IPexpert’s Lab Preparation Workbook Volume 2 for the Cisco® CCIE™ v2.0 Wireless Lab Exam Licensed exclusively to Peter Saltarelli [email protected]


IPexpert’s Workbook for the CCIE Wireless Lab Exam Volume 2 – Workbook

v3150 Copyright © by IPexpert, Inc. All Rights Reserved. 1

IPexpert’s Lab Preparation Workbook for the Cisco® CCIE™ Wireless Lab Exam - Volume 2

Before We Begin

This product is part of the IPexpert "Blended Learning Solution™" that provides CCIE candidates with a comprehensive training program. For information about the full solution, contact an IPexpert Training Advisor today.

Telephone: +1.810.326.1444
Email: [email protected]

Congratulations! You now possess one of the ULTIMATE CCIE™ Wireless Lab preparation resources available today! This resource was produced by senior engineers, technical instructors, and authors boasting decades of internetworking experience. Although there is no way to guarantee a 100% success rate on the CCIE™ Wireless Lab exam, we feel VERY confident that your chances of passing the Lab will improve dramatically after completing this industry-recognized Workbook!

Technical Support from IPexpert and your CCIE community!

IPexpert is proud to lead the industry with multiple support options at your disposal free of charge. Our online communities have attracted a membership of over 20,000 of your peers from around the world! At Blog.IPexpert.com you can keep up to date with everything IPexpert does, as well as start your own CCIE-focused blog or simply add your existing blog to our directory so your peers can find you. At OnlineStudyList.com, you may subscribe to multiple “SPAM-free”, CCIE-focused email lists.


Feedback

Do you have a suggestion or other feedback regarding this book or other IPexpert products? At IPexpert, we look to you – our valued clients – for the real world, frontline evaluation that we believe is necessary to improve continually. Please send an email with your thoughts to [email protected] or call 1.866.225.8064 (international callers dial +1.810.326.1444). In addition, when you pass the CCIE™ Lab exam, we want to hear about it! Email your CCIE™ number to [email protected] and let us know how IPexpert helped you succeed. We would like to send you a gift of thanks and congratulations.

Additional CCIE™ Preparation Material

IPexpert, Inc. is committed to developing the most effective Cisco CCIE™ R&S, Security, Service Provider, Voice and Wireless Lab certification preparation tools available. Our team of certified networking professionals develops the most up-to-date and comprehensive materials for networking certification, including self-paced workbooks, online Cisco hardware rental, classroom training, online (distance learning) instructor-led training, audio products, and video training materials. Unlike other certification-training providers, we employ the most experienced and accomplished team of experts to create, maintain and constantly update our products. At IPexpert, we are focused on making your CCIE™ Lab preparation more effective.

A message from the Author(s):

The scenarios covered in this workbook were developed by Wireless CCIEs to help you prepare for the Cisco CCIE Wireless laboratory. It is strongly recommended that you use other reading materials in addition to this workbook.

Training is not the CCIE Wireless workbook objective. The intent of these labs is to test your knowledge of, and ability to implement, Cisco Enterprise Wireless Solutions.

Time management is very important. If you get stuck on a lab scenario, be sure to write it down. Formulate a checklist of skipped sections and then return to those sections once you have gone through the entire lab. Be sure to revisit the questions that you do not understand.

For more information on the CCIE Wireless lab, please visit http://www.cisco.com/web/learning/le3/ccie/index.html and click on the link for Wireless on the top-right of the page.

Helpful Hints

• Keep It Simple, try to avoid any extra work (example: adding descriptions)
• Always reference everything from the Documentation Website: http://www.cisco.com/cisco/web/psa/default.html?mode=prod
• Know your SRNDs well: http://www.cisco.com/go/srnd
• Save your router configurations often (wr is the quickest command)


IPEXPERT END-USER LICENSE AGREEMENT

END USER LICENSE FOR ONE (1) PERSON ONLY

IF YOU DO NOT AGREE WITH THESE TERMS AND CONDITIONS, DO NOT OPEN OR USE THE TRAINING MATERIALS.

This is a legally binding agreement between you and IPEXPERT, the “Licensor,” from whom you have licensed the IPEXPERT training materials (the “Training Materials”). By using the Training Materials, you agree to be bound by the terms of this License, except to the extent these terms have been modified by a written agreement (the “Governing Agreement”) signed by you (or the party that has licensed the Training Materials for your use) and an executive officer of Licensor. If you do not agree to the License terms, the Licensor is unwilling to license the Training Materials to you. In this event, you may not use the Training Materials, and you should promptly contact the Licensor for return instructions. The Training Materials shall be used by only ONE (1) INDIVIDUAL who shall be the sole individual authorized to use the Training Materials throughout the term of this License.

Copyright and Proprietary Rights

The Training Materials are the property of IPEXPERT, Inc. ("IPEXPERT") and are protected by United States and International copyright laws. All copyright, trademark, and other proprietary rights in the Training Materials and in the Training Materials, text, graphics, design elements, audio, and all other materials originated by IPEXPERT at its site, in its workbooks, scenarios and courses (the "IPEXPERT Information") are reserved to IPEXPERT.

The Training Materials cannot be used by or transferred to any other person. You may not rent, lease, loan, barter, sell or time-share the Training Materials or accompanying documentation. You may not reverse engineer, decompile, or disassemble the Training Materials. You may not modify, or create derivative works based upon the Training Materials in whole or in part. You may not reproduce, store, upload, post, transmit, download or distribute in any form or by any means, electronic, mechanical, recording or otherwise any part of the Training Materials and IPEXPERT Information other than printing out or downloading portions of the text and images for your own personal, non-commercial use without the prior written permission of IPEXPERT.

You shall observe copyright and other restrictions imposed by IPEXPERT. You may not use the Training Materials or IPEXPERT Information in any manner that infringes the rights of any person or entity.

Exclusions of Warranties

THE TRAINING MATERIALS AND DOCUMENTATION ARE PROVIDED “AS IS.” LICENSOR HEREBY DISCLAIMS ALL OTHER WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, INCLUDING WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. SOME STATES DO NOT ALLOW THE LIMITATION OF INCIDENTAL DAMAGES OR LIMITATIONS ON HOW LONG AN IMPLIED WARRANTY LASTS, SO THE ABOVE LIMITATIONS OR EXCLUSIONS MAY NOT APPLY TO YOU. This agreement gives you specific legal rights, and you may have other rights that vary from state to state.

Choice of Law and Jurisdiction

This Agreement shall be governed by and construed in accordance with the laws of the State of Michigan, without reference to any conflict of law principles. You agree that any litigation or other proceeding between you and Licensor in connection with the Training Materials shall be brought in the Michigan state or courts located in Port Huron, Michigan, and you consent to the jurisdiction of such courts to decide the matter. The parties agree that the United Nations Convention on Contracts for the International Sale of Goods shall not apply to this License. If any provision of this Agreement is held invalid, the remainder of this License shall continue in full force and effect.


Limitation of Claims and Liability

ANY ACTION ON ANY CLAIM AGAINST IPEXPERT MUST BE BROUGHT BY THE USER WITHIN ONE (1) YEAR FOLLOWING THE DATE THE CLAIM FIRST ACCRUED, OR SHALL BE DEEMED WAIVED. IN NO EVENT WILL THE LICENSOR’S LIABILITY UNDER, ARISING OUT OF, OR RELATING TO THIS AGREEMENT EXCEED THE AMOUNT PAID TO LICENSOR FOR THE TRAINING MATERIALS. LICENSOR SHALL NOT BE LIABLE FOR ANY SPECIAL, INCIDENTAL, INDIRECT, OR CONSEQUENTIAL DAMAGES, HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, REGARDLESS OF WHETHER LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. WITHOUT LIMITING THE FOREGOING, LICENSOR WILL NOT BE LIABLE FOR LOST PROFITS, LOSS OF DATA, OR COSTS OF COVER.

Entire Agreement

This is the entire agreement between the parties and may not be modified except in writing signed by both parties.

U.S. Government - Restricted Rights

The Training Materials and accompanying documentation are “commercial computer Training Materials” and “commercial computer Training Materials documentation,” respectively, pursuant to DFAR Section 227.7202 and FAR Section 12.212, as applicable. Any use, modification, reproduction release, performance, display, or disclosure of the Training Materials and accompanying documentation by the U.S. Government shall be governed solely by the terms of this Agreement and shall be prohibited except to the extent expressly permitted by the terms of this Agreement.

IF YOU DO NOT AGREE WITH THE ABOVE TERMS AND CONDITIONS, DO NOT OPEN OR USE THE TRAINING MATERIALS AND CONTACT LICENSOR FOR INSTRUCTIONS ON RETURN OF THE TRAINING MATERIALS.


IPexpert’s Mock Lab training exam for the Cisco® CCIE™ Wireless Lab Exam – Volume 2

NOTE

You are encouraged to take advantage of the knowledge and support from your peers around the globe. Join onlinestudylist.com to get more community support and also official support from IPexpert.


Table of Contents

IPEXPERT END-USER LICENSE AGREEMENT
  END USER LICENSE FOR ONE (1) PERSON ONLY
  U.S. Government - Restricted Rights

LAB 1: CCIE WIRELESS VERSION 2 – A 8 HOUR TRAINING LAB
MOCK LAB 1: TOPOLOGY
LAB 1: PRE-LAB SETUP
LAB 1: PREREQUISITES:
LAB 1: TABLES
  TABLE 1: VLAN AND SUBNET TABLE
  TABLE 2: DEVICE IP ADDRESSES
LAB 1: 8 HOUR CCIE WIRELESS V2 MOCK LAB
  1.0 CONFIGURE AND TROUBLESHOOT WIRED INFRASTRUCTURE TO SUPPORT WLAN'S
  2.0 CONFIGURE AND TROUBLESHOOT INFRASTRUCTURE APPLICATION SERVICES
  3.0 CONFIGURE AND TROUBLESHOOT AUTONOMOUS DEPLOYMENT MODEL
  4.0 CONFIGURE AND TROUBLESHOOT UNIFIED DEPLOYMENT MODEL
  TABLE 3: WLC VLANS AND SSIDS
  5.0 CONFIGURE AND TROUBLESHOOT WCS
  6.0 CONFIGURE AND TROUBLESHOOT WLAN SERVICES

LAB 2: CCIE WIRELESS VERSION 2, A 8 HOUR TRAINING LAB
MOCK LAB 2: TOPOLOGY
LAB 2: PRE-LAB SETUP
LAB 2: PREREQUISITES:
LAB 2: TABLES
  TABLE 1: VLAN AND SUBNET TABLE
  TABLE 2: DEVICE IP ADDRESSES
LAB 2: 8 HOUR CCIE WIRELESS V2 MOCK LAB
TASK 1: CONFIGURE AND TROUBLESHOOT WIRED INFRASTRUCTURE TO SUPPORT WLANS
  1.1 BASIC NETWORK DETAILS
  1.2 QOS
  1.3 LAYER 2 CONFIGURATION
  1.4 TIME SYNCHRONIZATION
  1.5 MSE
TASK 2: CONFIGURE AND TROUBLESHOOT WIRED INFRASTRUCTURE TO SUPPORT WLANS


  2.1 LIGHTWEIGHT APS DISCOVERY
  2.2 LIGHTWEIGHT APS SETTINGS
  2.3 SYSLOG
TASK 3: CONFIGURE AND TROUBLESHOOT AUTONOMOUS DEPLOYMENT MODEL
  3.1 AP LOGGING
  3.2 SSID CONFIGURATION
  3.3 ADDITIONAL SETTINGS
TASK 4: CONFIGURE AND TROUBLESHOOT UNIFIED DEPLOYMENT MODEL
  4.1 CONFIGURING MO OFFICE
  4.2 CONFIGURING HEADQUARTER OFFICE
  4.3 CONFIGURING GUEST SOLUTION
TASK 5: CONFIGURE AND TROUBLESHOOT WCS
  5.1 ADDING WLCS
  5.2 ADDING MOBILITY SERVICES
  5.3 CONFIGURING WCS
TASK 6: CONFIGURE AND TROUBLESHOOT WLAN SERVICES
  6.1 RADIO MANAGEMENT
  6.2 CONTROLLER SECURITY
  6.3 VOICE SETTINGS

LAB 3: CCIE WIRELESS VERSION 2
8 HOUR TRAINING LAB 3
MOCK LAB 3: TOPOLOGY
LAB 3: PRE-LAB SETUP
LAB 3: PREREQUISITES:
LAB 3: TABLES
  TABLE 1: VLAN AND SUBNET TABLE
  TABLE 2: DEVICE IP ADDRESSES
LAB 3: 8 HOUR CCIE WIRELESS V2 MOCK LAB
  1.0 CONFIGURE AND TROUBLESHOOT WIRED INFRASTRUCTURE TO SUPPORT WLAN'S
    L2 switching in HQ:
    L3 routing:
    MO routing and switching:
    QOS:
  2.0 CONFIGURE AND TROUBLESHOOT INFRASTRUCTURE APPLICATION SERVICES
    NTP:
    AP management:
    Switching security:
  3.0 CONFIGURE AND TROUBLESHOOT AUTONOMOUS DEPLOYMENT MODEL
    Autonomous setup:


  4.0 CONFIGURE AND TROUBLESHOOT UNIFIED DEPLOYMENT MODEL
    WLC management:
  TABLE 3: WLC VLANS AND SSIDS
    AP Priming:
    Guests:
    Mobility:
    Interference and radio settings:
    AP registration security and local radius:
    Client connection testing:
    Rogue detection:
  5.0 CONFIGURE AND TROUBLESHOOT WCS
    WCS:
    MAPs:
  6.0 CONFIGURE AND TROUBLESHOOT WLAN SERVICES
    Wireless Voice:

LAB 4: CCIE WIRELESS VERSION 2
8 HOUR TRAINING LAB 4
MOCK LAB 4: TOPOLOGY
LAB 4: PRE-LAB SETUP
LAB 4: PREREQUISITES:
LAB 4: TABLES
  TABLE 1: VLAN AND SUBNET TABLE
  TABLE 2: DEVICE IP ADDRESSES
LAB 4: 8 HOUR CCIE WIRELESS V2 MOCK LAB
  1.0 CONFIGURE AND TROUBLESHOOT WIRED INFRASTRUCTURE TO SUPPORT WLAN'S
    L2 switching in HQ:
    L3 routing:
    MO routing and switching:
    QOS:
    Multicast
  2.0 CONFIGURE AND TROUBLESHOOT INFRASTRUCTURE APPLICATION SERVICES
    NTP:
    AP management:
    Switching security:
  3.0 CONFIGURE AND TROUBLESHOOT AUTONOMOUS DEPLOYMENT MODEL
    Autonomous setup:
  4.0 CONFIGURE AND TROUBLESHOOT UNIFIED DEPLOYMENT MODEL
    WLC management:
  TABLE 3: WLC VLANS AND SSIDS
    AP Priming:


    Guests:
    AP registration security and local radius:
    Client connection testing:
    Clean AIR:
5.0 CONFIGURE AND TROUBLESHOOT WCS
    WCS:
    MAPs:
6.0 CONFIGURE AND TROUBLESHOOT WLAN SERVICES
    Wireless Voice:

LAB 5: CCIE WIRELESS V2 8 HOUR TRAINING
MOCK LAB 5: TOPOLOGY
LAB 5: PRE-LAB SETUP
LAB 5: PREREQUISITES:
LAB 5: TABLES
    TABLE 1: VLAN AND SUBNET TABLE
    TABLE 2: DEVICE IP ADDRESSES
LAB 5: 8 HOUR CCIE WIRELESS V2 MOCK LAB
1.0 CONFIGURE AND TROUBLESHOOT WIRED INFRASTRUCTURE TO SUPPORT WLAN'S
    L2 switching in HQ:
    L3 routing:
    QOS:
    Multicast
2.0 CONFIGURE AND TROUBLESHOOT INFRASTRUCTURE APPLICATION SERVICES
    NTP:
    AP management:
    Switching security:
3.0 CONFIGURE AND TROUBLESHOOT AUTONOMOUS DEPLOYMENT MODEL
    Autonomous setup:
4.0 CONFIGURE AND TROUBLESHOOT UNIFIED DEPLOYMENT MODEL
    WLC management:
TABLE 3: WLC VLANS AND SSIDS
    AP Priming:
    Guests:
    AP registration security and local radius:
    Management:
    Clean AIR:
5.0 CONFIGURE AND TROUBLESHOOT WCS
    WCS:
    MAPs:


    Clean Air:
6.0 CONFIGURE AND TROUBLESHOOT WLAN SERVICES
    Wireless Voice:


Lab 1: CCIE Wireless Version 2 – an 8 hour training Lab

1.0 Configure and troubleshoot wired infrastructure to support WLAN's

2.0 Configure and Troubleshoot Infrastructure Application Services

3.0 Configure and Troubleshoot Autonomous deployment model

4.0 Configure and Troubleshoot Unified deployment model

5.0 Configure and Troubleshoot WCS

6.0 Configure and Troubleshoot WLAN Services

Lab Overview

This lab will test your knowledge of several items in the CCIE Wireless blueprint version 2. The wording of the lab questions might seem extra hard because it is meant to prepare the candidate to read between the lines. The network and WLCs are partly pre-configured in order to save time, but some of the configurations have to be altered to meet the exam requirements.

The fact that the WLCs are pre-configured doesn’t mean that there are no tasks where you have to rectify wrong pre-configs or make some small changes, both on the WLCs and the network. Those are all part of solving this lab. Throughout this lab you may expect to rectify basic IP connectivity issues on more than one occasion. This is meant to prepare the candidate not to take anything for granted and to stay focused while the lab tries to confuse you.

This lab will use ALL equipment in the LAB 1: topology. Refer to the names of the equipment on that topology.

When configuring WLANs/SSIDs, the lab refers to SSID-XX; replace XX with your pod number, where POD01 is, for example, SSID-01.

Unless otherwise indicated, use “admin” for usernames and “IPexpert123” for passwords.

It is strongly advised to read the whole lab over before you start configuring, and to read each section over briefly to refresh before you begin it. In some sections, some later tasks are better done first.

Estimated Time to Complete: 8 hours


Mock Lab 1: Topology


Lab 1: Pre-Lab Setup

Physically connect and configure your network according to Diagram 1. The switches are pre-configured with some VLANs and IP addresses.

Lab 1: Prerequisites:

This lab will rely on the network infrastructure. You will need to pre-configure the network with the base configuration files.

If using your own hardware:

Login to IPexpert.com, navigate to the “My Downloads” area, download “IPexpert Wireless Volume 1 Configs,” find the Lab 1 INITIAL Configs, and copy and paste the proper switch files to the proper devices.

If you are using Proctor Labs:

Log on to your Wireless vRack Web UI and navigate to near the top of the web page, click the “Load Lab” button and choose: IPexpert WIFI Volume 2 Workbook → Lab 1 → INITIAL


Lab 1: Tables

Table 1: VLAN and Subnet Table

VLAN  VLAN Name      Subnet         Netmask
5     Servers        10.10.210.0    /24
10    HQSwitchMgmt   10.10.10.0     /24
11    HQGuest1       10.10.11.0     /24
12    HQData1        10.10.12.0     /24
13    HQData2        10.10.13.0     /24
14    HQData3        10.10.14.0     /24
15    HQVoice1       10.10.15.0     /24
16    HQVoice2       10.10.16.0     /24
17    HQData4        10.10.17.0     /24
20    MOSwitchMgmt   10.10.20.0     /25
21    MOGuest1       10.10.21.64    /26
22    MOData1        10.10.22.128   /26
23    MOVoice1       10.10.23.192   /26
105   HQServicePort  10.10.105.0    /24
110   HQAAP          10.10.110.0    /24
111   HQWLC1         10.10.111.0    /24
112   HQWLC2         10.10.112.0    /24
113   HQLAP1         10.10.113.0    /24
114   HQLAP2         10.10.114.0    /24
120   MOWLC1         10.10.120.128  /26
121   MOLAP1         10.10.121.192  /26
999   VLAN999        n/a            n/a


Table 2: Device IP Addresses

Device  Port   Connected Device  Connected Port  IP Address
CAT1    NA     NA                                10.10.10.2
CAT2    NA     NA                                10.10.10.3
CAT3    NA     NA                                10.10.10.4
CAT4    NA     NA                                10.10.20.1
ACS     NIC1   CAT2              Fa0/11          10.10.210.5
WCS     NIC1   CAT2              Fa0/11          10.10.210.6
CME     Fa0/0  CAT1              Fa0/4           10.10.210.20
                                                 10.10.205.20 (Loop)
MSE     Eth0   CAT2              Fa0/11          10.10.210.10
WLC1    Po1    CAT2              Gi0/1           10.10.111.10
WLC2    Po1    CAT3              Gi0/1           10.10.112.10
WLC3    Po1    CAT4              Fa0/1           10.10.120.140
WLC4    Po1    CAT2              Fa0/15          10.10.112.20
AAP1    Gi0    CAT1              Fa0/2           10.10.110.100
AAP2    Fa0    CAT3              Fa0/2           10.10.110.101
LAP1    Gi0    CAT1              Fa0/1           10.10.113.x
LAP2    Fa0    CAT2              Fa0/2           10.10.114.x
LAP3    Gi0    CAT3              Fa0/3           10.10.114.x
LAP4    Gi0    CAT4              Fa0/4           10.10.121.x
LAP5    Fa0    CAT4              Fa0/5           10.10.121.x


Lab 1: 8 hour CCIE Wireless v2 Mock LAB

1.0 Configure and troubleshoot wired infrastructure to support WLAN's

L2 switching in HQ

To prepare your network we need to take extra care that the network is properly set up. All future configurations with wireless components will rely on the network to work. Please bear in mind that most wireless issues are related to the network. The Proctor Labs lab environment will have some preconfigured equipment. It is up to you to change the configuration according to the requirements in this lab.

• Cat1 will handle all VLANs and distribute them to Cat2. Cat3 will also get all VLAN changes from Cat1.
   o Use MD5 encryption to protect the VLAN database on your 3 switches.
   o Use ipexpert123 as the MD5 secret.
• Cat1 should be the root for odd numbered VLANs in the HQ.
• Cat2 should be the root for the even numbered VLANs in the HQ.
• Do not configure Cat3 for the last question above.
   o From Cat3, show commands should give the correct outcome to see where the root bridges are. Cat1 should be seen as root for odd numbered VLANs and Cat2 for even numbered VLANs.
• Configure the 2 links between Cat1 and Cat2 to appear as one STP instance.
   o Use a Cisco proprietary negotiation method.

L3 routing

Site HQ: Cat1 SVIs always have the last usable IP address from each VLAN network. Cat2 SVIs always have the next IP address below in each VLAN network. VLAN 10 should be .2 on Cat1 and .3 on Cat2. Cat3 only needs an SVI interface and IP address in VLAN10 (HQSwitchMgmt). For the Cat3 VLAN10 SVI, use IP address 10.10.10.4/24. VLAN 5 is preconfigured; don't change it, as that will ruin management access to your servers.

• Create the SVIs on your appropriate HQ switches and ensure you have connectivity between all L3 interfaces. Refer to table 1 for the VLAN IDs. HQ and MO have different VTP domains, as can be seen in table 1.
• Create a Loopback99 interface on your Cat1 with IP 10.99.99.99/32


   o Use a Cisco proprietary routing protocol to advertise Loopback99 to Cat2.
   o Only advertise loopback99 in your configuration.
   o Don't summarize the classful networks in your routing domain.
• VLAN 12 should be redundant for Cat1 and Cat2.
   o On Cat1 and Cat2, use a Cisco proprietary method to create a redundant SVI for VLAN 12.
   o The VLAN 12 virtual IP should be the next available IP address below Cat1 and Cat2.
   o Cat1 should always be the primary router for VLAN 12 and in case of failure it should revert back when things go back to normal.
• Create a DHCP pool for VLAN 12. The pool starts from .65 and ends with .125. Configure a redundant DHCP pool between Cat1 and Cat2.

MO routing and switching

• Create VLANs and SVIs for Cat4 according to table 1.
• Cat4 should not exchange VLAN configuration with other switches.
• Cat4 should participate in routing updates and exchange routing tables with HQ. Only advertise the needed networks over the routing protocol.
• Cat4 SVIs always use the first IP address per SVI.
• Don't summarize the classful networks as before.
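The addressing rules above (Cat1 takes the last usable address, Cat2 the one below it, the VLAN 12 virtual IP the next one below, Cat4 the first usable address) can be computed from Table 1 and used to check the gateways in Table 3 later in this lab. This Python sketch is an added example, not part of the workbook or its solutions guide; the function names are hypothetical, the table rows are copied from this lab as printed, and the choice of which VLANs are included is an assumption.

```python
"""Derive the Lab 1 SVI plan from Table 1 and audit Table 3 against it."""
import ipaddress

# Rows copied from Lab 1, Table 1. Assumption: VLAN 5 (preconfigured),
# VLAN 10 (addresses given explicitly) and VLAN 999 (Layer 2 only) are skipped.
HQ_VLANS = {
    11: "10.10.11.0/24", 12: "10.10.12.0/24", 13: "10.10.13.0/24",
    14: "10.10.14.0/24", 15: "10.10.15.0/24", 16: "10.10.16.0/24",
    17: "10.10.17.0/24",
}
MO_VLANS = {
    20: "10.10.20.0/25", 21: "10.10.21.64/26", 22: "10.10.22.128/26",
    23: "10.10.23.192/26", 120: "10.10.120.128/26", 121: "10.10.121.192/26",
}
# Rows copied from Table 3 exactly as printed: (device, VLAN, interface, gateway).
TABLE3 = [
    ("WLC1", 11, "10.10.11.252/24", "10.10.11.254"),
    ("WLC2", 13, "10.10.13.50/54", "10.10.13.254"),
    ("WLC2", 15, "10.10.15.50/24", "10.10.15.254"),
    ("WLC3", 22, "10.10.22.130/26", "10.10.22.129"),
    ("WLC4", 13, "10.10.13.51/24", "10.10.13.254"),
    ("WLC4", 15, "10.10.15.51/24", "10.10.15.254"),
]


def hq_svis(cidr):
    """Cat1 = last usable address, Cat2 = one below, virtual IP = one below that."""
    net = ipaddress.ip_network(cidr)
    cat1 = net.broadcast_address - 1
    return {"cat1": cat1, "cat2": cat1 - 1, "vip": cat1 - 2}


def mo_svi(cidr):
    """Cat4 = first usable address of the subnet."""
    return ipaddress.ip_network(cidr).network_address + 1


def dhcp_pool(cidr, first_octet, last_octet, reserved=()):
    """Turn last-octet bounds such as .65 to .125 into a checked address range."""
    net = ipaddress.ip_network(cidr)
    base = int(net.network_address) & 0xFFFFFF00
    start = ipaddress.ip_address(base | first_octet)
    end = ipaddress.ip_address(base | last_octet)
    low, high = net.network_address + 1, net.broadcast_address - 1
    if not (low <= start <= end <= high):
        raise ValueError(f"pool {start}-{end} is outside the usable range of {net}")
    clashes = [str(a) for a in reserved if start <= a <= end]
    if clashes:
        raise ValueError(f"pool {start}-{end} overlaps reserved {clashes}")
    return start, end, int(end) - int(start) + 1


def audit_table3(rows=TABLE3):
    """Return one message per Table 3 row that contradicts Table 1 or the SVI rules."""
    problems = []
    for device, vlan, iface_text, gw_text in rows:
        label = f"{device} VLAN {vlan}"
        try:
            iface = ipaddress.ip_interface(iface_text)
        except ValueError:
            problems.append(f"{label}: {iface_text!r} is not a valid interface address")
            continue
        gateway = ipaddress.ip_address(gw_text)
        if vlan in HQ_VLANS:
            net = ipaddress.ip_network(HQ_VLANS[vlan])
            svis = hq_svis(HQ_VLANS[vlan])
            allowed = {svis["cat1"], svis["cat2"]}
        else:
            net = ipaddress.ip_network(MO_VLANS[vlan])
            allowed = {mo_svi(MO_VLANS[vlan])}
        if iface.network != net:
            problems.append(f"{label}: {iface_text} is not in Table 1 subnet {net}")
        elif gateway not in allowed:
            problems.append(f"{label}: gateway {gateway} is not a derived SVI address")
        elif iface.ip in allowed:
            problems.append(f"{label}: {iface.ip} collides with a switch SVI")
    return problems


if __name__ == "__main__":
    for vlan, cidr in sorted(HQ_VLANS.items()):
        svis = hq_svis(cidr)
        print(f"VLAN {vlan:>3}  Cat1 {svis['cat1']}  Cat2 {svis['cat2']}")
    for vlan, cidr in sorted(MO_VLANS.items()):
        print(f"VLAN {vlan:>3}  Cat4 {mo_svi(cidr)}")
    vlan12 = hq_svis(HQ_VLANS[12])
    print("VLAN 12 virtual IP", vlan12["vip"])
    print("VLAN 12 DHCP pool", dhcp_pool(HQ_VLANS[12], 65, 125, vlan12.values()))
    for line in audit_table3():
        print("CHECK:", line)
```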

QOS

• On all routers and switches, trust layer 2 and layer 3 QoS markings where appropriate.
• Tune your CoS to DSCP mapping (and vice versa) as Cisco best practices recommend.
   o VoIP SCCP AVVID gets value of 24 (CS3) instead of the default 26 (AF31). VoIP RTP stream gets value of 46 (EF) instead of the default 40.
• The traffic from MO should have a policy that marks skinny traffic and RTP VoIP traffic.
   o Skinny is TCP port 2000.
   o RTP traffic is UDP port range 16384 to 32767.
   o It is uncertain that the ISP is marking the packets correctly over the WAN. Ensure the correct marking is maintained.


2.0 Configure and Troubleshoot Infrastructure Application Services

NTP

• Use the NTP server on WCS to synch time for all your wireless network devices including the WLCs. WCS is 10.10.210.6
• Controllers should synch time every 2 hours.
• Cat1 should be the NTP master for all switches. Use password "ipexpert" for NTP authentication. Use UTC time zone 0.
• Cat1 should answer NTP requests only on VLAN 10 and only allow switches in your network to synch time with Cat1. Cat2 uses VLAN 5 IP, Cat4 uses VLAN 20 IP and Cat3 uses VLAN10 IP address for NTP communications.
• Don't forget the autonomous APs!

AP management

HQ

• LAP2 (f0/2 on Cat2) and LAP3 (F0/3 on Cat3) should discover WLC2 and WLC4 with DHCP (don't use DNS).
   o Future APs will use the DHCP information to load balance new APs between WLC2 and WLC4. Rename the APs from their default names to the names in table 1. Subnets for those APs are listed in table 2. Configure your network accordingly.
   o Use your Microsoft DHCP server to accomplish this.
   o Exclude the range from 1 to 20 and 200 to 254.
   o Microsoft DHCP server is 10.10.210.6
• Make sure that WLC2 will be the primary and WLC4 the secondary controller for LAP2 and LAP3. Mobility group should be named HQ.
• LAP4 and LAP5 should join WLC4 with DNS lookup configured on Microsoft DNS. Set those APs on VLAN 121 on Cat4.

Switching security

• All LAP AP ports should go to STP forwarding mode immediately.
• In MO, all switch ports with access points should block traffic if BPDUs are advertised over the port.


• In HQ, all switch ports with access points should get disabled if BPDUs are advertised over the port.

3.0 Configure and Troubleshoot Autonomous deployment model

Autonomous Setup

An aluminum company has mobile cranes in their manufacturing area. Those cranes will have industrial computers on board with Ethernet ports (no wireless). You need to use AAP2 to connect the industrial computer to the wireless network.

• Make a Layer 2 only VLAN 999 on the switch connected to AAP2 to avoid loops in your network.
• AAP2 will connect to AAP1 with 802.1x security. SSID is crane-xx. Username is crane and password is aluminum.
   o AAP1 will authenticate the crane user, and the industrial PC should be on VLAN 17. As the industrial PC is not ready yet, configure DHCP on AAP2 to see DHCP work. Configure DHCP on Cat1 for VLAN 17. Exclude the first 9 addresses.
   o Use the most secure EAP option that is Cisco proprietary.
• The crane is mobile. Ensure that it only scans non-overlapping channels in your 2.4 GHz frequency, so it uses the least time to scan channels when moving around.
• Ensure that the association is reliable, so the AP disassociates clients only after 127 packets are lost.

4.0 Configure and Troubleshoot Unified deployment model

WLC management

WLC1 has its Service Port connected to Cat1.

• Connect the SP on VLAN 5. Use DHCP from Cat2 for the SP. The SP port should always get the 10.10.210.50 address. This should only work for WLC1 SP interface. Default gateway advertised by the DHCP scope should be VLAN 5 SVI on Cat1.


• It is required that users from Cat4 MOData1 can reach this SP and manage it. Pinging that address from the MOData1 VLAN should work. Remove this configuration after you have made it work. Why?
• On WLC1, guests should see the name guests.proctorlabs.com in their web browser URL when doing guest authentication. This name should resolve on your DNS server (Microsoft server 10.10.210.6) to the WLC1 virtual IP address.
• All WLCs should have IP management interfaces according to table 2. Verify it is all correct.
• Configure appropriate VLAN interfaces per WLC according to table 3.

Table 3: WLC VLANs and SSIDs

Device  Interface   WLC IP Address   Default gateway  WLAN
WLC1    Vlan 11     10.10.11.252/24  10.10.11.254     HQ-guests-XX
WLC2    Management  WLC1 Anchor      NA               HQ-guests-XX
WLC2    Vlan 13     10.10.13.50/54   10.10.13.254     Client-Vlan-XX
WLC2    Vlan 15     10.10.15.50/24   10.10.15.254     voip-5ghz-XX
WLC3    Vlan 22     10.10.22.130/26  10.10.22.129     MOData1-XX
WLC4    Management  WLC1 Anchor      NA               HQ-guests-XX
WLC4    Vlan 13     10.10.13.51/24   10.10.13.254     Client-Vlan-XX
WLC4    Vlan 15     10.10.15.51/24   10.10.15.254     voip-5ghz-XX

VLANs on Switches should already be done and working in the first part of this lab.

• The CLI prompt should represent each WLC. For example WLC1.
• Set up etherchannel for both interfaces on WLC2. Ensure that APs are load balanced across the WLC2 ports according to best practices.
• QoS needs to be tagged using 802.1p on the management VLAN of all WLCs.
• Only needed VLANs should traverse over to each WLC in the network.


AP Priming

• LAP2 and LAP3 should have redundant WLCs for WLC2 and WLC4.
• Ensure that LAP2 will be given priority over other devices when requesting PoE.

Guests

• Configure Client-Vlan11 on port 1 on WLC1.
   o Use .252 for the WLC IP address. See table 3.
• Configure WLC1 port 2 to be the primary management port connected to Cat1, and port 1 connected to Cat2 to be redundant for the WLC1 operation.
• Configure port 1 so no other VLANs are allowed except guests and for redundancy purposes (above).
• Guests should be able to ping and telnet to the .254 SVI on Cat2 and nothing else. This restriction should not be applied to the WLAN. DNS and DHCP should also work for the clients.
• Configure the WLC1 to restrict the above mentioned access. DNS server IP is 10.10.210.6
• Create the WLAN HQ-guests-xx on all HQ WLCs. HQ WLCs should transport all guest access traffic to WLC1 Vlan 11 and they should traverse out of Port1 on WLC1.
   o Use SSID HQ-guests-XX
   o No encryption
   o Web-splash page will authenticate guest users locally on WLC1
   o The guest SSID has to work on all APs in the HQ
• Guests use DHCP on WLC1. Issue a 15-address pool starting from 10.10.13.15
• Create a lobby admin account on WLC1 and with this account, create a guest user that lasts for 4 hours. Lobby account user is lobby, password Lobby123. Guest user is guest4, password ipexpert123.
• Test the connection from the Win7 client and test the telnet and ping connectivity. The laptop is reachable from the WCS server using VNC to 10.10.210.4, password IPexpert123.

Mobility

• HQ users should be able to roam seamlessly between WLC2 and WLC4. This is not needed for WLC3 in MO.
   o Use the mobility name HQ when accomplishing this.
• All HQ WLCs should check their mobility members every 15 seconds.


Interference and radio settings

On your 802.11g network, the 2.4 GHz channel 11 near LAP1 is unusable because of foreign interference. Join your LAP1 AP manually to WLC4 without DHCP or DNS information passed to the AP. LAP1 should belong to VLAN113.

• Make sure that your LAP1 uses the lowest 2.4 GHz frequency channel in the future.
• On all your controllers, change the utilization trap to trigger at 87% in your 5 GHz radio only.

AP registration security and local radius

MO should only allow LAP4 and LAP5 to join WLC3.

• Ensure that only those APs can join WLC3 and no other APs.
• Configure local radius on WLC3 for WLAN MOData1. VLAN for SSID is MOData1-XX in table 3. WLC VLAN 22 IP is 10.10.22.130/26
• Use PEAP mschapv2 authentication. Username localpeap, password localradius. Security is WPA1 with software encryption.
• Configure DHCP on WLC3 for these SSID clients. Give out the 131 and 132 addresses of the scope.
• Test connectivity with AnyConnect on your test PC.

Client connection testing

Your AnyConnect client needs to connect to the Client-Vlan13-XX WLAN in HQ. Configure your network to meet the requirements below:

• SSID Client-Vlan13-XX
   o This SSID should exist on WLC2 and WLC4. Clients should terminate at Vlan13. Table 3 shows what IP goes on the controller's VLAN13.
• Use ACS and EAP-FAST authentication. The RADIUS preshared key is ipexpert123. First SSH from the Windows machine with admin and IPexpert123, then configure a user acsadmin with password IPexpert123.
   o Set your ACS to use NTP at IP 10.10.210.6
   o Use client username tarzan with password jane
   o Allow OFDM only for this SSID.
   o Advertise 802.11i in your beacons but also enable software encryption to work over 802.11i for older clients.
   o DHCP should be set up on Cat1


   o On LAP2 this SSID should bypass the controller for data traffic and go to VLAN 12. Don't use AP-groups to make this work.
   o Configure the switch connected to LAP2 to support this scenario. LAP2 should use its current VLAN for management. DHCP for VLAN 12 is on Cat1.
• Test this configuration and see the IP address change on your AnyConnect client.

Rogue detection

Your WLC3 should detect rogue access points.

• It needs to see if open access points (no security) are on your wired network.
   o We need to detect rogue APs ASAP. Also Greenfield mode APs.
   o Make sure that one of your APs connected to WLC3 accomplishes the above.

Man-in-the-middle

Your CEO was reading an article about man in the middle attacks and is worried that your HQ Wireless system is vulnerable.

• Configure all LAPs in your HQ network to validate RF information in order to protect the integrity of your LAP APs.

5.0 Configure and Troubleshoot WCS

WCS Management

• Manage all WLCs with WCS using the most secure method.
   o Username wcs password ipexpert.123-ipexpert.123
   o Allow only this method to be used on the WLCs.


Maps

• Put LAP2 – LAP3 on the floor 1 map on your WCS. Position the APs for best coverage.
• See how AIR-ANT2450S-R antennas will perform on the LAP2 2.4 GHz radio. The antenna also has to face 25° towards the floor. Let the direction of the antenna point down the map (90°).
• Controllers shouldn't send information to WCS when the APs change their power levels.

6.0 Configure and Troubleshoot WLAN Services

Wireless Voice

On WLC2 and WLC4 in HQ:

• Deploy an SSID called voip-5ghz-XX. This will be VLAN 15. WLC IP information is in table 3. DHCP is on Cat1 and should give out the callmanager option pointing to the CME router 10.10.210.20
• Allow only 5 GHz connections on this SSID.
   o Use 802.11i encryption and ensure that Cisco 7925 phones can roam seamlessly.
   o Phone uses EAP-FAST authentication. On your ACS configure the user phone with password of ipexpert.
   o Test it from your AnyConnect.
• Make sure your phones have enough time to authenticate on the ACS so they don't accidentally time out while retrieving the PACs. Allow at least 20 seconds to pass before giving up.
• Only support 802.11e on this SSID and 7925 phones should get Platinum QoS treatment. The 802.11e clients with this SSID will get mapped with 802.1p value of 5 when they hit the wired network.
• Support 27 voice streams. Only configure the data-rates necessary.
• Deployment Guide specifies the following data rates:
   o 802.11b - Basic = 11, Optional = None
   o 802.11g - Basic = 12, Optional = 18,24
   o 802.11a - Basic = 12, Optional = 18,24
   o 802.11b/g - Basic = 11, Optional = 12,18,24
• The Cisco APs support up to 27 calls, so there is no need for any speeds greater than 24Mbps.


   o 13 Streams = 6Mbps
   o 20 Streams = 12Mbps
   o 27 Streams = 24Mbps
• Use your AnyConnect client to test the connectivity. You should be able to ping the CME router from the desktop after connecting. It should work from the AnyConnect client on the PC.

You are at the end of this marathon. It is a bit long, and somewhat longer than the actual lab, especially chapter 4, but the wording can slow you down as it might on the actual lab. So I hope this was a good exercise. Do this lab many, many times to practice speed, and work on things you want to study in the meantime.

Technical Verification and Support

To verify your configurations please review the Volume 1 Detailed Solutions Guide that you received along with this Workbook. You can also find this document in the eBook section of your www.IPexpert.com account.

Support is also available in the following ways:

IPexpert Support: www.OnlineStudyList.com
IPexpert Blog: blog.ipexpert.com
Proctor Labs Hardware Support: [email protected]


Lab 2: CCIE Wireless version 2 8 hour training Lab

1. Configure and troubleshoot wired infrastructure to support WLAN's

2. Configure and Troubleshoot Infrastructure Application Services

3. Configure and Troubleshoot Autonomous deployment model

4. Configure and Troubleshoot Unified deployment model

5. Configure and Troubleshoot WCS

6. Configure and Troubleshoot WLAN Services

Lab Overview

This lab will test your knowledge of several items in the CCIE Wireless blueprint version 2. The wording of the lab questions might seem extra hard because it is meant to prepare the candidate to read between the lines. The network and WLCs are partly pre-configured in order to save time, but some of the configurations have to be altered to meet the exam requirements.

The fact that the WLCs are pre-configured doesn’t mean that there are no tasks where you have to rectify wrong pre-configs or make some small changes, both on the WLCs and the network. Those are all part of solving this lab. Throughout this lab you may expect to rectify basic IP connectivity issues on more than one occasion. This is meant to prepare the candidate not to take anything for granted and to stay focused while the lab tries to confuse you.

This lab will use ALL equipment in the LAB 2: topology. Refer to the names of the equipment on that topology.

When configuring WLANs/SSIDs, the lab refers to SSID-XX; replace XX with your pod number, where POD01 is, for example, SSID-01.

Estimated Time to Complete: 2 hours


Unless otherwise indicated, use “admin” for usernames and “IPexpert123” for passwords.

It is strongly advised to read the whole lab over before you start configuring, and to read each section over briefly to refresh before you begin it. In some sections, some later tasks are better done first.

Estimated time to complete: 8 hours


Mock Lab 2: Topology


Lab 2: Pre-Lab Setup

• Physically connect and configure your network according to Diagram 1. The switches are pre-configured with some VLANs and IP addresses.

Lab 2: Prerequisites:

• This lab will focus on the network infrastructure. You will need to pre-configure the network with the base configuration files.

• If using your own hardware:

o Login to IPexpert.com, navigate to the “eBooks/Downloads” area, download “IPexpert Wireless Volume 2 Configs,” find the Lab 2 INITIAL Configs, and copy and paste the proper switch files to the proper devices.

• If you are using Proctor Labs:

o Log on to your Wireless vRack Web UI and navigate to near the top of the web page, click the “Load Lab” button and choose: IPexpert WIFI Volume 2 Workbook → Lab 2 → INITIAL

Lab 2: Tables

Table 1: VLAN and Subnet Table

| VLAN | VLAN Name | Subnet | Netmask |
|---|---|---|---|
| 5 | Servers | 10.10.210.0 | /24 |
| 10 | HQSwitchMgmt | 10.10.10.0 | /24 |
| 11 | HQGuest1 | 10.10.11.0 | /24 |
| 12 | HQData1 | 10.10.12.0 | /25 |
| 13 | HQData2 | 10.10.13.0 | /25 |
| 14 | HQData3 | 10.10.14.0 | /25 |
| 15 | HQVoice1 | 10.10.15.0 | /24 |
| 16 | HQVoice2 | 10.10.16.0 | /24 |
| 17 | HQData4 | 10.10.17.0 | /24 |
| 18 | HQWiredGuests | | |
| 20 | MOSwitchMgmt | 10.10.20.0 | /25 |
| 21 | MOGuest1 | 10.10.21.64 | /26 |
| 22 | MOData1 | 10.10.22.128 | /26 |
| 23 | MOVoice1 | 10.10.23.192 | /26 |
| 32 | HQData1-2 | 10.10.12.128 | /25 |
| 33 | HQData2-2 | 10.10.13.128 | /25 |
| 34 | HQData3-2 | 10.10.14.128 | /25 |
| 105 | HQService | 10.10.105.0 | /24 |
| 110 | HQAAPMgmt | 10.10.110.0 | /24 |
| 111 | HQLWAP1 | 10.10.111.0 | /24 |
| 112 | HQLWAP2 | 10.10.112.0 | /24 |
| 113 | HQLWAP3 | 10.10.113.0 | /24 |
| 114 | HQLWAP4 | 10.10.114.0 | /24 |
| 120 | MOAPMgmt | 10.10.120.128 | /26 |
| 121 | MOLWAP1 | 10.10.121.192 | /26 |
| 999 | VLAN999 | | |

Table 2: Device IP Addresses

| Device | Port | Connected Device | Connected Port | IP Address |
|---|---|---|---|---|
| CAT1 | NA | NA | | 10.10.10.2 |
| CAT2 | NA | NA | | 10.10.10.3 |
| CAT3 | NA | NA | | 10.10.10.4 |
| CAT4 | NA | NA | | 10.10.20.1 |
| ACS | NIC1 | CAT2 | Fa0/11 | 10.10.210.5 |
| WCS | NIC1 | CAT2 | Fa0/11 | 10.10.210.6 |
| CME | Fa0/0 | CAT1 | Fa0/4 | 10.10.210.20, 10.10.205.20 (Loop) |
| MSE | Eth0 | CAT2 | Fa0/11 | 10.10.210.10 |
| WLC1 | Po1 | CAT2 | Gi0/1 | 10.10.111.10 |
| WLC2 | Po1 | CAT3 | Gi0/1 | 10.10.112.10 |
| WLC3 | Po1 | CAT4 | Fa0/1 | 10.10.120.140 |
| WLC4 | Po1 | CAT2 | Fa0/15 | 10.10.112.20 |
| AAP1 | Gi0 | CAT1 | Fa0/2 | 10.10.110.100 |
| AAP2 | Fa0 | CAT3 | Fa0/2 | 10.10.110.101 |
| LAP1 | Gi0 | CAT1 | Fa0/1 | 10.10.113.x |
| LAP2 | Fa0 | CAT2 | Fa0/2 | 10.10.114.x |
| LAP3 | Gi0 | CAT3 | Fa0/3 | 10.10.114.x |
| LAP4 | Gi0 | CAT4 | Fa0/4 | 10.10.121.x |
| LAP5 | Fa0 | CAT4 | Fa0/5 | 10.10.121.x |

Lab 2: 8 Hour CCIE Wireless v2 Mock Lab

Task 1: Configure and troubleshoot wired infrastructure to support WLANs

1.1 Basic network details

• To reach any internet (i.e. behind WAN / non-local) resource, switches from the headquarters should use Cat2 as gateway, since Cat2 has the right static route towards the outside.

• When you need to create an interface on a WLC, use the last digit of the management interface to determine the last digit of your dynamic interface. For example, a WLC with a management IP of 10.10.110.10 will have all its dynamic interfaces ending in .10.

• Connectivity between all Cat switches should be fine. The Cat4 default gateway should not be specified with an IP address but with an outgoing interface on Cat4.

• The 3 client VLANs are split in 2 between Cat1 and Cat2. Make sure that the Catalysts do not operate on those VLANs as load-balanced gateways, and configure OSPF routing to make sure every switch is aware of those subnets. OSPF should use a loopback interface to identify itself to other routers, and Cat1 should be the designated router. OSPF updates should only be sent through VLAN 10 when possible.

• Make sure that only the necessary VLANs are allowed on each trunk port.

1.2 QoS

• Make sure that every port has the right QoS configuration. We want to trust layer 3 tagging of traffic on all ports susceptible to transport voice traffic.

• The traffic from the headquarters should preserve its QoS tagging across the WAN link to the remote office. It seems the ISP doesn’t preserve this tagging, so make sure that the traffic is re-tagged accordingly after crossing the WAN. Skinny uses TCP port 2000 and RTP uses the UDP port range 16384 to 32767. Make sure that you are as precise as possible and do not tag traffic that is not voice traffic.

• On Cat1, ports fa0/13 to fa0/20 inclusive will be connected to desk IP phones with laptops behind them. Those are not plugged in yet, but you need to prepare the switch port configuration so that those ports use VLAN 23 for voice traffic and VLAN 13 for the laptops. We also want those ports to be up and forwarding as soon as something is plugged into them.

1.3 Layer 2 configuration

• We want Cat1 to always be the root for all VLANs for spanning-tree purposes. If Cat1 fails, Cat2 has to be the one taking over the root role.

• We want Cat3 to never be root. Moreover, we want Cat3 to switch its links towards Cat2 in less than a second in case of failure of Cat1.

1.4 Time synchronization

• Make sure the two IOS access points synchronize their time with the WCS server.

• Cat1 should get its synchronization from the WCS server, but the other switches should get their synchronization from Cat1. They should do so using “IPexpert123” as authentication key.

• On the WLCs, make sure they synchronize their time with the WCS and that the synchronization happens every 2 hours. Also make sure that the WLCs know they are in the Pacific US time zone.

1.5 MSE

• Make sure that MSE stays in time synchronization with the WCS. Also make sure that MSE will use “admin/IPexpert123!!” as credentials for WCS to connect to it.

Task 2: Configure and troubleshoot wired infrastructure to support WLANs

2.1 Lightweight APs discovery

• LAP 2 and 3 must use the WCS server as DHCP server. That scope should give an IP with the last digit between 100 and 200 to the APs. They should learn the WLC 2 IP address through DNS discovery. Once joined, they should learn the IP address of WLC4 as well.

• LAP 1 should use the WCS server as DHCP server, but should discover WLC 4 through a DHCP option. That scope should give an IP with the last digit between 100 and 200 to the AP.

• LAP 4 and 5 need to learn through DHCP the IP addresses of controllers WLC 3 and 1. Cat4 should be the DHCP server for those access points.

• LAP 4 and 5 should have WLC3 as primary controller and WLC1 as secondary in case of failure of the remote office WLC.
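The DHCP-option discovery asked for in 2.1 uses option 43, which Cisco lightweight APs read as a type-length-value field: type 0xf1, a length of four bytes per controller, then the controller management addresses. The following is an added example, not part of the workbook or its solutions guide; the function names are illustrative and the addresses are taken from Table 2.

```python
"""Build and parse the DHCP option 43 value that Cisco lightweight APs use
for controller discovery (added example; function names are illustrative)."""
import ipaddress

WLC_TLV_TYPE = 0xF1  # sub-option type Cisco lightweight APs expect

# Management addresses taken from Table 2 of this lab.
WLC_MGMT = {
    "WLC1": "10.10.111.10",
    "WLC2": "10.10.112.10",
    "WLC3": "10.10.120.140",
    "WLC4": "10.10.112.20",
}


def encode_option43(controller_ips):
    """Return the hex string for an option 43 value listing the controllers in order."""
    if not controller_ips:
        raise ValueError("at least one controller address is required")
    packed = b"".join(ipaddress.IPv4Address(ip).packed for ip in controller_ips)
    if len(packed) > 255:
        raise ValueError("too many controllers for a one-byte length field")
    return (bytes([WLC_TLV_TYPE, len(packed)]) + packed).hex()


def decode_option43(hex_value):
    """Parse an option 43 hex string and return the controller IPs as strings.

    Dots and spaces are ignored so a value copied from a switch config
    (for example f108.0a0a.788c.0a0a.6f0a) can be pasted directly.
    Raises ValueError on a wrong type byte, a length that is not a multiple
    of four, or a length that disagrees with the payload actually present.
    """
    raw = bytes.fromhex(hex_value.replace(".", "").replace(" ", ""))
    if len(raw) < 2:
        raise ValueError("value too short for a type and a length byte")
    tlv_type, length, payload = raw[0], raw[1], raw[2:]
    if tlv_type != WLC_TLV_TYPE:
        raise ValueError(f"unexpected type 0x{tlv_type:02x}, expected 0xf1")
    if length == 0 or length % 4:
        raise ValueError(f"length {length} is not a non-zero multiple of 4")
    if length != len(payload):
        raise ValueError(f"length byte says {length}, payload has {len(payload)} bytes")
    return [str(ipaddress.IPv4Address(payload[i:i + 4])) for i in range(0, length, 4)]


def scopes_for_lab():
    """Option 43 values for the two scopes that task 2.1 says use a DHCP option."""
    return {
        # LAP1 discovers WLC4 through the option.
        "LAP1 scope": encode_option43([WLC_MGMT["WLC4"]]),
        # LAP4 and LAP5 learn WLC3 and WLC1 from the Cat4 scope.
        "LAP4/LAP5 scope": encode_option43([WLC_MGMT["WLC3"], WLC_MGMT["WLC1"]]),
    }


if __name__ == "__main__":
    for scope, value in scopes_for_lab().items():
        print(f"{scope}: option 43 hex {value} -> {decode_option43(value)}")
```

Decoding the value configured on a DHCP server and comparing it with Table 2 is a quick way to confirm that APs are being pointed at the intended controllers and nothing else.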

2.2 Lightweight APs settings

• Make sure that it is possible to connect via console to all access points with the username “admin” and password “IPexpert123”.

• Make sure that the APs know which are their preferred WLCs. Use the table below:

| AP | Primary WLC | Secondary WLC | Tertiary WLC |
|---|---|---|---|
| LAP1 | WLC4 | WLC2 | |
| LAP2 | WLC2 | WLC4 | |
| LAP3 | WLC2 | WLC4 | |
| LAP4 | WLC3 | WLC1 | |
| LAP5 | WLC3 | WLC1 | |

• Make sure that LAP1, 2 and 3 will never associate to WLC1 or WLC3.

2.3 Syslog

• Configure the autonomous access point AAP1 so that it logs the messages usually appearing on console towards the WCS, where a syslog server is installed. The AP should use the facility “local2”.

• Configure the controllers and all lightweight access points to log to the WCS syslog server as well. Controllers should use facility local3 and APs local4. They should all log up to the warning level.

Task 3: Configure and troubleshoot Autonomous deployment model

3.1 AP logging

• When we consult the Autonomous AP logs through “show log”, we notice that they don’t go back as far as we want. Double the retention capacity of the log messages shown through “show log”.

3.2 SSID configuration

• Configure a bridge SSID called “Bridge1” between AAP1 and AAP2. Make sure they use WPA2-AES to connect to each other. AAP2 should authenticate itself as “admin/IPexpert123” with EAP-FAST, and AAP1 should be the RADIUS server for this purpose. On top of the VLAN of the SSID, the bridge link should carry VLANs 11, 12 and 13. The SSID name should be visible in beacons.

3.3 Additional settings

• Make sure that AAP2 will only try to connect to AAP1. Make sure that AAP1 will only accept connections from AAP2. Make sure that the access points retry packets 16 times before giving up, but when they give up, they should not cause the link to go down.

• Configure the access points so that they use WMM, that they use the 802.11e QBSS and that they do the proper mapping between 802.1p CoS and 802.11e UP (where the voice tag is not the same number in the 2 standards).

Task 4: Configure and Troubleshoot Unified Deployment model

4.1 Configuring MO Office

• WLC3 is the remote office controller. WLC1 sits in the headquarters but is a dedicated controller serving as fallback for WLC3. The clients will be placed in VLANs 21, 22 and 23 respectively for guests, data and voice clients. You have to make sure that traffic never gets released on the headquarters side.

• We need to make sure that the clients will be placed in that VLAN even if the access points move to WLC1 because WLC3 went down.

• The SSID MOGuest will have a pre-shared key “IPexpert123” using standards with the best RC4-based encryption, as well as a web authentication portal hosted on the controller itself.

• The SSID MOData will use the best encryption standard available and will authenticate users against ACS.

• The SSID MOVoice will use a Cisco-proprietary fast roaming mechanism and the best encryption/authentication standard among those that have no fast-roaming mechanism of their own. The Cisco-proprietary fast roaming mechanism should not be mandatory to use the SSID.

4.2 Configuring Headquarter Office

• WLC 2 and 4 should be configured with the same WLANs.

• HQData SSID should use enterprise-class authentication with 802.11i encryption. It should not forward traffic into any valid subnet until the user authenticates, at which point it will select the VLAN depending on the user group. User “admin” belongs to user group “department1”; user “john” belongs to department2 and user “lisa” to department3. Users from group “department1” should be granted access to VLAN 12 or 32 depending on where they connect from (users connecting through WLC2 should use lower numbered VLANs and users connecting through WLC4 should use higher numbered VLANs). Users from group “department2” should be given access to VLAN 13 or 33 depending on the same conditions, and users from group “department3” to VLAN 14 or 34. Users should have their identity re-verified every 60 minutes and they should not be able to use a static IP address. Since we know that old clients will use this SSID, the WLC should not pay attention or take action if clients refuse to roam and stay connected at very bad signal strength. Clients of this SSID should not be able to exchange files between themselves directly.

• HQVoice SSID should use a shared-key authentication with RSN encryption. It should balance the clients between VLAN 15 and 16.

• HQGuest SSID should have no layer 2 security, a web authentication portal and place clients in VLAN 11.

4.3 Configuring Guest solution

• We need clients connected to a switchport that sits on VLAN 18 to be intercepted and presented the web authentication login page that is configured internally on WLC1. This VLAN should not be allowed in the core switches Cat1 and Cat2 and should stay at the access layer. They should get an IP address in the subnet 10.10.11.x. Configure port fa0/12 on Cat3 for such guest usage. Cat2 should be the DHCP server for VLAN 11.

Task 5: Configure and Troubleshoot WCS

5.1 Adding WLCs

• Add all WLCs to WCS.

• They should be managed with SNMPv3 and should refuse any version 2 connection attempt.

• They should be free of any community configuration and be configured with v3 username and password admin/IPexpert12345 and the strongest encryption mechanism.

5.2 Adding Mobility Services

• Create a building with one floor and create a map for that floor. The environment is a warehouse with the ceiling at 20 feet high and APs placed at 12 feet high. Place the APs in every corner of the map. You can find the floor image in the WCS c:\FTP\ folder.

• Add MSE to WCS with both location and intrusion detection service activated. Synchronize it with the map and controllers.

5.3 Configuring WCS

• Make sure that rogue APs can be seen on the map.

• Select a rogue on the map and make sure that no alerts will be sent about that rogue again and that it will not be contained by your access points.

Task 6: Configure and troubleshoot WLAN services

6.1 Radio management

• WLC1 and 3 are the only WLCs susceptible to manage Medium Office access points, while WLC 2 and 4 are the only ones to manage Headquarters access points. Make sure that WLC 2 and 4 talk to each other (but not to 1 and 3) to elect the RF leader and make RF decisions, while WLC1 and 3 talk to each other but not to 2 and 4 for those decisions.

• All WLCs should:

o Support all data rates above 11Mbps (included) on 2.4 GHz, 11Mbps being the only mandatory rate.

o Increase the power (if possible) on an AP if 5 clients are detected to be sticking with low signal.

o Never bring an AP transmission power lower than 1 dBm.

o Support all data rates above 12Mbps (included) on 5 GHz, 12Mbps being the only mandatory rate.

o Support beamforming on 11n-class access points when dealing with 11a/g clients.

o Lower the APs’ transmission power if several surrounding APs are heard at -67 or louder.

o Support phones and devices that make their transmit power variable depending on the AP power level.

o When selecting a channel for an AP, take into account the load of other Cisco APs as well as rogues in the deployment (for example, 2 APs could be on the same channel next to each other if they have relatively low load).

o If CleanAir APs, thanks to their CleanAir chipset, detect a specific source of interference, this should count in the algorithm’s decision on whether it is worth changing channel immediately.

6.2 Controller Security

• Make sure that only management subnets (VLANs 5, 111, 112, and 120 as well as the 10.10.0.0/24 subnet) can talk to WLC1. It should be inaccessible from any other subnet.
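Before the permit list from 6.2 is turned into an ACL on WLC1, it can be evaluated against the addresses in Tables 1 and 2 to see exactly which sources it admits. This is an added example, not the workbook's solution; the function names are illustrative, 10.10.0.0/24 is used exactly as the task writes it, and the addresses marked as constructed are sample hosts, not entries from the tables.

```python
"""Check which sources the 6.2 permit list for WLC1 admits (added example)."""
import ipaddress

# Subnets from Lab 2 Table 1 for the VLANs that task 6.2 names.
VLAN_SUBNETS = {
    5: "10.10.210.0/24",      # Servers
    111: "10.10.111.0/24",    # HQLWAP1
    112: "10.10.112.0/24",    # HQLWAP2
    120: "10.10.120.128/26",  # MOAPMgmt
}
EXTRA_SUBNET = "10.10.0.0/24"  # written literally in the task text

# Device addresses from Lab 2 Table 2, plus constructed sample hosts.
SOURCES = {
    "WCS": "10.10.210.6",
    "ACS": "10.10.210.5",
    "MSE": "10.10.210.10",
    "WLC2": "10.10.112.10",
    "WLC3": "10.10.120.140",
    "WLC4": "10.10.112.20",
    "CAT1": "10.10.10.2",
    "CAT4": "10.10.20.1",
    "AAP1": "10.10.110.100",
    "HQData1 client (constructed)": "10.10.12.25",
    "MOLWAP1 AP (constructed)": "10.10.121.200",
    "Host below the MOAPMgmt /26 (constructed)": "10.10.120.100",
}


def build_permit_list():
    """Return the permitted source networks as ip_network objects."""
    nets = [ipaddress.ip_network(subnet) for subnet in VLAN_SUBNETS.values()]
    nets.append(ipaddress.ip_network(EXTRA_SUBNET))
    return nets


def is_permitted(source_ip, permit_list):
    """True if source_ip falls inside any permitted network."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in permit_list)


def evaluate(sources=SOURCES):
    """Map each named source to True (admitted) or False (dropped)."""
    permit = build_permit_list()
    return {name: is_permitted(ip, permit) for name, ip in sources.items()}


def acl_entries():
    """Permit list as (address, netmask, action) rows ending in a deny-all row."""
    rows = [(str(net.network_address), str(net.netmask), "permit")
            for net in build_permit_list()]
    rows.append(("0.0.0.0", "0.0.0.0", "deny"))
    return rows


if __name__ == "__main__":
    for name, allowed in evaluate().items():
        print(f"{'permit' if allowed else 'deny  '}  {SOURCES[name]:<15} {name}")
    for row in acl_entries():
        print(row)
```

The result shows that the switch management addresses 10.10.10.2 and 10.10.20.1 and hosts in the MOLWAP1 subnet are not covered by the list as the task states it, which is worth knowing before the rule set is applied.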

6.3 Voice settings

• Ensure that both voice SSIDs follow usual VoWLAN recommendations like:

o It must support the phones sending tagged voice UP traffic.

o They should allow phones to sleep and only wake up every 2 beacons for broadcast buffered traffic.

o The APs should not do off-channel scanning (for RRM, rogue scanning purposes, etc.) in the 200ms after they last received a voice-tagged frame (and only in this case).

o The AP should block phones from initiating a new call if there is not enough bandwidth available and should therefore reserve 10% of their bandwidth for roaming devices.

o For the medium access parameters, do not use the 802.11e parameters but optimize the channel access timers for Voice. Also limit the amount of wireless retries.

Technical Verification and Support

To verify your configurations please review the Volume 1 Detailed Solutions Guide that you received along with this Workbook. You can also find this document in the eBook section of your www.IPexpert.com account.

Support is also available in the following ways:

IPexpert Support: www.OnlineStudyList.com

IPexpert Blog: blog.ipexpert.com

Proctor Labs Hardware Support: [email protected]

Lab 3: CCIE wireless version 2 8 hour training Lab 3

1.0 Configure and troubleshoot wired infrastructure to support WLAN's

2.0 Configure and Troubleshoot Infrastructure Application Services

3.0 Configure and Troubleshoot Autonomous deployment model

4.0 Configure and Troubleshoot Unified deployment model

5.0 Configure and Troubleshoot WCS

6.0 Configure and Troubleshoot WLAN Services

Lab Overview

This lab will test your knowledge of several items of the CCIE Wireless blueprint version 2. The wording of the lab questions might seem tricky, but it is supposed to prepare the candidate to read between the lines. The network and WLCs are partly pre-configured, but some of the configuration has to be altered to meet the exam requirements.

The fact that the WLCs are pre-configured doesn’t mean that there are no tasks where you have to rectify wrong pre-configs or make some changes, on the WLCs, the APs and the network. Those are all part of solving this lab. Throughout this lab you may expect to rectify basic IP connectivity issues. In this lab and the real lab we cannot take anything for granted and must stay focused.

This lab will use all equipment in the LAB 1: topology. Refer to the names of the equipment on that topology. Rectify names according to Table 2.

When configuring WLANs/SSIDs, if the lab refers to SSID-XX, replace XX with your pod number. For POD01, for example, the SSID is SSID-01.

Unless otherwise indicated, use “admin” for usernames and “IPexpert123” for passwords. When not specifically mentioned, use the 2.4 GHz frequency.

It is strongly advised to read the whole lab over before you start configuring, and to briefly read over each section again to refresh your memory. In some sections, some later tasks are better done first. Tip: WCS templates may seriously speed things up!

Estimated Time to Complete: 8 hours

Mock Lab 3: Topology

[Figure: CCIE Wireless v2 mock lab 3 topology, showing the Headquarters and Remote Office sites, the WAN and the Internet. Devices shown: Cat1, Cat2, Cat3, Cat4; WLC1 (5508), WLC2 (5508), WLC3 (2504), WLC4 (2504); LAP1 (3502i), LAP2 (1242AG), LAP3 (1042N), LAP4 (1262N), LAP5 (1242AG); AAP1 (1262N), AAP2 (1242AG); CME; Power Injector; ACS/WCS/MSE/Test PC.]

Lab 3: Pre-Lab Setup

Physically connect and configure your network according to Diagram 1. The switches are pre-configured with some VLANs and IP addresses.

Lab 3: Prerequisites:

This lab will rely on the network infrastructure. You will need to pre-configure the network with the base configuration files.

If using your own hardware:

Login to IPexpert.com, navigate to the “My Downloads” area, download “IPexpert Wireless Volume 1 Configs,” find the Lab 3 INITIAL Configs, and copy and paste the proper switch files to the proper devices.

If you are using Proctor Labs:

Log on to your Wireless vRack Web UI and navigate to near the top of the web page, click the “Load Lab” button and choose: IPexpert WIFI Volume 2 Workbook → Lab 3 → INITIAL

Lab 3: Tables

Table 1: VLAN and Subnet Table

| VLAN | VLAN Name | Subnet | Netmask |
|---|---|---|---|
| 5 | Servers | 10.10.210.0 | /24 |
| 10 | HQSwitchMgmt | 10.10.10.0 | /24 |
| 11 | HQGuest1 | 10.10.11.0 | /24 |
| 12 | HQData1 | 10.10.12.0 | /24 |
| 13 | HQData2 | 10.10.13.0 | /24 |
| 14 | HQData3 | 10.10.14.0 | /24 |
| 15 | HQVoice1 | 10.10.15.0 | /24 |
| 16 | HQVoice2 | 10.10.16.0 | /24 |
| 17 | HQData4 | 10.10.17.0 | /24 |
| 20 | MOSwitchMgmt | 10.10.20.0 | /25 |
| 21 | MOGuest1 | 10.10.21.64 | /26 |
| 22 | MOData1 | 10.10.22.128 | /26 |
| 23 | MOVoice1 | 10.10.23.192 | /26 |
| 105 | HQServicePort | 10.10.105.0 | /24 |
| 110 | HQAAP | 10.10.110.0 | /24 |
| 111 | HQWLC1 | 10.10.111.0 | /24 |
| 112 | HQWLC2 | 10.10.112.0 | /24 |
| 113 | HQLAP1 | 10.10.113.0 | /24 |
| 114 | HQLAP2 | 10.10.114.0 | /24 |
| 120 | MOWLC1 | 10.10.120.128 | /26 |
| 121 | MOLAP1 | 10.10.121.192 | /26 |
| 131 | HOAP | 192.168.100.0 | /24 |
| 999 | VLAN999 | n/a | n/a |

Table 2: Device IP Addresses

| Device | Port | Connected Device | Connected Port | IP Address |
|---|---|---|---|---|
| CAT1 | NA | NA | | 10.10.10.2 |
| CAT2 | NA | NA | | 10.10.10.3 |
| CAT3 | NA | NA | | 10.10.10.4 |
| CAT4 | NA | NA | | 10.10.20.1 |
| ACS | NIC1 | CAT2 | Fa0/11 | 10.10.210.5 |
| WCS | NIC1 | CAT2 | Fa0/11 | 10.10.210.6 |
| CME | Fa0/0 | CAT1 | Fa0/4 | 10.10.210.20, 10.10.205.20 (Loop) |
| MSE | Eth0 | CAT2 | Fa0/11 | 10.10.210.10 |
| WLC1 | Po1 | CAT2 | Gi0/1 | 10.10.111.10 |
| WLC2 | Po1 | CAT3 | Gi0/1 | 10.10.112.10 |
| WLC3 | Po1 | CAT4 | Fa0/1 | 10.10.120.140 |
| WLC4 | Po1 | CAT2 | Fa0/15 | 10.10.112.20 |
| AAP1 | Gi0 | CAT1 | Fa0/2 | 10.10.110.100 |
| AAP2 | Fa0 | CAT3 | Fa0/2 | 10.10.110.101 |
| LAP1 | Gi0 | CAT1 | Fa0/1 | 10.10.113.x |
| LAP2 | Fa0 | CAT2 | Fa0/2 | 10.10.114.x |
| LAP3 | Gi0 | CAT3 | Fa0/3 | 10.10.114.x |
| LAP4 | Gi0 | CAT4 | Fa0/4 | 10.10.121.x |
| LAP5 | Fa0 | CAT4 | Fa0/5 | 10.10.121.x |

Lab 3: 8 hour CCIE wireless v2 Mock LAB

1.0 Configure and troubleshoot wired infrastructure to support WLAN's

L2 switching in HQ:

To prepare your network we need to take extra care that the network is properly set up. All future configurations with wireless components will rely on the network. Please bear in mind that most wireless issues are related to the network. The Proctor Labs lab environment will have some preconfigured equipment. It is up to you to change the configuration according to the requirements in this lab.

• Cat1 will handle all VLANs and distribute them to Cat2. Cat3 will also get all VLAN changes from Cat1.

o Use MD5 encryption to protect the VLAN database on your 3 switches.

o Use ipexpert123 as the MD5 secret. Domain is ipexpert

• Create the VLANs in table 1 for your HQ switches.

• Cat1 should be the root for all VLANs.

• Cat2 should be the root for all VLANs if the root fails.

• Do not configure Cat3 for the last question above.

o From Cat3, “show” commands should give the correct outcome to see where the root bridges are. Cat1 should be seen as root for all VLANs and Cat2 will be the backup path. Prove that the backup path works by testing.

• Configure the 2 links between Cat1 and Cat2 to appear as one STP instance.

o Use a method that has no negotiation.

L3 routing:

• Site HQ: Do not configure or change anything that is not requested by the lab.

• Cat1’s SVI always has the first IP address in each VLAN network.

• Cat2’s SVI always has the second IP address in each VLAN network.

• For the Cat3 VLAN10 SVI, use IP address 10.10.10.4/24

• VLAN 5 IP configuration should not be changed.

• VLAN10 IP configuration should not be changed (HQSwitchMgmt).

• Create the SVIs on the appropriate HQ switches and ensure you have connectivity between all L3 interfaces. Refer to table 1 for the VLAN IDs. HQ and MO have different VTP domains, as can be seen in table 1. VLANs should flow between all 3 switches in the HQ.

• Create a Loopback99 interface on your CAT1 with IP 10.99.99.99/32

o Use a link-state, open-standard routing protocol to advertise Loopback99 to CAT2.

o Only advertise Loopback99 in your configuration.

o Don’t summarize the classful networks in your routing domain.

• VLAN 12 should be redundant for CAT1 and CAT2.

o On CAT1 and CAT2, use a Cisco proprietary method to create a redundant SVI for VLAN 12.

o The VLAN 12 virtual IP should be the next available IP address after CAT1 and CAT2.

o CAT1 should always be the primary router for VLAN12, and in case of failure it should revert back when things go back to normal.

• Create a redundant DHCP pool for VLAN12 on CAT1 and CAT2:

MO routing and switching:

• Create VLANs and SVIs for CAT4 according to table 1. CAT4 SVIs always use the first IP address per SVI. Create MO SVIs from Table 1.

• CAT4 should be ready to serve VLAN configuration to other switches. Protect the database IPexpert-MO with the password ipexpert.123

• CAT4 should not participate in routing updates and exchange routing tables with HQ. CAT4 should be able to reach any network on HQ. On HQ you need to advertise all the networks belonging to CAT4 MO. Use your routing protocol to accomplish this in your HQ switches.

QOS:

• On all routers and switches, trust layer 2 and layer 3 QoS markings where appropriate.

• Tune your CoS to DSCP mapping (and vice versa) as Cisco best practices recommend:

o VoIP SCCP AVVID gets value of 24 (CS3) instead of the default 26 (AF31). VoIP RTP stream gets value of 46 (EF) instead of the default 40.

• The traffic from MO should have a policy that marks Skinny traffic and RTP VoIP traffic, identified by the known RTP and Skinny (not encrypted) UDP and TCP ports.

o Ensure the correct marking is maintained when VoIP traffic enters MO from HQ and vice versa.

2.0 Configure and Troubleshoot Infrastructure Application Services

NTP:

• Use the NTP server on WCS to sync time for all your network devices, including the WLCs. WCS is 10.10.210.6

• Controllers should sync time every 2 hours.

• CAT1 should be the NTP master for all switches and routers. For routers and switches: use password "ipexpert" for NTP authentication. Use EST timezone -5.

• CAT1 should answer NTP requests only on VLAN10 and only allow switches and routers in your network to sync time with CAT1. CAT2 uses its VLAN5 IP, CAT4 uses its VLAN20 IP and CAT3 uses its VLAN10 IP address for NTP communications.

• Don’t forget the autonomous APs! Configure them to use the same time settings with CAT1 as the NTP server. No security is needed for the autonomous APs. Use IP information from Table 2 for the APs.

AP management:

HQ

• LAP2 (f0/2 on CAT2) and LAP3 (F0/3 on CAT3) should discover WLC2 and WLC4 with DNS (not option 43). APs should be on VLAN1134

o LAPs default gateway is 10.10.114.1

o Default name to the name in table 1. Subnets for those APs are listed in table 2. Configure your network accordingly.

o Use your Microsoft DHCP and DNS server to accomplish this.

o DNS suffix for your APs subnet should be LAPs.proctorlabs.com

o Exclude the range from 1 to 20 and 200 to 254.

o Microsoft DHCP/DNS server is 10.10.210.6

• Make sure that WLC2 is the primary and WLC4 the secondary controller for LAP2, and that WLC4 is the primary and WLC2 the secondary controller for LAP3. The mobility group should be named HQ2 for WLC2 and HQ4 for WLC4. The WLCs should have the same RF group HQ-WLC2-and-4

• LAP4 and LAP5 should join WLC4 with DHCP from CAT4. Set those APs on VLAN 121 on CAT4:

Switching security:

• All LAP AP ports (present and future) should go to STP forwarding mode immediately.

• In MO, all switchports with access points should block traffic if BPDUs are advertised over the port. The same applies to all potential host ports.

• In HQ, all switchports with access points should get disabled if BPDUs are advertised over the port. This setting needs to be the default for all host switchports so it won’t be forgotten in future tasks. You don’t want your VMware servers on CAT2 port Fa0/11 to get potentially disabled. Let that one port bypass that default setting.

3.0 Configure and Troubleshoot Autonomous deployment model

Autonomous setup:

• A cargo company has mobile fork lifters in their warehouses. Those fork lifters will have industrial computers on board with Ethernet ports (no wireless).

• You need to use AAP2 to connect the industrial computer to the wireless network.

• Make VLAN 999 a Layer 2 only VLAN on the switch AAP2 is connected to, to avoid loops in your network. Override bpduguard with bpdufilter on the f0/2 port on CAT3.

• AAP2 will connect to AAP1 with 802.1x security. SSID is fork-xx. Username is lifter and password is fork. Use the 2.4 GHz frequency.

o AAP1 will authenticate the lifter user, and the industrial PC should be on VLAN 17. As the industrial PC is not ready yet, configure DHCP on AAP2 to see the DHCP offer working. Configure DHCP on CAT1 for VLAN17. Exclude the first 9 addresses.

o Use the most secure option that is Cisco proprietary.

• The forklifter is actively mobile. Ensure that it only scans non-overlapping channels in your 2.4 GHz frequency, so it uses the least time to scan channels when moving around.

• Ensure that the association is reliable, so that the AP disassociates clients only when many packets are lost. Use the maximum reliable setting for the association to stay up.

4.0 Configure and Troubleshoot Unified deployment model

WLC management:

• WLC1 has its Service Port (SP) connected to CAT1.
• Connect the SP on VLAN 10. Use DHCP from CAT2 for the SP. The SP port should always get the 10.10.10.50 address. Default gateway is 10.10.10.2; it should be pingable from the same VLAN.
• On WLC1, guests should see the name guests.proctorlabs.com. This name should resolve on your DNS server (Microsoft server 10.10.210.6) to the WLC1 virtual IP address.
• Configure appropriate VLAN interfaces per WLC according to Table 3. (WLANs will be configured and explained in more detail later.)

Table 3: WLC VLANs and SSIDs

| Device | Interface | WLC IP Address | Default gateway | WLAN |
|---|---|---|---|---|
| WLC1 | Vlan 11 | 10.10.11.252/24 | 10.10.11.1 | HQ-guests-XX |
| WLC2 | Management | NA | NA | HQ-guests-XX |
| WLC2 | Vlan 13 | 10.10.13.50/54 | 10.10.13.1 | Client-Vlan-XX |
| WLC2 | Vlan 15 | 10.10.15.50/24 | 10.10.15.2 | voip-5ghz-XX |
| WLC2 | Vlan 12 | 10.10.12.50/24 | 10.10.12.3 | |
| WLC3 | Vlan 22 | 10.10.22.130/26 | 10.10.22.129 | MOData1-XX |
| WLC4 | Management | NA | NA | HQ-guests-XX |
| WLC4 | Vlan 13 | 10.10.13.51/24 | 10.10.13.1 | Client-Vlan-XX |
| WLC4 | Vlan 12 | 10.10.12.51/24 | 10.10.12.3 | |
| WLC4 | Vlan 15 | 10.10.15.51/24 | 10.10.15.1 | voip-5ghz-XX |

VLANs on Switches should already be done and working in the first part of this LAB.

• Set up EtherChannel for both interfaces on WLC2. Ensure that APs are load balanced over the Layer 3 network based on source and destination IP information. Do this for all switches connected to controllers.
• VLANs on the wired network should work on the wired interfaces of each WLC.


• QoS needs to be tagged on the management VLAN of all WLCs.
• Only VLANs created on WLCs should traverse the link towards the network and vice versa.

AP Priming:

• LAP1 should join WLC3. Find a way to configure a static VLAN 113 address, 10.10.113.100, for this AP. Manually join LAP1 to your WLC3. Default gateway is 10.10.113.1

Guests:

• For WLC1, guests will be directed out of Po2.
• Configure Client-Vlan11 on port 1 on WLC1.
   o Use .252 for the WLC IP address. See Table 3.
• WLC1 used to be connected with Po1 and Po2 to two separate 6509 switches with VSS configured. Now they have been replaced with 2x 3560 switches connected the same way again. Configure WLC1 port 2 to be the primary management port, connected to CAT1, and port 1 connected to CAT2. Make the management interface redundant for Po1 and Po2 WLC1 operation. The guest access should be redundant too.
• Configure port 1 so no other VLANs are allowed except guests and for management redundancy purposes (4.10).
• Create the WLAN HQ-guests-xx on all HQ WLCs. HQ WLCs should transport all guest access traffic to WLC1 Vlan 11, and it should traverse by default out of port 1 on WLC1.
• Use SSID HQ-guests-XX. There are also complaints that users from APs on WLC2, and also other users trying to roam to APs on WLC2, don't work. This problem is seen mainly on the guest SSID. Rectify the mobility config so it will be seamless.
   o No encryption.
   o The web splash page will authenticate guest users on WLC1.
   o The guest SSID has to work on all APs in the HQ. Guests need to reach the SSL VPN server on 10.10.210.6 even before they reach the splash page. Enable ICMP to work for that VPN server as well, for ease of troubleshooting.
• Guests use DHCP on WLC1. Issue a 15-address pool starting from 10.10.11.10. DNS is 10.10.210.6


• Create a lobby admin account on WLC1 and, with this account, create a guest user that lasts for 3 days. Lobby account user is lobby, password Lobby123. Guest user is guest4, password ipexpert123
• Test the HQ-guests-xx connection from the laptop: test https://10.10.210.6 without the splash login. Then try to log in through the splash page. Before the login through the splash page, the guest should NOT be able to ping 10.10.10.3, but it should work after splash web authentication. The laptop is reachable directly with VNC on 10.10.210.4, password IPexpert123

Mobility:

• HQ users should be able to roam between all controllers. Use the default Mobility names HQ1 for WLC1, HQ2 for WLC2, HQ3 for WLC3, and HQ4 for WLC4.
• All HQ WLCs should check their mobility members every 15 seconds. They should consider them dead after 60 seconds.

Interference and radio settings:

• On your 802.11g network, the 2.4 GHz channel 2452 GHz, with 2 channels above and below, is severely impacted by a nearby microwave oven located next to LAP3. These channels are unusable because of this massive interference. Make sure that your LAP3 uses the best possible 2.4 GHz frequency channel to avoid the microwave interference in the future.

AP registration security and local radius:

• MO: should only allow LAP1 to join WLC3.
• Ensure that only LAP1 can join WLC3. Create a DHCP pool for LAPs VLAN 113 on CAT2. Point to WLC3. Change LAP1 to DHCP.
• Configure local RADIUS on WLC3 for WLAN MOData1. The VLAN for SSID MOData1-XX is in Table 3. WLC VLAN 22 IP is 10.10.22.130/26
• Use PEAP MSCHAPv2 authentication. Username localpeap, password localradius. Security is WPA 802.11i with software encryption.
• Configure DHCP on WLC3 for this SSID's clients. Give out the 131 and 132 addresses of the scope.
• Test connectivity with AnyConnect on your test PC.


Client connection testing:

• Your AnyConnect client needs to connect to the Client-Vlan13-XX WLAN in HQ.
• Configure your network to meet the requirements below:
• SSID Client-Vlan13-XX
   o This SSID should exist on WLC2 and WLC4. Clients should terminate at VLAN 13. Table 3 shows what IP should be on your controller's VLAN 13. Exempt addresses 10.10.13.1 – 10.10.13.49 and 10.10.13.59 – 10.10.13.254
   o Use WPA PSK. PSK is ipExpert.123
   o Allow CCK modulation for this SSID. Exempt 5 GHz.
   o Advertise 802.11i and pre-standard WPA in your beacons, but also enable software encryption to work over 802.11i for older clients.
   o DHCP should be set up on CAT1.
   o On LAP2 this SSID should use VLAN 12. Don't use HREAP. Only let this SSID go out VLAN 12 for LAP2. DHCP is the redundant IP of VLAN 12 shared with CAT1 and CAT2. Gateway is the redundant IP of VLAN 12.
• Test this configuration and see the IP address change on your AnyConnect client.
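A check for the exemption ranges in the SSID task above, as an added example that is not part of the workbook or its solutions guide: it computes which addresses the DHCP scope can still lease, flags statically configured addresses that fall inside that range, and lists the fewest extra exclusions that remove the overlap. The addresses come from the task and Table 3; the /24 mask (taken from the WLC4 Vlan 13 row) and all function names are assumptions.

```python
"""DHCP scope audit: what stays leasable after the exclusions, and which
statically configured addresses sit inside that leasable range."""
import ipaddress

# Values from the task text and Table 3. The /24 mask is an assumption
# based on the WLC4 Vlan 13 row (10.10.13.51/24).
SUBNET = "10.10.13.0/24"
EXCLUDED = [("10.10.13.1", "10.10.13.49"), ("10.10.13.59", "10.10.13.254")]
STATICS = {
    "gateway": "10.10.13.1",
    "WLC2 Vlan 13": "10.10.13.50",
    "WLC4 Vlan 13": "10.10.13.51",
}


def leasable(subnet, excluded):
    """Return the host addresses a DHCP server may still hand out."""
    net = ipaddress.ip_network(subnet)
    blocked = set()
    for first, last in excluded:
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if lo > hi or lo not in net or hi not in net:
            raise ValueError(f"bad exclusion range {first} - {last} for {subnet}")
        blocked.update(range(int(lo), int(hi) + 1))
    return [h for h in net.hosts() if int(h) not in blocked]


def merge_ranges(addresses):
    """Collapse addresses into the fewest contiguous (first, last) ranges."""
    ranges = []
    for value in sorted({int(ipaddress.ip_address(a)) for a in addresses}):
        if ranges and value == ranges[-1][1] + 1:
            ranges[-1][1] = value          # extends the current run
        else:
            ranges.append([value, value])  # starts a new run
    return [(str(ipaddress.ip_address(lo)), str(ipaddress.ip_address(hi)))
            for lo, hi in ranges]


def audit_scope(subnet, excluded, statics):
    """Report the pool, static addresses inside it, and exclusions that fix them."""
    net = ipaddress.ip_network(subnet)
    pool = leasable(subnet, excluded)
    pool_set = set(pool)
    conflicts = {name: ip for name, ip in statics.items()
                 if ipaddress.ip_address(ip) in pool_set}
    outside = sorted(name for name, ip in statics.items()
                     if ipaddress.ip_address(ip) not in net)
    return {
        "pool": [str(h) for h in pool],
        "conflicts": conflicts,
        "outside_subnet": outside,
        "extra_exclusions": merge_ranges(conflicts.values()),
    }


if __name__ == "__main__":
    report = audit_scope(SUBNET, EXCLUDED, STATICS)
    print("leasable:", report["pool"][0], "-", report["pool"][-1],
          f"({len(report['pool'])} addresses)")
    for name, ip in report["conflicts"].items():
        print("static address inside the pool:", name, ip)
    print("exclude as well:", report["extra_exclusions"])
```

With the lab's values the leasable range is .50 to .58, and both controller interface addresses from Table 3 sit inside it.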

Rogue detection:

• Your WLC3 should detect rogue access points.
• Configure all LAPs in your HQ network to validate RF information in order to prevent spoofing of your SSID and your AP MAC addresses by man-in-the-middle attacks.

5.0 Configure and Troubleshoot WCS

WCS:

• Management:
   • Manage all WLCs with WCS using the default method. The user is admin and password IPexpert123 for all WLCs.


MAPs:

• Put your LAPs on the floor 1 map on your WCS. Position as many APs as you need for 2.4 GHz data coverage of your second floor. Your campus is 2 floors with a 500 x 500 feet span. You are instructed to expect a -80 dBm RSSI cutoff. Make sure you see it work on your WCS 2.4 GHz coverage map.
• First create a new building in your system campus and put 2 floors in it.
• LAP2 is a 1242 with an AIR-ANT5135D-R antenna for the A band, and the antenna is tilted slightly, 15° down. The AP is in the ceiling of floor 1. Let WCS know about the antenna settings. The B/G band has the same setting. LAP1 is also on floor 1, but it is at a height of 7 feet.
• Use WCS to disable association of all 802.11b clients in your network. Still allow OFDM clients on 2.4 GHz to connect at 9 Mbps and not less.
• When root is logged in, show the overall security score on the right side of your security page. This has to work when root is logged on.

6.0 Configure and Troubleshoot WLAN Services

Wireless Voice:

• On WLC2 and WLC4 in HQ:
• Deploy an SSID called voip-5ghz-XX. This will be VLAN 15. WLC IP information is in Table 3. DHCP and default gateway are on CAT1, and DHCP should give out the Cisco call manager option pointing to the CME router 10.10.210.20. Exclude addresses 10.10.15.1 – 10.10.15.10 and 10.10.15.40 – 10.10.15.70. Use Table 3 for VLAN50 IP information for each controller.
• Allow only 5 GHz connections on this SSID.
   o Use WPA 802.11i encryption and ensure that Cisco 7925 phones can inter-controller roam seamlessly.
   o Phone uses PEAP authentication. On your ACS, configure the user phone with password of ipexpert. ACS is 10.10.210.5, user acsadmin, password IPexpert123
   o For ACS, use NTP server 10.10.10.2. Allow for this communication on your CAT1 NTP server. Time zone is EST.
   o Test it from your AnyConnect.


• Only support 802.11e on this previously configured voice SSID, and 7925 phones should get Platinum QoS treatment. 802.11e clients with this SSID will get mapped with an 802.1p value of 5 when they hit the wired network.
• Only allow the necessary data rates for the phones' operation in your 5 GHz band.

You are at the end of this LAB! Should I say congratulations? :) It has hard questions when it comes to wording, but we have to be prepared to spot what the LAB wants. This will come in handy on the actual battlefield. So I hope this was a good exercise. Do this lab numerous times to practice speed, and work on things you want to study in the meantime.

Technical Verification and Support

To verify your configurations please review the Volume 1 Detailed Solutions Guide that you received along with this Workbook. You can also find this document in the eBook section of your www.IPexpert.com account.

Support is also available in the following ways:

IPexpert Support: www.OnlineStudyList.com
IPexpert Blog: blog.ipexpert.com
Proctor Labs Hardware Support: [email protected]


Lab 4: CCIE wireless version 2 8 hour training Lab 4

1.0 Configure and troubleshoot wired infrastructure to support WLAN's

2.0 Configure and Troubleshoot Infrastructure Application Services

3.0 Configure and Troubleshoot Autonomous deployment model

4.0 Configure and Troubleshoot Unified deployment model

5.0 Configure and Troubleshoot WCS

6.0 Configure and Troubleshoot WLAN Services

Lab Overview

This lab will test your knowledge on several items of CCIE Wireless blueprint version 2. The wording in the LAB questions might seem tricky, but it is supposed to prepare the candidate to read between the lines. The network and WLCs are partly pre-configured, but some of the configuration has to be altered to meet the exam requirements.

The fact that the WLCs are pre-configured doesn't mean that there are no tasks where you have to rectify wrong pre-configs or make some changes, on the WLCs, the APs and the network alike. Those are all part of solving this lab. Throughout this lab you may expect to rectify basic IP connectivity issues. In this lab and the real lab we cannot take anything for granted and must stay focused.

This lab will use all equipment in the LAB 4: topology. Refer to the names of the equipment on that topology. Rectify names according to Table 2.

When configuring WLANs/SSIDs, if the lab refers to SSID-XX, replace XX with your pod number, where POD01 is for example SSID-01.

Unless otherwise indicated, use “admin” for usernames and “IPexpert123” for passwords. When not specifically mentioned, use the 2.4 GHz frequency.

It is strongly advised to read the whole LAB over before you start configuring, and to read each section over briefly to refresh your memory. In some sections some later tasks would better be done first. Tip: WCS templates may seriously speed things up!

Estimated Time to Complete: 8 hours


Mock Lab 4: Topology


Lab 4: Pre-Lab Setup

Physically connect and configure your network according to Diagram 1. The switches are pre-configured with some VLANs and IP addresses.

Lab 4: Prerequisites:

This lab will rely on the network infrastructure. You will need to pre-configure the network with the base configuration files.

If using your own hardware:

Login to IPexpert.com, navigate to the “My Downloads” area, download “IPexpert Wireless Volume 2 Configs,” find the Lab 4 INITIAL Configs, and copy and paste the proper switch files to the proper devices.

If you are using Proctor Labs:

Log on to your Wireless vRack Web UI, navigate to near the top of the web page, click the “Load Lab” button and choose: IPexpert WIFI Volume 2 Workbook → Lab 4 → INITIAL


Lab 4: Tables

Table 1: VLAN and Subnet Table

| VLAN | VLAN Name | Subnet | Netmask |
|---|---|---|---|
| 5 | Servers | 10.10.210.0 | /24 |
| 10 | HQSwitchMgmt | 10.10.10.0 | /24 |
| 11 | HQGuest1 | 10.10.11.0 | /24 |
| 12 | HQData1 | 10.10.12.0 | /24 |
| 13 | HQData2 | 10.10.13.0 | /24 |
| 14 | HQData3 | 10.10.14.0 | /24 |
| 15 | HQVoice1 | 10.10.15.0 | /24 |
| 16 | HQVoice2 | 10.10.16.0 | /24 |
| 17 | HQData4 | 10.10.17.0 | /24 |
| 20 | MOSwitchMgmt | 10.10.20.0 | /25 |
| 21 | MOGuest1 | 10.10.21.64 | /26 |
| 22 | MOData1 | 10.10.22.128 | /26 |
| 23 | MOVoice1 | 10.10.23.192 | /26 |
| 105 | HQServicePort | 10.10.105.0 | /24 |
| 110 | HQAAP | 10.10.110.0 | /24 |
| 111 | HQWLC1 | 10.10.111.0 | /24 |
| 112 | HQWLC2 | 10.10.112.0 | /24 |
| 113 | HQLAP1 | 10.10.113.0 | /24 |
| 114 | HQLAP2 | 10.10.114.0 | /24 |
| 120 | MOWLC1 | 10.10.120.128 | /26 |
| 121 | MOLAP1 | 10.10.121.192 | /26 |
| 131 | HOAP | 192.168.100.0 | /24 |
| 999 | VLAN999 | n/a | n/a |


Table 2: Device IP Addresses

| Device | Port | Connected Device | Connected Port | IP Address |
|---|---|---|---|---|
| CAT1 | NA | NA | | 10.10.10.2 |
| CAT2 | NA | NA | | 10.10.10.3 |
| CAT3 | NA | NA | | 10.10.10.4 |
| CAT4 | NA | NA | | 10.10.20.1 |
| ACS | NIC1 | CAT2 | Fa0/11 | 10.10.210.5 |
| WCS | NIC1 | CAT2 | Fa0/11 | 10.10.210.6 |
| CME | Fa0/0 | CAT1 | Fa0/4 | 10.10.210.20, 10.10.205.20 (Loop) |
| MSE | Eth0 | CAT2 | Fa0/11 | 10.10.210.10 |
| WLC1 | Po1 | CAT2 | Gi0/1 | 10.10.111.10 |
| WLC2 | Po1 | CAT3 | Gi0/1 | 10.10.112.10 |
| WLC3 | Po1 | CAT4 | Fa0/1 | 10.10.120.140 |
| WLC4 | Po1 | CAT2 | Fa0/15 | 10.10.112.20 |
| AAP1 | Gi0 | CAT1 | Fa0/2 | 10.10.110.100 |
| AAP2 | Fa0 | CAT3 | Fa0/2 | 10.10.110.101 |
| LAP1 | Gi0 | CAT1 | Fa0/1 | 10.10.113.x |
| LAP2 | Fa0 | CAT2 | Fa0/2 | 10.10.114.x |
| LAP3 | Gi0 | CAT3 | Fa0/3 | 10.10.114.x |
| LAP4 | Gi0 | CAT4 | Fa0/4 | 10.10.121.x |
| LAP5 | Fa0 | CAT4 | Fa0/5 | 10.10.121.x |


Lab 4: 8 hour CCIE wireless v2 Mock LAB

1.0 Configure and troubleshoot wired infrastructure to support WLAN's

L2 switching in HQ:

To prepare your network we need to take extra care that the network is properly set up. All future configurations with wireless components will rely on the network. Please bear in mind that most wireless issues are related to the network. The Proctor Labs LAB environment will have some preconfigured equipment. It is up to you to change the configuration according to the requirements in this LAB.

• CAT1, CAT2 and CAT3 in HQ should have independent VLAN databases so no accidents can happen when incorrect VLAN information is distributed. The domain name should be ipexpert-local
• Create the VLANs in Table 1 for your HQ switches.
• CAT1 should be the root for all VLANs. Use the primary command.
• CAT2 should be the secondary root for all VLANs if the root fails. Use the secondary command.
• Do not configure CAT3 for the last question above.
   o From CAT3, show commands should give the correct outcome to see where the root bridges are. CAT1 should be seen as root for all VLANs and CAT2 will be the backup path. Prove that the backup path works by testing.
• Configure the 2 links between CAT1 and CAT2 to appear as one STP instance.
   o Use a method that has no negotiation.

L3 routing:

• Site HQ: Do not configure or change anything that is not requested by the LAB.
• CAT1's SVI always has the first IP address in each VLAN network.
• CAT2's SVI always has the second IP address in each VLAN network.
• VLAN 10 should be .2 on CAT1 and .3 on CAT2; don't change them.
• For the CAT3 VLAN 10 SVI, use IP address 10.10.10.4/24
• VLAN 5 IP configuration should not be changed.


• Create the SVIs on your appropriate HQ switches and ensure you have connectivity between all L3 interfaces. Refer to Table 1 for the VLAN IDs. HQ and MO have different VTP domains, as can be seen in Table 1. HQ should be able to reach all networks on CAT4. CAT4 should reach any network in HQ. Don't use a routing protocol in any of your switches. VLAN 10 on CAT1 and CAT2 is not working for some reason. Find out why and rectify. CAT1 will have the first IP in each SVI and CAT2 should have the second IP in each SVI (apart from VLANs already created on the switches).
• Create a DHCP pool for VLAN 12 on CAT1; don't give out addresses from .1 to .60. Default gateway is .2

MO routing and switching:

• Create VLANs and SVIs for CAT4 according to Table 1.
• CAT4 should have a standalone VLAN configuration and not exchange VLAN information with other switches. VTP domain should be MO4.

QOS:

• On all routers and switches, trust Layer 2 and Layer 3 QoS markings where appropriate.
• Tune your CoS to DSCP mapping (and vice versa) as Cisco best practices recommend.
• VoIP SCCP AVVID gets a value of 24 (CS3) instead of the default 26 (AF31). VoIP RTP stream gets a value of 46 (EF) instead of the default 40.

Multicast:

• MO WLC 3 should advertise a multicast group for its locally registered APs. Use 239.x.x.x where x is the last 3 digits in the MO WLC 3 management IP. All CAT4 VLANs should have multicast routing enabled for CAT4. Use a method that doesn't flood your network, as it should be built for growth later. On your CAT4, use an RP address of 10.99.254.254/30. When the IGMP timeout expires (70 seconds), the controller sends a query to all WLANs. Those clients which are listening in the multicast group should send a packet back to the controller.
• The traffic from MO should have a policy that marks skinny traffic and RTP VoIP traffic with the known UDP and TCP ports for RTP and Skinny (not encrypted).
   o Ensure the correct marking is maintained when VoIP traffic enters MO from HQ and vice versa.


2.0 Configure and Troubleshoot Infrastructure Application Services

NTP:

• Use the NTP server on WCS to synch time for all your network devices including the WLCs. WCS is 10.10.210.6
   o Controllers should synch time every 2 hours.
   o CAT1 should be the NTP master for all switches and routers. For routers and switches: use password "ipexpert" for NTP authentication. Use EST timezone -5.
   o CAT1 should answer NTP requests only on VLAN 10 and only allow switches and routers in your network to synch time with CAT1. CAT2 uses its VLAN 5 IP, CAT4 uses its VLAN 20 IP and CAT3 uses its VLAN 10 IP address for NTP communications.
• Configure NTP for the autonomous APs. Point to CAT1 10.10.10.2 and use timezone EST -5

AP management: HQ

• LAP2 (f0/2 on CAT2) and LAP3 (F0/3 on CAT3) should discover WLC2 and WLC4 with DHCP on CAT1. Default gateway is .1
   o Rename the APs from their default name to the name in Table 1. Subnets for those APs are listed in Table 2. Configure your network accordingly. This should be done for all other LAP APs.
   o Exclude the range from 1 to 20 and 200 to 254.
• Make sure that WLC2 will be the primary controller for LAP2 and WLC4 the primary controller for LAP3. Mobility group should be named HQ2 for WLC2 and HQ4 for WLC4. LAP2 and LAP3 need to fail over if the primary controller fails. LAP2 secondary is WLC4 and LAP3 secondary is WLC2.
• LAP4 and LAP5 should join WLC3 with DHCP from CAT4. You are forbidden to enter option 43 or DNS on your MS DHCP. Also, you can't use the AP CLI to manually join them. Use the network to deliver the LAP management traffic to WLC3. Set those APs on VLAN 121 on CAT4:


Switching security:

• All MO LAP AP ports should go to STP forwarding mode immediately, but don't risk spanning-tree loops later on if some switch is connected to those ports.
• In HQ, all switchports with LAP access points should block traffic if Bridge Protocol Data Units are advertised over the port.

3.0 Configure and Troubleshoot Autonomous deployment model

Autonomous setup:

• A law firm has 2 buildings. One building has a wireless bridge, AAP2, to connect to the HQ LAN through AAP1.
• Make AAP2 and AAP1 belong to the AAP management VLAN 110. The AAP2 BVI1 interface has to be reachable only over the bridge link. Behind AAP2, VLAN 14 needs to traverse the bridge link over to the HQ network. 10.10.14.2 is on CAT2. This will be tested as if it was behind AAP2. The end result is CAT1 pinging over the bridge link to 10.10.14.2 behind AAP2. Use 2.4 GHz.
• AAP2 will connect to AAP1 with the most secure Cisco proprietary 802.1x method. SSID is lawfirm-xx. Username is lawyer and password is fresnelzone. AAP1 will authenticate the lawyer user.
• No FTP traffic should be allowed over the bridge link during business hours, 9am to 5pm, Monday – Friday.

4.0 Configure and Troubleshoot Unified deployment model

WLC management:

• On WLC1, guests should be transported from the other HQ controllers to WLC1. Prepare the configuration so the WLAN can be directed directly to WLC1 in the future. WLC1 default mobility domain should be HQ1, WLC2 HQ2, WLC3 HQ3, and WLC4 HQ4.
• Configure appropriate VLAN interfaces per WLC according to Table 3.


Table 3: WLC VLANs and SSIDs

| Device | Interface | WLC IP Address | Default gateway | WLAN |
|---|---|---|---|---|
| WLC1 | Vlan 11 | 10.10.11.252/24 | 10.10.11.1 | HQ-guests-XX |
| WLC2 | Management | NA | NA | HQ-guests-XX |
| WLC2 | Vlan 13 | 10.10.13.50/54 | 10.10.13.1 | Client-Vlan-XX |
| WLC2 | Vlan 15 | 10.10.15.50/24 | 10.10.15.1 | voip-6ghz-XX |
| WLC3 | Vlan 22 | 10.10.22.130/26 | 10.10.22.129 | MOData1-XX |
| WLC4 | Management | NA | NA | HQ-guests-XX |
| WLC4 | Vlan 13 | 10.10.13.51/24 | 10.10.13.1 | Client-Vlan-XX |
| WLC4 | Vlan 15 | 10.10.15.51/24 | 10.10.15.1 | voip-6ghz-XX |

VLANs on Switches should already be done and working in the first part of this LAB.

• Set up EtherChannel for both interfaces on WLC2. Ensure that APs are load balanced over the Layer 3 network based on source and destination IP information.
• QoS needs to be tagged on the management VLAN of all WLCs.
• Only VLANs created on WLCs should traverse the link towards the network and vice versa.

AP Priming:

• LAP1 should have redundant WLCs: WLC2 and WLC4. WLC4 is primary. Join the AP manually from its console, but allow it to get a DHCP address from CAT2. Refer to Table 2 for IP information and VLAN. Default gateway is 10.10.113.2
• Users with Apple computers complain that they can't switch SSIDs on their computers. The WLC reports they are connected, but the client doesn't seem to notice. Rectify the issue with one setting on all controllers.


Guests:

• WLC1 guest traffic for VLAN 11 should exit to Po2 by default, but Po1 if Po2 goes down.
• Configure WLC1 port 1 to be the primary management port connected to CAT2. Ensure that only existing VLANs traverse the switch ports. Guest VLAN is VLAN 12.
• Create the WLAN HQ-guests-xx on all HQ WLCs. HQ WLCs should transport all guest access traffic to WLC1 Vlan 11. No encryption.
   o Don't allow static IP addressing of clients.
   o Timeout is 4 hours.
   o Do not advertise the Aironet Information Element, to avoid interoperability issues with various guest equipment.
   o Delivery traffic indication message should be every 5 beacons on 2.4 GHz connections.
   o The guest SSID has to work on all APs in the HQ. Users should have the option of entering their email address on the splash page and connecting after that.
• Guests use DHCP on CAT1. Issue a 15-address pool starting from 10.10.11.10. Default gateway is CAT1 SVI VLAN 11. DNS is 10.10.210.6
• Test the connection from the Win7 PC. The PC is reachable directly with VNC from the WCS server on 10.10.210.4, password IPexpert123

AP registration security and local radius:

• Configure your ACS to be used on WLC3 for WLAN MOData1. The VLAN for SSID MOData1-XX is in Table 3. WLC VLAN 22 IP is 10.10.22.130/26. LAP4 should send its users to VLAN 23. Don't use AP groups. DHCP for VLAN 23 is configured on CAT4.
• Use EAP-FAST authentication. Username fast, password faster. Security is WEP 128 bit.
• Configure DHCP on your Microsoft DHCP server for the clients of the SSID above. Give out the 131 and 132 addresses of the scope. Also ensure the VLAN 23 users get DHCP as well, with the same parameters.
• Test connectivity to MOdata1-xx with AnyConnect on your test PC.


Client connection testing:

• Your AnyConnect client needs to connect to the Client-Vlan13-XX WLAN in HQ.
• Configure your network to meet the requirements below:
• SSID Client-Vlan13-XX
   o This SSID should exist on WLC2 and WLC4. Clients should terminate at VLAN 13. Table 3 shows what IP should be on your controller's VLAN 13.
   o Use WPA Enterprise with AES encryption. Use 802.1x security and PEAP authentication on your ACS server.
   o Username Client-peap, password ipexpert123
   o DHCP server is the Microsoft DHCP server. Gateway is .1
   o Configure the DHCP so there will be no conflict, with the fewest exclusions possible.
• For this SSID you have a strange requirement from your customer. He (a guy in a white coat with the mad scientist look and a very narrow interest in radio waves) shows you Spectrum Expert screenshots of square-top-looking waves. He mentions he doesn't want the round-top waves to show in his environment, as he claims they slow down the network. Make sure that the necessary controllers have the setting to fulfill this strange request. The customer doesn't have any other explanation than this picture.
• Test this on your AnyConnect client.

Clean AIR:

• Your WLC4 should detect and report microwave ovens and Bluetooth devices on capable access points in the 2.4 GHz frequency.
• For capable access points, monitor and dynamically avoid Bluetooth and microwave oven interference. There is no requirement for anything else available. The event-driven Radio Resource Management should be set to the highest value.


5.0 Configure and Troubleshoot WCS

WCS:

Management:

• Manage all WLCs with WCS using version 2 of Simple Network Management Protocol. No other methods should be available. Use the name ipexpert.snmp for your name. Only WCS should be able to control or read the WLCs.

MAPs:

• Put LAP1, LAP2, LAP3, LAP4 and LAP5 on the Campus IPX, building1, floor1 map on your WCS. Position the APs for best location tracking. Configure your mobility services so you see live WiFi clients on your map. Campus is 1000 by 1000 feet. Building is 500 by 900 feet. Floor is 200 by 100 feet. Horizontal number first. MSE IP is 10.10.210.10; use an encrypted method for WCS to communicate with MSE.
• Clean air: Locate and report CleanAir interference in MSE. Gather history related to interference and client stations. Display all interferers on your WCS map.

6.0 Configure and Troubleshoot WLAN Services

Wireless Voice:

• On WLC2 and WLC4 in HQ:
• Deploy SSID voip-6ghz-XX. Terminate at VLAN 15. WLC IP information is in Table 3. DHCP is on CAT1 and should give out the call manager option pointing to the CME router 10.10.210.20. Default gateway is the CAT1 VLAN 15 SVI. Take care of IP conflicts in your DHCP configuration.
   o Allow only 5 GHz connections on this SSID.
   o Use WPA encryption and ensure that Cisco 7925 phones can roam seamlessly. Your phone 7921 has load 1.3.(4). Allow for better battery usage on your CCX compatible phones.
   o Phone uses EAP-FAST authentication. On your ACS, configure the user phone with password of ipexpert


   o Test it from your AnyConnect.
• Some of your WiFi phones on WLC2 and WLC4 will use SIP, and not all of them will be Cisco phones. Some might be iPhone or Android devices. You need to QoS mark the packets by recognizing SIP call setup messages no matter what TCP ports they use. Use this setting on your controller that has the voice SSID configured above.

You are at the end of LAB 4. It is a bit difficult to finish in 8 hours. The harder the training, the easier the battle. The question phrasing can slow you down, as it might on the actual LAB. So I hope this was a good exercise. Do this lab many times to practice speed, and work on things you want to improve in the meantime. I recommend having a LAB strategy in place that you practice when you take this LAB, because this LAB is built up from the blueprint sections and hopefully prepares you for the actual LAB.

Technical Verification and Support

To verify your configurations please review the Volume 1 Detailed Solutions Guide that you received along with this Workbook. You can also find this document in the eBook section of your www.IPexpert.com account.

Support is also available in the following ways:

IPexpert Support: www.OnlineStudyList.com
IPexpert Blog: blog.ipexpert.com
Proctor Labs Hardware Support: [email protected]


Lab 5: CCIE Wireless v2 8 hour training

1.0 Configure and troubleshoot wired infrastructure to support WLAN's

2.0 Configure and Troubleshoot Infrastructure Application Services

3.0 Configure and Troubleshoot Autonomous deployment model

4.0 Configure and Troubleshoot Unified deployment model

5.0 Configure and Troubleshoot WCS

6.0 Configure and Troubleshoot WLAN Services

Lab Overview

This lab will test your knowledge on several items of CCIE Wireless blueprint version 2. In this lab we use a scoring system of maximum 100 points. 85 points and above will be considered a pass. A good idea is to define and use your LAB exam strategy to practice and fine tune to prepare for the real battle. This will help in your time management that is essential to pass!

This lab will use all equipment in the LAB 1: topology. Refer to the names of the equipment on that topology.

When configuring WLANs/SSIDs, the lab refers to SSID-XX; replace XX with your pod number, where POD01 is, for example, SSID-01.

Unless otherwise indicated, use “admin” for usernames and “IPexpert123” for passwords.

Estimated Time to Complete: 8 hours

Mock Lab 5: Topology

Lab 5: Pre-Lab Setup

Physically connect and configure your network according to Diagram 1. The switches are pre-configured with some VLANs and IP addresses.

Lab 5: Prerequisites:

This lab will rely on the network infrastructure. You will need to pre-configure the network with the base configuration files.

If using your own hardware: Login to IPexpert.com, navigate to the “My Downloads” area, download “IPexpert Wireless Volume 1 Configs,” find the Lab 3 INITIAL Configs, and copy and paste the proper switch files to the proper devices.

If you are using Proctor Labs: Log on to your Wireless vRack Web UI, click the “Load Lab” button near the top of the web page, and choose: IPexpert WIFI Volume 2 Workbook → Lab 5 → INITIAL

Lab 5: Tables

Table 1: VLAN and Subnet Table

| VLAN | VLAN Name | Subnet | Netmask |
|---|---|---|---|
| 5 | Servers | 10.10.210.0 | /24 |
| 10 | HQSwitchMgmt | 10.10.10.0 | /24 |
| 11 | HQGuest1 | 10.10.11.0 | /24 |
| 12 | HQData1 | 10.10.12.0 | /24 |
| 13 | HQData2 | 10.10.13.0 | /24 |
| 14 | HQData3 | 10.10.14.0 | /24 |
| 15 | HQVoice1 | 10.10.15.0 | /24 |
| 16 | HQVoice2 | 10.10.16.0 | /24 |
| 17 | HQData4 | 10.10.17.0 | /24 |
| 20 | MOSwitchMgmt | 10.10.20.0 | /25 |
| 21 | MOGuest1 | 10.10.21.64 | /26 |
| 22 | MOData1 | 10.10.22.128 | /26 |
| 23 | MOVoice1 | 10.10.23.192 | /26 |
| 105 | HQServicePort | 10.10.105.0 | /24 |
| 110 | HQAAP | 10.10.110.0 | /24 |
| 111 | HQWLC1 | 10.10.111.0 | /24 |
| 112 | HQWLC2 | 10.10.112.0 | /24 |
| 113 | HQLAP1 | 10.10.113.0 | /24 |
| 114 | HQLAP2 | 10.10.114.0 | /24 |
| 120 | MOWLC1 | 10.10.120.128 | /26 |
| 121 | MOLAP1 | 10.10.121.192 | /26 |
| 131 | HOAP | 192.168.100.0 | /24 |
| 999 | VLAN999 | n/a | n/a |

Table 2: Device IP Addresses

| Device | Port | Connected Device | Connected Port | IP Address |
|---|---|---|---|---|
| CAT1 | NA | NA | | 10.10.10.2 |
| CAT2 | NA | NA | | 10.10.10.3 |
| CAT3 | NA | NA | | 10.10.10.4 |
| CAT4 | NA | NA | | 10.10.20.1 |
| ACS | NIC1 | CAT2 | Fa0/11 | 10.10.210.5 |
| WCS | NIC1 | CAT2 | Fa0/11 | 10.10.210.6 |
| CME | Fa0/0 | CAT1 | Fa0/4 | 10.10.210.20, 10.10.205.20 (Loop) |
| MSE | Eth0 | CAT2 | Fa0/11 | 10.10.210.10 |
| WLC1 | Po1 | CAT2 | Gi0/1 | 10.10.111.10 |
| WLC2 | Po1 | CAT3 | Gi0/1 | 10.10.112.10 |
| WLC3 | Po1 | CAT4 | Fa0/1 | 10.10.120.140 |
| WLC4 | Po1 | CAT2 | Fa0/15 | 10.10.112.20 |
| AAP1 | Gi0 | CAT1 | Fa0/2 | 10.10.110.100 |
| AAP2 | Fa0 | CAT3 | Fa0/2 | 10.10.110.101 |
| LAP1 | Gi0 | CAT1 | Fa0/1 | 10.10.113.x |
| LAP2 | Fa0 | CAT2 | Fa0/2 | 10.10.114.x |
| LAP3 | Gi0 | CAT3 | Fa0/3 | 10.10.114.x |
| LAP4 | Gi0 | CAT4 | Fa0/4 | 10.10.121.x |
| LAP5 | Fa0 | CAT4 | Fa0/5 | 10.10.121.x |

Lab 5: 8 hour CCIE wireless v2 Mock LAB

1.0 Configure and troubleshoot wired infrastructure to support WLAN's

L2 switching in HQ:
• The Proctor Labs LAB environment will have some preconfigured equipment. It is up to you to change configuration according to the requirements in this LAB.
• CAT1, CAT2 and CAT3 in HQ should have independent VLAN databases so no accidents can happen if incorrect VLAN information is distributed. The domain name should be ipexpert-standalone
• Configure the 2 links between CAT1 and CAT2 to appear as a 2 gigabit connection.

L3 routing:
o Site HQ: Do not configure or change anything that is not requested by the LAB.
o CAT1’s SVI always has the first IP address from each VLAN network.
o CAT2’s SVI always has the second IP address in each VLAN network.
o VLAN 10 should be .2 on CAT1 and .3 on CAT2; don’t change them.
o For CAT3 VLAN10 SVI, use IP address 10.10.10.4/24
o VLAN 5 IP configuration should not be changed.
o CAT1 needs to reach WCS. Don’t use a routing protocol to accomplish this. CAT2 needs to reach all networks on MO. Use EIGRP. MO should have default route distributed via the routing protocol. Let only the SVI interfaces be advertised in your EIGRP configuration.
o Use the DHCP pool for VLAN12 on CAT1, don’t give out addresses from .1 to .60. Default gateway is .2.

• CAT4 should be ready to exchange and serve VLAN configuration to other switches. VTP domain should be MO4. Prepare VLAN22 for IPv6 connectivity using IPv6 with DHCP functionality on CAT4. This will be needed later for clients connecting to WLC3 MOData1-xx SSID. Use any link local address you like.

QOS:
• On all routers and switches, trust layer2 and layer3 QOS markings where appropriate. Between switches trust layer2 QOS tagging.
• Tune your COS to DSCP mapping (and vice versa) as Cisco best practices recommend.
• VoIP SCCP AVVID gets value of 24 (CS3) instead of the default 26 (AF31). VoIP RTP stream gets value of 46 (EF) instead of the default 40.

Multicast
• MO WLC 3 should advertise multicast group for its locally registered APs. Use 239.x.x.x where x is the last 3 digits in MO WLC 3 Management IP. All CAT4 VLANs should have multicast routing enabled for CAT4. Use a method that doesn’t flood your network as it should be built for growth later. On your CAT4, use RP address of 10.99.254.254/30. When the IGMP timeout expires (70 seconds), the controller sends a query to all WLANs. Those clients which are listening in the multicast group should send a packet back to the controller.
• The traffic from MO should have a policy that marks skinny traffic and RTP VOIP traffic with the RTP and Skinny (not encrypted) known UDP and TCP ports.
• Ensure the correct marking is maintained when VoIP traffic enters MO from HQ and vice versa.
• There will be phones on CAT3 ports 12-19. Voice VLAN is 16.
• We don’t trust marking over the “cloud” network between MO CAT4 and HQ CAT2. We need to ensure that voice traffic (skinny and sccp) will be marked correctly between MO and HQ. Make a policy that marks this traffic correctly.

2.0 Configure and Troubleshoot Infrastructure Application Services

NTP:
• Use NTP server on WCS to synch time for all your network devices including the WLCs. WCS is 10.10.210.6
• Controllers should synch time every 2 hours.
• CAT1 should be the NTP master for all switches and routers. For routers and switches: use password "ipexpert" for NTP authentication. Use EST timezone -5. Use authentication for your switches.

• CAT1 should answer NTP requests only on VLAN10 and only allow switches and routers in your network to synch time with CAT1. CAT2 uses VLAN10 IP, CAT4 uses VLAN20 IP and CAT3 uses VLAN10 IP address for NTP communications.
• Allow your ACS 10.10.210.5 to use the NTP on WCS.
• Fix any connectivity issues on WLC1 and other WLCs if there is a problem reaching the NTP server.
• Configure NTP for the autonomous APs. Point to CAT1 10.10.10.2 and use timezone EST -5. Fix any network connectivity issues the AAPs might have.

AP management: HQ

• LAP2 (f0/2 on CAT2) and LAP3 (F0/3 on CAT3) should discover WLC2 and WLC4 with DHCP on CAT1. Default gateway is .1

• Rename the APs from their default name to the name in table 1. Subnets for those APs are listed in table 2. Configure your network accordingly.
• Exclude the range from 1 to 20 and 200 to 254.
• Make sure that WLC2 will be primary controller for LAP2 and WLC4 primary controller for LAP3. Mobility group should be named HQ2 for WLC2 and HQ4 for WLC4. LAP2 and LAP3 need to fail over between those controllers if the primary controller fails. Make sure APs fall back to their primary controller when possible. Fix any network issues that the WLCs might have.
• LAP4 and LAP5 should join WLC3. LAP4 with DHCP from your CAT4 DHCP server. LAP5 should have manually configured IP as 10.10.121.210 and WLC3 needs to be manually entered for LAP5 to join WLC3.
• LAP4 and LAP5 are the only APs allowed to join WLC3 with authentication from the ACS server. Set those APs on VLAN 121 on CAT4. Some parts are preconfigured and need to work. Network might need to be rectified to meet the requirements. Rename the access points to reflect Table 2.

Switching security:
• All MO LAP AP Ports should go to STP Forwarding mode immediately with minimum risk.
• In HQ All switchports with LAP access points should get ip address in the fastest way possible, also block traffic if Bridge Protocol Data Units are advertised over the port. This should be default for all host ports.
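An added check for the two switching-security tasks above, not part of the workbook or its solutions guide: it reads a switch configuration and reports AP ports on which PortFast or BPDU guard does not take effect, counting both per-port commands and the global defaults. The sample configuration is constructed (ports and VLAN follow Table 2 and the AP management task), the function names are this example's own, and the commands are the classic Catalyst IOS forms.

```python
import re

# Constructed sample, not one of the workbook's initial configs: CAT4 with the
# two MO AP ports from Table 2 (LAP4 on Fa0/4, LAP5 on Fa0/5) and one trunk.
SAMPLE_CAT4 = """\
spanning-tree portfast bpduguard default
!
interface FastEthernet0/1
 switchport mode trunk
!
interface FastEthernet0/4
 switchport access vlan 121
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/5
 switchport access vlan 121
 switchport mode access
 spanning-tree bpduguard disable
"""


def parse_config(text):
    """Split a running-config into global lines and per-interface line lists."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        match = re.match(r"interface (\S+)$", line)
        if match:
            current = interfaces.setdefault(match.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:                      # "!" or any unindented line ends the block
            current = None
            if line and line != "!":
                global_lines.append(line)
    return global_lines, interfaces


def stp_edge_state(global_lines, port_lines):
    """Return (portfast, bpduguard) as they take effect on one port."""
    trunk = "switchport mode trunk" in port_lines   # simplification: explicit trunks only
    if "spanning-tree portfast disable" in port_lines:
        portfast = False
    elif "spanning-tree portfast trunk" in port_lines:
        portfast = True
    elif "spanning-tree portfast" in port_lines:
        portfast = not trunk       # without 'trunk' it applies to access ports only
    else:
        portfast = "spanning-tree portfast default" in global_lines and not trunk
    if "spanning-tree bpduguard enable" in port_lines:
        guard = True
    elif "spanning-tree bpduguard disable" in port_lines:
        guard = False
    else:                          # the global default covers PortFast ports only
        guard = portfast and "spanning-tree portfast bpduguard default" in global_lines
    return portfast, guard


def audit_ports(text, ports):
    """Return {port: [missing features]} for ports that are not fully protected."""
    global_lines, interfaces = parse_config(text)
    findings = {}
    for port in ports:
        portfast, guard = stp_edge_state(global_lines, interfaces.get(port, []))
        missing = [n for n, ok in (("portfast", portfast), ("bpduguard", guard)) if not ok]
        if missing:
            findings[port] = missing
    return findings
```

On the constructed sample, `audit_ports(SAMPLE_CAT4, ["FastEthernet0/4", "FastEthernet0/5"])` flags only Fa0/5: the global BPDU guard default never reaches it, because the port has no PortFast and carries an explicit per-port disable.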

3.0 Configure and Troubleshoot Autonomous deployment model

Autonomous setup:
• A customer company has 2 Autonomous APs AAP1 and AAP2.
• AAP1 will connect to WLC1 as a WGB (SSID WGB-xx)
• AAP1 connects to APs on WLC4 on LAP1. Join LAP1 to WLC4
• Terminate the AAP1 access on WLC1 VLAN11 port 1 (on CAT2)
• For SSID WGB-xx use WPA2 Advanced Encryption Standard PSK of cisco!cisco
• DHCP is on CAT1.
• Use 2,4 GHz for this.
• WLC1 default group should be HQ1 and WLC5 default mobility group should be HQ5.
• Avoid loops in your network.
• CAT2 should be able to ping the AAP1.
• Set 10.10.11.3 on AAP1 BVI1 interface.
• Exempt vlan11 on the AAP1 trunk port to ensure the ping will flow wirelessly from Cat2 to AAP1 BVI1 interface through LAP1. Fix any BPDU issues that AAP1 might have but don’t change the defaults configured before
• AAP1 will connect users on 5 GHz radio using SSID aap1-xx and 802.11i encryption.
• AAP2 connects to aap1-xx SSID as a WGB and will use VLAN 12 through AAP1.
• Use EAP-FAST between the APs with authentication stored on ACS.
• AAP2 BVI1 interface should get a DHCP vlan12 address from CAT1 and be able to ping 10.10.12.1 and vice versa.
• Filter vlan 12 from CAT3 AAP2 trunk port. EAP-FAST username is fast-xx password fast.
• Aap1-xx clients will have WPA2 configured but some don’t support encryption in hardware. Advertise necessary IE in your beacons to support hardware and software encryption.
• On 5 GHz UNII-I is severely interfered. Don’t use UNII-I
• WGB 5 GHz radio is getting a lot of “Reached maximum retries” in its logs and the link is disconnecting frequently. Make the link as reliable as possible so it disconnects less often.

4.0 Configure and Troubleshoot Unified deployment model

WLC management:
• In HQ guests should be transported from other HQ controllers to WLC1. Prepare the configuration so the guest WLAN traffic can be directed directly to WLC1 in the future. WLC1 default mobility domain should be HQ1, WLC2 HQ2, and WLC4 HQ4.

• Configure appropriate VLAN interfaces per WLC according to table 3.

Table 3: WLC VLANs and SSIDs

| Device | Interface | WLC IP Address | Default gateway | WLAN |
|---|---|---|---|---|
| WLC1 | Vlan 11 | 10.10.11.252/24 | 10.10.11.1 | HQ-guests-XX |
| WLC2 | Management | NA | NA | HQ-guests-XX |
| WLC2 | Vlan 13 | 10.10.13.50/54 | 10.10.13.1 | Client-Vlan-XX |
| WLC2 | Vlan 15 | 10.10.15.50/24 | 10.10.15.1 | voip-6ghz-XX |
| WLC3 | Vlan 22 | 10.10.22.130/26 | 10.10.22.129 | MOData1-XX |
| WLC4 | Management | NA | NA | HQ-guests-XX |
| WLC4 | Vlan 13 | 10.10.13.51/24 | 10.10.13.1 | Client-Vlan-XX |
| WLC4 | Vlan 15 | 10.10.15.51/24 | 10.10.15.1 | HQ-guests-XX |

VLANs on Switches should already be done and working in the first part of this LAB.

• Set up etherchannel for all WLC2 connected interfaces. Ensure that APs are load balanced correctly.
• QOS needs to be tagged on all the WLCs.
• Your MO WLC3 controller should do the DCA changes at 9:00, 17:00 and 01:00 for 2,4 GHz
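An added consistency check for the addressing plan, not part of the workbook or its solutions guide: it transcribes Table 1 and the VLAN interface rows of Table 3 and verifies each WLC interface and gateway against its VLAN subnet with Python's ipaddress module. The function names are this example's own.

```python
import ipaddress

# Table 1, transcribed from the workbook (VLAN 999 has no subnet and is omitted).
VLAN_SUBNETS = {
    5: "10.10.210.0/24", 10: "10.10.10.0/24", 11: "10.10.11.0/24",
    12: "10.10.12.0/24", 13: "10.10.13.0/24", 14: "10.10.14.0/24",
    15: "10.10.15.0/24", 16: "10.10.16.0/24", 17: "10.10.17.0/24",
    20: "10.10.20.0/25", 21: "10.10.21.64/26", 22: "10.10.22.128/26",
    23: "10.10.23.192/26", 105: "10.10.105.0/24", 110: "10.10.110.0/24",
    111: "10.10.111.0/24", 112: "10.10.112.0/24", 113: "10.10.113.0/24",
    114: "10.10.114.0/24", 120: "10.10.120.128/26", 121: "10.10.121.192/26",
    131: "192.168.100.0/24",
}
# Table 3 VLAN interfaces: (device, VLAN, interface address, default gateway).
WLC_INTERFACES = [
    ("WLC1", 11, "10.10.11.252/24", "10.10.11.1"),
    ("WLC2", 13, "10.10.13.50/54", "10.10.13.1"),
    ("WLC2", 15, "10.10.15.50/24", "10.10.15.1"),
    ("WLC3", 22, "10.10.22.130/26", "10.10.22.129"),
    ("WLC4", 13, "10.10.13.51/24", "10.10.13.1"),
    ("WLC4", 15, "10.10.15.51/24", "10.10.15.1"),
]

# strict=True rejects a "subnet" whose host bits are set (e.g. 10.10.21.60/26).
NETS = {v: ipaddress.ip_network(c, strict=True) for v, c in VLAN_SUBNETS.items()}


def vlan_for(address):
    """Return the VLAN whose subnet contains address, or None if no VLAN does."""
    ip = ipaddress.ip_address(address)
    return next((v for v, net in NETS.items() if ip in net), None)


def overlapping_vlans():
    """Return VLAN pairs whose subnets overlap (a VLSM planning error)."""
    ids = sorted(NETS)
    return [(a, b) for i, a in enumerate(ids) for b in ids[i + 1:]
            if NETS[a].overlaps(NETS[b])]


def check_interface(device, vlan, cidr, gateway):
    """Return the problems found in one Table 3 row (empty list: consistent)."""
    net = NETS[vlan]
    try:
        iface = ipaddress.ip_interface(cidr)
    except ValueError as exc:      # bad address or impossible prefix length
        return [f"{device} VLAN {vlan}: {cidr} is not a valid interface ({exc})"]
    problems = []
    if iface.network != net:
        problems.append(f"{device} VLAN {vlan}: {cidr} is not in {net}")
    if iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{device} VLAN {vlan}: {iface.ip} is not a host address")
    gw = ipaddress.ip_address(gateway)
    if gw not in net:
        problems.append(f"{device} VLAN {vlan}: gateway {gw} is outside {net}")
    return problems


def audit():
    """Check every Table 3 row and flag addresses used on more than one WLC."""
    problems = [p for row in WLC_INTERFACES for p in check_interface(*row)]
    seen = {}
    for device, vlan, cidr, _ in WLC_INTERFACES:
        ip = cidr.split("/")[0]
        if ip in seen:
            problems.append(f"{ip} is assigned to both {seen[ip]} and {device}")
        seen[ip] = device
    return problems
```

Run against the tables as printed, `audit()` reports one row: the WLC2 VLAN 13 address 10.10.13.50/54, because /54 is not a possible IPv4 prefix length.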

AP Priming:
• On WLC4 scan all available channels for rogues. LAP3 should find rogues as soon as possible.
• WLC1 guest portal should say “Welcome to IPexpert guest network”. Guests should be able to ping 10.10.120.140 without web authentication. Guest on WLC1 set to bronze QOS queue should get a maximum of 100 Kbps for real time traffic.
• Rogue APs should be treated as major alarms snmp traps on WCS. WCS sends email about rogue APs to [email protected] from the address [email protected] and email server 20.20.20.20. Send controller information with your message. Don’t send information about power level changes on your WLC3 radios.

Guests:
• WLC3 uses same default mobility domain as WLC4 but no redundancy or roaming is needed between the controllers.
• Configure WLC1 port1 to be the primary management port connected to CAT2. Guests on VLAN 11 should go out of port1. Ensure that only existing VLANs traverse the switch ports. Guest VLAN is VLAN 11. Make the setup redundant for management and guests.
• Create the WLAN HQ-guests-xx on all HQ WLCs. HQ WLCs should transport all guest access traffic to WLC1 VLAN 11. No encryption.
• Don’t allow static IP addressing of clients.
• Timeout is 4 hours.
• Do not advertise Aironet Information Element to avoid interoperability issues with various guest equipment.
• The guest SSID has to work on all APs in the HQ. Users should have the option of entering their email address on the splash page and connect after that.
• QOS profile is bronze.
• Users need to be able to roam between all controllers in HQ.
• Guests use DHCP on CAT1. Issue 15 address pool starting from 10.10.11.10. Default gateway is CAT1 SVI VLAN 11. DNS is 10.10.210.6
• Test the guest connection from the Laptop. The laptop is reachable from the WCS server with VNC at 10.10.210.4 password IPexpert123.

AP registration security and local radius:
• Configure your ACS to be used on WLC3 for WLAN MOData1-XX in table 3. WLC VLAN 22 IPv4 is 10.10.22.130/26. Test IPv6 connectivity on your client.

• Use EAP-FAST authentication. Username fast password faster. Security is prestandard WPA with hardware encryption. ACS user is acsadmin password IPexpert123

Management:
• WLC4 should be authenticated by tacacs on ACS server. Use admin and password of tacacs for administrators. Also create a lobby admin user lobby password lobby.123 after the tacacs is working, change admin password to IPexpert123 in ACS

Clean AIR:
• Your WLC4 should detect and report microwave ovens and Bluetooth devices on capable access points in the 2.4 GHz frequency.
• For capable access points, monitor and report Bluetooth and microwave ovens interference. There is no requirement for anything else available. The event driven Radio resource management should be set to the lowest value.

5.0 Configure and Troubleshoot WCS

WCS:

Management:
• Administrate all WLCs with WCS using most secure Simple Network Management Protocol. No other methods should be available. User WCS with password ipexpert.snmp.123$ for your authentication.

MAPs:
• Locate all WiFi clients that live on Campus IPX, building1, floor1 map on your WCS. Position the APs for best location tracking. Campus is 1000 by 1000 feet. Building is 500 by 900 feet. Floor is 200 by 100 feet. Horizontal number first. MSE IP is 10.10.210.10; use encrypted method to communicate WCS to MSE.

Clean Air:

• Locate and report Clean-air interference in MSE (show icons and zone of impact). Gather 1 day report from your campus regarding the worst interference. Save a clean air report on your WCS desktop. Name it cleanair.pdf

6.0 Configure and Troubleshoot WLAN Services

Wireless Voice:
• On WLC2 and WLC4 in HQ:
• Deploy SSID VoIP-XX. Terminate at VLAN 15. WLC IP information in table 3. DHCP is on CAT1. Default gateway is CAT1 VLAN15 SVI. Take care of IP conflict in your DHCP configuration. Use 2.4 OFDM only
• Phones on this SSID should get a maximum of 125kbps voice traffic. Use Platinum
• Use WPA2 encryption and ensure that Cisco 7925 phones can roam seamlessly.
• Phone uses EAP-FAST authentication. On your ACS configure the user phone with password of ipexpert
• Test it from your AnyConnect.
• Company policy doesn’t allow for more than 2 devices to log on to the wireless network with the same user credentials. Make it so on WLC4

You are at the end of LAB 5. It should be easily done in 7 hours with 1 hour to verify and complete tasks you left unfinished. Because most of the network is configured, we only need to find errors built into the network. This is essential to pass the lab: there must be some time left to verify and fix things. There will be some mistakes and we should take them into account. The question phrasing can slow you down, as it might on the actual LAB. Calculate your score. The passing score is 85 points or above. Be critical in your scoring: no partial score is allowed if one item is not correct in a multi-item question. Do this lab many times to practice speed and work on things you want to improve in the meantime. I recommend having a LAB strategy in place that you practice when you take this LAB, because this LAB is built up from the blueprint sections and hopefully prepares you for the actual LAB.

Technical Verification and Support

To verify your configurations please review the Volume 1 Detailed Solutions Guide that you received along with this Workbook. You can also find this document in the eBook section of your www.IPexpert.com account.

Support is also available in the following ways:

IPexpert Support: www.OnlineStudyList.com
IPexpert Blog: blog.ipexpert.com
Proctor Labs Hardware Support: [email protected]
