By creating AP Groups you can control which SSIDs are advertised on which APs, and which dynamic interface maps to each AP group (to reduce the broadcast domain size while keeping the same SSID). In the latest WLC software releases you can also control RF profiles via AP Groups, so certain APs in your network can have different RF characteristics. 802.11u settings are supported via AP Groups as well. The WLC code used in this post is 7.0.116.0.
You can create access point groups (AP Groups) and assign up to 16 WLANs to each group. Each access point advertises only the enabled WLANs that belong to its access point group. The access point does not advertise disabled WLANs in its access point group or WLANs that belong to another group.
You can create up to 50 access point groups for Cisco 2100 Series Controller and controller network modules; up to 300 access point groups for Cisco 4400 Series Controllers, Cisco WiSM, and 3750G wireless LAN controller switch; and up to 500 access point groups for Cisco 5500 Series Controllers.
By default there is an AP Group called "default-group" on your WLC, and all WLANs with a WLAN ID between 1 and 16 map to this group. All the access points on the WLC also map to this group. This means any WLAN (ID 1-16) will be available on any AP belonging to the default group. If your WLAN ID is greater than 16, you have to create an AP group to advertise that WLAN (or SSID). Also, if you want to advertise certain WLANs only on particular APs, you have to create an AP group for that.
Here is the topology for this post. 3502-a will be in an AP group called "APG1" and 3502-d will be in "APG2". Both APs have 4402-c as primary controller and 4402-d as secondary controller. APG1 maps to the vlan11 interface and APG2 maps to the vlan12 interface on 4402-c (primary controller). In the event of AP fail-over to 4402-d (secondary controller), APG1 maps to vlan41 and APG2 maps to vlan42.
First we will create dynamic interfaces on 4402-c as shown below. Ensure DHCP is configured on the switch so that clients get dynamic IPs.
3750-b
ip dhcp excluded-address 192.168.11.1 192.168.11.100
ip dhcp excluded-address 192.168.11.150 192.168.11.254
ip dhcp excluded-address 192.168.12.1 192.168.12.100
ip dhcp excluded-address 192.168.12.150 192.168.12.254
ip dhcp pool VLAN11
 network 192.168.11.0 255.255.255.0
 default-router 192.168.11.1
 domain-name mrn.com
ip dhcp pool VLAN12
 network 192.168.12.0 255.255.255.0
 default-router 192.168.12.1
 domain-name mrn.com

(4402-c) >config interface create vlan11 11
(4402-c) >config interface address dynamic-interface vlan11 192.168.11.33 255.255.255.0 192.168.11.1
(4402-c) >config interface dhcp dynamic-interface vlan11 primary 192.168.11.1
(4402-c) >config interface create vlan12 12
(4402-c) >config interface address dynamic-interface vlan12 192.168.12.33 255.255.255.0 192.168.12.1
(4402-c) >config interface dhcp dynamic-interface vlan12 primary 192.168.12.1
Next we will create a WLAN called "wlan<16" (with WLAN ID 6). For simplicity we will disable L2 security and make it an open SSID. Other settings are left at their defaults.
(4402-c) >config wlan create 6 wlan<16 wlan<16
(4402-c) >config wlan interface 6 vlan11
(4402-c) >config wlan security wpa disable 6
(4402-c) >config wlan enable 6
Now we will configure APG1 & APG2 and map the interfaces vlan11 & vlan12 to the WLAN we created.
(4402-c) >config wlan apgroup ?
add               Creates a new AP Group.
delete            Deletes a existing ap group.
description       Configures a description for an AP group.
interface-mapping Adds or deletes a new apgroup/WLAN/interface mapping.
nac-snmp          Configures NAC SNMP functionality on given AP-Group.
radio-policy      Configures Radio Policy on given AP-Group.

(4402-c) >config wlan apgroup add ?
<apgroup name>    Specify the name of the apgroup to configure.

(4402-c) >config wlan apgroup add APG1 ?
<description>     (optional) Specify the description for the AP group.

(4402-c) >config wlan apgroup add APG1 "AP Group 1"
(4402-c) >config wlan apgroup add APG2 "AP Group 2"

(4402-c) >config wlan apgroup interface-mapping ?
add               Adds a new apgroup/WLAN/interface mapping.
delete            Adds a new apgroup/WLAN/interface mapping.

(4402-c) >config wlan apgroup interface-mapping add ?
<apgroup name>    Specify the name of the apgroup to configure.

(4402-c) >config wlan apgroup interface-mapping add APG1 ?
<WLAN or Remote LAN Id> Enter WLAN or Remote LAN Identifier between 1 and 512.

(4402-c) >config wlan apgroup interface-mapping add APG1 6 ?
<Interface Name>  Specify the interface name.

(4402-c) >config wlan apgroup interface-mapping add APG1 6 vlan11
(4402-c) >config wlan apgroup interface-mapping add APG2 6 vlan12
Then you can assign APs to the AP groups you created, as shown below.
(4402-c) >show ap summary
Number of APs.................................... 2
Global AP User Name.............................. Not Configured
Global AP Dot1x User Name........................ Not Configured

AP Name            Slots AP Model             Ethernet MAC      Location         Port Country Priority
------------------ ----- -------------------- ----------------- ---------------- ---- ------- ------
3502-a             2     AIR-CAP3502I-N-K9    cc:ef:48:72:0b:bd 3750-B Port1     LAG  AU      1
3502-d             2     AIR-CAP3502I-N-K9    44:d3:ca:af:43:43 3750-A Port4     LAG  AU      3

(4402-c) >config ap group-name ?
<groupname>       Enter the group name of Cisco APs as String

(4402-c) >config ap group-name APG1 ?
<Cisco AP>        Enter the name of the Cisco AP.

(4402-c) >config ap group-name APG1 3502-a
Changing the AP's group name will cause the AP to reboot.
Are you sure you want to continue? (y/n) y
(4402-c) >config ap group-name APG2 3502-d
Changing the AP's group name will cause the AP to reboot.
Are you sure you want to continue? (y/n) y
You can check the connectivity by enabling one AP at a time and verifying that the client is given an IP from the correct range. First we will disable 3502-a and check the client IP once it associates.
(4402-c) >config ap disable 3502-a
(4402-c) >show client summary
Number of Clients................................ 1

MAC Address       AP Name           Status        WLAN/GLAN      Auth Protocol         Port Wired
----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
04:f7:e4:ea:5b:66 3502-d            Associated    6              Yes  802.11n(5 GHz)   29   No

(4402-c) >show client detail 04:f7:e4:ea:5b:66
Client MAC Address............................... 04:f7:e4:ea:5b:66
Client Username ................................. N/A
AP MAC Address................................... 64:ae:0c:91:94:20
AP Name.......................................... 3502-d
Client State..................................... Associated
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 6
BSSID............................................ 64:ae:0c:91:94:2f
Connected For ................................... 45 secs
Channel.......................................... 149
IP Address....................................... 192.168.12.101
Association Id................................... 1
Authentication Algorithm......................... Open System
Reason Code...................................... 1
Status Code...................................... 0
Let's enable 3502-a and disable 3502-d. As you can see below, since my client already had a vlan12 IP this time, the client moves to 3502-a without changing its IP.
(4402-c) >config ap enable 3502-a
(4402-c) >config ap disable 3502-d
(4402-c) >show client summary
Number of Clients................................ 1

MAC Address       AP Name           Status        WLAN/GLAN      Auth Protocol         Port Wired
----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
04:f7:e4:ea:5b:66 3502-a            Associated    6              Yes  802.11n(5 GHz)   29   No

(4402-c) >show client detail 04:f7:e4:ea:5b:66
Client MAC Address............................... 04:f7:e4:ea:5b:66
Client Username ................................. N/A
AP MAC Address................................... 2c:3f:38:2a:b1:20
AP Name.......................................... 3502-a
Client State..................................... Associated
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 6
BSSID............................................ 2c:3f:38:2a:b1:2f
Connected For ................................... 30 secs
Channel.......................................... 149
IP Address....................................... 192.168.12.101
Association Id................................... 1
Authentication Algorithm......................... Open System
Reason Code...................................... 1
Status Code...................................... 0
Session Timeout.................................. 0
Client CCX version............................... No CCX support
Mirroring........................................ Disabled
QoS Level........................................ Silver
802.1P Priority Tag.............................. 3
WMM Support...................................... Enabled
Power Save....................................... OFF
Current Rate..................................... m7
Supported Rates.................................. 6.0,9.0,12.0,18.0,24.0,36.0,
    ............................................. 48.0,54.0
Mobility State................................... Local
Mobility Move Count.............................. 0
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
ACL Name......................................... none
ACL Applied Status............................... Unavailable
NPU Fast Fast Notified........................... Yes
Policy Type...................................... N/A
Encryption Cipher................................ None
Management Frame Protection...................... No
EAP Type......................................... Unknown
Interface........................................ vlan12
VLAN............................................. 12
Quarantine VLAN.................................. 0
Access VLAN...................................... 12
But if you deauthenticate the client and force it to join again, you will see the client gets a vlan11 IP.
(4402-c) >show client summary
Number of Clients................................ 1

MAC Address       AP Name           Status        WLAN/GLAN      Auth Protocol         Port Wired
----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
04:f7:e4:ea:5b:66 3502-a            Associated    6              Yes  802.11n(5 GHz)   29   No

(4402-c) >config client deauthenticate 04:f7:e4:ea:5b:66
(4402-c) >show client detail 04:f7:e4:ea:5b:66
Client MAC Address............................... 04:f7:e4:ea:5b:66
Client Username ................................. N/A
AP MAC Address................................... 2c:3f:38:2a:b1:20
AP Name.......................................... 3502-a
Client State..................................... Associated
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 6
BSSID............................................ 2c:3f:38:2a:b1:2f
Connected For ................................... 27 secs
Channel.......................................... 149
IP Address....................................... 192.168.11.101
Association Id................................... 1
Authentication Algorithm......................... Open System
Reason Code...................................... 1
Status Code...................................... 0
As you can see, with AP groups clients are put into the configured VLANs as they associate to the network. But if a client roams from one AP to another AP (in a different AP group), it keeps its original IP address until it is deauthenticated and joins again.
Now let's see how this works when the APs fail over to the secondary controller (4402-d).
3750-d
interface Vlan41
 ip address 192.168.41.1 255.255.255.0
 ip helper-address 192.168.10.3
!
interface Vlan42
 ip address 192.168.42.1 255.255.255.0
 ip helper-address 192.168.10.3

(4402-d) >config interface create vlan41 41
(4402-d) >config interface address dynamic-interface vlan41 192.168.41.44 255.255.255.0 192.168.41.1
(4402-d) >config interface dhcp dynamic-interface vlan41 primary 192.168.10.3
(4402-d) >config interface create vlan42 42
(4402-d) >config interface address dynamic-interface vlan42 192.168.42.44 255.255.255.0 192.168.42.1
(4402-d) >config interface dhcp dynamic-interface vlan42 primary 192.168.10.3
(4402-d) >config wlan create 6 wlan<16 wlan<16
(4402-d) >config wlan interface 6 vlan41
(4402-d) >config wlan security wpa disable 6
(4402-d) >config wlan enable 6
Let's configure the secondary controller for the two APs.
(4402-c) >config ap secondary-base 4402-d 3502-a 192.168.40.44
(4402-c) >config ap secondary-base 4402-d 3502-d 192.168.40.44
(4402-c) >show ap config general 3502-a
Cisco AP Identifier.............................. 4
Cisco AP Name.................................... 3502-a
Country code..................................... AU - Australia
Regulatory Domain allowed by Country............. 802.11bg:-A 802.11a:-N
AP Country code.................................. AU - Australia
AP Regulatory Domain............................. 802.11bg:-A 802.11a:-N
Switch Port Number .............................. 29
MAC Address...................................... cc:ef:48:72:0b:bd
IP Address Configuration......................... DHCP
IP Address....................................... 192.168.20.61
IP NetMask....................................... 255.255.255.0
Gateway IP Addr.................................. 192.168.20.254
NAT External IP Address.......................... None
CAPWAP Path MTU.................................. 1485
Telnet State..................................... Disabled
Ssh State........................................ Disabled
Cisco AP Location................................ 3750-B Port1
Cisco AP Group Name.............................. APG1
Primary Cisco Switch Name........................ 4402-c
Primary Cisco Switch IP Address.................. 192.168.10.33
Secondary Cisco Switch Name...................... 4402-d
Secondary Cisco Switch IP Address................ 192.168.40.44
Tertiary Cisco Switch Name.......................
Tertiary Cisco Switch IP Address................. Not Configured
Now if you disconnect 4402-c (or shut down G1/0/1-2) you will see the two APs fail over to 4402-d.
(4402-d) >show ap summary
Number of APs.................................... 2
Global AP User Name.............................. Not Configured
Global AP Dot1x User Name........................ Not Configured

AP Name            Slots AP Model             Ethernet MAC      Location         Port Country Priority
------------------ ----- -------------------- ----------------- ---------------- ---- ------- ------
3502-a             2     AIR-CAP3502I-N-K9    cc:ef:48:72:0b:bd 3750-B Port1     LAG  AU      1
3502-d             2     AIR-CAP3502I-N-K9    44:d3:ca:af:43:43 3750-A Port4     LAG  AU      3

(4402-d) >show ap config general 3502-a
Cisco AP Identifier.............................. 0
Cisco AP Name.................................... 3502-a
Country code..................................... AU - Australia
Regulatory Domain allowed by Country............. 802.11bg:-A 802.11a:-N
AP Country code.................................. AU - Australia
AP Regulatory Domain............................. 802.11bg:-A 802.11a:-N
Switch Port Number .............................. 29
MAC Address...................................... cc:ef:48:72:0b:bd
IP Address Configuration......................... DHCP
IP Address....................................... 192.168.20.61
IP NetMask....................................... 255.255.255.0
Gateway IP Addr.................................. 192.168.20.254
NAT External IP Address.......................... None
CAPWAP Path MTU.................................. 1485
Telnet State..................................... Disabled
Ssh State........................................ Disabled
Cisco AP Location................................ 3750-B Port1
Cisco AP Group Name.............................. default-group
Primary Cisco Switch Name........................ 4402-c
Primary Cisco Switch IP Address.................. 192.168.10.33
Secondary Cisco Switch Name...................... 4402-d
Secondary Cisco Switch IP Address................ 192.168.40.44
Tertiary Cisco Switch Name.......................
Tertiary Cisco Switch IP Address................. Not Configured
Administrative State ............................ ADMIN_ENABLED
Operation State ................................. REGISTERED
Since we have not created any AP groups on the secondary controller, by default both APs are put into the default group. So clients will get vlan41 IPs, as that is the interface mapped to the "wlan<16" WLAN on 4402-d.
(4402-d) >show client summary
Number of Clients................................ 1

MAC Address       AP Name           Status        WLAN/GLAN      Auth Protocol         Port Wired
----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
04:f7:e4:ea:5b:66 3502-a            Associated    6              Yes  802.11n(5 GHz)   29   No

(4402-d) >show client detail 04:f7:e4:ea:5b:66
Client MAC Address............................... 04:f7:e4:ea:5b:66
Client Username ................................. N/A
AP MAC Address................................... 2c:3f:38:2a:b1:20
AP Name.......................................... 3502-a
Client State..................................... Associated
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 6
BSSID............................................ 2c:3f:38:2a:b1:2a
Connected For ................................... 80 secs
Channel.......................................... 149
IP Address....................................... 192.168.41.101
Association Id................................... 1
Authentication Algorithm......................... Open System
Reason Code...................................... 1
Status Code...................................... 0
Now let's configure the same two AP groups that exist on 4402-c, and see whether, when fail-over occurs, the two APs go into the correct groups as they were on the primary controller.
(4402-d) >config wlan apgroup add APG1 "AP Group 1"
(4402-d) >config wlan apgroup add APG2 "AP Group 2"
(4402-d) >config wlan apgroup interface-mapping add APG1 6 vlan41
(4402-d) >config wlan apgroup interface-mapping add APG2 6 vlan42
This time you can see 3502-a goes into APG1 whereas 3502-d goes into APG2, as they were on the primary controller.
(4402-d) >show ap summary
Number of APs.................................... 2
Global AP User Name.............................. Not Configured
Global AP Dot1x User Name........................ Not Configured

AP Name            Slots AP Model             Ethernet MAC      Location         Port Country Priority
------------------ ----- -------------------- ----------------- ---------------- ---- ------- ------
3502-a             2     AIR-CAP3502I-N-K9    cc:ef:48:72:0b:bd 3750-B Port1     LAG  AU      1
3502-d             2     AIR-CAP3502I-N-K9    44:d3:ca:af:43:43 3750-A Port4     LAG  AU      3

(4402-d) >show ap config general 3502-d
Cisco AP Identifier.............................. 3
Cisco AP Name.................................... 3502-d
Country code..................................... AU - Australia
Regulatory Domain allowed by Country............. 802.11bg:-A 802.11a:-N
AP Country code.................................. AU - Australia
AP Regulatory Domain............................. 802.11bg:-A 802.11a:-N
Switch Port Number .............................. 29
MAC Address...................................... 44:d3:ca:af:43:43
IP Address Configuration......................... Static IP assigned
IP Address....................................... 10.10.20.4
IP NetMask....................................... 255.255.255.0
Gateway IP Addr.................................. 10.10.20.1
Domain...........................................
Name Server......................................
NAT External IP Address.......................... None
CAPWAP Path MTU.................................. 1485
Telnet State..................................... Disabled
Ssh State........................................ Disabled
Cisco AP Location................................ 3750-A Port4
Cisco AP Group Name.............................. APG2
Primary Cisco Switch Name........................ 4402-c
Primary Cisco Switch IP Address.................. 192.168.10.33
Secondary Cisco Switch Name...................... 4402-d
Secondary Cisco Switch IP Address................ 192.168.40.44
Tertiary Cisco Switch Name.......................
Tertiary Cisco Switch IP Address................. Not Configured
Administrative State ............................ ADMIN_ENABLED
Operation State ................................. REGISTERED

(4402-d) >show ap config general 3502-a
Cisco AP Identifier.............................. 2
Cisco AP Name.................................... 3502-a
Country code..................................... AU - Australia
Regulatory Domain allowed by Country............. 802.11bg:-A 802.11a:-N
AP Country code.................................. AU - Australia
AP Regulatory Domain............................. 802.11bg:-A 802.11a:-N
Switch Port Number .............................. 29
MAC Address...................................... cc:ef:48:72:0b:bd
IP Address Configuration......................... DHCP
IP Address....................................... 192.168.20.61
IP NetMask....................................... 255.255.255.0
Gateway IP Addr.................................. 192.168.20.254
NAT External IP Address.......................... None
CAPWAP Path MTU.................................. 1485
Telnet State..................................... Disabled
Ssh State........................................ Disabled
Cisco AP Location................................ 3750-B Port1
Cisco AP Group Name.............................. APG1
Primary Cisco Switch Name........................ 4402-c
Primary Cisco Switch IP Address.................. 192.168.10.33
Secondary Cisco Switch Name...................... 4402-d
You can verify that clients get vlan42 and vlan41 IPs depending on which AP they associate to (3502-d and 3502-a respectively).
(4402-d) >config ap disable 3502-a
(4402-d) >show client summary
Number of Clients................................ 1

MAC Address       AP Name           Status        WLAN/GLAN      Auth Protocol         Port Wired
----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
04:f7:e4:ea:5b:66 3502-d            Associated    6              Yes  802.11n(5 GHz)   29   No

(4402-d) >show client detail 04:f7:e4:ea:5b:66
Client MAC Address............................... 04:f7:e4:ea:5b:66
Client Username ................................. N/A
AP MAC Address................................... 64:ae:0c:91:94:20
AP Name.......................................... 3502-d
Client State..................................... Associated
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 6
BSSID............................................ 64:ae:0c:91:94:2f
Connected For ................................... 35 secs
Channel.......................................... 36
IP Address....................................... 192.168.42.101
Association Id................................... 1
Authentication Algorithm......................... Open System
Reason Code...................................... 1
Status Code...................................... 0
Therefore it is important to configure AP groups on all primary, secondary and tertiary controllers in the same manner if you want the same set of WLANs advertised, mapped to the required dynamic interfaces, after a fail-over. An AP whose group name does not exist on the backup controller silently falls into default-group, and its clients land on whatever interface that group maps to.
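The two checks the post performs by hand, reading the client IP against the AP's group and confirming that each AP's group survives a fail-over, can be scripted. The following is an added example, not code from the original post: it parses the dotted "Key........ Value" format of `show ap config general` and `show client detail` as shown above, and audits it against the per-controller AP-group and interface mappings. Those mappings (APGROUP_MAPS, INTERFACE_SUBNETS) and the sample outputs are constructed here from the post's own `config` commands and trimmed `show` output; the function names are this example's and nothing talks to a real WLC.

```python
"""Audit WLC AP-group consistency across controllers and check client VLAN placement.
Added example (not from the original post). Parses the dotted 'Key....... Value'
output format of `show ap config general` / `show client detail`."""
import ipaddress
import re

# One "Key.......... Value" line; the value may be empty (e.g. Tertiary Cisco Switch Name).
DOTTED = re.compile(r"^\s*(.+?)\s*\.{3,}\s*(.*?)\s*$")


def parse_dotted(text):
    """Turn 'Key.......... Value' lines into a dict of stripped keys and values."""
    out = {}
    for line in text.splitlines():
        m = DOTTED.match(line)
        if m:
            out[m.group(1)] = m.group(2)
    return out


# Constructed from the post's `config wlan interface` and
# `config wlan apgroup interface-mapping add` commands: controller -> group -> {WLAN id: interface}.
# 4402-d is shown as it was before APG1/APG2 were added there.
APGROUP_MAPS = {
    "4402-c": {"default-group": {6: "vlan11"}, "APG1": {6: "vlan11"}, "APG2": {6: "vlan12"}},
    "4402-d": {"default-group": {6: "vlan41"}},
}
# Constructed from the `config interface address dynamic-interface` commands.
INTERFACE_SUBNETS = {
    "4402-c": {"vlan11": "192.168.11.0/24", "vlan12": "192.168.12.0/24"},
    "4402-d": {"vlan41": "192.168.41.0/24", "vlan42": "192.168.42.0/24"},
}


def effective_group(controller, group, wlan_id):
    """Return (group the controller will actually use, interface for wlan_id).
    A group name the controller does not know falls back to default-group, which is
    what the post shows on 4402-d before APG1/APG2 existed there."""
    groups = APGROUP_MAPS[controller]
    used = group if group in groups else "default-group"
    return used, groups[used].get(wlan_id)


def audit_ap(ap_config_text, wlan_id):
    """Findings for one AP: its group missing, or the WLAN unmapped, on any configured controller."""
    ap = parse_dotted(ap_config_text)
    name, group = ap["Cisco AP Name"], ap["Cisco AP Group Name"]
    findings = []
    for role in ("Primary", "Secondary", "Tertiary"):
        ctrl = ap.get(f"{role} Cisco Switch Name", "")
        if ctrl not in APGROUP_MAPS:  # empty (not configured) or no data for it
            continue
        used, iface = effective_group(ctrl, group, wlan_id)
        if used != group:
            findings.append(f"{name}: {group} undefined on {role.lower()} {ctrl}, "
                            f"falls back to {used} -> {iface}")
        elif iface is None:
            findings.append(f"{name}: WLAN {wlan_id} not mapped in {group} on {ctrl}")
    return findings


def check_client(client_detail_text, controller, ap_to_group):
    """Return (interface the client's AP group maps to, whether the client IP is in its subnet).
    False is what a roamed client that kept its original address looks like."""
    c = parse_dotted(client_detail_text)
    group = ap_to_group[c["AP Name"]]
    _, iface = effective_group(controller, group, int(c["Wireless LAN Id"]))
    subnet = ipaddress.ip_network(INTERFACE_SUBNETS[controller][iface])
    return iface, ipaddress.ip_address(c["IP Address"]) in subnet


# Constructed sample, trimmed from the post's `show ap config general 3502-a` output.
AP_3502A = """\
Cisco AP Name.................................... 3502-a
MAC Address...................................... cc:ef:48:72:0b:bd
Cisco AP Group Name.............................. APG1
Primary Cisco Switch Name........................ 4402-c
Primary Cisco Switch IP Address.................. 192.168.10.33
Secondary Cisco Switch Name...................... 4402-d
Secondary Cisco Switch IP Address................ 192.168.40.44
Tertiary Cisco Switch Name.......................
Tertiary Cisco Switch IP Address................. Not Configured
"""
# Constructed sample: the roamed client from the post (vlan12 address, now on 3502-a).
CLIENT_ROAMED = """\
Client MAC Address............................... 04:f7:e4:ea:5b:66
AP Name.......................................... 3502-a
Wireless LAN Id.................................. 6
IP Address....................................... 192.168.12.101
"""

if __name__ == "__main__":
    for finding in audit_ap(AP_3502A, wlan_id=6):
        print("FINDING:", finding)
    print(check_client(CLIENT_ROAMED, "4402-c", {"3502-a": "APG1", "3502-d": "APG2"}))
```

Run as-is, the audit reports that APG1 is undefined on the secondary 4402-d and would fall back to default-group on vlan41, which is the mismatch the post demonstrates; `check_client` returns ("vlan11", False) for the roamed client, the expected result until it is deauthenticated and gets a vlan11 address. Adding APG1/APG2 entries for 4402-d to APGROUP_MAPS, as the post does on the controller, clears the finding.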
As an exercise, you can try a WLAN with an ID greater than 16 (called "wlan>16") and see how it behaves in a similar scenario.
