Describe Layer 1 concepts, such as RF power, RSSI, SNR, interference noise,band and channels, and wireless client devices capabilities
SNR (Signal-to-Noise Ratio) is a ratio based value that evaluates your signal based on the noise being seen.SNR is comprised of 2 values and is measured as a positive value between 0db and 120db and the closer it is to 120db the better: signal value and noise value typically these are expressed in decibels (db).
RSSI (Received signal strength indication) will look at the Signal (Also known as RSSI) first this value is measured in decibels from 0 (zero) to -120 (minus 120) now when looking at this value the closer to 0 (zero) the stronger the signal is which means it's better, typically voice networks require a -65db or better signal level while a data network needs -80db or better.
Normal range in a network would be -45db to -87db depending on power levels and design; since the signal is affected by the APs transmit power & antenna as well as the clients antenna.
Signal strength (RSSI, “signal strength”, Signal/Noise Ratio.) It’s generally best to focus on RSSI
EIRP (Effective Isotropic Radiated Power) is the actual amount of signal leaving the antenna and is a value measured in db that is based on 3 things: Transmit Power (db), Cable Loss (db), & Antenna Gain (dbi). To determine EIRP follow this equation: Transmit Power - Cable Loss + Antenna Gain = EIRP.
EXAMPLE: We have a AP 124 access points running at full power with a 6dbi antenna on the 802.11a radio and a 2.5dbi antenna on the 802.11bg radio.
802.11a EIRP = 17db (40mw) - 0db + 6dbi = 23db = 200mw of actual output power
802.11bg EIRP = 20db (100mw) - 0db + 2.5dbi = 22.5db = 150mw (approx.) of actual output power, based on the example above in theory if you were to measure it right at the antenna you could get an RSSI of -23 or -22.5 respectively.
Free Space Path Loss is a measure of how much signal power you lose over a given distance typically you lose about 0.020 db per foot in an outdoor or wide open office; doors, walls, glass, and etc. affect this. This is why as you walk away from an AP your signal gets weaker.
Describe AP modes and antenna types
Cisco dCloud content include support for wireless clients and devices. Wireless connectivity is provided by Cisco Access Points (APs). Client connectivity to the AP is determined by how the AP is configured.
Access Point Mode of Operation: A Cisco Access Point (AP) is configured to operate in either lightweight mode or autonomous mode.
LAP (Lightweight AP Protocol [LWAPP]): A Cisco LAP is part of the Cisco Unified Wireless Network architecture. An LAP is an AP designed to be connected to a wireless LAN controller (WLC). The WLC manages the AP configurations and firmware; therefore, the LAP cannot act independently of a WLC. This mode is sometimes called controller-based. Enterprise Networking and Security content require lightweight mode.
Autonomous AP: A Cisco IOS Software-based AP that functions independently of a WLC. This mode is sometimes called standalone. Collaboration and Customer Collaboration content require autonomous mode.
Access Point Connectivity: A Cisco AP can be included in most Cisco dCloud sessions. Cisco dCloud supports three (3) types of AP connectivity:
Embedded: The AP is integrated into the router chassis. The 819W is a common example of this type of connection.
AP behind an endpoint router: The AP is a separate physical unit connected to an Ethernet port on a Cisco dCloud configured router.
AP only: The AP is a separate physical unit connected to the network through some other means.
Note: When you are deploying the AP on your network, you must decide what mode you want to run. If you are dealing with a single location, a small office or home network, autonomous mode is recommended. If you are setting up a wireless network for a larger office space that requires more than 3 access points locally or remotely across multiple geographic locations, deploying in Lightweight mode is recommended.
On a lightweight AP, the MAC function is divided between the AP hardware and the wireless LAN controller (WLC). Therefore, the architecture is known as split-MAC.
Split-MAC Architecture: The LAP-WLC division of labor is known as a split-MAC architecture, where the normal MAC operations are pulled apart into two distinct locations. This occurs for every LAP in the network; each one must boot and bind itself to a WLC to support wireless clients. The WLC becomes the central hub that supports a number of LAPs scattered about in the network. The two devices must use a tunneling protocol between them, to carry 802.11-related messages and also client data. Remember that the AP and WLC can be located on the same VLAN or IP subnet, but they do not have to be. Instead, they can be located on two entirely different IP subnets in two different locations.
By default, a controller has a limited initial configuration, so no WLANs are defined. Before you create a new WLAN, the following parameters it will need to have:
SSID string
Controller interface and VLAN number
Type of wireless security needed
Describe access point discovery and join process (discovery algorithms, WLC selection process)
The switch interfaces feeding a WLC should be configured as trunk links. Some WLCs need a single interface, others have several interfaces that should be bundled into a single EtherChannel. The WLC shown in Figure has a four-interface Gigabit EtherChannel. Note that we need to use the command "channel-group 1 mode on" because the WLC cannot negotiate an EtherChannel. Therefore, we cannot use other options like "desirable".
The EtherChannel also provides link redundancy. If one of the bundled links fail, the traffic through the failed link is distributed to other working links in the channel. The failover is transparent to the end user. Similarly traffic again flows through the restored link, as and when a link is restored.
Because the network is built with a WLC and LAPs, CAPWAP tunnels are required. One CAPWAP tunnel connects each LAP to the WLC, for a total of 32 tunnels. CAPWAP encapsulates wireless traffic inside an additional IP header, so the tunnel packets are routable across a Layer 3 network. That means the LAPs and WLC can reside on any IP subnet as long as the subnets are reachable. There is no restrictions for the LAPs and WLC to lie on the same Layer 2 VLAN or Layer 3 IP subnet.
An LAP builds a CAPWAP (Control and Provisioning of Wireless Access Points protocol) tunnel with a WLC. The CAPWAP tunneling allows the AP and WLC to be separated geographically and logically. CAPWAP communications between the controller and lightweight access points are conducted at Layer 3. Layer 2 mode does not support CAPWAP.
CAPWAP (Control and Provisioning of Wireless Access Points): CAPWAP encapsulates the data between LAP and WLC within new IP packets. The tunneled data is then switched or routed over a campus network.
CAPWAP control messages:They are used to configure the AP and manage its operation. The control messages are authenticated and encrypted so the AP is securely controlled by only the appropriate WLC,then transported over the control tunnel. Only the CAPWAP(Control and Provisioning of Wireless Access Points) control tunnel is secured by default. Client data passes over the CAPWAP data tunnel, but is optionally encrypted. DHCP requests are client data and are not encrypted by default. Finally, 802.11 beacons are sent over the air from an LAP, so they are not encrypted or transported by CAPWAP.
In a converged design, an access layer switch also functions as a WLC so that all user access (wired and wireless) converges in a single layer. Catalyst 3650, 3850, and 4500 offer converged wireless capability.
Wireless Controller ports are physical connections to the switched network infrastructure. Controller Ports are the physical ports of the device. The following are the most important Controller physical ports.
Service Port (SP):Used for initial boot function, system recovery and out of band management. If you want to configure the controller with GUI you need to connect your computer with service port.
Redundancy Port (RP): This port is used to connect another controller for redundant operations.
Distribution Ports: These ports are used for all Access Points and management traffic. A Distribution Port connects to a switch port in trunk mode. 4400 series controllers have four distribution ports and 5500 series controllers have eight distribution ports.
Console port: Used for out-of-band management, system recovery and initial boot functions.
Describe the main principles and use cases for Layer 2 and Layer 3 roaming
Mobility, or roaming, is a wireless LAN client’s ability to maintain its association seamlessly from one access point to another securely and with as little latency as possible.
Layer2 Roaming:Layer 2 roaming, which occurs when the wireless LAN interfaces of the controllers are on the same IP subnet. When the client associates to an access point joined to a new controller, the new controller exchanges mobility messages with the original controller, and the client database entry is moved to the new controller. New security context and associations are established if necessary, and the client database entry is updated for the new access point. This process remains transparent to the user.
Layer3 Roaming:Layer 3 roaming, which occurs when the wireless LAN interfaces of the controllers are on different IP subnets. Layer 3 roaming is similar to Layer 2 roaming in that the controllers exchange mobility messages on the client roam. However, instead of moving the client database entry to the new controller, the original controller marks the client with an “Anchor” entry in its own client database. The database entry is copied to the new controller client database and marked with a “Foreign” entry in the new controller. The roam remains transparent to the wireless client, and the client maintains its original IP address.
Guidelines and Restrictions
If the management VLAN of one controller is present as a dynamic VLAN on another controller, the mobility feature is not supported.
If a client roams in web authentication state, the client is considered as a new client on another controller instead of considering it as a mobile client.
When the primary and secondary controller fail to ping each other’s IPv6 addresses, and they are in the same VLAN, you need to disable snooping to get the controller to ping each other successfully.
Cisco Wireless Controllers (that are mobility peers) must use the same DHCP server to have an updated client mobility move count on intra-VLAN.
Troubleshoot WLAN configuration and wireless client connectivity issues
Management interface: Used for normal management traffic, such as RADIUS user authentication, WLC-to-WLC communication, web-based and SSH sessions, SNMP, Network Time Protocol (NTP), syslog, and so on. The management interface is also used to terminate CAPWAP tunnels between the controller and its Aps.
Virtual interface: IP address facing wireless clients when the controller is relaying client DHCP requests, performing client web authentication, and supporting client mobility.
Service port interface: Bound to the service port and used for out-of-band management.
Dynamic interface: Used to connect a VLAN to a WLAN.
Describe Network Time Protocol (NTP)
This is an example of output from the "show ntp status" command:
SW01#show ntp status Clock is synchronized, stratum 2, reference is 10.4.2.254 nominal freq is 250.0000 Hz, actual freq is 250.5320 Hz, precision is 2**18 reference time is D36968F7.7E3019A9 (02:12:07.492 UTC Fri Mar 05 2020) <output omitted>
From the above output, we know that the IP address of the reference is 10.4.2.254 and that the Switch SW01 has synchronized with the reference.
Configure and verify NAT/PAT
Note that the packets leaving port S0 on the NAT router should have global IP addresses. The source IP address should be within the pool allocated. In this case, only one IP address is allocated with "overload" command. Hence, the public IP 200.200.1.1 will be used as the source IP address for a packet leaving the NAT router.
The correct syntax for enabling dynamic NAT to translate many inside hosts to an inside global IP address is:
ip nat inside source list < access-list-number > pool < pool-name > overload
where < access-list-number > is the standard access list number, and < pool-name > is the pool name.
Note that the option 'overload' specifies many to one relationship.This configuration is typically used when many hosts with private IP addresses need to access Internet through a specified globally unique IP address.
Given below are the four important forms of NAT (Network Address Translation):
Static NAT: It is a one-to-one mapping between an unregistered IP address and a registered IP address. Static NAT maps an unregistered IP address to registered IP (globally unique) addresses on one-to-one basis.
The command used for this purpose is: ip nat inside source static < local-ip > < global-ip >
where, < local-ip > is the local IP address assigned to a host on the inside network.
< global-ip > is the globally unique IP address of an inside host as it appears to the outside world.
Dynamic NAT: Usually, Dynamic NAT is implemented, where a pool of public IP addresses is shared by an entire private IP subnet. When a private host initiates a connection, a public IP address is selected. The mapping of the computer's non-routable IP address matched to the selected IP address is stored in the NAT Table. As long as the outgoing connection is maintained, the private host can be reached by incoming packets sent to the specified public address. When the binding expires, the address is returned to the pool for reuse. Dynamic NAT maps an unregistered IP address to a registered (globally unique) IP address from a group of registered (globally unique) IP addresses.
Overloading: A variation of Dynamic NAT, also known as Network Address Port Translation (NAPT) maps multiple unregistered IP addresses to a single registered IP address by multiplexing streams differentiated by the TCP/UDP port number. A special case of dynamic NAT that maps multiple unregistered IP addresses to a single registered (globally unique) IP address by using different port numbers. Dynamic NAT with overloading is also known also as PAT (Port Address Translation).
Overlapping - This occurs when your internal IP addresses belong to global IP address range that belong to another network. In such case, the internal IP addresses need to be hidden from the outside network to prevent duplication. NAT overlapping allows the use of internal global addresses by mapping them to globally unique IP addresses using static or dynamic NAT. When Overlapping is employed, the IP addresses used on the internal network are registered IP addresses utilized on another network. To avoid conflict, a NAT Table is built to translate these redundant internal addresses to a unique IP address. Vice versa, when sending packets into the private network, the registered addresses must be translated to an address unique in the network.
Enable dynamic NAT on an interface include the following:
1. Defining a standard IP access-list using the command: access-list < access-list-number > {permit | deny} < local-ip-address >
2. Defining an IP NAT pool for the inside network using the command: ip nat pool < pool-name > < start-ip > < end-ip > {netmask < net-mask > | prefix-length < prefix-length >} [type-rotary]
Note that type-rotary is optional command. It indicates that the IP address range in the address pool identifies hosts among which TCP load is distributed.
3. Mapping the access-list to the IP NAT pool by using the command: ip nat inside source list < access-list-number > pool < pool-name >
4. Enabling NAT on at least one inside and one outside interface using the command: ip nat {inside | outside}
Configure first hop redundancy protocols, such as HSRP and VRRP
The command: standby < group-number > preempt is used to force an interface to resume Active router state. Note that the priority of the router should be higher than the current Active router.
The correct command syntax for configuring a router as a member of an HSRP standby group is: R(config-if)#standby < group-number > ip < virtual-ip-address >
For group number 45 and virtual IP address of 192.32.16.5, the command is: R(config-if)#standby 45 ip 192.32.16.5
All routers in an HSRP standby group can send and/or receive HSRP message. Also, HSRP protocol packets are addressed to all-router address (224.0.0.2) with a TTL of 1. Note that the HSRP messages are encapsulated in the data portion of UDP packets.
An HSRP router status can be displayed by using the command: RouterA# show standby
The above command displays the router priority, state (active/standby), group number among other things.
Also, to enable HSRP debugging, use the command: RouterA# debug standby
To disable debugging, use the command: no debug standby
1. HSRP: Hot Standby Router Protocol (HSRP): HSRP is a Cisco proprietary protocol that offers router redundancy. Here one router is elected as active router, and another router is elected as standby router. All other routers are put in listen HSRP state. HSRP messages are exchanges using multicast destination address 244.0.0.2 to keep a router aware of all others in the group.
2. Virtual Router Redundancy Protocol (VRRP): VRRP is very similar to HSRP. VRRP is a standards based protocol and defined in RFC 2338. VRRP sends advertisements to multicast destination address 244.0.0.18 using IP protocol.
3. Gateway Load Balancing Protocol (GLBP): GLBP overcomes some of the limitations of HSRP/VRRP. Here, instead of just one active router, all routers in the group can participate and offer load balancing.
4. Server Load Balancing (SLB): SLB provides a virtual server IP address to which client machines can connect. The virtual server, in turn, is a group of real physical servers arranged in a server farm.
HSRP authentication is carried out in clear text.
Given below are the important characteristics of Virtual Router Redundancy Protocol (VRRP):
a. VRRP advertisements are sent at 1-second intervals.
b. VRRP has no mechanism for tracking interfaces to allow more capable routers to take over the master role.
c. Router priorities range from 1 to 254.
d. The default VRRP router priority is 100
e. The Virtual Router Redundancy Protocol (VRRP) is a standards-based protocol
f. The router with highest priority is called Master router
The multicast address 224.0.0.18 is used by VRRP to send advertisements. It uses IP protocol 112.
Contrast this with HSRP that uses multicast address 224.0.0.3 UDP port 1985 for sending its hello messages.
The default HSRP standby priority is 100. If the standby priorities of routers participating in HSRP are same, the router with the highest IP address becomes the Active router.
Within the standby group of routers, the router with the highest standby priority in the group becomes the active router. For example, a router with a priority of 100 will become active router over a router with a priority of 50. The active router forwards packets sent to the virtual router. It maintains its active state by using Hello messages.
Each router in a standby group can be assigned a priority value. The range of priority values is between 0 and 255 (including 0 and 255). The default priority assigned to a router in a standby group is 100. The router with numerically higher priority value will become Active router in the HSRP standby group.
The command used to set the router's priority in standby group is: R(config-if)# standby <group-number > priority <priority-value >.
HSRP, or Hot Standby Routing Protocol, is a Cisco proprietary protocol that allows two or more routers to work together to represent a single virtual IP address to the end-user. Among the HSRP configured routers, one will work as Active and the others (one or more) work as Standby routers. The Active and Standby routers are determined by a set of rules. Only the virtual IP address that was created within the HSRP configuration along with a virtual MAC address is known to other hosts on the network. Hosts will use the virtual IP address as their default gateway. The active router will respond to ARP requests for the virtual IP with the virtual MAC address.
When an Active router fails in HSRP environment, Standby router assumes the Active router role. This new Active router will remain as Active router even if the failed Active router comeback to service, irrespective of the priority levels.
To enable the previous Active router to resume its activity as Active router by taking over the role from a lower priority Active router, use the command: Rtr(config-if)# standby < group-number > preempt
Hot Standby Router Protocol (HSRP) and Virtual Router Redundancy Protocol (VRRP), which were introduced before Gateway Load Balancing Protocol (GLBP), balance the packet load per subnet.
Gateway Load Balancing Protocol (GLBP) is a Cisco proprietary solution for redundancy and load balancing in an IP network. GLBP allow automatic selection and simultaneous recovery from first hop router failures. GLBP provides load balancing over multiple (router) gateways using a single virtual IP address and multiple virtual MAC addresses. Each host is configured with the same virtual IP address, and all routers in the virtual router group participate in forwarding packets.
HSRP stands for Hot Standby Routing Protocol. The following are members of HSRP group:
1. Virtual router: virtual router is what is seen by the end user device. The virtual router has its own IP and MAC addresses.
2. Active router: Forwards packets sent to the virtual router. An active router assumes the IP and MAC addresses of the virtual router.
3. Standby router: Standby router monitors the state of HSRP by using Hello massages. It assumes the role of Active router, should the current Active router fail.
Image router does not exist and is not a part of HSRP group.
The following are true about Virtual Router Redundancy protocol (VRRP):
1. VRRP will have one master router, and all other routers are in the backup state.
2. VRRP router priorities range from 1 to 254. By default, the priority is set to 100. 254 is the highest priority.
3. The MAC address of the virtual router is of the form 0000.5e00.01xx, where xx is the VRRP group number in the range 0 to 255 or 0 to ff hex.
4. The interval for VRRP advertisements is 1 second by default.
5. All VRRP routers are configured to preempt the current master router by default. The router priority should be highest for the preemption to occur.
Describe multicast protocols, such as PIM and IGMP v2/v3
There are currently five PIM operating modes:
PIM Dense Mode (PIM-DM)
PIM Sparse Mode (PIM-SM)
PIM Sparse Dense Mode
PIM Source Specific Multicast (PIM-SSM)
PIM Bidirectional Mode (Bidir-PIM)
PIM routers can be configured for PIM Dense Mode (PIM-DM) when it is safe to assume that the receivers of a multicast group are located on every subnet within the network -in other words, when the multicast group is densely populated across the network.
PIM is a multicast routing protocol that routes multicast traffic between network segments. PIM can use any of the unicast routing protocols to identify the path between the source and receivers.
PIM Distribution Trees: Multicast routers create distribution trees that define the path that IP multicast traffic follows through the network to reach the receivers. The two basic types of multicast distribution trees are source trees, also known as shortest path trees (SPTs),and shared trees.
There are 3 versions of IGMP, IGMPv1 is old and rarely used. IGMPv2 is common in most multicast networks, and IGMPv3 used by SSM.
In IGMPv2, when a receiver sends a membership report to join a multicast group, it does not specify which source it would like to receive multicast traffic from. IGMPv3 is an extension of IGMPv2 that adds support for multicast source filtering, which gives the receivers the capability to pick the source they wish to accept multicast traffic from. IGMPv3 is designed to coexist with IGMPv1 and IGMPv2.
IGMPv3 supports all IGMPv2's IGMP message types and is backward compatible with IGMPv2. The differences between the two are that IGMPv3 added new fields to the IGMP membership query and introduced a new IGMP message type called Version 3 membership report to support source filtering.
IGMPv3 is enabled by using the following command: Device(config-if)# ip igmp version 3
Enables IGMPv3 on this interface. The default version of IGMP is IGMP version 2. Version 3 is required by SSM.
Note: IGMPv3 is used to provide source filtering for Source Specific Multicast (SSM).
Internet Group Management Protocol (IGMP): IGMP snooping constrains the flooding of IPv4 multicast traffic on VLANs on a device. With IGMP snooping enabled, the device monitors IGMP traffic on the network and uses what it learns to forward multicast traffic to only the downstream interfaces that are connected to interested receivers. The device conserves bandwidth by sending multicast traffic only to interfaces connected to devices that want to receive the traffic, instead of flooding the traffic to all the downstream interfaces in a VLAN
Benefits of IGMP Snooping
Optimized bandwidth utilization:IGMP snooping's main benefit is to reduce flooding of packets. The device selectively forwards IPv4 multicast data to a list of ports that want to receive the data instead of flooding it to all ports in a VLAN.
Multicast communication is a technology that optimizes network bandwidth utilization and conserves system resources. It relies on Internet Group Management Protocol (IGMP) for its operation in Layer 2 networks and Protocol Independent Multicast (PIM) for its operation in Layer 3 networks.
Internet Group Management Protocol (IGMP):Used by a host to notify the local router that it wishes to receive (or stop receiving) multicast traffic for a given destination address or "group". 2. RFC 2236 specifies version 2 of IGMP and RFC 3376 specifies version 3 of IGMP
Protocol Independent Multicast(PIM) Used by a router to notify an upstream router that it wishes to receive (or stop receiving) multicast traffic for a given group (G).
Open Shortest Path First(OSPF):Open Shortest Path First (OSPF) is a routing protocol for Internet Protocol (IP) networks. It uses a link state routing (LSR) algorithm and falls into the group of interior gateway protocols (IGPs), operating within a single autonomous system (AS). It is defined as OSPF Version 2 in RFC 2328 .
Auto-RP is a Cisco proprietary mechanism that automates the distribution of group-to-RP mappings in a PIM network.
BSR (Bootstrap) is similar to Cisco's AutoRP, it's a protocol that automatically find the RP (Rendezvous Point) in multicast network. BSR however, is a standard and included in PIMv2, unlike AutoRP which is a Cisco proprietary protocol.
In an OSPF network, when a packet need to traverse from one area to another area to reach its destination, it is routed as below:
Source Area > Source ABR -> Backbone Area -> Destination ABR -> Destination Area Routers
Cost is a number from 1 to 65535 that indicates the metric assigned to the interface.
The cost of external route depends on the configuration of ASBR. There are two external packet types possible.
1.Type 1 (E1) - Here the metric is calculated by adding the external cost to the internal cost of each link that the packet crosses.
2.Type 2 (E2): E2 is the default route type for routes learned via redistribution.
