introduction to 3850 gui - lab guide v2.5

October 16th, 2013

Introduction to Wireless on the 3850

Lab Exercises

Version 2.5

Another hands-on lab from team MIDAS

2

October 16th, 2013 Introduction to Wireless on the 3850

Table of Contents Introduction ......................................................................................................................... 3 Logical Topology ................................................................................................................. 4 Physical Topology ................................................................................................................ 5 Disclaimer ............................................................................................................................ 6 Build Information ................................................................................................................ 6 Prerequisite knowledge ....................................................................................................... 6 Lab Overview ....................................................................................................................... 7 Access Lab Pod .................................................................................................................... 8 Exercise 1: Licensing and basic configuration of the 3850 ............................................... 11 Exercise 2: Configure the 3850 to support an AP via the GUI ........................................... 48 Exercise 3: Configure and Test Corp WLAN on the 3850 .................................................. 74 Appendix A: Answers to Exercise Questions ..................................................................... 92 Appendix B: Final Device Configurations .......................................................................... 93

3


Introduction Your integration company has been asked to configure the new 3850, including wireless capabilities, for a company called Example.com. Example is moving away from legacy equipment and would like you to configure a prototype for a wireless environment. Example.com plans to have only corporate users connect to the network wirelessly, and expects to grow to forty access points over the next four years. The customer would like to implement the Cisco 3850 Unified Access Switch. Your job is to set up the 3850, build a corporate WLAN, and test network access via the WLAN. One of the key requirements of the customer is that the 3850 and wireless configuration be manageable via a GUI. Here is some good news. A junior team member has been helping you get things set up. Under your direction, the following prerequisite tasks have been completed:

• The prototype network has been cabled • The router has been configured for internet reachability and NTP services • The 3750 Core Switch has been configured for network access

Based on the requirements, and with the above prerequisite tasks completed, you will perform the following:

• Configure the 3850 for network access • Configure and access the 3850 GUI • Configure a CAPWAP VLAN to support an AP • Configure Mobility and register an AP with the 3850. • Secure the CAPWAP data between the 3850 and AP • Configure a Corporate WLAN. • Configure a DHCP scope for the Corporate WLAN • Test Corporate WLAN access

Please review the diagrams on the following pages carefully, before proceeding with the lab. It may help to display them on a second window, when completing the lab.

4


Logical Topology The diagram below depicts the logical L3 topology of your prototype network. Please note that the PCs, Servers, and ISE platform are VMware images with non-persistent disks. If you shut down any of these platforms, you will lose all changes made to them up to that point, and become disconnected. Please ensure that you use restart or logoff as necessary. Avoid using shutdown at all costs. (If shutdown, contact lab admin.)

5


Physical Topology The diagram below depicts the L2 topology of the network, as it has been cabled by your junior resource.

6


Disclaimer This exercise is intended to demonstrate one way to configure the network, to meet the specified requirements of this lab. There are various ways that this can be accomplished, depending on the situation and the customer’s goals/requirements. Please ensure that you consult all current official Cisco documentation before proceeding with a design or installation. This lab is primarily intended to be a learning tool, and may not necessarily follow best practice recommendation at all times, in order to convey specific information.

Build Information As of the writing of this document, the current relevant documentation could be found on CCO at the following links: 3850 Series configuration guides

http://www.cisco.com/en/US/products/ps12686/products_installation_and_configuration_guides_list.html

The labs were constructed using the following software versions from CCO:

3850 03.02.02SE (Model: WS-C3850-24P) AP 3501 15.2.58-SE2 (Downloaded 1/8/2013) ISE ISE 1.2 Beta code

Prerequisite knowledge A solid understanding of networking, including routing and switching is assumed. A basic understanding of the concepts of wireless security is very helpful. Familiarity with the IOS-XE command line is helpful. The 3850 is built on the IOS-XE platform. Some background with Cisco Wireless would be helpful, but is not necessary.

http://www.cisco.com/en/US/products/ps12686/products_installation_and_configuration_guides_list.html

7


Lab Overview The lab will focus on getting the 3850 from 0-60. You will configure network reachability; connect an access point, and configure the 3850 via the GUI.

The key focus of the lab is to get comfortable with the new 3850 wireless feature set, and familiar with creating and managing WLANs, connecting APs, utilizing the GUI, and working on the IOS-XE platform.

8


Access Lab Pod At this point, you should have been supplied with several pieces of information for accessing your lab pod. You should have the following:

• The URL to access the lab portal • The user ID and password used for logging into the Midas Student lab portal • Your pod number (very important for accessing your device consoles)

Using the information provided, please log into the lab now. Begin by opening a browser and accessing the lab portal URL. The URL is typically https://128.107.69.142/student for accessing your pod. When you are prompted with a certificate warning from our VPN Gateway, please accept the self-signed certificate and continue.

Carefully enter the username and password supplied, and click “Login”.

https://128.107.69.142/student

9


Click “Continue” in the resulting welcome message.

You are now logged into the student portal, and should be presented with a list of bookmarks to access the images for your pod.

Verify access to the images by attempting to access PC1. Carefully click on the the “double boxes with arrows” on the far left of the bookmark for PC1. This should open PC1 in a new window. Please note that a current version of JAVA is required. (Disable pop-up blocker to see java updates.) If you have an issue, try updating java from Java.com, before contacting the lab administrator.

You should see a new window open, and a connection attempt initiated. Take note: the IP addresses and port information in the connection attempt message point at the VMware image on the backend of the VPN. You do not need direct access to these addresses.

10


In just a moment, you should be connected to PC1. Note: A JAVA applet will load in the browser environment, providing the TightVNC access to the VMware image on the backend. This is why a current version of JAVA is required. The resulting PC1 image is shown below.

At this point, you are ready to proceed with the lab. During the lab, you will be asked to access your images from the student portal. Simply use the bookmarks on the portal to access the images, as you just did for PC1. You may open all your images concurrently, using the “open in new window” functionality, just like you did for PC1. Stay logged into the student portal and proceed on.

Good luck with the lab!

11


Exercise 1: Licensing and basic configuration of the 3850 The primary focus of this exercise is to utilize the correct licensing for this implementation of the 3850. This will be followed by setting basic parameters and enabling connectivity to both the network and GUI. You will accomplish this, as well as configure NTP, and prepare to enable the 3850 to act as a mobility controller. Section 1.1 Access the 3850 Switch and explore the licensing options The goal of this section is to license the 3850 for our specific needs given our scenario, and become familiar with the commands to view and change licensing. Begin by accessing the “PC1 JumpBox” image from the student portal (should be open). Log into PC1, using the default user “John Doe”, and a password of “cisco123”. Password: cisco123

Access the out of band (OoB) consoles shortcut, at the top left of the desktop on PC1.

12


Now, choose your “Pod Number” in the second drop down menu “Intro to 3850 GUI” for the content pack. Then, click the “Access Console Maps” button to the right. ***Note: This shortcut page is dynamically built based on your selection. It is crucial that the pod number selected is yours, or you will be unable to complete the lab.

Before moving on, make sure that your pod number is displayed at the top of the page. Click on the “3850 Switch” in the center of the picture. This will open the console window. ***Note: This shortcut webpage has been created for lab purposes only. These shortcuts simply connect you to the console port of each device represented.

13


In the resulting console window, hit “enter” until the “Would you like to enter the initial configuration dialog?” prompt appears. Enter the commands shown below to skip the initial configuration dialog and enter enable mode, and make sure that this is the only switch. (It is not part of a stack)

No Yes

en show switch

14


Enter the commands below to view the 3850’s current licensing.

show license right-to-use

show license right-to-use summary

Remove the current licensing on the 3850 for AP’s with the command shown below. (If needed; there may be none present.) The AP count “#” you must specify can be found in the show commands you just entered. Remove all current AP licenses, so we can replace them. ***Note: replace # in the command below with the number of current AP license count found in the 3850. Re-enter the previously shown command to find this number if needed.

license right-to-use deactivate apcount # slot 1

15


Enter the command shown below to make sure the AP licenses were removed. Once you have confirmed there are no active licenses on the 3850, activate 5 AP licenses as shown below. show license right-to-use summary

license right-to-use active apcount 5 slot 1 acceptEULA

Check to make sure the AP licenses took affect before moving on. Make sure 5 AP licenses are present. Then take a look at the active feature license on the 3850. show license right-to-use summary

16


***Note: The “lanbase” license does not support wireless functionality on the 3850. Now deactivate the current feature license in the 3850. In the below command exchange “feature***” for “lanbase”, “ipbase”, or “ipservices” depending on the above show command output.

license right-to-use deactivate feature*** all

license right-to-use activate ipbase all acceptEULA

The 3850 will display a message indicating as seen above, that a reboot is required to enact this change. Check the license level one more time, and then proceed with a reboot.

show license right-to-use summary

17


Take note of the “license level on reboot”, and make sure that on reboot the intended “ipbase” license is specified. The 3850 will always allow configurations of wireless and other features that require a higher license lever to work. Understand that just because the commands are present in the 3850, it does not mean they will take effect. ***Note: Both “ipbase” and “ipservices” support wireless. Lanbase does not, although the commands are present in CLI. Before reloading the 3850 to complete the licensing change, enter the command below to check the boot variables. The switch should be set to manual Boot. ***Note: For lab resets, the 3850 has been configured to stop at rommon. Do not alter the boot variable on the 3850. Show boot

Now reload the 3850 with the command shown below. reload

The reload process for the 3850 will take a few moments. The 3850 is built on the IOS-XE platform and will look a little different from classic IOS. When the 3850 reaches the “switch” prompt, enter the command below to boot the device. boot flash:packages.conf

18


When the 3850 is finished booting, enter enable mode. en

19


Confirm the new license level of “ipbase” after the reboot, and 5 “apcount” licenses, using the command below. show license right-to-use summary

Now that the 3850 has an “ipbase” and licensing for 5 aps, it is ready to support wireless configuration and WLANs. Q1.1: What are the three types of feature licenses on the 3850, and which ones support wireless?

20


Q1.2: What other two licenses are required to register access points with the 3850? Make sure you can answer both of these questions before moving on to the next section. It is critical to understand the licenses, and that all commands are present and configurable, even if the licenses required for them to work are not installed.

21


Section 1.2 Complete the basic configuration of the 3850 This section will cover configuring the 3850 for network access and reachability, followed by enabling GUI access. Before proceeding, take a look at the below layer 2 and layer 3 diagrams representing the current configured state of the network.

22


Now take a look at the final layer 2 and 3 diagrams to review the intended build.

23


Begin by configuring the L3 Handoff between the existing 3750 and the new 3850. Start by accessing the console of the 3850. Use the out of band (OoB) consoles on the desktop of PC1, just as before. Enter enable mode by submitting the command below. en

Configure the L3 link on the 3850 with the commands below. config t int g1/0/1

no switchport desc L3 link to 3750 ip address 10.1.101.2 255.255.255.0 no shut exit exit

24


Now access the console of the 3750, via the out of band (OoB) consoles, just like for the 3850. Log in with the credentials and enter the commands shown below to configure the 3750 side of the L3 link.

Username: admin Password: cisco123

Now configure the link to the 3850 with the following commands. en config t int fa1/0/8 no switchport desc L3 link to 3850 ip address 10.1.101.1 255.255.255.0 no shut exit exit

25


Test the new L3 link with pings from both sides. From the 3750 console, ping the 3850 with the command below. ping 10.1.101.2

Return to the 3850 console, and test connectivity to the 3750 side address with the following command. Do not proceed with the lab if either of these pings are unsuccessful. ping 10.1.101.1

26


Still on the console of the 3850, configure the following basic parameters.

config t hostname 3850-Switch

no ip domain-lookup ip routing ip domain-name example.com

***Note: On the 3850 and other IOS-XE devices, it is critical to enter the “ip routing” command in order to enable traffic passing through the device to be routed. If this command is missing from the configuration, the 3850 will successfully route its own traffic, but will drop all traversing traffic without a directly connected destination, even if a valid route is present in the routing table. Now configure encrypted passwords, a local user account, and configure timestamps and a server for logging. service password-encryption service timestamp log datetime show-timezone msec service timestamp debug datetime show-timezone msec logging trap debugging logging 10.1.20.254 enable secret cisco123 username admin priv 15 secret cisco123

27


Configure the VTP mode and name. Set the spanning tree mode, and specify the intended root bridge as this 3850. vtp mode transparent vtp domain example.com spanning-tree mode rapid-pvst spanning-tree vlan 1-500 priority 4096 errdisable recovery cause bpduguard

Configure console access. line con 0 logging synchronous

login local exec-timeout 60 0 privilege level 15

Configure Telnet and SSH access, followed by generating a crypto key.

line vty 0 15 logging sync login local exec-t 60 0 priv lev 15

transport input telnet ssh crypto key generate rsa modulus 1024

28


do show ip ssh (View the newly generated SSH key)

Exit and save the configuration. exit copy running-config startup-config

Check your work, and review the global running configuration in the 3850. Show run

29


30


31


***Note: The Gigabit Ethernet 0/0 interface in the 3850 is configured by default with a VRF named “Mgmt-vrf”. In this lab, we will not be utilizing the management interface, but be aware of this default.

32


33


34


At this point, we have configured the basics on the 3850. The 3850 has secure access, deliberate VTP and spanning tree configuration, and remote logging. Now configure access to the 3850 GUI with the following commands. config t ip http server exit

***Note: In order to access the GUI of the 3850, there are three prerequisite configurations that are required. The first is enabling the http server functionality, second is IP connectivity to the 3850, and the third is a local admin account. Now, before testing access to the 3850 GUI, attempt to ping the 3850 from the desktop of PC1. Open a console window from the desktop shortcut, and enter the following command. ping 10.1.101.2

35


The test pings to the 3850 have failed because there are no return routes from the device. Go back to the console of the 3850, and enter the following commands to configure a default route to the 3750.

config t ip route 0.0.0.0 0.0.0.0 10.1.101.1 exit copy running-config startup-config

36


Now that the 3850 has a return route for traffic via the 3750, test connectivity from the desktop of PC1, using a ping. ping 10.1.101.2

These pings should be successful. Do not continue in the lab until PC1 can successfully ping the 3850. To access the 3850 GUI, open a Firefox window from the desktop of PC1. Enter the following URL. https://10.1.101.2/wireless

https://10.1.101.2/wireless

37


On the resulting page, expand “I Understand the Risk”, and click on “Add Exception…” to continue to the 3850 GUI.

Click on “Confirm Security Exception” in the resulting window.

38


A login prompt will appear as shown below. This is where the local user account on the 3850 is required.

39


Enter the following username and password, and then click “OK” to access the 3850 GUI. Username: admin Password: cisco123

The resulting first page of the 3850 GUI is shown below.

At this point the 3850 has network access. The GUI is accessible from PC1, and the 3850 has a basic configuration.

40


***Note: In order to utilize the 3850 GUI as shown above, the 3850 must be running IOS-XE version 03.02.02SE as shown above in the display.

41


Section 1.3 Network Configurations on the 3850 This section will cover the CLI configuration of VLANs, SVIs, NTP to support the desired network topology and WLAN. Take a look again at this final layer 3 diagram of the intended network before beginning.

Access the console of the 3850 and log in, then enter enable mode. Use the out of band (OoB) consoles on the desktop of PC1. Enter the username and password as shown below, to access the 3850 console. Username: admin Password: cisco123

Begin by creating and naming the following VLANs on the 3850, by entering the commands as shown below.

42


config t vlan 225 name Corp-Wireless vlan 222 name Bldg2-APs exit exit

Check your work with the following command. show vlan

43


Configure respective SVIs for the VLANs we created above, with the commands below, to reflect the diagram. config t

int vlan 222 ip address 10.1.222.1 255.255.255.0 desc Bldg2-APs

exit int vlan 225 ip address 10.1.225.1 255.255.255.0 desc Corp-Wireless exit exit

Now check the SVI configuration with the below shown command. show ip int br

Configure a Loopback interface on the 3850 per the diagram. Enter the following commands on the 3850 console. config t

int lo 0 ip address 10.1.255.2 255.255.255.255 desc Primary Loopback – Do not change! exit exit

44


Check the configuration of this Loopback with a display command.

show run | begin Loopback0

Save the configuration. copy running-config startup-config

Access the console of the 3750 from the consoles page, and log in with the username and password shown below. Username: admin Password: cisco123

45


Configure routes to the 3850 for the three new subnets that were just created. Enter the following commands. config t ip route 10.1.222.0 255.255.255.0 10.1.101.2 ip route 10.1.225.0 255.255.255.0 10.1.101.2 ip route 10.1.255.2 255.255.255.255 10.1.101.2 exit

46


Return to the command line of the 3850, and configure the interface connecting to the access point. Use the following command to place the AP in VLAN 222, and add a description. Log back into the 3850 with the username and password, and enter configuration mode. Username: admin Password: cisco123 config t

From configure terminal, enter the commands below. int g1/0/24 desc AP connected in vlan 222 switchport mode access switchport access vlan 222 switchport no no shut exit exit

47


At this point, we have completed the needed configuration to support wireless via the CLI. Save the running configuration of the 3850 with a “wr mem”, and continue to the next Exercise.

48


Exercise 2: Configure the 3850 to support an AP via the GUI In exercise 2, you will configure the 3850 with two DHCP scopes, to connect the AP to the 3850, and support wireless user. Then configure the 3850 to support wireless via the GUI, and connect the AP.

Section 2.1 Configure DHCP scopes from the 3850 GUI In this section you will configure two DHCP scopes for VLANs 222 and 225 in the 3850 via the GUI; as well as review syslog information. Access the 3850 GUI and log in with the following information. This time, use the loopback address of the 3850 to connect to the GUI. https://10.1.255.2/wireless Username: admin Password: cisco123


49


Before proceeding with the DHCP configuration, access the domain controller and setup logging. Return to the Student Portal page, and select the DC.

50


Click on the “Send Ctrl-Alt-Del” button to reach the login prompt of the DC.

Log in using the credentials below. Username: administrator Password: cisco123

51


At the desktop of the DC, open the Kiwi Syslog Daemon, using the shortcut at the top left of the desktop.

This is where the messages from the 3850 and APs will be displayed when the registration process starts. You can return here later to review the messages, and is an excellent place to troubleshoot any problems with the lab from here on.

52


Return to the desktop of PC1 and the 3850 GUI.

Now from the home screen of the 3850 GUI, navigate to “Configuration>Controller”, to configure the two DHCP scopes.

53


On the resulting page shown below, navigate to “Internal DHCP Server>DHCP Scope” on the left hand side.

On the resulting page named “DHCP Scope”, click the “New” button near the top left.

54


On this page, enter the parameters listed below. DHCP Scope Name: BLDG2-APs Network: 10.1.222.0 Subnet Mask: 255.255.255.0 Lease Time Days (0-365): 1 Hours (0-23): 12 Minutes (0-59): 0 Default Routers Server 1: 10.1.222.1 DNS Domain Name: example.com Server 1: 10.1.20.254 The GUI DHCP page should appear as shown below.

55


Once the information is filled in, click on the “Apply” button at the top right of page.

The following message should be the result. Click the “OK” button.

After the message, the GUI will return to the DHCP Scope page, where the BLDG2-APs scope will be listed as shown below.

56


Navigate back to the home screen of the 3850 GUI by clicking on “Home” at the top left under the Cisco icon.

The resulting page is shown below. Take note of the current “Access Point Summary” counts. There are currently no APs registered.

57


At this point, the AP can receive an IP address from the 3850 DHCP scope, but will not be registered because the 3850 is not yet configured as a mobility controller. Navigate back to “Configuration>Controller”, to build a second DHCP scope for the WLAN clients.

From the “configuration>controller” page, click on “DHCP Scope” on the left under “Internal DHCP Server”.

Back at the “DHCP Scope” page, click the “New” button to build another scope.

58


On the resulting page, fill in the following information, to create a DHCP scope for the WLAN clients who will connect to the 3850. ***Note: Always follow best practices when configuring DHCP scopes for clients. The 3850 may not be the best place to do this based on customer requirements. It has been configured this way in the lab only to demonstrate the 3850 capabilities. DHCP Scope Name: Corp-Wireless Network: 10.1.225.0 Subnet Mask: 255.255.255.0 Lease Time Days (0-365): 1 Hours (0-23): 12 Minutes (0-59): 0 Default Routers Server 1: 10.1.225.1 DNS Domain Name: example.com Server 1: 10.1.20.254 The GUI DHCP page should appear as shown below. Click “Apply” when you are done, to complete the scope.

59


After clicking “Apply”, the message shown below should appear. Click “OK” to continue.

At this point in the lab, two DHCP scopes have been configured on the 3850 via the GUI. Make sure of this by reviewing the resulting “DHCP Scope” page. It should appear as shown below with two scopes listed.

60


Section 2.2 Configure the 3850 as a Mobility Controller In this section, you will configure the 3850 to support a WLAN by enabling mobility controller functionality. A 3850 must be a mobility controller in order to register APs and offer WLANs, unless it is registered with another Mobility controller.

From PC1, access the GUI of the 3850 if not already there, by navigating to the address below and logging in with the following credentials. https://10.1.255.2/wireless Username: admin Password: cisco123

From the “Home” page of the 3850 GUI that is displayed upon logging in, navigate to “Configuration>Controller”.


61


From the resulting page shown below, navigate to “Mobility Management>Mobility Global Config” on the left of the page.

On the resulting “Mobility Agent Configuration” page, expand the “Mobility Role” drop down at the top of the page, and select “Mobility Controller”.

62


With “Mobility Controller” selected from the “Mobility Role” dropdown, click the “Apply” button on the right of the page.

Upon clicking “Apply”, the message displayed below will appear. Read it carefully.

In order for the 3850 to change mobility roles, it will need to reboot. Before rebooting, you will need to save the current configuration. Click the “OK” button to accept the message. The following message will appear upon clicking “OK”.

Again, click “OK” to accept after reading it. At the top right of the GUI web page, click on the “Save Configuration” link.

63


Upon clicking the “Save configuration” link, the following message will appear. Click “OK” to save the 3850 current configuration.

After a moment, a conformation message will appear like the one shown below. Click “OK” to continue.

Now it is time to reload the 3850 to enable Mobility Controller functionality. Navigate in the 3850 GUI to “Configuration>Commands”.

64


On the resulting screen, click on “Reboot”; it will be under “Commands” on the left of the page.

On the “Reboot” page, notice the warning.

65


Click on the “Save and Reboot” button at the top left of the screen.

After clicking the button, the following message will appear. Click “OK” to save and reload the 3850.

It will take the 3850 a few moments to reboot, but for lab reset reasons the 3850 has been configured to stop at ROMMON. You will need to access the 3850 console via the consoles page and issue the following command to initiate a boot. boot flash:packages.conf

66


Once the 3850 has reached the login prompt, you can return to the GUI via the address below. You will need to close the old browser window, and open a new one. https://10.1.255.2/wireless


67


After accepting the certificate; log into the 3850 again with the following username and password. Username: admin Password: cisco123

After logging in, you will reach the 3850 GUI “Home” screen shown below.

68


This is one more configuration change that must be completed to enable the 3850 to register an AP. Access the 3850 CLI just as before and log in. Username: admin Password: cisco123

69


From the CLI, enter the folloing command, to view the current Mobility setup on the 3850. show wireless mobility summary

Take note that the IP is 169.254.1.1, which is the system default. This will need to become the BLDG2-APs VLAN 222 SVI in order to register the AP. Below is a section of the L3 diagram of the intended configuration. The 10.1.222.1 interface in VLAN 222 will need to be the wireless management interface in order to register the AP.

Configure this now with the CLI commands below. config t wireless management interface vlan 222 exit

70


Once again, enter the display command below, to confirm the configuration change.

show wireless mobility summary

At this point the 3850 is a “Mobility Controller”, and is using 10.1.222.1 as its Mobility IP. Return to the 3850 GUI, and review the “Home Page”. If it is still open, refresh the page by clicking on “refresh” link at the top right. If you need to reconnect, use the address below. https://10.1.255.2/wireless


71


Once you reach the “Home” page in the 3850 GUI, review the “Access point Summary” half way down on the left side.

There should now be “1” under “Access Point Summary”, meaning that the AP has registered with the 3850. To confirm this, navigate in the GUI to “Monitor>Wireless”.

72


On the resulting page shown below, will be an AP designated by its MAC address. Click on the address to view it in detail.

After clicking on the address, the following page will appear.

73


At this point the 3850 is configured as a Mobility Controller, and has successfully registered an AP. Continue to the next exercise.

74


Exercise 3: Configure and Test Corp WLAN on the 3850 In this exercise, you will configure a Corp-Wireless WLAN on the 3850 via the GUI, and test connectivity via PC2. The WLAN will be configured with a PSK and broadcast SSID. Section 3.1 Configure the WLAN In this section, you will configure a WLAN on the 3850 via the GUI. Begin by accessing the 3850 GUI. From PC1, go to the following address and log in with the username and password below. https://10.1.225.2/wireless Username: admin Password: cisco123

From the initial “Home” page in the 3850 GUI, navigate to “Configuration>Wireless”.


75


From the resulting page, navigate to “WLAN>WLANs” on the left side.

Once at the “WLANs” page shown below, click on “New”, to create a WLAN.

76


On the following page, enter the information below respectively, and click the “Apply” button when complete. WLAN ID: 1 (An Identifier in the configuration) SSID: Corp-Pod*-GUI (Make * YOUR POD NUMBER) Profile Name: Corp-Wireless (Name of WLAN in Configuration)

After clicking “Apply’, the following message will appear. Click “OK”.

The resulting page is shown below. Click on the new “Corp-Wireless” link in blue to configure it in detail.

77


The resulting page is shown below.

Take note of the “Interface/Interface Group(G)” parameter which is currently “Default”. This is the VLAN and corresponding SVI that the WLAN will service. Expand the dropdown, and select “Corp-Wireless” from the list.

78


Now that the intended network will service the WLAN, check the “Status” box, to enable the WLAN.

Once complete, click the “Apply” button at the top right of the screen.

Click the “OK” button to accept the conformation message.

79


Now navigate in the GUI, still under the WLAN, to the “Security” tab shown below.

The following screen is shown below.

For simplicity in this lab, the WLAN will be secured with a Pre-Shared Key (PSK). Select “PSK” from the “Auth Key Mgmt” dropdown. ***Note: The use of a PSK is not best practice and is utilized in the lab for simplicity. This is not an encouraged method for securing a production WLAN.

80


After selecting “PSK” from the dropdown, the page will change. The resulting page is displayed below.

In the box under “ASCII”, enter the following password for the WLAN. Password: cisco123

81


Once completed, click the “Apply” button on the top right of the page.

After clicking “Apply”, the message shown below will appear. Click “OK” to accept it.

At this point, the WLAN has the basic required configuration to enable client access and has been enabled. Now, save the 3850 configuration. Click the “Save Configuration” link at the top right of the page.

82


Click “OK” to save the 3850 current configuration.

Click “OK” to accept the resulting conformation message.

At this point, the Corp-Wireless WLAN is ready to test. Continue to the next section.

83


Section 3.2 Test Access to the Corp-Wireless WLAN In this section, you will test access to the Corp-Wireless WLAN on the 3850 from PC2. Begin by accessing PC2 from the student portal.

Log in with the following username and password. Username: Jane Doe (Already Filled In) Password: cisco123

84


Below is the desktop of PC2; click on the wireless icon. It is toward the bottom right, on the task bar.

In the resulting pop-up, select the wireless network that you created on the 3850. It should be named “Corp-Pod*-GUI” where * is your pod number.

Click the “Connect” button to access the wireless LAN.

85


In the resulting window, enter the key you set for the WLAN. Security key: cisco123

86


After a moment, PC2 should register and receive a DHCP address from the 3850. The wireless icon should look like the image below when the client has connected.

At this point, open a browser window using the desktop shortcut, and test internet access.

87


At this point, the first client has been able to successfully connect to the network via wireless. From this new browser window, access the 3850 GUI by entering the address shown below. https://10.1.255.2/wireless


88


Add the exception for the untrusted site and log into the 3850 GUI, using the following credentials. Username: admin Password: cisco123

89


The 3850 GUI home page should be displayed, as shown below.

There are two things to now take note of. First, on the right hand side of the page under “Top WLANs” is “Number of Clients”, where across from Corp-Wireless, you should see a count of 1. The second thing to note is from PC2, which is a WLAN client, you were able to access the 3850 GUI. In production it is recommended to restrict access to the 3850 GUI using an access list. Now navigate in the GUI to “Monitor>Clients” to view the details of PC2s connection.

90


On the resulting page, you should see one MAC address listed under “Clients”, as shown below. Click on the address to view the client details.

On the resulting page shown below, note that the client has received an IPv4 address in the 10.1.225.0/24 address space from the 3850 DHCP scope.

91


From this display, (May need to scroll to the left to see) you can also see through which AP the client connected, as well as a host of other information.

At this point the 3850 has been configured to support the Corp-Wireless WLAN, an AP has been registered, and the configuration has been tested with a client.

Congratulations. This completes the lab!

92


Appendix A: Answers to Exercise Questions Q1.1: How many Aps is the WLC licensed for, and for how long? The current license supports 15 access points and is non-expiring aka lifetime of the device. Q1.2: What other two licenses are required to register access points with the 3850? IPBase and IPservices. LAN Base does not support Wireless on the 3850.

93


Appendix B: Final Device Configurations Cisco 3850 Final Device Configuration ! ! Last configuration change at 02:42:36 UTC Fri Oct 4 2013 by admin ! version 15.0 no service pad service timestamps debug datetime msec show-timezone service timestamps log datetime msec show-timezone service password-encryption service compress-config ! hostname 3850-Switch ! boot-start-marker boot-end-marker ! ! vrf definition Mgmt-vrf ! address-family ipv4 exit-address-family ! address-family ipv6 exit-address-family ! logging console emergencies enable secret 4 1wLgDhbOLsU0GdsP0B9e5YU2KA7gxZujqOLWf0j48q6 ! username admin privilege 15 secret 4 1wLgDhbOLsU0GdsP0B9e5YU2KA7gxZujqOLWf0j48q6 no aaa new-model switch 1 provision ws-c3850-24p ip routing ! no ip domain-lookup ip domain-name example.com ip device tracking ! ip dhcp pool BLDG2-APs

94


network 10.1.222.0 255.255.255.0 dns-server 10.1.20.254 default-router 10.1.222.1 domain-name example.com lease 1 12 ! ip dhcp pool Corp-Wireless network 10.1.225.0 255.255.255.0 dns-server 10.1.20.254 default-router 10.1.225.1 domain-name example.com lease 1 12 ! ! qos wireless-default-untrust vtp domain example.com vtp mode transparent ! crypto pki trustpoint TP-self-signed-3617301112 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-3617301112 revocation-check none rsakeypair TP-self-signed-3617301112 ! ! crypto pki certificate chain TP-self-signed-3617301112 certificate self-signed 01 nvram:IOS-Self-Sig#22.cer ! ! ! ! ! errdisable recovery cause bpduguard diagnostic bootup level minimal identity policy webauth-global-inactive inactivity-timer 3600 ! spanning-tree mode rapid-pvst spanning-tree extend system-id spanning-tree vlan 1-500 priority 4096 ! redundancy mode sso !

95


! vlan 222 name Bldg2-Aps ! vlan 225 name Corp-Wirelss ! ! class-map match-any non-client-nrt-class match non-client-nrt ! policy-map port_child_policy class non-client-nrt-class bandwidth remaining ratio 10 ! ! ! ! ! ! interface Loopback0 description Primary Loopback - Do not change! ip address 10.1.255.2 255.255.255.255 ip mtu 1500 ! interface GigabitEthernet0/0 vrf forwarding Mgmt-vrf no ip address negotiation auto ! interface GigabitEthernet1/0/1 description L3 link to 3750 no switchport ip address 10.1.101.2 255.255.255.0 ! interface GigabitEthernet1/0/2 ! interface GigabitEthernet1/0/3 ! interface GigabitEthernet1/0/4 ! interface GigabitEthernet1/0/5 ! interface GigabitEthernet1/0/6

96


! interface GigabitEthernet1/0/7 ! interface GigabitEthernet1/0/8 ! interface GigabitEthernet1/0/9 ! interface GigabitEthernet1/0/10 ! interface GigabitEthernet1/0/11 ! interface GigabitEthernet1/0/12 ! interface GigabitEthernet1/0/13 ! interface GigabitEthernet1/0/14 ! interface GigabitEthernet1/0/15 ! interface GigabitEthernet1/0/16 ! interface GigabitEthernet1/0/17 ! interface GigabitEthernet1/0/18 ! interface GigabitEthernet1/0/19 ! interface GigabitEthernet1/0/20 ! interface GigabitEthernet1/0/21 ! interface GigabitEthernet1/0/22 ! interface GigabitEthernet1/0/23 ! interface GigabitEthernet1/0/24 description AP connected in VLAN 222 switchport access vlan 222 switchport mode access ! interface GigabitEthernet1/1/1 ! interface GigabitEthernet1/1/2 !

97


interface GigabitEthernet1/1/3 ! interface GigabitEthernet1/1/4 ! interface TenGigabitEthernet1/1/1 ! interface TenGigabitEthernet1/1/2 ! interface TenGigabitEthernet1/1/3 ! interface TenGigabitEthernet1/1/4 ! interface Vlan1 no ip address shutdown ! interface Vlan222 description Bldg2-APs ip address 10.1.222.1 255.255.255.0 ! interface Vlan225 description Corp-Wireless ip address 10.1.225.1 255.255.255.0 ! ip http server ip http authentication local ip http secure-server ip route 0.0.0.0 0.0.0.0 10.1.101.1 ! ! logging trap notifications logging 10.1.20.254 ! ! ! line con 0 exec-timeout 60 0 privilege level 15 logging synchronous login local stopbits 1 line aux 0 stopbits 1 line vty 0 4

98


exec-timeout 60 0 privilege level 15 logging synchronous login local transport input telnet ssh line vty 5 15 exec-timeout 60 0 privilege level 15 logging synchronous login local transport input telnet ssh ! wsma agent exec profile httplistener profile httpslistener wsma agent config profile httplistener profile httpslistener wsma agent filesys profile httplistener profile httpslistener wsma agent notify profile httplistener profile httpslistener ! wsma profile listener httplistener transport http ! wsma profile listener httpslistener transport https wireless mobility controller wireless management interface Vlan222 wlan Corp-Wireless 1 Corp-Pod1-GUI client vlan Corp-Wirelss no security wpa akm dot1x security wpa akm psk set-key ascii 0 cisco123 session-timeout 1800 no shutdown ap dot11 24ghz rrm channel dca 1 ap dot11 24ghz rrm channel dca 6 ap dot11 24ghz rrm channel dca 11 ap dot11 5ghz rrm channel dca 36 ap dot11 5ghz rrm channel dca 40 ap dot11 5ghz rrm channel dca 44

99


ap dot11 5ghz rrm channel dca 48 ap dot11 5ghz rrm channel dca 52 ap dot11 5ghz rrm channel dca 56 ap dot11 5ghz rrm channel dca 60 ap dot11 5ghz rrm channel dca 64 ap dot11 5ghz rrm channel dca 149 ap dot11 5ghz rrm channel dca 153 ap dot11 5ghz rrm channel dca 157 ap dot11 5ghz rrm channel dca 161 ap group default-group end

introduction to 3850 gui - lab guide v2.5

Documents

test network access

access lab pod

access points

wireless configuration

prototype network

wireless capabilities

wireless environment

unified access switch