Saturday, 8 December 2018

IPv6 Addressing - All About Prefix


IANA has allocated only one eighth of the total address space, currently 2000::/3 is allocated for use on the Internet.

IANA allocates prefixes of /23 upto /12 to RIRs.

The RIRs assign smaller blocks to ISPs that distributes them to users. These are typically in sizes from /19 to /32.

The addresses are typically distributed in /48 to /56 sized blocks to the end users.

Hurricane Electric Certification ID

IPv6 Certification Badge for kundan10941

Control Roaming Behavior on Cisco Wireless Network

Minimum RSSI
If a client RSSI value is below this threshold it will not associate/authenticate to the access point, instead it will continue to look for a better signal from different access points.
Valid = -80dBm to -90dBm, Default = -90dBm

Hysteris
How much stronger the signal of another access point has to be before a client decides to roam to it. This is useful if you have multiple access points in close proximity of each other or clients are moving between the edge of coverage of different access point. The higher this value the closer a client needs to be to an access point for it to associate to the second access point.
Valid ranges are from 2 through 4 dB.

San Threshold
scan threshold this is another RSSI value range. When the wireless client’s RSSI drops below this threshold the client will begin actively scanning for another access point it can receive a stronger signal from.
Valid values range between -70 through -77.

Transition time
This is the transition time of a client to associate to different access point.
The client determines a better signal when its RSSI drops below the scan threshold and it sees a signal from a neighboring access point higher than the scan threshold.

Go to Wireless -> 802.11a/n/ac, 802.11b/g/n -> client roaming









Friday, 23 November 2018

Lightweight to Autonomous and Vice Versa


Lightweight to Autonomous Conversion


Configure the IP Address in AP
APLWAPPTOIOS#debug capwap console cli (command to enter into config terminal)
APLWAPPTOIOS#config terminal
APLWAPPTOIOS(config)#Interface bvi1
APLWAPPTOIOS(config-if)#Ip address x.x.x.x x.x.x.x
APLWAPPTOIOS(config-if)#Ip add dhcp (to configure interface to obtain IP from DHCP)

Command to load Autonomous Image from TFTP
APLWAPPTOIOS#archive download-sw /force-reload /overwrite tftp://<tftp ip address>/<image name.tar>

Autonomous to Lightweight Conversion

Configure the IP Address in AP
APIOSTOLWAPP#config terminal
APIOSTOLWAPP(config)#Interface bvi1
APIOSTOLWAPP(config-if)#Ip address x.x.x.x x.x.x.x
APIOSTOLWAPP(config-if)#Ip add dhcp (to configure interface to obtain IP from DHCP)

Command to load Lightweight AP Image from TFTP
APLWAPPTOIOS#archive download-sw /force-reload /overwrite tftp://<tftp ip address>/<image name.tar>

Wednesday, 21 November 2018

BPDU Guard and BPDU Filter


BPDU Guard
BPDU Guard is used to protect STP topology from BPDU attacks.

BPDU Guard must be enabled on a port that should never receive a BPDU from its connected device.

End devices like workstations, server, printers etc. are not supposed to generate BPDUs, because BPDU messages are exchanged by network switches.

If someone plugs switch/hub from switchport then BPDUs will be exchanged and can cause issue in our network.

When a BPDU Guard enabled port receive BPDU from the connected device, BPDU Guard disables the port and the port state is changed to Err disable state.

Global Config
switch(config)#spanning-tree portfast edge bpduguard default
To remove, use no command 
Interface Config
switch(config-if)#spanning-tree bpduguard enable
To disable use disable at the end 

BPDU Filter
BPDU filter is a feature used to filter sending or receiving BPDUs on a switchport.

When BPDU Filter is enabled globally and If any BPDUs are received on switchports, the PortFast feature is disabled and the port will become a normal STP port.

When BPDU Filter is enabled at an Interface, BPDU Filter will not send out BPDUs and avoid the processing of received BPDUs. This will completely disable the Spanning Tree Protocol (STP) on that interface.

Global Config
switch(config)#spanning-tree portfast edge bpdufilter defaultTo remove, use no command 
Interface Config
switch(config-if)#spanning-tree bpdufilter enable.
To disable use disable at the end

Tuesday, 30 October 2018

AP Recovery from ROMMON Mode


Configure the IP Address in AP 
ap: set IP_ADDR 192.168.100.20

Configure the Mask in AP
ap: set NETMASK 255.255.255.0

Configure the Gateway in AP
ap: set DEFAULT_ROUTER 192.168.100.1

Prepare the Access Point for TFTP
ap: tftp_init
ap: ether_init
ap: flash_init

Enter the tar command to load and inflate the new image from your TFTP server
ap: tar -xtract tftp://192.168.100.10/FILE-NAME.tar flash:

Check the dir flash
ap:dir flash:

Set the file-name/ios for boot
ap:set BOOT flash:/FILE-NAME.tar

Reload the AP
ap:boot

WLC Radius Server Fallback Modes


Active Mode
In active mode, when a server does not respond to the WLC authentication request, the WLC marks the server as dead and then moves the server to the non-active server pool and starts to send probe messages periodically until that server responds.

If the server responds, then the WLC moves the dead server to the active pool and stops sending probe messages.

In this mode, when an authentication request comes, the WLC always picks the lowest index (highest priority) server from the active pool of RADIUS servers.

The WLC sends a probe packet after timeout (the default is 300 seconds) in order to determine server status in case the server was unresponsive earlier.

Passive Mode
In passive mode, if a server does not respond to the WLC authentication request, the WLC moves the server to the inactive queue and sets a timer. 

When the timer expires, the WLC moves the server to active queue irrespective of the server's actual status. When an authentication request comes, the WLC picks the lowest index (highest priority) server from the active queue (which might include the non-active server).

If the server does not respond then the WLC marks it as inactive, sets the timer, and moves to the next highest priority server. This process continues until the WLC finds an active RADIUS server, or the active server pool is exhausted.

The WLC assumes the server is active after timeout (the default is 300 seconds) in case the server was unresponsive earlier. If it is still unresponsive, the WLC waits for another timeout and tries again when an authentication request comes in.

Off Mode
In off mode, the WLC supports failover only. In other words, fallback is disabled. When the primary RADIUS server goes down, the WLC will failover to the next active backup RADIUS server. The WLC continues to use the secondary RADIUS server forever, even if the primary server is available.

Aggressive Failover
If the aggressive failover feature is enabled in the WLC, the WLC is too aggressive to mark the AAA server as "not responding". However this should not be done because the AAA server is possibly not responsive only to that particular client, if you do silent discard. It can be a response to other valid clients with valid certificates. The WLC can still mark the AAA server as "not responding" and "not functional".

In order to overcome this, disable the aggressive failover feature. Enter the "config radius aggressive-failover disable" command from the controller in order to perform this. 

If this is disabled, then the controller only fails over to the next AAA server if there are three consecutive clients that fail to receive a response from the RADIUS server.

WLC Commands to enable Fallback Radius
The first step is to select the mode of RADIUS server fallback. As mentioned earlier, the WLC supports active and passive modes of fallback.

In order to select the mode of fallback, enter this command:
WLC1 > config radius fallback-test mode {active/passive/off}
  • active - Sends probes to dead servers to test the status.
  • passive - Sets server status based on the last transaction.
  • off - Disables the server fallback test (default).
The next step is to select the interval which specifies the probe interval for active mode or the inactive time for the passive modes of operation.

In order to set the interval, enter this command:
WLC1 > config radius fallback-test mode interval {180 - 3600}
<180 to 3600> - Enter the probe interval or inactive time in seconds (the default is 300 seconds).

The interval specifies the probe interval in the case of active mode fallback or inactive time in the case of passive mode fallback.
For the active mode of operation, you need to configure a username which will be used in the probe request sent to the RADIUS server.

In order to configure the username, enter this command:
WLC1 >config radius fallback-test username {username}
    <username> - Enter a name up to 16 alphanumeric characters (the default  is cisco-probe)

    Thursday, 25 October 2018

    WLC Auto Anchoring


    Auto Anchoring is used when you are anchoring a WLAN to a particular controller in the mobility domain.

    Most common use of Auto Anchor is Wireless Guest service where all guest traffic tunnel back to DMZ controller irrespective of where they associate to network.


    In this we configure the WLC IP Address and MAC Address in each other’s mobility groups.

    WLC GUI
    Controller-> Mobility Groups


    we need to make sure that both wlc has been added and control and data path is up.


    WLC - IP Address
    WLC - Mobility Group Name
    WLC - MAC Address


    Must be added for data and control path to go UP.
    Once we are done with this, we now need to map the anchor in WLAN.

    Go at the end of WLAN drop down menu select Mobility Anchors


    Configure the same in anchor WLC (Anchor WLC itself is a Anchor so we need to select local in Anchor WLC)


    After all these settings when clients connect to the SSID where an anchor is mapped, actual client details is seen in anchor controller.

    Always remember Layer 2 security is handled by Foreign WLC and Layer 3 security is handled by Anchor WLC.

    In an Auto Anchor mobility, Client point of attachment is known as Export Foreign and Client Point of presence is known as Export Anchor.

    Roaming in WLC



    There are 3 types of Roaming

    1. Intra Controller
    2. Inter Controller
    3. Inter Controller - L3
    Intra Controller


    In intra controller roaming, when client goes from one AP to different AP and both AP is connected in single WLC then only client state & security context will be updated in WLC.

    Inter Controller


    In inter controller roaming, when client goes from one AP to different AP and other AP is connected in different WLC then client state & security context will be moved in WLC.

    Inter Controller - L3
    In inter controller - L3 roaming, when client goes from one AP to different AP and other AP is connected in different WLC with different VLAN for WLAN in which the client is connecting then client state & security context will be copied in WLC.



    In this scenario, original WLC marks the client entry as Anchor and new WLC marks the client entry as Foreign.

    The two WLC is now referred to Anchor WLC and Foreign WLC respectively, client will keep the IP address unchanged and that is the real advantage.


    Tuesday, 23 October 2018

    DHCP Snooping and IP ARP Inspection




    DHCP snooping is a DHCP security feature to prevent unauthorized (rogue) DHCP servers offering IP addresses to DHCP clients.

    It provides network security by filtering untrusted DHCP messages and by building and maintaining a DHCP snooping binding database, also referred to as a DHCP snooping binding table.

    DHCP Snooping works along with IP ARP inspection, it is a security feature that protects ARP (Address Resolution Protocol) which is vulnerable to an attack like ARP poisoning.

    DAI checks all ARP packets on untrusted interfaces, it will compare the information in the ARP packet with the DHCP snooping database and/or an ARP access-list. If the information in the ARP packet doesn’t match with database/snooping table or with access-list, it will be dropped.

    We first need to enable DHCP snooping, both globally and for VLAN
    Switch(config)#ip dhcp snooping
    Switch(config)#ip dhcp snooping vlan 20

    Trust the interface pointing towards DHCP Server to accept DHCP messages from and to DHCP Server
    Switch(config)#interface fastethernet0/1
    Switch(config)#ip dhcp snooping trust 
    Switch#show ip dhcp snooping
    Switch DHCP snooping is enabled
    DHCP snooping is configured on following VLANs:
    20
    DHCP snooping is operational on following VLANs:
    20
    DHCP snooping is configured on the following L3 Interfaces:
    Insertion of option 82 is enabled
       circuit-id format: vlan-mod-port
       remote-id format: MAC
    Option 82 on untrusted port is not allowed
    Verification of hwaddr field is enabled
    Verification of giaddr field is enabled
    DHCP snooping trust/rate is configured on the following Interfaces:
    Interface               Trusted Allow option  Rate limit (pps)
    --------------------   ---------- -----------------  ---------------------
    Fastethernet0/1     yes            yes               unlimited
     Custom circuit-ids:

    Option 82 
    By default, switch adds option 82 into dhcp request packet before forwarding to DHCP server. Actually, information option addition task is supposed to be done by DHCP realy device with giaddr field to non-zero vlaue. DHCP server assigns ip addresses based on option 82 parameters and forwards packets to ip address mentioned in giaddr field. But when switch forwards dhcp packet with option 82 information, it does not change giaddr field to non-zero value, it remians to 0.0.0.0 only.
    DHCP server expects a packet with option field should have giaddr field to some non-zero value but observs that its zero hence rejects them
    To avoid this configure "no ip dhcp snooping information option" in switch, so that switch does not add option field in dhcp packet

    Lets check our table !
    Switch#show ip dhcp snooping binding 
    MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
    ------------------  ---------------  ----------  -------------  ----  --------------------
    00:11:22:33:44:55   192.168.0.1      65330       dhcp-snooping   20   FastEthernet0/3
    Total number of bindings: 1
    As you can see above, we have 1 dhcp client available in dhcp binding database.

    Now lets configure ip arp inspection
    Switch(config)#ip arp inspection vlan 20
    Switch(config)#interface fastethernet0/1
    Switch(config)#ip arp inspection trust
    Switch#show ip arp inspection
    Source Mac Validation      : Disabled
    Destination Mac Validation : Disabled
    IP Address Validation      : Disabled
    Vlan     Configuration    Operation   ACL Match          Static ACL
     ----     -------------    ---------   ---------          ----------
       20     Enabled          Active
    Vlan     ACL Logging      DHCP Logging      Probe Logging
     ----     -----------      ------------      -------------
       20     Deny             Deny              Off
    Vlan      Forwarded        Dropped     DHCP Drops      ACL Drops
     ----      ---------        -------     ----------      ---------
       20              0              0              0              0
    Vlan   DHCP Permits    ACL Permits  Probe Permits   Source MAC Failures
     ----   ------------    -----------  -------------   -------------------
       20              0              0              0                     0
    Vlan   Dest MAC Failures   IP Validation Failures   Invalid Protocol Data
     ----   -----------------   ----------------------   ---------------------
       20                   0                        0                       0
    Source MAC, destination MAC, and IP address validation are showing as disabled.
    you can enable optionally (optional) to have thorough security with “ip arp inspection validate” command.

    Below is the details to use the option
    dst-mac(Optional) : Enables validation of the destination MAC address in the Ethernet header against the target MAC address in the ARP body for 
    ARP responses. The device classifies packets with different MAC addresses as invalid and drops them.
    ip(Optional) : Enables validation of the ARP body for invalid and unexpected IP addresses. Addresses include 0.0.0.0, 255.255.255.255, and all IP multicast addresses. The device checks the sender IP addresses in all ARP requests and responses and checks the target IP addresses only in ARP responses.
    src-mac (Optional)  : Enables validation of the source MAC address in the Ethernet header against the sender MAC address in the ARP body for ARP requests and responses. The devices classifies packets with different MAC addresses as invalid and drops them.

    Lets look at the ARP Inspection to allow static clients to reach the destination
    As an example now if Attacker/Rogue Device with static IP configured with it, tries to ping DHCP Server, it will fail reason being is, there is no entry found in the dhcp snooping binding table, also there is no ACL configured to accept the packet from this device.
    To allow untrust to trust either "ip arp inspection trust" command is required or ACL must be configured.
    ACL can be configured to accept the packet if the port is untrust and static IP is assigned to the device, in our case it is the Static client who wants to connect to the network and for this we can configure the access-list.

    Below is the command to configure access-list
    Switch(config)#arp access list acl-name
    Switch(config-arp-acl)#permit ip host IP_ADDRESS mac host MAC_ADDRESS 

    Applying access list
    Switch(config)#ip arp inspection filter acl-name vlan 20

    That's it for DHCP Snooping and IP ARP Inspection !

    What are Sticky Clients ?

    What are Sticky Clients ? CREDIT : http://wifinigel.blogspot.com/2015/03/what-are-sticky-clients.html One term you'll often hear banded ...