Calendar
QuicksearchArchivesCategoriesBlog AdministrationPowered byLizenz/LicenseDer Inhalt dieses Blogs ist © Copyright 2009 Ralf Ertzinger. Jegliche Reproduktion und Wiederverwertung nur mit schriftlicher Genehmigung des Autors. The content of this blog is © Copyright 2009 Ralf Ertzinger. |
Saturday, March 17. 2012Manually converting a Cisco AP to LAP modeSeveral of Cisco Systems Wireless Access Points can be used in two different deployment scenarios:
Each scenario requires special software on the AP. Converting a Thin AP to Thick is comparatively easy, as this can be done from the WLC the AP is managed by. Converting in the other direction (Thick to Thin) is a bit more complicated. It requires a so called LWAPP Upgrade and Recovery image to be installed on the AP, along with some configuration changes. Equipped with this image the AP will be able to find and associate with a WLC, which will then provide the AP with the "real" LAP IOS version and appropriate config. Getting the LWAPP Upgrade image onto the AP can be a bit tricky, though. Cisco offers a tool to help with the process (the Autonomous To Lightweight Mode Upgrade Tool), but this has several drawbacks.
The latter is, of course, entirely subjective. But there is not much magic in what this tool does, anyway. Converting a Thick AP to Thin mode can be done completly manually. The following is required:
Please note: Following this procedure the AP will reboot without a config. It's expected that the AP will be able to acquire an IP address on it's ethernet port via DHCP and establish a connection to a WLC. The AP will not be remotely manageable unless it is able to associate with a WLC. Keep this in mind before converting an AP in Australia from Europe. ConvertionThe convertion consists of three main steps:
Self signed certificateConnect to the AP and make sure you have the appropriate privileges: ap#sh privilege Current privilege level is 15 The self signed certificate will contain the MAC address of the ethernet interface, so this needs to be determined first. ap#show int F0 | include address Hardware is PowerPC405GP Ethernet, address is 0014.6a40.45ab (bia 0014.6a40.45ab) Next, some boot parameters need to be set, as well as the clock of the AP. This is necessary for the creation of the self signed certificate as well as acceptance of the root certificates to be installed later. ap# conf t ap(config)# no boot manual ap(config)# no boot enable-break ap(config)# no sntp broadcast client ap(config)# no timezone ap(config)# end ap# clock set 17:36:00 17 March 2012 Next, eventually existing versions of the self signed certificate (SSC) will be removed. These do not necessarily exist, so getting an error message here denoting this is not critical. Confirmation is required if the keys actually do exist. Afterwards, a new RSA keypair is generated, and a SSC based on this keypair. The common name (cn) entered in the certificate subject name consists of the AP family description (C1200 for a 1242AG, for example) and the MAC address of the ethernet interface as determined above. The other fields of the subject name are static. ap# conf t ap(config)# crypto key zeroize rsa CISCO_IOS_SSC_Keys % The specified RSA keypair does not exist (CISCO_IOS_SSC_Keys). ap(config)# no crypto ca trustpoint CISCO_IOS_SSC_Cert % CA trustpoint 'CISCO_IOS_SSC_Cert' is not known. ap(config)# crypto key generate rsa general-keys label CISCO_IOS_SSC_Keys modulus 2048 The name for the keys will be: CISCO_IOS_SSC_Keys % The key modulus size is 2048 bits % Generating 2048 bit RSA keys ...[OK] ap(config)# crypto ca trustpoint CISCO_IOS_SSC_Cert ap(ca-trustpoint)#enrollment selfsigned ap(ca-trustpoint)#serial-number none ap(ca-trustpoint)#fqdn none ap(ca-trustpoint)#ip-address none ap(ca-trustpoint)#subject-name cn=C1200-00146a4045ab, ea=support@cisco.com, o=Cisco Systems, C=US, ST=California, L=San Jose ap(ca-trustpoint)#revocation-check none ap(ca-trustpoint)#rsakeypair CISCO_IOS_SSC_Keys ap(ca-trustpoint)#exit ap(config)#crypto ca enroll CISCO_IOS_SSC_Cert % The fully-qualified domain name will not be included in the certificate Generate Self Signed Router Certificate? [yes/no]: yes Router Self Signed Certificate successfully created Root certificatesSome root and intermediate certificates need to be installed on the AP. There are several of these, owing to the history of the WLC. Again, an error during certificate removal stating that the certificate does not exist is not fatal. Confirm the removal if prompted so. ap# conf t ap(config)#no crypto ca trustpoint airespace-new-root-cert % CA trustpoint 'airespace-new-root-cert' is not known. ap(config)#no crypto ca trustpoint airespace-device-root-cert % CA trustpoint 'airespace-device-root-cert' is not known. ap(config)#no crypto ca trustpoint airespace-old-root-cert % CA trustpoint 'airespace-old-root-cert' is not known. ap(config)#no crypto ca trustpoint cisco-root-cert % CA trustpoint 'cisco-root-cert' is not known. ap(config)#no crypto ca trustpoint cisco-mfg-root-cert % CA trustpoint 'cisco-mfg-root-cert' is not known. ap(config)#crypto ca profile enrollment Cisco_IOS_profile ap(ca-profile-enroll)#authentication terminal ap(ca-profile-enroll)#enrollment terminal ap(ca-profile-enroll)#exit ap(config)#crypto ca trustpoint airespace-new-root-cert ap(ca-trustpoint)#enrollment profile Cisco_IOS_profile ap(ca-trustpoint)#revocation-check none ap(ca-trustpoint)#exit ap(config)#crypto ca trustpoint airespace-device-root-cert ap(ca-trustpoint)#enrollment profile Cisco_IOS_profile ap(ca-trustpoint)#revocation-check none ap(ca-trustpoint)#exit ap(config)#crypto ca trustpoint airespace-old-root-cert ap(ca-trustpoint)#enrollment profile Cisco_IOS_profile ap(ca-trustpoint)#revocation-check none ap(ca-trustpoint)#exit ap(config)#crypto ca trustpoint cisco-root-cert ap(ca-trustpoint)#enrollment profile Cisco_IOS_profile ap(ca-trustpoint)#revocation-check none ap(ca-trustpoint)#exit ap(config)#crypto ca trustpoint cisco-mfg-root-cert ap(ca-trustpoint)#enrollment profile Cisco_IOS_profile ap(ca-trustpoint)#revocation-check none ap(ca-trustpoint)#exit Next, import the certificates. airespace-new-root-cert: ap(config)#crypto ca authen airespace-new-root-cert Enter the base 64 encoded CA certificate. End with a blank line or the word "quit" on a line by itself -----BEGIN CERTIFICATE----- MIIEWjCCA4OgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBpjELMAkGA1UEBhMCVVMx EzARBgNVBAgTCkNhbGlmb3JuaWExETAPBgNVBAcTCFNhbiBKb3NlMRcwFQYDVQQK Ew5BaXJlc3BhY2UgSW5jLjEUMBIGA1UECxMLRW5naW5lZXJpbmcxGjAYBgNVBAMT EUFpcmVzcGFjZSBSb290IENBMSQwIgYJKoZIhvcNAQkBFhVzdXBwb3J0QGFpcmVz cGFjZS5jb20wHhcNMDMwNzMxMTM0MTIyWhcNMTMwNDI5MTM0MTIyWjCBpjELMAkG A1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExETAPBgNVBAcTCFNhbiBKb3Nl MRcwFQYDVQQKEw5BaXJlc3BhY2UgSW5jLjEUMBIGA1UECxMLRW5naW5lZXJpbmcx GjAYBgNVBAMTEUFpcmVzcGFjZSBSb290IENBMSQwIgYJKoZIhvcNAQkBFhVzdXBw b3J0QGFpcmVzcGFjZS5jb20wgd8wDQYJKoZIhvcNAQEBBQADgc0AMIHJAoHBAMyg +SMwvUnpR6Q/oqzzpIJ/Zne7ZvRrFja6hO8JZpzK4OrKbx0PupD++li4UCwQ/Hjc ydEm2I8q0Fmoppv+kDJL1kVTztkTG5mwKCpz2YZV769epUCWIuVLn8QliYh48aUf 9HsW8gwKN6NSYDpasNxFM7DAt8gC3yXwWF3/X0P9rh9Io0vf+ArCfjC+kxvTSQre yB/2+ZdPFAhVyIE/0zTxuKGJKwoQ2YpEfb8hPmRSDSDnjpMi2hHKekas60FGqwID AQABo4IBFDCCARAwHQYDVR0OBBYEFFONg2BHjcIPgGYyMunhcHBVKxfqMIHTBgNV HSMEgcswgciAFFONg2BHjcIPgGYyMunhcHBVKxfqoYGspIGpMIGmMQswCQYDVQQG EwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpvc2UxFzAV BgNVBAoTDkFpcmVzcGFjZSBJbmMuMRQwEgYDVQQLEwtFbmdpbmVlcmluZzEaMBgG A1UEAxMRQWlyZXNwYWNlIFJvb3QgQ0ExJDAiBgkqhkiG9w0BCQEWFXN1cHBvcnRA YWlyZXNwYWNlLmNvbYIBADAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkq hkiG9w0BAQQFAAOBwQAG42U9Sxn6oMO5jq4jxaMwXkJFIqlhvhtbiFbtLlrkL3rA JqooBZgkCA0VEhabROQoRy67pXMp8HDbVgEce+nzokA5mjVXpQOE7KA1Pc9J6OwB lAR0aQvBIHknZIc9JZQ9zWapcm9KeetAHHxol06SXYAjE8EmH2BHY6nZrB/fAJL2 V98atJuQTiLOVRXNRPaKAE4ryGH7wVQNwfOma4zdwcJ8RCAn5iQRmLDgAt6eBtZP DVOJh5bBwNsSsPWBb+0= -----END CERTIFICATE----- quit Certificate has the following attributes: Fingerprint: C2176703 8D42BF7F 5240CAD3 F59930A9 % Do you accept this certificate? [yes/no]: yes Trustpoint CA certificate accepted. % Certificate successfully imported airespace-device-root-cert: ap(config)#crypto ca authen airespace-device-root-cert Enter the base 64 encoded CA certificate. End with a blank line or the word "quit" on a line by itself -----BEGIN CERTIFICATE----- MIIEfzCCA6igAwIBAgIBAzANBgkqhkiG9w0BAQQFADCBpjELMAkGA1UEBhMCVVMx EzARBgNVBAgTCkNhbGlmb3JuaWExETAPBgNVBAcTCFNhbiBKb3NlMRcwFQYDVQQK Ew5BaXJlc3BhY2UgSW5jLjEUMBIGA1UECxMLRW5naW5lZXJpbmcxGjAYBgNVBAMT EUFpcmVzcGFjZSBSb290IENBMSQwIgYJKoZIhvcNAQkBFhVzdXBwb3J0QGFpcmVz cGFjZS5jb20wHhcNMDUwNDI4MjIzNzEzWhcNMTUwMTI2MjIzNzEzWjCBqDELMAkG A1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExETAPBgNVBAcTCFNhbiBKb3Nl MRcwFQYDVQQKEw5BaXJlc3BhY2UgSW5jLjEUMBIGA1UECxMLRW5naW5lZXJpbmcx HDAaBgNVBAMTE0FpcmVzcGFjZSBEZXZpY2UgQ0ExJDAiBgkqhkiG9w0BCQEWFXN1 cHBvcnRAYWlyZXNwYWNlLmNvbTCB3zANBgkqhkiG9w0BAQEFAAOBzQAwgckCgcEA qTwBWOcoTnX/hqV6iGrKN0ML7PB1gvVr22rFFFVPsG6qMns+zjyTkQPJO6QMCvky pstdo/HDxShTv04ZLBv8SEZ+vZMGtJdKEnO/NYrYVA8mHmEromc7aNI5yH4enpZ7 JlTShUW7f3hfTp1Le4ABqi9FXP9FUuzbVmfj/OcJPgaPrjU9Qii0jYtBXZv0ljQt wUWZh7ab+ktR+2e0oMIef8YmmjlH6x1IXoOxKYsHnl4e2rWgvl4d4BCf8L1HUOMr AgMBAAGjggE3MIIBMzAMBgNVHRMEBTADAQH/MC4GCWCGSAGG+EIBDQQhFh9BaXJl c3BhY2UgRGV2aWNlIENBIENlcnRpZmljYXRlMB0GA1UdDgQWBBQKUjuxJXBSO5zq dH+yrT2Pleo/zDCB0wYDVR0jBIHLMIHIgBRTjYNgR43CD4BmMjLp4XBwVSsX6qGB rKSBqTCBpjELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExETAPBgNV BAcTCFNhbiBKb3NlMRcwFQYDVQQKEw5BaXJlc3BhY2UgSW5jLjEUMBIGA1UECxML RW5naW5lZXJpbmcxGjAYBgNVBAMTEUFpcmVzcGFjZSBSb290IENBMSQwIgYJKoZI hvcNAQkBFhVzdXBwb3J0QGFpcmVzcGFjZS5jb22CAQAwDQYJKoZIhvcNAQEEBQAD gcEAoOjVnZvanu0MlgRd/qNwhOxZtcPTcWlNsHBmTgyAYNae42boH588z2iKsEmO zPpspyhU8tgEZpDJj+yE7y9/DwjJD3GdwPTBJc7RtSVt2T5Rd3vV6H8dx5/MUC3C AkLAXRaC3uPfdUG4xVtDPBDf4r/S6ALn2SMymiOiB2+GvMBI1Wmzg1msiXmX8CxV b4/jGHVPYFxDzafIGEewhR2t8NbNYsjeqG5uEkp83L+m/MfhhSodsVKdY7NogwX2 e9Jf -----END CERTIFICATE----- quit Certificate has the following attributes: Fingerprint: B5B0E363 7834493B DD640D72 122B19AC Certificate validated - Signed by existing trustpoint CA certificate. Trustpoint CA certificate accepted. % Certificate successfully imported airespace-old-root-cert: ap(config)#crypto ca authen airespace-old-root-cert Enter the base 64 encoded CA certificate. End with a blank line or the word "quit" on a line by itself -----BEGIN CERTIFICATE----- MIIEBjCCAy+gAwIBAgIBADANBgkqhkiG9w0BAQQFADCBjzELMAkGA1UEBhMCVVMx EzARBgNVBAgTCkNhbGlmb3JuaWExETAPBgNVBAcTCFNhbiBKb3NlMRYwFAYDVQQK Ew1haXJlc3BhY2UgSW5jMQ0wCwYDVQQLEwRub25lMQswCQYDVQQDEwJjYTEkMCIG CSqGSIb3DQEJARYVc3VwcG9ydEBhaXJlc3BhY2UuY29tMB4XDTAzMDIxMjIzMzg1 NVoXDTEyMTExMTIzMzg1NVowgY8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxp Zm9ybmlhMREwDwYDVQQHEwhTYW4gSm9zZTEWMBQGA1UEChMNYWlyZXNwYWNlIElu YzENMAsGA1UECxMEbm9uZTELMAkGA1UEAxMCY2ExJDAiBgkqhkiG9w0BCQEWFXN1 cHBvcnRAYWlyZXNwYWNlLmNvbTCB3zANBgkqhkiG9w0BAQEFAAOBzQAwgckCgcEA 2505ATAFndEFyyeTm5kH+B/1f6kkBlv3Glhl+LnPzLNnk1TUabq4RxyjJ67qAGqs kEecncI7Z976zA0oMsYQP6WcQeLotCULTSkD61JimpnWGLdHxKlBURq5lbsUkFQE X0oLn/OH80bV86JJKu0baj3WOdhJJDZqEjTdLbE81Il+LqEBY7zMgi96bQszq1cF PHhKbaPdHluWz1TGz01ZvBv9bLbnL8spiNy+bU12+4Mfr1aD5OIIIgCp6y477w35 AgMBAAGjge8wgewwHQYDVR0OBBYEFJRX330Ugi0xuyh3LomWGIbaRoS6MIG8BgNV HSMEgbQwgbGAFJRX330Ugi0xuyh3LomWGIbaRoS6oYGVpIGSMIGPMQswCQYDVQQG EwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpvc2UxFjAU BgNVBAoTDWFpcmVzcGFjZSBJbmMxDTALBgNVBAsTBG5vbmUxCzAJBgNVBAMTAmNh MSQwIgYJKoZIhvcNAQkBFhVzdXBwb3J0QGFpcmVzcGFjZS5jb22CAQAwDAYDVR0T BAUwAwEB/zANBgkqhkiG9w0BAQQFAAOBwQCusDSdwPkqqjpXdbOnnFQhqdAVOJJh lcA0eQTagdQSD1j64imSI761SpBtcPf3IZLvr6Sw9IhgTjCUu8x3o2CogSkISbh7 XKGqFyGSKlVraODTGtxyZMTE1rIzNFyGJU5JiAlmRc1A8Sdhi8N+cdrZFnclMiNh cdh6Fvkq98FRy4iSRDvGZlm+pHuYXohmaKHr1Ii79uepSf34dxHVGKgOID2hK+vc aWPtp7dgeaMiOAyWDLjTJMrdlJ3qOeDvAz0= -----END CERTIFICATE----- quit Certificate has the following attributes: Fingerprint: 61FD1452 D2803ADC BC4D069C 5FC3C92E % Do you accept this certificate? [yes/no]: yes Trustpoint CA certificate accepted. % Certificate successfully imported cisco-mfg-root-cert: ap(config)#crypto ca authen cisco-mfg-root-cert Enter the base 64 encoded CA certificate. End with a blank line or the word "quit" on a line by itself -----BEGIN CERTIFICATE----- MIIE2TCCA8GgAwIBAgIKamlnswAAAAAAAzANBgkqhkiG9w0BAQUFADA1MRYwFAYD VQQKEw1DaXNjbyBTeXN0ZW1zMRswGQYDVQQDExJDaXNjbyBSb290IENBIDIwNDgw HhcNMDUwNjEwMjIxNjAxWhcNMjkwNTE0MjAyNTQyWjA5MRYwFAYDVQQKEw1DaXNj byBTeXN0ZW1zMR8wHQYDVQQDExZDaXNjbyBNYW51ZmFjdHVyaW5nIENBMIIBIDAN BgkqhkiG9w0BAQEFAAOCAQ0AMIIBCAKCAQEAoMX33JaUNRXx9JlOu5tB4X3beRaR u/NU8kFKlDJiYskj95rnu5t56AcpTjD1rhvFIVZGsPj05o6BuBbMqJuF0kKB23zL lKkRYRIcXOozIByaFqd925kGauI2r+z4Cv+YZwf0MO6l+IgaqujHPBzO7kj9zVw3 8YaTnj1xdX007ksUqcApewUQ74eeaTEw9Ug2P9irzhXi6FifPmJxBIcmpBViASWq 1d/JyVu4yaEHe75okpOTIKhsvRV100RdRUvsqNpgx9jI1cjtQeH1X1eOUzKTSdXZ D/g2qgfEMkHFp68dGf/2c5k5WnNnYhM0DR9elXBSZBcG7FNcXNtq6jUAQQIBA6OC AecwggHjMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFNDFIiarT0Zg7K4F kcfcWtGwR/dsMAsGA1UdDwQEAwIBhjAQBgkrBgEEAYI3FQEEAwIBADAZBgkrBgEE AYI3FAIEDB4KAFMAdQBiAEMAQTAfBgNVHSMEGDAWgBQn88gVHm6aAgkWrSugiWBf 2nsvqjBDBgNVHR8EPDA6MDigNqA0hjJodHRwOi8vd3d3LmNpc2NvLmNvbS9zZWN1 cml0eS9wa2kvY3JsL2NyY2EyMDQ4LmNybDBQBggrBgEFBQcBAQREMEIwQAYIKwYB BQUHMAKGNGh0dHA6Ly93d3cuY2lzY28uY29tL3NlY3VyaXR5L3BraS9jZXJ0cy9j cmNhMjA0OC5jZXIwXAYDVR0gBFUwUzBRBgorBgEEAQkVAQIAMEMwQQYIKwYBBQUH AgEWNWh0dHA6Ly93d3cuY2lzY28uY29tL3NlY3VyaXR5L3BraS9wb2xpY2llcy9p bmRleC5odG1sMF4GA1UdJQRXMFUGCCsGAQUFBwMBBggrBgEFBQcDAgYIKwYBBQUH AwUGCCsGAQUFBwMGBggrBgEFBQcDBwYKKwYBBAGCNwoDAQYKKwYBBAGCNxQCAQYJ KwYBBAGCNxUGMA0GCSqGSIb3DQEBBQUAA4IBAQAw8zAtjPLKN0pkmSQpCvKGqkLV I+ii6itvaSN6go4cTAnPpE+rhC836WVg0ZrG2PML9d7QJwBcbx2RvdFOWFEdyeP3 OOfTC9Fovo4ipUsG4eakqjN9GnW6JvNwxmEApcN5JlunGdGTjaubEBEpH6GC/f08 S25l3JNFBemvM2tnIwcGhiLa69yHz1khQhrpz3B1iOAkPV19TpY4gJfVb/Cbcdi6 YBmlsGGGrd1lZva5J6LuL2GbuqEwYf2+rDUU+bgtlwavw+9tzD0865XpgdOKXrbO +nmka9eiV2TEP0zJ2+iC7AFm1BCIolblPFft6QKoSJFjB6thJksaE5/k3Npf -----END CERTIFICATE----- quit Trustpoint 'cisco-mfg-root-cert' is a subordinate CA and holds a non self signed cert Certificate has the following attributes: Fingerprint: 6EA241F5 AC9A1148 CC8B4B43 C7C13025 % Do you accept this certificate? [yes/no]: yes Trustpoint CA certificate accepted. % Certificate successfully imported cisco-root-cert: ap(config)# crypto ca authen cisco-root-cert Enter the base 64 encoded CA certificate. End with a blank line or the word "quit" on a line by itself -----BEGIN CERTIFICATE----- MIIDQzCCAiugAwIBAgIQX/h7KCtU3I1CoxW1aMmt/zANBgkqhkiG9w0BAQUFADA1 MRYwFAYDVQQKEw1DaXNjbyBTeXN0ZW1zMRswGQYDVQQDExJDaXNjbyBSb290IENB IDIwNDgwHhcNMDQwNTE0MjAxNzEyWhcNMjkwNTE0MjAyNTQyWjA1MRYwFAYDVQQK Ew1DaXNjbyBTeXN0ZW1zMRswGQYDVQQDExJDaXNjbyBSb290IENBIDIwNDgwggEg MA0GCSqGSIb3DQEBAQUAA4IBDQAwggEIAoIBAQCwmrmrp68Kd6ficba0ZmKUeIhH xmJVhEAyv8CrLqUccda8bnuoqrpu0hWISEWdovyD0My5jOAmaHBKeN8hF570YQXJ FcjPFto1YYmUQ6iEqDGYeJu5Tm8sUxJszR2tKyS7McQr/4NEb7Y9JHcJ6r8qqB9q VvYgDxFUl4F1pyXOWWqCZe+36ufijXWLbvLdT6ZeYpzPEApk0E5tzivMW/VgpSdH jWn0f84bcN5wGyDWbs2mAag8EtKpP6BrXruOIIt6keO1aO6g58QBdKhTCytKmg9l Eg6CTY5j/e/rmxrbU6YTYK/CfdfHbBcl1HP7R2RQgYCUTOG/rksc35LtLgXfAgED o1EwTzALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUJ/PI FR5umgIJFq0roIlgX9p7L6owEAYJKwYBBAGCNxUBBAMCAQAwDQYJKoZIhvcNAQEF BQADggEBAJ2dhISjQal8dwy3U8pORFBi71R803UXHOjgxkhLtv5MOhmBVrBW7hmW Yqpao2TB9k5UM8Z3/sUcuuVdJcr18JOagxEu5sv4dEX+5wW4q+ffy0vhN4TauYuX cB7w4ovXsNgOnbFp1iqRe6lJT37mjpXYgyc81WhJDtSd9i7rp77rMKSsH0T8lasz Bvt9YAretIpjsJyp8qS5UwGH0GikJ3+r/+n6yUA4iGe0OcaEb1fJU9u6ju7AQ7L4 CYNu/2bPPu8Xs1gYJQk0XuPL1hS27PKSb3TkL4Eq1ZKR4OCXPDJoBYVL0fdX4lId kxpUnwVwwEpxYB5DC2Ae/qPOgRnhCzU= -----END CERTIFICATE----- quit Certificate has the following attributes: Fingerprint: BE395ABE 078AB112 1725CC1D 46343CB2 % Do you accept this certificate? [yes/no]: yes Trustpoint CA certificate accepted. % Certificate successfully imported Image transferThe LWAPP Upgrade image is transferred to the AP. This will overwrite any existing images, thus this is the point of no return, in a way. Enter the appropriate data for your environment (IP address, image name) in the TFTP server section. ap# arch down /over /create-space tftp://10.200.254.4/images/c1200-rcvk9w8-tar.123-7.JX9.tar examining image... Loading images/c1200-rcvk9w8-tar.123-7.JX9.tar from 10.200.254.4 (via BVI1): ! extracting info (273 bytes) Image info: Version Suffix: rcvk9w8- Image Name: c1200-rcvk9w8-mx Version Directory: c1200-rcvk9w8-mx Ios Image Size: 1751552 Total Image Size: 1751552 Image Feature: WIRELESS LAN|LWAPP|RECOVERY Image Family: C1200 Wireless Switch Management Version: 3.0.51.0 Extracting files... c1200-rcvk9w8-mx/ (directory) 0 (bytes) extracting c1200-rcvk9w8-mx/c1200-rcvk9w8-mx (1741240 bytes)!!!!!!!!! extracting c1200-rcvk9w8-mx/info (273 bytes) extracting info.ver (273 bytes)!! [OK - 1751040 bytes] Deleting current version... Deleting flash:/c1200-k9w7-mx.123-8.JA2...done. New software image installed in flash:/c1200-rcvk9w8-mx Configuring system to use new image...done.archive download: takes 67 seconds ap#show archive status SUCCESS: Upgrade complete. Now there is only one thing left to do: remove the startup-config, and reload the AP. On reload the AP will come up with the LAP software and start searching for a WLC to join. ap# wr erase Erasing the nvram filesystem will remove all configuration files! Continue? [confirm] [OK] ap# reload Proceed with reload? [confirm] Wednesday, November 18. 2009Resetting SATA devices under LinuxNote: this was tested only on SATA attached optical drives, not on hard disks. Removing a hard disk with mounted partitions on it (directly or indirectly) is probably not a very smart idea. A device name of
# readlink /sys/block/sr0 ../devices/pci0000:00/0000:00:1f.2/host1/target1:0:0/1:0:0:0/block/sr0 The interesting part if the answer is
# echo 1 > /sys/block/sr0/device/delete This will remove the device from the bus (logically). Look in
# echo "- - -" > /sys/class/scsi_host/host1/scan
Friday, February 13. 2009Experiences with the MSI supportI have to say that I am very pleased with the technical support I have received so far from MSI for my IM-GM45. Besides the MTRR issue I wrote about here, I had filed a second, minor request. The second request regarded the shared video memory setting for the on-board graphics chipset. In the original BIOS the minimum amount of memory that could be allocated for video RAM was 32MB, which is way too much for the text mode that I need. So I filed a request asking for the possibility to select a lower amount of memory (preferably 1MB or less). Two business days later I received a mail from the MSI support containing a BIOS with the fix for my specific request (fortunately it also contained the MTRR-fix). This is admittedly much more than I expected. Thanks to MSI for the quick and helpful response to both of my requests. Sunday, February 8. 2009Building an OpenSolaris storage - Hardware, Part 2Earlier this week the last of the hardware I ordered arrived, so I could finally assemble the whole system. Contrary to my expectations the CPU did not come with a fan (which was just as well, as I already had two), but with a lot of packaging instead. Someone at Intel should think about cutting down on all that plastic just to ship a tiny piece of silicon.Speaking of silicon, contrary to almost all other current x86 CPUs the Core2Duo Mobile processors do not have a metal cap to protect the die, but the die instead sits rather unprotected on top (similar to the Athlon XP and Pentium 3 processors). This makes attaching a fan an interesting experience, because it is quite easy to damage the die while doing this. Coolermaster is obviously aware of this, the contact side of the fan contains a foam spacer which surrounds the die when the cooler is placed on the CPU and which is supposed to prevent tilting. The cooler is then fastened to a mounting plate sitting on the bottom of the board using some spring screws. This works insofar as I was able to mount this without damaging the die.Getting all this into the case is a bit tricky but manageable, as the mainboad tray can be pulled out from the case. The case has qute an assortment of LEDs and switches, unfortunately not all of these have corresponding connectors on the board (the two LAN-LEDs, the ERROR LED, the Mute switch and the intrusion detection switch). The SATA cables are numbered which makes it easy to plug them into the right connector, so the mainboards view of drive numbering lines up with the numbers on the case. After putting all this together I switched the system on for the first time. All went well and the BIOS came up. The system is not exactly quiet, but I find the noise far more bearable than the Thecus one, mainly because most of the noise is airflow, and not the droning of the fans. The noise level is constant, too, so far I have not heard the case fans increase speed. Next up: installing software Saturday, January 24. 2009Building an OpenSolaris storage - Hardware, Part 1Today the first half of my order arrived: the case, the mainboard and the fan. As this delivery was somewhat unexpected (the mainboard is a new model, and I had expected it a week later), I now have new hardware I can not use, due to the lack of a CPU. This is a bit embarassing, but cannot be changed right now, so I'll start with what I have. My apologies for the appaling quality of the pictures, but all I have in the way of digital image capture is the camera in my cell phone. The CaseThe first thing I noticed about the case is how solid it looks and feels. Contrary to the photos I had seen so far the case is not all black, but the sides and the top and bottom are a dark siverish grey. The front, however, is black. I have to say it looks quite good. Although the front and sides are plastic, there is absolutely nothing cheap about the feeling. This is underlined by the weight of the thing. Even though there is no power supply in it (that is external), and no parts have been mounted yet, the empty case weighs over seven kilograms. Under the plasic outside panels there is a massive metal cage. It really has a no-nonsense feel to it. The inside is full of pre-routed cables that lead to the front panel, the power distribution plane and the hard disk backplane. The case has a 20+4-pin ATX power connector plus the four pin additional CPU power connector most current boards need. Luckily, all the MSI board requires is the 20-pin ATX connector.A pleasant surprise (aside from the colour) was that the case has a multi-format card reader already built in. From the manufacturers site I had gathered that this was an optional extra, but my case came with one included. Also included is a CPU fan, but that is quite specific for a certain mainboard, and will not fit most other boards, so it is useless to me. What is not included is a manual, at least I have not found any. As all of the cables are clearly labeled this is not much of a problem, though. The BoardThe mainboard comes with the usual assortment of cables (2xSATA, 2xSATA power adaptor, 44-pin IDE) and the rear panel bracket. In addition, it also contains a CPU fan, which surprised me. It also is a Coolermaster model, but not the same I ordered extra. If, as I suspect, the CPU also comes with a fan I'll have quite enough of those things. The board also had a pleasant surprise, this one on the bottom of the board. MSI put a CF card socket there, which the web site stated as an optional extra. I think I'll use a CF card instead of the notebook hard disk, as this produces less noise and heat.The FanWell... it's a fan, right? Goes on the CPU, and hopefully does not make too much noise. I can always threaten it with the other fan if it does. Building an OpenSolaris storage - HistoryThis is supposed to be a documentation of my endeavour to build an OpenSolaris based storage machine for my home use. Coming from a Linux background myself it will also serve as a notebook of how to do stuff under Solaris. HistoryFor years I had a midi tower based system running, which was both my internet router and the local storage machine. This machine was shut down eventually, energy prices being what they are, and was replaced by an ASUS router running OpenWRT for internet access. The storage facility was not replaced, so only the hard drives on the client machines themselves were left. In the middle of last year I finally had enough of that and started looking around for a small storage appliance. I wanted something I could play around with, so being able to screw with or replace the original operating system was a must. I ended up with the Thecus N2100, which is a small, ARM based NAS enclosure running Linux from embedded flash, and able to house two SATA hard disk drives. It's possible to get a fully functional Debian system on it if you're not afraid of poking around with serial ports (which I am not), so it seemed like a good choice. It was ordered together with two Seagate 7200.11 1TB drives. It turned out pretty fast that the Thecus and the Seagate drives did not like each other a whole lot, which is probably due to the rather high spinup current that the Seagate drives need (3A on the 12V rail). This was more than the Thecus could provide, so the drives did not spin up most of the time. So the two Seagate drives were replaced with two Samsung 1TB drives, and the Seagates were banished to the shelf. In hindsight this was probably a good thing, because a) the Seagates did not have time to fill up their log and run into the current firmare bug, and b) I had 4 1TB drives lying around, which would come in handy later. The Thecus liked the Samsung drives a whole lot better, and the original firmare was quickly replaced with a Debian Lenny distribution. From a purely administrative standpoint all this worked very well, the distribution detects all the hardware in the system (not that there is a whole lot of it, but nonetheless), including the multi-coloured LEDs in the front panel and the fan controller. Debian duly provided me with NFS and SAMBA based storage, a print server for the printer connected to the USB ports, and several other services. The main problem with the Thecus was speed. The system is equipped with a 600MHz ARM processor, which sounds quite beefy, especially compared to the other NAS storage enclosures out there, which usually have less. In reality it is not a whole lot. None of the individual subsystems are epecially fast on their own (the system has two 1GB network controllers, but trying to get 100MBit directly from memory is pushing things, and the storage controller has problems of it's own, also limiting the possible performance). The net result of all this was that getting more than 5MB/s read or write performance was pretty much out of the question. As this was unsatisfactory a new solution was needed. In the mean time I had played around with OpenSolaris (in the form of the bi-weekly nevada snapshots), and was quite impressed by it's ZFS file system. So I wanted to build the new system around this OS, in order to try it out in real life with more than just a few megabytes of test disks. This meant using an Intel based machine, though (getting a Sparc based enclosure seemed to push my luck), so I started looking around again. Thecus offered a five disk hot-swap enclosure (the 5200(PRO)) with a 600MHz or 1.6GHz Celeron processor, Marvell-SATA-Controller and Intel Gigabit Ethernet, booting from an internal flash disk. While talking this through with several people on IRC (thanks, ofu!) it became clear that I could get more performance for the same money when building the system myself. (Ironically, I have gotten my hands on a Thecus 5200 based system as well, so I get to have the best of both worlds. Life is great, sometimes). I did not want a midi or mini ATX tower though, so choice was getting slim. ofu again pointed me towards the Chenbro 340 case, which has four hot swap cabable SATA bays and takes a Mini-ITX board. Finding a fitting board turned out to be somewhat complicated, as Mini-ITX boards with (at least) 4 SATA ports are rare (in theory it is possible to put a PCI card into the case using a riser card, but I did not want to go that way). Even more, all the hardware (especially storage and network) had to be supported by Solaris. I figured the safest way to go was getting an all-Intel board (Intel SATA controller, Intel network), as these parts are known to work well. In the end I chose the MSI IM-GM45, which has four on-board SATA ports connected to an Intel ICH9M-E controller, two Intel gigabit ethernet ports and takes an Intel Penryn processor (among others). It also has an IDE connector, which will drive the boot disk (the four SATA drives will run in a RAIDZ configuration, from which Solaris can not yet boot). The board takes up to 4GB of DDR2 RAM, which is plenty. It also has wide selection of video outputs (which I do not need at all), and five serial ports, one of which is on the rear panel (which I do need). The final list of parts for this project is as follows: * Chenbro 340 case * MSI IM-GM45 mainboard * CoolerMaster EPN-41CSS-01-GP cooler+fan * Intel T8100 CPU * 4GB RAM The hard disks are already there (the two Seagates on the shelf, and the two Samsungs in the old enclosure). These will be resused. I also have several old notebook drives lying around, one of which will be used as the boot disk.
(Page 1 of 1, totaling 6 entries)
|