Cisco CCNA 200-301 – Network Automation and Programmability Part 5

  • March 10, 2023

9. Ansible Lab Demo

In this lecture, you'll see how to configure wireless networks on a wireless LAN controller with a lab demo. It's the same lab scenario as the last video, where I configured the switch. Now I'm going to configure all of the wireless network settings on the wireless LAN controller. We're going to configure a couple of different WLANs: the corporate wireless network and also the guest WLAN. The corporate WLAN is for internal staff.

For them to log in, we're going to need to supply a username and password, and that is going to be authenticated by the RADIUS server here using 802.1X authentication. Guests don't need to enter a username and password; they just enter a pre-shared key. So the guest network is going to be using WPA Personal authentication, and the corporate network is going to be using WPA2 Enterprise. Corporate users will have access to all of the internal resources.

So they're going to be assigned to the corporate VLAN and the corporate IP subnet. Guest users will be in a different guest VLAN and guest IP subnet, and they'll just have access to the Internet. Okay, so let's get this all set up. First, I need to connect to the admin GUI on the wireless LAN controller. If I click on the wireless LAN controller in Packet Tracer, go into Config and look at the management interface, you can see that it's already been given an IP address:

192.168.10.11. When you're working on a real-world wireless LAN controller, the first thing you need to do is go through the initial setup to give it an IP address. After that, when you're actually working on the wireless LAN controller, you're going to be working in the GUI. You can do configuration in the command line as well, but it's much easier to work in the GUI; that's what pretty much everybody does. But before you can connect to the GUI, it needs to have an IP address.

So when you take a wireless LAN controller out of the box for the first time, you'll hook up to it with a console cable. Then, at the command line that you get through the console connection, you'll go through the Initial Setup Wizard, and that's where you configure the basic settings such as the IP address, subnet mask and default gateway. For this lab demo I've already done that: I've gone through the Initial Setup Wizard at the command line just to get an IP address on the wireless LAN controller. Now that is done, I'll be able to connect to its admin GUI from my admin laptop here.

So I'll go on to my admin laptop. You can see I've gone to https://192.168.10.11 on the wireless LAN controller, entered my management username and password, and I'm going to log in, which lands me on the dashboard. The first thing I'm going to do is configure my integration with the RADIUS server. So let's look back in the main Packet Tracer window at my RADIUS server. I'll click on that, and if I go to Config, you can see that it's got IP address 192.168.10.10.

If I look at Services and then at AAA, you can see that RADIUS has been enabled, and I have added a username flackbox with the password flackbox2. I've also done the RADIUS server side of the configuration for integrating it with the wireless LAN controller: I've added the wireless LAN controller here, specified its IP address 192.168.10.11, and the shared key is flackbox1. So now I need to add the RADIUS server on the wireless LAN controller.

So let's do that. Back on my admin laptop, in the GUI for the wireless LAN controller, I go to Security; that's where I configure integration with AAA servers. Under AAA > RADIUS > Authentication, I click New to add a new server. The RADIUS server IP address is 192.168.10.10, and the shared secret was flackbox1.

So I type that in and then click Apply in the top right. That is my integration done with my RADIUS server, and I can see it in the main page for my authentication servers here. Okay, next thing: before I configure my WLANs, I need to get the global settings configured first; that's why I configured the RADIUS server. Another thing I need to do: when wireless clients connect to those WLANs, they're going to need to get an IP address from DHCP.

We could use static IP addresses, but it's much more likely we're going to be using DHCP. We could use an external DHCP server, but for this demo I'm going to use the DHCP service on the wireless LAN controller. So I need to configure a DHCP scope for both the corporate and the guest WLANs. For that I go to Controller > Internal DHCP Server > DHCP Scope.

You can see there's already a default scope in here. I'm going to click New to create a new one. This first one I will name Corporate, to match the name of my VLAN and my WLAN. Creating it doesn't open it for editing, so I click on it again here to edit it. The start address is in 192.168.22.x: my IP subnet for corporate was 192.168.22.0, and I'm going to start giving out addresses beginning with 1. The last address I'll use is 192.168.22.254, the network is 192.168.22.0, and the subnet mask is 255.255.255.0.

The default router is my multilayer switch at 192.168.22.1. In a real-world environment you would enter the DNS details here as well. I'm not using DNS in my lab, so I can leave that blank and click Apply. So that's going to give out addresses to clients who connect to the corporate WLAN. I need to give addresses to the guest clients as well, so I'm going to create another new scope. I name this Guest and click Apply, then click on it to edit it. The starting address is in 192.168.23.x; the guest subnet is 23 and I'll start with 101, so 192.168.23.101.

The ending address is 192.168.23.254, the network is 192.168.23.0, the subnet mask is 255.255.255.0, and the default router is 192.168.23.1. Okay, so that is my DHCP scopes done. I click Apply; I can see them there and the pools look good. Next, I need to configure virtual interfaces on my wireless LAN controller, again one for each WLAN. When I configure the virtual interfaces, I need to associate them with the physical port that is connected to the switch, so let's check what port that is. I click on Ports, and when the page loads I can see that it's port 1, because that's the port whose link is up. In my lab environment I've just got one physical port connected into the switch. In a real-world environment you would want to use a LAG (link aggregation), which is an EtherChannel, to bundle multiple ports together for additional bandwidth. Okay, so here I'm going to be using port 1.
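The two scopes above are typed into a GUI form that accepts whatever you enter, so it is worth checking the fields for consistency before clicking Apply. The following is an added example, not part of the course or of the WLC software: it checks the same fields the form asks for (start, end, network, mask, default router) plus any static hosts that must stay out of the pool, such as the controller's own interface in that VLAN. The Guest scope uses the lecture's values; the "Corporate-draft" and "Guest-typo" scopes are constructed to show what the checks catch.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class DhcpScope:
    """One internal DHCP scope, with the same fields the WLC GUI form asks for."""
    name: str
    start: str             # first address the scope hands out
    end: str               # last address the scope hands out
    network: str
    netmask: str
    default_router: str
    reserved: tuple = ()   # static hosts in the subnet that must stay out of the pool


def validate_scope(scope):
    """Return a list of problems with one scope; an empty list means it is consistent."""
    try:
        # strict=True rejects a network with host bits set; a malformed mask
        # (a typo such as 255.255.2550) raises ValueError here as well.
        net = ipaddress.IPv4Network(f"{scope.network}/{scope.netmask}", strict=True)
        start = ipaddress.IPv4Address(scope.start)
        end = ipaddress.IPv4Address(scope.end)
        router = ipaddress.IPv4Address(scope.default_router)
        reserved = [ipaddress.IPv4Address(r) for r in scope.reserved]
    except ValueError as exc:
        return [f"{scope.name}: invalid field: {exc}"]

    problems = []
    for label, addr in (("start", start), ("end", end), ("default router", router)):
        if addr not in net:
            problems.append(f"{scope.name}: {label} {addr} is not inside {net}")
    if start > end:
        problems.append(f"{scope.name}: start {start} is after end {end}")
    if start == net.network_address:
        problems.append(f"{scope.name}: start {start} is the network address")
    if end == net.broadcast_address:
        problems.append(f"{scope.name}: end {end} is the broadcast address")
    # The pool must not hand out addresses that are already in static use.
    static = [("default router", router)] + [("reserved host", r) for r in reserved]
    for label, addr in static:
        if start <= addr <= end:
            problems.append(f"{scope.name}: {label} {addr} lies inside the pool {start}-{end}")
    return problems


def validate_all(scopes):
    """Validate every scope and additionally report pools that overlap each other."""
    problems = []
    pools = []
    for scope in scopes:
        problems.extend(validate_scope(scope))
        try:
            pools.append((scope.name, ipaddress.IPv4Address(scope.start),
                          ipaddress.IPv4Address(scope.end)))
        except ValueError:
            pass  # already reported by validate_scope
    for i, (name_a, start_a, end_a) in enumerate(pools):
        for name_b, start_b, end_b in pools[i + 1:]:
            if start_a <= end_b and start_b <= end_a:
                problems.append(f"{name_a} and {name_b}: pools overlap")
    return problems


# Guest scope with the lecture's values (.2 reserved for the WLC's Guest interface).
GUEST = DhcpScope("Guest", "192.168.23.101", "192.168.23.254", "192.168.23.0",
                  "255.255.255.0", "192.168.23.1", reserved=("192.168.23.2",))
# Constructed draft: a pool starting at .1 collides with the default router
# and with the controller's own Corporate interface at .2.
CORPORATE_DRAFT = DhcpScope("Corporate-draft", "192.168.22.1", "192.168.22.254",
                            "192.168.22.0", "255.255.255.0", "192.168.22.1",
                            reserved=("192.168.22.2",))
# Constructed typo in the mask, the kind of slip a GUI form will not stop.
GUEST_TYPO = DhcpScope("Guest-typo", "192.168.23.101", "192.168.23.254",
                       "192.168.23.0", "255.255.2550", "192.168.23.1")

if __name__ == "__main__":
    for line in validate_all([GUEST, CORPORATE_DRAFT, GUEST_TYPO]):
        print(line)
```

Run it before applying a scope; a clean scope returns an empty list, and every reported line names the field to correct in the form.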

Now I go to Interfaces. This creates virtual interfaces, which are similar to an SVI (interface VLAN) on a switch. My default interfaces are already there. I'm going to create a new one and name it Corporate; the VLAN this is in is VLAN 22, my corporate VLAN. Click Apply, and on the next page I need to specify the physical port that this is associated with, the port this VLAN will be carried over, which was port 1.

The VLAN identifier is 22. I'm going to give this the IP address 192.168.22.2, because my switch is using .1; the subnet mask is 255.255.255.0 and the default gateway for the subnet is 192.168.22.1. Then the primary DHCP server: I configured the DHCP scope here on my wireless LAN controller, so I enter the management address of the wireless LAN controller, 192.168.10.11. Compare this with a multilayer switch acting as the default gateway: you have your VLAN interfaces on there,

and on those VLAN interfaces you have the DHCP helper address so that clients can reach the DHCP server. We're doing the same thing here: when the wireless clients connect to the WLAN, they need to reach their DHCP server, so that's why I had to configure the logical interface, give it an IP address and specify the address of the DHCP server. Okay, so I've done that for the corporate network. I click Apply, and it warns that changing the interface parameters can cause a temporary loss of connectivity for connected clients. I don't have any clients connected yet, so that's no problem; I click OK and go back to the Interfaces page. I see my Corporate interface is there. I need to create another new one for Guest, so I click New, give it the name Guest, set the VLAN ID to 23 for my guest network, and click Apply. On the next page I associate this with port number 1.

So both of my VLANs are going to be trunked over the same underlying physical port. The IP address here is 192.168.23.2; because the default gateway is .1, I need to use something that's not used elsewhere. The subnet mask is 255.255.255.0, and the gateway is 192.168.23.1. Again, both the corporate and the guest clients are using the same DHCP server, which is here on the wireless LAN controller at 192.168.10.11. I click Apply, click OK again, then click Interfaces, and there I can see I've got my interfaces configured. Okay, so I've got my integration done with the RADIUS server, my DHCP scopes configured and my logical interfaces configured, so now I'm ready to configure my wireless local area networks. For that I click on the WLANs tab, choose Create New and click Go. The type is WLAN, and for the profile name I'm going to use the same naming convention again, so I'll call this Corporate, and the SSID is also going to be Corporate.

You can use a different profile name and SSID, but normally you want to keep these the same; it just makes things more logical and easier to see what's going on. The ID is just an index number, so it starts at 1 and goes up from there; 1 is fine here, and I click Apply. When this page loads I can specify the settings for my WLAN. The first thing I need to do is make sure that it's associated with the Corporate interface I just created, so I click on the drop-down here and select Corporate; that's how it gets the right settings and the correct DHCP scope. I'm not going to enable it yet, because I haven't configured the security; I want to make sure that I don't have any clients connecting before I've configured the security settings. I need to remember to come back here and enable it when I'm done, though. Okay, so let's do the security. I click on Security, and then for Layer 2 Security I click the drop-down and I'm going to configure this for 802.1X authentication.

You can see that 802.1X is an option there, but on the wireless LAN controller, if you choose that, it's 802.1X with the old legacy authentication, which we don't want to use anymore. So I'm going to use WPA+WPA2. I select that, and you can see 802.1X is an option underneath here. For the policy, I don't want WPA enabled, just WPA2, so I tick that; I want to use AES encryption, not TKIP; and I'm going to be using 802.1X for the authentication here. Then I also need to click on the AAA Servers tab and select my RADIUS server: I click the drop-down, and there I can see the RADIUS server that I added earlier, so I select that and click Apply. So that's all of my settings done. The thing I need to not forget, which is easy to forget: also tick Enabled and apply that. Okay, so that is my corporate WLAN configured. You can see there are other settings in here as well, such as QoS policies, et cetera; I don't need any of those here.

Now I go back to the main WLANs page, and there is my corporate WLAN. I need to create my guest WLAN as well, so I go Create New and click Go. I give it the profile name Guest and the SSID Guest as well. It uses the next ID index number, which is 2. I click Apply, and then on the next page, again, I haven't set the security yet, so I'm not going to enable it yet. The interface this is associated with is my Guest interface. Under the radio policy is where you can specify whether you want 802.11ac or n or g and so on; that's where you specify which of the standards you want enabled for this WLAN. Okay, so next up I need to do the security. I click on the drop-down and again I'm going to use WPA+WPA2. But rather than 802.1X here, I'm using a pre-shared key, so I need to specify what the pre-shared key is. I enter that in the box here and then I can apply. I forgot to specify that it's WPA2 that I want to use here, and AES.

Okay, so I just selected that, and now I should be able to click Apply and this will work. Okay, so that's all good. Again I need to remember to enable it, so I tick the Enabled checkbox and click Apply, and that is my WLANs all configured. The last thing I need to do is actually check that it's working, but first let's check the WLANs are there. I go back to the WLANs main page again, and there I can see Corporate and Guest. I can see Guest is using a pre-shared key and Corporate is using 802.1X authentication. Okay, so let's go back to the Packet Tracer main window. You can see I've got a corporate laptop and a guest laptop here. To test this is working, I go to the corporate laptop, go to Config, and for my wireless interface I say that I want to connect to the Corporate SSID. The options include WPA, WPA2 and WPA2 pre-shared key; I'm using WPA2 Enterprise, so WPA2 is the option here.
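The corporate and guest WLANs above were built by hand, and the lecture twice had to go back for a setting that was missed (WPA2 and AES on the guest WLAN, and enabling each WLAN only after its security was set). The following is an added example, not part of the course or of the WLC software: a small audit over WLAN settings expressed as dicts with the same names as the GUI fields, flagging the legacy or weak choices the drop-downs still offer (open or WEP layer 2 security, the legacy 802.1X option, WPA version 1, TKIP, a too-short pre-shared key, 802.1X without a configured RADIUS server) and a WLAN that is enabled with any of those unresolved. The Corporate and Guest entries use the lecture's values; the field names, the RADIUS server set and the two draft WLANs are assumptions constructed for the example.

```python
# RADIUS servers configured under Security > AAA > RADIUS > Authentication
# (the lecture's server address; assumption: it is the only one configured).
RADIUS_SERVERS = {"192.168.10.10"}

# Layer 2 security choices from the WLC drop-down that should not be used for a new WLAN.
# "802.1X" here is the stand-alone legacy option, not 802.1X under WPA+WPA2.
WEAK_LAYER2 = {"None", "WEP", "802.1X"}


def audit_wlan(wlan, radius_servers=RADIUS_SERVERS):
    """Return a list of findings for one WLAN given as a dict of GUI settings; empty = OK."""
    findings = []
    name = wlan.get("profile_name", "<unnamed>")
    l2 = wlan.get("layer2_security", "None")

    if not wlan.get("interface"):
        findings.append(f"{name}: no dynamic interface selected, so clients get no VLAN/DHCP scope")
    if l2 in WEAK_LAYER2:
        findings.append(f"{name}: layer 2 security '{l2}' is open or legacy; use WPA+WPA2 with WPA2 only")
    elif l2 == "WPA+WPA2":
        if wlan.get("wpa_policy"):
            findings.append(f"{name}: WPA (version 1) policy is enabled; untick it")
        if not wlan.get("wpa2_policy"):
            findings.append(f"{name}: WPA2 policy is not enabled")
        enc = set(wlan.get("encryption", ()))
        if "TKIP" in enc:
            findings.append(f"{name}: TKIP encryption is enabled; use AES only")
        if "AES" not in enc:
            findings.append(f"{name}: AES encryption is not enabled")
        akm = wlan.get("auth_key_mgmt")
        if akm == "802.1X":
            if wlan.get("radius_server") not in radius_servers:
                findings.append(f"{name}: 802.1X selected but no configured RADIUS server chosen on the AAA Servers tab")
        elif akm == "PSK":
            # WPA2-Personal passphrases are 8 to 63 ASCII characters.
            if not 8 <= len(wlan.get("psk", "")) <= 63:
                findings.append(f"{name}: WPA2 pre-shared key must be 8 to 63 characters")
        else:
            findings.append(f"{name}: no authentication key management (802.1X or PSK) selected")
    else:
        findings.append(f"{name}: unrecognised layer 2 security setting '{l2}'")

    if wlan.get("enabled") and findings:
        findings.append(f"{name}: WLAN is enabled while the issues above are unresolved")
    return findings


def audit_all(wlans):
    """Map each WLAN profile name to its findings."""
    return {w.get("profile_name", "<unnamed>"): audit_wlan(w) for w in wlans}


# WLANs as configured in the lecture.
CORPORATE = {"profile_name": "Corporate", "ssid": "Corporate", "interface": "corporate",
             "enabled": True, "layer2_security": "WPA+WPA2", "wpa_policy": False,
             "wpa2_policy": True, "encryption": ("AES",), "auth_key_mgmt": "802.1X",
             "radius_server": "192.168.10.10"}
GUEST = {"profile_name": "Guest", "ssid": "Guest", "interface": "guest", "enabled": True,
         "layer2_security": "WPA+WPA2", "wpa_policy": False, "wpa2_policy": True,
         "encryption": ("AES",), "auth_key_mgmt": "PSK", "psk": "flackbox3"}
# Constructed: the guest WLAN as it would look if the WPA2/AES step had been skipped,
# with a short key, and enabled anyway.
GUEST_DRAFT = {"profile_name": "Guest-draft", "ssid": "Guest", "interface": "guest",
               "enabled": True, "layer2_security": "WPA+WPA2", "wpa_policy": True,
               "wpa2_policy": True, "encryption": ("TKIP", "AES"),
               "auth_key_mgmt": "PSK", "psk": "guest"}
# Constructed: the stand-alone legacy 802.1X option with no interface chosen, left disabled.
LEGACY_DRAFT = {"profile_name": "Legacy-draft", "ssid": "Legacy", "interface": None,
                "enabled": False, "layer2_security": "802.1X"}

if __name__ == "__main__":
    for profile, found in audit_all([CORPORATE, GUEST, GUEST_DRAFT, LEGACY_DRAFT]).items():
        print(profile, "OK" if not found else "")
        for line in found:
            print("  -", line)
```

The "enabled while unresolved" finding is the one to act on first, since it is the only case where clients can already be associating with the weaker settings.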

Again, it's not 802.1X, which is the legacy way of doing it; it's WPA2. Then in here I specify my user ID, which was flackbox, and the password flackbox2; those are the user credentials that were configured on the RADIUS server. I've done that, and I click out of here to make it take effect, then go back to the wireless interface. I might need to give this a minute or two to get the IP address from DHCP. While that's going on, let's configure the guest laptop as well. I click on that, go to Config and to my wireless network card. The SSID I'm going to connect to is Guest, and this is with WPA2 pre-shared key, so I don't get the granularity of a username and password; it's the same password for everybody, and that was flackbox3. I click out of there to make sure that takes effect and go back to Config. That all looks good, actually.

What did I do for the corporate laptop? Did I put in the wrong password there? Let's double-check. No, the password is flackbox2, so that's good. Yeah, that's fine, and I can see it has now got an IP address, so that looks good. If I look back in the main Packet Tracer window, from the indicators here I can see that they are both connected to the wireless network, and if I was on a real-world wireless LAN controller I could go back into the dashboard and see information about those clients. Okay, so that was it. That's how to configure wireless networking with the wireless LAN controller in a Cisco environment, and that wraps up the wireless section. See you in the next lecture.

10. SDN Software Defined Networking

In this lecture you'll learn about SDN, software-defined networking. Before I explain what SDN is, we need to review the planes on our routers and switches: the data, control and management planes. The data plane, also known as the forwarding plane, is where traffic is forwarded through the device. So if, for example, you're sitting in the office and you open up a web page on the Internet, and those packets are going through the router, then they are passing through the data plane. Any normal production traffic that the router is forwarding through its interfaces is going through the data plane. The next plane is the control plane. The control plane makes decisions about how to forward traffic. Control plane packets, such as routing protocol updates at layer 3 or spanning tree updates at layer 2, are destined to or locally originated on the device itself.

So if, for example, we've got a couple of routers, R1 and R2, sharing OSPF updates with each other, when R1 advertises a route to R2, that packet originates on R1 and is destined to R2. So unlike the packets in the data plane, which pass through the router, packets in the control plane originate from and terminate on the routers or switches. Finally, we have the management plane. The device is configured and monitored in the management plane. For example, if you're connecting to the router or switch to manage it through Telnet or SSH, you're working in the management plane. You could also be managing it via a GUI using HTTPS, via SNMP, or via an API (application programming interface). Okay, so those are our three planes. In a traditional environment, the network infrastructure devices, your routers and switches, are responsible for their own individual control and data planes.
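The three planes are easiest to tell apart by asking, for each packet, whether the device is merely forwarding it, exchanging it with a neighbour, or being configured or monitored by it. The following is an added example, not part of the course: a classifier that applies the lecture's definitions to constructed packets (transit traffic is data plane; routing-protocol and spanning-tree exchanges, and anything else destined to or originated by the device, are control plane; SSH, Telnet, HTTPS, SNMP and NETCONF to the device are management plane). It then picks out management-plane packets whose source is outside an admin subnet, which is the traffic a management ACL should drop and a monitoring system should alert on. The device addresses reuse the lecture's corporate and guest gateways; the management SVI, the admin subnet, the hosts and the packets are constructed for the example.

```python
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    """Constructed, simplified view of one packet seen at a device."""
    src: str
    dst: str
    proto: str      # "tcp", "udp", "icmp", "ospf", "stp", ...
    dport: int = 0  # destination port for tcp/udp, otherwise 0


# Protocols exchanged between devices to build forwarding state (control plane).
CONTROL_PROTOCOLS = {"ospf", "eigrp", "stp", "cdp", "lldp"}
OSPF_MULTICAST = {"224.0.0.5", "224.0.0.6"}   # AllSPFRouters / AllDRouters
# Destination ports of the management methods named in the lecture.
MANAGEMENT_PORTS = {22: "SSH", 23: "Telnet", 443: "HTTPS", 161: "SNMP", 830: "NETCONF"}


def classify_plane(packet, device_addrs):
    """Return (plane, reason) for a packet, given the set of the device's own addresses."""
    to_device = packet.dst in device_addrs or packet.dst in OSPF_MULTICAST
    from_device = packet.src in device_addrs
    if packet.proto in CONTROL_PROTOCOLS:
        return "control", f"{packet.proto.upper()} exchanged with a neighbour"
    if packet.proto == "tcp" and packet.dport == 179 and (to_device or from_device):
        return "control", "BGP session terminated on the device"
    if to_device and packet.proto in ("tcp", "udp") and packet.dport in MANAGEMENT_PORTS:
        return "management", f"{MANAGEMENT_PORTS[packet.dport]} to the device"
    if not to_device and not from_device:
        return "data", "transit traffic forwarded through the device"
    # Anything else that starts or ends on the device (e.g. a ping to its address)
    # falls under the lecture's control-plane definition.
    return "control", "destined to or originated by the device itself"


def unexpected_management(packets, device_addrs, admin_network):
    """Management-plane packets whose source lies outside the admin network."""
    admin = ipaddress.IPv4Network(admin_network)
    flagged = []
    for p in packets:
        plane, _ = classify_plane(p, device_addrs)
        if plane == "management" and ipaddress.IPv4Address(p.src) not in admin:
            flagged.append(p)
    return flagged


# The device here is the multilayer switch: the lecture's corporate and guest
# gateways plus a constructed management SVI 192.168.10.1.
DEVICE_ADDRS = {"192.168.10.1", "192.168.22.1", "192.168.23.1"}
ADMIN_NETWORK = "192.168.10.0/24"   # assumption: the management subnet is the admin subnet
SAMPLE = [
    Packet("192.168.22.50", "203.0.113.10", "tcp", 443),    # corporate laptop browsing the web
    Packet("192.168.22.1", "224.0.0.5", "ospf"),            # OSPF hello sent by the switch
    Packet("192.168.10.20", "192.168.10.1", "tcp", 22),     # admin laptop, SSH to the switch
    Packet("192.168.22.50", "192.168.22.1", "icmp"),        # laptop pinging its gateway
    Packet("192.168.23.150", "192.168.10.1", "tcp", 22),    # guest client, SSH to the switch
    Packet("10.9.9.9", "192.168.22.1", "udp", 161),         # SNMP from an unknown host
]

if __name__ == "__main__":
    for p in SAMPLE:
        plane, why = classify_plane(p, DEVICE_ADDRS)
        print(f"{p.src:>15} -> {p.dst:<15} {plane:<10} {why}")
    for p in unexpected_management(SAMPLE, DEVICE_ADDRS, ADMIN_NETWORK):
        print("ALERT: management-plane access from outside the admin subnet:", p.src)
```

The last two sample packets are the ones a defender cares about: guests and unknown hosts have no business reaching the management plane, and separating the planes this way is also what makes it possible to move the control plane off the device, as the lecture goes on to describe.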

So for all the packets passing through a router or a switch, it is that router or switch that is responsible for forwarding them in the data plane; and in the control plane, again using OSPF as the example, each individual router is responsible for updating its own routing table, which is how it makes those forwarding decisions. Software-defined networking breaks with the traditional model. SDN decouples the data and control planes: rather than having both the data and control planes running individually on each of our network devices, with SDN the control plane is moved off to a centralized SDN controller. So the network infrastructure devices are still responsible for forwarding traffic (they still control their own data plane), but the control plane intelligence moves to a centralized SDN controller.

Rules for packet handling are sent to the network infrastructure devices from the controller, the devices query the controller for guidance as needed, and they provide it with information about the traffic they're handling. We can run SDN either as a pure SDN or as a hybrid SDN. With a pure SDN, the control plane runs purely on the SDN controller and the data plane runs purely on the network devices. With a hybrid SDN, the majority of the control plane intelligence is again provided by the SDN controller, but the network devices retain some control plane intelligence as well as the data plane operations. Most implementations, including those used by Cisco, use a hybrid SDN because it can be more efficient and give higher performance that way. Okay, so let's look at the SDN architecture. The information on this slide you definitely want to know for the CCNA exam. In the architecture, everything is from the point of view of the SDN controller.

So we'll start there. At the control layer we've got our SDN controller, which provides the network services. It's going to be managing our network devices, our routers, our switches, etc., which live in the infrastructure layer; in the hierarchy that is below the control layer. Because everything in the architecture is from the point of view of the SDN controller and the network devices are below it in the hierarchy, we use southbound APIs from the controller to control the network devices. The APIs could use OpenFlow, which was one of the earlier SDN protocols; it's open source. Other ways the SDN controller can control the devices are via SNMP, a REST API, NETCONF, RESTCONF or SSH.

Which one is used depends on the particular implementation. Often controllers can use several protocols, and they will use whichever one is supported by the particular device they are managing. We also have the application layer; that's where we have our SDN business applications. Because this is above the controller in the hierarchy, from the controller's point of view it communicates with that using northbound APIs. Northbound APIs typically use REST. Okay, so let's have a look at this in action so you can visualize it. I'll go back to my AWS example again. In Amazon Web Services I'm going to be provisioning a virtual machine; at this point I've already configured all my settings and I'm just going to the review page now. You can see that in this web-based front end I've configured the network settings that I want on my virtual machine: I've specified the network subnet and whether I want it to have a public IP address.

I've also specified my firewall rules here as well. So this is the front end that the user is interacting with when provisioning the virtual machine, and from here we need to get the server configured: I need to have the operating system installed, and I also need all my network infrastructure devices configured. Looking at our hierarchical model, this is at the application layer; this is my front-end SDN business application. I fill in the information there, and when I click the button to actually provision the virtual machine, the northbound APIs using REST communicate with the SDN controller. Then it's the SDN controller that actually pushes the configuration to my network devices below it. That's how it typically works: you have a front end that the user or the administrator interacts with at the application layer, it uses a REST API to communicate with the controller, and the controller uses its southbound APIs to actually push the config to the devices.

Finally, let's look at what SDN controllers are available from Cisco. First up we've got the APIC, which stands for Application Policy Infrastructure Controller. The APIC is the main component of Cisco ACI, which stands for Application Centric Infrastructure. The APIC is designed to manage data center environments with Nexus switches. In an IT environment, it's typically your data center that has your higher-end devices, because that's where all your services are located, so you want high performance there. Because of this, the data center is often the first place that new technologies get implemented.

That was the case with Cisco SDN. If you had a Cisco-based data center using Nexus switches, you were able, and still are able, to control that with SDN using the Cisco APIC. The APIC has been available for several years. The next one to become available was the APIC-EM, which stands for Application Policy Infrastructure Controller Enterprise Module. Where the APIC is designed for use in data center environments and controls Nexus switches, the APIC-EM is designed to manage enterprise environments such as your campus, branch and WAN.

Now, the APIC-EM has recently been upgraded to DNA Center. DNA Center has most of the same features and functions that the APIC-EM had. The APIC-EM has not gone end of life yet as I'm recording this; it will at some point, though, because DNA Center is really the new version of the APIC-EM. The APIC used in data center environments is not covered in the CCNA exam, but DNA Center for your enterprise environments is. So in the next lecture, we'll look in more detail at DNA Center.
