
WLAN Config via CLI – Part 3


In this post we will look at the QoS configuration of a WLAN via CLI. As you saw previously, here are the default settings.

WLAN-QoS-CLI-01

(WLC2) > config wlan ?

qos            Configures Quality of Service policy.
wmm            Configures WMM (WME).
7920-support   Configures support for phones.
media-stream   Configures Media Stream.
uapsd          Configures UAPSD.

Before changing the QoS profile of a WLAN you need to make sure the correct 802.1p value is configured for each profile. By default no 802.1p value is set in any profile (Platinum, Gold, Silver & Bronze) and therefore no QoS tags are passed onto the wired network from the controller. You are required to disable the 802.11a/b networks before configuring QoS profile values. Here are the CLI commands to configure these.

(WLC2) >config 802.11b disable network
(WLC2) >config 802.11a disable network

(WLC2) >config qos  ?

average-data-rate     Configure QoS Average Data Rate
average-realtime-rate Configure QoS Realtime Average Data Rate
burst-data-rate       Configure QoS Burst Data Rate
burst-realtime-rate   Configure QoS Realtime Burst Data Rate
description           Configure QoS Description
dot1p-tag             Configure QoS 802.1P Tag
protocol-type         Configure QoS Protocol Type

(WLC2) >config qos protocol-type platinum ?               
dot1p          QoS Protocol Type 'dot1p'
none           QoS Protocol Type 'none'

(WLC2) >config qos protocol-type platinum dot1p

(WLC2) >config qos  dot1p-tag ?             
bronze         [bronze profile]
gold           [gold profile]
platinum       [platinum profile]
silver         [silver profile]

(WLC2) >config qos  dot1p-tag platinum               
<dot1p>        802.1p Tag (0 ~ 7)

(WLC2) >config qos  dot1p-tag platinum 6

*** Here are the other QoS profile configurations ***

(WLC2) >config qos protocol-type gold dot1p
(WLC2) >config qos  dot1p-tag gold 5
(WLC2) >config qos protocol-type silver dot1p
(WLC2) >config qos dot1p-tag silver 3
(WLC2) >config qos protocol-type bronze dot1p
(WLC2) >config qos dot1p-tag bronze 0

(WLC2) >config 802.11b enable network
(WLC2) >config 802.11a enable network

Now you can assign the QoS profile to the WLAN you created.

(WLC2) >config wlan qos ?               
<WLAN id>      Enter WLAN Identifier between 1 and 512.
foreignAp      Third Party Access Points.

(WLC2) >config wlan qos 17 ?             
bronze         Bronze QoS policy
gold           Gold QoS policy
platinum       Platinum QoS policy
silver         Silver QoS policy

(WLC2) >config wlan qos 17 platinum

You can configure the WMM setting as below. If you select the “Require” option, non-WMM clients cannot associate with this WLAN. The default option is “Allow”, which permits both WMM & non-WMM clients to join, but all non-WMM clients will get the QoS setting configured under the WLAN. In my case, if I choose WMM-Allow, all traffic coming from non-WMM clients will be marked with 802.1p value 6, which is equivalent to DSCP EF on the wired side of the network.

(WLC2) >config wlan wmm ?               
allow          Allows WMM on the WLAN.
disable        Disables WMM on the WLAN.
require        Requires WMM enabled clients on the WLAN.

(WLC2) >config wlan wmm require ?          
<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan wmm require 17

If you are not using WMM & you have old 7920 phones (which are not compatible with WMM anyway) you can enable 7920-specific QoS as below. As you can see, client-cac uses the draft 802.11e QBSS IE, so you cannot configure WMM & this feature together. Those are mutually exclusive.

(WLC2) >config wlan 7920-support ?               
ap-cac-limit   Supports phones that expect the Cisco Vendor-Specific IE.
client-cac-limit Supports phones that expect the IEEE 802.11e Draft 6 QBSS-Load IE.

(WLC2) >config wlan 7920-support ap-cac-limit ?              
enable         Supports phones that expect the Cisco Vendor-Specific IE.
disable        Supports phones that expect the Cisco Vendor-Specific IE 

(WLC2) >config wlan 7920-support client-cac-limit        
enable         Supports phones that expect the IEEE 802.11e Draft 6 QBSS-Load IE.
disable        Supports phones that expect the IEEE 802.11e Draft 6 QBSS-Load IE.

If you need to enable U-APSD (Unscheduled Auto Power Save Delivery) support when you enable WMM, you have to configure it as below.

(WLC2) >config wlan uapsd ?           
compliant-client Configures UAPSD Compliant Client support.

(WLC2) >config wlan uapsd compliant-client ?             
disable        Disables UAPSD Compliant Client support on the WLAN.
enable         Enables UAPSD Compliant Client support on the WLAN.

(WLC2) >config wlan uapsd compliant-client enable ?             
<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan uapsd compliant-client enable 17

If you have configured the video stream feature on the controller and you need to enable it on this WLAN, you can use the “config wlan media-stream” CLI command as shown below. If you haven’t configured a video stream, this command will not be accepted.

(WLC2) >config wlan media-stream ?                           
multicast-direct Configures Multicast-direct for WLAN

(WLC2) >config wlan media-stream multicast-direct ?             
<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan media-stream multicast-direct 17 ?            
enable         Enables Multicast-direct on the WLAN
disable        Disables Multicast-direct on the WLAN.

(WLC2) >config wlan media-stream multicast-direct 17 enable

So finally, here is what your WLAN QoS section looks like in the GUI.

WLAN-QoS-CLI-02

Here are the corresponding CLI commands to achieve the above:

config wlan qos 17 platinum 
config wlan wmm require 17 
config wlan uapsd compliant-client enable 17 
config wlan media-stream multicast-direct 17 enable 

You can verify your configuration using the “show wlan 17” CLI command.

(4402-c) >show wlan 17
WLAN Identifier.................................. 17
Profile Name..................................... Test-17
Network Name (SSID).............................. Test-17
Status........................................... Disabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control
  Radius-NAC State............................... Disabled
  SNMP-NAC State................................. Disabled
  Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Number of Active Clients......................... 0
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 1800 seconds
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ management
Multicast Interface.............................. Not Configured
WLAN ACL......................................... unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
Quality of Service............................... Platinum (voice)
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Required
WMM UAPSD Compliant Client Support............... Enabled
Media Stream Multicast-direct.................... Enabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... 802.1P (Tag=6)
IPv6 Support..................................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
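Reading the dotted output by eye is error-prone, so here is an added Python example (not from the original post) that parses the `show wlan` format into a dictionary, extracts the wired 802.1p tag and checks the QoS section against the values configured in this post. The sample output is a constructed excerpt of the listing above, and the expected-value table is an assumption for a voice WLAN.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: an excerpt of the "show wlan 17" output above, in the
# controller's dotted-leader format (key.......... value). Section headings
# such as "Network Admission Control" have no leader and no value.
SAMPLE_SHOW_WLAN = """\
WLAN Identifier.................................. 17
Profile Name..................................... Test-17
Status........................................... Disabled
Network Admission Control
  Radius-NAC State............................... Disabled
  Quarantine VLAN................................ 0
Quality of Service............................... Platinum (voice)
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Required
WMM UAPSD Compliant Client Support............... Enabled
Media Stream Multicast-direct.................... Enabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... 802.1P (Tag=6)
Radius Servers
"""

# key, at least two leader dots, optional spaces, value (possibly empty)
LINE_RE = re.compile(r"^(?P<indent>\s*)(?P<key>.+?)\.{2,}\s*(?P<value>.*)$")


def parse_show_wlan(text: str) -> Dict[str, str]:
    """Parse dotted-leader 'show wlan' output into a flat key -> value map.

    Indented sub-items are prefixed with their section heading
    ('Network Admission Control/Radius-NAC State'); a heading with no
    leader and no value ('Radius Servers') becomes a key with value ''.
    """
    fields: Dict[str, str] = {}
    section: Optional[str] = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = LINE_RE.match(raw)
        if m is None:                       # heading line, opens a section
            section = raw.strip()
            fields[section] = ""
            continue
        key = m.group("key").strip()
        if m.group("indent") and section:   # sub-item of the current section
            key = f"{section}/{key}"
        else:
            section = None                  # back at top level
        fields[key] = m.group("value").strip()
    return fields


def wired_dot1p_tag(fields: Dict[str, str]) -> Optional[int]:
    """802.1p tag the controller puts on wired frames for this WLAN, or None
    when the QoS profile's protocol-type is 'none' (the default, in which
    case nothing is tagged on the wire)."""
    m = re.search(r"Tag=(\d)", fields.get("Wired Protocol", ""))
    return int(m.group(1)) if m else None


# Assumed target for a voice WLAN after the steps above: Platinum profile,
# WMM required, U-APSD on, multicast-direct on, 802.1p tag 6 on the wire.
VOICE_WLAN_EXPECTED = {
    "Quality of Service": "Platinum (voice)",
    "WMM": "Required",
    "WMM UAPSD Compliant Client Support": "Enabled",
    "Media Stream Multicast-direct": "Enabled",
    "Wired Protocol": "802.1P (Tag=6)",
}


def audit_qos(fields: Dict[str, str],
              expected: Dict[str, str] = VOICE_WLAN_EXPECTED
              ) -> List[Tuple[str, str, Optional[str]]]:
    """Return (field, expected, actual) for every mismatch; empty = compliant.
    Also flags 7920 phone mode enabled while WMM is on, since the post notes
    the two are mutually exclusive."""
    issues = [(k, v, fields.get(k)) for k, v in expected.items() if fields.get(k) != v]
    if (fields.get("Dot11-Phone Mode (7920)", "Disabled") != "Disabled"
            and fields.get("WMM") != "Disabled"):
        issues.append(("Dot11-Phone Mode (7920)", "Disabled while WMM is on",
                       fields.get("Dot11-Phone Mode (7920)")))
    return issues


if __name__ == "__main__":
    parsed = parse_show_wlan(SAMPLE_SHOW_WLAN)
    print("wired 802.1p tag:", wired_dot1p_tag(parsed))
    print("QoS mismatches:", audit_qos(parsed) or "none")
```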

In the next post we will see how to configure security-specific settings via CLI.

Related Posts

1. Configuring WLAN via CLI – Part 1
2. Configuring WLAN via CLI – Part 2
3. Configuring WLAN via CLI – Part 4
4. Configuring WLAN via CLI – Part 5



WLAN Config via CLI – Part 4


In this post we will see how to configure WLAN security settings via CLI. Here are the security-related options of the “config wlan” CLI command.

security       Configures the security policy for a WLAN.

webauth-exclude Enable/Disable WebAuth Exclusion
custom-web     Configures the Web Authentication Page per Profile.

radius_server  Configures the WLAN's RADIUS Servers.
ldap           Configures the WLAN's LDAP servers.
local-auth     Configures Local EAP Authentication.
mac-filtering  Configures MAC filtering on a WLAN.

If you want to configure Layer 2 security settings you can use the following CLI options. Let’s say you want to enable WPA2/AES with a Pre-Shared Key.

(4402-c) >config wlan security ?              
802.1X         Configures 802.1X.
cond-web-redir Configured Conditional Web Redirect.
passthru       Configures IPSec passthru.
splash-page-web-redir Configured Splash-Page Web Redirect.
static-wep-key Configures static WEP keys on a WLAN.
web-auth       Configures Web authentication.
web-passthrough Configures Web Captive Portal with no authentication required.
wpa            Configures WPA/WPA2 Support for a WLAN             
ckip           Configures CKIP Security on WLAN.            
tkip           Configures TKIP MIC countermeasures hold-down timer (0-60 seconds)

(4402-c) >config wlan security wpa ?             
akm            Configures Auth Key Management
disable        Disables WPA/WPA2 Support for a WLAN
enable         Enables WPA/WPA2 Support for a WLAN
wpa1           Configures WPA support
wpa2           Configures WPA2 support

(4402-c) >config wlan security wpa wpa2                
ciphers        Configures WPA2 ciphers
disable        Disables WPA2 support
enable         Enables WPA2 support

(4402-c) >config wlan security wpa wpa2 ciphers ?           
aes            Configures WPA2/AES support
tkip           Configures WPA2/TKIP support

(4402-c) >config wlan security wpa wpa2 ciphers aes               
disable        Disables WPA2/AES support
enable         Enables WPA2/AES support

(4402-c) >config wlan security wpa wpa2 ciphers aes enable 17

(4402-c) >config wlan security wpa akm ?              
802.1x         Configures 802.1x support
cckm           Configures CCKM support
ft             Configures 802.11r fast transition 802.1x support
psk            Configures PSK support

(4402-c) >config wlan security wpa akm psk ?               
disable        Disables PSK support
enable         Enables PSK support
set-key        Configures the pre-shared-key

(4402-c) >config wlan security wpa akm psk set-key ?               
<ascii/hex>    Specificies for key format (ascii or hex)

(4402-c) >config wlan security wpa akm psk set-key ascii ?               
<psk>          Enter the pre-shared-key (PSK)

(4402-c) >config wlan security wpa akm psk set-key ascii Cisco123 ?               
<WLAN id>      Enter WLAN Identifier between 1 and 512.

(4402-c) >config wlan security wpa akm psk set-key ascii Cisco123 17

The above settings are identical to what you see in the screen below.

WLAN-SEC-CLI-02

Now let’s say you want to create a WLAN with no Layer 2 security & only Layer 3 web auth. Let’s create a WLAN called guest with WLAN ID 18 & assign it to the AP group (mrn-apgroup) created earlier. You can practise this via CLI; enter the following commands to do this.

(WLC2) >config wlan create 18 guest guest
(WLC2) >config wlan radio 18 802.11a-only
(WLC2) >config wlan interface 18 vlan12
(WLC2) >config wlan qos 18 bronze
(WLC2) >config wlan apgroup interface-mapping add mrn-apgroup 18 vlan12

Now let’s change the security settings of this WLAN. We will use Web Passthrough with Email Input as the web auth method.

(WLC2) >config wlan security wpa ?              
akm            Configures Auth Key Management
disable        Disables WPA/WPA2 Support for a WLAN
enable         Enables WPA/WPA2 Support for a WLAN
wpa1           Configures WPA support
wpa2           Configures WPA2 support

(WLC2) >config wlan security wpa disable ?              
<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan security wpa disable 18 

(WLC2) >config wlan security ?
802.1X         Configures 802.1X.
cond-web-redir Configured Conditional Web Redirect.
passthru       Configures IPSec passthru.
splash-page-web-redir Configured Splash-Page Web Redirect.
static-wep-key Configures static WEP keys on a WLAN.
web-auth       Configures Web authentication.
web-passthrough Configures Web Captive Portal with no authentication required.
wpa            Configures WPA/WPA2 Support for a WLAN              
ckip           Configures CKIP Security on WLAN.                
tkip           Configures TKIP MIC countermeasures hold-down timer (0-60 seconds)              

(WLC2) >config wlan security web-passthrough ?               
acl            Configures Access Control List.
disable        Disables Web Captive Portal with no authentication required.
email-input    Configures Web Captive Portal using email address.
enable         Enables Web Captive Portal with no authentication required.

(WLC2) >config wlan security web-passthrough enable 18

(WLC2) >config wlan security web-passthrough email-input ?             
enable         Enables Web Captive Portal using email address.
disable        Disables Web Captive Portal using email address.

(WLC2) >config wlan security web-passthrough email-input enable  18

Now your Guest WLAN is ready from the security perspective. If you look at the WLC configuration you will see the following. The two config lines in purple were added automatically once you disabled WPA, as those settings are enabled by default when you create a WLAN.

config wlan security wpa disable 18
config wlan security wpa wpa2 disable 18 
config wlan security wpa akm 802.1x disable 18 
config wlan security web-passthrough enable 18
config wlan security web-passthrough email-input enable 18

This is the identical GUI setting for the above scenario.

WLAN-SEC-CLI-03

If you want to configure this Guest WLAN for Web Authentication instead of Web Passthrough you can do so as follows. First you have to disable the web passthrough you enabled in the previous task. You also have to configure RADIUS authentication on the WLAN if your user credentials are verified via RADIUS.

(WLC2) >config wlan security web-passthrough disable 18
(WLC2) >config wlan security web-passthrough email-input disable 18

(WLC2) >config wlan security web-auth ?              
acl            Configures Access Control List.
disable        Disables Web authentication.
enable         Enables Web authentication.
on-macfilter-failure  Enables Web authentication on MAC filter failure.
server-precedence Configures the authentication server precedence order for Web-Auth users.

(WLC2) >config wlan security web-auth enable 18

(WLC2) >config wlan radius_server auth ?               
add            Adds a link to a configured RADIUS Server.
delete         Deletes a link to a configured RADIUS Server.
disable        Disable RADIUS authentication for this WLAN
enable         Enable RADIUS authentication for this WLAN

(WLC2) >config wlan radius_server auth enable ?               
<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan radius_server auth enable 18

(WLC2) >config wlan radius_server auth add ?                   
<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan radius_server auth add 18 ?              
<Server id>    Enter the RADIUS Server Index.

(WLC2) >config wlan radius_server auth add 18 1

In the GUI you will see something like this once you have configured the above on the CLI.

WLAN-SEC-CLI-04

WLAN-SEC-CLI-05

In the next post we will see how to configure WLAN advanced settings via CLI.

Related Posts

1. Configuring WLAN via CLI – Part 1
2. Configuring WLAN via CLI – Part 2
3. Configuring WLAN via CLI – Part 3
4. Configuring WLAN via CLI – Part 5


WLAN Config via CLI – Part 5


In this post we will look at the WLAN Advanced tab configurations via CLI. Here is the full list of features. I know this will be the longest post in my blog :shock: as I have to cover all these features.

(WLC2) > config wlan ?
aaa-override   Configures user policy override via AAA on a WLAN.
chd            Enable/Disable CHD per WLAN
session-timeout Configures client timeout.
ccx            Configure Cisco Client Extension options.
diag-channel   Configures Diagnostics Channel Capability on a WLAN.
IPv6Support    Configures IPv6 support on a WLAN.
acl            Specify a per-WLAN ACL
peer-blocking  Configure peer-to-peer blocking on a WLAN.
exclusionlist  Configures Exclusion-list timeout.
channel-scan   Configures off channel scanning deferral parameters.
h-reap         Configures H-REAP options for wlan.
dhcp_server    Configures the WLAN's DHCP Server.
static-ip      Configures static IP client tunneling support on a WLAN.
mfp            Configures Management Frame Protection.
dtim           Configures the DTIM Period for a WLAN
nac            Configures NAC on wlan/guest-lan/remote-lan.
load-balance   Allow|Disallow Load Balance on a WLAN.
band-select    Allow|Disallow Band Select on a WLAN.
call-snoop     Configures Call Snooping.
sip-cac        Configure SIP CAC Failure policy.
roamed-voice-client Configure Voice Client Re-Anchor policy

We will create a new WLAN called “Test-19” with WLAN ID 19 with the following basic settings:

- 802.11a only clients
- Gold QoS profile
- WPA2/AES (to support 802.11n data rates)
- Multicast direct feature
- PSK
- UAPSD support

So the basic CLI commands you require are as follows.

(WLC2) >config wlan create 19 Test-19 Test-19  
(WLC2) >config wlan radio 19 802.11a-only
(WLC2) >config wlan interface 19 vlan11
(WLC2) >config wlan multicast interface 19 enable vlan11             
(WLC2) >config wlan security wpa wpa2 ciphers aes enable 19
(WLC2) >config wlan qos 19 gold 
(WLC2) >config wlan wmm require 19
(WLC2) >config wlan uapsd compliant-client enable 19
(WLC2) >config wlan security wpa akm psk set-key ascii Cisco123 19

Before going into the Advanced tab configuration you can take a backup of the WLC config & verify the above & any additional configs related to your WLAN.

config wlan security wpa akm psk enable 19 
config wlan security wpa akm 802.1x disable 19 
config wlan security wpa enable 19 
config wlan wmm require 19 
config wlan exclusionlist 19 60 
config wlan broadcast-ssid enable 19 
config wlan interface 19 vlan11 
config wlan create 19 Test-19 Test-19 
config wlan qos 19 gold 
config wlan radio 19 802.11a-only 
config wlan radio 19 802.11a 
config wlan session-timeout 19 0
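As an added example (not part of the original post or of Cisco's tooling), the following Python audits a config backup like the one above: it groups `config wlan` lines by WLAN ID, derives the Layer 2/Layer 3 security posture (covering the guest WLAN 18 from Part 4 as well as WLAN 19 here) and pre-checks the session timeout against the range table the controller prints in step 3 below. The config lines are a constructed sample based on the listings in Parts 4 and 5; the set of modelled features and the finding texts are this example's own assumptions.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample of WLC running-config lines in the form the controller
# prints them: guest WLAN 18 from Part 4 (WPA disabled, web passthrough) and
# the WPA2/AES-PSK WLAN 19 created above. The 86400 s session timeout on
# WLAN 19 is deliberately the value the WLC rejects in step 3 below.
SAMPLE_CONFIG = """\
config wlan security wpa disable 18
config wlan security wpa wpa2 disable 18
config wlan security wpa akm 802.1x disable 18
config wlan security web-passthrough enable 18
config wlan security web-passthrough email-input enable 18
config wlan qos 18 bronze
config wlan security wpa akm psk enable 19
config wlan security wpa akm 802.1x disable 19
config wlan security wpa enable 19
config wlan security wpa wpa2 ciphers aes enable 19
config wlan wmm require 19
config wlan exclusionlist 19 60
config wlan qos 19 gold
config wlan session-timeout 19 86400
"""

# Where the WLAN id sits: 'security ...' and 'wmm <mode>' lines end with it,
# the other features modelled here put it right after the feature keyword.
ID_LAST = {"security", "wmm"}
ID_FIRST = {"session-timeout", "exclusionlist", "qos", "interface", "radio", "create", "chd", "acl"}

# Session-timeout ranges exactly as the controller prints them when it
# rejects a value (step 3 below), keyed by the WLC's "System Type" wording.
SESSION_TIMEOUT_RANGE = {
    "open": (0, 65535), "802.1x": (300, 86400), "wpa-psk": (0, 65535),
    "open+web auth": (0, 65535), "web pass-thru": (0, 65535),
}


def parse_config(text: str) -> Dict[int, List[Tuple[str, ...]]]:
    """Group 'config wlan ...' lines by WLAN id; each entry is the token tuple
    with 'config wlan' and the id removed, e.g. ('security', 'wpa', 'akm',
    'psk', 'enable'). Features not modelled here (dhcp_server, ...) are skipped."""
    per_wlan: Dict[int, List[Tuple[str, ...]]] = defaultdict(list)
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[:2] != ["config", "wlan"]:
            continue
        feature, rest = tokens[2], tokens[3:]
        idx = -1 if feature in ID_LAST else 0 if feature in ID_FIRST else None
        if idx is None or not rest[idx].isdigit():
            continue
        args = rest[:-1] if idx == -1 else rest[1:]
        per_wlan[int(rest[idx])].append((feature, *args))
    return dict(per_wlan)


def summarize(entries: List[Tuple[str, ...]]) -> Dict[str, object]:
    """Derive the Layer 2 / Layer 3 posture of one WLAN from its config lines
    and list the findings a reviewer of the backup would want to see."""
    has = set(entries)
    wpa_on = ("security", "wpa", "enable") in has
    ciphers = [c for c in ("aes", "tkip") if ("security", "wpa", "wpa2", "ciphers", c, "enable") in has]
    akms = [a for a in ("psk", "802.1x") if ("security", "wpa", "akm", a, "enable") in has]
    if wpa_on:
        layer2 = ("WPA2/" + "+".join(c.upper() for c in ciphers)) if ciphers else "WPA"
        layer2 += "-" + "+".join(a.upper() for a in akms) if akms else ""
        system_type = "802.1x" if "802.1x" in akms else "wpa-psk"
    else:
        layer2, system_type = "none", "open"
    if ("security", "web-passthrough", "enable") in has:
        layer3 = "web-passthrough"
        if ("security", "web-passthrough", "email-input", "enable") in has:
            layer3 += " (email-input)"
        system_type = system_type if wpa_on else "web pass-thru"
    elif ("security", "web-auth", "enable") in has:
        layer3 = "web-auth"
        system_type = system_type if wpa_on else "open+web auth"
    else:
        layer3 = "none"

    findings: List[str] = []
    if layer2 == "none" and layer3 == "none":
        findings.append("open WLAN: no Layer 2 or Layer 3 security configured")
    if layer2 == "none" and layer3.startswith("web-passthrough"):
        findings.append("web-passthrough asks for no credentials and the air link is unencrypted")
    if "tkip" in ciphers:
        findings.append("TKIP cipher enabled: deprecated, use AES only")
    timeout: Optional[int] = next((int(e[1]) for e in entries
                                   if e[0] == "session-timeout" and e[1].isdigit()), None)
    if timeout is not None:
        lo, hi = SESSION_TIMEOUT_RANGE[system_type]
        if not lo <= timeout <= hi:
            findings.append(f"session-timeout {timeout}s outside the {system_type} "
                            f"range {lo}-{hi}s; the WLC will reject it")
    return {"layer2": layer2, "layer3": layer3, "system_type": system_type,
            "session_timeout": timeout, "findings": findings}


if __name__ == "__main__":
    for wlan_id, wlan_entries in sorted(parse_config(SAMPLE_CONFIG).items()):
        print(wlan_id, summarize(wlan_entries))
```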

The Advanced config page of the WLAN looks like this.

WLAN-ADV-CLI-01

Now we will look at each individual feature configuration via CLI. It is a long list, but we will cover them all.

1. AAA Override
This allows ACS to override the client attributes (VLAN, ACL, QoS, etc.).

(WLC2) >config wlan aaa-override ?             
disable        Disables policy override.
enable         Enables policy override.

(WLC2) >config wlan aaa-override enable ?             
<WLAN id>      Enter WLAN Identifier between 1 and 512.
foreignAp      Third Party Access Points.

(WLC2) >config wlan aaa-override enable 19

2. Coverage Hole Detection(CHD)
This is enabled by default & clients can trigger power changes on the AP. Let’s disable it.

(WLC2) >config wlan chd ?              
<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan chd 19 ?               
enable         enable CHD per WLAN
disable        disable CHD per WLAN

(WLC2) >config wlan chd 19 disable 

3. Session Timeout
The session timeout is the maximum time a client session can remain active before reauthorization is required. This is enabled by default & set to 1800s (30 min). You can change this value or disable it. It is important to know that different types of security method have different maximum values. When I tried to set 1 day for my WPA2-PSK WLAN it was rejected. So we will set it to 4 hours (14400s).

(WLC2) >config wlan session-timeout ?
<WLAN id>      Enter WLAN Identifier between 1 and 512.
foreignAp      Third Party Access Points.

(WLC2) >config wlan session-timeout 19 ?
<seconds>      The duration of session in seconds (0 = infinity is true only for open system).

(WLC2) >config wlan session-timeout 19 86400 
Invalid parameter specified.
System Type              Timeout Range

Open system              0-65535   (sec)
802.1x                   300-86400 (sec)
static wep               0-65535   (sec)
cranite                  0-65535   (sec)
fortress                 0-65535   (sec)
CKIP                     0-65535   (sec)
open+web auth            0-65535   (sec)
web pass-thru            0-65535   (sec)
wpa-psk                  0-65535   (sec) 
disable                  To disable reauth/session-timeout timers.
                         Reauth is valid for non-psk and non-static cases. Session-timeout
                         is valid for all other cases.

(WLC2) >config wlan session-timeout 19 14400 

4. Aironet IE (CCX)
The Cisco Client Extensions (CCX) software is licensed to manufacturers and vendors of third-party client devices. The CCX code resident on these clients enables them to communicate wirelessly with Cisco access points and to support Cisco features that other client devices do not, including those features that are related to increased security, enhanced performance, fast roaming, and power management.

This is enabled by default. CCX support is enabled automatically for every WLAN on the controller and cannot be disabled. However, you can configure Aironet information elements (IEs).

If Aironet IE support is enabled, the access point sends an Aironet IE 0x85 (which contains the access point name, load, number of associated clients, and so on) in the beacon and probe responses of this WLAN, and the controller sends Aironet IEs 0x85 and 0x95 (which contain the management IP address of the controller and the IP address of the access point) in the reassociation response if it receives Aironet IE 0x85 in the reassociation request.

(WLC2) >config wlan ccx ?        
AironetIeSupport Configure the support of Aironet IE.

(WLC2) >config wlan ccx aironetIeSupport ?              
enable         Enable the support of Aironet IE.
disable        Disable the support of Aironet IE.

(WLC2) >config wlan ccx aironetIeSupport enable ?               
<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan ccx aironetIeSupport enable 19 ?

(WLC2) >config wlan ccx aironetIeSupport enable 19 
CCX Aironet IE Support already in the requested state.

5. Diagnostic Channel
The diagnostic channel feature enables you to troubleshoot problems with client communication on a WLAN. The client and access points can be put through a defined set of tests to identify the cause of the communication difficulties the client experiences, and then corrective measures can be taken to make the client operational on the network. Since this is only used for troubleshooting & we cannot change any settings of the diagnostic WLAN, we will leave it disabled.

(WLC2) >config wlan diag-channel ?              
disable        Disables Diagnostics Channel Capability on a WLAN.
enable         Enables Diagnostics Channel Capability on a WLAN.

(WLC2) >config wlan diag-channel disable ?              
<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan diag-channel disable 19

6. IPv6 Support
This is straightforward: it enables IPv6 support on the WLAN.

(WLC2) >config wlan ipv6Support ?               
enable         Enable IPv6 support on a WLAN.
disable        Disable IPv6 support on a WLAN.

(WLC2) >config wlan ipv6Support enable ?              
<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan ipv6Support enable 19

7. ACL override
If you want to override the interface ACL for this specific WLAN you can configure an ACL and apply it to the WLAN.

(WLC2) >config wlan acl ?             
<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan acl 19 ?               
<ACL Name>     Enter the ACL Name ('none' will clear the ACL)

(WLC2) >config wlan acl 19 none

8. Peer to Peer Blocking
This allows you to control direct client-to-client communication. On a voice WLAN we need to ensure P2P blocking is disabled (otherwise a voice conversation between two endpoints will be impacted). For this example we will enable it on this WLAN.

(WLC2) >config wlan peer-blocking ?               
disable        Disable peer-to-peer blocking on a WLAN.
drop           Enable peer-to-peer blocking and set the action to 'Drop'.
forward-upstream Enable peer-to-peer blocking and set the action to 'Forward-Upstream'.

(WLC2) >config wlan peer-blocking drop 19

9. Client Exclusion
This excludes a client for a certain number of seconds after it violates the client exclusion policy settings. By default this is enabled & a client will be excluded for 60s if it violates the configured policy. In this example we will extend that time to 300s.

(WLC2) >config wlan exclusionlist ?

<WLAN id>      Enter WLAN Identifier between 1 and 512.
foreignAp      Third Party Access Points.

(WLC2) >config wlan exclusionlist 19 ?               
<seconds>      Exclusion-list timeout (in seconds). zero (0) requires admin override.
disabled       Disables exclusion-listing.
enabled        Enables exclusion-listing.

(WLC2) >config wlan exclusionlist 19 enabled
(WLC2) >config wlan exclusionlist 19 300

10. Maximum allowed clients
This sets the maximum number of clients that can associate to this WLAN. In this example we will set it to 1000.

(WLC2) >config wlan max-associated-clients ?              
<max no. of clients> Maximum no. of client connections to be accepted

(WLC2) >config wlan max-associated-clients 1000 ?              
<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan max-associated-clients 1000 19

11. Static IP tunneling
Normally roaming won’t work for static IP wireless clients unless you enable this feature. If you want to support static IP wireless users in the WLAN roaming between different controllers, you have to enable this feature. This feature & IPv6 support cannot co-exist, so I have disabled IPv6 support on this WLAN.

(WLC2) >config wlan static-ip ?               
tunneling      Configures static IP client tunneling support on a WLAN.

(WLC2) >config wlan static-ip tunneling ?               
enable         Enable static IP client tunneling support on a WLAN.
disable        Disable static IP client tuneling support on a WLAN.

(WLC2) >config wlan static-ip tunneling enable ?              
<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan static-ip tunneling enable 19 
Static IP tunneling cannot be configured since IPv6 is enabled for wlan.

(WLC2) >config wlan ipv6Support disable 19
(WLC2) >config wlan static-ip tunneling enable 19

12. Off Channel Scanning
In deployments with certain power-save clients, you sometimes need to defer the Radio Resource Management’s (RRM) normal off-channel scanning to avoid missing critical information from low-volume clients (for example, medical devices that use power-save mode and periodically send telemetry information). This feature improves the way that Quality of Service (QoS) interacts with the RRM scan defer feature.

You can use a client’s Wi-Fi Multimedia (WMM) UP marking to configure the access point to defer off-channel scanning for a configurable period of time if it receives a packet marked UP.

You can assign a QoS policy (bronze, silver, gold, and platinum) to a WLAN to affect how packets are marked on the downlink connection from the access point regardless of how they were received on the uplink from the client. UP=1,2 is the lowest priority, and UP=0,3 is the next higher priority. The marking results of each QoS policy are as follows:

Bronze marks all downlink traffic to UP= 1.
Silver marks all downlink traffic to UP= 0.
Gold marks all downlink traffic to UP=4.
Platinum marks all downlink traffic to UP=6.

By default this feature is enabled for packets with UP 4, 5 and 6 & will defer the RRM off-channel scan for 100ms. We will enable this for UP 3 as well & increase the defer time to 200ms for all of those.

(WLC2) >config wlan channel-scan ?              
defer-priority Configures priority markings for packets that can defer off channel scan. 
defer-time     Configures minimum allowable elapsed time since a defer-priority pkt is seen.                

(WLC2) >config wlan channel-scan defer-priority ?              
<priority>     User priority value, 0-7 

(WLC2) >config wlan channel-scan defer-priority 3 ?               
disable        Disable packet at given priority to defer off channel scanning. 
enable         Enable packet at given priority to defer off channel scanning. 

(WLC2) >config wlan channel-scan defer-priority 3 enable ?               
<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan channel-scan defer-priority 3 enable 19

(WLC2) >config wlan channel-scan defer-time ?               
<msecs>        Deferral time in msecs <0-60000> 

(WLC2) >config wlan channel-scan defer-time 200 ?               
<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan channel-scan defer-time 200 19

13. H-REAP
This enables the H-REAP local switching and local authentication features on this WLAN. We will enable those features here. There are certain limitations, for example you cannot configure this when static IP tunneling is enabled. You should be familiar with these from the H-REAP configuration.

(WLC2) >config wlan h-reap ?               
ap-auth        Configures ap authentication (WLAN must be locally switched).              
learn-ipaddr   Configures IP address learning (WLAN must be locally switched).               
local-switching Configures local switching of client data associated to H-REAP.

(WLC2) >config wlan h-reap ap-auth ?              
<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan h-reap ap-auth 19 ?               
enable         Enables ap authentication.               
disable        Disables ap authentication.

(WLC2) >config wlan h-reap local-switching 19 enable
(WLC2) >config wlan h-reap ap-auth 19 enable

14. DHCP
You can override the DHCP server configured on the interface with this setting. Also, for certain types of WLAN (like guest) you can make DHCP IP assignment mandatory. Since I configured static IP tunnel support earlier I will leave this as it is. Also worth noting: this is only applicable to the default AP group, so if your WLAN ID is greater than 16 you cannot override the interface DHCP server configuration.

(WLC2) >config wlan dhcp_server ?               
<WLAN id>      Enter the WLAN ID.
foreignAp      Third Party Access Points.

(WLC2) >config wlan dhcp_server 19 ?              
<IP addr>      Enter the override DHCP server's IP Address (0.0.0.0 = default interface value).

(WLC2) >config wlan dhcp_server 19 192.168.200.1 ?               
required       Optionally specify whether DHCP address assignment is required.

(WLC2) >config wlan dhcp_server 19 192.168.200.1 required 
Cannot mandate dhcp required when Static IP tunneling is enabled.
DHCP server override is applicable only to the default AP group.

15. Management Frame Protection(MFP)
This provides protection for management frames between client & AP. You need to remember this is the Cisco implementation of MFP & not the IEEE standard version (802.11w). So if your client supports proper IEEE 802.11w it may not work with Cisco MFP. So it is better to disable this as a best practice in today’s world. By default it is set to optional.

(WLC2) >config wlan mfp ?               
client         Configures Client MFP.

(WLC2) >config wlan mfp client ?              
disable        Disables MFP protection on a WLAN.
enable         Enables MFP protection on a WLAN.

(WLC2) >config wlan mfp client enable ?               
<WLAN id>      Enter a WLAN Identifier between 1 and 512.

(WLC2) >config wlan mfp client enable 19 ?               
required       Clients must negotiate MFP

(WLC2) >config wlan mfp client enable 19 required
(WLC2) >config wlan mfp client disable 19

16. DTIM
In 802.11a/n and 802.11b/g/n networks, lightweight access points broadcast a beacon at regular intervals, which coincides with the Delivery Traffic Indication Map (DTIM). After the access point broadcasts the beacon, it transmits any buffered broadcast and multicast frames based on the value set for the DTIM period. This feature allows power-saving clients to wake up at the appropriate time if they are expecting broadcast or multicast data.

Typically, the DTIM value is set to 1 (to transmit broadcast and multicast frames after every beacon) or 2 (to transmit after every other beacon). For instance, if the beacon period of the 802.11a/n or 802.11b/g/n network is 100 ms and the DTIM value is set to 1, the access point transmits buffered broadcast and multicast frames 10 times per second. If the beacon period is 100 ms and the DTIM value is set to 2, the access point transmits buffered broadcast and multicast frames 5 times per second. Either of these settings is suitable for applications, including Voice over IP (VoIP), that expect frequent broadcast and multicast frames.

However, the DTIM value can be set as high as 255 (to transmit broadcast and multicast frames after every 255th beacon) if all 802.11a/n or 802.11b/g/n clients have power save enabled. Because the clients have to listen only when the DTIM period is reached, they can be set to listen for broadcasts and multicasts less frequently which results in a longer battery life. For example, if the beacon period is 100 ms and you set the DTIM value to 100, the access point transmits buffered broadcast and multicast frames once every 10 seconds. This rate allows the power-saving clients to sleep longer before they have to wake up and listen for broadcasts and multicasts, which results in a longer battery life.

A beacon period, which is specified in milliseconds on the controller, is converted internally by the software to 802.11 Time Units (TUs), where 1 TU = 1.024 milliseconds. On Cisco’s 802.11n access points, this value is rounded to the nearest multiple of 17 TUs. For example, a configured beacon period of 100 ms results in an actual beacon period of 104 ms.
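To see what these numbers mean for a given WLAN, here is a small timing calculator. It is an added example, not code from the post: it applies the two rules just stated (1 TU = 1.024 ms, and rounding of the beacon period to the nearest multiple of 17 TUs on Cisco 802.11n APs) and reproduces the worked figures above; the function names are my own.

```python
"""Beacon/DTIM timing calculator: an added example, not code from the post.
It applies the rules above (1 TU = 1.024 ms; Cisco 802.11n APs round the beacon
period to the nearest multiple of 17 TUs). Function names are my own."""

TU_MS = 1.024                # one 802.11 Time Unit in milliseconds
CISCO_N_GRANULARITY_TU = 17  # beacon rounding granularity on Cisco 802.11n APs


def beacon_period_tu(beacon_ms: float, granularity_tu: int = CISCO_N_GRANULARITY_TU) -> int:
    """Configured beacon period (ms) -> TUs the AP actually beacons at.
    Converts to TUs and rounds to the nearest multiple of granularity_tu
    (never below one granularity step)."""
    if beacon_ms <= 0 or granularity_tu < 1:
        raise ValueError("beacon period and granularity must be positive")
    raw_tu = beacon_ms / TU_MS
    return max(granularity_tu, round(raw_tu / granularity_tu) * granularity_tu)


def actual_beacon_ms(beacon_ms: float, granularity_tu: int = CISCO_N_GRANULARITY_TU) -> float:
    """On-air beacon period in ms after the TU rounding (100 ms -> 104.448 ms)."""
    return beacon_period_tu(beacon_ms, granularity_tu) * TU_MS


def dtim_interval_ms(beacon_ms: float, dtim: int, on_air: bool = False) -> float:
    """Time between two DTIM beacons, i.e. the longest a power-saving client
    sleeps before buffered broadcast/multicast is delivered. on_air=False uses
    the nominal beacon period as the text does; on_air=True applies the rounding."""
    if not 1 <= dtim <= 255:
        raise ValueError("DTIM period must be 1..255")
    period = actual_beacon_ms(beacon_ms) if on_air else beacon_ms
    return period * dtim


def dtim_deliveries_per_second(beacon_ms: float, dtim: int, on_air: bool = False) -> float:
    """How often per second buffered broadcast/multicast frames go out."""
    return 1000.0 / dtim_interval_ms(beacon_ms, dtim, on_air)


if __name__ == "__main__":
    for dtim in (1, 2, 100):  # the three cases worked in the text
        print(f"DTIM {dtim:>3}: {dtim_deliveries_per_second(100, dtim):g}/s, "
              f"client sleeps up to {dtim_interval_ms(100, dtim) / 1000:g} s")
    print(f"802.11n AP: 100 ms -> {beacon_period_tu(100)} TU = {actual_beacon_ms(100):.3f} ms")
    # The WLAN configured below uses DTIM 200 on 802.11a and 150 on 802.11b/g
    for band, dtim in (("802.11a", 200), ("802.11b/g", 150)):
        print(f"{band} DTIM {dtim}: {dtim_interval_ms(100, dtim, on_air=True) / 1000:.1f} s between DTIMs")
```

With the DTIM values configured on this WLAN below (200 and 150) a power-saving client can sleep for roughly 20 and 15 seconds respectively between deliveries of buffered broadcast and multicast traffic, which is why such high values only make sense where every client is a power-save client that does not depend on timely multicast.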

(WLC2) >config wlan dtim ?               
802.11a        Configure the DTIM Period for 802.11a radio for a WLAN
802.11b        Configure the DTIM Period for 802.11b/g radio for a WLAN

(WLC2) >config wlan dtim 802.11a ?               
<value>        Enter the DTIM period, valid values 1 to 255

(WLC2) >config wlan dtim 802.11a 200 ?               
<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan dtim 802.11a 200 19
(WLC2) >config wlan dtim 802.11b 150 19

17. NAC
Not sure about this at the time of this writing.

(WLC2) >config wlan nac ?              
snmp           Configures SNMP NAC support(Legacy OOB).
radius         Configures Radius NAC support(Identity Service Engine).

(WLC2) >config wlan nac radius ?               
enable         Enable Radius NAC for this WLAN
disable        Disable Radius NAC for this WLAN

(WLC2) >config wlan nac radius enable ?               
<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan nac radius enable 19 
Request failed - Radius NAC is available only for WLANs that are configured for 802.1X/WPA/WPA2 Layer 2 security.

18. Client Load Balance
This allows client associations to be load-balanced between APs. As the warning message indicates when you configure it, this is not good for voice services, and you should disable it on voice WLANs.

(WLC2) >config wlan load-balance ?               
allow          Allow|Disallow Load Balance on a WLAN.

(WLC2) >config wlan load-balance allow ?               
enable         Allow Load Balance on a WLAN.
disable        Disallow Load Balance on a WLAN.

(WLC2) >config wlan load-balance allow enable ?               
<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan load-balance allow enable 19 
 WARNING: Allowing load balance on this WLAN may impact time sensitive application like VOICE. Continue? (y/N)y

19. Band Select
Band selection enables client radios that are capable of dual-band (2.4- and 5-GHz) operation to move to a less congested 5-GHz access point. The 2.4-GHz band is often congested. Clients on this band typically experience interference from Bluetooth devices, microwave ovens, and cordless phones as well as co-channel interference from other access points because of the 802.11b/g limit of three nonoverlapping channels. To prevent these sources of interference and improve overall network performance, you can configure band selection on the controller.

Band selection works by regulating probe responses to clients. It makes 5-GHz channels more attractive to clients by delaying probe responses to clients on 2.4-GHz channels.

On a side note, this only takes effect if you configure the radio policy as “all” for the given WLAN; otherwise it has no effect even though it is configured, and the GUI shows it as “unticked” even though the CLI config shows it enabled. Also, for voice clients this could introduce some additional delay, so it is recommended to turn it off if you are servicing voice.

(WLC2) >config wlan band-select ?               
allow          Allow|Disallow Band Select on a WLAN.

(WLC2) >config wlan band-select allow ?               
enable         Allow Band Select on a WLAN.
disable        Disallow Band Select on a WLAN.

(WLC2) >config wlan band-select allow enable ?               
<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan band-select allow enable 19 
 WARNING: Allow Band Select on this WLAN may impact time sensitive application like VOICE. Continue? (y/N)y

20. Voice- SIP
This allows you to configure SIP-specific settings for a voice WLAN. You need the Platinum QoS profile on the WLAN in order to support this feature.

(WLC2) >config wlan call-snoop ?               
enable         Enables Call Snooping on the WLAN.
disable        Disables call Snooping on the WLAN.               

(WLC2) >config wlan call-snoop enable ?               
<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan call-snoop enable 19 
Request failed. Please set WLAN QoS to Platinum to enable call-snooping

(WLC2) >config wlan roamed-voice-client ?               
re-anchor      Roamed client Re-Anchor policy

(WLC2) >config wlan roamed-voice-client re-anchor ?               
disable        Disable Roamed Client Re-Anchor policy
enable         Enable Roamed Client Re-Anchor policy

(WLC2) >config wlan roamed-voice-client re-anchor enable ?               
<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan roamed-voice-client re-anchor enable 19 

(WLC2) >config wlan sip-cac ?                  
send-486busy   Configure SIP 486 Busy on CAC Failure.
disassoc-client Configure Client Dis-Assoc on SIP CAC Failure.

(WLC2) >config wlan sip-cac send-486busy ?               
disable        Disable sending SIP 486 Busy on SIP CAC Failure.
enable         Enable sending SIP 486 Busy on SIP CAC Failure.

(WLC2) >config wlan sip-cac send-486busy enable ?               
<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan sip-cac send-486busy enable 19 
Configuration is already in the requested state

(WLC2) >config wlan sip-cac disassoc-client ?               
disable        Disable Client Dis-Assoc on SIP CAC Failure.
enable         Enable Client Dis-Assoc on SIP CAC Failure.

(WLC2) >config wlan sip-cac disassoc-client enable ?              
<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan sip-cac disassoc-client enable 19 
Warning! Enabling this functionality will Dis-Associate the Client in case of SIP CAC Failure

That covers all the advanced features of a WLAN via CLI configuration. My WLAN configuration now looks like this in the GUI.

WLAN-ADV-CLI-02

In the next post we will look at a few example CLI configurations of different WLANs.

Related Posts

1. Configuring WLAN via CLI – Part 1
2. Configuring WLAN via CLI – Part 2
3. Configuring WLAN via CLI – Part 3
4. Configuring WLAN via CLI – Part 4
5. Configuring WLAN via CLI – Part 6


Understanding DHCP Option 82


In this post we will see how DHCP option 82 works. The DHCP Relay Agent Information option (option 82) is commonly used in large enterprise deployments to provide additional information about the “physical attachment” of the client. Option 82 is intended for distributed DHCP server/relay environments, where the relays insert additional information to identify the client’s point of attachment. Here is the topology for this post.

DHCP82-00

In my example CAT4 is acting as the DHCP relay and CAT2 as the DHCP server. First we will look at this from the wired network perspective and then see how it is configured in a wireless environment. Here is the basic configuration of CAT2 and CAT4.

CAT2
ip dhcp excluded-address 192.168.50.1 192.168.50.100
ip dhcp pool VLAN50
   network 192.168.50.0 255.255.255.0
   default-router 192.168.50.1

CAT4
interface Vlan50
 ip address 192.168.50.1 255.255.255.0
 ip helper-address 10.10.10.3
!
interface FastEthernet1/0/5
 switchport access vlan 50
 switchport mode access
 spanning-tree portfast

As you can see below, the DHCP discover message relayed by CAT4 does not carry any DHCP option 82 information.

DHCP82-01

If you want the DHCP relay to add option 82 information, you have to configure the relay for it. I have given it a subscriber identification of “MRN-DHCP82”.

CAT4
interface Vlan50
 ip dhcp relay information option subscriber-id MRN-DHCP82
 ip dhcp relay information option-insert

Now if you run “debug ip dhcp server packet detail” on CAT2, you will see output similar to the following.

*Mar 12 13:24:14.294: DHCPD: DHCPDISCOVER received from client 0100.1cc0.1a68.1c on interface Vlan50.
*Mar 12 13:24:14.294: DHCPD: using received relay info.
*Mar 12 13:24:14.294: DHCPD: Looking up binding using address 192.168.50.1
*Mar 12 13:24:14.294: DHCPD: setting giaddr to 192.168.50.1.
*Mar 12 13:24:14.294: DHCPD: adding relay information option.
*Mar 12 13:24:14.294: DHCPD: relay information option content (add/replace):
*Mar 12 13:24:14.294:  DHCPD: 521a020c020a0000c0a832010a000000060a4d524e2d444843503832
*Mar 12 13:24:14.294: DHCPD: BOOTREQUEST from 0100.1cc0.1a68.1c forwarded to 10.10.10.3.
*Mar 12 13:24:14.302: DHCPD: Reload workspace interface FastEthernet1/0/23 tableid 0.
*Mar 12 13:24:14.302: DHCPD: tableid for 172.16.99.10 on FastEthernet1/0/23 is 0

Here is the Wireshark packet output for this DHCP discover message relayed by CAT4.

DHCP82-02

The DHCP option 82 message format is <option><length><option content>. 52 in hex is 82 in decimal, which indicates it is option 82 information. Now on the DHCP server you need to define a DHCP class that matches the subscriber identification in order to issue an IP to this client; the server must also know the relay information it should expect. If these match, it will issue an IP to the client; otherwise the DHCP packets are dropped by the DHCP server. So here is the CAT2 configuration.

ip dhcp class MRN-DHCP82
   relay agent information
      relay-information hex 020c020a0000c0a832010a000000060a4d524e2d444843503832
!
ip dhcp pool VLAN50
   network 192.168.50.0 255.255.255.0
   default-router 192.168.50.1 
   class MRN-DHCP82
      address range 192.168.50.200 192.168.50.210

If you run “debug ip dhcp server packet detail” on CAT2 you will see something like this.

*Mar 13 00:22:44.899 AEDT: DHCPD: Reload workspace interface FastEthernet1/0/4 tableid 0.
*Mar 13 00:22:44.899 AEDT: DHCPD: tableid for 172.16.99.6 on FastEthernet1/0/4 is 0
*Mar 13 00:22:44.899 AEDT: DHCPD: client's VPN is .
*Mar 13 00:22:44.899 AEDT: DHCPD: using received relay info.
*Mar 13 00:22:44.899 AEDT: DHCPD: DHCPDISCOVER received from client 0100.1cc0.1a68.1c through relay 192.168.51.1.
*Mar 13 00:22:44.899 AEDT: DHCPD: using received relay info.
*Mar 13 00:22:44.899 AEDT: DHCPD: Class 'MRN-DHCP82' matched by default
*Mar 13 00:22:44.899 AEDT: DHCPD: Searching for a match to 'relay-information 020c020a0000c0a833010b000000060a4d524e2d444843503832' 
*Mar 13 00:24:12.839 AEDT: DHCPD: DHCPDISCOVER received from client 0100.1cc0.1a68.1c through relay 192.168.50.1.
*Mar 13 00:24:12.839 AEDT: DHCPD: using received relay info.
*Mar 13 00:24:12.839 AEDT: DHCPD: Sending DHCPOFFER to client 0100.1cc0.1a68.1c (192.168.50.200).
*Mar 13 00:24:12.839 AEDT: DHCPD: no option 125
*Mar 13 00:24:12.839 AEDT: DHCPD: unicasting BOOTREPLY for client 001c.c01a.681c to relay 192.168.50.1.
*Mar 13 00:24:12.856 AEDT: DHCPD: Reload workspace interface FastEthernet1/0/4 tableid 0.
*Mar 13 00:24:12.856 AEDT: DHCPD: tableid for 172.16.99.6 on FastEthernet1/0/4 is 0
*Mar 13 00:24:12.856 AEDT: DHCPD: client's VPN is .
*Mar 13 00:24:12.856 AEDT: DHCPD: DHCPREQUEST received from client 0100.1cc0.1a68.1c.
*Mar 13 00:24:12.856 AEDT: DHCPD: Sending DHCPACK to client 0100.1cc0.1a68.1c (192.168.50.200)

Now we will see how this works in a wireless environment. As you know, for a wireless client the WLC acts as the DHCP relay and passes the DHCP discover and request messages to the DHCP server. We will create a WLAN with open authentication and assign it to the vlan50 interface created on the controller. If you are familiar with WLC CLI commands, you can do this with the following commands.

(WLC3) >config interface create vlan50 50
(WLC3) >config interface address dynamic-interface vlan50 192.168.50.20 255.255.255.0 192.168.50.1
(WLC3) >config interface dhcp dynamic-interface vlan50 primary 10.10.10.3
(WLC3) >config interface port vlan50 1
(WLC3) >config wlan create 15 dhcp-82 dhcp-82
(WLC3) >config wlan security wpa disable 15
(WLC3) >config wlan enable 15

Now if you try to associate to this WLAN, you will not get an IP from the DHCP server. If you check the CAT2 “debug ip dhcp packet detail” output you will see output similar to this: the server complains that DHCP option 82 information is not present in the messages coming from the DHCP relay (WLC3).

*Mar 13 01:28:25.637 AEDT: DHCPD: Reload workspace interface FastEthernet1/0/4 tableid 0.
*Mar 13 01:28:25.637 AEDT: DHCPD: tableid for 172.16.99.6 on FastEthernet1/0/4 is 0
*Mar 13 01:28:25.637 AEDT: DHCPD: client's VPN is .
*Mar 13 01:28:25.637 AEDT: DHCPD: using received relay info.
*Mar 13 01:28:25.637 AEDT: DHCPD: DHCPDISCOVER received from client 0104.f7e4.ea5b.66 through relay 192.168.50.20.
*Mar 13 01:28:25.637 AEDT: DHCPD: using received relay info.
*Mar 13 01:28:25.637 AEDT: DHCPD: input does not contain option 82

This is the default behaviour of a WLC (I am on 7.0.116.0 code), and you have to configure it to add DHCP option 82. You can verify this with the “show interface detailed vlan50” command output as well.

(WLC3) >show interface detailed vlan50
Interface Name................................... vlan50
MAC Address...................................... 00:1b:d5:cf:e6:00
IP Address....................................... 192.168.50.20
IP Netmask....................................... 255.255.255.0
IP Gateway....................................... 192.168.50.1
External NAT IP State............................ Disabled
External NAT IP Address.......................... 0.0.0.0
VLAN............................................. 50        
Quarantine-vlan.................................. 0
Physical Port.................................... 1         
Primary DHCP Server.............................. 10.10.10.3
Secondary DHCP Server............................ Unconfigured
DHCP Option 82................................... Disabled
ACL.............................................. Unconfigured
AP Manager....................................... No
Guest Interface.................................. No
L2 Multicast..................................... Enabled

You can enable it on an interface with the following CLI command.

(WLC3) >config interface dhcp dynamic-interface vlan50 ?               
primary        Primary DHCP Server.
option-82      Configures the DHCP option 82 on the interface

(WLC3) >config interface dhcp dynamic-interface vlan50 option-82 ?               
enable         Enables the DHCP option 82 on the interface               
disable        Disables the DHCP option 82 on the interface

(WLC3) >config interface dhcp dynamic-interface vlan50 option-82 enable 

Now if you check the CAT2 debug output, you should see that the DHCP relay has provided option 82 information, as below.

*Mar 13 01:37:10.682 AEDT: DHCPD: using received relay info.
*Mar 13 01:37:10.682 AEDT: DHCPD: DHCPDISCOVER received from client 0104.f7e4.ea5b.66 through relay 192.168.50.20.
*Mar 13 01:37:10.682 AEDT: DHCPD: using received relay info.
*Mar 13 01:37:10.682 AEDT: DHCPD: Class 'MRN-DHCP82' matched by default
*Mar 13 01:37:10.682 AEDT: DHCPD: Searching for a match to 'relay-information 0104000000000206a0cf5b9ee820' in class MRN-DHCP82

We will define a new DHCP class and allocate a different IP address range for wireless clients.

ip dhcp class L3500
   relay agent information
      relay-information hex 0104000000000206a0cf5b9ee820
!
ip dhcp pool VLAN50
   network 192.168.50.0 255.255.255.0
   default-router 192.168.50.1 
   class MRN-DHCP82
      address range 192.168.50.200 192.168.50.210
   class L3500
      address range 192.168.50.222 192.168.50.230

Once you configure this, you will see your wireless client get an IP from the range you specified. It should be within 192.168.50.222-230 in my example.

*Mar 13 01:41:44.601 AEDT: DHCPD: using received relay info.
*Mar 13 01:41:44.601 AEDT: DHCPD: DHCPDISCOVER received from client 0104.f7e4.ea5b.66 through relay 192.168.50.20.
*Mar 13 01:41:44.601 AEDT: DHCPD: using received relay info.
*Mar 13 01:41:44.601 AEDT: DHCPD: Sending DHCPOFFER to client 0104.f7e4.ea5b.66 (192.168.50.222).
*Mar 13 01:41:44.601 AEDT: DHCPD: no option 125
*Mar 13 01:41:44.601 AEDT: DHCPD: unicasting BOOTREPLY for client 04f7.e4ea.5b66 to relay 192.168.50.20.
*Mar 13 01:41:45.658 AEDT: DHCPD: Reload workspace interface FastEthernet1/0/4 tableid 0.
*Mar 13 01:41:45.658 AEDT: DHCPD: tableid for 172.16.99.6 on FastEthernet1/0/4 is 0
*Mar 13 01:41:45.658 AEDT: DHCPD: client's VPN is .
*Mar 13 01:41:45.658 AEDT: DHCPD: DHCPREQUEST received from client 0104.f7e4.ea5b.66.
*Mar 13 01:41:45.658 AEDT: DHCPD: Sending DHCPACK to client 0104.f7e4.ea5b.66 (192.168.50.222).

Here is the Wireshark packet capture of the DHCP discover message relayed by the WLC.

DHCP82-03

If you look at the DHCP option 82 information more closely you will see the Agent Remote ID is the AP radio MAC address (a0cf5b9ee820). This is because by default the WLC uses the AP radio MAC address. You can verify this via the controller GUI (Controller -> Advanced -> DHCP) or the “show dhcp opt-82” CLI command.

DHCP82-04

(WLC3) >show dhcp opt-82 
DHCP Opt-82 RID Format: <AP radio MAC address>

(WLC3) >config dhcp opt-82 ?
remote-id      Set Format for RemoteId field in DHCP option 82

(WLC3) >config dhcp opt-82 remote-id ?
ap-mac         Set RemoteID format as <AP radio MAC address>
apmac:ssid     Set RemoteID format as <AP radio MAC address>:<SSID>
ap-ethmac      Set RemoteID format as <AP Ethernet MAC address>

As you can see, the other options are the AP Ethernet MAC address, or the AP radio MAC and SSID. Let’s change this to AP Ethernet MAC and see the debug output. Before that, we will check the LAP2 MAC addresses.

DHCP82-05

Once we change the option 82 Remote-ID to the AP Ethernet MAC address (708105037cef), we should see the option 82 information contain that instead of the AP radio MAC address. You can change it via GUI or CLI; the CLI command is shown below.

(WLC3) >config dhcp opt-82 remote-id ap-ethmac

CAT2
*Mar 13 02:40:12.687 AEDT: DHCPD: using received relay info.
*Mar 13 02:40:12.687 AEDT: DHCPD: DHCPDISCOVER received from client 0100.22fa.9468.58 through relay 192.168.50.20.
*Mar 13 02:40:12.687 AEDT: DHCPD: using received relay info.
*Mar 13 02:40:12.687 AEDT: DHCPD: Class 'MRN-DHCP82' matched by default
*Mar 13 02:40:12.687 AEDT: DHCPD: Searching for a match to 'relay-information 0104000000000206708105037cef' in class MRN-DHCP82
*Mar 13 02:40:12.687 AEDT: DHCPD: Class 'L3500' matched by default
*Mar 13 02:40:12.687 AEDT: DHCPD: Searching for a match to 'relay-information 0104000000000206708105037cef' in class L3500

As you can see, the relay information now includes the AP Ethernet MAC address, and we have to change the relay information on the DHCP server (CAT2) in order to accept these messages coming from the WLC and allocate an IP address for the client.

ip dhcp class L3500
   relay agent information
      relay-information hex 0104000000000206708105037cef
      relay-information hex 0104000000000206a0cf5b9ee820

Now you can see the client gets an IP, and the packet capture verifies that the option 82 remote ID is the AP Ethernet MAC address as well.

DHCP82-06

Finally we change the option 82 remote ID to the AP radio MAC address and SSID option. This time you can see the DHCP option 82 information is different from the previous times.

*Mar 13 03:08:30.441 AEDT: DHCPD: using received relay info.
*Mar 13 03:08:30.441 AEDT: DHCPD: DHCPDISCOVER received from client 0120.02af.12e4.f7 through relay 192.168.50.20.
*Mar 13 03:08:30.441 AEDT: DHCPD: using received relay info.
*Mar 13 03:08:30.441 AEDT: DHCPD: Class 'MRN-DHCP82' matched by default
*Mar 13 03:08:30.441 AEDT: DHCPD: Searching for a match to 'relay-information 0104000000000227a0cf5b9ee8203a646863702d383200000000000000000000000000000000000000000000000000' in class MRN-DHCP82

Once you add this information to the DHCP class relay information on CAT2, you will see the client get an IP.

ip dhcp class L3500
   relay agent information
      relay-information hex 0104000000000206708105037cef
      relay-information hex 0104000000000206a0cf5b9ee820
      relay-information hex 0104000000000227a0cf5b9ee8203a646863702d383200000000000000000000000000000000000000000000000000

Here is the Wireshark capture this time.

DHCP82-07
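To make the three relay-information formats seen in this post concrete, here is a small option 82 decoder. It is an added example, not code from the post or from Cisco: it splits the option into its RFC 3046 sub-options (1 = Agent Circuit ID, 2 = Agent Remote ID; 6 = Subscriber ID from RFC 3993), renders the WLC Remote-ID formats, emits the exact string that goes after `relay-information hex` in an `ip dhcp class`, and mimics the server's class selection. The sample inputs are the hex strings from the debug output above; the apmac:ssid sample is rebuilt from its parts (assumption: 25 zero bytes of padding, so that the Remote ID is the 0x27 = 39 bytes the debug line reports). The IOS relay's own Remote-ID layout is treated as opaque and only returned as hex.

```python
"""DHCP option 82 (Relay Agent Information) decoder: an added example, not code
from the post or from Cisco. Parses the sub-option TLVs (RFC 3046: 1 = Agent
Circuit ID, 2 = Agent Remote ID; RFC 3993: 6 = Subscriber ID) and produces the
string that `ip dhcp class ... relay-information hex` needs, i.e. the option
payload without the leading 52 <length> bytes. Samples are the hex strings from
the debug output above; the apmac:ssid sample is rebuilt from its parts
(assumption: 25 zero bytes of padding, giving the reported 0x27 = 39 bytes)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

OPTION_82 = 0x52
SUBOPTION_NAMES = {1: "circuit-id", 2: "remote-id", 6: "subscriber-id"}


@dataclass
class RelayAgentInfo:
    payload: bytes                                   # TLVs only, no 52 <len> header
    suboptions: Dict[int, bytes] = field(default_factory=dict)

    def class_hex(self) -> str:
        """Exactly what follows `relay-information hex` in an `ip dhcp class`."""
        return self.payload.hex()


def parse_option82(option_hex: str, has_header: bool = True) -> RelayAgentInfo:
    """Decode option 82. has_header=True expects `52 <len>` first (as in the relay
    debug line); False takes the bare payload (as in the class configuration)."""
    data = bytes.fromhex(option_hex)
    if has_header:
        if len(data) < 2 or data[0] != OPTION_82:
            raise ValueError("not an option 82 TLV")
        if len(data) != 2 + data[1]:
            raise ValueError(f"option length {data[1]} != {len(data) - 2} payload bytes")
        data = data[2:]
    info = RelayAgentInfo(payload=data)
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated sub-option header")
        code, length = data[pos], data[pos + 1]
        value = data[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated sub-option {code}")
        if code in info.suboptions:
            raise ValueError(f"duplicate sub-option {code}")
        info.suboptions[code] = value
        pos += 2 + length
    return info


def describe_remote_id(rid: bytes) -> str:
    """Render the WLC Remote-ID formats seen above: a bare 6-byte AP MAC, or
    MAC ':' SSID zero-padded (apmac:ssid). The IOS relay's own layout is opaque
    here and is returned as hex."""
    if len(rid) > 7 and rid[6] == 0x3A:                        # ':' separator
        return rid[:6].hex() + ":" + rid[7:].rstrip(b"\x00").decode("ascii", "replace")
    return rid.hex()


def describe(info: RelayAgentInfo) -> Dict[str, str]:
    out = {}
    for code, value in info.suboptions.items():
        name = SUBOPTION_NAMES.get(code, f"suboption-{code}")
        if code == 6:
            out[name] = value.decode("ascii", "replace")
        elif code == 2:
            out[name] = describe_remote_id(value)
        else:
            out[name] = value.hex()
    return out


def match_class(info: RelayAgentInfo, classes: Dict[str, List[str]]) -> Optional[str]:
    """Mimic the server's class selection: the first class whose relay-information
    list contains this payload; None means no class matches and no lease is given."""
    for name, entries in classes.items():
        if any(bytes.fromhex(e) == info.payload for e in entries):
            return name
    return None


# --- samples from the debug output above (CAT4's line includes the 52 1a header) ---
CAT4_WIRED = "521a020c020a0000c0a832010a000000060a4d524e2d444843503832"
WLC_APMAC = "0104000000000206a0cf5b9ee820"
WLC_APETH = "0104000000000206708105037cef"
WLC_APMAC_SSID = ("0104" + "00000000" + "0227" + "a0cf5b9ee820" + "3a"
                  + "dhcp-82".encode().hex() + "00" * 25)   # reconstructed, padding assumed
CAT2_CLASSES = {                                             # the CAT2 class configuration
    "MRN-DHCP82": ["020c020a0000c0a832010a000000060a4d524e2d444843503832"],
    "L3500": [WLC_APETH, WLC_APMAC, WLC_APMAC_SSID],
}

if __name__ == "__main__":
    for label, hexstr, hdr in (("CAT4", CAT4_WIRED, True), ("WLC apmac", WLC_APMAC, False),
                               ("WLC apmac:ssid", WLC_APMAC_SSID, False)):
        info = parse_option82(hexstr, has_header=hdr)
        print(label, describe(info), "-> class", match_class(info, CAT2_CLASSES))
```

Because the server compares the whole payload byte for byte, any change in what the relay inserts breaks the match: the first debug excerpt above shows a discover through relay 192.168.51.1 whose relay information contains c0a83301 rather than the configured c0a83201, and only the later discover through 192.168.50.1 gets a DHCPOFFER. The same applies when the WLC Remote-ID format is changed, which is why each format had to be added to the L3500 class in turn.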

That covers DHCP option 82. You can refer to the following YouTube video from Jerome Henry for further information.

CCIE Wireless DHCP Option 82

Related Posts

1. Understanding DHCP
2. Understanding DHCP Snooping
3. Understanding DHCP Option 43
4.


Mobility Config via CLI


In this post we will see how to configure WLC mobility via CLI. If you prefer the GUI, you can refer to one of my previous posts (Configuring Mobility on WLC).

Here is the basic setup. The head office (mobility group HQ) has two wireless controllers, WLC1 and WLC2. WLC1 is used for guest traffic termination, and we will put it in a different mobility group called DMZ. There is a branch office with WLC3, and it is in the mobility group named MO.

Mobility-CLI-01

Initially we will configure mobility without using multicast, and then we will use multicast for mobility communication. The diagram shows multiple controllers in each mobility group, but in my test lab I do not have that many controllers, so I have to go with 3 controllers. The real advantage of multicast comes when you have multiple controllers in the same mobility group.

Configuration-wise, you have to configure a mobility group name and then add mobility group members (local and non-local) to the mobility list (sometimes referred to as the mobility domain). Local group members have the same group name as the WLC you are configuring. Non-local group members have a group name different from that of the WLC you are configuring.

You need each WLC’s MAC address and IP address for the mobility configuration, so it is better to have this ready before you start. “show sysinfo” gives you the required output. Here is the info in my example.

(WLC1) >show sysinfo 
System Name...................................... WLC1
IP Address....................................... 10.10.111.10
Burned-in MAC Address............................ 00:0B:85:43:D8:60
!
(WLC2) >show sysinfo
System Name...................................... WLC2
IP Address....................................... 10.10.112.10
Burned-in MAC Address............................ 00:0B:85:40:A1:C0
!
(WLC3) >show sysinfo 
System Name...................................... WLC3
IP Address....................................... 10.10.120.140
Burned-in MAC Address............................ 00:1B:D5:CF:E6:00

“config mobility ?” is the CLI command you need to use for the configuration. Here is how I configure the mobility group name for a WLC and add members to the mobility list.

(WLC1) >config mobility ?              
dscp           Configures the Mobility inter controller DSCP value.
group          Configures the Mobility group parameters.
multicast-mode Configures the Multicast Mode for mobility messages
statistics     Resets the mobility statistics.

(WLC1) >config mobility group ?                     
anchor         Configures the Mobility WLAN anchor list.
domain         Configures the Mobility domain name.
keepalive      Keepalive ping parameters to be configured
member         Configures the Mobility group members list.
multicast-address Configures the Multicast IP Address for a mobility group

(WLC1) >config mobility group domain DMZ

(WLC1) >config mobility group member add ?               
<MAC addr>     Member switch MAC address

(WLC1) >config mobility group member add 00:0B:85:40:A1:C0 ?              
<IP addr>      Member switch IP address

(WLC1) >config mobility group member add 00:0B:85:40:A1:C0 10.10.112.10 ?              
<group name>   Optional member switch group name (if different from default group name)

(WLC1) >config mobility group member add 00:0B:85:40:A1:C0 10.10.112.10 HQ              
(WLC1) >config mobility group member add 00:1B:D5:CF:E6:00 10.10.120.140 BR

For WLC2 and WLC3 you can work out that these are the CLI commands required.

(WLC2) >config mobility group domain HQ
(WLC2) >config mobility group member add 00:0B:85:43:D8:60 10.10.111.10 DMZ
!
(WLC3) >config mobility group domain BR
(WLC3) >config mobility group member add 00:0B:85:43:D8:60 10.10.111.10 DMZ

Now the basic mobility configuration is done. Once you run “show mobility summary” you should be able to see the status of your configuration.

(WLC1) >show mobility summary 
Symmetric Mobility Tunneling (current) .......... Enabled
Symmetric Mobility Tunneling (after reboot) ..... Enabled
Mobility Protocol Port........................... 16666
Default Mobility Domain.......................... DMZ
Multicast Mode .................................. Disabled
Mobility Domain ID for 802.11r................... 0x43cd
Mobility Keepalive Interval...................... 10
Mobility Keepalive Count......................... 3
Mobility Group Members Configured................ 3
Mobility Control Message DSCP Value.............. 0

Controllers configured in the Mobility Group
 MAC Address        IP Address       Group Name                        Multicast IP     Status
 00:0b:85:40:a1:c0  10.10.112.10     HQ                                0.0.0.0          Up
 00:0b:85:43:d8:60  10.10.111.10     DMZ                               0.0.0.0          Up
 00:1b:d5:cf:e6:00  10.10.120.140    BR                                0.0.0.0          Up

On WLC2 you should see an output like this.

(WLC2) >show mobility summary 
Symmetric Mobility Tunneling (current) .......... Enabled
Symmetric Mobility Tunneling (after reboot) ..... Enabled
Mobility Protocol Port........................... 16666
Default Mobility Domain.......................... HQ
Multicast Mode .................................. Disabled
Mobility Domain ID for 802.11r................... 0x6b2f
Mobility Keepalive Interval...................... 10
Mobility Keepalive Count......................... 3
Mobility Group Members Configured................ 2
Mobility Control Message DSCP Value.............. 0

Controllers configured in the Mobility Group
 MAC Address        IP Address       Group Name                        Multicast IP     Status
 00:0b:85:40:a1:c0  10.10.112.10     HQ                                0.0.0.0          Up
 00:0b:85:43:d8:60  10.10.111.10     DMZ                               0.0.0.0          Up

On WLC3 the “show mobility summary” output should look like this.

(WLC3) >show mobility summary 
Symmetric Mobility Tunneling (current) .......... Enabled
Symmetric Mobility Tunneling (after reboot) ..... Enabled
Mobility Protocol Port........................... 16666
Default Mobility Domain.......................... BR
Multicast Mode .................................. Disabled
Mobility Domain ID for 802.11r................... 0xad23
Mobility Keepalive Interval...................... 10
Mobility Keepalive Count......................... 3
Mobility Group Members Configured................ 2
Mobility Control Message DSCP Value.............. 0

Controllers configured in the Mobility Group
 MAC Address        IP Address       Group Name                        Multicast IP     Status
 00:0b:85:43:d8:60  10.10.111.10     DMZ                               0.0.0.0          Up
 00:1b:d5:cf:e6:00  10.10.120.140    BR                                0.0.0.0          Up
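The three summaries above are consistent with each other only because each controller lists its peers under the peer's real group name and each peer lists it back. Here is a check that verifies exactly that from the `show mobility summary` text. It is an added example, not code from the post: it parses the member table and the Default Mobility Domain and member-count lines, and reports any peer that is unknown, listed under the wrong group, missing from the other side, or not Up. The samples are the three summaries above trimmed to the lines the parser reads; each controller's own MAC is taken from its `show sysinfo` output earlier in the post.

```python
"""Mobility list consistency check: an added example, not code from the post.
It parses the member table of `show mobility summary` from each controller and
checks what the text requires: every listed peer must be a known controller,
must be listed under the peer's real Default Mobility Domain, and must list this
controller back under this controller's own domain. Samples are the three
summaries above, trimmed to the lines the parser reads; each controller's own
MAC comes from its `show sysinfo` output above."""
import re
from typing import Dict, List, NamedTuple

MEMBER_RE = re.compile(r"^\s*([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+(\d+(?:\.\d+){3})\s+"
                       r"(\S+)\s+(\d+(?:\.\d+){3})\s+(\S+)\s*$", re.IGNORECASE)
DOMAIN_RE = re.compile(r"^Default Mobility Domain\.+\s*(\S+)", re.MULTILINE)
COUNT_RE = re.compile(r"^Mobility Group Members Configured\.+\s*(\d+)", re.MULTILINE)


class Member(NamedTuple):
    mac: str
    ip: str
    group: str
    mcast: str
    status: str


class Summary(NamedTuple):
    name: str
    own_mac: str
    domain: str
    configured: int
    members: Dict[str, Member]   # keyed by lower-case MAC


def parse_summary(name: str, own_mac: str, text: str) -> Summary:
    dom, cnt = DOMAIN_RE.search(text), COUNT_RE.search(text)
    if not dom or not cnt:
        raise ValueError(f"{name}: no Default Mobility Domain / member count line")
    members = {}
    for line in text.splitlines():
        m = MEMBER_RE.match(line)
        if m:
            mem = Member(m.group(1).lower(), *m.groups()[1:])
            members[mem.mac] = mem
    return Summary(name, own_mac.lower(), dom.group(1), int(cnt.group(1)), members)


def check_mobility(summaries: List[Summary]) -> List[str]:
    """Return findings; an empty list means every list is complete and symmetric."""
    by_mac = {s.own_mac: s for s in summaries}
    findings = []
    for s in summaries:
        if len(s.members) != s.configured:
            findings.append(f"{s.name}: {len(s.members)} rows, {s.configured} members configured")
        if s.own_mac not in s.members:
            findings.append(f"{s.name}: does not list itself")
        for mac, mem in s.members.items():
            if mem.status.lower() != "up":
                findings.append(f"{s.name}: member {mac} is {mem.status}")
            if mac == s.own_mac:
                if mem.group != s.domain:
                    findings.append(f"{s.name}: own group {mem.group} != domain {s.domain}")
                continue
            peer = by_mac.get(mac)
            if peer is None:
                findings.append(f"{s.name}: member {mac} ({mem.ip}) is not a known controller")
                continue
            if mem.group != peer.domain:
                findings.append(f"{s.name}: lists {peer.name} in group {mem.group}, "
                                f"but {peer.name}'s domain is {peer.domain}")
            back = peer.members.get(s.own_mac)
            if back is None:
                findings.append(f"{peer.name}: does not list {s.name} ({s.own_mac}) back")
            elif back.group != s.domain:
                findings.append(f"{peer.name}: lists {s.name} in group {back.group}, expected {s.domain}")
    return findings


HEADER = " MAC Address        IP Address       Group Name                        Multicast IP     Status\n"
WLC1_SUMMARY = ("Default Mobility Domain.......................... DMZ\n"
                "Mobility Group Members Configured................ 3\n" + HEADER +
                " 00:0b:85:40:a1:c0  10.10.112.10     HQ                                0.0.0.0          Up\n"
                " 00:0b:85:43:d8:60  10.10.111.10     DMZ                               0.0.0.0          Up\n"
                " 00:1b:d5:cf:e6:00  10.10.120.140    BR                                0.0.0.0          Up\n")
WLC2_SUMMARY = ("Default Mobility Domain.......................... HQ\n"
                "Mobility Group Members Configured................ 2\n" + HEADER +
                " 00:0b:85:40:a1:c0  10.10.112.10     HQ                                0.0.0.0          Up\n"
                " 00:0b:85:43:d8:60  10.10.111.10     DMZ                               0.0.0.0          Up\n")
WLC3_SUMMARY = ("Default Mobility Domain.......................... BR\n"
                "Mobility Group Members Configured................ 2\n" + HEADER +
                " 00:0b:85:43:d8:60  10.10.111.10     DMZ                               0.0.0.0          Up\n"
                " 00:1b:d5:cf:e6:00  10.10.120.140    BR                                0.0.0.0          Up\n")
LAB = [parse_summary("WLC1", "00:0B:85:43:D8:60", WLC1_SUMMARY),
       parse_summary("WLC2", "00:0B:85:40:A1:C0", WLC2_SUMMARY),
       parse_summary("WLC3", "00:1B:D5:CF:E6:00", WLC3_SUMMARY)]

if __name__ == "__main__":
    print(check_mobility(LAB) or "mobility lists are consistent")
```

A group-name typo on one side (for example adding WLC1 on WLC3 as DMZ2 instead of DMZ) is reported from both controllers' point of view, which is the case you want to catch before relying on the tunnels: the member can still show Up while clients roaming between the two groups are not handled as intended.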

You can change the keepalive count, keepalive interval and DSCP value of mobility packets as follows. I leave them at the default values shown in the output above.

(WLC3) >config mobility group keepalive ?              
count          No of keep alive retries before a member status is termed DOWN              
interval       Interval between two keep alives sent to a mobility member

(WLC3) >config mobility group keepalive count ?            
<number>       Number in range of 3-20

(WLC3) >config mobility group keepalive interval ?               
<number>       Number in range of <1 - 30 seconds>, interval between two ping tries 
!
(WLC3) >config mobility dscp ?               
<dscp_value>   <0-63>

In the above method, each WLC uses unicast messages to communicate with each local group member and each configured non-local group member. Since this mobility information needs to be updated very frequently, this becomes processor intensive, as each controller has to send multiple copies of the same message to the different controllers configured in its mobility list.

Multicast communication helps in this regard, as a given controller sends only one copy of each mobility message to the configured multicast group address and all the controllers in the same mobility group receive it. You can configure a multicast address for non-local group members as well. In my example WLC1 has two non-local group members, and you can configure a separate multicast group address for each of these.

As per the diagram, we will configure 239.11.11.11 for DMZ local group member communication on WLC1, and 239.12.12.12 for DMZ-to-HQ inter-group mobility communication. Similarly, we will use 239.22.22.22 for WLC2 local-group mobility communication (i.e. members of the HQ mobility group) and 239.33.33.33 for WLC3 local-group mobility communication (i.e. members of mobility group MO), and 239.13.13.13 for communication between mobility groups MO and DMZ. Here is how you configure this via CLI.

You can configure local group multicast communication using the “config mobility multicast-mode {enable|disable} <local-multicast-address>” CLI command.

(WLC3) >config mobility multicast-mode enable ?               
<local-multicast-address> Configures the Multicast IP Address for the local group.

(WLC3) >config mobility multicast-mode enable 239.33.33.33
(WLC2) >config mobility multicast-mode enable 239.22.22.22
(WLC1) >config mobility multicast-mode enable 239.11.11.11

You can configure the multicast group for non-local member communication as follows.

(WLC1) >config mobility group multicast-address ?              
<group_name>   Specify the Mobility Group whose Multicast IP Address is to be set

(WLC1) >config mobility group multicast-address HQ ?              
<ip_address>   Configures the Multicast IP Address for a mobility group

(WLC1) >config mobility group multicast-address HQ 239.12.12.12
(WLC1) >config mobility group multicast-address BR 239.13.13.13

(WLC2) >config mobility group multicast-address DMZ 239.12.12.12

(WLC3) >config mobility group multicast-address DMZ 239.13.13.13

It is important to remember that for multicast mode to work your L3 infrastructure must be configured to route these multicast groups between the controllers. Once you check show mobility summary you should see something like this.

(WLC1) >show mobility summary 

Symmetric Mobility Tunneling (current) .......... Enabled
Symmetric Mobility Tunneling (after reboot) ..... Enabled
Mobility Protocol Port........................... 16666
Default Mobility Domain.......................... DMZ
Multicast Mode .................................. Enabled
Mobility Domain ID for 802.11r................... 0x43cd
Mobility Keepalive Interval...................... 10
Mobility Keepalive Count......................... 3
Mobility Group Members Configured................ 3
Mobility Control Message DSCP Value.............. 0

Controllers configured in the Mobility Group
 MAC Address        IP Address       Group Name                        Multicast IP     Status
 00:0b:85:40:a1:c0  10.10.112.10     HQ                                239.12.12.12     Up
 00:0b:85:43:d8:60  10.10.111.10     DMZ                               239.11.11.11     Up
 00:1b:d5:cf:e6:00  10.10.120.140    BR                                239.13.13.13     Up

If you need to configure auto anchoring (for wired or wireless guest traffic) you can do it via the “config mobility group anchor add {wlan|guest-lan} {wlan-id|guest-lan-id} {anchor-wlc-ip}” CLI command.

(WLC1) >config mobility group anchor add wlan ?              
<WLAN Id>      WLAN identifier between 1 and 512.

(WLC1) >config mobility group anchor add wlan 17 ?               
<IP addr>      Member switch IP address to anchor WLAN

(WLC1) >config mobility group anchor add guest-lan ?          
<Guest LAN Id> Guest LAN identifier between 1 and 5

(WLC1) >config mobility group anchor add guest-lan 1 ?              
<IP addr>      Member switch IP address to anchor WLAN

See “WLAN config via CLI- Part6” for Wireless Guest WLAN configuration via CLI.

You can refer to the complete list of 7.0.116.0 mobility CLI commands via the link below.
Configure Mobility Commands

Related Posts

1. Configuring Mobility on WLC
2. Auto Anchor Mobility
3. WLAN config via CLI – Part6


WLAN Config via CLI – Part 6


In this post we will look at a configuration example of a WLAN using the CLI only. To make it comprehensive I will illustrate a guest WLAN configuration with the auto anchoring feature as well. Here is the basic topology.

WLAN-CLI6-01

Here are the requirements for this guest WLAN.
- All guest users get an address from 192.168.9.0/24, with their traffic terminated on WLC1 (the anchor)
- Users join the network with an email address as their only credential
- Guest user traffic gets the lowest QoS priority
- WMM is disabled
- Clients with a static IP are not allowed to join
- Guest users only get 802.11a and 802.11g data rates (no 802.11b)
- Guest clients must not trigger coverage hole detection, and so no AP power changes

Before configuring this you need to identify the tasks you have to do:

1. QoS profile configuration with the required 802.1p values
2. Configure the interface for vlan9 on WLC1 and map it onto the “guest-9” WLAN
3. Define the “guest-9” WLAN on WLC2 and WLC3 and leave it on the management interface (no dynamic interfaces)
4. Configure the mobility anchor for the “guest-9” WLAN

Here is the CLI configuration for each task. For the QoS profile configuration you have to disable the 802.11 radios (both 2.4GHz and 5GHz) first. It is advisable to configure all four QoS profiles even though this example only requires the Bronze profile.

(WLC3) >config 802.11b disable network
(WLC3) >config 802.11a disable network
Disabling the 802.11a network may strand mesh APs. Are you sure you want to continue? (y/n)y
(WLC3) >config qos protocol-type platinum dot1p 
(WLC3) >config qos dot1p-tag platinum 6
(WLC3) >config qos protocol-type gold dot1p 
(WLC3) >config qos dot1p-tag gold 5
(WLC3) >config qos protocol-type silver dot1p 
(WLC3) >config qos dot1p-tag silver 3
(WLC3) >config qos protocol-type bronze dot1p 
(WLC3) >config qos dot1p-tag bronze 1
(WLC3) >config 802.11a enable network
(WLC3) >config 802.11b enable network

You need to apply these lines on both WLC1 and WLC2 as well. Now we will configure the WLC1 dynamic interface for the guest-9 WLAN. Here is the CLI config for this.

(WLC1) >config interface create vlan9 9
(WLC1) >config interface address dynamic-interface vlan9 192.168.9.10 255.255.255.0 192.168.9.1
(WLC1) >config interface dhcp dynamic-interface vlan9 primary 192.168.9.1
(WLC1) >config interface port vlan9 1

You need to ensure CAT2 is configured to provide DHCP addresses and act as the gateway for wireless guest users. Also make sure vlan9 is allowed on the trunk to WLC1.

ip dhcp excluded-address 192.168.9.1 192.168.9.99
ip dhcp pool VLAN9
   network 192.168.9.0 255.255.255.0
   default-router 192.168.9.1 
interface Vlan9
 ip address 192.168.9.1 255.255.255.0
!
interface GigabitEthernet1/0/1
 description WLC1 Po1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 9-18,23,111,113
 switchport mode trunk
 switchport nonegotiate
 mls qos trust cos
 spanning-tree portfast trunk

Now you can define the “guest-9” WLAN and map the vlan9 interface onto it. Even though we are not using the GUI, remember that the General, Security, QoS and Advanced parameters have to be modified as per the requirements; the CLI commands below follow that order. Note that since we do not want to override the interface's DHCP server, we use 0.0.0.0 as the DHCP server address and only set DHCP address assignment to required. With that set the controller does not let a client onto the WLAN unless it obtains its address via DHCP, which is what keeps static-IP clients off this WLAN.

(WLC1) >config wlan create 9 guest-9 guest-9
(WLC1) >config wlan radio 9 802.11ag
(WLC1) >config wlan interface 9 vlan9 
(WLC1) >config wlan security wpa disable 9
(WLC1) >config wlan security web-passthrough enable 9
(WLC1) >config wlan security web-passthrough email-input enable 9
(WLC1) >config wlan qos 9 bronze
(WLC1) >config wlan wmm disable 9
(WLC1) >config wlan chd 9 disable
(WLC1) >config wlan dhcp_server 9 0.0.0.0 required
(WLC1) >config wlan enable 9

Now you can copy this configuration to WLC2 and WLC3 without the line “config wlan interface 9 vlan9”. By default a newly created WLAN maps to the management interface. Here is the config on WLC3 as an example; do the same on WLC2 as well.

(WLC3) >config wlan create 9 guest-9 guest-9
(WLC3) >config wlan radio 9 802.11ag
(WLC3) >config wlan security wpa disable 9
(WLC3) >config wlan security web-passthrough enable 9
(WLC3) >config wlan security web-passthrough email-input enable 9
(WLC3) >config wlan qos 9 bronze
(WLC3) >config wlan wmm disable 9
(WLC3) >config wlan chd 9 disable
(WLC3) >config wlan dhcp_server 9 0.0.0.0 required
DHCP server override is applicable only to the default AP group.
(WLC3) >config wlan enable 9

The final configuration step is creating the auto anchor mobility tunnels. First you have to configure the mobility group name on each controller and then add members to its mobility list. In this example I have used DMZ, HQ and BR as the mobility group names of WLC1, WLC2 and WLC3, and the multicast group addresses 239.11.11.11, 239.22.22.22 and 239.33.33.33 for local group member mobility communication on WLC1, WLC2 and WLC3. I also used multicast group address 239.12.12.12 for WLC1-WLC2 mobility communication and 239.13.13.13 for WLC1-WLC3 mobility communication. Note that WLC2 and WLC3 only need WLC1 in their lists: a mobility tunnel only comes up when both peers list each other with the exact MAC address, IP and group name (the group name is case-sensitive), and in this hub-and-spoke design only the anchor talks to each foreign controller.

WLC1
config mobility group domain DMZ
config mobility multicast-mode enable 239.11.11.11
config mobility group multicast-address DMZ 239.11.11.11 
config mobility group multicast-address HQ 239.12.12.12 
config mobility group multicast-address BR 239.13.13.13  
config mobility group member add 00:0b:85:40:a1:c0 10.10.112.10 HQ 
config mobility group member add 00:1b:d5:cf:e6:00 10.10.120.140 BR 

WLC2
config mobility group domain HQ
config mobility multicast-mode enable 239.22.22.22 
config mobility group multicast-address HQ 239.22.22.22 
config mobility group multicast-address DMZ 239.12.12.12 
config mobility group member add 00:0b:85:43:d8:60 10.10.111.10 DMZ

WLC3 
config mobility group domain BR 
config mobility multicast-mode enable 239.33.33.33 
config mobility group multicast-address BR 239.33.33.33 
config mobility group multicast-address DMZ 239.13.13.13
config mobility group member add 00:0b:85:43:d8:60 10.10.111.10 DMZ 

Once you have configured mobility as above you should see the mobility status Up between the controllers. Here is the output on WLC1.

(WLC1) >show mobility summary 
Symmetric Mobility Tunneling (current) .......... Enabled
Symmetric Mobility Tunneling (after reboot) ..... Enabled
Mobility Protocol Port........................... 16666
Default Mobility Domain.......................... DMZ
Multicast Mode .................................. Enabled
Mobility Domain ID for 802.11r................... 0x43cd
Mobility Keepalive Interval...................... 10
Mobility Keepalive Count......................... 3
Mobility Group Members Configured................ 3
Mobility Control Message DSCP Value.............. 0

Controllers configured in the Mobility Group
 MAC Address        IP Address       Group Name                        Multicast IP     Status
 00:0b:85:40:a1:c0  10.10.112.10     HQ                                239.12.12.12     Up
 00:0b:85:43:d8:60  10.10.111.10     DMZ                               239.11.11.11     Up
 00:1b:d5:cf:e6:00  10.10.120.140    BR                                239.13.13.13     Up
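Before relying on the Status column above it is worth checking the three member lists against each other, since a member only comes Up when both peers list each other with the exact MAC, IP and group name. The following Python script is an added example, not part of the original post or of the WLC software: it parses the “config mobility group domain” and “config mobility group member add” lines shown above for each controller, takes each controller's own MAC and IP from the show output, and reports any non-reciprocal or mismatched entries (a group name that differs only in case gets its own finding, because mobility group names are case-sensitive). The controller labels and the load_controller / check_mobility_lists / page_controllers helper names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

DOMAIN_RE = re.compile(r"^\s*config mobility group domain\s+(?P<group>\S+)\s*$", re.I)
MEMBER_RE = re.compile(
    r"^\s*config mobility group member add\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<ip>\d+(?:\.\d+){3})\s+(?P<group>\S+)\s*$",
    re.I)


@dataclass(frozen=True)
class Member:
    mac: str
    ip: str
    group: str


@dataclass
class Controller:
    name: str
    mac: str                  # own MAC address (from show mobility summary / the peers' lists)
    ip: str                   # own management IP
    group: str = ""           # from "config mobility group domain"
    members: Dict[str, Member] = field(default_factory=dict)   # keyed by member IP


def load_controller(name: str, mac: str, ip: str, config_text: str) -> Controller:
    """Build a Controller from its own identity plus its mobility config lines."""
    ctl = Controller(name, mac.lower(), ip)
    for line in config_text.splitlines():
        d = DOMAIN_RE.match(line)
        if d:
            ctl.group = d.group("group")
            continue
        m = MEMBER_RE.match(line)
        if m:
            ctl.members[m.group("ip")] = Member(m.group("mac").lower(), m.group("ip"), m.group("group"))
    return ctl


def check_mobility_lists(controllers: List[Controller]) -> List[str]:
    """Return one finding per inconsistency; an empty list means the lists agree."""
    findings: List[str] = []
    by_ip = {c.ip: c for c in controllers}
    for c in controllers:
        if not c.group:
            findings.append(f"{c.name}: no 'config mobility group domain' line")
        for ip, entry in c.members.items():
            peer = by_ip.get(ip)
            if peer is None:
                findings.append(f"{c.name}: member {ip} is not one of the controllers being checked")
                continue
            if entry.mac != peer.mac:
                findings.append(f"{c.name}: entry for {peer.name} has MAC {entry.mac}, "
                                f"but {peer.name} is {peer.mac}")
            if entry.group != peer.group:
                kind = "case mismatch" if entry.group.lower() == peer.group.lower() else "name mismatch"
                findings.append(f"{c.name}: entry for {peer.name} says group '{entry.group}' but "
                                f"{peer.name} is in '{peer.group}' ({kind}; group names are case-sensitive)")
            if c.ip not in peer.members:
                findings.append(f"{peer.name}: does not list {c.name} ({c.ip}), "
                                f"so the {c.name}-{peer.name} tunnel cannot come up")
    return findings


def page_controllers() -> List[Controller]:
    """The three controllers exactly as configured above; own MAC/IP come from the show output."""
    wlc1 = load_controller("WLC1", "00:0b:85:43:d8:60", "10.10.111.10", """
        config mobility group domain DMZ
        config mobility group member add 00:0b:85:40:a1:c0 10.10.112.10 HQ
        config mobility group member add 00:1b:d5:cf:e6:00 10.10.120.140 BR
    """)
    wlc2 = load_controller("WLC2", "00:0b:85:40:a1:c0", "10.10.112.10", """
        config mobility group domain HQ
        config mobility group member add 00:0b:85:43:d8:60 10.10.111.10 DMZ
    """)
    wlc3 = load_controller("WLC3", "00:1b:d5:cf:e6:00", "10.10.120.140", """
        config mobility group domain BR
        config mobility group member add 00:0b:85:43:d8:60 10.10.111.10 DMZ
    """)
    return [wlc1, wlc2, wlc3]


if __name__ == "__main__":
    problems = check_mobility_lists(page_controllers())
    print("\n".join(problems) if problems else "mobility lists are consistent")
```

Run against the page's configuration it prints that the lists are consistent; paste in a member line with a mistyped MAC or a lower-case group name and the corresponding finding names the controller and peer to fix.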

Now you can configure auto anchor mobility for the guest-9 WLAN as follows. You have to disable the WLAN prior to configuring the mobility anchor. On the anchor controller (WLC1) you anchor the WLAN to itself, and on WLC2 and WLC3 you anchor it to WLC1's IP.

(WLC1) >config wlan disable 9
(WLC1) >config wlan mobility anchor ?                 
add            Add/Change a Mobility anchor to a WLAN.
delete         Delete a Mobility anchor from a WLAN.

(WLC1) >config wlan mobility anchor add ?              
<WLAN Id>      WLAN identifier between 1 and 512.

(WLC1) >config wlan mobility anchor add 9 ?               
<IP addr>      Member switch IP address to anchor WLAN

(WLC1) >config wlan mobility anchor add 9 10.10.111.10
(WLC1) >config wlan enable 9

(WLC2) >config wlan disable 9
(WLC2) >config wlan mobility anchor add 9 10.10.111.10
(WLC2) >config wlan enable 9

(WLC3) >config wlan disable 9
(WLC3) >config wlan mobility anchor add 9 10.10.111.10
(WLC3) >config wlan enable 9

You can test the wireless guest service from each controller. Let’s check the branch end first. You can either disable the guest-9 WLAN on WLC2 or shut down the switchport LAP2 is connected to. Ensure LAP1 is registered to WLC3.

(WLC3) >show ap summary 
Number of APs.................................... 1
Global AP User Name.............................. Not Configured
Global AP Dot1x User Name........................ Not Configured

AP Name             Slots  AP Model              Ethernet MAC       Location          Port  Country  Priority
------------------  -----  --------------------  -----------------  ----------------  ----  -------  ------
LAP1                 2     AIR-CAP3502I-N-K9     cc:ef:48:8c:fd:41          CAT4-F03  1        AU       1

Once you connect to this WLAN and open a browser page, it should prompt you to enter your email address. Once login is successful you should be able to see the client detail on your anchor controller (WLC1). Keep in mind that web passthrough with email input does not verify anything: whatever address is typed is simply recorded as the Client Username shown below, so treat it as an audit hint rather than an identity.

(WLC1) >show client summary 
Number of Clients................................ 1
MAC Address       AP Name           Status        WLAN/GLAN      Auth Protocol         Port Wired
----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
04:f7:e4:ea:5b:66 10.10.120.140     Associated    9              Yes  Mobile           1    No

(WLC1) >show client detail 04:f7:e4:ea:5b:66
Client MAC Address............................... 04:f7:e4:ea:5b:66
Client Username ................................. mrncciew@gmail.com
AP MAC Address................................... 00:00:00:00:00:00
AP Name.......................................... N/A               
Client State..................................... Associated     
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 9  
BSSID............................................ 00:00:00:00:00:ff  
Connected For ................................... 102 secs
Channel.......................................... N/A
IP Address....................................... 192.168.9.103
Association Id................................... 0  
Authentication Algorithm......................... Open System
Reason Code...................................... 1  
Status Code...................................... 0  
Session Timeout.................................. 0  
Client CCX version............................... No CCX support
Mirroring........................................ Disabled
QoS Level........................................ Bronze
802.1P Priority Tag.............................. 1
WMM Support...................................... Disabled
Supported Rates.................................. 
Mobility State................................... Export Anchor
Mobility Foreign IP Address...................... 10.10.120.140
Mobility Move Count.............................. 1
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
ACL Name......................................... none
ACL Applied Status............................... Unavailable
NPU Fast Fast Notified........................... Yes
Policy Type...................................... N/A
Encryption Cipher................................ None
Management Frame Protection...................... No
EAP Type......................................... Unknown
Interface........................................ vlan9
VLAN............................................. 9

To check the HQ end, disable guest-9 on WLC3 (or bring LAP2 back up) and connect again; this time the client is anchored from WLC2.

(WLC3) >config wlan disable 9
!
(WLC2) >show ap summary 
Number of APs.................................... 1
Global AP User Name.............................. Not Configured
Global AP Dot1x User Name........................ Not Configured
AP Name             Slots  AP Model              Ethernet MAC       Location          Port  Country  Priority
------------------  -----  --------------------  -----------------  ----------------  ----  -------  ------
LAP2                 2     AIR-CAP3502I-N-K9     70:81:05:03:7c:ef        CAT2-Fa102  LAG      AU       1
!
(WLC1) >show client summary 
Number of Clients................................ 1
MAC Address       AP Name           Status        WLAN/GLAN      Auth Protocol         Port Wired
----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
04:f7:e4:ea:5b:66 10.10.112.10      Associated    9              Yes  Mobile           1    No

(WLC1) >show client detail 04:f7:e4:ea:5b:66
Client MAC Address............................... 04:f7:e4:ea:5b:66
Client Username ................................. rasika.nayanajith@yahoo.com
AP MAC Address................................... 00:00:00:00:00:00
AP Name.......................................... N/A               
Client State..................................... Associated     
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 9  
BSSID............................................ 00:00:00:00:00:ff  
Connected For ................................... 62 secs
Channel.......................................... N/A
IP Address....................................... 192.168.9.103
Association Id................................... 0  
Authentication Algorithm......................... Open System
Reason Code...................................... 1  
Status Code...................................... 0  
Session Timeout.................................. 0  
Client CCX version............................... No CCX support
Mirroring........................................ Disabled
QoS Level........................................ Bronze
802.1P Priority Tag.............................. 1
WMM Support...................................... Disabled
Supported Rates.................................. 
Mobility State................................... Export Anchor
Mobility Foreign IP Address...................... 10.10.112.10
Mobility Move Count.............................. 1
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
ACL Name......................................... none
ACL Applied Status............................... Unavailable
NPU Fast Fast Notified........................... Yes
Policy Type...................................... N/A
Encryption Cipher................................ None
Management Frame Protection...................... No
EAP Type......................................... Unknown
Interface........................................ vlan9
VLAN............................................. 9
Quarantine VLAN.................................. 0
Access VLAN...................................... 9

If you run “debug mobility handoff enable” on WLC1 you can verify the client state changes and the mobility exchange between the foreign and anchor controllers.

(WLC1) >debug mobility handoff enable 
(WLC1) >*mmListen: May 19 09:27:07.097: 00:22:fa:94:68:58 Mobility packet received from:
*mmListen: May 19 09:27:07.097: 00:22:fa:94:68:58   10.10.120.140, port 16666
*mmListen: May 19 09:27:07.097: 00:22:fa:94:68:58   type: 3(MobileAnnounce)  subtype: 0  version: 1  xid: 20  seq: 2167  len 116 flags 0
*mmListen: May 19 09:27:07.097: 00:22:fa:94:68:58   group id: d8475d5f c64367e3 4d21c8d6 ef580f61
*mmListen: May 19 09:27:07.097: 00:22:fa:94:68:58   mobile MAC: 00:22:fa:94:68:58, IP: 0.0.0.0, instance: 0
*mmListen: May 19 09:27:07.097: 00:22:fa:94:68:58   VLAN IP: 10.10.120.140, netmask: 255.255.255.192
*mmListen: May 19 09:27:07.097: Switch IP: 10.10.120.140 
*mmListen: May 19 09:27:07.098: Vlan List payload not found, ignoring ...
*mmListen: May 19 09:27:07.098: IP Address don't compare for client 00:22:fa:94:68:58 is 0
*mmListen: May 19 09:27:07.098: 00:22:fa:94:68:58 Ignoring Announce, client record for not found
*mmListen: May 19 09:27:08.097: 00:22:fa:94:68:58 Mobility packet received from:
*mmListen: May 19 09:27:08.097: 00:22:fa:94:68:58   10.10.120.140, port 16666
*mmListen: May 19 09:27:08.097: 00:22:fa:94:68:58   type: 16(MobileAnchorExport)  subtype: 0  version: 1  xid: 21  seq: 2168  len 241 flags 0
*mmListen: May 19 09:27:08.097: 00:22:fa:94:68:58   group id: d8475d5f c64367e3 4d21c8d6 ef580f61
*mmListen: May 19 09:27:08.097: 00:22:fa:94:68:58   mobile MAC: 00:22:fa:94:68:58, IP: 0.0.0.0, instance: 0
*mmListen: May 19 09:27:08.097: 00:22:fa:94:68:58   VLAN IP: 10.10.120.140, netmask: 255.255.255.192
*mmListen: May 19 09:27:08.097: Switch IP: 10.10.120.140 
*mmListen: May 19 09:27:08.097: 00:22:fa:94:68:58 Received Anchor Export request: from Switch IP: 10.10.120.140
*mmListen: May 19 09:27:08.097: 00:22:fa:94:68:58 mmAnchorExportRcv:, Mobility role is Unassoc
*mmListen: May 19 09:27:08.097: 00:22:fa:94:68:58 mmAnchorExportRcv  Ssid=guest-9 Security Policy=0x3040
*mmListen: May 19 09:27:08.097: 00:22:fa:94:68:58 mmAnchorExportRcv  vapId= 9, Ssid=guest-9 AnchorLocal=0x0
*mmListen: May 19 09:27:08.097: 00:22:fa:94:68:58 0.0.0.0 START (0) mobility role update request from Unassociated to Export Anchor
  Peer = 0.0.0.0, Old Anchor = 0.0.0.0, New Anchor = 10.10.111.10
*mmListen: May 19 09:27:08.098: 00:22:fa:94:68:58 Received Anchor Export policy update, valid mask 0x0:
  Qos Level: 3, DSCP: 0, dot1p: 1  Interface Name: , ACL Name: 
*mmListen: May 19 09:27:08.098: Anchor Mac : 00.0b.85.43.d8.60
*mmListen: May 19 09:27:08.098: 00:22:fa:94:68:58 Mobility packet sent to:
*mmListen: May 19 09:27:08.098: 00:22:fa:94:68:58   10.10.120.140, port 16666
*mmListen: May 19 09:27:08.098: 00:22:fa:94:68:58   type: 17(MobileAnchorExportAck)  subtype: 0  version: 1  xid: 21  seq: 571  len 275 flags 0
*mmListen: May 19 09:27:08.098: 00:22:fa:94:68:58   group id: fe2f34f3 9b7a7cea 68f48181 316db999
*mmListen: May 19 09:27:08.098: 00:22:fa:94:68:58   mobile MAC: 00:22:fa:94:68:58, IP: 0.0.0.0, instance: 1
*mmListen: May 19 09:27:08.098: 00:22:fa:94:68:58   VLAN IP: 192.168.9.10, netmask: 255.255.255.0
*mmListen: May 19 09:27:08.098: 00:22:fa:94:68:58 0.0.0.0 DHCP_REQD (7) Plumbing duplex mobility tunnel to 10.10.120.140
    as Export Anchor (VLAN 9)
*DHCP Proxy DTL Recv Task: May 19 09:27:16.084: 00:22:fa:94:68:58 192.168.9.100 WEBAUTH_REQD (8) Plumbing duplex mobility tunnel to 10.10.120.140
    as Export Anchor (VLAN 9)
*emWeb: May 19 09:27:39.269: 00:22:fa:94:68:58 192.168.9.100 RUN (20) Plumbing duplex mobility tunnel to 10.10.120.140
    as Export Anchor (VLAN 9)
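The debug output above is easier to read as a timeline: which mobility messages arrived from or went to the foreign controller, and how the client moved through the policy manager states on the anchor. The Python parser below is an added example, not from the original post or from Cisco, that extracts exactly that. The sample text is a trimmed copy of the page's debug output, the message type numbers (3 MobileAnnounce, 16 MobileAnchorExport, 17 MobileAnchorExportAck) are taken from it, and the parse_mobility_debug / anchor_export_acked names are mine.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: a trimmed copy of the page's "debug mobility handoff enable" output
# on the anchor WLC1; the foreign controller is WLC3 at 10.10.120.140.
SAMPLE_DEBUG = """\
*mmListen: May 19 09:27:07.097: 00:22:fa:94:68:58 Mobility packet received from:
*mmListen: May 19 09:27:07.097: 00:22:fa:94:68:58   10.10.120.140, port 16666
*mmListen: May 19 09:27:07.097: 00:22:fa:94:68:58   type: 3(MobileAnnounce)  subtype: 0  version: 1  xid: 20  seq: 2167  len 116 flags 0
*mmListen: May 19 09:27:07.098: 00:22:fa:94:68:58 Ignoring Announce, client record for not found
*mmListen: May 19 09:27:08.097: 00:22:fa:94:68:58 Mobility packet received from:
*mmListen: May 19 09:27:08.097: 00:22:fa:94:68:58   10.10.120.140, port 16666
*mmListen: May 19 09:27:08.097: 00:22:fa:94:68:58   type: 16(MobileAnchorExport)  subtype: 0  version: 1  xid: 21  seq: 2168  len 241 flags 0
*mmListen: May 19 09:27:08.097: 00:22:fa:94:68:58 0.0.0.0 START (0) mobility role update request from Unassociated to Export Anchor
  Peer = 0.0.0.0, Old Anchor = 0.0.0.0, New Anchor = 10.10.111.10
*mmListen: May 19 09:27:08.098: 00:22:fa:94:68:58 Mobility packet sent to:
*mmListen: May 19 09:27:08.098: 00:22:fa:94:68:58   10.10.120.140, port 16666
*mmListen: May 19 09:27:08.098: 00:22:fa:94:68:58   type: 17(MobileAnchorExportAck)  subtype: 0  version: 1  xid: 21  seq: 571  len 275 flags 0
*mmListen: May 19 09:27:08.098: 00:22:fa:94:68:58 0.0.0.0 DHCP_REQD (7) Plumbing duplex mobility tunnel to 10.10.120.140
*DHCP Proxy DTL Recv Task: May 19 09:27:16.084: 00:22:fa:94:68:58 192.168.9.100 WEBAUTH_REQD (8) Plumbing duplex mobility tunnel to 10.10.120.140
*emWeb: May 19 09:27:39.269: 00:22:fa:94:68:58 192.168.9.100 RUN (20) Plumbing duplex mobility tunnel to 10.10.120.140
"""

# "<task>: <timestamp>: <client MAC> <message>", optionally preceded by the "(WLC1) >" prompt
LINE_RE = re.compile(r"^(?:\(\S+\) >)?\*[^:]+: (?P<ts>[A-Z][a-z]{2} +\d+ [\d:.]+): "
                     r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<msg>.*)$")
PEER_RE = re.compile(r"^(?P<ip>\d+(?:\.\d+){3}), port \d+$")
TYPE_RE = re.compile(r"^type: (?P<num>\d+)\((?P<name>\w+)\)\s+subtype: \d+\s+version: \d+\s+xid: (?P<xid>\d+)")
STATE_RE = re.compile(r"^(?P<ip>\d+(?:\.\d+){3}) (?P<state>[A-Z_]+) \(\d+\) (?P<text>.*)$")
ROLE_RE = re.compile(r"mobility role update request from (?P<old>.+?) to (?P<new>.+)$")

@dataclass
class MobilityMessage:
    ts: str
    client: str
    direction: str      # "rx" = received from peer, "tx" = sent to peer
    peer: str
    msg_type: int
    name: str
    xid: int

@dataclass
class StateEvent:
    client: str
    client_ip: str
    state: str          # policy manager state: START, DHCP_REQD, WEBAUTH_REQD, RUN, ...
    old_role: Optional[str] = None
    new_role: Optional[str] = None

@dataclass
class HandoffTrace:
    messages: List[MobilityMessage] = field(default_factory=list)
    states: List[StateEvent] = field(default_factory=list)

    def state_path(self, client: str) -> List[str]:
        return [e.state for e in self.states if e.client == client]

    def role_changes(self, client: str) -> List[Tuple[str, str]]:
        return [(e.old_role, e.new_role) for e in self.states
                if e.client == client and e.new_role is not None]

def parse_mobility_debug(text: str) -> HandoffTrace:
    trace = HandoffTrace()
    pending = None   # packet header whose "type:" line has not been seen yet
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:        # continuation lines ("Peer = ...") carry nothing we need here
            continue
        ts, mac, msg = m.group("ts"), m.group("mac"), m.group("msg")
        if msg in ("Mobility packet received from:", "Mobility packet sent to:"):
            pending = {"direction": "rx" if "received" in msg else "tx", "ts": ts, "client": mac, "peer": None}
            continue
        p = PEER_RE.match(msg)
        if p and pending is not None:
            pending["peer"] = p.group("ip")
            continue
        t = TYPE_RE.match(msg)
        if t and pending is not None and pending["peer"]:
            trace.messages.append(MobilityMessage(pending["ts"], pending["client"], pending["direction"],
                                                  pending["peer"], int(t.group("num")), t.group("name"),
                                                  int(t.group("xid"))))
            pending = None
            continue
        s = STATE_RE.match(msg)
        if s:
            ev = StateEvent(mac, s.group("ip"), s.group("state"))
            r = ROLE_RE.search(s.group("text"))
            if r:
                ev.old_role, ev.new_role = r.group("old"), r.group("new")
            trace.states.append(ev)
    return trace

def anchor_export_acked(trace: HandoffTrace, client: str) -> bool:
    """True when every MobileAnchorExport (16) received for the client got a MobileAnchorExportAck (17)
    with the same xid, i.e. the anchor accepted the export."""
    requests = {m.xid for m in trace.messages if m.client == client and m.direction == "rx" and m.msg_type == 16}
    acks = {m.xid for m in trace.messages if m.client == client and m.direction == "tx" and m.msg_type == 17}
    return bool(requests) and requests <= acks
```

Feed it the raw debug text (parse_mobility_debug(open("debug.txt").read())) and check state_path for a client: a client that never reaches RUN, or an export with no Ack carrying the same xid, points at the foreign-to-anchor leg rather than at the client.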

Finally you can configure foreign mapping for this WLAN, so that guests get a 192.168.8.x/24 address when connecting from the branch and a 192.168.9.x/24 address when connecting via head quarters.

So we will create the vlan8 interface on WLC1 and allow vlan8 on CAT2 g1/0/1, the trunk WLC1 is connected to.

(WLC1) >config interface create vlan8 8
(WLC1) >config interface address dynamic-interface vlan8 192.168.8.10 255.255.255.0 192.168.8.1
(WLC1) >config interface dhcp dynamic-interface vlan8 primary 192.168.8.1
(WLC1) >config interface port vlan8 1
!
CAT2(config)#vlan 8
CAT2(config-vlan)#exit
CAT2(config)#int vlan 8
CAT2(config-if)#ip add 192.168.8.1 255.255.255.0
CAT2(config-if)#int g1/0/1
CAT2(config-if)#sw tr al vl add 8
CAT2(config)#ip dhcp excluded-address 192.168.8.1 192.168.8.100
CAT2(config)#ip dhcp pool VLAN8
CAT2(dhcp-config)#default-router 192.168.8.1
CAT2(dhcp-config)#netw 192.168.8.0 /24
CAT2(dhcp-config)# domain-name mrn.com
CAT2(dhcp-config)# dns-server 192.168.200.1

Now on WLC1 you can configure the foreign mapping for the guest-9 WLAN using the foreign controllers' MAC addresses as shown below. Guest traffic arriving from WLC3 (00:1b:d5:cf:e6:00) gets a 192.168.8.0/24 address and traffic from WLC2 (00:0b:85:40:a1:c0) stays in the 192.168.9.0/24 range.

(WLC1) >config wlan disable 9
(WLC1) >config wlan mobility foreign-map add 9 00:1b:d5:cf:e6:00 vlan8
(WLC1) >config wlan mobility foreign-map add 9 00:0b:85:40:a1:c0 vlan9
(WLC1) >config wlan enable 9

Here is the verification when a guest user connects via WLC2.

(WLC1) >show client detail 04:f7:e4:ea:5b:66
Client MAC Address............................... 04:f7:e4:ea:5b:66
Client Username ................................. mrncciew@gmail.com
AP MAC Address................................... 00:00:00:00:00:00
AP Name.......................................... N/A               
Client State..................................... Associated     
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 9  
BSSID............................................ 00:00:00:00:00:ff  
Connected For ................................... 56 secs
Channel.......................................... N/A
IP Address....................................... 192.168.9.103
Association Id................................... 0  
Authentication Algorithm......................... Open System
Reason Code...................................... 1  
Status Code...................................... 0  
Session Timeout.................................. 0  
Client CCX version............................... No CCX support
Mirroring........................................ Disabled
QoS Level........................................ Bronze
802.1P Priority Tag.............................. 1
WMM Support...................................... Disabled
Supported Rates.................................. 
Mobility State................................... Export Anchor
Mobility Foreign IP Address...................... 10.10.112.10

Here is the same output when the guest user connects via WLC3. You can see the client gets a 192.168.8.x/24 address this time.

(WLC1) >show client detail 04:f7:e4:ea:5b:66
Client MAC Address............................... 04:f7:e4:ea:5b:66
Client Username ................................. mrncciew@gmail.com
AP MAC Address................................... 00:00:00:00:00:00
AP Name.......................................... N/A               
Client State..................................... Associated     
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 9  
BSSID............................................ 00:00:00:00:00:ff  
Connected For ................................... 40 secs
Channel.......................................... N/A
IP Address....................................... 192.168.8.101
Association Id................................... 0  
Authentication Algorithm......................... Open System
Reason Code...................................... 1  
Status Code...................................... 0  
Session Timeout.................................. 0  
Client CCX version............................... No CCX support
Mirroring........................................ Disabled
QoS Level........................................ Bronze
802.1P Priority Tag.............................. 1
WMM Support...................................... Disabled
Supported Rates.................................. 
Mobility State................................... Export Anchor
Mobility Foreign IP Address...................... 10.10.120.140
Mobility Move Count.............................. 1
Security Policy Completed........................ Yes
Policy Manager State............................. RUN

That’s all for the wireless guest WLAN configuration tasks via CLI. If you understand and remember the steps you are pretty safe even if your WLC GUI is very slow during the exam.

We will see a wired guest wlan configuration via CLI in a future post.

Related Posts

1. Configuring WLAN via CLI – Part 1
2. Configuring WLAN via CLI – Part 2
3. Configuring WLAN via CLI – Part 3
4. Configuring WLAN via CLI – Part 4
5. Configuring WLAN via CLI – Part 5
6. Mobility Config via CLI

 


AAA Override with ACS5.2


In this post we will see how to use the “AAA override” feature of a WLAN, combined with RADIUS server configuration, to override settings assigned by the WLAN. You can change the VLAN, the QoS profile with its 802.1p value, the ACL, etc. using this.

AAA-Over-01

We will create a WLAN called “data-7” on WLC2 with WPA2/AES authentication and encryption and map it onto the management interface. Once a user is authenticated via ACS, AAA override should move this user to vlan7 (192.168.7.x/24) and to the Gold QoS profile with an 802.1p value of 5.

I have used the CLI to define the WLAN; if you prefer the GUI you can follow that method as well. First you need to create the interface on WLC2 and allow its VLAN on the trunk to the switch port WLC2 is connected to.

(WLC2) >config interface create vlan7 7
(WLC2) >config interface address dynamic-interface vlan7 192.168.7.15 255.255.255.0 192.168.7.1
(WLC2) >config interface dhcp dynamic-interface vlan7 primary 192.168.7.1
!
CAT3
interface Port-channel1
 switchport trunk native vlan 999
 switchport trunk allowed vlan 7-18,112
 switchport mode trunk
 switchport nonegotiate
!
CAT2
interface Vlan7
 ip address 192.168.7.1 255.255.255.0
ip dhcp excluded-address 192.168.7.1 192.168.7.100
ip dhcp pool VLAN7
   network 192.168.7.0 255.255.255.0
   default-router 192.168.7.1 
   domain-name mrn.com
   dns-server 192.168.200.1

Then you can define the WLAN on WLC2 with the AAA override feature enabled. Keep in mind that by default the layer 2 security is WPA2/AES with 802.1X key management, so you do not need to configure any additional security settings. You add the RADIUS server under the WLAN's Security -> AAA Servers section (the radius_server line below; index 1 is the RADIUS server already defined on the controller).

(WLC2) >config wlan create 7 data-7 data-7
(WLC2) >config wlan aaa-override enable 7
(WLC2) >config wlan radius_server auth add 7 1
(WLC2) >config wlan enable 7

Now we can configure ACS for AAA override. I will not show how to configure the WLC for RADIUS and assume ACS is already configured to peer with the WLC. If you are not sure, see one of my previous posts, “Configuring WLC for RADIUS”.

Once you do that you will see WLC2 in ACS as below.
AAA-Over-03

I have configured a user called “user1” with password “user1” on ACS.
AAA-Over-02

Then under “Policy Elements -> Authorization and Permissions -> Network Access” you have to configure an “Authorization Profile” specifying the VLAN you want assigned to the user. You can use the Common Attribute VLAN setting to configure this without going through the RADIUS attributes one by one.

AAA-Over-04

Once you configure it you can verify the RADIUS attributes selected for the VLAN assignment; you should see output similar to the below. The VLAN setting expands to the three IETF tunnel attributes the WLC requires for dynamic VLAN assignment: Tunnel-Type (64) = VLAN, Tunnel-Medium-Type (65) = 802 and Tunnel-Private-Group-ID (81) = the VLAN ID. All three must be present in the Access-Accept for the override to take effect.

AAA-Over-05

Then in “Access Policies” you need the correct identity policy and authorization policy for this.

AAA-Over-06

Here is my basic authorization policy, which results in the “guest-8” authorization profile we created earlier.

AAA-Over-07

Now it is ready to test client connectivity. Once the client has associated and authenticated you see the client's IP is 192.168.7.x even though the WLAN is mapped to the management interface in 10.10.112.x.

(WLC2) >show client summary  
Number of Clients................................ 1
MAC Address       AP Name           Status        WLAN/GLAN      Auth Protocol         Port Wired
----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
04:f7:e4:ea:5b:66 LAP2              Associated    7              Yes  802.11n(5 GHz)   29   No

(WLC2) >show client detail 04:f7:e4:ea:5b:66
Client MAC Address............................... 04:f7:e4:ea:5b:66
Client Username ................................. user1
AP MAC Address................................... a0:cf:5b:9e:e8:20
AP Name.......................................... LAP2              
Client State..................................... Associated     
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 7  
BSSID............................................ a0:cf:5b:9e:e8:29  
Connected For ................................... 27 secs
Channel.......................................... 149
IP Address....................................... 192.168.7.101
Association Id................................... 1  
Authentication Algorithm......................... Open System
Reason Code...................................... 1  
Status Code...................................... 0  
Client CCX version............................... No CCX support
Re-Authentication Timeout........................ 1789
Mirroring........................................ Disabled
QoS Level........................................ Silver
802.1P Priority Tag.............................. 3
WMM Support...................................... Enabled
Power Save....................................... OFF
Supported Rates.................................. 24.0,36.0,48.0,54.0
Mobility State................................... Local
Mobility Move Count.............................. 0
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
ACL Name......................................... none
ACL Applied Status............................... Unavailable
NPU Fast Fast Notified........................... Yes
Policy Type...................................... WPA2
Authentication Key Management.................... 802.1x
Encryption Cipher................................ CCMP (AES)
Management Frame Protection...................... No
EAP Type......................................... PEAP
Interface........................................ vlan7
VLAN............................................. 7
Quarantine VLAN.................................. 0
Access VLAN...................................... 7

In ACS, under “Monitoring & Report -> Monitoring & Report Viewer -> AAA Protocol -> Radius Authentication”, you can verify the successful authentication as shown below.

AAA-Over-08

If you click the magnifying glass icon you can see the full details of the attributes sent in the request. These attributes can be used as conditions for custom policies on your ACS.

AAA-Over-09

Now we will see how to override the QoS profile using AAA override. For this you create another Authorization Profile under “Policy Elements”. This time go to RADIUS Attributes, select the “RADIUS-Cisco Airespace” dictionary type, and add the QoS level and the 802.1p tag as attributes.

AAA-Over-10

Once you configure these attributes it should look like this.

AAA-Over-11

Now you can choose this profile (AAA-QoS-Gold) in addition to AAA-VL7 as shown below. Based on the attributes seen in the detail page, I selected a compound condition that matches “data-7” in the Called-Station-Id, so that this AAA override behaviour applies only to the “data-7” SSID.

AAA-Over-12

This time when you authenticate, you should see the QoS profile is Gold and the 802.1p value is 5, even though the WLAN is configured for the Silver profile with an 802.1p value of 3.

(WLC2) >show client detail 04:f7:e4:ea:5b:66
Client MAC Address............................... 04:f7:e4:ea:5b:66
Client Username ................................. user1
AP MAC Address................................... a0:cf:5b:9e:e8:20
AP Name.......................................... LAP2              
Client State..................................... Associated     
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 7  
BSSID............................................ a0:cf:5b:9e:e8:29  
Connected For ................................... 7 secs
Channel.......................................... 149
IP Address....................................... 192.168.7.101
Association Id................................... 1  
Authentication Algorithm......................... Open System
Reason Code...................................... 1  
Status Code...................................... 0  
Client CCX version............................... No CCX support
Re-Authentication Timeout........................ 1771
Mirroring........................................ Disabled
QoS Level........................................ Gold
802.1P Priority Tag.............................. 5
WMM Support...................................... Enabled
Power Save....................................... ON
Current Rate..................................... m7
Supported Rates.................................. 24.0,36.0,48.0,54.0
Mobility State................................... Local
Mobility Move Count.............................. 0
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
ACL Name......................................... none
ACL Applied Status............................... Unavailable
NPU Fast Fast Notified........................... Yes
Policy Type...................................... WPA2
Authentication Key Management.................... 802.1x
Encryption Cipher................................ CCMP (AES)
Management Frame Protection...................... No
EAP Type......................................... PEAP
Interface........................................ vlan7
VLAN............................................. 7
Quarantine VLAN.................................. 0
Access VLAN...................................... 7

This is how you can use the “AAA Override” feature to dynamically assign the VLAN and QoS profile according to your custom requirements.
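To see what the ACS actually sends to the WLC when the AAA-QoS-Gold and AAA-VL7 profiles match, here is an added example (not from the original post, and not Cisco code) that packs and unpacks the Airespace vendor-specific attributes as they travel in the RADIUS Access-Accept: Airespace-QoS-Level, Airespace-802.1p-Tag and Airespace-Interface-Name under vendor ID 14179, wrapped in RFC 2865 attribute 26. The attribute numbers and the QoS level integers (0 Silver, 1 Gold, 2 Platinum, 3 Bronze) are taken from the Cisco Airespace RADIUS dictionary and should be checked against the dictionary loaded on your ACS; the interface name vlan7 and the values used are this example's assumptions. The decoder doubles as a check on what a packet capture of the Access-Accept shows.

```python
"""Encode and decode the Cisco Airespace RADIUS VSAs that drive WLC AAA override.

Added example, not part of the original post. The vendor ID, attribute numbers
and QoS-level integers follow the Cisco Airespace RADIUS dictionary (assumption:
verify against the dictionary on your own ACS). Values such as vlan7 are sample input.
"""
import struct

AIRESPACE_VENDOR_ID = 14179
RADIUS_VENDOR_SPECIFIC = 26          # RFC 2865 Vendor-Specific attribute type

# Airespace sub-attribute numbers
AIRESPACE_QOS_LEVEL = 2
AIRESPACE_8021P_TAG = 4
AIRESPACE_INTERFACE_NAME = 5

# Airespace-QoS-Level integer values (check against your ACS dictionary)
QOS_LEVELS = {"silver": 0, "gold": 1, "platinum": 2, "bronze": 3}
QOS_NAMES = {v: k for k, v in QOS_LEVELS.items()}


def _vsa(vendor_type: int, value: bytes) -> bytes:
    """One Vendor-Specific attribute: type 26, length, vendor ID, then a single sub-attribute."""
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", AIRESPACE_VENDOR_ID) + sub
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, 2 + len(body)) + body


def build_override_attributes(qos: str, dot1p: int, interface: str) -> bytes:
    """Attribute list for an Access-Accept that overrides QoS profile, 802.1p tag and interface."""
    if qos.lower() not in QOS_LEVELS:
        raise ValueError(f"unknown QoS profile {qos!r}")
    if not 0 <= dot1p <= 7:
        raise ValueError("802.1p tag must be 0..7")
    return (
        _vsa(AIRESPACE_QOS_LEVEL, struct.pack("!I", QOS_LEVELS[qos.lower()]))
        + _vsa(AIRESPACE_8021P_TAG, struct.pack("!I", dot1p))
        + _vsa(AIRESPACE_INTERFACE_NAME, interface.encode("ascii"))
    )


def decode_airespace(attrs: bytes) -> dict:
    """Walk a RADIUS attribute list and return the Airespace override values it carries.

    Non-Airespace attributes (User-Name, Class, ...) are skipped; malformed lengths raise.
    """
    result = {}
    pos = 0
    while pos < len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed RADIUS attribute length")
        data = attrs[pos + 2:pos + alen]
        pos += alen
        if atype != RADIUS_VENDOR_SPECIFIC or len(data) < 6:
            continue
        if struct.unpack("!I", data[:4])[0] != AIRESPACE_VENDOR_ID:
            continue
        sub, spos = data[4:], 0
        while spos + 2 <= len(sub):
            vtype, vlen = sub[spos], sub[spos + 1]
            if vlen < 2 or spos + vlen > len(sub):
                raise ValueError("malformed vendor sub-attribute length")
            vdata = sub[spos + 2:spos + vlen]
            spos += vlen
            if vtype == AIRESPACE_QOS_LEVEL:
                result["qos"] = QOS_NAMES[struct.unpack("!I", vdata)[0]]
            elif vtype == AIRESPACE_8021P_TAG:
                result["dot1p"] = struct.unpack("!I", vdata)[0]
            elif vtype == AIRESPACE_INTERFACE_NAME:
                result["interface"] = vdata.decode("ascii")
    return result


if __name__ == "__main__":
    wire = build_override_attributes("gold", 5, "vlan7")   # what AAA-QoS-Gold + AAA-VL7 deliver
    print(wire.hex())
    print(decode_airespace(wire))
```

These attributes travel in clear text inside the Access-Accept, integrity-protected only by the Response Authenticator keyed with the RADIUS shared secret, so the VLAN and QoS a client lands on are only as trustworthy as that secret and the path between the WLC and the ACS.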


Wired Guest Config via CLI


In this post we will see how to do a wired guest configuration via CLI. Here is the topology for this post.

WiredGuest-CLI-01

These are the steps you need to do:

1. Configure a wired guest VLAN (vlan 49) on 3750-d and trunk it to 4402-d (the foreign controller).
2. Configure a guest LAN on 4402-d with the management interface as egress and the guest VLAN (vlan 49) as ingress. This guest LAN should use Web Auth or Web Passthrough, like a normal wireless guest WLAN.
3. Configure the basic mobility configuration on the anchor and foreign controllers (mobility group name and the members of each group).
4. Configure auto-anchor for the guest-lan on the foreign controller.
5. Configure the dynamic interface (vlan19) on the anchor controller for wired guests. Ensure DHCP is configured on the L3 switch.
6. Configure the guest-lan on the anchor controller. The ingress interface should be “none” and the egress interface vlan19.
7. Configure auto-anchor for the guest-lan on the anchor controller.
8. Test wired guest connectivity.

First, on 3750-d we configure just the layer 2 vlan49 and add it to the trunk on Port-channel 40, which connects to 4402-d.

3750-d(config)#vlan 49
3750-d(config-vlan)#exit
!
3750-d(config)#int po40
3750-d(config-if)#sw tr al vl ad 49

Now on 4402-d we define the interface and the guest LAN. The configuration options for a guest-lan work in a similar way to a normal WLAN, but you use the “config guest-lan x” CLI commands instead of “config wlan x”. On a guest-lan you can only configure web-auth or web-passthrough as the security method. In this example I will use the web-passthrough option.

(4402-d) >config interface create vlan49 49
(4402-d) >config interface guest-lan ?               
<interface-name> Enter interface name.

(4402-d) >config interface guest-lan vlan49 ?               
enable         Enable Guest LAN vlan
disable        Disable Guest LAN vlan
(4402-d) >config interface guest-lan vlan49 enable

(4402-d) >config guest-lan ?                     
aaa-override   Configures user policy override via AAA on a Guest LAN.
acl            Specify a per-Guest-LAN ACL
create         Creates a WLAN.
custom-web     Configures the Web Authentication Page per Profile.
delete         Deletes a Guest LAN.
dhcp_server    Configures the Guest Lan's DHCP Server.
disable        Disables a Guest LAN.
enable         Enables a Guest LAN.
exclusion-timeout Configures Exclusion-list timeout.
exclusionlist  Configures Exclusion-list timeout.
ingress-interface Configures the Guest LAN's ingress interface.
interface      Configures the Guest LAN's interface.
ldap           Configures the Guest LAN's LDAP servers.
max-associated-clients Configures maximum no. of client connections on wlan/guest-lan/remote-lan. 
mobility       Configures the Inter-Switch Mobility Manager
nac            Configures NAC on wlan/guest-lan/remote-lan.
qos            Configures Quality of Service policy.
radius_server  Configures the Guest LAN's RADIUS Servers.
roamed-voice-client Configure Voice Client Re-Anchor policy
security       Configures the security policy for a Guest LAN.
session-timeout Configures client timeout.
sip-cac        Configure SIP CAC Failure policy.
uapsd          Configures UAPSD.
webauth-exclude Enable/Disable WebAuth DHCP Server Exclusion
!
(4402-d) >config guest-lan create ?              
<guest-lan-id> Enter Guest LAN Identifier between 1 and 5.

(4402-d) >config guest-lan create 1 ?              
<name>         Enter Profile Name up to 32 alphanumeric characters.

(4402-d) >config guest-lan create 1 wired-guest 

(4402-d) >config guest-lan ingress-interface ?               
<guest-lan-id> Enter Guest LAN Identifier between 1 and 5.

(4402-d) >config guest-lan ingress-interface 1 ?              
<interface-name/none> Enter the interface name upper case not supported.

(4402-d) >config guest-lan ingress-interface 1 vlan49

(4402-d) >config guest-lan security ?               
web-auth       Configures Web authentication.
web-passthrough Configures Web Captive Portal with no authentication required.

(4402-d) >config guest-lan security web-auth disable 1
WebAuth Successfully Disabled.

(4402-d) >config guest-lan security web-passthrough ?               
acl            Configures Access Control List.
disable        Disables Web Captive Portal with no authentication required.
email-input    Configures Web Captive Portal using email address.
enable         Enables Web Captive Portal with no authentication required.

(4402-d) >config guest-lan security web-passthrough enable 1                 

(4402-d) >config guest-lan security web-passthrough email-input ?               
enable         Enables Web Captive Portal using email address.
disable        Disables Web Captive Portal using email address.

(4402-d) >config guest-lan security web-passthrough email-input enable ?               
<guest-lan-id> Enter Guest LAN Identifier between 1 and 5.

(4402-d) >config guest-lan security web-passthrough email-input enable 1

Here are the advanced settings you can change on a “guest-lan”.

WiredGuest-CLI-02

If you check the WLC configuration you will see the following lines. Lines you did not enter, such as the management egress interface and the 60-second exclusion timeout, are defaults added by the WLC (they are highlighted in purple in the original post).

config interface create vlan49 49
config interface guest-lan vlan49 enable 
config interface vlan vlan49 49 

config guest-lan create 1 wired-guest
config guest-lan ingress-interface 1 vlan49 
config guest-lan interface 1 management 
config guest-lan security web-auth disable 1 
config guest-lan security web-passthrough email-input enable 1 
config guest-lan security web-passthrough enable 1 
config guest-lan exclusion-timeout 1 60
config guest-lan enable 1

Now we configure mobility on the two controllers. We add 4402-d to the “MO” mobility group and 4402-c to the “DMZ” mobility group, and use the unicast method for simplicity.

(4402-d) >config mobility group domain MO
(4402-d) >config mobility group member add 00:22:55:90:c9:60 192.168.10.33 DMZ

(4402-c) >config mobility group domain DMZ
(4402-c) >config mobility group member add 00:21:55:07:38:e0 192.168.40.44 MO

You can verify the mobility status with the “show mobility summary” command. The output should look like this.

(4402-d) >show mobility summary 
Symmetric Mobility Tunneling (current) .......... Enabled
Symmetric Mobility Tunneling (after reboot) ..... Enabled
Mobility Protocol Port........................... 16666
Default Mobility Domain.......................... MO
Multicast Mode .................................. Disabled
Mobility Domain ID for 802.11r................... 0xe0a3
Mobility Keepalive Interval...................... 10
Mobility Keepalive Count......................... 3
Mobility Group Members Configured................ 2
Mobility Control Message DSCP Value.............. 0

Controllers configured in the Mobility Group
 MAC Address        IP Address       Group Name                        Multicast IP     Status
 00:21:55:07:38:e0  192.168.40.44    MO                                0.0.0.0          Up
 00:22:55:90:c9:60  192.168.10.33    DMZ                               0.0.0.0          Up

Then configure 4402-c as the mobility anchor for this wired-guest LAN. The guest-lan has to be disabled while the anchor is added.

(4402-d) >config guest-lan disable 1
(4402-d) >config guest-lan mobility anchor add 1 192.168.10.33 
(4402-d) >config guest-lan enable 1

Now we configure 4402-c. First you have to create an interface from which wired guests get an IP address. We use vlan19 for this, with DHCP defined on 3750-b. Here is the relevant 3750-b configuration, followed by the interface configuration on the WLC.

3750-b
interface Vlan19
 ip address 192.168.19.1 255.255.255.0
!
ip dhcp excluded-address 192.168.19.1 192.168.19.100
!
ip dhcp pool VLAN19
   network 192.168.19.0 255.255.255.0
   default-router 192.168.19.1 
   domain-name mrn.com
!
interface Port-channel10
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10-20,100,200
 switchport mode trunk

(4402-c) >config interface create vlan19 19
(4402-c) >config interface address dynamic-interface vlan19 192.168.19.30 255.255.255.0 192.168.19.1
(4402-c) >config interface dhcp dynamic-interface vlan19 primary 192.168.19.1

Now define the guest-lan with the same settings you used on 4402-d, except that the egress interface should be vlan19 and the ingress interface “none”. Remember that you cannot enable this guest-lan until you configure the mobility anchor. You can copy and paste the previous config from 4402-d with the ingress and egress interfaces modified:

config guest-lan create 1 wired-guest
config guest-lan interface 1 vlan19 
config guest-lan ingress-interface 1 none
config guest-lan security web-auth disable 1 
config guest-lan security web-passthrough email-input enable 1 
config guest-lan security web-passthrough enable 1

Now before enabling this guest-lan you have to configure the mobility anchor.

(4402-c) >config guest-lan mobility anchor add 1 192.168.10.33
(4402-c) >config guest-lan enable 1

Now you are ready to test. Connect a wired PC to a vlan49 port on 3750-d; the device should get an IP address in the range 192.168.19.101-192.168.19.254.

Here is the “show client summary” and “show client detail <mac-addr>” output on 4402-c, where the wired guest terminates. This is the output before the user enters an email address in the browser:

(4402-c) >show client summary 
Number of Clients................................ 1
MAC Address       AP Name           Status        WLAN/GLAN      Auth Protocol         Port Wired
----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
00:26:b9:9f:c9:0b 192.168.40.44     Associated    1              No   802.3            29   Yes

(4402-c) >show  client detail 00:26:b9:9f:c9:0b
Client MAC Address............................... 00:26:b9:9f:c9:0b
Client Username ................................. N/A
Client State..................................... Associated     
Client NAC OOB State............................. Access
guest-lan........................................ 1  
IP Address....................................... 192.168.19.101
Session Timeout.................................. 0  
QoS Level........................................ Silver
Supported Rates.................................. 
Mobility State................................... Export Anchor
Mobility Foreign IP Address...................... 192.168.40.44
Security Policy Completed........................ No
Policy Manager State............................. WEBAUTH_REQD
Policy Manager Rule Created...................... Yes
ACL Name......................................... none
ACL Applied Status............................... Unavailable
NPU Fast Fast Notified........................... Yes
Interface........................................ vlan19
VLAN............................................. 19
Quarantine VLAN.................................. 0
Access VLAN...................................... 19

This is the output once the user enters the email address:

(4402-c) >show client summary 
Number of Clients................................ 1
MAC Address       AP Name           Status        WLAN/GLAN      Auth Protocol         Port Wired
----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
00:26:b9:9f:c9:0b 192.168.40.44     Associated    1              Yes  802.3            29   Yes

(4402-c) >show  client detail 00:26:b9:9f:c9:0b
Client MAC Address............................... 00:26:b9:9f:c9:0b
Client Username ................................. mrncciew@gmail.com
Client State..................................... Associated     
Client NAC OOB State............................. Access
guest-lan........................................ 1  
IP Address....................................... 192.168.19.101
Session Timeout.................................. 0  
QoS Level........................................ Silver
Supported Rates.................................. 
Mobility State................................... Export Anchor
Mobility Foreign IP Address...................... 192.168.40.44
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
ACL Name......................................... none
ACL Applied Status............................... Unavailable
NPU Fast Fast Notified........................... Yes
Interface........................................ vlan19
VLAN............................................. 19
Quarantine VLAN.................................. 0
Access VLAN...................................... 19

You can see the client is successfully authenticated and in the “RUN” state. Here is the output on 4402-d (the Export Foreign controller):

(4402-d) >show client summary 
Number of Clients................................ 1
MAC Address       AP Name           Status        WLAN/GLAN      Auth Protocol         Port Wired
----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
00:26:b9:9f:c9:0b N/A               Associated    1              Yes  802.3            29   Yes

(4402-d) >show client detail 00:26:b9:9f:c9:0b
Client MAC Address............................... 00:26:b9:9f:c9:0b
Client Username ................................. N/A
Client State..................................... Associated     
Client NAC OOB State............................. Access
guest-lan........................................ 1  
IP Address....................................... Unknown
Session Timeout.................................. 0  
QoS Level........................................ Silver
Supported Rates.................................. 
Mobility State................................... Export Foreign
Mobility Anchor IP Address....................... 192.168.10.33
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
ACL Name......................................... none
ACL Applied Status............................... Unavailable
NPU Fast Fast Notified........................... Yes
Interface........................................ management
VLAN............................................. 40
Quarantine VLAN.................................. 0
Access VLAN...................................... 40
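
The two things this post verifies by eye (the Gold/5 AAA override result earlier, and the Export Anchor / Export Foreign pair with the RUN state reached on the anchor only after the portal) can be checked mechanically. Here is an added example, not part of the original post, that parses the dotted-leader “show client detail” format and applies those checks. The sample texts are abbreviated copies of the outputs shown in this post; the guest VLAN number and the expected override values are supplied by the caller.

```python
"""Parse Cisco WLC "show client detail" output and check the policy a client actually got.

Added example, not part of the original post. The WLC prints one
"Key.......... value" line per field; parse_detail() turns that into a dict,
check_expected() compares it with the QoS/802.1p/VLAN the AAA override should
deliver, and check_guest_anchor_pair() checks the wired-guest split: Export
Anchor on the DMZ controller with the client on the guest VLAN, Export Foreign
on the inside controller, and RUN only once web-passthrough is completed.
The sample texts are abbreviated copies of the post's own outputs.
"""
import re

# e.g. "Client State..................................... Associated"
_LINE = re.compile(r"^(?P<key>.+?)\s*\.{2,}\s*(?P<value>.*?)\s*$")


def parse_detail(text: str) -> dict:
    """Return {field: value} for every dotted-leader line; prompts and blank lines are skipped."""
    fields = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            fields[m.group("key")] = m.group("value")
    return fields


def check_expected(fields: dict, expected: dict) -> list:
    """Fields whose value differs from the policy you configured (empty list means all match)."""
    return [f"{k}: expected {v!r}, got {fields.get(k)!r}"
            for k, v in expected.items() if fields.get(k) != v]


def portal_passed(fields: dict) -> bool:
    """True once the client has cleared web-auth/passthrough on the controller holding it."""
    return (fields.get("Policy Manager State") == "RUN"
            and fields.get("Security Policy Completed") == "Yes")


def check_guest_anchor_pair(anchor: dict, foreign: dict, guest_vlan: str) -> list:
    """Consistency checks for one wired-guest client as seen on the anchor and the foreign."""
    problems = []
    if anchor.get("Client MAC Address") != foreign.get("Client MAC Address"):
        problems.append("anchor and foreign outputs describe different clients")
    if anchor.get("Mobility State") != "Export Anchor":
        problems.append(f"anchor side is {anchor.get('Mobility State')!r}, not Export Anchor")
    if foreign.get("Mobility State") != "Export Foreign":
        problems.append(f"foreign side is {foreign.get('Mobility State')!r}, not Export Foreign")
    # Each side records its peer; both must be present or the mobility tunnel is not up.
    if not anchor.get("Mobility Foreign IP Address") or not foreign.get("Mobility Anchor IP Address"):
        problems.append("anchor/foreign peer address missing, mobility tunnel not established")
    # Guest traffic must land on the guest VLAN at the anchor, never on management.
    if anchor.get("Access VLAN") != guest_vlan:
        problems.append(f"anchor terminates client on VLAN {anchor.get('Access VLAN')!r}, expected {guest_vlan}")
    # RUN without a completed security policy (or the reverse) means a bypassed or stuck portal.
    if (anchor.get("Policy Manager State") == "RUN") != (anchor.get("Security Policy Completed") == "Yes"):
        problems.append("anchor policy-manager state and Security Policy Completed flag disagree")
    return problems


# Abbreviated copies of the post's outputs (dotted leaders shortened)
OVERRIDE_GOLD = """\
(WLC2) >show client detail 04:f7:e4:ea:5b:66
Client MAC Address...... 04:f7:e4:ea:5b:66
Client Username ........ user1
QoS Level............... Gold
802.1P Priority Tag..... 5
Policy Manager State.... RUN
Security Policy Completed..... Yes
Encryption Cipher....... CCMP (AES)
Access VLAN............. 7
"""
ANCHOR_PRE = """\
Client MAC Address...... 00:26:b9:9f:c9:0b
Client Username ........ N/A
guest-lan............... 1
IP Address.............. 192.168.19.101
Mobility State.......... Export Anchor
Mobility Foreign IP Address..... 192.168.40.44
Security Policy Completed..... No
Policy Manager State.... WEBAUTH_REQD
Access VLAN............. 19
"""
ANCHOR_POST = ANCHOR_PRE.replace("N/A", "mrncciew@gmail.com").replace(
    "Completed..... No", "Completed..... Yes").replace("WEBAUTH_REQD", "RUN")
FOREIGN = """\
Client MAC Address...... 00:26:b9:9f:c9:0b
Client Username ........ N/A
guest-lan............... 1
IP Address.............. Unknown
Mobility State.......... Export Foreign
Mobility Anchor IP Address..... 192.168.10.33
Security Policy Completed..... Yes
Policy Manager State.... RUN
Access VLAN............. 40
"""

if __name__ == "__main__":
    print(check_expected(parse_detail(OVERRIDE_GOLD),
                         {"QoS Level": "Gold", "802.1P Priority Tag": "5", "Access VLAN": "7"}))
    print(portal_passed(parse_detail(ANCHOR_PRE)), portal_passed(parse_detail(ANCHOR_POST)))
    print(check_guest_anchor_pair(parse_detail(ANCHOR_POST), parse_detail(FOREIGN), "19"))
```

Paste the real “show client detail” text in place of the samples; the parser only depends on the dotted leaders, so any field the WLC prints (EAP Type, Encryption Cipher, Interface) can be added to the expected dictionary.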

Related Posts

1. Wired Guest Access (via GUI)
2. Mobility Config via CLI
3. Wireless Guest Config via CLI



Media Stream Config via CLI


In this post we will see the Media Stream configuration via CLI. If you want to configure this across multiple controllers it is a good idea to learn the CLI commands, in order to save time during your lab exam.

Here are the steps of configuring this feature.

1. Enable Multicast direct globally & set the General settings.
2. Define Media stream with RRC parameters.
3. Configure CAC for voice/video (Media) under each radio band.
4. Ensure WLC is configured for Multicast & IGMP
5. Test/Verify the configuration.

First you need to enable this feature globally and define the general settings and the stream-specific information. Here are the two GUI screens, if you are more familiar with those.

VideoStream-CLI-01

Here is the CLI config for this.

(WLC3) >config media-stream ?
add            Configure New Media Stream by template or individual parameters
admit          Allow traffic for the media stream
delete         Remove Media Stream Configuration
deny           Block traffic for the media stream
multicast-direct Configure Media Stream Multicast-direct
message        Configure Session Announcement Message

(WLC3) >config media-stream multicast-direct ?               
enable         Enable Global Multicast to Unicast Conversion
disable        Disable Global Multicast to Unicast Conversion

(WLC3) >config media-stream multicast-direct enable 
WARNING: Media Stream Multicast-direct requires Load Based CAC to run,
Voice deployment employing Static CAC needs to convert to Load Based CAC.

(WLC3) >config media-stream message ?               
url            Configure Session Announcement URL
email          Configure Session Announcement e-mail
phone          Configure Session Announcement phone number
note           Configure Session Announcement notes 
state          Configure Session Announcement Message State 

(WLC3) >config media-stream message state ?               
enable         Configure Session Announcement Message State Enable 
disable        Configure Session Announcement Message State Disable

(WLC3) >config media-stream message state enable

(WLC3) >config media-stream message note ?              
denial         Configure Session Announcement notes denial

(WLC3) >config media-stream message note denial CIO-IS-SPEAKING

VideoStream-CLI-02

Here is the CLI config for the stream definition.

(WLC3) >config media-stream add ?               
multicast-direct Add Media Stream for Multicast-direct

(WLC3) >config media-stream add multicast-direct ?               
<Media Stream Name> Media Stream Name

(WLC3) >config media-stream add multicast-direct MRN-TV ?               
<Start IP Address> IP Multicast Destination Start Address

(WLC3) >config media-stream add multicast-direct MRN-TV 239.239.239.1 ?               
<End IP Address> IP Multicast Destination End Address

(WLC3) >config media-stream add multicast-direct MRN-TV 239.239.239.1 239.239.239.1 ?
detail         Configure Media Stream with Specific Parameters
template       Configure Media Stream from Templates

(WLC3) >config media-stream add multicast-direct MRN-TV 239.239.239.1 239.239.239.1 template ?               
very-coarse    Apply very-coarse template (< 300 Kbps Bandwidth)
coarse         Apply Coarse template (< 500 Kbps Bandwidth)
ordinary       Apply Ordinary template (< 750 Kbps Bandwidth)
low-resolution Apply Low-Resolution template (< 1 Mbps Bandwidth)
med-resolution Apply Medium-Resolution template (< 3 Mbps Bandwidth)
high-resolution Apply High-Resolution template (< 5 Mbps Bandwidth)

(WLC3) >config media-stream add multicast-direct MRN-TV 239.239.239.1 239.239.239.1 template high-resolution

Even though you entered the line above, if you check your WLC configuration you will see something like this. That means the High Resolution template expands to 5000 kbps bandwidth, a 1200-byte average packet size, periodic re-evaluation, the video QoS class, RRC priority 3 and drop as the traffic violation policy.

config media-stream add multicast-direct MRN-TV 239.239.239.1 239.239.239.1 detail 5000 1200 periodic video 3 drop

If these template defaults do not meet the requirement, configure the stream with the detail method and the specific settings you need. Take a scenario like this: “MRN TV streaming uses 239.239.239.1. The video feeds are high quality but still under 5 Mbps. Ensure this flow gets the highest priority, and that denied flows get a message saying CIO-IS-SPEAKING.”

So we first delete the media stream we created and reconfigure it with these new settings.

(WLC3) >config media-stream delete MRN-TV
IGMP snooping will be disabled and enabled again. All clients will observe a glitch on Multicast traffic.
Are you sure you want to continue? (y/n)
media-stream is deleted

(WLC3) >config media-stream add multicast-direct MRN-TV 239.239.239.1 239.239.239.1 ?                                       
detail         Configure Media Stream with Specific Parameters
template       Configure Media Stream from Templates

(WLC3) >config media-stream add multicast-direct MRN-TV 239.239.239.1 239.239.239.1 detail ?               
<Max Bandwidth> Maximum Expected Stream Bandwidth, <1-35000> Kbps

(WLC3) >config media-stream add multicast-direct MRN-TV 239.239.239.1 239.239.239.1 detail 5000 ?               
<Average Packet Size> Average Packet Size, <100-1500>

(WLC3) >config media-stream add multicast-direct MRN-TV 239.239.239.1 239.239.239.1 detail 5000 1200 ?               
periodic       Periodic admission evaluation
initial        Initial admission evaluation

(WLC3) >config media-stream add multicast-direct MRN-TV 239.239.239.1 239.239.239.1 detail 5000 1200 periodic ?               
<Qos>          Over the AIR QoS class, <'video'> ONLY

(WLC3) >config media-stream add multicast-direct MRN-TV 239.239.239.1 239.239.239.1 detail 5000 1200 periodic video ?               
<Usage Priority> Media Stream Priotity, <1:Lowest - 8:Highest>

(WLC3) >config media-stream add multicast-direct MRN-TV 239.239.239.1 239.239.239.1 detail 5000 1200 periodic video 8 ?               
drop           Stream will be dropped on periodic re-evaluation
fallback       Stream demoted to BestEffort class on periodic re-evaluation

(WLC3) >config media-stream add multicast-direct MRN-TV 239.239.239.1 239.239.239.1 detail 5000 1200 periodic video 8 fallback

Then configure the required admission control (CAC) on the 802.11a/n or 802.11b/g/n band as needed. In my example I only configure 802.11b/g/n. In the GUI this is under “Wireless > 802.11b/g/n > Media”; the default settings are shown in the screenshot.

VideoStream-CLI-03

Here are the CLI commands to change these settings. Make sure the radio is disabled before this configuration and enable it again once you finish. We will customize this to allow a maximum of 3 stream sessions per client.

(WLC3) >config 802.11b disable network
(WLC3) >config 802.11b media-stream multicast-direct enable 
(WLC3) >config 802.11b media-stream multicast-direct radio-maximum ?               
<value>        From 1 to 20 streams               
no-limit       Maximum number of allowed streams on 2.4/5 GHz band

(WLC3) >config 802.11b media-stream multicast-direct radio-maximum no-limit

(WLC3) >config 802.11b media-stream multicast-direct admission-besteffort ?               
enable         Enable/Disable media stream BestEffort queue admission               
disable        Enable/Disable media stream BestEffort queue admission

(WLC3) >config 802.11b media-stream multicast-direct admission-besteffort disable 

(WLC3) >config 802.11b media-stream multicast-direct client-maximum ?                            
<value>        From 1 to 20 streams               
no-limit       Maximum number of allowed streams on individual client

(WLC3) >config 802.11b media-stream multicast-direct client-maximum 3

(WLC3) >config 802.11b cac ?               
defaults       Set Default CAC parameters for 802.11b radio.
media-stream   Configure CAC parameters for media stream access category
multimedia     Configure CAC parameters for media access category, used for voice and video.
video          Configure CAC parameters for video access category, used for voice signalling.
voice          Configure CAC parameters for voice access category.

(WLC3) >config 802.11b cac media-stream ?               
multicast-direct Configure CAC parameters for multicast-direct streams

(WLC3) >config 802.11b cac media-stream multicast-direct ?               
max-retry-percent Configure CAC parameter maximum retry percent for multicast-direct streams
min-client-rate Configure CAC parameter minimun physical rate for multicast-direct streams

(WLC3) >config 802.11b cac media-stream multicast-direct min-client-rate ?               
<dot11-rate>   Kbps: 1000, 2000, 5500, 6000, 9000, 11000, 12000, 18000, 24000, 36000, 48000, 54000 or 11n rates

(WLC3) >config 802.11b cac media-stream multicast-direct max-retry-percent ?               
<retry-percentage> 0 to 100 maximum retry percent for multicast-direct streams

(WLC3) >config 802.11b cac media-stream multicast-direct max-retry-percent 80

(WLC3) >config 802.11b cac multimedia ?               
max-bandwidth  Configure the max bandwidth allocated to WMM clients for media in % (5-85).

(WLC3) >config 802.11b cac multimedia max-bandwidth ?               
<bandwidth>    Configure the max bandwidth allocated to WMM clients for media in % (5-85).

(WLC3) >config 802.11b cac multimedia max-bandwidth 80

When you check the WLC configuration, the lines that only restate default settings (for example radio-maximum no-limit and min-client-rate 6000, highlighted in purple in the original post) will not be shown. The full set of lines is:

config 802.11b media-stream multicast-direct client-maximum 3
config 802.11b media-stream multicast-direct radio-maximum no-limit
config 802.11b media-stream multicast-direct enable
config 802.11b media-stream multicast-direct admission-besteffort disable
config 802.11b cac media-stream multicast-direct min-client-rate 6000
config 802.11b cac media-stream multicast-direct max-retry-percent 80
config 802.11b cac multimedia max-bandwidth 80

Since the Media bandwidth setting covers both voice and video, you need to ensure the voice and video bandwidth reservations together do not exceed the 80% configured under the Media tab. Also remember that voice CAC must be “load-based” when you enable the Video Stream feature. In this example we allocate a maximum RF bandwidth of 50% for video and 30% for voice. Here is the default-settings GUI screenshot.

VideoStream-CLI-04

Use the “config 802.11b cac {voice|video} ...” CLI commands to make the necessary modifications.

(WLC3) >config 802.11b cac ?                       
defaults       Set Default CAC parameters for 802.11b radio.
media-stream   Configure CAC parameters for media stream access category
multimedia     Configure CAC parameters for media access category, used for voice and video.
video          Configure CAC parameters for video access category, used for voice signalling.
voice          Configure CAC parameters for voice access category.

(WLC3) >config 802.11b cac video ?               
acm            Enable/disable admission control on video access category.
max-bandwidth  Configure the max RF bandwidth allocated to WMM clients for video.
tspec-inactivity-timeout Configure TSPEC inactivity timeout processing mode.

(WLC3) >config 802.11b cac video acm ?               
disable        Disable admission control on video AC.
enable         Enable admission control on video AC.

(WLC3) >config 802.11b cac video acm enable 

(WLC3) >config 802.11b cac video ?               
acm            Enable/disable admission control on video access category.
max-bandwidth  Configure the max RF bandwidth allocated to WMM clients for video.
tspec-inactivity-timeout Configure TSPEC inactivity timeout processing mode.

(WLC3) >config 802.11b cac video max-bandwidth ?               
<bandwidth>    Enter the max RF bandwith for Video in % (5-85).

(WLC3) >config 802.11b cac video max-bandwidth 50

Here are the voice-specific settings.

(WLC3) >config 802.11b cac voice ?               
acm            Enable/disable admission control on voice access category.
cac-method     Configure CAC method(static or dynamic) on voice access category.
max-bandwidth  Configure the max RF bandwidth allocated to WMM clients for voice.
roam-bandwidth Configure the % of max RF bandwidth reserved for roaming clients for voice (0-25).
sip            Configure CAC parameters for SIP based Calls.
stream-size    Max data rate of the stream acceptable
tspec-inactivity-timeout Configure TSPEC inactivity timeout processing mode.

(WLC3) >config 802.11b cac voice max-bandwidth ?               
<bandwidth>    Enter the max RF bandwith for Voice in % (5-85).

(WLC3) >config 802.11b cac voice max-bandwidth 30
(WLC3) >config 802.11b cac voice acm enable 

You can configure EDCA parameters to optimize both Voice & Video.

(WLC3) >config advanced 802.11b edca-parameters ?              
custom-voice   Enable Custom Voice EDCA parameters for 802.11b.
optimized-video-voice Enable combined video-voice-optimized parameters for 802.11b.
optimized-voice Enable non-spectralink voice-optimized parameters for 802.11b.
svp-voice      Enable SpectraLink Voice Priority (SVP) parameters for 802.11b.
wmm-default    Enable WMM default parameters for 802.11b. 

(WLC3) >config advanced 802.11b edca-parameters optimized-video-voice 

Once you have configured the above you can enable the radio band. It is a good idea to enable 802.11n support with this feature.

(WLC3) >config 802.11b 11nSupport ?               
a-mpdu         Configure 802.11n-2.4Ghz A-MPDU mode
a-msdu         Configure 802.11n-2.4Ghz A-MSDU mode
antenna        Configure 802.11n - 2.4 GHz antenna selection
disable        Disable 802.11n-2.4Ghz support
enable         Enable 802.11n-2.4Ghz support
guard_interval Configure 802.11n-2.4Ghz guard interval
mcs            Configure 802.11n-2.4Ghz MCS rates
rifs           Configure 802.11n-2.4Ghz rifs

(WLC3) >config 802.11b 11nSupport enable                
(WLC3) >config 802.11b enable network

You can enable it on a WLAN as shown below.

(WLC3) >config wlan media-stream multicast-direct 17 ?               
enable         Enables Multicast-direct on the WLAN
disable        Disables Multicast-direct on the WLAN.

(WLC3) >config wlan media-stream multicast-direct 17 enable 

In summary, here is the CLI config required in my example. If you want to configure this feature on any other WLC, you can simply paste the config below onto it.

config media-stream multicast-direct enable 
config media-stream message state enable
config media-stream message note denial CIO-IS-SPEAKING
config media-stream add multicast-direct MRN-TV 239.239.239.1 239.239.239.1 detail 5000 1200 periodic video 8 fallback

config 802.11b disable network
config 802.11b media-stream multicast-direct enable 
config 802.11b media-stream multicast-direct client-maximum 3
config 802.11b cac multimedia max-bandwidth 80
config 802.11b cac video acm enable
config 802.11b cac video max-bandwidth 50
config 802.11b cac voice max-bandwidth 30
config 802.11b cac voice acm enable 
config advanced 802.11b edca-parameters optimized-video-voice
config 802.11b 11nSupport enable                
config 802.11b enable network
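Before pasting a bundle like the one above onto another controller, it is worth checking it the way the post describes the procedure: the radio network is disabled before the CAC/EDCA/11n lines, enabled again after them, and the max-bandwidth values stay inside the 5-85% range that the WLC help text gives. The linter below is an added example, not code from the post or from Cisco; the rule that voice + video bandwidth must not exceed the multimedia cap is my own assumption and is labelled as such in the findings.

```python
"""Lint a WLC media-stream/CAC CLI bundle before pasting it onto another controller.

Added example (not code from the original post). It checks the ordering the post
relies on (disable the radio network before changing CAC/EDCA/11n settings, enable it
again afterwards), the 5-85% range the WLC help text gives for max-bandwidth, and,
as an assumption of this example, that voice + video do not exceed the multimedia cap.
"""
import re

# Matches 'config 802.11b ...' and 'config advanced 802.11b ...' for either band.
BAND_CMD_RE = re.compile(r"^config (?:advanced )?802\.11([ab]) (.+)$")
BANDWIDTH_RE = re.compile(r"^cac (multimedia|video|voice) max-bandwidth (\d+)$")


def lint_radio_config(lines):
    """Return a list of findings; an empty list means the bundle passes all checks."""
    findings = []
    bands = {}
    for n, raw in enumerate(lines, start=1):
        m = BAND_CMD_RE.match(raw.strip())
        if not m:
            continue  # global lines such as 'config media-stream ...' need no ordering
        band, rest = m.groups()
        st = bands.setdefault(band, {"disabled": None, "enabled": None, "cfg": [], "bw": {}})
        if rest == "disable network":
            st["disabled"] = n
        elif rest == "enable network":
            st["enabled"] = n
        else:
            st["cfg"].append(n)
            bw = BANDWIDTH_RE.match(rest)
            if bw:
                pct = int(bw.group(2))
                st["bw"][bw.group(1)] = pct
                if not 5 <= pct <= 85:
                    findings.append(f"line {n}: max-bandwidth {pct}% is outside the 5-85% range")
    for band, st in sorted(bands.items()):
        if not st["cfg"]:
            continue
        first, last = min(st["cfg"]), max(st["cfg"])
        if st["disabled"] is None or st["disabled"] > first:
            findings.append(f"802.11{band}: network must be disabled before line {first}")
        if st["enabled"] is None or st["enabled"] < last:
            findings.append(f"802.11{band}: network is not re-enabled after line {last}")
        bw = st["bw"]
        if "multimedia" in bw and bw.get("voice", 0) + bw.get("video", 0) > bw["multimedia"]:
            findings.append(
                f"802.11{band}: voice + video bandwidth exceeds the multimedia cap (assumed constraint)"
            )
    return findings


# The post's own bundle, used here as sample input.
POST_BUNDLE = """\
config media-stream multicast-direct enable
config media-stream message state enable
config media-stream message note denial CIO-IS-SPEAKING
config media-stream add multicast-direct MRN-TV 239.239.239.1 239.239.239.1 detail 5000 1200 periodic video 8 fallback

config 802.11b disable network
config 802.11b media-stream multicast-direct enable
config 802.11b media-stream multicast-direct client-maximum 3
config 802.11b cac multimedia max-bandwidth 80
config 802.11b cac video acm enable
config 802.11b cac video max-bandwidth 50
config 802.11b cac voice max-bandwidth 30
config 802.11b cac voice acm enable
config advanced 802.11b edca-parameters optimized-video-voice
config 802.11b 11nSupport enable
config 802.11b enable network
"""

if __name__ == "__main__":
    print(lint_radio_config(POST_BUNDLE.splitlines()) or "bundle OK")
```

Run it against a bundle that has been edited for a second WLC (or for 802.11a) and fix any finding before pasting; the ordering findings are the ones that silently produce a half-applied CAC configuration.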

You can use the following CLI verification commands to verify your settings.

(4402-a) >show media-stream group summary 
Stream Name   Start IP       End IP         Operation Status
------------- -------------- -------------- ----------------
MRN-TV        239.239.239.1  239.239.239.1  Multicast-direct 

(4402-a) >show media-stream group detail MRN-TV
Media Stream Name................................ MRN-TV
Start IP Address................................. 239.239.239.1
End IP Address................................... 239.239.239.1
 RRC Parmmeters
 Avg Packet Size(Bytes).......................... 1200
 Expected Bandwidth(Kbps)........................ 5000
 Policy.......................................... Admit
 RRC re-evaluation............................... periodic
 QoS............................................. Video
 Status.......................................... Multicast-direct
 Usage Priority.................................. 8
 Violation....................................... fallback

(4402-a) >show 802.11b media-stream rrc   
Multicast-direct................................. Enabled
Best Effort...................................... Disabled
Video Re-Direct.................................. Enabled
Max Allowed Streams Per Radio.................... Auto
Max Allowed Streams Per Client................... 3
Max Video Bandwidth.............................. 50
Max Voice Bandwidth.............................. 30
Max Media Bandwidth.............................. 80
Min PHY Rate..................................... 6000
Max Retry Percentage............................. 80

(4402-a) >show media-stream message details 
URL.............................................. 
E-mail........................................... 
Phone............................................ 
Note............................................. CIO-IS-SPEAKING
State............................................ enable

It is important to note that your infrastructure network should be configured to support multicast, and WLC multicast/IGMP needs to be enabled to get this feature working. Even in the exam, if they ask you to configure this feature, you need to verify that your L3 multicast & WLC multicast are properly enabled with IGMP support.

Related Posts

1. Understanding Video Stream Feature
2. Wireless Multicast Not working-Why ?
3. Configuring Multicast on WLC


WLC ACL via CLI


In this post we will see how to configure an ACL on a WLC via CLI. Let’s assume you want to create the following ACL (in IOS syntax) on a WLC & apply it on a guest WLAN.

 permit udp any any eq 53
 permit udp any eq 53 any
 permit ip any host 10.11.6.244
 permit ip host 10.11.6.244 any
 deny ip any any

Here is how you do this on a WLC. First you need to create an ACL on the WLC & then add rules to it.

(4402-a) >config acl ?               
apply          Applies the ACL to the data path.
counter        Start/Stop the ACL Counters.
cpu            Configure the CPU Acl Information
create         Create a new ACL.
delete         Delete an ACL.
rule           Configure rules in the ACL.

(4402-a) >config acl create ?               
<name>         Enter ACL name up to 32 alphanumeric characters.

(4402-a) >config acl create acl-guest

When adding rules, it is not a single entry as in IOS. You have to configure the protocol, source port, destination port and action as individual lines. For rule 1 you need to specify:

Action: permit
Protocol: 17 (UDP)
Source address: defaults to any (no explicit config required)
Source port range: 0 65535 (any)
Destination address: not required, defaults to any
Destination port range: 53 53 (DNS)
Direction: any (no explicit config required)

Here is how you do this.

(4402-a) >config acl rule ?               
action         Configure a rule's action.
add            Add a new rule.
change         Change a rule's index.
delete         Delete a rule.
destination    Configure a rule's destination IP address, netmask and port range.
direction      Configure a rule's direction.
dscp           Configure a rule's DSCP.
protocol       Configure a rule's IP Protocol.
source         Configure a rule's source IP address, netmask and port range.
swap           Swap two rules' indices.

(4402-a) >config acl rule add ?              
<name>         Enter ACL name up to 32 alphanumeric characters.

(4402-a) >config acl rule add acl-guest ?              
<index>        Enter rule index between 1 and 64.

(4402-a) >config acl rule add acl-guest 1 

(4402-a) >config acl rule protocol ?               
<name>         Enter ACL name up to 32 alphanumeric characters.

(4402-a) >config acl rule protocol acl-guest ?               
<index>        Enter rule index between 1 and 64.

(4402-a) >config acl rule protocol acl-guest 1 ?               
<protocol>     Enter a number between 0 and 255, or 'any'.

(4402-a) >config acl rule protocol acl-guest 1 17

(4402-a) >config acl rule action ?               
<name>         Enter ACL name up to 32 alphanumeric characters.

(4402-a) >config acl rule action acl-guest ?               
<index>        Enter rule index between 1 and 64.

(4402-a) >config acl rule action acl-guest 1 ?               
<action permit/deny>Enter action: permit/deny.               

(4402-a) >config acl rule action acl-guest 1 permit

(4402-a) >config acl rule source port ?               
range          Configure a rule's source port range.

(4402-a) >config acl rule source port range ?               
<name>         Enter ACL name up to 32 alphanumeric characters.

(4402-a) >config acl rule source port range acl-guest ?               
<index>        Enter rule index between 1 and 64.

(4402-a) >config acl rule source port range acl-guest 1 ?               
<start port>   Enter port number between 0 and 65535.

(4402-a) >config acl rule source port range acl-guest 1 0 ?               
<end port>     Enter port number between 0 and 65535.

(4402-a) >config acl rule source port range acl-guest 1 0 65535

(4402-a) >config acl rule destination port range acl-guest 1 ?               
<start port>   Enter port number between 0 and 65535.

(4402-a) >config acl rule destination port range acl-guest 1 53 ?               
<end port>     Enter port number between 0 and 65535.

(4402-a) >config acl rule destination port range acl-guest 1 53 53

In summary, here are the rule 1 configuration lines.

config acl rule add acl-guest 1
config acl rule action acl-guest 1 permit
config acl rule protocol acl-guest 1 17
config acl rule source port range acl-guest 1 0 65535
config acl rule destination port range acl-guest 1 53 53

If you copy this to notepad & then modify the rule index, protocol, source, destination and action details you can derive the other rules. Here are the other rules derived in that way.

config acl rule add acl-guest 2
config acl rule action acl-guest 2 permit
config acl rule protocol acl-guest 2 17
config acl rule source port range acl-guest 2 53 53
config acl rule destination port range acl-guest 2 0 65535

config acl rule add acl-guest 3
config acl rule action acl-guest 3 permit
config acl rule protocol acl-guest 3 any
config acl rule source port range acl-guest 3 0 65535
config acl rule destination address acl-guest 3 10.11.6.244 255.255.255.255
config acl rule destination port range acl-guest 3 0 65535

config acl rule add acl-guest 4
config acl rule action acl-guest 4 permit
config acl rule protocol acl-guest 4 any
config acl rule source address acl-guest 4 10.11.6.244 255.255.255.255
config acl rule source port range acl-guest 4 0 65535
config acl rule destination port range acl-guest 4 0 65535

config acl rule add acl-guest 5
config acl rule action acl-guest 5 deny
config acl rule protocol acl-guest 5 any
config acl rule source port range acl-guest 5 0 65535
config acl rule destination port range acl-guest 5 0 65535
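Deriving the rules by hand in notepad works for five lines, but it is easy to swap a source and destination port or forget a host mask when the list gets longer. The script below is an added example (not code from the post or from Cisco) that does the same translation: it takes the IOS-style ACL from the top of the post and emits the `config acl` lines, leaving out anything that is already the WLC default (any address, ports 0-65535, direction any), exactly as the post does. It only understands the syntax used here (permit/deny, ip/tcp/udp/icmp or a protocol number, any/host/wildcard endpoints, and an optional `eq PORT`); anything else raises an error rather than guessing.

```python
"""Translate a small IOS-style ACL into Cisco WLC 'config acl' CLI lines.

Added example, not code from the original post. It supports only the syntax the post
uses: permit/deny, protocol ip/tcp/udp/icmp or a number, 'any', 'host A.B.C.D' or
'A.B.C.D WILDCARD' endpoints, and an optional 'eq PORT' after either endpoint. The WLC
defaults the post points out (any address, ports 0-65535, direction any) are left
unconfigured, so the output is the minimal command set, as in the post.
"""
import ipaddress

PROTOCOL_NUMBERS = {"ip": "any", "icmp": "1", "tcp": "6", "udp": "17"}
FULL_PORT_RANGE = (0, 65535)


def _parse_endpoint(tokens, i):
    """Consume 'any' | 'host X' | 'X WILDCARD' plus an optional 'eq PORT' from tokens[i]."""
    if tokens[i] == "any":
        addr, mask, i = None, None, i + 1
    elif tokens[i] == "host":
        addr, mask, i = str(ipaddress.IPv4Address(tokens[i + 1])), "255.255.255.255", i + 2
    else:
        # IOS wildcard mask -> WLC netmask (bitwise inverse)
        addr = str(ipaddress.IPv4Address(tokens[i]))
        wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
        mask = str(ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF))
        i += 2
    ports = FULL_PORT_RANGE
    if i < len(tokens) and tokens[i] == "eq":
        port = int(tokens[i + 1])
        if not 0 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        ports = (port, port)
        i += 2
    return {"addr": addr, "mask": mask, "ports": ports}, i


def parse_ios_ace(line):
    """Parse one IOS access control entry into a dict; ValueError on unsupported syntax."""
    tokens = line.split()
    try:
        action, proto = tokens[0], tokens[1].lower()
        if action not in ("permit", "deny"):
            raise ValueError
        proto = PROTOCOL_NUMBERS.get(proto, proto)
        if proto != "any" and not (proto.isdigit() and 0 <= int(proto) <= 255):
            raise ValueError
        src, i = _parse_endpoint(tokens, 2)
        dst, i = _parse_endpoint(tokens, i)
        if i != len(tokens):
            raise ValueError  # leftover tokens, e.g. 'log' or 'range', are not supported
    except (ValueError, IndexError) as exc:
        raise ValueError(f"unsupported ACE: {line!r}") from exc
    return {"action": action, "protocol": proto, "src": src, "dst": dst}


def wlc_acl_commands(name, aces):
    """Emit the 'config acl' lines for an ACL; WLC rule indices run from 1 to 64."""
    if not 1 <= len(name) <= 32:
        raise ValueError("WLC ACL names are 1-32 characters")
    if len(aces) > 64:
        raise ValueError("a WLC ACL holds at most 64 rules")
    lines = [f"config acl create {name}"]
    for idx, ace in enumerate(aces, start=1):
        rule = parse_ios_ace(ace)
        lines.append(f"config acl rule add {name} {idx}")
        lines.append(f"config acl rule action {name} {idx} {rule['action']}")
        if rule["protocol"] != "any":
            lines.append(f"config acl rule protocol {name} {idx} {rule['protocol']}")
        for side, ep in (("source", rule["src"]), ("destination", rule["dst"])):
            if ep["addr"] is not None:
                lines.append(f"config acl rule {side} address {name} {idx} {ep['addr']} {ep['mask']}")
            if ep["ports"] != FULL_PORT_RANGE:
                lo, hi = ep["ports"]
                lines.append(f"config acl rule {side} port range {name} {idx} {lo} {hi}")
    return lines


# The guest ACL from the post, in IOS syntax (sample input).
GUEST_ACL = [
    "permit udp any any eq 53",
    "permit udp any eq 53 any",
    "permit ip any host 10.11.6.244",
    "permit ip host 10.11.6.244 any",
    "deny ip any any",
]

if __name__ == "__main__":
    print("\n".join(wlc_acl_commands("acl-guest", GUEST_ACL)))
```

The output for rule 1 is the same four lines the post shows, and rule 3 collapses to add, action and a destination address, which is what the WLC keeps in its own config once the defaults are stripped. Keep the explicit final deny in the input: the generator does not add one for you.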

If you look at the WLC configuration afterwards, the ACL-related part looks like this. As you can see, by default the protocol, source/destination addresses and ports are “any”, so you do not need to configure them if you want the “any” option.

Also, like a normal IOS ACL, an implied deny rule will be there (index number 65), so you do not need to configure deny any any rules explicitly. Because of this you need to ensure all required protocols are permitted if the given task does not allow you to use a permit any any rule.

config acl create acl-guest 

config acl rule add acl-guest 1 
config acl rule destination port range acl-guest 1 53 53 
config acl rule protocol acl-guest 1 17 
config acl rule action acl-guest 1 permit

config acl rule add acl-guest 2 
config acl rule protocol acl-guest 2 17 
config acl rule action acl-guest 2 permit 
config acl rule source port range acl-guest 2 53 53 

config acl rule add acl-guest 3 
config acl rule destination address acl-guest 3 10.11.6.244 255.255.255.255 
config acl rule action acl-guest 3 permit 

config acl rule add acl-guest 4 
config acl rule action acl-guest 4 permit 
config acl rule source address acl-guest 4 10.11.6.244 255.255.255.255 

config acl rule add acl-guest 5 
config acl rule add acl-guest 65

Finally you can apply the ACL onto the data path. If you want to enable ACL counters you can do that as well. If you apply an ACL to a WLAN it will override the interface ACL.

(4402-a) >config acl counter ?               
start          Start ACL Counters.
stop           Stop ACL Counters.

(4402-a) >config acl counter start

(4402-a) >config acl apply ?               
<name>         Enter ACL name up to 32 alphanumeric characters.

(4402-a) >config acl apply acl-guest

(4402-a) >config wlan acl <wlan-id> <acl-name>

In the GUI, it looks like this.

[Screenshots: WLC-ACL-CLI-01, WLC-ACL-CLI-02]

You can verify your config by using the “show acl summary” and “show acl detailed <acl-name>” CLI commands as shown below.

(4402-a) >show acl summary 
ACL Counter Status               Enabled
----------------------------------------
ACL Name                         Applied
-------------------------------- -------
acl-guest                        Yes  

(4402-a) >show acl detailed acl-guest
                       Source                        Destination                Source Port  Dest Port
Index  Dir       IP Address/Netmask              IP Address/Netmask        Prot    Range       Range    DSCP  Action      Counter 
------ --- ------------------------------- ------------------------------- ---- ----------- ----------- ----- ------- -----------
     1 Any         0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0           17     0-65535    53-53     Any Permit           0 
     2 Any         0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0           17    53-53        0-65535  Any Permit           0 
     3 Any         0.0.0.0/0.0.0.0             10.11.6.244/255.255.255.255  Any     0-65535     0-65535  Any Permit           0 
     4 Any     10.11.6.244/255.255.255.255         0.0.0.0/0.0.0.0          Any     0-65535     0-65535  Any Permit           0 
     5 Any         0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0          Any     0-65535     0-65535  Any   Deny           0 

 DenyCounter : 0
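The detailed output above is also the place to audit an ACL that someone else built, or to re-check one after a change. The parser below is an added example (not code from the post or from Cisco) that reads the row layout shown above (index, direction, source, destination, protocol, source ports, destination ports, DSCP, action, counter) into dicts and then flags any permit that is any-protocol from any host to any host, the one shape a guest ACL should never contain. The audit policy is this example's own; the sample input is the post's output, with one constructed wide-open variant for comparison.

```python
"""Parse 'show acl detailed <name>' output from a WLC and flag over-permissive rules.

Added example, not from the original post. The row layout follows the post's output:
index, direction, source addr/mask, destination addr/mask, protocol, source port range,
destination port range, DSCP, action, counter. The audit check (no permit that is
any-protocol between any hosts) is this example's own guest-ACL policy.
"""
import re

ANY_NET = "0.0.0.0/0.0.0.0"
ROW_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+-\d+)\s+(\d+-\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$"
)


def _port_range(text):
    lo, hi = text.split("-")
    return int(lo), int(hi)


def parse_show_acl_detailed(text):
    """Return one dict per rule row; headers, separators and DenyCounter are skipped."""
    rules = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        idx, direction, src, dst, proto, sports, dports, dscp, action, counter = m.groups()
        rules.append({
            "index": int(idx), "direction": direction, "src": src, "dst": dst,
            "protocol": proto, "src_ports": _port_range(sports),
            "dst_ports": _port_range(dports), "dscp": dscp, "action": action,
            "counter": int(counter),
        })
    return rules


def deny_counter(text):
    """The trailing 'DenyCounter : N' line, or None if it is absent."""
    m = re.search(r"DenyCounter\s*:\s*(\d+)", text)
    return int(m.group(1)) if m else None


def audit_acl(rules):
    """Return findings (empty list means the ACL passes this example's checks)."""
    if not rules:
        return ["no rules parsed"]
    findings = []
    for r in rules:
        wide_open = r["src"] == ANY_NET and r["dst"] == ANY_NET and r["protocol"] == "Any"
        if r["action"] == "Permit" and wide_open:
            findings.append(f"rule {r['index']}: permits any protocol between any hosts")
    return findings


# Sample input: the post's own 'show acl detailed acl-guest' output.
SHOW_ACL_GUEST = """\
(4402-a) >show acl detailed acl-guest
                       Source                        Destination                Source Port  Dest Port
Index  Dir       IP Address/Netmask              IP Address/Netmask        Prot    Range       Range    DSCP  Action      Counter
------ --- ------------------------------- ------------------------------- ---- ----------- ----------- ----- ------- -----------
     1 Any         0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0           17     0-65535    53-53     Any Permit           0
     2 Any         0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0           17    53-53        0-65535  Any Permit           0
     3 Any         0.0.0.0/0.0.0.0             10.11.6.244/255.255.255.255  Any     0-65535     0-65535  Any Permit           0
     4 Any     10.11.6.244/255.255.255.255         0.0.0.0/0.0.0.0          Any     0-65535     0-65535  Any Permit           0
     5 Any         0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0          Any     0-65535     0-65535  Any   Deny           0

 DenyCounter : 0
"""

# Constructed variant: a single wide-open permit, which the audit should flag.
SHOW_ACL_WIDE_OPEN = """\
     1 Any         0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0          Any     0-65535     0-65535  Any Permit          12
"""

if __name__ == "__main__":
    rules = parse_show_acl_detailed(SHOW_ACL_GUEST)
    print(audit_acl(rules) or "acl-guest: no findings", "DenyCounter =", deny_counter(SHOW_ACL_GUEST))
```

With counters started, the per-rule counter column and DenyCounter also tell you whether the guest traffic is actually hitting the DNS and host rules you intended, or is falling through to the deny.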


Related Posts

1. WLC – Access Control List (ACL)


CCIE Wireless Remote Racks


For my study preparation I have used online racks from Fastlane & IPexpert. This is just a simple comparison of these remote rack services. Here is the hardware comparison of their racks.

[Image: Remote-Rack-01, hardware comparison]

Rack Availability:
With IPExpert (or proctorlabs.com) we can book a remote rack for a minimum 4 hour slot (effectively 3 hr & 45 min). With Fastlane racks you cannot book it for a few hours. You have to book a rack for at least a day or a week (effectively 4.5 days).

Therefore flexibility-wise IPExpert racks are much better than Fastlane, as you can book them when you want. Since you cannot do labs 24 hrs a day, the per-hour cost of Fastlane racks is much more expensive.

Cost:
A 4 hour slot of rack time is $30 with IPExpert. You can book 1, 5, 10 or 25 slots & you will get a discount if you book bulk slots at once. You can check their pricing information from here. You can buy rack time via online payment.

Fastlane remote rack is $195 per day. Their website says they will give a 10% discount for 3 consecutive days & 25% for 5 consecutive days. But what I heard was they use the same pods for other wireless classes (like CCNP wireless etc) and no dedicated pods are available for CCIE wireless rental purposes (therefore they cannot guarantee a rack is available when you need it). You cannot buy via online payment & sales inquiry responses were very poor.

Remote Support:
During business hours (Monday to Friday US-EST 9:00AM to 5:00PM) IPExpert support staff are available to help you via chat. But after hours it will be via email & no staff are available at rack locations. So if you suspect a hardware issue nobody will be there to check it for you.

In Fastlane, there is 24×7 remote support and a person will be available via Skype. So it does not matter which timezone you are working in, you will get the same level of support all the time. In that sense Fastlane is much better than IPExpert.

Initial Configuration:
IPExpert remote racks support both their Volume 1 (6 labs) & Volume 2 (5 labs). You can load the initial configuration depending on the labs you want to practice. But you have to sacrifice 15-30 mins to fully load a rack (revert to zero config & then load your lab initial config). Therefore your effective lab time per slot will be around 3 hours if you go with a single slot at a time.

In Fastlane, there is no pre-configuration & you have to build your lab from scratch. No multiple labs are available & there is no option to pre-load a configuration. It is pretty much like your home lab.

MSE/ACS/WCS Access:
In Fastlane labs SSH access to these devices is not available. You have to rely on remote support if you want to check something. Due to this you cannot do certain tasks which require SSH access.

In IPExpert racks you can SSH to these devices & you can do almost any task. In that regard IPExpert racks are much better.

CME & VoIP:
This is one area lacking in both racks. There is no way of practicing voice-specific configs using either of these racks.

In summary I would prefer IPExpert racks over Fastlane & am planning to use them for full 8 hr lab (Volume 2 labs) practice in the coming weeks.


Configuring AP Groups


By creating AP groups you can control which SSIDs are advertised on which APs, and which dynamic interface maps to each AP group (to reduce the broadcast domain size while using the same SSID). In the latest WLC software releases you can control RF profiles via AP groups as well, so you can apply different RF characteristics to certain APs in your network. AP groups also support 802.11u settings. The WLC code used in this post is 7.0.116.0.

You can create access point groups (AP Groups) and assign up to 16 WLANs to each group. Each access point advertises only the enabled WLANs that belong to its access point group. The access point does not advertise disabled WLANs in its access point group or WLANs that belong to another group.
You can create up to 50 access point groups for Cisco 2100 Series Controller and controller network modules; up to 300 access point groups for Cisco 4400 Series Controllers, Cisco WiSM, and 3750G wireless LAN controller switch; and up to 500 access point groups for Cisco 5500 Series Controllers.

By default there is an AP group called “default-group” created on your WLC, and all WLANs with a WLAN ID between 1-16 map to this group. All the access points on the WLC also map to this group. This means any WLAN (ID 1-16) will be available on any AP belonging to the default group. If your WLAN ID is greater than 16, you have to create an AP group to advertise that WLAN (or SSID). Also, if you want to advertise certain WLANs only on particular APs (an AP group), you have to create an AP group for this.

Here is the topology for this post. 3502-a will be in an AP group called “APG1” & 3502-d in AP group “APG2”. Both APs have 4402-c as primary controller & 4402-d as secondary controller. APG1 will map to the vlan11 interface & APG2 to the vlan12 interface on 4402-c (primary controller). In the event of AP fail-over to 4402-d (secondary controller), APG1 will map to vlan41 & APG2 to vlan42.

[Figure: AP Group-01, topology diagram]

First we will create dynamic interfaces on 4402-c as shown below. Ensure that DHCP is configured on the switch so that clients get dynamic IPs.

3750-b
ip dhcp excluded-address 192.168.11.1 192.168.11.100
ip dhcp excluded-address 192.168.11.150 192.168.11.254
ip dhcp excluded-address 192.168.12.1 192.168.12.100
ip dhcp excluded-address 192.168.12.150 192.168.12.254
ip dhcp pool VLAN11
   network 192.168.11.0 255.255.255.0
   default-router 192.168.11.1 
   domain-name mrn.com
ip dhcp pool VLAN12
   network 192.168.12.0 255.255.255.0
   default-router 192.168.12.1 
   domain-name mrn.com

(4402-c) >config interface create vlan11 11
(4402-c) >config interface address dynamic-interface vlan11 192.168.11.33 255.255.255.0 192.168.11.1
(4402-c) >config interface dhcp dynamic-interface vlan11 primary 192.168.11.1

(4402-c) >config interface create vlan12 12                                                         
(4402-c) >config interface address dynamic-interface vlan12 192.168.12.33 255.255.255.0 192.168.12.1
(4402-c) >config interface dhcp dynamic-interface vlan12 primary 192.168.12.1

Next we will create a WLAN called “wlan<16” (with WLAN ID 6). For simplicity we will disable L2 security & make it an open SSID. Other settings will be left as default.

(4402-c) >config wlan create 6 wlan<16 wlan<16
(4402-c) >config wlan interface 6 vlan11
(4402-c) >config wlan security wpa disable 6
(4402-c) >config wlan enable 6

Now we will configure APG1 & APG2 & map interfaces vlan11 & vlan12 to the WLAN created.

(4402-c) >config wlan apgroup ?               
add            Creates a new AP Group.
delete         Deletes a existing ap group.
description    Configures a description for an AP group.
interface-mapping Adds or deletes a new apgroup/WLAN/interface mapping.
nac-snmp       Configures NAC SNMP functionality on given AP-Group. 
radio-policy   Configures Radio Policy on given AP-Group. 

(4402-c) >config wlan apgroup add ?               
<apgroup name> Specify the name of the apgroup to configure.

(4402-c) >config wlan apgroup add APG1 ?              
<description>  (optional) Specify the description for the AP group.

(4402-c) >config wlan apgroup add APG1 "AP Group 1"
(4402-c) >config wlan apgroup add APG2 "AP Group 2"

(4402-c) >config wlan apgroup interface-mapping ?               
add            Adds a new apgroup/WLAN/interface mapping.
delete         Adds a new apgroup/WLAN/interface mapping.

(4402-c) >config wlan apgroup interface-mapping add ?               
<apgroup name> Specify the name of the apgroup to configure.

(4402-c) >config wlan apgroup interface-mapping add APG1 ?               
<WLAN or Remote LAN Id> Enter WLAN or Remote LAN Identifier between 1 and 512.

(4402-c) >config wlan apgroup interface-mapping add APG1 6 ?              
<Interface Name> Specify the interface name.

(4402-c) >config wlan apgroup interface-mapping add APG1 6 vlan11
(4402-c) >config wlan apgroup interface-mapping add APG2 6 vlan12

Then you can assign APs to the AP groups created, as shown below.

(4402-c) >show ap summary 
Number of APs.................................... 2
Global AP User Name.............................. Not Configured
Global AP Dot1x User Name........................ Not Configured

AP Name             Slots  AP Model              Ethernet MAC       Location          Port  Country  Priority
------------------  -----  --------------------  -----------------  ----------------  ----  -------  ------
3502-a               2     AIR-CAP3502I-N-K9     cc:ef:48:72:0b:bd      3750-B Port1  LAG      AU       1
3502-d               2     AIR-CAP3502I-N-K9     44:d3:ca:af:43:43      3750-A Port4  LAG      AU       3

(4402-c) >config ap group-name ?               
<groupname>    Enter the group name of Cisco APs as String

(4402-c) >config ap group-name APG1 ?               
<Cisco AP>     Enter the name of the Cisco AP.

(4402-c) >config ap group-name APG1 3502-a
Changing the AP's group name will cause the AP to reboot.
Are you sure you want to continue? (y/n) y

(4402-c) >config ap group-name APG2 3502-d
Changing the AP's group name will cause the AP to reboot.
Are you sure you want to continue? (y/n) y

You can check the connectivity by enabling one AP at a time to see whether the correct IP range is given to the user. First we will disable 3502-a & check the client IP once associated.

(4402-c) >config ap disable 3502-a
(4402-c) >show client summary 
Number of Clients................................ 1
MAC Address       AP Name           Status        WLAN/GLAN      Auth Protocol         Port Wired
----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
04:f7:e4:ea:5b:66 3502-d            Associated    6              Yes  802.11n(5 GHz)   29   No

(4402-c) >show client detail 04:f7:e4:ea:5b:66
Client MAC Address............................... 04:f7:e4:ea:5b:66
Client Username ................................. N/A
AP MAC Address................................... 64:ae:0c:91:94:20
AP Name.......................................... 3502-d            
Client State..................................... Associated     
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 6  
BSSID............................................ 64:ae:0c:91:94:2f  
Connected For ................................... 45 secs
Channel.......................................... 149
IP Address....................................... 192.168.12.101
Association Id................................... 1  
Authentication Algorithm......................... Open System
Reason Code...................................... 1  
Status Code...................................... 0  

Let’s enable 3502-a & disable 3502-d. As you can see below, since my client already had a vlan12 IP, the client moved to 3502-a without changing its IP.

(4402-c) >config ap enable 3502-a             
(4402-c) >config ap disable 3502-d
(4402-c) >show client summary 
Number of Clients................................ 1
MAC Address       AP Name           Status        WLAN/GLAN      Auth Protocol         Port Wired
----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
04:f7:e4:ea:5b:66 3502-a            Associated    6              Yes  802.11n(5 GHz)   29   No

(4402-c) >show client detail 04:f7:e4:ea:5b:66
Client MAC Address............................... 04:f7:e4:ea:5b:66
Client Username ................................. N/A
AP MAC Address................................... 2c:3f:38:2a:b1:20
AP Name.......................................... 3502-a            
Client State..................................... Associated     
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 6  
BSSID............................................ 2c:3f:38:2a:b1:2f  
Connected For ................................... 30 secs
Channel.......................................... 149
IP Address....................................... 192.168.12.101
Association Id................................... 1  
Authentication Algorithm......................... Open System
Reason Code...................................... 1  
Status Code...................................... 0  
Session Timeout.................................. 0  
Client CCX version............................... No CCX support
Mirroring........................................ Disabled
QoS Level........................................ Silver
802.1P Priority Tag.............................. 3
WMM Support...................................... Enabled
Power Save....................................... OFF
Current Rate..................................... m7
Supported Rates.................................. 6.0,9.0,12.0,18.0,24.0,36.0,
    ............................................. 48.0,54.0
Mobility State................................... Local
Mobility Move Count.............................. 0
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
ACL Name......................................... none
ACL Applied Status............................... Unavailable
NPU Fast Fast Notified........................... Yes
Policy Type...................................... N/A
Encryption Cipher................................ None
Management Frame Protection...................... No
EAP Type......................................... Unknown
Interface........................................ vlan12
VLAN............................................. 12
Quarantine VLAN.................................. 0
Access VLAN...................................... 12

But if you deauthenticate the client & force it to join again, you will see the client get a vlan11 IP.

(4402-c) >show client summary 
Number of Clients................................ 1
MAC Address       AP Name           Status        WLAN/GLAN      Auth Protocol         Port Wired
----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
04:f7:e4:ea:5b:66 3502-a            Associated    6              Yes  802.11n(5 GHz)   29   No

(4402-c) >config client deauthenticate 04:f7:e4:ea:5b:66

(4402-c) >show client detail 04:f7:e4:ea:5b:66
Client MAC Address............................... 04:f7:e4:ea:5b:66
Client Username ................................. N/A
AP MAC Address................................... 2c:3f:38:2a:b1:20
AP Name.......................................... 3502-a            
Client State..................................... Associated     
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 6  
BSSID............................................ 2c:3f:38:2a:b1:2f  
Connected For ................................... 27 secs
Channel.......................................... 149
IP Address....................................... 192.168.11.101
Association Id................................... 1  
Authentication Algorithm......................... Open System
Reason Code...................................... 1  
Status Code...................................... 0

As you can see, with AP groups clients are put into the configured VLANs as they associate to the network. But if they move from one AP to another AP (in a different AP group), the client will keep its original IP address.
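That stale-IP case is easy to miss when you are eyeballing `show client detail`, and it matters when AP groups are used to keep, say, guest and corporate clients on separate VLANs. The checker below is an added example (not code from the post or from Cisco): it parses the dotted `Key..... Value` layout of the output above, joins continuation rows such as the second line of Supported Rates, and compares the client's IP with the subnet its current AP group should place it in. The AP-to-group and group-to-subnet tables are the post's 4402-c configuration; the two sample outputs are trimmed copies of the post's, before and after the deauthentication.

```python
"""Check that a WLC client landed in the VLAN its AP group maps to.

Added example, not code from the original post. parse_dotted_output() reads the
'Key.......... Value' layout of 'show client detail' (continuation rows are joined).
The AP-to-group and group-to-subnet tables are the post's 4402-c configuration; the
check flags a client whose IP is outside the subnet its current AP group maps to,
which is what the post observes right after a roam between AP groups.
"""
import ipaddress


def parse_dotted_output(text):
    """Turn 'Key....... Value' lines into a dict; prompts and blank lines are ignored."""
    fields = {}
    last_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "...." not in line:
            continue
        if line.startswith(".") and last_key is not None:
            fields[last_key] += line.lstrip(". ").strip()  # continuation row
            continue
        key, _, value = line.partition("....")
        last_key = key.strip()
        fields[last_key] = value.lstrip(".").strip()
    return fields


# Per the post: 3502-a is in APG1 (vlan11) and 3502-d in APG2 (vlan12) on 4402-c.
AP_TO_GROUP = {"3502-a": "APG1", "3502-d": "APG2"}
GROUP_TO_SUBNET = {
    "APG1": ipaddress.ip_network("192.168.11.0/24"),
    "APG2": ipaddress.ip_network("192.168.12.0/24"),
}


def check_client_vlan(detail_text, ap_to_group=AP_TO_GROUP, group_to_subnet=GROUP_TO_SUBNET):
    """Return the client's AP, AP group, IP and whether the IP sits in the expected subnet."""
    f = parse_dotted_output(detail_text)
    ap = f["AP Name"]
    if ap not in ap_to_group:
        raise ValueError(f"AP {ap!r} has no AP group in the mapping table")
    group = ap_to_group[ap]
    expected = group_to_subnet[group]
    ip = ipaddress.ip_address(f["IP Address"])
    return {
        "client": f["Client MAC Address"],
        "ap": ap,
        "group": group,
        "ip": str(ip),
        "expected_subnet": str(expected),
        "ok": ip in expected,
    }


# Trimmed copy of the post's output after the client roamed onto 3502-a (APG1) keeping its vlan12 IP.
ROAMED_CLIENT = """\
(4402-c) >show client detail 04:f7:e4:ea:5b:66
Client MAC Address............................... 04:f7:e4:ea:5b:66
Client Username ................................. N/A
AP Name.......................................... 3502-a
Wireless LAN Id.................................. 6
IP Address....................................... 192.168.12.101
Supported Rates.................................. 6.0,9.0,12.0,18.0,24.0,36.0,
    ............................................. 48.0,54.0
Interface........................................ vlan12
VLAN............................................. 12
"""

# Trimmed copy of the post's output after 'config client deauthenticate' and a fresh join.
REJOINED_CLIENT = """\
Client MAC Address............................... 04:f7:e4:ea:5b:66
AP Name.......................................... 3502-a
Wireless LAN Id.................................. 6
IP Address....................................... 192.168.11.101
"""

if __name__ == "__main__":
    for sample in (ROAMED_CLIENT, REJOINED_CLIENT):
        print(check_client_vlan(sample))
```

A result with `ok` false is the signal to deauthenticate the client (as the post does next) rather than assume the AP group placed it where the design says it should be.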

Now let’s see how this works when the APs fail over to the secondary controller (4402-d).

3750-d
interface Vlan41
 ip address 192.168.41.1 255.255.255.0
 ip helper-address 192.168.10.3
!
interface Vlan42
 ip address 192.168.42.1 255.255.255.0
 ip helper-address 192.168.10.3

(4402-d) >config interface create vlan41 41
(4402-d) >config interface address dynamic-interface vlan41 192.168.41.44 255.255.255.0 192.168.41.1
(4402-d) >config interface dhcp dynamic-interface vlan41 primary 192.168.10.3

(4402-d) >config interface create vlan42 42
(4402-d) >config interface address dynamic-interface vlan42 192.168.42.44 255.255.255.0 192.168.42.1
(4402-d) >config interface dhcp dynamic-interface vlan42 primary 192.168.10.3

(4402-d) >config wlan create 6 wlan<16 wlan<16
(4402-d) >config wlan interface 6 vlan41
(4402-d) >config wlan security wpa disable 6
(4402-d) >config wlan enable 6

Let’s configure the secondary controller for two APs.

(4402-c) >config ap secondary-base 4402-d 3502-a 192.168.40.44
(4402-c) >config ap secondary-base 4402-d 3502-d 192.168.40.44

(4402-c) >show ap config general 3502-a
Cisco AP Identifier.............................. 4
Cisco AP Name.................................... 3502-a
Country code..................................... AU  - Australia
Regulatory Domain allowed by Country............. 802.11bg:-A     802.11a:-N
AP Country code.................................. AU  - Australia
AP Regulatory Domain............................. 802.11bg:-A    802.11a:-N 
Switch Port Number .............................. 29
MAC Address...................................... cc:ef:48:72:0b:bd
IP Address Configuration......................... DHCP
IP Address....................................... 192.168.20.61
IP NetMask....................................... 255.255.255.0
Gateway IP Addr.................................. 192.168.20.254
NAT External IP Address.......................... None
CAPWAP Path MTU.................................. 1485
Telnet State..................................... Disabled
Ssh State........................................ Disabled
Cisco AP Location................................ 3750-B Port1
Cisco AP Group Name.............................. APG1
Primary Cisco Switch Name........................ 4402-c
Primary Cisco Switch IP Address.................. 192.168.10.33
Secondary Cisco Switch Name...................... 4402-d
Secondary Cisco Switch IP Address................ 192.168.40.44
Tertiary Cisco Switch Name....................... 
Tertiary Cisco Switch IP Address................. Not Configured

Now if you disconnect 4402-c (or shut down G1/0/1-2) you will see the two APs fail over to 4402-d.

(4402-d) >show ap summary 
Number of APs.................................... 2
Global AP User Name.............................. Not Configured
Global AP Dot1x User Name........................ Not Configured
AP Name             Slots  AP Model              Ethernet MAC       Location          Port  Country  Priority
------------------  -----  --------------------  -----------------  ----------------  ----  -------  ------
3502-a               2     AIR-CAP3502I-N-K9     cc:ef:48:72:0b:bd      3750-B Port1  LAG      AU       1
3502-d               2     AIR-CAP3502I-N-K9     44:d3:ca:af:43:43      3750-A Port4  LAG      AU       3

(4402-d) >show ap config general 3502-a
Cisco AP Identifier.............................. 0
Cisco AP Name.................................... 3502-a
Country code..................................... AU  - Australia
Regulatory Domain allowed by Country............. 802.11bg:-A     802.11a:-N
AP Country code.................................. AU  - Australia
AP Regulatory Domain............................. 802.11bg:-A    802.11a:-N 
Switch Port Number .............................. 29
MAC Address...................................... cc:ef:48:72:0b:bd
IP Address Configuration......................... DHCP
IP Address....................................... 192.168.20.61
IP NetMask....................................... 255.255.255.0
Gateway IP Addr.................................. 192.168.20.254
NAT External IP Address.......................... None
CAPWAP Path MTU.................................. 1485
Telnet State..................................... Disabled
Ssh State........................................ Disabled
Cisco AP Location................................ 3750-B Port1
Cisco AP Group Name.............................. default-group
Primary Cisco Switch Name........................ 4402-c
Primary Cisco Switch IP Address.................. 192.168.10.33
Secondary Cisco Switch Name...................... 4402-d
Secondary Cisco Switch IP Address................ 192.168.40.44
Tertiary Cisco Switch Name....................... 
Tertiary Cisco Switch IP Address................. Not Configured
Administrative State ............................ ADMIN_ENABLED
Operation State ................................. REGISTERED

Since we have not created any AP Group on the secondary controller, by default both APs are put into the default group. So the client gets a vlan41 IP, as that is the interface mapped to the “wlan<16” WLAN.

(4402-d) >show client summary 
Number of Clients................................ 1
MAC Address       AP Name           Status        WLAN/GLAN      Auth Protocol         Port Wired
----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
04:f7:e4:ea:5b:66 3502-a            Associated    6              Yes  802.11n(5 GHz)   29   No

(4402-d) >show client detail 04:f7:e4:ea:5b:66
Client MAC Address............................... 04:f7:e4:ea:5b:66
Client Username ................................. N/A
AP MAC Address................................... 2c:3f:38:2a:b1:20
AP Name.......................................... 3502-a            
Client State..................................... Associated     
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 6  
BSSID............................................ 2c:3f:38:2a:b1:2a  
Connected For ................................... 80 secs
Channel.......................................... 149
IP Address....................................... 192.168.41.101
Association Id................................... 1  
Authentication Algorithm......................... Open System
Reason Code...................................... 1  
Status Code...................................... 0

Now let’s configure the two AP groups that exist on 4402-c and see whether, when fail-over occurs, those two APs go into the correct group as they were in on the primary controller.

(4402-d) >config wlan apgroup add APG1 "AP Group 1"
(4402-d) >config wlan apgroup add APG2 "AP Group 2"

(4402-d) >config wlan apgroup interface-mapping add APG1 6 vlan41
(4402-d) >config wlan apgroup interface-mapping add APG2 6 vlan42

This time you can see 3502-a goes into APG1 whereas 3502-d goes into APG2, as they were on the primary controller.

(4402-d) >show ap summary 
Number of APs.................................... 2
Global AP User Name.............................. Not Configured
Global AP Dot1x User Name........................ Not Configured

AP Name             Slots  AP Model              Ethernet MAC       Location          Port  Country  Priority
------------------  -----  --------------------  -----------------  ----------------  ----  -------  ------
3502-a               2     AIR-CAP3502I-N-K9     cc:ef:48:72:0b:bd      3750-B Port1  LAG      AU       1
3502-d               2     AIR-CAP3502I-N-K9     44:d3:ca:af:43:43      3750-A Port4  LAG      AU       3

(4402-d) >show ap config general 3502-d
Cisco AP Identifier.............................. 3
Cisco AP Name.................................... 3502-d
Country code..................................... AU  - Australia
Regulatory Domain allowed by Country............. 802.11bg:-A     802.11a:-N
AP Country code.................................. AU  - Australia
AP Regulatory Domain............................. 802.11bg:-A    802.11a:-N 
Switch Port Number .............................. 29
MAC Address...................................... 44:d3:ca:af:43:43
IP Address Configuration......................... Static IP assigned
IP Address....................................... 10.10.20.4
IP NetMask....................................... 255.255.255.0
Gateway IP Addr.................................. 10.10.20.1
Domain........................................... 
Name Server...................................... 
NAT External IP Address.......................... None
CAPWAP Path MTU.................................. 1485
Telnet State..................................... Disabled
Ssh State........................................ Disabled
Cisco AP Location................................ 3750-A Port4
Cisco AP Group Name.............................. APG2
Primary Cisco Switch Name........................ 4402-c
Primary Cisco Switch IP Address.................. 192.168.10.33
Secondary Cisco Switch Name...................... 4402-d
Secondary Cisco Switch IP Address................ 192.168.40.44
Tertiary Cisco Switch Name....................... 
Tertiary Cisco Switch IP Address................. Not Configured
Administrative State ............................ ADMIN_ENABLED
Operation State ................................. REGISTERED

(4402-d) >show ap config general 3502-a
Cisco AP Identifier.............................. 2
Cisco AP Name.................................... 3502-a
Country code..................................... AU  - Australia
Regulatory Domain allowed by Country............. 802.11bg:-A     802.11a:-N
AP Country code.................................. AU  - Australia
AP Regulatory Domain............................. 802.11bg:-A    802.11a:-N 
Switch Port Number .............................. 29
MAC Address...................................... cc:ef:48:72:0b:bd
IP Address Configuration......................... DHCP
IP Address....................................... 192.168.20.61
IP NetMask....................................... 255.255.255.0
Gateway IP Addr.................................. 192.168.20.254
NAT External IP Address.......................... None
CAPWAP Path MTU.................................. 1485
Telnet State..................................... Disabled
Ssh State........................................ Disabled
Cisco AP Location................................ 3750-B Port1
Cisco AP Group Name.............................. APG1
Primary Cisco Switch Name........................ 4402-c
Primary Cisco Switch IP Address.................. 192.168.10.33
Secondary Cisco Switch Name...................... 4402-d

You can verify clients get vlan42 or vlan41 IPs depending on which AP they are associated to (3502-d and 3502-a respectively).

(4402-d) >config ap disable 3502-a
(4402-d) >show client summary 
Number of Clients................................ 1
MAC Address       AP Name           Status        WLAN/GLAN      Auth Protocol         Port Wired
----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
04:f7:e4:ea:5b:66 3502-d            Associated    6              Yes  802.11n(5 GHz)   29   No

(4402-d) >show client detail 04:f7:e4:ea:5b:66
Client MAC Address............................... 04:f7:e4:ea:5b:66
Client Username ................................. N/A
AP MAC Address................................... 64:ae:0c:91:94:20
AP Name.......................................... 3502-d            
Client State..................................... Associated     
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 6  
BSSID............................................ 64:ae:0c:91:94:2f  
Connected For ................................... 35 secs
Channel.......................................... 36 
IP Address....................................... 192.168.42.101
Association Id................................... 1  
Authentication Algorithm......................... Open System
Reason Code...................................... 1  
Status Code...................................... 0

Therefore it is important to configure AP groups on the primary, secondary and tertiary controllers in the same manner if you want to advertise the same set of WLANs mapped to the required dynamic interfaces.

As an exercise you can try to use a WLAN ID greater than 16 (called “wlan>16”) and see how it works in a similar scenario.


Rogue Classification


Rogue detection is enabled by default on a Wireless LAN Controller and you can view detected rogue APs in the “Monitor > Rogue > Unclassified APs” section. Here is a screen capture of that on one of my controllers.

Rogue-AP-01

In a typical campus environment there are lots of other APs around. Some of them are not posing a threat and can be classified as friendly. Most of them belong to 3rd party shops, other organizations sharing the premises, etc. These APs you can categorize as “Friendly External”. Another category of friendly APs is “Internal”, which means they belong to your organization but are not managed by your WLCs. You can categorize them as “Friendly Internal”.

Let’s create a Rogue Rule to classify APs which advertise known SSIDs (belonging to another organization in your premises) as Friendly External. You can do this via the GUI in the “Security > Wireless Protection Policies > Rogue Rules” section. You have to give a Rule Name and Rule Type as “Friendly” with State as “External”.

Rogue-AP-02

Once you create the rule, you can add conditions. In this example we will use SSID as the condition and “match any” as the match operation. If you configure “match all”, all conditions have to be met in order to classify an AP as Friendly External. In this example we will configure APs advertising the “SuniTAFE-STUDENTS”, “SuniTAFE-STAFF” and “SuniTAFE-Guest” SSIDs as Friendly External.

Rogue-AP-03

Here is the complete list of conditions which can be used for rogue classification.

1. SSID—Requires that the rogue access point have a specific user-configured SSID. If you choose this option, enter the SSID in the User Configured SSID text box, and click Add SSID.
2. RSSI—Requires that the rogue access point have a minimum received signal strength indication (RSSI) value. For example, if the rogue access point has an RSSI that is greater than the configured value, then the access point could be classified as malicious. If you choose this option, enter the minimum RSSI value in the Minimum RSSI text box. The valid range is -95 to -50 dBm (inclusive), and the default value is 0 dBm.
3. Duration—Requires that the rogue access point be detected for a minimum period of time. If you choose this option, enter a value for the minimum detection period in the Time Duration text box. The valid range is 0 to 3600 seconds (inclusive), and the default value is 0 seconds.
4. Client Count—Requires that a minimum number of clients be associated to the rogue access point. For example, if the number of clients associated to the rogue access point is greater than or equal to the configured value, then the access point could be classified as malicious. If you choose this option, enter the minimum number of clients to be associated to the rogue access point in the Minimum Number of Rogue Clients text box. The valid range is 1 to 10 (inclusive), and the default value is 0.
5. No Encryption—Requires that the rogue access point’s advertised WLAN does not have encryption enabled. If a rogue access point has encryption disabled, it is likely that more clients will try to associate to it. No further configuration is required for this option.
6. Managed SSID—Requires that the rogue access point’s managed SSID (the SSID configured for the WLAN) be known to the controller. No further configuration is required for this option.

Note: The SSID and Managed SSID conditions cannot be used with the Match All operation because these two SSID lists are mutually exclusive. If you define a rule with Match All and have these two conditions configured, the rogue access points are never classified as friendly or malicious because one of the conditions can never be met.

You can configure up to 64 rogue classification rules per controller using the controller GUI or CLI. If you look at the controller configuration you will see the following CLI commands related to rogue classification.

 config rogue rule add ap priority 1 classify friendly notify all state external SuniTAFE
 config rogue rule match any SuniTAFE
 config rogue rule condition ap set ssid SuniTAFE-GUEST SuniTAFE
 config rogue rule condition ap set ssid SuniTAFE-STAFF SuniTAFE
 config rogue rule condition ap set ssid SuniTAFE-STUDENTS SuniTAFE
 config rogue rule enable SuniTAFE

The above shows the rogue classification configuration from one of my production WLCs, which runs WLC 7.4.100.6 software.

We will see how to configure this on WLC 7.0.116.0, which is the version in the CCIEW v2.0 lab exam. Here is how you can create a Rogue Rule under the Security section.

Rogue-AP-04

Rogue-AP-05

As you can see, in this version you cannot set the STATE to one of “Internal, External or Alert” in the global rule setting. You can change it to either “Internal” or “External” by clicking each individual AP. By default it is set to “Internal”.

Rogue-AP-06

Now if you go to “Monitor > Rogue > Friendly AP” you will see something like this.

Rogue-AP-07

You can configure this feature via the CLI as well. Here are the steps to do that via the CLI.

(WLC2) >config rogue ?               
adhoc          Configures adhoc rogue (IBSS).
ap             Configures rogue access points.
auto-contain   Configures rogue auto-containment parameters.
client         Configures rogue clients.
detection      Configures APs to detect rogue devices and configure reporting interval for monitor-mode APs
rule           Configures rogue classification rules.

(WLC2) >config rogue rule ?               
add            Adds a rule with Match Any criteria. Maximum of 64 rules are allowed.
classify       Classifies a rule.
condition      Configures a condition.
delete         Deletes a rule.
disable        Disables a rule.
enable         Enables a rule.
match          Configures matching criteria for a rule.
priority       Configures rule priority.

(WLC2) >config rogue rule add ?               
ap             Configures rules for APs.

(WLC2) >config rogue rule add ap ?               
priority       Configures priority for a rule.

(WLC2) >config rogue rule add ap priority 1 ?               
classify       Classifies a rule.

(WLC2) >config rogue rule add ap priority 1 classify friendly ?             
<rule-name>    Rogue classification rule name.

(WLC2) >config rogue rule add ap priority 1 classify friendly ROGUE-1
Rule 'ROGUE-1' created successfully. Use 'config rogue rule enable ROGUE-1' to activate the rule.

(WLC2) >config rogue rule match any ROGUE-1
Rule is already set to this match operation.

(WLC2) >config rogue rule condition ?               
ap             Configures condition for the APs.

(WLC2) >config rogue rule condition ap ?               
set            Configures a condition for the rule.
delete         Deletes a condition from the rule.

(WLC2) >config rogue rule condition ap set ?              
client-count   Requires a minimum number of clients to be associated with the rogue AP.
duration       Requires that the rogue has been detected for a minimum period of time.
managed-ssid   Requires the SSID to be known to the controller.
no-encryption  Requires that the advertised WLAN does not have encryption enabled.
rssi           Requires a minimum RSSI value.
ssid           Requires a specific SSID.

(WLC2) >config rogue rule condition ap set ssid ?             
<ssid>         Enter SSID name.

(WLC2) >config rogue rule condition ap set ssid mrn-cciew ?               
<rule-name>    Rogue classification rule name.

(WLC2) >config rogue rule condition ap set ssid mrn-cciew ROGUE-1

(WLC2) >config rogue rule enable ROGUE-1

You can verify using the following CLI commands.

(WLC2) >show rogue rule summary 
Priority Rule Name               State    Type          Match Hit Count
-------- ----------------------- -------- ------------- ----- ---------
1        ROGUE-1                 Enabled  Friendly      Any   1 

(WLC2) >show rogue rule detailed ROGUE-1
Priority......................................... 1
Rule Name........................................ ROGUE-1
State............................................ Enabled
Type............................................. Friendly
Match Operation.................................. Any
Hit Count........................................ 1
Total Conditions................................. 1
Condition 1
    type......................................... Ssid
    SSID Count................................... 1
    SSID 1....................................... mrn-cciew

(WLC2) >show rogue ap summary 
Rogue on wire Auto-Contain....................... Disabled
Rogue using our SSID Auto-Contain................ Disabled
Valid client on rogue AP Auto-Contain............ Disabled
Rogue AP timeout................................. 1200
Monitor Mode Report Interval..................... 10

MAC Address        Classification     # APs # Clients Last Heard             
-----------------  ------------------ ----- --------- -----------------------
00:26:99:34:20:60  Friendly           1     0         Sat Jun  1 22:48:27 2013
00:26:99:34:20:6e  Unclassified       1     0         Sat Jun  1 22:42:29 2013
00:26:99:34:20:6f  Friendly           1     0         Sat Jun  1 22:48:27 2013
9c:c7:a6:29:e1:99  Friendly           1     0         Sat Jun  1 22:48:27 2013

(WLC2) >show rogue ap detailed 9c:c7:a6:29:e1:99       
Rogue BSSID...................................... 9c:c7:a6:29:e1:99
Is Rogue on Wired Network........................ No
Classification................................... Friendly        
Manual Contained................................. No              
State............................................ External           
First Time Rogue was Reported.................... Sat Jun  1 22:29:57 2013
Last Time Rogue was Reported..................... Sat Jun  1 22:48:27 2013
Reported By
    AP 1
        MAC Address.............................. a0:cf:5b:9e:e8:20  
        Name..................................... LAP2
        Radio Type............................... 802.11n5G
        SSID..................................... mrn-cciew
        Channel.................................. (44,48)
        RSSI..................................... -25 dBm
        SNR...................................... 71 dB
        Encryption............................... Enabled
        ShortPreamble............................ Not Supported
        WPA Support.............................. Enabled
        Last reported by this AP................. Sat Jun  1 22:48:27 2013

(WLC2) >show rogue ap detailed 00:26:99:34:20:60
Rogue BSSID...................................... 00:26:99:34:20:60
Is Rogue on Wired Network........................ No
Classification................................... Friendly        
Manual Contained................................. No              
Rule Name........................................ ROGUE-1         
State............................................ Alert              
First Time Rogue was Reported.................... Sat Jun  1 22:39:30 2013
Last Time Rogue was Reported..................... Sat Jun  1 22:54:25 2013
Reported By
    AP 1
        MAC Address.............................. a0:cf:5b:9e:e8:20  
        Name..................................... LAP2
        Radio Type............................... 802.11a
        SSID..................................... mrn-cciew
        Channel.................................. 36
        RSSI..................................... -79 dBm
        SNR...................................... 18 dB
        Encryption............................... Enabled
        ShortPreamble............................ Not Supported
        WPA Support.............................. Enabled
        Last reported by this AP................. Sat Jun  1 22:54:25 2013

You can change a Rogue AP’s state as below.

(WLC2) >config rogue ap classify ?              
friendly       Configures rogue access point classification to friendly.
malicious      Configures rogue access point classification to malicious.
unclassified   Configures rogue access point classification to unclassified.

(WLC2) >config rogue ap classify friendly ?               
state          Configures rogue access points rogue state.

(WLC2) >config rogue ap classify friendly state ?               
external       Acknowledge presence of an access point.
internal       Trust a foreign access point.

(WLC2) >config rogue ap classify friendly state internal ?               
<MAC addr>     Enter the MAC address of the rogue AP (e.g. 01:01:01:01:01:01).

(WLC2) >config rogue ap classify friendly state internal 00:26:99:34:20:60
(WLC2) >config rogue ap classify friendly state internal 9c:c7:a6:29:e1:99

Now let’s say you have a few other SSIDs to add to the list as “Friendly AP”; you can do it like this. In my example I will configure APs advertising the “LTUWireless2” and “eduroam” SSIDs as friendly as well.

(WLC2) >config rogue rule condition ap set ssid LTUWireless2 ROGUE-1
(WLC2) >config rogue rule condition ap set ssid eduroam ROGUE-1

(WLC2) >show rogue rule detailed ROGUE-1                  
Priority......................................... 1
Rule Name........................................ ROGUE-1
State............................................ Disabled
Type............................................. Friendly
Match Operation.................................. Any
Hit Count........................................ 1
Total Conditions................................. 1
Condition 1
    type......................................... Ssid
    SSID Count................................... 3
    SSID 1....................................... LTUWireless2
    SSID 2....................................... eduroam
    SSID 3....................................... mrn-cciew

Now we will add another condition: only APs whose beacons for these SSIDs are heard above -90 dBm will be classified as Friendly rogues. In this case you have to have 3 rules, each with match operation “all” (both SSID and RSSI). We will delete the existing condition and write the 3 new rules as below.

(WLC2) >config rogue rule condition ap delete all ROGUE-1

config rogue rule add ap priority 1 classify friendly ROGUE-1
config rogue rule match all ROGUE-1
config rogue rule condition ap set ssid mrn-cciew ROGUE-1
config rogue rule condition ap set rssi -90 ROGUE-1
config rogue rule enable ROGUE-1

config rogue rule add ap priority 2 classify friendly ROGUE-2
config rogue rule match all ROGUE-2
config rogue rule condition ap set ssid LTUWireless2 ROGUE-2
config rogue rule condition ap set rssi -90 ROGUE-2
config rogue rule enable ROGUE-2

config rogue rule add ap priority 3 classify friendly ROGUE-3
config rogue rule match all ROGUE-3
config rogue rule condition ap set ssid eduroam ROGUE-3
config rogue rule condition ap set rssi -90 ROGUE-3
config rogue rule enable ROGUE-3

(WLC2) >show rogue rule summary 
Priority Rule Name               State    Type          Match Hit Count
-------- ----------------------- -------- ------------- ----- ---------
1        ROGUE-1                 Enabled  Friendly      All   1       
2        ROGUE-2                 Enabled  Friendly      All   0       
3        ROGUE-3                 Enabled  Friendly      All   1       

(WLC2) >show rogue rule detailed ROGUE-1
Priority......................................... 1
Rule Name........................................ ROGUE-1
State............................................ Enabled
Type............................................. Friendly
Match Operation.................................. All
Hit Count........................................ 1
Total Conditions................................. 2
Condition 1
    type......................................... Rssi
    value (dBm).................................. -90
Condition 2
    type......................................... Ssid
    SSID Count................................... 1
    SSID 1....................................... mrn-cciew

(WLC2) >show rogue rule detailed ROGUE-2
Priority......................................... 2
Rule Name........................................ ROGUE-2
State............................................ Enabled
Type............................................. Friendly
Match Operation.................................. All
Hit Count........................................ 0
Total Conditions................................. 2
Condition 1
    type......................................... Rssi
    value (dBm).................................. -90
Condition 2
    type......................................... Ssid
    SSID Count................................... 1
    SSID 1....................................... LTUWireless2

(WLC2) >show rogue rule detailed ROGUE-3
Priority......................................... 3
Rule Name........................................ ROGUE-3
State............................................ Enabled
Type............................................. Friendly
Match Operation.................................. All
Hit Count........................................ 1
Total Conditions................................. 2
Condition 1
    type......................................... Rssi
    value (dBm).................................. -90
Condition 2
    type......................................... Ssid
    SSID Count................................... 1
    SSID 1....................................... eduroam

In a future post we will look at how to manage these Rogue APs (containment).


WLC – DHCP Option 82 Configuration Example


In this post we will do a configuration example for DHCP option 82 on the WLC 7.0.116.0 release (later releases have additional options; refer to the specific config guides). As you are aware, with the DHCP option 82 feature the DHCP relay (the WLC in this case) adds some additional information to the DHCP request payload, which is verified by the DHCP server prior to issuing an IP. (Refer to the “Understanding DHCP Option 82” post for a basic understanding of this feature.)

Here is the topology for this post. When users connect to the “data-13” WLAN via LAP1 they will get IP addresses in the range 192.168.13.101-120, whereas connecting via LAP2 they will get addresses in the range 192.168.13.201-220.

DHCP82-Example-01

First of all you need to define the DHCP pool on CAT2 using an option called DHCP class.

ip dhcp pool VLAN13
   network 192.168.13.0 255.255.255.0
   default-router 192.168.13.1 
   domain-name mrn.com
   dns-server 192.168.200.1 
   class LAP2
      address range 192.168.13.201 192.168.13.220
   class LAP1
      address range 192.168.13.101 192.168.13.120

Then you have to define the DHCP classes according to how you want to differentiate user IP ranges when they connect to the WLAN, based on their location (or point of attachment). The DHCP class configuration has the following syntax.

ip dhcp class <class_name>
relay agent information
relay-information hex <string>

NOTE – the “STRING” can be divided into the following parts: “circuit-id” + “agent_type” + “length_of_remote-id” + “remote-id”.

  • Circuit-id – 010400000000 – This is fixed for all Cisco wireless controllers.
  • Agent_Type – 02 – This is fixed for all Cisco wireless controllers.
  • Length of Remote-id – This is not fixed and varies based on the “remote-id”. If you select AP-ETHMAC or AP-MAC it would be “06” since it is 6 bytes long. For AP-MAC-SSID it will vary, as the SSID name length can vary.
  • Remote-id – value of the DHCP Option-82 attribute configured on the wireless controller. In 7.0.116 WLC code it can be AP-MAC (by default), AP-ETHMAC or AP-MAC-SSID.

In our example we will use “AP-ETHMAC” as the remote-id. Therefore the string will be in the format “0104000000000206<AP-ETHMAC>”. You can easily verify the AP-ETHMAC with the “show ap summary” command.

(WLC3) >show ap summary 
Number of APs.................................... 2
Global AP User Name.............................. Not Configured
Global AP Dot1x User Name........................ Not Configured
AP Name             Slots  AP Model              Ethernet MAC       Location          Port  Country  Priority
------------------  -----  --------------------  -----------------  ----------------  ----  -------  ------
LAP2                 2     AIR-LAP1131AG-N-K9    00:1e:7a:be:e0:fe       CAT2-FA1011  1        AU       1
LAP1                 2     AIR-CAP3502I-N-K9     cc:ef:48:8c:fd:41          CAT4-F03  1        AU       1

Based on this you can add the DHCP class configuration to CAT2.

ip dhcp class LAP2
   relay agent information
      relay-information hex 0104000000000206001e7abee0fe
ip dhcp class LAP1
   relay agent information
      relay-information hex 0104000000000206ccef488cfd41
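
As an added example (not Cisco IOS or WLC code), here is a Python helper that builds and decodes the relay-information hex string the DHCP classes above expect, so you can generate the class entries from an AP list and check a captured string before trusting it. The circuit-id value comes from the post; the byte layout assumed for the apmac:ssid format and the exact-match class comparison are assumptions.

```python
"""DHCP option 82 relay-information builder/parser.

Added example, not Cisco IOS or WLC code. Option 82 carries sub-options in
code/length/value form (RFC 3046): circuit-id is sub-option 1, remote-id is
sub-option 2. The WLC's fixed circuit-id (01 04 00000000) is from the post;
the apmac:ssid byte layout is an assumption.
"""
from typing import Dict, Optional

# Fixed circuit-id sub-option sent by the WLC: code 01, length 04, value 00000000
CIRCUIT_ID = bytes.fromhex("010400000000")

# The two classes configured on CAT2 above
PAGE_CLASSES = {
    "LAP2": "0104000000000206001e7abee0fe",
    "LAP1": "0104000000000206ccef488cfd41",
}


def mac_bytes(mac: str) -> bytes:
    """'cc:ef:48:8c:fd:41' (or ccef.488c.fd41) -> 6 raw bytes."""
    digits = mac.replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address {mac!r}")
    return bytes.fromhex(digits)


def remote_id(fmt: str, radio_mac: str, eth_mac: str, ssid: Optional[str] = None) -> bytes:
    """Remote-id value for the three 'config dhcp opt-82 remote-id' formats."""
    if fmt == "ap-ethmac":
        return mac_bytes(eth_mac)
    if fmt == "ap-mac":
        return mac_bytes(radio_mac)
    if fmt == "apmac:ssid":
        # Assumed layout: 6 raw radio MAC bytes, ':' and the SSID as ASCII.
        if ssid is None:
            raise ValueError("apmac:ssid format needs an SSID")
        return mac_bytes(radio_mac) + b":" + ssid.encode("ascii")
    raise ValueError(f"unknown remote-id format {fmt!r}")


def relay_information_hex(remote: bytes) -> str:
    """circuit-id + remote-id sub-option (code 02, one-byte length, value)."""
    if len(remote) > 255:
        raise ValueError("remote-id too long for a one-byte length field")
    return (CIRCUIT_ID + bytes([0x02, len(remote)]) + remote).hex()


def parse_relay_information(hexstr: str) -> Dict[int, bytes]:
    """Decode an option 82 payload into {sub-option code: value}.
    Rejects truncated headers and length fields that run past the data."""
    data = bytes.fromhex(hexstr)
    out: Dict[int, bytes] = {}
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated sub-option header")
        code, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"sub-option {code} claims {length} bytes, only {len(value)} present")
        out[code] = value
        i += 2 + length
    return out


def match_dhcp_class(hexstr: str, classes: Dict[str, str]) -> Optional[str]:
    """First class whose relay-information pattern equals the received payload.
    Modelled as an exact byte comparison (an assumption about the IOS matcher)."""
    received = bytes.fromhex(hexstr)
    for name, pattern in classes.items():
        if bytes.fromhex(pattern) == received:
            return name
    return None


if __name__ == "__main__":
    # Radio MACs below are constructed; Ethernet MACs are from 'show ap summary' above
    for name, radio, eth in [("LAP2", "00:1e:7a:be:e0:00", "00:1e:7a:be:e0:fe"),
                             ("LAP1", "2c:3f:38:2a:b1:20", "cc:ef:48:8c:fd:41")]:
        for fmt in ("ap-ethmac", "ap-mac", "apmac:ssid"):
            h = relay_information_hex(remote_id(fmt, radio, eth, "data-13"))
            print(f"{name} {fmt:<10} {h}  class={match_dhcp_class(h, PAGE_CLASSES)}")
```

Only the ap-ethmac strings match the classes on CAT2; generating the ap-mac and apmac:ssid variants shows why the WLC's default remote-id format has to be changed in the steps that follow.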

Now you can go to CAT4 and define the SVI for the “data-13” WLAN. Remember to configure the “ip helper-address” command to specify the DHCP server address.

interface Vlan13
 ip address 192.168.13.1 255.255.255.0
 ip helper-address 10.10.10.3

Next you can configure the dynamic interface and WLAN on WLC3 as shown below. I have used “open” authentication for simplicity.

config interface create vlan13 13
config interface address dynamic-interface vlan13 192.168.13.30 255.255.255.0 192.168.13.1
config interface dhcp dynamic-interface vlan13 primary 10.10.10.3
config interface port vlan13 1
config wlan create 13 data-13 data-13
config wlan interface 13 vlan13
config wlan security wpa disable 13
config wlan enable 13

Once configured you can check the “DHCP Option 82” setting of the vlan13 interface with the “show interface detailed vlan13” CLI command.

(WLC3) >show interface detailed vlan13

Interface Name................................... vlan13
MAC Address...................................... 00:1b:d5:cf:e6:00
IP Address....................................... 192.168.13.30
IP Netmask....................................... 255.255.255.0
IP Gateway....................................... 192.168.13.1
External NAT IP State............................ Disabled
External NAT IP Address.......................... 0.0.0.0
VLAN............................................. 13        
Quarantine-vlan.................................. 0
Physical Port.................................... 1         
Primary DHCP Server.............................. 10.10.10.3
Secondary DHCP Server............................ Unconfigured
DHCP Option 82................................... Disabled
ACL.............................................. Unconfigured
AP Manager....................................... No
Guest Interface.................................. No
L2 Multicast..................................... Enabled

You can enable this on the vlan13 interface via the following CLI command. In 7.0.116.0 this cannot be done via the GUI (in later releases you can do this via the GUI).

config interface dhcp dynamic-interface vlan13 option-82 enable

Now you can verify the Remote-ID format set by the WLC using the “show dhcp opt-82” CLI command. As you can see it is set to “AP radio MAC address”, which is not what we want. Since we have configured our DHCP classes on the server to check the “AP Ethernet MAC address”, we have to change this default behavior as follows.

(WLC3) >show dhcp opt-82 
DHCP Opt-82 RID Format: <AP radio MAC address>

(WLC3) >config dhcp opt-82 ?
remote-id      Set Format for RemoteId field in DHCP option 82               

(WLC3) >config dhcp opt-82 remote-id ?
ap-mac         Set RemoteID format as <AP radio MAC address>
apmac:ssid     Set RemoteID format as <AP radio MAC address>:<SSID>
ap-ethmac      Set RemoteID format as <AP Ethernet MAC address>

(WLC3) >config dhcp opt-82 remote-id ap-ethmac

This can be done via the GUI as well, under “Controller > Advanced > DHCP”, as shown below. It is worth noting that the “DHCP Proxy” feature needs to be enabled (the default) for option 82 to work; otherwise client DHCP requests pass transparently to the DHCP server and the WLC does not modify them. Note also that the server simply trusts whatever relay information the WLC inserted; nothing in option 82 is authenticated, so the address-range selection is only as trustworthy as the path between the WLC and the DHCP server.

DHCP82-Example-02

Now it is ready to test. You can verify the option 82 information with “debug ip dhcp server class” on CAT2 (the DHCP server). First we disable LAP2 and let the client associate to LAP1. You should see DHCP debug output similar to the following, stating that the input relay information matches class LAP1 (the remote ID at the end of the string is the AP’s Ethernet MAC).

CAT2#debug ip dhcp server class 
DHCP server class debugging is on.
*Mar  7 02:08:21.542 AEDT: DHCPD: Class 'LAP2' matched by default
*Mar  7 02:08:21.542 AEDT: DHCPD: Searching for a match to 'relay-information 0104000000000206ccef488cfd41' in class LAP2
*Mar  7 02:08:21.542 AEDT: DHCPD: Class 'LAP1' matched by default
*Mar  7 02:08:21.542 AEDT: DHCPD: Searching for a match to 'relay-information 0104000000000206ccef488cfd41' in class LAP1
*Mar  7 02:08:21.542 AEDT: DHCPD: input pattern 'relay-information 0104000000000206ccef488cfd41' matches class LAP1
*Mar  7 02:08:21.542 AEDT: DHCPD: input matches class LAP1

You can verify the client got an IP from the correct range (192.168.13.101-120).

CAT2#sho ip dhcp binding 
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
192.168.13.101      0104.f7e4.ea5b.66       Mar 08 1993 02:08 AM    Automatic

Now try associating the same client via LAP2: clear the DHCP binding, disable LAP1 and enable LAP2 as shown below.

CAT2#clear ip dhcp binding 192.168.13.101

(WLC3) >config ap disable LAP1
(WLC3) >config ap enable LAP2

This time you should see output similar to the following in CAT2’s “debug ip dhcp server class”. Notice that the DHCP relay information now matches the class defined for LAP2, which includes LAP2’s Ethernet MAC address (001e7abee0fe) as part of the string.

CAT2#
*Mar  7 03:30:34.067 AEDT: DHCPD: Class 'LAP1' matched by default
*Mar  7 03:30:34.067 AEDT: DHCPD: Searching for a match to 'relay-information 0104000000000206001e7abee0fe' in class LAP1
*Mar  7 03:30:36.148 AEDT: DHCPD: Class 'LAP2' matched by default
*Mar  7 03:30:36.148 AEDT: DHCPD: Searching for a match to 'relay-information 0104000000000206001e7abee0fe' in class LAP2
*Mar  7 03:30:36.148 AEDT: DHCPD: input pattern 'relay-information 0104000000000206001e7abee0fe' matches class LAP2
*Mar  7 03:30:36.148 AEDT: DHCPD: input matches class LAP2

This time the same client gets an IP from 192.168.13.201-220 because it is connected via LAP2.

CAT2#show ip dhcp binding 
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
192.168.13.201      0104.f7e4.ea5b.66       Mar 08 1993 03:30 AM    Automatic

Once the basic configuration works as above you can experiment with further tweaking.

You can refer following Cisco document(DOC-28639) for additional information of this feature.

DHCP Option 82 – Service Provider Wi-Fi

Related Posts

1. Understanding DHCP
2. Understanding DHCP Snooping
3. Understanding DHCP Option 43
4. Understanding DHCP Option 82
5. Hex to String Conversion


Hex to String Conversion


While playing with the DHCP option 82 feature on the WLC I came across the option to set “AP-MAC:SSID” as the remote ID. Rather than rely on the debug output, I wanted to work out the hex value of that remote ID by hand. If you are comfortable with string-to-hex conversion you can do that.

For example, if your WLAN name is “data-13”, the equivalent hex string is “64 61 74 61 2d 31 33”. You can do the conversion with the following table (refer to an ASCII-DEC-HEX conversion table for the full list).

Therefore, if your AP radio MAC address is “64a0e7af4740”, the option 82 remote ID string would be “64a0e7af47403a646174612d3133” in the format <ap-radio-mac>:<ssid> (3a is the hex for “:”).

Hex-String-01
Hex-String-02

If you look at the “debug ip dhcp server class” output you can confirm the above. The DHCP relay agent information option (option 82) is a list of sub-options, each encoded as <sub-option code><length><value>: code 01 is the Circuit ID and code 02 is the Remote ID. In the output below the relay information is 010400000000022764a0e7af47403a646174612d313300000000000000000000000000000000000000000000000000, which breaks down as 01 04 00000000 (Circuit ID, four zero bytes) followed by 02 27 (Remote ID, length 0x27 = 39 bytes) and then the remote ID itself.
The MAC, the “:” and the SSID only take 14 of those 39 bytes, so the WLC pads the rest with zeros.

Here is the output of “debug ip dhcp server class” when the DHCP class is configured with relay information of the <ap-mac>:<ssid> form.

*Mar  1 16:21:07.793: DHCPD: Class 'LAP1' matched by default
*Mar  1 16:21:07.793: DHCPD: Searching for a match to 'relay-information 010400000000022764a0e7af47403a646174612d313300000000000000000000000000000000000000000000000000' in class LAP1
*Mar  1 16:21:12.206: DHCPD: Class 'LAP2' matched by default
*Mar  1 16:21:12.206: DHCPD: Searching for a match to 'relay-information 010400000000022764a0e7af47403a646174612d313300000000000000000000000000000000000000000000000000' in class LAP2
*Mar  1 16:21:12.206: DHCPD: input pattern 'relay-information 010400000000022764a0e7af47403a646174612d313300000000000000000000000000000000000000000000000000' matches class LAP2
*Mar  1 16:21:12.206: DHCPD: input matches class LAP2

Let’s do another conversion. If you define your SSID as “mrn-cciew”, the equivalent hex is “6d726e2d6363696577”. If you configure this WLAN on the same WLC where LAP2 (radio MAC 64a0e7af4740) is joined, the remote ID should start with “64a0e7af47403a6d726e2d6363696577”, padded with zeros to fill the 39-byte field.
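
The two conversions above, and the relay-information strings in the option 82 post before this one, can be produced and checked mechanically. The Python below is an added example (not from the original post, nor Cisco code): it encodes the relay agent information option the way the WLC does, as a Circuit ID sub-option (code 1, length 4, value 00000000) followed by a Remote ID sub-option (code 2) whose value is the raw AP MAC for ap-mac/ap-ethmac, or the MAC, a “:” and the SSID zero-padded to 39 bytes for apmac:ssid, and it decodes such a string back into its parts. The sub-option layout and the 39-byte field size are taken from the debug output on this page, not from any WLC documentation; the function names are mine.

```python
"""Build and decode the DHCP option 82 (relay agent information) strings a
Cisco WLC inserts, in the hex layout IOS prints under
'debug ip dhcp server class' and accepts in 'relay-information hex'.

Added example, not from the original post.  Layout assumed from the page:
  sub-option 1 (Circuit ID)  length 4, value 00000000
  sub-option 2 (Remote ID)   length 6 for ap-mac / ap-ethmac (raw MAC),
                             length 39 (0x27) for apmac:ssid, zero padded
"""
from __future__ import annotations

CIRCUIT_ID_SUBOPT = 1
REMOTE_ID_SUBOPT = 2
APMAC_SSID_FIELD_LEN = 39   # 0x27, as observed in the debug output on the page


def _mac_bytes(mac: str) -> bytes:
    """Accept 64a0.e7af.4740, 64:a0:e7:af:47:40 or 64a0e7af4740."""
    digits = mac.replace(".", "").replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return bytes.fromhex(digits)


def build_remote_id(fmt: str, ap_mac: str, ssid: str | None = None) -> bytes:
    """Remote ID value for 'config dhcp opt-82 remote-id <fmt>'."""
    mac = _mac_bytes(ap_mac)
    if fmt in ("ap-mac", "ap-ethmac"):
        return mac                                   # 6 raw bytes, no padding
    if fmt == "apmac:ssid":
        if ssid is None:
            raise ValueError("apmac:ssid format needs an SSID")
        value = mac + b":" + ssid.encode("ascii")    # 3a is the ':' separator
        if len(value) > APMAC_SSID_FIELD_LEN:
            raise ValueError("MAC:SSID does not fit in the 39-byte field")
        return value.ljust(APMAC_SSID_FIELD_LEN, b"\x00")   # zero padding
    raise ValueError(f"unknown remote-id format {fmt!r}")


def build_relay_information(fmt: str, ap_mac: str, ssid: str | None = None) -> str:
    """Hex string for the 'relay-information hex ...' line of an IOS DHCP class."""
    circuit_id = b"\x00\x00\x00\x00"                 # the WLC sends four zero bytes
    remote_id = build_remote_id(fmt, ap_mac, ssid)
    opt = (bytes([CIRCUIT_ID_SUBOPT, len(circuit_id)]) + circuit_id
           + bytes([REMOTE_ID_SUBOPT, len(remote_id)]) + remote_id)
    return opt.hex()


def parse_relay_information(hex_str: str) -> dict:
    """Decode a relay-information hex string back into its sub-options."""
    data = bytes.fromhex(hex_str)
    result: dict = {}
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated sub-option header")
        code, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"sub-option {code} claims {length} bytes, got {len(value)}")
        i += 2 + length
        if code == CIRCUIT_ID_SUBOPT:
            result["circuit_id"] = value.hex()
        elif code == REMOTE_ID_SUBOPT:
            result["remote_id_len"] = length
            result["ap_mac"] = ":".join(f"{b:02x}" for b in value[:6])
            # apmac:ssid form: MAC, ':' separator, SSID, then zero padding
            if length > 6 and value[6:7] == b":":
                result["ssid"] = value[7:].rstrip(b"\x00").decode("ascii")
        else:
            result[f"suboption_{code}"] = value.hex()
    return result


if __name__ == "__main__":
    # Reproduces the strings seen in the debug output on the page
    print(build_relay_information("ap-ethmac", "ccef.488c.fd41"))
    print(build_relay_information("apmac:ssid", "64a0.e7af.4740", "data-13"))
    print(parse_relay_information(
        build_relay_information("apmac:ssid", "64a0.e7af.4740", "mrn-cciew")))
```

Paste the result of build_relay_information straight into the relay-information hex line of the IOS class, and run parse_relay_information over the string from “debug ip dhcp server class” when a class refuses to match: a wrong MAC, a stale SSID or a missing byte of padding shows up immediately instead of being hunted for by eye.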

(WLC3) >config interface create vlan19 19
(WLC3) >config interface address dynamic-interface vlan19 192.168.19.30 255.255.255.0 192.168.19.1
(WLC3) >config interface dhcp dynamic-interface vlan19 primary 192.168.19.1
(WLC3) >config interface port vlan19 1
(WLC3) >config interface dhcp dynamic-interface vlan19 option-82 enable
(WLC3) >config wlan create 12 mrn-cciew mrn-cciew
(WLC3) >config wlan interface 12 vlan19
(WLC3) >config wlan security wpa disable 12
(WLC3) >config wlan enable 12  

(WLC3) >config dhcp opt-82 remote-id apmac:ssid


CAT4#
*Mar  1 17:30:37.320: DHCPD: Class 'LAP2' matched by default
*Mar  1 17:30:37.320: DHCPD: Searching for a match to 'relay-information 010400000000022764a0e7af47403a6d726e2d63636965770000000000000000000000000000000000000000000000' in class LAP2
*Mar  1 17:30:37.320: DHCPD: Class 'LAP1' matched by default
*Mar  1 17:30:37.320: DHCPD: Searching for a match to 'relay-information 010400000000022764a0e7af47403a6d726e2d63636965770000000000000000000000000000000000000000000000' in class LAP1
*Mar  1 17:30:39.568: DHCPD: Class 'LAP2' matched by default
*Mar  1 17:30:39.568: DHCPD: Searching for a match to 'relay-information 010400000000022764a0e7af47403a6d726e2d63636965770000000000000000000000000000000000000000000000' in class LAP2

Once you configure this string in your DHCP class, the client gets an IP address allocated properly.

ip dhcp pool VLAN19
   network 192.168.19.0 255.255.255.0
   default-router 192.168.19.1 
   domain-name mrn.com
   dns-server 192.168.200.1 
   class LAP2
      address range 192.168.19.221 192.168.19.240
   class LAP1
      address range 192.168.19.121 192.168.19.140

ip dhcp class LAP2
   relay agent information
      relay-information hex 010400000000022764a0e7af47403a646174612d313300000000000000000000000000000000000000000000000000
      relay-information hex 010400000000022764a0e7af47403a6d726e2d63636965770000000000000000000000000000000000000000000000

Once the correct string is configured you should see debug output like this, and the client gets its IP.

*Mar  1 17:38:44.426: DHCPD: Class 'LAP1' matched by default
*Mar  1 17:38:44.426: DHCPD: Searching for a match to 'relay-information 010400000000022764a0e7af47403a6d726e2d63636965770000000000000000000000000000000000000000000000' in class LAP1
*Mar  1 17:38:48.881: DHCPD: Class 'LAP2' matched by default
*Mar  1 17:38:48.881: DHCPD: Searching for a match to 'relay-information 010400000000022764a0e7af47403a6d726e2d63636965770000000000000000000000000000000000000000000000' in class LAP2
*Mar  1 17:38:48.889: DHCPD: input pattern 'relay-information 010400000000022764a0e7af47403a6d726e2d63636965770000000000000000000000000000000000000000000000' matches class LAP2
*Mar  1 17:38:48.889: DHCPD: input matches class LAP2

CAT4#sh ip dhcp binding 
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
192.168.19.222      0104.f7e4.ea5b.66       Mar 03 1993 04:39 AM    Automatic

In this way you can hand out different IP ranges (within the same subnet) based on where the client attaches to the network.

Related Posts

1. Understanding DHCP Option 82
2. WLC – DHCP Option 82 Configuration Example



IOS DHCP Add. Reservation


IP address reservation is a commonly used feature in any DHCP deployment. You may want certain hosts (printers, BMS devices) to keep fixed IPs without configuring them statically, while all other hosts get dynamically assigned addresses with no requirement to keep the same IP.

In this post we will see how to do this on the IOS DHCP server. There are primarily two ways:

1. An address reservation under the same DHCP pool configuration.
2. A separate host pool for each static host.

There are two terms used in DHCP configuration to identify a client.

1. Hardware Address (chaddr)
2. Client Identifier

Hardware Address: the MAC address of the client device requesting an IP. This is the value of the CHADDR (Client Hardware Address) field of the BOOTP/DHCP message.

Client Identifier: used by a DHCP client to identify itself to the server instead of relying on CHADDR. Usually it is derived from the hardware address: RFC 2132 defines the common form as a one-byte hardware type followed by the MAC, so for Ethernet (type 1) the client identifier is the MAC with a “01” prefix. For example, if your client MAC address is “001f.1618.dfec” the client identifier is “0100.1f16.18df.ec”.

Why does this matter for IOS DHCP configuration? RFC 2131 (section 4.2) says a DHCP server needs some unique identifier to associate a client with its lease: the client MAY choose to explicitly provide the identifier through the ‘client identifier’ option. If the client supplies a ‘client identifier’, the client MUST use the same ‘client identifier’ in all subsequent messages, and the server MUST use that identifier to identify the client. If the client does not provide a ‘client identifier’ option, the server MUST use the contents of the ‘chaddr’ field to identify the client.

In other words, a client that sends a client identifier is matched on that value, and the server does not fall back to the hardware address for it. Since almost every DHCP client sends one, reservations for such clients must be configured with the client-id form rather than hardware-address; the hardware-address form only matches requests that carry no client identifier (BOOTP clients, for example).
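
To make that rule concrete, here is a small model of the lookup in Python. It is an added illustration, not IOS code: it normalises identifiers from the dotted form IOS prints, derives the option 61 value a client builds from its MAC, and applies the RFC 2131 rule when matching a request against client-id and hardware-address reservations. The Request and Pool classes and the normalize/dotted helpers are assumptions of the example, and the reservation values are the ones used elsewhere in this post.

```python
"""Which identifier an RFC 2131 server matches reservations on.

Added example, not IOS code.  It mirrors the rule quoted above: use
option 61 (client identifier) when the client sent one, otherwise htype +
chaddr.  Reservation syntax follows the IOS 'address ... client-id' and
'address ... hardware-address' lines; the dotted-triplet formatting
(0100.1f16.18df.ec) is the IOS display form.
"""
from __future__ import annotations
from dataclasses import dataclass, field

HTYPE_ETHERNET = 1


def normalize(dotted_id: str) -> bytes:
    """'0100.1f16.18df.ec', '001f.1618.dfec' or '00:1f:...' -> raw bytes."""
    digits = "".join(c for c in dotted_id.lower() if c in "0123456789abcdef")
    if len(digits) % 2:
        raise ValueError(f"odd-length identifier {dotted_id!r}")
    return bytes.fromhex(digits)


def dotted(raw: bytes) -> str:
    """Raw bytes -> IOS dotted-triplet display (groups of 4 hex digits)."""
    h = raw.hex()
    return ".".join(h[i:i + 4] for i in range(0, len(h), 4))


def client_identifier_from_mac(mac: str, htype: int = HTYPE_ETHERNET) -> str:
    """Option 61 as most clients send it: 1-byte hardware type + MAC.
    For Ethernet this is the '01' prefix the post describes."""
    return dotted(bytes([htype]) + normalize(mac))


@dataclass
class Request:
    """The fields of a DISCOVER/REQUEST that identify the client."""
    htype: int
    chaddr: str
    client_id: str | None = None   # option 61; absent for BOOTP and some DHCP clients


@dataclass
class Pool:
    """Reservations of one IOS 'ip dhcp pool', keyed on the raw identifier."""
    client_id_reservations: dict[bytes, str] = field(default_factory=dict)
    hw_reservations: dict[bytes, str] = field(default_factory=dict)

    def address(self, ip: str, kind: str, ident: str) -> None:
        """IOS: address <ip> {client-id|hardware-address} <value>"""
        if kind == "client-id":
            self.client_id_reservations[normalize(ident)] = ip
        elif kind == "hardware-address":
            self.hw_reservations[normalize(ident)] = ip
        else:
            raise ValueError(f"unknown reservation kind {kind!r}")

    def reserved_address(self, req: Request) -> str | None:
        """RFC 2131 4.2: option 61 if the client sent it, else chaddr.
        A client-id reservation is never consulted for a request without
        option 61, and a hardware-address reservation never for one with it."""
        if req.client_id is not None:
            return self.client_id_reservations.get(normalize(req.client_id))
        return self.hw_reservations.get(normalize(req.chaddr))


if __name__ == "__main__":
    pool = Pool()
    pool.address("192.168.9.199", "client-id", client_identifier_from_mac("001f.1618.dfec"))
    pool.address("10.10.23.251", "hardware-address", "001e.7abe.e0fe")
    # PC sending option 61: matched by client identifier
    print(pool.reserved_address(Request(1, "001f.1618.dfec", "0100.1f16.18df.ec")))
    # Same PC modelled without option 61: the client-id reservation is not found
    print(pool.reserved_address(Request(1, "001f.1618.dfec")))
```

The second lookup in the usage block is the failure mode the post warns about, seen from the other side: a hardware-address reservation does nothing for a client that sends option 61, and a client-id reservation does nothing for one that does not.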

You can configure the IOS DHCP server to ignore BOOTP requests, so that it only responds to DHCP DISCOVER/REQUEST messages from clients. Use the following CLI command:

ip dhcp bootp ignore

Now let’s configure an IP address reservation inside a single DHCP pool. The command is “address <ip-address> {hardware-address|client-id} <mac-address|client-id>”. For the reason given above, use the client-id form for DHCP clients.

CAT2(config)#ip dhcp pool VLAN9
CAT2(dhcp-config)#address ?
  A.B.C.D  IP address in dotted-decimal notation

CAT2(dhcp-config)#address 192.168.9.199 ?
  client-id         Client identified by Client-ID option
  hardware-address  Client identified by MAC address

CAT2(dhcp-config)#address 192.168.9.199 cl
CAT2(dhcp-config)#address 192.168.9.199 client-id ?
  WORD  Client MAC or Client-ID value

Here is the full DHCP pool configuration with a reservation for a device with MAC address 001f.1618.dfec, i.e. client ID 0100.1f16.18df.ec.

ip dhcp pool VLAN9
   network 192.168.9.0 255.255.255.0
   default-router 192.168.9.1 
   domain-name mrn.com
   dns-server 192.168.200.1 
   address 192.168.9.199 client-id 0100.1f16.18df.ec

You can verify that this client gets 192.168.9.199 when it connects to the network, using “debug ip dhcp server events”.

CAT2#
*Mar  9 09:17:58.356 AEDT: DHCPD: Sending notification of DISCOVER:
*Mar  9 09:17:58.356 AEDT:   DHCPD: htype 1 chaddr 001f.1618.dfec
*Mar  9 09:17:58.356 AEDT:   DHCPD: interface = Vlan9
*Mar  9 09:17:58.356 AEDT:   DHCPD: class id 4d53465420352e30
*Mar  9 09:17:58.356 AEDT:   DHCPD: out_vlan_id 0
*Mar  9 09:17:58.356 AEDT: DHCPD: Sending notification of DISCOVER:
*Mar  9 09:17:58.356 AEDT:   DHCPD: htype 1 chaddr 001f.1618.dfec
*Mar  9 09:17:58.356 AEDT:   DHCPD: interface = Vlan9
*Mar  9 09:17:58.356 AEDT:   DHCPD: class id 4d53465420352e30
*Mar  9 09:17:58.356 AEDT:   DHCPD: out_vlan_id 0
*Mar  9 09:17:58.356 AEDT: DHCPD: DHCPOFFER notify setup address 192.168.9.199 mask 255.255.255.0
*Mar  9 09:17:58.356 AEDT: DHCPD: Sending notification of ASSIGNMENT:
*Mar  9 09:17:58.356 AEDT:  DHCPD: address 192.168.9.199 mask 255.255.255.0
*Mar  9 09:17:58.356 AEDT:   DHCPD: htype 1 chaddr 001f.1618.dfec
*Mar  9 09:17:58.356 AEDT:   DHCPD: lease time remaining (secs) = 4294967295
*Mar  9 09:17:58.356 AEDT:   DHCPD: interface = Vlan9
*Mar  9 09:17:58.356 AEDT:   DHCPD: out_vlan_id 0
*Mar  9 09:18:20.905 AEDT: DHCPD: checking for expired leases.

The other way of doing this is to create a host pool for the device. First remove the previous reservation if you are using the same client.

CAT2(config)#
ip dhcp excluded-address 192.168.9.1 192.168.9.99

ip dhcp pool VLAN9
   network 192.168.9.0 255.255.255.0
   default-router 192.168.9.1 
   domain-name mrn.com
   dns-server 192.168.200.1
   no  address 192.168.9.199 client-id 0100.1f16.18df.ec

ip dhcp pool PRINTER-1
   host 192.168.9.99 255.255.255.0
   client-identifier 0100.1f16.18df.ec

You can verify the client gets the reserved IP when it connects to the network. Here is the “debug ip dhcp server events” output.

*Mar  9 10:16:02.022 AEDT: DHCPD: Sending notification of DISCOVER:
*Mar  9 10:16:02.022 AEDT:   DHCPD: htype 1 chaddr 001f.1618.dfec
*Mar  9 10:16:02.022 AEDT:   DHCPD: interface = Vlan9
*Mar  9 10:16:02.022 AEDT:   DHCPD: class id 4d53465420352e30
*Mar  9 10:16:02.022 AEDT:   DHCPD: out_vlan_id 0
*Mar  9 10:16:02.022 AEDT: DHCPD: Sending notification of DISCOVER:
*Mar  9 10:16:02.022 AEDT:   DHCPD: htype 1 chaddr 001f.1618.dfec
*Mar  9 10:16:02.022 AEDT:   DHCPD: interface = Vlan9
*Mar  9 10:16:02.022 AEDT:   DHCPD: class id 4d53465420352e30
*Mar  9 10:16:02.022 AEDT:   DHCPD: out_vlan_id 0
*Mar  9 10:16:02.022 AEDT: DHCPD: DHCPOFFER notify setup address 192.168.9.99 mask 255.255.255.0
*Mar  9 10:16:02.022 AEDT: DHCPD: Sending notification of ASSIGNMENT:
*Mar  9 10:16:02.022 AEDT:  DHCPD: address 192.168.9.99 mask 255.255.255.0
*Mar  9 10:16:02.022 AEDT:   DHCPD: htype 1 chaddr 001f.1618.dfec
*Mar  9 10:16:02.022 AEDT:   DHCPD: lease time remaining (secs) = 4294967295
*Mar  9 10:16:02.022 AEDT:   DHCPD: interface = Vlan9
*Mar  9 10:16:02.022 AEDT:   DHCPD: out_vlan_id 0

From a CCIE Wireless lab perspective, if you want APs to keep the same IP all the time (especially important with H-REAP), you can use these reservation configurations unless static IP configuration is allowed.

Here is a debug output (both dhcp server events and dhcp server packet detail) of an AP getting a reserved IP. On this switch I have not configured “ip dhcp bootp ignore”. Notice the two ways the same client is named: the DHCPOFFER and DHCPACK lines identify it by client identifier (0100.1e7a.bee0.fe), which is the value the lease is bound to, while the “broadcasting BOOTREPLY” lines that follow name the hardware address (001e.7abe.e0fe) used as the destination of the frame. DHCPOFFER and DHCPACK are themselves carried in BOOTREPLY messages (op code 2), so these are two views of the same reply rather than a separate BOOTP exchange.

ip dhcp excluded-address 10.10.23.193 10.10.23.200
!
ip dhcp pool VLAN23
   network 10.10.23.192 255.255.255.192
   default-router 10.10.23.193 
   dns-server 192.168.200.1 
   domain-name mrn.com
   address 10.10.23.250 client-id 01cc.ef48.8cfd.41
   address 10.10.23.251 client-id 0100.1e7a.bee0.fe

CAT4#debug ip dhcp server packet detail 
DHCP server packet detail debugging is on.          
CAT4#debug ip dhcp server events 
DHCP server event debugging is on
*Mar  1 06:54:51.328: DHCPD: Reload workspace interface Vlan23 tableid 0.
*Mar  1 06:54:51.328: DHCPD: tableid for 10.10.23.193 on Vlan23 is 0
*Mar  1 06:54:51.328: DHCPD: client's VPN is .
*Mar  1 06:54:51.328: DHCPD: using received relay info.
*Mar  1 06:54:51.328: DHCPD: Sending notification of DISCOVER:
*Mar  1 06:54:51.328:   DHCPD: htype 1 chaddr 001e.7abe.e0fe
*Mar  1 06:54:51.328:   DHCPD: interface = Vlan23
*Mar  1 06:54:51.328:   DHCPD: class id 436973636f204150206331313330
*Mar  1 06:54:51.328:   DHCPD: out_vlan_id 0
*Mar  1 06:54:51.328: DHCPD: DHCPDISCOVER received from client 0100.1e7a.bee0.fe on interface Vlan23.
*Mar  1 06:54:51.328: DHCPD: using received relay info.
*Mar  1 06:54:51.328: DHCPD: Sending notification of DISCOVER:
*Mar  1 06:54:51.328:   DHCPD: htype 1 chaddr 001e.7abe.e0fe
*Mar  1 06:54:51.328:   DHCPD: interface = Vlan23
*Mar  1 06:54:51.328:   DHCPD: class id 436973636f204150206331313330
*Mar  1 06:54:51.328:   DHCPD: out_vlan_id 0
*Mar  1 06:54:51.328: DHCPD: DHCPOFFER notify setup address 10.10.23.251 mask 255.255.255.192
*Mar  1 06:54:51.328: DHCPD: Sending DHCPOFFER to client 0100.1e7a.bee0.fe (10.10.23.251).
*Mar  1 06:54:51.328: DHCPD: no option 125
*Mar  1 06:54:51.328: DHCPD: broadcasting BOOTREPLY to client 001e.7abe.e0fe.
*Mar  1 06:54:51.337: DHCPD: Reload workspace interface Vlan23 tableid 0.
*Mar  1 06:54:51.337: DHCPD: tableid for 10.10.23.193 on Vlan23 is 0
*Mar  1 06:54:51.337: DHCPD: client's VPN is .
*Mar  1 06:54:51.337: DHCPD: DHCPREQUEST received from client 0100.1e7a.bee0.fe.
*Mar  1 06:54:51.337: DHCPD: Sending notification of ASSIGNMENT:
*Mar  1 06:54:51.337:  DHCPD: address 10.10.23.251 mask 255.255.255.192
*Mar  1 06:54:51.337:   DHCPD: htype 1 chaddr 001e.7abe.e0fe
*Mar  1 06:54:51.337:   DHCPD: lease time remaining (secs) = 4294967295
*Mar  1 06:54:51.337:   DHCPD: interface = Vlan23
*Mar  1 06:54:51.337:   DHCPD: out_vlan_id 0
*Mar  1 06:54:51.337: DHCPD: Sending DHCPACK to client 0100.1e7a.bee0.fe (10.10.23.251).
*Mar  1 06:54:51.337: DHCPD: no option 125
*Mar  1 06:54:51.337: DHCPD: broadcasting BOOTREPLY to client 001e.7abe.e0fe.

It is important you understand these configuration options.


WGB with PSK


A WGB is a device that associates to an AP (either lightweight or autonomous) and provides transparent bridging for its wired clients. Each wired client the WGB learns on its Ethernet side is reported to the WGB’s root AP via the Inter-Access Point Protocol (IAPP), a Cisco proprietary protocol. You can use the following CLI command under the radio interface to make an AP’s radio a WGB.

station-role workgroup-bridge

If you want a WGB to work with non-Cisco APs, configure it as a universal WGB (uWGB). Only a single wired device can then be connected behind the WGB, and its MAC address is given on the command line. Use the following CLI under the radio interface:

station-role workgroup-bridge universal ?
  H.H.H  Universal Client MAC Address

A WGB connecting to an autonomous AP can operate in one of two modes; the unified wireless architecture only supports client-mode WGBs.

1. Infrastructure mode (supports multiple vlan behind WGB)
2. Client BSS mode (supports single vlan behind WGB)

Let’s see a basic configuration of a Root AP & WGB & how we can configure PSK (Pre-shared key security) later on.

WGB-PSK-01

Here is the basic config of AAP1 without any security. You can configure the SSID as an infrastructure SSID so that only infrastructure devices (other APs configured as WGBs, bridges) can connect to it. The infrastructure SSID should always map to the native VLAN (20 in my example).

hostname AAP1
dot11 ssid MRN-WGB
   vlan 20
   authentication open 
   infrastructure-ssid 
!         
interface Dot11Radio1
 ssid MRN-WGB
 station-role root
interface Dot11Radio1.20
 encapsulation dot1Q 20 native
 bridge-group 1
!
interface GigabitEthernet0.20
 encapsulation dot1Q 20 native
 bridge-group 1
!
interface BVI1
 ip address 192.168.20.99 255.255.255.0
ip default-gateway 192.168.20.254
sntp server 10.10.205.20

Here is the WGB configuration.

hostname WGB
dot11 ssid MRN-WGB
   vlan 20
   authentication open 
   infrastructure-ssid 
!
interface Dot11Radio1
 ssid MRN-WGB
 station-role workgroup-bridge
interface Dot11Radio1.20
 encapsulation dot1Q 20 native
 bridge-group 1
!
interface GigabitEthernet0.20
 encapsulation dot1Q 20 native
 bridge-group 1
! 
interface BVI1
 no ip address

You can verify the WGB and its client association with the “show dot11 associations client” CLI command on the root AP (the wired client behind the WGB got its IP from the DHCP pool defined on CAT2).

AAP1#show dot11 associations client 
802.11 Client Stations on Dot11Radio1: 
SSID [MRN-WGB] : 
MAC Address    IP address      Device        Name            Parent         State     
001f.1618.dfec 192.168.20.100  WGB-client    -               44d3.caaf.4343 Assoc    
44d3.caaf.4343 0.0.0.0         WGB           WGB             self           Assoc

On the WGB you can see its association to the parent with the “show dot11 associations” command.

WGB#show dot11 associations 
802.11 Client Stations on Dot11Radio1: 
SSID [MRN-WGB] : 
MAC Address    IP address      Device        Name            Parent         State     
a40c.c31a.ee60 192.168.20.99   ap1140-Parent AAP1            -              Assoc

By default a WGB associates to the root AP as a normal client. If you want broadcast/multicast traffic delivered reliably to the clients behind the WGB, configure “infrastructure-client” on the radio interface of the root AP. The root AP then sends a unicast copy of each multicast packet to the WGB, which can acknowledge it. This suits WGBs that do not roam frequently (printers, etc). Let’s configure AAP1 Radio 1 for this.

AAP1(config)#int d1
AAP1(config-if)#infrastructure-client

Once you configure “infrastructure-client”, the WGB itself no longer appears as a client in the “show dot11 associations client” output. Use “show dot11 associations all-client” to see the WGB, as shown below.

AAP1#sh dot11 associations client 
802.11 Client Stations on Dot11Radio1: 
SSID [MRN-WGB] : 
MAC Address    IP address      Device        Name            Parent         State     
001f.1618.dfec 192.168.20.100  WGB-client    -               44d3.caaf.4343 Assoc 

AAP1#sh dot11 associations all-client 
Address           : 001f.1618.dfec     Name             : NONE
IP Address        : 192.168.20.100     Interface        : Dot11Radio 1
Device            : WGB-client         Software Version : NONE 
CCX Version       : NONE               Client MFP       : Off

State             : Assoc              Parent           : 44d3.caaf.4343    
SSID              : MRN-WGB                         
VLAN              : 20
Hops to Infra     : 0                  
Clients Associated: 0                  Repeaters associated: 0

Address           : 44d3.caaf.4343     Name             : WGB
IP Address        : 0.0.0.0            Interface        : Dot11Radio 1
Device            : WGB                Software Version : 15.2
CCX Version       : 5                  Client MFP       : Off

State             : Assoc              Parent           : self               
SSID              : MRN-WGB                         
VLAN              : 20
Hops to Infra     : 1                  Association Id   : 1
Clients Associated: 1                  Repeaters associated: 0
Tunnel Address    : 0.0.0.0
Key Mgmt type     : NONE               Encryption       : Off
Current Rate      : m15.               Capability       : WMM ShortHdr 11h
Supported Rates   : 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
Voice Rates       : disabled           Bandwidth        : 20 MHz 
Signal Strength   : -29  dBm           Connected for    : 356 seconds
Signal to Noise   : 67  dB            Activity Timeout : 30 seconds
Power-save        : Off                Last Activity    : 0 seconds ago
Apsd DE AC(s)     : NONE

Packets Input     : 20770              Packets Output   : 29793     
Bytes Input       : 3084148            Bytes Output     : 33230505  
Duplicates Rcvd   : 11                 Data Retries     : 1793      
Decrypt Failed    : 0                  RTS Retries      : 0         
MIC Failed        : 0                  MIC Missing      : 0         
Packets Redirected: 0                  Redirect Filtered: 0

You can use “debug dot11 dot11Radio 1 trace print uplink” on the WGB to see the steps it goes through when joining its parent.

WGB#debug dot11 dot11Radio 1 trace print uplink 
*Mar  1 01:30:12.882: %DOT11-4-UPLINK_DOWN: Interface Dot11Radio1, parent lost: Received deauthenticate (1) failure
*Mar  1 01:30:12.882: 474268BE-1 Uplink: Lost AP, Received deauthenticate (1) failure
*Mar  1 01:30:12.882: 47426948-1 Uplink: Wait for driver to stop
*Mar  1 01:30:12.882: 47426980-1 Uplink: Enabling active scan
*Mar  1 01:30:12.885: 47426986-1 Uplink: Not busy, scan all channels
*Mar  1 01:30:12.885: 4742698D-1 Uplink: Scanning
*Mar  1 01:30:13.583: 474D1B25-1 Uplink: Rcvd response from a40c.c31a.ee60 channel 157 638
*Mar  1 01:30:14.275: 4757AAB0-1 Uplink: no rsnie or ssnie chk
*Mar  1 01:30:14.275: 4757AABD-1 Uplink: ssid MRN-WGB auth open
*Mar  1 01:30:14.275: 4757AAC4-1 Uplink: try a40c.c31a.ee60, enc 0 key 0, priv 0, eap 0
*Mar  1 01:30:14.275: 4757AACD-1 Uplink: Authenticating
*Mar  1 01:30:14.275: 4757AD35-1 Uplink: Associating
*Mar  1 01:30:14.379: 47593FA1-1 Uplink: Lost AP, Received deauthenticate (1) failure
*Mar  1 01:30:14.379: 47593FB0-1 Uplink: Reject for 0 seconds
*Mar  1 01:30:14.379: 47593FB6-1 Uplink: Scanning
*Mar  1 01:30:14.392: 47597452-1 Uplink: Rcvd response from a40c.c31a.ee60 channel 157 627
*Mar  1 01:30:15.084: 476403D1-1 Uplink: no rsnie or ssnie chk
*Mar  1 01:30:15.084: 476403DE-1 Uplink: ssid MRN-WGB auth open
*Mar  1 01:30:15.084: 476403E3-1 Uplink: try a40c.c31a.ee60, enc 0 key 0, priv 0, eap 0
*Mar  1 01:30:15.084: 476403ED-1 Uplink: Authenticating
*Mar  1 01:30:15.084: 4764065F-1 Uplink: Associating
*Mar  1 01:30:15.087: %DOT11-4-UPLINK_ESTABLISHED: Interface Dot11Radio1, Associated To AP AAP1 a40c.c31a.ee60 [None]
*Mar  1 01:30:15.087: 4764102F-1 Uplink: Done

Let’s add WPA2-PSK security for this WGB.

In both AAP1 & WGB
dot11 ssid MRN-WGB
   vlan 20
   authentication open 
   authentication key-management wpa version 2
   wpa-psk ascii MRN-CCIEW
interface Dot11Radio1
 encryption vlan 20 mode ciphers aes-ccm

You should see debug messages like the ones below on the WGB. Note that “authentication open” together with “authentication key-management wpa version 2” is the normal IOS way to express WPA2-PSK: the 802.11 authentication is open and the PSK is proven in the four-way handshake. Because the passphrase is readable in the running config and a captured handshake can be brute-forced offline, use a long random PSK in production rather than a short word like the lab value here.

*Mar  1 01:45:44.306: 7ED5007F-1 Uplink: Wait for driver to stop
*Mar  1 01:45:44.306: 7ED500FE-1 Uplink: Enabling active scan
*Mar  1 01:45:44.310: 7ED50104-1 Uplink: Not busy, scan all channels
*Mar  1 01:45:44.310: 7ED5010A-1 Uplink: Scanning
*Mar  1 01:45:44.939: 7EDEB144-1 Uplink: Rcvd response from a40c.c31a.ee60 channel 40 682
*Mar  1 01:45:45.008: 7EDFBD20-1 Uplink: dot11_uplink_scan_done: rsnie_accept returns 0x0 key_mgmt 0xFAC02 encrypt_type 0x200
*Mar  1 01:45:45.008: 7EDFBD36-1 Uplink: 
*Mar  1 01:45:45.008: 7EDFBD3D-1 Uplink: try a40c.c31a.ee60, enc 200 key 4, priv 1, eap 0
*Mar  1 01:45:45.008: 7EDFBD47-1 Uplink: Authenticating
*Mar  1 01:45:45.008: 7EDFBF9A-1 Uplink: Associating
*Mar  1 01:45:45.011: 7EDFC814-1 Uplink: EAP authenticating
*Mar  1 01:45:45.112: 7EE15737-1 Uplink: Done
*Mar  1 01:45:45.112: 7EE15751-1 Interface up
*Mar  1 01:45:45.115: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Mar  1 01:45:45.118: %DOT11-4-UPLINK_ESTABLISHED: Interface Dot11Radio1, Associated To AP AAP1 a40c.c31a.ee60 [None WPAv2 PSK]
*Mar  1 01:45:46.115: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up

You can also verify that the WGB uses the configured security methods with the “show dot11 associations <root-ap-mac>” command.

WGB#show dot11 ass a40c.c31a.ee60
Address           : a40c.c31a.ee60     Name             : AAP1
IP Address        : 192.168.20.99      
Gateway Address   : 0.0.0.0            
Netmask Address   : 0.0.0.0            Interface        : Dot11Radio 1
Device            : ap1140-Parent      Software Version : 12.4
CCX Version       : 5                  Client MFP       : On
State             : Assoc              Parent           : -                  
SSID              : MRN-WGB                         
VLAN              : 20
Hops to Infra     : 0                  Association Id   : 1
Tunnel Address    : 0.0.0.0
Key Mgmt type     : WPAv2 PSK          Encryption       : AES-CCMP
Current Rate      : m12-               Capability       : WMM ShortHdr 11h
Supported Rates   : 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0-2 m1-2 m2-2 m3-2 m4-2 m5-2 m6-2 m7-2 m8-2 m9-2 m10-2 m11-2 m12-2 m13-2 m14-2 m15-2
Voice Rates       : disabled           Bandwidth        : 20 MHz 
Signal Strength   : -32  dBm           Connected for    : 402 seconds
Signal to Noise   : 64  dB            Activity Timeout : 14 seconds
Power-save        : Off                Last Activity    : 1 seconds ago
Apsd DE AC(s)     : NONE
Packets Input     : 4532               Packets Output   : 174       
Bytes Input       : 877308             Bytes Output     : 52789     
Duplicates Rcvd   : 0                  Data Retries     : 100       
Decrypt Failed    : 0                  RTS Retries      : 0         
MIC Failed        : 0                  MIC Missing      : 0         
Packets Redirected: 0                  Redirect Filtered: 0

If a wired client does not send traffic for an extended period (printers, for example), the WGB ages the client out of its bridge table even if traffic towards that client continues to arrive, and once the entry is gone the traffic flow to the wired client fails. To prevent wired clients from being aged out, raise the aging-out timer on the WGB (the default is 300 seconds) with the “bridge <bridge-group> aging-time <seconds>” command.

WGB#sh bridge 
Total of 300 station blocks, 293 free
Codes: P - permanent, S - self
Bridge Group 1:

    Address       Action   Interface       Age   RX count   TX count
a088.b435.c2f0   forward   Vi0.20            0       2212          7
001f.1618.dfec   forward   Gi0.20            0      21488      29759
0026.0b63.caf4   forward   Vi0.20            0        129          0
7081.0503.7cef   forward   Vi0.20            0        131          0
001a.e3a7.ff50   forward   Vi0.20            0      29905      19704
7073.cbdc.58ea   forward   Vi0.20            7         86          0
001a.e3a7.ff0f   forward   Vi0.20            0       7731          0

WGB(config)#bridge ?
  <1-255>            Bridge Group number for Bridging.
  crb                Concurrent routing and bridging
  irb                Integrated routing and bridging
  mac-address-table  MAC-address table configuration commands

WGB(config)#bridge 1 ?
  acquire                   Dynamically learn new, unconfigured stations
  address                   Block or forward a particular Ethernet address
  aging-time                Set forwarding entry aging time
  bitswap-layer3-addresses  Bitswap embedded layer 3 MAC addresses
  bridge                    Specify a protocol to be bridged in this bridge group
  circuit-group             Circuit-group
  domain                    Establish multiple bridging domains
  forward-time              Set forwarding delay time
  hello-time                Set interval between HELLOs
  lat-service-filtering     Perform LAT service filtering
  max-age                   Maximum allowed message age of received Hello BPDUs
  priority                  Set bridge priority
  protocol                  Specify spanning tree protocol
  route                     Specify a protocol to be routed in this bridge group
  subscriber-policy         Subscriber group bridging

WGB(config)#bridge 1 aging-time ?
  <10-1000000>  Seconds

WGB(config)#bridge 1 aging-time 86400

Related Posts

1. WGB Configuration
2. WGB with EAP-FAST
3. WGB with CAPWAP
4. WGB Roaming
5. WGB-IOS AP with Multiple VLAN
6. WGB-CAPWAP with Multiple VLAN


Unified AP-WGB with Multiple VLAN


In this post we will see how to configure multiple VLANs on a workgroup bridge in a Unified Wireless environment. This is useful when the wired clients behind the WGB need to sit in different VLANs. Here is the topology for this post, where two VLANs are created for the WGB clients. The WGB associates to a unified (CAPWAP) AP, LAP2, which is joined to WLC1.

UnifiedAP-WGB-01

Here is the config related to WLC1: three dynamic interfaces for VLANs 8, 9 and 20 (VLAN 20 is the WGB native VLAN) and the MRN-WGB WLAN, configured with WPA2-PSK. First configure the necessary DHCP pools and SVIs on CAT2. The WLC must be connected via a trunk port and LAP2 via an access port, as shown below.

ip dhcp excluded-address 192.168.8.1 192.168.8.99
ip dhcp excluded-address 192.168.9.1 192.168.9.99
ip dhcp excluded-address 192.168.20.1 192.168.20.99
!
ip dhcp pool VLAN9
   network 192.168.9.0 255.255.255.0
   default-router 192.168.9.1 
   domain-name mrn.com
   dns-server 192.168.200.1 
   address 192.168.9.100 client-id 0100.1f16.18df.ec <- PC IP reservation
!
ip dhcp pool VLAN8
   network 192.168.8.0 255.255.255.0
   default-router 192.168.8.1 
   domain-name mrn.com
   dns-server 192.168.200.1 
   address 192.168.8.100 client-id 0000.18fe.a5dc.3e <-Printer IP reservation
!
ip dhcp pool vlan20
   network 192.168.20.0 255.255.255.0
   default-router 192.168.20.254 
   dns-server 192.168.200.1  
   domain-name mrn.com
   address 192.168.20.199 client-id 0158.bfea.59f8.01 <- CAT5 IP reservation
   address 192.168.20.120 client-id 0144.d3ca.af43.43 <- WGB IP Reservation
!
interface Vlan8
 ip address 192.168.8.1 255.255.255.0
interface Vlan9
 ip address 192.168.9.1 255.255.255.0
interface Vlan20
 ip address 192.168.20.254 255.255.255.0
!
interface GigabitEthernet1/0/1
 description WLC1 Port1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 8-18,20,23,111,113
 switchport mode trunk
 switchport nonegotiate
 mls qos trust cos
 spanning-tree portfast trunk
!
interface FastEthernet1/0/11
 description TEMP LAP2
 switchport access vlan 20
 switchport mode access
 mls qos trust dscp
 spanning-tree portfast

Here is the WLC1 config related to this. Because the WLAN uses ID 20 (above 16), it is not advertised by default and has to be mapped through an AP group that LAP2 belongs to. The radio policy is set to "802.11a-only" since the WGB radio is on 5 GHz. Note that disabling SSID broadcast only removes the name from beacons; it is not an access control, and the WPA2-PSK is what actually gates association.

(WLC1) >config interface create vlan20 20
(WLC1) >config interface address dynamic-interface vlan20 192.168.20.10 255.255.255.0 192.168.20.254           
(WLC1) >config interface dhcp dynamic-interface vlan20 primary 192.168.20.254
(WLC1) >config interface port vlan20 1
(WLC1) >config interface create vlan8 8
(WLC1) >config interface address dynamic-interface vlan8 192.168.8.10 255.255.255.0 192.168.8.1           
(WLC1) >config interface dhcp dynamic-interface vlan8 primary 192.168.8.1
(WLC1) >config interface port vlan8 1
(WLC1) >config interface create vlan9 9
(WLC1) >config interface address dynamic-interface vlan9 192.168.9.10 255.255.255.0 192.168.9.1
(WLC1) >config interface dhcp dynamic-interface vlan9 primary 192.168.9.1
(WLC1) >config interface port vlan9 1

(WLC1) >config wlan create 20 MRN-WGB MRN-WGB
(WLC1) >config wlan radio 20 802.11a-only
(WLC1) >config wlan broadcast-ssid disable 20
(WLC1) >config wlan security wpa wpa2 ciphers aes enable 20
(WLC1) >config wlan security wpa akm psk set-key ascii MRN-CCIEW 20
(WLC1) >config wlan enable 20

(WLC1) >config  wlan apgroup add mrn-wgb "WGB AP GROUP"
(WLC1) >config wlan apgroup interface-mapping add mrn-wgb 20 vlan20
(WLC1) >config ap group-name mrn-wgb LAP2

Changing the AP's group name will cause the AP to reboot.
Are you sure you want to continue? (y/n) y

To support multiple VLANs you have to enable the VLAN-tagging feature on the WGB. When it is enabled, the WGB strips the 802.1Q header from frames received from a tagged wired client before sending them over the air to the wireless LAN controller (WLC); in the other direction the WGB receives the frame from the WLC without an 802.1Q header and must itself re-insert the tag before forwarding the frame to the switch behind it. The following CLI command on the WGB enables this.

WGB(config)#workgroup-bridge unified-vlan-client

The WGB reports the VLAN of each wired client to the WLC in the Internet Access Point Protocol (IAPP) association message. The WLC treats each WGB wired client as a VLAN client and forwards its traffic out of the right dynamic interface based on the source MAC address.

Upstream, the WGB removes the 802.1Q header before sending the frame to the WLC. Downstream, the WLC sends the frame to the WGB without an 802.1Q tag, and the WGB adds the 4-byte 802.1Q header, choosing the VLAN from the destination MAC address, before forwarding it to the switch that connects the wired client.
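To make that tagging behaviour concrete, here is a small Python model of it. It is an added example, not part of the original post and not Cisco's code: it builds Ethernet frames with struct, strips the 802.1Q tag in the upstream direction while recording the source MAC to VLAN mapping (the information the WGB reports in IAPP), and re-inserts the 4-byte tag downstream based on the destination MAC. The MACs and native VLAN 20 are taken from the topology above; the payloads are made up, and unknown or native-VLAN destinations are simply forwarded untagged in this model.

```python
import struct

ETHERTYPE_8021Q = 0x8100   # TPID that introduces an 802.1Q tag
NATIVE_VLAN = 20           # WGB native VLAN in the topology above (assumption)


def mac_bytes(mac: str) -> bytes:
    """'0018.fea5.dc3e' or '00:18:fe:a5:dc:3e' -> 6 raw bytes."""
    return bytes.fromhex(mac.replace(".", "").replace(":", ""))


def mac_str(raw: bytes) -> str:
    """6 raw bytes -> Cisco dotted notation."""
    h = raw.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def build_frame(dst: str, src: str, vlan, ethertype: int = 0x0800,
                payload: bytes = b"") -> bytes:
    """Construct an Ethernet II frame; vlan=None builds an untagged frame."""
    frame = mac_bytes(dst) + mac_bytes(src)
    if vlan is not None:
        # TCI = PCP(3 bits) | DEI(1 bit) | VID(12 bits); PCP and DEI left at 0 here
        frame += struct.pack("!HH", ETHERTYPE_8021Q, vlan & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes):
    """Return (dst, src, vlan or None, rest); rest starts at the inner EtherType."""
    dst, src = mac_str(frame[0:6]), mac_str(frame[6:12])
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid == ETHERTYPE_8021Q:
        (tci,) = struct.unpack("!H", frame[14:16])
        return dst, src, tci & 0x0FFF, frame[16:]
    return dst, src, None, frame[12:]


class UnifiedVlanClientWGB:
    """Tag handling of a WGB with 'workgroup-bridge unified-vlan-client' enabled."""

    def __init__(self, native_vlan: int = NATIVE_VLAN):
        self.native_vlan = native_vlan
        self.client_vlan = {}   # wired MAC -> VLAN; what the WGB reports to the WLC in IAPP

    def upstream(self, frame: bytes) -> bytes:
        """Wired client -> WLC: learn the client's VLAN, forward the frame untagged."""
        dst, src, vlan, rest = parse_frame(frame)
        self.client_vlan[src] = self.native_vlan if vlan is None else vlan
        return mac_bytes(dst) + mac_bytes(src) + rest

    def downstream(self, frame: bytes) -> bytes:
        """WLC -> wired switch: re-insert the 4-byte tag chosen by the destination MAC."""
        dst, src, vlan, rest = parse_frame(frame)
        if vlan is not None:
            raise ValueError("frames from the WLC are expected untagged")
        target = self.client_vlan.get(dst)
        if target is None or target == self.native_vlan:
            return frame   # unknown or native-VLAN client: leave untagged
        tag = struct.pack("!HH", ETHERTYPE_8021Q, target)
        return mac_bytes(dst) + mac_bytes(src) + tag + rest


if __name__ == "__main__":
    wgb = UnifiedVlanClientWGB()
    # printer (VLAN 8) sends toward LAP2's BSSID; MACs are those from the outputs above
    up = wgb.upstream(build_frame("001f.caca.ea4f", "0018.fea5.dc3e", 8, payload=b"hello"))
    print("upstream tag:", parse_frame(up)[2], "learned:", wgb.client_vlan)
    down = wgb.downstream(build_frame("0018.fea5.dc3e", "001f.caca.ea4f", None, payload=b"reply"))
    print("downstream tag:", parse_frame(down)[2])
```

The downstream lookup is keyed on the destination MAC, so the model forwards untagged to any wired MAC it has not learned from the wired side. That is the same dependency on the bridge table that makes the static entry for the passive printer, discussed next, necessary.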

Also note the "bridge 8 address 0018.fea5.dc3e forward GigabitEthernet0.8" command, which prevents the passive client (the printer) behind the WGB from losing its connectivity. It adds a permanent entry for that client to the WGB bridge table (required because a passive client never sends traffic that would refresh the entry), and the WGB then reports that client to LAP2 via IAPP.

Here is the full WGB configuration. The WGB itself gets a DHCP address in native VLAN 20 so that it can be managed; this also lets it sync to an NTP server. Note that the PSK appears in clear text in the running configuration, so treat configuration backups accordingly.

dot11 ssid MRN-WGB
   vlan 20
   authentication open 
   authentication key-management wpa version 2
   wpa-psk ascii MRN-CCIEW
!
interface Dot11Radio1
 encryption vlan 20 mode ciphers aes-ccm 
 ssid MRN-WGB
 station-role workgroup-bridge
!
interface Dot11Radio1.8
 encapsulation dot1Q 8
 bridge-group 8
!
interface Dot11Radio1.9
 encapsulation dot1Q 9
 bridge-group 9
!
interface Dot11Radio1.20
 encapsulation dot1Q 20 native
 bridge-group 1
!
interface GigabitEthernet0.8
 encapsulation dot1Q 8
 bridge-group 8
!
interface GigabitEthernet0.9
 encapsulation dot1Q 9
 bridge-group 9
!
interface GigabitEthernet0.20
 encapsulation dot1Q 20 native
 bridge-group 1
!
interface BVI1
 ip address dhcp client-id GigabitEthernet0
workgroup-bridge unified-vlan-client
bridge 8 address 0018.fea5.dc3e forward GigabitEthernet0.8

Here is the CAT5 configuration. I used dynamic IP assignment on the management SVI in order to check WGB client connectivity; a static address works as well. Note that the trunk allows VLAN 7 although only VLANs 8, 9 and 20 exist on this switch and the WGB bridges only those three; prune the allowed list to exactly the VLANs the WGB bridges.

vlan 8-9,20
!
interface GigabitEthernet0/1
 description WGB TRUNK
 switchport trunk native vlan 20
 switchport trunk allowed vlan 7-9,20
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast trunk
!
interface GigabitEthernet0/6
 description WGB-PC
 switchport access vlan 9
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/8
 description WGB-Printer
 switchport access vlan 8
 switchport mode access
 spanning-tree portfast
!
interface Vlan20
 description NetMgmt
 ip dhcp client client-id hex 0158BFEA59F801
 ip address dhcp
!
ip default-gateway 192.168.20.254

Now you can verify that the clients get IPs from their individual VLANs as expected.

WGB#sh bridge 
Total of 300 station blocks, 291 free
Codes: P - permanent, S - self

Bridge Group 1:
    Address       Action   Interface       Age   RX count   TX count
001f.caca.ea4f   forward   Vi0.20            2          0          0
001a.e3a7.ff50   forward   Vi0.20            1          0          0
001a.e3a7.ff46   forward   Vi0.20            1        319          0
58bf.ea59.f801   forward   Gi0.20            0      23748          2

Bridge Group 8:
0018.fea5.dc3e   forward   Gi0.8            P         362          0
58bf.ea59.f801   forward   Gi0.8             0      23748          0

Bridge Group 9:
001f.1618.dfec   forward   Gi0.9             0     156349          0
58bf.ea59.f801   forward   Gi0.9             0      23109          0

WGB#show dot11 associations 
802.11 Client Stations on Dot11Radio1: 
SSID [MRN-WGB] : 
MAC Address    IP address      Device        Name            Parent         State     
001f.caca.ea4f 10.10.111.10    LWAPP-Parent LAP2            -              Assoc    

WGB#show dot11 associations 001f.caca.ea4f
Address           : 001f.caca.ea4f     Name             : LAP2
IP Address        : 10.10.111.10       
Gateway Address   : 0.0.0.0            
Netmask Address   : 0.0.0.0            Interface        : Dot11Radio 1
Device            : LWAPP-Parent      Software Version : NONE 
CCX Version       : 5                  Client MFP       : On

State             : Assoc              Parent           : -                  
SSID              : MRN-WGB                         
VLAN              : 20
Hops to Infra     : 0                  Association Id   : 1
Tunnel Address    : 0.0.0.0
Key Mgmt type     : WPAv2 PSK          Encryption       : AES-CCMP
Current Rate      : 54.0               Capability       : WMM
Supported Rates   : 24.0 36.0 48.0 54.0
Voice Rates       : disabled           Bandwidth        : 20 MHz 
Signal Strength   : -23  dBm           Connected for    : 3060 seconds
Signal to Noise   : 72  dB            Activity Timeout : 15 seconds
Power-save        : Off                Last Activity    : 0 seconds ago
Apsd DE AC(s)     : NONE

Packets Input     : 35230              Packets Output   : 11730     
Bytes Input       : 5725422            Bytes Output     : 3095817   
Duplicates Rcvd   : 0                  Data Retries     : 171       
Decrypt Failed    : 1763               RTS Retries      : 0         
MIC Failed        : 0                  MIC Missing      : 0         
Packets Redirected: 0                  Redirect Filtered: 0

From WLC you can verify the client connectivity as well.

(WLC1) >show wgb summary 
WGB Vlan Client Support.......................... Enabled
Number of WGBs................................... 1
MAC Address        IP Address      AP Name            Status    WLAN  Auth  Protocol          Clients
-----------------  --------------- -----------------  --------- ----  ----  ----------------  -------
44:d3:ca:af:43:43  192.168.20.120  LAP2               Assoc     20    Yes   802.11n(5 GHz)     4

(WLC1) >show  wgb detail 44:d3:ca:af:43:43
Number of wired client(s): 4
MAC Address        IP Address      AP Name            Mobility   WLAN Auth
-----------------  --------------- -----------------  ---------- ---- ----
58:bf:ea:59:f8:01  192.168.20.199  LAP2               Local      20   Yes
00:18:fe:a5:dc:3e  192.168.8.100   LAP2               Local      20   Yes
00:1f:16:18:df:ec  192.168.9.100   LAP2               Local      20   Yes
58:bf:ea:59:f8:41  192.168.20.199  LAP2               Local      20   Yes

(WLC1) >show client summary 
Number of Clients................................ 5
MAC Address       AP Name           Status        WLAN/GLAN      Auth Protocol         Port Wired
----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
00:18:fe:a5:dc:3e LAP2              Associated    20             Yes  N/A              1    No
00:1f:16:18:df:ec LAP2              Associated    20             Yes  N/A              1    No
44:d3:ca:af:43:43 LAP2              Associated    20             Yes  802.11n(5 GHz)   1    No
58:bf:ea:59:f8:01 LAP2              Associated    20             Yes  N/A              1    No
58:bf:ea:59:f8:41 LAP2              Associated    20             Yes  N/A              1    No

(WLC1) >show client detail 58:bf:ea:59:f8:01
Client MAC Address............................... 58:bf:ea:59:f8:01
Client Username ................................. N/A
AP MAC Address................................... 00:1f:ca:ca:ea:40
AP Name.......................................... LAP2              
Client State..................................... Associated     
Client NAC OOB State............................. Access
Workgroup Bridge Client.......................... WGB: 44:d3:ca:af:43:43
Wireless LAN Id.................................. 20 
BSSID............................................ 00:1f:ca:ca:ea:4f  
Connected For ................................... 3978 secs
Channel.......................................... 36 
IP Address....................................... 192.168.20.199
Association Id................................... 0  
Authentication Algorithm......................... Open System
Reason Code...................................... 1  
Status Code...................................... 0  
Session Timeout.................................. 0  
Client CCX version............................... No CCX support
Mirroring........................................ Disabled
QoS Level........................................ Silver
802.1P Priority Tag.............................. 3
WMM Support...................................... Disabled

(WLC1) >show client detail 44:d3:ca:af:43:43
Client MAC Address............................... 44:d3:ca:af:43:43
Client Username ................................. N/A
AP MAC Address................................... 00:1f:ca:ca:ea:40
AP Name.......................................... LAP2              
Client State..................................... Associated     
Client NAC OOB State............................. Access
Workgroup Bridge................................. 4 client(s)
Wireless LAN Id.................................. 20 
BSSID............................................ 00:1f:ca:ca:ea:4f  
Connected For ................................... 4002 secs
Channel.......................................... 36 
IP Address....................................... 192.168.20.120
Association Id................................... 1  
Authentication Algorithm......................... Open System
Reason Code...................................... 1  
Status Code...................................... 0  
Session Timeout.................................. 0  
Client CCX version............................... 5  
Client E2E version............................... No E2E support
Diagnostics Capability........................... Not Supported
S69 Capability................................... Not Supported
Mirroring........................................ Disabled

(WLC1) >show client detail 00:18:fe:a5:dc:3e
Client MAC Address............................... 00:18:fe:a5:dc:3e
Client Username ................................. N/A
AP MAC Address................................... 00:1f:ca:ca:ea:40
AP Name.......................................... LAP2              
Client State..................................... Associated     
Client NAC OOB State............................. Access
Workgroup Bridge Client.......................... WGB: 44:d3:ca:af:43:43
Wireless LAN Id.................................. 20 
BSSID............................................ 00:1f:ca:ca:ea:4f  
Connected For ................................... 4047 secs
Channel.......................................... 36 
IP Address....................................... 192.168.8.100
Association Id................................... 0  
Authentication Algorithm......................... Open System
Reason Code...................................... 1  
Status Code...................................... 0  
Session Timeout.................................. 0  
Client CCX version............................... No CCX support
Mirroring........................................ Disabled
QoS Level........................................ Silver
802.1P Priority Tag.............................. 3
WMM Support...................................... Disabled

You can access the WGB GUI using its assigned IP (192.168.20.120).

UnifiedAP-WGB-02

You can refer to the following Cisco documents as well.

1. Mesh & WGB Multiple VLAN support config example
2. Outdoor Mesh Design Guide

In the next post we will see how to configure WGB roaming related settings.

Related Posts

1. WGB Configuration
2. WGB with EAP-FAST
3. WGB with CAPWAP
4. WGB with PSK
5. WGB Roaming
6. WGB-IOS AP with Multiple VLAN
7. Packet Retries & Max-Retries
8. WGB Config Example


IOS AP-WGB with Multiple VLAN


In this post we will see how to configure a WGB to support multiple VLANs for the wired clients behind it. Here is the topology for this post, where VLAN 7 and VLAN 8 are defined for the wired clients behind the WGB. VLAN 20 is the native VLAN, and AAP1, the WGB and CAT5 are assigned addresses in that VLAN.

In autonomous mode the WGB must associate as an "infrastructure-client" (the root AP's radio is configured with the infrastructure-client command) in order to support multiple VLANs.

IOSAP-WGB-01

Here is the CAT2 configuration, where the DHCP pools and SVIs are defined.

ip dhcp excluded-address 192.168.7.1 192.168.7.99
ip dhcp excluded-address 192.168.8.1 192.168.8.99
ip dhcp excluded-address 192.168.20.1 192.168.20.99
!
ip dhcp pool VLAN7
   network 192.168.7.0 255.255.255.0
   default-router 192.168.7.1 
   domain-name mrn.com
   dns-server 192.168.200.1 
   address 192.168.7.100 client-id 0100.1f16.18df.ec <- PC IP reservation
!
ip dhcp pool VLAN8
   network 192.168.8.0 255.255.255.0
   default-router 192.168.8.1 
   domain-name mrn.com
   dns-server 192.168.200.1 
   address 192.168.8.100 client-id 0000.18fe.a5dc.3e <- Printer IP reservation
!
ip dhcp pool vlan20
   network 192.168.20.0 255.255.255.0
   default-router 192.168.20.254 
   dns-server 192.168.200.1 192.231.203.132 192.231.203.3 
   domain-name mrn.com
   address 192.168.20.120 client-id 0144.d3ca.af43.43<- WGB IP reservation
!
interface FastEthernet1/0/13
 description TEMP-AAP1-1142
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 20
 switchport mode trunk

AAP1 is configured as shown below. The SSID is marked "infrastructure-ssid" so that only infrastructure devices (such as WGBs) can associate to it. Dot11Radio1 is configured with "infrastructure-client" so that the WGB associates in infrastructure-client mode, which is mandatory for multiple-VLAN support behind a WGB in this IOS-AP-WGB setup (in the Unified method a client-mode WGB supports the feature with "workgroup-bridge unified-vlan-client" instead). Infrastructure-client mode also improves multicast reliability for the clients behind the WGB, because the root AP delivers multicast frames to the WGB as acknowledged unicast. WLAN security is WPA2-PSK.

hostname AAP1
dot11 ssid MRN-WGB
   vlan 20
   authentication open 
   authentication key-management wpa version 2
   infrastructure-ssid
   wpa-psk ascii MRN-CCIEW
!
interface Dot11Radio1
 encryption vlan 20 mode ciphers aes-ccm 
 ssid MRN-WGB
 station-role root
 infrastructure-client
!
interface Dot11Radio1.7
 encapsulation dot1Q 7
 bridge-group 7
!
interface Dot11Radio1.8
 encapsulation dot1Q 8
 bridge-group 8
!
interface Dot11Radio1.20
 encapsulation dot1Q 20 native
 bridge-group 1
!
interface GigabitEthernet0.7
 encapsulation dot1Q 7
 bridge-group 7
!
interface GigabitEthernet0.8
 encapsulation dot1Q 8
 bridge-group 8
!
interface GigabitEthernet0.20
 encapsulation dot1Q 20 native
 bridge-group 1
!
interface BVI1
 ip address 192.168.20.99 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.20.254
sntp server 10.10.205.20

The WGB is configured as shown below; its "station-role" must be "workgroup-bridge".

hostname WGB
dot11 ssid MRN-WGB
   vlan 20
   authentication open 
   authentication key-management wpa version 2
   infrastructure-ssid
   wpa-psk ascii MRN-CCIEW
!
interface Dot11Radio1
 encryption vlan 20 mode ciphers aes-ccm 
 ssid MRN-WGB
 station-role workgroup-bridge
!
interface Dot11Radio1.7
 encapsulation dot1Q 7
 bridge-group 7
!
interface Dot11Radio1.8
 encapsulation dot1Q 8
 bridge-group 8
!
interface Dot11Radio1.20
 encapsulation dot1Q 20 native
 bridge-group 1
!
interface GigabitEthernet0.7
 encapsulation dot1Q 7
 bridge-group 7
!
interface GigabitEthernet0.8
 encapsulation dot1Q 8
 bridge-group 8
!
interface GigabitEthernet0.20
 encapsulation dot1Q 20 native
 bridge-group 1
!
interface BVI1
 ip dhcp client client-id GigabitEthernet0 <- IP for WGB Mgmt purposes
 ip address dhcp

CAT5 (the switch behind the WGB) is configured as follows.

vlan 7-8,20
!
interface GigabitEthernet0/1
 description WGB TRUNK
 switchport trunk native vlan 20
 switchport trunk allowed vlan 7-9,20
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast trunk
!
interface GigabitEthernet0/7
 description WGB-PC
 switchport access vlan 7
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/8
 description WGB-Printer
 switchport access vlan 8
 switchport mode access
 spanning-tree portfast
!
interface Vlan20
 description SW-MGMT
 ip address 192.168.20.199 255.255.255.0
!
ip default-gateway 192.168.20.254
ntp server 10.10.205.20
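The CAT5 trunk, both here and in the Unified post's CAT5 config, allows VLANs 7-9 and 20 while the WGB bridges only 7, 8 and 20. Keeping the trunk's allowed list equal to the set the WGB actually bridges is the least-privilege form of this configuration, and the mismatch is easy to catch automatically. The Python below is an added example, not part of the post: it reads the WGB's dot1Q subinterfaces and the switch trunk from the configs above (embedded as constructed strings trimmed to the relevant lines), reports VLANs allowed but not bridged and vice versa, checks that the native VLANs agree, and prints the pruned allowed list. The interface name GigabitEthernet0/1 is the one used above.

```python
import re

# Constructed input: the WGB and CAT5 configs from this post, trimmed to the relevant lines.
WGB_CONFIG = """\
interface Dot11Radio1.7
 encapsulation dot1Q 7
interface Dot11Radio1.8
 encapsulation dot1Q 8
interface Dot11Radio1.20
 encapsulation dot1Q 20 native
interface GigabitEthernet0.7
 encapsulation dot1Q 7
interface GigabitEthernet0.8
 encapsulation dot1Q 8
interface GigabitEthernet0.20
 encapsulation dot1Q 20 native
"""

CAT5_CONFIG = """\
vlan 7-8,20
!
interface GigabitEthernet0/1
 description WGB TRUNK
 switchport trunk native vlan 20
 switchport trunk allowed vlan 7-9,20
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet0/7
 switchport access vlan 7
"""


def expand_vlan_list(spec: str) -> set:
    """IOS VLAN list such as '7-9,20' -> {7, 8, 9, 20}."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def compress_vlan_list(vlans: set) -> str:
    """{7, 8, 20} -> '7-8,20' in IOS notation (consecutive VLANs become a range)."""
    out, run = [], []
    for v in sorted(vlans) + [None]:
        if run and (v is None or v != run[-1] + 1):
            out.append(f"{run[0]}-{run[-1]}" if len(run) > 1 else str(run[0]))
            run = []
        run.append(v)
    return ",".join(out)


def wgb_vlans(config: str):
    """Return (set of VLANs that have a dot1Q subinterface, native VLAN or None)."""
    bridged, native = set(), None
    for m in re.finditer(r"^\s*encapsulation dot1Q (\d+)( native)?", config, re.M):
        bridged.add(int(m.group(1)))
        if m.group(2):
            native = int(m.group(1))
    return bridged, native


def trunk_vlans(config: str, ifname: str):
    """Return (allowed VLAN set, native VLAN) for one switch interface block."""
    block = re.search(rf"^interface {re.escape(ifname)}\n(.*?)(?=^!|^interface |\Z)",
                      config, re.M | re.S)
    if not block:
        raise ValueError(f"{ifname} not found in config")
    body = block.group(1)
    allowed = re.search(r"switchport trunk allowed vlan (\S+)", body)
    native = re.search(r"switchport trunk native vlan (\d+)", body)
    return (expand_vlan_list(allowed.group(1)) if allowed else set(),
            int(native.group(1)) if native else 1)   # IOS default native VLAN is 1


def audit(wgb_config: str, switch_config: str, trunk_if: str) -> dict:
    """Compare what the WGB bridges with what the switch trunk carries."""
    bridged, wgb_native = wgb_vlans(wgb_config)
    allowed, sw_native = trunk_vlans(switch_config, trunk_if)
    return {
        "allowed_not_bridged": allowed - bridged,   # exposure: prune these from the trunk
        "bridged_not_allowed": bridged - allowed,   # breakage: the switch drops these
        "native_match": wgb_native == sw_native,
        "suggested_allowed": compress_vlan_list(bridged),
    }


if __name__ == "__main__":
    result = audit(WGB_CONFIG, CAT5_CONFIG, "GigabitEthernet0/1")
    for key, value in result.items():
        print(f"{key}: {value}")
    print(f"switchport trunk allowed vlan {result['suggested_allowed']}")
```

Run against the configs above it reports VLAN 9 as allowed on the trunk but never bridged, and suggests "switchport trunk allowed vlan 7-8,20". VLAN 9 does not exist on CAT5 here so the gap is harmless, but on a switch where the VLAN did exist the trunk would extend it toward the WGB for no reason.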

Once configured like this, you can verify that the devices get IP addresses from each VLAN.

AAP1#sh dot11 associations client 
802.11 Client Stations on Dot11Radio1: 
SSID [MRN-WGB] : 
MAC Address    IP address      Device        Name            Parent         State     
0018.fea5.dc3e 192.168.8.100   WGB-client    -               44d3.caaf.4343 Assoc    
001f.1618.dfec 192.168.7.100   WGB-client    -               44d3.caaf.4343 Assoc    
58bf.ea59.f801 0.0.0.0         WGB-client    -               44d3.caaf.4343 Assoc    
58bf.ea59.f841 192.168.20.199  WGB-client    -               44d3.caaf.4343 Assoc

Initially you can reach all of the wired clients behind the WGB. A few minutes later you will notice that you can no longer ping the printer. This is because the printer is a passive client: it does not initiate any traffic, so nothing refreshes its MAC address in the WGB bridge table and the entry ages out.

You can avoid this in either of the following ways.

1. Increase the aging-out timer
2. Add static entry in WGB for the passive client

You can configure the aging time per bridge group as follows. Set a larger aging time for the bridge group where the printer (or other passive client) sits; in my case that is bridge-group 8. Keep in mind that a long aging time (86400 seconds here) also keeps entries for devices that have been unplugged until they expire, so for devices that never talk at all the static entry below is the more precise fix.

WGB(config)#bridge ?
  <1-255>            Bridge Group number for Bridging.
  crb                Concurrent routing and bridging
  irb                Integrated routing and bridging
  mac-address-table  MAC-address table configuration commands

WGB(config)#bridge 8 ?
  acquire                   Dynamically learn new, unconfigured stations
  address                   Block or forward a particular Ethernet address
  aging-time                Set forwarding entry aging time
  bitswap-layer3-addresses  Bitswap embedded layer 3 MAC addresses
  bridge                    Specify a protocol to be bridged in this bridge group
  circuit-group             Circuit-group
  domain                    Establish multiple bridging domains
  forward-time              Set forwarding delay time
  hello-time                Set interval between HELLOs
  lat-service-filtering     Perform LAT service filtering
  max-age                   Maximum allowed message age of received Hello BPDUs
  priority                  Set bridge priority
  protocol                  Specify spanning tree protocol
  route                     Specify a protocol to be routed in this bridge group
  subscriber-policy         Subscriber group bridging

WGB(config)#bridge 8 aging-time ?
  <10-1000000>  Seconds

WGB(config)#bridge 8 aging-time 86400

You can achieve the same by configuring a static entry in the WGB bridge table; the given MAC address then never ages out. Because the entry pins the MAC to one interface and bridge group, update it if the device is later moved to another port or VLAN.

WGB(config)#bridge 8 ?
  acquire                   Dynamically learn new, unconfigured stations
  address                   Block or forward a particular Ethernet address
  aging-time                Set forwarding entry aging time
  bitswap-layer3-addresses  Bitswap embedded layer 3 MAC addresses
  bridge                    Specify a protocol to be bridged in this bridge group
  circuit-group             Circuit-group
  domain                    Establish multiple bridging domains
  forward-time              Set forwarding delay time
  hello-time                Set interval between HELLOs
  lat-service-filtering     Perform LAT service filtering
  max-age                   Maximum allowed message age of received Hello BPDUs
  priority                  Set bridge priority
  protocol                  Specify spanning tree protocol
  route                     Specify a protocol to be routed in this bridge group
  subscriber-policy         Subscriber group bridging

WGB(config)#bridge 8 address ?
  H.H.H  Ethernet mac-address

WGB(config)#bridge 8 address 0018.fea5.dc3e ?
  discard  Discard datagrams from/to this address
  forward  Forward datagrams from/to this address

WGB(config)#bridge 8 address 0018.fea5.dc3e forward ?
  Async               Async interface
  Auto-Template       Auto-Template interface
  BVI                 Bridge-Group Virtual Interface
  CDMA-Ix             CDMA Ix interface
  CTunnel             CTunnel interface
  Dialer              Dialer interface
  Dot11Radio          Dot11 interface
  GigabitEthernet     GigabitEthernet IEEE 802.3z
  LongReachEthernet   Long-Reach Ethernet interface
  Loopback            Loopback interface
  Multilink           Multilink-group interface
  Null                Null interface
  Tunnel              Tunnel interface
  Vif                 PGM Multicast Host interface
  Virtual-Dot11Radio  Virtual dot11 interface
  Virtual-PPP         Virtual PPP interface
  Virtual-Template    Virtual Template interface
  Virtual-TokenRing   Virtual TokenRing
  vmi                 Virtual Multipoint Interface

WGB(config)#bridge 8 address 0018.fea5.dc3e forward g0.8
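Both symptoms discussed above (the printer vanishing from the bridge table here, and the ageing problem around the earlier "show bridge" output) can be caught from the CLI output itself. The following Python is an added example, not part of the post: it parses "show bridge" output, lists dynamic entries that are close to the aging time, and emits the "bridge <group> address <mac> forward <interface>" commands for passive clients that are not yet permanent. The sample output is constructed from the entries shown earlier, with the printer learned dynamically and already 4 minutes idle; the Age column is treated as minutes and the aging time as seconds (default 300).

```python
import re

ENTRY_RE = re.compile(
    r"^([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s+(P|S|\d+)\s+(\d+)\s+(\d+)$"
)
GROUP_RE = re.compile(r"^Bridge Group (\d+):")

# Constructed sample: the entries shown earlier, but with the printer (bridge group 8)
# learned dynamically and 4 minutes idle instead of pinned with 'P'.
SAMPLE_SHOW_BRIDGE = """\
Total of 300 station blocks, 291 free
Codes: P - permanent, S - self

Bridge Group 1:
    Address       Action   Interface       Age   RX count   TX count
001f.caca.ea4f   forward   Vi0.20            2          0          0
58bf.ea59.f801   forward   Gi0.20            0      23748          2

Bridge Group 8:
0018.fea5.dc3e   forward   Gi0.8             4         362          0
58bf.ea59.f801   forward   Gi0.8             0      23748          0
"""

# Passive wired clients that must stay reachable: MAC -> (bridge group, interface)
REQUIRED_CLIENTS = {"0018.fea5.dc3e": (8, "GigabitEthernet0.8")}


def parse_show_bridge(text: str) -> list:
    """Turn 'show bridge' output into a list of dicts, one per learned station."""
    entries, group = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = GROUP_RE.match(line)
        if m:
            group = int(m.group(1))
            continue
        m = ENTRY_RE.match(line)
        if m and group is not None:
            age = m.group(4)
            entries.append({
                "group": group, "mac": m.group(1), "action": m.group(2),
                "iface": m.group(3),
                "permanent": age == "P", "self": age == "S",
                "age_min": int(age) if age.isdigit() else 0,   # Age column is in minutes
                "rx": int(m.group(5)), "tx": int(m.group(6)),
            })
    return entries


def expiring(entries: list, aging_time_s: int = 300, margin_s: int = 60) -> list:
    """Dynamic entries within margin_s of being aged out (aging-time is in seconds)."""
    return [e for e in entries
            if not (e["permanent"] or e["self"])
            and e["age_min"] * 60 >= aging_time_s - margin_s]


def pin_commands(entries: list, required: dict) -> list:
    """'bridge N address MAC forward IFACE' for required clients that are not yet permanent."""
    pinned = {(e["group"], e["mac"]) for e in entries if e["permanent"]}
    return [f"bridge {grp} address {mac} forward {iface}"
            for mac, (grp, iface) in required.items() if (grp, mac) not in pinned]


if __name__ == "__main__":
    table = parse_show_bridge(SAMPLE_SHOW_BRIDGE)
    for e in expiring(table):
        print(f"about to age out: group {e['group']} {e['mac']} on {e['iface']} "
              f"({e['age_min']} min idle)")
    for cmd in pin_commands(table, REQUIRED_CLIENTS):
        print(cmd)
```

With the default 300-second aging time the printer is flagged and the pin command for bridge group 8 is printed; with the 86400-second value configured above nothing is close to expiring, which is the trade-off between the two fixes.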

A few other timers are available if you need to tune these values further (introduced in 12.4(25d)JA and later). I have not changed the default timer values in this example. Any default must lie inside the range the parser shows; the defaults noted below are the ones listed in the command reference linked at the end of this post, so verify them for your release.

WGB(config)#workgroup-bridge ?
  client-vlan          Ethernet client VLAN number
  timeouts             Fine tuning WGB time-outs config commands
  unified-vlan-client  Enable Unified VLAN client

WGB(config)#workgroup-bridge timeouts ?
  assoc-response  Association Response time-out value
  auth-response   Authentication Response time-out value
  client-add      client-add time-out value
  eap-timeout     EAP Timeout value
  iapp-refresh    IAPP Refresh time-out value

WGB(config)#workgroup-bridge timeouts assoc-response ?
  <300-5000>  Milli Seconds  <- Default 5000 ms

WGB(config)#workgroup-bridge timeouts auth-response ?
  <300-5000>  Milli Seconds  <- Default 5000 ms

WGB(config)#workgroup-bridge timeouts client-add ?
  <300-5000>  Milli Seconds  <- Default 5000 ms

WGB(config)#workgroup-bridge timeouts eap-timeout ?
  <2-60>  Seconds  <- Default 3 seconds

WGB(config)#workgroup-bridge timeouts iapp-refresh ?
  <100-1000>  Milli Seconds  <- Default 100 ms

If the switch behind the WGB does not support VLANs (a hub, for example), you can place all wired clients in a single VLAN with the "workgroup-bridge client-vlan <vlan-id>" command shown in the parser output above.

You can refer to the following reference guides for detailed explanations of the CLI commands.

1. IOS Command Reference – Cisco IOS Releases 15.2(2)JA, 12.4(25d)JA, and 12.3(8)JEE
2. Cisco DOC-21999 :WGB with multiple VLANs

Related Posts

1. WGB Configuration
2. WGB with EAP-FAST
3. WGB with CAPWAP
4. WGB with PSK
5. WGB Roaming
6. WGB-CAPWAP with Multiple VLAN
7. Packet Retries & Max-Retries
8. WGB Config Example


Packet Retries & Max-Retries


On an autonomous (IOS) AP you can configure the number of attempts the radio makes to send a packet before giving up and dropping it. There are two ways of configuring this: one command for best-effort traffic (user priority 0) and another for non-best-effort traffic (user priorities 1-7).

1. Best-effort Traffic (packet retries command)
2. Non-Best-effort Traffic (packet max-retries command )

First we will look at how to configure this for best-effort traffic (priority 0). These commands are configured under the radio interface (d0 for 2.4 GHz or d1 for 5 GHz). Use the packet retries interface configuration command to specify the maximum number of attempts to send a packet; the default number of retries is 32.

The example below configures radio interface 1 (5 GHz) to attempt a packet 16 times before giving up. Adding the "drop-packet" keyword at the end makes the AP drop only the packet when the retry limit is reached instead of disassociating the station. Remember that this applies only to best-effort (priority 0) traffic.

AAP1(config)#int d1
AAP1(config-if)#packet ?
  max-retries  maximum non-best-effort data packet retries before discard pkt
  retries      maximum best-effort data packet retries
  speed        qos user-priority(up) downlink rates for discard-enabled packets
  timeout      up packet aging/discard timeout threshold

AAP1(config-if)#packet retries ?
  <1-128>  number of packet retries before giving up

AAP1(config-if)#packet retries 16 ?
  drop-packet  Don't disassociate station, instead just drop packets when maximum retries is reached

AAP1(config-if)#packet retries 16 drop-packet

Next we will look at how to configure the same parameter for non-best-effort traffic (priority values 1-7). Use the "packet max-retries" interface configuration command to specify the maximum number of attempts per non-best-effort data packet before discarding it. Here is the syntax of the command.

packet max-retries <number 1> <number 2> fail-threshold <number 3> <number 4> priority <value> drop-packet

max-retries <number 1> <number 2>
Specifies the maximum number (0 to 128) of retries per non-best-effort data packet before the packet is discarded. number 1 is used while fail-threshold number 3 has not been exceeded, and number 2 is used once it has. The default for number 1 is 3 and for number 2 is 0.

fail-threshold <number 3> <number 4>
Specifies the thresholds for the maximum number of consecutive dropped packets (0 to 1000). number 3 is the threshold at which max-retries switches from number 1 to number 2, as described above. Once number 4 has been exceeded the client is disassociated. The default for number 3 is 100 and for number 4 is 500.

priority <value>
Specifies the QOS user priority (1 to 7). value does not have a default value.

drop-packet
Specifies that priority packets should not be retried and that the packets should be dropped when the maximum number of retries has been reached.

Here is a configuration example for priority 5 traffic. It does the following.

1. While fewer than 25 consecutive priority-5 packets have been dropped, each packet is retried up to 5 times before being discarded.
2. Once 25 (but fewer than 100) consecutive priority-5 packets have been dropped, each packet is retried at most 2 times before being discarded.
3. Once 100 consecutive priority-5 packets have been dropped, the client is disassociated.

AAP1(config-if)#packet max-retries ?
  <0-128>  # packet retries before dropping pkt if first fail-threshold not reached

AAP1(config-if)#packet max-retries 5 ?
  <0-128>  # packet retries before dropping pkt if 2nd fail-threshold not reached

AAP1(config-if)#packet max-retries 5 2 ?
  fail-threshold  maximum # consecutive dropped packets thresholds

AAP1(config-if)#packet max-retries 5 2 fail-threshold ?
  <0-1000>  # consecutive dropped packets before switching max-retries thresholds

AAP1(config-if)#packet max-retries 5 2 fail-threshold 25 ?
  <0-1000>  number of consecutive dropped packets before disassociating client

AAP1(config-if)#packet max-retries 5 2 fail-threshold 25 100 ?
  priority  qos user-priority

AAP1(config-if)#packet max-retries 5 2 fail-threshold 25 100 priority ?
  <0-7>  qos user-priority number

AAP1(config-if)#packet max-retries 5 2 fail-threshold 25 100 priority 5 ?
  drop-packet  Don't retry pkts, just drop packets when max retries reached

AAP1(config-if)#packet max-retries 5 2 fail-threshold 25 100 priority 5 drop-packet

There are two other configuration parameters related to the "packet max-retries" interface configuration.

1. packet speed
2. packet timeout

You can use the "packet speed" interface configuration command to specify down-link data rates and priorities for packets that have been declared discard-eligible by the "packet max-retries" command. The command has the following syntax:

packet speed [rate1....rateN | default] priority <0-7>

802.11b default data rates (Mbps): 5.5, 11.0
802.11a default data rates (Mbps): 6.0, 12.0, 24.0
802.11g default data rates (Mbps): 5.5, 6.0, 11.0, 12.0, 24.0
The priority default is 6 (voice). Currently, only priority 6 is allowed, pending future releases.

Here is a configuration example.

AAP1(config-if)#packet speed ?
  12.0      Allow 12.0 Mb/s rate
  18.0      Allow 18.0 Mb/s rate
  24.0      Allow 24.0 Mb/s rate
  36.0      Allow 36.0 Mb/s rate
  48.0      Allow 48.0 Mb/s rate
  54.0      Allow 54.0 Mb/s rate
  6.0       Allow 6.0 Mb/s rate
  9.0       Allow 9.0 Mb/s rate
  default   Set default rates
  priority  qos user-priority(first enter rates, followed by priority)

AAP1(config-if)#packet speed default ?
  12.0      Allow 12.0 Mb/s rate
  18.0      Allow 18.0 Mb/s rate
  24.0      Allow 24.0 Mb/s rate
  36.0      Allow 36.0 Mb/s rate
  48.0      Allow 48.0 Mb/s rate
  54.0      Allow 54.0 Mb/s rate
  6.0       Allow 6.0 Mb/s rate
  9.0       Allow 9.0 Mb/s rate
  priority  qos user-priority(first enter rates, followed by priority)

AAP1(config-if)#packet speed default priority ?
  <6-6>  qos user-priority number, currently only support voice priority = 6

AAP1(config-if)#packet speed default priority 6

You can use the "packet timeout" interface configuration command to specify the packet timeout period for a priority. Queued packets whose age has exceeded the timeout threshold are discarded if they have been declared discard-eligible by the "packet max-retries" command. The timeout default is 35 milliseconds. The command has the following syntax: "packet timeout <1-128> priority <0-7>".

AAP1(config-if)#packet timeout ?
  <0-128>  discard up pkt in queue if exceed timeout threshold in msec 

AAP1(config-if)#packet timeout 25 ?
  priority  qos user-priority

AAP1(config-if)#packet timeout 25 p
AAP1(config-if)#packet timeout 25 priority ?
  <0-7>  qos user-priority number

AAP1(config-if)#packet timeout 25 priority 6
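To make the interaction between the four max-retries numbers and the timeout concrete, here is a small Python model of the retry, fail-threshold and timeout decisions described above, covering both the "packet max-retries" example and the "packet timeout" command. This is an added example, not Cisco IOS code; the names RetryPolicy, ClientState, send_packet and run_scenario are my own, and two behaviours the page does not state are assumed: a successful transmission resets the consecutive-drop counter, and a packet discarded by the timeout counts as a dropped packet.

```python
"""Model of 'packet max-retries <n1> <n2> fail-threshold <n3> <n4> priority <p>
[drop-packet]' together with 'packet timeout <ms> priority <p>'.

Constructed illustration of the behaviour described in the post; not the
AP's implementation. Comparison direction ('exceeded' == strictly greater),
counter reset on success and counting timeouts as drops are assumptions.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class RetryPolicy:
    retries_normal: int        # <number 1>: retries while <number 3> not exceeded
    retries_degraded: int      # <number 2>: retries once <number 3> exceeded
    fail_switch: int           # <number 3>: consecutive drops that switch retries
    fail_disassoc: int         # <number 4>: consecutive drops that disassociate
    timeout_ms: int = 35       # 'packet timeout' default from the post
    drop_packet: bool = False  # 'drop-packet' keyword: never retry

    def __post_init__(self) -> None:
        # Same ranges the CLI help strings show.
        for name, upper in (("retries_normal", 128), ("retries_degraded", 128),
                            ("fail_switch", 1000), ("fail_disassoc", 1000),
                            ("timeout_ms", 128)):
            value = getattr(self, name)
            if not 0 <= value <= upper:
                raise ValueError(f"{name}={value} is outside 0-{upper}")


@dataclass
class ClientState:
    consecutive_drops: int = 0
    associated: bool = True


def retries_allowed(policy: RetryPolicy, state: ClientState) -> int:
    """Retry budget for the next packet: <number 1> until <number 3> has been
    exceeded, <number 2> afterwards, and 0 when drop-packet is configured."""
    if policy.drop_packet:
        return 0
    if state.consecutive_drops > policy.fail_switch:
        return policy.retries_degraded
    return policy.retries_normal


def _record_drop(policy: RetryPolicy, state: ClientState, reason: str) -> str:
    state.consecutive_drops += 1
    # Assumption: 'exceeded' means strictly greater than <number 4>.
    if state.consecutive_drops > policy.fail_disassoc:
        state.associated = False
        return "disassociated"
    return reason


def send_packet(policy: RetryPolicy, state: ClientState,
                age_ms: int, attempts: List[bool]) -> str:
    """Decide the fate of one queued packet.

    attempts lists the outcome of each over-the-air transmission the AP
    would make (True = acknowledged). Returns 'delivered', 'discarded',
    'timeout' or 'disassociated'."""
    if not state.associated:
        return "disassociated"
    if age_ms > policy.timeout_ms:
        # Assumption: a timed-out packet counts as a dropped packet.
        return _record_drop(policy, state, "timeout")
    budget = 1 + retries_allowed(policy, state)   # first try plus retries
    for acked in attempts[:budget]:
        if acked:
            state.consecutive_drops = 0           # assumption: success resets run
            return "delivered"
    return _record_drop(policy, state, "discarded")


def run_scenario(policy: RetryPolicy,
                 packets: List[Tuple[int, List[bool]]]):
    """Feed (age_ms, attempts) pairs through a fresh client; return, per packet,
    (result, retries that were allowed for it) and the final client state."""
    state = ClientState()
    results = []
    for age_ms, attempts in packets:
        budget = retries_allowed(policy, state)
        results.append((send_packet(policy, state, age_ms, attempts), budget))
    return results, state


if __name__ == "__main__":
    # The post's example: max-retries 5 2 fail-threshold 25 100, timeout 25 ms.
    policy = RetryPolicy(5, 2, 25, 100, timeout_ms=25)
    results, state = run_scenario(policy, [(0, [False] * 10)] * 101)
    for index in (0, 25, 26, 99, 100):
        print(f"packet {index + 1}: {results[index]}")
    print("associated:", state.associated)
```

Running the module shows the switch from 5 to 2 retries after the 26th consecutive drop and the disassociation on the 101st, which is the behaviour the three numbered points above describe for the example configuration.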
