AP Recovery from ROMMON Mode

Configure the IP Address in AP 

ap: set IP_ADDR 192.168.100.20

Configure the Mask in AP

ap: set NETMASK 255.255.255.0

Configure the Gateway in AP

ap: set DEFAULT_ROUTER 192.168.100.1

Prepare the Access Point for TFTP

ap: tftp_init

ap: ether_init

ap: flash_init

Enter the tar command to load and inflate the new image from your TFTP server

ap: tar -xtract tftp://192.168.100.10/FILE-NAME.tar flash:

Check the dir flash

ap:dir flash:

Set the file-name/ios for boot

ap:set BOOT flash:/FILE-NAME.tar

Reload the AP

ap:boot

WLC Radius Server Fallback Modes

Active Mode

In active mode, when a server does not respond to the WLC authentication request, the WLC marks the server as dead and then moves the server to the non-active server pool and starts to send probe messages periodically until that server responds.

If the server responds, then the WLC moves the dead server to the active pool and stops sending probe messages.

In this mode, when an authentication request comes, the WLC always picks the lowest index (highest priority) server from the active pool of RADIUS servers.

The WLC sends a probe packet after timeout (the default is 300 seconds) in order to determine server status in case the server was unresponsive earlier.

Passive Mode

In passive mode, if a server does not respond to the WLC authentication request, the WLC moves the server to the inactive queue and sets a timer. 

When the timer expires, the WLC moves the server to active queue irrespective of the server's actual status. When an authentication request comes, the WLC picks the lowest index (highest priority) server from the active queue (which might include the non-active server).

If the server does not respond then the WLC marks it as inactive, sets the timer, and moves to the next highest priority server. This process continues until the WLC finds an active RADIUS server, or the active server pool is exhausted.

The WLC assumes the server is active after timeout (the default is 300 seconds) in case the server was unresponsive earlier. If it is still unresponsive, the WLC waits for another timeout and tries again when an authentication request comes in.

Off Mode

In off mode, the WLC supports failover only. In other words, fallback is disabled. When the primary RADIUS server goes down, the WLC will failover to the next active backup RADIUS server. The WLC continues to use the secondary RADIUS server forever, even if the primary server is available.

Aggressive Failover

If the aggressive failover feature is enabled in the WLC, the WLC is too aggressive to mark the AAA server as "not responding". However this should not be done because the AAA server is possibly not responsive only to that particular client, if you do silent discard. It can be a response to other valid clients with valid certificates. The WLC can still mark the AAA server as "not responding" and "not functional".

In order to overcome this, disable the aggressive failover feature. Enter the "config radius aggressive-failover disable" command from the controller in order to perform this. 

If this is disabled, then the controller only fails over to the next AAA server if there are three consecutive clients that fail to receive a response from the RADIUS server.

WLC Commands to enable Fallback Radius

The first step is to select the mode of RADIUS server fallback. As mentioned earlier, the WLC supports active and passive modes of fallback.

In order to select the mode of fallback, enter this command:

WLC1 > config radius fallback-test mode {active/passive/off}

• active - Sends probes to dead servers to test the status.
• passive - Sets server status based on the last transaction.
• off - Disables the server fallback test (default).

The next step is to select the interval which specifies the probe interval for active mode or the inactive time for the passive modes of operation.

In order to set the interval, enter this command:

WLC1 > config radius fallback-test mode interval {180 - 3600}

<180 to 3600> - Enter the probe interval or inactive time in seconds (the default is 300 seconds).

The interval specifies the probe interval in the case of active mode fallback or inactive time in the case of passive mode fallback.

For the active mode of operation, you need to configure a username which will be used in the probe request sent to the RADIUS server.

In order to configure the username, enter this command:

WLC1 >config radius fallback-test username {username}

<username> - Enter a name up to 16 alphanumeric characters (the default  is cisco-probe)

WLC Auto Anchoring

Auto Anchoring is used when you are anchoring a WLAN to a particular controller in the mobility domain.

Most common use of Auto Anchor is Wireless Guest service where all guest traffic tunnel back to DMZ controller irrespective of where they associate to network.

In this we configure the WLC IP Address and MAC Address in each other’s mobility groups.

WLC GUI

Controller-> Mobility Groups

we need to make sure that both wlc has been added and control and data path is up.

WLC - IP Address
WLC - Mobility Group Name
WLC - MAC Address

Must be added for data and control path to go UP.
Once we are done with this, we now need to map the anchor in WLAN.

Go at the end of WLAN drop down menu select Mobility Anchors

Configure the same in anchor WLC (Anchor WLC itself is a Anchor so we need to select local in Anchor WLC)

After all these settings when clients connect to the SSID where an anchor is mapped, actual client details is seen in anchor controller.

Always remember Layer 2 security is handled by Foreign WLC and Layer 3 security is handled by Anchor WLC.

In an Auto Anchor mobility, Client point of attachment is known as Export Foreign and Client Point of presence is known as Export Anchor.

Roaming in WLC

There are 3 types of Roaming

1. Intra Controller
2. Inter Controller
3. Inter Controller - L3

Intra Controller

In intra controller roaming, when client goes from one AP to different AP and both AP is connected in single WLC then only client state & security context will be updated in WLC.

Inter Controller

In inter controller roaming, when client goes from one AP to different AP and other AP is connected in different WLC then client state & security context will be moved in WLC.

Inter Controller - L3

In inter controller - L3 roaming, when client goes from one AP to different AP and other AP is connected in different WLC with different VLAN for WLAN in which the client is connecting then client state & security context will be copied in WLC.

In this scenario, original WLC marks the client entry as Anchor and new WLC marks the client entry as Foreign.

The two WLC is now referred to Anchor WLC and Foreign WLC respectively, client will keep the IP address unchanged and that is the real advantage.

DHCP Snooping and IP ARP Inspection

DHCP snooping is a DHCP security feature to prevent unauthorized (rogue) DHCP servers offering IP addresses to DHCP clients.

It provides network security by filtering untrusted DHCP messages and by building and maintaining a DHCP snooping binding database, also referred to as a DHCP snooping binding table.

DHCP Snooping works along with IP ARP inspection, it is a security feature that protects ARP (Address Resolution Protocol) which is vulnerable to an attack like ARP poisoning.

DAI checks all ARP packets on untrusted interfaces, it will compare the information in the ARP packet with the DHCP snooping database and/or an ARP access-list. If the information in the ARP packet doesn’t match with database/snooping table or with access-list, it will be dropped.

We first need to enable DHCP snooping, both globally and for VLAN

Switch(config)#ip dhcp snooping

Switch(config)#ip dhcp snooping vlan 20

Trust the interface pointing towards DHCP Server to accept DHCP messages from and to DHCP Server

Switch(config)#interface fastethernet0/1

Switch(config)#ip dhcp snooping trust 

Switch#show ip dhcp snooping

Switch DHCP snooping is enabled

DHCP snooping is configured on following VLANs:

20

DHCP snooping is operational on following VLANs:

20

DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled

   circuit-id format: vlan-mod-port

   remote-id format: MAC

Option 82 on untrusted port is not allowed

Verification of hwaddr field is enabled

Verification of giaddr field is enabled

DHCP snooping trust/rate is configured on the following Interfaces:

Interface               Trusted Allow option  Rate limit (pps)

--------------------   ---------- -----------------  ---------------------

Fastethernet0/1     yes            yes               unlimited

 Custom circuit-ids:

Option 82 

By default, switch adds option 82 into dhcp request packet before forwarding to DHCP server. Actually, information option addition task is supposed to be done by DHCP realy device with giaddr field to non-zero vlaue. DHCP server assigns ip addresses based on option 82 parameters and forwards packets to ip address mentioned in giaddr field. But when switch forwards dhcp packet with option 82 information, it does not change giaddr field to non-zero value, it remians to 0.0.0.0 only.

DHCP server expects a packet with option field should have giaddr field to some non-zero value but observs that its zero hence rejects them

To avoid this configure "no ip dhcp snooping information option" in switch, so that switch does not add option field in dhcp packet

Lets check our table !

Switch#show ip dhcp snooping binding 

MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface

------------------  ---------------  ----------  -------------  ----  --------------------

00:11:22:33:44:55   192.168.0.1      65330       dhcp-snooping   20   FastEthernet0/3

Total number of bindings: 1

As you can see above, we have 1 dhcp client available in dhcp binding database.

Now lets configure ip arp inspection

Switch(config)#ip arp inspection vlan 20

Switch(config)#interface fastethernet0/1

Switch(config)#ip arp inspection trust

Switch#show ip arp inspection

Source Mac Validation      : Disabled

Destination Mac Validation : Disabled

IP Address Validation      : Disabled

Vlan     Configuration    Operation   ACL Match          Static ACL

 ----     -------------    ---------   ---------          ----------

   20     Enabled          Active

Vlan     ACL Logging      DHCP Logging      Probe Logging

 ----     -----------      ------------      -------------

   20     Deny             Deny              Off

Vlan      Forwarded        Dropped     DHCP Drops      ACL Drops

 ----      ---------        -------     ----------      ---------

   20              0              0              0              0

Vlan   DHCP Permits    ACL Permits  Probe Permits   Source MAC Failures

 ----   ------------    -----------  -------------   -------------------

   20              0              0              0                     0

Vlan   Dest MAC Failures   IP Validation Failures   Invalid Protocol Data

 ----   -----------------   ----------------------   ---------------------

   20                   0                        0                       0

Source MAC, destination MAC, and IP address validation are showing as disabled.

you can enable optionally (optional) to have thorough security with “ip arp inspection validate” command.

Below is the details to use the option

dst-mac(Optional) : Enables validation of the destination MAC address in the Ethernet header against the target MAC address in the ARP body for 

ARP responses. The device classifies packets with different MAC addresses as invalid and drops them.

ip(Optional) : Enables validation of the ARP body for invalid and unexpected IP addresses. Addresses include 0.0.0.0, 255.255.255.255, and all IP multicast addresses. The device checks the sender IP addresses in all ARP requests and responses and checks the target IP addresses only in ARP responses.

src-mac (Optional)  : Enables validation of the source MAC address in the Ethernet header against the sender MAC address in the ARP body for ARP requests and responses. The devices classifies packets with different MAC addresses as invalid and drops them.

Lets look at the ARP Inspection to allow static clients to reach the destination

As an example now if Attacker/Rogue Device with static IP configured with it, tries to ping DHCP Server, it will fail reason being is, there is no entry found in the dhcp snooping binding table, also there is no ACL configured to accept the packet from this device.

To allow untrust to trust either "ip arp inspection trust" command is required or ACL must be configured.

ACL can be configured to accept the packet if the port is untrust and static IP is assigned to the device, in our case it is the Static client who wants to connect to the network and for this we can configure the access-list.

Below is the command to configure access-list

Switch(config)#arp access list acl-name

Switch(config-arp-acl)#permit ip host IP_ADDRESS mac host MAC_ADDRESS 

Applying access list

Switch(config)#ip arp inspection filter acl-name vlan 20

That's it for DHCP Snooping and IP ARP Inspection !

WLC useful commands

To configure IP Address in AP

config ap static-ip enable AP-NAME IP-ADDRESS MASK GATEWAY

To configure AP Credentials for Telnet/SSH

config ap telnet enable AP-NAME

config ap ssh enable AP-NAME

config ap mgmtuser add username USERNAME password PASSWORD enablesecret ENABLE-PASSWORD AP-NAME

config ap mgmtuser add username USERNAME password PASSWORD enablesecret ENABLE-PASSWORD all 

To change AP mode

config ap mode MODE AP-NAME

To configure ap group name in AP

config ap group-name GROUP-NAME AP-NAME

To configure flexconnect native vlan in AP

config ap flexconnect vlan native VLAN-ID AP-NAME

To check vlan id of interface

show interface summary

To check wlan id of interface

show wlan summary

To map vlan id to wlan in flexconnect AP

config ap flexconnect vlan wlan WLAN-ID VLAN-ID AP-NAME

To configure wlan and mapping wlan interface in ap group

config wlan apgroup interface-mapping add GROUP-NAME WLAN-ID INTERFACE-NAME

To downgrade AP to autonomous from WLC

config ap tftp-downgrade TFTP-IP-ADDRESS FILENAME AP-NAME

To check cdp neighbour of AP

show ap cdp neighbors detail AP-NAME

To disable wireless clients from connecting network (Adding clients in exclusion list)

config exclusionlist add MAC-ADDRESS DESCRIPTION

To configure AP Group in access point from WLC CLI

config ap group-name AP-GROUP-NAME AP-NAME

To configure AP High Availability from WLC CLI

config ap primary-base WLC-NAME AP-NAME WLC-IP-ADDRESS

To enable LED of AP

config ap led-state enable AP_NAME

To disable LED of AP

config ap led-state disable AP_NAME

To reload AP

config ap reset AP-NAME

To configure ip address in interface

config interface address management IP-ADDRESS SUBNET_MASK GATEWAY

To configure vlan in interface

config interface vlan management VLAN-ID

To apply filter in WLC for quick findings

grep include “pattern” “commands”

Examples..

grep include "AP Serial Number" "show ap config general AP-NAME"

grep include "MAC Address" "show ap config general AP-NAME”

grep include "IP Address" "show ap config general AP-NAME"

Upgrading IOS in L2 switches

Copy the new IOS image to switch

copy tftp: flash:

verify the image

verify /md5 flash:IOS-NAME

Configure the boot path to new IOS

boot system switch all flash:/PATH

Verify the path

sh boot

Save the config

write

Now you are all set to reboot the device !