Saturday 8 December 2018

IPv6 Addressing - All About Prefix


IANA has allocated only one eighth of the total address space; currently 2000::/3 is allocated for use on the Internet.

IANA allocates prefixes of /23 up to /12 to RIRs.

The RIRs assign smaller blocks to ISPs, which distribute them to users. These are typically in sizes from /19 to /32.

The addresses are typically distributed in /48 to /56 sized blocks to the end users.

Hurricane Electric Certification ID

IPv6 Certification Badge for kundan10941

Control Roaming Behavior on Cisco Wireless Network

Minimum RSSI
If a client's RSSI value is below this threshold, it will not associate/authenticate to the access point; instead it will continue to look for a better signal from different access points.
Valid = -80dBm to -90dBm, Default = -90dBm

Hysteresis
How much stronger the signal of another access point has to be before a client decides to roam to it. This is useful if you have multiple access points in close proximity to each other or clients are moving between the edges of coverage of different access points. The higher this value, the closer a client needs to be to the second access point before it associates to it.
Valid ranges are from 2 through 4 dB.

Scan Threshold
The scan threshold is another RSSI value range. When the wireless client’s RSSI drops below this threshold, the client begins actively scanning for another access point from which it can receive a stronger signal.
Valid values range between -70 through -77.

Transition time
This is the time a client takes to transition and associate to a different access point.
The client determines a better signal when its RSSI drops below the scan threshold and it sees a signal from a neighboring access point higher than the scan threshold.

Go to Wireless -> 802.11a/n/ac, 802.11b/g/n -> client roaming









Friday 23 November 2018

Lightweight to Autonomous and Vice Versa


Lightweight to Autonomous Conversion


Configure the IP Address in AP
APLWAPPTOIOS#debug capwap console cli (command to enter into config terminal)
APLWAPPTOIOS#config terminal
APLWAPPTOIOS(config)#Interface bvi1
APLWAPPTOIOS(config-if)#Ip address x.x.x.x x.x.x.x
APLWAPPTOIOS(config-if)#Ip add dhcp (to configure interface to obtain IP from DHCP)

Command to load Autonomous Image from TFTP
APLWAPPTOIOS#archive download-sw /force-reload /overwrite tftp://<tftp ip address>/<image name.tar>

Autonomous to Lightweight Conversion

Configure the IP Address in AP
APIOSTOLWAPP#config terminal
APIOSTOLWAPP(config)#Interface bvi1
APIOSTOLWAPP(config-if)#Ip address x.x.x.x x.x.x.x
APIOSTOLWAPP(config-if)#Ip add dhcp (to configure interface to obtain IP from DHCP)

Command to load Lightweight AP Image from TFTP
APIOSTOLWAPP#archive download-sw /force-reload /overwrite tftp://<tftp ip address>/<image name.tar>

Wednesday 21 November 2018

BPDU Guard and BPDU Filter


BPDU Guard
BPDU Guard is used to protect STP topology from BPDU attacks.

BPDU Guard must be enabled on a port that should never receive a BPDU from its connected device.

End devices like workstations, servers, printers etc. are not supposed to generate BPDUs, because BPDU messages are exchanged by network switches.

If someone plugs a switch/hub into a switchport, BPDUs will be exchanged, which can cause issues in our network.

When a BPDU Guard enabled port receives a BPDU from the connected device, BPDU Guard disables the port and the port state is changed to the err-disabled state.

Global Config
switch(config)#spanning-tree portfast edge bpduguard default
To remove, use the no form of the command
Interface Config
switch(config-if)#spanning-tree bpduguard enable
To disable, use disable at the end

BPDU Filter
BPDU filter is a feature used to filter sending or receiving BPDUs on a switchport.

When BPDU Filter is enabled globally and any BPDUs are received on a switchport, the PortFast feature is disabled and the port becomes a normal STP port.

When BPDU Filter is enabled at an Interface, BPDU Filter will not send out BPDUs and avoid the processing of received BPDUs. This will completely disable the Spanning Tree Protocol (STP) on that interface.

Global Config
switch(config)#spanning-tree portfast edge bpdufilter default
To remove, use the no form of the command
Interface Config
switch(config-if)#spanning-tree bpdufilter enable
To disable, use disable at the end
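
An added example (not from the original post): a small Python audit that flags access ports where BPDU Guard is not in effect or where an interface-level BPDU Filter has switched STP off. The running-config text is constructed for illustration, and the check assumes the global bpduguard default only covers PortFast-enabled ports.

```python
import re

# Constructed sample running-config (not from the original page).
SAMPLE_CONFIG = """\
spanning-tree portfast edge bpduguard default
!
interface GigabitEthernet0/1
 switchport mode access
 spanning-tree portfast edge
!
interface GigabitEthernet0/2
 switchport mode access
 spanning-tree portfast edge
 spanning-tree bpduguard disable
!
interface GigabitEthernet0/3
 switchport mode access
 spanning-tree bpdufilter enable
!
interface GigabitEthernet0/24
 switchport mode trunk
"""

def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from IOS-style config text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # back at global level
    return interfaces

def audit_bpdu(config):
    """Return (interface, finding) pairs for access ports with weak BPDU protection."""
    # Assumption: the global default only covers ports that have PortFast enabled.
    global_guard = bool(re.search(r"^spanning-tree portfast (edge )?bpduguard default", config, re.M))
    findings = []
    for name, cmds in parse_interfaces(config).items():
        if "switchport mode access" not in cmds:
            continue  # only access (edge) ports are in scope
        if "spanning-tree bpdufilter enable" in cmds:
            findings.append((name, "bpdufilter enabled: STP is off on this port"))
        portfast = any(c.startswith("spanning-tree portfast") and "disable" not in c for c in cmds)
        if "spanning-tree bpduguard enable" in cmds:
            continue
        if "spanning-tree bpduguard disable" in cmds:
            findings.append((name, "bpduguard explicitly disabled"))
        elif not (global_guard and portfast):
            findings.append((name, "bpduguard not in effect"))
    return findings
```

Calling audit_bpdu(SAMPLE_CONFIG) reports GigabitEthernet0/2 (guard disabled) and GigabitEthernet0/3 (filter enabled, no guard), and leaves the PortFast port covered by the global default alone.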

Tuesday 30 October 2018

AP Recovery from ROMMON Mode


Configure the IP Address in AP 
ap: set IP_ADDR 192.168.100.20

Configure the Mask in AP
ap: set NETMASK 255.255.255.0

Configure the Gateway in AP
ap: set DEFAULT_ROUTER 192.168.100.1

Prepare the Access Point for TFTP
ap: tftp_init
ap: ether_init
ap: flash_init

Enter the tar command to load and inflate the new image from your TFTP server
ap: tar -xtract tftp://192.168.100.10/FILE-NAME.tar flash:

Check the contents of flash
ap: dir flash:

Set the file-name/ios for boot
ap: set BOOT flash:/FILE-NAME.tar

Reload the AP
ap: boot

WLC Radius Server Fallback Modes


Active Mode
In active mode, when a server does not respond to the WLC authentication request, the WLC marks the server as dead and then moves the server to the non-active server pool and starts to send probe messages periodically until that server responds.

If the server responds, then the WLC moves the dead server to the active pool and stops sending probe messages.

In this mode, when an authentication request comes, the WLC always picks the lowest index (highest priority) server from the active pool of RADIUS servers.

The WLC sends a probe packet after timeout (the default is 300 seconds) in order to determine server status in case the server was unresponsive earlier.

Passive Mode
In passive mode, if a server does not respond to the WLC authentication request, the WLC moves the server to the inactive queue and sets a timer. 

When the timer expires, the WLC moves the server to active queue irrespective of the server's actual status. When an authentication request comes, the WLC picks the lowest index (highest priority) server from the active queue (which might include the non-active server).

If the server does not respond then the WLC marks it as inactive, sets the timer, and moves to the next highest priority server. This process continues until the WLC finds an active RADIUS server, or the active server pool is exhausted.

The WLC assumes the server is active after timeout (the default is 300 seconds) in case the server was unresponsive earlier. If it is still unresponsive, the WLC waits for another timeout and tries again when an authentication request comes in.

Off Mode
In off mode, the WLC supports failover only. In other words, fallback is disabled. When the primary RADIUS server goes down, the WLC will fail over to the next active backup RADIUS server. The WLC continues to use the secondary RADIUS server forever, even if the primary server is available.

Aggressive Failover
If the aggressive failover feature is enabled in the WLC, the WLC is too aggressive in marking the AAA server as "not responding". This should not be done, because the AAA server may be unresponsive only to that particular client, for example if it silently discards that client's requests. It may still be responding to other valid clients with valid certificates, yet the WLC can still mark the AAA server as "not responding" and "not functional".

In order to overcome this, disable the aggressive failover feature. Enter the "config radius aggressive-failover disable" command from the controller in order to perform this.

If this is disabled, then the controller only fails over to the next AAA server if there are three consecutive clients that fail to receive a response from the RADIUS server.

WLC Commands to enable Fallback Radius
The first step is to select the mode of RADIUS server fallback. As mentioned earlier, the WLC supports active and passive modes of fallback.

In order to select the mode of fallback, enter this command:
WLC1 > config radius fallback-test mode {active/passive/off}
  • active - Sends probes to dead servers to test the status.
  • passive - Sets server status based on the last transaction.
  • off - Disables the server fallback test (default).

The next step is to select the interval which specifies the probe interval for active mode or the inactive time for the passive modes of operation.

In order to set the interval, enter this command:
WLC1 > config radius fallback-test interval {180 - 3600}
<180 to 3600> - Enter the probe interval or inactive time in seconds (the default is 300 seconds).

The interval specifies the probe interval in the case of active mode fallback or inactive time in the case of passive mode fallback.

For the active mode of operation, you need to configure a username which will be used in the probe request sent to the RADIUS server.

In order to configure the username, enter this command:
WLC1 > config radius fallback-test username {username}
<username> - Enter a name up to 16 alphanumeric characters (the default is cisco-probe)
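
An added example (not Cisco code and not from the original post): a toy Python model of the active, passive and off fallback modes described above, replayed against a constructed outage so the difference in server selection is visible. Assumptions: probes and timers are evaluated when the next authentication request arrives, a single unanswered request marks a server dead, and the server names and timings are made up.

```python
class RadiusPool:
    """Toy model of the fallback modes described above (not WLC code)."""

    def __init__(self, servers, mode, interval=300):
        self.servers = servers      # list order = index, lowest (highest priority) first
        self.mode = mode            # "active", "passive" or "off"
        self.interval = interval    # probe interval / inactive time in seconds
        self.dead_since = {}        # server -> time it was last marked dead

    def _refresh(self, now, is_up):
        for server, since in list(self.dead_since.items()):
            if self.mode == "off" or now - since < self.interval:
                continue                             # off: no fallback at all
            if self.mode == "passive" or is_up(server):
                del self.dead_since[server]          # passive revives unconditionally
            else:
                self.dead_since[server] = now        # active probe failed, keep probing

    def authenticate(self, now, is_up):
        """Return (server that answered or None, servers tried in order)."""
        self._refresh(now, is_up)
        tried = []
        for server in self.servers:
            if server in self.dead_since:
                continue
            tried.append(server)
            if is_up(server):
                return server, tried
            self.dead_since[server] = now            # no response: mark dead
        return None, tried

def replay(mode):
    """Constructed outage: 'primary' is down until t=600 s, 'secondary' stays up."""
    pool = RadiusPool(["primary", "secondary"], mode)
    tried_log = []
    for now in (0, 100, 350, 700):
        is_up = lambda s, now=now: s == "secondary" or now >= 600
        tried_log.append(pool.authenticate(now, is_up)[1])
    return tried_log
```

At t=350 only passive mode sends a client request to the still-dead primary; at t=700 active and passive have both fallen back to the primary, while off mode stays on the secondary.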

    Thursday 25 October 2018

    WLC Auto Anchoring


    Auto Anchoring is used when you are anchoring a WLAN to a particular controller in the mobility domain.

    The most common use of Auto Anchor is a wireless guest service, where all guest traffic is tunnelled back to a DMZ controller irrespective of where the clients associate to the network.


    For this, we configure each WLC's IP address and MAC address in the other's mobility group.

    WLC GUI
    Controller-> Mobility Groups


    We need to make sure that both WLCs have been added and that the control and data paths are up.


    WLC - IP Address
    WLC - Mobility Group Name
    WLC - MAC Address


    These must be added for the data and control paths to come UP.
    Once we are done with this, we need to map the anchor in the WLAN.

    Go to the drop-down menu at the end of the WLAN entry and select Mobility Anchors.


    Configure the same on the anchor WLC (the anchor WLC is itself an anchor, so we need to select local on the anchor WLC).


    After all these settings, when clients connect to the SSID to which an anchor is mapped, the actual client details are seen on the anchor controller.

    Always remember that Layer 2 security is handled by the Foreign WLC and Layer 3 security is handled by the Anchor WLC.

    In Auto Anchor mobility, the client's point of attachment is known as Export Foreign and the client's point of presence is known as Export Anchor.

    Roaming in WLC



    There are 3 types of Roaming

    1. Intra Controller
    2. Inter Controller
    3. Inter Controller - L3

    Intra Controller

    In intra-controller roaming, the client moves from one AP to a different AP and both APs are connected to a single WLC, so only the client state and security context are updated in the WLC.

    Inter Controller

    In inter-controller roaming, the client moves from one AP to a different AP and the other AP is connected to a different WLC, so the client state and security context are moved to that WLC.

    Inter Controller - L3

    In inter-controller L3 roaming, the client moves from one AP to a different AP and the other AP is connected to a different WLC that uses a different VLAN for the WLAN the client is connecting to, so the client state and security context are copied to that WLC.

    In this scenario, the original WLC marks the client entry as Anchor and the new WLC marks the client entry as Foreign.

    The two WLCs are now referred to as the Anchor WLC and the Foreign WLC respectively. The client keeps its IP address unchanged, and that is the real advantage.


    Tuesday 23 October 2018

    DHCP Snooping and IP ARP Inspection




    DHCP snooping is a DHCP security feature to prevent unauthorized (rogue) DHCP servers offering IP addresses to DHCP clients.

    It provides network security by filtering untrusted DHCP messages and by building and maintaining a DHCP snooping binding database, also referred to as a DHCP snooping binding table.

    DHCP snooping works along with IP ARP inspection (Dynamic ARP Inspection, DAI), a security feature that protects ARP (Address Resolution Protocol), which is vulnerable to attacks such as ARP poisoning.

    DAI checks all ARP packets on untrusted interfaces. It compares the information in the ARP packet with the DHCP snooping database and/or an ARP access-list. If the information in the ARP packet doesn’t match the database/snooping table or the access-list, the packet is dropped.

    We first need to enable DHCP snooping, both globally and for the VLAN
    Switch(config)#ip dhcp snooping
    Switch(config)#ip dhcp snooping vlan 20

    Trust the interface pointing towards the DHCP server so that DHCP messages to and from the DHCP server are accepted
    Switch(config)#interface fastethernet0/1
    Switch(config-if)#ip dhcp snooping trust
    Switch#show ip dhcp snooping
    Switch DHCP snooping is enabled
    DHCP snooping is configured on following VLANs:
    20
    DHCP snooping is operational on following VLANs:
    20
    DHCP snooping is configured on the following L3 Interfaces:
    Insertion of option 82 is enabled
       circuit-id format: vlan-mod-port
       remote-id format: MAC
    Option 82 on untrusted port is not allowed
    Verification of hwaddr field is enabled
    Verification of giaddr field is enabled
    DHCP snooping trust/rate is configured on the following Interfaces:
    Interface               Trusted Allow option  Rate limit (pps)
    --------------------   ---------- -----------------  ---------------------
    Fastethernet0/1     yes            yes               unlimited
     Custom circuit-ids:

    Option 82
    By default, the switch adds option 82 to the DHCP request packet before forwarding it to the DHCP server. Adding the information option is actually supposed to be done by a DHCP relay device, which also sets the giaddr field to a non-zero value. The DHCP server assigns IP addresses based on the option 82 parameters and forwards packets to the IP address given in the giaddr field. But when the switch forwards a DHCP packet with option 82 information, it does not change the giaddr field to a non-zero value; it remains 0.0.0.0.
    The DHCP server expects a packet carrying the option field to have a non-zero giaddr field, observes that it is zero, and hence rejects the packet.
    To avoid this, configure "no ip dhcp snooping information option" on the switch, so that the switch does not add the option field to the DHCP packet.

    Let's check our table!
    Switch#show ip dhcp snooping binding 
    MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
    ------------------  ---------------  ----------  -------------  ----  --------------------
    00:11:22:33:44:55   192.168.0.1      65330       dhcp-snooping   20   FastEthernet0/3
    Total number of bindings: 1
    As you can see above, we have 1 DHCP client in the DHCP snooping binding database.

    Now let's configure IP ARP inspection
    Switch(config)#ip arp inspection vlan 20
    Switch(config)#interface fastethernet0/1
    Switch(config-if)#ip arp inspection trust
    Switch#show ip arp inspection
    Source Mac Validation      : Disabled
    Destination Mac Validation : Disabled
    IP Address Validation      : Disabled
    Vlan     Configuration    Operation   ACL Match          Static ACL
     ----     -------------    ---------   ---------          ----------
       20     Enabled          Active
    Vlan     ACL Logging      DHCP Logging      Probe Logging
     ----     -----------      ------------      -------------
       20     Deny             Deny              Off
    Vlan      Forwarded        Dropped     DHCP Drops      ACL Drops
     ----      ---------        -------     ----------      ---------
       20              0              0              0              0
    Vlan   DHCP Permits    ACL Permits  Probe Permits   Source MAC Failures
     ----   ------------    -----------  -------------   -------------------
       20              0              0              0                     0
    Vlan   Dest MAC Failures   IP Validation Failures   Invalid Protocol Data
     ----   -----------------   ----------------------   ---------------------
       20                   0                        0                       0
    Source MAC, destination MAC, and IP address validation are shown as disabled.
    You can optionally enable them for more thorough security with the “ip arp inspection validate” command.

    The options are described below:
    dst-mac (Optional): Enables validation of the destination MAC address in the Ethernet header against the target MAC address in the ARP body for ARP responses. The device classifies packets with different MAC addresses as invalid and drops them.
    ip (Optional): Enables validation of the ARP body for invalid and unexpected IP addresses. Addresses include 0.0.0.0, 255.255.255.255, and all IP multicast addresses. The device checks the sender IP addresses in all ARP requests and responses and checks the target IP addresses only in ARP responses.
    src-mac (Optional): Enables validation of the source MAC address in the Ethernet header against the sender MAC address in the ARP body for ARP requests and responses. The device classifies packets with different MAC addresses as invalid and drops them.

    Let's look at how ARP inspection can allow static clients to reach the destination.
    As an example, if an attacker/rogue device configured with a static IP tries to ping the DHCP server, it will fail, because there is no entry for it in the DHCP snooping binding table and no ACL is configured to accept packets from this device.
    To allow traffic from an untrusted port, either the "ip arp inspection trust" command is required or an ACL must be configured.
    An ACL can be configured to accept the packets when the port is untrusted and a static IP is assigned to the device; in our case it is the static client that wants to connect to the network, and for this we can configure the access list.

    Below is the command to configure the access list
    Switch(config)#arp access-list acl-name
    Switch(config-arp-acl)#permit ip host IP_ADDRESS mac host MAC_ADDRESS

    Applying the access list
    Switch(config)#ip arp inspection filter acl-name vlan 20
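
An added example (not from the original post and not switch code): a Python sketch of the per-packet decision DAI makes as described above, covering the trusted port, the optional validate checks, the ARP ACL and the DHCP snooping binding table. The binding and trusted port mirror the page's output; the static client's address and MAC, the other MAC addresses and the packet field names are constructed for illustration.

```python
from ipaddress import ip_address

# Constructed tables mirroring the page's example (VLAN 20, trusted Fa0/1).
TRUSTED = {"FastEthernet0/1"}
BINDINGS = {("00:11:22:33:44:55", "192.168.0.1", 20, "FastEthernet0/3")}
ARP_ACL = {("192.168.0.50", "00:aa:bb:cc:dd:ee")}  # static client, hypothetical values

def arp(ifname, sender_mac, sender_ip, eth_src=None, op="request"):
    """Build a constructed ARP packet record for the checks below."""
    return {"ifname": ifname, "vlan": 20, "op": op, "eth_src": eth_src or sender_mac,
            "eth_dst": "ff:ff:ff:ff:ff:ff", "sender_mac": sender_mac,
            "sender_ip": sender_ip, "target_mac": "00:00:00:00:00:00",
            "target_ip": "192.168.0.254"}

def dai_verdict(pkt, validate=()):
    """Return ('forward' | 'drop', reason) for one ARP packet on a DAI-enabled VLAN."""
    if pkt["ifname"] in TRUSTED:
        return "forward", "trusted interface"
    if "src-mac" in validate and pkt["eth_src"] != pkt["sender_mac"]:
        return "drop", "source MAC failure"
    if "dst-mac" in validate and pkt["op"] == "reply" and pkt["eth_dst"] != pkt["target_mac"]:
        return "drop", "dest MAC failure"
    if "ip" in validate:
        # Sender IP is checked in every packet, target IP only in responses.
        ips = [pkt["sender_ip"]] + ([pkt["target_ip"]] if pkt["op"] == "reply" else [])
        for ip in map(ip_address, ips):
            if ip.is_unspecified or ip.is_multicast or str(ip) == "255.255.255.255":
                return "drop", "IP validation failure"
    if (pkt["sender_ip"], pkt["sender_mac"]) in ARP_ACL:
        return "forward", "ARP ACL permit"
    if (pkt["sender_mac"], pkt["sender_ip"], pkt["vlan"], pkt["ifname"]) in BINDINGS:
        return "forward", "DHCP snooping binding"
    return "drop", "no ACL or binding match"
```

A device on an untrusted port that claims 192.168.0.1 with a MAC that is not in the binding table is dropped, while the static client is forwarded only because of its ARP ACL entry.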

    That's it for DHCP Snooping and IP ARP Inspection!

    What are Sticky Clients ?

    What are Sticky Clients ? CREDIT : http://wifinigel.blogspot.com/2015/03/what-are-sticky-clients.html One term you'll often hear banded ...