IPexpert’s Lab Preparation Workbook for the Cisco® CCIE™ v2.0 Wireless Lab Exam Volume 2
IPexpert’s Workbook for the CCIE Wireless Lab Exam
Volume 2 – Workbook
IPexpert’s Lab Preparation Workbook for the Cisco® CCIE™ Wireless Lab Exam Volume 2
Before We Begin
This product is part of the IPexpert "Blended Learning Solution™" that provides CCIE candidates with a comprehensive training program. For information about the full solution, contact an IPexpert Training Advisor today. Telephone: +1.810.326.1444 Email: [email protected]
Congratulations! You now possess one of the ULTIMATE CCIE™ Wireless Lab preparation resources available today! This resource was produced by senior engineers, technical instructors, and authors boasting decades of internetworking experience. Although there is no way to guarantee a 100% success rate on the CCIE™ Wireless Lab exam, we feel VERY confident that your chances of passing the Lab will improve dramatically after completing this industry-recognized Workbook!
Technical Support from IPexpert and your CCIE community!
IPexpert is proud to lead the industry with multiple support options at your disposal free of charge. Our online communities have attracted a membership of over 20,000 of your peers from around the world! At Blog.IPexpert.com you can keep up to date with everything IPexpert does, as well as start your own CCIE-focused blog or simply add your existing blog to our directory so your peers can find you. At OnlineStudyList.com, you may subscribe to multiple “SPAM-free”, CCIE-focused email lists.
v3150
Copyright © by IPexpert, Inc. All Rights Reserved.
Feedback
Do you have a suggestion or other feedback regarding this book or other IPexpert products? At IPexpert, we look to you – our valued clients – for the real world, frontline evaluation that we believe is necessary to improve continually. Please send an email with your thoughts to [email protected] or [email protected] or call 1.866.225.8064 (international callers dial +1.810.326.1444).
In addition, when you pass the CCIE™ Lab exam, we want to hear about it! Email your CCIE™ number to [email protected] and let us know how IPexpert helped you succeed. We would like to send you a gift of thanks and congratulations.
Additional CCIE™ Preparation Material
IPexpert, Inc. is committed to developing the most effective Cisco CCIE™ R&S, Security, Service Provider, Voice and Wireless Lab certification preparation tools available. Our team of certified networking professionals develops the most up-to-date and comprehensive materials for networking certification, including self-paced workbooks, online Cisco hardware rental, classroom training, online (distance learning) instructor-led training, audio products, and video training materials. Unlike other certification-training providers, we employ the most experienced and accomplished team of experts to create, maintain and constantly update our products. At IPexpert, we are focused on making your CCIE™ Lab preparation more effective.
A message from the Author(s):
The scenarios covered in this workbook were developed by Wireless CCIEs to help you prepare for the Cisco CCIE Wireless laboratory. It is strongly recommended that you use other reading materials in addition to this workbook. Training is not the CCIE Wireless workbook objective. The intent of these labs is to test your knowledge and ability of implementing Cisco Enterprise Wireless Solutions. Time management is very important; if you get stuck on a lab scenario, be sure to write it down. Formulate a checklist for skipped sections and then return to those sections once you have gone through the entire lab. Be sure to revisit the questions that you do not understand.
For more information on the CCIE Wireless lab, please visit http://www.cisco.com/web/learning/le3/ccie/index.html and click on the link for Wireless on the top-right of the page.
Helpful Hints
• Keep It Simple, try to avoid any extra work (example: adding descriptions)
• Always reference everything from the Documentation Website: http://www.cisco.com/cisco/web/psa/default.html?mode=prod
• Know your SRNDs well http://www.cisco.com/go/srnd
• Save your router configurations often (wr is the quickest command)
IPEXPERT END-USER LICENSE AGREEMENT
END USER LICENSE FOR ONE (1) PERSON ONLY
IF YOU DO NOT AGREE WITH THESE TERMS AND CONDITIONS, DO NOT OPEN OR USE THE TRAINING MATERIALS.
This is a legally binding agreement between you and IPEXPERT, the “Licensor,” from whom you have licensed the IPEXPERT training materials (the “Training Materials”). By using the Training Materials, you agree to be bound by the terms of this License, except to the extent these terms have been modified by a written agreement (the “Governing Agreement”) signed by you (or the party that has licensed the Training Materials for your use) and an executive officer of Licensor. If you do not agree to the License terms, the Licensor is unwilling to license the Training Materials to you. In this event, you may not use the Training Materials, and you should promptly contact the Licensor for return instructions. The Training Materials shall be used by only ONE (1) INDIVIDUAL who shall be the sole individual authorized to use the Training Materials throughout the term of this License.
Copyright and Proprietary Rights
The Training Materials are the property of IPEXPERT, Inc. ("IPEXPERT") and are protected by United States and International copyright laws. All copyright, trademark, and other proprietary rights in the Training Materials and in the Training Materials, text, graphics, design elements, audio, and all other materials originated by IPEXPERT at its site, in its workbooks, scenarios and courses (the "IPEXPERT Information") are reserved to IPEXPERT. The Training Materials cannot be used by or transferred to any other person. You may not rent, lease, loan, barter, sell or time-share the Training Materials or accompanying documentation. You may not reverse engineer, decompile, or disassemble the Training Materials. You may not modify, or create derivative works based upon the Training Materials in whole or in part. You may not reproduce, store, upload, post, transmit, download or distribute in any form or by any means, electronic, mechanical, recording or otherwise any part of the Training Materials and IPEXPERT Information other than printing out or downloading portions of the text and images for your own personal, non-commercial use without the prior written permission of IPEXPERT. You shall observe copyright and other restrictions imposed by IPEXPERT. You may not use the Training Materials or IPEXPERT Information in any manner that infringes the rights of any person or entity.
Exclusions of Warranties
THE TRAINING MATERIALS AND DOCUMENTATION ARE PROVIDED “AS IS.” LICENSOR HEREBY DISCLAIMS ALL OTHER WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, INCLUDING WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. SOME STATES DO NOT ALLOW THE LIMITATION OF INCIDENTAL DAMAGES OR LIMITATIONS ON HOW LONG AN IMPLIED WARRANTY LASTS, SO THE ABOVE LIMITATIONS OR EXCLUSIONS MAY NOT APPLY TO YOU. This agreement gives you specific legal rights, and you may have other rights that vary from state to state.
Choice of Law and Jurisdiction
This Agreement shall be governed by and construed in accordance with the laws of the State of Michigan, without reference to any conflict of law principles. You agree that any litigation or other proceeding between you and Licensor in connection with the Training Materials shall be brought in the Michigan state or courts located in Port Huron, Michigan, and you consent to the jurisdiction of such courts to decide the matter. The parties agree that the United Nations Convention on Contracts for the International Sale of Goods shall not apply to this License. If any provision of this Agreement is held invalid, the remainder of this License shall continue in full force and effect
Limitation of Claims and Liability
ANY ACTION ON ANY CLAIM AGAINST IPEXPERT MUST BE BROUGHT BY THE USER WITHIN ONE (1) YEAR FOLLOWING THE DATE THE CLAIM FIRST ACCRUED, OR SHALL BE DEEMED WAIVED. IN NO EVENT WILL THE LICENSOR’S LIABILITY UNDER, ARISING OUT OF, OR RELATING TO THIS AGREEMENT EXCEED THE AMOUNT PAID TO LICENSOR FOR THE TRAINING MATERIALS. LICENSOR SHALL NOT BE LIABLE FOR ANY SPECIAL, INCIDENTAL, INDIRECT, OR CONSEQUENTIAL DAMAGES, HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, REGARDLESS OF WHETHER LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. WITHOUT LIMITING THE FOREGOING, LICENSOR WILL NOT BE LIABLE FOR LOST PROFITS, LOSS OF DATA, OR COSTS OF COVER.
Entire Agreement
This is the entire agreement between the parties and may not be modified except in writing signed by both parties.
U.S. Government - Restricted Rights
The Training Materials and accompanying documentation are “commercial computer Training Materials” and “commercial computer Training Materials documentation,” respectively, pursuant to DFAR Section 227.7202 and FAR Section 12.212, as applicable. Any use, modification, reproduction release, performance, display, or disclosure of the Training Materials and accompanying documentation by the U.S. Government shall be governed solely by the terms of this Agreement and shall be prohibited except to the extent expressly permitted by the terms of this Agreement.
IF YOU DO NOT AGREE WITH THE ABOVE TERMS AND CONDITIONS, DO NOT OPEN OR USE THE TRAINING MATERIALS AND CONTACT LICENSOR FOR INSTRUCTIONS ON RETURN OF THE TRAINING MATERIALS.
IPexpert’s Mock Lab training exam for the Cisco® CCIE™ Wireless Lab Exam – Volume 2
NOTE
You are encouraged to take advantage of the knowledge and support from your peers around the globe. Join onlinestudylist.com to get more community support and also official support from IPexpert.
Table of Contents

IPEXPERT END-USER LICENSE AGREEMENT
    End User License for One (1) Person Only
        U.S. Government - Restricted Rights

LAB 1: CCIE WIRELESS VERSION 2 - A 8 HOUR TRAINING LAB
MOCK LAB 1: TOPOLOGY
LAB 1: PRE-LAB SETUP
LAB 1: PREREQUISITES
LAB 1: TABLES
    Table 1: VLAN and Subnet Table
    Table 2: Device IP Addresses
LAB 1: 8 HOUR CCIE WIRELESS V2 MOCK LAB
    1.0 Configure and Troubleshoot Wired Infrastructure to Support WLAN's
    2.0 Configure and Troubleshoot Infrastructure Application Services
    3.0 Configure and Troubleshoot Autonomous Deployment Model
    4.0 Configure and Troubleshoot Unified Deployment Model
    Table 3: WLC VLANs and SSIDs
    5.0 Configure and Troubleshoot WCS
    6.0 Configure and Troubleshoot WLAN Services

LAB 2: CCIE WIRELESS VERSION 2 - A 8 HOUR TRAINING LAB
MOCK LAB 2: TOPOLOGY
LAB 2: PRE-LAB SETUP
LAB 2: PREREQUISITES
LAB 2: TABLES
    Table 1: VLAN and Subnet Table
    Table 2: Device IP Addresses
LAB 2: 8 HOUR CCIE WIRELESS V2 MOCK LAB
TASK 1: CONFIGURE AND TROUBLESHOOT WIRED INFRASTRUCTURE TO SUPPORT WLANS
    1.1 Basic Network Details
    1.2 QoS
    1.3 Layer 2 Configuration
    1.4 Time Synchronization
    1.5 MSE
TASK 2: CONFIGURE AND TROUBLESHOOT WIRED INFRASTRUCTURE TO SUPPORT WLANS
    2.1 Lightweight APs Discovery
    2.2 Lightweight APs Settings
    2.3 Syslog
TASK 3: CONFIGURE AND TROUBLESHOOT AUTONOMOUS DEPLOYMENT MODEL
    3.1 AP Logging
    3.2 SSID Configuration
    3.3 Additional Settings
TASK 4: CONFIGURE AND TROUBLESHOOT UNIFIED DEPLOYMENT MODEL
    4.1 Configuring MO Office
    4.2 Configuring Headquarter Office
    4.3 Configuring Guest Solution
TASK 5: CONFIGURE AND TROUBLESHOOT WCS
    5.1 Adding WLCs
    5.2 Adding Mobility Services
    5.3 Configuring WCS
TASK 6: CONFIGURE AND TROUBLESHOOT WLAN SERVICES
    6.1 Radio Management
    6.2 Controller Security
    6.3 Voice Settings

LAB 3: CCIE WIRELESS VERSION 2
8 HOUR TRAINING LAB 3
MOCK LAB 3: TOPOLOGY
LAB 3: PRE-LAB SETUP
LAB 3: PREREQUISITES
LAB 3: TABLES
    Table 1: VLAN and Subnet Table
    Table 2: Device IP Addresses
LAB 3: 8 HOUR CCIE WIRELESS V2 MOCK LAB
    1.0 Configure and Troubleshoot Wired Infrastructure to Support WLAN's
        L2 switching in HQ
        L3 routing
        MO routing and switching
        QoS
    2.0 Configure and Troubleshoot Infrastructure Application Services
        NTP
        AP management
        Switching security
    3.0 Configure and Troubleshoot Autonomous Deployment Model
        Autonomous setup
    4.0 Configure and Troubleshoot Unified Deployment Model
        WLC management
    Table 3: WLC VLANs and SSIDs
        AP Priming
        …ests
        …rity and local radius
        …ge detection
    5.0 Configure and Troubleshoot WCS
        WCS
        MAPs
    6.0 Configure and Troubleshoot WLAN Services
        Wireless Voice

LAB 4: CCIE WIRELESS VERSION 2
8 HOUR TRAINING LAB 4
MOCK LAB 4: TOPOLOGY
LAB 4: PRE-LAB SETUP
LAB 4: PREREQUISITES
LAB 4: TABLES
    Table 1: VLAN and Subnet Table
    Table 2: Device IP Addresses
LAB 4: 8 HOUR CCIE WIRELESS V2 MOCK LAB
    1.0 Configure and Troubleshoot Wired Infrastructure to Support WLAN's
        L2 switching in HQ
        L3 routing
        MO routing and switching
        QoS
        Multicast
    2.0 Configure and Troubleshoot Infrastructure Application Services
        NTP
        AP management
        Switching security
    3.0 Configure and Troubleshoot Autonomous Deployment Model
        Autonomous setup
    4.0 Configure and Troubleshoot Unified Deployment Model
        WLC management
    Table 3: WLC VLANs and SSIDs
        AP Priming
        Guests
        AP registration security and local radius
        Client connection testing
        Clean AIR
    5.0 Configure and Troubleshoot WCS
        WCS
        MAPs
    6.0 Configure and Troubleshoot WLAN Services
        Wireless Voice

LAB 5: CCIE WIRELESS V2
8 HOUR TRAINING
MOCK LAB 5: TOPOLOGY
LAB 5: PRE-LAB SETUP
LAB 5: PREREQUISITES
LAB 5: TABLES
    Table 1: VLAN and Subnet Table
    Table 2: Device IP Addresses
LAB 5: 8 HOUR CCIE WIRELESS V2 MOCK LAB
    1.0 Configure and Troubleshoot Wired Infrastructure to Support WLAN's
        L2 switching in HQ
        L3 routing
        QoS
        Multicast
    2.0 Configure and Troubleshoot Infrastructure Application Services
        NTP
        AP management
        Switching security
    3.0 Configure and Troubleshoot Autonomous Deployment Model
        Autonomous setup
    4.0 Configure and Troubleshoot Unified Deployment Model
        WLC management
    Table 3: WLC VLANs and SSIDs
        AP Priming
        Guests
        AP registration security and local radius
        Management
        Clean AIR
    5.0 Configure and Troubleshoot WCS
        WCS
        MAPs
        Clean Air
    6.0 Configure and Troubleshoot WLAN Services
        Wireless Voice
v3150
Copyright © by IPexpert, Inc. All Rights Reserved.
10
IPexpert’s Workbook for the CCIE Wireless Lab Exam
Volume 2 – Workbook
Lab 1: CCIE Wireless Version 2 – an 8 hour training Lab

1.0 Configure and troubleshoot wired infrastructure to support WLANs
2.0 Configure and Troubleshoot Infrastructure Application Services
3.0 Configure and Troubleshoot Autonomous deployment model
4.0 Configure and Troubleshoot Unified deployment model
5.0 Configure and Troubleshoot WCS
6.0 Configure and Troubleshoot WLAN Services

Lab Overview

This lab will test your knowledge of several items of the CCIE Wireless blueprint version 2. The wording in the lab questions might seem extra hard because it is meant to prepare the candidate to read between the lines.

The network and WLCs are partly pre-configured in order to save time, but some of the configurations have to be altered to meet the exam requirements. The fact that the WLCs are pre-configured doesn’t mean that there are no tasks where you have to rectify wrong pre-configs or make some small changes, both on the WLCs and the network. Those are all part of solving this lab.

Throughout this lab you may expect to rectify basic IP connectivity issues on more than one occasion. This is meant to prepare the candidate not to take anything for granted and to stay focused while the lab tries to confuse you.

This lab will use ALL equipment in the Lab 1 topology. Refer to the names of the equipment on that topology.

When configuring WLANs/SSIDs, the lab refers to SSID-XX; replace XX with your pod number, where POD01 is for example SSID-01.

Unless otherwise indicated, use “admin” for usernames and “IPexpert123” for passwords.

It is strongly advised to read the whole lab over before you start configuring, and to read each section over briefly to refresh. In some sections, some later tasks are better done first.

Estimated Time to Complete: 8 hours
Mock Lab 1: Topology
Lab 1: Pre-Lab Setup

Physically connect and configure your network according to Diagram 1. The switches are pre-configured with some VLANs and IP addresses.

Lab 1: Prerequisites

This lab will rely on the network infrastructure. You will need to pre-configure the network with the base configuration files.

• If using your own hardware:
  o Login to IPexpert.com, navigate to the “My Downloads” area, download “IPexpert Wireless Volume 1 Configs,” find the Lab 1 INITIAL Configs, and copy and paste the proper switch files to the proper devices.
• If you are using Proctor Labs:
  o Log on to your Wireless vRack Web UI and navigate to near the top of the web page, click the “Load Lab” button and choose: IPexpert WIFI Volume 2 Workbook → Lab 1 → INITIAL
Lab 1: Tables

Table 1: VLAN and Subnet Table

VLAN  VLAN Name      Subnet         Netmask
5     Servers        10.10.210.0    /24
10    HQSwitchMgmt   10.10.10.0     /24
11    HQGuest1       10.10.11.0     /24
12    HQData1        10.10.12.0     /24
13    HQData2        10.10.13.0     /24
14    HQData3        10.10.14.0     /24
15    HQVoice1       10.10.15.0     /24
16    HQVoice2       10.10.16.0     /24
17    HQData4        10.10.17.0     /24
20    MOSwitchMgmt   10.10.20.0     /25
21    MOGuest1       10.10.21.64    /26
22    MOData1        10.10.22.128   /26
23    MOVoice1       10.10.23.192   /26
105   HQServicePort  10.10.105.0    /24
110   HQAAP          10.10.110.0    /24
111   HQWLC1         10.10.111.0    /24
112   HQWLC2         10.10.112.0    /24
113   HQLAP1         10.10.113.0    /24
114   HQLAP2         10.10.114.0    /24
120   MOWLC1         10.10.120.128  /26
121   MOLAP1         10.10.121.192  /26
999   VLAN999        n/a            n/a
Table 2: Device IP Addresses

Device  Port   Connected to  Connected port  IP Address
CAT1    NA     NA                            10.10.10.2
CAT2    NA     NA                            10.10.10.3
CAT3    NA     NA                            10.10.10.4
CAT4    NA     NA                            10.10.20.1
ACS     NIC1   CAT2          Fa0/11          10.10.210.5
WCS     NIC1   CAT2          Fa0/11          10.10.210.6
CME     Fa0/0  CAT1          Fa0/4           10.10.210.20, 10.10.205.20 (Loop)
MSE     Eth0   CAT2          Fa0/11          10.10.210.10
WLC1    Po1    CAT2          Gi0/1           10.10.111.10
WLC2    Po1    CAT3          Gi0/1           10.10.112.10
WLC3    Po1    CAT4          Fa0/1           10.10.120.140
WLC4    Po1    CAT2          Fa0/15          10.10.112.20
AAP1    Gi0    CAT1          Fa0/2           10.10.110.100
AAP2    Fa0    CAT3          Fa0/2           10.10.110.101
LAP1    Gi0    CAT1          Fa0/1           10.10.113.x
LAP2    Fa0    CAT2          Fa0/2           10.10.114.x
LAP3    Gi0    CAT3          Fa0/3           10.10.114.x
LAP4    Gi0    CAT4          Fa0/4           10.10.121.x
LAP5    Fa0    CAT4          Fa0/5           10.10.121.x
Lab 1: 8 hour CCIE Wireless v2 Mock Lab

1.0 Configure and troubleshoot wired infrastructure to support WLANs

L2 switching in HQ

To prepare your network we need to take extra care that the network is properly set up. All future configurations with wireless components will rely on the network to work. Please bear in mind that most wireless issues are related to the network. The Proctor Labs lab environment will have some preconfigured equipment. It is up to you to change the configuration according to the requirements in this lab.

• Cat1 will handle all VLANs and distribute them to Cat2. Cat3 will also get all VLAN changes from Cat1.
  o Use MD5 encryption to protect the VLAN database on your 3 switches. Use ipexpert123 as the MD5 secret.
• Cat1 should be the root for odd numbered VLANs in the HQ.
• Cat2 should be the root for the even numbered VLANs in the HQ.
• Do not configure Cat3 for the last question above.
  o From Cat3, show commands should give the correct outcome to see where the root bridges are. Cat1 should be seen as root for odd numbered VLANs and Cat2 for even numbered VLANs.
• Configure the 2 links between Cat1 and Cat2 to appear as one STP instance.
  o Use a negotiation method that is Cisco proprietary.
L3 routing

Site HQ: Cat1 SVIs always have the last usable IP address from each VLAN network. Cat2 SVIs always have the next IP address below in each VLAN network. VLAN 10 should be .2 on Cat1 and .3 on Cat2. Cat3 only needs an SVI interface and IP address in VLAN 10 (HQSwitchMgmt). For the Cat3 VLAN 10 SVI, use IP address 10.10.10.4/24. VLAN 5 is preconfigured; don’t change that, as that will ruin management access to your servers.

• Create the SVIs on your appropriate HQ switches and ensure you have connectivity between all L3 interfaces. Refer to table 1 for the VLAN IDs. HQ and MO have different VTP domains, as can be seen in table 1.
• Create a Loopback99 interface on your Cat1 with IP 10.99.99.99/32. Use a Cisco proprietary routing protocol to advertise Loopback99 to Cat2.
  o Only advertise Loopback99 in your configuration.
  o Don’t summarize the classful networks in your routing domain.
• VLAN 12 should be redundant for Cat1 and Cat2.
  o On Cat1 and Cat2, use a Cisco proprietary method to create a redundant SVI for VLAN 12.
  o The VLAN 12 virtual IP should be the next available IP address below Cat1 and Cat2.
  o Cat1 should always be the primary router for VLAN 12, and in case of failure it should revert back when things go back to normal.
• Create a DHCP pool for VLAN 12. The pool starts from .65 and ends with .125.
  o Configure a redundant DHCP pool between Cat1 and Cat2.
MO routing and switching

• Create VLANs and SVIs for Cat4 according to table 1.
• Cat4 should not exchange VLAN configuration with other switches.
• Cat4 should participate in routing updates and exchange routing tables with HQ. Only advertise the needed networks over the routing protocol.
• Cat4 SVIs always use the first IP address per SVI.
• Don’t summarize the classful networks, as before.
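The addressing rules in the L3 routing and MO routing tasks (last usable address on Cat1, next one down on Cat2, the VLAN 12 virtual IP and DHCP pool, first address on Cat4) can be computed and cross-checked before touching a switch. The Python below is an added example, not part of the workbook or its solutions guide; it assumes every HQ VLAN in Table 1 except VLAN 5 and VLAN 999 gets an SVI, and the function names are hypothetical.

```python
import ipaddress

# Subnets copied from Table 1 of Lab 1. VLAN 5 is preconfigured and VLAN 999
# is Layer 2 only, so both are left out (assumption of this example).
HQ_VLANS = {
    10: "10.10.10.0/24", 11: "10.10.11.0/24", 12: "10.10.12.0/24",
    13: "10.10.13.0/24", 14: "10.10.14.0/24", 15: "10.10.15.0/24",
    16: "10.10.16.0/24", 17: "10.10.17.0/24", 105: "10.10.105.0/24",
    110: "10.10.110.0/24", 111: "10.10.111.0/24", 112: "10.10.112.0/24",
    113: "10.10.113.0/24", 114: "10.10.114.0/24",
}
MO_VLANS = {
    20: "10.10.20.0/25", 21: "10.10.21.64/26", 22: "10.10.22.128/26",
    23: "10.10.23.192/26", 120: "10.10.120.128/26", 121: "10.10.121.192/26",
}


def hq_plan(vlan, cidr):
    """Addresses for one HQ VLAN, following the L3 routing rules of Lab 1."""
    net = ipaddress.ip_network(cidr)
    if vlan == 10:
        # Stated exception: .2 on Cat1, .3 on Cat2, .4 on Cat3.
        base = net.network_address
        return {"cat1": str(base + 2), "cat2": str(base + 3),
                "cat3": str(base + 4)}
    last = net.broadcast_address - 1  # last usable host address
    plan = {"cat1": str(last), "cat2": str(last - 1)}
    if vlan == 12:
        # Redundant SVI: the virtual IP is the next address below Cat1 and
        # Cat2, and the DHCP pool runs from .65 to .125.
        plan["vip"] = str(last - 2)
        plan["dhcp_pool"] = (str(net.network_address + 65),
                             str(net.network_address + 125))
    return plan


def mo_svi(cidr):
    """Cat4 SVIs always use the first usable address of the subnet."""
    return str(ipaddress.ip_network(cidr).network_address + 1)


def check_interface(addr, vlan_cidr, reserved=()):
    """Return a list of problems with an interface address (for example a
    WLC dynamic interface); an empty list means it fits the VLAN."""
    net = ipaddress.ip_network(vlan_cidr)
    try:
        iface = ipaddress.ip_interface(addr)
    except ValueError as exc:
        return [f"invalid address or prefix length: {exc}"]
    problems = []
    if iface.ip not in net:
        problems.append(f"{iface.ip} is outside {net}")
    elif iface.network.prefixlen != net.prefixlen:
        problems.append(
            f"prefix /{iface.network.prefixlen} does not match {net}")
    if iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{iface.ip} is not a usable host address")
    if str(iface.ip) in reserved:
        problems.append(f"{iface.ip} collides with a switch address")
    return problems


if __name__ == "__main__":
    for vlan, cidr in sorted(HQ_VLANS.items()):
        print("HQ", vlan, hq_plan(vlan, cidr))
    for vlan, cidr in sorted(MO_VLANS.items()):
        print("MO", vlan, "cat4", mo_svi(cidr))
    # Table 3 lists 10.10.13.50/54 for WLC2 on VLAN 13; the check reports
    # the impossible prefix length instead of silently accepting it.
    print(check_interface("10.10.13.50/54", HQ_VLANS[13]))
```

The computed gateways match the default gateways listed in Table 3 (10.10.11.254, 10.10.13.254, 10.10.15.254 and 10.10.22.129), which is a quick sanity check on both the rules and the table.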
QOS

• On all routers and switches, trust layer 2 and layer 3 QoS markings where appropriate.
• Tune your CoS to DSCP mapping (and vice versa) as Cisco best practices recommend.
  o VoIP SCCP AVVID gets value of 24 (CS3) instead of the default 26 (AF31).
  o VoIP RTP stream gets value of 46 (EF) instead of the default 40.
• The traffic from MO should have a policy that marks Skinny traffic and RTP VoIP traffic.
  o Skinny is TCP port 2000.
  o RTP traffic is UDP port range 16384 to 32767.
  o It is uncertain that the ISP is marking the packets correctly over the WAN. Ensure the correct marking is maintained.
2.0 Configure and Troubleshoot Infrastructure Application Services
NTP

• Use the NTP server on WCS to synch time for all your wireless network devices, including the WLCs. WCS is 10.10.210.6.
• Controllers should synch time every 2 hours.
• Cat1 should be the NTP master for all switches. Use password "ipexpert" for NTP authentication. Use UTC time zone 0.
• Cat1 should answer NTP requests only on VLAN 10 and only allow switches in your network to synch time with Cat1. Cat2 uses its VLAN 5 IP, Cat4 uses its VLAN 20 IP and Cat3 uses its VLAN 10 IP address for NTP communications.
• Don’t forget the autonomous APs!
AP management HQ

• LAP2 (F0/2 on Cat2) and LAP3 (F0/3 on Cat3) should discover WLC2 and WLC4 with DHCP (don’t use DNS).
  o Future APs will use the DHCP information to load balance new APs between WLC2 and WLC4.
• Name the APs from their default name to the name in table 1. Subnets for those APs are listed in table 2. Configure your network accordingly.
  o Use your Microsoft DHCP server to accomplish this.
  o Exclude the range from 1 to 20 and 200 to 254.
  o Microsoft DHCP server is 10.10.210.6.
  o Make sure that WLC2 will be primary and WLC4 secondary controller for LAP2 and LAP3. Mobility group should be named HQ.
• LAP4 and LAP5 should join WLC4 with DNS lookup configured on Microsoft DNS. Set those APs on VLAN 121 on Cat4.
Switching security

• All LAP AP ports should go to STP forwarding mode immediately.
• In MO, all switch ports with access points should block traffic if BPDUs are advertised over the port.
• In HQ, all switch ports with access points should get disabled if BPDUs are advertised over the port.
3.0 Configure and Troubleshoot Autonomous deployment model
Autonomous Setup
An aluminum company has mobile cranes in their manufacturing area. Those cranes will have industrial computers on board with Ethernet ports (no wireless). You need to use AAP2 to connect the industrial computer to the wireless network.

• Make a Layer 2 only VLAN 999 on the switch AAP2 is connected to, to avoid loops in your network.
• AAP2 will connect to AAP1 with 802.1x security. SSID is crane-xx. Username is crane and password is aluminum.
  o AAP1 will authenticate the crane user, and the industrial PC should be on VLAN 17. As the industrial PC is not ready yet, configure DHCP on AAP2 to see DHCP work. Configure DHCP on Cat1 for VLAN 17. Exclude the first 9 addresses.
  o Use the most secure EAP option that is Cisco proprietary.
• The crane is mobile. Ensure that it only scans non-overlapping channels in your 2.4 GHz frequency, so it uses the least time to scan channels when moving around.
• Ensure that the association is reliable, so the AP disassociates clients only after 127 packets are lost.
4.0 Configure and Troubleshoot Unified deployment model

WLC management

WLC1 has its Service Port connected to Cat1.

• Connect the SP on VLAN 5. Use DHCP from Cat2 for the SP. The SP port should always get the 10.10.210.50 address. This should only work for the WLC1 SP interface. The default gateway advertised by the DHCP scope should be the VLAN 5 SVI on Cat1.
• It is required that users from Cat4 MOData1 can reach this SP and manage it. Pinging that address from the MOData1 VLAN should work. Remove this configuration after you have made it work. Why?
• On WLC1, guests should see the name guests.proctorlabs.com in their web browser URL when doing guest authentication. This name should resolve on your DNS server (Microsoft server 10.10.210.6) to the WLC1 virtual IP address.
• All WLCs should have IP management interfaces according to table 2. Verify it is all correct.
• Configure appropriate VLAN interfaces per WLC according to table 3.
Table 3: WLC VLANs and SSIDs

Device  Interface   WLC IP Address   Default gateway  WLAN
WLC1    Vlan 11     10.10.11.252/24  10.10.11.254     HQ-guests-XX
WLC2    Management  WLC1 Anchor      NA               HQ-guests-XX
WLC2    Vlan 13     10.10.13.50/54   10.10.13.254     Client-Vlan-XX
WLC2    Vlan 15     10.10.15.50/24   10.10.15.254     voip-5ghz-XX
WLC3    Vlan 22     10.10.22.130/26  10.10.22.129     MOData1-XX
WLC4    Management  WLC1 Anchor      NA               HQ-guests-XX
WLC4    Vlan 13     10.10.13.51/24   10.10.13.254     Client-Vlan-XX
WLC4    Vlan 15     10.10.15.51/24   10.10.15.254     voip-5ghz-XX
VLANs on switches should already be done and working from the first part of this lab.

• The CLI prompt should represent each WLC. For example WLC1.
• Set up etherchannel for both interfaces on WLC2. Ensure that APs are load balanced across the WLC2 ports according to best practices.
• QoS needs to be tagged using 802.1p on the management VLAN of all WLCs.
• Only needed VLANs should traverse over to each WLC in the network.
AP Priming

• LAP2 and LAP3 should have redundant WLCs for WLC2 and WLC4.
• Ensure that LAP2 will be given priority over other devices when requesting PoE.
Guests

• Configure Client-Vlan11 on port 1 on WLC1.
  o Use .252 for the WLC IP address. See table 3.
• Configure WLC1 port 2 to be the primary management port, connected to Cat1, and port 1, connected to Cat2, to be redundant for the WLC1 operation.
• Configure port 1 so no other VLANs are allowed except guests and for redundancy purposes (above).
• Guests should be able to ping and telnet to the .254 SVI on Cat2 and nothing else. This restriction should not be applied to the WLAN. DNS and DHCP should also work for the clients. Configure WLC1 to restrict the above mentioned access. DNS server IP is 10.10.210.6.
• Create the WLAN HQ-guests-xx on all HQ WLCs. HQ WLCs should transport all guest access traffic to WLC1 Vlan 11, and it should traverse out of port 1 on WLC1.
  o Use SSID HQ-guests-XX.
  o No encryption.
  o Web-splash page will authenticate guest users locally on WLC1.
  o The guest SSID has to work on all APs in the HQ.
• Guests use DHCP on WLC1. Issue a pool of 15 addresses starting from 10.10.13.15.
• Create a lobby admin account on WLC1 and, with this account, create a guest user that lasts for 4 hours. Lobby account user is lobby, password Lobby123. Guest user is guest4, password ipexpert123.
• Test the connection from the Win7 client and test the telnet and ping connectivity.
• The laptop is reachable from the WCS server using VNC to 10.10.210.4, password IPexpert123.
Mobility

• HQ users should be able to roam seamlessly between WLC2 and WLC4. This is not needed for WLC3 in MO.
  o Use the mobility name HQ when accomplishing this.
• All HQ WLCs should check their mobility members every 15 seconds.
Interference and radio settings
On your 802.11g network, the 2.4 GHz channel 11 near LAP1 is unusable because of foreign interference. Join your LAP1 AP manually to WLC4 without DHCP or DNS information passed to the AP. LAP1 should belong to VLAN 113.

• Make sure that your LAP1 uses the lowest 2.4 GHz frequency channel in the future.
• On all your controllers, change the utilization trap to trigger at 87% in your 5 GHz radio only.
AP registration security and local radius
MO should only allow LAP4 and LAP5 to join WLC3.

• Ensure that only those APs can join WLC3 and no other APs.
• Configure local RADIUS on WLC3 for WLAN MOData1. The VLAN for SSID MOData1-XX is in table 3. WLC VLAN 22 IP is 10.10.22.130/26.
• Use PEAP MSCHAPv2 authentication. Username localpeap, password localradius. Security is WPA1 with software encryption.
• Configure DHCP on WLC3 for these SSID clients. Give out the 131 and 132 addresses of the scope.
• Test connectivity with AnyConnect on your test PC.
Client connection testing
Your AnyConnect client needs to connect to the Client-Vlan13-XX WLAN in HQ. Configure your network to meet the requirements below:

• SSID Client-Vlan13-XX
  o This SSID should exist on WLC2 and WLC4. Clients should terminate at Vlan13. Table 3 shows what IP goes on the controller’s VLAN 13.
• Use ACS and EAP-FAST authentication. The RADIUS preshared key is ipexpert123. First SSH from the Windows machine with admin and IPexpert123, then configure a user acsadmin with password IPexpert123.
  o Set your ACS to use NTP at IP 10.10.210.6.
  o Use client username tarzan with password jane.
  o Allow OFDM only for this SSID.
  o Advertise 802.11i in your beacons, but also enable software encryption to work over 802.11i for older clients.
  o DHCP should be set up on Cat1.
• On LAP2 this SSID should bypass the controller for data traffic and go to VLAN 12. Don’t use AP-groups to make this work.
  o Configure the switch connected to LAP2 to support this scenario. LAP2 should use its current VLAN for management. DHCP for VLAN 12 is on Cat1. Test this configuration and see the IP address change on your AnyConnect client.
Rogue detection

Your WLC3 should detect rogue access points.

• It needs to see if open access points (no security) are on your wired network.
  o We need to detect rogue APs ASAP. Also Greenfield mode APs.
  o Make sure that one of your APs connected to WLC3 accomplishes the above.
Man-in-the-middle
Your CEO was reading an article about man-in-the-middle attacks and is worried that your HQ wireless system is vulnerable.

• Configure all LAPs in your HQ network to validate RF information in order to protect the integrity of your LAP APs.
5.0 Configure and Troubleshoot WCS

WCS Management

• Manage all WLCs with WCS using the most secure method.
  o Username wcs, password ipexpert.123-ipexpert.123
  o Allow only this method to be used on the WLCs.
Maps

• Put LAP2 – LAP3 on the floor 1 map on your WCS. Position the APs for best coverage. See how AIR-ANT2450S-R antennas will perform on the LAP2 2.4 GHz radio. The antenna also has to face 25° towards the floor. Let the direction of the antenna point down the map (90°).
• Controllers shouldn’t send information to WCS when the APs change their power levels.
6.0 Configure and Troubleshoot WLAN Services

Wireless Voice

On WLC2 and WLC4 in HQ:

• Deploy an SSID called voip-5ghz-XX. This will be VLAN 15. WLC IP information is in table 3. DHCP is on Cat1 and should give out the callmanager option for the CME router 10.10.210.20.
• Allow only 5 GHz connections on this SSID.
• Use 802.11i encryption and ensure that Cisco 7925 phones can roam seamlessly.
  o Phone uses EAP-FAST authentication. On your ACS, configure the user phone with password of ipexpert.
  o Test it from your AnyConnect.
• Make sure your phones have enough time to authenticate on the ACS so they don’t accidentally time out while retrieving the PACs. Allow at least 20 seconds to pass before giving up.
• Only support 802.11e on this SSID, and 7925 phones should get Platinum QoS treatment.
• The 802.11e clients with this SSID will get mapped with an 802.1p value of 5 when they hit the wired network.
• Support 27 voice streams. Only configure the data rates necessary. The Deployment Guide specifies the following data rates:
  o 802.11b - Basic = 11, Optional = None
  o 802.11g - Basic = 12, Optional = 18,24
  o 802.11a - Basic = 12, Optional = 18,24
  o 802.11b/g - Basic = 11, Optional = 12,18,24
  The Cisco APs support up to 27 calls, so there is no need for any speeds greater than 24 Mbps.
  o 13 Streams = 6 Mbps
  o 20 Streams = 12 Mbps
  o 27 Streams = 24 Mbps
• Use your AnyConnect client to test the connectivity. You should be able to ping the CME router from the desktop after connecting. It should work from the AnyConnect client on the PC.

You are at the end of this marathon. It is a bit long, and somewhat longer than the actual lab, especially chapter 4, but the wording can slow you down as it might on the actual lab. So I hope this was a good exercise. Do this lab many, many times to practice speed, and work on things you want to study in the meantime.
Technical Verification and Support
To verify your configurations please review the Volume 1 Detailed Solutions Guide that you received along with this Workbook. You can also find this document in the eBook section of your www.IPexpert.com account.

Support is also available in the following ways:

IPexpert Support: www.OnlineStudyList.com
IPexpert Blog: blog.ipexpert.com
Proctor Labs Hardware Support: [email protected]
Lab 2: CCIE Wireless version 2 8 hour training Lab

1. Configure and troubleshoot wired infrastructure to support WLANs
2. Configure and Troubleshoot Infrastructure Application Services
3. Configure and Troubleshoot Autonomous deployment model
4. Configure and Troubleshoot Unified deployment model
5. Configure and Troubleshoot WCS
6. Configure and Troubleshoot WLAN Services

Lab Overview

This lab will test your knowledge of several items of the CCIE Wireless blueprint version 2. The wording in the lab questions might seem extra hard because it is meant to prepare the candidate to read between the lines.

The network and WLCs are partly pre-configured in order to save time, but some of the configurations have to be altered to meet the exam requirements. The fact that the WLCs are pre-configured doesn’t mean that there are no tasks where you have to rectify wrong pre-configs or make some small changes, both on the WLCs and the network. Those are all part of solving this lab.

Throughout this lab you may expect to rectify basic IP connectivity issues on more than one occasion. This is meant to prepare the candidate not to take anything for granted and to stay focused while the lab tries to confuse you.

This lab will use ALL equipment in the Lab 2 topology. Refer to the names of the equipment on that topology.

When configuring WLANs/SSIDs, the lab refers to SSID-XX; replace XX with your pod number, where POD01 is for example SSID-01.
Estimated Time to Complete: 2 hours
Unless otherwise indicated, use “admin” for usernames and “IPexpert123” for passwords.

It is strongly advised to read the whole lab over before you start configuring, and to read each section over briefly to refresh. In some sections, some later tasks are better done first.
Estimated time to complete: 8 hours
Mock Lab 2: Topology
Lab 2: Pre-Lab Setup

• Physically connect and configure your network according to Diagram 1. The switches are pre-configured with some VLANs and IP addresses.

Lab 2: Prerequisites

• This lab will focus on the network infrastructure. You will need to preconfigure the network with the base configuration files.
• If using your own hardware:
  o Login to IPexpert.com, navigate to the “eBooks/Downloads” area, download “IPexpert Wireless Volume 2 Configs,” find the Lab 2 INITIAL Configs, and copy and paste the proper switch files to the proper devices.
• If you are using Proctor Labs:
  o Log on to your Wireless vRack Web UI and navigate to near the top of the web page, click the “Load Lab” button and choose: IPexpert WIFI Volume 2 Workbook Lab 2 INITIAL
Lab 2: Tables

Table 1: VLAN and Subnet Table

VLAN  VLAN Name      Subnet         Netmask
5     Servers        10.10.210.0    /24
10    HQSwitchMgmt   10.10.10.0     /24
11    HQGuest1       10.10.11.0     /24
12    HQData1        10.10.12.0     /25
13    HQData2        10.10.13.0     /25
14    HQData3        10.10.14.0     /25
15    HQVoice1       10.10.15.0     /24
16    HQVoice2       10.10.16.0     /24
17    HQData4        10.10.17.0     /24
18    HQWiredGuests
20    MOSwitchMgmt   10.10.20.0     /25
21    MOGuest1       10.10.21.64    /26
22    MOData1        10.10.22.128   /26
23    MOVoice1       10.10.23.192   /26
32    HQData1-2      10.10.12.128   /25
33    HQData2-2      10.10.13.128   /25
34    HQData3-2      10.10.14.128   /25
105   HQService      10.10.105.0    /24
110   HQAAPMgmt      10.10.110.0    /24
111   HQLWAP1        10.10.111.0    /24
112   HQLWAP2        10.10.112.0    /24
113   HQLWAP3        10.10.113.0    /24
114   HQLWAP4        10.10.114.0    /24
120   MOAPMgmt       10.10.120.128  /26
121   MOLWAP1        10.10.121.192  /26
999   VLAN999
Table 2: Device IP Addresses

Device  Port   Connected to  Connected port  IP Address
CAT1    NA     NA                            10.10.10.2
CAT2    NA     NA                            10.10.10.3
CAT3    NA     NA                            10.10.10.4
CAT4    NA     NA                            10.10.20.1
ACS     NIC1   CAT2          Fa0/11          10.10.210.5
WCS     NIC1   CAT2          Fa0/11          10.10.210.6
CME     Fa0/0  CAT1          Fa0/4           10.10.210.20, 10.10.205.20 (Loop)
MSE     Eth0   CAT2          Fa0/11          10.10.210.10
WLC1    Po1    CAT2          Gi0/1           10.10.111.10
WLC2    Po1    CAT3          Gi0/1           10.10.112.10
WLC3    Po1    CAT4          Fa0/1           10.10.120.140
WLC4    Po1    CAT2          Fa0/15          10.10.112.20
AAP1    Gi0    CAT1          Fa0/2           10.10.110.100
AAP2    Fa0    CAT3          Fa0/2           10.10.110.101
LAP1    Gi0    CAT1          Fa0/1           10.10.113.x
LAP2    Fa0    CAT2          Fa0/2           10.10.114.x
LAP3    Gi0    CAT3          Fa0/3           10.10.114.x
LAP4    Gi0    CAT4          Fa0/4           10.10.121.x
LAP5    Fa0    CAT4          Fa0/5           10.10.121.x
Lab 2: 8 Hour CCIE Wireless v2 Mock Lab

Task 1: Configure and troubleshoot wired infrastructure to support WLANs

1.1 Basic network details

• To reach any internet (i.e. behind WAN / non-local) resource, switches from the headquarters should use Cat2 as gateway, since Cat2 has the right static route towards outside.
• When you need to create an interface on a WLC, use the last digit of the management interface to determine the last digit of your dynamic interface. For example, a WLC with a management IP on 10.10.110.10 will have all its dynamic interfaces ending in .10.
• Connectivity between all Cat switches should be fine. The Cat4 default gateway should not be specified with an IP address but with an outgoing interface on Cat4.
• The 3 client VLANs are split in 2 between Cat1 and Cat2. Make sure that the Catalysts do not operate on those VLANs as load-balanced gateways, and configure OSPF routing to make sure every switch is aware of those subnets. OSPF should use a loopback interface to identify itself to other routers, and Cat1 should be the designated router. OSPF updates should only be sent through VLAN 10 when possible.
• Make sure that only the necessary VLANs are allowed on each trunk port.
1.2 QoS

• Make sure that every port has the right QoS configuration. We want to trust layer 3 tagging of traffic on all ports susceptible to transport voice traffic.
• The traffic from the headquarters should preserve its QoS tagging across the WAN link to the remote office. It seems the ISP doesn’t preserve this tagging, so make sure that the traffic is re-tagged accordingly after crossing the WAN. Skinny uses TCP port 2000 and RTP uses UDP port range 16384 to 32767. Make sure that you are as precise as possible and do not tag traffic that would not be voice traffic.
• On Cat1, ports fa0/13 to fa0/20 included will be connected with desk IP phones with laptops behind them. Those are not plugged in yet, but you need to prepare the switch port configuration so that those ports use VLAN 23 for voice traffic and VLAN 13 for the laptops. We also want those ports to be up and forwarding as soon as something is plugged into them.
1.3 Layer 2 configuration

• We want Cat1 to always be the root for all VLANs for spanning-tree purposes. In case of Cat1 failure, Cat2 has to be the one taking over the root role.
• We want Cat3 to never be root. Moreover, we want Cat3 to switch its links towards Cat2 in less than a second in case of failure of Cat1.
1.4 Time synchronization

• Make sure the two IOS access points synchronize their time with the WCS server.
• Cat1 should get its synchronization from the WCS server, but the other switches should get their synchronization from Cat1. They should do so using “IPexpert123” as authentication key.
• On the WLCs, make sure they synchronize their time with the WCS, and the synchronization should happen every 2 hours. Also make sure that the WLCs know they are in the Pacific US time zone.
1.5 MSE

• Make sure that MSE stays in time synchronization with the WCS. Also make sure that MSE will use “admin/IPexpert123!!” as credentials for WCS to connect to it.
Task 2: Configure and troubleshoot wired infrastructure to support WLANs 2.1 Lightweight APs discovery •
•
•
•
• LAP 2 and 3 must use the WCS server as DHCP server. That scope should give an IP with the last octet between 100 and 200 to the APs. They should learn the WLC 2 IP address through DNS discovery. Once joined, they should learn the IP address of WLC4 as well.
• LAP 1 should use the WCS server as DHCP server, but should discover WLC 4 through a DHCP option. That scope should give an IP with the last octet between 100 and 200 to the AP.
• LAP 4 and 5 need to learn through DHCP the IP addresses of controllers WLC 3 and 1. Cat4 should be the DHCP server for those access points.
• LAP 4 and 5 should have WLC3 as primary controller and WLC1 as secondary in case of failure of the remote office WLC.

2.2 Lightweight APs settings
• Make sure that it is possible to connect via console to all access points with the username “admin” and password “IPexpert123”.
• Make sure that the APs know which are their preferred WLCs. Use the table below:

        Primary WLC    Secondary WLC    Tertiary WLC
  LAP1  WLC4           WLC2
  LAP2  WLC2           WLC4
  LAP3  WLC2           WLC4
  LAP4  WLC3           WLC1
  LAP5  WLC3           WLC1

• Make sure that LAP1, 2 and 3 will never associate to WLC1 or WLC3.

2.3 Syslog
• Configure the autonomous access point AAP1 so that it logs the messages usually appearing on the console towards the WCS, where a syslog server is installed. The AP should use the facility “local2”.
• Configure the controllers and all lightweight access points to log towards the WCS syslog as well. Controllers should use facility local3 and APs local4. They should all log up to the warning level.

Task 3: Configure and troubleshoot Autonomous deployment model
3.1 AP logging
• When we consult the Autonomous AP logs through “show log”, we notice they don’t go back as far as we want. Double the retention capacity of the log messages shown through “show log”.

3.2 SSID configuration
• Configure a bridge SSID called “Bridge1” between AAP1 and AAP2. Make sure they use WPA2-AES to connect to each other. AAP2 should authenticate itself as “admin/IPexpert123” with EAP-FAST, and AAP1 should be the RADIUS server for this purpose. On top of the VLAN of the SSID, the bridge link should carry VLANs 11, 12 and 13. The SSID name should be visible in beacons.

3.3 Additional settings
• Make sure that AAP2 will only try to connect to AAP1. Make sure that AAP1 will only accept connections from AAP2.
• Make sure that the access points retry packets 16 times before giving up, but when they give up, they should not cause the link to go down.
• Configure the access points so that they use WMM, that they use the 802.11e QBSS and that they do the proper mapping between 802.1p CoS and 802.11e UP (where the voice tag is not the same number in the 2 standards).

Task 4: Configure and Troubleshoot Unified Deployment model
4.1 Configuring MO Office
• WLC3 is the remote office controller. WLC1 sits in the headquarters but is a dedicated controller serving as fallback for WLC3.
• The clients will be placed in VLANs 21, 22 and 23 respectively for guests, data and voice clients. You have to make sure that traffic never gets released on the headquarters side. We need to make sure that the clients will be placed in that VLAN even if the access points move to WLC1 because WLC3 went down.
• The SSID MOGuest will have a pre-shared key “IPexpert123” using standards with the best RC4-based encryption, as well as a web authentication portal hosted on the controller itself.
• The SSID MOData will use the best encryption standard available and will authenticate users against ACS.
• The SSID MOVoice will use a Cisco-proprietary fast roaming mechanism and the best encryption/authentication standard among those that have no fast-roaming mechanism of their own. The Cisco-proprietary fast roaming mechanism should not be mandatory to use the SSID.

4.2 Configuring Headquarter Office
• WLC 2 and 4 should be configured with the same WLANs.
• HQData SSID should use enterprise-class authentication with 802.11i encryption. It should not forward traffic into any valid subnet until the user authenticates, at which point it will select the VLAN depending on the user group. User “admin” belongs to user group “department1”; user “john” belongs to department2 and user “lisa” to department3. Users from group “department1” should be granted access to VLAN 12 or 32 depending on where they connect from (users connecting through WLC2 should use lower numbered VLANs and users connecting through WLC4 should use higher numbered VLANs). Users from group “department2” should be given access to VLAN 13 or 33 depending on the same conditions, and users from group “department3” to VLAN 14 or 34. Users should have their identity re-verified every 60 minutes and they should not be able to use a static IP address. Since we know that old clients will use this SSID, the WLC should not monitor or take action when clients refuse to roam and stay connected at very bad signal strength. Clients of this SSID should not be able to exchange files between themselves directly.
• HQVoice SSID should use a shared-key authentication with RSN encryption. It should balance the clients between VLAN 15 and 16.
• HQGuest SSID should have no layer 2 security, a web authentication portal and place clients in vlan11.

4.3 Configuring Guest solution
• We need clients connected to a switchport that sits on VLAN 18 to be intercepted and presented with the web authentication login page that is configured internally on WLC1. This VLAN should not be allowed in the Core switches Cat1 and Cat2 and should stay at the access layer. They should get an IP address in the subnet 10.10.11.x. Configure port fa0/12 on Cat3 for such guest usage. Cat2 should be the DHCP server for VLAN 11.

Task 5: Configure and Troubleshoot WCS
5.1 Adding WLCs
• Add all WLCs to WCS.
• They should be managed with SNMPv3 and should refuse any version 2 connection attempt.
• They should be free of any community configuration and be configured with v3 username and password admin/IPexpert12345 and the strongest encryption mechanism.

5.2 Adding Mobility Services
• Create a building with one floor and create a map for that floor. The environment is a warehouse with the ceiling 20 feet high and APs placed 12 feet high. Place the APs in every corner of the map. You can find the floor image in the WCS c:\FTP\ folder.
• Add MSE to WCS with both location and intrusion detection service activated. Synchronize it with the map and controllers.

5.3 Configuring WCS
• Make sure that rogue APs can be seen on the map.
• Select a rogue on the map and make sure that no alerts will be sent about that rogue again and that it will not be contained by your access points.

Task 6: Configure and troubleshoot WLAN services
6.1 Radio management
• WLC1 and 3 are the only WLCs that may manage Medium Office access points, while WLC 2 and 4 are the only ones to manage Headquarters access points. Make sure that WLC 2 and 4 talk to each other (but not to 1 and 3) to elect the RF leader and make RF decisions, while WLC1 and 3 talk to each other but not to 2 and 4 for those decisions.
• All WLCs should:
  o Support all data rates above 11 Mbps (included) on 2.4 GHz, 11 Mbps being the only mandatory rate.
  o Increase the power (if possible) on an AP if 5 clients are detected to be sticking with low signal.
  o Never bring an AP transmission power lower than 1 dBm.
  o Support all data rates above 12 Mbps (included) on 5 GHz, 12 Mbps being the only mandatory rate.
  o Support beamforming on 11n-class access points when dealing with 11a/g clients.
  o Lower the APs' transmission power if several surrounding APs are heard at -67 or louder.
  o Support phones and devices that make their transmit power variable depending on AP power level.
  o When selecting a channel for an AP, take into account the load of other Cisco APs as well as rogues in the deployment (for example, 2 APs could be on the same channel next to each other if they have relatively low load).
  o If CleanAir APs, thanks to their CleanAir chipset, detect a specific source of interference, this should count in the algorithm's decision on whether it is worth changing channel immediately.

6.2 Controller Security
• Make sure that only management subnets (VLANs 5, 111, 112, and 120 as well as the 10.10.0.0/24 subnet) can talk to WLC1. It should be inaccessible from any other subnet.

6.3 Voice settings
• Ensure that both voice SSIDs follow the usual VoWLAN recommendations, such as:
  o It must support the phones sending tagged voice UP traffic.
  o They should allow phones to sleep and only wake up every 2 beacons for broadcast buffered traffic.
  o The APs should not do off-channel scanning (for RRM, rogue scanning purposes etc.) in the 200 ms after they last received a voice-tagged frame (and only in this case).
  o The AP should block phones from initiating a new call if there is not enough bandwidth available and should therefore reserve 10% of its bandwidth for roaming devices.
  o For the medium access parameters, do not use the 802.11e parameters but optimize the channel access timers for Voice. Also limit the amount of wireless retries.
Technical Verification and Support
To verify your configurations please review the Volume 1 Detailed Solutions Guide that you received along with this Workbook. You can also find this document in the eBook section of your www.IPexpert.com account. Support is also available in the following ways:
IPexpert Support: www.OnlineStudyList.com
IPexpert Blog: blog.ipexpert.com
Proctor Labs Hardware Support: [email protected]

Lab 3: CCIE wireless version 2 8 hour training Lab 3
1.0 Configure and troubleshoot wired infrastructure to support WLAN's
2.0 Configure and Troubleshoot Infrastructure Application Services
3.0 Configure and Troubleshoot Autonomous deployment model
4.0 Configure and Troubleshoot Unified deployment model
5.0 Configure and Troubleshoot WCS
6.0 Configure and Troubleshoot WLAN Services

Lab Overview
This lab will test your knowledge on several items of the CCIE Wireless blueprint version 2. The wording in the lab questions might seem tricky, but it is meant to prepare the candidate to read between the lines. The network and WLCs are partly pre-configured, but some of the configuration has to be altered to meet the exam requirements. The fact that the WLCs are pre-configured doesn’t mean that there are no tasks where you have to rectify wrong pre-configs or make some changes, on the WLCs, the APs and the network. Those are all part of solving this lab. Throughout this lab you may expect to rectify basic IP connectivity issues. In this lab and the real lab we cannot take anything for granted and must stay focused.
This lab will use all equipment in the LAB 1: topology. Refer to the names of the equipment on that topology. Rectify names according to Table 2.
When configuring WLANs/SSIDs, if the lab refers to SSID-XX, replace XX with your pod number; for example, POD01 uses SSID-01.
Unless otherwise indicated, use “admin” for usernames and “IPexpert123” for passwords. When not specifically mentioned, use the 2.4 GHz frequency.
It is strongly advised to read the whole lab before you start configuring, and to read each section over briefly to refresh your memory. In some sections, some later tasks would better be done first.
Tip: WCS templates may seriously speed things up!
Estimated Time to Complete: 8 hours

Mock Lab 3: Topology
[Topology diagram not recoverable from extraction. Labels that survive: Internet, WAN, Cat1, Cat2, Cat3, Cat4, CME, WLC1, WLC2, WLC3, WLC4, ACS/WCS/MSE/Test PC, AAP1, AAP2, LAP1 to LAP5; hardware models 5508, 2504, 3502i, 1262N, 1242AG and 1042N.]

Lab 3: Pre-Lab Setup
Physically connect and configure your network according to Diagram 1. The switches are pre-configured with some VLANs and IP addresses.

Lab 3: Prerequisites
This lab will rely on the network infrastructure. You will need to pre-configure the network with the base configuration files.
If using your own hardware: Log in to IPexpert.com, navigate to the “My Downloads” area, download “IPexpert Wireless Volume 1 Configs,” find the Lab 3 INITIAL Configs, and copy and paste the proper switch files to the proper devices.
If you are using Proctor Labs: Log on to your Wireless vRack Web UI and, near the top of the web page, click the “Load Lab” button and choose: IPexpert WIFI Volume 2 Workbook -> Lab 3 -> INITIAL

Lab 3: Tables
Table 1: VLAN and Subnet Table

  VLAN  VLAN Name      Subnet          Netmask
  5     Servers        10.10.210.0     /24
  10    HQSwitchMgmt   10.10.10.0      /24
  11    HQGuest1       10.10.11.0      /24
  12    HQData1        10.10.12.0      /24
  13    HQData2        10.10.13.0      /24
  14    HQData3        10.10.14.0      /24
  15    HQVoice1       10.10.15.0      /24
  16    HQVoice2       10.10.16.0      /24
  17    HQData4        10.10.17.0      /24
  20    MOSwitchMgmt   10.10.20.0      /25
  21    MOGuest1       10.10.21.64     /26
  22    MOData1        10.10.22.128    /26
  23    MOVoice1       10.10.23.192    /26
  105   HQServicePort  10.10.105.0     /24
  110   HQAAP          10.10.110.0     /24
  111   HQWLC1         10.10.111.0     /24
  112   HQWLC2         10.10.112.0     /24
  113   HQLAP1         10.10.113.0     /24
  114   HQLAP2         10.10.114.0     /24
  120   MOWLC1         10.10.120.128   /26
  121   MOLAP1         10.10.121.192   /26
  131   HOAP           192.168.100.0   /24
  999   VLAN999        n/a             n/a

Table 2: Device IP Addresses

  Device  Port   Connected to  Connected port  IP Address
  CAT1    NA     NA                            10.10.10.2
  CAT2    NA     NA                            10.10.10.3
  CAT3    NA     NA                            10.10.10.4
  CAT4    NA     NA                            10.10.20.1
  ACS     NIC1   CAT2          Fa0/11          10.10.210.5
  WCS     NIC1   CAT2          Fa0/11          10.10.210.6
  CME     Fa0/0  CAT1          Fa0/4           10.10.210.20, 10.10.205.20 (Loop)
  MSE     Eth0   CAT2          Fa0/11          10.10.210.10
  WLC1    Po1    CAT2          Gi0/1           10.10.111.10
  WLC2    Po1    CAT3          Gi0/1           10.10.112.10
  WLC3    Po1    CAT4          Fa0/1           10.10.120.140
  WLC4    Po1    CAT2          Fa0/15          10.10.112.20
  AAP1    Gi0    CAT1          Fa0/2           10.10.110.100
  AAP2    Fa0    CAT3          Fa0/2           10.10.110.101
  LAP1    Gi0    CAT1          Fa0/1           10.10.113.x
  LAP2    Fa0    CAT2          Fa0/2           10.10.114.x
  LAP3    Gi0    CAT3          Fa0/3           10.10.114.x
  LAP4    Gi0    CAT4          Fa0/4           10.10.121.x
  LAP5    Fa0    CAT4          Fa0/5           10.10.121.x

Lab 3: 8 hour CCIE wireless v2 Mock LAB
1.0 Configure and troubleshoot wired infrastructure to support WLAN's

L2 switching in HQ:
To prepare your network we need to take extra care that the network is properly set up. All future configurations with wireless components will rely on the network. Please bear in mind that most wireless issues are related to the network. The Proctor Labs lab environment will have some preconfigured equipment. It is up to you to change the configuration according to the requirements in this lab.
• Cat1 will handle all VLANs and distribute them to Cat2. Cat3 will also get all VLAN changes from Cat1.
• Use MD5 encryption to protect the VLAN database on your 3 switches.
  o Use ipexpert123 as the MD5 secret. Domain is ipexpert.
  o Create the VLANs in table 1 for your HQ switches.
• Cat1 should be the root for all VLANs.
• Cat2 should be the root for all VLANs if the root fails.
• Do not configure Cat3 for the last question above.
  o From Cat3, “show” commands should give the correct outcome to see where the root bridges are. Cat1 should be seen as root for all VLANs and Cat2 will be the backup path. Prove that the backup path works by testing.
• Configure the 2 links between Cat1 and Cat2 to appear as one STP instance.
  o Use a method that has no negotiation.

L3 routing:
• Site HQ: Do not configure or change anything that is not requested by the lab.
• Cat1's SVI always has the first IP address from each VLAN network.
• Cat2's SVI always has the second IP address in each VLAN network.
• For the Cat3 VLAN10 SVI, use IP address 10.10.10.4/24.
• VLAN 5 IP configuration should not be changed.
• VLAN10 IP configuration should not be changed (HQSwitchMgmt).
• Create the SVIs on your appropriate HQ switches and ensure you have connectivity between all L3 interfaces. Refer to table 1 for the VLAN IDs.
• HQ, MO have different VTP domains as can be seen in table 1. VLANs should flow between all 3 switches in the HQ.
• Create a Loopback99 interface on your CAT1 with IP 10.99.99.99/32.
  o Use a link-state, open-standard routing protocol to advertise Loopback99 to CAT2.
  o Only advertise Loopback99 in your configuration.
  o Don't summarize the classful networks in your routing domain.
• VLAN 12 should be redundant for CAT1 and CAT2.
  o On CAT1 and CAT2, use a Cisco proprietary method to create a redundant SVI for VLAN 12.
  o The VLAN 12 virtual IP should be the next available IP address after CAT1 and CAT2.
  o CAT1 should always be the primary router for VLAN12, and in case of failure it should revert back when things go back to normal.
• Create a redundant DHCP pool for VLAN12 on CAT1 and CAT2:

MO routing and switching:
• Create VLANs and SVIs for CAT4 according to table 1. CAT4 SVIs always use the first IP address per SVI. Create MO SVIs from Table 1.
• CAT4 should be ready to serve VLAN configuration to other switches. Protect the database IPexpert-MO with the password ipexpert.123
• CAT4 should not participate in routing updates and exchange routing tables with HQ. CAT4 should be able to reach any network on HQ. On HQ you need to advertise all the networks belonging to CAT4 MO. Use your routing protocol to accomplish this in your HQ switches.

QOS:
• On all routers and switches, trust layer 2 and layer 3 QoS markings where appropriate.
• Tune your CoS to DSCP mapping (and vice versa) as Cisco best practices recommend:
  o VoIP SCCP AVVID gets a value of 24 (CS3) instead of the default 26 (AF31).
  o VoIP RTP stream gets a value of 46 (EF) instead of the default 40.
• The traffic from MO should have a policy that marks Skinny traffic and RTP VoIP traffic, matched on the known RTP and Skinny (not encrypted) UDP and TCP ports.
  o Ensure the correct marking is maintained when VoIP traffic enters MO from HQ and vice versa.
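
A sketch of the classification and re-marking policy that this QOS section and the Lab 2 QoS task (re-tag voice after the WAN, do not tag non-voice traffic) both describe, written for a Catalyst 3560-class switch. It is an added example, not taken from the workbook or its solutions guide; the Skinny and RTP ports are the ones Lab 2 states, while the ACL, class and policy names and the WAN-facing interface number are assumptions to adapt to your pod.

```cisco
! Enable QoS processing globally; without it the switch neither trusts
! nor rewrites markings.
mls qos
!
! CoS-to-DSCP map: CoS 3 -> 24 (CS3), CoS 5 -> 46 (EF) instead of the
! default 40. The other six values are left at their defaults.
mls qos map cos-dscp 0 8 16 24 32 46 48 56
!
! RTP: UDP 16384-32767. Matching the range on both source and destination
! keeps unrelated UDP flows out of the voice class (assumption: the phones
! use this range at both ends of the stream).
ip access-list extended VOICE-RTP
 permit udp any range 16384 32767 any range 16384 32767
!
! Skinny (SCCP): TCP 2000 is the call-control server port, so match it
! as destination (phone to server) and as source (server to phone).
ip access-list extended VOICE-SCCP
 permit tcp any any eq 2000
 permit tcp any eq 2000 any
!
class-map match-all VOICE-RTP
 match access-group name VOICE-RTP
class-map match-all VOICE-SCCP
 match access-group name VOICE-SCCP
!
! Only the two voice classes are marked; nothing else is tagged as voice.
policy-map REMARK-VOICE
 class VOICE-RTP
  set dscp ef
 class VOICE-SCCP
  set dscp cs3
!
! Attach on ingress of the port where traffic arrives from the WAN, whose
! markings were lost in transit. FastEthernet0/24 is a placeholder.
interface FastEthernet0/24
 service-policy input REMARK-VOICE
!
! Lab 2, Cat1 phone ports: voice VLAN 23, data VLAN 13, forwarding at
! link-up, and layer 3 (DSCP) markings trusted.
interface range FastEthernet0/13 - 20
 switchport mode access
 switchport access vlan 13
 switchport voice vlan 23
 spanning-tree portfast
 mls qos trust dscp
```

`show mls qos maps cos-dscp` and `show policy-map interface` confirm the map and that the policy is attached.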
2.0 Configure and Troubleshoot Infrastructure Application Services

NTP:
• Use the NTP server on WCS to synch time for all your network devices, including the WLCs. WCS is 10.10.210.6
• Controllers should synch time every 2 hours.
• CAT1 should be the NTP master for all switches and routers. For routers and switches: use password "ipexpert" for NTP authentication. Use EST timezone -5.
• CAT1 should answer NTP requests only on VLAN10 and only allow switches and routers in your network to synch time with CAT1. CAT2 uses its VLAN5 IP, CAT4 uses its VLAN20 IP and CAT3 uses its VLAN10 IP address for NTP communications.
• Don't forget the autonomous APs! Configure them to use the same time settings, with CAT1 as the NTP server. No security is needed for the autonomous APs. Use IP information from Table 2 for the APs.

AP management: HQ
• LAP2 (f0/2 on CAT2) and LAP3 (F0/3 on CAT3) should discover WLC2 and WLC4 with DNS (not option 43).
  o APs should be on VLAN1134
  o LAPs default gateway is 10.10.114.1
  o Default name to the name in table 1. Subnets for those APs are listed in table 2. Configure your network accordingly.
  o Use your Microsoft DHCP and DNS server to accomplish this.
  o DNS suffix for your APs subnet should be LAPs.proctorlabs.com
  o Exclude the range from 1 to 20 and 200 to 254.
  o Microsoft DHCP/DNS server is 10.10.210.6
• Make sure that WLC2 will be the primary and WLC4 the secondary controller for LAP2, and that WLC4 is the primary controller for LAP3 with WLC2 as the secondary controller. Mobility group should be named HQ2 for WLC2 and HQ4 for WLC4. WLCs should have the same RF group HQ-WLC2-and-4
• LAP4 and LAP5 should join WLC4 with DHCP from CAT4. Set those APs on VLAN 121 on CAT4:

Switching security:
• All LAP AP ports (present and future) should go to STP forwarding mode immediately.
• In MO, all switchports with access points should block traffic if BPDUs are advertised over the port. The same goes for all potential host ports.
• In HQ, all switchports with access points should get disabled if BPDUs are advertised over the port. This setting needs to be the default for all host switchports so it won't be forgotten in future tasks. You don't want your VMware servers on CAT2 port Fa0/11 to get potentially disabled. Let that one port bypass that default setting.
3.0 Configure and Troubleshoot Autonomous deployment model

Autonomous setup:
• A cargo company has mobile fork lifters in their warehouses. Those fork lifters will have industrial computers on board with Ethernet ports (no wireless). You need to use AAP2 to connect the industrial computer to the wireless network.
• Make a layer 2 only VLAN (VLAN 999) on the switch AAP2 is connected to, to avoid loops in your network. Override bpduguard with bpdufilter on the f0/2 port on CAT3.
• AAP2 will connect to AAP1 with 802.1x security. SSID is fork-xx. Username is lifter and password is fork. Use the 2.4 GHz frequency.
  o AAP1 will authenticate the lifter user.
• The industrial PC should be on VLAN 17. As the industrial PC is not ready yet, configure DHCP on AAP2 to see the DHCP offer working. Configure DHCP on CAT1 for VLAN17. Exclude the first 9 addresses.
  o Use the most secure option that is Cisco proprietary.
• The fork lifter is actively mobile. Ensure that it only scans non-overlapping channels in your 2.4 GHz frequency, so it uses the least time to scan channels when moving around.
• Ensure that the association is reliable, so the AP disassociates clients only when many packets are lost. Use the maximum reliable setting for the association to stay up.
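
The spanning-tree edge protections asked for under "Switching security" for HQ, together with the bpdufilter override on CAT3 f0/2 from the autonomous setup, sketched as Catalyst IOS configuration. This is an added example, not the workbook's solution; it covers the HQ switches only, and the verification commands in the trailing comments are a suggestion.

```cisco
! HQ switches (CAT1, CAT2, CAT3): global defaults, so every access port,
! present or future, inherits them without per-port configuration.
! PortFast default puts non-trunking ports into forwarding at link-up;
! BPDU guard default err-disables a PortFast port that receives a BPDU.
spanning-tree portfast default
spanning-tree portfast bpduguard default
!
! CAT2 Fa0/11 (VMware servers): exempt this one port from the BPDU guard
! default so a BPDU from a virtual switch cannot err-disable it.
interface FastEthernet0/11
 spanning-tree bpduguard disable
!
! CAT3 Fa0/2 (AAP2, the bridge side of the fork lifter link): the interface
! BPDU filter stops BPDUs from being sent or processed on this port, so
! BPDU guard never fires here. Spanning tree no longer protects this port,
! which is why the task pairs it with the layer 2 only VLAN 999.
interface FastEthernet0/2
 spanning-tree bpdufilter enable
!
! Verification, from exec mode:
!   show spanning-tree summary
!   show spanning-tree interface FastEthernet0/11 detail
!   show interfaces status err-disabled
```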
4.0 Configure and Troubleshoot Unified deployment model

WLC management:
• WLC1 has its Service Port connected to CAT1. Connect the SP on VLAN 10.
• Use DHCP from CAT2 for the SP. The SP port should always get the 10.10.10.50 address. Default gateway is 10.10.10.2; it should be pingable from the same VLAN.
• On WLC1, guests should see the name guests.proctorlabs.com. This name should resolve on your DNS server (Microsoft server 10.10.210.6) to the WLC1 virtual IP address.
• Configure appropriate VLAN interfaces per WLC according to table 3. (WLANs will be configured and explained in more detail later.)

Table 3: WLC VLANs and SSIDs

  Device  Interface   WLC IP Address    Default gateway  WLAN
  WLC1    Vlan 11     10.10.11.252/24   10.10.11.1       HQ-guests-XX
  WLC2    Management  NA                NA               HQ-guests-XX
  WLC2    Vlan 13     10.10.13.50/54    10.10.13.1       Client-Vlan-XX
  WLC2    Vlan 15     10.10.15.50/24    10.10.15.2       voip-5ghz-XX
  WLC2    Vlan 12     10.10.12.50/24    10.10.12.3
  WLC3    Vlan 22     10.10.22.130/26   10.10.22.129     MOData1-XX
  WLC4    Management  NA                NA               HQ-guests-XX
  WLC4    Vlan 13     10.10.13.51/24    10.10.13.1       Client-Vlan-XX
  WLC4    Vlan 12     10.10.12.51/24    10.10.12.3
  WLC4    Vlan 15     10.10.15.51/24    10.10.15.1       voip-5ghz-XX

VLANs on Switches should already be done and working in the first part of this LAB.
• Set up etherchannel for both interfaces on WLC2. Ensure that APs are load balanced over the layer 3 network based on source and destination IP information. Do this for all switches connected to controllers.
• VLANs on the wired network should work on the wired interfaces of each WLC.
• QoS needs to be tagged on the management VLAN of all WLCs.
• Only VLANs created on WLCs should traverse the link towards the network and vice versa.

AP Priming:
• LAP1 should join WLC3. Find a way to configure a static VLAN113 10.10.113.100 address for this AP. Manually join LAP1 to your WLC3. Default gateway is 10.10.113.1

Guests:
• For WLC1, guests will be directed out the Po2. Configure Client-Vlan11 on port1 on WLC1.
  o Use .252 for the WLC IP address. See table 3.
• WLC1 used to be connected with po1 and po2 to two separate 6509 switches with VSS configured. Now they have been replaced with 2x 3560 switches connected again the same way.
• Configure WLC1 port2 to be the primary management port connected to CAT1, and port 1 connected to CAT2. Make the management interface redundant for po1 and po2 WLC1 operation. The guest access should be redundant too.
• Configure Port 1 so no other VLANs are allowed except guests and for management redundancy purposes (4.10).
• Create the WLAN HQ-guests-xx on all HQ WLCs. HQ WLCs should transport all guest access traffic to WLC1 Vlan 11, and it should traverse by default out of Port1 on WLC1. Use SSID HQ-guests-XX. There are also complaints that users from APs on WLC2, and also other users trying to roam to APs on WLC2, don't work. This problem is seen mainly on the guest SSID. Rectify the mobility config so it will be seamless.
  o No encryption
  o Web-splash page will authenticate guest users on WLC1
• The guest SSID has to work on all APs in the HQ.
  o Guests need to reach the SSL VPN server on 10.10.210.6 even before they reach the splash page. Enable ICMP to work for that VPN server as well, for troubleshooting ease.
• Guests use DHCP on WLC1. Issue a 15 address pool starting from 10.10.11.10. DNS is 10.10.210.6
• Create a lobby admin account on WLC1 and, with this account, create a guest user that lasts for 3 days. Lobby account user is lobby, password Lobby123. Guest user is guest4, password ipexpert123
• Test the HQ-guests-xx connection from the laptop: test https://10.10.210.6 without the splash login. Then try to log in through the splash page. Before the login through the splash page, the guest should NOT be able to ping 10.10.10.3, but it should work after splash web authentication. The laptop is reachable directly with VNC on 10.10.210.4, password IPexpert123

Mobility:
• HQ users should be able to roam between all controllers. Use the default mobility names HQ1 for WLC1, HQ2 for WLC2, HQ3 for WLC3, and HQ4 for WLC4.
• All HQ WLCs should check their mobility members every 15 seconds. They should consider them dead after 60 seconds.

Interference and radio settings:
• On your 802.11g network, the 2.4 GHz channel at 2452 GHz, together with the 2 channels above and below it, is severely impacted by a nearby microwave oven located next to LAP3. These channels are unusable because of this massive interference. Make sure that your LAP3 uses the best possible 2.4 GHz frequency channel to avoid the microwave interference in the future.

AP registration security and local radius:
• MO: should only allow LAP1 to join WLC3. Ensure that only LAP1 can join WLC3.
• Create a DHCP pool for LAPs VLAN113 on CAT2. Point to WLC3. Change LAP1 to DHCP.
• Configure local RADIUS on WLC3 for WLAN MOData1. VLAN for SSID is MOData1-XX in table 3. WLC VLAN 22 IP is 10.10.22.130/26
• Use PEAP MSCHAPv2 authentication. Username localpeap, password localradius. Security is WPA 802.11i with software encryption:
• Configure DHCP on WLC3 for this SSID's clients. Give out the 131 and 132 addresses of the scope.
• Test connectivity with AnyConnect on your test PC.

Client connection testing:
• Your AnyConnect client needs to connect to the Client-Vlan13-XX WLAN in HQ. Configure your network to meet the requirements below:
• SSID Client-Vlan13-XX
  o This SSID should exist on WLC2 and WLC4. Clients should terminate at Vlan13. Table 3 shows what IP should be on your controller's VLAN13. Exempt addresses 10.10.13.1 – 10.10.13.49 and 10.10.13.59 – 10.10.13.254
  o Use WPA PSK. PSK is ipExpert.123
  o Allow CCK modulation for this SSID. Exempt 5 GHz.
  o Advertise 802.11i and pre-standard WPA in your beacons, but also enable software encryption to work over 802.11i for older clients.
  o DHCP should be set up on CAT1
• On LAP2 this SSID should use VLAN12. Don’t use HREAP. Only let this SSID go out VLAN 12 for LAP2. DHCP is the redundant IP of VLAN12 shared with CAT1 and CAT2. Gateway is the redundant IP of VLAN12.
• Test this configuration and see the IP address change on your AnyConnect client.

Rogue detection:
• Your WLC3 should detect rogue access points.
• Configure all LAPs in your HQ network to validate RF information in order to prevent spoofing of the SSID and your AP MAC addresses by man-in-the-middle attacks.
5.0 Configure and Troubleshoot WCS
WCS: Management:
• Manage all WLCs with WCS using the default method.
• The user is admin and the password IPexpert123 for all WLCs.

MAPs:
• Put your LAPs on the floor 1 map on your WCS.
• Position as many APs as you need for 2.4 GHz data coverage of your second floor. Your campus is 2 floors with a 500 x 500 feet span. You are instructed to expect a -80 dBm RSSI cutoff. Make sure you see it work on your WCS 2.4 coverage map. First create a new building in your system campus and put 2 floors in it.
• LAP2 is a 1242 with an AIR-ANT5135D-R antenna for the A band, and the antenna is slightly tilted 15° down. The AP is in the ceiling of floor 1. Let WCS know about the antenna settings. The B/G band has the same setting. LAP1 is also on floor 1 but it is at 7 feet height.
• Use WCS to disable association of all 802.11b clients in your network. Still allow OFDM clients on 2.4 GHz to connect at 9 Mbps and not less.
• When root is logged in, show the overall security score on the right side of your security page. This has to work when root is logged on.
6.0 Configure and Troubleshoot WLAN Services
Wireless Voice: •
•
•
v3150
On WLC2 and WLC4 in HQ:
Deploy a SSID called voip-5ghz-XX – This will be VLAN 15. WLC IP information in table 3. DHCP and default gateway is on CAT1 and should give out Cisco call manager option about the CME router 10.10.210.20. Exclude addresses 10.10.15.1 – 10.10.15.10 and 10.10.15.40 – 10.10.15.70 Use Table 3 for VLAN50 ip information for each Controller. Allow only 5ghz connections on this SSID. Use WPA 802.11i encryption and ensure that Cisco 7925 phones can inter o control roam seamlessly o Phone uses PEAP authentication. On your ACS configure the user phone with password of ipexpert. ACS is 10.10.210.5 user acsadmin password IPexpert123 o For ACS use NTP server 10.10.10.2 allow for this communication on your CAT1 NTP server . Time zone is EST Test it from your Anyconnect . o
• Only support 802.11e on this previously configured voice SSID and 7925 phones should get Platinum QOS treatment. 802.11e clients with this SSID will get mapped with 802.1p value of 5 when they hit the wired network.
• Only allow the necessary data rates for the phones operation in your 5 GHz band.
You are at the end of this LAB! Should I say congratulations? It has hard questions when it comes to wording. But we have to be prepared to spot what the LAB wants. This will come in handy at the actual battlefield. So I hope this was a good exercise. Do this lab many times to practice speed and work on things you want to study in the meantime.
Technical Verification and Support
To verify your configurations please review the Volume 1 Detailed Solutions Guide that you received along with this Workbook. You can also find this document in the eBook section of your www.IPexpert.com account. Support is also available in the following ways: IPexpert Support: www.OnlineStudyList.com IPexpert Blog: blog.ipexpert.com Proctor Labs Hardware Support: [email protected]
Lab 4: CCIE wireless version 2 8 hour training Lab 4
1.0 Configure and troubleshoot wired infrastructure to support WLAN's
2.0 Configure and Troubleshoot Infrastructure Application Services
3.0 Configure and Troubleshoot Autonomous deployment model
4.0 Configure and Troubleshoot Unified deployment model
5.0 Configure and Troubleshoot WCS
6.0 Configure and Troubleshoot WLAN Services

Lab Overview
This lab will test your knowledge on several items of the CCIE Wireless blueprint version 2. The wording in the LAB questions might seem tricky, but it is supposed to prepare the candidate to read in between the lines. The network and WLCs are partly pre-configured, but some of the configuration has to be altered to meet the exam requirements. The fact that the WLCs are pre-configured doesn't mean that there are no tasks where you have to rectify wrong pre-configs or make some changes, both on the WLCs, the APs and the network. Those are all part of solving this lab. Throughout this lab you may expect to rectify basic IP connectivity issues. In this lab and the real lab we cannot take anything for granted and must stay focused.

This lab will use all equipment in the LAB 4: topology. Refer to the names of the equipment on that topology. Rectify names according to Table 2. When configuring WLANs/SSIDs, if the lab refers to SSID-XX, replace XX with your pod number, where POD01 is for example SSID-01. Unless otherwise indicated, use “admin” for usernames and “IPexpert123” for passwords. When not specially mentioned, use the 2,4 GHz frequency.

It is strongly advised to read the whole LAB over before you start configuring, and to read each section briefly over to refresh your memory. In some sections some later tasks would better be done first. Tip: WCS templates may seriously speed things up!
Estimated Time to Complete: 8 hours
Mock Lab 4: Topology
Lab 4: Pre-Lab Setup
Physically connect and configure your network according to Diagram 1. The switches are pre-configured with some VLANs and IP addresses.

Lab 4: Prerequisites:
This lab will rely on the network infrastructure. You will need to pre-configure the network with the base configuration files.
If using your own hardware: Log in to IPexpert.com, navigate to the “My Downloads” area, download “IPexpert Wireless Volume 2 Configs,” find the Lab 4 INITIAL Configs, and copy and paste the proper switch files to the proper devices.
If you are using Proctor Labs: Log on to your Wireless vRack Web UI and, near the top of the web page, click the “Load Lab” button and choose: IPexpert WIFI Volume 2 Workbook → Lab 4 → INITIAL
Lab 4: Tables
Table 1: VLAN and Subnet Table

VLAN   VLAN Name       Subnet          Netmask
5      Servers         10.10.210.0     /24
10     HQSwitchMgmt    10.10.10.0      /24
11     HQGuest1        10.10.11.0      /24
12     HQData1         10.10.12.0      /24
13     HQData2         10.10.13.0      /24
14     HQData3         10.10.14.0      /24
15     HQVoice1        10.10.15.0      /24
16     HQVoice2        10.10.16.0      /24
17     HQData4         10.10.17.0      /24
20     MOSwitchMgmt    10.10.20.0      /25
21     MOGuest1        10.10.21.64     /26
22     MOData1         10.10.22.128    /26
23     MOVoice1        10.10.23.192    /26
105    HQServicePort   10.10.105.0     /24
110    HQAAP           10.10.110.0     /24
111    HQWLC1          10.10.111.0     /24
112    HQWLC2          10.10.112.0     /24
113    HQLAP1          10.10.113.0     /24
114    HQLAP2          10.10.114.0     /24
120    MOWLC1          10.10.120.128   /26
121    MOLAP1          10.10.121.192   /26
131    HOAP            192.168.100.0   /24
999    VLAN999         n/a             n/a
Table 2: Device IP Addresses

Device   Port    Connected To   Connected Port   IP Address
CAT1     NA      NA                              10.10.10.2
CAT2     NA      NA                              10.10.10.3
CAT3     NA      NA                              10.10.10.4
CAT4     NA      NA                              10.10.20.1
ACS      NIC1    CAT2           Fa0/11           10.10.210.5
WCS      NIC1    CAT2           Fa0/11           10.10.210.6
CME      Fa0/0   CAT1           Fa0/4            10.10.210.20, 10.10.205.20 (Loop)
MSE      Eth0    CAT2           Fa0/11           10.10.210.10
WLC1     Po1     CAT2           Gi0/1            10.10.111.10
WLC2     Po1     CAT3           Gi0/1            10.10.112.10
WLC3     Po1     CAT4           Fa0/1            10.10.120.140
WLC4     Po1     CAT2           Fa0/15           10.10.112.20
AAP1     Gi0     CAT1           Fa0/2            10.10.110.100
AAP2     Fa0     CAT3           Fa0/2            10.10.110.101
LAP1     Gi0     CAT1           Fa0/1            10.10.113.x
LAP2     Fa0     CAT2           Fa0/2            10.10.114.x
LAP3     Gi0     CAT3           Fa0/3            10.10.114.x
LAP4     Gi0     CAT4           Fa0/4            10.10.121.x
LAP5     Fa0     CAT4           Fa0/5            10.10.121.x
Lab 4: 8 hour CCIE wireless v2 Mock LAB
1.0 Configure and troubleshoot wired infrastructure to support WLAN's

L2 switching in HQ:
To prepare your network we need to take extra care that the network is properly set up. All future configurations with wireless components will rely on the network. Please bear in mind that most wireless issues are related to the network. The Proctor Labs LAB environment will have some preconfigured equipment. It is up to you to change configuration according to the requirements in this LAB.
• CAT1, CAT2 and CAT3 in HQ should have independent VLAN databases so no accidents can happen where incorrect VLAN information is distributed. The domain name should be ipexpert-local.
• Create the VLANs in table 1 for your HQ switches.
• CAT1 should be the root for all VLANs. Use the primary command.
• CAT2 should be the secondary root for all VLANs if the root fails. Use the secondary command.
• Do not configure CAT3 for the last question above.
  o From CAT3, show commands should give the correct outcome to see where the root bridges are. CAT1 should be seen as root for all VLANs and CAT2 will be the backup path. Prove that the backup path works by testing.
• Configure the 2 links between CAT1 and CAT2 to appear as one STP instance.
  o Use a method that has no negotiation.
L3 routing:
Site HQ:
• Do not configure or change anything that is not requested by the LAB.
• CAT1's SVI always has the first IP address in each VLAN network.
• CAT2's SVI always has the second IP address in each VLAN network.
• VLAN 10 should be .2 on CAT1 and .3 on CAT2; don't change them.
• For the CAT3 VLAN10 SVI, use IP address 10.10.10.4/24.
• VLAN 5 IP configuration should not be changed.
• Create the SVIs on your appropriate HQ switches and ensure you have connectivity between all L3 interfaces. Refer to table 1 for the VLAN IDs.
• HQ and MO have different VTP domains, as can be seen in table 1. HQ should be able to reach all networks on CAT4. CAT4 should reach any network in HQ. Don't use a routing protocol on any of your switches.
• VLAN10 on CAT1 and CAT2 is not working for some reason. Find out why and rectify.
• CAT1 will have the first IP in each SVI and CAT2 should have the second IP in each SVI (apart from VLANs already created on the switches).
• Create a DHCP pool for VLAN12 on CAT1; don't give out addresses from .1 to .60. Default gateway is .2.
MO routing and switching:
• Create VLANs and SVIs for CAT4 according to table 1.
• CAT4 should have a standalone VLAN configuration and not exchange VLAN information with other switches. VTP domain should be MO4.
QOS:
• On all routers and switches, trust layer 2 and layer 3 QOS markings where appropriate.
• Tune your COS to DSCP mapping (and vice versa) as Cisco best practices recommend:
  o VoIP SCCP AVVID gets value of 24 (CS3) instead of the default 26 (AF31).
  o VoIP RTP stream gets value of 46 (EF) instead of the default 40.
Multicast:
• MO WLC 3 should advertise a multicast group for its locally registered APs. Use 239.x.x.x where x is the last 3 digits in the MO WLC 3 Management IP.
• All CAT4 VLANs should have multicast routing enabled for CAT4. Use a method that doesn't flood your network, as it should be built for growth later. On your CAT4, use RP address of 10.99.254.254/30.
• When the IGMP timeout expires (70 seconds), the controller sends a query to all WLANs. Those clients which are listening in the multicast group should send a packet back to the controller.
• The traffic from MO should have a policy that marks skinny traffic and RTP VOIP traffic with the RTP and Skinny (not encrypted) known udp and tcp ports.
  o Ensure the correct marking is maintained when VoIP traffic enters MO from HQ and vice versa.
2.0 Configure and Troubleshoot Infrastructure Application Services
NTP:
• Use the NTP server on WCS to synch time for all your network devices including the WLCs. WCS is 10.10.210.6. Controllers should synch time every 2 hours.
  o CAT1 should be the NTP master for all switches and routers. For routers and switches: use password "ipexpert" for NTP authentication. Use EST timezone -5.
  o CAT1 should answer NTP requests only on VLAN10 and only allow switches and routers in your network to synch time with CAT1.
  o CAT2 uses VLAN5 IP, CAT4 uses VLAN20 IP and CAT3 uses VLAN10 IP address for NTP communications.
• Configure NTP for the autonomous APs. Point to CAT1 10.10.10.2 and use timezone EST -5.
AP management: HQ
• LAP2 (f0/2 on CAT2) and LAP3 (F0/3 on CAT3) should discover WLC2 and WLC4 with DHCP on CAT1. Default gateway is .1.
  o Name the APs from their default name to the name in table 1. Subnets for those APs are listed in table 2. Configure your network accordingly. This should be done for all other LAP APs.
  o Exclude the range from 1 to 20 and 200 to 254.
• Make sure that WLC2 will be primary controller for LAP2 and WLC4 primary controller for LAP3. Mobility group should be named HQ2 for WLC2 and HQ4 for WLC4. LAP2 and LAP3 need to failover if the primary controller fails. LAP2 secondary is WLC4 and LAP3 secondary is WLC2.
• LAP4 and LAP5 should join WLC3 with DHCP from CAT4. You are forbidden to enter option 43 or DNS on your MS DHCP. Also you can't use the AP CLI to manually join them. Use the network to deliver the LAP management traffic to WLC3. Set those APs on VLAN 121 on CAT4.
Switching security:
• All MO LAP AP ports should go to STP forwarding mode immediately, but don't risk spanning-tree loops later on if some switch is connected to those ports.
• In HQ, all switchports with LAP access points should block traffic if Bridge Protocol Data Units are advertised over the port.
3.0 Configure and Troubleshoot Autonomous deployment model
Autonomous setup:
• A law firm has 2 buildings. One building has a wireless bridge, AAP2, to connect to the HQ LAN through AAP1.
• Make AAP2 and AAP1 belong to the AAP management VLAN 110. The AAP2 BVI1 interface has to be reachable only over the bridge link.
• Behind AAP2, VLAN 14 needs to traverse the bridge link over to the HQ network. 10.10.14.2 is on CAT2. This will be tested as if it was behind AAP2. The end result is CAT1 pinging over the bridge link to 10.10.14.2 behind AAP2. Use 2,4 GHz.
• AAP2 will connect to AAP1 with the Cisco proprietary most secure 802.1x method. SSID is lawfirm-xx. Username is lawyer and password is fresnelzone. AAP1 will authenticate the lawyer user.
• No FTP traffic should be allowed over the bridge link during business hours, 9am to 5pm Monday – Friday.
4.0 Configure and Troubleshoot Unified deployment model
WLC management:
• On WLC1, guests should be transported from other HQ controllers to WLC1. Prepare the configuration so the WLAN can be directed directly to WLC1 in the future. WLC1 default mobility domain should be HQ1, WLC2 HQ2, WLC3 HQ3, and WLC4 HQ4.
• Configure appropriate VLAN interfaces per WLC according to table 3.
Table 3: WLC VLANs and SSIDs

Device   Interface    WLC IP Address     Default gateway   WLAN
WLC1     Vlan 11      10.10.11.252/24    10.10.11.1        HQ-guests-XX
WLC2     Management   NA                 NA                HQ-guests-XX
WLC2     Vlan 13      10.10.13.50/54     10.10.13.1        Client-Vlan-XX
WLC2     Vlan 15      10.10.15.50/24     10.10.15.1        voip-6ghz-XX
WLC3     Vlan 22      10.10.22.130/26    10.10.22.129      MOData1-XX
WLC4     Management   NA                 NA                HQ-guests-XX
WLC4     Vlan 13      10.10.13.51/24     10.10.13.1        Client-Vlan-XX
WLC4     Vlan 15      10.10.15.51/24     10.10.15.1        voip-6ghz-XX

VLANs on Switches should already be done and working in the first part of this LAB.
• Set up etherchannel for both interfaces on WLC2. Ensure that APs are load balanced over the layer 3 network based on source and destination IP information.
• QOS needs to be tagged on the management VLAN of all WLCs.
• Only VLANs created on the WLCs should traverse the link towards the network and vice versa.
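
The rows of Table 1 and Table 3 can be cross-checked before any controller interface or DHCP scope is configured, which also gives the static addresses a DHCP pool must avoid. The script below is an added example, not part of the workbook or its solutions guide; the function names are hypothetical, and it assumes the HQ rule from the L3 routing tasks (CAT1 holds the first and CAT2 the second IP of each VLAN).

```python
import ipaddress

# Rows copied from Table 1, limited to the VLANs that Table 3 references.
VLAN_SUBNETS = {
    11: "10.10.11.0/24",
    13: "10.10.13.0/24",
    15: "10.10.15.0/24",
    22: "10.10.22.128/26",
}

# Rows copied verbatim from Table 3: (device, VLAN, interface address, gateway).
WLC_INTERFACES = [
    ("WLC1", 11, "10.10.11.252/24", "10.10.11.1"),
    ("WLC2", 13, "10.10.13.50/54", "10.10.13.1"),
    ("WLC2", 15, "10.10.15.50/24", "10.10.15.1"),
    ("WLC3", 22, "10.10.22.130/26", "10.10.22.129"),
    ("WLC4", 13, "10.10.13.51/24", "10.10.13.1"),
    ("WLC4", 15, "10.10.15.51/24", "10.10.15.1"),
]

# Assumption: only HQ VLANs follow the "CAT1 first IP, CAT2 second IP" SVI rule.
HQ_VLANS = {11, 13, 15}


def check_interfaces(rows=WLC_INTERFACES, subnets=VLAN_SUBNETS):
    """Return (device, vlan, problem) for every Table 3 row that does not fit Table 1."""
    findings = []
    for device, vlan, cidr, gateway in rows:
        net = ipaddress.ip_network(subnets[vlan])
        try:
            iface = ipaddress.ip_interface(cidr)
        except ValueError:
            # Covers malformed addresses and prefix lengths above 32.
            findings.append((device, vlan, f"invalid address/prefix {cidr}"))
            continue
        if iface.network != net:
            findings.append((device, vlan, f"{cidr} is not in {net}"))
        if ipaddress.ip_address(gateway) not in net:
            findings.append((device, vlan, f"gateway {gateway} is not in {net}"))
    return findings


def static_hosts(vlan, rows=WLC_INTERFACES, subnets=VLAN_SUBNETS):
    """Collect the statically assigned addresses inside one VLAN, sorted."""
    net = ipaddress.ip_network(subnets[vlan])
    hosts = set()
    if vlan in HQ_VLANS:
        hosts.update({net.network_address + 1, net.network_address + 2})
    for _device, row_vlan, cidr, gateway in rows:
        if row_vlan == vlan:
            # Use the host part only, so a bad prefix does not hide the address.
            hosts.add(ipaddress.ip_address(cidr.split("/")[0]))
            hosts.add(ipaddress.ip_address(gateway))
    return sorted(hosts)


def dhcp_exclusions(vlan):
    """Collapse the static addresses into the fewest contiguous (low, high) ranges."""
    ranges = []
    for ip in static_hosts(vlan):
        if ranges and int(ip) == int(ranges[-1][1]) + 1:
            ranges[-1][1] = ip
        else:
            ranges.append([ip, ip])
    return [(str(low), str(high)) for low, high in ranges]


if __name__ == "__main__":
    for finding in check_interfaces():
        print("CHECK", *finding)
    for vlan in sorted(VLAN_SUBNETS):
        print("VLAN", vlan, "exclude", dhcp_exclusions(vlan))
```

Each range returned by `dhcp_exclusions` maps to one excluded-address entry on whichever DHCP server serves that VLAN.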
AP Priming:
• LAP1 should have redundant WLCs, WLC2 and WLC4. WLC4 is primary. Join the AP manually from its console but allow for it to get a DHCP address from CAT2. Refer to Table 2 for IP information and VLAN. Default gateway is 10.10.113.2.
• Users with Apple computers complain that they can't switch SSIDs on their computers. The WLC reports they are connected but the client doesn't seem to notice. Rectify the issue with one setting on all controllers.
Guests:
• WLC1 guest for VLAN 11 should exit to Po2 by default but Po1 if Po2 goes down. Configure WLC1 port1 to be the primary management port connected to CAT2. Ensure that only existing VLANs traverse the switch ports.
• Guest VLAN is VLAN 12.
• Create the WLAN HQ-guests-xx on all HQ WLCs. HQ WLCs should transport all guest access traffic to WLC1 Vlan 11.
  o No encryption.
  o Don't allow static IP addressing of clients.
  o Timeout is 4 hours.
  o Do not advertise the Aironet Information Element, to avoid interoperability issues with various guest equipment.
  o Delivery traffic indication message should be every 5 beacons on 2,4 GHz connections.
  o The guest SSID has to work on all APs in the HQ.
  o Users should have the option of entering their email address on the splash page and connect after that.
• Guests use DHCP on CAT1. Issue a 15 address pool starting from 10.10.11.10. Default gateway is CAT1 SVI VLAN 11. DNS is 10.10.210.6.
• Test the connection from the Win7 PC. The PC is reachable directly with VNC from the WCS server on 10.10.210.4, password IPexpert123.
AP registration security and local radius:
• Configure your ACS to be used on WLC3 for WLAN MOData1. VLAN for the SSID is MOData1-XX in table 3. WLC VLAN 22 IP is 10.10.22.130/26.
• LAP4 should send its users to VLAN 23. Don't use AP-groups. DHCP for VLAN23 is configured on CAT4.
• Use EAP-FAST authentication. Username fast, password faster. Security is WEP 128 bit.
• Configure DHCP on your Microsoft DHCP server for the clients of the SSID above. Give out the 131 and 132 addresses of the scope. Also ensure the VLAN23 users get DHCP as well with the same parameters. Test connectivity to MOdata1-xx with AnyConnect on your test PC.
Client connection testing:
• Your AnyConnect client needs to connect to the Client-Vlan13-XX WLAN in HQ. Configure your network to meet the requirements below:
• SSID Client-Vlan13-XX
  o This SSID should exist on WLC2 and WLC4. Clients should terminate at Vlan13.
  o Table 3 shows what IP should be on your controller's VLAN13.
  o Use WPA Enterprise with AES encryption.
  o Use 802.1x security and PEAP authentication on your ACS server.
  o Username Client-peap password ipexpert123
  o DHCP server is the Microsoft DHCP server. Gateway is .1.
  o Configure the DHCP so there will be no conflict, with the least exclusions possible.
• For this SSID you have a strange requirement from your customer. He (a guy in a white coat with the mad scientific look and a very narrow interest in radio waves) shows you Spectrum Expert screenshots of square top looking waves. He mentions he doesn't want the round top waves to show in his environment, as he claims it slows down the network. Make sure that the necessary controllers have the setting to fulfill this strange request. The customer doesn't have any other explanation than this picture.
• Test this on your AnyConnect client.
Clean AIR:
• Your WLC4 should detect and report microwave ovens and Bluetooth devices on capable access points in the 2,4 GHz frequency.
• For capable access points, monitor and dynamically avoid Bluetooth and microwave oven interference. There is no requirement for anything else available. The event driven Radio resource management should be set to the highest value.
5.0 Configure and Troubleshoot WCS
WCS: Management:
• Manage all WLCs with WCS using version 2 of Simple Network Management Protocol. No other methods should be available. Use the name ipexpert.snmp for your name. Only WCS should be able to control or read the WLCs.

MAPs:
• Put LAP1, LAP2, LAP3, LAP4 and LAP5 on the Campus IPX, building1, floor1 map on your WCS. Position the APs for best location tracking. Configure your mobility services so you see live WiFi clients on your MAP. Campus is 1000 by 1000 feet. Building is 500 by 900 feet. Floor is 200 by 100 feet. Horizontal number first. MSE IP is 10.10.210.10; use an encrypted method to communicate from WCS to MSE.
• Clean air: Locate and report Clean-air interference in MSE. Gather history related to interference and client stations. Display all interferers on your WCS MAP.
6.0 Configure and Troubleshoot WLAN Services
Wireless Voice:
On WLC2 and WLC4 in HQ:
• Deploy SSID voip-6ghz-XX. Terminate at VLAN 15. WLC IP information is in table 3. DHCP is on CAT1 and should give out the callmanager option for the CME router 10.10.210.20. Default gateway is CAT1 VLAN15 SVI. Take care of IP conflict in your DHCP configuration.
  o Allow only 5 GHz connections on this SSID.
  o Use WPA encryption and ensure that Cisco 7925 phones can roam seamlessly. Your phone 7921 has load 1.3.(4). Allow for better battery usage on your CCX compatible phones.
  o Phone uses EAP-FAST authentication. On your ACS configure the user phone with password of ipexpert.
  o Test it from your AnyConnect.
• Some of your wifi phones on WLC2 and WLC4 will use SIP, and not all of them will be Cisco phones. Some might be iPhone or Android devices. You need to QOS mark the packets by recognizing SIP call setup messages no matter which TCP ports they use. Use this setting on your controller that has the voice SSID configured above.

You are at the end of LAB 4. It is a bit difficult to finish in 8 hours. The harder the training, the easier the battle. The question phrasing can slow you down, as it might do on the actual LAB. So I hope this was a good exercise. Do this lab many times to practice speed and work on things you want to improve in the meantime. I recommend having a LAB strategy in place that you practice when you take this LAB, because this LAB is built up from the blueprint sections and hopefully prepares you for the actual LAB.
Technical Verification and Support
To verify your configurations please review the Volume 1 Detailed Solutions Guide that you received along with this Workbook. You can also find this document in the eBook section of your www.IPexpert.com account. Support is also available in the following ways: IPexpert Support: www.OnlineStudyList.com IPexpert Blog: blog.ipexpert.com Proctor Labs Hardware Support: [email protected]
Lab 5: CCIE Wireless v2 8 hour training
1.0 Configure and troubleshoot wired infrastructure to support WLAN's
2.0 Configure and Troubleshoot Infrastructure Application Services
3.0 Configure and Troubleshoot Autonomous deployment model
4.0 Configure and Troubleshoot Unified deployment model
5.0 Configure and Troubleshoot WCS
6.0 Configure and Troubleshoot WLAN Services

Lab Overview
This lab will test your knowledge on several items of the CCIE Wireless blueprint version 2. In this lab we use a scoring system of maximum 100 points. 85 points and above will be considered a pass. A good idea is to define and use your LAB exam strategy to practice and fine tune to prepare for the real battle. This will help in your time management, which is essential to pass!

This lab will use all equipment in the LAB 1: topology. Refer to the names of the equipment on that topology. When configuring WLANs/SSIDs, if the lab refers to SSID-XX, replace XX with your pod number, where POD01 is for example SSID-01. Unless otherwise indicated, use “admin” for usernames and “IPexpert123” for passwords.
Estimated Time to Complete: 8 hours
Mock Lab 5: Topology
Lab 5: Pre-Lab Setup
Physically connect and configure your network according to Diagram 1. The switches are pre-configured with some VLANs and IP addresses.

Lab 5: Prerequisites:
This lab will rely on the network infrastructure. You will need to pre-configure the network with the base configuration files.
If using your own hardware: Log in to IPexpert.com, navigate to the “My Downloads” area, download “IPexpert Wireless Volume 1 Configs,” find the Lab 3 INITIAL Configs, and copy and paste the proper switch files to the proper devices.
If you are using Proctor Labs: Log on to your Wireless vRack Web UI and, near the top of the web page, click the “Load Lab” button and choose: IPexpert WIFI Volume 2 Workbook → Lab 5 → INITIAL
Lab 5: Tables
Table 1: VLAN and Subnet Table

VLAN   VLAN Name       Subnet          Netmask
5      Servers         10.10.210.0     /24
10     HQSwitchMgmt    10.10.10.0      /24
11     HQGuest1        10.10.11.0      /24
12     HQData1         10.10.12.0      /24
13     HQData2         10.10.13.0      /24
14     HQData3         10.10.14.0      /24
15     HQVoice1        10.10.15.0      /24
16     HQVoice2        10.10.16.0      /24
17     HQData4         10.10.17.0      /24
20     MOSwitchMgmt    10.10.20.0      /25
21     MOGuest1        10.10.21.64     /26
22     MOData1         10.10.22.128    /26
23     MOVoice1        10.10.23.192    /26
105    HQServicePort   10.10.105.0     /24
110    HQAAP           10.10.110.0     /24
111    HQWLC1          10.10.111.0     /24
112    HQWLC2          10.10.112.0     /24
113    HQLAP1          10.10.113.0     /24
114    HQLAP2          10.10.114.0     /24
120    MOWLC1          10.10.120.128   /26
121    MOLAP1          10.10.121.192   /26
131    HOAP            192.168.100.0   /24
999    VLAN999         n/a             n/a
Table 2: Device IP Addresses

Device   Port    Connected To   Connected Port   IP Address
CAT1     NA      NA                              10.10.10.2
CAT2     NA      NA                              10.10.10.3
CAT3     NA      NA                              10.10.10.4
CAT4     NA      NA                              10.10.20.1
ACS      NIC1    CAT2           Fa0/11           10.10.210.5
WCS      NIC1    CAT2           Fa0/11           10.10.210.6
CME      Fa0/0   CAT1           Fa0/4            10.10.210.20, 10.10.205.20 (Loop)
MSE      Eth0    CAT2           Fa0/11           10.10.210.10
WLC1     Po1     CAT2           Gi0/1            10.10.111.10
WLC2     Po1     CAT3           Gi0/1            10.10.112.10
WLC3     Po1     CAT4           Fa0/1            10.10.120.140
WLC4     Po1     CAT2           Fa0/15           10.10.112.20
AAP1     Gi0     CAT1           Fa0/2            10.10.110.100
AAP2     Fa0     CAT3           Fa0/2            10.10.110.101
LAP1     Gi0     CAT1           Fa0/1            10.10.113.x
LAP2     Fa0     CAT2           Fa0/2            10.10.114.x
LAP3     Gi0     CAT3           Fa0/3            10.10.114.x
LAP4     Gi0     CAT4           Fa0/4            10.10.121.x
LAP5     Fa0     CAT4           Fa0/5            10.10.121.x
Lab 5: 8 hour CCIE wireless v2 Mock LAB
1.0 Configure and troubleshoot wired infrastructure to support WLAN's

L2 switching in HQ:
The Proctor Labs LAB environment will have some preconfigured equipment. It is up to you to change configuration according to the requirements in this LAB.
• CAT1, CAT2 and CAT3 in HQ should have independent VLAN databases so no accidents can happen where incorrect VLAN information is distributed. The domain name should be ipexpert-standalone.
• Configure the 2 links between CAT1 and CAT2 to appear as a 2 gigabit connection.

L3 routing:
• Site HQ: Do not configure or change anything that is not requested by the LAB.
  o CAT1's SVI always has the first IP address in each VLAN network.
  o CAT2's SVI always has the second IP address in each VLAN network.
  o VLAN 10 should be .2 on CAT1 and .3 on CAT2; don't change them.
  o For the CAT3 VLAN10 SVI, use IP address 10.10.10.4/24.
  o VLAN 5 IP configuration should not be changed.
  o CAT1 needs to reach WCS. Don't use a routing protocol to accomplish this.
• CAT2 needs to reach all networks on MO. Use EIGRP. MO should have a default route distributed via the routing protocol. Let only the SVI interfaces be advertised in your EIGRP configuration.
  o Use the DHCP pool for VLAN12 on CAT1; don't give out addresses from .1 to .60. Default gateway is .2.
• CAT4 should be ready to exchange and serve VLAN configuration to other switches. VTP domain should be MO4. Prepare VLAN22 for IPv6 connectivity using IPv6 with DHCP functionality on CAT4. This will be needed later for clients connecting to the WLC3 MOData1-xx SSID.
  o Use any link local address you like.
QOS:
• On all routers and switches, trust layer 2 and layer 3 QOS markings where appropriate. Between switches trust layer 2 QOS tagging.
• Tune your COS to DSCP mapping (and vice versa) as Cisco best practices recommend:
  o VoIP SCCP AVVID gets value of 24 (CS3) instead of the default 26 (AF31).
  o VoIP RTP stream gets value of 46 (EF) instead of the default 40.
Multicast:
• MO WLC 3 should advertise a multicast group for its locally registered APs. Use 239.x.x.x where x is the last 3 digits in the MO WLC 3 Management IP.
• All CAT4 VLANs should have multicast routing enabled for CAT4. Use a method that doesn't flood your network, as it should be built for growth later. On your CAT4, use RP address of 10.99.254.254/30.
• When the IGMP timeout expires (70 seconds), the controller sends a query to all WLANs. Those clients which are listening in the multicast group should send a packet back to the controller.
• The traffic from MO should have a policy that marks skinny traffic and RTP VOIP traffic with the RTP and Skinny (not encrypted) known udp and tcp ports. Ensure the correct marking is maintained when VoIP traffic enters MO from HQ and vice versa.
• There will be phones on CAT3 ports 12-19. Voice VLAN is 16. We don't trust marking over the “cloud” network between MO CAT4 and HQ CAT2. We need to ensure that voice traffic (skinny and sccp) will be marked correctly between MO and HQ. Make a policy that marks this traffic correctly.
2.0 Configure and Troubleshoot Infrastructure Application Services
NTP:
• Use the NTP server on WCS to synch time for all your network devices including the WLCs. WCS is 10.10.210.6. Controllers should synch time every 2 hours.
• CAT1 should be the NTP master for all switches and routers. For routers and switches: use password "ipexpert" for NTP authentication. Use EST timezone -5. Use authentication for your switches.
• CAT1 should answer NTP requests only on VLAN10 and only allow switches and routers in your network to synch time with CAT1. CAT2 uses VLAN10 IP, CAT4 uses VLAN20 IP and CAT3 uses VLAN10 IP address for NTP communications.
• Allow your ACS 10.10.210.5 to use the NTP on WCS.
• Fix any connectivity issues on WLC1 and other WLCs if there is a problem reaching the NTP server.
• Configure NTP for the autonomous APs. Point to CAT1 10.10.10.2 and use timezone EST -5. Fix any network connectivity issues the AAPs might have.
AP management: HQ
• LAP2 (f0/2 on CAT2) and LAP3 (F0/3 on CAT3) should discover WLC2 and WLC4 with DHCP on CAT1. Default gateway is .1.
• Name the APs from their default name to the name in table 1. Subnets for those APs are listed in table 2. Configure your network accordingly. Exclude the range from 1 to 20 and 200 to 254.
• Make sure that WLC2 will be primary controller for LAP2 and WLC4 primary controller for LAP3. Mobility group should be named HQ2 for WLC2 and HQ4 for WLC4.
• LAP2 and LAP3 need to failover between those controllers if the primary controller fails. Make sure APs fall back to their primary controller when possible. Fix any network issues that the WLCs might have.
• LAP4 and LAP5 should join WLC3. LAP4 with DHCP from your CAT4 DHCP server. LAP5 should have a manually configured IP of 10.10.121.210, and WLC3 needs to be manually entered for LAP5 to join WLC3. LAP4 and LAP5 are the only APs allowed to join WLC3 with authentication from the ACS server. Set those APs on VLAN 121 on CAT4.
• Some parts are preconfigured and need to work. The network might need to be rectified to meet the requirements. Rename the access points to reflect Table 2.
Switching security:
• All MO LAP AP ports should go to STP forwarding mode immediately with minimum risk.
• In HQ, all switchports with LAP access points should get an IP address in the fastest way possible, and also block traffic if Bridge Protocol Data Units are advertised over the port. This should be default for all host ports.
3.0 Configure and Troubleshoot Autonomous deployment model
Autonomous setup:
• A customer company has 2 autonomous APs, AAP1 and AAP2.
• AAP1 will connect to WLC1 as a WGB (SSID WGB-xx).
• AAP1 connects to APs on WLC4 on LAP1. Join LAP1 to WLC4.
• Terminate the AAP1 access on WLC1 VLAN11 port 1 (on CAT2).
• For SSID WGB-xx use WPA2 Advanced Encryption Standard with PSK of cisco!cisco
• DHCP is on CAT1. Use 2,4 GHz for this.
• WLC1 default group should be HQ1 and WLC5 default mobility group should be HQ5.
• Avoid loops in your network.
• CAT2 should be able to ping AAP1. Set 10.10.11.3 on the AAP1 BVI1 interface.
• Exempt vlan11 on the AAP1 trunk port to ensure the ping will flow wirelessly from CAT2 to the AAP1 BVI1 interface through LAP1.
• Fix any BPDU issues that AAP1 might have, but don't change the defaults configured before.
• AAP1 will connect users on the 5 GHz radio using SSID aap1-xx and 802.11i encryption.
• AAP2 connects to the aap1-xx SSID as a WGB and will use VLAN 12 through AAP1.
• Use EAP-FAST between the APs with authentication stored on ACS.
• The AAP2 BVI1 interface should get a DHCP VLAN12 address from CAT1 and be able to ping 10.10.12.1 and vice versa.
• Filter vlan 12 from the CAT3 AAP2 trunk port.
• EAP-FAST username is fast-xx, password fast.
• aap1-xx clients will have WPA2 configured but some don't support encryption in hardware. Advertise the necessary IE in your beacons to support hardware and software encryption.
• On 5 GHz, UNII-I is severely interfered. Don't use UNII-I.
• The WGB 5 GHz radio is getting a lot of “Reached maximum retries” in its logs and the link is disconnecting frequently. Make the link as reliable as possible so it disconnects less often.
4.0 Configure and Troubleshoot Unified deployment model
WLC management:
• In HQ, guests should be transported from the other HQ controllers to WLC1. Prepare the configuration so the guest WLAN traffic can be directed directly to WLC1 in the future. WLC1 default mobility domain should be HQ1, WLC2 HQ2, and WLC4 HQ4.
• Configure appropriate VLAN interfaces per WLC according to Table 3.
Table 3: WLC VLANs and SSIDs

| Device | Interface | WLC IP Address | Default gateway | WLAN |
|---|---|---|---|---|
| WLC1 | Vlan 11 | 10.10.11.252/24 | 10.10.11.1 | HQ-guests-XX |
| WLC2 | Management | NA | NA | HQ-guests-XX |
| WLC2 | Vlan 13 | 10.10.13.50/54 | 10.10.13.1 | Client-Vlan-XX |
| WLC2 | Vlan 15 | 10.10.15.50/24 | 10.10.15.1 | voip-6ghz-XX |
| WLC3 | Vlan 22 | 10.10.22.130/26 | 10.10.22.129 | MOData1-XX |
| WLC4 | Management | NA | NA | HQ-guests-XX |
| WLC4 | Vlan 13 | 10.10.13.51/24 | 10.10.13.1 | Client-Vlan-XX |
| WLC4 | Vlan 15 | 10.10.15.51/24 | 10.10.15.1 | HQ-guests-XX |
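A pre-check worth running before the interfaces are configured, added here as an example that is not part of the workbook: it validates each Table 3 address against its gateway and checks the guest DHCP range (15 addresses from 10.10.11.10, per the Guests tasks) against the static VLAN 11 hosts named in this lab. The function names are hypothetical.

```python
import ipaddress

# Rows transcribed from Table 3; Management rows (NA addresses) are omitted.
TABLE3 = [
    ("WLC1", "Vlan 11", "10.10.11.252/24", "10.10.11.1"),
    ("WLC2", "Vlan 13", "10.10.13.50/54", "10.10.13.1"),
    ("WLC2", "Vlan 15", "10.10.15.50/24", "10.10.15.1"),
    ("WLC3", "Vlan 22", "10.10.22.130/26", "10.10.22.129"),
    ("WLC4", "Vlan 13", "10.10.13.51/24", "10.10.13.1"),
    ("WLC4", "Vlan 15", "10.10.15.51/24", "10.10.15.1"),
]

def check_plan(rows):
    """Return (device, interface, problem) tuples for an addressing plan."""
    findings, owners = [], {}
    for device, ifname, cidr, gateway in rows:
        try:
            iface = ipaddress.ip_interface(cidr)
        except ValueError:
            findings.append((device, ifname, f"invalid address or prefix: {cidr}"))
            continue
        net = iface.network
        if ipaddress.ip_address(gateway) not in net:
            findings.append((device, ifname, f"gateway {gateway} outside {net}"))
        if iface.ip in (net.network_address, net.broadcast_address):
            findings.append((device, ifname, f"{iface.ip} is not a host address"))
        # Remember the first owner of each address so duplicates are reported.
        first = owners.setdefault(iface.ip, (device, ifname))
        if first != (device, ifname):
            findings.append((device, ifname, f"{iface.ip} duplicates {first[0]} {first[1]}"))
    return findings

def dhcp_pool(first, count):
    """Addresses handed out by a pool of `count` leases starting at `first`."""
    start = ipaddress.ip_address(first)
    return [start + i for i in range(count)]

def pool_conflicts(pool, static_hosts):
    """Static addresses that fall inside the DHCP pool and need excluding."""
    statics = {ipaddress.ip_address(h) for h in static_hosts}
    return sorted(statics.intersection(pool))

if __name__ == "__main__":
    for finding in check_plan(TABLE3):
        print(*finding)
    # VLAN 11 statics from the lab text: CAT1 SVI, AAP1 BVI1, WLC1 interface.
    guest_pool = dhcp_pool("10.10.11.10", 15)
    print(pool_conflicts(guest_pool, ["10.10.11.1", "10.10.11.3", "10.10.11.252"]))
```

Run against the table as printed, it reports the /54 on the WLC2 Vlan 13 row, which is not a valid IPv4 prefix length, and finds no static VLAN 11 host inside the guest range.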
VLANs on switches should already be done and working from the first part of this lab.
• Set up EtherChannel for all WLC2 connected interfaces. Ensure that APs are load balanced correctly.
• QoS needs to be tagged on all the WLCs.
• Your MO WLC3 controller should do the DCA changes at 9:00, 17:00 and 01:00 for 2.4 GHz.
AP Priming:
• On WLC4 scan all available channels for rogues. LAP3 should find rogues as soon as possible.
• WLC1 guest portal should say “Welcome to IPexpert guest network”. Guests should be able to ping 10.10.120.140 without web authentication.
• Guests on WLC1 set to the bronze QoS queue should get a maximum of 100 Kbps for real-time traffic.
• Rogue APs should be treated as major alarm SNMP traps on WCS.
• WCS sends email about rogue APs to [email protected] from the address [email protected] and email server 20.20.20.20. Send controller information with your message.
• Don't send information about power level changes on your WLC3 radios.
Guests:
• WLC3 uses the same default mobility domain as WLC4, but no redundancy or roaming is needed between the controllers.
• Configure WLC1 port1 to be the primary management port connected to CAT2. Guests on VLAN 11 should go out of port1.
• Ensure that only existing VLANs traverse the switch ports.
• Guest VLAN is VLAN 11. Make the setup redundant for management and guests.
• Create the WLAN HQ-guests-xx on all HQ WLCs. HQ WLCs should transport all guest access traffic to WLC1 VLAN 11. No encryption.
• Don't allow static IP addressing of clients. Timeout is 4 hours.
• Do not advertise the Aironet Information Element, to avoid interoperability issues with various guest equipment.
• The guest SSID has to work on all APs in the HQ.
• Users should have the option of entering their email address on the splash page and connecting after that. QoS profile is bronze.
• Users need to be able to roam between all controllers in HQ.
• Guests use DHCP on CAT1. Issue a 15 address pool starting from 10.10.11.10. Default gateway is CAT1 SVI VLAN 11. DNS is 10.10.210.6
• Test the guest connection from the laptop. The laptop is reachable from the WCS server with VNC at 10.10.210.4, password IPexpert123.
AP registration security and local radius:
• Configure your ACS to be used on WLC3 for WLAN MOData1-XX in Table 3. WLC VLAN 22 IPv4 is 10.10.22.130/26. Test IPv6 connectivity on your client.
• Use EAP-FAST authentication. Username fast, password faster. Security is prestandard WPA with hardware encryption. ACS user is acsadmin, password IPexpert123
Management:
• WLC4 should be authenticated by TACACS on the ACS server. Use admin and password of tacacs for administrators. Also create a lobby admin user lobby, password lobby.123. After TACACS is working, change the admin password to IPexpert123 in ACS.
Clean AIR:
• Your WLC4 should detect and report microwave ovens and Bluetooth devices on capable access points in the 2.4 GHz frequency. For capable access points, monitor and report Bluetooth and microwave oven interference. There is no requirement for anything else available.
• The event-driven Radio Resource Management should be set to the lowest value.
5.0 Configure and Troubleshoot WCS
WCS: Management:
• Administer all WLCs with WCS using the most secure Simple Network Management Protocol. No other methods should be available. User WCS with password ipexpert.snmp.123$ for your authentication.
MAPs:
• Locate all WiFi clients that live on the Campus IPX, building1, floor1 map on your WCS. Position the APs for best location tracking. Campus is 1000 by 1000 feet. Building is 500 by 900 feet. Floor is 200 by 100 feet. Horizontal number first. MSE IP is 10.10.210.10; use an encrypted method to communicate from WCS to MSE.
Clean Air:
• Locate and report CleanAir interference in MSE (show icons and zone of impact). Gather a 1 day report from your campus regarding the worst interference. Save a CleanAir report on your WCS desktop. Name it cleanair.pdf
6.0 Configure and Troubleshoot WLAN Services
Wireless Voice:
• On WLC2 and WLC4 in HQ: Deploy SSID VoIP-XX. Terminate at VLAN 15. WLC IP information is in Table 3.
• DHCP is on CAT1. Default gateway is CAT1 VLAN15 SVI. Take care of IP conflicts in your DHCP configuration.
• Use 2.4 OFDM only.
• Phones on this SSID should get a maximum of 125 kbps voice traffic. Use Platinum.
• Use WPA2 encryption and ensure that Cisco 7925 phones can roam seamlessly.
• Phone uses EAP-FAST authentication. On your ACS configure the user phone with password of ipexpert. Test it from your AnyConnect.
• Company policy doesn't allow for more than 2 devices to log on to the wireless network with the same user credentials. Make it so on WLC4.