WING5 CLI Tip: Running config at-a-glance

Often you have to deal with existing AP/Controller and need to understand what’s configured on it. Of course, you can click 100500 times in the GUI all over the place, or read through 20+ pages of “show run” output (those who’ve been to my WING5 training should remember the little space-bar-thrashing exercise). For instance, the full config dump for the WING5 class is about 21KB ~= 29 pages.

Or you can do this to quickly :

mywing5device>sh run | include ^\\w

and get this:

version 2.1
ip access-list BROADCAST-MULTICAST-CONTROL
ip access-list fw-acl-full
ip access-list fw-acl-limited
ip access-list fw-acl-verylimited
mac access-list 12-block-mint
mac access-list PERMIT-ARP-AND-IPv4
mac access-list l2-block-mint
firewall-policy default
firewall-policy lab-fw-wips
role-policy lab-rolepol
mint-policy global-default
wlan-qos-policy default
radio-qos-policy default
aaa-policy lab-aaapol
captive-portal lab-hotspot
wlan ADSP-TRG
wlan team6-eap
wlan team6-hotspot
wlan team6-psk1
wlan team6-psk2
smart-rf-policy lab-smartrf
wips-policy lab-wips-basic
advanced-wips-policy lab-wips-adv
auto-provisioning-policy lab-autopolicy
radius-group radgroup-fullusers
radius-group radgrp-hotspot
radius-user-pool-policy lab-radpool
radius-server-policy lab-radius
dhcp-server-policy ADSPLAB
dhcp-server-policy RFS2
management-policy default
management-policy lab-mgmt
l2tpv3 policy default
profile rfs4000 default-rfs4000
profile rfs4000 lab-rfs4000
profile ap71xx lab-7131
profile ap650 default-ap650
profile ap650 lab-ap650
profile ap6521 lab-6521
profile ap621 lab-621
rf-domain default
rf-domain lab-rfdomain
rfs4000 5C-0E-8B-1B-9B-44
ap650 5C-0E-8B-98-C5-44
ap6521 5C-0E-8B-E8-31-68
ap621 5C-0E-8B-97-C2-48
ap621 5C-0E-8B-97-DA-AA

Now you can see all the configured rf-domains, profiles, policies, ACLs, WLANs, devices etc in a nice quick overview.

Since WiNG5 controller contains the configuration for the entire network this thing can be very helpful – try fishing this out of the full dump when you have several hundred sites and thousands of devices!

<IMHO>Overall, the way the distributed configuration and reporting is implemented in WiNG5, and how many cool shortcuts and features are available for mass management/deployment/troubleshooting, deserves a dedicated series of articles. After I really don’t want to go back to previous generation UIs</IMHO>

So, what really happened?

show runโ€ฆ |include <regexp> only shows lines that include regexp.

The config (i.e. “pure” show run) looks like this (note the indentations):

! <header>
<version>
!
<section X>
 <line>
 <line>
 ..
!
<section Y>
 <line>
 <line>
 ..
!
...
!
<end>

Thus, essentially, we need to only show the lines that don’t have space or ‘!’ at the beginning to get all the section names. Alternatively, we could just say, that the line should begin with a letter.

The regexp for “letter” is ‘\w‘. The regexp for “line begins with” is ‘^‘. Thus we get ‘^\w‘ –ย  “begins with a letter“. However, because we’re using a backslash in the CLI, we need to escape it with another backslash, hence ‘^\\w‘. This is it!

P.S. Two pages on text to describe a one-liner… Was there a shorter way? What do you think?

Advertisements

What is nSight?

One of the three key highlight of WiNG 5.8 release is nSight – a new WLAN monitoring, visualization and troubleshooting support solution. I am currently demonstrating nSight as part on our WLN2018 next-gen WING5 class, and students seem to like it a lot. This post briefly outlines the key high-level ideas behind nSight. I’m planning on posting something more detailed after WiNG 5.8.1 is released with more nSight enhancements.

What is it really?

A long time ago wise folks making AirDefence WIPS thought “Hey, we’re already gathering hundreds of WLAN stats to monitor security, can we use them for troubleshooting?” This is how AirDefense Network Assurance came to life. Over the years even more features were added and AirDefense WIPS evolved into AirDefense Services Platform (ADSP).

It turned out, however, that real-time performance monitoring and analysis puts much higher strain on platform internals. ADSP WIPS works well for huge networks (10 000s of APs), but with Network Assurance we started running into scaling issues. Instead of rewriting the whole ADSP from scratch (which still works well as WIPS), the decision was made to port the Network Assurance functionality to WiNG5 and integrate it even tighter. This is how nSight came to be.

Now, Engineering says that we have an insanely scalable engine with some interesting features such as automatic DB sync and failover across cluster, modern UI and much better scalability both in terms of the number of managed devices and adding new features. Hope so ๐Ÿ™‚

Thus, technically, nSight is an enhanced port of ADSP Network Assurance to WiNG. With greater scalability, tighter integration (and attractive HTML5 UI!), which gives us ability to develop it further. Currently, it doesn’t have 100% of ADSP NA features, but you get ~85% right now, and more will come in subsequent releases.

Realistically, though, it’s troubleshooting tool that is really useful, since it’s much more intuitive and can be used right away, unlike ADSP that required lengthy setup and muddling through the UI.

What can it do?

Here I planned to write another page or two about nSight features, but turns out there’s this 3-minute video that explains it all and shows the UI, so please take some time watching it. Just bear in mind that not everything is implemented as of initial 5.8.0 release. Marketing… I will focus on important/interesting technical details instead.

Here’s I’ll list a few things I find interesting about nSight.

  • Heatmap visualizations for quick triage. Floorplans and heatmaps are already available in WING5 w/o any extra modules (just upload the floor plan images and enable SMART RF). With nSight, however, they become much more useful for quick triage and troubleshooting. First, you can adjust the filtering values (for example, if your application requires SNR or 10dB to work, just set the “min SNR” slider to 10 and see where you might expect problems with your application). Second, many of the elements are instantly clickable for drill-down, so you don’t have to wander in the GUI finding that specific stat for that specific client.
    Click on the picture below for a view of current nSight visualization filters. Some of these checkboxes hide dialogs with further selections. Selecting some options grays out others, takes a minute to sort things out the first time.

nSight visualization filters

  • DPI integration for Application-level visibility and control. DPI and AVC (Deep Packet Inspection, Application Visibility and Control) are another big highlight of WiNG5.8 release (deserving a post on their own). However, “plain” WING5 can only store stats for 24hrs and those stats are not really aggregated (well, that’s a lot of stats). With nSight your options are much broader. Now you can find out things like Top 10 Apps utilizing your network, or clients by app, etc. Time to see how much time those BYOD devices spend doing real work, and who’s hogging your bandwidth (and AVC feature allows you to apply proper traffic engineering to it) ๐Ÿ™‚
    Click on a picture below for a larger view of a sample.

nSight DPI

  • Ease of configuration and Cluster support for peace of mind. nSight licenses are shared in the cluster, database is synchronized across the cluster, service will fail over automatically. All this is literally configured with 4 lines of config file.
  • Visibility scopingย  for site admins and managed services providers. Many of our partners want to run WiNG-as-a-Service (as a Managed Service Provider, MSP). While this was possible before, it wasn’t part of WiNG. The problem is that any WiNG user can see the entire network. With nSight, however, you can create users that have only access to nSight monitoring UI (not WING5 configuration UI) and only to site(s) you let them see. Thus, hosting multiple tenants on the same system, or giving site admins insight into their own locations is now possible. What’s more, you can re-use dashboards across those sites, so you save yourself quite some time and effort. Ever considered creating dashboards for non-IT users? For example, a dashboard for warehouse manager to show the overall state of WLAN, status of their WLAN devices and application server availability – all they need, but nothing more than that – and generate a daily/weekly automatic report on how great their network performs ๐Ÿ™‚nSight 01
  • Simple licensing for simple demos and pilots. nSight runs for 30 days without license – enough to play with it on your own demo VX9000 or pilot at a customer’s site. When the license expires, the data is still collected, just not displayed anymore (UI is shut down), which makes easy to move from pilot to production.

There’s more to nSight, but I think there’s already enough pages in this post. ๐Ÿ™‚

What to do next?

nSight seems to excite people who see it a lot. However, I am not a big fan on “x.0” releases, so I’d focus on being able to understand it, talk about it and demo it right now (get that demo setup running!), and be ready to implement it with customers when 5.8.1 comes out (with additional features and many “x.0 release”
restrictions lifted
). When playing with nSight yourself, ensure you can feed more than one AP into it (3-4 at least on the same site) or it will make no sense ๐Ÿ™‚

Was that useful? Write in the comments on what you want to know about nSight!

ShellShock and Motorola WLAN Equipment

A tech support article has been published on Motorola’s support portal regarding ShellShock vulnerability. A brief note:

  • APxxxx, RFSxxxx, WSxxxx, CBxxxx (existing and legacy) – NOT vulnerable, as they don’t have bash at all.
  • NXxxxx and VXxxxx – KIND OF. They have unpatched bash, but it’s not exposed through any APIs/UIs unless you already somehow get the shell (which defeats the purpose of this vulnerability). Nevertheless, “Never say never” and a patch will be released in due time just to be sure, but there’s no rush.

Source: What Motorola products are affected by Bash/Shellshock vulnerability?