Month: June 2014

CCNA Wireless Summary Notes: Implementing a Wireless Guest Network



Guest Access should be isolated from corporate access. 

Steps involved: 

  1. Create a dynamic interface for the guest network.
  2. Create the guest WLAN.
  3. Bind the WLAN to the dynamic interface.
  4. Configure the security parameters.

An anchor controller can handle guest traffic on behalf of the other (foreign) controllers, which build a tunnel to the anchor and hand the guest traffic over it. Configuring mobility anchors:

  1. Create identical guest WLANs on each controller. The outgoing interfaces may differ; usually, the management interface is used. On the anchor controller, we must use the actual dynamic interface name for the guest DMZ.
  2. Create the mobility group relationship. All controllers should have each other in their mobility group lists for the neighborship to be formed. They should also be in the same mobility group.
  3. On each controller, including the anchor itself, identify the anchor controller. Begin with the anchor controller first.


 

From the list, select the IP address of the anchor (if you select "local", that controller itself is the anchor), then click Mobility Anchor Create.

 


 

The status of the EoIP tunnel will be displayed. 
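As an added example (not from the original post), the same guest WLAN and mobility-anchor setup expressed as AireOS WLC CLI commands. The interface name, VLAN, IP and MAC addresses and the mobility group name are placeholders I made up; lines beginning with "!" are annotations, not commands; and exact syntax varies between AireOS releases, so confirm each command with "?" on the controller before use.

```text
! Added example, not from the original post. Placeholders: anchor management
! IP 203.0.113.10 (DMZ), foreign controller management IP 10.10.10.10,
! guest DMZ VLAN 900 on interface "guest-dmz", mobility group "CORP".

! --- On the anchor controller (sits in the DMZ) ---
! 1. Dynamic interface for the guest DMZ VLAN; guest traffic is terminated
!    here, never on an internal VLAN
config interface create guest-dmz 900
config interface vlan guest-dmz 900
config interface port guest-dmz 1
config interface address guest-dmz 192.0.2.5 255.255.255.0 192.0.2.1
config interface dhcp guest-dmz primary 192.0.2.1

! 2.+3. Guest WLAN (ID 5, profile "Guest", SSID "Guest") bound to the DMZ interface
config wlan create 5 Guest Guest
config wlan interface 5 guest-dmz

! 4. Security: open association with Layer 3 web authentication
config wlan security wpa disable 5
config wlan security web-auth enable 5

! Mobility: list the foreign controller (its MAC + management IP) and point
! the WLAN at the anchor, which is this controller's own management IP
config mobility group member add 00:0b:85:aa:bb:cc 10.10.10.10 CORP
config wlan mobility anchor add 5 203.0.113.10
config wlan enable 5

! --- On each foreign (internal) controller ---
! Identical WLAN; the outgoing interface here is typically "management"
config wlan create 5 Guest Guest
config wlan interface 5 management
config wlan security wpa disable 5
config wlan security web-auth enable 5
config mobility group member add 00:0b:85:dd:ee:ff 203.0.113.10 CORP
config wlan mobility anchor add 5 203.0.113.10
config wlan enable 5

! Verify on both sides: the anchor entry should show control and data path UP
show mobility anchor
show mobility summary
```

The isolation point is that the foreign controller never puts guest frames on an internal VLAN: it tunnels them over EoIP to the anchor, which drops them onto the DMZ interface. If `show mobility anchor` does not report the tunnel as UP, check that every controller's mobility group list contains the same members and that UDP 16666 (mobility control) and IP protocol 97 (EoIP) are permitted between the controllers.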


CCDP ARCH Summary Notes 1



Covered Topics:

  • Topic 1 – Cisco SONA
  • Topic 2 – Cisco Enterprise Architecture

Hierarchical Architecture

  • Core – High-end switching. Backbone of the network. Uses CEF and very little policy. Able to adapt to changes quickly. Optimizes transport of communication. Multilayer switching.
  • Distribution – Policy-based connectivity. This is aggregated in wiring closets. For the WAN, it's the edge of the campus and provides policy-based connectivity (QoS, security). Usually multilayer switching.
  • Access – Local and remote access. Access for both wired and wireless devices. Connects to the WAN, data center, PSTN and Internet. For the WAN, it's for teleworkers and remote sites. Usually L2 switching, IDS, IPS, ASA.

Service Oriented Network Architecture (SONA)

Connects all the components of the IT Infrastructure to provide intelligence of the network. Components include:

  • Integrated Network Systems layer – Campus, data center, branch, enterprise edge, WAN, MAN, teleworker. All IT resources (servers etc.) are interconnected. The customer has anywhere, anytime connectivity.
  • Integrated Network Services layer – Management services, security, storage, voice and collaboration, identity services, network infrastructure virtualization.
  • Application layer – Business applications (SharePoint, e-commerce) and the collaboration level (VoIP, instant messaging services, unified messaging, Cisco Unified MeetingPlace, contact center).

Benefits of SONA

  • Functionality – supports company needs.
  • Scalability – enables the company to grow and expand.
  • Availability – system uptime and reliability.
  • Performance – responsiveness, maximization.
  • Manageability – the organization can control, monitor, detect faults and troubleshoot.
  • Efficiency – makes sure that services are delivered within budget and as expected.

Infrastructure Services

Supports application awareness. Provides intelligence of the network.

Include the following:

  • Voice Services – IP Telephony
  • Security Services – confidentiality and overall protection of the network
  • Mobility Services – 802.1X and EAP, Wireless Services.
  • Storage services – SAN
  • Compute Services
  • Identity Services.

Cisco Enterprise Architecture

Service Provider Edge – Provides the Internet and voice services that go outside the enterprise. Includes security and SLAs.

Enterprise Edge – Has several modules (WAN, Ecommerce, Internet Module and Remote access layer)

Enterprise Campus – Combines switching and routing. Multicast support, QoS, voice and video, protection against malware, 802.1X solutions; can use IPsec and MPLS VPNs. It is broken into the data center, campus backbone (high-speed pipes), building distribution (most of the policies are implemented here) and building access layer.

 

 

 

CCNA Wireless Summary Notes: Configuring a WLAN



A WLAN connects the wired network (VLAN) to the wireless network (SSID). Different WLANs cannot communicate unless the traffic is routed in the wired network.

WLAN Limitations:

  1. A WLC supports a max of 512 WLANs. Only 16 can be actively configured on an AP.
  2. Advertising each WLAN uses up valuable airtime.
  3. Each WLAN requires beacons to advertise it. A min of 100 beacons can be sent per second. The more WLANs there are, the more beacons are sent.

Always limit the number of WLANs to 5 or fewer.

Configuring a WLAN

  1. RADIUS server configuration

[screenshot: RADIUS server configuration on the WLC]

  2. Create a dynamic interface

[screenshot: dynamic interface configuration on the WLC]

  3. Create a new WLAN

The ID number is used as an index into the list of WLANs that are defined on the controller. It is usually used when configuring the WLC in Cisco Prime using templates.

  4. Configure the type of WLAN security to be used

  5. You may choose to specify WLAN QoS or use the default, which is best effort.

  6. Configure advanced security features

By default, a client session lasts 30 minutes (1800 sec), after which the client needs to reauthenticate.

[screenshot: WLAN advanced settings on the WLC]
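As an added example (not from the original post), the six steps above as AireOS WLC CLI commands, so the relationship between RADIUS server, dynamic interface, WLAN, security, QoS and session timeout is visible in one place. The RADIUS address and shared secret, VLAN, interface name, WLAN ID and SSID are placeholders I made up; lines beginning with "!" are annotations, not commands; verify syntax with "?" on your AireOS release.

```text
! Added example, not from the original post. Placeholders: RADIUS server
! 192.0.2.20 with shared secret "CHANGE-ME", WLAN ID 3, VLAN 30 on
! interface "employees".

! 1. RADIUS server: index 1, standard auth port 1812, ASCII shared secret
config radius auth add 1 192.0.2.20 1812 ascii CHANGE-ME
config radius auth enable 1

! 2. Dynamic interface that maps the SSID to the wired VLAN
config interface create employees 30
config interface vlan employees 30
config interface port employees 1
config interface address employees 10.30.0.5 255.255.255.0 10.30.0.1
config interface dhcp employees primary 10.30.0.1

! 3. New WLAN (ID 3, profile "Corp", SSID "Corp") bound to that interface
config wlan create 3 Corp Corp
config wlan interface 3 employees

! 4. Security: WPA2 with AES and 802.1X key management, authenticating
!    against RADIUS server index 1 (no pre-shared key on this WLAN)
config wlan security wpa enable 3
config wlan security wpa wpa2 enable 3
config wlan security wpa wpa2 ciphers aes enable 3
config wlan security wpa akm 802.1x enable 3
config wlan radius_server auth add 3 1

! 5. QoS: Silver is the best-effort default; Gold/Platinum are for video/voice WLANs
config wlan qos 3 silver

! 6. Advanced: set the session timeout explicitly to the 1800 s default so
!    clients must reauthenticate every 30 minutes
config wlan session-timeout 3 1800

config wlan enable 3

! Verify the interface binding, security settings and timeout took effect
show wlan 3
show radius summary
```

Two things worth checking in the `show wlan 3` output before trusting the WLAN: that the interface is the one you intended (a WLAN left on "management" puts clients on the controller's management VLAN) and that 802.1X, not PSK, appears as the AKM.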

 

 

CCNA Wireless Summary Notes: Understanding Wireless Client



Overview of common clients

  1. Windows 7 and 8
  2. Intel PROSet – Can be installed if you are using an Intel wireless adapter. It's preferable when dealing with Lightweight Extensible Authentication Protocol (LEAP), EAP Flexible Authentication via Secure Tunneling (EAP-FAST), or Cisco Compatible Extensions (CCX) because these are not supported by Windows.
  3. Android
  4. Apple OS X
  5. Cisco AnyConnect – Runs on virtually all current operating systems and does not depend on the connection type. Has the following modules:
    1. VPN
    2. Diagnostic and Reporting Tool (DART) – for troubleshooting
    3. Network Access Manager (NAM) – controls authentication
    4. Posture Assessment – before it builds a connection, it verifies that the necessary elements like the antivirus and firewall are installed.
    5. Telemetry – sends info back to the web filtering infrastructure
    6. Web Security – enforces security policies according to Cisco Web Security policies.
  • For AnyConnect to manage wireless connections, the NAM and VPN modules should be installed.
  • Policies are created on the Cisco Adaptive Security Appliance (ASA) through its Adaptive Security Device Manager (ASDM) management front end and pushed to the client.
  • The main AnyConnect client interface consists of VPN, network, and web security functions.

Cisco Compatible Extensions (CCX)

The CCX program can be used to verify that clients support wireless enhancements. There are several versions of the program, v5 being the current one. v4 and v5 are interactive: the client reports information about itself to the wireless infrastructure.

Management frame protection (MFP) addresses an inherent weakness in the management frames that an AP transmits. This is supported in v5.

Features supported in CCX v1 to v5 (from the CCNA Wireless OCG):

[screenshot: CCX feature table from the OCG]

CCX Lite – Simplifies the compatibility process, as not all features are needed in all devices. Its categories are:

  • Foundation – core features common to all devices
  • Voice – supports features like CAC, voice metrics etc.
  • Location – for real-time tracking
  • Management – features like client and link management are included.

For a device to be CCX certified, it needs to be compliant with the Foundation module. The other modules are optional.

Security features supported in CCX (from the CCNA Wireless OCG):

  • 802.1X is in all versions
  • WPA from CCXv2
  • WPA2 from CCXv3, but:
    • PEAP-MSCHAP and EAP-TLS introduced in CCXv4
    • EAP-FAST introduced in CCXv3
  • MFP in v5 only

[screenshots: CCX security feature tables from the OCG]

 

 

Cisco ACS 5.4: Importing user file using .csv



How to create a list of users and add them to the ACS.

[screenshots: the ACS user import steps]

Finally, let's confirm that all users have been added.

[screenshot: imported users listed in ACS]

Patching Cisco ACS 5.4



Current status and version before patching:

acs100/admin# show application version acs

Cisco ACS VERSION INFORMATION
—————————–
Version : 5.4.0.46.0a
Internal Build ID : B.221

acs100/admin# show application status acs

ACS role: PRIMARY

Process ‘database’                  running
Process ‘management’                running
Process ‘runtime’                   running
Process ‘ntpd’                      running
Process ‘view-database’             running
Process ‘view-jobmanager’           running
Process ‘view-alertmanager’         running
Process ‘view-collector’            running
Process ‘view-logprocessor’         running

Showing the path to the FTP server where my patch files are:

repository FTP
  url ftp://172.0.6.67/
  user admin password plain test1234

Making sure that I am able to reach my server:

acs100/admin# ping ip 172.0.6.67
PING 172.0.6.67 (172.0.6.67) 56(84) bytes of data.
64 bytes from 172.0.6.67: icmp_seq=1 ttl=128 time=0.505 ms
64 bytes from 172.0.6.67: icmp_seq=2 ttl=128 time=0.490 ms
64 bytes from 172.0.6.67: icmp_seq=3 ttl=128 time=0.441 ms
64 bytes from 172.0.6.67: icmp_seq=4 ttl=128 time=0.440 ms

Patching process:

acs100/admin# acs patch install 5-4-0-46-6.tar.gpg repository FTP
Installing ACS patch requires a restart of ACS services. Continue?  (yes/no) y
Calculating disk size for /opt/CSCOacs/patches
Total size of patch files are 1103 M.
Max Size defined for patch files are 1000 M.
WARNING: Patch of size 1103 M exceeds the allowed quota of 1000 M. This will not prohibit patch installation process as long as there is enough disk space. Please note that this indicates you should consider moving ACS to a higher disk space machine
Stopping ACS.
Stopping Management and View………………………………………………………
Stopping Runtime……..
Stopping Database…….
Stopping Ntpd….
Cleanup..
Stopping log forwarding …..
Installing patch version ‘5.4.0.46.6’
Installing ADE-OS 1.2 patch.  Please wait…
Decompressing patch files 5.4.0.46.6 …
About to install files
Removing old war
Removing old war
Removing old war
Removing old war
Removing old war
Removing old war
Removing old war
Removing old war
Removing old war
Removing old war
/opt/CSCOacs/patches/5-4-0-46-6
Patch ‘5-4-0-46-6’ version ‘5.4.0.46.6’ successfully installed
Starting ACS ….

To verify that ACS processes are running, use the
‘show application status acs’ command.

 

Verifying that the ACS is back up and the processes are running. It took a few minutes for all processes to finish initialization:

acs100/admin# show application status acs

ACS role: PRIMARY

Process ‘database’                  running
Process ‘management’                running (HTTP is nonresponsive)
Process ‘runtime’                   running
Process ‘ntpd’                      running
Process ‘view-database’             Restarting
Process ‘view-jobmanager’           initializing
Process ‘view-alertmanager’         initializing
Process ‘view-collector’            initializing
Process ‘view-logprocessor’         initializing

acs100/admin# show application status acs

ACS role: PRIMARY

Process ‘database’                  running
Process ‘management’                running
Process ‘runtime’                   running
Process ‘ntpd’                      running
Process ‘view-database’             running
Process ‘view-jobmanager’           running
Process ‘view-alertmanager’         running
Process ‘view-collector’            running
Process ‘view-logprocessor’         running

Confirming that the version has been updated:

acs100/admin# show version

Cisco Application Deployment Engine OS Release: 2.0
ADE-OS Build Version: 2.0.3.063
ADE-OS System Architecture: i386

Copyright (c) 2005-2011 by Cisco Systems, Inc.
All rights reserved.
Hostname: acs100

Version information of installed applications
———————————————

Cisco ACS VERSION INFORMATION
—————————–
Version : 5.4.0.46.6
Internal Build ID : B.221
Patches :
5-4-0-46-6

And just because I feel like rebooting the server to make sure that all is well, let's stop the services:

acs100/admin# acs stop

Stopping ACS.
Stopping Management and View………………………………………………………
Stopping Runtime……..
Stopping Database…….
Stopping Ntpd….
Cleanup..

Reload

acs100/admin# reload
Save the current ADE-OS running configuration? (yes/no) [yes] ?
Generating configuration…
Saved the ADE-OS running configuration to startup successfully
Continue with reboot? [y/n] y

Broadcast message from root (pts/0) (Tue Jun 17 14:00:07 2014):

The system is going down for reboot NOW!

And finally, confirm that all is well after the reboot:

ACS100/admin# show application status acs

ACS role: PRIMARY

Process ‘database’                  running
Process ‘management’                running
Process ‘runtime’                   running
Process ‘ntpd’                      running
Process ‘view-database’             running
Process ‘view-jobmanager’           running
Process ‘view-alertmanager’         running
Process ‘view-collector’            running
Process ‘view-logprocessor’         running

There you go. Easy pizzy 🙂

 

CCNA Wireless Summary Notes: Managing Wireless Networks with Wireless Control System (WCS) & a sneak peek into the Cisco Prime interface



Evolution of WCS

Cisco WCS (no longer supported) -> Cisco Prime Network Control System (NCS) -> Cisco Prime Infrastructure (PI), which works with both wired and wireless.

WCS

Hosted on 32-bit Windows 2003 SP1+ or Red Hat Linux Server. Has two forms:

  1. WCS Base (clients are located in relation to the nearest AP)
  2. WCS Plus (client location is more accurate and can also use the MSE for tracking)

Licensing

  1. Single Server Licence for 50, 100 or 500 APs
  2. Enterprise licence (only for WCS Plus) – can support 1 or more server instances with a max of 50000 APs

Cisco WCS Navigator acts as a single interface to access up to 20 distinct WCS servers. This is a separate product.

WCS Page Displays

  • Alarm Summary
    1. Grouped as critical, major and minor.
    2. WCS will remember each alarm for a default period of 15 days or until someone takes some action on it.
    3. Actions to be performed on alarms:
      • Assign to me – remains in your alarm list
      • Unassign – removed from your alarm list
      • Delete – WCS will forget about it
      • Clear – WCS will record it and remove it from the list
      • Acknowledge – alarm has been checked and can be removed from the list
      • Unacknowledge – alarm is added back to the list
      • Email notification

  • Main Navigation Area
    1. Functions that can be performed:
      • Monitor
      • Reports
      • Administer WCS
      • Configure – changes to WLCs, APs etc.
      • Services – integrate WCS with external services
      • Tools – perform audits, attach info to Cisco TAC requests
      • Help

  • Home
    1. Displays charts and graphs of wireless activity.
    2. Is customizable for each user

WCS to configure devices

Configure > Controllers (add correct SNMP settings for the controller to be added)

WCS Maps

Monitor > Maps

  • WCS maps are organized in a tree-like structure. A campus contains one or more buildings or outdoor areas. Each building can contain one or more floor maps. By default, maps are placed into a system campus.
  • WCS computes the RF signal strength for each AP and displays the results as a colored heatmap. Red represents a strong signal (–35 dBm), progressing through orange, yellow, green, and then blues and purples at the weak end of the scale (–90 dBm).
  • WCS updates the AP icons based on current conditions. A green icon – AP radio that is working properly, with no faults or alarms. A yellow icon – AP radio with a minor alarm, while a red icon indicates a major alarm.

In summary, the interface for the WCS is similar to the Prime Infrastructure Interface. Since PI is what I have for now, I will show you the interface that it has. Please note that PI is not covered in the CCNA series so this is just additional information for those who want 🙂

Home

What you can access from the Cisco Prime Infrastructure Monitor interface

Configure interface

Services allow you to add access to external services like MSE for tracking

The Report tab can be used to generate reports

The Administration tab can be used to configure the PI itself

Oh, forgot to mention that the alarms were moved to the bottom in PI.

[screenshot: Cisco Prime Infrastructure, Monitor > Maps area view]

Last but not least, the most interesting part of it all, of course, is the site map 🙂

[screenshot: Cisco Prime Infrastructure site map]

 

CCNA Wireless Summary Notes: Dealing with Wireless Interference



Interference – 802.11 signals that originate from a source other than the expected APs

Noise – Signals that originate from a source that is not 802.11

Common non-802.11 devices that can interfere with a WLAN

Bluetooth

  • Has low power consumption
  • Grouped in 3 classes (class 1 – 1 mW, class 2 – 2.5 mW, class 3 – up to 100 mW and is less common)
  • Operates in 2.4-GHz ISM band but Not compatible with 802.11 standard
  • Up to eight devices can be paired or linked into a PAN, with one device taking a master role and the others operating as slaves

ZigBee

  • Defined in the IEEE 802.15.4 standard
  • allocates the 2.4-GHz ISM band into 16 channels of 5 MHz each
  • has a low duty cycle and does not utilize a channel much of the time
  • Low power consumption
  • Low transmit power level hence less interference
  • Low data rates ( 20 to 250 Kbps).
  • commonly used for energy management and home and building automation applications

Cordless Phones

  • Phones that are advertised to use the 2.4- and 5.8-GHz bands can cause significant interference with nearby WLANs
  • Can use one channel at a time, but can also change channels dynamically
  • Transmit power can rise up to 250 mW (more than the AP maximum power)
  • DECT phones do not use the 2.4-GHz ISM band hence do not cause interference with 802.11 WLANs. They operate in the upper portion of the 1.8 GHz band in Europe, Asia, Australia, and South America. For America – 1.9 GHz.

Microwave Ovens

  • Microwave ovens are free to use the 2.4-GHz ISM band and most produce a signal that spreads over a large portion of the band
  • Microwaves are commonly rated to generate around 700 W of power inside the oven. Leaked energy often interferes with nearby APs.

WiMAX (Worldwide Interoperability for Microwave Access)

  • Specified in the IEEE 802.16 standard and not compatible with 802.11 WLANs
  • Provides “last mile” broadband access to consumers within a geographic area
  • WiMAX does not require line of sight with a base station, so it can offer connectivity to many fixed and mobile users within a 3 to 10-km radius
  • Uses several bands between 2 and 11 GHz and from 10 to 66 GHz
  • Can cause interference, but this is highly unlikely.

Cisco CleanAir

This is a spectrum analysis capability built right into the radio hardware that enables the AP to operate normally while also monitoring RF energy on its channel, analyzing the data, and reporting specific information about any interfering devices without interrupting normal WLAN operation. 802.11 frames are processed normally using the split-MAC architecture, whereas non-802.11 signals are processed by the spectrum analysis hardware in the AP and then sent to the WLC, which can also forward the information to the MSE so that the interference can be located. Using the Radio Resource Management (RRM) process and Event-driven RRM, the interference can be reacted to automatically: the AP can be moved to a different channel.

Check channel quality for an AP

Monitor > Access Points > Radios > 802.11a/n or 802.11b/g/n.

Enable CleanAir

Interference

The duty cycle is the percentage of time the source is transmitting on the channel, which indicates its persistence or how much of the airtime the interferer is consuming. The AP combines the RSSI and duty cycle into a severity index value. Severity ranges from 0 (not severe) to 100 (very severe).

Interference device reports

Cisco WLCs can do a better analysis by calculating an air-quality index (AQI) for each AP and its channels, which indicates Wi-Fi health within an AP's cell (0 – unusable, 100 – perfect).

Event-Driven RRM (ED-RRM)

CleanAir and RRM can work together so that controllers actually take some action on interference events at the regular RRM intervals which by default is 10 minutes (when the dynamic channel algorithm is run by the controller).

With ED-RRM, the RRM DCA process is triggered immediately when interference is reported by an AP. You must enable it and then specify the AQI threshold that will be used as the baseline.

Enable ED-RRM and choose the AQI threshold
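As an added example (not from the original post), enabling CleanAir, an air-quality alarm and Event-driven RRM from the AireOS WLC CLI, followed by the show commands used to confirm the resulting channel quality and interferer reports. Lines beginning with "!" are annotations, not commands. The AQI threshold of 50 is a value I picked for illustration, and the mapping of the ED-RRM sensitivity keyword to an AQI threshold is read back from the controller rather than assumed; verify syntax with "?" on your release.

```text
! Added example, not from the original post.

! Enable CleanAir on both bands and classify every interferer type the AP supports
config 802.11a cleanair enable network
config 802.11b cleanair enable network
config 802.11a cleanair device enable all
config 802.11b cleanair device enable all

! Raise an alarm when a cell's air-quality index drops below 50
! (0 = unusable, 100 = perfect); 50 is an illustrative value
config 802.11a cleanair alarm air-quality enable
config 802.11a cleanair alarm air-quality threshold 50
config 802.11b cleanair alarm air-quality enable
config 802.11b cleanair alarm air-quality threshold 50

! Event-driven RRM: run DCA immediately on an interference report instead of
! waiting for the regular 10-minute RRM interval. The CLI sets the AQI trigger
! threshold through the sensitivity keyword (low/medium/high)
config advanced 802.11a channel cleanair-event enable
config advanced 802.11a channel cleanair-event sensitivity medium
config advanced 802.11b channel cleanair-event enable
config advanced 802.11b channel cleanair-event sensitivity medium

! Verify: CleanAir state, per-AP air quality, classified interferers with
! their severity and duty cycle, and the ED-RRM threshold actually in effect
show 802.11a cleanair config
show 802.11a cleanair air-quality summary
show 802.11a cleanair device type all
show advanced 802.11a channel
```

When reading the device report, treat severity (RSSI combined with duty cycle) rather than RSSI alone as the signal to act on: a strong but rarely transmitting source costs little airtime, whereas a persistent one at moderate RSSI is what drags the AQI down and triggers ED-RRM.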