

Using network access control to build the first line of defence for the enterprise network

2025-02-25 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

We recently finished the company's network access control project. It ran for more than three months and covered close to a thousand endpoints, and we stepped into a fair number of pits along the way. The company uses a third-party software system as the access control platform, deployed as an active/standby high-availability pair. The platform is feature-rich: besides 802.1X authentication it also provides desktop management, process management and detection of unauthorized external connections. The purpose of 802.1X is to solve the access authentication problem for LAN users; it is the IEEE standard for port-based network access control. This article only summarizes the dot1x (802.1X) deployment part of the project in detail.

1. Project flow arrangement

During the research phase we exchanged information with the vendor's pre-sales team about the software platform and the company's requirements. After a brief walkthrough of the platform's modules we picked several of them and drew up test requirements. After a week or two of building and testing, the vendor produced the test report below.

During functional testing we found the vendor's product stable and feature-rich enough to meet the company's needs, so project approval, bidding and the rest were completed quickly. The project formally kicked off with a supplier kick-off meeting. I took on the role of project manager, responsible for scheduling, resource coordination and technical support for the whole project.

Our company is headquartered in Shanghai and has twenty to thirty branches spread across provinces and cities nationwide. We deployed headquarters first, because that is where our office is: problems found during implementation can be resolved immediately, the headquarters rollout lets us get familiar with the supplier's product as early as possible, and it keeps communication and coordination between us and the supplier simple. We trusted the supplier's professional expertise and the supplier trusted our knowledge of the organisation; that mutual trust is what let us finish the build on time and efficiently.

At headquarters we hit functional problems with IP phones, video surveillance, printers and scanners; some of these had simply not been considered before deployment, and some were problems with the terminals themselves. After about two weeks, wired and wireless access at headquarters was complete. Next we chose a sales office in Shanghai as the first branch site, since the structure of a branch differs from that of headquarters. As the first branch site, the Shanghai sales office was also the key focus of the branch rollout: once Shanghai was deployed successfully, the remaining branches were essentially copies of it.

Testing and deployment in Shanghai took about two weeks. After working through a lot of pits and confirming that the system ran properly, we had real confidence in the branch rollout. I scheduled the branches with Shanghai as the centre, starting from the Shanghai branch and radiating outward through Jiangsu and Zhejiang, nearest first. Two considerations drove this. First, if something goes wrong, our technicians can get on site quickly. Second, equipment: the access control is implemented on the switches, not every switch can fully support the access system, and some had to be upgraded beforehand. Upgrades can fail, branches have no spare switch on hand and no specialist staff, so the faster equipment and people can be sent out from headquarters, the better.

By our count the company had about 30 switches to upgrade. They were scheduled in 6 batches, several units per batch; if any unit in a batch failed irrecoverably, the whole upgrade run was halted. We upgraded the access-layer switches before the aggregation layer, so that an aggregation failure during implementation could not take down access switches that had not yet been done. In hindsight this order was the right call.

During implementation we collected every problem encountered into a tabular document, and recorded the problems that could not be solved down to the specific device and owner. These documents are the basis for future troubleshooting and are part of the final delivery documentation the supplier has to provide.

2. Technical Support

install the client

Some endpoint software policies take effect as soon as the client is installed, so I deployed site by site: finish installing the client at one site and complete its network admission rollout, then move on to the next. A site typically takes about a week to prepare, and running several sites in parallel saves a lot of time. Because policy push was not used, the branch's local IT staff distributed and installed the client manually. The result during post-deployment was that individual computers, with or without the client, were often unable to reach the network. A few machines could not install the client at all because of the state of the operating system, and could only be brought in by reinstalling the system.

upgrade the switch

Transfer the IOS image with the copy command over TFTP. Before transferring, note the current IOS version and the free space left on the switch's flash (dir flash:). After transferring, compare the file size listed on flash with the size on the TFTP server to confirm the copy is complete; checking the image hash with verify /md5 against the vendor's published value is the stronger check, since a truncated or corrupted image can still have a plausible size. After the upgrade, confirm that clients can still get on the network normally.
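The pre- and post-transfer checks described above, as an added example (this is not code from the article or the vendor). It parses the output format of Cisco IOS `dir flash:` and `verify /md5`; the listing, the image name `c2960-lanbasek9-mz.150-2.SE11.bin` and the image bytes are constructed stand-ins so the checks run offline. In practice you paste the switch's own output and hash the real file on the TFTP server.

```python
"""Pre- and post-transfer checks for a Cisco IOS image upgrade (added example)."""
import hashlib
import re

NEW_IMAGE_NAME = "c2960-lanbasek9-mz.150-2.SE11.bin"   # assumed image name
NEW_IMAGE_BYTES = b"\x7fELF" + b"\x00" * 4096           # constructed stand-in for the image file

# Constructed `dir flash:` output in the Cisco IOS layout, taken before the upgrade.
DIR_BEFORE = """\
Directory of flash:/

    2  -rwx    11607161   Mar 1 1993 00:01:10 +00:00  c2960-lanbasek9-mz.122-55.SE12.bin
    3  -rwx        5144   Mar 1 1993 00:02:03 +00:00  config.text
    4  -rwx        1048   Mar 1 1993 00:02:03 +00:00  vlan.dat

32514048 bytes total (20874624 bytes free)
"""

# One file entry: index, permissions, size, date/time fields, name at end of line.
_FILE_RE = re.compile(r"^\s*\d+\s+[-d]\S*\s+(\d+)\s+.*?\s(\S+)\s*$", re.M)
_FREE_RE = re.compile(r"(\d+) bytes total \((\d+) bytes free\)")


def parse_dir(dir_output):
    """Return ({filename: size_bytes}, free_bytes) from `dir flash:` output."""
    files = {name: int(size) for size, name in _FILE_RE.findall(dir_output)}
    m = _FREE_RE.search(dir_output)
    if m is None:
        raise ValueError("no 'bytes total (... bytes free)' line in dir output")
    return files, int(m.group(2))


def image_fits(dir_output, image_size):
    """Pre-transfer: is there room for the new image without deleting the old one?"""
    return image_size <= parse_dir(dir_output)[1]


def transfer_complete(dir_output, image_name, image_size):
    """Post-transfer: the size listed on flash must equal the size on the TFTP server."""
    return parse_dir(dir_output)[0].get(image_name) == image_size


def md5_matches(verify_output, image_bytes):
    """Compare the digest printed by `verify /md5 flash:<image>` with a local MD5."""
    m = re.search(r"=\s*([0-9a-fA-F]{32})\b", verify_output)
    return bool(m) and m.group(1).lower() == hashlib.md5(image_bytes).hexdigest()


def _with_new_image(dir_output, size):
    """Constructed post-transfer listing: DIR_BEFORE plus the new image at `size` bytes."""
    line = f"    5  -rwx    {size:>8}   Mar 1 1993 00:03:00 +00:00  {NEW_IMAGE_NAME}\n"
    return dir_output.replace("\n32514048 bytes total", line + "\n32514048 bytes total")


def run_checks():
    """Walk the checks in the order they happen during an upgrade; all should be True."""
    size = len(NEW_IMAGE_BYTES)
    good_dir = _with_new_image(DIR_BEFORE, size)
    short_dir = _with_new_image(DIR_BEFORE, size - 100)   # constructed: truncated copy
    good_hash = hashlib.md5(NEW_IMAGE_BYTES).hexdigest()
    verify_ok = f"verify /md5 (flash:{NEW_IMAGE_NAME}) = {good_hash}"
    verify_bad = f"verify /md5 (flash:{NEW_IMAGE_NAME}) = {'0' * 32}"
    return {
        "fits": image_fits(DIR_BEFORE, size),
        "complete": transfer_complete(good_dir, NEW_IMAGE_NAME, size),
        "truncated_detected": not transfer_complete(short_dir, NEW_IMAGE_NAME, size),
        "md5_ok": md5_matches(verify_ok, NEW_IMAGE_BYTES),
        "md5_mismatch_detected": not md5_matches(verify_bad, NEW_IMAGE_BYTES),
    }


if __name__ == "__main__":
    for check, ok in run_checks().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

The size comparison catches the common failure (TFTP timed out part-way through and left a short file); the hash comparison also catches a corrupted or tampered image, which is why it is worth running even when the sizes agree.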

switch admission configuration

Automatic interface recovery

! Automatically recover interfaces from the error-disabled state, whatever the cause
errdisable recovery cause all
! Run the recovery pass every 30 seconds
errdisable recovery interval 30

Enable AAA

! Turn on the AAA model
aaa new-model
! Login method list: line password, then local users, then none. The trailing
! 'none' means the login succeeds without authentication when the earlier
! methods are unavailable
aaa authentication login default line local none
! dot1x method list: RADIUS, then none. With 'none' as the fallback, ports
! authorize clients without credentials whenever no RADIUS server responds
! (fail-open); decide deliberately whether that availability trade-off is acceptable
aaa authentication dot1x default group radius none
! dot1x authorization (VLAN assignment and similar) comes from RADIUS
aaa authorization network default group radius
! RADIUS authentication/accounting server and shared secret (the secret shown is
! the article's placeholder; use a long random secret in production)
radius-server host 10.188.64.158 auth-port 1812 acct-port 1813 key abc123
! Retransmit an unanswered RADIUS request up to 3 times before giving up
radius-server retransmit 3
! Send vendor-specific attributes in Access-Requests so the AAA server can return
! the user's VLAN assignment
radius-server vsa send authentication
! Enable 802.1X globally
dot1x system-auth-control

Enable 802.1x under the port

interface fastethernet 0/13
 switchport mode access
 switchport access vlan 10
 ! The port stays unauthorized until a client authenticates
 authentication port-control auto
 ! Run the 802.1X authenticator role on this port
 dot1x pae authenticator
 ! Go straight to forwarding once authorized; edge ports only
 spanning-tree portfast
 ! multi-auth (available on newer IOS versions) authenticates every client on the
 ! port separately. On older versions, if the port is connected to a small
 ! downstream switch, once one client passes authentication the other clients
 ! behind it get access without authenticating; with multi-auth every client on
 ! that small switch must authenticate.
 authentication host-mode multi-auth
 ! MAC Authentication Bypass for endpoints without a supplicant (phones, printers),
 ! carrying the MAC address to RADIUS in EAP-MD5 rather than PAP
 mab eap

Pitfalls we stepped into

Interfaces in the error-disabled state

The errdisable recovery commands were not configured the first time we tested the deployment at headquarters. After deployment most of the phones had problems, and removing the admission configuration from the interface did not bring them back. Checking the interface status showed it was error-disabled. This is a self-protection mechanism of Cisco switches, meant to stop a problem from spreading, for example an interface flapping repeatedly and consuming a large amount of device resources. There are two ways out: manually shut and re-enable the interface, which is only a stopgap; or configure automatic recovery, so that whenever an interface is error-disabled the switch resets it after a set interval and clears the error-disabled state. Because of this experience at headquarters, we configured the recovery commands for all later deployments.

Missing exemption devices

The success of a project often depends on preparation: the better prepared you are, the fewer holes you have to fill. As the lower layers of the seven-layer model, the network carries many business systems. Like a road, it carries not only cars, trucks and buses but also scooters, bicycles, carts and other odd vehicles. The very first thing an access project needs is an inventory of resources, and "resources" means not only computers and servers but also phones, APs, surveillance cameras, door access control, video equipment and so on. Every branch has its own IT staff, but for various reasons the inventory was incomplete, so some devices stopped working normally once the access system went live, and those holes had to be filled afterwards.

Computers not joined to the domain

Our access policy has two requirements: the computer must be joined to the domain, and it must have the access client installed. Only when both are met is the device allowed onto the network. After deployment we found many endpoint computers that had not been joined to the domain, mainly because some branch IT staff had handled the task carelessly. Once those machines lost network access, local IT staff were told to fix them (join the domain and install the client), after which the admission system was deployed successfully.

IP phones that do not work with 802.1X

With the access system live, every wired and wireless interface would be controlled; that is the ideal, and of course it was not reachable. During deployment we found that some phone models could not complete registration once the access switch port was configured for admission. There is no good fix other than replacing the hardware, and replacement means cost in both time and money. Weighing that cost, we took a step back: we removed the admission configuration from the interfaces of those devices and recorded each one. Such a port is then an unauthenticated access port and only the record protects it, so these devices go to the front of the queue the next time equipment is replaced.
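The switch configuration above, the error-disabled pitfall and the exemption records all come down to questions you can ask of a running-config: does the dot1x method list fail open, is errdisable recovery in place, which access ports are in multi-host mode, and which ports have no 802.1X but are not in the exemption record? The following audit is an added example, not code from the article or the NAC vendor. SAMPLE_CONFIG is constructed from the commands the article lists (including its RADIUS address and placeholder secret) plus invented extra interfaces, and EXEMPT_PORTS stands in for the team's record of de-configured phone ports.

```python
"""Audit a Cisco IOS running-config for 802.1X rollout pitfalls (added example)."""
import re

# Constructed from the article's commands; FastEthernet0/14-16 and the uplink are invented.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default line local none
aaa authentication dot1x default group radius none
aaa authorization network default group radius
radius-server host 10.188.64.158 auth-port 1812 acct-port 1813 key abc123
radius-server retransmit 3
radius-server vsa send authentication
dot1x system-auth-control
errdisable recovery cause all
errdisable recovery interval 30
!
interface FastEthernet0/13
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 authentication host-mode multi-auth
 dot1x pae authenticator
 mab eap
 spanning-tree portfast
!
interface FastEthernet0/14
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 authentication host-mode multi-host
 dot1x pae authenticator
 spanning-tree portfast
!
interface FastEthernet0/15
 description IP phone that fails registration under dot1x, recorded for replacement
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
interface FastEthernet0/16
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
interface GigabitEthernet0/1
 switchport mode trunk
"""

# Constructed exemption record: ports the team deliberately de-configured and wrote down.
EXEMPT_PORTS = {"FastEthernet0/15"}


def parse_interfaces(config):
    """Map each interface name to its indented stanza lines (stripped)."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None          # '!' or a global command ends the stanza
    return stanzas


def audit(config, exempt_ports):
    """Return a list of findings; an empty list means nothing to fix."""
    findings = []

    m = re.search(r"^aaa authentication dot1x default (.+)$", config, re.M)
    if not m:
        findings.append("global: no 'aaa authentication dot1x default' method list")
    elif m.group(1).split()[-1] == "none":
        findings.append("global: dot1x method list falls back to 'none' "
                        "(ports authorize without credentials when RADIUS is unreachable)")
    for cmd in ("dot1x system-auth-control", "errdisable recovery cause"):
        if not re.search(rf"^{re.escape(cmd)}", config, re.M):
            findings.append(f"global: '{cmd}' missing")

    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines:
            continue                # trunks/uplinks are out of scope for port authentication
        if "authentication port-control auto" in lines:
            host_mode = next((l.split()[-1] for l in lines
                              if l.startswith("authentication host-mode ")), None)
            if host_mode == "multi-host":
                findings.append(f"{name}: multi-host mode, the first authenticated client "
                                "opens the port for every other device behind it")
            if "dot1x pae authenticator" not in lines:
                findings.append(f"{name}: 'dot1x pae authenticator' missing")
        elif name not in exempt_ports:
            findings.append(f"{name}: access port without 802.1X and not in the exemption record")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, EXEMPT_PORTS):
        print(finding)
```

Run over `show running-config` output collected from each of the thirty or so branch switches, the audit turns the exemption table into something that is checked rather than trusted: a port that was quietly de-configured to get a phone working, but never recorded, shows up as a finding.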

Switch that failed after the upgrade

Besides the problems above, we also hit pits while upgrading switches. The upgrade process succeeded; the result was a failure. After the upgrade we checked that the interfaces were normal, the device was stable and the new version was running, and then we happily went home. The next day, after a user report, we found the following log message on the switch:

The log says that Cisco does not regard the device as legitimate. From visual inspection the unit had been repaired before, something like an "assembled machine"; the new IOS version apparently has a check that such a device fails. Searching online turned up a fix: a power-cycle restores it. Two devices on our network had this problem; only one recovered after a power-cycle, and the other could only be put into service by replacing it.

3. Some project thoughts

Don't believe everything the user says.

During deployment, after a night's work with everything checked and normal, the next morning users would often report that the whole site was down. After a closer look, the affected area was never that large. From the user's side, exaggerating the scope and severity of a fault is a way to get the attention and priority of operations staff. As a professional, first of all don't panic at the exaggeration; then, like an experienced physician, look, listen, ask and examine: narrow the fault down, locate it and handle it yourself.

Change costs blood.

History tells us that every change of dynasty cost blood, and projects are no different: success comes after failure after failure. Don't let fear of bleeding stop you from changing. The bleeding is temporary and everything is for a better future; just do enough preparation before the change.

I have seen too many IT staff run into problems at work that could have been fed back, or fixed for good after one or two rounds of handling, and they simply don't do it. In some companies the person who raises a problem gets extra work from above: nobody else has a problem, only you, so you solve it yourself; success is yours and failure is even more yours. In the end, because of that accountability, many problems are "endured" rather than dealt with. As operations staff we should understand that "change" and "bleeding" go together, and that paying once to fix something for good is worth it. To go the distance, bumps and bleeding on the road are normal.

Stepping back is progress.

In life there are always problems that cannot be solved right now, and years later, looking back, the problem you were so tangled up in turns out to be nothing much. All problems are solvable. Step back in order to jump further. Making a temporary concession instead of dying on a small problem keeps the project running better and more smoothly according to plan.


© 2024 shulou.com SLNews company. All rights reserved.
