5.1 - The ACL in the DSG does allow UDP/123 for NTP. LWAPP Data is not necessary on a CPU ACL. And you are correct on LWAPP Control to the AP-Manager.

Victor, you are correct that this scenario is too long for the lab. It hopefully made you think, though.

5.2 - Yes, that is a predefined issue. I could point that out clearly, but I didn't.

5.6 - This has been discussed a few times. In the next version of the workbook, this will be written differently :) There has already been discussion on this - see http://www.onlinestudylist.com/archives/ccie_wireless/2011-April/002069.html .

Jason Boyers - CCIE #26024 (Wireless)
Technical Instructor - IPexpert, Inc.
Mailto: [email protected]

On Thu, Jun 16, 2011 at 3:54 AM, Victor Platov (viplatov) <[email protected]> wrote:

> Hi Raul,
>
> Regarding CPU ACLs and LWAPP. Per my findings we have to create the following ACLs for LWAPP:
>
> 1. Permit LWAPP control from APs to the Management interface (used for Controller discovery)
> 2. Permit LWAPP control from APs to the AP-manager interface (used for all other tasks like AP join, AP CFG and so on)
>
> That's it. We don't have to create any data LWAPP ACLs since it doesn't hit the CPU.
>
> Also I've found out that in case of a "permit something, deny all other" approach we have to remember all the stuff we don't care about in our daily life like Mobility, Radius, Tacacs, DHCP, DNS, EoIP, NTP and so on.
>
> I think during the real lab if we are asked something like "allow WLC management from subnets A and B only" we'd better use a "permit mgmt from A and B, deny mgmt from others, permit any" approach. Otherwise we will definitely face a lot of issues related to client association, mobility, dhcp, dns and other stuff.
>
> You really don't have time during the lab exam to sort things out, do you?
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Raul Manzano
> Sent: Tuesday, June 14, 2011 10:05 PM
> To: [email protected]
> Subject: [OSL | CCIE_Wireless] Lab 5 or how to die trying.
>
> Hi Guys.
>
> I just finished lab 5. It is the hardest I have done and I need more speed and, clearly, more knowledge, but, surprise, I really did not have too many errors.
>
> I want to share the doubts or possible mistakes I think I found in this lab.
>
> 5.1: CPU ACL. In my lab, if I don't create an ACL permitting the LWAPP control traffic from the AP subnet to the AP-manager, the AP cannot register in the WLC. The DSG talks about creating this ACL but permitting LWAPP data traffic for this interface and LWAPP control for the management interface; what's more, if I delete the LWAPP control entry for the management interface the AP still associates to the WLC:
>
> (WLC1) >SHOW acl detailed MANAGEMENT
>
>         Source                           Destination                      Source Port  Dest Port
> I  Dir  IP Address/Netmask               IP Address/Netmask               Prot  Range        Range        DSCP  Action  Counter
> -- ---  -------------------------------  -------------------------------  ----  -----------  -----------  ----  ------  -----------
> 1  Any  10.10.112.10/255.255.255.255     10.10.111.10/255.255.255.255     17    16666-16666  16666-16666  Any   Permit  3274
> 2  Any  10.10.120.140/255.255.255.255    10.10.111.10/255.255.255.255     17    16666-16666  16666-16666  Any   Permit  3151
> 3  In   10.10.113.0/255.255.255.0        10.10.111.10/255.255.255.255     17    0-65535      12223-12223  Any   Permit  0
> 4  In   10.10.113.0/255.255.255.0        10.10.111.11/255.255.255.255     17    0-65535      12222-12222  Any   Permit  0
> 5  In   10.10.114.0/255.255.255.0        10.10.111.10/255.255.255.255     17    0-65535      12223-12223  Any   Permit  1
> 6  In   10.10.114.0/255.255.255.0        10.10.111.11/255.255.255.255     17    0-65535      12222-12222  Any   Permit  0
> 7  In   10.10.210.0/255.255.255.0        10.10.111.10/255.255.255.255     6     0-65535      443-443      Any   Permit  28510
> 8  In   192.168.10.0/255.255.255.0       10.10.111.10/255.255.255.255     6     0-65535      443-443      Any   Permit  0
> 9  In   10.10.210.0/255.255.255.0        10.10.111.10/255.255.255.255     6     0-65535      22-22        Any   Permit  1225
> 10 In   192.168.10.0/255.255.255.0       10.10.111.10/255.255.255.255     6     0-65535      22-22        Any   Permit  0
> 11 Any  10.10.210.6/255.255.255.255      10.10.111.10/255.255.255.255     17    49-49        0-65535      Any   Permit  0
> 12 Any  10.10.210.6/255.255.255.255      10.10.111.10/255.255.255.255     17    1812-1812    0-65535      Any   Permit  183
> 13 Any  10.10.210.6/255.255.255.255      10.10.111.10/255.255.255.255     17    123-123      0-65535      Any   Permit  12
> 14 Any  10.10.120.140/255.255.255.255    10.10.111.10/255.255.255.255     97    0-65535      0-65535      Any   Permit  0
> 15 Any  10.10.112.10/255.255.255.255     10.10.111.10/255.255.255.255     97    0-65535      0-65535      Any   Permit  0
> 16 In   0.0.0.0/0.0.0.0                  0.0.0.0/0.0.0.0                  17    68-68        67-67        Any   Permit  74
> 17 In   10.10.210.6/255.255.255.255      0.0.0.0/0.0.0.0                  17    53-53        0-65535      Any   Permit  0
> 18 Any  10.10.111.10/255.255.255.255     10.10.111.10/255.255.255.255     Any   0-65535      0-65535      Any   Permit  0
> 19 In   10.10.210.5/255.255.255.255      10.10.111.10/255.255.255.255     17    0-65535      0-65535      Any   Permit  0
> 20 In   10.10.113.0/255.255.255.255      10.10.111.12/255.255.255.255     17    0-65535      12222-12222  Any   Permit  0
> 21 In   10.10.114.0/255.255.255.0        10.10.111.12/255.255.255.255     17    0-65535      12222-12222  Any   Permit  0
> 22 In   10.10.114.0/255.255.255.0        10.10.111.11/255.255.255.255     17    0-65535      12223-12223  Any   Permit  49
> 23 In   10.10.114.0/255.255.255.0        10.10.111.12/255.255.255.255     17    0-65535      12223-12223  Any   Permit  10977
>
> DenyCounter : 189
>
> In the same way, the WLC does not sync with the NTP server if I use the ACL proposed by the DSG; I need to add src/ntp/port 123 dst/wlc/port any, as you can see above in ACL entry 13.
>
> Thoughts??
>
> 5.2: I don't know if it is a lab requirement, but there is a really strange issue with interface vlan 11 on WLC1: the configuration file creates an interface in WLC1 with no mapping to any port, so although you configure everything correctly you don't receive any traffic; simply mapping this interface to port 1 or 2 makes it start to work. Because it is not explicitly explained in the DSG (there is a screenshot of how to create the VLAN11 interface on WLC1) I don't know if it is a predefined issue.
>
> 5.6: TSPEC is only supported for the platinum profile??? I suppose then that the Sec1 SSID uses this profile instead of Gold as the DSG tells us. In this way I don't understand why the Platinum profile is used in SSID Guest2 on WLC1 when the profile should be gold (as I understand the DSG indicates in the requirements of the exercise; in fact, the rest of the WLCs configured with this SSID are using the gold profile). Could it be a mistake???
>
> Cheers!!!
>
> Raul.
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
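As an added example (not code from the thread, the DSG or IPexpert), here is a small first-match evaluator for a WLC CPU ACL, fed with rows copied from Raul's "show acl detailed" output, that checks which of the flows discussed above (LWAPP control to the AP-manager, NTP, DHCP) the ACL actually permits. It assumes first-match semantics with an implicit deny at the end and treats the Dir column as irrelevant for traffic hitting the CPU; the AP addresses and source ports in the test flows are constructed.

```python
import ipaddress

# Rows copied from the "show acl detailed MANAGEMENT" output quoted in the thread
# (fields: I Dir Source Destination Prot SrcPorts DstPorts DSCP Action Counter).
ACL_TEXT = """
3  In  10.10.113.0/255.255.255.0   10.10.111.10/255.255.255.255 17 0-65535 12223-12223 Any Permit 0
4  In  10.10.113.0/255.255.255.0   10.10.111.11/255.255.255.255 17 0-65535 12222-12222 Any Permit 0
13 Any 10.10.210.6/255.255.255.255 10.10.111.10/255.255.255.255 17 123-123 0-65535     Any Permit 12
16 In  0.0.0.0/0.0.0.0             0.0.0.0/0.0.0.0              17 68-68   67-67       Any Permit 74
22 In  10.10.114.0/255.255.255.0   10.10.111.11/255.255.255.255 17 0-65535 12223-12223 Any Permit 49
"""

def parse_acl(text):
    """Turn each printed row into a rule; 'addr/mask' is read as a network, 'lo-hi' as a port range."""
    rules = []
    for line in text.strip().splitlines():
        f = line.split()
        rules.append({
            "idx": int(f[0]),
            "src": ipaddress.ip_network(f[2], strict=False),
            "dst": ipaddress.ip_network(f[3], strict=False),
            "proto": None if f[4] == "Any" else int(f[4]),
            "sports": tuple(int(p) for p in f[5].split("-")),
            "dports": tuple(int(p) for p in f[6].split("-")),
            "action": f[8],
        })
    return rules

def lookup(rules, src, dst, proto, sport, dport):
    """First matching rule wins; with no match the CPU ACL's implicit deny applies
    (that is what the DenyCounter at the end of the output counts)."""
    for r in rules:
        if (r["proto"] in (None, proto)
                and ipaddress.ip_address(src) in r["src"]
                and ipaddress.ip_address(dst) in r["dst"]
                and r["sports"][0] <= sport <= r["sports"][1]
                and r["dports"][0] <= dport <= r["dports"][1]):
            return r["action"], r["idx"]
    return "Deny", None

def control_plane_checks(rules):
    """Flows the WLC must accept for APs to join and for NTP (AP addresses/ports constructed)."""
    flows = {
        "lwapp_ctrl_ap_113_to_apmgr": ("10.10.113.5", "10.10.111.11", 17, 10000, 12223),
        "lwapp_ctrl_ap_114_to_apmgr": ("10.10.114.5", "10.10.111.11", 17, 10000, 12223),
        "ntp_reply_to_mgmt": ("10.10.210.6", "10.10.111.10", 17, 123, 123),
        "dhcp_discover": ("0.0.0.0", "255.255.255.255", 17, 68, 67),
    }
    return {name: lookup(rules, *flow) for name, flow in flows.items()}
```

Running control_plane_checks(parse_acl(ACL_TEXT)) shows the point Raul raises: LWAPP control (UDP 12223) from the 10.10.113.0/24 AP subnet to the AP-manager falls through to the implicit deny (entry 4 only permits 12222 there), while the same flow from 10.10.114.0/24 is permitted by entry 22, and NTP replies from source port 123 are permitted by entry 13.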
