The unit was an Elitedesk 800 G3

Download the driver bundle from here: http://ftp.hp.com/pub/caps-softpaq/cmit/HP_Driverpack_Matrix_x64.html

Extract the drivers, then import them into Out-of-Box Drivers on your MDT share.

Once done, update the deployment share.

Once done, replace the image on the Microsoft Deployment Services.

WIMs will be installed to

C:\DeploymentShare\Boot


Fortigate

Create a new interface under a port or an existing virtual switch where the Aruba switch uplinks to.

Enter the VLAN ID and interface IP.

Next you will need to set up allow policies to allow traffic from the VLAN to the normal LAN as well as the internet.

Aruba

Create a new VLAN with the same ID.

Add a trunk to the uplink.

Tag all the ports that will have a phone plugged into them with VLAN 2, including the trunk.

Untag any ports the phone system or VoIP card might use.

Attach “voice” to the VLAN, which will assign the right VLANs for the phones that use LLDP.

 


Meraki MX Router

Enable VLANs

Go to Security Appliance, then Addressing & VLANs.

Next set up the subnet ID (number) for your VLANs and the address of the router in each VLAN.

Next, change the uplink to the switch to a VLAN trunk and set the native VLAN (this is the default, usually 1) and the other VLANs which will pass down this trunk. The native VLAN will need to be the same on both sides, Meraki and Cisco switch.

DHCP

Go to Security Appliance, then DHCP.

Decide which device will be the DHCP server on this new subnet. You can use the Meraki or, if it's a Windows network, point the IP helper to your main DHCP server.

Cisco Switch

Uplink

On the uplink of your switch to the Meraki (e.g. GigabitEthernet1/0/1), set:

 

conf t
int gi1/0/1
switchport trunk native vlan 1
switchport trunk allowed vlan 1,5
switchport mode trunk
end

You might see that native VLAN 1 does not show in the config; this is because 1 is the default native VLAN.

UnTag Port on new Vlan

This changes the port to use Vlan 5

conf t
int gi1/0/2
switchport access vlan 5
switchport mode access
end

Finding issues in wireless networks can be hard; however, there are some tools you can use before you get the spectrum analyser in!

Auditing

Download and install inSSIDer Home

A great way to visualise SSID strength and channels. Note that while it is running, your ping times will go up!

Ekahau

Great heat-mapping software; paid-for software for scanning.

For Home or small office WiFi network tuning/refining, we can simply use some of following software to help us:

 

How to check for DeAuths

Once you identify the channel, launch https://www.wireshark.org/ on that channel and listen for a minute or two.

First, apply this filter:

wlan.fc.type_subtype == 0xc

This will show you all the deauthentication frames that have been sent out.

Deauth Flood

Apply this filter next:

wlan.fc.type_subtype == 0x8 && wlan.sa == <BSSID of the SSID you are inspecting>

This will display beacon frames from your AP. Check the signal strength. In this case, we’ve got a good strong signal because we’re right next to the AP (right around -40 dBm on average).

Our Beacons

Next, apply this filter:

wlan.fc.type_subtype == 0xc && wlan.sa == <BSSID of the SSID you are inspecting>

This shows deauthentication frames from your AP. Note the signal strength on the far right…

Spoofed Deauths

The deauthentication frames are coming in much weaker than the valid beacon frames. This indicates strongly that another AP is spoofing your system.
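The same comparison can be scripted over exported frame fields. This is an added example, not part of the original post: the 15 dB tolerance, the MAC addresses, the `capture.pcap` file name and the sample lines are all constructed assumptions.

```python
from statistics import median

BEACON, DEAUTH = 0x08, 0x0C  # wlan.fc.type_subtype values used in the filters above

# Constructed sample, shaped like tab-separated output of (placeholder file name):
#   tshark -r capture.pcap -T fields -e wlan.fc.type_subtype -e wlan.sa -e radiotap.dbm_antsignal
SAMPLE = "\n".join([
    "0x0008\taa:bb:cc:00:00:01\t-41",
    "0x0008\taa:bb:cc:00:00:01\t-39",
    "0x0008\taa:bb:cc:00:00:01\t-40",
    "0x0008\taa:bb:cc:00:00:02\t-70",
    "0x000c\taa:bb:cc:00:00:01\t-78",
    "0x000c\taa:bb:cc:00:00:01\t-80",
    "0x0008\taa:bb:cc:00:00:01\t-42",
    "0x000c\taa:bb:cc:00:00:01\t-43",
    "0x000c\taa:bb:cc:00:00:02\t-71",
    "0x000c\taa:bb:cc:00:00:01\t-79",
    "0x0008\taa:bb:cc:00:00:01\t-40",
])

def parse(text):
    """Yield (subtype, source MAC, signal dBm) from tab-separated field lines."""
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3 or not parts[2]:
            continue  # frame without a radiotap signal value
        # Some captures report one signal value per antenna; use the first.
        yield int(parts[0], 0), parts[1].lower(), int(parts[2].split(",")[0])

def check_deauths(text, bssid, tolerance_db=15):
    """Compare deauth signal strength with the beacon baseline for one BSSID."""
    beacons, deauths = [], []
    for subtype, sa, dbm in parse(text):
        if sa != bssid.lower():
            continue
        if subtype == BEACON:
            beacons.append(dbm)
        elif subtype == DEAUTH:
            deauths.append(dbm)
    if not beacons:
        return None  # no baseline, nothing to compare against
    baseline = median(beacons)
    # Deauths far from the beacon baseline likely come from a different transmitter.
    flagged = [d for d in deauths if abs(d - baseline) > tolerance_db]
    return {"baseline_dbm": baseline, "deauths": len(deauths), "flagged": flagged}

if __name__ == "__main__":
    print(check_deauths(SAMPLE, "AA:BB:CC:00:00:01"))
```

A deauth close to the beacon baseline (the -43 dBm frame in the sample) is treated as genuine; only the outliers are reported.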

 

 

2 What is SNR or S/N or Signal-to-noise ratio

SNR is the difference between the received wireless signal and the noise floor. The noise floor is simply erroneous background transmissions that are emitted from either other devices that are too far away for the signal to be intelligible, or by devices that are inadvertently creating interference on the same frequency. [1]

E.g. if a client device’s radio receives a signal at -75 dBm and the noise floor is -90 dBm, then the effective SNR is 15 dB. This would then reflect as a signal strength of 15 dB for this wireless connection.

3 Why does SNR matter for WiFi

To achieve a certain speed, a certain SNR is required, e.g. to achieve 1300 Mbps, 32 dB of SNR is required. (Note: SNR is not the only requirement; other conditions like the number of spatial streams, WiFi generation etc. are also required to achieve it.)

4 What decides WiFi roaming between/among different WiFi AP (Access Points)?

It’s not as simple as we might think. For example, we might expect that when a WiFi access point is close to us, our device (mobile, computer/laptop etc.) will switch/connect to it directly. WiFi roaming does not work like that, although that is usually the optimal case we want to achieve.

Usually by default, WiFi clients are “sticky”, which means they tend to stay associated/connected to the AP they are already connected to. They will only switch/roam if it is impossible or almost impossible to transfer data (e.g. signal strength dropped significantly). [This behaviour can be altered by changing settings on the operating system/driver, e.g. WiFi roaming aggressiveness, or by modifying some configuration on the WiFi system/access point, e.g. forcing clients with a certain low signal strength to disconnect, changing the AP radio power level etc.]
Note: If a client is too aggressive and always switches instantly to the AP with the stronger signal, the user’s browsing/VoIP experience etc. will be negatively and heavily impacted. It can make the internet/network unstable or even unusable.

So, the usual factors that affect WiFi client roaming aggressiveness are WiFi signal strength, vendor of the client device, operating system of the client device, configuration of the client device, AP/WLAN (Wireless LAN) system configuration etc.

5 How to eliminate or reduce sticky clients/cases? (How to make clients roam between APs as desired)

Usually it is the client that decides when to roam/switch to another AP.

There are many ways to reduce/eliminate sticky client issue.

At the Client side

  • If we are using a computer/laptop, there are usually settings to control wireless roaming aggressiveness; we can change it to medium or high if necessary (testing should be done before deciding which option is best for our specific needs/situation)
  • Manually disconnect, wait 5-10 seconds and reconnect to the WiFi (usually the client will associate/connect to the AP with the strongest signal in this case)

At the AP/WLAN side

Although the 802.11 standards do not say much about roaming, many AP vendors/systems still provide some control over client roaming.

  • Place APs far enough from each other physically, so that the WiFi signal from each AP does not overlap/cover the same spot/area
  • Reduce the AP radio output power level, so that the WiFi signal from each AP does not overlap/cover the same spot/area
  • Some AP vendors/systems provide features like actively disconnecting clients whose signal is below a certain/specified level (usually this is not good if we want clients to have a fast roaming experience among different APs)
  • Setting a minimum RSSI may or may not force the client to roam (using minimum RSSI may not be a good idea; lowering the radio output power may be better)

6 How to Design/Plan AP positioning (How to properly design deploy APs for enterprise/business, education, office, home etc.)

WiFi/WLAN deployment can be tricky sometimes, especially when designing a network that has multiple APs. Obstructions in the radio wave path can block or even reflect radio waves. Different materials have different levels of impact on the signal and its strength: some may block the signal completely, some will only have a slight impact and, as mentioned, some will reflect the signal.

To properly design and deploy the WiFi/WLAN network, we may need to do some testing and a site survey, e.g. using Ekahau. Some vendors also provide WiFi/WLAN design tools, e.g. UniFi Design Center, Ruckus Wi-Fi planner, Ekahau etc.


Recently we found a Fortigate router not listening locally.

Log in to the console via serial cable (PuTTY), enable management access on the WAN interface, then set trusted hosts for the admin account:

config system interface
edit wan1
set allowaccess ping http https
end


config system admin
edit admin
set trusthost1 %publicip%/32
set trusthost2 %localIprange%/24
end

Connect to http://wired.meraki.com/#configure on a PC/server connected to the Meraki. The default username is the serial number of the device, which can be found in the Cloud Dashboard, and the password is blank.

The following will restart the Meraki, so make sure you arrange downtime.

Change Port 2 from LAN to Internet, add the IP details and click Save.

Make sure all Ethernet ports are set to Auto for negotiation.

By default the Meraki will put the connections in Active / Passive. To enable Active / Active:

Log in to your Meraki Cloud Dashboard and enable Load Balancing:

This will spread both inbound and outbound traffic across both links.

To force specific traffic (e.g. one port) over a specific link, add an Internet Traffic Flow setting

e.g.


Get Model Number and Serial for Firmware

Log in to your switch via SSH and run

show switch

This will show you the System Type (model of the switch) and whether it is stacked. Now type

show version

This will show you your current firmware and also the serial number (in red).

Download Firmware

1. Go to Extreme Networks Support and click Downloads for ExtremeXOS for your switch model.
2. Login using your account. You have to register if you don’t have account.
3. Click Accept All.
4. Type the serial number.
5. Click Software Downloads.
6. Click the correct ExtremeXOS image and download to your tftp server.

Setup TFTP

Free TFTP tools such as tftp32 will work for the switch upgrade.

Make sure UDP port 69 is allowed through Windows Firewall.

Even if your Windows Firewall is disabled, make sure it is also disabled on Guest Networks, as this will usually be the network the management speaks on, not Domain.

Make sure the machine you are using does not have WDS enabled, as WDS uses TFTP.

Run TFTP and make sure the server is listening on a network IP (NOT the loopback address 127.0.0.1).

Copy the .xos file to the TFTP directory.

In SSH, make sure you can ping the IP of the TFTP server from the switch via

ping %IP OF TFTPServer%

and that you get a reply.

Backup Existing Config

upload config %IP OF TFTPServer% config.xsf VR-Default

Download and install new Image

download image %IP OF TFTPServer% summitX-22.3.1.4-patch1-8.xos "VR-Default" secondary

Do you want to install image after downloading? (y - yes, n - no, <cr> - cancel) Yes

You will need to reboot the switch, and if the switch is in a stack you will need to reboot them both, as stacked switches cannot be on different versions.


The Category blocked was Alcohol, however, I whitelisted this category. Disabling the filter based category allowed this.

Problem was the Fortigate GUI was not displaying the actual committed config on the firewall ( the profile was screwed )

solution

this way the “default” profile was visible

Also you might want to use DNS Filter

basically DNS filters work like webfilter but at DNS level

so let's say you want to go to youporn

the firewall tries to resolve the name of youporn.com but since it is a blocked category

it blocks the resolution of the name even before you get to browse it

 
