No. I am not upgrading the FUS version to use AVC and NetFlow. And yes, the FUS version upgrade can be a quite delicate process. That is why I want to have as much certainty as possible about the current FUS version, to either:
- Upgrade it to the latest version (because some day the FUS version must be upgraded to whatever version is released.)
- Or leave it (knowing for a fact it has the latest version).
And yes, I will be:
- Physically present for the upgrade.
- With the console cable attached to the device.
- The device will be connected to a UPS.
Thanks anyway for the advice.
No. The FUS version and the Bootloader version are two different things. The Bootloader Version of 1.0.20 is not the FUS version.
Downloads Homepage in the Cisco website
As you can see in the image above, there is no such thing as a 1.0.20 FUS version. I am quite sure I can upgrade the WLC directly to Software Version 220.127.116.11, but I would really like to also upgrade the FUS version (if that is the case), for future maintenance of the WLC (after all, one day I will have to upgrade the FUS). Anyway, thanks for the reply.
Hello people at the Community: I would like to ask for some help with the following question:
I would like to carry out an upgrade of the FUS version and IOS software version of an AIR-CT2504-K9 Wireless LAN Controller. The WLC has 16 APs attached to it: 15 AIR-CAP1602E-A-K9 access points and 1 AIR-AP2802E-A-K9 access point. This WLC right now has the following version:
(Cisco Controller) >show sysinfo
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 18.104.22.168
Bootloader Version............................... 1.0.20
Field Recovery Image Version..................... 22.214.171.124
Firmware Version................................. PIC 16.0
Build Type....................................... DATA + WPS
System Name...................................... Cisco_26:30:04
System Location..................................
System Contact...................................
System ObjectID.................................. 126.96.36.199.188.8.131.52.1279
Summary screen of the WLC
Current AP List of the WLC
I would like to upgrade the WLC to the following versions:
Field Upgrade Software: 184.108.40.206
Wireless LAN Controller Software: 220.127.116.11(ED)
To do the upgrade, the Software Release Documentation says that the WLC must have FUS 18.104.22.168 or higher to upgrade to version 22.214.171.124(ED). So the questions I now have are:
Based on the Bootloader Version and the Field Upgrade Version, what is the current FUS version of this WLC? The Release Notes documents for FUS 126.96.36.199 and FUS 188.8.131.52 say contradictory things about the FUS version. I am kinda confused...
- The Release Notes for 184.108.40.206 say that the combination of Field Recovery Image: 220.127.116.11 and Bootloader: 1.0.20 means the WLC has FUS version 18.104.22.168.
- The Release Notes for 22.214.171.124 say that Bootloader: 1.0.20 (they do not mention the Field Recovery Image version) means the WLC has FUS version 126.96.36.199.
Based on the answer to the question above, can I upgrade the FUS version to 188.8.131.52 directly without problems? (to avoid the CSCuu46671 bug related to FUS 184.108.40.206) Or does the WLC already have FUS 220.127.116.11? (in which case I must not install it again: the FUS Release Notes document says that the FUS image must be installed only once on a WLC).
The upgrade to Wireless LAN Controller Software 18.104.22.168(ED) supports both the 1602E and 2802E Access Points without problems, right?
If you need any more information, please let me know. Thanks a lot for any help in this issue.
Thanks again for your answer.
What you say is very reasonable: to work in parts, one topic at a time, using the test topology that I attach again (a little better drawn) in this post.
1) So let's start with the static DHCP bindings. To do that I will configure this:
SWCOPB01(config)#ip dhcp pool Network80
SWCOPB01(dhcp-config)#network 10.10.80.0 255.255.255.0
SWCOPB01(dhcp-config)#dns-server 192.168.5.13 22.214.171.124
SWCOPB01(dhcp-config)#default-router 10.10.80.1
SWCOPB01(dhcp-config)#domain-name abc.com.ec
SWCOPB01(dhcp-config)#exit
I will not exclude those 80.35 and 80.36 IP addresses that I will attempt to use later, right? Also, it will somehow create "three DHCP pools: one parent and two children" (the main one with 10.10.80.0/24 and two hosts with 10.10.80.35 and 10.10.80.36). That is correct, right?
2) To create the DHCP static mapping to the users:
SWCOPB01(config)#ip dhcp pool ManualDHCPUser1
SWCOPB01(dhcp-config)#host 10.10.80.35 255.255.255.0
SWCOPB01(dhcp-config)#client-identifier 01d4.3d7e.e906.3c
SWCOPB01(dhcp-config)#exit
SWCOPB01(config)#ip dhcp pool ManualDHCPUser2
SWCOPB01(dhcp-config)#host 10.10.80.36 255.255.255.0
SWCOPB01(dhcp-config)#client-identifier 013c.970e.9050.f5
3) I will verify the configurations with the show ip dhcp bindings command. It should come out like this:
SWCOPB01#show ip dhcp bind
Bindings from all pools not associated with VRF:
IP address       Client-ID/             Lease expiration    Type
                 Hardware address/
                 User name
10.10.80.35      01d4.3d7e.e906.3c      Infinite            Manual
10.10.80.36      013c.970e.9050.f5      Infinite            Manual
4) I will configure on the user PCs a DHCP IP configuration (in Network and Sharing Center - Network Connection - Local Area Connection, since they are Windows users), and check that they receive the .80.35 and .80.36 IP addresses (in cmd - ipconfig).
5) After all that is done, we can continue with other topics like DHCP snooping and IPsg with port security.
Please take this into consideration:
- When I last created all the configuration (as I said in my previous post), the show ip dhcp bindings command showed me the correct static bindings as I expected (.80.35 and .80.36), but the actual users still got different IP addresses via DHCP (.80.2 and .80.3, which are part of the DHCP pool that I defined).
I still don't know why it went wrong...
I will keep you posted about the results of this configuration.
See you. Bye.
Thanks for your patience and support.
These days I have extensively tried the configurations we have been discussing, but I have been only partially successful.
I was successful in configuring the IPsg with a static IP configuration for the users, but I could not make it work with DHCP IP addressing.
Please take a look at the attached diagram that explains the scenario I used as a test.
The steps done were:
1) Definition of a DHCP Pool in the Core Switch
SWCOPB01(config)#ip dhcp pool Network80
SWCOPB01(dhcp-config)#network 10.10.80.0 255.255.255.0
SWCOPB01(dhcp-config)#dns-server 192.168.5.13 126.96.36.199
SWCOPB01(dhcp-config)#default-router 10.10.80.1
SWCOPB01(dhcp-config)#domain-name abc.com.ec
SWCOPB01(dhcp-config)#exit
SWCOPB01(config)#ip dhcp excluded-address 10.10.80.30 10.10.80.40
It is correctly defined as seen:
SWCOPB01#show runn | sec ip dhcp pool Network80
ip dhcp pool Network80
 network 10.10.80.0 255.255.255.0
 default-router 10.10.80.1
 domain-name abc.com.ec
 dns-server 192.168.5.13 188.8.131.52
2) Configure DHCP Snooping in the access switch and trust the uplink port
SWACPB01(config)# ip dhcp snooping
SWACPB01(config)# ip dhcp snooping vlan 80
SWACPB01(config)# interface GigabitEthernet 0/1
SWACPB01(config-if)# ip dhcp snooping trust
SWACPB01(config-if)# end
3) Configure IPsg
SWACPB01(config)#ip source binding d43d.7ee9.063c vlan 80 10.10.80.35 int fa0/46
SWACPB01(config)#ip source binding 3c97.0e90.50f5 vlan 80 10.10.80.36 int fa0/48
SWACPB01(config)#int fa 0/46
SWACPB01(config-if)#ip verify source
SWACPB01(config-if)#switchport port-security
SWACPB01(config-if)#exit
SWACPB01(config)#int fa0/48
SWACPB01(config-if)#ip verify source
SWACPB01(config-if)#switchport port-security
SWACPB01(config-if)#exit
It seems to work:
SWACPB01(config)#do show ip source bind
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
3C:97:0E:90:50:F5   10.10.80.36      infinite    static         80    FastEthernet0/48
D4:3D:7E:E9:06:3C   10.10.80.35      infinite    static         80    FastEthernet0/46
Total number of bindings: 2
4) I assign static IP addresses to User1 and User2 PCs (with the same 10.10.80.35 and 10.10.80.36 addresses as stated in the commands)
This solution seems to work, because if I change the IP addresses of either user to any other one, the user loses connectivity.
But the solution done above does not use DHCP scheme as I originally wanted.
So I tried to combine it with the DHCP by doing this:
5) Make a DHCP static mapping to those users:
SWCOPB01(config)#ip dhcp pool ManualDHCPUser1
SWCOPB01(dhcp-config)#host 10.10.80.35 255.255.255.0
SWCOPB01(dhcp-config)#client-identifier d43d.7ee9.063c
SWCOPB01(dhcp-config)#exit
SWCOPB01(config)#ip dhcp pool ManualDHCPUser2
SWCOPB01(dhcp-config)#host 10.10.80.36 255.255.255.0
SWCOPB01(dhcp-config)#client-identifier 3c97.0e90.50f5
Those pools work:
SWCOPB01#show ip dhcp bind
Bindings from all pools not associated with VRF:
IP address       Client-ID/             Lease expiration    Type
                 Hardware address/
                 User name
10.10.80.35      d43d.7ee9.063c         Infinite            Manual
10.10.80.36      3c97.0e90.50f5         Infinite            Manual
6) But if I configure DHCP addressing on the User1 and User2 PCs (Network and Sharing Center - Network Connection - Local Area Connection for Windows users), the DHCP server does not assign them the binding previously defined in the DHCP server switch.
They will be assigned the IP addresses 10.10.80.2 and 10.10.80.3 via DHCP, and they are not able to reach internet. I did not try assigning them another IP address via static configuration.
So, with that said I have some more questions:
- Are the DHCP Pools correctly defined? Do I have to exclude the IP addresses (from the main DHCP Pool) that will later be used as hosts in the two DHCP Pools for hosts? I get confusing information about this topic from different sources (some pages say that I should exclude those addresses, and some others say I don't have to).
- How can I change the configuration that worked (IPsg for static IP addresses) to include DHCP static assignments? The goal is that the users will be given "DHCP addresses" (but defined by me), so if they want to change them (to other static IP addresses) they will lose connectivity.
How do I have to configure that static dhcp bindings joined to the IPsg configuration?
- Does that configuration include those two definitions of bindings (the one done in the IPsg and the same one done in the DHCP static mapping)? I suspect the problem is around here...
- By the way, how does the DHCP snooping activation in the switch affect traffic from/to other VLANs defined there (but not included in the DHCP snooping configuration)? I suffered problems in other VLANs (like wireless VLANs), and I suspect it's because of that snooping activation.
By the way, should I also "trust" the uplink port to an access point attached to the access switch? What about ports connected to servers?
Thanks in advance for your cooperation and patience. I think we are close to the solution. (I am not forgetting that I have to mark your posts as "correct solution" once we are finished)
Have a nice day. Bye
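The manual DHCP pools on SWCOPB01 and the ip source binding entries on SWACPB01 in the two posts above carry the same MAC/IP pairs in two notations, and the post on the 01-prefixed client-identifier further down turns on that difference. This added Python script (not from the thread) generates both halves from one host table; the pool names and the HOSTS table are assumptions built from the thread's own values.

```python
# Added example (not from the thread): emit the two bindings the posts keep in
# sync by hand, from one host table. HOSTS is a constructed sample reusing the
# MACs, IPs, VLAN and ports quoted in the thread; the pool names are assumed.
import re

NON_HEX = re.compile(r"[^0-9a-f]")

def normalize_mac(mac: str) -> str:
    """Return the 12 lowercase hex digits of a MAC written in any common form
    (aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff)."""
    digits = NON_HEX.sub("", mac.lower())
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def dotted(hex_digits: str) -> str:
    """IOS dotted-hex notation: groups of four digits, last group may be short."""
    return ".".join(hex_digits[i:i + 4] for i in range(0, len(hex_digits), 4))

def client_identifier(mac: str) -> str:
    """DHCP client-identifier of an Ethernet client: hardware type 01 + MAC,
    which is why the 12-digit MAC shows up as the 14-digit 01d4.3d7e.e906.3c."""
    return dotted("01" + normalize_mac(mac))

def source_binding_mac(mac: str) -> str:
    """ip source binding takes the bare MAC in dotted notation: d43d.7ee9.063c."""
    return dotted(normalize_mac(mac))

def dhcp_manual_pool(name: str, mac: str, ip: str, mask: str) -> list:
    """Core switch (DHCP server): one host pool per client, as IOS requires."""
    return [f"ip dhcp pool {name}",
            f" host {ip} {mask}",
            f" client-identifier {client_identifier(mac)}"]

def ipsg_binding(mac: str, vlan: int, ip: str, interface: str) -> list:
    """Access switch: static IP Source Guard binding plus filtering on the port."""
    return [f"ip source binding {source_binding_mac(mac)} vlan {vlan} {ip} "
            f"interface {interface}",
            f"interface {interface}",
            " ip verify source",
            " switchport port-security"]

def build(hosts: list) -> tuple:
    """Return (core_switch_lines, access_switch_lines). Duplicate MACs or IPs are
    refused: two ports with a claim on one address is exactly the conflict."""
    seen_macs, seen_ips, core, access = set(), set(), [], []
    for h in hosts:
        mac, ip = normalize_mac(h["mac"]), h["ip"]
        if mac in seen_macs or ip in seen_ips:
            raise ValueError(f"duplicate binding for {h['mac']} / {ip}")
        seen_macs.add(mac)
        seen_ips.add(ip)
        core += dhcp_manual_pool(h["pool"], mac, ip, h["mask"])
        access += ipsg_binding(mac, h["vlan"], ip, h["interface"])
    return core, access

# Constructed sample table: the two test users from the thread's topology.
HOSTS = [
    {"pool": "ManualDHCPUser1", "mac": "D4:3D:7E:E9:06:3C", "ip": "10.10.80.35",
     "mask": "255.255.255.0", "vlan": 80, "interface": "FastEthernet0/46"},
    {"pool": "ManualDHCPUser2", "mac": "3c97.0e90.50f5", "ip": "10.10.80.36",
     "mask": "255.255.255.0", "vlan": 80, "interface": "FastEthernet0/48"},
]

if __name__ == "__main__":
    core_cfg, access_cfg = build(HOSTS)
    print("! SWCOPB01 (core, DHCP server)", *core_cfg, sep="\n")
    print("! SWACPB01 (access, IP Source Guard)", *access_cfg, sep="\n")
```

Feeding the same table to both switches removes the hand-copied MAC mismatch between the DHCP binding table and the IPsg binding table that the post above asks about.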
Thanks a lot for the follow up you are doing to this topic.
From the answer you gave me I understand this sequence of configuration:
1) I have to configure DHCP Snooping in the access switches.
* And the ip dhcp snooping trust command in the uplinks to the core switch.
2) I can let the DHCP snooping database to be dynamically built (although I am quite sure I should build it statically to assure the correct MAC to IP bindings)
3) Then I configure IPsg in the access switches.
* The IPsg should not be applied in the uplink ports to the core.
I have some more questions regarding this topic:
- If I build the DHCP snooping database statically I should have more control over the MAC to IP addressing, right?
- What are the disadvantages of building a statically DHCP snooping database? I guess it should be the best way to get more security in most cases.
- Either way, I have discovered that the IPsg configuration also includes a mac to IP binding:
SWACPB02(config)#int gi0/5
SWACPB02(config)#ip source binding 3c97.0e90.50f5 vlan 120 10.10.120.62 int gi0/5
SWACPB02(config-if)#ip verify source
Is that configuration consistent with the previous configuration of the DHCP Snooping (especially with the database previously discussed)? Should I (do I have to) configure both mappings with the same information? What could happen if these two tables (the DHCP snooping table and the IPsg binding table) have different information?
(I believe that points to an advantage of the static DHCP snooping table...)
- I also checked that ARP dynamic inspection you mentioned. It seems that it's useful just to prevent MitM attacks because of an ARP spoofing attack, right?
Do you believe it's useful to apply this in my scenario? What advantages could I have if I do so?
Thanks in advance for your help.
Hello Rasmus. Thanks for your answer
As I have checked in the link you provided, the solution that I want may be given by IP source guard. It restricts IP traffic by filtering the traffic based on a DHCP snooping binding, right?
It seems that to configure that IP source guard I have to configure DHCP Snooping, that filters untrusted DHCP messages based on a table, right?
Please remember the topology I have. It's attached in this post.
As I have checked on some links, to configure that DHCP snooping, I have to do it this way:
SWACPB02(config)# ip dhcp snooping
SWACPB02(config)# ip dhcp snooping vlan 120
SWACPB02(config)# interface GigabitEthernet 0/5
SWACPB02(config-if)# ip dhcp snooping trust
SWACPB02(config-if)# end
SWACPB02# show ip dhcp snooping
It should give this kind of output:
SWACPB02#sh ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
120
Insertion of option 82 is enabled
Interface              Trusted    Rate limit (pps)
--------------------   -------    ----------------
GigabitEthernet 0/5    yes        unlimited
Then I have to define a dhcp snooping database (in an external file like one located in a TFTP server). I don't find much information about what it is for or how to configure it.
Once I have those things, I can configure the IP Source Guard. To configure that IP source guard I have to do this:
SWACPB02(config)#int gi0/5
SWACPB02(config)#ip source binding 3c97.0e90.50f5 vlan 120 10.10.120.62 int gi0/5
SWACPB02(config-if)#ip verify source
SWACPB02(config-if)#switchport port-security
To verify that, I can use
SWACPB02# show ip source binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
3c:97:0e:90:50:f5   10.10.120.62     infinite    static         120   GigabitEthernet0/5
SWACPB02# show ip verify source
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----
Gi0/5      ip mac       active       10.10.120.62     3c:97:0e:90:50:f5  120
I have several questions regarding these topics and configurations:
- In my topology, are the configurations (DHCP Snooping and IPsg) done in the access switches or in the core switch? The info you mentioned is about a 4500/6500 switch.
- The IPsg configuration has to be done in access ports (those connected to the final users), right? Will they give any error if they are applied in interswitch link ports?
- Do I have to define a dhcp snooping database prior to configure that IP Source Guard? What is that for? How do I configure it?
- With that IP source guard configuration, do I ensure that users get a unique IP address (via DHCP) based on the MAC, so they will not be able to change it to a different one statically?
Thanks a lot for further clarifications about this solution.
Thanks a lot for your answer.
As I see in that configuration, you:
- Create a general DHCP pool with excluded addresses,
- Then you define things like domain, lease time, default addresses
- Interestingly, you also list a default boot file for the DHCP client with the bootfile command.
- You also define two DHCP Static pools (for two users). The addresses that you assign to them are part of the excluded addresses defined in the general pool. The definition of these pools include client names and domain.
As I see, that configuration is not so different from mine (it only includes more options), so I daresay it would give the same results as the one that I already tried.
Could you please explain to me the following things:
- How does the configuration you propose solve the issue I want to solve? That is, to assign static IP addresses to the users based on their MAC addresses, so that each user will get a unique IP address (via DHCP) and will not be able to change it to a different one statically.
- Does any of the options you configure in your example help to solve the issue?
- Also, I am not familiar with the bootfile pxelinux.0 command. Could you please explain what it is for? Is that a file that includes the DHCP mapping? I read somewhere it can be done that way, but that file needs to be in a TFTP server. Where is that file located in your configuration example?
- Is the solution that I look related to DHCP configuration, or does it go beyond this topic? Any other way to configure this?
Thanks in advance for your time.
Thanks for your reply:
I already tried doing that, because I read that suggestion in a post somewhere in this Cisco Support Forum.
I changed the syntax of that command adding that 01. It did not give me an error (something that I find confusing, since a MAC address is 12 hex digits, and that syntax changes the MAC to 14 digits in a format 01aa.bbbb.cccc.dd which is weird...)
The output of the show ip dhcp bindings stayed the same (the static DHCP assignment worked), but the main problem persists :
if I release the static DHCP provided IP address, and I configure the network settings of another user with that IP address (statically), that IP address gets assigned to the other user.
The main question that I have is still there:
- How can I configure a solution for the wired users like the one I want? One that:
* Assigns a static IP addresses to the user PCs based on their MAC addresses.
* So those users will always get that assigned IP address, even if they try to "renew" their IP addresses on their PCs (or when they turn off their PCs at the end of the day and return the next day).
* And they will not be able to change it to a different one statically, that means, the DHCP configuration supersedes the static attempt.
- Could it be that this solution is beyond the scope of DHCP configuration? What should I configure to obtain this?
Hello. I would like to ask for help with the following topic:
I have a network that has two 3750X switch in stack (running IOS 15.2) acting as core switch, and several 2960+ access switches across different floors (also running IOS 15.2) that have several final users (PCs) attached to them.
I attach a diagram with the topology.
The Core Switch is acting as a DHCP server and has several DHCP Pools for the wired and wireless networks. The wired and wireless users receive DHCP IP addresses, but there have been problems lately because users would change their assigned IP addresses to static ones manually, and that has created conflicts with duplicated IP addresses, users getting more privileges than they should, and DHCP pools that are running out of space. (these final users have computer systems knowledge).
To solve this problem I would like to implement the following for the wired clients: I would like to assign static IP addresses to several user PCs based on their MAC addresses, so that a user will get a unique IP address (via DHCP) and will not be able to change it to a different one statically.
I tried creating a bunch of manual bindings in the DHCP server configuration using the following commands:
SWCOPB01(config)#ip dhcp pool ManualDHCPUser1
SWCOPB01(dhcp-config)#host 10.10.120.62 255.255.255.0
SWCOPB01(dhcp-config)#client-identifier 3c97.0e90.50f5
SWCOPB01(config)#ip dhcp pool ManualDHCPUser2
SWCOPB01(dhcp-config)#host 10.10.120.50 255.255.255.0
SWCOPB01(dhcp-config)#client-identifier 507b.9d61.f1d4
As I understood, I had to create one "DHCP Pool" for each user, because those DHCP pools created for hosts just support one user per pool. Also, I checked that the address to be used are not excluded in any existent DHCP pool. I had to do it like 30 times, because I wanted this solution for like 30 users.
It apparently succeeded, because I got this kind of answer:
SWCOPB01#show ip dhcp bind
Bindings from all pools not associated with VRF:
IP address       Client-ID/             Lease expiration    Type
                 Hardware address/
                 User name
10.10.120.62     3c97.0e90.50f5         Infinite            Manual
10.10.120.50     507b.9d61.f1d4         Infinite            Manual
But it does not work as I desire, because if I unplug the network cable of user1, and I configure the network settings of a user3 with that 10.10.120.62 IP address (statically), that IP address gets assigned to user3, and then user1 will not get a proper IP address when he wants to connect to the wired network.
I also tried using the hardware-address option instead of client-identifier while creating the static DHCP pools with the same results.
So, my question is: how can I configure a solution for the wired users like the one I want? One that behaves like this:
- Assign a static IP address to the user PCs based on their MAC addresses.
- So those users will always get that assigned IP address, even if they try to "renew" their IP addresses on their PCs (or when they turn off their PCs at the end of the day and return the next day).
- And they will not be able to change it to a different one statically, that means, the DHCP configuration supersedes the static attempt.
That being said:
- Is this a topic that can be solved with DHCP configuration, or is this solution beyond the scope of this topic? Any suggestions to do this?
- And just out of curiosity, will the solution work the same for the wireless users, or is the approach any different in that case?
Thanks in advance for any help in this topic.
If you need any more information, please let me know.