I had to do a Motorola wireless bridge here recently from one building to another, probably about 200 yards from each other. I thought I'd post the Portal and Client config here below.
Topology:
Portal Config:
wlan P2PBridge
description Wireless bridge
ssid building2\ Bridge
vlan 3
bridging-mode local
encryption-type ccmp
authentication-type none
no broadcast-ssid
no answer-broadcast-probes
wpa-wpa2 psk 0 $BrideKey$
data-rates 2.4GHz gn
data-rates 5GHz an
use aaa-policy AAA_POLICY_P2PBridge
!
profile ap6532 P2P-Bridge
ip name-server 192.168.176.12
ip name-server 192.168.176.13
ip domain-name company.com
area building2
ip default-gateway 192.168.3.1
no autoinstall configuration
no autoinstall firmware
crypto ikev1 policy ikev1-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ikev2 policy ikev2-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
crypto ikev1 remote-vpn
crypto ikev2 remote-vpn
crypto auto-ipsec-secure
crypto load-management
interface radio1
shutdown
interface radio2
P2PBridge bss 1 primary
interface ge1
switchport mode trunk
switchport trunk native vlan 3
no switchport trunk native tagged
switchport trunk allowed vlan 1,2,3,4,5
ip dhcp trust
qos trust dscp
qos trust 802.1p
interface vlan3
interface pppoe1
use firewall-policy default
service pm sys-restart
router ospf
!
rf-domain P2P-Bridge
location building1\ and\ building2
timezone America/Chicago
country-code us
control-vlan 3
!
ap6532 11-22-33-44-55-66
radio-count 2
use profile P2P-Bridge
use rf-domain P2P-Bridge
hostname P2P-Bridge-Portal
license AP VIRTUAL_CONTROLLER_DEFAULT_AP_LICENSE
model-number AP-6532-66040-US
bridge vlan 3
bridging-mode tunnel
floor building1
interface radio1
shutdown
no mesh
interface radio2
power 27
mesh portal
mesh psk 0 $BrideKey$
P2PBridge bss 1 primary
aggregation amsdu tx-rx
rifs tx-rx
interface ge1
switchport mode trunk
switchport trunk native vlan 3
no switchport trunk native tagged
switchport trunk allowed vlan 1,2,3,4,5
interface vlan3
ip address 192.168.3.7/24
!
!
end
Client Config:
wlan P2PBridge
description Wireless bridge
ssid building2\ Bridge
vlan 3
bridging-mode local
encryption-type ccmp
authentication-type none
no broadcast-ssid
no answer-broadcast-probes
wpa-wpa2 psk 0 $BrideKey$
data-rates 2.4GHz gn
data-rates 5GHz an
use aaa-policy AAA_POLICY_P2PBridge
!
profile ap6532 P2P-Bridge
ip name-server 192.168.176.12
ip name-server 192.168.176.13
ip domain-name company.com
area building2
ip default-gateway 192.168.3.1
no autoinstall configuration
no autoinstall firmware
crypto ikev1 policy ikev1-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ikev2 policy ikev2-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
crypto ikev1 remote-vpn
crypto ikev2 remote-vpn
crypto auto-ipsec-secure
crypto load-management
interface radio1
shutdown
interface radio2
P2PBridge bss 1 primary
interface ge1
switchport mode trunk
switchport trunk native vlan 3
no switchport trunk native tagged
switchport trunk allowed vlan 1,2,3,4,5
ip dhcp trust
qos trust dscp
qos trust 802.1p
interface vlan3
interface pppoe1
use firewall-policy default
service pm sys-restart
router ospf
!
rf-domain P2P-Bridge
location building1\ and\ building2
timezone America/Chicago
country-code us
control-vlan 3
!
ap6532 77-88-99-11-22-33
radio-count 2
use profile P2P-Bridge
use rf-domain P2P-Bridge
hostname P2P-Bridge-Client
license AP VIRTUAL_CONTROLLER_DEFAULT_AP_LICENSE
model-number AP-6532-66040-US
bridge vlan 3
bridging-mode tunnel
floor building2
interface radio1
shutdown
no mesh
interface radio2
power 27
mesh client
mesh psk 0 $BrideKey$
P2PBridge bss 1 primary
aggregation amsdu tx-rx
rifs tx-rx
interface ge1
switchport mode trunk
switchport trunk native vlan 3
no switchport trunk native tagged
switchport trunk allowed vlan 1,2,3,4,5
interface vlan3
ip address 192.168.3.8/24
!
!
end
This is the retired Shane Killen personal blog, an IT technical blog about configs and topics related to the Network and Security Engineer working with Cisco, Brocade, Check Point, and Palo Alto and Sonicwall. I hope this blog serves you well. -- May The Lord bless you and keep you. May He shine His face upon you, and bring you peace.
Tuesday, February 26, 2013
Monday, February 25, 2013
Routing Across VLANs With No Default Gateway On The PC
It's funny how sometimes you run across a client that denies Internet access to only a handful of computers while allowing all the others. For instance, in this case, I have a customer that denies Internet to employees who work in a warehouse. Their fix for this was to not have a default gateway on the PCs accessible to the warehouse employees, which is a good idea. However, that threw a wrench into my VLAN project. That's ok, these sorts of things don't bother me. I simply do persistent routes. I really like that you can manipulate routing on any layer 3 capable device, and that does include PCs.
I'm going to simulate what I would see at the customer site with my own laptop. This is what the routing table looked like with no default gateway:
Notice above that I can get to the 192.168.2.0 network without any issues. That is because of ARP, not because of routing. You just cannot 'route' to a device on the same subnet as you are on. Therefore, you use ARP. Now, on the PCs at my client, here is a command I did in DOS to add a route in for a new VLAN I created:
Now, keep in mind, I wanted this permanent, so I put a '-p' at the end of the statement. So above, I added the 10.1.1.0 network in my routing table on my PC. This gets me to route my traffic destined to a 10.1.1.0 network to the gateway of 192.168.2.1. With that said, that is literally the only other network besides 192.168.2.0 that I can get on. Just those two, and no others.
So, what does the routing table look like after I add the command?
See the first line in the routing table above. When I do a 'route print', it shows me the above routing table on the PC. You see that 10.1.1.0/24 was added into the routing table when I put that last command in. That's pretty cool to manipulate a routing table like that. And you can do that for almost any purpose if you want.
Now I know what you are thinking. You can easily control this on the firewall or a router. But, what if you don't have access to those devices and they are managed by someone else who doesn't play well with other IT folks? There is always a way if you need to accomplish something.
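As an added example (not from the original post), here is a small Python audit of the situation described above: it parses the text of `route print`, a sample of which is constructed inline to mirror the post (no default route, 192.168.2.0/24 on-link, 10.1.1.0/24 added persistently), and reports whether the host has a default route, which subnets it reaches by ARP, which destinations it reaches only through a gateway, and which of those routes are persistent. This is the check you would run to confirm a "no default gateway" PC reaches exactly the two networks it is supposed to and nothing else.

```python
import ipaddress

# Constructed sample of Windows `route print` output (IPv4 section, trimmed), modelled on
# the post: no 0.0.0.0 default route, 192.168.2.0/24 reachable on-link, and one route to
# 10.1.1.0/24 added with `route add ... -p`, so it also shows up under Persistent Routes.
SAMPLE_ROUTE_PRINT = """\
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
         10.1.1.0    255.255.255.0      192.168.2.1    192.168.2.50     11
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
      192.168.2.0    255.255.255.0         On-link     192.168.2.50    276
     192.168.2.50  255.255.255.255         On-link     192.168.2.50    276
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
         10.1.1.0    255.255.255.0      192.168.2.1       1
===========================================================================
"""

DEFAULT_ROUTE = ipaddress.IPv4Network("0.0.0.0/0")


def _is_ipv4(text):
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def parse_route_print(text):
    """Return (active, persistent) lists of {'network', 'gateway', 'metric'} dicts.

    Only rows whose first two columns are dotted-quad addresses count as routes, so
    headers, separator lines and the IPv6 table are ignored automatically.
    """
    active, persistent = [], []
    section = None
    for line in text.splitlines():
        if line.startswith("Active Routes:"):
            section = active
            continue
        if line.startswith("Persistent Routes:"):
            section = persistent
            continue
        fields = line.split()
        if section is None or len(fields) < 4:
            continue
        if not (_is_ipv4(fields[0]) and _is_ipv4(fields[1])):
            continue
        network = ipaddress.IPv4Network((fields[0], fields[1]), strict=False)
        section.append({"network": network, "gateway": fields[2], "metric": int(fields[-1])})
    return active, persistent


def has_default_route(active):
    return any(r["network"] == DEFAULT_ROUTE for r in active)


def routed_networks(active):
    """Destinations reached through a next-hop gateway rather than on-link."""
    return sorted(str(r["network"]) for r in active
                  if r["gateway"] != "On-link" and not r["network"].is_loopback)


def onlink_networks(active):
    """Subnets the host reaches directly (by ARP), excluding loopback and host routes."""
    return sorted(str(r["network"]) for r in active
                  if r["gateway"] == "On-link" and not r["network"].is_loopback
                  and r["network"].prefixlen < 32)


def audit(text):
    active, persistent = parse_route_print(text)
    return {
        "default_route": has_default_route(active),
        "on_link": onlink_networks(active),
        "routed": routed_networks(active),
        "persistent": sorted(str(r["network"]) for r in persistent),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_ROUTE_PRINT).items():
        print(f"{key}: {value}")
```

On a real host, feed it the output of `route print` instead of the constructed sample; a `default_route` of True or an unexpected entry under `routed` is what the warehouse control is meant to prevent.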
Sunday, February 24, 2013
The Band "Skillet" Has Some Wise Song Lyrics
Ok, I know this isn't technical, but this song is pretty awesome. If you have a few minutes, I would encourage you to listen to this song. If you are younger, you might not get this song. But if you are a little older, I know you get it. Younger folks, please take heed to these words. The song is by Skillet and it's called "One Day Too Late".
"One Day Too Late" - Skillet
Tick tock hear the clock countdown
Wish the minute hand could be rewound
So much to do and so much I need to say
Will tomorrow be too late
Feel the moment slip into the past
Like sand through an hourglass
In the madness I guess I just forget
To do all the things I said
[Pre]
Time passes by
Never thought I'd wind up
One step behind
Now I've made my mind up
[Chorus]
Today I'm gonna try a little harder
Gonna make every minute last longer
Gonna learn to forgive and forget
'Cause we don't have long, gonna make the most of it
Today I'm gonna love my enemies
Reach out to somebody who needs me
Make a change, make the world a better place
'Cause tomorrow could be one day too late
One day too late
One day too late
[V2]
Tick tock hear my life pass by
I can't erase and I can't rewind
Of all the things I regret the most I do...
Wish I'd spent more time with you
Here's my chance for a new beginning
I saved the best for a better ending
And in the end I'll make it up to you, you'll see
You'll get the very best of me
[Bridge]
Your time is running out
You're never gonna get it back
Make the most of every moment
Stop saving the best for last
Today I'm gonna try a little harder
Gonna make every minute last longer
Gonna learn to forgive and forget
'Cause we don't have long, gonna make the most of it
Today I'm gonna love my enemies
Reach out to somebody who needs me
Make a change, make the world a better place
'Cause tomorrow could be one day too late
One day too late
Network Changes For Increased Performance
I have to say one of the things I really like to do is to take a network that is far behind in technology and bring it up to a better state. I went in this past Friday to a customer and worked overnight to implement a new Brocade FCX with Advanced code on it (as the new core switch) and to implement VLANs on it to try to separate traffic. We also upgraded a few switches to Gig switches and changed some topology as well. There were a few surprises along the way, which did slow things down quite a bit. We didn't get to accomplish all the goals we wanted, so there will be a phase II to this project now. But all in all, I do really enjoy taking a network from point A to point B to better the performance. I guess that sounds nerdy, but I really enjoy it.
Wednesday, February 20, 2013
The Worst Part Of Wireless
I went onsite today to do a point to point bridge for a Motorola wireless solution. I have decided that the worst part of this job is what is pictured below. This is one of my co-workers, who happens to know a lot about construction, etc. He is mounting the uni-directional antenna for the Motorola 6532 that is going in place.
Monday, February 18, 2013
Cisco ASA: Problem With Return NAT Traffic Across VPN
I found this problem very interesting today. Take a look at the packet captures below. The first capture image is traffic going across a VPN to a test remote site. The second capture image is traffic coming back to the main site. We were NAT'ing this traffic to a public IP address, and sending from an internal IP of 10.15.1.46. Notice that when the ICMP packet returns, it is destined back to a different address (10.15.1.6). It's very interesting.
Packet going across to remote site:
Traffic coming back across the VPN to the main site:
So, what caused this? Well, I thought it was some NAT issue, but as it turns out, I needed to add a statement under the global policy.
policy-map global_policy
class inspection_default
inspect icmp
Once I put the 'inspect icmp' command in, the NAT came back correct. However, as it turns out, the regular data traffic had been NAT'ing appropriately all along.
Saturday, February 16, 2013
Cisco ASA SSL VPN: Multiple Profiles
I had a customer today that needed the capability of having multiple profiles for their SSL VPN. Well, I wasn't sure that it could be done, but as it turns out, it can be. You would have to create a new profile and give it the attributes that they need, but in essence, there is a place in particular that you have to give attention to in the ASDM. Below there is a check box that allows you to use multiple profiles. I've circled it in red.
Friday, February 15, 2013
Cisco Voice Gateway: Translation Rules/Manipulating Outgoing Numbers
When I dialed out with a fax machine, I was getting 4 digits out. Meaning, on my cell phone display, it read something like '1234' instead of '205-555-1234'. So, I needed to manipulate the digits going out so that it would send 10 digits out. The Telco made me send out 10, or they wouldn't accept the call going outbound. So, what to do? Ah, voice translation! Here is a config of how to do that. I'm basically taking my 4 digit extensions from my fax machines and making them report 10 digits on the PRI so that the Telco will accept the call and forward it on out to its destination. If I left it at 4, they would drop the call. What a pain, but here is how to overcome it.
voice translation-rule 2
rule 1 /^\(....\)$/ /205555\1/
voice translation-profile outbound_calls
translate calling 2
translation-profile outgoing outbound_calls
Sample_2911#config t
Enter configuration commands, one per line. End with CNTL/Z.
Sample_2911(config)#voice translation-rule 2
Sample_2911(cfg-translation-rule)# rule 1 /^\(....\)$/ /205555\1/
Sample_2911(cfg-translation-rule)#voice translation-profile outbound_calls
Sample_2911(cfg-translation-profile)# translate calling 2
Sample_2911(cfg-translation-profile)#exit
Sample_2911(config)#dial-peer voice 1003 pots
Sample_2911(config-dial-peer)#translation-profile outgoing outbound_calls
Sample_2911(config-dial-peer)#exit
Sample_2911(config)#exit
Sample_2911#wr mem
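To see exactly what the rule above does to a calling number before putting it on a gateway, here is an added Python example (not from the post or from Cisco) that reads the `rule 1 ...` line from the config text, converts Cisco's sed-like match syntax (a POSIX basic regex, where `\(` and `\)` delimit the capture group and `\1` refers back to it) into a Python regex, and applies it the way the gateway does: first matching rule wins, and a number that matches no rule passes through unchanged.

```python
import re

# The translation-rule stanza from the post, kept in Cisco's own syntax.
CONFIG = r"""
voice translation-rule 2
 rule 1 /^\(....\)$/ /205555\1/
"""

RULE_LINE = re.compile(r"^\s*rule\s+(\d+)\s+(/[^/]*/)\s+(/[^/]*/)\s*$")


def parse_rules(config):
    """Return [(rule_number, match_pattern, replace_pattern)] in config order."""
    rules = []
    for line in config.splitlines():
        m = RULE_LINE.match(line)
        if m:
            rules.append((int(m.group(1)), m.group(2), m.group(3)))
    return rules


def _bre_to_python(pattern):
    # In a POSIX basic regex an escaped parenthesis opens/closes a group and a bare
    # parenthesis is a literal; Python's re has it the other way round, so swap them.
    # Other BRE/ERE differences are not needed for the rule on this page.
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern) and pattern[i + 1] in "()":
            out.append(pattern[i + 1])
            i += 2
        elif ch in "()":
            out.append("\\" + ch)
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def translate(number, rules):
    """Apply the first rule whose match pattern hits the number (first match wins,
    as on the gateway); return the number unchanged when no rule matches."""
    for _num, match, replace in rules:
        pattern = _bre_to_python(match[1:-1])       # strip the / delimiters
        if re.search(pattern, number):
            return re.sub(pattern, replace[1:-1], number, count=1)
    return number


if __name__ == "__main__":
    rules = parse_rules(CONFIG)
    for calling in ("1234", "2055551234", "123"):
        print(f"{calling} -> {translate(calling, rules)}")
```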
Thursday, February 14, 2013
Brocade Is Coming On Strong These Days
I spoke recently via email with an IT services engineer in Kansas named Brian. Looks like he is knee deep in Brocade wireless and switching gear. Good job on a successful Brocade install Brian. I really enjoy meeting new people around the world. If any of you want to ever just introduce yourself via email, that always makes me happy. I hope you all have a good day.
Wednesday, February 13, 2013
Cisco Voice H323 Gateway: Stripping The '9' Off The Dialed Phone Number
Have you ever needed to strip the '9' off the number dialed that goes out a PRI, and you needed to do that on the voice gateway? Well, I have. Below is a Cisco H323 gateway where I had to strip the 9 off the 10 digit number. Yes, I could have done it in the CUCM, but in this case, I needed to do something specific and 'had' to strip the 9 at the gateway instead. Here is how I did that.
dial-peer voice 28 pots
destination-pattern 918665554444 <----------- Notice there are 12 digits
port 0/0/0:23 <----------- Goes out my PRI
forward-digits 11 <----------- Where the magic happens. Notice it says forward 11 digits!
So by forwarding the 11 rightmost digits, we strip off the 9 this way. It works well if you need to do this on the gateway.
Friday, February 8, 2013
Encryption: AES vs 3DES
I have the belief that we should be using the strongest encryption we possibly can. I understand that some encryption schemes have not been broken as of yet, but I still prefer higher security for my customers. If you were my customer, wouldn't that make sense to you? It does to me. More security is always best in my opinion. And, in the case of AES vs 3DES, AES is much faster as well. In fact, AES-192 and AES-256 are much faster than 3DES.
I run into this question when setting up new VPNs for customers. I occasionally find that someone wants to use 3DES instead of AES. I will usually ask them to use AES-256 instead. Isn't your data worth securing? I think it is.
Thursday, February 7, 2013
Cisco ASA: "Show Crypto Ipsec SA Peer" Command - Verifying Two Way Traffic
How do you know if VPN traffic is going across and back or not? Well, here is how you do that on a Cisco ASA. If you look at the example below, circled in red, you will see encrypt and decrypt. Encrypt is your ASA encrypting traffic going across to the remote side. Decrypt is traffic being decrypted coming back from the remote side. If you see your encrypt numbers going up, and decrypt numbers staying the same, then you know you are getting across, but nothing is coming back. If you see your decrypt numbers going up, but your encrypt numbers staying the same, then you know that you are getting traffic from the remote side, but not sending anything back. You need to see both numbers going up to know you have two way traffic.
Notice the command "show crypto ipsec sa peer 5.5.5.5". That shows you the following Phase II information (shortened for brevity).
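The comparison described above, as an added Python example (not from the post or from Cisco): two snapshots of the `#pkts encrypt` / `#pkts decrypt` counter lines that `show crypto ipsec sa peer <ip>` prints are constructed inline, a few seconds apart, and the code classifies the tunnel as two-way, outbound-only, inbound-only or idle from how the counters moved; it also flags the case where a counter went backwards, which means the SA was rekeyed or cleared between snapshots and the deltas mean nothing.

```python
import re

# Constructed snapshots of the per-SA counter lines from `show crypto ipsec sa`
# (only the lines this check reads). Between T0 and T1 encrypt keeps climbing while
# decrypt stands still: we are sending to the peer but nothing is coming back.
SNAPSHOT_T0 = """\
    #pkts encaps: 1200, #pkts encrypt: 1200, #pkts digest: 1200
    #pkts decaps: 950, #pkts decrypt: 950, #pkts verify: 950
"""
SNAPSHOT_T1 = """\
    #pkts encaps: 1260, #pkts encrypt: 1260, #pkts digest: 1260
    #pkts decaps: 950, #pkts decrypt: 950, #pkts verify: 950
"""
# A later snapshot where both directions moved: healthy two-way traffic.
SNAPSHOT_T2 = """\
    #pkts encaps: 1300, #pkts encrypt: 1300, #pkts digest: 1300
    #pkts decaps: 1010, #pkts decrypt: 1010, #pkts verify: 1010
"""

COUNTER = re.compile(r"#pkts (encrypt|decrypt): (\d+)")


def parse_counters(text):
    """Sum the encrypt and decrypt packet counters over every SA in the output,
    so a peer with several SAs (or an SA pair mid-rekey) is counted as a whole."""
    totals = {"encrypt": 0, "decrypt": 0}
    for name, value in COUNTER.findall(text):
        totals[name] += int(value)
    return totals


def diagnose(before, after):
    """Classify traffic direction from the change in counters between two snapshots.

    verdict is one of: two-way, outbound-only, inbound-only, idle, reset.
    """
    b, a = parse_counters(before), parse_counters(after)
    d_enc = a["encrypt"] - b["encrypt"]
    d_dec = a["decrypt"] - b["decrypt"]
    if d_enc < 0 or d_dec < 0:
        verdict = "reset"          # SA rekeyed/cleared between snapshots; sample again
    elif d_enc and d_dec:
        verdict = "two-way"
    elif d_enc:
        verdict = "outbound-only"  # encrypting toward the peer, nothing decrypted back
    elif d_dec:
        verdict = "inbound-only"   # decrypting from the peer, nothing sent back
    else:
        verdict = "idle"
    return {"encrypt_delta": d_enc, "decrypt_delta": d_dec, "verdict": verdict}


if __name__ == "__main__":
    print(diagnose(SNAPSHOT_T0, SNAPSHOT_T1))
    print(diagnose(SNAPSHOT_T1, SNAPSHOT_T2))
```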
Tuesday, February 5, 2013
Testing Outside At The Telco Box For Dial Tone
Monday, February 4, 2013
Google Search Tip
So something that I didn't realize until the other day is that when you do a search on Google (and probably any other search site), you can tell the search engine to exclude certain words by putting a minus sign ( - ) in front of the word you don't want it to find. For example, I was doing a search on HUDlite and Trixbox, but I did NOT want Fonality to show up (since they seem to only want to sell you something instead of tell you anything, from my personal experience). All that would show up when I did a search on HUDlite and Trixbox was Fonality sites. Well, for fun, I put a minus sign in front of Fonality in my search ( -fonality ) and what do you know. It took out all Fonality site listings. Just what I needed.
Just thought I'd put in a quick search tip. I didn't realize this until the other day.
Sunday, February 3, 2013
Brocade vs Cisco: Hardware Specs Comparison
I just put together a spreadsheet for the Clear Winds sales team on a comparison between Cisco 3750-X switches and below, as opposed to Brocade ICX 6610 switches and below. When you are comparing apples to apples (and you should), Brocade always seems to win from my perspective.
Here are the apples to apples comparisons:
Cisco 3750-X compares to a Brocade ICX 6610
Cisco 3750G/3560-X compares to a Brocade FCX series/ICX 6610
Cisco 2960-S compares to a Brocade ICX 6450
Note that there will be a difference between 24 and 48 port switching hardware.
Now, with that said, I do mean in hardware specs only. Cisco certainly has more feature-rich capabilities. You should always determine if you need those features or not before going with Brocade. For example, object tracking.
If you decide you are truly doing a hardware comparison and want to have a copy of the spreadsheet I created, you can send me an email and I can give you a copy. It's not entirely complete, but it's enough to see the hardware differences. And hey, if you do email me looking for it, please ask for it nicely. I don't typically respond well to demands like I've had in the past. You can email me at shane.killen@gmail.com. Thanks.
Saturday, February 2, 2013
Random Funny Things To Me
A few things around that I thought were funny.
Below, I'm trying to figure out what '99 cent General Happy Price' is. Nothing in that store was 99 cents!
This sign is on our main interstate down the middle of the state. It's a little lacking on the relationship side of Christianity. It says "Go to church, or the devil will get you".
I took a pistol class not long ago. It was about gun safety, etc. Apparently, the safety part didn't take with some folks! Never point a gun at anyone, unless you are about to use it. I don't think the person got the message.
Friday, February 1, 2013
Cisco ASA: Radius Authentication Using LDAP For Remote-Access VPN Users
Yesterday I integrated a company's remote-access VPN users from a local database on their Cisco ASA to using RADIUS authentication via LDAP. I really like this solution for several reasons. One password for each user instead of two, logging of who logs in and out via VPN, etc. I used IAS on a Microsoft 2003 server. It's free and works great. There is some configuration on the Microsoft server, but I wanted to concentrate on the ASA configuration. I'll assume that you have remote-access already set up on your ASA. I think I've covered it extensively already on this site. So here is what I did on the ASA for the integration with Active Directory.
tunnel-group testusergroup general-attributes
address-pool remote-access-pool
authentication-server-group LDAP_SRV_GRP
default-group-policy testusergroup
aaa-server LDAP_SRV_GRP protocol ldap
aaa-server LDAP_SRV_GRP (inside) host 192.168.1.2
server-port 389
ldap-base-dn dc=test, dc=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password ADpassword
ldap-login-dn skillen@test.com
server-type microsoft