Migrate Cisco standalone APs to a controller-based solution

Earlier this week I had to migrate a lot of standalone APs to a brand new WLC. Like all real IT guys and gals, I hate doing a manual task more than twice in a row. So this is what I did to make this hell of a job suck a little less…

This customer already had all the standalone access-points in the management tool "Kiwi CatTools", which pulls a backup of the running-configuration every night… nice 😀

0. Run a task to gather the base MAC address of all the access-points; you are going to need those later to figure out which access-point is which once they all connect to the controller.
1. Upload the .tar file to the TFTP directory inside the "CatTools" directory in Program Files.
2. Create a new task to push the following line of configuration to all the access-points:
copy tftp://x.x.x.x/load.tar flash:/
This step is going to take a while, depending on how many APs there are and the bandwidth between the APs and the controller. In my case it was almost a DDoS attack on the server because of the many simultaneous incoming connections, but the CatTools TFTP daemon didn't seem bothered.. 🙂
3. Install the software on the APs with a new task:
archive download-sw flash:/load.tar
This step is going to take a while as well, at least 5 minutes.
4. Here comes the tricky part. If you want the access-points to join the controller based on a DHCP option, you have to make sure that all the static IPv4 information is flushed. This information is not removed by a simple "write erase", so watch out! I created a new task with the following commands:
reload in 1
y
conf t
interface bvi xx
ip address dhcp

5. After the reload kicks in, the access-point will use DHCP option 43 (or one of the other discovery methods) to find the WLC and try to join it.

Notes
– Make sure that you have the option "answer yes to questions" enabled in all of the tasks in CatTools.
– Repeat steps 1 to 3 for each type of access-point you have in your environment.
– Pick the new access-point software carefully; choose a release as close as possible to the release running on the WLC.

I love automation… 😀

CCNP: TSHOOT rocks!

Never in my life have I left a testing facility with a smile as big as the one I had on 16 August last year. It was just minutes after I received my score on the Cisco CCNP Troubleshoot (TSHOOT) exam. It was the magic 1000 points, incredibly high! Not that a lower score would have mattered; the reason behind the smile was the fun I had answering the tickets. All the pain of taking the CCNP ROUTE exam twice earlier that year suddenly disappeared.. 🙂

Cisco did a very good job creating this exam. I have to troubleshoot a lot in my daily work, so for me troubleshooting is second nature. However, I do have a few recommendations to make it even more fun:
– Create a few tickets where more than one thing is broken; stuff like that happens in the real world!
– I missed the option "it is not the network, it is the server..". It sounds like a joke, but being able to look into the network traffic and spot a TCP reset coming from the server could prove a configuration failure on the server. (Yes, that kind of proof is sometimes necessary…)
– Where was the option "It is an IOS bug, create a TAC case"? 😉

Cisco Aironet 1600/2600/3600 AP back on track from rommon

Since Cisco is lacking documentation on this subject at this point, I figured it would be handy to write down the (few) steps needed to get a 1600/2600/3600 AP that is stuck in rommon back on track (autonomous or controller-based).

So here you have it… 🙂

ap: set IP_ADDR 192.168.1.2
ap: ether_init
ap: tftp_init
ap: tar -xtract tftp://192.168.1.1/ap3g2-k9w7-tar.152-2.JA.tar flash:
ap: set BOOT flash:/ap3g2-k9w7-mx.152-2.JA/ap3g2-k9w7-mx.152-2.JA
ap: boot

Cisco ASAs and HTTP / L7 inspection

With a Cisco ASA you can open up HTTP network traffic, inspect it at layer 7 and even block websites if you want to. Remember that this only works for unencrypted traffic; if you want to inspect encrypted traffic you need a solution that can perform a MITM (Man In The Middle) on the TLS session.

Here you have a very simple example where the Dutch website "autoblog.nl" is blocked for clients in VLAN 10 with an IPv4 address in the 192.168.10.0/24 network.

regex URL-AUTOBLOG.NL ".autoblog.nl"
access-list ACL-CMAP-VLAN10-HTTP extended permit tcp 192.168.10.0 255.255.255.0 any eq www
!
class-map type regex match-any CMAP-REGEX-HTTP
 match regex URL-AUTOBLOG.NL
!
class-map CMAP-VLAN10-HTTP
 match access-list ACL-CMAP-VLAN10-HTTP
!
policy-map type inspect http PMAP-VLAN10-HTTP
 parameters
 match request header host regex class CMAP-REGEX-HTTP
  reset log
!
! Layer 3/4 policy-map that applies the HTTP inspection to the class
! (added to complete the snippet; PMAP-VLAN10 is the name the service-policy references)
policy-map PMAP-VLAN10
 class CMAP-VLAN10-HTTP
  inspect http PMAP-VLAN10-HTTP
!
service-policy PMAP-VLAN10 interface VLAN10
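To see what the Host-header regex above actually catches, here is a small Python model of the policy (an added example, not ASA code and not from the original post): it applies the same L3/L4 selection and Host match to a few constructed requests and compares the page's pattern with a tighter anchored one. STRICT_REGEX is my suggestion, not from the page, and helper names such as verdict and make_request are mine.

```python
import ipaddress
import re

# Model of the page's ASA policy (added example, not ASA code): the Layer 3/4 class picks
# flows from 192.168.10.0/24 to TCP/80, and the HTTP inspect policy resets and logs any
# request whose Host header matches the regex class. Hypothetical helper names throughout.
CLIENT_NET = ipaddress.ip_network("192.168.10.0/24")
WWW_PORT = 80
PAGE_REGEX = re.compile(".autoblog.nl")            # as on the page: unescaped dots, unanchored
STRICT_REGEX = re.compile(r"(^|\.)autoblog\.nl$")  # tighter alternative (my suggestion, not on the page)

def matches_l3l4_class(src_ip, dst_port, proto="tcp"):
    """ACL-CMAP-VLAN10-HTTP: permit tcp 192.168.10.0 255.255.255.0 any eq www."""
    return proto == "tcp" and dst_port == WWW_PORT and ipaddress.ip_address(src_ip) in CLIENT_NET

def host_header(raw_request):
    """Host header of a plaintext HTTP request (lower-cased, :port dropped), or None if absent."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:            # [1:] skips the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip().split(":")[0].lower()
    return None

def verdict(src_ip, dst_port, raw_request, regex=PAGE_REGEX):
    """'not-inspected' (flow misses the class), 'reset' (Host matched: reset + log) or 'allow'."""
    if not matches_l3l4_class(src_ip, dst_port):
        return "not-inspected"
    host = host_header(raw_request)
    if host is not None and regex.search(host):
        return "reset"
    return "allow"

def make_request(host):
    """Constructed sample request; only the Host header matters to this policy."""
    return ("GET / HTTP/1.1\r\nHost: %s\r\nUser-Agent: sample\r\n\r\n" % host).encode()

def compare_regexes(hosts, src_ip="192.168.10.25"):
    """Verdict per constructed Host value under the page's regex and under the stricter one."""
    return {h: (verdict(src_ip, 80, make_request(h)),
                verdict(src_ip, 80, make_request(h), STRICT_REGEX)) for h in hosts}

if __name__ == "__main__":
    samples = ["www.autoblog.nl", "autoblog.nl", "www.autoblog.nl.example.com", "myautoblog-nl.example"]
    for host, (loose, strict) in compare_regexes(samples).items():
        print("%-30s page regex: %-14s strict regex: %s" % (host, loose, strict))
```

Running it shows that the unanchored pattern with unescaped dots also resets hosts like www.autoblog.nl.example.com while letting the bare autoblog.nl through, so it is worth testing the regex against the real Host values you want to block before relying on it.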