Switch-A(config)#interface port-channel 1
Switch-A(config-if)#switchport trunk encapsulation dot1q
Switch-A(config-if)#switchport mode trunk
Switch-A(config-if)#speed nonegotiate

Switch-A(config)#interface GigabitEthernet1/1/1
Switch-A(config-if)#switchport mode trunk
Switch-A(config-if)#speed nonegotiate
Switch-A(config-if)#channel-group 1 mode active

Switch-A(config)#interface GigabitEthernet2/1/1
Switch-A(config-if)#switchport mode trunk
Switch-A(config-if)#speed nonegotiate
Switch-A(config-if)#channel-group 1 mode active
——————————————————-

Switch-B(config)#interface port-channel 1
Switch-B(config-if)#switchport trunk encapsulation dot1q
Switch-B(config-if)#switchport mode trunk
Switch-B(config-if)#speed nonegotiate

Switch-B(config)#interface GigabitEthernet1/1/1
Switch-B(config-if)#switchport mode trunk
Switch-B(config-if)#speed nonegotiate
Switch-B(config-if)#channel-group 1 mode active

Switch-B(config)#interface GigabitEthernet2/1/1
Switch-B(config-if)#switchport mode trunk
Switch-B(config-if)#speed nonegotiate
Switch-B(config-if)#channel-group 1 mode active


Find the latest Firmware : https://software.cisco.com/download/release.html?mdfid=284846029&softwareid=282046477&release=3.3.0SE&flowid=45549

Setup TFTP Server ( Download : http://tftpd32.jounin.net/tftpd32_download.html )

Copy Bin file to TFTP Directory

3650-SW1#copy tftp flash

3650-SW1#Address or name of remote host []? 10.1.1.250
3650-SW1#Source filename []? cat3k_caa-universalk9.SPA.03.06.06.E.152-2.E6.bin
3650-SW1#Destination filename [cat3k_caa-universalk9.SPA.03.03.01.SE.150-1.EZ1.bin]?<enter>

3850-SW1#software install file flash:cat3k_caa-universalk9.SPA.03.06.06.E.152-2.E6.bin switch 1-4

The install should ask you to reload which will restart the whole stack ( All Stack members should run the same IOS ) 

If the SSH console disconnects while the install is in progress, you will need to issue a manual reload command


Trying to enable LACP on a Cross Stack Cisco Switch via EtherChannel.

On enabling this I got an error on just one side of the LACP switch:

suspended: LACP currently not enabled on the remote port.

I broke the Port Channel , and set it back to switch mode trunk

Then re-enabled the Portchannel in order

Switch 1 Port One

Switch 2 Port One

Switch 2 Port Two

Switch 1 Port Two
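To confirm that every member port actually bundled after re-enabling the port channel, the output of `show etherchannel summary` can be checked for members not flagged `P`. This is an added example, not part of the original post; the sample output is constructed and the function name is hypothetical.

```python
import re

# Constructed sample of `show etherchannel summary` for a cross-stack LACP
# bundle (illustrative only, not captured from the switches in the post).
SAMPLE = """\
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        u - unsuitable for bundling
        w - waiting to be aggregated

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SU)         LACP      Gi1/1/1(P)  Gi2/1/1(s)
"""

# Member-port flags from the legend the command prints.
FLAG_MEANING = {
    "P": "bundled in port-channel",
    "s": "suspended",
    "D": "down",
    "I": "stand-alone",
    "H": "hot-standby",
    "u": "unsuitable for bundling",
    "w": "waiting to be aggregated",
}

GROUP_LINE = re.compile(r"^(\d+)\s+(Po\d+)\((\w+)\)\s+(\S+)\s+(.*)$")
PORT = re.compile(r"([A-Za-z]+[\d/]+)\((\w+)\)")


def unbundled_members(summary: str):
    """Return (port-channel, protocol, port, state) for members not flagged P."""
    problems = []
    for line in summary.splitlines():
        m = GROUP_LINE.match(line.strip())
        if not m:
            continue  # legend, counters and separator lines
        _group, po, _po_flags, proto, ports = m.groups()
        for port, flag in PORT.findall(ports):
            if flag != "P":
                problems.append((po, proto, port, FLAG_MEANING.get(flag, flag)))
    return problems


if __name__ == "__main__":
    for po, proto, port, state in unbundled_members(SAMPLE):
        print(f"{po} ({proto}): {port} is {state}")
```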


Err-Disabled happens when you insert an SFP that doesn’t match or when there is a general error on the port. It will stay err-disabled so you can clear the error (SFP or cable)

When ready, run:

  • conf t
  • interface GigabitEthernet (number of err-disabled port)
  • shut
  • no shut

 


Prepare the Switch Config

Vlan ID 1 = Guest

Vlan ID 10 = Corporate

Access point ports and controllers should be Untagged with VlanID 1 and Tagged with Vlan 10

Guest Wifi Internet Input should be Untagged with Vlan 1 as well as your Management port you control the switch with

Input of Corporate Network into the switch needs to be Tagged port 10

Access point configuration

  1. Check whether you are using an Array of APs; if you are, log into the Master AP in your array. Changes made while logged into any other access point will not save

  2. Create a new SSID with password

Enabled VLAN Status

Create VID 1 Default per below and Corp for Vlan ID 

Change the PVID settings to 


If you’ve never used a Cisco Access point ( Aironet ): by default, out of the box or after a factory reset, the dot11rad 0 interface will be set to shutdown and will not broadcast any of your SSIDs

Also by default only webpage administration is available, you can enable SSH through the website Administration

Enable through SSH:

ap(config)#interf dot11rad 0

ap(config-if)#no shutdown

Depending on whether you have 1 or 2 SSIDs you will need to enable Guest mode or MultiGuest Mode


When going through the commands to enable WPA on a Cisco Wireless Access Point


ap(config)#interface Dot11Radio0
ap(config-if)# encryption mode ciphers aes-ccm

Then


ap(config-ssid)#authentication open
ap(config-ssid)#authentication key-management wpa version 2

I was shown Error: Encryption mode cipher is not configured.

Turns out this setting needs to be applied to each VLAN presented to the SSID

ap(config)#interface Dot11Radio0

ap(config-if)#encryption vlan 13 mode ciphers aes-ccm tkip

I could then run

ap(config-ssid)#authentication open

ap(config-ssid)#authentication key-management wpa version 2

ap(config-ssid)#guest-mode

ap(config-ssid)#wpa-psk ascii WirelessPassword


So you’ve just got a TPG IP Line connection and they have sent you your IP. How do you set this up on your FortiGate or other router?

They would have sent you an IP with Netmask e.g. : 210.9.x.x/30

How do you set this up on your router?

Enter the IP in the Subnet Calculator with the mask bit e.g. 30 and it will give you the range you can work from

38.242.x.x will be the network address; it cannot be used, as it is used to identify where the network starts

38.242.x.x (+1) will be the ISP gateway; you need this to add a static route on the FortiGate for this WAN port

38.242.x.x (+2) will be the IP address you need to set on your FortiGate

 

Next you will need to add a policy to allow all outbound from Lan to the new WAN Port
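The subnet-calculator step can also be scripted. The following is an added example, not from the original post: it derives the network, gateway (+1) and local (+2) addresses using the convention described above and renders the matching FortiOS interface and static-route commands. The interface name `wan2` and the documentation block `203.0.113.4/30` are placeholders, and the function names are hypothetical.

```python
import ipaddress


def plan_wan(cidr: str, ifname: str = "wan2") -> dict:
    """Derive hand-off addressing using the post's convention:
    network+1 is the ISP gateway, network+2 is our own address."""
    # strict=False also accepts a host address such as 203.0.113.6/30
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4 or net.prefixlen > 30:
        raise ValueError(f"{cidr}: need an IPv4 block of /30 or larger")
    return {
        "ifname": ifname,  # placeholder WAN port name
        "network": str(net.network_address),
        "gateway": str(net.network_address + 1),
        "local_ip": str(net.network_address + 2),
        "broadcast": str(net.broadcast_address),
        "netmask": str(net.netmask),
    }


def fortigate_cli(plan: dict) -> str:
    """Render FortiOS CLI for the static WAN address and the default route."""
    return "\n".join([
        "config system interface",
        f'    edit "{plan["ifname"]}"',
        "        set mode static",
        f'        set ip {plan["local_ip"]} {plan["netmask"]}',
        "    next",
        "end",
        "config router static",
        "    edit 0",  # 0 asks FortiOS to create a new entry
        f'        set gateway {plan["gateway"]}',
        f'        set device "{plan["ifname"]}"',
        "    next",
        "end",
    ])


if __name__ == "__main__":
    # 203.0.113.4/30 is a documentation range standing in for the ISP's block.
    print(fortigate_cli(plan_wan("203.0.113.4/30")))
```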

 


Private Pre-Shared Key: Simplified Authentication


Organizations that are planning wireless LANs to support corporate devices, BYOD, and guest access may be struggling to find the balance between flexibility and security. Though using IEEE 802.1X is the most secure approach to Wi-Fi authentication, this method is typically only implemented for devices managed by IT. For BYOD, contractors, or guests, the IT staff may not have the access, time, or knowledge to provision certain devices.

  1. Configure Private PSK on Guest SSID to the below.

  2. Specify the PSK User groups
    1. You will have to create them based on daily/weekly/monthly rotation
    2. See below for details

Note: you have to use the profile attribute as your guest user profile; in this instance, it is 2.

  3. Hit Save and view your Local PPSK User groups.

  4. If you browse to Configuration > Authentication > Local Users you will see all the pre-generated user keys.

  5. Create a user account with guest user account and password rights.
    1. Go to Home > administrators > administrators
    2. Create new
    3. Give a username/email and password
    4. Assign to the User Manager Operator group.

  6. Configure email service on HiveManager.
    1. Go to Home > Hivemanager Services > check the Email Service settings
    2. Specify the smtp server as 127.0.0.1
    3. Specify a from email address
    4. Click update.

  7. Log in as the User who will be distributing the guest credentials
    1. Login to the myhive.aerohive.com portal as the new account
    2. Click create
    3. Enter details and you will have your user specific guest account details, which you can send to them.

 

 

 

 


The inspection engine is looking at the ftp protocol and finding something objectionable in that user’s sessions. Exactly what is hard to say without debugging or capturing a live failing session.

You can disable ftp inspection as follows (in global configuration mode of course):

policy-map global_policy
 class inspection_default
  no inspect ftp
