
Congratulations to IPexpert’s Latest CCIE Success Stories!!!


Join us in congratulating the following CCIEs on their great achievement:

  • Jason Stepp CCIE #39934 (Voice)
  • Simon Carron CCIE #39900 (Voice)
  • Jay Peralta CCIE #39958 (Voice)
  • Phil Priest CCIE #39930 (R&S)

Ramcharan Arya, CCIE #28926 (from the 7/19/2013 success story list)

I am highly excited to share the great news of passing the CCIE Voice lab exam. Thank you IPexpert for providing excellent study material for CCIE Voice exam preparation. Special thanks to Vik for his outstanding efforts in conducting the 5-day CCIE Voice Troubleshooting bootcamp, presenting the methodology and approach for solving complex troubleshooting scenarios, along with details on lab exam tips and strategy for passing the CCIE Voice exam.

Vik’s presentation covers details on voice protocols, and without understanding them it is not easy to pass the CCIE Voice lab. The 5 Lab Handbook is an excellent aid in preparing for the CCIE Voice lab exam. Finally, thank you to the IPexpert support team for their help.

IPexpert is proud to boast the industry’s most complete and updated self-study portfolio for the CCIE Routing & Switching Lab, CCIE Voice Lab, CCIE Security Lab, CCIE Data Center Lab, and CCIE Wireless Lab exams. Have you also used IPexpert or Proctor Labs to help you pass the CCIE lab exam? If so, we want to hear your story! Please email us at success@ipexpert.com

 


Building a home lab for the Wireless CCIE- Part 5


This post will wrap up the hardware recommendations for your home lab.  We’ve already talked about all networking gear and all servers.  Now we will touch on a few last pieces that you may want to consider.

Terminal Server

This is something that I would give some thought to.  What a terminal server allows you to do is to reverse telnet to the console ports of your network devices.  So rather than moving a console cable around from device to device, you just open a telnet session to a specific port on the terminal server and you are on the console of your device.  This is handy to save time/effort and it also allows you to get a console session when you are not right next to your rack.  You can also have a console session open to every device at the same time.

The classic hardware to do this in a home lab is a 2509 or 2511 Cisco router.  The 2509 will support 8 console connections and the 2511 will support 16.  If you buy the standard routers, you’ll need to purchase octal cables to connect the routers to the network devices.  But there is a model, the AS2511-RJ, that allows you to just use Ethernet cables between the router and the network devices.  In the end, you’ll spend around $275 either way.

One other thing to know is that the routers don’t have a native RJ45 Ethernet port.  So you’ll need a transceiver to convert the Ethernet port to an RJ45 port.

VoIP Phones

If you want to have VoIP phones in your lab to practice with, go with the 7921 for a wireless phone.  The phone in the lab is a 7925.  The 7921 and the 7925 are nearly identical in terms of features.  It’s not worth the extra money to go with the 7925.  A 7921 will run about $180.  Don’t forget to purchase a charging cable/station as well.  For a wired phone, you can pick most anything.  Just get a cheap 7912 or 7940.  That way, your 7921/25 has something to call.

Test Laptop

It would be helpful to have a laptop to use specifically for associating to your APs.  If you use the same laptop that you are using to configure the APs/WLCs, you will continually lose your connections to your devices as you connect to the lab APs.  So try and have another laptop running the Cisco AnyConnect client that you will use for testing your lab configs.

VPN Connectivity

You may want VPN connectivity into your lab in case you want to practice while away from home.  I have already mentioned one possibility in the first post with the 2811 router.  If you do not have a router, or do not want to use your router, you could also use something like a PIX or an ASA 5505.  Maybe your home router even has some sort of VPN feature if it’s fancy.  There are many options for achieving this.  Whatever method you choose, life will probably be easier if you can get a static IP address on your home internet connection.  Otherwise, your IP may change from time to time.  So you may need to train your significant other on how to find out your IP when you are away.

Equipment Rack

If you don’t want to just have your equipment lying on the floor, you may want to invest in a rack.  If you are looking to replicate our racks, you’ll need at least 12U of rack height.  Any of the equipment that I’ve recommended will work with a two post rack, with the exception of an actual rack mounted server for your ESXi server.  Those typically mount to a four post rack.  Though you could probably get by just setting it on top of the rest of your equipment and have it pulled forward to move the center of gravity forward.

Don’t feel like this is a requirement.  I just had my equipment stacked on top of each other with the bottom one sitting on a board.  You probably don’t want them just sitting on carpet.  It acts as an insulator and might also gather static electricity.

If you do purchase a rack, you are going to have to purchase rack ears for all of your equipment.  You’d be surprised at how fast that can add to the cost.

 

Building a home lab for the Wireless CCIE- Part 6


In this final post in the series, I will pull together all of the previous posts in the series and discuss the pros and cons of building a home lab versus renting rack time.

Home Lab- Pros

There are a number of advantages to building your own home lab that often make it attractive to people.  The biggest is usually convenience.  You almost always have a lab available to you any hour of the day for as short or as long as you need it.  I say almost because you can run into issues that would prevent you from using your home lab (equipment failure, VPN connectivity goes down, etc).  But for the most part, it’s always there for you.

You can customize it as you please.  Say you wanted to configure your own topology that’s different from what we use.  You can do that with just a bit of re-cabling.

You can start working through a scenario, leave it for a day, and come back and continue where you left off.  On a rack rental, your ending configs from your first session would have been lost.  So unless you copied it to a local text file, you’d have to reconfigure all of your devices from scratch.  Servers would always have to be configured from scratch since there is no good way for you to back up their state in a rack rental scenario.

Purchasing your own rack is a relatively known expense.  It’s a one-time cost to purchase the equipment for unlimited use.  You will have collateral expenses that I’ll talk about in the next section.  But the vast majority of the expense is up front and one time, so it’s easier to plan for.

Lastly, the lab is there for you after the CCIE for further studying.  So if you bought equipment that is valid with current code (like a 2500 or 5500 series WLC), you could install the latest code and have a lab to use with your current job.

Home Lab- Cons

Many people only see the pros of owning your own home lab and aren’t aware of the cons involved.  Some are obvious and some you don’t realize until you’ve purchased all of the equipment.  So here are some of the things to know before you spend your money.

Home labs have a large upfront investment, followed by varying costs later.  Some of us won’t be able to afford a decent lab all at once.  Unfortunately, buying pieces of your lab over time isn’t all that conducive to studying most of the time.  Once you have purchased your lab, you have the additional cost of powering it and the additional burden of cooling your house when it’s air conditioning season.  You also run the risk of equipment failing on you and having to spend money to replace it.  This can be painful when it’s one of your expensive WLCs or your ESXi server.

Some of you might chime in saying that you’d buy from eBay sellers that offer a year warranty, so that would at least prevent additional expense due to equipment failure.  But now you are without equipment for possibly weeks while you work with your seller to get a replacement for your failed hardware.  That’s possibly time lost studying that you cannot get back.  This is another risk: loss of study time due to equipment failure.

Another drawback of the home lab is the time needed to get it up and running as well as supporting it.  First you have to purchase all of the equipment and wait for it to arrive.  Then you need to physically install everything and get all of the appropriate code downloaded and installed.  You need to get your initial configs implemented and determine your topology and IP schema.  This is a little easier if you just plan on following what we are doing on our racks.  But it’s time spent nonetheless.  Then you need to build all of your servers.  This can take a lot of time if you are having to hunt for downloads.  Also, getting the services on the Windows 2003 server up and running can take some time if you haven’t done it before.  If something isn’t working right, you need to fix it on your own time.  If what you ordered didn’t have enough resources, you need to wait until the upgrades are ordered and arrive.  Getting CME services up and running can be difficult if you don’t have someone in the know assisting you.  It all takes time.  This is generally either not considered, or vastly underestimated, if you are building a home lab for the first time.  So count the cost of the time spent on this versus the time that you could be spending in a rack rental.  Time is often one of our most precious resources.

Another logistical concern is where to install the equipment.  You’ll want it somewhere relatively cool and not overly humid.  It’s also going to be making a fair amount of noise from the fans.  Significant others aren’t always thrilled to have it in a more public area of the house/apartment or having to hear it all the time.  If you have small kids, you’ll want it out of their reach.  If you have a lot of APs, those can be a bit of a pain to place.  If you actually have a suspended ceiling to mount them to, that would be great.  Otherwise, you have to spread them out on the floor or different surfaces near the rack.  You may want to buy a half sheet of plywood, stand it somewhat vertically and mount the APs to that.  If you want to mount the APs to anything, add in the cost of mounting brackets.

With a home lab, you are often making some compromises on the equipment.  Hardly anyone will actually buy a 5508 controller and the APs that are actually in the lab.  Most will purchase older generation hardware that can do the majority of what you need.  So there will be some differences that you will need to reconcile in terms of functionality.  Also, you’ll need to tweak any of our initial lab load configuration files to suit your hardware.  It’s not the end of the world.  But it’s a hurdle that can get annoying after a while if you are spending a lot of time in our workbooks, which were written based on the proctorlabs.com racks.

What do you do with the lab after you get your CCIE?  A large portion of what you buy isn’t all that useful after the lab.  The 2100 and 4400 series WLCs will not run any code past 7.0.x.x.  The non-802.11n APs will soon be unsupported when newer code comes out.  Even the 1252 is losing support soon.  Your ESX server can be used for newer software.  But if you buy a lower powered server, you won’t be able to run many of the newer servers like Prime Infrastructure, the newer virtual MSE, and ISE.  Those require significantly more resources in terms of CPU, RAM, and hard drive space.  You can always sell your equipment after you pass your CCIE.  But a good rule of thumb would be to expect to recoup no more than half of what you spent.  This will be due to depreciation and fees associated with selling.  The longer you hold on to the equipment, the less it’s worth.

Lastly, what happens if you are in the middle of your studies and a version update to the lab is announced with all new hardware?   I don’t anticipate an update in the near future.  But you never know how long your CCIE journey will take.  Life has a way of sidetracking you sometimes.  Maybe it’s a new relationship, a new kid, or a new job.  Maybe it’s an illness.  The causes can be numerous, but it’s a definite risk to your investment.  The double whammy of this risk is that the new hardware is going to be expensive because it will be current hardware.   You will have to at least have 2500/5500 series WLCs for newer code and probably even a switch or two that will run the new unified access code for IOS based controllers.  AP updates may be needed as well if the new code doesn’t support what you are using.  You will probably need a beefier ESX box to run the newer servers.  Those costs will add up quickly.

Rack Rentals

So if you aren’t able to do a home lab, or if you want to investigate the alternative, rack rentals are a great way to go.  Since proctorlabs.com is our rack provider, I’ll frame the discussion based on what they offer for wireless rack rentals.

Rack rentals overcome each of the cons that I listed above for home labs.  You don’t have to undergo a large up front expense to get practicing.  You don’t have the added expenses of power/cooling and hardware failures are no longer your responsibility.  The racks are already there for you, so you can be up and studying right away.  The racks have all of the servers running at the correct versions and the Windows services are already configured.  So you don’t need to worry about obtaining the server software or licenses and getting everything running.

While the equipment isn’t 100% lab accurate, you have all of the wireless gear represented (5508 WLCs and 1040/1260/3500 series APs).  All of the servers are there.  But there aren’t any 6500 series switches.  That’s a minor thing though, and including them would have increased the cost to the student dramatically for little return on studying.  So you can do almost everything in the lab blueprint.  Definitely more than most home labs would afford.

Proctorlabs.com can automate lab loads for you.  So you can be off and running with little effort.  No need to tweak config files and paste them into every device yourself.

You can book time slots in 4 hour increments.  That’s about as convenient as you will get with rack rentals in terms of scheduling.  Not that there are many serious competitors out there in the wireless space, but the biggest competitor rents by the day.  So if you want to study for a few hours in the evening, you can do that with proctorlabs.com and not have to pay for way more hours than what you needed.

Lastly, you have future proofing for lab updates.  Rack rental prices may go up a bit after a hardware refresh.  But it would be a pittance compared to the price of upgrading your home lab.

Cost Comparison

So what are the costs for home labs and rack rentals and how do they compare with each other?  It’s important to keep in mind that cost is just one factor.  But it’s often one of the biggest ones.  Most of us are on a budget.  So too high of a cost can totally invalidate an option altogether.  The chart below shows some options for building your home lab.  The basic lab would be a starting point if you couldn’t afford a larger lab to begin with or if you wanted something to supplement using rack rentals as your main hands-on practice method.  The medium lab would allow you to practice the majority of the blueprint from a technology perspective.  But you would have trouble following along with our volume 1 workbook, and it would not work for using our volume 2 workbook.  The full kit is if you wanted to replicate the topology of our racks so you could do all of the workbook labs on your home rack without too much difficulty.

 

Item               Ebay price   Basic Kit   Medium Kit   Full kit
WLC 2106           $300.00      1           1            2
WLC 4402           $400.00      -           1            2
copper SFP/GBIC    $25.00       -           2            6
3550 PoE Switch    $100.00      1           2            3
2950T switch       $40.00       -           1            1
1131 AP            $50.00       -           2            5
1242 AP            $85.00       2           2            2
ESX server         $500.00      -           1            1
2811 router        $200.00      -           -            1
7921 phone         $200.00      -           -            1
Terminal Server    $275.00      -           -            1
Total retail                    $570.00     $1,760.00    $3,485.00

 

This wouldn’t include the costs of things like racks, Ethernet cables, software, etc.  It also doesn’t take into consideration ongoing costs of electricity, cooling, and hardware replacements.

Now let’s look at what those investments will buy you in terms of rack rental hours at proctorlabs.com.  Each session lasts for 3.75 hours.  But if you link sessions together, you get the full 4 hours on each session except for the last one.  But we’ll just stick with the 3.75 hours for our calculations.  A single session costs $30.  But once you get up to the 25 session SKU, the per session cost drops to $22 ($550 for 25 sessions).  Once you get up to that 25 session level, if you need more you can definitely work with your sales person to buy additional smaller sets of rentals at the same $22 per session price.  Since all of our kits above make it to that 25 session level, we will assume a price of $22 for each rental session.

The chart below shows how many sessions you could buy for the price of each kit above and how many hours that translates to.  You’ll notice I rounded down the number of sessions.

                  Basic Kit   Medium Kit   Full kit
Price             $570.00     $1,760.00    $3,485.00
Rental sessions   25          80           158
Rental hours      93.75       300          592.5

In general, I estimate that most people will need around 250 hours of hands-on time (give or take 50 hours) during their CCIE studies.  Based off of these numbers, rack rentals are definitely a viable option to save money over purchasing your own home lab.  Even if you resell all of your equipment, it can still be a better deal.

Jeff’s Recommendation

In my past, I’ve built home racks for both of my CCIEs.  I built my R&S lab out of my own pocket and spent thousands of dollars.  I built my Wireless lab totally out of extra equipment lying around at work.  Since I started at IPexpert, I’ve been using proctorlabs.com racks pretty much exclusively on a day-to-day basis.  So I’ve had extensive firsthand experience with both sides.  I’ve come to the conclusion that home labs are extremely convenient to have, but a hassle to build, maintain, and adapt to workbooks.  There are a number of benefits to rack rentals that a home lab will never have.  I like making the maintenance of a rack someone else’s job.  I like knowing that I don’t have to worry about upgrades.  My wife likes not having the office space invaded by nerd gear.

If I were to do it all over again, this is what I would do.  Snag as much equipment from my office as I can (without getting into trouble).  If I can build up even a small home lab for free, it would be a good asset to have.  If I’m close to a lab that can do most everything that I want it to, I’ll purchase some extra pieces if it’s not too much of an investment.  It also doesn’t hurt to ask work to subsidize any purchases.  Then I’ll use rack rentals for the studying that my home gear cannot sufficiently support.

For those of you with no access to gear from work, I’d suggest just going straight rack rentals.  Even the smallest lab will cost about the same as 100 hours of rack time.  That alone could allow you to work your way through the volume 1 workbook, or go through volume 2 twice.

 

Congratulations to IPexpert’s Latest CCIE Success Stories!!!


Join us in congratulating the following CCIE on his great achievement:

  • Claudio Bullanguero Elorza Hidalgo CCIE #40112 (Security)


 

Congratulations to IPexpert’s Latest CCIE Success Stories!!!


Join us in congratulating the following CCIE on his great achievement:

  • Sumit Mahla CCIE #26418 (Data Center & Security)

Sumit Mahla CCIE #26418:
“I wanted to express my thanks to IPexpert for my success in the CCIE Data Center lab exam.
The Data Center CCIE workbooks by IPexpert, authored by Rick Mur, are a great resource, and I would say the CCIE Data Center rack rentals have been really impressive. I have enjoyed the practice sessions on your racks.  The workbooks cover everything on the blueprint and help in practicing different scenarios for different technologies.

I recommend IPexpert’s Data Center workbooks and rack rentals to students looking to clear the Data Center exam; they are a must for getting in-depth knowledge and cracking the exam.

I would like to see you guys coming up with a VCDX course as well.”


 

Congratulations to IPexpert’s Latest CCIE Success Stories!!!


Join us in congratulating the following CCIEs on their great achievement:

  • Neil Moore CCIEx7 #10044 (Data Center, R/S, Security, Service Provider, Voice, Storage, Wireless)
  • Andy Lambert CCIE #18556 (Data Center, Security)
  • Rasika Nayanajith CCIE #22989 (Wireless, R&S)

Andy Lambert CCIE #18556:

“I passed the CCIE Datacenter lab on August 5 in San Jose, CA. IPExpert’s workbooks were definitely of great assistance. I found Rick’s material to be very structured and dive quite a bit deeper than competing products in the market. Without the deeper dive, I found that learning the material at the required CCIE level wasn’t possible. I did like the fact that IPExpert was a full environment with maximum flexibility. All scenarios and technologies could be tested/practiced.”


 

Congratulations to IPexpert’s Latest CCIE Success Stories!!!


Join us in congratulating the following CCIEs on their great achievement:

  • Mark Holm CCIE #34763 (Data Center)
  • Ankit Bhatnagar CCIE #38032 (Voice)

Mark Holm CCIE #34763:

“I passed my CCIE DC lab at Cisco Live! in Orlando. Ahead of the lab date went approximately four months of intensive studying and labbing. One of my primary sources of lab tasks has been IPexpert’s CCIE Data Center workbook. The workbooks are written in a precise and easy-to-understand manner. Speaking of the workbooks, I have to mention the excellent work Rick Mur has been putting into authoring them. Without any doubt, Rick’s rigorous work has certainly prepared me for the exam, giving me the knowledge needed.

Additionally, Rick has been very helpful and open to feedback if I ran into issues with the technology labs and/or mocklab.”

Ankit Bhatnagar CCIE #38032:

“I got my CCIE Voice number earlier this year. I used the CCIE Voice 5 Lab Handbook and found it very helpful.  I highly recommend this product to all CCIE students.”


 

Wireless Security – Rogue Management Part I


Let’s consider the following situation: an employee brings his or her own Access Point into a well-secured environment and connects it to a wall socket. As a result, anyone with a wireless-enabled device (or at least the group of people that know the PSK, if WEP/WPA was configured) can now associate with the AP and get access to our internal (wired) network. This is what’s known as a Rogue Access Point; in simple terms, a Rogue AP is an AP that is not under our control. Rogue APs can be a serious breach of network security because they can be plugged into a network port behind the corporate firewall and/or IPS.

I will now discuss one of the wireless security features available on WLC (so this will be Unified Wireless Architecture) that is used to detect and deal with Rogue devices. This is what’s collectively known as Rogue Management.

In short, we can say that there are three phases in the Rogue Management process:

  1. Detection
  2. Classification
  3. Containment

In this blog post our focus is going to be Rogue Detection.

 

ROGUE DETECTION

The two main methods used to detect Rogue APs are Infrastructure Scanning and RF Groups.

With Infrastructure Scanning, our APs listen for rogue beacons and, if a rogue device is detected, inform the WLC about it. A prerequisite for this method is to have our APs work in one of three modes: Local, FlexConnect or Monitor.

Local (or FlexConnect) Mode is the normal operation of an AP. This mode allows data clients to be serviced while the configured channels are scanned for noise and rogues (the AP splits its cycles between serving WLAN clients and scanning channels for threats). It works by letting the AP go off-channel for 50 ms to listen for Rogues and then return to its original channel to service the clients (a single channel switchover takes 10 ms). Since the default interval is 180 seconds, each of the 11 channels is scanned at least once within the interval, with clients being serviced for about 16 seconds on the serving channel between scans. Both the interval and the channels to scan are configurable (we’ll take a look at this in one of the later posts).

Monitor Mode turns your AP into more of a passive device: this is a listen-only configuration (the radio only receives, with one small exception, namely the ability to send so-called de-authentication frames). When an AP is configured in Monitor Mode, it scans all configured channels every ~12 seconds (it uses 100% of the radio’s time for scanning and so listens for about 1.2 seconds on each channel). This provides better detection: Monitor Mode APs are far superior at detecting Rogues as they have a more comprehensive view of the activity. A disadvantage is the inability to use Rogue Location Discovery Protocol, RLDP (since a Monitor Mode AP cannot establish an association). RLDP is one of the protocols used in the Classification phase; we’ll talk about it in the next post.

Another method used by the WLC to detect Rogues relies on the concept of an RF Group. Each of your controllers is configured with an RF Group name (this is one of the elements you configure when you initialize the WLC, which is something you may be asked to do in the real lab). Once an AP registers with a controller, it embeds an authentication Information Element (IE) specific to the RF Group configured on the controller in all its beacons/probe response frames. When the AP hears beacons/probe response frames from another AP either without this IE or with a wrong IE, it reports that AP as a Rogue, records its BSSID in a Rogue Table, and sends the table to the WLC.

This active scanning, combined with neighbor messages, identifies which APs are Rogues and which APs are valid and part of the network. The bottom line is that once APs detect Rogue APs or Clients, they send this information to the Controller for further processing.

 

In the second part of this article we are gonna discuss how WLC will actually handle the information about detected Rogues – I’ll keep you posted.

 

Piotr Kaluzny

CCIE #25665 (Security), CCSP, CCNP
Sr. Technical Instructor - IPexpert, Inc.
URL: http://www.IPexpert.com


Wireless Security : Rogue Management Part II


In the first blog post related to Wireless Security we took a look at the Initial Phase of Rogue Management – Detection. Now we are going to discuss what happens next – how the WLC is gonna deal with the devices that were marked as “Rogues”. This is what’s known as the Classification Phase.

ROGUE CLASSIFICATION
Once a Rogue AP is detected, the next step taken by the WLC is to classify it. There are three types of Rogue APs:
- Unclassified
- Friendly
- Malicious

By default, all Rogues detected by the Cisco UWN are considered “Unclassified”, with just one exception: when the Rogue is also detected on our wired network it is automatically re-classified as “Malicious”. This holds true even if there are no Classification Rules (more on this later) configured on the Controller.

OK, so now the question is what’s the difference between the three types of Rogues?

  1. A Friendly AP is an AP that is not directly controlled by the WLC but whose existence we know about, e.g. a neighboring network’s AP. The key thing about Friendly APs is that we know they do not pose any threat to our network. You can either define Friendly Access Points manually in the “Friendly MAC List” or have Rogues classified as Friendly based on the Classification Rules.
  2. Malicious APs are those that were set up with malicious intent and that are not controlled by our WLC. These are all the APs we did not classify as “Friendly” that were either seen on our wired network or were classified as “Malicious” based on our Classification Rules.
  3. An Unclassified AP is an Access Point that was not classified as “Friendly” or “Malicious” (it is neither good nor bad). As mentioned earlier, by default, if no Classification Rules exist and the Rogue is not seen on the wired network, it is marked as “Unclassified”.

OK, before we get to the Classification Rules: I mentioned that if a Rogue AP is seen on our wired network it will be classified as “Malicious”. But how do we actually know whether it is there or not? Well, there are three technologies used to answer that question:

  1. Rogue Location Discovery Protocol (RLDP)
  2. A special AP Mode setting known as “Rogue Detector”
  3. Switchport Tracing

With RLDP enabled, our legitimate APs will try to connect to the Rogue AP’s SSID, acting as if they were clients (note that our APs’ legitimate clients will be dropped/not serviced during that time). After they connect, they send a packet destined to the WLC over the air, through the Rogue AP, to see if the traffic actually reaches our wired network. Note that this option only works when the Rogue AP is configured with Open Authentication (no authentication).

For situations when WEP or WPA is used to protect the communication with the Rogue AP, another method can be used: Rogue Detector Mode, which is a passive approach (the radio is turned off). It works similarly to an IDS: the AP listens for wired traffic only (ARP frames specifically) and compares source MACs to the known MACs of the Rogue devices (learned from the WLC).  This feature is pretty limited, since it is not looking at the exact “wired” MAC of the Rogue AP but rather tries to guess it based on the wireless-NIC MAC (looking for MACs +1/-1 from the learned one). As a side note, to use this mode the switchport connected to the Rogue Detector AP must be configured as a trunk with all “wireless” VLANs allowed.

The third method used to figure out whether a Rogue is on the wired segment is called Switchport Tracing. This one relies on WCS (Wireless Control System): WCS retrieves CDP information from an AP that detected a Rogue. This tells WCS what the neighboring switch is, and it can then poll that switch via SNMP to obtain the MAC addresses from its CAM table. Once this is done it can compare the retrieved MACs to the Rogue MACs; if there is a match, the Rogue is on the wired side as well. This method, assuming SNMP was configured for read-write access, can also be used to shut down the switchport where the Rogue turns out to be Malicious (in the Containment Phase).
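To make the two wired-side comparisons above concrete, here is an added example (my own illustration, not code from this article or from Cisco) that models what a Rogue Detector AP and Switchport Tracing actually compare: source MACs from wired ARP frames, or MACs pulled from a switch CAM table, against the Rogue BSSIDs learned from the WLC, allowing the +1/-1 offset the text mentions. The ARP capture lines and CAM entries are constructed sample data; the three Rogue BSSIDs are taken from the controller output in Part IV of this article. All function names are this example's own.

```python
"""Wired-side presence checks for detected Rogue APs (added example).

  * Rogue Detector mode: source MACs from wired ARP frames are compared
    with the Rogue BSSIDs learned from the WLC, allowing a +1/-1 offset
    because an AP's wired MAC is usually adjacent to its radio MAC.
  * Switchport Tracing: MACs retrieved from a switch CAM table are
    compared the same way.
"""
import re

HEX = "0123456789abcdef"


def mac_to_int(mac: str) -> int:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or Cisco aabb.ccdd.eeff."""
    digits = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12 or any(c not in HEX for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(digits, 16)


def int_to_mac(value: int) -> str:
    """Canonical lower-case colon form."""
    return ":".join(f"{(value >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def candidate_wired_macs(bssid: str, slack: int = 1) -> set:
    """The BSSID plus its +/-slack neighbours, wrapping within 48 bits."""
    base = mac_to_int(bssid)
    return {int_to_mac((base + d) % (1 << 48)) for d in range(-slack, slack + 1)}


def rogues_on_wire(rogue_bssids, wired_macs, slack: int = 1) -> dict:
    """Return {bssid: [matching wired MACs]} for Rogues that appear on the wire."""
    seen = {int_to_mac(mac_to_int(m)) for m in wired_macs}  # normalise formats
    hits = {}
    for bssid in rogue_bssids:
        matches = candidate_wired_macs(bssid, slack) & seen
        if matches:
            hits[int_to_mac(mac_to_int(bssid))] = sorted(matches)
    return hits


# Input 1: ARP frames as a Rogue Detector AP would see them on its trunk
# (constructed, tcpdump-style text; only replies carry the source MAC here).
ARP_LINES = [
    "ARP, Reply 10.1.10.20 is-at 00:3a:9a:b1:e5:4f, length 46",
    "ARP, Request who-has 10.1.10.1 tell 10.1.10.55, length 46",
    "ARP, Reply 10.1.10.55 is-at 00:1b:21:aa:bb:cc, length 46",
    "ARP, Reply 10.1.10.77 is-at 1c:e6:c7:84:3c:20, length 46",
]
IS_AT_RE = re.compile(r"is-at\s+([0-9a-f:]{17})", re.I)


def arp_source_macs(lines) -> list:
    """Source MACs advertised in ARP replies, in capture order."""
    macs = []
    for line in lines:
        m = IS_AT_RE.search(line)
        if m:
            macs.append(m.group(1).lower())
    return macs


# Input 2: a switch CAM table as WCS would retrieve it over SNMP
# (constructed, in 'show mac address-table' layout).
CAM_LINES = [
    "Vlan    Mac Address       Type        Ports",
    "----    -----------       --------    -----",
    "  10    0013.7f8c.3b81    DYNAMIC     Fa0/7",
    "  10    0050.56a1.0c02    DYNAMIC     Fa0/12",
]
CAM_RE = re.compile(r"\b([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\b", re.I)


def cam_macs(lines) -> list:
    """Dotted MACs from CAM table rows; header and separator lines are skipped."""
    macs = []
    for line in lines:
        m = CAM_RE.search(line)
        if m:
            macs.append(m.group(1).lower())
    return macs


# Rogue BSSIDs as learned from the WLC (values from the Part IV output).
ROGUE_BSSIDS = ["00:13:7f:8c:3b:80", "00:3a:9a:b1:e5:50", "54:78:1a:73:78:c0"]

if __name__ == "__main__":
    print("via Rogue Detector ARP:", rogues_on_wire(ROGUE_BSSIDS, arp_source_macs(ARP_LINES)))
    print("via CAM table:", rogues_on_wire(ROGUE_BSSIDS, cam_macs(CAM_LINES)))
```

The `slack` parameter is the interesting knob: with `slack=0` only an exact match counts, which is what Switchport Tracing gives you when the AP bridges with its own wired MAC, while `slack=1` reproduces the +1/-1 guess of Rogue Detector mode and, as the text warns, is a heuristic rather than proof.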

Rogue Classification Rules
As we said earlier, an AP gets marked as “Unclassified” unless it was detected on the wired network (ending up as a “Malicious” AP) or it was manually classified as “Friendly” (by adding it to the “Friendly MAC List”). There is, however, another method we can use to classify newly detected Rogues as “Friendly” or “Malicious”: rules and conditions we create to match our security policy and/or other requirements. For example, some elements that may suggest a Rogue AP should be treated as “Malicious” are:
- This AP uses your SSID
- It has a strong signal (RSSI)
- It has connected clients

These are the actual matching criteria we will be able to use in our Classification Rules:
- Managed SSID (WLC-known SSIDs that we configured on the Controller)
- User-defined SSID (an arbitrary SSID)
- No Encryption (requires that the Rogue AP’s SSID does not have encryption enabled)
- Minimum Received Signal Strength Indication (RSSI), useful when we only want to match Rogues that are “close” to our network
- Time Duration (the minimum period of time during which the Rogue has been detected)
- Number of associated clients

Similarly to MQC class-maps, we have two matching options that ultimately affect how many conditions must be met in a rule to be a match (“match-all” and “match-any”). Match-all means that all conditions must be met whereas “match-any” says that we’ll have a hit for the rule if at least one condition is met (no matter which).

Classification Rules come into play when a Rogue was not found on the Friendly MAC List (which is configured manually). Rules are processed in order (top-down), starting with the Malicious Rules. If there is no match in any Malicious Rule, then the Friendly Rules are processed. If there is no match here either, the AP ends up as “Unclassified”, which is the same as what happens by default if no rules are present and the AP is not on the wired network.

Once a Rogue has been classified, the controller will not try to re-classify it again. The only exception is when an “Unclassified” AP at some point gets detected on the wired segment: then the AP will automatically be moved to “Malicious”.
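The decision order described in the last few paragraphs is easy to get wrong when reading a long rule list, so here is an added example (my own model, not Cisco's code or the article's) that walks a detected Rogue through it: Friendly MAC List first, then the on-wire check, then the Malicious rules top-down, then the Friendly rules, else Unclassified; an already classified Rogue is left alone except for the Unclassified-to-Malicious move on wire detection. The `Rule` fields mirror the six matching criteria and the match-all/match-any operation listed above; the class, attribute and function names are this example's own, the managed SSID list is constructed, and the two sample rules reproduce the ones configured in Part IV of this article. One assumption is labelled in the code: the Friendly MAC List is checked before the on-wire check, since the text says a listed AP is always treated as Friendly.

```python
"""WLC Rogue AP classification order (added example, not Cisco's code)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rogue:
    mac: str
    ssid: str = ""
    encrypted: bool = True
    rssi: int = -128                       # dBm as reported by the detecting AP
    seen_seconds: int = 0                  # how long the Rogue has been detected
    clients: int = 0
    on_wire: bool = False
    classification: Optional[str] = None   # None: newly detected, never classified


@dataclass
class Rule:
    name: str
    classify_as: str                       # "Malicious" or "Friendly"
    match_all: bool = True                 # False means match-any
    managed_ssid: bool = False             # Rogue advertises a WLC-configured SSID
    user_ssid: Optional[str] = None        # Rogue advertises this exact SSID
    no_encryption: bool = False
    min_rssi: Optional[int] = None         # dBm
    min_duration: Optional[int] = None     # seconds
    min_clients: Optional[int] = None


MANAGED_SSIDS = {"HQData1-Pod1", "Voice-Pod1"}   # constructed WLAN list


def rule_matches(rule: Rule, rogue: Rogue, managed_ssids=MANAGED_SSIDS) -> bool:
    """Evaluate only the conditions the rule actually sets, then apply match-all/any."""
    checks = []
    if rule.managed_ssid:
        checks.append(rogue.ssid in managed_ssids)
    if rule.user_ssid is not None:
        checks.append(rogue.ssid == rule.user_ssid)
    if rule.no_encryption:
        checks.append(not rogue.encrypted)
    if rule.min_rssi is not None:
        checks.append(rogue.rssi >= rule.min_rssi)   # -65 dBm is "at least" -70 dBm
    if rule.min_duration is not None:
        checks.append(rogue.seen_seconds >= rule.min_duration)
    if rule.min_clients is not None:
        checks.append(rogue.clients >= rule.min_clients)
    if not checks:
        return False                       # a rule without conditions never matches
    return all(checks) if rule.match_all else any(checks)


def classify(rogue: Rogue, rules: List[Rule], friendly_macs) -> str:
    """Return the classification the WLC would assign to this Rogue."""
    if rogue.classification is not None:
        # Already classified: only Unclassified -> Malicious on wire detection.
        if rogue.classification == "Unclassified" and rogue.on_wire:
            return "Malicious"
        return rogue.classification
    # Assumption: the manual Friendly MAC List wins over everything else.
    if rogue.mac.lower() in {m.lower() for m in friendly_macs}:
        return "Friendly"
    if rogue.on_wire:
        return "Malicious"
    for target in ("Malicious", "Friendly"):   # Malicious rules first, then Friendly
        for rule in rules:                     # each group processed top-down
            if rule.classify_as == target and rule_matches(rule, rogue):
                return target
    return "Unclassified"


# The two rules built in Part IV: match-any (>= 1 client OR RSSI >= -70 dBm)
# -> Malicious; SSID "HQData1-Pod1" -> Friendly.
RULES = [
    Rule("close-or-busy", "Malicious", match_all=False, min_clients=1, min_rssi=-70),
    Rule("hq-ssid", "Friendly", user_ssid="HQData1-Pod1"),
]
FRIENDLY_MAC_LIST = ["00:17:c5:86:23:e8"]   # the GB_Guest AP added manually in Part IV

if __name__ == "__main__":
    for r in [Rogue("00:3a:9a:b1:e5:50", ssid="Voice-Pod1", rssi=-65),
              Rogue("58:6d:8f:52:1b:10", ssid="HQData1-Pod1", rssi=-80),
              Rogue("b0:77:ac:37:db:00", ssid="Cafe", rssi=-85)]:
        print(r.mac, "->", classify(r, RULES, FRIENDLY_MAC_LIST))
```

Note how a Friendly rule never gets a chance when a Malicious rule already matched: an AP advertising our own SSID with a strong signal is Malicious under these two rules, which is exactly the honey-pot case the text is worried about.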

In the third part of this article we will discuss methods used to prevent Malicious APs from hijacking our clients and finally I will also show you how to configure Rogue Management on WLC.


Piotr Kaluzny
CCIE #25665 (Security), CCSP, CCNP
Sr. Technical Instructor - IPexpert, Inc.
URL: http://www.IPexpert.com

Congratulations to IPexpert’s Latest CCIE Success Stories!!!


Join us in congratulating the following CCIE on his great achievement:

  • Bartosz Wojtecki CCIE #40125 (R&S)

Bartosz Wojtecki CCIE #40125:

“Thanks to IPexpert! After a long journey I’ve recently become a CCIE in R&S; without IPexpert it would have been hard. Thanks for such great CCIE R&S study materials!”


Wireless Security : Rogue Management Part III


As I said in the last part of this article, in this post we will discuss the methods used to deal with Malicious APs and then in the next post I am also going to show you how to configure WLC for Rogue Detection, Classification and Containment.

Before I start talking about the actual Rogue Containment feature, let me mention one additional method you could potentially use to mitigate all problems related to a Malicious Rogue AP found in your network: Switchport Tracing. This is something you can enable from the Wireless Control System (WCS), which by the way is NOT listed on the 4.0 security blueprint. With this method, once the Rogue’s MAC is found on a wired port you have the option to shut that interface down from the WCS.

ROGUE CONTAINMENT
OK, now let’s talk about Containment. Containment is a method of using over-the-air packets to temporarily interrupt service on a Rogue device until it can physically be removed (which is the best thing you can do when a Rogue AP is connected to your network). It works by sending de-authentication packets with the spoofed source address of the Rogue AP so that any clients associated with the Rogue are kicked off (until you remove the bad AP).

A particular Rogue can be contained using 1 to 4 APs, where each AP can contain up to 3 Rogue devices per radio when running Local Mode or up to 6 when AP is configured in the Monitor Mode. By default, the controller uses one AP for containing a client. If two APs are able to detect a particular Rogue, the AP with the highest RSSI contains the client regardless of the AP mode.

Containment is normally configured manually, on a per-Rogue basis, but there is also a feature known as Auto-Containment that launches Containment automatically in four scenarios:

a)     Rogue on Wire – if a rogue device is identified as attached to the wired network
b)     Using our SSID – if a rogue device is using an SSID that is the same as one configured on the Controller. This feature aims to address a honey-pot attack before it causes damage
c)     Valid client on Rogue AP – if a client listed in ACS or ISE is found to be associated with a rogue device. This prevents a valid client from associating to any non-managed AP
d)     AdHoc Rogue AP – if an ad-hoc network is discovered

Finally, note that Auto-Containment is disabled by default and it should only be enabled to nullify the most damaging threats: it could have legal consequences if you started containing other parties’ devices working on unlicensed frequencies open for public use such as ISM (and it is always possible that the other side may also start containing our APs, treating them as Malicious Rogues).


Piotr Kaluzny
CCIE #25665 (Security), CCSP, CCNP
Sr. Technical Instructor - IPexpert, Inc.
URL: http://www.IPexpert.com


Wireless Security : Rogue Management Part IV


Let me now show you how to configure the Rogue Management feature on WLC. We’ll take a look at each individual Phase, one by one, starting with Detection.

Detection Configuration

Rogue Detection is enabled by default for all access points joined to the Controller except for OfficeExtend access points (OfficeExtend APs are those deployed at home, and they are likely to detect a large number of Rogue devices):

show ap config general LWAP4

Cisco AP Identifier.............................. 0
Cisco AP Name.................................... LWAP4
…
Rogue Detection.................................. Enabled
AP TCP MSS Adjust................................ Disabled
Venue Name....................................... Not configured
Venue Group...................................... Unspecified
Venue Type....................................... Unspecified
Language Code.................................... Not configured

The only way to disable this feature is to do it on a per-AP basis (under “Wireless” -> “Access Points” -> “All APs” -> “Advanced”, clear the checkbox to disable the feature for this AP).

Of course, for this to work you want to make sure that the AP Mode is set to either Local, FlexConnect or Monitor (same menu, just change the tab to “General”).

One more thing you can configure in this Phase is the actual set of Channels that are scanned for Rogues (by default it is set to “Country Channels”, so Channels 1 through 11). This can be configured under “Wireless” -> “802.11a/n” or “802.11b/g/n” -> “RRM” -> “General”.

The scanning time period through these Channels can be configured in the same window, under Monitor Intervals (60 to 3600 seconds). By default, the listening interval for off-channel noise and Rogues is 180 seconds. This means that each Channel is scanned every 180 seconds.

Classification Configuration
Before we get to the Classification Rules configuration let’s first focus on configuring RLDP and/or Rogue Detector features.

To configure an AP as Rogue Detector simply change its Mode :

Then you also need to modify the switchport config (interface that corresponds to the AP) :

interface F0/22
 switchport trunk encapsulation dot1q
 switchport trunk native vlan X
 switchport mode trunk
 switchport trunk allowed vlan …
 spanning-tree portfast trunk

To configure RLDP go under “Security” -> “Wireless Protection Policies” -> “Rogue Policies” -> “General”. There are a couple of options we can set here:

First, note that RLDP is off by default. You can enable it either for All APs (Local or FlexConnect Mode) or only for APs running in Monitor Mode. Next is the Expiration Timeout: a Rogue device will be removed after this time if its state was either “Alert” or “Threat”. Then “Validate Rogue Clients Against AAA” can be used to ask ACS/ISE/the local DB whether the Rogue client is a valid client or not. Next is Ad-Hoc Networks; they are detected by default. Finally, one more useful setting here is the Minimum RSSI value: if a Rogue is far away you may not want the WLC to know about it.

So far, so good. Now, before I show you how to add Classification Rules, let’s go ahead and see what Rogues have been detected in our network (“Monitor” -> “Rogues” -> “Unclassified APs”):

Looking at this table, let’s assume that the Rogue with SSID GB_Guest (00:17:c5:86:23:e8) is a Friendly AP and we want to manually add it to the Friendly MAC List before we create any Classification Rules. To do this, click on the blue box on the far right of this entry and remove this AP. Then navigate to “Wireless Protection Policies” -> “Rogue Policies” -> “Friendly Rogue” and add an entry for this MAC:

OK, great. So at this point we can be sure this AP is always gonna be treated as Friendly no matter what our Classification Rules say. Now to create our Rules,  go under “Security” -> “Wireless Protection Policies” -> “Rogue Policies” –> “Rogue Rules” :

And we will create two rules here: one to classify APs as Malicious and one as Friendly. Malicious APs are gonna be those that have at least 1 client associated OR whose RSSI is at least -70 dBm:

Note that “match any” was selected for the Match Operation to meet our needs.

Now one more rule, this time for Friends. Let’s say that any AP that advertises the SSID “HQData1-Pod1” should be treated as Friendly:

How can you verify that the rules are working? Go under “Monitor” -> “Rogues” and look at the Malicious/Friendly Rogues.

In our case there are a lot of Malicious APs due to our RSSI condition and just two Friendly APs (one added manually and the other matched by the HQData1-Pod1 SSID):


To check out the details, click on one of the MACs, for instance on the first “Voice-Pod1” SSID AP:

This one matched our Rule because its RSSI is lower than 70 (meaning it is farther away than what we want to match; the closer the RSSI is to zero, the closer the Rogue is).

There is also one more option I did not talk about previously that is visible under “Monitor” -> “Rogues” – it is the Rogue AP Ignore List. This one will be automatically populated by WCS (if you use one) to tell WLC about Autonomous APs that were added manually to the WCS maps – these APs will be ignored by the Controller during Rogue Management processing.

Containment Configuration
All right, the last thing I want to show you here is how to contain an AP. As discussed in the previous post, we can do it either manually or using the Auto-Containment feature. First the manual way: just go under an AP’s details and select “Update Status”, change it to “Contain” and select the max number of APs you want to use to perform this operation:


Then Auto-Containment can be configured under “Security” -> “Wireless Protection Policies” -> “Rogue Policies” -> “General”, same as RLDP. Here we say that the only APs we want to automatically contain are those which are detected on our wired network:

(Cisco Controller) >show rogue ap summary

Rogue on wire Auto-Contain....................... Enabled
Rogue using our SSID Auto-Contain................ Disabled
Valid client on rogue AP Auto-Contain............ Disabled
Rogue AP timeout................................. 1200
Rogue Detection Report Interval.................. 10
Rogue Detection Min Rssi......................... -128
Rogue Detection Transient Interval............... 0

MAC Address        Classification     # APs # Clients Last Heard
-----------------  ------------------ ----- --------- -----------------------
00:13:7f:8c:3b:80  Malicious          1     9         Thu Aug 29 20:07:03 2013
00:17:c5:86:23:e8  Friendly           0     0         Not Heard
00:3a:9a:b1:e5:50  Malicious          1     0         Thu Aug 29 20:07:03 2013
00:3a:9a:b1:e5:51  Malicious          1     0         Thu Aug 29 20:04:03 2013
00:3a:9a:da:fd:f0  Unclassified       1     0         Thu Aug 29 19:58:03 2013
1c:e6:c7:84:3c:10  Malicious          1     0         Thu Aug 29 20:04:03 2013
1c:e6:c7:84:3c:11  Malicious          1     0         Thu Aug 29 20:07:03 2013
1c:e6:c7:84:3c:12  Malicious          1     0         Thu Aug 29 20:07:03 2013
20:3a:07:97:a7:b0  Unclassified       1     0         Thu Aug 29 20:04:03 2013
34:a8:4e:c5:84:80  Malicious          1     0         Thu Aug 29 20:01:03 2013
34:a8:4e:c5:84:81  Malicious          1     0         Thu Aug 29 20:04:03 2013
54:78:1a:73:78:c0  Malicious          1     0         Thu Aug 29 20:04:03 2013
54:78:1a:73:78:c1  Malicious          1     0         Thu Aug 29 20:07:03 2013
54:78:1a:73:78:c2  Malicious          1     0         Thu Aug 29 20:04:03 2013
58:6d:8f:52:1b:10  Unclassified       1     0         Thu Aug 29 20:07:03 2013
b0:77:ac:37:db:00  Unclassified       1     0         Thu Aug 29 19:49:03 2013

(Cisco Controller) >show rogue ap malicious summary

Number of APs.................................... 11

MAC Address        State              # APs # Clients Last Heard
-----------------  ------------------ ----- --------- -----------------------
00:13:7f:8c:3b:80  Alert              1     10        Thu Aug 29 20:10:03 2013
00:3a:9a:b1:e5:50  Alert              1     0         Thu Aug 29 20:10:03 2013
00:3a:9a:b1:e5:51  Alert              1     0         Thu Aug 29 20:04:03 2013
1c:e6:c7:84:3c:10  Alert              1     0         Thu Aug 29 20:10:03 2013
1c:e6:c7:84:3c:11  Alert              1     0         Thu Aug 29 20:07:03 2013
1c:e6:c7:84:3c:12  Contained          1     0         Thu Aug 29 20:07:03 2013
34:a8:4e:c5:84:80  Alert              1     0         Thu Aug 29 20:10:03 2013
34:a8:4e:c5:84:81  Alert              1     0         Thu Aug 29 20:04:03 2013
54:78:1a:73:78:c0  Alert              1     0         Thu Aug 29 20:04:03 2013
54:78:1a:73:78:c1  Alert              1     0         Thu Aug 29 20:07:03 2013
54:78:1a:73:78:c2  Alert              1     0         Thu Aug 29 20:04:03 2013
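Reading the summary tables above by eye works for 16 Rogues but not for a campus, so here is an added example (not from this article or from Cisco) that parses the `show rogue ap summary` output into records and answers the questions you would actually ask of it: how many Rogues sit in each classification, which ones have clients associated, and which ones have gone quiet relative to the configured Rogue AP timeout. The embedded `SAMPLE_OUTPUT` is the controller output shown above, reused as sample data; the function names are this example's own.

```python
"""Parser for WLC 'show rogue ap summary' output (added example, not Cisco's tooling)."""
import re
from collections import Counter
from datetime import datetime
from typing import Optional

# Controller output from this post, embedded as sample data.
SAMPLE_OUTPUT = """\
Rogue on wire Auto-Contain....................... Enabled
Rogue using our SSID Auto-Contain................ Disabled
Valid client on rogue AP Auto-Contain............ Disabled
Rogue AP timeout................................. 1200
Rogue Detection Report Interval.................. 10
Rogue Detection Min Rssi......................... -128
Rogue Detection Transient Interval............... 0

MAC Address        Classification     # APs # Clients Last Heard
-----------------  ------------------ ----- --------- -----------------------
00:13:7f:8c:3b:80  Malicious          1     9         Thu Aug 29 20:07:03 2013
00:17:c5:86:23:e8  Friendly           0     0         Not Heard
00:3a:9a:b1:e5:50  Malicious          1     0         Thu Aug 29 20:07:03 2013
00:3a:9a:b1:e5:51  Malicious          1     0         Thu Aug 29 20:04:03 2013
00:3a:9a:da:fd:f0  Unclassified       1     0         Thu Aug 29 19:58:03 2013
1c:e6:c7:84:3c:10  Malicious          1     0         Thu Aug 29 20:04:03 2013
1c:e6:c7:84:3c:11  Malicious          1     0         Thu Aug 29 20:07:03 2013
1c:e6:c7:84:3c:12  Malicious          1     0         Thu Aug 29 20:07:03 2013
20:3a:07:97:a7:b0  Unclassified       1     0         Thu Aug 29 20:04:03 2013
34:a8:4e:c5:84:80  Malicious          1     0         Thu Aug 29 20:01:03 2013
34:a8:4e:c5:84:81  Malicious          1     0         Thu Aug 29 20:04:03 2013
54:78:1a:73:78:c0  Malicious          1     0         Thu Aug 29 20:04:03 2013
54:78:1a:73:78:c1  Malicious          1     0         Thu Aug 29 20:07:03 2013
54:78:1a:73:78:c2  Malicious          1     0         Thu Aug 29 20:04:03 2013
58:6d:8f:52:1b:10  Unclassified       1     0         Thu Aug 29 20:07:03 2013
b0:77:ac:37:db:00  Unclassified       1     0         Thu Aug 29 19:49:03 2013
"""

SETTING_RE = re.compile(r"^(.*?)\.{2,}\s*(\S+)\s*$")          # "Name....... value"
ROW_RE = re.compile(
    r"^([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+(\S+)\s+(\d+)\s+(\d+)\s+(.+?)\s*$", re.I)
TIME_FMT = "%a %b %d %H:%M:%S %Y"                              # "Thu Aug 29 20:07:03 2013"


def parse_summary(text: str):
    """Return (settings dict, list of row dicts) from the command output."""
    settings, rows = {}, []
    for line in text.splitlines():
        row = ROW_RE.match(line)
        if row:
            mac, cls, aps, clients, heard = row.groups()
            last: Optional[datetime] = (None if heard == "Not Heard"
                                        else datetime.strptime(heard, TIME_FMT))
            rows.append({"mac": mac.lower(), "classification": cls,
                         "aps": int(aps), "clients": int(clients), "last_heard": last})
            continue
        setting = SETTING_RE.match(line)
        if setting:
            settings[setting.group(1).strip()] = setting.group(2)
    return settings, rows


def classification_counts(rows) -> dict:
    return dict(Counter(r["classification"] for r in rows))


def rogues_with_clients(rows) -> list:
    """Rogues that currently have associated clients; these deserve attention first."""
    return [r["mac"] for r in rows if r["clients"] > 0]


def quiet_rogues(rows, seconds: int, now: Optional[datetime] = None) -> list:
    """Rogues not heard for at least `seconds`. `now` defaults to the newest
    timestamp in the table (the output carries no clock); 'Not Heard' rows are skipped."""
    heard = [r for r in rows if r["last_heard"] is not None]
    if not heard:
        return []
    ref = now or max(r["last_heard"] for r in heard)
    return [r["mac"] for r in heard
            if (ref - r["last_heard"]).total_seconds() >= seconds]


if __name__ == "__main__":
    settings, rows = parse_summary(SAMPLE_OUTPUT)
    print(classification_counts(rows))
    print("with clients:", rogues_with_clients(rows))
    print("quiet for >= timeout:", quiet_rogues(rows, int(settings["Rogue AP timeout"])))
```

Run against the captured output, the counts agree with the controller's own `Number of APs.... 11` line for Malicious, the only Rogue carrying clients is 00:13:7f:8c:3b:80, and nothing has been silent for the full 1200-second Rogue AP timeout yet, although the b0:77:ac:37:db:00 entry is already 18 minutes old.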

Piotr Kaluzny

CCIE #25665 (Security), CCSP, CCNP
Sr. Technical Instructor - IPexpert, Inc.
URL: http://www.IPexpert.com

Evolution of CCIE Voice to CCIE Collaboration


For those CCIE Voices out there wondering what the evolution path is to gain the Collaboration certification, the wait is over. Learning at Cisco has provided three options for folks who have already passed CCIE Voice or might pass between now and the launch of CCIE Collaboration (Feb 2014).

Option (1): If you have already passed the CCIE Voice lab exam, are emotionally attached to it and are vehemently opposed to options (2) and (3) below, then this is the option for you. You simply have to continue your normal re-certification process and you will be CCIE Voice forever more. The normal re-certification process involves passing a CCIE Written exam from any track every two years.

Option (2): If you want to ditch your CCIE Voice and move on to the “le mot du jour” (that is “word of the day” for the few non-French speakers who might be reading this), then you can pass the CCIE Collaboration written and open a support case to permanently convert your CCIE Voice into a CCIE Collaboration. This is a one-time offer that lasts until Feb 13 2016, and there is no going back. If you go down this route you can wave a teary goodbye to the CCIE Voice cert and get your business cards reprinted.

Option (3): The most likely option. You will have to pass the CCIE Collaboration written as well as the lab exam, and this will entitle you to the “CCIE Voice” as well as the “CCIE Collaboration” certification. Wow! That means you get two for the price of one if you have kept up to date with technology on the Collaboration blueprint and are prepared to put in some hard yards.

Anyhow, I think this is a great outcome that caters for everybody who has the current CCIE Voice certification (but they may have set a precedent for the future here!!!).

The document published by Cisco can be found here: https://learningnetwork.cisco.com/docs/DOC-21915


Vik Malhi

Congratulations to IPexpert’s Latest CCIE Success Stories!!!


Join us in congratulating the following CCIEs on their great achievement:

  • Hector Viltres Flores CCIE #29909 (R&S, Voice)
  • Fernando Ferraioli CCIE #40600 (Voice)



More CCIEs to Congratulate!


Join us in congratulating the following CCIEs on their great achievement:

  • Prasanna Yabaluri, CCIE # 41124 (Wireless)
  • Martin Sloan, CCIE# 41076 (Voice)
  • Stephen Guilfoil CCIE #41160 (Voice)

 


Weekend Promotions:: Collaboration & Data Center Candidates


CCIE Data Center Candidates:

This weekend, we are honoring a $300 discount if you purchase a seat in our upcoming Mastering Unified Computing for CCIE Data Center Candidates class. You will get a streaming copy of this recorded class upon completion, which will also be added to your Member’s Area a few days after the class has been completed! Don’t miss out on this class if you’re looking to ACE the UCS portion of your CCIE Data Center lab! To get your $300 discount, CLICK THIS LINK, and enter coupon code: UCSn300

CCIE Collaboration Candidates:

This weekend, we are running a 2-day promotion on a class that’s JUST been added to our schedule, a 5-day Online-HD-ILT CCIE Collaboration Written Bootcamp, taught by Vik. As with the Data Center course, you will get a streaming copy of this recorded class upon completion. This class sells for $999, but for this weekend only you will receive a $400 discount and pay just $599 for this course! Just go HERE and purchase with the coupon code: CWWKNDn13

MPLS vLecture Video Posted


Happy Friday evening all!

Due to an amazing number of requests, Marko’s vLecture on MPLS has been posted on our YouTube channel. You can also get to the direct link by clicking HERE.

I’m also going to be posting the vLecture Vik did on H.323 FastStart tonight or tomorrow and will announce it. Have a great weekend! – Wayne


H.323 FastStart vLecture Now Available for Viewing

Just a Few Hours Remaining – Weekend Promotion!


Just a friendly reminder that there are just a few hours remaining to take advantage of the weekend promotions described in the “Weekend Promotions” post above: the $300 discount on the Mastering Unified Computing for CCIE Data Center Candidates class (coupon code UCSn300) and the $400 discount on the 5-day Online-HD-ILT CCIE Collaboration Written Bootcamp taught by Vik, bringing it from $999 down to $599 (coupon code CWWKNDn13).
