Month: June 2014
CCNA Wireless Summary Notes: Implementing a Wireless Guest Network
Guest access should be isolated from corporate access: the guest WLAN gets its own VLAN and dynamic interface rather than sharing the corporate ones.
Steps involved:
- Create a dynamic interface for the guest VLAN.
- Create the guest WLAN.
- Bind the WLAN to the dynamic interface.
- Configure the security parameters.
A mobility anchor controller can terminate guest traffic on behalf of the other (foreign) controllers: each foreign controller builds an EoIP tunnel to the anchor and forwards its guest clients' traffic through it, so the guest VLAN only has to exist where the anchor sits (typically the DMZ). Configuring mobility anchors:
- Create an identical guest WLAN (same profile name, SSID and security settings) on each controller. The interface the WLAN is bound to may differ: on the foreign controllers the management interface is usually used, because their guest traffic is tunnelled rather than bridged locally; on the anchor controller the WLAN must be bound to the actual dynamic interface for the guest DMZ VLAN.
- Create the mobility group relationship. All controllers must be in the same mobility group, and each controller's mobility list must contain every other controller, otherwise the neighbour relationship will not form.
- On each controller, including the anchor itself, identify the anchor controller for the guest WLAN. Configure the anchor controller first.
From the anchor list, select the IP address of the anchor. Selecting "local" makes that controller itself the anchor. Then click Mobility Anchor Create.
The status of the EoIP tunnel (control path and data path) to each anchor is then displayed; both must be up before guest clients can be anchored.
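As an added example (not from these notes or from Cisco), the requirements above can be expressed as a script that checks a description of each controller before the anchor is brought into service. The controller names, addresses and interface names in it are made up for the illustration; the checks are the four rules listed above: identical guest WLAN everywhere, anchor bound to the real DMZ interface, one mobility group with every controller in every mobility list, and the anchor configured as anchor on every controller including itself.

```python
"""Consistency checks for a guest-anchor mobility setup (added example).

Encodes the requirements from the notes above as checks over a hand-built
description of each controller. Names, IPs and interface names are made up.
"""
from dataclasses import dataclass


@dataclass
class Controller:
    name: str
    ip: str
    mobility_group: str
    peers: set            # IPs this controller has in its mobility list
    guest_wlan: dict      # {"profile", "ssid", "security", "interface"}
    anchors: set          # anchor IPs configured on the guest WLAN
    is_anchor: bool = False
    guest_dmz_interface: str = ""   # only meaningful on the anchor


def check_guest_anchor(controllers):
    """Return a list of human-readable problems; an empty list means consistent."""
    problems = []
    anchors = [c for c in controllers if c.is_anchor]
    if len(anchors) != 1:
        return [f"expected exactly one anchor controller, found {len(anchors)}"]
    anchor = anchors[0]
    ref = anchor.guest_wlan
    for c in controllers:
        # 1. identical guest WLAN everywhere (the bound interface may differ)
        for key in ("profile", "ssid", "security"):
            if c.guest_wlan.get(key) != ref.get(key):
                problems.append(f"{c.name}: guest WLAN {key} differs from anchor")
        # 2. one mobility group, and every other controller listed as a peer
        if c.mobility_group != anchor.mobility_group:
            problems.append(f"{c.name}: mobility group {c.mobility_group!r} != {anchor.mobility_group!r}")
        missing = {o.ip for o in controllers if o is not c} - c.peers
        for ip in sorted(missing):
            problems.append(f"{c.name}: missing mobility peer {ip}")
        # 3. the anchor must be the configured anchor on every controller, itself included
        if c.anchors != {anchor.ip}:
            problems.append(f"{c.name}: guest WLAN anchors {sorted(c.anchors)} should be [{anchor.ip}]")
    # 4. the anchor binds the guest WLAN to the real DMZ dynamic interface
    if ref.get("interface") != anchor.guest_dmz_interface:
        problems.append(f"{anchor.name}: guest WLAN bound to {ref.get('interface')!r}, "
                        f"expected {anchor.guest_dmz_interface!r}")
    return problems


def example_controllers(broken=False):
    """Constructed sample: one DMZ anchor and two campus (foreign) controllers."""
    anchor_ip, wlc1_ip, wlc2_ip = "10.99.1.5", "10.10.1.5", "10.10.2.5"
    wlan = {"profile": "guest", "ssid": "Guest", "security": "web-auth"}
    anchor = Controller("dmz-anchor", anchor_ip, "corp", {wlc1_ip, wlc2_ip},
                        dict(wlan, interface="guest-dmz"), {anchor_ip},
                        is_anchor=True, guest_dmz_interface="guest-dmz")
    wlc1 = Controller("wlc1", wlc1_ip, "corp", {anchor_ip, wlc2_ip},
                      dict(wlan, interface="management"), {anchor_ip})
    wlc2 = Controller("wlc2", wlc2_ip, "corp", {anchor_ip, wlc1_ip},
                      dict(wlan, interface="management"), {anchor_ip})
    if broken:
        wlc2.peers.discard(anchor_ip)            # anchor left out of the mobility list
        wlc2.guest_wlan["security"] = "open"     # WLAN no longer identical
    return [anchor, wlc1, wlc2]


if __name__ == "__main__":
    for problem in check_guest_anchor(example_controllers(broken=True)):
        print(problem)
```

Running it with the deliberately broken sample reports the two mistakes that most often stop the EoIP tunnel from coming up or leave guests on the wrong security policy: a missing mobility peer and a guest WLAN whose security no longer matches the anchor's.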
CCDP ARCH Summary Notes 1
Covered Topics:
- Topic 1 – Cisco SONA
- Topic 2 – Cisco Enterprise Architecture
Hierarchical Architecture
- Core – high-end switching; the backbone of the network. Uses CEF and very little policy, adapts to changes quickly and optimizes the transport of traffic between distribution blocks. Multilayer switching.
- Distribution – policy-based connectivity. Aggregates the access layer (wiring closets). For the WAN it is the edge of the campus and provides policy-based connectivity (QoS, security). Usually multilayer switching.
- Access – local and remote access for both wired and wireless devices. Connects to the WAN, data center, PSTN and Internet; for the WAN it serves teleworkers and remote sites. Usually L2 switching, with IDS/IPS and ASA at the edge.
Service Oriented Network Architecture (SONA)
Connects all the components of the IT infrastructure so that the network itself provides intelligence. Its layers are:
- Integrated Network Systems layer – campus, data center, branch, enterprise edge, WAN/MAN, teleworker. All IT resources (servers etc.) are interconnected, giving the customer anywhere, anytime connectivity.
- Integrated Network Services layer – management services, security, storage, voice and collaboration, identity services, network infrastructure virtualization.
- Application layer – business applications (SharePoint, e-commerce) and the collaboration layer (VoIP, instant messaging, unified messaging, Cisco Unified MeetingPlace, contact center).
Benefits of SONA:
- Functionality – supports the company's needs.
- Scalability – enables the company to grow and expand.
- Availability – system uptime and reliability.
- Performance – responsiveness and maximum use of resources.
- Manageability – the organization can control, monitor, detect faults and troubleshoot.
- Efficiency – services are delivered within budget and as expected.
Infrastructure Services
Support application awareness and provide the intelligence of the network. They include:
- Voice services – IP telephony
- Security services – confidentiality and overall protection of the network
- Mobility services – 802.1X and EAP, wireless services
- Storage services – SAN
- Compute services
- Identity services
Cisco Enterprise Architecture
Service Provider Edge – provides the Internet and voice services that go outside the enterprise; security and SLAs are defined here.
Enterprise Edge – has several modules (WAN, e-commerce, Internet and remote access).
Enterprise Campus – combines switching and routing: multicast support, QoS, voice and video, protection against malware, 802.1X, and IPsec and MPLS VPNs where needed. It is broken into the data center, the campus backbone (high-speed pipes), building distribution (where most of the policies are implemented) and the building access layer.
CCNA Wireless Summary Notes: Configuring a WLAN
A WLAN maps a wired network (VLAN) to a wireless network (SSID). Clients on different WLANs cannot communicate with each other unless the traffic is routed between their VLANs on the wired network.
WLAN limitations:
- A WLC supports a maximum of 512 WLANs, but only 16 can be actively configured on an AP.
- Advertising each WLAN uses up valuable airtime.
- Each WLAN requires its own beacons to advertise it. With the default beacon interval of 100 TU (102.4 ms) that is roughly 10 beacons per second per WLAN per radio, sent at the lowest basic rate, so the more WLANs, the more beacons.
As a rule of thumb, limit the number of WLANs on an AP to five or fewer.
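To put a number on the airtime argument, here is an added example (not from the notes) that models the beacon overhead of a single radio as a function of the number of WLANs and the lowest basic rate. The 250-byte beacon length is an assumed typical value; the preamble durations are the standard DSSS long/short and OFDM values.

```python
"""Beacon overhead per radio as a function of the number of WLANs (added example).

Each WLAN on a radio is advertised by its own beacon; with the default beacon
interval of 100 TU (102.4 ms) that is about 10 beacons per second per WLAN.
Beacons go out at the lowest mandatory (basic) rate, so a 2.4 GHz radio with
1 Mbps enabled spends far more airtime on them than one whose lowest basic
rate is 12 Mbps. The beacon frame length is an assumed typical value.
"""

TU_US = 1024                     # one 802.11 time unit in microseconds
# Long DSSS preamble + PLCP header (192 us), short DSSS (96 us), OFDM (20 us)
PREAMBLE_US = {1: 192, 2: 192, 5.5: 96, 11: 96, 6: 20, 12: 20, 24: 20}


def beacon_airtime_us(frame_bytes, basic_rate_mbps):
    """Microseconds one beacon occupies the channel at the given basic rate."""
    return PREAMBLE_US[basic_rate_mbps] + frame_bytes * 8 / basic_rate_mbps


def beacon_overhead(n_wlans, basic_rate_mbps, beacon_interval_tu=100, frame_bytes=250):
    """Fraction of airtime (0..1) one radio spends beaconing n_wlans SSIDs."""
    beacons_per_sec = 1_000_000 / (beacon_interval_tu * TU_US)
    per_wlan_us = beacons_per_sec * beacon_airtime_us(frame_bytes, basic_rate_mbps)
    return n_wlans * per_wlan_us / 1_000_000


def overhead_table(basic_rate_mbps, counts=(1, 5, 16)):
    """Percent overhead for each WLAN count, e.g. to justify the 'five or fewer' rule."""
    return {n: round(100 * beacon_overhead(n, basic_rate_mbps), 1) for n in counts}


if __name__ == "__main__":
    for rate in (1, 11, 12):
        print(f"{rate:>2} Mbps basic rate: {overhead_table(rate)}")
```

With 1 Mbps as the lowest basic rate, 16 WLANs cost roughly a third of the radio's airtime before a single data frame is sent; disabling the 802.11b rates so that 12 Mbps is the lowest basic rate brings the same 16 WLANs down to about 3 %, which is why the two knobs (fewer SSIDs, higher basic rate) are usually turned together.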
Configuring a WLAN
1) Configure the RADIUS server(s).
2) Create a dynamic interface.
3) Create the new WLAN.
The WLAN ID number is used as an index into the list of WLANs defined on the controller. It mainly matters when configuring WLCs from Cisco Prime using templates.
4) Configure the type of WLAN security to be used.
5) Optionally specify a WLAN QoS profile; the default is best effort.
6) Configure the advanced security features.
By default, the session timeout is 30 minutes (1800 seconds), after which the client must reauthenticate.
CCNA Wireless Summary Notes: Understanding Wireless Clients
Overview of common clients
- Windows 7 and 8
- Intel PROSet – can be installed if you are using an Intel wireless adapter. It is preferable when dealing with Lightweight Extensible Authentication Protocol (LEAP), EAP Flexible Authentication via Secure Tunneling (EAP-FAST) or Cisco Compatible Extensions (CCX), because Windows does not support these natively.
- Android
- Apple OS X
- Cisco AnyConnect. It runs on most of the operating systems in use and does not depend on the connection type. It has the following modules:
  - VPN
  - Diagnostic and Reporting Tool (DART) – for troubleshooting
  - Network Access Manager (NAM) – controls authentication
  - Posture Assessment – before it builds a connection, verifies that the necessary elements such as antivirus and firewall are installed
  - Telemetry – sends information back to the web filtering infrastructure
  - Web Security – enforces Cisco Web Security policies
- For AnyConnect to manage wireless connections, the NAM and VPN modules must be installed.
- Policies are created on a Cisco Adaptive Security Appliance (ASA) through its Adaptive Security Device Manager (ASDM) front end and pushed to the client.
- The main AnyConnect client interface consists of VPN, network and web security functions.
Cisco Compatible Extensions (CCX)
The CCX program can be used to verify that clients support Cisco wireless enhancements. There are several versions, v5 being the current one. v4 and v5 are interactive: the client reports information about itself to the wireless infrastructure.
Management Frame Protection (MFP) addresses an inherent weakness of 802.11 management frames: they are not authenticated, so an attacker can spoof them (for example, deauthentication and disassociation frames) on behalf of the AP. MFP adds a message integrity check to management frames; client MFP, which also lets the client validate them, is supported from CCXv5.
(The OCG has a table of the features supported in CCX v1 to v5.)
CCX Lite simplifies the compatibility process, since not all features are needed in all devices. Its categories are:
- Foundation – core features common to all devices
- Voice – features such as CAC and voice metrics
- Location – for real-time tracking
- Management – client and link management features
For a device to be CCX certified, it needs to be compliant with the Foundation module; the other modules are optional.
Security features supported in CCX (from the CCNA Wireless OCG):
- 802.1X in all versions
- WPA from CCXv2
- WPA2 from CCXv3
- EAP-FAST from CCXv3
- PEAP-MSCHAP and EAP-TLS from CCXv4
- MFP in v5 only
Cisco ACS 5.4: Importing users from a .csv file
How to create a list of users and add them to ACS.
Finally, let's confirm that all users have been added.
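The post's screenshots of the import dialog are not part of this page, so here is an added example (not from the original post) of the step that precedes the upload: building the .csv and sanity-checking it. The column names in HEADER are an assumption for illustration; copy the header row from the template ACS itself exports, because the import rejects files whose header does not match. The identity group path and the user names are constructed sample data. What the script adds over a hand-written file is that user names are validated and de-duplicated before anything is uploaded, every user gets a random initial password, and the change-password flag is set so that the random value is only good for the first login.

```python
"""Build and sanity-check a user CSV before importing it into ACS (added example).

HEADER is an assumed column set: replace it with the header row from the
template downloaded from ACS. Sample users and groups are constructed.
"""
import csv
import io
import re
import secrets
import string

# Assumed header; replace with the one from the ACS template.
HEADER = ["name", "description", "enabled", "changePassword", "password", "identityGroup"]
USERNAME_RE = re.compile(r"^[a-z][a-z0-9._-]{2,31}$")
SYMBOLS = "!#%+-=_"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def initial_password(length=16):
    """Random initial password with at least one lower, upper, digit and symbol."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw


def validate_users(rows):
    """rows: list of (username, description, identity_group). Returns problems found."""
    problems, seen = [], set()
    for n, (user, _desc, group) in enumerate(rows, start=1):
        if not USERNAME_RE.match(user):
            problems.append(f"line {n}: invalid username {user!r}")
        if user in seen:
            problems.append(f"line {n}: duplicate username {user!r}")
        if not group:
            problems.append(f"line {n}: {user!r} has no identity group")
        seen.add(user)
    return problems


def build_csv(rows):
    """Return the CSV text to import, or raise ValueError if the input is unsafe."""
    problems = validate_users(rows)
    if problems:
        raise ValueError("; ".join(problems))
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(HEADER)
    for user, desc, group in rows:
        # enabled=true, changePassword=true: the random password is single-use
        writer.writerow([user, desc, "true", "true", initial_password(), group])
    return out.getvalue()


def parse_csv(text):
    """Read the generated file back as dicts, to eyeball it before uploading."""
    return list(csv.DictReader(io.StringIO(text)))


if __name__ == "__main__":
    sample = [("alice", "network team", "All Groups:NetOps"),     # constructed
              ("bob", "helpdesk", "All Groups:Helpdesk")]
    print(build_csv(sample), end="")
```

Keep the generated file out of version control and shred it after the import: it carries every initial password in clear text, which is also why the change-on-first-login flag is set rather than handing out a shared default password.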
Patching Cisco ACS 5.4
Current Status and version before patching
acs100/admin# show application version acs
Cisco ACS VERSION INFORMATION
—————————–
Version : 5.4.0.46.0a
Internal Build ID : B.221
acs100/admin# show application status acs
ACS role: PRIMARY
Process ‘database’ running
Process ‘management’ running
Process ‘runtime’ running
Process ‘ntpd’ running
Process ‘view-database’ running
Process ‘view-jobmanager’ running
Process ‘view-alertmanager’ running
Process ‘view-collector’ running
Process ‘view-logprocessor’ running
The repository pointing at the FTP server where my patch files are. Note that the password is typed in plain text here and that FTP moves both the credentials and the patch file across the network in the clear; ADE-OS also accepts sftp:// repositories, which is the better choice outside a lab.
repository FTP
url ftp://172.0.6.67/
user admin password plain test1234
Making sure that I am able to reach my server
acs100/admin# ping ip 172.0.6.67
PING 172.0.6.67 (172.0.6.67) 56(84) bytes of data.
64 bytes from 172.0.6.67: icmp_seq=1 ttl=128 time=0.505 ms
64 bytes from 172.0.6.67: icmp_seq=2 ttl=128 time=0.490 ms
64 bytes from 172.0.6.67: icmp_seq=3 ttl=128 time=0.441 ms
64 bytes from 172.0.6.67: icmp_seq=4 ttl=128 time=0.440 ms
Patching process
acs100/admin# acs patch install 5-4-0-46-6.tar.gpg repository FTP
Installing ACS patch requires a restart of ACS services. Continue? (yes/no) y
Calculating disk size for /opt/CSCOacs/patches
Total size of patch files are 1103 M.
Max Size defined for patch files are 1000 M.
WARNING: Patch of size 1103 M exceeds the allowed quota of 1000 M. This will not prohibit patch installation process as long as there is enough disk space. Please note that this indicates you should consider moving ACS to a higher disk space machine
Stopping ACS.
Stopping Management and View………………………………………………………
Stopping Runtime……..
Stopping Database…….
Stopping Ntpd….
Cleanup..
Stopping log forwarding …..
Installing patch version ‘5.4.0.46.6’
Installing ADE-OS 1.2 patch. Please wait…
Decompressing patch files 5.4.0.46.6 …
About to install files
Removing old war
Removing old war
Removing old war
Removing old war
Removing old war
Removing old war
Removing old war
Removing old war
Removing old war
Removing old war
/opt/CSCOacs/patches/5-4-0-46-6
Patch ‘5-4-0-46-6’ version ‘5.4.0.46.6’ successfully installed
Starting ACS ….To verify that ACS processes are running, use the
‘show application status acs’ command.
Verifying that ACS is back up and the processes are running. It took a few minutes for all processes to finish initializing; note that the first check below still shows the management process as "running" while its HTTP interface is nonresponsive, so wait for every process to report plainly "running" before calling the patch done.
acs100/admin# show application status acs
ACS role: PRIMARY
Process ‘database’ running
Process ‘management’ running (HTTP is nonresponsive)
Process ‘runtime’ running
Process ‘ntpd’ running
Process ‘view-database’ Restarting
Process ‘view-jobmanager’ initializing
Process ‘view-alertmanager’ initializing
Process ‘view-collector’ initializing
Process ‘view-logprocessor’ initializing
acs100/admin# show application status acs
ACS role: PRIMARY
Process ‘database’ running
Process ‘management’ running
Process ‘runtime’ running
Process ‘ntpd’ running
Process ‘view-database’ running
Process ‘view-jobmanager’ running
Process ‘view-alertmanager’ running
Process ‘view-collector’ running
Process ‘view-logprocessor’ running
Confirming that the version has been updated
acs100/admin# show version
Cisco Application Deployment Engine OS Release: 2.0
ADE-OS Build Version: 2.0.3.063
ADE-OS System Architecture: i386
Copyright (c) 2005-2011 by Cisco Systems, Inc.
All rights reserved.
Hostname: acs100
Version information of installed applications
———————————————
Cisco ACS VERSION INFORMATION
—————————–
Version : 5.4.0.46.6
Internal Build ID : B.221
Patches :
5-4-0-46-6
And just because I feel like rebooting the server to make sure that all is well, let's stop the services.
acs100/admin# acs stop
Stopping ACS.
Stopping Management and View………………………………………………………
Stopping Runtime……..
Stopping Database…….
Stopping Ntpd….
Cleanup..
Reload
acs100/admin# reload
Save the current ADE-OS running configuration? (yes/no) [yes] ?
Generating configuration…
Saved the ADE-OS running configuration to startup successfully
Continue with reboot? [y/n] y
Broadcast message from root (pts/0) (Tue Jun 17 14:00:07 2014):
The system is going down for reboot NOW!
And finally confirm that all is well after reboot
ACS100/admin# show application status acs
ACS role: PRIMARY
Process ‘database’ running
Process ‘management’ running
Process ‘runtime’ running
Process ‘ntpd’ running
Process ‘view-database’ running
Process ‘view-jobmanager’ running
Process ‘view-alertmanager’ running
Process ‘view-collector’ running
Process ‘view-logprocessor’ running
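The two status checks above show why a script that drives this upgrade should not stop at the first output containing the word "running": processes come up in stages, and the management process reports "running (HTTP is nonresponsive)" while its web interface is still dead. This added example (not from the original post) parses the `show application status acs` output and returns whatever is not yet healthy, so a poll loop can wait on an empty result. The sample outputs are copied from the transcript above; the readiness logic is the example's own.

```python
"""Decide whether ACS is back up from 'show application status acs' output (added example).

Sample outputs are taken from the transcript above; the readiness rule is
this example's own: a process is healthy only when its state is exactly
'running', and an expected process missing from the output is not ready.
"""
import re

# Accepts both straight quotes (real ADE-OS output) and the curly ones in the post.
PROCESS_RE = re.compile(r"Process\s+[‘']([\w-]+)[’']\s+(.+?)\s*$")

EXPECTED = {"database", "management", "runtime", "ntpd", "view-database",
            "view-jobmanager", "view-alertmanager", "view-collector", "view-logprocessor"}


def parse_status(text):
    """Return (acs_role, {process_name: raw_state_string})."""
    states, role = {}, None
    for line in text.splitlines():
        m = re.match(r"ACS role:\s*(\S+)", line.strip())
        if m:
            role = m.group(1)
            continue
        m = PROCESS_RE.search(line)
        if m:
            states[m.group(1)] = m.group(2)
    return role, states


def not_ready(text, expected=EXPECTED):
    """Map of process -> state for every expected process that is not plainly 'running'.

    'running (HTTP is nonresponsive)' counts as not ready, as do 'initializing'
    and 'Restarting'; a process absent from the output is reported as 'absent'.
    """
    _role, states = parse_status(text)
    bad = {name: states.get(name, "absent") for name in expected
           if states.get(name, "absent") != "running"}
    return dict(sorted(bad.items()))


# Constructed from the transcript above: mid-start-up vs. fully started.
STARTING = """\
ACS role: PRIMARY
Process 'database' running
Process 'management' running (HTTP is nonresponsive)
Process 'runtime' running
Process 'ntpd' running
Process 'view-database' Restarting
Process 'view-jobmanager' initializing
Process 'view-alertmanager' initializing
Process 'view-collector' initializing
Process 'view-logprocessor' initializing
"""

READY = """\
ACS role: PRIMARY
Process 'database' running
Process 'management' running
Process 'runtime' running
Process 'ntpd' running
Process 'view-database' running
Process 'view-jobmanager' running
Process 'view-alertmanager' running
Process 'view-collector' running
Process 'view-logprocessor' running
"""

if __name__ == "__main__":
    print("starting:", not_ready(STARTING))
    print("ready:", not_ready(READY))
```

In practice the text would come from an SSH session to the appliance; the function is kept free of any transport so it can be dropped into whatever tooling runs the upgrade, and a sensible loop gives up after a fixed number of polls rather than waiting forever on a process stuck in "Restarting".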
There you go. Easy peasy 🙂
CCNA Wireless Summary Notes: Managing Wireless Networks with Wireless Control System (WCS) and a sneak peek at the Cisco Prime interface
Evolution of WCS
Cisco WCS (no longer supported) -> Cisco Prime Network Control System (NCS) -> Cisco Prime Infrastructure (PI): Works with both wired and wireless.
WCS
Hosted on 32-bit Windows 2003 SP1+ or Red Hat Linux server. It has two forms:
- WCS Base ( clients located in relation to nearest AP)
- WCS Plus ( clients location more accurate and can also use MSE for tracking).
Licensing
- Single server licence for 50, 100 or 500 APs.
- Enterprise licence (WCS Plus only) – can support one or more server instances with a maximum of 50,000 APs.
Cisco WCS Navigator is a separate product that acts as a single interface to up to 20 distinct WCS servers.
WCS Page Displays
- Alarm Summary
  - Grouped as critical, major and minor.
  - WCS remembers each alarm for a default period of 15 days or until someone takes action on it.
  - Actions that can be performed on alarms:
    Assign to me – remains in your alarm list
    Unassign – removed from your alarm list
    Delete – WCS forgets about it
    Clear – WCS records it and removes it from the list
    Acknowledge – the alarm has been checked and can be removed from the list
    Unacknowledge – the alarm is added back to the list
  - Email notification
- Main Navigation Area
  - Functions that can be performed:
    Monitor
    Reports
    Administer WCS
    Configure – changes to WLCs, APs etc.
    Services – integrate WCS with external services
    Tools – perform audits, attach information to Cisco TAC requests
    Help
- Home
  - Displays charts and graphs of wireless activity.
  - Is customizable for each user.
Using WCS to configure devices
Configure > Controllers (add the correct SNMP settings for the controller to be added; WCS manages controllers over SNMP, so prefer SNMPv3 with authentication and privacy over v1/v2c community strings).
WCS Maps
Monitor > Maps
- WCS maps are organized in a tree-like structure: a campus contains one or more buildings or outdoor areas, and each building can contain one or more floor maps. By default, maps are placed into a system campus.
- WCS computes the RF signal strength for each AP and displays the results as a colored heatmap. Red represents a strong signal (–35 dBm), progressing through orange, yellow and green to blues and purples at the weak end of the scale (–90 dBm).
- WCS updates the AP icons based on current conditions: a green icon is an AP radio that is working properly with no faults or alarms, a yellow icon is an AP radio with a minor alarm, and a red icon indicates a major alarm.
In summary, the WCS interface is similar to the Prime Infrastructure interface. Since PI is what I have available, I will show its interface instead. Note that PI is not covered in the CCNA series, so this is just additional information for those who want it 🙂
Home
What you can access from the Cisco Prime Infrastructure Monitor interface
Configure interface
Services – allows you to add external services such as the MSE for tracking
The Report tab can be used to generate reports
The Administration tab can be used to configure PI itself
Oh, I forgot to mention that the alarms were moved to the bottom in PI.
Last but not least, the most interesting part of it all, of course, is the site map 🙂
CCNA Wireless Summary Notes: Dealing with Wireless Interference
Interference – 802.11 signals that originate from a source other than the expected APs.
Noise – signals that originate from a source that is not 802.11.
Common non-802.11 devices that can interfere with a WLAN:
Bluetooth
- Low power consumption.
- Grouped into 3 power classes: class 1 up to 100 mW (the least common), class 2 up to 2.5 mW, class 3 up to 1 mW.
- Operates in the 2.4-GHz ISM band, frequency hopping across the whole band, but is not compatible with the 802.11 standard.
- Up to eight devices can be paired or linked into a PAN, with one device taking the master role and the others operating as slaves.
ZigBee
- Defined in the IEEE 802.15.4 standard.
- Divides the 2.4-GHz ISM band into 16 channels spaced 5 MHz apart (each only about 2 MHz wide).
- Has a low duty cycle and does not occupy a channel much of the time.
- Low power consumption.
- Low transmit power, hence less interference.
- Low data rates (20 to 250 kbps).
- Commonly used for energy management and home and building automation.
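Which 802.11 channels a given ZigBee network (or any other narrowband 2.4-GHz interferer) actually lands on follows from the channel plans, so here is an added example (not from the notes) that works it out. It generalises the ZigBee bullets above to any interferer described by a centre frequency and bandwidth: 802.11b/g channel n is centred at 2407 + 5n MHz (channel 14 at 2484 MHz) and is taken as 22 MHz wide, IEEE 802.15.4 channel k (11..26) is centred at 2405 + 5(k - 11) MHz and is 2 MHz wide, and two transmissions overlap when their centres are closer than half the sum of their bandwidths.

```python
"""Which 2.4 GHz 802.11 channels does a narrowband interferer hit? (added example)

Channel plans are the standard ones; the overlap rule is purely geometric,
so the same function covers a cordless phone carrier as well as ZigBee.
"""


def wifi_center_mhz(channel):
    """Centre frequency of 2.4 GHz 802.11 channel 1..14."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError(f"no such 2.4 GHz channel: {channel}")


def zigbee_center_mhz(channel):
    """Centre frequency of IEEE 802.15.4 channel 11..26 (2.4 GHz page)."""
    if not 11 <= channel <= 26:
        raise ValueError(f"no such 802.15.4 channel: {channel}")
    return 2405 + 5 * (channel - 11)


def overlaps(center_a, bw_a, center_b, bw_b):
    """True when the two occupied bands share any spectrum."""
    return abs(center_a - center_b) < (bw_a + bw_b) / 2


def affected_wifi_channels(center_mhz, bw_mhz, wifi_bw_mhz=22):
    """802.11 channels an interferer at center_mhz with bandwidth bw_mhz overlaps."""
    return [n for n in range(1, 15)
            if overlaps(center_mhz, bw_mhz, wifi_center_mhz(n), wifi_bw_mhz)]


def zigbee_channels_clear_of(wifi_channels, wifi_bw_mhz=22):
    """ZigBee channels that do not overlap any of the given Wi-Fi channels."""
    return [k for k in range(11, 27)
            if not any(overlaps(zigbee_center_mhz(k), 2, wifi_center_mhz(n), wifi_bw_mhz)
                       for n in wifi_channels)]


if __name__ == "__main__":
    print("ZigBee channels clear of Wi-Fi 1/6/11:", zigbee_channels_clear_of([1, 6, 11]))
    print("Wi-Fi channels hit by a 2 MHz carrier at 2437 MHz:", affected_wifi_channels(2437, 2))
```

With the usual 1/6/11 channel plan only ZigBee channels 15, 20, 25 and 26 stay clear of the WLAN, which is the practical advice to give a building-automation team; conversely, a cordless phone parked on a 2 MHz carrier in the middle of channel 6 degrades channels 4 through 8, not just 6.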
Cordless Phones
- Phones advertised as using the 2.4- and 5.8-GHz bands can cause significant interference with nearby WLANs.
- They use one channel at a time, but can change channels dynamically.
- Transmit power can be as high as 250 mW (more than the maximum AP power).
- DECT phones do not use the 2.4-GHz ISM band and so do not interfere with 802.11 WLANs. They operate in the upper part of the 1.8-GHz band in Europe, Asia, Australia and South America, and at 1.9 GHz in North America.
Microwave Ovens
- Microwave ovens are free to use the 2.4-GHz ISM band, and most produce a signal that spreads over a large portion of the band.
- Ovens are commonly rated at around 700 W inside the cavity; the energy that leaks out often interferes with nearby APs.
WiMAX (Worldwide Interoperability for Microwave Access)
- Specified in IEEE 802.16 and not compatible with 802.11 WLANs.
- Provides "last mile" broadband access to consumers within a geographic area.
- Does not require line of sight to the base station, so it can serve many fixed and mobile users within a 3- to 10-km radius.
- Uses several bands between 2 and 11 GHz and from 10 to 66 GHz.
- Can cause interference, but it is highly unlikely.
Cisco CleanAir
CleanAir is a spectrum analysis capability built into the radio hardware. The AP operates normally while also monitoring the RF energy on its channel, analyzing it and reporting specific information about any interfering devices, without interrupting WLAN operation. 802.11 frames are processed normally using the split-MAC architecture, whereas non-802.11 signals are processed by the spectrum analysis hardware in the AP and reported to the WLC, which can forward the information to the MSE so that the interferer can be located. Through Radio Resource Management (RRM) and event-driven RRM, the controller can react to interference automatically, for example by moving the AP to a different channel.
To check the channel quality for an AP: Monitor > Access Points > Radios > 802.11a/n or 802.11b/g/n.
CleanAir is enabled per band, under the band's settings in the wireless configuration (Wireless > 802.11a/n or 802.11b/g/n > CleanAir).
Interference
The duty cycle is the percentage of time the source is transmitting on the channel, which indicates its persistence, i.e. how much of the airtime the interferer is consuming. The AP combines the RSSI and the duty cycle into a severity index, ranging from 0 (not severe) to 100 (very severe).
Interference device reports
The WLC goes a step further by calculating an air-quality index (AQI) for each AP and its channels, which indicates the Wi-Fi health within an AP's cell (0 – unusable, 100 – perfect).
Event-Driven RRM (ED-RRM)
CleanAir and RRM can work together so that controllers take action on interference events at the regular RRM interval, which by default is 10 minutes (when the controller runs the dynamic channel assignment (DCA) algorithm).
With ED-RRM, the RRM DCA process is triggered immediately when an AP reports interference. You must enable it and then specify the AQI threshold that will be used as the trigger.
Enable ED-RRM and choose the AQI sensitivity threshold under the band's RRM > DCA settings.