Wireless for Network Engineers - Part 2

Captions
Hello and welcome to SDN TechForum. This is Wireless for Network Engineers, part two. In this video we are going to continue our journey from part one, where we applied the base configuration on the eWLC. Now we will configure policy objects and tags on the eWLC so that my AP can join the eWLC. In that journey we will also explore internal versus external DHCP and option 43 based controller discovery. We will see how the AP joins the WLC using CAPWAP, and also talk about the issues we encountered during this and any workarounds along the way.

All right, so we are going to talk at a very high level about the issues we encountered, and from there we will go to the actual demo. Okay, so "issues encountered" is coming on my screen, as you can see. If you are using a VMware hypervisor, you need to allow promiscuous mode and MAC forged transmits on the vSwitch. The eWLC internal DHCP does not support option 43, so if you want to do option 43 based discovery you may have to shift to external DHCP. Bypassing day zero may result in loss of the trustpoint, and we will understand what this is. Configure the wireless management interface on the eWLC; this is important, otherwise the CAPWAP tunnel will not establish. All right, so this is the agenda you can follow along with me. In part two we are going to make sure that the AP joins the controller and broadcasts the SSID; in part three we will talk about the client joining the WLAN.

All right, so the agenda is set, and now let's go ahead and start configuring our eWLC. I'm going to SSH to the eWLC shell. You really do not have to SSH, but I'm keeping the shell open so that we can watch the configuration whenever we apply any policy or object: we can see what the after-effect of that is, or how it gets translated into the policy. So right now, as per our previous video, we have VLAN 10 configured, which is the AP VLAN. I'm going to configure one more VLAN, VLAN 100, and we are going to use it in part three when the client connects to this WLAN network. So VLAN 100, name "user data VLAN"; that's what you do first: you have to create the VLAN even before you start assigning it to any interface. As you can see, GigabitEthernet 2 is the port where my AP is connected today, and as per the previous video we have allowed VLAN 10. Now I'm going to do "allowed vlan add"; make sure you say "add", otherwise it will override. So now I'm allowing two VLANs, 10 and 100, on that trunk link which is connected from the AP directly to the eWLC.

All right, now let's go and open the UI as we set it up previously. Chrome decided not to open it, so you just have to type "thisisunsafe"; I know you guys know the hack I use in SDN Tech. So now I'm landing in the web UI. This web UI and everything, we set it up in part one, so if you have not watched part one, go to the description and you will find the link for part one. All right, so as you can see I do not have any access point, and if you don't have any access point, no client as well. Let's look at the configuration first: no logical interface and no loopback, but if you want you can create a loopback in case you have redundancy in your system or environment. So two interfaces we are using, Gigabit 1 and Gigabit 2. Gigabit 2 is data and control, and 1 is purely out-of-band management; you can think of it like that. Again, there are different tabs, but we are not interested in all of them. I have made a separate video, and I'm going to put that link in the description also, where I'm talking about all the different tabs and what their importance is. For this, policy and tags, we are only concerned with tags and profiles; that's the main segment which we want to do.

So let's first configure two DHCP pools. This is if you want to use the eWLC as your DHCP server, and the eWLC does give you that functionality, so you can create the DHCP pool here. We are going to create the first DHCP pool, say "AP pool", and you can name it per building or site or floor, like that. My AP subnet is in the 172 subnet and we will use a different subnet for user data, to have a clear separation. So you can specify the starting IP and ending IP; you can also set the lease duration, maybe 12 hours, 24 hours, or you can keep it "never", so that next time it allocates a new IP because the lease never expired. Let's create another DHCP pool, and this one is going to be for users. I'm going to say "user data VLAN", and as mentioned we will use the 10 subnet for user data. Again starting IP and ending IP, then you can specify the data. So as you are creating this DHCP pool, the eWLC goes ahead and configures the pool in IOS-XE terms.

All right, next what I want to do: since I already have my AP connected to the eWLC, I want to get console access as well, so I have connected a serial console cable to the AP, because the AP is right now sitting on my desk, and I want console access to that AP so that we can watch all the logs live on the console. So if you have console access to your APs, I highly recommend you have a serial connection so that you can watch the logs. You really don't need to configure anything on the AP console or the AP CLI, but it's always good to have access so that we can understand from a technology perspective what is going on when the AP connects to the eWLC: how the CAPWAP exchange and other things happen. It is also very good for troubleshooting. Sorry, as you can see I'm struggling a little bit here with SecureCRT; let me try to make a connection. You need to have your COM port, and 9600 is the baud rate you need to use; if you use any higher baud rate like 38000 or something, this will be gibberish, so use 9600 for the console port. As you can see, as I connected to the console I can see all the logs here. Okay, so we have console access to the AP and the AP is booting.

Okay, so far what we have done: we have not configured any policy or object, but we have configured our eWLC interface which is connected to the AP as a trunk, and connected our AP physically. All right, and we are watching the AP boot. By default when the AP comes online its username is cisco and the password is Cisco, with the C in caps. This is the default username and password. You will see, when the AP joins the controller, it inherits the username and password from the eWLC, so this password will get changed to whatever you have defined. My wired0 right now, this is the interface which is connected, and there is no CDP neighbor, because mostly it's not a physical appliance, and a virtual appliance does not advertise CDP unless you ask it to, and we will do that in the next section. Once the AP is connected and there is no policy or tag, it will check for the heartbeats or keepalives from the WLC, and if there is no keepalive it will keep on rebooting, so it's not very efficient. Now let's make sure we configure the policy and tags. Our method will be: we will configure everything from the UI, though we'll come back to the SSH session or CLI and watch the effect, what configuration is being pushed.

All right, let's configure interface VLAN 10. So we configured the VLAN, but now I'm configuring a layer 3 interface within that VLAN, and this is the VLAN IP address, and mind it, this is also going to be my controller IP. So all my APs, since they are part of VLAN 10, will use interface VLAN 10 as the controller IP address to join this controller. You can ignore Gig 1 completely; that is only out-of-band management. All the AP and controller communication is going to be on GigabitEthernet 2, which is my controller IP. All right, so my VLAN 10, I assigned the IP address and it is up. Excuse me. So now let's go ahead and configure policy. We already have two internal DHCP pools configured, one for user data and one for the AP floor, and as you notice, or I notice, I am using two different or wrong subnets, so let me create the AP VLAN pool one more time, because I configured it with 172.168, but that's not the case; I want to use the 172.16.0.0/24 subnet. So sometimes, you know, in planning you are thinking something but you type something else. So let's just quickly go ahead and create the AP VLAN DHCP pool one more time.

Now we have the DHCP pool, we have the interface VLAN set on the eWLC, and let's get to the meat of this exercise, that is creating tags and profiles. The first thing you want to create is an AP join profile. This is not an AP name; this is a profile name which will be applied on all the APs. So the bare minimum you want to do is the name, and an NTP server is very good here. This is the mandatory configuration, the CAPWAP configuration: this is the controller IP address which will be passed to the AP in DHCP option 43, okay, so that's my interface VLAN 10, 172.16.0.1. The rest of the things are pretty much optional or fine tuning; we will not go into those details for now. And this is the username and password I mentioned earlier: by default cisco/Cisco is your username and password, but once the policy is associated, the default username and password will change, and you can see I'm setting the username and password as admin and sdntech. So once my AP joins this controller, the username and password will change. CDP status is enabled, but enabling CDP here alone is not sufficient; you need to enable it in the VMware virtual switch as well. There are multiple very advanced options there which I'm just clicking through so that you can see, but we are not making any changes there. So under the AP join profile you need two things: profile name and controller IP.

Once you define the AP join profile, let's go to policy. You always have a default placeholder created, but let's go ahead and create a new one which we are going to use in our configuration. Again, policy profile name, so you have to name it, and you will understand why the name is important, because you are calling these objects while associating them to the AP. The only thing right now you need is the name, and toggle it to enable. Obviously if you're doing advanced stuff you can use CTS, so you can tag your traffic and based on tags you can filter your traffic, but we are not doing any inline tagging or fabric. The second mandatory thing here in the policy profile is to choose your VLAN, what VLAN you want to use. As you hit "apply to device", that gets translated into configuration. Okay, so now what we did: we created an AP join profile and then we created a policy profile. The final thing is to create an RF tag and a WLAN. So these are like individual objects which you create, and then you stitch them together.

For the RF profile, let's not create a new RF profile; whatever comes by default, like 5 GHz and 2.4 GHz, is good enough for me. Because what is under this profile, as you can see, is your frequency band and then the operational rates, so you can turn off lower operational rates and keep only higher operational rates available, in case you know your network and what the different capabilities of the clients which are going to connect to your network are. All those things you can do here, and we are good with the default one because it's a lab environment. But in your production environment, if you have multiple or different types of clients which may require a lower data rate, then you probably need multiple profiles, or you may have to create a custom profile for them. But for us we are good with the default RF profile.

Now let's go ahead and create a WLAN. This is the visible part that will be broadcast: the SSID will be broadcast, where the client can see the SSID and try to connect to it. So we are going to name the profile "sdntech wlan", but the SSID will be "sdntech", and let's enable it. And we are saying broadcast SSID, that means it will be broadcast, that means when you search for it your client can see sdntech as an available network. For security you can do multiple kinds of security; 802.1X is pretty secure, but for simplicity we are only going to do PSK, pre-shared key authentication, and choose your format and then define the pre-shared key. I'm keeping it unencrypted just for simplicity, and the password is cisco123, so this is the password my client will use to join this SSID or this network. We are not going to make any changes in layer 3 or AAA; layer 3 is mostly for web authentication or web redirection. So now as you can see under "add WLAN" we created the layer 2 format and specified the security, so my SSID is created now.

So we have created the AP join profile and policies; now let's go to tags. We first create a policy tag: name the tag, then you have to add the policy map. As you can see, just before this step we created the WLAN profile, and I'm calling the WLAN profile, and the policy profile we created is the second step, so both those objects I'm calling here under my policy tag. Now let's go to site tag; a default is also available, but we'll create a new one. So the policy tag calls for the WLAN, part of a site, and the site tag calls for the AP join profile. We are not doing any fabric, so leave it, and enable local site; this is local mode. Okay, apply to device. RF: we are not going to create anything new, we will live with the default RF tag. So these are the three individual tags. Finally you are attaching all these objects to the AP. How can you attach? You can attach either using tag source, or static, or you can apply a filter. Our method will be a very simple one, which is static; that means we know the AP MAC address beforehand, and we will use that MAC address to identify that AP and attach all the objects we have created so far. So I'm selecting all the objects, policy tag, site tag, RF tag, that we intend to use, and then you need to know the AP MAC, and that's where having console access to your AP is beneficial or useful. As you can see, since I am on the console, I can do "show version", and the base Ethernet MAC address is the MAC address format I need to copy and paste, so that when the AP sends the controller a join request, the eWLC knows, okay, this is a known controller, I have a static assignment for that, and let me push this policy object back to this controller. And you will see that when the actual boot happens.

All right, so the policy and everything is applied, and let's connect the shell one more time so that we can see. Oh, here we go: as I applied the configuration, now I am not able to authenticate. So what's the problem? Because in my base configuration in video one I didn't set the enable password, and now AAA is in effect. Though my AAA login is default, it still expects an enable password so that I can go to configuration mode. I missed that in part one, so in part two how can you do that? You can use the web UI, and within the web UI you have that command push, and I used that to send the enable password. Now we are past that, and as you can see, since we have attached the policy, the AP started getting IP addresses. Okay, so the AP has got an IP address, and right now, mind it, our DHCP is hosted internally on the eWLC. And these are all the logs, basically system logs; it's complaining because my GigabitEthernet 1 is also up and probably it is getting some DHCP discover messages from the LAN, and since we do not have any pool, these you can ignore. But what is happening, focus on interface VLAN 10: VLAN 10 reaches out to the eWLC and it will get the IP address. Once it gets the IP address, what happens next? It needs to set up a CAPWAP control tunnel with the controller to exchange the profile information, and that happens on ports 5246 and 5248; these are standard ports, UDP 5246 and 5247 or 5248. I'll put the link, so if you have a firewall make sure these ports are open. But the controller IP: we are planning to pass on the controller IP using DHCP option 43, and if you notice, when I created the DHCP pool for the AP I didn't specify any option. So what happened? As you can see, right now my AP only got the IP address. Okay, so the DHCP binding is good, and I was running all these debugs, so let me stop the debugs. So the AP has got an IP address from the internal DHCP, which is 172.16.0.100, and that's what we see on the AP console. Then what? It is fine, it is trying to do a CAPWAP state discovery, and it is sending the request on a broadcast because it didn't receive any controller IP address. So it is trying to do CAPWAP discovery by broadcast, which is not efficient and not secure as well. Now on DHCP I'm trying to define the option, and what you have to do: you have to select the option, option 43, and in the option value you want to use your controller IP address. Option 43 does not understand an IP address, so you need to convert it to hexadecimal and then define that. But as you have seen, it throws an error, so it forced me to use external DHCP, and now what you're seeing on my screen is a Linux system where I just installed a DHCP server, and now I'm going to go ahead and create the dhcpd config.

Okay, so now we are shifting from the internal DHCP server to an external DHCP server because option 43 was not supported. So this is my Linux machine sitting in the same subnet as the AP, and I specify the subnet, which is 172.16.0, and you can see the vendor-encapsulated option f1:04 and then the hexadecimal of the IP address, which is 172.16.0.1. I have a NIC in the same subnet, so basically now we have another DHCP server in the same subnet. So now the AP request, the DHCP discover, will be broadcast; it will reach the eWLC and it will reach the external DHCP server also, because they are in the same subnet, and this time external DHCP is going to reply with option 43, and that's what we are trying to do here. While creating the subnet and scope I ran into some issues, because if you have any syntax issues dhcpd doesn't tell you. So what you have to do: you have to look at the dhcpd messages in /var/log, and that's where it will clearly tell you what's wrong in your syntax. As you can see I had one extra dot, so I didn't get that dotted decimal right, and it always expects a semicolon at the end. Okay, so now the configuration looks clean; let's try to enable DHCP one more time. And the vendor-encapsulated value is always colons; since I did a copy-paste I forgot to change the dot to a colon, so I'm just sanitizing the config, and this is the moment you can take to see the subnet configuration. Now let's enable DHCP; this is a sudo privilege, so put your root password and say "sudo systemctl enable dhcpd". Simple dhcpd configuration: install the DHCP service, define the subnet and enable it. Simple, since it is in the same subnet, nothing much to do here. Let's verify: now it is active and running because it is happy with the configuration.

Okay, so we have one DHCP server running internally and one DHCP server running externally; we need to get rid of the internal one, and that's what we will do next. But first, since this is a Linux machine, I'm running a firewall, so what I have to do: I can either allow DHCP within the firewall or I can disable the firewall entirely, but for now let's just add or allow the DHCP service, that's the easy one. And this is the command, "sudo firewall-cmd --add-service=dhcp", because DHCP runs on the standard ports UDP 67 and 68, so it will be allowed in the firewall. And "--runtime-to-permanent" will make this rule persistent; that means even if my DHCP server or this Linux server gets rebooted, I still have the rule applied after reboot. As you can see, as we created the DHCP server, these are my lease files created, so you can always go back to your lease file and see who asked for IP addresses and when you allocated IP addresses; all those details you can see from the dhcpd lease file.

So we took a little bit of a detour from the eWLC and started talking about DHCP, but this is all part of the solution. So if you note the DHCP, it will come in handy when you start troubleshooting, because when the client eventually joins the eWLC, not the eWLC, the AP, you need to understand it from the DHCP perspective. Okay, so this is my lease: as you can see the AP already reached out and it has got an IP address, because my DHCP lease file now has the AP information. That means while we were talking the AP has already reached out to the DHCP server, and that's how you can see on screen "IPv4 address updated from 0.0.0.0 to 172.16.0.200", because that's the range we defined; we wanted the lease from 200 to 254, so it got the first IP address. Okay, very well, but why did we come to external DHCP? Because we wanted to supply, send, option 43. Is it happening? Because it was not happening with internal DHCP. So let's see if external DHCP is passing option 43 and my AP can understand that. Okay, CAPWAP started. This is the log: same thing, the DHCP offer is made and the AP has accepted that IP address and applied that IP. So you can see it from both places: you can either see it on the DHCP server or you can see it on the client side, which is the AP. This command comes in really handy if you want to check what's going on in DHCP in real time: "sudo grep dhcp /var/log/messages". So all I'm trying to tell is, in real time, again, either become a superuser or just be in the habit of putting sudo all the time once you start working with servers. Okay, CAPWAP discovery: as you can see, discovery request sent to 172.16.0.1, so option 43 has sent the controller IP. So it is working as expected; that's what we wanted. Once the AP gets the IP address, the next step is it should get the controller IP address and try to initiate the CAPWAP tunnel. It is not happening, so again we ran into some issues, and I did a packet capture of the uplink where the AP is connected, and the packet capture says "CAPWAP malformed tunnel". What does that mean? I don't know.

So I realized that I am missing one step, and that step is I didn't configure the wireless interface; I configured only the Ethernet interface. I didn't configure the wireless interface, or service interface in AireOS language. Okay, so now go ahead and create a new wireless interface, and you can use the same IP address or the same interface, which is VLAN 10, because that is from the control plane perspective, not from the data plane. Still my AP, I can see the join stats: my AP reaches out but the tunnel is not up, so the AP has not joined, or it's still down. I'm looking at join stats, general details; I can see that requests are getting received, but these things are not very clear here. The error that I'm getting is not very clear; it just says "not joined", but not joined for what reason? So that's what I'm trying to understand, and then into this problem: the AP is sending CAPWAP, but why is that CAPWAP not getting entertained, though I have created the wireless interface also? So what's wrong? This went on for some time, and I started doing some research on the internet whether I'm missing something here, because I'm getting a DHCP response from the controller, or a CAPWAP discovery response from the controller, but then why is it not happening, why is the DTLS tunnel not getting set up? Okay, so I realized that I bypassed the day zero configuration in part one, and what happened as a part of that: if you bypass day zero you do not have a trustpoint installed. So right now there is no trustpoint; that's what you saw on my screen, "show wireless management trustpoint": there's no certificate info and private key, this is not there at all. So what you have to do as a workaround: we are going to create the trustpoint certificate manually, because right now the AP is trying to reach but it's not getting accepted, and you can see "DTLS SSC not available" because of that.

So the certificate chain is missing on my eWLC, and that happened because I bypassed the day zero configuration. So please pay heed to this problem if you are following me: don't bypass, or else you have to create it manually using this command. I'm going to give you the link in the description. So you need to create the DTLS SSC manually, and this is what we are going to do: "wireless config vwlc-ssc key-size ... signature-algo sha256 password ..." in clear text; you can keep it encrypted also, but this is what you do, and it creates a vWLC SSC certificate and makes it a trustpoint anchored on this, so my AP knows that I am joining a legit controller, a secure controller, and this certificate exchange can happen. So if the eWLC doesn't have that certificate in the first place, how can it push it to the APs? So that was one oversight or one issue we came across. Then what you have to do: you have to come to the wireless interface and apply that trustpoint. So now your configuration is complete: you have configured your wireless interface with the controller IP address and applied the trustpoint. The AP is again rebooting, let's see what happens. CAPWAP DTLS is set up, and here you can see "sending join request to controller through port 5264", and the AP receives the join response from the controller: accepted join request with the result code, and the CAPWAP tunnel is set up. Once the CAPWAP tunnel is set up the first time, with the first-time tunnel setup the controller decides whether this AP needs a software upgrade or not, and if that is the case it goes ahead and pushes the software and the AP upgrades itself. So as you can see on my screen, after the CAPWAP tunnel it is now upgrading itself; the image is getting upgraded, so it's downloading the image from the eWLC and it will move to the new image. This doesn't happen every time; it's probably the first time when the AP joins the controller, and the next time when you upgrade your controllers, and you can trigger it manually also.

So this is good news, this is a big win. We have our eWLC; so far what we did: we stood up our eWLC in a hypervisor environment, then we configured policies, we connected the AP, and now the AP has joined the controller, so we have the control channel or DTLS connection up and running. But we ran into a couple of issues: the DHCP issue, because internal DHCP option 43 was not supported (I'm just trying to recap a little bit here while the AP is getting rebooted), so the DHCP issue was one, and then the configuration oversight: you need to have a wireless interface configured and a trustpoint available on your eWLC. Okay, it's starting to come up with the new image, and you will see the image parity with the eWLC: my eWLC software is 17.3.3 and the AP is also getting image version 17.3.3 something. Okay, the AP has joined the controller, and the controller name. So this is awesome, this looks really good. As you can see the AP tag changed to the sdntech policy tag, so now it has got the right policy tag association, and everything you have done on the UI you can see in the console, the after-effect of that, and you can match and verify; that's why having console access is really, really powerful. Okay, what I'm trying to show you here is that the default username and password, cisco/Cisco, stopped working because the AP has joined the controller and it has inherited the new profile and new user management. So now the username changed to whatever you defined; in my case it is admin and sdntech, right, that's why authentication failed. SDN Tech enable password: I also set the enable password the same as sdntech, and now I'm in the AP, so "show version": you can see this is the new image and uptime, and the last reload reason is image upgrade. All good: we have our access point joined to the controller and we are already advertising one SSID, which is sdntech. Okay, so it looks very good right now, and you can go to monitoring, wireless, AP stats; number of APs, I have only one AP. You can click on it and it will open up a nice picture which will show you all the objects, how you defined all the objects, how they are connected together and attached to this AP. So you have WLAN and policy, site properties, RF tags, all coming together, getting attached to this AP.

So we'll stop here. What we have done: in part one we stood up our eWLC, in part two we let the AP join the controller, and finally in part three we are going to see how my clients use this AP and get associated with the SSID, get their IP address and use the network. So stay tuned for part three. I hope you were able to follow along with me, but I know we ran into a couple of issues here and we moved away from the eWLC to external DHCP and other things. So if you have any questions or doubts, please make the comment section interactive and let me know whatever questions you have, and I'll try my best to help you with that. Okay, thank you, see you in part three.
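The option 43 encoding and the dhcpd subnet stanza described above, as an added shell example that is not from the video: it builds the vendor-encapsulated value from one or more controller IPs, decodes it back as a check (the dot-versus-colon and missing-semicolon mistakes the video hit are exactly what this catches), and emits the ISC dhcpd stanza. The 172.16.0.0/24 AP subnet, lease range 200-254 and controller 172.16.0.1 are the video's values; the ISC dhcpd syntax and the `dhcpd -t` syntax check are assumed to be what the external server runs.

```shell
#!/bin/sh
# Added example (not the video author's code): Cisco DHCP option 43 helpers
# for an external ISC dhcpd used for AP controller discovery.

# One dotted-decimal IPv4 address -> colon-separated hex, e.g. ac:10:00:01.
ip_to_hex() {
  # Positional parameters are local to the function, so split into them.
  set -- $(printf '%s' "$1" | tr '.' ' ')
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  printf '%02x:%02x:%02x:%02x' "$1" "$2" "$3" "$4"
}

# Build the option 43 payload for one or more controllers:
# sub-option type 0xf1 (241), length = 4 bytes per controller, then the IPs.
option43_hex() {
  [ $# -ge 1 ] || return 1
  _out=$(printf 'f1:%02x' $(($# * 4)))
  for ip in "$@"; do
    _h=$(ip_to_hex "$ip") || return 1
    _out="$_out:$_h"
  done
  printf '%s' "$_out"
}

# Decode an option 43 value back to controller IPs (one per line), so a value
# pasted into dhcpd.conf can be checked before the AP ever asks for it.
option43_decode() {
  _v=$(printf '%s' "$1" | tr -d ':' | tr 'A-Z' 'a-z')
  [ "$(printf '%s' "$_v" | cut -c1-2)" = "f1" ] || return 1
  _l=$(printf '%s' "$_v" | cut -c3-4)
  _len=$((0x$_l))
  _body=$(printf '%s' "$_v" | cut -c5-)
  # Declared length must match the remaining bytes and be a multiple of 4.
  [ ${#_body} -eq $((_len * 2)) ] && [ $((_len % 4)) -eq 0 ] || return 1
  while [ -n "$_body" ]; do
    _o=$(printf '%s' "$_body" | cut -c1-8)
    _a=$(printf '%s' "$_o" | cut -c1-2); _b=$(printf '%s' "$_o" | cut -c3-4)
    _c=$(printf '%s' "$_o" | cut -c5-6); _d=$(printf '%s' "$_o" | cut -c7-8)
    printf '%d.%d.%d.%d\n' "$((0x$_a))" "$((0x$_b))" "$((0x$_c))" "$((0x$_d))"
    _body=$(printf '%s' "$_body" | cut -c9-)
  done
}

# Emit the dhcpd.conf subnet stanza carrying the option 43 value.
# Args: subnet netmask range-start range-end controller-ip...
dhcpd_subnet_stanza() {
  _net=$1; _mask=$2; _lo=$3; _hi=$4
  shift 4
  _o43=$(option43_hex "$@") || return 1
  printf 'subnet %s netmask %s {\n' "$_net" "$_mask"
  printf '  range %s %s;\n' "$_lo" "$_hi"
  # Colons between bytes and a trailing semicolon: both bit the video author.
  printf '  option vendor-encapsulated-options %s;\n' "$_o43"
  printf '}\n'
}

# Syntax-check a generated config with dhcpd's own parser when it is installed,
# instead of discovering the error in /var/log/messages after the service fails.
check_dhcpd_conf() {
  command -v dhcpd >/dev/null 2>&1 || { echo "dhcpd not installed, skipping syntax check"; return 0; }
  dhcpd -t -cf "$1"
}

# Demo with the video's AP subnet, lease range 200-254 and controller 172.16.0.1.
dhcpd_subnet_stanza 172.16.0.0 255.255.255.0 172.16.0.200 172.16.0.254 172.16.0.1
```

Redirect the stanza into a file and pass it to `check_dhcpd_conf` before `systemctl restart dhcpd`; a second controller IP appended to the argument list yields `f1:08:...` for HA pairs.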
Info
Channel: SDN TechForum
Views: 67
Keywords: Networking, sdntechforum, monitoring, cisco
Id: hKiU433BdKM
Length: 41min 31sec (2491 seconds)
Published: Thu Oct 28 2021