
SOLUTIONS SET

LAB 1
Real Labs V2

www.cciewirelesslabs.com
25-June-2013 1st Release 15-June-2013

1. L2/L3 Infrastructure to support WLANs

1.1 Configure IPv4 routing infrastructure

6504-A
router ospf 1
passive-interface default
no passive-interface Vlan129
network 192.168.129.2 0.0.0.0 area 0
default-information originate always

6504-B
router ospf 1
passive-interface default
no passive-interface Vlan129
network 192.168.129.3 0.0.0.0 area 0

Verification:

6504-B#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 192.168.129.2 to network 0.0.0.0

O*E2  0.0.0.0/0 [110/1] via 192.168.129.2, 00:26:48, Vlan129
      172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.16.0.0/24 is directly connected, Vlan172
L        172.16.0.3/32 is directly connected, Vlan172
      192.168.129.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.129.0/24 is directly connected, Vlan129
L        192.168.129.3/32 is directly connected, Vlan129
      192.168.130.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.130.0/24 is directly connected, Vlan130
L        192.168.130.3/32 is directly connected, Vlan130
      192.168.136.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.136.0/24 is directly connected, Vlan136
L        192.168.136.3/32 is directly connected, Vlan136
      192.168.137.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.137.0/24 is directly connected, Vlan137
L        192.168.137.3/32 is directly connected, Vlan137
      192.168.138.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.138.0/24 is directly connected, Vlan138
L        192.168.138.3/32 is directly connected, Vlan138
      192.168.141.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.141.0/24 is directly connected, Vlan141
L        192.168.141.3/32 is directly connected, Vlan141
      192.168.142.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.142.0/24 is directly connected, Vlan142
L        192.168.142.3/32 is directly connected, Vlan142
      192.168.143.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.143.0/24 is directly connected, Vlan143
L        192.168.143.3/32 is directly connected, Vlan143

1.2 Configure IPv4 HA infrastructure

6504-A
interface Vlan129
ip address 192.168.129.2 255.255.255.0
standby version 2
standby 1 ip 192.168.129.1
standby 1 priority 255
standby 1 preempt
standby 1 authentication md5 key-string Cisco123
!
interface Vlan130
ip address 192.168.130.2 255.255.255.0
standby version 2
standby 1 ip 192.168.130.1
standby 1 priority 255
standby 1 preempt
standby 1 authentication md5 key-string Cisco123
!
interface Vlan136
ip address 192.168.136.2 255.255.255.0
standby version 2
standby 1 ip 192.168.136.1
standby 1 priority 255
standby 1 preempt
standby 1 authentication md5 key-string Cisco123
!
interface Vlan137
ip address 192.168.137.2 255.255.255.0
standby version 2
standby 1 ip 192.168.137.1
standby 1 priority 255
standby 1 preempt
standby 1 authentication md5 key-string Cisco123
!
interface Vlan138
ip address 192.168.138.2 255.255.255.0
!
interface Vlan141
ip address 192.168.141.2 255.255.255.0
standby version 2
standby 2 ip 192.168.141.1
standby 2 priority 90
standby 2 authentication md5 key-string Cisco123
!
interface Vlan142
ip address 192.168.142.2 255.255.255.0
standby version 2
standby 2 ip 192.168.142.1
standby 2 priority 90
standby 2 authentication md5 key-string Cisco123
!
interface Vlan143
ip address 192.168.143.2 255.255.255.0
standby version 2
standby 2 ip 192.168.143.1
standby 2 priority 90
standby 2 authentication md5 key-string Cisco123
!
interface Vlan172
ip address 172.16.0.2 255.255.255.0
!
router ospf 1
passive-interface default
no passive-interface Vlan129
network 192.168.129.0 0.0.0.255 area 0
default-information originate always

6504-B
interface Vlan129
ip address 192.168.129.3 255.255.255.0
standby version 2
standby 1 ip 192.168.129.1
standby 1 priority 90
standby 1 authentication md5 key-string Cisco123
!
interface Vlan130
ip address 192.168.130.3 255.255.255.0
standby version 2
standby 1 ip 192.168.130.1
standby 1 priority 90
standby 1 authentication md5 key-string Cisco123
!
interface Vlan136
ip address 192.168.136.3 255.255.255.0
standby version 2
standby 1 ip 192.168.136.1
standby 1 priority 90
standby 1 authentication md5 key-string Cisco123
!
interface Vlan137
ip address 192.168.137.3 255.255.255.0
standby version 2
standby 1 ip 192.168.137.1
standby 1 priority 90
standby 1 authentication md5 key-string Cisco123
!
interface Vlan138
ip address 192.168.138.3 255.255.255.0
!
interface Vlan141
ip address 192.168.141.3 255.255.255.0
standby version 2
standby 2 ip 192.168.141.1
standby 2 priority 255
standby 2 preempt
standby 2 authentication md5 key-string Cisco123
!
interface Vlan142
ip address 192.168.142.3 255.255.255.0
standby version 2
standby 2 ip 192.168.142.1
standby 2 priority 255
standby 2 preempt
standby 2 authentication md5 key-string Cisco123
!
interface Vlan143
ip address 192.168.143.3 255.255.255.0
standby version 2
standby 2 ip 192.168.143.1
standby 2 priority 255
standby 2 preempt
standby 2 authentication md5 key-string Cisco123

Verification:

6504-A#show standby brief
                     P indicates configured to preempt.

Interface   Grp  Pri P State   Active          Standby         Virtual IP
Vl129       1    255 P Active  local           192.168.129.3   192.168.129.1
Vl130       1    255 P Active  local           192.168.130.3   192.168.130.1
Vl136       1    255 P Active  local           192.168.136.3   192.168.136.1
Vl137       1    255 P Active  local           192.168.137.3   192.168.137.1
Vl141       2    90    Standby 192.168.141.3   local           192.168.141.1
Vl142       2    90    Standby 192.168.142.3   local           192.168.142.1
Vl143       2    90    Standby 192.168.143.3   local           192.168.143.1

6504-B#show standby brief
                     P indicates configured to preempt.

Interface   Grp  Pri P State   Active          Standby         Virtual IP
Vl129       1    90    Standby 192.168.129.2   local           192.168.129.1
Vl130       1    90    Standby 192.168.130.2   local           192.168.130.1
Vl136       1    90    Standby 192.168.136.2   local           192.168.136.1
Vl137       1    90    Standby 192.168.137.2   local           192.168.137.1
Vl141       2    255 P Active  local           192.168.141.2   192.168.141.1
Vl142       2    255 P Active  local           192.168.142.2   192.168.142.1
Vl143       2    255 P Active  local           192.168.143.2   192.168.143.1

6504-A#show standby vlan 129
Vlan129 - Group 1 (version 2)
  State is Active
    2 state changes, last state change 00:19:31
  Virtual IP address is 192.168.129.1
  Active virtual MAC address is 0000.0c9f.f001
    Local virtual MAC address is 0000.0c9f.f001 (v2default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.776 secs
  Authentication MD5, key-string
  Preemption enabled
  Active router is local
  Standby router is 192.168.129.3, priority 90 (expires in 10.320 sec)
  Priority 255 (configured 255)
  Group name is "hsrp-Vl129-1" (default)
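
Added example (not part of the original solution set): a Python check that the two 6504s agree on every HSRP group, meaning the same virtual IP, MD5 authentication present and identical on both peers, and preemption on the higher-priority peer. The Vlan129 and Vlan141 lines are trimmed from the configuration above; CFG_B_DRIFTED and the function names are constructed for the illustration.

```python
import re

# Vlan129 and Vlan141 HSRP lines, trimmed from the 1.2 configuration above.
CFG_6504_A = """
interface Vlan129
 standby version 2
 standby 1 ip 192.168.129.1
 standby 1 priority 255
 standby 1 preempt
 standby 1 authentication md5 key-string Cisco123
interface Vlan141
 standby version 2
 standby 2 ip 192.168.141.1
 standby 2 priority 90
 standby 2 authentication md5 key-string Cisco123
"""
CFG_6504_B = """
interface Vlan129
 standby version 2
 standby 1 ip 192.168.129.1
 standby 1 priority 90
 standby 1 authentication md5 key-string Cisco123
interface Vlan141
 standby version 2
 standby 2 ip 192.168.141.1
 standby 2 priority 255
 standby 2 preempt
 standby 2 authentication md5 key-string Cisco123
"""
# Constructed for this example (not on the page): 6504-B after three drifts.
CFG_B_DRIFTED = (CFG_6504_B
    .replace(" standby 1 authentication md5 key-string Cisco123\n", "")
    .replace("standby 2 ip 192.168.141.1", "standby 2 ip 192.168.142.1")
    .replace(" standby 2 preempt\n", ""))

STANDBY_RE = re.compile(
    r"standby (\d+) (ip|priority|preempt|authentication)(?: (.+))?$")


def parse_hsrp(config):
    """Map (interface, group) -> HSRP settings from IOS interface stanzas."""
    groups, iface = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            iface = line.split()[1]
            continue
        m = STANDBY_RE.match(line)
        if not (m and iface):
            continue  # skips "standby version 2" and non-HSRP lines
        grp = groups.setdefault((iface, int(m.group(1))), {
            "vip": None, "priority": 100, "preempt": False, "auth": None})
        key, arg = m.group(2), m.group(3)
        if key == "preempt":
            grp["preempt"] = True
        elif key == "priority" and arg:
            grp["priority"] = int(arg)
        elif key == "ip":
            grp["vip"] = arg
        else:
            grp["auth"] = arg
    return groups


def audit_pair(cfg_a, cfg_b):
    """Return (interface, group, issue) tuples for one HSRP peer pair."""
    a, b = parse_hsrp(cfg_a), parse_hsrp(cfg_b)
    findings = []
    for key in sorted(set(a) | set(b)):
        def flag(issue, key=key):
            findings.append((key[0], key[1], issue))
        if key not in a or key not in b:
            flag("group configured on one peer only")
            continue
        ga, gb = a[key], b[key]
        if ga["vip"] != gb["vip"]:
            flag("virtual IP differs between peers")
        if not (ga["auth"] and gb["auth"]):
            flag("authentication missing on a peer")
        elif ga["auth"] != gb["auth"]:
            flag("authentication differs between peers")
        elif not ga["auth"].startswith("md5 "):
            flag("plain-text authentication")
        if ga["priority"] == gb["priority"]:
            flag("equal priority on both peers")
        elif not max(ga, gb, key=lambda g: g["priority"])["preempt"]:
            flag("higher-priority peer does not preempt")
    return findings


if __name__ == "__main__":
    for finding in audit_pair(CFG_6504_A, CFG_B_DRIFTED):
        print(*finding, sep=": ")
```

The page's own pair produces no findings; the drifted copy is reported for the missing authentication on Vlan129 and for the virtual IP and preemption changes on Vlan141.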

1.3 Configure HA on the switching infrastructure

6504-A
spanning-tree vlan 129-130,136-137 priority 0
spanning-tree vlan 141-143,300-301 priority 4096
interface Port-channel1
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface Port-channel2
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface Port-channel3
switchport trunk encapsulation dot1q
switchport mode trunk
!
port-channel load-balance src-dst-ip
interface GigabitEthernet1/1
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode on
!
interface GigabitEthernet1/2
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode on
interface range GigabitEthernet4/21-22
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 2 mode on
interface range GigabitEthernet4/10-11
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 3 mode on

6504-B
spanning-tree vlan 129-130,136-137 priority 4096
spanning-tree vlan 141-143,300-301 priority 0
interface Port-channel1
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface Port-channel2
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/1
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode on
!
interface GigabitEthernet1/2
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode on
interface GigabitEthernet4/20
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 2 mode on
interface GigabitEthernet4/22
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 2 mode on

2960-Central Switch
spanning-tree portfast bpdufilter default

Verification:
6504-A#show spanning-tree root
                                         Root   Hello Max Fwd
Vlan                   Root ID           Cost   Time  Age Dly  Root Port
---------------- -------------------- --------- ----- --- --- ------------
VLAN0001         32769 001b.0d57.2a80        12     2  20  15  Po1
VLAN0128         32896 001b.0d57.2a80        12     2  20  15  Po1
VLAN0129           129 0025.b46c.c200         0     2  20  15
VLAN0130           130 0025.b46c.c200         0     2  20  15
VLAN0136           136 0025.b46c.c200         0     2  20  15
VLAN0137           137 0025.b46c.c200         0     2  20  15
VLAN0138         32906 001b.0d57.2a80        12     2  20  15  Po1
VLAN0141           141 001b.0d57.2a80        12     2  20  15  Po1
VLAN0142           142 001b.0d57.2a80        12     2  20  15  Po1
VLAN0143           143 001b.0d57.2a80        12     2  20  15  Po1
VLAN0172         32940 001b.0d57.2a80        12     2  20  15  Po1
VLAN0300           300 001b.0d57.2a80        12     2  20  15  Po1
VLAN0301           301 001b.0d57.2a80        12     2  20  15  Po1

6504-B#show spanning-tree root
                                         Root   Hello Max Fwd
Vlan                   Root ID           Cost   Time  Age Dly  Root Port
---------------- -------------------- --------- ----- --- --- ------------
VLAN0001         32769 001b.0d57.2a80         0     2  20  15
VLAN0128         32896 001b.0d57.2a80         0     2  20  15
VLAN0129           129 0025.b46c.c200        12     2  20  15  Po1
VLAN0130           130 0025.b46c.c200        12     2  20  15  Po1
VLAN0136           136 0025.b46c.c200        12     2  20  15  Po1
VLAN0137           137 0025.b46c.c200        12     2  20  15  Po1
VLAN0138         32906 001b.0d57.2a80         0     2  20  15
VLAN0141           141 001b.0d57.2a80         0     2  20  15
VLAN0142           142 001b.0d57.2a80         0     2  20  15
VLAN0143           143 001b.0d57.2a80         0     2  20  15
VLAN0172         32940 001b.0d57.2a80         0     2  20  15
VLAN0300           300 001b.0d57.2a80         0     2  20  15
VLAN0301           301 001b.0d57.2a80         0     2  20  15

6504-A#show etherchannel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator

        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SU)          -        Gi1/1(P)    Gi1/2(P)

1.4 Configure QoS on the switching infrastructure

6504-A
mls qos
mls qos map cos-dscp 0 10 18 26 34 46 48 54

int range Gi4/21-22
priority-queue out
mls qos trust cos

int range Gi4/10-11
priority-queue out
mls qos trust cos

int Gi4/3
priority-queue out
mls qos trust dscp

int Gi4/5
priority-queue out
mls qos trust dscp

int range Gi1/1-2
priority-queue out
mls qos trust ip-precedence

6504-B
mls qos
mls qos map cos-dscp 0 10 18 26 34 46 48 54

int Gi4/20
priority-queue out
mls qos trust cos

int Gi4/22
priority-queue out
mls qos trust cos

int range Gi4/10-11
priority-queue out
mls qos trust cos

int Gi4/1
priority-queue out
mls qos trust dscp

int Gi4/47
priority-queue out
mls qos trust dscp

int range Gi1/1-2
priority-queue out
mls qos trust ip-precedence

Remote-3560
mls qos
mls qos map cos-dscp 0 10 18 26 34 46 48 54

int range Gi0/20-21
priority-queue out
mls qos trust cos

int range Gi0/1-2
priority-queue out
mls qos trust dscp

2. Infrastructure Application Services

2.1 Troubleshooting Discovery mechanisms

6504-A
ip dhcp excluded-address 192.168.132.1 192.168.132.9
ip dhcp excluded-address 192.168.132.21 192.168.132.254
ip dhcp pool vlan300
network 192.168.132.0 255.255.255.0
default-router 192.168.132.1
option 43 hex f104.c0a8.810f
!
interface Gi4/3
description L3500-1
switchport access vlan 300
switchport mode access
!
interface Gi4/5
description L3500-2
switchport access vlan 300
switchport mode access
!
interface Vlan300
ip address 192.168.132.2 255.255.255.0
ip helper-address 192.168.132.2

6504-B
ip dhcp excluded-address 192.168.133.1 192.168.133.9
ip dhcp excluded-address 192.168.133.21 192.168.133.254
ip dhcp pool vlan301
network 192.168.133.0 255.255.255.0
default-router 192.168.133.1
option 43 hex f104.c0a8.8110
!
interface Gi4/1
description L3500-4
switchport access vlan 301
switchport mode access
!
interface Vlan301
ip address 192.168.133.3 255.255.255.0
ip helper-address 192.168.133.3

2960-central
interface Fa0/1
description L3500-3
switchport access vlan 301
switchport mode access
!
interface Vlan301
ip address 192.168.133.4 255.255.255.0
ip helper-address 192.168.133.3

3560-remote
ip dhcp excluded-address 192.168.149.1 192.168.149.9
ip dhcp excluded-address 192.168.149.21 192.168.149.254
ip dhcp pool vlan149
network 192.168.149.0 255.255.255.0
default-router 192.168.149.1
option 43 hex f104.c0a8.9106
!
interface Vlan149
ip address 192.168.149.1 255.255.255.0
ip helper-address 192.168.149.1
!
interface Gi0/1
description L1260-1
switchport access vlan 149
switchport mode access
!
interface Gi0/2
description L1260-2
switchport access vlan 149
switchport mode access

5508-1

5508-2

Verification:

6504-A#show ip dhcp bind
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
192.168.132.10      0130.f70d.d8cd.b5       Mar 06 1993 05:53 AM    Automatic

6504-B#show ip dhcp bind
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
192.168.133.10      0130.f70d.dce7.93       Mar 06 1993 05:51 AM    Automatic
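
The option 43 hex values in the DHCP pools above are a type/length/value string: f1 is the sub-option type, the next byte is the length (4 bytes per controller), and the rest is the controller address list that the APs will try to join. The Python below is an added example, not part of the original solution set; it decodes the page's three values and checks pools against an allow-list. APPROVED and the CONSTRUCTED_POOLS entries are assumptions made for the illustration.

```python
import ipaddress

WLC_SUBOPTION = 0xF1  # sub-option type 241, as used by the pools on this page

# "option 43 hex" values exactly as configured in the three pools above.
PAGE_POOLS = {
    "vlan300": "f104.c0a8.810f",
    "vlan301": "f104.c0a8.8110",
    "vlan149": "f104.c0a8.9106",
}
# Assumed allow-list for the example: the addresses those pools decode to.
APPROVED = ["192.168.129.15", "192.168.129.16", "192.168.145.6"]
# Constructed values (not from the page) showing what the audit reports.
CONSTRUCTED_POOLS = {
    "changed": "f104.cb00.7163",    # decodes to 203.0.113.99 (RFC 5737 range)
    "truncated": "f108.c0a8.810f",  # length byte claims two controllers
}


def decode_option43(hex_value):
    """Decode an IOS 'option 43 hex' string into controller IPv4 strings."""
    raw = bytes.fromhex(hex_value.replace(".", "").replace(" ", ""))
    if len(raw) < 2:
        raise ValueError("missing type/length header")
    sub_type, length, payload = raw[0], raw[1], raw[2:]
    if sub_type != WLC_SUBOPTION:
        raise ValueError(f"unexpected sub-option type 0x{sub_type:02x}")
    if length != len(payload):
        raise ValueError(
            f"length byte says {length}, payload has {len(payload)}")
    if length == 0 or length % 4:
        raise ValueError("payload is not a whole number of IPv4 addresses")
    return [str(ipaddress.IPv4Address(payload[i:i + 4]))
            for i in range(0, length, 4)]


def encode_option43(controllers):
    """Build the dotted-hex string for a list of controller addresses."""
    payload = b"".join(ipaddress.IPv4Address(ip).packed for ip in controllers)
    if not payload or len(payload) > 255:
        raise ValueError("need between 1 and 63 controller addresses")
    digits = (bytes([WLC_SUBOPTION, len(payload)]) + payload).hex()
    return ".".join(digits[i:i + 4] for i in range(0, len(digits), 4))


def audit_pools(pools, approved):
    """Return {pool: problem} for pools that are malformed or unapproved."""
    problems = {}
    for pool, hex_value in pools.items():
        try:
            controllers = decode_option43(hex_value)
        except ValueError as exc:
            problems[pool] = f"malformed: {exc}"
            continue
        extra = sorted(set(controllers) - set(approved))
        if extra:
            problems[pool] = "unapproved controller(s): " + ", ".join(extra)
    return problems


if __name__ == "__main__":
    for pool, value in PAGE_POOLS.items():
        print(pool, value, "->", ", ".join(decode_option43(value)))
    for pool, problem in audit_pools(CONSTRUCTED_POOLS, APPROVED).items():
        print(pool, problem, sep=": ")
```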

2.2 Troubleshoot DHCP services

6504-B#show int fastEthernet 0/3
FastEthernet0/3 is administratively up, line protocol is up
  Hardware is Fast Ethernet, address is 001b.0d57.2a84 (bia 001b.0d57.2a84)
  Description: L3500-4

6504-B#debug dhcp detail
*Jun 1 19:38:47.875: DHCP: DHCP client process started: 10
*Jun 1 19:38:47.879: RAC: Starting DHCP discover on FastEthernet0/3
*Jun 1 19:38:47.879: DHCP: Try 1 to acquire address for FastEthernet0/3
*Jun 1 19:38:47.879: DHCP: allocate request
*Jun 1 19:38:47.879: DHCP: zapping entry in DHC_PURGING state for Fa0/3
*Jun 1 19:38:47.883: Hostname: 6504-B
*Jun 1 19:38:47.883: DHCP: new entry. add to queue, interface FastEthernet0/3
*Jun 1 19:38:47.883: DHCP: SDiscover attempt # 1 for entry:
*Jun 1 19:38:47.883: Temp IP addr: 0.0.0.0 for peer on Interface: FastEthernet0/3
*Jun 1 19:38:47.883: Temp sub net mask: 0.0.0.0
*Jun 1 19:38:47.883: DHCP Lease server: 0.0.0.0, state: 1 Selecting
*Jun 1 19:38:47.883: DHCP transaction id: 1A74
*Jun 1 19:38:47.883: Lease: 0 secs, Renewal: 0 secs, Rebind: 0 secs
*Jun 1 19:38:47.883: Next timer fires after: 00:00:04
*Jun 1 19:38:47.883: Retry count: 1 Client-ID: cisco-001b.0d57.2a84 -Fa0/3
*Jun 1 19:38:47.883: Client-ID hex dump: 636973636F2D303031662E636162362E
*Jun 1 19:38:47.883: 346463392D4661302F31
*Jun 1 19:38:47.883: Hostname: 6504-B
*Jun 1 19:38:47.883: DHCP: SDiscover: sending 291 byte length DHCP packet
*Jun 1 19:38:47.883: DHCP: SDiscover 291 bytes
*Jun 1 19:38:47.883: B'cast on FastEthernet0/3 interface from 0.0.0.0

2.3 Configure WLC Management


Take 5508-1 as the example and repeat for the rest of the WLCs.

Keys must be at least 12 characters and must match the WCS side.

2.4 Troubleshooting and configure syslog

2.5 Configure and troubleshoot RADIUS

Assume the IP address of the WLC has already been configured, so you only need to select the correct location and device type.

3. Autonomous deployment model

3.1 Configure WGB roaming behavior

1260-BR1

dot11 ssid WGB
vlan 129
authentication open
infrastructure-ssid
!
interface Dot11Radio1
no ip address
no ip route-cache
!
ssid WGB
!
no dfs band block
channel dfs
station-role root
infrastructure-client
!
interface Dot11Radio1.1
encapsulation dot1Q 129 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio1.143
encapsulation dot1Q 143
no ip route-cache
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
bridge-group 2 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
!
interface FastEthernet0.129
encapsulation dot1Q 129 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface FastEthernet0.143
encapsulation dot1Q 143
no ip route-cache
bridge-group 2
no bridge-group 2 source-learning
bridge-group 2 spanning-disabled

interface BVI1
ip address 192.168.129.101 255.255.255.0
no ip route-cache
!
ip default-gateway 192.168.129.1

1260-BR2

dot11 ssid WGB
vlan 129
authentication open
infrastructure-ssid

interface Dot11Radio1
no ip address
no ip route-cache
!
ssid WGB
!
no dfs band block
channel dfs
station-role workgroup-bridge
infrastructure-client
!
interface Dot11Radio1.1
encapsulation dot1Q 129 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio1.143
encapsulation dot1Q 143
no ip route-cache
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
bridge-group 2 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
!
interface FastEthernet0.129
encapsulation dot1Q 129 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface FastEthernet0.143
encapsulation dot1Q 143
no ip route-cache
bridge-group 2
no bridge-group 2 source-learning
bridge-group 2 spanning-disabled
!
interface BVI1
ip address 192.168.129.102 255.255.255.0
no ip route-cache
!
ip default-gateway 192.168.129.1

1260-BR1#show dot11 associations

802.11 Client Stations on Dot11Radio1:

SSID [WGB] :

MAC Address    IP address      Device        Name            Parent         State
0016.41a9.b764 192.168.143.3   WGB-client    -               001d.a1ff.7926 Assoc
001d.a1ff.7926 192.168.129.102 WGB           1260-BR2        self           Assoc

3.2 Configure WGB roaming behavior

UNII-1/Lower Band (5.150 to 5.250 GHz) Non-overlapping channels 36, 40, 44, 48
UNII-2/Middle Band (5.250 to 5.350 GHz) Non-overlapping channels 52, 56, 60, 64
UNII-2 Extended (5.470 to 5.725 GHz) Non-overlapping channels 100, 104, 108, 112, 120, 124, 128, 136, 140
UNII-3/Upper Band (5.725 to 5.825 GHz) Non-overlapping channels 149, 153, 157, 161, 165

1260-BR2
interface Dot11Radio1
mobile station scan 5180 5200 5220 5240
mobile station ignore neighbor-list
mobile station period 10 threshold 79

4. UNIFIED deployment model

4.1 Central site Data WLAN

Go to ACS ---> Create 2 locations: HQ and Remote

Add all WLCs to ACS and set the proper location

Go to Policy Elements -> Authorization and Permissions -> Network Access -> Authorization Profiles.

You need to create profiles with AAA override VLANs.

Do it the same way for the VLANs:

In ACS, go to Policy Elements > Session Conditions > Network Conditions > End Station Filters

This is so that we can match the WLAN.

In ACS go to Access Policies > Access Services > Default Network Access > Authorization

Click the Customize button

Let’s create policies

Make sure the default points to the DenyAccess rule.

Now go to WLC 5508-1 and 5508-2. The example is shown only on 5508-1; do the same on 5508-2.

Apply the same settings to dataB01 WLAN

4.2 Central site contractor WLAN

Do the same on 5508-1 and 5508-2. Authentication is preshared key Cisco123

4.3 Troubleshooting client roaming behavior

Go to Controller -> Mobility Management -> Mobility Groups -> Edit All

(change mac addresses according to your mac addresses)

On 5508-1
11:11:11:11:11:11 192.168.129.31
22:22:22:22:22:22 192.168.129.32

On 5508-2
22:22:22:22:22:22 192.168.129.32
11:11:11:11:11:11 192.168.129.31

(5508-1) >show mobility summary

Status should show UP

4.4 Remote site data WLAN

Go to ACS

Access Policies > Access Services > Default Network Access > Authorization

Then go to 5508-4

Put both APs into H-REAP mode (both 1260-1 and 1260-2)

Change port settings on the 3560-remote switch

!
interface FastEthernet0/11
switchport trunk encapsulation dot1q
switchport trunk native vlan 146
switchport mode trunk
priority-queue out
mls qos trust cos
spanning-tree portfast
!
!
interface FastEthernet0/12
switchport trunk encapsulation dot1q
switchport trunk native vlan 146
switchport mode trunk
priority-queue out
mls qos trust cos
spanning-tree portfast

Go to 5508-4 and create the dataR01 WLAN

4.5 Remote site data WLAN HA

In the previous question we changed the AP status to H-REAP and modified the switch port states.

Now go and create the hreap-group

Choose the RADIUS server

Add both APs to this group

Make sure both APs have this setting enabled (VLAN 146 as native)

4.6 Guest services

On 5508-1, 5508-2, 5508-3, and 5508-4, create the WLAN

On 5508-1,2

On 5508-3

On 5508-4

Now add 5508-1, 5508-2, 5508-4 to mobility list of 5508-3 and vice-versa
(example is shown on 5508-1 and 5508-3)

(5508-1) >show mobility summary

Symmetric Mobility Tunneling (current) .......... Enabled
Symmetric Mobility Tunneling (after reboot) ..... Enabled
Mobility Protocol Port........................... 16666
Default Mobility Domain.......................... HQ
Multicast Mode .................................. Disabled
Mobility Domain ID for 802.11r................... 0x6b2f
Mobility Keepalive Interval...................... 10
Mobility Keepalive Count......................... 3
Mobility Group Members Configured................ 3
Mobility Control Message DSCP Value.............. 0

Controllers configured in the Mobility Group
 MAC Address        IP Address       Group Name   Multicast IP   Status
 11:11:11:11:11:11  192.168.129.32   HQ           0.0.0.0        Up
 22:22:22:22:22:22  192.168.129.31   HQ           0.0.0.0        Up
 33:33:33:33:33:33  192.168.136.33   HQ           0.0.0.0        Up

So the total mobility list should be established like this:

5508-1 with 5508-2
5508-1 with 5508-3

5508-2 with 5508-1
5508-2 with 5508-3

5508-3 with 5508-1
5508-3 with 5508-2
5508-3 with 5508-4

5508-4 with 5508-1

Then do the anchoring on 5508-1, 5508-2, 5508-3, 5508-4

On 5508-1, 5508-2, 5508-4

On 5508-3

4.7 Configuring and troubleshooting the home office solution

Go to 5508-3

Controller / interfaces / edit / management

You need to manually add L1040 to the controller:

capwap ap ip address 192.168.128.1 255.255.255.0
capwap ap ip default-gateway 192.168.128.254

Then add the controller:

capwap ap controller ip address 192.168.128.33

Then change the name on the controller to L1040.

Convert it to H-REAP and OFFICE EXTEND AP

4.8 Channel assignment

On 5508-1, 5508-2, 5508-3, 5508-4

Go to WIRELESS / 802.11b / RRM / DCA

On 5508-1

Make it the RF leader

4.9 Implementing CleanAir

On 5508-1 and 5508-2

Also check that CleanAir is enabled at the AP level!

Go to Wireless / access points / Radios / 802.11b/g/n

Select the AP, then select in the right corner

Check the CleanAir admin status. Do this on all 3500 series APs.

4.10 Rogue detection

On 5508-1 and 5508-2

Security / wireless protection policies /rogue protection/general

5. WCS

5.1 WCS Initial configuration

Take 5508-1 as the example and repeat for the rest of the WLCs.

Keys must be at least 12 characters and must match the WCS side.

5.2 Troubleshooting MSE Context Aware Services

Step 1: Console in and restart the setup wizard

Step 2: Add the MSE to the WLC

Step 3: Verify NMSP

On each WLC, issue show auth-list

Manually add the MSE and establish the NMSP connection

MSE:

On NCS, choose Services->Mobility Services

Select the left sidebar menu, choose System->Status->NMSP Connection Status to verify

6. WLAN Services

6.1 Voice infrastructure setup

Step 1: Create VLAN130 interface on WLC

Step 2: Add a new Voice WLAN

Step 3: 802.11b/g Setup

On the 7925, ensure the scan mode is set to auto.

6.2 Voice troubleshooting

To check client TSM statistics, the Metrics Collection box must be ticked.

Select client TSM from the drop-down menu to check the statistics.

6.3 Phone configuration

CME configuration:
ephone 1
mac xxxx.xxxx.xxxx
type 7925
button 1:x

On 7925 phone setting:

Step 1: Choose network profile
Step 2: Provide profile name and SSID
Step 3: Type in Username: user1 and Password: Cisco123 to connect wireless network
Step 4: Ensure ACS has the certificate (Refer to section 4)
