Volume 2 Workbook
This product is part of the IPexpert "Blended Learning Solution" that provides CCIE candidates
with a comprehensive training program. For information about the full solution, contact an
IPexpert Training Advisor today.
Telephone: +1.810.326.1444
Email: sales@ipexpert.com
Congratulations! You now possess one of the ULTIMATE CCIE Wireless Lab preparation
resources available today! This resource was produced by senior engineers, technical
instructors, and authors boasting decades of internetworking experience. Although there is no
way to guarantee a 100% success rate on the CCIE™ Wireless Lab exam, we feel VERY
confident that your chances of passing the Lab will improve dramatically after completing this
industry-recognized Workbook!
IPexpert is proud to lead the industry with multiple support options at your disposal free of charge.
Our online communities have attracted a membership of over 20,000 of your peers from around
the world! At Blog.IPexpert.com you can keep up to date with everything IPexpert does, as well
as start your own CCIE-focused blog or simply add your existing blog to our directory so your
peers can find you. At OnlineStudyList.com, you may subscribe to multiple SPAM-free, CCIE-focused email lists.
Feedback
Do you have a suggestion or other feedback regarding this book or other IPexpert products? At
IPexpert, we look to you our valued clients for the real world, frontline evaluation that we
believe is necessary to improve continually. Please send an email with your thoughts to
feedback@ipexpert.com or call 1.866.225.8064 (international callers dial +1.810.326.1444).
In addition, when you pass the CCIE Lab exam, we want to hear about it! Email your CCIE
number to success@ipexpert.com and let us know how IPexpert helped you succeed. We would
like to send you a gift of thanks and congratulations.
IPexpert, Inc. is committed to developing the most effective Cisco CCIE R&S, Security, Service
Provider, Voice and Wireless Lab certification preparation tools available. Our team of certified
networking professionals develops the most up-to-date and comprehensive materials for
networking certification, including self-paced workbooks, online Cisco hardware rental, classroom
training, online (distance learning) instructor-led training, audio products, and video training
materials. Unlike other certification-training providers, we employ the most experienced and
accomplished team of experts to create, maintain and constantly update our products. At
IPexpert, we are focused on making your CCIE Lab preparation more effective.
The scenarios covered in this workbook were developed by Wireless CCIEs to help you prepare
for the Cisco CCIE Wireless laboratory. It is strongly recommended that you use other reading
materials in addition to this workbook.
Training is not the CCIE Wireless workbook objective. The intent of these labs is to test your
knowledge and ability to implement Cisco Enterprise Wireless Solutions.
Time management is very important. If you get stuck on a lab scenario, be sure to write it down.
Formulate a checklist for skipped sections and then return to those sections once you have gone
through the entire lab. Be sure to revisit the questions that you do not understand.
Helpful Hints
Keep It Simple, try to avoid any extra work (example: adding descriptions)
Always reference everything from the Documentation Website:
http://www.cisco.com/cisco/web/psa/default.html?mode=prod
Know your SRNDs well http://www.cisco.com/go/srnd
Save your router configurations often (wr is the quickest command)
This is a legally binding agreement between you and IPEXPERT, the Licensor, from whom you have licensed the
IPEXPERT training materials (the Training Materials). By using the Training Materials, you agree to be bound by the
terms of this License, except to the extent these terms have been modified by a written agreement (the Governing
Agreement) signed by you (or the party that has licensed the Training Materials for your use) and an executive officer of
Licensor. If you do not agree to the License terms, the Licensor is unwilling to license the Training Materials to you. In this
event, you may not use the Training Materials, and you should promptly contact the Licensor for return instructions.
The Training Materials shall be used by only ONE (1) INDIVIDUAL who shall be the sole individual authorized to use the
Training Materials throughout the term of this License.
The Training Materials are the property of IPEXPERT, Inc. ("IPEXPERT") and are protected by United States and
International copyright laws. All copyright, trademark, and other proprietary rights in the Training Materials and in the
Training Materials, text, graphics, design elements, audio, and all other materials originated by IPEXPERT at its site, in its
workbooks, scenarios and courses (the "IPEXPERT Information") are reserved to IPEXPERT.
The Training Materials cannot be used by or transferred to any other person. You may not rent, lease, loan, barter, sell or
time-share the Training Materials or accompanying documentation. You may not reverse engineer, decompile, or
disassemble the Training Materials. You may not modify, or create derivative works based upon the Training Materials in
whole or in part. You may not reproduce, store, upload, post, transmit, download or distribute in any form or by any
means, electronic, mechanical, recording or otherwise any part of the Training Materials and IPEXPERT Information other
than printing out or downloading portions of the text and images for your own personal, non-commercial use without the
prior written permission of IPEXPERT.
You shall observe copyright and other restrictions imposed by IPEXPERT. You may not use the Training Materials or
IPEXPERT Information in any manner that infringes the rights of any person or entity.
Exclusions of Warranties
THE TRAINING MATERIALS AND DOCUMENTATION ARE PROVIDED AS IS. LICENSOR HEREBY DISCLAIMS ALL
OTHER WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, INCLUDING WITHOUT LIMITATION, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. SOME STATES DO NOT
ALLOW THE LIMITATION OF INCIDENTAL DAMAGES OR LIMITATIONS ON HOW LONG AN IMPLIED WARRANTY
LASTS, SO THE ABOVE LIMITATIONS OR EXCLUSIONS MAY NOT APPLY TO YOU. This agreement gives you
specific legal rights, and you may have other rights that vary from state to state.
Choice of Law and Jurisdiction
This Agreement shall be governed by and construed in accordance with the laws of the State of Michigan, without
reference to any conflict of law principles. You agree that any litigation or other proceeding between you and Licensor in
connection with the Training Materials shall be brought in the Michigan state or courts located in Port Huron, Michigan,
and you consent to the jurisdiction of such courts to decide the matter. The parties agree that the United Nations
Convention on Contracts for the International Sale of Goods shall not apply to this License. If any provision of this
Agreement is held invalid, the remainder of this License shall continue in full force and effect.
This is the entire agreement between the parties and may not be modified except in writing signed by both parties.
The Training Materials and accompanying documentation are commercial computer Training Materials and commercial
computer Training Materials documentation, respectively, pursuant to DFAR Section 227.7202 and FAR Section 12.212,
as applicable. Any use, modification, reproduction release, performance, display, or disclosure of the Training Materials
and accompanying documentation by the U.S. Government shall be governed solely by the terms of this Agreement and
shall be prohibited except to the extent expressly permitted by the terms of this Agreement.
IF YOU DO NOT AGREE WITH THE ABOVE TERMS AND CONDITIONS, DO NOT OPEN OR USE THE TRAINING
MATERIALS AND CONTACT LICENSOR FOR INSTRUCTIONS ON RETURN OF THE TRAINING MATERIALS.
NOTE
You are encouraged to take advantage of the knowledge and support from your
peers around the globe. Join onlinestudylist.com to get more community support
and also official support from IPexpert.
Table of Contents
IPEXPERT END-USER LICENSE AGREEMENT
END USER LICENSE FOR ONE (1) PERSON ONLY
U.S. Government - Restricted Rights
LAB 1: CCIE WIRELESS VERSION 2 A 8 HOUR TRAINING LAB
MOCK LAB 1: TOPOLOGY
LAB 1: PRE-LAB SETUP
Guests:
AP registration security and local radius:
Client connection testing:
Clean AIR:
5.0 CONFIGURE AND TROUBLESHOOT WCS
WCS:
MAPs:
6.0 CONFIGURE AND TROUBLESHOOT WLAN SERVICES
Wireless Voice:
LAB 5: CCIE WIRELESS V2
Lab Overview
This lab will test your knowledge on several items of CCIE Wireless
blueprint version 2. The wording in the LAB questions might seem extra
hard because they are meant to prepare the candidate to read in between
the lines. The network and WLCs are partly pre-configured in order to save
time but some of the configurations have to be altered to meet the exam
requirements.
The fact that the WLCs are pre-configured doesn't mean that there are no tasks
where you have to rectify wrong pre-configs or make some small changes,
both on the WLCs and the network. Those are all part of solving this lab.
Throughout this lab you may expect to rectify basic IP connectivity issues
on more than one occasion. This is meant to prepare the candidate not to
take anything for granted and stay focused while the lab tries to confuse
you.
This lab will use ALL equipment in the LAB 1: topology. Refer to the names
of the equipment on that topology.
When configuring WLANs/SSIDs, the lab refers to SSID-XX; replace XX
with your pod number (for example, POD01 uses SSID-01).
Unless otherwise indicated, use admin for usernames and IPexpert123
for passwords.
It is strongly advised to read the whole LAB over before you start
configuring. And in each section read it briefly over to refresh. In some
sections some later tasks would better be done first.
Estimated Time to Complete: 8 hours
Lab 1: Prerequisites:
This lab will rely on the network infrastructure. You will need to pre-configure the
network with the base configuration files.
Log on to your Wireless vRack Web UI and navigate to near the top of the web page,
click the Load Lab button and choose: IPexpert WIFI Volume 2 Workbook Lab 1
INITIAL
Lab 1: Tables
VLAN  VLAN Name      Subnet         Netmask
      Servers        10.10.210.0    /24
10    HQSwitchMgmt   10.10.10.0     /24
11    HQGuest1       10.10.11.0     /24
12    HQData1        10.10.12.0     /24
13    HQData2        10.10.13.0     /24
14    HQData3        10.10.14.0     /24
15    HQVoice1       10.10.15.0     /24
16    HQVoice2       10.10.16.0     /24
17    HQData4        10.10.17.0     /24
20    MOSwitchMgmt   10.10.20.0     /25
21    MOGuest1       10.10.21.64    /26
22    MOData1        10.10.22.128   /26
23    MOVoice1       10.10.23.192   /26
105   HQServicePort  10.10.105.0    /24
110   HQAAP          10.10.110.0    /24
111   HQWLC1         10.10.111.0    /24
112   HQWLC2         10.10.112.0    /24
113   HQLAP1         10.10.113.0    /24
114   HQLAP2         10.10.114.0    /24
120   MOWLC1         10.10.120.128  /26
121   MOLAP1         10.10.121.192  /26
999   VLAN999        n/a            n/a
Device  Port   Connected Device  Connected Port  IP Address
CAT1    NA     NA                                10.10.10.2
CAT2    NA     NA                                10.10.10.3
CAT3    NA     NA                                10.10.10.4
CAT4    NA     NA                                10.10.20.1
ACS     NIC1   CAT2              Fa0/11          10.10.210.5
WCS     NIC1   CAT2              Fa0/11          10.10.210.6
CME     Fa0/0  CAT1              Fa0/4           10.10.210.20
MSE     Eth0   CAT2              Fa0/11          10.10.210.10
WLC1    Po1    CAT2              Gi0/1           10.10.111.10
WLC2    Po1    CAT3              Gi0/1           10.10.112.10
WLC3    Po1    CAT4                              10.10.120.140
WLC4    Po1    CAT2                              10.10.112.20
AAP1    Gi0    CAT1                              10.10.110.100
AAP2    Fa0    CAT3                              10.10.110.101
LAP1    Gi0    CAT1              Fa0/1           10.10.113.x
LAP2    Fa0    CAT2              Fa0/2           10.10.114.x
LAP3    Gi0    CAT3              Fa0/3           10.10.114.x
LAP4    Gi0    CAT4              Fa0/4           10.10.121.x
LAP5    Fa0    CAT4              Fa0/5           10.10.121.x
Values the extracted table does not tie to a row: Fa0/2, Fa0/15, Fa0/2, Fa0/1 (connected ports); 10.10.205.20 (Loop).
L2 switching in HQ: To prepare your network we need to take extra care that the network is
properly set up. All future configurations with wireless components will rely on the network to
work. Please bear in mind that most wireless issues are related to the network. The Proctor
Labs lab environment will have some preconfigured equipment. It is up to you to change
configuration according to the requirements in this lab.
Cat1 will handle all VLANs and distribute them to Cat2. Cat3 will also get all
VLAN changes from Cat1.
o Use MD5 encryption to protect the VLAN database on your 3 switches.
o Use ipexpert123 as the MD5 secret.
Cat1 should be the root for odd numbered VLANs in the HQ.
Cat2 should be the root for the even numbered VLANs in the HQ.
Do not configure Cat3 for the last question above.
o From Cat3, show commands should give the correct outcome to see
where the root bridges are. Cat1 should be seen as root for odd
numbered VLANs and Cat2 for even numbered VLANs.
Configure the 2 links between Cat1 and Cat2 to appear as one STP instance.
o Use a negotiation method that is Cisco proprietary.
L3 routing
Site HQ: Cat1 SVIs always have the last usable IP address from each VLAN network. Cat2
SVIs always have the next IP address below in each VLAN network. VLAN 10 should be .2 on Cat1
and .3 on Cat2. Cat3 only needs an SVI interface and IP address in VLAN 10 (HQSwitchMgmt). For
the Cat3 VLAN 10 SVI, use IP address 10.10.10.4/24. VLAN 5 is preconfigured; don't change that,
as that will ruin management access to your servers.
Create the SVIs on your appropriate HQ switches and ensure you have
connectivity between all L3 interfaces. Refer to table 1 for the VLAN IDs. HQ,
MO have different VTP domains as can be seen in table 1.
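The HQ addressing rule above, worked through as an added example that is not part of the workbook: the Python below derives the Cat1 and Cat2 SVI address for each HQ VLAN and flags hosts that reuse one of them. It goes beyond the /24 case to any prefix length; the function names and the sample rows are constructed for illustration, and the WLC1 address is the one the lab gives for VLAN 11.

```python
import ipaddress

# Exception stated in the lab text: VLAN 10 is .2 on Cat1 and .3 on Cat2.
FIXED_SVI = {10: ("10.10.10.2", "10.10.10.3")}

# Constructed sample rows (VLAN id, name, subnet). The two /25 halves show
# how the rule behaves once a /24 has been split between two VLANs.
SAMPLE_VLANS = [
    (10, "HQSwitchMgmt", "10.10.10.0/24"),
    (11, "HQGuest1", "10.10.11.0/24"),
    (12, "HQData1", "10.10.12.0/25"),
    (32, "HQData1-2", "10.10.12.128/25"),
]


def hq_svi_pair(vlan_id, cidr):
    """Return (cat1_svi, cat2_svi, network) for one HQ VLAN.

    Cat1 takes the last usable host address and Cat2 the address just
    below it, unless the VLAN has a fixed pair in FIXED_SVI.
    """
    # strict=True rejects input such as 10.10.12.5/25 (host bits set),
    # an easy slip when a subnet has been split.
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.num_addresses < 4:
        raise ValueError(f"VLAN {vlan_id}: {cidr} has no room for two SVIs")
    if vlan_id in FIXED_SVI:
        cat1, cat2 = (ipaddress.ip_address(a) for a in FIXED_SVI[vlan_id])
    else:
        cat1 = net.broadcast_address - 1
        cat2 = net.broadcast_address - 2
    for addr in (cat1, cat2):
        unusable = (net.network_address, net.broadcast_address)
        if addr not in net or addr in unusable:
            raise ValueError(f"VLAN {vlan_id}: {addr} is not a host in {net}")
    return cat1, cat2, net


def build_plan(vlans):
    """Build {vlan_id: row} and refuse subnets that overlap each other."""
    plan = {}
    for vlan_id, name, cidr in vlans:
        cat1, cat2, net = hq_svi_pair(vlan_id, cidr)
        for other_id, other in plan.items():
            if net.overlaps(other["net"]):
                raise ValueError(f"VLAN {vlan_id} overlaps VLAN {other_id}")
        plan[vlan_id] = {"name": name, "net": net, "cat1": cat1, "cat2": cat2}
    return plan


def svi_conflicts(plan, hosts):
    """Return (host, ip, vlan_id, switch) for hosts that reuse an SVI address."""
    conflicts = []
    for host, ip in hosts:
        addr = ipaddress.ip_address(ip)
        for vlan_id, row in plan.items():
            if addr == row["cat1"]:
                conflicts.append((host, ip, vlan_id, "Cat1"))
            elif addr == row["cat2"]:
                conflicts.append((host, ip, vlan_id, "Cat2"))
    return conflicts


def render(plan):
    """One text line per VLAN with both SVI addresses in CIDR form."""
    lines = []
    for vlan_id, row in sorted(plan.items()):
        plen = row["net"].prefixlen
        lines.append(
            f"VLAN {vlan_id:<4}{row['name']:<14}"
            f"Cat1 {row['cat1']}/{plen}  Cat2 {row['cat2']}/{plen}"
        )
    return lines


if __name__ == "__main__":
    plan = build_plan(SAMPLE_VLANS)
    print("\n".join(render(plan)))
    # WLC1's VLAN 11 interface is clear of both SVIs; "printer" is a
    # constructed mistake that lands on the Cat2 address.
    hosts = [("WLC1", "10.10.11.252"), ("printer", "10.10.11.253")]
    print(svi_conflicts(plan, hosts))
```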
QOS
On all routers and switches, trust layer 2 and layer 3 QoS markings where
appropriate.
Tune your CoS to DSCP mapping (and vice versa) as Cisco best practices
recommend.
o VoIP SCCP AVVID gets value of 24 (CS3) instead of the default 26
(AF31). VoIP RTP stream gets value of 46 (EF) instead of the default 40.
The traffic from MO should have a policy that marks skinny traffic and RTP VoIP
traffic.
o Skinny is TCP port 2000.
o RTP traffic is UDP port range 16384 to 32767.
o It is uncertain that the ISP is marking the packets correctly over the WAN.
Ensure the correct marking is maintained.
AP management
HQ
LAP2 (f0/2 on Cat2) and LAP3 (F0/3 on Cat3) should discover WLC2 and WLC4
with DHCP (don't use DNS).
o Future APs will use the DHCP information to load balance new APs
between the WLC2 and WLC4. Name the APs from their default name to
the name in table 1. Subnets for those APs are listed in table 2. Configure
your network accordingly.
o Use your Microsoft DHCP server to accomplish this.
o Exclude the range from 1 to 20 and 200 to 254.
o Microsoft DHCP server is 10.10.210.6
Make sure that WLC2 will be primary and WLC4 secondary Controllers for LAP2
and LAP3. Mobility group should be named HQ.
LAP4 and LAP5 should join WLC4 with DNS lookup configured on Microsoft
DNS. Set those APs on VLAN 121 on Cat4.
Use NTP server on WCS to synch time for all your wireless network devices
including the WLCs. WCS is 10.10.210.6
Controllers should synch time every 2 hours.
Cat1 should be the NTP master for all switches. Use password "ipexpert" for
NTP authentication. Use UTC time zone 0.
Cat1 should answer NTP requests only on VLAN 10 and only allow switches in
your network to synch time with Cat1. Cat2 uses VLAN 5 IP, Cat4 uses VLAN 20
IP and Cat3 uses VLAN10 IP address for NTP communications.
Don't forget the autonomous APs!
Switching security
In HQ, all switch ports with access points should get disabled if BPDUs are
advertised over the port.
Autonomous Setup
An aluminum company has mobile cranes in their manufacturing area. Those cranes will have
industrial computers on board with Ethernet ports (no wireless). You need to use AAP2 to
connect the industrial computer to the wireless network.
Make a Layer 2 only VLAN 999 on the AAP2-connected switch to avoid loops in your
network.
AAP2 will connect to AAP1 with 802.1x security. SSID is crane-xx. Username is
crane and password is aluminum.
o AAP1 will authenticate the crane user, and the industrial PC should be on
VLAN 17. As the industrial PC is not ready yet, configure DHCP on AAP2
to see DHCP work. Configure DHCP on Cat1 for VLAN 17. Exclude the
first 9 addresses.
o Use the most secure EAP option that is Cisco proprietary.
The crane is mobile. Ensure that it only scans non-overlapping channels in your
2.4 GHz frequency, so it uses the least time to scan channels when moving
around.
Ensure that the association is reliable, so the AP disassociates clients only after
127 packets are lost.
4.0
WLC management
WLC1 has its Service Port connected to Cat1.
Connect the SP on VLAN 5. Use DHCP from Cat2 for the SP. The SP port
should always get the 10.10.210.50 address. This should only work for WLC1 SP
interface. Default gateway advertised by the DHCP scope should be VLAN 5 SVI
on Cat1.
It is required that users from Cat4 MOData1 can reach this SP and manage it.
Pinging that address from the MOData1 VLAN should work. Remove this
configuration after you have made it work. Why?
On WLC1 guests should see the name guests.proctorlabs.com in their web
browser URL when doing guest authentication. This name should resolve on
your DNS server (Microsoft server 10.10.210.6) to WLC1 virtual IP address.
All WLCs should have IP management interfaces according to table 2. Verify it
is all correct.
Configure appropriate VLAN interfaces per WLC according to table 3.
Device  Interface           IP Address       Default gateway  WLAN
WLC1    Vlan 11             10.10.11.252/24  10.10.11.254     HQ-guests-XX
WLC2    WLC1 Anchor         NA               NA               HQ-guests-XX
WLC2    Management Vlan 13  10.10.13.50/24   10.10.13.254     Client-Vlan-XX
WLC2    Vlan 15             10.10.15.50/24   10.10.15.254     voip-5ghz-XX
WLC3    Vlan 22             10.10.22.130/26  10.10.22.129     MOData1-XX
WLC4    WLC1 Anchor         NA               NA               HQ-guests-XX
WLC4    Management Vlan 13  10.10.13.51/24   10.10.13.254     Client-Vlan-XX
WLC4    Vlan 15             10.10.15.51/24   10.10.15.254     voip-5ghz-XX
The CLI prompt should represent each WLC. For example WLC1
Set up etherchannel for both interfaces on WLC2. Ensure that APs are load
balanced across the WLC2 ports according to best practices.
QOS needs to be tagged using 802.1p on the management VLAN of all WLCs
Only needed VLANs should traverse over to each WLC in the network.
VLANs on Switches should already be done and working in the first part of this lab.
AP Priming
LAP2 and LAP3 should have redundant WLCs for WLC2 and WLC4.
Ensure that LAP2 will be given priority over other devices when requesting PoE.
Guests
Mobility
HQ users should be able to roam seamlessly between WLC2 and WLC4. This is
not needed for WLC3 in MO.
o Use the mobility name HQ when accomplishing this.
All HQ WLCs should check their mobility members every 15 seconds.
Make sure that your LAP1 uses the lowest 2.4 GHz frequency channel in the
future.
On all your controllers change the utilization trap to trigger at 87% in your 5 GHz
radio only.
Ensure that only those APs can join WLC3 and no other APs.
Configure local RADIUS on WLC3 for the MOData1 WLAN; the SSID is
MOData1-XX in table 3. WLC VLAN 22 IP is 10.10.22.130/26.
Use PEAP MSCHAPv2 authentication, username localpeap, password localradius.
Security is WPA1 with software encryption.
Configure DHCP on WLC3 for these SSID clients. Give out the 131 and 132
addresses of the scope.
Test connectivity with AnyConnect on your test PC.
Your AnyConnect client needs to connect to the Client-Vlan13-XX WLAN in HQ. Configure your
network to meet the requirements below:
SSID Client-Vlan13-XX
o This SSID should exist on WLC2 and WLC4. Clients should terminate at
Vlan13. Table 3 shows what IP goes on the Controllers VLAN13.
Use ACS and EAP-FAST authentication. The RADIUS preshared key is
ipexpert123. First SSH from the Windows machine with admin and IPexpert123,
then configure a user acsadmin password IPexpert123.
o Set your ACS to use NTP at IP 10.10.210.6
o Use client username tarzan with password jane
o Allow OFDM only for this SSID.
o Advertise 802.11i in your beacons but also enable software encryption
to work over 802.11i for older clients.
o DHCP should be set up on Cat1
o On LAP2 this SSID should bypass the controller for data traffic and go to
VLAN 12. Don't use AP-groups to make this work.
o Configure the switch connected to LAP2 to support this scenario. LAP2
should use its current VLAN for management. DHCP for VLAN 12 is on
Cat1.
Test this configuration and see the IP address change on your AnyConnect
client.
Rogue detection
It needs to see if Open access points (no security) are on your wired network.
o We need to detect rogue APs ASAP. Also Greenfield mode APs.
o Make sure that one of your APs connected to WLC3 accomplishes the
above
Man-in-the-middle
Your CEO was reading an article about man-in-the-middle attacks and is worried that your HQ
wireless system is vulnerable.
5.0
WCS Management
Manage all WLCs with WCS using the most secure method
o Username wcs password ipexpert.123-ipexpert.123
o Allow only this method to be used on the WLCs
Maps
Put LAP2 and LAP3 on the floor 1 map on your WCS. Position the APs for best
coverage.
See how AIR-ANT2450S-R antennas will perform on LAP2 2.4 GHz Radio. The
antenna also has to face 25° towards the floor. Let the direction of the antenna
point down the map (90°). Controllers shouldn't send information to WCS when
the APs change their power levels.
6.0
Wireless Voice
On WLC2 and WLC4 in HQ:
Deploy an SSID called voip-5ghz-XX. This will be VLAN 15. WLC IP information is
in table 3. DHCP is on Cat1 and should give out the callmanager option for the
CME router 10.10.210.20.
Allow only 5 GHz connections on this SSID.
o Use 802.11i encryption and ensure that Cisco 7925 phones can roam
seamlessly.
o Phone uses EAP-FAST authentication. On your ACS configure the user
phone with password of ipexpert.
o Test it from your AnyConnect.
Make sure your phones have enough time to authenticate on the ACS so they
don't accidentally time out while retrieving the PACs. Allow at least 20 seconds
to pass before giving up.
Only support 802.11e on this SSID and 7925 phones should get Platinum QoS
treatment. The 802.11e clients with this SSID will get mapped with 802.1p value
of 5 when they hit the wired network.
Support 27 voice streams. Only configure the data-rates necessary.
Deployment Guide specifies the following data rates
o 802.11b - Basic = 11, Optional = None
o 802.11g - Basic = 12, Optional = 18,24
o 802.11a - Basic = 12, Optional = 18,24
o 802.11b/g - Basic = 11, Optional = 12,18,24
The Cisco APs support up to 27 calls, so there is no need for any speeds greater
than 24Mbps.
o 13 Streams = 6Mbps
o 20 Streams = 12Mbps
o 27 Streams = 24Mbps
Use your AnyConnect client to test the connectivity. You should be able to ping
the CME router from the desktop after connecting. It should work from the
AnyConnect client on the PC.
You are at the end of this marathon. It is a bit long, and somewhat longer than the actual lab,
especially chapter 4, but the wording can slow you down as it might do on the actual lab.
So I hope this was a good exercise. Do this lab many, many times to practice speed and
work on things you want to study in the meantime.
To verify your configurations please review the Volume 1 Detailed Solutions Guide
that you received along with this Workbook. You can also find this document in
the eBook section of your www.IPexpert.com account.
Lab Overview
This lab will test your knowledge on several items of CCIE Wireless
blueprint version 2. The wording in the LAB questions might seem extra
hard because they are meant to prepare the candidate to read in between
the lines. The network and WLCs are partly pre-configured in order to save
time but some of the configurations have to be altered to meet the exam
requirements.
The fact that the WLCs are pre-configured doesn't mean that there are no tasks
where you have to rectify wrong pre-configs or make some small changes,
both on the WLCs and the network. Those are all part of solving this lab.
Throughout this lab you may expect to rectify basic IP connectivity issues
on more than one occasion. This is meant to prepare the candidate not to
take anything for granted and stay focused while the lab tries to confuse
you.
This lab will use ALL equipment in the LAB 2: topology. Refer to the names
of the equipment on that topology.
When configuring WLANs/SSIDs, the lab refers to SSID-XX; replace XX
with your pod number (for example, POD01 uses SSID-01).
Unless otherwise indicated, use admin for usernames and IPexpert123 for passwords.
It is strongly advised to read the whole lab over before you start configuring. And in each section
read it briefly over to refresh. In some sections some later tasks would better be done first.
Lab 2: Prerequisites:
This lab will focus on the network infrastructure. You will need to preconfigure the network with the base configuration files.
Lab 2: Tables
VLAN  VLAN Name      Subnet         Netmask
      Servers        10.10.210.0    /24
10    HQSwitchMgmt   10.10.10.0     /24
11    HQGuest1       10.10.11.0     /24
12    HQData1        10.10.12.0     /25
13    HQData2        10.10.13.0     /25
14    HQData3        10.10.14.0     /25
15    HQVoice1       10.10.15.0     /24
16    HQVoice2       10.10.16.0     /24
17    HQData4        10.10.17.0     /24
18    HQWiredGuests
20    MOSwitchMgmt   10.10.20.0     /25
21    MOGuest1       10.10.21.64    /26
22    MOData1        10.10.22.128   /26
23    MOVoice1       10.10.23.192   /26
32    HQData1-2      10.10.12.128   /25
33    HQData2-2      10.10.13.128   /25
34    HQData3-2      10.10.14.128   /25
105   HQService      10.10.105.0    /24
110   HQAAPMgmt      10.10.110.0    /24
111   HQLWAP1        10.10.111.0    /24
112   HQLWAP2        10.10.112.0    /24
113   HQLWAP3        10.10.113.0    /24
114   HQLWAP4        10.10.114.0    /24
120   MOAPMgmt       10.10.120.128  /26
121   MOLWAP1        10.10.121.192  /26
999   VLAN999
Device  Port   Connected Device  Connected Port  IP Address
CAT1    NA     NA                                10.10.10.2
CAT2    NA     NA                                10.10.10.3
CAT3    NA     NA                                10.10.10.4
CAT4    NA     NA                                10.10.20.1
ACS     NIC1   CAT2              Fa0/11          10.10.210.5
WCS     NIC1   CAT2              Fa0/11          10.10.210.6
CME     Fa0/0  CAT1              Fa0/4           10.10.210.20
MSE     Eth0   CAT2              Fa0/11          10.10.210.10
WLC1    Po1    CAT2              Gi0/1           10.10.111.10
WLC2    Po1    CAT3              Gi0/1           10.10.112.10
WLC3    Po1    CAT4                              10.10.120.140
WLC4    Po1    CAT2                              10.10.112.20
AAP1    Gi0    CAT1                              10.10.110.100
AAP2    Fa0    CAT3                              10.10.110.101
LAP1    Gi0    CAT1              Fa0/1           10.10.113.x
LAP2    Fa0    CAT2              Fa0/2           10.10.114.x
LAP3    Gi0    CAT3              Fa0/3           10.10.114.x
LAP4    Gi0    CAT4              Fa0/4           10.10.121.x
LAP5    Fa0    CAT4              Fa0/5           10.10.121.x
Values the extracted table does not tie to a row: Fa0/2, Fa0/15, Fa0/2, Fa0/1 (connected ports); 10.10.205.20 (Loop).
el
li
lta
r
Sa
m
o.
co
te
r
ho
Pe
ya
to
1.2 QoS
Make sure that every port has the right QoS configuration. We want to trust Layer
3 tagging of traffic on all ports that may carry voice traffic.

The traffic from the headquarters should preserve its QoS tagging across the
WAN link to the remote office. It seems the ISP doesn't preserve this tagging, so
make sure that the traffic is re-tagged accordingly after crossing the WAN.
Skinny uses TCP port 2000 and RTP uses UDP port range 16384 to 32767.
Make sure that you are as precise as possible and do not tag traffic that is
not voice traffic.
To reach any internet (i.e. behind WAN / non-local) resource, switches from the
headquarters should use Cat2 as gateway, since Cat2 has the right static route
towards the outside.

When you need to create an interface on a WLC, use the last digit of the
management interface to determine the last digit of your dynamic interface. For
example, a WLC with a management IP of 10.10.110.10 will have all its dynamic
interfaces ending in .10

Connectivity between all Cat switches should be fine. Cat4's default gateway
should be specified not with an IP address but with an outgoing interface on
Cat4.

The 3 client VLANs are split in 2 between Cat1 and Cat2. Make sure that the
Catalysts do not operate on those VLANs as load-balanced gateways, and
configure OSPF routing to make sure every switch is aware of those subnets.

OSPF should use a loopback interface to identify itself to other routers and Cat1
should be the designated router. OSPF updates should only be sent through
VLAN 10 when possible.

Make sure that only the necessary VLANs are allowed on each trunk port.
On Cat1, ports fa0/13 to fa0/20 inclusive will be connected to desk IP phones
with laptops behind them. Those are not plugged in yet, but you need to prepare
the switch port configuration so that those ports use VLAN 23 for voice traffic and
VLAN 13 for the laptops. We also want those ports to be up and forwarding as
soon as something is plugged into them.
1.5 MSE
Make sure that MSE stays in time synchronization with the WCS. Also
make sure that MSE will use admin/IPexpert123!! as credentials for
WCS to connect to it
Make sure the two IOS access points synchronize their time with the WCS
server.

Cat1 should get its synchronization from the WCS server, but the other
switches should get their synchronization from Cat1. They should do so
using IPexpert123 as authentication key.

On the WLCs, make sure they synchronize their time with the WCS and
that the synchronization happens every 2 hours. Also make sure that the
WLCs know they are in the Pacific US time zone.
We want Cat1 to always be the root for all VLANs for spanning-tree purposes. If
Cat1 fails, Cat2 has to be the one taking over the root role.

We want Cat3 to never be root. Moreover, we want Cat3 to switch its links
towards Cat2 in less than a second in case of failure of Cat1.
WLC2
LAP5
LAP4
WLC2
LAP3
LAP2
WLC4
LAP1
Primary WLC
Secondary WLC
Make sure that it is possible to connect via console to all access points
with the username admin and password IPexpert123

Make sure that the APs know which are their preferred WLCs. Use the
table below:
LAP 2 and 3 must use the WCS server as DHCP server. That scope
should give an IP with the last digit between 100 and 200 to the APs. They
should learn WLC 2's IP address through DNS discovery. Once joined, they
should learn the IP address of WLC4 as well.

LAP 1 should use the WCS server as DHCP server, but should discover WLC
4 through a DHCP option. That scope should give an IP with the last digit
between 100 and 200 to the AP.

LAP 4 and 5 need to learn through DHCP the IP addresses of controllers
WLC 3 and 1. Cat4 should be the DHCP server for those access points.

LAP 4 and 5 should have WLC3 as primary controller and WLC1 as
secondary in case of failure of the remote office WLC.
Tertiary WLC
WLC2
WLC4
WLC4
WLC3
WLC1
WLC3
WLC1
Make sure that LAP1, 2 and 3 will never associate to WLC1 or WLC3.
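Added example (not part of the workbook): the DHCP-based discovery tasks above rely on DHCP option 43, which Cisco lightweight APs read as a type-length-value list with sub-option type 0xf1 carrying the controllers' management addresses. The Python below builds and parses that payload and reports any controller that is not on an allow-list, which is a quick way to check that a scope cannot steer LAP1, 2 or 3 to WLC1 or WLC3. The function names are hypothetical, and the addresses are sample values from the lab's address table whose pairing with individual controllers is assumed.

```python
"""DHCP option 43 payload for Cisco lightweight AP controller discovery."""
import ipaddress

WLC_SUBOPTION = 0xF1  # sub-option type that carries the WLC management IPs


def encode_option43(controllers):
    """Return the payload as lowercase hex: type, length, then 4 bytes per IP."""
    if not controllers:
        raise ValueError("at least one controller address is required")
    # IPv4Address() rejects anything that is not a valid IPv4 address.
    value = b"".join(ipaddress.IPv4Address(c).packed for c in controllers)
    if len(value) > 255:
        raise ValueError("too many controllers for a one-byte length field")
    return (bytes([WLC_SUBOPTION, len(value)]) + value).hex()


def decode_option43(hex_payload):
    """Parse a payload (plain or dotted/colon-separated hex) into IP strings."""
    cleaned = hex_payload.replace(".", "").replace(":", "").replace(" ", "")
    raw = bytes.fromhex(cleaned)
    if len(raw) < 2 or raw[0] != WLC_SUBOPTION:
        raise ValueError("not a WLC list: type byte is not 0xf1")
    length = raw[1]
    # The length byte must cover the rest of the payload in whole addresses.
    if length == 0 or length % 4 or length != len(raw) - 2:
        raise ValueError("length byte does not match the address list")
    return [str(ipaddress.IPv4Address(raw[i:i + 4]))
            for i in range(2, len(raw), 4)]


def ios_option_line(controllers):
    """Format the payload as an IOS DHCP pool statement."""
    return "option 43 hex " + encode_option43(controllers)


def unexpected_controllers(hex_payload, allowed):
    """Return controllers offered by a scope that are not on the allow-list."""
    allowed_set = {str(ipaddress.IPv4Address(a)) for a in allowed}
    return [ip for ip in decode_option43(hex_payload) if ip not in allowed_set]


# Sample values (assumed pairing): WLC3 = 10.10.120.140, WLC1 = 10.10.111.10,
# WLC4 = 10.10.112.20, WLC2 = 10.10.112.10.
REMOTE_OFFICE_WLCS = ["10.10.120.140", "10.10.111.10"]  # for LAP4 and LAP5
HQ_ALLOWED_WLCS = ["10.10.112.20", "10.10.112.10"]      # for LAP1, 2 and 3

if __name__ == "__main__":
    print(ios_option_line(REMOTE_OFFICE_WLCS))
    # Constructed misconfiguration: an HQ scope that also lists 10.10.111.10.
    bad_scope = encode_option43(["10.10.112.20", "10.10.111.10"])
    print("not allowed for HQ APs:",
          unexpected_controllers(bad_scope, HQ_ALLOWED_WLCS))
```

The order of the addresses in the payload is the order in which they are encoded, so the audit function can be run against the hex string copied from any DHCP scope.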
2.3 Syslog
Configure a bridge SSID called Bridge1 between AAP1 and AAP2. Make
sure they use WPA2-AES to connect to each other. AAP2 should
authenticate itself as admin/IPexpert123 with EAP-FAST and AAP1
should be the RADIUS server for this purpose. On top of the VLAN of the
SSID, the bridge link should carry VLANs 11, 12 and 13. The SSID name
should be visible in beacons.
3.1 AP logging
Make sure that AAP2 will only try to connect to AAP1. Make sure that
AAP1 will only accept connections from AAP2. Make sure that the access
points retry packets 16 times before giving up, but when they give up, they
should not cause the link to go down.

Configure the access points so that they use WMM, that they use the
802.11e QBSS and that they do the proper mapping between 802.1p CoS
and 802.11e UP (where the voice tag is not the same number in the 2
standards).
WLC3 is the remote office controller. WLC1 sits in the headquarters but is
a dedicated controller serving as fallback for WLC3. The clients will be
placed in VLANs 21, 22 and 23 respectively for guests, data and voice
clients. You have to make sure that traffic never gets released on the
headquarters side.

We need to make sure that the clients will be placed in that VLAN even if
the access points move to WLC1 because WLC3 went down.

The SSID MOGuest will have a pre-shared key IPexpert123 using
standards with the best RC4-based encryption as well as a web
authentication portal hosted on the controller itself.

The SSID MOData will use the best encryption standard available and will
authenticate users against ACS.

The SSID MOVoice will use a Cisco-proprietary fast roaming mechanism
and the best encryption/authentication standard among those that have no
fast-roaming mechanism of their own. The Cisco-proprietary fast roaming
mechanism should not be mandatory to use the SSID.
Create a building with one floor and create a map for that floor. The
environment is a warehouse with the ceiling at 20 feet high and APs
placed at 12 feet high. Place the APs in every corner of the map. You
can find the floor image in the WCS c:\FTP\ folder.

Add MSE to WCS with both location and intrusion detection service
activated. Synchronize it with the map and controllers.
WLC1 and 3 are the only WLCs that may manage Medium Office
access points, while WLC 2 and 4 are the only ones that may manage
Headquarters access points. Make sure that WLC 2 and 4 talk to each
other (but not to 1 and 3) to elect the RF leader and make RF decisions, while
WLC1 and 3 talk to each other but not to 2 and 4 for those decisions.

All WLCs should:
o Support all data rates of 11 Mbps and above on 2.4 GHz, 11 Mbps being
the only mandatory rate.
o Increase the power (if possible) on an AP if 5 clients
are detected to be sticking with low signal.
o Never bring an AP's transmission power lower than 1 dBm.
o Support all data rates of 12 Mbps and above on 5 GHz, 12 Mbps being
the only mandatory rate.
o Support beamforming on 11n-class access points when dealing
with 11a/g clients.
o Lower the APs' transmission power if several surrounding APs are
heard at -67 or louder.
o Support phones and devices that make their transmit power
variable depending on AP power level.
o When selecting a channel for an AP, take into
account the load of other Cisco APs as well as rogues in the
deployment (for example, 2 APs could be on the same channel next
to each other if they have relatively low load).
o If CleanAir APs, thanks to their CleanAir chipset, detect a specific
source of interference, this should count in the algorithm's decision on
whether it is worth changing channel immediately.
Make sure that only management subnets (VLANs 5, 111, 112, and 120
as well as the 10.10.0.0/24 subnet) can talk to WLC1. It should be
inaccessible from any other subnet.
To verify your configurations please review the Volume 1 Detailed Solutions Guide
that you received along with this Workbook. You can also find this document in
the eBook section of your www.IPexpert.com account.
Support is also available in the following ways:
IPexpert Support: www.OnlineStudyList.com
IPexpert Blog: blog.ipexpert.com
Proctor Labs Hardware Support: support@ipexpert.com
Lab Overview
This lab will test your knowledge on several items of the CCIE Wireless
blueprint version 2. The wording in the lab questions might seem tricky, but
it is meant to prepare the candidate to read between the lines.
The network and WLCs are partly pre-configured, but some of the
configuration has to be altered to meet the exam requirements.
The fact that the WLCs are pre-configured doesn't mean that there are no tasks
where you have to rectify wrong pre-configs or make some changes, on the
WLCs, the APs and the network alike. Those are all part of solving this lab.
Throughout this lab you may expect to rectify basic IP connectivity issues.
In this lab and the real lab we cannot take anything for granted and must stay focused.
This lab will use all equipment in the Lab 1 topology. Refer to the names of
the equipment on that topology. Rectify names according to Table 2.
[Figure: lab topology diagram. Area labels: Headquarters, Remote Office, Internet, SP WAN. Device labels: Cat1, Cat2, Cat3, Cat4; WLC1 (5508), WLC2 (5508), WLC3 (2504), WLC4 (2504); AAP1 (1262N), AAP2 (1242AG); LAP1 (3502i), LAP2 (1242AG), LAP3 (1042N), LAP4 (1262N), LAP5 (1242AG); CME; ACS/WCS/MSE/Test PC; Power Injector. Link labels: Fa0/x, Gi0/x, Po1, Po2.]
Lab 3: Prerequisites:
This lab will rely on the network infrastructure. You will need to pre-configure the
network with the base configuration files.
Log on to your Wireless vRack Web UI. Near the top of the web page,
click the Load Lab button and choose: IPexpert WIFI Volume 2 Workbook Lab 3
INITIAL
Lab 3: Tables
VLAN  VLAN Name       Subnet          Netmask
      Servers         10.10.210.0     /24
10    HQSwitchMgmt    10.10.10.0      /24
11    HQGuest1        10.10.11.0      /24
12    HQData1         10.10.12.0      /24
13    HQData2         10.10.13.0      /24
14    HQData3         10.10.14.0      /24
15    HQVoice1        10.10.15.0      /24
16    HQVoice2        10.10.16.0      /24
17    HQData4         10.10.17.0      /24
20    MOSwitchMgmt    10.10.20.0      /25
21    MOGuest1        10.10.21.64     /26
22    MOData1         10.10.22.128    /26
23    MOVoice1        10.10.23.192    /26
105   HQServicePort   10.10.105.0     /24
110   HQAAP           10.10.110.0     /24
111   HQWLC1          10.10.111.0     /24
112   HQWLC2          10.10.112.0     /24
113   HQLAP1          10.10.113.0     /24
114   HQLAP2          10.10.114.0     /24
120   MOWLC1          10.10.120.128   /26
121   MOLAP1          10.10.121.192   /26
131   HOAP            192.168.100.0   /24
999   VLAN999         n/a             n/a
Port
CAT1
NA
Connected
Device
NA
Connected
Port
IP Address
CAT2
NA
NA
10.10.10.3
CAT3
NA
NA
10.10.10.4
CAT4
NA
NA
10.10.20.1
ACS
NIC1
CAT2
Fa0/11
10.10.210.5
WCS
NIC1
CAT2
Fa0/11
10.10.210.6
CME
Fa0/0
CAT1
Fa0/4
10.10.210.20
10.10.10.2
CAT2
Fa0/11
WLC1
Po1
CAT2
Gi0/1
WLC2
Po1
CAT3
Gi0/1
WLC3
Po1
CAT4
WLC4
Po1
CAT2
AAP1
Gi0
CAT1
AAP2
Fa0
CAT3
LAP1
Gi0
CAT1
LAP2
Fa0
LAP3
Gi0
LAP4
Gi0
Fa0/2
Fa0/15
10.10.112.10
10.10.120.140
10.10.112.20
10.10.110.100
Fa0/1
10.10.113.x
CAT2
Fa0/2
10.10.114.x
CAT3
Fa0/3
10.10.114.x
CAT4
Fa0/4
10.10.121.x
CAT4
Fa0/5
10.10.121.x
10.10.110.101
Fa0/2
Fa0
Fa0/1
10.10.111.10
LAP5
10.10.210.10
Eth0
MSE
10.10.205.20 (Loop)
To prepare your network we need to take extra care that the network is properly set up. All
future configurations with wireless components will rely on the network. Please bear in mind that
most wireless issues are related to the network. The Proctor Labs lab environment will have
some preconfigured equipment. It is up to you to change configuration according to the
requirements in this lab.

Cat1 will handle all VLANs and distribute them to Cat2. Cat3 will also get all
VLAN changes from Cat1.
o Use MD5 encryption to protect the VLAN database on your 3 switches.
o Use ipexpert123 as the MD5 secret. Domain is ipexpert

Create the VLANs in table 1 for your HQ switches.

Cat1 should be the root for all VLANs.

Cat2 should be the root for all VLANs if the root fails.

Do not configure Cat3 for the last question above.
o From Cat3, show commands should give the correct outcome to see
where the root bridges are. Cat1 should be seen as root for all VLANs and
Cat2 will be the backup path. Prove that the backup path works by testing.

Configure the 2 links between Cat1 and Cat2 to appear as one STP instance.
o Use a method that has no negotiation.
L3 routing:
Site HQ: Do not configure or change anything that is not requested by the lab.
Cat1's SVI always has the first IP address in each VLAN network.
Cat2's SVI always has the second IP address in each VLAN network.
For the Cat3 VLAN10 SVI, use IP address 10.10.10.4/24
VLAN 5 IP configuration should not be changed.
VLAN10 IP configuration should not be changed (HQSwitchMgmt).
Create the SVIs on your appropriate HQ switches and ensure you have
connectivity between all L3 interfaces. Refer to table 1 for the VLAN IDs. HQ and
MO have different VTP domains, as can be seen in table 1. VLANs should flow
between all 3 switches in the HQ.

Create a Loopback99 interface on your CAT1 with IP 10.99.99.99/32
o Use a link-state, open-standard routing protocol to advertise
Loopback99 to CAT2.
o Only advertise Loopback99 in your configuration.
o Don't summarize the classful networks in your routing domain.

VLAN 12 should be redundant for CAT1 and CAT2
o On CAT1 and CAT2, use a Cisco proprietary method to create a
redundant SVI for VLAN 12.
o The VLAN 12 virtual IP should be the next available IP address after CAT1
and CAT2.
o CAT1 should always be the primary router for VLAN12 and in case of
failure it should revert back when things go back to normal.

Create a redundant DHCP pool for VLAN12 on CAT1 and CAT2:
Create VLANs and SVIs for CAT4 according to table 1. CAT4 SVIs always use
the first IP address per SVI. Create MO SVIs from Table 1.

CAT4 should be ready to serve VLAN configuration to other switches. Protect the
database IPexpert-MO with the password ipexpert.123

CAT4 should not participate in routing updates or exchange routing tables with
HQ. CAT4 should be able to reach any network on HQ. On HQ you need to
advertise all the networks belonging to CAT4 MO. Use your routing protocol to
accomplish this in your HQ switches.

QOS:
On all routers and switches, trust Layer 2 and Layer 3 QoS markings where
appropriate.

Tune your CoS to DSCP mapping (and vice versa) as Cisco best practices
recommend.
o VoIP SCCP AVVID gets value of 24 (CS3) instead of the default 26
(AF31). VoIP RTP stream gets value of 46 (EF) instead of the default 40.

The traffic from MO should have a policy that marks Skinny traffic and RTP VoIP
traffic, identified by the known RTP and Skinny (not encrypted) UDP and TCP ports.
AP management:
HQ
LAP2 (f0/2 on CAT2) and LAP3 (F0/3 on CAT3) should discover WLC2 and
WLC4 with DNS (not option 43). APs should be on VLAN1134
o LAPs default gateway is 10.10.114.1
o Default name to the name in table 1. Subnets for those APs are listed in
table 2. Configure your network accordingly.
o Use your Microsoft DHCP and DNS server to accomplish this.
o DNS suffix for your APs subnet should be LAPs.proctorlabs.com
o Exclude the range from 1 to 20 and 200 to 254.
o Microsoft DHCP/DNS server is 10.10.210.6

Make sure that WLC2 will be the primary and WLC4 the secondary controller for LAP2,
and that WLC4 will be the primary and WLC2 the secondary controller for LAP3.
Mobility group should be named HQ2 for WLC2 and HQ4 for WLC4. WLCs
should have the same RF group HQ-WLC2-and-4
Use the NTP server on WCS to sync time for all your network devices including the
WLCs. WCS is 10.10.210.6

Controllers should sync time every 2 hours.

CAT1 should be the NTP master for all switches and routers. For routers and
switches: use password "ipexpert" for NTP authentication. Use EST timezone -5.

CAT1 should answer NTP requests only on VLAN10 and only allow switches and
routers in your network to sync time with CAT1. CAT2 uses VLAN5 IP, CAT4
uses VLAN20 IP and CAT3 uses VLAN10 IP address for NTP communications.

Don't forget the autonomous APs! Configure them to use the same time
settings with CAT1 as the NTP server. No security is needed for the autonomous
APs. Use IP information from Table 2 for the APs.
LAP4 and LAP5 should join WLC4 with DHCP from CAT4. Set those APs on
VLAN 121 on CAT4:
Switching security:
All LAP AP ports (present and future) should go to STP Forwarding mode
immediately.

In MO, all switchports with access points should block traffic if BPDUs are
advertised over the port. The same applies to all potential host ports.

In HQ, all switchports with access points should get disabled if BPDUs are
advertised over the port. This setting needs to be the default for all host switchports
so it won't be forgotten in future tasks. You don't want your VMware servers on
CAT2 port Fa0/11 to get potentially disabled. Let that one port bypass that
default setting.
Autonomous setup:
A cargo company has mobile fork lifters in their warehouses. Those fork lifters
will have industrial computers on board with Ethernet ports (no wireless).
You need to use AAP2 to connect the industrial computer to the wireless network.

Make a Layer 2 only VLAN (VLAN 999) on the AAP2-connected switch to avoid loops in your
network. Override bpduguard with bpdufilter on the f0/2 port on CAT3.

AAP2 will connect to AAP1 with 802.1x security. SSID is fork-xx. Username is
lifter and password is fork. Use the 2.4 GHz frequency.
o AAP1 will authenticate the lifter user. The industrial PC should be on
VLAN 17. As the industrial PC is not ready yet, configure DHCP on AAP2
to see the DHCP offer working. Configure DHCP on CAT1 for VLAN17.
Exclude the first 9 addresses.
o Use the most secure option that is Cisco proprietary.

The forklifter is actively mobile. Ensure that it only scans non-overlapping
channels in your 2.4 GHz frequency, so it uses the least time to scan channels
when moving around.

Ensure that the association is reliable, so the AP disassociates clients only when many
packets are lost. Use the maximum reliable setting for the association to stay up.
Interface
WLC IP Address
Default gateway
WLAN
WLC1
Vlan 11
10.10.11.252/24
10.10.11.1
HQ-guests-XX
WLC2
Management
NA
WLC2
Vlan 13
10.10.13.50/54
WLC2
Vlan 15
10.10.15.50/24
WLC2
Vlan 12
WLC3
Vlan 22
WLC4
Management
WLC4
Vlan 13
10.10.12.50/24
10.10.13.1
Client-Vlan-XX
voip-5ghz-XX
10.10.12.3
NA
NA
HQ-guests-XX
10.10.13.51/24
10.10.13.1
Client-Vlan-XX
Vlan 12
10.10.12.51/24
10.10.12.3
Vlan 15
10.10.15.51/24
10.10.15.1
10.10.22.130/26
10.10.15.2
HQ-guests-XX
MOData1-XX
WLC4
NA
10.10.22.129
WLC4
Device
voip-5ghz-XX
VLANs on Switches should already be done and working in the first part of this LAB.
Set up EtherChannel for both interfaces on WLC2. Ensure that APs are load
balanced over the Layer 3 network based on source and destination IP
information. Do this for all switches connected to controllers.

VLANs on the wired network should work on the wired interfaces of each WLC.
AP Priming:
LAP1 should join WLC3. Find a way to configure a static VLAN113
10.10.113.100 address for this AP. Manually join LAP1 to your WLC3. Default
gateway is 10.10.113.1
Guests:
Create a lobby admin account on WLC1 and with this account, create a guest
user that lasts for 3 days. The lobby account user is lobby, password Lobby123.
The guest user is guest4, password ipexpert123

Test the HQ-guests-xx connection from the laptop: test https://10.10.210.6
without the splash login, then try to log in through the splash page. Before the
login through the splash page, the guest should NOT be able to ping 10.10.10.3, but
it should work after splash web authentication. The laptop is reachable directly
with VNC on 10.10.210.4, password IPexpert123
On your 802.11g network, the 2.4 GHz channel at 2452 GHz and the 2 channels
above and below it are severely impacted by a nearby microwave oven located
next to LAP3. These channels are unusable because of this massive
interference. Make sure that your LAP3 uses the best possible 2.4 GHz
frequency channel to avoid the microwave interference in the future.
Mobility:
HQ users should be able to roam between all controllers. Use the default Mobility
names HQ1 for WLC1, HQ2 for WLC2, HQ3 for WLC3, and HQ4 for WLC4.

All HQ WLCs should check their mobility members every 15 seconds. They should
consider them dead after 60 seconds.
SSID Client-Vlan13-XX
o This SSID should exist on WLC2 and WLC4. Clients should terminate at
Vlan13. Table 3 shows what IP should be on your controllers' VLAN13.
Exempt addresses 10.10.13.1 - 10.10.13.49 and 10.10.13.59 -
10.10.13.254
o Use WPA PSK. The PSK is ipExpert.123
o Allow CCK modulation for this SSID. Exempt 5 GHz.
o Advertise 802.11i and pre-standard WPA in your beacons but also enable
software encryption to work over 802.11i for older clients.
o DHCP should be set up on CAT1
o On LAP2 this SSID should use VLAN12. Don't use HREAP. Only let
this SSID go out VLAN 12 for LAP2. DHCP is the redundant IP of VLAN12
shared with CAT1 and CAT2. Gateway is the redundant IP of VLAN12.
Test this configuration and see the IP address change on your AnyConnect
client.
Rogue detection:
WCS:
Management:
Manage all WLCs with WCS using the default method. The user is admin and
password IPexpert123 for all WLCs.
MAPs:
Put your LAPs on the floor 1 map on your WCS. Position as many APs as you need for
2.4 GHz data coverage of your second floor. Your campus is 2 floors with a 500 x 500
feet span. You are instructed to expect a -80 dBm RSSI cutoff. Make sure you see
it work on your WCS 2.4 GHz coverage map.

First create a new building in your system campus and put 2 floors in it.

LAP2 is a 1242 with an AIR-ANT5135D-R antenna for the A band and the antenna is
slightly tilted 15 down. The AP is in the ceiling of floor 1. Let WCS know about
the antenna settings. The B/G band has the same setting. LAP1 is also on floor 1 but
it is at 7 feet height.

Use WCS to disable all 802.11b client associations in your network. Still allow
OFDM clients on 2.4 GHz to connect at 9 Mbps and not less.

When root is logged in, show the overall security score on the right side of your
security page. This has to work when root is logged on.
Wireless Voice:
Deploy an SSID called voip-5ghz-XX. This will be VLAN 15. WLC IP information is
in table 3. DHCP and default gateway are on CAT1, which should give out the Cisco call
manager option for the CME router 10.10.210.20. Exclude addresses
10.10.15.1 - 10.10.15.10 and 10.10.15.40 - 10.10.15.70. Use Table 3 for
VLAN50 IP information for each controller.

Allow only 5 GHz connections on this SSID.
o Use WPA 802.11i encryption and ensure that Cisco 7925 phones can
inter-controller roam seamlessly.
o The phone uses PEAP authentication. On your ACS configure the user phone
with password of ipexpert. ACS is 10.10.210.5, user acsadmin, password
IPexpert123
o For ACS use NTP server 10.10.10.2; allow for this communication on your
CAT1 NTP server. Time zone is EST
o Test it from your AnyConnect.
Only support 802.11e on this previously configured voice SSID, and 7925 phones
should get Platinum QoS treatment. 802.11e clients with this SSID will get
mapped with an 802.1p value of 5 when they hit the wired network.

Only allow the necessary data rates for the phones' operation in your 5 GHz
band.
You are at the end of this LAB! Should I say congratulations? :) It has hard questions when it
comes to wording, but we have to be prepared to spot what the LAB wants. This will come in
handy on the actual battlefield. So I hope this was a good exercise. Do this lab many
times to practice speed, and work on things you want to study in the meantime.
To verify your configurations please review the Volume 1 Detailed Solutions Guide
that you received along with this Workbook. You can also find this document in
the eBook section of your www.IPexpert.com account.
Lab Overview
This lab will test your knowledge on several items of the CCIE Wireless
blueprint version 2. The wording in the lab questions might seem tricky, but
it is meant to prepare the candidate to read between the lines.
The network and WLCs are partly pre-configured, but some of the
configuration has to be altered to meet the exam requirements.
The fact that the WLCs are pre-configured doesn't mean that there are no tasks
where you have to rectify wrong pre-configs or make some changes, on the
WLCs, the APs and the network alike. Those are all part of solving this lab.
Throughout this lab you may expect to rectify basic IP connectivity issues.
In this lab and the real lab we cannot take anything for granted and must stay focused.
This lab will use all equipment in the Lab 4 topology. Refer to the names of
the equipment on that topology. Rectify names according to Table 2.
Lab 4: Prerequisites:
This lab will rely on the network infrastructure. You will need to pre-configure the
network with the base configuration files.
Log on to your Wireless vRack Web UI. Near the top of the web page,
click the Load Lab button and choose: IPexpert WIFI Volume 2 Workbook Lab 4
INITIAL
Lab 4: Tables
VLAN  VLAN Name       Subnet          Netmask
      Servers         10.10.210.0     /24
10    HQSwitchMgmt    10.10.10.0      /24
11    HQGuest1        10.10.11.0      /24
12    HQData1         10.10.12.0      /24
13    HQData2         10.10.13.0      /24
14    HQData3         10.10.14.0      /24
15    HQVoice1        10.10.15.0      /24
16    HQVoice2        10.10.16.0      /24
17    HQData4         10.10.17.0      /24
20    MOSwitchMgmt    10.10.20.0      /25
21    MOGuest1        10.10.21.64     /26
22    MOData1         10.10.22.128    /26
23    MOVoice1        10.10.23.192    /26
105   HQServicePort   10.10.105.0     /24
110   HQAAP           10.10.110.0     /24
111   HQWLC1          10.10.111.0     /24
112   HQWLC2          10.10.112.0     /24
113   HQLAP1          10.10.113.0     /24
114   HQLAP2          10.10.114.0     /24
120   MOWLC1          10.10.120.128   /26
121   MOLAP1          10.10.121.192   /26
131   HOAP            192.168.100.0   /24
999   VLAN999         n/a             n/a
Port
CAT1
NA
Connected
Device
NA
Connected
Port
IP Address
CAT2
NA
NA
10.10.10.3
CAT3
NA
NA
10.10.10.4
CAT4
NA
NA
10.10.20.1
ACS
NIC1
CAT2
Fa0/11
10.10.210.5
WCS
NIC1
CAT2
Fa0/11
10.10.210.6
CME
Fa0/0
CAT1
Fa0/4
10.10.210.20
10.10.10.2
CAT2
Fa0/11
WLC1
Po1
CAT2
Gi0/1
WLC2
Po1
CAT3
Gi0/1
WLC3
Po1
CAT4
WLC4
Po1
CAT2
AAP1
Gi0
CAT1
AAP2
Fa0
CAT3
LAP1
Gi0
CAT1
LAP2
Fa0
LAP3
Gi0
LAP4
Gi0
Fa0/2
Fa0/15
10.10.112.10
10.10.120.140
10.10.112.20
10.10.110.100
Fa0/1
10.10.113.x
CAT2
Fa0/2
10.10.114.x
CAT3
Fa0/3
10.10.114.x
CAT4
Fa0/4
10.10.121.x
CAT4
Fa0/5
10.10.121.x
10.10.110.101
Fa0/2
Fa0
Fa0/1
10.10.111.10
LAP5
10.10.210.10
Eth0
MSE
10.10.205.20 (Loop)
To prepare your network we need to take extra care that the network is properly set up. All
future configurations with wireless components will rely on the network. Please bear in mind that
most wireless issues are related to the network. The Proctor Labs LAB environment will have
some preconfigured equipment. It is up to you to change configuration according to the
requirements in this LAB.
L3 routing:
Site HQ: Do not configure or change anything that is not requested by the LAB.
CAT1's SVI always has the first IP address in each VLAN network.
CAT2's SVI always has the second IP address in each VLAN network.
VLAN 10 should be .2 on CAT1 and .3 on CAT2; don't change them.
For the CAT3 VLAN10 SVI, use IP address 10.10.10.4/24
VLAN 5 IP configuration should not be changed.
Create the SVIs on your appropriate HQ switches and ensure you have
connectivity between all L3 interfaces. Refer to table 1 for the VLAN IDs. HQ and
MO have different VTP domains, as can be seen in table 1. HQ should be able to
reach all networks on CAT4. CAT4 should reach any network in HQ. Don't use a
routing protocol in any of your switches. VLAN10 on CAT1 and CAT2 is not
working for some reason. Find out why and rectify it. CAT1 will have the first IP in each
SVI1 and CAT2 should have the second IP in each SVI. (Apart from VLANs
already created on the switches.)

Create a DHCP pool for VLAN12 on CAT1; don't give out addresses from .1 to .60.
Default gateway is .2
Multicast
MO WLC 3 should advertise a multicast group for its locally registered APs. Use
239.x.x.x where x is the last 3 digits in the MO WLC 3 management IP. All CAT4
VLANs should have multicast routing enabled for CAT4. Use a method that
doesn't flood your network, as it should be built for growth later. On your CAT4,
use an RP address of 10.99.254.254/30. When the IGMP timeout expires (70
seconds), the controller sends a query to all WLANs. Those clients which are
listening in the multicast group should send a packet back to the controller.

The traffic from MO should have a policy that marks Skinny traffic and RTP VoIP
traffic, identified by the known RTP and Skinny (not encrypted) UDP and TCP ports.
o Ensure the correct marking is maintained when VoIP traffic enters MO
from HQ and vice versa.

QOS:
On all routers and switches, trust Layer 2 and Layer 3 QoS markings where
appropriate.

Tune your CoS to DSCP mapping (and vice versa) as Cisco best practices
recommend.
VoIP SCCP AVVID gets value of 24 (CS3) instead of the default 26 (AF31).
VoIP RTP stream gets value of 46 (EF) instead of the default 40.
v3150
61
Volume 2 Workbook
o.
co
ho
Pe
ya
AP management:
HQ
LAP2 (Fa0/2 on CAT2) and LAP3 (Fa0/3 on CAT3) should discover WLC2 and
WLC4 with DHCP on CAT1. Default gateway is .1
o Rename the APs from their default name to the name in table 1. The subnets for
those APs are listed in table 2. Configure your network accordingly. This
should be done for all other LAP APs.
o Exclude the range from 1 to 20 and 200 to 254.
Make sure that WLC2 will be the primary controller for LAP2 and WLC4 the primary
controller for LAP3. The mobility group should be named HQ2 for WLC2 and HQ4 for
WLC4. LAP2 and LAP3 need to fail over if the primary controller fails. LAP2's
secondary is WLC4 and LAP3's secondary is WLC2.
LAP4 and LAP5 should join WLC3 with DHCP from CAT4. You are forbidden to
enter option 43 or DNS on your MS DHCP. Also, you can't use the AP CLI to
manually join them. Use the network to deliver the LAP management traffic to
WLC3. Set those APs on VLAN 121 on CAT4:
Switching security:
All MO LAP AP ports should go to STP forwarding mode immediately, but don't
risk spanning-tree loops later on if some switch is connected to those ports.
In HQ, all switchports with LAP access points should block traffic if Bridge
Protocol Data Units are advertised over the port.
Autonomous setup:
A law firm has 2 buildings. One building has a wireless bridge, AAP2,
to connect to the HQ LAN through AAP1.
Make AAP2 and AAP1 belong to the AAP management VLAN 110. The AAP2
BVI1 interface has to be reachable only over the bridge link. Behind AAP2, VLAN
14 needs to traverse the bridge link over to the HQ network. 10.10.14.2 is on CAT2.
This will be tested as if it were behind AAP2. The end result is CAT1 pinging over
the bridge link to 10.10.14.2 behind AAP2. Use 2.4 GHz.
AAP2 will connect to AAP1 with the most secure Cisco proprietary 802.1x method.
SSID is lawfirm-xx. Username is lawyer and password is fresnelzone. AAP1 will
authenticate the lawyer user.
No FTP traffic should be allowed over the bridge link during business hours, 9am
to 5pm, Monday to Friday.
Device | Interface  | WLC IP Address  | Default gateway | WLAN
-------|------------|-----------------|-----------------|---------------
WLC1   | Vlan 11    | 10.10.11.252/24 | 10.10.11.1      | HQ-guests-XX
WLC2   | Management | NA              | NA              | HQ-guests-XX
WLC2   | Vlan 13    | 10.10.13.50/54  | 10.10.13.1      | Client-Vlan-XX
WLC2   | Vlan 15    | 10.10.15.50/24  | 10.10.15.1      | voip-6ghz-XX
WLC3   | Vlan 22    | 10.10.22.130/26 | 10.10.22.129    | MOData1-XX
WLC4   | Management | NA              | NA              | HQ-guests-XX
WLC4   | Vlan 13    | 10.10.13.51/24  | 10.10.13.1      | Client-Vlan-XX
WLC4   | Vlan 15    | 10.10.15.51/24  | 10.10.15.1      | voip-6ghz-XX
VLANs on Switches should already be done and working in the first part of this LAB.
Set up EtherChannel for both interfaces on WLC2. Ensure that APs are load
balanced over the layer 3 network based on source and destination IP
information.
QoS needs to be tagged on the management VLAN of all WLCs.
Only VLANs created on WLCs should traverse the link towards the
network and vice versa.
AP Priming:
LAP1 should have redundant WLCs: WLC2 and WLC4. WLC4 is primary.
Join the AP manually from its console, but allow it to get a DHCP address from
CAT2. Refer to Table 2 for IP information and VLAN. Default gateway is
10.10.113.2
Users with Apple computers complain that they can't switch SSIDs on their
computers. The WLC reports they are connected but the client doesn't seem to
notice. Rectify the issue with one setting on all controllers.
Guests:
WLC1 guest for VLAN 11 should exit via Po2 by default, but Po1 if Po2 goes
down.
Configure WLC1 port1 to be the primary management port connected to CAT2.
Ensure that only existing VLANs traverse the switch ports. Guest VLAN is
VLAN 12.
Create the WLAN HQ-guests-xx on all HQ WLCs. HQ WLCs should transport
all guest access traffic to WLC1 Vlan 11. No encryption.
o Don't allow static IP addressing of clients.
o Timeout is 4 hours.
o Do not advertise the Aironet Information Element, to avoid interoperability
issues with various guest equipment.
o The delivery traffic indication message should be every 5 beacons on 2.4 GHz
connections.
o The guest SSID has to work on all APs in the HQ. Users should have the
option of entering their email address on the splash page and connecting
after that.
Guests use DHCP on CAT1. Issue a 15-address pool starting from 10.10.11.10.
Default gateway is the CAT1 SVI for VLAN 11. DNS is 10.10.210.6
Test the connection from the Win7 PC. The PC is reachable directly with VNC
from the WCS server on 10.10.210.4, password IPexpert123
Configure your ACS to be used on WLC3 for WLAN MOData1. The VLAN for the SSID
MOData1-XX is in table 3. WLC VLAN 22 IP is 10.10.22.130/26. LAP4 should send
its users to VLAN 23. Don't use AP-groups. DHCP for VLAN23 is configured
on CAT4.
Use EAP-FAST authentication, username fast, password faster. Security is WEP
128 bit.
Configure DHCP on your Microsoft DHCP server for the clients of the SSID above.
Give out the 131 and 132 addresses of the scope. Also ensure the VLAN23 users
get DHCP as well with the same parameters.
Test connectivity to MOdata1-xx with AnyConnect on your test PC.
SSID Client-Vlan13-XX
o This SSID should exist on WLC2 and WLC4. Clients should terminate at
Vlan13. Table 3 shows what IP should be on your controllers' VLAN13.
o Use WPA Enterprise with AES encryption. Use 802.1x security and PEAP
authentication on your ACS server.
o Username Client-peap, password ipexpert123
o DHCP server is the Microsoft DHCP server. Gateway is .1
o Configure the DHCP so there will be no conflict, with the fewest
exclusions possible.
For this SSID you have a strange requirement from your customer. He (a guy in
a white coat with the mad-scientist look and a very narrow interest in radio
waves) shows you Spectrum Expert screenshots of square-top-looking waves. He
mentions he doesn't want the round-top waves to show in his environment, as he
claims they slow down the network. Make sure that the necessary controllers have the
setting to fulfill this strange request. The customer doesn't have any other
explanation than this picture.
Test this on your AnyConnect client.
Clean AIR:
Your WLC4 should detect and report microwave ovens and Bluetooth
devices on capable access points in the 2.4 GHz frequency.
For capable access points, monitor and dynamically avoid Bluetooth and
microwave oven interference. There is no requirement for anything else
available. The event-driven Radio Resource Management should be set to the
highest value.
Manage all WLCs with WCS using version 2 of Simple Network Management
Protocol. No other methods should be available. Use the name ipexpert.snmp for
your name. Only WCS should be able to control or read the WLCs.
MAPs:
Put LAP1, LAP2, LAP3, LAP4 and LAP5 on the Campus IPX, building1, floor1 map
on your WCS. Position the APs for best location tracking. Configure your
mobility services so you see live WiFi clients on your map. Campus is 1000 by
1000 feet. Building is 500 by 900 feet. Floor is 200 by 100 feet. Horizontal
number first. MSE IP is 10.10.210.10; use an encrypted method to communicate
from WCS to MSE.
Clean air: Locate and report Clean-air interference in MSE. Gather history related
to interference and client stations. Display all interferers on your WCS map.
Wireless Voice:
You are at the end of LAB 4. It is a bit difficult to finish in 8 hours. The harder the training, the
easier the battle. The question phrasing can slow you down, as it might on the actual LAB, so I hope
this was a good exercise. Do this lab many times to practice speed, and work on things you want
to improve in the meantime. I recommend having a LAB strategy in place that you practice when
you take this LAB, because this LAB is built up from the blueprint sections and hopefully
prepares you for the actual LAB.
To verify your configurations please review the Volume 1 Detailed Solutions Guide
that you received along with this Workbook. You can also find this document in
the eBook section of your www.IPexpert.com account.
Support is also available in the following ways:
IPexpert Support: www.OnlineStudyList.com
IPexpert Blog: blog.ipexpert.com
Proctor Labs Hardware Support: support@ipexpert.com
Lab Overview
This lab will test your knowledge on several items of CCIE Wireless
blueprint version 2. In this lab we use a scoring system of maximum 100
points. 85 points and above will be considered a pass. A good idea is to
define and use your LAB exam strategy to practice and fine tune to prepare
for the real battle. This will help in your time management that is essential to
pass!
This lab will use all equipment in the LAB 1: topology. Refer to the names of
the equipment on that topology.
Lab 5: Prerequisites:
This lab will rely on the network infrastructure. You will need to pre-configure the
network with the base configuration files.
If you are using Proctor Labs: Log on to your Wireless vRack Web UI and navigate to
near the top of the web page, click the Load Lab button and choose: IPexpert WIFI
Volume 2 Workbook Lab 5 INITIAL
Lab 5: Tables
VLAN | VLAN Name     | Subnet        | Netmask
-----|---------------|---------------|--------
     | Servers       | 10.10.210.0   | /24
10   | HQSwitchMgmt  | 10.10.10.0    | /24
11   | HQGuest1      | 10.10.11.0    | /24
12   | HQData1       | 10.10.12.0    | /24
13   | HQData2       | 10.10.13.0    | /24
14   | HQData3       | 10.10.14.0    | /24
15   | HQVoice1      | 10.10.15.0    | /24
16   | HQVoice2      | 10.10.16.0    | /24
17   | HQData4       | 10.10.17.0    | /24
20   | MOSwitchMgmt  | 10.10.20.0    | /25
21   | MOGuest1      | 10.10.21.64   | /26
22   | MOData1       | 10.10.22.128  | /26
23   | MOVoice1      | 10.10.23.192  | /26
105  | HQServicePort | 10.10.105.0   | /24
110  | HQAAP         | 10.10.110.0   | /24
111  | HQWLC1        | 10.10.111.0   | /24
112  | HQWLC2        | 10.10.112.0   | /24
113  | HQLAP1        | 10.10.113.0   | /24
114  | HQLAP2        | 10.10.114.0   | /24
120  | MOWLC1        | 10.10.120.128 | /26
121  | MOLAP1        | 10.10.121.192 | /26
131  | HOAP          | 192.168.100.0 | /24
999  | VLAN999       | n/a           | n/a
Port
CAT1
NA
Connected
Device
NA
Connected
Port
IP Address
CAT2
NA
NA
10.10.10.3
CAT3
NA
NA
10.10.10.4
CAT4
NA
NA
10.10.20.1
ACS
NIC1
CAT2
Fa0/11
10.10.210.5
WCS
NIC1
CAT2
Fa0/11
10.10.210.6
CME
Fa0/0
CAT1
Fa0/4
10.10.210.20
10.10.10.2
CAT2
Fa0/11
WLC1
Po1
CAT2
Gi0/1
WLC2
Po1
CAT3
Gi0/1
WLC3
Po1
CAT4
WLC4
Po1
CAT2
AAP1
Gi0
CAT1
AAP2
Fa0
CAT3
LAP1
Gi0
CAT1
LAP2
Fa0
LAP3
Gi0
LAP4
Gi0
Fa0/2
Fa0/15
10.10.112.10
10.10.120.140
10.10.112.20
10.10.110.100
Fa0/1
10.10.113.x
CAT2
Fa0/2
10.10.114.x
CAT3
Fa0/3
10.10.114.x
CAT4
Fa0/4
10.10.121.x
CAT4
Fa0/5
10.10.121.x
10.10.110.101
Fa0/2
Fa0
Fa0/1
10.10.111.10
LAP5
10.10.210.10
Eth0
MSE
10.10.205.20 (Loop)
L3 routing:
o Site HQ: Do not configure or change anything that is not requested by the
LAB.
o CAT1's SVI always has the first IP address in each VLAN network.
o CAT2's SVI always has the second IP address in each VLAN network.
o VLAN 10 should be .2 on CAT1 and .3 on CAT2; don't change them.
o For the CAT3 VLAN10 SVI, use IP address 10.10.10.4/24.
o The VLAN 5 IP configuration should not be changed.
o CAT1 needs to reach WCS. Don't use a routing protocol to accomplish
this. CAT2 needs to reach all networks on MO. Use EIGRP. MO should
have a default route distributed via the routing protocol. Let only the SVI
interfaces be advertised in your EIGRP configuration.
o Use the DHCP pool for VLAN12 on CAT1; don't give out addresses from
.1 to .60. Default gateway is .2
CAT4 should be ready to exchange and serve VLAN configuration to other
switches. VTP domain should be MO4. Prepare VLAN22 for IPv6 connectivity
using IPv6 with DHCP functionality on CAT4. This will be needed later for
clients connecting to the WLC3 MOData1-xx SSID. Use any link-local address you
like.
QOS:
On all routers and switches, trust layer 2 and layer 3 QoS markings where
appropriate. Between switches, trust layer 2 QoS tagging.
Tune your CoS to DSCP mapping (and vice versa) as Cisco best practices
recommend.
VoIP SCCP AVVID gets a value of 24 (CS3) instead of the default 26 (AF31).
VoIP RTP stream gets a value of 46 (EF) instead of the default 40.
Multicast
MO WLC 3 should advertise a multicast group for its locally registered APs. Use
239.x.x.x where x is the last 3 digits in the MO WLC 3 management IP. All CAT4
VLANs should have multicast routing enabled on CAT4. Use a method that
doesn't flood your network, as it should be built for growth later. On your CAT4,
use an RP address of 10.99.254.254/30. When the IGMP timeout expires (70
seconds), the controller sends a query to all WLANs. Those clients which are
listening in the multicast group should send a packet back to the controller.
The traffic from MO should have a policy that marks Skinny traffic and RTP VoIP
traffic using the known UDP and TCP ports for RTP and Skinny (not encrypted).
Ensure the correct marking is maintained when VoIP traffic enters MO from HQ
and vice versa.
There will be phones on CAT3 ports 12-19. Voice VLAN is 16.
We don't trust marking over the cloud network between MO CAT4 and HQ
CAT2. We need to ensure that voice traffic (skinny and sccp) will be marked
correctly between MO and HQ. Make a policy that marks this traffic correctly.
NTP:
Use the NTP server on WCS to sync time for all your network devices including the
WLCs. WCS is 10.10.210.6
Controllers should sync time every 2 hours.
CAT1 should be the NTP master for all switches and routers. For routers and
switches: use password "ipexpert" for NTP authentication. Use EST timezone -5.
Use authentication for your switches.
CAT1 should answer NTP requests only on VLAN10 and only allow switches and
routers in your network to sync time with CAT1. CAT2 uses its VLAN10 IP, CAT4
uses its VLAN20 IP and CAT3 uses its VLAN10 IP address for NTP communications.
Allow your ACS 10.10.210.5 to use the NTP on WCS.
Fix any connectivity issues on WLC1 and other WLCs if there is a problem
reaching the NTP server.
Configure NTP for the autonomous APs. Point to CAT1 10.10.10.2 and use
timezone EST -5. Fix any network connectivity issues the AAPs might have.
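One way the switch side of the NTP tasks above could be configured on IOS, as an added example that is not the workbook's own solution. It assumes CAT1 serves time from its own clock with `ntp master`; key number 1, ACL numbers 10 and 11, and Vlan11 as the sample SVI are choices made for this example, while the addresses come from the tasks and Table 2.

```cisco
! ---- CAT1: NTP master, reachable on Vlan10 (10.10.10.2) ----
clock timezone EST -5
ntp authentication-key 1 md5 ipexpert
ntp trusted-key 1
ntp authenticate
ntp source Vlan10
ntp master
!
! ACL 10 (number is an assumption): the only hosts CAT1 will serve time to
access-list 10 remark NTP clients CAT2, CAT3 (VLAN10) and CAT4 (VLAN20)
access-list 10 permit 10.10.10.3
access-list 10 permit 10.10.10.4
access-list 10 permit 10.10.20.1
!
! ACL 11 (number is an assumption): CAT1's internal reference clock.
! Once any access group exists, the master must be allowed to sync to
! itself (the address is 127.127.7.1 on older IOS releases).
access-list 11 permit 127.127.1.1
ntp access-group peer 11
ntp access-group serve-only 10
!
! Do not accept NTP on SVIs other than Vlan10.
! Vlan11 is a sample; repeat on each remaining L3 interface.
interface Vlan11
 ntp disable
!
! ---- CAT2: client, sourcing from Vlan10 (10.10.10.3) ----
! CAT3 uses the same lines; CAT4 uses "ntp source Vlan20" instead.
clock timezone EST -5
ntp authentication-key 1 md5 ipexpert
ntp trusted-key 1
ntp authenticate
ntp source Vlan10
ntp server 10.10.10.2 key 1
```

The key makes a client reject time from a server that cannot prove it knows the key; it does not stop CAT1 answering unauthenticated requests, which is why the access groups and `ntp disable` carry the restriction. `show ntp associations detail` on a client shows whether the association to 10.10.10.2 is authenticated.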
AP management:
HQ
LAP2 (Fa0/2 on CAT2) and LAP3 (Fa0/3 on CAT3) should discover WLC2 and
WLC4 with DHCP on CAT1. Default gateway is .1
Rename the APs from their default name to the name in table 1. The subnets for those
APs are listed in table 2. Configure your network accordingly.
Exclude the range from 1 to 20 and 200 to 254.
Make sure that WLC2 will be the primary controller for LAP2 and WLC4 the primary
controller for LAP3. The mobility group should be named HQ2 for WLC2 and HQ4 for
WLC4. LAP2 and LAP3 need to fail over between those controllers if the primary
controller fails. Make sure APs fall back to their primary controller when possible.
Fix any network issues that the WLCs might have.
LAP4 and LAP5 should join WLC3: LAP4 with DHCP from your CAT4 DHCP
server. LAP5 should have a manually configured IP of 10.10.121.210, and WLC3
needs to be manually entered for LAP5 to join WLC3.
LAP4 and LAP5 are the only APs allowed to join WLC3, with authentication from
the ACS server. Set those APs on VLAN 121 on CAT4. Some parts are
preconfigured and need to work. The network might need to be rectified to meet the
requirements. Rename the access points to reflect Table 2.
Switching security:
Device | Interface  | WLC IP Address  | Default gateway | WLAN
-------|------------|-----------------|-----------------|---------------
WLC1   | Vlan 11    | 10.10.11.252/24 | 10.10.11.1      | HQ-guests-XX
WLC2   | Management | NA              | NA              | HQ-guests-XX
WLC2   | Vlan 13    | 10.10.13.50/54  | 10.10.13.1      | Client-Vlan-XX
WLC2   | Vlan 15    | 10.10.15.50/24  | 10.10.15.1      | voip-6ghz-XX
WLC3   | Vlan 22    | 10.10.22.130/26 | 10.10.22.129    | MOData1-XX
WLC4   | Management | NA              | NA              | HQ-guests-XX
WLC4   | Vlan 13    | 10.10.13.51/24  | 10.10.13.1      | Client-Vlan-XX
WLC4   | Vlan 15    | 10.10.15.51/24  | 10.10.15.1      | HQ-guests-XX
VLANs on Switches should already be done and working in the first part of this LAB.
Set up EtherChannel for all WLC2 connected interfaces. Ensure that APs are load
balanced correctly.
QoS needs to be tagged on all the WLCs.
Your MO WLC3 controller should do the DCA changes at 9:00, 17:00 and 01:00
for 2.4 GHz.
AP Priming:
On WLC4, scan all available channels for rogues. LAP3 should find rogues as
soon as possible.
The WLC1 guest portal should say "Welcome to IPexpert guest network". Guests
should be able to ping 10.10.120.140 without web authentication. Guests on
WLC1 set to the bronze QoS queue should get a maximum of 100 Kbps for real-time
traffic.
Rogue APs should be treated as major-alarm SNMP traps on WCS. WCS sends
email about rogue APs to alarm@rouge.com from the address wcs@rouge.com
via email server 20.20.20.20. Send controller information with your message.
Don't send information about power level changes on your WLC3 radios.
Guests:
Management:
WLC4 should be authenticated by TACACS on the ACS server. Use admin and
password of tacacs for administrators. Also create a lobby admin, user lobby,
password lobby.123. After TACACS is working, change the admin password to
IPexpert123 in ACS.
Clean AIR:
Your WLC4 should detect and report microwave ovens and Bluetooth devices on
capable access points in the 2.4 GHz frequency.
For capable access points, monitor and report Bluetooth and microwave oven
interference. There is no requirement for anything else available. The event-
driven Radio Resource Management should be set to the lowest value.
Management:
WCS:
Administer all WLCs with WCS using the most secure Simple Network
Management Protocol. No other methods should be available. Use user WCS with
password ipexpert.snmp.123$ for your authentication.
MAPs:
Locate all WiFi clients that live on the Campus IPX, building1, floor1 map on your
WCS. Position the APs for best location tracking. Campus is 1000 by 1000 feet.
Building is 500 by 900 feet. Floor is 200 by 100 feet. Horizontal number first.
MSE IP is 10.10.210.10; use an encrypted method to communicate from WCS to MSE.
Clean Air:
Locate and report Clean-air interference in MSE (show icons and zone of
impact). Gather a 1-day report from your campus regarding the worst interference.
Save a clean air report on your WCS desktop. Name it cleanair.pdf
Wireless Voice:
You are at the end of LAB 5. It should be easily done in 7 hours with 1 hour to verify and
complete tasks you left unfinished. Because most of the network is configured, we only need to
find errors built into the network. This is essential to pass the lab: there must be some time left
to verify and fix things. There will be some mistakes and we should take that into account. The
question phrasing can slow you down, as it might on the actual LAB. Calculate your score.
The passing score is 85 points or above. Be critical in your scoring; no partial score is allowed if
one item is not correct in a multi-item question. Do this lab many times to practice speed, and
work on things you want to improve in the meantime. I recommend having a LAB strategy in
place that you practice when you take this LAB, because this LAB is built up from the blueprint
sections and hopefully prepares you for the actual LAB.
To verify your configurations please review the Volume 1 Detailed Solutions Guide
that you received along with this Workbook. You can also find this document in
the eBook section of your www.IPexpert.com account.
Support is also available in the following ways:
IPexpert Support: www.OnlineStudyList.com
IPexpert Blog: blog.ipexpert.com
Proctor Labs Hardware Support: support@ipexpert.com