Search This Blog

Wednesday 30 March 2011

WiSM Configuration using Manual LAG and DHCP for Service Interface

I have created this video showing how to set-up the WiSM without using the Auto LAG commands. I prefer to do it this way as you have more control over the commands you can put on the interface.

There is no sound on the video.

http://www.youtube.com/watch?v=jqz4Ra8eoq0

Working with the WCS FTP Server

The details for the FTP server on the WCS are...

User: ftp-user
Password: (wcsrootpassword)

The format to download an IOS to an AAP is

archive download-sw /overwrite ftp://ftp-user:password@10.10.210.6/filename.tar

Thursday 24 March 2011

Local EAP and Radius EAP - Network User

I used to believe that when you use Local Radius you must not have an External Radius server configured as the External Radius is always preferred. Well this can be true, but it depends on the settings on the Radius server setup.

If you have the "Network User" box ticked on the Radius server configuration. This becomes the default Radius server for all AAA authentication. You need to have "Network User" selected if you set up AP Policies and want the AP's authenticated against AAA as there is nowhere to configure a specific server.

Where you can specify a server, such as 802.1x authentication within a WLAN, there is no need to have "Network User" selected and Local Radius and External Radius can work in harmony!

Friday 18 March 2011

AP Policies ACS

AP Policies can be used to have a list of approved AP's.  It is also possible to back this off to Radius. Remember to check the MAC address delimiter. Add the MAC address of the AP to ACS with the MAC as the username and password.

Also you must check "Network User" on the Radius server as the server cannot be individually specified.



ACS Network Access Profiles

You can use Network Access Profiles in ACS to either grant or deny access based on various attributes. This example denies users from SSID "Sec1" and a particular OUI from accessing the network. You can use various attributes so its worth learning what the main ones are.








You can also use this to allow authentication based on certain attributes and deny others.

LDAP Authenticated Bind

You can bind to an LDAP server for local authentication. Authenticated bind is possible and easier as you dont need to make changes to the AD for anonymous bind.


Monday 14 March 2011

Per User QoS Roles Bug

There appears to be a bug when entering the values for per user bandwidth roles on the WLC in 4.2.

If I enter the values 40,40,50,50 in that order to specift the standard traffic and UDP traffic values, I get the following after I click apply.

You see, they are not in the order I applied them. This workaround appears to be to enter the values in the CLI.


config netuser guest-role create visitor

config netuser guest-role qos data-rate average-data-rate visitor 40
config netuser guest-role qos data-rate burst-data-rate visitor 40
config netuser guest-role qos data-rate average-realtime-rate visitor 50
config netuser guest-role qos data-rate burst-realtime-rate visitor 50

show netuser guest-roles                                               

Role Name........................................ visitor
     Average Data Rate........................... 40
     Burst Data Rate............................. 40
     Average Realtime Rate....................... 50
     Burst Realtime Rate......................... 50

Wednesday 9 March 2011

CCX Versions and Features

http://www.cisco.com/web/partners/pr46/pr147/program_additional_information_new_release_features.html

MFP (Management frame protection only supported on CCX5 devices)

Open with EAP or Network EAP

Jermome did a real good blog on this, but to summarize

OPEN with EAP = Authentication bit set to 0. All EAP methods but LEAP require this.
Network EAP = Authentication bit set to 1. LEAP requires this.

Some Cisco clients such as AP's require both when using a EAP method other than LEAP. This is for legacy reasons.


As only CCX devices can use LEAP, setting the method to Network EAP will allow only CCX devices to connect.

dot11 arp-cache

This is sometimes knows as "power save mode" and is the highest supported on the 7920 phone. It prevents the AP from forwarding arp requests to clients if it alreeady knows the client, thus saving the wake up time required on the client.

U-APSD is the highest level of power save on the 7921. Although dot11 arp cache should also be enabled.

dot11 arp-cache

Use the dot11 arp-cache global configuration command to enable client ARP caching on the access point. ARP caching on the access point reduces the traffic on your wireless LAN and increases client battery life by stopping ARP requests for client devices at the access point. Instead of forwarding ARP requests to client devices, the access point responds to requests on behalf of associated client devices and drops ARP requests that are not directed to clients associated to the access point. When ARP caching is optional, the access point responds on behalf of clients with IP addresses known to the access point but forwards through its radio port any ARP requests addressed to unknown clients. When the access point knows all the IP addresses for associated clients, it drops any ARP requests not directed to its clients. In its beacon, the access point includes an information element to alert client devices that they can safely ignore broadcast messages to increase battery life.
[no] dot11 arp-cache [optional]

Syntax Description

optional
Configures the access point to respond to ARP requests addressed to clients for which the access point knows the IP address but forward through its radio port ARP requests addressed to client devices that the access point does not recognize. When the access point learns all the IP addresses for associated clients, it drops any ARP requests not directed to its clients.

Defaults

ARP caching is disabled by default.

Command Modes

Global configuration

Command History

Release
Modification
12.2(13)JA
This command was introduced.

Examples

This example shows how to enable ARP caching:
AP(config)# dot11 arp-cache

Tuesday 8 March 2011

WCS Alarm Removal States

What the different Alarm removal states mean....


- CLEAR : Remove the alarm from the list, but it will stays at the WCS Database.
- DELETE : Forget the alarm. When it happens again, the WCS thinks it’s the first time.
- ACKNOWLEDGE : Yeah, yeah.. I know. Don’t show the alarm again.

Switch Port Best Practice Configs - Work in progress

These are some of the default port configurations I am going to use in the exam. Its a work in progress, so please comment if you disagree or can add to anything.


Default Switch Commands


no ip domain-lookup


port-channel load-balance src-dst-ip
!
mls qos
mls qos map cos-dscp 0 8 16 24 32 46 48 54
mls qos map dscp-cos 46 to 5
mls qos map dscp-cos 24 to 3

!
line con 0
logging syncronous
exec-timeout 0


Switch to Switch Links


!
interface fastethernet x/x
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan x (if specified by the question)
 switchport trunk allowed vlan x,y,z
 priority-queue out (on a 3560 or 2960)
 mls qos trust dscp
!


WAN/Internet


ip access-list extended ACL-RTP
 permit udp any range 16384 32767 any range 16384 32767
!
ip access-list extended ACL-SCCP
 permit tcp any any eq 2000
 permit tco any eq 2000 any
!
class-map MAP-RTP
 match access-group name ACL-RTP
!
class-map MAP-SCCP
 match access-group name ACL-SCCP
!
policy-map POLICY-VOICE
 class MAP-RTP
  set dscp ef
 class MAP-SCCP
  set dscp cs3
!
interface fastethernet x/x
 no switchport
 ip address x.x.x.x y.y.y.y
 service-policy POLICY-VOICE in
 priority-queue out



CME


interface fastethernet x/x
 switchport mode access
 switchport access vlan x
 spanning-tree portfast
 spanning-tree bpduguard enable

 mls qos trust DSCP
 priority-queue out



WISM


wism service-vlan z
!

wism module x controller 1 allowed-vlan y,z(this should bring up the LAG)
wism module x controller 1 native-vlan x (i would make this something other than management to maintain qos)
wism module x controller 1 qos-trust cos
!

wism module x controller 2 allowed-vlan y,z
wism module x controller 2 native-vlan x

wism module x controller 2 qos-trust cos


WLC (LAG)


interface fastethernet x/x
 channel-group 1 mode on
!
interface port-channel 1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan x (again, dont make this the management uless you are told to)
 switchport trunk allowed vlan x,y,z

 spanning-tree portfast trunk
 spanning-tree bpduguard enable

 priority-queue out
 mls qos trust cos





WLC (No LAG)


interface fastethernet x/x
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan x (if specified by the question)
 switchport trunk allowed vlan x,y,z

 spanning-tree portfast trunk
 spanning-tree bpduguard enable

 priority-queue out
 mls qos trust cos



LAP (Local Mode)


interface fastethernet x/x
 switchport mode access
 switchport access vlan x (always needed for management interface)
 spanning-tree portfast
 spanning-tree bpduguard enable
 priority-queue out
 mls qos trust dscp



LAP (H-REAP)


interface fastethernet x/x
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan x (always needed for management interface)
 switchport trunk allowed vlan x,y,z
 priority-queue out
 mls qos trust cos



AAP (Multiple VLANs)


interface fastethernet x/x
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan x (if specified by the question)
 switchport trunk allowed vlan x,y,z
 spanning-tree portfast trunk
 spanning-tree bpduguard enable
 priority-queue out
 mls qos trust cos


AAP (Single VLAN)


interface fastethernet x/x
 switchport mode access
 switchport access vlan x
 spanning-tree portfast
 spanning-tree bpduguard enable
 priority-queue out
 mls qos trust dscp



IP Phone
 
interface fastethernet x/x
 switchport mode access
 switchport access vlan x
 switchport voice vlan y
 spanning-tree portfast
 spanning-tree bpduguard enable
 priority-queue out
 mls qos trust device cisco-phone (cdp required, this detects a cisco phone and applies the configured trust)
 mls qos trust cos



Note about "priority queue out"


This is required in the 3560 to turn queue 1 into the expedite (priority) queue. And then, based on default output queue mappings, CoS of 5 gets places into the queue and dealt with first.
The Cat 6500 depending on the module, does not need or support the command as it often has a fixed priority queue, so it may be that simply applying the correct trust state and make sure the maps are correct is enough to deal with voice as priority. I guess it depends on what they are asking.


Notes about SRR/WRR and marking



When looking at QoS configurations for switchports, there are several things to keep in mind.  I'll address two here.  First, when you configure "mls qos," that automatically enables SRR or WRR on the ports with the default percentages and thresholds.  Additional configurations of SRR or WRR would be used to change the defaults. 

For the individual interface trust configurations, remember that if the port is an access port, there will not be any CoS markings in the frame to trust.  On a trunk port, you would generally trust CoS (if you need to trust anything.)  However, as mentioned, you normally want to trust DSCP on trunks between switches.  The reason is that the frames have already had their CoS-DSCP mappings on ingress to the switch.  Thus, they have an appropriate DSCP marking that you have already determined.  Let's say that you are trusting an end device's DSCP markings.  And, let's say that they send a packet with DSCP AF31.  On egress (with the default map,) that will be mapped to CoS 3.  On ingress, if you trust CoS, that will be remarked to DSCP CS3.  Thus, your trust of the end device marking is negated by trusting CoS on the trunk.

Monday 7 March 2011

WCS Radius and TACACS Management

TACACS

Create custom attribute in Interface settings and populate in user or groups with roles copied from WCS Groups. These can be edited for exact requirements but must be numbered sequentially.



RADIUS


 

Friday 4 March 2011

Airspace Attributes ACS

Check the Aire-Interface-Name and assign a name with THE SAME as the WLC Interface you created.. It’s case sensitive.

Submit & Restart.

IETF Radius Attributes VLAN Assignment


Make sure that allow aaa override is checked at the WLAN config.

Wednesday 2 March 2011

Creating and Installing Device Certs using Windows CA

Use this method to stop the annoying security alert when logging into HTTPS to manage the WLC's.

Install openssl0_9_8 on a Windows 2000/XP PC
Navigate to C:\OpenSSL\bin

Need to create the Cert request on behalf of the WLC. This creates the private "mykey.pem" and request "myreq.pem". Fill in information and put the WLC hostname as the CN. Remember the password!

OpenSSL> req -new -newkey rsa:1024 -nodes -keyout mykey.pem -out myreq.pem

Open myreq.pem in wordpad and copy

Goto https://ca_servert/certcrv and login as administrator

Request a Certificate

Advanced Request

Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

Paste the request and select Template Web Server

Download cert in Base 64 Format, save to open SSL folder as certnew.cer

Run the next command to merge the cert with the private key file

OpenSSL> pkcs12 -export -in certnew.cer -inkey mykey.pem -out finalcert.p12 -clcerts -passin pass:cisco -passout pass:cisco

You then need to convert thr p12 file into a pem file for the controller

OpenSSL> pkcs12 -in finalcert.p12 -out final.pem -passin pass:cisco -passout pass:cisco

The cert is now created, need to upload it to the controller type webadmincert and dont forget to add a DNS entry for the hostname!

The same process can also be used for adding device certs for Local EAP. You will also require the CA Cert to be installed on the controller.

Request the CA cert and download in DER format. Then convert to PEM

OpenSSL> x509 -in rootca.cer -inform DER -out rootca.pem -outform PEM

Tuesday 1 March 2011

Coverage Hole Algorithm

Client SNR Cutoff Value (|dB|) = [AP Transmit Power (dBm) – Constant (17 dBm) – Coverage Profile (dB)]

Normally you would be given the SNR value that you want the algorithm triggered on. Lets say that you are asked to increase the power of the AP, should the client SNR fall below 20dB SNR. You also need the current power level. 17 in this case (Power level 2 FCC)

19=17-17-x
x=- -19.

So the Coverage Profile should be 19

MCS Data Rates

MCS Data Rates.



FCC Regulations and Channels


FCC 2.4 GHz BAND RULES (POINT-TO-MULTIPOINT)
Maximum = +36dBm (4watts)

Maximum Power from Intentional Radiator *1
Maximum Antenna Gain (dBi)
EIRP (dBm)
EIRP (watts)
30dBm or 1 watt
6
36
4
27dBm or 500mW
9
36
4
24dBm or 250mW
12
36
4
21dBm or 125mW
15
36
4
18dBm or 63mW
18
36
4
15dBm or 32mW
21
36
4
12dBm or 16mW
24
36
4

 *1 The FCC terminology of Intentional Radiator is the transmitter power of the wireless equipment, such as a wireless access point, router or bridge.
FCC 2.4 GHz BAND RULES (POINT-TO-POINT)
Maximum = See FCC Special Rule *2

Maximum Power from Intentional Radiator *1
Maximum Antenna Gain (dBi)
EIRP (dBm) *3
EIRP (watts) *3
30dBm or 1 watt
6
36
4
29dBm or 800mW
9
38
6.3
28dBm or 630mW
12
40
10
27dBm or 500mW
15
42
16
26dBm or 400mW
18
44
25
25dBm or 316mW
21
46
39.8
24dBm or 250mW
24
48
63
23dBm or 200mW
27
50
100
22dBm or 160mW
30
52
158

*1 The FCC terminology of Intentional Radiator is the transmitter power of the wireless equipment, such as a wireless access point, router or bridge.
*2 The FCC ruling states that for every 1dBi the Intentional Radiator is reduced below the initial 30dBm that the antenna gain may be increased from the initial 6dBi by 3dB.
*3 Equivalent Isotropically Radiated Power (EIRP) is terminology for the total RF power radiated by the antenna.
FCC 5 GHz BANDS AND RULES

BAND
Frequency (GHz)
Channels
Permitted Use Location
Point-to-Point Max. Intentional Radiator Power *1
Point-to-Point Maximum EIRP *2
Point-to-MultiPoint Intentional Radiator Power *1
Point-to-MultiPoint Maximum EIRP *2
UNII
(Low)
5.15-5.25
36, 40, 44, 48
Indoor Only
40mW 16dBm
160mw 22dBm
40mW 16dBm *4
160mW 22dBm
UNII-2 (Middle)
5.25-5.35
52, 56, 60, 64
Indoor or Outdoor
200mW 23dBm
800mW 29dBm
200mW 23dBm *4
800mW 29dBm
UNII-2 Extended
5.470-5.725
100, 104, 108, 112, 116, 120, 124, 128, 132, 136, 140
Indoor or Outdoor
200mW 23dBm
800mW 29dBm
200mW 23dBm *4
800mW 29dBm
UNII-3 (Upper)
5.725-5.825
149 to 161
Typical Outdoor
Antenna to 23dBi *3
200 watts
800mW 29dBm *4
3200mW 35dBm

*1 The FCC terminology of Intentional Radiator is the transmitter power of the wireless equipment, such as a wireless access point, router or bridge.
*2 Equivalent Isotropically Radiated Power (EIRP) is terminology for the total RF power radiated by the antenna.
*3 Fixed point-to-point in the UNII-3 band may utilize directional antennas up to 23dBi gain without any corresponding reduction of the Intentional Radiator's RF output power. If antennas higher than 23dBi gain are utilized, a reduction of 1 dB is required for every 1 dB increase in the antenna gain above 23dBi.
*4 The FCC point to multipoint rule is the maximum power from the intentional radiator + maximum antenna gain of 6 dBi. For every 1 dB gain over 6 dB the power of the intentional radiator must be reduced by 1 dB.
*5 FCC Part 15.407 defines the power limits. For example, in the 5.15-5.25 GHz band the maximum conducted output power over the frequency band of operation shall not exceed the lesser of 50 mW or 4 dBm + 10 log B, where B is the 26-dB emission bandwidth in MHz. In addition, the peak power spectral density shall not exceed 4 dBm in any 1-MHz band. We have shown the lesser amount of 40mW as the IEEE documents have done. We have applied the same concept to the other bands.