SLAAC with Stateless DHCP

As discussed in my previous post, we can use SLAAC to auto-assign an IPv6 address based on the prefix advertised in the RA. With SLAAC alone, however, you only get the IPv6 address and the gateway, and you still depend on DHCP for the DNS server, domain name and the other options. This is called Stateless DHCP because the server does not track the client MAC and the IP address (no DHCP binding table is formed). Please refer to the previous post on how SLAAC works and how to configure it.

http://rameshkumarroy.com/ipv6-slaac-gns3-example/

In this post we'll build upon the previous post and add Stateless DHCP to it, so that the host devices also receive the DNS server IP and the domain name.

Since GNS3 VPCS does not offer DNS-related options, I have created a loopback adapter on my laptop and will use it to replicate a host machine, shown in the topology as a Cloud.

Please refer to my previous posts on how to create a loopback adapter and how to use it in GNS3 as a host machine.

http://rameshkumarroy.com/creating-loopback-adapter-on-windows/

http://rameshkumarroy.com/using-vpcs-in-gns3-to-replicate-hos/

Following is the Topology I am using:

I have created an IPv6 DHCP pool on R1 that provides only the DNS server IP and the domain name:

R1#show running-config | sec ipv6 dhcp

ipv6 dhcp pool Stateless_DHCP
 dns-server 2000:1000::1
 domain-name Test.com
 ipv6 dhcp server Stateless_DHCP

 

I am using the above DHCP pool only for VLAN 10, so the following configuration is required on the VLAN 10 SVI:

 

interface Vlan10
 no ip address
 ipv6 address 2000:1000::1/64
 ipv6 enable
 ipv6 nd other-config-flag
 ipv6 dhcp server Stateless_DHCP

 

On R2 the interface fa0/4 is mapped to VLAN 10.
R2#show runn int fa 0/4
Building configuration…
Current configuration : 60 bytes
!
interface FastEthernet0/4
 switchport access vlan 10
end

 

I had to play with spanning tree (the Fa0/4 port was getting into the blocked state) before the loopback adapter in my lab could get the IPv6 address and the DHCP configuration.

 

Ethernet adapter Local Area Connection 3:
   Connection-specific DNS Suffix  . : Test.com
   Description . . . . . . . . . . . : Microsoft Loopback Adapter
   Physical Address. . . . . . . . . : 02-00-4C-4F-4F-50
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2000:1000::651c:9aca:97a6:3a7e(Preferred)
   Temporary IPv6 Address. . . . . . : 2000:1000::8c84:1cb9:4268:7fd0(Preferred)
   Link-local IPv6 Address . . . . . : fe80::651c:9aca:97a6:3a7e%17(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.10.11(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::ce00:29ff:feb8:0%17
   DHCPv6 IAID . . . . . . . . . . . : 503447628
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-17-EE-19-AD-00-21-CC-C6-CF-CF
   DNS Servers . . . . . . . . . . . : 2000:1000::1
   NetBIOS over Tcpip. . . . . . . . : Enabled
   Connection-specific DNS Suffix Search List :Test.com

 

You will also notice that once you configure the IPv6 DHCP scope on R1, it joins some additional multicast group addresses related to DHCPv6:

 

R1#show ipv6 interface
Vlan10 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::CE00:29FF:FEB8:0
  Global unicast address(es):
    2000:1000::1, subnet is 2000:1000::/64
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:2
    FF02::1:FF00:1
    FF02::1:FFB8:0
    FF05::1:3

 

ff02::1:2 All DHCP servers and relay agents on the local network segment (defined in RFC 3315)
ff05::1:3 All DHCP servers on the local network site (defined in RFC 3315)

 

With DHCPv6 there are some interesting new terms used in the way addresses are assigned to client devices. DHCPv6 uses UDP port 546 for clients and port 547 for servers.
In IPv4 you had the concept of a client identifier, which was the physical MAC address of the client device requesting DHCP; with IPv6 we have a host identifier, named DUID (DHCP Unique Identifier), and a set of interface identifiers. The RFC defines a DUID this way:
A DHCP Unique IDentifier for a DHCP participant; each DHCP client and server has exactly one DUID.
Also each interface has an ID, called IAID (Interface Association Identifier), that is a binding between the interface and one or several IP addresses. Each allocation in the DHCPv6 server is identified by a DUID and an IAID.
If you look at the IPv6 details from the host machine in the above topology, it also shows a DUID and an IAID:

   DHCPv6 IAID . . . . . . . . . . . : 503447628
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-17-EE-19-AD-00-21-CC-C6-CF-CF
You can check the DUID on the router using the command show ipv6 dhcp.

R1#show ipv6 dhcp
This device’s DHCPv6 unique identifier(DUID): 00030001CC0029B8F000

At the moment there are three types of DUID defined:
1) Link-layer address plus time (DUID-LLT)
2) Vendor-assigned unique ID based on Enterprise Number
3) Link-layer address (DUID-LL)

 

Cisco uses a structure based on DUID-LLT (link-layer address plus time). The device uses the MAC address of the lowest-numbered interface to form the DUID.
A DUID-LLT consists of:
• A two-octet type field containing the value 1
• A two-octet hardware type code. The hardware type MUST be a valid hardware type assigned by the IANA as described in RFC 826. Ethernet uses hardware type 1 and the 48-bit MAC address of the device as the link-layer address.
• Four octets containing a time value: the time at which the DUID is generated, represented in seconds since midnight (UTC), January 1, 2000, modulo 2^32.
• The link-layer address of any one network interface that is connected to the device at the time the DUID is generated.

 

Let's follow the Wireshark capture collected on the PC.

1. R1 sends out an RA (packet 313).
2. The host sends out a Multicast Listener Report to the destination address FF02::16, to which all MLDv2-capable multicast routers listen.

Here, once the host machine has received the RA, it has assigned itself the address 2000:1000::8c84:1cb9:4268:7fd0. As we know, once a device has a link-local or global IPv6 address it also joins the corresponding solicited-node multicast group (for both its link-local and its global address). Here the host is sending the Multicast Listener Report to indicate its interest in the solicited-node multicast address associated with its global IPv6 address.

 

The solicited-node multicast address is formed by appending the last 24 bits of the link-local or global IPv6 address to the prefix ff02::1:ff00:0/104.

 

Solicited-node multicast addresses are used by the Neighbor Discovery Protocol to obtain the layer-2 link-layer addresses of other nodes. For our host the solicited-node multicast address becomes:

 

ff02::1:ff00:0/104 + 68:7fd0 = ff02::1:ff68:7fd0
Please refer to the Wiki page:

3. The host machine sends out a neighbor solicitation to the router's solicited-node multicast address. Nodes send neighbor solicitations to request the link-layer address of a target node while also providing their own link-layer address to the target.

 

4. The router sends a neighbor advertisement in response to the neighbor solicitation; routers also send unsolicited neighbor advertisements in order to propagate new information quickly.

 

5. The host sends out a DHCP Information-Request to the all-DHCP-servers-and-relay-agents address ff02::1:2.

 

6. The server sends a Reply to the host's link-local address:
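The Information-Request and Reply of steps 5 and 6, together with the DUID decoding discussed earlier, as an added Python example (this is not code from the original post): it decodes two frames constructed here from the DUIDs shown above and checks that the Reply belongs to the request. The Windows client's DUID starts with 0001 (DUID-LLT) and the router's with 0003 (DUID-LL), so the decoder handles both; the transaction id and the option layout are assumptions, not taken from the capture.

```python
import struct
import ipaddress
from datetime import datetime, timedelta, timezone

# Message types and option codes from RFC 3315 (DNS options: RFC 3646).
MSG_TYPES = {11: "INFORMATION-REQUEST", 7: "REPLY"}
OPT_CLIENTID, OPT_SERVERID, OPT_ORO = 1, 2, 6
OPT_DNS_SERVERS, OPT_DOMAIN_LIST = 23, 24
DUID_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)  # DUID-LLT time base


def decode_duid(raw):
    """Decode DUID-LLT (type 1), DUID-EN (type 2) and DUID-LL (type 3)."""
    duid_type = struct.unpack("!H", raw[:2])[0]
    if duid_type == 1:
        hw_type, secs = struct.unpack("!HI", raw[2:8])
        return {"type": "DUID-LLT", "hw_type": hw_type,
                "time": DUID_EPOCH + timedelta(seconds=secs),
                "link_layer": raw[8:].hex(":")}
    if duid_type == 2:
        ent = struct.unpack("!I", raw[2:6])[0]
        return {"type": "DUID-EN", "enterprise": ent, "identifier": raw[6:].hex()}
    if duid_type == 3:
        return {"type": "DUID-LL", "hw_type": struct.unpack("!H", raw[2:4])[0],
                "link_layer": raw[4:].hex(":")}
    return {"type": f"unknown({duid_type})", "raw": raw.hex()}


def parse_options(raw):
    """Walk the option list (2-byte code, 2-byte length, value); reject truncation."""
    options, i = [], 0
    while i < len(raw):
        if i + 4 > len(raw):
            raise ValueError("truncated option header")
        code, length = struct.unpack("!HH", raw[i:i + 4])
        value = raw[i + 4:i + 4 + length]
        if len(value) != length:
            raise ValueError(f"option {code}: {length} bytes claimed, {len(value)} present")
        options.append((code, value))
        i += 4 + length
    return options


def decode_domain_list(value):
    """Option 24 carries DNS wire-format names: length-prefixed labels, zero-terminated."""
    names, i = [], 0
    while i < len(value):
        labels = []
        while True:
            if i >= len(value):
                raise ValueError("unterminated domain name")
            n, i = value[i], i + 1
            if n == 0:
                break
            labels.append(value[i:i + n].decode("ascii"))
            i += n
        names.append(".".join(labels))
    return names


def decode_message(raw):
    """4-byte header (msg-type, 3-byte transaction id) followed by options."""
    msg = {"msg_type": MSG_TYPES.get(raw[0], raw[0]), "xid": int.from_bytes(raw[1:4], "big")}
    for code, value in parse_options(raw[4:]):
        if code == OPT_CLIENTID:
            msg["client_id"] = decode_duid(value)
        elif code == OPT_SERVERID:
            msg["server_id"] = decode_duid(value)
        elif code == OPT_ORO:  # Option Request: the options the client asks for
            msg["requested"] = list(struct.unpack(f"!{len(value) // 2}H", value))
        elif code == OPT_DNS_SERVERS:
            msg["dns_servers"] = [str(ipaddress.IPv6Address(value[j:j + 16]))
                                  for j in range(0, len(value), 16)]
        elif code == OPT_DOMAIN_LIST:
            msg["domain_list"] = decode_domain_list(value)
    return msg


def reply_matches_request(request, reply):
    """RFC 3315 makes the client discard a Reply whose transaction id or Client
    Identifier does not match its request; the same check separates a genuine
    answer from a stray or rogue one when reviewing a capture."""
    req, rep = decode_message(request), decode_message(reply)
    return (rep["msg_type"] == "REPLY" and rep["xid"] == req["xid"]
            and "server_id" in rep and rep.get("client_id") == req.get("client_id"))


def option(code, value):
    return struct.pack("!HH", code, len(value)) + value


# Constructed sample frames (UDP payload only; clients use port 546, servers
# port 547). The DUIDs are the ones shown in the ipconfig and "show ipv6 dhcp"
# output above; the transaction id and option layout are assumptions.
CLIENT_DUID = bytes.fromhex("0001" "0001" "17EE19AD" "0021CCC6CFCF")
ROUTER_DUID = bytes.fromhex("00030001CC0029B8F000")
XID = 0x5A1C3F
INFO_REQUEST = (bytes([11]) + XID.to_bytes(3, "big")
                + option(OPT_CLIENTID, CLIENT_DUID)
                + option(OPT_ORO, struct.pack("!HH", OPT_DNS_SERVERS, OPT_DOMAIN_LIST)))
REPLY = (bytes([7]) + XID.to_bytes(3, "big")
         + option(OPT_SERVERID, ROUTER_DUID)
         + option(OPT_CLIENTID, CLIENT_DUID)
         + option(OPT_DNS_SERVERS, ipaddress.IPv6Address("2000:1000::1").packed)
         + option(OPT_DOMAIN_LIST, b"\x04Test\x03com\x00"))
```

Running `decode_message(REPLY)` returns the DNS server 2000:1000::1 and the domain Test.com that the ipconfig output above shows the client received.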

Hope this was helpful 🙂

IPv6 SLAAC GNS3 Example

Like IPv4, there are a number of different ways a host can be addressed in IPv6; the two most common in IPv4 are static addressing and DHCP. DHCP is often preferred because it not only provides a method of dynamically assigning addresses but also a way to give host devices other
service information such as DNS servers, domain names, and a number of custom items (DHCP options).

 

While IPv6 static addressing works exactly the same as IPv4 static addressing, the other methods are quite different from IPv4.

To perform address configuration on IPv6 there are a couple of methods, generally divided into two categories: stateless and stateful.

Stateful address assignment means the DHCP server is responsible for assigning IP addresses to the client devices and also keeps a track/record of each client and the IP addresses assigned to it (this is also called stateful DHCP address assignment).

With stateless address assignment, the client generates its own IPv6 address based on the address prefix advertised on the VLAN (interface). No DHCP server is involved and the client's IP address is not tracked. SLAAC (Stateless Address Autoconfiguration) is the method in which client devices generate an address for themselves from the network prefix advertised in the Router Advertisement (RA) on the local network. By default SLAAC provides nothing to the client except the IPv6 address and the default gateway, though you can still use DHCP alongside SLAAC (Stateless DHCP) to provide the client with other DHCP options such as the domain name; since this is stateless, the DHCP server does not track or record any client device or address assignment.

SLAAC is implemented on the IPv6 client by listening for these local RAs and then using the advertised prefix to form a unique address that can be used on the network.
For this to work, the advertised prefix must have a length of 64 bits (i.e., /64).

RA messages are sent by default by most IPv6 routers; these messages are sent out periodically by the router and include information such as:

One or more IPv6 prefixes (Link-local scope)
Prefix lifetime information
Flag information
Default device information (Default router to use and its lifetime)

SLAAC takes the 64-bit prefix advertised in the RA and dynamically forms a 64-bit host identifier, which is appended to the advertised prefix to form the IPv6 address.

Originally, the host identifier was formed using the EUI-64 rules (the same that are used to form link local addresses) and many devices still use this method. However, some Microsoft operating systems by default do not use this original method. Instead, they take advantage of some additional privacy extensions that were defined in RFC4941.

Let's see how this is done using the EUI-64 process.

As we can see in the above captures, the prefix advertised in the Router Advertisement is 2000:2000::/64. Let's assume a client whose MAC address is 0050:7966:6802.

The first step of the EUI-64 conversion is to split the MAC address in half and place FF:FE in the middle, which gives 0050:79FF:FE66:6802.

Then flip the seventh bit (counted from the left) of the most significant byte. For us the most significant byte is 00, which in binary is 00000000; flipping the seventh bit from the left gives 00000010, which is 02 in hex.

Thus the final host identifier becomes 0250:79FF:FE66:6802.

Now, when the prefix is prepended to the host identifier, the final IPv6 address of the client becomes 2000:2000::0250:79FF:FE66:6802/64.
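The EUI-64 derivation just described, and the solicited-node multicast calculation from the Stateless DHCP post above, as one added Python example (not code from the original post); it also reverses the construction to recover a MAC from an EUI-64 address, which is the tracking question raised at the end of this post. The values are checked against the addresses shown in this page's own outputs.

```python
import ipaddress

# ff02::1:ff00:0/104: the first 13 bytes are fixed, the last 3 come from the unicast address.
SOLICITED_NODE_PREFIX = ipaddress.IPv6Address("ff02::1:ff00:0").packed[:13]


def mac_to_bytes(mac):
    """Accept 00:50:79:66:68:02, 00-50-79-66-68-02 or 0050.7966.6802."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac}")
    return raw


def eui64_interface_id(mac):
    """Split the MAC in half, insert FF:FE, then flip the seventh bit from the
    left of the first octet (the universal/local bit, value 0x02)."""
    m = mac_to_bytes(mac)
    iid = m[:3] + b"\xff\xfe" + m[3:]
    return bytes([iid[0] ^ 0x02]) + iid[1:]


def slaac_address(prefix, mac):
    """Prefix from the RA (must be a /64) followed by the EUI-64 interface identifier."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError(f"SLAAC needs a /64 prefix, got /{net.prefixlen}")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac))


def link_local_address(mac):
    """Same construction on fe80::/64, which is how the link-local address is formed."""
    return slaac_address("fe80::/64", mac)


def solicited_node(address):
    """ff02::1:ff00:0/104 followed by the low 24 bits of the unicast address."""
    return ipaddress.IPv6Address(SOLICITED_NODE_PREFIX + ipaddress.IPv6Address(address).packed[13:])


def mac_from_address(address):
    """Reverse the EUI-64 construction. Returns the MAC as a string, or None
    when the interface identifier is not EUI-64 based (for example an RFC 4941
    temporary address), in which case no MAC can be recovered from the address."""
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    first = bytes([iid[0] ^ 0x02])
    return (first + iid[1:3] + iid[5:]).hex(":")


if __name__ == "__main__":
    addr = slaac_address("2000:2000::/64", "0050.7966.6802")
    print("SLAAC address      :", addr)
    print("solicited-node     :", solicited_node(addr))
    print("MAC recovered      :", mac_from_address(addr))
    print("temporary address  :", mac_from_address("2000:1000::8c84:1cb9:4268:7fd0"))
```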

I have set up a lab using GNS3; let's see the results I get.

Following is the configuration on Router 1 (here Router 1 is the gateway for VLAN 10 and VLAN 20).

R1#show run
Building configuration…

Current configuration : 1248 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
no ip domain lookup
ip domain name lab.local
!
!
ipv6 unicast-routing
!
!
!
interface FastEthernet0/0
 switchport mode trunk
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface Vlan1
no ip address
!
interface Vlan10
 no ip address
 ipv6 address 2000:1000::1/64
 ipv6 enable
!
interface Vlan20
 no ip address
 ipv6 address 2000:2000::1/64
 ipv6 enable
!
!
no ip http server
ip forward-protocol nd
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end

Router 2, which is just acting as an L2 switch in our scenario:

 

R2#show run
Building configuration…
Current configuration : 1154 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
no ip domain lookup
ip domain name lab.local
!
!
!
interface FastEthernet0/0
 switchport mode trunk
!
interface FastEthernet0/1
 switchport access vlan 10
!
interface FastEthernet0/2
 switchport access vlan 10
!
interface FastEthernet0/3
 switchport access vlan 20
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface Vlan1
 no ip address
!
!
no ip http server
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
!
end

 

In this setup PC1 and PC2 are in VLAN 10 while PC3 is in VLAN 20. I am using GNS3 VPCS to simulate host devices. Please refer to the previous post on VPCS for more information.

http://rameshkumarroy.com/using-vpcs-in-gns3-to-replicate-hos/

Validating the addresses on the host devices, we can see that each host has picked up its IPv6 address using SLAAC.

VPCS[3]> 1
VPCS[1]> show ipv6

NAME              : VPCS[1]
LINK-LOCAL SCOPE  : fe80::250:79ff:fe66:6800/64
GLOBAL SCOPE      : 2000:1000::2050:79ff:fe66:6800/64
ROUTER LINK-LAYER : cc:00:29:b8:00:00
MAC               : 00:50:79:66:68:00
LPORT             : 20000
RHOST:PORT        : 127.0.0.1:30000
MTU:              : 1500

VPCS[1]> 2
VPCS[2]> show ipv6

NAME              : VPCS[2]
LINK-LOCAL SCOPE  : fe80::250:79ff:fe66:6801/64
GLOBAL SCOPE      : 2000:1000::2050:79ff:fe66:6801/64
ROUTER LINK-LAYER : cc:00:29:b8:00:00
MAC               : 00:50:79:66:68:01
LPORT             : 20001
RHOST:PORT        : 127.0.0.1:30001
MTU:              : 1500

VPCS[2]> 3
VPCS[3]> show ipv6

NAME              : VPCS[3]
LINK-LOCAL SCOPE  : fe80::250:79ff:fe66:6802/64
GLOBAL SCOPE      : 2000:2000::2050:79ff:fe66:6802/64
ROUTER LINK-LAYER : cc:00:29:b8:00:00
MAC               : 00:50:79:66:68:02
LPORT             : 20002
RHOST:PORT        : 127.0.0.1:30002
MTU:              : 1500

 

The usefulness of SLAAC in any given organization depends greatly on the tracking requirements: because SLAAC does not provide direct tracking the way a stateful DHCP server would, there is no quick way to determine which machine traffic is coming from without tracking the MAC addresses of the clients and calculating the IPv6 addresses they created. This is further complicated by operating systems (like Windows 7) that use the SLAAC privacy extensions by default, making tracking even harder, if not impossible, without looking at the addresses assigned to each device. SLAAC isn't without a purpose, however. On many small networks there is no real need for this specific tracking, and the use of SLAAC can simplify the addressing of machines and allow them to access public sites (with or without Network Address Translation (NAT)).

Hope this was helpful 🙂

 

Mapping a Network/Share Drive

Having a shared drive/folder on a central server and allowing access to it is generally used for easy access to shared content and to increase the storage available to users. Once the shared folder is created on the server, users can easily map it on their machines so that they need not remember its name/IP each time they need to access the drive/folder.

Mapping is sometimes also referred to as "mounting", i.e. mounting a network drive/folder.

Let's see how we can map the shared folder on a Windows 7 machine.

Click on Start > go to Computer.

This will bring up a window showing the drives on your machine. Click on Map Network Drive at the top.

This will bring up a new window showing the drive letter, which you can choose from the drop-down (A to Z).
It will also ask you to enter the folder name in the format \\Server\Share, i.e. you need to specify the server name or IP hosting the shared folder, followed by the name of the shared folder.

In my case, my server admin has hosted this folder on the server with IP address 10.20.20.10 and the name of the folder being shared is TFTPRoot, so I'll use the folder name \\10.20.20.10\TFTPRoot.

This will ask you to log in with your credentials; contact your server admin in case your local credentials do not work.

Once authentication is successful, the drive letter you selected will be added to your drive list.

 

Let's see how we can mount a drive on Mac OS.

Open the Finder, which should be located on your Dock. Click on the Go menu and click on Connect to Server.

 

This will open the Connect to Server window. In Server Address type the server name/IP followed by the folder name, as we did for the Windows machine, in the format smb://10.20.20.10/TFTPRoot

Click on the plus sign to add this folder to your favourite folder list, so that next time you want to connect to it you can choose it directly from this list. Then click on Connect.

 

You'll be asked to authenticate; enter your credentials and click OK. A server icon will appear on your desktop; click on it to connect to your shared drive/folder.

Hope this was helpful 🙂

Creating a chained certificate from an unchained certificate.

Many times we see that the CA (third-party Certificate Authority) does not provide a chained cert; rather, they provide a signed server cert and might provide the intermediate CA cert and the root CA cert separately.

 

In a couple of cases they just provide you a signed server cert and expect you to download the intermediate cert and the root cert, chain the final cert if required and use it. Many vendor devices do not support an unchained server cert and expect a chained server cert before it can be uploaded to the device.

 

Let's see how we can generate a chained cert from an unchained certificate. I'll use the following server cert as an example.

The above cert is a server cert issued by the well-known CA "Go Daddy". However, the certificate is not chained: if you open the certificate in Notepad you'll find that it is just the server cert.

To generate a chained cert you need to append the intermediate CA cert and the root CA cert to the server cert. In our case "Go Daddy Secure Certificate Authority" is the intermediate CA and "Go Daddy Class 2 Certificate Authority" is the root CA.

 

The file must be assembled with the server cert on top, followed by the intermediate CA cert and then the root CA cert, i.e. the opposite of the order shown in the Certificate Path of the server cert. Open all the certificates in Notepad, open a blank Notepad, copy and paste the server cert, then the intermediate cert and then the root cert, and save this as the final cert, which should be ready to be uploaded to the device.
-----BEGIN CERTIFICATE-----
Server Cert
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Intermediate CA Cert
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Root CA Cert
-----END CERTIFICATE-----

 

 

All the certificates on Windows 7 are stored in the Windows registry and not in any specific folder. You can view the certificates using the certificate manager (type certmgr.msc and it will bring up the following window).
For Mac users the certificates are stored in Keychain Access (in the Finder, open Utilities and then open Keychain Access).
These are the repositories where all the certificates are stored and referenced to check whether a certificate is valid or not, i.e. whether the Certificate Authority is a trusted root CA or not.
There is a chance that the intermediate CA certificate has expired, which will cause the entire certificate to become invalid (untrusted).
In a recent incident DigiCert's intermediate certificate expired, which caused multiple users to get the untrusted certificate error.
The expired certificate in question was the "DigiCert High Assurance EV Root CA" [expiration July 26, 2014] certificate. This temporary intermediate certificate was used in years past as part of a compatibility chain for older devices. The problem was related to the locally installed legacy intermediate certificate that was no longer used and no longer required for the certificate installation. This certificate had not been used for over three years and was unnecessary for installations; however, the devices having issues had not been updated. The users affected appear to have had the expired intermediate in the 'login' keychain, stored locally on their server, or installed on a backend server or application.
DigiCert fixed the issue for the customers by getting the old cert removed from their machines and the new valid intermediate cert installed on these devices.
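A script that assembles the chain file in the order described above and checks it before upload, added here as an example (it is not code from the original post). It needs the third-party cryptography package, and because the Go Daddy certificates cannot be embedded here it generates a throwaway root, intermediate and server certificate in memory to stand in for them. The checker reports a wrong order, a certificate that is expired on the checking date (the DigiCert situation just described) and a non-CA certificate sitting in a CA position.

```python
from datetime import datetime, timedelta
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec, padding, rsa

BEGIN, END = b"-----BEGIN CERTIFICATE-----", b"-----END CERTIFICATE-----"


def build_chain(server_pem, intermediate_pem, root_pem):
    """Concatenate the PEM blocks leaf first: server, then intermediate, then
    root, which is the reverse of the Certificate Path view in Windows."""
    return b"".join(p.strip() + b"\n" for p in (server_pem, intermediate_pem, root_pem))


def split_pem(chain_pem):
    """Split a concatenated PEM file back into its CERTIFICATE blocks, in order."""
    blocks, current = [], None
    for line in chain_pem.splitlines():
        if line.startswith(BEGIN):
            current = [line]
        elif line.startswith(END) and current is not None:
            blocks.append(b"\n".join(current + [line]) + b"\n")
            current = None
        elif current is not None:
            current.append(line)
    return blocks


def _signed_by(cert, issuer_cert):
    """True if the issuer's public key verifies cert's signature (RSA or ECDSA)."""
    pub = issuer_cert.public_key()
    try:
        if isinstance(pub, rsa.RSAPublicKey):
            pub.verify(cert.signature, cert.tbs_certificate_bytes,
                       padding.PKCS1v15(), cert.signature_hash_algorithm)
        else:
            pub.verify(cert.signature, cert.tbs_certificate_bytes,
                       ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except Exception:
        return False


def check_chain(chain_pem, now=None):
    """Return the problems found; an empty list means the file is ready to
    upload. Checks the order (each cert must be issued and signed by the next
    one), validity at `now` (the expired-intermediate case above) and that
    every certificate after the leaf is marked as a CA."""
    now = now or datetime.utcnow()
    certs = [x509.load_pem_x509_certificate(b) for b in split_pem(chain_pem)]
    if len(certs) < 2:
        return ["chain has fewer than two certificates"]
    problems = []
    for i, cert in enumerate(certs):
        cn = cert.subject.rfc4514_string()
        if not cert.not_valid_before <= now <= cert.not_valid_after:
            problems.append(f"{cn}: not valid on {now:%Y-%m-%d} (valid until {cert.not_valid_after:%Y-%m-%d})")
        if i > 0:
            try:
                is_ca = cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
            except x509.ExtensionNotFound:
                is_ca = False
            if not is_ca:
                problems.append(f"{cn}: position {i} must hold a CA certificate")
        if i + 1 < len(certs):
            nxt = certs[i + 1]
            if cert.issuer != nxt.subject or not _signed_by(cert, nxt):
                problems.append(f"{cn}: not issued by the next certificate ({nxt.subject.rfc4514_string()})")
    return problems


def _make_cert(cn, issuer_cn, issuer_key, ca, days):
    """Constructed test material: an EC certificate for cn signed by issuer_key
    (self-signed when issuer_key is None). Not a real CA certificate."""
    key = ec.generate_private_key(ec.SECP256R1())
    now = datetime.utcnow()
    name = lambda c: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, c)])
    cert = (x509.CertificateBuilder()
            .subject_name(name(cn)).issuer_name(name(issuer_cn))
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(days=1))
            .not_valid_after(now + timedelta(days=days))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .sign(issuer_key or key, hashes.SHA256()))
    return key, cert.public_bytes(serialization.Encoding.PEM)


def demo_pki(intermediate_days=365):
    """Root -> intermediate -> server, standing in for the Go Daddy chain."""
    root_key, root_pem = _make_cert("Demo Root CA", "Demo Root CA", None, True, 3650)
    inter_key, inter_pem = _make_cert("Demo Intermediate CA", "Demo Root CA", root_key, True, intermediate_days)
    _, server_pem = _make_cert("www.example.test", "Demo Intermediate CA", inter_key, False, 90)
    return server_pem, inter_pem, root_pem


def days_from_now(days):
    """Helper to check a chain as of a date in the future."""
    return datetime.utcnow() + timedelta(days=days)


if __name__ == "__main__":
    server, inter, root = demo_pki(intermediate_days=30)
    print("correct order   :", check_chain(build_chain(server, inter, root)) or "OK")
    print("wrong order     :", check_chain(build_chain(inter, server, root)))
    print("45 days from now:", check_chain(build_chain(server, inter, root), now=days_from_now(45)))
```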
How to create the chained cert when the root CA cert and the intermediate CA cert are not provided by the CA.
Usually your CA will provide the intermediate CA cert and the root CA cert, or the steps to get them from their website. However, if this is not the case for you and the CA is a well-known one, you should already have its intermediate and root certs on your laptop, in the registry or in Keychain Access. Let's see how we can get the intermediate and the root CA certificate.
Click on the server cert to open it. Go to the "Certificate path" tab and click on the intermediate certificate; for our test certificate it is "Go Daddy Secure Certificate Authority".
Click on View Certificate in the lower right corner, which will open the intermediate CA cert. Now we want to export this cert so that we can use it for chaining. Go to the Details tab of the certificate.
Click on Copy to File, which should open the Export Wizard.

 

Click Next > choose the format "Base-64 encoded X.509".
Click Next > Browse and give the file a name (remember this is the intermediate CA cert, so save it somewhere on your laptop with a name like intermediatecert). Click Next and Finish. This exports the intermediate CA cert to your desktop. Now repeat the same process to export the root CA cert, clicking on the root CA cert in the certificate path of the server cert or of the intermediate CA cert.
Once you have successfully exported both the intermediate and the root CA cert, you can open them in Notepad and append them to the server cert as discussed above.
Hope this was helpful 🙂

 

Added information:

The certificates are stored in the registry at HKLM/Software/Microsoft/SystemCertificates

Personal certificates, or other certificates specific to the logged in user are at HKCU/Software/Microsoft/SystemCertificates

They are stored as binary blobs, so they need to be decoded, and the MMC plugin is a good way to do this.

Music

My Guitar

 

This is an Ashton D20 darling, a beginners guitar.

Type: Dreadnought Acoustic
Back & Sides: Basswood
Neck: Maple

Product Specifications:
====================

Spruce Top
Basswood Back & Sides
Rosewood Fingerboard
Maple Neck
Matte Finish
Die Cast Chrome Machine heads
Black Binding
Natural Rosette

https://www.youtube.com/watch?v=F3-r48hdDVc

https://www.youtube.com/watch?v=hZSkIPj-qRs

Cisco Wireless HA N+1 configuration (Lab Testing)

With software release 7.4 and above Cisco has introduced the N+1 HA feature set within the Cisco Unified Wireless Network (CUWN) framework which allows a single WLC to be used as a backup WLC for N primary controllers.

 

Following is the configuration/documentation guide:

http://www.cisco.com/c/en/us/td/docs/wireless/technology/hi_avail/N1_High_Availability_Deployment_Guide/Introduction.html

The N+1 HA architecture provides redundancy for controllers across geographically separate data centers at a low deployment cost. Lately I had been working on a couple of scenarios and had not been sure whether this is supposed to work over an L3 network, so I did a small lab to test it.

My network setup:
=================

WLC1 (vlan 100)————-L3 Switch—————–WLC2(vlan200)
                                                 |
                                                 |
                                                 |
                                              APs
                                         (vlan 300)

Vlan 100: 192.168.100.0/24
Vlan 200: 192.168.200.0/24
Vlan 300: 192.168.300.0/24

WLC1 Primary:
==============

(WLC-Primary) >show interface summary

Number of Interfaces.......................... 6

Interface Name                   Port Vlan Id  IP Address      Type    Ap Mgr Guest
-------------------------------- ---- -------- --------------- ------- ------ -----
management                       1    100      192.168.100.5

(WLC-Primary) >show redundancy summary
Redundancy Mode = SSO DISABLED
Local State = ACTIVE
Peer State = N/A
Unit = Primary
Unit ID =50:3D:E5:1A:27:20
Redundancy State = N/A
Mobility MAC = 50:3D:E5:1A:27:20
Redundancy Management IP Address……….192.168.100.10
Peer Redundancy Management IP Address…..192.168.100.11
Redundancy Port IP Address…………….169.254.100.10
Peer Redundancy Port IP Address………..169.254.100.11

(WLC-Primary) >show advanced backup-controller

AP primary Backup Controller …………..WLC-Secondary 192.168.200.5
AP secondary Backup Controller ………………

WLC2 Secondary:
================
(WLC-Secondary) >show interface summary

Number of Interfaces.......................... 6

Interface Name                   Port Vlan Id  IP Address      Type    Ap Mgr Guest
-------------------------------- ---- -------- --------------- ------- ------ -----
management                       1    200      192.168.200.5   Static  Yes    No

(WLC-Secondary) >show redundancy summary
Redundancy Mode = SSO DISABLED
Local State = ACTIVE
Peer State = N/A
Unit = Secondary – HA SKU
Unit ID = E0:5F:B9:46:99:00
Redundancy State = N/A
Mobility MAC = 50:3D:E5:1A:27:20
Redundancy Management IP Address..........192.168.200.10
Peer Redundancy Management IP Address……192.168.200.11
Redundancy Port IP Address……………..169.254.200.10
Peer Redundancy Port IP Address…………169.254.200.11

(WLC-Secondary) >show advanced backup-controller

 AP primary Backup Controller ………………..0.0.0.0
AP secondary Backup Controller ………………

L3 Switch:
==========

AP-SWITCH1#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform   Port ID
WLC-Secondary    Gig 1/0/1         152        H           AIR-CT550  Gig 0/0/1
TEST-AP-2        Gig 1/0/7         142        R T         AIR-LAP12  Gig 0.1
TEST-AP-1        Gig 1/0/20        150        R T         AIR-CAP26  Gig 0.1
WLC-Primary      Gig 1/0/3         140        H           AIR-CT550  Gig 0/0/1

AP-SWITCH1#show runn int gig 1/0/1
interface GigabitEthernet1/0/1
switchport access vlan 100
switchport trunk encapsulation dot1q
switchport mode trunk
end

AP-SWITCH1#show runn int gig 1/0/3
switchport trunk encapsulation dot1q
switchport mode trunk
end

AP-SWITCH1#show runn int gig 1/0/7
switchport access vlan 300
switchport mode access

Testing:
========
The APs are configured with DHCP option 43 to join the Primary WLC (192.168.100.5). Once the APs joined the Primary WLC, the Primary and Secondary WLCs were configured for them under High Availability.

Make sure you have configured the secondary WLC (HA-SKU), which sits on the other L3 network, as the Backup Primary Controller:

In our setup both APs were on the Primary WLC initially:

Once connectivity to the Primary WLC is lost (we shut down the port to the Primary WLC on the switch), we find the APs automatically falling back to the Secondary.

AP-SWITCH1(config)#int gig 1/0/3
AP-SWITCH1(config-if)#shut
AP-SWITCH1(config-if)#
1w1d: %LINK-5-CHANGED: Interface GigabitEthernet1/0/3, changed state to administratively down
1w1d: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/3, changed state to down

Licensing:

 

HA-SKU as Secondary Controller
============================
 
With Release 7.4, an HA-SKU controller can be used as a secondary controller. In this example, the secondary controller is running a 50 AP permanent license and is configured to be an HA-SKU controller. Therefore it has a maximum AP capacity of 500.

Hope this post was helpful….

Using VPCS in Gns3 to replicate host devices in the network topology

The latest version of GNS3 comes with the Virtual PC Simulator (VPCS), which can be used to simulate end hosts in a network topology in GNS3 and to do simple reachability tests like ping and traceroute. There are other alternatives as well, like Qemu and VirtualBox guests, but these are CPU intensive; VPCS is integrated with Windows and Linux machines and is very light on CPU. The latest version of GNS3 can be downloaded from here:

http://www.gns3.net/download/

In this post we'll see how to configure and use VPCS in a small network topology. We'll be using a simple L2 Ethernet switch, connecting two PCs in the same VLAN, and we'll do a simple ping test from one PC to the other.

Let's start building the topology:

 

 

 

 

 

 

 

 

 

If you don't like a Cloud representing the PC, you can change the symbol by right-clicking on the Cloud.

Let me change the symbols in my topology.

Let's see what configuration is needed to use VPCS. Right-click PC-1 and click on Configure. In the node configurator click on the C node and go to NIO UDP.

Use local port 30000 and remote port 20000 > click on Add and Apply. Similarly configure PC-2 with local port 30001 and remote port 20001.

Once both PCs are configured, connect them to the switch using the NIO UDP ports.

In this setup, switch ports 1 and 2 are both configured in VLAN 1. Let's start VPCS, configure it and assign IP addresses to the two PCs.

I will assign both devices IP addresses in the same subnet (192.168.10.0/24).

Let's start up VPCS: go to Tools in the GNS3 window and click on VPCS.

This automatically brings up a Windows command prompt with the VPCS prompt.

Following are the options available:

The VPCS prompt is the terminal for the PCs. Type 1 to get to VPCS 1 or 2 to get to VPCS 2.

Let's assign IP addresses to both virtual PCs. Following is the IP address assignment format for VPCS:

VPCS[1]> ip ?

ip [arguments]
  Configure the current VPC’s IP settings
  arguments:
    <address> [/<mask>] [<gateway>]
    <address> [<gateway>] [/<mask>]
                   Set the VPC’s ip, default gateway ip and network mask
                   Default IPv4 mask is /24, IPv6 is /64. In the ether mode,
                   the ip of the tapx is the maximum host ID of the subnet.
                   ip 10.1.1.70 /26 10.1.1.65 set the VPC’s ip to 10.1.1.70,
                   the gateway to 10.1.1.65, the netmask to 255.255.255.192,
                   the tapx ip to 10.1.1.126 in the ether mode.
                   </mask> may be written as /26, 26 or 255.255.255.192
    auto           Attempt to obtain IPv6 address, mask and gateway using SLAAC
    dhcp -[d|r|x]  Attempt to obtain IPv4 address, mask, gateway, DNS via DHCP
          -d         Show DHCP packet decode
          -r         Renew DHCP lease
          -x         Release DHCP lease
    dns <ip>       Set DNS server <ip>, delete if <ip> is '0'
    domain <name>  set local domain name
    mtu <value>    Set IPv4 MTU to <value>, at least 576.

Assigning an IP address to the second PC.

Now let's test a ping from one PC to the other.

As you can see, this tool can be used for simple reachability/connectivity tests.

Using the Windows loopback adapter for the connectivity test:
=================================================

We can also use the Windows loopback adapter for the same purpose. See my other post on how to create a loopback adapter on a Windows machine:

http://rameshkumarroy.com/creating-loopback-adapter-on-windows/

You can create multiple loopback adapters on the Windows machine and use them the same way. In the snapshot below you can see that I have created two loopback adapters, Local Area Connection 3 and 5.

You can use the NIO Ethernet tab on the Cloud to map a loopback adapter to each PC. In our setup I have mapped loopback adapter 3 and loopback adapter 5 to the two PCs.

Connect these PCs to the Ethernet switch accordingly.

You can assign IP addresses to the loopback adapters and do a ping test.

Hope this would be helpful. 🙂

Creating a loopback adapter on a Windows machine.

Why would I need a loopback adapter on my laptop/desktop:

We can compare a loopback adapter to a loopback interface on a router. Just as the loopback interface on a router is not associated with any physical interface and is always up irrespective of the physical connectivity of the router, a loopback adapter on a Windows machine is always up regardless of cabling.

This is what the internet says about loopback interfaces:

A loopback interface is a virtual interface that resides on a router. It is not connected to any other device. Loopback interfaces are very useful because they will never go down, unless the entire router goes down.

There might be a situation wherein you need to assign an IP address to your laptop and use it for testing or an application. You would not be able to use the IP address assigned to your physical interface unless the physical interface itself is connected to a LAN cable. It may also be that the IP address on your physical interface comes via DHCP from your service provider's router, and changing the IP on the physical interface is not possible.

Those are a couple of scenarios where you might need to create a loopback adapter on your Windows machine and use it.

How to create a loopback adapter on a Windows machine:

Click Start > in the "Search programs and files" box type: hdwwiz

or open cmd and type: hdwwiz. This should bring up the Add Hardware Wizard.

Once you get the Add Hardware Wizard window, click Next > select "Install the hardware that I manually select from a list".

Click Next > in the Common hardware types list scroll down and choose Network adapters.

Click Next. Choose Microsoft in the Manufacturer list and Microsoft Loopback Adapter in the Network Adapter list.

Click Next, and Next again to start the install process.

Once installed, click Finish.

You are ready to go.

Go to your Network Connections (shortcut: type ncpa.cpl in the cmd window); you should see a new Local Area Connection 1 or 2, depending on the number of existing connections.

You can disable/enable this adapter as required, and right-click > Properties to assign an IP address and use it.
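As an added example (not code from the original posts), the same address assignment and ping test that the GNS3 post does from the Network Connections GUI, done from PowerShell for two loopback adapters. It assumes Windows 8 / Server 2012 or later (the NetTCPIP cmdlets), an elevated session, two loopback adapters already created with hdwwiz, and the post's 192.168.10.0/24 subnet as the default.

```powershell
# Added example, not from the original posts: assign static IPv4 addresses to
# two Microsoft loopback adapters and ping between them.
# Assumptions: Windows 8 / Server 2012 or later (NetTCPIP module), an elevated
# session, and two loopback adapters already created with hdwwiz.
function Set-LoopbackPair {
    param(
        [string]$Subnet = "192.168.10",   # subnet used in the post
        [int]$Prefix = 24
    )
    # The driver description is "Microsoft Loopback Adapter" on Windows 7 and
    # "Microsoft KM-TEST Loopback Adapter" on Windows 8+, so match on "Loopback".
    $loopbacks = @(Get-NetAdapter |
        Where-Object { $_.InterfaceDescription -like "*Loopback*" } |
        Sort-Object ifIndex)
    if ($loopbacks.Count -lt 2) {
        throw "Expected at least two loopback adapters, found $($loopbacks.Count)."
    }
    $hostId = 1
    foreach ($nic in $loopbacks[0..1]) {
        $ip = "$Subnet.$hostId"
        # Turn off DHCP and clear any earlier static address so this is repeatable.
        Set-NetIPInterface -InterfaceIndex $nic.ifIndex -AddressFamily IPv4 -Dhcp Disabled
        Get-NetIPAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
            Remove-NetIPAddress -Confirm:$false -ErrorAction SilentlyContinue
        New-NetIPAddress -InterfaceIndex $nic.ifIndex -IPAddress $ip -PrefixLength $Prefix | Out-Null
        Write-Host ("{0,-25} -> {1}/{2}" -f $nic.Name, $ip, $Prefix)
        $hostId++
    }
    # Reachability test, the same ping the post runs from the command prompt.
    $dst = "$Subnet.2"
    $ok = Test-Connection -ComputerName $dst -Count 2 -Quiet
    Write-Host ("Ping to {0}: {1}" -f $dst, $(if ($ok) { "reachable" } else { "unreachable" }))
    return $ok
}

Set-LoopbackPair
```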

I have used loopback adapters for connectivity/reachability tests in GNS3 and for simulating host machines.

http://rameshkumarroy.com/using-vpcs-in-gns3-to-replicate-hos/

Hope this would be helpful.