A switch stack can have up to eight stacking-capable switches connected through their StackWise ports.
Only homogeneous stacking is supported: Catalyst 9200 switches will only accept other 9200s as stack members.
Stack members can't have different licenses.
Overview
A stack is up to eight stacking-capable switches connected through their StackWise ports.
The stack is seen as one device across Layers 2 and 3.
The active switch controls the operation and management of the entire stack.
The active switch holds the saved and running configuration files for the switch stack. These include the system-level settings for the stack and the interface-level settings for each stack member. Each stack member keeps a current copy of these files for backup purposes.
Mac Address and Bridge ID (Layer 2)
Configure MAC persistency (stack-mac persistent timer 0) so that the stack MAC address never changes to a different MAC address; otherwise an active-switch change can cause LACP and PAgP flaps or inconsistencies.
If the active switch changes, the MAC address of the new active switch determines the new bridge ID and router MAC address.
If the entire switch stack reloads, the switch stack uses the MAC address of the active switch.
Upgrading Software
The auto-upgrade and auto-advise features allow a switch running software packages that are incompatible with the stack to be upgraded to a compatible version so that it can join the stack.
Priority
The switch with the highest priority becomes the active switch (stack master). Check it with the show switch command and compare the Priority column: for example, if switch 1 has priority 15 and switch 2 has priority 10, switch 1 is elected active. The priority is set per member with the global command switch <number> priority <1-15>; the default is 1, so with no configuration the election falls through to the tie-breakers.
Adding a new member
Power off the new switch.
Connect the new switch to the stack using the StackWise cables.
Power on the new switch.
Failure
If the active switch (stack master) is removed or powered off, the standby switch becomes the new active switch. All other stack members remain members and do not reboot.
If the stack splits so that two devices both become active, one stack keeps the members and the other active switch shows as a standalone device. Use the Mode button and port LEDs on each device to identify which device is active and which devices belong to that stack.
Configure a native supplicant profile for wireless clients
Configure a BYOD Portal for onboarding
Create the authentication policy that allows users to log in
Configure authorization policy that permits access to resources
Configure ACLs on WLC
Users connect to the BYOD WLAN. If the mobile device does not have a certificate, the user is prompted for their Active Directory username and password. Once they complete the onboarding process, ISE sends a Change of Authorization (CoA) that disconnects the client, which immediately re-associates to the WLAN using the new certificate.
Certificate Template
This is the template for the certificate that clients are issued during onboarding and then use to connect to the SSID “MGMT”.
Go to: Administration > System > Certificates > Certificate Authority > Certificate Templates
Select EAP_Authentication_Certificate_Template and Click Duplicate
Enter the name BYOD_EAP_Authentication_Certificate_Template
Edit the Organizational Unit and Organization
Set SCEP RA Profile to ISE Internal CA
Click Submit
Native Supplicant Profile
This is the wireless profile the device will use to connect to the WLAN once the device is onboarded.
Go to: Policy > Policy Elements > Results > Client Provisioning > Resources
Click Add > Native Supplicant Profile
Enter a Name (BYOD_EAP_TLS_NSP)
Click Add under Wireless Profile
Enter the SSID
Set Security to WPA2 Enterprise
Set Allowed Protocol to TLS
Set Certificate Template to BYOD_EAP_Authentication_Certificate_Template
Click Submit
Client Provisioning Policy
This determines which Native Supplicant Profile gets installed on which type of device.
Policy > Client Provisioning
Edit each type of device with the Native Supplicant Profile that you created earlier
(Set Results to BYOD_EAP_TLS_NSP)
Click Save
BYOD Portal
This is the web page the user is redirected to in order to “onboard” their device.
Active Directory Join Point
Enter the Join Point Name (for instance, wifiworkshop_AD)
Enter the Active Directory Domain
Click Submit
Once the Join Point is created, Click the Groups Tab
Add AD Groups of users who will be allowed to onboard their device.
Authentication Policy
Policy > Policy Sets > Wireless Devices
Create an authentication rule above the default rule.
Set the condition to Radius:Called-Station-ID CONTAINS Mgmt.
Set Allowed Protocols to Default Network Access.
Add a rule so that Network Access:AuthenticationMethod EQUALS x509_PKI uses “Ge_Cert_CommonName”.
Click the drop-down arrow next to Actions and Insert Row Above the default rule.
Add a rule so that Network Access:AuthenticationMethod EQUALS MSCHAPv2 uses “Ge”.
Set the default rule to Deny Access.
Authorization Profile
Work Centers > BYOD > Policy Elements > Results > Authorization Profiles
Click Add
Enter a Name (BYOD_NSP_AuthZ_Profile)
Select Web Redirection (CWA, MDM, NSP, CPP)
Set it to Native Supplicant Provisioning
Enter BYOD_REDIRECT as the ACL name (the ACL itself is created on the WLC later; the names must match exactly).
Set the Value to BYOD WEB PAGE.
Authorization Profile for Android Devices
Work Centers > BYOD > Policy Elements > Results > Authorization Profiles
Click Add
Enter a Name (BYOD_NSP_Google_AuthZ_Profile)
Select Web Redirection (CWA, MDM, NSP, CPP)
Set it to Native Supplicant Provisioning
Manually type in BYOD_Google_REDIRECT for the ACL
(You’ll create the ACL on the WLC later)
Set the Value to BYOD WEB PAGE.
Authorization Policy for Android Devices
Work Centers > BYOD > Policy Sets
Create a new Authorization Policy Rule above the default rule
Set the Condition to Network Access:Authentication Method EQUALS MSCHAPV2 AND Session:Device-OS EQUALS Android
Set Permissions to BYOD_NSP_Google_AuthZ_Profile
Authorization Policy for all other devices
Work Centers > BYOD > Policy Sets
Create a new Authorization Policy Rule above the default rule
Set the Condition to Network Access:Authentication Method EQUALS MSCHAPV2
Set Permissions to Ge_NSP_AuthZ_Profile
Add the ACL to the WLC
On the WLC, deny statements in a redirect ACL are what trigger the redirect; traffic matched by a permit is forwarded without redirection. Create permit statements for traffic to the Policy Service Nodes and DNS, with a rule for each direction, and deny web traffic so that it gets redirected to the BYOD portal.
Log into the WLC
Security > Access Control Lists > Access Control Lists
Click New
Name it BYOD_REDIRECT (or whatever name you entered for the ACL in the authorization profile; the names must match exactly).
Click the BYOD_REDIRECT ACL and click Add New Rule.
Create a rule to permit all traffic outbound from the controller.
Create a rule to permit TCP traffic on port 8443 to each Policy Service Node.
Create a rule to permit UDP traffic to DNS (port 53).
Create a rule to permit UDP traffic to DHCP (I believe DHCP is allowed by default, so you may not need this rule).
iBGP Split Horizon – When an iBGP speaker learns a prefix from another iBGP speaker, it will not advertise that prefix to any other iBGP speaker.
This means you will need to configure either a full mesh of iBGP peerings or use a function like route reflection or confederation to work around this rule.
eBGP Peering – Peering between different Autonomous Systems.
eBGP multi-hop – Required whenever you want to peer between loopback addresses of eBGP peers, because an eBGP session defaults to a TTL of 1 and the loopbacks are not on the directly connected link.
eBGP Multi-hop Lab
Configure the BGP topology given in the diagram.
All peering should be formed between loopback addresses.
Do not form an iBGP peering between R2 and R3.
You are allowed to create static routes in AS 400 and AS 500 if needed.
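The split-horizon rule above, and why the lab forbids the R2-R3 session, is easier to see by simulating it. This is an added example, not part of the original notes and not the lab diagram: the topology is constructed (AS 100 = R1, R2, R3 with sessions R1-R2 and R1-R3 only; R4 in AS 400 peers with R2, R5 in AS 500 peers with R3), and a prefix originated at one router is flooded under the standard advertisement rules. The same script can add the missing R2-R3 session (full mesh) or make R1 a route reflector with R2 and R3 as clients, the two fixes the notes mention.

```python
"""iBGP split horizon, simulated on a constructed topology.

Added example; not from the original notes and not the lab diagram.
Rules applied when a router forwards a prefix to a peer:
  * a route learned from an eBGP peer is advertised to every other peer;
  * a route learned from an iBGP peer is not advertised to other iBGP
    peers (split horizon), unless the router is a route reflector and the
    route came from a client or is going to a client.
"""
from collections import deque


class Router:
    def __init__(self, name, asn, reflector=False):
        self.name, self.asn, self.reflector = name, asn, reflector
        self.peers = {}  # peer name -> {"router": Router, "client": bool}


def peer(a, b, client_of_a=False):
    """Create a session; `client_of_a` marks b as a route-reflector client of a."""
    a.peers[b.name] = {"router": b, "client": client_of_a}
    b.peers[a.name] = {"router": a, "client": False}


def may_advertise(rtr, learned_from, to):
    """Would `rtr` send a route it learned from `learned_from` (None = local) to `to`?"""
    if learned_from is None:
        return True                       # locally originated: tell every peer
    if to is learned_from:
        return False                      # never echo a route back to its source
    ibgp_in = learned_from.asn == rtr.asn
    ibgp_out = to.asn == rtr.asn
    if not (ibgp_in and ibgp_out):
        return True                       # eBGP on either side: no restriction
    if not rtr.reflector:
        return False                      # plain iBGP split horizon
    return rtr.peers[learned_from.name]["client"] or rtr.peers[to.name]["client"]


def propagate(origin):
    """Names of every router that ends up holding the prefix originated at `origin`."""
    seen = {(origin.name, None)}          # (router, peer it learned from)
    queue = deque([(origin, None)])
    while queue:
        rtr, learned_from = queue.popleft()
        for entry in rtr.peers.values():
            nxt = entry["router"]
            if may_advertise(rtr, learned_from, nxt) and (nxt.name, rtr.name) not in seen:
                seen.add((nxt.name, rtr.name))
                queue.append((nxt, rtr))
    return {name for name, _ in seen}


def build(fix=None):
    """Constructed topology. fix=None: no R2-R3 session (as in the lab);
    fix='mesh': add it (full mesh); fix='rr': R1 reflects for clients R2 and R3."""
    rr = fix == "rr"
    r1 = Router("R1", 100, reflector=rr)
    r2, r3 = Router("R2", 100), Router("R3", 100)
    r4, r5 = Router("R4", 400), Router("R5", 500)
    peer(r1, r2, client_of_a=rr)
    peer(r1, r3, client_of_a=rr)
    if fix == "mesh":
        peer(r2, r3)
    peer(r4, r2)                          # eBGP, AS 400 <-> AS 100
    peer(r5, r3)                          # eBGP, AS 500 <-> AS 100
    return {r.name: r for r in (r1, r2, r3, r4, r5)}


if __name__ == "__main__":
    for fix in (None, "mesh", "rr"):
        reach = sorted(propagate(build(fix)["R4"]))
        print(f"{fix or 'partial mesh':>12}: prefix from R4 reaches {reach}")
```

Without a fix the prefix from AS 400 stops at R1, so R3 and AS 500 never learn it; either fix gets it through, and the lab's constraint leaves only the route-reflector option.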
A C9200L had locked up. All switchports were dead (no link lights) and the fiber modules were lit solid amber. All ports had hosts on the other end that were still alive and sending electrical signal to their ports. I attempted to power cycle by pulling the power cables and reseating the redundant power supplies. After two attempts the switch was still locked up, with fans staying on high after POST should have cleared.
Troubleshooting Information
Do any lights at all illuminate? I see the switchports don't, but is any activity seen on the front panel?
SFP ports stayed solid amber; switchports none lit, no activity when reseating connections.
Do the PSUs appear to power on?
Yes, both PSUs appear to power on; switch fans kick on during POST and stay on full speed.
Has the device ever powered on?
Yes, the device was pulled from production.
What version of code was running (if known/applicable)?
Fuji 16.9.4
While attempting to swap the 9200L with a loaner switch I ran into the following warning messages. NOTE: The fiber and SFP modules were being reseated into different members of the stack until the RMA could come in.
No Big Deal
I had never run into the Duplicate GBIC error before. While attempting to do some research on this I ran into bug reports of this occurring on 3850s.
Solution/Work Around
Remove the old switch member from the stack configuration (no switch 3 provision, as in the session below).
no errdisable detect cause gbic-invalid (this turns off gbic-invalid err-disable detection for the whole stack, not just the affected ports; re-enable it with errdisable detect cause gbic-invalid once the ports are back up).
Reseat the connections.
shut / no shut the module ports.
I figured that removing the stack member, reseating the connections would be enough but for some reason the ports were still errdisabled.
I had to shut/no shut the ports twice after reseating each connection. Once I did this the ports moved out of errdisable.
SWITCH-NAME(config)#
*Feb 24 15:00:25.568: %PLATFORM_PM-6-MODULE_REMOVED: SFP module with interface name Te1/1/2 removed
SWITCH-NAME(config)#
*Feb 24 15:00:54.982: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Te1/1/2
SWITCH-NAME(config)#
*Feb 24 15:02:52.913: %PLATFORM_PM-6-MODULE_REMOVED: SFP module with interface name Te1/1/3 removed
SWITCH-NAME(config)#
*Feb 24 15:04:47.672: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Te1/1/3
SWITCH-NAME(config)#Warning: [1 51] is dup of [3 50]
SWITCH-NAME(config)#end
SWITCH-NAME#sh logg
Syslog logging: enabled (0 messages dropped, 7 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)
No Active Message Discriminator.
No Inactive Message Discriminator.
Console logging: level emergencies, 0 messages logged, xml disabled, filtering disabled
Monitor logging: level debugging, 173 messages logged, xml disabled, filtering disabled
Logging to: vty2(7)
Buffer logging: level debugging, 46694 messages logged, xml disabled, filtering disabled
Exception Logging: size (4096 bytes)
Count and timestamp logging messages: disabled
File logging: disabled
Persistent logging: disabled
No active filter modules.
Trap logging: level informational, 46254 message lines logged
Logging Source-Interface: VRF Name:
Log Buffer (4096 bytes):
port Gi1/0/26 and port Gi1/0/25
*Feb 24 14:25:45.184: %SYS-6-LOGOUT: User pete has exited tty session 2(10.10.16.40)
*Feb 24 14:46:24.069: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Te2/1/2Warning: [2 50] is dup of [3 52]
*Feb 24 14:46:24.069: %PM-4-ERR_DISABLE: gbic-invalid error detected on Te2/1/2, putting Te2/1/2 in err-disable state
*Feb 24 14:46:49.152: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/42, changed state to down
*Feb 24 14:46:50.168: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/42, changed state to down
*Feb 24 14:46:58.360: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Te1/1/1Warning: [1 49] is dup of [3 49]
SWITCH-NAME#ter le 0
SWITCH-NAME#sh logg
*Feb 24 14:51:02.833: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Te1/1/1Warning: [1 49] is dup of [3 49]
*Feb 24 14:51:48.227: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Te1/1/2Warning: [1 50] is dup of [3 51]
*Feb 24 14:51:48.227: %PM-4-ERR_DISABLE: gbic-invalid error detected on Te1/1/2, putting Te1/1/2 in err-disable state
*Feb 24 14:52:18.181: %PLATFORM_PM-6-MODULE_REMOVED: SFP module with interface name Te1/1/2 removed
*Feb 24 14:52:38.420: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Te1/1/2Warning: [1 50] is dup of [3 51]
*Feb 24 14:53:07.578: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Te1/1/3Warning: [1 51] is dup of [3 50]
*Feb 24 14:53:07.578: %PM-4-ERR_DISABLE: gbic-invalid error detected on Te1/1/3, putting Te1/1/3 in err-disable state
SWITCH-NAME#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SWITCH-NAME(config)#no errdisable detect cause gbic-invalid
SWITCH-NAME(config)#exi
SWITCH-NAME#
*Feb 24 15:12:05.166: %PLATFORM_PM-6-MODULE_REMOVED: SFP module with interface name Te2/1/2 removed
SWITCH-NAME#
*Feb 24 15:12:32.313: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Te2/1/2
SWITCH-NAME#Warning: [2 50] is dup of [3 52]
SWITCH-NAME#sh logg
*Feb 24 14:46:24.069: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Te2/1/2Warning: [2 50] is dup of [3 52]
*Feb 24 14:46:24.069: %PM-4-ERR_DISABLE: gbic-invalid error detected on Te2/1/2, putting Te2/1/2 in err-disable state
*Feb 24 14:46:49.152: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/42, changed state to down
*Feb 24 14:46:50.168: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/42, changed state to down
*Feb 24 14:46:58.360: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Te1/1/1Warning: [1 49] is dup of [3 49]
*Feb 24 14:46:58.360: %PM-4-ERR_DISABLE: gbic-invalid error detected on Te1/1/1, putting Te1/1/1 in err-disable state
*Feb 24 14:47:00.408: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/42, changed state to up
*Feb 24 14:47:02.420: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/42, changed state to up
*Feb 24 14:50:28.930: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/42, changed state to down
*Feb 24 14:50:29.942: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/42, changed state to down
*Feb 24 14:50:32.982: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/42, changed state to up
*Feb 24 14:50:35.463: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/42, changed state to down
*Feb 24 14:50:38.714: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/42, changed state to up
*Feb 24 14:50:39.922: %PLATFORM_PM-6-MODULE_REMOVED: SFP module with interface name Te1/1/1 removed
*Feb 24 14:50:40.721: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/42, changed state to up
*Feb 24 14:50:52.774: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/42, changed state to down
*Feb 24 14:50:53.788: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/42, changed state to down
*Feb 24 14:50:56.717: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/42, changed state to up
*Feb 24 14:50:58.729: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/42, changed state to up
*Feb 24 14:51:02.833: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Te1/1/1Warning: [1 49] is dup of [3 49]
*Feb 24 14:51:48.227: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Te1/1/2Warning: [1 50] is dup of [3 51]
*Feb 24 14:51:48.227: %PM-4-ERR_DISABLE: gbic-invalid error detected on Te1/1/2, putting Te1/1/2 in err-disable state
*Feb 24 14:52:18.181: %PLATFORM_PM-6-MODULE_REMOVED: SFP module with interface name Te1/1/2 removed
*Feb 24 14:52:38.420: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Te1/1/2Warning: [1 50] is dup of [3 51]
*Feb 24 14:53:07.578: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Te1/1/3Warning: [1 51] is dup of [3 50]
*Feb 24 14:53:07.578: %PM-4-ERR_DISABLE: gbic-invalid error detected on Te1/1/3, putting Te1/1/3 in err-disable state
*Feb 24 14:56:02.489: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: pete] [Source: 192.168.1.5] [localport: 23] at 14:56:02 UTC Wed Feb 24 2021
*Feb 24 15:00:25.568: %PLATFORM_PM-6-MODULE_REMOVED: SFP module with interface name Te1/1/2 removed
*Feb 24 15:00:54.982: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Te1/1/2
*Feb 24 15:02:52.913: %PLATFORM_PM-6-MODULE_REMOVED: SFP module with interface name Te1/1/3 removed
*Feb 24 15:04:47.672: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Te1/1/3Warning: [1 51] is dup of [3 50]
*Feb 24 15:06:07.071: %SYS-5-CONFIG_I: Configured from console by pete on vty0 (192.168.1.5)
*Feb 24 15:11:22.731: %SYS-5-CONFIG_I: Configured from console by pete on vty0 (192.168.1.5)
*Feb 24 15:12:05.166: %PLATFORM_PM-6-MODULE_REMOVED: SFP module with interface name Te2/1/2 removed
*Feb 24 15:12:32.313: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Te2/1/2Warning: [2 50] is dup of [3 52]
SWITCH-NAME#
*Feb 24 15:14:09.249: %PLATFORM_PM-6-MODULE_REMOVED: SFP module with interface name Te1/1/2 removed
SWITCH-NAME#
*Feb 24 15:14:16.391: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Te1/1/2
SWITCH-NAME#Warning: [1 50] is dup of [3 51]
SWITCH-NAME#show sw
SWITCH-NAME#show switch
Switch/Stack Mac Address : 10b3.d582.9880 - Local Mac Address
Mac persistency wait time: Indefinite
H/W Current
Switch# Role Mac Address Priority Version State
1 Standby 4c71.0d81.xxxx 1 V01 Ready
2 Member 7c21.0e62.xxxx 1 V01 Ready
3 Member 0000.0000.xxxx 0 V01 Removed
*4 Active 10b3.d582.xxxx 1 V01 Ready
SWITCH-NAME#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SWITCH-NAME(config)#no switch 3 provision
SWITCH-NAME(config)#
*Feb 24 15:19:14.899: %PLATFORM_PM-6-MODULE_REMOVED: SFP module with interface name Te1/1/1 removed
SWITCH-NAME(config)#
*Feb 24 15:19:24.716: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Te1/1/1
SWITCH-NAME(config)#Warning: [1 49] is dup of [3 49]
SWITCH-NAME(config)#int ra te 1/1/1 - 2
SWITCH-NAME(config-if-range)#no shut
SWITCH-NAME(config-if-range)#do sh logg
Syslog logging: enabled (0 messages dropped, 7 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)
No Active Message Discriminator.
No Inactive Message Discriminator.
Console logging: level emergencies, 0 messages logged, xml disabled, filtering disabled
Monitor logging: level debugging, 183 messages logged, xml disabled, filtering disabled
Logging to: vty2(17)
Buffer logging: level debugging, 46704 messages logged, xml disabled, filtering disabled
Exception Logging: size (4096 bytes)
Count and timestamp logging messages: disabled
File logging: disabled
Persistent logging: disabled
No active filter modules.
Trap logging: level informational, 46261 message lines logged
Logging Source-Interface: VRF Name:
Log Buffer (4096 bytes):
PDOWN: Line protocol on Interface GigabitEthernet1/0/42, changed state to down
*Feb 24 14:46:50.168: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/42, changed state to down
*Feb 24 14:46:58.360: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Te1/1/1Warning: [1 49] is dup of [3 49]
*Feb 24 14:46:58.360: %PM-4-ERR_DISABLE: gbic-invalid error detected on Te1/1/1, putting Te1/1/1 in err-disable state
*Feb 24 14:47:00.408: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/42, changed state to up
*Feb 24 14:47:02.420: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/42, changed state to up
*Feb 24 14:50:28.930: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/42, changed state to down
*Feb 24 14:50:29.942: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/42, changed state to down
*Feb 24 14:50:32.982: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/42, changed state to up
*Feb 24 14:50:35.463: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/42, changed state to down
*Feb 24 14:50:38.714: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/42, changed state to up
*Feb 24 14:50:39.922: %PLATFORM_PM-6-MODULE_REMOVED: SFP module with interface name Te1/1/1 removed
*Feb 24 14:50:40.721: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/42, changed state to up
*Feb 24 14:50:52.774: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/42, changed state to down
*Feb 24 14:50:53.788: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/42, changed state to down
*Feb 24 14:50:56.717: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/42, changed state to up
*Feb 24 14:50:58.729: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/42, changed state to up
*Feb 24 14:51:02.833: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Te1/1/1Warning: [1 49] is dup of [3 49]
*Feb 24 14:51:48.227: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Te1/1/2Warning: [1 50] is dup of [3 51]
*Feb 24 14:51:48.227: %PM-4-ERR_DISABLE: gbic-invalid error detected on Te1/1/2, putting Te1/1/2 in err-disable state
*Feb 24 14:52:18.181: %PLATFORM_PM-6-MODULE_REMOVED: SFP module with interface name Te1/1/2 removed
*Feb 24 14:52:38.420: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Te1/1/2Warning: [1 50] is dup of [3 51]
*Feb 24 14:53:07.578: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Te1/1/3Warning: [1 51] is dup of [3 50]
*Feb 24 14:53:07.578: %PM-4-ERR_DISABLE: gbic-invalid error detected on Te1/1/3, putting Te1/1/3 in err-disable state
*Feb 24 14:56:02.489: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: pete] [Source: 192.168.1.5] [localport: 23] at 14:56:02 UTC Wed Feb 24 2021
*Feb 24 15:00:25.568: %PLATFORM_PM-6-MODULE_REMOVED: SFP module with interface name Te1/1/2 removed
*Feb 24 15:00:54.982: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Te1/1/2
*Feb 24 15:02:52.913: %PLATFORM_PM-6-MODULE_REMOVED: SFP module with interface name Te1/1/3 removed
*Feb 24 15:04:47.672: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Te1/1/3Warning: [1 51] is dup of [3 50]
*Feb 24 15:06:07.071: %SYS-5-CONFIG_I: Configured from console by pete on vty0 (192.168.1.5)
*Feb 24 15:11:22.731: %SYS-5-CONFIG_I: Configured from console by pete on vty0 (192.168.1.5)
*Feb 24 15:12:05.166: %PLATFORM_PM-6-MODULE_REMOVED: SFP module with interface name Te2/1/2 removed
*Feb 24 15:12:32.313: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Te2/1/2Warning: [2 50] is dup of [3 52]
*Feb 24 15:14:09.249: %PLATFORM_PM-6-MODULE_REMOVED: SFP module with interface name Te1/1/2 removed
*Feb 24 15:14:16.391: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Te1/1/2Warning: [1 50] is dup of [3 51]
*Feb 24 15:19:14.899: %PLATFORM_PM-6-MODULE_REMOVED: SFP module with interface name Te1/1/1 removed
*Feb 24 15:19:24.716: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Te1/1/1Warning: [1 49] is dup of [3 49]
SWITCH-NAME(config-if-range)#do sh clock
*15:33:51.262 UTC Wed Feb 24 2021
SWITCH-NAME(config-if-range)#shut
SWITCH-NAME(config-if-range)#no shut
SWITCH-NAME(config-if-range)#
*Feb 24 15:34:28.246: %LINK-3-UPDOWN: Interface TenGigabitEthernet1/1/1, changed state to up
*Feb 24 15:34:28.259: %LINK-3-UPDOWN: Interface TenGigabitEthernet1/1/2, changed state to up
SWITCH-NAME(config-if-range)#
*Feb 24 15:34:31.578: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet1/1/1, changed state to up
*Feb 24 15:34:31.757: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet1/1/2, changed state to up
SWITCH-NAME(config-if-range)#exi
SWITCH-NAME(config)#int te 2/1/2
SWITCH-NAME(config-if)#shut
SWITCH-NAME(config-if)#no shut
SWITCH-NAME(config-if)#
*Feb 24 15:34:54.208: %LINK-3-UPDOWN: Interface TenGigabitEthernet2/1/2, changed state to up
SWITCH-NAME(config-if)#
*Feb 24 15:34:57.425: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet2/1/2, changed state to up
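The two things the session above makes you read by eye, the election order in show switch (from the Priority notes earlier on this page) and which stack member every "is dup of [N P]" warning points at, can be scripted. The following is an added example, not code from the original post or from Cisco: it parses show switch and buffered syslog text (constructed below, modelled on the output above) and reports a priority tie and any Removed-but-still-provisioned member that the gbic-invalid warnings blame. The election logic is simplified: highest priority wins and the lowest MAC is used as the final tie-breaker; the intermediate tie-breakers IOS XE applies (such as uptime) are not modelled.

```python
"""Stack-state check for a Catalyst StackWise stack.

Added example; not code from the original post or from Cisco.  Input is the
text of `show switch` and of the buffered syslog (constructed below).
"""
import re
from collections import Counter

MEMBER_RE = re.compile(
    r"^\*?\s*(?P<num>\d+)\s+(?P<role>Active|Standby|Member)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(?P<prio>\d+)\s+"
    r"(?P<hw>\S+)\s+(?P<state>\S+)\s*$", re.MULTILINE | re.IGNORECASE)
DUP_RE = re.compile(
    r"interface name (?P<iface>\S+?)Warning: \[(?P<lsw>\d+) (?P<lport>\d+)\]"
    r" is dup of \[(?P<rsw>\d+) (?P<rport>\d+)\]")
ERRDIS_RE = re.compile(r"%PM-4-ERR_DISABLE: gbic-invalid error detected on (\S+),")


def parse_show_switch(text):
    """One dict per member row of `show switch`."""
    return [dict(num=int(m["num"]), role=m["role"], mac=m["mac"].lower(),
                 prio=int(m["prio"]), state=m["state"])
            for m in MEMBER_RE.finditer(text)]


def election_order(members):
    """Ready members in the order the election prefers them (simplified, see lead-in)."""
    ready = [m for m in members if m["state"].lower() == "ready"]
    return [m["num"] for m in sorted(ready, key=lambda m: (-m["prio"], m["mac"]))]


def parse_gbic_dups(log):
    """'[1 50] is dup of [3 51]' -> SFP in member 1 port 50 clashes with member 3 port 51."""
    return [dict(iface=m["iface"], local=(int(m["lsw"]), int(m["lport"])),
                 dup=(int(m["rsw"]), int(m["rport"])))
            for m in DUP_RE.finditer(log)]


def diagnose(show_switch_text, log_text):
    members = parse_show_switch(show_switch_text)
    order = election_order(members)
    by_num = {m["num"]: m for m in members}
    tie = len(order) > 1 and by_num[order[0]]["prio"] == by_num[order[1]]["prio"]
    stale = {m["num"]: m["state"] for m in members if m["state"].lower() != "ready"}
    blamed = Counter(d["dup"][0] for d in parse_gbic_dups(log_text))
    stale_blamed = sorted(n for n in blamed if n in stale)
    findings = []
    if tie:
        findings.append(
            f"members {order[0]} and {order[1]} share priority {by_num[order[0]]['prio']}; "
            f"the MAC tie-break picks {order[0]}, so set 'switch {order[0]} priority 15' "
            f"(or the intended member) explicitly")
    for n in stale_blamed:
        findings.append(
            f"member {n} is {stale[n]} but still provisioned and is the 'dup of' target "
            f"of {blamed[n]} SFP warning(s); run 'no switch {n} provision', then "
            f"shut/no shut the err-disabled ports")
    return dict(order=order, tie=tie, stale=sorted(stale), stale_blamed=stale_blamed,
                errdisabled=ERRDIS_RE.findall(log_text), findings=findings)


# Constructed sample input, modelled on the output in the post (MACs made up).
SHOW_SWITCH = """\
Switch/Stack Mac Address : 10b3.d582.9880 - Local Mac Address
Mac persistency wait time: Indefinite
                                             H/W   Current
Switch#   Role    Mac Address     Priority Version  State
-------------------------------------------------------------
 1       Standby  4c71.0d81.1a00     1      V01     Ready
 2       Member   7c21.0e62.2b00     1      V01     Ready
 3       Member   0000.0000.0000     0      V01     Removed
*4       Active   10b3.d582.9880     1      V01     Ready
"""
LOG = """\
*Feb 24 14:46:24.069: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Te2/1/2Warning: [2 50] is dup of [3 52]
*Feb 24 14:46:24.069: %PM-4-ERR_DISABLE: gbic-invalid error detected on Te2/1/2, putting Te2/1/2 in err-disable state
*Feb 24 14:46:58.360: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Te1/1/1Warning: [1 49] is dup of [3 49]
*Feb 24 14:46:58.360: %PM-4-ERR_DISABLE: gbic-invalid error detected on Te1/1/1, putting Te1/1/1 in err-disable state
*Feb 24 14:51:48.227: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Te1/1/2Warning: [1 50] is dup of [3 51]
*Feb 24 14:51:48.227: %PM-4-ERR_DISABLE: gbic-invalid error detected on Te1/1/2, putting Te1/1/2 in err-disable state
"""

if __name__ == "__main__":
    for line in diagnose(SHOW_SWITCH, LOG)["findings"]:
        print("-", line)
```

On the sample it reports the all-default priority tie (so the active role lands wherever the MAC addresses say) and that every duplicate-GBIC warning points at member 3, which is Removed but still provisioned; that is exactly the pair of facts behind the no switch 3 provision step above.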
A network object represents one or more IP addresses. Network objects are used in various places, including access control policies, network variables, intrusion rules, identity rules, network discovery rules, event searches, reports, and so on.
It is a good idea to create an object for each VLAN.
Where possible, create objects for individual devices as well.
Be as granular as possible: granular objects give your rules flexibility and scalability and more insight into what is happening within your network.
After the individual objects are created we will create a network group object that will encompass all of our internal network.
This group object will be used throughout our policy creation.
Ports
Port objects and groups represent Layer 4 ports and protocols. You can use them in various places in the system's web interface, including access control policies, identity rules, network discovery rules, port variables, and event searches.
Just like the network objects, we can create Layer 4 TCP/UDP objects that are used in the same way.
You can also type service ports directly into a rule when creating an access control policy, but they will not have a descriptive name.
Interfaces and Zones
Interface objects segment your network to help you manage and classify traffic flow. An interface object simply groups interfaces. These groups may span multiple devices; you can also configure multiple interface objects on a single device.
FTD is a zone-based system; creating security zones allows for easier management.
Application Filter
Application filters help you perform application control by organizing applications according to basic characteristics: type, risk, business relevance, category, and tags.
This can be used as a way to block web sites if you don't have a license for URL Filtering (application control is included with the base license).
Add the selected filters.
You can choose the applications you want selected if you don’t want to choose all.
Add to Rule.
Save the new application filter.
Variable Sets
Variables represent values commonly used in intrusion rules to identify source and destination IP addresses and ports. You can also use variables in intrusion policies to represent IP addresses in rule suppressions, adaptive profile updates, and dynamic rule states.
Now we will edit the HOME_NET variable from 'any' to the network group object we created earlier.
With HOME_NET left at 'any', every intrusion rule written against $HOME_NET matches traffic to or from any address; scoping it to your own address space cuts false positives from traffic that never touches your hosts and makes rules that protect internal hosts fire where intended.
Add the new group object to the Included Networks list and remove the 'any' entry.
After saving the new object we can see it has been applied and our new variable set has been created.
Hotspots are a portal where users can access an open SSID. Generally they must accept an Acceptable Use Policy (AUP) before being granted Internet access. Other scenarios are possible beyond this lab scenario.
Log into the vWLC. Click the security tab at the top.
Click the New button to add a new AAA server.
Enter the IP address of the ISE server, set the port number to 1812, and make sure Support for CoA is checked. *** Change of Authorization (CoA) is a feature that allows a RADIUS server to change an active client session after it has been authorized. ***
Create a Shared Secret and make note of it as ISE will need to be configured with the same secret. Click Apply.
Next click Accounting from the Security/AAA menu on the left. Hit New and enter the required information.
Next we will log into ISE and configure the WLC as a network device
Go to Work Centers, then Network Resources.
Click Add and fill out the WLC information. Check RADIUS Authentication Settings and be sure to enter the same Shared Secret we set earlier on the WLC.
After you save the network device you can verify it has been added by checking the Network Devices section.
Configuring the Guest SSID
Log into your WLC and click the WLANs tab. Choose Create New from the drop down box and click Go.
Enter a profile name and SSID.
Select Status Enabled, and the correct interface for your guest traffic. *** NOTE: My screen shot doesn’t show the Guest SSID as being enabled ***
Next click the Security tab.
Change Layer 2 Security to None, and check MAC Filtering.
Click AAA Servers, and change the Authentication and Authorization servers to the ISE server via the drop down boxes.
Click the Advanced tab.
Check Allow AAA Override.
Under NAC change the drop down to ISE NAC.
Uncheck Flex Connect Local Switching if enabled.
Check DHCP/HTTP profiling under Radius Client Profiling.
Next we have to create two ACLs: one for the web-auth redirect, which permits DNS and traffic to ISE and denies everything else so that it is redirected, and another that restricts guest access once the AUP has been accepted.
You can verify your ACLs have been added to the vWLC from the Access control list section.
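Both redirect ACLs on this page (BYOD_REDIRECT in the BYOD notes and WEB_AUTH_REDIRECT here) rely on the same WLC behaviour: first matching rule wins, an implicit deny follows the last rule, and in a redirect ACL a denied web flow is intercepted and sent to the portal while a permit lets traffic through unredirected. The model below is an added example, not code from the original notes or from Cisco, that evaluates packets against both kinds of ACL. The PSN and DNS addresses are made up, and the direction convention is an assumption stated in the comments: 'in' is a packet sent by the wireless client toward the network, 'out' a packet sent to the client. It also shows the classic mistake, a catch-all permit ahead of the denies, which silently turns the redirect off.

```python
"""Model of how an AireOS WLC applies a pre-auth redirect ACL and a plain
post-auth Airespace ACL.  Added example, not code from the original notes
or from Cisco.  Assumed convention: direction 'in' = packet sent by the
wireless client toward the network, 'out' = packet sent to the client.
"""
from ipaddress import ip_address, ip_network

WEB_PORTS = {80, 443}                     # flows the redirect intercepts

# Constructed addresses for the demo (assumptions, not from the notes).
PSNS = ["10.10.16.11/32", "10.10.16.12/32"]
DNS = "10.10.16.53/32"


class Rule:
    def __init__(self, action, direction="any", src="0.0.0.0/0",
                 dst="0.0.0.0/0", proto="any", dport=None):
        self.action = action                  # 'permit' | 'deny'
        self.direction = direction            # 'in' | 'out' | 'any'
        self.src, self.dst = ip_network(src), ip_network(dst)
        self.proto = proto                    # 'any' | 'tcp' | 'udp' | 'icmp'
        self.dport = dport                    # None or (low, high)

    def matches(self, pkt):
        if self.direction != "any" and pkt["direction"] != self.direction:
            return False
        if ip_address(pkt["src"]) not in self.src or ip_address(pkt["dst"]) not in self.dst:
            return False
        if self.proto != "any" and pkt["proto"] != self.proto:
            return False
        dport = pkt.get("dport") or 0
        return not self.dport or self.dport[0] <= dport <= self.dport[1]


def evaluate(acl, pkt, redirect=False):
    """'forward', 'drop' or 'redirect' for one packet against an ordered rule list."""
    verdict = "deny"                          # implicit deny at the end of the list
    for rule in acl:
        if rule.matches(pkt):
            verdict = rule.action
            break
    if verdict == "permit":
        return "forward"
    is_web = (pkt["direction"] == "in" and pkt["proto"] == "tcp"
              and pkt.get("dport") in WEB_PORTS)
    return "redirect" if redirect and is_web else "drop"


def byod_redirect_acl():
    """Pre-auth ACL as described in the BYOD notes: replies to the client, TCP 8443
    to each PSN and UDP 53 to DNS are permitted; web traffic is denied and so
    redirected; anything else falls through to the implicit deny and is dropped."""
    acl = [Rule("permit", direction="out")]
    acl += [Rule("permit", "in", dst=psn, proto="tcp", dport=(8443, 8443)) for psn in PSNS]
    acl.append(Rule("permit", "in", dst=DNS, proto="udp", dport=(53, 53)))
    acl.append(Rule("deny", "in", proto="tcp", dport=(80, 80)))
    acl.append(Rule("deny", "in", proto="tcp", dport=(443, 443)))
    return acl


def misordered_redirect_acl():
    """The failure mode: a catch-all permit first means no flow is ever redirected
    and unauthenticated clients get unrestricted access."""
    return [Rule("permit", "any")] + byod_redirect_acl()


def guest_acl():
    """Post-auth guest ACL: Internet only; RFC 1918 space blocked except DNS."""
    acl = [Rule("permit", "any", dst=DNS, proto="udp", dport=(53, 53))]
    acl += [Rule("deny", "in", dst=net)
            for net in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
    acl.append(Rule("permit", "any"))
    return acl


def pkt(direction, src, dst, proto, dport=None):
    return dict(direction=direction, src=src, dst=dst, proto=proto, dport=dport)


if __name__ == "__main__":
    client = "10.20.30.40"
    for name, acl, redirect in (("BYOD_REDIRECT", byod_redirect_acl(), True),
                                ("misordered", misordered_redirect_acl(), True),
                                ("Guest_ACL", guest_acl(), False)):
        web = evaluate(acl, pkt("in", client, "93.184.216.34", "tcp", 80), redirect)
        internal = evaluate(acl, pkt("in", client, "10.10.16.40", "tcp", 22), redirect)
        print(f"{name:>14}: web -> {web}, internal ssh -> {internal}")
```

Run against a packet list from a real redirect ACL, the first question to answer is whether any web flow from an unauthenticated client comes back as 'forward'; if it does, the ACL has a permit that is too broad, exactly what the misordered variant shows.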
ISE Policies
Our policy goals will be:
redirect users who connect to the Guest network to a web portal.
Once the AUP has been accepted they will get a new policy applied to them restricting their access to internet only via the ACL we created earlier.
Log in to ISE. Go to Work Centers, Guest Access, Policy Elements.
Click Results and go to Authorization Profiles.
Click Add to create a new profile.
Give the policy a descriptive name and description.
Scroll down to the Common Tasks and check Web Redirection.
Select Hotspot from the drop down.
Enter WEB_AUTH_REDIRECT as the ACL and the value will be the Hotspot guest portal.
Click Submit.
Click Add again, enter a new name and description. This policy will apply the guest restriction ACL we created on the WLC.
Scroll down into the Common Tasks and find Airespace ACL, enter the name Guest_ACL
Click Submit.
Now, go to Work Centers, Guest Access, Policy Sets.
Create a new policy set
Add a new authorization rule above the one we just created.
This will be for applying the Guest ACL for the user once going through the portal. Conditions will be Wireless_MAB, IdentityGroup = GuestEndpoints, and Guest_Flow. Result will be the Guest_Access policy we created which applies the ACL we created on the WLC.
Lastly, use whatever wireless device to verify you can connect to the new SSID.