Sunday, November 29, 2015

Connecting GNS3 Device to the Internet

I'm contemplating selling my Cisco lab gear next year and just keeping some of the hard-to-find pieces, such as my Cisco 2511 router that's used as my terminal server, my ASA 5505 firewall since it can still run the 9.x code, my Cisco 871w router for my home wifi and a Cisco 3560 8-port switch. I've started studying for CompTIA Network+ (which is a prelude to my CCIE R/S studies) and plan to sit for the N10-006 exam early next year. So, I'll probably be using my Cisco lab gear one last time to set up a CCNA Routing and Switching lab.

My network lab helped me a lot in preparing for my CCNP Security, Security+ (CCNA Security review) and CCDP (CCNP ROUTE and CCNP SWITCH review). I'll be virtualizing my lab next year in preparation for my CCIE Routing and Switching studies and have started looking for a mini server to run VMware ESXi. So I've been practicing again in GNS3, and in order to connect an emulated device to the Internet, we first create a Microsoft Loopback interface. Run hdwwiz from the Windows command prompt and the Add Hardware dialog box appears. Select Install the hardware that I manually select from a list (Advanced) > Network adapters > Microsoft > Microsoft Loopback Adapter.
 

We "bridge" our LAN adapter that is connected to the Internet to our MS Loopback by ticking "Allow other network users to connect through this computer's Internet connection" under the Local Area Connection properties (this is Windows Internet Connection Sharing, which NATs the loopback subnet behind the Internet-facing adapter rather than bridging the two at layer 2). For this scenario, I've used my wireless adapter and bridged it to Local Area Connection 2, which is my MS Loopback interface.


Windows pops up a warning that the shared LAN adapter (MS Loopback) can only use 192.168.137.1. We then manually assign the TCP/IPv4 settings of the MS Loopback interface as below:



We'll need to configure the network device in GNS3 as below:

For a router:

R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#interface fastethernet0/0
R1(config-if)#ip address 192.168.137.2 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#
*Mar  1 00:01:56.827: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Mar  1 00:01:57.827: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R1(config-if)#do ping 192.168.137.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.137.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/13/28 ms
R1(config-if)#do ping 8.8.8.8

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R1(config)#do ping www.cisco.com
Translating "www.cisco.com"
% Unrecognized host or address, or protocol not running.

R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.137.1
R1(config)#ip domain-lookup
R1(config)#ip name-server 8.8.8.8
R1(config)#do ping 8.8.8.8

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/39/44 ms
R1(config)#do ping www.cisco.com
Translating "www.cisco.com"...domain server (192.168.137.1) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 125.252.216.170, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/24/36 ms



For an ASA firewall:

ciscoasa# configure terminal
ciscoasa(config)#

***************************** NOTICE *****************************

Help to improve the ASA platform by enabling anonymous reporting,
which allows Cisco to securely receive minimal error and health
information from the device. To learn more about this feature,
please visit: http://www.cisco.com/go/smartcall

Would you like to enable anonymous error reporting to help improve
the product? [Y]es, [N]o, [A]sk later:

ciscoasa(config)# interface gigabitethernet0
ciscoasa(config-if)# ip address 192.168.137.2 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config-if)# ping 192.168.137.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.137.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ciscoasa(config-if)# ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
No route to host 8.8.8.8

Success rate is 0 percent (0/1)
ciscoasa(config-if)# route outside 0 0 192.168.137.1
ciscoasa(config)# ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/20/20 ms
ciscoasa(config)# ping www.cisco.com
                       ^
ERROR: % Invalid Hostname
ciscoasa(config)# dns ?

configure mode commands/options:
  domain-lookup       Enable/Disable DNS host-to-address translation
  expire-entry-timer  Specify DNS entry expire timer
  name-server         Specify DNS servers
  poll-timer          Specify dns update interval
  retries             Configure DNS retries
  server-group        Configure a DNS server group
  timeout             Configure DNS query timeout

exec mode commands/options:
  update  Update FQDN IP addresses
ciscoasa(config)# dns domain-lookup ?

configure mode commands/options:
Current available interface(s):
  outside  Name of interface GigabitEthernet0
ciscoasa(config)# dns domain-lookup outside
ciscoasa(config)# dns name-server 8.8.8.8
ciscoasa(config)# ping www.cisco.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 60.254.168.170, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 30/40/50 ms
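Both transcripts above walk the same ladder: ping the loopback gateway (link and subnet), ping 8.8.8.8 (default route), ping a hostname (DNS). With more than a couple of emulated devices it is handy to let a script read the session output and say which rung failed. The following Python script is an added example, not from the original post and not a Cisco or GNS3 tool: it parses IOS and ASA ping output in exactly the formats shown above and maps each failure onto the configuration step that fixes it. The two transcripts embedded in it are constructed copies of the formats above, and parse_pings, diagnose and the remedy strings are my own naming.

```python
import ipaddress
import re

# Constructed transcripts in the IOS and ASA formats shown above (not the post's
# own output): the IOS one before any fix, the ASA one through both fixes.
SAMPLE_IOS = """\
R1(config-if)#do ping 192.168.137.1
Sending 5, 100-byte ICMP Echos to 192.168.137.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/13/28 ms
R1(config-if)#do ping 8.8.8.8
.....
Success rate is 0 percent (0/5)
R1(config)#do ping www.cisco.com
Translating "www.cisco.com"
% Unrecognized host or address, or protocol not running.
"""

SAMPLE_ASA = """\
ciscoasa(config-if)# ping 8.8.8.8
No route to host 8.8.8.8
Success rate is 0 percent (0/1)
ciscoasa(config-if)# route outside 0 0 192.168.137.1
ciscoasa(config)# ping 8.8.8.8
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/20/20 ms
ciscoasa(config)# ping www.cisco.com
                       ^
ERROR: % Invalid Hostname
ciscoasa(config)# dns domain-lookup outside
ciscoasa(config)# ping www.cisco.com
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 30/40/50 ms
"""

# The ping command at a prompt, the result line, the ASA "no route" refusal
# and the two DNS failure messages, all in the form seen above.
PING_CMD = re.compile(r"^[\w.-]+(?:\([^)]*\))?#\s*(?:do\s+)?ping\s+(\S+)\s*$")
SUCCESS = re.compile(r"Success rate is (\d+) percent \((\d+)/(\d+)\)")
NO_ROUTE = re.compile(r"^No route to host")
DNS_FAIL = re.compile(r"% Unrecognized host or address|ERROR: % Invalid Hostname")


def parse_pings(transcript):
    """One {"target", "outcome"} per ping command; outcome is "ok", "unreachable"
    (echoes sent, none answered), "no_route" or "dns_fail"."""
    results, current = [], None
    for line in transcript.splitlines():
        m = PING_CMD.match(line.rstrip())
        if m:
            current = {"target": m.group(1), "outcome": None}
            results.append(current)
        elif current is None or current["outcome"] is not None:
            continue  # not inside a ping, or this ping already has its verdict
        elif DNS_FAIL.search(line):
            current["outcome"] = "dns_fail"
        elif NO_ROUTE.match(line):
            current["outcome"] = "no_route"
        elif m := SUCCESS.search(line):
            current["outcome"] = "ok" if int(m.group(2)) > 0 else "unreachable"
    return results


def _is_ip(target):
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False


def diagnose(results, gateway):
    """Map ping outcomes onto the three stages the session walks through (link to
    the loopback gateway, default route, DNS); the latest result for a stage wins.
    Returns (stages, remedies); a stage is None when it was never tested."""
    stages = {"link": None, "route": None, "dns": None}
    for r in results:
        if r["target"] == gateway:
            stage = "link"
        elif _is_ip(r["target"]):
            stage = "route"
        else:
            stage = "dns"
        stages[stage] = r["outcome"] == "ok"
    remedies = []
    if stages["link"] is False:
        remedies.append("interface: address on the loopback subnet and 'no shutdown'")
    if stages["route"] is False:
        remedies.append(f"default route: IOS 'ip route 0.0.0.0 0.0.0.0 {gateway}', "
                        f"ASA 'route outside 0 0 {gateway}'")
    if stages["dns"] is False:
        remedies.append("DNS: IOS 'ip domain-lookup' + 'ip name-server', "
                        "ASA 'dns domain-lookup <interface>' + 'dns name-server'")
    return stages, remedies


if __name__ == "__main__":
    for name, text in (("IOS", SAMPLE_IOS), ("ASA", SAMPLE_ASA)):
        print(name, *diagnose(parse_pings(text), "192.168.137.1"))
```

The gateway address is passed in rather than hard-coded because it is whatever Internet Connection Sharing assigned to the loopback (192.168.137.1 here). Note that the ASA reports a missing default route before sending anything ("No route to host"), while IOS sends the echoes and times out, which is why the parser treats both as a route-stage failure but records them separately.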

Saturday, November 14, 2015

Cisco WLC AP license

I had a site that needed 10 access points (APs) but was given a Cisco WLC 2504 that only supports 5 APs by default. Cisco's website mentioned that AP licenses can be added in increments of 1, 5 and 25, so I opted for a 25-AP license (L-LIC-CT2504-25A) in order to accommodate future growth of the wireless system. I followed these steps to apply the AP license.




The first step is to go to Cisco's licensing portal and register the license Product Authorization Key (PAK) that was sent via e-mail in PDF form (e-license) or as a hard copy. Register the license PAK using the Product ID (PID) and serial number found in the WLC by going to Controller > Inventory. The same info can be seen using the show license udi command.




Be extra careful and double-check the info that was typed into the licensing portal to avoid issues with the license not taking effect even after a reboot. I've personally encountered this mistake a couple of times and had to go through Cisco TAC to re-issue a new license. TAC usually responds within a day or two.

To install the AP license, go to Management > Software Activation > Commands > Actions > Install License; for some strange reason only the 3CDaemon TFTP server works. After transferring the license via TFTP, the WLC will prompt for a restart in order for the license to take effect. You can also optionally save the license.







After the WLC has rebooted, you can verify the license by going to Management > Software Activation > License. Click on the license to show more details.





Here are some useful WLC CLI commands to verify the license.

(Cisco Controller) >show license ?
              
all            Displays All The License(s).
capacity       Displays License currently used by AP
detail         Displays Details Of A Given License.
evaluation     Displays Evaluation License(s).
expiring       Displays Expiring License(s).
feature        Displays License Enabled Features.
file           Displays All The License File(s).
handle         Displays License Handles.
image-level    Display the image level
in-use         Displays License That Are In-Use.
permanent      Displays Permanent License(s).
statistics     Displays License Statistics.
status         Displays License Status.
summary        Displays Brief Summary Of All License(s).
udi            Displays UDI Values For Licenses.

(Cisco Controller) >show license summary

License Store: Primary License Storage
StoreIndex:  0  Feature: base                              Version: 1.0
        License Type: Permanent
        License State: Active, Not in Use
        License Count: Non-Counted
        License Priority: Medium
License Store: Primary License Storage
StoreIndex:  1  Feature: base-ap-count                     Version: 1.0
        License Type: Permanent
        License State: Inactive
        License Count: 5 / 0 (Active/In-use)
        License Priority: Medium
License Store: Primary License Storage
StoreIndex:  2  Feature: base-ap-count                     Version: 1.0
        License Type: Permanent
        License State: Active, In Use
        License Count: 30 /30 (Active/In-use)
        License Priority: Medium
License Store: Evaluation License Storage
StoreIndex:  0  Feature: base-ap-count                     Version: 1.0
        License Type: Evaluation
        License State: Inactive
            Evaluation total period: 12 weeks  6 days
            Evaluation period left: 12 weeks  5 days
        License Count: 75 / 0 (Active/In-use)
        License Priority: Low


(Cisco Controller) >show license feature

Feature name        Enforcement   Evaluation  Clear Allowed  Enabled
base-ap-count       yes           yes         yes            yes   
data_encryption     yes           no          yes            no    


(Cisco Controller) >show license capacity


Licensed Feature    Max Count         Current Count     Remaining Count
-----------------------------------------------------------------------
AP Count            30                5                 25
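The two outputs above are what you would check after every license install, and on a fleet of controllers that check is worth scripting. The following Python parser is an added example, not from the original post and not a Cisco tool: it turns show license summary and show license capacity into data, totals the permanent base-ap-count licenses that are in an Active state, cross-checks that total against the Max Count row, and flags a controller that is running on the evaluation license. A mistyped PAK (the failure described above) shows up as a licensed total that never reaches the expected count even after the reboot. The sample text is a constructed copy of the controller output above with the StoreIndex 0 base entry left out; the function names are my own.

```python
import re

# Constructed copy of the 'show license summary' and 'show license capacity'
# output above (StoreIndex 0 'base' entry omitted for brevity).
SUMMARY = """\
License Store: Primary License Storage
StoreIndex:  1  Feature: base-ap-count                     Version: 1.0
        License Type: Permanent
        License State: Inactive
        License Count: 5 / 0 (Active/In-use)
        License Priority: Medium
License Store: Primary License Storage
StoreIndex:  2  Feature: base-ap-count                     Version: 1.0
        License Type: Permanent
        License State: Active, In Use
        License Count: 30 /30 (Active/In-use)
        License Priority: Medium
License Store: Evaluation License Storage
StoreIndex:  0  Feature: base-ap-count                     Version: 1.0
        License Type: Evaluation
        License State: Inactive
            Evaluation total period: 12 weeks  6 days
            Evaluation period left: 12 weeks  5 days
        License Count: 75 / 0 (Active/In-use)
        License Priority: Low
"""

CAPACITY = """\
Licensed Feature    Max Count         Current Count     Remaining Count
-----------------------------------------------------------------------
AP Count            30                5                 25
"""

STORE = re.compile(r"^License Store: (.+)$")
INDEX = re.compile(r"^StoreIndex:\s+(\d+)\s+Feature:\s+(\S+)\s+Version:\s+\S+")
FIELD = re.compile(r"^\s+License (Type|State|Count|Priority): (.+)$")
COUNT = re.compile(r"(\d+)\s*/\s*(\d+)\s*\(Active/In-use\)")  # tolerates '30 /30'
EVAL_LEFT = re.compile(r"^\s+Evaluation period left: (.+)$")
CAP_ROW = re.compile(r"^AP Count\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_license_summary(text):
    """One dict per StoreIndex entry; active/in_use stay None for Non-Counted."""
    entries, store, cur = [], None, None
    for line in text.splitlines():
        if m := STORE.match(line):
            store = m.group(1).strip()
        elif m := INDEX.match(line):
            cur = {"store": store, "index": int(m.group(1)), "feature": m.group(2),
                   "type": None, "state": None, "active": None, "in_use": None,
                   "priority": None, "eval_left": None}
            entries.append(cur)
        elif cur is None:
            continue
        elif m := FIELD.match(line):
            key, val = m.group(1).lower(), m.group(2).strip()
            if key != "count":
                cur[key] = val
            elif c := COUNT.search(val):
                cur["active"], cur["in_use"] = int(c.group(1)), int(c.group(2))
        elif m := EVAL_LEFT.match(line):
            cur["eval_left"] = " ".join(m.group(1).split())
    return entries


def parse_capacity(text):
    """The AP Count row of 'show license capacity' as a dict, or None if absent."""
    for line in text.splitlines():
        if m := CAP_ROW.match(line):
            return {"max": int(m.group(1)), "current": int(m.group(2)),
                    "remaining": int(m.group(3))}
    return None


def licensed_ap_count(entries):
    """APs granted by permanent base-ap-count licenses that are in an Active state."""
    return sum(e["active"] or 0 for e in entries
               if e["feature"] == "base-ap-count" and e["type"] == "Permanent"
               and (e["state"] or "").startswith("Active"))


def audit(summary_text, capacity_text, expected_max):
    """Findings that mean the PAK did not take effect, the capacity view disagrees
    with the license store, or the evaluation license is carrying the APs."""
    entries = parse_license_summary(summary_text)
    cap = parse_capacity(capacity_text)
    licensed = licensed_ap_count(entries)
    findings = []
    if licensed != expected_max:
        findings.append(f"permanent AP licenses total {licensed}, expected {expected_max}")
    if cap is None:
        findings.append("no 'AP Count' row in show license capacity")
    elif cap["max"] != licensed or cap["max"] - cap["current"] != cap["remaining"]:
        findings.append(f"capacity row {cap} disagrees with licensed total {licensed}")
    for e in entries:
        if e["type"] == "Evaluation" and (e["state"] or "").startswith("Active"):
            findings.append(f"evaluation license in use, {e['eval_left']} left")
    return findings
```

Calling audit(SUMMARY, CAPACITY, 30) on the output above returns an empty list: the 30-count permanent license is Active, the capacity row agrees (30 max, 5 joined, 25 remaining) and the 75-count evaluation license is Inactive. Only the summary's "Active" state is trusted for the total; the "In-use" figure in the summary (30/30) counts activated license seats, not joined APs, which is why the Current Count of 5 is read from the capacity output instead.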