
Generally:

- No NTP is configured on the WLCs / no timezone -> use the Pacific time zone, like MSE and WCS did
- sysnames of the WLCs are wrong -> e.g. (5508-1)>
- enable AP fallback on the WLCs.
- Check the DHCP scopes on 6504-A / B
- check the VLAN interfaces for strange config (no ip igmp snooping / multicast)
- SVI dmz2-guest has something wrong with it
- 5508-1 and 5508-2 have their management interface on the native VLAN; this should be changed so that it is tagged
- allow only the needed VLANs on the WLC trunks
- some VLANs have HSRP active, some not...
- some SVIs exist only on 6504-A and others only on 6504-B... so pay attention to the default GW: sometimes .1, sometimes .2
- all configs should be done on 2.4GHz, until there are other specifications...

1.1 : Spanning tree vlan priority to configure

6504-1 / Po1 must have the root for VLANs 51, ...., 241.
6504-2 / Po1 must have the root for VLANs 52, ...., 242.
The link between 6504-A/B should be a 2GB EtherChannel (media-type RJ45).
2960 central switch: spanning-tree portfast bpduguard default
1.2 : OSPF with E2 networks
The router-id is the same on both core switches, so we must change it.
Modify the OSPF cost on int vlan 100 on both 6504-A and B. The routing table should show the values [110/20] (ip ospf cost 19).
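A core-switch configuration covering 1.1 and 1.2 together, added here as an example and not taken from the original notes. It assumes 6504-A is the root for the odd VLANs and 6504-B for the even ones, uses GigabitEthernet1/1-2 and the router-ids 10.0.0.1 / 10.0.0.2 as placeholders, and lists only the VLAN endpoints the notes give (51/241 and 52/242); the remaining VLANs are the ones in the notes.

```cisco
! ===== 6504-A (root for the odd VLANs, backup root for the even ones) =====
! add the remaining VLANs from the notes to each list
spanning-tree vlan 51,241 priority 4096
spanning-tree vlan 52,242 priority 8192
!
! two 1G RJ45 links bundled into Po1 towards 6504-B (2G EtherChannel)
interface range GigabitEthernet1/1 - 2
 media-type rj45
 channel-group 1 mode active
!
interface Port-channel1
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 51,52,241,242
!
! OSPF: a unique router-id per core switch, and cost 19 on Vlan100 as the
! notes require (expected routing-table entry [110/20])
router ospf 1
 router-id 10.0.0.1
!
interface Vlan100
 ip ospf cost 19
!
! ===== 6504-B: mirror image (odd VLANs priority 8192, even VLANs 4096,
! router-id 10.0.0.2, same Po1 and Vlan100 cost) =====
!
! ===== 2960 central switch =====
spanning-tree portfast bpduguard default
```

Check with show spanning-tree vlan 51 on both cores (6504-A must report "This bridge is the root") and show ip route ospf for the [110/20] entries.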
1.x : Multicast to debug (AnyCast)
Multicast traffic must pass only to the connected AP port. 5508-2 WLC.
1.X : QoS
DSCP EF demoted to BE for guest access, without a service policy.
2.1 : All APs must join the central WLC by option 43 and the remote ones by broadcast.
L3500-1 - Primary 5508-1, Sec - 5508-2
L3500-2 - Primary 5508-1, Sec - 5508-2
L3500-3 - Primary 5508-1, Sec - 5508-2
L3500-4 - Primary 5508-2, Sec - 5508-1
Dot1x for L1260-2 and the 3560: remove authentication port-control auto, register the AP to the WLC, set the username/password, then set authentication port-control auto and dot1x pae on the switchport.
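The switchport and WLC commands for the 802.1X AP step above, as an added example that is not part of the original notes. The interface FastEthernet0/1, the RADIUS server 192.0.2.10 with key ACS-KEY, and the AP credentials are placeholders.

```cisco
! ===== 3560: RADIUS/802.1X groundwork (ACS is the RADIUS server) =====
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key ACS-KEY
!
! step 1: take authentication off the AP port so the AP can join the WLC
interface FastEthernet0/1
 description L1260-2
 switchport mode access
 no authentication port-control auto
!
! ===== WLC (5508-1), step 2: AP has joined, push its supplicant credentials
! (WLC CLI, not IOS; placeholder username/password) =====
! config ap dot1x username ap-l1260-2 password AP-SECRET L1260-2
!
! ===== 3560, step 3: enforce 802.1X on the AP port =====
interface FastEthernet0/1
 authentication port-control auto
 dot1x pae authenticator
!
! verify: the AP's session must show Authorized; if it stays unauthorized the
! port blocks the AP's CAPWAP traffic and the AP drops off the WLC
! show authentication sessions interface FastEthernet0/1
! show dot1x interface FastEthernet0/1 details
```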
1260-1 will join by the normal broadcast method.
AP fallback was disabled on most WLCs.
2.X : TACACS+ on WLC 1, 2, 3 for a read-only user, and also for WCS
2.X : DHCP snooping
Something related to the AP Ethernet MAC
find rogue DHCP every 45 minutes
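A DHCP snooping configuration for the access switch the APs are wired to, added as an example and not from the original notes. VLANs 100 and 129 are taken from the notes; the interface names, the rate limit and the uplink pointing at 6504-A are assumptions.

```cisco
! ===== 2960 / 3560 access switch =====
ip dhcp snooping
ip dhcp snooping vlan 100,129
! on untrusted ports the frame's source MAC must match the DHCP chaddr
! (on by default, shown here so it is visible when troubleshooting)
ip dhcp snooping verify mac-address
! option 82 insertion is on by default; leave it off unless the 6504 relay
! is set to accept it (ip dhcp relay information trust-all)
no ip dhcp snooping information option
!
! uplink to the core: the only place DHCP offers may legitimately come from
interface GigabitEthernet0/1
 description uplink to 6504-A (DHCP scopes live on 6504-A/B)
 ip dhcp snooping trust
!
! AP ports stay untrusted: offers from a rogue DHCP server behind an AP
! are dropped here, and a client storm is rate limited
interface range FastEthernet0/10 - 12
 description AP ports
 switchport access vlan 100
 no ip dhcp snooping trust
 ip dhcp snooping limit rate 15
!
! verify and hunt for rogue offers:
! show ip dhcp snooping
! show ip dhcp snooping binding
! show ip dhcp snooping statistics
```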
2.X : only the VLANs where APs are connected should be able to talk multicast to the WLC over L3
3.1 : The bridge on the autonomous APs is configured with PSK; you must configure EAP-TLS (with a certificate on both APs). There are 5 files for the certificates, in cut-and-paste format:

certificate CA1
certificate bridge
certificate CA2
Bridge certificate
Bridge private file
3.2 : class-map on the autonomous access point to give RADIUS higher priority
Set UDP 1812/1813 between the ACS and the remote switch to the highest QoS marking on the radio, all other traffic to the next highest.
Service policy on the radio for RADIUS 1812/1813 between the ACS and the remote switch only. The RADIUS ports should get the highest QoS marking and the rest the next highest, only on the radio. CS7 and CS6.
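The class-map / policy-map for 3.2 on the autonomous bridge AP, added as an example and not from the original notes. The ACS address 192.0.2.10 and the remote-switch address 192.0.2.20 are placeholders; the autonomous AP policy-map sets CoS, so CoS 7 and CoS 6 stand in for the CS7/CS6 named in the notes.

```cisco
! RADIUS auth/acct (UDP 1812/1813) in both directions between ACS and the
! remote switch; nothing else matches this ACL
access-list 101 permit udp host 192.0.2.10 host 192.0.2.20 range 1812 1813
access-list 101 permit udp host 192.0.2.10 range 1812 1813 host 192.0.2.20
access-list 101 permit udp host 192.0.2.20 host 192.0.2.10 range 1812 1813
access-list 101 permit udp host 192.0.2.20 range 1812 1813 host 192.0.2.10
!
class-map match-all RADIUS
 match access-group 101
!
! RADIUS -> CoS 7 (highest), everything else -> CoS 6 (next highest)
policy-map RADIO-QOS
 class RADIUS
  set cos 7
 class class-default
  set cos 6
!
! applied only on the radio carrying the bridge link (2.4 GHz per the notes),
! not on the Ethernet interface, so wired traffic keeps its own marking
interface Dot11Radio0
 service-policy input RADIO-QOS
 service-policy output RADIO-QOS
!
! verify the counters move for the RADIUS class during an authentication:
! show policy-map interface Dot11Radio0
```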
3.3 : 1260-BR2 is plugged into the WAN. The best path is currently the bridge; change it to be the WAN.
12602-BR2 is connected to the WAN and via the bridge link to 12602-BR1

4.1 : There are two PKIs: CA1 (issued ACS) and CA2 (other PKI)
ACS should send an ACL in the attribute according to the user's department: DepartementX and one other.
2 different CAs: DepartementX with the Win2008 CA and AnyConnect profile cciewirelessTLS shouldn't access VLAN 100 but all others yes. And the old certificate from wirelessCA with the preconfigured profile wirelessnetTLS: no access to VLAN 129, all others yes.
4.X : APs should also work for Costa Rica (I added the country Costa Rica)
4.X : Contractor WLAN with WPA2/AES, no power changes: WMM disabled and coverage hole detection disabled
4.X : To extend the contractor WLAN we need to create an interface group on the WLC. Avoid duplicate multicast packets.
4.X : Roaming not working between 5508-1 and 5508-2 WLC (same as LAB2 and LAB3)
4.X : GUEST termination on 5508-3 (passthrough without email input, just get access by click)
4.X+1 : GUEST from 5508-1 should have vlan dmzguest-b1, guest from 5508-2 should have vlan dmzguest-b2 (foreign mapping) - all others to the non-routed interface

4.X : There are Contention Window EDCA parameters to check on the WLC

4.7 : Home office AP configuration (Exactly same as LAB2 and LAB3)
4.5 : MESH between 2960 (3500-3) and 6504-1 (3500-2)
Native VLAN 73, and 59 for the 2960 mgmt VLAN. The question only requires that if you shut down the wired connection between 6504-A and the 2960, the 2960 mgmt address should still be pingable from the central office. (mgmt 2960 - 192.168.59.2)
4.6 : Certificate + FQDN for Web portal on 5508-3
4.9 : CleanAir (Exactly same as LAB2)
4.X : TPC 50mW 14dB
4.X : 5503: change the primary and backup ports - given in the question.

5.1 : WCS : add MSE and synchronization with the map (Same as LAB2)


5.2 : configure backup once a week at 23h00, 1000 client limit (-> Settings)
5.3 : configure AP events (AP load and failure events) to be sent to 127.0.0.1 on SNMP port 1162.
5.4 : If a phone is missing for more than one minute then create an alarm and send it to 192.168.129.11 (WCS), port 1162. Don't forget to sync the groups with MSE.

6.1 : voice ssid is configured (PSK), problem with DHCP_REQD for the voice SSID (DHCP override and DHCP required were enabled under the WLAN advanced page)
6.2 : Change PSK to EAP-TLS with the certificate embedded in the phone. Set the right ACS policy.
6.3 : Do a call to 1001 (same as the other LABs)
6.4 : Voice Troubleshooting (Exactly same as LAB2 question 6.2)
6.x : cckm time >1 second: config wlan security wpa akm cckm timestamp-tolerance 5000 <WLAN id>
