
Nay Pyi Taw 2017

LAN Sub-System Installation & Commissioning Procedures

TABLE OF CONTENTS

I. INTRODUCTION
I.1. PURPOSE
I.2. REFERENCES

II. NEXUS N9K-C9508 CONFIGURATION
II.1. BASIC CONFIGURATION
II.2. CONFIGURE VLAN (ON BOTH SWITCHES)
II.3. CONFIGURE VPC
II.4. CONNECT TO OTHER DEVICES
II.5. CONFIGURE L3 GATEWAY FOR ALL DEVICES
II.6. CONFIGURE DEFAULT ROUTING (ON BOTH SWITCHES)

III. CONFIGURE ACCESS SWITCH 3850
III.1. PHYSICAL CABLING
III.2. CONFIGURE THE HOSTNAME FOR SWITCH IDENTIFICATION
III.3. CONFIGURING A LAN INTERFACE AS A LAYER 2 ACCESS PORT
III.4. CONFIGURE MANAGEMENT IP ADDRESS ON AN IN-BAND INTERFACE
III.5. CONFIGURE PORT-CHANNEL CONNECT TO CORE SWITCH
III.6. CONFIGURE VTP
III.7. CONFIGURE INTERFACE CONNECT WITH USERS

IV. CONFIGURE CISCO PRIME INFRASTRUCTURE
IV.1. SYSTEM REQUIREMENTS
IV.2. INSTALL CISCO PRIME INFRASTRUCTURE
IV.3. CONFIGURE DEVICE MONITORING
IV.4. CONFIGURE THE MONITORING POLICY
IV.5. CONFIGURE ADMINISTRATOR POLICY
IV.5.1. Configure SMTP server
IV.5.2. Create the configuration file and push into the network device
IV.5.3. Configuration Management

V. SETUP SYMANTEC ENDPOINT PROTECTION MANAGER
V.1. INSTALL MICROSOFT SQL CLIENT TOOLS
V.2. INSTALL MANAGEMENT SERVER AND CONSOLE

VI. CONFIGURE THE WIFI SYSTEM AT HQ
VI.1. CONFIGURE ACCESS SWITCH 3850 CONNECT TO ACCESS POINT
VI.2. CONFIGURE PORT ON NEXUS WHICH CONNECTS TO WLC 2504
VI.3. CONFIGURE WLC 2504
VI.3.1. Initial Set-up
VI.3.2. Configure LDAP server on WLC
VI.3.3. Create the INTERNAL and GUEST wifi
VI.4. CONFIGURE AP ON WLC
VI.5. CONFIGURE FLEXCONNECT

VII. CONFIGURE AUTONOMOUS AP AT BRANCH

I. INTRODUCTION
I.1. Purpose
The purpose of this document is to describe in technical terms the steps necessary
to install and configure the LAN module for the project.

I.2. References
This installation guide is based on the “MPFMp-GS101-DES-IT-IRD-System” document.

II. NEXUS N9K-C9508 CONFIGURATION


II.1. Basic configuration
On DC2-N9K-CS1
switchname DC2-N9K-CS1
username adminird password ******** role network-admin
feature interface-vlan
feature hsrp
feature lacp
feature dhcp
feature vpc
feature lldp
service dhcp
ip dhcp relay
no ipv6 dhcp relay

On DC2-N9K-CS2
switchname DC2-N9K-CS2
username adminird password ******** role network-admin
feature interface-vlan
feature hsrp
feature lacp
feature dhcp
feature vpc
feature lldp
service dhcp
ip dhcp relay
no ipv6 dhcp relay

II.2. Configure VLAN (on both switches)


vlan 61
name LAN1
!
vlan 62
name LAN2
!
vlan 63
name LAN3
!
vlan 64
name LAN4
!
vlan 65
name LAN5
!
vlan 66
name LAN6
!
vlan 90
name WIFI_INTERNAL
!
vlan 92
name WIFI_GUEST
!
vlan 99
name BRIDGE
!
vlan 100
name MGMT
!
vlan 101
name SVR1
!
vlan 102
name SVR2
!
vlan 103
name SVR3
!
vlan 104
name SVR4

II.3. Configure VPC


Step 1: enable VPC feature and configure the vpc domain ID on both switches
feature vpc
vpc domain 1

Step 2: Choose a peer keep alive deployment

On DC2-N9K-CS1:


vrf context vpc-keepalive


!
interface eth1/3
channel-group 99 mode active
no shutdown
!
interface eth3/3
channel-group 99 mode active
no shutdown
!
interface port-channel 99
no switchport
vrf member vpc-keepalive
ip address 10.2.60.5/30
no shutdown
!

On DC2-N9K-CS2

vrf context vpc-keepalive


interface eth1/3
channel-group 99 mode active
no shutdown
!
interface eth3/3
channel-group 99 mode active
no shutdown
!
interface port-channel 99
no switchport
vrf member vpc-keepalive
ip address 10.2.60.6/30
no shutdown
!

Step 3: Establish the VPC Peer Keepalive link


On DC2-N9K-CS1:

vpc domain 1
peer-switch
role priority 1
peer-keepalive destination 10.2.60.6 source 10.2.60.5 vrf vpc-keepalive
peer-gateway
auto-recovery

On DC2-N9K-CS2:


vpc domain 1
peer-switch
role priority 2
peer-keepalive destination 10.2.60.5 source 10.2.60.6 vrf vpc-keepalive
peer-gateway
auto-recovery

Step 4: Configure the VPC peer-link on both switches


feature lacp
!
interface Ethernet 5/47-48
description ***VPC PEER LINK***
switchport
switchport mode trunk
channel-group 100 mode active
no shutdown
!
interface port-channel 100
description ***VPC PEER LINK***
switchport
switchport mode trunk
vpc peer-link
no shutdown
!

II.4. Connect to other devices


Connect to WLC:
On DC2-N9K-CS1:
interface eth3/5
description connect_to_WLC
switchport
switchport mode trunk
switchport trunk native vlan 98
channel-group 305
no shutdown
!
interface port-channel 305
description connect_to_WLC
vpc 305
switchport mode trunk
switchport trunk native vlan 98

On DC2-N9K-CS2:


interface eth3/5
description connect_to_WLC
switchport
switchport mode trunk
switchport trunk native vlan 98
channel-group 305
no shutdown
!
interface port-channel 305
description connect_to_WLC
vpc 305
switchport mode trunk
switchport trunk native vlan 98

Connect to Prime Infrastructure:


On DC2-N9K-CS1:
interface eth3/4
switchport
description connect_to_PI
switchport mode access
switchport access vlan 100

On DC2-N9K-CS2:
Interface eth1/2
switchport
description connect_to_PI_CIMC
switchport mode access
switchport access vlan 100
!
Interface eth3/4
switchport
description connect_to_PI
switchport mode access
switchport access vlan 100

Connect to DC2-A5K-FW01:
On DC2-N9K-CS1:
interface eth3/1
channel-group 301 mode active
interface port-channel 301
description connect_to_DC2-A5K-FW01
vpc 301
switchport mode trunk

On DC2-N9K-CS2:


interface eth3/1
channel-group 301 mode active
interface port-channel 301
description connect_to_DC2-A5K-FW01
vpc 301
switchport mode trunk

Connect to DC2-A5K-FW02:
On DC2-N9K-CS1:
interface eth3/2
channel-group 302 mode active
interface port-channel 302
description connect_to_DC2-A5K-FW02
vpc 302
switchport mode trunk

On DC2-N9K-CS2:
interface eth3/2
channel-group 302 mode active
interface port-channel 302
description connect_to_DC2-A5K-FW02
vpc 302
switchport mode trunk

Connect to HQ-C3K-AC
On DC2-N9K-CS1:
interface ethernet5/x (x from 1 to 6)
channel-group 50x mode active
interface port-channel 50x
description connect_to_HQ-C3K-ACx
vpc 50x
switchport mode trunk

On DC2-N9K-CS2:
interface ethernet5/x (x from 1 to 6)
channel-group 50x mode active
interface port-channel 50x
description connect_to_HQ-C3K-ACx
vpc 50x
switchport mode trunk

II.5. Configure L3 gateway for all devices


On DC2-N9K-CS1:


interface Vlan1
shutdown
description unused

interface Vlan61
no shutdown
ip address 10.2.61.2/24
hsrp 1
preempt
ip 10.2.61.1

interface Vlan62
no shutdown
ip address 10.2.62.2/24
hsrp 1
preempt
ip 10.2.62.1

interface Vlan63
no shutdown
ip address 10.2.63.2/24
hsrp 1
preempt
ip 10.2.63.1

interface Vlan64
no shutdown
ip address 10.2.64.2/24
hsrp 1
preempt
ip 10.2.64.1

interface Vlan90
no shutdown
ip address 10.2.90.2/23
hsrp 1
preempt
ip 10.2.90.1

interface Vlan92
no shutdown
ip address 10.2.92.2/24
hsrp 1
preempt
ip 10.2.92.1

interface Vlan99
no shutdown
ip address 10.2.99.2/24
hsrp version 2
hsrp 1
preempt
ip 10.2.99.1

interface Vlan100
no shutdown
ip address 10.2.100.2/24
hsrp 1
preempt
ip 10.2.100.1

interface Vlan101
no shutdown
ip address 10.2.101.2/24
hsrp 1
preempt
ip 10.2.101.1

interface Vlan102
no shutdown
ip address 10.2.102.2/24
hsrp 1
preempt
ip 10.2.102.1

interface Vlan103
no shutdown
ip address 10.2.103.2/24
hsrp 1
preempt
ip 10.2.103.1

interface Vlan104
no shutdown
ip address 10.2.104.2/24
hsrp 1
preempt
ip 10.2.104.1

On DC2-N9K-CS2:


interface Vlan1
shutdown
description unused

interface Vlan61
no shutdown
ip address 10.2.61.3/24
hsrp 1
priority 90
ip 10.2.61.1

interface Vlan62
no shutdown
ip address 10.2.62.3/24
hsrp 1
priority 90
ip 10.2.62.1

interface Vlan63
no shutdown
ip address 10.2.63.3/24
hsrp 1
priority 90
ip 10.2.63.1

interface Vlan64
no shutdown
ip address 10.2.64.3/24
hsrp 1
priority 90
ip 10.2.64.1

interface Vlan65
no shutdown
ip address 10.2.65.3/24
hsrp 1
priority 90
ip 10.2.65.1

interface Vlan90
no shutdown
ip address 10.2.90.3/23
hsrp 1
priority 90
ip 10.2.90.1

interface Vlan92
no shutdown
ip address 10.2.92.3/24
hsrp 1
priority 90
ip 10.2.92.1


interface Vlan99
no shutdown
ip address 10.2.99.3/24
hsrp version 2
hsrp 1
priority 90
ip 10.2.99.1

interface Vlan100
no shutdown
no ip redirects
ip address 10.2.100.3/24
no ipv6 redirects
hsrp 1
priority 90
ip 10.2.100.1
ip dhcp relay address 10.2.103.20

interface Vlan101
no shutdown
ip address 10.2.101.3/24
hsrp 1
priority 90
ip 10.2.101.1

interface Vlan102
no shutdown
ip address 10.2.102.3/24
hsrp 1
priority 90
ip 10.2.102.1

interface Vlan103
no shutdown
ip address 10.2.103.3/24
hsrp 1
priority 90
ip 10.2.103.1

interface Vlan104
no shutdown
ip address 10.2.104.3/24
hsrp 1
priority 90
ip 10.2.104.1
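
A consistency check for the two SVI/HSRP listings above, added here as an example and not part of the original procedure. It parses NX-OS style stanzas from both peers and reports VLANs whose gateway exists on only one switch, mismatched or out-of-subnet HSRP virtual IPs, and equal priorities. The embedded excerpts are constructed from the addresses listed above (in those listings Vlan65 appears only under DC2-N9K-CS2); the function names are this example's own.

```python
import ipaddress
import re

# Constructed excerpts: a subset of the SVI stanzas listed above, same addresses.
CS1 = """
interface Vlan61
  ip address 10.2.61.2/24
  hsrp 1
    preempt
    ip 10.2.61.1
interface Vlan64
  ip address 10.2.64.2/24
  hsrp 1
    preempt
    ip 10.2.64.1
interface Vlan90
  ip address 10.2.90.2/23
  hsrp 1
    preempt
    ip 10.2.90.1
"""
CS2 = """
interface Vlan61
  ip address 10.2.61.3/24
  hsrp 1
    priority 90
    ip 10.2.61.1
interface Vlan64
  ip address 10.2.64.3/24
  hsrp 1
    priority 90
    ip 10.2.64.1
interface Vlan65
  ip address 10.2.65.3/24
  hsrp 1
    priority 90
    ip 10.2.65.1
interface Vlan90
  ip address 10.2.90.3/23
  hsrp 1
    priority 90
    ip 10.2.90.1
  ip dhcp relay address 10.2.103.20
"""


def parse_svis(config):
    """Return {vlan_id: {"addr", "vip", "priority"}} for every SVI with an address.

    Handles NX-OS "ip address A.B.C.D/len" syntax only. HSRP priority defaults to 100.
    """
    svis, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip().lower()
        m = re.fullmatch(r"interface vlan\s*(\d+)", line)
        if m:
            cur = svis.setdefault(int(m.group(1)),
                                  {"addr": None, "vip": None, "priority": 100})
        elif line.startswith("interface "):
            cur = None  # some other interface type: stop collecting
        elif cur is not None:
            if m := re.fullmatch(r"ip address (\S+)", line):
                cur["addr"] = ipaddress.ip_interface(m.group(1))
            elif m := re.fullmatch(r"ip (\d+(?:\.\d+){3})", line):
                cur["vip"] = ipaddress.ip_address(m.group(1))  # HSRP virtual IP
            elif m := re.fullmatch(r"priority (\d+)", line):
                cur["priority"] = int(m.group(1))
    return {v: s for v, s in svis.items() if s["addr"] is not None}


def compare_peers(a, b, name_a="DC2-N9K-CS1", name_b="DC2-N9K-CS2"):
    """Return (vlan, message) findings for two parsed peer configurations."""
    findings = []
    for vlan in sorted(set(a) | set(b)):
        sa, sb = a.get(vlan), b.get(vlan)
        if sa is None or sb is None:
            missing = name_a if sa is None else name_b
            findings.append((vlan, f"no gateway SVI on {missing}"))
            continue
        if sa["addr"].network != sb["addr"].network:
            findings.append((vlan, "peers are in different subnets"))
        if sa["addr"].ip == sb["addr"].ip:
            findings.append((vlan, "both peers use the same interface address"))
        if sa["vip"] != sb["vip"]:
            findings.append((vlan, "HSRP virtual IP differs between peers"))
        for name, svi in ((name_a, sa), (name_b, sb)):
            if svi["vip"] is None:
                findings.append((vlan, f"no HSRP virtual IP on {name}"))
            elif svi["vip"] not in svi["addr"].network:
                findings.append((vlan, f"HSRP virtual IP outside the SVI subnet on {name}"))
        if sa["priority"] == sb["priority"]:
            findings.append((vlan, "equal HSRP priority on both peers"))
    return findings


if __name__ == "__main__":
    for vlan, msg in compare_peers(parse_svis(CS1), parse_svis(CS2)):
        print(f"Vlan{vlan}: {msg}")
```
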

II.6. Configure default routing (on both switches)


ip route 0.0.0.0/0 10.2.99.4


III. CONFIGURE ACCESS SWITCH 3850


In the MPFMp network, we use stacking technology for the Cisco Catalyst 3850 at HQ,
and DMZ at DC. Stacking Ethernet switches provides the network administrator of
MPFMp with three major operational benefits:
- Single point of management
- Built-in redundancy and high availability
- Scalable to fit network needs
The topology below details the connection between the HQ LAN Module and the DC Core
Module:

III.1. Physical Cabling

Stacking 2 devices

Stacking 3 devices

Stacking 4 devices

Stacking 5 devices

III.2. Configure the Hostname for Switch Identification

hostname HQ-C3K-ACx (x from 1 to 6, depending on the number of racks on the LAN)


!
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption

III.3. Configuring a LAN interface as a Layer 2 Access Port

HQ-C3K-AC1
!
vlan 61
name LAN1
vlan 100
name MGMT
!

HQ-C3K-AC2
!
vlan 62
name LAN2
vlan 100
name MGMT
!

HQ-C3K-AC3
!
vlan 63
name LAN3
vlan 100
name MGMT
!

HQ-C3K-AC4 (if LAN has 4 racks)


!
vlan 64
name LAN4
vlan 100
name MGMT
!

HQ-C3K-AC5 (if LAN has 5 racks)


!
vlan 65
name LAN5
vlan 100
name MGMT
!

HQ-C3K-AC6 (if LAN has 6 racks)


!
vlan 66
name LAN6
vlan 100
name MGMT
!

III.4. Configure Management IP Address on an In-Band Interface

HQ-C3K-AC1
!
interface vlan 100
ip address 10.2.100.161 255.255.255.0
no shutdown
!
ip default-gateway 10.2.100.1

HQ-C3K-AC2
!
interface vlan 100
ip address 10.2.100.162 255.255.255.0
no shutdown
!
ip default-gateway 10.2.100.1

HQ-C3K-AC3
!
interface vlan 100
ip address 10.2.100.163 255.255.255.0
no shutdown
!
ip default-gateway 10.2.100.1

HQ-C3K-AC4 (if LAN has 4 racks)


!
interface vlan 100
ip address 10.2.100.164 255.255.255.0
no shutdown
!
ip default-gateway 10.2.100.1

HQ-C3K-AC5 (if LAN has 5 racks)


!
interface vlan 100
ip address 10.2.100.165 255.255.255.0
no shutdown
!
ip default-gateway 10.2.100.1

HQ-C3K-AC6 (if LAN has 6 racks)


!
interface vlan 100
ip address 10.2.100.166 255.255.255.0
no shutdown
!
ip default-gateway 10.2.100.1

III.5. Configure port-channel connect to Core switch

For a stack with only 1 member


!
interface GigabitEthernet 1/1/1
channel-group 1 mode active
!
interface GigabitEthernet 1/1/2
channel-group 1 mode active
!
interface port-channel 1
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
!

For a stack with 2 members


!
interface GigabitEthernet 1/1/1
channel-group 1 mode active
!
interface GigabitEthernet 2/1/1
channel-group 1 mode active
!
interface port-channel 1
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
!

For a stack with 3 members


!
interface GigabitEthernet 1/1/1
channel-group 1 mode active
!
interface GigabitEthernet 3/1/1
channel-group 1 mode active
!
interface port-channel 1
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
!

For a stack with 4 members


!
interface GigabitEthernet 1/1/1
channel-group 1 mode active
!
interface GigabitEthernet 4/1/1
channel-group 1 mode active
!
interface port-channel 1
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
!

For a stack with 5 members


!
interface GigabitEthernet 1/1/1
channel-group 1 mode active
!
interface GigabitEthernet 5/1/1
channel-group 1 mode active
!
interface port-channel 1
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
!

III.6. Configure VTP

vtp mode transparent


end

III.7. Configure interface connect with users


!
interface range Gi1/0/1 - 48
switchport
switchport mode access
switchport access vlan 61
!
…………………………………………………….
interface range GiN/0/1-48
switchport
switchport mode access
switchport access vlan 61
!
(N = number of members in the stack group)

IV. CONFIGURE CISCO PRIME INFRASTRUCTURE


IV.1. System Requirements

Server                             Hostname  CPU  RAM (GB)  Disk    NIC (Gbps)  OS/App                        IP
Cisco Prime Infrastructure Server  PI        8    16        600 GB  1           Red Hat Linux Enterprise 6.7  10.2.100.y/24

IV.2. Install Cisco Prime Infrastructure


Step 1: Attach a keyboard and monitor to the USB ports on the rear panel of the
appliance or by using a KVM cable and connector to access the appliance console.
Step 2: Power on the appliance.
Step 3: To set up CIMC press F8 to enter the CIMC configuration utility
You might need to press the function keys (F8, F6 and F2) more than once until
the system responds. If you do not press F8 quickly enough you may enter the EFI
shell. Press Ctrl, Alt, Del to reboot the system and press F8 again.
Step 4: In the Configuration Utility window, change the following fields as
specified:
- NIC mode—Select Dedicated.
- IP (Basic)—Select IPV4.
- DHCP—Disable DHCP if enabled.
- CIMC IP—Enter the IP address of the CIMC: 10.2.100.100
- Prefix/Subnet—Enter the subnet of the CIMC: 255.255.255.0
- Gateway—Enter the Gateway address: 10.2.100.1
- Pref DNS Server—Enter the preferred DNS server address.
- NIC Redundancy—Null


Step 5: Press F1 to specify additional settings.

Step 6: Make the following changes on the Additional Settings window:


- Turn off Dynamic DNS.
- Enter the admin password. If you leave the password field blank, the
default password is password.
Step 7: Press F10 to save the settings.
Step 8: Press escape to exit and reboot the server.
For remote management move to current step 7
Step 9: After the settings are saved, open a browser and enter the following
URL:
https://10.2.100.100
Step 10: Log in to CIMC web interface using the following credentials:
- Username—admin
- Password—the password
Step 11: Launch the vKVM Console.
See Connecting to the vKVM Console for more information on how to
connect to the vKVM console.
Step 12: Enter setup at the login prompt when prompted to initiate the
installation.


Step 13: Enter the following parameters in turn:


Enter hostname []: DC2-PRIME-NMS1
Enter IP address []: 10.2.100.101
Enter IP default netmask []: 255.255.255.0
Enter IP default gateway []: 10.2.100.1
Enter default DNS domain []: Ird.gov.mm
Enter primary nameserver []: 8.8.8.8
Add/Edit another nameserver? Y/N: N
Enter primary NTP server [time.nist.gov]: 8.8.8.8
Add/Edit secondary NTP server? Y/N: N
Enter system timezone[UTC]:
Change system clock time? Y/N: N
Enter username [admin]: admin
Enter password: ******
Enter password again: ******

Step 14: Select No


Step 15: Enter the root password for the Web console interface as ******. Then
enter the password again to confirm:

Step 16: Enter Y to complete the installation process (takes 1-3 hours for the
installation to complete)

Step 17: The Web Console is always installed after the server installation process
is complete. Access the console web interface at https://10.2.100.101

Add License

Next, add the license to Cisco Prime Infrastructure (Cisco Prime Infrastructure
version 3.1).

On the main interface click the icon > Click Administrator.

Navigate to License and Software Update > Click License > Click File > Click License
File

- Click Add > Click Choose File, browse to the location of the license file on
the computer > Click OK.

- After the license has been added, the following information is shown:

- Check the license information. Click Summary > Click License to check the
number of devices added to the Prime Infrastructure

IV.3. Configure device monitoring


Access the web console at the address https://10.2.100.101

Navigate to icon > click Inventory > Device Management

Click Network Devices > Click All Device > Add Device


Enter the IP address in the General box

Enter the read and write community string mpfmp in the SNMP Parameters
section


Enter the Telnet information:

Username: prime

Password: ********.

Enable Password is Ird@1234

After entering all the information > Click Verify Credentials to test the device >
click Add

Click icon > Click Inventory. Navigate to Device Management > Click Network
Device to check the devices that have been added to the PI.


IV.4. Configure the monitoring policy


Access the Web Console interface at https://10.2.100.101

Click icon > Click Monitor. Navigate to Monitoring Tools, Click Monitoring
Policies > Click AutoMonitoring.

Navigate to Device Health and set the Polling Frequency of CPU Utilization, Memory Pool
Utilization and Environment Temperature to 5 min.
Set the Polling Frequency of Device Availability to 1 min.
In the Threshold section, delete Use System Defaults and select Use Custom Value.

Edit the Threshold parameters as follows:


+ CPU Utilization: 80%
+ Memory Pool Utilization: 80%
+ Environment Temperature: 60%
Do not change the parameters in the Interface Parameter section.

Click Save and Activate

IV.5. Configure administrator policy


IV.5.1. Configure SMTP server
Access the Prime Infrastructure web console at address https://10.2.100.101

Navigate to the icon on the main screen > Click Administration. In the Setting section, click
on System Setting.

Navigate to Mail and Notification > Click Mail Server Configuration. Enter the
parameters as follows:
In the Primary SMTP Server, enter the IP address 10.2.103.21 in the
Hostname/IP box. The remaining cells are left blank. In the Sender and
Receivers section, enter the email address that you want the alert
information to be sent to: tungnk6@fpt.com.vn

Click Save to save the SMTP configuration information

IV.5.2. Create the configuration file and push into the network device

This section will guide you through the steps to create a configuration file and push
it to the network device.

Click icon on main interface

Click Configuration > Navigate to Templates, choose Features & Technologies


Select CLI Templates > Click CLI

In the CLI templates interface, enter a name and description in the Name and
Description fields (items marked * are required).


In the Device Type, click Routers > Click OK

In the Template Detail, Enter commands to configure the router


Check the configuration parameters > Click Save as new templates

IV.5.3. Configuration Management

Access the web console interface at address https://10.2.100.101

Click Inventory > Navigate to Device Management, click Config Archive

In the Device tab > Select the devices to backup > Click Schedule Archive.


In the Recurrence section: Select Daily > Click Submit

To check the newly created job, Click Click here at the message in the right corner
of the interface


V. SETUP SYMANTEC ENDPOINT PROTECTION MANAGER


V.1. Install Microsoft SQL Client Tools
- Click Setup in the Microsoft SQL Setup files

- Click Installation

- Choose New SQL Server stand-alone installation or add features to an
existing installation

- Click Next

- Tick the box I accept the license terms

- Click Next
Tick the box Use Microsoft Update to check for updates (recommended)

- Click Next

- Click Next
On Feature Selection, tick the boxes Client Tools Connectivity, Client Tools
Backwards Compatibility, Client Tools SDK, SQL Client Connectivity SDK
Click Next

- Click Install

- Finish, Click Close

V.2. Install Management Server and Console

- Click on the Symantec Endpoint Protection Manager setup file

- Choose Next to continue

- Tick the box I accept the terms in the license agreement and click Next

- Click Install

- Click Next

- Choose Custom configuration for new installation (more than 500 clients or
custom settings) and click Next

- Choose Install my first site then click Next

- Fill in the parameters in the blank fields and click Next

- Tick the box Microsoft SQL Server database and click Next

- Choose Create a new database and click Next

- Fill in the parameters of the SQL Database Server in the blank fields, then click Connect
to Database

Click Next

Fill in the username and password of the management console account and the parameters of the
mail server, then click Next

- Create an encryption password for client computers to use when
communicating with the management server

- Click Run LiveUpdate to update signatures from the Symantec cloud server,
then click Next to continue

- Click Next

- Wait for LiveUpdate and finish the installation

VI. CONFIGURE THE WIFI SYSTEM AT HQ


VI.1. Configure access switch 3850 connect to Access point
Configure vlan management:

vlan 98
name wifi_management
Configure switch port which connects to AP


interface Gix/0/y (x from 1 to 6, y from 1 to 48)


description connect_to_AP
switchport mode trunk
switchport trunk native vlan 98

VI.2. Configure port on Nexus which connects to WLC 2504

On DC2-N9K-CS1:
!
interface eth3/5
no shutdown
switchport mode trunk
channel-group 305
!
interface port-channel 305
description connect_to_WLC
vpc 305
switchport mode trunk
switchport trunk native vlan 98
!

On DC2-N9K-CS2:
!
interface eth3/5
no shutdown
switchport mode trunk
channel-group 305
!
interface port-channel 305
description connect_to_WLC
vpc 305
switchport mode trunk
switchport trunk native vlan 98
!

VI.3. Configure WLC 2504


VI.3.1. Initial Set-up
Step 1: Use terminal software (PuTTY, Tera Term…) to access the Cisco WLC via the
console port and configure as below:

Welcome to the Cisco Wizard Configuration Tool


Use the '-' character to backup


Would you like to terminate autoinstall? [yes]:


AUTO-INSTALL: starting now...
rc = 0
AUTO-INSTALL:no interfaces registered.
AUTO-INSTALL: process terminated - no configuration loaded

System Name [Cisco_b2:19:c4] (31 characters max):DC2-W2K-WLC1


Enter Administrative User Name (24 characters max): admin
Enter Administrative Password (3 to 24 characters): ********
Re-enter Administrative Password : ********

Enable Link Aggregation (LAG) [yes][NO]: yes

Management Interface IP Address: 10.2.98.5


Management Interface Netmask: 255.255.255.0
Management Interface Default Router: 10.2.98.1
Management Interface VLAN Identifier (0 = untagged): 0
Management Interface Port Num [1 to 4]: 1
Management Interface DHCP Server IP Address: 10.2.103.20

Virtual Gateway IP Address: 1.1.1.1

Multicast IP Address: 239.1.1.1

Mobility/RF Group Name: IRD

Network Name (SSID): none

Configure DHCP Bridging Mode [yes][NO]: no

Allow Static IP Addresses [YES][no]: yes

Configure a RADIUS Server now? [YES][no]: no


Warning! The default WLAN security policy requires a RADIUS server.
Please see documentation for more details.

Enter Country Code list (enter 'help' for a list of countries) [US]: DE

Enable 802.11b Network [YES][no]: yes


Enable 802.11a Network [YES][no]: yes
Enable 802.11g Network [YES][no]: yes
Enable Auto-RF [YES][no]: yes

Configure a NTP server now? [YES][no]: yes

Enter the NTP server's IP address: 10.2.103.20


Enter a polling interval between 3600 and 604800 secs: 3600

Configuration correct? If yes, system will save it and reset. [yes][NO]: yes


Configuration saved!
Resetting system with new configuration...

Configuration saved!
Resetting system

Step 2: After the WLC reboots, access the URL https://10.2.98.5 with the
username/password defined at step 1

(Username/password: admin/********)

Step 3: Install License for WLC (AP Adder license)

Access Cisco License portal, download the license file using PAK.

Copy the license file to TFTP server.

Navigate to Management>Software Activation>Command


At Action: select Install License

In the File name to install, write down the path to License on TFTP.

Ex: tftp://<PC_IP>/AP_adder.lic

Click Install license.

Reboot WLC


VI.3.2. Configure LDAP server on WLC


Step 1: Navigate to Security > LDAP, click New…

Step 2: Fill out the information below

VI.3.3. Create the INTERNAL and GUEST wifi

Create the INTERNAL with web authentication using LDAP

Step 1: Navigate to WLANs > WLANs, click New to create a new WLAN: IRD
INTERNAL

Step 2: Configure some parameters as below:

Security > Layer 2: click None

On the tab Security > Layer 3:


Layer 3 security: choose Web Policy
Over-ride Global Config: Enable
Web authentication type: Internal

On the tab Security > AAA Server, choose the LDAP server which we created
at step 1
Order user authentication: choose LDAP then local

Navigate to Advanced:
Tick on FlexConnect Local Switching

Click Apply in order to apply the configuration to WLC.

Final step, you should ssh to WLC to increase the web-authentication time-out:

Create the GUEST wifi using Pre-Shared Key authentication

Step 1: Create the new wlan with SSID: IRD GUEST

Step 2: Configure the Security method for GUEST


In the Authentication Key Management section, click PSK (pre-shared key).
Fill in the password used for this wireless network.


Navigate to Advanced to enable Flexconnect mode

VI.4. Configure AP on WLC


Step 1: To rename the AP, do as follows:
Navigate to WIRELESS > All APs, click any AP and rename it

Step 2: Enable FlexConnect mode on AP:


At AP mode, choose FlexConnect and click Apply. The AP will reset and run in
FlexConnect mode

VI.5. Configure FlexConnect


Step 1: Navigate to WIRELESS > FlexConnect Group, click New to create a new
group

Step 2: Add the AP to the FlexConnect Group:


Click Add AP, Select AP from current Controller, choose the AP name and click Add

Step 3: Map the WLAN created above to the VLAN for the data path

Click Apply in order for the configuration to take effect.

VII. CONFIGURE AUTONOMOUS AP AT BRANCH


Each branch will have its own AP, which runs in autonomous mode. An AP in
autonomous mode connects to a PoE port on the SM-X EtherSwitch module.
Step 1: Connect the Cisco AP 2702I to port Gi0/24 on the SM-X EtherSwitch module
Step 2: Convert the Cisco AP 2702I from the default Lightweight mode to Autonomous
mode:
Connect to AP via console port using terminal software, issue command:
capwap ap autonomous
Convert to Autonomous image. Proceed? (yes/[no]): yes

Step 3:
Basic configuration
!
! x runs from 1 to 5
hostname BRx-A2K-AP1
service password-encryption
enable password Ird@1234
username admin privilege 15 password ********
username adminird privilege 15 password ********
no ip domain lookup
ip domain name Ird.gov.mm
crypto key generate rsa modulus 2048
ip ssh version 2
!
line vty 0 4
password Ird@1234
login local
transport input all
!

Step 4:
Create vlan for wireless network
dot11 vlan-name INTERNAL vlan 1

Step 5: Create the SSID (which is bound to the VLAN above)


dot11 ssid INTERNAL
vlan 1
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii Ird@1234
!

Step 6: Configuration of the 2.4 GHz interface

!
interface Dot11Radio0
no ip address
mbssid
encryption mode ciphers aes-ccm
encryption vlan 1 mode ciphers aes-ccm
ssid INTERNAL
antenna gain 0
stbc
beamform ofdm
station-role root
no shutdown
!

Step 7: configure sub-interface for VLAN-tagging


!
interface Dot11Radio0.1
encapsulation dot1Q 1
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!

Step 8: now we need to bridge the wireless data to our cable-network


!
interface GigabitEthernet0.1
encapsulation dot1Q 1
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
no shutdown
!

Step 9: Configure IP management for AP


BR1-A2K-AP1
!
interface BVI1
ip address 10.2.201.3 255.255.255.0
ip default-gateway 10.2.201.1
!


BR2-A2K-AP1
!
interface BVI1
ip address 10.2.205.3 255.255.255.0
ip default-gateway 10.2.205.1
!

BR3-A2K-AP1
!
interface BVI1
ip address 10.2.209.3 255.255.255.0
ip default-gateway 10.2.209.1
!

BR4-A2K-AP1
!
interface BVI1
ip address 10.2.213.3 255.255.255.0
ip default-gateway 10.2.213.1
!

BR5-A2K-AP1
!
interface BVI1
ip address 10.2.217.3 255.255.255.0
ip default-gateway 10.2.217.1
!
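
A check for the management-plane settings used in Steps 3 and 5, added here as an example and not part of the original procedure. It flags credentials stored with the "password" keyword instead of "secret", VTY lines that accept Telnet, and one secret shared across the enable, VTY and Wi-Fi PSK roles. Both sample configurations and every secret in them are constructed placeholders; the function name audit is this example's own.

```python
import re
from collections import defaultdict

# Constructed sample modelled on Steps 3 and 5 above. Every secret is a placeholder.
WEAK = """\
hostname BR1-A2K-AP1
service password-encryption
enable password ExamplePass1
username admin privilege 15 password OtherPass2
ip ssh version 2
!
line vty 0 4
password ExamplePass1
login local
transport input all
!
dot11 ssid INTERNAL
authentication key-management wpa version 2
wpa-psk ascii ExamplePass1
!
"""

# The same device with the flagged lines corrected (placeholders again).
HARDENED = """\
hostname BR1-A2K-AP1
enable secret ExampleEnable1
username admin privilege 15 secret ExampleAdmin2
ip ssh version 2
!
line vty 0 4
login local
transport input ssh
!
dot11 ssid INTERNAL
authentication key-management wpa version 2
wpa-psk ascii ExampleWifiKey3
!
"""


def audit(config):
    """Return (line_no, rule, advice) tuples for an IOS-style configuration.

    The advice text never echoes a secret value.
    """
    findings = []
    uses = defaultdict(list)  # secret value -> [(line_no, role)]
    in_vty = False
    for no, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        # "!" or a new section header ends the current sub-mode.
        if line == "!" or re.match(r"(line|interface|dot11 ssid)\b", line):
            in_vty = line.startswith("line vty")
            continue
        if m := re.fullmatch(r"enable password (?:\d+ )?(\S+)", line):
            findings.append((no, "enable-password", "use 'enable secret' (hashed) instead"))
            uses[m.group(1)].append((no, "enable"))
        elif m := re.fullmatch(r"username (\S+) (?:.* )?password (?:\d+ )?(\S+)", line):
            findings.append((no, "user-password", f"use 'username {m.group(1)} ... secret'"))
            uses[m.group(2)].append((no, "local user"))
        elif m := re.fullmatch(r"wpa-psk ascii (?:\d+ )?(\S+)", line):
            uses[m.group(1)].append((no, "wifi psk"))
        elif in_vty and (m := re.fullmatch(r"password (?:\d+ )?(\S+)", line)):
            uses[m.group(1)].append((no, "vty line"))
        elif in_vty and (m := re.fullmatch(r"transport input (.+)", line)):
            if {"all", "telnet"} & set(m.group(1).split()):
                findings.append((no, "vty-telnet", "use 'transport input ssh'"))
    # A secret that appears in more than one role is reported once, at its first use.
    for places in uses.values():
        roles = sorted({role for _, role in places})
        if len(roles) > 1:
            findings.append((places[0][0], "secret-reuse",
                             "one secret shared by: " + ", ".join(roles)))
    return findings


if __name__ == "__main__":
    for no, rule, advice in audit(WEAK):
        print(f"line {no}: {rule}: {advice}")
```
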
