2019年8月2日 星期五

How to configure ACS 5.8 for 802.1x authentication on a Cisco switch


https://www.techrepublic.com/pictures/how-to-configure-acs-52-for-8021x-authentication-on-a-cisco-switch/

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/configuration_guide/b_sec_152ex_2960-x_cg/b_sec_152ex_2960-x_cg_chapter_010000.html#d9598e3899a1635
  • Switch's Configuration

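! Enable AAA; required before any "aaa authentication/authorization/accounting" command.
aaa new-model
! 802.1X supplicant credentials are validated against the RADIUS server group.
aaa authentication dot1x default group radius
! Globally enable 802.1X port-based authentication on the switch.
dot1x system-auth-control
! Apply network authorization attributes returned by RADIUS (e.g. a VLAN assignment).
aaa authorization network default group radius
! Send 802.1X session start/stop records to RADIUS so logons are auditable on the ACS side;
! the original listing authenticated and authorized but never accounted.
aaa accounting dot1x default start-stop group radius

! RADIUS server definition. 1645/1646 are the legacy ports; the IANA-assigned ones are
! 1812/1813. Confirm which ports this ACS instance listens on before changing them.
radius server Radius
 address ipv4 1.1.1.1 auth-port 1645 acct-port 1646
 ! "xxx" is a placeholder: use a long, random shared secret. Note that
 ! "service password-encryption" only applies reversible type-7 obfuscation to this key.
 key xxx

! Edge port: 802.1X authenticator. The port is placed in VLAN 60 unless RADIUS
! returns a different VLAN via the network authorization configured above.
interface GigabitEthernet1/0/1
 switchport access vlan 60
 switchport mode access
 ! The port starts unauthorized and is opened only after a successful 802.1X exchange.
 authentication port-control auto
 ! This switch acts as the authenticator and relays EAP to the RADIUS server.
 dot1x pae authenticator
end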
  • PC's Configuration




  • Cisco ACS's Configuration

2019年7月7日 星期日

Configure VXLAN Flood and Learn with Multicast Core (vPC)

  • Spine's Configuration

! Spine: pure underlay device. OSPF gives VTEP loopback reachability; PIM replicates the
! leaves' BUM (broadcast / unknown-unicast / multicast) traffic in the multicast core.
feature ospf
feature pim

! Static RP for every ASM group (224/4): this spine's own loopback0. The VNI flood group
! 231.1.1.1 used by the leaves falls in this range. 232/8 restates the default SSM range.
ip pim rp-address 192.168.1.100 group-list 224.0.0.0/4
ip pim ssm range 232.0.0.0/8

! Routed /30 downlinks, one per leaf, all in OSPF area 0 with PIM sparse-mode.
! NOTE(review): OSPF and PIM run unauthenticated here. Outside a lab, OSPF
! message-digest authentication and a PIM neighbor policy limit who can peer with the spine.
interface Ethernet1/1                     //downlink to Leaf-1
  no switchport
  ip address 192.168.1.9/30
  ip router ospf 1 area 0.0.0.0
  ip pim sparse-mode
  no shutdown

interface Ethernet1/2                    //downlink to Leaf-2
  no switchport
  ip address 192.168.1.5/30
  ip router ospf 1 area 0.0.0.0
  ip pim sparse-mode
  no shutdown

interface Ethernet1/3                   //downlink to Leaf-3
  no switchport
  ip address 192.168.1.13/30
  ip router ospf 1 area 0.0.0.0
  ip pim sparse-mode
  no shutdown

! Loopback0 is both the OSPF router-id and the RP address advertised above.
interface loopback0
  ip address 192.168.1.100/32
  ip router ospf 1 area 0.0.0.0
  ip pim sparse-mode

router ospf 1
  router-id 192.168.1.100
  • Leaf-1's Configuration

! Leaf-1: single (non-vPC) VTEP. OSPF for underlay reachability, PIM for BUM replication.
feature ospf
feature pim
feature vn-segment-vlan-based           //Configures the global mode for all VxLAN bridge domains
feature nv overlay                               //Enables the VxLAN feature

! Same static RP (the spine's loopback0) and SSM range as the spine.
ip pim rp-address 192.168.1.100 group-list 224.0.0.0/4
ip pim ssm range 232.0.0.0/8

! VLAN <-> VNI mapping; the VNI, not the VLAN id, is what travels in the VXLAN header.
vlan 10                                                //Mapping VLAN to VxLAN VNI
  vn-segment 160010
vlan 20
  vn-segment 160020

! VTEP: encapsulated traffic is sourced from loopback0 (192.168.2.5). Both VNIs share one
! multicast group, so BUM traffic of either VNI is delivered to every VTEP joined to 231.1.1.1.
! NOTE(review): standard VXLAN caveat — the encapsulation carries no authentication, so any
! device that can reach the VTEP address must be trusted; keep the underlay isolated from
! the overlay subnets.
interface nve1                       //Creating and Configuring an NVE Interface and Associate VNIs
  source-interface loopback0
  member vni 160010 mcast-group 231.1.1.1
  member vni 160020 mcast-group 231.1.1.1
  no shutdown

! Routed underlay uplink: OSPF area 0 plus PIM sparse-mode, peering with the spine's
! Ethernet1/1 (192.168.1.9/30).
interface Ethernet1/1                      //uplink to Spine
  no switchport
  ip address 192.168.1.10/30
  ip router ospf 1 area 0.0.0.0
  ip pim sparse-mode
  no shutdown

! Untagged frames from SW1 enter VLAN 10 and are therefore carried in VNI 160010.
interface Ethernet1/2                     //downlink to SW1
  switchport
  switchport access vlan 10
  no shutdown

! VTEP address; advertised into OSPF so the other leaves can reach it.
interface loopback0
  ip address 192.168.2.5/32
  ip router ospf 1 area 0.0.0.0
  ip pim sparse-mode

router ospf 1
  router-id 192.168.2.5

  • Leaf-2's Configuration

! Leaf-2: one half of a vPC VTEP pair with Leaf-3. lacp is needed for
! "channel-group ... mode active"; vpc for the domain below.
feature ospf
feature pim
feature vn-segment-vlan-based          //Configures the global mode for all VxLAN bridge domains
feature lacp
feature vpc
feature nv overlay                              //Enables the VxLAN feature

! Same static RP (the spine's loopback0) and SSM range as the spine.
ip pim rp-address 192.168.1.100 group-list 224.0.0.0/4
ip pim ssm range 232.0.0.0/8

! VLAN <-> VNI mapping, identical on every leaf so the same VNI means the same segment.
vlan 10                                               //Mapping VLAN to VxLAN VNI
  vn-segment 160010
vlan 20
  vn-segment 160020

! vPC domain 10 with Leaf-3. No VRF is given on the keepalive, so it uses the default
! (VRF management) and therefore travels over mgmt0 configured below.
vrf context management
vpc domain 10
  peer-switch
  peer-keepalive destination 172.16.1.2 source 172.16.1.1
  peer-gateway

! Downlink to SW2 is vPC 2: SW2 bundles one link to each leaf into a single port-channel.
interface port-channel2                         //downlink to SW2
  switchport access vlan 10
  vpc 2

! vPC peer-link (Ethernet1/6-1/7) carrying all VLANs between the two leaves.
interface port-channel200                     //vpc peer-link
  switchport mode trunk
  spanning-tree port type network
  vpc peer-link

! VTEP sourced from loopback0; both VNIs flood via the same multicast group.
! NOTE(review): standard VXLAN caveat — the encapsulation carries no authentication, so the
! underlay addresses must not be reachable from untrusted segments.
interface nve1                            //Creating and Configuring an NVE Interface and Associate VNIs
  no shutdown
  source-interface loopback0
  member vni 160010 mcast-group 231.1.1.1
  member vni 160020 mcast-group 231.1.1.1

! Member of vPC 2 towards SW2.
! NOTE(review): no "no shutdown" here or on Ethernet1/6-1/7; on platforms that default to
! "system default switchport shutdown" these ports stay admin-down — confirm in the lab.
interface Ethernet1/1
  switchport access vlan 10
  channel-group 2 mode active

! Routed underlay uplink to the spine's Ethernet1/2 (192.168.1.5/30).
interface Ethernet1/2                               //uplink to Spine
  no switchport
  ip address 192.168.1.6/30
  ip router ospf 1 area 0.0.0.0
  ip pim sparse-mode

  no shutdown

interface Ethernet1/6
  switchport mode trunk
  channel-group 200 mode active

interface Ethernet1/7
  switchport mode trunk

  channel-group 200 mode active

! Out-of-band management port, used only for the vPC keepalive in this lab.
interface mgmt0                                      //vpc keep-alive
  vrf member management
  ip address 172.16.1.1/24

! 192.168.2.3 is this leaf's own address; the secondary 192.168.2.1 is shared with Leaf-3
! and is the address the vPC pair presents to remote VTEPs (anycast VTEP).
interface loopback0
  ip address 192.168.2.3/32
  ip address 192.168.2.1/32 secondary
  ip router ospf 1 area 0.0.0.0

  ip pim sparse-mode

router ospf 1

  router-id 192.168.2.3

  • Leaf-3's Configuration

! Leaf-3: the other half of the vPC VTEP pair with Leaf-2. lacp is needed for
! "channel-group ... mode active"; vpc for the domain below.
feature ospf
feature pim
feature vn-segment-vlan-based          //Configures the global mode for all VxLAN bridge domains
feature lacp
feature vpc
feature nv overlay                              //Enables the VxLAN feature

! Same static RP (the spine's loopback0) and SSM range as the spine.
ip pim rp-address 192.168.1.100 group-list 224.0.0.0/4
ip pim ssm range 232.0.0.0/8

! VLAN <-> VNI mapping, identical on every leaf so the same VNI means the same segment.
vlan 10                                               //Mapping VLAN to VxLAN VNI
  vn-segment 160010
vlan 20
  vn-segment 160020

! vPC domain 10 with Leaf-2; keepalive addresses are the mirror image of Leaf-2's.
! No VRF is given, so the keepalive uses the default (VRF management) over mgmt0.
vrf context management
vpc domain 10
  peer-switch
  peer-keepalive destination 172.16.1.1 source 172.16.1.2
  peer-gateway

! Downlink to SW2 is vPC 2: SW2 bundles one link to each leaf into a single port-channel.
interface port-channel2                        //downlink to SW2
  switchport access vlan 10
  vpc 2

! vPC peer-link (Ethernet1/6-1/7) carrying all VLANs between the two leaves.
interface port-channel200                     //vpc peer-link
  switchport mode trunk
  spanning-tree port type network
  vpc peer-link

! VTEP sourced from loopback0; both VNIs flood via the same multicast group.
! NOTE(review): standard VXLAN caveat — the encapsulation carries no authentication, so the
! underlay addresses must not be reachable from untrusted segments.
interface nve1                                       //Creating and Configuring an NVE Interface and Associate VNIs
  no shutdown
  source-interface loopback0
  member vni 160010 mcast-group 231.1.1.1

  member vni 160020 mcast-group 231.1.1.1

! Member of vPC 2 towards SW2.
! NOTE(review): no "no shutdown" here or on Ethernet1/6-1/7; on platforms that default to
! "system default switchport shutdown" these ports stay admin-down — confirm in the lab.
interface Ethernet1/1
  switchport access vlan 10
  channel-group 2 mode active

! Routed underlay uplink to the spine's Ethernet1/3 (192.168.1.13/30).
interface Ethernet1/2                                            //uplink to Spine
  no switchport
  ip address 192.168.1.14/30
  ip router ospf 1 area 0.0.0.0
  ip pim sparse-mode

  no shutdown

interface Ethernet1/6
  switchport mode trunk
  channel-group 200 mode active

interface Ethernet1/7
  switchport mode trunk

  channel-group 200 mode active

! Out-of-band management port, used only for the vPC keepalive in this lab.
interface mgmt0                                         //vpc keep-alive
  vrf member management
  ip address 172.16.1.2/24

! 192.168.2.4 is this leaf's own address; the secondary 192.168.2.1 is shared with Leaf-2
! and is the address the vPC pair presents to remote VTEPs (anycast VTEP).
interface loopback0
  ip address 192.168.2.4/32
  ip address 192.168.2.1/32 secondary
  ip router ospf 1 area 0.0.0.0

  ip pim sparse-mode

router ospf 1

  router-id 192.168.2.4

  • SW1's Configuration
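! SW1: IOS access switch behind Leaf-1. Frames leave Ethernet0/0 untagged; Leaf-1's
! access port puts them in VLAN 10, which is mapped to VNI 160010.
interface Ethernet0/0                   //uplink to Leaf-1
  ! Pin the port to access mode. The original left the IOS default (DTP dynamic auto),
  ! which would accept a trunk negotiation from the far end; "switchport nonegotiate"
  ! can additionally stop DTP frames being sent.
  switchport mode access
  switchport access vlan 1

! Test host address on the overlay subnet shared with SW2 (172.16.99.0/24).
interface vlan 1
  ip address 172.16.99.111 255.255.255.0
  no shutdown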

  • SW2's Configuration

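! SW2: IOS access switch dual-homed to the Leaf-2/Leaf-3 vPC pair. Ethernet0/0 and
! Ethernet0/1 are bundled with LACP into Port-channel1, which the leaves see as vPC 2.
interface Port-channel1              //uplink to Leaf-2 and Leaf-3
  ! Pin the bundle to access mode; the original left the IOS default (DTP dynamic auto).
  ! Settings on the port-channel propagate to its members, but they are repeated on the
  ! physical ports so the member config matches the bundle.
  switchport mode access
  switchport access vlan 1

interface Ethernet0/0
  switchport mode access
  channel-protocol lacp
  channel-group 1 mode active

interface Ethernet0/1
  switchport mode access
  channel-protocol lacp
  channel-group 1 mode active

! Test host address on the overlay subnet shared with SW1 (172.16.99.0/24).
interface vlan 1
  ip address 172.16.99.222 255.255.255.0
  no shutdown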

2019年6月9日 星期日

Configure VXLAN Flood and Learn with Multicast Core


  • Spine's Configuration

! Spine: pure underlay device. OSPF gives VTEP loopback reachability; PIM replicates the
! leaves' BUM (broadcast / unknown-unicast / multicast) traffic in the multicast core.
feature ospf
feature pim

! Static RP for every ASM group (224/4): this spine's own loopback0. The VNI flood group
! 231.1.1.1 used by the leaves falls in this range. 232/8 restates the default SSM range.
ip pim rp-address 192.168.1.100 group-list 224.0.0.0/4
ip pim ssm range 232.0.0.0/8

! Routed /30 downlinks, one per leaf, all in OSPF area 0 with PIM sparse-mode.
! NOTE(review): OSPF and PIM run unauthenticated here. Outside a lab, OSPF
! message-digest authentication and a PIM neighbor policy limit who can peer with the spine.
interface Ethernet1/1                     //downlink to Leaf-1
  no switchport
  ip address 192.168.1.9/30
  ip router ospf 1 area 0.0.0.0
  ip pim sparse-mode
  no shutdown

interface Ethernet1/2                    //downlink to Leaf-2
  no switchport
  ip address 192.168.1.5/30
  ip router ospf 1 area 0.0.0.0
  ip pim sparse-mode
  no shutdown

! Loopback0 is both the OSPF router-id and the RP address advertised above.
interface loopback0
  ip address 192.168.1.100/32
  ip router ospf 1 area 0.0.0.0
  ip pim sparse-mode

router ospf 1
  router-id 192.168.1.100


  • Leaf-1's Configuration

! Leaf-1: VTEP. OSPF for underlay reachability, PIM for BUM replication.
feature ospf
feature pim
feature vn-segment-vlan-based           //Configures the global mode for all VxLAN bridge domains
feature nv overlay                               //Enables the VxLAN feature

! Same static RP (the spine's loopback0) and SSM range as the spine.
ip pim rp-address 192.168.1.100 group-list 224.0.0.0/4
ip pim ssm range 232.0.0.0/8

! VLAN <-> VNI mapping; the VNI, not the VLAN id, is what travels in the VXLAN header.
vlan 10                                                //Mapping VLAN to VxLAN VNI
  vn-segment 160010
vlan 20
  vn-segment 160020

! VTEP: encapsulated traffic is sourced from loopback0 (192.168.2.5). Both VNIs share one
! multicast group, so BUM traffic of either VNI is delivered to every VTEP joined to 231.1.1.1.
! NOTE(review): standard VXLAN caveat — the encapsulation carries no authentication, so any
! device that can reach the VTEP address must be trusted; keep the underlay isolated from
! the overlay subnets.
interface nve1                       //Creating and Configuring an NVE Interface and Associate VNIs
  source-interface loopback0
  member vni 160010 mcast-group 231.1.1.1
  member vni 160020 mcast-group 231.1.1.1
  no shutdown

! Routed underlay uplink: OSPF area 0 plus PIM sparse-mode, peering with the spine's
! Ethernet1/1 (192.168.1.9/30).
interface Ethernet1/1                      //uplink to Spine
  no switchport
  ip address 192.168.1.10/30
  ip router ospf 1 area 0.0.0.0
  ip pim sparse-mode
  no shutdown

! Untagged frames from SW1 enter VLAN 10 and are therefore carried in VNI 160010.
interface Ethernet1/2                     //downlink to SW1
  switchport
  switchport access vlan 10
  no shutdown

! VTEP address; advertised into OSPF so the other leaf can reach it.
interface loopback0
  ip address 192.168.2.5/32
  ip router ospf 1 area 0.0.0.0
  ip pim sparse-mode

router ospf 1
  router-id 192.168.2.5


  • Leaf-2's Configuration

! Leaf-2: VTEP, mirror of Leaf-1. OSPF for underlay reachability, PIM for BUM replication;
! vn-segment-vlan-based and nv overlay enable VLAN-based VXLAN.
feature ospf
feature pim
feature vn-segment-vlan-based
feature nv overlay

! Same static RP (the spine's loopback0) and SSM range as the spine.
ip pim rp-address 192.168.1.100 group-list 224.0.0.0/4
ip pim ssm range 232.0.0.0/8

! VLAN <-> VNI mapping, identical to Leaf-1 so VLAN 10 on both sides is the same segment.
vlan 10
  vn-segment 160010
vlan 20
  vn-segment 160020

! VTEP: encapsulated traffic is sourced from loopback0 (192.168.2.3). Both VNIs share the
! multicast group 231.1.1.1 also used by Leaf-1.
! NOTE(review): standard VXLAN caveat — the encapsulation carries no authentication, so the
! underlay addresses must not be reachable from untrusted segments.
interface nve1
  source-interface loopback0
  member vni 160010 mcast-group 231.1.1.1
  member vni 160020 mcast-group 231.1.1.1
  no shutdown

! Routed underlay uplink to the spine's Ethernet1/2 (192.168.1.5/30).
interface Ethernet1/2                     //uplink to Spine
  no switchport
  ip address 192.168.1.6/30
  ip router ospf 1 area 0.0.0.0
  ip pim sparse-mode
  no shutdown

! Untagged frames from SW2 enter VLAN 10 and are therefore carried in VNI 160010.
interface Ethernet1/1                    //downlink to SW2
  switchport
  switchport access vlan 10
  no shutdown

! VTEP address; advertised into OSPF so Leaf-1 can reach it.
interface loopback0
  ip address 192.168.2.3/32
  ip router ospf 1 area 0.0.0.0
  ip pim sparse-mode

router ospf 1
  router-id 192.168.2.3


  • SW1's Configuration

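! SW1: IOS access switch behind Leaf-1. Frames leave Ethernet0/0 untagged; Leaf-1's
! access port puts them in VLAN 10, which is mapped to VNI 160010.
interface Ethernet0/0                   //uplink to Leaf-1
  ! Pin the port to access mode. The original left the IOS default (DTP dynamic auto),
  ! which would accept a trunk negotiation from the far end; "switchport nonegotiate"
  ! can additionally stop DTP frames being sent.
  switchport mode access
  switchport access vlan 1

! Test host address on the overlay subnet shared with SW2 (172.16.99.0/24).
interface vlan 1
  ip address 172.16.99.111 255.255.255.0
  no shutdown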


  • SW2's Configuration

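! SW2: IOS access switch behind Leaf-2. Frames leave Ethernet0/0 untagged; Leaf-2's
! access port puts them in VLAN 10, which is mapped to VNI 160010.
interface Ethernet0/0                 //uplink to Leaf-2
  ! Pin the port to access mode. The original left the IOS default (DTP dynamic auto),
  ! which would accept a trunk negotiation from the far end; "switchport nonegotiate"
  ! can additionally stop DTP frames being sent.
  switchport mode access
  switchport access vlan 1

! Test host address on the overlay subnet shared with SW1 (172.16.99.0/24).
interface vlan 1
  ip address 172.16.99.222 255.255.255.0
  no shutdown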