
QUESTIONS SET

LAB 1
Real Labs V2



www.cciewirelesslabs.com

www.cciewirelesslabs.com 05-July-2013














GENERAL GUIDELINES

1. Read all of the questions in a section before you start configuring. It is
recommended that you read the entire lab before you proceed with any
configuration.

2. Exam questions have dependencies on others. Read through the entire lab to
help identify these questions and the best order of configuration. Sections need not
be completed in the order presented in the lab.

3. Questions may include verification output that can be used to check your
solutions. Highlighted values in verification output MUST be matched to
ensure correctness.

4. If you need clarification of the meaning of a question, or if you suspect that
there may be hardware problems in your equipment, contact the lab proctor as soon
as possible.

5. The equipment on the rack assigned to you is physically cabled, so do NOT
tamper with it. Before starting the exam, confirm that all devices in your rack are in
working order. During the exam, if any device is locked or inaccessible for any
reason, you must recover it. When you finish the exam, ensure that all devices are
accessible to the grading proctor. A device that is not accessible for grading cannot
be marked and may cause you to lose substantial points.

6. Knowledge of implementation and troubleshooting techniques is part of the lab
exam.

7. Points are awarded only for working configurations. Towards the end of the
exam, you should test the functionality of all sections of the exam.

8. You will be presented with pre-configured equipment.

The following pre-configurations should NOT be changed:
Terminal server password for clearing the lines: Cisco (user mode only)
All APs: default username Cisco and password Cisco
Enable password for all IOS devices: Cisco
Device hostnames (except the LAP boot names, which need to be changed; see question 2.1)
Console configuration

9. If a WLC has to be initialized, always use username admin and password Cisco123



10. Throughout the exam, assume:
YY is your assigned 2-digit pod number. For example, the YY value for pod 3 is 03
X is any number

11. Unless specifically mentioned, or a change is needed by a question, leave all settings at their
default values

12. Do the whole lab on the 2.4 GHz band only, unless explicitly stated otherwise in a
question.

13. Ignore all rogues or SSIDs belonging to your pod that are visible through your
equipment, except when explicitly mentioned in the lab questions.

14. An NTP server is available at 192.168.129.13

15. At the end of the lab, make sure you re-enable all radios you shut down for testing purposes


















FIGURE 1: CONCEPTUAL DIAGRAM












FIGURE 2: LOGICAL DIAGRAM














FIGURE 3: PHYSICAL CONNECTION













FIGURE 4: REMOTE PHYSICAL CONNECTION











FIGURE 5: SUBNETWORKS










VLAN name            Network/Mask        VLAN ID   Default GW         Area
ISP Central          192.168.128.0/24    128       192.168.128.254    Central
Management           192.168.129.0/24    129       192.168.129.1      Central
Voice                192.168.130.0/24    130       192.168.130.1      Central
Management Guest     192.168.136.0/24    136       192.168.136.1      Central
DMZ Guest            192.168.137.0/24    137       192.168.137.1      Central
Non Routed           192.168.138.0/24    138       Not routed         Central
PEAP                 192.168.141.0/24    141       192.168.141.1      Central
All EAP types        192.168.142.0/24    142       192.168.142.1      Central
Contractors          192.168.143.0/24    143       192.168.143.1      Central
Service ports        172.16.0.0/24       172       172.16.0.1         Central
APs 1                192.168.132.0/24    300       192.168.132.1      Central
APs 2                192.168.133.0/24    301       192.168.133.1      Central
ISP Remote           192.168.144.0/24    144       192.168.144.254    Remote
Management Remote    192.168.145.0/24    145       192.168.145.1      Remote
Voice Remote         192.168.146.0/24    146       192.168.146.1      Remote
Data Remote          192.168.147.0/24    147       192.168.147.1      Remote
Non Routed Remote    192.168.148.0/24    148       Not routed         Remote
APs                  192.168.149.0/24    149       192.168.149.1      Remote
Home Office          192.168.200.0/24    X         192.168.200.1      Home office


FIGURE 6: LAB ACCESS
As part of your lab setup, the following will be available:

A home-office AP (1040) and a Cisco Wireless IP Phone (7925G)
Candidate PC: the PC physically at your desk
WCS
MSE
ACS
A client PC with the AnyConnect client to connect to your SSIDs
A syslog server

System          Access                                     Address / URL                      Username        Password
WCS (host OS)   Reachable from the candidate PC via RDP    WCS AD login                       Administrator   Cisco123
WCS             WCS login                                  192.168.129.11                     root            Cisco123
MSE             Reachable from WCS via SSH                 192.168.129.14                     root            Cisco123
ACS             Reachable from WCS via HTTPS               https://192.168.129.10/acsadmin    admin           Cisco123
Client PC       Reachable from the candidate PC via RDP                                       admin           Cisco123
Syslog server   Kiwi, available on WCS (192.168.129.11)

(The WCS and MSE addresses above are the ones used in sections 2.4, 5.1 and 5.2.)










1. L2/L3 Infrastructure to support WLANs

1.1 Configure IPv4 routing infrastructure

Configure an OSPF process in the Central Office (see Fig. 5) between 6504-A and 6504-B as per
the following requirements:

Establish dynamic router neighbor peering using only VLAN129
Suppress OSPF advertisements (hellos) on all other interfaces between 6504-A and 6504-B
6504-B must learn and actively use a default route received via dynamic OSPF update from
6504-A

Verification (output truncated):
6504-2#show ip route
O*E2 0.0.0.0/0 [110/1] via 192.168.129.2, 00:00:06, Vlan129
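One way to meet the three requirements, as an added example that is not part of the original workbook. The OSPF process ID, area 0, the router IDs and the 6504-B VLAN129 address (192.168.129.3) are assumptions; 192.168.129.2 as the 6504-A VLAN129 address is taken from the verification output above. The O*E2 metric of 1 in that output is exactly what default-information originate produces.

```cisco
! 6504-A: originates the default route and forms an adjacency only on VLAN129
! (process ID 1, area 0 and the router IDs are assumptions; the task fixes none of them)
router ospf 1
 router-id 192.168.129.2
 passive-interface default
 no passive-interface Vlan129
 network 192.168.129.0 0.0.0.255 area 0
 default-information originate always
!
! 6504-B (hostname 6504-2): peers on VLAN129 only and learns the default route
! (192.168.129.3 is an assumed address)
router ospf 1
 router-id 192.168.129.3
 passive-interface default
 no passive-interface Vlan129
 network 192.168.129.0 0.0.0.255 area 0
!
! Verification on 6504-B
! show ip ospf neighbor     -> exactly one neighbor (192.168.129.2) in FULL state on Vlan129
! show ip protocols         -> "Passive Interface(s)" lists every SVI except Vlan129
! show ip route 0.0.0.0     -> O*E2 0.0.0.0/0 [110/1] via 192.168.129.2, Vlan129
```

passive-interface default is also the right security posture: hellos leave only on the management VLAN, so nothing on the client, guest or AP VLANs can form an adjacency and inject routes. OSPF neighbor authentication on VLAN129 is not asked for by the task but is the natural next step.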

1.2 Configure IPv4 HA infrastructure

Complete the configuration of the first-hop redundancy (HA) topology for all preconfigured VLAN
interfaces in the central office (see Fig. 5) as per the following requirements:

6504-A should be the active router for all existing VLAN interfaces in the 129-137
VLAN-ID range
6504-B (hostname 6504-2) should be the active router for any remaining VLAN interfaces (141-143,
300-301)
Provide redundancy if the active interface is down
Make sure the router with the highest priority becomes the active router
whenever it is available
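As an added example (not from the workbook), an HSRP configuration that satisfies the four points for one VLAN of each group; HSRP is the protocol chosen here since the task names none. The virtual addresses come from the Fig. 5 default-gateway column; the physical .2/.3 addresses, the group numbers and the 110/100 priorities are assumptions.

```cisco
! 6504-A: active for VLAN 129-137 (priority 110 + preempt), standby for 141-143 and 300-301
interface Vlan129
 ip address 192.168.129.2 255.255.255.0
 standby 129 ip 192.168.129.1
 standby 129 priority 110
 standby 129 preempt
!
interface Vlan141
 ip address 192.168.141.2 255.255.255.0
 standby 141 ip 192.168.141.1
 standby 141 preempt
!
! 6504-B (hostname 6504-2): the mirror image
interface Vlan129
 ip address 192.168.129.3 255.255.255.0
 standby 129 ip 192.168.129.1
 standby 129 preempt
!
interface Vlan141
 ip address 192.168.141.3 255.255.255.0
 standby 141 ip 192.168.141.1
 standby 141 priority 110
 standby 141 preempt
!
! Repeat the same pattern for VLAN 130, 136, 137 (6504-A preferred) and
! 142, 143, 300, 301 (6504-B preferred). "preempt" on both routers is what makes
! the highest-priority router take over again as soon as it is back.
!
! show standby brief   -> State Active/Standby per VLAN; "P" marks groups that preempt
```

HSRP's default authentication is the cleartext string cisco; the task does not ask for it, but in production standby <group> authentication md5 key-string <key> on both routers keeps a host on the VLAN from electing itself the virtual gateway.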








1.3 Configure HA on the switching infrastructure

Configure spanning-tree (STP) high-availability operation for the
preconfigured VLANs in the central office (Fig. 5) as per the following requirements:

6504-A should be the STP root for all existing VLANs in the 129-137 range
6504-B should be the STP root for all existing VLANs in the ranges 141-143 and 300-301
On the 2960-central switch, prevent STP loops on switch ports running PortFast.
If another switch running spanning tree is connected to such a port, the port
should be disabled. Use only one command to achieve this task.

Set up a 2 x Gigabit Ethernet link between 6504-A and 6504-B.
Make sure that downstream traffic to an access point as well as upstream traffic from that
access point always enters on the same port.
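An added example (not from the workbook) covering the STP roots, the single 2960 command and the two-port link. The EtherChannel member ports (4/7-8) and the channel number are assumptions; the workbook does not name them.

```cisco
! 6504-A
spanning-tree vlan 129-137 root primary
spanning-tree vlan 141-143,300-301 root secondary
!
! 6504-B
spanning-tree vlan 141-143,300-301 root primary
spanning-tree vlan 129-137 root secondary
!
! 2960-central: one global command. Every PortFast port gets BPDU Guard, so a switch
! (or anything else) sending BPDUs into an edge port err-disables that port.
spanning-tree portfast bpduguard default
!
! 2 x GigabitEthernet between 6504-A and 6504-B as an LACP EtherChannel
! (member ports are assumed). Configure the same on both 6504s.
interface range GigabitEthernet 4/7 - 8
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode active
!
interface Port-channel1
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
! Same hash input in both directions: the AP/WLC source-destination IP pair selects
! the same member link downstream and upstream. Set on both 6504s.
port-channel load-balance src-dst-ip
!
! Verification
! show spanning-tree root          -> root bridge per VLAN
! show spanning-tree summary       -> "Portfast BPDU Guard Default is enabled"
! show etherchannel summary        -> Po1(SU), both members (P)
! show etherchannel load-balance
```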


1.4 Configure QoS on the switching infrastructure

The QoS configuration for the connections to the central-office and remote-office WLCs
needs to be configured according to the following QoS table:

QoS profile   AVVID IP DSCP   AVVID 802.1p
Platinum      48 (CS6)        6
Platinum      46 (EF)         5
Gold          34 (AF41)       4
Gold          26 (AF31)       3
Silver        18 (AF21)       2
Bronze        10 (AF11)       1
Silver        0 (BE)          0

Configure the central and remote switches and the WLCs to meet the following
requirements:

The WLC imposes a QoS egress frame classification process using WLC default settings
for all interfaces and frame types
WLC egress traffic conforms such that the infrastructure can trust the WLC QoS
classification limits for all interfaces and frame types
Switch ports should trust the WLC egress QoS classification
Switch port queuing of WLC egress classifications is consistent with the table above
AP switch ports trust the AP-imposed QoS marking with respect to user traffic
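An added example (not from the workbook) of one configuration that matches the table. The interface numbers are assumptions; the key point is that a Catalyst's default CoS-to-DSCP map (0 8 16 24 32 40 48 56) does not match the AVVID column, so the map must be rewritten before trusting CoS from the WLC.

```cisco
! Catalyst side (6504-A/B for the central WLCs, 3560-remote for 5508-4).
! Interface numbers are assumptions.
mls qos
mls qos map cos-dscp 0 10 18 26 34 46 48 56
!
! Ports towards the WLC: trust the 802.1p tag the WLC sets; DSCP is derived via the map
interface range GigabitEthernet 4/9 - 10
 mls qos trust cos
!
! Port towards an AP: the AP already copies the client's priority into the CAPWAP
! outer header, so trust DSCP there
interface GigabitEthernet 4/3
 mls qos trust dscp
!
! WLC side (AireOS CLI, all four 5508s). WLANs must be disabled while the profiles
! are edited. The tag is the upper bound each profile may put on the wire
! (the AVVID 802.1p column).
config qos protocol-type platinum dot1p
config qos dot1p-tag platinum 6
config qos protocol-type gold dot1p
config qos dot1p-tag gold 4
config qos protocol-type silver dot1p
config qos dot1p-tag silver 2
config qos protocol-type bronze dot1p
config qos dot1p-tag bronze 1
!
! Verification
! show mls qos maps cos-dscp
! show mls qos interface GigabitEthernet 4/3
! show qos platinum
```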


2. Infrastructure Application Services

2.1 Troubleshooting discovery mechanisms

The customer is experiencing issues with the APs joining the WLAN controllers at the
central and remote locations. Perform the appropriate configuration and
troubleshooting steps to have all the APs registered, and make sure that APs always go
back to their primary WLC regardless of the mobility state. Also check that the radio
interfaces (as required throughout the exam) are UP on all APs.

At the central site, troubleshoot the discovery mechanism using the preconfigured VLAN
pools on both 6504-A and 6504-B without adding any additional commands. The
AP names and AP-to-WLC pairing should reflect the assignment in the table below:

Switch port          AP name    Primary   Secondary
6504-1 g4/3          L3500-1    5508-1    5508-2
6504-1 g4/5          L3500-2    5508-1    5508-2
2960-central f0/1    L3500-3    5508-2    5508-1
6504-2 g4/1          L3500-4    5508-2    5508-1

At the remote site you need to rely on the broadcast messages sent by the APs for
discovery. The AP names and AP-to-WLC pairing should reflect the assignment in the table
below:

Switch port          AP name    Primary   Secondary
3560-remote g0/1     L1260-1    5508-4    None
3560-remote g0/2     L1260-2    5508-4    None

Note: the L1040 at the home office will be configured in question 4.7
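An added example, not from the workbook, of what the three discovery pieces look like: the DHCP option 43 value to check in the pre-configured central pools, the relay the remote 3560 needs for the APs' broadcast discovery, and the AireOS commands for naming, primary/secondary and fallback. The pool name, the WLC management addresses (192.168.129.21/.22 and 192.168.145.21), the factory AP names and the SVI being on the 3560 are all assumptions.

```cisco
! --- Central site: IOS DHCP pools on the 6504s already exist; compare their option 43
! --- against the format the AP expects: type 0xf1, length = 4 * (number of WLCs),
! --- then each controller IPv4 address in hex. Addresses below are assumptions.
ip dhcp pool AP-POOL-1
 network 192.168.132.0 255.255.255.0
 default-router 192.168.132.1
 option 43 hex f108c0a88115c0a88116
 ! f1 08 | c0a88115 = 192.168.129.21 | c0a88116 = 192.168.129.22
!
! Check:        show run | section ip dhcp pool
! On the AP:    debug capwap client event     (lists discovery responses received)
!
! --- Remote site: the 1260s only broadcast, and 5508-4 is not on the AP VLAN, so the
! --- SVI for VLAN 149 must relay the CAPWAP discovery broadcast (UDP 5246) to it.
! --- ip helper-address alone forwards only the default UDP set; 5246 must be added.
ip forward-protocol udp 5246
interface Vlan149
 ip helper-address 192.168.145.21
!
! --- WLC (AireOS CLI) on the controller each AP is joined to. Factory AP names and
! --- controller addresses are assumptions.
config ap name L3500-1 AP0000.1111.2222
config ap primary-base 5508-1 L3500-1 192.168.129.21
config ap secondary-base 5508-2 L3500-1 192.168.129.22
config ap name L1260-1 AP0000.3333.4444
config ap primary-base 5508-4 L1260-1 192.168.145.21
!
! APs return to their primary whenever it is reachable, mobility state or not
config network ap-fallback enable
!
! show ap summary                   -> registered APs and names
! show ap config general L3500-1    -> Primary/Secondary Cisco Switch Name and IP
```

Option 43 and the broadcast relay only point the AP at a controller; the join itself is still gated by the AP/WLC certificate exchange, which is why a wrong option 43 value shows up as "no discovery response" rather than as a join to the wrong box.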







2.2 Troubleshoot DHCP services

You are troubleshooting wireless client DHCP issues for central-office APs on the
6504-A IOS DHCP server using the IOS DHCP debug output. To help you troubleshoot,
make sure you are able to identify the AP Ethernet MAC address for a given wireless client
association within the debug output.

2.3 Configure WLC Management

Enable secure SNMP communications on all WLCs using the strongest authentication and
encryption methods available.

Use the details below:

Username: admin
Authentication and encryption password: Cisco123


2.4 Troubleshoot and configure syslog

Configure syslog on the devices listed below to point to the syslog server running on
192.168.129.11. The syslog level should be set to warning and the local7
facility should be used.

This should be done on the following devices:

5508-1, 5508-2, 5508-3, 5508-4
All CAPWAP APs
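The AireOS commands for 2.4, as an added example that is not part of the workbook. Nothing here is assumed beyond the AP name used in the verification line.

```cisco
! Repeat on 5508-1, 5508-2, 5508-3 and 5508-4
config logging syslog host 192.168.129.11
config logging syslog level warnings
config logging syslog facility local7
!
! Push the same collector to every CAPWAP AP joined to this controller
config ap syslog host global 192.168.129.11
!
! Verification
! show logging                      -> remote host, level and facility for the WLC
! show ap config general L3500-1    -> "AP Syslog Host" line (AP name assumed)
```

Syslog here is UDP/514 in the clear; the collector sits on the management VLAN, so that VLAN is the trust boundary for everything the controllers and APs report.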

2.5 Configure and troubleshoot RADIUS

Configure the RADIUS server to peer with all WLCs without using any IP-address-based
configuration. Configure the WLCs to peer with the RADIUS server.






3. Autonomous deployment model

3.1 Troubleshoot WGB connectivity

Outside the central office there is a truck loading bay where a forklift truck operates
(see Fig. 1). The 1260-BR1 is mounted outside building 1 and the 1260-BR2 is mounted on the
forklift truck.

Two 1260 APs (1260-BR1 and 1260-BR2) in NEMA enclosures are used to bridge the
traffic to a handheld device that is attached to the wired interface of the 1260-BR2.

However, connectivity to the handheld device from the wired network fails.
Troubleshoot and fix the issue so that connectivity is restored, using the 802.11a/n radio
and the implemented SSID and AP modes. The WGB must be able to connect at 802.11n MCS
rates.

Verify connectivity by pinging the client (192.168.143.3) from 6504-B

3.2 Configure WGB roaming behavior

In a couple of months, additional APs are going to be installed in the building where
the forklift operates.

Configure the WGB to optimize its roaming process based on the requirements below:

The current root bridge and all the new APs will be configured to use only
UNII-1 channels, to avoid DFS concerns and outdoor bridging channels.

The table below shows the 5 GHz receiver sensitivity of the 1260 WGB. The
WGB should roam if the RSSI is not sufficient to maintain an 802.11a link of at
least 54 Mb/s, without changing the radio data-rate configuration. To support
the forklift application, the wireless link must be at least 24 Mb/s. When the
forklift WGB thinks it needs to roam, it should check for a better AP every 10 seconds.


802.11a (non-HT20) receiver sensitivity
-93 dBm @ 6 Mb/s
-93 dBm @ 9 Mb/s
-92 dBm @ 12 Mb/s
-90 dBm @ 18 Mb/s
-87 dBm @ 24 Mb/s
-84 dBm @ 36 Mb/s
-79 dBm @ 48 Mb/s
-79 dBm @ 54 Mb/s
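The corresponding autonomous IOS configuration on the workgroup bridge, as an added example that is not part of the workbook. The numbers are read straight from the requirements: 54 Mb/s needs -79 dBm in the table, so the roam threshold is 79; 24 Mb/s is the floor; 10 seconds is the re-check period; UNII-1 is channels 36, 40, 44 and 48. That Dot11Radio1 is the 5 GHz radio on the 1260 is the only assumption.

```cisco
! 1260-BR2 (the forklift WGB)
interface Dot11Radio1
 station-role workgroup-bridge
 ! Scan only the UNII-1 channels the root bridge and the new APs will use
 mobile station scan 36 40 44 48
 ! Start looking for a better parent once RSSI drops below the -79 dBm that 54 Mb/s
 ! needs (table above); while in that state, re-evaluate every 10 seconds
 mobile station period 10 threshold 79
 ! Never settle for a parent that cannot sustain the 24 Mb/s the forklift application needs
 mobile station minimum-rate 24.0
!
! Verification
! show dot11 associations all-client          -> current parent, RSSI, negotiated rate
! show running-config interface Dot11Radio1
```

The data-rate configuration itself is untouched, as the task requires; the threshold only decides when the WGB starts scanning, and minimum-rate decides which candidates it will accept.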


4. UNIFIED deployment model


The customer wants to provide secure wireless services to different types of users.
The following table lists the WLANs to be configured throughout questions
4.1 to 4.7 in this section.

SSID           Sites where available                          Notes
DataAYY        Central (5508-1, 5508-2)
DataBYY        Central (5508-1, 5508-2)
DataRYY        Remote (5508-4)
VoiceYY        Central (5508-1, 5508-2) and Home Office      See section 6
ContractorYY   Central (5508-1, 5508-2)
GuestYY        Central (5508-1, 5508-2) and Remote (5508-4)


Notes:
All WLAN profiles should be configured for 2.4 GHz only.
The profiles for Data, Contractor and Guest have been pre-configured on the
client PC. Use the AnyConnect profiles for testing purposes.
Use the pre-configured ACS account user1, password Cisco123, for testing
the data 802.1X profile.
The 5508-3 will only be used for the home-office AP and DMZ termination.
If you need a password or key and it is not specified, use Cisco123

4.1 Central site Data WLAN

Configure the DataAYY and DataBYY WLANs at the central site to provide the following
characteristics:

Use WPA2 with an encryption method that supports MCS rates
Map the DataAYY and DataBYY WLANs to VLAN138 by default
If a client fails the 802.1X authentication process 3 times, it should be
denied network access on the 4th attempt for 5 minutes
Provide an AAA override policy as per the WLAN and protocol decision table below








WLAN and EAP protocol decision table (the value is the VLAN assigned by AAA override):

WLAN       PEAP   EAP-FAST   Additional EAP methods
DataAYY    141    138        Auth-fail
DataBYY    142 for every EAP method (the "All EAP types" VLAN in Fig. 5)
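The WLC side of 4.1, as an added example that is not part of the workbook. The per-EAP-method VLAN decisions in the table are made on ACS (authorization profiles returning the tunnel VLAN attributes); what the controller needs is AES, 802.1X, AAA override and the exclusion policy. WLAN ID 1, the dynamic interface name non-routed, the RADIUS shared secret and the server index are assumptions; ACS is 192.168.129.10 per Fig. 6.

```cisco
! 5508-1 and 5508-2 (AireOS CLI). Substitute your pod number for YY.
config radius auth add 1 192.168.129.10 1812 ascii Cisco123
config radius auth enable 1
!
config wlan create 1 DataAYY DataAYY
config wlan interface 1 non-routed                    ! dynamic interface on VLAN 138 (name assumed)
config wlan radio 1 802.11bg                          ! 2.4 GHz only, per the section notes
config wlan security wpa enable 1
config wlan security wpa wpa1 disable 1
config wlan security wpa wpa2 enable 1
config wlan security wpa wpa2 ciphers aes enable 1    ! CCMP: 802.11n MCS rates are not allowed with TKIP
config wlan security wpa wpa2 ciphers tkip disable 1
config wlan security wpa akm 802.1x enable 1
config wlan radius_server auth add 1 1
config wlan aaa-override enable 1                     ! accept the VLAN ACS returns (141 / 138 / 142)
config wlan exclusionlist 1 300                       ! an excluded client stays out for 5 minutes
config wlan enable 1
! DataBYY: the same commands with WLAN ID 2 and the DataBYY name
!
! Global client-exclusion policy: three consecutive 802.1X failures exclude the
! client on its fourth attempt, for the per-WLAN timeout set above
config wps client-exclusion 802.1x-auth enable
!
! Verification
! show wlan 1          -> "Exclusionlist Timeout", "AAA Override", "WPA2 AES"
! show wps summary     -> "Excessive 802.1x Authentication Failures ... Enabled"
```

AAA override is the control that lets a RADIUS decision move a client off the non-routed default VLAN; with it disabled, every client would land on VLAN 138 regardless of what ACS returns.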


4.2 Central site contractor WLAN

The ContractorYY WLAN should be configured to provide access to third-party
contractors that need to use the network at the central site, as follows:

Use WPA2 with AES (pre-shared key), to avoid dealing with different contractor 802.1X supplicants
Map the ContractorYY WLAN to VLAN143 by default
Since the customer does not have control over the contractor devices, make sure
that they do not trigger any transmit power changes on the APs
Restrict contractors to 802.11b/g data rates only, without impacting other WLANs


4.3 Troubleshooting client roaming behavior

It has been identified that phones moving from APs on 5508-1 to APs on 5508-2 (and vice
versa) using CCKM are not able to roam seamlessly and are forced to fully re-authenticate.
Troubleshoot the issue to fix this behavior.


4.4 Remote site data WLAN

When the APs are connected to the WLC, configure the DataRYY WLAN at the remote site to
provide the following characteristics:

Use WPA2 with an encryption method that supports MCS rates
Map the DataRYY WLAN to VLAN148 by default
EAP-TLS client authentication should be placed on VLAN147. All other EAP
protocol attempts should result in a failed authentication
RADIUS traffic sourced from the remote WLC management interface is failing.
This needs to be fixed without changing the ACS NAS peering configuration




4.5 Remote site data WLAN HA

When the APs cannot connect to the WLC, configure the DataRYY WLAN at the remote site
to provide the following characteristics:

Use WPA2 with an encryption method that supports MCS rates
802.1X/EAP authentication should use the centralized ACS server
CCKM fast secure roaming should be provided for any client sessions that existed
prior to the WLC connection being lost
EAP-TLS client authentication should be placed on VLAN147. All other EAP protocol
attempts should result in a failed authentication

4.6 Guest services

Configure and troubleshoot the GuestYY WLAN at the central and remote sites as
follows:

Guest users should be placed on the DMZ Guest VLAN, terminating at 5508-3
Map the WLAN to the non-routed VLAN138 on WLCs 5508-1 and 5508-2 and to the
non-routed VLAN148 on 5508-4
Peer-to-peer communication between guest clients should be prevented
Client devices should not trigger any power changes on the APs
Clients using static IP addresses should not be allowed access
Users should be asked for their e-mail address before obtaining access to the network
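An added example, not from the workbook, of the guest WLAN on the foreign controllers with 5508-3 as the mobility anchor; anchoring is what puts guest traffic on the DMZ VLAN without it ever being switched onto an internal VLAN. WLAN ID 6, the dynamic interface names (non-routed, dmz-guest) and the 5508-3 management address (192.168.129.23) are assumptions, and 5508-3 must already be a member of the foreigns' mobility list.

```cisco
! 5508-1 / 5508-2 (and 5508-4 with its own VLAN 148 interface): foreign controllers
config wlan create 6 GuestYY GuestYY
config wlan interface 6 non-routed                            ! VLAN 138 here, VLAN 148 on 5508-4
config wlan radio 6 802.11bg
config wlan security wpa disable 6
config wlan security web-passthrough enable 6
config wlan security web-passthrough email-input enable 6     ! ask for an e-mail address, no credentials
config wlan peer-blocking drop 6                              ! guest-to-guest frames are dropped by the WLC
config wlan dhcp_server 6 0.0.0.0 required                    ! static-IP clients never pass the DHCP state
config wlan chd 6 disable                                     ! guest clients cannot trigger coverage-hole power changes
config wlan mobility anchor add 6 192.168.129.23              ! 5508-3 management address (assumed)
config wlan enable 6
!
! 5508-3 (anchor): identical WLAN, mapped to the DMZ guest interface and anchored to itself
config wlan create 6 GuestYY GuestYY
config wlan interface 6 dmz-guest                             ! VLAN 137
config wlan security wpa disable 6
config wlan security web-passthrough enable 6
config wlan security web-passthrough email-input enable 6
config wlan peer-blocking drop 6
config wlan dhcp_server 6 0.0.0.0 required
config wlan mobility anchor add 6 192.168.129.23
config wlan enable 6
!
! Verification
! show wlan 6                    -> Peer-to-Peer Blocking, DHCP Address Assignment Required,
!                                   Web Passthrough with email input
! show mobility anchor wlan 6    -> anchor 192.168.129.23, status Up
```

On the foreign controllers the non-routed interface only exists so the WLAN has something to bind to; the client's DHCP, web passthrough and actual data path all happen on the anchor.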


4.7 Configuring and troubleshooting the home office solution

The customer wants to provide secure wireless services to employees who work
remotely. The solution must provide the following characteristics:

The APs used by home-office employees should connect to WLC 5508-3 using IP
address 192.168.128.33. NAT is preconfigured on the path to the home office
Make sure that APs on the rest of the infrastructure cannot join WLC 5508-3. Do not use
ACLs
All traffic should be tunneled back using DTLS
The AP should allow the user to create (if needed) a local SSID for his home network
The home AP currently in use should be named L1040



Note:

For console access to the L1040, refer to the MOTD on your comm server


4.8 Channel assignment

The customer wants to configure the Unified infrastructure to self-adapt to the
RF environment. The following tasks should be accomplished:

The customer is worried that channel changes might disrupt company operations, so
he has asked that on all sites, changes are triggered only during personnel shift changes,
which occur starting at 8am and recur every 6 hours under normal conditions
(severe interferer presence is not taken into account during this interval).

To have some level of predictability when all central WLCs are online, the customer wants
to designate 5508-1 as the one in charge of making any RF decisions.


4.9 Implementing CleanAir

The deployment of 3500 series APs at the central site was driven by too many problems
suspected to be caused by RF issues.

Enable DCA to take into consideration the spectrum information provided
by the APs, making sure that a channel change is triggered when the air quality
index drops below a value of 60
Allow a cost-metric bias to be added to the DCA calculation when non-Wi-Fi interferer
devices are identified


4.10 Rogue detection

The customer has a strict policy that no other wireless services (either IBSS or ESS) should
be present on the headquarters premises. The exception to this policy is the rogue AP detection in
question 5.3.

Given the distance to other buildings, on the central site we want to raise an alarm
for any rogue that is heard with a signal stronger than -88 dBm.

The network must not take any action against such rogues.



5. WCS

5.1 WCS Initial configuration

The network infrastructure has a WCS available in the central office with the IP address
192.168.129.11. The username is root, password Cisco123. You can use WCS to configure
any setting as needed during the exam.

Tasks to be completed:

Add all your controllers to WCS for centralized management
The customer is concerned about the security of the connection between WCS
and the different controllers. Make sure all management communication between
them is authenticated and encrypted. No default users or communities should
remain on the WLCs
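The controller side of both 2.3 and this task, as an added example that is not part of the workbook. On AireOS 7.x the strongest SNMPv3 options are HMAC-SHA authentication and AES-128-CFB privacy; the same user is then what WCS uses to add each controller (SNMPv3, auth SHA, priv AES-128, passphrase Cisco123). The task dictates one passphrase for both auth and priv; that is the only thing here I would not carry into production.

```cisco
! On every WLC (AireOS CLI)
config snmp v3user create admin rw hmacsha aescfb128 Cisco123 Cisco123
!
! Remove what ships enabled: the v3 user "default" and the v1/v2c communities
config snmp v3user delete default
config snmp community delete public
config snmp community delete private
!
! "Authenticated and encrypted" leaves no room for v1/v2c at all
config snmp version v1 disable
config snmp version v2c disable
config snmp version v3 enable
!
! Verification
! show snmpv3user        -> only "admin", HMAC-SHA / AES-CFB128
! show snmpcommunity     -> no communities listed
! show snmpversion       -> v1 and v2c disabled, v3 enabled
```

Do the WCS "Add Controller" step after this, not before: WCS defaults to v2c with the public/private communities, and a controller added that way keeps working right up to the moment the communities are deleted.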


5.2 Troubleshooting MSE Context Aware Services

The network infrastructure has an MSE in the central office with the IP address
192.168.129.14, which is currently unreachable. The username is root, password Cisco123.

Tasks to be completed:

Synchronize the MSE using the CAS service on all maps and all WLCs
Verify that the NMSP status in WCS for all WLCs is active
Verify that NMSP on all WLCs is properly transmitting and receiving traffic











6. WLAN Services

6.1 Voice infrastructure setup

The wireless infrastructure will provide voice services for 7925-based phones to the
central and home-office users. Map the VoiceYY WLAN to VLAN130 by default.

The following requirements from the customer must be met:

Every other beacon should be without a TIM element. This must not affect other
WLANs
The encryption must not be affected by the TKIP hold-off timer, and must use the
highest encryption method available
RF contention windows for wireless clients must be optimized for voice and
video
Test with the 2.4 GHz radios, as per the lab infrastructure design
Authentication must use 802.1X with centralized key management, and a full
re-authentication should take place once a day
Calls should be rejected if the RF utilization per AP radio is exceeded. This must be done
dynamically per AP
Only WMM-aware clients must be able to connect to this SSID
CAC should accept the default value used by the phones as the minimum rate
It is expected that the deployment will follow normal deployment guidelines:

1) DHCP requirement must not be enabled
2) Aironet extensions are enabled
3) P2P blocking is disabled
4) MFP client is not enabled
5) Band select is not enabled
6) Load balancing is not enabled
7) 802.11b/g beacons are transmitted at 11 Mb/s
8) Do not use data rates below 11 Mb/s for transmission and retries
9) Devices must adapt to the power used by the AP
10) WLAN CoS tagging should allow phone priority frames
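An added example, not from the workbook, mapping the requirement list above onto the AireOS WLAN and 2.4 GHz radio commands. WLAN ID 5 and the dynamic interface name voice are assumptions; the CAC minimum-rate requirement is left at its default. The band-wide settings at the end are global and affect every WLAN on 2.4 GHz, which is why the DTIM change is made per WLAN rather than on the radio.

```cisco
! 5508-1 / 5508-2 (AireOS CLI). Substitute your pod number for YY.
config wlan create 5 VoiceYY VoiceYY
config wlan interface 5 voice                         ! VLAN 130 (interface name assumed)
config wlan radio 5 802.11bg
config wlan qos 5 platinum                            ! voice class: phone priority frames are kept
config wlan wmm require 5                             ! non-WMM clients cannot associate
config wlan dtim 802.11b 5 2                          ! TIM in every other beacon, this WLAN only
config wlan security wpa enable 5
config wlan security wpa wpa2 enable 5
config wlan security wpa wpa2 ciphers aes enable 5    ! CCMP only: no TKIP, so no TKIP countermeasure hold-off
config wlan security wpa wpa2 ciphers tkip disable 5
config wlan security wpa akm 802.1x enable 5
config wlan security wpa akm cckm enable 5            ! centralized key management (fast secure roaming)
config wlan session-timeout 5 86400                   ! full re-authentication once a day
config wlan ccx aironet-ie enable 5                   ! Aironet IE carries DTPC, so phones follow AP power
config wlan mfp client disable 5
config wlan peer-blocking disable 5
config wlan band-select allow disable 5
config wlan load-balance allow disable 5
config wlan enable 5
!
! 2.4 GHz radio (global for the band; the network must be down to change rates)
config 802.11b disable network
config 802.11b rate disabled 1
config 802.11b rate disabled 2
config 802.11b rate disabled 5.5
config 802.11b rate mandatory 11                       ! lowest mandatory rate = beacon rate
config 802.11b dtpc enable
config advanced 802.11b edca-parameters optimized-video-voice
config 802.11b cac voice acm enable
config 802.11b cac voice load-based enable            ! calls rejected per radio on measured utilization
config 802.11b enable network
!
! Verification
! show wlan 5     -> WMM Required, DTIM 2, Platinum, CCKM, Session Timeout 86400
! show 802.11b    -> operational rates, DTPC, CAC/ACM load-based status
```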







6.2 Voice troubleshooting

Cisco TAC has been assisting with poor voice quality on 802.11 and has indicated that the
following changes are required:

WLC dynamic AP transmit power should be limited to 50 mW to match the 7925G device
WLC dynamic AP transmit power should not drop below 14 dBm, based on the site
survey that was performed to ensure signal penetration
APs should wait 250 ms for client devices to respond before attempting to
resend the EAPOL key exchange

If poor voice quality should reoccur, make sure statistics can be collected on the WLC GUI that
show packet delays and lost packets for approximately the last 90 seconds of the voice
flow.


6.3 Phone configuration

Configure the phone at your desk to join WLAN VoiceYY. Once registered, you should be
able to place a call to the number 1001. Use the username user1 to connect to the wireless
infrastructure.























THANK YOU FOR USING CCIEWIRELESSLABS
