Xxipexpert Peter Saltarelli Wireless Volume 2 Workbook Complete

IPexper IPe xpert’ t’s s La Lab b Pr Preparation eparation Workbook Workbook for the Cisco® CCIE™ v2.0 Wireless Wireless Lab Exam Volume 2

IPexpert’s Workbook for the CCIE Wireless Lab Exam

Volume 2 – Workbook

IPexpert’s Lab Preparation Workbook for TM the Cisco® CCIE Wireless Lab Exam Volume 2 Before We Begin This product is part of the IPexpert "Blended Learning Solution™" that provides CCIE candidates with a comprehensive training program. For information about the full solution, contact an IPexpert Training Advisor today. Telephone: +1.810.326.1444 Email: [email protected] TM

Congratulations! You now possess one of the ULTIMATE CCIE Wireless Lab preparation resources available today! This resource was produced by senior engineers, technical instructors, and authors boasting decades of internetworking experience. Although there is no way to guarantee a 100% success rate on the CCIETM Wireless Lab exam, we feel VERY confident that your chances of passing the Lab will improve dramatically after completing this industry-recognized Workbook!

Technical Support from IPexpert and your CCIE community!

IPexpert is proud to lead the industry with multiple support options at your disposal free of charge. Our online communities have attracted a membership of over 20,000 of your peers from around the world! At Blog.IPexpert.com you can keep up to date with everything IPexpert does, as well as start your own CCIE-focused blog or simply add your existing blog to our directory so your peers can find you. At OnlineStudyList.com, you may subscribe to multiple “SPAM-free”, CCIEfocused email lists.

v3150

Copyright © by IPexpert, Inc. All Rights Reserved.

1



Feedback Do you have a suggestion or other feedback regarding this book or other IPexpert products? At IPexpert, we look to you – our valued clients – for the real world, frontline evaluation that we believe is necessary to improve continually. Please send an email with your thoughts to [email protected] or [email protected] or call 1.866.225.8064 (international callers dial +1.810.326.1444). TM

TM

In addition, when you pass the CCIE Lab exam, we want to hear about it! Email your CCIE number to [email protected] [email protected] and and let us know how IPexpert helped you succeed. We would like to send you a gift of thanks and congratulations.

Additional CCIETM Preparation Material TM

IPexpert, Inc. is committed to developing the most effective Cisco CCIE R&S, Security, Service Provider, Voice and Wireless Lab certification preparation tools available. Our team of certified networking professionals develops the most up-to-date and comprehensive materials for networking certification, including self-paced workbooks, online Cisco hardware rental, classroom training, online (distance learning) instructor-led training, audio products, and video training materials. Unlike other certification-training providers, we employ the most experienced and accomplished team of experts to create, maintain and constantly update our products. At TM IPexpert, we are focused on making your CCIE Lab preparation more effective.

A message from the Author(s): The scenarios covered in this workbook were developed by Wireless CCIEs to help you prepare for the Cisco CCIE Wireless laboratory. It is strongly recommended that you use other reading materials in addition to this w orkbook. Training is not the CCIE Wireless workbook objective. The intent of these labs is to test your knowledge and ability of implementing Cisco Enterprise Wireless Solutions. Time management is very important, if you get stuck on a lab scenario be sure to write it down. Formulate a Checklist for skipped sections and then return to those sections once you have gone through the entire lab. Be sure to revisit the questions that you do not understand.

For more information on the CCIE Wireless lab, please visit http://www.cisco.com/web/learning/le3/ccie/index.html and and click on the link for Wireless on the top-right of the page.

Helpful Hints • •

• •

v3150

Keep It Simple, try to avoid any extra work (example: adding descriptions) Always reference everything from the Documentation Website: http://www.cisco.com/cisco/web/psa/default.html?mode=prod Know your SRNDs well http://www.cisco.com/go/srnd Save your router configurations often (wr is the quickest command)


2



IPEXPERT END-USER LICENSE AGREEMENT END USER LICENSE FOR ONE (1) PERSON ONLY IF YOU DO NOT AGREE WITH THESE TERMS AND CONDITIONS, DO NOT OPEN OR USE THE TRAINING MATERIALS.

This is a legally binding agreement between you and IPEXPERT, the “Licensor,” from whom you have licensed the IPEXPERT training materials (the “Training Materials”). By using the Training Materials, you agree to be bound by the terms of this License, except to the extent these terms have been modified by a written agreement (the “Governing Agreement” ) signe d by you (o r the party that h as licen sed th e Traini ng Mate rials fo r you r use) and an exe cutive officer of Licensor. If you do not agree to the License terms, the Licensor is unwilling to license the Training Materials Materials to you. In this event, you may not use the Training Materials, and you should promptly contact the Licensor for return instructions. The Training Materials shall be used by only ONE (1) INDIVIDUAL who shall be the sole individual authorized authorized to use the Training Materials throughout the term of this License.

Copyright and Proprietary Rights

The Training Materials are the property of IPEXPERT, Inc. ("IPEXPERT") and are protected by United States and International copyright laws. All copyright, trademark, and other proprietary rights in the Training Materials and in the Training Materials, Materials, text, graphics, design elements, audio, and all other materials originated by IPEXPERT at its site, in its workbooks, scenarios and courses (the "IPEXPERT Information") are reserved to IPEXPERT. IPEXPERT. The Training Materials cannot be used by or transferred to any other person. You may not rent, lease, loan, barter, sell or time-share the Training Materials or accompanying documentation. You may not reverse engineer, decompile, or disassemble the Training Materials. Materials. You may not modify, or create derivative works based upon the Training Materials in whole or in part. You may not reproduce, store, upload, post, transmit, download or distribute in any form or by any means, electronic, mechanical, mechanical, recording or otherwise any part of the Training Materials and IPEXPERT Information Information other than printing out or downloading portions of the text and images for your own personal, non-commercial use without the prior written permission of IPEXPERT. You shall observe copyright and other restrictions imposed by IPEXPERT. You may not use the Training Materials or IPEXPERT Information Information in any manner that infringes the rights of any person or entity. Exclusions of Warranties

THE TRAINING MATERIALS AND DOCUMENTATION ARE PROVIDED “AS IS.” LICENSOR HEREBY DISCLAIMS ALL OTHER WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, INCLUDING WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. SOME STATES DO NOT ALLOW THE LIMITATION OF INCIDENTAL DAMAGES OR LIMITATIONS ON HOW LONG AN IMPLIED WARRANTY LASTS, SO THE ABOVE LIMITATIONS OR EXCLUSIONS MAY NOT APPLY TO YOU. This agreement gives you specific legal rights, and you may have other rights that vary from state to state. Choice of Law and Jurisdiction

This Agreement shall be governed by and construed in accordance with the laws of the State of Michigan, without reference to any conflict of law principles. You agree that any litigation or other proceeding between you and Licensor in connection with the Training Materials shall be brought in the Michigan state or courts located in Port Huron, Michigan, and you consent to the jurisdiction of such courts to decide the matter. The parties agree that the United Nations Convention on Contracts for the International Sale of Goods shall not apply to this License. If any provision of this Agreement is held inva lid, the rema inder of th is License shall contin ue in full fo rce and e ffect

v3150


3



Limitation of Claims and Liability

ANY ACTION ON ANY CLAIM AGAINST IPEXPERT MUST BE BROUGHT BY THE USER WITHIN ONE (1) YEAR FOLLOWING THE DATE THE CLAIM FIRST ACCRUED, OR SHALL BE DEEMED WAIVED. IN NO EVENT WILL THE LICENSOR’S LIABILITY UNDER, ARISING OUT OF, OR RELATING TO THIS AGREEMENT EXCEED THE AMOUNT PAID TO LICENSOR FOR THE TRAINING MATERIALS. LICENSOR SHALL NOT BE LIABLE FOR ANY SPECIAL, INCIDENTAL, INDIRECT, OR CONSEQUENTIAL DAMAGES, HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, REGARDLESS OF WHETHER LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. WITHOUT LIMITING THE FOREGOING, LICENSOR WILL NOT BE LIABLE FOR LOST PROFITS, LOSS OF DATA, OR COSTS OF COVER. Entire Agreement

This is the entire agreement between the parties and may not be modified except in writing signed by both parties.

U.S. Government - Restricted Rights The Training Materials and accompanying documentation are “commercial computer Training Materials” and “commercial computer Training Materials documentation,” respectively, pursuant to DFAR Section 227.7202 and FAR Section 12.212, as applicable. Any use, modification, reproduction release, performance, display, or disclosure of the Training Materials and accompanying documentation by the U.S. Government shall be governed solely by the terms of this Agreement and shall be prohibited except to the extent expressly permitted by the terms of this Agreement. IF YOU DO NOT AGREE WITH THE ABOVE TERMS AND CONDITIONS, DO NOT OPEN OR USE THE TRAINING MATERIALS AND CONTACT LICENSOR FOR INSTRUCTIONS ON RETURN OF THE TRAINING MATERIALS.

v3150


4



IPexpert’s Mock Lab training exam for TM the Cisco® CCIE Wireless Lab Exam – Volume 2 NOTE

You are encouraged to take advantage of the knowledge and support from your peers around the globe. Join onlinestudylist.com to get more community support and also official support from IPexpert.

v3150


5



!"#$% '( )'*+%*+, !"#$"#%& #()*+,#% -!.#(,# /0%##1#(& 222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222223

"#$ %&"' ()*"#&" +,' ,#" -./ 0"'&,# ,#(1 22222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222223

!"#" %&'()*+(*, - .(/,)01,(2 .034,/""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" 5 -/4 56 ..!# 7!%#-#,, 8#%,!9( : ; / < =9+% &%/!(!(0 -/4 2222222222222222222222222222222222222222222222222222222222 55 19.> -/4 56 &9"9-90? 22222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222 5: -/4 56 "%#*-/4 ,#&+" 222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222 53 -/4 56 "%#%#@+!,!&#,6 2222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222 53 -/4 56 &/4-#, 2222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222 5A

456(" .7 8(5# 5#$ &%6#"4 456(" 222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222 .9 456(" :7 $"8)*" )0 5$$'"&&"& 22222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222 .; -/4 56 < =9+% ..!# 7!%#-#,, 8: 19.> -/4 22222222222222222222222222222222222222222222222222222222222222222222222222222222222222222 5B

.2<

*,#+)=%'" 5#$ 4',%6("&>,,4 ?)'"$ )#+'5&4'%*4%'" 4, &%00,'4

?(5#@& 2222222222222222222222222 .A

:2< 32< 92<

*,#+)=%'" 5#$ 4',%6("&>,,4 )#+'5&4'%*4%'" 500()*54),# &"'8)*"& 2222222222222222222222222222222222222222222222.B *,#+)=%'" 5#$ 4',%6("&>,,4 5%4,#,C,%& $"0(,1C"#4 C,$"( 222222222222222222222222222222222222222222222222222222222 .D *,#+)=%'" 5#$ 4',%6("&>,,4 %#)+)"$ $"0(,1C"#4 C,$"( 22222222222222222222222222222222222222222222222222222222222222222222 .D

456(" 37 ?(* 8(5#& 5#$ &&)$ & 222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222 :< ;2< *,#+)=%'" 5#$ 4',%6("&>,,4 ?*& 22222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222 :3 A2<

*,#+)=%'" 5#$ 4',%6("&>,,4 ?(5# &"'8)*"& 2222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222 :9

-/4 :6 ..!# 7!%#-#,, 8#%,!9( :C / < =9+% &%/!(!(0 -/4 222222222222222222222222222222222222222222222222222222222222 :B 19.> -/4 :6 &9"9-90? 22222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222 :< -/4 :6 "%#*-/4 ,#&+" 222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222 :D -/4 :6 "%#%#@+!,!&#,6 2222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222 :D -/4 :6 &/4-#, 2222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222 3E

456(" .7 8(5# 5#$ &%6#"4 456(" 222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222 3< 456(" :7 $"8)*" )0 5$$'"&&"& 22222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222 3. -/4 :6 < =9+% ..!# 7!%#-#,, 8: 19.> -/4 22222222222222222222222222222222222222222222222222222222222222222222222222222222222222222 3: &/,> 56

.9(F!0+%# /() &%9+4-#,=99& 7!%#) !(F%/,&%+.&+%# &9 ,+""9%& 7-/(, 3:

.2.

65&)* #"4?,'E $"45)(& 222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222 3:

.2: F,&2222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222 3: .23 (51"' : *,#+)=%'54),# 222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222233 .29 4)C" &1#*>',#)G54),# 2222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222233 .2; C&"222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222 33 &/,> :6

.9(F!0+%# /() &%9+4-#,=99& 7!%#) !(F%/,&%+.&+%# &9 ,+""9%& 7-/(, 3A

v3150


6



:2. ()=>4?")=>4 50& $)&*,8"'1 2222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222 39 :2: ()=>4?")=>4 50& &"44)#=&2222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222 39 :23 &1&(,= 22222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222223; &/,> 36

.9(F!0+%# /() &%9+4-#,=99& /+&9(919+, )#"-9?1#(& 19)#- 222222222222222 3G

32. 50 (,==)#= 2222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222 3; 32: &&)$ *,#+)=%'54),# 2222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222 3; 323 5$$)4),#5( &"44)#=& 222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222 3; &/,> A6

.9(F!0+%# /() &%9+4-#,=99& +(!F!#) )#"-9?1#(& 19)#- 222222222222222222222222222 3B

92. *,#+)=%')#= C, ,++)*" 222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222 3A 92: *,#+)=%')#= >"5$F%5'4"' ,++)*" 222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222 3A 923 *,#+)=%')#= =%"&4 &,(%4),# 22222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222 3H &/,> G6

.9(F!0+%# /() &%9+4-#,=99& 7., 22222222222222222222222222222222222222222222222222222222222222222222222222222222 3H

;2. 5$$)#= ?(* & 22222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222 3H ;2: 5$$)#= C,6)()41 &"'8)*"& 2222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222 3H ;23 *,#+)=%')#= ?*& 222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222 3H &/,> B6

.9(F!0+%# /() &%9+4-#,=99& 7-/( ,#%8!.#, 22222222222222222222222222222222222222222222222222222222 3<

A2. '5$), C5#5="C"#4 222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222 3B A2: *,#4',(("' &"*%')41 2222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222 3B A23 8,)*" &"44)#=& 2222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222223D -/4 36 ..!# 7!%#-#,, 8#%,!9( : 222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222 AE < =9+% &%/!(!(0 -/4 3 22222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222 AE 19.> -/4 36 &9"9-90? 22222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222 A5 -/4 36 "%#*-/4 ,#&+" 222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222 A: -/4 36 "%#%#@+!,!&#,6 2222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222 A: -/4 36 &/4-#, 2222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222 A3

456(" .7 8(5# 5#$ &%6#"4 456(" 222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222 93 456(" :7 $"8)*" )0 5$$'"&&"& 22222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222 99 -/4 36 < =9+% ..!# 7!%#-#,, 8: 19.> -/4 22222222222222222222222222222222222222222222222222222222222222222222222222222222222222222 AG

.2< *,#+)=%'" 5#$ 4',%6("&>,,4 ?)'"$ )#+'5&4'%*4%'" 4, &%00,'4 ?(5#@& 22222222222222222222222222222222222222222 9;

67 /80,140*3 0* 9:; """""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" 5< 6= )&>,0*3; """""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" 5< ?@ )&>,0*3 A*2 /80,140*3; """""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" 5B :@#; """"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" 5B :2< *,#+)=%'" 5#$ 4',%6("&>,,4 )#+'5&4'%*4%'" 500()*54),# &"'8)*"& 22222222222222222222222222222222222222222222222222 9H CDE; """"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" 5F GE +A*A3(+(*,; """""""""""""""""""""""""""""""""""""" """""""""""""""""""""""""""""""""""""""" """""""""""""""""""""""""""""""""""""""" """""""""""""""""""""""""""""""""""""""" """ 5F #80,140*3 /(1>)0,H; """"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" 5I 32< *,#+)=%'" 5#$ 4',%6("&>,,4 5%4,#,C,%& $"0(,1C"#4 C,$"( 22222222222222222222222222222222222222222222222222222222222229B G>,&*&+&>/ /(,>J; """"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" """""""""""""""""""""""""""""""""""""""" """"""""""""""""""""""""""""""""""""""""" """"""""" 5I

v3150


7



92< *,#+)=%'" 5#$ 4',%6("&>,,4 %#)+)"$ $"0(,1C"#4 C,$"( 222222222222222222222222222222222222222222222222222222222222222222222222 9D

K6L +A*A3(+(*,; """"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" 5M 456(" 37 ?(* 8(5#& 5#$ &&)$ & 222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222 9D GE E)0+0*3; """"""""""""""""""""""""""""""""""" """"""""""""""""""""""""""""""""""""""""" """""""""""""""""""""""""""""""""""""""" """""""""""""""""""""""""""""""""""""""" """""""""""""""" (/,/; """""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" )0,H A*2 P&1AP )A20>/; """""""""""""""""""""""""""""""""""" """""""""""""""""""""""""""""""""""""""" """""""""""""""""""""""""""""""""""" 3( 2(,(1,0&*; """""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" <7 ;2< *,#+)=%'" 5#$ 4',%6("&>,,4 ?*&2222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222 ;: KL#; """""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" <7 ?GE/; """""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" <= A2< *,#+)=%'" 5#$ 4',%6("&>,,4 ?(5# &"'8)*"& 22222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222;3 K0)(P(// T&01(; """""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" <= -/4 A6 ..!# 7!%#-#,, 8#%,!9( : 222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222 GG < =9+% &%/!(!(0 -/4 A 22222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222 GG 19.> -/4 A6 &9"9-90? 22222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222 GB -/4 A6 "%#*-/4 ,#&+" 222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222 GH -/4 A6 "%#%#@+!,!&#,6 2222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222 GH -/4 A6 &/4-#, 2222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222 G<

456(" .7 8(5# 5#$ &%6#"4 456(" 222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222 ;B 456(" :7 $"8)*" )0 5$$'"&&"& 22222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222 ;D -/4 A6 < =9+% ..!# 7!%#-#,, 8: 19.> -/4 22222222222222222222222222222222222222222222222222222222222222222222222222222222222222222 BE

.2< *,#+)=%'" 5#$ 4',%6("&>,,4 ?)'"$ )#+'5&4'%*4%'" 4, &%00,'4 ?(5#@& 22222222222222222222222222222222222222222 A<

67 /80,140*3 0* 9:; """""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" BN 6= )&>,0*3; """""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" BN ?@ )&>,0*3 A*2 /80,140*3; """""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" BQ :@#; """"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" BQ ?>P,01A/,"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" BQ :2< *,#+)=%'" 5#$ 4',%6("&>,,4 )#+'5&4'%*4%'" 500()*54),# &"'8)*"& 22222222222222222222222222222222222222222222222222 A: CDE; """"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" B7 GE +A*A3(+(*,; """""""""""""""""""""""""""""""""""""" """""""""""""""""""""""""""""""""""""""" """""""""""""""""""""""""""""""""""""""" """""""""""""""""""""""""""""""""""""""" """ B7 #80,140*3 /(1>)0,H; """"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" B= 32< *,#+)=%'" 5#$ 4',%6("&>,,4 5%4,#,C,%& $"0(,1C"#4 C,$"( 2222222222222222222222222222222222222222222222222222222222222A3 G>,&*&+&>/ /(,>J; """"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" """""""""""""""""""""""""""""""""""""""" """"""""""""""""""""""""""""""""""""""""" """"""""" B= 92< *,#+)=%'" 5#$ 4',%6("&>,,4 %#)+)"$ $"0(,1C"#4 C,$"( 222222222222222222222222222222222222222222222222222222222222222222222222 A3 K6L +A*A3(+(*,; """"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" B= 456(" 37 ?(* 8(5#& 5#$ &&)$ & 222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222 A9 GE E)0+0*3; """"""""""""""""""""""""""""""""""" """"""""""""""""""""""""""""""""""""""""" """""""""""""""""""""""""""""""""""""""" """""""""""""""""""""""""""""""""""""""" """""""""""""""" B5

v3150


8



%>(/,/; """""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" B< GE )(30/,)A,0&* /(1>)0,H A*2 P&1AP )A20>/; """""""""""""""""""""""""""""""""""" """""""""""""""""""""""""""""""""""""""" """""""""""""""""""""""""""""""""""" B< LP0(*, 1&**(1,0&* ,(/,0*3; """""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" BB LP(A* GR.; """"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" BB ;2< *,#+)=%'" 5#$ 4',%6("&>,,4 ?*&2222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222 AH KL#; """""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" BF ?GE/; """""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" BF A2< *,#+)=%'" 5#$ 4',%6("&>,,4 ?(5# &"'8)*"& 22222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222AH K0)(P(// T&01(; """""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" BF -/4 G6 ..!# 7!%#-#,, 8: 2222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222 BD < =9+% &%/!(!(0222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222 BD 19.> -/4 G6 &9"9-90? 22222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222 HE -/4 G6 "%#*-/4 ,#&+" 222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222 H5 -/4 G6 "%#%#@+!,!&#,6 2222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222 H5 -/4 G6 &/4-#, 2222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222 H:

456(" .7 8(5# 5#$ &%6#"4 456(" 222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222 H: 456(" :7 $"8)*" )0 5$$'"&&"& 22222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222 H3 -/4 G6 < =9+% ..!# 7!%#-#,, 8: 19.> -/4 22222222222222222222222222222222222222222222222222222222222222222222222222222222222222222 HA

.2< *,#+)=%'" 5#$ 4',%6("&>,,4 ?)'"$ )#+'5&4'%*4%'" 4, &%00,'4 ?(5#@& 22222222222222222222222222222222222222222 H9

67 /80,140*3 0* 9:; """""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" F5 6= )&>,0*3; """""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" F5 :@#; """"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" F< ?>P,01A/,"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" F< :2< *,#+)=%'" 5#$ 4',%6("&>,,4 )#+'5&4'%*4%'" 500()*54),# &"'8)*"& 22222222222222222222222222222222222222222222222222 H; CDE; """"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" F< GE +A*A3(+(*,; """""""""""""""""""""""""""""""""""""" """""""""""""""""""""""""""""""""""""""" """""""""""""""""""""""""""""""""""""""" """""""""""""""""""""""""""""""""""""""" """ FB #80,140*3 /(1>)0,H; """"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" FB 32< *,#+)=%'" 5#$ 4',%6("&>,,4 5%4,#,C,%& $"0(,1C"#4 C,$"( 2222222222222222222222222222222222222222222222222222222222222HH G>,&*&+&>/ /(,>J; """"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" """""""""""""""""""""""""""""""""""""""" """"""""""""""""""""""""""""""""""""""""" """"""""" FF 92< *,#+)=%'" 5#$ 4',%6("&>,,4 %#)+)"$ $"0(,1C"#4 C,$"( 222222222222222222222222222222222222222222222222222222222222222222222222 HB K6L +A*A3(+(*,; """"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" FI 456(" 37 ?(* 8(5#& 5#$ &&)$ & 222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222 HB GE E)0+0*3; """"""""""""""""""""""""""""""""""" """"""""""""""""""""""""""""""""""""""""" """""""""""""""""""""""""""""""""""""""" """""""""""""""""""""""""""""""""""""""" """""""""""""""" FM %>(/,/; """""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" FM GE )(30/,)A,0&* /(1>)0,H A*2 P&1AP )A20>/; """""""""""""""""""""""""""""""""""" """""""""""""""""""""""""""""""""""""""" """""""""""""""""""""""""""""""""""" FM ?A*A3(+(*,; """""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" IN LP(A* GR.; """"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" IN ;2< *,#+)=%'" 5#$ 4',%6("&>,,4 ?*&2222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222 B< KL#; """""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" IN ?GE/; """""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" IN

v3150


9



LP(A* G0); """"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" IQ A2< *,#+)=%'" 5#$ 4',%6("&>,,4 ?(5# &"'8)*"& 22222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222B. K0)(P(// T&01(; """""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" IQ

v3150


10



Lab 1: CCIE Wireless Version 2 – a 8 hour training Lab 1.0 Configure and troubleshoot wired infrastructure to support WLAN's 2.0 Configure and Troubleshoot Infrastructure Application Services 3.0 Configure and Troubleshoot Autonomous deployment model 4.0 Configure and Troubleshoot Unified deployment model 5.0 Configure and Troubleshoot WCS 6.0 Configure and Troubleshoot WLAN Services Lab Overview

This lab will test your knowledge on several items of CCIE Wireless blueprint version 2. The wording in the LAB questions might seem extra hard because they are meant to prepare the candidate to read in between the lines. The network and WLC´s are partly pre-configured in order to save time but some of the configurations have to be altered to meet the exam requirements The fact that WLC are pre-configured doesn’t mean that there are no tasks where you have to rectify wrong pre-configs or make some small changes, both on the WLC’s and the network. Those are all part of solving this lab. Throughout this lab you may expect to rectify basic IP connectivity issues on more than one occasion. This is meant to prepare the candidate not to take anything for granted and stay focused while the lab tries to confuse you. This lab will use ALL equipment in the LAB 1: topology. Refer to the names of the equipment on that topology. When configuring WLAN’s/ SSIDs. The lab refers to SSID-XX replace XX with your pod number where POD01 is for example SSID-01 Unless otherwise indicated, use “admin” for usernames and “IPexpert123” for passwords. It is strongly advised to read the whole LAB over before you start configuring. And in each section read it briefly over to refresh. In some sections some later tasks would better be done first Estimated Time to Complete: 8 hours

v3150


11



Mock Lab 1: Topology

v3150


12



Lab 1: Pre-Lab Setup Physically connect and configure your network according to Diagram 1. The switches are pre-configured with some VLANs and IP addresses.

Lab 1: Prerequisites: This lab will rely on the network infrastructure. You will need to pre-configure the network with the base configuration files. If using your own hardware: Login to IPexpert.com, navigate to the “My Downloads” area, download “IPexpert Wireless Volume 1 Configs,” find the Lab 1 INITIAL Configs, and copy and paste the proper switch files to the proper devices. If you are using Proctor Labs: Log on to your Wireless vRack Web UI and navigate to near the top of the web page, click the “Load Lab” button and choose: IPexpert WIFI Volume 2 Workbook ! Lab 1 ! INITIAL

v3150


13



Lab 1: Tables Table 1: VLAN and Subnet Table

v3150

VLAN

VLAN Name

Subnet

Netmask

5

Servers

10.10.210.0

/24

10

HQSwitchMgmt

10.10.10.0

/24

11

HQGuest1

10.10.11.0

/24

12

HQData1

10.10.12.0

/24

13

HQData2

10.10.13.0

/24

14

HQData3

10.10.14.0

/24

15

HQVoice1

10.10.15.0

/24

16

HQVoice2

10.10.16.0

/24

17

HQData4

10.10.17.0

/24

20

MOSwitchMgmt

10.10.20.0

/25

21

MOGuest1

10.10.21.64

/26

22

MOData1

10.10.22.128

/26

23

MOVoice1

10.10.23.192

/26

105

HQServicePort

10.10.105.0

/24

110

HQAAP

10.10.110.0

/24

111

HQWLC1

10.10.111.0

/24

112

HQWLC2

10.10.112.0

/24

113

HQLAP1

10.10.113.0

/24

114

HQLAP2

10.10.114.0

/24

120

MOWLC1

10.10.120.128

/26

121

MOLAP1

10.10.121.192

/26

999

VLAN999

n/a

n/a


14



Table 2: Device IP Addresses Device

Port

Connected

Connected

IP Address

CAT1

NA

NA

10.10.10.2

CAT2

NA

NA

10.10.10.3

CAT3

NA

NA

10.10.10.4

CAT4

NA

NA

10.10.20.1

ACS

NIC1

CAT2

Fa0/11

10.10.210.5

WCS

NIC1

CAT2

Fa0/11

10.10.210.6

CME

Fa0/0

CAT1

Fa0/4

10.10.210.20 10.10.205.20 (Loop)

MSE

Eth0

CAT2

Fa0/11

10.10.210.10

WLC1

Po1

CAT2

Gi0/1

10.10.111.10

WLC2

Po1

CAT3

Gi0/1

10.10.112.10

WLC3

Po1

CAT4

Fa0/1

10.10.120.140

WLC4

Po1

CAT2

Fa0/15

10.10.112.20

AAP1

Gi0

CAT1

Fa0/2

10.10.110.100

AAP2

Fa0

CAT3

Fa0/2

10.10.110.101

LAP1

Gi0

CAT1

Fa0/1

10.10.113.x

LAP2

Fa0

CAT2

Fa0/2

10.10.114.x

LAP3

Gi0

CAT3

Fa0/3

10.10.114.x

LAP4

Gi0

CAT4

Fa0/4

10.10.121.x

LAP5

Fa0

CAT4

Fa0/5

10.10.121.x

v3150


15



Lab 1: 8 hour CCIE Wireless v2 Mock LAB 1.0 Configure and troubleshoot wired infrastructure to support WLAN's

L2 switching in HQ: To prepare your network we need to take extra care that the network is

properly set up. All future configurations with wireless components will rely on the network to work. Please bear in mind that most wireless issues are related to the network. The Proctor Labs lab environment will have some preconfigured equipment. It is up to you to change configuration according to the requirements in this lab. •

•

•

•

•

Cat1 will handle all VLAN´s and distribute them to Cat2. Cat3 will also get all VLAN changes from Cat1 o Use Md5 encryption to protect the VLAN database on your 3 switches. Use ipexpert123 as the MD5 secret o Cat1 should be the root for odd numbered VLANs in the HQ Cat2 should be the root for the even numbered VLANs in the HQ Do not configure Cat3 for the last question above. From Cat3, Show commands should give the correct outcome to see o where the Root bridges are. Cat1 should be seen as root for odd numbered VLANs and Cat2 for even numbered VLANs Configure the 2 links between Cat1 and Cat2 to appear as one STP instance. Use a method that is Cisco proprietary negotiation method. o

L3 routing

Site HQ: Cat1 SVIs always have the last IP usable address from each VLAN network. Cat2 SVIs always have next IP address below in each VLAN network. VLAN 10 should be .2 on Cat1 and .3 on Cat2. Cat3 only needs SVI Interface and IP address in VLAN10 (HQSwitchMgmt). For Cat3 VLAN10 SVI, Use IP address 10.10.10.4/24. VLAN 5 is preconfigured don´t change that as that will ruin management access to your servers.

•

•

v3150

Create the SVI´s on your appropriate HQ switches and ensure you have connectivity between all L3 interfaces. Refer to table 1 for the VLAN ID´s. HQ, MO have different VTP domains as can be seen in table 1. Create a Loopback99 interface on your Cat1 with IP 10.99.99.99/32


16



Use a Cisco proprietary routing protocol to advertise Loopback99 to Cat2. o Only advertise loopback99 in your configuration. o Don´t summarize the classful networks in your routing domain. VLAN 12 should be redundant for Cat1 and Cat2 o On Cat1 and Cat2, Use a Cisco proprietary method to create a redundant SVI for VLAN 12. o The VLAN 12 virtual IP should be the next available IP address below Cat1 and Cat2. o Cat1 should always be the primary router for VLAN 12 and in case of failure it should revert back when things go back to normal. Create a DHCP pool for VLAN 12. The pool starts from .65 and ends with .125. Configure redundant DHCP pool between Cat1 and Cat2. o

•

•

MO routing and switching •

•

•

•

•

Create VLANS and SVI´s for Cat4 according to table 1. Cat4 should not exchange VLAN configuration with other switches. Cat4 should participate in routing updates and exchange routing tables with HQ. Only advertise the needed networks over the routing protocol. Cat4 SVI’s always use the first IP address per SVI. Don´t summarize the classful networks as before.

QOS •

•

•

v3150

On all routers and switches, trust layer2 and layer3 QOS markings where appropriate. Tune your COS to DSCP mapping (and vice versa) as Cisco best practices recommend o VoIP SCCP AVVID gets value of 24 (CS3) instead of the default 26 (AF31) VoIP RTP stream gets value of 46 (EF) instead of the default 40. The traffic from MO should have a policy that marks skinny traffic and RTP VOIP traffic. o Skinny is TCP port 2000 RTP traffic is UDP port range 16384 to 32767. o o It is uncertain that the ISP is marking the packets correctly over the WAN. Ensure the correct marking is maintained.


17



2.0 Configure and Troubleshoot Infrastructure Application Services

NTP •

•

•

•

•

Use NTP server on WCS to synch time for all your wireless network devices including the WLC´s. WCS is 10.10.210.6 Controllers should synch time every 2 hours. Cat1 should be the NTP master for all switches. Use password "ipexpert" for NTP authentication. Use UTC time zone 0. Cat1 should answer NTP requests only on VLAN 10 and only allow switches in your network to synch time with Cat1. Cat2 uses VLAN 5 IP, Cat4 uses VLAN 20 IP and Cat3 uses VLAN10 IP address for NTP communications. Don´t forget the autonomous AP´s!

AP management HQ •

•

•

LAP2 (f0/2 on Cat2) and LAP3 (F0/3 on Cat3) should discover WLC2 and WLC4 with DHCP (don´t use DNS). o Future AP´s will use the DHCP information to load balance new AP´s between the WLC2 and WLC4. Name the APs from their default name to the name in table 1. Subnets for those APs are listed in table 2. Configure your network accordingly o Use your Microsoft DHCP server to accomplish this. Exclude the range from 1 to 20 and 200 to 254. o o Microsoft DHCP server is 10.10.210.6 Make sure that WLC2 will be primary and WLC4 secondary Controllers for LAP2 and LAP3. Mobility group should be named HQ. LAP4 and LAP5 should join WLC4 with DNS lookup configured on Microsoft DNS. Set those APs on VLAN 121 on Cat4.

Switching security •

•

v3150

All LAP AP Ports should go to STP Forwarding mode immediately In MO, all switch ports with access points should block traffic if BPDU´s are advertised over the port.


18


•


In HQ, all switch ports with access points should get disabled if BPDU´s are advertised over the port.

3.0 Configure and Troubleshoot Autonomous deployment model

Autonomous Setup

An aluminum company has mobile cranes in their manufacturing area. Those cranes will have industrial computers on board with Ethernet ports (no wireless). You need to use AAP2 to connect the industrial computer to the wireless network •

•

•

•

Make a Layer 2 only VLAN 999 on AAP2 connected switch to avoid loops in your network. AAP2 will connect to AAP1 with 802.1x security. SSID is crane-xx Username is crane and password is aluminum. o AAP1 will authenticate the crane user. And the industrial PC should be on VLAN 17. As the industrial PC is not ready yet. Configure DHCP on AAP2 to see DHCP work. Configure DHCP on Cat1 for VLAN 17. Exclude the first 9 addresses. Use the most secure EAP option that is Cisco proprietary o The Crane is mobile. Ensure that it only scans non-overlapping channels in your 2.4 GHz frequency. So it uses the least time to scan channels when moving around. Ensure that the association reliable. So the AP disassociates clients only after 127 packets are lost.

4.0

Configure and Troubleshoot Unified deployment model

WLC management

WLC1 has its Service Port connected to Cat1. •

v3150

Connect the SP on VLAN 5. Use DHCP from Cat2 for the SP. The SP port should always get the 10.10.210.50 address. This should only work for WLC1 SP interface. Default gateway advertised by the DHCP scope should be VLAN 5 SVI on Cat1.


19


•

•

•

•


It is required that users from Cat4 MOData1 can reach this SP and manage it. Pinging that address from the MOData1 VLAN should work. Remove this configuration after you have made it work. Why? On WLC1 guests should see the name guests.proctorlabs.com in their web browser URL when doing guest authentication. This name should resolve on your DNS server (Microsoft server 10.10.210.6) to WLC1 virtual IP address. All WLC´s should have IP management Interfaces according to table 2 – Verify it is all correct. Configure appropriate VLAN interfaces per WLC according to table 3.

Table 3: WLC VLANs and SSIDs Device

Interface

WLC IP Address

Default gateway

WLAN

WLC1

Vlan 11

10.10.11.252/24

10.10.11.254

HQ-guests-XX

WLC2

Manageme

WLC1 Anchor

NA

HQ-guests-XX

WLC2

Vlan 13

10.10.13.50/54

10.10.13.254

Client-Vlan-XX

WLC2

Vlan 15

10.10.15.50/24

10.10.15.254

voip-5ghz-XX

WLC3

Vlan 22

10.10.22.130/26

10.10.22.129

MOData1-XX

WLC4

Manageme

WLC1 Anchor

NA

HQ-guests-XX

WLC4

Vlan 13

10.10.13.51/24

10.10.13.254

Client-Vlan-XX

WLC4

Vlan 15

10.10.15.51/24

10.10.15.254

voip-5ghz-XX

VLANs on Switches should already be done and working in the first part of this lab. •

•

•

•

v3150

The CLI prompt should represent each WLC. For example WLC1 Set up etherchannel for both interfaces on WLC2. Ensure that APs are load balanced across the WLC2 ports according to best practices. QOS needs to be tagged using 802.1p on the management VLAN of all WLC´s Only needed VLAN´s should traverse over to each WLC in the network.


20



AP Priming •

•

LAP2 and LAP3 should have redundant WLC´s for WLC2 and WLC4. Ensure that LAP2 will be given priority over other devices when requesting PoE.

Guests •

•

•

•

•

•

•

•

•

Configure Client-Vlan11 on port 1 on WLC1. o Use .252 for the WLC IP address. See table 3. Configure WLC1 port 2 to be the primary management port connected to Cat1. And port 1 connected to Cat2 to be redundant for the WLC1 operation. Configure port 1 so no other VLAN´s are allowed except guests and for redundancy purposes (above) Guests should be able to ping and telnet to the .254 SVI on Cat2 and nothing else. This restriction should not be applied to the WLAN. DNS and DHCP should also work for the clients. Configure the WLC1 to restrict the above mentioned access. DNS server IP is 10.10.210.6 Create the WLAN HQ-guests-xx on all HQ WLC´s. HQ WLC´s should transport all guest access traffic to WLC1 Vlan 11 and they should traverse out of Port1 on WLC1. o Use SSID HQ-guests-XX o No encryption Web-splash page will authenticate guest users locally on WLC1 o o The guest SSID has to work on all AP´s in the HQ Guests use DHCP on WLC1. Issue 15 address pool starting from 10.10.13.15 Create a lobby admin account on WLC1 and with this account, create a guest user that lasts for 4 hours. Lobby account User is lobby password Lobby123. Guest user is guest4 password ipexpert123 Test the connection from the Win7 client and test the telnet and ping connectivity. The laptop is reachable from the WCS server using VNC to 10.10.210.4 password IPexpert123

Mobility •

•

v3150

HQ users should be able to roam seamlessly between WLC2 and WLC4. This is not needed for WLC3 in MO. Use the mobility name HQ when accomplishing this. o All HQ WLC´s should check their mobility members every 15 seconds.


21



Interference and radio settings

On your 802.11g network, the 2.4 GHz channel 11 near LAP1 is unusable because of foreign interference. Join your LAP1 AP manually to WLC4 without DHCP, DNS information passed to the AP. LAP1 should belong to VLAN113. •

•

Make sure that your LAP1 uses the lowest 2,4Ghz frequency channel in the future. On all your controllers change the utilization trap to trigger at 87% in your 5 GHz radio only.

AP registration security and local radius

MO should only allow LAP4 and LAP5 to join WLC3 •

•

•

•

•

Ensure that only those AP´s can join WLC3 and no other AP´s Configure local radius on WLC3 for WLAN MOData1 VLAN for SSID is MOData1-XX in table 3. WLC VLAN 22 IP is 10.10.22.130/26 Use PEAP mschapv2 authentication. username localpeap password localradius. Security is WPA1 with software encryption: Configure DHCP on WLC3 for these SSID clients. Give out 131 and 132 addresses of the scope. Test connectivity with AnyConnect on your test PC

Client connection testing

Your AnyConnect client needs to connect to the Client-Vlan13-XX WLAN in HQ. C onfigure your network to meet the requirements below: •

•

v3150

SSID Client-Vlan13-XX o This SSID should exist on WLC2 and WLC4. Clients should terminate at Vlan13. Table 3 shows what IP goes on the Controller´s VLAN13 Use ACS and EAP-FAST authentication. The RADIUS preshared key is ipexpert123. First SSH from the windows machine with admin and IPexpert123 then configure a user acsadmin password IPexpert123. o Set you’re your ACS to use NTP at IP 10.10.210.6 Use client username tarzan with password jane o o Allow OFDM only for this SSID. Advertise 802.11i in your beacons but also enable for software encryption o to work over 802.11i for older clients. o DHCP should be set up on Cat1


22



On LAP2 this SSID should bypass the controller for data traffic and go to VLAN 12. Don´t use AP-groups to make this work. o Configure the switch connected to LAP2 to support this scenario. LAP2 should use its current VLAN for management. DHCP for VLAN 12 is on Cat1. Test this configuration and see the IP address change on your AnyConnect client. o

•

Rouge detection

Your WLC3 should detect rouge access points. •

It needs to see if Open access points (no security) are on your wired network. o We need to detect rogue APs ASAP. Also Greenfield mode AP´s. o Make sure that one of your AP´s connected to WLC3 accomplishes the above

Man-in-the-middle

Your CEO was reading an article about man in the middle attacks and is worried that your HQ Wireless system is vulnerable. •

Configure all LAPs in your HQ network to validate RF information in order to protect the integrity of your LAP APs.

5.0

Configure and Troubleshoot WCS

WCS Management •

v3150

Manage all WLC´s with WCS using the most secure method Username wcs password ipexpert.123-ipexpert.123 o Allow only this method to be used on the WLC´s o


23



Maps •

•

Put LAP2 – LAP3 on floor 1 map on your WCS. Position the AP´s for best coverage. See how AIR-ANT2450S-R antennas will perform on LAP2 2.4 GHz Radio. The antenna has also to face 25° towards the floor. Let the direction of the antenna point down the map (90°) Controllers shouldn´t send information to WCS when the APs change its power levels.

.

6.0

Configure and Troubleshoot WLAN Services

Wireless Voice

On WLC2 and WLC4 in HQ: •

•

•

•

•

•

•

v3150

Deploy a SSID called voip-5ghz-XX – This will be VLAN 15. WLC IP information in table 3. DHCP is on Cat1 and should give out callmanager option about the CME router 10.10.210.20 Allow only 5 GHz connections on this SSID. Use 802.11i encryption and ensure that Cisco 7925 phones can roam o seamlessly Phone uses EAP-FAST authentication. On your ACS configure the user o phone with password of ipexpert. o Test it from your AnyConnect. Make sure your phones have enough time to authenticate on the ACS so they don´t accidentally time-out while retrieving the PAC‘s. Allow at least 20 seconds to pass before giving up. Only support 802.11e on this SSID and 7925 phones should get Platinum QoS treatment. The 802.11e clients with this SSID will get mapped with 802.1p value of 5 when they hit the wired network. Support 27 voice streams. Only configure the data-rates necessary. Deployment Guide specifies the following data rates 802.11b - Basic = 11, Optional = None o o 802.11g - Basic = 12, Optional = 18,24 o 802.11a - Basic = 12, Optional = 18,24 802.11b/g - Basic = 11, Optional = 12,18,24 o The Cisco AP's support up to 27 calls, so there is no need for any speeds greater than 24Mbps.


24



13 Streams = 6Mbps o 20 Streams = 12Mbps o 27 Streams = 24Mbps User your AnyConnect client to test the connectivity. You should be able to ping the CME router from the desktop after connecting. It should work from the AnyConnect client on the PC. o

•

You are at the end of this marathon – it is a bit long and some longer than the a ctual lab. Especially chapter 4, but the wording can slow you down as it might do on the actual lab. So I hope this was a good exercise. Do this lab many, many times to practice speed and work on things you want to study in the meantime

Technical Verification and Support

To verify your configurations please review the Volume 1 Detailed Solutions Guide that you received along with this Workbook. You can also find this document in the eBook section of your www.IPexpert.com account. Support is also available in the following ways: IPexpert Support: www.OnlineStudyList.com IPexpert Blog: blog.ipexpert.com Proctor Labs Hardware Support: [email protected]

v3150


25



Lab 2: CCIE Wireless version 2 8 hour training Lab 1. Configure and troubleshoot wired infrastructure to support WLAN's 2. Configure and Troubleshoot Infrastructure Application Services 3. Configure and Troubleshoot Autonomous deployment model 4. Configure and Troubleshoot Unified deployment model 5. Configure and Troubleshoot WCS 6. Configure and Troubleshoot WLAN Services Lab Overview

This lab will test your knowledge on several items of CCIE Wireless blueprint version 2. The wording in the LAB questions might seem extra hard because they are meant to prepare the candidate to read in between the lines. The network and WLC’s are partly pre-configured in order to save time but some of the configurations have to be altered to meet the exam requirements. The fact that WLCs are pre-configured doesn’t mean that there are no tasks where you have to rectify wrong pre)configs or m ake some small changes, both on the WLCs and the network. Those are all part of solving this lab. Throughout this lab you may expect to rectify basic IP connectivity issues on more than one occasion. This is meant to prepare the candidate not to take anything for granted and stay focused while the lab tries to confuse you. This lab will use ALL equipment in the LAB 2: topology. Refer to the names of the equipments on that topology. When configuring WLANs/SSIDs, the lab refers to SSID-XX, replace XX with your pod number where POD01 is for example SSID-01

Estimated Time to Complete: 2 hours

v3150


26



Unless otherwise indicated, use “admin” for usernames and “IPexpert123” for password It is strongly advised to read the whole lab over before you start configuring. And in each section read it briefly over to refresh. In some sections some later tasks would better be done first.

Estimated time to complete: 8 hours

v3150


27




v3150


28



Lab 2: Pre-Lab Setup •

Physically connect and configure your network network according to Diagram 1. The switches are pre-configured with some VLANs and IP addresses.

Lab 2: Prerequisites: •

•

This lab will focus on the network infrastructure. infrastructure. You will need to preconfigure the network with the base configuration files. If using your own hardware: o

•

If you are using Proctor Labs: o

v3150

Login to IPexpert.com, navigate to the “eBooks/Downloads” area, download “IPexpert Wireless Volume 2 Configs,” find the Lab 2 INITIAL Configs, and copy and paste the proper switch files to the proper devices.

Log on to your Wireless vRack Web UI and navigate to near the top of the web page, click the “Load Lab” button and choose: IPexpert WIFI Volume 2 Workbook Lab 2 INITIAL


29




v3150

VLAN

VLAN Name

Subnet

Netmask

5

Servers

10.10.210.0

/24

10

HQSwitchMgmt

10.10.10.0

/24

11

HQGuest1

10.10.11.0

/24

12

HQData1

10.10.12.0

/25

13

HQData2

10.10.13.0

/25

14

HQData3

10.10.14.0

/25

15

HQVoice1

10.10.15.0

/24

16

HQVoice2

10.10.16.0

/24

17

HQData4

10.10.17.0

/24

18

HQWiredGuests

20

MOSwitchMgmt

10.10.20.0

/25

21

MOGuest1

10.10.21.64

/26

22

MOData1

10.10.22.128

/26

23

MOVoice1

10.10.23.192

/26

32

HQData1-2

10.10.12.128

/25

33

HQData2-2

10.10.13.128

/25

34

HQData3-2

10.10.14.128

/25

105

HQService

10.10.105.0

/24

110

HQAAPMgmt

10.10.110.0

/24

111

HQLWAP1

10.10.111.0

/24

112

HQLWAP2

10.10.112.0

/24

113

HQLWAP3

10.10.113.0

/24

114

HQLWAP4

10.10.114.0

/24

120

MOAPMgmt

10.10.120.128

/26

121

MOLWAP1

10.10.121.192

/26

999

VLAN999


30




Port

Connected

Connected

IP Address

CAT1

NA

NA

10.10.10.2

CAT2

NA

NA

10.10.10.3

CAT3

NA

NA

10.10.10.4

CAT4

NA

NA

10.10.20.1

ACS

NIC1

CAT2

Fa0/11

10.10.210.5

WCS

NIC1

CAT2

Fa0/11

10.10.210.6

CME

Fa0/0

CAT1

Fa0/4

10.10.210.20 10.10.205.20 (Loop)

MSE

Eth0

CAT2

Fa0/11

10.10.210.10

WLC1

Po1

CAT2

Gi0/1

10.10.111.10

WLC2

Po1

CAT3

Gi0/1

10.10.112.10

WLC3

Po1

CAT4

Fa0/1

10.10.120.140

WLC4

Po1

CAT2

Fa0/15

10.10.112.20

AAP1

Gi0

CAT1

Fa0/2

10.10.110.100

AAP2

Fa0

CAT3

Fa0/2

10.10.110.101

LAP1

Gi0

CAT1

Fa0/1

10.10.113.x

LAP2

Fa0

CAT2

Fa0/2

10.10.114.x

LAP3

Gi0

CAT3

Fa0/3

10.10.114.x

LAP4

Gi0

CAT4

Fa0/4

10.10.121.x

LAP5

Fa0

CAT4

Fa0/5

10.10.121.x

v3150


31



Lab 2: 8 Hour CCIE Wireless v2 Mock Lab Task 1: Configure and troubleshoot wired infrastructure to support WLANs 1.1 Basic network details •

•

•

•

•

To reach any internet (i.e. behind WAN / non-local) resource, switches from the headquarters should use Cat2 as gateway since Cat2 has the right static route towards outside. When you need to create an interface on a WLC, use the last digit of the management interface to determine the last digit of your dynamic interface. For example, a WLC with a management ip on 10.10.110.10 will have all its dynamic interfaces ending by .10 Connectivity between all Cat switches should be fine. Cat4 default gateway should not be mentioned with an IP address but with an outgoing interface on Cat4. The 3 client VLANs are split in 2 between Cat1 and Cat2. Make sure that the Catalysts do not operate on those VLANs as load-balanced gateway and configure OSPF routing to make sure every switch is aware of those subnets. OSPF should use a loopback interface to identify itself to other routers and Cat1 should be the designated router. OSPF updates should only be sent through VLAN 10 when possible. Make sure that only the necessary VLANs are allowed on each trunk ports.

1.2 QoS •

•

v3150

Make sure that every port has the right QoS configuration. We want to trust layer 3 tagging of traffic on all ports susceptible to transport voice traffic. The traffic from the headquarters should preserve its QoS tagging across the WAN link to the remote office. It seems the ISP doesn’t preserve this tagging so make sure that the traffic is re-tagged accordingly after crossing the WAN. Skinny uses TCP port 2000 and RTP uses UDP port range 16384 to 32767. Make sure that you are as precise as possible and do not tag traffic that would not be voice traffic.


32


•


On Cat1, ports fa0/13 to fa0/20 included will be connected with desk IP phones with laptops behind them. Those are not plugged in yet, but you need to prepare the switch port configuration so that those ports use VLAN 23 for voice traffic and VLAN 13 for the laptops. We also want those ports to be up and forwarding as soon as something is plugged to them.

1.3 Layer 2 configuration •

•

We want Cat1 to always be the root for all VLANs for spanning-tree purposes. In case of failure, Cat2 has to be the one taking over the root role in case of Cat1 failure. We want Cat3 to never be root. Moreover, we want Cat3 to switch its links towards Cat2 in less than a second in case of failure of Cat1.

1.4 Time synchronization •

•

•

Make sure the two IOS access points synchronize their time with the WCS server. Cat1 should get his synchronization from the WCS server but the other switches should get their synchronization from Cat1. They should do so using “IPexpert123” as authentication key. On the WLCs, make sure they synchronize their time with the WCS and the synchronization should happen every 2 hours. Also make sure that the WLCs know they are in Pacific US time zone.

1.5 MSE •

v3150

Make sure that MSE stays in time synchronization with the WCS. Also make sure that MSE will use “admin/IPexpert123!!” as credentials for WCS to connect to it


33



Task 2: Configure and troubleshoot wired infrastructure to support WLANs 2.1 Lightweight APs discovery •

•

•

•

LAP 2 and 3 must use the WCS server as DHCP server. That scope should give an IP with the last digit between 100 and 200 to the APs. They should learn WLC 2 IP address through DNS discovery. Once joined, they should learn the IP address of WLC4 as well. LAP 1 should use WCS server as DHCP server, but should discover WLC 4 through a DHCP option. That scope should give an IP with the last digit between 100 and 200 to the AP LAP 4 and 5 need to learn through DHCP the IP addresses of controllers WLC 3 and 1. Cat4 should be the DHCP server for those access points. LAP 4 and 5 should have WLC3 as primary controller and WLC1 as secondary in case of failure of the remote office WLC.

2.2 Lightweight APs settings •

•

Make sure that it is possible to connect via console to all access points with the username “admin” and password “IPexpert123” Make sure that the APs know which are their preferred WLCs. Use the table below: Primary WLC

Secondary WLC

LAP1

WLC4

WLC2

LAP2

WLC2

WLC4

LAP3

WLC2

WLC4

LAP4

WLC3

WLC1

LAP5

WLC3

WLC1

•

v3150

Tertiary WLC

Make sure that LAP1, 2 and 3 will never associate to WLC1 or WLC3.


34



2.3 Syslog •

•

Configure the autonomous access point AAP1 so that it logs the messages usually appearing on console towards the WCS where a syslog server is installed. The AP should use the facility “local2”. Configure the controllers and all lightweight access points to log as well towards the WCS syslog. Controllers should use facility local3 and APs local4. They should all log up to warning level of logs.

Task 3: Configure and troubleshoot Autonomous deployment model 3.1 AP logging •

When we consult the Autonomous AP logs through “show log”, we noticed it doesn’t go back as much as we want to. Double the retaining capacity of the logs messages shown through “show log”.

3.2 SSID configuration •

Configure a bridge SSID called “Bridge1” between AAP1 and AAP2. Make sure they use WPA2-aes to connect to each other. AAP2 should authenticate itself as “admin/IPexpert123” with EAP-FAST and AAP1 should be the radius server for this purpose. On top of the VLAN of the SSID, the bridge link should carry VLANs 11, 12 and 13. The SSID name should be visible in beacons.

3.3 Additional settings •

•

v3150

Make sure that AAP2 will only try to connect to AAP1. Make sure that AAP1 will only accept connections from AAP2. Make sure that the access points retry packets 16 times after giving up but when they give up, they should not cause the link to go down. Configure the access points so that they use WMM, that they use the 802.11e QBSS and that they do the proper mapping between 802.1p CoS and 802.11e UP (where the voice tag is not the same number in the 2 standards).


35



Task 4: Configure and Troubleshoot Unified Deployment model 4.1 Configuring MO Office •

•

•

•

•

WLC3 is the remote office controller. WLC1 sits in the headquarters but is a dedicated controller serving as fallback for WLC3. The clients will be placed in VLANs 21, 22 and 23 respectively for guests, data and voice clients. You have to make sure that traffic never gets released on the headquarters side. We need to make sure that the clients will be placed in that VLAN even if the access points move to WLC1 because WLC3 went down. The SSID MOGuest will have a pre-shared key “IPexpert123” using standards with the best RC4-based encryption as well as a web authentication portal hosted on the controller itself. The SSID MOData will use the best encryption standard available and will authenticate users against ACS. The SSID MOVoice will use a Cisco-proprietary fast roaming mechanism and the best encryption/authentication standard among those that have no fast-roaming mechanism on their own. The Cisco proprietary fast roaming mechanism should not be mandatory to use the SSID.

4.2 Configuring Headquarter Office • •

•

v3150

WLC 2 and 4 should be configured with the same WLANs. HQData SSID should use enterprise-class authentication with 802.11i encryption. It should not forward traffic into any valid subnet until the user authenticates at which point it will select the VLAN depending on the user group. User “admin” belongs to user group “department1”; user “john” belongs to department2 and user “lisa” to department3. Users from group “department1” should be granted access to VLAN 12 or 32 depending where they connect from (Users connecting through WLC2 should use lower numbered VLANs and users connecting through WLC4 should use higher numbered VLANs). Users from group “department2” should be given access to VLAN 13 or 33 depending on the same conditions and users from group “department3” to VLAN 14 or 34. Users should have their identity re-verified every 60 minutes and they should not be able to use a static IP address. Since we know that old clients will use this SSID, the WLC should not pay attention and take actions if clients refuse to roam and stay connected at very bad signal strength. Clients of this SSID should not be able to exchange files between themselves directly. HQVoice SSID should use a shared-key authentication with RSN encryption. It should balance the clients between VLAN 15 and 16.


36


•


HQGuest SSID should have no layer 2 security, a web authentication portal and place clients in vlan11.

4.3 Configuring Guest solution •

We need clients connected to a switchport that sits on VLAN 18 to be intercepted and presented the web authentication login page that is configured internally on WLC1. This VLAN should not be allowed in the Core switches Cat1 and Cat2 and should stay at the access layer. They should get an IP address in the subnet 10.10.11.x. Configure port fa0/12 on Cat3 for such guest usage. Cat2 should be the DHCP server for VLAN 11

Task 5: Configure and Troubleshoot WCS 5.1 Adding WLCs • •

•

Add all WLCs to WCS. They should be managed with snmpv3 and should refuse any version 2 connection attempt. They should be free of any community configuration and be configured with v3 username and password admin/IPexpert12345 and the strongest encryption mechanism

5.2 Adding Mobility Services •

•

Create a building with one floor and create a map for that floor. The environment is a warehouse with the ceiling at 20 feet high and APs placed at 12 feet high. Place the APs in every corner of the map. You can find the floor image in the WCS c:\FTP\ folder. Add MSE to WCS with both location and intrusion detection service activated. Synchronize it with the map and controllers.

5.3 Configuring WCS • •

v3150

Make sure that rogue APs can be seen on the map. Select a rogue on the map and make sure that no alerts will be sent about that rogue again and that it will not be contained by your access points.


37



Task 6: Configure and troubleshoot WLAN services 6.1 Radio management •

•

WLC1 and 3 are the only WLC susceptible to manage Medium Office access points while WLC 2 and 4 are the only ones to manage Headquarters access points. Make sure that WLC 2 and 4 talk to each other (but not to 1 and 3) to elect RF-leader and make RF decisions while WLC1 and 3 talk to each other but not to 2 and 4 for those decisions. All WLCs should: Support all data rates above 11Mbps (included) on 2.4 GHz. o 11Mbps being the only mandatory rate. o The WLC will increase the power (if possible) on an AP if 5 clients are detected to be sticking with low signal. o Never bring an AP transmission power lower than 1dbm o Support all data rates above 12Mbps (included) on 5 GHz. 12Mbps being the only mandatory rate Support beamforming on 11n-class access points when dealing o with 11a/g clients. o Lower the APs transmission power if several surrounding APs are heard at -67 or louder. o Support phones and devices that make their transmit power variable depending on AP power level When selecting a channel for an AP, the WLC should take into o account the load of other Cisco APs as well as rogues in the deployment (for example 2 APs could be on the same channel next to each other if they have relatively low load). If CleanAir APs, thanks to their CleanAir chipset, detect a specific o source of interference, this should count in the algorithm decision if it’s worth to change channel immediately.

6.2 Controller Security •

v3150

Make sure that only management subnets (VLANs 5, 111, 112, and 120 as well as the 10.10.0.0/24 subnet) can talk to WLC1. It should be inaccessible from any other subnet.


38



6.3 Voice settings •

Ensure that both voice SSIDs follow usual VoWlan recommendations like : o It must support the phones sending tagged voice UP traffic. They should allow phones to sleep and only wake up every 2 o beacons for broadcast buffered traffic. o The APs should not do off-channel scanning (for RRM, rogue scanning purposes etc ..) in the 200ms after they last received a voice-tagged frame (and only in this case) o The AP should block phones to initiate a new call if there is not enough bandwidth available and should therefore reserve 10% of their bandwidth for roaming devices. o For the medium access parameters, do not use the 802.11e parameters but optimize the channel access timers for Voice. Also limit the amount of wireless retries.



v3150


39



Lab 3: CCIE wireless version 2 8 hour training Lab 3 1.0 Configure and troubleshoot wired infrastructure to support WLAN's 2.0 Configure and Troubleshoot Infrastructure Application Services 3.0 Configure and Troubleshoot Autonomous deployment model 4.0 Configure and Troubleshoot Unified deployment model 5.0 Configure and Troubleshoot WCS 6.0 Configure and Troubleshoot WLAN Services Lab Overview

This lab will test your knowledge on several items of CCIE Wireless blueprint version 2. The wording in the LAB questions might seem tricky but they are supposed to prepare the candidate to read in between the lines. The network and WLC´s are partly pre-configured but some of the configuration have to be altered to meet the exam requirements The fact that WLC are pre-configured doesn’t mean that there are no tasks where you have to rectify wrong pre-configs or make some changes. Both on the WLC’s AP’s and the network. Those are all part of solving this lab. Throughout this lab you may expect to rectify basic IP connectivity issues. In this lab and the real lab w e cannot take anything for and stay focused. This lab will use All equipment in the LAB 1: topology. Refer to the names of the equipment on that topology. Rectify names according to Table 2. When configuring WLAN’s/ SSIDs. If the lab refers to SSID-XX replace XX with your pod number where POD01 is for example SSID-01 Unless otherwise indicated, use “admin” for usernames and “IPexpert123” for passwords. When not specially mentioned use 2,4 GH z frequency. It is strongly advised to read the whole LAB over before you start configuring. And read each section briefly over to refresh your memory. In some sections some later tasks would better be done first. Tip: WCS templates may seriously speed things up!


v3150


40



Mock Lab 3: Topology 110< ="65>5?? @% A,:B >'C * ;,D,>,EF

!"#$%&#'("') /01

Internet +,%

+,(

2+ % $ # "

!

( $ # "

5508

( $ # ' &

&'#$%*

&'#$%) % $ # ' &

( ( $ # ' &

!

&'#$%*

Cat1

CME

WLC1

3 $ # ' &

&'#$)

ACS/WCS/ MSE/Test PC

&'#$%)

+,(

&'#$(&'#$(.

Cat2 % % $ # ' &

# % $ # ' &

% % $ # ' &

+,%

2504

+,456 0895:;,6 # " !

# " !

LWAPP

&'#$%%

&'#$%#

&'#

%$&'#$*

Cat3

LAP1

AAP1

3502i

1262N

# ' &

( $ # " !

% $ # " !

3 $ # ' &

( , +

% , +

+ 2

WLC4

% $ # ' &

&'#

LWAPP LAP2

1242AG # " !

LWAPP LAP3

WAN

1042N AAP2 1242AG

WLC2 5508

*"+,(" .//01" LWAPP

&'#$)

!"#

% % $ # ' &

LAP4 1262N +,(

&'#$( Cat4

+,%

&'#

%$WLC3 2504

LWAPP

&'#

&'#$-

LAP5 1242AG

v3150


41




Lab 3: Prerequisites: This lab will rely on the network infrastructure. You will need to pre-configure the network with the base configuration files. If using your own hardware: Login to IPexpert.com, navigate to the “My Downloads” area, download “IPexpert Wireless Volume 1 Configs,” find the Lab 3 INITIAL Configs, and copy and paste the proper switch files to the proper devices. If you are using Proctor La bs: Log on to your Wireless vRack Web UI and navigate to near the top of the web page, click the “Load Lab” button and choose: IPexpert WIFI Volume 2 Workbook ! Lab 3 ! INITIAL

v3150


42




v3150

VLAN

VLAN Name

Subnet

Netmask

5

Servers

10.10.210.0

/24

10

HQSwitchMgmt

10.10.10.0

/24

11

HQGuest1

10.10.11.0

/24

12

HQData1

10.10.12.0

/24

13

HQData2

10.10.13.0

/24

14

HQData3

10.10.14.0

/24

15

HQVoice1

10.10.15.0

/24

16

HQVoice2

10.10.16.0

/24

17

HQData4

10.10.17.0

/24

20

MOSwitchMgmt

10.10.20.0

/25

21

MOGuest1

10.10.21.64

/26

22

MOData1

10.10.22.128

/26

23

MOVoice1

10.10.23.192

/26

105

HQServicePort

10.10.105.0

/24

110

HQAAP

10.10.110.0

/24

111

HQWLC1

10.10.111.0

/24

112

HQWLC2

10.10.112.0

/24

113

HQLAP1

10.10.113.0

/24

114

HQLAP2

10.10.114.0

/24

120

MOWLC1

10.10.120.128

/26

121

MOLAP1

10.10.121.192

/26

131

HOAP

192.168.100.0

/24

999

VLAN999

n/a

n/a


43




Port

Connected

Connected

IP Address

CAT1

NA

NA

10.10.10.2

CAT2

NA

NA

10.10.10.3

CAT3

NA

NA

10.10.10.4

CAT4

NA

NA

10.10.20.1

ACS

NIC1

CAT2

Fa0/11

10.10.210.5

WCS

NIC1

CAT2

Fa0/11

10.10.210.6

CME

Fa0/0

CAT1

Fa0/4

10.10.210.20 10.10.205.20 (Loop)

MSE

Eth0

CAT2

Fa0/11

10.10.210.10

WLC1

Po1

CAT2

Gi0/1

10.10.111.10

WLC2

Po1

CAT3

Gi0/1

10.10.112.10

WLC3

Po1

CAT4

Fa0/1

10.10.120.140

WLC4

Po1

CAT2

Fa0/15

10.10.112.20

AAP1

Gi0

CAT1

Fa0/2

10.10.110.100

AAP2

Fa0

CAT3

Fa0/2

10.10.110.101

LAP1

Gi0

CAT1

Fa0/1

10.10.113.x

LAP2

Fa0

CAT2

Fa0/2

10.10.114.x

LAP3

Gi0

CAT3

Fa0/3

10.10.114.x

LAP4

Gi0

CAT4

Fa0/4

10.10.121.x

LAP5

Fa0

CAT4

Fa0/5

10.10.121.x

v3150


44



Lab 3: 8 hour CCIE wireless v2 Mock LAB 1.0 Configure and troubleshoot wired infrastructure to support WLAN's

L2 switching in HQ: To prepare your network we need to take extra care that the network is properly set up. All future configurations with wireless components will rely on the network. Please bear in mind that most wireless issues are related to the network. The Proctor Labs lab environment will have some preconfigured equipment. It is up to you to change configuration according to the requirements in this lab. •

•

•

•

•

•

Cat1 will handle all VLAN´s and distribute them to Cat2. Cat3 will also get all VLAN changes from Cat1 Use Md5 encryption to protect the VLAN database on your 3 switches. o Use ipexpert123 as the MD5 secret. Domain is ipexpert o Create the VLANs in table 1 for your HQ switches. Cat1 should be the root all VLANs Cat2 should be the root for all VLANs if the root fails Do not configure Cat3 for the last question above. o From Cat3, “show” commands should give the correct outcome to see where the root bridges are. Cat1 should be seen as root for all VLANs and Cat2 will be the backup path. Prove that the backup path works by testing. Configure the 2 links between Cat1 and Cat2 to appear as one STP instance. o Use a method that has no negotiation.

L3 routing: •

•

•

•

•

•

v3150

Site HQ: Do not configure or change anything that is not requested by the lab. Cat1 is SVI has always the first IP address from each VLAN network. Cat2 is SVI has always second IP address in each VLAN network. For Cat3 VLAN10 SVI, Use IP address 10.10.10.4/24 VLAN 5 IP configuration should not be changed VLAN10 ip configuration should not be changed (HQSwitchMgmt).


45


•

•

•

•


Create the SVI´s on your appropriate HQ switches and ensure you have connectivity between all L3 interfaces. Refer to table 1 for the VLAN ID´s. HQ, MO have different VTP domains as can be seen in table 1. VLANs should flow between all 3 switches in the HQ. Create a Loopback99 interface on your CAT1 with ip 10.99.99.99/32 Use a link state open standard based routing protocol to advertise o Loopback99 to CAT2. Only advertise loopback99 in your configuration. o o Don´t summarize the classful networks in your routing domain. VLAN 12 should be redundant for CAT1 and CAT2 o On CAT1 and CAT2, Use a Cisco proprietary method to create a redundant SVI for VLAN 12. o The VLAN 12 virtual IP should be the next available ip address after CAT1 and CAT2 . CAT1 should always be the primary router for VLAN12 and in case of o failure it should revert back when things go back to normal. Create a redundant DHCP pool for VLAN12 on CAT1 and CAT2:

MO routing and switching: •

•

•

Create VLANS and SVI´s for CAT4 according to table 1. CAT4 SVI’s always use the first IP address per SVI. Create MO SVI´s from Table 1. CAT4 should be ready to serve VLAN configuration to other switches. Protect the database IPexpert-MO with the password ipexpert.123 CAT4 should not participate in routing updates and exchange routing tables with HQ. CAT4 should be able to reach any network on HQ. On HQ you need to advertise all the networks belonging to CAT4 MO. Use your routing protocol to accomplish this in your HQ Switches

QOS: •

•

•

v3150

On all routers and switches, trust layer2 and layer3 QOS markings where appropriate. Tune your COS to DSCP mapping (and vice versa) as Cisco best practices recommend VoIP SCCP AVVID gets value of 24 (CS3) instead of the default 26 o (AF31) VoIP RTP stream gets value of 46 (EF) instead of the default 40. The traffic from MO should have a policy that marks skinny traffic and RTP VOIP traffic with the RTP and Skinny (not encrypted) known udp and tcp ports.


46


o


Ensure the correct marking is maintained when VoIP traffic enters MO from HQ and vice versa.


NTP: •

•

•

•

•

Use NTP server on WCS to synch time for all your network devices including the WLC´s. WCS is 10.10.210.6 Controllers should synch time every 2 hours. CAT1 should be the NTP master for all switches and routers. For routers and switches: use password "ipexpert" for NTP authentication. Use EST timezone -5. CAT1 should answer ntp requests only on VLAN10 and only allow switches and routers in your network to synch time with CAT1. CAT2 uses VLAN5 IP, CAT4 uses VLAN20 IP and CAT3 uses VLAN10 IP address for NTP communications. Don´t forget the autonomous AP´s ! Configure them to use the same time settings with CAT1 as the NTP server. No security is needed for the Autonomous Aps. Use IP information from Table 2 for the APs.

AP management: HQ •

•

v3150

LAP2 (f0/2 on CAT2) and LAP3 (F0/3 on CAT3) should discover WLC2 and WLC4 with DNS (not option 43). APs should be on VLAN1134 o LAPs default gateway is 10.10.114.1 Default name to the name in table 1. Subnets for those APs are listed in o table 2. Configure your network accordingly o Use your Microsoft DHCP and DNS server to accomplish this. DNS suffix for your APs subnet should be LAPs.proctorlabs.com o o Exclude the range from 1 to 20 and 200 to 254. o Microsoft DHCP/DNS server is 10.10.210.6 Make sure that WLC2 will be primary and WLC4 secondary Controllers for LAP2 and WLC4 are primary controllers for LAP3 and WLC2 secondary controller. Mobility group should be named HQ2 for WLC2 and HQ4 for WLC4. WLC´s should have the same RF group HQ-WLC2-and-4


47


•


LAP4 and LAP5 should join WLC4 with DHCP from CAT4. Set those APs on VLAN 121 on CAT4:

Switching security: •

•

•

All LAP AP Ports (present and future) should go to STP Forwarding mode immediately In MO All switchports with access points should block traffic if BPDU´s are advertised over the port. Also all potential host ports. In HQ all switchports with access points should get disabled if BPDU´s are advertised over the port. This setting needs to be default for all host switchports so it won´t be forgotten in future tasks. You don´t want your VMware servers on CAT2 port Fa0/11 to get potentially disabled. Let that one port bypass that default setting.


Autonomous setup: •

•

•

•

•

•

v3150

A cargo company has mobile fork lifters in their warehouses. Those fork lifters will have industrial computers on board with Ethernet ports (no wireless) You need to use AAP2 to connect the industrial computer to the wireless network Make a Layer2 only VLAN on AAP2 connected switch to avoid loops in your network VLAN 999. Override bpduguard with bpdufilter on f0/2 port on CAT3. AAP2 will connect to AAP1 with 802.1x security. SSID is fork-xx Username is lifter and password is fork. Use 2,4Ghz frequency. AAP1 will authenticate the lifter user. And the industrial PC should be on o VLAN 17. As the industrial PC is not ready yet. Configure DHCP on AAP2 to see the DHCP offer working. Configure DHCP on CAT1 for VLAN17. Exclude the first 9 addresses. Use the most secure option that is Cisco proprietary o The forklifter is actively mobile. Ensure that it only scans non-overlapping channels in your 2,4 GHz frequency. So it uses the least time to scan channels when moving around. Ensure that the association reliable. So the AP disassociates clients only many packets are lost. Use the maximum reliable setting for the association to stay up.


48



4.0 Configure and Troubleshoot Unified deployment model

WLC management: •

•

•

•

WLC1 has its Service Port connected to CAT1. Connect the SP on VLAN 10. Use DHCP from CAT2 for the SP. The SP port should always get the 10.10.10.50 address. Default gateway is 10.10.10.2 it should be pingable from the same VLAN. On WLC1 guests should see the name guests.proctorlabs.com. This name should resolve on your DNS server (Microsoft server 10.10.210.6) to WLC1 virtual IP address. Configure appropriate VLAN interfaces per WLC according to table 3. (WLANs will be configured and explained in more detail later)


Interface

WLC IP Address

Default gateway

WLAN

WLC1

Vlan 11

10.10.11.252/24

10.10.11.1

HQ-guests-XX

WLC2

Management

NA

NA

HQ-guests-XX

WLC2

Vlan 13

10.10.13.50/54

10.10.13.1

Client-Vlan-XX

WLC2

Vlan 15

10.10.15.50/24

10.10.15.2

voip-5ghz-XX

WLC2

Vlan 12

10.10.12.50/24

10.10.12.3

WLC3

Vlan 22

10.10.22.130/26

10.10.22.129

MOData1-XX

WLC4

Management

NA

NA

HQ-guests-XX

WLC4

Vlan 13

10.10.13.51/24

10.10.13.1

Client-Vlan-XX

WLC4

Vlan 12

10.10.12.51/24

10.10.12.3

WLC4

Vlan 15

10.10.15.51/24

10.10.15.1

voip-5ghz-XX

VLANs on Switches should already be done and working in the first part of this LAB.

•

•

v3150

Set up etherchannel for both interfaces on WLC2. Ensure that APs are load balanced over the layer3 network based on source and destination IP information. Do this for all switches connected to controllers. VLAN´s on the wired network should work on the wired interfaces of each WLC


49


•

•


QOS needs to be tagged on the management VLAN of all WLC´s Only VLAN´s created on WLC´s should traverse over the link towards the network and vice versa.

AP Priming: •

LAP1 should join WLC3. Find a way to configure a static VLAN113 10.10.113.100 address for this AP. Manually join LAP1 to your WLC3. Default gateway is 10.10.113.1

Guests: •

•

•

•

•

•

•

v3150

For WLC1 guests will be directed out the Po2 Configure Client-Vlan11 on port1 on WLC1. o Use .252 for the WLC IP address. See table 3. WLC1 used to be connected with po1 and po2 to two separate 6509 switches with VSS configured. Now they have been replaced with 2x 3560 switches connected again the same way. Configure WLC1 port2 to be the primary management port connected to CAT1. And port 1 connected to CAT2. Make the management interface redundant for po1 and po2 WLC1 operation. The guest access should be redundant too. Configure Port 1 so no other VLAN´s are allowed except guests and for management redundancy purposes (4.10) Create the WLAN HQ-guests-xx on all HQ WLC´s. HQ WLC´s should transport all guest access traffic to WLC1 Vlan 11 and they should traverse default out of Port1 on WLC1. Use SSID HQ-guests-XX. There are also complaints that users from APs on WLC2 and also other users trying to roam to APs on WLC2 don´t work. This problem is seen mainly on the guest SSID. Rectify the mobility config so it will be seamless. o No encryption o Web-splash page will authenticate guest users on WLC1 The guest SSID hast to work on all AP´s in the HQ. Guest need to reach o SSL VPN server on 10.10.210.6 even before they reach the splash page. Enable ICMP to work for that vpn server as well for troubleshooting ease. Guests use DHCP on WLC1. Issue 15 address pool starting from 10.10.11.10. DNS is 10.10.210.6


50


•

•


Create a lobby admin account on WLC1 and with this account, create a guest user that lasts for 3 days. Lobby account User is lobby password Lobby123. Guest user is guest4 password ipexpert123 Test the HQ-guests-xx connection from the Laptop test https://10.10.210.6 without the splash login. Then try to login through the splash page. Before the login through splash page, the guest should NOT be able to ping 10.10.10.3 but it should work after splash web authentication. The laptop is reachable directly with VNC on 10.10.210.4 password IPexpert123

Mobility: •

•

HQ users should be able to roam between all controllers. Use the default Mobility names HQ1 for WLC1, HQ2 for WLC2 , HQ3 for WLC3, and HQ4 for WLC4. All HQ WLC´s should check its mobility members every 15 seconds. They should consider them dead after 60 seconds.

Interference and radio settings: •

On your 802.11g network , the 2.4 GHz channel 2452 GHz with 2 channels above and below are severely impacted by a nearby microwave oven located next to LAP3. These channels are unusable because of this massive interference. Make sure that your LAP3 uses the best possible 2,4Ghz frequency channel to avoid the microwave interference in the future.

AP registration security and local radius: •

•

•

•

•

•

v3150

MO: should only allow LAP1 to join WLC3 Ensure that only LAP1 can join WLC3. Create DHCP pool for LAPs VLAN113 on CAT2. Point to WLC3. Change LAP1 to DHCP. Configure local radius on WLC3 for WLAN MOData1 VLAN for SSID is MOData1-XX in table 3. WLC VLAN 22 IP is 10.10.22.130/26 Use PEAP mschapv2 authentication . username localpeap password localradius. Security is WPA 802.11i with software encryption: Configure DHCP on WLC3 for this SSID clients. Give out 131 and 132 addresses of the scope. Test connectivity with AnyConnect on your test PC


51



Client connection testing: •

•

•

•

Your AnyConnect client needs to connect to the Client-Vlan13-XX WLAN in HQ Configure your network to meet the requirements below:

SSID Client-Vlan13-XX This ssid should exist on WLC2 and WLC4. Clients should terminate at o Vlan13. Table 3 shows what IP should be on your Controller´s VLAN13. Exempt addresses 10.10.13.1 – 10.10.13.49 and 10.10.13.59 – 10.10.13.254 Use WPA psk. Psk is ipExpert.123 o o Allow CCK modulation for this SSID. Exempt 5Ghz. o Advertise 802.11i and pre-standard WPA in your beacons but also enable for software encryption to work over 802.11i for older clients. o DHCP should be set up on CAT1 o On LAP2 this SSID should use to VLAN12. Don’t use HREAP. Only let this SSID go out VLAN 12 for LAP2. DHCP is the redundant IP of vlan12 shared with CAT1 and CAT2. Gateway is the redundant IP of VLAN12. Test this configuration and see the IP address change on your AnyConnect client.

Rouge detection: •

•

Your WLC3 should detect rouge access points. Configure all LAPs in your HQ network to validate RF information in order to prevent spoofing of SSID and your AP Mac addresses from man in the middle attacks.

5.0 Configure and Troubleshoot WCS

WCS: Management:

•

•

v3150

Manage all WLC´s with WCS using the default method. The user is admin and password IPexpert123 for all WLC´s.


52



MAPs: •

•

•

•

•

Put your LAPs on floor 1 map on your WCS. Position as many APs you need for data 2,4Ghz coverage your second floor. Your campus is 2 floors with 500 x 500 feet span. You are instructed to expect -80 dBm RSSI cutoff. Make sure you see it work for your WCS 2,4 coverage map. First create a new building in your system campus put 2 floors. LAP2 is a 1242 with AIR-ANT5135D-R antenna for A band and the antenna is slightly tilted 15° down. The AP is in the ceiling of floor 1. Let WCS know about the antenna settings. B/G band has the same setting. LAP1 is also on floor 1 but it is in 7 feet height. Use WCS to disable all 802.11b clients association in your network. Still allow OFDM clients on 2,4 GHz to connect at 9 mbps and not less. When Root is logged in. Show the overall security score on the right side of your security page. This has to work when root is logged on.

6.0 Configure and Troubleshoot WLAN Services

Wireless Voice: •

•

•

v3150

On WLC2 and WLC4 in HQ:

Deploy a SSID called voip-5ghz-XX – This will be VLAN 15. WLC IP information in table 3. DHCP and default gateway is on CAT1 and should give out Cisco call manager option about the CME router 10.10.210.20. Exclude addresses 10.10.15.1 – 10.10.15.10 and 10.10.15.40 – 10.10.15.70 Use Table 3 for VLAN50 ip information for each Controller. Allow only 5ghz connections on this SSID. Use WPA 802.11i encryption and ensure that Cisco 7925 phones can inter o control roam seamlessly o Phone uses PEAP authentication. On your ACS configure the user phone with password of ipexpert. ACS is 10.10.210.5 user acsadmin password IPexpert123 o For ACS use NTP server 10.10.10.2 allow for this communication on your CAT1 NTP server . Time zone is EST Test it from your Anyconnect . o


53


•

•


Only support 802.11e on this previously configured voice SSID and 7925 phones should get Platinum QOS treatment. 802.11e clients with this SSID will get mapped with 802.1p value of 5 when they hit the wired network. Only allow the necessary data rates for the phones operation in your 5 GHz band.

You are at the end of this LAB! Should I say congratulations? " – It has hard questions when it comes to wording. But we have to be prepared to spot what the LAB wants. This will come in handy at the actual battlefield. So I hope this w as a good exercise. Do this lab m any numerous times to practice speed and work on things you want to study in the meantime



v3150


54



Lab 4: CCIE wireless version 2 8 hour training Lab 4 1.0 Configure and troubleshoot wired infrastructure to support WLAN's 2.0 Configure and Troubleshoot Infrastructure Application Services 3.0 Configure and Troubleshoot Autonomous deployment model 4.0 Configure and Troubleshoot Unified deployment model 5.0 Configure and Troubleshoot WCS 6.0 Configure and Troubleshoot WLAN Services Lab Overview

This lab will test your knowledge on several items of CCIE Wireless blueprint version 2. The wording in the LAB questions might seem tricky but they are supposed to prepare the candidate to read in between the lines. The network and WLC´s are partly pre-configured but some of the configuration have to be altered to meet the exam requirements The fact that WLC are pre-configured doesn’t mean that there are no tasks where you have to rectify wrong pre-configs or make some changes. Both on the WLC’s AP’s and the network. Those are all part of solving this lab. Throughout this lab you may expect to rectify basic IP connectivity issues. In this lab and the real lab w e cannot take anything for and stay focused. This lab will use All equipment in the LAB 4: topology. Refer to the names of the equipment on that topology. Rectify names according to Table 2. When configuring WLAN’s/ SSIDs. If the lab refers to SSID-XX replace XX with your pod number where POD01 is for example SSID-01 Unless otherwise indicated, use “admin” for usernames and “IPexpert123” for passwords. When not specially mentioned use 2,4 GH z frequency. It is strongly advised to read the whole LAB over before you start configuring. And read each section briefly over to refresh your memory. In some sections some later tasks would better be done first. Tip: WCS templates may seriously speed things up!


v3150


55




v3150


56




Lab 4: Prerequisites: This lab will rely on the network infrastructure. You will need to pre-configure the network with the base configuration files. If using your own hardware: Login to IPexpert.com, navigate to the “My Downloads” area, download “IPexpert Wireless Volume 2 Configs,” find the Lab 4 INITIAL Configs, and copy and paste the proper switch files to the proper devices. If you are using Proctor La bs: Log on to your Wireless vRack Web UI and navigate to near the top of the web page, click the “Load Lab” button and choose: IPexpert WIFI Volume 2 Workbook ! Lab 4 ! INITIAL

v3150


57




v3150

VLAN

VLAN Name

Subnet

Netmask

5

Servers

10.10.210.0

/24

10

HQSwitchMgmt

10.10.10.0

/24

11

HQGuest1

10.10.11.0

/24

12

HQData1

10.10.12.0

/24

13

HQData2

10.10.13.0

/24

14

HQData3

10.10.14.0

/24

15

HQVoice1

10.10.15.0

/24

16

HQVoice2

10.10.16.0

/24

17

HQData4

10.10.17.0

/24

20

MOSwitchMgmt

10.10.20.0

/25

21

MOGuest1

10.10.21.64

/26

22

MOData1

10.10.22.128

/26

23

MOVoice1

10.10.23.192

/26

105

HQServicePort

10.10.105.0

/24

110

HQAAP

10.10.110.0

/24

111

HQWLC1

10.10.111.0

/24

112

HQWLC2

10.10.112.0

/24

113

HQLAP1

10.10.113.0

/24

114

HQLAP2

10.10.114.0

/24

120

MOWLC1

10.10.120.128

/26

121

MOLAP1

10.10.121.192

/26

131

HOAP

192.168.100.0

/24

999

VLAN999

n/a

n/a


58




Port

Connected

Connected

IP Address

CAT1

NA

NA

10.10.10.2

CAT2

NA

NA

10.10.10.3

CAT3

NA

NA

10.10.10.4

CAT4

NA

NA

10.10.20.1

ACS

NIC1

CAT2

Fa0/11

10.10.210.5

WCS

NIC1

CAT2

Fa0/11

10.10.210.6

CME

Fa0/0

CAT1

Fa0/4

10.10.210.20 10.10.205.20 (Loop)

MSE

Eth0

CAT2

Fa0/11

10.10.210.10

WLC1

Po1

CAT2

Gi0/1

10.10.111.10

WLC2

Po1

CAT3

Gi0/1

10.10.112.10

WLC3

Po1

CAT4

Fa0/1

10.10.120.140

WLC4

Po1

CAT2

Fa0/15

10.10.112.20

AAP1

Gi0

CAT1

Fa0/2

10.10.110.100

AAP2

Fa0

CAT3

Fa0/2

10.10.110.101

LAP1

Gi0

CAT1

Fa0/1

10.10.113.x

LAP2

Fa0

CAT2

Fa0/2

10.10.114.x

LAP3

Gi0

CAT3

Fa0/3

10.10.114.x

LAP4

Gi0

CAT4

Fa0/4

10.10.121.x

LAP5

Fa0

CAT4

Fa0/5

10.10.121.x

v3150


59




L2 switching in HQ: To prepare your network we need to take extra care that the network is properly set up. All future configurations with wireless components will rely on the network. Please bear in mind that most wireless issues are related to the network. The Proctor Labs LAB environment will have some preconfigured equipment. It is up to you to change configuration according to the requirements in this LAB. •

•

•

•

•

•

CAT1, CAT2 and CAT3 in HQ should have independent VLAN databases so no accidents can happen with incorrect VLAN information is distributed. The domain name should be ipexpert-local Create the VLANs in table 1 for your HQ switches. CAT1 should be the root all VLANs. Use the primary command. CAT2 should be the secondary root for all VLANs if the root fails. Use the secondary command. Do not configure CAT3 for the last question above. o From CAT3, Show commands should give the correct outcome to see where the Root bridges are. CAT1 should be seen as root for all vlans and CAT2 will be the backup path. Prove that the backup path works by testing. Configure the 2 links between CAT1 and CAT2 to appear as one STP instance. o Use a method that has no negotiation.

L3 routing: •

•

•

•

•

•

v3150

Site HQ: Do not configure or change anything that is not requested by the LAB. CAT1 is SVI has always the first IP address from each VLAN network. CAT2 is SVI has always second IP address in each VLAN network. VLAN 10 should be .2 on CAT1 and .3 on CAT2 don’t change them. For CAT3 VLAN10 SVI, Use ip address 10.10.10.4/24 VLAN 5 ip configuration should not be changed


60


•

•


Create the SVI´s on your appropriate HQ switches and ensure you have connectivity between all L3 interfaces. Refer to table 1 for the VLAN ID´s. HQ, MO have different VTP domains as can be seen in table 1. HQ should be able to reach all networks on CAT4. CAT4 should reach any network in HQ. Don´t use a routing protocol in any of your switches. VLAN10 on CAT1 and CAT2 is not working for some reason. Find out and rectify. CAT1 will have the first IP in each SVI1 and CAT2 should have the second IP in each SVI. (Apart from VLANs already created on the switches.) Create a DHCP pool for VLAN12 on CAT1 , don´t give out addresses from 1. -60. Default gateway is .2

MO routing and switching: •

•

Create VLANS and SVI´s for CAT4 according to table 1. CAT4 should be have a standalone VLAN configuration and not exchange VLAN information with other switches. VTP domain should be MO4.

QOS: •

•

•

On all routers and switches, trust layer2 and layer3 QOS markings where appropriate. Tune your COS to DSCP mapping (and vice versa) as Cisco best practices recommend VoIP SCCP AVVID gets value of 24 (CS3) instead of the default 26 (AF31) VoIP RTP stream gets value of 46 (EF) instead of the default 40.

Multicast •

•

v3150

MO WLC 3 should advertise multicast group for its locally registered AP´s. Use 239.x.x.x where x is the last 3 digits in MO WLC 3 Management IP. All CAT4 VLANs should have multicast routing enabled for CAT4. Use a method that doesn´t flood your network as it should be built for growth later. On your CAT4 , use RP address of 10.99.254.254/30. When the IGMP timeout expires (70 seconds), the controller sends a query to all WLANs. Those clients which are listening in the multicast group should send a packet back to the controller The traffic from MO should have a policy that marks skinny traffic and RTP VOIP traffic with the RTP and Skinny (not encrypted) known udp and tcp ports. o Ensure the correct marking is maintained when VoIP traffic enters MO from HQ and vice versa.


61




NTP: •

•

Use NTP server on WCS to synch time for all your network devices including the WLC´s. WCS is 10.10.210.6 Controllers should synch time every 2 hours. o o CAT1 should be the NTP master for all switches and routers. For routers and switches: use password "ipexpert" for NTP authentication. Use EST timezone -5. CAT1 should answer ntp requests only on VLAN10 and only allow o switches and routers in your network to synch time with CAT1. CAT2 uses VLAN5 IP, CAT4 uses VLAN20 IP and CAT3 uses VLAN10 IP address for NTP communications. Configure NTP for the autonomous AP´s. Point to CAT1 10.10.10.2 and use timezone EST -5


•

•

v3150

LAP2 (f0/2 on CAT2) and LAP3 (F0/3 on CAT3) should discover WLC2 and WLC4 with DHCP on CAT1. Default gateway is .1 Name the APs from their default name to the name in table 1. Subnet for o those Aps are listed in table 2. Configure your network accordingly. This should be done for all other LAP APs. o Exclude the range from 1 to 20 and 200 to 254. Make sure that WLC2 will be primary Controller for LAP2 and WLC4 Primary controller for LAP3. Mobility group should be named HQ2 for WLC2 and HQ4 for WLC4. LAP2 and LAP3 need to failover if primary controller fails. LAP2 secondary is WLC4 and LAP3 secondary is WLC2. LAP4 and LAP5 should join WLC3 with DHCP from Cat4. You are forbidden to enter option 43 or DNS on your MS DHCP. Also you can´t use the AP CLI to manually join them. Use the network to deliver the LAP management traffic to WLC3. Set those APs on VLAN 121 on CAT4:


62




•

All MO LAP AP Ports should go to STP Forwarding mode immediately but don´t risk spanning-tree loops later on if some switch is connected to those ports. In HQ All switchports with LAP access points should block traffic if Bridge Protocol Data Units are advertised over the port.



•

•

•

•

A Law firm company has 2 buildings. One Building has a Wireless Bridge AAP2 To connect to the HQ LAN through AAP1. Make AAP2 and AAP1 to belong to the AAP management VLAN 110. AAP2 BVI1 interface has to be reachable only over the bridge link. Behind AAP2 VLAN 14 needs to traverse the bridge link over to HQ network. 10.10.14.2 is on CAT2. This will be tested as it was behind AAP2. The end result is CAT1 pinging over the bridge link to 10.10.14.2 behind the AAP2. Use 2,4ghz. AAP2 will connect to AAP1 with Cisco proprietary most secure 802.1x method. SSID is lawfirm-xx Username is lawyer and password is fresnelzone. AAP1 will authenticate the lawyer user. No FTP traffic should be allowed over the bridge link during business hours 9am to 5pm Monday – Friday


WLC management: •

•

v3150

On WLC1 guests should be transported from Other HQ controllers to WLC1. Prepare the Configuration so the WLAN can be directed directly to WLC1 in the future. WLC1 default mobility domain should be HQ1, WLC2 HQ2, WLC3 HQ3, and WLC4 HQ4.

Configure appropriate VLAN interfaces per WLC according to table 3.


63




Interface

WLC IP Address

Default gateway

WLAN

WLC1

Vlan 11

10.10.11.252/24

10.10.11.1

HQ-guests-XX

WLC2

Management

NA

NA

HQ-guests-XX

WLC2

Vlan 13

10.10.13.50/54

10.10.13.1

Client-Vlan-XX

WLC2

Vlan 15

10.10.15.50/24

10.10.15.1

voip-6ghz-XX

WLC3

Vlan 22

10.10.22.130/26

10.10.22.129

MOData1-XX

WLC4

Management

NA

NA

HQ-guests-XX

WLC4

Vlan 13

10.10.13.51/24

10.10.13.1

Client-Vlan-XX

WLC4

Vlan 15

10.10.15.51/24

10.10.15.1

voip-6ghz-XX

VLANs on Switches should already be done and working in the first part of this LAB.

•

•

•

Set up etherchannel for both interfaces on WLC2. Ensure that APs are load balanced over the layer3 network based on source and destination IP information. QOS needs to be tagged on the management VLAN of all WLC´s Only VLAN´s created on WLC´s should traverse over the link towards the network and vice versa.

AP Priming: •

•

v3150

LAP1 should have redundant WLC´s for WLC2 and WLC4. WLC4 is primary. Join the AP manually from its console but allow for it to get DHCP address from CAT2. Refer to Table 2 for ip information and VLAN. Default gateway is 10.10.113.2 Users with Apple computers complain that they can´t switch SSIDs on their computers. The WLC reports the are connected but the client doesn’t seem to notice. Rectify the issue with one setting on all Controllers.


64



Guests: •

•

•

•

•

WLC1 guest for VLAN 11 should exit to Po2 by default but Po1 if Po2 goes down. Configure WLC1 port1 to be the primary management port connected to CAT2. Ensure that only existing VLANs to traverse the switch ports. Guest VLAN is VLAN 12. Create the WLAN HQ-guests-xx on all HQ WLC´s. HQ WLC´s should transport all guest access traffic to WLC1 Vlan 11. No encryption. Don´t allow static ip addressing of clients. o o Timeout is 4 hours. o Do not advertise Aironet Information Element to avoid interoperability issues with various guest equipment. Delivery traffic indication message should be every 5 beacons on 2,4 Ghz o connections. The guest SSID hast to work on all AP´s in the HQ. Users should have the o option of entering their email address on the splash page and connect after that. Guests use DHCP on CAT1. Issue 15 address pool starting from 10.10.11.10. Default gateway is CAT1 SVI VLAN 11. DNS is 10.10.210.6 Test the connection from the Win7 PC. The PC is reachable directly with VNC from the WCS server on 10.10.210.4 password IPexpert123


•

•

•

v3150

Configure your ACS to be used on WLC3 for WLAN MOData1 VLAN for SSID is MOData1-XX in table 3. WLC VLAN 22 IP is 10.10.22.130/26. LAP4 should send their users to VLAN 23. Don´t use AP-groups. DHCP for VLAN23 is configured on CAT4. Use EAP-FAST authentication . username fast password faster. Security is WEP 128 bit. Configure DHCP on your Microsoft DHCP server for this SSID clients above. Give out 131 and 132 addresses of the scope. Also ensure the VLAN23 users get DHCP as well with the same parameters. Test connectivity to MOdata1-xx with AnyConnect on your test PC


65



Client connection testing: •

•

•

•

•

Your AnyConnect client needs to connect to the Client-Vlan13-XX WLAN in HQ Configure your network to meet the requirements below:

SSID Client-Vlan13-XX This ssid should exist on WLC2 and WLC4. Clients should terminate at o Vlan13. Table 3 shows what IP should be on your Controller´s VLAN13 o Use WPA Enterprise with AES encryption. Use 802.1x security and PEAP authentication on your ACS server. o Username Client-peap password ipexpert123 o DHCP server is Microsoft DHCP server. Gateway is .1 Configure the DHCP so there will be no conflict with the least of o exclusions possible. For this SSID you have a strange requirement from your customer. He (a guy in a white coat with the mad scientific look with a very narrow interest in radio waves) shows you spectrum expert screenshots of square top looking waves. He mentions he doesn´t want the round top waves to show in his environment as he claims it slows down the network. Make sure that controllers necessary have the setting to fulfill this strange request. The customer doesn´t have any other explanation than this picture. Test this on your AnyConnect client.

Clean AIR: •

•

v3150

Your WLC4 should detect and report microwave ovens and Bluetooth devices on capable access points in the 2,4 Ghz frequency.

For capable access points, monitor and dynamically avoid Bluetooth and microwave oven interference. There is no requirement for anything else available. The event driven Radio resource management should be set to the highest value.


66




WCS: Management: •

Manage all WLC´s with WCS using version 2 of Simple Network Management Protocol. No other methods should be available. Use the name ipexpert.snmp for your name. Only WCS should be able to control or read the WLC´s.

MAPs: •

•

Put LAP1,LAP2, LAP3, LAP4 and LAP5 on Campus IPX, building1, floor1 map on your WCS. Position the AP´s for best location tracking. Configure your mobility services so you see live WiFi clients on your MAP. Campus is 1000 by 1000 feet. Building is 500 by 900 feet. Floor is 200 by 100 feet. Horizontal number first. MSE IP is 10.10.210.10 use encrypted method to communicate WCS to MSE. Clean air: Locate and report Clean-air interference in MSE. Gather history related to interference and Client stations. Display all interferers on your WCS MAP.


Wireless Voice: •

•

v3150

On WLC2 and WLC4 in HQ:

Deploy SSID voip-6ghz-XX. Terminate at VLAN 15. WLC IP information in table 3. DHCP is on CAT1 and should give out callmanager option about the CME router 10.10.210.20. Default gateway is CAT1 VLAN15 SVI. Take care of IP conflict in your DHCP configuration. o Allow only 5ghz connections on this SSID. Use WPA encryption and ensure that Cisco 7925 phones can roam o seamlessly. Your phone 7921 has load 1.3.(4) Allow for better battery usage on your CCX compatible phones. Phone uses EAP-FAST authentication. On your ACS configure the user o phone with password of ipexpert


67



Test it from your Anyconnect . Some of your wife phones on WLC2 and WLC4 will use SIP and not all of them will be Cisco phones. Some might be iPhone or android devices. You need to QOS mark the packets by recognizing SIP call setup messages no matter tcp ports they will use. Use this setting on your controller that has the voice ssid configured above. o

•

You are at the end of LAB 4. It is a bit difficult to finish in 8 hours. Harder the training thus easier the battle. The question phrasing can slow you down as it might do on the actual LAB. So I hope this was a good exercise. Do this lab many times to practice speed and work on things you want to improve in the meantime. I recommend having a LAB strategy in place that you practice when you take this LAB because this LAB is built up from the blueprint sections and hopefully prepares you for the actual LAB.



v3150


68



Lab 5: CCIE Wireless v2 8 hour training 1.0 Configure and troubleshoot wired infrastructure to support WLAN's 2.0 Configure and Troubleshoot Infrastructure Application Services 3.0 Configure and Troubleshoot Autonomous deployment model 4.0 Configure and Troubleshoot Unified deployment model 5.0 Configure and Troubleshoot WCS 6.0 Configure and Troubleshoot WLAN Services

Lab Overview

This lab will test your knowledge on several items of CCIE Wireless blueprint version 2. In this lab we use a scoring system of maximum 100 points. 85 points and above will be considered a pass. A good idea is to define and use your LAB exam strategy to practice and fine tune to prepare for the real battle. This will help in your time management that is essential to pass! This lab will use all equipment in the LAB 1: topology. Refer to the names of the equipment on that topology. When configuring WLAN’s/ SSIDs. The lab refers to SSID-XX replace XX with your pod number where POD01 is for example SSID-01 Unless otherwise indicated, use “admin” for usernames and “IPexpert123” for passwords.


v3150


69




v3150


70




Lab 5: Prerequisites: This lab will rely on the network infrastructure. You will need to pre-configure the network with the base configuration files. If using your own hardware: Login to IPexpert.com, navigate to the “My Downloads” area, download “IPexpert Wireless Volume 1 Configs,” find the Lab 3 INITIAL C onfigs, and copy and paste the proper switch files to the proper devices. If you are using Proctor Labs: Log on to your Wireless vRack Web UI and navigate to near the top of the web page, click the “Load Lab” button and choose: IPexpert WIFI Volume 2 Workbook ! Lab 5 ! INITIAL

v3150


71




v3150

VLAN

VLAN Name

Subnet

Netmask

5

Servers

10.10.210.0

/24

10

HQSwitchMgmt

10.10.10.0

/24

11

HQGuest1

10.10.11.0

/24

12

HQData1

10.10.12.0

/24

13

HQData2

10.10.13.0

/24

14

HQData3

10.10.14.0

/24

15

HQVoice1

10.10.15.0

/24

16

HQVoice2

10.10.16.0

/24

17

HQData4

10.10.17.0

/24

20

MOSwitchMgmt

10.10.20.0

/25

21

MOGuest1

10.10.21.64

/26

22

MOData1

10.10.22.128

/26

23

MOVoice1

10.10.23.192

/26

105

HQServicePort

10.10.105.0

/24

110

HQAAP

10.10.110.0

/24

111

HQWLC1

10.10.111.0

/24

112

HQWLC2

10.10.112.0

/24

113

HQLAP1

10.10.113.0

/24

114

HQLAP2

10.10.114.0

/24

120

MOWLC1

10.10.120.128

/26

121

MOLAP1

10.10.121.192

/26

131

HOAP

192.168.100.0

/24

999

VLAN999

n/a

n/a


72




Port

Connected

Connected

IP Address

CAT1

NA

NA

10.10.10.2

CAT2

NA

NA

10.10.10.3

CAT3

NA

NA

10.10.10.4

CAT4

NA

NA

10.10.20.1

ACS

NIC1

CAT2

Fa0/11

10.10.210.5

WCS

NIC1

CAT2

Fa0/11

10.10.210.6

CME

Fa0/0

CAT1

Fa0/4

10.10.210.20 10.10.205.20 (Loop)

MSE

Eth0

CAT2

Fa0/11

10.10.210.10

WLC1

Po1

CAT2

Gi0/1

10.10.111.10

WLC2

Po1

CAT3

Gi0/1

10.10.112.10

WLC3

Po1

CAT4

Fa0/1

10.10.120.140

WLC4

Po1

CAT2

Fa0/15

10.10.112.20

AAP1

Gi0

CAT1

Fa0/2

10.10.110.100

AAP2

Fa0

CAT3

Fa0/2

10.10.110.101

LAP1

Gi0

CAT1

Fa0/1

10.10.113.x

LAP2

Fa0

CAT2

Fa0/2

10.10.114.x

LAP3

Gi0

CAT3

Fa0/3

10.10.114.x

LAP4

Gi0

CAT4

Fa0/4

10.10.121.x

LAP5

Fa0

CAT4

Fa0/5

10.10.121.x

v3150


73




L2 switching in HQ: The Proctor Labs LAB environment will have some preconfigured equipment. It is up to you to change configuration according to the requirements in this LAB. CAT1, CAT2 and CAT3 in HQ should have independent VLAN databases so no accidents can happen with incorrect VLAN information is distributed. The domain name should be ipexpert-standalone Configure the 2 links between CAT1 and CAT2 to appear as 2 gigabit connection. •

•

•

L3 routing: Site HQ: Do not configure or change anything that is not requested by the LAB. o CAT1 is SVI has always the first IP address from each VLAN network. o CAT2 is SVI has always second IP address in each VLAN network. o VLAN 10 should be .2 on CAT1 and .3 on CAT2 don’t change them. For CAT3 VLAN10 SVI, Use ip address 10.10.10.4/24 o o VLAN 5 ip configuration should not be changed o CAT1 needs to reach WCS. Don´t use a routing protocol to accomplish this. CAT2 need to reach all networks on MO. Use EIGRP. MO should have default route distributed via the routing protocol. Let the SVI interfaces only be advertised in your EIGRP configuration Use the DHCP pool for VLAN12 on CAT1, don´t give out addresses from o 1. -60. Default gateway is .2: CAT4 should be ready to exchange and serve VLAN configuration to other switches.VTP domain should be MO4.Prepare VLAN22 for IPv6 connectivity using IPv6 with dhcp functionality DHCP on CAT4. This will be needed later for clients connecting to WLC3 MOData1-xx SSID. use any link local address you like. o

•

v3150


74



QOS: •

•

•

On all routers and switches, trust layer2 and layer3 QOS markings where appropriate. Between switches trust layer2 QOS tagging. Tune your COS to DSCP mapping (and vice versa) as Cisco best practices recommend VoIP SCCP AVVID gets value of 24 (CS3) instead of the default 26 (AF31) VoIP RTP stream gets value of 46 (EF) instead of the default 40.

Multicast •

•

•

•

•

MO WLC 3 should advertise multicast group for its locally registered AP´s. Use 239.x.x.x where x is the last 3 digits in MO WLC 3 Management IP. All CAT4 VLANs should have multicast routing enabled for CAT4. Use a method that doesn´t flood your network as it should be built for growth later. On your CAT4, use RP address of 10.99.254.254/30. When the IGMP timeout expires (70 seconds), the controller sends a query to all WLANs. Those clients which are listening in the multicast group should send a packet back to the controller. The traffic from MO should have a policy that marks skinny traffic and RTP VOIP traffic with the RTP and Skinny (not encrypted) known udp and tcp ports. Ensure the correct marking is maintained when VoIP traffic enters MO from HQ and vice versa. There will be phones on CAT3 ports 12-19. Voice VLAN is 16. We don´t trust marking over the “cloud” network between MO CAT4 and HQ CAT2. We need to ensure that voice traffic (skinny and sccp) will be marked correctly between MO and HQ. Make a policy that marks this traffic correctly


NTP: •

•

•

v3150

Use NTP server on WCS to synch time for all your network devices including the WLC´s. WCS is 10.10.210.6 Controllers should synch time every 2 hours. CAT1 should be the NTP master for all switches and routers. For routers and switches: use password "ipexpert" for NTP authentication. Use EST timezone -5. Use authentication for your switches.


75


•

•

•

•


CAT1 should answer ntp requests only on VLAN10 and only allow switches and routers in your network to synch time with CAT1. CAT2 uses VLAN10 IP, CAT4 uses VLAN20 IP and CAT3 uses VLAN10 IP address for NTP communications. Allow your ACS 10.10.210.5 to use the NTP on WCS Fix any connectivity issues on WLC1 and other WLCs if there is problem reaching the ntp server. Configure NTP for the autonomous AP´s. Point to CAT1 10.10.10.2 and use timezone EST -5. Fix any network connectivity issues the AAPs might have


•

•

•

•

•

LAP2 (f0/2 on CAT2) and LAP3 (F0/3 on CAT3) should discover WLC2 and WLC4 with DHCP on CAT1. Default gateway is .1 Name the Aps from their default name to the name in table 1. Subnet for those Aps are listed in table 2. Configure your network accordingly. Exclude the range from 1 to 20 and 200 to 254. Make sure that WLC2 will be primary Controller for LAP2 and WLC4Primary controller for LAP3. Mobility group should be named HQ2 for WLC2 and HQ4 for WLC4. LAP2 and LAP3 need to failover between those controllers if primary controller fails. Make sure APs fallback to their primary controller when possible. Fix any network issues that the WLCs might have. LAP4 and LAP5 should join WLC3. LAP4 with DHCP from your CAT4 DHCP server. LAP5 should have manual configured IP as 10.10.121.210 and WLC3 needs to be manually entered for LAP5 to join WLC3. LAP4 and LAP5 are the only APs allowed to join WLC3 with authentication from the ACS server. Set those Aps on VLAN 121 on CAT4. Some parts are preconfigured and need to work. Network might need to be rectified to meet the requirements. Rename the access points to reflect Table 2.


•

v3150

All MO LAP AP Ports should go to STP Forwarding mode immediately with minimum risk. In HQ All switchports with LAP access points should get ip address in the fastest way possible, also block traffic if Bridge Protocol Data Units are advertised over the port. This should be default for all host ports.


76





•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

v3150

A customer company has 2 Autonomous APS AAP1 and AAP2. AAP1 will connect to WLC1 as a WGB (SSID WGB-xx) AAP1 connects to APs on WLC4 on LAP1. join LAP1 to WLC4 Terminate the AAP1 access on WLC1 VLAN11 port 1 (on CAT2) For SSID WGB-xx use wpa2 Advanced encryption standard psk of cisco!cisco DHCP is on CAT1. Use 2,4 GHz for this. WLC1 default group should be HQ1 and WLC5 default mobility group should be HQ5. Avoid loops in your network. CAT2 should be able to ping the AAP1. Set 10.10.11.3 on AAP1 BVI1 interface. Exempt vlan11 on the AAP1 trunk port to ensure the ping will flow wirelessly from Cat2 to AAP1 BVI1 interface through LAP1. Fix any bpdu issues that AAP1 might have but don´t change the defaults configured before AAP1 will connect users on 5 GHz radio using SSID aap1-xx and 802.11i encryption. AAP2 connects to aap1-xx ssid as a WGB and will use VLAN 12 through AAP1. Use EAP-Fast between the APs with authentication stored on ACS. AAP2 BVI1 interface should get a DHCP vlan12 address from CAT1 and be able to ping 10.10.12.1 and vice versa. Filter vlan 12 from CAT3 AAP2 trunk port. EAP-FAST username is fast-xx password fast. Aap1-xx clients will have WPA2 configured but some don´t support encryption in hardware. Advertise necessary IE in your beacons to support hardware and software encryption. points) On 5 GHz UNII-I is severely interfered. Don´t use UNII-I WGB 5 GHz radio is getting a lot of “Reached maximum retries” in its logs and the link is disconnecting frequently. Make the link as reliable as possible so it disconnects less often.


77




WLC management: •

•

In HQ guests should be transported from Other HQ controllers to WLC1. Prepare the Configuration so the guest WLAN traffic can be directed directly to WLC1 in the future. WLC1 default mobility domain should be HQ1, WLC2 HQ2, and WLC4 HQ4. Configure appropriate VLAN interfaces per WLC according to table 3.


Interface

WLC IP Address

Default gateway

WLAN

WLC1

Vlan 11

10.10.11.252/24

10.10.11.1

HQ-guests-XX

WLC2

Management

NA

NA

HQ-guests-XX

WLC2

Vlan 13

10.10.13.50/54

10.10.13.1

Client-Vlan-XX

WLC2

Vlan 15

10.10.15.50/24

10.10.15.1

voip-6ghz-XX

WLC3

Vlan 22

10.10.22.130/26

10.10.22.129

MOData1-XX

WLC4

Management

NA

NA

HQ-guests-XX

WLC4

Vlan 13

10.10.13.51/24

10.10.13.1

Client-Vlan-XX

WLC4

Vlan 15

10.10.15.51/24

10.10.15.1

HQ-guests-XX

VLANs on Switches should already be done and working in the first part of this LAB. •

•

•

v3150

Set up etherchannel for all WLC2 connected interfaces. Ensure that APs are load balanced correctly. QOS needs to be tagged on the all WLC´s Your MO WLC3 controller should do the DCA changes at 9:00, 17:00 and 01:00 for 2,4 GHz


78



AP Priming: •

•

•

On WLC4 scan all available channels for rogues. LAP3 should find rouges as soon as possible WLC1 guest portal should say “Welcome to IPexpert guest network” guests should be able to ping 10.10.120.140 without web authentication. Guest on WLC1 set to bronze QOS queue should get a maximum of 100 Kbps for real time traffic Rogue aps should be treated as major alarms snmp traps on WCS. WCS sends email about rouge aps to [email protected] from the address [email protected] and email server 20.20.20.20 Send controller information with your message. Don´t sent information about power level changes on your WLC3 radios

Guests: •

•

•

•

•

•

•

•

•

•

•

WLC3 uses same default mobility domain as WLC4 but no redundancy or roaming is needed between the controllers. Configure WLC1 port1 to be the primary management port connected to CAT2. Guests on VLAN 11 should go out of port1. Ensure that only existing VLANs to traverse the switch ports. Guest VLAN is VLAN 11. Make the setup redundant for management and guests. Create the WLAN HQ-guests-xx on all HQ WLC´s. HQ WLC´s should transport all guest access traffic to WLC1 Vlan 11.No encryption. Don´t allow static ip addressing of clients. Timeout is 4 hours. Do not advertise Aironet Information Element to avoid interoperability issues with various guest equipment. The guest SSID hast to work on all AP´s in the HQ. Users should have the option of entering their email address on the splash page and connect after that. QOS profile is bronze. Users need to be able to roam between all controllers in HQ. Guests use DHCP on CAT1. Issue 15 address pool starting from 10.10.11.10. Default gateway is CAT1 SVI VLAN 11. DNS is 10.10.210.6 Test the guest connection from the Laptop. The laptop is reachable from the WCS server with VNC at 10.10.210.4 password IPexpert123.


v3150

Configure your ACS to be used on WLC3 for WLAN MOData1-XX in table 3. WLC VLAN 22 IPv4 is 10.10.22.130/26. Test IPV6 connectivity on your client.


79


•


Use EAP-FAST authentication . Username fast password faster. Security is prestandard WPA with hardware encryption.ACS user is acsadmin password IPexpert123

Management: •

WLC4 should be authenticated by tacacs on ACS server. Use admin and password of tacacs for administrators. Also create a lobby admin user lobby password lobby.123 after the tacacs is working, change admin password to IPexpert123 in ACS

Clean AIR: •

•

Your WLC4 should detect and report microwave ovens and Bluetooth devices on capable access points in the 2.4 GHz frequency. For capable access points, monitor and report Bluetooth and microwave ovens interference. There is no requirement for anything else available. The event driven Radio resource management should be set to the lowest value.


WCS: Management: •

Administrate all WLC´s with WCS using most secure Simple Network Management Protocol. No other methods should be available. User WCS with password ipexpert.snmp.123$ for your authentication.

MAPs: •

v3150

Locate all WiFi clients that live on Campus IPX, building1, floor1 map on your WCS. Position the AP´s for best location tracking. Campus is 1000 by 1000 feet. Building is 500 by 900 feet. Floor is 200 by 100 feet. Horizontal number first. MSE IP is 10.10.210.10 use encrypted method to communicate WCS to MSE.


80



Clean Air: •

Locate and report Clean-air interference in MSE (show icons and zone of impact). Gather 1 day report from your campus regarding the worst interference. Save a clean air report on your WCS desktop. Name it cleanair.pdf


Wireless Voice: •

•

•

•

•

•

•

v3150

On WLC2 and WLC4 in HQ: Deploy SSID VoIP-XX. Terminate at VLAN 15. WLC IP information in table 3. DHCP is on CAT1.Default gateway is CAT1 VLAN15 SVI. Take care of IP conflict in your DHCP configuration. Use 2.4 OFDM only Phones on this SSID should get a maximum of 125kbps voice traffic. Use Platinum Use WPA2 encryption and ensure that Cisco 7925 phones can roam seamlessly. Phone uses EAP-FAST authentication. On your ACS configure the user phone with password of ipexpert Test it from your AnyConnect . Company policy doesn´t allow for more than 2 devices to log on to the wireless network with the same user credentials. Make it so on WLC4


81

Xxipexpert Peter Saltarelli Wireless Volume 2 Workbook Complete

Recommend Documents