Implementing Cisco
Unified Wireless
Networking Essentials
Version 1.0
Lab Guide
Text Part Number: 97-2700-02
DISCLAIMER WARRANTY: THIS CONTENT IS BEING PROVIDED AS IS. CISCO MAKES AND YOU RECEIVE NO WARRANTIES IN
CONNECTION WITH THE CONTENT PROVIDED HEREUNDER, EXPRESS, IMPLIED, STATUTORY OR IN ANY OTHER PROVISION OF
THIS CONTENT OR COMMUNICATION BETWEEN CISCO AND YOU. CISCO SPECIFICALLY DISCLAIMS ALL IMPLIED
WARRANTIES, INCLUDING WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR
PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. This learning product may contain early release
content, and while Cisco believes it to be accurate, it falls subject to the disclaimer above.
Table of Contents
Lab Guide
  Overview
  Outline
Lab 1-1: Becoming Familiar with Antennae and Ranges
  Activity Objective
  Visual Objective
  Required Resources
  Task 1: Complete These Power Conversions
  Task 2: Calculate EIRP and Choose the Correct Antenna
  Task 3: Determine the Type of Antenna Represented, Its Use, and the Best Location for It
Lab 1-2: Creating an Ad Hoc (IBSS) Network and Analyzing the Communication
  Activity Objective
  Visual Objective
  Required Resources
  Command List
  Job Aids
  Task 1: Connect to the Remote Lab
  Task 2: Connect to Your Remote Lab Wireless Laptop
  Task 3: Verify the Internal Card Settings
  Task 4: Create an Ad Hoc Network and Analyze the Communication
Lab 2-1: Configuring a Cisco 2106 WLC
  Activity Objective
  Visual Objective
  Required Resources
  Job Aids
  Task 1: Connect to the WLAN Controller Serial Interface and Configure Your Controller for the First Time
  Task 2: Connect to Your Controller
  Task 3: Allow Limited Remote Management
  Task 4: Allow Open Authentication
  Task 5: Create a DHCP Scope
  Task 6: Look for APs
Lab 2-2: Configuring and Migrating a Standalone AP
  Activity Objective
  Visual Objective
  Required Resources
  Job Aids
  Task 1: Check the AP Parameters
  Task 2: Configure Your Standalone AP
  Task 3: Convert Your Standalone AP to LWAPP
Lab 2-3: Installing and Configuring a Cisco Mobility Express Wireless Controller and AP
  Activity Objective
  Visual Objective
  Required Resources
  Job Aids
  Task 1: Configure Your Cisco Mobility Express Wireless Controller
  Task 2: Create a DHCP Scope
  Task 3: Manage the AP
  Task 4: Use the Cisco Configuration Assistant
Lab 3-1: Installing and Using the Cisco ADU
  Activity Objective
  Visual Objective
  Required Resources
  Job Aids
  Task 1: Installing the Software
  Task 2: Use the Cisco ADU and the Cisco Site Survey Utility
IUWNE
Lab Guide
Overview
This guide presents the instructions and other information concerning the lab activities for this
course. You can find the solutions in the lab activity Answer Key.
Outline
This guide includes these activities:
Lab 1-2: Creating an Ad Hoc Network (IBSS) and Analyzing the Communication
Lab 5-1: Configuring Controllers and APs from the Cisco WCS Interface
Lab 6-1: Backing Up the Controller Configuration and the Cisco WCS Database
Answer Key
Lab 1-1: Becoming Familiar with Antennae and Ranges
Activity Objective
In this activity, you will work with antennae and powers. After completing this activity, you
will be able to meet these objectives:
Determine the EIRP from the AP, cable, and antenna specifications provided
Visual Objective
The figure illustrates what you will accomplish in this activity.
x mW = y dBm
Required Resources
These are the resources and equipment that are required to complete this activity:
Task 1: Complete These Power Conversions
Activity Procedure
Complete these steps:
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
A station receives 0.000001 mW RSSI from an AP. The noise level is around
0.00000025 mW. Convert these values to dBm and determine the SNR level. Is the
SNR level acceptable?
Step 7
Step 8
Step 9
Step 10
Step 11
Step 12
Step 13
Activity Verification
You have successfully completed this task when you attain this result:
You have found the correct values as per the answer key.
Task 2: Calculate EIRP and Choose the Correct Antenna
Activity Procedure
Complete these steps:
Step 1
Which antenna would work best for a point-to-point 26-mile (42-km) link? A 21 dBi
dish, a 5.2 dBi omnidirectional, or an 8.1 dBi patch?
Step 2
Which antenna would work best for large lobby coverage from a wall? A 21 dBi
dish, a 5.2 dBi omnidirectional, or an 8.1 dBi patch?
Step 3
Which antenna would work best for coverage of a meeting room from the ceiling?
21 dBi dish, 5.2 dBi omni, 8.1 dBi patch?
Step 4
Step 5
Step 6
Step 7
You have been asked not to exceed 20 dBm EIRP on a 3.0 dBi omnidirectional
antenna. Which power level should you set your AP to knowing that you use 50 feet
of 6 dB/100 feet loss cable?
Step 8
You have been asked not to exceed 17 dBm EIRP on a 13.5 dBi Yagi antenna.
Which power level should you set your AP to knowing that you will use 150 feet of
6 dB/100 feet loss cable and that the cable connectors add an extra 0.5 dB loss?
Step 9
You have been asked not to exceed 17 dBm EIRP on a 5.2 patch antenna. How
much length of 2.8 dB loss per 100 feet cable should you use, knowing that the AP
power level is statically set to 40 mW?
Activity Verification
You have successfully completed this task when you attain this result:
You have found the right values as per the answer key.
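A worked calculation for the conversions in Task 1 and the EIRP limits in Task 2, added here as an example and not part of the original lab guide. It uses EIRP = transmit power minus cable and connector loss plus antenna gain, treats the "5.2 patch antenna" of Step 9 as 5.2 dBi (an assumption), and all function names are made up for this example.

```python
import math


def mw_to_dbm(mw: float) -> float:
    """Power in milliwatts -> dBm (decibels relative to 1 mW)."""
    if mw <= 0:
        raise ValueError("power must be greater than 0 mW")
    return 10.0 * math.log10(mw)


def dbm_to_mw(dbm: float) -> float:
    """Power in dBm -> milliwatts."""
    return 10.0 ** (dbm / 10.0)


def snr_db(signal_mw: float, noise_mw: float) -> float:
    """SNR is the received signal level minus the noise level, both in dBm."""
    return mw_to_dbm(signal_mw) - mw_to_dbm(noise_mw)


def cable_loss_db(length_ft: float, db_per_100ft: float,
                  connector_db: float = 0.0) -> float:
    """Total loss between the AP and the antenna."""
    return length_ft / 100.0 * db_per_100ft + connector_db


def eirp_dbm(tx_dbm: float, gain_dbi: float, loss_db: float) -> float:
    """EIRP = transmit power - loss + antenna gain."""
    return tx_dbm - loss_db + gain_dbi


def max_tx_dbm(eirp_limit_dbm: float, gain_dbi: float, loss_db: float) -> float:
    """Highest AP power that keeps the EIRP at or below the limit."""
    return eirp_limit_dbm - gain_dbi + loss_db


def min_cable_ft(eirp_limit_dbm: float, tx_dbm: float, gain_dbi: float,
                 db_per_100ft: float) -> float:
    """Shortest cable run whose loss brings the EIRP down to the limit."""
    excess_db = eirp_dbm(tx_dbm, gain_dbi, 0.0) - eirp_limit_dbm
    return max(0.0, excess_db) / db_per_100ft * 100.0


if __name__ == "__main__":
    # Task 1, Step 6: RSSI and noise given in mW
    print("RSSI  %.1f dBm" % mw_to_dbm(0.000001))
    print("noise %.1f dBm" % mw_to_dbm(0.00000025))
    print("SNR   %.1f dB" % snr_db(0.000001, 0.00000025))

    # Task 2, Step 7: 20 dBm limit, 3.0 dBi omni, 50 ft of 6 dB/100 ft cable
    p7 = max_tx_dbm(20, 3.0, cable_loss_db(50, 6))
    print("Step 7: %.1f dBm (%.0f mW)" % (p7, dbm_to_mw(p7)))

    # Task 2, Step 8: 17 dBm limit, 13.5 dBi Yagi, 150 ft of cable, 0.5 dB connectors
    p8 = max_tx_dbm(17, 13.5, cable_loss_db(150, 6, 0.5))
    print("Step 8: %.1f dBm (%.0f mW)" % (p8, dbm_to_mw(p8)))

    # Task 2, Step 9: 17 dBm limit, AP fixed at 40 mW, 2.8 dB/100 ft cable
    print("Step 9: %.0f ft" % min_cable_ft(17, mw_to_dbm(40), 5.2, 2.8))
```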
Task 3: Determine the Type of Antenna Represented, Its Use, and the Best Location for It
Activity Procedure
Complete these steps:
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
Step 7
Step 8
Step 9
Step 10
Step 11
Step 12
Activity Verification
You have successfully completed this task when you attain this result:
You have found the right values as per the answer key.
Lab 1-2: Creating an Ad Hoc (IBSS) Network and Analyzing the Communication
Activity Objective
In this activity, you will connect to the remote lab and create an ad hoc network between two
machines. You will then analyze the communication to understand what exactly is exchanged
between the laptops. After completing this activity, you will be able to meet these objectives:
Visual Objective
The figure illustrates what you will accomplish in this activity.
Required Resources
These are the resources and equipment that are required to complete this activity:
In the remote lab, a laptop with preinstalled sniffer and wireless card
Command List
The table describes the command that is used in this activity.
ping Command
Command
Description
ping
Job Aids
These job aids are available to help you complete the lab activity:
Lab Map: Groups 1 to 4
                        Group 1          Group 2          Group 3          Group 4
                        10.10.1.240      10.20.1.240      10.30.1.240      10.40.1.240
                        student1         student2         student3         student4
Remote laptop password  cisco            cisco            cisco            cisco
Ad hoc channel
Ad hoc SSID             IUWNE-AD1        IUWNE-AD1        IUWNE-AD2        IUWNE-AD2
Ad hoc IP address       192.168.10.1     192.168.10.2     192.168.10.5     192.168.10.6
Ad hoc mask             255.255.255.252  255.255.255.252  255.255.255.252  255.255.255.252
Lab Map: Groups 5 to 8
                        Group 5          Group 6          Group 7          Group 8
                        10.50.1.240      10.60.1.240      10.70.1.240      10.80.1.240
                        student5         student6         student7         student8
Remote laptop password  cisco            cisco            cisco            cisco
Ad hoc channel          11, 11
Ad hoc SSID             IUWNE-AD3        IUWNE-AD3        IUWNE-AD4        IUWNE-AD4
Ad hoc IP address       192.168.10.9     192.168.10.10    192.168.10.13    192.168.10.14
Ad hoc mask             255.255.255.252  255.255.255.252  255.255.255.252  255.255.255.252
Task 1: Connect to the Remote Lab
Activity Procedure
Complete these steps:
Step 1
Check to see if the Cisco VPN client is already installed on your PC: Choose Start >
Programs, and verify that the Cisco VPN client folder is present in the list of
available programs. If the folder is present, go directly to Step 4.
Step 2
If the folder is not present, ask your instructor to provide you with the Cisco VPN
client installer and the profile file (.pcf) required to access the remote lab.
Step 3
Double-click the Cisco Systems VPN Client Installer, and use the default values to
install the program. You may be asked to reboot your PC.
Step 4
Choose Start > Programs, go to the Cisco Systems VPN Client folder, and click the
VPN Client icon.
Step 5
Step 6
Browse through the list and choose the .pcf file provided by your instructor. This
action should add a new entry in your Cisco VPN client window.
Step 7
Double-click the new entry in your Cisco VPN Client Window. Ask your instructor
to provide the credentials used in your class.
Step 8
The connection is established when a small lock appears in the bottom-right corner
of your screen.
Step 9
Verify that you were assigned an IP address in the VPN network: Choose Start >
Run, enter cmd, and click OK.
Step 10
In the MS-DOS window, enter ipconfig/all. Check to verify that an adapter called
Cisco VPN adapter appears in the list and that it has an IP address in the range
10.X0.1.0 (where X is your group number).
Step 11
In the command prompt window, enter ping 10.100.1.254 to ping the common
gateway. Verify that the ping is successful.
Activity Verification
You have successfully completed this task when you attain these results:
Task 2: Connect to Your Remote Lab Wireless Laptop
Activity Procedure
Complete these steps:
Step 1
Verify that your VPN connection to the remote lab is working properly.
Step 2
Connect to your remote laptop using the remote desktop: Choose Start > Programs
> Accessories > Communications > Remote Desktop Connection.
Note
In each group, only one person at a time can be connected to the remote lab wireless
laptop. Choose with your partner who will be connecting.
Step 3
Use the lab map table shown in the Job Aids section to determine the destination IP
address that should be used to connect to your remote laptop. The address should be
in the format 10.X0.1.240, where X is your pod number.
Step 4
In the remote desktop connection pop-up window, in the computer field, enter the IP
address of your remote laptop, and click Connect.
Step 5
You will be presented with a new window where you are asked to enter the
credentials required to access your remote lab wireless laptop. Use the lab map table
to find out which username and password are used to connect to your group's laptop.
They should be in the format username studentX (where X is your group number)
and password cisco.
Step 6
Enter the credentials, and click OK. You should see the Windows desktop of your
remote laptop. You will use this same method of access for all remaining labs, so
keep this procedure available for reference for the subsequent labs.
Step 7
Take some time to familiarize yourself with the remote desktop interface. It is a
remote desktop on top of your class PC desktop. The upper bar shows that you are in
the remote desktop interface and displays the IP address of the remote laptop. To
minimize the remote desktop window, click the Minimize button. The remote
desktop window is minimized to your class PC taskbar. You can then access other
applications in your class PC. Click the remote desktop program in the task bar to
restore it to its full size. Click the Maximize button to increase or the Restore down
button to reduce the size of the remote desktop application. To end the remote
desktop session, click the Close button in the remote desktop window. Never
disconnect the VPN session without closing the remote desktop application first.
You would be disconnected from the remote laptop without any possibility of
connecting back.
Activity Verification
You have successfully completed this task when you attain these results:
You can see your remote lab wireless laptop IP address in a tab at the top of your screen.
You see your remote lab wireless laptop desktop and can interact with it.
Task 3: Verify the Internal Card Settings
Activity Procedure
Complete these steps:
Step 1
From your remote lab wireless laptop, click Start > Connect To > Show All
Connections.
Step 2
Locate your wireless connection. It should be called Intel(R) Wireless WiFi Link
4965AGN.
Step 3
Step 4
Right-click Intel(R) Wireless WiFi link 4965AGN again and choose Properties.
Step 5
A new window opens. Click the Configure button located at the right of the
physical card description.
Step 6
A new window appears. Click the Advanced tab. In the Property list, choose Ad
Hoc Channel, and then choose the right value for your group from the drop-down
menu next to 802.11b/g. Refer to the following table:
Pod      Pod1  Pod2  Pod3  Pod4  Pod5  Pod6  Pod7  Pod8
Channel  11, 11
Step 7
Choose Ad Hoc Power Management, and verify that the default value is set to
Disabled. Choosing Disabled ensures that your card does not turn to the power save
mode while you are in ad hoc mode.
Step 8
You can see your wireless card MAC address at the bottom of the window.
Document it here.
Intel card MAC address:________________________________________________
Step 9
Activity Verification
You have successfully completed this task when you attain these results:
You have configured the channel used by your card to connect to ad hoc networks.
Peer Group
Pod 1
Pod 2
Pod 3
Pod 4
Pod 5
Pod 6
Pod 7
Pod 8
Task 4: Create an Ad Hoc Network and Analyze the Communication
Activity Procedure
Complete these steps:
Step 1
Prepare your wireless connection. If you closed the Wireless Network Connection
Properties window, click Start > Connect to > Show all connections.
Step 2
Step 3
Locate your wireless connection. It should be called Intel(R) Wireless WiFi Link
4965AGN.
Step 4
Step 5
To create an ad hoc network you must have a common subnet IP address, and create
a common SSID. You need the IP address because neither of the two laptops is
configured to act as a DHCP server. In the Wireless Network Connection Properties
window, click the General tab, choose Internet Protocol TCP/IP, and then click
Properties.
Step 6
In the General tab, click the Use the following IP address radio button.
Step 7
Enter the IP address assigned to your group for this lab. Refer to the lab map.
Step 8
Step 9
Step 10
Step 11
If any networks are in the Preferred networks list, click them one by one and click
the Remove button until the Preferred network list is empty.
Step 12
Click Add.
Step 13
A new window appears. In the Network name (SSID) field, enter your ad hoc SSID.
Refer to the lab map.
Step 14
Step 15
Step 16
Step 17
Step 18
Click OK to close the Wireless Network Connection Properties window and initiate
the connection.
Step 19
After a few seconds, your Intel wireless card should show the status as Connected.
Step 20
Step 21
You should see that you are connected to the ad hoc network you created.
Step 22
Open a command prompt. Choose Start > All programs > Accessories >
Command prompt.
Step 23
Try to ping the peer group IP address. The command should be in the form of ping
192.168.10.Z, where Z is the peer group host address. The ping should be
successful.
Step 24
You have now confirmed that the peer-to-peer connection worked. The next step is
to sniff the connection process and analyze it. Right-click your Intel 4965 card and
choose Disable.
Step 25
To start Wireshark, click Start > All Programs > Wireshark > Wireshark.
Step 26
Choose the Airpcap passive interface. In Wireshark, click Capture and choose
Interfaces.
Step 27
In the Interfaces list, you should see Airpcap USB wireless capture adapter. Click
Options at the right end of the Airpcap USB wireless capture adapter line.
Step 28
Step 29
Step 30
In the Channel field, choose the ad hoc channel used by your group. Refer to the lab
map.
Step 31
Verify that the Capture Type is set to 802.11 + Radio. Click OK.
Step 32
You should filter the capture to only display frames coming from and to your Intel
adapter. In the Capture Filter field, enter ether host followed by the MAC address
of your Intel card documented in Step 8 of the previous task. For example: ether
host 00:0b:85:72:17:10.
Note
The Capture Filter menu presents a drop-down list from which some classical filters
can be selected directly. The ether host filter is not in the list and must be entered
manually.
2008 Cisco Systems, Inc.
Step 33
Make sure that your partner group is at the same step. Then, in the bottom section of
the Wireshark capture option window, click Start to launch the capture.
Step 34
Step 35
Locate your wireless connection. You should see Intel(R) Wireless WiFi link
4965AGN.
Step 36
Step 37
After a few seconds, your Intel wireless card should show the status as Connected.
Step 38
Step 39
You should see that you are connected to the ad hoc network you created.
Step 40
Open a command prompt window. Click Start > All programs > Accessories >
Command prompt.
Step 41
Try to ping the peer group IP address. The command should be in the form ping
192.168.10.Z, where Z is the peer group host address. The ping should be
successful.
Step 42
From the Wireshark window, stop the capture. Click the Stop capture icon.
Step 43
Try to analyze the capture with your partner group and answer the following
questions: What is the most common frame type seen in the capture? Pings? Probe
requests/ probe answers? Beacons?
_________________________________________________________________
Step 44
Step 45
Click one beacon. Expand the Radiotap section. What is the peak frequency of the
channel used? The channel you defined for your network? Another one?
__________________________________________________________________
Step 46
At what speed (data rate) was it sent? The lowest possible speed? The fastest? An
intermediate speed?
__________________________________________________________________
Step 47
How often, on average, is the beacon sent? (Intervals between frames in the upper
section of the program window are given in seconds. You can also expand the IEEE
802.11 wireless management frame section and the Fixed Parameters subsection.)
Every second? Every tenth of a second? One hundred times a second?
___________________________________________________________________
Step 48
Expand the Tagged parameters section of the IEEE 802.11 wireless management
frame section. What are the supported rates? All the 802.11b rates? Only some of
them? More than the 802.11b rates?
___________________________________________________________________
Step 49
From these supported rates, what type of network protocol do you think is used?
802.11b? 802.11g? 802.11b/g? 802.11a?
___________________________________________________________________
Step 50
In the same Tagged parameters section of the IEEE 802.11 wireless LAN
management frame section, which flag indicates that it is an ad hoc network? An ad
hoc field? IBSS? BSSID?
____________________________________________________________________
Step 51
Step 52
Try to find frames that were not sent at the lowest speed. Why were they sent faster?
Because only beacon frames are sent slowly? To optimize the transmission to the
recipient?
____________________________________________________________________
Step 53
Close the Wireshark software. Save the capture on your desktop for future reference.
Give it the name Ad-hoc1.
Step 54
Step 55
Click the General tab, choose Internet Protocol TCP/IP, and click Properties.
Step 56
Step 57
Step 58
Click OK to validate.
Step 59
Step 60
Step 61
Step 62
Activity Verification
You have successfully completed this task when you attain these results:
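What Steps 45 to 50 of the ad hoc capture analysis read off by hand in Wireshark, as an added example that is not part of the original lab guide: a parser that pulls the beacon interval, the ESS/IBSS capability bits, the channel and the supported rates out of an "802.11 + Radio" (radiotap) packet. The sample packet is constructed for this example (its SSID, channel and source MAC reuse values shown in this guide, the BSSID is made up), and the function names are hypothetical.

```python
import struct

TU_SECONDS = 1024e-6              # one 802.11 time unit (TU) is 1024 microseconds
DSSS_CCK = {1.0, 2.0, 5.5, 11.0}  # the 802.11b rates, in Mb/s

# Constructed sample, not a real capture: minimal radiotap header + beacon.
SAMPLE_PACKET = (
    bytes.fromhex("0000080000000000")        # radiotap v0, length 8, no fields
    + bytes.fromhex("80000000")              # frame control = beacon, duration 0
    + bytes.fromhex("ffffffffffff")          # destination: broadcast
    + bytes.fromhex("000b85721710")          # source: example MAC from Step 32
    + bytes.fromhex("021122334455")          # BSSID (made up)
    + bytes.fromhex("0000")                  # sequence control
    + struct.pack("<QHH", 0, 100, 0x0002)    # timestamp, interval (TU), capabilities
    + b"\x00\x09IUWNE-AD1"                   # tag 0: SSID
    + bytes.fromhex("010482848b96")          # tag 1: supported rates
    + bytes.fromhex("03010b")                # tag 3: DS parameter set (channel 11)
    + bytes.fromhex("06020000")              # tag 6: IBSS parameter set (ATIM window)
    + bytes.fromhex("32080c1218243048606c")  # tag 50: extended supported rates
)


def mac(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def strip_radiotap(packet: bytes) -> bytes:
    """Drop the radiotap header that an '802.11 + Radio' capture prepends."""
    if len(packet) < 8 or packet[0] != 0:
        raise ValueError("not a radiotap v0 packet")
    (rt_len,) = struct.unpack_from("<H", packet, 2)
    if rt_len < 8 or rt_len > len(packet):
        raise ValueError("bad radiotap length")
    return packet[rt_len:]


def parse_tags(data: bytes) -> dict:
    """Split tagged parameters into {tag id: [value, ...]}; stop if truncated."""
    tags, pos = {}, 0
    while pos + 2 <= len(data):
        tag_id, tag_len = data[pos], data[pos + 1]
        value = data[pos + 2:pos + 2 + tag_len]
        if len(value) < tag_len:
            break
        tags.setdefault(tag_id, []).append(value)
        pos += 2 + tag_len
    return tags


def parse_beacon(frame: bytes) -> dict:
    """Decode the fields of a beacon that the capture questions ask about."""
    if len(frame) < 36:               # 24-byte MAC header + 12 fixed bytes
        raise ValueError("too short for a beacon")
    (fc,) = struct.unpack_from("<H", frame, 0)
    if (fc >> 2) & 0x3 != 0 or (fc >> 4) & 0xF != 8:
        raise ValueError("not a beacon (management type, subtype 8)")
    _timestamp, interval_tu, cap = struct.unpack_from("<QHH", frame, 24)
    tags = parse_tags(frame[36:])
    # Each rate byte: low 7 bits in 500 kb/s units, top bit marks a basic rate.
    raw_rates = b"".join(tags.get(1, []) + tags.get(50, []))
    rates = [((b & 0x7F) * 0.5, bool(b & 0x80)) for b in raw_rates]
    mbps = {rate for rate, _ in rates}
    if not mbps:
        phy = "unknown"
    elif mbps <= DSSS_CCK:
        phy = "802.11b"
    elif mbps & DSSS_CCK:
        phy = "802.11b/g"
    else:
        phy = "OFDM only (802.11g or 802.11a, depending on the band)"
    ds = tags.get(3, [b""])[0]
    return {
        "source": mac(frame[10:16]),
        "bssid": mac(frame[16:22]),
        "ssid": tags.get(0, [b""])[0].decode("utf-8", "replace"),
        "beacon_interval_s": interval_tu * TU_SECONDS,
        "ess": bool(cap & 0x0001),     # set by an AP in infrastructure mode
        "ibss": bool(cap & 0x0002),    # set by a station in an ad hoc network
        "ibss_parameter_set": 6 in tags,
        "channel": ds[0] if ds else None,
        "rates": sorted(mbps),
        "basic_rates": sorted(rate for rate, basic in rates if basic),
        "phy": phy,
    }


if __name__ == "__main__":
    for key, value in parse_beacon(strip_radiotap(SAMPLE_PACKET)).items():
        print("%-20s %s" % (key, value))
```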
Lab 2-1: Configuring a Cisco 2106 WLC
Activity Objective
In this activity, you will connect to your Cisco 2106 WLC through the serial connection and
configure it for the first time. After completing this activity, you will be able to meet these
objectives:
Visual Objective
The figure illustrates what you will accomplish in this activity.
Required Resources
These are the resources and equipment that are required to complete this activity:
A connection to the remote terminal server with serial connection to your controller
Job Aids
These job aids are available to help you complete the lab activity:
Lab table
                                 Pod 1          Pod 2          Pod 3          Pod 4
                                 10.10.1.240    10.20.1.240    10.30.1.240    10.40.1.240
                                 student1       student2       student3       student4
Remote laptop password           cisco          cisco          cisco          cisco
                                 2106-1         2106-2         2106-3         2106-4
Administrative user              admin1         admin2         admin3         admin4
Administrative password          cisco          cisco          cisco          cisco
Management interface IP address  10.10.1.10     10.20.1.10     10.30.1.10     10.40.1.10
Management interface mask        255.255.255.0  255.255.255.0  255.255.255.0  255.255.255.0
Default router                   10.10.1.254    10.20.1.254    10.30.1.254    10.40.1.254
Management vlan id
Management port
Management DHCP server           10.10.1.10     10.20.1.10     10.30.1.10     10.40.1.10
AP manager IP address            10.10.1.11     10.20.1.11     10.30.1.11     10.40.1.11
AP Manager DHCP server           10.10.1.10     10.20.1.10     10.30.1.10     10.40.1.10
Virtual gateway IP address       1.1.1.1        1.1.1.1        1.1.1.1        1.1.1.1
                                 pod1           pod2           pod3           pod4
Enable symmetric tunneling       No             No             No             No
Network name                     IUWNE-1        IUWNE-2        IUWNE-3        IUWNE-4
Allow static IP addresses        Yes            Yes            Yes            Yes
Radius server                    No             No             No             No
Country code                     US             US             US             US
                                 yes            yes            yes            yes
Configure NTP                    No             No             No             No
Configure time                   No             No             No             No
                                 Scope 1-1      Scope 2-1      Scope 3-1      Scope 4-1
                                 10.10.1.21     10.20.1.21     10.30.1.21     10.40.1.21
                                 10.10.1.25     10.20.1.25     10.30.1.25     10.40.1.25
DHCP Network                     10.10.1.0      10.20.1.0      10.30.1.0      10.40.1.0
DHCP Netmask                     255.255.255.0  255.255.255.0  255.255.255.0  255.255.255.0
                                 14400          14400          14400          14400
                                 10.10.1.254    10.20.1.254    10.30.1.254    10.40.1.254
                                 10.100.1.1     10.100.1.1     10.100.1.1     10.100.1.1
                                 10.100.1.1     10.100.1.1     10.100.1.1     10.100.1.1
DHCP status                      Enabled        Enabled        Enabled        Enabled
                                 Pod 5          Pod 6          Pod 7          Pod 8
                                 10.50.1.240    10.60.1.240    10.70.1.240    10.80.1.240
                                 student5       student6       student7       student8
Remote laptop password           cisco          cisco          cisco          cisco
                                 2106-5         2106-6         2106-7         2106-8
Administrative user              admin5         admin6         admin7         admin8
Administrative password          cisco          cisco          cisco          cisco
Management interface IP address  10.50.1.10     10.60.1.10     10.70.1.10     10.80.1.10
Management interface mask        255.255.255.0  255.255.255.0  255.255.255.0  255.255.255.0
Default router                   10.50.1.254    10.60.1.254    10.70.1.254    10.80.1.254
Management vlan id
Management port
Management DHCP server           10.50.1.10     10.60.1.10     10.70.1.10     10.80.1.10
AP manager IP address            10.50.1.11     10.60.1.11     10.70.1.11     10.80.1.11
AP Manager DHCP server           10.50.1.10     10.60.1.10     10.70.1.10     10.80.1.10
Virtual gateway IP address       1.1.1.1        1.1.1.1        1.1.1.1        1.1.1.1
                                 pod5           pod6           pod7           pod8
Enable symmetric tunneling       No             No             No             No
Network name                     IUWNE-5        IUWNE-6        IUWNE-7        IUWNE-8
Allow static IP addresses        Yes            Yes            Yes            Yes
Radius server                    No             No             No             No
Country code                     US             US             US             US
                                 yes            yes            yes            yes
Configure NTP                    No             No             No             No
Configure time                   No             No             No             No
                                 Scope 5-1      Scope 6-1      Scope 7-1      Scope 8-1
                                 10.50.1.21     10.60.1.21     10.70.1.21     10.80.1.21
                                 10.50.1.25     10.60.1.25     10.70.1.25     10.80.1.25
DHCP Network                     10.50.1.0      10.60.1.0      10.70.1.0      10.80.1.0
DHCP Netmask                     255.255.255.0  255.255.255.0  255.255.255.0  255.255.255.0
                                 14400          14400          14400          14400
                                 10.50.1.254    10.60.1.254    10.70.1.254    10.80.1.254
                                 10.100.1.1     10.100.1.1     10.100.1.1     10.100.1.1
                                 10.100.1.1     10.100.1.1     10.100.1.1     10.100.1.1
DHCP status                      Enabled        Enabled        Enabled        Enabled
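Task 1: Connect to the WLAN Controller Serial Interface and Configure Your Controller for the First Time
Activity Procedure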
Complete these steps:
Step 1
From your class PC, start the VPN client and double-click the remote lab connection
to activate it.
Step 2
From your class PC, choose Start > Programs > Accessories > Command
Prompt.
Step 3
At the command prompt, enter telnet followed by the IP address of the remote
terminal server (10.1.1.252 or other if provided by your instructor).
Step 4
Enter the credentials (username student, password cisco or other if provided by your
instructor) to access the terminal server.
Step 5
After successful login you will be asked to select the correct pod (Podx), where x is
your pod number.
Step 6
You will see a new menu, allowing you to connect to several devices in your group.
Take some time to familiarize yourself with the different options that are available.
Step 7
You now need to connect to the Cisco 2106 WLC, which is WLC2106, or Item 2.
Notice that once you are connected to your controller, you can go back to the device
menu at any time by using the usual escape sequence CTRL + SHIFT + 6 then X.
Selecting 2 from the device menu should bring you to the controller's serial interface
which, since the controller is not configured yet, should be the initial CLI setup
wizard.
Note
VERY IMPORTANT: Verify that the first question you see is System Name. When enabling
the HyperTerminal session to your controller, you may have pressed Enter to test the
connection, and the setting you had at that time may have become the default answer to the
first questions. If that has become the default, and if the first question you see is not System
Name, enter - (minus sign) and press Enter; this action will take you back one question.
Repeat the procedure as many times as needed to get back to the System Name question.
Step 8
Choose the parameters for your pod (X is the number of your pod). Username is
adminX, where X is your pod number, and the password is cisco. Additional
parameters are given below and summarized in the table "Lab Table: IP
Addressing, Naming, and Information: Pods X to Y".
System Name [Cisco_34:26:a3]: 2106-1
Enter Administrative User Name (24 characters max): admin1
Enter Administrative Password (24 characters max): *******
Re-enter Administrative Password: *******
Management Interface IP Address: 10.X0.1.10
Management Interface Netmask: 255.255.255.0
Management Interface Default Router: 10.X0.1.254
Management Interface VLAN Identifier (0 = untagged): 0
Management Interface Port Num [1 to 8]: 1
Note
The port number is important because it must match the connection leading from the WLAN
controller to the network infrastructure.
Later your controller will be configured as a DHCP server. When using an internal WLAN
controller DHCP server, the IP address needs to match the management interface.
Therefore the DHCP server and management address will be the same and point to itself for
this lab. The remaining DHCP configuration will be completed later via the GUI.
Note
The Virtual Gateway provides Layer 3 features such as the DHCP relay to wireless clients.
This value must match among mobility groups.
Mobility/RF Group allows multiple wireless controllers to be clustered into one logical
controller group to allow dynamic RF adjustments and roaming for wireless clients.
By default one WLAN SSID is configured on the WLC already and it is using server-based
authentication. If you skip RADIUS configuration during the startup wizard, the result is a
preconfigured SSID using 802.1x EAP requiring a RADIUS server; however, no server is
defined. This choice is to prevent open authentication security vulnerabilities.
On your controller, you enable all radios, 802.11b, 802.11g and 802.11a. The AP provided
for this controller will only have one 802.11a radio. You still allow all protocols, which means
that if an 802.11b/g AP were to join the controller, its radios would be enabled.
You do not configure the time on this controller. In a real deployment, you would configure
the time during the initial configuration of a controller. In this remote lab scenario, the time
has already been configured and is consistent with the time of the other devices in the lab.
Step 9
Read the warning. Take some time to review your configuration to make sure it
matches the lab map. Then answer yes to the Configuration correct?
question. The controller will save the configuration and reboot directly.
Step 10
Wait for the controller to reboot completely, until you are prompted for a username.
Enter your administrative username, and then press Enter.
Step 11
Enter your password, and then press Enter. Verify that you get the prompt
(Cisco Controller)>.
Step 12
Verify your configuration by entering: show sysinfo. The display should be similar
to the one displayed here, with the values that are relevant to your pod.
Activity Verification
You have successfully completed this task when you attain these results:
Your initial setup is complete and you see the (Cisco Controller)> prompt.
Task 2: Connect to Your Controller
Activity Procedure
Complete these steps:
Step 1
Check that you are connected through the VPN tunnel to the remote lab network.
Step 2
Note
Now that the controller has a web interface, all members of the group can connect
simultaneously to the controller. Use this possibility to explore the controller interface, but
keep in mind that it is preferable to avoid having two people working on the same feature to
avoid any confusion in the changes that could be made.
Step 3
From your class PC, open a browser session to your controller Management
Interface IP address. Use https. You may have to disable your local proxy to access
the web interface through the VPN tunnel.
Step 4
Step 5
Step 6
Enter the administrative username (adminX, where X = Pod number) you defined in
the previous lab, and cisco as the password.
Step 7
Activity Verification
You have successfully completed this task when you attain these results:
You are successfully connected to your controller web interface and see the Monitor
Summary page.
Task 3: Allow Limited Remote Management
This is a lab environment. In a production environment, you might want to consider your
company's security strategy before allowing Telnet connections.
Activity Procedure
Complete these steps:
Step 1
From the controller's web interface, in the upper menu, navigate to Management >
Telnet-SSH.
Step 2
Notice that SSH sessions are already allowed. From the drop-down menu for Allow
New Telnet sessions, choose Yes. Notice that Telnet sessions are limited to five
minutes.
Step 3
Click Apply in the upper-right corner. You are now set up to allow Telnet sessions
and SSH sessions.
Step 4
Test the connectivity: From your class PC choose Start > Programs > Accessories
> Command Prompt.
Step 5
Enter telnet followed by the IP address of your controller service interface. The
entry should be in the format telnet 10.X0.1.10, where X is your Pod number.
Step 6
Step 7
Activity Verification
You have successfully completed this task when you attain these results:
Task 4: Allow Open Authentication
This is a lab environment. In a production environment, you might want to consider your
company's security strategy before allowing open authentication WLANs into your network.
Activity Procedure
Complete these steps:
Step 1
From your controller web interface, in the upper menu, navigate to WLAN.
Step 2
Look at the profile you created during the initial setup. By default, it should use
WPA2/802.1x for authentication.
Step 3
Click your profile, IUWNE-X, where X is your Pod number, to edit it.
Step 4
Make sure that, in the General tab, your WLAN status is set to Enable. Notice that
the SSID is broadcast by default.
Step 5
Step 6
In the Layer 2 Security drop-down list, choose None to allow open authentication.
Step 7
Click Apply in the upper-right corner to validate the changes, read the warning, and
click OK to continue. Your security policies field should now be empty, which
means that you allow open authentication to your WLAN.
Activity Verification
You have successfully completed this task when you attain this result:
Task 5: Create a DHCP Scope
This is a lab environment. In a production environment, you might have an external DHCP
server for all your clients. In such a case, the management Interface DHCP server IP
address and the AP Manager DHCP server IP address would be the network DHCP server
IP address instead of being the IP address of the controller itself. This limited internal DHCP
server is recommended for 10 or fewer APs and their respective clients. DHCP option 43 is
not supported.
Activity Procedure
Complete these steps:
Step 1
From your controller web interface, in the upper menu, navigate to Controller.
Step 2
Step 3
Step 4
In the Scope Name field, enter Scope X-1, where X is your Pod number.
Step 5
Step 6
A new window appears, showing your new scope in the list. It is disabled by default
and does not have any range. Click its name to edit its settings.
Step 7
A new window appears. In the Pool Start Address field, enter the parameters listed
in the table, where X is your pod number.
                Value
                10.X0.1.21
                10.X0.1.25
Network         10.X0.1.0
Netmask         255.255.255.0
Lease time      14400
Default Router  10.X0.1.254
DNS Server      10.100.1.1
                10.100.1.1
Status          Enabled
Step 8
Review your scope to check the values entered, and then click Apply to create the
scope.
Step 9
Your new scope now appears in the list, with a status of Enabled.
Step 10
Save your configuration. In the upper menu, click Save configuration. Click OK to
confirm that you want to save the configuration.
Activity Verification
You have successfully completed this task when you attain this result:
You have successfully created a scope for your clients that are on your controller.
Activity Procedure
Complete these steps:
Step 1
From your controller web interface, in the upper menu, navigate to Monitor. The
Access Point Summary should not show any AP. One AP is allocated to your Pod.
You were told that the AP should automatically join the controller. It clearly does
not. The source of this issue can be in the AP configuration (standalone mode) or, if
the AP is in LWAPP mode, in the dialogue process between the AP and the
controller.
Step 2
Step 3
Step 4
AP events are usually mentioned in the trap logs, but you should not see anything relevant to an
AP failure here. This means that the AP did not fail to associate. Two possibilities remain: the
AP cannot reach the controller, or there is something wrong on the AP. Actually, the AP
allocated to your pod should still be in standalone mode. In the next lab, you will convert the
autonomous AP to LWAPP and manage it with the tools used in this task to find whether the
AP has joined your controller properly.
Note
Because the controller does not have an AP, the WLAN you created will not be available for
any client. The AP is needed for the client to see the WLANs configured on the controller. If
you are unsure about this point, connect to your remote laptop and try to detect the WLAN
created on your controller, IUWNE-X. You should not be able to see it.
Activity Verification
You have successfully completed this task when you attain this result:
You have checked for the presence of your AP in the Management menu and on the CLI,
but could not find it.
Activity Objective
In this activity, you will give your autonomous AP a basic configuration and test it. You will
then migrate this AP to LWAPP. After completing this activity, you will be able to meet these
objectives:
Visual Objective
The figure illustrates what you will accomplish in this activity.
Required Resources
These are the resources and equipment that are required to complete this activity:
A connection to the remote terminal server with serial connection to your controller
Job Aids
These job aids are available to help you complete the lab activity:
Lab map
|  | Pod 1 | Pod 2 | Pod 3 | Pod 4 |
|  | 10.10.1.240 | 10.20.1.240 | 10.30.1.240 | 10.40.1.240 |
|  | student1 | student2 | student3 | student4 |
| Remote laptop password | cisco | cisco | cisco | cisco |
| AP IP address | 10.10.1.50 | 10.20.1.50 | 10.30.1.50 | 10.40.1.50 |
| AP IP mask | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 |
| AP SNMP RW community | private1 | private2 | private3 | private4 |
| Autonomous SSID | IUWNE-11 | IUWNE-21 | IUWNE-31 | IUWNE-41 |
| LWAPP channel | 36 | 40 | 44 | 48 |

|  | Pod 5 | Pod 6 | Pod 7 | Pod 8 |
|  | 10.50.1.240 | 10.60.1.240 | 10.70.1.240 | 10.80.1.240 |
|  | student5 | student6 | student7 | student8 |
| Remote laptop password | cisco | cisco | cisco | cisco |
| AP IP address | 10.50.1.50 | 10.60.1.50 | 10.70.1.50 | 10.80.1.50 |
| AP IP mask | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 |
| AP SNMP RW community | private5 | private6 | private7 | private8 |
| Autonomous SSID | IUWNE-51 | IUWNE-61 | IUWNE-71 | IUWNE-81 |
| LWAPP channel | 52 | 56 | 60 | 64 |
Activity Procedure
Complete these steps:
Step 1
Connect to your Cisco Aironet 1252 AP. From your class PC, choose Start >
Programs > Accessories > Command Prompt.
Step 2
At the command prompt, enter telnet followed by the IP address of the remote
terminal server (10.1.1.252 or other if provided by your instructor).
Step 3
Enter the credentials (username student, password cisco or other if provided by your
instructor) to access the terminal server.
Step 4
After successful login you will be asked to choose the correct pod (Podx), where x
is your pod number.
Step 5
You will see a new menu, allowing you to connect to several devices in your group.
Take some time to familiarize yourself with the different options that are available.
Step 6
Step 7
You should be able to see the AP prompt. You may have to press Enter to activate
the CLI.
Step 8
Enter enable to access privileged mode. The password is Cisco (with Capital C).
Step 9
Enter show ip interface brief to check the IP addresses that are present on the AP.
Step 10
You should see that the IP address is assigned to the BVI interface, which is an
indication that the AP is back to standalone mode. All the usual Cisco IOS
commands, such as configure terminal, are available.
Note
The Bridge Virtual Interface, or BVI, is an IP address common to radio interfaces and the
Ethernet interface. Because it is not assigned to a specific physical interface but is common
to several of them, it is considered virtual, and is a bridge between interfaces.
Step 11
Start by configuring your CLI interface for better ease of use. Enter configure
terminal to enter configuration mode.
Step 12
Step 13
The system returns status messages to the console. These messages can be
disruptive when they appear while you are entering a command. You can ask the
system to redisplay what you were typing whenever a system message is sent to the
console and interrupts you. To configure this behavior, go to the console line by typing
line console 0.
Step 14
Then enter logging synchronous. From then on, when a message is sent to the
console, what you were typing will be displayed again for you to continue typing
exactly from where you were interrupted by the message.
Step 15
Configure your AP with a static IP address. You want to configure the first and
unique BVI interface. Enter interface BVI 1.
Step 16
Step 17
Step 18
Step 19
Verify that your AP is in range of your controller. Try to ping your controller. Enter
ping followed by your controller Management Interface IP address. It should be in
the format ping 10.X0.1.10 where X is your pod number. The ping should be
successful.
Step 20
Activity Verification
You have successfully completed this task when you attain these results:
You have made sure that your AP is in standalone mode, and have its IP address statically
defined.
In a real environment, you would migrate the AP directly, knowing in advance which
parameters would be left.
Activity Procedure
Complete these steps:
Step 1
Make sure that you have a VPN connection to the remote lab.
Step 2
From your class PC, open a browser HTTP session to your AP address, which was
configured during the previous task and should be 10.X0.1.50, where X is your pod
number.
Step 3
Use HTTP, not HTTPS. The username is blank; the password is Cisco (with a
capital C).
Step 4
Step 5
Step 6
In the Hostname field, enter your AP name in the form 1252-X where X is your
group number.
Step 7
Leave the IP address assignment that was assigned during the previous task of
manual configuration. Do not change the values that are already present.
Note
Step 8
In the SNMP Community field, enter privateX, where X is your pod number.
Step 9
Click the Read-Write radio button to make sure that the AP can be managed using
this SNMP community.
Step 10
At the bottom right of the page, click Apply to validate the changes. Read the
warning and click OK to continue.
Step 11
Step 12
Step 13
Step 14
In the VLAN section, click No VLAN because you do not want to tag frames
coming from this simple SSID.
Step 15
Step 16
At the bottom-right corner of the Express Security Set Up window, click Apply to
validate the changes. Read the warning and click OK to continue.
Step 17
You now need to enable your radio to allow this SSID to be sent out. In the left
menu, click Network Interfaces, and then click the Radio1-802.11N5Ghz tab.
Step 18
The radio's status is set to Disabled, which is the default. Click the Settings tab.
Step 19
Step 20
Click Apply at the bottom right of the page to validate the change.
Step 21
Step 22
In the Network Interfaces section of the Home: Summary Status, you should see
your radio Interface status at green, with a green up arrow. In the event log, you
should see that the line protocol on interface Dot11Radio1 was changed to up.
Step 23
Your AP is ready to provide connections. The configuration entered from the web
interface is saved automatically. Close the AP web browser.
Step 24
Use your local class PC to initiate a remote connection to the remote wireless laptop
to verify that it can see the new SSID being broadcast by the standalone
AP. Choose Start > Programs > Accessories > Communications > Remote
Desktop Connection.
Note
In each pod, only one connection at a time is possible to the remote laptop. Choose with
your partner who will be connecting.
Step 25
Use the lab table in the job aids to verify what IP address you should use to connect
to your remote laptop. It should be in the format 10.X0.1.240, where X is your pod
number.
Step 26
In the Remote Desktop Connection window, in the Computer field, enter the IP
address of your remote laptop, and click Connect.
Step 27
A new window appears where you are asked to enter the credentials required to
access your remote laptop. Use the lab table in the job aids to verify which username
and password are used to connect to your group laptop. They should be in the format
studentX/cisco, where X is your pod number.
Step 28
Enter the credentials and click OK. You should see the Windows desktop of your
remote laptop.
Step 29
From your remote lab wireless laptop, click Start > Connect To > Show All
Connections.
Step 30
Locate your wireless connection. It should be called Intel Wireless WiFi Link
4965AGN.
Step 31
Step 32
Step 33
Step 34
You should see the WLAN you just created. Click it, and click Connect.
Step 35
Step 36
After a few seconds, the connection status should change to Waiting for the network
to be ready.
Note
Step 37
Your AP does not provide any IP address. The state Waiting for the network to be ready
indicates that the Layer 2 connection (authentication and association) was successful, and
that the client is waiting for an IP address to be assigned via DHCP. Because there is no
DHCP server, this step fails. This failure is expected. Your goal at this stage is simply to
verify the Layer 2 association, not to get full connectivity to the network.
Step 38
Click Details to check the connectivity limitation. Verify that you obtained an
address in the Automatic Private IP addressing range (APIPA), 169.254.0.0, which
shows that no DHCP server could be found.[2]
Step 39
Your WLAN works properly for the purpose of the connection verification. Close
the Network Connection Details window. Close the Wireless Network
Connection Status window.
Step 40
You do not need to stay connected to this WLAN anymore. Click it and choose
Disconnect.
[2] If you obtain an address in the range 192.168.1.0/24, verify that your card is set to DHCP and ask your instructor to
shut the port to your Cisco 526 controller on the main switch.
Step 41
Step 42
In the Wireless Network Connection window, right-click your Intel card icon and
choose Disable.
Step 43
Close the Wireless Network Connection window. Do not close your remote desktop
connection.
Activity Verification
You have successfully completed this task when you attain these results:
Activity Procedure
Complete these steps:
Step 1
Step 2
Inside the folder, locate a file called c1250-rcvk9w8-tar.124-10b.JA. This file is the
LWAPP-enabled image that is for your AP.
Step 3
Still on your remote laptop desktop, locate the tftpd32 icon. Double-click it to start
the program.
Step 4
Step 5
Step 6
Step 7
You now need to connect to your AP serial port to enter the required commands to
upgrade it to LWAPP. Your serial connection should be still open at this point and
connected to your AP. If it is closed, use steps 1 to 7 of Task 1 to connect to your
AP CLI.
Step 8
Enter enable to get to privileged mode. The password is Cisco (with a capital C).
Step 9
Verify that you can ping your remote laptop. Enter ping followed by your remote
laptop IP address. It should be in the form ping 10.X0.1.240, where X is your pod
number. The ping should be successful.
Step 10
Enter the command to download the new image file containing the LWAPP code.
Enter archive download-sw /force-reload /overwrite tftp://10.X0.1.240/c1250-rcvk9w8-tar.10bJA.tar, where X is your pod number. The /force-reload option
asks for a reboot after the new image download; the /overwrite option asks to replace
the original code with the new one.
Step 11
In the background, your TFTP server starts sending the file to the AP. Monitor the
progression, and verify that the file has been completely sent.
Step 12
Once the AP has upgraded its code, it should reboot and load the new code. You can
recognize the AP by its name, c1250-rcvk9w8.
Step 13
The AP tries to join a controller, and finds yours. It moves to a join state. Upon
joining the controller, the AP needs to download the same code version as the
version on the controller. Watch the download sequence, and see the AP reboot.
Step 14
At the end of the second reboot, the AP then tries to find a controller using the DNS
server, looking for the CISCO-LWAPP-CONTROLLER host. In this lab, the DNS
server does not provide the controller address, so this process fails. The AP then
broadcasts in the subnet, discovers your controller, and goes to the join phase. You
can see that it then moves to CFG (configuration) phase and receives its
configuration from the controller.
Step 15
Press Enter. The AP should prompt you for a user name and password. The
username is Cisco and the password is Cisco. If these credentials are not valid, your
AP might have a remaining configuration from a previous class. In such a case, use
root as the username and Public1! as the password.
Step 16
The AP prompt should appear. Its name is still maintained. Enter enable to go to
privileged exec mode. The password is Cisco. If this password is invalid, your AP
might have a remaining configuration from a previous class. In such a case use
Public1! as the password.
Step 17
Enter the command show ip interface brief to check the AP's IP address.
Step 18
The IP address is now connected to the Gigabit Ethernet interface, and not to the
BVI.
Step 19
Enter show running-config. Browse through the configuration file. You should not
be able to see any information relevant to a WLAN. Apart from the main
configuration, the AP configuration now shows a long certificate, used to encrypt
the exchanges with the controller.
Step 20
Step 21
Try to open a web session to your AP; it should fail. The AP is not reachable
anymore; only some limited commands are supported on the CLI.
Step 22
Step 23
Step 24
Connect to your controller. From your class PC, open an HTTPS session to
10.X0.1.10, where X is your group number.
Step 25
Your controller's initial screen should appear. Click Login. Enter your credentials
and click OK. You should be on your controller monitor page.
Step 26
From this page, you should see that your migrated AP is now present. Its b/g/n radio
is set to 0 because it only has an 802.11a/n radio.
Step 27
From the upper menu, click Wireless. Your AP appears. You can see that it has kept
its name.
Step 28
Click the AP name to check its settings. No other apparent configuration should be
seen.
Step 29
For stability, enter your controller name in the Primary Controller Name field. It
should be in the form 2106-X, where X is your pod number.[3]
Step 30
The AP does not need to have a static IP anymore. In the right side of the screen,
uncheck Static IP.
Note
Your controller has an integrated DHCP server. This server provides IP addresses to
wireless clients and LWAPP APs. As long as your AP was in standalone mode, it could not
receive an IP address from the controller. Now that it is in LWAPP mode, it will receive an IP
address from the controller at each reboot.
[3] The value to enter here is your controller name, as it is seen from Management > SNMP > General. Do not enter an
IP address because the AP will compare the name sent from the controller in the LWAPP discovery answer to this
value, and the names have to be the same string.
Step 31
The AP also has direct credentials. Verify that Over-ride Global credentials is
checked. In the username field, enter root. Use Public1! as the password.
Step 32
Click Apply in the upper-right section of the page to validate the change. Read the
warning, and click OK to continue.
Step 33
Step 34
You should see the WLAN you created on the controller, but not the WLAN you
created on the AP when it was in standalone mode. The AP keeps the parameters
relevant to itself (its identity in the network), but the parameters relevant to the
wireless communication are now sent from the controller.
Step 35
Navigate back to wireless, and click in the left menu Access Points > Radios >
802.11a/n radios. You will change the channel on which the AP is set.
Step 36
You should see your AP transmit power and channel. There should be an asterisk
next to the channel and power level values, indicating that the values can be changed
dynamically.
Step 37
Click the blue arrow at the right end of the line and choose Configure.
Step 38
| Channel | 36 | 40 | 44 | 48 | 52 | 56 | 60 | 64 |
Step 39
In TX Power Level assignment, click Custom, and choose 5 for the Channel power
value.[4]
Step 40
Step 41
The values you chose should now appear, instead of the previous values.
Step 42
Still in the same window, and leaving the values you chose, in RF Channel
Assignment, click Global. In Tx Power Level Assignment, click Global.
[4] Power level 1 is the maximum transmit power allowed in your country. Power level 2 is half this value, 3 is half again
(25%) and so on. Power level 5 is 6.125 percent of the maximum power allowed in your country on this channel.
Depending on the model, there can be up to 8 levels.
2008 Cisco Systems, Inc.
Note
Choosing Global will make the AP transmit with the parameters you defined, but if any new
event in the network condition makes these parameters not optimal anymore, the controller
is allowed to change them automatically. Turning these values back to global will not force
the power to max power, as long as the AP does not report a coverage hole.
Step 43
Step 44
Click Back to return to the list. Your AP should now show the values you chose,
with the asterisk still next to them.
Step 45
Save your configuration. In the upper menu, click Save configuration. Click OK to
confirm when prompted.
Step 46
Step 47
Step 48
Step 49
Step 50
Step 51
Make sure that your card is set to receive an IP address automatically (DHCP).
Step 52
Click OK and close the Properties window and the Control Panel.
Step 53
In the bottom-right corner of your desktop, right-click your wireless connection icon
and choose View Available Wireless Networks.
Step 54
The WLAN created on your controller, IUWNE-X (X = pod number), should appear
in the list. The WLAN created on the AP in standalone mode should not be here.[5]
Step 55
Step 56
Step 57
In the remote laptop, open a command prompt and click Start > All Programs >
Accessories > Command Prompt.
Step 58
Enter ipconfig to check if you received an IP address from your controller. You
should have received an IP address from the scope you created before.
Step 59
Try to ping the controller management IP address (10.X0.1.10). The ping should be
successful.
Step 60
From your remote lab wireless laptop, click Start > Connect To > Show All
Connections.
Step 61
Locate your wireless connection. It should be called Intel Wireless WiFi Link
4965AGN.
Step 62
[5] It may be possible that the WLAN you created on the autonomous AP still appears. If this is the case, try to connect to
it. It will fail. The WLAN still appears because Windows caches some of the SSIDs heard in the past even when they
are not in range anymore. In this lab the AP MAC address is still heard by the Windows client, which may make it
assume that a WLAN heard before associated to this MAC address should still be available.
Step 63
Close the other open windows in your remote wireless laptop and close the remote
desktop connection to that remote wireless laptop.
Step 64
Close the other open windows to such items as terminal server. Remember to use
Control-Shift-6 +X to use the terminal server menu to correctly terminate sessions
and close your sessions.
Activity Verification
You have successfully completed this task when you attain these results:
Activity Objective
In this lab, you will configure your Cisco Mobility Express Wireless Controller and your Cisco
Mobility Express AP. After completing this activity, you will be able to meet these objectives:
Visual Objective
The figure illustrates what you will accomplish in this activity.
Required Resources
These are the resources and equipment that are required to complete this activity:
A connection to the remote terminal server with serial connection to your controller
Command List
The table describes the commands that are used in this activity.
CLI Connection Command
Command
Description
telnet
Job Aids
These job aids are available to help you complete the lab activity:
|  | Pod 1 | Pod 2 | Pod 3 | Pod 4 |
|  | 10.10.1.240 | 10.20.1.240 | 10.30.1.240 | 10.40.1.240 |
|  | student1 | student2 | student3 | student4 |
| Remote laptop password | cisco | cisco | cisco | cisco |
| Controller name | 526-1 | 526-2 | 526-3 | 526-4 |
| Administrative user | admin1 | admin2 | admin3 | admin4 |
| Administrative password | cisco | cisco | cisco | cisco |
| Management interface IP address | 10.10.1.100 | 10.20.1.100 | 10.30.1.100 | 10.40.1.100 |
| Management interface mask | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 |
| Default router | 10.10.1.254 | 10.20.1.254 | 10.30.1.254 | 10.40.1.254 |
| Management vlan id |  |  |  |  |
| Management port |  |  |  |  |
| Management DHCP server | 10.10.1.253 | 10.20.1.253 | 10.30.1.253 | 10.40.1.253 |
| AP manager IP address | 10.10.1.101 | 10.20.1.101 | 10.30.1.101 | 10.40.1.101 |
| AP Manager DHCP server | 10.10.1.253 | 10.20.1.253 | 10.30.1.253 | 10.40.1.253 |
| Virtual gateway IP address | 1.1.1.1 | 1.1.1.1 | 1.1.1.1 | 1.1.1.1 |
|  | Pod1 | Pod2 | Pod3 | Pod4 |
| Enable symmetric tunneling | No | No | No | No |
| Network name | IUWNE-101 | IUWNE-201 | IUWNE-301 | IUWNE-401 |
| Allow static IP addresses | Yes | Yes | Yes | Yes |
| Radius server | No | No | No | No |
| Country code | US | US | US | US |
|  | yes | yes | yes | yes |
| 521 AP name | 521-1 | 521-2 | 521-3 | 521-4 |
| Layer 3 switch username | student1 | student2 | student3 | student4 |
| Layer 3 switch password | cisco | cisco | cisco | cisco |
| DHCP scope | 10.10.1.31 - 10.10.1.35 | 10.20.1.31 - 10.20.1.35 | 10.30.1.31 - 10.30.1.35 | 10.40.1.31 - 10.40.1.35 |
|  | Pod1 | Pod2 | Pod3 | Pod4 |
| DHCP network | 10.10.1.0 | 10.20.1.0 | 10.30.1.0 | 10.40.1.0 |
| DHCP netmask | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 |
| DHCP gateway | 10.10.1.254 | 10.20.1.254 | 10.30.1.254 | 10.40.1.254 |
| DHCP lease | 04 | 04 | 04 | 04 |
|  | 10.100.1.1 | 10.100.1.1 | 10.100.1.1 | 10.100.1.1 |
| DHCP Option 60 | Cisco AP c520 | Cisco AP c520 | Cisco AP c520 | Cisco AP c520 |
| DHCP option 43 | 10.10.1.100 | 10.20.1.100 | 10.30.1.100 | 10.40.1.100 |
| Cisco Configuration Assistant community | IUWNE-1 | IUWNE-2 | IUWNE-3 | IUWNE-4 |
| Cisco Configuration Assistant WLAN | IUWNE-102 | IUWNE-202 | IUWNE-302 | IUWNE-402 |

|  | Pod 5 | Pod 6 | Pod 7 | Pod 8 |
|  | 10.50.1.240 | 10.60.1.240 | 10.70.1.240 | 10.80.1.240 |
|  | student5 | student6 | student7 | student8 |
| Remote laptop password | cisco | cisco | cisco | cisco |
| Controller name | 526-5 | 526-6 | 526-7 | 526-8 |
| Administrative user | admin5 | admin6 | admin7 | admin8 |
| Administrative password | cisco | cisco | cisco | cisco |
| Management interface IP address | 10.50.1.100 | 10.60.1.100 | 10.70.1.100 | 10.80.1.100 |
| Management interface mask | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 |
| Default router | 10.50.1.254 | 10.60.1.254 | 10.70.1.254 | 10.80.1.254 |
| Management vlan id |  |  |  |  |
| Management port |  |  |  |  |
| Management DHCP server | 10.50.1.253 | 10.60.1.253 | 10.70.1.253 | 10.80.1.253 |
| AP manager IP address | 10.50.1.101 | 10.60.1.101 | 10.70.1.101 | 10.80.1.101 |
| AP Manager DHCP server | 10.50.1.253 | 10.60.1.253 | 10.70.1.253 | 10.80.1.253 |
| Virtual gateway IP address | 1.1.1.1 | 1.1.1.1 | 1.1.1.1 | 1.1.1.1 |
|  | Pod5 | Pod6 | Pod7 | Pod8 |
| Enable symmetric tunneling | No | No | No | No |
| Network name | IUWNE-501 | IUWNE-601 | IUWNE-701 | IUWNE-801 |
| Allow static IP addresses | Yes | Yes | Yes | Yes |
| Radius server | No | No | No | No |
| Country code | US | US | US | US |
|  | yes | yes | yes | yes |
| 521 AP name | 521-5 | 521-6 | 521-7 | 521-8 |
| Layer 3 switch username | student5 | student6 | student7 | student8 |
| Layer 3 switch password | cisco | cisco | cisco | cisco |
| DHCP scope | 10.50.1.31 - 10.50.1.35 | 10.60.1.31 - 10.60.1.35 | 10.70.1.31 - 10.70.1.35 | 10.80.1.31 - 10.80.1.35 |
|  | Pod5 | Pod6 | Pod7 | Pod8 |
| DHCP network | 10.50.1.0 | 10.60.1.0 | 10.70.1.0 | 10.80.1.0 |
| DHCP netmask | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 |
| DHCP gateway | 10.50.1.254 | 10.60.1.254 | 10.70.1.254 | 10.80.1.254 |
| DHCP lease | 04 | 04 | 04 | 04 |
|  | 10.100.1.1 | 10.100.1.1 | 10.100.1.1 | 10.100.1.1 |
| DHCP Option 60 | Cisco AP c520 | Cisco AP c520 | Cisco AP c520 | Cisco AP c520 |
| DHCP option 43 | 10.10.1.100 | 10.20.1.100 | 10.30.1.100 | 10.40.1.100 |
| Cisco Configuration Assistant community | IUWNE-5 | IUWNE-6 | IUWNE-7 | IUWNE-8 |
| Cisco Configuration Assistant WLAN | IUWNE-502 | IUWNE-602 | IUWNE-702 | IUWNE-802 |
In a real environment, you would be more likely to use the Mobility Express web interface for
this initial setting, or the Cisco Configuration Assistant.
Activity Procedure
Complete these steps:
Step 1
Make sure that you have a VPN connection to the remote lab.
Step 2
From your class PC, choose Start > Programs > Accessories > Command
Prompt.
Step 3
At the command prompt, enter telnet followed by the IP address of the remote
terminal server (10.1.1.252 or other if provided by your instructor).
Step 4
Enter the credentials (username student, password cisco or other if provided by your
instructor) to access the terminal server.
Step 5
After successful login you will be asked to choose the correct pod (Podx), where x
is your pod number.
Step 6
You will see a new menu, allowing you to connect to several devices in your group.
Take some time to familiarize yourself with the different options provided.
Step 7
You now need to connect to the Cisco 526 controller, which is WLC526, Item 1.
Notice that once connected to your controller, you can go back to the device menu at
any time by using the usual escape sequence CTRL + SHIFT + 6 then X. Choosing
1 from the device menu should bring you to the controller serial interface which,
since the controller is not configured yet, should be the initial CLI setup wizard.
Note
VERY IMPORTANT: Verify that the first question you see is System Name. When enabling
the HyperTerminal session to your controller, you may have pressed Enter to test the
connection, and the setting you had at that time may have become the default answer to the
first questions. If that has become the default, and if the first question you see is not System
Name, enter - (minus sign) and press Enter; this action will take you back one question.
Repeat the procedure as many times as needed to get back to the System Name question.
Choose the parameters for your pod (x is the number of your pod). Username is
adminX, where X is your pod number, and the password is cisco. Additional
parameters are given below and summarized in the Lab Map - IP Addressing,
Naming Conventions, and Information table.
System Name [Cisco_34:26:a3]: 526-1
Enter Administrative User Name (24 characters max): admin1
Enter Administrative Password (24 characters max): *******
Re-enter Administrative Password
: *******
Management Interface IP Address: 10.10.1.100
Management Interface Netmask: 255.255.255.0
Management Interface Default Router: 10.10.1.254
Management Interface VLAN Identifier (0 = untagged): 0
Management Interface Port Num [1 to 2]: 1
Note
The port number is important because it must match the connection leading from the
wireless LAN controller to the network infrastructure.
You will configure later on a DHCP scope on the switch to which this controller connects.
The Cisco 526 controller does not have an internal DHCP server.
Note
Virtual Gateway provides Layer 3 features such as DHCP relay to wireless clients. This
value must match among mobility groups.
Mobility/RF Group allows multiple wireless controllers to be clustered into one logical
controller group to allow dynamic RF adjustments and roaming for wireless clients.
By default one WLAN SSID is configured on the WLC already, and it is using server-based
authentication. If you skip RADIUS configuration during the startup wizard, the result is a
preconfigured SSID using 802.1x EAP requiring a RADIUS server; however, there is no
server defined. This is to prevent open authentication security vulnerabilities.
On your controller, you enable all radios, 802.11b and 802.11g. Notice that the wizard does
not prompt you for 802.11a. The Cisco Mobility Express solution APs are 802.11b and g
only, so there is no need for an 802.11a network.
You do not configure the time on this controller. In a real deployment, you would configure
the time during the initial configuration of a controller. In this remote lab scenario, the time
has already been configured and is consistent with the time of the other devices in the lab.
Read the warning. Take some time to review your configuration to make sure it
matches the lab map. Then answer yes to the Configuration Correct question.
The controller will save the configuration and reboot directly.
Step 8
Wait for the controller to reboot completely, until you are prompted for a username.
Enter your administrative username, and then press Enter.
Step 9
Enter your password, and then press Enter. Verify that you get the prompt
(Cisco Controller)>.
Step 10
Verify your configuration, by entering show sysinfo. The display should be similar
to the one displayed here, with the values relevant to your pod.
Activity Verification
You have successfully completed this task when you attain these results:
Your initial setup is complete and you see the (Cisco Controller)> prompt.
You could verify your configuration using the show sysinfo command.
Activity Procedure
Complete these steps:
Step 1
Step 2
From your class PC, connect to the class switch using Telnet. Click Start > All
Programs > Accessories > Command Prompt.
Step 3
At the command prompt, enter telnet followed by the IP address of the remote
switch which should be 10.X0.1.253 where X is your pod number or other if
provided by your instructor.
Step 4
Enter your credentials. The username should be in the form studentX, where X is
your pod number. The password should be cisco.
Step 5
Step 6
To configure a DHCP scope from the command line, you need to create the scope. It
is created by allocating a whole subnet to a DHCP scope. You also need to exclude
some addresses from the range, so that you will only allocate a few addresses and
not the whole range itself. Use the following table:
|  | Pod 1 | Pod 2 | Pod 3 | Pod 4 |
| DHCP excluded addresses | 10.10.1.1 10.10.1.30 | 10.20.1.1 10.20.1.30 | 10.30.1.1 10.30.1.30 | 10.40.1.1 10.40.1.30 |
| DHCP excluded addresses | 10.10.1.36 10.10.1.255 | 10.20.1.36 10.20.1.255 | 10.30.1.36 10.30.1.255 | 10.40.1.36 10.40.1.255 |
| DHCP scope | 10.10.1.31 - 10.10.1.35 | 10.20.1.31 - 10.20.1.35 | 10.30.1.31 - 10.30.1.35 | 10.40.1.31 - 10.40.1.35 |
|  | Pod1 | Pod2 | Pod3 | Pod4 |
| DHCP network | 10.10.1.0 | 10.20.1.0 | 10.30.1.0 | 10.40.1.0 |
| DHCP netmask | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 |
| DHCP gateway | 10.10.1.254 | 10.20.1.254 | 10.30.1.254 | 10.40.1.254 |
| DHCP lease | 04 | 04 | 04 | 04 |
|  | 10.100.1.1 | 10.100.1.1 | 10.100.1.1 | 10.100.1.1 |
| DHCP Option 60 | Cisco AP c520 | Cisco AP c520 | Cisco AP c520 | Cisco AP c520 |
| DHCP option 43 | 10.10.1.100 | 10.20.1.100 | 10.30.1.100 | 10.40.1.100 |

|  | Pod 5 | Pod 6 | Pod 7 | Pod 8 |
| DHCP excluded addresses | 10.50.1.1 10.50.1.30 | 10.60.1.1 10.60.1.30 | 10.70.1.1 10.70.1.30 | 10.80.1.1 10.80.1.30 |
| DHCP excluded addresses | 10.50.1.36 10.50.1.255 | 10.60.1.36 10.60.1.255 | 10.70.1.36 10.70.1.255 | 10.80.1.36 10.80.1.255 |
| DHCP scope | 10.50.1.31 - 10.50.1.35 | 10.60.1.31 - 10.60.1.35 | 10.70.1.31 - 10.70.1.35 | 10.80.1.31 - 10.80.1.35 |
|  | Pod5 | Pod6 | Pod7 | Pod8 |
| DHCP network | 10.50.1.0 | 10.60.1.0 | 10.70.1.0 | 10.80.1.0 |
| DHCP netmask | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 |
| DHCP gateway | 10.50.1.254 | 10.60.1.254 | 10.70.1.254 | 10.80.1.254 |
| DHCP lease | 04 | 04 | 04 | 04 |
|  | 10.100.1.1 | 10.100.1.1 | 10.100.1.1 | 10.100.1.1 |
| DHCP Option 60 | Cisco AP c520 | Cisco AP c520 | Cisco AP c520 | Cisco AP c520 |
| DHCP option 43 | 10.10.1.100 | 10.20.1.100 | 10.30.1.100 | 10.40.1.100 |

Your privilege level on the switch means that you do not need to type enable first.
Step 7
In this scope, you want to allocate addresses from 10.X0.1.31 to 10.X0.1.35 (where
X is your pod number). Therefore, you need to exclude 10.X0.1.1 to 10.X0.1.30,
and then 10.X0.1.36 to 10.X0.1.255. Enter ip dhcp excluded-address followed by
the first range. It should be in the form ip dhcp excluded-address 10.X0.1.1
10.X0.1.30 (notice the space between the two IP addresses of 10.X0.1.1 and
10.X0.1.30).
Step 8
Exclude the second part. Enter ip dhcp excluded-address followed by the second
range. It should be in the form ip dhcp excluded-address 10.X0.1.36 10.X0.1.255.
The addresses between these two ranges are not excluded and are therefore allocated
once you create the scope.
Step 9
To create the scope, enter ip dhcp pool PodX (your scope name), where X is your
pod number.
Step 10
Enter a subcommand prompt where you will configure the scope details. The first
element is, of course, the subnet. Enter network followed by your subnet number
and mask. It should be in the form network 10.X0.1.0 255.255.255.0, where X is
your pod number.
Step 11
The next information is the gateway you want your clients to use. Enter
default-router followed by the gateway IP address. It should be in the form
default-router 10.X0.1.254, where X is your pod number.
Step 12
The next information is the lease duration. On the Cisco 2106 controller, you used 4
hours. Use the same duration here. Enter lease followed by its duration in days and
hours. It should be in the form: lease 0 4 (0 days, 4 hours).
Step 13
The next information is the DNS server address. Enter dns-server followed by the
server address. It should be in the form dns-server 10.100.1.1.
Step 14
A final, interesting, option to configure in this DHCP scope is Option 43. Your AP
has a static IP address and uses broadcast in its subnet to discover the controller. A
DHCP server can be used to provide APs with an IP address and a Controller
Management Interface IP address. To achieve this, the DHCP server must first
recognize that the DHCP discover message comes from an AP. This is done via an
identification mechanism: the AP identifies itself sending a specific string. The
Cisco 521 AP sends Cisco AP c520, and the Cisco 1252 AP sends Cisco AP c1250.
The first element is to recognize these strings. Enter option 60 ascii "Cisco AP
c520" (inclusive of the quotes).
Step 15
The second element is to send back the controller IP address, upon receipt of the
option 60 string. This is Option 43 itself. Enter option 43 ascii followed by your
controller management IP address. It should be in the form option 43 ascii
"10.X0.1.100", where X is your group number (inclusive of the quotes).
Step 16
This last option, specific to APs, will not actually be used by your AP because the
AP has a static IP address and will not query the DHCP server. This option might
still be useful if another AP was connected to your LAN. Your DHCP scope is ready
to provide IP addresses. Enter end to exit the configuration mode.
Step 17
Verify your scope. Enter show running-config and you should see the configuration
file and your DHCP scope near the top, along with the other pods' DHCP scopes. Verify
each element carefully.
Step 18
Activity Verification
You have successfully completed this task when you attain this result:
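The switch-side configuration built in Steps 7 through 15 can be generated for any pod and checked before it is typed in. The Python below is an added example, not part of the lab guide: the function names pod_dhcp_commands and audit_scope are chosen here, and the checker reads only the command forms used in this task. It reports which addresses the pool can still lease and whether the gateway, DNS server or controller address was left inside that set, which is what happens if the second exclusion from Step 8 is forgotten.

```python
import ipaddress


def pod_dhcp_commands(pod):
    """IOS lines from Steps 7 to 15 for one pod (X in 10.X0.1.0/24)."""
    if pod not in range(1, 9):
        raise ValueError("the lab defines pods 1 through 8")
    net = f"10.{pod}0.1"
    return [
        f"ip dhcp excluded-address {net}.1 {net}.30",
        f"ip dhcp excluded-address {net}.36 {net}.255",
        f"ip dhcp pool Pod{pod}",
        f" network {net}.0 255.255.255.0",
        f" default-router {net}.254",
        " lease 0 4",
        " dns-server 10.100.1.1",
        ' option 60 ascii "Cisco AP c520"',
        f' option 43 ascii "{net}.100"',
    ]


def audit_scope(commands):
    """Return (leasable, conflicts) for the single pool in `commands`.

    leasable:  host addresses the server can still hand out
    conflicts: gateway, DNS or controller addresses left inside that set
    """
    excluded, static, network = [], [], None
    for line in commands:
        words = line.split()
        if not words:
            continue
        if words[:3] == ["ip", "dhcp", "excluded-address"]:
            low = ipaddress.ip_address(words[3])
            # IOS also accepts a single address with no upper bound.
            high = ipaddress.ip_address(words[4]) if len(words) > 4 else low
            excluded.append((low, high))
        elif words[0] == "network":
            network = ipaddress.ip_network(f"{words[1]}/{words[2]}")
        elif words[0] in ("default-router", "dns-server"):
            static.append(ipaddress.ip_address(words[1]))
        elif words[:3] == ["option", "43", "ascii"]:
            static.append(ipaddress.ip_address(words[3].strip('"')))
    if network is None:
        raise ValueError("no network statement in the pool")
    # hosts() skips the network and broadcast addresses of the subnet.
    leasable = [host for host in network.hosts()
                if not any(low <= host <= high for low, high in excluded)]
    conflicts = sorted(addr for addr in static if addr in leasable)
    return leasable, conflicts


if __name__ == "__main__":
    commands = pod_dhcp_commands(1)
    print("\n".join(commands))
    leasable, conflicts = audit_scope(commands)
    print("leasable:", ", ".join(str(a) for a in leasable))
    print("conflicts:", [str(a) for a in conflicts])

    # Same pool with the Step 8 exclusion left out.
    incomplete = [c for c in commands if ".36 " not in c]
    leasable, conflicts = audit_scope(incomplete)
    print("without second exclusion:", len(leasable), "leasable,",
          "conflicts:", [str(a) for a in conflicts])
```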
Activity Procedure
Complete these steps:
Step 1
Connect to your Cisco Mobility Express 526 Controller. From your class PC, open
an HTTPS session to your controller's management interface. It should be in the
form https://10.X0.1.100, where X is your group number.
Step 2
Step 3
Enter your administrative user and password credentials (username = adminX and
password = cisco where X = Pod number).
Step 4
You should see the controller main monitor window. Your AP, already in LWAPP
mode, should be there. If it is not, check with your instructor.
Step 5
In the upper menu, navigate to Wireless. You should see your AP listed.
Step 6
Step 7
A new window appears. Change the AP name. The new name should be in the form
521-X, where X is your group number. Refer to the lab table in the job aids.
Step 8
Step 9
Step 10
Enter your controller name as the primary controller. It should be in the form 526-X,
where X is your group number.
Step 11
At the bottom of the screen, check that your AP has one single 802.11b/g radio, and
that it is set to Enable.
Step 12
Click the Advanced tab. Check that the Cisco Discovery Protocol check box is
checked. Your AP can be discovered using Cisco Discovery Protocol.
Step 13
Click Apply to validate the changes. Read the warning and click OK to continue.
Step 14
Step 15
The WLAN you created during the initial setup should be listed. You could modify
it here, but do not change it now. You will use the Cisco Configuration Assistant in
the next task.
Step 16
Activity Verification
You have successfully completed this task when you attain these results:
You could change its name and location, and check its IP address.
Activity Procedure
Complete these steps:
Step 1
Connect to your remote wireless laptop: from your class PC, choose Start >
Programs > Accessories > Communications > Remote Desktop Connection.
Note
In each pod, only one connection at a time is possible to the remote laptop. Choose with
your partner who will be connecting.
Step 2
Use the lab table in the job aid to know what IP address you should use to connect to
your remote wireless laptop. It should be in the format 10.X0.1.240, where X is your
pod number.
Step 3
In the Remote Desktop Connection window, in the Computer field, enter the IP
address of your remote laptop, and click Connect.
Step 4
You will be presented with a new window where you are asked to enter the
credentials required to access your remote wireless laptop. Use the lab table in the
job aid to know which username and password are used to connect to your group
laptop. They should be in the format studentX/cisco, where X is your pod number.
Step 5
Enter the credentials and click OK. You should see the Windows desktop of your
remote laptop.
Step 6
Step 7
Step 8
The initial window should ask if you want to connect to a community or create a
new one. There should not be any community listed, so choose to create one and
click OK to proceed. If there is already a community, ask your instructor to remove
it.
Step 9
A new window appears. In the Name field, enter IUWNE-X, where X is your pod
number. This will become the community name. A community is a common group
name for the devices that you administrate. It can be arbitrarily defined on the Cisco
Configuration Assistant, and does not need to be preconfigured on the devices.
Step 10
Step 11
Click Advanced. This setting shows how the Cisco Configuration Assistant will
connect to the devices you manage. Cisco Configuration Assistant uses
HTTP/HTTPS, which immediately shows that it will not be able to connect to your
AP because it is managed via the controller and does not offer any direct web
interface. Click OK to continue.
Step 12
Step 13
Step 14
After a few seconds, a popup window should appear, warning you about a self-signed
certificate. It is the certificate generated at boot time by your Cisco 526 controller.
Click Yes to accept it.
Step 15
A new window appears, asking for the credentials to connect to the Cisco 526
controller. Enter the credentials. Username should be adminX, where X is your pod
number, and password cisco. Click OK to continue.
If your controller was connected to an SMB switch of CE520 series, it would support the Cisco Configuration
Assistant communities, and you could use it to discover the whole network. On an enterprise type of switch,
communities are not supported. You can still discover devices, if they are directly manageable (like a controller) and if
you provide their IP address directly, as is done here.
Step 16
Your controller should then appear in the device list. It is now discovered and can be
managed through the Cisco Configuration Assistant as well.
Step 17
In the Discover devices section, enter the IP address of your Cisco 521 AP. You
documented the IP address in the previous task. Keep the Discover field set to a
single device by IP address.
Step 18
Click Start.
Step 19
After a few seconds, a new box showing Unable to connect should appear.
Step 20
It is expected that the box will appear. The AP cannot be contacted directly using
HTTP or HTTPS. Was the AP discovered?
Step 21
Step 22
Step 23
Step 24
Your AP is not shown on the topology. Is that because it is not seen by the Cisco
Configuration Assistant [8] but still managed when Cisco Configuration Assistant
connects to the controller, or is it because it was not added at all and is ignored? To
check, click Monitor in the left menu.
Step 25
In the submenu, unfold the reports menu, and click Reports > Inventory. It will
show you the devices known in your community.
[8] Another reason is that the main switch is not a CE520, and is therefore not community-aware.
Step 26
You see that the Cisco 521 was indeed brought along with the controller, and is
known to the Cisco Configuration Assistant. The tool cannot display Cisco 521 on
the graphical map. This is because the main switch is not community-aware, so the
tool does not know where the AP is connected. However, it still knows that it is
managed by the Cisco 526 controller. There is just a graphical presentation
disconnect, but the AP is here.
Step 27
Close the Inventory window. The topology reappears. Right-click the controller and
choose Annotation. The annotation field allows the administrator to write a short
memo.
Step 28
Enter a short text such as Plus 521-X AP, where X is your pod number.
Step 29
Click OK.
Step 30
Step 31
There are many ways of working with the Cisco Configuration Assistant. Now
change the Cisco 526 controller previously configured to add an open authentication
SSID [9]. You could click the left menu on Configure > Wireless > WLAN, but the
simplest way is, once again, to right-click your controller, and choose WLAN
(SSID).
[9] In a real network, you would probably not set all the WLANs you create to Open, no encryption. In Module 4 you will
learn how to configure the infrastructure for security. Until then, you are temporarily creating simple WLANs.
Step 32
A new window appears, showing the WLAN you created on the Cisco 526
controller during the first setup.
Step 33
You will create a new WLAN. You do not need this one anymore. Click it, and click
Delete at the bottom. The WLAN list should be empty.
Step 34
Step 35
A new window appears, warning you that no RADIUS server was created. The default
settings of a WLAN on Cisco controllers are WPA/WPA2 with central server-based
authentication, which is done through a RADIUS server. A WLAN with these settings
cannot work because no RADIUS information is provided. You will create a new WLAN
with open authentication, so a RADIUS server is still not needed at this stage. Click
No to continue.
Step 36
A new window appears. In the SSID field, enter IUWNE-X02, where X is your pod
number.
Step 37
No VLAN is configured yet, so leave the field at its default value of 1. Leave
QoS set to Data, and security set to No Security.
Step 38
Step 39
Step 40
Click OK to validate the WLAN creation. If OK or Apply at the bottom are not
clicked, all the operations remain local to the Cisco Configuration Assistant
software. As soon as you click OK or Apply, they are written to the Cisco 526
controller.
Step 41
The system prompts you for your 526 controller username and password. Enter your
administrative user credentials. They should be in the form adminX for the
username and cisco for the password, where X is your pod number.
Step 42
In the upper-left part of the window, click Application > Exit. Click Yes to
confirm.
Step 43
Step 44
Reopen the web browser session to your Cisco 526 controller, and click WLAN
(even if you are already in WLAN, to refresh).
Step 45
You should see the new WLAN created, its status should be set to enabled, and
security policies should be empty, which implies open authentication and no
encryption.
Step 46
Go back to your remote desktop connection. From your remote lab wireless laptop,
choose Start > Connect To > Show All Connections.
Step 47
Locate your wireless connection. It should be called Intel Wireless WiFi Link
4965AGN.
Step 48
Step 49
Right-click your wireless connection again and choose View Available Wireless
Networks.
Step 50
The WLAN you created should appear in the list. If it does not appear, click Refresh
network list.
Step 51
Step 52
Read the warning about an unsecured network, and click Connect Anyway.
Step 53
Step 54
Verify the connection. Choose Start > All Programs > Accessories > Command
Prompt.
Step 55
Enter ipconfig. You should see that your wireless card has an address in the range
you created on the class switch, which now also acts as a DHCP server.
Step 56
Try to ping your 526 controller. Enter ping followed by the Management IP address
of your controller. It should be in the form ping 10.X0.1.100 where X is your pod
number. The ping should be successful.
Step 57
From your remote lab wireless laptop, choose Start > Connect To > Show All
Connections. Locate your wireless connection. It should be called Intel Wireless
WiFi Link 4965AGN.
Step 58
Activity Verification
You have successfully completed this task when you attain these results:
You could create a new WLAN from the Cisco Configuration Assistant.
Activity Objective
In this activity, you will install and configure the Cisco Aironet Desktop Utility. After
completing this activity, you will be able to meet these objectives:
Configure the Cisco ADU and implement the Cisco Site Survey Utility
Visual Objective
The figure illustrates what you will accomplish in this activity.
Required Resources
These are the resources and equipment that are required to complete this activity:
A connection to the remote terminal server with serial connection to your controller
In the remote lab, a remote laptop with the Cisco card inserted and the Cisco ADU software
installed on the desktop
Job Aids
These job aids are available to help you complete the lab activity:
Lab table

| | Pod 1 | Pod 2 | Pod 3 | Pod 4 |
|---|---|---|---|---|
| WLAN | IUWNE-102 | IUWNE-202 | IUWNE-302 | IUWNE-402 |
| Profile name | Mobility Express | Mobility Express | Mobility Express | Mobility Express |
| Static IP | 10.10.1.26 | 10.20.1.26 | 10.30.1.26 | 10.40.1.26 |
| Static netmask | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 |
| Gateway | 10.10.1.254 | 10.20.1.254 | 10.30.1.254 | 10.1.40.254 |
| DNS server | 10.100.1.1 | 10.100.1.1 | 10.100.1.1 | 10.100.1.1 |

| | Pod 5 | Pod 6 | Pod 7 | Pod 8 |
|---|---|---|---|---|
| WLAN | IUWNE-502 | IUWNE-602 | IUWNE-702 | IUWNE-802 |
| Profile name | Mobility Express | Mobility Express | Mobility Express | Mobility Express |
| Static IP | 10.50.1.26 | 10.60.1.26 | 10.70.1.26 | 10.80.1.26 |
| Static netmask | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 |
| Gateway | 10.50.1.254 | 10.60.1.254 | 10.70.1.254 | 10.1.80.254 |
| DNS server | 10.100.1.1 | 10.100.1.1 | 10.100.1.1 | 10.100.1.1 |
Activity Procedure
Complete these steps:
Step 1
Check that you are connected, through the VPN tunnel, to the remote lab network.
Step 2
Connect to your remote wireless laptop; from your class PC choose Start >
Programs > Accessories > Communications > Remote Desktop Connection.
Note
In each pod, only one connection to the remote laptop is possible at a time. Choose with
your partner who will be connecting.
Step 3
Use the lab table located in the job aid to know what IP address you should use to
connect to your remote laptop. It should be in the format 10.X0.1.240, where X is
your pod number.
Step 4
In the Remote Desktop Connection pop-up window, in the computer field, enter the
IP address of your remote laptop, and click connect.
Step 5
You will be presented with a new window where you are asked to enter the
credentials required to access your remote laptop. Use the lab map to know which
username and password are used to connect to your group laptop. They should be in
the format studentX/cisco, where X is your pod number.
Step 6
Enter the credentials and click OK. You should see the Windows desktop of your
remote laptop.
Step 7
Step 8
Step 9
Step 10
Click Next.
Step 11
Check the check box Install the Cisco Aironet Site Survey Utility.
Step 12
Click Next.
Step 13
Keep the default values in the next two windows (directory location for installation
and program folder name) and click Next to proceed. Read the information page
about the card management, and click Next to proceed.
Step 14
Choose Next to acknowledge the notice of client utility choice that you are about to
be presented with in the following window. Choose to configure the Cisco card using the
Cisco Aironet Desktop Utility. During the labs for this course, you will use the
Windows client for the internal Intel 4965 card and the Cisco ADU for the Cisco
card bus.
Step 15
Click Next.
Step 16
Read the warning informing you that the laptop will be rebooted at the end of the
install, and click Yes to continue.
Step 17
Read the information about the WLAN adapter. Because it is already inserted, click
OK to continue.
Step 18
Step 19
Read the final installation status and the reminder about laptop reboot and click OK
to continue. You will lose connection to your remote laptop.
Step 20
Wait about a minute and connect back to your remote wireless laptop.
Step 21
You should now see the green ASTU icon in the right part of the taskbar. You now
have two WLAN adapters available.
Activity Verification
You have successfully completed this task when you attain these results:
You could reconnect to your remote laptop after the Cisco ADU installation.
Task 2: Use the Cisco ADU and the Cisco Site Survey Utility
In this task, you will learn to use the Cisco ADU to create a profile, and the Cisco Site Survey
Utility to understand the wireless environment.
Activity Procedure
Complete these steps:
Step 1
Choose Start > All programs > Cisco Aironet > Aironet Site Survey Utility.
Step 2
A new window appears where you see the received signal on a given channel.
Step 3
Click AP scan list. The list of all APs detected appears. In a busy environment, there
may be quite a few APs. Wait a few seconds for the list to be created, and then click
Pause List Update.
Step 4
Browse down to find the Network Name created on the Cisco 526 controller. It
should be in the form IUWNE-X02, where X is your pod number. Adjust your
display window as needed.
Step 5
Step 6
Step 7
Step 8
Minimize the Cisco Aironet Site Survey Utility window, but do not close it.
Step 9
In the task bar, right-click ASTU [10], and choose Open Aironet Desktop Utility.
Step 10
The current status may show that you are already connected to a profile. Click the
Profile Management tab.
Step 11
Step 12
Step 13
Step 14
In the SSID1 field, enter the name of the SSID on your Cisco 526 controller. It
should be in the form IUWNE-X02, where X is your pod number.
Step 15
[10] The ASTU, Aironet System Tray Utility, is the green icon installed with the Cisco ADU in the bottom-right portion
of your desktop.
Step 16
Check that Security is set to None because this WLAN uses open authentication.
Step 17
Step 18
Because the WLAN is on the b/g network, uncheck 5 GHz 54 Mbps. Leave the
other parameters as they are. You could enter the AP MAC address in Preferred AP,
but do not do it yet. Click OK to create the profile. Do not activate it yet.
Step 19
Step 20
Step 21
Step 22
Step 23
Choose at the top: Action > Disable the radio. You need to have the radio off so
you can turn it on when you are ready to sniff the communication. Notice that both
Adaptor information and Advanced statistics become grayed.
Step 24
Try to connect with a static IP address. This will verify the prior lab where you
configured YES for Allow static IP address during initial setup on your controller.
Step 25
Right-click your wireless connections in the taskbar, and choose Open Network
Connections.
Step 26
In your network adapters list, try to identify the Cisco WLAN card. It should be
labeled Cisco Aironet 802.11a/b/g Wireless Adapter. Right-click the name and
choose Properties.
Step 27
Step 28
Step 29
| | Pod 1 | Pod 2 | Pod 3 | Pod 4 |
|---|---|---|---|---|
| Static IP | 10.10.1.26 | 10.20.1.26 | 10.30.1.26 | 10.40.1.26 |
| Static netmask | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 |
| Gateway | 10.10.1.254 | 10.20.1.254 | 10.30.1.254 | 10.40.1.254 |
| DNS server | 10.100.1.1 | 10.100.1.1 | 10.100.1.1 | 10.100.1.1 |

| | Pod 5 | Pod 6 | Pod 7 | Pod 8 |
|---|---|---|---|---|
| Static IP | 10.50.1.26 | 10.60.1.26 | 10.70.1.26 | 10.80.1.26 |
| Static netmask | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 |
| Gateway | 10.50.1.254 | 10.60.1.254 | 10.70.1.254 | 10.80.1.254 |
| DNS server | 10.100.1.1 | 10.100.1.1 | 10.100.1.1 | 10.100.1.1 |
Step 30
Step 31
Step 32
Close the network connection window. Your card is ready for the association. This
window may take a few seconds because Windows is activating the change in address
information.
Step 33
You will sniff the card connection to the network. Start Wireshark. Click Start > All
Programs > Wireshark > Wireshark.
Step 34
You will first filter only frames going to or coming from your Cisco WLAN adapter.
In the upper menu, click Capture > Interfaces.
Step 35
Click Options at the right side of the Airpcap USB wireless capture adapter line.
Step 36
In the Capture Filter field, enter ether host followed by the MAC address of your
Cisco WLAN adapter. You documented it at Step 21. It should be in the form ether
host ab:cd:ef:gh:ij:kl, where ab:cd:ef:gh:ij:kl is your Cisco card MAC address.
Step 37
Step 38
A new window opens. In Channel, choose the channel on which your Cisco 521 AP
operates. You documented it at Step 6 of this task. Click OK to validate.
Step 39
Step 40
The number of packets accepted by your filter should stay at 0 or very low.
Step 41
Step 42
Step 43
Click the Profile management tab and double-click the Mobility Express profile
to activate it, or you may be connected to another SSID.
Step 44
Step 45
As soon as you see the status set to Associated, click the Stop Capture icon in the
Wireshark window.
Step 46
In the upper part of the Wireshark window, find the probe request. Write the name
of the SSID you see in it. Is your card looking for a null SSID? A broadcast SSID?
A named SSID?
____________________________________________________________________
Step 47
Step 48
Step 49
Step 50
Step 51
Can you see the Cisco proprietary information (Cisco Compatible Extensions) in the
exchange? Yes / No
Step 52
Step 53
Step 54
Click Associated AP status. It should now show your connection to the IUWNE-X02
SSID along with your pod's respective 2.4-GHz channel.
Step 55
Step 56
At the bottom left of the window, check the Display in percent check box. Did you
have the same perception of the link quality level?
Step 57
Step 58
Reopen the web session window from your local classroom PC to your Cisco 526
controller (https://10.X0.1.100).
Step 59
Step 60
In the lower part of the screen, locate the Client Summary section. Current clients
should show at least one client [11]. Click Detail at the right end of the Current Clients
line.
Step 61
At least one client should be associated: your remote laptop. Some neighboring
laptops may also be seen. Check with the MAC address documented at Step 21 that
one of the clients is your Cisco card.
[11] You may see more than one client because each card sending a probe request will be flagged as a client in your
network, even if it does not actively try to associate afterwards.
Step 62
Check to verify that the client is authenticated and associated. Check to verify that it
is using the WLAN-Profile [12].
Step 63
Step 64
Can you see which interface it is using? Can you see which AP it is connecting
through? Which authentication parameters of the WLAN are used?
Step 65
Step 66
Close the web session. You now have a validation of your Layer 2 connection. You
want to check the Layer 3 connectivity via a ping. From your remote wireless
laptop, open a command prompt and choose Start > All Programs > Accessories >
Command Prompt.
Step 67
Enter ipconfig. You should see that your wireless card has the static address you
defined.
Step 68
Try to ping your Cisco 526 controller. Enter ping followed by the Management IP
address of your controller. It should be in the form: ping 10.X0.1.100 where X is
your pod number. The ping should be successful.
[12] The WLAN Profile shown is the one seen from the controller perspective, IUWNE-X02, not the profile from the
client perspective, Cisco Mobility Express.
Step 69
At this point, the verification is complete. You need to return your WLAN card to its
default mode before shutting it down to be ready for the next lab. Right-click your
wireless connections in the taskbar, and choose Open Network Connections.
Step 70
In your network adapters list, try to identify the Cisco WLAN card. It should be
labeled Cisco Aironet 802.11a/b/g Wireless Adapter. Right-click it and choose
Properties.
Step 71
Step 72
Step 73
Step 74
Step 75
In the Windows Network Properties window, right-click your Cisco WLAN card
and choose Disable.
Step 76
Step 77
Close the remote desktop session and all the other open windows.
Activity Verification
You have successfully completed this task when you attain these results:
Complete Cisco ADU installation inclusive of the Cisco Site Survey Utility.
You could associate to your IUWNE-X02 SSID using the Cisco ADU client.
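Step 46 of this task asks which SSID the probe request carries. The Python below is an added example, not part of the lab guide, that reads the SSID element out of a probe request and reports whether it is a named SSID or the zero-length wildcard SSID used in a broadcast probe. It assumes a raw 802.11 frame with no capture header in front, no HT Control field and no trailing FCS; the sample frames and the MAC address 00:11:22:33:44:55 are constructed, and IUWNE-102 is the Pod 1 SSID from the lab table.

```python
MGMT_TYPE, PROBE_REQ_SUBTYPE = 0, 4
SSID_ELEMENT, RATES_ELEMENT = 0, 1
BROADCAST = "ff:ff:ff:ff:ff:ff"


def _mac_bytes(text):
    return bytes(int(part, 16) for part in text.split(":"))


def _mac_text(raw):
    return ":".join(f"{byte:02x}" for byte in raw)


def build_probe_request(source_mac, ssid):
    """Constructed sample frame: 24-byte header, SSID element, rates element."""
    header = (bytes([PROBE_REQ_SUBTYPE << 4 | MGMT_TYPE << 2, 0x00])  # frame control
              + b"\x00\x00"               # duration
              + _mac_bytes(BROADCAST)     # Address 1: destination
              + _mac_bytes(source_mac)    # Address 2: source
              + _mac_bytes(BROADCAST)     # Address 3: BSSID
              + b"\x10\x00")              # sequence control
    rates = bytes([RATES_ELEMENT, 4, 0x82, 0x84, 0x8B, 0x96])
    return header + bytes([SSID_ELEMENT, len(ssid)]) + ssid + rates


def parse_probe_request(frame):
    """Return source, destination, ssid and kind, or None if not a probe request."""
    if len(frame) < 24:
        raise ValueError("shorter than an 802.11 management header")
    frame_type, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if (frame_type, subtype) != (MGMT_TYPE, PROBE_REQ_SUBTYPE):
        return None
    # A probe request body has no fixed fields, only tagged elements:
    # one byte of element ID, one byte of length, then the value.
    body, ssid = frame[24:], None
    while len(body) >= 2:
        element_id, length = body[0], body[1]
        if len(body) < 2 + length:
            raise ValueError("information element runs past the end of the frame")
        if element_id == SSID_ELEMENT:
            ssid = body[2:2 + length]
            break
        body = body[2 + length:]
    if ssid is None:
        raise ValueError("probe request without an SSID element")
    if len(ssid) > 32:
        raise ValueError("SSID longer than 32 bytes")
    return {
        "source": _mac_text(frame[10:16]),
        "destination": _mac_text(frame[4:10]),
        "ssid": ssid.decode("utf-8", errors="replace"),
        "kind": "named" if ssid else "wildcard",
    }


def involves(frame, mac):
    """True if mac is the destination (Address 1) or source (Address 2),
    the two addresses to compare with the adapter MAC from Step 36."""
    wanted = _mac_bytes(mac.lower())
    return wanted in (frame[4:10], frame[10:16])


if __name__ == "__main__":
    card = "00:11:22:33:44:55"  # constructed adapter address
    for ssid in (b"IUWNE-102", b""):
        frame = build_probe_request(card, ssid)
        print(parse_probe_request(frame), involves(frame, card))
```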
Activity Objective
In this activity, you will experiment with connection features and roaming. For this lab, you
will work in a team with another group. Both will create the same WLAN, and you will see
how your client can roam from one to the other. After completing this activity, you will be able
to meet these objectives:
Connect to a specific AP
Visual Objective
The figure illustrates what you will accomplish in this activity.
Required Resources
These are the resources and equipment that are required to complete this activity:
A connection to the remote terminal server with serial connection to your controller
Job Aids
These job aids are available to help you complete the lab activity:
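Lab map

| | Pod 1 | Pod 2 | Pod 3 | Pod 4 |
|---|---|---|---|---|
| WLAN | IUWNE-ROAM12 | IUWNE-ROAM12 | IUWNE-ROAM34 | IUWNE-ROAM34 |
| Mobility group | Pod12 | Pod12 | Pod34 | Pod34 |

| | Pod 5 | Pod 6 | Pod 7 | Pod 8 |
|---|---|---|---|---|
| WLAN | IUWNE-ROAM56 | IUWNE-ROAM56 | IUWNE-ROAM78 | IUWNE-ROAM78 |
| Mobility group | Pod56 | Pod56 | Pod78 | Pod78 |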
Activity Procedure
Complete these steps:
Step 1
Check that you are connected, through the VPN tunnel, to the remote lab network.
Step 2
From your class PC, open a browser session to your Cisco 2106 controller
Management Interface IP address. (https://10.X0.1.10) You may have to disable
your local proxy to access the web interface through the VPN tunnel.
Step 3
Step 4
Click Login.
Step 5
Enter the administrative username you defined in the previous lab and the password
(adminX for the username and cisco for the password).
Step 6
Step 7
Step 8
You should see the WLAN you created before. Click its name to edit its settings.
Step 9
Uncheck the Status Enabled check box. You do not want this WLAN to currently be
active [13]. Click Apply to validate the change.
Step 10
Now, at the WLAN page list, in the upper-right part of the window, click New to
create a new WLAN.
[13] The Cisco 2106 and the AP are perfectly capable of supporting several WLANs at the same time, but in a crowded
environment, you do not want to see too many SSID names that you will not use. For this reason you will disable the
WLANs you do not use for each new lab.
Step 11
In the Profile Name field, enter Roaming. In the WLAN SSID field, enter the name of
the WLAN. Refer to the lab table (IUWNE-ROAMX, where X = shared group
number between two pods).
Note
The name is in capitals and is case-sensitive.
Step 12
Step 13
Step 14
Step 15
In the Radio Policy drop-down list, choose 802.11a only. Because your Cisco 1252
AP operates only in the 802.11a spectrum, there is no point in allowing this WLAN
in the 802.11b/g band.
Step 16
Step 17
Step 18
Step 19
You should now have two WLAN Profile Names in the list, but only Roaming
shows a status of Enabled.
Step 20
Step 21
You should see your AP. Note that its Ethernet MAC address is shown. You want to
know its radio MAC address. In the left menu, choose radio > 802.11a/n.
Step 22
You should see your AP, along with its radio MAC address. Document this MAC
address here:
1252 AP 802.11a MAC address:_________________________________________
Step 23
You want to allow your clients to connect at 802.11n speeds. Position your mouse
on the arrow at the end of the AP description line and choose Configure.
Step 24
A new screen appears. In the 11n Parameters section, verify that your AP supports
802.11n. You will be using 20-MHz-wide channels, compatible with non-802.11n
clients. Verify that the Channel Width is set to 20 MHz.
Step 25
Step 26
Step 27
In the General section, verify that 802.11n is activated. In the MCS Data Rate
Settings, verify that all data rates are checked. Document the highest possible rate:
___________________________________________________________________
Step 28
To be able to roam, not only do you need to have a common WLAN, but the
controllers also need to be in the same mobility group. In the upper menu, click
Controller.
Step 29
In Default Mobility Domain Name and RF-Network Name, enter your common
group name. Refer to the table:
| Pod | Name |
|---|---|
| Pod12 | Pod12 |
| Pod34 | Pod34 |
| Pod56 | Pod56 |
| Pod78 | Pod78 |
Note
Step 30
Step 31
Controllers are now in the same mobility group, but they do not communicate with
each other yet. In the left menu, unfold Mobility Management, and choose Mobility
groups.
Step 32
You see your controller's details. Document its Management IP address and built-in
MAC address [14]:
Management IP address: ______________________________________________
Built in MAC address: ________________________________________________
Step 33
In the upper-right part of the screen, click New to create a new member to your
mobility group.
Step 34
Ask your partner group for their controller IP address and built-in MAC address, and
enter the values in the right fields.
Step 35
Step 36
[14] The built-in MAC address is a MAC address common to the whole system, and not relevant to a specific port. This
MAC address is reachable through any port, and characterizes the system as a whole.
Step 37
To verify connectivity to the other controller, put the mouse over the arrow at the
right end of the line describing your partner controller, and choose Ping.
Step 38
Step 39
Your controllers are now ready to offer intercontroller connectivity and roaming. Do
not close the web browser window.
Activity Verification
You have successfully completed this task when you attain these results:
Your controller is in the same mobility group as your partner controller, and they could
ping each other successfully.
Activity Procedure
Complete these steps:
Step 1
Steps 1 through 8 are for even-numbered pods (2, 4, 6, and 8) to disable their radios.
Odd-numbered pods can proceed to Step 9. In the controller web browser window,
click Wireless in the upper menu.
Step 2
Step 3
Step 4
Put your mouse on the arrow at the end of the line and choose Configure.
Step 5
Step 6
In the General section, set the Admin Status to Disable to turn your radio off.
Step 7
Click Apply to validate the change. Click Back to return to the radio list.
Step 8
The AP should show in the list, with its radio status set to DOWN and Disable.
Even-numbered pods can now proceed to Step 16 to configure their remote lab
wireless laptop.
Step 9
Steps 9 through 15 are for odd-numbered pods (1, 3, 5, and 7) to remove any
existing client associations. Even-numbered pods should have finished Step 8 and
proceeded to step 16. On the odd-numbered pod controllers, the AP radio should still
be up. At this point, only one of the APs in the mobility group is up, which
guarantees that the client will connect to this AP only.
Step 10
One last step needs to be performed: remove the clients' trace from the controllers.
Otherwise, the client will not connect to the controller you expect. You will see why
later on. In the upper menu, click Monitor.
Step 11
Step 12
A new window appears. You should see at least one client. If you do not see any
clients, move directly to Step 16.
Step 13
Put your mouse on the arrow at the right end of the line describing each client, and
choose Remove. Be careful not to choose Disable.
Step 14
Click OK to confirm that you want to delete this client from the controller cache.
Repeat the operation for all the other clients you may see in the list.
Step 15
Step 16
Connect to your remote laptop from your class PC; choose Start > Programs >
Accessories > Communications > Remote Desktop Connection.
Note
In each pod, only one connection at a time is possible to the remote laptop. With your
partner choose who will be connecting.
Step 17
Use the lab table to know what IP address you should use to connect to your remote
lab wireless laptop. It should be in the format 10.X0.1.240, where X is your pod
number.
Step 18
In the remote desktop connection pop-up window, in the computer field, enter the IP
address of your remote laptop, and click Connect.
Step 19
You will be presented with a new window where you are asked to enter the
credentials required to access your remote laptop. Use the lab table to know which
username and password are used to connect to your group laptop. They should be in
the format studentX for username and cisco for the password, where X is your pod
number.
Step 20
Enter the credentials and click OK. You should see the Windows desktop of your
remote laptop.
Step 21
From your remote lab wireless laptop, click Start > Connect To > Show All
Connections.
Step 22
Locate your wireless connection. It should be called Intel Wireless WiFi Link
4965AGN.
Step 23
Step 24
Right-click your internal Intel 4965 wireless card connection again (not the Cisco
wireless card) and choose View Available Wireless Networks.
Step 25
The IUWNE-ROAMXY SSID should appear in the list. Click Connect. Read the
warning about unsecured networks, and click Connect Anyway to continue.
Step 26
Step 27
Step 28
A new window appears. Verify that you are connected to the correct WLAN
(IUWNE-ROAMX). Also check the speed of the connection. It should be of 802.11n
type.
Step 29
Step 30
Step 31
Step 32
Click Close to close the Network Connection Details window. Close the status
window.
Step 33
Try to ping your partner laptop wireless connection. Open a command prompt and
choose Start > All Programs > Accessories > Command Prompt.
Step 34
Ask your partner pod for their IP address documented at Step 30. Notice that,
in the wireless space, both machines are in the same subnet because they connected
to the same WLAN connected to the same controller.
Step 35
At the command prompt, enter ping -t followed by your partner's laptop IP address.
Step 36
The ping should be successful and carry on without interruption. Notice the variable
time taken by each ping. The frame needs to travel from your laptop to the AP, then
from the AP to your partner laptop. It answers with a frame that has to travel all the
way back. At each step, CSMA/CA and contention windows may imply a different
delay. Let the ping continue without interrupting it and proceed to the next task
while leaving the command prompt window open.
Activity Verification
You have successfully completed this task when you attain these results:
Activity Procedure
Complete these steps:
Step 1
Step 2
Step 3
Step 4
On the even-numbered pod (2, 4, 6, 8) controllers, you should still see no client
because your AP radio is disabled.
Step 5
Steps 5 through 12 are for even-numbered pods (2, 4, 6, and 8) to enable their
respective AP radios. In the controller web browser window, click Wireless in the
upper menu.
Step 6
Step 7
Step 8
Put your mouse on the arrow at the end of the line and choose Configure.
Step 9
Step 10
In the General section, set the Admin Status to Enable. This will turn your radio
back on.
Step 11
Click Apply to validate the change. Click Back to return to the radio list.
Step 12
The AP should show in the list, with its radio status set to UP / Enable. Notice the
channel is on.
Step 13
On the odd-numbered pods (1, 3, 5, 7) controllers, the AP radio should also be up.
At this point, both APs are up, but on different channels.
Step 14
Repeat Steps 2 to 4 to make sure that, even though two APs are available now, the
clients did not hop to the second AP (footnote 15).
Step 15
Now is the time to force the hop, disabling the first AP to force the client to look for
another AP serving the same SSID and hop to it.
Step 16
Steps 16 through 23 are for the odd-numbered pods (1, 3, 5, 7) to disable their radios
to force clients to search for another AP for association. In the controller web
browser window, click Wireless in the upper menu.
Step 17
Step 18
Step 19
Put your mouse on the arrow at the end of the line and choose Configure.
Step 20
Step 21
In the General section, set the Admin Status to Disable. This will turn your radio
down. Do not click Apply yet.
Step 22
Before clicking Apply, make sure you have a connection to your remote laptop and
see the window where the machine is still pinging your partner's IP address. Be
ready to go back to it as soon as you click Apply in the web browser session. Then,
click Apply to validate the change.
Step 23
Footnote 15: The clients have no reason to hop if the first AP offers a good enough connection.
Step 24
A few pings should be timing out, while your WLAN card realizes that the
connection is not available anymore (no ACK to one of the pings), then scans all the
channels to find another AP serving the same SSID and reassociates. With a rate of
about 1 ping per second, try to evaluate how many seconds were lost in the process.
Step 25
Now both clients associate through the second (even-numbered) pod's controller
AP.
Step 26
Step 27
Step 28
A new window appears. On the even-numbered controllers, you should still not see a
client.
Step 29
On the odd-numbered pod controllers, you should still see both laptops as clients to
your controller. The AP name has changed now. It indicates the other controller as
the AP, and the protocol changed from 802.11n to Mobile: the new controller proxies
the connection for your clients, but keeps in memory that they have to remain on the
same subnet as they were before, and that they come from the first controller.
Step 30
Step 31
From your controller web interface, click Save Configuration in the upper menu.
Click OK to confirm.
Step 32
Step 33
From your remote lab wireless laptop, choose Start > Connect To > Show All
Connections.
Step 34
Locate your wireless connection. It should be called Intel Wireless WiFi Link
4965AGN.
Step 35
Step 36
Close the open windows in the remote desktop connection. Close the remote desktop
connection and the web interface to your controller.
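One way to evaluate the seconds lost in Step 24 from a saved copy of the ping -t window, as an added example that is not part of the lab guide. The sample output is constructed with placeholder addresses, and the one-second probe interval is the rate the lab states; the function names are this example's own.

```python
import re

# Constructed sample: Windows "ping -t" output saved during the forced roam.
# Addresses are documentation placeholders, not lab values.
SAMPLE_PING_LOG = """\
Pinging 192.0.2.20 with 32 bytes of data:

Reply from 192.0.2.20: bytes=32 time=3ms TTL=128
Reply from 192.0.2.20: bytes=32 time=7ms TTL=128
Request timed out.
Request timed out.
Reply from 192.0.2.10: Destination host unreachable.
Request timed out.
Reply from 192.0.2.20: bytes=32 time=12ms TTL=128
Reply from 192.0.2.20: bytes=32 time<1ms TTL=128
Reply from 192.0.2.20: bytes=32 time=4ms TTL=128
"""

# A probe succeeded only if the line carries bytes/time/TTL fields. A line such as
# "Reply from <ip>: Destination host unreachable." also starts with "Reply from"
# but is a loss, so matching on the prefix alone would undercount the outage.
REPLY_RE = re.compile(r"^Reply from \S+ bytes=\d+ time[=<](\d+)ms TTL=\d+")
LOSS_MARKERS = ("Request timed out", "unreachable", "General failure", "transmit failed")


def parse_probes(log_text):
    """Return one entry per probe: RTT in ms for a reply, None for a lost probe."""
    probes = []
    for raw in log_text.splitlines():
        line = raw.strip()
        match = REPLY_RE.match(line)
        if match:
            # "time<1ms" is recorded as 1 ms, an upper bound.
            probes.append(int(match.group(1)))
        elif any(marker in line for marker in LOSS_MARKERS):
            probes.append(None)
    return probes


def _outage(start, end, seconds_per_probe, recovered):
    lost = end - start
    return {"first_probe": start, "lost": lost,
            "seconds": lost * seconds_per_probe, "recovered": recovered}


def find_outages(probes, seconds_per_probe=1.0):
    """Group consecutive lost probes into outages.

    seconds_per_probe defaults to the lab's "about 1 ping per second"; pass a
    larger value if the ping timeout (-w) makes each lost probe take longer.
    """
    outages, start = [], None
    for index, rtt in enumerate(probes):
        if rtt is None:
            if start is None:
                start = index
        elif start is not None:
            outages.append(_outage(start, index, seconds_per_probe, True))
            start = None
    if start is not None:  # capture ended before the client reassociated
        outages.append(_outage(start, len(probes), seconds_per_probe, False))
    return outages


def summarize(log_text, seconds_per_probe=1.0):
    """Summarize a ping -t capture: loss count, outages, and RTT spread."""
    probes = parse_probes(log_text)
    rtts = [rtt for rtt in probes if rtt is not None]
    rtt_ms = None
    if rtts:
        rtt_ms = {"min": min(rtts), "max": max(rtts),
                  "avg": round(sum(rtts) / len(rtts), 1)}
    return {"probes": len(probes), "lost": len(probes) - len(rtts),
            "outages": find_outages(probes, seconds_per_probe), "rtt_ms": rtt_ms}


if __name__ == "__main__":
    report = summarize(SAMPLE_PING_LOG)
    for outage in report["outages"]:
        state = "recovered" if outage["recovered"] else "still down at end of capture"
        print(f"outage at probe {outage['first_probe']}: {outage['lost']} probes lost, "
              f"about {outage['seconds']:.0f} s ({state})")
    print("RTT ms:", report["rtt_ms"])
```

The RTT spread in the summary corresponds to the variable ping times the earlier task attributes to CSMA/CA and contention windows.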
Activity Verification
You have successfully completed this task when you attain these results:
Activity Objective
In this activity you will set up a WLAN with Web Authentication as the security policy. This
implementation provides an open connection to a user that requires a username and password
security exchange. All network traffic is then transmitted in the clear. In order to provide that
support, a new WLAN instance must be created that provides an SSID that the Web
Authentication client will use. You must also define a Local Net User database and create the
username and password entries. Once the support for Web Authentication is configured
correctly on your controller, you will log in using the Local Net User username and password
using a browser connection from your remote lab wireless laptop. After completing this
activity, you will be able to meet these objectives:
Visual Objective
The figure illustrates what you will accomplish in this activity.
Required Resources
These are the resources and equipment that are required to complete this activity:
A connection to the remote terminal server with serial connection to your controller
In the remote lab, a remote lab wireless laptop with a Cisco WLAN adapter
Job Aids
These job aids are available to help you complete the lab activity:
Pod IP addresses
Lab map
Pod 2
Pod 3
Pod 4
10.10.1.240
10.20.1.240
10.30.1.240
10.40.1.240
student1
student2
student3
student4
cisco
cisco
cisco
cisco
90
90
90
90
172.16.90.10
172.16.90.20
172.16.90.30
172.16.90.40
255.255.255.0
255.255.255.0
255.255.255.0
255.255.255.0
172.16.90.253
172.16.90.253
172.16.90.253
172.16.90.253
172.16.90.253
172.16.90.253
172.16.90.253
172.16.90.253
WLAN
IUWNE-Web1
IUWNE-Web2
IUWNE-Web3
IUWNE-Web4
Switch IP address
10.10.1.253
10.20.1.253
10.30.1.253
10.40.1.253
Switch username
student1
student2
student3
student4
Switch password
cisco
cisco
cisco
cisco
Controller interface on
the switch
Gigabitethernet0/3
Gigabitethernet0/8
Gigabitethernet0/13
Gigabitethernet0/18
Native VLAN
10
20
30
40
webuser1
webuser2
webuser3
webuser4
cisco
cisco
cisco
cisco
Pod 6
Pod 7
Pod 8
10.50.1.240
10.60.1.240
10.70.1.240
10.80.1.240
student5
student6
student7
student8
cisco
cisco
cisco
cisco
90
90
90
90
172.16.90.50
172.16.90.60
172.16.90.70
172.16.90.80
255.255.255.0
255.255.255.0
255.255.255.0
255.255.255.0
172.16.90.253
172.16.90.253
172.16.90.253
172.16.90.253
172.16.90.253
172.16.90.253
172.16.90.253
172.16.90.253
WLAN
IUWNE-Web1
IUWNE-Web2
IUWNE-Web3
IUWNE-Web4
Switch IP address
10.50.1.253
10.60.1.253
10.70.1.253
10.80.1.253
Switch username
student5
student6
student7
student8
Switch password
cisco
cisco
cisco
cisco
Controller interface on
the switch
Gigabitethernet0/23
Gigabitethernet0/28
Gigabitethernet0/33
Gigabitethernet0/38
Native VLAN
50
60
70
80
webuser5
webuser6
webuser7
webuser8
cisco
cisco
cisco
cisco
Activity Procedure
Complete these steps:
Step 1
Step 2
From your class PC, connect to your Cisco 526 controller web interface. Open a
secured browser session to 10.X0.1.100, where X is your pod number.
Step 3
Enter your administrative user credentials, adminX as the username and cisco as the
password, where X is your pod number.
Step 4
From the upper Menu bar, choose the Controller > Interfaces option. Notice the
Controller options available in the left sidebar.
Step 5
Step 6
Step 7
Step 8
Step 9
A new screen appears where you can configure your interface details. Enter the
values for this new dynamic interface as per the following table:
|                 | Pod 1         | Pod 2         | Pod 3         | Pod 4         |
| VLAN 90 ID      | 90            | 90            | 90            | 90            |
| VLAN 90 IP      | 172.16.90.10  | 172.16.90.20  | 172.16.90.30  | 172.16.90.40  |
| VLAN 90 netmask | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 |
| VLAN 90 gateway | 172.16.90.253 | 172.16.90.253 | 172.16.90.253 | 172.16.90.253 |
|                 | 172.16.90.253 | 172.16.90.253 | 172.16.90.253 | 172.16.90.253 |

|                 | Pod 5         | Pod 6         | Pod 7         | Pod 8         |
| VLAN 90 ID      | 90            | 90            | 90            | 90            |
| VLAN 90 IP      | 172.16.90.50  | 172.16.90.60  | 172.16.90.70  | 172.16.90.80  |
| VLAN 90 netmask | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 |
| VLAN 90 gateway | 172.16.90.253 | 172.16.90.253 | 172.16.90.253 | 172.16.90.253 |
|                 | 172.16.90.253 | 172.16.90.253 | 172.16.90.253 | 172.16.90.253 |
Step 10
The gateway, 172.16.90.253, will act as a DHCP server for clients of this subnet.
The DHCP server is already configured on the gateway. Click Apply to validate the
settings. Read the warning message and click OK to continue.
Step 11
Notice in the upper-right corner of your window the three options; Save
Configuration, Ping, and Logout. Click the Save Configuration option. This saves
the running configuration to the NVRAM.
Activity Verification
You have successfully completed this task when you attain these results:
Activity Procedure
Complete these steps:
Step 1
Navigate to WLAN.
Step 2
Disable your IUWNE-X02 SSID from the previous lab. Click it. A new screen
appears.
Step 3
Step 4
Your WLAN still appears in the list, but is disabled. No connection will be allowed
to this WLAN, and it will not be seen on the AP (footnote 16).
Step 5
Step 6
In the screen that appears, leave the WLAN type to its default. Enter the profile
name of Web_authentication.
Footnote 16: Your controller could have several active WLANs, but in a crowded lab environment it is better to limit the WLANs
to the one you really need.
Step 7
Assign the correct SSID as indicated on your lab map. It should be in the form
IUWNE-WEBX, where X is your pod number.
Step 8
Click the Apply button to create the new WLAN. A new edit screen will appear.
Step 9
Step 10
Step 11
Step 12
Set the Layer 2 Security to None, because this WLAN will just use web
authentication (which is Layer 3) but no Layer 2 encryption or authentication.
Step 13
Step 14
Click Web Policy. Read the warning about DNS and click OK to acknowledge.
Step 15
There are two possible web policies. Leave the policy to its default, Authentication.
Step 16
Step 17
Step 18
Step 19
A new screen appears; choose Reboot in the upper-right portion of the window.
Step 20
Two new options appear, Save and reboot and Reboot without save. Click Save and
reboot. Read the warning and click OK to continue.
Step 21
After a few minutes, your controller should be accessible again, and your Cisco 521
AP should also be accessible. Do not close your controller web browser.
Activity Verification
You have successfully completed this task when you attain these results:
You have successfully created a WLAN on your Cisco 526 Controller associated to the
VLAN 90 interface.
Activity Procedure
Complete these steps:
Step 1
Step 2
Try to ping your management interface gateway. Enter the switch IP address. It
should be in the form 10.X0.1.253.
Step 3
The ping should be successful. You can ping the switch to which your controller
connects. Click OK to close.
Step 4
Click Ping again. Enter your interface 90 IP address. It should be in the form
172.16.90.X0, where X is your pod number.
Step 5
The ping is again successful. You can ping your own interface in VLAN 90. Click
OK to close.
Step 6
Click Ping again. Enter the switch IP address in VLAN 90. It should be
172.16.90.253.
Step 7
This time the ping fails. You can reach the switch on the management subnet, but
not on VLAN 90. The problem could come from the switch IP address, but it is
configured properly. The second possibility is a misconfiguration in your controller
link to the switch. To verify, connect to the switch and from your local classroom
PC, choose Start > All Programs > Accessories > Command Prompt.
Step 8
Enter telnet followed by your switch IP address. It should be in the form telnet
10.X0.1.253, where X is your pod number.
Step 9
Enter your credentials. Login should be in the form studentX, where X is your pod
number. Password is cisco.
Step 10
Refer to the table below to know on which port your Cisco 526 controller is
connected. Enter show running-config interface gigabitethernet 0/X, where
gigabitethernet 0/X is your Cisco 526 controller interface on the switch. Refer to the
following table:
|                                        | Pod 1              | Pod 2              | Pod 3               | Pod 4               |
| Switch IP address                      | 10.10.1.253        | 10.20.1.253        | 10.30.1.253         | 10.40.1.253         |
| Switch username                        | student1           | student2           | student3            | student4            |
| Switch password                        | cisco              | cisco              | cisco               | cisco               |
| 526 Controller interface on the switch | Gigabitethernet0/3 | Gigabitethernet0/8 | Gigabitethernet0/13 | Gigabitethernet0/18 |
| Native VLAN                            | 10                 | 20                 | 30                  | 40                  |

|                                        | Pod 5               | Pod 6               | Pod 7               | Pod 8               |
| Switch IP address                      | 10.50.1.253         | 10.60.1.253         | 10.70.1.253         | 10.80.1.253         |
| Switch username                        | student5            | student6            | student7            | student8            |
| Switch password                        | cisco               | cisco               | cisco               | cisco               |
| 526 Controller interface on the switch | Gigabitethernet0/23 | Gigabitethernet0/28 | Gigabitethernet0/33 | Gigabitethernet0/38 |
| Native VLAN                            | 50                  | 60                  | 70                  | 80                  |
Step 11
Your controller port is in a VLAN on the switch. This means that the controller
can access anything that is in the same VLAN, such as the AP, the remote lab wireless
laptop, or the switch itself, as long as your controller does not apply any tag to the
frames it sends. This method worked previously because the management interface
was untagged. If you want to send tagged frames from your controller, you will need
to allow the switch to receive them. This implies changing the port mode from
access, in a VLAN, to a trunk. The switch will then accept receiving tags on this
trunk (footnote 17).
Step 12
Footnote 17: This configuration is not specific to the Cisco 526 controller. On your Cisco 2106 controller, you have, up to this
point, used only the management interface. As soon as you would need to use more than one interface on a port, this
port must be turned into a trunk.
Step 13
Step 14
The port is not in the VLAN specified. Enter no switchport access vlan X0, where
X0 is the VLAN number displayed by the switch for this port.
Step 15
You will need to use 802.1Q type of tagging, which is the one supported by the
controller. Enter switchport trunk encapsulation dot1q.
Step 16
Step 17
This configuration allows your controller to send and receive tagged frames, but one
element is missing. Until now, your controller was connecting to your Cisco 521 AP
and your remote lab wireless laptop because they all were in the same VLAN.
Frames were sent from one port of the VLAN to the other as if the VLAN itself was
an independent switch. If you change the controller port to trunk mode, all frames
coming for the different VLANs will still be sent to it, but with a VLAN tag. This
means that frames coming from your AP, your remote lab wireless laptop, or even
your local classroom PC will be sent to the controller with the VLAN tag you saw
before for your controller port. The problem is that your management and AP
manager interfaces are set with VLAN TAG 0, which means that they are
untagged, and do not understand tagged traffic. Try to access the controller web
interface. It should have become inaccessible. There are two ways of solving this
problem. The first one is to tag the management and AP manager interface, so that
they understand the tags sent from the other devices. The second one is to tell the
switch not to tag the frames that originate from the controller's old VLAN. This
second way is the easiest way. To do it, you need to tell the switch that, on this trunk
port, the native VLAN is your controller's old VLAN number.
Step 18
Still at the controller interface configuration level, enter switchport trunk native
vlan X0, where X is your pod number.
Step 19
You should immediately regain access to your controller's web interface, and your
Cisco 521 AP should be back after a few seconds. If you still cannot access your
switch web interface, notify your instructor.
Step 20
From the switch interface, enter end to exit the configuration mode.
Step 21
Enter ping followed by your controller IP address in VLAN 90. It should be in the
form ping 172.16.90.X0, where X is your pod number. The ping should be
successful. You can ping your controller from the switch. Close the command
prompt window.
Step 22
Verify the connectivity from the controller side. Click Ping again. Enter the switch
IP address in VLAN 90. It should be 172.16.90.253. This time the ping should be
successful. Close the popup window.
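One way to check the controller port against the end state this task describes, as an added example that is not part of the lab guide or any Cisco tool: the script audits a show running-config interface stanza. The stanzas are constructed for Pod 1 (Gigabitethernet0/3, native VLAN 10, dynamic interface in VLAN 90), and the allowed-VLAN pruning finding is an added hardening assumption that the lab itself does not configure.

```python
import re

# Constructed stanzas for Pod 1, in the form printed by
# "show running-config interface gigabitethernet 0/3".
BEFORE = """\
interface GigabitEthernet0/3
 switchport access vlan 10
 switchport mode access
end
"""
# Trunk mode without a native VLAN: the state in which Step 17 says the
# controller web interface becomes inaccessible.
TRUNK_NO_NATIVE = """\
interface GigabitEthernet0/3
 switchport trunk encapsulation dot1q
 switchport mode trunk
end
"""
AFTER_STEP_18 = """\
interface GigabitEthernet0/3
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport mode trunk
end
"""
# Assumption beyond the lab: the trunk is pruned to the VLANs the controller uses.
PRUNED = AFTER_STEP_18.replace(
    " switchport mode trunk",
    " switchport trunk allowed vlan 10,90\n switchport mode trunk")


def parse_vlan_list(spec):
    """Expand an IOS VLAN list such as '10,80-100' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        if part:
            low, _, high = part.partition("-")
            vlans.update(range(int(low), int(high or low) + 1))
    return vlans


def parse_switchport(config_text):
    """Extract the switchport settings that decide how frames are tagged."""
    # IOS omits defaults from the running config: native VLAN 1, all VLANs allowed.
    state = {"mode": None, "encapsulation": None, "native": 1, "allowed": None}
    for raw in config_text.splitlines():
        line = raw.strip().lower()
        if m := re.fullmatch(r"switchport mode (\S+)", line):
            state["mode"] = m.group(1)
        elif m := re.fullmatch(r"switchport trunk encapsulation (\S+)", line):
            state["encapsulation"] = m.group(1)
        elif m := re.fullmatch(r"switchport trunk native vlan (\d+)", line):
            state["native"] = int(m.group(1))
        elif m := re.fullmatch(r"switchport trunk allowed vlan (add )?(all|none|[\d,-]+)", line):
            # Only the list, "add", "all" and "none" forms are handled here.
            spec = m.group(2)
            if spec == "all":
                state["allowed"] = None
            elif spec == "none":
                state["allowed"] = set()
            elif m.group(1):
                state["allowed"] = (state["allowed"] or set()) | parse_vlan_list(spec)
            else:
                state["allowed"] = parse_vlan_list(spec)
    return state


def audit_controller_port(config_text, native_vlan, tagged_vlans):
    """Return (code, message) findings; an empty list means nothing to fix."""
    s = parse_switchport(config_text)
    if s["mode"] != "trunk":
        return [("not-trunk", "access port: tagged frames from the controller "
                              "(for example VLAN 90) are not accepted")]
    findings = []
    if s["encapsulation"] != "dot1q":
        findings.append(("no-dot1q", "trunk encapsulation is not set to dot1q"))
    if s["native"] != native_vlan:
        findings.append(("native-mismatch",
                         f"native VLAN is {s['native']}, so the untagged management "
                         f"interface is no longer in VLAN {native_vlan}"))
    if s["allowed"] is None:
        findings.append(("allowed-all", "trunk carries every VLAN; consider "
                                        "limiting it to the VLANs the controller uses"))
    else:
        missing = ({native_vlan} | set(tagged_vlans)) - s["allowed"]
        if missing:
            findings.append(("vlan-pruned", f"required VLANs not allowed: {sorted(missing)}"))
    return findings


if __name__ == "__main__":
    for name, stanza in [("before", BEFORE), ("trunk, no native", TRUNK_NO_NATIVE),
                         ("after Step 18", AFTER_STEP_18), ("pruned", PRUNED)]:
        print(name, "->", audit_controller_port(stanza, 10, [90]) or "ok")
```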
Activity Verification
You have successfully completed this task when you attain these results:
Activity Procedure
Complete these steps:
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
Do not click Guest User because you do not want to restrict the user lifetime (footnote 18).
Step 7
Step 8
Fill in the description for this user. It should be in the form User for the Web based
WLAN.
Step 9
Activity Verification
You have successfully completed this task when you attain these results:
Activity Procedure
Complete these steps:
Step 1
Navigate to Monitor. Your AP should not be seen anymore (footnote 19). If you see your AP,
proceed directly to Task 5.
Footnote 18: When clicking guest user, you can restrict the user credentials lifetime. You could use this setting here, but you
choose instead not to restrict the credentials lifetime and leave the Guest user box unchecked.
Footnote 19: In this lab environment, when you rebooted your controller, your Cisco 521 AP tried to join your controller but could
not. It then probably joined another controller while you were still rebooting. Now that your controller is back,
rebooting the AP is the easiest way to have it discover your controller again and rejoin it.
Step 2
You need to connect to your Cisco 521 AP serial interface to reboot it locally. From
your class PC, choose Start > Programs > Accessories > Command Prompt.
Step 3
At the command prompt, enter telnet followed by the IP address of the remote
terminal server (10.1.1.252 or other if provided by your instructor).
Step 4
Enter the credentials (username student, password cisco or other if provided by your
instructor) to access the terminal server.
Step 5
After successful login, you will be asked to choose the correct pod (Podx), where x
is your pod number.
Step 6
You will see a new menu, allowing you to connect to several devices in your group.
Take some time to familiarize yourself with the different options that are available.
Step 7
You now need to connect to the Cisco 521 AP, which is AP521, or Item 3.
Step 8
Once connected, enter enable to access the privileged mode. The password is Cisco.
Step 9
Enter reload to reboot the AP. Press Enter to confirm. After a few minutes, you
should see that the AP is fully rebooted and an indication that it joined your
controller. Close the command prompt window.
Activity Verification
You have successfully completed this task when you attain these results:
Activity Procedure
Complete these steps:
Step 1
Connect to your remote lab wireless laptop; from your class PC, choose Start >
Programs > Accessories > Communications > Remote Desktop Connection.
Note
In each pod, only one connection at a time is possible to the remote lab wireless laptop.
Choose with your partner who will be connecting.
Step 2
Use the lab table to know what IP address you should use to connect to your remote
lab wireless laptop. It should be in the format 10.X0.1.240, where X is your pod
number.
Step 3
In the Remote Desktop Connection pop-up window, in the Computer field, enter the
IP address of your remote lab wireless laptop, and click Connect.
Step 4
You will be presented with a new window where you are asked to enter the
credentials required to access your remote lab wireless laptop. Use the lab map to
know which username and password are used to connect to your pod remote lab
wireless laptop. They should be in the format studentX/cisco, where X is your pod
number.
Step 5
Enter the credentials and click OK. You should see the Windows desktop of your
remote lab wireless laptop.
Step 6
From your remote lab wireless laptop, choose Start > Connect To > Show All
Connections.
Step 7
Locate your wireless connection. It should be called Intel Wireless WiFi Link
4965AGN.
Step 8
Step 9
Right-click the Intel Wireless network icon again and click View All Available
Wireless Networks.
Step 10
You should see the WLAN you just created. Click it and click Connect.
Step 11
Read the warning about unsecured networks, and click Connect anyway to proceed.
Step 12
After a few seconds, you should be connected. Open a command prompt to verify
your IP address. Choose Start > All Programs > Accessories > Command
Prompt.
Step 13
Enter ipconfig.
Step 14
Your wireless connection should have an IP address in the 172.16.90.0 range. This
implies that you could reach the gateway as a DHCP client to obtain an IP address
from it. Enter ipconfig /all.
Step 15
Make sure that you have only one DNS server, 10.100.1.1, obtained through the
wireless interface. If you have more than one DNS server, report to your
instructor (footnote 20).
Footnote 20: You will need to contact a DNS server to resolve a URL on the next page. If you have a DNS server on your LAN interface,
Windows will always prefer it to the wireless one, and DNS resolution will fail for our example URL.
Step 16
Try to ping through the controller to the gateway; enter ping 172.16.90.253. The
ping should fail.
Step 17
Now back up and ping only your controller IP address in VLAN 90. Enter ping
172.16.90.X0, where X is your pod number. The ping should fail. This means that
although you had DHCP reachability, you do not have IP reachability as a client.
This WLAN is based on web authentication; to actually access the network, you need
to be authenticated.
Step 18
Your controller will not present itself to a wireless client as the VLAN interface, but
will always try to emulate the virtual IP address, 1.1.1.1, regardless of which VLAN
the wireless client should be sent once on the wired side of the network. Try to ping
this virtual IP address. Enter ping 1.1.1.1. The ping should fail.
Step 19
In this specific lab environment, your remote lab wireless laptop has two ways of
getting to your controller: via the wired interface, or via the wireless interface. For
the wireless connection to be successful, you need to access the controller from the
wireless interface. This implies creating a static route. Still from your command
prompt, enter a host route: route add 1.1.1.1 mask 255.255.255.255 172.16.90.253.
This informs your remote lab wireless laptop that to reach your controller's virtual
IP address (1.1.1.1), only the wireless gateway should be used.
Step 20
Still from the command prompt, enter route add 10.100.1.1 mask 255.255.255.255
172.16.90.253. This route informs your remote lab wireless laptop that reaching
the DNS server should be done via the wireless interface, so that traffic flows via
your controller and not your wired interface.
Step 21
From your remote lab wireless laptop, open a browser. Verify that the popup blocker
is disabled (footnote 21). In the address bar enter test.example.com.
Step 22
Step 23
In username, enter the local net user name you created before. It should be in the
form webuserX, where X is your pod number.
Step 24
Footnote 21: The web authentication page opens a popup window when connected. This page is not necessary in itself, but failure to
see it makes it difficult to know if you are successfully connected or not. Disabling the popup blocker for your browser is
required in this lab environment.
2008 Cisco Systems, Inc.
Step 25
Notice that to close the session, you will need to use the page https://1.1.1.1/logout.html, and then
click Logout.
Step 26
From the command prompt, enter ping 172.16.90.253. The ping should be
successful. Now that you are authenticated, you have full access to the network.
Step 27
Step 28
Activity Verification
You have successfully completed this task when you attain this result:
You have successfully logged in to the web authentication-based WLAN you created.
Activity Procedure
Complete these steps:
Step 1
Step 2
Step 3
Step 4
When the security alert screen comes up, click Yes to continue.
Step 5
When the Login screen appears, log in using the name of the Local Net User you
created, but this time use iforgot as the password.
Step 6
Continue to try and log in to the system counting each failed attempt.
Step 7
Step 8
Step 9
In the command prompt, enter: route delete 10.100.1.1. Traffic to the DNS server
does not need to go via the wireless interface anymore. Close the command prompt.
Step 10
From your remote lab wireless laptop, choose Start > Connect To > Show All
Connections.
Step 11
Locate your wireless connection. It should be called Intel Wireless WiFi Link
4965AGN.
Step 12
Step 13
Step 14
From your class PC, open a web browser session to your 526 controller. Its IP
address should be in the form 10.X0.1.100.
Step 15
Step 16
Choose the Trap Logs option in the left sidebar menu to bring up a list of recent
trap events.
Step 17
Examine the information found there. You should see the Client exclusion event.
Step 18
Document how many failed attempts were reported before you were excluded:
_______________________________________________________________
Step 19
Activity Verification
You have successfully completed this activity when you have attained these results:
Activity Objective
In this activity, you will create a secured WLAN on your Cisco 2106 controller, using EAP-FAST for authentication, based on a local EAP, and WPA for encryption. After completing this
activity, you will be able to meet these objectives:
Visual Objective
The figure illustrates what you will accomplish in this activity.
Required Resources
These are the resources and equipment that are required to complete this activity:
A connection to the remote terminal server with serial connection to your controller
In the remote lab, a remote lab wireless laptop with a WLAN adapter
Job Aids
These job aids are available to help you complete the lab activity:
Lab table
Pod 2
Pod 3
Pod 4
Profile
EAP-FAST
EAP-FAST
EAP-FAST
EAP-FAST
WLAN
IUWNE-FAST1
IUWNE-FAST2
IUWNE-FAST3
IUWNE-FAST4
Fastuser1
Fastuser2
Fastuser3
Fastuser4
cisco
cisco
cisco
cisco
Pod 6
Pod 7
Pod 8
Profile
EAP-FAST
EAP-FAST
EAP-FAST
EAP-FAST
WLAN
IUWNE-FAST5
IUWNE-FAST6
IUWNE-FAST7
IUWNE-FAST8
Fastuser5
Fastuser6
Fastuser7
Fastuser8
cisco
cisco
cisco
cisco
Activity Procedure
Complete these steps:
Step 1
From your class PC, open a secured web session to your Cisco 2106 controller. Its
IP address should be in the form 10.X0.1.10, where X is your pod number.
Step 2
Click Login. Enter your credentials. Your administrative username should be in the
form adminX, where X is your pod number, and password should be cisco.
Step 3
Navigate to WLAN.
Step 4
Disable your IUWNE-ROAMX SSID from the previous lab (IUWNE-X should still
be disabled). Click it. A new screen appears.
Step 5
Step 6
Your WLAN still appears in the list, but is disabled. No connection will be allowed
to this WLAN, and it will not be seen on the AP (footnote 22).
Step 7
Step 8
In the screen that appears, leave the WLAN Type to its default, WLAN. Enter the
profile name. It should be EAP_FAST.
Step 9
Assign the correct SSID as indicated on your lab map. It should be in the form
IUWNE-FASTX, where X is your pod number.
Footnote 22: Your controller could have several active WLANs, but in a crowded lab environment it is better to limit the WLANs
to the one you really need.
Step 10
Click the Apply button to create the new WLAN. A new edit screen will appear.
Step 11
Step 12
Step 13
Step 14
Click Apply to create the WLAN. Its security parameters are not configured yet;
you will return to them later in this task.
Step 15
Step 16
Step 17
Step 18
Step 19
Step 20
Do not click Guest User. You will not limit the user session in this task, and guest
user only applies to web authentication-based WLANs.
Step 21
Step 22
Fill in the description for this user; Local user for the EAP FAST WLAN.
Step 23
Step 24
Specify to the controller that the user credentials should be retrieved from the
controller. Choose Security > Local EAP > Authentication Priority.
Step 25
The column on the right is the one that is used to authenticate the client's
credentials. Verify that LDAP is in the left column so that it will not be used. If not,
select LDAP, click the "<" button, and click Apply. This puts the user credentials in
the local database first.
Step 26
Create a new EAP profile. This profile will be used to apply your policy to the EAP
FAST WLAN. Choose Security > Local EAP > Profiles.
Step 27
Click New.
Step 28
When the new window appears, enter the Profile Name. It should be in the form
EAP-FASTX, where X is your pod number.
Step 29
Step 30
Step 31
Click Apply.
Step 32
Step 33
Step 34
This window defines the EAP FAST parameters for your EAP FAST policy.
Step 35
You can leave the parameters to their default configuration. In a real network, you
may want to define these parameters according to your network security policy.
Step 36
Go back to your WLAN configuration. Navigate to WLAN. Click your EAP-FAST
WLAN to configure it.
Step 37
Step 38
Click AAA servers. This is where you will indicate to the controllers to use local
EAP for the incoming clients of the WLAN.
Step 39
In local EAP Authentication, check the Local EAP Authentication check box.
Step 40
Make sure that the EAP profile name is the one you created in this task (EAP-FASTX, where X is your pod number).
Step 41
Click Layer 2 Security. This field is where you will define how authentication and
encryption should work for this WLAN.
Step 42
Make sure that Layer 2 Security is set to WPA+WPA2 because you will use WPA
for this WLAN.
Step 43
Step 44
Step 45
Uncheck WPA2 Policy because WPA is the only encryption you wish to use for this
WLAN.
Step 46
Leave Auth Key Mgmt to 802.1X, which means that the client key rotation and
values will be managed by the AAA server, in this case your controller. Click Apply
to validate the changes.
Step 47
Step 48
For the local EAP values to be applied to your APs, you need to reboot your
controller. Navigate to Command.
Step 49
Step 50
Activity Verification
You have successfully completed this task when you attain these results:
VERY IMPORTANT: During step 32 to step 39 of client authentication, make sure NOT TO
DISCONNECT from the remote desktop connection to your remote wireless lab laptop. If
you disconnect during these steps, your remote wireless lab laptop may be blocked and not
respond. You would be unable to proceed with the rest of the labs. This issue is known and
cannot be avoided as a result of user action needed to confirm request for 2nd attempt to
download the final PAC file used for authentication.
Activity Procedure
Complete these steps:
Step 1
Connect to your remote lab wireless laptop using remote desktop; choose Start >
Programs > Accessories > Communications > Remote Desktop Connection.
Note
In each pod, only one connection at a time is possible to the remote lab wireless laptop.
Choose with your partner who will be connecting.
Step 2
Use the lab map to know what IP address you should use to connect to your remote
lab wireless laptop. It should be in the format 10.X0.1.240, where X is your pod
number.
Step 3
In the remote desktop connection pop-up window, in the Computer field, enter the
IP address of your remote lab wireless laptop, and click Connect.
Step 4
You will be presented with a new window where you are asked to enter the
credentials required to access your remote lab wireless laptop. Use the lab map to
know which username and password are used to connect to your pod remote lab
wireless laptop. They should be in the format studentX for the username and cisco
for the password, where X is your pod number.
Step 5
Enter the credentials and click OK. You should see the Windows desktop of your
remote lab wireless laptop.
Step 6
From your remote lab wireless laptop, choose Start > Connect To > Show All
Connections.
Step 7
Step 8
Step 9
Right-click your Cisco ASTU (the Cisco Aironet System Tray Utility, which is the
green icon on the system tray) icon and choose Open Aironet Desktop Utility.
Step 10
[23] Do not use the Cisco Mobility Express profile; it is set to work on the 2.4-GHz band only, and will not display SSIDs
in the 802.11a band.
Step 11
Click Scan.
Step 12
Step 13
Step 14
Step 15
Step 16
Step 17
Step 18
In the drop-down list at the right of the same line, choose EAP FAST.
Step 19
Step 20
Step 21
Notice that the Protected Access Credential zone is empty. Make sure that the Allow
Automatic PAC provisioning box is checked. Your client will automatically receive
its PAC from the controller.
Step 22
Make sure that the other check boxes are unchecked (meaning uncheck the default
No Network Connection Unless User Is Logged In).
Step 23
Click the Configure button at the right end of the MSCHAP v2 User name and
password line.
Step 24
Step 25
Step 26
In the user name field, enter the local net user name you created in the previous task.
It should be in the form FastuserX, where X is your pod number.
Step 27
Enter the password you created along with the local net user in the previous task. It
should be cisco.
Step 28
Step 29
Make sure the Include Windows Logon Domain with User Name is unchecked
because you do not use Windows credentials here, but a name created for this
WLAN.
Step 30
Step 31
Note
24
Both the Server or Domain Name and Login Name fields should be empty.
VERY IMPORTANT: During Steps 32 to 39, make sure NOT TO DISCONNECT from
the remote desktop connection to your remote wireless lab laptop. If you disconnect during
these steps, your remote wireless lab laptop may be blocked and not respond. You would be
unable to proceed with the rest of the labs. This issue is known and cannot be avoided as a
result of user action needed to confirm request for 2nd attempt to download the final PAC file
used for authentication.
Step 32
Click OK to continue.
Step 33
Step 34
Step 35
Step 36
As soon as you click OK, the profile is activated, and a warning about the fact that
you did not receive any valid PAC appears. Click Yes to receive the PAC
automatically [24]. The process will take a few seconds, and then fail the first attempt.
Step 37
You should be prompted for a second attempt. Click Yes. If you are not prompted,
choose Action > Re-authenticate.
Step 38
Now that you have a valid PAC, the process should succeed.
Step 39
Verify from the current status window that you did receive an IP address.
Step 40
Click the Profile Management tab, choose EAP-FAST profile, and click Modify
to edit its settings.
Step 41
Step 42
Step 43
In Protected Access Credential, there is now a value, which is the PAC sent from
your controller.
Step 44
Step 45
Click the + sign; at the left of Not Grouped, you should see your controller EAP
FAST Authority ID information and the PAC generated for your FastuserX.
Step 46
Close the manage PAC window, cancel the Configure EAP FAST window, and
cancel the configure Profile window or click OK.
Step 47
From your remote lab wireless laptop, choose Start > Connect To > Show All
Connections.
Step 48
Step 49
Activity Verification
You have successfully completed this task when you attain these results:
Activity Objective
In this activity, you will connect to the Cisco WCS and use it to manage your controller and
AP. After completing this activity, you will be able to meet these objectives:
Visual Objective
The figure illustrates what you will accomplish in this activity.
Required Resources
These are the resources and equipment that are required to complete this activity:
A connection to the remote terminal server with serial connection to your controller
Job Aids
These job aids are available to help you complete the lab activity:
Lab table
                        Pod 1        Pod 2        Pod 3        Pod 4
Username                Admin1       Admin2       Admin3       Admin4
Password                Public1!     Public1!     Public1!     Public1!
Controller IP address   10.10.1.10   10.20.1.10   10.30.1.10   10.40.1.10
AP new channel          40           44           48           52

                        Pod 5        Pod 6        Pod 7        Pod 8
Username                Admin5       Admin6       Admin7       Admin8
Password                Public1!     Public1!     Public1!     Public1!
Controller IP address   10.50.1.10   10.60.1.10   10.70.1.10   10.80.1.10
AP new channel          56           60           64           36
Activity Procedure
Complete these steps:
25
Step 1
Step 2
From your local classroom PC, open a secure web browser session to the address:
https://10.100.1.125.
Step 3
After a few seconds, a popup window appears informing you that the certificate is
self-signed. Click OK to continue.
Step 4
On this server, the default web server is used for a previous lab. Do make sure to use https, and not http.
Step 5
Connect using the credentials root for a username and Wlan2day for a password.
Step 6
If you log in successfully you should see a monitor screen similar to that shown
below. Take some time to look at what is displayed.
Step 7
You are logged in as root. You need to create your own account. In the upper menu,
click Administration, and choose AAA.
Step 8
Before creating a new user, you need to check the password policy on this Cisco
WCS instance. In the left-hand menu, click Local Password Policy.
Step 9
A new window appears, showing the local policy. This is where password
complexity level is defined. Take some time to examine the parameters, but do not
change them because they impact the whole Cisco WCS system.
Step 10
Step 11
A new screen appears. In the upper-right drop-down list, choose Add User. Click
Go to continue.
Step 12
A new screen appears. In Username, enter AdminX, where X is your pod number.
Step 13
In New Password, enter Public1!. It conforms to the local policy password strength.
Step 14
Step 15
Step 16
Step 17
The message User added successfully should appear in the upper part of the
screen.
Step 18
Step 19
Step 20
In the upper-right menu, choose Logout. Log in again using your user credentials.
Step 21
Step 22
Cisco WCS allows each user to have a specific home page. As an administrator, you
want to optimize this welcome page (a newer feature starting in v4.2). As an example
for this lab, you do not need the Mesh tab, and would also like to monitor controller
CPU and memory load. Click Edit Tabs in the upper-right corner.
Step 23
A new window appears. Click the Mesh name, and choose Delete. Notice at the
bottom that you can always reset to factory defaults from this page.
Step 24
Click Save.
Step 25
You are back to the Home screen, and the Mesh tab is removed. Click Edit
Contents in the upper-right part of the screen.
Step 26
Step 27
In available content, click Controller CPU Utilization, and click Add to Left
Column.
Step 28
In available content, click Controller Memory Utilization, and click Add to Right
Column.
Step 29
Click Save.
Step 30
You are back to the WCS Home, and the General tab now also shows Controller
CPU and Memory values.
Activity Verification
You have successfully completed this task when you attain these results:
You are connected to the Cisco WCS with the user you created.
Activity Procedure
Complete these steps:
Step 1
Step 2
Step 3
Open the drop-down window on the right, choose the Add Controllers option, and
then choose GO.
Step 4
You will be prompted with a new screen where you will enter the IP address and net
mask of the Management interface on your WLAN controller. It should be in the
form 10.X0.1.10, where X is your pod number [26].
[26] Notice the SNMP parameters part of the screen. Your controller will be discovered using SNMP, for which the read
and write community is defaulted to private on the controllers. In a production environment, you would change these
defaults, which present a high security risk, both on the Cisco WCS and on the controller, in Management > SNMP.
Step 5
Step 6
After a short search, you should get a message that your controller has been added to
Cisco WCS.
Step 7
Step 8
Step 9
Step 10
A new window appears, showing your controller's main monitor page, seen from the
Cisco WCS. You could configure your controller directly from here.
Step 11
Step 12
Step 13
Step 14
A new page appears, showing the WLANs configured on the controller. You could
manage them directly from here.
Step 15
Step 16
You should see your AP in the list. Its status should be green. Click its name.
Step 17
You can see your AP details. Take some time to examine its parameters.
Activity Verification
You have successfully completed this task when you attain these results:
You could verify that your AP was brought along with it.
Activity Procedure
Complete these steps:
Step 1
From Cisco WCS, navigate to Configure, and choose Controllers. Notice that it is
also possible to choose Controller templates, to deploy a configuration parameter to
several controllers in one click. Do not choose that option; choose Controllers.
Step 2
Step 3
In the new page, showing your controller properties, click WLANs in the left menu, and
then the WLANs subgroup.
Step 4
You see the list of all the WLANs you created before. You do not use the Roaming
profile anymore.
Step 5
Check the check box on its left to choose the Roaming profile, then in the upper
right menu, choose Delete WLANs in the pull-down options, and click GO.
Step 6
Step 7
Step 8
From the upper menu, choose Configure > Access Points. Notice that it is also
possible to choose AP templates, to deploy a configuration parameter to several APs
in one click. Do not choose that option; choose Access Points.
Step 9
Step 10
A new screen appears with your AP parameters. Change its location to IUWNEModule 5.
Step 11
Step 12
Step 13
In the lower part of the screen, locate your 802.11a/n radio parameters. Click it to
edit its settings.
Step 14
                 Pod 1   Pod 2   Pod 3   Pod 4
AP new channel   40      44      48      52

                 Pod 5   Pod 6   Pod 7   Pod 8
AP new channel   56      60      64      36
Step 15
In TX power Level assignment, click Custom, and choose 4 for the Channel power
value.
Step 16
Step 17
The values you chose should appear now, instead of the previous values.
Step 18
As in a previous lab, click Global for both the RF Channel Assignment and TX
Power level Assignment without changing the values you chose.
Step 19
Step 20
Verify the status of the WLAN change the same way you did before. Click
Configure > Controllers.
Step 21
Check the check box at the left of your controller IP address. In the upper-right
drop-down list, choose Audit Now. Click GO.
Step 22
After a few seconds, an audit report should appear, informing you that there is no
difference between the controller and the Cisco WCS configurations.
Step 23
To confirm, open a web session to your controller and navigate to WLAN. The
Roaming profile should have disappeared.
Step 24
Click Wireless. In the left menu, choose Radio > 802.11a/n radio. Verify that your
AP has the values transmitted by the Cisco WCS.
Activity Verification
You have successfully completed this task when you attain these results:
You could audit for differences between the network devices configuration and the one
seen on the Cisco WCS.
You could verify that changes were propagated to the network devices.
Activity Objective
In this activity, you will add a map to the Cisco WCS and position your AP on it. After
completing this activity, you will be able to meet these objectives:
Visual Objective
The figure illustrates what you will accomplish in this activity.
Required Resources
These are the resources and equipment that are required to complete this activity:
A connection to the remote terminal server with serial connection to your controller
Job Aids
These job aids are available to help you complete the lab activity:
Lab table
                Pod 1       Pod 2       Pod 3       Pod 4
Campus name     Campus1     Campus2     Campus3     Campus4
Building name   Building1   Building2   Building3   Building4
Floor name      Floor1      Floor2      Floor3      Floor4

                Pod 5       Pod 6       Pod 7       Pod 8
Campus name     Campus5     Campus6     Campus7     Campus8
Building name   Building5   Building6   Building7   Building8
Floor name      Floor5      Floor6      Floor7      Floor8
Activity Procedure
Complete these steps:
Step 1
Step 2
From the drop-down menu in the upper right part of the screen, under Select a
command, choose Properties, and click Go.
Step 3
Note
Even if you would prefer to work in feet and inches, do not change these parameters without
the agreement of your instructor because they globally affect the Cisco WCS and the other
pods.
Step 4
In the Refresh map from Network field, make sure that Enable is chosen.
Step 5
Leave the Wall Usage calibration field to its default Auto value.
Step 6
Leave the Advanced debug mode field to its default Disable value.
Note
Choosing to refresh a map from the network affects the polling parameters of the system,
and may impact the performances of your system. This is a lab environment, but you may
want to consider this impact before enabling the feature in a production environment.
Step 7
Click OK to apply.
Step 8
From the drop-down menu in the upper right part of the screen, under Select a
command, choose New Campus, and click Go.
Step 9
Step 10
Step 11
Click Browse and navigate to the folder on your local classroom PC containing the
campus maps. Choose Campus-Bldg 14.jpg campus map.
Step 12
Step 13
You need to specify the size of your campus. Verify that the Maintain aspect ratio
box is chosen, and enter the horizontal span of the map you imported: 387 m (1270
feet).
Step 14
Notice that as you change the horizontal span, the vertical span is dynamically
adjusted. Click OK to continue.
Step 15
You should now see your campus under the map list. Click its name (CampusX) to
see its details.
Step 16
Step 17
In the Name fields, enter your Building name. It should be in the format BuildingX
(X = pod number).
Step 18
In the Contact field, enter your name. This building has 4 floors and 1 basement.
Adjust your respective fields accordingly.
Step 19
Your building's horizontal position should be 140.5, and vertical position 15.6. Its
span should be 92 m wide (301 feet) and 54 m high (177 feet).
Step 20
Click Place to validate your building specifications, and then click Save.
Step 21
The square around your building should become green. Click the building name
(BuildingX) to edit its settings.
Step 22
A new screen appears. It is empty because there are no floors yet in this building. In
the upper-right drop-down list, choose New Floor Area. Click GO.
Step 23
In the Floor Area Name fields, enter your floor name FloorPodX (X = pod number).
Step 24
Step 25
Step 26
Step 27
Step 28
Click Browse and navigate to the folder on your local classroom PC containing the
maps. Choose West-Wing.png map.
Step 29
Click Next.
Step 30
Step 31
Activity Verification
You have successfully completed this task when you attain these results:
Activity Procedure
Complete these steps:
Step 1
Step 2
Step 3
The first element you need to work on is the map scale. A mistake was made while
entering the floor size, and the floor needs to be rescaled. For now the scale appears
to be close to 82m wide, which is the size of the whole building. The map you have
represents only part of this building, so the scale needs to be corrected. You know
that the Lab 151 room is 8m wide.
Step 4
In the toolbar, there is an icon that looks like a caliper. When moving your mouse
over it, a label shows Scale floor. Click it.
Step 5
Click the left wall (and hold click) and pull it to the right wall of the Lab 151 room,
and then release the click.
Step 6
A popup window appears asking the length of the line. As you enter a value, the
total new width of the map appears. Enter 8 m as the value of LAB 151 width, so
that the new total width of the map is close to 36m. Click OK to validate.
Step 7
Step 8
In this scenario, Lab 153 is the area to which you are asked to provide wireless
coverage.
Step 9
You want to know the size of Lab 153 for your future reference. In the toolbar in the
upper left, there is an icon that looks like a ruler. Click it. Click the left wall of the
lab, then drag the mouse to the right wall (while holding the click) and release the
click. As you move the mouse, the distance appears in the upper-left corner under
distance. Repeat the same operation to obtain the vertical distance from Lab 153's
lower wall to the lab door.
Step 10
Step 11
It is time to give the Cisco WCS an awareness of the wall thicknesses. For now, on
this map, walls are just background lines. Under the Map Editor, you can tell the
Cisco WCS what kind of wall they actually are. Click the line icon in the upper-left
part of the screen. It is labeled Draw Obstacles.
Step 12
Click the arrow at the right of the blue rectangle (upper-left part of the screen).
Step 13
A new window appears where you can choose the type of wall you want to represent
in the pull-down options. Choose Thick Wall, and click Done. Notice the respective
change in the approximate dB signal value related to the option.
Step 14
The mouse becomes a cross. The external walls are thick walls. Place the mouse at
the upper-right corner of the building, beyond the meeting room, and click the first
time. Move the mouse down following the wall. Click a second time to define this
next corner of the building and continue on the right. Carry on drawing the external
wall until you reach the bottom-left end of the building; press Escape to interrupt
the wall. You now have a thick wall obstacle (13 dB).
Step 15
In the obstacle menu, choose a light wall obstacle (2 dB). Draw the interior walls
around Lab 151, Lab 152, Lab 153 and the storage rooms in the upper-left part of
Lab 153 [27]. Do not go over the doors.
Step 16
In the obstacle menu, choose a light door obstacle, and draw the doors of the
different rooms around the lab. You can use the zoom option to make sure that the
walls are in contact, and that there is not a one-dot-wide opening between an
obstacle and the next one where there is continuity.
Step 17
Step 18
Step 19
Read the warning about unsaved changes. Since you just saved, you can safely click
OK to continue and exit.
Activity Verification
You have successfully completed this task when you attain these results:
You could resize the map to match the actual area size.
You could draw walls around the area you want to cover.
Activity Procedure
Complete these steps:
Step 1
[27] The main area of coverage is Lab 153, but the signal will obviously spread through the thin walls, and you need to
know the actual area of coverage.
Step 2
In the upper-right drop-down menu, click Add Access Points. Click Go to continue.
Step 3
A new window appears, showing the list of the available APs. Click yours. Click
OK to continue.
Step 4
Step 5
Position your AP exactly in the center of the grid in the middle of the lab. Position is
25 horizontal, 15 vertical.
Step 6
In the left menu, verify or choose your antenna. The 802.11a/n radio is using the
AIR-ANT5135D-R antenna. It is pointing towards the Lab door (270 degrees). It is
also slightly pointing downwards (10 degrees).
Step 7
In the upper part, your AP height is 2.95m from the floor. Click Save to validate
your AP position.
Step 8
The map is refreshed, taking your AP into consideration. The heat map does not
show because the view is by default on the 802.11b/g/n radio.
Step 9
Click Layers.
Step 10
Click the arrow at the right end of Access point. A new window appears.
Step 11
Step 12
Step 13
Step 14
Click OK to validate.
Step 15
Step 16
Step 17
Position your mouse over your AP. A new menu shows with your AP
characteristics. Document your AP channel: _________________
Step 18
Step 19
Step 20
Click 802.11b/g/n radio. Verify that the radio is not seen at present.
Step 21
Click 802.11a/n. In the window, click View Rx Neighbors. Document the first two
neighbors you see:
Neighbor 1 Name:______________________________RSSI__________________
Neighbor 2 Name:______________________________RSSI__________________
28
Step 22
Step 23
The AP is placed incorrectly. It is actually exactly over the Lab word on the map.
From the upper-right drop-down list, choose Position APs.
Step 24
Click OK to continue.
Step 25
Step 26
The difference between the AP uptime and the LWAPP uptime is the time it took for your AP to join the controller.
Step 27
You want to verify the coverage pattern of your AP. In the upper right drop-down
list, choose Recompute RF Prediction. Notice the other available options.
Step 28
Click Go.
Step 29
Activity Verification
You have successfully completed this task when you attain these results:
Activity Objective
In this activity, you will use the Cisco WCS tools to manage alarms and locate devices. After
completing this activity, you will be able to meet these objectives:
Visual Objective
The figure illustrates what you will accomplish in this activity.
Required Resources
These are the resources and equipment that are required to complete this activity:
An LWAPP AP
Job Aids
These job aids are available to help you complete the lab activity:
Activity Procedure
Complete these steps:
29
Step 1
Step 2
Verify that you are still connected to the Cisco WCS, having a secure web browser
session to the address: https://10.100.1.129.
Step 3
Step 4
At the bottom-left of the page, locate the dashboard called Alarm Summary.
Step 5
There should be some Malicious AP messages. Click the number you see for
Malicious AP messages. If there are no reported malicious AP messages, click
Monitor Security. Before version 5.0, Cisco WLC and Cisco WCS displayed
too many rogue APs by default. Starting in version 5.0, the display depends on
rules-based rogue classification in both Cisco WLC and Cisco WCS.
Step 6
Click the number under Total Active in the Unclassified Rogue Access Points Alert
line.
Step 7
The yellow messages represent the APs not known by each controller. This means
that controller 2106-1 can report as rogue the AP on controller 2106-3, because
these two controllers are not in the same mobility group. Controllers will not report
APs seen on other controllers in the same mobility group, but will report any other
AP. This is why you may see APs from other pods, reported by your controller as
rogue, or APs from your pod, reported as rogue by the controllers outside your
mobility group.
Step 8
Step 9
Step 10
Step 11
If the rogue is on the same channel as one of your APs, you should see the rogue
channel information. If the rogue is on another channel, it may be flagged as
unknown because your AP may only hear a distant signal without being sure of the
channel. Look at the time and date the alarm was created. This was the first time the
rogue was detected on your network.
Step 12
Step 13
Document when this alarm was created, which is when your AP detected it for the
first time:
____________________________________________________________________
Step 14
You want to know which AP detected this rogue. From the upper right drop-down
window, choose detecting APs. Click GO.
Step 15
A new screen appears, giving you details about the AP or APs detecting it.
Step 16
You want to know if this rogue has affected your AP performance. From the upper
menu, choose Reports > Performance Report.
Step 17
Step 18
In Report title, enter a report name. It should be in the form PerformanceX, where
X is your pod number.
Step 19
Step 20
Step 21
Step 22
Step 23
Step 24
Step 25
Step 26
Browse down to the FCS Error Rate report. Try to see if the rogue AP detection date
and time seen at Step 11 match with a change in the reported FCS rate.
Step 27
You also want to know how many rogue APs your controller has reported since the
beginning of the class. In Reports, choose Security Report.
Step 28
A new screen appears. In the left menu, choose Rogue APs Events.
Step 29
From the upper right drop-down menu, choose New. Click Go.
Step 30
In report title, enter the report name. It should be in the format RogueX, where X is
your pod number.
Step 31
Step 32
Step 33
Step 34
Step 35
Step 36
Step 37
The report shows which rogues were detected and when. Most of them were
probably reported when you first configured your controller or a few seconds later.
Count how many rogues were detected:
___________________________________________________________________
Step 38
Step 39
In the upper left, click the Home icon to go back to the main page.
Activity Verification
You have successfully completed this task when you attain these results:
You could run some reports and analyze the rogue message.
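The reporting rule from Step 7 and the channel and first-detection behaviour from Step 11, modelled in Python as an added example; it is not part of the lab guide and is not Cisco WCS code. The controller names 2106-1 and 2106-3 and the channel numbers come from the lab; the mobility group names, the controller 2106-1b, the AP names, BSSIDs and timestamps are constructed, and "may be flagged as unknown" is simplified to "is flagged as unknown".

```python
from dataclasses import dataclass, field
from datetime import datetime


@dataclass(frozen=True)
class ManagedAP:
    name: str
    bssid: str
    channel: int
    controller: str          # controller this AP has joined


@dataclass(frozen=True)
class Observation:
    detecting_ap: str        # managed AP that heard the BSSID
    bssid: str
    channel: int             # channel the heard AP transmits on
    seen_at: datetime


@dataclass
class RogueAlarm:
    controller: str          # controller that raises the alarm
    bssid: str
    created: datetime        # first detection (Step 11, Step 13)
    channel: str = "unknown"
    detecting_aps: list = field(default_factory=list)   # Step 14 / Step 15


def build_alarms(mobility_groups, aps, observations):
    """Return {(controller, bssid): RogueAlarm} for every AP a controller reports."""
    ap_by_name = {ap.name: ap for ap in aps}
    owner_by_bssid = {ap.bssid: ap for ap in aps}
    alarms = {}
    # Process in time order so that 'created' is the first detection.
    for obs in sorted(observations, key=lambda o: o.seen_at):
        detector = ap_by_name[obs.detecting_ap]
        reporter = detector.controller
        owner = owner_by_bssid.get(obs.bssid)
        # Step 7: APs on controllers of the same mobility group are not reported.
        if owner and mobility_groups[owner.controller] == mobility_groups[reporter]:
            continue
        key = (reporter, obs.bssid)
        if key not in alarms:
            alarms[key] = RogueAlarm(reporter, obs.bssid, obs.seen_at)
        alarm = alarms[key]
        if detector.name not in alarm.detecting_aps:
            alarm.detecting_aps.append(detector.name)
        # Step 11 (simplified): the channel is known only when the detecting AP
        # works on the same channel as the rogue.
        if obs.channel == detector.channel:
            alarm.channel = str(obs.channel)
    return alarms


def summarize(alarms):
    """Sorted, printable view of the alarms."""
    return sorted(
        (a.controller, a.bssid, a.channel, a.created.isoformat(), tuple(a.detecting_aps))
        for a in alarms.values()
    )


# --- Constructed sample data (hypothetical names, documentation MAC range) ---
GROUPS = {"2106-1": "group-pod1", "2106-1b": "group-pod1", "2106-3": "group-pod3"}
POD1, POD1B, POD3 = "00:00:5e:00:53:01", "00:00:5e:00:53:1b", "00:00:5e:00:53:03"
UNMANAGED = "00:00:5e:00:53:ff"
APS = [
    ManagedAP("AP-pod1", POD1, 40, "2106-1"),
    ManagedAP("AP-pod1b", POD1B, 44, "2106-1b"),
    ManagedAP("AP-pod3", POD3, 48, "2106-3"),
]


def at(hour, minute):
    return datetime(2024, 1, 1, hour, minute)


OBSERVATIONS = [
    Observation("AP-pod1", POD3, 48, at(9, 0)),        # other mobility group
    Observation("AP-pod3", POD1, 40, at(9, 1)),        # and the reverse view
    Observation("AP-pod1", POD1B, 44, at(9, 2)),       # same group: ignored
    Observation("AP-pod1", UNMANAGED, 40, at(9, 20)),  # later sighting
    Observation("AP-pod1", UNMANAGED, 40, at(9, 5)),   # first sighting
    Observation("AP-pod1b", UNMANAGED, 40, at(9, 7)),  # heard from channel 44
]

if __name__ == "__main__":
    print("Separate mobility groups:")
    for row in summarize(build_alarms(GROUPS, APS, OBSERVATIONS)):
        print("  ", row)
    shared = {name: "group-shared" for name in GROUPS}
    print("One shared mobility group:")
    for row in summarize(build_alarms(shared, APS, OBSERVATIONS)):
        print("  ", row)
```

With one shared mobility group, only the alarms for the unmanaged BSSID remain, which is the asymmetry Step 7 describes between pods.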
Activity Procedure
Complete these steps:
Step 1
Reopen the remote desktop connection to your remote lab wireless laptop.
Step 2
From your remote lab wireless laptop, choose Start > Connect To > Show All
Connections.
Step 3
Step 4
Step 5
Right-click your Cisco ASTU (The Aironet System Tray Utility, which is the green
icon on the system tray) icon and choose Open Aironet Desktop Utility.
Step 6
Click the Profile Management tab. Click the EAP-FAST profile. You should get
connected to the network.
Step 7
Open a command prompt. Click Start > All Programs > Accessories > Command
Prompt.
Step 8
You want to ping your controller continuously, but want to make sure that you are
using the wireless link and not the wired link.
Step 9
Step 10
You will see the IP address of your Cisco WLAN adapter. Enter a static route using
this IP address to reach your controller virtual gateway IP address. Enter route add
1.1.1.1 mask 255.255.255.255 followed by your Cisco WLAN card IP address.
For example: route add 1.1.1.1 mask 255.255.255.255 10.10.1.28.
Step 11
Ping your controller continuously. Enter ping -t followed by your controller virtual
gateway IP address: ping -t 1.1.1.1.
Step 12
Step 13
Step 14
Step 15
Step 16
Step 17
You will see all the detected rogues. Because some controllers are in different
mobility groups, they report the others as rogues. In the list your AP with its WLAN
should also be seen as rogue. To understand what containment does, you will try to
treat it as a rogue and contain it.
Step 18
Click the rogue MAC address that matches your WLAN, IUWNE-FASTX, where X
is your pod number.
Step 19
In a real network, you would not contain your own APs. However, in this case,
suppose that a valid client of yours has connected by mistake to this rogue AP. To
contain it, from the upper drop-down window, choose 1 AP Containment [30].
Step 20
Click GO.
Step 21
Read the warning. In a real network, you want to make absolutely sure that you are
containing a real rogue in your network before containing an AP. Disconnecting
valid clients from neighbor networks is usually forbidden.
Step 22
[30] A rogue AP is reported here and you decide to contain it. To contain it implies that disassociation messages will be
sent to this AP's clients. In other words, Cisco WCS will ask the other APs around this one to spoof this AP's MAC
address, and send disassociation messages. This implies that you actually use the other groups' APs to contain your
rogue. You do not need more than one AP in this case, because all the APs and clients are in short range from each
other.
Step 23
To see the effect of this containment, reopen the remote desktop connection to your
remote lab wireless laptop.
Step 24
The ping should fail most of the time. This connection has become unusable. In a
real network, using more than one AP to contain the rogue, all the pings would
probably fail. In a lab environment, because all APs are busy containing the others,
the connection is simply heavily disturbed.
Step 25
You suddenly realize that the rogue is actually one of your APs. Reopen the Cisco
WCS web browser interface.
Step 26
From the same rogue AP window, choose Set state to Friendly internal from the
upper-right menu. Click Go to confirm. This will stop the containment, and tell
Cisco WCS that this AP is one of the controller's APs.
Step 27
Step 28
Step 29
The ping should now be successful. The ping packets should be more consistent
with response times and without multiple drops.
Step 30
Close the command prompt window. Closing the window also interrupts the ping
process.
Step 31
From your remote lab wireless laptop, click Start > Connect To > Show All
Connections.
Step 32
Step 33
Step 34
Step 35
Step 36
Activity Verification
You have successfully completed this task when you attain these results:
Activity Objective
In this activity, you will perform maintenance tasks to protect your network against failures.
After completing this activity, you will be able to meet these objectives:
Use the command line to save your controller configuration files and manipulate them
Use a TFTP server to save your controller configuration files and manipulate them
Visual Objective
The figure illustrates what you will accomplish in this activity.
Required Resources
These are the resources and equipment that are required to complete this activity:
A connection to the remote terminal server with serial connection to your controller
In the remote lab, a remote lab wireless laptop with TFTP server
Command List
The table describes the commands that are used in this activity.
Display Controller Configuration and State Commands
Command
Description
show run-config
show running-config
Activity Procedure
Complete these steps:
Step 1
Make sure that you have a VPN connection to the remote lab.
Step 2
Connect to your remote lab wireless laptop using remote desktop; choose Start >
Programs > Accessories > Communications > Remote Desktop Connection.
Note
In each pod, only one connection to the remote lab wireless laptop is possible at a time.
Choose with your partner who will be connecting.
Step 3
Use the lab map to find the IP address you should use to connect to your remote
lab wireless laptop. It should be in the format 10.X0.1.240, where X is your pod
number.
Step 4
In the remote desktop connection pop-up window, in the computer field, enter the IP
address of your remote lab wireless laptop, and click Connect.
Step 5
You will be presented with a new window where you are asked to enter the
credentials required to access your remote lab wireless laptop. Enter your credentials
to your remote lab wireless laptop. They should be in the format studentX for the
username and cisco as the password, where X is your pod number.
Step 6
Enter the credentials and click OK. You should see the Windows desktop of your
remote lab wireless laptop.
Step 7
Open a Telnet session to your controller. From your remote lab wireless laptop,
choose Start > All Programs > Accessories > Command Prompt.
Step 8
Enter telnet followed by the Management IP address of your Cisco 2106 controller.
It should be in the form telnet 10.X0.1.10, where X is your pod number.
Step 9
Step 10
At the command prompt, enter show run-config (note, not the same as show
running-config).
Step 11
Step 12
Further on, verify whether your controller supports Management via Wireless, that is,
whether it allows wireless users to connect to the controller for management purposes:
_______
Step 13
Step 14
Step 15
Step 16
Step 17
Step 18
The configuration file displayed by the show run-config command gives you extensive
information about your controller parameters, but it cannot be replicated as a configuration
file on another controller. It is used for analysis purposes only. Another
command, show running-config, gives information about the controller configuration in command
form, just like on a router or a switch. Try it;
from the command prompt, enter show running-config.
Step 19
A list of parameters appears on the command line. This is a configuration file closer
to the one you see on routers and switches, and that can be captured and saved.
Notice the difference between the two commands: show run-config and show running-config.
Capture the information. In the configuration file, try to locate the Virtual interface
address. This information should be about four pages down in sequence.
Step 20
From the command line window, right-click the blue bar on top of the window, and
choose Edit. In the submenu, choose Mark.
Step 21
Select the line describing your virtual interface on the screen. It should be
highlighted as you select it.
Step 22
While still having the text highlighted, right-click the blue bar, choose Edit, and
choose Copy.
Step 23
Still from the remote lab wireless laptop, open the notepad. Click Start > All
Programs > Accessories > Notepad.
Step 24
Step 25
Step 26
You want to verify whether this configuration file can be injected into a controller. Change
the Virtual interface address in the Notepad file from 1.1.1.1 to 1.1.1.2.
Step 27
Select the whole Notepad file; choose Edit > Select All.
Step 28
Step 29
Move back to your controller command prompt. At the prompt, enter config.
Step 30
Step 31
Right-click the blue bar, choose Edit > Paste. This will paste the line copied from
Notepad back into the controller. You may see a message informing you that the
system needs to be restarted. Do not restart.
Step 32
Still from your remote lab wireless laptop, open a secured web browser session to
your controller. Its IP address should be in the form 10.X0.1.10, where X is your
pod number.
Step 33
Step 34
Step 35
Your virtual IP address is now 1.1.1.2. This shows that the configuration captured
from the show running-config command can be used to duplicate the configuration
to another controller, and can also be modified.
Step 36
Step 37
Close Notepad, leave the command prompt and web interface open.
Activity Verification
You have successfully completed this task when you attain these results:
You could capture the configuration file from the command prompt, modify it, and reinject
it back to the controller.
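Because show running-config output is plain command text that can be captured, edited, and pasted back, it can also be reviewed automatically. The following Python sketch is an added example, not part of the Cisco lab guide: it flags settings that appear in this guide's answer-key output (Telnet management, SNMP v2c, WPA disabled on a WLAN) and reports drift between two captures. The sample text, rule names, and the treatment of syslog host 0.0.0.0 as "unset" are assumptions made for illustration.

```python
import re

# Constructed baseline: lines copied from the answer-key output in this guide.
BASELINE = """\
interface address management 10.10.1.10 255.255.255.0 10.10.1.254
interface address virtual 1.1.1.1
logging syslog host 0.0.0.0
mgmtuser add admin1 **** read-write
network telnet enable
snmp version v2c enable
snmp version v3 enable
sysname 2106-1
wlan create 1 IUWNE-1 IUWNE-1
wlan create 2 EAP_FAST IUWNE-FAST1
wlan security wpa disable 1
"""

# Constructed second capture: the same controller after the Task 1 paste,
# where the virtual interface address was changed from 1.1.1.1 to 1.1.1.2.
CURRENT = BASELINE.replace("interface address virtual 1.1.1.1",
                           "interface address virtual 1.1.1.2")


def config_lines(text):
    """Return non-empty config lines with whitespace normalised."""
    return [" ".join(ln.split()) for ln in text.splitlines() if ln.strip()]


def audit(text):
    """Return (rule, detail) findings for settings a reviewer should look at."""
    lines = config_lines(text)

    # First pass: map WLAN id -> SSID so findings can name the WLAN.
    ssids = {}
    for line in lines:
        m = re.fullmatch(r"wlan create (\d+) (\S+) (\S+)", line)
        if m:
            ssids[m.group(1)] = m.group(3)

    findings = []
    for line in lines:
        if line == "network telnet enable":
            findings.append(("TELNET", "management over cleartext Telnet is enabled"))
        elif line == "snmp version v2c enable":
            findings.append(("SNMPV2C", "SNMP v2c (cleartext community string) is enabled"))
        elif line == "logging syslog host 0.0.0.0":
            # Assumption: 0.0.0.0 means no remote syslog host is configured.
            findings.append(("NO_SYSLOG", "no remote syslog host is set"))
        elif (m := re.fullmatch(r"wlan security wpa disable (\d+)", line)):
            ssid = ssids.get(m.group(1), "unknown SSID")
            findings.append(("WPA_OFF", f"WPA disabled on WLAN {m.group(1)} ({ssid})"))
        elif (m := re.fullmatch(r"mgmtuser add (\S+) \S+ read-write", line)):
            findings.append(("RW_ADMIN", f"read-write management user {m.group(1)}"))
    return findings


def drift(baseline, current):
    """Return (removed, added) lines between two captures, order preserved."""
    old, new = config_lines(baseline), config_lines(current)
    removed = [ln for ln in old if ln not in new]
    added = [ln for ln in new if ln not in old]
    return removed, added


if __name__ == "__main__":
    for rule, detail in audit(CURRENT):
        print(f"[{rule}] {detail}")
    removed, added = drift(BASELINE, CURRENT)
    for ln in removed:
        print("- " + ln)
    for ln in added:
        print("+ " + ln)
```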
Activity Procedure
Complete these steps:
Step 1
From the remote lab wireless laptop, minimize the web interface and the command
prompt to access your desktop.
Step 2
Step 3
Step 4
Step 5
In the remote laptop task bar, click the web browser to go back to the Controller
interface.
Step 6
Click Save Configuration once again to be sure that the configuration is saved to
NVRAM.
Step 7
Step 8
Step 9
Its current value is 1.1.1.2, and this is the value saved in NVRAM. Change the value
to 1.1.1.3. Click Apply to validate the change.
Step 10
Read the warning, "Please reset the system for the change to take effect."
Click OK to continue; however, do NOT reset the system.
Step 11
Do not click Save configuration. The value in NVRAM is 1.1.1.2, and the value in
RAM is 1.1.1.3.
Step 12
Navigate to Commands.
Step 13
Step 14
Step 15
Step 16
In TFTP server IP address, enter the IP address of your remote lab wireless laptop's wireless (not
wired) interface, documented in Step 4. Again, make sure that you use
the wireless interface IP address, not the wired one.
Step 17
In File path, enter /, the root directory of the TFTP server, which is your
desktop.
Step 18
Step 19
Click Upload.
Step 20
Read the warning about the file encryption, and click OK to continue.
Step 21
Look at the web interface. The process is reported as started, but then fails.
Step 22
The reason for this failure is that by default, management from wireless machines is
forbidden for security reasons. You could enable Management from Wireless in the
Management main menu, which would allow you to connect to your wireless
controller from a wireless machine; however, you would still not have the right to
upload and download controller configuration files via wireless. Only direct wired
Ethernet controller management would be allowed for transfer of configuration,
controller software, and so on.
Step 23
In the TFTP server window, choose your wired interface. It should be in the form
10.X0.1.240, where X is your pod number.
32
File Encryption encrypts the file before downloading it. Although this feature increases the file protection, you will
need to examine the downloaded file. It has to be unencrypted to be readable.
Step 24
From your controller web interface, change the TFTP server IP address to the new
address.
Step 25
Try again to upload the configuration file from the controller to the TFTP server.
Step 26
Step 27
Minimize the web browser window. The configuration file should be on your desktop. As
it is a .txt file, Notepad would be used to open it by default, but WordPad would
actually be better for reading it. Right-click your file, choose Open with, and then
choose WordPad.
Step 28
The file is an XML file. You can see tags marking the different zones. The great advantage
of XML is that it is a universal language, and the file could be used in many
applications.
Step 29
Step 30
In find what, enter 1.1.1.3. Click Find Next. The value cannot be found.
Step 31
Click Edit > Find Again, and this time enter 1.1.1.2. The value is found. This
means that the file sent when uploading the configuration file is the file in NVRAM,
not the file in RAM. A good practice is to always click Save Configuration before
saving a file, to avoid differences between the controller's actual configuration and the
saved file.
Step 32
Step 33
Click Find Next. You will find several checksum areas. XML files are not normal
text files. If you were to edit this file with Notepad or WordPad and inject it back to
the controller, the process would work, but the controller would reboot and fail on
the checksum verification for this file. The result would be that the controller could
not use this file and would revert back to the initial setup wizard.
Step 34
Step 35
Click File > Exit. If the program asks if you want to save any change, answer No.
Step 36
You will now use an XML editor to look at the file. In your remote lab wireless
laptop, locate a yellow circle icon on your desktop called Cooktop. Double-click it
to start the program.
Step 37
Cooktop is a free XML file editor. It can change the file content just like a text
editor, but it will also recompute the checksums to make sure that the file is not corrupted
when reinjected. Click File > Open File.
Step 38
In Look In, choose Desktop. Verify that you are using All Files *.* versus the
default of All Cooktop Files for the file name extensions.
Step 39
Step 40
Step 41
Step 42
The system will validate the document and recompute the XML checksums.
Step 43
Step 44
Step 45
You will try to reinject the modified configuration file to the controller. Reopen the
web browser window to your controller.
Step 46
Navigate to Commands. You should choose Download file (rather than Upload, as before).
Step 47
Step 48
Step 49
In the TFTP server section of the page, in the IP Address field, enter the IP address of your remote lab
wireless laptop's wired (not wireless) interface. It should be in the form
10.X0.1.240, where X is your pod number.
Step 50
Step 51
Step 52
In File Name, enter the configuration file name saved on your desktop.
Step 53
Click Download.
Step 54
Step 55
The download should be successful; your controller should store the downloaded
file to flash and reboot to apply it.
Step 56
Wait about a minute for your controller to reboot, and verify that you can
successfully log back in to the controller, and that the reinjected configuration was
applied.
Step 57
Step 58
Close the command prompt in your remote laptop. Close the remote desktop
session.
Activity Verification
You have successfully completed this task when you attain these results:
You have saved your configuration file to a TFTP server and could reinject it back to the
controller.
Activity Objective
In this activity, you will troubleshoot controller and client misconfigurations. Your instructor
will introduce issues on your controller, and you will have to find them. After completing this
activity, you will be able to meet these objectives:
Visual Objective
The figure illustrates what you will accomplish in this activity.
Required Resources
These are the resources and equipment that are required to complete this activity:
A connection to the remote terminal server with serial connection to your controller
Command List
The table describes the commands that are used in this activity.
Debug LWAPP Commands
Command
Description
Job Aids
These job aids are available to help you complete the lab activity:
| Parameter | Pod 1 | Pod 2 | Pod 3 | Pod 4 |
| --- | --- | --- | --- | --- |
| | 10.10.1.240 | 10.20.1.240 | 10.30.1.240 | 10.40.1.240 |
| | student1 | student2 | student3 | student4 |
| | cisco | cisco | cisco | cisco |
| Controller name | 2106-1 | 2106-2 | 2106-3 | 2106-4 |
| Administrative user | admin1 | admin2 | admin3 | admin4 |
| Administrative password | cisco | cisco | cisco | cisco |
| Management interface IP address | 10.10.1.10 | 10.20.1.10 | 10.30.1.10 | 10.40.1.10 |
| Management interface mask | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 |
| Default router | 10.10.1.254 | 10.20.1.254 | 10.30.1.254 | 10.40.1.254 |
| Management vlan id | | | | |
| Management port | | | | |
| Management DHCP server | 10.10.1.10 | 10.20.1.10 | 10.30.1.10 | 10.40.1.10 |
| AP manager IP address | 10.10.1.11 | 10.20.1.11 | 10.30.1.11 | 10.40.1.11 |
| AP Manager DHCP server | 10.10.1.10 | 10.20.1.10 | 10.30.1.10 | 10.40.1.10 |
| Virtual gateway IP address | 1.1.1.1 | 1.1.1.1 | 1.1.1.1 | 1.1.1.1 |
| | Pod1 | Pod2 | Pod3 | Pod4 |
| Enable symmetric tunneling | No | No | No | No |
| Network name | IUWNE-1 | IUWNE-2 | IUWNE-3 | IUWNE-4 |
| Allow static IP addresses | Yes | Yes | Yes | Yes |
| Radius server | No | No | No | No |
| Country code | US | US | US | US |
| | yes | yes | yes | yes |
| Configure NTP | No | No | No | No |
| Configure time | No | No | No | No |
| | Scope 1-1 | Scope 2-1 | Scope 3-1 | Scope 4-1 |
| | 10.10.1.21 | 10.20.1.21 | 10.30.1.21 | 10.40.1.21 |
| | 10.10.1.25 | 10.20.1.25 | 10.30.1.25 | 10.40.1.25 |
| DHCP Network | 10.10.1.0 | 10.20.1.0 | 10.30.1.0 | 10.40.1.0 |
| DHCP Netmask | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 |
| | 14400 | 14400 | 14400 | 14400 |
| | 10.10.1.254 | 10.20.1.254 | 10.30.1.254 | 10.40.1.254 |
| | 10.100.1.1 | 10.100.1.1 | 10.100.1.1 | 10.100.1.1 |
| | 10.100.1.1 | 10.100.1.1 | 10.100.1.1 | 10.100.1.1 |
| DHCP status | Enabled | Enabled | Enabled | Enabled |
| VLAN 90 ID | 90 | 90 | 90 | 90 |
| VLAN 90 IP | 172.16.90.10 | 172.16.90.20 | 172.16.90.30 | 172.16.90.40 |
| VLAN90 netmask | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 |
| VLAN 90 gateway | 172.16.90.253 | 172.16.90.253 | 172.16.90.253 | 172.16.90.253 |
| VLAN 90 port | 172.16.90.253 | 172.16.90.253 | 172.16.90.253 | 172.16.90.253 |
| WLAN | IUWNE-Web1 | IUWNE-Web2 | IUWNE-Web3 | IUWNE-Web4 |
| Switch IP address | 10.10.1.253 | 10.20.1.253 | 10.30.1.253 | 10.40.1.253 |
| Switch username | student1 | student2 | student3 | student4 |
| Switch password | cisco | Cisco | Cisco | Cisco |
| Controller interface on the switch | Gigabitethernet0/3 | Gigabitethernet0/8 | Gigabitethernet0/13 | Gigabitethernet0/18 |
| Native VLAN | 10 | 20 | 30 | 40 |
| | Webuser1 | Webuser2 | Webuser3 | Webuser4 |
| | Cisco | Cisco | Cisco | Cisco |
| | Admin1 | Admin2 | Admin3 | Admin4 |
| | Cisco | Cisco | Cisco | Cisco |
| Controller IP address | 10.10.1.10 | 10.20.1.10 | 10.30.1.10 | 10.40.1.10 |
| AP new channel | 40 | 44 | 48 | 52 |
| Parameter | Pod 5 | Pod 6 | Pod 7 | Pod 8 |
| --- | --- | --- | --- | --- |
| | 10.50.1.240 | 10.60.1.240 | 10.70.1.240 | 10.80.1.240 |
| | student5 | student6 | student7 | student8 |
| | cisco | cisco | cisco | cisco |
| Controller name | 2106-5 | 2106-6 | 2106-7 | 2106-8 |
| Administrative user | admin5 | admin6 | admin7 | admin8 |
| Administrative password | cisco | cisco | cisco | cisco |
| Management interface IP address | 10.50.1.10 | 10.60.1.10 | 10.70.1.10 | 10.80.1.10 |
| Management interface mask | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 |
| Default router | 10.50.1.254 | 10.60.1.254 | 10.70.1.254 | 10.80.1.254 |
| Management vlan id | | | | |
| Management port | | | | |
| Management DHCP server | 10.50.1.10 | 10.60.1.10 | 10.70.1.10 | 10.80.1.10 |
| AP manager IP address | 10.50.1.11 | 10.60.1.11 | 10.70.1.11 | 10.80.1.11 |
| AP Manager DHCP server | 10.50.1.10 | 10.60.1.10 | 10.70.1.10 | 10.80.1.10 |
| Virtual gateway IP address | 1.1.1.1 | 1.1.1.1 | 1.1.1.1 | 1.1.1.1 |
| | Pod5 | Pod6 | Pod7 | Pod8 |
| Enable symmetric tunneling | No | No | No | No |
| Network name | IUWNE-5 | IUWNE-6 | IUWNE-7 | IUWNE-8 |
| Allow static IP addresses | Yes | Yes | Yes | Yes |
| Radius server | No | No | No | No |
| Country code | US | US | US | US |
| | yes | yes | yes | yes |
| Configure NTP | No | No | No | No |
| Configure time | No | No | No | No |
| | Scope 5-1 | Scope 6-1 | Scope 7-1 | Scope 8-1 |
| | 10.50.1.21 | 10.60.1.21 | 10.70.1.21 | 10.80.1.21 |
| | 10.50.1.25 | 10.60.1.25 | 10.70.1.25 | 10.80.1.25 |
| DHCP Network | 10.50.1.0 | 10.60.1.0 | 10.70.1.0 | 10.80.1.0 |
| DHCP Netmask | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 |
| | 14400 | 14400 | 14400 | 14400 |
| | 10.50.1.254 | 10.60.1.254 | 10.70.1.254 | 10.80.1.254 |
| | 10.100.1.1 | 10.100.1.1 | 10.100.1.1 | 10.100.1.1 |
| | 10.100.1.1 | 10.100.1.1 | 10.100.1.1 | 10.100.1.1 |
| DHCP status | Enabled | Enabled | Enabled | Enabled |
| VLAN 90 ID | 90 | 90 | 90 | 90 |
| VLAN 90 IP | 172.16.90.50 | 172.16.90.60 | 172.16.90.80 | 172.16.90.90 |
| VLAN90 netmask | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 |
| VLAN 90 gateway | 172.16.90.253 | 172.16.90.253 | 172.16.90.253 | 172.16.90.253 |
| VLAN 90 port | 172.16.90.253 | 172.16.90.253 | 172.16.90.253 | 172.16.90.253 |
| WLAN | IUWNE-Web5 | IUWNE-Web6 | IUWNE-Web7 | IUWNE-Web8 |
| Switch IP address | 10.50.1.253 | 10.60.1.253 | 10.70.1.253 | 10.80.1.253 |
| Switch username | student5 | student6 | student7 | student8 |
| Switch password | cisco | cisco | cisco | cisco |
| Controller interface on the switch | Gigabitethernet0/3 | Gigabitethernet0/8 | Gigabitethernet0/13 | Gigabitethernet0/18 |
| Native VLAN | 50 | 60 | 70 | 80 |
| | Webuser5 | Webuser6 | Webuser7 | Webuser8 |
| | Cisco | Cisco | Cisco | Cisco |
| | Admin5 | Admin6 | Admin7 | Admin8 |
| | Cisco | Cisco | Cisco | Cisco |
| Controller IP address | 10.50.1.10 | 10.60.1.10 | 10.70.1.10 | 10.80.1.10 |
| AP new channel | 56 | 60 | 64 | 36 |
Activity Objective
In this activity, you will use the Wireshark software to troubleshoot connection issues. Your
instructor will introduce issues to your configuration, and you will have to find them. You will
then convert your Cisco 1252 AP back to autonomous mode. After completing this activity,
you will be able to meet these objectives:
Visual Objective
The figure illustrates what you will accomplish in this activity.
Required Resources
These are the resources and equipment that are required to complete this activity:
A connection to the remote terminal server with serial connection to your controller
Step 16
Step 17
Step 18
In the SSID1 field, enter the name of the web authentication SSID on your 526
controller. It should be in the form IUWNE-WebX, where X is your pod number.
Step 19
Step 20
Check that security is set to None, because this WLAN uses open authentication.
Step 21
Step 22
Because the WLAN is on the b/g network, uncheck 5 GHz 54 Mbps. Leave the
other parameters at their default values.
Step 23
Step 24
Do not associate to it yet. Click the Diagnostic tab, and click Adapter information.
Step 25
Step 26
Step 27
Start Wireshark. Click Start > All Programs > Wireshark > Wireshark.
Step 28
Choose the right interface to capture from. You will use the Airpcap passive
interface. In Wireshark, click Capture and choose Interfaces.
Step 29
In the interfaces list, you see Airpcap USB wireless capture adapter. Click Options
at the right end of the Airpcap USB wireless capture adapter line.
Step 30
A new window appears. Make sure that Capture in promiscuous mode is checked.
Step 31
Step 32
Step 33
Make sure that capture type is set to 802.11 + Radio. Click OK to validate.
Step 34
You want to filter the capture to display only frames sent to and from your Cisco
WLAN adapter. In the capture filter field, enter ether host followed by the MAC
address of your Cisco WLAN card documented in step 25 of the previous task. For
example: ether host 00:0b:85:72:17:10
Step 35
Go back to the Cisco ADU, and double-click the Webauth profile to associate to the
WLAN.
Step 36
Step 37
Try to open the web authentication page via the example URL test.example.com.
The page cannot be found.
Step 38
Step 39
Use the capture to try to understand what went wrong. Keep in mind that each frame
should be acknowledged, that your client is very close to the AP and should get a
good speed. Also keep in mind that the connection process for a web authenticated
WLAN is authentication request, authentication response, association request,
association response, DHCP exchange, and then Web authentication.
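The reasoning in Step 39 can be applied mechanically to a frame list exported from the capture. The following Python sketch is an added example, not part of the Cisco lab guide: it walks the connection sequence listed above, reports the first stage that never completes, and lists unicast frames that were not acknowledged. The record format, the AP address, and the sample capture are constructed for illustration and do not represent the fault introduced in this lab; the DHCP exchange is expanded into its four standard messages.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"
CLIENT = "00:0b:85:72:17:10"   # example client MAC used in Step 34
AP = "02:00:00:00:00:01"       # constructed BSSID (locally administered address)

# (stage, True if the client transmits it), in the order given in Step 39.
EXPECTED = [
    ("auth-req", True), ("auth-resp", False),
    ("assoc-req", True), ("assoc-resp", False),
    ("dhcp-discover", True), ("dhcp-offer", False),
    ("dhcp-request", True), ("dhcp-ack", False),
    ("web-auth", True),
]


def frame(kind, ta, ra):
    """One capture record: frame kind, transmitter address, receiver address."""
    return {"kind": kind, "ta": ta, "ra": ra}


def acked(kind, ta, ra):
    """A frame followed by its 802.11 ACK (an ACK carries only a receiver address)."""
    return [frame(kind, ta, ra), frame("ack", None, ta)]


def progress(frames, client):
    """Return (completed stages, first missing stage or None)."""
    done = []
    for f in frames:
        if len(done) == len(EXPECTED):
            break
        kind, from_client = EXPECTED[len(done)]
        if f["kind"] != kind:
            continue
        if from_client:
            direction_ok = f["ta"] == client
        else:
            direction_ok = f["ta"] != client and f["ra"] in (client, BROADCAST)
        if direction_ok:
            done.append(kind)
    missing = EXPECTED[len(done)][0] if len(done) < len(EXPECTED) else None
    return done, missing


def unacked(frames):
    """Indexes of unicast frames not immediately followed by an ACK to their sender."""
    result = []
    for i, f in enumerate(frames):
        if f["kind"] == "ack" or f["ra"] == BROADCAST:
            continue
        nxt = frames[i + 1] if i + 1 < len(frames) else None
        if not (nxt and nxt["kind"] == "ack" and nxt["ra"] == f["ta"]):
            result.append(i)
    return result


# Constructed capture: association succeeds, the client repeats DHCP discover,
# one discover goes unacknowledged, and no offer ever arrives.
CAPTURE = (
    acked("auth-req", CLIENT, AP)
    + acked("auth-resp", AP, CLIENT)
    + acked("assoc-req", CLIENT, AP)
    + acked("assoc-resp", AP, CLIENT)
    + acked("dhcp-discover", CLIENT, AP)
    + [frame("dhcp-discover", CLIENT, AP)]
    + acked("dhcp-discover", CLIENT, AP)
)

if __name__ == "__main__":
    done, missing = progress(CAPTURE, CLIENT)
    print("completed:", ", ".join(done))
    print("first missing stage:", missing)
    print("unacknowledged frame indexes:", unacked(CAPTURE))
```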
Activity Verification
You have successfully completed this task when you attain these results:
Activity Procedure
Complete these steps:
Step 1
Make sure that you have a VPN tunnel to the remote lab.
Step 2
Connect to your remote lab wireless laptop using remote desktop; choose Start >
Programs > Accessories > Communications > Remote Desktop Connection.
Note
In each pod, only one connection at a time is possible to the remote lab wireless laptop.
Choose with your partner who will be connecting.
Step 3
Use the lab map to find the IP address you should use to connect to your remote
lab wireless laptop. It should be in the format 10.X0.1.240, where X is your pod
number.
Step 4
In the Remote Desktop Connection pop-up window, in the Computer field, enter the
IP address of your remote lab wireless laptop, and click Connect.
Step 5
You will be presented with a new window where you are asked to enter the
credentials required to access your remote lab wireless laptop. Use the lab map to
know which username and password are used to connect to your pod remote lab
wireless laptop. They should be in the format studentX and cisco, where X is your
pod number.
Step 6
Enter the credentials and click OK. You should see the Windows desktop of your
remote lab wireless laptop.
Step 7
Locate on your Desktop a folder called IOS-TO-LWAPP. If you cannot locate it,
check with your instructor. Also locate the tftpd32 program.
Step 8
Open the IOS-to-LWAPP folder, and make sure it contains the c1250-k9w7-tar.default image file.
This is the file that the AP will be looking for: it contains a
default Cisco IOS image for the Cisco 1252 platform. If the file is not there, ask
your instructor. Otherwise, close the folder.
Step 9
Step 10
Click the browse button on the right side of the Current directory line in the tftpd32
application, navigate to your desktop, and choose the IOS-TO-LWAPP folder.
Step 11
In the server interface drop-down list, make sure to choose 10.X0.1.240, where X is
your pod number.
Step 12
Your TFTP server is ready to send the right image for the Cisco 1252 AP. Keep the
remote desktop session in the background.
Step 13
Open a CLI session to your Cisco 2106 controller: still from your remote wireless
laptop, choose Start > Programs > Accessories > Command Prompt.
Step 14
Step 15
Step 16
Step 17
Step 18
Step 19
Enter the following command: config ap tftp-downgrade 10.X0.1.240 c1250-k9w7-tar.default 1252-X,
where X is your pod number. The 1252-X is the AP
name given earlier in the lab exercises.
Step 20
This command does not generate any prompt on the controller. Navigate back to
your remote lab wireless laptop PC, and check if the TFTP server is providing the
image to the rebooting AP.
Step 21
If the TFTP server is not providing the image, wait a few minutes, go back to your
controller and restart from Step 19.
Step 22
While the image is being provided to your AP, connect to the terminal server. From
your class PC, choose Start > Programs > Accessories > Command Prompt.
Step 23
At the command prompt, enter telnet followed by the IP address of the remote
terminal server (10.1.1.252 or other if provided by your instructor).
Step 24
Enter the credentials (username student, password cisco or other if provided by your
instructor) to access the terminal server.
Step 25
After successful login you will be asked to choose the correct pod (Podx), where x
is your pod number.
Step 26
You will see a new menu, allowing you to connect to several devices in your group.
Take some time to familiarize yourself with the different options provided.
Step 27
Step 28
You should be able to follow your AP download process, and see the AP reboot,
using the new image. While the AP boots, you should be able to see at different
steps that it is using the c1250-k9w7 image, which is the default autonomous image.
Step 29
Once this process completes, you should be able to access the AP CLI. You may
have to press Enter to activate the CLI.
Step 30
Enter enable to access privileged mode. The password is Cisco (with a capital C).
Step 31
Enter show ip interface brief to check the IP addresses present on the AP.
Step 32
You should see that the IP address is assigned to the BVI interface, which is an
indication that the AP is back to standalone mode. All the usual IOS commands,
such as configure terminal, are available. Do not configure this AP further.
Activity Verification
You have successfully completed this task when you attain these results:
Answer Key
The correct answers and expected solutions for the activities that are described in this guide
appear here.
Task 1
Q1)
13 dBm
Q2)
16 dBm
Q3)
33 dBm
Q4)
200 mW
Q5)
0.05 mW
Q6)
The station receives -60 dBm and the noise level is -66 dBm. The SNR is (-66 (-60)) 6 dBm. This level is
not an acceptable SNR level. It is far too weak.
Q7)
dBi = dBd + 2.14, and dBd = dBi - 2.14. 7.24 dBi = 7.24 - 2.14 = 5.1 dBi.
Q8)
11.44 dBi
Q9)
dBi = dBd + 2.14, and dBd = dBi - 2.14. 13.56 dBd = 13.56 + 2.14 = 15.7 dBd.
Q10)
21 dBi
Q11)
18.86 dBd
Q12)
2.14 dBi = 0 dBd. 3.28 dBd = 5.42 dBi. 3.28 dBd is far more powerful than 2.14 dBi. The difference is
3.28 dB (dBi or dBd), more than twice the power.
Q13)
3.41 dBi = 2.55 dBd. dBm cannot be converted to dBi or dBd. dBm expresses a power with the milliwatt
as a reference, whereas dBd and dBi compare powers with antenna references. If the second value had
been 4.18 dBd, the comparison would have been possible: 4.18 dBd = 6.32 dBi, which is 2.91 dB
difference (dBi or dBd), almost twice the power.
Q1)
Q2)
Q3)
Q4)
Q5)
Q6)
100 mW is 20 dBm.
EIRP = 20 + 8.5 = 28.5 dBm.
Q7)
Q8)
Task 2
272
Q9)
Task 3
Step 2)
Step 3)
Step 4)
Step 6)
directional antenna
Step 7)
Step 8)
a rooftop
Step 10)
omnidirectional antenna
Step 11)
Step 12)
ceiling
Task 4
Step 43
The most common frame is the beacon, which is sent 10 times per second.
Step 44
Step 45
Step 46
Step 47
100 ms.
Step 48
Step 49
802.11b.
Step 50
IBSSID
Step 51
Step 52
Data frames are sent at the optimum speed from the sender perspective and ACKs
are sent at the mandatory speed immediately below the speed used for the data
frame.
Location
----------IUWNE
2
1252-1
US - United States
802.11bg:-AB
802.11a:-AB
US - United States
802.11a:-A
1
00:1d:45:91:37:10
DHCP
10.10.1.22
255.255.255.0
10.10.1.254
Disabled
Disabled
IUWNE Lab
none
2601-1
Not Configured
Not Configured
Not Configured
ADMIN_ENABLED
REGISTERED
Disabled
Local
Global: Disabled, Local:
Disabled
5.0.148.0
12.4.10.0
3.0.51.0
180
Enabled
Enabled
Disabled
2
AIR-LAP1252AG-A-K9
12.4(13d)JA
Enabled
FTX1201906W
Manufacture Installed
Enabled (Global MFP
Not Configured
Not Configured
255.255.255.255
0 days, 05 h 33 m 30 s
0 days, 05 h 32 m 29 s
Sat Feb 16 00:24:51 2008
Task 1:
(Cisco Controller) >show running-config
802.11a cac voice tspec-inactivity-timeout ignore
802.11a cac voice stream-size 84000 max-streams 2
802.11b cac voice tspec-inactivity-timeout ignore
802.11b cac voice stream-size 84000 max-streams 2
advanced location expiry tags 1200
advanced location expiry client 150
advanced location expiry calibrating-client 30
advanced location expiry rogue-aps 1200
interface address ap-manager 10.10.1.101 255.255.255.0 10.10.1.254
interface address management 10.10.1.100 255.255.255.0 10.10.1.254
interface address virtual 1.1.1.1
interface dhcp ap-manager primary 255.255.255.255
interface dhcp management primary 255.255.255.255
interface port ap-manager 1
interface port management 1
logging buffered 1
mesh security eap
mgmtuser add admin1 **** read-write
mobility group domain Pod1
msglog level critical
network telnet enable
network rf-network-name Pod1
sysname 526-1
wlan create 1 IUWNE-102 IUWNE-102
wlan security wpa disable 1
wlan security wpa disable 2
wlan dhcp_server 1 10.10.1.11 required
802.11a disable network
wlan enable 2
Task 3
On the switch:
Show running-config
output omitted
Ip dhcp excluded-address 10.10.1.1 10.10.1.30
Ip dhcp excluded-address 10.10.1.36 10.10.1.255
Ip dhcp pool Pod1
Network 10.10.1.0 255.255.255.0
Default-router 10.10.1.254
Lease 0 4
Dns-server 10.100.1.1
output omitted
Lab 3-1 Answer Key: Installing and Using the Cisco ADU
There is no answer key for this lab.
Lab 5-1 Answer Key: Configuring Controllers and APs from the
Cisco WCS Interface
When you complete this activity, you will get results similar to those displayed here:
Task 2
Step 18: You should see the class main switch; the port depends on the group.
Task 2:
Step 9: The lab is about 10 m wide and 11 m high in its longer dimension.
280
Show running-config
802.11a cac voice tspec-inactivity-timeout ignore
802.11a cac video tspec-inactivity-timeout ignore
802.11a cac voice stream-size 84000 max-streams 2
802.11b cac voice tspec-inactivity-timeout ignore
802.11b cac video tspec-inactivity-timeout ignore
802.11b cac voice stream-size 84000 max-streams 2
aaa auth mgmt local radius
location rssi-half-life tags 0
location rssi-half-life client 0
location rssi-half-life rogue-aps 0
location expiry tags 5
location expiry client 5
location expiry calibrating-client 5
location expiry rogue-aps 5
ap syslog host global 255.255.255.255
dhcp create-scope Pod1
dhcp address-pool Pod1 10.10.1.21 10.10.1.26
dhcp default-router Pod1 10.10.1.254
dhcp enable Pod1
dhcp dns-servers Pod1 10.100.1.1
dhcp netbios-name-server Pod1 10.100.1.1
dhcp network Pod1 10.10.1.0 255.255.255.0
local-auth eap-profile add EAP-FAST1
local-auth eap-profile cert-issuer cisco EAP-FAST1
local-auth eap-profile method add fast EAP-FAST1
local-auth user-credentials ldap
local-auth method fast server-key 736563726574
local-auth eap-profile cert-verify ca-issuer disable EAP-FAST1
interface address ap-manager 10.10.1.11 255.255.255.0 10.10.1.254
interface address management 10.10.1.10 255.255.255.0 10.10.1.254
interface address virtual 1.1.1.1
interface dhcp ap-manager primary 10.10.1.10
interface dhcp management primary 10.10.1.10
interface port ap-manager 1
interface port management 1
ldap retransmit-timeout 1 30
load-balancing window 5
logging buffered 6
logging syslog host 0.0.0.0
mesh security eap
mgmtuser add admin1 **** read-write
mobility group domain Pod1
mobility dscp value for inter-controller mobility packets 0
netuser add Fastuser1 **** wlan 2 userType permanent description
netuser wlan-id Fastuser1 2
network telnet enable
network otap-mode disable
network rf-network-name Pod1
radius fallback-test mode off
radius fallback-test username cisco-probe
radius fallback-test interval 300
sessions timeout 0
snmp version v2c enable
snmp version v3 enable
sysname 2106-1
wlan create 1 IUWNE-1 IUWNE-1
wlan create 2 EAP_FAST IUWNE-FAST1
wlan local-auth enable EAP-FAST1 2
wlan radio 2 802.11a
wlan session-timeout 1 disable
2008 Cisco Systems, Inc.
<mac>c52df09a410ea11f3a0ebae6b5d188aaf258726f</mac>
<max_passwd_len>50</max_passwd_len>
<passwd_len>64</passwd_len>
<passwd>3f33b257d1d5bf8f73f7f88a4b27113b4620283bd06892b0bb45e84dabbdbb874c95fa1a
6d252523aa776805b8080259756658316f5623cd4d44e57c35e972250000</passwd>
</passwordStore>
</userDatabase>
</User-Access-Configuration>
<XML_crc_file_size>782</XML_crc_file_size>
<XML__CRC__CHECKSUM>3297450704</XML__CRC__CHECKSUM>
</XML_config_variables-aaaapiFileDbCfgData.xml-ba700b76>
<XML_config_variables-apfCfgData.xml-82be6d39>
<APCommon-Configuration>
<ConfigIsComplete>0</ConfigIsComplete>
<NumOfWLANs>2</NumOfWLANs>
<WirelessLANData index="1">
<ProfileName>IUWNE-1</ProfileName>
<ProfileNameLen>7</ProfileNameLen>
<Identifier>1</Identifier>
<Status>ENABLED</Status>
<BroadcastSSIDEnabled>1</BroadcastSSIDEnabled>
<CcxAironetIeSupportEnabled>1</CcxAironetIeSupportEnabled>
<Security>
<SecurityType>16384</SecurityType>
<wepPolicy>
<configData>
<Dot11Encryption>WEP104</Dot11Encryption>
<KeyIndex>1</KeyIndex>
</configData>
</wepPolicy>
<dot1xPolicy>
<configData>
<AuthTimeout>1800</AuthTimeout>
</configData>
</dot1xPolicy>
<wifiPolicy>
<configData>
<mcastCipher>4</mcastCipher>
<rsnIeData>30160100000fac040100000fac040100000fac0128000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000</rsnIeData>
<rsnIeLen>24</rsnIeLen>
<warpIeData>dd0a00c0b90100000008010100000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000</warpIeData>
<warpIeLen>12</warpIeLen>
</configData>
</wifiPolicy>
<ipsecPolicy>
<configData>
<IpsecIkePhase1Mode>MAIN</IpsecIkePhase1Mode>
</configData>
</ipsecPolicy>
<VlanLocalAddress>10.10.1.10</VlanLocalAddress>
<VlanLocalNetmask>255.255.255.0</VlanLocalNetmask>
<GWAddress>10.10.1.254</GWAddress>
<BlacklistTimeout>60</BlacklistTimeout>
<InterfaceName>management</InterfaceName>
<WmePolicy>ALLOWED</WmePolicy>
</Security>
<Ssid>IUWNE-1</Ssid>
<apfVapSsidLen>7</apfVapSsidLen>
</WirelessLANData>
<Dot11BConfig>
<Dot11bBand>
<Dot11NumberOfChannels>11</Dot11NumberOfChannels>
<Dot11MaximumTransmitPowerLevel>27</Dot11MaximumTransmitPowerLevel>
<Dot11MaxAntennaGainAllowed>6</Dot11MaxAntennaGainAllowed>
</Dot11bBand>
<Dot11gSupported>Supported</Dot11gSupported>
</Dot11BConfig>
<Dot11AConfig>
<Dot11aBand index="0">
<Dot11FirstChannelNumber>36</Dot11FirstChannelNumber>
<Dot11NumberOfChannels>4</Dot11NumberOfChannels>
<Dot11MaximumTransmitPowerLevel>17</Dot11MaximumTransmitPowerLevel>
<Dot11FirstDCAChannelNumber>36</Dot11FirstDCAChannelNumber>
<Dot11MaxAntennaGainAllowed>6</Dot11MaxAntennaGainAllowed>
</Dot11aBand>
<Dot11aBand index="1">
<Dot11BandState>1</Dot11BandState>
<RequiresRadar>1</RequiresRadar>
<Dot11FirstChannelNumber>52</Dot11FirstChannelNumber>
<Dot11ChannelSpacing>4</Dot11ChannelSpacing>
<Dot11NumberOfChannels>4</Dot11NumberOfChannels>
<Dot11MaximumTransmitPowerLevel>23</Dot11MaximumTransmitPowerLevel>
<Dot11FirstDCAChannelNumber>52</Dot11FirstDCAChannelNumber>
<Dot11DCAChannelSpacing>4</Dot11DCAChannelSpacing>
<Dot11DCANumberOfChanels>4</Dot11DCANumberOfChanels>
<Dot11MaxAntennaGainAllowed>6</Dot11MaxAntennaGainAllowed>
</Dot11aBand>
<Dot11aBand index="2">
<Dot11BandState>1</Dot11BandState>
<RequiresRadar>1</RequiresRadar>
<Dot11FirstChannelNumber>100</Dot11FirstChannelNumber>
<Dot11ChannelSpacing>4</Dot11ChannelSpacing>
<Dot11NumberOfChannels>5</Dot11NumberOfChannels>
<Dot11MaximumTransmitPowerLevel>23</Dot11MaximumTransmitPowerLevel>
<Dot11FirstDCAChannelNumber>100</Dot11FirstDCAChannelNumber>
<Dot11DCAChannelSpacing>4</Dot11DCAChannelSpacing>
<Dot11DCANumberOfChanels>5</Dot11DCANumberOfChanels>
<Dot11MaxAntennaGainAllowed>6</Dot11MaxAntennaGainAllowed>
</Dot11aBand>
<Dot11aBand index="3">
<Dot11BandState>1</Dot11BandState>
<RequiresRadar>1</RequiresRadar>
<Dot11FirstChannelNumber>132</Dot11FirstChannelNumber>
<Dot11ChannelSpacing>4</Dot11ChannelSpacing>
<Dot11NumberOfChannels>3</Dot11NumberOfChannels>
<Dot11MaximumTransmitPowerLevel>23</Dot11MaximumTransmitPowerLevel>
<Dot11FirstDCAChannelNumber>132</Dot11FirstDCAChannelNumber>
<Dot11DCAChannelSpacing>4</Dot11DCAChannelSpacing>
<Dot11DCANumberOfChanels>3</Dot11DCANumberOfChanels>
<Dot11MaxAntennaGainAllowed>6</Dot11MaxAntennaGainAllowed>
</Dot11aBand>
<Dot11aBand index="4">
<Dot11BandState>1</Dot11BandState>
<Dot11FirstChannelNumber>149</Dot11FirstChannelNumber>
<Dot11ChannelSpacing>4</Dot11ChannelSpacing>
<Dot11NumberOfChannels>5</Dot11NumberOfChannels>
<Dot11MaximumTransmitPowerLevel>30</Dot11MaximumTransmitPowerLevel>
<Dot11FirstDCAChannelNumber>149</Dot11FirstDCAChannelNumber>
<Dot11DCAChannelSpacing>4</Dot11DCAChannelSpacing>
<Dot11DCANumberOfChanels>4</Dot11DCANumberOfChanels>
<Dot11MaxAntennaGainAllowed>6</Dot11MaxAntennaGainAllowed>
</Dot11aBand>
<Dot11aBand index="5">
<Dot11BandState>1</Dot11BandState>
<Dot11FirstChannelNumber>190</Dot11FirstChannelNumber>
<Dot11ChannelSpacing>6</Dot11ChannelSpacing>
<Dot11NumberOfChannels>2</Dot11NumberOfChannels>
<Dot11MaximumTransmitPowerLevel>20</Dot11MaximumTransmitPowerLevel>
<Dot11MaxAntennaGainAllowed>17</Dot11MaxAntennaGainAllowed>
</Dot11aBand>
<Dot11aDefaultCfg>
<defaultChan>36</defaultChan>
</Dot11aDefaultCfg>
</Dot11AConfig>
<Dot11CountryCode>US</Dot11CountryCode>
<networkName>Group1</networkName>
<Dot11MultiCountryCode index="0">US</Dot11MultiCountryCode>
</APCommon-Configuration>
<XML_crc_file_size>5811</XML_crc_file_size>
<XML__CRC__CHECKSUM>3881916614</XML__CRC__CHECKSUM>
</XML_config_variables-apfCfgData.xml-82be6d39>
<XML_config_variables-apfRogueData.xml-114ab423>
<RogueAP-Configuration>
<RogueList index="0">
<level>1</level>
</RogueList>
</RogueAP-Configuration>
<XML_crc_file_size>142</XML_crc_file_size>
<XML__CRC__CHECKSUM>1488059387</XML__CRC__CHECKSUM>
</XML_config_variables-apfRogueData.xml-114ab423>
<XML_config_variables-cliWebCfgData.xml-a3523f1a>
<XML_crc_file_size>22</XML_crc_file_size>
<XML__CRC__CHECKSUM>1389374175</XML__CRC__CHECKSUM>
</XML_config_variables-cliWebCfgData.xml-a3523f1a>
<XML_config_variables-dhcpCfgData.xml-92584a2f>
<DHCP-Configuration>
<scopes index="0">
<scopeName>Scope 1-1</scopeName>
<DHCPEnabled>ENABLED</DHCPEnabled>
<leaseTime>14400</leaseTime>
<poolStart>21.1.10.10</poolStart>
<poolEnd>29.1.10.10</poolEnd>
<poolLastAllocated>25.1.10.10</poolLastAllocated>
<defaultRoute index="0">254.1.10.10</defaultRoute>
<network>0.1.10.10</network>
<netmask>0.255.255.255</netmask>
<dnsServer index="0">1.1.100.10</dnsServer>
<wins index="0">1.1.100.10</wins>
</scopes>
</DHCP-Configuration>
<XML_crc_file_size>575</XML_crc_file_size>
<XML__CRC__CHECKSUM>393978620</XML__CRC__CHECKSUM>
</XML_config_variables-dhcpCfgData.xml-92584a2f>
<XML_config_variables-dot1qCfg.xml-3cf45304>
<XML_crc_file_size>22</XML_crc_file_size>
<XML__CRC__CHECKSUM>1389374175</XML__CRC__CHECKSUM>
</XML_config_variables-dot1qCfg.xml-3cf45304>
<XML_config_variables-ldapCfgData.xml-1778a2ce>
<LDAP-Configuration>
<LDAP-Database-Name>LDAP Database</LDAP-Database-Name>
</LDAP-Configuration>
<XML_crc_file_size>129</XML_crc_file_size>
<XML__CRC__CHECKSUM>3519211832</XML__CRC__CHECKSUM>
</XML_config_variables-ldapCfgData.xml-1778a2ce>
<XML_config_variables-logCfgData.xml-3d9622e2>
<XML_crc_file_size>22</XML_crc_file_size>
<XML__CRC__CHECKSUM>1389374175</XML__CRC__CHECKSUM>
</XML_config_variables-logCfgData.xml-3d9622e2>
<XML_config_variables-meshFileCfg.xml-436a659c>
<MESH-Configuration>
<cfg>
<isChanged>1</isChanged>
<profileName>prfMaP1500LlEAuth93</profileName>
</cfg>
</MESH-Configuration>
<XML_crc_file_size>175</XML_crc_file_size>
<XML__CRC__CHECKSUM>3717743609</XML__CRC__CHECKSUM>
</XML_config_variables-meshFileCfg.xml-436a659c>
<XML_config_variables-mmCfgData.xml-2a91608>
<Mobility-Manager-Configuration>
<group>Group1</group>
</Mobility-Manager-Configuration>
<XML_crc_file_size>120</XML_crc_file_size>
<XML__CRC__CHECKSUM>2303725361</XML__CRC__CHECKSUM>
</XML_config_variables-mmCfgData.xml-2a91608>
<XML_config_variables-nimSlot0.xml-bcd6b57f>
<XML_crc_file_size>22</XML_crc_file_size>
<XML__CRC__CHECKSUM>1389374175</XML__CRC__CHECKSUM>
</XML_config_variables-nimSlot0.xml-bcd6b57f>
<XML_config_variables-policyCfgData.xml-40f47081>
<XML_crc_file_size>22</XML_crc_file_size>
<XML__CRC__CHECKSUM>1389374175</XML__CRC__CHECKSUM>
</XML_config_variables-policyCfgData.xml-40f47081>
<XML_config_variables-rrmCfgData.xml-89a365cb>
<RadioResourceManager-Configuration>
<rrm2 index="1">
<rrmAllowedChans>
<chanCnt>20</chanCnt>
<chans index="8">100</chans>
<chans index="9">104</chans>
<chans index="10">108</chans>
<chans index="11">112</chans>
<chans index="12">116</chans>
<chans index="13">132</chans>
<chans index="14">136</chans>
<chans index="15">140</chans>
<chans index="16">149</chans>
<chans index="17">153</chans>
<chans index="18">157</chans>
<chans index="19">161</chans>
</rrmAllowedChans>
</rrm2>
</RadioResourceManager-Configuration>
<XML_crc_file_size>668</XML_crc_file_size>
<XML__CRC__CHECKSUM>1600534478</XML__CRC__CHECKSUM>
</XML_config_variables-rrmCfgData.xml-89a365cb>
<XML_config_variables-sigCfg.xml-2d0c8484>
<XML_crc_file_size>22</XML_crc_file_size>
<XML__CRC__CHECKSUM>1389374175</XML__CRC__CHECKSUM>
</XML_config_variables-sigCfg.xml-2d0c8484>
<XML_config_variables-simCfgData.xml-47629dc4>
<System-Interface-Configuration>
<systemName>2106-1</systemName>
<systemIpAddress>192.168.1.1</systemIpAddress>
<systemGateway>0.0.0.0</systemGateway>
</System-Interface-Configuration>
<XML_crc_file_size>224</XML_crc_file_size>
<XML__CRC__CHECKSUM>3204326577</XML__CRC__CHECKSUM>
</XML_config_variables-simCfgData.xml-47629dc4>
<XML_config_variables-simQosCfgData.xml-11069211>
<XML_crc_file_size>22</XML_crc_file_size>
<XML__CRC__CHECKSUM>1389374175</XML__CRC__CHECKSUM>
</XML_config_variables-simQosCfgData.xml-11069211>
<XML_config_variables-simVlanCfgData.xml-a2f725a>
<VLAN-Configuration>
<simInterface index="0">
<InterfaceName>management</InterfaceName>
<vlanStatus>CREATED</vlanStatus>
<vlanLocalAddress>10.10.1.10</vlanLocalAddress>
<vlanLocalNetmask>255.255.255.0</vlanLocalNetmask>
<vlanLocalGateway>10.10.1.254</vlanLocalGateway>
<vlanDhcpProtocolState>1</vlanDhcpProtocolState>
<vlanDhcpPrimaryServer>10.10.1.10</vlanDhcpPrimaryServer>
<vlanPortNumber>1</vlanPortNumber>
<GatewayResolvedState>RESOLVED</GatewayResolvedState>
<vlanGatewayMac>0:1e:7a:ad:52:a9</vlanGatewayMac>
</simInterface>
<simInterface index="1">
<InterfaceName>service-port</InterfaceName>
<vlanId>-1</vlanId>
<vlanInterfaceType>Service-Port</vlanInterfaceType>
<vlanDhcpProtocolState>3</vlanDhcpProtocolState>
<vlanInterfaceId>3</vlanInterfaceId>
</simInterface>
<simInterface index="2">
<InterfaceName>virtual</InterfaceName>
<vlanId>-1</vlanId>
<vlanStatus>CREATED</vlanStatus>
<vlanInterfaceType>Virtual</vlanInterfaceType>
<vlanLocalAddress>1.1.1.2</vlanLocalAddress>
<vlanDhcpProtocolState>1</vlanDhcpProtocolState>
</simInterface>
<simInterface index="3">
<InterfaceName>ap-manager</InterfaceName>
<vlanStatus>CREATED</vlanStatus>
<vlanInterfaceType>VLAN</vlanInterfaceType>
<vlanLocalAddress>10.10.1.11</vlanLocalAddress>
<vlanLocalNetmask>255.255.255.0</vlanLocalNetmask>
<vlanLocalGateway>10.10.1.254</vlanLocalGateway>
<vlanDhcpProtocolState>1</vlanDhcpProtocolState>
<vlanDhcpPrimaryServer>10.10.1.10</vlanDhcpPrimaryServer>
<vlanPortNumber>1</vlanPortNumber>
<vlanInterfaceId>1</vlanInterfaceId>
<GatewayResolvedState>RESOLVED</GatewayResolvedState>
<vlanGatewayMac>0:1e:7a:ad:52:a9</vlanGatewayMac>
<vlanFlags>1</vlanFlags>
</simInterface>
</VLAN-Configuration>
<XML_crc_file_size>1949</XML_crc_file_size>
<XML__CRC__CHECKSUM>3145401149</XML__CRC__CHECKSUM>
</XML_config_variables-simVlanCfgData.xml-a2f725a>
<XML_config_variables-snmpCfgData.xml-4f1f9d7c>
<SNMP-Configuration>
<snmpV3User index="0">
<agentUserAuthKeyStore>
<iv>9af0c956b3ef198c2bbe657e02cb5746</iv>
<mac>b5b769a4a62137da506ed909dfd4f3e1fe2605bb</mac>
<passwd>df9e7cc2d2bbc09cbfa42c4942b3ddb00000000000000000000000000000000000000000
000000000000000000000000</passwd>
</agentUserAuthKeyStore>
<agentUserPrivKeyStore>
<iv>e9460c2cc054846a9399f6ca905c808e</iv>
<mac>d043b534f8587048cf403886b6254f4600b4f35e</mac>
<passwd>ff7682febf472d078b453ca2c0574a480000000000000000000000000000000000000000
000000000000000000000000</passwd>
</agentUserPrivKeyStore>
</snmpV3User>
<snmpTrapMgr index="0">
<agentTrapMgrCommunityName>127.0.0.1</agentTrapMgrCommunityName>
<agentTrapMgrIpAddr>127.0.0.1</agentTrapMgrIpAddr>
<agentTrapMgrStatus>1</agentTrapMgrStatus>
</snmpTrapMgr>
</SNMP-Configuration>
<XML_crc_file_size>925</XML_crc_file_size>
<XML__CRC__CHECKSUM>3737039482</XML__CRC__CHECKSUM>
</XML_config_variables-snmpCfgData.xml-4f1f9d7c>
<XML_config_variables-sshpmCfgData.xml-41181e3e>
<SSHPolicyManagerConfigData>
<sshpmIPv4VirtualAddress>1.1.1.2</sshpmIPv4VirtualAddress>
<sshpmIPv4VirtualIPString>1.1.1.1</sshpmIPv4VirtualIPString>
</SSHPolicyManagerConfigData>
<XML_crc_file_size>214</XML_crc_file_size>
<XML__CRC__CHECKSUM>755129620</XML__CRC__CHECKSUM>
</XML_config_variables-sshpmCfgData.xml-41181e3e>
<XML_config_variables-trapMgrCfgData.xml-bd5b2af3>
<XML_crc_file_size>22</XML_crc_file_size>
<XML__CRC__CHECKSUM>1389374175</XML__CRC__CHECKSUM>
</XML_config_variables-trapMgrCfgData.xml-bd5b2af3>
<XML_config_variables-webCustomizations.xml-3adfbbe>
<Custom-WEB-Configuration>
<wlans index="3">
<useGlobalFlag>0</useGlobalFlag>
</wlans>
</Custom-WEB-Configuration>
<XML_crc_file_size>156</XML_crc_file_size>
<XML__CRC__CHECKSUM>289798437</XML__CRC__CHECKSUM>
</XML_config_variables-webCustomizations.xml-3adfbbe>
<XML_config_variables-xmlVersion.xml-d62125ee>
<XML_config_version>1.7</XML_config_version>
<XML_config_image_version>4.2.99.0</XML_config_image_version>
<XML_crc_file_size>130</XML_crc_file_size>
<XML__CRC__CHECKSUM>567147269</XML__CRC__CHECKSUM>
</XML_config_variables-xmlVersion.xml-d62125ee>
</XML_config_variables>