Cisco WLC – HA SSO upgrade

“Is the upgrade procedure for a high-availability pair of Cisco Wireless LAN Controllers the same as the procedure for a single Cisco WLC?” Several customers asked me this questions and the answer is YES.

First you check the current and backup firmware image.

(Cisco Controller) >show boot
Primary Boot Image…………………………. 8.2.111.0 (default) (active)
Backup Boot Image………………………….. 8.1.102.0

Next you check if your SSO configuration is working as expected.

(Cisco Controller) >show redundancy summary
Redundancy Mode = SSO ENABLED
Local State = ACTIVE
Peer State = STANDBY HOT
Unit = Primary
Unit ID = 00:81:C4:87:3B:C9
Redundancy State = SSO
Mobility MAC = 00:81:C4:87:3B:C9
BulkSync Status = Complete
Average Redundancy Peer Reachability Latency = 177 Micro Seconds
Average Management Gateway Reachability Latency = 935 Micro Seconds

Upload the new firmware to the controller by using an TFTP or FTP server. I am using an TFTP server in this example.

(Cisco Controller) >transfer download datatype code
(Cisco Controller) >transfer download filename AIR-CT5520-K9-8-2-141-0.aes
(Cisco Controller) >transfer download path .
(Cisco Controller) >transfer download serverip 10.200.8.83
(Cisco Controller) >transfer download mode tftp
(Cisco Controller) >transfer download start

After the TFTP session is finished you’ll notice that the the software is automatically transferred from the active to the standby unit.

TFTP Code transfer starting.

TFTP receive complete… extracting components.

Checking Version Built.

Image version check passed.

Informing the standby to start the transfer download process

Waiting for the Transfer & Validation result from Standby.

Standby – Standby receive complete… extracting components.

Standby – Image version check passed.

Transfer & validation on Standby success, proceed to Flash write on Active.

Writing new AP Image Bundle to flash disk.

Executing fini script.

File transfer is successful.
Reboot the controller for update to complete.
Optionally, pre-download the image to APs before rebooting to reduce network downtime.

Transfer Download complete on Active & Standby

The last step is to reload both controllers to activate the firmware. After you reboot the active controller, you are able to access the standby controller and reboot that controller too. You have the option to reboot both controllers with one command.

(Cisco Controller) >reset system both in 00:05:00 image no-swap reset-aps

The controller also has the option to pre download the firmware from the controller to the access-points. This speeds up the upgrade process for the access-points, because the access-point don’t need to download the firmware after the controllers are online again. The access-point only need to reboot when the loose the connection with the controller. I will describe this process in a separate post.

After the controllers are back online, you should check the primary and backup boot firmware to see if the upgrade was successful.

(Cisco Controller) >show boot
Primary Boot Image…………………………. 8.2.141.0 (default)
Backup Boot Image………………………….. 8.2.111.0 (active)

ClearPass – dual interface and routing

When you are using both interfaces on a ClearPass server (MGMT and DATA) than ClearPass uses the DATA interface to connect to services, like LDAPS to Active Directory, SMTP delivery, Active Directory joining and more. ClearPass uses the DATA interface as default gateway if no specific route is available on the MGMT interface.

That being said, you have the option to add routes to the ClearPass routing table. Routes are added via the ClearPass shell. Use the following command to add a route.

Usage:

network ip add <mgmt|data|greN|vlanN> [-i <id>] <[-s <SrcAddr>] [-d <DestAddr>]> [-g <ViaAddr>]

Where:

  • greN — Name of the gre tunnel where N corresponds to the gre
    tunnel number ranging from 1,2,3…N
  • vlanN — Vlan interface where N corresponds to the vlan id ranging from 1,2,3…N. For example if the configured vlan identifier is ’85’ then input ‘vlan85’
  • -i — Optional parameter. Id of the network ip rule. If unspecified the system will auto generate the Id
  • -s <SrcAddr> — Optional parameter. The source interface ip address or netmask from where the network ip rule is specified. The allowed values are valid IP Address or Netmask or ‘0/0’
  • -d <DestAddr> — Optional parameter. The destination interface ip address or netmask where the network ip rule is specified. The allowed values are valid IP Address or Netmask or ‘0/0’
  • -g <ViaAddr> — Optional parameter. The via or gateway ip address through which the network traffic should flow. The allowed value is valid IP Address

An example:

[appadmin@CPPM01]# network ip add mgmt -d 10.10.10.0/24 -g 20.20.20.1
INFO – Added route for destination=10.10.10.0/24 via=20.20.20.1
INFO – New ip rule created with the id = 12000

You can check the routing table via the command: network ip list.

Cisco FMC – Dashboard Widgets

Some widgets on the dashboard don’t generate graphs after deploying a default configuration of Cisco FireSight Management Center.

The first two widgets, Top Server Applications Seen and Top Operating Systems Seen, are generated after the configuration of a Network Discovery Profile. The configuration of the Network Discover Profile is done via Policies – Network Discovery – Networks. I always configure a Network Discovery Profile to profile all Hosts, Users and Application for the RFC1918 IP address space.

To generate graphs for the URL widgets, you need to make sure that the correct options for the URL filtering service are enable. The URL filtering service configuration is done via System – Integration – Cisco CSI. I use the following settings for URL filtering.

After this you should wait a while (about one hour) to check if the graphs are generated. If you don’t want to wait, you can check the Analysis tab to see if information is gathered and displayed by the Cisco FireSight Management Center appliance.

AirWave & VMware Tools installation

It is recommended to install the VMware Tools before running the AMP setup. After deploying the AMP ova file and starting the VM, you can interrupt the installation process via CTRL+C. This gives you access to the AMP shell. Use the following steps to install VMware Tools on a HPE Aruba AirWave Management Platform appliance:

  1. From the VMware vSphere Client, open the console to the VM and select VM – Guest – Install/Update VMware Tools;
  2. Type mkdir -p /media/cdrom
  3. Mount the CD-ROM via mount /dev/cdrom /media/cdrom
  4. Copy the installation file cp /media/cdrom/VMwareTools-*.tar.gz /tmp
  5. Unmount the CD-ROM umount /media/cdrom
  6. Extract the installation file cd /tmp; tar -zxvf VMwareTools-*.tar.gz
  7. Run the VMware Tools setup and install script by typing /tmp/vmware-toolsdistrib/vmware-install.pl –default (2x hyphen)

The installation will take a few minutes. After the installation is finished you can restart the VM via the command init 6 or reboot.

Check the VMware Tools installation after the reboot by interrupting the AMP installation again and type the command vmware-toolbox-cmd -vThis will give you information about the installed version of VMware Tools.

You can now start the AMP installation again via the command /root/amp-install.

iPhone – Sleep Timer and playing music

Something completely different in this blog post, so no technical stuff on networking. Last week I visited the Fortinet Global Partner Conference in Las Vegas, NV. Travelling from the Netherlands to Las Vegas and back in 5 days results in a big JET LAG for me!! Not only after the flight from the Netherlands to Las Vegas, but also after the flight back I had some problems with sleeping. I bought and tried to take some extra melatonin. This helps to get you in that “sleepy feeling”, but I still had problems to get to bed during the “regular” hours.

I also like it to listen to music to fall in sleep, but it’s not really helpful when the music keeps playing on all night long. After some toggling on the iPhone I found the Sleep Timer function and the possibility to stop playing music after the Sleep Timer counts back to zero. I tested the functionality successfully with several apps, like Apple Music, Spotify and SoundCloud. I guess more apps will support this functionality. Use the following steps to active the Sleep Timer to stop the music from playing:

  1. Start playing for favorite music. I used Apple Music, Spotify and SoundCloud;
  2. Start the “Clock” app;
  3. Select “Timer” at the bottom;
  4. Set the duration to keep playing music;
  5. Select “Stop Playing” as action for “When Timer Ends”;

Like it or not, but it this definitely helped me….