Thursday, May 1, 2014

Anchoring for Guest Access on CT5760

Guest Anchor Configuration with WLAN / APs on both WLCs

This note specifically captures the configuration required to anchor a CT5760 to another CT5760. The other configuration requirements for setting up WebAuth, WebConsent and Central Web Auth are covered in separate notes about each; combine them for a full solution.

Anchor Controller

DHCP can be served from devices other than the WLC if desired, but if you choose to run it on the WLC for the guest network, this basic template is useful for building the pool. See the configuration guide for additional options if necessary.

ip dhcp excluded-address 192.168.1.1 192.168.1.50
!
ip dhcp pool GUEST_VL296
 network 192.168.1.0 /24
 default-router 192.168.1.1
 dns-server 8.8.8.8 4.4.4.4
 lease 0 2


As with the previous generation of Wireless LAN Controllers, the foreign and anchor controllers sit in different mobility groups. Below are the CT5760 CLI commands that configure the mobility group name and the member relationship.

hostname ANCHOR_CONTROLLER
wireless mobility group name ANCHOR_GROUP
wireless mobility group member 10.1.1.1 group FOREIGN_GROUP

Any WLAN configured with DHCP required will also require DHCP snooping to be enabled on its client VLAN. If you miss this step, clients will not be able to obtain an IP address and will never get past the IPLEARN state.

ip dhcp snooping vlan 296
ip dhcp snooping
ip device tracking

The WLAN security settings need to match on both controllers, much as they did in the earlier versions. This example shows the basic WLAN settings that disable WPA and the AKM settings on the WLAN and enable WebAuth with WebConsent, which presents the user with a basic Acceptable Use Policy before joining the network. (** WebConsent configuration is covered in more detail in another entry.)

wlan GUEST 1 GUEST
 client vlan 296
 no security wpa
 no security wpa akm dot1x
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 security web-auth
 security web-auth parameter-map consent
 session-timeout 1800
 no shutdown


Foreign Controller

hostname FOREIGN_CONTROLLER


Mobility groups are created much as on the earlier controllers. Make sure the member command names the mobility group of the other controller, as below, rather than adding that controller to your own group.

wireless mobility group name FOREIGN_GROUP
wireless mobility group member 20.1.1.1 group ANCHOR_GROUP

Creating the 'dummy' client VLAN is somewhat counter-intuitive, but just pick one that is not in use and that does not have DHCP snooping enabled. Do not choose the wireless management interface VLAN here.

wlan GUEST 1 GUEST
 ! VLAN 1 here is a dummy VLAN that is not in use and does not have DHCP snooping enabled
 client vlan 1
 mobility anchor 20.1.1.1
 no security wpa
 no security wpa akm dot1x
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 security web-auth
 security web-auth parameter-map consent
 session-timeout 1800
 no shutdown

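As an added check, not part of the original post, the following Python script parses an anchor and a foreign controller config and flags the slips that break anchoring: a mobility member that names the wrong group, WLAN security settings that differ between the pair, a foreign dummy VLAN with DHCP snooping, or an anchor client VLAN without it. The embedded configs are constructed samples; the foreign one intentionally names the anchor's hostname instead of its mobility group so that there is a finding to show.

```python
import re
# Constructed samples (not from the post); the foreign side deliberately names the anchor's hostname.
ANCHOR_CFG = """
wireless mobility group name ANCHOR_GROUP
wireless mobility group member 10.1.1.1 group FOREIGN_GROUP
ip dhcp snooping vlan 296
wlan GUEST 1 GUEST
 client vlan 296
 security web-auth
"""
FOREIGN_CFG = """
wireless mobility group name FOREIGN_GROUP
wireless mobility group member 20.1.1.1 group ANCHOR_CONTROLLER
wlan GUEST 1 GUEST
 client vlan 1
 mobility anchor 20.1.1.1
 security web-auth
"""
def parse(cfg):
    d = {"group": None, "members": {}, "snoop_vlans": set(), "wlans": {}}
    cur = None  # the wlan block currently being read
    for s in (ln.strip() for ln in cfg.splitlines()):
        if m := re.match(r"wireless mobility group name (\S+)$", s):
            d["group"] = m[1]
        elif m := re.match(r"wireless mobility group member (\S+) group (\S+)$", s):
            d["members"][m[1]] = m[2]
        elif m := re.match(r"ip dhcp snooping vlan (\d+)$", s):
            d["snoop_vlans"].add(m[1])
        elif m := re.match(r"wlan (\S+) \d+ \S+$", s, re.I):
            cur = d["wlans"].setdefault(m[1], {"security": set()})
        elif cur and (m := re.match(r"(client vlan|mobility anchor) (\S+)$", s, re.I)):
            cur[m[1].lower()] = m[2]
        elif cur and re.match(r"(no )?security ", s):
            cur["security"].add(s)  # must be identical on anchor and foreign
    return d
def check_pair(anchor_cfg, foreign_cfg):
    # Returns a list of findings; an empty list means the pair is consistent.
    a, f, out = parse(anchor_cfg), parse(foreign_cfg), []
    for side, me, peer in (("foreign", f, a), ("anchor", a, f)):
        for ip, grp in me["members"].items():  # each side must name the OTHER group
            if grp != peer["group"]:
                out.append(f"{side}: member {ip} names group {grp}, peer group is {peer['group']}")
    for name, w in f["wlans"].items():
        aw = a["wlans"].get(name, {"security": set()})
        if "mobility anchor" not in w or aw["security"] != w["security"]:
            out.append(f"WLAN {name}: no 'mobility anchor' or security settings differ")
        if w.get("client vlan") in f["snoop_vlans"]:
            out.append(f"foreign WLAN {name}: dummy VLAN has DHCP snooping enabled")
        if aw.get("client vlan") not in a["snoop_vlans"]:
            out.append(f"anchor WLAN {name}: client VLAN lacks DHCP snooping (IPLEARN)")
    return out
```

Feed it the output of show running-config from each controller; it only reads the handful of lines the anchoring relationship depends on.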

Jumbo Frames (Nexus7k/5k)

Enabling jumbo frames in a data center can be somewhat nerve-wracking when you are trying to make sure you don't take the entire place down. Here are some notes that might make the project a bit less intimidating.

General Caveats/Considerations

  • Understand your topology and know the traffic flows
  • Understand all hardware in your network and its support for jumbo frames
  • Enable jumbo frames on all switches in the path/environment
  • Be aware of any existing QoS policies already implemented
    • Overwriting an existing policy could be problematic
    • Order of operations in MQC or 3CPL should be considered
  • Enabling jumbo frames on a switch simply says "don't discard frames that are equal to or smaller than this value"; it is non-intrusive
  • Frames are not aggregated by the switch and are typically sourced from devices other than the network equipment at Layer 2
  • Jumbo frames are an Ethernet feature; use care when allowing them to traverse Layer 3 interfaces
  • Understand your traffic flow and connectivity
  • Enable jumbo frames on host interfaces with extreme care
    • Understand how the different vendors interpret the MTU command
      • Does it include the header information or not?
  • Enable jumbo frames on all devices in a Layer 2 environment that could potentially communicate with each other
  • Pairs of 5ks should be updated simultaneously using the SecureCRT Chat Window or Config-sync

Nexus 7k

The system jumbo MTU defaults to 9216:

N7K-AGG-1# sho run all | inc "jumbomtu"
system jumbomtu 9216

Because it is a default, it does not show up in the running configuration without the all keyword.

The interface MTU is 1500 bytes by default.

With no changes, the interface MTU will be 1500 on both M-series and F-series line cards.

Changes required to enable Jumbo Frames

F-Series Line Cards

  • Modify the network-qos policy-map in the admin VDC
    • This is a disruptive change and may cause drops on some interfaces
  • Change the MTU on the individual interfaces
    • This is non-intrusive
    • Can only be set to either 1500 or the system jumbo MTU - any other value will display an error saying as much

Example in Admin VDC

policy-map type network-qos custom-nq-7e
  class type network-qos c-nq-7e-drop
    congestion-control tail-drop
    mtu 9216
  class type network-qos c-nq-7e-ndrop-fcoe
    pause
    mtu 2112
system qos
  service-policy type network-qos custom-nq-7e

Example Interface Change

interface port-channel1021
  switchport
  switchport mode fabricpath
  mtu 9216

M-Series Line Cards

  • Interface level MTU change with same guideline as above

interface Ethernet3/1
  mtu 9216
  ip address 10.6.1.13/30
  ip ospf network point-to-point
  ip router ospf 1 area 0.0.0.0

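Added example, not from the original post: a Python audit that reads show run excerpts from the Nexus switches along a Layer 2 path and flags interfaces still at the 1500 default, F-series interface MTUs that are neither 1500 nor the system jumbomtu, and any hop that would drop a 9216-byte frame. The switch names and config excerpts are constructed.

```python
import re

# Constructed 'show run' excerpts (not from the post); N7K-AGG-2 carries two common slips.
CONFIGS = {
    "N7K-AGG-1": """
system jumbomtu 9216
interface port-channel1021
  switchport mode fabricpath
  mtu 9216
interface Ethernet3/1
  mtu 9216
""",
    "N7K-AGG-2": """
system jumbomtu 9216
interface port-channel1021
  switchport mode fabricpath
interface Ethernet3/1
  mtu 9000
""",
}

def parse_mtus(cfg):
    # Returns (system jumbomtu, {interface: mtu}). 9216 and 1500 are the N7K
    # defaults and are hidden from 'show run' unless the 'all' keyword is used.
    jumbo, mtus, cur = 9216, {}, None
    for line in cfg.splitlines():
        if m := re.match(r"system jumbomtu (\d+)", line):
            jumbo = int(m[1])
        elif m := re.match(r"interface (\S+)", line):
            cur = m[1]
            mtus[cur] = 1500
        elif line and not line[0].isspace():
            cur = None  # left the interface block (e.g. a policy-map's own mtu)
        elif cur and (m := re.match(r"\s+mtu (\d+)", line)):
            mtus[cur] = int(m[1])
    return jumbo, mtus

def audit(configs, l2_path, target=9216):
    # l2_path: (switch, interface) hops that must all accept `target`-byte frames.
    findings = []
    parsed = {sw: parse_mtus(cfg) for sw, cfg in configs.items()}
    for sw, (jumbo, mtus) in parsed.items():
        for ifc, mtu in mtus.items():
            if mtu not in (1500, jumbo):  # F-series accepts only these two values
                findings.append(f"{sw} {ifc}: mtu {mtu} is neither 1500 nor system jumbomtu {jumbo}")
    for sw, ifc in l2_path:
        mtu = parsed[sw][1].get(ifc, 1500)
        if mtu < target:
            findings.append(f"{sw} {ifc}: mtu {mtu} < {target}, jumbo frames dropped on this hop")
    return findings
```
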
Nexus 5k



MTU is configured in a policy-map of type network-qos and applied to the system QoS.

  • Be careful, as only one policy-map of each type can be applied at a time
  • Changing the system-level MTU can have a disruptive impact on vPCs and/or port-channels; update pairs of Nexus 5ks in parallel.

network-qos Policy-Map Example

policy-map type network-qos pmap-marking
  class type network-qos class-fcoe
    pause no-drop
    mtu 2158
  class type network-qos qmap-marking-voicemedia
    set cos 5
  class type network-qos qmap-marking-videomedia
    set cos 4
  class type network-qos qmap-marking-ucsignalling
    set cos 3
  class type network-qos qmap-marking-businesscritical
    set cos 2
    mtu 9216
  class type network-qos class-default
    mtu 9216
    multicast-optimize
    set cos 0


Applying the policy-map to System QoS Example


system qos
  service-policy type queuing input pmap-queuing-in
  service-policy type queuing output pmap-queuing-out
  service-policy type network-qos pmap-marking
  service-policy type qos input pmap-classify


References

http://www.intel.com/support/network/sb/CS-001911.htm
http://www.ccierants.com/2012/11/jumbo-frames-gotchas-you-need-to-know.html
http://www.maximumpc.com/article/howtos/how_enable_jumbo_frames
http://www.networkworld.com/community/blog/jumbo-frames

Nexus 7000
Interface Configuration: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/6_x/nx-os/interfaces/configuration/guide/if_cli/if_basic.html
QoS Configuration: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/6_x/nx-os/qos/configuration/guide/nx-os_qos_book/nt_qos.html

Nexus 5500
QoS Configuration: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5500/sw/qos/6x/b_5500_QoS_Config_6x/b_5500_QoS_Config_602N12_chapter_0110.html