Hey Andre -

Attached are the configs from the two APs (AAP 1 is the root, 2 is the WGB).
I just tried it again with the exact same results.  WGB will associate without 
any issue, but no DHCP (and if you assign a static, it won't ping).  Just 
remove 'infrastructure client' from the root and things will immediately start 
working.

I'm certainly interested to see what you find.

Thanks -
Jay Killion, CCIE #17873 R/S

From: Andre Aubet <[email protected]>
Date: Thursday, February 6, 2014 11:28 AM
To: Jay Killion <[email protected]>
Cc: Jason Boyers <[email protected]>, "[email protected]" <[email protected]>
Subject: Re: [OSL | CCIE_Wireless] Autonomous - Reliability

Ok, I just tried to configure the whole thing:

  *   authentication open eap + authentication network-eap
  *   radius-server local on root AP
  *   DHCP server on core switch behind AP
  *   infrastructure-client on AP
  *   WGB using dot1x profile to authenticate on root AP
  *   DHCP client configured on WGB BVI1

And all works fine. I added vlans in the WGB to act as a trunk link, and I can 
ping many clients behind my WGB in different vlans.

I'm sure there is a specific command interacting with the infrastructure-client 
that made your association/authentication fail.
Unless the radio was buggy, and when you removed the infrastructure-client 
command, it forced the radio interface to reset.


2014-02-06 Andre Aubet <[email protected]>:
Jay,

Can you share your full configuration for the two APs? I just tried myself to 
configure a WGB using infrastructure-client on the root AP, but it works great.

Andre.


2014-02-06 Jay Killion (jakillio) <[email protected]>:
No, I just used "station-role workgroup-bridge" configured.  But you make a 
great point, it's good to try the different options together to find out what 
breaks what.


From: Jason Boyers <[email protected]>
Date: Thursday, February 6, 2014 8:19 AM
To: Jay Killion <[email protected]>
Cc: Andre Aubet <[email protected]>, "[email protected]" <[email protected]>
Subject: Re: [OSL | CCIE_Wireless] Autonomous - Reliability

On the WGB, do you have "station-role workgroup-bridge multicast mode client" 
configured?  That is incompatible with the "infrastructure client" command on 
the root side.  I found it helpful to go through the different combinations 
("station-role workgroup-bridge" with and without the various multicast mode 
commands, with and without infrastructure client, and such) to ensure how 
things will and will not work.  There are some combinations that simply won't 
pass traffic.

Jason Boyers, CCIE #26024 (Wireless)
Blog: netboyers.wordpress.com


On Thu, Feb 6, 2014 at 8:29 AM, Jay Killion (jakillio) <[email protected]> wrote:
Hey Andre -

Yes, the full requirement was, "Ensure that the association reliable. So the AP 
disassociates clients only many packets are lost. Use the maximum reliable 
setting for the association to stay up.".  Given that the words "reliable" and 
"reliability" are used 7 times in the CCO WGB documentation and every single 
one of them is in the section on "infrastructure client", I interpreted the 
requirement as wanting both "packet retries" and "infrastructure client".  But 
anyways…

Yes, I was using both "auth open" and "auth eap" for the SSID.  The WGB would 
associate and authenticate every time without any issue, even after rebooting 
both sides.  The instant I removed "infrastructure client" from the root side, 
without any further changes, the WGB side immediately received DHCP and pings 
started working.

I'm still not sure why it wouldn't work with "infrastructure client", but good 
to know for the future.


From: Andre Aubet <[email protected]>
Date: Thursday, February 6, 2014 1:50 AM
To: Jay Killion <[email protected]>
Subject: Re: [OSL | CCIE_Wireless] Autonomous - Reliability

Hi Jay,

You really met an interesting behavior here!!!

I just read the complete lab requirement, it says:
Ensure that the association reliable. So the AP disassociates clients only many 
packets are lost. Use the maximum reliable setting for the association to stay 
up.

For this, I would have used the packet retries command I think. It allows the 
client entry to be removed only after a specified number of missed 802.11 
packets (maximum being 127 I think).

About the infrastructure client, what it actually does:

  *   sends the multicast/broadcast frame a first time, and re-sends it in an 
encapsulated unicast frame to the WGB. This allows the frame to be acknowledged 
by the WGB.
  *   allows the WGB, which is normally treated as a wireless client, to 
associate to an infrastructure-only AP

In your configuration, it is weird that the WGB can't get an IP address. You say 
the association works fine, but the DHCP Discover isn't received by the DHCP 
server. If it didn't work with a static IP address, I would think something is 
missing in your configuration.

By any chance, were you using the authentication network-eap method to 
associate, or only authentication open eap? I think network-eap (Cisco 
proprietary) is a requirement when using an infrastructure mode.

Andre.


2014-02-06 Jay Killion (jakillio) <[email protected]>:
Hi all -

I'm working on WB2 lab 3 and the following requirement was given for an 
autonomous WGB, "Ensure that the association is reliable."  I thought the 
question was looking for me to configure "infrastructure client" on the root AP 
since CCO documentation says to do this for "increased reliability".  Turns out 
that wasn't what the lab was looking for, but it did bring up an interesting 
result – no DHCP even though the WGB associated without any issue.

The other requirement for this task was to have the WGB receive its IP address 
via DHCP.  I couldn't for the life of me figure out why DHCP wasn't working, as 
my debugs showed the AP sending them but never getting a reply (or being seen 
by the DHCP server).  Even if I configured a static IP address for the BVI, 
pings still wouldn't work.

I finally looked at the answer to see what I was missing and noticed IPX didn't 
use "infrastructure client" as part of their solution.  I removed that piece 
and everything immediately started working.  I've read what "infrastructure 
client" does – reliably deliver multicast and ARPs, but I don't see why this 
broke the ping / DHCP from the WGB.

Any insight?

Thanks
Jay Killion, CCIE #17873 R/S


_______________________________________________
Free CCIE R&S, Collaboration, Data Center, Wireless & Security Videos ::

iPexpert on YouTube: www.youtube.com/ipexpertinc



version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname AAP1
!
logging rate-limit console 9
enable secret 5 $1$.6Zc$OhQj3dgSiVMgWRcmxlV7x.
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 10.10.110.100 auth-port 1812 acct-port 1813
!
aaa group server radius rad_mac
 server 10.10.110.100 auth-port 1812 acct-port 1813
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
no ip domain lookup
!
!
dot11 syslog
!
dot11 ssid fork-01
   vlan 17
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa version 2
   guest-mode
!
!
!
username Cisco password 7 05280F1C2243
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 17 mode ciphers aes-ccm
 !
 ssid fork-01
 !
 channel 2437
 station-role root
 infrastructure-client
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.17
 encapsulation dot1Q 17
 no ip route-cache
 bridge-group 17
 bridge-group 17 subscriber-loop-control
 bridge-group 17 block-unknown-source
 no bridge-group 17 source-learning
 no bridge-group 17 unicast-flooding
 bridge-group 17 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 dfs band 3 block
 channel 5765
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1.17
 encapsulation dot1Q 17
 no ip route-cache
 bridge-group 17
 bridge-group 17 subscriber-loop-control
 bridge-group 17 block-unknown-source
 no bridge-group 17 source-learning
 no bridge-group 17 unicast-flooding
 bridge-group 17 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
!
interface FastEthernet0.17
 encapsulation dot1Q 17
 no ip route-cache
 bridge-group 17
 no bridge-group 17 source-learning
 bridge-group 17 spanning-disabled
!
interface FastEthernet0.110
 encapsulation dot1Q 110 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 10.10.110.100 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.10.110.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server local
  no authentication leap
  no authentication mac
  nas 10.10.110.100 key 7 05080F1C2243
  user lifter nthash 7 06272B771A685A3F573346595451780E050A6317043656325A2074010103722851
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.10.110.100 auth-port 1812 acct-port 1813 key 7 0822455D0A16
radius-server vsa send accounting
bridge 1 route ip
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line vty 0 4
!
sntp server 10.10.10.2
end

AP2#wr t
Building configuration...

Current configuration : 1620 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname AAP2
!
logging rate-limit console 9
enable secret 5 $1$TwPc$7FwkVWo.y3PmR30JCj.4n0
!
no aaa new-model
no ip domain lookup
!
!
dot11 syslog
!
dot11 ssid fork-01
   authentication open eap dummy
   authentication network-eap dummy
   authentication key-management wpa version 2
   dot1x credentials fast
   dot1x eap profile fast
   guest-mode
!
eap profile fast
 method fast
!
!
!
dot1x credentials fast
 username lifter
 password 7 030254190D
!
username Cisco password 7 112A1016141D
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm
 !
 ssid fork-01
 !
 packet retries 128
 station-role workgroup-bridge
 mobile station scan 2412 2437 2462
 bridge-group 1
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 dfs band 3 block
 channel 5805
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
!
interface BVI1
 ip address dhcp
 no ip route-cache
!
ip default-gateway 10.10.17.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line vty 0 4
 login local
!
sntp server 10.10.10.2
end
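
Added example (not from any participant in the thread): a small Python check for the one combination Jason Boyers names above as incompatible, "infrastructure-client" on an active root radio together with "station-role workgroup-bridge multicast mode client" on the WGB. The function names and the two sample configs are constructed for illustration; radios that are shut down, like Dot11Radio1 in the attached configs, are ignored.

```python
import re

def active_radios(config):
    """Settings of each Dot11Radio main interface that is not shut down."""
    radios, cur = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("!"):
            continue  # blank lines and "!" separators
        m = re.match(r"interface (\S+)", line)
        if m:
            # Sub-interfaces such as Dot11Radio0.17 carry no station-role.
            cur = m.group(1) if re.fullmatch(r"Dot11Radio\d+", m.group(1)) else None
            if cur:
                radios[cur] = {"role": "", "infra_client": False, "shutdown": False}
        elif not line.startswith(" "):
            cur = None  # a global command ends the interface block
        elif cur:
            cmd = line.strip()
            if cmd == "shutdown":
                radios[cur]["shutdown"] = True
            elif cmd == "infrastructure-client":
                radios[cur]["infra_client"] = True
            elif cmd.startswith("station-role "):
                radios[cur]["role"] = cmd[len("station-role "):]
    return {n: r for n, r in radios.items() if not r["shutdown"]}

def check_pair(root_cfg, wgb_cfg):
    """Flag the root/WGB combination the thread describes as incompatible."""
    roots = active_radios(root_cfg)
    wgbs = active_radios(wgb_cfg)
    return [
        f"root {rn} has infrastructure-client; WGB {wn} uses multicast mode client"
        for rn, r in roots.items() for wn, w in wgbs.items()
        if r["role"].startswith("root") and r["infra_client"]
        and w["role"].startswith("workgroup-bridge multicast mode client")
    ]

# Constructed samples, trimmed to the layout of the attached configs.
ROOT = ("interface Dot11Radio0\n ssid fork-01\n station-role root\n"
        " infrastructure-client\n bridge-group 1\n!\n"
        "interface Dot11Radio0.17\n encapsulation dot1Q 17\n")
WGB = ("interface Dot11Radio0\n station-role workgroup-bridge\n bridge-group 1\n!\n"
       "interface Dot11Radio1\n shutdown\n station-role root\n infrastructure-client\n")
WGB_MCAST = WGB.replace("workgroup-bridge\n", "workgroup-bridge multicast mode client\n")

if __name__ == "__main__":
    print(check_pair(ROOT, WGB))
    print(check_pair(ROOT, WGB_MCAST))
```

With the plain "station-role workgroup-bridge" used in the attached WGB config, the check reports nothing, which matches Jay's reply that the multicast mode option was not configured.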