Latest Publications

Cisco Multiple SSID assigned to VLAN

Armed with a Cisco 877W or an Aironet AP, it would be good to have multiple SSIDs assigned to their own VLANs, each with its own WPA password.

The only restriction is that only one SSID can broadcast its name (guest-mode). In my application I have a “public” SSID with limited access and then additional ones which connect to other devices.

Define your SSIDs along with their VLANs etc.

dot11 ssid PUBLIC
  vlan 1
  authentication open
  authentication key-management wpa
  guest-mode
  wpa-psk ascii PUBLICPASSWORD

dot11 ssid PRIVATE1
  vlan 2
  authentication open
  authentication key-management wpa
  wpa-psk ascii PRIVATEPASSWORD1

dot11 ssid PRIVATE2
  vlan 3
  authentication open
  authentication key-management wpa
  wpa-psk ascii PRIVATEPASSWORD2

Next, set up your radio interface.

interface Dot11Radio0
  no ip address
  no ip route-cache

  encryption vlan 1 mode ciphers tkip
  encryption vlan 2 mode ciphers tkip
  encryption vlan 3 mode ciphers tkip

  ssid PUBLIC
  ssid PRIVATE1
  ssid PRIVATE2

  speed default (you may wish to leave this at defaults)
  channel least-congested (you may wish to hard code this)
  station-role root
  rts threshold 2312

Now configure “integrated routing and bridging” (IRB), which allows the L3 interfaces to be integrated with multiple bridged interfaces.

bridge irb

bridge 1 protocol ieee
bridge 1 route ip
bridge 2 protocol ieee
bridge 2 route ip
bridge 3 protocol ieee
bridge 3 route ip

Now join the layer 2 radio subinterfaces you create to their bridge groups.

interface Dot11Radio0.1
  no ip address
  encapsulation dot1q 1 native
  bridge-group 1
  bridge-group 1 subscriber-loop-control
  bridge-group 1 block-unknown-source
  no bridge-group 1 source-learning
  no bridge-group 1 unicast-flooding
  bridge-group 1 spanning-disabled

interface Dot11Radio0.2
  no ip address
  encapsulation dot1q 2 native
  bridge-group 2
  bridge-group 2 subscriber-loop-control
  bridge-group 2 block-unknown-source
  no bridge-group 2 source-learning
  no bridge-group 2 unicast-flooding
  bridge-group 2 spanning-disabled

interface Dot11Radio0.3
  no ip address
  encapsulation dot1q 3 native
  bridge-group 3
  bridge-group 3 subscriber-loop-control
  bridge-group 3 block-unknown-source
  no bridge-group 3 source-learning
  no bridge-group 3 unicast-flooding
  bridge-group 3 spanning-disabled

Now if you have an 877W and the VLANs exist, then you just need to put the VLAN interfaces into the bridge groups.

interface Vlan1
  no ip address
  bridge-group 1

interface Vlan2
  no ip address
  bridge-group 2

interface Vlan3
  no ip address
  bridge-group 3

(or, if you have physical interfaces)

interface FastEthernet0/0.1
  encapsulation dot1q 1 native
  no ip address
  bridge-group 1

interface FastEthernet0/0.2
  encapsulation dot1q 2
  no ip address
  bridge-group 2

interface FastEthernet0/0.3
  encapsulation dot1q 3
  no ip address
  bridge-group 3

Now create the Layer 3 interface associated with each bridge group.

interface BVI1
  ip address 10.10.1.1 255.255.255.0

interface BVI2
  ip address 10.10.2.1 255.255.255.0

interface BVI3
  ip address 10.10.3.1 255.255.255.0

There is other configuration on this device, not specific to multi-SSID, which is outside the scope of this note, for example creating the VLANs in the first place and configuring the connected devices.
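As a check on the whole procedure above, the following Python is an added example (not part of the original post) that parses a config in the style of the listings and reports the inconsistencies that make a multi-SSID setup fail silently: an SSID defined but not bound to the radio, a VLAN with no well-formed encryption line, a subinterface whose dot1q VLAN does not match its bridge-group number, a VLAN without a BVI, and more than one guest-mode SSID. It also reports TKIP, the cipher used in the listings: where the IOS release supports it, “encryption vlan N mode ciphers aes-ccm” together with “authentication key-management wpa version 2” gives WPA2/AES and is the stronger choice. The sample config, the function names and the assumption that VLAN number equals bridge-group number (as in the listings) are mine; the sample deliberately carries two slips for the checker to find.

```python
import re

# Constructed sample in the style of the listings above (not the post's own
# text). It deliberately carries two slips: the misspelled keyword "cipthers"
# on VLAN 3, and FastEthernet0/0.3 (dot1q 3) placed in bridge-group 1.
SAMPLE_CONFIG = """
dot11 ssid PUBLIC
  vlan 1
  guest-mode
dot11 ssid PRIVATE1
  vlan 2
dot11 ssid PRIVATE2
  vlan 3
interface Dot11Radio0
  encryption vlan 1 mode ciphers tkip
  encryption vlan 2 mode ciphers tkip
  encryption vlan 3 mode cipthers tkip
  ssid PUBLIC
  ssid PRIVATE1
  ssid PRIVATE2
interface FastEthernet0/0.1
  encapsulation dot1q 1 native
  bridge-group 1
interface FastEthernet0/0.2
  encapsulation dot1q 2
  bridge-group 2
interface FastEthernet0/0.3
  encapsulation dot1q 3
  bridge-group 1
interface BVI1
interface BVI2
interface BVI3
"""

STRONG_CIPHERS = {"aes-ccm"}   # anything else (tkip, wep) is reported


def parse_config(text):
    """Collect the pieces the multi-SSID/VLAN design depends on, keyed by the
    section header (dot11 ssid ... or interface ...) each line sits under."""
    c = {"ssid_vlan": {}, "radio_ssids": set(), "enc": {}, "subif": {},
         "bvis": set(), "guest": []}
    section = None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := re.match(r"dot11 ssid (\S+)$", line):
            section = ("ssid", m.group(1))
        elif m := re.match(r"interface (\S+)$", line):
            section = ("if", m.group(1))
            if m.group(1).startswith("BVI"):
                c["bvis"].add(int(m.group(1)[3:]))
            elif m.group(1).startswith("Vlan"):          # 877W SVI form
                c["subif"][m.group(1)] = (int(m.group(1)[4:]), None)
        elif section and section[0] == "ssid":
            if m := re.match(r"vlan (\d+)$", line):
                c["ssid_vlan"][section[1]] = int(m.group(1))
            elif line == "guest-mode":
                c["guest"].append(section[1])
        elif section and section[1] == "Dot11Radio0":   # the physical radio
            if m := re.match(r"encryption vlan (\d+) mode ciphers (\S+)$", line):
                c["enc"][int(m.group(1))] = m.group(2)
            elif m := re.match(r"ssid (\S+)$", line):
                c["radio_ssids"].add(m.group(1))
        elif section and not section[1].startswith("BVI"):  # bridged interface
            vlan, bg = c["subif"].get(section[1], (None, None))
            if m := re.match(r"encapsulation dot1q (\d+)", line):
                vlan = int(m.group(1))
            elif m := re.match(r"bridge-group (\d+)$", line):
                bg = int(m.group(1))
            c["subif"][section[1]] = (vlan, bg)
    return c


def check_config(text):
    """Return a list of findings; an empty list means the listing is consistent
    and every VLAN is protected by a strong cipher."""
    c, findings = parse_config(text), []
    for ssid, vlan in c["ssid_vlan"].items():
        if ssid not in c["radio_ssids"]:
            findings.append(f"SSID {ssid} is defined but not bound to Dot11Radio0")
        cipher = c["enc"].get(vlan)
        if cipher is None:
            findings.append(f"VLAN {vlan} ({ssid}) has no well-formed encryption line")
        elif cipher not in STRONG_CIPHERS:
            findings.append(f"VLAN {vlan} ({ssid}) uses {cipher}; prefer aes-ccm")
        if vlan not in c["bvis"]:
            findings.append(f"VLAN {vlan} ({ssid}) has no BVI{vlan} layer 3 interface")
    if len(c["guest"]) > 1:
        findings.append("more than one SSID has guest-mode: " + ", ".join(c["guest"]))
    for name, (vlan, bg) in c["subif"].items():
        if vlan is None or bg is None:
            findings.append(f"{name} lacks an encapsulation dot1q or bridge-group line")
        elif vlan != bg:
            findings.append(f"{name} carries VLAN {vlan} but sits in bridge-group {bg}")
    return findings
```

Feed check_config the saved output of “show running-config”; an empty result means the chain SSID, VLAN, subinterface, bridge group, BVI is complete and consistent. On the sample it reports the two slips plus one TKIP warning per VLAN.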

Good luck

Mick

Gus is teething

Just posting a note to say Gus is teething (on everything and everyone). We’ve tried various toys to save the fingers and furniture but it’s not to be … puppies.

Some photos during a wild 10 mins last night.

Out of Office Messages on CME

Announcements can be sent from a voice gateway (router) without the need to write complex gateway scripts or the use of CUE (Cisco Unity Express).

All you need is a VXML script and an audio file (I would suggest recording it in G729r8 format; see a future post on how to create these from the router too).

Instructions

Create the vxml script which should contain something like the following:

<?xml version="1.0" encoding="iso-8859-1"?>
<vxml version="2.0">

<!--
Out Of Office Announcement
File Name : oooa.vxml
Description: Plays back an out of office announcement message

-->

<var name="option"/>
<form id="main">
 <block>
 <prompt><audio src="flash:oooa.au"/></prompt>
 </block>
</form>
</vxml>

Upload this script along with the audio file (which I’ve called oooa.vxml and oooa.au) to the router flash. Then install the application by entering the following commands:

Router# conf t
Router(config)# application
Router(config-app)# service oooa flash:oooa.vxml
Router(config-app-param)# end
Router# wr mem

The next thing is to associate the service oooa with a dial-peer. This can be an inbound or an outbound dial-peer; my personal preference is inbound, which is the example I’ll give. That being said, to test this you need to generate an inbound call into the gateway. One thing that isn’t obvious from the documentation is that you can associate this with both pots and voip dial-peers. The fact that it can be associated with voip is the reason I would record the message using g729r8!

Router# conf t
Router(config)# dial-peer voice 3901 voip
Router(config-dial-peer)# incoming called-number 3901
Router(config-dial-peer)# service oooa
Router(config-dial-peer)# codec g729r8
Router(config-dial-peer)# end
Router# wr mem

(The default codec is g729r8, so the codec command is only included for completeness.)
UPDATE: 22/06/2009 – On more recent versions of IOS the default codec for ephones has been iLBC!

Now any call that arrives at this router over H323 for the number 3901 will have the message in oooa.au played to it.

UPDATED:

This application really comes into its own if you call forward on busy, no answer etc. However, the problem is that for this type of application it must exist on the inbound dial-peer, so if you are already in the call manager you are stuck. A simple solution to this is to create a dial-peer pointing at a loopback on the same router. Then set up both a destination-pattern and an incoming called-number the same and your problems are solved.

Router# conf t
Router(config)# interface Loopback 3901
Router(config-if)# ip address 10.10.10.10 255.255.255.255
Router(config-if)# dial-peer voice 3901 voip
Router(config-dial-peer)# incoming called-number 3901
Router(config-dial-peer)# destination-pattern 3901
Router(config-dial-peer)# session target ipv4:10.10.10.10
Router(config-dial-peer)# dtmf-relay h245-alphanumeric
Router(config-dial-peer)# codec g729r8
Router(config-dial-peer)# no vad
Router(config-dial-peer)# end
Router# wr mem

A couple of gotchas I recently walked into: if you have changed the default H323 port on this device from TCP 1720 (to TCP 1844 for example), you need to ensure that the session target is “session target ipv4:10.10.10.10:1844”, otherwise it all looks fine but doesn’t work.

Huey, Dewey and Louie have chillies!

IMPORTANT NEWS: A break from my studies to post an announcement — ALL three of my new chilli plants now have chillies growing. A rough count shows at least three or four on each plant. I will post pictures later today to confirm this momentous occasion.

We have a red chilli !

It’s been nearly two weeks since I’ve posted an update — this has been for a number of reasons primarily studying and secondly since I ditched my XDA Stella I have no easy source of pictures.

So after borrowing my missus camera I have again managed to get some pictures.

Two startling pieces of news.

1. Bill has a red chilli!

2. Huey has three chillies!

The tomato plants are still growing like triffids (all except toms 3 — which nearly drowned in the rain so I needed to drill irrigation holes in the pot).

Huey, Dewey and Louie are going from strength to strength. I have moved Dewey to join Huey on my daughter’s window ledge.

Huey is now : 13 inches high.

Dewey is a massive 22 inches high.

Louie is now : 15 inches high.

All the plants have loads of flowers – Huey has three chillies.

In addition to this Gus our little puppy has today received his first collar and he does look proud. We’ve had him three weeks now and he’s getting big!!!

Patrick’s cucumber plant is going to have outgrown the small green tent soon.

Update on Chillies, Puppy and Garden

Having managed to borrow my missus’ camera I’m able to post an update on where we’re at here.

The chillies have almost doubled in size in the last week.

My son Patrick now has a cucumber which is located outside in the green tent. I’ve moved the tent away from the decking at the bottom of the garden to facilitate the much needed garden bench.

We’ve moved the palm tree around to the back which also joins the bench on the decking and with the umbrella attached I’m ready for studying outside !!!

On a slightly sad note one of the two sunflowers my wife managed to grow from seed has been eaten by something in the garden. And the Jasmine in the front has dropped its one and only flower.

Last but not least our puppy Gus is growing up quite quickly. We’ve nearly got the toilet training sorted but I guess like all teenagers he is rebellious to say the least. And just when you are as mad as you can be – on comes that sweet look …

Laters.

Creating a Thawte CSR and then installing the SSL Certificate on Cisco IOS

This brief note covers getting an SSL certificate registered with Thawte onto a Cisco router running IOS.

1. Create the Trustpoint

This binds the SSL cert to the CA (Certificate Authority), which in this case is Thawte. The subject is where you specify all the usual bits you need in the cert. Also ensure that the fqdn is defined and is the same as the common name; if you don’t, the name of the router will be used instead.

Router# conf t
Router(config)# crypto pki trustpoint thawte.com
Router(ca-trustpoint)# enroll terminal
Router(ca-trustpoint)# serial-number none
Router(ca-trustpoint)# fqdn hostname.domain.com
Router(ca-trustpoint)# ip-address none
Router(ca-trustpoint)# subject-name CN=hostname.domain.com,O=Organisation,OU=Department,L=Location,ST=State,C=Country
Router(ca-trustpoint)# revocation-check none
Router(ca-trustpoint)# end
Router# wr mem

Note the ’subject-name’ is all on one line – due to the width of this page and spaces it is wrapping.

2. Authenticate the CA with the trustpoint

This means loading Thawte’s Premium signing certificate into the router.

It took quite a while to locate Thawte’s Premium Signing Certificate on their website, so there is nothing to stop you cutting and pasting it from this post.

If you wish to get your own copy then you can download the complete set from http://www.thawte.com/roots/. Accept their terms (assuming you do) then download and unpack the zip file.

The file you need is : Thawte SSLWEB Server Roots\thawte Premium Server CA\Thawte Premium Server CA.pem

It is really important you get the right CA certificate file on your router. Unfortunately, if you get the wrong one the process won’t fail until you try to import your new certificate!

Open the file in a text editor and you can then cut and paste at the appropriate time.

Router# conf t
Router(config)# crypto pki authenticate thawte.com
Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
MIIDJzCCApCgAwIBAgIBATANBgkqhkiG9w0BAQQFADCBzjELMAkGA1UEBhMCWkEx
FTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJQ2FwZSBUb3duMR0wGwYD
VQQKExRUaGF3dGUgQ29uc3VsdGluZyBjYzEoMCYGA1UECxMfQ2VydGlmaWNhdGlv
biBTZXJ2aWNlcyBEaXZpc2lvbjEhMB8GA1UEAxMYVGhhd3RlIFByZW1pdW0gU2Vy
dmVyIENBMSgwJgYJKoZIhvcNAQkBFhlwcmVtaXVtLXNlcnZlckB0aGF3dGUuY29t
MB4XDTk2MDgwMTAwMDAwMFoXDTIwMTIzMTIzNTk1OVowgc4xCzAJBgNVBAYTAlpB
MRUwEwYDVQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUgVG93bjEdMBsG
A1UEChMUVGhhd3RlIENvbnN1bHRpbmcgY2MxKDAmBgNVBAsTH0NlcnRpZmljYXRp
b24gU2VydmljZXMgRGl2aXNpb24xITAfBgNVBAMTGFRoYXd0ZSBQcmVtaXVtIFNl
cnZlciBDQTEoMCYGCSqGSIb3DQEJARYZcHJlbWl1bS1zZXJ2ZXJAdGhhd3RlLmNv
bTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA0jY2aovXwlue2oFBYo847kkE
VdbQ7xwblRZH7xhINTpS9CtqBo87L+pW46+GjZ4X9560ZXUCTe/LCaIhUdib0GfQ
ug2SBhRz1JPLlyoAnFxODLz6FVL88kRu2hFKbgifLy3j+ao6hnO2RlNYyIkFvYMR
uHM/qgeN9EJN50CdHDcCAwEAAaMTMBEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG
9w0BAQQFAAOBgQAmSCwWwlj66BZ0DKqqX1Q/8tfJeGBeXm43YyJ3Nn6yF8Q0ufUI
hfzJATj/Tb7yFkJD57taRvvBxhEf8UqwKEbJw8RCfbz6q1lu1bdRiBHjpIUZa4JM
pAwSremkrj/xw0llmozFyD4lt5SZu5IycQfwhl7tUCemDaYj+bvLpgcUQg==
-----END CERTIFICATE-----
quit
Certificate has the following attributes:
Fingerprint MD5: 069F6979 16669002 1B8C8CA2 C3076F3A
Fingerprint SHA1: 627F8D78 27656399 D27D7F90 44C9FEB3 F33EFA9A
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported
Router(config)# end
Router# wr mem

You can now check this certificate

Router#show crypto pki certificate
CA Certificate
 Status: Available
 Certificate Serial Number: 0x1
 Certificate Usage: General Purpose
 Issuer:
 e=premium-server@thawte.com
 cn=Thawte Premium Server CA
 ou=Certification Services Division
 o=Thawte Consulting cc
 l=Cape Town
 st=Western Cape
 c=ZA
 Subject:
 e=premium-server@thawte.com
 cn=Thawte Premium Server CA
 ou=Certification Services Division
 o=Thawte Consulting cc
 l=Cape Town
 st=Western Cape
 c=ZA
 Validity Date:
 start date: 01:00:00 BST Aug 1 1996
 end   date: 23:59:59 GMT Dec 31 2020
 Associated Trustpoints: thawte.com

3. Generate CSR – Begin Certificate enrollment.

This starts the process of getting your own certificate by generating a CSR (Certificate Signing Request).

Router# conf t
Router(config)# crypto pki enroll thawte.com
% Start certificate enrollment ..
% The subject name in the certificate will include: CN=hostname.domain.com,O=Organisation,OU=Department,L=Location,ST=State,C=Country
% The subject name in the certificate will include: hostname.domain.com
Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:
MIICDjCCAXcCAQAwgawxCzAJBgNVBAYTAkdCMQ8wDQYDVQQIEwZMb25kb24xDzAN
BgNVBAcTBkxvbmRvbjEcMBoGA1UECxMTQWNjb3VudHMgRGVwYXJ0bWVudDEdMBsG
A1UEChMUT3VyIfsjkfjsdkfhksdjfklssdfsdfsdfdsfdsWQxGzAZBgNVBAMTEnNzbHZwbi5wb2Jv
(rest of the request omitted)
---End - This line not part of the certificate request---
Redisplay enrollment request? [yes/no]: no
Router(config)# end
Router# wr mem

Now cut out the CSR the router has generated and send it to Thawte.

4. Import Certificate

Once you have received your certificate back from Thawte you need to import it into the router.

Router# conf t
Router(config)# crypto pki import thawte.com certificate

Enter the base 64 encoded certificate.
End with a blank line or the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----
quit
Certificate has the following attributes:
 Fingerprint MD5: 069F6979 16669002 1B8C8CA2 C3076F3A
 Fingerprint SHA1: 627F8D78 27656399 D27D7F90 44C9FEB3 F33EFA9A 

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported
Router(config)# end
Router# wr mem

And you should find you have your certificate registered on your router, for use as required by a secure website or SSL VPN.

RENEWALS:

Unless Thawte’s CA certificate has expired or changed – it presently expires in 2020 – you only need to go through enrolment again. Also, your existing certificate will only be affected when you import the replacement.

So to renew a certificate go back to step 3 and run enrolment.

Update: Please note that Cisco are in the process of changing the IOS command ‘crypto ca’ to ‘crypto pki’; these are presently interchangeable. The commands in this note are in the new style, but you could just as easily have typed ‘crypto ca trustpoint thawte.com’ for example. The config, however, seems to show the new format.

Ubuntu Changing Network Device ID udev/rules.d

I do quite a bit of work with virtual machines based on an ESX platform. One of the advantages of such a platform is the ability to create a template server, then duplicate copies as and when you need one. With most operating systems it’s just a question of changing the IP and hostname and you are in business.

In the case of Ubuntu Linux a udev rule is created for each network interface, bound to the MAC address of the card. This makes loads of sense in the “real world”, but when you create a new VM from the template an additional MAC address is generated. This can be a little frustrating, as the first machine would have an eth0, the second an eth1, the third an eth2 and so on.

The database which stores these values is located in a file :

/etc/udev/rules.d/70-persistent-net.rules

An example of one of mine – on a third install.

# This file was automatically generated by the /lib/udev/write_net_rules
# program, run by the persistent-net-generator.rules rules file.
#
# You can modify it, as long as you keep each rule on a single
# line, and change only the value of the NAME= key.
#
# PCI device 0x8086:0x100f (e1000)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:0c:29:c9:f4:13", ATTR{type}=="1", KERNEL=="eth*", NAME="eth1"
#
# PCI device 0x8086:0x100f (e1000)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:0c:29:c9:f3:19", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"
#
# PCI device 0x8086:0x100f (e1000)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:0c:29:38:fd:fa", ATTR{type}=="1", KERNEL=="eth*", NAME="eth2"

In this case, whilst I would prefer the device to be known as eth0, it is in fact known as eth2.

If the file is amended to the following and a reboot done, all is sorted.

# This file was automatically generated by the /lib/udev/write_net_rules
# program, run by the persistent-net-generator.rules rules file.
#
# You can modify it, as long as you keep each rule on a single
# line, and change only the value of the NAME= key.
#
# PCI device 0x8086:0x100f (e1000)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:0c:29:38:fd:fa", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"

Don’t forget to amend the network configuration to reflect the change of device ID. In the case of Ubuntu this would be /etc/network/interfaces.
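The hand edit described above (drop the rules for cards that are no longer present, rename the survivor eth0) is easy to get wrong across a fleet of clones. The following Python is an added example, not from the post: it takes the rules text and the list of MACs currently present on the clone (read from /sys/class/net, or supplied directly), drops the stale rules and renumbers the rest in file order. The sample rules file reuses the MACs shown above; the function names are mine.

```python
import os
import re

# Constructed sample (MACs and layout follow the post above): the rules file
# left on a VM cloned twice from a template, so the card actually fitted to
# this clone has ended up named eth2.
STALE_RULES = """# This file was automatically generated by the /lib/udev/write_net_rules
# program, run by the persistent-net-generator.rules rules file.
#
# You can modify it, as long as you keep each rule on a single
# line, and change only the value of the NAME= key.
#
# PCI device 0x8086:0x100f (e1000)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:0c:29:c9:f4:13", ATTR{type}=="1", KERNEL=="eth*", NAME="eth1"
#
# PCI device 0x8086:0x100f (e1000)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:0c:29:c9:f3:19", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"
#
# PCI device 0x8086:0x100f (e1000)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:0c:29:38:fd:fa", ATTR{type}=="1", KERNEL=="eth*", NAME="eth2"
"""

RULE_RE = re.compile(r'ATTR\{address\}=="([0-9a-fA-F:]{17})".*NAME="eth\d+"')


def present_macs_from_sysfs(root="/sys/class/net"):
    """MAC of every interface the running kernel can see (Linux only); this is
    what you would feed prune_rules on the cloned VM itself."""
    macs = []
    for dev in os.listdir(root):
        try:
            with open(os.path.join(root, dev, "address")) as fh:
                macs.append(fh.read().strip())
        except OSError:
            pass
    return macs


def prune_rules(text, present_macs):
    """Drop every rule whose MAC is not present on this VM and renumber the
    survivors eth0, eth1, ... in file order. The generated header is kept and
    each surviving rule keeps the '# PCI device' comment that describes it."""
    present = {m.lower() for m in present_macs}
    header, pending, kept, in_header = [], [], [], True
    for line in text.splitlines():
        m = RULE_RE.search(line)
        if m:
            in_header = False
            if m.group(1).lower() in present:
                kept.append(pending + [line])
            pending = []                      # comments of a dropped rule go too
        elif in_header and not line.startswith("# PCI device"):
            header.append(line)
        else:
            in_header = False
            pending.append(line)
    out = list(header)                        # header already ends with a lone "#"
    for n, block in enumerate(kept):
        if n:
            out.append("#")
        out += [c for c in block[:-1] if c != "#"]
        out.append(re.sub(r'NAME="eth\d+"', f'NAME="eth{n}"', block[-1]))
    return "\n".join(out) + "\n"
```

Running prune_rules on the sample with only 00:0c:29:38:fd:fa present yields exactly the single-rule file shown above. Write the result back to /etc/udev/rules.d/70-persistent-net.rules, then update /etc/network/interfaces to match before rebooting.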

Ubuntu 9.04 installation on ESX

Firstly grab a copy of the 64-bit Ubuntu server ISO from the Ubuntu website and store it somewhere you can get to from your ESX box. Over the years I have taken the approach of storing server VMDKs on ESX’s local hard disk and pushing installation media onto a NAS.

(Note: earlier this year we went gigabit ethernet on the NAS LAN, so plans are there to potentially store VMs on a NAS too.)

Install the virtual machine as you would do normally. I selected 64-bit Ubuntu – I’m finding that telling ESX the O/S is a 64-bit version, regardless of whether you actually install the 64-bit version or not, seems to make the virtual machine more stable.

Edit the VM and set the boot media to be the Ubuntu ISO you downloaded earlier and mark it as connected and connected on boot.

Run the installation as you would do on normal hardware.

Now it’s time to install VMware Tools.

From the VMware menu select Install/Upgrade VMware Tools.

Mount the media and extract the installation files into /tmp

mount /cdrom
cd /tmp
tar zxf /media/cdrom/VMwareTools*.tar.gz

As part of the installation some compiling needs to be done, so we’ll need to install the build tools and kernel headers unless they’re already there.

sudo apt-get install build-essential linux-headers-`uname -r`

The config.h file, whilst needed, is not created by default, so an empty one is created so the build will complete.

sudo touch /usr/src/linux-headers-`uname -r`/include/linux/config.h

(Thanks https://help.ubuntu.com/community/VMware for the tip on this).

cd vmware-tools-distrib
sudo ./vmware-install.pl

Follow the prompts for the installation – shared folders fail to build, but in the ESX environment they’re not essential.

Reboot the box and you are in business.

More of Gus playing in the garden

More pictures of Gus playing with the children in the garden.