Hi Raul,
Regarding CPU ACLs and LWAPP. Per my findings we have to create the following ACLs for LWAPP:

1. Permit LWAPP control from APs to the Management interface (used for controller discovery).
2. Permit LWAPP control from APs to the AP-manager interface (used for all other tasks like AP join, AP CFG and so on).

That's it. We don't have to create any LWAPP data ACLs since that traffic doesn't hit the CPU.

Also I've found out that with the "permit something, deny all other" approach we have to remember all the stuff we don't care about in our daily life, like Mobility, RADIUS, TACACS, DHCP, DNS, EoIP, NTP and so on. I think if during the real lab we were asked something like "allow WLC management from subnets A and B only", we'd better use the "permit mgmt from A and B, deny mgmt from others, permit any" approach. Otherwise we will definitely face a lot of issues related to client association, mobility, DHCP, DNS and other stuff. You really don't have time during the lab exam to sort things out, do you?

From: [email protected] [mailto:[email protected]] On Behalf Of Raul Manzano
Sent: Tuesday, June 14, 2011 10:05 PM
To: [email protected]
Subject: [OSL | CCIE_Wireless] Lab 5 or how to die trying.

Hi Guys.

I just finished lab 5. It is the hardest I have done and I need more speed and clearly more knowledge, but, surprise, I really did not have too many errors. I want to share the doubts or possible mistakes I think I found in this lab.

5.1: CPU ACL. In my lab, if I don't create an ACL permitting the LWAPP control traffic from the AP subnet to the AP-manager, the AP cannot register in the WLC.
The DSG talks about creating this ACL but permitting LWAPP data traffic for this interface and LWAPP control for the management interface; even more, if I delete the LWAPP control rule for the management interface the AP still associates to the WLC:

(WLC1) >show acl detailed MANAGEMENT

       Source                          Destination                          Source Port  Dest Port
I  Dir IP Address/Netmask              IP Address/Netmask              Prot Range        Range        DSCP Action Counter
-- --- ------------------------------- ------------------------------- ---- ----------- ----------- ---- ------ -----------
 1 Any 10.10.112.10/255.255.255.255    10.10.111.10/255.255.255.255    17   16666-16666 16666-16666 Any  Permit 3274
 2 Any 10.10.120.140/255.255.255.255   10.10.111.10/255.255.255.255    17   16666-16666 16666-16666 Any  Permit 3151
 3 In  10.10.113.0/255.255.255.0       10.10.111.10/255.255.255.255    17   0-65535     12223-12223 Any  Permit 0
 4 In  10.10.113.0/255.255.255.0       10.10.111.11/255.255.255.255    17   0-65535     12222-12222 Any  Permit 0
 5 In  10.10.114.0/255.255.255.0       10.10.111.10/255.255.255.255    17   0-65535     12223-12223 Any  Permit 1
 6 In  10.10.114.0/255.255.255.0       10.10.111.11/255.255.255.255    17   0-65535     12222-12222 Any  Permit 0
 7 In  10.10.210.0/255.255.255.0       10.10.111.10/255.255.255.255    6    0-65535     443-443     Any  Permit 28510
 8 In  192.168.10.0/255.255.255.0      10.10.111.10/255.255.255.255    6    0-65535     443-443     Any  Permit 0
 9 In  10.10.210.0/255.255.255.0       10.10.111.10/255.255.255.255    6    0-65535     22-22       Any  Permit 1225
10 In  192.168.10.0/255.255.255.0      10.10.111.10/255.255.255.255    6    0-65535     22-22       Any  Permit 0
11 Any 10.10.210.6/255.255.255.255     10.10.111.10/255.255.255.255    17   49-49       0-65535     Any  Permit 0
12 Any 10.10.210.6/255.255.255.255     10.10.111.10/255.255.255.255    17   1812-1812   0-65535     Any  Permit 183
13 Any 10.10.210.6/255.255.255.255     10.10.111.10/255.255.255.255    17   123-123     0-65535     Any  Permit 12
14 Any 10.10.120.140/255.255.255.255   10.10.111.10/255.255.255.255    97   0-65535     0-65535     Any  Permit 0
15 Any 10.10.112.10/255.255.255.255    10.10.111.10/255.255.255.255    97   0-65535     0-65535     Any  Permit 0
16 In  0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0                 17   68-68       67-67       Any  Permit 74
17 In  10.10.210.6/255.255.255.255     0.0.0.0/0.0.0.0                 17   53-53       0-65535     Any  Permit 0
18 Any 10.10.111.10/255.255.255.255    10.10.111.10/255.255.255.255    Any  0-65535     0-65535     Any  Permit 0
19 In  10.10.210.5/255.255.255.255     10.10.111.10/255.255.255.255    17   0-65535     0-65535     Any  Permit 0
20 In  10.10.113.0/255.255.255.255     10.10.111.12/255.255.255.255    17   0-65535     12222-12222 Any  Permit 0
21 In  10.10.114.0/255.255.255.0       10.10.111.12/255.255.255.255    17   0-65535     12222-12222 Any  Permit 0
22 In  10.10.114.0/255.255.255.0       10.10.111.11/255.255.255.255    17   0-65535     12223-12223 Any  Permit 49
23 In  10.10.114.0/255.255.255.0       10.10.111.12/255.255.255.255    17   0-65535     12223-12223 Any  Permit 10977

DenyCounter : 189

In the same way, the WLC does not sync with the NTP server if I use the ACL proposed by the DSG; I need to add src/ntp/port 123 dst/wlc/port any, as you can see above in ACL entry 13. Thoughts??

5.2: I don't know if it is a lab requirement, but there is a really strange issue with interface vlan 11 on WLC1: the configuration file creates an interface on WLC1 with no mapping to any port, so although you configure everything correctly you don't receive any traffic; simply mapping this interface to port 1 or 2 makes it start working. Because it is not explicitly explained in the DSG (there is a screenshot of how to create the VLAN 11 interface on WLC1), I don't know if it is a predefined issue.

5.6: TSPEC is only supported for the Platinum profile??? I suppose so, and that is why the Sec1 SSID uses this profile instead of Gold, as the DSG tells us. In this way I don't understand why the Platinum profile is used on SSID Guest2 on WLC1 when the profile should be Gold (as I understand the DSG indicates in the requirements of the exercise; in fact, the rest of the WLCs configured with this SSID are using the Gold profile). Could it be a mistake???

Cheers!!!

Raul.
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
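The CPU ACL behaviour the reply above relies on (rules checked top-down, first match wins, implicit deny at the end), as an added Python model that is not part of the list thread and not Cisco's code: it runs the same constructed packets through a "permit what you know, deny the rest" ACL and through the "permit mgmt from A and B, deny mgmt from others, permit any" ACL, so you can see which one silently drops NTP and DHCP. Addresses are taken from the show acl output quoted in the thread; the packets, the helper names (Packet, Rule, evaluate, verdicts) and the decision to ignore direction, DSCP and the second AP-manager are assumptions of this example.

```python
"""First-match evaluation of a WLC-style CPU ACL (added illustration).

Modelled facts: WLC ACL entries are evaluated top-down, the first matching
entry decides, and anything unmatched hits the implicit deny at the end.
LWAPP control is UDP 12223 (LWAPP data, UDP 12222, never reaches the CPU
and is left out), NTP is UDP 123, DHCP is UDP 68 -> 67.
Simplifications (assumptions): direction and DSCP are ignored and only one
AP-manager (10.10.111.11) is modelled.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY_PORT = (0, 65535)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "udp" or "tcp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    proto: str    # "udp", "tcp" or "any"
    sport: tuple  # inclusive (low, high)
    dport: tuple  # inclusive (low, high)
    action: str   # "permit" or "deny"

    def matches(self, p: Packet) -> bool:
        def in_net(addr: str, net: str) -> bool:
            return net == "any" or ip_address(addr) in ip_network(net, strict=False)
        return (in_net(p.src, self.src) and in_net(p.dst, self.dst)
                and self.proto in ("any", p.proto)
                and self.sport[0] <= p.sport <= self.sport[1]
                and self.dport[0] <= p.dport <= self.dport[1])


def evaluate(acl, p: Packet) -> str:
    """Return 'permit' or 'deny' for p: first matching rule wins."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"  # implicit deny at the end of every WLC ACL


# Addresses from the show acl output in the thread.
MGMT = "10.10.111.10/32"
AP_MGR = "10.10.111.11/32"
AP_SUBNETS = ["10.10.113.0/24", "10.10.114.0/24"]
ADMIN_SUBNETS = ["10.10.210.0/24", "192.168.10.0/24"]   # "subnets A and B"
LWAPP_CTRL = (12223, 12223)


def _mgmt_rules(action: str):
    """One entry per admin subnet and management protocol (HTTPS 443, SSH 22)."""
    return [Rule(net, MGMT, "tcp", ANY_PORT, (port, port), action)
            for net in ADMIN_SUBNETS for port in (443, 22)]


# "permit what you know, deny the rest": LWAPP control plus admin access,
# then the implicit deny swallows everything that was forgotten.
STRICT_ACL = (
    [Rule(net, MGMT, "udp", ANY_PORT, LWAPP_CTRL, "permit") for net in AP_SUBNETS]
    + [Rule(net, AP_MGR, "udp", ANY_PORT, LWAPP_CTRL, "permit") for net in AP_SUBNETS]
    + _mgmt_rules("permit")
)

# "permit mgmt from A and B, deny mgmt from others, permit any".
PERMISSIVE_ACL = (
    _mgmt_rules("permit")
    + [Rule("any", MGMT, "tcp", ANY_PORT, (port, port), "deny") for port in (443, 22)]
    + [Rule("any", "any", "any", ANY_PORT, ANY_PORT, "permit")]
)

# Constructed sample traffic, not captured packets.
SAMPLES = {
    "lwapp_discovery": Packet("10.10.114.20", "10.10.111.10", "udp", 12223, 12223),
    "lwapp_join":      Packet("10.10.114.20", "10.10.111.11", "udp", 12223, 12223),
    "ntp_reply":       Packet("10.10.210.6", "10.10.111.10", "udp", 123, 123),
    "dhcp_discover":   Packet("0.0.0.0", "255.255.255.255", "udp", 68, 67),
    "ssh_from_admin":  Packet("10.10.210.55", "10.10.111.10", "tcp", 50000, 22),
    "ssh_from_client": Packet("10.10.120.77", "10.10.111.10", "tcp", 50001, 22),
}


def verdicts(acl) -> dict:
    """Map each sample packet name to its permit/deny verdict under acl."""
    return {name: evaluate(acl, p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for label, acl in (("strict", STRICT_ACL), ("permissive", PERMISSIVE_ACL)):
        print(label, verdicts(acl))
```

Both ACLs keep SSH from the unlisted client subnet away from the management address, which is all the task asked for; only the strict one also drops the NTP reply and the DHCP exchange, which is the "forgot NTP and DHCP" failure the reply warns about.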
