Thanks Jason. I remembered this discussion about WMM and non-WMM, but reading it again helps me to understand better the behaviour expected.
Best Regards.

2011/6/21 Jason Boyers <[email protected]>

> 5.1 - The ACL in the DSG does allow UDP/123 for NTP. LWAPP Data is not
> necessary on a CPU ACL. And you are correct on LWAPP Control to the
> AP-Manager.
>
> Victor, you are correct that this scenario is too long for the lab. It
> hopefully made you think, though.
>
> 5.2 - Yes, that is a predefined issue. I could point that out clearly, but
> I didn't.
>
> 5.6 - This has been discussed a few times. In the next version of
> the workbook, this will be written differently :) There has already been
> discussion on this - see
> http://www.onlinestudylist.com/archives/ccie_wireless/2011-April/002069.html
>
> Jason Boyers - CCIE #26024 (Wireless)
> Technical Instructor - IPexpert, Inc.
> Mailto: [email protected]
>
> On Thu, Jun 16, 2011 at 3:54 AM, Victor Platov (viplatov) <
> [email protected]> wrote:
>
>> Hi Raul,
>>
>> Regarding CPU ACLs and LWAPP. Per my findings we have to create the
>> following ACLs for LWAPP:
>>
>> 1. Permit LWAPP control from APs to Management interface (used
>> for Controller discovery)
>>
>> 2. Permit LWAPP control from APs to AP-manager interface (used
>> for all other tasks like AP join, AP CFG and so on)
>>
>> That's it. We don't have to create any data LWAPP ACLs since it doesn't
>> hit the CPU.
>>
>> Also I've found out that in case of "permit something, deny all other"
>> approach we have to remember all the stuff we don't care about in our daily
>> life like Mobility, Radius, Tacacs, DHCP, DNS, EoIP, NTP and so on.
>>
>> I think during the real lab if we are asked something like "allow WLC
>> management from subnets A and B only" we'd better use "permit mgmt from A
>> and B, deny mgmt from others, permit any" approach. Otherwise we will
>> definitely face a lot of issues related to client association, mobility,
>> dhcp, dns and other stuff.
>>
>> You really don't have time during the lab exam to sort the things out,
>> do you?
>>
>> From: [email protected] [mailto:
>> [email protected]] On Behalf Of Raul Manzano
>> Sent: Tuesday, June 14, 2011 10:05 PM
>> To: [email protected]
>> Subject: [OSL | CCIE_Wireless] Lab 5 or how to die trying.
>>
>> Hi Guys.
>>
>> I just finished lab 5. It is the hardest I have done and I need more speed
>> and clearly my knowledge, but surprisingly I really did not have too many
>> errors.
>>
>> I want to share the doubts or possible mistakes I think I found in this
>> lab.
>>
>> 5.1: CPU ACL. In my lab if I don't create an ACL permitting the LWAPP
>> control traffic from the AP subnet to the AP-manager the AP cannot register
>> in the WLC. The DSG talks about creating this ACL but permitting LWAPP data
>> traffic for this interface and LWAPP control for management interface, even
>> more if I delete the LWAPP control for management interface the AP is still
>> associating to the WLC:
>>
>> (WLC1) >SHOW acl detailed MANAGEMENT
>>
>>                    Source                      Destination               Source Port  Dest Port
>>  I Dir       IP Address/Netmask              IP Address/Netmask     Prot    Range       Range    DSCP Action   Counter
>> -- --- ------------------------------- ------------------------------- ---- ----------- ----------- ---- ------ -----------
>>  1 Any 10.10.112.10/255.255.255.255    10.10.111.10/255.255.255.255     17  16666-16666 16666-16666 Any  Permit 3274
>>  2 Any 10.10.120.140/255.255.255.255   10.10.111.10/255.255.255.255     17  16666-16666 16666-16666 Any  Permit 3151
>>  3 In  10.10.113.0/255.255.255.0       10.10.111.10/255.255.255.255     17  0-65535     12223-12223 Any  Permit 0
>>  4 In  10.10.113.0/255.255.255.0       10.10.111.11/255.255.255.255     17  0-65535     12222-12222 Any  Permit 0
>>  5 In  10.10.114.0/255.255.255.0       10.10.111.10/255.255.255.255     17  0-65535     12223-12223 Any  Permit 1
>>  6 In  10.10.114.0/255.255.255.0       10.10.111.11/255.255.255.255     17  0-65535     12222-12222 Any  Permit 0
>>  7 In  10.10.210.0/255.255.255.0       10.10.111.10/255.255.255.255      6  0-65535     443-443     Any  Permit 28510
>>  8 In  192.168.10.0/255.255.255.0      10.10.111.10/255.255.255.255      6  0-65535     443-443     Any  Permit 0
>>  9 In  10.10.210.0/255.255.255.0       10.10.111.10/255.255.255.255      6  0-65535     22-22       Any  Permit 1225
>> 10 In  192.168.10.0/255.255.255.0      10.10.111.10/255.255.255.255      6  0-65535     22-22       Any  Permit 0
>> 11 Any 10.10.210.6/255.255.255.255     10.10.111.10/255.255.255.255     17  49-49       0-65535     Any  Permit 0
>> 12 Any 10.10.210.6/255.255.255.255     10.10.111.10/255.255.255.255     17  1812-1812   0-65535     Any  Permit 183
>> 13 Any 10.10.210.6/255.255.255.255     10.10.111.10/255.255.255.255     17  123-123     0-65535     Any  Permit 12
>> 14 Any 10.10.120.140/255.255.255.255   10.10.111.10/255.255.255.255     97  0-65535     0-65535     Any  Permit 0
>> 15 Any 10.10.112.10/255.255.255.255    10.10.111.10/255.255.255.255     97  0-65535     0-65535     Any  Permit 0
>> 16 In  0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0                  17  68-68       67-67       Any  Permit 74
>> 17 In  10.10.210.6/255.255.255.255     0.0.0.0/0.0.0.0                  17  53-53       0-65535     Any  Permit 0
>> 18 Any 10.10.111.10/255.255.255.255    10.10.111.10/255.255.255.255    Any  0-65535     0-65535     Any  Permit 0
>> 19 In  10.10.210.5/255.255.255.255     10.10.111.10/255.255.255.255     17  0-65535     0-65535     Any  Permit 0
>> 20 In  10.10.113.0/255.255.255.255     10.10.111.12/255.255.255.255     17  0-65535     12222-12222 Any  Permit 0
>> 21 In  10.10.114.0/255.255.255.0       10.10.111.12/255.255.255.255     17  0-65535     12222-12222 Any  Permit 0
>> 22 In  10.10.114.0/255.255.255.0       10.10.111.11/255.255.255.255     17  0-65535     12223-12223 Any  Permit 49
>> 23 In  10.10.114.0/255.255.255.0       10.10.111.12/255.255.255.255     17  0-65535     12223-12223 Any  Permit 10977
>>
>> DenyCounter : 189
>>
>> In the same way, the WLC does not sync with the NTP server if I use the
>> ACL proposed by the DSG, I need to add src/ntp/port 123 dst/wlc/port any as
>> you can see above in acl 13.
>>
>> Thoughts??
>>
>> 5.2: I don't know if it is a lab requirement, but really strange issue with
>> interface vlan 11 on WLC1, the configuration file creates an interface in
>> WLC1 with no mapping to any port, in this way although you configure all
>> correct you don't receive any traffic, simply mapping this port to p1 or 2
>> starts to work. Because it is not explicitly explained in DSG (there is a
>> screenshot of how to create VLAN11 interface on WLC1) I don't know if it is
>> a predefined issue.
>>
>> 5.6: TSPEC is only supported for platinum profile??? I suppose so that
>> Sec1 SSID uses this profile instead of Gold as DSG tells us. In this way I
>> don't understand why Platinum profile is used in SSID Guest2 on WLC1 when the
>> profile should be gold (I understand as DSG indicates in the requirements of
>> the exercise, in fact, the rest of the WLCs configured with this SSID are
>> using gold profile). Can it be a mistake???
>>
>> Cheers!!!
>>
>> Raul.
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
>>
>> Are you a CCNP or CCIE and looking for a job? Check out
>> www.PlatinumPlacement.com <http://www.platinumplacement.com/>
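The thread's point about a "permit something, deny all other" CPU ACL can be checked offline. The following is an added example, not part of the original messages: a first-match evaluator over five rules copied from the posted ACL, run against constructed packets (the AP and client addresses and the ephemeral ports are assumptions), showing which control-plane flows fall through to the implicit deny when rules 13 and 22 are missing.

```python
import ipaddress

# Rules copied from the ACL posted in the thread (Dir column ignored here):
# (index, source, destination, protocol, source ports, destination ports)
RULES = [
    (5,  "10.10.114.0/255.255.255.0",   "10.10.111.10/255.255.255.255", 17, (0, 65535), (12223, 12223)),
    (6,  "10.10.114.0/255.255.255.0",   "10.10.111.11/255.255.255.255", 17, (0, 65535), (12222, 12222)),
    (7,  "10.10.210.0/255.255.255.0",   "10.10.111.10/255.255.255.255", 6,  (0, 65535), (443, 443)),
    (13, "10.10.210.6/255.255.255.255", "10.10.111.10/255.255.255.255", 17, (123, 123), (0, 65535)),
    (22, "10.10.114.0/255.255.255.0",   "10.10.111.11/255.255.255.255", 17, (0, 65535), (12223, 12223)),
]

# Constructed inbound packets: (label, src, dst, protocol, source port, dest port)
FLOWS = [
    ("LWAPP control, AP -> management", "10.10.114.20", "10.10.111.10", 17, 32768, 12223),
    ("LWAPP control, AP -> AP-manager", "10.10.114.20", "10.10.111.11", 17, 32768, 12223),
    ("NTP reply, server -> WLC",        "10.10.210.6",  "10.10.111.10", 17, 123, 50000),
    ("HTTPS from a permitted subnet",   "10.10.210.50", "10.10.111.10", 6, 51000, 443),
    ("HTTPS from an unlisted subnet",   "10.10.99.5",   "10.10.111.10", 6, 51000, 443),
]

def first_match(rules, flow):
    """Return the index of the first matching rule, or None for the implicit deny."""
    _, src, dst, proto, sport, dport = flow
    for idx, rsrc, rdst, rproto, (s_lo, s_hi), (d_lo, d_hi) in rules:
        if (ipaddress.ip_address(src) in ipaddress.ip_network(rsrc)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(rdst)
                and proto == rproto
                and s_lo <= sport <= s_hi and d_lo <= dport <= d_hi):
            return idx
    return None

def evaluate(rules):
    """Map each constructed flow label to its matching rule index (None = denied)."""
    return {flow[0]: first_match(rules, flow) for flow in FLOWS}

def without(rules, *dropped):
    """Copy of the rule list with the given rule indexes removed."""
    return [r for r in rules if r[0] not in dropped]

if __name__ == "__main__":
    for name, rules in (("as posted", RULES), ("rules 13 and 22 removed", without(RULES, 13, 22))):
        print(name)
        for label, hit in evaluate(rules).items():
            print(f"  {label:34} {'rule ' + str(hit) if hit else 'implicit deny'}")
```
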
