25 November 2008

Handy Commands for Cisco Initial Configuration

I find the following Cisco commands very useful for the initial configuration of Cisco devices.
I always use them when configuring a device from a fresh configuration.

router> enable
router# configure terminal
router (config)# no ip domain-lookup

The no ip domain-lookup command is very useful. What it does is tell the Cisco device not to do a DNS lookup when you mistype something in the CLI. For example, without no ip domain-lookup, if you do this:

router# pign
Translating "pign"... domain server (
%unknown command or computer name, or unable to find computer address

The Cisco device tries to resolve pign as a host name; it doesn't know that you mistyped ping. This can take a very long time.
With no ip domain-lookup applied, the device won't attempt the lookup at all.

The second command is the alias command, which creates an alias for a command you use frequently.
For example, if you often use show ip interface brief, you can alias it to "ship":

router (config)# alias exec ship show ip interface brief

You configure it by entering alias first, followed by the mode the command lives in (in this example the show command is in exec mode), then the alias itself, and finally the full command you want to alias.
Now you only have to type ship instead of the long show ip interface brief.

The next command is useful when you connect to a Cisco device and need a long time to configure it.
Cisco devices have a default limit on how long an idle session stays connected. Sometimes you don't want to keep reconnecting, but mind you, that time limit is there for security reasons.

router (config)# line vty 0 4
router (config-line)# no exec-timeout

The above commands tell the router to give you all the time you need when configuring it over a telnet session; it won't cut your connection. You can configure the same for the console connection.

The last one is my favorite. When you're configuring a Cisco device you sometimes get notifications from it, which is great: it tells you what's going on inside.
But it gets annoying when the notifications land in the middle of a half-written command.
The following command tells the router to reprint the command you were typing after a notification interrupts it:

router (config)# line vty 0 4
router (config-line)# logging synchronous

I hope these commands are useful for you.
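As an added example (not part of the original post), here is a small Python audit of a running-config for the four settings this post covers. The sample config is constructed; the helper names are my own. It treats a disabled idle timer on the vty lines as a warning, since, as the post notes, the timeout exists for security reasons.

```python
"""Audit an IOS running-config for the initial-configuration settings
discussed in this post (added example, not from the original post)."""
import re

# Constructed sample running-config; hostname, lines and alias are made up.
SAMPLE_CONFIG = """\
!
hostname router
!
no ip domain-lookup
alias exec ship show ip interface brief
!
line con 0
 exec-timeout 10 0
 logging synchronous
line vty 0 4
 no exec-timeout
 logging synchronous
 login
!
end
"""


def ios_sections(config):
    """Split an IOS config into (header, [indented sub-commands]) tuples.
    Top-level commands become headers with an empty body."""
    sections = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if sections:
                sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def audit_initial_config(config):
    """Return findings: whether DNS lookup is off, the aliases defined, and per
    line (con/vty) whether the idle timer is disabled and logging is synchronous.
    IOS may store a disabled timer as 'no exec-timeout' or 'exec-timeout 0 0'."""
    sections = ios_sections(config)
    headers = [h for h, _ in sections]
    findings = {
        "domain_lookup_disabled": "no ip domain-lookup" in headers,
        "aliases": {},
        "lines": {},
    }
    for header, body in sections:
        m = re.match(r"alias (\S+) (\S+) (.+)", header)
        if m:
            mode, short, full = m.groups()
            findings["aliases"][short] = (mode, full)
        if header.startswith("line "):
            disabled = any(cmd in ("no exec-timeout", "exec-timeout 0 0", "exec-timeout 0")
                           for cmd in body)
            findings["lines"][header] = {
                "exec_timeout_disabled": disabled,
                "logging_synchronous": "logging synchronous" in body,
            }
    return findings


def report(findings):
    """Human-readable summary of the findings."""
    out = [f"no ip domain-lookup: {'yes' if findings['domain_lookup_disabled'] else 'NO'}"]
    for short, (mode, full) in findings["aliases"].items():
        out.append(f"alias {mode} {short} -> {full}")
    for name, st in findings["lines"].items():
        timer = "WARNING: idle timeout disabled" if st["exec_timeout_disabled"] else "idle timeout active"
        sync = "logging synchronous" if st["logging_synchronous"] else "no logging synchronous"
        out.append(f"{name}: {timer}, {sync}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(audit_initial_config(SAMPLE_CONFIG)))
```

Run it against the output of `show running-config` saved to a file; the warning is the thing to look for before a lab config gets copied onto a device that faces anything other than your own desk.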

21 November 2008

Handy Cisco Command - Interface Range

There are many handy Cisco commands that can help you configure Cisco devices. They are not exactly secret commands, but you might not get them from the CCNA curriculum.

One of these handy commands I already posted in a previous post, but I want to cover it again in case you missed it.

This one is the interface range command. What it does is select a range of interfaces and apply the same commands to all of them.
This is very handy, especially in a Cisco switch environment where you might want to set a number of ports as access ports or apply the same security settings to them, instead of doing it one interface at a time.

For example, to select interfaces fastethernet 0/2 to 0/8, with the interface range command I'd just do this:

2950> enable
2950# configure terminal
2950 (config)# interface range fa0/2 - 8
2950 (config-if-range)#

Notice that instead of the 2950 (config-if)# prompt you get when you issue interface fa0/2, you get the 2950 (config-if-range)# prompt, which shows that you have selected a range of interfaces.

When you want to select interfaces that are not sequential, say fa0/2 to fa0/8, then fa0/10 to fa0/16, and then fa0/24, you can do it like this:

2950 (config)# interface range fa0/2 - 8, fa0/10 - 16, fa0/24
2950 (config-if-range)#

I'll be posting more handy Cisco commands next time; hope this one is useful for you.
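To make the range syntax concrete, here is an added Python example (mine, not from the original post) that expands an interface range expression into the individual interfaces and renders the equivalent per-interface configuration. The function names are my own; the access-port commands in the usage are constructed sample input.

```python
"""Expand an IOS 'interface range' argument and show what the shortcut is
equivalent to (added example, not from the original post)."""
import re

# One range item: a prefix ending in '/', a start number and an optional end.
# Tolerates the spacing variants 'fa0/2 - 8', 'fa0/2 -8' and 'fa0/2-8'.
_ITEM = re.compile(r"^\s*([A-Za-z]+[\d/]*?/)(\d+)\s*(?:-\s*(\d+))?\s*$")


def expand_interface_range(spec):
    """Return the list of interface names covered by a range expression such as
    'fa0/2 - 8, fa0/10 - 16, fa0/24'. Raises ValueError on malformed or
    overlapping items."""
    interfaces, seen = [], set()
    for item in spec.split(","):
        m = _ITEM.match(item)
        if not m:
            raise ValueError(f"cannot parse range item: {item!r}")
        prefix, first, last = m.group(1), int(m.group(2)), m.group(3)
        last = int(last) if last is not None else first
        if last < first:
            raise ValueError(f"range end before start: {item!r}")
        for n in range(first, last + 1):
            name = f"{prefix}{n}"
            if name in seen:
                raise ValueError(f"interface listed twice: {name}")
            seen.add(name)
            interfaces.append(name)
    return interfaces


def render_range_config(spec, commands):
    """Render the long-hand equivalent: the same commands under every
    expanded interface, one interface block after another."""
    out = []
    for name in expand_interface_range(spec):
        out.append(f"interface {name}")
        out.extend(f" {cmd}" for cmd in commands)
    return "\n".join(out)


if __name__ == "__main__":
    spec = "fa0/2 - 8, fa0/10 - 16, fa0/24"
    print(expand_interface_range(spec))
    # Constructed sample: typical access-port settings one might push to a range
    print(render_range_config(spec, ["switchport mode access",
                                     "switchport port-security"]))
```

The duplicate check matters when ranges are built by hand: IOS itself would simply apply the commands twice, but a script that generates config from a port list should refuse overlapping ranges rather than silently double-apply them.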

19 November 2008

Do I Need Lightning and Surge Protection?

That was what I worried about when first building my Cisco home lab. I never worried about it before, since I only had my laptop, a couple of PCs and the good old Linksys networking devices.

No matter what devices I have, I should have installed lightning and surge protection for all of my electronics.

Lightning, power surges and spikes are the main enemy of electronic devices. Lightning can cause a major power surge and spike: when lightning strikes it causes a brief but huge spike, which can reach 50 million volts. It's brief but deadly.

And it's not only surges from lightning. If you live in an old neighborhood, sometimes the electricians didn't do their work very well, or the electrical installation is simply too old, so power surges and spikes can happen at any time.

Knowing this, I immediately bought a surge protector, one from Belkin, and I use it to protect only my networking devices.

But you never know. I only worried about surges and spikes from the electrical line; I forgot about the line coming in from my internet cable.

About three days ago lightning struck, I don't know where. It doesn't have to hit your home directly; it can strike a neighbor's home some miles away and still get to you.

One lightning strike: one cable modem, one Philips LCD TV, one computer and one CATV splitter dead. Thank God the modem and TV were still under warranty.
Luckily my Cisco devices are okay, thanks to the surge protector, I think.

Man, it was a nightmare. One big thunderclap and suddenly everything was down: the lights, computers, everything.
All suddenly dark, I spotted a spark somewhere, a loud cracking sound, and everyone just went aaahhhhh.
Even when the computers were turned on again after a while, the NICs didn't work for some time; luckily they do now.
My laptop is still mute, though: the speaker and some USB ports are dead.

So the moral of this story: buy some lightning and surge protectors; at least they provide protection to some degree.
You can also buy surge protectors with phone-line protection for a DSL connection, or coaxial protection for a cable internet connection.

What about a UPS? Some UPSes also provide lightning and surge protection, but I prefer to have both.
Plug the surge protector into the electrical outlet first, and then plug the UPS into the surge protector.
And remember to buy them from a reputable vendor like APC or other brands; they cost more indeed, but there's no doubt about the quality.

If you don't want to buy them, then the best protection against lightning strikes at home is to turn off all the devices and unplug all the power cables when it's raining heavily.

Hope this experience of mine won't happen to you.

16 November 2008

Building HotSpot

Ever wondered how to build your very own wifi hotspot? If you followed my previous posts, I hope you managed to build your own home network; that suffices for the first step in building a wifi hotspot.

The next things to consider are how to manage your network. You certainly don't want just anyone joining your wireless network, right? That is, unless you want to build a free-for-all hotspot.

You also don't want people eating all your bandwidth, so somehow you need to limit the hotspot users, and limit their access so they can't join your internal LAN.

If you want these features in your hotspot, you are probably going to need something called a captive portal.

What a captive portal does is this: when someone joins your wireless network and opens a web browser, the captive portal redirects the browser to your HTML page, no matter what URL was requested.
That page of yours is typically a welcome page or a login page, so only certain people can make use of your wireless network.
This is great for public wifi hotspots.

There are many captive portals to be found, free or commercial; the one I'm familiar with is from publicIP, called ZoneCD.

Most captive portals you'll find work the same way: they need you to put a PC between your wireless device and your internal network or internet router.
This is the image I got from the publicIP ZoneCD:

The PC should have 2 NICs (Network Interface Cards): one goes to your internal LAN, the other to the wireless LAN.
That PC does all the authentication of the wireless users, the bandwidth limiting, etc.

What I like most about ZoneCD is that it's a Live CD: you just need a working PC, put in the CD, and the PC boots from it; nothing needs to be installed.
Sure, it's based on Linux/UNIX, but you don't need to know anything about Linux, you only need to know how to operate a PC, so they say.

You can do homepage redirection and content filtering for porn sites or downloads, ZoneCD has a built-in firewall, and you can modify the login page to your own taste or give it your company's logo.

12 November 2008

Configuring WPA and WPA2 on Cisco Aironet

In the last post I talked about configuring WEP authentication on a Cisco Aironet wireless access point.
Now I want to configure WPA and WPA2 to strengthen the wireless security.

Just a note: I put an image of a padlock on the last post, and now I give a picture of a vault to convey stronger security.
You know what I mean, padlock versus vault... oh, just forget it.

Back to the topic. When I first posted about WEP I said that WEP encryption is weak and that you'd better use encryption like WPA and WPA2.

WPA gives better key management and stronger cipher encryption. For those who don't know what a cipher is, it's the algorithm used for encryption and decryption; we'll be configuring the cipher when dealing with WPA and WPA2. WPA uses what is called TKIP, the Temporal Key Integrity Protocol, as its cipher.

WPA2 is even better than WPA: it uses a stronger encryption called AES, the Advanced Encryption Standard, and it creates fresh session keys so every packet sent is encrypted with a different key.

One other thing to know: WPA and WPA2 come in two flavors, Personal and Enterprise. In Enterprise mode we need an authentication server such as RADIUS; I don't have a RADIUS server currently, so I'll skip to Personal mode instead.
The Personal mode of WPA and WPA2 uses what is called WPA-PSK, the WPA Pre-Shared Key; we have to configure the same WPA-PSK on both the access point and the clients.

So let's get on to the configuration, WPA first, for my SSID Guest on VLAN 40:

1240AG> enable
1240AG# configure terminal
1240AG (config)# interface dot11radio 0
1240AG (config-if)# encryption vlan 40 mode ciphers tkip
1240AG (config-if)# ssid Guest
1240AG (config-if-ssid)# vlan 40
1240AG (config-if-ssid)# authentication open
1240AG (config-if-ssid)# authentication key-management wpa
1240AG (config-if-ssid)# wpa-psk ascii your-key-here

That's it, you've successfully configured WPA on a Cisco Aironet wireless access point. Just set the cipher to tkip, set the authentication to open, use the wpa key management, and the great thing about WPA is that we can use ASCII characters as the key instead of hexadecimal like we did when configuring WEP.

The WPA2 configuration differs from WPA in only a few small things: we have to set the cipher to AES and the key management to WPA version 2. Let's configure WPA2 for my SSID Admin on VLAN 30:

1240AG> enable
1240AG# configure terminal
1240AG (config)# interface dot11radio 0
1240AG (config-if)# encryption vlan 30 mode ciphers aes-ccm
1240AG (config-if)# ssid Admin
1240AG (config-if-ssid)# vlan 30
1240AG (config-if-ssid)# authentication open
1240AG (config-if-ssid)# authentication key-management wpa version 2
1240AG (config-if-ssid)# wpa-psk ascii your-key-here

Don't forget to check out how to set up the wireless network and the SSID in my last posts. Cheers.

10 November 2008

Configuring WEP Authentication on Cisco Aironet

Installing a wireless network for your LAN can mean you are directly exposing your network to the public.

Anyone can use a wireless sniffer and view all the traffic going between the wireless access point and the clients. That's why you need to add security to your wireless LAN.

This post is about WEP, or Wired Equivalent Privacy. The name says your wireless network will be as safe as your wired network, but that isn't the reality.
There are many WEP decryption tools out there: capture some packets with a wireless sniffer and use such a tool to find out the WEP key.

So we know WEP is not secure; nevertheless I want to show how to configure WEP authentication on a Cisco Aironet wireless access point.

WEP uses a 40-bit encryption key (10 hexadecimal characters) or a 128-bit key (26 hexadecimal characters).
Don't get a false sense of security from the key length; a longer key just means more packets need to be captured and more time is needed to recover it.

According to the IEEE 802.11 committee there are two types of authentication: shared-key and open authentication.

In shared-key authentication, the access point sends a challenge packet to the client, and the client must encrypt it with the right key (the WEP key) and return it to the access point.
This method is not secure, since everything is sent in clear text.

The other method is open authentication; as the name says, authentication is open, or you could say no authentication is required.
But when open authentication is used with WEP, the WEP key is used to encrypt all data before it is sent.

I have to admit I got a little confused the first time I configured authentication on Cisco Aironet access points, since no one taught me, so I had to browse all the configuration examples.

It's easier to use the web interface of the access point, but I want to configure it through the CLI.
To configure WEP authentication, start by entering the dot11radio interface:

1240AG> enable
1240AG# configure terminal
1240AG (config)# interface dot11radio 0

Create the SSID and associate it with the VLAN if you haven't done so already:

1240AG (config-if)# ssid Guest
1240AG (config-if-ssid)# vlan 40
1240AG (config-if-ssid)# authentication open
1240AG (config-if-ssid)# exit

Configure the WEP authentication:

1240AG (config-if)# encryption vlan 40 mode wep mandatory
1240AG (config-if)# encryption vlan 40 key 1 size 128bit 12345678901234567890123456 transmit-key

The first command tells the Cisco Aironet to do WEP encryption on VLAN 40 (SSID Guest) and makes it mandatory.
If you replace mandatory with optional, the use of WEP depends on the client configuration: clients can choose whether or not to encrypt their packets.

The second command tells the access point to use a 128-bit WEP key with the 26-character key above. You can use whatever key you choose as long as it consists of hexadecimal characters (0-9 and A-F).

Don't forget to set up the access point as I did in the last post.

08 November 2008

Configuring Cisco Aironet in Home Lab - Part 2

Now it's time to configure the Cisco Aironet wireless access point for the Cisco home lab.

The first thing I'm going to do is configure connectivity between the Cisco Aironet 1240AG wireless access point and the Cisco 2950 switch.

Here's a closer look at the network diagram of the wireless access point and the switch:

The network will be using VLAN 5 ( network) as the native VLAN and the rest of the VLANs will be used for the SSIDs.

There's an interface called the BVI, or Bridge-group Virtual Interface. What it does is bridge all of the interfaces in the access point, wired and wireless, so you can use the BVI's IP address to manage all of them.

A Cisco Aironet 1240AG wireless access point has one Fast Ethernet port, one console port, one dot11radio 0 interface for 802.11G, and one dot11radio 1 interface for 802.11A.

In this configuration I'm only going to configure dot11radio 0 for the 802.11G wireless network, since I only have the 802.11G antennas.
You can configure both 802.11A and 802.11G if you want.

First we configure the interface BVI 1 IP address:

1240AG> enable
1240AG# configure terminal
1240AG (config)# interface bvi 1
1240AG (config-if)# ip address
1240AG (config-if)# no shutdown

Now set the native VLAN (VLAN 5) on the wireless access point. We have to configure the native VLAN on both the fastethernet sub-interface and the dot11radio 0 sub-interface:

1240AG (config)# interface fastethernet 0.5
1240AG (config-subif)# encapsulation dot1q 5 native
1240AG (config-subif)# interface dot11radio 0.5
1240AG (config-subif)# encapsulation dot1q 5 native

Next is to set up the SSIDs, starting with the SSID for admin, and associate it with VLAN 30.
We configure the SSID on the dot11radio 0 interface first, then configure the VLAN on the dot11radio 0.30 and fastethernet 0.30 sub-interfaces.
For now I set up the SSID with open authentication.

1240AG (config)# interface dot11radio 0
1240AG (config-if)# ssid ADMIN
1240AG (config-if-ssid)# vlan 30
1240AG (config-if-ssid)# authentication open
1240AG (config-if-ssid)# exit

1240AG (config-if)# interface fastethernet 0.30
1240AG (config-subif)# encapsulation dot1q 30
1240AG (config-subif)# bridge-group 30

1240AG (config-subif)# interface dot11radio 0.30
1240AG (config-subif)# encapsulation dot1q 30
1240AG (config-subif)# bridge-group 30

The bridge-group command groups interfaces and bridges non-routed traffic among them; in this example, traffic between the dot11radio 0.30 and fastethernet 0.30 sub-interfaces in both directions.

Note: if you configure the SSID in global configuration mode, the SSID applies to both dot11radio 0 and dot11radio 1.

Do the same for the guest SSID and associate it with VLAN 40:

1240AG (config)# interface dot11radio 0
1240AG (config-if)# ssid GUEST
1240AG (config-if-ssid)# vlan 40
1240AG (config-if-ssid)# authentication open
1240AG (config-if-ssid)# exit

1240AG (config-if)# interface fastethernet 0.40
1240AG (config-subif)# encapsulation dot1q 40
1240AG (config-subif)# bridge-group 40

1240AG (config-subif)# interface dot11radio 0.40
1240AG (config-subif)# encapsulation dot1q 40
1240AG (config-subif)# bridge-group 40
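Since every SSID gets the same three-part treatment (SSID on the radio, a dot1q sub-interface on fastethernet 0, a matching sub-interface on the radio, all in one bridge-group), here is an added Python example (mine, not from the original post) that generates those CLI lines from an SSID-to-VLAN table and refuses tables that collide with the native VLAN or reuse a VLAN. Function names are mine; the management address in the usage is a constructed placeholder, not the post's own.

```python
"""Generate the Aironet SSID/VLAN bridging configuration from a table
(added example, not from the original post)."""

NATIVE_VLAN = 5  # the post's native VLAN


def validate_ssid_table(ssids, native_vlan):
    """ssids maps SSID name -> VLAN id. Raise ValueError for out-of-range ids,
    an SSID placed on the native VLAN, or two SSIDs sharing a VLAN."""
    seen = {}
    for name, vlan in ssids.items():
        if not 1 <= vlan <= 4094:
            raise ValueError(f"{name}: VLAN {vlan} out of range")
        if vlan == native_vlan:
            raise ValueError(f"{name}: VLAN {vlan} is the native VLAN; an SSID needs its own VLAN")
        if vlan in seen:
            raise ValueError(f"{name}: VLAN {vlan} already used by SSID {seen[vlan]}")
        seen[vlan] = name
    return True


def aironet_config(ssids, native_vlan=NATIVE_VLAN, radio="dot11radio 0", mgmt_ip=None):
    """Return the CLI lines: BVI 1, native-VLAN sub-interfaces on the wired and
    radio interfaces, then per SSID the radio SSID block plus the two dot1q
    sub-interfaces tied together by bridge-group <vlan>."""
    validate_ssid_table(ssids, native_vlan)
    lines = ["interface bvi 1"]
    if mgmt_ip:
        lines.append(f" ip address {mgmt_ip}")
    lines.append(" no shutdown")
    for intf in ("fastethernet 0", radio):
        lines += [f"interface {intf}.{native_vlan}",
                  f" encapsulation dot1q {native_vlan} native"]
    for name, vlan in ssids.items():
        # open authentication, as in this post; the WPA posts replace that line
        lines += [f"interface {radio}", f" ssid {name}",
                  f"  vlan {vlan}", "  authentication open"]
        for intf in ("fastethernet 0", radio):
            lines += [f"interface {intf}.{vlan}",
                      f" encapsulation dot1q {vlan}",
                      f" bridge-group {vlan}"]
    return lines


if __name__ == "__main__":
    # Constructed management address (placeholder, not the post's own)
    print("\n".join(aironet_config({"ADMIN": 30, "GUEST": 40},
                                   mgmt_ip="192.0.2.10 255.255.255.0")))
```

Generating the block rather than typing it per SSID is what keeps the sub-interface numbers, dot1q tags and bridge-group numbers in step; most of the "SSID works but clients land in the wrong VLAN" problems come from those three disagreeing.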

The next step is to configure the switch port connected to the wireless access point as a trunk port with native VLAN 5.
I already posted how to do this in the last post.

Also, if you are going to use dynamic IP addresses, make sure you have configured the router as a DHCP server serving clients on VLANs 30 and 40.

Now, if you have no problem pinging the switch and router from the wireless access point, your access point is broadcasting the SSIDs and clients joining them get IP addresses from the router.

The SSIDs are not secure since they use open authentication; next time I'll configure them with stronger authentication.

07 November 2008

Configuring Cisco Aironet in Home Lab - Part 1

I've configured my Cisco home lab with a router that connects to cable internet and a switch with VLANs.
Now it's time to add a new device to the lab: a Cisco Aironet 1240AG wireless access point for wireless connectivity.

And by the way, the image on the left is not an official logo from Cisco or anything, I just made that up.

I won't configure anything fancy this time, only the basic administration configuration, open SSIDs, and associating the SSIDs to VLANs.

Since I want to configure two SSIDs for the wireless network, one free-for-all SSID with no authentication and another with authentication, I need to configure an additional VLAN on the switch.

I already have VLAN 30 for the wireless network and want to add VLAN 40, so in total there will be 5 VLANs in my Cisco home network lab.

I made a network diagram with the Cisco Aironet 1240AG wireless access point added, in the picture below:

So let's start the configuration in the next post; there are some steps to complete in this Cisco home lab network diagram if you haven't done so already.

Starting with the wireless access point, I'm going to configure the basic administration settings such as the access point's management IP address, the SSIDs and their association with VLANs, optionally the authentication security options for the SSIDs, and the trunk connection to the switch.

For the switch I'll configure VLANs and the trunk connection to the access point and the router.

Last, on the router I'll configure inter-VLAN routing, a DHCP server for each VLAN, and other configuration like I've posted before.

05 November 2008

Wireless Home Network

In the last post I talked briefly about the wireless site survey in networking projects.

Now I want to share the things I personally consider when building a wireless home network.
The following points are just my considerations; most home or SOHO users just plug in their wireless access points, configure them, and they work fine.

Which Standard to Use

Currently there are four common standards for wireless networking: 802.11a, 802.11b, 802.11g, and the latest one, 802.11n. These standards use unlicensed frequencies, meaning they're free for all to use.

You can use these frequencies for your wireless networks, and you can't complain if your neighbors use up all of the available frequencies and interfere with your wireless signal.
More on this when I talk about the wireless channels in a moment.

802.11a uses the 5GHz frequency band and has a data rate of 54Mbps. This standard is not too popular anymore, because its higher frequency gives higher data rates but shorter range.
The higher frequency also makes it more easily absorbed by solid objects around it.

802.11b and 802.11g use the 2.4GHz band. Most wireless access points support both the b and g standards; since they use the same frequency, they are interoperable.
The difference is that 802.11b has a data rate of 11Mbps while 802.11g has 54Mbps.

The latest one is 802.11n. It uses the 5GHz and/or 2.4GHz bands and, in terms of data rate and wireless range, it has the highest data rate and the widest range; some vendors claim their 802.11n access points can reach data rates up to 114Mbps.

I don't know the truth about that since I don't have any 802.11n devices yet.
For me, I just love the sleek design of the 802.11n wireless router from Linksys.
Cool, gotta have that someday.

Wireless Access Points Locations

Place the access points in locations that you think can reach all the clients in the network. Consider interference from microwave ovens or cordless phones.
Also keep in mind objects that can block, absorb or reflect the signals from the access points, such as thick walls or metal surfaces.

The further you get from the access point and the more objects standing between you and it, the lower the data rate you'll get.

Channels to Use

If one wireless access point is enough to cover your clients, check which wireless channels are used by access points installed near your network.
If your access point uses the same channel as your neighbor's, the wireless signals will interfere with each other.
If you're using more than one access point, set them to use different channels.

In the 802.11b and g standards, the common channels, or the clean channels, that you can use are channels 1, 6, and 11. Use one for each of your access points, and do not use the same channel on access points whose signals overlap.
What I mean by clean channels is that these channels do not overlap each other.
The following is a graphical representation of the 802.11b and g wireless channels:

802.11a offers more clean channels to choose from. Here you can see the wireless channels that you can use for 802.11a:

More on the subject of channels can be found directly at the source, the FCC site.
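Why exactly 1, 6 and 11 are the clean channels follows from the channel spacing, and an added Python example (mine, not from the original post) makes it checkable: 2.4 GHz channels 1 to 13 sit 5 MHz apart starting at 2412 MHz (channel 14, Japan only, at 2484 MHz), and an 802.11b signal occupies about 22 MHz, so two channels are clean of each other only when they are at least 5 channel numbers apart. The function names and the access-point names in the usage are mine.

```python
"""Compute non-overlapping 2.4 GHz channels and assign them to access points
(added example, not from the original post)."""

CHANNEL_WIDTH_MHZ = 22  # 802.11b DSSS occupied bandwidth; 802.11g OFDM uses 20 MHz


def channel_center_mhz(ch):
    """Center frequency of a 2.4 GHz 802.11b/g channel."""
    if 1 <= ch <= 13:
        return 2407 + 5 * ch      # channel 1 = 2412 MHz ... channel 13 = 2472 MHz
    if ch == 14:
        return 2484               # Japan-only 802.11b channel
    raise ValueError(f"no 2.4 GHz channel {ch}")


def channels_overlap(a, b, width=CHANNEL_WIDTH_MHZ):
    """Two channels overlap when their centers are closer than one channel width."""
    return abs(channel_center_mhz(a) - channel_center_mhz(b)) < width


def clean_channels(channels=range(1, 12), width=CHANNEL_WIDTH_MHZ):
    """Greedy pick, lowest first, of channels that overlap none already picked.
    Over the US channels 1-11 with 22 MHz width this yields the post's 1, 6, 11."""
    chosen = []
    for ch in channels:
        if all(not channels_overlap(ch, c, width) for c in chosen):
            chosen.append(ch)
    return chosen


def assign_channels(access_points, channels=None):
    """Round-robin access points over the clean channels. With more than three
    APs on 2.4 GHz reuse is unavoidable; the APs that share a channel should be
    the ones whose coverage areas overlap least."""
    channels = list(channels or clean_channels())
    return {ap: channels[i % len(channels)] for i, ap in enumerate(access_points)}


if __name__ == "__main__":
    print("clean 2.4 GHz channels:", clean_channels())
    print("1 vs 6 overlap:", channels_overlap(1, 6), "| 1 vs 5 overlap:", channels_overlap(1, 5))
    # Constructed access-point names
    print(assign_channels(["ap-living", "ap-office", "ap-garage", "ap-attic"]))
```

The same function with 20 MHz width and the 13 channels allowed in much of Europe returns 1, 5, 9 and 13, which is the four-channel plan sometimes used for 802.11g-only deployments there; the code goes that far beyond the post only because the arithmetic is identical.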

SSID

The Service Set Identifier, or SSID, is like an ID for your wireless network. I'm sure you already know this: to join a wireless network you need to know the SSID, or you can scan for SSIDs and join one.

You can use any of the many available wireless network sniffers to scan for SSIDs and the channels used by nearby wireless networks. Some of them you can find in the list here.
Once again, not every sniffer works with your wireless network card; check before downloading.

You can use any SSID for your wireless network: your name, company name, etc. The reason I bring this up is that if you're using upper-end wireless access points like those from Cisco, you can have multiple SSIDs broadcast from a single wireless access point.

Maybe you need a free-for-all SSID for your guests, another SSID for your home users or employees, and another one just for you as the admin.

On Cisco, you can tie these SSIDs to VLANs, which gives you flexibility in deciding different security for each SSID, different access lists for them, etc.

Wireless Security

Now this is the most important part of all: wireless security, or the encryption method you want to associate with your SSID.
There are several types of wireless authentication, from open authentication, which you can apply for guests on your WLAN, up to WPA version 2.
There is also WEP, which is not so secure nowadays since people can tap your signals and decrypt them.
Best to say that WPA or WPA2 are more secure to use in your WLAN; you can also use 802.1x security.

Remember that not all hardware or wireless NICs support every authentication type; most of them support WPA, so it's the most common to use nowadays.

I've got to admit I'm too lazy to explain all of them here, plus this post is taking longer than I expected.
Smarter and more diligent people have described this; one place you can find it is Wikipedia.

I don't want to bore you, so I'll start on the configuration of the Cisco wireless network in the next posts.

04 November 2008

Planning for Wireless Network

If you're planning to deploy wireless access points in a networking project then I congratulate you; you still have lots of work to do before you get to configuring the access points.

There are lots of things to consider in a networking project: the location of the access points, the channels to use, whether there is radio interference at the locations, etc.

You need to do a wireless site survey in a network project; see, they even created their own science for this work.

Wireless site surveys could fill their own blogs, books, tools and even a specialized certification if you want to do it properly and professionally.
The tools, software and hardware, don't come cheap, I'm telling you.

There is software that can do a wireless site survey; it can visually show you the range of the access points installed at the site. A few that I've seen at work before are from ekahau and visiwave.

At the top of this post is a sample report from visiwave, and the picture on the left here is from ekahau.

These pictures show you the range of the wireless access points on site; they're kind of like a heat map. With these you can then determine the best placement for the access points so they reach all clients.

From my experience, not all of this software works with every wireless card, so before purchasing, check whether it supports your wireless card.

There is also hardware that can help you do the site survey, and it can also scan for radio interference such as that from microwave ovens, cordless phones, etc.
You've got to check out the yellowjacket from bvssystem; these things are cool.

The people at bvssystem integrate an HP iPaq PDA with their yellowjacket to use as a wireless site survey tool.
This one comes in the form of a Tablet PC for spectrum analysis:

Both the software and the hardware can provide you with detailed reports of the wireless site survey results.

Now, that's when you're working on a network project; if you want to deploy wireless access points in your home or SOHO, you don't need to go to all that trouble.

In the next post I want to talk about the things to consider when installing wireless access points in your home or SOHO.

Get to Know Cisco Aironet Wireless Access Point

Ah, I just love these things, the Cisco Aironet Wireless Access Points. On the left you can see the Cisco Aironet 1240AG Access Point, one among the other Cisco Aironet series.

This is the very first Cisco device I got; I figured that at least I could integrate it with my existing non-Cisco home network.

The 1240AG is not the prettiest access point you can get, but I like the shape anyway. It reminds me of the liquor bottles I used to see in the movies.

Now, why would you want to buy a Cisco Aironet? It costs about ten times or more than average home access points like Linksys or D-Link.

These Aironet things are great. The 1240AG has one Fast Ethernet port and one console port.
It doesn't come with integrated antennas; you have to buy them. You can use 802.11G antennas and/or 802.11A antennas, which gives you flexibility in choosing antennas; you can even use both if you want to.
Mind you, not all countries allow the use of the 802.11A standard.

The console port, as usual, is used for configuring the Cisco Aironet access point through the CLI. You can also use a web browser to configure the access point; unlike other Cisco devices' web interfaces, the Aironet web interface offers a rich configuration feature set.
Other Cisco devices' web interfaces don't look that good; you'd definitely prefer configuring those through the CLI.

Below is an example of the Cisco Aironet web interface:

Unlike other Cisco devices, Cisco Aironet access points are by default configured to accept an IP address from a DHCP server; if you have a DHCP server in your LAN, that's great.
Just plug in a cable to connect the access point to your LAN, and as soon as it receives an IP address you can configure it.

One tip: the Cisco Aironet 1100 series access points have a default IP address of that lasts for just 5 minutes.
During those 5 minutes you can configure your computer's NIC with an IP address of or similar, and connect a network cable from your computer's NIC to the ethernet port of the access point.
Open the web browser, type in the address, and you can do some configuration. Remember, this only lasts 5 minutes; after that the access point will request an IP address from DHCP indefinitely.

Now, what other features do the Aironet access points have? Many that average home access points don't.

You can configure the access points as an Intrusion Detection System (IDS) to protect your network, use them to scan for rogue access points that your neighbour uses to steal your bandwidth, and they also offer the powerful 802.1x to authenticate clients.

You can also set your own transmit power and data rates for the wireless radio interfaces.

Configure several SSIDs to segment your network; each SSID can be tied to a VLAN. Provide an SSID for your guests, another for your home users, and a special SSID just for administration purposes.
Want another SSID? A special SSID just for handling your VoIP packets; cool.

If you have several Cisco Aironet access points at your disposal, set them up so your users can roam all over the place and jump from one access point's area to another without losing the connection.

Have hundreds of Aironet access points in a project? You don't need to configure them one by one. Upgrade, or request from Cisco, Aironets with Cisco IOS Lightweight mode enabled.
With the Lightweight feature and a wireless LAN controller, you only need to make one configuration on the wireless LAN controller and it will push the configuration to all access points in your network.
Saves you a lot of work.

So many features to tell. To try out all these features, get your own Cisco Aironet Wireless Access Points now. You won't be sorry if you're a true techie, except that your wallet will be a bit thinner.


02 November 2008

The Danger of Broadcast Storm and the Solution

If you've taken the Cisco Academy program or been in the networking world for a while, you must have heard about broadcast storms.

A broadcast storm is a state in a network where a broadcast frame in a switched environment is continually flooded through the network.

This mostly happens in a switched environment where you have redundant connections between switches; remember that routers segment or isolate broadcasts between networks.

Redundant connections are important if you want to create a backup path between switches: if one path fails, the other takes over.
This won't work out with switches that don't have any loop avoidance mechanism.

This is how a broadcast storm can happen. I have two switches connected with redundant links; one switch is connected to a client and the other switch is connected to a server.

Then the client sends a broadcast, say an Address Resolution Protocol (ARP) request to find out where the server is, like this. Pay attention to the red arrow; pretend that the arrow is the broadcast frame sent by the client.

Remember the rule of a switch: a switch forwards a broadcast frame out of all ports except the port on which it received the frame.

Switch A receives the frame and forwards it out of the two links it has:

Switch B receives the broadcast frame on two different ports and forwards it again out of its other ports, including the port where the Server is attached.

But it doesn't stop there: the frames are flooded again back to Switch A and back to the client.

From then on it goes back to picture 2, then 3, and so on; this keeps going forever until you shut down the network.
This condition is also called a switching loop, and it leads to a broadcast storm.
Most likely you'll find a question about this in the CCNA exam.

Luckily, Cisco switches have a loop avoidance mechanism called Spanning Tree Protocol, or STP.

What STP does is eliminate loops in the network while still allowing redundant links. The switches in the network send out BPDUs, or Bridge Protocol Data Units.

A BPDU is like a boomerang sent out of all ports on the switch. The BPDUs travel all over the network, and when a switch receives a BPDU it sent itself, it knows that a switching loop is occurring in the network and blocks one of the ports where the loop occurred.

Actually, a whole set of sessions would be needed just to explain STP; there are even books specialized in explaining STP, considering how important STP is in a redundant network.

STP eliminates redundant links in your network, that's it; but if you don't carefully design your network, even if you're using Cisco devices, your network will someday experience a meltdown.

There's a great article about a network meltdown in a hospital related to STP that you can read here. In a hospital!! Man, that's serious business; we're talking about people's lives here.
So the case study can be a valuable resource for you, just read it.

This happened to me once when I went to a client. They're just a small office, kinda like a SOHO; they're not using Cisco devices, they're just using network devices from Linksys and D-Link.

So they called me and said that for some reason the network went down.

After checking the network for a while, there was no problem with the configuration or the cabling, but still no connectivity.
Then after tracing all the cables - it was not exactly neat cabling they had there - I found that one cable was connected end to end to the same switch, which created the broadcast storm.

So the moral of this story: it's very easy to take down an entire network with just a single network cable, especially if the network is using average home network devices.

No need to say that it is very important to maintain the physical security of your network devices. You can't trust the employees anymore nowadays.
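To make the flooding rule concrete, here is a small Python simulation, added here and not part of the original post, of the two-switch topology with redundant links described above and of the single cable looped back into one switch from the client story. Switch names, port names, host names and the copy count used to declare a storm are assumptions; the `blocked` set stands in for a port that STP has put in blocking state.

```python
from collections import deque

# Constructed topology from the post: a client on Switch A, a server on
# Switch B, and two parallel links between A and B. A port maps either to
# a host name or to the (switch, port) at the far end of a link.
REDUNDANT = {
    "A": {"p1": "client", "p2": ("B", "p2"), "p3": ("B", "p3")},
    "B": {"p1": "server", "p2": ("A", "p2"), "p3": ("A", "p3")},
}

# Constructed topology from the client story: one switch whose ports p2 and
# p3 are cabled to each other.
SELF_LOOP = {"S": {"p1": "client", "p2": ("S", "p3"), "p3": ("S", "p2")}}


def flood(topology, switch, in_port, blocked=frozenset(), max_copies=10000):
    """Flood one broadcast frame that enters `switch` on `in_port`.

    Every switch applies the rule from the post: a broadcast is copied out of
    every port except the one it arrived on. `blocked` holds (switch, port)
    pairs that STP has put in blocking state; nothing is sent out of or
    accepted on those ports. Returns (copies_forwarded, hosts_reached, storm),
    where `storm` is True if the frame is still circulating after
    `max_copies` copies, i.e. it never dies out.
    """
    queue = deque([(switch, in_port)])  # frames waiting to be processed
    copies, hosts = 0, set()
    while queue:
        if copies >= max_copies:
            return copies, hosts, True
        sw, ingress = queue.popleft()
        for port, far_end in topology[sw].items():
            if port == ingress or (sw, port) in blocked:
                continue  # never back out the ingress port or a blocked port
            copies += 1
            if isinstance(far_end, str):
                hosts.add(far_end)          # delivered to an attached host
            elif far_end not in blocked:    # far switch discards on a blocked port
                queue.append(far_end)
    return copies, hosts, False


if __name__ == "__main__":
    print("redundant links, no STP:", flood(REDUNDANT, "A", "p1"))
    print("redundant links, B/p3 blocked:",
          flood(REDUNDANT, "A", "p1", blocked={("B", "p3")}))
    print("single cable looped on one switch:", flood(SELF_LOOP, "S", "p1"))
```

Without a blocked port the copy count only stops growing because of the cutoff; with one end of a redundant link blocked, the same broadcast reaches the server after three copies and dies out.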
