iPexpert Inc., 3100 King Rd., East China, Michigan 48054 USA. Phone: +1.810.326.1444 Fax: +1.810.454.0130 Email: sales@ipexpert.com URL: www.iPexpert.com
CCIE Wireless (v3)
Volume 1 Detailed Solution Guide
Part 2 of 2
Version 3.1A
iPexpert’s Detailed Solution Guide
for Cisco’s CCIE Wireless v3 Lab Exam, Volume 1
Table of Contents
Section 4: Converged IOS-XE Controllers ....................................................................................................... 7
Lab 118: Management Access :: Detailed Solutions ...................................................................................... 8
Lab 119: Mobility (MA/MC) :: Detailed Solutions ........................................................................................ 26
Lab 120: AP Joins :: Detailed Solutions ........................................................................................................ 48
Lab 121: Logging :: Detailed Solutions ......................................................................................................... 55
Lab 122: Client RADIUS :: Detailed Solutions ............................................................................................... 60
Lab 123: ACLs :: Detailed Solutions .............................................................................................................. 71
Lab 124: Rogue Policies :: Detailed Solutions .............................................................................................. 80
Lab 125: Client Exclusion :: Detailed Solutions ............................................................................................ 90
Lab 126: MFP and 802.11w :: Detailed Solutions ......................................................................................... 95
Lab 127: AP Configurations :: Detailed Solutions ....................................................................................... 103
Lab 128: Client Load Balancing :: Detailed Solutions ................................................................................. 108
Lab 129: Band Select :: Detailed Solutions ................................................................................................. 112
Lab 130: General Radio Settings :: Detailed Solutions ............................................................................... 117
Lab 131: RF Groups :: Detailed Solutions ................................................................................................... 123
Lab 132: TPC :: Detailed Solutions ............................................................................................................. 130
Lab 133: DCA :: Detailed Solutions ............................................................................................................. 137
Lab 134: Coverage Hole Detection :: Detailed Solutions ............................................................................ 144
Lab 135: CCX Assisted Roaming :: Detailed Solutions ................................................................................ 150
Lab 136: DFS :: Detailed Solutions ............................................................................................................. 155
Lab 137: 802.11n/ac High Throughput :: Detailed Solutions ..................................................................... 160
Lab 138: CleanAir :: Detailed Solutions ...................................................................................................... 169
Lab 139: Country Codes :: Detailed Solutions ............................................................................................ 180
Lab 140: General Controller Settings :: Detailed Solutions ........................................................................ 187
Lab 141: Multicast :: Detailed Solutions .................................................................................................... 191
Lab 142: WLANs- Non-Guest :: Detailed Solutions..................................................................................... 197
Lab 143: Guest WLANs- Local Web :: Detailed Solutions ........................................................................... 208
Lab 144: Guest WLANs- External Web :: Detailed Solutions ...................................................................... 226
Lab 145: AP Groups :: Detailed Solutions ................................................................................................... 237
Section 5: Prime Infrastructure and MSE ....................................................................................................242
Lab 146: PI CLI Configurations :: Detailed Solutions................................................................................... 244
Lab 147: Adding Devices to PI :: Detailed Solutions ................................................................................... 254
Lab 148: Device Configuration Templates :: Detailed Solutions ................................................................ 277
Lab 149: Configuration Groups :: Detailed Solutions ................................................................................. 300
Lab 150: Configuration Auditing :: Detailed Solutions ............................................................................... 314
Lab 151: Basic Map Setup :: Detailed Solutions ......................................................................................... 324
Lab 152: Advanced Map Configurations :: Detailed Solutions ................................................................... 339
Lab 153: Virtual Domains :: Detailed Solutions .......................................................................................... 355
Lab 154: Management AAA :: Detailed Solutions ...................................................................................... 366
Lab 155: Administrative Settings :: Detailed Solutions .............................................................................. 380
On behalf of the entire iPexpert team, I'd personally like to thank you for putting your greatest
certification journey in our hands, and trusting us to deliver cutting-edge training to help you
accomplish this goal. Although there is no way to guarantee a 100% pass rate on the CCIE Lab, my team
and I feel extremely confident that your chances of passing will improve dramatically with the use of
our training materials.
-Respectfully, Wayne A. Lawson II, CCIE #5244 (Emeritus) / Founder & CEO - iPexpert, Inc.
Feedback
At iPexpert, we value the feedback (both positive and constructive) offered by our clientele. Our
dedication to offering the best tools and content to help students succeed could not be possible
without your comments and suggestions. Your feedback is what continually keeps us enhancing our
product portfolio, and it is greatly appreciated. If there is anything you'd like us to know, please do so
via the feedback@ipexpert.com alias.
In addition, when you pass your CCIE Lab exam, we want to hear about it! Please email your full name
(as used in the CCIE Verification Tool), CCIE number and track to success@ipexpert.com and let us
know how iPexpert played a role in your success. We would like to be sure you're welcomed into the
"CCIE Club" appropriately and send you a gift for your accomplishment.
Lastly, referrals are very important to us: they tell us that you like, value, and approve of our training,
and they help us continue to grow as a company. If you have peers who you feel would benefit from
any of our training materials, please send us their name, email address, telephone number and the
certification and track you feel they're interested in. If your referral makes a purchase, we will provide
you with in-house credit that can be used at any time. If your referrals exceed a certain threshold, we
will also include a gift card of your choice (either an American Express or Amazon gift card).
Technologies Covered
This portion of the material is designed to provide our students with the exact commands to use, when
to use them, and also the various show commands that will allow you to understand what you're
looking for. In addition, the instructor has provided some detail as to why the various solutions have
been used versus another potential command set that would have accomplished the same outcome.
All referenced reading material can be found in the associated Reading Material file located in your
Member's Area.
iPexpert’s Video on Demand training library contains a wealth of videos pertaining to the CCIE Wireless
Lab exam. We recommend watching the following learning videos prior to completing this lab scenario.
Topology Detail
2. Ensure that HTTP and HTTPS access is enabled and working on CAT3.
HTTP and HTTPS access is enabled by default on our converged access devices, so WLC3 is the device
where we need to turn it off; on CAT3, just confirm that it's enabled and that you can reach the login
page (even though you can't log in yet). Turning off plain HTTP wherever it isn't required is worth doing
anyway: the login form and every configuration change would otherwise cross the network in cleartext.
WLC3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
WLC3(config)#no ip http server
WLC3(config)#no ip http secure-server
WLC3(config)#end
For CAT3, both the HTTP and the HTTPS login pages load (the two browser screenshots are not
reproduced here).
Sometimes the default self-signed certificate doesn't allow HTTPS access: the self-signed trustpoint is
present, but its RSA key pair is missing or doesn't match the certificate, so the TLS handshake fails
before you ever see the login page. If you run into that, here is what to do.
First, look for the existing self-signed trustpoint in the running config. It is named TP-self-signed-
followed by the switch serial number, similar to the output in the original screenshot.
If it's there, disable HTTPS, delete the trustpoint (no crypto pki trustpoint <name>), and re-enable
HTTPS. If it's not there, just disable and then re-enable HTTPS. Starting the secure server generates a
new self-signed certificate and key pair, which should work. The browser will still warn that the
certificate is self-signed; that is expected until the CA-signed certificate is installed in task 6.
3. Restrict access to the GUI on CAT3 so that only clients on VLAN 5 are able to access the GUI.
We will use a standard numbered ACL to control which source IPs are allowed to reach the web GUI. A
standard ACL matches on source address only, which is all that ip http access-class evaluates, and it
ends with an implicit deny, so any source outside 10.10.210.0/24 (VLAN 5) has its TCP connection
refused before the login page is ever served. Fortunately, our WIN7 client is in that VLAN.
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#access-list 1 permit 10.10.210.0 0.0.0.255
CAT3(config)#ip http access-class 1
CAT3(config)#end
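As an added example (not part of the guide), here is a small Python model of how a standard ACL such as access-list 1 is evaluated against a source address: wildcard-mask matching, first match wins, and the implicit deny when nothing matches. It goes beyond the single line in the task to show the host and any keywords, entry ordering, and a non-contiguous wildcard, so you can predict which sources reach the GUI before testing with telnet. The config text fed into it is constructed for the example.

```python
"""Evaluate a Cisco IOS standard ACL the way 'ip http access-class' does.

Added example, not from the guide: models wildcard-mask matching, first
match wins, and the implicit deny at the end of every ACL. It also covers
the 'host' and 'any' keywords, a trailing 'log', and a non-contiguous
wildcard, which the single-line ACL in the task does not exercise.
"""
import ipaddress
import re

# access-list <n> {permit|deny} {any | host A.B.C.D | A.B.C.D [wildcard]} [log]
_ACE = re.compile(
    r"^access-list\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+"
    r"(?P<target>\S+)(?:\s+(?P<wild>(?!log\b)\S+))?(?:\s+log)?\s*$"
)


def _as_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(source, base, wildcard):
    """IOS wildcard semantics: a 0 bit must match, a 1 bit is ignored."""
    care = ~_as_int(wildcard) & 0xFFFFFFFF
    return (_as_int(source) & care) == (_as_int(base) & care)


def parse_standard_acl(text):
    """Return {acl_number: [(action, base, wildcard), ...]} in config order."""
    acls = {}
    for line in text.splitlines():
        m = _ACE.match(line.strip())
        if not m:
            continue  # blank lines and anything that is not a standard ACE
        target, wild = m.group("target"), m.group("wild")
        if target == "any":
            base, wild = "0.0.0.0", "255.255.255.255"
        elif target == "host":
            if wild is None:
                continue  # 'host' with no address is not a valid entry
            base, wild = wild, "0.0.0.0"
        else:
            base, wild = target, (wild or "0.0.0.0")  # bare address means host
        acls.setdefault(int(m.group("num")), []).append((m.group("action"), base, wild))
    return acls


def source_permitted(acl, source):
    """First matching entry decides; no match at all is the implicit deny."""
    for action, base, wild in acl:
        if wildcard_match(source, base, wild):
            return action == "permit"
    return False


# Constructed config text; ACL 1 is the line from the CAT3 solution above,
# ACL 2 shows ordering (deny one host, then permit the subnet), ACL 3 a
# non-contiguous wildcard that covers 10.10.210.0/24 and 10.10.211.0/24.
SAMPLE_CONFIG = """
access-list 1 permit 10.10.210.0 0.0.0.255
access-list 2 deny 10.10.210.3
access-list 2 permit 10.10.210.0 0.0.0.255
access-list 3 permit 10.10.210.0 0.0.1.255
"""

if __name__ == "__main__":
    acls = parse_standard_acl(SAMPLE_CONFIG)
    checks = ((1, "10.10.210.3"), (1, "10.10.113.3"), (2, "10.10.210.3"),
              (2, "10.10.210.4"), (3, "10.10.211.7"), (3, "10.10.212.7"))
    for num, src in checks:
        verdict = "permit" if source_permitted(acls[num], src) else "deny"
        print(f"access-list {num} from {src}: {verdict}")
```

The two addresses used in the telnet test further down (10.10.210.3 from Vlan5, 10.10.113.3 from the connected interface) come out as permit and deny respectively, which is what the switch does.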
If I try to access it from a different VLAN, the connection is refused. Since I don't have a client with a
browser on a different VLAN, I can just use telnet to port 80 from CAT2 as a good test: a refused TCP
connection means the access-class blocked the source, while any HTTP response (even a 400) means the
ACL permitted it.
CAT2#telnet 10.10.113.13 80
Trying 10.10.113.13, 80 ...
% Connection refused by remote host
[second attempt, sourced from interface Vlan5; "exit" is typed into the open session]
exit
HTTP/1.1 400 Bad Request
Date: Thu, 27 Aug 2015 16:04:09 GMT
Server: cisco-IOS
Accept-Ranges: none
The first attempt used the connected interface (which would have been a source of 10.10.113.3). The
second attempt used a source interface of vlan5 (which would have been 10.10.210.3). The first
attempt was denied and the second worked; the 400 Bad Request is simply the web server rejecting
"exit" as an HTTP request, which proves the connection was accepted.
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#ip http session-idle-timeout 600
CAT3(config)#ip http max-connections 10
CAT3(config)#end
6. Install a web certificate on CAT3 to be used for the management GUI. The needed files can be
found on the WIN7 PC at C:\Rack Files\Certificates\.
CA file= CA.pem
To complete this task, you'll need to import the CA certificate, the private key and the device
certificate into a trustpoint, point the HTTPS server at that trustpoint (ip http secure-trustpoint), and
reboot. The new cert doesn't seem to take effect without the reboot.
When pasting in the PEM data at the terminal, be sure to paste in the correct order. It goes CA cert >
Private Key > Device cert, and each block is terminated with a blank line or "quit" on a line by itself, as
the prompts in the transcript show. The transcript below picks up partway through the private key.
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Q+v7Xu44Z3M0MXPQp3Ya8Ql/5iHDjg4kmZXYTkuIEGtG+3tuef7vQvMa8HRnYXU/
1d9bepPNIH5dnHQZok7b793Ohy/Z8Yc0IFqFESpcNNeDuFz/ArEfHGeQjoY1SuP/
3Z/UG/HDbPOVsoLfaQ6gsnD6MSvzhrwN+to4f6pTovi4SgO11QcRDEDSTHK31tXS
wdHWt/rmX46DKEIhsRsb1devGhYdiPZPX6+3LXfgNPK8/+Qz+pPeqkrdmJEztD3i
4hASiGv99eBxQxN+Xn6LkuwkzjLHpVxmhHNJ4HsLej7HA2XNgJ2euCRbL+adpOpk
U0q1q3OfuuF0/NDbbphTWEWiA10mdA7E/ropeA/KI7V3GVmnAEXgUXSRa1aTkXIn
HH5XxY1WBJLeqFmNbAHCOrF1zA1FqitVM8t7nXjQPofuC4arCCpjVmZE3MFn76mH
1noFDQ4mExVlKVQUkS+AHHkuZQUP7Pr2hg6Y2cNjia8gNT9WRFYKUyBFDqMTwqcj
CyRzwZjVW/bnZ6k/FX/NxHs8uA80Z76CaYDSZiuAVx8+Oy0ZFxxL1LWXYTQEeiiT
sbhCzKUP2KPlf19kBA74Jk1CMxyIMrEBWcxnsnkchfaVUip3vE90+bT90KCAbVDu
Pr6jHKQ0of2wzgtU8ms5Bv01MK7BtJi4Heog90LLnmvelgLqZg1G7Nrl6hJty0Ij
kKd8cZZbEK6+pT1/5K834fozHNdbAdzH6HbBEIPl4mgw6Qp7a572dsH0RfhI2Fkw
+bGxOVqwWByQvwk45zvahw4pTlx2mgBj7ap66h+09rL1QbsP8dj+GE+cLURqHecU
RGDkan7H9rDFDXRQSUiskvR0JNTlztU3tGxo0kWOMoPxnW7WjRwMjmBugYw5+3sR
UE3q2h+tjHu/YhkafmiIwvEyjetYvAh7maBaLeIcc/VcbiNidN9LVPedmFBVL3j0
qQbV4Vogg4aHh7DnNeyARHphwPmJcHbf5t2kNce95j9j+kpT+YkkFQZa6GovwqFe
mggOEYJYjdW9leTyaLr68TIoecBII7/8RrlJDShPxipn+RxtFJurgW2fAdGa5kJE
KBrnk1g8DLbaBPVrKcmgnxuFhKcWqlIsTlbMTRQcyezRRQJePiEsQR4n2/FBWzeJ
HSti97dzTxYhEkLOtz9YBJUZi/bsSCkwlYeyrIcZH0yyPhlb5QR0JVM4WjuaP5wh
t0NAHWAkhgKVt8s97zKMBqQJsO/ufLfAMJ8Y7otidv4R0XMBOYS3oGVpNWSwcS8R
yEhckTkQ1E3ttBA9MS7pDTcf0hB2PJKfensjNHirfTakgOB0YS4xLkjMH1lUcyYz
8fVO4UWNoR/r+WZzSI4u55DYYRSHwhZcxNOIl7yZLEZ3sd2wypS6Gb9jSjFlQH2q
55aDJ5RanAcQzbXQIhTVHjYSAncDH4/nqNoP7hNJzWZKcP61sp33yRBbFsQrZ52c
GfjUolKULZ6UYvJmiy+UqM1VCrUJS0RddmacTrEp3o6lEoEuznzz1wXDcxzFAPzz
laF4Ia8Yt8n4zjPM5jGRIpVinc/RcUpXn7Gtp2d3LFXaglTKoyBvOw==
-----END RSA PRIVATE KEY-----
quit
% Enter PEM-formatted General Purpose certificate.
% End with a blank line or "quit" on a line by itself.
-----BEGIN CERTIFICATE-----
[device certificate body omitted]
-----END CERTIFICATE-----
CAT3#wr mem
Building configuration...
Compressed configuration from 4145 bytes to 2213 bytes[OK]
CAT3#reload
Reload command is being issued on Active unit, this will reload the whole stack
Proceed with reload? [confirm]
You can confirm which trustpoint the HTTPS server is using with show ip http server secure status (the
output is not reproduced here).
After the reboot, when you go to the website, you can look at the certificate and see that it’s the CA-
signed cert.
7. Configure a local user on CAT4 with the credentials below that will allow it to log in to the web GUI.
User= admin
Password= IPexpert123
CAT4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT4(config)#user admin priv 15 secret IPexpert123
CAT4(config)#end
The secret keyword stores a hash of the password rather than the reversible type 7 encoding that the
password keyword produces, and privilege 15 gives the account full access in the GUI.
8. Configure CAT3 to use ISE to authenticate GUI users. If ISE is not responding, CAT3 should use its
local user repository. Mark the RADIUS server dead for 10 minutes when it stops responding.
ISE info
o IP= 10.10.210.5
o User= admin
o Password= Ipexpert123
Special note: due to an apparent bug (link below), the switch doesn't seem to use the method lists
specified in the ip http authentication commands like it should, so you'll need to apply the
method lists to the console line as well.
https://tools.cisco.com/bugsearch/bug/CSCeb82510
The first steps are getting the RADIUS server configured on the switch. Define the RADIUS server and
then build a server group. Lastly, build a method list for both login authentication and exec
authorization, then call out those method lists for HTTPS authentication. With the server group listed
before local, the local database is consulted only when the group returns no answer (server marked
dead, or every request timed out), never when ISE answers with a reject, which is exactly what the task
asks for. radius-server deadtime 10 keeps a server that has been marked dead out of rotation for 10
minutes; whether and when a server gets marked dead is governed by radius-server dead-criteria, so
until that threshold is reached each login still waits for the RADIUS timeouts before falling back.
This is actually the same drill that we had for autonomous AP HTTP authentication.
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#aaa new-model
CAT3(config)#radius-server deadtime 10
CAT3(config)#radius server ISE
CAT3(config-radius-server)#address ipv4 10.10.210.5 auth-port 1812 acct-port 1813
CAT3(config-radius-server)#key ipexpert
CAT3(config-radius-server)#exit
This is what the config should look like without the bug (the method-list and ip http authentication
lines are in the original screenshot, which is not reproduced here). The same configuration works just
fine on our autonomous APs, which have the same commands available, but on the switch you'll find that
you can log in, yet things just don't work correctly. The web pages don't always reflect reality and you
cannot configure anything (even though it sometimes says that the config applied). It doesn't matter
whether you authenticate through ISE or locally. The end result is the same.
Feel free to attempt to make a simple configuration, like changing the host name at Configuration >
System > General. It won’t pull the correct name when the page loads, and attempts to configure the
name won’t alter the host name in the CLI like it should.
Let's configure the console port to get around the bug. Applying the HTTPS method lists to line con 0
means console logins are now authenticated through ISE (then local) as well, so if you log out of the
console connection you will need to log in again with those credentials. If you lock yourself out of the
switch, just reload the lab.
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#line con 0
CAT3(config-line)#login authentication HTTPS
CAT3(config-line)#authorization exec HTTPS
%Authorization without the global command 'aaa authorization console' is useless
CAT3(config-line)#end
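Before testing the failover, it helps to be precise about what "if ISE is not responding" buys you. The following Python model is an added example, not the guide's configuration: it replays a login method list of the form group ISE then local, with a radius-server deadtime of 10 minutes, against a fake clock. It shows that an Access-Reject from ISE is final (no local fallback), that only a server that does not answer hands control to the local database, and that once the server is marked dead the switch stops waiting on it until the deadtime expires. Dead-marking is simplified to a count of consecutive timeouts (a hypothetical threshold of three); IOS decides that with radius-server dead-criteria. The credential stores are constructed from the lab values.

```python
"""Model of an IOS AAA login method list 'group ISE local' with RADIUS deadtime.

Added example, not the guide's own configuration. Outcomes follow the IOS
rule that the next method in a list is tried only on ERROR (no answer from
the server), never on FAIL (the server answered with a reject).
"""
import time
from dataclasses import dataclass

# Constructed credential stores (values mirror the lab tasks; hypothetical).
LOCAL_USERS = {"admin": "IPexpert123"}    # 'username admin privilege 15 secret ...'
RADIUS_USERS = {"admin": "Ipexpert123"}   # account defined on ISE


@dataclass
class RadiusServer:
    name: str
    reachable: bool = True
    dead_until: float = 0.0   # clock value until which the server is skipped
    timeouts: int = 0         # consecutive unanswered requests


class LoginMethodList:
    """aaa authentication login HTTPS group ISE local"""

    def __init__(self, server, deadtime_min=10, dead_tries=3, clock=time.time):
        self.server = server
        self.deadtime = deadtime_min * 60   # 'radius-server deadtime' is in minutes
        self.dead_tries = dead_tries        # simplified stand-in for dead-criteria
        self.clock = clock

    def _group_ise(self, user, password):
        """'PASS'/'FAIL' are answers from the server; 'ERROR' means no answer."""
        srv, now = self.server, self.clock()
        if srv.dead_until > now:
            return "ERROR"        # marked dead: skipped at once, no timeout wait
        if not srv.reachable:
            srv.timeouts += 1
            if srv.timeouts >= self.dead_tries:
                srv.dead_until = now + self.deadtime
                srv.timeouts = 0
            return "ERROR"
        srv.timeouts = 0
        return "PASS" if RADIUS_USERS.get(user) == password else "FAIL"

    @staticmethod
    def _local(user, password):
        return "PASS" if LOCAL_USERS.get(user) == password else "FAIL"

    def login(self, user, password):
        """Return (outcome, method). The next method runs only after ERROR."""
        outcome = self._group_ise(user, password)
        if outcome != "ERROR":
            return outcome, "ISE"
        return self._local(user, password), "local"


def walkthrough():
    """Replay the lab's failover test with a fake clock; return the events."""
    clock = [0.0]
    ise = RadiusServer("ISE")
    aaa = LoginMethodList(ise, deadtime_min=10, dead_tries=3, clock=lambda: clock[0])
    events = []
    events.append(aaa.login("admin", "Ipexpert123"))   # ISE answers: PASS
    events.append(aaa.login("admin", "wrong"))         # ISE rejects: FAIL, no fallback
    ise.reachable = False                              # 'shut' on the ISE switch port
    for _ in range(3):                                 # three timeouts -> marked dead
        events.append(aaa.login("admin", "IPexpert123"))   # local PASS each time
    clock[0] += 5 * 60
    ise.reachable = True                               # port back up, still in deadtime
    events.append(aaa.login("admin", "Ipexpert123"))   # ISE still skipped: local FAIL
    clock[0] += 6 * 60                                 # deadtime (10 min) has expired
    events.append(aaa.login("admin", "Ipexpert123"))   # ISE answers again: PASS
    return events


if __name__ == "__main__":
    for outcome, method in walkthrough():
        print(f"{outcome:<5} via {method}")
```

The second-to-last event is the one people trip over in production: bringing the server back does not immediately bring RADIUS logins back, because the switch honours the deadtime, and during that window only the local credentials work.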
You can test the failover by blocking traffic to/from the ISE server.
Here is the RADIUS login result and the logs on ISE of the authentications.
Once RADIUS auths work, shut down the server port and test the failover.
CAT1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT1(config)#int fa0/6
CAT1(config-if)#shut
CAT1(config-if)#end
Once you are done testing, bring the server port back up.
This concludes Lab 118 of iPexpert’s CCIE Wireless DSG, Section 4, Volume 1
Copyright© iPexpert. All Rights Reserved.
Lab 119: Mobility (MA/MC) :: Detailed Solutions
Topology Detail
This lab requires access to CAT3-4, WLC1, and WLC3 in your rack.
Scenario 1
This is a scenario where the 3650s are acting as MAs, only in the same SPG with the 5760 as their MC.
The 5760 is adding WLC1 as a mobility group member for future DMZ anchoring needs. This seems like
a fairly real-world design based on our hardware and topology.
1. Configure WLC3 to be a Mobility Controller (MC) for the mobility group named HQ.
5760 WLCs are MCs by default, so you should just need to configure the mobility group name.
WLC3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
WLC3(config)#wireless mobility group name HQ
WLC3(config)#end
2. Configure CAT3 and CAT4 to be Mobility Agents (MAs) with WLC3 as their MC.
CAT3 and CAT4 should both be in a Switch Peer Group (SPG) named CCIEW.
3650s are MAs by default. Placing them into the same SPG will allow for optimal roaming between their
APs. The SPG is defined on the MC. We’ll also enable the wireless management interfaces on each
device. They only have 1 layer 3 interface each, so it should be pretty obvious which to pick.
WLC3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
WLC3(config)#wireless management interface vlan112
WLC3(config)#wireless mobility controller peer-group CCIEW member ip 10.10.113.13
WLC3(config)#wireless mobility controller peer-group CCIEW member ip 10.10.113.14
WLC3(config)#end
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wireless management interface vlan113
CAT3(config)#wireless mobility controller ip 10.10.112.10
CAT3(config)#end
CAT4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT4(config)#wireless management interface vlan113
CAT4(config)#wireless mobility controller ip 10.10.112.10
CAT4(config)#end
After a few minutes, there should be tunnels between the MC and the MAs, as well as between the
MAs (since they are in the same SPG). The mobility summary output confirming this is not reproduced here.
3. Enable new mobility on WLC1 and configure WLC1 to be in the mobility group named DMZ.
6. After you are done verifying, remove WLC1 and WLC3 from each other’s mobility domain list.
New mobility allows certain AireOS controllers to support mobility between AireOS and IOS-XE
controllers. Enabling new mobility on WLC1 requires a reboot of that controller; the WLC1 side of the
task is done on the AireOS controller and is not shown in this transcript.
After the reboot, configure the rest of the mobility group/domain task on WLC3.
WLC3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
WLC3(config)#wireless mobility group member ip 10.10.111.10 group DMZ
WLC3(config)#end
WLC3#sho wi mo sum
Scenario 2
This is a scenario where the 3650s are acting as MAs, only in different SPGs with WLC1 as their MC.
While different SPGs in the same physical location is not uncommon, having the 5508 be the MC for
the 3650s is probably lower on the likelihood scale.
WLC3#conf terminal
Enter configuration commands, one per line. End with CNTL/Z.
WLC3(config)#no wireless mobility controller peer-group CCIEW
WLC3(config)#no wireless mobility group member ip 10.10.111.10
WLC3(config)#end
9. Configure WLC1 to be a Mobility Controller (MC) for the mobility group named HQ.
10. Configure CAT3 and CAT4 to be Mobility Agents (MAs) with WLC1 as their MC.
Cisco gave us the option to make an AireOS controller the MC for our MAs, so at least you could migrate
without having to buy all of your AP licenses again. Now that CAT3 and CAT4 are in different SPGs, they
will not form a tunnel between them.
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wire mob contr ip 10.10.111.10
CAT3(config)#end
CAT4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT4(config)#wire mob contr ip 10.10.111.10
CAT4(config)#end
CAT4#sho wi mo su
12. When you are done, remove the SPG configuration from WLC1.
Scenario 3
This is a scenario where the 3650s are back in the same SPG, but this time one of the 3650s is the MC
of the SPG. We are also adding another MC to the mobility domain list to support things like theoretical
roaming or anchoring possibilities. This scenario is fairly realistic for the real world.
13. Configure CAT3 to be a Mobility Controller (MC) for the mobility group named HQ.
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wire mob controller
%
Mobility role changed to Mobility Controller.
Please save config and reboot the whole stack.
CAT3(config)#end
CAT3#wr memory
CAT3#reload
Reload command is being issued on Active unit, this will reload the whole stack
Proceed with reload? [confirm]
Go grab a cup of coffee while you wait for the reboot to complete.
14. Configure CAT4 to be in a SPG named CCIEW, where CAT3 is the MC.
CAT3#conf terminal
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wire mobility group name HQ
CAT3(config)#wire mobility controller peer-group CCIEW
CAT3(config)#wire mobility controller peer-group CCIEW member ip 10.10.113.14
CAT3(config)#end
CAT4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT4(config)#wire mo contr ip 10.10.113.13
CAT4(config)#end
CAT4#sho wi mo su
15. Configure CAT3 and CAT4 to send mobility messages to each other using multicast group
239.34.34.34.
If we actually had a bunch of MAs, this would be helpful. This config only needs to be done on the MC
and it will be propagated to the MAs in the SPG.
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wire mob controller peer-group CCIEW multicast ip 239.34.34.34
CAT3(config)#end
CAT3#sho wi mo su
[lines omitted]
Switch Peer Group Name : CCIEW
Switch Peer Group Member Count : 1
Bridge Domain ID : 0
Multicast IP Address : 239.34.34.34
CAT4#sho wi mo su
16. CAT4 should start trying to send excess clients to other MAs after it reaches 500 local clients.
This is a common config on switches that handle the APs at the entrances of buildings, where many
clients will get their point of presence (PoP) anchored.
CAT4#config t
Enter configuration commands, one per line. End with CNTL/Z.
CAT4(config)#wire mob load-balance threshold 500
CAT4(config)#end
18. Add WLC3 and CAT3 to each other’s mobility domain list.
WLC3#conf terminal
Enter configuration commands, one per line. End with CNTL/Z.
WLC3(config)#wire mo group name DMZ
WLC3(config)#wire mob group member ip 10.10.113.13 group HQ
WLC3(config)#end
CAT3#conf terminal
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wire mob group mem ip 10.10.112.10 group DMZ
CAT3(config)#end
WLC3#sho wi mo su
Scenario 4
This is a scenario where the 3650s are both their own MCs. They will peer with each other, as well as
with the 5760. This is another good real-world scenario.
20. Configure CAT3 to be its own Mobility Controller (MC) for the mobility group named HQ1.
We already have it as a MC, we just need to change the domain name. We should also remove the SPG
config from the last scenario.
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wire mob group name HQ1
CAT3(config)#no wire mob cont peer CCIEW
CAT3(config)#end
21. Configure CAT4 to be its own Mobility Controller (MC) for the mobility group named HQ2.
CAT4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT4(config)#wire mob contr
%
Mobility role changed to Mobility Controller.
Please save config and reboot the whole stack.
CAT4(config)#end
CAT4#wr mem
CAT4#reload
Reload command is being issued on Active unit, this will reload the whole stack
Proceed with reload? [confirm]
CAT4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT4(config)#wire mob group name HQ2
CAT4(config)#end
23. Add CAT3, CAT4, and WLC3 to each other’s mobility domain list.
24. These three devices should send mobility keepalives every 5 seconds and consider a peer down
after 5 retries.
CAT3 moved to group HQ1 in task 20, so its existing entry on WLC3 (still listed under the old group
name) is removed and re-added. The group name in each member entry must be the peer's own mobility
group name: CAT3 is HQ1 and CAT4 is HQ2. Keepalive interval and count are set on all three devices.
WLC3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
WLC3(config)#no wireless mobility group member ip 10.10.113.13
WLC3(config)#wire mo group name DMZ
WLC3(config)#wire mob group member ip 10.10.113.13 group HQ1
WLC3(config)#wire mob group member ip 10.10.113.14 group HQ2
WLC3(config)#wire mob group keepalive interval 5
WLC3(config)#wire mob group keepalive count 5
WLC3(config)#end
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wire mob group member ip 10.10.112.10 group DMZ
CAT3(config)#wire mob group member ip 10.10.113.14 group HQ2
CAT3(config)#wire mob group keepalive interval 5
CAT3(config)#wire mob group keepalive count 5
CAT3(config)#end
CAT4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT4(config)#wire mob group member ip 10.10.112.10 group DMZ
CAT4(config)#wire mob group member ip 10.10.113.13 group HQ1
CAT4(config)#wire mob group keepalive interval 5
CAT4(config)#wire mob group keepalive count 5
CAT4(config)#end
For instructor and developer support, please be sure to submit questions through our interactive
support community that’s accessible from the Member’s Area.
This concludes Lab 119 of iPexpert’s CCIE Wireless DSG, Section 4, Volume 1
Copyright© iPexpert. All Rights Reserved.
Lab 120: AP Joins :: Detailed Solutions
Technologies Covered
AP Joins
AP Authorization
Video Title: Unified Wireless (Converged)- AP Controller Discovery and Join Authorization
Topology Detail
This lab requires access to CAT1-4, WLC3, and HQ LAPs in your rack.
In this scenario, CAT3-4 are in a SPG named CCIEW with WLC3 configured as their MC.
1. Configure LAP1 and LAP3 to join their local switch as their controller.
APs joining their MA just need to be placed in the same VLAN as the MA’s wireless management
interface. The CATs use VLAN 113 as their wireless management VLAN. Right now LAP1-2 are already
in VLAN 113 and LAP3 is in VLAN 114, so let’s move LAP3 into VLAN 113.
CAT4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT4(config)#int gi1/0/3
CAT4(config-if)#sw acc vl 113
CAT4(config-if)#end
CAT4#sho ap sum
Number of APs: 2
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#ap auth-list ap-policy mic
CAT3(config)#end
CAT3#sho ap auth-list
Authorize MIC APs against AAA : Disabled
When dealing with filtering, I always like to ensure that my desired AP(s) join without it first. Once they
are joined, I use that information to build the policy. Rather than rebooting the APs, a faster method
to kick them off is to clear their DHCP address.
CAT4#sho ap summary
Number of APs: 2
CAT4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT4(config)#ap auth-list ap-policy authorize-ap
CAT4(config)#user 34a84ec54500 mac
CAT4(config)#end
[after the APs drop from the WLC, they pull a new IP and try to rejoin. Only LAP3 is able to]
CAT4#sho ap sum
Number of APs: 1
4. Configure LAP2 and LAP4 to join WLC3 by making WLC3 their primary controller.
We will do as asked and make WLC3 the primary controller, but we also must take LAP2 out of VLAN
113, otherwise the request never makes it to WLC3. CAT4 will absorb the CAPWAP traffic and not
forward it on when it arrives on the wireless management VLAN.
LAP2
AP74a2.e661.2ea7#capwap ap primary-base WLC3 10.10.112.10
LAP4
AP6c20.56d7.63dd#capwap ap primary-base WLC3 10.10.112.10
WLC3#sho ap sum
Number of APs: 2
5. Rename all APs to their friendly names (i.e. LAP1, LAP2, etc.).
CAT3#sho ap sum
Number of APs: 1
show ap summary
show ap auth-list
This concludes Lab 120 of iPexpert’s CCIE Wireless DSG, Section 4, Volume 1
Technologies Covered
Wireless Logging
Topology Detail
This lab requires access to CAT3-4, WLC3, and HQ LAPs in your rack.
You should wait to configure logging until all of the APs have joined the switch. While the server IP
should apply to future APs, I don’t know that the level and facility will.
CAT4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT4(config)#ap syslog host 10.10.210.8
CAT4(config)#ap syslog facility local3
CAT4(config)#ap syslog level inform
CAT4(config)#end
For whatever reason, the facility never shows up in the show output. The same is true of the switch’s
own syslog facility: I’ve never found a show command that reveals it other than show run.
This concludes Lab 121 of iPexpert’s CCIE Wireless DSG, Section 4, Volume 1
Technologies Covered
External RADIUS
Local EAP
EAP Settings
Video Title: Unified Wireless (Converged)- RADIUS Servers- External Client RADIUS
Video Title: Unified Wireless (Converged)- RADIUS Servers- Local Client RADIUS
Topology Detail
This lab requires access to CAT3 and the WIN7 PC in your rack.
External RADIUS
IP= 10.10.210.5
2. Configure a server group named ISE that references the ISE server.
3. Configure a dot1x authentication method list named ISE that references the ISE server group only.
You’ve actually done all of this already in the network infrastructure section of the workbook.
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#aaa new
CAT3(config)#radius server ISE
CAT3(config-radius-server)#address ipv4 10.10.210.5 auth 1812 acc 1813
CAT3(config-radius-server)#key ipexpert
CAT3(config-radius-server)#exit
CAT3(config)#aaa group server radius ISE
CAT3(config-sg-radius)#server name ISE
CAT3(config-sg-radius)#exit
CAT3(config)#aaa authentication dot1x ISE group ISE
CAT3(config)#end
VLAN= 13
6. Have your client connect using PEAP and supply the credentials below.
User= iseuser1
Password= IPexpert123
WLANs are WPA2/AES with 802.1x by default, so there’s not too much to the config.
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wlan HQ-WPAEAP1-Pod1 1 HQ-WPAEAP1-Pod1
CAT3(config-wlan)#sec dot1x authentication-list ISE
CAT3(config-wlan)#client vlan 13
CAT3(config-wlan)#no shut
CAT3(config-wlan)#end
Local RADIUS
7. Install a server certificate for CAT3 to present to clients during PEAP or EAP-TLS authentications.
The needed files can be found on the WIN7 PC at C:\Rack Files\Certificates\.
CA file= CA.pem
This is the same process (and same certificate) used for the HTTPS cert install earlier in this section.
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#crypto pki import LOCALEAP pem term password IPexpert123
% Enter PEM-formatted CA certificate.
% End with a blank line or "quit" on a line by itself.
-----BEGIN CERTIFICATE-----
[lines omitted]
-----END CERTIFICATE-----
[lines omitted]
-----END RSA PRIVATE KEY-----
quit
% Enter PEM-formatted General Purpose certificate.
% End with a blank line or "quit" on a line by itself.
-----BEGIN CERTIFICATE-----
[lines omitted]
-----END CERTIFICATE-----
I tend to disable the revocation check in the trustpoint as a matter of habit, as I’ve had it break things
before if there are issues with the lookup.
Choose to use the newly installed server cert during EAP-TLS or PEAP authentications.
This controls what EAP methods are allowed for the clients. Be sure to call out the trustpoint to support
PEAP/EAP-TLS clients.
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#eap profile CCIEW
CAT3(config-eap-profile)# method peap
CAT3(config-eap-profile)# method tls
CAT3(config-eap-profile)# method fast
CAT3(config-eap-profile)# pki-trustpoint LOCALEAP
CAT3(config-eap-profile)#end
This determines how EAP-FAST will be handled. Normally the default settings are fine.
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#eap method fast profile FAST
CAT3(config-eap-method-profile)# authority-id identity CAT3
CAT3(config-eap-method-profile)# local-key 0 1234567890
CAT3(config-eap-method-profile)#end
User= catuser1
Password= IPexpert123
These are different from the management users you have created before.
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#user-name catuser1
CAT3(config-user-name)# privilege 15
CAT3(config-user-name)# password 0 IPexpert123
CAT3(config-user-name)#end
Before we do the WLAN config, we need to define some other settings for the local authentications.
These lines basically just say to look local for everything.
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#aaa authentication dot1x default local
CAT3(config)#aaa authentication dot1x LOCALEAP local
CAT3(config)#aaa authorization credential-download LOCALEAP local
CAT3(config)#aaa local authentication LOCALEAP authorization LOCALEAP
CAT3(config)#wlan HQ-WPAEAP1-Pod1
CAT3(config-wlan)#shut
CAT3(config-wlan)#no security dot1x authentication-list ISE
CAT3(config-wlan)#local-auth CCIEW
CAT3(config-wlan)#no shut
CAT3(config-wlan)#end
12. Test connecting to the WLAN using the WIN7 client using PEAP and EAP-TLS.
You should be able to connect with both PEAP using the new local credentials or with EAP-TLS.
show run
This concludes Lab 122 of iPexpert’s CCIE Wireless DSG, Section 4, Volume 1
Technologies Covered
Wireless ACLs
Topology Detail
This lab requires access to CAT3 and the WIN7 PC in your rack.
1. Configure an extended IPv4 ACL named CCIEW1 that would apply to traffic coming from a wireless client that does the following.
2. Configure an extended IPv4 ACL named CCIEW2 that would apply to traffic coming from a wireless client that does the following.
ACLs on converged access are applied in the inbound direction (as traffic comes from the client to the
AP/controller). We don’t need to worry about allowing/blocking traffic heading out to the wireless
client.
To prevent clients from pinging, but allow the clients to be pinged, we just need to make sure that we
only block incoming echo requests, while allowing the echo replies. We can do that with IOS-based
ACLs.
On the second ACL, be sure to allow DNS over both UDP and TCP. It’s normally just UDP between the client
and server, but depending on the size of the reply, TCP can be used.
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#ip access-list extended CCIEW1
CAT3(config-ext-nacl)#deny icmp any any echo
CAT3(config-ext-nacl)#permit ip any any
CAT3(config-ext-nacl)#exit
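To make the inbound-only evaluation concrete, here is an added Python model (not from the guide) of how CCIEW1 is evaluated first-match with the implicit deny at the end; CCIEW2 is not shown in the guide, so the block carries a constructed version, labelled as an assumption, that is consistent with the lab’s test results (ping by name works, the web page does not).

```python
"""Added example (not from the iPexpert guide): a minimal model of how an IOS
extended ACL such as CCIEW1 is evaluated against traffic arriving inbound from a
wireless client on a converged-access controller."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ICMP_ECHO = 8        # ICMP echo request, the IOS "echo" keyword
ICMP_ECHO_REPLY = 0  # ICMP echo reply, the IOS "echo-reply" keyword


@dataclass(frozen=True)
class Packet:
    """A packet leaving the wireless client (the only direction the ACL sees)."""
    proto: str                      # "icmp", "udp" or "tcp"
    icmp_type: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    """One access-control entry; 'any any' is implied for source/destination."""
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "icmp", "udp" or "tcp"
    icmp_type: Optional[int] = None  # ICMP type keyword, if one was given
    dport: Optional[int] = None      # "eq <port>" on the destination, if given

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.icmp_type is not None and pkt.icmp_type != self.icmp_type:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching ACE wins; an IOS ACL ends with an implicit 'deny ip any any'."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"


# CCIEW1 exactly as configured on CAT3 in the lab.
CCIEW1 = [
    Ace("deny", "icmp", icmp_type=ICMP_ECHO),   # deny icmp any any echo
    Ace("permit", "ip"),                         # permit ip any any
]

# CCIEW2 is not shown in the guide. This is a constructed ACL (an assumption)
# consistent with the lab's test: ICMP and DNS over both UDP and TCP are
# permitted, and everything else (including HTTP to WLC4) hits the implicit deny.
CCIEW2_ASSUMED = [
    Ace("permit", "icmp"),                       # permit icmp any any
    Ace("permit", "udp", dport=53),              # permit udp any any eq 53
    Ace("permit", "tcp", dport=53),              # permit tcp any any eq 53
]


def ping_outcomes(acl: List[Ace]) -> Tuple[str, str]:
    """Return (client pings out, client answers an inbound ping) verdicts.

    Because the ACL is applied inbound from the client, a ping started by the
    client leaves it as an echo request, while a ping *to* the client only shows
    up on the ACL as the client's echo reply on the way back out.
    """
    client_initiated = Packet("icmp", icmp_type=ICMP_ECHO)
    reply_to_inbound = Packet("icmp", icmp_type=ICMP_ECHO_REPLY)
    return evaluate(acl, client_initiated), evaluate(acl, reply_to_inbound)


if __name__ == "__main__":
    print("CCIEW1 (client ping out, client answers ping):", ping_outcomes(CCIEW1))
    for name, pkt in [("DNS/UDP", Packet("udp", dport=53)),
                      ("DNS/TCP", Packet("tcp", dport=53)),
                      ("HTTP", Packet("tcp", dport=80))]:
        print(f"CCIEW2 {name}: {evaluate(CCIEW2_ASSUMED, pkt)}")
```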
3. Rename the HQ-WPAPSK1-PodX and HQ-WPAPSK2-PodX WLANs to reflect your rack number (i.e.
rename –PodX to –Pod5 if you are on rack 5).
Unfortunately, we can’t simply rename the WLANs without removing them like we can do on the
AireOS controllers, but at least the config of the converged access controllers makes this not too big of
a deal. Simply copy the running config of the WLANs and paste it into notepad. Then, alter the
profile/SSID names, then delete the WLANs and paste in the updated config. Here is the config to paste
(assuming you were on rack 1).
conf t
no wlan HQ-WPAPSK1-PodX 3 HQ-WPAPSK1-PodX
no wlan HQ-WPAPSK2-PodX 4 HQ-WPAPSK2-PodX
CAT3#conf t
CAT3(config-wlan)#wlan HQ-WPAPSK2-Pod1
CAT3(config-wlan)#shut
CAT3(config-wlan)#ip access-group CCIEW2
CAT3(config-wlan)#no shut
CAT3(config-wlan)#end
NOTE
The WIN7 PC has a wired interface on VLAN5, so do not test to targets on VLAN 5 as that traffic will exit
the wired interface rather than the wireless interface.
First, I’ll connect to the HQ-WPAPSK1-PodX WLAN. I pull the IP address 10.10.14.151. When I do ping
tests, I can ping via IPv6, but not via IPv4.
CAT2#ping 10.10.14.151
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.14.151, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/7/9 ms
Now, let’s test the other WLAN. I connect and pull an address of 10.10.15.153.
I can ping WLC4 by name (testing both ICMP and DNS). But I cannot pull up the web page for WLC4.
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wlan HQ-WPAEAP1-PodX
CAT3(config-wlan)#aaa-override
CAT3(config-wlan)#end
show access-list
show wlan name
This concludes Lab 123 of iPexpert’s CCIE Wireless DSG, Section 4, Volume 1
Technologies Covered
Rogue Policies
Topology Detail
1. Configure monitor mode APs to attempt to associate to rogue APs advertising open SSIDs to
determine if they are on your wired network.
3. Remove rogue APs from the rogue list if they haven’t been seen in the last 10 minutes.
5. Check with AAA servers to see if any detected rogue clients are yours.
6. APs should report their detected rogues to their WLC every 42 seconds.
7. Have your APs only scan for rogues on channels configured in the DCA list.
Your APs should scan through the list of channels every 2 minutes.
In real life, be extremely cautious about enabling auto-contain. You could end up with a big fine if you
aren’t careful.
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wireless wps rogue ap rldp auto-contain monitor-ap-only
Warning! Enabling rogue containment may have legal consequences.
Do you want to continue? (y/n)[y]: y
CAT3(config)#wireless wps rogue auto-contain level 1
Rogue Rules
8. Rule 1
Name= rule1
Type= Friendly
o SSID= Lab1
o SSID= Lab2
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wire wps rogue rule rule1 priority 1
CAT3(config-rule)#classify friendly
CAT3(config-rule)#condition ssid Lab1
CAT3(config-rule)#condition ssid Lab2
CAT3(config-rule)#no shut
CAT3(config-rule)#end
Priority : 1
Rule Name : rule1
State : Enabled
Type : Friendly
Match Operation : Any
Hit Count : 0
Total Conditions : 1
Condition :
type : Ssid
SSID Count : 2
SSID 1 : Lab1
SSID 2 : Lab2
The match operation doesn’t really matter here since we only have 1 condition.
9. Rule 2
Name= rule2
Type= Friendly
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wire wps rogue rule rule2 priority 2
CAT3(config-rule)#classify friendly
CAT3(config-rule)#match all
CAT3(config-rule)#condition rssi -70
CAT3(config-rule)#con duration 1800
CAT3(config-rule)#cond encryption off
CAT3(config-rule)#no shut
CAT3(config-rule)#end
Priority : 2
Rule Name : rule2
State : Enabled
Type : Friendly
Match Operation : All
Hit Count : 3
Total Conditions : 3
Condition :
type : Duration
value (seconds) : 1800
Condition :
type : No-encryption
value : Enabled
Condition :
type : Rssi
value (dBm) : -70
10. Rule 3
Name= rule3
Type= malicious
CAT3# conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wire wps rogue rule rule3 priority 1
CAT3(config-rule)#classify malicious
CAT3(config-rule)#match all
CAT3(config-rule)#condition infrastructure ssid
CAT3(config-rule)#condition client-count 2
CAT3(config-rule)#no shut
CAT3(config-rule)#end
Priority : 1
Rule Name : rule3
State : Enabled
Type : Malicious
Match Operation : All
Hit Count : 0
Total Conditions : 2
Condition :
type : Client-count
value : 2
Condition :
type : Managed-ssid
value : Enabled
13. Ensure that a rogue AP with the MAC address of 00:11:22:33:44:55 is automatically marked as
friendly-internal, regardless of whether it would have matched the malicious rule.
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wire wps rogue ap friendly 00:11:22:33:44:55 state internal
CAT3(config)#end
Number of APs : 4
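As an added illustration (not from the guide), the following Python model evaluates rule1, rule2 and rule3 and the task 13 friendly entry against constructed rogue records, showing how priority, match any/all and the static friendly list interact; the managed SSID set and the tie-break between rules sharing priority 1 are assumptions of the model.

```python
"""Added example (not from the iPexpert guide): a small model of how the rogue
rules configured on CAT3 (rule1, rule2, rule3) and the friendly-internal MAC
entry from task 13 classify detected rogue APs."""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Set


@dataclass(frozen=True)
class Rogue:
    """One detected rogue AP (constructed sample data, not controller output)."""
    mac: str
    ssid: str
    rssi: int          # strongest RSSI (dBm) at which a managed AP heard it
    duration: int      # seconds since the rogue was first detected
    encrypted: bool
    client_count: int


Condition = Callable[[Rogue], bool]


# Cisco documents the rssi, duration and client-count conditions as minimum
# thresholds: the rogue matches when it is at least that strong, has been seen
# at least that long, or has at least that many clients.
def cond_ssid(ssids: Set[str]) -> Condition:
    return lambda r: r.ssid in ssids


def cond_rssi(minimum_dbm: int) -> Condition:
    return lambda r: r.rssi >= minimum_dbm


def cond_duration(minimum_seconds: int) -> Condition:
    return lambda r: r.duration >= minimum_seconds


def cond_encryption_off() -> Condition:
    return lambda r: not r.encrypted


def cond_managed_ssid(managed: Set[str]) -> Condition:
    """'condition infrastructure ssid': the rogue advertises one of our own SSIDs."""
    return lambda r: r.ssid in managed


def cond_client_count(minimum: int) -> Condition:
    return lambda r: r.client_count >= minimum


@dataclass
class Rule:
    name: str
    priority: int
    classify: str               # "friendly" or "malicious"
    match_all: bool             # "match all" versus the default "match any"
    conditions: List[Condition]

    def matches(self, rogue: Rogue) -> bool:
        results = [c(rogue) for c in self.conditions]
        return all(results) if self.match_all else any(results)


# Assumed set of SSIDs the controller itself serves (the lab's WLAN names).
MANAGED_SSIDS = {"HQ-WPAEAP1-Pod1", "HQ-WPAPSK1-Pod1", "HQ-WPAPSK2-Pod1"}

# The three rules from the lab, with the priorities and match operations shown
# in the guide's show output.
RULES = [
    Rule("rule1", 1, "friendly", False, [cond_ssid({"Lab1", "Lab2"})]),
    Rule("rule2", 2, "friendly", True,
         [cond_rssi(-70), cond_duration(1800), cond_encryption_off()]),
    Rule("rule3", 1, "malicious", True,
         [cond_managed_ssid(MANAGED_SSIDS), cond_client_count(2)]),
]

# Task 13: this MAC is friendly-internal no matter what the rules say.
FRIENDLY_INTERNAL = {"00:11:22:33:44:55"}


def classify(rogue: Rogue, rules: Iterable[Rule] = RULES,
             friendly: Set[str] = FRIENDLY_INTERNAL) -> str:
    """Static friendly entries win; then rules are tried in priority order and
    the first match decides. Rules sharing a priority (rule1 and rule3 here)
    are tried in configuration order, which is an assumption of this model."""
    if rogue.mac.lower() in friendly:
        return "friendly-internal"
    for rule in sorted(rules, key=lambda r: r.priority):   # sorted() is stable
        if rule.matches(rogue):
            return rule.classify
    return "unclassified"


if __name__ == "__main__":
    samples = [
        Rogue("aa:bb:cc:00:00:01", "Lab2", -82, 30, True, 0),
        Rogue("aa:bb:cc:00:00:02", "coffee-shop", -61, 3600, False, 1),
        Rogue("aa:bb:cc:00:00:03", "HQ-WPAEAP1-Pod1", -45, 120, True, 3),
        Rogue("00:11:22:33:44:55", "HQ-WPAEAP1-Pod1", -45, 120, True, 3),
    ]
    for r in samples:
        print(f"{r.mac} {r.ssid!r}: {classify(r)}")
```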
This concludes Lab 124 of iPexpert’s CCIE Wireless DSG, Section 4, Volume 1
Technologies Covered
Client Exclusion
Topology Detail
1. Configure the HQ-WPAEAP1-PodX WLAN on CAT3 such that clients who experience excessive
authentication or association failures are excluded from associating for 5 minutes.
Clients should not be excluded if they are statically configured for an IP that is already
currently in use.
We have a few more exclusion reasons on the switches than we do on the AireOS controllers.
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wlan HQ-WPAEAP1-PodX
CAT3(config-wlan)#exclusionlist
CAT3(config-wlan)#exclusionlist timeout 300
CAT3(config-wlan)#exit
This concludes Lab 125 of iPexpert’s CCIE Wireless DSG, Section 4, Volume 1
Technologies Covered
Infrastructure MFP
Client MFP
802.11w
Topology Detail
In this scenario, CAT3-4 are in the same SPG with WLC3 as their MC.
1. Configure CAT3 and CAT4 to use 10.10.205.20 as their NTP server (no authentication).
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#ntp server 10.10.205.20
CAT3(config)#end
CAT4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT4(config)#ntp server 10.10.205.20
CAT4(config)#end
MFP
3. Configure the HQ-WPAEAP1-PodX WLAN so that clients who are CCX v5 capable are able to use
client MFP.
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wire wps mfp infrastructure
CAT3(config)#wlan HQ-WPAEAP1-PodX
CAT3(config-wlan)#mfp infrastructure-protection
CAT3(config-wlan)#mfp client
CAT3(config-wlan)#end
[lines omitted]
CAT4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT4(config)#wire wps mfp infrastructure
CAT4(config)#wlan HQ-WPAEAP1-PodX
CAT4(config-wlan)#mfp infrastructure-protection
CAT4(config-wlan)#mfp client
CAT4(config-wlan)#end
[lines omitted]
802.11w
5. Ensure that HQ-WPAPSK1-PodX is only using WPA2/AES for the layer 2 key management and
encryption.
Clients that do not support 802.11w should still be able to use the WLAN.
7. Enable PMF PSK in addition to regular PSK to support the optional nature that we specified.
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wlan HQ-WPAPSK1-Pod1
CAT3(config-wlan)#shut
CAT3(config-wlan)#no security wpa wpa1
CAT3(config-wlan)#security wpa wpa2 ciphers aes
CAT3(config-wlan)#security pmf optional
CAT3(config-wlan)#security pmf saquery-retry-time 300
CAT3(config-wlan)#security pmf association-comeback 5
CAT3(config-wlan)#security wpa akm pmf psk
CAT3(config-wlan)#no shut
CAT3(config-wlan)#end
CAT4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT4(config)#wlan HQ-WPAPSK1-PodX
CAT4(config-wlan)#no security wpa wpa1
CAT4(config-wlan)#security wpa wpa2 ciphers aes
CAT4(config-wlan)#security pmf optional
CAT4(config-wlan)#security pmf saquery-retry-time 300
CAT4(config-wlan)#security pmf association-comeback 5
CAT4(config-wlan)#security wpa akm pmf psk
CAT4(config-wlan)#end
This concludes Lab 126 of iPexpert’s CCIE Wireless DSG, Section 4, Volume 1
Technologies Covered
AP Configurations
Topology Detail
This lab requires access to CAT1-4, WLC3, and HQ LAPs in your rack.
1. Configure all APs joined to IOS-XE controllers to try to negotiate 802.1x on their wired ports with
the following credentials.
Password= IPexpert123
Password= IPexpert123
Password= IPexpert123
Be sure to know how to configure AP settings both at a global level and at a per-AP level.
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#ap dot1x username lap password 0 IPexpert123
CAT3(config)#end
WLC3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
WLC3(config)#ap dot1x username lap password 0 IPexpert123
WLC3(config)#end
CAT4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT4(config)#ap dot1x username lap password 0 IPexpert123
CAT4(config)#end
CAT4#ap name LAP2 dot1x-user username lap2 password IPexpert123
CAT4#ap name LAP2 mgmtuser username admin password IPexpert123 secret IPexpert123
CAT4#sho ap summary
Number of APs: 2
show ap summary
This concludes Lab 127 of iPexpert’s CCIE Wireless DSG, Section 4, Volume 1
Technologies Covered
Video Title: Unified Wireless (Converged)- Client Load Balancing and BandSelect
Topology Detail
2. Consider an AP busy if it has 7 more clients than the least loaded AP in the area.
3. If a client attempts to join a busy AP, it should be denied twice before being allowed to join.
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wlan HQ-WPAEAP1-PodX
CAT3(config-wlan)#load-balance
CAT3(config-wlan)#exit
This concludes Lab 128 of iPexpert’s CCIE Wireless DSG, Section 4, Volume 1
Technologies Covered
Band Select
Video Title: Unified Wireless (Converged)- Client Load Balancing and BandSelect
Topology Detail
Delay responding to 3 probe requests per client on the 2.4 GHz radios.
Ensure the probe responses are spaced at least 150 ms apart to count as unique.
Purge 2.4 GHz-only clients from the band select suppression table after 15 seconds.
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wlan HQ-WPAEAP1-PodX
CAT3(config-wlan)#band-select
CAT3(config-wlan)#exit
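The task lists for Labs 128 and 129 ask for specific load-balancing and band-select parameters, but the solution blocks above show only the per-WLAN enable. The following is an added example, not part of the original guide, that puts the global parameters beside the WLAN flags on one MA. The numeric values are taken from the task text; the command syntax is the IOS-XE 3.x wireless CLI of the Catalyst 3850, and the assumption that both features are configured on CAT3 (with CAT4 receiving the same lines) is mine.

```ios
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
! Lab 128: an AP is "busy" when it has 7 more clients than the least loaded AP
! that hears the client, and a client is refused twice before a busy AP accepts it.
CAT3(config)#wireless load-balancing window 7
CAT3(config)#wireless load-balancing denial 2
! Lab 129: suppress 3 probe responses per client on 2.4 GHz, count probes that
! arrive less than 150 ms apart as the same probe, and age 2.4 GHz-only clients
! out of the suppression table after 15 seconds.
CAT3(config)#wireless client band-select cycle-count 3
CAT3(config)#wireless client band-select cycle-threshold 150
CAT3(config)#wireless client band-select expire suppression 15
! Both features are global knobs that only act on WLANs where they are switched on.
CAT3(config)#wlan HQ-WPAEAP1-PodX
CAT3(config-wlan)#load-balance
CAT3(config-wlan)#band-select
CAT3(config-wlan)#end
```

Check the resulting parameters with show wireless load-balancing and show wireless band-select; the WLAN flags show up in show wlan name HQ-WPAEAP1-PodX.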
This concludes Lab 129 of iPexpert’s CCIE Wireless DSG, Section 4, Volume 1
Technologies Covered
Radio Settings
Topology Detail
In this scenario, CAT3 and CAT4 are in the same SPG with WLC3 as their MC.
1. Have beacons sent out 5 times per second on the 2.4 GHz radios.
2. Configure 12 Mbps to be the lowest enabled data rate on the 5 GHz radios and ensure that
multicasts are sent out at that data rate.
3. Configure 11 Mbps as the lowest enabled data rate on the 2.4 GHz radios and maintain support for
802.11b clients.
4. Ensure that the APs can inform clients about their power levels so that compatible clients can adjust
their power levels appropriately.
5. Have APs request that CCX v2 compatible clients send out probes every 60 seconds in order for the
unified network to have more location data points for them.
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#ap dot11 24ghz shut
CAT3(config)#ap dot11 5ghz shut
CAT3(config-wlan)#ccx aironet-iesupport
[lines omitted]
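The solution block for this lab is truncated, so here is one complete set of radio settings for the five tasks on CAT3, with CAT4 receiving the same lines. This is an added example and not the guide's own text: the rate names and the beaconperiod, dtpc and rrm ccx location-measurement keywords are IOS-XE 3.x CLI, and the assumption that tasks 4 and 5 apply to both bands is mine.

```ios
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#ap dot11 24ghz shutdown
CAT3(config)#ap dot11 5ghz shutdown
! 1. five beacons per second = a 200 ms beacon period
CAT3(config)#ap dot11 24ghz beaconperiod 200
! 2. 12 Mbps as the lowest rate and the ONLY mandatory rate on 5 GHz, so it is
!    necessarily the rate multicast is sent at (24 Mbps is mandatory by default)
CAT3(config)#ap dot11 5ghz rate RATE_6M disable
CAT3(config)#ap dot11 5ghz rate RATE_9M disable
CAT3(config)#ap dot11 5ghz rate RATE_12M mandatory
CAT3(config)#ap dot11 5ghz rate RATE_24M supported
! 3. 11 Mbps lowest on 2.4 GHz; 11 Mbps is itself an 802.11b rate, so b clients
!    remain supported while 1, 2 and 5.5 Mbps are switched off
CAT3(config)#ap dot11 24ghz rate RATE_1M disable
CAT3(config)#ap dot11 24ghz rate RATE_2M disable
CAT3(config)#ap dot11 24ghz rate RATE_5_5M disable
CAT3(config)#ap dot11 24ghz rate RATE_11M mandatory
! 4. DTPC advertises the AP's transmit power so compatible clients can match it
CAT3(config)#ap dot11 24ghz dtpc
CAT3(config)#ap dot11 5ghz dtpc
! 5. ask CCX v2 (and later) clients for a location measurement every 60 seconds
CAT3(config)#ap dot11 24ghz rrm ccx location-measurement 60
CAT3(config)#ap dot11 5ghz rrm ccx location-measurement 60
CAT3(config)#no ap dot11 24ghz shutdown
CAT3(config)#no ap dot11 5ghz shutdown
! CCX clients only act on the request when the WLAN carries Aironet IEs
CAT3(config)#wlan HQ-WPAEAP1-PodX
CAT3(config-wlan)#shutdown
CAT3(config-wlan)#ccx aironet-iesupport
CAT3(config-wlan)#no shutdown
CAT3(config-wlan)#end
```

show ap dot11 24ghz network and show ap dot11 5ghz network list the beacon period, the per-rate state, DTPC and the CCX location measurement interval in one place, which is the quickest way to confirm that no rate below the intended lowest one is still enabled.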
This concludes Lab 130 of iPexpert’s CCIE Wireless DSG, Section 4, Volume 1
Technologies Covered
RF Groups
Topology Detail
In this scenario, CAT3 and CAT4 are in the same SPG with WLC3 as their MC.
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wireless rf-network HQ
CAT3(config)#end
CAT4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT4(config)#wireless rf-network HQ
CAT4(config)#end
WLC3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
WLC3(config)#wireless rf-network HQ
WLC3(config)#end
When available, WLC3 should make all channel and power decisions for the RF group on both radios.
The MC is the controller that makes the RRM decisions. When there are multiple MCs, or when the converged
access network has to coexist with the AireOS network, it is also the MC that forms the RF group with the
other controllers. The RF group name is more than a label: APs carry a hash derived from it in their neighbor
messages, and an AP whose messages do not validate is not learned as a neighbor and can be reported as a
rogue, so every controller that is meant to coordinate RRM must be configured with exactly the same name.
WLC3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
WLC3(config)#ap dot11 24ghz rrm group-mode leader
WLC3(config)#ap dot11 24ghz rrm group-member WLC1 10.10.111.10
WLC3(config)#ap dot11 5ghz rrm group-mode leader
WLC3(config)#ap dot11 5ghz rrm group-member WLC1 10.10.111.10
WLC3(config)#end
3. Have APs on CAT3-4 send neighbor messages every 90 seconds on all radios.
4. APs on CAT3-4 should only scan the channels on the DCA list when looking for rogues and noise
off-channel.
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#ap dot11 24ghz rrm monitor signal 90
CAT3(config)#ap dot11 5ghz rrm monitor signal 90
CAT3(config)#ap dot11 24ghz rrm monitor channel-list dca
CAT3(config)#ap dot11 5ghz rrm monitor channel-list dca
CAT3(config)#end
CAT4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT4(config)#ap dot11 24ghz rrm monitor signal 90
CAT4(config)#ap dot11 5ghz rrm monitor signal 90
CAT4(config)#ap dot11 24ghz rrm monitor channel-list dca
CAT4(config)#ap dot11 5ghz rrm monitor channel-list dca
CAT4(config)#end
This concludes Lab 131 of iPexpert’s CCIE Wireless DSG, Section 4, Volume 1
Technologies Covered
TPC
Topology Detail
In this scenario, CAT3 and CAT4 are in the same SPG with WLC3 as their MC. TPC settings are configured
on the MC for all associated MAs.
With TPC in Auto mode, the MC will control the transmit power of the APs on itself and the MAs. With
TPC turned off, the MAs are then responsible for manually setting the transmit power. When in doubt,
configure RRM settings identically on both MAs and the MC.
1. Configure WLC3 to automatically calculate power levels on the MA APs every 10 minutes on the 5
GHz radios.
2. Configure CAT3-4 and WLC3 to statically set power levels to 3 on the 2.4 GHz radios.
Since RRM is enabled on the 5 GHz radios, we only need to configure the min/max settings on WLC3, although
it does no harm to configure them on CAT3-4 as well. To statically set the power level to 3 on the 2.4 GHz
radios, however, TPC must be turned off; with TPC off the txpower value is a static setting, and it has to be
configured on each MA (including WLC3, which is the MA for LAP4) for it to apply to that MA's APs.
WLC3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
WLC3(config)#ap dot11 5ghz shut
WLC3(config)#ap dot11 5ghz rrm txpower auto
WLC3(config)#ap dot11 5ghz rrm txpower max 14
WLC3(config)#ap dot11 5ghz rrm txpower min 9
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#ap dot11 24ghz shut
CAT3(config)#no ap dot11 24ghz rrm txpower auto
CAT3(config)#ap dot11 24ghz rrm txpower 3
CAT3(config)#end
CAT4#conf t
Per-AP power configs are done on the MA, since you are directly configuring an AP.
4. Change the TPC threshold on WLC3 so that the average power levels on the 5 GHz radios drop by
1 compared to the default threshold value (assuming they are in between the max/min settings at
the moment).
Each Cisco power level is a 3 dB step, so lowering the TPC threshold 3 dB below the default of -70 dBm (to
-73 dBm) drops the average power level by one. Re-enable the radios now that the tasks are done.
WLC3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
WLC3(config)#ap dot11 5ghz rrm tpc-threshold -73
WLC3(config)#no ap dot11 24ghz shutdown
WLC3(config)#no ap dot11 5ghz shutdown
WLC3(config)#end
The global TPC settings are not enforced on the APs immediately. TPC runs on a 10 minute interval, so allow
a cycle or two before the new levels appear in show ap dot11 5ghz txpower.
This concludes Lab 132 of iPexpert’s CCIE Wireless DSG, Section 4, Volume 1
Technologies Covered
DCA
Topology Detail
In this scenario, CAT3 and CAT4 are in the same SPG with WLC3 as their MC.
Most DCA settings are configured on the MC and apply to all associated MAs, as long as DCA is in Auto
mode rather than turned off. If you are ever in doubt about where a setting belongs, configure it on both
the MC and the MAs.
1. Have WLC3 dynamically evaluate the channel plan every 2 hours starting at midnight.
Set the DCA channel sensitivity to the setting that would cause the fewest channel
change events.
These are some basic DCA settings. As with TPC, DCA is run on the MC.
WLC3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
WLC3(config)#ap dot11 24ghz rrm channel dca anchor-time 0
WLC3(config)#ap dot11 24ghz rrm channel dca interval 2
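The task above also asks for the DCA sensitivity that produces the fewest channel changes, which the solution block does not show. As an added example, not part of the original guide, here are the task 1 and sensitivity settings for both bands on the MC. The syntax is the IOS-XE 3.x RRM CLI; the 5 GHz lines assume the task applies to both radios.

```ios
WLC3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
! Evaluate the channel plan every 2 hours, anchored at midnight (hour 0).
WLC3(config)#ap dot11 24ghz rrm channel dca anchor-time 0
WLC3(config)#ap dot11 24ghz rrm channel dca interval 2
WLC3(config)#ap dot11 5ghz rrm channel dca anchor-time 0
WLC3(config)#ap dot11 5ghz rrm channel dca interval 2
! Low sensitivity raises the metric improvement DCA needs before it will
! move an AP to a new channel, so it causes the fewest channel change events.
WLC3(config)#ap dot11 24ghz rrm channel dca sensitivity low
WLC3(config)#ap dot11 5ghz rrm channel dca sensitivity low
WLC3(config)#end
```

show ap dot11 5ghz channel (and the 24ghz counterpart) reports the anchor time, interval and sensitivity together with the current DCA channel list.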
WLC3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
WLC3(config)#ap dot11 5ghz shut
WLC3(config)#ap dot11 5ghz rrm channel dca chan-width 40
WLC3(config)#no ap dot11 5ghz shut
WLC3(config)#end
4. Disable the use of UNII-3 band channels on the 5 GHz radios for use in DCA.
Channel 165 is also a UNII-3 channel, but it is not in the DCA list by default (it shows as x rather than C in
the Auto-RF row of the country channel matrix in Lab 139), so the four removals below cover the band; add
a remove 165 only if it was previously added to the list.
WLC3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
WLC3(config)#ap dot11 5ghz shut
WLC3(config)#ap dot11 5ghz rrm channel dca remove 149
WLC3(config)#ap dot11 5ghz rrm channel dca remove 153
WLC3(config)#ap dot11 5ghz rrm channel dca remove 157
WLC3(config)#ap dot11 5ghz rrm channel dca remove 161
WLC3(config)#no ap dot11 5ghz shut
WLC3(config)#end
This concludes Lab 133 of iPexpert’s CCIE Wireless DSG, Section 4, Volume 1
Technologies Covered
Coverage Hole Detection (CHD)
Topology Detail
In this scenario, CAT3 and CAT4 are in the same SPG with WLC3 as their MC. CHD settings are
configured on the MAs.
2. Consider clients to be at a low signal level based on a threshold value of -78 dBm for data queue
traffic and -76 dBm for voice queue traffic.
3. Clients should be considered in a pre-alarm condition when they experience at least 50 failed
packets, which represents at least 40% of its total packets.
4. Coverage hole detection should kick in for pre-alarm clients below the RSSI threshold when there
are at least 2 of them on an AP and they represent at least 20% of the total clients.
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#ap dot11 24ghz shutdown
CAT3(config)#no ap dot11 24ghz rrm coverage
CAT3(config)#no ap dot11 24ghz shutdown
CAT4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT4(config)#ap dot11 24ghz shutdown
CAT4(config)#no ap dot11 24ghz rrm coverage
CAT3#config t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wlan HQ-WPAEAP1-PodX
CAT3(config-wlan)#chd
CAT3(config-wlan)#end
CAT4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT4(config)#wlan HQ-WPAEAP1-PodX
CAT4(config-wlan)#chd
CAT4(config-wlan)#end
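Tasks 2 through 4 set CHD thresholds, none of which appear in the solution blocks above. The following is an added example, not from the original guide, with the values from the task text entered on one MA (CAT4 gets the same lines, since the lab notes that CHD settings live on the MAs). It assumes the tasks apply to both bands and uses the IOS-XE 3.x rrm coverage CLI. The page's own solution disables CHD globally on the 2.4 GHz radios, so on that band the thresholds only come into play if CHD is enabled again.

```ios
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#ap dot11 5ghz shutdown
! 2. RSSI below which a client counts as weak, per traffic type
CAT3(config)#ap dot11 5ghz rrm coverage data rssi-threshold -78
CAT3(config)#ap dot11 5ghz rrm coverage voice rssi-threshold -76
! 3. pre-alarm: at least 50 failed packets that are at least 40% of the client's packets
CAT3(config)#ap dot11 5ghz rrm coverage data packet-count 50
CAT3(config)#ap dot11 5ghz rrm coverage data fail-percentage 40
CAT3(config)#ap dot11 5ghz rrm coverage voice packet-count 50
CAT3(config)#ap dot11 5ghz rrm coverage voice fail-percentage 40
! 4. a coverage hole needs at least 2 such clients and at least 20% of the AP's clients
CAT3(config)#ap dot11 5ghz rrm coverage level global 2
CAT3(config)#ap dot11 5ghz rrm coverage exception global 20
CAT3(config)#no ap dot11 5ghz shutdown
! same values on 2.4 GHz; they take effect once CHD is re-enabled on that radio
CAT3(config)#ap dot11 24ghz shutdown
CAT3(config)#ap dot11 24ghz rrm coverage data rssi-threshold -78
CAT3(config)#ap dot11 24ghz rrm coverage voice rssi-threshold -76
CAT3(config)#ap dot11 24ghz rrm coverage data packet-count 50
CAT3(config)#ap dot11 24ghz rrm coverage data fail-percentage 40
CAT3(config)#ap dot11 24ghz rrm coverage voice packet-count 50
CAT3(config)#ap dot11 24ghz rrm coverage voice fail-percentage 40
CAT3(config)#ap dot11 24ghz rrm coverage level global 2
CAT3(config)#ap dot11 24ghz rrm coverage exception global 20
CAT3(config)#no ap dot11 24ghz shutdown
CAT3(config)#end
```

The packet-count and fail-percentage conditions are both required for a client to enter pre-alarm, and the level and exception conditions are both required for the AP to raise a coverage hole, which is why each pair is set rather than just the larger of the two.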
This concludes Lab 134 of iPexpert’s CCIE Wireless DSG, Section 4, Volume 1
Technologies Covered
CCX Roaming
Topology Detail
In this scenario, CAT3 and CAT4 are in the same SPG with WLC3 as their MC. CCX Roaming settings are
configured on the MAs.
1. Configure the following CCX roaming settings on CAT3 and CAT4’s 5 GHz radios.
CCX clients should not associate to (or stay associated to) APs at a signal level below -82
dBm.
Clients should roam to another AP only when its signal is at least 4 times better than its
current AP’s signal.
Clients should start trying to roam when its signal drops to -75dBm or worse.
The roam should complete within 4 seconds of hitting the scan threshold.
The four values map onto the rf-params custom arguments in order: minimum RSSI, roam hysteresis, scan
threshold and transition time. A signal four times stronger is 10 log10(4), roughly 6 dB, which is why the
hysteresis is entered as 6.
CAT3#config t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#ap dot11 5ghz l2roam rf-params custom -82 6 -75 4
CAT3(config)#end
CAT4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT4(config)#ap dot11 5ghz l2roam rf-params custom -82 6 -75 4
CAT4(config)#end
This concludes Lab 135 of iPexpert’s CCIE Wireless DSG, Section 4, Volume 1
Technologies Covered
DFS
Topology Detail
In this scenario, CAT3 and CAT4 are in the same SPG with WLC3 as their MC. DFS settings are configured
on the MAs.
1. When an AP encounters a radar signal while using a DFS channel, it should move to a new channel
and tell its associated clients which channel it is moving to.
2. Enable 802.11h based TPC and set the power constraint to 9 dBm.
In order to enable the power constraint you must disable DTPC; only one of the two can be enabled at a
time. Channel switch mode 1 tells associated clients to stop transmitting until the announced switch takes
place (mode 0 imposes no restriction). Bear in mind that the Channel Switch Announcement and Power
Constraint elements are carried in beacons, which 802.11w does not protect, so clients will also honor them
from a rogue spoofing the BSSID; only the Spectrum Management action-frame form of the announcement is
covered by management frame protection (see Lab 126).
CAT3#config t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#ap dot11 5ghz shutdown
CAT3(config)#ap dot11 5ghz channelswitch mode 1
CAT3(config)#no ap dot11 5ghz dtpc
CAT3(config)#ap dot11 5ghz power-constraint 9
CAT3(config)#no ap dot11 5ghz shutdown
CAT3(config)#end
CAT4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT4(config)#ap dot11 5ghz shutdown
CAT4(config)#ap dot11 5ghz channelswitch mode 1
CAT4(config)#no ap dot11 5ghz dtpc
CAT4(config)#ap dot11 5ghz power-constraint 9
CAT4(config)#no ap dot11 5ghz shutdown
CAT4(config)#end
Show run
This concludes Lab 136 of iPexpert’s CCIE Wireless DSG, Section 4, Volume 1
Technologies Covered
802.11n/ac
Topology Detail
In this scenario, CAT3 and CAT4 are in the same SPG with WLC3 as their MC. 802.11n/ac settings are
configured on the MAs (except for the DCA channel width settings).
1. Disable all 3 spatial stream data rates on the 2.4 GHz radios.
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#ap dot11 24ghz shut
CAT3(config)#no ap dot11 24ghz dot11n mcs tx 16
CAT3(config)#no ap dot11 24ghz dot11n mcs tx 17
CAT3(config)#no ap dot11 24ghz dot11n mcs tx 18
CAT3(config)#no ap dot11 24ghz dot11n mcs tx 19
CAT3(config)#no ap dot11 24ghz dot11n mcs tx 20
CAT3(config)#no ap dot11 24ghz dot11n mcs tx 21
CAT3(config)#no ap dot11 24ghz dot11n mcs tx 22
CAT3(config)#no ap dot11 24ghz dot11n mcs tx 23
CAT3(config)#end
CAT4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT4(config)#ap dot11 24ghz shut
CAT4(config)#no ap dot11 24ghz dot11n mcs tx 16
CAT4(config)#no ap dot11 24ghz dot11n mcs tx 17
CAT4(config)#no ap dot11 24ghz dot11n mcs tx 18
CAT4(config)#no ap dot11 24ghz dot11n mcs tx 19
CAT4(config)#no ap dot11 24ghz dot11n mcs tx 20
CAT4(config)#no ap dot11 24ghz dot11n mcs tx 21
CAT4(config)#no ap dot11 24ghz dot11n mcs tx 22
CAT4(config)#no ap dot11 24ghz dot11n mcs tx 23
CAT4(config)#end
Verification (excerpt from show ap dot11 24ghz network):
11gSupport : Enabled
11nSupport : Enabled
MCS 22 : Disabled
MCS 23 : Disabled
2. Ensure that A-MSDU is enabled for all packet priorities on the 2.4 GHz radios.
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#ap dot11 24ghz dot11n a-msdu tx priority all
CAT3(config)#ap dot11 24ghz dot11n guard-interval any
CAT3(config)#ap dot11 24ghz dot11n rifs rx
CAT4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT4(config)#ap dot11 24ghz dot11n a-msdu tx priority all
CAT4(config)#ap dot11 24ghz dot11n guard-interval any
CAT4(config)#ap dot11 24ghz dot11n rifs rx
Verification after the A-MSDU, guard interval and RIFS changes (excerpt from show ap dot11 24ghz network):
Priority 4 : Enabled
Priority 5 : Enabled
Priority 6 : Disabled
Priority 7 : Disabled
Aggregation scheduler : Enabled
Realtime timeout : 10
A-MSDU Tx:
Priority 0 : Enabled
Priority 1 : Enabled
Priority 2 : Enabled
Priority 3 : Enabled
Priority 4 : Enabled
Priority 5 : Enabled
Priority 6 : Enabled
Priority 7 : Enabled
Guard Interval : Any
Rifs Rx : Enabled
5. Ensure that clients can achieve the fastest 802.11ac data rates.
6. Ensure that 802.11n/ac data rates are possible on the HQ-WPAEAP1-PodX WLAN.
The previous tasks, enabling RIFS and short guard intervals, have already helped toward the fastest
802.11ac speeds. The remaining settings concern the allowed rates and the use of 80 MHz wide channels.
All rates are enabled by default, so we only need to configure 80 MHz channels, and since the MC controls
the RRM settings, that is done on WLC3.
For the WLAN to support 802.11n/ac rates, it needs Open or WPA2/AES (CCMP) security and WMM enabled;
a WLAN that still allows TKIP or WEP negotiates legacy rates only, which is one more reason to retire those
ciphers.
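Task 6 has no solution block of its own above. As an added example, not part of the original guide, here is the WLAN-side check on one MA: the weak cipher removed, AES kept, and WMM switched on. It assumes the WLAN already carries WPA2 and that non-WMM clients should still be admitted, hence wmm allowed rather than wmm require; the same lines go on CAT4 and WLC3, since each controller holds its own copy of the WLAN.

```ios
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wlan HQ-WPAEAP1-PodX
! security and cipher changes need the WLAN disabled
CAT3(config-wlan)#shutdown
! TKIP (like WEP) limits the WLAN to legacy rates, so leave CCMP as the only cipher
CAT3(config-wlan)#no security wpa wpa2 ciphers tkip
CAT3(config-wlan)#security wpa wpa2 ciphers aes
! WMM is a prerequisite for HT/VHT rates; "allowed" still admits non-WMM clients
! at legacy rates, "require" would turn them away
CAT3(config-wlan)#wmm allowed
CAT3(config-wlan)#no shutdown
CAT3(config-wlan)#end
```

show wlan name HQ-WPAEAP1-PodX should list WMM as Allowed and only AES under the WPA2 ciphers; if TKIP is still shown, 802.11n/ac clients on this WLAN will be stuck at 802.11a/g rates regardless of the radio settings above.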
WLC3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
WLC3(config)#ap dot11 5g shut
WLC3(config)#ap dot11 5g rrm chan dca chan 80
WLC3(config)#no ap dot11 5g shut
WLC3(config)#end
LAP1 is the only 802.11ac lightweight AP in our rack. It might still be set to statically use a channel-
width of 20 MHz. So, I’ll remove the static setting and let RRM configure it. Let’s also get our radios
enabled globally on all switches.
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#no ap dot11 24 shut
CAT3(config)#no ap dot11 5g shut
CAT3(config)#end
CAT4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT4(config)#no ap dot11 24 shut
CAT4(config)#no ap dot11 5g shut
CAT4(config)#end
This concludes Lab 137 of iPexpert’s CCIE Wireless DSG, Section 4, Volume 1
Technologies Covered
CleanAir
Topology Detail
In this scenario, CAT3 and CAT4 are in the same SPG with WLC3 as their MC. CleanAir settings are
configured on the MC for all associated MAs.
WLC3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
WLC3(config)#ap dot11 24gh cleanair
WLC3(config)#ap dot11 5gh cleanair
WLC3(config)#end
2. When an AP detects a persistent interferer device, its neighboring APs should be informed about
it.
WLC3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
WLC3(config)#ap dot11 24 rrm channel pda-prop
WLC3(config)#ap dot11 5g rrm channel pda-prop
WLC3(config)#end
4. Traps should be sent out if an AP’s AQI score drops to 40, or when Microwave Ovens are detected.
5. If APs on WLC1 have their AQI scores drop to 35 or worse for a period of time, they should change
channels.
Bluetooth is only in the 2.4 GHz spectrum. Same with microwave ovens.
WLC3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
WLC3(config)#no ap dot11 24 clean device bt-discovery
WLC3(config)#no ap dot11 24 clean device bt-link
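Tasks 4 and 5 above have no solution block, and task 3 survives only through its solution (Bluetooth reporting turned off). As an added example, not from the original guide, here is one complete CleanAir configuration on the MC covering tasks 2 through 5 with the values from the task text. It uses the IOS-XE 3.x cleanair CLI. Task 5 as printed names WLC1, which in this rack is the AireOS controller; the example assumes the converged MC, WLC3, is intended, since event-driven RRM is an MC setting here. The sensitivity value relies on the Cisco mapping of Low to an AQI of 35.

```ios
WLC3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
! 1. CleanAir on both bands
WLC3(config)#ap dot11 24ghz cleanair
WLC3(config)#ap dot11 5ghz cleanair
! 2. avoid persistent interferers and tell neighboring APs about them
WLC3(config)#ap dot11 24ghz rrm channel device
WLC3(config)#ap dot11 5ghz rrm channel device
WLC3(config)#ap dot11 24ghz rrm channel pda-prop
WLC3(config)#ap dot11 5ghz rrm channel pda-prop
! 3. stop reporting Bluetooth (a 2.4 GHz-only device class)
WLC3(config)#no ap dot11 24ghz cleanair device bt-discovery
WLC3(config)#no ap dot11 24ghz cleanair device bt-link
! 4. traps when AQI falls to 40, and on microwave oven detection (2.4 GHz only)
WLC3(config)#ap dot11 24ghz cleanair alarm air-quality
WLC3(config)#ap dot11 24ghz cleanair alarm air-quality threshold 40
WLC3(config)#ap dot11 5ghz cleanair alarm air-quality
WLC3(config)#ap dot11 5ghz cleanair alarm air-quality threshold 40
WLC3(config)#ap dot11 24ghz cleanair alarm device mw-oven
! 5. event-driven RRM: Low sensitivity triggers a channel change at AQI 35
WLC3(config)#ap dot11 24ghz rrm channel cleanair-event
WLC3(config)#ap dot11 24ghz rrm channel cleanair-event sensitivity low
WLC3(config)#ap dot11 5ghz rrm channel cleanair-event
WLC3(config)#ap dot11 5ghz rrm channel cleanair-event sensitivity low
WLC3(config)#end
```

The alarms only reach a management station if SNMP trap destinations are configured on the controller, which this lab does not cover; show ap dot11 24ghz cleanair config is the place to confirm the device-type and sensitivity state, as the output excerpts below show.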
Now let’s look at the config on the MC as well as one of the MAs.
WLC3 (the MC), excerpt from show ap dot11 24ghz cleanair config:
SuperAG.................................. : Enabled
Canopy................................... : Enabled
WiMax Mobile............................. : Enabled
WiMax Fixed.............................. : Enabled
Interference Device Types Triggering Alarms:
TDD Transmitter.......................... : Disabled
Jammer................................... : Disabled
Continuous Transmitter................... : Disabled
DECT-like Phone.......................... : Disabled
Video Camera............................. : Disabled
WiFi Inverted............................ : Disabled
WiFi Invalid Channel..................... : Disabled
SuperAG.................................. : Disabled
Canopy................................... : Disabled
WiMax Mobile............................. : Disabled
WiMax Fixed.............................. : Disabled
Interference Device Alarms................... : Enabled
Additional CleanAir Settings:
CleanAir Event-driven RRM State.............. : Enabled
CleanAir Driven RRM Sensitivity.............. : LOW
CleanAir Persistent Devices state............ : Enabled
CleanAir Persistent Device Propagation....... : Enabled
CAT3 (an MA), same command:
Jammer................................... : Enabled
Continuous Transmitter................... : Enabled
DECT-like Phone.......................... : Enabled
Video Camera............................. : Enabled
802.15.4................................. : Enabled
WiFi Inverted............................ : Enabled
WiFi Invalid Channel..................... : Enabled
SuperAG.................................. : Enabled
Canopy................................... : Enabled
Microsoft Device......................... : Enabled
WiMax Mobile............................. : Enabled
WiMax Fixed.............................. : Enabled
Interference Device Types Triggering Alarms:
Bluetooth Link........................... : Disabled
Microwave Oven........................... : Enabled
802.11 FH................................ : Disabled
Bluetooth Discovery...................... : Disabled
TDD Transmitter.......................... : Disabled
Jammer................................... : Disabled
Continuous Transmitter................... : Disabled
DECT-like Phone.......................... : Disabled
Video Camera............................. : Disabled
802.15.4................................. : Disabled
WiFi Inverted............................ : Disabled
WiFi Invalid Channel..................... : Disabled
SuperAG.................................. : Disabled
Canopy................................... : Disabled
Microsoft Device......................... : Disabled
WiMax Mobile............................. : Disabled
WiMax Fixed.............................. : Disabled
Interference Device Alarms................... : Enabled
AdditionalClean Air Settings:
CleanAir Event-driven RRM State.............. : Enabled
CleanAir Driven RRM Sensitivity.............. : LOW
CleanAir Persistent Devices state............ : Disabled
CleanAir Persistent Device Propagation....... : Disabled
So interestingly enough, the device propagation shows as disabled on the MA (last line in the output
above), but it cannot be configured on the MA.
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#ap dot11 24 rrm channel device
% switch-1:wcm:This command is not available on Mobility Agent
CAT3(config)#ap dot11 24 rrm channel pda-prop
% switch-1:wcm:This is command is not available on Mobility Agent
So I guess we just worry about what the MC says, and mainly look to see that the MC link status shows
UP on the MAs.
This concludes Lab 138 of iPexpert’s CCIE Wireless DSG, Section 4, Volume 1
Technologies Covered
Country Codes
Topology Detail
In this scenario, CAT3 and CAT4 are in the same SPG with WLC3 as their MC. Configure country codes
on all of these devices.
Country codes control several things. They feed the RRM channel and power calculations, so they belong on
the MC. They also define the regulatory domain that decides which APs are allowed to join an MA, so they
belong on the MAs as well.
1. You bought an AP from someone in Germany and it’s having issues joining your controller (which
is in the United States), configure your country codes so that it will be supported.
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#ap dot11 24 shut
CAT3(config)#ap dot11 5g shut
CAT3(config)#ap country US,DE
Changing country code could reset channel and RRM grouping configuration. If running
in RRM One-Time mode, reassign channels after this command. Check customized APs for
valid channel values after this command.
Are you sure you want to continue? (y/n)[y]: y
CAT3(config)#no ap dot11 24 shut
CAT3(config)#no ap dot11 5g shut
CAT3(config)#end
CAT4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT4(config)#ap dot11 24 shut
CAT4(config)#ap dot11 5g shut
CAT4(config)#ap country US,DE
Changing country code could reset channel and RRM grouping configuration. If running
in RRM One-Time mode, reassign channels after this command. Check customized APs for
valid channel values after this command.
Are you sure you want to continue? (y/n)[y]: y
CAT4(config)#no ap dot11 24 shut
CAT4(config)#no ap dot11 5g shut
CAT4(config)#end
WLC3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
WLC3(config)#ap dot11 24 shut
WLC3(config)#ap dot11 5g shut
WLC3(config)#ap country US,DE
Changing country code could reset channel and RRM grouping configuration. If running
in RRM One-Time mode, reassign channels after this command. Check customized APs for
valid channel values after this command.
Are you sure you want to continue? (y/n)[y]: y
WLC3(config)#no ap dot11 24 shut
WLC3(config)#no ap dot11 5g shut
WLC3(config)#end
Excerpt from show wireless country channels after the change (the 2.4 GHz rows above this point are cut off):
Auto-RF : C x x x x C x x x x C x x .
-----------------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
802.11a : 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
Channels : 3 3 3 4 4 4 4 4 5 5 6 6 0 0 0 1 1 2 2 2 3 3 4 4 5 5 6 6
: 4 6 8 0 2 4 6 8 2 6 0 4 0 4 8 2 6 0 4 8 2 6 0 9 3 7 1 5
-----------------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
DE (-E ,-E ): . A . A . A . A A A A A * * * * * * * * * * * . . . . .
US (-A ,-AB ): . A . A . A . A A A A A * * * * * . . . * * * A A A A *
Auto-RF : . C . C . C . C C C C C x x x x x x x x x x x C C C C x
-----------------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
4.9GHz 802.11a :
Channels : 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2
: 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6
-----------------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
DE (-E ,-E ): . . . . . . . . . . . . . . . . . . . . . . . . . .
US (-A ,-AB ): * * * * * * * * * * * * * * * * * * * A * * * * * A
Auto-RF : . . . . . . . . . . . . . . . . . . . . . . . . . .
-----------------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
In this matrix, A marks a channel in the country's default Auto-RF set, * a channel that is legal in that
country but not in the default set, and . a channel that is not legal there; in the Auto-RF row, C marks the
channels currently in the DCA list and x the channels that are available to be added to it. The DE row has no
UNII-3 channels (149-165) and no 4.9 GHz channels, while the US row has them, which is exactly the kind
of difference that makes an AP from one regulatory domain refuse to join a controller configured for another.
2. Now that you made your changes, none of your mesh APs are able to join your WLC, go back to
just the US country code.
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#ap dot11 24 shut
CAT3(config)#ap dot11 5g shut
CAT3(config)#ap country US
Changing country code could reset channel and RRM grouping configuration. If running
in RRM One-Time mode, reassign channels after this command. Check customized APs for
valid channel values after this command.
Are you sure you want to continue? (y/n)[y]: y
CAT3(config)#no ap dot11 24 shut
CAT3(config)#no ap dot11 5g shut
CAT3(config)#end
CAT4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT4(config)#ap dot11 24 shut
WLC3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
WLC3(config)#ap dot11 24 shut
WLC3(config)#ap dot11 5g shut
WLC3(config)#ap country US
Changing country code could reset channel and RRM grouping configuration. If running
in RRM One-Time mode, reassign channels after this command. Check customized APs for
valid channel values after this command.
Are you sure you want to continue? (y/n)[y]: y
WLC3(config)#no ap dot11 24 shut
WLC3(config)#no ap dot11 5g shut
WLC3(config)#end
3. Hang on, mesh APs are not supported on IOS-XE controllers. Oh well, just leave it at US only.
For instructor and developer support, please be sure to submit questions through our interactive
support community that’s accessible from the Member’s Area.
This concludes Lab 139 of iPexpert’s CCIE Wireless DSG, Section 4, Volume 1
Copyright© iPexpert. All Rights Reserved.
Technologies Covered
This portion of the material is designed to provide our students with the exact commands to use, when
to use them, and also the various show commands that will allow you to understand what you're
looking for. In addition, the instructor has provided some detail as to why the various solutions have
been used versus another potential command set that would have accomplished the same outcome.
N/A
iPexpert’s Video on Demand training library contains a wealth of videos pertaining to the CCIE
Wireless Lab exam. We recommend watching the following learning videos prior to completing
this lab scenario.
Topology Detail
There are more general settings, but most of them were already handled in the Network Infrastructure
labs. These are a few “controller” related settings.
1. Ensure that clients can change between different WLANs on the same controller quickly.
2. Client sessions should be removed if they haven’t been heard from in 10 minutes.
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wireless client fast-ssid-change
CAT3(config)#wireless client user-timeout 600
CAT3(config)#end
Show run
This concludes Lab 140 of iPexpert’s CCIE Wireless DSG, Section 4, Volume 1
Technologies Covered
Wireless Multicast
N/A
Topology Detail
2. Have the CATs snoop in on the IGMP messages of the wireless clients.
Multicast is disabled by default, but IGMP snooping is enabled by default. So once multicast is turned
on, IGMP snooping should already be there.
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wireless multicast
CAT3(config)#end
CAT4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT4(config)#wireless multicast
CAT4(config)#end
Multicast : Enabled
mDNS : Enabled
AP Capwap Multicast : Unicast
Wireless Broadcast : Disabled
Wireless Multicast non-ip-mcast : Disabled
3. When the CATs need to send multicast packets to wireless clients, it should send a single packet
rather than individual packets addressed to each AP.
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#ap capwap multicast 239.33.33.33
CAT3(config)#end
CAT4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT4(config)#ap capwap multicast 239.44.44.44
CAT4(config)#end
Multicast : Enabled
mDNS : Enabled
AP Capwap Multicast : Multicast
AP Capwap Multicast group Address : 239.33.33.33
Wireless Broadcast : Disabled
Wireless Multicast non-ip-mcast : Disabled
To see that the APs joined the groups, you can check the IGMP snooping tables on the MAs.
On 3650s (and 3850s), since the joined APs and management interfaces are always on the same
VLAN/subnet, I don’t know why you wouldn’t want to use multicast mode. There is no wired routing
needed for this.
Non-IP multicast is disabled globally by default, but enabled on every interface. So once you enable it
globally, all interfaces would allow it. We weren’t asked to enable it globally, but we will disable it on
the VLAN.
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#no wireless multicast non-ip vlan 13
CAT3(config)#end
CAT4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT4(config)#no wireless multicast non-ip vlan 13
CAT4(config)#end
Multicast : Enabled
mDNS : Enabled
AP Capwap Multicast : Multicast
AP Capwap Multicast group Address : 239.33.33.33
Wireless Broadcast : Disabled
Wireless Multicast non-ip-mcast : Disabled
This concludes Lab 141 of iPexpert’s CCIE Wireless DSG, Section 4, Volume 1
Technologies Covered
WLANs
Video Title: Unified Wireless (Converged)- WLAN Configs- Anchoring and L2 roaming
Topology Detail
Use open static WEP using WEP key 1 with a static key of “cciew”.
o MAC filtering should only be handled by CAT3 and ISE should not be queried.
Clients should not need to re-authenticate after a period of time as long as they stay
connected to the WLAN.
3. Configure another MAC filtering entry for a client using the MAC address 00:11:22:33:44:55.
I often like to make things work without MAC filtering first before I turn it on. It lets me know that I got
everything configured correctly and it also allows me to easily grab the MAC address of my client.
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wlan HQ-WEP1-Pod1 1 HQ-WEP1-Pod1
CAT3(config-wlan)#radio dot11b
CAT3(config-wlan)#client vlan 13
CAT3(config-wlan)#no sec wpa
CAT3(config-wlan)#security static-wep-key encryption 40 ascii 0 cciew 1
CAT3(config-wlan)#no session-timeout
CAT3(config-wlan)#no ccx aironet-iesupport
CAT3(config-wlan)#no shut
CAT3(config-wlan)#end
I was able to connect without the filtering and now I know the MAC address of my client. Let’s add on
the local MAC filtering.
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#username c8d719c00590 mac aaa attribute list wep1
CAT3(config)#username 001122334455 mac aaa attribute list wep1
CAT3(config)#wlan HQ-WEP1-Pod1
CAT3(config-wlan)#shut
CAT3(config-wlan)#mac-filtering wep1
CAT3(config-wlan)#no shut
CAT3(config-wlan)#end
After applying and reconnecting, I was still able to connect and pull an IP.
Ensure that the upstream switches only receive IGMP join requests from clients on this
WLAN on VLAN 14 to prevent duplicate multicast streams.
Use security settings that support only RSN and a pre-shared key of ipexpert.
If a statically IPed client associates to the WLAN, and CAT3 doesn’t have an interface that
supports it, have CAT3 see if it can tunnel the client to another controller.
Check to see the auth log on ISE for the MAC address lookup when you test connecting to
the WLAN.
This WLAN requires a bit of pre-work. We’ll need to get the VLAN group defined as well as the RADIUS
server config.
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#vlan group VLAN1415 vlan-list 14,15
CAT3(config)#aaa new
CAT3(config)#radius server ISE
CAT3(config-radius-server)#address ipv4 10.10.210.5 auth 1812 acc 1813
CAT3(config-radius-server)#key ipexpert
CAT3(config-radius-server)#exit
Now we should be able to configure the WLAN. The configurations below go in the order in which the features
were asked for in the task. If you see references to RSN, translate that to WPA2/AES.
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wlan HQ-WPAPSK1-Pod1 2
CAT3(config-wlan)#radio dot11ag
CAT3(config-wlan)#client vlan VLAN1415
CAT3(config-wlan)#ip multicast vlan 14
CAT3(config-wlan)#security wpa wpa2 ciphers aes
CAT3(config-wlan)#no security wpa akm dot1x
CAT3(config-wlan)#security wpa akm psk set-key ascii 0 ipexpert
CAT3(config-wlan)#mac-filtering ISEMAC
CAT3(config-wlan)#client association limit 100
CAT3(config-wlan)#static-ip tunneling
CAT3(config-wlan)#no shut
CAT3(config-wlan)#end
I was able to connect and pull an IP. Looking at ISE, I do see the MAC auth log. The auth matches the
MAB authentication rule in ISE, by default, and shows up as a host lookup. Unlike the AireOS controllers,
the IOS-XE devices only look where you tell them to, so the local entries that we created for the WEP
WLAN were ignored.
WPA-PSK WLAN #2
o Statically IPed clients that tend to only receive traffic, and not send any traffic
without the need to manually populate the MAC-to-IP binding table for each of
them.
o Non-Cisco workgroup bridges that may use different source IPs with the same
MAC address.
The only pre-work outside of the WLAN for this is enabling wireless multicast traffic globally for the
passive-client feature. Also, if you see references to TSN, translate that to WPA1/TKIP. We can’t support
WPA/TKIP alone. It must be accompanied by WPA2/AES.
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wireless multicast
CAT3(config)#wlan HQ-WPAPSK2-Pod1 3
CAT3(config-wlan)#radio dot11a
CAT3(config-wlan)#client vlan 15
CAT3(config-wlan)#no security wpa akm dot1x
CAT3(config-wlan)#security wpa akm psk set-key ascii 0 ipexpert
CAT3(config-wlan)#security wpa wpa1
CAT3(config-wlan)#security wpa wpa1 ciphers tkip
WPA-EAP WLAN
Configure the WLAN so that clients can use 802.11n data rates after a successful EAP
authentication.
Have CAT3 add option 82 information to the client DHCP requests in an ASCII format that
includes the client’s SSID information.
Configure the WLAN such that it supports client supplicant provisioning from ISE.
Have the WLAN attempt to spread clients out across multiple APs in an area rather than
having all clients use a single AP.
For the DHCP portion, we need to get DHCP snooping enabled on the switch. I’ll also set it up as a relay
agent. Snooping is required to verify the client actually pulls a DHCP address.
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#ip dhcp snooping
CAT3(config)#ip dhcp snooping vlan 13
CAT3(config)#int range gi1/0/21-22
CAT3(config-if-range)#ip dhcp snooping trust
CAT3(config-if-range)#interface Vlan13
CAT3(config-if)# ip dhcp relay information trusted
CAT3(config-if)# ip address 10.10.13.13 255.255.255.0
CAT3(config-if)# ip helper-address 10.10.13.3
CAT3(config-if)#end
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wlan HQ-WPAEAP1-Pod1 4 HQ-WPAEAP1-Pod1
CAT3(config-wlan)#client vlan 13
CAT3(config-wlan)#security dot1x authentication-list ISE
CAT3(config-wlan)#ip dhcp required
CAT3(config-wlan)#ip dhcp opt82
CAT3(config-wlan)#ip dhcp opt82 ascii
CAT3(config-wlan)#ip dhcp opt82 format add-ssid
CAT3(config-wlan)#aaa-override
CAT3(config-wlan)#nac
CAT3(config-wlan)#load-balance
CAT3(config-wlan)#band-select
CAT3(config-wlan)#no shut
CAT3(config-wlan)#end
This concludes Lab 142 of iPexpert’s CCIE Wireless DSG, Section 4, Volume 1
Technologies Covered
Guest WLANs
Video Title: Unified Wireless (Converged)- WLAN Configs- Anchoring and L2 roaming
Video Title: Unified Wireless (Converged)- Guest WLANs with Local Web Auth
Topology Detail
This lab requires access to CAT3-4, WLC3, and the WIN7 client.
No layer 2 authentication.
Clients should not be allowed to talk to each other on this WLAN (assume this WLAN only
exists on CAT3).
The first step in this task is to define the global webauth settings on the switch. We’ll create a parameter
map specifically for this webpage, and we’ll also set the virtual IP settings in the global parameter map.
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#parameter-map type webauth PASS
This operation will permanently convert all relevant authentication commands to their
CPL control-policy equivalents. As this conversion is irreversible and will disable
the conversion CLI 'authentication display [legacy|new-style]', you are strongly
advised to back up your current configuration before proceeding.
Do you wish to continue? [yes]: yes
CAT3(config-params-parameter-map)#type consent
CAT3(config-params-parameter-map)#consent email
CAT3(config-params-parameter-map)#redirect on-success https://10.10.210.6
CAT3(config-params-parameter-map)#exit
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wlan Guest1-Pod1 1
CAT3(config-wlan)#client vlan 11
CAT3(config-wlan)#no security wpa
CAT3(config-wlan)#security web-auth
CAT3(config-wlan)#security web-auth parameter-map PASS
CAT3(config-wlan)#peer-blocking drop
CAT3(config-wlan)#no shut
CAT3(config-wlan)#end
My client was able to connect and pull an IP. Let’s initiate the web redirect.
Not the most impressive webpage, but we do see the guest.ipexpert.local entry in the URL and the
prompt for the email address. After entering my info and accepting, I was successfully logged in and
then redirected to PI.
2. Install the custom webauth bundle from the Windows 2012 server.
Extract the tar file to the local flash drive. I put mine in a directory called webauth.
CAT3#dir flash:webauth
Directory of flash:/webauth/
No layer 2 authentication.
o You will need to override the default so as not to break the previous WLAN.
o Files
All clients should have to re-login after 12 hours of being connected to the WLAN.
o Make sure that your solution also prevents clients between WLCs from talking to
each other.
o This solution should not impact any other WLANs with clients on VLAN 12.
We’ll start again with the global webauth settings. We’ll also be sure to configure the AAA part to allow
for the local login.
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#parameter-map type webauth WEBAUTH
CAT3(config-params-parameter-map)#typ webauth
CAT3(config-params-parameter-map)#custom-page login device flash:/webauth/login.html
CAT3(config-params-parameter-map)#custom-page failure device flash:/webauth/failed.html
CAT3(config-params-parameter-map)#exit
CAT3(config)#aaa authentication login WEBAUTH local
CAT3(config)#aaa authorization network WEBAUTH local
CAT3(config)#aaa authorization credential-download WEBAUTH local
CAT3(config)#end
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#ip access-list extended GUEST2
CAT3(config-ext-nacl)#deny ip 10.10.12.0 0.0.0.255 10.10.12.0 0.0.0.255
CAT3(config-ext-nacl)#permit ip any any
CAT3(config-ext-nacl)#end
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wlan Guest2-Pod1 2
CAT3(config-wlan)#client vlan 12
CAT3(config-wlan)#no security wpa
CAT3(config-wlan)#security web-auth
CAT3(config-wlan)#security web-auth authentication-list WEBAUTH
CAT3(config-wlan)#security web-auth parameter-map WEBAUTH
CAT3(config-wlan)#session-timeout 43200
CAT3(config-wlan)#ip access-group GUEST2
CAT3(config-wlan)#no shut
CAT3(config-wlan)#end
Username= guest
Password= guest
Lifetime of 7 days
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#user-name guest
CAT3(config-user-name)#password 0 guest
CAT3(config-user-name)#type network-user description guest guest-user lifetime year 0 month 0 day 7
CAT3(config-user-name)#end
I was able to connect and pull an IP in VLAN 12. The web redirect sent me to our custom page as
expected.
5. Expand the Guest2-PodX configuration so that it is available on CAT3, CAT4, and WLC3.
CAT3 and CAT4 should tunnel the clients on that WLAN up to WLC3 (which is their MC).
7. Install a certificate to be used during webauth to try and avoid certificate warnings.
The cert files can be found on the WIN7 client at C:\Rack Files\Certificates\.
CA file= CA.pem
Be sure clients are redirected to guest.IPEXPERT.local, so the URL matches the certificate
CN.
Rather than tweak the WLAN on CAT3, I’m just going to blow it away and configure it from scratch since
there are some notable differences in the config when we tunnel.
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#no wlan Guest2-Pod1 2 Guest2-Pod1
CAT3(config)#wlan Guest2-Pod1 2 Guest2-Pod1
CAT3(config-wlan)# client vlan 12
CAT3(config-wlan)# no security wpa
CAT3(config-wlan)# security web-auth
CAT3(config-wlan)# mobility anchor 10.10.112.10
CAT3(config-wlan)# no shutdown
CAT3(config-wlan)#end
CAT4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT4(config)#wlan Guest2-Pod1 2 Guest2-Pod1
CAT4(config-wlan)# client vlan 12
CAT4(config-wlan)# no security wpa
CAT4(config-wlan)# mobility anchor 10.10.112.10
CAT4(config-wlan)# aaa-override
CAT4(config-wlan)# no shutdown
CAT4(config-wlan)#end
WLC3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
WLC3(config)#aaa new
WLC3(config)#radius server ISE
WLC3(config-radius-server)#add ipv4 10.10.210.5 auth 1812 acc 1813
WLC3(config-radius-server)#key ipexpert
WLC3(config-radius-server)#exit
WLC3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
WLC3(config)#crypto pki import GUEST pem terminal password IPexpert123
% Enter PEM-formatted CA certificate.
% End with a blank line or "quit" on a line by itself.
-----BEGIN CERTIFICATE-----
[CA certificate body omitted]
-----END CERTIFICATE-----
[private key prompt and PEM body omitted]
-----END RSA PRIVATE KEY-----
quit
% Enter PEM-formatted General Purpose certificate.
% End with a blank line or "quit" on a line by itself.
-----BEGIN CERTIFICATE-----
[device certificate body omitted]
-----END CERTIFICATE-----
WLC3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
WLC3(config)#parameter-map type webauth WEBAUTH
This operation will permanently convert all relevant authentication commands to their
CPL control-policy equivalents. As this conversion is irreversible and will disable
the conversion CLI 'authentication display [legacy|new-style]', you are strongly
advised to back up your current configuration before proceeding.
Do you wish to continue? [yes]: yes
WLC3(config-params-parameter-map)#type webauth
WLC3(config-params-parameter-map)#exit
Lastly, I had to configure an interface on WLC3 for VLAN12 with DHCP relay info for the client to pull
an IP.
WLC3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
WLC3(config)#interface Vlan12
WLC3(config-if)# ip dhcp relay information trusted
WLC3(config-if)# ip address 10.10.12.23 255.255.255.0
WLC3(config-if)# ip helper-address 10.10.12.3
WLC3(config-if)#end
This concludes Lab 143 of iPexpert’s CCIE Wireless DSG, Section 4, Volume 1
Technologies Covered
Video Title: Unified Wireless (Converged)- WLAN Configs- Anchoring and L2 roaming
Video Title: Unified Wireless (Converged)- Guest WLANs with Central Web Auth
Topology Detail
This lab requires access to CAT3-4, WLC3, and the WIN7 client.
Configure the WLAN with the appropriate settings to support central web authentication
using the ISE server.
o No layer 3 auth
o RADIUS NAC
To get ready for CWA, we need to do a bunch of AAA config. We need a RADIUS server with support
for CoA, and we need a number of method lists defined for the different functions.
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#aaa new
CAT3(config)#radius server ISE
CAT3(config-radius-server)#add ipv4 10.10.210.5 auth 1812 acc 1813
CAT3(config-radius-server)#key ipexpert
CAT3(config-radius-server)#exit
CAT3(config)#dot1x system-auth-control
Now we can configure the WLAN. Don’t forget to enable NAC, AAA override, and accounting on top of
MAC filtering.
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wlan Guest1-Pod1 1
CAT3(config-wlan)#client vlan 11
CAT3(config-wlan)#no security wpa
CAT3(config-wlan)#mac-filtering ISE
CAT3(config-wlan)#security dot1x authentication-list ISE
CAT3(config-wlan)#accounting-list ISE
CAT3(config-wlan)#aaa-override
CAT3(config-wlan)#nac
CAT3(config-wlan)#no exclusionlist
CAT3(config-wlan)#no shut
CAT3(config-wlan)#end
2. Create an ACL to be used for the CWA redirect named REDIRECT that allows the needed services
and triggers on HTTP or HTTPS traffic.
When writing the redirect ACL, keep in mind what permits and denies do. Traffic that matches a permit
rule will trigger the redirect, so you want to deny all needed services (DHCP, DNS, ISE traffic), then
permit HTTP and HTTPS traffic.
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#ip access-list extended REDIRECT
CAT3(config-ext-nacl)#deny icmp any any
CAT3(config-ext-nacl)#deny udp any any eq bootps
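As an added example (not part of the guide), the following Python models the evaluation order described above: the first matching entry wins, a permit means the flow is redirected to the portal, and a deny (including the implicit deny) means the flow is forwarded normally. Since the REDIRECT listing above is cut off after the bootps line, the ACL text in the example is constructed from the task description; the ISE address 10.10.210.5 is the one used in these labs, while the client and web-server addresses are made up.

```python
"""Model of how a converged-access CWA redirect ACL is evaluated (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

ISE_IP = "10.10.210.5"  # ISE address used throughout these labs

# Constructed REDIRECT ACL in IOS syntax.  On a redirect ACL "permit" means
# "intercept this flow and send the client to the portal" and "deny" means
# "leave this flow alone", so everything the client needs before it has
# logged in (DHCP, DNS, the ISE portal itself) is denied first.
REDIRECT_ACL = f"""
deny icmp any any
deny udp any any eq bootps
deny udp any any eq bootpc
deny udp any any eq domain
deny ip any host {ISE_IP}
deny ip host {ISE_IP} any
permit tcp any any eq www
permit tcp any any eq 443
"""

PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80}


@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str  # "permit" or "deny"
    proto: str  # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    mask = ".".join(str(255 - int(o)) for o in wildcard.split("."))  # wildcard -> netmask
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), i + 2


def parse_acl(text: str) -> List[Ace]:
    """Parse extended-ACL lines of the shape used in the lab into Ace records."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        src, i = _parse_addr(t, 2)
        dst, i = _parse_addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        aces.append(Ace(t[0], t[1], src, dst, dport))
    return aces


def _matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ace.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in ace.dst:
        return False
    return ace.dport is None or ace.dport == pkt.dport


def redirect_decision(aces: List[Ace], pkt: Packet) -> str:
    """First matching ACE wins: permit -> 'redirect', deny -> 'forward'.
    No match hits the implicit deny, which on a redirect ACL just means the
    flow is forwarded untouched (neither redirected nor dropped)."""
    for ace in aces:
        if _matches(ace, pkt):
            return "redirect" if ace.action == "permit" else "forward"
    return "forward"


# Constructed sample flows from a guest client (10.10.11.50) that has not logged in yet.
SAMPLE_FLOWS: Dict[str, Packet] = {
    "dhcp_discover": Packet("udp", "0.0.0.0", "255.255.255.255", dport=67),
    "dns_query": Packet("udp", "10.10.11.50", "10.10.210.8", dport=53),
    "ise_portal": Packet("tcp", "10.10.11.50", ISE_IP, dport=8443),
    "web_http": Packet("tcp", "10.10.11.50", "203.0.113.10", dport=80),
    "web_https": Packet("tcp", "10.10.11.50", "203.0.113.10", dport=443),
    "ssh_elsewhere": Packet("tcp", "10.10.11.50", "203.0.113.10", dport=22),
    "ping": Packet("icmp", "10.10.11.50", "203.0.113.10"),
}


def evaluate_samples() -> Dict[str, str]:
    """Return the redirect decision for every constructed sample flow."""
    aces = parse_acl(REDIRECT_ACL)
    return {name: redirect_decision(aces, pkt) for name, pkt in SAMPLE_FLOWS.items()}
```

Only the two web flows come back as "redirect"; DHCP, DNS and the portal traffic are forwarded, and a port the ACL never mentions (SSH here) is forwarded too rather than redirected or dropped.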
3. ISE already has the following credentials that you can use
Password= IPexpert123
Server Policies:
URL Redirect:
https://ISE.IPEXPERT.local:8443/portal/gateway?sessionId=0a0a710d560572aa0000000c&portal=e2e6fed0-5fca-11e5-8e95-0050569bca4b&action=cwa&token=cd1d8e911d91921cad08ba18f29791bc
URL Redirect ACL: REDIRECT
4. WLC3 is currently configured as CAT3’s MC. Expand the Guest1-PodX configuration so that CAT3
tunnels the traffic up to WLC3.
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wlan Guest1-Pod1
CAT3(config-wlan)#shut
CAT3(config-wlan)#mob anchor 10.10.112.10
CAT3(config-wlan)#no shut
CAT3(config-wlan)#end
As with AireOS controllers, the layer 2 auths (which CWA uses) are done on the foreign controllers.
WLC3 doesn’t even need any AAA config for this to work. Just configure the WLAN, referencing dummy
method lists. You do however need to configure the redirect ACL.
WLC3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
WLC3(config)#wlan Guest1-Pod1 1 Guest1-Pod1
WLC3(config-wlan)# aaa-override
WLC3(config-wlan)# client vlan 12
WLC3(config-wlan)# mac-filtering MACFILTER
WLC3(config-wlan)# mobility anchor
WLC3(config-wlan)# nac
WLC3(config-wlan)# no security wpa
WLC3(config-wlan)# no shutdown
WLC3(config-wlan)#
WLC3(config-wlan)#ip access-list extended REDIRECT
WLC3(config-ext-nacl)# deny icmp any any
WLC3(config-ext-nacl)# deny udp any any eq bootps
WLC3(config-ext-nacl)# deny udp any any eq bootpc
WLC3(config-ext-nacl)# deny udp any any eq domain
Server Policies:
URL Redirect:
https://ISE.IPEXPERT.local:8443/portal/gateway?sessionId=0a0a710d5605768f0000002d&portal=e2e6fed0-5fca-11e5-8e95-0050569bca4b&action=cwa&token=70634da05fdd2260eef17365672faa29
URL Redirect ACL: REDIRECT
We see that the server policies only show up on the anchor. The redirect and login remain the same.
This concludes Lab 144 of iPexpert’s CCIE Wireless DSG, Section 4, Volume 1
Technologies Covered
AP Groups
Topology Detail
This is a basic PSK WLAN. The only thing we do differently is to specify a WLAN ID number higher than
16 to keep it out of the default AP group. I chose 20.
CAT4#config t
Enter configuration commands, one per line. End with CNTL/Z.
CAT4(config)#wlan HQ-WPAPSK3-Pod1 20
CAT4(config-wlan)#no security wpa akm dot1x
CAT4(config-wlan)#security wpa akm psk set-key ascii 0 ipexpert
CAT4(config-wlan)#client vlan 15
CAT4(config-wlan)#no shut
CAT4(config-wlan)#end
Number of WLANs: 1
CAT4#sho ap groups
I did this lab after a fresh load, so I only have the 1 PSK WLAN. If you have others, go ahead and add
them as well. All WLANs should use VLAN 13.
CAT4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT4(config)#ap group CCIEW
CAT4(config-apgroup)#wlan HQ-WPAPSK3-Pod1
CAT4(config-wlan-apgroup)#vlan 13
CAT4(config-wlan-apgroup)#end
Once the APs reboot and re-join the controller, we can verify.
CAT4#sho ap groups
-----------------------------------------------------
20 HQ-WPAPSK3-Pod1 HQData1
Show ap group
This concludes Lab 145 of iPexpert’s CCIE Wireless DSG, Section 4, Volume 1
Technologies Covered
PI CLI Configurations
N/A
Topology Detail
This lab requires access to the PI server and the WIN7 client.
User= admin
Password= IPexpert123
Ideally you are using NTP, but if you must set the clock manually, do so. Notice that it starts in UTC.
Normally I will only change the time zone when asked; otherwise it’s fairly irrelevant. UTC is always a
good one to use as a default.
PI/admin# conf t
Enter configuration commands, one per line. End with CNTL/Z.
PI/admin(config)# clock timezone EST5EDT
% Warning: System timezone was modified, NCS will need to be restarted.
PI/admin(config)# ntp server 10.10.210.20
PI/admin(config)# end
unsynchronized
time server re-starting
polling server every 64 s
Notice how it is not synchronized yet? PI takes a few minutes to get to a synchronized state, but based
on the information in the delay, offset, and jitter columns, we can see that communications are
happening. That’s a good sign. Usually once I see that, I’m pretty confident that the synchronization
will take place and I don’t hang around waiting to see. I’ll just come back during my final verifications
and ensure that it made its way to a fully synchronized state. This is what it should eventually look like.
These are all connectivity-related CLI configurations. In all likelihood, this is all preconfigured for you,
but it’s good to know about just in case you have connectivity related issues.
ip domain-name ipexpert.com
!
interface GigabitEthernet 0
ip address 10.10.210.6 255.255.255.0
ipv6 address static 2001:CC1E:0:210:0:0:0:6/64
!
ip name-server 10.10.210.8
!
ip default-gateway 10.10.210.1
[lines omitted]
PI/admin#ping 10.10.205.20
PING 10.10.205.20 (10.10.205.20) 56(84) bytes of data.
64 bytes from 10.10.205.20: icmp_seq=1 ttl=255 time=5.69 ms
From 10.10.210.1: icmp_seq=1 Redirect Network(New nexthop: 10.10.210.20)
64 bytes from 10.10.205.20: icmp_seq=2 ttl=255 time=0.765 ms
64 bytes from 10.10.205.20: icmp_seq=3 ttl=255 time=0.670 ms
64 bytes from 10.10.205.20: icmp_seq=4 ttl=255 time=0.634 ms
PI/admin#Ping6 2001:cc1e:0:205::20
PING 2001:cc1e:0:205::20(2001:cc1e:0:205::20) from 2001:cc1e:0:210::6 eth0: 56 data bytes
64 bytes from 2001:cc1e:0:205::20: icmp_seq=0 ttl=64 time=3.14 ms
64 bytes from 2001:cc1e:0:205::20: icmp_seq=1 ttl=64 time=0.626 ms
64 bytes from 2001:cc1e:0:205::20: icmp_seq=2 ttl=64 time=0.601 ms
64 bytes from 2001:cc1e:0:205::20: icmp_seq=3 ttl=64 time=0.655 ms
User= bytor
Password= IPexpert123
Role= admin
Users created in the CLI are only valid for CLI access.
PI/admin# conf t
Enter configuration commands, one per line. End with CNTL/Z.
PI/admin(config)# username bytor password plain IPexpert123 role admin
PI/admin(config)# end
10. Pretend that you’ve lost the password for the GUI account named admin and reset it to
IPexpert123.
User= ftpuser
Password= IPexpert123
In case you ever get locked out of the GUI due to “losing” the password, you have a method in the CLI
to reset it. You can also set the user/pass for the FTP account in case you ever need to FTP files to/from
the server and you don’t know the credentials.
PI/admin# wr mem
Generating configuration...
PI/admin#
NOTE
This next task will take a LONG time to complete (like 20+ minutes), so you can skip it if you want (just
know what the commands are) and jump forward to verifying the application is running.
Even though PI has been around for a while now, they still call the service NCS in the CLI. If you suspect
that PI is having issues internally, try giving the service a restart.
14. Verify that the application restarts with the show application status NCS command.
show clock
show ntp
show run
ncs password root
ncs password ftpuser
show app status NCS
For instructor and developer support, please be sure to submit questions through our interactive
support community that’s accessible from the Member’s Area.
This concludes Lab 146 of iPexpert’s CCIE Wireless DSG, Section 5, Volume 1
Copyright© iPexpert. All Rights Reserved.
Technologies Covered
Adding WLCs
Adding Switches
Adding AAPs
This portion of the material is designed to provide our students with the exact commands to use, when
to use them, and also the various show commands that will allow you to understand what you're
looking for. In addition, the instructor has provided some detail as to why the various solutions have
been used versus another potential command set that would have accomplished the same outcome.
iPexpert’s Video on Demand training library contains a wealth of videos pertaining to the CCIE
Wireless Lab exam. We recommend watching the following learning videos prior to completing
this lab scenario.
Topology Detail
1. Add WLC1, WLC2, and WLC3 to PI using the most secure methods of communication.
Ensure that PI can login to WLC3 with the following credentials using SSH.
o User= admin
o Password= IPexpert123
First, create the snmpv3 user. It was left up to us what security methods to choose and the associated
passwords. Just make sure the name is prime and the mode is RW. On WLC3, you’ll need to specify
128-bit AES rather than the more secure 256-bit. The reason is that PI doesn’t support 256.
WLC3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
WLC3(config)#snmp-server group prime v3 priv read v1default write v1default
WLC3(config)#snmp-server user prime prime v3 auth sha IPexpert12345 priv aes 128 IPexpert12345
WLC3(config)#user admin priv 15 password IPexpert123
WLC3(config)#enable secret IPexpert123
WLC3(config)#no aaa new
WLC3(config)#line vty 0 15
WLC3(config-line)#login local
WLC3(config-line)#end
I recommend verifying the credentials prior to adding the device. It just helps to ensure that you
entered the information correctly on this screen, and that the device itself is also configured to allow
the communications.
The config for WLC3 is nearly identical to that for WLC1-2. We just want to also specify the Enable
password.
Once they have been added, you should see them listed in the managed devices as shown below.
Add a RO management user to WLC4 named “prime” and use that to prevent any CLI RW
possibilities.
Name= IOS_Devices
RO community= public
RW community= private
Credential sets make life easier for the repetitive task of adding many devices that use the same
credentials.
4. Manually add the AAPs to PI using this IOS_Devices credential profile. Be sure to add the needed
config to the AAPs to support this.
AAPs use different user/enable credentials by default and they do not have the communities
configured.
AAP1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
AAP1(config)#user admin pass IPexpert123
AAP1(config)#snmp-server comm public ro
AAP1(config)#snmp-server comm private rw
AAP1(config)#enable secret IPexpert123
AAP1(config)#end
AAP2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
AAP2(config)#user admin pass IPexpert123
AAP2(config)#snmp-server comm public ro
AAP2(config)#snmp-server comm private rw
AAP2(config)#enable secret IPexpert123
AAP2(config)#end
Choose the credential set, and the credentials are automatically populated for you. So it’s a little bit
easier than what we were doing before, but we are still adding one device at a time.
Ensure all switches are configured to work with the credential set.
First, configure the switches, just like you did the AAPs.
CAT1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT1(config)#user admin pass IPexpert123
CAT1(config)#snmp-server comm public ro
CAT1(config)#snmp-server comm private rw
CAT1(config)#enable secret IPexpert123
CAT1(config)#line vty 0 15
CAT1(config-line)#login local
CAT1(config-line)#end
This method in PI makes life simpler when adding many devices that use the same credentials.
The job will take a number of minutes to complete. Once it does, it should hopefully have discovered
all 5 of your switches. Overall, it takes longer to add devices using this method, but it takes less work.
So if you can fire it off and go do something else for a while, you could ultimately save yourself a minute
of time in the lab. I think I'd probably just go for the manual adds with the credential set rather
than a discovery if the choice was mine, but you never know if they might ask you to use this method,
so you should know it.
Notice how the IPs chosen for CAT1 and CAT2 aren't in VLAN 10? The discovery process seems to reach
out to the devices that it finds, analyze them, and then pick an IP. Based on the default settings in the
discovery, loopbacks are preferred. That's why CAT5 is managed using its 10.10.20.1 address rather
than its 10.10.99.2 address.
HQ
MO
Repeat this for MO and the DMZ groups as asked. At the end, your hierarchy should look like this.
Once you complete all of the assignments, it should look like this.
This concludes Lab 147 of iPexpert’s CCIE Wireless DSG, Section 5, Volume 1
Technologies Covered
Topology Detail
This lab requires access to pretty much every device in your rack.
IP= 10.10.210.5
Support CoA
It takes a little digging to find the template. You can get to it by going to Features and Technologies >
Controller > Security > AAA > RADIUS Auth Servers.
Go ahead and fill in the details as requested. In general, I try to apply the default settings that you’d
find when configuring it in the CLI or GUI unless told otherwise. Once saved, you can click on the
template and get the Deploy option at the bottom.
Once saved, go ahead and deploy it, just as you did with the RADIUS template. Here is the WLAN on
one of the WLCs after the job completes.
IOS-XE Templates
5. Use the “Radius Configuration-IOS” CLI template to configure RADIUS and AAA configs on your IOS-
XE devices.
Click OK after applying the Value Assignment settings. The template should deploy.
!
radius-server host 10.10.210.5 auth-port 1812 acct-port 1813
radius-server key ipexpert
!
aaa group server radius ISE
server 10.10.210.5 auth-port 1812 acct-port 1813
!
aaa new-model
aaa session-id common
Here we can use the same Controller WLAN template as we did with WLC1-2, but we need to flip it to
the IOS/UA device type.
For whatever reason, PI isn’t seeing the method list that was just created. I couldn’t figure out how to
get it to show up, so we will need to manually remediate later.
PI will require us to enable a session timeout. Configure and then save the template. Then deploy it to
the IOS-XE devices.
Number of WLANs: 1
To make this work, we need 2 manual configs. One is that we need to enable dot1x system auth control
globally. The other is to configure the WLAN to use the AAA method list that we created earlier. As you
can see, the IOS-XE templates aren’t totally bullet-proof, so be sure to pay attention to what they do,
and do not configure.
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#dot1x system-auth-control
CAT3(config)#wlan HQData1-Pod1
CAT3(config-wlan)#shut
CAT3(config-wlan)#security dot1x authentication-list ISE
CAT3(config-wlan)#no shut
CAT3(config-wlan)#end
Repeat this on CAT4 and WLC3 and you should have a valid WLAN with 802.1x.
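As an added example (not part of the lab guide or of PI), here is a small Python check that parses a converged-access running-config and reports exactly the gaps described above, the global dot1x system-auth-control and the per-WLAN authentication-list, then builds the manual fix-up commands. The sample config, the WLAN names and the assumption that the method list was defined as `aaa authentication dot1x ISE group ISE` are constructed for this example.

```python
"""Audit an IOS-XE (converged access) running-config for the 802.1X pieces
that the PI "Radius Configuration-IOS" template pushes and for the two items
it leaves out: global dot1x system-auth-control and the per-WLAN
authentication-list.  Added example; the config below is constructed."""
import re
from typing import Dict, List

# Constructed sample: what CAT3 might look like right after the template
# deploy, before the manual fix-up.  The 'aaa authentication dot1x ISE'
# line is an assumption about how the method list was defined.
SAMPLE_CONFIG = """\
!
aaa new-model
aaa session-id common
!
radius-server host 10.10.210.5 auth-port 1812 acct-port 1813
radius-server key ipexpert
!
aaa group server radius ISE
 server 10.10.210.5 auth-port 1812 acct-port 1813
!
aaa authentication dot1x ISE group ISE
!
wlan HQData1-Pod1 1 HQData1-Pod1
 client vlan 10
 security dot1x authentication-list ISE
 session-timeout 1800
 no shutdown
wlan HQData2-Pod1 2 HQData2-Pod1
 client vlan 20
 session-timeout 1800
 no shutdown
!
"""

RADIUS_HOST_RE = re.compile(r"^radius-server host \S+ auth-port 1812 acct-port 1813$")


def parse_wlans(config: str) -> Dict[str, List[str]]:
    """Return {profile_name: [child commands]} for every 'wlan <name> <id> <ssid>' block."""
    wlans: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("wlan "):
            current = line.split()[1]
            wlans[current] = []
        elif current is not None and line.startswith(" "):
            wlans[current].append(line.strip())
        else:
            current = None  # '!' or any other top-level line ends the block
    return wlans


def audit_dot1x(config: str, method_list: str = "ISE") -> List[str]:
    """Return human-readable findings; an empty list means nothing is missing."""
    lines = [l.rstrip() for l in config.splitlines()]
    findings: List[str] = []
    for cmd in ("aaa new-model",
                "dot1x system-auth-control",  # not pushed by the template
                f"aaa group server radius {method_list}",
                f"aaa authentication dot1x {method_list} group {method_list}"):
        if cmd not in lines:
            findings.append(f"global: missing '{cmd}'")
    if not any(RADIUS_HOST_RE.match(l) for l in lines):
        findings.append("global: no radius-server host on 1812/1813")
    for name, children in parse_wlans(config).items():
        if f"security dot1x authentication-list {method_list}" not in children:
            findings.append(f"wlan {name}: authentication-list {method_list} not set")
        if not any(c.startswith("session-timeout") for c in children):
            findings.append(f"wlan {name}: no session-timeout (PI requires one)")
    return findings


def remediation_commands(config: str, method_list: str = "ISE") -> List[str]:
    """Build the manual fix-up the lab applies: the global dot1x enable plus a
    shut / authentication-list / no shut sequence for each WLAN that lacks it."""
    cmds: List[str] = []
    findings = audit_dot1x(config, method_list)
    if any("dot1x system-auth-control" in f for f in findings):
        cmds.append("dot1x system-auth-control")
    for f in findings:
        m = re.match(r"wlan (\S+): authentication-list", f)
        if m:
            cmds += [f"wlan {m.group(1)}", " shutdown",
                     f" security dot1x authentication-list {method_list}", " no shutdown"]
    return cmds


if __name__ == "__main__":
    for finding in audit_dot1x(SAMPLE_CONFIG):
        print("FINDING:", finding)
    print("\n".join(remediation_commands(SAMPLE_CONFIG)))
```

Run it against a real `show running-config` capture to confirm the template left nothing out before trusting the WLAN.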
Lightweight AP Templates
9. Create a template to configure WLC1 as a primary WLC and WLC2 as a secondary WLC for
lightweight APs
Notice that it worked for the APs joined to WLCs in centralized mode, but not for CAT3-4 as converged
access MA switches. These switches are managed in a RW fashion, so it's not a permissions thing. I
think it's probably because we just don't have that configuration available on those devices. When the
APs are joined that way, the pri/sec/ter configuration is meaningless anyway.
10. Create a template to enable telnet and SSH access to lightweight APs.
It worked OK on the IOS-XE devices, but the other APs had issues. First, LAP5 is on WLC4, which is
managed in a RO fashion, so we shouldn't be able to make any changes there. But what about LAP3-4,
which are currently on WLC1 thanks to the previous template? That WLC is managed in a RW fashion. If
we try to manually apply the config on a per-AP basis (not using a template), we get a clue.
We actually have to change the credentials in order for an AireOS joined AP to enable telnet/SSH. Let’s
tweak our template and do just that. Set it to admin/IPexpert123/IPexpert123 as the credentials.
I don’t know why it said LAP2 was a partial success. I was able to login with the admin/IPexpert123
credentials and verify telnet/ssh are indeed enabled.
Username: admin
Password: IPexpert123
LAP2>en
Password: IPexpert123
LAP2#sho capw cli con | in Tel|ssh
ssh status Enabled
Telnet status Enabled
Autonomous AP Templates
11. Create a template to configure 10.10.205.20 as an SNTP server for autonomous APs.
All that we have for autonomous APs are CLI templates that we configure ourselves from scratch. Now
all we need are the commands. Assume that you will start in “conf t” mode and that it will exit out of
config mode for you. So we just need a single command.
Interesting… I verified my credentials earlier and specified Telnet when adding the AAPs. Evidently
that’s not being honored when pushing out the templates. Let’s go ahead and change our config CLI
method at the global level for AAPs and try again.
Lesson learned… The global CLI method settings are the ones that matter and not what you specified
when adding the devices.
This concludes Lab 148 of iPexpert’s CCIE Wireless DSG, Section 5, Volume 1
Technologies Covered
Configuration Groups
Topology Detail
o 2.4 GHz= 1, 6, or 11
Apply the RADIUS Auth Server and WLAN templates that you created in the previous
section.
Config groups allow you to push out consistent settings across multiple controllers.
So we have a partial success. Let’s look closer. Click on the details of one of them.
So it won’t disable the radios for you to automatically push this stuff out. Manually disable the radios
on both WLCs and try again.
Looks like the channel width setting applied, but the UNII-3 channels were not removed from the list.
Evidently it was too much for PI to handle.
3. Create a CLI template from scratch named NTP that configures 10.10.205.20 as an NTP server for
your IOS-XE devices.
First create the CLI config template. The config groups do not support any sort of forms, so we just
need static configs in the templates.
This concludes Lab 149 of iPexpert’s CCIE Wireless DSG, Section 5, Volume 1
Technologies Covered
Configuration Auditing
Topology Detail
2. If configurations on the WLCs in the group do not match the templates during an audit, PI should
automatically remediate the issue.
In order to enable this, we need to first enable Template-based auditing in the administrative settings.
Now go into the controller configuration group and make the configurations.
It should pass. If not, apply the templates in the config group again and then audit again.
After running the audit, it complains that they are out-of-sync. Looking at the details, it seems to expect
these WLCs to be in each other’s mobility group list, and they are not.
I’m guessing that’s stemming from setting them to use the same mobility group name. Well, let’s just
manually do it to get around this error and move on. Be sure to sync the configs to PI after making the
change so that PI knows about it.
4. Go directly to WLC1 and uncheck the “network user” setting from the RADIUS server and apply.
Authentication Servers
Idx  Type  Server Address    Port    State     Tout  MgmtTout  RFC3576  IPSec - AuthMode/Phase1/Group/Lifetime/Auth/Encr/Region
---  ----  ----------------  ------  --------  ----  --------  -------  ----------------------------------------
1          10.10.210.5       1812    Enabled   2     2         Enabled  Disabled - none/unknown/group-0/0 none/none/none
5. Manually sync the config of WLC1 to PI, and run the audit again from the config group. It should
show that it is not passing audit, but it won’t be remedied yet.
6. Now go into the PI background tasks and manually execute the wireless configuration audit task.
Once this completes, the auto-enforcement should have happened and the Network
User setting should be enabled again.
You will find this under the Other Background Tasks section. Check the box, scroll to the top, and choose
to execute now. Otherwise you'd need to wait until 4 AM for the task to run on its own.
Now the setting has been reconciled with the template on WLC1.
Authentication Servers
Idx  Type  Server Address    Port    State     Tout  MgmtTout  RFC3576  IPSec - AuthMode/Phase1/Group/Lifetime/Auth/Encr/Region
---  ----  ----------------  ------  --------  ----  --------  -------  ----------------------------------------
1    N     10.10.210.5       1812    Enabled   2     2         Enabled  Disabled - none/unknown/group-0/0 none/none/none
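Added example, not from the lab guide: a Python parser for the Authentication Servers output above that spots the drift the audit catches, a RADIUS server whose Type column no longer carries the Network User flag. The two samples are constructed from the before and after output of this task; that N means Network User and M means Management follows the AireOS column legend, which the page itself does not print.

```python
"""Parse the AireOS 'Authentication Servers' table (show radius summary) and
flag any server that is missing the Network User flag, i.e. the drift that
the PI template audit detects and auto-remediates.  Added example."""
import re
from dataclasses import dataclass
from typing import List

# Constructed from the before/after output shown in this task: the Type
# column is blank before remediation and shows 'N' after it.
BEFORE = """\
Authentication Servers
Idx  Type  Server Address    Port    State     Tout  MgmtTout  RFC3576  IPSec - AuthMode/Phase1/Group/Lifetime/Auth/Encr/Region
---  ----  ----------------  ------  --------  ----  --------  -------  ----------------------------------------
1          10.10.210.5       1812    Enabled   2     2         Enabled  Disabled - none/unknown/group-0/0 none/none/none
"""
AFTER = """\
Authentication Servers
Idx  Type  Server Address    Port    State     Tout  MgmtTout  RFC3576  IPSec - AuthMode/Phase1/Group/Lifetime/Auth/Encr/Region
---  ----  ----------------  ------  --------  ----  --------  -------  ----------------------------------------
1    N     10.10.210.5       1812    Enabled   2     2         Enabled  Disabled - none/unknown/group-0/0 none/none/none
"""

IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass
class AuthServer:
    index: int
    network_user: bool  # Type contains 'N' (assumed AireOS legend)
    management: bool    # Type contains 'M'
    address: str
    port: int
    state: str
    rfc3576: str


def parse_auth_servers(output: str) -> List[AuthServer]:
    """Whitespace-split each data row.  When Type is blank the row has one
    field less and every later column shifts left, so we key off whether the
    second field is an IP address rather than on fixed positions."""
    servers: List[AuthServer] = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 7 or not fields[0].isdigit():
            continue  # title, header, separator or a wrapped tail line
        if IP_RE.match(fields[1]):
            type_flags, rest = "", fields[1:]
        else:
            type_flags, rest = fields[1].upper(), fields[2:]
        address, port, state, _tout, _mgmt_tout, rfc3576 = rest[:6]
        servers.append(AuthServer(
            index=int(fields[0]),
            network_user="N" in type_flags,
            management="M" in type_flags,
            address=address,
            port=int(port),
            state=state,
            rfc3576=rfc3576,
        ))
    return servers


def servers_missing_network_user(output: str) -> List[str]:
    """Addresses of RADIUS servers that WLAN clients can no longer authenticate against."""
    return [s.address for s in parse_auth_servers(output) if not s.network_user]


if __name__ == "__main__":
    print("before:", servers_missing_network_user(BEFORE))  # ['10.10.210.5']
    print("after: ", servers_missing_network_user(AFTER))   # []
```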
This concludes Lab 150 of iPexpert’s CCIE Wireless DSG, Section 5, Volume 1
Technologies Covered
Adding maps
Adding/positioning APs
Topology Detail
In order to set the dimensions, you’ll need to uncheck the Maintain Aspect Ratio option.
Drag the blue box over the building as shown. Set the size by just typing in the dimensions for the
horizontal and vertical spans. It should roughly look like this.
From within the Wireless building view, choose to add a new floor area.
When the floor is first added, you might not see the image. It might look something like this.
NOTE
The message at the top says that the floor image enhancement is in progress. Give it a few minutes and
then zoom in or out. Eventually the image will appear. Just keep trying a zoom change every so often.
4. Add LAPs 1-4 and AAP2 to Floor 1 as shown in the image below.
Arrange the APs on the map as requested. It doesn’t really matter at the moment if radios are down or
in alarm. Choose LAP1 and set the height.
When you are done, click the Save button near the top.
PI will process your configs and eventually spit you back out at the map with a heat map displayed.
This concludes Lab 151 of iPexpert’s CCIE Wireless DSG, Section 5, Volume 1
Technologies Covered
Location Presence
Map Editor
Controlling Map Display
Topology Detail
1. Configure location presence information for Floor 1 with the following details.
City= Lindstrom
State= MN
Country= USA
Building= Wireless
Floor= 1
Create a location inclusion range that lines up with the perimeter of the floor (do not
include the few feet of outside space on the left side of the image).
Create a location exclusion range that encompasses the bottom-center room on the
map. It’s been boarded up and nothing should be in there.
The top-left room used to be an x-ray room for a clinic and has lead-lined walls. Draw
walls on all 4 sides of the room with a type of Thick Wall.
There’s a mini conveyor belt in the top-right room. Draw a horizontal rail along the
length of the room with a width of 5 feet.
Choose the map editor from the top-right drop-down box and click Go.
Click on the Location Region button and draw an Inclusion region as shown below.
Click on the button again and create an Exclusion range as shown below.
Trace the outline of the top-right room and then double-click when done.
It’s a little annoying when you just want to draw a straight line, but you need at least 3 index points. So
click once on one end, then once in the middle, and then finally at the other end.
Click on the Marker icon and name it Jeff. Then click on the middle of the room to place it.
Have the heat map display the 5 GHz spectrum with an RSSI cutoff of -70 dBm.
Rather than see the AP names in their tags, show their current power and channel.
The map should now look something like this. Channel and power info will vary.
This concludes Lab 152 of iPexpert’s CCIE Wireless DSG, Section 5, Volume 1
Technologies Covered
Virtual Domains
Topology Detail
Create the following virtual domains that contain the specified items.
1. Virtual Domain= HQ
o CAT1-4
o WLC1-2
o AAP1-2
No need to specify the Access Points. Although you could have chosen to call out the AAPs on that tab
rather than under the Network Devices tab. Once you have things specified, click on Submit.
Click on the Root domain and then choose to add a new domain.
Include WLC3.
5. Switch between virtual domains as the root user and verify your settings
You should see that even though you didn't specify the LAPs in any virtual domain,
they naturally fall into the virtual domain of their associated WLC.
You can switch between virtual domains by clicking the virtual domain on top and choosing a different
one.
The Inventory screen is a good place to look at this. Here is the inventory for the DMZ domain.
Here are the Lightweight APs in the HQ domain. As noted earlier, they show up by virtue of their
associated WLCs being in the domain.
This concludes Lab 153 of iPexpert’s CCIE Wireless DSG, Section 5, Volume 1
Technologies Covered
Management AAA
All referenced reading material can be found in the associated Reading Material file located in your
Member's Area.
Topology Detail
Password= ciscooo
2. Change the local password policy to allow for this new user.
The default password policies won’t allow for these credentials, so we’ll have to relax them. You’ll have
to reduce or turn off the minimum length and then disable the following.
Feel free to log out and log in as this user to test it.
If ISE authentication fails, the local users should still be able to login.
Next enable RADIUS authentications. Be sure to choose the correct fallback method. Luckily the local
Root account is always able to login, regardless of any of these settings.
4. Test this by logging in with the credentials below. ISE has already been preconfigured for this
authentication.
Password= IPexpert123
Log out and log back in as the lobby user. Choose to add a new guest user and look at the advanced
tab.
By default, no profile is specified and the account will have a limited lifetime of 1 day into the future.
There is also a generic disclaimer.
5. Log back in as root and create a local user named lobby in the Lobby Ambassador group in the DMZ
virtual domain.
o Unlimited lifetime
First try using the local user’s password and see that it succeeds, only thanks to the
fallback settings that were configured earlier.
Then use the IPexpert123 password and see that it also succeeds.
Now check the settings and see that they are inherited from the local user, even though
you authenticated with the ISE user credentials.
This shows what happens when there is the same user account on RADIUS/TACACS+ and
local (authentication is done externally and permissions/settings are pulled from the local
user).
You can only login with the local credentials because of the fallback in case of failure. If it was only
fallback on no response, this would not work, but login with the IPexpert123 password and try to create
a new user.
See that we inherited the settings of the local user of the same name, even though we authenticated
with the external users.
7. Now remove the local lobby user from the Lobby Ambassador group and place it into the Super
Users group and the root virtual domain.
We are back at the lobby ambassador view in the DMZ virtual domain, so we can’t go too far with this.
The functionality of the local settings with external authentications, I believe, is pretty much isolated
to Guest account default settings, since those cannot be defined with RADIUS/TACACS+ attributes.
This concludes Lab 154 of iPexpert’s CCIE Wireless DSG, Section 5, Volume 1
Technologies Covered
System Settings
Background Tasks
Logging
User Settings
ISE Integration
Topology Detail
System Settings
1. Ensure that PI uses SSH to communicate to WLCs and Telnet to communicate with Autonomous
APs when a CLI method is used.
This section includes a sampling of configs under the System Settings page. This particular setting is in
the CLI Session section.
5. Create a login banner for PI that says “Someday, this will be as solid as WCS used to be.”
IP= 10.10.210.8
Name= CCIEW
Go to Notification Receivers and choose to add a new one. This will allow received traps to be sent out
to another SNMP server.
8. Ensure TFTP and FTP services are enabled on their default ports.
You’ll find this under Server Settings. Everything is turned on using the default ports already, but it’s
good to know where this is.
OUI= 00:99:99
Name= CCIEW
OUI= 00:11:22
Name= CCIEW
Same location as before. Choose to add a new OUI, but since it already exists, you need to check the
“Change Vendor Name” option.
Background Tasks
11. Have “CleanAir Air Quality” data collected every 30 minutes and keep the data non-aggregated for
10 days.
Background tasks are the things that PI does on a repetitive basis, like poll devices for info or backup
configurations.
13. Ensure that controller configuration backups are being done every day at 21:12 to the default TFTP
server.
Config backups are in the bottom section. Click into Controller Configuration Backup.
PI Logging
This is the configuration of logs generated by PI. All categories are enabled by default.
User Settings
15. Configure the following user settings for the root user.
These settings are per-user, so be sure to be logged in as the user in question when configuring this.
Integrating ISE
User= admin
Password= IPexpert123
This allows PI to grab client authentication and other information from ISE.
This concludes Lab 155 of iPexpert’s CCIE Wireless DSG, Section 5, Volume 1
Technologies Covered
Reports
Topology Detail
In the Controller Inventory portion, include the serial number and sort by model first,
then name in an ascending fashion.
Choose to create a new one and configure as shown. Ensure that you are currently in the ROOT-
DOMAIN as you create this.
In Customize, you can set the particulars of how data is displayed in the report.
Apply your customizations and then save the report. You can see that it creates a copy for each virtual
domain.
Schedule the report to run weekly on Sundays at noon starting on September 13, 2015.
Manually run and save the output as a PDF named CPU.pdf and place it on the WIN7 PC
desktop.
Save the report and then run it. Once run, choose to Save and Export.
Choose a type of PDF and do not choose to email it when complete. Once complete, you’ll be able to
download it.
Schedule the report to run daily at noon starting on September 13, 2015.
Before creating the report, be sure to switch into the HQ virtual domain so that the report is created
there.
We can configure almost everything here, but look at the file path.
It’s not saving to the requested directory, yet we can’t alter it on this screen. Go ahead and save the
report and we’ll fix it. Go to Administration > System Settings > Report. This is where we set the location
of all saved reports. This is also where we set the retention period.
Note that I didn’t put the full path, but rather the root folder. Each report type gets its own subfolder
automatically defined in the root folder. So, if the file should be saved in
/localdisk/ftp/reports/cciew/APSummary, we specify a root folder of /localdisk/ftp/reports/cciew and
the APSummary folder will get automatically added to the path. Also, take care not to put a / at the
end of the path or the URL will break. Save this config and go back to the report.
This is what we want to see. Also, if you look at the list of saved reports, you should see that the report
is in the HQ virtual domain. The reason I see other reports in other virtual domains right now is because
I had to jump back to the ROOT-DOMAIN to edit the server setting.
This concludes Lab 156 of iPexpert’s CCIE Wireless DSG, Section 5, Volume 1
Technologies Covered
Alarms
Events
Topology Detail
Clear out the first alarm on the list so that it isn’t shown, but will come back if the
underlying issue reoccurs.
Acknowledge the next alarm so that you don’t get further emails about it if it reoccurs
over the next 7 days.
The first request is to clear the alarm. This will cause it not to be seen, unless the issue reoccurs or is
still happening. Check the alarm’s box and choose to clear it.
Next, we are acknowledging an alarm. Normally this will hide the alarm and prevent any notifications
about it for the next 7 days, but we are asked to still see it. Go ahead and acknowledge it while we are
here.
Then go to Administration > System Settings > Alarms and Events and uncheck the option to hide
acknowledged alarms.
Head back to the alarms list and it should still show up.
Only email out critical AP alarms, as well as critical and major Controller alarms.
The emails should have a subject that only says “Find Your Love Matches for Free”.
Ensure that the alarm “AP radio interface down due to configuration changes” is emailed
out by altering its severity to Critical.
Click into the Controller alarms and edit the severity levels.
Then check each alarm category that you want enabled and Save.
Now we’ll edit the subject line. Head to Administration > System Settings > Alarms and Events. I took
this subject line from one of the emails in my spam folder.
For the last requirement, we need to alter the severity level of a particular alarm so that it falls into one
of the severity levels that we have enabled globally. From within the System Settings, go to Severity
Configuration. Find the alarm, and change it to be critical.
Hint- the alarms are listed in alphabetical order by default. You can also sort by category if that makes
it easier.
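To make the alarm handling in this lab concrete, here is an added model (not iPexpert's or Cisco's code) of the four behaviours exercised above: clear versus acknowledge, the "hide acknowledged alarms" setting, the per-category e-mail rules, and the per-alarm severity override. The rules, the 7-day window, the subject line and the alarm text come from the lab; the alarm names inside demo() are constructed.

```python
"""Model of the Prime Infrastructure alarm handling exercised in Lab 157.

Added example, not iPexpert's or Cisco's code. Category names, severity
levels, the 7-day acknowledgement window, the severity override and the
subject line come from the lab text; the alarm names used in demo() are
constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# E-mail rules: only Critical AP alarms, Critical and Major Controller alarms.
EMAIL_RULES = {"AP": {"Critical"}, "Controller": {"Critical", "Major"}}

# Severity Configuration: per-alarm override applied before the rules above.
SEVERITY_OVERRIDES = {
    "AP radio interface down due to configuration changes": "Critical",
}
EMAIL_SUBJECT = "Find Your Love Matches for Free"
ACK_WINDOW = timedelta(days=7)      # acknowledgement suppresses e-mail this long

# Constructed reference time used by demo().
T0 = datetime(2015, 9, 13, 12, 0)
DAY = timedelta(days=1)


@dataclass
class Alarm:
    category: str
    name: str
    severity: str                       # severity as raised
    cleared: bool = False               # hidden until the issue reoccurs
    ack_until: Optional[datetime] = None


def effective_severity(alarm: Alarm) -> str:
    """Severity after the global per-alarm override, if one is defined."""
    return SEVERITY_OVERRIDES.get(alarm.name, alarm.severity)


def should_email(alarm: Alarm) -> bool:
    """Category/severity gate, evaluated on the overridden severity."""
    return effective_severity(alarm) in EMAIL_RULES.get(alarm.category, set())


class AlarmStore:
    def __init__(self, hide_acknowledged: bool = True):
        # Administration > System Settings > Alarms and Events checkbox
        self.hide_acknowledged = hide_acknowledged
        self.alarms = {}                # (category, name) -> Alarm
        self.sent = []                  # (subject, alarm name) e-mails

    def raise_alarm(self, category, name, severity, now) -> bool:
        """Record an occurrence; return True if an e-mail went out."""
        key = (category, name)
        alarm = self.alarms.setdefault(key, Alarm(category, name, severity))
        alarm.severity = severity
        alarm.cleared = False           # a cleared alarm comes back on reoccurrence
        suppressed = alarm.ack_until is not None and now < alarm.ack_until
        if should_email(alarm) and not suppressed:
            self.sent.append((EMAIL_SUBJECT, name))
            return True
        return False

    def clear(self, category, name):
        self.alarms[(category, name)].cleared = True

    def acknowledge(self, category, name, now):
        self.alarms[(category, name)].ack_until = now + ACK_WINDOW

    def visible(self, now):
        """Alarm names shown in the alarm list at time `now`."""
        shown = []
        for a in self.alarms.values():
            acked = a.ack_until is not None and now < a.ack_until
            if a.cleared or (acked and self.hide_acknowledged):
                continue
            shown.append(a.name)
        return shown


def demo() -> dict:
    """Walk the Lab 157 tasks over two constructed alarms."""
    store = AlarmStore()
    store.raise_alarm("Controller", "Controller unreachable", "Critical", T0)
    store.clear("Controller", "Controller unreachable")            # task: clear
    store.raise_alarm("AP", "AP disassociated", "Critical", T0)
    store.acknowledge("AP", "AP disassociated", T0)                # task: acknowledge
    hidden = store.visible(T0)                  # acknowledged alarm hidden by default
    store.hide_acknowledged = False             # uncheck "hide acknowledged alarms"
    shown = store.visible(T0)
    # Reoccurrence inside the 7-day window: no e-mail for the acknowledged alarm,
    # but the cleared Controller alarm reappears and is mailed again.
    ack_mail = store.raise_alarm("AP", "AP disassociated", "Critical", T0 + 3 * DAY)
    back_mail = store.raise_alarm("Controller", "Controller unreachable", "Critical",
                                  T0 + 3 * DAY)
    return {"hidden": hidden, "shown": shown, "ack_mail": ack_mail,
            "back_mail": back_mail, "visible_day3": store.visible(T0 + 3 * DAY),
            "mails": len(store.sent)}
```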
This concludes Lab 157 of iPexpert’s CCIE Wireless DSG, Section 5, Volume 1
Technologies Covered
Rogue Management
Topology Detail
Search for GoodRogue in the top-right box, and you should get some hits. Click on View List.
2. Find an alarm for the rogue AP with an SSID of Rogue-PodX (where X is your rack #).
Classify it as Malicious-Alert.
Search for Rogue-PodX in the top-right box, and you should get some hits. Click on View List.
This concludes Lab 158 of iPexpert’s CCIE Wireless DSG, Section 5, Volume 1
Technologies Covered
Topology Detail
1. Stop and then start the MSE service from the CLI.
SSH to the MSE from the WIN7 PC and login with the credentials root/IPexpert123, then run the
commands below.
STATUS:
Health Monitor is not running
Flushing any pending data from Admin Process read and write pipe.
Starting Apache HTTPD Server
Apache Server is already running. Skipping restart.
Starting Health Monitor, Waiting to check the status.
Health Monitor successfully started
Starting Admin process...
Started Admin process.
Starting database ......
Database started successfully. Starting framework and services
...............................
Framework and services successfully started
STATUS:
Health Monitor is running
Retrieving MSE Services status.
MSE services are up, getting the status
-------------
Server Config
-------------
[lines omitted]
2. Run the CLI setup wizard and ensure the following are set.
You can use either the wizard or the menu interface if you’d like. I chose the wizard. Just know how to
configure things.
--------------------------------------------------------------
--------------------------------------------------------------
Mobility Services Engine Setup.
You will be prompted to choose whether you wish to configure a parameter, skip it, or
reset it to its initial default value.
Changes made will only be applied to the system once all the information is entered
and verified.
--------------------------------------------------------------
Current Hostname=[MSE]
Configure Hostname? (Y)es/(S)kip/(U)se default [Skip]:
Current Timezone=[UTC]
Configure Timezone? (Y)es/(S)kip/(U)se default [Skip]:
The admin user is used by the Cisco Prime Infrastructure and other northbound systems
to authenticate their SOAP/XML session with the MSE.
Once this password is updated, it must also be updated on the Cisco Prime
Infrastructure page for MSE General Parameters so that the Cisco Prime Infrastructure
can communicate with the MSE.
-----------------------------BEGIN----------------------------
------------------------------END-----------------------------
Configuration Changed
--------------------------------------------------------------
Checking mandatory configuration information...
[lines omitted]
Once complete, you should see it in the list of MSEs as shown below.
This concludes Lab 159 of iPexpert’s CCIE Wireless DSG, Section 5, Volume 1
Technologies Covered
Topology Detail
1. Add the following devices to PI in any manner you’d like, paying attention to the RO/RW
requirement. This requirement only applies to the SNMP portion. Use the admin credentials to give
RW CLI access.
WLC1- RW
WLC3- RW
WLC4- RO
CAT3- RW
CAT4- RO
It’s probably simplest to use the built-in v2 communities on the AireOS WLCs and then create some v2
communities and user credentials on the switches and WLC3. So, no extra config is needed on the
WLCs. You could do something like this on the switches.
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#snmp-server community public RO
CAT3(config)#snmp-server community private RW
CAT3(config)#user admin priv 15 sec IPexpert123
CAT3(config)#enable sec IPexpert123
CAT3(config)#line vty 0 15
CAT3(config-line)#login local
CAT3(config-line)#end
2. Place LAPs 1-5 onto the Floor1 map anywhere that you’d like, but be sure to have APs near the 4
corners of the building.
Here’s how I placed mine. As long as you spread them out a bit, that’s fine for our purposes.
3. Ensure that the Context Aware Notification (CAS) service has been enabled on the MSE and that
the MSE has been joined to PI.
Go to Services > Mobility Services Engine and you’ll see the status of each service on the MSE.
4. Synchronize all devices and all maps to the MSE for CAS.
Synchronizing tells the MSE what to keep track of, as well as all of the details of how the floors and APs
are laid out.
Note that almost all of the devices are already assigned to the MSE thanks to us synchronizing our
maps. When there are dependencies, they are also synchronized. Since the maps had APs, and the APs
were joined to WLCs, those WLCs were automatically added.
You should always check to ensure that all needed WLCs were added. If a WLC didn’t have any APs on
it, it wouldn’t automatically get added with the maps. That could be bad if you miss it and one of the
APs moves over to that WLC. Let’s get WLC3 synched.
5. Ensure that all devices have an active NMSP connection with the MSE.
After synchronizing your devices, this is the first thing to check. Be sure to check every time as any
NMSP issues will cause issues elsewhere, and probably point loss in the lab.
Click onto the MSE from the Mobility Services Engines list to open its management GUI and go to the
Configuration screen.
We need to fix this. Fortunately, you can get some good help by clicking on the stethoscope icon.
Here we see 2 potential issues: the WLC time and the key hash match. At the moment, it’s actually just
the key hash. Since PI is managing WLC4 without the benefit of a RW SNMP community/user, PI
couldn’t add the key hash for the MSE. If we look at WLC1 or either of the 3650s, we’ll see the needed
config for the MSE to be able to talk to the devices via NMSP.
00:50:56:9b:45:fa LBS-SSC-SHA256
6e35bda262e3dfd56781ccc2d99afda3c0c3bf5c5fa3c17fce70aebc188a3f82
CAT4 was OK since we provided RW CLI credentials. PI uses SNMP to configure the AireOS devices and
CLI to configure the IOS-XE devices.
Let’s add in the auth-list entry on WLC4, and we should be good after that. A simple way to create this
is to find it in the running config of WLC1 and copy/paste it into WLC4.
Go back to the MSE and reload the page. All should be good.
6. Configure the MSE to track only the following types of devices with the requested limits.
Go to Tracking under the CAS section and configure things as shown below.
If the MSE isn’t configured to track things, they won’t show up on the map. As you saw, not everything
is tracked by default.
7. Keep track of location history for the following devices for 45 days.
Wireless Clients
Interferers
This allows you to see where devices have been, and not just where they currently are.
8. Go to the Floor1 map in PI and configure the following devices to show up on the map.
Wireless clients (including those that are just probing and not associated).
All active CleanAir interferers with a severity greater than 10 along with their zone of
impact.
o You might not actually get any interferers to show on the map with these settings.
Ensure that you at least see Wireless Clients and Rogue APs on the map when you are
done.
Go to the Floor1 map and enable Clients on the map. Be sure to edit the clients that show and check
the “Show All Clients” box to show non-connected, probing clients. Otherwise, you will only see
currently associated clients.
I didn’t get any interferers that matched that, but here is what it would look like if I just showed all
active interferers.
This concludes Lab 160 of iPexpert’s CCIE Wireless DSG, Section 5, Volume 1
Technologies Covered
Location Filtering
Advanced Settings
Context Aware Notifications
Video Title: Prime and MSE- MSE Location- Context Aware Notifications
Topology Detail
Location Filtering
Only track Clean Air detected interferers with a duty cycle of at least 5%.
Continue to track probing clients, but only when their probes are heard at a signal level of
-75 dB or louder.
Enable location MAC filtering, (but do not add any entries yet).
View the tracking numbers on the MSE to see if anything is being filtered out.
Go to the MSE config GUI to the CAS section and configure Filtering.
Jump up to the Tracking parameters and you can see if anything is being filtered. In my case, nothing
is.
Here is my map.
2. Find the MAC addresses of the rogue AP that is broadcasting the Rogue-Pod# SSID (where # is your
rack number).
Search for the SSID in PI to get to the alarm. In the alarm is the MAC address. Since our rogue has 2
radios, you’ll see 2 instances, but the MAC addresses will probably be sequential.
I expanded one of the alarms and then highlighted/copied one of the MAC addresses to my clipboard.
3. Add a Disallow location filtering entry for the MAC address of your rogue AP, where the last octet
is a wildcard.
You should see 2 MAC entries show up in the blocked list when you save these settings.
The Rogue AP should not show up on your map (though it can be hard to see something
missing with lots of other stuff around).
Back to the MSE GUI > CAS > Filtering. I pasted in my MAC address and replaced the last 2 characters
with a *.
If I look at the tracking parameters, I see 2 rogue APs not being tracked.
Note that once you use the allowed list, anything not on the list is blocked.
As long as the Allowed list is empty, everything that is not being disallowed is allowed by default. Once
you start putting entries in the Allowed list, now it’s a white list and all things not on the list are blocked
by default.
And here is my map ONLY showing the Rogue-Pod1 rogue AP. It shows them in different locations, but
looking at the MAC addresses, I see it’s just the 2 different radios of the same rogue.
The lone non-tracked client is probably due to it being only a probing client below my RSSI threshold.
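Here is an added model (not iPexpert's or Cisco's code) of the filtering configured in tasks 1 and 3: the duty-cycle and probe RSSI floors, a Disallowed entry with a wildcard last octet catching both radios of the rogue, and the switch from "allow everything not disallowed" to a whitelist once the Allowed list has an entry. The thresholds and list semantics come from the lab; the MACs and element records are constructed.

```python
"""Model of the MSE Context Aware location filtering configured in Lab 161.

Added example, not iPexpert's or Cisco's code. The 5% duty-cycle floor, the
-75 probe RSSI floor, the last-octet wildcard and the Allowed/Disallowed
list semantics come from the lab text; the element records below are
constructed sample data, with the MAC addresses made up.
"""
import re
from dataclasses import dataclass
from typing import Optional

MIN_DUTY_CYCLE = 5      # percent; interferers below this are not tracked
MIN_PROBE_RSSI = -75    # probing-only clients heard weaker than this are dropped


@dataclass
class Element:
    kind: str                         # "client", "rogue_ap" or "interferer"
    mac: str
    associated: bool = False          # clients only: associated vs. probing
    rssi: Optional[int] = None        # clients only: strongest probe heard
    duty_cycle: Optional[int] = None  # interferers only, percent


def mac_pattern(spec: str):
    """Compile a MAC filter entry such as 00:11:22:33:44:* into a regex."""
    octets = spec.strip().lower().split(":")
    if len(octets) != 6:
        raise ValueError(f"bad MAC filter entry: {spec!r}")
    parts = ["[0-9a-f]{2}" if o == "*" else re.escape(o) for o in octets]
    return re.compile("^" + ":".join(parts) + "$")


class LocationFilter:
    def __init__(self, disallowed=(), allowed=()):
        self.disallowed = [mac_pattern(s) for s in disallowed]
        self.allowed = [mac_pattern(s) for s in allowed]

    def mac_permitted(self, mac: str) -> bool:
        mac = mac.lower()
        if any(p.match(mac) for p in self.disallowed):
            return False
        if self.allowed:            # a non-empty Allowed list turns into a whitelist
            return any(p.match(mac) for p in self.allowed)
        return True                 # empty Allowed list: everything not disallowed

    def tracked(self, e: Element) -> bool:
        if not self.mac_permitted(e.mac):
            return False
        if e.kind == "interferer":
            return e.duty_cycle is not None and e.duty_cycle >= MIN_DUTY_CYCLE
        if e.kind == "client" and not e.associated:
            return e.rssi is not None and e.rssi >= MIN_PROBE_RSSI
        return True

    def tracking_counts(self, elements):
        """Per-type (tracked, not tracked) pairs, like the MSE Tracking page."""
        counts = {}
        for e in elements:
            t, n = counts.get(e.kind, (0, 0))
            counts[e.kind] = (t + 1, n) if self.tracked(e) else (t, n + 1)
        return counts


# Constructed sample: a two-radio rogue with sequential MACs, another rogue,
# clients in various states and two interferers.
SAMPLE = [
    Element("rogue_ap", "00:11:22:33:44:10"),
    Element("rogue_ap", "00:11:22:33:44:11"),
    Element("rogue_ap", "aa:bb:cc:dd:ee:ff"),
    Element("client", "10:20:30:40:50:60", associated=True, rssi=-85),
    Element("client", "10:20:30:40:50:61", associated=False, rssi=-70),
    Element("client", "10:20:30:40:50:62", associated=False, rssi=-80),
    Element("interferer", "de:ad:be:ef:00:01", duty_cycle=3),
    Element("interferer", "de:ad:be:ef:00:02", duty_cycle=12),
]


def lab_counts():
    """Lab 161 configuration: disallow the rogue's MAC with a wildcard last octet."""
    return LocationFilter(disallowed=["00:11:22:33:44:*"]).tracking_counts(SAMPLE)


def whitelist_counts():
    """Same sample once an Allowed entry exists: everything else is blocked."""
    return LocationFilter(allowed=["10:20:30:40:50:*"]).tracking_counts(SAMPLE)
```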
6. Configure presence parameters so that clients can be informed about their location.
7. Have the MSE take into account all measurements of at least -78 dBm for location calculations for
a given device.
9. Look at the other settings under Advanced Configuration to get a feel for what is there. Most of
these are not to be changed except under guidance of TAC.
I don’t know how prone the lab will be to delve into these settings, but know where they are just in
case.
o It should trigger if a client with the MAC address of 00:11:22:33:44:55 goes missing
for at least 30 minutes.
o It should trigger if a tag in an asset group named TAG has a low battery level.
o In addition to the notice to PI, send an email using the SMTP server at 10.10.210.8.
To address= cciew@ipexpert.com
Click into the group and choose to add a new Event Definition.
Go to the Destination and Transport tab and add a new one as shown below.
Finally, go to the General tab, enable the definition and save it.
Go to the Synchronize Services page and assign the group to the MSE.
This concludes Lab 161 of iPexpert’s CCIE Wireless DSG, Section 5, Volume 1
Technologies Covered
Topology Detail
1. If you haven’t done it already, add the network devices to PI as described in lab 160- task 1.
I have this done already. Look at lab 160- task 1, if you skipped past that before doing this one.
This should have already been done before, but you can verify it on the screen that lists your MSE.
4. LAPs 1-5 should be in local mode. Enable the WIPS sub-mode on all APs to put them into enhanced
local mode.
We can support WIPS on local, FlexConnect, and monitor mode APs. Typically, if you are using local or
FlexConnect APs, you’ll be enabling WIPS on all of them.
In addition to the WLANs on your WLCs, you have some autonomous APs with the
following SSIDs that should be considered your SSIDs for WIPS detections.
o SSID 1= Auto1
o SSID 2= Auto2
Enable the “DoS: Probe request flood” signature detection with a threshold of 400
requests per sampling period.
o Severity= Critical
o Should detect attacks on Guest networks as well as the autonomous SSIDs that
you added earlier.
We can see that the default profile has been automatically pushed out to the WLCs, so it’s already
functional, but we’ll be creating our own custom profile to use.
In order to add SSIDs to a category that wouldn’t be there automatically, check the box of the category
(MyWLAN in our case) and edit the group.
Now that you have the SSIDs defined, save and move to the next screen.
Enable the probe request flood signature and then edit it.
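To show what the signature you just enabled actually evaluates, here is an added offline model of the "DoS: Probe request flood" check (not iPexpert's or Cisco's code, and not the wIPS engine itself). The 400-request threshold, the Critical severity and the Auto1/Auto2 SSIDs come from the lab; the 60-second sampling period, the log-line format and the probe traffic in sample_lines() are constructed assumptions.

```python
"""Offline model of the wIPS "DoS: Probe request flood" signature from Lab 162.

Added example, not iPexpert's or Cisco's code. The 400-request threshold,
the Critical severity and the monitored SSIDs Auto1/Auto2 come from the lab;
the 60-second sampling period, the log-line format and the probe traffic in
sample_lines() are constructed assumptions for this illustration.
"""
import re
from collections import Counter

THRESHOLD = 400              # probe requests per sampling period
SAMPLING_PERIOD_S = 60       # assumed length of one sampling period
SEVERITY = "Critical"
# Guest networks plus the autonomous SSIDs added to the MyWLAN category.
MONITORED_SSIDS = {"Guest", "Auto1", "Auto2"}

# Constructed line format: "<epoch seconds> probe-req src=<mac> ssid=<ssid>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) probe-req src=(?P<src>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r" ssid=(?P<ssid>\S*)$")


def parse_line(line: str):
    """Return (timestamp, source MAC, SSID) or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return float(m["ts"]), m["src"].lower(), m["ssid"]


def detect(lines):
    """Count probes per (sampling period, source, SSID) and raise alarms.

    Only probes aimed at a monitored SSID are counted, and each sampling
    period is a fixed bucket, so a burst straddling a boundary can stay
    below the threshold in both buckets.
    """
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, ssid = parsed
        if ssid not in MONITORED_SSIDS:
            continue
        counts[(int(ts // SAMPLING_PERIOD_S), src, ssid)] += 1
    alarms = []
    for (bucket, src, ssid), n in sorted(counts.items()):
        if n >= THRESHOLD:
            alarms.append({"signature": "DoS: Probe request flood",
                           "severity": SEVERITY, "src": src, "ssid": ssid,
                           "count": n, "period_start": bucket * SAMPLING_PERIOD_S})
    return alarms


def sample_lines():
    """Constructed probe traffic: one flood, one non-monitored SSID, one
    normal scanning client and one burst split across two periods."""
    lines = []
    for i in range(450):    # 450 probes in 45 s at Auto1: fires
        lines.append(f"{960 + i * 0.1:.1f} probe-req src=aa:bb:cc:dd:ee:01 ssid=Auto1")
    for i in range(450):    # same rate at a neighbour's SSID: not monitored
        lines.append(f"{960 + i * 0.1:.1f} probe-req src=aa:bb:cc:dd:ee:02 ssid=Neighbor")
    for i in range(50):     # normal scanning client, well under the threshold
        lines.append(f"{960 + i:.1f} probe-req src=aa:bb:cc:dd:ee:03 ssid=Guest")
    for i in range(450):    # 450 probes over 90 s: 300 + 150 per period, no alarm
        lines.append(f"{960 + i * 0.2:.1f} probe-req src=aa:bb:cc:dd:ee:04 ssid=Auto2")
    lines.append("garbage line that should be skipped")
    return lines
```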
6. Try to push this new profile out to each device managed by PI.
Even WLC4, which only has a RO SNMP community defined in PI, gets the update.
7. Configure the MSE so that it reserves 10 GB for forensic captures and ages out alarms after 60 days.
Get to the MSE config GUI and make your way down to the WIPs section.
This concludes Lab 162 of iPexpert’s CCIE Wireless DSG, Section 5, Volume 1
Technologies Covered
CLI Configurations
Topology Detail
IP= 10.10.210.5
User= admin
Password= IPexpert123
If at all possible, it’s much better to use NTP with ISE, but if that’s not allowed, it’s good to manually
ensure the clock is correct. I would use the AD server as your reference clock in the lab.
ISE/admin# conf t
Enter configuration commands, one per line. End with CNTL/Z.
ISE/admin(config)# clock timezone EST5EDT
ISE/admin(config)# end
ISE/admin# conf t
Enter configuration commands, one per line. End with CNTL/Z.
ISE/admin(config)# ntp server 10.10.210.8
ISE/admin(config)# end
unsynchronised
time server re-starting
polling server every 64 s
ISE takes a little while to sync up to an NTP server. You may need to wait 5-10 minutes, but based on
the output above, you can know that at least communications are happening. We see the stratum and
some delay/offset numbers. Usually once I see these, I assume synchronization will complete
eventually.
5. Ensure that the server pulled an IPv6 address via stateless autoconfig.
For whatever reason, ISE doesn’t seem to have the ability to configure a static IPv6 address, so dynamic
methods are all that you have.
There is an outside chance that you may need to configure or fix this if devices off subnet cannot talk
to ISE.
I really doubt you’ll ever configure a new DNS suffix, since that has implications for the certificate, but
you may need to configure a DNS server.
ISE/admin# conf t
Enter configuration commands, one per line. End with CNTL/Z.
ISE/admin(config)# ip name-server 10.10.210.8
ISE/admin(config)# end
User= cciew
Password= IPexpert123
Role= admin
ISE/admin# conf t
Enter configuration commands, one per line. End with CNTL/Z.
ISE/admin(config)# user cciew pass plain IPexpert123 role admin
ISE/admin(config)# end
9. Pretend that you’ve lost the password for the GUI account named admin and try to reset it to
IPexpert123.
This will fail since that is the password already, but the idea was to just ensure that you
know the command in case it actually happens.
This is a good command to know on the off chance you are locked out of the GUI.
ISE/admin# wr mem
Generating configuration...
Verify that the service restarts with the show application status ise command.
If ISE does not seem to be working correctly, this is something to try. I’d do this over rebooting the entire
server, as I wouldn’t want to risk something going wrong during the reboot and losing all access.
It’ll take some time for this to complete. Once it’s done, you should see output like this.
show clock
show timezone
show ntp
show run
show app status ise
This concludes Lab 163 of iPexpert’s CCIE Wireless DSG, Section 6, Volume 1
Technologies Covered
Logging
Backups/Restores
Admin Access
Settings
Topology Detail
1. Login to the GUI at https://10.10.210.5 from the WIN7 PC with the credentials below.
User= admin
Password= IPexpert123
Logging
4. Send all AAA Audit logs (including failed attempts and passed authentications) to the WIN2012
syslog server.
Just because you defined a syslog server doesn’t mean syslogs are being sent to it. We need to specify
which categories of logs to send to it.
Unfortunately, this doesn’t propagate to the child categories. Repeat this for failed attempts and
passed auths.
Backups
Name= WIN2012-FTP
Server= 10.10.210.8
Path= /
User= administrator
Password= IPexpert123
The repository can be created under the Maintenance section. They are needed any time you want to
copy files to or from an external source.
Name= CCIEW
Repository= WIN2012-FTP
Run monthly on the first day of the month at midnight, starting tomorrow.
Admin Access
8. Users should see a pre-login banner that says “Only future CCIE’s allowed!” when logging into the
GUI.
9. Only users in the 10.10.0.0/16 IP range should be allowed to access the web GUI of ISE.
The description of the feature tells you that the max is 100 minutes.
User= CCIEW
Password= CCIEW
12. Ensure that admin users never have their passwords expire or have their accounts get locked out.
This password is too simple with the default password policies. Let’s edit those first. You’ll notice that
the admin accounts are already set not to expire or be locked out. This is on purpose.
Settings
15. Set the EAP-FAST master key generation period to be every 2 weeks.
16. Configure ISE to not have to check the user credentials on PEAP re-authentications within 1 hour
of the original authentication.
This is the Fast Reconnect feature, which requires the Session Resume feature.
We already set the NTP server in the last lab, but I wanted you to know that you can do it in the GUI as
well.
This concludes Lab 164 of iPexpert’s CCIE Wireless DSG, Section 6, Volume 1
Technologies Covered
Topology Detail
We can see that the existing cert hasn’t expired by any means, but you can still renew it if asked. Scroll
down to the bottom to find the renewal option.
2. On second thought, generate a new self-signed certificate that’s good for 1 year.
We can go with a new self-signed certificate altogether, rather than renewing an existing cert.
Password= IPexpert123
You’ll get kicked out again and have to wait for the service to restart. Once it has, log back in.
If you want, you can go to https://ise.ipexpert.local and see that your browser (hopefully) shouldn’t
complain about an untrusted cert.
4. Install a new CA cert that can be used to verify EAP-TLS client authentications.
If you need to support EAP-TLS auths, you need to add in a CA cert to validate the client certificates.
It’s enabled by default, but look for the green box to verify.
Name= TLS_Clients
OU= Wireless
O= iPexpert
City= Lindstrom
State= MN
Country= USA
Name= iPexpert_CA
URL= http://10.10.210.8/certsrv/mscep/
Fill in the information and test the connection. You should get a successful response, then submit.
This concludes Lab 165 of iPexpert’s CCIE Wireless DSG, Section 6, Volume 1
Technologies Covered
Internal users/groups
External identity stores
Topology Detail
Internal Groups
Admins1
Admins2
Users1
Users2
Lobby
Guest
Internal users are probably the most common credentials used in the lab. Adding users to groups makes
your rule writing much simpler.
As you see, we have a number of pre-configured groups that could be used for different things, but
you’ll probably want to create your own.
2. Create the following Endpoint groups at the top level of the hierarchy.
Employees
BYOD
Endpoint groups are where MAC address entries are placed.
Internal Users
Table 166.2
4. If users change their passwords, they should not be able to reuse any of their previous 5 passwords.
5. New passwords must have at least 3 different characters than the last.
In order to create the guest user with the supplied credentials, we’ll need to tweak the password policy.
So let’s do all of those at the same time.
You could either delete this rule, or disable it. Either one gets the job done. Disabling is nice for the
ability to turn it back on later if you want, without having to recreate it.
I don’t know if they’ll ever go this deep in the lab, but it’s kind of fun to play with.
External ID Stores- AD
Domain= IPEXPERT.local
User= administrator
Password= IPexpert123
Joining ISE to AD requires a few different things to succeed. Two of the less obvious are that ISE and
the AD server’s clocks are in sync (think NTP), and that ISE can resolve the domain name (think DNS
server).
Domain Users
Domain Computers
adgroup1
adgroup2
In a lab environment, with smaller numbers of groups in AD, this is probably the simplest method to
call out your groups. Be sure to call out any groups that you’d ever want to write rules against.
This will list every group in AD. Just find the ones that you want.
13. Ensure that you are able to write AuthZ rules against which department the users are in (based on
their AD information).
By default, you can write rules based on group membership. If you want to write rules based on other
AD data, call it out in the Attributes tab.
14. Add an LDAP server to the external identity sources using the information below.
Name= WIN2012LDAP
Schema= Custom
Host= 10.10.210.8
o Password= IPexpert123
While LDAP is technically possible, I’d hope that they’d prefer AD connections. But just in case, know
how to configure this.
If you want to test the config, go back to the Connections tab and do a test bind.
You should get some results. The numbers might be different, but they shouldn’t be zeros.
15. Once added, call out the following LDAP groups in ISE.
Domain Users
Domain Computers
adgroup1
adgroup2
Name- CCIEW
Use the common name of the client certificate to find the user name.
Have ISE reach out to the WIN2012 AD server and perform a binary certificate
comparison between the client cert and the AD-stored cert for the client.
Normally you can use the pre-configured profile for everything. The only time you need a different
profile is if you want to look at a different part of the cert for the username or if you want to involve
AD or LDAP.
ID Store Sequences
Name= EVERYTHING
o Internal Users
o Internal Endpoints
o iPexpert-AD
o Guest Users
If AD is unavailable for whatever reason, ISE should still proceed to check the Guest
Users ID store.
These can greatly simplify your authentication policies. They allow ISE to look in multiple locations for
user credential verification.
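Here is an added model (not iPexpert's or Cisco's code) of how an identity source sequence such as EVERYTHING is walked, including the setting that lets ISE proceed past an unavailable AD rather than stopping with a process error. The store order comes from the lab; the store behaviour is simplified and the user records are constructed (the lab's own users are in Table 166.2, which is not reproduced here).

```python
"""Model of the ISE identity source sequence EVERYTHING from Lab 166.

Added example, not iPexpert's or Cisco's code. The store order and the
requirement to keep going when AD is unavailable come from the lab; the
store behaviour is a simplified model and the user records are constructed
(the lab's own users live in Table 166.2, which is not reproduced here).
"""
import hmac


class StoreUnavailable(Exception):
    """Raised when a store cannot be reached (e.g. AD is down)."""


class IdentityStore:
    def __init__(self, name, users, available=True):
        self.name = name
        self.users = users              # user -> password (model only)
        self.available = available

    def authenticate(self, user, password):
        """'ok', 'rejected' (wrong password) or 'not_found'."""
        if not self.available:
            raise StoreUnavailable(self.name)
        if user not in self.users:
            return "not_found"
        return "ok" if hmac.compare_digest(self.users[user], password) else "rejected"


def authenticate_sequence(stores, user, password, proceed_on_unavailable=True):
    """Walk the sequence the way ISE does.

    A store that does not know the user is skipped; the first store that
    knows the user decides the outcome (a wrong password stops the walk).
    An unreachable store is either skipped (proceed_on_unavailable, the
    lab's requirement) or ends the attempt with ProcessError.
    """
    for store in stores:
        try:
            result = store.authenticate(user, password)
        except StoreUnavailable:
            if proceed_on_unavailable:
                continue
            return ("ProcessError", store.name)
        if result == "not_found":
            continue
        return ("Passed" if result == "ok" else "Failed", store.name)
    return ("UserNotFound", None)


def everything_sequence(ad_available=True):
    """Build EVERYTHING: Internal Users, Internal Endpoints, iPexpert-AD, Guest Users.

    User names and passwords here are constructed for the model.
    """
    return [
        IdentityStore("Internal Users", {"user1": "IPexpert123"}),
        IdentityStore("Internal Endpoints", {"00:11:22:33:44:55": "00:11:22:33:44:55"}),
        IdentityStore("iPexpert-AD", {"aduser": "IPexpert123"}, available=ad_available),
        IdentityStore("Guest Users", {"guest1": "IPexpert123"}),
    ]
```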
This concludes Lab 166 of iPexpert’s CCIE Wireless DSG, Section 6, Volume 1
Technologies Covered
Network Devices
Topology Detail
1. Configure the following locations for network devices under All Locations.
HQ
DMZ
MO
Building 1
Building 2
Network device groups make your rule writing easier. While they are often not required by the lab, I
use them as a standard matter of course.
Repeat this for the other 2 top-level locations. It should look like this when you are done.
Next create the two buildings underneath the HQ location. Just click on the HQ location first, and then
choose to add.
WLC
  - AireOS
  - IOS-XE
AP
  - AAP
  - LAP
This is the same process as the locations. We’re just calling out device types.
Add the groups as specified. It should look like this when you are done.
WLC1
  - IP= 10.10.111.10/32
  - Location= Building1
  - Enable Keywrap
    - KEK= 1234567890123456
    - MACK= 12345678901234567890
Choose to add a new network device and fill in the info as requested.
WLC4
  - IP= 10.10.120.10/32
  - Location= MO
CAT3_4
  - Location= HQ
Here we are adding multiple devices under a single logical entry in ISE. This is totally fine with a couple
of caveats. First, you cannot easily apply different policies to the individual devices under the one logical
device. Second, you lose granularity in logging/reports if you ever wanted to view by network device.
Often for devices of the same type in the same location in the lab, this is perfectly acceptable.
AAP1
  - IP= 10.10.110.100/32
  - Location= HQ
LAP5
  - IP= 10.10.121.0/24
  - Location= MO
Since LAP5 uses DHCP to pull an IP (without a reservation), we can’t just specify its current IP, so we
specify its subnet.
7. If an auth comes into ISE that doesn’t match one of these network devices, ISE should still process
it as long as the device uses a shared secret of ipexpert.
This is an easy way to get auths from any device allowed in ISE. The major downside of using the default
network device is that it matches auths coming from anywhere and anything. So we don’t have the
ability to specify network device groups, which can complicate rule writing depending on our
requirements.
This is disabled by default, so you will need to enable it if you want to use it.
This concludes Lab 167 of iPexpert’s CCIE Wireless DSG, Section 6, Volume 1
Technologies Covered
AuthC rules
Allowed Protocols
Topology Detail
Allowed Protocols
1. Edit the Default Network Access allowed protocols list as requested below.
Allow CHAP.
In almost all instances, a single allowed protocols list is fine for the lab. Just make sure all needed
protocols are allowed.
Name= BYOD
  - Host Lookups
  - PAP/ASCII
  - EAP-TLS
Authentication Conditions
3. Create a compound condition to match 802.1x authentications from autonomous APs as directed
below.
Name= AAP_802.1X
This is under the Conditions category. Go to the Authentications > compound conditions and duplicate
the wireless 802.1x condition.
This will match the default service type used by autonomous APs.
4. Create a compound condition to match authentications on a BYOD WLAN from WLCs as directed
below.
Name= BYOD
  - For instance, if you are on rack 5, the called-station-ID should end with HQ-WPAEAP2-Pod5.
Authentication Rules
5. Switch to a policy type of Simple in the Authentication Policy (Policy > Authentication).
Change the behavior for when a user is not found to continue on to the authorization
phase.
This brings you to something like the default in ACS, where all authentications are subject to the same
policy. This was generally OK in ACS, but in ISE it might not be the best choice if you are doing any
Guest portals.
My guess is that you’ll be using rule-based policies in the lab, since it’s the default. I’d be very
comfortable working with them.
Name= BYOD
Match on authentications coming from WLCs on the BYOD WLAN (use the condition that
you created earlier).
Rules are processed like an ACL. Top-down, and first rule matched determines the result, so pay
attention to your order as you configure things.
Click the triangle at the end of the default rule and add a new rule above.
When creating the rule, in the If section, choose an existing compound condition to find the BYOD
condition that was created earlier.
Name= MAB
If the user is not found, allow the authentication to move to the authorization phase.
As you define the If conditions, specify Wired MAB and then click the cog to the right and add a second
condition.
The reason we want to Continue if the MAC address is not found is primarily for Guest flows. Since
CWA uses MAB to interact with ISE, if it was Reject, new guests would always be rejected on their first
connection attempt.
Name= Dot1x
Things should look like this when you are all done. Don’t forget to save!
This concludes Lab 168 of iPexpert’s CCIE Wireless DSG, Section 6, Volume 1
Technologies Covered
AuthZ Policies
iPexpert’s Video on Demand training library contains a wealth of videos pertaining to the CCIE
Wireless Lab exam. We recommend watching the following learning videos prior to completing
this lab scenario.
Video Title: ISE- Authorization Rules- Basics and the Exception Policy
Topology Detail
This lab focuses on being able to configure authorization (authZ) rules to match on specific conditions.
The results will pretty much always be a simple permit. As you test each of these rules, it is important
that you look at the auth logs and verify that you indeed matched on the expected rule, so you will be
building both your rule writing skills and your auth log reading skills at the same time.
As you look at the auth logs, be sure to pull out these key pieces of information.
Look for each piece of information that the associated authZ rule referenced in the log.
  - For instance, if the rule matched on PEAP auths that came from a WLC in HQ, look for those
    3 pieces of matching criteria (PEAP, WLC, HQ).
  - When rules don’t match as expected, you want to be able to troubleshoot the scenario, and
    reading auth logs is a critical part of that.
1. Rename and enable the SSIDs on WLC1 and AAP1 to reflect your rack number (i.e. –Pod5 for rack 5).
You can simply rename them on WLC1. On AAP1, take the running config, tweak it in Notepad, then
remove/re-add the SSID.
Number of WLANs.................................. 4
AAP1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
AAP1(config)#no dot11 ssid AutoEAP-PodX
AAP1(config)#dot11 ssid AutoEAP-Pod1
AAP1(config-ssid)#vlan 12
AAP1(config-ssid)#authentication open mac-address eap_methods eap eap_methods
AAP1(config-ssid)#authentication key-management wpa version 2
AAP1(config-ssid)#mbssid guest-mode
AAP1(config-ssid)#no dot11 ssid AutoOpen-PodX
AAP1(config)#dot11 ssid AutoOpen-Pod1
AAP1(config-ssid)#vlan 11
AAP1(config-ssid)#authentication open mac-address eap_methods
AAP1(config-ssid)#mbssid guest-mode
AAP1(config-ssid)#int d0
AAP1(config-if)#ssid AutoEAP-Pod1
AAP1(config-if)#ssid AutoOpen-Pod1
AAP1(config-if)#int d1
AAP1(config-if)#ssid AutoEAP-Pod1
AAP1(config-if)#ssid AutoOpen-Pod1
AAP1(config-if)#end
2. Install the AnyConnect profiles for your rack by running the appropriate batch file for your rack,
found under the AnyConnect Profiles folder.
Open the AnyConnect Profiles shortcut on the desktop and run the WB1-ISE batch file. The profiles
should install.
3. Ensure that the authZ policy uses a “first matched rule applies” policy model.
First Rule Matched should be the default. It should look like this when you are done.
The result of all rules should be a Permit. Rules should be ordered numerically (rule1 is above rule2,
which is above rule3, etc.).
Add a new rule above the default rule. Click the triangle on the right and add a new rule above.
Match on the device type information for the next few rules.
Once you have the rule the way that you want it, click on Done.
Here are rules 2-3. Pay attention to the rule 3 matching conditions.
9. Rule5- match on all authentications coming from a Network Device configured in ISE named AAP1.
10. Rule6- match on all authentications coming from a device named WLC2 as called out in the RADIUS
communications.
Test these rules as described below. The tests should match the referenced rule. It’s OK if you aren’t
able to actually login to the devices. We just need to generate an auth that will match a rule.
You’ll notice order of rules is important. For instance, WLC4 can match both rule1 and rule2, but based
on the ordering of the rules, it matches rule1.
Go ahead and test connections to each device. You should use HTTP access for the non-AireOS devices,
since the AAPs don’t have HTTPS enabled, and the IOS-XE devices sometimes don’t always work without
some tweaking.
After you’re done attempting to login to each device, go ahead and look at the logs to verify that each
auth hit the appropriate rule. I won’t show every log, but here is what to look for. First, get to the auth
logs.
Here we see the most recent auths on ISE, with the most recent on top. There is a good amount of
high-level info here. We can even see which rule was matched in the AuthZ policy on the right-hand
column in the image below.
But to look at the full log (which you MUST be familiar with interpreting), click on an individual log’s
Details link.
The Overview section has high-level info about the auth. This info is all available on the high-level list
where we were just looking, but we can see which AuthC and AuthZ rules were matched. This was my
WLC4 auth, which was supposed to match Rule1, so that’s a good sign.
Under the Authentication Details section, we get more good info. Here is some info on the user and
the AuthC process.
Here we see that the user in question was named admin1. It was found in the identity store named
“Internal Users” and it was in an internal group named Admins1. The protocol used for the
authentication was PAP_ASCII, which is typically indicative of a web authentication.
The Service Type can come into play with distinguishing between different methods of authentications.
Some of the pre-canned matching conditions will reference that field, so be aware of it.
Next we see information about the network device. In this part of the log, the network device name is
based on the Network Device configured on ISE. We have one configured called WLC4, which is what’s
referenced here. It’s important to know that this field is a reference to the network device in ISE and
not necessarily the actual name locally configured on the device. We also see the network device type
and location info as well as the IP address that the auth came from. Lastly, we see which AuthZ profile
was assigned. In this case, a simple Permit.
The next section (Other Attributes) will have a mixed bag of info depending on what happened with
the authentication.
In the above image, we can see what UDP port was used for the RADIUS communication. We can also
see all of the possible identity stores that could have been used to find the user credentials.
At the bottom, we have what seems to be redundant information from up above. That’s somewhat
true, except for the NAS Identifier. This is the name of the network devices as told to ISE by the network
device itself. So this should be the real name of the device as configured on the device.
So if you had some authentications that did not match your intended rules, this is where you need to
look. Look at the rule that you didn’t want to match (if it was above your intended rule), or the rule
that you intended to match (if you instead matched a rule below that one) and figure out what
happened. Compare the matching criteria of the rule in question to the data in the auth log and figure
out what went wrong.
The result of all rules should be a Permit. Rules should be ordered numerically (rule1 is above rule2,
which is above rule3, etc.).
11. Delete the 6 rules that you created in the previous section and start from scratch.
Basically, if it has an inner/outer method, you’ll find it under EapTunnel. Otherwise, it’s under
EapAuthentication.
AireOS WLCs send MAC filter authentications as Host Lookups, so they will want to match an entry in
the Internal Endpoints database; it’s just a MAC check. AAP MAC authentications unfortunately come
in as an actual username/password lookup using PAP_ASCII, but management authentications also
come in using PAP_ASCII, as you may have noticed in the previous section. So to be able to distinguish
between MAC auths and management auths, we also need to match on the NAS Port Type, which
defines whether it’s a wireless auth or a management auth.
Lastly, we also run into an issue distinguishing an AAP MAC auth from an AireOS WLC guest web auth.
They are both PAP_ASCII by default and use the same NAS Port type. They are virtually indistinguishable
when you look at the auth logs, so we need to additionally call out if the auths are coming from an
autonomous AP or an AireOS controller.
The easiest way to build your rules when you are unsure of what to match on is to just do some test
authentications. They’ll probably fail, but now you have an auth log to comb through to see what
interesting pieces of information are available to write rules against.
Test these rules as described below. The tests should match the referenced rule. It’s OK if you aren’t
able to actually login to the devices. We just need to generate an auth that will match a rule.
  - This will fail due to the missing user account. Use the info in the auth log and create a user
    account for this to pass.
Here are the results of my initial run through the tests. Note the failure. That was my AutoOpen-Pod1
attempt.
Now I need to fix the AAP MAC filter issue. Go to the internal users ID store and add a new user. The
account is the MAC address, all lower case, with no delineators. The password is identical to the user
name.
Unfortunately, we have another issue (probably). My client tried to authenticate with an unknown user
name too many times and it tripped a filtering threshold that ISE has by default to prevent a
misconfigured client from eating up too many resources as it continually tries to reauthenticate. Here
is what to look for and how to get around it.
Look at the auth list for the most recent entry of the client auth. Click into the full auth log.
Notice the message about the endpoint conducting several failed authentications of the same type of
scenario. Right-click on the ball icon next to the endpoint MAC address and choose to bypass
suppression filtering for 1 hour.
Now retry the authentication and you should get some fresh attempts in the logs (hopefully successful
ones). Now my Rule6 is matching.
The result of all rules should be a Permit. Rules should be ordered numerically (rule1 is above rule2,
which is above rule3, etc.).
19. Delete the 7 rules that you created in the previous section and start from scratch.
20. Rule1- match on all authentications where the user is in the internal group named Users1.
21. Rule2- match on all authentications where the user is in the AD group named Domain Users.
22. Rule3- match on all authentications where the device is in the internal endpoint group named
Profiled.
As you build the rules, the left-hand condition box (below) is used to reference internal group
membership for either users or devices (endpoints).
So for rules 1 and 3, you can get away with only specifying those. AD groups need to be called out with
a normal condition.
Test these rules as described below. The tests should match the referenced rule. It’s OK if you aren’t
able to actually login to the devices. We just need to generate an auth that will match a rule.
Rule1- Connect to the HQ-WPAEAP1-PodX WLAN using PEAP with the iseuser1 user.
Rule2- Connect to the HQ-WPAEAP1-PodX WLAN using PEAP with the aduser1 user.
Rule3- Connect to the HQ-WPAEAP1-PodX WLAN using PEAP with the iseuser2 user.
Here are my results. I ended up doing the WPAPSK test before the iseuser2 test for rule 3.
This is a good illustration about matching on an internal endpoint group. Even when I was only doing a
user/password authentication and not doing a MAC lookup, the matching criteria still applied because
the wireless device was in an endpoint group.
The result of all rules should be a Permit. Rules should be ordered numerically (rule1 is above rule2,
which is above rule3, etc.).
23. Delete the 3 rules that you created in the previous section and start from scratch.
24. Rule1- match on all EAP-TLS authentications where the client certificate has a SAN that ends in
@IPEXPERT.local as shown in the image below.
25. Rule2- match on all EAP-TLS authentications where the client certificate was signed by a CA named
IPEXPERT-SERVER2012-CA.
26. Rule3- match on all authentications where the credentials used a username of iseuser1.
27. Rule4- match on all authentications where the internal user has a CCIE number of at least 25000
(based on a custom internal user attribute).
You should be comfortable matching in information fields in client certificates. Fortunately, all of the
certificate info that you need is in the auth logs. So when in doubt, do a test auth and comb the logs.
Test these rules as described below. The tests should match the referenced rule. It’s OK if you aren’t
able to actually login to the devices. We just need to generate an auth that will match a rule.
Rule2- Disable rule1 and connect to the HQ-WPAEAP1-PodX WLAN using EAP-TLS.
Rule3- Connect to the HQ-WPAEAP1-PodX WLAN using PEAP with the user named iseuser1.
Rule4- Connect to the HQ-WPAEAP1-PodX WLAN using PEAP with the user named iseuser2.
Here are my results. There was one errant failure in there, but eventually everything authed against
the correct rules. I saved my testing of rule 2 until the end.
The result of all rules should be a Permit. Rules should be ordered numerically (rule1 is above rule2,
which is above rule3, etc.).
28. Delete the 4 rules that you created in the previous section and start from scratch.
29. Rule1- match on all authentications on the SSID HQ-WPAEAP1-Pod# (where # is your rack #).
30. Rule2- match on all authentications on SSIDs that begin “HQ-“ (without the quotes).
31. Rule3- match on all authentications where they happen during business hours (M-F 9AM to 5 PM).
32. Rule4- match on all authentications where they happen outside of business hours.
You can configure the date/time condition by going to Policy Elements > Conditions > Common > Time
and Date.
Unfortunately, there doesn’t seem to be the possibility of just saying NOT in Business_Hours. So we’re
left with 2 choices. Create multiple date/time conditions to call out the times outside of business hours
(which would be a pain), or just create a rule right below the one matching on Business_Hours with the
same conditions minus the date/time. That’s what I ended up doing.
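The two ordering points made in this lab (WLC4 hitting rule1 rather than rule2 because rule1 is higher, and "outside business hours" expressed purely by placing a copy of the rule without its time condition directly below it) are modelled below in an added example that is not from the guide or from Cisco ISE. The rule bodies for rule1/rule2, the Called-Station-ID format and the sample authentications are assumptions constructed for the example.

```python
# Added example (not from the iPexpert guide or from Cisco ISE): a small model of
# how ISE walks an authorization policy top-down and stops at the first rule that
# matches, and why "outside business hours" can be expressed purely by ordering.
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Dict, List

Auth = Dict[str, object]            # attributes ISE sees for one authentication
Condition = Callable[[Auth], bool]  # one matching condition


@dataclass
class Rule:
    name: str
    conditions: List[Condition]     # all must hold (AND), as in a compound condition

    def matches(self, auth: Auth) -> bool:
        return all(cond(auth) for cond in self.conditions)  # empty list matches all


def first_match(policy: List[Rule], auth: Auth) -> str:
    """Name of the first rule (top-down) whose conditions all hold.

    Nothing below the matching rule is consulted, exactly like an ACL; if no
    rule matches, the implicit Default rule at the bottom applies.
    """
    for rule in policy:
        if rule.matches(auth):
            return rule.name
    return "Default"


# --- condition builders (constructed stand-ins for ISE dictionary attributes) --
def attr_equals(attr: str, value: str) -> Condition:
    return lambda a: a.get(attr) == value


def ssid_of(a: Auth) -> str:
    # AireOS sends Called-Station-ID as "<AP MAC>:<SSID>" (assumed format here)
    return str(a.get("Called-Station-ID", "")).split(":", 1)[-1]


def ssid_equals(ssid: str) -> Condition:
    return lambda a: ssid_of(a) == ssid


def ssid_startswith(prefix: str) -> Condition:
    return lambda a: ssid_of(a).startswith(prefix)


def in_business_hours(a: Auth) -> bool:
    """Mon-Fri 09:00-16:59 on the ISE server's clock (the Business_Hours condition)."""
    ts = a.get("timestamp")
    return isinstance(ts, datetime) and ts.weekday() < 5 and 9 <= ts.hour < 17


# First-section style policy: rule bodies are assumptions (the lab's rule bodies
# are not shown), chosen so that a WLC4 login satisfies both rule1 and rule2.
DEVICE_POLICY = [
    Rule("Rule1", [attr_equals("Device Type", "AireOS")]),
    Rule("Rule2", [attr_equals("Location", "MO")]),
]

# Final-section policy: Rule4 is Rule3 minus its time condition, placed directly
# below it, so it catches exactly the auths that fall outside business hours.
SSID_TIME_POLICY = [
    Rule("Rule1", [ssid_equals("HQ-WPAEAP1-Pod1")]),
    Rule("Rule2", [ssid_startswith("HQ-")]),
    Rule("Rule3", [in_business_hours]),
    Rule("Rule4", []),
]

# Constructed sample authentications (not real ISE log data).
SAMPLE_AUTHS: Dict[str, Auth] = {
    "wlc4_gui_login": {"Device Type": "AireOS", "Location": "MO"},
    "peap_pod1": {"Called-Station-ID": "00-11-22-33-44-55:HQ-WPAEAP1-Pod1",
                  "timestamp": datetime(2015, 10, 6, 10, 0)},   # Tuesday 10:00
    "psk_hq_other": {"Called-Station-ID": "00-11-22-33-44-55:HQ-WPAPSK-Pod1",
                     "timestamp": datetime(2015, 10, 6, 10, 0)},
    "wlc1_gui_tuesday": {"timestamp": datetime(2015, 10, 6, 10, 0)},
    "wlc1_gui_saturday": {"timestamp": datetime(2015, 10, 3, 11, 0)},  # Saturday
}


def evaluate_all() -> Dict[str, str]:
    """Which rule each constructed auth hits; compare with the auth log's AuthZ rule."""
    results = {"wlc4_gui_login": first_match(DEVICE_POLICY, SAMPLE_AUTHS["wlc4_gui_login"])}
    for name in ("peap_pod1", "psk_hq_other", "wlc1_gui_tuesday", "wlc1_gui_saturday"):
        results[name] = first_match(SSID_TIME_POLICY, SAMPLE_AUTHS[name])
    return results


def rule3_if_swapped() -> str:
    """Put the catch-all Rule4 above Rule3: the time rule can then never match."""
    swapped = SSID_TIME_POLICY[:2] + [SSID_TIME_POLICY[3], SSID_TIME_POLICY[2]]
    return first_match(swapped, SAMPLE_AUTHS["wlc1_gui_tuesday"])


if __name__ == "__main__":
    for auth_name, rule in evaluate_all().items():
        print(f"{auth_name:18s} -> {rule}")
    print("Rule3 with Rule4 above it -> ", rule3_if_swapped())
```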
Test these rules as described below. The tests should match the referenced rule. It’s OK if you aren’t
able to actually login to the devices. We just need to generate an auth that will match a rule.
Rule3 and rule4- Login to the WLC1 GUI using admin1/IPexpert123 credentials. Depending
on the day/time, it should match one of these rules. Remember that the date/time is based
on the ISE server’s clock.
Here are my results. I’m testing this on a Saturday (because I’m dedicated to getting this workbook out
to you all ASAP), so I matched rule 4 instead of rule 3.
This concludes Lab 169 of iPexpert’s CCIE Wireless DSG, Section 6, Volume 1
Technologies Covered
AAA Overrides
Topology Detail
1. Rename and enable the WLAN on CAT3 to reflect your rack number (i.e. –Pod5 for rack 5).
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#no wlan HQ-CATEAP1-PodX 1 HQ-CATEAP1-PodX
CAT3(config)#wlan HQ-CATEAP1-Pod1 1 HQ-CATEAP1-Pod1
CAT3(config-wlan)#aaa-override
CAT3(config-wlan)#client vlan 13
CAT3(config-wlan)#security dot1x authentication-list ISE
CAT3(config-wlan)#no shutdown
CAT3(config-wlan)#end
Create the following Authorization Profiles in ISE. The format below is NAME – ACTION.
3. INTERFACE14- assign users to the vlan14 interface on AireOS WLCs using an Airespace attribute.
For this one, we need to manually create our entry. It’s under the Airespace category.
4. CLIENTACL- assign an ACL named CLIENTACL to AireOS WLCs to the client session.
We find this under the Airespace category as well. We also have a common task for it.
This one can be accomplished in just 2 lines. When you are done, use the “check DACL syntax” option
to make sure that you didn’t make any syntax mistakes.
Create the following authorization rules in ISE. We are assigning multiple authZ profiles at a time to
make less work for rules and testing.
8. Rule1- if coming from an AireOS WLC and a user in Users1, then assign the VLAN15, TIMEOUT, and
PLATINUM authZ profiles.
9. Rule2- if coming from an AireOS WLC and a user in Users2, then assign the INTERFACE14 and
CLIENTACL authZ profiles.
10. Rule3- if coming from an IOS-XE WLC, then assign the VLAN15 and NOPING authZ profiles.
11. Rule4- if coming from an AAP, then assign the VLAN15 authZ profile.
Here are the rules. It’s more normal to only assign a single AuthZ profile to a rule. I mainly stacked them
up for simplicity.
Test these authZ profiles using the methods below. Verify the results of the overrides by looking at the
client sessions and doing appropriate tests.
Rule1- connect to HQ-WPAEAP1-Pod# using PEAP with the user named iseuser1.
I connected and pulled a VLAN 15 IP address. Let’s look at the other items.
This command has a bunch of stuff taken out to help focus on the important stuff.
Rule2- connect to HQ-WPAEAP1-Pod# using PEAP with the user named iseuser2.
Server Policies:
ACS ACL: xACSACLx-IP-NOPING-56104bd0
CAT3#sho access-lists
[lines omitted]
This concludes Lab 170 of iPexpert’s CCIE Wireless DSG, Section 6, Volume 1
Technologies Covered
Topology Detail
We need to configure more AuthZ Profiles. Here are the needed settings for RW WLC access.
3. Configure an authorization profile to grant Lobby access to AireOS controllers named WLC-Lobby.
4. Configure an AuthZ rule so that users in the Admins1 group are given RW access to AireOS WLCs.
5. Configure an AuthZ rule so that users in the Admins2 group are given RO access to AireOS WLCs.
6. Configure an AuthZ rule so that users in the Lobby group are given Lobby access to AireOS WLCs.
Here are the rules that I created for this. The matching criteria has some wiggle room.
Login to WLC1 as each of the 3 users (admin1, admin2, and lobby). When I logged in as admin1, I could
make changes. When I logged in as admin2, I could not. Logging in as lobby, I get the lobby ambassador
interface as shown below.
7. Configure an authorization profile to grant RW access to IOS devices (AAPs or CATs) named IOS-Admin.
8. Configure an authorization profile to grant RO access to IOS devices (AAPs or CATs) named IOS-RO.
9. Configure AuthZ rules so that users in the Admins1 group are given RW access to IOS devices.
10. Configure AuthZ rules so that users in the Admins2 group are given RO access to IOS devices.
Since we want to test both RO and RW, telnet is probably the simplest method to demonstrate. RW
access drops the user right into Priv Exec mode whereas RO access drops the user into User Exec mode.
CAT2#telnet 10.10.113.13
Trying 10.10.113.13 ... Open
Username: admin1
Password: IPexpert123
CAT3#exit
Username: admin2
Password: IPexpert123
CAT3>exit
CAT2#telnet 10.10.110.100
Trying 10.10.110.100 ... Open
Username: admin1
Password: IPexpert123
AAP1#exit
Username: admin2
Password: IPexpert123
AAP1>exit
PI Management
12. Configure an authorization profile to grant Lobby Ambassador access to the ROOT-DOMAIN to the
PI server named PI-Lobby.
Login to the PI server and get to the groups. Grab the task list info for the Lobby Ambassador group
and then for the virtual domain. You normally need these entries.
But if you look at the note on the user group page, you see this.
So let’s try skipping the tasks and just specify the Virtual Domain and the Role.
13. Configure an AuthZ rule so that users in the Lobby group are given Lobby Ambassador access to
the PI server.
14. Configure PI to use ISE for management authentications and test access.
Hooray for not needing to add every single task individually in the AuthZ profile!!!
ISE Management
15. Configure ISE to allow management authentications using both internal and AD users.
16. Configure the Super Admin group to allow both local users as well as AD users in the Domain
Admins group to gain the associated rights.
In order to reference the Administrators group, we need to call it out in the Identity Store.
Now go back to the Admin access and edit the Super Admins group.
Testing
Login to the GUIs or telnet/SSH to the IOS devices and test your configurations with the users below as
appropriate.
This concludes Lab 171 of iPexpert’s CCIE Wireless DSG, Section 6, Volume 1
Technologies Covered
Client Profiling
Topology Detail
1. In addition to the default profile data collecting methods, enable HTTP profiling on ISE.
Now the ISE server can use browser user agent information to help figure out what things are. This is a
handy one to help differentiate between different types of similar devices.
When ISE profiles something and assigns it to a new profile group, there is the option of forcing the
client to reauth. For instance, maybe you have a vendetta against iPads and none should be allowed
on your network, but other Apple devices are OK. So once ISE realizes that something is an iPad, it can
force a reauth, which would then hit a rule that blocks the iPad from the network. Otherwise, you’d
have to wait until the next natural auth for this to happen.
3. Ensure that ISE uses an SNMP string of public when doing SNMP checks with NMAP scans.
5. If clients are identified as Apple iPhones or Apple iPads, they should be placed into an endpoint
group named Apple-iPhone or Apple-iPad respectively. These groups should be directly under the
Profiled endpoint group.
When dealing with the endpoint groups in combination with profiling, you need to pay close attention
to the hierarchy. If you look at the iPad and iPhone profiles, they are under the Apple-Device parent
policy. Now if the Apple-Device profile had the option to create an identity group for it, the iPad and
iPhone groups would have been created underneath the Apple-Device group in the endpoints group
list, but since that wasn’t the case, ISE just recursed up the parent policy list until it either ran out of
parent policies, or found one that did have a group created. In this case, there were none, so they were
placed directly under Profiled in the hierarchy.
Have it run an NMAP Common Ports and OS scan if the device matches the WinPlatform
condition.
Also, do not have ISE perform a CoA event when a device is classified as a Microsoft-Workstation.
The list of profiles is long and it can be a pain scrolling to find what you want. If you know the name (or
part of it), use the filtering option as shown below to make life easier.
In order to take an NMAP action, you need a rule that says to perform an NMAP action, so add the rule
as shown above (don’t remove/modify the existing rules).
7. Alter the Apple-iPod profile so that BOTH of the default configured conditions must be a match for
a device to be profiled as an iPod.
A device can be profiled once it meets the minimum certainty score for a particular profile. By default,
the profile has a minimum score of 20, and both rules increase the score by 20. So if either rule is
matched, the device can be profiled as an iPod. Since we were not allowed to alter the minimum score,
we need to alter the rules.
You can make the rules add most any score you want as long as they are each less than 20 and their
sums add up to at least 20. I’ll set them to 10 and 10.
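Two profiler behaviours from this lab, the parent-policy walk that decides where the Apple-iPad and Apple-iPhone identity groups land, and the certainty score that makes the Apple-iPod change above work, are modelled in the added example below; it is not code from the guide or from Cisco ISE. The profile names are ISE's, while the iPod rule conditions and the sample endpoints are constructed assumptions.

```python
# Added example (not from the iPexpert guide or from Cisco ISE): a model of two
# profiler behaviours described above, the certainty score a device must reach
# to be profiled, and where a profile's identity group lands in the endpoint
# group tree. Profile names are ISE's; rule conditions and endpoints are constructed.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Endpoint = Dict[str, str]                 # attributes ISE has gathered for one endpoint
Condition = Callable[[Endpoint], bool]


@dataclass
class ProfileRule:
    condition: Condition
    certainty: int                        # score added when the condition is met


@dataclass
class Profile:
    name: str
    parent: Optional[str]                 # parent policy, None at the top of the tree
    min_certainty: int = 20               # default minimum certainty factor
    creates_identity_group: bool = False  # "create matching identity group" option
    rules: List[ProfileRule] = field(default_factory=list)

    def score(self, ep: Endpoint) -> int:
        return sum(r.certainty for r in self.rules if r.condition(ep))

    def matches(self, ep: Endpoint) -> bool:
        return self.score(ep) >= self.min_certainty


def identity_group_parent(profiles: Dict[str, Profile], name: str) -> str:
    """Group under which a profile's identity group is created.

    ISE walks up the parent-policy chain until it finds a policy that has its own
    identity group; if it runs out of parents, the group sits directly under Profiled.
    """
    parent = profiles[name].parent
    while parent is not None:
        if profiles[parent].creates_identity_group:
            return parent
        parent = profiles[parent].parent
    return "Profiled"


# --- the Apple profile tree, as far as the text describes it ------------------
PROFILES: Dict[str, Profile] = {
    "Apple-Device": Profile("Apple-Device", parent=None),   # no identity group of its own
    "Apple-iPad": Profile("Apple-iPad", parent="Apple-Device", creates_identity_group=True),
    "Apple-iPhone": Profile("Apple-iPhone", parent="Apple-Device", creates_identity_group=True),
}


def what_if_parent_had_group() -> str:
    """Hypothetical: give Apple-Device its own group and see where Apple-iPad lands."""
    alt = dict(PROFILES)
    alt["Apple-Device"] = Profile("Apple-Device", parent=None, creates_identity_group=True)
    return identity_group_parent(alt, "Apple-iPad")


# --- certainty scoring for Apple-iPod -----------------------------------------
def hostname_contains(text: str) -> Condition:
    return lambda ep: text in ep.get("host-name", "")


def user_agent_contains(text: str) -> Condition:
    return lambda ep: text in ep.get("User-Agent", "")


def apple_ipod_profile(certainty_per_rule: int) -> Profile:
    """Two rules with the same certainty; the conditions are constructed stand-ins."""
    return Profile("Apple-iPod", parent="Apple-Device", rules=[
        ProfileRule(hostname_contains("iPod"), certainty_per_rule),
        ProfileRule(user_agent_contains("iPod"), certainty_per_rule),
    ])


# Constructed endpoints: one where only the DHCP host-name was seen, one with both.
ONE_ATTRIBUTE: Endpoint = {"host-name": "Labs-iPod"}
BOTH_ATTRIBUTES: Endpoint = {"host-name": "Labs-iPod",
                             "User-Agent": "Mozilla/5.0 (iPod; CPU iPhone OS 9_0)"}


def ipod_match_table() -> Dict[str, Dict[str, bool]]:
    """Default 20+20 lets either rule alone reach 20; 10+10 needs both rules."""
    table: Dict[str, Dict[str, bool]] = {}
    for label, per_rule in (("default_20_each", 20), ("tightened_10_each", 10)):
        profile = apple_ipod_profile(per_rule)
        table[label] = {"one_attribute": profile.matches(ONE_ATTRIBUTE),
                        "both_attributes": profile.matches(BOTH_ATTRIBUTES)}
    return table


if __name__ == "__main__":
    print("Apple-iPad group sits under:", identity_group_parent(PROFILES, "Apple-iPad"))
    print("...if Apple-Device had a group:", what_if_parent_had_group())
    for label, row in ipod_match_table().items():
        print(label, row)
```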
8. Connect your WIN7 client to the HQ-WPAEAP1-PodX WLAN and see how it is profiled.
Tweak any AuthZ rules or other settings to allow your client to connect successfully.
Look at the details of the endpoint to see what info ISE knows about it.
Looks like it’s just profiled as a Cisco-Device right now. Let’s look at the endpoint details.
Find the endpoint with the matching MAC address of your client and click into it.
It’s a whole bunch of information for sure, but pretty much all of it was gathered through the RADIUS
profiler. Let’s gather some more profiling information and see if we can get the client identified a little
more accurately.
9. Configure the HQ-WPAEAP1-PodX WLAN on WLC1 to send DHCP profiling information to ISE. Then,
connect to the WLAN again and see if there is any profiling change to your client.
Based on the current config of the WLAN, we need to do a couple of things for DHCP profiling. Add ISE
as an accounting server, require DHCP on the WLAN, and enable the DHCP RADIUS profiling.
If you look at the auth logs, you’ll see a good sign: there is evidence of the client being assigned to a
new profile.
Here is our device in the endpoint list showing the new profile of Microsoft-Workstation.
Look at the client info and scroll down to find some new DHCP profiler info.
10. Next, enable HTTP profiling on the same WLAN. Have the client connect and go to
https://10.10.120.10, then look for more profiling info in the endpoint details.
Next try going to http://10.10.113.13, then look at the profiling info in the endpoint.
If you are relying on the WLC for HTTP profiling, the request needs to be HTTP, not HTTPS. HTTPS is
encrypted end-to-end between the client and the web server, so the WLC cannot snoop the User-Agent
header out of it, but plain HTTP works just fine.
Here is the captured browser user agent info after the HTTP session.
In this case, I used Firefox. The web user agent is typically a great way to distinguish between different
types of similar devices, or even different versions of the same type of device (e.g. Windows 7 vs.
Windows 10).
Your WIN7 client should match this policy based on matching its MAC address.
Ensure that your WIN7 client doesn’t get profiled as any of the other default ISE profiles.
Head over to the profiles again and choose to add a new one.
This is an unlikely profile to create (matching on a single MAC address). You can match on anything that
you want really, but the big thing to key in on here is the requirement to not have the device profiled
as one of the other DEFAULT profiles. I believe all of the default profiles have fairly low minimum
certainty scores. I don’t know that any of them get above 200, so if you make your minimum certainty
score 1000 or more, the client will always use this one. If a single endpoint meets the minimum
certainty score of multiple profiles, it will be placed in the one where it has the highest score.
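Both the iPod rule change in task 7 and the CCIEW profile above come down to the same scoring rule: each matching condition adds its certainty factor, an endpoint qualifies for a profile once its total reaches that profile’s minimum, and where several profiles qualify the highest total wins. The Python model below is an added example written for this guide, not ISE code; the two iPod conditions (a DHCP host-name and an HTTP User-Agent containing "iPod"), the Microsoft-Workstation stand-in and the WIN7 MAC address are constructed assumptions, and only the scores (20/20 vs. 10/10 against a minimum of 20, and a 1000-point CCIEW profile) come from the text.

```python
"""Added example: a toy model of ISE profiler certainty scoring.

Each profiling policy has a minimum certainty factor and a list of rules.
Every rule that matches an endpoint's attributes adds its certainty to the
endpoint's score for that profile. The endpoint qualifies for a profile when
its score reaches the minimum, and if it qualifies for several profiles it is
placed in the one where it scored highest.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Attrs = Dict[str, str]  # endpoint attributes gathered by the probes


@dataclass
class Rule:
    name: str
    certainty: int
    matches: Callable[[Attrs], bool]


@dataclass
class Profile:
    name: str
    min_certainty: int
    rules: List[Rule] = field(default_factory=list)

    def score(self, attrs: Attrs) -> int:
        return sum(r.certainty for r in self.rules if r.matches(attrs))


def classify(profiles: List[Profile], attrs: Attrs) -> Optional[str]:
    """Return the best qualifying profile name, or None if nothing qualifies."""
    best_name, best_score = None, -1
    for profile in profiles:
        s = profile.score(attrs)
        if s >= profile.min_certainty and s > best_score:
            best_name, best_score = profile.name, s
    return best_name


def ipod_profile(rule_certainty: int) -> Profile:
    """Apple-iPod style policy: minimum 20, two rules worth rule_certainty each.

    The two conditions (DHCP host-name and HTTP User-Agent containing "iPod")
    are constructed stand-ins for the default ones.
    """
    return Profile("Apple-iPod", 20, [
        Rule("dhcp-host-name", rule_certainty,
             lambda a: "ipod" in a.get("host-name", "").lower()),
        Rule("http-user-agent", rule_certainty,
             lambda a: "ipod" in a.get("User-Agent", "").lower()),
    ])


def windows_profile() -> Profile:
    """Constructed stand-in for a low-certainty default profile (minimum 10)."""
    return Profile("Microsoft-Workstation", 10, [
        Rule("http-user-agent", 10,
             lambda a: "windows" in a.get("User-Agent", "").lower()),
    ])


def cciew_profile(mac: str) -> Profile:
    """Task 11: one MAC-address rule with a minimum far above any default."""
    return Profile("CCIEW", 1000, [
        Rule("mac", 1000, lambda a: a.get("MACAddress", "").lower() == mac.lower()),
    ])


WIN7_MAC = "00:11:22:33:44:55"  # constructed sample MAC for the WIN7 client

# Task 7: with the defaults (20 + 20) one matching rule is enough ...
IPOD_ONE_RULE = {"host-name": "Franks-iPod"}
# ... so dropping each rule to 10 forces both to match.
IPOD_BOTH = {"host-name": "Franks-iPod",
             "User-Agent": "Mozilla/5.0 (iPod; CPU iPhone OS 9_3 like Mac OS X)"}

# Task 11: the Windows client matches a default profile too, but CCIEW scores higher.
WIN7 = {"MACAddress": WIN7_MAC,
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0"}


def demo() -> Dict[str, Optional[str]]:
    return {
        "default, one rule": classify([ipod_profile(20)], IPOD_ONE_RULE),
        "10+10, one rule": classify([ipod_profile(10)], IPOD_ONE_RULE),
        "10+10, both rules": classify([ipod_profile(10)], IPOD_BOTH),
        "win7": classify([windows_profile(), cciew_profile(WIN7_MAC)], WIN7),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:>20}: {result}")
```

The model makes the two lab points visible side by side: at 20/20 the host-name alone profiles the device as an iPod, at 10/10 it no longer does until the User-Agent also matches, and a profile whose minimum sits far above every default wins whenever its single rule fires, even though the same client also qualifies for the lower-scoring default.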
12. Force your WIN7 client to reauthenticate to HQ-WPAEAP1-PodX. It should be re-profiled as your
new CCIEW device.
13. Write an authZ rule that places CCIEW devices onto VLAN 15 and test it on the HQ-WPAEAP1-PodX
WLAN.
N/A
For instructor and developer support, please be sure to submit questions through our interactive
support community that’s accessible from the Member’s Area.
This concludes Lab 172 of iPexpert’s CCIE Wireless DSG, Section 6, Volume 1
Copyright© iPexpert. All Rights Reserved.
Technologies Covered
This portion of the material is designed to provide our students with the exact commands to use, when
to use them, and also the various show commands that will allow you to understand what you're
looking for. In addition, the instructor has provided some detail as to why the various solutions have
been used versus another potential command set that would have accomplished the same outcome.
iPexpert’s Video on Demand training library contains a wealth of videos pertaining to the CCIE
Wireless Lab exam. We recommend watching the following learning videos prior to completing
this lab scenario.
Topology Detail
Endpoints using this portal should be placed in the GuestEndpoints identity group.
Change the AUP to read “Be nice, or we’ll rate limit you down to dial-up speeds!”
After entering the code and accepting the AUP, clients should be sent to
HTTPS://pi.ipexpert.local/.
You could create things more from scratch, but we have pre-configured portals for each of the major
CWA types. Let’s just use these as a starting point. I’ll duplicate the hotspot portal.
Click into the newly created portal and edit it as shown below.
The Certificate Group Tag controls which server certificate will be used. We want the CA-signed cert,
which is in the group named CCIEW.
Head back to the top and switch to the Portal Page Customization.
Refresh the preview on the right to see what it will look like. This is what you want to see.
2. Create an AuthZ rule that will engage this hotspot portal when users connect to the Guest2-PodX
WLAN on a WLC.
To create the rule, we need to first create an AuthZ Profile. Let’s do that.
Give it a name and configure a Web Redirection common task as shown below.
Then create your AuthZ rule to match the initial auth coming from the Guest2-PodX WLAN (which will
be a plain MAB request).
So I matched on the auth coming from the Guest2-Pod1 WLAN and being a MAC lookup.
3. Create a 2nd AuthZ rule to permit the clients who complete the AUP acceptance.
Here I’m matching on the SSID again, and also on the auth being a part of the Guest flow.
4. Ensure that WLC1 and CAT3 are configured for this to work.
Create a new SSID on each of them named Guest2-PodX (where X is your rack number).
The WLAN should be an open SSID with MAC filtering enabled. Specify ISE as the RADIUS server and be
sure to enable AAA override and RADIUS NAC.
CAT3#config t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wlan Guest2-Pod1 7
CAT3(config-wlan)#no security wpa
CAT3(config-wlan)#mac-filtering ISE
CAT3(config-wlan)#accounting-list ISE
CAT3(config-wlan)#aaa-override
CAT3(config-wlan)#nac
CAT3(config-wlan)#client vlan 11
CAT3(config-wlan)#no shut
Next we need the Pre-Auth ACL named CWA to go along with the AuthZ profile that was created. Here
is what the ACL should look like on WLC1.
DHCP always works because it uses broadcasts, so we only need to allow DNS and access to the ISE
portal. I was fairly specific for DNS, specifying the use of 10.10.210.8, and also fairly specific with the
ISE communication, limiting it to just port 8443. You could be a little looser with your rules; just pay
attention to any requirements.
Here is the ACL on CAT3. With this, we are trying to specify what triggers a redirect, so we deny
DHCP/DNS/ISE traffic (those should not trigger the redirect) and match on everything else.
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#ip access-list extended CWA
CAT3(config-ext-nacl)#deny udp any any eq 67
CAT3(config-ext-nacl)#deny udp any any eq 68
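The two ACLs above do the same job with opposite logic: on WLC1 a permit entry means “this flow bypasses the redirect”, while on CAT3 a deny entry means exactly that and the final permit is what triggers the redirect. The Python model below is an added example, not configuration from this guide or from either controller; it evaluates the same flows against both ACLs to show they agree. The DNS server 10.10.210.8, port 8443 and the 1.2.3.4 test destination come from the text, while the ISE address is a constructed stand-in.

```python
"""Added example: how AireOS and IOS-XE read a CWA ACL differently.

AireOS pre-auth ACL (WLC1): a flow that matches a permit entry bypasses the
redirect; anything else is intercepted (web traffic is sent to the portal,
other traffic is not forwarded). DHCP is handled before the ACL and always
passes, as the lab text notes.
IOS-XE redirect ACL (CAT3): permit means "redirect this flow", deny means
"leave it alone", and the implicit deny at the end means no redirect.
Only 10.10.210.8 (the DNS server) and port 8443 come from the lab; the ISE
address is a constructed stand-in.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

DNS_SERVER = "10.10.210.8"   # DNS server named in the lab text
ISE_PSN = "198.51.100.10"    # constructed stand-in for the ISE node


@dataclass(frozen=True)
class Packet:
    proto: str       # "udp" or "tcp"
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Ace:
    action: str               # "permit" or "deny"
    proto: str                # "udp", "tcp" or "ip"
    dst_ip: str               # dotted quad or "any"
    dst_port: Optional[int]   # None means any port

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == p.proto)
                and (self.dst_ip == "any" or self.dst_ip == p.dst_ip)
                and (self.dst_port is None or self.dst_port == p.dst_port))


def first_match(acl: List[Ace], p: Packet) -> Optional[str]:
    """Standard ACL semantics: the first matching entry decides, else implicit deny."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return None


def aireos_preauth(acl: List[Ace], p: Packet) -> str:
    if p.proto == "udp" and p.dst_port in (67, 68):
        return "bypass"                      # DHCP never needs an ACL entry
    return "bypass" if first_match(acl, p) == "permit" else "intercept"


def iosxe_redirect(acl: List[Ace], p: Packet) -> str:
    return "intercept" if first_match(acl, p) == "permit" else "bypass"


# WLC1 pre-auth ACL: only what the client needs before the portal login.
WLC1_CWA = [
    Ace("permit", "udp", DNS_SERVER, 53),
    Ace("permit", "tcp", ISE_PSN, 8443),
]

# CAT3 redirect ACL: the same flows written as denies, then redirect the rest.
CAT3_CWA = [
    Ace("deny", "udp", "any", 67),
    Ace("deny", "udp", "any", 68),
    Ace("deny", "udp", DNS_SERVER, 53),
    Ace("deny", "tcp", ISE_PSN, 8443),
    Ace("permit", "ip", "any", None),
]


def compare(p: Packet) -> Tuple[str, str]:
    """(WLC1 decision, CAT3 decision) for one flow; the two should agree."""
    return aireos_preauth(WLC1_CWA, p), iosxe_redirect(CAT3_CWA, p)


if __name__ == "__main__":
    for flow in (Packet("udp", "255.255.255.255", 67), Packet("udp", DNS_SERVER, 53),
                 Packet("tcp", ISE_PSN, 8443), Packet("tcp", ISE_PSN, 443),
                 Packet("tcp", "1.2.3.4", 80)):
        print(flow, "->", compare(flow))
```

Note what the tight rules buy you: a DNS query to any server other than 10.10.210.8, or a connection to ISE on 443 instead of 8443, is intercepted on both platforms, which is the behaviour you want from a pre-auth ACL that is supposed to expose only the portal.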
In the first connection, I went to WLC1. After opening a browser and going to http://1.2.3.4, I was
redirected to the portal.
Next I shut down the WLAN on WLC1 and re-ran the scenario going through CAT3. I found that my
session seemed to still be alive in ISE and I was just redirected to PI without being asked to login. So I
removed the endpoint from the GuestEndpoints group, and then reconnected.
N/A
This concludes Lab 173 of iPexpert’s CCIE Wireless DSG, Section 6, Volume 1
Technologies Covered
Topology Detail
o Self-registered guests should be assigned a guest type of Daily (default), with the
account valid for 2 days.
o Ask guests to supply their first and last names, their email address, and their
company.
Self-registration portals are just username/password portals with the added ability for guests to create
their own accounts. Let’s duplicate the pre-configured self-registration portal.
Rename it.
Upon a successful authentication, just show the auth success page rather than sending them
elsewhere.
2. Create an AuthZ rule that will send users to the CWA portal that you just created when users
connect to the Guest2-PodX WLAN on a WLC.
This should replace the CWA AuthZ rule from the last lab if that is still there.
Let’s create a new AuthZ profile and then update the AuthZ rule from before.
3. Create a 2nd AuthZ rule to permit the clients who complete the web login.
4. Ensure that the WLANs on WLC1 and CAT3 are configured for this to work.
Connect and trigger the redirect. Scroll down to the bottom and click on the “Don’t have an account?”
link.
Here are my automatically created credentials. Copy them and choose to login. Fill in your info (and
change your password if you want) and Sign On.
N/A
This concludes Lab 174 of iPexpert’s CCIE Wireless DSG, Section 6, Volume 1
Technologies Covered
Topology Detail
o Guests should not be able to create their own accounts or edit their own
passwords.
o Rate limit login attempts after 4 failures with 4 minutes in between login attempts
when rate limited.
o Include the AUP, but only as a link and do not require acceptance.
o The browser title of the web login page should read “Lasciate ogne speranza, voi
ch'intrate”.
Or, if you prefer the English translation, “Abandon all hope, ye who enter
here”.
o ALL_ACCOUNTS (default) - Add the ISE Admins1 group to this sponsor group.
o OWN_ACCOUNTS (default) - Add the AD Domain Users group to this sponsor group. It
should only be able to create the Daily and Weekly guest types.
o When printing off the account information, the first line should say “Hello [first
name] [last name],”.
Again, we’ll duplicate the existing sponsored guest portal to start off with.
Turn off the separate AUP, or you will see it after the login page.
Now jump over to the Sponsor Groups and edit the ALL_ACCOUNTS group.
Lastly, edit the OWN_ACCOUNTS group. Add the AD group to the members list.
Rename it.
Jump over to the Page Customization and scroll down to Notify Guests > Print Notification.
Edit the page text by adding the last name variable to the first line as shown.
2. Create an AuthZ rule that will send users to the CWA portal that you just created when users
connect to the Guest2-PodX WLAN on a WLC.
Here we need a new AuthZ profile and to tweak the existing redirection rule.
3. Create a 2nd AuthZ rule to permit the clients who complete the web login.
4. Ensure that the WLANs on WLC1 and CAT3 are configured for this to work.
No need to alter the WLANs. There is no difference in config for any of the CWA portals.
5. Try out the sponsor portal at the URL below with different categories of sponsors and create a few
guest users.
You can find the URL in the sponsor portal config screen.
Go into the Sponsor CCIEW portal config screen and click on the Portal Test URL.
I’ll create a guest account for one of my favorite drummers of all time. Note how I can only choose
between Daily and Weekly guest types.
And looking at the print job, the first line reads as asked.
6. Use the WIN7 client to connect to the guest WLANs and login with the sponsor-created users.
Here is the login page as requested. The AUP is there, but only as a link, and there is no option to
create your own login.
So the account is not active yet, but the timestamp is 16:38:03 and looking back at the user, it had a
start time of 16:29:00.
So what gives? Well, look a little closer at the time. It’s 16:29:00 PDT (-7:00), and ISE’s clock is in EDT
(-4:00). This won’t be valid for another 3 hours. If you jump back to the sponsor groups page, you can
see that we are defining guest accounts at the San Jose site.
If you ever need to create guests in a different timezone, you can define additional locations (and their
timezones) in the Guest Access settings as shown below.
So if you did the same thing as me, you could either recreate the user in a different timezone, or with
an earlier start time (maybe), or you could just be lazy and wait.
N/A
This concludes Lab 175 of iPexpert’s CCIE Wireless DSG, Section 6, Volume 1
Technologies Covered
iPexpert’s Video on Demand training library contains a wealth of videos pertaining to the CCIE
Wireless Lab exam. We recommend watching the following learning videos prior to completing
this lab scenario.
Video Title: Media and Application Services- AireOS Voice- WLAN Configs
Video Title: Media and Application Services- AireOS Voice- Call Admission Control
Video Title: Media and Application Services- AireOS Voice- Rate Limiting
Video Title: Media and Application Services- AireOS Voice- QoS Profiles
Video Title: Media and Application Services- AireOS Voice- Other Radio Settings
Topology Detail
Choose WPA+WPA2 as the layer 2 security and enable the most secure options to allow
for CCKM fast roaming for both 7920 and 7925 phones (assuming they are the most
recent revisions and using recent firmware).
Ensure that the 7925 phones can have their voice traffic marked with a WMM UP of 6.
Configure off-channel scan defer so that only the UP markings used for 792x phone audio
or call control prevent the APs from going off channel to scan.
Allow the phones to only have to wake up for every other beacon to see if there is
buffered broadcast traffic for sleeping clients.
While the 7921 and newer Cisco phones support CCKM with WPA2/AES (on current firmware), the
7920 is stuck at WPA1/TKIP, so enable support for both.
Markings are controlled by the QoS profile. Without the Platinum profile, the APs will mark down the UP
values, and the phones will also have issues if they try to use UP 6. For the scan defer requirement,
UPs 4-6 are selected by default; Cisco phones only use 4 and 6 for calling (4 for call control and 6 for
audio), so drop 5. The last requirement is to set the DTIM period to 2.
2. Configure a WLAN on WLC1 for corporate devices that will be using Jabber clients as described
below.
Ensure that WMM capable clients with Jabber can use appropriate WMM UP markings.
o Non-WMM devices should be allowed, but their traffic should be marked as Best
Effort.
Since the lab uses a Jabber client rather than a Cisco 7925 phone in this version, my guess is that you’ll
have a higher probability of configuring WLANs that will not be voice-specific. Rather it will have to
support regular clients that need to run voice applications. This WLAN digs into a few of the common
configurations for this type of WLAN. You’ll want to apply the platinum QoS profile, but if you have to
support non-WMM devices, you probably don’t want their traffic getting Voice treatment across the
board. So you’ll need to edit the QoS profile itself and mark down the default unicast traffic. I also
marked down the default multicast traffic.
Test connecting to these WLANs using the WIN7 PC with PEAP and credentials of iseuser1/IPexpert123.
You’ll need to connect to Voice1-PodX with regular 802.1x and not CCKM.
Call Admission
Use a CAC method that takes into account the entire channel utilization.
Reserve 50% of the bandwidth for voice with 6% for roaming clients.
CCXv5 clients should be able to complete high-priority calls, even if it pushes the
utilization past 50%.
For these requirements, we’ll use load-based CAC, which accounts for the entire channel utilization. SIP
CAC handles the non-TSPEC WMM devices that use SIP; be sure to enable SIP snooping so the WLC
actually detects when these calls are originating (which is requested in the next task). The last feature is
the Expedited Bandwidth option.
Then configure CAC. Be sure to configure it on both radios unless told otherwise.
The last part of the config enables SIP snooping on the WLANs.
Ensure that the Voice1-PodX WLAN is configured to support CAC on the 7920 phones.
Ensure that the HQ-WPAEAP1-PodX WLAN is configured to detect the origination of SIP
calls for use in CAC.
Configure the WLC to consider SIP ports used for SIP snooping to be from 5060 through
5070.
Configure the WLC to allow SIP calls to 911 to exceed the maximum call/bandwidth limit.
The 7920 support is theoretical, but since they don’t support WMM or SIP, they have their own special
CAC setting on the WLAN itself. Unless you turn WMM off (very doubtful), you’ll always pick 7920 AP
CAC.
SIP snooping ensures the WLC knows when SIP calls are originating. By default, the WLC should snoop
on port 5060 for SIP calls, but we can alter the port list if called upon. We can also add the expedited
bandwidth feature to SIP calls by specifying phone numbers.
Rate Limiting
5. Configure individual user rate limiting for clients assigned to the Platinum QoS profile as described
below.
Rate limit using the same values for upstream and downstream traffic.
Set an average rate of 5000 Kbps and a burst rate of 7500 Kbps for non UDP traffic.
Set an average rate of 2000 Kbps and a burst rate of 3000 Kbps for UDP traffic.
6. Configure the Voice1-PodX WLAN to override these global settings as described below.
Rate limit using the same values for upstream and downstream traffic.
Set an average rate of 500 Kbps and a burst rate of 750 Kbps for non UDP traffic.
Set an average rate of 800 Kbps and a burst rate of 1000 Kbps for UDP traffic.
[lines omitted]
Quality of Service............................... Platinum
Per-SSID Rate Limits............................. Upstream Downstream
7. Configure the DHCP scope for VLANs 16-17 on CAT2 to advertise a TFTP server of 10.10.205.20 so
that the wired desk phone on CAT3 (or any other Cisco phones on those VLANs) can discover its
call manager.
The scopes are on CAT2. Use option 150 to accomplish this. This is not needed for the Jabber client.
CAT2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT2(config)#ip dhcp pool vlan16
CAT2(dhcp-config)#option 150 ip 10.10.205.20
CAT2(dhcp-config)#ip dhcp pool vlan17
CAT2(dhcp-config)#option 150 ip 10.10.205.20
CAT2(dhcp-config)#end
8. Configure the WLC to manipulate CWmin and CWmax values to more heavily favor the sending of
frames in the Platinum queue over the other 3 queues.
9. If voice AC packets are not ACKed after 3 attempts to send them, they should be discarded.
This is the low-latency MAC feature. Most voice guides that I see recommend this actually stays
disabled for Cisco phones.
10. The WLC should collect basic metrics on the voice calls happening on the associated APs.
11. If voice clients undergo a layer-3 roam on the Voice1-PodX WLAN, the client should be kicked off
and forced to reconnect without the layer 3 tunnel when not on a call.
This is the re-anchor roamed voice clients feature. It’s another feature that Cisco recommends to leave
off for Cisco voice deployments.
12. Configure the WLC to properly mark CoS values for traffic on WLANs using the Platinum QoS profile.
This is done under the QoS profile. It used to be very important in the previous version of the lab. With
current deployment guides and features, we tend to rely solely on DSCP rather than CoS. So this feature
isn’t as important as before, but one change from old code is that we now specify the CoS value rather
than the UP value.
You can use Jabber on the WIN7 PC to make phone calls. Assuming the desk phone has registered after
your option 150 config, open the Jabber client and call 1000. That’s the phone number of the desk
phone (1001 is the Jabber client’s phone number). The desk phone should automatically answer.
Once the call completes, you should be able to see traffic stream metrics for the WIN7 client and other
CAC related information.
This concludes Lab 176 of iPexpert’s CCIE Wireless DSG, Section 7, Volume 1
Technologies Covered
iPexpert’s Video on Demand training library contains a wealth of videos pertaining to the CCIE
Wireless Lab exam. We recommend watching the following learning videos prior to completing
this lab scenario.
Video Title: Media and Application Services- IOS-XE Wireless QoS Basics
Video Title: Media and Application Services- IOS-XE Voice- WLAN Configs
Video Title: Media and Application Services- IOS-XE Voice- Call Admission Control
Video Title: Media and Application Services- IOS-XE Voice- QoS Policies
Video Title: Media and Application Services- IOS-XE Voice- Other Radio Settings
Topology Detail
Choose WPA+WPA2 as the layer 2 security and enable the most secure options to allow
for CCKM fast roaming for both 7920 and 7925 phones (assuming they are the most
recent revisions and using recent firmware).
Configure off-channel scan defer so that only the UP markings used for 792x phone audio
or call control prevent the APs from going off channel to scan.
Allow the phones to only have to wake up for every other beacon to see if there is
buffered broadcast traffic for sleeping clients.
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wlan Voice1-Pod1 1
CAT3(config-wlan)#client vlan 16
CAT3(config-wlan)#security wpa wpa1 ciphers tkip
CAT3(config-wlan)#security wpa akm cckm
CAT3(config-wlan)#security dot1x authentication-list ISE
CAT3(config-wlan)#no channel-scan defer-priority 5
CAT3(config-wlan)#dtim dot11 24ghz 2
CAT3(config-wlan)#dtim dot11 5ghz 2
CAT3(config-wlan)#no shut
CAT3(config-wlan)#end
2. Configure a WLAN on CAT3 for corporate devices that will be using Jabber clients as described
below.
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wlan HQ-WPAEAP1-Pod1 2
CAT3(config-wlan)#client vlan 13
CAT3(config-wlan)#security ft
CAT3(config-wlan)#security wpa akm ft dot1x
CAT3(config-wlan)#security dot1x authentication-list ISE
CAT3(config-wlan)#no shut
CAT3(config-wlan)#end
Test connecting to these WLANs using the WIN7 PC with PEAP and credentials of iseuser1/IPexpert123.
3. Ensure that CAT3 is configured to trust markings from the wireless clients by default.
In our lab code, this should be enabled by default. In earlier IOS-XE code it wasn’t. You can always put
the command in just to be safe. Without it, all wireless traffic is remarked to DSCP 0.
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#no qos wireless-default-untrust
CAT3(config)#end
4. Configure the default wireless port policy to enable all 4 wireless queues.
o Traffic in the class should be given the highest priority and multicast traffic should
be rate limited to 10% of the total bandwidth.
Create a VIDEO class-map that matches traffic with a DSCP of CS3, AF31, or AF41.
o Traffic in the class should be given the next highest priority and multicast traffic
should be rate limited to 20% of the total bandwidth
The non-client NRT class should get 10% of the remaining bandwidth.
The wireless port policy primarily controls queuing. All ports that have a joined AP inherit this policy.
By default, only 2 of the 4 queues are in use. Here we are getting all 4 into play. Q0 is the voice queue
and Q1 is the video queue. These are strict priority queues. You’ll normally want to limit bandwidth to
prevent starvation of the lower priority queues, although the policing here is for multicast traffic only.
Unicast traffic is policed at the client and SSID level.
The policy-map is there by default. You’ll just need to add a few class-maps for Q0 and Q1 and then
edit the policy-map.
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#class-map VOICE
CAT3(config-cmap)#match dscp ef
CAT3(config-cmap)#class-map VIDEO
CAT3(config-cmap)#match dscp cs3 af31 af41
CAT3(config-cmap)#exit
CAT3(config)#policy-map port_child_policy
CAT3(config-pmap)#class VOICE
CAT3(config-pmap-c)#priority level 1 percent 10
CAT3(config-pmap-c)#class VIDEO
CAT3(config-pmap-c)#priority level 2 percent 20
CAT3(config-pmap-c)#class class-default
CAT3(config-pmap-c)#bandwidth remaining ratio 90
CAT3(config-pmap-c)#end
CAT3#sho policy-map
Policy Map port_child_policy
Class non-client-nrt-class
bandwidth remaining ratio 10
Class VOICE
priority level 1 10 (%)
Class VIDEO
priority level 2 20 (%)
Class class-default
bandwidth remaining ratio 90
(total drops) 0
(bytes output) 3232085
shape (average) cir 1000000000, bc 4000000, be 4000000
target shape rate 1000000000
Service-policy : port_child_policy
(total drops) 0
(bytes output) 0
(total drops) 0
(bytes output) 0
(total drops) 0
(bytes output) 0
bandwidth remaining ratio 10
Priority Level: 1
Priority Level: 2
(total drops) 0
(bytes output) 35822
bandwidth remaining ratio 90
Call Admission
Use a CAC method that takes into account the entire channel utilization.
Reserve 50% of the bandwidth for voice with 6% for roaming clients.
o Assume the use of the G.711 protocol with a 20ms sample interval.
CCXv5 clients should be able to complete high-priority calls, even if it pushes the
utilization past 50%.
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#ap dot11 24ghz shut
CAT3(config)#ap dot11 24ghz cac voice acm
CAT3(config)#ap dot11 24ghz cac voice load-based
CAT3(config)#ap dot11 24ghz cac voice max-bandwidth 50
CAT3(config)#ap dot11 24ghz cac voice roam-bandwidth 6
CAT3(config)#ap dot11 24ghz cac voice sip
CAT3(config)#ap dot11 24ghz cac voice sip bandwidth 64 sample-interval 20
CAT3(config)#ap dot11 24ghz exp-bwreq
CAT3(config)#ap dot11 5ghz shut
CAT3(config)#ap dot11 5ghz cac voice acm
CAT3(config)#ap dot11 5ghz cac voice load-based
CAT3(config)#ap dot11 5ghz cac voice max-bandwidth 50
CAT3(config)#ap dot11 5ghz cac voice roam-bandwidth 6
CAT3(config)#ap dot11 5ghz cac voice sip
[lines omitted]
Voice AC
Voice AC - Admission control (ACM) : Enabled
Voice Stream-Size : 84000
Voice Max-Streams : 2
Voice Max RF Bandwidth : 50
Voice Reserved Roaming Bandwidth : 6
Voice Load-Based CAC mode : Enabled
Voice tspec inactivity timeout : Enabled
CAC SIP-Voice configuration
SIP based CAC : Enabled
SIP call bandwidth : 64
SIP call bandwith sample-size : 20
Video AC
Video AC - Admission control (ACM) : Disabled
Video max RF bandwidth : Infinite
Video reserved roaming bandwidth : 0
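The CAC requirements in this lab and in the AireOS lab before it describe one admission decision: a new call fits only while voice stays within the 50% maximum minus the 6% roaming reservation, a roaming call may use the reservation, and an expedited (CCXv5 high-priority) request may push past the maximum, with load-based CAC counting the whole channel rather than just admitted voice streams. The Python model below is an added example written for this guide, not Cisco’s CAC implementation; it works in percent of channel time, the per-call cost and the other-traffic load are constructed, and treating an expedited request as admissible up to the whole channel is a simplification. The G.711 helper uses the 64 kbps / 20 ms values from the configuration above.

```python
"""Added example: a toy admission-control model for the CAC settings above.

Budgets are percentages of the radio's channel time. A new call may be
admitted only while voice stays within max_bandwidth minus the roaming
reservation; a roaming call may use the reservation; an expedited request
(CCXv5 high-priority call) is admitted even past max_bandwidth. Load-based
CAC counts co-channel and non-voice load as well, static CAC counts only
admitted voice streams. The per-call percentages are constructed.
"""
from dataclasses import dataclass
from typing import Tuple


def g711_packet(sample_interval_ms: int = 20, codec_bps: int = 64_000) -> Tuple[int, int]:
    """Payload bytes per packet and packets per second for G.711 at a sample interval.

    cac voice sip bandwidth 64 sample-interval 20 describes exactly this stream.
    """
    payload_bytes = codec_bps * sample_interval_ms // 1000 // 8
    pps = 1000 // sample_interval_ms
    return payload_bytes, pps


@dataclass
class Radio:
    max_bandwidth: int = 50     # cac voice max-bandwidth 50
    roam_bandwidth: int = 6     # cac voice roam-bandwidth 6
    load_based: bool = True     # cac voice load-based
    voice_util: float = 0.0     # % of channel used by admitted voice streams
    other_util: float = 0.0     # % from other traffic / co-channel load (constructed)

    def in_use(self) -> float:
        """Load-based CAC sees everything on the channel; static CAC sees only voice."""
        return self.voice_util + (self.other_util if self.load_based else 0.0)

    def admit(self, call_pct: float, roaming: bool = False, expedited: bool = False) -> bool:
        if expedited:
            ceiling = 100.0                               # exp-bwreq: may exceed the maximum
        elif roaming:
            ceiling = float(self.max_bandwidth)           # may dip into the 6% reservation
        else:
            ceiling = float(self.max_bandwidth - self.roam_bandwidth)   # 44% for new calls
        if self.in_use() + call_pct <= ceiling:
            self.voice_util += call_pct
            return True
        return False


def demo() -> dict:
    """Walk through the cases the requirements single out (call cost 5% is constructed)."""
    busy = Radio(voice_util=40)
    new_call = busy.admit(5)                  # 45 > 44: rejected, keeps roaming headroom
    roam_call = busy.admit(5, roaming=True)   # 45 <= 50: admitted from the reservation

    loaded = Radio(voice_util=30, other_util=12)
    static = Radio(voice_util=30, other_util=12, load_based=False)

    full = Radio(voice_util=48)
    return {
        "new call at 40%": new_call,
        "roaming call at 40%": roam_call,
        "load-based with 12% other load": loaded.admit(5),   # 47 > 44: rejected
        "static with 12% other load": static.admit(5),       # 35 <= 44: admitted
        "roaming at 48%": full.admit(5, roaming=True),       # 53 > 50: rejected
        "expedited at 48%": full.admit(5, expedited=True),   # admitted past the maximum
    }


if __name__ == "__main__":
    print("G.711 @ 20 ms:", g711_packet(20), "(payload bytes, packets/s)")
    for case, result in demo().items():
        print(f"{case:>32}: {'admitted' if result else 'rejected'}")
```

The load-based pair is the one worth studying: the same radio with the same admitted voice load accepts the call under static CAC and refuses it under load-based CAC, because only the latter notices the 12% of channel time already consumed by traffic it did not admit.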
Ensure that the HQ-WPAEAP1-PodX WLAN is configured to detect the origination of SIP
calls for use in CAC.
Configure the WLC to consider SIP ports used for SIP snooping to be from 5060 through
5070.
Configure the WLC to allow SIP calls to 911 to exceed the maximum call/bandwidth limit.
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wlan HQ-WPAEAP1-Pod1
CAT3(config-wlan)#shut
CAT3(config-wlan)#call-snoop
CAT3(config-wlan)#no shut
CAT3(config-wlan)#exit
CAT3(config)#wireless sip preferred-call-no 1 911
CAT3(config)#end
Rate Limiting
This will require a policy-map that will be assigned to the client. We’ll re-use the class-maps from
before.
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#policy-map VOICE1_CLIENT
CAT3(config-pmap)#class VOICE
CAT3(config-pmap-c)#police 500k conform-action transmit exceed-action drop
CAT3(config-pmap-c-police)#exit
CAT3(config-pmap-c)#class VIDEO
CAT3(config-pmap-c)#police 1000k conform-action transmit exceed-action drop
CAT3(config-pmap-c-police)#exit
CAT3(config-pmap-c)#exit
CAT3(config-pmap)#exit
CAT3(config)#wlan Voice1-Pod1
CAT3(config-wlan)#shut
CAT3(config-wlan)#service-policy client input VOICE1_CLIENT
CAT3(config-wlan)#service-policy client output VOICE1_CLIENT
CAT3(config-wlan)#no shut
CAT3(config-wlan)#end
If you connect your WIN7 client to the Voice1-PodX WLAN, you can see the policy being applied.
0 packets, 0 bytes
30 second rate 0 bps
police:
cir 500000 bps, bc 15625 bytes
conformed 0 bytes; actions:
transmit
exceeded 0 bytes; actions:
drop
conformed 0000 bps, exceeded 0000 bps
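The output above shows what `police 500k` became: a cir of 500000 bps with a bc of 15625 bytes, and 15625 bytes is 125000 bits, a quarter of a second of traffic at 500 kbps, so a client can burst that much before frames start to exceed. The Python token bucket below is an added example, not the IOS-XE policer or anything from this guide; the cir and bc values are taken from the show output and the packet schedules are constructed.

```python
"""Added example: a single-rate, two-colour policer like the one shown above.

Tokens refill at cir/8 bytes per second and never accumulate beyond bc. A
packet conforms (transmit) if the bucket holds at least its size in tokens,
otherwise it exceeds (drop), matching the conform/exceed actions configured
under policy-map VOICE1_CLIENT. The packet schedules are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Policer:
    cir_bps: int
    bc_bytes: int
    tokens: float = field(init=False)
    last_t: float = field(init=False, default=0.0)
    conformed_bytes: int = field(init=False, default=0)
    exceeded_bytes: int = field(init=False, default=0)

    def __post_init__(self) -> None:
        self.tokens = float(self.bc_bytes)        # bucket starts full

    def offer(self, t: float, size: int) -> str:
        """Return 'transmit' (conform) or 'drop' (exceed) for a packet of size bytes at time t."""
        elapsed = t - self.last_t
        self.last_t = t
        self.tokens = min(float(self.bc_bytes), self.tokens + elapsed * self.cir_bps / 8)
        if size <= self.tokens:
            self.tokens -= size
            self.conformed_bytes += size
            return "transmit"
        self.exceeded_bytes += size
        return "drop"


def run(policer: Policer, schedule: List[Tuple[float, int]]) -> Tuple[int, int]:
    """Feed (time, size) packets through the policer; return (transmitted, dropped) counts."""
    actions = [policer.offer(t, size) for t, size in schedule]
    return actions.count("transmit"), actions.count("drop")


def burst(n: int) -> List[Tuple[float, int]]:
    return [(0.0, 1500)] * n                            # n full-size frames at once


def stream(n: int, interval_s: float) -> List[Tuple[float, int]]:
    return [(i * interval_s, 1500) for i in range(n)]   # 1500 bytes every interval


def lab_policer() -> Policer:
    return Policer(cir_bps=500_000, bc_bytes=15_625)    # values from the show output


if __name__ == "__main__":
    print("burst of 12 frames:   ", run(lab_policer(), burst(12)))
    print("50 frames @ 500 kbps: ", run(lab_policer(), stream(50, 0.024)))
    print("100 frames @ 1 Mbps:  ", run(lab_policer(), stream(100, 0.012)))
```

With a full bucket, ten 1500-byte frames (15000 bytes) conform at once and the eleventh is dropped; a stream that arrives at exactly 500 kbps (1500 bytes every 24 ms) never drops, while one at twice the rate conforms until the burst allowance is spent and then drops roughly every other frame, which is how the long-run rate is held at cir.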
8. Configure the DHCP scope for VLANs 16-17 on CAT2 to advertise a TFTP server of 10.10.205.20 so
that the wired desk phone on CAT3 (or any other Cisco phones on those VLANs) can discover its
call manager.
CAT2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT2(config)#ip dhcp pool vlan16
CAT2(dhcp-config)#option 150 ip 10.10.205.20
CAT2(dhcp-config)#ip dhcp pool vlan17
CAT2(dhcp-config)#option 150 ip 10.10.205.20
CAT2(dhcp-config)#end
9. Configure the WLC to manipulate CWmin and CWmax values to more heavily favor the sending of
frames in the Platinum queue over the other 3 queues.
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#ap dot11 24 edca-parameters optimized-voice
CAT3(config)#ap dot11 5g edca-parameters optimized-voice
CAT3(config)#end
10. The WLC should collect basic metrics on the voice calls happening on the associated APs.
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#ap dot11 24 tsm
CAT3(config)#ap dot11 5g tsm
CAT3(config)#no ap dot11 24 shut
CAT3(config)#no ap dot11 5g shut
CAT3(config)#end
You can use Jabber on the WIN7 PC to make phone calls. Assuming the desk phone has registered after
your option 150 config, open the Jabber client and call 1000. That’s the phone number of the desk
phone (1001 is the Jabber client’s phone number). The desk phone should automatically answer.
Once the call completes, you should be able to see traffic stream metrics for the WIN7 client and other
CAC related information.
sho policy-map
sho policy-map interface wireless ap
sho ap dot11 24ghz network
sho policy-map interface wireless client
This concludes Lab 177 of iPexpert’s CCIE Wireless DSG, Section 7, Volume 1
Technologies Covered
VideoStream on AireOS
Topology Detail
1. If you didn’t do the Voice lab, create the HQ-WPAEAP1-PodX WLAN as described below. Otherwise,
just reuse that WLAN.
3. Have the WLC send multicast traffic to its APs using the multicast group 239.10.111.10.
4. Use the Voice and Video EDCA profile to give video AC traffic better priority access to the RF
medium.
VideoStream requires multicast with IGMP snooping enabled globally. An AP mode of multicast-multicast is optional, but recommended. Same with the EDCA profile setting.
Configure VideoStream
Assume each stream will take 1000 Kbps of bandwidth with the default packet size.
Only 5 GHz clients on the HQ-WPAEAP1-PodX WLAN should be able to take advantage of
VideoStream.
If the RRC check fails on the initial join, allow the stream with Best Effort access.
Periodically recheck if there is still enough bandwidth to support the existing streams.
If a periodic recheck determines there is not enough bandwidth for all of the existing
streams, have it start dropping client streams.
Ensure that users of this stream are the last ones to be kicked off by giving the stream
the highest priority.
VideoStream requires configurations in a number of different areas. First enable it globally, next define
the stream. Configure the radio policies. Finally, enable it on the WLAN.
Testing
Connect the WIN7 PC to the WLAN using PEAP with the credentials iseuser1/IPexpert123.
There is an application called Multicast Hammer on the WIN7 client and on the Windows 2012 server
that can be used to send and receive multicast traffic. Use the application to have the Windows 2012
server send traffic to 239.99.99.99 and have the WIN7 client receive it on its wireless interface.
WIN7 settings.
Once the stream is going, you should be able to view its details on the WLC and see if it was included
in VideoStream.
Most likely in the lab you won’t have any means to test the functionality.
Number of Clients................................ 1
Client Mac Stream Name Stream Type Radio WLAN QoS Status
----------------- ----------- ----------- ---- ---- ------ -------
c8:d7:19:c0:05:90 CCIEW MC-direct 5 2 Video Admitted
Here we can see that the stream is getting the VideoStream treatment.
This concludes Lab 178 of iPexpert’s CCIE Wireless DSG, Section 7, Volume 1
Technologies Covered
VideoStream on IOS-XE
Topology Detail
1. If you didn’t do the Voice lab, create the HQ-WPAEAP1-PodX WLAN as described below. Otherwise,
just reuse that WLAN.
Specify the platinum QoS profile for the SSID egress QoS policy.
Specify the platinum-up QoS profile for the SSID ingress QoS policy.
4. Have the switch send multicast traffic to its APs using the multicast group 239.10.113.13.
5. Use the Voice and Video EDCA profile to give video AC traffic better priority access to the RF
medium.
This is mostly the same as the last lab. I already have Q0 and Q1 enabled from an earlier lab.
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wireless multicast
CAT3(config)#ip multicast-routing
CAT3(config)#ip igmp snooping
CAT3(config)#ap capwap multicast 239.10.113.13
CAT3(config)#ap dot11 24 shut
CAT3(config)#ap dot11 5g shut
CAT3(config)#ap dot11 24 edca-parameters optimized-video-voice
CAT3(config)#ap dot11 5g edca-parameters optimized-video-voice
CAT3(config)#end
CAT3#sho policy-map
  Policy Map VOICE1_CLIENT
    Class VOICE
     police cir 500000 bc 15625
       conform-action transmit
       exceed-action drop
    Class VIDEO
     police cir 1000000 bc 31250
       conform-action transmit
       exceed-action drop
Configure VideoStream
Assume each stream will take 500 Kbps of bandwidth with the default packet size.
Only 5 GHz clients on the HQ-WPAEAP1-PodX WLAN should be able to take advantage of
VideoStream.
If the RRC check fails on the initial join, they should be denied access to the stream.
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#wireless media-stream multicast-direct
CAT3(config)#wireless media-stream group CCIEW 239.13.13.13 239.13.13.13
CAT3(config-media-stream)#max-bandwidth 500
CAT3(config-media-stream)#qos video
CAT3(config-media-stream)#exit
CAT3(config)#wlan HQ-WPAEAP1-Pod1
CAT3(config-wlan)#media-stream multicast-direct
CAT3(config-wlan)#service-policy input platinum-up
CAT3(config-wlan)#service-policy output platinum
CAT3(config-wlan)#no shut
CAT3(config-wlan)#exit
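The admission behaviour that Labs 178 and 179 configure (an RRC check when a client joins, best-effort fallback versus denial when it fails, and a periodic re-check that drops the lowest-priority streams first) as an added Python model; this is not WLC code, and the radio capacity figure and the priority scale (higher value = kept longer) are assumptions made for the model:

```python
from dataclasses import dataclass, field


@dataclass
class Stream:
    name: str
    client: str
    max_bandwidth_kbps: int   # per-stream reservation, like 'max-bandwidth 500'
    priority: int             # higher value = kept longer (assumed scale, not the WLC's)


@dataclass
class Radio:
    capacity_kbps: int                # bandwidth this radio may reserve for video (assumed)
    band: str                         # '5g' or '24'
    admitted: list = field(default_factory=list)
    best_effort: list = field(default_factory=list)

    def reserved(self) -> int:
        return sum(s.max_bandwidth_kbps for s in self.admitted)


def rrc_join(radio: Radio, stream: Stream, on_fail: str = "fallback") -> str:
    """Initial RRC check when a client joins a stream.  Returns 'Admitted',
    'Best Effort' or 'Denied'.  on_fail='fallback' is the Lab 178 setting (stream
    allowed with best-effort access); on_fail='deny' is the Lab 179 setting."""
    if radio.band != "5g":
        # multicast-direct is only enabled for 5 GHz clients; other radios just
        # deliver the ordinary multicast stream
        radio.best_effort.append(stream)
        return "Best Effort"
    if radio.reserved() + stream.max_bandwidth_kbps <= radio.capacity_kbps:
        radio.admitted.append(stream)
        return "Admitted"
    if on_fail == "fallback":
        radio.best_effort.append(stream)
        return "Best Effort"
    return "Denied"


def periodic_recheck(radio: Radio, capacity_kbps: int) -> list:
    """Periodic RRC re-check with the radio's current (possibly reduced) capacity.
    Lowest-priority streams are dropped first until the reservations fit again.
    Returns the names of the dropped streams, in drop order."""
    radio.capacity_kbps = capacity_kbps
    radio.admitted.sort(key=lambda s: s.priority, reverse=True)  # lowest priority last
    dropped = []
    while radio.admitted and radio.reserved() > radio.capacity_kbps:
        dropped.append(radio.admitted.pop().name)
    return dropped


def client_summary(radio: Radio) -> list:
    """Rows in the shape of 'show media-stream client summary' (constructed output)."""
    rows = [(s.client, s.name, "Video", "Admitted") for s in radio.admitted]
    rows += [(s.client, s.name, "Best Effort", "Not Admitted") for s in radio.best_effort]
    return rows
```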
Testing
Connect the WIN7 PC to the WLAN using PEAP with the credentials iseuser1/IPexpert123.
There is an application called Multicast Hammer on the WIN7 client and on the Windows 2012 server
that can be used to send and receive multicast traffic. Use the application to have the Windows 2012
server send traffic to 239.13.13.13 and have the WIN7 client receive it on its wireless interface.
Once the stream is going, you should be able to view its details on the WLC and see if it was included
in VideoStream.
Most likely in the lab you won’t have any means to test the functionality.
show policy-map
show wireless media-stream client summary
show wireless media-stream group detail
This concludes Lab 179 of iPexpert’s CCIE Wireless DSG, Section 7, Volume 1
Technologies Covered
mDNS/Bonjour Gateway
Topology Detail
1. If you didn’t do the Voice lab, create the HQ-WPAEAP1-PodX WLAN as described below. Otherwise,
just reuse that WLAN.
Number of Services.............................. 9
Mobility learning status ........................ Enabled
Service-Name                     LSS  Origin     No SP Service-string
-------------------------------- ---- ---------- ----- ---------------
AirTunes                         No   All        0     _raop._tcp.local.
Airplay                          No   All        0     _airplay._tcp.local.
HP_Photosmart_Printer_1          No   All        0     _universal._sub._ipp._tcp.local.
HP_Photosmart_Printer_2          No   All        0     _cups._sub._ipp._tcp.local.
HomeSharing                      No   All        0     _home-sharing._tcp.local.
Printer-IPP                      No   All        0     _ipp._tcp.local.
Printer-IPPS                     No   All        0     _ipps._tcp.local.
Printer-LPD                      No   All        0     _printer._tcp.local.
Printer-SOCKET                   No   All        0     _pdl-datastream._tcp.local.
* -> If access policy is enabled LSS will be ignored.
3. Verify that the default mDNS profile is enabled on the WLAN and connect your client using PEAP
with the credentials iseuser1/IPexpert123.
[lines omitted]
mDNS Status...................................... Enabled
mDNS Profile Name................................ default-mdns-profile
4. Open iTunes on the WIN7 client and look at the mDNS browser information. You should see an
entry from your client for _daap._tcp.local. This is the iTunes Music Sharing service. Services not
on the master service list will show up on this list when detected.
iTunes gives you an error about not being able to play stuff correctly, but that’s OK. Click past it. Now
look at the mDNS browser info.
Key................................... = 1134.13.10.10.in-addr.arpa.
Service string type................... = 4.13.10.10.in-addr.arpa.
Service Provider Client MAC........... = C8:D7:19:C0:05:90
Service Provider AP-MAC............... = 54:78:1A:89:37:E0
Is this a Priority SP................. = No
Service Provider VLAN................. = 13
Service Provider Origin Type.......... = Wireless
Service Provider TTL.................. = 120
TTL Time remaining (sec) ............. = 20
-------------------------------------------------
Key................................... = 113_daap._tcp.local.
Service string type................... = _daap._tcp.local.
Service Provider Client MAC........... = C8:D7:19:C0:05:90
Service Provider AP-MAC............... = 54:78:1A:89:37:E0
Here we see that the WLC received two different service advertisements. The 2nd one is the one that
we care about. It only has a TTL of 2 minutes. So if you missed it, just close/reopen iTunes for a fresh
advertisement. We see that it was learned over the wireless network on VLAN 13.
5. Add this service to the master services list with a service name of “iTunes Music Sharing”. You
should see the entry that was under the mDNS browser now shows under this service.
There is actually a pre-canned service in the GUI for this, but we’ll do it in the CLI as usual.
(WLC1) >config mdns service create "iTunes Music Sharing" _daap._tcp.local. origin all
lss disable query enable
Number of Services.............................. 10
Mobility learning status ........................ Enabled
Service-Name                     LSS  Origin     No SP Service-string
-------------------------------- ---- ---------- ----- ---------------
AirTunes                         No   All        0     _raop._tcp.local.
Airplay                          No   All        0     _airplay._tcp.local.
HP_Photosmart_Printer_1          No   All        0     _universal._sub._ipp._tcp.local.
HP_Photosmart_Printer_2          No   All        0     _cups._sub._ipp._tcp.local.
HomeSharing                      No   All        0     _home-sharing._tcp.local.
Printer-IPP                      No   All        0     _ipp._tcp.local.
Printer-IPPS                     No   All        0     _ipps._tcp.local.
Printer-LPD                      No   All        0     _printer._tcp.local.
Printer-SOCKET                   No   All        0     _pdl-datastream._tcp.local.
iTunes Music Sharing             No   All        1     _daap._tcp.local.
* -> If access policy is enabled LSS will be ignored.
Now the WLC knows about the service. It won’t show up in the mDNS browser list any more. Instead,
you see the advertisements under the service.
Service Provider Name             Client MAC        AP-MAC            VLAN    Type     TTL   Time left
                                                                                       (sec) (sec)
--------------------------------- ----------------- ----------------- ------- -------- ----- ---------
admin’s Library._daap._tcp.local. C8:D7:19:C0:05:90 54:78:1A:89:37:E0 13      Wireless 4500  4397
Also note that the WLC jacked up the TTL quite a bit from what it was before.
6. Add this new service to the default mDNS profile so that others can learn about it.
Until we do this, the service is not discoverable by other wireless clients on different subnets.
(WLC1) >config mdns profile service add default-mdns-profile "iTunes Music Sharing"
HomeSharing
Printer-IPP
Printer-IPPS
Printer-LPD
Printer-SOCKET
iTunes Music Sharing
7. Enable the default mDNS profile on the WLC vlan13 and vlan15 interfaces.
This is disabled by default. Enabling this allows the WLC to snoop the wired network on these VLANs
for mDNS service advertisements. This way, wireless clients will be able to learn about wired devices
on different subnets.
8. Shut/no shut the switch port connecting to the Apple Airport device on CAT3, which will cause
some fresh mDNS advertisements to flow. You should see them listed on WLC1 in the mDNS
browser.
There are a number of advertisements that go out. Here is the list of the strings.
CAT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT3(config)#int gi1/0/6
CAT3(config-if)#shut
CAT3(config-if)#no shut
CAT3(config-if)#end
9. Find the airport service and add it to the global services list with a name of Airport
(WLC1) >config mdns service create Airport _airport._tcp.local. origin all lss disable
query enable
(WLC1) >config mdns query interval 10
Service Provider Name             Client MAC        AP-MAC            VLAN    Type     TTL   Time left
                                                                                       (sec) (sec)
--------------------------------- ----------------- ----------------- ------- -------- ----- ---------
Rack3._airport._tcp.local.        34:36:3B:BB:BD:92 ------            15      Wired    4500  4431
11. Ensure that the WIN7 client is connected to the HQ-WPAEAP1-PodX WLAN, open a command
prompt, run the command dns-sd -B _airport._tcp and look for an entry to populate.
This command does a service request, asking if anyone is offering that service. With the
Bonjour Gateway, services do need to be requested and not just passively heard by the
wireless clients.
Here we see a single response for the airport express named Rack3. It’ll sit there for a while looking.
Just press Ctrl+C to break out of it after you get your entry to show up.
12. Enable AP-based mDNS snooping on the LAP4 AP. Have it snoop on VLAN 5, then configure the
switch port to be a trunk with VLANs 5 and 115 allowed and 115 as the native VLAN.
Oftentimes our WLC cannot snoop all of the wired VLANs itself, so we can enlist the help of our APs to
do it.
CAT2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT2(config)#int fa0/4
CAT2(config-if)#sw tr en do
CAT2(config-if)#sw tr nat vl 115
CAT2(config-if)#sw tr al vl 5,115
CAT2(config-if)#sw mo tr
CAT2(config-if)#end
13. Disconnect the WIN7 client from the wireless network and open up iTunes (close and open if it’s
current still open). This will send an mDNS service advertisement on the wired interface on VLAN
5.
Open iTunes. In my testing, if you do it while the client is connected wirelessly, the service
advertisement only goes out the wireless interface.
14. Verify that the entry shows up under the iTunes Music Sharing service list as being seen through
wired snooping on VLAN 5.
Service Provider Name             Client MAC        AP-MAC            VLAN    Type     TTL   Time left
                                                                                       (sec) (sec)
--------------------------------- ----------------- ----------------- ------- -------- ----- ---------
admin’s Library._daap._tcp.local. 00:50:56:9B:D4:FC 54:78:1A:89:37:E0 5       mDNS AP  4500  4473
Note how the Type is an mDNS AP; so you can tell that it was the AP that detected the advertisement.
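The gateway behaviour this lab walks through (unknown service strings land in the mDNS browser, services on the master list collect providers with the WLC's own TTL, and only services added to a client's mDNS profile are answered) as an added Python model; this is not WLC code, the 4500 second TTL is taken from the lab output above, and the class and method names are assumptions:

```python
from dataclasses import dataclass, field

WLC_TTL_SEC = 4500   # TTL the WLC assigned in the lab output (the advertiser sent 120)


@dataclass
class Provider:
    instance: str        # e.g. "admin's Library._daap._tcp.local."
    mac: str
    vlan: int
    origin: str          # 'Wireless', 'Wired' or 'mDNS AP' (AP-based snooping)
    ttl: int = WLC_TTL_SEC


@dataclass
class Gateway:
    services: dict = field(default_factory=dict)   # service-name -> service string
    providers: dict = field(default_factory=dict)  # service-name -> [Provider]
    profiles: dict = field(default_factory=dict)   # profile-name -> {service-name}
    browser: list = field(default_factory=list)    # adverts with no matching service

    def service_create(self, name, service_string):
        """config mdns service create <name> <string>: add the service to the master
        list and move any matching mDNS-browser entries under it."""
        self.services[name] = service_string
        plist = self.providers.setdefault(name, [])
        for inst, string, mac, vlan, origin in self.browser:
            if string == service_string:
                plist.append(Provider(inst, mac, vlan, origin))
        self.browser = [b for b in self.browser if b[1] != service_string]

    def profile_service_add(self, profile, name):
        """config mdns profile service add <profile> <service-name>."""
        if name not in self.services:
            raise KeyError(f"{name!r} is not in the master service list")
        self.profiles.setdefault(profile, set()).add(name)

    def learn(self, instance, service_string, mac, vlan, origin):
        """Process one snooped advertisement.  Returns the service name when the
        string is on the master list (provider recorded with the WLC TTL), otherwise
        'browser' (the advert is only visible under the mDNS browser)."""
        for name, string in self.services.items():
            if string == service_string:
                plist = self.providers[name]
                plist[:] = [p for p in plist if p.mac != mac]   # refresh, no duplicate
                plist.append(Provider(instance, mac, vlan, origin))
                return name
        self.browser.append((instance, service_string, mac, vlan, origin))
        return "browser"

    def query(self, profile, service_string):
        """A client's service query (as with dns-sd -B).  Only services in the
        client's mDNS profile are answered, which is where cross-subnet discovery
        is policed."""
        for name in self.profiles.get(profile, ()):
            if self.services[name] == service_string:
                return list(self.providers[name])
        return []
```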
This concludes Lab 180 of iPexpert’s CCIE Wireless DSG, Section 7, Volume 1
Technologies Covered
All referenced reading material can be found in the associated Reading Material file located in your
Member's Area.
Topology Detail
1. If you didn’t do the Voice lab, create the HQ-WPAEAP1-PodX WLAN as described below. Otherwise,
just reuse that WLAN.
This will allow the tracking of applications on the WLAN. No actions will be taken yet.
3. Connect your WIN7 client to the WLAN using PEAP and credentials iseuser1/IPexpert123, then
browse to https://10.10.113.13 and https://10.10.120.10 to generate some web traffic. Ping
10.10.13.1. Feel free to do other things as well to generate traffic. Just don’t target things on VLAN
5, as the WIN7 client would send that traffic out its wired interface.
4. Look at the AVC information for the controller as well as on your client.
It can take a little bit for the AVC records to catch up, but only 1-2 minutes. The GUI is the nicest place
to see much of this. To look at the WLAN stats, go to Monitor > Applications > WLAN #.
And you can also look at the individual client stats as well.
5. Create a new AVC profile named CCIEW with the following best practice settings for Jabber.
Rate limit HTTP and HTTPS traffic to 1000 Kbps with a burst of 1000 Kbps in both
directions.
Creating a profile in the CLI is pretty painful, unless you have the specific application list. There is no
context sensitive help here, so let’s just do it in the GUI.
7. Assign the profile to the WLAN and connect your client again.
The markings are hard to test. You probably also won’t be able to see the rate limiting in action either,
but pings will be an easy one to test.
The pings that worked before now are getting dropped by the AVC policy.
This concludes Lab 181 of iPexpert’s CCIE Wireless DSG, Section 7, Volume 1