Self-study installation for SMB - Issue 07 dt00cte100… · 2016-08-31
LAN / WLAN SELF-STUDY INSTALLATION FOR SMB ISSUE 07 PARTICIPANT'S GUIDE

Upload: duongxuyen

Post on 29-May-2018



OMNISWITCH 6350 HARDWARE PRESENTATION

OMNISWITCH AOS R6

Module Objectives

You will:

Identify the different hardware and software components of the OS 6350 as well as where it fits in different networks

[Figure: OS 6350 and AOS, with the labels High Availability, Operating System, Extensive Manageability and Enhanced Security]

OmniSwitch 6350 - Gigabit Ethernet switch

Overview

10 POE or Non-POE Triple-speed 10/100/1000 Gigabit interfaces

2 Gigabit RJ45/SFP combo ports

Low-power consumption

Fanless operation on the 6350-10 and 6350-P10 models

Delivering Power over Ethernet (PoE)

802.3af/802.3at compliant

65 W of power for PoE attached devices

Internal AC power supplies

No Backup power supply

Advanced QoS and security features

autoQoS IEEE

802.3af/at PoE

OmniSwitch 6350 - Gigabit Ethernet switch

Front panel

2 1Gig RJ45/SFP Combo Ports

OK Solid green (hardware status OK)

PWR Solid Green (power supply operational)

10 x 1G User Interface Ports 802.3at Support PoE on all 24 or 48 ports

RJ-45 Serial Console Port and

USB Flash drive port

User Port and SFP LED’s

Solid=Link/Blinking=Activity

Green=NonPoE/Amber=PoE

OmniSwitch 6350 - Gigabit Ethernet switch

Ports

OmniSwitch 6350 model   Distribution ports (Nbr)   Distribution ports (type)   Combo ports RJ45/SFP 1G
OS 6350-10              10                         10/100/1000                 2
OS 6350-P10             10                         10/100/1000                 2

AOS R6 for the OS 6350

VLANs IEEE 802.1Q

Policy rule based

802.1x/MAC Auth.

Spanning Tree IEEE 802.1D

IEEE 802.1w

IEEE 802.1s

PVST +

Link Aggregation IEEE 802.3ad (dynamic)

Multicast switching IPv4: IGMP v1/v2/v3

IPv6 MLD v1/v2

QoS / ACLs / Policies Classification on L1/L2/L3/L4

8 internal priorities

802.1p/ToS/DiffServ marking

Per COS Max bandwidth

Statistics (# of pkt, # of byte)

Ingress Policing / Egress Shaping

Multi-actions support

Server Load Balancing

Security IEEE 802.1x, A-VLANs

Access Guardian Host Integrity Check

User Network Profile

IP Anti-Spoofing

Learnt Port Security

sFlow ® , RMON (4 groups)

SNMP v2/v3

SSH, SSL, Radius, LDAP

IPv4 Static routing

IPv6 Tunneling (Configured, 6to4)

Static routing

Misc. ECMP (v4 & v6)

Loopback

Proxy ARP / Ext Proxy ARP

Router Discovery Protocol

Port mirroring (many-to-one)

Jumbo frames (9K)

Policy Based Mirroring

GVRP/MVRP

UDLD

Management Out-of-the-box Auto-provisioning

USB support

AMAP

LLDP

DHCP server

NTP server

CLI / WebView / OmniVista


ACCESS POINTS HARDWARE PRESENTATION

OmniAccess Wireless – Access Points

AP1101: Dual Radio, 2x2:2 MIMO

Specification AP 1101

Antennas Built-in

Clients 64

Data rate per radio (Mbps) 1200

802.11n spatial streams 2

802.11n MIMO 2x2

802.11ac

2.4 + 5GHz WIPS

Cluster Network

RDA Feature

802.11e (QoS)

Full Capacity w/ 802.3af

Ethernet

OmniAccess Wireless –Hardware Overview

Hidden LED Location

Red Blue Green Time Line Status

ON Power on

ON Bootloader - OS loading System start up

Flash System running Network abnormal (Interface down)

Flash System running Network normal, without SSID created

ON System running Network normal, single band working, either 2.4 GHz or 5 GHz working

ON System running Network normal, dual bands working, 2.4 GHz and 5 GHz are both working

Flash Flash System running Red and Blue LED rotate flash in a specific frequency; OS upgrading

Flash Flash Flash System running 3 LED rotate flash in a specific frequency; used for locating an AP

Security Lock Slot

Reset Button

Ethernet

Console

DC Power Socket

DC Power Socket Console

Product Features - Hardware Features

AP Cluster Network Architecture

Scale

Limited to 16 AP1101 in a cluster

256 concurrent clients

16 WLANs (SSID)

Virtual Controller Architecture

Decentralized, Self Organizing System

Primary and Secondary Virtual Controller

Centralized Configuration & Monitoring Portal

Centralized Image Management

Mobility

Same L2 Domain with firewall and authentication state synchronization

Alcatel-Lucent Instant Technology

Over-the-air provisioning

Wizard driven setup: 5 minute WLAN configuration

Virtual Controller: virtual controller technology

AOS OMNISWITCH MANAGEMENT

OMNISWITCH AOS R6

Module Objectives

You will learn about:

Logging Into The Switch

Managing Files/Directories

If you want to know more:

Upgrading Software version

User Accounts

AAA Authentication

Role based management

AOS

Management Tools

Accessing the switch may be done locally or remotely

Management tools include:

CLI - May be accessed locally via the console port, or remotely via Telnet

Webview - which requires an HTTP client (browser) on a remote workstation

SNMP - which requires an SNMP manager (such as Alcatel-Lucent’s OmniVista or HP OpenView) on the remote workstation

Secure Shell - Available using the Secure Shell interface

FTP - File transfers can be done via FTP or Secure Shell FTP

TFTP - File transfers can be done via TFTP

USB device - Disaster recovery, Upload/download image files

User Accounts

Admin and Default

Default user account

Admin

Full privileges

By default, access only allowed through console port

Cannot be modified except for password

Default password is ‘switch’

Ability to create new users with full or limited access rights

For more information, go to the next section “If you want to know more”

AOS File System

Flash Memory File System

Provides storage for system and configuration files

2 versions are present on the flash, the working and the certified

*.img files stored in both working and certified directories

Configuration rollback

Based on the working and certified directories

Applies to system files and configuration file

A certified version (SW + conf) will be used as a backup when dealing with any changes (modification, upgrades, …)

[Figure: Flash Directory layout. The flash directory holds the Working Directory and the Certified Directory (each with Jsecu.img, Jbase.img, Jeni.img and Jos.img), together with Swlog1.log, Swlog2.log, Boot.params, network and switch]

IF YOU WANT TO KNOW MORE

MANAGING FILES/DIRECTORIES

AOS

R6

System Boot Sequence

BootROM

Boot Sequence (Recalls)

Bootstrap Basic Operation

Initializes Hardware

Performs memory diagnostics

Selects the right MiniBoot

Copy & execute MiniBoot

MiniBoot Basic Operation

Initializes basic kernel

Selection of image

Based on boot.params

Copy & load the OS

The image contains its own copy of the kernel specific to the SW version

[Figure: boot sequence, steps 1 to 5. Flash holds MiniBoot and boot.params in the root directory and kernel.lnk from the OS package in the /working and /certified directories; MiniBoot and then the production kernel are loaded into RAM]

System Boot Sequence

Working and Certified directories are identical

[Figure: the Working Directory and the Certified Directory each hold base.img, secu.img, eni.img, os.img and boot.cfg]

Working and Certified contents are identical

The switch runs from working

System Boot Sequence

Working and Certified directories are different

[Figure: the Working Directory and the Certified Directory each hold base.img, secu.img, eni.img, os.img and boot.cfg]

Working and Certified contents are different

The switch runs from certified

System Boot Sequence

Working and Certified directories are different

Copying Running config to Working Directory (boot.cfg) and Certifying Working Directory

[Figure: 6350-10 with its running configuration, and boot.cfg in the Working and Certified directories]

1. Switch will run from Certified

2. Rebooting from working directory

-> reload working no rollback-timeout

3. If changes are made to the running config, they are saved to the working directory

-> copy running-config working

4. Then the contents of working and certified are made identical

-> copy working certified

---> Now running config matches working and certified matches working

OmniSwitch

Software System Architecture

-> show running-directory

CONFIGURATION STATUS

Running CMM : PRIMARY,

CMM Mode : DUAL CMMs,

Current CMM Slot : A

Running configuration : WORKING,

Certify/Restore Status : CERTIFIED

SYNCHRONIZATION STATUS

Flash Between CMMs : SYNCHRONIZED,

Running Configuration : SYNCHRONIZED,

NIs Reload On Takeover : NONE

[Figure: Flash Directory layout. The flash directory holds the Working Directory and the Certified Directory (each with secu.img, base.img, eni.img and os.img), together with Swlog1.log, Swlog2.log, Boot.params, network and switch]

System Commands

Directory Commands include:

pwd - display current directory

cd – change directory

dir – list directory contents

mkdir – create new directory

rmdir – remove existing directory

File Commands include:

ls – list directory content

cp – copy a file

mv – move a file

vi – invoke editor

rm – remove a file

Utility Commands include:

freespace – displays the amount of free file system memory

fsck – performs file system check

Managing Files and Directories

Upgrading/Registering Switch Software

File transfer available using

FTP

Secure FTP

TFTP

Zmodem

USB

The switch acts as

FTP Server

FTP/TFTP client

By default, an FTP session connects to the ‘working’ directory

CLI

WebView

OmniVista

Managing Files

FTP/TFTP Upgrading/Registering Switch Software

FTP Server

WebView

-> ftp {host_name | ip_address}

-> sftp {host_name | ip_address}

-> tftp {host_name | ip_address} {get | put} source-file [src_path/]src_file [destination-file [dest_path/] dest_file] [ascii]

USB support

Disaster recovery (requires miniboot-uboot upgrade and special directory structure in the drive to store image files)

Upload/download image files

Upload/download configuration files

USB support is disabled by default

Only this USB device will be supported and guaranteed to function correctly

Any file management operation is supported including recursive operations

-> usb enable
-> /uflash Bulk device is created
Node ID 0x2
LUN #0
Vendor Info : PIXIKA
Product ID : USB Flash Drive
Product Revision : 4.00
Number of Blocks : 509695
Bytes per Block : 512
Total Capacity : 260963840

TUE MAR 09 15:09:21 : SYSTEM (75) alert message:
+++ USB Bulk Device mounted at 12 Mbps.

-> usb disable
TUE MAR 09 15:13:12 : SYSTEM (75) alert message:
+++ Device /uflash removed and uninstalled from FS

-> show usb statistics
USB: Enabled
USB auto-copy: Disabled
USB disaster-recovery: Enabled
Node ID 0x2
LUN #0
Vendor Info : PIXIKA
Product ID : USB Flash Drive
Product Revision : 4.00
Number of Blocks : 509695
Bytes per Block : 512
Total Capacity : 260963840

USB Flash Drive Management

Disaster-recovery

Switch configured to boot from the USB flash device

-> usb enable

-> usb disaster-recovery enable

Create a directory named xxxx/certified* on the USB flash drive with all the proper image files

Copy all of the files from the /uflash//certified directory to the certified directory on /flash

Connect the USB flash drive to the CMM; the flash will be reformatted and the images will be copied to the /flash/certified directory of the CMM and the switch will reboot from the certified direct

* xxxx= 6350 - switch model

USB Flash Drive Management

Auto-copy

Upgrades the image files from the USB device to the /flash/working directory

Create a file named aossignature in the root of the USB flash drive

Create a directory named xxxx/working* on the USB flash drive with all the proper image files

Run

-> usb enable

-> usb auto-copy enable

Connect the USB flash drive to the CMM; the images will be validated and copied to the /flash/working directory of the CMM and the switch will reboot from the working directory applying the code upgrade

* xxxx= 6350 - switch model
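Because an auto-copy drive upgrades and reboots the switch as soon as it is connected, it is worth checking the drive on a workstation first. The following is an added example, not part of the original guide: it checks the layout described above (an aossignature file in the root and a 6350/working directory) and records SHA-256 digests of the images. The required and optional image names are taken from the OS Package list in this guide and are an assumption about what "all the proper image files" means for a given release; the function names are hypothetical.

```python
import hashlib
import os

# Assumption: image names from the guide's "OS Package" list; override per release.
REQUIRED_IMAGES = ("KF3base.img", "KF3eni.img", "KF3os.img")
OPTIONAL_IMAGES = ("KF3secu.img",)  # listed in the guide as optional security


def check_autocopy_layout(usb_root, model="6350",
                          required=REQUIRED_IMAGES, optional=OPTIONAL_IMAGES):
    """Return a list of problems found on a prepared auto-copy drive."""
    problems = []
    if not os.path.isfile(os.path.join(usb_root, "aossignature")):
        problems.append("missing aossignature file in the root of the drive")
    working = os.path.join(usb_root, model, "working")
    if not os.path.isdir(working):
        problems.append(f"missing directory {model}/working")
        return problems
    for name in required:
        path = os.path.join(working, name)
        if not os.path.isfile(path):
            problems.append(f"missing image {model}/working/{name}")
        elif os.path.getsize(path) == 0:
            problems.append(f"empty image {model}/working/{name}")
    allowed = set(required) | set(optional)
    for name in sorted(os.listdir(working)):
        # Anything not on the expected list would also be copied to the switch.
        if name not in allowed:
            problems.append(f"unexpected file {model}/working/{name}")
    return problems


def image_digests(usb_root, model="6350"):
    """SHA-256 of each *.img in <model>/working, to compare with the digests
    recorded when the images were obtained."""
    working = os.path.join(usb_root, model, "working")
    digests = {}
    for name in sorted(os.listdir(working)):
        if not name.endswith(".img"):
            continue
        h = hashlib.sha256()
        with open(os.path.join(working, name), "rb") as fh:
            for block in iter(lambda: fh.read(65536), b""):
                h.update(block)
        digests[name] = h.hexdigest()
    return digests


def build_sample_drive(usb_root, model="6350"):
    """Create a constructed sample drive (dummy image bytes) for a dry run."""
    os.makedirs(os.path.join(usb_root, model, "working"), exist_ok=True)
    open(os.path.join(usb_root, "aossignature"), "w").close()
    for name in REQUIRED_IMAGES + OPTIONAL_IMAGES:
        with open(os.path.join(usb_root, model, "working", name), "wb") as fh:
            fh.write(b"constructed sample image " + name.encode())


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as drive:
        print("empty drive:", check_autocopy_layout(drive))
        build_sample_drive(drive)
        print("prepared drive:", check_autocopy_layout(drive))
        for name, digest in image_digests(drive).items():
            print(f"{digest}  {name}")
```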

Managing Files and Directories

Upgrading Switch Software

Transfer new image files to the /flash/working directory

Use methods previously discussed

OS Package

KF3base.img Base Software

KF3eni.img Base Software NI image for all Ethernet-type NIs

KF3os.img Base Software Operating System

KF3secu.img Optional Security (AVLANS)

-> reload working no rollback-timeout

-> copy working certified

[Figure: Flash Directory layout. The flash directory holds the Working Directory and the Certified Directory (each with secu.img, base.img, eni.img and os.img), together with Swlog1.log, Swlog2.log, Boot.params, network and switch]

Managing Files

Upgrading/Monitoring Switch Software

-> show microcode [working | certified | loaded]

-> show microcode
Package           Release         Size      Description
-----------------+---------------+--------+-----------------------------------
Kbase.img         6.4.5.402.R02   20599723  Alcatel-Lucent Base Software
Kadvrout.img      6.4.5.402.R02   2991820   Alcatel-Lucent Advanced Routing
K2os.img          6.4.5.402.R02   1965391   Alcatel-Lucent OS
Keni.img          6.4.5.402.R02   6093065   Alcatel-Lucent NI software
Ksecu.img         6.4.5.402.R02   649040    Alcatel-Lucent Security Management
Kencrypt.img      6.4.5.402.R02   3437      Alcatel-Lucent Encryption Management

sw5 (OS6450-A) -> show microcode
Package           Release         Size      Description
-----------------+---------------+--------+-----------------------------------
KF3base.img       6.7.1.146.R01   17108875  Alcatel-Lucent Base Software
KFos.img          6.7.1.146.R01   2604933   Alcatel-Lucent OS
KFeni.img         6.7.1.146.R01   5880634   Alcatel-Lucent NI software
KFsecu.img        6.7.1.146.R01   614320    Alcatel-Lucent Security Management
KFdiag.img        6.7.1.146.R01   2411898   Alcatel-Lucent Diagnostic Software

CONFIGURATION METHODS

Configuration Methods - Command Line Interface

Command Line Interface

Online configuration via real-time sessions using CLI commands

Console or Telnet

Offline configuration using text file holding CLI commands

Transfer to switch at a later time

Snapshot feature captures switch configurations in a text file

configuration snapshot feature_list [path/filename]

configuration apply filename

show configuration snapshot [feature_list]

Command Line Interface - Options

Command Line Editing

Use ‘!!’, arrow, delete, insert keys to recall and modify previous commands

Command Prefix Recognition

Remembers command prefixes to reduce typing

CLI Prompt Option

Modify the CLI prompt

Command Help

Use ‘?’ to display possible parameters

Keyword Completion

Use <TAB> key to auto complete keywords

Command History (up to 30 commands)

Display a list of previously entered commands

Command Logging (up to 100 commands; detailed information)

Logs command and results of the command entered

Syntax Error Display

Displays indicators showing what is wrong and where in the command

Alias Command Option

Substitute text for CLI command

More Command

Set the number of displayed lines

Command Line Interface - Basic Management Commands

-> show running-directory

-> write memory

-> copy working certified

-> copy flash-synchro

-> reload working no rollback-timeout

-> reload primary at 08:43 july 24

Confirm delayed reload (Y/N): y

-> show configuration snapshot all

-> show ip interface

-> show vlan

….

Ethernet Ports - CLI Setting Port Options

-> interfaces slot[/port[-port2]] speed {auto | 10 | 100 | 1000 | 10000 | max {100 | 1000}}

-> interfaces slot[/port] mode {uplink | stacking}
-> interfaces slot[/port[-port2]] autoneg {enable | disable | on | off}
-> interfaces slot[/port[-port2]] crossover {auto | mdix | mdi}
-> interfaces slot[/port[-port2]] pause {tx | rx | tx-and-rx | disable}
-> interfaces slot[/port[-port2]] duplex {full | half | auto}
-> interfaces slot[/port[-port2]] admin {up | down}
-> interfaces slot/port alias description
-> interfaces slot[/port[-port2]] no l2 statistics [cli]
-> interfaces slot[/port[-port2]] max frame bytes
-> interfaces slot[/port[-port2]] flood multicast {enable | disable}
-> interfaces slot[/port[-port2]] flood [broadcast | multicast | unknown-unicast|all] [enable | disable]
-> interfaces violation-recovery-time
-> interfaces violation-recovery-trap
-> interfaces clear-violation-all

Port parameters setting

• Ethernet Ports: Fixed 10/100/1000BaseT

• SFP Ports: SFP connectors for 100/1000 Base-X SFP connectors

• Combo Ports: Combo RJ45/SFP connectors for 10/100/1000BaseT or 1000Base-X

• XFP Ports: 10 Gbps Small Form Factor Pluggable (XFP) transceivers

• SFP+ Ports: 10 Gbps Small Form Factor Pluggable Plus (SFP+) transceivers

Ethernet Ports - CLI Monitoring

-> show interfaces
-> show interfaces capability
-> show interfaces flow control
-> show interfaces pause
-> show interfaces e2e-flow-vlan
-> show interfaces accounting
-> show interfaces counters
-> show interfaces counters errors
-> show interfaces collisions
-> show interfaces status
-> show interfaces port
-> show interfaces ifg
-> show interfaces flood rate
-> show interfaces traffic
-> show interfaces transceiver

-> show interfaces port
Slot/  Admin      Link      Violations  Alias
Port   Status     Status
-----+----------+---------+----------+-------------
1/1    enable     down      none        " sales "
1/2    enable     down      none        " sales "
1/3    enable     down      none        " sales "
1/4    enable     down      none        " sales "
1/5    enable     down      none        " sales "
1/6    enable     down      none        " sales "
1/7    enable     down      none        " sales "
1/8    enable     down      none        " sales "
….
….

-> show interfaces 1/10
Slot/Port 1/10 :
Operational Status : up,
Last Time Link Changed : TUE NOV 22 12:19:52 ,
Number of Status Change: 1,
Type : Ethernet,
SFP/XFP : Not Present,
MAC address : 00:e0:b1:c5:3a:0b,
BandWidth (Megabits) : 1000, Duplex : Full,
Autonegotiation : 1 [ 1000-F 100-F 100-H 10-F 10-H ],
Long Frame Size(Bytes) : 9216,
Rx :
Bytes Received : 233117328, Unicast Frames : 51104,
Broadcast Frames: 22156, M-cast Frames : 3542048,
UnderSize Frames: 0, OverSize Frames: 0,
Lost Frames : 0, Error Frames : 0,
CRC Error Frames: 0, Alignments Err : 0,
Tx :
Bytes Xmitted : 14720188, Unicast Frames : 12,
Broadcast Frames: 1870, M-cast Frames : 227257,
UnderSize Frames: 0, OverSize Frames: 0,
Lost Frames : 0, Collided Frames: 0,
Error Frames : 0

-> show interfaces 1/10 capability
Slot/Port    AutoNeg   Flow     Crossover   Speed      Duplex
-----------+---------+--------+-----------+----------+----------
1/10 CAP     EN/DIS    EN/DIS   MDI/X/Auto  10/100/1G  Full/Half
1/10 DEF     EN        DIS      Auto        Auto       Auto

Pre-Banner Text

Provides ability to display custom message before user login

Any text stored in pre_banner.txt file in /flash directory will be displayed before login prompt

Ex.

Please supply your user name and password at the prompts.

login : user123

password :*****

WebView

Monitoring and configuring the switch by using WebView

Embedded in switch software

Supports the following web browsers

Internet Explorer 6.0 and later for Windows NT, 2000, XP, 2003

Firefox 2.0 for Windows and Solaris SunOS 5.10

WebView configuration

-> ip http server or https server – Enables the WebView Application (default)

-> ip http ssl or https ssl – Forces ssl connection between browser and switch (default=disabled)

-> ip http port or https port - Changes the port number for the embedded Web server

-> aaa authentication http local – checks the local database for http authentication

-> show ip http
Web Management = on
Web Management Force SSL = off
Web Management Http Port = 80
Web Management Https Port = 443

WebView – Login

Chassis Home Page

WebView Home Page

Help page layout

ACCESS METHODS AND USER ACCOUNTS

Access Methods

Specifications

The switch may be set up to allow or deny access through any of the available management interfaces

Console, Telnet, HTTP, HTTPS, FTP, Secure Shell, and SNMP

Configured through the Authenticated Switch Access (ASA) feature

Authentication and authorization

Local or external database

Switch Security Specifications

Telnet - 4 concurrent sessions

FTP - 4 concurrent sessions

HTTP - 4 concurrent sessions

SSH + SFTP - 8 concurrent sessions

Total sessions (Secure Shell, Telnet, FTP, HTTP, and console) - 20

SNMP - 50 concurrent sessions

User Accounts

Role Based Management – Account creation

-> user username [password password] [expiration {day | date}] [read-only | read-write [families... |domains...| all | none]] [no snmp | no auth | sha | md5 | sha+des | md5+des] [end-user profile name] [console-only {enable | disable}]

-> no user username

“admin” user restriction to console only

-> user admin console-only {enable | disable}

Minimum password length

-> user password-size min 10

Password expiration

-> user password-expiration 5 (Expires in 5 days for all users)

-> user user1 password userpass expiration 5 (Specific user)

-> user user1 password userpass expiration 12/01/2016 15:30

OMNIACCESS WLAN - OMNISWITCH

Contents

1 Objective

2 Equipment/Software required

3 Supported Platforms

4 Lab Steps

Labs Overview

1 Objective

The objective of the following labs is to be able to configure an OmniSwitch 6350-10 with an AP 1101 which contains three SSIDs: Employee, Guest and Voice.

To do that, you will have to configure the needed VLANs on the switch with the proper gateways and activate Power over Ethernet.

On the AP, you will have to configure the three SSIDs.

2 Equipment/Software required

One OmniSwitch 6350-P10

One AP 1101

One or Two Laptops or PCs

3 Supported Platforms

All – 6350-P10 in these labs

4 Lab Steps

To reach the objective, we are going to use the following diagram:

[Diagram: OS 6350-P10 with Client PC1 on Port 1/1, AP 1101 on Port 1/3 and the Admin Console PC on the Console Port]

We will also use the following table as reference for the VLANs:

VLAN Name   VLAN ID   IP Address Pool    Gateway
IAP         11        192.168.11.0/24    192.168.11.1
Employee    12        192.168.12.0/24    192.168.12.1
Guest       13        192.168.13.0/24    192.168.13.1
Voice       14        192.168.14.0/24    192.168.14.1

The different steps to reach the objective are as follows:

LAB1 OmniSwitch Overview (optional)

This lab helps people who do not have any experience with OmniSwitches to discover the command line interface through basic commands and to discover the redundant architecture of the AOS (Alcatel-Lucent Operating System) using the Working and Certified directories.

LAB2 Configure VLANs and gateways on the switch

The first step will be to configure the needed VLANs on the switch. In this lab, we will see how to create multiple VLANs and how to put some ports into the different VLANs.

LAB3 Configure AP

The last step consists in configuring the different SSIDs on the AP. We will use the web-based interface of the AP to do so.

OMNISWITCH ACCESS

CONFIGURATION AND MANAGEMENT

Overview – Necessary Knowledge

How to

familiarize you with the code, WORKING and CERTIFIED directories, image files, USB drive support, GUI interface and user access rights

Contents

1 Lab Steps
1.1. Gathering Switch Information
1.2. Ethernet Port Configuration

2 Working/certified Directories
2.1. Working/CERTIFIED Directory
2.2. Summary

3 Operating System
3.1. Lab Steps

4 Annexes – If you want to know more

5 USB Flash Drive
5.1. Lab Steps

6 Web View Remote Access
6.1. Lab Steps
6.2. Secure Socket Layer

7 Switch Security Access
7.1. Lab Steps
7.2. Creating/Deleting Users
7.3. Partition Management
7.4. Summary

Hardware Information and Operation

It’s important to determine code versions and serial numbers of the switch. These can be helpful for troubleshooting when dealing with customer support or for upgrading switch hardware and software.

1 Lab Steps

The following will show you how to gather code and module information on a switch.

1.1. Gathering Switch Information

Enter the following commands to gather basic switch information about hardware and software.

Type the following:

-> show hardware info – Information on CPU, Memory, Miniboot.

-> show microcode – Code descriptions and versions.

-> show chassis – Chassis type and part numbers.

-> show cmm – Processor and fabric board information.

-> show ni – Networking interface information.

-> show power – Power supply information.

-> show fan – Fan information.

-> show temperature – Temperature and temperature threshold.

-> show health – Health statistics.

The commands listed above will tell you the version of code running on the switch as well as revision level and serial numbers for the modules, power supplies and fans.

[Diagram: Admin Console PC connected to the Console Port of the OS 6350-10]

1.2. Ethernet Port Configuration

You can allow Ethernet ports to auto-negotiate the speed and duplex, or you can manually set them. Enter the following commands to change and view the configuration of the Ethernet ports as well as gather frame statistics and error counts:

Enter:

-> show interfaces slot/port – Tells whether the port is active or not as well as traffic statistics.

-> interfaces slot/port duplex [half,full,auto] – Sets the duplex mode.

-> interfaces slot/port speed [10,100,1000,auto] – Sets the speed.

-> interfaces slot/port admin [up,down] – Enable or disable a port.

-> show interfaces status – Display line interface settings.

-> show interfaces slot/port accounting – Gather frame statistics.

-> show interfaces slot/port counters – Gather error and frame counts.

Use ‘?’ to experiment with other interface commands

2 Working/certified Directories

An OmniSwitch provides the user with the ability to keep two separate configurations stored on the switch. These configurations are stored in the WORKING and CERTIFIED directories. The switch can boot from either configuration.

2.1. Working/CERTIFIED Directory

Ensure that there is a console connection to the switch, open your communication software such as HyperTerminal or ProComm and power cycle the switch.

Default Com Settings:

BPS – 9600
Data Bits – 8
Parity – None
Stop Bits – 1
Flow Control – None

Watch as the switch boots, take note of the various messages that scroll across the screen as well as which directory the switch is booting from. Once prompted, log in to the switch.

Type the following:

login: admin
password: switch

-> exit
login: admin
password: switch

-> show system

After logging back in, check to see which directory the switch booted from. It will show either CERTIFIED or WORKING. The switch boots from the CERTIFIED directory when the configurations in the WORKING and CERTIFIED directories differ. If the configurations are identical, including code and the boot.cfg file, it will boot from WORKING; this is shown under ‘Running Configuration’.

Type the following:

-> show running-directory
CONFIGURATION STATUS
Running CMM : PRIMARY,
CMM Mode : DUAL CMMs,
Current CMM Slot : A,
Running configuration : WORKING,
Certify/Restore Status : CERTIFIED
SYNCHRONIZATION STATUS
Flash Between CMMs : NOT SYNCHRONIZED,
Running Configuration : NOT SYNCHRONIZED,
NIs Reload On Takeover : ALL NIs (RUNNING Directories OUT-OF-SYNC)

Now let’s check to see what version of code is running on the switch as well as what files are stored in both the WORKING and CERTIFIED directories. These topics will be discussed in more detail in a later lab.

Type the following:

-> show running-directory
-> ls /flash/working
-> ls /flash/certified

The switch can be forced to boot from the WORKING directory even if the configurations are different. If changes were made, but not saved, you will be prompted to confirm the reboot.

Type the following (on Release 6 switches):

-> reload working no rollback-timeout
Confirm Activate (Y/N) : y

This will reboot the switch, but it will now boot from the WORKING directory. The ‘no rollback’ parameter tells the switch to continue running under the WORKING directory permanently rather than rebooting after a specified amount of time.

Once the switch boots, verify that it booted from the WORKING directory.

Type the following:

-> show running-directory
CONFIGURATION STATUS
Running CMM : PRIMARY,
CMM Mode : DUAL CMMs,
Current CMM Slot : A,
Running configuration : WORKING,
Certify/Restore Status : CERTIFIED
SYNCHRONIZATION STATUS
Flash Between CMMs : NOT SYNCHRONIZED,
Running Configuration : NOT SYNCHRONIZED,
NIs Reload On Takeover : ALL NIs (RUNNING Directories OUT-OF-SYNC)

To see what version of code is running, type:

-> show microcode

Make note of the version of code you are running (e.g. – 6.7.1.X. RX) - where X represents a minor code revision and release number. Note that older switch code versions will be different but still within the R6 code version stream.

2.2. Summary

The WORKING and CERTIFIED directories provide the opportunity to have two different configurations or versions of code on the switch. The CERTIFIED version can be used as a backup to the WORKING directory. These two directories will be discussed in more detail in a later lab.
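The check performed by hand in section 2.1 can be scripted when console output is collected from several switches. The following is an added example, not part of the original guide: it parses `show running-directory` output in the format shown above and reports whether the switch fell back to CERTIFIED or still needs certifying. The function names are hypothetical, and the second sample is constructed; its "CERTIFY NEEDED" wording is an assumption, and the code only tests whether the status equals CERTIFIED.

```python
import re

SECTIONS = ("CONFIGURATION STATUS", "SYNCHRONIZATION STATUS")

# Output as shown in the lab above, one field per line.
SAMPLE_LAB = """\
-> show running-directory
CONFIGURATION STATUS
Running CMM : PRIMARY,
CMM Mode : DUAL CMMs,
Current CMM Slot : A,
Running configuration : WORKING,
Certify/Restore Status : CERTIFIED
SYNCHRONIZATION STATUS
Flash Between CMMs : NOT SYNCHRONIZED,
Running Configuration : NOT SYNCHRONIZED,
NIs Reload On Takeover : ALL NIs (RUNNING Directories OUT-OF-SYNC)
"""

# Constructed sample: a switch that booted from CERTIFIED after uncertified changes.
SAMPLE_FALLBACK = """\
CONFIGURATION STATUS
Running CMM : PRIMARY,
Running configuration : CERTIFIED,
Certify/Restore Status : CERTIFY NEEDED
SYNCHRONIZATION STATUS
Flash Between CMMs : SYNCHRONIZED,
Running Configuration : SYNCHRONIZED,
NIs Reload On Takeover : NONE
"""


def parse_running_directory(text):
    """Return {section: {field: value}}.

    Fields are kept per section because "Running configuration" (directory in
    use) and "Running Configuration" (sync state) differ only in case.
    Works on multi-line output and on output flattened onto one line.
    """
    heading_re = "(" + "|".join(re.escape(s) for s in SECTIONS) + ")"
    parts = re.split(heading_re, text)
    parsed = {}
    # parts = [text before first heading, heading, body, heading, body, ...]
    for heading, body in zip(parts[1::2], parts[2::2]):
        fields = {}
        for chunk in re.split(r",\s*|\n", body):
            if ":" in chunk:
                key, value = chunk.split(":", 1)
                fields[key.strip()] = value.strip()
        parsed[heading] = fields
    return parsed


def assess(parsed):
    """Return findings an operator should act on before making changes."""
    findings = []
    cfg = parsed.get("CONFIGURATION STATUS", {})
    sync = parsed.get("SYNCHRONIZATION STATUS", {})
    running = cfg.get("Running configuration", "").upper()
    if running == "CERTIFIED":
        findings.append("running from the CERTIFIED directory: WORKING and "
                        "CERTIFIED differed at boot; review WORKING, then "
                        "'reload working no rollback-timeout'")
    elif running != "WORKING":
        findings.append(f"unrecognised running directory: {running!r}")
    if cfg.get("Certify/Restore Status", "").upper() != "CERTIFIED":
        findings.append("WORKING is not certified: there is no matching "
                        "backup until 'copy working certified' is run")
    for field in ("Flash Between CMMs", "Running Configuration"):
        value = sync.get(field)
        if value is not None and value.upper() != "SYNCHRONIZED":
            findings.append(f"{field}: {value}")
    return findings


if __name__ == "__main__":
    for name, sample in (("lab", SAMPLE_LAB), ("fallback", SAMPLE_FALLBACK)):
        print(name)
        for finding in assess(parse_running_directory(sample)):
            print("  -", finding)
```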


3 Operating System

An OmniSwitch provides the user with the ability to keep two separate configurations stored on the switch. These configurations are stored in the WORKING and CERTIFIED directories. The switch can boot from either configuration.

3.1. Lab Steps

This lab will introduce the commands necessary to navigate the directory structure of the switch. It also introduces the CLI and its line-editing feature, as well as saving and applying configuration files.

The switch can be configured using SNMP, WebView or the CLI. In this section, we’ll concentrate on the CLI, its syntax, and its line-editing feature. The CLI gives you the ability to search for parameters if the complete command is not known as well as recall and edit previous commands.

Using ‘?’

A ‘?’ can be used to get a list of possible commands. Additionally, a question mark can be entered after a command is started to get a list of available parameters.

Type the following:

login: admin
password: switch

-> ?
-> vlan ?

Notice the list of options available with the vlan command. Experiment with this for some other commands such as ‘show?’, ‘aaa?’, or ‘copy?’; this can be a useful feature when you are unsure of the entire command.

Also, entering a ‘?’ after a letter or string of letters will list all commands that begin with that string.

Type the following:

-> po?

- Using <TAB>

Abbreviated commands are not allowed; however, pressing the <TAB> key automatically completes a partial command.

Type the following:

-> sh<TAB> vl<TAB>

- CLI Line Editor and History

Some additional capabilities of the CLI are to display the last command entered, modify commands, scroll through previous commands, and to re-enter a specific previously entered command.

Display the previous command

Type the following:

-> !!

You can now modify the command as necessary. Additionally, you can use the arrow keys to scroll through previous commands.

You can also display a list of previously entered commands, copy one of those commands to the CLI, modify it if needed, and re-enter it.

Type the following:

-> show history
-> !# (‘#’ = command number)

You now have the ability to edit the command as needed and re-enter it.

You can also bring up the last command that begins with a given prefix. To bring up the last command entered that begins with ‘show’, enter:

-> !show

- Directory Structure

It is important to understand the directory structure of an OmniSwitch. Different directories store different configurations on the switch. There are two main directories, flash/Working and flash/Certified. Each contains a configuration for the switch. The switch uses basic UNIX commands to create, delete, move and copy files and directories.

pwd – show current directory.

cd – change directory.

mkdir – create a new directory.

ls – list contents of a directory.

dir – list contents of a directory.

mv – move a file.

cp – copy a file.

rm – remove a file.

Type the following:

-> ls
-> pwd
-> cd /flash/working
-> ls -l (view file date/times including boot.cfg)
-> pwd
-> cd ..
-> cd certified
-> pwd
-> cd /flash
-> pwd

Note: Be careful not to move or delete any important files.

- Configuration Basics

There are three different versions of a configuration on an OmniSwitch: the Working, Certified, and Running versions. When the switch boots, it will boot from either the WORKING or CERTIFIED directory, depending on the switch configuration. Once it boots from one of these directories, that configuration becomes the Running Configuration.

- Running Configuration

Let’s create three new VLANs numbered VLAN 2, VLAN 3, and VLAN 99.

Type the following:

-> vlan 2
-> vlan 3
-> vlan 99
-> show vlan

[Do you remember the shortcut using the <tab> key?]

The above commands created three VLANs with their respective numbers. Entering the commands makes changes to the Running Configuration. The changes take effect immediately, but have not been written permanently. To demonstrate this, reboot the switch.

Type the following :

-> reload working no rollback-timeout

When the switch reboots, login and check to see which VLANs have been created.

Type the following:

-> show vlan

Notice that the VLANs do not exist. This is because the changes were made to the Running Configuration, but not saved. Let’s do the same again, but this time we’ll save the changes to the WORKING directory.

- Working Directory

The WORKING directory is a directory on the switch where the configuration file and code are stored. This directory can be read when the switch boots and the configuration stored in the boot.cfg file will be applied.

Re-type the following:

-> vlan 2
-> vlan 3
-> vlan 99
-> show vlan

The configuration file the switch reads upon boot is called boot.cfg. The boot.cfg file can exist in either the WORKING or CERTIFIED directory.

Type the following:

-> write memory
File /flash/working/boot.cfg replaced.
This file may be overwritten if "takeover" is executed before "certify"

The command above writes the running configuration to the boot.cfg file in the WORKING directory. Now, if the switch is rebooted from the WORKING directory, the configuration will be retained. Let’s reboot the switch, giving it the command to reboot from the configuration stored in the WORKING directory.

Type the following:

-> reload working no rollback-timeout

When the switch reboots, log in and type the command to view the VLANs.

Type the following:

-> show vlan

Notice the VLANs are still there since they were saved to the boot.cfg file in the WORKING directory and the switch booted from the WORKING directory.

The boot.cfg file contains the switch configuration that gets read when the switch boots; we will view this file in the next section. By using the parameter ‘no rollback-timeout’ with the reload command, the switch will permanently run with that configuration. The ‘rollback-timeout’ parameter could be used to have the switch automatically reboot after a specified amount of time. The following command will cause the switch to reboot to the WORKING directory, then after 1 minute, reboot again.

-> reload working rollback-timeout 1

- Certified Directory

Recall that the CERTIFIED directory can be used to store a backup configuration on the switch. When the switch boots, it compares the configurations in the WORKING and CERTIFIED directories: if they are the same, it boots from the WORKING directory; if they differ, it boots from the CERTIFIED directory. Let’s reboot the switch without telling it specifically to boot from the WORKING directory.

Enter:

-> reload

When the switch reboots, check for the VLANs.

Enter:

-> show vlan

Notice they are gone. This is because the switch booted from the CERTIFIED directory. Enter the command to show what directory the switch booted from.

Enter:

-> show running-directory

The switch booted from the CERTIFIED directory because the changes saved to the WORKING directory have not been saved to the CERTIFIED directory, causing the two directories to be different.

Changes cannot be written directly to the CERTIFIED directory; they can only be copied to the CERTIFIED directory from the WORKING directory. Let’s reboot the switch from the WORKING directory once again.

Enter:

-> reload working no rollback-timeout

When the switch reboots, log in and enter the command to see which directory the switch booted from, as well as the Certify/Restore status.

-> show running-directory

CONFIGURATION STATUS
  Running CMM : PRIMARY,
  CMM Mode : DUAL CMMs,
  Current CMM Slot : A,
  Running configuration : WORKING,
  Certify/Restore Status : CERTIFY NEEDED
SYNCHRONIZATION STATUS
  Flash Between CMMs : NOT SYNCHRONIZED,
  Running Configuration : NOT SYNCHRONIZED,
  NIs Reload On Takeover : ALL NIs (RUNNING Directories OUT-OF-SYNC)

Notice that the entry reads ‘CERTIFY NEEDED’. This indicates that the WORKING directory has not been copied to the CERTIFIED directory. Enter the command to copy the configuration in the WORKING directory to the CERTIFIED directory.

Enter:

-> copy working certified

The above command “certifies” the WORKING directory. You now have a backup configuration stored in the CERTIFIED directory. Enter the command to check the Certify/Restore status; notice it reads ‘CERTIFIED’.

-> show running-directory
CONFIGURATION STATUS
  Running CMM : PRIMARY,
  CMM Mode : DUAL CMMs,
  Current CMM Slot : A,
  Running configuration : WORKING,
  Certify/Restore Status : CERTIFIED
SYNCHRONIZATION STATUS
  Flash Between CMMs : NOT SYNCHRONIZED,
  Running Configuration : NOT SYNCHRONIZED,
  NIs Reload On Takeover : ALL NIs (RUNNING Directories OUT-OF-SYNC)

Note: The ‘copy working certified’ command should be used only after the configuration in the WORKING directory is known to be good (or valid).
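The WORKING/CERTIFIED behaviour walked through above can be checked from captured CLI output before a change window. The following is an added example, not part of the original course material: it parses `show running-directory` output and applies the boot rule stated in this lab. The sample text is constructed from the output shown above, and the function names are hypothetical.

```python
# Constructed sample, modelled on the `show running-directory` output in this lab.
SAMPLE = """\
CONFIGURATION STATUS
  Running CMM              : PRIMARY,
  CMM Mode                 : DUAL CMMs,
  Current CMM Slot         : A,
  Running configuration    : WORKING,
  Certify/Restore Status   : CERTIFY NEEDED
SYNCHRONIZATION STATUS
  Flash Between CMMs       : NOT SYNCHRONIZED,
  Running Configuration    : NOT SYNCHRONIZED,
  NIs Reload On Takeover   : ALL NIs (RUNNING Directories OUT-OF-SYNC)
"""


def parse_running_directory(text):
    """Return {section heading: {field: value}} from the command output."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            # A line without a colon is a section heading.
            current = sections.setdefault(line, {})
            continue
        if current is None:
            current = sections.setdefault("", {})
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip().rstrip(",").strip()
    return sections


def next_boot_directory(sections):
    """Directory a plain `reload` boots from, per the rule stated in this lab:
    WORKING when the two directories match, CERTIFIED when they differ."""
    status = sections.get("CONFIGURATION STATUS", {}).get("Certify/Restore Status")
    if status is None:
        return None
    return "WORKING" if status.upper() == "CERTIFIED" else "CERTIFIED"


def findings(sections):
    """List the conditions an operator should resolve before reloading."""
    cfg = sections.get("CONFIGURATION STATUS", {})
    running = cfg.get("Running configuration", "").upper()
    certify = cfg.get("Certify/Restore Status", "").upper()
    if not running or not certify:
        return ["unparsed: configuration status fields missing"]
    out = []
    if running == "CERTIFIED":
        out.append("running CERTIFIED: changes saved only to WORKING are not active")
    if certify != "CERTIFIED":
        out.append("certify needed: a plain 'reload' boots CERTIFIED "
                   "and the changes saved to WORKING will not be applied")
    return out


if __name__ == "__main__":
    parsed = parse_running_directory(SAMPLE)
    print("plain reload boots from:", next_boot_directory(parsed))
    for item in findings(parsed):
        print("-", item)
```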

- Snapshot / Text Based Configuration

The snapshot feature allows a text file to be created based on the current running configuration. This file can then be uploaded from the switch, manipulated, and applied to other switches.

The command “more” enables the more mode for your console screen display.

Type the following:

-> show configuration snapshot all
-> write terminal

The commands above list your current running configuration on the screen; either command can be used. You can also capture your configuration to a text file.

Type the following:

-> configuration snapshot all snapall

The above command creates a snapshot of the entire switch configuration and copies it to a file called snapall in the current directory.

Type the following:

-> view snapall

The above command will bring up the vi editor but allows you to only view the file. Notice the syntax of the ASCII file. Use the ‘j’ and ‘k’ keys to scroll up and down respectively.

Note: Entering ‘vi’ instead of ‘view’ will allow you to use the vi editor to edit the file.

Exit from viewing the snapshot file. If vi is used, ‘<esc> :q!’ exits the vi session.

Type the following:

-> :q

The ‘more’ command can be used as an alternative to view the file.

-> more snapall

It isn’t necessary to create a snapshot of the entire switch configuration. To create a snapshot of only the VLAN configuration enter the following.

Type the following:

-> vlan 5-7
-> show vlan
-> configuration snapshot vlan snapvlan

This will copy only the VLAN configuration to a file called snapvlan in the current directory. Additional options can be specified for creating snapshots. Enter the following to see the additional parameters and experiment with creating additional snapshots.

Enter:

-> configuration snapshot ?

A syntax check can be run on a configuration snapshot before it is applied.

Enter:

-> configuration syntax check snapvlan verbose

After running a syntax check, the snapshot can be applied to the switch. Let’s delete some existing VLANs and then reapply them using the VLAN snapshot.

Enter:

-> no vlan 5-7
-> show vlan

Notice the VLANs have been removed. Apply the VLAN snapshot saved earlier.

-> configuration apply snapvlan
-> show vlan

This will reapply the snapshot file used in the command and recreate VLANs 5, 6, and 7. This command can be used to apply a snapshot taken from another switch to help make configuration easier.

4 Annexes – If you want to know more

In this section, you will find optional labs.


5 USB Flash Drive

An Alcatel-Lucent certified USB flash drive can be connected to the CMM and used to transfer images to and from the flash memory on the switch. This can be used for upgrading switch code or backing up files. Automatic code upgrades and booting from the USB flash drive for disaster recovery purposes are also supported.

This lab introduces the use of the OmniSwitch USB port. For this lab, we will only demonstrate how to copy a file from the switch to the USB memory stick.

5.1. Lab Steps

You will need to plug a USB memory stick into the USB port of the OmniSwitch.

Then type the following commands on the OmniSwitch to mount the USB flash drive and transfer files. For this lab, we will only copy the configuration file (boot.cfg) from the switch to the USB flash drive.

-> usb enable
-> cp /flash/working/boot.cfg /uflash/boot.cfg

Then check that the file was transferred to your USB drive.

-> cd /uflash
-> ls

6 Web View Remote Access

By default, remote access is not allowed on an OmniSwitch. This is a security measure to prevent unauthorized access. In order to allow remote access, including Telnet and WebView (HTTP), the switch must be configured to allow it.

6.1. Lab Steps

Before beginning, reboot the switch from the WORKING directory. (Using your console connection)

Enter:

-> rm /flash/working/boot.cfg
-> reload working no rollback-timeout

When the switch reboots, save the configuration to the boot.cfg file.

Enter:

-> write memory
-> copy working certified

[Figure: OS 6350-10 lab setup, with labels "Port 1/1", "Console Port", "Admin Console PC" and "When ready to test WebView"]

Steps for connecting to a virtual IP address on the switch

Create a virtual router IP address for VLAN 1 with a class C netmask.

Enter:

-> ip interface VLAN1 address 10.0.1.1/24 vlan 1 (using your console connection)

If you do not have a second PC, move the connection from your PC to the Ethernet adapter and connect directly to port 1/1 of the switch. Change the settings on the PC Ethernet adapter to:

IP Address: 10.0.1.2

Netmask: 255.255.255.0

Def. Gateway: 10.0.1.1

If you do have a second PC available, perform the above on it and leave your console session connected as it was previously.

Ensure you have IP connectivity by pinging the switch via the PC attached to switch port 1/1. Once IP connectivity has been established, from your console connected PC enter the command to show the current status of Web Management.

Enter:

-> show http

Web Management = on
Web Management Force SSL = off
Web Management Http Port = 80
Web Management Https Port = 443

Bring up a web browser on the Ethernet connected PC, and enter the IP address of the switch (10.0.1.1) in the URL.

You should still not be able to access the switch. If your browser displays a message telling you that Web Management is disabled, enter the following to enable Web Management.

Enter:

-> ip http server

Now that Web Management has been enabled, try connecting again with a web browser, using admin and switch to log in. You still do not have the ability to log in and configure the switch with WebView.

You should receive a message indicating an invalid username and password was entered. Display the current AAA authentication settings.

Enter:

-> show aaa authentication

Under the HTTP section, it indicates that HTTP access is denied. By default, all remote access is denied. Let’s enable remote access.

Enter:

-> aaa authentication http local
-> show aaa authentication

This configures the switch to check the local database for HTTP logins. You could also have entered ‘aaa authentication default local’ to have it check the local database for all access methods such as FTP or TELNET. Take note of the various methods of access and their default values.

Attempt remote access via your browser again. You should now have access to the switch.

6.2. Secure Socket Layer

The Secure Socket Layer feature of WebView allows for secure access to the switch by encrypting the HTTP traffic between the web browser and the switch. Keep in mind that the switch is capable of handling SSL at any time. The following command forces SSL communication between the switch and browser; non-encrypted HTTP will not be accepted. The force-ssl option is enabled by default on R7 switches.

Enter:

-> ip http ssl

-> ip
-> show http
Web Management = off
Web Management Force SSL = on
Web Management Http Port = 80
Web Management Https Port = 443

Try connecting by using https://{IP Address} in your web browser. The communication is now encrypted using SSL.

Now, look around:

- Under Networking > IP (vertical options on left), roll over IP (along the horizontal at the top) and then click on Global. What are the IP Route Preferences?

- Under Networking > IP, roll over IP and Interfaces, then click on Configured.

- Under System > Interfaces, click on General. Make note of the MAC address of the port your PC is connected to. Also, take a look at Statistics (Input and Output).

7 Switch Security Access

This lab is designed to familiarize you with the switch security features of an OmniSwitch. With this feature, users with different access rights and configuration abilities can be created.

Security is an important element on an OmniSwitch. In this lab, we’ll discover how to create users and manipulate the read and write privileges on the switch.

7.1. Lab Steps

Before you begin this lab, remove the boot.cfg file in the working and certified directories, and type reload to set your switch back to factory defaults. [You may also need to remove userTable5 from the network directory.]

To view a list of users already created enter the following.

Enter:

-> show user

You should see at least 2 users: admin and default. Notice the read and write privileges for each user and domain, as well as the SNMP privileges.

Admin – Default user with full capability to configure the switch and create additional users.

Default – This account cannot be used to login to the switch. These privileges are applied to all new users created on the switch. By default, new users have no privileges; however the privileges of the default user can be modified if desired.

-> show user
User name = admin
  Password expiration = None,
  Read-Only for domains = None,
  Read/Write for domains = All,
  SNMP allowed = NO
User name = default
  Password expiration = None,
  Read-Only for domains = None,
  Read/Write for domains = None,
  Snmp Allowed = NO

As you can see, new users have no administrative rights by default. (In the next section we’ll see how to create new users and configure administrative rights for them).

7.2. Creating/Deleting Users


If the user accounts of userread and userwrite have already been created, then use the following commands to delete them before continuing.

Enter:

-> no user userread
-> no user userwrite
-> write memory

Next, we’ll create two new users called userread and userwrite, assign them passwords, and save the configuration.

Enter:

-> user userread password userread

(You have created a new user, but they can’t do anything yet. You don’t have privileges because the default user privileges get assigned to all new users, and the default user has no privileges. If you do not set the privilege for a user, that user will not even be able to login).

-> user userread read-only ip
-> user userwrite password userwrite
-> user userwrite read-write ip
-> write memory

You will now log back in with either of these users. Then attempt to enter four commands (show vlan, show ip interface, ip interface…, and reload).

Enter:

-> exit
login: userread
password: ********
-> show vlan
-> show ip interface
-> ip interface vlan-1-20 address 192.168.20.1/24 vlan 1
-> reload

Which of these four commands worked? Try running various commands to see what access your privileges have given you.

-> show vlan
ERROR: Authorization failed. No functional privileges on this command

Login as userwrite and attempt the same three commands. What have you learned?

Now, log back in under the admin account and enter the command to see the new users.

Enter:

-> exit
login: admin
password: *****
-> show user

You will see the privileges you assigned to userread and userwrite.

User name = userread
  Password expiration = None,
  ReadOnly for domains = ,
  Read only for families = ip ,
  Read/Write for domains = None,
  SNMP allowed = NO
User name = userwrite
  Password expiration = None,
  Read-Only for domains = None,
  Read/Write for domains = ,
  Read/Write for families = ip ,
  SNMP allowed = NO

Now let’s change the privileges of userread and then view the changes.

Enter:

-> user userread read-only all
-> show user userread
-> write memory

You should now see that this user has full read access.

-> show user userread
User name = userread
  Password expiration = None,
  Read-Only for domains = All,
  Read/Write for domains = None,
  SNMP allowed = NO

Log in as userread and type the following commands. Notice you now have the ability to view the information.

Enter:

-> exit
login: userread
password: ********

-> show vlan
-> show user
-> show chassis

Now let’s test the ability of this user to make changes to the switch.

Enter:

-> vlan 2

You will get an error saying you’re not authorized. This is because userread only has read privileges, not write privileges.

-> vlan 2
ERROR: Authorization failed. No functional privileges on this command

Log back in under admin and modify the privileges of userwrite to allow changes to the switch.

Enter:

-> exit
login: admin
password: *****

-> user userwrite read-write all
-> show user userwrite
-> write memory

You should now see that this user has full write privileges.

-> show user userwrite
User name = userwrite
  Password expiration = None,
  Read-Only for domains = None,
  Read/Write for domains = All,
  SNMP allowed = NO

Login as userwrite, and enter the command to create a VLAN. You can now create VLANs since you have full write privileges.

Enter:

-> exit
login: userwrite
password: *********
-> vlan 2

7.3. Partition Management

You can give users privileges based on specific commands or groups of commands known as domains. This is known as Partition Management.

Let’s modify the privileges of userread and only give permission to run commands in the Layer2 domain.

Enter:

-> user userread read-only none
-> user userread read-only domain-layer2
-> show user userread
-> write memory

This gives the user read-only privileges to the commands under the Layer2 domain.

-> show user userread
User name = userread,
  Password expiration = None,
  Read-Only for domains = Layer 2,
  Read/Write for domains = All,
  SNMP allowed = NO

Log in as userread and run the following commands.

Enter:

login: userread
password: ********

-> show vlan
-> show running-directory

You have the ability to run VLAN commands since they are under the layer2 domain. However, the ‘running-directory’ command will fail since you do not have access to the admin domain.

-> show running-directory
ERROR: Authorization failed. No functional privileges on this command

A list of the domains and the associated commands is available in the user guide. The same domain privileges can also be applied for write access.

- Authenticated Switch Access

ASA provides the ability to restrict which users are able to configure the switch remotely. Switch login attempts can be challenged via the local database, or a remote database such as RADIUS or LDAP. ASA applies to Telnet, FTP, SNMP, SSH, HTTP, and the console and modem ports.

Enter the following to configure the switch to check the local database when a TELNET connection is attempted.

Enter:

-> aaa authentication telnet local

Ensure you have IP connectivity through a virtual router interface as shown in the Remote Access lab. Perform the following to test TELNET connectivity.

Telnet to the IP address on the switch from your PC.

login: admin
password: *****

You will now be allowed to access the switch using a TELNET connection. This capability can be disabled if desired. From your console connection, perform the following to check the remote access status and then disable it.

Enter:

-> show aaa authentication

Notice that it shows TELNET authentication is being done locally, or by the switch’s internal database. No external authentication (RADIUS, LDAP) is being done at this time.

-> show aaa authentication
Service type = Default
  1rst authentication server = local
Service type = Console
  1rst authentication server = local
Service type = Telnet
  Authentication = Use Default,
  1rst authentication server = local
Service type = Ftp
  1rst authentication server = local
Service type = Http
  Authentication = Use Default,
  1rst authentication server = local
Service type = Snmp
  1rst authentication server = local
Service type = Ssh
  Authentication = Use Default,
  1rst authentication server = local

Now, let’s disable TELNET access and try connecting once again. From your console connection enter the following.

Enter:

-> no aaa authentication telnet
-> show aaa authentication
Service type = Default
  1rst authentication server = local
Service type = Console
  1rst authentication server = local
Service type = Telnet
  Authentication = Denied,
Service type = Ftp
  1rst authentication server = local
Service type = Http
  Authentication = Use Default,
  1rst authentication server = local
Service type = Snmp
  1rst authentication server = local
Service type = Ssh
  Authentication = Use Default,
  1rst authentication server = local

Attempt to TELNET the switch again.

Notice you are no longer authorized. Experiment with this feature using FTP and HTTP.
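The `show aaa authentication` and `show http` outputs from the Remote Access and Authenticated Switch Access labs can be reviewed together to see which management services still accept logins over an unencrypted channel. The following is an added example, not part of the original course material: the sample texts are constructed from the outputs shown above, the function names are hypothetical, and treating Telnet, FTP and HTTP without Force SSL as cleartext is this example's assumption.

```python
# Constructed samples, modelled on the outputs shown in this lab.
SAMPLE_AAA = """\
Service type = Default
  1rst authentication server = local
Service type = Console
  1rst authentication server = local
Service type = Telnet
  Authentication = Use Default,
  1rst authentication server = local
Service type = Ftp
  1rst authentication server = local
Service type = Http
  Authentication = Use Default,
  1rst authentication server = local
Service type = Snmp
  1rst authentication server = local
Service type = Ssh
  Authentication = Use Default,
  1rst authentication server = local
"""
SAMPLE_HTTP = """\
Web Management = on
Web Management Force SSL = off
Web Management Http Port = 80
Web Management Https Port = 443
"""
# The same switch after `no aaa authentication telnet` and `ip http ssl`.
HARDENED_AAA = SAMPLE_AAA.replace(
    "Service type = Telnet\n  Authentication = Use Default,\n"
    "  1rst authentication server = local",
    "Service type = Telnet\n  Authentication = Denied,")
HARDENED_HTTP = SAMPLE_HTTP.replace("Force SSL = off", "Force SSL = on")

# Assumption of this example: services that carry credentials unencrypted.
CLEARTEXT = ("ftp", "http", "telnet")


def parse_kv(text):
    """Yield (key, value) pairs from 'key = value' lines."""
    for line in text.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            yield key.strip(), value.strip().rstrip(",").strip()


def parse_aaa(text):
    """Return {service name: {field: value}} keyed by lower-case service type."""
    services, current = {}, None
    for key, value in parse_kv(text):
        if key == "Service type":
            current = services.setdefault(value.lower(), {})
        elif current is not None:
            current[key] = value
    return services


def effective_server(services, name):
    """First authentication server for a service, or None when access is denied."""
    svc = services.get(name, {})
    if svc.get("Authentication", "").lower() == "denied":
        return None
    own = svc.get("1rst authentication server")
    if own:
        return own
    # 'Use Default' without its own server line falls back to the Default record.
    return services.get("default", {}).get("1rst authentication server")


def audit(aaa_text, http_text):
    """Return the cleartext management services that still accept logins."""
    services = parse_aaa(aaa_text)
    http = dict(parse_kv(http_text))
    force_ssl = http.get("Web Management Force SSL", "off").lower() == "on"
    exposed = []
    for name in CLEARTEXT:
        if effective_server(services, name) is None:
            continue  # service denied or not listed
        if name == "http" and force_ssl:
            continue  # WebView is restricted to HTTPS
        exposed.append(name)
    return exposed


if __name__ == "__main__":
    print("before:", audit(SAMPLE_AAA, SAMPLE_HTTP))
    print("after: ", audit(HARDENED_AAA, HARDENED_HTTP))
```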

- End User Profiles

Partition Management allows the administrator to limit what commands users have access to. EUP is similar to Partition Management, but with the additional capability of limiting what VLANs and ports a user has access to.

Let’s begin by creating a few VLANs and a new user called customer1.

Enter:

-> vlan 100
-> vlan 200
-> vlan 300
-> user customer1 password customer1

Now, let’s create an End-User Profile with read-write access but limit the profile to VLANs 100-200.

Enter:

-> end-user profile profile1 read-write all
-> end-user profile profile1 vlan-range 100-200
-> end-user profile profile1 port-list 1/1-12

Now associate the user with the profile and save the configuration.

-> user customer1 end-user-profile profile1
-> write memory

Log out and then log back in under the newly created user account. Then run the commands listed below. Notice that you do not have access to VLAN 300 since it is not part of the user profile for client 1.

-> exit
login: customer1
password: *********

-> show vlan
-> vlan 300 port default [slot/port] (use a port within the range 1-12 as specified in the end-user-profile profile1; for instance, slot/port 1/5)

- Password Expiration

An administrator has the ability to set the expiration date on passwords. It can be set in days or at a specific date and time. Let’s change the password expiration time to 5 days for customer1.

Log in under admin.

-> user customer1 expiration 5
-> write memory

Log in under customer1.

The switch now informs you that your password expires in 5 days.

7.4. Summary

This lab introduced you to the Operating System of an OmniSwitch. The WORKING and CERTIFIED directories allow multiple configurations to be stored on the switch. The CERTIFIED configuration can be used as a backup in case of any mis-configurations to the WORKING directory. Once a WORKING configuration is known to be valid, it can then be copied to the CERTIFIED directory, and used as a backup.

The snapshot feature can be helpful if you have a number of switches with similar configurations, perhaps with only IP addresses having to be changed. Saving the configuration to an ASCII file, modifying it, then applying it to a different switch can make configuring a group of switches easier.

It also introduced the WebView remote access feature. WebView can be used to configure the switch using a Web Browser instead of the CLI. Additionally, using the SSL feature, the communication can be encrypted between the browser and the switch.

Finally, it covered the authenticated access feature of an OmniSwitch. Using this feature, an administrator is able to configure a security scheme to allow only authorized users access to the switch. Additionally, read and write privileges as well as remote access can be strictly controlled.

VLAN MANAGEMENT FOR OS6350

OMNISWITCH AOS R6

VLAN Management - Module objectives

You will:

Understand the VLAN implementation and features on OmniSwitch 6350

Learn how to:

Deploy static or dynamic VLAN in order to segment a network

Configure VLAN Tagging over Ethernet links

If you want to know more:

DHCP Policy

802.1x authenticated VLAN

VLAN Mobility – Default behaviour


VLANs - Overview

VLAN - Virtual LAN

A broadcast domain

Ease of network management

Provide a more secure network

Ports become members of VLANs by

Static Configuration

Mobility/Authentication

802.1q

VLANs - Evolution to Virtual LANs

Switch-centric model with VLANs (Logical perspective)

[Figure: Voice VLAN, Data VLAN and Management VLAN]

VLAN Membership - Edge Devices

How do ports and devices join VLANs?

Port based VLAN (Static)

Group Mobility VLAN (Dynamic)

Authenticated VLAN (Dynamic + Security)

802.1Q VLAN (Tagged)

VLAN Mobile Tag

Static VLAN Membership

Static VLAN

VLAN is assigned to the data port whatever the connected user (aka the default VLAN of the port)

Segmentation of VLANs is done according to topology, geography, etc.

-> VLAN 2 port default 1/2

-> VLAN 6 port default 1/4

-> VLAN 6 port default 1/6

[Figure: ports 1/2, 1/4 and 1/6; VLAN 1 through VLAN 6; Virtual Router]

Dynamic VLAN Membership

Dynamic VLANs

VLAN is assigned depending on the device or the user

Device oriented: VLAN according to traffic criteria (MAC@, etc.).

User oriented: Authenticated VLAN (IEEE 802.1X for enhanced security)

[Figure: VLAN 1 through VLAN 6; Virtual Router]

Dynamic VLAN Membership - Port Policy

Assignment policy is defined by port

0005d3:123456

192.168.10.0/24

Appletalk devices

VLANs

CLI

Defining a VLAN and its router interface

-> vlan 2

-> ip interface training_lab address 192.168.10.1 vlan 2

Assigning Ports to a VLAN

-> vlan 2 port default <slot>/<port>

Optional commands

-> vlan 4 enable

-> vlan 4 stp disable

-> vlan 4 name Engineering

Use quotes around string if the VLAN name contains multiple words with spaces between them

-> vlan 10-15 100-105 200 name "Training Network"

Monitoring

-> show vlan 4

-> show vlan port

-> show ip interface

Vlan with Static port - Example

-> vlan 2 name Data

-> vlan 2 port default 1/1

-> ip interface Data address 10.1.20.1 mask 255.255.255.0 vlan 2

-> vlan 3 name Voice

-> vlan 3 port default 1/10

-> ip interface Voice address 10.1.30.1 mask 255.255.255.0 vlan 3

-> show ip interface
Total 6 interfaces
Name           IP Address     Subnet Mask      Status   Forward  Device
--------------+-------------+----------------+--------+--------+--------
Data           10.1.20.1      255.255.255.0    UP       NO       vlan 2
Voice          10.1.30.1      255.255.255.0    UP       NO       vlan 3

-> show vlan 2
Name : Data,
Administrative State : enabled,
Operational State : enabled,
1x1 Spanning Tree State : enabled,
Flat Spanning Tree State : enabled,
Authentication : disabled,
IP Router Port : on,
IP MTU : 1500,
IPX Router Port : none,
Mobile Tag : off,
Source Learning : enabled

-> show vlan 2 port
port       type      status
---------+---------+--------------
1/1        default   active

-> show vlan
                         stree                  mble  src
vlan  type  admin  oper  1x1   flat   auth  ip   tag   lrn   name
----+-----+------+------+------+------+----+-----+-----+-----+---------
1     std   on     on    on    on     off   on   off   on    VLAN 1
2     std   on     on    on    on     off   on   off   on    Data
3     std   on     on    on    on     off   on   off   on    Voice

[Figure: Data VLAN (VLAN 2) and Voice VLAN (VLAN 3); IP Phone; dynamic @IP; DHCP Server - oxo]

VLAN rules - CLI

Enabling a mobile port

-> vlan port mobile <slot>/<port>

Assigning a rule to a VLAN

-> vlan 2 <rule>

Defining an IP protocol rule for VLAN 2

-> vlan 2 protocol ?

snap ip-snap ip-e2 ethertype dsapssap decnet appletalk

Defining an IP network address rule for VLAN 25

-> vlan 25 ip 21.0.0.0

-> vlan 25 ip 21.1.0.0 255.255.0.0

Monitoring

-> show vlan 4

-> show vlan port

-> show vlan rules

-> show vlan 4 rules

-> show vlan port mobile

Vlan Mobility rules - Example

-> vlan 2 name Data

-> vlan 2 ip 10.1.20.0 255.255.255.0

-> vlan port mobile 1/1

-> ip interface Data address 10.1.20.1 mask 255.255.255.0 vlan 2

-> vlan 3 name Voice

-> vlan 3 mac-range 00:80:9f:00:00:00 00:80:9f:ff:ff:ff

-> vlan port mobile 1/10

-> ip interface Voice address 10.1.30.1 mask 255.255.255.0 vlan 3

-> show ip interface
Total 6 interfaces
Name       IP Address     Subnet Mask      Status    Forward    Device
----------+--------------+----------------+---------+----------+--------
Data       10.1.20.1      255.255.255.0    UP        YES        vlan 2
Voice      10.1.30.1      255.255.255.0    UP        YES        vlan 3

-> show vlan 2
Name : Data,
Administrative State : enabled,
Operational State : enabled,
1x1 Spanning Tree State : enabled,
Flat Spanning Tree State : enabled,
Authentication : disabled,
IP Router Port : on,
IP MTU : 1500,
IPX Router Port : none,
Mobile Tag : off,
Source Learning : enabled

-> show vlan 2 port
port      type      status
---------+---------+--------------
1/1       mobile    active

sw1> show vlan rules
type              vlan   rule
-----------------+------+-------------------------------------------
ip-net            2      10.1.20.0, 255.255.255.0
mac-range         3      00:80:9f:00:00:00, 00:80:9f:ff:ff:ff

[Figure labels: Data VLAN (VLAN 2); Voice VLAN (VLAN 3); IP Phone; DHCP Server; dynamic @IP]

VLAN Membership

802.1Q

How do ports join VLANs?

Port based VLAN (Static)

Group Mobility VLAN (Dynamic)

Authenticated VLAN (Dynamic + Security)

802.1Q VLAN (Tagged)

VLAN Mobile Tag

VLANs

IEEE 802.1Q

Aggregates multiple VLANs across Ethernet links

Combines traffic from multiple VLANs over a single link

Encapsulates bridged frames within standard IEEE 802.1Q frame

Enabled on fixed ports

Tags port traffic for destination VLAN

Tagged Frames

802.1Q

VLAN Tag

802.3 MAC header change

4096 unique VLAN Tags (addresses)

VLAN ID == GID == VLAN Tag

802.1P

Three bit field within 802.1Q header

Allows up to 8 different priorities

Feature must be implemented in hardware

802.1p (3 bits)

DA SA

VLAN ID (12 Bits)

4 Bytes

“Modified 802.3 MAC”

Ethertype, Priority, Tag
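The tag layout described on this slide (a 4-byte insert after the source MAC carrying the Ethertype, the 3-bit 802.1p priority and the 12-bit VLAN ID) can be checked on raw frame bytes. The following Python is an added example, not code from the guide; the sample frame, its MAC addresses and the priority value 5 are constructed for illustration.

```python
"""802.1Q tag handling on raw Ethernet frames (added example)."""
import struct
from typing import NamedTuple, Optional

TPID_8021Q = 0x8100   # Ethertype value that marks an 802.1Q tag
MAC_HEADER_LEN = 12   # DA (6 bytes) + SA (6 bytes)


class Dot1QTag(NamedTuple):
    priority: int         # 802.1p priority, 3 bits (0-7)
    dei: int              # drop eligible indicator, 1 bit
    vlan_id: int          # VLAN ID, 12 bits
    inner_ethertype: int  # Ethertype of the encapsulated payload


def parse_dot1q(frame: bytes) -> Optional[Dot1QTag]:
    """Return the 802.1Q tag of a frame, or None if the frame is untagged."""
    if len(frame) < MAC_HEADER_LEN + 2:
        raise ValueError("frame too short for an Ethernet header")
    (tpid,) = struct.unpack_from("!H", frame, MAC_HEADER_LEN)
    if tpid != TPID_8021Q:
        return None
    if len(frame) < MAC_HEADER_LEN + 6:
        raise ValueError("truncated 802.1Q tag")
    # Tag control information: priority(3) | DEI(1) | VLAN ID(12)
    tci, inner = struct.unpack_from("!HH", frame, MAC_HEADER_LEN + 2)
    return Dot1QTag(tci >> 13, (tci >> 12) & 0x1, tci & 0x0FFF, inner)


def add_dot1q(frame: bytes, vlan_id: int, priority: int = 0) -> bytes:
    """Insert a 4-byte 802.1Q tag between the source MAC and the Ethertype."""
    if parse_dot1q(frame) is not None:
        raise ValueError("frame is already tagged")
    if not 0 <= vlan_id <= 0x0FFF:
        raise ValueError("VLAN ID must fit in 12 bits")
    if not 0 <= priority <= 7:
        raise ValueError("802.1p priority must fit in 3 bits")
    tci = (priority << 13) | vlan_id
    tag = struct.pack("!HH", TPID_8021Q, tci)
    return frame[:MAC_HEADER_LEN] + tag + frame[MAC_HEADER_LEN:]


def strip_dot1q(frame: bytes) -> bytes:
    """Remove the tag, as a switch does before sending on an untagged port."""
    if parse_dot1q(frame) is None:
        return frame
    return frame[:MAC_HEADER_LEN] + frame[MAC_HEADER_LEN + 4:]


# Constructed sample: broadcast IPv4 frame from a MAC in 00:80:9f:xx:xx:xx.
UNTAGGED = (
    bytes.fromhex("ffffffffffff")      # DA
    + bytes.fromhex("00809f123456")    # SA
    + struct.pack("!H", 0x0800)        # Ethertype: IPv4
    + bytes(46)                        # zero-filled payload
)
# The same frame tagged for VLAN 3 with priority 5 (constructed values).
TAGGED_VOICE = add_dot1q(UNTAGGED, vlan_id=3, priority=5)

if __name__ == "__main__":
    print(parse_dot1q(UNTAGGED))       # untagged frame
    print(parse_dot1q(TAGGED_VOICE))   # tagged frame
    print(TAGGED_VOICE[12:16].hex())   # the 4 inserted bytes
```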

VLANs - Configuration

-> vlan 2 enable

-> vlan 3 enable

-> vlan 2 802.1q 1/4

-> vlan 3 802.1q 1/4

[Figure labels: VLAN 1, VLAN 2 and VLAN 3 shown twice; port label 3/4]

-> show vlan 3 port

-> show 802.1q 1/4

3/4

VLAN - Mobile Tag

Allows the dynamic assignment of mobile ports to more than one VLAN at the same time

Enabled on mobile ports

-> vlan 3 mobile-tag enable

Allows mobile ports to receive 802.1Q tagged packets with

Enable the classification of mobile port packets based on 802.1Q VLAN ID tag 3

Takes precedence over all VLAN Rules

[Figure labels: Voice VLAN; Default VLAN; Data VLAN; Communication Server; OmniPCXOffice; tagged packets with tag=3]

VLAN mobile - Tagging vs 802.1Q tagging

VLAN Mobile Tag | 802.1Q Tag
Allows mobile ports to receive 802.1Q tagged packets | Not supported on mobile ports
Enabled on the VLAN that will receive tagged mobile port traffic | Enabled on fixed ports; tags port traffic for destination VLAN
Triggers dynamic assignment of tagged mobile port traffic to one or more VLANs | Statically assigns (tags) fixed ports to one or more VLANs

IF YOU WANT TO KNOW MORE

Dynamic VLAN Membership - DHCP Policy

DHCP VLAN Membership

DHCP PORT policy: Devices generating DHCP requests on these ports

DHCP MAC/MAC Range policy: Devices with specified MAC addresses generating DHCP requests

DHCP Generic policy: Any DHCP packet (one rule per switch)

DHCP request frames will not be forwarded until a device's VLAN membership is defined

Without an internal BootP Relay entity, DHCP frames are only forwarded to ports within the VLAN

With an internal BootP Relay entity, DHCP frames are forwarded to the Relay

1. Client needing IP address appears in default DHCP VLAN

2. BootP Relay delivers request to DHCP server

3. After receiving IP address, now participates in authorized VLANs

Dynamic VLAN Membership

802.1x Authenticated VLANs

Applies to users connected on authenticated ports

Users must authenticate through 802.1x client

Authentication is based on either RADIUS, LDAP or TACACS+

Successful login

The client MAC is associated with the correct VLAN

[Figure labels: User; Supplicant (host using 802.1x client); Switch running Authentication Agent; RADIUS, TACACS+, or LDAP Server; Default VLAN; Target VLAN]

Precedence/Rule Type

Upon receiving a frame, Source Learning compares the frame with VLAN policies in order:

1. Frame Type

2. DHCP MAC

3. DHCP MAC Range

4. DHCP Port

5. DHCP Generic

6. MAC-Port-IP

7. MAC-Port Binding

8. Port-Protocol Binding

9. MAC Address

10. MAC Range

11. Network Address

12. Protocol

13. Default (No Match -> port default VLAN)

VLAN Mobility

Default behavior

Default VLAN handling (renaming)

Default VLAN

-> vlan port slot/port default vlan {enable | disable}

Enabled -> user will join default VLAN when no rule matches (default)

Disabled -> user’s traffic will be dropped, when no rule matches

Default VLAN restore

-> vlan port slot/port default vlan restore {enable | disable}

Enabled -> user will join default VLAN when traffic ages out (default)

Disabled -> user will remain in the VLAN membership even after traffic ages out
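The precedence list and the default VLAN setting above decide where a frame on a mobile port lands when several rules match. The following Python is an added example, not AOS code: a simplified model covering only the MAC Address, MAC Range, Network Address and Protocol rule types, loaded with the two rules from the "Vlan Mobility rules - Example" slide. The client MAC and IP addresses are constructed, and picking the first configured rule on a tie is an assumption of this sketch.

```python
"""Simplified model of Group Mobility rule precedence (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Position of each modelled rule type in the guide's precedence list.
PRECEDENCE = {"mac": 9, "mac-range": 10, "ip-net": 11, "protocol": 12}
# CLI keyword after 'vlan <id>' mapped to the rule type shown by 'show vlan rules'.
KEYWORDS = {"mac": "mac", "mac-range": "mac-range", "ip": "ip-net",
            "protocol": "protocol"}


def mac_to_int(mac: str) -> int:
    """Convert aa:bb:cc:dd:ee:ff to an integer so ranges can be compared."""
    return int(mac.replace(":", ""), 16)


@dataclass(frozen=True)
class Frame:
    src_mac: str
    src_ip: Optional[str] = None
    protocol: str = "ip-e2"


@dataclass(frozen=True)
class Rule:
    kind: str
    vlan: int
    args: Tuple[str, ...]

    def matches(self, frame: Frame) -> bool:
        if self.kind == "mac":
            return mac_to_int(frame.src_mac) == mac_to_int(self.args[0])
        if self.kind == "mac-range":
            low, high = (mac_to_int(a) for a in self.args)
            return low <= mac_to_int(frame.src_mac) <= high
        if self.kind == "ip-net":
            if frame.src_ip is None:
                return False
            network = ip_network(f"{self.args[0]}/{self.args[1]}")
            return ip_address(frame.src_ip) in network
        return frame.protocol == self.args[0]   # protocol rule


def parse_rule(line: str) -> Rule:
    """Parse the 'vlan <id> <rule>' subset used in this guide's example."""
    words = line.split()
    if len(words) < 4 or words[0] != "vlan" or words[2] not in KEYWORDS:
        raise ValueError(f"unsupported rule: {line!r}")
    kind, args = KEYWORDS[words[2]], tuple(words[3:])
    expected = {"mac": 1, "mac-range": 2, "ip-net": 2, "protocol": 1}[kind]
    if len(args) != expected:
        # This sketch requires an explicit mask for IP network rules.
        raise ValueError(f"{kind} rule needs {expected} argument(s): {line!r}")
    return Rule(kind, int(words[1]), args)


def classify(frame: Frame, rules: List[Rule], port_default_vlan: int = 1,
             default_vlan_enabled: bool = True) -> Optional[int]:
    """Return the VLAN the frame joins, or None when its traffic is dropped."""
    matching = [rule for rule in rules if rule.matches(frame)]
    if matching:
        # Lowest precedence number wins; min() keeps the first rule on a tie.
        return min(matching, key=lambda rule: PRECEDENCE[rule.kind]).vlan
    # No rule matched: behaviour depends on 'default vlan {enable | disable}'.
    return port_default_vlan if default_vlan_enabled else None


# The two rules from the guide's example.
EXAMPLE_RULES = [
    parse_rule("vlan 2 ip 10.1.20.0 255.255.255.0"),
    parse_rule("vlan 3 mac-range 00:80:9f:00:00:00 00:80:9f:ff:ff:ff"),
]

# Constructed clients.
PC = Frame(src_mac="00:11:22:33:44:55", src_ip="10.1.20.50")
PHONE = Frame(src_mac="00:80:9f:12:34:56", src_ip="10.1.20.60")
UNKNOWN = Frame(src_mac="00:11:22:33:44:66", src_ip="172.16.0.9")

if __name__ == "__main__":
    for name, frame in (("PC", PC), ("PHONE", PHONE), ("UNKNOWN", UNKNOWN)):
        print(name, classify(frame, EXAMPLE_RULES),
              classify(frame, EXAMPLE_RULES, default_vlan_enabled=False))
```

The phone's frame matches both rules, and the MAC Range rule (position 10) wins over the Network Address rule (position 11), so an address inside the Data subnet does not pull it out of the Voice VLAN.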

VLANS

Contents

1 Objective
2 VLANs
3 Equipment/Software Required
4 Related Commands
5 Supported Platforms
6 Lab Steps
  6.1. Creating Additional VLANs
  6.2. Configure 802.1Q
7 Summary
8 Lab Check


1 Objective

This lab is designed to familiarize you with VLANs on an OmniSwitch.

2 VLANs

VLANs provide the ability to segregate a network into multiple broadcast domains. This can be done statically or dynamically by creating policies. Additionally, Virtual Router ports can be assigned to VLANs to allow traffic to be switched at Layer 3.

3 Equipment/Software Required

One OmniSwitch (Any Model)

2 or more PCs.

4 Related Commands

vlan, show vlan, show vlan [vid], ip interface,

show vlan [vid] ports, vlan [vid] ip, vlan [vid] mac

5 Supported Platforms

All

Connect a laptop or desktop PC to the 6350 console port. You will need a USB-to-Serial adapter if your PC does not have a standard serial COM port. For simplicity, having 2-3 laptops or PCs to work with throughout the exercise is preferred.

OS 6350-10 connections:
Port 1/1: Client PC1
Port 1/8: Client PC2
Console Port: Admin Console PC


6 Lab Steps

Before continuing, remove the existing configuration from the WORKING directory and reboot. Connect your Admin laptop or PC to the console port of the 6350. Open a terminal emulator (Putty, HyperTerm, etc.). Open a serial connection to establish a console connection with the following settings:

9600 Baud, 8 Data Bits, No Parity, 1 Stop Bit, No Flow Control

Login to the switch by entering at the prompts:

-> Login: admin

-> Password: switch

Type the following:

-> rm /flash/working/boot.cfg
-> reload working no rollback-timeout
-> copy working certified

In its default configuration, the switch has only one VLAN; VLAN 1. This is the default VLAN and all ports are initially associated with it. This VLAN CANNOT be deleted, but it can be disabled if so desired.

Let’s run the command to see the VLANs that exist on the switch as well as information on a single VLAN.

Type the following:

-> show vlan
                          stree                    mble  src
vlan  type  admin  oper   1x1    flat   auth ip    tag   lrn    name
-----+-----+------+------+------+------+----+-----+-----+------+----------
1     std   on     off    on     on     off  on    off   on     VLAN 1

Reference the User Guides for details on each column:

vlan – The VLAN ID number
type – The type of VLAN (std, vstk, gvrp or ipmv)
admin – Administrative status
oper – Operational Status (Any active ports associated with the VLAN)
1X1 – 1X1 Spanning Tree Status – (on/off)
flat – Flat Spanning Tree Status – (Is 802.1s Enabled)
auth – Authenticated VLAN status
ip – IP status (Has an IP address been associated with the VLAN)
ipx – IPX status (Has an IPX address been associated with the VLAN)
mble tag – mobility tag (on/off)
name – VLAN name

To display information on a specific VLAN:

-> show vlan 1
Name : VLAN 1,
Administrative State: enabled,
Operational State : disabled,
1x1 Spanning Tree State : enabled,
Flat Spanning Tree State : enabled,
Authentication : disabled,
IP Router Port : off,
IPX Router Port : none,
Mobile Tag : off,
Source Learning : enabled
Router Vlan : no

Notice that the VLAN's Administrative State is enabled, but its Operational State is disabled. Without members, the VLAN will be operationally down.


You can also list the ports and their associated VLAN assignments (notice we have no active ports to operationally enable the VLAN):

-> show vlan port (or 'show vlan 1 port' to display just vlan 1 ports)
vlan   port    type      status
------+-------+---------+-------------
1      1/1     default   inactive
1      1/2     default   inactive
1      1/3     default   inactive
1      1/4     default   inactive
1      1/5     default   inactive
1      1/6     default   inactive
1      1/7     default   inactive
1      1/8     default   inactive
1      1/9     default   inactive
1      1/10    default   inactive

To display the VLAN assignment on a specific port (or ports):

-> show vlan port 1/1
vlan     type      status
--------+---------+--------------
1        default   inactive

In order to have IP connectivity to a VLAN interface (not required for connectivity to other clients/servers within a VLAN), an IP address must be assigned to a Virtual Router port and associated to that VLAN. This IP address can then be used for IP connectivity as well as Layer 3 switching. In order to do this, we first create the IP address and then associate it to a VLAN.

Type the following (int_1 is the VLAN alias, 192.168.10.3 is the IP interface address):

-> ip interface int_1 address 192.168.10.3/24

-> show ip interface
Total 3 interfaces
Name                 IP Address      Subnet Mask     Status Forward Device
--------------------+---------------+---------------+------+-------+--------
Loopback             127.0.0.1       255.0.0.0       UP     NO      Loopback
dhcp-client          0.0.0.0         0.0.0.0         DOWN   NO      vlan 1
int_1                192.168.10.3    255.255.255.0   DOWN   NO      unbound

Notice we did not associate a VLAN with the interface yet, this is indicated by the 'unbound' status in the Device column. To bind a VLAN:

-> ip interface int_1 vlan 1

Note: The last two commands could have been consolidated as one command:

-> ip interface int_1 address 192.168.10.3/24 vlan 1

-> show ip interface
Total 3 interfaces
Name                 IP Address      Subnet Mask     Status Forward Device
--------------------+---------------+---------------+------+-------+--------
Loopback             127.0.0.1       255.0.0.0       UP     NO      Loopback
dhcp-client          0.0.0.0         0.0.0.0         DOWN   NO      vlan 1
int_1                192.168.10.3    255.255.255.0   DOWN   NO      vlan 1

Take note of the Status field. If it reads DOWN, this indicates no active ports or devices have been associated with the VLAN that the Virtual Router has been assigned to. If a Virtual Router interface is down, it cannot be connected to, will not reply to PING requests nor will it be advertised in any router updates. This will not affect the Layer 2 broadcast domain, however.

Let’s activate a port in VLAN 1 to change the status to UP.


Perform the following:

Connect PC1 to an Ethernet port on the switch.

Remember, all ports by default are members of VLAN 1 so any port can be used.

Now, type:

-> show vlan 1 port
port      type      status
---------+---------+--------------
1/1       default   forwarding
1/2       default   inactive
1/3       default   inactive
1/4       default   inactive
1/5       default   inactive
1/6       default   inactive
1/7       default   inactive
1/8       default   inactive
1/9       default   inactive
1/10      default   inactive

Since all ports currently belong to VLAN 1, this will now cause VLAN 1 to become active. Run the command to check the status of the IP interface to see this.

Type the following:

-> show ip interface
Total 3 interfaces
Name                 IP Address      Subnet Mask     Status Forward Device
--------------------+---------------+---------------+------+-------+--------
Loopback             127.0.0.1       255.0.0.0       UP     NO      Loopback
dhcp-client          0.0.0.0         0.0.0.0         DOWN   NO      vlan 1
int_1                192.168.10.3    255.255.255.0   UP     YES     vlan 1

Now that the VLAN has an active port, let’s modify the IP information of PC1 and PING the router interface associated with VLAN 1. Perform the following:

Modify the IP information of client PC1:

PC1 - IP Address - 192.168.10.103

PC1 - Mask – 255.255.255.0

PC1 - Default Gateway – 192.168.10.3 (The IP address of VLAN 1 virtual router).

Ping the switch’s VLAN 1 Virtual Router IP address. You should now have IP connectivity.

6.1. Creating Additional VLANs

Currently there is only one VLAN created on the switch. The following steps will provide information on creating a second VLAN, enabling IP on the VLANs, moving ports into the VLAN, and forwarding IP packets between VLANs.

To begin, let’s create a new VLAN and assign an IP address to that VLAN as done previously:

-> vlan 11 name AP
-> vlan 12 name Employee
-> vlan 13 name Guest
-> vlan 14 name Voice
-> ip interface int_11 address 192.168.1.1/24
-> ip interface int_11 vlan 11

How would you enter the last two commands as one command?

-> ip interface int_12 address 192.168.12.1/24 vlan 12
-> ip interface int_13 address 192.168.13.1/24 vlan 13
-> ip interface int_14 address 192.168.14.1/24 vlan 14


Let's look at what we have configured so far:

-> show ip interface
Total 7 interfaces
Name                 IP Address      Subnet Mask     Status Forward Device
--------------------+---------------+---------------+------+-------+--------
Loopback             127.0.0.1       255.0.0.0       UP     NO      Loopback
dhcp-client          0.0.0.0         0.0.0.0         DOWN   NO      vlan 1
int_1                192.168.10.3    255.255.255.0   UP     YES     vlan 1
int_11               192.168.1.1     255.255.255.0   DOWN   NO      vlan 11
int_12               192.168.12.1    255.255.255.0   DOWN   NO      vlan 12
int_13               192.168.13.1    255.255.255.0   DOWN   NO      vlan 13
int_14               192.168.14.1    255.255.255.0   DOWN   NO      vlan 14

-> show vlan
                           stree                          mble  src
vlan  type   admin  oper   1x1    flat   auth ip    ipx   tag   lrn   name
-----+------+------+------+------+------+----+-----+-----+-----+-----+----------
1     std    on     on     on     on     off  on    NA    off   on    VLAN 1
11    std    on     off    on     on     off  on    NA    off   on    AP
12    std    on     off    on     on     off  on    NA    off   on    Employee
13    std    on     off    on     on     off  on    NA    off   on    Guest
14    std    on     off    on     on     off  on    NA    off   on    Voice

Now let’s assign a port to VLAN 11, connect a client to that port, and modify its IP addressing to allow communication to the Virtual Router interface. Remember from earlier that all ports belong to VLAN 1 by default so we must move a port into VLAN 11.

Type/Perform the following:

-> vlan 11 port default 1/8 (1/8 = slot/port the PC2 is connected to)

Make sure you have connected PC2 to the slot and port above. Modify the IP information of PC2 to match the following:

PC2 - IP Address – 192.168.1.100

PC2 - Mask – 255.255.255.0

PC2 - Default Gateway – 192.168.1.1 (The IP address of VLAN 11 Virtual Router for your station)

Review what you’ve done:

-> show vlan 11 port
port      type      status
---------+---------+--------------
1/8       default   forwarding

-> show ip interface
Total 7 interfaces
Name                 IP Address      Subnet Mask     Status Forward Device
--------------------+---------------+---------------+------+-------+--------
Loopback             127.0.0.1       255.0.0.0       UP     NO      Loopback
dhcp-client          0.0.0.0         0.0.0.0         DOWN   NO      vlan 1
int_1                192.168.10.3    255.255.255.0   UP     YES     vlan 1
int_11               192.168.1.1     255.255.255.0   UP     YES     vlan 11
int_12               192.168.12.1    255.255.255.0   DOWN   NO      vlan 12
int_13               192.168.13.1    255.255.255.0   DOWN   NO      vlan 13
int_14               192.168.14.1    255.255.255.0   DOWN   NO      vlan 14


-> show vlan
                           stree                          mble  src
vlan  type   admin  oper   1x1    flat   auth ip    ipx   tag   lrn   name
-----+------+------+------+------+------+----+-----+-----+-----+-----+----------
1     std    on     on     on     on     off  on    NA    off   on    VLAN 1
11    std    on     on     on     on     off  on    NA    off   on    AP
12    std    on     off    on     on     off  on    NA    off   on    Employee
13    std    on     off    on     on     off  on    NA    off   on    Guest
14    std    on     off    on     on     off  on    NA    off   on    Voice

By default the switch will route the packets between VLAN 1 and VLAN 11 using the Virtual IP interfaces you created.

Perform the following to test connectivity:

From client on VLAN 1 ping the Virtual Router port for VLAN 11. (For example, ping 192.168.11.1)

This should be successful since you’ve set the Default Gateway of PC2 to the virtual router interface of VLAN 11. The switch will route the packets to interface int_1.

From client on VLAN 1 ping client on VLAN 11. (For example, ping 192.168.11.103)

This should be successful since you’ve set the Default Gateway to the Virtual Router interface of VLAN 11. The switch will route the request packet to VLAN 1 in one direction, then route the echo back to VLAN 11.

You should receive successful responses to all the above PINGs. If the PINGs are not successful, check your IP addressing (and Gateway) on both the PC and the switch as well as checking the VLAN associations using the following commands. Again, you may type:

-> show vlan
-> show vlan 1
-> show vlan 1 port
-> show vlan 11
-> show vlan 11 port
-> show ip interface

6.2. Configure 802.1Q

Normally, to have Layer 2 connectivity between the switch and the AP for all three VLANs, three physical links would be required. However, we will configure 802.1Q tagging to carry data from all three VLANs over one physical link.

Type the following: (we will use slot 1 port 3 for the connection to your AP)

-> vlan 11 port default 1/3
-> vlan 12-14 802.1q 1/3

-> show vlan 11 port
port      type      status
---------+---------+--------------
1/3       default   forwarding

-> show vlan 12 port
port      type      status
---------+---------+--------------
1/3       qtagged   forwarding

-> show vlan port 1/3
vlan     type      status
--------+---------+--------------
11       default   inactive
12       qtagged   inactive
13       qtagged   inactive
14       qtagged   inactive

You should see that slot 1 port 3 is carrying tagged information for VLANs 12, 13 and 14 and bridging VLAN 11. Remember, a physical port MUST always have at least one VLAN (the default for the port) bridging.


We have so far configured the switch to connect the IAP on port 1/3 and to transport:

VLAN 11 by default for IAP Configuration

VLAN 12, 13 and 14 for employee, guest and voice SSID’s

To activate Power Over Ethernet, type the following command:

-> lanpower start 1

This command activates PoE for all the ports on the switch. We are now ready to plug in the IAP on port 1/3.

You can now proceed with the next LAB to configure the AP.

7 Summary

VLANs are an important concept to understand when configuring an OmniSwitch. They provide the ability to segregate the network into multiple broadcast domains. This can be done either statically or dynamically. Also, in order for devices in different VLANs to communicate, they must be routed. A virtual router interface can be associated for each VLAN to allow for the routing of traffic.

8 Lab Check

- What is the purpose of a VLAN?

....................

- In this lab, name two methods that were used to associate a port with a VLAN?

1) ....................

2) ....................

- What type of rule(s) were used to dynamically move a port into a VLAN?

....................

- Is it necessary to have a routing protocol configured in order to route between VLANs on the same switch?

.................... (Yes or No – why?)

- In order for a VLAN to route traffic, what must be created on the switch?

....................

- Which VLAN does a port belong to by default?

VLAN ....................

- What is the command to move a port into a different default VLAN?

....................

- What are two commands to check which VLAN a port is associated with?

....................

ACCESS POINTS

OMNIACCESS WLAN

Module Objectives

In this module you will learn about

Access Points.

You will review and discuss:

AP Introduction

Hardware, security and radio features

Initial setup

Basic configuration

AP - INTRODUCTION

Product Features

Security Features

Authentication Type

802.1x, WPA, WPA2

MAC Address

Customizable Captive Portal

Encryption : WEP, TKIP, AES

Built-in User Database and External Radius Server Support

Firewall

Radio Features

Dynamic Frequency Adjustment (DFA) – Optimize available channel/transmission power

Channel/transmission power manual assignment

Deployment Scenarios

Single Cluster

A Single Cluster

Contains a maximum of 16 AP1101

Supports 256 concurrent clients (64 per AP1101)

Broadcasts 16 WLANs (SSID)

L2 Mobility

Any client can roam between APs and maintain its connection (IP address and authentication)

AP – INITIAL SETUP

Unpack and Power on the AP1101

Open the packing box and take out the AP1101

Power the AP by connecting it to a PoE port of the switch

Assigning an IP address to the AP

The AP needs an IP address for network connectivity

Connect the Switch to the Router

Ensure that the DHCP server is enabled on the Router

After a few seconds, the AP gets an IP address

The AP starts broadcasting the SSID “mywifi-xxxx”

xxxx: 4 last bytes of the AP MAC address

AP initial setup – Connection to the Web interface

Connect to the “mywifi-xxxx” SSID (xxxx: last four bytes of AP MAC address), open a web browser and enter the following:

http://mywifi.al-enterprise.com:8080

There are three login accounts:

Administrator : Configuration of the AP

Viewer : Checking configuration ONLY

GuestOperator : Checking configuration ONLY and creating Guests users

“admin” is the default password for all login accounts

Select “Administrator”:

Username = Administrator

Password = admin

AP initial setup – Wizard

An initialization wizard will pop up.

It is used for:

Modifying Administrator password

Creating a management WLAN (SSID)

AP initial setup – New SSID

Creation of additional SSID

Click “New” in the WLAN Window of the Dashboard

Configuration of a new WLAN

Click on « Advanced » to configure advanced parameters

AP initial setup – New WLAN

AP initial setup - Group

Group Network

In a Group deployment, APs of the Group are listed in the AP Window

The list displays the MAC address of the AP, its status and the number of clients authenticated to this AP

AP initial setup - Group

Group Network

Double-click on the AP window to access the Advanced-Window Mode

The role of the AP in the Group is highlighted in red:

Primary Virtual Controller (PVC): Central point of management. One per Group.

Secondary Virtual Controller (SVC): Backup of the PVC. One per Group.

MEMBER: Other APs in the Group.

The AP with the highest MAC address is elected PVC.

The AP with the second highest MAC address is elected SVC.

Other APs of the cluster become MEMBER.

Election Process

ADVANCED PARAMETERS

In the Advanced WLAN Window, you have the following parameters

WLAN Parameters

WLAN Parameter: Specification

SSID: The WiFi signal name.

Band: Check the radio on which you want the WLAN to be broadcast. The radio won’t broadcast this WLAN when it is unchecked.

Network Type: There are three options for network type: Employee, Voice and Guest, which indicate the purpose of the WLAN. Once you have specified a network type, the Security Method and optimized QoS parameters are set accordingly.

Hidden: Hidden broadcast or visible broadcast SSID.

Enable: Turn the WLAN on or off.

MaxClients: The maximum number of concurrent users that the WLAN supports. When the number of concurrent users exceeds this value, the user connection is rejected.

Captive Portal: Set whether the WLAN enables portal authentication.

VLAN ID: The VLAN ID to which the WLAN maps.

Security Type: Security types are arranged as a tree. Based on the target customer scale, there are three root types: Open, Personal and Enterprise. Once a root type has been selected, you can select the corresponding combination of authentication and encryption methods; once a combination has been selected, you have to configure the corresponding parameters.

Cancel: The WLAN Creation Window closes if you click the ‘Cancel’ button.

Save: Click ‘Save’ to complete creating the WLAN.

CONFIGURE AP

Contents

1 Objective
2 Equipment/Software Required
3 Supported Platforms
4 Lab Steps
  4.1. AP Initialization
  4.2. AP Initial Configuration
5 Summary


RIP/RIP2

1 Objective

This lab will help you to configure an IAP with the three SSIDs based on the VLANs and IP addresses that you have already configured on the switch.

Part 1 - AP initialization: The first part is here to help you prepare your AP for configuration. You will reset the configuration and give IP connectivity to your AP.

Part 2 - AP initial configuration: In this section, you will create the three SSIDs: employee, guest and voice.

2 Equipment/Software Required

One OmniSwitch

One AP1101

3 Supported Platforms

All

4 Lab Steps

4.1. AP Initialization

In this section you will switch the Instant AP back to factory default.

1. Plug the port “Ethernet” of your AP to the port 1/3 of the switch.

2. Wait for the boot process to be over. You can see it when the LED on the face of the AP turns into a solid green or blue. It will take less than a minute.

3. Press and hold the “Reset” button at the back of the AP for 5 seconds and then release it. The AP will reboot automatically and you will get a solid green on the LED after the boot process.

4. The default IP address of the AP is 192.168.1.254.

OS 6350-P10 connections:
Port 1/3: AP 1101
Port 1/8: Client
Console Port: Admin Console PC


4.2. AP Initial Configuration

In this section you will create an initial configuration. This configuration will provide an SSID each for employees, guests and voice.

Each AP will broadcast the default “mywifi-xxxx” SSID at start up (xxxx refers to the 4 last values of the MAC address of the AP). To be sure to connect to your AP, you will use the Ethernet connection to configure the IAP.

1. Enable the ethernet interface on the laptop, change your IP address to be in the subnet of VLAN 11 (192.168.1.100) and set the gateway to 192.168.1.1. Plug in the laptop on port 8 of the OS 6350.

2. Open a web browser and connect to http://192.168.1.254:8080 (we are using the default IP address of the AP). Log in to the AP using the login profile Administrator and password admin.

3. Press Next on the Welcome page of the Setup Wizard.

4. In the Step 1/3, you can change the default password of the Administrator profile. We will use the same password “admin”. Enter “admin” in the Passphrase and Confirm field. Click Save.

5. In the regulatory domain selection screen, select the country where you are (if you are not in the USA, Israel or Japan) and click Save.


6. The last step of the Setup Wizard is used to create a Management WLAN. We will create the admin network.

7. In the “Create New WLAN” wizard, enter the following:

a. WLAN Name: Admin

b. Band: 2.4GHz and 5GHz are already selected. Don’t change it.

c. Security Type and Passphrase format are already set. Don’t change it.

d. Passphrase: alcatel_lucent

e. Confirm : alcatel_lucent

f. Click Save

8. Login again on the main screen, using the login profile Administrator and the password admin.

9. To create the employee network, click New in the WLAN window (top left corner).


10. In the “Create New WLAN” window, enter the following:

a. Click on Advance.

b. WLAN Name: Employee

c. Band: 2.4GHz and 5GHz are already selected. Don’t change it.

d. Network Type: Employee is already selected. Don’t change it.

e. Security Type and Passphrase format are already set. Don’t change it.

f. Passphrase: employee

g. Confirm : employee

h. VLAN ID: 12

i. Click Save


11. To create the guest network, click New in the WLAN window (top left corner).

12. In the “Create New WLAN” window, enter the following:

a. Click on Advance.

b. WLAN Name: Guest

c. Band: 2.4GHz and 5GHz are already selected. Don’t change it.

d. Network Type: Select Guest.

e. Security Type: Select Personal and WPA/WPA2 Personal (Both TKIP AND AES).

f. Passphrase: guest_AP

g. Confirm : guest_AP

h. VLAN ID: 13

i. Click Save


13. To create the voice network, click New in the WLAN window (top left corner).

14. In the “Create New WLAN” window, enter the following:

a. Click on Advance.

b. WLAN Name: Voice

c. Band: 2.4GHz and 5GHz are already selected. Don’t change it.

d. Network Type: Select Voice.

e. Security Type and Passphrase format are already set. Don’t change it.

f. Passphrase: voice_AP

g. Confirm : voice_AP

h. VLAN ID: 14

i. Click Save


15. Check the WLAN list; the “mywifi-xxxx” SSID has disappeared from the list and you find the management SSID (Admin) as well as the three user SSIDs (Employee, Guest and Voice).


16. Logout from the configuration page (top-right corner) and close the Web browser

17. We will now check that the 3 AP networks are available in the air.

a. Refresh the WLAN network list; Employee, Guest and Voice should be available.

b. Connect to Employee. Enter the network security key we have defined: employee.

c. Change the IP configuration of the wireless card with the address 192.168.12.100, mask 255.255.255.0 and gateway 192.168.12.1


d. Try to ping 192.168.12.1

e. Disconnect from Employee

f. Connect to Guest. Enter the network security key we have defined: guest_AP

g. Change the IP configuration of the wireless card with the address 192.168.13.100, mask 255.255.255.0 and gateway 192.168.13.1

h. Try to ping 192.168.13.1

i. Disconnect from Guest

j. Connect to Voice. Enter the network security key we have defined: voice_AP

k. Change the IP configuration of the wireless card with the address 192.168.14.100, mask 255.255.255.0 and gateway 192.168.14.1

l. Try to ping 192.168.14.1

m. Disconnect from Voice

5 Summary

This lab introduced you to the Initialization of the AP and the initial configuration of the AP. You

Part No. 060407-00 Rev. B September 2015

SMB Configuration Guide

enterprise.alcatel-lucent.com


enterprise.alcatel-lucent.com Alcatel-Lucent and the Alcatel-Lucent Enterprise logo are trademarks of Alcatel-Lucent. To view other trademarks used by affiliated companies of ALE Holding, visit: enterprise.alcatel-lucent.com/trademarks. All other trademarks are the property of their respective owners. The information presented is subject to change without notice. Neither ALE Holding nor any of its affiliates assumes any responsibility for inaccuracies contained herein. (July 2015)

Service & Support Contact Information

North America: 800-995-2696

Latin America: 877-919-9526

EMEA: +800 00200100 (Toll Free) or +1(650)385-2193

Asia Pacific: +65 6240 8484

Web: service.esd.alcatel-lucent.com

Email: [email protected]

Contents

Chapter 1 SMB Overview and Quick Configuration
  In This Chapter
  Overview
  OmniPCX Office RCE Quick Configuration
  OmniSwitch Quick Configuration
  OAW-IAP Quick Configuration
  Upgrade Information

Chapter 2 SMB Configuration With OmniPCX Office RCE
  In This Chapter
  OmniPCX Office RCE Setup for OmniSwitch Auto Configuration
  OmniSwitch Auto Configuration through OmniPCX Office RCE
  IAP Configuration
    Step 1. Power up IAP
    Step 2. Connecting to instant
    Step 3. Configure IAP

Chapter 3 SMB Configuration Without OmniPCX Office RCE
  In This Chapter
  OmniSwitch Configuration
  IAP Configuration
    Step 1. Power up IAP
    Step 2. Connecting to instant SSID
    Step 3. Configuring IAP

1 SMB Overview and Quick Configuration

This chapter provides a brief overview of the Alcatel-Lucent Enterprise SMB (small-medium business) solution along with the steps for quickly configuring the various components. For more detailed step-by-step instructions refer to the appropriate configuration chapter.

In This Chapter

The information described in this chapter includes:

• “Overview” on page 1-2

• “OmniPCX Office RCE Quick Configuration” on page 1-3

• “OmniSwitch Quick Configuration” on page 1-3

• “OAW-IAP Quick Configuration” on page 1-4

• “Upgrade Information” on page 1-5

Overview

This configuration guide covers how to install the various components of the Alcatel-Lucent Enterprise SMB (small-medium business) solution. The SMB market can be addressed via two Alcatel-Lucent Enterprise solutions: one includes an OmniSwitch™ and OmniAccess™ Instant Access Points (IAPs), enabling high speed wired and wireless (Wi-Fi) LAN access, referred to as the Mobility solution, while the second includes OmniPCX™ Office RCE, providing IP Telephony, for a complete voice/data/Wi-Fi solution.

This SMB Configuration Guide describes the installation steps based on the following products.

• OmniPCX™ Office RCE
  Note: Minimum version R10.2 is required for the OmniPCX Office RCE information described in this document. See “Upgrade Information” on page 1-5 for information on upgrading to R10.2.

• OmniSwitch OS6450-P24

• OmniSwitch OS6450-P48

• OmniSwitch OS6450-P10

• OmniSwitch OS6450-P10L

• OmniSwitch OS6250-P24

• OmniSwitch OS6450-P24L

• OmniSwitch OS6450-P48L

• OmniSwitch 6350-P24

• OmniSwitch 6350-P48

• OAW-IAP

Chapter 1 provides quick steps to configure these products, Chapter 2 provides a detailed procedure to configure OmniPCX Office RCE, the OmniSwitch and the OAW-IAP, and Chapter 3 provides a detailed procedure to configure the OmniSwitch and OAW-IAP when OmniPCX Office RCE is not installed.

For additional solution information please refer to the SMB Solution Sheet.

OmniPCX Office RCE Quick Configuration

If using OmniPCX Office RCE version R10.2, no configuration is required; the necessary files are already included as part of the default configuration.

1 The os_conf configuration file contains the following commands and will be used to automatically configure the OmniSwitch:

system daylight savings time disable
vlan 1 enable name "VLAN 1"
ip service all
ip interface dhcp-client vlan 1 ifindex 1
ip interface dhcp-client vsi-accept-filter "alcatel.a4400.0"
aaa authentication default "local"
aaa authentication console "local"
bridge mode flat
qos enable
qos trust ports
qos no phones
swlog console level info
lanpower start 1

2 The os_script script file contains the following command for certifying the configuration:

copy working certified

3 The os_ins.alu instruction file contains the following entries describing the location and file names needed by the OmniSwitch:

Config filename: os_conf

Config location: /tftpboot

Script filename: os_script

Script location: /tftpboot

OmniSwitch Quick Configuration

Follow the steps below to automatically configure the OmniSwitch:

1 Connect an Ethernet cable between the OmniPCX Office RCE and the OmniSwitch.

2 Connect AC power cord on the OmniSwitch.

3 The OmniSwitch will boot up and automatically download the configuration files from the OmniPCX Office RCE. Once the download is complete, the OmniSwitch will reboot again. This process will take approximately 6 to 8 minutes.

Note. DO NOT INTERRUPT WHEN AUTO CONFIGURATION IS IN PROGRESS.

Note. Repeat these steps for the installation of each OmniSwitch.

OAW-IAP Quick Configuration

1 Connect an Ethernet cable between the IAP and the OmniSwitch, then wait approximately 6 minutes for the IAP to initialize.

2 Using a wireless PC, scan the wireless networks and connect to the instant SSID.

3 Open a web browser to http://instant.alcatel-lucent.com.

4 Log in to the OAW-IAP UI with admin as the username and password.

Note. Alcatel-Lucent recommends that you change the administrator credentials after the initial configuration.

Note. If the country code window is displayed after a successful login, select a country from the list.

5 From the AOS-W Instant UI main window, click New under the Networks section. The New WLAN window is displayed.

6 In the New WLAN setting tab, enter an SSID name for the network and click Next.

7 In the VLAN tab, select the required Client IP assignment and Client VLAN assignment options and click Next.

8 In the Security tab, enter a unique passphrase and retype it to confirm and click Next.

9 In the Access tab, ensure that the Unrestricted access control is specified and click Finish.

10 The new network is added and displayed in the Networks window.

Note. After the secure wireless network access is configured, Alcatel-Lucent recommends deleting the instant SSID to protect from unauthorized wireless access.

Upgrade Information

When upgrading to OmniPCX Office RCE version R10.2:

• The old default configuration files will be replaced with the new default configuration files of R10.2.

• Any customized configuration files will be retained in R10.2.

2 SMB Configuration With OmniPCX Office RCE

This chapter describes the detailed configuration steps to install the SMB solution with the OmniPCX Office RCE.

In This Chapter

The information described in this chapter includes:

• “OmniPCX Office RCE Setup for OmniSwitch Auto Configuration” on page 2-2

• “OmniSwitch Auto Configuration through OmniPCX Office RCE” on page 2-2

• “IAP Configuration” on page 2-3

OmniPCX Office RCE Setup for OmniSwitch Auto Configuration

If using OmniPCX Office RCE version R10.2, no configuration is required; the necessary files are already included as part of the default configuration. See “OmniPCX Office RCE Quick Configuration” on page 1-3 for a description of the files and their contents.

OmniSwitch Auto Configuration through OmniPCX Office RCE

Follow the steps below to auto configure the OmniSwitch:

1 The OmniSwitch should be in factory default mode with no boot.cfg file.

2 Connect an Ethernet cable between the OmniPCX Office RCE and the OmniSwitch.

OmniPCX Office RCE / OmniSwitch Ethernet Connection

3 Connect the AC power cord on OmniSwitch.

OmniSwitch AC Power Connection

4 The OmniSwitch will boot up and automatically download the configuration files from the OmniPCX Office RCE. Once the download is complete, the OmniSwitch will reboot again. This process will take approximately 6 to 8 minutes.

Note. DO NOT INTERRUPT WHEN AUTO CONFIGURATION IS IN PROGRESS.

Note. Repeat these steps for the installation of each OmniSwitch.

IAP Configuration

The next process in the installation of SMB is the IAP configuration. This section describes the steps to configure the IAP.

Step 1. Power up IAP

1 The IAP should be in factory default mode without any configuration.

2 Connect an Ethernet cable between the IAP and the OmniSwitch, then wait approximately 6 minutes for the IAP to initialize.

OAW-IAP Ethernet Connection

OmniSwitch/IAP Ethernet Connection

3 Wait for all LEDs on the IAP to turn green and blink.

LEDs turned green and blinking

Step 2. Connecting to instant

1 Using a wireless PC, scan the wireless networks and connect to the instant SSID.

Connecting to SSID

2 Open a web browser to http://instant.alcatel-lucent.com.

If not able to connect, disable proxy setting in the browser.

Instant Alcatel-Lucent browser

Step 3. Configure IAP

1 Log in to the AOS-W instant UI with admin as both the username and the password.

Note. Alcatel-Lucent recommends that you change the administrator credentials after the initial configuration. For more information, see the Management Authentication Settings section in AOS-W Instant User Guide.

Log in to the AOS-W instant UI

Note. If the country code window is displayed after a successful login, select a country from the list. The country code window is displayed only when OAW-IAP-ROW (Rest of world) variants are installed. The country code setting is not applicable to the OAW-IAPs designed for US, Japan, and Israel.

2 To create a secure wireless network access, perform the following steps:

a. From the AOS-W instant UI main window, click New under the Network section. The New WLAN window is displayed.

New WLAN window

b. In the New WLAN setting tab, enter an SSID name for the network and click Next.

New WLAN setting tab

c. In the VLAN tab, select the required Client IP assignment and Client VLAN assignment options and click Next.

VLAN setting tab

d. In the security tab, enter a unique passphrase and retype it to confirm. Click Next.

Security setting tab

e. In the Access tab, ensure that the Unrestricted access control is specified and click Finish.

Access setting tab

f. Try connecting to the new SSID that was just created. Ensure network access before proceeding to deleting instant SSID step.

3 Delete the instant SSID to protect from unauthorized wireless access. Follow the steps below to delete the instant SSID:

a. Select instant SSID in Networks. Click X and click Delete Now.

Instant deletion window

Instant deletion confirm window

Note. For multiple OAW-IAPs deployment, IAPs automatically find each other in same subnet and form a single functioning network managed by a Virtual Controller. It is recommended to configure a virtual controller IP in a multiple IAP deployment scenario. Please refer to user manual for configuration procedure.

This completes the IAP configuration with secure wireless access.

3 SMB Configuration Without OmniPCX Office RCE

This chapter describes the detailed configuration steps to configure the SMB solution without an OmniPCX Office RCE.

In This Chapter

The information described in this chapter includes:

• “OmniSwitch Configuration” on page 3-2

• “IAP Configuration” on page 3-3

OmniSwitch Configuration

To install the SMB solution without an OmniPCX Office RCE, the OmniSwitch must be manually configured. To configure the OmniSwitch, follow the steps below:

1 The OmniSwitch should be in the factory default mode with no boot.cfg file.

2 Connect the AC power cord on the OmniSwitch.

OmniSwitch AC Power Connection

3 Connect to the console and log in to the OmniSwitch CLI with admin and switch as the username and password, respectively.

Console Connection

4 Execute the following commands:

-> system daylight savings time disable

-> vlan 1 enable name "VLAN 1"

-> ip service all

-> ip interface dhcp-client vlan 1 ifindex 1

-> ip interface dhcp-client vsi-accept-filter "alcatel.a4400.0"

-> aaa authentication default "local"

-> aaa authentication console "local"

-> bridge mode flat

-> qos enable

-> qos trust ports

-> qos no phones

-> swlog console level info

-> lanpower start 1

-> write memory

-> copy working certified

Note. Repeat these steps for the installation of each OmniSwitch.
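A drift check for the os_conf, os_script and os_ins.alu files described in Chapter 1 and for the same command list typed by hand in the steps above, as an added example that is not part of this guide or of any Alcatel-Lucent tooling. It compares what is served or entered against the documented list, because the switch applies whatever os_ins.alu names; the in-memory file map, the handling of '!' comment lines and the review note on ip service all are assumptions of this example.

```python
import re

# Command list exactly as this guide documents it for os_conf.
BASELINE_CONFIG = [
    'system daylight savings time disable',
    'vlan 1 enable name "VLAN 1"',
    'ip service all',
    'ip interface dhcp-client vlan 1 ifindex 1',
    'ip interface dhcp-client vsi-accept-filter "alcatel.a4400.0"',
    'aaa authentication default "local"',
    'aaa authentication console "local"',
    'bridge mode flat',
    'qos enable',
    'qos trust ports',
    'qos no phones',
    'swlog console level info',
    'lanpower start 1',
]
BASELINE_SCRIPT = ['copy working certified']
# The manual procedure adds 'write memory' before certifying.
BASELINE_MANUAL = BASELINE_CONFIG + ['write memory'] + BASELINE_SCRIPT

# Annotation added by this example (not text from the guide).
REVIEW_NOTES = {
    'ip service all': 'enables every IP management service; narrow after install',
}
REQUIRED_KEYS = ('Config filename', 'Config location',
                 'Script filename', 'Script location')


def normalize(line):
    """Drop a leading '-> ' CLI prompt and collapse runs of whitespace."""
    return ' '.join(re.sub(r'^\s*->\s*', '', line).split())


def commands(text):
    """Return the normalized, non-empty, non-comment lines of a config."""
    out = []
    for raw in text.splitlines():
        line = normalize(raw)
        if line and not line.startswith('!'):  # '!' comments: an assumption
            out.append(line)
    return out


def parse_instruction(text):
    """Parse the 'Key: value' entries of os_ins.alu shown in this guide."""
    entries = {}
    for raw in text.splitlines():
        if ':' in raw:
            key, value = raw.split(':', 1)
            entries[key.strip()] = value.strip()
    missing = [k for k in REQUIRED_KEYS if not entries.get(k)]
    if missing:
        raise ValueError('instruction file lacks: ' + ', '.join(missing))
    return entries


def audit(text, baseline):
    """Compare a config, script or CLI transcript with a documented list."""
    seen = commands(text)
    return {
        'missing': [c for c in baseline if c not in seen],
        'unexpected': [c for c in seen if c not in baseline],
        'review': [(c, REVIEW_NOTES[c]) for c in seen if c in REVIEW_NOTES],
    }


def audit_bundle(instruction_text, files):
    """Follow os_ins.alu to the config and script it names and audit both.

    `files` maps a path to file content (hypothetical stand-in for the
    directory the files are served from), so the check runs offline.
    """
    ins = parse_instruction(instruction_text)
    report = {}
    for kind, baseline in (('Config', BASELINE_CONFIG),
                           ('Script', BASELINE_SCRIPT)):
        path = ins[kind + ' location'].rstrip('/') + '/' + ins[kind + ' filename']
        if path not in files:
            report[path] = {'error': 'file named in os_ins.alu not found'}
        else:
            report[path] = audit(files[path], baseline)
    return report


SAMPLE_INSTRUCTION = """\
Config filename: os_conf
Config location: /tftpboot
Script filename: os_script
Script location: /tftpboot
"""

# Constructed drifted copy: console authentication line dropped and the
# DHCP accept-filter value replaced with a constructed one.
SAMPLE_FILES = {
    '/tftpboot/os_conf': '\n'.join(
        'ip interface dhcp-client vsi-accept-filter "constructed.example"'
        if c.startswith('ip interface dhcp-client vsi') else c
        for c in BASELINE_CONFIG if c != 'aaa authentication console "local"'
    ),
    '/tftpboot/os_script': 'copy working certified\n',
}

if __name__ == '__main__':
    for path, result in audit_bundle(SAMPLE_INSTRUCTION, SAMPLE_FILES).items():
        print(path, result)
```

For a manually configured switch, pass the captured console session to `audit()` with `BASELINE_MANUAL` as the reference list.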

IAP Configuration

The next process in the installation of the SMB solution is the IAP configuration. This section describes the steps to configure the IAP.

Step 1. Power up IAP

1 The IAP should be in factory default mode without any configuration.

2 Connect an Ethernet cable between the IAP and the OmniSwitch, then wait approximately 6 minutes for the IAP to initialize.

OAW-IAP Ethernet Connection

OmniSwitch/IAP Ethernet Connection

3 Wait for all LEDs on the IAP to turn green and blink.

LEDs turned green and blinking

Step 2. Connecting to instant SSID

1 Using a wireless PC, scan the wireless networks and connect to the instant SSID.

Connecting to SSID

2 Open a web browser to http://instant.alcatel-lucent.com.

If not able to connect, disable the proxy settings in the browser.

Instant Alcatel-Lucent browser

Step 3. Configuring IAP

1 Log in to the AOS-W instant UI with admin as both the username and the password.

Note. Alcatel-Lucent recommends that you change the administrator credentials after the initial configuration. For more information, refer to the Management Authentication Settings section in the AOS-W Instant User Guide.

Log in to the AOS-W instant UI

Note. If the country code window is displayed after a successful login, select a country from the list. The country code window is displayed only when OAW-IAP-ROW (Rest of world) variants are installed. The country code setting is not applicable to the OAW-IAPs designed for US, Japan, and Israel.

2 To create a secure wireless network access, perform the following steps:

a. From the AOS-W instant UI main window, click New under the Network section. The New WLAN window is displayed.

New WLAN window

b. In the New WLAN setting tab, enter an SSID name for the network and click Next.

New WLAN setting tab

c. In the VLAN tab, select the required Client IP assignment and Client VLAN assignment options and then click Next.

VLAN setting tab

d. In the security tab, enter a unique passphrase and retype it to confirm and click Next.

Security setting tab

e. In the Access tab, ensure that the unrestricted access control is specified and click Finish.

Access setting tab

f. Try connecting to new SSID that was just created. Ensure network access before proceeding to deleting instant SSID step.

3 Delete the instant SSID to protect from unauthorized wireless access. Follow the below steps to delete the instant SSID:

a. Select instant SSID in network. Click X and click Delete Now.

SSID deletion window

Instant deletion confirm window

Note. In a multiple OAW-IAP deployment, the IAPs automatically find each other in the same subnet and form a single functioning network managed by a Virtual Controller. It is recommended to configure virtual controller IP in multiple IAP deployment scenario. Please refer to AOS-W user manual for configuration procedure.

This completes IAP configuration with secure wireless access.

• What’s in it for you

Demonstration booking forms

User guides

Requirement lists

Videos

Access to the help desk (from 9am to 6pm CET – PST)

And much more!

• Specific demonstrations can be handled upon request

FREE SERVICE to conduct remote demonstrations on your premises or the customer’s from our data center on selected ALE Communications and Network solutions

http://edemo.al-mydemo.com/

Book your remote demo through the eDemo website!

ACCESS TO TECHNICAL SUPPORT

ENTERPRISE CUSTOMER CARE GUIDELINE – JANUARY 2016

Contents

1 Objective
2 Introduction
3 Requirements for accessing technical support
3.1. Accessing Technical support
3.1.1. Service Contract Check
3.1.2. Engineer Certification Check
3.2. Opening Severity 1,2,3 and 4 severities
3.3. Basic Requirements for opening an eService Request
3.4. Status of eService Request
3.5. eService Request Escalation
3.6. END CUSTOMER NAME
4 Incident Severity
4.1. Severity 1: Critical severity (Severity One)
4.2. Severity 2: High severity (Severity Two).
4.3. Severity 3: Medium severity (Severity Three)
4.4. Severity 4: Low severity (Severity Four)
5 Tools available:
5.1. Contact Checker
5.2. Alcatel-Lucent Enterprise Application Partner Program (AAPP)
5.3. Security Advisories
5.4. Technical communications
5.5. The Knowledge Center
5.6. Twitter and Facebook
5.7. Contacts

Notes

This document is provided and supported by Alcatel Lucent Enterprise Customer Care

1 Objective

This document defines how a Business Partner expert can access technical support.

2 Introduction

End-Customers report their technical issues to our business partners who provide them support & services. Certified Engineers of our business partners are entitled to open request to Alcatel Lucent Enterprise Technical Support organization. The system for which the issue is reported must have a valid support contract (SPS).

3 Requirements for accessing technical support

3.1. Accessing Technical support

When accessing technical support, our teams will first perform the following checks:

3.1.1. Service Contract Check

Our Welcome Center will first check the Service Contract status (depending on the product):

- Valid Service contract (SMS/SES or SPS since July 2012) for OmniPCX Enterprise, OpenTouch and related Communications applications.

- Valid Support Fees for Data solutions.

It is recommended that the business partner engineers keep their certifications up to date and verify the system for which an issue is reported has a valid contract, prior to reaching out to Alcatel Lucent Enterprise support. Contracts status can be checked at:

http://enterprise.alcatel-lucent.com/?services=SupportServices&page=ContractChecker

3.1.2. Engineer Certification Check

Our Welcome Center will then verify the certification levels. The engineer must have a valid and unexpired post-sales certification for the solution he is asking support on.

CERTIFICATIONS (function, certification, description)

SALES

- ACSR, Alcatel-Lucent Certified Sales Representative: for sales representatives who sell Alcatel-Lucent products and solutions

POSTSALES

- ACSE, Alcatel-Lucent Certified System Expert: for expert engineers in charge of complex configurations, installation and remote service support

- ACFE, Alcatel-Lucent Certified Field Expert: for field engineers in charge of advanced configurations, installation and service support

PRESALES

- ACPS, Alcatel-Lucent Certified Presales: for presales engineers who design large/complex networking projects

- AQPS, Alcatel-Lucent Qualified Presales: for presales engineers who design stand-alone projects

3.2. Opening Severity 1,2,3 and 4 severities

For Severity 3 (S3) and Severity 4 (S4) cases, you can contact us by telephone, e-mail or via the internet, through the eService Request on the BP Enterprise Business Portal.

For Severity 1 (S1) and Severity 2 (S2) cases, you must contact us by telephone only. In that case, you will be routed immediately to an Alcatel-Lucent engineer.

E-mail: [email protected]

Phone: + 1 650 385 2193

Answer: + 1 650 385 2193

French answer: + 1 650 385 2196

German answer: + 1 650 385 2197

Spanish answer: + 1 650 385 2198

3.3. Basic Requirements for opening an eService Request

When opening an eSR, our business partner expert is expected to provide the system ID (or serial number). In a majority of cases, the Alcatel-Lucent Support Engineer has limited knowledge about the customer configuration and the environment, so it is key to provide as much information as possible to the technical support engineer to speed up the troubleshooting process:

- Business impacts, occurrence of the issue, reproducibility

- Detailed description of the issue, the use case / scenario for which the issue can be observed

- Description of the environment, products and servers involved with their software release

Before opening an eService Request, please make sure that:

- The solution you are implementing is supported

- Your problem has not already been reported and fixed (use our TKC knowledge base and Release note library)

- You have read the technical tips related to the subject

Please note that for most products or solutions, a form that contains all required information is available in the support section of our business partner web site.

3.4. Status of eService Request

With the online Alcatel-Lucent eService Request tool, you can easily track progress or update your eService Requests with notes and attachments. The status can be set to:

- Open: Your Alcatel-Lucent engineer is currently investigating the issue (analysis of the issue, lab replication efforts, configuration verifications, software code verification, …)

- Pending-External: Your Alcatel-Lucent TAC engineer has requested additional information from you

- Customer validation: Your eService Request has been treated. We await your validation of our answer. Without any feedback, the SR will be automatically closed after 10 days for an eSR, 60 days for a PR (Engineering request)

- Validation refused: You have refused our answer, the SR/PR will be re-opened

- Closed: Your eService Request is closed.

3.5. eService Request Escalation

When your business is impacted or in danger due to Technical Support issues, contact us through the escalation procedure. If you are not completely satisfied with the progress on resolving your eService Request or if your business is impacted, please contact us through the escalation procedure.

3.6. END CUSTOMER NAME

Switching from a pure “case by case” approach, to a more “Customer” oriented approach

In order to improve our need to end customer support, we populate our CRM data base with the end customer name information to provide better management of the overall customer situation and environment and improve the level of service and feedback ALE can provide. Kindly provide us with the end customer name when opening an eSR with ALCATEL LUCENT ENTERPRISE CUSTOMER CARE.

4 Incident Severity

To ensure that all customer maintenance and support problems are reported and evaluated in a standard format by the Partner and the customer, four (4) problem severity levels have been established. These severity levels will assist the Partner and Alcatel in allocating the appropriate resources to resolve problems and use a common classification system that facilitates all action plans and decisions. According to the problem severity level, the Partner must contact Alcatel Technical Support via the Welcome Center to report the problem and determine an action plan in order to resolve the issue with all the resources needed within a specific period of time.

The order of priority levels begins from the most severe system breakdown (severity 1) to normal assistance and routine support and information requests with no impact on the customer day to day operations (severity 4).

4.1. Severity 1: Critical severity (Severity One)

End User’s telecommunications network or a major business application is down, causing a critical impact to business operations if service is not restored quickly. Severity 1 cases are processed 24 hours a day seven days a week. Alcatel requires that a certified technician of the Business Partner is onsite to qualify the issue as a Severity 1.

4.2. Severity 2: High severity (Severity Two).

End User’s service is not down but telecommunications network or a main business application is severely degraded with a significant impact to business operations. Workaround needs to be delivered if possible.

4.3. Severity 3: Medium severity (Severity Three)

Network functionality is noticeably impaired but most business operations continue with medium business impact to customer.

4.4. Severity 4: Low severity (Severity Four)

Network functionality is loosely impaired or End User requires information or assistance on Alcatel product capabilities, system installation or configuration. These ordinary issues have very low business impact to customer.

5 Tools available:

5.1. Contact Checker

This tool can be used to verify the validity of the support contract by entering either the support contract number or the CPU ID.

http://enterprise.alcatel-lucent.com/?services=SupportServices&page=ContractChecker

5.2. Alcatel-Lucent Enterprise Application Partner Program (AAPP)

Kindly VISIT THE APPLICATION PARTNER PORTAL at

http://applicationpartner.alcatel-lucent.com

5.3. Security Advisories

That section contains all the latest available information about security alerts and security recommendations when deploying Alcatel-Lucent Enterprise solutions in a customer environment. Regular connections to that section of our support portal are important to stay up to date with the latest security communications.

5.4. Technical communications

You can find all technical documentation published by Alcatel-Lucent Enterprise Customer Care (trouble shooting guides, quick set up guides etc …). Those documents complement the product documentation which is also available in that section of our business partner web site.

5.5. The Knowledge Center

This tool is now available to all our business partners. Each time an issue is resolved, our support engineers publish a knowledge article available to all experts.

5.6. Twitter and Facebook

The Technical Support Facebook and Twitter channels are accessible in the Technical Quick Links on the technical support page.

The objective is to increase the awareness of our:

- New software releases

- New technical communications

- AAPP InterWorking Reports

- Newsletter

All products (Voice & data) are covered, and direct access is given to the related software or document on the Business Portal.

5.7. Contacts

Please contact one of the following persons should you have any additional questions regarding Customer Care support access and procedures:

- Franck DUPUY: [email protected]

- Marc CHAUVIN: [email protected]

- Eric LECHELARD: [email protected]

End of document

Find a Course

Browse our catalog available on ALE Knowledge Hub (https://enterprise-education.csod.com) to find your training path and course detail.

Feedback

In order to improve the quality of the documentation, please report any feedback to:

Address:
Alcatel-Lucent Enterprise
115-225 rue Antoine de Saint-Exupéry
ZAC Prat Pip – Guipavas
29806 BREST CEDEX 9 – France
FAX: (33) 2 98 28 50 03

Or Email: [email protected]