Add MSE to Cisco prime

This is one simple post, to show how to add MSE (pre-configured) to Cisco prime with three straightforward steps

First step: Add the controller to the prime (Create SNMP user/ version then add it)

 

 

Second step: Add MSE to the Cisco prime and sync it

Third step: Verify the status from Cisco prime and WLC

LAB: Multicast PIM Dense-Spare Mode

Multicast, one of the most interesting topics and for me one of the most challenging topics

In this lab, I am going to use PIM with Dense & Spare mode to achieve successful join for the multicast ip 239.5.5.5

The network has the basic:

1. Interfaces configurations
2. OSPF to ping any interface from any router
3. loopback for each router

Dense mode

configurations for this mode are quite simple and includes two steps (For each router)

1. Define the multicast globally
2. Enable the dense mode for each physical interface that will use it

Router1(config)#ip multicast-routing

Router3(config)#int e 0/1

Router3(config-if)#ip pim dense-mode
Router3(config-if)#end
*Dec 24 18:24:35.925: %PIM-5-DRCHG: DR change from neighbor 0.0.0.0 to 192.168.3.1 on interface Ethernet0/1

Now to test, I want router 3 to join the IP 239.5.5.5 (using loopback) and will ping this address from router 1 where the PC is connected

Router3(config)#int loopback 30
Router3(config-if)#ip igmp join-group 239.5.5.5

Multicast has neighbors and table, just like anything else in routers 😉

Router2#show ip pim neighbor
PIM Neighbor Table
Mode: B – Bidir Capable, DR – Designated Router, N – Default DR Priority,
P – Proxy Capable, S – State Refresh Capable, G – GenID Capable
Neighbor Interface Uptime/Expires Ver DR
Address Prio/Mode
192.168.2.1 Ethernet0/1 00:00:24/00:01:20 v2 1 / S P G
192.168.3.1 Ethernet0/2 00:00:53/00:01:21 v2 1 / S P G
Router3#show ip mroute
IP Multicast Routing Table
Flags: D – Dense, S – Sparse, B – Bidir Group, s – SSM Group, C – Connected,
L – Local, P – Pruned, R – RP-bit set, F – Register flag,
T – SPT-bit set, J – Join SPT, M – MSDP created entry, E – Extranet,
X – Proxy Join Timer Running, A – Candidate for MSDP Advertisement,
U – URD, I – Received Source Specific Host Report,
Z – Multicast Tunnel, z – MDT-data group sender,
Y – Joined MDT-data group, y – Sending to MDT-data group,
V – RD & Vector, v – Vector
Outgoing interface flags: H – Hardware switched, A – Assert winner
Timers: Uptime/Expires
Interface state: Interface, Next-Hop or VCD, State/Mode

(*, 239.5.5.5), 00:05:05/stopped, RP 0.0.0.0, flags: DCL
Incoming interface: Null, RPF nbr 0.0.0.0
Outgoing interface list:
Ethernet0/1, Forward/Dense, 00:02:38/stopped
Loopback30, Forward/Dense, 00:05:05/stopped

(192.168.10.1, 239.5.5.5), 00:00:40/00:02:19, flags: LT
Incoming interface: Ethernet0/1, RPF nbr 192.168.3.2
Outgoing interface list:
Loopback30, Forward/Dense, 00:00:40/stopped

(192.168.2.1, 239.5.5.5), 00:00:40/00:02:19, flags: LT
Incoming interface: Ethernet0/1, RPF nbr 192.168.3.2
Outgoing interface list:
Loopback30, Forward/Dense, 00:00:40/stopped

(*, 224.0.1.40), 00:08:50/00:02:10, RP 0.0.0.0, flags: DCL
Incoming interface: Null, RPF nbr 0.0.0.0
Outgoing interface list:
Ethernet0/1, Forward/Dense, 00:02:38/stopped
Loopback30, Forward/Dense, 00:08:50/stopped

Router3#

Now ping from Router 1 where the PC is connected

Router1#ping 239.5.5.5 source e 0/2
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 239.5.5.5, timeout is 2 seconds:
Packet sent with a source address of 192.168.40.1

Reply to request 0 from 192.168.30.1, 42 ms

Awesome 🙂 Getting a reply form Router 3 loopback IP (which joined this mutlicast IP)

Sparse mode:

Now, I want to remove the configurations for dense in each physical interface and add spare mode instead – for all routers

Router2(config)#int range e 0/1 – 2
Router2(config-if-range)#no ip pim dense-mode
*Dec 24 18:37:12.366: %PIM-5-NBRCHG: neighbor 192.168.2.1 DOWN on interface Ethernet0/1 non DR
*Dec 24 18:37:12.392: %PIM-5-NBRCHG: neighbor 192.168.3.1 DOWN on interface Ethernet0/2 non DR
Router2(config-if-range)#ip pim sparse-mode
Router2(config-if-range)#
*Dec 24 18:37:20.041: %PIM-5-NBRCHG: neighbor 192.168.3.1 UP on interface Ethernet0/2
*Dec 24 18:37:20.055: %PIM-5-NBRCHG: neighbor 192.168.2.1 UP on interface Ethernet0/1
*Dec 24 18:37:21.047: %PIM-5-DRCHG: DR change from neighbor 0.0.0.0 to 192.168.2.2 on interface Ethernet0/1
*Dec 24 18:37:21.048: %PIM-5-DRCHG: DR change from neighbor 0.0.0.0 to 192.168.3.2 on interface Ethernet0/2

Let us try to see, what if I ping like dense mode

Router1#ping 239.5.5.5
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 239.5.5.5, timeout is 2 seconds:
.

The ping failed as I haven’t created RP .. all what I need to do is to create the RP and manually enter it for all other routers in the network

Router2(config)#ip pim rp-address 192.168.20.1
Router2(config)#
*Dec 24 18:40:56.086: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Dec 24 18:40:56.086: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up

Test with the ping, and its working … and just for fun, I added loopback 20 (Router 2) to join the same multicast group so we can see multiple replies

Router1#ping 239.5.5.5 source e 0/2
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 239.5.5.5, timeout is 2 seconds:
Packet sent with a source address of 192.168.40.1

Reply to request 0 from 192.168.20.1, 8 ms
Reply to request 0 from 192.168.30.1, 9 ms
Reply to request 0 from 192.168.20.1, 8 ms
Reply to request 0 from 192.168.30.1, 8 ms

These are basic configurations to run PIM in both modes 🙂

LAB: WGB with autonomous AP using local RADIUS

In this lab, I am going to connect WGB to autonomous AP that is using local  RADIUS with EAP-FAST.

Autonomous AP configurations: 

SSID: I am going to use the eap method called nour-method for the dot1x authentication

AIR-LAP1141N-A-K9(config)#dot11 ssid WGB
AIR-LAP1141N-A-K9(config-ssid)#authentication open eap nour-method
AIR-LAP1141N-A-K9(config-ssid)#authentication network-eap nour-method
AIR-LAP1141N-A-K9(config-ssid)#authentication key-management wpa
AIR-LAP1141N-A-K9(config-ssid)#infrastructure-ssid optional

Radio interface: the basic encryption and define the SSID

AIR-LAP1141N-A-K9(config)#int dot11Radio 0
AIR-LAP1141N-A-K9(config-if)#no shutdown
AIR-LAP1141N-A-K9(config-if)#encryption mode ciphers aes-ccm
AIR-LAP1141N-A-K9(config-if)#ssid WGB

RADIUS authentication:

AIR-LAP1141N-A-K9(config)#aaa new-model
AIR-LAP1141N-A-K9(config)#aaa authentication login nour-method group radius
AIR-LAP1141N-A-K9(config)#radius-server host 192.168.143.7 auth-port 1812 acct-port 1813 key cisco123

Local RADIUS:

AIR-LAP1141N-A-K9(config)#radius-server local
AIR-LAP1141N-A-K9(config-radsrv)#no authentication lea
AIR-LAP1141N-A-K9(config-radsrv)#no authentication leap
AIR-LAP1141N-A-K9(config-radsrv)#authentication eapfast
AIR-LAP1141N-A-K9(config-radsrv)#nas 192.168.143.7 key cisco123
AIR-LAP1141N-A-K9(config-radsrv)#user test password test

WGB AP configurations: 

SSID and define the dot1x method and credentials (as any client that needs to connect to dot1x ssid)

AIR-LAP1131AG-A-K9(config)#dot11 ssid WGB
AIR-LAP1131AG-A-K9(config-ssid)#authentication open eap nour-method
AIR-LAP1131AG-A-K9(config-ssid)#authentication network-eap nour-method
AIR-LAP1131AG-A-K9(config-ssid)#authentication key-management wpa
AIR-LAP1131AG-A-K9(config-ssid)#dot1x credentials WGB-credentials
AIR-LAP1131AG-A-K9(config-ssid)#dot1x eap profile WGB-eapfast
AIR-LAP1131AG-A-K9(config-ssid)#ex

 

Credentials:

AIR-LAP1131AG-A-K9(config)#dot1x credentials WGB-credentials
AIR-LAP1131AG-A-K9(config-dot1x-creden)#username test
AIR-LAP1131AG-A-K9(config-dot1x-creden)#password test
AIR-LAP1131AG-A-K9(config-dot1x-creden)#anonymous-id wgb
AIR-LAP1131AG-A-K9(config-dot1x-creden)#exit

Eap method profile:

AIR-LAP1131AG-A-K9(config)#eap profile WGB-eapfast
AIR-LAP1131AG-A-K9(config-eap-profile)#method fast

Radio interface:

AIR-LAP1131AG-A-K9(config)#int dot11Radio 0
AIR-LAP1131AG-A-K9(config-if)#no shutdown
AIR-LAP1131AG-A-K9(config-if)#ssid WGB
AIR-LAP1131AG-A-K9(config-if)#encryption mode ciphers aes-ccm
AIR-LAP1131AG-A-K9(config-if)#ssid WGB
AIR-LAP1131AG-A-K9(config-if)#station-role workgroup-bridge
AIR-LAP1131AG-A-K9(config-if)#infrastructure-client

Checking the connectivity 

 

AIR-LAP1141N-A-K9#show dot11 ass

802.11 Client Stations on Dot11Radio0:

SSID [WGB] :

MAC Address IP address Device Name Parent State
001d.a1ec.8790 192.168.143.8 WGB AIR-LAP1131AG-A self EAP-Assoc

AIR-LAP1141N-A-K9#ping 192.168.143.8

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.143.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms

 

Optional: Adding security so the autonomous AP will allow only the WGB to connect to it and will guide the WGB to connect to that specific AP. The trick is by using the radio mac address for the configurations

–> From the WGB AP
AIR-LAP1131AG-A-K9#show int d0
Dot11Radio0 is up, line protocol is up
Hardware is 802.11G Radio, address is 001d.a1ec.8790 (bia 001d.e54c.41d0)

–> IOS AP
AIR-LAP1141N-A-K9#sh int d0
Dot11Radio0 is up, line protocol is up
Hardware is 802.11N 2.4GHz Radio, address is 081f.f3b3.7e40 (bia 081f.f3b3.7e40)

–> IOS AP
AIR-LAP1141N-A-K9(config)#dot11 association mac-list 700
AIR-LAP1141N-A-K9(config)#access-list 700 permit 001d.a1ec.8790 0000.0000.0000
AIR-LAP1141N-A-K9(config)#access-list 700 deny 0000.0000.0000 ffff.ffff.ffff

–> WGB AP

AIR-LAP1131AG-A-K9(config)#int d0
AIR-LAP1131AG-A-K9(config-if)#parent 1 081f.f3b3.7e40

 

Cheers 🙂 !

Layer 3 QoS – ToS

We have to keep in mind that QoS, helps the network passing “important” traffic once a congestion happen; it doesn’t prevent the network from being loaded it just try to survive the situation with minimum interruption for the traffic that matters the most.

To apply QoS for Layer 3, we need to mark the traffic according to its importance then decide how to deal with it when congestion happen!

ToS Marking:

Layer 3 IP packets can have QoS;  called ToS marking by using:

1.  IP precedence value which uses 3 bits to duplicate the Layer 2 CoS value and position this value at Layer 3, hence the range is from 0-7.
2. Differentiated Services Code Point (DSCP): uses 6 of the 8 bits (allowing for 64 QoS values).

ToS is 1 byte of the layer 3 IP packet, which is divided and used as the following:

[0] [1] [2] [3] [4] [5] [6] [7]

For IP precedence, the bits 0, 1 & 2 are used to map the CoS 3 bits in Layer 2 QoS.

For DSCP, these bits have different meaning:

[0] [1] [2] = Class

These bits can be in the combination of:

• 0 0 0   = Best Effort, no QoS   (BE)
• 0 0 1   = Assured Forwarding 1  (AF1)
• 0 1 0   = Assured Forwarding 2 (AF2)
• 0 1 1    = Assured Forwarding 3 (AF 3)
• 1 0 0   = Assured Forwarding 4 (AF 4)
• 1 0 1   = Expedited forwarding (EF)  (DSCP 46)
• Any   = Class Selector (CS) — only these 3 bits are used, rest are zeros .. used for backward compatibility with IP precedence/ CoS

[3] [4]: 

• For class AF, these bits are Drop Probability  (DP), a higher DP means a higher probability for the packet to be dropped if congestion occurs, could be 1 (Low), 2 (Medium) & 3 (high) where high is the worse!
• For the class EF, these two bits are always 1
• For the class CS, these two bits are always 0

[5]: Always Zero!

[6] [7] : Used to tell the network/ link congestion to the destination point

Congestion management:

To prioritizes packets, when congestion happen, we need to use one of these queues.

1. Priority queuing (PQ): strict service of a queue for one queue and ignore the others.
2. Custom queuing (CQ): Just a load balance between the queues.
3. Weighted fair queuing (WFQ):Gives priority for smaller packets or packets with higher ToS, interface level command is fair-queue
4. class-based weighted fair queuing (CBWFQ): Customized bandwidth for each class – CBWFQ : Can be enabled as an output feature only
5. Low-latency queuing (LLQ): Serve one queue in priority until certain BW, usually used for VoIP; use priority command to set LLQ policy.

Configurations Example 1: 

They are done using MQS (Modular QoS Console command set), I am using the simple network below where the cluster of PCs is to generate traffic and one PC for ping test

First step is to create class-map to define how to classify the traffic (I want to use icmp and ftp)

Router(config)#class-map match-any n-class

Router(config-cmap)#match protocol icmp

Router(config)#class-map match-all ftp-c

Router(config-cmap)#match protocol ftp

 

Second step is to create policy-map to define the priority for the traffic

Router(config)#policy-map n-policy

Router(config-pmap)#class n-class

Router(config-pmap-c)#set ip dscp ef

Router(config-pmap-c)#bandwidth percent 75

Router(config-pmap-c)#ex

Router(config-pmap)#class ftp-c

Router(config-pmap-c)#set ip dscp af13

 

Third step, set service policy to assign this QoS to interface

Router(config)#int serial 0/3/0

Router(config-if)#service-policy output n-policy

I applied the same on both serial links (output to prioritize icmp and lower ftp)

 

Created the same on the other router and linked the service policy to the serial

I applied small ping test for before and after

Configurations Example 2:

For the same network, I added QoS exclusively for the PC I used for ping test

Router(config)#access-list 107 permit icmp host 192.168.3.12 any

Router(config)#class-map match-all icmp-class
Router(config-cmap)#match access-group 107

Router(config)#policy-map icmp-policy
Router(config-pmap)#class icmp-class
Router(config-pmap-c)#set ip dscp ef
Router(config-pmap-c)#bandwidth percent 70

Router(config)#int serial 0/3/0
Router(config-if)#service-policy output icmp-policy

 

PT LAB: Bringing up Nours small network – Layer 3 High Availability (HSRP)

I want to make some adjustments to my network so I can add Layer 3 high availability.

1. The changes I am having, separate DHCP servers, instead of using layer 3 router.
2. Set the GW for router 1 to 192.168.VLAN.2  (Router on a stick – native vlan is 1)
3. Add new router with GW to 192.168.VLAN.3  (Router on a stick)
4. Confirm both IPs are reachable from my PCs

 

HSRP

• I want to use HSRP (Hot Standby Routing Protocol) between the two routers for high availability
• I am going to use the old router the active for VLAN 10, 20 and standby for VLAN 30, 40
• While I will use the new router as active for vlan 30, 40 and standby for 10.20
• If the WAN link goes down, I want to enable preempt to force the switch-over
• The priority will be set to 105 for the one I want to be active in the group and will keep the default for the standby (100) and for the link tracking the default of 10

Here we go:

For the old router, using this ocnfigurations for VLAN 10 & 20

HSRP-10-20(config)#int gig0/0.10

HSRP-10-20(config-subif)#standby 10 ip 192.168.10.1

%HSRP-6-STATECHANGE: GigabitEthernet0/0.10 Grp 10 state Speak -> Standby

%HSRP-6-STATECHANGE: GigabitEthernet0/0.10 Grp 10 state Standby -> Active

HSRP-10-20(config-subif)#standby 10 priority 105

HSRP-10-20(config-subif)#standby 10 preempt

HSRP-10-20(config-subif)#standby 10 track gigabitEthernet 0/2

HSRP-10-20#show standby

GigabitEthernet0/0.10 – Group 10 (version 2)

State is Active

4 state changes, last state change 02:14:02

Virtual IP address is 192.168.10.1

Active virtual MAC address is 0000.0C9F.F00A

Local virtual MAC address is 0000.0C9F.F00A (v2 default)

Hello time 3 sec, hold time 10 sec

Next hello sent in 0.426 secs

Preemption enabled

Active router is local

Standby router is unknown

Priority 105 (configured 105)

Track interface GigabitEthernet0/2 state Up decrement 10

Group name is hsrp–10 (default)

Using this configurations for VLAN 30 and 40 (standby)

HSRP-10-20(config)#int gig0/0.30

HSRP-10-20(config-subif)#standby 30 ip 192.168.30.1

HSRP-10-20(config-subif)#standby 30 preempt

HSRP-10-20(config-subif)#standby 30 track gigabitEthernet 0/2

Moving to the new router and making the configurations (same logic)

I found these lines so adorable not to share, while applying the preempt on this router:

%HSRP-6-STATECHANGE: GigabitEthernet0/0.40 Grp 40 state Speak -> Standby

HSRP-30-40(config-subif)#standby 40 preempt

HSRP-30-40(config-subif)#

HSRP-30-40(config-subif)#

%HSRP-6-STATECHANGE: GigabitEthernet0/0.40 Grp 40 state Standby -> Active

 

HSRP-30-40#show standby

GigabitEthernet0/0.10 – Group 10 (version 2)

State is Standby

3 state changes, last state change 02:26:25

Virtual IP address is 192.168.10.1

Active virtual MAC address is 0000.0C9F.F00A

Local virtual MAC address is 0000.0C9F.F00A (v2 default)

Hello time 3 sec, hold time 10 sec

Next hello sent in 2.327 secs

Preemption enabled

Active router is 192.168.10.2

Standby router is local

Priority 100 (default 100)

Track interface GigabitEthernet0/2 state Up decrement 10

Group name is hsrp–10 (default)

GigabitEthernet0/0.20 – Group 20 (version 2)

State is Standby

3 state changes, last state change 02:20:25

Virtual IP address is 192.168.20.1

Active virtual MAC address is 0000.0C9F.F014

Local virtual MAC address is 0000.0C9F.F014 (v2 default)

Hello time 3 sec, hold time 10 sec

Next hello sent in 1.533 secs

Preemption disabled

Active router is 192.168.20.2

Standby router is local

Priority 100 (default 100)

Track interface GigabitEthernet0/2 state Up decrement 10

Group name is hsrp–20 (default)

GigabitEthernet0/0.30 – Group 30 (version 2)

State is Active

15 state changes, last state change 02:27:04

Virtual IP address is 192.168.30.1

Active virtual MAC address is 0000.0C9F.F01E

Local virtual MAC address is 0000.0C9F.F01E (v2 default)

Hello time 3 sec, hold time 10 sec

Next hello sent in 2.481 secs

Preemption enabled

Active router is local

Standby router is 192.168.30.3, priority 105 (expires in 1 sec)

Priority 105 (configured 105)

Track interface GigabitEthernet0/2 state Up decrement 10

Group name is hsrp–30 (default)

GigabitEthernet0/0.40 – Group 40 (version 2)

State is Active

5 state changes, last state change 02:18:41

Virtual IP address is 192.168.40.1

Active virtual MAC address is 0000.0C9F.F028

Local virtual MAC address is 0000.0C9F.F028 (v2 default)

Hello time 3 sec, hold time 10 sec

Next hello sent in 2.24 secs

Preemption enabled

Active router is local

Standby router is 192.168.40.2, priority 105 (expires in 8 sec)

Priority 105 (configured 105)

Track interface GigabitEthernet0/2 state Up decrement 10

Group name is hsrp–40 (default)

 

Now, we reached the fun part of each lab .. the verifying  🙂

First thing I will reload one router and see how it goes

 

Second thing, I will kill the WAN link in the active router and see how it goes

The reason behind this, when the router is dead/ unreachable we will relay in the timers to figure this out, while when the link goes down the track command lower the priority immediately