Configuring Mobility with AOS-8 Level 3 v20.21 (CAM L3)

Welcome to this week's class



Please be sure you have downloaded the learner guide and lab guide as per the instructions in the email you should have received from HPE last week. If you cannot find the email, check your email history, spam folder, etc. for the keyword "OnSecure". (You can print from Kortex, but only during the first 10 days you have access; otherwise, you can view the learner guide for one year.)

    Today's Notes

    • SSID: xxx      password: see whiteboard in class
    • read this lab tips blog, it details:
      • how to set up long logout timers for console access
      • set up a known AP console password (or none for that matter)
      • using "ap-boot" on the MC console to quickly reboot your ap
      • etc...

  • In this spreadsheet, you will find the links for:
    • My Contact Details
    • Course Evaluation Link
    • Lab Access Login Details
      • Notice your name listed, you will find your table assignment
    • Lab Guide 1, 2, and the Scenario Guide
    This week's Questions/Answers

  1. What does bootdelay mean?
    • Answer
    • It is undocumented, but I am sure it is the delay time to interfere with Bootrom.
  2. What is the difference between tech-support on an MC vs. an AP?
    • Answer:
      1. Mobility Controller (show tech-support): Provides a comprehensive system-wide snapshot of the controller's health, including global configurations, clustering status, hardware resource utilization, and logs for all managed users and services.
      2. Access Point (show ap tech-support): Focuses exclusively on a single AP unit. It captures the provisioning parameters, radio health, and local debug information specific to that hardware to diagnose connectivity or RF issues. 

    Lab Notes

    • Jakarta Customized Schedule (Feb 9-11, 2026)


Day 1 - Lecture Modules & Labs

    M00: Course Introduction

    M01: Troubleshooting Overview

    M02: MM L2 vs. L3 Redundancy

    • Lab Section 1: Preparing the Lab
      • Task 1: MCR base configuration
      • Task 2: Global License Pool
    • Lab Section 2: Mobility Conductor Redundancy
      • relevant CLI commands
        • show vrrp <vrid> #show vrrp summary
        • show vrrp stats all
        • show clock 
        • show configuration pending
        • configuration purge-pending-config
        • logging system process vrrp subcat all level debugging
        • logging system process vrrp level debugging
        • logging network process fpapps level debugging
        • show log system <number> | include vrrp
        • show log network <number> 
      • Task 1: VRRP
      • Task 2: Troubleshooting VRRP
      • Task 3: Configuring Database Synchronization
      • Task 4: Troubleshooting MM Redundancy
    • Lab Section 3: Multi-controller Operations
      • Task 1: Hierarchy Group Structure
      • Task 2: Named VLANS
      • Task 3: Connect MC to MCR
      • Task 4: Troubleshooting MCR and MC Communications
        • 4.Step A Exercise #1: Part 2: Verify Connectivity

          • page 60: on MC2, both 0/0/0 and 0/0/1 might be in the forwarding state
          • check your switch spanning-tree state, you may find your switch is blocking int 1/1/23 with alternate state
          • you can proceed with lab as is
      • Task 5: Creating License Pools
      • Task 6: Secure Employee WLAN Requirements
    • Lab Section 4: AP Provisioning
      • Task 1: Provision AP1
      • Task 2: Troubleshooting AP & MC Communications
        • 2.Step B Exercise #1 Test Connectivity to AP2
        • 2.Step C Exercise #2 Remove employee VLAN X1 map from MC1
      • Task 3: Troubleshooting Client Association & Authentication (OPTIONAL)
        • 3.Step A Exercise #1: Remove employee VLAN X1 map from MC1
          • "Station Manager Logs": unable to locate unassociated clients
          • note: it is easier to locate unassociated clients using:
            • #show wms client tree | include <client-mac>
              •  here you see a list of monitoring stations and their respective RSSI to the client in question.
Monitor Eth MAC    PHY Type  MAC                ESSID              RSSI  Dur  Cnt  Class        BSSID
---------------    --------  ---                -----              ----  ---  ---  -----        -----
70:3a:0e:cd:71:62  80211A    70:4d:7b:10:9e:c1  P4-Employee6       56    1    1    valid        70:3a:0e:57:16:30
70:3a:0e:ce:1d:08  80211A    70:4d:7b:10:9e:c1  P4-Employee6       54    179  10   valid        70:3a:0e:57:16:30
        • 3.Step B Exercise #2: 802.1x Authentication Issue
        • 3.Step C Exercise #3: 802.11b mode, disabled data rates
      • Task 4: Secure AP Console
    • NOTE: on "Day 1" you should finish up to:
        • Lab Sections (1-4) must be finished before moving forward

    Day 2 - Lecture Modules & Labs

        M03: Clustering (L2 & L3 Deploy & Hitless failover)

          M04: Multizone (skipped for this delivery)

          M05: Role Derivation Process

        • Lab Section 5: Clustering
          • Task 1: Setup Clustering
            • page 135: notice your cluster nodes appear to have a communications issue
              • ISOLATED leader, SECURE-TUNNEL-NEGOTIATING
          • Task 2: Troubleshooting
        • Lab Section 6: Advanced Clustering
          • Task 1: COA
          • Task 2: Troubleshooting
        • Lab Section 7: MultiZone & Guest Access Using External Captive Portal
          • Task 1: Initialize VMC1
          • Task 2: Configure VMC1 Guest WLAN
          • Task 3: MultiZone Settings
          • Task 4: Guest Post-authentication Role
          • Task 5: Troubleshooting
        • Lab Section 8: Role Derivation & Firewall Policies
          • Task 1: Setup Employee Role
          • Task 2: Configure VMC1 Guest WLAN
            • note: see Errata for LG vol 2 task 2, Step a, Page 263
              • notice the last page of Errata for update graphic as well
          • Task 3: Configure MultiZone Settings
          • Task 4: Guest Post-authentication Role
          • Task 5: Troubleshooting

      • Note: on "Day 2":
          • Jakarta Feb 2026: Lab 5,6,8,9, and 10 must be finished before moving forward
          • Lab Sections (5 - 8) must be finished before moving forward
          • If you're fluent with Roles/Policies/Services:
            • create the role with “any any any ip permit” and move forward to save time

      Day 3 - Lecture Modules & Labs

          M06: Dynamic Segmentation

            M07: Voice & Video Optimization

            M08: Dynamic RF Management

          • Lab Section 09: Remote AP
            • Task 1: Create remployee role on VMC1
            • Task 2: REmployee WLAN on VMC1
            • Task 3: Create RPGuestX WLAN
            • Task 4: Troubleshooting
          • Lab Section 10: Dynamic Segmentation
            • Task 1: Configure Dynamic Segmentation 
            • Task 2: Troubleshooting
          • Lab Section 11: Voice & Video Optimization
            • relevant CLI commands
              • show ucc call-info cdrs    (call detail records)
              • show ucc client-info
              • show dpi application all | include alg
              • show dpi application <app-name>
            • here are some of the LAB equivalent CLI commands
            cd /md
            configure terminal
            user-role employee
               access-list session skype4b-acl position 3
               access-list session voip-applications-acl position 3
            user-role contractor
               access-list session skype4b-acl position 3
               access-list session voip-applications-acl position 3
            user-role authenticated
               access-list session skype4b-acl position 3
               access-list session voip-applications-acl position 3
               exit
            exit
            write memory
             
            • Task 1: Setup and Test OpenFlow and VoIP 
            • Task 2: Multicast Optimization
            • Task 3: Troubleshooting Voice and Video Optimization
          • Lab Section 12: Dynamic Radio Management
            • Task 1: Adjust AirMatch Schedule
            • Task 2: Enable preferred-access Shaping Policy
            • Task 3: Troubleshooting and Verification of AirMatch
        • NOTE: on "Day 3 & 4" you should finish up to:
            • pick and choose which Lab Sections you would like to work on based on the importance of that lab/section for you
            • your minimum goal should be to get at least 15 sections of the SuperLab completed in the first 4 days of this class.

        Day 4 - Lecture Modules & Labs

            M09: AirGroup

            M10: IAP VPN (skipped for this delivery)

            M11: RFProtect (skipped for this delivery)

          • Lab Section 13: AirGroup
            • Task 1: Setup and test AirGroup
          • Lab Section 14: Monitoring and Management (AirWave)
            • Task 1: MC & AP
            • Task 2: Wired Devices (AOS-CX switch)
              • page ?: Add Devices to AirWave
                • do NOT include the enable "password"
                • just leave that field blank, 8.x does not use it
            • Task 3: VisualRF
            • Task 4: Reports, Triggers and Alerts
              • note: see Errata for LG vol 2 task 4, Step c
            • Task 5: Enhanced Security
            • Task 6: Using AirWave to Troubleshoot
              • note: see Errata for LG vol 2 task 6, Exercise 1

              • Lab Section 15: Advanced AOS Features
                • Task 1: Denylisting Clients
                • Task 2: Configure EAP Termination and NPS Radius
                • Task 3: Modify Firewall Settings
            Minimum Superlab Goals Achieved
              • Lab Section 16: Spectrum Analysis
              • Lab Section 17: Air Monitor
              • Lab Section 18: IAP
                • check what code you are running on your IAP, you may need to backrev to 8.3.0.x
                • if you are running 8.4 or higher, you may need to know the serial number to login
                  • power cycle your IAP
                  • intervene with boot rom
                  • run "mfginfo" cmd and use the reported serial number as your default admin password
                    apboot> mfginfo
                    Inventory:
                    Card 0: System
                    Date Code           : 100616
                    Serial              : CNC7J0Y4XY
                    Wired MAC           : a8:bd:27:c4:c7:2a
                    Wired MAC Count     : 2
                    Radio 5G SN         : NIDFG40019D1X01
                    Radio 2G SN         : NIDEG40001C7X01
              • Lab Section 19: Guest Access using Internal Captive Portal of MC
                • Task 1: Setup Guest WLAN on Internal CP
                • Task 2: Change SSID and RF Properties, Provision AP
                • Task 3: Prevent rogue DHCP Servers on Guest WLAN
                • Task 4: Create the post-auth-guest-policy
                • Task 5: Guest Provisioning
                • Task 6: Troubleshooting

            Day 5 - Troubleshooting (10 tickets)

            • Day 5: ensure you finished at least 17 of the modules of the SuperLab, preferably all 19.
                • Once complete, move on to the Troubleshooting tickets section of the course.
                • You will have to reset your equipment to do so.
              • Ticket 1
                • note: see Errata for LG vol 3 Ticket 1, Page 14,15

                Appendix

              • Acronyms
                • EAP: Extensible Authentication Protocol
                • MC: Mobility Controller
                • MG: Mobility Gateway (MC converted to run AOS-10)
                • MCR: Mobility Conductor (formerly known as MM)
                • RTP: Real-Time Transport Protocol
                  • network protocol that delivers streaming audio or video, usually in east-west directions within a campus, between campuses, or across the internet

                  Lab Access Errata

                • when experiencing any problems with remote lab access (WebGate):
                  • be sure your browser is in private (incognito) mode
                  • restart your browser and clear your cache and cookies
                  • do not try to login unless you are 100 percent sure the login page is fully loaded (the tab favicon will look similar to an orange triangle)
