLANs configured as pruning-ineligible, the flooding continues exactly as illustrated in our examples.
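To make the effect of pruning concrete, here is a small simulation of the four-switch example (Switch 1, Root, Switch 2, Switch 3) described earlier in this article. It is an added example and not code from the original article or from Cisco: the VLAN 2 port assignments follow the text, while the exact port counts, the second VLAN and the switch names are constructed for illustration. With pruning off, a VLAN 2 broadcast from Switch 1 crosses all three trunks; with pruning on, the Root withholds it from Switch 3, which never advertised a need for VLAN 2.

```python
"""Flooded-traffic simulation for the four-switch example described above.

Added example, not code from the original article. The topology (Switch1, Root,
Switch2, Switch3) and the VLAN 2 port assignments follow the text; the exact
port counts and the other VLAN are constructed for illustration.
"""
from collections import deque

# Constructed trunk topology: switch -> neighbouring switches.
TRUNKS = {
    "Switch1": {"Root"},
    "Root": {"Switch1", "Switch2", "Switch3"},
    "Switch2": {"Root"},
    "Switch3": {"Root"},
}

# Constructed access ports: switch -> {vlan: number of active ports}.
# As in the text, Switch1 and Switch2 have VLAN 2 ports, Switch3 has none.
ACCESS_PORTS = {
    "Switch1": {2: 4, 3: 8},
    "Root": {},
    "Switch2": {2: 1, 3: 11},
    "Switch3": {3: 12},
}

# VLAN 1 and VLANs 1001-1005 are never pruned (the defaults quoted in the text).
PRUNE_INELIGIBLE = {1} | set(range(1001, 1006))


def far_side(switch, neighbour):
    """Switches reachable from `neighbour` without passing back through `switch`.

    The trunk topology here is a tree (no redundant links), so this is the set
    of switches "behind" the trunk from `switch` to `neighbour`.
    """
    seen = {switch, neighbour}
    queue = deque([neighbour])
    while queue:
        for nxt in TRUNKS[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(switch)
    return seen


def vlans_joined(switch, neighbour):
    """VLANs the far side of a trunk advertises it needs (its pruning 'join' list).

    With pruning on, a switch only asks its neighbour for VLANs that have active
    ports on itself or on switches behind it; everything else is withheld upstream.
    """
    needed = set()
    for sw in far_side(switch, neighbour):
        needed.update(vlan for vlan, ports in ACCESS_PORTS[sw].items() if ports > 0)
    return needed


def flood(origin, vlan, pruning):
    """Trunk links (sorted name pairs) that a broadcast on `vlan` from `origin` crosses."""
    crossed = set()
    seen = {origin}
    queue = deque([origin])
    while queue:
        cur = queue.popleft()
        for nxt in TRUNKS[cur]:
            if nxt in seen:
                continue
            eligible = pruning and vlan not in PRUNE_INELIGIBLE
            if eligible and vlan not in vlans_joined(cur, nxt):
                continue  # the far side never joined this VLAN: pruned on this trunk
            seen.add(nxt)
            crossed.add(tuple(sorted((cur, nxt))))
            queue.append(nxt)
    return sorted(crossed)


if __name__ == "__main__":
    for pruning in (False, True):
        links = flood("Switch1", 2, pruning)
        print(f"pruning={pruning!s:<5} VLAN 2 broadcast crosses {len(links)} trunk(s): {links}")
```

The join list is computed from everything behind a trunk, not just the directly attached neighbour, which is why the Switch 1 to Root trunk still carries VLAN 2 even though the Root itself has no access ports: Switch 2 behind it does. Try flooding VLAN 1 with pruning on to confirm that an ineligible VLAN is still sent everywhere.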

Summary

VTP pruning can in fact be an administrator's best friend in any Cisco-powered network, increasing available bandwidth by restricting flooded traffic to those trunk links that the traffic must use to reach the destination devices.
At this point, we have also come to the end of the first part of our VLAN presentation. As we are still working on the second and final part of the VLAN topic, we hope these pages will keep you going until it is complete.

VLAN and VTP configuration

Lab instructions

The aim of this lab is to check your ability to configure VTP and VLANs on a small network of four switches. It will help you prepare for the ICND1 exam.
1. Configure the VTP-SERVER switch as a VTP server.

2. Connect to the three other switches and configure them as VTP clients.
All links between switches must be configured as trunks.

3. Configure the VTP domain name as "TESTDOMAIN" and the VTP password as "cisco".

4. Configure VLAN 10 with the name "STUDENTS" and VLAN 50 with the name "SERVERS".

5. Check propagation of the VLANs on all switches of the VTP domain.

Network diagram

Solution

Configure the VTP-SERVER switch as a VTP server
VTP-SERVER(config)#vtp mode server
Verify the VTP configuration using the "show vtp status" command
VTP-SERVER#show vtp status
VTP Version                     : 2
Configuration Revision          : 4
Maximum VLANs supported locally : 255
Number of existing VLANs        : 7
VTP Operating Mode              : Server
VTP Domain Name                 : TESTDOMAIN
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0xAE 0x4F 0x3F 0xC5 0xD3 0x41 0x9C 0x11
Configuration last modified by 192.168.1.1 at 3-1-93 00:27:41
Local updater ID is 192.168.1.1 on interface Vl1 (lowest numbered VLAN interface found)


Connect to the three other switches and configure them as VTP clients.
All links between switches must be configured as trunks.

VTP-CLIENT3(config)#vtp mode client
Verify the VTP configuration using the "show vtp status" command
VTP-CLIENT3#sh vtp status
VTP Version                     : 2
Configuration Revision          : 4
Maximum VLANs supported locally : 255
Number of existing VLANs        : 7
VTP Operating Mode              : Client
VTP Domain Name                 : TESTDOMAIN
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0xAE 0x4F 0x3F 0xC5 0xD3 0x41 0x9C 0x11
Configuration last modified by 192.168.1.1 at 3-1-93 00:27:41


Configure the VTP domain name as "TESTDOMAIN" and the VTP password as "cisco"
1. Configure each link between switches as a trunk. (On switches that support both ISL and 802.1Q, such as the 3550 or 3560, "switchport trunk encapsulation dot1q" must be entered before "switchport mode trunk"; the 2950 only supports 802.1Q and does not need it.)
interface GigabitEthernet1/1
switchport mode trunk

interface GigabitEthernet1/2
switchport mode trunk

2.On the server :
VTP-SERVER(config)#vtp domain TESTDOMAIN
VTP-SERVER(config)#vtp password cisco

3. On each client (the password must be identical on every switch in the domain; with a mismatch the MD5 digest of the advertisements differs and they are ignored):
VTP-CLIENT1(config)#vtp password cisco
VTP-CLIENT1(config)#vtp domain TESTDOMAIN


Configure VLAN 10 with name "STUDENTS" and VLAN 50 with name "SERVERS"
On the VTP server switch, configure the following commands
VTP-SERVER(config)#vlan 10
VTP-SERVER(config-vlan)#name STUDENTS
VTP-SERVER(config)#vlan 50
VTP-SERVER(config-vlan)#name SERVERS

Check propagation on all switches of the VTP domain.
Use "show vlan brief" on each switch to check that the two VLANs have propagated.
VTP-SERVER#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4, [...]
10   STUDENTS                         active  
50   SERVERS                          active  
1002 fddi-default                     active  
1003 token-ring-default               active  
1004 fddinet-default                  active  
1005 trnet-default                    active


Cisco VTP VLAN Trunking Protocol


VLAN Trunking Protocol (VTP) is a Cisco Layer 2 messaging protocol that manages the addition, deletion and renaming of VLANs on a network-wide basis, reducing administration in a switched network. When you configure a new VLAN on one VTP server, the VLAN is distributed to all switches in the domain, so the same VLAN does not have to be configured everywhere. VTP is a Cisco-proprietary protocol that is available on most Cisco Catalyst products.

VTP ensures that all switches in the VTP domain are aware of all VLANs. There are occasions, however, when this creates unnecessary traffic: all unknown unicasts and broadcasts in a VLAN are flooded over the entire VLAN, so every switch in the network receives every broadcast, even where few or no users are connected to that VLAN. VTP pruning is the feature used to eliminate (prune) this unnecessary traffic.

By default, all Cisco Catalyst switches are configured as VTP servers. This is suitable for small networks, where the VLAN information is small and easily stored in NVRAM on every switch. In a large network a judgment call must be made at some point, when the NVRAM needed becomes a waste because it is duplicated on every switch. At that point the network administrator should choose a few well-equipped switches to keep as VTP servers and turn everything else participating in VTP into clients. The number of VTP servers should be chosen to provide the degree of redundancy desired in the network.

Modes of Operation

Server

In VTP server mode, you can create, modify, and delete VLANs and specify other configuration parameters (such as VTP version and VTP pruning) for the entire VTP domain. VTP servers advertise their VLAN configuration to other switches in the same VTP domain and synchronize their VLAN configuration with other switches based on advertisements received over trunk links. VTP server is the default mode.

Transparent

VTP transparent switches do not participate in VTP. A transparent switch does not advertise its VLAN configuration and does not synchronise its VLAN configuration from received advertisements; its VLANs are local to it. It does, however, forward the VTP advertisements it receives out its trunk ports: in VTP version 2 regardless of the domain name, in version 1 only when the domain name and version match its own.

Client

VTP clients behave the same way as VTP servers, except that you cannot create, change or delete VLANs on a VTP client. A client still takes full part in synchronisation: it accepts advertisements carrying a higher configuration revision and forwards them to its neighbours, so a client with a higher revision than the servers can overwrite the domain's VLAN database just as a server can.

Advertisements

Summary Advertisements

When a switch receives a summary advertisement, it compares the VTP domain name in the packet to its own. If the name is different, the switch simply ignores the packet. If the name is the same, the switch compares the configuration revision in the packet to its own: if its own revision is higher or equal, the packet is ignored; if it is lower, the switch sends an advertisement request. Because the highest revision always wins, reset the revision to zero on any switch before connecting it to a production domain (changing the VTP domain name, or setting the mode to transparent and back, does this); otherwise a switch recycled from another network can replace the VLAN database of the whole domain.

Subset Advertisements

When you add, delete or change a VLAN on a switch, the server switch where the change was made increments the configuration revision and issues a summary advertisement, followed by one or several subset advertisements. A subset advertisement contains a list of VLAN information. If there are many VLANs, more than one subset advertisement may be required to advertise them all.

Advertisement Requests

A switch sends a VTP advertisement request in the following situations:

- The switch has been reset.
- The VTP domain name has been changed.
- The switch has received a VTP summary advertisement with a higher configuration revision than its own.

Upon receipt of an advertisement request, a VTP device sends a summary advertisement, followed by one or more subset advertisements.
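The decision order in the three advertisement sections above (domain name, then revision, then the digest that carries the password) is easiest to check by modelling it. The following is an added example, not code from the original article and not Cisco's implementation: real VTP computes an MD5 digest over the advertisement with the domain password mixed in, whereas digest() here is a simplified stand-in (md5 over domain|revision|password|vlans) so that a password mismatch is visible. The switch names, revision numbers and the "OLD-LAB-SW" scenario are constructed; the domain TESTDOMAIN, password cisco and VLANs 10/50 are those of the lab above. It shows the lab client synchronising, a stale client with revision 40 wiping the server's VLANs, the same switch being rejected when its password differs, and the join becoming harmless once its revision is reset.

```python
"""VTP summary-advertisement handling, following the rules given in the text.

Added example, not from the original article and not Cisco code. digest() is a
simplified stand-in for the real VTP MD5 digest, used only to make a password
mismatch visible. Switch names, revisions and the OLD-LAB-SW case are constructed.
"""
import hashlib
from dataclasses import dataclass, field


def digest(domain, revision, password, vlans):
    """Stand-in for the VTP MD5 digest; not the real wire-format computation."""
    body = f"{domain}|{revision}|{password}|{sorted(vlans.items())}".encode()
    return hashlib.md5(body).hexdigest()


@dataclass
class SummaryAdvertisement:
    domain: str
    revision: int
    digest: str


@dataclass
class VtpSwitch:
    name: str
    domain: str
    mode: str = "server"          # server | client | transparent
    password: str = ""
    revision: int = 0
    vlans: dict = field(default_factory=lambda: {1: "default"})

    def summary(self):
        """Build the summary advertisement this switch would send on its trunks."""
        return SummaryAdvertisement(
            self.domain, self.revision,
            digest(self.domain, self.revision, self.password, self.vlans))

    def handle_summary(self, adv, sender):
        """Decision order from the text; returns a one-line description of the outcome."""
        if self.mode == "transparent":
            return "ignored: transparent mode does not participate"
        if adv.domain != self.domain:
            return "ignored: domain name differs"
        if adv.revision <= self.revision:
            return "ignored: own revision is higher or equal"
        # Higher revision: the switch would send an advertisement request and the
        # sender would answer with subset advertisements. Modelled as a direct pull.
        if digest(adv.domain, adv.revision, self.password, sender.vlans) != adv.digest:
            return "rejected: MD5 digest mismatch (password differs)"
        # Taken in client mode as well: any switch with the same domain and
        # password and a higher revision replaces the whole VLAN database.
        self.vlans = dict(sender.vlans)
        self.revision = adv.revision
        return f"synchronised to revision {adv.revision} ({len(self.vlans)} VLANs)"

    def add_vlan(self, vlan_id, name):
        """Only a server may change the database; every change bumps the revision."""
        if self.mode != "server":
            raise PermissionError(f"{self.name}: VLANs can only be created on a VTP server")
        self.vlans[vlan_id] = name
        self.revision += 1

    def join_domain(self, new_domain):
        """Changing the domain name resets the revision to 0 (the safe way to add a switch)."""
        if new_domain != self.domain:
            self.revision = 0
            self.domain = new_domain


def demo():
    """Lab domain from the text, then a stale switch joining it; returns the outcomes."""
    server = VtpSwitch("VTP-SERVER", "TESTDOMAIN", password="cisco")
    client = VtpSwitch("VTP-CLIENT1", "TESTDOMAIN", mode="client", password="cisco")
    server.add_vlan(10, "STUDENTS")
    server.add_vlan(50, "SERVERS")
    out = {"client_sync": client.handle_summary(server.summary(), server),
           "client_vlans": sorted(client.vlans)}

    # Constructed: a client recycled from another lab, same domain and password,
    # revision 40, but without STUDENTS/SERVERS in its database.
    stale = VtpSwitch("OLD-LAB-SW", "TESTDOMAIN", mode="client", password="cisco",
                      revision=40, vlans={1: "default", 99: "scratch"})
    out["server_vs_stale"] = server.handle_summary(stale.summary(), stale)
    out["server_vlans_after"] = sorted(server.vlans)   # STUDENTS and SERVERS are gone

    # Same switch with a different password: the digest check blocks the overwrite.
    stale.password = "cisco123"
    out["wrong_password"] = client.handle_summary(stale.summary(), stale)

    # Resetting the revision first (change the domain name and change it back)
    # makes the join harmless: the lower revision is simply ignored.
    stale.join_domain("SCRATCH")
    stale.join_domain("TESTDOMAIN")
    out["after_reset"] = client.handle_summary(stale.summary(), stale)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>20}: {value}")
```

The order of the checks matters: the password only helps against a stale switch that shares the domain name, and it is checked last, after the revision comparison. A matching password and a higher revision are all that is needed to replace every VLAN in the domain, which is why the revision reset in join_domain() belongs in any procedure for adding a switch.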

Configuration

To configure an IOS-based switch as a VTP server using the legacy VLAN database mode, issue the following commands (on current IOS releases the global configuration commands "vtp mode", "vtp domain" and "vtp password" used in the lab above are preferred):

SwitchA# vlan database
SwitchA(vlan)# vtp domain CiscoKits
SwitchA(vlan)# vtp server
SwitchA(vlan)# exit


These commands configure the switch as a VTP server in the VTP domain CiscoKits. In VLAN database mode the changes are applied, and the configuration revision incremented, when the exit command is issued. To configure a VTP client, run the following commands:

SwitchB# vlan database
SwitchB(vlan)# vtp domain CiscoKits
SwitchB(vlan)# vtp client
SwitchB(vlan)# exit


To take a switch out of VTP, set the VTP mode to transparent (its VLANs then remain local and it only forwards advertisements):

SwitchC# vlan database
SwitchC(vlan)# vtp transparent
SwitchC(vlan)# exit


To monitor VTP operation and status, use either:

SwitchA# show vtp status

or

SwitchA# show vtp counters
