Lab1 Cciewl Version2 Questionset

QUESTIONS SET
LAB 1 Real Labs V2
www.cciewirelesslabs.com
05-July-2013

GENERAL GUIDELINES

1. Read all of the questions in the section before you start the configuration. It is even recommended that you read the entire lab before you proceed with any configuration.
2. Exam questions have dependencies on others. Read through the entire lab to help identify these questions and the best order of configuration. Sections need not be completed in the order presented in the lab.
3. Questions may include verification output that can be used to check your solutions. Highlighted values in the verification output MUST be matched to ensure correctness.
4. If you need clarification of the meaning of a question, or if you suspect that there may be hardware problems in your equipment, contact the lab proctor as soon as possible.
5. The equipment on the rack assigned to you is physically cabled, so do NOT tamper with it. Before starting the exam, confirm that all devices in your rack are in working order. During the exam, if any device is locked or inaccessible for any reason, you must recover it. When you finish the exam, ensure that all devices are accessible to the grading proctor. A device that is not accessible for grading cannot be marked and may cause you to lose substantial points.
6. Knowledge of implementation and troubleshooting techniques is part of the lab exam.
7. Points are awarded only for working configurations. Towards the end of the exam, you should test the functionality of all sections of the exam.
8. You will be presented with pre-configured equipment. The following pre-configurations should NOT be changed:
   • Terminal server password to clear the lines: "Cisco" (user mode only)
   • All APs: default username "Cisco" and password "Cisco"
   • Enable passwords for all IOS devices are "Cisco"
   • Device hostnames (except LAP boot names, which need to be changed, see Q2.1)
   • Console configuration
9. If a WLC has to be initialized, always use username "admin" and password "Cisco123".


10. Throughout the exam, assume:
    • YY is your assigned 2-digit pod number. For example, the YY value for pod 3 is 03.
    • X is any number.
11. Unless specifically mentioned or a change is needed by a question, leave all settings at their default values.
12. You should do all lab tasks on the 2.4 GHz band only, unless explicitly mentioned in the exam.
13. You should ignore all rogues or SSIDs belonging to your pod that are visible through your equipment, except when explicitly mentioned in the lab questions.
14. An NTP server is available at 192.168.129.13.
15. At the end of the lab, make sure you re-enable all radios you shut down for testing purposes.


FIGURE 1: CONCEPTUAL DIAGRAM


FIGURE 2: LOGICAL DIAGRAM


FIGURE 3: PHYSICAL CONNECTION


FIGURE 4: REMOTE PHYSICAL CONNECTION


FIGURE 5: SUBNETWORKS

VLAN NAME            Network/Mask        VLAN ID   Default GW        Area
ISP Central          192.168.128.0/24    128       192.168.128.254   Central
Management           192.168.129.0/24    129       192.168.129.1     Central
Voice                192.168.130.0/24    130       192.168.130.1     Central
Management Guest     192.168.136.0/24    136       192.168.136.1     Central
Dmz Guest            192.168.137.0/24    137       192.168.137.1     Central
Non Routed           192.168.138.0/24    138       Non Routed        Central
Peap                 192.168.141.0/24    141       192.168.141.1     Central
All EAP types        192.168.142.0/24    142       192.168.142.1     Central
Contractors          192.168.143.0/24    143       192.168.143.1     Central
Service ports        172.16.0.0/24       172       172.16.0.1        Central
Aps1                 192.168.132.0/24    300       192.168.132.1     Central
Aps2                 192.168.133.0/24    301       192.168.133.1     Central
ISP Remote           192.168.144.0/24    144       192.168.144.254   Remote
Management Remote    192.168.145.0/24    145       192.168.145.1     Remote
Voice Remote         192.168.146.0/24    146       192.168.146.1     Remote
Data Remote          192.168.147.0/24    147       192.168.147.1     Remote
Non Routed Remote    192.168.148.0/24    148       Not routed        Remote
Aps                  192.168.149.0/24    149       192.168.149.1     Remote
Home Office          192.168.200.0/24    X         192.168.200.1     Home office

(Areas: Central Office, Remote Office, Home office)


FIGURE 6: LAB ACCESS

As part of your lab setup, the following will be available:

• A home-office AP (1040) and Cisco Wireless Phone (7925G)
• Candidate PC: this is the PC physically at your desk
• WCS
• MSE
• ACS
• A client PC with AnyConnect client to connect to your SSIDs
• A syslog server

System          Access                                     Login                              Username        Password
WCS             Reachable from the candidate PC via RDP    WCS AD login                       Administrator   Cisco123
                                                           WCS login 192.168.129.11           root            Cisco123
MSE             Reachable from WCS via SSH                 MSE login 192.168.129.14           root            Cisco123
ACS             Reachable from WCS via HTTPS               https://192.168.129.10/acsadmin    admin           Cisco123
Client PC       Reachable from the candidate PC via RDP    Login                              admin           Cisco123
Syslog server   Kiwi, available on WCS

(The WCS address 192.168.129.11 and the MSE address 192.168.129.14 are the ones stated in questions 5.1 and 5.2.)


1. L2/L3 Infrastructure to support WLANs

1.1 Configure IPv4 routing infrastructure

Configure an OSPF process in the Central Office (see Fig 5) between 6504-A and 6504-B as per the following requirements:

• Establish dynamic router neighbor peering using only VLAN129
• Suppress router advertisements on all other interfaces between 6504-A and 6504-B
• 6504-B must learn and actively use a default route via dynamic OSPF update from 6504-A

Verification output on 6504-B (the device names 6504-1 and 6504-2 in outputs and tables refer to 6504-A and 6504-B respectively), truncated:

6504-2#show ip route
O*E2 0.0.0.0/0 [110/1] via 192.168.129.2, 00:00:06, Vlan129
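An added example (not part of the original question set) of an OSPF configuration that satisfies the three bullets above. The OSPF process ID (1), the area (0), the router-ids and the VLAN129 addresses 192.168.129.2 for 6504-A and 192.168.129.3 for 6504-B are assumptions; the next hop in the verification output and the ISP gateway 192.168.128.254 from Figure 5 are the page's own values.

```cisco
! ===== 6504-A (assumed VLAN129 address 192.168.129.2) =====
! A static default toward the ISP gateway (Figure 5) gives OSPF something to originate;
! without a default in the RIB, "default-information originate" (no "always") sends nothing.
ip route 0.0.0.0 0.0.0.0 192.168.128.254
!
router ospf 1
 router-id 192.168.129.2
 ! No hellos on any interface by default: no accidental adjacencies on user, AP or ISP VLANs
 passive-interface default
 ! VLAN129 is the only interface allowed to form a neighbor relationship
 no passive-interface Vlan129
 network 192.168.129.0 0.0.0.255 area 0
 ! Advertise the default as an external type-2 route (metric 1, as in the expected output)
 default-information originate
!
! ===== 6504-B (assumed VLAN129 address 192.168.129.3) =====
! No static default here: a static route (AD 1) would win over the OSPF route (AD 110)
! and 6504-B would not "actively use" the learned default.
router ospf 1
 router-id 192.168.129.3
 passive-interface default
 no passive-interface Vlan129
 network 192.168.129.0 0.0.0.255 area 0
!
! ----- verification on 6504-B -----
! show ip ospf neighbor          one neighbor (192.168.129.2) in state FULL on Vlan129
! show ip ospf interface brief   only Vlan129 listed as a non-passive interface
! show ip route 0.0.0.0          O*E2 0.0.0.0/0 [110/1] via 192.168.129.2, Vlan129
```

If 6504-B shows an S* entry instead of O*E2, a pre-existing static default on 6504-B is masking the OSPF route and has to be removed rather than the OSPF configuration changed.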

1.2 Configure IPv4 HA infrastructure

Complete the configuration of the HA topology for all preconfigured interfaces in the central office (see Fig 5) as per the following requirements:

• 6504-A should be the active router for all existing VLAN interfaces in the 129-137 VLAN-ID range
• 6504-B (6504-2) should be the active router for any remaining VLAN interfaces (141-143, 300-301)
• Provide redundancy if the active interface is down
• Make sure the router with the highest priority becomes the active router whenever it is available


1.3 Configure HA on the switching infrastructure

Configure the spanning-tree (STP) HA operation for the preconfigured VLANs in the central office (Fig 5) as per the following requirements:

• 6504-A should be STP root for all existing VLANs in the 129-137 range
• 6504-B should be STP root for all existing VLANs in the range 141-143, 300-301
• On the 2960-central switch, prevent STP loops on switchports running PortFast. In case any other switch running spanning tree is connected to such a port, the port should be disabled. Use only one command to achieve this task.

Set up a two-port Gigabit Ethernet link between 6504-A and 6504-B. Make sure that downstream traffic to an access point as well as upstream traffic from that access point always enters on the same port.
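An added example (not from the original) for 1.2 and 1.3 on the VLAN129 SVI; the same pattern is repeated for the other SVIs with the priorities swapped. The interface addresses .2/.3, the HSRP group numbers and the port-channel member ports Gi4/7-8 are assumptions; the VIP 192.168.129.1 is the default gateway from Figure 5.

```cisco
! ===== 6504-A: HSRP active for VLANs 129-137 (VLAN129 shown) =====
interface Vlan129
 ip address 192.168.129.2 255.255.255.0
 standby version 2
 standby 129 ip 192.168.129.1
 ! higher than 6504-B's default of 100 ...
 standby 129 priority 110
 ! ... but priority alone is not enough: without preempt the first router to boot stays
 ! active, which is the usual reason "highest priority wins" does not hold after an outage
 standby 129 preempt
!
! ===== 6504-B: same SVI, default priority; preempt set so it takes over if 6504-A
! ever drops its priority (tracking) instead of going down outright =====
interface Vlan129
 ip address 192.168.129.3 255.255.255.0
 standby version 2
 standby 129 ip 192.168.129.1
 standby 129 preempt
! For VLANs 141-143, 300 and 301 put "standby <n> priority 110" on 6504-B instead.
!
! ===== STP root follows the HSRP active router, so the L2 and L3 paths agree =====
! 6504-A:
spanning-tree vlan 129-137 root primary
spanning-tree vlan 141-143,300-301 root secondary
! 6504-B:
spanning-tree vlan 141-143,300-301 root primary
spanning-tree vlan 129-137 root secondary
!
! ===== 2960-central: the single command =====
! Every PortFast edge port is err-disabled the moment it receives a BPDU, i.e. as soon as
! someone plugs a switch (or an AP bridging to a switch) into an access-point port.
spanning-tree portfast bpduguard default
!
! ===== 6504-A <-> 6504-B two-port EtherChannel (both sides; member ports assumed) =====
! src-dst-ip hashing is symmetric: hash(AP, WLC) == hash(WLC, AP), so the CAPWAP traffic of
! one AP uses the same physical link in both directions. A SPAN session on that one link
! therefore captures the whole AP conversation.
port-channel load-balance src-dst-ip
interface range GigabitEthernet4/7 - 8
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode active
interface Port-channel1
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
! verify: show standby brief / show spanning-tree root / show etherchannel load-balance
```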

1.4 Configure QoS on the switching infrastructure

The QoS configuration for the connection to the central office and remote office WLCs needs to be configured with the following QoS table:

QoS profile   AVVID IP DSCP   AVVID 802.1p
Platinum      48 (CS6)        6
Platinum      46 (EF)         5
Gold          34 (AF41)       4
Gold          26 (AF31)       3
Silver        18 (AF21)       2
Bronze        10 (AF11)       1
Silver        0 (BE)          0

Configure the central and remote switches and the WLCs to meet the following requirements:

• WLC imposes a QoS egress frame classification process using WLC default settings for all interfaces and frame types
• WLC egress traffic conforms such that the infrastructure can trust the WLC QoS classification limits for all interfaces and frame types
• Switchports should trust the WLC egress QoS classification
• Switchport queues WLC egress classifications consistent with the table above
• AP switchports trust the AP-imposed QoS marking with respect to user traffic
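An added example, not the page's own, of the switch-side part of 1.4 on a Catalyst 6500 (IOS) plus the matching WLC setting. The WLC trunk port Gi4/10 is an assumption; Gi4/3 as the L3500-1 port comes from the 2.1 table. The DSCP/CoS pairs are the ones in the table above.

```cisco
! Global: enable QoS, then make the switch's own maps match the table.
mls qos
! DSCP -> CoS (used when the switch trusts DSCP and rewrites the 802.1p tag on egress)
mls qos map dscp-cos 48 to 6
mls qos map dscp-cos 46 to 5
mls qos map dscp-cos 34 to 4
mls qos map dscp-cos 26 to 3
mls qos map dscp-cos 18 to 2
mls qos map dscp-cos 10 to 1
mls qos map dscp-cos 0 to 0
! CoS -> DSCP for the reverse direction (eight values for CoS 0..7; CoS 7 -> 56 is the default)
mls qos map cos-dscp 0 10 18 26 34 46 48 56
!
! WLC trunk: the controller tags 802.1p on the wired side according to its QoS profiles
! ("WLC default settings" in the requirement), so trust the CoS it sends. Trusting a port
! means believing whatever is plugged into it, which is why only the WLC and AP ports get it.
interface GigabitEthernet4/10
 description 5508-1 (assumed port)
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 mls qos trust cos
!
! AP access port: the AP copies the client's classification into the outer CAPWAP header,
! so trusting DSCP here preserves the AP's marking on the way to the WLC.
interface GigabitEthernet4/3
 description L3500-1
 switchport
 switchport access vlan 300
 switchport mode access
 spanning-tree portfast
 mls qos trust dscp
!
! WLC side: have each profile tag 802.1p on egress (tag values left at the defaults,
! as the requirement asks)
! (Cisco Controller) >config qos protocol-type platinum dot1p
! (Cisco Controller) >config qos protocol-type gold dot1p
! (Cisco Controller) >config qos protocol-type silver dot1p
! (Cisco Controller) >config qos protocol-type bronze dot1p
!
! verify: show mls qos maps dscp-cos / show mls qos interface GigabitEthernet4/10
```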


2. Infrastructure Application Services

2.1 Troubleshooting discovery mechanisms

The customer is experiencing issues with the APs joining the WLAN controllers at the central and remote locations. Perform the appropriate configuration and troubleshooting steps to have all the APs registered, and make sure that APs always go back to their primary WLC regardless of the mobility state. Also check that the radio interfaces (as required throughout the exam) are UP on all APs.

On the central site, troubleshoot the discovery mechanism using the preconfigured VLAN pools on both 6504-A and 6504-B without adding any additional commands. The AP names and AP-to-WLC pairing should reflect the assignment in the table below:

Switch-port           Name      Primary   Secondary
6504-1 g4/3           L3500-1   5508-1    5508-2
6504-1 g4/5           L3500-2   5508-1    5508-2
2960-central f0/1     L3500-3   5508-2    5508-1
6504-2 g4/1           L3500-4   5508-2    5508-1

On the remote site you need to rely on the broadcast messages sent by the APs for the discovery. The AP names and AP-to-WLC pairing should reflect the assignment in the table below:

Switch-port           Name      Primary   Secondary
3560-remote g0/1      L1260-1   5508-4    None
3560-remote g0/2      L1260-2   5508-4    None

Note: the L1040 at the home office will be configured in question 4.7
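An added example (not from the original question set) of what a working option-43 pool on the 6504s looks like and of the controller-side AP naming, primary/secondary assignment and fallback. The central-site task says the pools are preconfigured, so this is the shape to compare them against. The controller management addresses 192.168.129.20 (5508-1) and 192.168.129.21 (5508-2), the pool name and the current AP name are assumptions.

```cisco
! ===== 6504-A/6504-B: IOS DHCP pool for the Aps1 VLAN (VLAN300, 192.168.132.0/24) =====
! Check the real management addresses with "show interface summary" on each WLC first.
ip dhcp excluded-address 192.168.132.1 192.168.132.10
ip dhcp pool APS1
 network 192.168.132.0 255.255.255.0
 default-router 192.168.132.1
 ! Option 43 as TLV: type f1, length 08 (= 2 addresses x 4 bytes), then the addresses
 !   c0a8.8114 = 192.168.129.20   c0a8.8115 = 192.168.129.21
 ! The length byte is the usual culprit: a stale f104 left over from a single-controller
 ! pool makes the AP silently ignore the whole option.
 option 43 hex f108.c0a8.8114.c0a8.8115
!
! The AP only consumes option 43 if it sent a matching vendor class (option 60),
! e.g. "Cisco AP c3500" for the 3500 series.
!
! ===== on the WLC: name the AP and pin it to its primary / secondary =====
! (AP0022.bd18.ab12 stands for whatever name "show ap summary" currently lists)
(Cisco Controller) >config ap name L3500-1 AP0022.bd18.ab12
(Cisco Controller) >config ap primary-base 5508-1 L3500-1 192.168.129.20
(Cisco Controller) >config ap secondary-base 5508-2 L3500-1 192.168.129.21
! AP fallback: an AP that failed over to its secondary returns to the primary as soon as
! the primary answers again. It is evaluated independently of the mobility group, so it
! has to be enabled on every WLC the AP can land on.
(Cisco Controller) >config network ap-fallback enable
!
! ===== remote site: broadcast discovery =====
! The AP's CAPWAP discovery broadcast (UDP 5246) only reaches 5508-4 if the AP VLAN and
! the WLC management VLAN are one L2 domain. Otherwise the options would be an
! "ip helper-address" on the AP SVI together with "ip forward-protocol udp 5246", or a
! DNS entry for CISCO-CAPWAP-CONTROLLER; the question rules those out, so check the
! VLAN assignment and trunk allowed list on 3560-remote instead.
!
! verify: (Cisco Controller) >show ap join stats summary all
!         (Cisco Controller) >show ap config general L3500-1   (Primary/Secondary Cisco Switch Name)
```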


2.2 Troubleshoot DHCP services

You are troubleshooting wireless client DHCP issues for central office APs on the 6504-A IOS DHCP server using the "debug dhcp" command. In order to help you troubleshoot, make sure you are able to identify the AP Ethernet MAC address for a given wireless client device association within the debug output.

2.3 Configure WLC management

Enable secure SNMP communications on all WLCs using the strongest authentication and encryption methods. Use the details below:

• Username "admin"
• Authentication and encryption password "Cisco123"

2.4 Troubleshoot and configure syslog

Configure syslog on the devices listed below to point to the syslog server running on 192.168.129.11. The syslog log level should be set to "warning" and use the local use 7 facility (local7). This should be done on the following devices:

• 5508-1, 5508-2, 5508-3, 5508-4
• ALL CAPWAP APs
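An added example (not from the original) covering 2.2 and 2.4 on the controllers: DHCP option 82, so that each client DHCP request seen by the 6504-A DHCP server carries the Ethernet MAC of the AP it came through, and syslog to the Kiwi server from Figure 6. The dynamic interface name is an assumption; the syslog host, level and facility are the page's.

```cisco
! ===== 2.2: make the DHCP server see which AP a client request came through =====
! The WLC is the DHCP relay (proxy) for wireless clients. With option 82 enabled it adds
! the relay-agent information option, and "ap-ethmac" puts the AP's Ethernet MAC in the
! remote-id sub-option. On 6504-A every relayed DISCOVER/REQUEST in the server debug then
! shows that MAC next to the client MAC, which doubles as an audit trail of client-to-AP.
(Cisco Controller) >config dhcp proxy enable
(Cisco Controller) >config dhcp opt-82 remote-id ap-ethmac
! option 82 insertion is per interface; repeat for every dynamic interface clients use
(Cisco Controller) >config interface dhcp management option-82 enable
(Cisco Controller) >config interface dhcp dynamic-interface nonrouted138 option-82 enable
(Cisco Controller) >show dhcp opt-82 remote-id
!
! ===== 2.4: syslog on each 5508 =====
(Cisco Controller) >config logging syslog host 192.168.129.11
(Cisco Controller) >config logging syslog level warnings
(Cisco Controller) >config logging syslog facility local7
(Cisco Controller) >show logging
!
! ===== 2.4: syslog on all CAPWAP APs, pushed from the controller =====
(Cisco Controller) >config ap syslog host global 192.168.129.11
(Cisco Controller) >config ap logging syslog level warnings all
(Cisco Controller) >show ap config general L3500-1
!
! Syslog is plain UDP with no authentication: the collector sits on the management VLAN
! here, which is fine; do not point controllers at a collector across an untrusted segment.
```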

2.5 Configure and troubleshoot RADIUS

Configure the RADIUS server to peer with all WLCs without using any IP address based configuration. Configure the WLCs to peer with the RADIUS server.


3. Autonomous deployment model

3.1 Configure WGB roaming behavior

Outside the central office there is a truck loading bay where a forklift truck is operating (see Fig 1). The 1260-BR1 is mounted outside building 1 and the 1260-BR2 is mounted on the forklift truck. Two 1260 APs (1260-BR1 and 1260-BR2) in NEMA enclosures are used to bridge the traffic to a handheld device that is attached to the wired interface of the 1260-BR2. However, connectivity to the handheld device from the wired network fails. Troubleshoot and fix the issue so that connectivity is restored, using the 802.11a/n radio and the implemented SSID and AP modes. The WGB must be able to connect at 802.11n MCS rates. Verify connectivity by pinging the client (192.168.143.3) from 6504-B.

3.2 Configure WGB roaming behavior

In a couple of months additional APs are going to be installed in the building where the forklift operates. Configure the WGB to optimize its roaming process based on the requirements below:

• The current root bridge and all the new APs will be configured to only use UNII-1 channels, to avoid DFS concerns and outdoor bridging channels.
• The table below shows the 5 GHz receiver sensitivity of the 1260 WGB. The WGB should roam if the RSSI is not sufficient to maintain an 802.11a link of at least 54 Mb/s, without changing the radio data rate configuration. To support the forklift application the wireless link must be at least 24 Mb/s. When the forklift WGB thinks it needs to roam, it should check for a better AP every 10 seconds.

802.11a (non-HT20) receiver sensitivity:

Data rate   Sensitivity
6 Mb/s      -93 dBm
9 Mb/s      -93 dBm
12 Mb/s     -92 dBm
18 Mb/s     -90 dBm
24 Mb/s     -87 dBm
36 Mb/s     -84 dBm
48 Mb/s     -79 dBm
54 Mb/s     -79 dBm
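An added example (not part of the original) of the autonomous-IOS WGB roaming configuration that follows from the bullets and the table above. The radio interface and station role are assumed to be those already in place from 3.1; the threshold, minimum rate, period and channel list are derived from the page's values.

```cisco
! 1260-BR2 (forklift), 5 GHz radio
interface Dot11Radio1
 ! WGB role; the SSID and the root-bridge side are already in place from 3.1
 station-role workgroup-bridge
 ! Roam trigger: the table says -79 dBm is the weakest signal that still carries 54 Mb/s,
 ! so "threshold 79" (IOS takes the value unsigned) fires as soon as 54 Mb/s can no longer
 ! be sustained, without touching the "speed" configuration. Re-check every 10 s.
 mobile station period 10 threshold 79
 ! A candidate AP is only accepted if it can give the forklift application its 24 Mb/s
 ! floor (-87 dBm or better in the same table)
 mobile station minimum-rate 24.0
 ! Scan only the four UNII-1 channels the root bridges will use; every extra channel
 ! scanned adds dwell time to each roam
 mobile station scan 36 40 44 48
!
! verify on the WGB: show dot11 associations   (data rate / RSSI of the current parent)
!                    show running-config interface dot11Radio1
```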


4. UNIFIED deployment model

The customer wants to provide secure wireless services to different types of users. The following tables represent the WLANs to be configured throughout questions 4.1 to 4.7 in this section.

SSID           Sites where available                         Notes
DataAYY        Central (5500-1, 5500-2)
DataBYY        Central (5500-1, 5500-2)
DataRYY        Remote (5500-4)
VoiceYY        Central (5500-1, 5500-2) & Home Office        See section 6
ContractorYY   Central (5500-1, 5500-2)
GuestYY        Central (5500-1, 5500-2) & Remote (5500-4)

Notes:
• All WLAN profiles should be configured for 2.4 GHz only.
• The profiles for Data, Contractor and Guest have been pre-configured on the client PC. Use the AnyConnect profile for testing purposes.
• Use the pre-configured ACS account "user1", password "Cisco123", for testing the data 802.1x profile.
• The 5508-3 will only be used for the home office AP and DMZ termination.
• If you need a password or key and it is not specified, use Cisco123.

4.1 Central site Data WLAN

Configure the DataAYY and DataBYY WLANs at the central site to provide the following characteristics:

• Use WPA2 with an encryption method that supports MCS rates
• Map the DataAYY and DataBYY WLANs to VLAN138 by default
• If a client fails the 802.1x authentication process 3 times, it should be disallowed from gaining network access upon the 4th attempt for 5 minutes
• Provide an AAA override policy as per the WLAN and protocol decision table below


WLAN       PEAP   EAP-FAST   Additional EAP methods
DataAYY    141    138        Auth-fail
DataBYY    142

4.2 Central site contractor WLAN

The ContractorYY WLAN should be configured to provide access to third-party contractors that need to make use of the network at the central site, as follows:

• Use WPA2 with AES, to avoid dealing with different contractor 802.1x supplicants
• Map the ContractorYY WLAN to VLAN143 by default
• Since the customer doesn't have control over the contractor devices, make sure that they do not trigger any transmit power changes on the APs
• Restrict contractors to only 802.11b/g data rates without impacting other WLANs
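An added example (not from the original) of the WLC configuration for 4.1 (DataAYY shown; DataBYY is the same with its own ID and the 142 override) and 4.2, followed by the RADIUS attributes ACS has to return for the VLAN override. WLAN IDs 1 and 3 and the interface names nonrouted138 and contractors143 are assumptions; the VLAN numbers, timers and cipher choices come from the page.

```cisco
! ===== 4.1 DataAYY (WLAN id 1 assumed) =====
(Cisco Controller) >config wlan create 1 DataAYY DataAYY
(Cisco Controller) >config wlan interface 1 nonrouted138
(Cisco Controller) >config wlan radio 1 802.11bg
(Cisco Controller) >config wlan security wpa enable 1
(Cisco Controller) >config wlan security wpa wpa1 disable 1
(Cisco Controller) >config wlan security wpa wpa2 enable 1
! AES-CCMP is the cipher that allows 802.11n MCS rates; a TKIP client is held to legacy rates
(Cisco Controller) >config wlan security wpa wpa2 ciphers aes enable 1
(Cisco Controller) >config wlan security wpa akm 802.1x enable 1
! ACS decides the VLAN per EAP method, so the WLC must accept interface overrides from AAA
(Cisco Controller) >config wlan aaa-override enable 1
! The WLC's 802.1X exclusion trigger is fixed at 3 consecutive failures; the timeout is per WLAN
(Cisco Controller) >config wps client-exclusion 802.1x-auth enable
(Cisco Controller) >config wlan exclusionlist 1 300
(Cisco Controller) >config wlan enable 1
!
! ACS authorization rules for DataAYY (per the decision table):
!   condition EAP method PEAP      -> Tunnel-Type=VLAN(13), Tunnel-Medium-Type=802(6),
!                                     Tunnel-Private-Group-ID=141
!   condition EAP method EAP-FAST  -> same attributes with Tunnel-Private-Group-ID=138
!   any other EAP method           -> Access-Reject (the "Auth-fail" column)
! Without "aaa-override enable" the WLC accepts the Access-Accept but silently drops the
! VLAN attributes, so a PEAP user lands on 138 and the table is violated without any error.
!
! ===== 4.2 ContractorYY (WLAN id 3 assumed): PSK, no supplicant dependency =====
(Cisco Controller) >config wlan create 3 ContractorYY ContractorYY
(Cisco Controller) >config wlan interface 3 contractors143
(Cisco Controller) >config wlan radio 3 802.11bg
(Cisco Controller) >config wlan security wpa enable 3
(Cisco Controller) >config wlan security wpa wpa1 disable 3
(Cisco Controller) >config wlan security wpa wpa2 enable 3
(Cisco Controller) >config wlan security wpa wpa2 ciphers aes enable 3
(Cisco Controller) >config wlan security wpa akm 802.1x disable 3
(Cisco Controller) >config wlan security wpa akm psk enable 3
(Cisco Controller) >config wlan security wpa akm psk set-key ascii Cisco123 3
! Coverage-hole detection is the mechanism that lets a weak client push AP power up;
! disabling it per WLAN means contractor devices cannot influence the RF of the other WLANs
(Cisco Controller) >config wlan chd 3 disable
! 802.11n rates require WMM, so a WLAN with WMM off is limited to 802.11b/g rates without
! touching the per-band data-rate table that every other WLAN shares
(Cisco Controller) >config wlan wmm disable 3
(Cisco Controller) >config wlan enable 3
!
! verify: show wlan 1 / show wlan 3 / show exclusionlist / show client detail <mac>
```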

4.3 Troubleshooting client roaming behavior

It has been identified that phones moving from APs on 5508-1 to APs on 5508-2 (and vice versa) using CCKM are not able to roam seamlessly and are forced to fully re-authenticate. Troubleshoot the issue to fix this behavior.

4.4 Remote site data WLAN

When the APs are connected to the WLC, configure the DataRYY WLAN at the remote site to provide the following characteristics:

• Use WPA2 with an encryption method that supports MCS rates
• Map the DataRYY WLAN to VLAN148 by default
• EAP-TLS client authentication should be placed on VLAN147. All other EAP protocol attempts should result in failed authentication
• RADIUS traffic sourced from the remote WLC management interface is failing. This needs to be fixed without changing the ACS NAS peering configuration


4.5 Remote site data WLAN HA

When the APs cannot connect to the WLC, configure the DataRYY WLAN at the remote site to provide the following characteristics:

• Use WPA2 with an encryption method that supports MCS rates
• 802.1x/EAP authentication should use the centralized ACS server
• CCKM fast secure roaming should be provided for any client sessions that existed prior to the WLC connection being lost
• EAP-TLS client authentication should be placed on VLAN147. All other EAP protocol attempts should result in a failed authentication

4.6 Guest services

Configure and troubleshoot the GuestYY WLAN at the central and remote site as follows:

• Guest users should use the dmz-guest VLAN terminating at 5508-3
• Map the WLAN to the non-routed VLAN138 on WLC 5508-1 and 5508-2, and to the non-routed VLAN148 on 5508-4
• Peer-to-peer communications should be avoided
• Client devices should not trigger any power changes on the APs
• Clients should not be allowed access if using static IP addresses
• Users should be asked for their email before obtaining access to the network
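An added example (not part of the original) of the guest-anchor configuration for 4.6. The WLAN ID 6, the interface names, the 5508-3 management address 192.168.129.30 and its MAC, and the mobility group name are assumptions; the VLAN roles are the page's.

```cisco
! ===== every controller: the foreigns (5508-1/2/4) and the anchor (5508-3) must know each other =====
! (MAC and address of 5508-3 assumed; repeat on 5508-3 with each foreign's MAC/address)
(Cisco Controller) >config mobility group member add 00:1b:d5:00:00:30 192.168.129.30 dmz
!
! ===== foreigns: default interface is the non-routed VLAN, then anchor the WLAN =====
! Client traffic is EoIP/CAPWAP-tunnelled to 5508-3 and never hits the non-routed VLAN;
! that VLAN exists only so that a guest whose tunnel is down has nowhere to go.
(Cisco Controller) >config wlan interface 6 nonrouted138
(Cisco Controller) >config wlan mobility anchor add 6 192.168.129.30
! (on 5508-4 the interface is the non-routed VLAN148 equivalent)
!
! ===== anchor 5508-3: WLAN sits on the dmz-guest interface and anchors to itself =====
(Cisco Controller) >config wlan interface 6 dmzguest137
(Cisco Controller) >config wlan mobility anchor add 6 192.168.129.30
!
! ===== identical on foreigns and anchor (the security settings have to match or the
! anchor rejects the export) =====
(Cisco Controller) >config wlan security wpa disable 6
(Cisco Controller) >config wlan security web-passthrough enable 6
! web passthrough with a mandatory e-mail field: no credentials, but an address is logged
(Cisco Controller) >config wlan security web-passthrough email-input enable 6
! no client-to-client forwarding inside the WLAN
(Cisco Controller) >config wlan peer-blocking drop 6
! guests must not drive coverage-hole power increases
(Cisco Controller) >config wlan chd 6 disable
! a client that skips DHCP (static address) is not allowed to pass to RUN state
(Cisco Controller) >config wlan dhcp_server 6 0.0.0.0 required
(Cisco Controller) >config wlan enable 6
!
! verify: show mobility anchor     (control and data path "up" toward 192.168.129.30)
!         show wlan 6
!         show client detail <mac>  (Mobility State: Export Foreign / Export Anchor)
```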

4.7 Configuring and troubleshooting the home office solution

The customer wants to provide secure wireless services to employees that work remotely. The solution must provide the following characteristics:

• The APs used by home office employees should connect to WLC 5508-3 using IP address 192.168.128.33. NAT is preconfigured on the path to the home office
• Make sure that APs on the rest of the infrastructure can't join WLC 5508-3. Don't use ACLs
• All the traffic should be tunneled back using DTLS
• The AP should allow the user to create (if needed) a local SSID for his home network
• The current home AP being used should be named L1040


Note: For console access to the L1040 refer to the MOTD on your comm server.

4.8 Channel assignment

The customer wants to configure the Unified infrastructure to be able to self-adapt to the RF environment. The following tasks should be accomplished:

• The customer is worried that channel changes might disrupt the company operations, so he has asked that on all sites, changes are triggered only during personnel shift changes, which occur starting at 8am and re-occur every 6 hours under normal conditions. (Severe interferer presence is not taken into account during this interval.)
• To have some level of predictability, when all central WLCs are online, the customer wants to designate 5508-1 as the one in charge of making any RF decisions.

4.9 Implementing CleanAir

The deployment of 3500 series APs at the central site was driven by too many problems suspected to be caused by RF issues.

• Enable DCA to take into consideration the spectrum information provided by the APs, making sure that a channel change is triggered when the air quality index drops below a value of 60
• Allow a cost metric bias to be added into the DCA calculation when non-wifi interferer devices are identified

4.10 Rogue detection

The customer has a strict policy that no other wireless services (either IBSS or ESS) should be present in the headquarters premises. The exception to this policy is rogue AP detection in question 5.3. Given the distance to other buildings, on the central site we want to raise a possible alarm for any rogue which is heard with a signal better than -88 dBm. The network must not take actions against such rogues.


5. WCS

5.1 WCS initial configuration

The network infrastructure has a WCS available in the central office, with IP address 192.168.129.11. The username is root, password Cisco123. You can use WCS to configure any setting as needed during the exam. Tasks to be completed:

• You should add all your controllers to the WCS for centralized management
• The customer is concerned about the security of the connection between WCS and the different controllers. Make sure all management communications between them are authenticated and encrypted. No default users or communities should remain on the WLC
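An added example (not from the original) of the controller-side SNMP hardening that both 2.3 and the second bullet of 5.1 ask for: one SNMPv3 user with HMAC-SHA authentication and AES-128 privacy, the factory v3 user and v1/v2c communities removed, and only v3 left enabled. Username and passphrase are the page's; nothing else is assumed.

```cisco
! ===== on every WLC (5508-1 .. 5508-4) =====
! Strongest combination the 5508 offers: hmacsha for authentication, aescfb128 for privacy.
! The same passphrase is used for both, as the question specifies.
(Cisco Controller) >config snmp v3user create admin rw hmacsha aescfb128 Cisco123 Cisco123
! Remove the factory-shipped v3 user ...
(Cisco Controller) >config snmp v3user delete default
! ... and the factory v1/v2c communities, which authenticate with a string sent in clear
(Cisco Controller) >config snmp community delete public
(Cisco Controller) >config snmp community delete private
! Leaving v1/v2c enabled with no community is still an attack surface for brute-forcing
! a re-added community later; switch the versions off outright.
(Cisco Controller) >config snmp version v1 disable
(Cisco Controller) >config snmp version v2c disable
(Cisco Controller) >config snmp version v3 enable
! v3 user changes are only applied after the configuration is saved and the controller
! reset; verify after the reboot, not before.
(Cisco Controller) >save config
(Cisco Controller) >reset system
!
! ----- verification after the reset -----
(Cisco Controller) >show snmpv3user        only "admin", rw, HMAC-SHA / AES
(Cisco Controller) >show snmpcommunity     empty
(Cisco Controller) >show snmpversion       v1 Disable, v2c Disable, v3 Enable
!
! WCS side: add each controller with SNMPv3, user "admin", auth SHA, privacy AES-128 and
! the same passphrase. An auth/priv protocol mismatch shows up in WCS as a timeout during
! "Add controller", not as an authentication error, so check show snmpv3user first.
```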

5.2 Troubleshooting MSE Context Aware Services

The network infrastructure has an MSE in the central office, with the IP address 192.168.129.14, that is unreachable. The username is root, password Cisco123. Tasks to be completed:

• Synchronize the MSE using the CAS service on all maps and all WLCs
• Verify the NMSP status in WCS for all WLCs is "active"
• Verify the NMSP status on all WLCs is properly transmitting and receiving traffic


6. WLAN Services

6.1 Voice infrastructure setup

The wireless infrastructure will provide voice services for 7925-based phones for central and home office users. Map the VoiceYY WLAN to VLAN130 by default. The following requirements from the customer must be met:

• Every other beacon should be without a TIM element. This must not affect other WLANs
• The encryption must not be affected by the TKIP hold-off timer, and must use the highest encryption method available
• RF contention windows for wireless clients must be optimized for voice and video
• Test 2.4 GHz radios in the lab infrastructure design
• Authentication must use 802.1x with centralized key management, and full re-authentication should take place once a day
• Calls should be rejected if the RF utilization per AP radio is exceeded. This must be done dynamically per AP
• Only WMM-aware clients must be able to connect to this SSID
• CAC should accept the default value used by phones as the minimum rate
• It is expected that the deployment will follow normal deployment guidelines:
  1) DHCP requirement must not be enabled
  2) Aironet extensions are enabled
  3) P2P is disabled
  4) MFP client is not enabled
  5) Band select is not enabled
  6) Load balancing is not enabled
  7) Optimize the 802.11b/g beacons to be transmitted at 11 Mb/s
  8) Do not use data rates below 11 Mb/s for transmission and retries
  9) Devices must adapt to the power used by the AP
  10) WLAN CoS tagging should allow phone priority frames
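An added example (not part of the original question set) of a VoiceYY WLAN and 2.4 GHz band configuration that meets the requirements listed above. WLAN ID 5 and the interface name voice130 are assumptions; VLAN, timers, cipher and rate choices follow the page. The "DHCP requirement" item (1) and the CAC minimum-rate item are the controller defaults and are left untouched.

```cisco
! ===== VoiceYY on 5508-1 / 5508-2 (WLAN id 5 and interface voice130 assumed) =====
(Cisco Controller) >config wlan create 5 VoiceYY VoiceYY
(Cisco Controller) >config wlan interface 5 voice130
(Cisco Controller) >config wlan radio 5 802.11bg
! DTIM period 2: a DTIM in every second beacon, set per WLAN and per band
(Cisco Controller) >config wlan dtim 802.11b 2 5
! WPA2/AES only. With no TKIP cipher on the WLAN the 60 s MIC-countermeasure hold-off
! can never apply to these phones.
(Cisco Controller) >config wlan security wpa enable 5
(Cisco Controller) >config wlan security wpa wpa1 disable 5
(Cisco Controller) >config wlan security wpa wpa2 enable 5
(Cisco Controller) >config wlan security wpa wpa2 ciphers aes enable 5
! CCKM: 802.1X with the controller as key distributor, so a roam does not go back to ACS
(Cisco Controller) >config wlan security wpa akm 802.1x disable 5
(Cisco Controller) >config wlan security wpa akm cckm enable 5
! Full re-authentication once a day
(Cisco Controller) >config wlan session-timeout 5 86400
! WMM mandatory; platinum profile so the phones' high-priority frames are not down-marked
(Cisco Controller) >config wlan wmm require 5
(Cisco Controller) >config wlan qos 5 platinum
! Deployment guideline items 2-6
(Cisco Controller) >config wlan ccx aironet-ie enable 5
(Cisco Controller) >config wlan peer-blocking drop 5
(Cisco Controller) >config wlan mfp client disable 5
(Cisco Controller) >config wlan band-select allow disable 5
(Cisco Controller) >config wlan load-balance allow disable 5
(Cisco Controller) >config wlan enable 5
!
! ===== 2.4 GHz band-wide settings (these affect every WLAN on the band) =====
(Cisco Controller) >config 802.11b disable network
! 11 Mb/s mandatory and nothing below it: beacons go out at the lowest mandatory rate,
! and retries cannot fall back to 1 / 2 / 5.5 Mb/s
(Cisco Controller) >config 802.11b rate disabled 1
(Cisco Controller) >config 802.11b rate disabled 2
(Cisco Controller) >config 802.11b rate disabled 5.5
(Cisco Controller) >config 802.11b rate mandatory 11
! Contention windows tuned for voice and video
(Cisco Controller) >config advanced 802.11b edca-parameters optimized-video-voice
! DTPC: APs advertise their power in the Aironet IE so CCX phones match it
(Cisco Controller) >config 802.11b dtpc enable
! Load-based CAC rejects a new call when the radio's measured utilisation, rather than a
! static bandwidth sum, says there is no room; it is evaluated per AP radio
(Cisco Controller) >config 802.11b cac voice acm enable
(Cisco Controller) >config 802.11b cac voice load-based enable
(Cisco Controller) >config 802.11b enable network
!
! verify: show wlan 5 / show 802.11b / show client detail <phone-mac>  (Policy Manager State RUN, CCKM)
```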


6.2 Voice troubleshooting

Cisco TAC has been assisting with poor voice quality on 802.11 and has indicated the following changes are required:

• WLC dynamic AP transmit power should be limited to 50 mW to match the 7925G device
• WLC dynamic AP transmit power should not drop below 14 dBm, based on the site survey that was performed to ensure signal penetration
• APs should wait 250 ms for client devices to respond before attempting to resend the EAPOL key exchange
• If poor voice quality should reoccur, make sure statistics can be collected on the WLC GUI that show packet delays and lost packets for approximately the last 90 seconds of the voice flow

6.3 Phone configuration

Configure the phone at your desk to join WLAN VoiceYY. Once registered, you should be able to place a call to the number 1001. Use the username "user1" to connect to the wireless infrastructure.


THANK YOU FOR USING CCIEWIRELESSLABS