Friday, July 29, 2016

Building my CCNA Wireless Home Lab

The CCNA Wireless WIFUND 200-355 exam covers WLC topics using the AireOS 8.0 image (as of this writing), so I've installed the latest stable image (the one marked with a star on Cisco's download page) on my WLC 2504. The WLC is directly connected to my PC (running a TFTP server) and is assigned a /30 IP. The details on how to upgrade a WLC can be found in this post.









I got two AIR-SAP1602E, which are standalone access points that use external antennas (hence the "E"). I converted one of them to be a lightweight AP in order to associate with a WLC. I had a post regarding the conversion process between lightweight and autonomous AP. You only need to load the lightweight recovery image (rcvk9w8) onto the AP with archive download-sw; once it joins a controller, the AP downloads the full lightweight image (k9w8) that matches the WLC's release.

ap#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
ap(config)#interface bvi1
ap(config-if)#ip address 192.168.1.2 255.255.255.0
ap(config-if)#exit
ap(config)#ip default-gateway 192.168.1.1     // TFTP PC
ap(config)#end

ap#archive download-sw /force-reload /overwrite tftp://192.168.1.1/ap1g2-rcvk9w8-tar.152-2.JB3.tar
examining image...
Loading ap1g2-rcvk9w8-tar.152-2.JB3.tar from 192.168.1.1 (via BVI1): !
extracting info (273 bytes)
Image info:
    Version Suffix: rcvk9w8-
    Image Name: ap1g2-rcvk9w8-mx
    Version Directory: ap1g2-rcvk9w8-mx
    Ios Image Size: 6564352
    Total Image Size: 6564352
    Image Feature: WIRELESS LAN|LWAPP|RECOVERY
    Image Family: AP1G2
    Wireless Switch Management Version: 7.4.1.37
Extracting files...
ap1g2-rcvk9w8-mx/ (directory) 0 (bytes)
extracting ap1g2-rcvk9w8-mx/ap1g2-rcvk9w8-mx (6557718 bytes)!!!!!!!!!!!!!!!!!!!!!!!!!
extracting ap1g2-rcvk9w8-mx/info (273 bytes)
extracting info.ver (273 bytes)
[OK - 6563840 bytes]

Deleting current version: flash:/ap1g2-k9w7-mx.152-2.JB2...done.
New software image installed in flash:/ap1g2-rcvk9w8-mx
Configuring system to use new image...done.
Writing event.log
Requested system reload in progress...
archive download: takes 72 seconds

Write of event.log done

*Mar  1 00:37:01.633: %SYS-5-RELOAD: Reload requested by Exec. Reload Reason: Reason unspecified.
Boot from flash

IOS Bootloader - Starting system.
 FLASH CHIP: Micronix MX25L256_35F
Xmodem file system is available.
flashfs[0]: 7 files, 2 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 31936000
flashfs[0]: Bytes used: 6941184
flashfs[0]: Bytes available: 24994816
flashfs[0]: flashfs fsck took 9 seconds.
Reading cookie from SEEPROM
Base Ethernet MAC address: c0:8c:60:1f:24:7d
 ************* loopback_mode = 0
Loading "flash:/ap1g2-rcvk9w8-mx/ap1g2-rcvk9w8-mx"...####################
File "flash:/ap1g2-rcvk9w8-mx/ap1g2-rcvk9w8-mx" uncompressed and installed, entry point: 0x100000
executing...


<OUTPUT TRUNCATED>


APc08c.601f.247d>show version
Cisco IOS Software, C1600 Software (AP1G2-RCVK9W8-M), Version 15.2(2)JB3, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Thu 19-Dec-13 03:29 by prod_rel_team

ROM: Bootstrap program is C1600 boot loader
BOOTLDR: C1600 Boot Loader (AP1G2-BOOT-M) LoaderVersion 15.2(2)JAX, RELEASE SOFTWARE (fc1)

APc08c.601f.247d uptime is 0 minutes
System returned to ROM by power-on
System image file is "flash:/ap1g2-rcvk9w8-mx/ap1g2-rcvk9w8-mx"
Last reload reason:


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco AIR-SAP1602E-A-K9    (PowerPC) processor (revision B0) with 98294K/32768K bytes of memory.
Processor board ID FGL1736W0UE
PowerPC CPU at 533Mhz, revision number 0x2151
Last reset from power-on
LWAPP image version 7.4.1.37
1 Gigabit Ethernet interface

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: C0:8C:60:1F:24:7D
Part Number                          : 73-14508-04
PCA Assembly Number                  : 000-00000-00
PCA Revision Number                  :
PCB Serial Number                    : FOC17292D2Y
Top Assembly Part Number             : 800-38553-01
Top Assembly Serial Number           : FGL1736W0UE
Top Revision Number                  : A0
Product/Model Number                 : AIR-SAP1602E-A-K9


Configuration register is 0xF


After the AP gets an IP address, it discovers a WLC in several ways: it broadcasts a CAPWAP discovery request on its local subnet, tries any controller address learned from DHCP option 43, and resolves the name CISCO-CAPWAP-CONTROLLER (with the DHCP-supplied domain appended) via DNS. With a controller address in hand it opens a DTLS session to the WLC's UDP port 5246 (the CAPWAP control channel; data uses UDP 5247) and sends a join request over it. The DTLS handshake authenticates both ends with X.509 certificates: the AP presents the Manufacturer Installed Certificate (MIC) burned in at the factory (the "MIC Present and Parsed Successfully" line below), and the WLC presents its own certificate. Each side checks the peer certificate's validity period against its own clock, so a controller whose clock is still at the factory default rejects the AP. That is exactly what the fatal "Certificate unknown" alert received from 192.168.1.4 in the log below means, and the NTP step further down fixes it.


*Mar  1 00:00:13.459: %LWAPP-3-CLIENTERRORLOG: Config load from flash failed. Initialising Cfg
*Mar  1 00:00:13.879: Found crash file: 'crashinfo_19930415-184228-UTC'
*Mar  1 00:00:14.703: %LINK-6-UPDOWN: Interface GigabitEthernet0, changed state to up
*Mar  1 00:00:15.911: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to up
*Mar  1 00:00:16.347: %SYS-5-RESTART: System restarted --
Cisco IOS Software, C1600 Software (AP1G2-RCVK9W8-M), Version 15.2(2)JB3, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Thu 19-Dec-13 03:29 by prod_rel_team
*Mar  1 00:00:16.383: %CAPWAP-3-ERRORLOG: Binding Config Initialization failed for binding 1
*Mar  1 00:00:17.423: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI1, changed state to up
lwapp_crypto_init: MIC Present and Parsed Successfully

no bridge-group 1 source-learning
                   ^
% Invalid input detected at '^' marker.
%Default route without gateway, if not a point-to-point interface, may impact performance
*Mar  1 00:00:47.227: %CDP_PD-4-POWER_OK: All radios disabled - NEGOTIATED inline power source
*Mar  1 00:00:52.243: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address 192.168.1.15, mask 255.255.255.0, hostname APc08c.601f.247d
Translating "CISCO-CAPWAP-CONTROLLER"...domain server (8.8.8.8) (4.2.2.2)
*Mar  1 00:01:03.127: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.
*Mar  1 00:01:06.127: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER
*Mar  1 00:01:16.127: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Jan  1 00:28:52.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.1.4 peer_port: 5246
*Jan  1 00:28:54.563: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 192.168.1.4

*Jan  1 00:28:54.563: %CAPWAP-3-ERRORLOG: Bad certificate alert received from peer.
*Jan  1 00:28:54.563: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.1.4:5246
*Jan  1 00:28:54.563: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.
*Jan  1 00:29:23.103: %CDP_PD-4-POWER_OK: All radios disabled - NEGOTIATED inline power source
*Jan  1 00:29:56.999: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Jan  1 00:28:52.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.1.4 peer_port: 5246
*Jan  1 00:28:52.563: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 192.168.1.4
*Jan  1 00:28:52.563: %CAPWAP-3-ERRORLOG: Bad certificate alert received from peer.
*Jan  1 00:28:52.563: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.1.4:5246
*Jan  1 00:28:52.567: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.


It's also useful to configure option 43 hex f104.<WLC IP HEX STRING> under the DHCP pool that hands out addresses to the APs, so the AP learns the controller address directly instead of depending on the subnet broadcast or DNS. Option 43 is the vendor-specific option, and Cisco APs read its contents as a TLV: f1 is the type byte (241, Cisco's sub-option that carries WLC IPv4 addresses), 04 is the length in bytes, and the bytes that follow are the controller address, one byte per octet. For 192.168.1.4 that is c0 a8 01 04, giving f104.c0a8.0104; two controllers would be f108 followed by both addresses. You can convert the octets from decimal to hex with the help of this online tool or by hand.

R1(config)#ip dhcp pool LAN_POOL
R1(dhcp-config)#option 43 ?
  ascii     Data is an NVT ASCII string
  hex       Data is a hexadecimal string
  instance  Specify the option instance
  ip        Data is one or more IP addresses

R1(dhcp-config)#option 43 hex ?
  LINE  Hexadecimal string
  none  No data

R1(dhcp-config)#option 43 hex f104.c0a8.0104
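To show the TLV encoding rather than just quote it, here is an added example (mine, not code from the original post or from Cisco) that builds the option 43 string for one or more controllers and decodes one back, rejecting truncated or malformed data. The lab's 192.168.1.4 is real; the second controller address 10.0.0.5 is a hypothetical value used only to show the length byte changing to 08.

```python
"""
Added example (not from the original post): build and decode the Cisco
vendor-specific DHCP option 43 TLV that points lightweight APs at their WLC.

Assumptions: type byte 0xF1 (241) carries IPv4 controller addresses and the
length byte is 4 * number of controllers. 10.0.0.5 below is hypothetical.
"""
import ipaddress

CAPWAP_CONTROLLER_TYPE = 0xF1  # sub-option 241: list of WLC IPv4 addresses


def build_option43(controllers):
    """Return the raw option-43 bytes for one or more controller IPv4 addresses."""
    if not controllers:
        raise ValueError("at least one controller address is required")
    payload = b"".join(ipaddress.IPv4Address(c).packed for c in controllers)
    if len(payload) > 255:
        raise ValueError("option 43 TLV length must fit in one byte")
    return bytes([CAPWAP_CONTROLLER_TYPE, len(payload)]) + payload


def ios_hex(raw):
    """Format bytes the way IOS displays hex options: dotted groups of 4 hex digits."""
    h = raw.hex()
    return ".".join(h[i:i + 4] for i in range(0, len(h), 4))


def ios_option43_line(controllers):
    """The exact line to paste under 'ip dhcp pool'."""
    return "option 43 hex " + ios_hex(build_option43(controllers))


def parse_option43(raw):
    """Walk the TLVs in an option-43 value and return the controller addresses
    found under type 0xF1. Malformed data raises instead of being guessed at."""
    found = []
    i = 0
    while i < len(raw):
        if i + 2 > len(raw):
            raise ValueError("truncated TLV header")
        t, n = raw[i], raw[i + 1]
        val = raw[i + 2:i + 2 + n]
        if len(val) != n:
            raise ValueError("TLV length exceeds available data")
        if t == CAPWAP_CONTROLLER_TYPE:
            if n == 0 or n % 4:
                raise ValueError("controller list length is not a multiple of 4")
            found.extend(str(ipaddress.IPv4Address(val[j:j + 4]))
                         for j in range(0, n, 4))
        i += 2 + n
    return found


if __name__ == "__main__":
    print(ios_option43_line(["192.168.1.4"]))            # option 43 hex f104.c0a8.0104
    print(ios_option43_line(["192.168.1.4", "10.0.0.5"]))
    print(parse_option43(bytes.fromhex("f104c0a80104")))
```

The decoder is the useful half when you are handed a pool someone else configured: a length byte that does not match the data, or one that is not a multiple of four, is how a mistyped hex string shows up, and the AP will simply ignore the option rather than complain.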


You need to set the router's clock and make it the NTP master so that the WLC has a valid time: during the DTLS handshake the WLC checks the AP certificate's validity period against its own clock, and a controller still sitting at its default date rejects the AP with the "Certificate unknown" alert seen in the log above. Add the NTP server on the WLC by going to Controller > NTP Server > New, type the router's IP address and click Apply. Note that clock set only sets the IOS software clock; on a router with a hardware calendar, clock update-calendar writes it to the calendar so the time survives a reload. In a real deployment point the WLC at a trusted NTP source rather than a router's free-running clock.


R1#clock set 19:32:00 3 Jul 2016
R1#show clock
.19:32:01.543 UTC Sun Jul 3 2016

R1(config)#ntp master ?
  <1-15>  Stratum number
  <cr>

R1(config)#ntp master 1
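To make this failure easier to spot in a longer console capture, here is an added example (mine, not from the original post or any Cisco tool) that parses IOS AP syslog lines and reports the discovery and DTLS state. The sample lines are copied from the AP log above; the triage rules (a leading * on the timestamp means the AP clock is not authoritative, a received "Certificate unknown" alert means the controller rejected the AP certificate, a failed lookup of CISCO-CAPWAP-CONTROLLER means option 43 is worth adding) are this example's own assumptions about what to flag.

```python
"""
Added example (not from the original post): triage an AP console capture for
CAPWAP discovery and DTLS join problems. SAMPLE_LOG is copied from the AP log
on the page; the verdict rules are this example's own assumptions.
"""
import re

SAMPLE_LOG = """\
*Mar  1 00:00:52.243: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address 192.168.1.15, mask 255.255.255.0, hostname APc08c.601f.247d
*Mar  1 00:01:06.127: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER
*Mar  1 00:01:16.127: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Jan  1 00:28:52.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.1.4 peer_port: 5246
*Jan  1 00:28:54.563: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 192.168.1.4
*Jan  1 00:28:54.563: %CAPWAP-3-ERRORLOG: Bad certificate alert received from peer.
"""

# IOS syslog line: optional '*' (clock not authoritative), timestamp, %FACILITY-SEV-MNEMONIC: text
LINE_RE = re.compile(
    r"^(?P<star>\*?)(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d\.\d{3}): "
    r"%(?P<fac>[A-Z_]+)-(?P<sev>\d)-(?P<mn>[A-Z_]+): (?P<msg>.*)$"
)
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
DHCP_RE = re.compile(r"assigned DHCP address (?P<ip>" + IPV4 + r")")
DTLS_REQ_RE = re.compile(r"peer_ip: (?P<ip>" + IPV4 + r") peer_port: (?P<port>\d+)")
ALERT_RE = re.compile(r"Received FATAL : (?P<alert>.+?) alert from (?P<ip>" + IPV4 + r")")


def parse_line(line):
    """Split one IOS log line into its fields, or return None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["unsynced"] = ev.pop("star") == "*"
    ev["sev"] = int(ev["sev"])
    return ev


def triage(log_text):
    """Summarise discovery and DTLS events and give a one-line verdict."""
    report = {"ap_ip": None, "clock_unsynced": False, "dns_failed": False,
              "controllers_tried": [], "dtls_alerts": [], "notes": [], "verdict": ""}
    for raw in log_text.splitlines():
        ev = parse_line(raw.strip())
        if ev is None:
            continue
        if ev["unsynced"]:
            report["clock_unsynced"] = True
        msg = ev["msg"]
        if ev["fac"] == "DHCP" and ev["mn"] == "ADDRESS_ASSIGN":
            m = DHCP_RE.search(msg)
            if m:
                report["ap_ip"] = m.group("ip")
        elif ev["fac"] == "CAPWAP" and "Could Not resolve CISCO-CAPWAP-CONTROLLER" in msg:
            report["dns_failed"] = True
        elif ev["fac"] == "CAPWAP" and ev["mn"] == "DTLSREQSEND":
            m = DTLS_REQ_RE.search(msg)
            if m and m.group("ip") not in report["controllers_tried"]:
                report["controllers_tried"].append(m.group("ip"))
        elif ev["fac"] == "DTLS" and ev["mn"] == "ALERT":
            m = ALERT_RE.search(msg)
            if m:
                report["dtls_alerts"].append((m.group("ip"), m.group("alert")))

    if report["clock_unsynced"]:
        report["notes"].append("AP timestamps carry '*': AP clock not authoritative "
                               "(it takes time from the WLC only after joining)")
    if report["dns_failed"]:
        report["notes"].append("DNS lookup of CISCO-CAPWAP-CONTROLLER failed; "
                               "DHCP option 43 avoids depending on it")
    if report["dtls_alerts"]:
        ip, alert = report["dtls_alerts"][-1]
        report["verdict"] = (f"join blocked at DTLS: controller {ip} sent '{alert}', i.e. it "
                             "rejected the AP certificate; check the WLC clock against the AP "
                             "certificate validity period and point the WLC at NTP")
    elif not report["controllers_tried"]:
        report["verdict"] = ("no controller discovered: add DHCP option 43 or a "
                             "CISCO-CAPWAP-CONTROLLER DNS record for the AP's subnet")
    else:
        report["verdict"] = ("discovery reached " + ", ".join(report["controllers_tried"])
                             + "; no DTLS failure in this capture")
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a capture from the AP console (or a syslog collector receiving the AP's messages) to get the discovery path and the failing step in one glance; the same line parser is a reasonable starting point for any IOS-format log.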





The AP's Operational Status will change from DOWNLOADING to REG (REGISTERED).



You create the Wi-Fi SSID under WLANs > Create New and click Go > type the Profile Name and SSID > tick Enabled under its Status. Layer 2 security is set under Security > Layer 2; static WEP is still offered there but is trivially cracked, so for anything beyond a throwaway lab use WPA2 with AES and a pre-shared key. I've configured the SSID to use the management interface, which is on VLAN 1, and created a static WEP key or password under Security > Layer 2.



I clicked on the SSID WLC-WIFI and typed the password (Cisco) using both my laptop and iPhone.

 







Below are the router and switch configurations that I've used for my wireless lab. I've configured switchport host under the interfaces using the interface range command and configured trunking between R1 and WLC1. The commands to take note of are the DHCP option 43 line and ntp master on R1, and the trunk ports toward WLC1 and R1 on SW1. These are lab configurations: the plaintext passwords, ip http server and password-only vty access are fine on an isolated bench but are not something to carry into production.

R1#show run
Building configuration...

Current configuration : 1508 bytes
!
! Last configuration change at 06:20:33 UTC Wed Jul 6 2016
! NVRAM config last updated at 06:21:08 UTC Wed Jul 6 2016
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable password cisco
!
no aaa new-model
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.10
!
ip dhcp pool LAN_POOL
   import all
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 8.8.8.8 4.2.2.2
   option 43 hex f104.c0a8.0104
!
!
no ip domain lookup
ip name-server 8.8.8.8
!
!
voice-card 0
 no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username admin privilege 15 password 0 cisco
!
!
!
!
!
!
interface FastEthernet0/0
 description ### WAN ###
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description ### LAN ###
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
!
!
ip http server
no ip http secure-server
ip nat inside source list 10 interface FastEthernet0/0 overload
!
access-list 10 permit 192.168.1.0 0.0.0.255
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner motd ^C

*** R1 ***

^C
!
line con 0
 password cisco
 logging synchronous
line aux 0
line vty 0 4
 password cisco
 logging synchronous
 login
!
scheduler allocate 20000 1000
ntp master
!
end


SW1#show run
Building configuration...

Current configuration : 3151 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SW1
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
username admin privilege 15 password 0 cisco
no aaa new-model
system mtu routing 1500
ip subnet-zero
!
!
!
crypto pki trustpoint TP-self-signed-3359651200
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3359651200
 revocation-check none
 rsakeypair TP-self-signed-3359651200
!
!
crypto pki certificate chain TP-self-signed-3359651200
 certificate self-signed 01
  3082023C 308201A5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33333539 36353132 3030301E 170D3933 30333031 30303030
  35315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 33353936
  35313230 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100CB60 DD6D0350 C136B2E0 EBAC51B3 6AA95F75 29D7E6A6 F80D4477 FF69E42A
  1E0DBF1E EB1A1FCC 8A8A1F0B 6A6328E8 5447EDB4 6B13C11D A0513070 AE7C4840
  C9563CD8 069B097B 0612E862 D5DC6C60 031A74FC F22DBFE2 3F20F970 E993C944
  F70606B1 3FE2F122 786A79EE 2D6CB65C 22614C52 83C4A6E9 5AF93AC6 150ED67C
  7FCF0203 010001A3 64306230 0F060355 1D130101 FF040530 030101FF 300F0603
  551D1104 08300682 04535731 2E301F06 03551D23 04183016 8014CDF0 E4127E8C
  DA428316 ACC68F90 4EE7A86B 0684301D 0603551D 0E041604 14CDF0E4 127E8CDA
  428316AC C68F904E E7A86B06 84300D06 092A8648 86F70D01 01040500 03818100
  3BD6323E 3DBFAB75 ADC467C6 6A1C4F62 7811AEFF 99D11DD8 A95BADF5 175E676A
  3B9CC683 3D032E37 314F427B 779E903F A5711CDD BB7EBBE9 0C933454 03F7ED9D
  D0938436 E97A7B01 D5812BE7 F4215E57 5CBB2BA7 5A52709B B8319664 B36CD4BD
  E14D5532 DE06794C 1730CC7B 902425DE FD7FD047 27C5F394 5658E05C 4B61C40B
  quit
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
interface FastEthernet0/1
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/2
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/3
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/4
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/5
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/6
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/7
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/8
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/9
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/10
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/11
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/12
 description ### WLC1 ###
 switchport trunk encapsulation dot1q
 switchport mode trunk

!
interface FastEthernet0/13
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/14
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/15
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/16
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/17
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/18
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/19
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/20
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/21
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/22
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/23
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/24
 description ### R1 ### 
 switchport trunk encapsulation dot1q
 switchport mode trunk

!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
!
ip default-gateway 192.168.1.1
ip classless
ip http server
ip http secure-server
!
!
!
control-plane
!
banner motd ^C

*** SW1 ***

^C
!
line con 0
 password cisco
 logging synchronous
 login
line vty 0 4
 password cisco
 logging synchronous
 login
line vty 5 15
 login
!
end

Friday, July 22, 2016

Welcome to my CCNA Wireless Blog!

I've taken CompTIA, Check Point and ITIL certs for the past few months and was away from learning new Cisco skills for quite a while. My next goal is to get CCNA Wireless and CWNA certified to acquire deep knowledge of wireless technology since I work with WLCs and APs on a daily basis. I've posted a few topics regarding wireless in my other blog but now I want to mainstream them here.

It's hard to emulate wireless, especially the access points, so I set up my own wireless lab at home. I've used a Cisco 2811 router as my Internet gateway (connected to a cable modem), a Cisco 3560 switch to provide Power over Ethernet (PoE) to the access points, a Cisco WLC 2504 with the 8.0 image (this can be virtualized), and two 1602 access points: one set up as an autonomous or standalone AP (AIR-SAP 1602E) and the other as a lightweight or controller-based AP (AIR-CAP 1602E).

This is the logical network topology I've used for my wireless lab. I've used a flat network design and everything runs on native VLAN 1 to simplify the configurations. I'll share more details and the steps I took in building my wireless lab in succeeding posts. These are the materials I've used for my wireless study: CCNA Wireless 200-355 Official Cert Guide by David Hucaby, and training videos by Keith Barker and Jerome Henry.


This is how the actual devices look in my home lab.