CCIE Security lab: vWLC - Part 2 - Bust and Boom!

Well, it took some time, but *finally* it's working. It's been a little stressful, but perseverance and hours of googling paid off.

So the new AP arrived today. I was a little confused as it was packaged so well I thought a shower door was being delivered.

I unwrapped it and plugged it in, being the optimistic guy I am, I was hoping that it would connect to the vWLC without issue.

Yeah, so much not the case. I did try to capture as much data as I could though, so that if/when I fixed it, I could have something useful for others. Unfortunately my Windows laptop has a tendency to reboot spontaneously because of Windows updates, so a little was lost.

Anyway. AP gets booted up and the first thing to do is to upgrade it to a newer version. This seemed to go OK, but the AP would keep dropping off the vWLC. So I decided to try loading the recovery version instead. I had to do this via the boot console, as for some reason Flash went tits-up.

There are some Cisco docs about this, but they didn't work, and it just sat there doing nothing. Then I googled "load_helper" and found a very helpful post that said that "ether_init" is also needed. So I rebooted the AP and tried again. This is the working command sequence:
load_helper
flash_init
format flash:
set IP_ADDR 10.1.4.53
set NETMASK 255.255.255.0
set DEFAULT_ROUTER 10.1.4.254
ether_init
tftp_init
tar -xtract tftp://10.1.4.200/c1140-rcvk9w8-tar.152-4.JA1.tar flash:
boot
This is how it looks in real life, a little slimmed down, but notice that if you mess up a command (like I did with the first tar command), you need to re-enter the previous command:
ap: ether_init
ap: set IP_ADDR 10.1.4.53
ap: set NETMASK 255.255.255.0
ap: set DEFAULT_ROUTER 10.1.4.254
ap: tftp_init
ap: ether_init
ap: tar -xtract tftp://10.1.4.200/c1140_rcvk9w8_tar.152_4.JA1.tar
usage: tar <-table -xtract="">  
ap: tar -xtract tftp://10.1.4.200/c1140_rcvk9w8_tar.152_4.JA1.tar flash:
Unknown cmd: tar
ap: tar ?
usage: tar <-table -xtract="">  
ap: tar -xtract tftp://10.1.4.200/c1140_rcvk9w8_tar.152_4.JA1.tar flash:
Unknown cmd: tar
ap: tftp_init
ap: tar -xtract tftp://10.1.4.200/c1140_rcvk9w8_tar.152_4.JA1.tar flash:
extracting info (273 bytes)
c1140-rcvk9w8-mx/ (directory) 0 (bytes)
extracting c1140-rcvk9w8-mx/c1140-rcvk9w8-mx (6865717 bytes)........................................................ 
a lot of minutes later
extracting c1140-rcvk9w8-mx/info (273 bytes)
extracting c1140-rcvk9w8-mx/file_hashes (280 bytes)
extracting c1140-rcvk9w8-mx/final_hash (141 bytes)
extracting c1140-rcvk9w8-mx/img_sign_rel.cert (1375 bytes)
extracting c1140-rcvk9w8-mx/img_sign_rel_sha2.cert (1371 bytes)
extracting info.ver (273 bytes)
ap: boot
Loading "flash:/c1140-rcvk9w8-mx/c1140-rcvk9w8-
Once it comes back up again, we are on the new version:
Cisco IOS Software, C1140 Software (C1140-RCVK9W8-M), Version 15.2(4)JA1, RELEASE SOFTWARE (fc2)
LWAPP image version 7.5.1.73
OK, so one update done. Can we connect to the AP yet? Not quite, but it does start to do an update FROM the vWLC, so at least we are headed in the right direction:
 examining image...!
extracting info (282 bytes)
Image info:
    Version Suffix: k9w8-.153-3.JA
    Image Name: c1140-k9w8-mx.153-3.JA
    Version Directory: c1140-k9w8-mx.153-3.JA
    Ios Image Size: 317952
    Total Image Size: 8714752
    Image Feature: WIRELESS LAN|LWAPP
    Image Family: C1140
    Wireless Switch Management Version: 8.0.100.0
Extracting files...
c1140-k9w8-mx.153-3.JA/ (directory) 0 (bytes)
extracting c1140-k9w8-mx.153-3.JA/c1140-k9w8-xx.153-3.JA (82241        )
After a while the AP comes back up again, and we are running another new version, courtesy of the vWLC:
POWER TABLE FILENAME = flash:/c1140-k9w8-mx.153-3.JA/T5.bin
cisco AIR-LAP1142N-E-K9 (PowerPC405ex) processor (revision B0) with 98294K/32768K bytes of memory.
Processor board ID FCZ1427W4UB
PowerPC405ex CPU at 586Mhz, revision number 0x147E
Last reset from reload
LWAPP image version 8.0.100.0
1 Gigabit Ethernet interface
2 802.11 Radios
Notice the LWAPP image now matches the Controllers version:
(Cisco Controller) >show sysinfo 

Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 8.0.100.0
RTOS Version..................................... 8.0.100.0
Bootloader Version............................... 8.0.100.0
Emergency Image Version.......................... 8.0.100.0

Build Type....................................... DATA + WPS

System Name...................................... vWLC
System Location.................................. 
System Contact................................... 
System ObjectID.................................. 1.3.6.1.4.1.9.1.1631
IP Address....................................... 10.1.4.152
IPv6 Address..................................... ::
System Up Time................................... 0 days 3 hrs 39 mins 19 secs
System Timezone Location......................... 
System Stats Realtime Interval................... 5
System Stats Normal Interval..................... 180

Configured Country............................... GB  - United Kingdom

--More-- or (q)uit
(Cisco Controller) >
The above output is pretty long, but the important thing is that our versions match, and that the Configured Country is GB. This needs to match up with the -E- in the version details on the AP (if you are in the UK that is):
Product/Model Number                 : AIR-LAP1142N-E-K9
However, we are not out of the woods yet. The AP keeps flip-flopping about, and my frustration is growing. But we are seeing it in the vWLC, so this is still encouraging:

Cisco vWLC on UNetLab

However, it doesn't stay stable for very long. Some of the useful errors are below:
%DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.1.4.152:5246
%CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.1.4.152 peer_port: 5246
%CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source
%LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
%LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_connection_db.c:2214 Max retransmission count reached for Connection 0x4FEE418!  
%LWAPP-3-CLIENTERRORLOG: LWAPP LED Init: incorrect led state 255
%LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
%LINK-5-CHANGED: Interface Dot11Radio1, changed state to administratively down
%LWAPP-4-CLIENTEVENTLOG: Not sending change state post as the radio admin is down, lrad state = 5
The interesting lines are "%LWAPP-3-CLIENTERRORLOG: LWAPP LED Init: incorrect led state 255" and "DTLS_CLIENT_ERROR:...Max retransmission count reached for Connection". There seem to be two fixes for this. The first is to disable the Self-Signed Certificate (SSC) hash validation:
(Cisco Controller) >config certificate ssc hash validation disable 

(Cisco Controller) >show certificate ssc

SSC Hash validation.............................. Disabled.

SSC Device Certificate details:

         Subject Name :
                 C=US, ST=California, L=San Jose, O=Cisco Virtual Wireless LAN Controller, 
                 CN=DEVICE-vWLC-AIR-CTVM-K9-520000020001, MAILTO=support@vwlc.com

         Validity :
                 Start : 2015 Mar  3rd, 09:21:37 GMT
                 End   : 2025 Jan  9th, 09:21:37 GMT

         Hash key : e9c65b6b31a76266f28c1bddfa297780ac1bbf8a

(Cisco Controller) >
The second requirement is that the AP needs to be set as FlexConnect:

Cisco vWLC on UNetLab

Once these were set, we can actually see the SSIDs!

Cisco vWLC on UNetLab

And here we can see them on the phone as well:

Cisco vWLC on UNetLab

So, this brings an end to setting up hardware. The remaining tasks are to set up the IPS, so that we can plug the vWLC into it, and to set up the ISE, so that we can plug the vWSA's APs and the IP Phone into that.

Progress is definitely being made, albeit with a bit of added frustration, but no-one ever said a CCIE would be easy.

CCIE Security lab: vWLC - Part 1 - Check the Wireless compatibility matrix for vWLC!

My Cisco 1200 series AP arrived the other day. It's a nice looking AP, as far as they go, but trying to get it set up has reminded me how much Wireless technology annoys me. But it's been a useful learning curve nonetheless.

So, we have the following setup:

vWLC -> SW2 -> SW3 -> 3750X -> AP

It looks like this:

Cisco vWLC on UNetLab

We need a few things in place to run a lightweight AP. These are a DHCP server, with option 43 defined, maybe a DNS server with a couple of entries in it, and, of course, physical connectivity.

I added a Cisco IOSv router to take care of the DHCP and DNS, and, to cut a long story short, got much further. Here is the setup:
AP-DNS#sh run | s dhcp
ip dhcp excluded-address 10.1.4.1 10.1.4.50
ip dhcp excluded-address 10.1.4.100 10.1.4.254
ip dhcp pool APs
 network 10.1.4.0 255.255.255.0
 default-router 10.1.4.254 
 dns-server 10.1.4.101 
 option 60 ascii "Cisco AP c1200"
 option 43 ascii "10.1.4.152"
 domain-name 802101.local
AP-DNS#sh run | i host
hostname AP-DNS
ip host CISCO-LWAPP-CONTROLLER 10.1.4.152
ip host CISCO-CAPWAP-CONTROLLER 10.1.4.152
ip host CISCO-LWAPP-CONTROLLER.802101.local 10.1.4.152
ip host CISCO-CAPWAP-CONTROLLER.802101.local 10.1.4.152
ip host vWLC 10.1.4.152
ip host vWLC.802101.local 10.1.4.152
AP-DNS#
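The pool above hands the AP the controller address in option 43. As an added example (not code from the original post), the script below builds and decodes the option 43 payload the way Cisco documents it for lightweight Aironet APs: a vendor-specific TLV with sub-option type 0xf1, a length of 4 bytes per controller, then each controller management IP as raw bytes. The controller address is the post's 10.1.4.152; the second address 10.1.4.153 is constructed for illustration.

```python
"""Build and decode the DHCP option 43 payload a Cisco lightweight AP uses to
find its controller, and print it in the form IOS accepts (`option 43 hex`).

Added example, not from the original post. The post's pool uses
`option 43 ascii "10.1.4.152"`; this shows the hex TLV form for the same
controller and what happens if the ASCII form is parsed as a TLV.
"""
import ipaddress

CISCO_AP_SUBOPTION = 0xF1  # vendor-specific sub-option Cisco APs look for


def encode_option43(controllers):
    """Return the raw option 43 bytes for a list of controller IPv4 addresses."""
    if not controllers:
        raise ValueError("at least one controller address is required")
    payload = b"".join(ipaddress.IPv4Address(ip).packed for ip in controllers)
    if len(payload) > 255:
        raise ValueError("too many controllers for a single-byte TLV length")
    return bytes([CISCO_AP_SUBOPTION, len(payload)]) + payload


def decode_option43(raw):
    """Parse option 43 bytes and return the controller addresses as strings.

    Raises ValueError if the TLV is not the Cisco AP sub-option or is
    malformed, the kind of mistake that leaves an AP cycling through discovery.
    """
    if len(raw) < 2:
        raise ValueError("option 43 payload too short")
    subopt, length = raw[0], raw[1]
    if subopt != CISCO_AP_SUBOPTION:
        raise ValueError(f"unexpected sub-option 0x{subopt:02x}")
    body = raw[2:]
    if len(body) != length or length % 4 != 0:
        raise ValueError("length byte does not match a whole number of IPv4 addresses")
    return [str(ipaddress.IPv4Address(body[i:i + 4])) for i in range(0, length, 4)]


def ios_option43_line(controllers):
    """Format the payload as IOS expects: `option 43 hex` with dotted 16-bit groups."""
    hexstr = encode_option43(controllers).hex()
    groups = [hexstr[i:i + 4] for i in range(0, len(hexstr), 4)]
    return "option 43 hex " + ".".join(groups)


if __name__ == "__main__":
    # Controller address taken from the post's DHCP pool.
    print(ios_option43_line(["10.1.4.152"]))
    # Two-controller form; the second address is constructed for illustration.
    print(ios_option43_line(["10.1.4.152", "10.1.4.153"]))
    print(decode_option43(encode_option43(["10.1.4.152"])))
    # The ASCII string from the post's pool does not start with 0xf1, so an AP
    # reading it as a Cisco TLV would not find a controller in it.
    try:
        decode_option43(b"10.1.4.152")
    except ValueError as err:
        print("ascii form rejected:", err)
```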
With this, the AP started to get a bit further. But still would not register. I made some changes to the switching side of things, and set the port connecting SW2 to the vWLC to be trunks:
SW2#sh run int gi 1/3
Building configuration...

Current configuration : 158 bytes
!
interface GigabitEthernet1/3
 switchport access vlan 4
 switchport trunk encapsulation dot1q
 switchport mode trunk
 media-type rj45
 negotiation auto
end

SW2#sh run int gi 2/3
Building configuration...

Current configuration : 174 bytes
!
interface GigabitEthernet2/3
 switchport access vlan 4
 switchport trunk encapsulation dot1q
 switchport mode trunk
 media-type rj45
 duplex full
 no negotiation auto
end

SW2#
The vWLC was set up to have the management interface in VLAN 4:
Interface Configuration
Interface Name................................... management
MAC Address...................................... 50:00:00:15:00:01
IP Address....................................... 10.1.4.152
IP Netmask....................................... 255.255.255.0
IP Gateway....................................... 10.1.4.254
External NAT IP State............................ Disabled
External NAT IP Address.......................... 0.0.0.0
Link Local IPv6 Address.......................... fe80::5200:ff:fe15:1/64
STATE ........................................... REACHABLE
Primary IPv6 Address............................. ::/128
STATE ........................................... NONE
Primary IPv6 Gateway............................. ::
Primary IPv6 Gateway Mac Address................. 00:00:00:00:00:00
STATE ........................................... INCOMPLETE
VLAN............................................. 4         
Quarantine-vlan.................................. 0
Physical Port.................................... 1         
DHCP Proxy Mode.................................. Global
Primary DHCP Server.............................. 10.1.4.101
Secondary DHCP Server............................ Unconfigured
DHCP Option 82................................... Disabled
Even with this setup, the AP just kept on renewing the IP address, and moaning about certificates. The vWLC itself does show that the registration requests were getting to where they should be:
(Cisco Controller) >show ap join stats detailed 00:1e:f7:47:72:4b

Sync phase statistics
- Time at sync request received............................ Not applicable
- Time at sync completed................................... Not applicable

Discovery phase statistics
- Discovery requests received.............................. 245
- Successful discovery responses sent...................... 163
- Unsuccessful discovery request processing................ 82
- Reason for last unsuccessful discovery attempt........... Layer 3 discovery request not received on management VLAN
- Time at last successful discovery attempt................ Apr 19 15:47:54.389
- Time at last unsuccessful discovery attempt.............. Apr 19 15:47:54.385
You can see a lot of requests and responses above. After much mucking about, it turns out that I should have looked at the compatibility matrix before buying what I assumed would be a decent AP. The link is here in case you need it: http://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html.

So now I have ordered a new AP, this time it is an 1142, which is on the matrix. Lesson learned - do your homework! The alternative could have been to run an older version of the vWLC (7.0).

Hopefully when this arrives I can plug it in and get going!

What? You want more?

I am always pretty amazed when people email me, and say that they have bought and enjoyed the books I have written. I am also always surprised when they ask me to write more.

Writing books takes quite a while, somewhere between three and six months each. It's a long process, and has to be juggled between regular employment, my own studies and family life. But it is a rewarding process.

One very common request is for a book on QoS and Multicast, and this was planned, and started many moons ago, but it stalled as I concentrated on getting my own CCIE.

But the voices should not be ignored.

So far I have had requests via email (Ionut and Marino), LinkedIn (Noore) and Twitter (Mark), all asking if I intend to write a book on QoS. It was part of my original plan; in fact, here are the intended releases, which actually include Services and the IGPs:

A list of the books I have written or am possibly going to write

BGP, MPLS, and VPNs and NAT have already been released, and the CCNA book (now called CCNA and Beyond) will be released at the end of the month. The personal folder is just a few tax documents, it's not my memoirs or anything like that. The UNetLab Cookbook stalled as the guys keep changing it, and the new version is so different from how it was when I started writing that book.

So the next volume in the series would have been/will be Multicast and QoS. The biggest issue, and perhaps the reason why I stopped writing it was that I could not make a proper Multicast server.

I think I have fixed this issue, as I found, whilst doing my CCIE Security studies, that SUSE Studio is a great way to create custom VMs, and get them in Qemu, which is ideal for UNetLab. So, that is a manageable hurdle.

The next issue is time management. Can I write another book at the same time as studying for my CCIE Security, and maintain a happy work/home life balance? Not sure the wife wants me to write another book at the moment, I think we could do with some "us" time.

So, what to do??
Well, I guess that's where you lot come in.

There is a poll on the menu to the right. I reckon 100 "yes's" should cover it. Leave a comment below. I'll probably ditch Kindle, or keep the Kindle price the same as the printed price. Kindle sales are not as good as printed, and I am actually quite happy about this. I much prefer printed textbooks.

The price would be about the same as the other books, but the platform would move to UNetLab. I haven't touched GNS3 since finishing VPNs and NAT.

The other question is would you support a Kickstarter project for this? If so, for how much and what would you want in return? I have seen other people doing Kickstarters for books, and I'd quite like to turn this into a full-time thing, but at present this is not feasible. Maybe a Kickstart project would be the way forward. I could do things like your name in the book, and so on.

If there are enough people who would like me to write it, then I will do it.

I won't give any timelines for it, but I would keep people updated via the website.

Let me know your thoughts via the poll and feedback below.

CCIE Security lab: Connecting the virtual and physical worlds together

With my new 3750X switch looking like it should be doing as intended, it's time to get it connected to the UNetLab topology.

I must admit, I haven't tried to do this before, so it should be interesting. I did connect pnet0 to a Windows host to grab something before, but this needs to be completely isolated from the rest of the home network, otherwise the Wife will get upset that she can only browse to www.good.com, and not buy shoes.

The basic configuration in UNL is to connect a Pnet interface to a device (like SW3). I am using PNet1 as this is linked to Eth1:


Creating this "3750x" network is just a case of creating a new network, but setting it to be a pnet, instead of a bridge.

As you can see, UNetLab can see two NICs:
root@unl01:~# ifconfig -a | grep ^eth
eth0      Link encap:Ethernet  HWaddr 00:50:56:80:2a:6e
eth1      Link encap:Ethernet  HWaddr 00:50:56:80:a2:db
root@unl01:~#
Inside ESXi things look like this:

We have a vSwitch created, and this includes one of the NICs from the Quad-port NIC card in the ESXi server:
Connecting UNetLab to a physical switch in VMWare

We must accept promiscuous mode, otherwise things won't work properly:

Connecting UNetLab to a physical switch in VMWare

UNL has this network connected.

Connecting UNetLab to a physical switch in VMWare

Unsurprisingly things did not just magically work straight away. So a quick reboot later, and once SW3 is fired up, we can start to see some errors, and these are the kind of errors you want, as it shows everything is working:
%SYS-5-RESTART: System restarted --
Cisco IOS Software, vios_l2 Software (vios_l2-ADVENTERPRISEK9-M), Version 15.2(CML_NIGHTLY_20150414)FLO_DSGS7, EARLY DEPLOYMENT DEVELOPMENT BUILD, synced to  DSGS_PI5_POSTCOLLAPSE_TEAM_TRACK_CLONE
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Wed 15-Apr-15 00:42 by mmen
%LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to up
%CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on GigabitEthernet0/0 (not full duplex), with 3750X GigabitEthernet3/0/1 (full duplex).
SW3>en
SW3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
SW3(config)#int g0/0
SW3(config-if)#duplex full
Autoneg enabled. Duplex cannot be set

%CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on GigabitEthernet0/0 (not full duplex), with 3750X GigabitEthernet3/0/1 (full duplex).
%CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on GigabitEthernet0/0 (not full duplex), with 3750X GigabitEthernet3/0/1 (full duplex).

SW3(config-if)#no neg auto 
SW3(config-if)#duplex full
SW3(config-if)#do sh cdp neigh | b Device
Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
SW4              Gig 0/3           170             R S I            Gig 0/3
SW1              Gig 0/1           151             R S I            Gig 0/3
SW2              Gig 0/2           147             R S I            Gig 0/3
3750X            Gig 0/0           130              S I   WS-C3750X Gig 3/0/1

Total cdp entries displayed : 4
SW3(config-if)#
Nice! So, let's add in some VTP, so that the 3750X gets all the VLAN goodness, and then plug in the IP Phone!
SW1(config)#vtp dom 802101
Changing VTP domain name from NULL to 802101
SW1(config)#vtp mo serv
%SW_VLAN-6-VTP_DOMAIN_NAME_CHG: VTP domain name changed to 802101.
Device mode already VTP Server for VLANS.
SW1(config)#vtp ver 2
SW1(config)#vtp pass 802101
Setting device VTP password to 802101
SW1(config)#
The other devices are set up in client mode, using the same settings as above for the domain and password. However, we need to push some data across to the switch, and as I don't want to keep having to find the laptop that I use for console access to the switch, it would make sense to create a VLAN for switch management:
SW1(config)#vlan 11
SW1(config-vlan)#name Switch-MGMT
SW1(config-vlan)#exi
SW1(config)#
This gets to the other switches:
SW2(config)#do sh vlan br

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/0, Gi1/0
4    Management                       active    Gi1/1, Gi1/2, Gi1/3
7    DMZ                              active    
9    Phones                           active    
11   Switch-MGMT                      active    
20   Users-1                          active    
21   Users-2                          active    
55   Failover                         active    
99   Data-Phone                       active    
1002 fddi-default                     act/unsup 
1003 trcrf-default                    act/unsup 
1004 fddinet-default                  act/unsup 
1005 trbrf-default                    act/unsup 
SW2(config)#
But so far, not to the 3750X. It just has the VLANs I manually created for something else.

VTP/DTP is working, and I can see the messages in Wireshark:

Connecting UNetLab to a physical switch in VMWare

I even switched to VTP version 3, and made SW3 the primary server. But the 3750X did not get the VLANs from the virtual environment.

So, where is the issue? Let's expand it out a little, and either narrow it down to, or rule out, an issue with my VTP configuration, by adding a phone into the mix.

It's a simple config:
int gi 3/0/3
switchport voice vlan 9
switchport mode access
switchport access vlan 21
I switched the 3750X to transparent mode for a moment, so that I could add the VLANs needed. But still there was no joy.

I used the command "sdm prefer vlan", and did a reboot. Once everything came back up again, I could see the VLANs had been added through VTP, however, communicating with devices was a little unwilling.

So I messed around for a bit trying a bit of this and a bit of that, then I decided to ping Andrea a message and ask for help. He was busy, but I got a couple of minutes with him before he had to dash off to another meeting. He told me to try looking for "vmware switch trunk portgroup", which led me to this document: https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1004074.

Seems like I was pretty close with my first attempt, but needed to add the following settings:

Connecting UNetLab to a physical switch in VMWare

Connecting UNetLab to a physical switch in VMWare

I even rebooted the switch again... and when it came back up, OSPF formed an adjacency, and the phone has a DHCP address:
SW3(config)#router ospf 1
SW3(config-router)#router-id 33.33.33.33
SW3(config-router)#network 0.0.0.0 0.0.0.0 a 0
SW3(config-router)#
%OSPF-5-ADJCHG: Process 1, Nbr 50.50.50.50 on Vlan4 from LOADING to FULL, Loading Done
%OSPF-5-ADJCHG: Process 1, Nbr 50.50.50.50 on Vlan11 from LOADING to FULL, Loading Done
SW3(config-router)#
Rather than posting a blurry photo of the phone's screen, I'll show you the successful DHCP lease for the phone:

Connecting UNetLab to a physical switch in VMWare

So, I do not have a £899 paperweight, I have a working physical switch connected to my IOSv layer-2 switch. It is isolated from my home network, and once the Cisco AP gets delivered I should be able to play around with that.

Just one more bit of proof that it's working, here is the DHCP reservation for my MacBook, which was connected to the phone's PC port:

Connecting UNetLab to a physical switch in VMWare


And here is the screenshot from the Mac itself:

Connecting UNetLab to a physical switch in VMWare

Even though it wasn't exactly smooth sailing, I am where I need to be. The UNetLab hosts can talk to the physical hosts, and the floor is opening up for me to have some real fun!



CCIE Security lab: A little AAA, a little MAB and a lot of patience

I had a little bit of time today, between dropping the kids off at nursery and picking the wife up from the airport, so I thought I'd have a little play with my new 3750-X switch, which arrived yesterday. It's the biggest expense so far in this study, and cost £899, so I really hope it's suitable for the CCIE Security!

It came with IOS 12.2, so the first thing to do is to upgrade to a newer version.
3750X#sh ver | i IOS
Cisco IOS Software, C3750E Software (C3750E-UNIVERSALK9-M), Version 12.2(55)SE3, RELEASE SOFTWARE (fc1)
3750X#
Once I had added the commands for "ip ftp username" and "ip ftp password", I was able to load the tar file from FTP:
3750X#archive download-sw /overwrite /reload ftp://192.168.1.76/c3750e-universalk9-tar.150-2-SE8.tar
The upgrade process takes a while, probably about 20-30 mins, but once it's done, we have a much newer version:
3750X#sh ver | i IOS
Cisco IOS Software, C3750E Software (C3750E-UNIVERSALK9-M), Version 15.0(2)SE8, RELEASE SOFTWARE (fc1)
3750X#
I also bumped up the license, using the Right To Use method:
3750X#show license
Index 1 Feature: ipservices
        Period left: Life time
        License Type: PermanentRightToUse
        License State: Active, In Use
        License Priority: High
        License Count: Non-Counted

Index 2 Feature: ipbase
        Period left: Life time
        License Type: Permanent
        License State: Active, Not in Use
        License Priority: Medium
        License Count: Non-Counted

Index 3 Feature: lanbase
        Period left: 0  minute  0  second

3750X#
The next part was to make sure that I had access to the commands I would be needing later on, so, let's have a look for "mab", "authentication" and "dot1x" under the interface commands:
3750X(config)#int gi 3/0/20
3750X(config-if)#?
Interface configuration commands:
  aaa                     Authentication, Authorization and Accounting.
  arp                     Set arp type (arpa, probe, snap) or timeout or log options
  auto                    Configure Automation
  bandwidth               Set bandwidth informational parameter
  bgp-policy              Apply policy propagated by bgp community string
  carrier-delay           Specify delay for interface transitions

3750X(config-if)#auth
3750X(config-if)#auth?
% Unrecognized command
3750X(config-if)#mab
                   ^
% Invalid input detected at '^' marker.

3750X(config-if)#exi
Nothing there. Let's start by enabling "aaa new-model". This enables the more granular functions of AAA, and is exactly what we are looking for. Does this help now?
3750X(config)#aaa new-model
3750X(config)#int gi 3/0/20
3750X(config-if)#?
Interface configuration commands:
  aaa                     Authentication, Authorization and Accounting.
  arp                     Set arp type (arpa, probe, snap) or timeout or log options
  auto                    Configure Automation
  bandwidth               Set bandwidth informational parameter
  bgp-policy              Apply policy propagated by bgp community string
  carrier-delay           Specify delay for interface transitions
  cdp                     CDP interface subcommands
  channel-group           Etherchannel/port bundling configuration
  channel-protocol        Select the channel protocol (LACP, PAgP)
  crypto                  Encryption/Decryption commands
  cts                     Configure Cisco Trusted Security
  dampening               Enable event dampening
  datalink                Interface Datalink commands
  default                 Set a command to its defaults
  delay                   Specify interface throughput delay
  description             Interface specific description
  down-when-looped        Force looped interface down
  duplex                  Configure duplex operation.
  eou                     EAPoUDP Interface Configuration Commands
  exit                    Exit from interface configuration mode

3750X(config-if)#exi
Nothing yet. We are not done with global configuration mode yet. We need to specify a few AAA commands:
3750X(config)#aaa authentication ?
  arap             Set authentication lists for arap.
  attempts         Set the maximum number of authentication attempts
  banner           Message to use when starting login/authentication.
  dot1x            Set authentication lists for IEEE 802.1x.
  enable           Set authentication list for enable.
  eou              Set authentication lists for EAPoUDP
  fail-message     Message to use for failed login/authentication.
  login            Set authentication lists for logins.
  onep             Set authentication lists for ONEP
  password-prompt  Text to use when prompting for a password
  ppp              Set authentication lists for ppp.
  sgbp             Set authentication lists for sgbp.
  suppress         Do not send access request for a specific type of user.
  username-prompt  Text to use when prompting for a username

3750X(config)#aaa authentication dot default group radius
3750X(config)#aaa authorization network default group radius
3750X(config)#aaa accounting dot1x default start-stop group radius
3750X(config)#
Now can we see the commands?
3750X(config)#int gi 3/0/20
3750X(config-if)#?
Interface configuration commands:
  aaa                     Authentication, Authorization and Accounting.
  arp                     Set arp type (arpa, probe, snap) or timeout or log options
  auto                    Configure Automation
  bandwidth               Set bandwidth informational parameter
  bgp-policy              Apply policy propagated by bgp community string
  carrier-delay           Specify delay for interface transitions
  cdp                     CDP interface subcommands
  channel-group           Etherchannel/port bundling configuration
  channel-protocol        Select the channel protocol (LACP, PAgP)
  crypto                  Encryption/Decryption commands
  cts                     Configure Cisco Trusted Security
  dampening               Enable event dampening
  datalink                Interface Datalink commands
  default                 Set a command to its defaults
  delay                   Specify interface throughput delay
  description             Interface specific description
  down-when-looped        Force looped interface down
  duplex                  Configure duplex operation.
  eou                     EAPoUDP Interface Configuration Commands
  exit                    Exit from interface configuration mode
Not yet. Remember, by default the switch port will be in trunk mode, and for AAA to work in the manner we want it to, we need it to be an access port:
3750X(config-if)#switchport access vlan9
% Access VLAN does not exist. Creating vlan 9
3750X(config-if)#switchport mode access
3750X(config-if)#?
Interface configuration commands:
  aaa                     Authentication, Authorization and Accounting.
  arp                     Set arp type (arpa, probe, snap) or timeout or log options
  authentication          Auth Manager Interface Configuration Commands
  auto                    Configure Automation
  ...
  description             Interface specific description
  dot1x                   Interface Config Commands for IEEE 802.1X
  down-when-looped        Force looped interface down
  ...
  logging                 Configure logging for interface
  mab                     MAC Authentication Bypass Interface Config Commands
  mac                     MAC interface commands
  macro                   Command macro
  macsec                  Enable macsec on the interface
  ...
 
3750X(config-if)#
Great, now we can see the authentication, dot1x and mab commands! Let's set it up:
3750X(config-if)#authentication ?
  control-direction  Set the control-direction on the interface
  event              Set action for authentication events
  fallback           Enable the Webauth fallback mechanism
  host-mode          Set the Host mode for authentication on this interface
  linksec            Configure link security parameters
  open               Enable or Disable open access on this port
  order              Add an authentication method to the order list
  periodic           Enable or Disable Reauthentication for this port
  port-control       Set the port-control value
  priority           Add an authentication method to the priority list
  timer              Set authentication timer values
  violation          Configure action to take on security violations

3750X(config-if)#authentication port-control auto
3750X(config-if)#authentication host-mode multi-auth
3750X(config-if)#authentication order mab dot1x
3750X(config-if)#authentication port-control auto
3750X(config-if)#authentication periodic
3750X(config-if)#mab
3750X(config-if)#dot1x pae authenticator
3750X(config-if)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single
 host. Connecting hubs, concentrators, switches, bridges, etc... to this
 interface  when portfast is enabled, can cause temporary bridging loops.
 Use with CAUTION

%Portfast has been configured on GigabitEthernet3/0/20 but will only
 have effect when the interface is in a non-trunking mode.
3750X(config-if)#
Whilst this was purely a test, and I will probably be using a very different setup later on, the takeaway from this is about process more than anything else:

  • Enable AAA new-model
  • Set up AAA (authentication, authorization, accounting)
  • Set interface to be an access-mode port
  • Configure authentication on the interface

This is one of those things where, in an exam environment, if the process is not followed you'll spend more time fixing and troubleshooting than actually configuring. Practice does make perfect, but process really does help.
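
As an added example (not the author's code), here is a small Python check that applies that process to a saved config: it confirms the global AAA lines are present and, for every port that carries an authentication, dot1x or mab command, reports which of the access-mode, port-control and PAE lines are missing. The running-config excerpt is constructed: Gi3/0/20 follows the four steps, while Gi3/0/21 has the authentication lines but no `switchport mode access` and no `dot1x pae authenticator`, which is the kind of omission the process list is there to catch.

```python
"""Check IOS interface configs against the four-step 802.1X/MAB process.

Added example, not the author's code. SAMPLE_CONFIG is a constructed
running-config excerpt: Gi3/0/20 follows the process, Gi3/0/21 is missing
the access-mode line and the PAE line.
"""
import re

SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
interface GigabitEthernet3/0/20
 switchport access vlan 9
 switchport mode access
 authentication host-mode multi-auth
 authentication order mab dot1x
 authentication port-control auto
 authentication periodic
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
interface GigabitEthernet3/0/21
 switchport access vlan 9
 authentication port-control auto
 mab
!
"""

# Global lines the process needs (steps 1 and 2: aaa new-model, then AAA).
GLOBAL_REQUIRED = [
    "aaa new-model",
    "aaa authentication dot1x default",
    "aaa authorization network default",
    "aaa accounting dot1x default",
]

# Per-port lines (steps 3 and 4: access mode, then authentication on the port).
PORT_REQUIRED = [
    "switchport mode access",
    "authentication port-control auto",
    "dot1x pae authenticator",
]

AUTH_CMD = re.compile(r"(authentication|dot1x|mab)\b")


def parse_interfaces(config):
    """Return {interface name: [indented config lines]} from a running-config."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or another global line ends the block
    return interfaces


def missing_global(config):
    """Global AAA commands that are absent from the config."""
    lines = [ln.strip() for ln in config.splitlines()]
    return [cmd for cmd in GLOBAL_REQUIRED
            if not any(ln.startswith(cmd) for ln in lines)]


def audit_ports(config):
    """Return {interface: [missing commands]} for every port that carries an
    authentication, dot1x or mab command; uplinks without any are skipped."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if not any(AUTH_CMD.match(ln) for ln in lines):
            continue
        findings[name] = [cmd for cmd in PORT_REQUIRED if cmd not in lines]
    return findings


if __name__ == "__main__":
    print("missing global AAA:", missing_global(SAMPLE_CONFIG) or "none")
    for port, missing in audit_ports(SAMPLE_CONFIG).items():
        print(port, "OK" if not missing else "missing: " + ", ".join(missing))
```

The check deliberately only looks at ports that already carry an authentication command, so plain uplinks are not reported; feed it `show running-config` output (or a config template) and it will list, per port, exactly which step of the process was skipped.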

This was just a quick play about, and once the switch is connected to the topology, there will be a longer post, hopefully explaining what all these commands actually mean.

CCIE Security lab: Access to the WWW server

This will be a short post; there are lots of little things that I am finding need to be finished off, but that's the way it is as the topology changes.

So now we will do a couple of little fixes to the network, so that we can try and access the CCIE Security WWW server, from the LAN.
LA1(config)#int gi0/1.99
LA1(config-subif)#encap dot 99
LA1(config-subif)#ip vrf for 802101
LA1(config-subif)#ip add 198.250.99.1 255.255.255.0
LA1(config-subif)#

LA-SW(config)#int gi0/2
LA-SW(config-if)#swi mo acc
LA-SW(config-if)#swi acc vl 99
LA-SW(config-if)#no sh
LA-SW(config-if)#

LA1(config)#router eigrp LA
LA1(config-router)#address-family ipv4 unicast vrf 802101 autonomous-system 300        
LA1(config-router-af)#network 198.250.99.0
LA1(config-router-af)#
After a while (for BGP to do its thing), we should be able to access this from within the LAN; with a quick hosts entry we can get to both of the websites:

Linux webserver in UNetLab for CCIE Security

This means that we can use the WSA to block or deny access to these websites. But that will be a different post.

CCIE Security lab: HQ ASAs - failover and stuff

Starting to make some headway now. In the previous post the LAN was set up within the HQ, and now we need to get the LAN talking to the WAN.

The HQ ASAs will be set up in a failover pair. We will also add an interface for VLAN 1 to the switches, and set up a static route to the ASAs. Then we will set up NAT and see how far we can get in the topology.

Failover

First of all, let's set up LON-FW1:
hostname LON-FW1
int e0
ip add 163.4.4.254 255.255.255.0 standby 163.4.4.252
nameif outside
int e1
ip add 10.1.1.254 255.255.255.0 standby 10.1.1.252
nameif inside
int e3
ip add 10.1.55.1 255.255.255.0 standby 10.1.55.2
nameif fover
route outside 0 0 163.4.4.1
exit
failover link fover
failover interface ip fover 10.1.55.1 255.255.255.0 standby 10.1.55.2
failover lan unit pri
failover replication http
failover lan interface fover e3
failover key cisco
failover
We don't need to add much to LON-FW2, pretty much just the failover configuration. However... if you do add things, such as setting the hostname to LON-FW2, then it will be easier to see that failover is working correctly.
ciscoasa(config)# hostn LON-FW2
LON-FW2(config)# int e0
LON-FW2(config-if)# ip add 163.4.4.254 255.255.255.0 standby 163.4.4.252
LON-FW2(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
LON-FW2(config-if)# 
LON-FW2(config-if)# int e1
LON-FW2(config-if)# ip add 10.1.1.254 255.255.255.0 standby 10.1.1.252
LON-FW2(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
LON-FW2(config-if)# 
LON-FW2(config-if)# 
LON-FW2(config-if)# int e3
LON-FW2(config-if)# no sh
LON-FW2(config-if)# nameif fover
INFO: Security level for "fover" set to 0 by default.
LON-FW2(config-if)# exi
LON-FW2(config)# failover link fover
INFO: Non-failover interface config is cleared on Ethernet3 and its sub-interfaces
LON-FW2(config)# failover interface ip fover 10.1.55.1 255.255.255.0 standby 10.1.55.2
LON-FW2(config)# failover lan unit sec
LON-FW2(config)# failover replication http
LON-FW2(config)# failover key cisco
LON-FW2(config)# failover
LON-FW2(config)# failover lan interface fover e3
LON-FW2(config)# ..

        Detected an Active mate
Beginning configuration replication from mate.
ERROR: Password recovery was not changed, unable to access 
the configuration register.
Crashinfo is NOT enabled on Full Distribution Environment
End configuration replication from mate.

LON-FW1(config)# end
LON-FW1# sh interface ip brief 
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0                  163.4.4.252     YES CONFIG up                    up  
Ethernet1                  10.1.1.252      YES CONFIG up                    up  
Ethernet2                  unassigned      YES unset  administratively down up  
Ethernet3                  10.1.55.2       YES unset  up                    up  
LON-FW1#
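
Configuration replication from the active unit takes care of most of the secondary's config, but the failover lines are typed on both units by hand, so it is worth being able to compare them before `failover` is enabled. Added example, not the author's code: a Python check that parses the failover stanzas of both units, confirms there is one primary and one secondary, that the link and LAN interface names match, that each standby address lies inside the failover interface's subnet, and that a failover key is set on both. The two configs are constructed from the LON-FW1/LON-FW2 lines above, with the secondary's standby address deliberately mistyped so the check has something to find.

```python
"""Cross-check the failover stanzas of an ASA active/standby pair.

Added example, not the author's code. PRIMARY and SECONDARY are constructed
from the LON-FW1/LON-FW2 failover lines; the secondary deliberately carries a
mistyped standby address so the check has something to report.
"""
import ipaddress
import re

PRIMARY = """\
failover link fover
failover interface ip fover 10.1.55.1 255.255.255.0 standby 10.1.55.2
failover lan unit primary
failover replication http
failover lan interface fover Ethernet3
failover key cisco
failover
"""

SECONDARY = """\
failover link fover
failover interface ip fover 10.1.55.1 255.255.255.0 standby 1.1.55.2
failover lan unit secondary
failover replication http
failover key cisco
failover
failover lan interface fover Ethernet3
"""

FO_IP = re.compile(r"^failover interface ip (\S+) (\S+) (\S+) standby (\S+)$")


def parse_failover(config):
    """Pull the failover settings an audit cares about into a dict."""
    fo = {"enabled": False, "key": False, "ifaces": {}}
    for line in config.splitlines():
        line = line.strip()
        m = FO_IP.match(line)
        if m:
            name, ip, mask, standby = m.groups()
            fo["ifaces"][name] = (ip, mask, standby)
        elif line.startswith("failover lan unit "):
            fo["unit"] = line.split()[-1]
        elif line.startswith("failover lan interface "):
            fo["lan_if"] = tuple(line.split()[3:5])  # (nameif, physical port)
        elif line.startswith("failover link "):
            fo["link"] = line.split()[-1]
        elif line.startswith("failover key"):
            fo["key"] = True
        elif line == "failover":
            fo["enabled"] = True
    return fo


def check_pair(primary_cfg, secondary_cfg):
    """Return human-readable problems; an empty list means the pair agrees."""
    p, s = parse_failover(primary_cfg), parse_failover(secondary_cfg)
    problems = []
    if {p.get("unit"), s.get("unit")} != {"primary", "secondary"}:
        problems.append("units are not one primary and one secondary")
    for key in ("link", "lan_if"):
        if p.get(key) != s.get(key):
            problems.append(f"{key} differs: {p.get(key)} vs {s.get(key)}")
    for name in sorted(set(p["ifaces"]) | set(s["ifaces"])):
        if p["ifaces"].get(name) != s["ifaces"].get(name):
            problems.append(f"failover interface {name} differs: "
                            f"{p['ifaces'].get(name)} vs {s['ifaces'].get(name)}")
        for unit, fo in (("primary", p), ("secondary", s)):
            if name not in fo["ifaces"]:
                continue
            ip, mask, standby = fo["ifaces"][name]
            net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
            if ipaddress.ip_address(standby) not in net:
                problems.append(f"{unit}: standby {standby} is outside {net} on {name}")
    for unit, fo in (("primary", p), ("secondary", s)):
        if not fo["key"]:
            problems.append(f"{unit}: no failover key, so hellos and "
                            "replication are unauthenticated")
        if not fo["enabled"]:
            problems.append(f"{unit}: failover is never enabled")
    return problems


if __name__ == "__main__":
    for problem in check_pair(PRIMARY, SECONDARY) or ["pair is consistent"]:
        print(problem)
```

Run against the sample it reports both the mismatch between the units and the fact that 1.1.55.2 is not in 10.1.55.0/24; with the typo corrected it returns an empty list.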

A bit of housekeeping

A couple of housekeeping bits now. We need to get some routing from the switches to the firewalls:
SW1(config)#int vlan 1
SW1(config-if)#ip add 10.1.1.3 255.255.255.0
SW1(config-if)#standby 1 ip 10.1.1.1 
SW1(config-if)#standby 1 pre delay min 60
SW1(config-if)#standby 1 pri 110
SW1(config-if)#
SW1(config-if)#ip route 0.0.0.0 0.0.0.0 10.1.1.254

SW2(config)#int vlan 1
SW2(config-if)#ip add 10.1.1.2 255.255.255.0
SW2(config-if)#standby 1 ip 10.1.1.1 
SW2(config-if)#standby 1 pre delay min 60
SW2(config-if)#standby 1 pri 90
SW2(config-if)#no sh
SW2(config-if)#ip route 0.0.0.0 0.0.0.0 10.1.1.254
SW2(config)#
SW2(config)#int ran gi 1/1 - 3
SW2(config-if-range)#swi mo acc
SW2(config-if-range)#swi acc vl 4
SW2(config-if-range)#no sh
SW2(config-if-range)#

SW4(config)#int ra gi1/2 - 3
SW4(config-if-range)#swi mo acc
SW4(config-if-range)#swi acc vl 4
SW4(config-if-range)# 
We also need to set up the switch above the firewalls, and add a little something for the ASAs to talk to:
Switch(config)#ho LON-SW
LON-SW(config)#int ra gi 0/0 - 2
LON-SW(config-if-range)#no sh
LON-SW(config-if-range)#swi mo acc
LON-SW(config-if-range)#swi acc vl 1
LON-SW(config-if-range)#

LON1(config)#int lo1
LON1(config-if)#ip vrf for 802101
% Interface Loopback1 IPv4 disabled and address(es) removed due to disabling VRF 802101
LON1(config-if)#ip add 31.32.33.34 255.255.255.255
LON1(config-if)#

LON-FW1# ping outside 31.32.33.34
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 31.32.33.34, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
LON-FW1# 
I added this because the other devices are currently turned off; we don't really need them at the moment, but we do need to set up NAT on the firewalls so that the LAN can talk to the WAN.

NAT

LON-FW1(config)# object-group network INSIDE-NAT-SUBNETS
LON-FW1(config-network-object-group)# network-object 10.1.1.0 255.255.255.0
LON-FW1(config-network-object-group)# network-object 10.1.4.0 255.255.255.0
LON-FW1(config-network-object-group)# network-object 10.1.9.0 255.255.255.0
LON-FW1(config-network-object-group)# network-object 10.1.20.0 255.255.255.0
LON-FW1(config-network-object-group)# network-object 10.1.21.0 255.255.255.0
LON-FW1(config-network-object-group)# network-object 10.1.99.0 255.255.255.0
LON-FW1(config-network-object-group)# exi
LON-FW1(config)# nat (inside,outside) after-auto source dynamic INSIDE-NAT-SUB$
LON-FW1(config)# route inside 10.1.0.0 255.255.0.0 10.1.1.1
LON-FW1(config)# 
LON-FW1(config)# access-list outside->in extended permit ip any any 
LON-FW1(config)# access-list outside->in extended permit icmp any any 
LON-FW1(config)# access-group outside->in in interface outside 
LON-FW1(config)# 
LON-FW1(config)# end
LON-FW1# sh run | i nat
LON-FW1# 
Note that I have not included the 10.1.55.0/24 network; we don't really need it on the switches, and it's kinda messed with the whole IP addressing scheme anyway. But there we go.
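
Added example (not the author's code): a Python audit of the NAT shown above. It parses the object-group, static route, access-list and access-group lines, then reports NAT subnets that have no route back via the inside interface, LAN subnets the object-group does not cover (here 10.1.7.0/24 and the 10.1.55.0/24 network just mentioned), and any `permit ip any any` ACL applied inbound on an interface, which the post uses as a lab shortcut. The config excerpt is constructed from the lines above; the post's `nat` line is cut off by the terminal, so the trailing `interface` keyword in the sample is an assumption, and the list of LAN subnets is taken from the switching post's SVI addresses.

```python
"""Audit an ASA's inside-to-outside NAT against its routes and outside ACL.

Added example, not the author's code. ASA_CONFIG is constructed from the
object-group, route and access-list lines shown for LON-FW1; the post's nat
line is truncated by the terminal, so the trailing 'interface' keyword
(translate to the outside interface address) is an assumption.
"""
import ipaddress
import re

ASA_CONFIG = """\
object-group network INSIDE-NAT-SUBNETS
 network-object 10.1.1.0 255.255.255.0
 network-object 10.1.4.0 255.255.255.0
 network-object 10.1.9.0 255.255.255.0
 network-object 10.1.20.0 255.255.255.0
 network-object 10.1.21.0 255.255.255.0
 network-object 10.1.99.0 255.255.255.0
nat (inside,outside) after-auto source dynamic INSIDE-NAT-SUBNETS interface
route outside 0.0.0.0 0.0.0.0 163.4.4.1 1
route inside 10.1.0.0 255.255.0.0 10.1.1.1 1
access-list outside->in extended permit ip any any
access-list outside->in extended permit icmp any any
access-group outside->in in interface outside
"""

# Constructed list of the lab's internal VLAN subnets, taken from the
# switching post's SVI addressing.
LAN_SUBNETS = ["10.1.1.0/24", "10.1.4.0/24", "10.1.7.0/24", "10.1.9.0/24",
               "10.1.20.0/24", "10.1.21.0/24", "10.1.55.0/24", "10.1.99.0/24"]


def parse_object_groups(config):
    """{group name: [IPv4Network]} for every 'object-group network'."""
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"object-group network (\S+)", line)
        if m:
            current = m.group(1)
            groups[current] = []
        elif current and line.startswith(" network-object "):
            _, ip, mask = line.split()
            groups[current].append(ipaddress.ip_network(f"{ip}/{mask}"))
        else:
            current = None
    return groups


def parse_routes(config):
    """[(nameif, IPv4Network, next hop)] for every static route."""
    routes = []
    for m in re.finditer(r"^route (\S+) (\S+) (\S+) (\S+)", config, re.M):
        iface, net, mask, nexthop = m.groups()
        routes.append((iface, ipaddress.ip_network(f"{net}/{mask}"), nexthop))
    return routes


def nat_source_group(config):
    """(inside nameif, outside nameif, object-group) of the dynamic source NAT."""
    m = re.search(r"^nat \((\S+),(\S+)\) .*source dynamic (\S+)", config, re.M)
    return m.groups() if m else None


def open_inbound_acls(config):
    """(acl, interface) pairs applied inbound that contain 'permit ip any any'."""
    rules = {}
    for m in re.finditer(r"^access-list (\S+) extended (.*)$", config, re.M):
        rules.setdefault(m.group(1), []).append(m.group(2).strip())
    applied = re.findall(r"^access-group (\S+) in interface (\S+)", config, re.M)
    return [(acl, iface) for acl, iface in applied
            if "permit ip any any" in rules.get(acl, [])]


def audit(config, lan_subnets):
    """Three findings: NAT subnets with no route on the inside interface,
    LAN subnets the NAT rule does not cover, and wide-open inbound ACLs."""
    inside_if, _, group = nat_source_group(config)
    nat_nets = parse_object_groups(config)[group]
    inside_routes = [net for iface, net, _ in parse_routes(config) if iface == inside_if]
    return {
        "unrouted": [str(n) for n in nat_nets
                     if not any(n.subnet_of(r) for r in inside_routes)],
        "untranslated": [s for s in lan_subnets
                         if ipaddress.ip_network(s) not in nat_nets],
        "open_inbound": open_inbound_acls(config),
    }


if __name__ == "__main__":
    for finding, items in audit(ASA_CONFIG, LAN_SUBNETS).items():
        print(f"{finding}: {items or 'none'}")
```

The route check matters because a subnet that is translated but has no route via `inside` will see its return traffic dropped by the firewall, which looks exactly like broken NAT when you troubleshoot it from a host.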

It is working:
ISE14/admin# ping 31.32.33.34
PING 31.32.33.34 (31.32.33.34) 56(84) bytes of data.
64 bytes from 31.32.33.34: icmp_seq=1 ttl=254 time=19.2 ms
64 bytes from 31.32.33.34: icmp_seq=2 ttl=254 time=20.4 ms
64 bytes from 31.32.33.34: icmp_seq=3 ttl=254 time=19.0 ms
64 bytes from 31.32.33.34: icmp_seq=4 ttl=254 time=14.4 ms

--- 31.32.33.34 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3019ms
rtt min/avg/max/mdev = 14.425/18.296/20.445/2.300 ms

ISE14/admin#
This is from a Windows host in VLAN 4:
So the firewalls are set up in Active/Standby HA, we have NAT working, and our inside hosts can talk to devices beyond the firewalls.

The new switch has arrived, so I can start to play around with that. I'll need to set up UNL to use a separate NIC for this, and that will be in a later post. Till then, it's really starting to take shape!

CCIE Security lab: Switching

It is time to set up the core network. Nothing new here really: a bit of HSRP and a few niceties (like disabling the timeout on the console). The switches need to be given a hostname (obviously), then there are some basics to do on all of them, and then the HSRP, which will be on SW1 and SW2.

On all switches we create the VLANs, turn off the time out on the console, and set the inter-switch ports to be dot1q trunks:
vlan 4
name Management
vlan 7
name DMZ
vlan 9
name Phones
vlan 20
name Users-1
vlan 21
name Users-2
vlan 55
name Failover
vlan 99
name Data-Phone
exit
line con 0
exec-t 0 0
exit
int ra gi0/1 - 3
swi tru enc dot
swi mo tru
no shu
exit
The next part is to set up the VLAN interfaces and HSRP. I have decided to use .254 as the final octet for the HSRP IPs, as it means I can use the switch numbers (.1 and .2) on the respective switches.

Vlan interfaces and HSRP

On SW1:
int vlan 4
ip address 10.1.4.1 255.255.255.0
standby 4 ip 10.1.4.254
standby 4 pri 90
standby 4 pre del min 60
no sh
int vlan 7
ip address 10.1.7.1 255.255.255.0
standby 7 ip 10.1.7.254
standby 7 pri 110
standby 7 pre del min 60
no sh
int vlan 9
ip address 10.1.9.1 255.255.255.0
standby 9 ip 10.1.9.254
standby 9 pri 90
standby 9 pre del min 60
no sh
int vlan 20
ip address 10.1.20.1 255.255.255.0
standby 20 ip 10.1.20.254
standby 20 pri 110
standby 20 pre del min 60
no sh
int vlan 21
ip address 10.1.21.1 255.255.255.0
standby 21 ip 10.1.21.254
standby 21 pri 90
standby 21 pre del min 60
no sh
int vlan 55
ip address 10.1.55.1 255.255.255.0
standby 55 ip 10.1.55.254
standby 55 pri 110
standby 55 pre del min 60
no sh
int vlan 99
ip address 10.1.99.1 255.255.255.0
standby 99 ip 10.1.99.254
standby 99 pri 90
standby 99 pre del min 60
no sh

On SW2:
int vlan 4
ip address 10.1.4.2 255.255.255.0
standby 4 ip 10.1.4.254
standby 4 pri 110
standby 4 pre del min 60
no sh
int vlan 7
ip address 10.1.7.2 255.255.255.0
standby 7 ip 10.1.7.254
standby 7 pri 90
standby 7 pre del min 60
no sh
int vlan 9
ip address 10.1.9.2 255.255.255.0
standby 9 ip 10.1.9.254
standby 9 pri 110
standby 9 pre del min 60
no sh
int vlan 20
ip address 10.1.20.2 255.255.255.0
standby 20 ip 10.1.20.254
standby 20 pri 90
standby 20 pre del min 60
no sh
int vlan 21
ip address 10.1.21.2 255.255.255.0
standby 21 ip 10.1.21.254
standby 21 pri 110
standby 21 pre del min 60
no sh
int vlan 55
ip address 10.1.55.2 255.255.255.0
standby 55 ip 10.1.55.254
standby 55 pri 90
standby 55 pre del min 60
no sh
int vlan 99
ip address 10.1.99.2 255.255.255.0
standby 99 ip 10.1.99.254
standby 99 pri 110
standby 99 pre del min 60
no sh

Confirmation:

SW1#sh standby bri
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Vl4         4    90  P Standby 10.1.4.2        local           10.1.4.254
Vl7         7    110 P Active  local           10.1.7.2        10.1.7.254
Vl9         9    90  P Standby 10.1.9.2        local           10.1.9.254
Vl20        20   110 P Active  local           10.1.20.2       10.1.20.254
Vl21        21   90  P Standby 10.1.21.2       local           10.1.21.254
Vl55        55   110 P Active  local           10.1.55.2       10.1.55.254
Vl99        99   90  P Standby 10.1.99.2       local           10.1.99.254
SW1#

SW2#sh standby bri
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Vl4         4    110 P Active  local           10.1.4.1        10.1.4.254
Vl7         7    90  P Standby 10.1.7.1        local           10.1.7.254
Vl9         9    110 P Active  local           10.1.9.1        10.1.9.254
Vl20        20   90  P Standby 10.1.20.1       local           10.1.20.254
Vl21        21   110 P Active  local           10.1.21.1       10.1.21.254
Vl55        55   90  P Standby 10.1.55.1       local           10.1.55.254
Vl99        99   110 P Active  local           10.1.99.1       10.1.99.254
SW2#
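
Added example, not the author's code: a Python parser for the two `show standby brief` outputs above that cross-checks every HSRP group between the switches. For each group the virtual IP must match, there must be exactly one Active and one Standby, the Active should be the higher-priority switch when preempt is set, and preempt should be on both sides. The second run feeds it a constructed variant of SW1's output in which Vl4 claims Active as well: the split-brain state you get when the switches stop hearing each other's hellos (a failed trunk, for instance), which the output of a single switch does not reveal.

```python
"""Parse 'show standby brief' from two switches and cross-check the HSRP groups.

Added example, not the author's code. SW1_OUTPUT and SW2_OUTPUT are the
outputs shown in the post; SPLIT_BRAIN is a constructed variant of SW1's
output in which Vl4 is Active on both switches.
"""
import re

SW1_OUTPUT = """\
SW1#sh standby bri
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Vl4         4    90  P Standby 10.1.4.2        local           10.1.4.254
Vl7         7    110 P Active  local           10.1.7.2        10.1.7.254
Vl9         9    90  P Standby 10.1.9.2        local           10.1.9.254
Vl20        20   110 P Active  local           10.1.20.2       10.1.20.254
Vl21        21   90  P Standby 10.1.21.2       local           10.1.21.254
Vl55        55   110 P Active  local           10.1.55.2       10.1.55.254
Vl99        99   90  P Standby 10.1.99.2       local           10.1.99.254
SW1#
"""

SW2_OUTPUT = """\
SW2#sh standby bri
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Vl4         4    110 P Active  local           10.1.4.1        10.1.4.254
Vl7         7    90  P Standby 10.1.7.1        local           10.1.7.254
Vl9         9    110 P Active  local           10.1.9.1        10.1.9.254
Vl20        20   90  P Standby 10.1.20.1       local           10.1.20.254
Vl21        21   110 P Active  local           10.1.21.1       10.1.21.254
Vl55        55   90  P Standby 10.1.55.1       local           10.1.55.254
Vl99        99   110 P Active  local           10.1.99.1       10.1.99.254
SW2#
"""

# Constructed: SW1 has lost contact with SW2 and made itself Active on Vl4.
SPLIT_BRAIN = re.sub(r"^Vl4 .*$", "Vl4 4 90 P Active local unknown 10.1.4.254",
                     SW1_OUTPUT, flags=re.M)


def parse_standby_brief(output):
    """{(interface, group): record} from the table in 'show standby brief'."""
    entries = {}
    for line in output.splitlines():
        toks = line.split()
        if len(toks) < 7 or not toks[1].isdigit():
            continue  # prompt, legend and header lines
        preempt = toks[3] == "P"
        rest = toks[4:] if preempt else toks[3:]
        if len(rest) != 4:
            continue
        state, active, standby, vip = rest
        entries[(toks[0], int(toks[1]))] = {
            "pri": int(toks[2]), "preempt": preempt, "state": state,
            "active": active, "standby": standby, "vip": vip}
    return entries


def check_hsrp(outputs):
    """outputs: {switch name: show standby brief text}. Returns problems found."""
    tables = {sw: parse_standby_brief(txt) for sw, txt in outputs.items()}
    problems = []
    for iface, grp in sorted(set().union(*(t.keys() for t in tables.values()))):
        recs = {sw: t[(iface, grp)] for sw, t in tables.items() if (iface, grp) in t}
        tag = f"{iface} group {grp}"
        if len(recs) != len(tables):
            problems.append(f"{tag}: missing on {sorted(set(tables) - set(recs))}")
            continue
        vips = {r["vip"] for r in recs.values()}
        if len(vips) != 1:
            problems.append(f"{tag}: virtual IP mismatch {sorted(vips)}")
        states = sorted(r["state"] for r in recs.values())
        if states != ["Active", "Standby"]:
            problems.append(f"{tag}: states {states}, expected one Active and one Standby")
        active = [sw for sw, r in recs.items() if r["state"] == "Active"]
        highest = max(recs, key=lambda sw: recs[sw]["pri"])
        if len(active) == 1 and active[0] != highest and recs[highest]["preempt"]:
            problems.append(f"{tag}: {active[0]} is Active although {highest} "
                            "has the higher priority and preempt")
        problems.extend(f"{tag}: {sw} has no preempt"
                        for sw, r in recs.items() if not r["preempt"])
    return problems


if __name__ == "__main__":
    print("lab:", check_hsrp({"SW1": SW1_OUTPUT, "SW2": SW2_OUTPUT}) or "all groups consistent")
    print("split brain:", check_hsrp({"SW1": SPLIT_BRAIN, "SW2": SW2_OUTPUT}))
```

On the outputs from the post the check comes back clean; on the constructed split-brain output it flags Vl4 group 4 with two Actives, which is the condition to look for whenever both switches start answering for the same virtual IP.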
Looks good now. We have an internal network and can start playing with the really cool toys, like the ISE and WSA, but not before we set up the firewalls for HA and NAT.

I am waiting on my (newish) 3750X to be delivered today; it's the PoE version, so it'll handle the phone and the Wi-Fi parts of the lab.