Archive by Author | Joost van der Made

AP Authentication / MAC

When you do AP Authentication against the ACS, there are different ways the WLC can present the MAC address of the AP to the ACS.

You can configure it at :

When you play with the settings, you'll see the different formats arrive at the ACS :

If you're creating the user in ACS, make sure the format is exactly the same as what the controller sends.
The password is the same as the username (the MAC address)…
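As an added example (not from the original post), here is a small Python helper that renders one MAC in the delimiter styles a controller or ACS may use, plus the dotted form IOS uses for `hardware-address` and `show ip dhcp binding`, and checks the two conditions above: the ACS username must be byte-for-byte what the controller sends, and the password must equal the username. The list of styles is an assumption; compare it with what your own ACS log shows.

```python
import re
from typing import Dict, Tuple

# Added example, not code from the post. The styles below are an assumption:
# check them against the format your ACS log actually shows.
_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def canonical(mac: str) -> str:
    """Strip every delimiter and return 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def formats(mac: str) -> Dict[str, str]:
    """The same MAC in each delimiter style (controller/ACS) and in the
    dotted style IOS uses for hardware-address and show ip dhcp binding."""
    d = canonical(mac)
    pairs = [d[i:i + 2] for i in range(0, 12, 2)]
    return {
        "none": d,                                                # aabbccddeeff
        "colon": ":".join(pairs),                                 # aa:bb:cc:dd:ee:ff
        "hyphen": "-".join(pairs),                                # aa-bb-cc-dd-ee-ff
        "single-hyphen": d[:6] + "-" + d[6:],                     # aabbcc-ddeeff
        "dotted": ".".join(d[i:i + 4] for i in range(0, 12, 4)),  # aabb.ccdd.eeff
    }


def same_device(a: str, b: str) -> bool:
    """True when two differently written strings are the same MAC."""
    return canonical(a) == canonical(b)


def ap_credentials_match(sent_by_wlc: str, acs_user: str, acs_password: str) -> Tuple[bool, str]:
    """Apply the two rules from the post. The comparison is exact (case
    included); relax it if your ACS matches usernames case-insensitively."""
    if sent_by_wlc != acs_user:
        try:
            if same_device(sent_by_wlc, acs_user):
                return False, "same MAC, different format"
        except ValueError:
            pass  # the ACS username is not a MAC at all
        return False, "different MAC"
    if acs_password != acs_user:
        return False, "password must equal username"
    return True, "ok"


if __name__ == "__main__":
    for style, value in formats("00:25:22:70:11:02").items():
        print(f"{style:14} {value}")
    print(ap_credentials_match("002522701102", "00:25:22:70:11:02", "00:25:22:70:11:02"))
```

Feed `ap_credentials_match` the string you see in the ACS failed-attempts log as the first argument and the user you created as the other two; "same MAC, different format" is the mismatch the post warns about.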

Option 7 at IOS DHCP

Of course you want all logging to go to a syslog server. (It's also a Cisco recommendation; see the WLC Configuration Guide.) DHCP option 7 is the log server option (RFC 2132): the AP learns the syslog server address from its lease.
You can configure an IOS DHCP scope like :

ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool VLAN1
 network 192.168.1.0 /24
 ! option 7 = log server; 192.168.1.10 is the address the AP reports in the log message below
 option 7 ip 192.168.1.10
 ! option 43 = controller list: sub-option 0xf1, length 4, controller 10.10.10.10
 option 43 hex f1040a0a0a0a

In my own lab, option 7 wasn't working!
I had tested the WLC with versions 4.2.130 and 4.2.176.

Then I saw :
%LWAPP-3-CLIENTEVENTLOG: Did not get any DNS options from DHCP.
That’s not good..

After upgrading to 4.2.209, option 7 works and you'll see on the LWAPP AP :

%LWAPP-3-CLIENTEVENTLOG: Got log server settings(192.168.1.10) from DHCP.
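The option 43 value in the pool above is a Cisco vendor-specific TLV: sub-option type 0xf1, a length of 4 bytes per controller, then the controller IPv4 addresses (f1 04 0a0a0a0a = one controller, 10.10.10.10). Option 7 is plainer: a list of 4-byte log server addresses (RFC 2132). As an added example, not from the original post, this Python builds the hex string for the `option 43 hex` line from a list of controllers and decodes both options back, so you can check what a pool really hands out before blaming the controller version. The sample bytes are constructed.

```python
import ipaddress
from typing import List

# Added example, not code from the post.
WLC_SUBOPTION = 0xF1   # Cisco LWAPP/CAPWAP controller-address sub-option inside option 43


def _packed(addrs: List[str]) -> bytes:
    return b"".join(ipaddress.IPv4Address(a).packed for a in addrs)


def encode_option43(controllers: List[str]) -> bytes:
    """TLV: type 0xf1, length 4*n, then n IPv4 addresses."""
    body = _packed(controllers)
    if not body or len(body) > 255:
        raise ValueError("need 1..63 controller addresses")
    return bytes([WLC_SUBOPTION, len(body)]) + body


def option43_hex(controllers: List[str]) -> str:
    """What follows `option 43 hex` in the IOS pool."""
    return encode_option43(controllers).hex()


def decode_option43(raw: bytes) -> List[str]:
    """Walk every sub-option TLV and return the controllers from the 0xf1 one."""
    i, found = 0, []
    while i < len(raw):
        if i + 2 > len(raw):
            raise ValueError("truncated sub-option header")
        typ, length = raw[i], raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated sub-option value")
        if typ == WLC_SUBOPTION:
            if length == 0 or length % 4:
                raise ValueError("controller list must be a multiple of 4 bytes")
            found += [str(ipaddress.IPv4Address(value[j:j + 4])) for j in range(0, length, 4)]
        i += 2 + length
    return found


def encode_option7(log_servers: List[str]) -> bytes:
    """RFC 2132 option 7: one or more 4-byte log server addresses, no TLV framing."""
    body = _packed(log_servers)
    if not body:
        raise ValueError("need at least one log server")
    return body


def decode_option7(raw: bytes) -> List[str]:
    if not raw or len(raw) % 4:
        raise ValueError("option 7 value must be a non-empty multiple of 4 bytes")
    return [str(ipaddress.IPv4Address(raw[i:i + 4])) for i in range(0, len(raw), 4)]


if __name__ == "__main__":
    print("option 43 hex", option43_hex(["10.10.10.10"]))   # f1040a0a0a0a, as in the pool above
    print("controllers  ", decode_option43(bytes.fromhex("f1040a0a0a0a")))
    print("log servers  ", decode_option7(encode_option7(["192.168.1.10"])))
```

`decode_option43` walks all sub-options rather than assuming the 0xf1 TLV comes first, so it also copes with option 43 values that carry other vendor sub-options in front of the controller list.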

WCS TFTP

By default there is a TFTP server on the WCS server, which I use a lot….

But…
When you restore the WCS server with no controller configured, the TFTP server doesn't work.
You need to add at least one controller before the TFTP service becomes active (it's a WCS service, not a Windows service, so you can't start it manually).

After that you can upload/download files via the WCS TFTP service.

AP Groups

When your SSID domain is so large that it has to span multiple VLANs, you can use AP Groups.

First configure the needed interfaces.

Create an AP Group with the correct VLAN Mappings.

Configure the AP to use this AP Group.

Reset the AP.

Test the config and you’ll see it’s working.

Spanning-tree Cost

You can define a different cost per port/VLAN to steer the spanning-tree topology.

Here we see a default spanning tree :

SW2960_1(config-if)#do sh span vl 145

VLAN0145
Spanning tree enabled protocol ieee
Root ID Priority 4241
Address 001e.499b.5080
Cost 19
Port 8 (FastEthernet0/8)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32913 (priority 32768 sys-id-ext 145)
Address aca0.166c.2600
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300

Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/7 Altn BLK 19 128.7 P2p
Fa0/8 Root FWD 19 128.8 P2p

Now I want spanning-tree to block port Fa0/8 instead of Fa0/7.

We’re using :

SW2960_1(config-if)#int f0/7
SW2960_1(config-if)#spanning-tree vlan 145 cost 1
SW2960_1(config-if)#do sh span vl 145

VLAN0145
Spanning tree enabled protocol ieee
Root ID Priority 4241
Address 001e.499b.5080
Cost 19
Port 8 (FastEthernet0/8)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32913 (priority 32768 sys-id-ext 145)
Address aca0.166c.2600
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300

Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/7 Altn BLK 1 128.7 P2p
Fa0/8 Root FWD 19 128.8 P2p

Fa0/7 is still blocking for VLAN 145…. That is expected: the root path cost through a port is the root path cost carried in the BPDU received on that port plus our own port cost. Fa0/8 receives BPDUs directly from the root (0 + 19 = 19), while the bridge on Fa0/7 advertises a root path cost of 19 itself (one 100 Mb hop from the root), so via Fa0/7 we get 19 + 1 = 20 and Fa0/8 still wins. Lowering the cost on Fa0/7 alone isn't enough; the cost on Fa0/8 has to go above 20 :

SW2960_1(config-if)#int f 0/8
SW2960_1(config-if)#spanning-tree vl 145 cos 21
and now we’ll see :

VLAN0145
Spanning tree enabled protocol ieee
Root ID Priority 4241
Address 001e.499b.5080
Cost 20
Port 7 (FastEthernet0/7)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32913 (priority 32768 sys-id-ext 145)
Address aca0.166c.2600
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300

Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/7 Root FWD 1 128.7 P2p
Fa0/8 Altn BLK 21 128.8 P2p

The default path cost is computed from the interface bandwidth setting. These are the IEEE default path cost values:
• 1000 Mbps: 4
• 100 Mbps: 19
• 10 Mbps: 100

As you can see, I'm using a 100 Mb switch….
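As an added example (not from the original post), this Python models the 802.1D root port choice on SW2960_1 for VLAN 145: the root path cost through a port is the cost in the BPDU received there plus our own port cost, with ties broken by the sender's bridge ID, the sender's port ID and finally our own port ID. The BPDU costs are taken from the show output above (0 on Fa0/8, which faces the root directly; 19 on Fa0/7, since the final root cost there is 20 with a port cost of 1). The bridge ID of the neighbor on Fa0/7 and the sender port IDs are assumptions, and the roles reported assume the non-root port hears a superior BPDU, as both ports do here.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Added example, not code from the post.
# IEEE 802.1D default path costs by link speed, as listed above.
DEFAULT_COST = {10: 100, 100: 19, 1000: 4}

BridgeID = Tuple[int, str]   # (priority including sys-id-ext, MAC)


def port_id(priority: int, number: int) -> int:
    """Encode the 'Prio.Nbr' column (128.8 -> 0x8008)."""
    return (priority << 8) | number


@dataclass
class Port:
    name: str
    local_port_id: int
    port_cost: int            # our cost on this port (spanning-tree vlan X cost N)
    bpdu_root_cost: int       # root path cost carried in the BPDU we receive here
    sender_bridge: BridgeID   # bridge ID of the switch sending that BPDU
    sender_port_id: int


def root_path_cost(p: Port) -> int:
    return p.bpdu_root_cost + p.port_cost


def choose_root_port(ports: List[Port]) -> Port:
    """Lowest root path cost wins; then lowest sender bridge ID, sender port ID, own port ID."""
    return min(ports, key=lambda p: (root_path_cost(p), p.sender_bridge,
                                     p.sender_port_id, p.local_port_id))


def roles(ports: List[Port]) -> Dict[str, str]:
    rp = choose_root_port(ports)
    return {p.name: ("Root FWD" if p is rp else "Altn BLK") for p in ports}


def summary(ports: List[Port]) -> Tuple[str, int]:
    """(root port, root path cost) as the 'Root ID' block of the show output reports it."""
    rp = choose_root_port(ports)
    return rp.name, root_path_cost(rp)


ROOT_BRIDGE: BridgeID = (4241, "001e.499b.5080")     # from the show output
FA07_NEIGHBOR: BridgeID = (32913, "0000.0000.0001")  # assumed: the bridge between us and the root on Fa0/7


def sw2960_1(cost_fa07: int = DEFAULT_COST[100], cost_fa08: int = DEFAULT_COST[100]) -> List[Port]:
    """The post's switch: Fa0/8 hears the root directly (BPDU cost 0),
    Fa0/7 hears a bridge that is one 100 Mb hop from the root (BPDU cost 19)."""
    return [
        Port("Fa0/7", port_id(128, 7), cost_fa07, 19, FA07_NEIGHBOR, port_id(128, 1)),
        Port("Fa0/8", port_id(128, 8), cost_fa08, 0, ROOT_BRIDGE, port_id(128, 1)),
    ]


if __name__ == "__main__":
    for label, ports in [("defaults", sw2960_1()),
                         ("Fa0/7 cost 1", sw2960_1(cost_fa07=1)),
                         ("Fa0/7 cost 1, Fa0/8 cost 21", sw2960_1(1, 21))]:
        print(f"{label:28} root port {summary(ports)}  {roles(ports)}")
```

The model reproduces all three show outputs above, and also shows that cost 20 on Fa0/8 would not have been enough: at 20 versus 20 the tie goes to the port hearing the lower bridge ID, which is the root itself on Fa0/8.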

HREAP on LWAPP AP

How do you see which HREAP state an AP is in?
That's possible from the CLI of the LWAPP AP.

You can do :

L1240-4#sh lwapp reap status
AP Mode: REAP, Connected
Radar detected on:

L1240-4#sh lw reap status
AP Mode: REAP, Standalone
Radar detected on:

To see the “config” of the LWAPP AP :
show derived-config

When the AP is in standalone mode you can do :
L1240-4#sh lw reap association
Address : 0021.a00e.6426 Name : SEP0021A00E6426
IP Address : 192.168.35.104 Interface : Dot11Radio 1
Device : CP-7921 Software Version : NONE
CCX Version : 4 Client MFP : Off

When the AP is switching between modes you’ll see :

%LWAPP-5-CHANGED: LWAPP changed state to JOIN
or
%LWAPP-3-CLIENTERRORLOG: GOING BACK TO DISCOVER MODE
%WIDS-6-DISABLED: IDS Signature is removed and disabled.
L1240-4#
%LWAPP-5-CHANGED: LWAPP changed state to DISCOVERY

RADIUS accounting is not working when the AP is in HREAP mode.

Small tips 01

For the lab you'll have to practise, practise and of course practise….
A good way is to start over and over again on every device.

Erase the devices, make sure you have layer 3 connectivity (if needed) and then save the config to flash or a TFTP server (you can use the WCS for this).
When the WCS is empty, create a backup which you can use to restore the empty config if needed.

When you want to start with a "clean" AP or WLC, just replace the startup config with the file saved on flash, and you can start over and over again..

This saves you the time of reconfiguring layer 3 over and over again.. (Yes, it's part of the lab, but this should be known already….)

Rogue Detection

To detect rogue access points, make sure the APs are in monitor or local mode.

The Protection Type should be AP Authentication.

(See WLC Config Guide Page 453)

DHCP Pool for one client

It's possible to have a DHCP pool with a reservation for one client.

You don't have to exclude anything from the DHCP range for this, but to be sure :
ip dhcp excluded-address 10.10.10.1

Create a DHCP pool with the reservation :
ip dhcp pool CLIENT1
 host 10.10.10.2 /24
 hardware-address 00:25:22:70:11:02

The binding is keyed on the client's MAC address only, so treat it as a convenience, not an access control: any device presenting that MAC gets the same address.

To verify :
Wifi_6503#sh ip dhcp binding
IP address    Client-ID/Hardware address    Lease expiration    Type
10.10.10.2    0025.2270.1102                Infinite            Manual

Wifi_6503#ping 10.10.10.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Marking at a Switch for Voice

In the 7921 Deployment Guide you'll find on page 19 some QoS examples for voice on the network.

It's possible to narrow the match if you know the CUCM address and the voice VLAN.

Port 2000 (SCCP) is always on the CUCM side, as source or as destination.
RTP runs between the phones, with source and destination ports in the range 16384 – 32767.

(Replace <CUCM-IP> with the CUCM address and <VoiceVlan-net> <VoiceVlan-wildcard> with the voice VLAN subnet and its wildcard mask. Since port 2000 can be the source or the destination, ACL 101 needs both directions.)

access-list 101 permit tcp host <CUCM-IP> eq 2000 <VoiceVlan-net> <VoiceVlan-wildcard>
access-list 101 permit tcp <VoiceVlan-net> <VoiceVlan-wildcard> host <CUCM-IP> eq 2000
access-list 102 permit udp <VoiceVlan-net> <VoiceVlan-wildcard> range 16384 32767 <VoiceVlan-net> <VoiceVlan-wildcard> range 16384 32767
!
class-map match-all SCCP
 match access-group 101
class-map match-all RTP
 match access-group 102
!
policy-map Voice
 class SCCP
  set dscp cs3
 class RTP
  set dscp ef
!
interface FastEthernet0/4
 service-policy input Voice

If you try a
service-policy output Voice
on a 3560 switch, it won't accept the command :

SW3560(config-if)#service-policy out Voice
Warning: Assigning a policy map to the output side of an interface not supported

On a 6500 switch you can apply a service-policy in both the input and the output direction…..
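As an added example, not from the original post, this Python evaluates the two ACLs and the policy-map above against a few constructed packets, to show which flows get CS3/EF and, just as important, which don't: a host outside the voice VLAN using RTP-looking UDP ports stays unmarked, which is the point of narrowing the match to the CUCM address and the voice VLAN instead of ports alone. The CUCM address and the voice VLAN subnet are assumptions.

```python
import ipaddress
from typing import List, Optional, Tuple

# Added example, not code from the post. Addresses below are assumptions.
CUCM = ipaddress.IPv4Address("10.10.20.5")
VOICE_VLAN = ipaddress.IPv4Network("10.10.35.0/24")
SCCP_PORT = 2000
RTP_PORTS = range(16384, 32768)        # 16384 - 32767 inclusive

# (protocol, source ip, destination ip, source port, destination port)
Packet = Tuple[str, str, str, int, int]


def in_voice_vlan(ip: str) -> bool:
    return ipaddress.IPv4Address(ip) in VOICE_VLAN


def acl_101(pkt: Packet) -> bool:
    """SCCP: TCP with the CUCM on port 2000 at either end, the phone end in the voice VLAN."""
    proto, src, dst, sport, dport = pkt
    if proto != "tcp":
        return False
    cucm_to_phone = ipaddress.IPv4Address(src) == CUCM and sport == SCCP_PORT and in_voice_vlan(dst)
    phone_to_cucm = in_voice_vlan(src) and ipaddress.IPv4Address(dst) == CUCM and dport == SCCP_PORT
    return cucm_to_phone or phone_to_cucm


def acl_102(pkt: Packet) -> bool:
    """RTP: UDP, both ends in the voice VLAN, both ports inside 16384-32767."""
    proto, src, dst, sport, dport = pkt
    return (proto == "udp" and in_voice_vlan(src) and in_voice_vlan(dst)
            and sport in RTP_PORTS and dport in RTP_PORTS)


def policy_voice(pkt: Packet) -> Optional[str]:
    """policy-map Voice: the first matching class sets the DSCP; class-default does nothing here."""
    if acl_101(pkt):
        return "cs3"
    if acl_102(pkt):
        return "ef"
    return None


def mark_all(pkts: List[Packet]) -> List[Optional[str]]:
    return [policy_voice(p) for p in pkts]


# Constructed sample traffic as seen on an input policy
SAMPLES: List[Packet] = [
    ("tcp", "10.10.35.104", "10.10.20.5", 51234, 2000),    # phone -> CUCM signalling
    ("tcp", "10.10.20.5", "10.10.35.104", 2000, 51234),    # CUCM -> phone signalling
    ("udp", "10.10.35.104", "10.10.35.105", 16384, 20000), # phone <-> phone RTP
    ("udp", "10.10.40.7", "10.10.35.104", 20000, 20000),   # PC outside the voice VLAN on RTP-looking ports
    ("tcp", "10.10.35.104", "10.10.20.5", 51235, 443),     # phone -> CUCM, not SCCP
    ("udp", "10.10.35.104", "10.10.35.105", 16384, 40000), # port outside the RTP range
]

if __name__ == "__main__":
    for pkt, mark in zip(SAMPLES, mark_all(SAMPLES)):
        print(f"{pkt!s:60} -> {mark or 'unmarked'}")
```

The fourth sample is the one to watch: ports alone would have given a data host EF, the address scoping does not.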