Cisco Catalyst 9800 Series Wireless Controller Software Configuration Guide, Cisco IOS XE Bengaluru 17.5.x

First Published: 2021-03-31 Last Modified: 2021-08-04
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
All printed copies and duplicate soft copies of this document are considered uncontrolled. See the current online version for the latest version.
Cisco has more than 200 offices worldwide. Addresses and phone numbers are listed on the Cisco website at www.cisco.com/go/offices.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: https://www.cisco.com/c/en/us/about/legal/trademarks.html. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R)
© 2021 Cisco Systems, Inc. All rights reserved.

CONTENTS

PREFACE Preface lxxxiii
    Document Conventions lxxxiii
    Related Documentation lxxxv
    Communications, Services, and Additional Information lxxxv
    Cisco Bug Search Tool lxxxv
    Documentation Feedback lxxxv

CHAPTER 1 Overview of Cisco 9800 Series Wireless Controllers 1
    Elements of the New Configuration Model 1
    Configuration Workflow 2
    Initial Setup 3
    Interactive Help 4

PART I System Configuration 7

CHAPTER 2 New Configuration Model 9
    Information About New Configuration Model 9
    Configuring a Wireless Profile Policy (GUI) 12
    Configuring a Wireless Profile Policy (CLI) 12
    Configuring a Flex Profile (GUI) 13
    Configuring a Flex Profile 14
    Configuring an AP Profile (GUI) 15
    Configuring an AP Profile (CLI) 19
    Configuring User for AP Management (CLI) 21
    Setting a Private Configuration Key for Password Encryption 21
    Configuring an RF Profile (GUI) 22

    Configuring an RF Profile (CLI) 22
    Configuring a Site Tag (GUI) 23
    Configuring a Site Tag (CLI) 24
    Configuring Policy Tag (GUI) 25
    Configuring a Policy Tag (CLI) 25
    Configuring Wireless RF Tag (GUI) 26
    Configuring Wireless RF Tag (CLI) 27
    Attaching a Policy Tag and Site Tag to an AP (GUI) 28
    Attaching Policy Tag and Site Tag to an AP (CLI) 28
    AP Filter 29
    Introduction to AP Filter 29
    Set Tag Priority (GUI) 30
    Set Tag Priority 30
    Create an AP Filter (GUI) 31
    Create an AP Filter (CLI) 31
    Set Up and Update Filter Priority (GUI) 32
    Set Up and Update Filter Priority 32
    Verify AP Filter Configuration 32
    Configuring Access Point for Location Configuration 33
    Information About Location Configuration 33
    Prerequisite for Location Configuration 34
    Configuring a Location for an Access Point (GUI) 34
    Configuring a Location for an Access Point (CLI) 34
    Adding an Access Point to the Location (GUI) 35
    Adding an Access Point to the Location (CLI) 36
    Configuring SNMP in Location Configuration 36
    SNMP MIB 36
    Verifying Location Configuration 37
    Verifying Location Statistics 37

CHAPTER 3 Wireless Management Interface 39
    Information About Wireless Management Interface 39
    Recommendations for Wireless Management Interface 39
    Configuring your Controller with Wireless Management Interface (CLI) 41

    Verifying Wireless Management Interface Settings 42
    Information About Network Address Translation (NAT) 43
    Information About CAPWAP Discovery 43
    Configuring Wireless Management Interface with a NAT Public IP (CLI) 44
    Configuring CAPWAP Discovery to Respond Only with Public or Private IP (CLI) 45
    Configuring the Controller to Respond only with a Public IP (CLI) 45
    Configuring the Controller to Respond only with a Private IP (CLI) 45
    Verifying NAT Settings 46

CHAPTER 4 BIOS Protection 47
    BIOS Protection on the Controller 47
    BIOS or ROMMON Upgrade with BIOS Protection 47
    Upgrading BIOS 48

CHAPTER 5 Management over Wireless 49
    Information About Management over Wireless 49
    Restrictions on Management over Wireless 49
    Enabling Management over Wireless on Controller (GUI) 50
    Enabling Management over Wireless on Controller (CLI) 50

CHAPTER 6 Smart Licensing Using Policy 51
    Introduction to Smart Licensing Using Policy 51
    Information About Smart Licensing Using Policy 52
    Overview 52
    Supported Products 52
    Architecture 53
    Product Instance 53
    CSLU 53
    CSSM 54
    Controller 54
    SSM On-Prem 55
    Concepts 56
    License Enforcement Types 56
    License Duration 57

    Authorization Code 57
    Policy 57
    RUM Report and Report Acknowledgement 59
    Trust Code 59
    Supported Topologies 60
    Connected to CSSM Through CSLU 60
    Connected Directly to CSSM 61
    CSLU Disconnected from CSSM 63
    Connected to CSSM Through a Controller 64
    No Connectivity to CSSM and No CSLU 66
    SSM On-Prem Deployment 66
    Interactions with Other Features 69
    High Availability 69
    Upgrades 71
    Downgrades 72
    How to Configure Smart Licensing Using Policy: Workflows by Topology 75
    Workflow for Topology: Connected to CSSM Through CSLU 75
    Workflow for Topology: Connected Directly to CSSM 77
    Workflow for Topology: CSLU Disconnected from CSSM 79
    Workflow for Topology: Connected to CSSM Through a Controller 81
    Workflow for Topology: No Connectivity to CSSM and No CSLU 82
    Workflow for Topology: SSM On-Prem Deployment 83
    Tasks for Product Instance-Initiated Communication 83
    Tasks for SSM On-Prem Instance-Initiated Communication 86
    Migrating to Smart Licensing Using Policy 88
    Example: Smart Licensing to Smart Licensing Using Policy 89
    Example: SLR to Smart Licensing Using Policy 96
    Example: Evaluation or Expired to Smart Licensing Using Policy 104
    Migrating to a Version of SSM On-Prem That Supports Smart Licensing Using Policy 107
    Task Library for Smart Licensing Using Policy 109
    Logging into Cisco (CSLU Interface) 109
    Configuring a Smart Account and a Virtual Account (CSLU Interface) 109
    Adding a Product-Initiated Product Instance in CSLU (CSLU Interface) 110
    Ensuring Network Reachability for Product Instance-Initiated Communication 110

    Adding a CSLU-Initiated Product Instance in CSLU (CSLU Interface) 112
    Collecting Usage Reports: CSLU Initiated (CSLU Interface) 112
    Export to CSSM (CSLU Interface) 113
    Import from CSSM (CSLU Interface) 114
    Ensuring Network Reachability for CSLU-Initiated Communication 114
    Assigning a Smart Account and Virtual Account (SSM On-Prem UI) 118
    Validating Devices (SSM On-Prem UI) 119
    Ensuring Network Reachability for Product Instance-Initiated Communication 119
    Retrieving the Transport URL (SSM On-Prem UI) 122
    Exporting and Importing Usage Data (SSM On-Prem UI) 122
    Adding One or More Product Instances (SSM On-Prem UI) 123
    Ensuring Network Reachability for SSM On-Prem-Initiated Communication 124
    Setting Up a Connection to CSSM 129
    Configuring Smart Transport Through an HTTPs Proxy 131
    Configuring the Call Home Service for Direct Cloud Access 132
    Configuring the Call Home Service for Direct Cloud Access through an HTTPs Proxy Server 135
    Removing and Returning an Authorization Code 136
    Removing the Product Instance from CSSM 138
    Generating a New Token for a Trust Code from CSSM 139
    Installing a Trust Code 139
    Downloading a Policy File from CSSM 141
    Uploading Data or Requests to CSSM and Downloading a File 141
    Installing a File on the Product Instance 142
    Setting the Transport Type, URL, and Reporting Interval 143
    Configuring an AIR License 146
    Sample Resource Utilization Measurement Report 148
    Troubleshooting Smart Licensing Using Policy 148
    System Message Overview 149
    System Messages 150
    Additional References for Smart Licensing Using Policy 159
    Feature History for Smart Licensing Using Policy 160

CHAPTER 7 Boot Integrity Visibility 163
    Overview of Boot Integrity Visibility 163

    Verifying Software Image and Hardware 163
    Verifying Platform Identity and Software Integrity 164

CHAPTER 8 Best Practices 167
    Introduction 167

PART II System Upgrade 169

CHAPTER 9 Upgrading the Cisco Catalyst 9800 Wireless Controller Software 171
    Overview of Upgrading the Controller Software 171
    Upgrading the Controller Software (GUI) 172
    Upgrade the Controller Software (CLI) 173
    Converting From Bundle-Mode to Install-Mode 174
    Copying a WebAuth Tar Bundle to the Standby Controller 177

CHAPTER 10 In-Service Software Upgrade 179
    Information About In-Service Software Upgrade 179
    Prerequisites for Performing In-Service Software Upgrade 180
    Guidelines and Restrictions for In-Service Software Upgrade 180
    Upgrading Software Using In-Service Software Upgrade 181
    Upgrading Software Using ISSU (GUI) 182
    Upgrading Software Using In-Service Software Upgrade with Delayed Commit 183
    Monitoring In-Service Software Upgrade 184
    Troubleshooting ISSU 186

CHAPTER 11 Software Maintenance Upgrade 189
    Introduction to Software Maintenance Upgrade 189
    Installing a SMU (GUI) 191
    Installing SMU 192
    Roll Back an Image (GUI) 193
    Rollback SMU 193
    Deactivate SMU 193
    Configuration Examples for SMU 194
    Information About AP Device Package 194

    Installing AP Device Package (GUI) 195
    Installing AP Device Package (CLI) 196
    Verifying APDP on the Controller 196
    Information About Per Site or Per AP Model Service Pack (APSP) 197
    Rolling AP Upgrade 198
    Rolling AP Upgrade Process 198
    Installing AP Service Package (GUI) 199
    Installing AP Service Package (CLI) 200
    Adding a Site to a Filter 201
    Deactivating an Image 201
    Roll Back APSP 202
    Canceling the Upgrade 202
    Verifying the Upgrade 202
    Verifying of AP Upgrade on the Controller 205

CHAPTER 12 Efficient Image Upgrade 207
    Efficient Image Upgrade 207
    Enable Pre-Download (GUI) 207
    Enable Pre-Download (CLI) 208
    Configuring a Site Tag (CLI) 208
    Attaching Policy Tag and Site Tag to an AP (CLI) 209
    Trigger Predownload to a Site Tag 210

CHAPTER 13 Predownloading an Image to an Access Point 213
    Information About Predownloading an Image to an Access Point 213
    Restrictions for Predownloading an Image to an Access Point 213
    Predownloading an Image to Access Points (CLI) 214
    Predownloading an Image to Access Points (GUI) 216
    Predownloading an Image to Access Points (YANG) 216
    Monitoring the Access Point Predownload Process 217
    Information About AP Image Download Time Enhancement (OEAP or Teleworker Only) 218
    Configuring AP Image Download Time Enhancement (GUI) 219
    Configuring AP Image Download Time Enhancement (CLI) 219
    Verifying AP Image Download Time Enhancement Configuration 220

CHAPTER 14 N+1 Hitless Rolling AP Upgrade 221
    N+1 Hitless Rolling AP Upgrade 221
    Configuring Hitless Upgrade 222
    Verifying Hitless Upgrade 223

CHAPTER 15 NBAR Dynamic Protocol Pack Upgrade 225
    NBAR Dynamic Protocol Pack Upgrade 225
    Upgrading the NBAR2 Protocol Pack 226

CHAPTER 16 Wireless Sub-Package for Switch 227
    Introduction to Wireless Sub-package 227
    Booting in Install Mode 228
    Installing Sub-Package in a Single Step (GUI) 229
    Installing Sub-Package in a Single Step 229
    Multi-step Installation of Sub-Package 230
    Installing on a Stack 230
    Upgrading to a Newer Version of Wireless Package 231
    Deactivating the Wireless Package 231
    Enabling or Disabling Auto-Upgrade 231

PART III Lightweight Access Points 233

CHAPTER 17 Country Codes 235
    Information About Country Codes 235
    Prerequisites for Configuring Country Codes 235
    Configuring Country Codes (GUI) 236
    Configuring Country Codes (CLI) 236
    Configuration Examples for Configuring Country Codes 238
    Viewing Channel List for Country Codes 238

CHAPTER 18 Sniffer Mode 241
    Information about Sniffer 241
    Prerequisites for Sniffer 241

    Restrictions on Sniffer 242
    How to Configure Sniffer 242
    Configuring an Access Point as Sniffer (GUI) 242
    Configuring an Access Point as Sniffer (CLI) 243
    Enabling or Disabling Sniffing on the Access Point (GUI) 243
    Enabling or Disabling Sniffing on the Access Point (CLI) 244
    Verifying Sniffer Configurations 244
    Examples for Sniffer Configurations and Monitoring 244

CHAPTER 19 Monitor Mode 247
    Introduction to Monitor Mode 247
    Enable Monitor Mode (GUI) 247
    Enable Monitor Mode (CLI) 248

CHAPTER 20 AP Priority 249
    Failover Priority for Access Points 249
    Setting AP Priority (GUI) 249
    Setting AP Priority 250

CHAPTER 21 FlexConnect 251
    Information About FlexConnect 251
    FlexConnect Authentication 253
    Guidelines and Restrictions for FlexConnect 255
    Configuring a Site Tag 259
    Configuring a Policy Tag (CLI) 260
    Attaching a Policy Tag and a Site Tag to an Access Point (GUI) 261
    Attaching Policy Tag and Site Tag to an AP (CLI) 261
    Linking an ACL Policy to the Defined ACL (GUI) 262
    Applying ACLs on FlexConnect 263
    Configuring FlexConnect 264
    Configuring a Switch at a Remote Site 264
    Configuring the Controller for FlexConnect 265
    Configuring Local Switching in FlexConnect Mode (GUI) 265
    Configuring Local Switching in FlexConnect Mode (CLI) 266

    Configuring Central Switching in FlexConnect Mode (GUI) 266
    Configuring Central Switching in FlexConnect Mode 267
    Configuring an Access Point for FlexConnect 267
    Configuring an Access Point for Local Authentication on a WLAN (GUI) 267
    Configuring an Access Point for Local Authentication on a WLAN (CLI) 268
    Connecting Client Devices to WLANs 268
    Configuring FlexConnect Ethernet Fallback 269
    Information About FlexConnect Ethernet Fallback 269
    Configuring FlexConnect Ethernet Fallback 269
    Flex AP Local Authentication (GUI) 270
    Flex AP Local Authentication (CLI) 271
    Flex AP Local Authentication with External Radius Server 273
    Configuration Example: FlexConnect with Central and Local Authentication 276
    NAT-PAT for FlexConnect 276
    Configuring NAT-PAT for a WLAN or a Remote LAN 276
    Creating a WLAN 276
    Configuring a Wireless Profile Policy and NAT-PAT (GUI) 277
    Configuring a Wireless Profile Policy and NAT-PAT 277
    Mapping a WLAN to a Policy Profile 278
    Configuring a Site Tag 279
    Attaching a Policy Tag and a Site Tag to an Access Point (GUI) 279
    Attaching a Policy Tag and a Site Tag to an Access Point 280
    Split Tunneling for FlexConnect 280
    Configuring Split Tunneling for a WLAN or Remote LAN 281
    Defining an Access Control List for Split Tunneling (GUI) 281
    Defining an Access Control List for Split Tunneling 281
    Linking an ACL Policy to the Defined ACL 282
    Creating a WLAN 283
    Configuring a Wireless Profile Policy and a Split MAC ACL Name (GUI) 283
    Configuring a Wireless Profile Policy and a Split MAC ACL Name 284
    Mapping a WLAN to a Policy Profile (GUI) 285
    Mapping WLAN to a Policy Profile 285
    Configuring a Site Tag 286
    Attaching a Policy Tag and Site Tag to an Access Point 286

    VLAN-based Central Switching for FlexConnect 287
    Configuring VLAN-based Central Switching (GUI) 287
    Configuring VLAN-based Central Switching (CLI) 288
    OfficeExtend Access Points for FlexConnect 289
    Configuring OfficeExtend Access Points 290
    Disabling OfficeExtend Access Point 290
    Support for OEAP Personal SSID 291
    Information About OEAP Personal SSID Support 291
    Configuring OEAP Personal SSID (GUI) 291
    Configuring OEAP Personal SSID (CLI) 292
    Viewing OEAP Personal SSID Configuration 292
    Clearing Personal SSID from an OfficeExtend Access Point 293
    Example: Viewing OfficeExtend Configuration 293
    Proxy ARP 294
    Enabling Proxy ARP for FlexConnect APs (GUI) 294
    Enabling Proxy ARP for FlexConnect APs 294
    Overlapping Client IP Address in Flex Deployment 295
    Overview of Overlapping Client IP Address in Flex Deployment 295
    Enabling Overlapping Client IP Address in Flex Deployment (GUI) 295
    Enabling Overlapping Client IP Address in Flex Deployment 296
    Verifying Overlapping Client IP Address in Flex Deployment (GUI) 296
    Verifying Overlapping Client IP Address in Flex Deployment 297
    Lawful Interception 298
    Lawful Interception of Traffic 298
    Configuring Lawful Interception 298
    Verifying the Status of Lawful Interception 299
    Flex Resilient with Flex and Bridge Mode Access Points 300
    Information About Flex Resilient with Flex and Bridge Mode Access Points 300
    Configuring a Flex Profile (GUI) 300
    Configuring a Flex Profile (CLI) 301
    Configuring a Site Tag (CLI) 302
    Configuring a Mesh Profile (CLI) 302
    Associating Wireless Mesh to an AP Profile (CLI) 303
    Attaching Site Tag to an Access Point (CLI) 304

    Configuring Switch Interface for APs (CLI) 304
    Verifying Flex Resilient with Flex and Bridge Mode Access Points Configuration 305

CHAPTER 22 OEAP Link Test 307
    Feature History for OEAP Link Test 307
    Information About OEAP Link Test 307
    Configuring OEAP Link Test (CLI) 308
    Performing OEAP Link Test (GUI) 308
    Verifying OEAP Link Test 308

CHAPTER 23 Data DTLS 311
    Information About Data Datagram Transport Layer Security 311
    Configuring Data DTLS (GUI) 312
    Configuring Data DTLS (CLI) 312

CHAPTER 24 AP Crash File Upload 315
    AP Crash File Upload 315
    Configuring AP Crash File Upload (CLI) 316

CHAPTER 25 Access Point Plug-n-Play 317
    Overview of Access Point Plug-n-Play 317
    Provisioning AP from PnP Server 317
    Verifying AP Tag Configuration 318

CHAPTER 26 802.11 Parameters for Cisco Access Points 319
    2.4-GHz Radio Support 319
    Configuring 2.4-GHz Radio Support for the Specified Slot Number 319
    5-GHz Radio Support 321
    Configuring 5-GHz Radio Support for the Specified Slot Number 321
    Information About Dual-Band Radio Support 323
    Configuring Default XOR Radio Support 324
    Configuring XOR Radio Support for the Specified Slot Number (GUI) 326
    Configuring XOR Radio Support for the Specified Slot Number 326

    Receiver Only Dual-Band Radio Support 328
    Information About Receiver Only Dual-Band Radio Support 328
    Configuring Receiver Only Dual-Band Parameters for Access Points 328
    Enabling CleanAir with Receiver Only Dual-Band Radio on a Cisco Access Point (GUI) 328
    Enabling CleanAir with Receiver Only Dual-Band Radio on a Cisco Access Point 329
    Disabling Receiver Only Dual-Band Radio on a Cisco Access Point (GUI) 329
    Disabling Receiver Only Dual-Band Radio on a Cisco Access Point 329
    Configuring Client Steering (CLI) 330
    Verifying Cisco Access Points with Dual-Band Radios 331

CHAPTER 27 802.1x Support 333
    Introduction to the 802.1X Authentication 333
    EAP-FAST Protocol 333
    EAP-TLS/EAP-PEAP Protocol 334
    Limitations of the 802.1X Authentication 334
    Topology - Overview 335
    Configuring 802.1X Authentication Type and LSC AP Authentication Type (GUI) 335
    Configuring 802.1X Authentication Type and LSC AP Authentication Type 336
    Configuring the 802.1X Username and Password (GUI) 337
    Configuring the 802.1X Username and Password (CLI) 337
    Enabling 802.1X on the Switch Port 338
    Verifying 802.1X on the Switch Port 340
    Verifying the Authentication Type 340

CHAPTER 28 CAPWAP Link Aggregation Support 341
    Information About CAPWAP LAG Support 341
    Restrictions for CAPWAP LAG Support 342
    Enabling CAPWAP LAG Support on Controller (GUI) 342
    Enabling CAPWAP LAG Support on Controller 342
    Enabling CAPWAP LAG Globally on Controller 343
    Disabling CAPWAP LAG Globally on Controller 343
    Enabling CAPWAP LAG for an AP Profile (GUI) 343
    Enabling CAPWAP LAG for an AP Profile 344
    Disabling CAPWAP LAG for an AP Profile 344

    Disabling CAPWAP LAG Support on Controller 345
    Verifying CAPWAP LAG Support Configurations 345

CHAPTER 29 DHCP and NAT Functionality on Root Access Point 347
    Information About DHCP and NAT Functionality on Root AP (RAP) 347
    Configuring DHCP Server on Root Access Point (RAP) 348
    Verifying DHCP Server for Root AP Configuration 348

CHAPTER 30 OFDMA Support for 11ax Access Points 349
    Information About OFDMA Support for 11ax Access Points 349
    Supported Modes on 11ax Access Points 349
    Configuring 11AX (GUI) 350
    Configuring Channel Width 350
    Configuring 802.11ax Radio Parameters (GUI) 351
    Configuring 802.11ax Radio Parameters (CLI) 351
    Setting up the 802.11ax Radio Parameters 352
    Configuring OFDMA on a WLAN 353
    Verifying Channel Width 354
    Verifying Client Details 355
    Verifying Radio Configuration 356

CHAPTER 31 AP Audit Configuration 359
    Information About AP Audit Configuration 359
    Restrictions for AP Audit Configuration 359
    Configure AP Audit Parameters (CLI) 360
    Verifying AP Audit Report Summary 360
    Verifying AP Audit Report Detail 360

CHAPTER 32 AP Support Bundle 363
    Access Point Support Bundle 363
    Exporting an AP Support Bundle (GUI) 363
    Exporting an AP Support Bundle (CLI) 364
    Monitoring the Status of Support Bundle Export 364

CHAPTER 33 Cisco Flexible Antenna Port 365
    Information About Cisco Flexible Antenna Port 365
    Configuring a Cisco Flexible Antenna Port (GUI) 365
    Configuring a Cisco Flexible Antenna Port (CLI) 366
    Verifying Flexible Antenna Port Configuration 366

CHAPTER 34 LED States for Access Points 367
    Information About LED States for Access Points 367
    Configuring LED State in Access Points (GUI) 367
    Configuring LED State for Access Points in the Global Configuration Mode (CLI) 368
    Configuring LED State in the AP Profile 368
    Verifying LED State for Access Points 369

CHAPTER 35 Access Points Memory Information 371
    Information About Access Point Memory Information 371
    Verifying Access Point Memory Information 371

CHAPTER 36 Real-Time Access Points Statistics 373
    Information About Access Point Real-Time Statistics 373
    Configuring Access Point Real-Time Statistics (GUI) 373
    Configuring Access Point Real-Time Statistics (CLI) 374
    Monitoring Access Point Real-Time Statistics (GUI) 375
    Verifying Access Point Real-Time Statistics 376

PART IV Radio Resource Management 379

CHAPTER 37 Radio Resource Management 381
    Information About Radio Resource Management 381
    Radio Resource Monitoring 382
    Information About RF Groups 382
    RF Group Leader 383
    RF Group Name 385
    Secure RF Groups 386

    Transmit Power Control 386
    Overriding the TPC Algorithm with Minimum and Maximum Transmit Power Settings 386
    Dynamic Channel Assignment 387
    Dynamic Bandwidth Selection 389
    Coverage Hole Detection and Correction 389
    Restrictions for Radio Resource Management 389
    How to Configure RRM 390
    Configuring Neighbor Discovery Type (GUI) 390
    Configuring Neighbor Discovery Type (CLI) 391
    Configuring RF Groups 391
    Configuring RF Group Selection Mode (GUI) 392
    Configuring RF Group Selection Mode (CLI) 392
    Configuring an RF Group Name (CLI) 393
    Configuring Members in an 802.11 Static RF Group (GUI) 393
    Configuring Members in an 802.11 Static RF Group (CLI) 394
    Configuring Transmit Power Control 394
    Configuring Transmit Power (GUI) 394
    Configuring the Tx-Power Control Threshold (CLI) 395
    Configuring the Tx-Power Level (CLI) 395
    Configuring 802.11 RRM Parameters 396
    Configuring Advanced 802.11 Channel Assignment Parameters (GUI) 396
    Configuring Advanced 802.11 Channel Assignment Parameters (CLI) 397
    Configuring 802.11 Coverage Hole Detection (GUI) 400
    Configuring 802.11 Coverage Hole Detection (CLI) 400
    Configuring 802.11 Event Logging (CLI) 401
    Configuring 802.11 Statistics Monitoring (GUI) 402
    Configuring 802.11 Statistics Monitoring (CLI) 403
    Configuring the 802.11 Performance Profile (GUI) 404
    Configuring the 802.11 Performance Profile (CLI) 404
    Configuring Advanced 802.11 RRM 405
    Enabling Channel Assignment (GUI) 405
    Enabling Channel Assignment (CLI) 406
    Restarting DCA Operation 406
    Updating Power Assignment Parameters (GUI) 406

    Updating Power Assignment Parameters (CLI) 407
    Configuring Rogue Access Point Detection in RF Groups 407
    Configuring Rogue Access Point Detection in RF Groups (CLI) 407
    Monitoring RRM Parameters and RF Group Status 408
    Monitoring RRM Parameters 408
    Verifying RF Group Status (CLI) 409
    Examples: RF Group Configuration 410
    Information About ED-RRM 410
    Configuring ED-RRM on the Cisco Wireless LAN Controller (CLI) 410

CHAPTER 38 Coverage Hole Detection 413
    Coverage Hole Detection and Correction 413
    Configuring Coverage Hole Detection (GUI) 413
    Configuring Coverage Hole Detection (CLI) 414
    Configuring CHD for RF Tag Profile (GUI) 415
    Configuring CHD for RF Profile (CLI) 416

CHAPTER 39 Optimized Roaming 419
    Optimized Roaming 419
    Restrictions for Optimized Roaming 419
    Configuring Optimized Roaming (GUI) 420
    Configuring Optimized Roaming (CLI) 420

CHAPTER 40 Cisco Flexible Radio Assignment 421
    Information About Flexible Radio Assignment 421
    Benefits of the FRA 422
    Configuring an FRA Radio (CLI) 422
    Configuring an FRA Radio (GUI) 424

CHAPTER 41 XOR Radio Support 427
    Information About Dual-Band Radio Support 427
    Configuring Default XOR Radio Support 428
    Configuring XOR Radio Support for the Specified Slot Number (GUI) 430
    Configuring XOR Radio Support for the Specified Slot Number 430

CHAPTER 42 Cisco Receiver Start of Packet 433
    Information About Receiver Start of Packet Detection Threshold 433
    Restrictions for Rx SOP 433
    Configuring Rx SOP (CLI) 434
    Customizing RF Profile (CLI) 434

CHAPTER 43 Client Limit 437
    Information About Client Limit 437
    Configuring Client Limit Per WLAN (GUI) 437
    Configuring Client Limit Per WLAN (CLI) 437

CHAPTER 44 IP Theft 439
    Introduction to IP Theft 439
    Configuring IP Theft (GUI) 440
    Configuring IP Theft 440
    Configuring the IP Theft Exclusion Timer 440
    Adding Static Entries for Wired Hosts 441
    Verifying IP Theft Configuration 442

CHAPTER 45 Unscheduled Automatic Power Save Delivery 445
    Information About Unscheduled Automatic Power Save Delivery 445
    Viewing Unscheduled Automatic Power Save Delivery (CLI) 445

CHAPTER 46 Target Wake Time 447
    Target Wake Time 447
    Extended Power-Savings Using Target Wake Time 447
    Configuring Target Wake Time at the Radio Level (CLI) 448
    Configuring Target Wake Time on WLAN 449
    Enabling Target Wake Time on WLAN (CLI) 449
    Disabling Target Wakeup Time on WLAN (CLI) 450
    Configuring Target Wake Time (GUI) 451
    Verifying Target Wakeup Time 451

CHAPTER 47 Enabling USB Port on Access Points 453
    USB Port as Power Source for Access Points 453
    Configuring an AP Profile (CLI) 454
    Configuring USB Settings for an Access Point (CLI) 455
    Configuring USB Settings for an Access Point (GUI) 455
    Monitoring USB Configurations for Access Points (CLI) 456

CHAPTER 48 Dynamic Frequency Selection 457
    Feature History for Channel Availability Check (CAC) 457
    Information About Dynamic Frequency Selection 457
    Information About Channel Availability Check (CAC) 458
    Verifying DFS 458

CHAPTER 49 Cisco Access Points with Tri-Radio 459
    Cisco Access Points with Tri-Radio 459
    Guidelines and Restrictions for Tri-Radio Access Points 461
    Configuring Tri-Radio 461
    Configuring Tri-Radio for AP (GUI) 461
    Configuring the Tri-Radio (CLI) 461
    Configuring 5-GHz Dual Radio Mode for AP (GUI) 462
    Configuring the Dual Radio Mode and Enabling Slots (CLI) 462
    Setting Radio Roles for Slots 463
    Configuring the Tri-Radio Dual Radio Role (CLI) 464
    Verifying Tri-Radio Configuration on the Controller 464

CHAPTER 50 Cisco DNA Center Assurance Wi-Fi 6 Dashboard 465
    Cisco DNA Center Assurance Wi-Fi 6 Dashboard 465
    Configuring Cisco DNA Center Assurance Wi-Fi 6 Dashboard Parameters (CLI) 466
    Verifying AP DFS Counters (CLI) 467
    Verifying Wi-Fi 6 Access Point Parameters 468

CHAPTER 51 Antenna Disconnection Detection 469

    Feature History for Antenna Disconnection Detection 469
    Information About Antenna Disconnection Detection 469
    Recommendations and Limitations 470
    Configuring Antenna Disconnection Detection (CLI) 470
    Configuring Antenna Disconnection Detection (GUI) 471
    Detecting Broken Antenna Using SNMP Trap (CLI) 472
    Detecting Broken Antenna Using SNMP Trap (GUI) 472
    Verifying Antenna Disconnection Detection 473
    Verifying Antenna Disconnection Detection (GUI) 474

CHAPTER 52 Neighbor Discovery Protocol Mode on Access Points 475
    Information About Neighbor Discovery Protocol Mode 475
    Configuring RRM Neighbor Discovery Mode (GUI) 476
    Configuring the Neighbor Discovery Protocol Mode (CLI) 476
    Configuring Neighbor Discovery Protocol Mode in the RF Profile (GUI) 477
    Configuring Neighbor Discovery Protocol Mode in the RF Profile (CLI) 477
    Monitoring Radio Statistics-NDP Capability and NDP Mode (GUI) 478
    Verifying Neighbor Discovery Protocol Mode 479

PART V Network Management 481

CHAPTER 53 AP Packet Capture 483
    Introduction to AP Client Packet Capture 483
    Enabling Packet Capture (GUI) 483
    Enabling Packet Capture (CLI) 484
    Create AP Packet Capture Profile and Map to an AP Join Profile (GUI) 484
    Create AP Packet Capture Profile and Map to an AP Join Profile 484
    Start or Stop Packet Capture 485

CHAPTER 54 DHCP Option82 487
    Information About DHCP Option 82 487
    Configuring DHCP Option 82 Global Interface 489
    Configuring DHCP Option 82 Globally Through Server Override (CLI) 489
    Configuring DHCP Option 82 Through Server Override (CLI) 489

    Configuring DHCP Option 82 Globally Through Different SVIs (GUI) 490
    Configuring DHCP Option 82 Globally Through Different SVIs (CLI) 490
    Configuring DHCP Option 82 Format 491
    Configuring DHCP Option82 Through a VLAN Interface 492
    Configuring DHCP Option 82 Through Option-Insert Command (CLI) 492
    Configuring DHCP Option 82 Through the server-ID-override Command (CLI) 493
    Configuring DHCP Option 82 Through a Subscriber-ID (CLI) 494
    Configuring DHCP Option 82 Through server-ID-override and subscriber-ID Commands (CLI) 495
    Configuring DHCP Option 82 Through Different SVIs (CLI) 496
CHAPTER 55 RADIUS Realm 499
    Information About RADIUS Realm 499
    Enabling RADIUS Realm 500
    Configuring Realm to Match the RADIUS Server for Authentication and Accounting 500
    Configuring the AAA Policy for a WLAN 501
    Verifying the RADIUS-Realm Configuration 503
CHAPTER 56 RADIUS Accounting 505
    Information About RADIUS Accounting of AP Events 505
    Configuring Accounting Method-List for an AP Profile 505
    Verifying the AP Accounting Information 506
CHAPTER 57 RADIUS Call Station Identifier 507
    RADIUS Call Station Identifier 507
    Configuring a RADIUS Call Station Identifier 508
CHAPTER 58 RADIUS VSA 509
    Information About RADIUS VSA 509
    Create an Attribute List 510
    Create a AAA Policy and Map it to Attribute List 511
    Map a AAA Policy to the WLAN Policy Profile 512
    Map the WLAN Policy Profile to a WLAN 513

CHAPTER 59 Cisco StadiumVision 515
    Cisco StadiumVision Overview 515
    Configure Parameters for Cisco StadiumVision (GUI) 516
    Configure Parameters for Cisco StadiumVision (CLI) 516
    Verify StadiumVision Configurations 517
CHAPTER 60 Persistent SSID Broadcast 519
    Persistent SSID Broadcast 519
    Configuring Persistent SSID Broadcast 519
    Verifying Persistent SSID Broadcast 520
CHAPTER 61 Network Monitoring 521
    Network Monitoring 521
    Status Information Received Synchronously - Configuration Examples 521
    Alarm and Event Information Received Asynchronously - Configuration Examples 523
CHAPTER 62 Creating a Lobby Ambassador Account 525
    Information About Lobby Ambassador Account 525
    Creating a Lobby Ambassador User Account (GUI) 525
    Creating a User Account 526
    Logging In Using the Lobby Account 527
    Creating a Lobby Ambassador Account (CLI) 527
CHAPTER 63 Lobby Ambassador Account 529
    Information About Lobby Ambassador Account 529
    Creating a Lobby Ambassador User Account (GUI) 530
    Creating a User Account 530
    Logging In Using the Lobby Account 531
    Creating a Lobby Ambassador Account (CLI) 531
    Configuring WLAN (GUI) 532
    Client Allowed List 533
    Restrictions for Client Allowed List 533

    Creating a Client Allowed List (GUI) 533
    Adding Single MAC Address to Allowed List 533
    Adding Bulk MAC Address to Allowed List 534
    Managing Guest Users 534
    Viewing a Client Allowed List 535
CHAPTER 64 Guest User Accounts 537
    Information About Creating Guest User Accounts 537
    Creating a Guest User Account (GUI) 537
    Creating a Guest User Account (CLI) 538
    Verifying Guest User Account 539
    Assigning Username to Guest Users in a WLAN (CLI) 540
PART VI System Management 541
CHAPTER 65 Network Mobility Services Protocol 543
    Information About Network Mobility Services Protocol 543
    Radioactive Tracing for NMSP 544
    Enabling NMSP on Premises Services 544
    Modifying the NMSP Notification Interval for Clients, RFID Tags, and Rogues 545
    Modifying the NMSP Notification Threshold for Clients, RFID Tags, and Rogues 545
    Configuring NMSP Strong Cipher 546
    Verifying NMSP Settings 546
    Examples: NMSP Settings Configuration 549
    NMSP by AP Groups with Subscription List from CMX 549
    Verifying NMSP by AP Groups with Subscription List from CMX 549
    Probe RSSI Location 551
    Configuring Probe RSSI 551
    RFID Tag Support 553
    Configuring RFID Tag Support 553
    Verifying RFID Tag Support 554
CHAPTER 66 Application Visibility and Control 557
    Information About Application Visibility and Control 557

    Prerequisites for Application Visibility and Control 559
    Restrictions for Application Visibility and Control 559
    AVC Configuration Overview 559
    Create a Flow Monitor 560
    Configuring a Flow Monitor (GUI) 562
    Create a Flow Record 562
    Create a Flow Exporter 564
    Configuring a Policy Tag 565
    Attaching a Policy Profile to a WLAN Interface (GUI) 566
    Attaching a Policy Profile to a WLAN Interface (CLI) 566
    Attaching a Policy Profile to an AP 567
    Verify the AVC Configuration 568
    Default DSCP on AVC 569
    Configuring Default DSCP for AVC Profile (GUI) 569
    Configuring Default DSCP for AVC Profile 569
    Creating Class Map 569
    Creating Policy Map 570
    AVC-Based Selective Reanchoring 571
    Restrictions for AVC-Based Selective Reanchoring 572
    Configuring the Flow Exporter 572
    Configuring the Flow Monitor 572
    Configuring the AVC Reanchoring Profile 573
    Configuring the Wireless WLAN Profile Policy 574
    Verifying AVC Reanchoring 575
CHAPTER 67 Cisco Hyperlocation 579
    Information About Cisco Hyperlocation 579
    Restrictions on Cisco Hyperlocation 581
    Support for IPv6 in Cisco Hyperlocation or BLE Configuration 582
    Configuring Cisco Hyperlocation (GUI) 582
    Configuring Cisco Hyperlocation (CLI) 583
    Configuring Hyperlocation BLE Beacon Parameters for AP (GUI) 584
    Configuring Hyperlocation BLE Beacon Parameters for AP (CLI) 584
    Configuring Hyperlocation BLE Beacon Parameters (CLI) 585

    Verifying Cisco Hyperlocation 586
    Verifying Hyperlocation BLE Beacon Configuration 589
    Verifying Hyperlocation BLE Beacon Configuration for AP 589
CHAPTER 68 FastLocate for Cisco Catalyst Series Access Points 591
    Information About FastLocate 591
    Supported Access Points 591
    FastLocate Network Components 592
    Configuring FastLocate (GUI) 593
    Verifying FastLocate on Cisco Catalyst APs 593
CHAPTER 69 IoT Services Management 595
    Information About IoT Services Management 595
    Enabling the Dot15 Radio 596
    Configuring the gRPC Token 596
    Enabling gRPC in an AP Profile 597
    Verifying BLE State and Mode 597
    Verifying BLE Details 598
    Verifying gRPC Summary, Status, and Statistics 599
CHAPTER 70 IoT Module Management in the Controller 601
    Information About IoT Module Management in the Controller 601
    Enabling a USB on the Controller 601
    Verifying the USB Modules 602
CHAPTER 71 Cisco Spaces 605
    Configuring Cisco Spaces 605
    Verifying Cisco Spaces Configuration 606
CHAPTER 72 EDCA Parameters 609
    Enhanced Distributed Channel Access Parameters 609
    Configuring EDCA Parameters (GUI) 609
    Configuring EDCA Parameters (CLI) 610

CHAPTER 73 Adaptive Client Load-Based EDCA 613
    Feature History for Adaptive Client Load-Based EDCA 613
    Information About Adaptive Client Load-Based EDCA 613
    Restrictions for Adaptive Client Load-Based EDCA 614
    Configuration Workflow 614
    Configuring Adaptive Client Load-Based EDCA (GUI) 614
    Configuring Adaptive Client Load-Based EDCA (CLI) 615
    Verifying Adaptive Client Load-Based EDCA Configuration 615
CHAPTER 74 802.11 Parameters and Band Selection 617
    Information About Configuring Band Selection, 802.11 Bands, and Parameters 617
    Band Select 617
    802.11 Bands 618
    802.11n Parameters 618
    802.11h Parameters 618
    Restrictions for Band Selection, 802.11 Bands, and Parameters 619
    How to Configure 802.11 Bands and Parameters 619
    Configuring Band Selection (GUI) 619
    Configuring Band Selection (CLI) 620
    Configuring the 802.11 Bands (GUI) 621
    Configuring the 802.11 Bands (CLI) 622
    Configuring a Band-Select RF Profile (GUI) 624
    Configuring a Band-Select RF Profile (CLI) 624
    Configuring 802.11n Parameters (GUI) 625
    Configuring 802.11n Parameters (CLI) 626
    Configuring 802.11h Parameters (CLI) 628
    Monitoring Configuration Settings for Band Selection, 802.11 Bands, and Parameters 629
    Verifying Configuration Settings Using Band Selection and 802.11 Bands Commands 629
    Example: Viewing the Configuration Settings for the 5-GHz Band 629
    Example: Viewing the Configuration Settings for the 2.4-GHz Band 631
    Example: Viewing the Status of 802.11h Parameters 632
    Example: Verifying the Band-Selection Settings 633
    Configuration Examples for Band Selection, 802.11 Bands, and Parameters 634

    Examples: Band Selection Configuration 634
    Examples: 802.11 Bands Configuration 635
    Examples: 802.11n Configuration 635
    Examples: 802.11h Configuration 636
CHAPTER 75 NBAR Protocol Discovery 637
    Introduction to NBAR Protocol Discovery 637
    Configuring NBAR Protocol Discovery 637
    Verifying Protocol Discovery Statistics 638
CHAPTER 76 Conditional Debug, Radioactive Tracing, and Packet Tracing 639
    Introduction to Conditional Debugging 639
    Introduction to Radioactive Tracing 640
    Conditional Debugging and Radioactive Tracing 640
    Location of Tracefiles 641
    Configuring Conditional Debugging (GUI) 641
    Configuring Conditional Debugging 642
    Radioactive Tracing for L2 Multicast 643
    Recommended Workflow for Trace Files 643
    Copying Tracefiles Off the Box 644
    Configuration Examples for Conditional Debugging 644
    Verifying Conditional Debugging 645
    Example: Verifying Radioactive Tracing Log for SISF 645
    Information About Packet Tracing 646
    Configuring Conditional Debugging Packet Tracing 647
    Configuring Conditional Debugging Packet Tracing per AP 648
    Configuring Conditional Debugging Packet Tracing per Client (GUI) 649
    Configuring Conditional Debugging Packet Tracing per Client 649
    Verifying Conditional Debugging Packet Tracing Configuration 649
CHAPTER 77 Aggressive Client Load Balancing 651
    Information About Aggressive Client Load Balancing 651
    Enabling Aggressive Client Load Balancing (GUI) 652
    Configuring Aggressive Client Load Balancing (GUI) 652

    Configuring Aggressive Client Load Balancing (CLI) 653
CHAPTER 78 Accounting Identity List 655
    Configuring Accounting Identity List (GUI) 655
    Configuring Accounting Identity List (CLI) 655
    Configuring Client Accounting (GUI) 656
    Configuring Client Accounting (CLI) 656
CHAPTER 79 Support for Accounting Session ID 659
    Information About Accounting Session ID 659
    Configuring an Accounting Session ID (CLI) 659
    Verifying an Account Session ID 660
CHAPTER 80 Wireless Multicast 663
    Information About Wireless Multicast 663
    Multicast Optimization 664
    IPv6 Global Policies 664
    Information About IPv6 Snooping 664
    IPv6 Neighbor Discovery Inspection 664
    Prerequisites for Configuring Wireless Multicast 666
    Restrictions on Configuring Wireless Multicast 667
    Restrictions for IPv6 Snooping 667
    Configuring Wireless Multicast 667
    Configuring Wireless Multicast-MCMC Mode (CLI) 667
    Configuring Wireless Multicast-MCUC Mode 668
    Configuring Multicast Listener Discovery Snooping (GUI) 668
    Configuring IPv6 MLD Snooping 669
    Verifying the Multicast VLAN Configuration 669
    IPv6 Multicast-over-Multicast 670
    Configuring IPv6 Multicast-over-Multicast (GUI) 670
    Configuring IPv6 Multicast-over-Multicast 671
    Verifying IPv6 Multicast-over-Multicast 671
    Verifying the Multicast Connection Between the Controller and the AP 671
    Directed Multicast Service 672

    Configuring Directed Multicast Service (GUI) 672
    Configuring Directed Multicast Service 672
    Verifying the Directed Multicast Service Configuration 673
    Wireless Broadcast, Non-IP Multicast and Multicast VLAN 674
    Configuring Non-IP Wireless Multicast (CLI) 674
    Configuring Wireless Broadcast (GUI) 675
    Configuring Wireless Broadcast (CLI) 676
    Configuring Multicast-over-Multicast for AP Multicast Groups (CLI) 676
    Verifying Wireless Multicast 677
    Multicast Optimization 678
    Configuring IP Multicast VLAN for WLAN (GUI) 678
    Configuring IP Multicast VLAN for WLAN 678
    Verifying the Multicast VLAN Configuration 679
    Multicast Filtering 680
    Information About Multicast Filtering 680
    Configuring Multicast Filtering 681
    Verifying Multicast Filtering 682
CHAPTER 81 Map-Server Per-Site Support 683
    Information About Map Server Per Site Support 683
    Configuring the Default Map Server (GUI) 684
    Configuring the Default Map Server (CLI) 684
    Configuring a Map Server Per Site (GUI) 685
    Configuring a Map Server Per Site (CLI) 685
    Creating a Map Server for Each VNID (GUI) 686
    Creating a Map Server for Each VNID 686
    Creating a Fabric Profile and Associating a Tag and VNID (GUI) 687
    Creating a Fabric Profile and Associating a Tag and VNID (CLI) 687
    Verifying the Map Server Configuration 688
CHAPTER 82 Volume Metering 691
    Configuring Volume Metering 691
CHAPTER 83 Enabling Syslog Messages in Access Points and Controller for Syslog Server 693

    Information About Enabling Syslog Messages in Access Points and Controller for Syslog Server 693
    Configuring Syslog Server for an AP Profile 695
    Configuring Syslog Server for the Controller (GUI) 696
    Configuring Syslog Server for the Controller 697
    Information About Syslog Support for Client State Change 698
    Configuring Syslog Support for Client State Change (CLI) 699
    Sample Syslogs 699
    Verifying Syslog Server Configurations 700
CHAPTER 84 Login Banner 705
    Information About Login Banner 705
    Configuring a Login Banner (GUI) 705
    Configuring a Login Banner 706
CHAPTER 85 Wi-Fi Alliance Agile Multiband 707
    Introduction to Wi-Fi Alliance Agile Multiband 707
    Limitations of MBO 709
    Configuring MBO on a WLAN 709
    Verifying MBO Configuration 710
CHAPTER 86 Configuring Local and Wide Area Bonjour Domains 713
    Cisco DNA Service for Bonjour Solution Overview 713
    Restrictions 713
    Cisco Wide Area Bonjour Service Workflow 714
    Cisco Wide Area Bonjour Supported Network Design 714
    Traditional Wired and Wireless Networks 714
    Cisco SD Access Wired and Wireless Networks 715
    Local and Wide Area Bonjour Policies 716
    Configuring Local and Wide Area Bonjour Domains 722
    How to Configure Multicast DNS Mode for LAN and Wired Networks 722
    Enabling mDNS Gateway on the Device 722
    Creating Custom Service Definition (GUI) 724
    Creating Custom Service Definition 724
    Creating Service List (GUI) 725

    Creating Service List 725
    Creating Service Policy (GUI) 726
    Creating Service Policy 727
    Associating Service Policy to an Interface 727
    How to Configure Local Area Bonjour in Multicast DNS Mode for Wireless Networks 729
    Enabling mDNS Gateway on the Device 730
    Creating Custom Service Definition 732
    Creating Service List 732
    Creating Service Policy 734
    Associating Service Policy with Wireless Profile Policy 734
    Configuring Wide Area Bonjour Domain 735
    Enabling mDNS Gateway on the Device 735
    Creating Custom Service Definition 737
    Creating Service List 737
    Creating Service Policy 738
    Associating Service Policy with the Controller in Wide Area Bonjour Domain 739
    Verifying Local Area Bonjour in Multicast DNS Mode for LAN and Wireless Networks 741
    Verifying SDG-Agent Status 741
    Verifying Wide Area Bonjour Controller Status 742
    Verifying Local Area Bonjour Configuration for LAN and Wireless Networks 743
    Additional References for DNA Service for Bonjour 744
    Feature History for Cisco DNA Service for Bonjour 744
CHAPTER 87 SNMP Traps 747
    Information About Configuring SNMP Traps 747
    Configuring SNMP Traps (GUI) 748
    Enabling Access Points Traps (CLI) 748
    Enabling Wireless Client Traps (CLI) 749
    Enabling Mesh Traps (CLI) 749
    Enabling RF Traps (CLI) 750
    Enabling Rogue, Mobility, RRM, and General Traps (CLI) 750
    Verifying SNMP Wireless Traps 751
CHAPTER 88 Disabling Clients with Random MAC Address 753

    Information About Disabling Clients with Random MAC Addresses 753
    Configuring Random MAC Address Deny (CLI) 753
    Verifying Denial of Clients with a Random MAC Address 754
PART VII Security 757
CHAPTER 89 IPv4 ACLs 759
    Information About Network Security with ACLs 759
    ACL Overview 759
    Access Control Entries 759
    ACL Supported Types 760
    Supported ACLs 760
    ACL Precedence 760
    Port ACLs 760
    Router ACLs 761
    ACEs and Fragmented and Unfragmented Traffic 762
    ACEs and Fragmented and Unfragmented Traffic Examples 762
    Standard and Extended IPv4 ACLs 763
    IPv4 ACL Switch Unsupported Features 763
    Access List Numbers 763
    Numbered Standard IPv4 ACLs 764
    Numbered Extended IPv4 ACLs 765
    Named IPv4 ACLs 765
    ACL Logging 766
    Hardware and Software Treatment of IP ACLs 766
    IPv4 ACL Interface Considerations 767
    Restrictions for Configuring IPv4 Access Control Lists 767
    How to Configure ACLs 768
    Configuring IPv4 ACLs (GUI) 768
    Configuring IPv4 ACLs 768
    Creating a Numbered Standard ACL (GUI) 769
    Creating a Numbered Standard ACL (CLI) 769
    Creating a Numbered Extended ACL (GUI) 771
    Creating a Numbered Extended ACL (CLI) 771

    Creating Named Standard ACLs (GUI) 775
    Creating Named Standard ACLs 775
    Creating Extended Named ACLs (GUI) 777
    Creating Extended Named ACLs 777
    Applying an IPv4 ACL to an Interface (GUI) 779
    Applying an IPv4 ACL to an Interface (CLI) 779
    Applying ACL to Policy Profile (GUI) 780
    Applying ACL to Policy Profile 780
    Configuration Examples for ACLs 781
    Examples: Including Comments in ACLs 781
    Examples: Applying an IPv4 ACL to a Policy Profile in a Wireless Environment 781
    IPv4 ACL Configuration Examples 782
    ACLs in a Small Networked Office 782
    Examples: ACLs in a Small Networked Office 783
    Example: Numbered ACLs 783
    Examples: Extended ACLs 784
    Examples: Named ACLs 784
    Monitoring IPv4 ACLs 785
CHAPTER 90 DNS-Based Access Control Lists 787
    Information About DNS-Based Access Control Lists 787
    Defining ACLs 788
    Applying ACLs 789
    Types of URL Filters 789
    Restrictions on DNS-Based Access Control Lists 790
    Flex Mode 791
    Defining URL Filter List 791
    Applying URL Filter List to Flex Profile 791
    Configuring ISE for Central Web Authentication (GUI) 792
    Local Mode 793
    Defining URL Filter List 793
    Applying URL Filter List to Policy Profile (GUI) 794
    Applying URL Filter List to Policy Profile 794
    Configuring ISE for Central Web Authentication 795

    Creating Authorization Profiles 795
    Mapping Authorization Profiles to Authentication Rule 795
    Mapping Authorization Profiles to Authorization Rule 796
    Viewing DNS-Based Access Control Lists 796
    Configuration Examples for DNS-Based Access Control Lists 797
    Verifying DNS Snoop Agent (DSA) 798
    Information About Flex Client IPv6 Support with WebAuth Pre and Post ACL 799
    Enabling Pre-Authentication ACL for LWA and EWA (GUI) 800
    Enabling Pre-Authentication ACL for LWA and EWA 800
    Enabling Post-Authentication ACL for LWA and EWA (GUI) 802
    Enabling Post-Authentication ACL for LWA and EWA 802
    Enabling DNS ACL for LWA and EWA (GUI) 803
    Enabling DNS ACL for LWA and EWA 803
    Verifying Flex Client IPv6 Support with WebAuth Pre and Post ACL 804
CHAPTER 91 Allowed List of Specific URLs 805
    Allowed List of Specific URLs 805
    Adding URL to Allowed List 805
    Verifying URLs on the Allowed List 807
CHAPTER 92 Policy Enforcement and Usage Monitoring 809
    Policy Enforcement and Usage Monitoring 809
    Configuring Policy Enforcement and Enabling Change-of-Authorization (CLI) 809
    Example: Configuring Policy Enforcement and Usage Monitoring 810
    Verifying Policy Usage and Enforcement 811
CHAPTER 93 Web-Based Authentication 813
    Local Web Authentication Overview 813
    Device Roles 815
    Authentication Process 816
    Local Web Authentication Banner 817
    Customized Local Web Authentication 819
    Guidelines 819
    Redirection URL for Successful Login Guidelines 821

    How to Configure Local Web Authentication 821
    Configuring Default Local Web Authentication 821
    Information About the AAA Wizard 821
    Configuring AAA Authentication (GUI) 825
    Configuring AAA Authentication (CLI) 826
    Configuring the HTTP/HTTPS Server (GUI) 827
    Configuring the HTTP Server (CLI) 827
    Configuring HTTP and HTTPS Requests for Web Authentication 828
    Information About Configuring HTTP and HTTPS Requests for Web Authentication 828
    Guidelines and Limitations 830
    Configuring HTTP and HTTPS Requests for Web Authentication (CLI) 830
    Creating a Parameter Map (GUI) 831
    Creating Parameter Maps 832
    Configuring Local Web Authentication (GUI) 832
    Configuring the Internal Local Web Authentication (CLI) 833
    Configuring the Customized Local Web Authentication (CLI) 833
    Configuring the External Local Web Authentication (CLI) 835
    Configuring the Web Authentication WLANs 836
    Configuring Pre-Auth Web Authentication ACL (GUI) 837
    Configuring Pre-Auth Web Authentication ACL (CLI) 837
    Configuring the Maximum Web Authentication Request Retries 839
    Configuring a Local Banner in Web Authentication Page (GUI) 839
    Configuring a Local Banner in Web Authentication Page (CLI) 840
    Configuring Type WebAuth, Consent, or Both 840
    Configuring Preauthentication ACL 841
    Configuring TrustPoint for Local Web Authentication 842
    Configuration Examples for Local Web Authentication 843
    Example: Obtaining Web Authentication Certificate 843
    Example: Displaying a Web Authentication Certificate 844
    Example: Choosing the Default Web Authentication Login Page 845
    Example: Choosing a Customized Web Authentication Login Page from an IPv4 External Web Server 845
    Example: Choosing a Customized Web Authentication Login Page from an IPv6 External Web Server 846

    Example: Assigning Login, Login Failure, and Logout Pages per WLAN 846
    Example: Configuring Preauthentication ACL 846
    Example: Configuring Webpassthrough 847
    Verifying Web Authentication Type 847
    External Web Authentication (EWA) 848
    Configuring EWA with Single WebAuth Server Address and Default Ports (80/443) (CLI) 848
    Configuring EWA with Multiple Web Servers and/or Ports Different than Default (80/443) 850
    Configuring Wired Guest EWA with Multiple Web Servers and/or Ports Different than Default (80/443) 852
    Authentication for Sleeping Clients 853
    Information About Authenticating Sleeping Clients 853
    Restrictions on Authenticating Sleeping Clients 853
    Configuring Authentication for Sleeping Clients (GUI) 854
    Configuring Authentication for Sleeping Clients (CLI) 854
    Sleeping Clients with Multiple Authentications 855
    Mobility Support for Sleeping Clients 855
    Supported Combinations of Multiple Authentications 855
    Configuring Sleeping Clients with Multiple Authentications 856
    Configuring WLAN for Dot1x and Local Web Authentication 856
    Configuring a WLAN for MAC Authentication Bypass and Local Web Authentication 857
    Configuring a WLAN for Local Web Authentication and MAC Filtering 858
    Configuring a PSK + LWA in a WLAN 859
    Configuring a Sleeping Client 860
    Verifying a Sleeping Client Configuration 861
CHAPTER 94 Central Web Authentication 863
    Information About Central Web Authentication 863
    Prerequisites for Central Web Authentication 864
    How to Configure ISE 864
    Creating an Authorization Profile 864
    Creating an Authentication Rule 864
    Creating an Authorization Rule 865
    How to Configure Central Web Authentication on the Controller 866
    Configuring WLAN (GUI) 866

    Configuring WLAN (CLI) 867
    Configuring Policy Profile (CLI) 868
    Configuring a Policy Profile (GUI) 870
    Creating Redirect ACL 870
    Configuring AAA for Central Web Authentication 871
    Configuring Redirect ACL in Flex Profile (GUI) 872
    Configuring Redirect ACL in Flex Profile (CLI) 873
    Authentication for Sleeping Clients 874
    Information About Authenticating Sleeping Clients 874
    Restrictions on Authenticating Sleeping Clients 874
    Configuring Authentication for Sleeping Clients (GUI) 875
    Configuring Authentication for Sleeping Clients (CLI) 875
    Sleeping Clients with Multiple Authentications 876
    Mobility Support for Sleeping Clients 876
    Supported Combinations of Multiple Authentications 876
    Configuring Sleeping Clients with Multiple Authentications 877
    Configuring WLAN for Dot1x and Local Web Authentication 877
    Configuring a WLAN for MAC Authentication Bypass and Local Web Authentication 878
    Configuring a WLAN for Local Web Authentication and MAC Filtering 879
    Configuring a PSK + LWA in a WLAN 880
    Configuring a Sleeping Client 881
    Verifying a Sleeping Client Configuration 882
CHAPTER 95 ISE Simplification and Enhancements 883
    Utilities for Configuring Security 883
    Configuring Multiple Radius Servers 884
    Verifying AAA and Radius Server Configurations 885
    Configuring Captive Portal Bypassing for Local and Central Web Authentication 885
    Information About Captive Bypassing 885
    Configuring Captive Bypassing for WLAN in LWA and CWA (GUI) 886
    Configuring Captive Bypassing for WLAN in LWA and CWA (CLI) 887
    Sending DHCP Options 55 and 77 to ISE 888
    Information About DHCP Option 55 and 77 888
    Configuration to Send DHCP Options 55 and 77 to ISE (GUI) 888

    Configuration to Send DHCP Options 55 and 77 to ISE (CLI) 888
    Configuring EAP Request Timeout (GUI) 889
    Configuring EAP Request Timeout 890
    Configuring EAP Request Timeout in Wireless Security (CLI) 890
    Captive Portal 891
    Captive Portal Configuration 891
    Configuring Captive Portal (GUI) 891
    Configuring Captive Portal 892
    Captive Portal Configuration - Example 894
CHAPTER 96 Authentication and Authorization Between Multiple RADIUS Servers 897
    Information About Authentication and Authorization Between Multiple RADIUS Servers 897
    Configuring 802.1X Security for WLAN with Split Authentication and Authorization Servers 898
    Configuring Explicit Authentication and Authorization Server List (GUI) 898
    Configuring Explicit Authentication Server List (GUI) 899
    Configuring Explicit Authentication Server List (CLI) 899
    Configuring Explicit Authorization Server List (GUI) 900
    Configuring Explicit Authorization Server List (CLI) 901
    Configuring Authentication and Authorization List for 802.1X Security (GUI) 902
    Configuring Authentication and Authorization List for 802.1X Security 902
    Configuring Web Authentication for WLAN with Split Authentication and Authorization Servers 903
    Configuring Authentication and Authorization List for Web Authentication (GUI) 903
    Configuring Authentication and Authorization List for Web Authentication 904
    Verifying Split Authentication and Authorization Configuration 905
    Configuration Examples 906
CHAPTER 97 AAA Dead-Server Detection 907
    Information About AAA Dead-Server Detection 907
    Prerequisites for AAA Dead-Server Detection 908
    Restrictions for AAA Dead-Server Detection 908
    Configuring AAA Dead-Server Detection (CLI) 908
    Verifying AAA Dead-Server Detection 909
CHAPTER 98 RADIUS Server Load Balancing 911

    Information About RADIUS Server Load Balancing 911
    Prerequisites for RADIUS Server Load Balancing 913
    Restrictions for RADIUS Server Load Balancing 913
    Enabling Load Balancing for a Named RADIUS Server Group (CLI) 913

CHAPTER 99 Secure LDAP 915
    Information About SLDAP 915
    Prerequisite for Configuring SLDAP 917
    Restrictions for Configuring SLDAP 917
    Configuring SLDAP 917
    Configuring an AAA Server Group (GUI) 918
    Configuring a AAA Server Group 919
    Configuring Search and Bind Operations for an Authentication Request 920
    Configuring a Dynamic Attribute Map on an SLDAP Server 921
    Verifying the SLDAP Configuration 921

CHAPTER 100 RADIUS DTLS 923
    Information About RADIUS DTLS 923
    Prerequisites 925
    Configuring RADIUS DTLS Server 925
    Configuring RADIUS DTLS Connection Timeout 926
    Configuring RADIUS DTLS Idle Timeout 926
    Configuring Source Interface for RADIUS DTLS Server 927
    Configuring RADIUS DTLS Port Number 928
    Configuring RADIUS DTLS Connection Retries 928
    Configuring RADIUS DTLS Trustpoint 929
    Configuring DTLS Dynamic Author 930
    Enabling DTLS for Client 930
    Configuring Client Trustpoint for DTLS 931
    Configuring DTLS Idle Timeout 932
    Configuring Server Trustpoint for DTLS 932
    Verifying the RADIUS DTLS Server Configuration 933
    Clearing RADIUS DTLS Specific Statistics 933

CHAPTER 101 Multiple Cipher Support 935
    Default Ciphersuites Supported for CAPWAP-DTLS 935
    Configuring Multiple Ciphersuites 936
    Setting Server Preference 937
    Verifying Operational Ciphersuites and Priority 937

CHAPTER 102 Internet Protocol Security 939
    Information About Internet Protocol Security 939
    Internet Key Exchange Version 1 Transform Sets 940
    Configure IPSec Using Internet Key Exchange Version 1 941
    Internet Key Exchange Version 2 Transform Sets 943
    Configure IPSec Using Internet Key Exchange Version 2 944
    IPsec Transforms and Lifetimes 946
    Use of X.509 With Internet Key Exchange Version 947
    For IKEv2 Commands 948
    IPsec Session Interruption and Recovery 948
    Example: Configure IPSec Using ISAKMP 949
    Verifying IPSec Traffic 949
    Example: Configure IPSec Using Internet Key Exchange Version 2 950
    Verifying IPSec With Internet Key Exchange Version 2 Traffic 951

CHAPTER 103 MAC Filtering 955
    MAC Filtering 955
    MAC Filtering Configuration Guidelines 955
    Configuring MAC Filtering for Local Authentication (CLI) 957
    Configuring MAC Filtering (GUI) 958
    Configuring MAB for External Authentication (CLI) 958

CHAPTER 104 IP Source Guard 961
    Information About IP Source Guard 961
    Configuring IP Source Guard (GUI) 961
    Configuring IP Source Guard 962

CHAPTER 105 Managing Rogue Devices 963
    Rogue Detection 963
    Rogue Devices 963
    Information About Rogue Containment (Protected Management Frames (PMF) Enabled) 965
    AP Impersonation Detection 965
    Configuring Rogue Detection (GUI) 966
    Configuring Rogue Detection (CLI) 966
    Configuring RSSI Deviation Notification Threshold for Rogue APs (CLI) 967
    Configuring Management Frame Protection (GUI) 968
    Configuring Management Frame Protection (CLI) 968
    Enabling Access Point Authentication 969
    Verifying Management Frame Protection 969
    Verifying Rogue Events 970
    Verifying Rogue Detection 971
    Examples: Rogue Detection Configuration 972
    Configuring Rogue Policies (GUI) 973
    Configuring Rogue Policies (CLI) 973
    Rogue Detection Security Level 975
    Setting Rogue Detection Security-level 976
    Wireless Service Assurance Rogue Events 977
    Monitoring Wireless Service Assurance Rogue Events 977

CHAPTER 106

Classifying Rogue Access Points 979
Information About Classifying Rogue Access Points 979
Guidelines and Restrictions for Classifying Rogue Access Points 981
How to Classify Rogue Access Points 981
Classifying Rogue Access Points and Clients Manually (GUI) 981
Classifying Rogue Access Points and Clients Manually (CLI) 982
Configuring Rogue Classification Rules (GUI) 983
Configuring Rogue Classification Rules (CLI) 984
Monitoring Rogue Classification Rules 987
Examples: Classifying Rogue Access Points 987


CHAPTER 107

Configuring Secure Shell 989
Information About Configuring Secure Shell 989
SSH and Device Access 989
SSH Servers, Integrated Clients, and Supported Versions 989
SSH Configuration Guidelines 990
Secure Copy Protocol Overview 990
Secure Copy Protocol 991
SFTP Support 991
Prerequisites for Configuring Secure Shell 991
Restrictions for Configuring Secure Shell 992
How to Configure SSH 992
Setting Up the Device to Run SSH 992
Configuring the SSH Server 993
Monitoring the SSH Configuration and Status 995

CHAPTER 108

Private Shared Key 997
Information About Private Preshared Key 997
Configuring a PSK in a WLAN (CLI) 998
Configuring a PSK in a WLAN (GUI) 999
Applying a Policy Profile to a WLAN (GUI) 1000
Applying a Policy Profile to a WLAN (CLI) 1000
Verifying a Private PSK 1001

CHAPTER 109

Multi-Preshared Key 1005
Information About Multi-Preshared Key 1005
Restrictions on Multi-PSK 1006
Configuring Multi-Preshared Key (GUI) 1006
Configuring Multi-Preshared Key (CLI) 1009
Verifying Multi-PSK Configurations 1010

CHAPTER 110

Multiple Authentications for a Client 1013
Information About Multiple Authentications for a Client 1013
Information About Supported Combination of Authentications for a Client 1013

Combination of Authentications on MAC Failure Not Supported on a Client 1014
Configuring Multiple Authentications for a Client 1015
Configuring WLAN for 802.1X and Local Web Authentication (GUI) 1015
Configuring WLAN for 802.1X and Local Web Authentication (CLI) 1015
Configuring WLAN for Preshared Key (PSK) and Local Web Authentication (GUI) 1017
Configuring WLAN for Preshared Key (PSK) and Local Web Authentication 1017
Configuring WLAN for PSK or Identity Preshared Key (iPSK) and Central Web Authentication (GUI) 1019
Configuring WLAN for PSK or Identity Preshared Key (iPSK) and Central Web Authentication 1019
Configuring WLAN 1019
Applying Policy Profile to a WLAN 1020
Configure WLAN for Web Authentication on MAC Authentication Bypass Failure with Pre-Shared Key (CLI) 1021
Configure WLAN for Web Authentication on MAC Authentication Bypass Failure with OWE (CLI) 1023
Configure WLAN for Web Authentication on MAC Authentication Bypass Failure with Secure Agile Exchange (CLI) 1025
Configuring 802.1x and Central Web Authentication on Controller (CLIs) 1026
Creating AAA Authentication 1026
Configuring AAA Server for External Authentication 1027
Configuring AAA for Authentication 1028
Configuring Accounting Identity List 1029
Configuring AAA for Central Web Authentication 1029
Defining an Access Control List for Radius Server 1030
Configuration Example to Define an Access Control List for Radius Server 1030
Configuring WLAN 1031
Configuring Policy Profile 1031
Mapping WLAN and Policy Profile to Policy Tag 1032
Configuring ISE for Central Web Authentication with Dot1x (GUI) 1033
Defining Guest Portal 1033
Defining Authorization Profile for a Client 1033
Defining Authentication Rule 1033
Defining Authorization Rule 1034
Creating Rules to Match Guest Flow Condition 1034
Verifying Multiple Authentication Configurations 1035

CHAPTER 111

Cisco TrustSec 1039
Information about Cisco TrustSec 1039
Cisco TrustSec Features 1040
Security Group Access Control List 1041
Inline Tagging 1043
Policy Enforcement 1043
SGACL Support for Wireless Guest Access 1044
Enabling SGACL on the AP (GUI) 1044
Enabling SGACL on the AP 1045
Enabling SGACL Policy Enforcement Globally (CLI) 1046
Enabling SGACL Policy Enforcement Per Interface (CLI) 1047
Manually Configuring a Device SGT (CLI) 1047
Configuring SGACL, Inline Tagging, and SGT in Local Mode (GUI) 1048
Configuring SGACL, Inline Tagging, and SGT in Local Mode 1048
Configuring ISE for TrustSec 1049
Verifying Cisco TrustSec Configuration 1050

CHAPTER 112

SGT Inline Tagging and SXPv4 1053
Introduction to SGT Inline Tagging on AP and SXPv4 1053
Creating an SXP Profile 1053
Configuring SGT Inline Tagging on Access Points 1054
Configuring an SXP Connection (GUI) 1054
Configuring an SXP Connection 1055
Verifying SGT Push to Access Points 1056

CHAPTER 113

Controller Self-Signed Certificate for Wireless AP Join 1059
Use Cases 1059
Prerequisites 1060
Configuring Clock Calendar (CLI) 1060
Enabling HTTP Server (CLI) 1061
Configuring CA Server (CLI) 1061
Configuring Trustpoint (CLI) 1063
Authenticating and Enrolling the PKI TrustPoint with CA Server (CLI) 1064


Tagging Wireless Management TrustPoint Name (CLI) 1065
Verifying Controller Certificates for Wireless AP Join 1065

CHAPTER 114

Locally Significant Certificates 1067
Information About Locally Significant Certificates 1067
Certificate Provisioning in Controllers 1068
Device Certificate Enrollment Operation 1068
Certificate Provisioning on Lightweight Access Point 1068
Restrictions for Locally Significant Certificates 1069
Provisioning Locally Significant Certificates 1069
Configuring RSA Key for PKI Trustpoint 1069
Configuring PKI Trustpoint Parameters 1070
Authenticating and Enrolling a PKI Trustpoint (GUI) 1071
Authenticating and Enrolling the PKI Trustpoint with CA Server (CLI) 1071
Configuring AP Join Attempts with LSC Certificate (GUI) 1073
Configuring AP Join Attempts with LSC Certificate (CLI) 1073
Configuring Subject-Name Parameters in LSC Certificate 1073
Configuring Key Size for LSC Certificate 1074
Configuring Trustpoint for LSC Provisioning on an Access Point 1074
Configuring an AP LSC Provision List (GUI) 1075
Configuring an AP LSC Provision List (CLI) 1076
Configuring LSC Provisioning for all the APs (GUI) 1076
Configuring LSC Provisioning for All APs (CLI) 1077
Configuring LSC Provisioning for the APs in the Provision List 1077
Importing a CA Certificate to the Trustpool (GUI) 1078
Importing a CA Certificate to the Trustpool (CLI) 1078
Cleaning the CA Certificates Imported in Trustpool (GUI) 1079
Cleaning CA Certificates Imported in Trustpool (CLI) 1079
Creating a New Trustpoint Dedicated to a Single CA Certificate 1080
Verifying LSC Configuration 1081
Configuring Management Trustpoint to LSC (GUI) 1081
Configuring Management Trustpoint to LSC (CLI) 1082
Information About MIC and LSC Access Points Joining the Controller 1082
Overview of Support for MIC and LSC Access Points Joining the Controller 1082


Recommendations and Limitations 1082
Configuration Workflow 1083
Configuring LSC on the Controller (CLI) 1083
Enabling the AP Certificate Policy on the APs (CLI) 1084
Configuring the AP Policy Certificate (GUI) 1085
Configuring the Allowed List of APs to Join the Controller (CLI) 1085
Verifying the Configuration Status 1086
Configuring Controller Self-Signed Certificate for Wireless AP Join 1087
Use Cases 1087
Prerequisites 1087
Configuring Clock Calendar (CLI) 1088
Enabling HTTP Server (CLI) 1088
Configuring CA Server (CLI) 1089
Configuring Trustpoint (CLI) 1090
Authenticating and Enrolling the PKI TrustPoint with CA Server (CLI) 1092
Tagging Wireless Management TrustPoint Name (CLI) 1092
Verifying Controller Certificates for Wireless AP Join 1093

CHAPTER 115

Certificate Management 1095
About Public Key Infrastructure Management (GUI) 1095
Authenticating and Enrolling a PKI Trustpoint (GUI) 1095
Generating an AP Self-Signed Certificate (GUI) 1096
Adding the Certificate Authority Server (GUI) 1096
Adding an RSA or EC Key for PKI Trustpoint (GUI) 1097
Adding and Managing Certificates 1097 1098

CHAPTER 116

Cisco Umbrella WLAN 1099
Information About Cisco Umbrella WLAN 1099
Registering Controller to Cisco Umbrella Account 1100
Configuring Cisco Umbrella WLAN 1101
Importing CA Certificate to the Trust Pool 1101
Creating a Local Domain RegEx Parameter Map 1103
Configuring Parameter Map Name in WLAN (GUI) 1103


Configuring the Umbrella Parameter Map 1104
Enabling or Disabling DNScrypt (GUI) 1104
Enabling or Disabling DNScrypt 1105
Configuring Timeout for UDP Sessions 1105
Configuring Parameter Map Name in WLAN (GUI) 1106
Configuring Parameter Map Name in WLAN 1106
Configuring the Umbrella Flex Profile 1107
Configuring the Umbrella Flex Profile (GUI) 1107
Configuring Umbrella Flex Parameters 1108
Configuring the Umbrella Flex Policy Profile (GUI) 1108
Verifying the Cisco Umbrella Configuration 1109

CHAPTER 117

Encrypted Traffic Analytics 1111
Information About Encrypted Traffic Analytics 1111
Exporting Records to IPv4 Flow Export Destination 1112
Exporting Records to IPv6 Flow Export Destination 1113
Exporting Records to IPv4 and IPv6 Destination over IPFIX 1113
Allowed List of Traffic 1114
Configuring Source Interface for Record Export 1115
Configuring Source Interface for Record Export Without IPFIX 1116
Configuring ETA Flow Export Destination (GUI) 1117
Enabling In-Active Timer 1117
Enabling ETA on WLAN Policy Profile 1118
Attaching Policy Profile to VLAN (GUI) 1119
Attaching Policy Profile to VLAN 1119
Verifying ETA Configuration 1120

CHAPTER 118

FIPS 1125
FIPS 1125
Guidelines and Restrictions for FIPS 1126
FIPS Self-Tests 1126
Configuring FIPS 1127
Configuring FIPS in HA Setup 1128
Verifying FIPS Configuration 1129


CHAPTER 119

Device Analytics 1131
Device Analytics 1131
Information About Device Analytics 1131
Restrictions for Device Analytics 1131
Configuring Device Analytics (GUI) 1132
Configuring Device Analytics (CLI) 1132
Verifying Device Analytics Configuration 1133
Adaptive 802.11r 1134
Information About Adaptive 802.11r 1134
Configuring Adaptive 802.11r (GUI) 1135
Verifying Adaptive 802.11r 1135

CHAPTER 120

Advanced WIPS 1137
Feature History for Advanced WIPS 1137
Information About Advanced WIPS 1137
Guidelines and Restrictions 1140
Enabling Advanced WIPS 1140
Advanced WIPS Solution Components 1141
Supported Modes and Platforms 1141
Enabling Advanced WIPS (GUI) 1142
Enabling Advanced WIPS (CLI) 1142
Viewing Advanced WIPS Alarms (GUI) 1143
Verifying Advanced WIPS 1143

CHAPTER 121

Wi-Fi Protected Access 3 1145
Simultaneous Authentication of Equals 1145
Opportunistic Wireless Encryption 1146
Configuring SAE (WPA3+WPA2 Mixed Mode) 1146
Configuring WPA3 Enterprise (GUI) 1147
Configuring WPA3 Enterprise 1148
Configuring the WPA3 OWE 1149
Configuring WPA3 OWE Transition Mode (GUI) 1150
Configuring WPA3 OWE Transition Mode 1150

Configuring WPA3 SAE (GUI) 1152
Configuring WPA3 SAE 1153
Configuring Anti-Clogging and SAE Retransmission (GUI) 1154
Configuring Anti-Clogging and SAE Retransmission 1155
Verifying WPA3 SAE and OWE 1156

CHAPTER 122

Transport Layer Security Tunnel Support 1161
Information About Transport Layer Security Tunnel Support 1161
Configuring a Transport Layer Security Tunnel 1162

CHAPTER 123

Local Extensible Authentication Protocol 1165
Information About Local EAP 1165
Restrictions for Local EAP 1166
Configuring Local EAP Profile (CLI) 1166
Configuring Local EAP profile (GUI) 1167
Configuring AAA Authentication (GUI) 1167
Configuring AAA Authorization Method (GUI) 1167
Configuring AAA Authorization Method (CLI) 1168
Configuring Local Advanced Methods (GUI) 1169
Configuring WLAN (GUI) 1169
Configuring WLAN (CLI) 1170
Creating a User Account (CLI) 1170
Attaching a Policy Profile to a WLAN Interface (GUI) 1171
Deploy Policy Tag to Access Points (GUI) 1172

CHAPTER 124

Disabling IP Learning in FlexConnect Mode 1173
Information About Disabling IP Learning in FlexConnect Mode 1173
Restrictions for Disabling IP Learning in FlexConnect Mode 1173
Disabling IP Learning in FlexConnect Mode (CLI) 1174
Verifying MAC Entries from Database 1174

PART VIII CHAPTER 125

Mobility 1175
Mobility 1177


Introduction to Mobility 1177
SDA Roaming 1180
Definitions of Mobility-related Terms 1181
Mobility Groups 1181
Guidelines and Restrictions 1182
Configuring Mobility (GUI) 1184
Configuring Mobility (CLI) 1185
Configuring Inter-Release Controller Mobility (GUI) 1187
Configuring Inter-Release Controller Mobility 1187
Verifying Mobility 1191

CHAPTER 126

NAT Support on Mobility Groups 1197
Information About NAT Support on Mobility Groups 1197
Restrictions for NAT Support on Mobility Groups 1198
Functionalities Supported on Mobility NAT 1198
Configuring a Mobility Peer 1199
Verifying NAT Support on Mobility Groups 1199

CHAPTER 127

Static IP Client Mobility 1201
Information About Static IP Client Mobility 1201
Restrictions 1201
Configuring Static IP Client Mobility (GUI) 1202
Configuring Static IP Client Mobility (CLI) 1202
Verifying Static IP Client Mobility 1203

CHAPTER 128

Mobility Domain ID - Dot11i Roaming 1205
Information about Mobility Domain ID - 802.11i Roaming 1205
Verifying Mobility Domain ID - 802.11i Roaming 1206

CHAPTER 129

802.11r Support for Flex Local Authentication 1207
Information About 802.11r Support for FlexConnect Local Authentication 1207
Support Guidelines 1207
Verifying 802.11r Support for Flex Local Authentication 1208


CHAPTER 130

Opportunistic Key Caching 1209
Information about Opportunistic Key Caching 1209
Enabling Opportunistic Key Caching 1210
Enabling Opportunistic Key Caching (GUI) 1210
Verifying Opportunistic Key Caching 1210

PART IX CHAPTER 131

High Availability 1213
High Availability 1215
Feature History for High Availability 1215
Information About High Availability 1216
Prerequisites for High Availability 1217
Restrictions on High Availability 1218
Configuring High Availability (CLI) 1219
Disabling High Availability 1221
Copying a WebAuth Tar Bundle to the Standby Controller 1222
System and Network Fault Handling 1223
Handling Recovery Mechanism 1227
Verifying High Availability Configurations 1228
Verifying AP or Client SSO Statistics 1228
Verifying High Availability 1230
Information About Redundancy Management Interface 1233
Configuring Redundancy Management Interface (GUI) 1237
Configuring Redundancy Management Interface (CLI) 1238
Configuring Gateway Monitoring (CLI) 1240
Configuring Gateway Monitoring Interval (CLI) 1241
Gateway Reachability Detection 1241
Information About Gateway Reachability Detection 1241
Configuration Workflow 1242
Migrating to RMI IPv6 1242
Monitoring the Health of the Standby Controller 1243
Monitoring the Health of Standby Parameters Using SNMP 1244
Standby Monitoring Using Standby RMI IP 1244


Standby Monitoring Using the Active Controller 1244
Standby IOS Linux Syslogs 1245
Monitoring the Health of Standby Controller Using Programmatic Interfaces 1245
Monitoring the Health of Standby Controller Using CLI 1246
Verifying the Gateway-Monitoring Configuration 1249
Verifying the RMI IPv4 Configuration 1250
Verifying the RMI IPv6 Configuration 1251
Information About Auto-Upgrade 1251
Use Cases 1252
Configuration Workflow 1252
Configuring Auto-Upgrade (CLI) 1252

PART X CHAPTER 132

Quality of Service 1255
Quality of Service 1257
Wireless QoS Overview 1257
Wireless QoS Targets 1258
SSID Policies 1258
Client Policies 1258
Supported QoS Features on Wireless Targets 1258
Wireless QoS Mobility 1259
Precious Metal Policies for Wireless QoS 1259
Prerequisites for Wireless QoS 1260
Restrictions for QoS on Wireless Targets 1260
Metal Policy Format 1261
Metal Policy Format 1261
Auto QoS Policy Format 1265
Architecture for Voice, Video and Integrated Data (AVVID) 1267
How to apply Bi-Directional Rate Limiting 1268
Information about Bi-Directional Rate Limiting 1268
Prerequisites for Bi-Directional Rate Limiting 1269
Configure Metal Policy on SSID 1269
Configure Metal Policy on Client 1270
Configure Bi-Directional Rate Limiting for All Traffic 1271


Configure Bi-Directional Rate Limiting Based on Traffic Classification 1271
Apply Bi-Directional Rate Limiting Policy Map to Policy Profile 1273
Apply Metal Policy with Bi-Directional Rate Limiting 1274
How to apply Per Client Bi-Directional Rate Limiting 1275
Information About Per Client Bi-Directional Rate Limiting 1275
Prerequisites for Per Client Bi-Directional Rate Limiting 1276
Restrictions on Per Client Bi-Directional Rate Limiting 1276
Configuring Per Client Bi-Directional Rate Limiting (GUI) 1276
Verifying Per Client Bi-Directional Rate Limiting 1277
Configuring BDRL Using AAA Override 1277
Verifying Bi-Directional Rate-Limit 1278
How to Configure Wireless QoS 1279
Configuring a Policy Map with Class Map (GUI) 1279
Configuring a Class Map (CLI) 1280
Configuring Policy Profile to Apply QoS Policy (GUI) 1281
Configuring Policy Profile to Apply QoS Policy (CLI) 1281
Applying Policy Profile to Policy Tag (GUI) 1282
Applying Policy Profile to Policy Tag (CLI) 1282
Attaching Policy Tag to an AP 1283
Configuring Custom QoS Mapping 1284
Configuring DSCP-to-User Priority Mapping Exception 1285
Configuring Trust Upstream DSCP Value 1286

CHAPTER 133

Wireless Auto-QoS 1289
Information About Auto QoS 1289
How to Configure Wireless AutoQoS 1290
Configuring Wireless AutoQoS on Profile Policy 1290
Disabling Wireless AutoQoS 1291
Rollback AutoQoS Configuration (GUI) 1291
Rollback AutoQoS Configuration 1291
Clearing Wireless AutoQoS Policy Profile (GUI) 1292
Clearing Wireless AutoQoS Policy Profile 1292
Viewing AutoQoS on policy profile 1293


CHAPTER 134

Native Profiling 1295
Information About Native Profiling 1295
Creating a Class Map (GUI) 1296
Creating a Class Map (CLI) 1297
Creating a Service Template (GUI) 1299
Creating a Service Template (CLI) 1300
Creating a Parameter Map 1301
Creating a Policy Map (GUI) 1301
Creating a Policy Map (CLI) 1302
Configuring Native Profiling in Local Mode 1304
Verifying Native Profile Configuration 1304

CHAPTER 135

Air Time Fairness 1307
Information About Air Time Fairness 1307
Restrictions on Cisco Air Time Fairness 1309
Cisco Air Time Fairness (ATF) Use Cases 1310
Configuring Cisco Air Time Fairness (ATF) 1310
Configuring Cisco Air Time Fairness 1310
Creating a Cisco ATF Profile (GUI) 1310
Creating Cisco ATF Profile (CLI) 1311
Attaching Cisco ATF Profile to a Policy Profile (GUI) 1312
Attaching Cisco ATF Profile to a Policy Profile (CLI) 1312
Enabling ATF in the RF Profile (GUI) 1313
Enabling ATF in the RF Profile (CLI) 1313
Verifying Cisco ATF Configurations 1314
Verifying Cisco ATF Statistics 1314

CHAPTER 136

IPv6 Non-AVC QoS Support 1317
Information About IPv6 Non-AVC QoS Support 1317
Configuring IPv6 Non-AVC QoS 1317
Marking DSCP Values for an IPv6 Packet 1318
Dropping an IPv6 Packet with DSCP Values 1318
Policing IPv6 Traffic 1319


Verifying IPv6 Non-AVC QoS 1320

CHAPTER 137

QoS Basic Service Set Load 1321
Information About QoS Basic Set Service Load 1321
Configuring QBSS Load 1322
Configuring Wi-Fi Multimedia 1322
Enabling QoS Basic Set Service Load 1323
Verifying QoS Basic Set Service Load 1323

PART XI CHAPTER 138

IPv6 1325
IPv6 Client IP Address Learning 1327
Information About IPv6 Client Address Learning 1327
Address Assignment Using SLAAC 1327
Stateful DHCPv6 Address Assignment 1328
Router Solicitation 1329
Router Advertisement 1329
Neighbor Discovery 1329
Neighbor Discovery Suppression 1330
Router Advertisement Guard 1330
Router Advertisement Throttling 1331
Prerequisites for IPv6 Client Address Learning 1331
Configuring RA Throttle Policy (CLI) 1331
Applying RA Throttle Policy on VLAN (GUI) 1332
Applying RA Throttle Policy on a VLAN (CLI) 1333
Configuring IPv6 Interface on a Switch (GUI) 1333
Configuring IPv6 on Interface (CLI) 1334
Configuring DHCP Pool on Switch (GUI) 1335
Configuring DHCP Pool on Switch (CLI) 1335
Configuring Stateless Auto Address Configuration Without DHCP on Switch (CLI) 1336
Configuring Stateless Auto Address Configuration With DHCP on Switch 1337
Configuring Stateless Address Auto Configuration Without DHCP on Switch (CLI) 1339
Native IPv6 1340
Information About IPv6 1340


Configuring IPv6 Addressing 1341
Creating an AP Join Profile (GUI) 1342
Creating an AP Join Profile (CLI) 1342
Configuring the Primary and Backup Controller (GUI) 1343
Configuring Primary and Backup Controller (CLI) 1343
Verifying IPv6 Configuration 1344

CHAPTER 139

IPv6 ACL 1345
Information About IPv6 ACL 1345
Understanding IPv6 ACLs 1345
Types of ACL 1345
Per User IPv6 ACL 1345
Filter ID IPv6 ACL 1346
Prerequisites for Configuring IPv6 ACL 1346
Restrictions for Configuring IPv6 ACL 1346
Configuring IPv6 ACLs 1346
Default IPv6 ACL Configuration 1347
Interaction with Other Features and Switches 1347
How To Configure an IPv6 ACL 1347
Creating an IPv6 ACL (GUI) 1347
Creating an IPv6 ACL 1348
Creating WLAN IPv6 ACL (GUI) 1352
Creating WLAN IPv6 ACL 1352
Verifying IPv6 ACL 1352
Displaying IPv6 ACLs 1352
Configuration Examples for IPv6 ACL 1353
Example: Creating an IPv6 ACL 1353
Example: Applying an IPv6 ACL to a Policy Profile in a Wireless Environment 1353
Displaying IPv6 ACLs 1354
Example: Displaying IPv6 ACLs 1354
Example: Configuring RA Throttling 1355

CHAPTER 140

IPv6 Client Mobility 1357
Information About IPv6 Client Mobility 1357


Using Router Advertisement 1358
Router Advertisement Throttling 1358
IPv6 Address Learning 1359
Handling Multiple IP Addresses 1359
IPv6 Configuration 1359
Prerequisites for IPv6 Client Mobility 1359
Monitoring IPv6 Client Mobility 1360

CHAPTER 141

IPv6 Support on Flex and Mesh 1361
IPv6 Support on Flex + Mesh Deployment 1361
Configuring IPv6 Support for Flex + Mesh 1361
Configuring Preferred IP Address as IPv6 (GUI) 1362
Configuring Preferred IP Address as IPv6 1363
Verifying IPv6 on Flex+Mesh 1363

CHAPTER 142

IPv6 CAPWAP UDP Lite Support 1365
Information About UDP Lite 1365
Enabling UDP Lite Support 1365
Verifying UDP Lite Support Configuration 1366

CHAPTER 143

Neighbor Discovery Proxy 1367
Information About Neighbor Discovery 1367
Configure Neighbor Discovery Proxy (CLI) 1367
Configure Duplicate Address Detection Proxy (CLI) 1368

CHAPTER 144

Address Resolution Protocol Proxy 1371
Information About Address Resolution Protocol 1371
Configure Address Resolution Protocol Proxy (CLI) 1371

PART XII CHAPTER 145

CleanAir 1373
Cisco CleanAir 1375
Information About Cisco CleanAir 1375
Cisco CleanAir-Related Terms 1376


Cisco CleanAir Components 1376
Interference Types that Cisco CleanAir can Detect 1377
EDRRM and AQR Update Mode 1378
Prerequisites for CleanAir 1378
Restrictions for CleanAir 1379
How to Configure CleanAir 1379
Enabling CleanAir for the 2.4-GHz Band (GUI) 1379
Enabling CleanAir for the 2.4-GHz Band (CLI) 1380
Configuring Interference Reporting for a 2.4-GHz Device (GUI) 1380
Configuring Interference Reporting for a 2.4-GHz Device (CLI) 1381
Enabling CleanAir for the 5-GHz Band (GUI) 1382
Enabling CleanAir for the 5-GHz Band (CLI) 1383
Configuring Interference Reporting for a 5-GHz Device (GUI) 1383
Configuring Interference Reporting for a 5-GHz Device (CLI) 1384
Configuring Event Driven RRM for a CleanAir Event (GUI) 1385
Configuring EDRRM for a CleanAir Event (CLI) 1386
Verifying CleanAir Parameters 1387
Monitoring Interference Devices 1388
Configuration Examples for CleanAir 1388
CleanAir FAQs 1389

CHAPTER 146

Bluetooth Low Energy 1391
Information About Bluetooth Low Energy 1391
Enabling Bluetooth Low Energy Beacon (GUI) 1392
Enabling Bluetooth Low Energy Beacon 1392

CHAPTER 147

Persistent Device Avoidance 1395
Information about Cisco Persistent Device Avoidance 1395
Configuring Persistent Device Avoidance (GUI) 1396
Configuring Persistent Device Avoidance (CLI) 1396
Verifying Persistent Device Avoidance 1396

CHAPTER 148

Spectrum Intelligence 1399
Spectrum Intelligence 1399

Configuring Spectrum Intelligence 1400
Verifying Spectrum Intelligence Information 1400
Debugging Spectrum Intelligence on Supported APs (CLI) 1401

CHAPTER 149

Spectrum Analysis 1403
Information About Spectrum Analysis 1403
Live Spectrum Analysis 1404
Performing AP Spectrum Analysis (GUI) 1404
Configuring Spectrum Analysis 1405
Verifying Spectrum Analysis 1405

PART XIII CHAPTER 150

Mesh Access Points 1407
Mesh Access Points 1409
Introduction to the Mesh Network 1411
Restrictions for Mesh Access Points 1412
MAC Authorization 1413
Preshared Key Provisioning 1413
EAP Authentication 1414
Bridge Group Names 1415
Background Scanning 1415
Mesh Backhaul at 2.4 GHz and 5 GHz 1416
Information About Mesh Backhaul 1416
Dynamic Frequency Selection 1417
Country Codes 1417
Intrusion Detection System 1417
Mesh Interoperability Between Controllers 1418
Information About DHCP and NAT Functionality on Root AP (RAP) 1418
Mesh Convergence 1419
Noise-Tolerant Fast 1419
Ethernet Bridging 1419
Multicast Over Mesh Ethernet Bridging Network 1420
Radio Resource Management on Mesh 1421
Air Time Fairness on Mesh 1421


Spectrum Intelligence for Mesh 1422
Indoor Mesh Interoperability with Outdoor Mesh 1422
Workgroup Bridge 1422
Link Test 1423
Mesh Daisy Chaining 1423
Mesh Leaf Node 1424
Flex+Bridge Mode 1424
Backhaul Client Access 1424
Mesh CAC 1424
Prerequisites for Mesh Ethernet Daisy Chaining 1425
Restrictions for Mesh Ethernet Daisy Chaining 1425
Speeding up Mesh Network Recovery Through Fast Detection of Uplink Gateway Reachability Failure 1426
Configuring MAC Authorization (GUI) 1426
Configuring MAC Authorization (CLI) 1427
Configuring MAP Authorization - EAP (GUI) 1428
Configuring MAP Authorization (CLI) 1429
Configuring PSK Provisioning (CLI) 1429
Configuring a Bridge Group Name (GUI) 1431
Configuring a Bridge Group Name (CLI) 1431
Configuring Background Scanning (GUI) 1431
Configuring Background Scanning 1432
Configuring Backhaul Client Access (GUI) 1432
Configuring Backhaul Client Access (CLI) 1432
Configuring Wireless Backhaul Data Rate (CLI) 1433
Configuring Mesh Backhaul (CLI) 1434
Configuring Dynamic Frequency Selection (CLI) 1434
Configuring the Intrusion Detection System (CLI) 1435
Configuring Ethernet Bridging (GUI) 1435
Configuring Ethernet Bridging (CLI) 1436
Configuring Multicast Modes over Mesh 1437
Configuring RRM on Mesh Backhaul (CLI) 1438
Selecting a Preferred Parent (GUI) 1439
Selecting a Preferred Parent (CLI) 1439

Changing the Role of an AP (GUI) 1440
Changing the Role of an AP (CLI) 1441
Configuring the Mesh Leaf Node (CLI) 1441
Configuring the Mesh Leaf Node (GUI) 1441
Configuring Subset Channel Synchronization 1442
Provisioning LSC for Bridge-Mode and Mesh APs (GUI) 1442
Provisioning LSC for Bridge-Mode and Mesh APs 1443
Specifying the Backhaul Slot for the Root AP (GUI) 1444
Specifying the Backhaul Slot for the Root AP (CLI) 1444
Using a Link Test on Mesh Backhaul (GUI) 1445
Using a Link Test on Mesh Backhaul 1445
Configuring Battery State for Mesh AP (GUI) 1446
Configuring Battery State for Mesh AP 1446
Configuring Mesh Convergence (CLI) 1446
Configuring DHCP Server on Root Access Point (RAP) 1447
Configuring Mesh Ethernet Daisy Chaining (CLI) 1448
Enabling Mesh Ethernet Daisy Chaining 1448
Configuring Mesh CAC (CLI) 1449
Configuring ATF on Mesh (GUI) 1449
Configuring ATF on Mesh 1450
Create an ATF Policy for a MAP 1450
Creating an ATF Policy (GUI) 1451
Adding an ATF to a Policy Profile (GUI) 1451
Enabling ATF Mode in an RF Profile (GUI) 1451
Configuring Fast Teardown for a Mesh AP Profile (CLI) 1452
Flex Resilient with Flex and Bridge Mode Access Points 1453
Information About Flex Resilient with Flex and Bridge Mode Access Points 1453
Configuring a Flex Profile (GUI) 1453
Configuring a Flex Profile (CLI) 1454
Configuring a Site Tag (CLI) 1455
Configuring a Mesh Profile (CLI) 1456
Associating Wireless Mesh to an AP Profile (CLI) 1456
Attaching Site Tag to an Access Point (CLI) 1457
Configuring Switch Interface for APs (CLI) 1458

Verifying Flex Resilient with Flex and Bridge Mode Access Points Configuration 1458
Verifying ATF Configuration on Mesh 1459
Verifying Mesh Ethernet Daisy Chaining 1460
Verifying Mesh Convergence 1460
Verifying DHCP Server for Root AP Configuration 1461
Verifying Mesh Backhaul 1461
Verifying Mesh Configuration 1462

CHAPTER 151

Redundant Root Access Point (RAP) Ethernet Daisy Chaining 1471
Overview of Redundant RAP Ethernet Daisy Chaining 1471
Prerequisites for Redundant RAP Ethernet Daisy Chaining Support 1472
Configuring Redundant RAP Ethernet Daisy Chaining Support (CLI) 1472
Verifying Daisy Chain Redundancy (CLI) 1472

PART XIV CHAPTER 152

VideoStream 1475
VideoStream 1477
Information about Media Stream 1477
Prerequisites for Media Stream 1478
How to Configure Media Stream 1478
Configuring Multicast-Direct Globally for Media Stream (CLI) 1478
Configuring Media Stream for 802.11 Bands (CLI) 1479
Configuring a WLAN to Stream Video (GUI) 1481
Configuring a WLAN to Stream Video (CLI) 1481
Deleting a Media Stream (GUI) 1482
Deleting a Media Stream (CLI) 1482
Monitoring Media Streams 1483
Configuring the General Parameters for a Media Stream (GUI) 1483
Adding Media Stream (CLI) 1484
Enabling a Media Stream per WLAN (GUI) 1485
Enabling a Media Stream per WLAN (CLI) 1485
Configuring the General Parameters for a Media Stream (GUI) 1486
Configuring the General Parameters for a Media Stream (CLI) 1486
Configuring Multicast Direct Admission Control (GUI) 1487

Configuring Multicast Direct Admission Control (CLI) 1487
Create and Attach Policy-based QoS Profile 1489
Create a QoS Profile (GUI) 1489
Create a QoS Profile (CLI) 1490
Create a Service Template (GUI) 1491
Create a Service Template (CLI) 1491
Map the Service Template to the Policy Map (GUI) 1492
Map the Service Template to the Policy Map (CLI) 1492
Map the Policy Map (GUI) 1494
Map the Policy Map (CLI) 1494
Viewing Media Stream Information 1494

PART XV
Software-Defined Access Wireless 1497

CHAPTER 153
Software-Defined Access Wireless 1499
Information to Software-Defined Access Wireless 1499
Configuring SD-Access Wireless 1502
Configuring Default Map Server (GUI) 1502
Configuring Default Map Server (CLI) 1503
Configuring SD-Access Wireless Profile (GUI) 1503
Configuring SD-Access Wireless Profile (CLI) 1504
Configuring Map Server in Site Tag (GUI) 1504
Configuring Map Server in Site Tag (CLI) 1505
Configuring Map Server per L2-VNID (GUI) 1505
Configuring Map Server per L2-VNID (CLI) 1506
Verifying SD-Access Wireless 1506

CHAPTER 154
Passive Client 1507
Information About Passive Clients 1507
Enabling Passive Client on WLAN Policy Profile (GUI) 1507
Enabling Passive Client on WLAN Policy Profile (CLI) 1508
Enabling ARP Broadcast on VLAN (GUI) 1508
Enabling ARP Broadcast on VLAN (CLI) 1509
Configuring Passive Client in Fabric Deployment 1509

Contents


Enabling Broadcast Underlay on VLAN 1510
Enabling ARP Flooding 1511
Verifying Passive Client Configuration 1513

CHAPTER 155
Fabric in a Box with External Fabric Edge 1515
Introduction to Fabric in a Box with External Fabric Edge 1515
Configuring a Fabric Profile (CLI) 1515
Configuring a Policy Profile (CLI) 1516
Configuring a Site Tag (CLI) 1517
Configuring a WLAN (CLI) 1518
Configuring a Policy Tag (CLI) 1518
Configuring an AP Profile 1519
Configuring Map Server and AP Subnet (CLI) 1519
Configuring Fabric on FiaB Node 1520
Configuring a Fabric Edge Node 1526
Verifying Fabric Configuration 1533

PART XVI
VLAN 1539

CHAPTER 156
VLANs 1541
Information About VLANs 1541
Logical Networks 1541
Supported VLANs 1541
VLAN Port Membership Modes 1541
VLAN Configuration Files 1542
Normal-Range VLAN Configuration Guidelines 1543
Extended-Range VLAN Configuration Guidelines 1543
Prerequisites for VLANs 1543
Restrictions for VLANs 1544
How to Configure VLANs 1544
How to Configure Normal-Range VLANs 1544
Creating or Modifying an Ethernet VLAN 1545
Assigning Static-Access Ports to a VLAN (GUI) 1546
Assigning Static-Access Ports to a VLAN 1546


How to Configure Extended-Range VLANs 1547
Creating an Extended-Range VLAN (GUI) 1547
Creating an Extended-Range VLAN 1548
Monitoring VLANs 1548

CHAPTER 157
VLAN Groups 1549
Information About VLAN Groups 1549
Prerequisites for VLAN Groups 1550
Restrictions for VLAN Groups 1550
Creating a VLAN Group (GUI) 1550
Creating a VLAN Group (CLI) 1551
Adding a VLAN Group to Policy Profile (GUI) 1551
Adding a VLAN Group to a Policy Profile 1552
Viewing the VLANs in a VLAN Group 1552

PART XVII
WLAN 1553

CHAPTER 158
WLANs 1555
Information About WLANs 1555
Band Selection 1556
Off-Channel Scanning Deferral 1556
DTIM Period 1556
Prerequisites for Configuring Cisco Client Extensions 1557
Peer-to-Peer Blocking 1557
Diagnostic Channel 1557
Prerequisites for WLANs 1558
Restrictions for WLANs 1558
How to Configure WLANs 1559
Creating WLANs (GUI) 1559
Creating WLANs (CLI) 1560
Deleting WLANs (GUI) 1560
Deleting WLANs 1561
Searching WLANs (CLI) 1561
Enabling WLANs (GUI) 1562


Enabling WLANs (CLI) 1562
Disabling WLANs (GUI) 1562
Disabling WLANs (CLI) 1563
Configuring General WLAN Properties (CLI) 1563
Configuring Advanced WLAN Properties (CLI) 1564
Configuring Advanced WLAN Properties (GUI) 1566
Verifying WLAN Properties (CLI) 1568

CHAPTER 159
Remote LANs 1571
Information About Remote LANs 1571
Configuring Remote LANs (RLANs) 1573
Enabling or Disabling all RLANs 1573
Creating RLAN Profile (GUI) 1573
Creating RLAN Profile (CLI) 1573
Configuring RLAN Profile Parameters (GUI) 1574
Configuring RLAN Profile Parameters (CLI) 1575
Creating RLAN Policy Profile (GUI) 1576
Creating RLAN Policy Profile (CLI) 1576
Configuring RLAN Policy Profile Parameters (GUI) 1577
Configuring RLAN Policy Profile Parameters (CLI) 1578
Configuring Policy Tag and Mapping an RLAN Policy Profile to an RLAN Profile (CLI) 1580
Configuring LAN Port (CLI) 1581
Attaching Policy Tag to an Access Point (GUI) 1581
Attaching Policy Tag to an Access Point (CLI) 1582
Verifying RLAN Configuration 1582

CHAPTER 160
RLAN External Module 1587
Information About External Module 1587
Prerequisites for Configuring External Module 1587
Configuring External Module (GUI) 1587
Configuring External Module (CLI) 1588
Verifying External Module 1588

CHAPTER 161
Client Roaming Across Policy Profile 1589
Information about Client Roaming Policy Profile 1589
Configuring Client Roaming Across Policy Profile 1590
Verifying Client Roaming Across Policy Profiles 1591

CHAPTER 162
Network Access Server Identifier 1597
Information About Network Access Server Identifier 1597
Creating a NAS ID Policy (GUI) 1598
Creating a NAS ID Policy 1598
Attaching a Policy to a Tag (GUI) 1599
Attaching a Policy to a Tag (CLI) 1599
Verifying the NAS ID Configuration 1600

CHAPTER 163
DHCP for WLANs 1603
Information About Dynamic Host Configuration Protocol 1603
Internal DHCP Servers 1603
External DHCP Servers 1604
DHCP Assignments 1604
DHCP Option 82 1605
Restrictions for Configuring DHCP for WLANs 1606
Guidelines for DHCP Relay Configuration 1606
How to Configure DHCP for WLANs 1607
Configuring DHCP Scopes (GUI) 1607
Configuring DHCP Scopes (CLI) 1608
Configuring the Internal DHCP Server 1609
Configuring the Internal DHCP Server Under Client VLAN SVI (GUI) 1609
Configuring the Internal DHCP Server Under Client VLAN SVI (CLI) 1609
Configuring the Internal DHCP Server Under a Wireless Policy Profile (GUI) 1612
Configuring the Internal DHCP Server Under a Wireless Policy Profile 1612
Configuring the Internal DHCP Server Globally (GUI) 1615
Configuring the Internal DHCP Server Globally (CLI) 1615
Verifying Internal DHCP Configuration 1617
Configuring DHCP-Required for FlexConnect 1619
Information About FlexConnect DHCP-Required 1619
Restrictions and Limitations for FlexConnect DHCP-Required 1619


Configuring FlexConnect DHCP-Required (GUI) 1619
Configuring FlexConnect DHCP-Required (CLI) 1620
Verifying FlexConnect DHCP-Required 1620

CHAPTER 164
WLAN Security 1623
Information About WPA1 and WPA2 1623
Information About AAA Override 1624
Configuring AAA Override 1624
Information About VLAN Override 1625
Configuring Override VLAN for Central Switching 1625
Configuring Override VLAN for Local Switching 1626
VLAN Override on Layer 3 Web Authentication 1627
Verifying VLAN Override on Layer 3 Web Authentication 1627
Prerequisites for Layer 2 Security 1627
Restrictions for WPA2 and WPA3 1628
How to Configure WLAN Security 1628
Configuring Static WEP Layer 2 Security Parameters (GUI) 1628
Configuring Static WEP Layer 2 Security Parameters (CLI) 1629
Configuring WPA + WPA2 Layer 2 Security Parameters (GUI) 1630
Configuring WPA + WPA2 Layer 2 Security Parameters (CLI) 1631

CHAPTER 165
Workgroup Bridges 1635
Cisco Workgroup Bridges 1635
Configuring Workgroup Bridge on a WLAN 1637
Verifying the Status of a Workgroup Bridge on the Controller 1639
Configuring Access Points as Workgroup Bridge 1639
Turning Cisco Aironet 2700/3700/1572 Series AP into Autonomous Mode 1639
Configuring Cisco Wave 2 APs in Workgroup Bridge or CAPWAP AP Mode (CLI) 1640
Configure an SSID Profile for Cisco Wave 2 APs (CLI) 1640
Configuring a Dot1X Credential (CLI) 1642
Configuring an EAP Profile (CLI) 1642
Configuring Manual-Enrollment of a Trustpoint for Workgroup Bridge (CLI) 1643
Configuring Auto-Enrollment of a Trustpoint for Workgroup Bridge (CLI) 1645
Configuring Manual Certificate Enrollment Using TFTP Server (CLI) 1646


Importing the PKCS12 Format Certificates from the TFTP Server (CLI) 1648
Configuring Radio Interface for Workgroup Bridges (CLI) 1648
Configuring Workgroup Bridge Timeouts (CLI) 1651
Configuring Bridge Forwarding for Workgroup Bridge (CLI) 1652

CHAPTER 166
Peer-to-Peer Client Support 1653
Information About Peer-to-Peer Client Support 1653
Configure Peer-to-Peer Client Support 1653

CHAPTER 167
Wireless Guest Access 1655
Wireless Guest Access 1655
Foreign Map Overview 1658
Wireless Guest Access: Use Cases 1658
Load Balancing Among Multiple Guest Controllers 1659
Guidelines and Limitations for Wireless Guest Access 1659
Troubleshooting IPv6 1659
Configure Mobility Tunnel for Guest Access (GUI) 1660
Configure Mobility Tunnel for Guest Access (CLI) 1660
Configuring Guest Access Policy (GUI) 1660
Configuring Guest Access Policy (CLI) 1661
Viewing Guest Access Debug Information (CLI) 1663
Configure Guest Access Using Different Security Methods 1663
Open Authentication 1663
Configure a WLAN Profile for Guest Access with Open Authentication (GUI) 1663
Configure a WLAN Profile For Guest Access with Open Authentication (CLI) 1664
Configuring a Policy Profile 1665
Local Web Authentication 1665
Configure a Parameter Map (GUI) 1666
Configure a Parameter Map (CLI) 1666
Configure a WLAN Profile for Guest Access with Local Web Authentication (GUI) 1667
Configure a WLAN Profile for Guest Access with Local Web Authentication (CLI) 1667
Configure an AAA Server for Local Web Authentication (GUI) 1668
Configure an AAA Server for Local Web Authentication (CLI) 1668
Global Configuration 1668


Central Web Authentication 1669
Configure a WLAN Profile for Guest Access with Central Web Authentication (GUI) 1669
Configure a WLAN Profile for Guest Access with Central Web Authentication (CLI) 1670
AAA Server Configuration (GUI) 1671
AAA Server Configuration (CLI) 1671
Configuring 802.1x with Local Web Authentication 1672
Configuring Local Web Authentication with PSK Protocol 1673
Central Web Authentication with PSK Protocol 1674
Configure WLAN Profile for Central Web Authentication with PSK Protocol 1675
Central Web Authentication with iPSK Protocol 1675
Configure WLAN Profile for Central Web Authentication with iPSK Protocol 1676
Configure Web Authentication on MAC Address Bypass Failure (GUI) 1676
Configure Web Authentication on MAC Address Bypass Failure (CLI) 1676
Configure WLAN for Web Authentication on MAC Authentication Bypass Failure with Pre-Shared Key (CLI) 1678
Configure WLAN for Web Authentication on MAC Authentication Bypass Failure with OWE (CLI) 1680
Configure WLAN for Web Authentication on MAC Authentication Bypass Failure with Secure Agile Exchange (CLI) 1681

CHAPTER 168
Wired Guest Access 1685
Information About Wired Guest Access 1685
Restrictions for Wired Guest Access 1688
Configuring Access Switch for Wired Guest Client 1688
Configuring Access Switch for Foreign Controller 1689
Configuring Foreign Controller with Open Authentication (GUI) 1690
Configuring Foreign Controller with Open Authentication 1690
Configuring Foreign Controller with Local Web Authentication (GUI) 1692
Configuring Foreign Controller with Local Web Authentication 1693
Configuring Anchor Controller with Open Authentication (GUI) 1694
Configuring Anchor Controller with Open Authentication 1695
Configuring Anchor Controller with Local Web Authentication (GUI) 1696
Configuring Anchor Controller with Local Web Authentication 1697
Configuring Session Timeout for a Profile Policy 1698


Global Configuration (GUI) 1699
Verifying Wired Guest Configurations 1699
Wired Guest Access: Use Cases 1703

CHAPTER 169
802.11r BSS Fast Transition 1705
Information About 802.11r Fast Transition 1705
Restrictions for 802.11r Fast Transition 1706
Monitoring 802.11r Fast Transition (CLI) 1707
Configuring 802.11r BSS Fast Transition on a Dot1x Security Enabled WLAN (CLI) 1708
Configuring 802.11r Fast Transition in an Open WLAN (CLI) 1709
Configuring 802.11r Fast Transition on a PSK Security-Enabled WLAN (CLI) 1711
Disabling 802.11r Fast Transition (GUI) 1712
Disabling 802.11r Fast Transition (CLI) 1712

CHAPTER 170
BSS Coloring 1713
Information About BSS Coloring 1713
BSS Coloring 1714
OBSS-PD and Spatial Reuse 1714
Configuring BSS Color on AP (GUI) 1714
Configuring BSS Color in the Privileged EXEC Mode 1715
Configuring BSS Color Globally (GUI) 1715
Configuring BSS Color in the Configuration Mode 1716
Configuring Overlapping BSS Packet Detect (GUI) 1716
Configuring OBSS-PD Spatial Reuse Globally (CLI) 1717
Configuring OBSS PD in an RF Profile (GUI) 1717
Configuring OBSS-PD Spatial Reuse in the RF Profile Mode (CLI) 1718
Verifying BSS Color and OBSS-PD 1718

CHAPTER 171
Assisted Roaming 1721
802.11k Neighbor List and Assisted Roaming 1721
Restrictions for Assisted Roaming 1722
How to Configure Assisted Roaming 1722
Configuring Assisted Roaming (GUI) 1722
Configuring Assisted Roaming (CLI) 1723


Verifying Assisted Roaming 1724
Configuration Examples for Assisted Roaming 1724

CHAPTER 172
802.11v 1727
Information About 802.11v 1727
Enabling 802.11v Network Assisted Power Savings 1727
Prerequisites for Configuring 802.11v 1728
Restrictions for 802.11v 1728
Enabling 802.11v BSS Transition Management 1728
Configuring 802.11v BSS Transition Management (GUI) 1729
Configuring 802.11v BSS Transition Management (CLI) 1729

CHAPTER 173
802.11w 1731
Information About 802.11w 1731
Prerequisites for 802.11w 1734
Restrictions for 802.11w 1734
How to Configure 802.11w 1735
Configuring 802.11w (GUI) 1735
Configuring 802.11w (CLI) 1735
Disabling 802.11w 1736
Monitoring 802.11w 1737

CHAPTER 174
802.11ax Per Virtual Access Point 1739
Information About 802.11ax Mode Per Virtual Access Point 1739
Configuring 802.11ax Mode Per Virtual Access Point (GUI) 1739
Configuring 802.11ax Mode Per Virtual Access Point 1740
Verifying 802.11ax Mode Per Virtual Access Point 1740

CHAPTER 175
Management Frame Protection 1743
Information About Management Frame Protection 1743
Restrictions for Management Frame Protection 1744
Configuring Management Frame Protection (CLI) 1745
Verifying Management Frame Protection Settings 1745


CHAPTER 176
Deny Wireless Client Session Establishment Using Calendar Profiles 1747
Information About Denial of Wireless Client Session Establishment 1747
Configuring Daily Calendar Profile 1748
Configuring Weekly Calendar Profile 1749
Configuring Monthly Calendar Profile 1750
Mapping a Daily Calendar Profile to a Policy Profile 1751
Mapping a Weekly Calendar Profile to a Policy Profile 1752
Mapping a Monthly Calendar Profile to a Policy Profile 1753
Verifying Calendar Profile Configuration 1754
Verifying Policy Profile Configuration 1755

CHAPTER 177
Ethernet over GRE 1757
Introduction to EoGRE 1757
EoGRE Configuration Overview 1758
Create a Tunnel Gateway 1759
Configuring the Tunnel Gateway (GUI) 1760
Configuring a Tunnel Domain 1760
Configuring Tunnel Domain (GUI) 1761
Configuring EoGRE Global Parameters 1762
Configuring EoGRE Global Parameters (GUI) 1762
Configuring a Tunnel Profile 1763
Configuring the Tunnel Profile (GUI) 1764
Associating WLAN to a Wireless Policy Profile 1765
Attaching a Policy Tag and a Site Tag to an AP 1766
Verifying the EoGRE Tunnel Configuration 1766

CHAPTER 178
Link Aggregation Group 1775
Information About Link Aggregation Group 1775
Link Aggregation Control Protocol 1775
Configuring LAG Using LACP 1776
Port Aggregation Protocol 1776
Configuring LAG Using PAgP 1776
Information About Port Channel Interface Number 1776


Configuring LAG in ON Mode 1777
Multichassis Link Aggregation Group 1777
Prerequisites for Multi-LAG 1777
Restrictions for Multi-LAG 1778
Supported Topologies 1778
Configuring a Port Channel Interface (GUI) 1779
Create a Port-Channel Interface 1780
Configuring LAG in ON Mode 1780
Add an Interface to a Port Channel (LACP) 1781
Add an Interface to a Port Channel (PAgP) 1782
Add a VLAN to a Port Channel 1782
Remove a Port Channel Group from a Physical Interface 1783
Verify the LAG Configuration 1783

CHAPTER 179
Hotspot 2.0 1785
Introduction to Hotspot 2.0 1785
Open Roaming 1787
Configuring Hotspot 2.0 1789
Configuring an Access Network Query Protocol Server 1789
Configuring ANQP Global Server Settings (GUI) 1792
Configuring Open Roaming (CLI) 1792
Configuring Open Roaming (GUI) 1793
Configuring NAI Realms (GUI) 1793
Configuring Organizational Identifier Alias (GUI) 1794
Configuring WAN Metrics (GUI) 1795
Configuring WAN Metrics 1795
Configuring Beacon Parameters (GUI) 1796
Configuring Authentication and Venue (GUI) 1797
Configuring 3GPP/Operator (GUI) 1798
Configuring OSU Provider (GUI) 1798
Configuring an Online Sign-Up Provider 1799
Configuring Hotspot 2.0 WLAN 1800
Configuring an Online Subscription with Encryption WLAN 1801
Attaching an ANQP Server to a Policy Profile 1802


Configuring Interworking for Hotspot 2.0 1802
Configuring the Generic Advertisement Service Rate Limit 1803
Configuring Global Settings 1804
Configuring Advice of Charge 1804
Configuring Terms and Conditions 1805
Defining ACL and URL Filter in AP for FlexConnect 1806
Configuring an OSEN WLAN (Single SSID) 1808
Verifying Hotspot 2.0 Configuration 1809
Verifying Client Details 1810

CHAPTER 180
User Defined Network 1811
Information About User Defined Network 1811
Restrictions for User Defined Network 1813
Configuring a User Defined Network 1813
Configuring a User Defined Network (GUI) 1814
Verifying User Defined Network Configuration 1815

CHAPTER 181
Express Wi-Fi by Facebook 1819
Information About Express Wi-Fi by Facebook 1819
Restrictions for Express Wi-Fi by Facebook 1820
Enabling Express Wi-Fi by Facebook NAC for Policy Profile (GUI) 1820
Enabling Accounting RADIUS Server for Flex Profile (GUI) 1821
Configuring Captive Portal for Express Wi-Fi by Facebook (GUI) 1821
Configuring Captive Portal for Express Wi-Fi by Facebook (CLI) 1821
Configuring Express Wi-Fi by Facebook Policy on Controller (CLI) 1822
Configuring RADIUS Server for Accounting and Authentication in FlexConnect Profile (CLI) 1824
Verifying Express Wi-Fi by Facebook Configurations on Controller 1825
Verifying Express Wi-Fi by Facebook Configurations on the AP 1825

CHAPTER 182
Aironet Extensions IE (CCX IE) 1829
Information About Aironet Extensions Information Element 1829
Configuring Aironet Extensions IE (GUI) 1829
Configuring Aironet Extensions IE (CLI) 1829
Verifying the Addition of AP Name 1830


CHAPTER 183
BSSID Counters 1833
BSSID Counters 1833
Enabling BSSID Statistics and BSSID Neighbor Statistics 1833
Verifying BSSID Statistics on the Controller 1834

CHAPTER 184
Fastlane+ 1837
Information About Fastlane+ 1837
Configuring Fastlane+ on a WLAN (CLI) 1837
Configuring Fastlane+ on a WLAN (GUI) 1838
Monitoring Fastlane+ 1838
Verifying Fastlane+ 1839

PART XVIII
Cisco DNA Service for Bonjour 1841

CHAPTER 185
Cisco DNA Service for Bonjour Solution Overview 1843
About the Cisco DNA Service for Bonjour Solution 1843
Solution Components 1844
Supported Platforms 1845
Supported Network Design 1846
Traditional Wired and Wireless Networks 1846
Wired Networks 1847
Wireless Networks 1849
Cisco SD-Access Wired and Wireless Networks 1850
BGP EVPN Networks 1852

CHAPTER 186
Configuring Local Area Bonjour for Wireless Local Mode 1855
Overview of Local Area Bonjour for Wireless Local Mode 1855
Prerequisites for Local Area Bonjour for Wireless Local Mode 1855
Restrictions for Local Area Bonjour for Wireless Local Mode 1856
Understanding Local Area Bonjour for Wireless Local Mode 1856
Configuring Wireless AP Multicast 1857
Configuring Wireless AP Multicast (GUI) 1858
Configuring Wireless AP Multicast (CLI) 1858


Configuring Multicast in IP Network (CLI) 1859
Configuring Local Area Bonjour for Wireless Local Mode 1860
Configuring mDNS Service Policy (GUI) 1860
Configuring mDNS Service Policy (CLI) 1861
Configuring Custom Service Definition (GUI) 1863
Configuring Custom Service Definition (CLI) 1864
Configuring mDNS Gateway on WLAN (GUI) 1864
Configuring mDNS Gateway on WLAN (CLI) 1865
Configuring Service-Routing on Service-Peer 1865
Configuring Location-Based mDNS on Service-Peer (GUI) 1867
Configuring Location-Based mDNS on Service-Peer (CLI) 1869
Verifying mDNS Gateway Configuration 1871
Reference 1873

CHAPTER 187
Configuring Local Area Bonjour for Wireless FlexConnect Mode 1875
Overview of Local Area Bonjour for Wireless FlexConnect Mode 1875
Restrictions for Local Area Bonjour for Wireless FlexConnect Mode 1875
Prerequisites for Local Area Bonjour for Wireless FlexConnect Mode 1876
Understanding mDNS Gateway Alternatives for Wireless FlexConnect Mode 1876
Understanding Local Area Bonjour for Wireless FlexConnect Mode 1878
Configuring Local Area Bonjour for Wireless FlexConnect Mode 1880
Configuring mDNS Gateway Mode (CLI) 1880
Configuring mDNS Service Policy (CLI) 1881
Configuring mDNS Location-Filter (CLI) 1884
Configuring Custom Service Definition (CLI) 1887
Configuring Service-Routing on Service-Peer (CLI) 1888
Configuring Location-Based mDNS 1890
Configuring Service-Routing on SDG Agent (CLI) 1890
Verifying Local Area Bonjour in Service-Peer Mode 1892
Verifying Local Area Bonjour in SDG Agent Mode 1894
Reference 1896

CHAPTER 188
Configuration Example for Local Mode - Wireless and Wired 1897
Overview 1897
Configuring Wireless AP Multicast Mode 1898
Configuration Example for Customized Service List and Policy in Wide Area Bonjour Between Multilayer Wired and Wireless Endpoints 1899
Example: Wired and Wireless Access Layer Service Peer Configuration 1899
Example: Wired and Wireless Distribution Layer SDG Agent Configuration 1901
Cisco DNA Center Traditional Multilayer Wired and Wireless Configuration 1902
Configuring Service Filters for Traditional Multilayer Wired and Wireless - Local Mode (GUI) 1902
Configuring Source SDG Agents in Traditional Multilayer Wired and Wireless - Local Mode (GUI) 1903
Configuring Query SDG Agents in Traditional Multilayer Wired and Wireless - Local Mode (GUI) 1903
Verifying Wide Area Bonjour Between Multilayer Wired and Wireless Local Mode 1904
Verifying Wired Service-Peer Configuration 1904
Verifying Wired SDG Agent Configuration and Service-Routing Status 1906
Verifying Wireless Service-Peer Configuration and Service Status 1908
Verifying Wireless SDG Agent Configuration and Service-Routing Status 1909
Verifying Cisco DNA-Center Configuration and Service-Routing Status 1910
Reference 1911

CHAPTER 189
Configuration Example for FlexConnect Mode - Wireless and Wired 1913
Overview 1913
Configuration Example for Customized Service List and Policy in FlexConnect Mode - Wireless and Wired 1914
Example: Wired and Wireless Access Layer Service Peer Configuration 1914
Example: Wired and Wireless Distribution Layer SDG Agent Configuration 1916
Cisco DNA Center Traditional Multilayer Wired and Wireless Configuration 1917
Configuring Service Filters for Traditional Multilayer Wired and Wireless FlexConnect Local Switching Mode (GUI) 1917
Configuring Source SDG Agents in Traditional Multilayer Wired and Wireless FlexConnect Local Switching Mode (GUI) 1917
Configuring Query SDG Agents in Traditional Multilayer Wired and Wireless FlexConnect Local Switching Mode (GUI) 1918
Verifying Configuration Example for FlexConnect Mode - Wireless and Wired 1919
Verifying Wired Service-Peer Configuration 1919
Verifying Wired SDG Agent Configuration and Service-Routing Status 1920


Verifying Cisco DNA Center Configuration and Service Routing Status 1922
Reference 1923

PART XIX
Multicast Domain Name System 1925

CHAPTER 190
Multicast Domain Name System 1927
Introduction to mDNS Gateway 1928
Guidelines and Restrictions for Configuring mDNS AP 1928
Enabling mDNS Gateway (GUI) 1930
Enabling or Disabling mDNS Gateway (GUI) 1930
Enabling or Disabling mDNS Gateway (CLI) 1930
Creating Default Service Policy 1932
Creating Custom Service Definition (GUI) 1932
Creating Custom Service Definition 1932
Creating Service List (GUI) 1933
Creating Service List 1934
Creating Service Policy (GUI) 1935
Creating Service Policy 1935
Configuring a Local or Native Profile for an mDNS Policy 1937
Configuring an mDNS Flex Profile (GUI) 1937
Configuring an mDNS Flex Profile (CLI) 1938
Applying an mDNS Flex Profile to a Wireless Flex Connect Profile (GUI) 1939
Applying an mDNS Flex Profile to a Wireless Flex Connect Profile (CLI) 1939
Enabling the mDNS Gateway on the VLAN Interface 1939
Location-Based Service Filtering 1940
Prerequisite for Location-Based Service Filtering 1940
Configuring mDNS Location-Based Filtering Using SSID 1941
Configuring mDNS Location-Based Filtering Using AP Name 1941
Configuring mDNS Location-Based Filtering Using AP Location 1942
Configuring mDNS Location-Based Filtering Using Regular Expression 1942
Configuring mDNS AP 1943
Enabling mDNS Gateway on the RLAN Interface 1944
Enabling mDNS Gateway on Guest LAN Interface 1947
Associating mDNS Service Policy with Wireless Profile Policy (GUI) 1948


Associating mDNS Service Policy with Wireless Profile Policy 1948
Enabling or Disabling mDNS Gateway for WLAN (GUI) 1950
Enabling or Disabling mDNS Gateway for WLAN 1950
mDNS Gateway with Guest Anchor Support and mDNS Bridging 1951
Configuring mDNS Gateway on Guest Anchor 1952
Configuring mDNS Gateway on Guest Foreign (Guest LAN) 1952
Configuring mDNS Gateway on Guest Anchor 1953
Configuring mDNS Gateway on Guest Foreign (Guest WLAN) 1953
Verifying mDNS Gateway Configurations 1954


Preface

This preface describes the conventions used in this document and explains how to obtain other documentation. It also provides information on what is new in Cisco product documentation.

· Document Conventions, on page lxxxiii
· Related Documentation, on page lxxxv
· Communications, Services, and Additional Information, on page lxxxv

Document Conventions

This document uses the following conventions:

Convention          Description
^ or Ctrl           Both the ^ symbol and Ctrl represent the Control (Ctrl) key on a keyboard. For example, the key combination ^D or Ctrl-D means that you hold down the Control key while you press the D key. (Keys are indicated in capital letters but are not case sensitive.)
bold font           Commands and keywords and user-entered text appear in bold font.
Italic font         Document titles, new or emphasized terms, and arguments for which you supply values are in italic font.
Courier font        Terminal sessions and information the system displays appear in courier font.
Bold Courier font   Bold Courier font indicates text that the user must enter.
[x]                 Elements in square brackets are optional.
...                 An ellipsis (three consecutive nonbolded periods without spaces) after a syntax element indicates that the element can be repeated.
|                   A vertical line, called a pipe, indicates a choice within a set of keywords or arguments.
[x | y]             Optional alternative keywords are grouped in brackets and separated by vertical bars.
{x | y}             Required alternative keywords are grouped in braces and separated by vertical bars.
[x {y | z}]         Nested sets of square brackets or braces indicate optional or required choices within optional or required elements. Braces and a vertical bar within square brackets indicate a required choice within an optional element.
string              A nonquoted set of characters. Do not use quotation marks around the string, or the string will include the quotation marks.
<>                  Nonprinting characters such as passwords are in angle brackets.
[]                  Default responses to system prompts are in square brackets.
!, #                An exclamation point (!) or a pound sign (#) at the beginning of a line of code indicates a comment line.

Reader Alert Conventions

This document may use the following conventions for reader alerts:

Note Means reader take note. Notes contain helpful suggestions or references to material not covered in the manual.

Tip Means the following information will help you solve a problem.

Caution Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.

Timesaver Means the described action saves time. You can save time by performing the action described in the paragraph.
Warning IMPORTANT SAFETY INSTRUCTIONS Before you work on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents. Read the installation instructions before using, installing, or connecting the system to the power source. Use the statement number provided at the end of each warning statement to locate its translation in the translated safety warnings for this device. Statement 1071 SAVE THESE INSTRUCTIONS


Related Documentation
Note Before installing or upgrading the device, refer to the release notes at https://www.cisco.com/c/en/us/support/wireless/catalyst-9800-series-wireless-controllers/products-release-notes-list.html.
· Cisco Catalyst 9800-40 Wireless Controller documentation, located at: http://www.cisco.com/go/c9800
· Cisco Catalyst 9800-80 Wireless Controller documentation, located at: http://www.cisco.com/go/c9800
· Cisco Catalyst 9800-L Wireless Controller documentation, located at: http://www.cisco.com/go/c9800
Communications, Services, and Additional Information

· To receive timely, relevant information from Cisco, sign up at Cisco Profile Manager.
· To get the business impact you're looking for with the technologies that matter, visit Cisco Services.
· To submit a service request, visit Cisco Support.
· To discover and browse secure, validated enterprise-class apps, products, solutions, and services, visit Cisco DevNet.
· To obtain general networking, training, and certification titles, visit Cisco Press.
· To find warranty information for a specific product or product family, access Cisco Warranty Finder.
Cisco Bug Search Tool
Cisco Bug Search Tool (BST) is a gateway to the Cisco bug-tracking system, which maintains a comprehensive list of defects and vulnerabilities in Cisco products and software. The BST provides you with detailed defect information about your products and software.
Documentation Feedback
To provide feedback about Cisco technical documentation, use the feedback form available in the right pane of every online document.


Chapter 1
Overview of Cisco 9800 Series Wireless Controllers
Cisco Catalyst 9800 Series Wireless Controllers are the next generation of wireless controllers built for intent-based networking. The Cisco Catalyst 9800 Series Controllers are IOS XE based and integrate the RF excellence from Aironet with the intent-based networking capabilities of IOS XE to create the best-in-class wireless experience for your evolving and growing organization. The controllers are deployable in physical and virtual (private and public cloud) form factors and can be managed using Cisco DNA Center, Netconf/YANG, Cisco Prime Infrastructure, the web-based GUI, or the CLI. The Cisco Catalyst 9800 Series Wireless Controllers are available in multiple form factors to cater to your deployment options:
· Cisco Catalyst 9800 Series Wireless Controller Appliance
· Cisco Catalyst 9800 Series Wireless Controller for Cloud
· Cisco Catalyst 9800 Embedded Wireless for Switch
The configuration data model is based on the design principles of reusability, simplified provisioning, enhanced flexibility, and modularization to help manage networks as they scale up and to simplify the management of dynamically changing business and IT requirements.
· Elements of the New Configuration Model, on page 1
· Configuration Workflow, on page 2
· Initial Setup, on page 3
· Interactive Help, on page 4
Elements of the New Configuration Model
The following diagram depicts the elements of the new configuration model.
Tags
The property of a tag is defined by the properties of the policies associated with it, which in turn are inherited by an associated client or AP. There are various types of tags, each of which is associated with different profiles. Every tag has a default that is created when the system boots up.
Profiles
Profiles represent a set of attributes that are applied to the clients associated with the APs, or to the APs themselves. Profiles are reusable entities that can be used across tags.
Configuration Workflow
The following set of steps defines the logical order of configuration. Apart from the WLAN profile, all the profiles and tags have a default object associated with them.
1. Create the following profiles:
· WLAN
· Policy
· AP Join
· Flex
· RF
2. Create the following tags:
· Policy
· Site
· RF
3. Associate tags to an AP.
Figure 1: Configuration Workflow

Initial Setup
Setting up the Controller
The initial configuration wizard in Cisco Catalyst 9800 Series Wireless Controller is a simplified, out-of-the-box installation and configuration interface for the controller. This section provides instructions to set up a controller to operate in a small, medium, or large wireless network environment, where access points can join and, together, provide various services as a simple solution, such as corporate employee or guest wireless access on the network.
Setting Up the Controller Using GUI
To set up the controller using the GUI, see the Configuring Wireless Controller section in the Cisco Catalyst 9800 Wireless Controller Series Web UI Deployment Guide.
Note If you make configuration changes in the Command Line Interface (CLI) and in the GUI simultaneously, you must click the Refresh button in the GUI to sync both sets of changes. You should always click the Refresh button in the GUI to update the changes made through the CLI.
Note The banner text is fetched from the controller when you land on the login page. You will be able to see this request on the RADIUS server.
Setting Up the Controller Using CLI
To set up the controller using the CLI, see the Performing the Initial Configuration on the Controller section of the respective controller installation guide:
· Cisco Catalyst 9800-80 Wireless Controller Hardware Installation Guide
· Cisco Catalyst 9800-40 Wireless Controller Hardware Installation Guide
· Cisco Catalyst 9800-L Wireless Controller Hardware Installation Guide
· Cisco Catalyst 9800-CL Cloud Wireless Controller Installation Guide
Interactive Help
The Cisco Catalyst 9800 Series Wireless Controller GUI features an interactive help that walks you through the GUI and guides you through complex configurations. You can start the interactive help in the following ways:
· By hovering your cursor over the blue flap at the right-hand corner of a window in the GUI and clicking Interactive Help.
· By clicking Walk-me Thru in the left pane of a window in the GUI.
· By clicking Show me How displayed in the GUI. Clicking Show me How triggers a specific interactive help that is relevant to the context you are in. For instance, Show me How in Configure > AAA walks you through the various steps for configuring a RADIUS server. Choose Configuration > Wireless Setup > Advanced and click Show me How to trigger the interactive help that walks you through the steps relating to various kinds of authentication.
The following features have an associated interactive help:

· Configuring AAA
· Configuring FlexConnect Authentication
· Configuring 802.1x Authentication
· Configuring Local Web Authentication
· Configuring OpenRoaming
· Configuring Mesh APs
Note If the WalkMe launcher is unavailable on Safari, modify the settings as follows:
1. Choose Preferences > Privacy.
2. In the Website tracking section, uncheck the Prevent cross-site tracking check box to disable this action.
3. In the Cookies and website data section, uncheck the Block all cookies check box to disable this action.

Part I
System Configuration
· New Configuration Model, on page 9
· Wireless Management Interface, on page 39
· BIOS Protection, on page 47
· Management over Wireless, on page 49
· Smart Licensing Using Policy, on page 51
· Boot Integrity Visibility, on page 163
· Best Practices, on page 167

Chapter 2
New Configuration Model
· Information About New Configuration Model, on page 9
· Configuring a Wireless Profile Policy (GUI), on page 12
· Configuring a Wireless Profile Policy (CLI), on page 12
· Configuring a Flex Profile (GUI), on page 13
· Configuring a Flex Profile, on page 14
· Configuring an AP Profile (GUI), on page 15
· Configuring an AP Profile (CLI), on page 19
· Configuring User for AP Management (CLI), on page 21
· Setting a Private Configuration Key for Password Encryption, on page 21
· Configuring an RF Profile (GUI), on page 22
· Configuring an RF Profile (CLI), on page 22
· Configuring a Site Tag (GUI), on page 23
· Configuring a Site Tag (CLI), on page 24
· Configuring Policy Tag (GUI), on page 25
· Configuring a Policy Tag (CLI), on page 25
· Configuring Wireless RF Tag (GUI), on page 26
· Configuring Wireless RF Tag (CLI), on page 27
· Attaching a Policy Tag and Site Tag to an AP (GUI), on page 28
· Attaching Policy Tag and Site Tag to an AP (CLI), on page 28
· AP Filter, on page 29
· Configuring Access Point for Location Configuration, on page 33
Information About New Configuration Model
The configuration of Cisco Catalyst 9800 Series Wireless Controllers is simplified using different tags, namely rf-tag, policy-tag, and site-tag. The access points would derive their configuration from the profiles that are contained within the tags. Profiles are a collection of feature-specific attributes and parameters applied to tags. The rf-tag contains the radio profiles, the site-tag contains flex-profile and ap-join-profile, and the policy-tag contains the WLAN profile and policy profile. The FlexConnect configuration helps the central controller to manage sites that are geo-distributed, for example, retail, campus, and so on.
Policy Tag
The policy tag constitutes mapping of the WLAN profile to the policy profile. The WLAN profile defines the wireless characteristics of the WLAN. The policy profile defines the network policies and the switching policies for the client (Quality of Service [QoS] is an exception which constitutes AP policies as well).
The policy tag contains the map of WLAN profiles to policy profiles. There are 16 such entries per policy tag. Changes to the map entries take effect based on the status of the WLAN profile and the policy profile. For example, if a map (WLAN1 and Policy1) is added to the policy tag, and both the WLAN profile and the policy profile are enabled, the definitions are pushed to the APs using the policy tag. However, if one of them is in the disabled state, the definition is not pushed to the AP. Similarly, if a WLAN profile is already being broadcast by an AP, it can be deleted using the no form of the command in the policy tag.
Site Tag
The site tag defines the properties of a site and contains the flex profile and the AP join profile. The attributes that are specific to the corresponding flex or remote site are part of the flex profile. Apart from the flex profile, the site tag also comprises attributes that are specific to the physical site (and hence cannot be a part of the profile that is a reusable entity). For example, the list of primary APs for efficient upgrade is a part of a site tag rather than that of a flex profile.
If a flex profile name or an AP profile name is changed in the site tag, the AP is forced to rejoin the controller by disconnecting the Datagram Transport Layer Security (DTLS) session. When a site tag is created, the AP and flex profiles are set to default values (default-ap-profile and default-flex-profile).
RF Tag
The RF tag contains the 2.4 GHz and 5 GHz RF profiles. The default RF tag contains the global configuration. Both these profiles contain the same default values for global RF profiles for the respective radios.
Profiles
Profiles are a collection of feature-specific attributes and parameters applied to tags. Profiles are reusable entities that can be used across tags. Profiles (used by tags) define the properties of the APs or its associated clients.
WLAN Profile
WLAN profiles are configured with the same or different service set identifiers (SSIDs). An SSID identifies the specific wireless network for the controller to access. Creating WLANs with the same SSID allows you to assign different Layer 2 security policies within the same wireless LAN.
To distinguish WLANs having the same SSID, create a unique profile name for each WLAN. WLANs with the same SSID must have unique Layer 2 security policies so that clients can select a WLAN based on the information advertised in the beacon and probe responses. The switching and network policies are not part of the WLAN definition.
Policy Profile
Policy profile broadly consists of network and switching policies. Policy profile is a reusable entity across tags. Anything that is a policy for a client that is applied on an AP or controller is moved to the policy profile, for example, VLAN, ACL, QoS, session timeout, idle timeout, AVC profile, bonjour profile, local profiling, device classification, BSSID QoS, and so on. However, all the wireless-related security attributes and features on the WLAN are grouped under the WLAN profile.

Flex Profile
A flex profile contains policy attributes and remote site-specific parameters, for example, the EAP profiles that can be used when the AP acts as an authentication server for local RADIUS server information, VLAN-ACL mapping, VLAN name-to-ID mapping, and so on.
AP Join Profile
The default AP join profile values will have the global AP parameters and the AP group parameters. The AP join profile contains attributes that are specific to the AP, such as CAPWAP, IPv4 and IPv6, UDP Lite, High Availability, retransmit config parameters, global AP failover, Hyperlocation config parameters, Telnet and SSH, 11u parameters, and so on.
Note Telnet is not supported for the following Cisco AP models: 1542D, 1542I, 1562D, 1562E, 1562I, 1562PS, 1800S, 1800T, 1810T, 1810W,1815M, 1815STAR, 1815TSN, 1815T, 1815T, 1815W, 1832I, 1840I, 1852E, 1852I, 2802E, 2802I, 2802H, 3700C, 3800, 3802E, 3802I, 3802P, 4800, IW6300, ESW6300, 9105AXI, 9105AXW, 9115AXI, 9115AXE, 9117I, APVIRTUAL, 9120AXI, 9120AXE, 9124AXI, 9124AXD, 9130AXI, and 9130AXE.
RF Profile
An RF profile contains the common radio configuration for the APs. RF profiles are applied to all the APs that belong to an AP group, where all the APs in that group have the same profile settings.
Association of APs
APs can be associated in different ways. The default option is by Ethernet MAC address, where the MAC is associated with a policy tag, site tag, and RF tag. In filter-based association, APs are mapped using regular expressions. A regular expression (regex) is a pattern to match against an input string. Any number of APs matching that regex will have the policy tag, site tag, and RF tag that were created as part of the AP filter mapped to them. In AP-based association, tag names are configured at the PnP server; the AP stores them and sends the tag names as part of the discovery process. In location-based association, tags are mapped per location and are pushed to any AP Ethernet MAC address mapped to that location.
Modifying AP Tags
Modifying an AP tag results in a DTLS connection reset, forcing the AP to rejoin the controller. If only one tag is specified in the configuration, default tags are used for the other types; for example, if only the policy tag is specified, default-site-tag and default-rf-tag are used for the site tag and RF tag.
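The tag model described in this chapter (Configuration Workflow, Policy Tag, Association of APs and Modifying AP Tags), as an added Python example that is not part of the Cisco guide: it models how a policy tag's WLAN-to-policy map is capped at 16 entries and pushed only for pairs whose WLAN profile and policy profile are both enabled, how an AP's tags fall back to the default tags for any type left unspecified, and which tag change forces the DTLS reset and rejoin. All profile, tag and AP names and MAC addresses are constructed, and the precedence of a static MAC assignment over a filter match is an assumption the guide does not state.

```python
import re
from dataclasses import dataclass, field

# Constructed model of the tag/profile scheme this chapter describes; not Cisco code.
MAX_POLICY_TAG_ENTRIES = 16  # the guide allows 16 WLAN-to-policy map entries per policy tag
DEFAULT_TAGS = {"policy": "default-policy-tag", "site": "default-site-tag", "rf": "default-rf-tag"}

def valid_profile_name(name: str, allow_spaces: bool = True) -> bool:
    """GUI name rule: ASCII 32-126, no leading/trailing spaces; policy profile names
    (allow_spaces=False) must not contain spaces at all."""
    if not name or name != name.strip(" ") or not all(32 <= ord(ch) <= 126 for ch in name):
        return False
    return allow_spaces or " " not in name

@dataclass
class WlanProfile:
    name: str
    ssid: str
    enabled: bool = True

@dataclass
class PolicyProfile:
    name: str
    vlan: str
    enabled: bool = True

@dataclass
class PolicyTag:
    name: str
    entries: dict = field(default_factory=dict)  # WLAN profile name -> policy profile name

    def add_map(self, wlan: str, policy: str) -> None:
        if wlan not in self.entries and len(self.entries) >= MAX_POLICY_TAG_ENTRIES:
            raise ValueError(f"policy tag {self.name}: all {MAX_POLICY_TAG_ENTRIES} map entries used")
        self.entries[wlan] = policy

@dataclass
class ApFilter:
    regex: str  # matched against the AP name, as in filter-based association
    tags: dict  # {"policy": ..., "site": ..., "rf": ...} created with the filter

class TagResolver:
    def __init__(self) -> None:
        self.wlans, self.policies, self.filters = {}, {}, []
        self.policy_tags = {DEFAULT_TAGS["policy"]: PolicyTag(DEFAULT_TAGS["policy"])}
        self.static_ap_tags = {}  # AP Ethernet MAC -> partial {"policy"/"site"/"rf": tag name}

    def resolve_tags(self, ap_mac: str, ap_name: str) -> dict:
        # Assumption: a static MAC-based assignment wins over a filter match; the guide
        # lists both association methods but does not spell out their precedence.
        chosen = self.static_ap_tags.get(ap_mac.lower())
        if chosen is None:
            chosen = next((f.tags for f in self.filters if re.search(f.regex, ap_name)), {})
        # Any tag type left unspecified falls back to its default tag (Modifying AP Tags).
        return {kind: chosen.get(kind, default) for kind, default in DEFAULT_TAGS.items()}

    def assign_ap_tags(self, ap_mac: str, ap_name: str, **tags: str) -> bool:
        """Statically assign tags to an AP; True means the effective tags changed, which is
        when the controller resets the DTLS session and the AP rejoins."""
        before = self.resolve_tags(ap_mac, ap_name)
        self.static_ap_tags[ap_mac.lower()] = dict(tags)
        return self.resolve_tags(ap_mac, ap_name) != before

    def wlans_pushed(self, policy_tag_name: str) -> list:
        """An entry reaches the AP only when both its WLAN profile and its policy profile
        are enabled; a disabled profile on either side withholds the definition."""
        pushed = []
        for wlan_name, policy_name in self.policy_tags[policy_tag_name].entries.items():
            wlan, policy = self.wlans.get(wlan_name), self.policies.get(policy_name)
            if wlan and policy and wlan.enabled and policy.enabled:
                pushed.append((wlan.ssid, policy.vlan))
        return pushed

def demo() -> dict:
    """Constructed sample: a corporate WLAN with an enabled policy, a guest WLAN whose
    policy is disabled, one AP matched by a name filter and one assigned statically."""
    c = TagResolver()
    c.wlans["corp-wlan"] = WlanProfile("corp-wlan", "corp")
    c.wlans["guest-wlan"] = WlanProfile("guest-wlan", "guest")
    c.policies["corp-policy"] = PolicyProfile("corp-policy", "24")
    c.policies["guest-policy"] = PolicyProfile("guest-policy", "99", enabled=False)
    tag = PolicyTag("hq-policy-tag")
    tag.add_map("corp-wlan", "corp-policy")
    tag.add_map("guest-wlan", "guest-policy")
    c.policy_tags[tag.name] = tag
    c.filters.append(ApFilter(r"^HQ-", {"policy": "hq-policy-tag", "site": "hq-site-tag", "rf": "hq-rf-tag"}))
    rejoin = c.assign_ap_tags("00:11:22:33:44:55", "BR-ap1", policy="hq-policy-tag")
    return {
        "hq": c.resolve_tags("aa:bb:cc:dd:ee:ff", "HQ-ap7"),
        "branch": c.resolve_tags("00:11:22:33:44:55", "BR-ap1"),
        "rejoin": rejoin,
        "pushed": c.wlans_pushed("hq-policy-tag"),
    }
```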

Configuring a Wireless Profile Policy (GUI)
Procedure
Step 1 Choose Configuration > Tags & Profiles > Policy.
Step 2 On the Policy Profile page, click Add.
Step 3 In the Add Policy Profile window, in the General tab, enter a name and description for the policy profile. The name can be ASCII characters from 32 to 126, without leading and trailing spaces. Do not use spaces, as it causes system instability.
Step 4 To enable the policy profile, set Status as Enabled.
Step 5 Use the slider to enable or disable Passive Client and Encrypted Traffic Analytics.
Step 6 In the CTS Policy section, choose the appropriate status for the following:
· Inline Tagging--a transport mechanism using which a controller or access point understands the source SGT.
· SGACL Enforcement
Step 7 Specify a default SGT. The valid range is from 2 to 65519.
Step 8 In the WLAN Switching Policy section, choose the following, as required:
· Central Switching: Tunnels both the wireless user traffic and all control traffic via CAPWAP to the centralized controller, where the user traffic is mapped to a dynamic interface/VLAN on the controller. This is the normal CAPWAP mode of operation.
· Central Authentication: Tunnels client data to the controller, as the controller handles client authentication.
· Central DHCP: The DHCP packets received from the AP are centrally switched to the controller and then forwarded to the corresponding VLAN based on the AP and the SSID.
· Central Association Enable: When central association is enabled, all switching is done on the controller.
· Flex NAT/PAT: Enables Network Address Translation (NAT) and Port Address Translation (PAT) mode.
Step 9 Click Save & Apply to Device.

Configuring a Wireless Profile Policy (CLI)
Follow the procedure given below to configure a wireless profile policy:
Note When a client moves from an old controller to a new controller (managed by Cisco Prime Infrastructure), the old IP address of the client is retained if the IP address is learned by ARP or data gleaning. To avoid this scenario, ensure that you enable the ipv4 dhcp required command in the policy profile. Otherwise, the IP address gets refreshed only after a period of 24 hours.

Procedure
Step 1 configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.
Step 2 wireless profile policy profile-policy
Example: Device(config)# wireless profile policy rr-xyz-policy-1
Purpose: Configures a WLAN policy profile and enters wireless policy configuration mode.
Step 3 idle-timeout timeout
Example: Device(config-wireless-policy)# idle-timeout 1000
Purpose: (Optional) Configures the duration of the idle timeout, in seconds.
Step 4 vlan vlan-id
Example: Device(config-wireless-policy)# vlan 24
Purpose: Configures the VLAN name or VLAN ID.
Step 5 accounting-list list-name
Example: Device(config-wireless-policy)# accounting-list user1-list
Purpose: Sets the accounting list for IEEE 802.1x.
Step 6 no shutdown
Example: Device(config-wireless-policy)# no shutdown
Purpose: Saves the configuration and exits configuration mode and returns to privileged EXEC mode.
Step 7 show wireless profile policy summary
Example: Device# show wireless profile policy summary
Purpose: Displays the configured policy profiles.
Note (Optional) To view detailed information about a policy profile, use the show wireless profile policy detailed policy-profile-name command.

Configuring a Flex Profile (GUI)
Procedure
Step 1 Choose Configuration > Tags & Profiles > Flex.
Step 2 Click Add.
Step 3 Enter the Name of the Flex Profile. The name can be ASCII characters from 32 to 126, without leading and trailing spaces.
Step 4 In the Description field, enter a description for the Flex Profile.
Step 5 Click Apply to Device.

Configuring a Flex Profile
Follow the procedure given below to set a flex profile:

Procedure
Step 1 configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.
Step 2 wireless profile flex flex-profile
Example: Device(config)# wireless profile flex rr-xyz-flex-profile
Purpose: Configures a Flex profile and enters Flex profile configuration mode.
Step 3 description
Example: Device(config-wireless-flex-profile)# description xyz-default-flex-profile
Purpose: (Optional) Enables default parameters for the flex profile.
Step 4 arp-caching
Example: Device(config-wireless-flex-profile)# arp-caching
Purpose: (Optional) Enables ARP caching.
Step 5 end
Example: Device(config-wireless-flex-profile)# end
Purpose: Saves the configuration and exits configuration mode and returns to privileged EXEC mode.
Step 6 show wireless profile flex summary
Example: Device# show wireless profile flex summary
Purpose: (Optional) Displays the flex-profile parameters.
Note To view detailed parameters about the flex profile, use the show wireless profile flex detailed flex-profile-name command.

Configuring an AP Profile (GUI)
Before you begin
The default AP join profile values will have the global AP parameters and the AP group parameters. The AP join profile contains attributes that are specific to the AP, such as CAPWAP, IPv4/IPv6, UDP Lite, High Availability, retransmit configuration parameters, global AP failover, Hyperlocation configuration parameters, Telnet/SSH, 11u parameters, and so on.
Procedure
Step 1 Choose Configuration > Tags & Profiles > AP Join.
Step 2 On the AP Join Profile page, click Add.
The Add AP Join Profile page is displayed.
Note DHCP fallback is enabled by default. So, if an AP is assigned a static IP address and is unable to reach the controller, the AP falls back to DHCP. To stop an AP from moving from the static IP to DHCP, you must disable the DHCP fallback configuration in the AP join profile.
Step 3 In the General tab, enter a name and description for the AP join profile. The name can be ASCII characters from 32 to 126, without leading and trailing spaces.
Step 4 Check the LED State check box to set the LED state of all APs connected to the device to blink so that the APs are easily located.
Step 5 In the Client tab, Statistics Timer section, enter the time in seconds at which the AP sends its 802.11 statistics to the controller.
Step 6 In the TCP MSS Configuration section, check the Adjust MSS Enable check box to enter a value for Adjust MSS. You can enter or update the maximum segment size (MSS) for transient packets that traverse a router. TCP MSS adjustment enables the configuration of the MSS for transient packets that traverse a router, specifically TCP segments with the SYN bit set.
In a CAPWAP environment, a lightweight access point discovers a device by using CAPWAP discovery mechanisms, and then sends a CAPWAP join request to the device. The device sends a CAPWAP join response to the access point that allows the access point to join the device.
When the access point joins the device, the device manages its configuration, firmware, control transactions, and data transactions.
Step 7 In the CAPWAP tab, you can configure the following:
· High Availability
You can configure primary and secondary backup controllers for all access points (which are used if the primary, secondary, or tertiary controllers are not responsive) in this order: primary, secondary, tertiary, primary backup, and secondary backup. In addition, you can configure various timers, including heartbeat timers and discovery request timers. To reduce the controller failure detection time, you can configure the fast heartbeat interval (between the controller and the access point) with a smaller timeout value. When the fast heartbeat timer expires (at every heartbeat interval), the access point determines whether any data packets have been received from the controller within the last interval. If no packets have been received, the access point sends a fast echo request to the controller.

a) In the High Availability tab, enter the time (in seconds) in the Fast Heartbeat Timeout field to configure the heartbeat timer for all access points. Specifying a small heartbeat interval reduces the amount of time it takes to detect device failure.
Note Configure Fast Heartbeat Timeout to assist the AP in sending primary discovery requests periodically to the configured backup controllers along with the primary, secondary, and tertiary-base controllers.
b) In the Heartbeat Timeout field, enter the time (in seconds) to configure the heartbeat timer for all access points. Specifying a small heartbeat interval reduces the amount of time it takes to detect device failure.
c) In the Discovery Timeout field, enter a value between 1 and 10 seconds (inclusive) to configure the AP discovery request timer.
d) In the Primary Discovery Timeout field, enter a value between 30 and 3000 seconds (inclusive) to configure the access point primary discovery request timer.
e) In the Primed Join Timeout field, enter a value between 120 and 43200 seconds (inclusive) to configure the access point primed join timeout.
f) In the Retransmit Timers Count field, enter the number of times that you want the AP to retransmit the request to the device and vice versa. The valid range is between 3 and 8.
g) In the Retransmit Timers Interval field, enter the time duration between retransmissions of requests. The valid range is between 2 and 5.
h) Check the Enable Fallback check box to enable fallback.
i) Enter the Primary Controller name and IP address.
j) Enter the Secondary Controller name and IP address.
k) Click Save & Apply to Device.
Note The primary and secondary settings in the AP join profile are not used for AP fallback. This means that the AP will not actively probe for those controllers (which are a part of the AP join profile) when it has joined one of them.
This setting is used only when the AP loses its connection with the controller, and then prioritizes which other controller it should join. These controllers have a priority of 4 and 5, following the APs in the High Availability tab of the AP page.
The APs that are added as the primary, secondary, and tertiary APs in the High Availability tab of the AP configuration page are actively probed and are used for the AP fallback option.
· Advanced
a) In the Advanced tab, check the Enable VLAN Tagging check box to enable VLAN tagging.
b) Check the Enable Data Encryption check box to enable Datagram Transport Layer Security (DTLS) data encryption.
c) Check the Enable Jumbo MTU check box to enable a big maximum transmission unit (MTU). MTU is the largest physical packet size, measured in bytes, that a network can transmit. Any messages larger than the MTU are divided into smaller packets before transmission. Jumbo frames are frames that are bigger than the standard Ethernet frame size, which is 1518 bytes (including the Layer 2 (L2) header and FCS). The definition of frame size is vendor-dependent, as these are not part of the IEEE standard.
d) Use the Link Latency drop-down list to select the link latency. Link latency monitors the round-trip time of the CAPWAP heartbeat packets (echo request and response) from the AP to the controller and back.
e) From the Preferred Mode drop-down list, choose the mode.
f) Click Save & Apply to Device.

Step 8 In the AP tab, you can configure the following:
· General
a) In the General tab, check the Switch Flag check box to enable switches.
b) Check the Power Injector State check box if a power injector is being used. A power injector increases the wireless LAN deployment flexibility of APs by providing an alternative powering option to local power, inline power-capable multiport switches, and multiport power patch panels.
The Power Injector Selection parameter enables you to protect your switch port from an accidental overload if the power injector is inadvertently bypassed.
c) From the Power Injector Type drop-down list, choose the power injector type from the following options:
· Installed--This option examines and remembers the MAC address of the currently connected switch port and assumes that a power injector is connected. Choose this option if your network contains older Cisco 6-Watt switches and you want to avoid possible overloads by forcing a double-check of any relocated access points.
If you want to configure the switch MAC address, enter the MAC address in the Injector Switch MAC Address text box. If you want the access point to find the switch MAC address, leave the Injector Switch MAC Address text box blank.
Note Each time an access point is relocated, the MAC address of the new switch port fails to match the remembered MAC address, and the access point remains in low-power mode. You must then physically verify the existence of a power injector and reselect this option to cause the new MAC address to be remembered.
· Override--This option allows the access point to operate in high-power mode without first verifying a matching MAC address. You can use this option if your network does not contain any older Cisco 6-W switches that could be overloaded if connected directly to a 12-W access point. The advantage of this option is that if you relocate the access point, it continues to operate in high-power mode without any further configuration. The disadvantage of this option is that if the access point is connected directly to a 6-W switch, an overload occurs.
d) In the Injector Switch MAC field, enter the MAC address of the switch.
e) From the EAP Type drop-down list, choose the EAP type as EAP-FAST, EAP-TLS, or EAP-PEAP.
f) From the AP Authorization Type drop-down list, choose the type as either CAPWAP DTLS + or CAPWAP DTLS.
g) In the Client Statistics Reporting Interval section, enter the interval for the 5 GHz and 2.4 GHz radios in seconds.
h) Check the Enable check box to enable the extended module.
i) From the Profile Name drop-down list, choose a profile name for mesh.
j) Click Save & Apply to Device.
· Hyperlocation: Cisco Hyperlocation is a location solution that allows you to track the location of wireless clients with an accuracy of one meter. Selecting this option disables all other fields in the screen, except NTP Server.
a) In the Hyperlocation tab, check the Enable Hyperlocation check box.
b) Enter the Detection Threshold value to filter out packets with low RSSI. The valid range is -100 dBm to -50 dBm.

Step 9

c) Enter the Trigger Threshold value to set the number of scan cycles before sending a BAR to clients. The valid range is 0 to 99.
d) Enter the Reset Threshold value to reset value in scan cycles after trigger. The valid range is 0 to 99. e) Enter the NTP Server IP address. f) Click Save & Apply to Device.
· BLE: If your APs are Bluetooth Low Energy (BLE) enabled, they can transmit beacon messages that are packets of data or attributes transmitted over a low energy link. These BLE beacons are frequently used for health monitoring, proximity detection, asset tracking, and in-store navigation. For each AP, you can customize BLE Beacon settings configured globally for all APs.
a) In the BLE tab, enter a value in the Beacon Interval field to indicate how often you want your APs to send out beacon advertisements to nearby devices. The range is from 1 to 10, with a default of 1.
b) In the Advertised Attenuation Level field, enter the attenuation level. The range is from 40 to 100, with a default of 59.
c) Click Save & Apply to Device.
· Packet Capture: Packet Capture feature allows to capture the packets on the AP for the wireless client troubleshooting. The packet capture operation is performed on the AP by the radio drivers on the current channel on which it is operational, based on the specified packet capture filter.
a) In the Packet Capture tab, choose an AP Packet Capture Profile from the drop-down list. b) You can also create a new profile by clicking the + sign. c) Enter a name and description for the AP packet capture profile. d) Enter the Buffer Size. e) Enter the Duration. f) Enter the Truncate Length information. g) In the Server IP field, enter the IP address of the TFTP server. h) In the File Path field, enter the directory path. i) Enter the username and password details. j) From the Password Type drop-down list, choose the type. k) In the Packet Classifiers section, use the option to select or enter the packets to be captured. l) Click Save. m) Click Save & Apply to Device.
In the Management tab, you can configure the following:
· Device
a) In the Device tab, TFTP Downgrade section, enter the IPv4/IPv6 address of the TFTP server.
b) In the Image File Name field, enter the name of the software image file.
c) From the Facility Value drop-down list, choose the appropriate facility.
d) Enter the IPv4 or IPv6 address of the host.
e) Choose the appropriate Log Trap Value.
f) Enable Telnet and/or SSH configuration, if required.
g) Enable core dump, if required.
h) Click Save & Apply to Device.
· User
a) In the User tab, enter username and password details.

Cisco Catalyst 9800 Series Wireless Controller Software Configuration Guide, Cisco IOS XE Bengaluru 17.5.x 18

b) Choose the appropriate password type.
c) In the Secret field, enter a custom secret code.
d) Choose the appropriate secret type.
e) Choose the appropriate encryption type.
f) Click Save & Apply to Device.
· Credentials
a) In the Credentials tab, enter local username and password details.
b) Choose the appropriate local password type.
c) Enter 802.1x username and password details.
d) Choose the appropriate 802.1x password type.
e) Enter the time in seconds after which the session should expire.
f) Enable local credentials and/or 802.1x credentials as required.
g) Click Save & Apply to Device.
· CDP Interface
a) In the CDP Interface tab, enable the CDP state, if required.
b) Click Save & Apply to Device.
In the Rogue AP tab, check the Rogue Detection check box to enable rogue detection.
In the Rogue Detection Minimum RSSI field, enter the RSSI value. This field specifies the minimum RSSI value for which a rogue AP is reported. Rogue APs with an RSSI lower than the configured value are not reported to the controller.
In the Rogue Detection Transient Interval field, enter the transient interval value. This field indicates how long a rogue AP must be seen before it is reported to the controller.
In the Rogue Detection Report Interval field, enter the report interval value. This field indicates the frequency (in seconds) of rogue reports sent from the AP to the controller.
Check the Rogue Containment Automatic Rate Selection check box to enable rogue containment automatic rate selection. Here, the AP selects the best rate for the target rogue, based on its RSSI.
Check the Auto Containment on FlexConnect Standalone check box to enable the feature. Here, the AP continues containment if it moves to FlexConnect standalone mode.
Click Save & Apply to Device.

Configuring an AP Profile (CLI)
Follow the procedure given below to configure an AP profile:

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: ap profile ap-profile
Example:
Device(config)# ap profile xyz-ap-profile
Purpose: Configures an AP profile and enters AP profile configuration mode.
Note: In an AP profile, EAP-FAST is the default EAP type.
Note: When you delete a named profile, the APs associated with that profile will not revert to the default profile.

Step 3
Command or Action: description ap-profile-name
Example:
Device(config-ap-profile)# description "xyz ap profile"
Purpose: Adds a description for the AP profile.

Step 4
Command or Action: ip dhcp fallback
Example:
Device(config-ap-profile)# ip dhcp fallback
Purpose: Configures DHCP fallback.
Note: DHCP fallback is enabled by default. So, if an AP is assigned a static IP address and is unable to reach the controller, the AP falls back to DHCP. To stop an AP from moving from the static IP to DHCP, you must disable the DHCP fallback configuration in an AP join profile.

Step 5
Command or Action: cdp
Example:
Device(config-ap-profile)# cdp
Purpose: Enables CDP for all Cisco APs.

Step 6
Command or Action: end
Example:
Device(config-ap-profile)# end
Purpose: Saves the configuration, exits configuration mode, and returns to privileged EXEC mode.

Step 7
Command or Action: show ap profile name profile-name detailed
Example:
Device# show ap profile name xyz-ap-profile detailed
Purpose: (Optional) Displays detailed information about an AP join profile.

Configuring User for AP Management (CLI)
Follow the procedure given below to configure a user for the AP management:

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: ap profile ap-profile
Example:
Device(config)# ap profile default-ap-profile
Purpose: Configures an AP profile and enters AP profile configuration mode.

Step 3
Command or Action: mgmtuser username <username> password {0 | 8} <password>
Example:
Device(config-ap-profile)# mgmtuser username myusername password 0 12345678
Purpose: Specifies the AP management username and password for managing all of the access points configured to the controller.
· 0: Specifies an UNENCRYPTED password.
· 8: Specifies an AES encrypted password.
Note: While configuring a username, ensure that special characters are not used, as they result in a bad configuration error.

Step 4
Command or Action: end
Example:
Device(config-ap-profile)# end
Purpose: Returns to privileged EXEC mode.

Setting a Private Configuration Key for Password Encryption
Follow the procedure given below to set a private configuration key for password encryption:

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: key config-key password-encrypt config-key
Example:
Device(config)# key config-key password-encrypt 12345678
Purpose: Sets the password encryption key. Here, config-key refers to any key value with a minimum of 8 characters.
Note: The config-key value must not begin with the following special characters: !, #, and ;

Step 3
Command or Action: password encryption aes
Example:
Device(config)# password encryption aes
Purpose: Enables the encrypted preshared key.

Step 4
Command or Action: end
Example:
Device(config)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.
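The two procedures above leave the practitioner with two things to verify: that a chosen config-key satisfies the rules the guide states (at least 8 characters, not beginning with !, # or ;), and that no AP management user was left with a type-0 password, which the guide describes as unencrypted. The following Python script is an added example, not part of this guide and not Cisco code; it applies those checks to a constructed sample configuration and assumes the usual running-config layout in which mgmtuser lines are indented under their ap profile block.

```python
"""Added example (not from the guide, not Cisco code): check a proposed
config-key and audit AP management credentials in a saved configuration."""
import re
from typing import Dict, List

FORBIDDEN_LEADING = ("!", "#", ";")   # from the guide: config-key must not begin with these


def validate_config_key(key: str) -> List[str]:
    """Return the rule violations for a proposed config-key (empty list = acceptable)."""
    problems = []
    if len(key) < 8:
        problems.append("config-key must be at least 8 characters")
    if key and key[0] in FORBIDDEN_LEADING:
        problems.append("config-key must not begin with !, # or ;")
    return problems


def audit_mgmtuser(config_text: str) -> Dict:
    """Report mgmtuser lines found under 'ap profile' blocks.

    password_type 0 means the password was entered unencrypted; type 8 is AES
    encrypted (both meanings as stated in the guide). The result also records
    whether 'password encryption aes' and a config-key are present, since type-0
    passwords stay readable in the configuration without them.
    """
    aes_enabled = re.search(r"^password encryption aes\s*$", config_text, re.M) is not None
    key_set = re.search(r"^key config-key password-encrypt\b", config_text, re.M) is not None
    findings = []
    profile = None
    for line in config_text.splitlines():
        top_level = not line.startswith(" ")
        m = re.match(r"ap profile (\S+)", line)
        if top_level and m:
            profile = m.group(1)          # remember which profile later lines belong to
            continue
        m = re.match(r"\s*mgmtuser username (\S+) password (\d+) (\S+)", line)
        if m:
            user, ptype, _secret = m.groups()
            findings.append({
                "profile": profile,
                "user": user,
                "password_type": int(ptype),
                "plaintext": ptype == "0",
                # the guide warns that special characters in the username cause a
                # bad-configuration error; this is a conservative character set
                "username_special_chars": re.search(r"[^A-Za-z0-9_.-]", user) is not None,
            })
    return {"aes_enabled": aes_enabled, "config_key_set": key_set, "findings": findings}


# Constructed sample configuration (not a real device's output)
SAMPLE_CONFIG = """\
key config-key password-encrypt Sample-Key-2021
password encryption aes
ap profile default-ap-profile
 mgmtuser username myusername password 0 12345678
ap profile xyz-ap-profile
 description "xyz ap profile"
 mgmtuser username ops.user password 8 CONSTRUCTED-ENCRYPTED-BLOB
"""

if __name__ == "__main__":
    for candidate in ("12345678", "short", "!abcdefgh"):
        print(candidate, "->", validate_config_key(candidate) or ["ok"])
    report = audit_mgmtuser(SAMPLE_CONFIG)
    for f in report["findings"]:
        print(f["profile"], f["user"], "plaintext" if f["plaintext"] else "encrypted")
```

Run it against a saved copy of the running configuration; any finding with plaintext set, or a report where aes_enabled or config_key_set is false, points at credentials that are stored readable on the controller.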

Configuring an RF Profile (GUI)
Procedure

Step 1 Choose Configuration > Tags & Profiles > RF.
Step 2 On the RF Profile page, click Add.
Step 3 In the General tab, enter a name for the RF profile. The name can be ASCII characters from 32 to 126, without leading and trailing spaces.
Step 4 Choose the appropriate Radio Band.
Step 5 To enable the profile, set the status as Enable.
Step 6 Enter a Description for the RF profile.
Step 7 Click Save & Apply to Device.

Configuring an RF Profile (CLI)
Follow the procedure given below to configure an RF profile:

Before you begin
Ensure that you use the same RF profile name that you create here when configuring the wireless RF tag too. If there is a mismatch in the RF profile name (for example, if the RF tag contains an RF profile that does not exist), the corresponding radios will not come up.


Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: ap dot11 24ghz rf-profile rf-profile
Example:
Device(config)# ap dot11 24ghz rf-profile rfprof24_1
Purpose: Configures an RF profile and enters RF profile configuration mode.
Note: Use the 24ghz command to configure the 802.11b parameters. Use the 5ghz command to configure the 802.11a parameters.

Step 3
Command or Action: default
Example:
Device(config-rf-profile)# default
Purpose: (Optional) Enables default parameters for the RF profile.

Step 4
Command or Action: no shutdown
Example:
Device(config-rf-profile)# no shutdown
Purpose: Enables the RF profile on the device.

Step 5
Command or Action: end
Example:
Device(config-rf-profile)# end
Purpose: Exits configuration mode and returns to privileged EXEC mode.

Step 6
Command or Action: show ap rf-profile summary
Example:
Device# show ap rf-profile summary
Purpose: (Optional) Displays the summary of the available RF profiles.

Step 7
Command or Action: show ap rf-profile name rf-profile detail
Example:
Device# show ap rf-profile name rfprof24_1 detail
Purpose: (Optional) Displays detailed information about a particular RF profile.

Configuring a Site Tag (GUI)
Procedure

Step 1 Choose Configuration > Tags & Profiles > Tags.
Step 2 On the Manage Tags page, click the Site tab.
Step 3 Click Add to view the Add Site Tag window.
Step 4 Enter a name and description for the site tag. The name can be ASCII characters from 32 to 126, without leading and trailing spaces.
Step 5 Choose the required AP Join Profile to be attached to the site tag.
Step 6 Choose the required Control Plane Name.
Step 7 If required, enable the Local Site. Disabling Local Site means that the site is remote and the deployment is in FlexConnect mode.
Step 8 Click Save & Apply to Device.

Configuring a Site Tag (CLI)
Follow the procedure given below to configure a site tag:

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wireless tag site site-name
Example:
Device(config)# wireless tag site rr-xyz-site
Purpose: Configures a site tag and enters site tag configuration mode.

Step 3
Command or Action: flex-profile flex-profile-name
Example:
Device(config-site-tag)# flex-profile rr-xyz-flex-profile
Purpose: Configures a flex profile.
Note: You cannot remove the flex profile configuration from a site tag if local site is configured on the site tag.
Note: The no local-site command needs to be used to configure the site tag as FlexConnect; otherwise, the flex profile configuration does not take effect.

Step 4
Command or Action: description site-tag-name
Example:
Device(config-site-tag)# description "default site tag"
Purpose: Adds a description for the site tag.

Step 5
Command or Action: end
Example:
Device(config-site-tag)# end
Purpose: Saves the configuration, exits configuration mode, and returns to privileged EXEC mode.

Step 6
Command or Action: show wireless tag site summary
Example:
Device# show wireless tag site summary
Purpose: (Optional) Displays the number of site tags.
Note: To view detailed information about a site, use the show wireless tag site detailed site-tag-name command.
Note: The output of the show wireless loadbalance tag affinity wncd wncd-instance-number command displays the default tag (site-tag) type if neither a site tag nor a policy tag is configured.

Configuring Policy Tag (GUI)
Procedure

Step 1 Choose Configuration > Tags & Profiles > Tags > Policy.
Step 2 Click Add to view the Add Policy Tag window.
Step 3 Enter a name and description for the policy tag. The name can be ASCII characters from 32 to 126, without leading and trailing spaces.
Step 4 Click Add to map WLAN and policy.
Step 5 Choose the WLAN profile to map with the appropriate policy profile, and click the tick icon.
Step 6 Click Save & Apply to Device.

Configuring a Policy Tag (CLI)
Follow the procedure given below to configure a policy tag:

Procedure

Step 1
Command or Action: enable
Example:
Device> enable
Purpose: Enables privileged EXEC mode.
· Enter your password if prompted.

Step 2
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 3
Command or Action: wireless tag policy policy-tag-name
Example:
Device(config)# wireless tag policy default-policy-tag
Purpose: Configures a policy tag and enters policy tag configuration mode.
Note: When performing LWA, the clients connected to a controller get disconnected intermittently before session timeout.

Step 4
Command or Action: description description
Example:
Device(config-policy-tag)# description "default-policy-tag"
Purpose: Adds a description to a policy tag.

Step 5
Command or Action: remote-lan name policy profile-policy-name {ext-module | port-id}
Example:
Device(config-policy-tag)# remote-lan rr-xyz-rlan-aa policy rr-xyz-rlan-policy1 port-id 2
Purpose: Maps a remote-LAN profile to a policy profile.

Step 6
Command or Action: wlan wlan-name policy profile-policy-name
Example:
Device(config-policy-tag)# wlan rr-xyz-wlan-aa policy rr-xyz-policy-1
Purpose: Maps a policy profile to a WLAN profile.

Step 7
Command or Action: end
Example:
Device(config-policy-tag)# end
Purpose: Exits policy tag configuration mode, and returns to privileged EXEC mode.

Step 8
Command or Action: show wireless tag policy summary
Example:
Device# show wireless tag policy summary
Purpose: (Optional) Displays the configured policy tags.
Note: To view detailed information about a policy tag, use the show wireless tag policy detailed policy-tag-name command.

Configuring Wireless RF Tag (GUI)
Procedure

Step 1 Choose Configuration > Tags & Profiles > Tags > RF.
Step 2 Click Add to view the Add RF Tag window.
Step 3 Enter a name and description for the RF tag. The name can be ASCII characters from 32 to 126, without leading and trailing spaces.
Step 4 Choose the required 5 GHz Band RF Profile and 2.4 GHz Band RF Profile to be associated with the RF tag.
Step 5 Click Update & Apply to Device.

Configuring Wireless RF Tag (CLI)
Follow the procedure given below to configure a wireless RF tag:
Before you begin
· You can use only two profiles (2.4-GHz and 5-GHz band RF profiles) in an RF tag.
· Ensure that you use the same AP tag name that you created when configuring the AP tag task too.

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wireless tag rf rf-tag
Example:
Device(config)# wireless tag rf rftag1
Purpose: Creates an RF tag and enters wireless RF tag configuration mode.

Step 3
Command or Action: 24ghz-rf-policy rf-policy
Example:
Device(config-wireless-rf-tag)# 24ghz-rf-policy rfprof24_1
Purpose: Attaches an IEEE 802.11b RF policy to the RF tag. To configure a dot11a policy, use the 5ghz-rf-policy command.

Step 4
Command or Action: description policy-description
Example:
Device(config-wireless-rf-tag)# description Test
Purpose: Adds a description for the RF tag.

Step 5
Command or Action: end
Example:
Device(config-wireless-rf-tag)# end
Purpose: Exits configuration mode and returns to privileged EXEC mode.

Step 6
Command or Action: show wireless tag rf summary
Example:
Device# show wireless tag rf summary
Purpose: Displays the available RF tags.

Step 7
Command or Action: show wireless tag rf detailed rf-tag
Example:
Device# show wireless tag rf detailed rftag1
Purpose: Displays detailed information of a particular RF tag.

Attaching a Policy Tag and Site Tag to an AP (GUI)
Procedure

Step 1 Choose Configuration > Wireless > Access Points. The All Access Points section displays details of all the APs on your network.
Step 2 To edit the configuration details of an AP, select the row for that AP. The Edit AP window is displayed.
Step 3 In the General tab and Tags section, specify the appropriate policy, site, and RF tags that you created on the Configuration > Tags & Profiles > Tags page.
Step 4 Click Update & Apply to Device.

Attaching Policy Tag and Site Tag to an AP (CLI)
Follow the procedure given below to attach a policy tag and a site tag to an AP:

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: ap mac-address
Example:
Device(config)# ap F866.F267.7DFB
Purpose: Configures a Cisco AP and enters AP profile configuration mode.
Note: The mac-address should be a wired MAC address.

Step 3
Command or Action: policy-tag policy-tag-name
Example:
Device(config-ap-tag)# policy-tag rr-xyz-policy-tag
Purpose: Maps a policy tag to the AP.

Step 4
Command or Action: site-tag site-tag-name
Example:
Device(config-ap-tag)# site-tag rr-xyz-site
Purpose: Maps a site tag to the AP.

Step 5
Command or Action: rf-tag rf-tag-name
Example:
Device(config-ap-tag)# rf-tag rf-tag1
Purpose: Associates the RF tag.

Step 6
Command or Action: end
Example:
Device(config-ap-tag)# end
Purpose: Saves the configuration, exits configuration mode, and returns to privileged EXEC mode.

Step 7
Command or Action: show ap tag summary
Example:
Device# show ap tag summary
Purpose: (Optional) Displays AP details and the tags associated to it.

Step 8
Command or Action: show ap name <ap-name> tag info
Example:
Device# show ap name ap-name tag info
Purpose: (Optional) Displays the AP name with tag information.

Step 9
Command or Action: show ap name <ap-name> tag detail
Example:
Device# show ap name ap-name tag detail
Purpose: (Optional) Displays the AP name with tag details.

AP Filter
Introduction to AP Filter
The introduction of tags in the new configuration model in the Cisco Catalyst 9800 Series Wireless Controller has created multiple sources for tags to be associated with access points (APs). Tag sources can be static configuration, the AP filter engine, per-AP PnP, or default tag sources. In addition to this, the precedence of the tags also plays an important role. The AP filter feature addresses these challenges in a seamless and intuitive manner. AP filters are similar to the access control lists (ACLs) used in the controller and are applied at the global level. You can add AP names as filters, and other attributes can be added as required. Add the filter criteria as part of the discovery requests. The AP filter feature organizes tag sources with the right priority, based on the configuration. You cannot disable the AP filter feature. However, the relative priority of a tag source can be configured using the ap filter-priority priority filter-name command.
Note: You can configure tag names at the PnP server (similar to the Flex group and AP group), and the AP stores and sends the tag name as part of discovery and join requests.


Set Tag Priority (GUI)
Procedure

Step 1 Choose Configuration > Tags & Profiles > Tags > AP > Tag Source.
Step 2 Drag and drop the Tag Sources to change priorities.

Set Tag Priority
Multiple tag sources might result in ambiguity for network administrators. To address this, you can define priority for tags. When an AP joins the controller, the tags are picked based on priority. If precedence is not set, the defaults are used.
Use the following procedure to set tag priority:

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: ap tag-source-priority source-priority source {filter | pnp}
Example:
Device(config)# ap tag-source-priority 2 source pnp
Purpose: Configures AP tag source priority.
Note: It is not mandatory to configure an AP filter. It comes with default priorities for Static, Filter, and PnP.

Step 3
Command or Action: end
Example:
Device(config)# end
Purpose: Exits configuration mode and returns to privileged EXEC mode.

Step 4
Command or Action: ap tag-sources revalidate
Example:
Device# ap tag-sources revalidate
Purpose: Revalidates AP tag sources. The priorities become active only after this command is run.
Note: If you change the priorities for Filter and PnP, and want to evaluate them, run the revalidate command.


Create an AP Filter (GUI)
Procedure

Step 1 Choose Configuration > Tags & Profiles > Tags > AP > Filter.
Step 2 Click Add.
Step 3 In the Associate Tags to AP dialog box that is displayed, enter the Rule Name, the AP name regex, and the Priority. Optionally, you can also choose the policy tag from the Policy Tag Name drop-down list, the site tag from the Site Tag Name drop-down list, and the RF tag from the RF Tag Name drop-down list.
Step 4 Click Apply to Device.

Create an AP Filter (CLI)

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: ap filter name filter_name
Example:
Device(config)# ap filter name filter-1
Purpose: Configures an AP filter.

Step 3
Command or Action: ap name-regex regular-expression
Example:
Device(config-ap-filter)# ap name-regex testany
Purpose: Configures the AP filter based on a regular expression. For example, if you have named an AP ap-lab-12, then you can configure the filter with a regular expression, such as ap-lab-\d+, to match the AP name.

Step 4
Command or Action: tag policy policy-tag
Example:
Device(config-ap-filter)# tag policy pol-tag1
Purpose: Configures a policy tag for this filter.

Step 5
Command or Action: tag rf rf-tag
Example:
Device(config-ap-filter)# tag rf rf-tag1
Purpose: Configures an RF tag for this filter.

Step 6
Command or Action: tag site site-tag
Example:
Device(config-ap-filter)# tag site site1
Purpose: Configures a site tag for this filter.

Step 7
Command or Action: end
Example:
Device(config-ap-filter)# end
Purpose: Exits configuration mode and returns to privileged EXEC mode.

Set Up and Update Filter Priority (GUI)
Procedure

Step 1 Choose Configuration > Tags & Profiles > Tags > AP > Filter.
Step 2
a) To set up a new AP filter, click Add. In the Associate Tags to AP dialog box that is displayed, enter the Rule Name, the AP name regex, and the Priority. Optionally, you can also select the Policy Tag Name, the Site Tag Name, and the RF Tag Name. Click Apply to Device.
b) To update the priority of an existing AP filter, click the filter and, in the Edit Tags dialog box, change the Priority. If the filter is Inactive, no priority can be set for it. Click Update and Apply to Device.

Set Up and Update Filter Priority
Follow the procedure given below to set and update filter priority:

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: ap filter priority priority filter-name filter-name
Example:
Device(config)# ap filter priority 10 filter-name test1
Purpose: Configures the AP filter priority. Valid values range from 0 to 1023; 0 is the highest priority.
Note: A filter without a priority is not active. Similarly, you cannot set a filter priority without a filter.

Step 3
Command or Action: end
Example:
Device(config)# end
Purpose: Exits configuration mode and returns to privileged EXEC mode.
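To make the filter and priority rules of the two preceding procedures concrete, here is an added Python model, not Cisco code and not from this guide, of how an AP name is matched against the configured filters: a filter is active only when it has a priority in the range 0 to 1023, the lowest number wins, and the name regex is applied as a search, which is what the ap-lab-\d+ example above implies. The filter set reuses the names from this guide's verification output plus one constructed lab filter; the model assumes that tags a winning filter leaves unset fall back to the default tags, a simplification of the multi-source precedence described in the AP Filter introduction.

```python
"""Added example (not from the guide, not Cisco code): model AP filter matching
and priority resolution as the guide describes them."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_PRIORITY = 1023   # valid range per the guide is 0 to 1023; 0 is the highest priority

DEFAULT_TAGS = {"policy": "default-policy-tag", "rf": "default-rf-tag", "site": "default-site-tag"}


@dataclass
class ApFilter:
    name: str
    name_regex: str                     # value of 'ap name-regex'
    priority: Optional[int] = None      # None: no 'ap filter priority' set, so inactive
    policy_tag: Optional[str] = None
    rf_tag: Optional[str] = None
    site_tag: Optional[str] = None

    def is_active(self) -> bool:
        return self.priority is not None and 0 <= self.priority <= MAX_PRIORITY

    def matches(self, ap_name: str) -> bool:
        # assumption: the regex is searched within the name rather than anchored,
        # which is what the guide's ap-lab-\d+ example suggests
        return re.search(self.name_regex, ap_name) is not None


def active_filters(filters: List[ApFilter]) -> List[ApFilter]:
    """Active filters ordered best priority first (lowest number)."""
    return sorted((f for f in filters if f.is_active()), key=lambda f: f.priority)


def resolve_tags(ap_name: str, filters: List[ApFilter]) -> Tuple[Dict[str, str], str]:
    """Return (tags, source) for an AP name.

    source is the name of the winning filter, or "Default" when no active
    filter matches. Tags the winning filter leaves unset fall back to the
    default tags (an assumption that simplifies the multi-source precedence).
    """
    for f in active_filters(filters):
        if f.matches(ap_name):
            tags = {
                "policy": f.policy_tag or DEFAULT_TAGS["policy"],
                "rf": f.rf_tag or DEFAULT_TAGS["rf"],
                "site": f.site_tag or DEFAULT_TAGS["site"],
            }
            return tags, f.name
    return dict(DEFAULT_TAGS), "Default"


# Filters from the guide's 'show ap filter all' output, plus one constructed
# lab filter using the guide's ap-lab-\d+ regex with priority 5.
SAMPLE_FILTERS = [
    ApFilter("first", "abcd", None, "pol-tag1", "rf-tag1", "site-tag1"),   # no priority: inactive
    ApFilter("test1", "testany", 10, site_tag="site1"),
    ApFilter("filter1", "testany", None),                                  # inactive
    ApFilter("lab", r"ap-lab-\d+", 5, policy_tag="lab-policy-tag"),        # constructed
]

if __name__ == "__main__":
    for name in ("abcd", "testany-01", "ap-lab-12", "AP0081.C4F4.1F34"):
        print(name, "->", resolve_tags(name, SAMPLE_FILTERS))
```

The point to take from the model is the one the Note above makes: the filter named first carries a full tag set but has no priority, so an AP named abcd still ends up on the default tags. A filter that is configured but never given a priority is silent, which is easy to miss when reviewing only the filter definitions.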

Verify AP Filter Configuration
The following show commands are used to display tag sources and filters, and their priorities.


To view the tag source priorities, use the following command:
Device# show ap tag sources

Priority  Tag source
--------------------------------
0         Static
1         Filter
2         AP
3         Default

To view the available filters, use the following command:
Device# show ap filter all

Filter Name  regex    Policy Tag  RF Tag   Site Tag
-------------------------------------------------------------------------------------------------
first        abcd     pol-tag1    rf-tag1  site-tag1
test1        testany                       site1
filter1      testany

To view the list of active filters, use the following command:
Device# show ap filters active

Priority  Filter Name  regex    Policy Tag  RF Tag  Site Tag
--------------------------------------------------------------------------------------------------------------------
10        test1        testany                      site1

To view the source of an AP tag, use the following command:
Device# show ap tag summary

Number of APs: 4

AP Name           AP Mac          Site Tag Name     Policy Tag Name     RF Tag Name     Misconfigured  Tag Source
---------------------------------------------------------------------------------------------------------------------
AP002A.1034.CA78  002a.1034.ca78  named-site-tag    named-policy-tag    named-rf-tag    No             Filter
AP00A2.891C.2480  00a2.891c.2480  named-site-tag    named-policy-tag    named-rf-tag    No             Filter
AP58AC.78DE.9946  58ac.78de.9946  default-site-tag  default-policy-tag  default-rf-tag  No             AP
AP0081.C4F4.1F34  0081.c4f4.1f34  default-site-tag  default-policy-tag  default-rf-tag  No             Default

Configuring Access Point for Location Configuration

Information About Location Configuration
During location configuration, you can perform the following:
· Configure a site or location for an AP.
· Configure a set of tags for this location.
· Add APs to this location.
Any location comprises the following components:
· A set of unique tags, one for each kind, namely: Policy, RF, and Site.
· A set of Ethernet MAC addresses to which the tags apply.
This feature works in conjunction with the existing tag resolution scheme. The location is considered a new tag source to the existing system, similar to the static tag source.
Prerequisite for Location Configuration
If you configure an access point in one location, you cannot configure the same access point in another location.
Configuring a Location for an Access Point (GUI)
Before you begin

Note When you create local and remote sites in the Basic Setup workflow, corresponding policies and tags are created in the backend. These tags and policies that are created in the Basic Setup cannot be modified using the Advanced workflow, and vice versa.
Procedure

Step 1 Choose Configuration > Wireless Setup > Basic.
Step 2 On the Basic Wireless Setup page, click Add.
Step 3 In the General tab, enter a name and description for the location.
Step 4 Set the Location Type as either Local or Flex.
Step 5 Use the slider to set Client Density as Low, Typical, or High.
Step 6 Click Apply.

Configuring a Location for an Access Point (CLI)

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: ap location name location_name
Example:
Device(config)# ap location name location1
Purpose: Configures a location for an access point. Run the no form of this command to remove the location for an access point.

Step 3
Command or Action: tag {policy policy_name | rf rf_name | site site_name}
Example:
Device(config-ap-location)# tag policy policy_tag
Device(config-ap-location)# tag rf rf_tag
Device(config-ap-location)# tag site site_tag
Purpose: Configures tags for the location.

Step 4
Command or Action: location description
Example:
Device(config-ap-location)# location description
Purpose: Adds a description to the location.

Step 5
Command or Action: end
Example:
Device(config-ap-location)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Adding an Access Point to the Location (GUI)

Note When the tag source is not set to location, the AP count and AP location tagging will not be correctly reflected on the web UI. To change static tag source on the AP, run the no ap ap-mac command on the controller to change AP tag source to default (which is location).
Procedure

Step 1 Choose Configuration > Wireless Setup > Basic.
Step 2 On the Basic Wireless Setup page, click Add to configure the following:
· General
· Wireless Networks
· AP Provisioning
Step 3 In the AP Provisioning tab and Add/Select APs section, enter the AP MAC address and click the right arrow to add the AP to the associated list.
Step 4 You can also add a CSV file from your system. Ensure that the CSV has the MAC Address column.
Step 5 Use the search option in the Available AP List to select the APs from the Selected AP list and click the right arrow to add the AP to the associated list. Click Apply.

Adding an Access Point to the Location (CLI)

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: ap location name location_name
Example:
Device(config)# ap location name location1
Purpose: Configures a location for an access point.

Step 3
Command or Action: ap-eth-mac ap_ethernet_mac
Example:
Device(config-ap-location)# ap-eth-mac 188b.9dbe.6eac
Purpose: Adds an access point to the location.

Step 4
Command or Action: end
Example:
Device(config-ap-location)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.
Note: After adding an AP to a location, the AP may reset automatically to get the new configuration.
Configuring SNMP in Location Configuration

SNMP MIB

The SNMP MIB provides information on a set of managed objects that represent logical and physical entities, and relationships between them.
Table 1: MIB Objects and Notes

MIB Objects             Notes
cLApLocationName        Provides the name of the AP location.
cLApLocationPolicyTag   Provides the policy tag configured on the location.
cLApLocationSitetag     Provides the site tag configured on the location.
cLApLocationRfTag       Provides the RF tag configured on the location.
cLAssociatedApsApMac    Provides the configured APs on the location.

Verifying Location Configuration

To view the summary of AP location configuration, use the following command:
Device# show ap location summary

Location Name Description

Policy Tag

RF Tag

Site Tag

---------------------------------------------------------------------------------------------------

first

first floor

default-policy-tag default-rf-tag default-site-tag

second

second floor default-policy-tag default-rf-tag default-site-tag

To view the AP location configuration details for a specific location, use the following command:

Device# show ap location details first

Location Name......................: first Location description...............: first floor Policy tag.........................: default-policy-tag Site tag...........................: default-site-tag RF tag.............................: default-rf-tag

Configured list of APs 005b.3400.0af0 005b.3400.0bf0
To view the AP tag summary, use the following command:

Device# show ap tag summary

Number of APs: 4

AP Name     AP Mac           Site Tag Name      Policy Tag Name      RF Tag Name      Misconfigured   Tag Source
----------------------------------------------------------------------------------------------------------------
Asim_5-1    005b.3400.02f0   default-site-tag   default-policy-tag   default-rf-tag   Yes             Filter
Asim_5-2    005b.3400.03f0   default-site-tag   default-policy-tag   default-rf-tag   No              Default
Asim_5-9    005b.3400.0af0   default-site-tag   default-policy-tag   default-rf-tag   No              Location
Asim_5-10   005b.3400.0bf0   default-site-tag   default-policy-tag   default-rf-tag   No              Location
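As an added illustration (this is not part of the Cisco guide), the following Python script parses the show ap tag summary output shown above and reports the two things a verification pass cares about: APs the controller marks as Misconfigured, and APs that are assigned to an AP location but whose Tag Source is something other than Location, which means another source is overriding the location's tags. The sample output and the location AP list are constructed from the values in this section; the function names are this example's own.

```python
"""Check 'show ap tag summary' output for misconfigured APs and tag-source drift.

Added example, not Cisco's code: it parses the text of the show command
(fed in from a captured session or transcript) and reports the rows that
need attention. The sample output below is constructed from the values
shown in the guide.
"""
import re

# Constructed sample, modelled on the 'show ap tag summary' output above.
SAMPLE_TAG_SUMMARY = """\
Number of APs: 4

AP Name     AP Mac           Site Tag Name      Policy Tag Name      RF Tag Name      Misconfigured   Tag Source
----------------------------------------------------------------------------------------------------------------
Asim_5-1    005b.3400.02f0   default-site-tag   default-policy-tag   default-rf-tag   Yes             Filter
Asim_5-2    005b.3400.03f0   default-site-tag   default-policy-tag   default-rf-tag   No              Default
Asim_5-9    005b.3400.0af0   default-site-tag   default-policy-tag   default-rf-tag   No              Location
Asim_5-10   005b.3400.0bf0   default-site-tag   default-policy-tag   default-rf-tag   No              Location
"""

# APs listed under 'show ap location details first' in the guide.
LOCATION_FIRST_APS = ["005b.3400.0af0", "005b.3400.0bf0"]

MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")
COLUMNS = ("name", "mac", "site_tag", "policy_tag", "rf_tag", "misconfigured", "tag_source")


def parse_ap_tag_summary(text):
    """Return one dict per AP row; the count, header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        # A data row has exactly seven whitespace-separated fields and a
        # dotted-hex MAC in the second column; everything else is framing.
        if len(fields) != len(COLUMNS) or not MAC_RE.match(fields[1]):
            continue
        row = dict(zip(COLUMNS, fields))
        row["misconfigured"] = row["misconfigured"] == "Yes"
        rows.append(row)
    return rows


def misconfigured_aps(text):
    """APs the controller itself flags in the Misconfigured column."""
    return [row for row in parse_ap_tag_summary(text) if row["misconfigured"]]


def location_tag_drift(text, location_macs):
    """MACs assigned to an AP location whose tags do not come from that location.

    An AP in a location should show 'Location' as its Tag Source; any other
    source (Filter, Default, static) means something else is overriding the
    location's tags and the AP may end up on the wrong site, policy or RF tag.
    A MAC missing from the summary is reported too (it has not joined).
    """
    source_by_mac = {row["mac"]: row["tag_source"] for row in parse_ap_tag_summary(text)}
    return [mac for mac in location_macs if source_by_mac.get(mac) != "Location"]


if __name__ == "__main__":
    for row in misconfigured_aps(SAMPLE_TAG_SUMMARY):
        print(f"misconfigured: {row['name']} ({row['mac']}) tag source={row['tag_source']}")
    print("tag-source drift:", location_tag_drift(SAMPLE_TAG_SUMMARY, LOCATION_FIRST_APS))
```

On the sample, Asim_5-1 is the only AP flagged as misconfigured (its tags come from a filter), and both APs of location "first" correctly report Location as their tag source, so the drift list is empty.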

Verifying Location Statistics

To view the AP location statistics, use the following command:

Device# show ap location stats

Location name   APs joined   Clients joined   Clients on 11a   Clients on 11b
-----------------------------------------------------------------------------------
first           2            0                3                4
second          0            0                0                0

CHAPTER 3

Wireless Management Interface

· Information About Wireless Management Interface, on page 39
· Recommendations for Wireless Management Interface, on page 39
· Configuring your Controller with Wireless Management Interface (CLI), on page 41
· Verifying Wireless Management Interface Settings, on page 42
· Information About Network Address Translation (NAT), on page 43
· Information About CAPWAP Discovery, on page 43
· Configuring Wireless Management Interface with a NAT Public IP (CLI), on page 44
· Configuring CAPWAP Discovery to Respond Only with Public or Private IP (CLI), on page 45
· Verifying NAT Settings, on page 46
Information About Wireless Management Interface
The Wireless Management Interface (WMI) is the mandatory Layer 3 interface on the Cisco Catalyst 9800 Wireless Controller. It is used for all communications between the controller and access points, including all CAPWAP and inter-controller mobility messaging and tunneling traffic. The WMI is also the default interface for in-band management and for connectivity to enterprise services such as AAA, syslog, and SNMP. You can use the WMI IP address to connect to the device remotely using SSH or Telnet, or to reach the Graphical User Interface (GUI) over HTTP or HTTPS by entering the wireless management interface IP address of the controller in the address field of your browser.
Recommendations for Wireless Management Interface
The Wireless Management Interface is a Layer 3 interface that can be configured with a single IP address (IPv4 or IPv6) or with a dual-stack configuration. It is always recommended to use a dedicated wireless management VLAN and to configure the WMI as a Switched VLAN Interface (SVI). If the uplink port or port-channel to the next-hop switch is configured as a dot1q trunk, the wireless management VLAN is one of the tagged VLANs allowed on the trunk. This recommendation holds regardless of the AP deployment mode (local, FlexConnect, or SDA), with the following exceptions:
· The WMI is configured as an L3 port for Cisco Catalyst 9800 Wireless Controller deployed in a Public Cloud environment.
· The WMI is configured as a loopback interface for embedded wireless controller in Cisco Catalyst 9000 switches.
It is always recommended to statically assign the IPv6 address on the WMI and not to configure it using the ipv6 auto-config command.

Note The ipv6 auto-config command is not supported.

Note You can use only one AP manager interface on the Cisco Catalyst 9800 Wireless Controller, called the WMI, to terminate CAPWAP traffic.

Note There is only one Wireless Management Interface (WMI) on the controller.

Note A Layer 3 interface is not supported in Cisco Catalyst 9800-CL Cloud Wireless Controller guest anchor scenarios. Instead, it is recommended to use Layer 2 interfaces and an SVI for the WMI. A Layer 3 interface is recommended for public cloud deployments only and not for on-premises deployments, as it imposes some limitations. The following are sample Layer 3 and Layer 2 interface configurations:

Layer 3 interface configuration:

interface GigabitEthernet2
 no switchport
 ip address <ip_address> <mask>
 negotiation auto
 no mop enabled
 no mop sysid
end

Layer 2 interface configuration:

interface GigabitEthernet2
 switchport trunk allowed vlan 25,169,504
 switchport mode trunk
 negotiation auto
 no mop enabled
 no mop sysid
end

Configuring your Controller with Wireless Management Interface (CLI)
You can configure the Wireless Management Interface from the CLI by directly accessing the physical console (for the Cisco Catalyst 9800 appliances) or the virtual console (for the Cisco Catalyst 9800-CL Cloud Wireless Controller).

Note The example assumes that:
· You have a Cisco Catalyst 9800-CL Cloud Wireless Controller and GigabitEthernet 2 is connected to a trunk interface on the uplink switch.
· You want to configure multiple VLANs and dedicate one of them to the Wireless Management Interface.

Procedure

Step 1 Access the CLI using the VGA or monitor console from the hypervisor of your choice.

Step 2 Terminate the configuration wizard.

Would you like to enter the initial configuration dialog? [yes/no]: no
Would you like to terminate autoinstall? [yes]: yes

Step 3 Enter configuration mode and add the login credentials using the following commands:

Device# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Device(config)# username <name> privilege 15 password <yourpwd>

Step 4 (Optional) Set a hostname.

Device(config)# hostname C9800

Step 5 Configure the VLAN for the wireless management interface:

Device(config)# vlan 201
Device(config-vlan)# name wireless_management

Step 6 Configure the L3 SVI for the wireless management interface:

Device(config)# int vlan 201
Device(config-if)# description wireless-management-interface
Device(config-if)# ip address 172.16.201.21 255.255.255.192
Device(config-if)# no shutdown

Step 7 Configure the interface GigabitEthernet 2 as a trunk and allow the wireless management VLAN:

Device(config-if)# interface GigabitEthernet2
Device(config-if)# switchport mode trunk
Device(config-if)# switchport trunk allowed vlan 201,210,211
Device(config-if)# shut
Device(config-if)# no shut

Note VLANs 210 and 211 are added to the trunk to carry client traffic.

Step 8 Configure a default route (or a more specific route) to reach the device:

Device(config-if)# ip route 0.0.0.0 0.0.0.0 172.16.201.1

At this point you can use SSH, Telnet, or the GUI to access the device, or use Cisco DNA Center or Cisco Prime to continue with the Day 0 configuration.

Verifying Wireless Management Interface Settings

To verify that the Layer 3 interface is configured correctly, use the following command:

Device# show run int vlan 201

Building configuration...

Current configuration : 128 bytes
!
interface Vlan201
 description wireless-management-interface
 ip address 172.16.201.21 255.255.255.0
 no mop enabled
 no mop sysid
end

To verify that the wireless management VLAN is active on the uplink to the network, use the following command. In this case the uplink is a trunk interface, so the VLAN must be allowed, active, and in the forwarding state.

Device# show interfaces trunk

Port        Mode             Encapsulation  Status        Native vlan
Gi2         on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi2         201,210-211

Port        Vlans allowed and active in management domain
Gi2         201,210-211

Port        Vlans in spanning tree forwarding state and not pruned
Gi2         201,210-211

To verify that the wireless management interface is up, use the following command:

Device# show ip int brief | i Vlan201
Vlan201                172.16.201.21   YES NVRAM  up                    up
To verify if the selected interface has been configured as wireless management, use the following command:

Device# show wireless interface summary

Wireless Interface Summary

Interface Name  Interface Type  VLAN ID  IP Address     IP Netmask     NAT-IP Address  MAC Address
--------------------------------------------------------------------------------------------------
Vlan201         Management      201      172.16.201.21  255.255.255.0  0.0.0.0         001e.e51c.a7ff
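The procedure and the verification commands above amount to a checklist: the SVI must be up/up, the uplink must be trunking, and the management VLAN must be allowed, active, and in the spanning-tree forwarding state on that trunk. As an added example (not code from the Cisco guide), the following Python script parses show interfaces trunk and show ip int brief output and applies exactly those checks, returning the list of failed conditions so it can be run against a captured session. The sample outputs are constructed from this section's values; the "pruned" variant is a constructed failure case, and the function names are this example's own.

```python
"""Verify the wireless management VLAN end to end from show command output.

Added example, not Cisco's code: parses 'show interfaces trunk' and
'show ip int brief' as shown in the guide and checks the conditions the
text lists for the WMI VLAN. Samples are constructed from the guide's values.
"""

# Constructed sample of 'show interfaces trunk', matching the guide's values.
SAMPLE_TRUNK = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi2         on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi2         201,210-211

Port        Vlans allowed and active in management domain
Gi2         201,210-211

Port        Vlans in spanning tree forwarding state and not pruned
Gi2         201,210-211
"""

# Constructed failure case: VLAN 201 is allowed and active but not forwarding.
SAMPLE_TRUNK_PRUNED = SAMPLE_TRUNK[: SAMPLE_TRUNK.rfind("201,210-211")] + "210-211\n"

# Constructed sample of 'show ip int brief | i Vlan201'.
SAMPLE_BRIEF = "Vlan201                172.16.201.21   YES NVRAM  up                    up\n"

# The four blocks of 'show interfaces trunk', in the order they are printed.
TRUNK_SECTIONS = ("status", "allowed", "active", "forwarding")


def expand_vlan_list(spec):
    """'201,210-211' -> {201, 210, 211}; 'none' -> empty set."""
    vlans = set()
    if spec.lower() == "none":
        return vlans
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_trunks(text):
    """Map each trunk port to its status fields and its three VLAN sets.

    Each block starts with a 'Port ...' header line; the block index tells us
    which VLAN set a data line belongs to.
    """
    ports, section = {}, -1
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("Port"):
            section += 1
            continue
        if section < 0 or section >= len(TRUNK_SECTIONS):
            continue
        fields = line.split()
        entry = ports.setdefault(fields[0], {})
        key = TRUNK_SECTIONS[section]
        if key == "status":
            entry["mode"], entry["encapsulation"], entry["status"] = fields[1:4]
            entry["native_vlan"] = int(fields[4])
        else:
            entry[key] = expand_vlan_list(fields[1]) if len(fields) > 1 else set()
    return ports


def interface_up(brief_text, name):
    """True when the named interface shows status 'up' and protocol 'up'."""
    for line in brief_text.splitlines():
        fields = line.split()
        if fields and fields[0] == name:
            # Status may be 'administratively down' (two words); protocol is last.
            status, protocol = " ".join(fields[4:-1]), fields[-1]
            return status == "up" and protocol == "up"
    return False


def verify_wmi(vlan, uplink, brief_text, trunk_text):
    """Return a list of failed checks; an empty list means the WMI path is sound."""
    problems = []
    if not interface_up(brief_text, f"Vlan{vlan}"):
        problems.append(f"Vlan{vlan} is not up/up")
    port = parse_trunks(trunk_text).get(uplink)
    if port is None or port.get("status") != "trunking":
        problems.append(f"{uplink} is not trunking")
        return problems
    for key, label in (("allowed", "allowed on trunk"),
                       ("active", "active in management domain"),
                       ("forwarding", "in STP forwarding state and not pruned")):
        if vlan not in port.get(key, set()):
            problems.append(f"VLAN {vlan} is not {label} on {uplink}")
    return problems


if __name__ == "__main__":
    print("good:", verify_wmi(201, "Gi2", SAMPLE_BRIEF, SAMPLE_TRUNK))
    print("pruned:", verify_wmi(201, "Gi2", SAMPLE_BRIEF, SAMPLE_TRUNK_PRUNED))
```

The three VLAN checks are deliberately separate: a VLAN that is allowed but not active usually points at a missing VLAN definition or VTP state on the switch side, while one that is active but not forwarding points at spanning tree or pruning, and the message tells you which layer to look at.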

Information About Network Address Translation (NAT)
NAT enables private IP networks that use non-registered IP addresses to connect to the Internet. NAT operates on a device, usually one connecting two networks. Before packets are forwarded onto another network, NAT translates the private (not globally unique) addresses of the internal network into public addresses. NAT can be configured to advertise only a few addresses to the outside world for the entire internal network. This provides additional security by effectively hiding the details of the private network.
If you want to deploy your Cisco Catalyst 9800 Wireless Controller on a private network and make it reachable from the Internet, you need to place the controller behind a router, firewall, or other gateway device that performs one-to-one Network Address Translation (NAT).
To do so, perform the following:
· Configure the NAT device with 1:1 static mapping of the Wireless Management interface IP address (private IP) to a unique external (public) IP address configured on the NAT device.
· Enable the NAT feature on the Wireless Controller and specify its external public IP address. This public IP is used in the discovery responses to APs, so that the APs can then send CAPWAP packets to the right destination.
· Make sure that the external APs discover the public IP of the controller using DHCP, DNS, or PnP.

Note You need not enable NAT if the Cisco Catalyst 9800 Wireless Controller is deployed with a public address. Instead you will need to configure the public IP directly on the Wireless Management Interface (WMI).
Information About CAPWAP Discovery
In a CAPWAP environment, a lightweight access point discovers a wireless controller by using CAPWAP discovery mechanisms, and then sends a CAPWAP join request to the controller. The controller sends a CAPWAP join response to the access point that allows the access point to join the controller. If the wireless controller is behind a NAT device, the controller responds to the discovery response in the following ways:
· Using the public IP.
· Using the private IP.
· Using both the public and private IP.

The Public IP needs to be mapped to the controller's Private IP using static 1:1 NAT configuration on the router or firewall performing the NAT translation.
If your wireless controller manages only Access Points reachable through the public internet (external APs), you need to configure the controller so it responds with only the Public IP in the discovery response.
If your wireless controller manages both internal and external APs, you need to configure the controller so it responds with both Public and Private IPs in the discovery response.

Configuring Wireless Management Interface with a NAT Public IP (CLI)
The first step is to configure the controller to use the public NAT IP (this is the public IP that has been configured on the NAT device to statically map 1:1 the WMI's private IP address).

Procedure

Step 1 configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2 wireless management interface interface-type interface-number
Example:
Device(config)# wireless management interface vlan 20
Purpose: Defines the management interface. Here,
· interface-type--Refers to the VLAN, Gigabit, or loopback types.
· interface-number--Is the interface number.

Step 3 public-ip external-public-ip
Example:
Device(config-mgmt-interface)# public-ip 2.2.2.2
Purpose: Defines the external NAT or Public IP.

Step 4 end
Example:
Device(config-mgmt-interface)# end
Purpose: Returns to privileged EXEC mode.

Configuring CAPWAP Discovery to Respond Only with Public or Private IP (CLI)

Note By default, if the wireless management interface is configured with a public IP, the controller responds with both Public and Private IP in the CAPWAP discovery response.
The setting to determine the IP (private or public) to include in the discovery response is available in the AP Join profile.

Configuring the Controller to Respond only with a Public IP (CLI)

Procedure

Step 1 configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2 ap profile profile-name
Example:
Device(config)# ap profile xyz-ap-profile
Purpose: Configures an AP profile and enters AP profile configuration mode.

Step 3 no capwap-discovery private
Example:
Device(config-ap-profile)# no capwap-discovery private
Purpose: Instructs the controller not to respond with the internal IP. Enables the AP to join the controller over the Public IP only.

Step 4 end
Example:
Device(config-ap-profile)# end
Purpose: Returns to privileged EXEC mode.

Configuring the Controller to Respond only with a Private IP (CLI)

Procedure

Step 1 configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2 ap profile profile-name
Example:
Device(config)# ap profile xyz-ap-profile
Purpose: Configures an AP profile and enters AP profile configuration mode.

Step 3 no capwap-discovery public
Example:
Device(config-ap-profile)# no capwap-discovery public
Purpose: Instructs the controller not to respond with the public IP. Enables the AP to join the controller over the private IP only.

Step 4 end
Example:
Device(config-ap-profile)# end
Purpose: Returns to privileged EXEC mode.

Verifying NAT Settings

To verify whether the wireless management interface is configured with the correct NAT IP address, use the following command:

Device# show wireless interface summary

Wireless Interface Summary

Interface Name  Interface Type  VLAN ID  IP Address   IP Netmask     NAT-IP Address  MAC Address
--------------------------------------------------------------------------------------------------
Vlan20          Management      20       10.58.20.25  255.255.255.0  2.2.2.2         001e.4963.1cff

To verify the settings in the AP join profile, use the following command:

Device# show run | b ap profile
ap profile default-ap-profile
 no capwap-discovery private
 description "default ap profile"
...
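The NAT sections above describe a three-way agreement: the NAT device holds the 1:1 static mapping, the WMI carries the public IP under public-ip, and the AP join profile decides whether discovery responses carry the private address, the public one, or both. As an added example (not code from the Cisco guide), the following Python script reads the two verification commands shown above, works out the discovery mode each AP profile produces, and compares it with the design you intend (public-only for external APs, both for mixed deployments). The sample outputs are constructed from this section's values; internal-ap-profile is a constructed second profile, and the function names are this example's own.

```python
"""Check the NAT public IP and the CAPWAP discovery mode from show output.

Added example, not Cisco's code: parses 'show wireless interface summary'
and the AP profile section of 'show run' as shown in the guide. The samples
are constructed from the guide's values; internal-ap-profile is invented.
"""

# Constructed sample of 'show wireless interface summary'.
SAMPLE_SUMMARY = """\
Wireless Interface Summary

Interface Name  Interface Type  VLAN ID  IP Address   IP Netmask     NAT-IP Address  MAC Address
--------------------------------------------------------------------------------------------------
Vlan20          Management      20       10.58.20.25  255.255.255.0  2.2.2.2         001e.4963.1cff
"""

# Constructed sample of 'show run | b ap profile' with a second (invented) profile.
SAMPLE_RUN = """\
ap profile default-ap-profile
 no capwap-discovery private
 description "default ap profile"
ap profile internal-ap-profile
 description "constructed profile that keeps the default discovery settings"
"""

SUMMARY_COLUMNS = ("name", "type", "vlan", "ip", "netmask", "nat_ip", "mac")


def parse_management_interface(text):
    """Return the Management row of 'show wireless interface summary' as a dict."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == len(SUMMARY_COLUMNS) and fields[1] == "Management":
            return dict(zip(SUMMARY_COLUMNS, fields))
    return None


def parse_ap_profiles(run_text):
    """Map profile name -> which addresses it answers discovery with.

    Both are on by default (the guide's note); 'no capwap-discovery private'
    or 'no capwap-discovery public' under the profile switches one of them off.
    """
    profiles, current = {}, None
    for line in run_text.splitlines():
        if line.startswith("ap profile "):
            current = line.split(None, 2)[2].strip()
            profiles[current] = {"private": True, "public": True}
        elif current and line.strip() == "no capwap-discovery private":
            profiles[current]["private"] = False
        elif current and line.strip() == "no capwap-discovery public":
            profiles[current]["public"] = False
    return profiles


def discovery_mode(profile):
    """Collapse the two flags into the mode the discovery response will use."""
    modes = {(True, True): "both", (False, True): "public-only",
             (True, False): "private-only", (False, False): "none"}
    return modes[(profile["private"], profile["public"])]


def check_nat(summary_text, run_text, expected_public_ip, profile_name, expected_mode):
    """Return the mismatches between the running state and the intended NAT design."""
    problems = []
    wmi = parse_management_interface(summary_text)
    if wmi is None:
        return ["no Management interface found in the summary"]
    if wmi["nat_ip"] == "0.0.0.0":
        problems.append("no public-ip configured on the wireless management interface")
    elif wmi["nat_ip"] != expected_public_ip:
        problems.append(f"NAT-IP is {wmi['nat_ip']}, expected {expected_public_ip}")
    profile = parse_ap_profiles(run_text).get(profile_name)
    if profile is None:
        problems.append(f"AP profile {profile_name} not found")
    elif discovery_mode(profile) != expected_mode:
        problems.append(f"{profile_name} answers discovery with {discovery_mode(profile)}, "
                        f"expected {expected_mode}")
    return problems


if __name__ == "__main__":
    print(check_nat(SAMPLE_SUMMARY, SAMPLE_RUN, "2.2.2.2", "default-ap-profile", "public-only"))
    print(check_nat(SAMPLE_SUMMARY, SAMPLE_RUN, "2.2.2.2", "internal-ap-profile", "public-only"))
```

On the guide's sample, default-ap-profile answers with the public IP only, which is the right setting when every AP reaches the controller across the Internet; the constructed internal-ap-profile keeps the default of both addresses, so a check that expects public-only for it reports the mismatch.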

CHAPTER 4

BIOS Protection

· BIOS Protection on the Controller, on page 47
· BIOS or ROMMON Upgrade with BIOS Protection, on page 47
· Upgrading BIOS, on page 48
BIOS Protection on the Controller
BIOS Protection enables you to protect and securely update the BIOS flash on Intel-based platforms. Without BIOS Protection, the flash that stores the BIOS on an Intel platform is not write-protected, so malicious code could be written to it along with a BIOS update. By default, BIOS Protection works by write-protecting the flash that contains the BIOS image and accepting updates only through BIOS capsules, which are the only means of writing to the BIOS flash.
BIOS or ROMMON Upgrade with BIOS Protection
To upgrade the BIOS or ROMMON using the BIOS Protection feature, the sequence is as follows:

1. The new BIOS image capsule, bundled together with the ROMMON binary, is inserted into the media of the Cisco device by the ROMMON upgrade scripts.
2. The Cisco device is then reset for the new BIOS/ROMMON upgrade to take place.
3. On reset, the original BIOS detects the updated capsule and determines whether an updated BIOS is available.
4. The original BIOS then verifies the digital signature of the BIOS capsule. If the signature is valid, the original BIOS removes write-protection from the flash utility and updates the SPI flash with the new BIOS image. If the BIOS capsule is invalid, the SPI flash is not updated.
5. After the new BIOS/ROMMON image is written to the SPI flash, the required regions of the SPI flash are once again write-protected.
6. After the card is reset, the updated BIOS is booted.
7. The capsule is deleted by the BIOS.
Upgrading BIOS
Procedure

Use the upgrade rom-monitor filename command to update the BIOS capsule.

Example:

upgrade rom-monitor filename bootflash:capsule.pkg <slot>

Example

The following example shows you how to verify a BIOS Protection upgrade:

Device# upgrade rom-monitor filename bootflash:qwlc-rommon-capsule-p106.pkg all
Verifying the code signature of the ROMMON package...
Chassis model AIR-CT5540-K9 has a single rom-monitor.
Upgrade rom-monitor
Target copying rom-monitor image file
Secure update of the ROMMON image will occur after a reload.
8388608+0 records in
8388608+0 records out
8388608 bytes (8.4 MB, 8.0 MiB) copied, 11.9671 s, 701 kB/s
131072+0 records in
131072+0 records out
131072 bytes (131 kB, 128 KiB) copied, 0.414327 s, 316 kB/s
Copying ROMMON environment
8388608+0 records in
8388608+0 records out
8388608 bytes (8.4 MB, 8.0 MiB) copied, 31.1199 s, 270 kB/s
131072+0 records in
131072+0 records out
131072 bytes (131 kB, 128 KiB) copied, 2.44015 s, 53.7 kB/s
131072+0 records in
131072+0 records out
131072 bytes (131 kB, 128 KiB) copied, 2.43394 s, 53.9 kB/s
ROMMON upgrade complete.
To make the new ROMMON permanent, you must restart the RP.
Device# reload

CHAPTER 5

Management over Wireless

· Information About Management over Wireless, on page 49
· Restrictions on Management over Wireless, on page 49
· Enabling Management over Wireless on Controller (GUI), on page 50
· Enabling Management over Wireless on Controller (CLI), on page 50
Information About Management over Wireless
The Management over Wireless feature allows operators to monitor and configure the controller using wireless clients connected to the wireless controller network.
Note By default, the Management over Wireless feature is disabled. You will need to keep the Management over Wireless feature disabled, if security is a concern.
This feature blocks the wireless management access to the same controller that the wireless client device is currently associated with. It does not prevent management access to a wireless client associated with another controller entirely. To completely block management access to wireless clients based on VLAN and so on, we recommend that you use Access Control Lists (ACLs) or a similar mechanism.
Restrictions on Management over Wireless
· Management over Wireless feature can be disabled only if clients are in central switching.
Note The Management over Wireless feature does not work for the Embedded Wireless Controller (EWC) on an AP, because the APs connected to the EWC are in FlexConnect (local switching) mode.
Enabling Management over Wireless on Controller (GUI)
Procedure

Step 1 Choose Configuration > Wireless > Wireless Global.
Step 2 Check the Management via Wireless check box.
Step 3 Click Apply.

Enabling Management over Wireless on Controller (CLI)

Procedure

Step 1 configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2 wireless mgmt-via-wireless
Example:
Device(config)# wireless mgmt-via-wireless
Purpose: Enables management over wireless. Use the no form of this command to disable management over wireless.

Step 3 end
Example:
Device(config)# end
Purpose: Returns to privileged EXEC mode.

CHAPTER 6

Smart Licensing Using Policy

· Introduction to Smart Licensing Using Policy, on page 51
· Information About Smart Licensing Using Policy, on page 52
· How to Configure Smart Licensing Using Policy: Workflows by Topology, on page 75
· Migrating to Smart Licensing Using Policy, on page 88
· Task Library for Smart Licensing Using Policy, on page 109
· Troubleshooting Smart Licensing Using Policy, on page 148
· Additional References for Smart Licensing Using Policy, on page 159
· Feature History for Smart Licensing Using Policy, on page 160
Introduction to Smart Licensing Using Policy
Smart Licensing Using Policy is an enhanced version of Smart Licensing, with the overarching objective of providing a licensing solution that does not interrupt the operations of your network, but rather enables a compliance relationship to account for the hardware and software licenses you purchase and use. Smart Licensing Using Policy is supported starting with Cisco IOS XE Amsterdam 17.3.2a. The primary benefits of this enhanced licensing model are:
· Seamless day-0 operations: After a license is ordered, no preliminary steps, such as registration or generation of keys, are required unless you use an export-controlled or enforced license. There are no export-controlled or enforced licenses on Cisco Catalyst Wireless Controllers, so product features can be configured on the device right away.
· Consistency in Cisco IOS XE: Campus and industrial Ethernet switching, routing, and wireless devices that run Cisco IOS XE software have a uniform licensing experience.
· Visibility and manageability: Tools, telemetry, and product tagging to know what is in use.
· Flexible, time-series reporting to remain compliant: Easy reporting options are available whether you are directly or indirectly connected to Cisco Smart Software Manager (CSSM), or in an air-gapped network.
This document provides conceptual, configuration, and troubleshooting information for Smart Licensing Using Policy on Cisco Catalyst Wireless Controllers.
For a more detailed overview on Cisco Licensing, go to cisco.com/go/licensingguide.

Information About Smart Licensing Using Policy
This section provides conceptual information about Smart Licensing Using Policy, the supported products, an overview of each supported topology, and an explanation of how Smart Licensing Using Policy interacts with other features.

Overview

Smart Licensing Using Policy is a software license management solution that provides a seamless experience with the various aspects of licensing.
· Purchase licenses: Purchase licenses through the existing channels and use the Cisco Smart Software Manager (CSSM) portal to view product instances and licenses.

Note To simplify your implementation of Smart Licensing Using Policy, provide your Smart Account and Virtual Account information when placing an order for new hardware or software. This allows Cisco to install applicable policies and authorization codes (terms explained in the Concepts, on page 56 section below), at the time of manufacturing.
· Use: All licenses on Cisco Catalyst Wireless Controllers are unenforced. This means that you do not have to complete any licensing-specific operations, such as registering or generating keys before you start using the software and the licenses that are tied to it. License usage is recorded on your device with timestamps and the required workflows can be completed at a later date.
· Report license usage to CSSM: Multiple options are available for license usage reporting. You can use Cisco Smart Licensing Utility (CSLU), or report usage information directly to CSSM. For air-gapped networks, a provision for offline reporting, where you download usage information and upload it to CSSM, is also available. The usage report is in plain text XML format. See: Sample Resource Utilization Measurement Report, on page 148.
· Reconcile: For situations where delta billing applies (purchased versus consumed).

Supported Products
This section provides information about the Cisco IOS-XE product instances that support Smart Licensing Using Policy. All models (Product IDs or PIDs) in a product series are supported, unless indicated otherwise.

Table 2: Supported Product Instances: Cisco Catalyst Wireless Controllers

Cisco Catalyst Wireless Controllers                                                 When Support for Smart Licensing Using Policy was Introduced
Cisco Catalyst 9800-40 Wireless Controller                                          Cisco IOS XE Amsterdam 17.3.2a
Cisco Catalyst 9800-L Wireless Controller                                           Cisco IOS XE Amsterdam 17.3.2a
Cisco Catalyst 9800-CL Wireless Controller                                          Cisco IOS XE Amsterdam 17.3.2a
Cisco Catalyst 9800 embedded Wireless Controller                                    Cisco IOS XE Amsterdam 17.3.2a
Cisco Embedded Wireless Controller on Cisco Catalyst 9100 Access Points (EWC-AP)    Cisco IOS XE Amsterdam 17.3.2a

Architecture
This section explains the various components that can be part of your implementation of Smart Licensing Using Policy. One or more components make up a topology.

Product Instance
A product instance is a single instance of a Cisco product, identified by a Unique Device Identifier (UDI).
A product instance records and reports license usage (RUM reports), and provides alerts and system messages about overdue reports, communication failures, etc. RUM reports and usage data are securely stored in the product instance.
Throughout this document, the term product instance refers to all supported physical and virtual product instances - unless noted otherwise. For information about the product instances that are within the scope of this document, see Supported Products, on page 52.

CSLU

Cisco Smart License Utility (CSLU) is a Windows-based reporting utility that provides aggregate licensing workflows. This utility performs the following key functions:
· Provides options relating to how workflows are triggered. The workflows can be triggered by CSLU or by a product instance.
· Collects usage reports from one or more product instances and uploads these usage reports to the corresponding Smart Account or Virtual Account, online or offline using files. Similarly, the RUM report ACK is collected online or offline and sent back to the product instance.
· Sends authorization code requests to CSSM and receives authorization codes from CSSM, if applicable.

CSLU can be part of your implementation in the following ways:
· Install the Windows application to use CSLU as a standalone tool that is connected to CSSM.
· Install the Windows application to use CSLU as a standalone tool that is disconnected from CSSM. With this option, the required usage information is downloaded to a file and then uploaded to CSSM. This is suited to air-gapped networks.
· Embedded (by Cisco) in a controller such as Cisco DNA Center.

CSSM

Cisco Smart Software Manager (CSSM) is a portal that enables you to manage all your Cisco software licenses from a centralized location. CSSM helps you manage current requirements and review usage trends to plan for future license requirements. You can access the CSSM Web UI at https://software.cisco.com. Under the License tab, click the Smart Software Licensing link. See the Supported Topologies, on page 60 section to know about the different ways in which you can connect to CSSM. In CSSM you can:
· Create, manage, or view virtual accounts.
· Create and manage Product Instance Registration Tokens.
· Transfer licenses between virtual accounts or view licenses.
· Transfer, remove, or view product instances.
· Run reports against your virtual accounts.
· Modify your email notification settings.
· View overall account information.

Controller

A management application or service that manages multiple product instances.

Note Throughout this chapter, and in the context of Smart Licensing Using Policy, the term "controller" or "Controller" always means a management application or service that manages a product instance. The term is not used to refer to Cisco Catalyst Wireless Controllers, which are product instances.

On Cisco Catalyst Wireless Controllers, Cisco DNA Center is the supported controller. Information about the controller, the product instances that support the controller, and the minimum required software versions on the controller and on the product instance is provided below:

Table 3: Support Information for Controller: Cisco DNA Center

Minimum Required Cisco DNA Center Version for Smart Licensing Using Policy (1): Cisco DNA Center Release 2.2.2
Minimum Required Cisco IOS XE Version (2): Cisco IOS XE Amsterdam 17.3.2a
Supported Product Instances:
· Cisco Catalyst 9800-40 Wireless Controller
· Cisco Catalyst 9800-80 Wireless Controller
· Cisco Catalyst 9800-L Wireless Controller
· Cisco Catalyst 9800-CL Wireless Controller
· Cisco Catalyst 9800 embedded Wireless Controller
· Cisco Embedded Wireless Controller on Cisco Catalyst 9100 Access Points (EWC-AP)

1 The minimum required software version on the controller. This means support continues on all subsequent releases, unless noted otherwise.
2 The minimum required software version on the product instance. This means support continues on all subsequent releases, unless noted otherwise.
For more information about Cisco DNA Center, see the support page at: https://www.cisco.com/c/en/us/support/cloud-systems-management/dna-center/series.html.

SSM On-Prem

Smart Software Manager On-Prem (SSM On-Prem) is an asset manager, which works in conjunction with CSSM. It enables you to administer products and licenses on your premises instead of having to directly connect to CSSM.
Information about the software versions required to implement Smart Licensing Using Policy with SSM On-Prem is provided below:

Minimum Required SSM On-Prem Version for Smart Licensing Using Policy (3): Version 8, Release 202102
Minimum Required Cisco IOS XE Version (4): Cisco IOS XE Amsterdam 17.3.3
Supported Product Instances:
· Cisco Catalyst 9800-40 Wireless Controller
· Cisco Catalyst 9800-80 Wireless Controller
· Cisco Catalyst 9800-L Wireless Controller
· Cisco Catalyst 9800-CL Wireless Controller
· Cisco Catalyst 9800 embedded Wireless Controller
· Cisco Embedded Wireless Controller on Cisco Catalyst 9100 Access Points (EWC-AP)

3 The minimum required SSM On-Prem version. This means support continues on all subsequent releases, unless noted otherwise.
4 The minimum required software version on the product instance. This means support continues on all subsequent releases, unless noted otherwise.
For more information about SSM On-Prem, see Smart Software Manager On-Prem on the Software Download page. Hover over the .iso image to display the documentation links.

Concepts

This section explains the key concepts of Smart Licensing Using Policy.

License Enforcement Types
A given license belongs to one of three enforcement types. The enforcement type indicates whether the license requires authorization before use.
· Unenforced or Not Enforced
Unenforced licenses do not require authorization before use (in air-gapped networks) or registration (in connected networks). The terms of use for such licenses are as per the end user license agreement (EULA).
All licenses available on Cisco Catalyst Wireless Controllers are unenforced licenses.
· Enforced
Licenses that belong to this enforcement type require authorization before use. The required authorization is in the form of an authorization code, which must be installed in the corresponding product instance.
An example of an enforced license is the Media Redundancy Protocol (MRP) Client license, which is available on Cisco's Industrial Ethernet Switches.

· Export-Controlled
Licenses that belong to this enforcement type are export-restricted by U.S. trade-control laws and require authorization before use. The required authorization code must be installed in the corresponding product instance for these licenses as well. Cisco may pre-install export-controlled licenses when ordered with a hardware purchase. An example of an export-controlled license is the High Speed Encryption (HSECK9) license, which is available on certain Cisco Routers.
License Duration
This refers to the duration or term for which a purchased license is valid. A given license may belong to any one of the enforcement types mentioned above and be valid for the following durations:
· Perpetual: There is no expiration date for such a license. AIR Network Essentials and AIR Network Advantage licenses are examples of unenforced, perpetual licenses that are available on Cisco Catalyst Wireless Controllers.
· Subscription: The license is valid only until a certain date. AIR Digital Network Architecture (DNA) Essentials and AIR DNA Advantage licenses are examples of unenforced subscription licenses that are available on Cisco Catalyst Wireless Controllers.
Authorization Code
The Smart Licensing Authorization Code (SLAC) allows activation and continued use of a license that is export-controlled or enforced. A SLAC is not required for any of the licenses available on Cisco Catalyst Wireless Controllers, but if you are upgrading from an earlier licensing model to Smart Licensing Using Policy, you may have a Specific License Reservation (SLR) with its own authorization code. The SLR authorization code is supported after upgrade to Smart Licensing Using Policy.

Note While existing SLRs are carried over after upgrade, you cannot request a new SLR in the Smart Licensing Using Policy environment, because the notion of "reservation" does not apply. For an air-gapped network, the No Connectivity to CSSM and No CSLU topology applies instead.
For more information about how the SLR authorization code is handled, see Upgrades, on page 71. If you want to return an SLR authorization code, see Removing and Returning an Authorization Code, on page 136.

Policy
A policy provides the product instance with these reporting instructions:
· License usage report acknowledgement requirement (Reporting ACK required): The license usage report is known as a RUM Report and the acknowledgement is referred to as an ACK (see RUM Report and Report Acknowledgement). This is a yes or no value which specifies whether the report for this product instance requires CSSM acknowledgement. The default policy is always set to "yes".
· First report requirement (days): The first report must be sent within the duration specified here. If the value here is zero, no first report is required.

· Reporting frequency (days): The subsequent report must be sent within the duration specified here. If the value here is zero, no further reporting is required unless there is a usage change.
· Report on change (days): In case of a change in license usage, a report must be sent within the duration specified here. If the value here is zero, no report is required on usage change. If the value here is not zero, reporting is required after the change is made. All the scenarios listed below count as changes in license usage on the product instance:
· Changing licenses consumed (includes changing to a different license, and adding or removing a license).
· Going from consuming zero licenses to consuming one or more licenses.
· Going from consuming one or more licenses to consuming zero licenses.

Note If a product instance has never consumed a license, reporting is not required even if the policy has a non-zero value for any of the reporting requirements (First report requirement, Reporting frequency, Report on change).
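The reporting rules above combine in ways that are easy to get wrong when auditing a fleet: a zero value switches a requirement off, a usage change opens its own window, and an instance that has never consumed a license owes nothing regardless of the policy. The following Python is an added example, not Cisco code, that models these rules as a deadline calculator. The policy values come from Table 4 (Policy: Cisco default); the start points of the windows are assumptions the guide does not state (first report counted from first license consumption, reporting frequency from the last report sent, report on change from the change date), and where several windows apply the earliest deadline is taken to govern.

```python
"""Compute the next RUM report deadline from a Smart Licensing Using Policy policy.

Added example; not Cisco code. Policy fields and the Cisco default values are taken
from the guide (Table 4). Assumptions not stated by the guide: the first-report window
runs from the date the product instance first consumed a license, the reporting
frequency window from the date the last report was sent, and the report-on-change
window from the date of the usage change; the earliest applicable deadline governs.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Policy:
    name: str
    ack_required: bool             # Reporting ACK required (always "yes" in the Cisco default)
    first_report_days: int         # 0 means no first report is required
    reporting_frequency_days: int  # 0 means no further periodic reporting
    report_on_change_days: int     # 0 means usage changes need not be reported


# Cisco default policy values, as listed in Table 4 of the guide.
CISCO_DEFAULT = {
    "export": Policy("Export (Perpetual/Subscription)", True, 0, 0, 0),
    "enforced": Policy("Enforced (Perpetual/Subscription)", True, 0, 0, 0),
    "unenforced_perpetual": Policy("Unenforced/Non-Export Perpetual", True, 365, 0, 90),
    "unenforced_subscription": Policy("Unenforced/Non-Export Subscription", True, 90, 90, 90),
}


@dataclass(frozen=True)
class UsageState:
    """What the product instance knows about its own reporting history (constructed)."""
    first_consumption: Optional[date]  # None if the instance has never consumed a license
    last_report_sent: Optional[date]   # None if no RUM report has been sent yet
    last_usage_change: Optional[date]  # most recent change in licenses consumed, if any


def next_report_deadline(policy: Policy, state: UsageState) -> Optional[date]:
    """Return the earliest date by which a RUM report is due, or None if none is required."""
    # An instance that has never consumed a license owes no report, whatever the
    # policy's numbers say (guide: "If a product instance has never consumed a license").
    if state.first_consumption is None:
        return None

    deadlines = []

    if state.last_report_sent is None:
        # No report yet: the first-report window applies, if the policy sets one.
        if policy.first_report_days > 0:
            deadlines.append(state.first_consumption + timedelta(days=policy.first_report_days))
    elif policy.reporting_frequency_days > 0:
        # Periodic reporting: the next report is due relative to the last one sent.
        deadlines.append(state.last_report_sent + timedelta(days=policy.reporting_frequency_days))

    # A usage change not yet covered by a report opens its own window.
    change_unreported = state.last_usage_change is not None and (
        state.last_report_sent is None or state.last_usage_change > state.last_report_sent
    )
    if policy.report_on_change_days > 0 and change_unreported:
        deadlines.append(state.last_usage_change + timedelta(days=policy.report_on_change_days))

    return min(deadlines) if deadlines else None


def is_overdue(policy: Policy, state: UsageState, today: date) -> bool:
    """True if the product instance has missed its reporting deadline as of `today`."""
    deadline = next_report_deadline(policy, state)
    return deadline is not None and today > deadline


if __name__ == "__main__":
    # Constructed scenario: an unenforced perpetual AIR license first consumed on
    # 2021-01-01 with no report sent yet. Under the Cisco default the first report
    # is due within 365 days, i.e. by 2022-01-01.
    policy = CISCO_DEFAULT["unenforced_perpetual"]
    state = UsageState(date(2021, 1, 1), None, None)
    print(policy.name, "next report due:", next_report_deadline(policy, state))
```

Under the default perpetual policy the reporting frequency is zero, so once the first report has been acknowledged the only thing that reopens a deadline is a change in licenses consumed; under the default subscription policy a 90-day periodic window stays open regardless. Comparing the two with the same usage history shows why the policy in use (show license all) matters more than the license type alone.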
Understanding Policy Selection
CSSM determines the policy that is applied to a product instance. Only one policy is in use at a given point in time. The policy and its values are based on a number of factors, including the licenses being used.
Cisco default is the default policy that is always available in the product instance. If no other policy is applied, the product instance applies this default policy. The table below (Table 4: Policy: Cisco default, on page 58) shows the Cisco default policy values.
While you cannot configure a policy, you can request a customized one by contacting the Cisco Global Licensing Operations team. Go to Support Case Manager. Click OPEN NEW CASE > Select Software Licensing. The licensing team will contact you to start the process or for any additional information. Customized policies are also made available through your Smart account in CSSM.

Note To know which policy is applied (the policy in-use) and its reporting requirements, enter the show license all command in privileged EXEC mode.

Table 4: Policy: Cisco default

Export (Perpetual/Subscription)
Note: Applied only to licenses with enforcement type "Export-Controlled".
Default policy values: Reporting ACK required: Yes; First report requirement (days): 0; Reporting frequency (days): 0; Report on change (days): 0

Enforced (Perpetual/Subscription)
Note: Applied only to licenses with enforcement type "Enforced".
Default policy values: Reporting ACK required: Yes; First report requirement (days): 0; Reporting frequency (days): 0; Report on change (days): 0

Unenforced/Non-Export Perpetual (5)
Default policy values: Reporting ACK required: Yes; First report requirement (days): 365; Reporting frequency (days): 0; Report on change (days): 90

Unenforced/Non-Export Subscription
Default policy values: Reporting ACK required: Yes; First report requirement (days): 90; Reporting frequency (days): 90; Report on change (days): 90

5 For Unenforced/Non-Export Perpetual: the default policy's first report requirement (within 365 days) applies only if you have purchased hardware or software from a distributor or partner.

RUM Report and Report Acknowledgement
A Resource Utilization Measurement report (RUM report) is a license usage report, which fulfils reporting requirements as specified by the policy. RUM reports are generated by the product instance and consumed by CSSM. The product instance records license usage information and all license usage changes in an open RUM report. At system-determined intervals, open RUM reports are closed and new RUM reports are opened to continue recording license usage. A closed RUM report is ready to be sent to CSSM.
A RUM acknowledgement (RUM ACK or ACK) is a response from CSSM and provides information about the status of a RUM report.
The reporting method, that is, how a RUM report is sent to CSSM, depends on the topology you implement.
CSSM displays license usage information as per the last received RUM report.
A RUM report may be accompanied by other requests, such as a trust code request, or a SLAC request. So in addition to the RUM report IDs that have been received, an ACK from CSSM may include authorization codes, trust codes, and policy files.
The policy that is applied to a product instance determines the following aspects of the reporting requirement:
· Whether a RUM report is sent to CSSM and the maximum number of days provided to meet this requirement.
· Whether the RUM report requires an acknowledgement (ACK) from CSSM.
· The maximum number of days provided to report a change in license consumption.

Trust Code

A trust code is a UDI-tied public key, which the product instance uses to:
· Sign a RUM report. This prevents tampering and ensures data authenticity.
· Enable secure communication with CSSM.
If a trust code is installed on the product instance, the output of the show license status command displays a timestamp in the Trust Code Installed: field.
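The property the guide attributes to the trust code, in the RUM Report and Trust Code sections above, is that a public key bound to a UDI lets CSSM reject a usage report that was altered in transit or presented under another device's identity. The following Python is an added example, not Cisco code and not the actual Smart Licensing Using Policy wire format: it signs a constructed RUM report with an Ed25519 key standing in for a product instance's UDI-tied key, keeps a registry of UDI to public key standing in for the trust codes CSSM holds, and shows a genuine, a tampered, a relabelled and an unregistered report being verified. It assumes the `cryptography` package is installed; the UDI strings, license names and counts are made up.

```python
"""Sign and verify a RUM report with a key tied to a product instance's UDI.

Added example; not Cisco code and not the real Smart Licensing Using Policy format.
Assumptions: Ed25519 from the `cryptography` package; the report is JSON canonicalised
with sorted keys; the claimed UDI is part of the signed bytes; the verifier looks the
public key up by UDI, so a key from another device never validates this device's report.
"""
import json

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey,
    Ed25519PublicKey,
)
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat


def canonical_bytes(udi: str, report: dict) -> bytes:
    """Deterministic encoding of (UDI, report): exactly the bytes the signature covers."""
    payload = {"udi": udi, "report": report}
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8")


def new_product_instance_key() -> Ed25519PrivateKey:
    """Stand-in for the private half of a product instance's UDI-tied key pair."""
    return Ed25519PrivateKey.generate()


def trust_code_for(private_key: Ed25519PrivateKey) -> bytes:
    """Raw public key bytes: what the verifier holds against a UDI (the 'trust code' here)."""
    return private_key.public_key().public_bytes(Encoding.Raw, PublicFormat.Raw)


def sign_rum_report(private_key: Ed25519PrivateKey, udi: str, report: dict) -> dict:
    """Produce a signed envelope: the report, the claimed UDI and a detached signature."""
    signature = private_key.sign(canonical_bytes(udi, report))
    return {"udi": udi, "report": report, "signature": signature.hex()}


def verify_rum_report(trust_codes: dict, envelope: dict) -> bool:
    """Verify an envelope against the public key registered for the UDI it claims.

    `trust_codes` maps UDI -> raw public key bytes. A report altered after signing,
    signed by another device's key, or claiming a UDI with no registered key fails.
    """
    public_bytes = trust_codes.get(envelope.get("udi"))
    if public_bytes is None:
        return False
    public_key = Ed25519PublicKey.from_public_bytes(public_bytes)
    try:
        public_key.verify(
            bytes.fromhex(envelope["signature"]),
            canonical_bytes(envelope["udi"], envelope["report"]),
        )
    except (InvalidSignature, ValueError, KeyError):
        return False
    return True


def demo() -> dict:
    """Constructed walk-through; returns the verification outcome for each case."""
    # Two product instances with made-up UDIs (not real PID:serial values).
    key_a = new_product_instance_key()
    key_b = new_product_instance_key()
    registry = {
        "EXAMPLE-PID:SERIAL-A": trust_code_for(key_a),
        "EXAMPLE-PID:SERIAL-B": trust_code_for(key_b),
    }

    # Constructed RUM report content: licenses consumed by instance A.
    report = {"report_id": 1, "usage": {"AIR-DNA-ADVANTAGE": 120, "AIR-NETWORK-ADVANTAGE": 120}}
    envelope = sign_rum_report(key_a, "EXAMPLE-PID:SERIAL-A", report)

    # Tampered copy: the reported count is lowered after signing.
    tampered = json.loads(json.dumps(envelope))
    tampered["report"]["usage"]["AIR-DNA-ADVANTAGE"] = 10

    # Relabelled copy: instance A's report presented as coming from instance B.
    relabelled = dict(envelope, udi="EXAMPLE-PID:SERIAL-B")

    # Report from a device with no trust code on file.
    unknown = sign_rum_report(key_b, "EXAMPLE-PID:SERIAL-Z", report)

    return {
        "genuine": verify_rum_report(registry, envelope),
        "tampered": verify_rum_report(registry, tampered),
        "relabelled": verify_rum_report(registry, relabelled),
        "unknown_udi": verify_rum_report(registry, unknown),
    }


if __name__ == "__main__":
    print(demo())
```

The design point worth keeping from this model is the lookup by UDI: the verifier never trusts a key carried inside the report, so a valid signature from some other device proves nothing about this one. That is also why the High Availability section later notes that the number of trust codes required depends on the number of UDIs.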
Supported Topologies
This section describes the various ways in which you can implement Smart Licensing Using Policy. For each topology, refer to the accompanying overview to know how the set-up is designed to work, and refer to the considerations and recommendations, if any.
After Topology Selection
After you have selected a topology, see How to Configure Smart Licensing Using Policy: Workflows by Topology, on page 75. These workflows are only for new deployments. They provide the simplest and fastest way to implement a topology. If you are migrating from an existing licensing model, see Migrating to Smart Licensing Using Policy, on page 88. After initial implementation, for any additional configuration tasks you have to perform, for instance, changing the AIR license or synchronizing RUM reports, see the Task Library for Smart Licensing Using Policy.
Note Always check the "Supported topologies" where provided, before you proceed.
Connected to CSSM Through CSLU
Overview: Here, product instances in the network are connected to CSLU, and CSLU becomes the single point of interface with CSSM. A product instance can be configured to push the required information to CSLU. Alternatively, CSLU can be set-up to pull the required information from a product instance at a configurable frequency.
· Product instance-initiated communication (push): A product instance initiates communication with CSLU, by connecting to a REST endpoint in CSLU. Data that is sent includes RUM reports and requests for authorization codes, UDI-tied trust codes, and policies. You can configure the product instance to automatically send RUM reports to CSLU at required intervals. This is the default method for a product instance.
· CSLU-initiated communication (pull): To initiate the retrieval of information from a product instance, CSLU uses NETCONF, RESTCONF, gRPC with YANG models, or native REST APIs, to connect to the product instance. Supported workflows include retrieving RUM reports from the product instance and sending the same to CSSM, authorization code installation, UDI-tied trust code installation, and application of policies.

Figure 2: Topology: Connected to CSSM Through CSLU

Considerations or Recommendations: Choose the method of communication depending on your network's security policy. Product instance-initiated (push) communication requires the product instance to reach the CSLU REST endpoint; CSLU-initiated (pull) communication requires the product instance to expose its NETCONF, RESTCONF, gRPC, or REST management interface to CSLU.
Release-Wise Changes and Enhancements: This section outlines important release-wise software changes and enhancements that affect this topology.
· RUM report throttling: In the product instance-initiated mode, the minimum reporting frequency is throttled to one day. This means the product instance does not send more than one RUM report a day. This resolves the problem of too many RUM reports being generated and sent for certain licenses. It also resolves the memory-related issues and system slow-down caused by an excessive generation of RUM reports. You can override the throttling restriction by entering the license smart sync command in privileged EXEC mode. RUM report throttling applies to the Cisco IOS XE Amsterdam 17.3.6 and later releases of the 17.3.x train.
Where to Go Next: To implement this topology, see Workflow for Topology: Connected to CSSM Through CSLU, on page 75.
Connected Directly to CSSM
Overview: This topology is available in the earlier version of Smart Licensing and continues to be supported with Smart Licensing Using Policy. Here, you establish a direct and trusted connection from a product instance to CSSM. The direct connection requires network reachability to CSSM. For the product instance to then exchange messages and communicate with CSSM, configure one of the transport options available with this topology (described below). Lastly, the establishment of trust requires the generation of a token from the corresponding Smart Account and Virtual Account in CSSM, and installation on the product instance.
You can configure a product instance to communicate with CSSM in the following ways:
· Use Smart transport to communicate with CSSM
Smart transport is a transport method where a Smart Licensing (JSON) message is contained within an HTTPS message, and exchanged between a product instance and CSSM, to communicate. The following Smart transport configuration options are available:
· Smart transport: In this method, a product instance uses a specific Smart transport licensing server URL. This must be configured exactly as shown in the workflow section.
· Smart transport through an HTTPS proxy: In this method, a product instance uses a proxy server to communicate with the licensing server, and eventually, CSSM.
· Use Call Home to communicate with CSSM.
Call Home provides e-mail-based and web-based notification of critical system events. This method of connecting to CSSM is available in the earlier Smart Licensing environment, and continues to be available with Smart Licensing Using Policy. The following Call Home configuration options are available:
· Direct cloud access: In this method, a product instance sends usage information directly over the internet to CSSM; no additional components are needed for the connection.
· Direct cloud access through an HTTPS proxy: In this method, a product instance sends usage information over the internet through a proxy server, either a Call Home Transport Gateway or an off-the-shelf proxy (such as Apache), to CSSM.
Figure 3: Topology: Connected Directly to CSSM

Considerations or Recommendations: Smart transport is the recommended transport method when directly connecting to CSSM. This recommendation applies to:
· New deployments.
· Earlier licensing models. Change configuration after migration to Smart Licensing Using Policy.
· Registered licenses that currently use the Call Home transport method. Change configuration after migration to Smart Licensing Using Policy.
· Evaluation or expired licenses in an earlier licensing model. Change configuration after migration to Smart Licensing Using Policy.
To change configuration after migration, see Workflow for Topology: Connected Directly to CSSM, on page 77 > Product Instance Configuration > Configure a connection method and transport type > Option 1.
Release-Wise Changes and Enhancements: This section outlines important release-wise software changes and enhancements that affect this topology.
· RUM report throttling: The minimum reporting frequency for this topology is throttled to one day. This means the product instance does not send more than one RUM report a day. This resolves the problem of too many RUM reports being generated and sent for certain licenses. It also resolves the memory-related issues and system slow-down caused by an excessive generation of RUM reports. You can override the throttling restriction by entering the license smart sync command in privileged EXEC mode. RUM report throttling applies to the Cisco IOS XE Amsterdam 17.3.6 and later releases of the 17.3.x train.
Where to Go Next: To implement this topology, see Workflow for Topology: Connected Directly to CSSM, on page 77.
CSLU Disconnected from CSSM
Overview: Here, a product instance communicates with CSLU, and you have the option of implementing product instance-initiated communication or CSLU-initiated communication (as in the Connected to CSSM Through CSLU topology). The other side of the communication, between CSLU and CSSM, is offline. CSLU provides you with the option of working in a mode that is disconnected from CSSM. Communication between CSLU and CSSM is sent and received in the form of signed files that are saved offline and then uploaded to or downloaded from CSLU or CSSM, as the case may be.

Figure 4: Topology: CSLU Disconnected from CSSM

Considerations or Recommendations: Choose the method of communication depending on your network's security policy. As in the Connected to CSSM Through CSLU topology, push mode requires the product instance to reach the CSLU REST endpoint, while pull mode requires the product instance to expose its NETCONF, RESTCONF, gRPC, or REST management interface to CSLU.
Release-Wise Changes and Enhancements: This section outlines important release-wise software changes and enhancements that affect this topology.
· RUM report throttling: In the product instance-initiated mode, the minimum reporting frequency is throttled to one day. This means the product instance does not send more than one RUM report a day. This resolves the problem of too many RUM reports being generated and sent for certain licenses. It also resolves the memory-related issues and system slow-down caused by an excessive generation of RUM reports. You can override the throttling restriction by entering the license smart sync command in privileged EXEC mode. RUM report throttling applies to the Cisco IOS XE Amsterdam 17.3.6 and later releases of the 17.3.x train.
Where to Go Next: To implement this topology, see Workflow for Topology: CSLU Disconnected from CSSM, on page 79.
Connected to CSSM Through a Controller
When you use a controller to manage a product instance, the controller connects to CSSM, and is the interface for all communication to and from CSSM. The supported controller for Cisco Catalyst Wireless Controllers is Cisco DNA Center.
Overview: If a product instance is managed by Cisco DNA Center as the controller, the product instance records license usage and saves the same, but it is the Cisco DNA Center that initiates communication with the product instance to retrieve RUM reports, report to CSSM, and return the ACK for installation on the product instance. All product instances that must be managed by Cisco DNA Center must be part of its inventory and must be assigned to a site. Cisco DNA Center uses the NETCONF protocol to provision configuration and retrieve the required information from the product instance - the product instance must therefore have NETCONF enabled, to facilitate this. In order to meet reporting requirements, Cisco DNA Center retrieves the applicable policy from CSSM and provides the following reporting options:
· Ad hoc reporting: You can trigger an ad hoc report when required.
· Scheduled reporting: Corresponds with the reporting frequency specified in the policy and is automatically handled by Cisco DNA Center.
Note Ad hoc reporting must be performed at least once before a product instance is eligible for scheduled reporting.
The first ad hoc report enables Cisco DNA Center to determine the Smart Account and Virtual Account to which subsequent RUM reports must be uploaded. You will receive notifications if ad hoc reporting for a product instance has not been performed even once. Cisco DNA Center also enables you to install and remove SLAC for export-controlled licenses. Since all available licenses on Cisco Catalyst Wireless Controllers are unenforced licenses, SLAC installation and removal do not apply. A trust code is not required.
Figure 5: Topology: Connected to CSSM Through a Controller

Considerations or Recommendations: This is the recommended topology if you are using Cisco DNA Center.
Where to Go Next: To implement this topology, see Workflow for Topology: Connected to CSSM Through a Controller, on page 81.
No Connectivity to CSSM and No CSLU
Overview: Here you have a product instance and CSSM disconnected from each other, and without any other intermediary utilities or components. All communication is in the form of uploaded and downloaded files. These files can be RUM reports.
Figure 6: Topology: No Connectivity to CSSM and No CSLU

Considerations or Recommendations: This topology is suited to a high-security deployment where a product instance cannot communicate online, with anything outside its network.
Where to Go Next: To implement this topology, see Workflow for Topology: No Connectivity to CSSM and No CSLU, on page 82.
SSM On-Prem Deployment
Overview: SSM On-Prem is designed to work as an extension of CSSM that is deployed on your premises. Here, a product instance is connected to SSM On-Prem, and SSM On-Prem becomes the single point of interface with CSSM. Each instance of SSM On-Prem must be made known to CSSM through a mandatory registration and synchronization of the local account in SSM On-Prem, with a Virtual Account in CSSM.
When you deploy SSM On-Prem to manage a product instance, the product instance can be configured to push the required information to SSM On-Prem. Alternatively, SSM On-Prem can be set-up to pull the required information from a product instance at a configurable frequency.
· Product instance-initiated communication (push): The product instance initiates communication with SSM On-Prem, by connecting to a REST endpoint in SSM On-Prem. Data that is sent includes RUM reports and requests for authorization codes, trust codes, and policies. Options for communication between the product instance and SSM On-Prem in this mode:
· Use a CLI command to push information to SSM On-Prem as and when required.
· Use a CLI command and configure a reporting interval, to automatically send RUM reports to SSM On-Prem at a scheduled frequency.
· SSM On-Prem-initiated communication (pull): To initiate the retrieval of information from a product instance, SSM On-Prem uses NETCONF, RESTCONF, or native REST API options, to connect to the product instance. Supported workflows include receiving RUM reports from the product instance and sending the same to CSSM, authorization code installation, trust code installation, and application of policies. Options for communication between the product instance and SSM On-Prem in this mode:
· Collect usage information from one or more product instances as and when required (on-demand).
· Collect usage information from one or more product instances at a scheduled frequency.
In SSM On-Prem, the reporting interval is set to the default policy on the product instance. You can change this, but only to report more frequently (a narrower interval), or you can install a custom policy if available. After usage information is available in SSM On-Prem, you must synchronize the same with CSSM, to ensure that the product instance count, license count and license usage information is the same on both CSSM and SSM On-Prem. Options for usage synchronization between SSM On-Prem and CSSM, for the push and pull mode:
· Perform ad-hoc synchronization with CSSM (Synchronize now with Cisco).
· Schedule synchronization with CSSM for specified times.
· Communicate with CSSM through signed files that are saved offline and then upload to or download from SSM On-Prem or CSSM, as the case may be.
Note This topology involves two different kinds of synchronization between SSM On-Prem and CSSM. The first is where the local account is synchronized with CSSM - this is for the SSM On-Prem instance to be known to CSSM and is performed by using the Synchronization widget in SSM On-Prem. The second is where license usage is synchronized with CSSM, either by being connected to CSSM or by downloading and uploading files. You must synchronize the local account before you can synchronize license usage.

Figure 7: Topology: SSM On-Prem Deployment

Considerations or Recommendations: This topology is suited to the following situations:
· If you want to manage your product instances on your premises, as opposed to communicating directly with CSSM for this purpose.
· If your company's policies prevent your product instances from reporting license usage directly to Cisco (CSSM).
· If your product instances are in an air-gapped network and cannot communicate online, with anything outside their network.
Apart from support for Smart Licensing Using Policy, some of the key benefits of SSM On-Prem Version 8 include:
· Multi-tenancy: One tenant constitutes one Smart Account-Virtual Account pair. SSM On-Prem enables you to manage multiple pairs. Here you create local accounts that reside in SSM On-Prem. Multiple local accounts roll-up to a Smart Account-Virtual Account pair in CSSM. For more information, see the Cisco Smart Software Manager On-Prem User Guide > About Accounts and Local Virtual Accounts.
Note The relationship between CSSM and SSM On-Prem instances is still one-to-one.
· Scale: Supports up to a total of 300,000 product instances.
· High-Availability: Enables you to run two SSM On-Prem servers in the form of an active-standby cluster. For more information, see the Cisco Smart Software On-Prem Installation Guide > Appendix 4. Managing a High Availability (HA) Cluster in Your System. High-Availability deployment is supported on the SSM On-Prem console and the required command details are available in the Cisco Smart Software On-Prem Console Guide.
· Options for online and offline connectivity to CSSM.
SSM On-Prem Limitations:
· Proxy support for communication with CSSM, for the purpose of license usage synchronization is available only from Version 8 202108 onwards. The use of a proxy for local account synchronization, which is performed by using the Synchronization widget, is available from the introductory SSM On-Prem release where Smart Licensing Using Policy is supported.
· SSM On-Prem-initiated communication is not supported on a product instance that is in a Network Address Translation (NAT) set-up. You must use product instance-initiated communication, and further, you must enable SSM On-Prem to support a product instance that is in a NAT setup. Details are provided in the workflow for this topology.
Release-Wise Changes and Enhancements: This section outlines important release-wise software changes and enhancements that affect this topology. From Cisco IOS XE Cupertino 17.9.1:
· RUM report throttling: In the product instance-initiated mode, the minimum reporting frequency is throttled to one day. This means the product instance does not send more than one RUM report a day. This resolves the problem of too many RUM reports being generated and sent for certain licenses. It also resolves the memory-related issues and system slow-down caused by an excessive generation of RUM reports. You can override the throttling restriction by entering the license smart sync command in privileged EXEC mode. RUM report throttling applies to the Cisco IOS XE Amsterdam 17.3.6 and later releases of the 17.3.x train.
Where to Go Next: To implement this topology, see Workflow for Topology: SSM On-Prem Deployment, on page 83.
If you are migrating from an existing version of SSM On-Prem, the sequence in which you perform the various upgrade-related activities is crucial. See Migrating to a Version of SSM On-Prem That Supports Smart Licensing Using Policy, on page 107.
Interactions with Other Features
High Availability
This section explains considerations that apply to a High Availability configuration, when running a software version that supports Smart Licensing Using Policy. The following High Availability set-ups are within the scope of this document:
· A dual-chassis set-up (could be fixed or modular), with the active in one chassis and a standby in the other chassis.
· A wireless N+1 topology, where "n" number of wireless controllers act as primary and a "+1" wireless controller acts as the secondary or fallback wireless controller for Access Points (APs). Each Access Point is configured with a primary and a secondary wireless controller. In case of a failure on the primary, all access points that were connected to the primary now fall back to the secondary wireless controller.

Trust Code Requirements in a High Availability Set-Up
The number of trust codes required depends on the number of UDIs. The active product instance can submit requests for all devices in the High Availability set-up and install all the trust codes that are returned in an ACK.
Policy Requirements in a High Availability Set-Up
There are no policy requirements that apply exclusively to a High Availability set-up. As in the case of a standalone product instance, only one policy exists in a High Availability set-up as well, and this is on the active. The policy on the active applies to any standbys in the set-up.
Product Instance Functions in a High Availability Set-Up
This section explains general product instance functions in a High Availability set-up, as well as what the product instance does when a new standby or secondary is added to an existing High Availability set-up.
For authorization and trust codes: The active product instance can request (if required) and install authorization codes and trust codes for standbys.
For policies: The active product instance synchronizes with the standby.
For reporting: Only the active product instance reports usage. The active reports usage information for all devices in the High Availability set-up. In addition to scheduled reporting, the following events trigger reporting:
· The addition or removal of a standby. The RUM report includes information about the standby that was added or removed.
· A switchover.
· A reload.
When one of the above events occur, the "Next report push" date of the show license status privileged EXEC command is updated. But it is the implemented topology and associated reporting method that determine if the report is sent by the product instance or not. For example, if you have implemented a topology where the product instance is disconnected (Transport Type is Off), then the product instance does not send RUM reports even if the "Next report push" date is updated. For addition or removal of a new standby:
· A product instance that is connected to CSLU, does not take any further action.
· A product instance that is directly connected to CSSM performs trust synchronization. Trust synchronization involves the following:
  · Installation of a trust code on the standby, if not installed already. If a trust code is already installed, the trust synchronization process ensures that the new standby is in the same Smart Account and Virtual Account as the active. If it is not, the new standby is moved to the same Smart Account and Virtual Account as the active.
  · Installation of an authorization code, policy, and purchase information, if applicable.
  · Sending of a RUM report with current usage information.
For addition or removal of a secondary:

There are no product instance functions that apply exclusively to the addition or removal of a secondary product instance. Further, all the secondary product instances are in the same Smart Account and Virtual Account as the primary product instance.

Upgrades

This section describes how an upgrade or migration to Smart Licensing Using Policy is handled. It clarifies how Smart Licensing Using Policy handles all earlier licensing models, including the earlier version of Smart Licensing and Specific License Reservation (SLR), and how it handles evaluation or expired licenses from any of the earlier licensing models.
To migrate to Smart Licensing Using Policy, you must upgrade to a software version that supports Smart Licensing Using Policy. After you upgrade, Smart Licensing Using Policy is the only supported licensing model and the product instance continues to operate without any licensing changes. The Migrating to Smart Licensing Using Policy, on page 88 section provides details and examples for migration scenarios that apply to Cisco Catalyst Wireless Controllers.
Device-led conversion is not supported for migration to Smart Licensing Using Policy.

Identifying the Current Licensing Model Before Upgrade
Before you upgrade to Smart Licensing Using Policy, if you want to know the current licensing model that is effective on the product instance, enter the show license all command in privileged EXEC mode.

How Upgrade Affects Enforcement Types for Existing Licenses
When you upgrade to a software version that supports Smart Licensing Using Policy, the way existing licenses are handled depends primarily on the license enforcement type.
· An unenforced license that was being used before upgrade continues to be available after the upgrade. All licenses on Cisco Catalyst Wireless Controllers are unenforced licenses. This includes licenses from all earlier licensing models:
  · Smart Licensing
  · Specific License Reservation (SLR), which has an accompanying authorization code. The authorization code continues to be valid after upgrade to Smart Licensing Using Policy and authorizes existing license consumption.
  · Evaluation or expired licenses from any of the above mentioned licensing models.
· An enforced or export-controlled license that was being used before upgrade continues to be available after upgrade if the required authorization exists.
There are no export-controlled or enforced licenses on any of the supported Cisco Catalyst Wireless Controllers; therefore, these enforcement types and the requisite SLAC do not apply.

How Upgrade Affects Reporting for Existing Licenses

Existing License                                    | Reporting Requirements After Migration to Smart Licensing Using Policy
Specific License Reservation (SLR)                  | Required only if there is a change in license consumption. An existing SLR authorization code authorizes existing license consumption after upgrade to Smart Licensing Using Policy.
Smart Licensing (Registered and Authorized license) | Depends on the policy.
Evaluation or expired licenses                      | Based on the reporting requirements of the Cisco default policy.

How Upgrade Affects Transport Type for Existing Licenses
The transport type, if configured in your existing set-up, is retained after upgrade to Smart Licensing Using Policy.
When compared to the earlier version of Smart Licensing, additional transport types are available with Smart Licensing Using Policy. There is also a change in the default transport mode. The following table clarifies how this may affect upgrades:

Transport Type Before Upgrade | License or License State Before Upgrade | Transport Type After Upgrade
Default (callhome)            | evaluation                              | cslu (default in Smart Licensing Using Policy)
Default (callhome)            | SLR                                     | off
Default (callhome)            | registered                              | callhome
smart                         | evaluation                              | off
smart                         | SLR                                     | off
smart                         | registered                              | smart

How Upgrade Affects the Token Registration Process
In the earlier version of Smart Licensing, a token was used to register and connect to CSSM. ID token registration is not required in Smart Licensing Using Policy. The token generation feature is still available in CSSM, and is used to establish trust when a product instance is directly connected to CSSM. See Connected Directly to CSSM.

Downgrades

To downgrade, you must downgrade the software version on the product instance. This section provides information about downgrades for new deployments and existing deployments (you upgraded to Smart Licensing Using Policy and now want to downgrade).

New Deployment Downgrade
This section describes considerations and actions that apply if a newly purchased product instance with a software version where Smart Licensing Using Policy is enabled by default, is downgraded to a software version where Smart Licensing Using Policy is not supported.

The outcome of the downgrade depends on whether a trust code was installed while still operating in the Smart Licensing Using Policy environment, and further action may be required depending on the release you downgrade to.
If the topology you implemented while in the Smart Licensing Using Policy environment was "Connected Directly to CSSM", then a trust code installation can be expected or assumed, because it is required as part of topology implementation. For any of the other topologies, trust establishment is not mandatory. Downgrading product instances with one of these other topologies will therefore mean that you have to restore licenses to a registered and authorized state by following the procedures that are applicable in the Smart Licensing environment. See the table (Outcome and Action for New Deployment Downgrade to Smart Licensing) below.
Table 5: Outcome and Action for New Deployment Downgrade to Smart Licensing

In the Smart Licensing Using Policy Environment | Downgrade to.. | Outcome and Further Action
Standalone product instance, connected directly to CSSM, and trust established. | Cisco IOS XE Amsterdam 17.3.1, OR Cisco IOS XE Gibraltar 16.12.4 and later releases in Cisco IOS XE Gibraltar 16.12.x | No further action is required. The product instance attempts to renew trust with CSSM after downgrade. After a successful renewal, licenses are in a registered state and the earlier version of Smart Licensing is effective on the product instance.
Standalone product instance, connected directly to CSSM, and trust established. | Any other release (other than the ones mentioned in the row above) that supports Smart Licensing | Action is required: You must reregister the product instance. Generate an ID token in the CSSM Web UI and on the product instance, configure the license smart register idtoken idtoken command in global configuration mode.
High Availability set-up, connected directly to CSSM, and trust established. | Any release that supports Smart Licensing | Action is required: You must reregister the product instance. Generate an ID token in the CSSM Web UI and on the product instance, configure the license smart register idtoken idtoken all command in global configuration mode.
Any other topology (Connected to CSSM Through CSLU, CSLU Disconnected from CSSM, No Connectivity to CSSM and No CSLU) | Any release that supports Smart Licensing | Action is required. Restore licenses to a registered and authorized state by following the procedures that are applicable in the Smart Licensing environment.

Upgrade and Then Downgrade
This section describes considerations and actions that apply if a product instance is upgraded to a software version that supports Smart Licensing Using Policy and then downgraded to an earlier licensing model.
When you downgrade such a product instance, license consumption does not change and any product features you have configured on the product instance are preserved; only the features and functions that are available with Smart Licensing Using Policy are not available anymore. Refer to the corresponding section below to know more about reverting to an earlier licensing model.
Upgrade to Smart Licensing Using Policy and then Downgrade to Smart Licensing
The outcome of the downgrade depends on whether a trust code was installed while you were still operating in the Smart Licensing Using Policy environment, and further action may be required depending on the release you downgrade to. See the table below.
Table 6: Outcome and Action for Upgrade to Smart Licensing Using Policy and then Downgrade to Smart Licensing

In the Smart Licensing Using Policy Environment | Downgrade to.. | Outcome and Further Action
Standalone product instance, connected directly to CSSM, and trust established. | Cisco IOS XE Amsterdam 17.3.1, OR Cisco IOS XE Gibraltar 16.12.4 and later releases in Cisco IOS XE Gibraltar 16.12.x | No further action is required. The system recognizes the trust code and converts it back to a registered ID token, and this reverts the license to an AUTHORIZED and REGISTERED state.
Standalone product instance, connected directly to CSSM, and trust established. | Any other release (other than the ones mentioned in the row above) that supports Smart Licensing | Action is required: You must reregister the product instance. Generate an ID token in the CSSM Web UI and on the product instance, configure the license smart register idtoken idtoken command in global configuration mode.
High Availability set-up, connected directly to CSSM, and trust established. | Any release that supports Smart Licensing | Action is required: You must reregister the product instance. Generate an ID token in the CSSM Web UI and on the product instance, configure the license smart register idtoken idtoken all command in global configuration mode.
Any other topology (Connected to CSSM Through CSLU, CSLU Disconnected from CSSM, No Connectivity to CSSM and No CSLU) | Any release that supports Smart Licensing | Action is required. Restore licenses to a registered and authorized state by following the procedures that are applicable in the Smart Licensing environment.

Note Licenses that were in an evaluation or expired state in the Smart Licensing environment revert to that same state after downgrade.

Upgrade to Smart Licensing Using Policy and then Downgrade to SLR
To revert to SLR, all that is required is for the image to be downgraded. The license remains reserved and authorized; no further action is required. However, if you have returned an SLR while in the Smart Licensing Using Policy environment, then you must repeat the process of procuring an SLR as required, in the supported release.
How to Configure Smart Licensing Using Policy: Workflows by Topology
This section provides the simplest and fastest way to implement a topology.
Note These workflows are meant for new deployments only. If you are migrating from an existing licensing model, see Migrating to Smart Licensing Using Policy, on page 88.
Workflow for Topology: Connected to CSSM Through CSLU
Depending on whether you want to implement a product instance-initiated or CSLU-initiated method of communication, complete the corresponding sequence of tasks:
· Tasks for Product Instance-Initiated Communication
· Tasks for CSLU-Initiated Communication

Tasks for Product Instance-Initiated Communication
CSLU Installation → CSLU Preference Settings → Product Instance Configuration
1. CSLU Installation
Where task is performed: A Windows host (laptop, desktop, or a Virtual Machine (VM))
Download the file from Smart Software Manager > Smart Licensing Utility. Refer to Cisco Smart License Utility Quick Start Setup Guide for help with installation and set-up.
2. CSLU Preference Settings
Where tasks are performed: CSLU
a. Logging into Cisco (CSLU Interface), on page 109
b. Configuring a Smart Account and a Virtual Account (CSLU Interface), on page 109
c. Adding a Product-Initiated Product Instance in CSLU (CSLU Interface), on page 110
3. Product Instance Configuration
Where tasks are performed: Product Instance
a. Ensuring Network Reachability for Product Instance-Initiated Communication, on page 110
b. Ensure that transport type is set to cslu.
CSLU is the default transport type. If you have configured a different option, enter the license smart transport cslu command in global configuration mode. Save any changes to the configuration file.
Device(config)# license smart transport cslu
Device(config)# exit
Device# copy running-config startup-config
c. Specify how you want CSLU to be discovered (choose one):
· Option 1:
No action required. Name server configured for Zero-touch DNS discovery of cslu-local
Here, if you have configured DNS (the name server IP address is configured on the product instance), and the DNS server has an entry where hostname cslu-local is mapped to the CSLU IP address, then no further action is required. The product instance automatically discovers hostname cslu-local.
· Option 2:
No action required. Name server and domain configured for Zero-touch DNS discovery of
cslu-local.<domain>
Here if you have configured DNS (the name server IP address and domain is configured on the product instance), and the DNS server has an entry where cslu-local.<domain> is mapped to the CSLU IP address, then no further action is required. The product instance automatically discovers hostname cslu-local.
· Option 3:
Configure a specific URL for CSLU.
Enter the license smart url cslu http://<cslu_ip_or_host>:8182/cslu/v1/pi command in global configuration mode. For <cslu_ip_or_host>, enter the hostname or the IP address of the Windows host where you have installed CSLU. 8182 is the port number and it is the only port number that CSLU uses. Note that this URL uses plain HTTP (no TLS), so the RUM reports and the ACKs that carry trust codes travel unencrypted between the product instance and the CSLU host; keep that path on a trusted management network.
Device(config)# license smart url cslu http://192.168.0.1:8182/cslu/v1/pi
Device(config)# exit
Device# copy running-config startup-config
Result:
Since the product instance initiates communication, it automatically sends out the first RUM report at the scheduled time, as per the policy. CSLU forwards the RUM report to CSSM and retrieves the ACK, which also contains the trust code. The ACK is applied to the product instance the next time the product instance contacts CSLU.
In the Cisco IOS XE Amsterdam 17.3.6 and later releases of the 17.3.x train: The product instance does not send more than one RUM report a day. You can override this for an on-demand synchronization between the product instance and CSSM, by entering the license smart sync command in privileged EXEC mode.

To know when the product instance will be sending the next RUM report, enter the show license all command in privileged EXEC mode and in the output, check the date in the Next report push field. In case of a change in license usage, see Configuring an AIR License, on page 146 to know how it affects reporting.
Tasks for CSLU-Initiated Communication
CSLU Installation → CSLU Preference Settings → Product Instance Configuration → Usage Synchronization
1. CSLU Installation
Where task is performed: A Windows host (laptop, desktop, or a Virtual Machine (VM))
Download the file from Smart Software Manager > Smart Licensing Utility. Refer to Cisco Smart License Utility Quick Start Setup Guide for help with installation and set-up.
2. CSLU Preference Settings
Where tasks are performed: CSLU
a. Logging into Cisco (CSLU Interface), on page 109
b. Configuring a Smart Account and a Virtual Account (CSLU Interface), on page 109
c. Adding a CSLU-Initiated Product Instance in CSLU (CSLU Interface), on page 112
3. Product Instance Configuration
Where task is performed: Product Instance
Ensuring Network Reachability for CSLU-Initiated Communication, on page 114
4. Usage Synchronization
Where task is performed: Product Instance
Collecting Usage Reports: CSLU Initiated (CSLU Interface), on page 112
Result: Since CSLU is logged into CSSM, the reports are automatically sent to the associated Smart Account and Virtual Account in CSSM. CSSM sends an ACK to CSLU, which forwards it to the product instance for installation. The ACK from CSSM contains the trust code and SLAC if this was requested. In case of a change in license usage, see Configuring an AIR License, on page 146 to know how it affects reporting.
Workflow for Topology: Connected Directly to CSSM
Smart Account Set-Up → Product Instance Configuration → Trust Establishment with CSSM
1. Smart Account Set-Up
Where task is performed: CSSM Web UI, https://software.cisco.com/

Ensure that you have a user role with proper access rights to a Smart Account and the required Virtual Accounts.
2. Product Instance Configuration
Where tasks are performed: Product Instance
a. Set up the product instance connection to CSSM: Setting Up a Connection to CSSM, on page 129
b. Configure a connection method and transport type (choose one):
· Option 1: Smart transport. Set transport type to smart and configure the corresponding URL. If the transport mode is set to license smart transport smart, and you configure license smart url default, the Smart URL (https://smartreceiver.cisco.com/licservice/license) is automatically configured. Save any changes to the configuration file.
Device(config)# license smart transport smart
Device(config)# license smart url default
Device(config)# exit
Device# copy running-config startup-config
· Option 2: Configure Smart transport through an HTTPs proxy. See Configuring Smart Transport Through an HTTPs Proxy, on page 131
· Option 3: Configure Call Home service for direct cloud access. See Configuring the Call Home Service for Direct Cloud Access, on page 132.
· Option 4: Configure Call Home service for direct cloud access through an HTTPs proxy. See Configuring the Call Home Service for Direct Cloud Access through an HTTPs Proxy Server, on page 135.
3. Trust Establishment with CSSM
Where task is performed: CSSM Web UI and then the product instance
a. Generate one token for each Virtual Account you have. You can use the same token for all the product instances that are part of one Virtual Account: Generating a New Token for a Trust Code from CSSM, on page 139
b. Having downloaded the token, you can now install the trust code on the product instance: Installing a Trust Code, on page 139
Result: After establishing trust, CSSM returns a policy. The policy is automatically installed on all product instances of that Virtual Account. The policy specifies if and how often the product instance reports usage.
In the Cisco IOS XE Amsterdam 17.3.6 and later releases of the 17.3.x train: The product instance does not send more than one RUM report a day. You can override this for an on-demand synchronization between the product instance and CSSM, by entering the license smart sync command in privileged EXEC mode.

To change the reporting interval, configure the license smart usage interval command in global configuration mode. For syntax details see the license smart (privileged EXEC) command in the Command Reference for the corresponding release. In case of a change in license usage, see Configuring an AIR License, on page 146 to know how it affects reporting.
Workflow for Topology: CSLU Disconnected from CSSM
Depending on whether you want to implement a product instance-initiated or CSLU-initiated method of communication, complete the corresponding sequence of tasks below:
· Tasks for Product Instance-Initiated Communication
· Tasks for CSLU-Initiated Communication

Tasks for Product Instance-Initiated Communication
CSLU Installation → CSLU Preference Settings → Product Instance Configuration → Usage Synchronization
1. CSLU Installation
Where task is performed: A Windows host (laptop, desktop, or a Virtual Machine (VM))
Download the file from Smart Software Manager > Smart Licensing Utility. Refer to Cisco Smart License Utility Quick Start Setup Guide for help with installation and set-up.
2. CSLU Preference Settings
Where tasks are performed: CSLU
a. In the CSLU Preferences tab, click the Cisco Connectivity toggle switch to off. The field switches to "Cisco Is Not Available".
b. Configuring a Smart Account and a Virtual Account (CSLU Interface), on page 109
c. Adding a Product-Initiated Product Instance in CSLU (CSLU Interface), on page 110
3. Product Instance Configuration
Where tasks are performed: Product Instance
a. Ensuring Network Reachability for Product Instance-Initiated Communication, on page 110
b. Ensure that transport type is set to cslu. CSLU is the default transport type. If you have configured a different option, enter the license smart transport cslu command in global configuration mode. Save any changes to the configuration file.
Device(config)# license smart transport cslu
Device(config)# exit
Device# copy running-config startup-config
c. Specify how you want CSLU to be discovered (choose one):
· Option 1:
No action required. Name server configured for Zero-touch DNS discovery of cslu-local

Here, if you have configured DNS (the name server IP address is configured on the product instance), and the DNS server has an entry where hostname cslu-local is mapped to the CSLU IP address, then no further action is required. The product instance automatically discovers hostname cslu-local.
· Option 2:
No action required. Name server and domain configured for Zero-touch DNS discovery of
cslu-local.<domain>
Here if you have configured DNS (the name server IP address and domain is configured on the product instance), and the DNS server has an entry where cslu-local.<domain> is mapped to the CSLU IP address, then no further action is required. The product instance automatically discovers hostname cslu-local.
· Option 3:
Configure a specific URL for CSLU.
Enter the license smart url cslu http://<cslu_ip_or_host>:8182/cslu/v1/pi command in global configuration mode. For <cslu_ip_or_host>, enter the hostname or the IP address of the Windows host where you have installed CSLU. 8182 is the port number and it is the only port number that CSLU uses.
Device(config)# license smart url cslu http://192.168.0.1:8182/cslu/v1/pi
Device(config)# exit
Device# copy running-config startup-config
4. Usage Synchronization
Where tasks are performed: CSLU and CSSM
Since the product instance initiates communication, it automatically sends out the first RUM report at the scheduled time, as per the policy. You can also enter the license smart sync privileged EXEC command to trigger this. Along with this first report, if applicable, it sends a request for a UDI-tied trust code. Since CSLU is disconnected from CSSM, perform the following tasks to send the RUM Reports to CSSM.
a. Export to CSSM (CSLU Interface), on page 113
b. Uploading Data or Requests to CSSM and Downloading a File, on page 141
c. Import from CSSM (CSLU Interface), on page 114
Result:
The ACK is applied to the product instance the next time the product instance contacts CSLU.
In the Cisco IOS XE Amsterdam 17.3.6 and later releases of the 17.3.x train: The product instance does not send more than one RUM report a day. You can override this for an on-demand synchronization between the product instance and CSSM, by entering the license smart sync command in privileged EXEC mode.
To know when the product instance will be sending the next RUM report, enter the show license all command in privileged EXEC mode and in the output, check the date for the Next report push field.
In case of a change in license usage, see Configuring an AIR License, on page 146 to know how it affects reporting.
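The three CSLU discovery options in step 3c of the product instance-initiated workflows above (Zero-touch DNS discovery of cslu-local, Zero-touch DNS discovery of cslu-local.<domain>, and an explicitly configured URL) can be modelled to check a planned configuration before it is pushed. The following Python is an added example, not Cisco's code and not taken from the guide: DNS is simulated with a dict so it runs offline, the precedence between the three options is an assumption, and the port (8182) and path (/cslu/v1/pi) checks come from the guide's own statement that 8182 is the only port CSLU uses.

```python
# Added example (not from the Cisco guide): model of CSLU discovery on a
# product instance and validation of an explicit 'license smart url cslu' value.
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlparse

CSLU_PORT = 8182              # the only port CSLU uses (stated in the guide)
CSLU_PI_PATH = "/cslu/v1/pi"  # product-instance endpoint path (from the guide)
CSLU_HOSTNAME = "cslu-local"  # Zero-touch discovery hostname (from the guide)


@dataclass
class ProductInstanceDns:
    """DNS settings configured on the product instance (assumed representation)."""
    name_server: Optional[str] = None   # e.g. "10.0.0.53"; None if not configured
    domain: Optional[str] = None        # e.g. "example.net"; None if not configured


def validate_cslu_url(url: str) -> str:
    """Reject an explicit CSLU URL that could not reach CSLU.

    The guide fixes the port and the path; a typo in either would only show up
    later as a missed RUM report, so it is cheaper to catch it here.
    """
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):   # guide shows http; https is an assumption
        raise ValueError(f"unexpected scheme {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("URL has no host")
    if parts.port != CSLU_PORT:
        raise ValueError(f"port must be {CSLU_PORT}, got {parts.port}")
    if parts.path != CSLU_PI_PATH:
        raise ValueError(f"path must be {CSLU_PI_PATH}, got {parts.path!r}")
    return url


def discover_cslu_url(dns: ProductInstanceDns,
                      dns_records: Dict[str, str],
                      explicit_url: Optional[str] = None) -> Optional[str]:
    """Return the URL the product instance would use to contact CSLU, or None.

    Option 3 (explicit URL) is tried first, then Option 1 (cslu-local), then
    Option 2 (cslu-local.<domain>). This order is an assumption of the model.
    """
    if explicit_url is not None:
        return validate_cslu_url(explicit_url)
    if dns.name_server is None:
        return None   # Zero-touch discovery needs a name server on the product instance
    candidates = [CSLU_HOSTNAME]
    if dns.domain:
        candidates.append(f"{CSLU_HOSTNAME}.{dns.domain}")
    for name in candidates:
        address = dns_records.get(name)
        if address:
            return f"http://{address}:{CSLU_PORT}{CSLU_PI_PATH}"
    return None


# Constructed sample DNS data (not from the guide): only the domain-qualified
# record exists, so Option 1 alone fails and Option 2 succeeds.
SAMPLE_DNS_RECORDS = {"cslu-local.example.net": "192.168.0.1"}


def demo() -> Dict[str, Optional[str]]:
    """Run the discovery options against the constructed data."""
    with_domain = ProductInstanceDns(name_server="10.0.0.53", domain="example.net")
    no_domain = ProductInstanceDns(name_server="10.0.0.53")
    no_dns = ProductInstanceDns()
    return {
        "option2_domain_record": discover_cslu_url(with_domain, SAMPLE_DNS_RECORDS),
        "option1_missing_record": discover_cslu_url(no_domain, SAMPLE_DNS_RECORDS),
        "no_name_server": discover_cslu_url(no_dns, SAMPLE_DNS_RECORDS),
        "option3_explicit": discover_cslu_url(
            no_dns, SAMPLE_DNS_RECORDS, "http://192.168.0.1:8182/cslu/v1/pi"),
    }


if __name__ == "__main__":
    for case, url in demo().items():
        print(f"{case}: {url}")
```

The no-name-server case returns None rather than a guessed address because, as the workflow states, Zero-touch discovery depends on DNS being configured on the product instance; without it only Option 3 can work.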

Tasks for CSLU-Initiated Communication
CSLU Installation → CSLU Preference Settings → Product Instance Configuration → Usage Synchronization
1. CSLU Installation
Where task is performed: A Windows host (laptop, desktop, or a Virtual Machine (VM))
Download the file from Smart Software Manager > Smart Licensing Utility. Refer to Cisco Smart License Utility Quick Start Setup Guide for help with installation and set-up.
2. CSLU Preference Settings
Where tasks are performed: CSLU
a. In the CSLU Preferences tab, click the Cisco Connectivity toggle switch to off. The field switches to "Cisco Is Not Available".
b. Configuring a Smart Account and a Virtual Account (CSLU Interface), on page 109
c. Adding a CSLU-Initiated Product Instance in CSLU (CSLU Interface), on page 112
d. Collecting Usage Reports: CSLU Initiated (CSLU Interface), on page 112
3. Product Instance Configuration
Where task is performed: Product Instance
Ensuring Network Reachability for CSLU-Initiated Communication, on page 114
4. Usage Synchronization
Where tasks are performed: CSLU and CSSM
Collect usage data from the product instance. Since CSLU is disconnected from CSSM, you then save the usage data that CSLU has collected from the product instance to a file. Along with this first report, if applicable, an authorization code and a UDI-tied trust code request is included in the RUM report. Then, from a workstation that is connected to Cisco, upload it to CSSM. After this, download the ACK from CSSM. On the workstation where CSLU is installed and connected to the product instance, upload the file to CSLU.
a. Export to CSSM (CSLU Interface), on page 113
b. Uploading Data or Requests to CSSM and Downloading a File, on page 141
c. Import from CSSM (CSLU Interface), on page 114
Result: The ACK you have imported from CSSM contains the trust code and SLAC if this was requested. The uploaded ACK is applied to the product instance the next time CSLU runs an update. In case of a change in license usage, see Configuring an AIR License, on page 146 to know how it affects reporting.
Workflow for Topology: Connected to CSSM Through a Controller
To deploy Cisco DNA Center as the controller, complete the following workflow:

Product Instance Configuration → Cisco DNA Center Configuration
1. Product Instance Configuration
Where task is performed: Product Instance
Enable NETCONF. Cisco DNA Center uses the NETCONF protocol to provision configuration and retrieve the required information from the product instance - the product instance must therefore have NETCONF enabled, to facilitate this.
For more information, see the Programmability Configuration Guide, Cisco IOS XE Amsterdam 17.3.x. In the guide, go to Model-Driven Programmability > NETCONF Protocol.
2. Cisco DNA Center Configuration
Where tasks are performed: Cisco DNA Center GUI
An outline of the tasks you must complete and the accompanying documentation reference is provided below. The document provides detailed steps you have to complete in the Cisco DNA Center GUI:
a. Set-up the Smart Account and Virtual Account.
Enter the same log in credentials that you use to log in to the CSSM Web UI. This enables Cisco DNA Center to establish a connection with CSSM.
See the Cisco DNA Center Administrator Guide of the required release (Release 2.2.2 onwards) > Manage Licenses > Set Up License Manager.
b. Add the required product instances to Cisco DNA Center inventory and assign them to a site.
This enables Cisco DNA Center to push any necessary configuration, including the required certificates, for Smart Licensing Using Policy to work as expected.
See the Cisco DNA Center User Guide of the required release (Release 2.2.2 onwards) > Display Your Network Topology > Assign Devices to a Site.
Result:
After you implement the topology, you must trigger the very first ad hoc report in Cisco DNA Center, to establish a mapping between the Smart Account and Virtual Account, and product instance. See the Cisco DNA Center Administrator Guide of the required release (Release 2.2.2 onwards) > Manage Licenses > Upload Resource Utilization Details to CSSM. Once this is done, Cisco DNA Center handles subsequent reporting based on the reporting policy.
If multiple policies are available, Cisco DNA Center maintains the narrowest reporting interval. You can change this, but only to report more frequently (a narrower interval). See the Cisco DNA Center Administrator Guide of the required release (Release 2.2.2 onwards) > Manage Licenses > Modify License Policy.
If you want to change the license level after this, see the Cisco DNA Center Administrator Guide of the required release (Release 2.2.2 onwards) > Manage Licenses > Change License Level.
Workflow for Topology: No Connectivity to CSSM and No CSLU
Since you do not have to configure connectivity to any other component, the list of tasks required to set up the topology is a small one. See the Results section at the end of the workflow to know how you can complete requisite usage reporting after you have implemented this topology.
Product Instance Configuration

Where task is performed: Product Instance
Set transport type to off. Enter the license smart transport off command in global configuration mode. Save any changes to the configuration file.
Device(config)# license smart transport off
Device(config)# exit
Device# copy running-config startup-config
Result: All communication to and from the product instance is disabled. To report license usage, you must save RUM reports to a file on the product instance and then, from a workstation that has connectivity to the Internet and Cisco, upload the file to CSSM:
1. Generate and save RUM reports
Enter the license smart save usage command in privileged EXEC mode. In the example below, all RUM reports are saved to the flash memory of the product instance in file all_rum.txt; the file is first saved to bootflash and then copied to a TFTP location. TFTP provides no authentication or encryption, so perform the copy only over a trusted management network.
Device# license smart save usage all file bootflash:all_rum.txt
Device# copy bootflash:all_rum.txt tftp://10.8.0.6/all_rum.txt
2. Upload usage data to CSSM: Uploading Data or Requests to CSSM and Downloading a File, on page 141.
3. Install the ACK on the product instance: Installing a File on the Product Instance, on page 142
If you want to change license usage, see Configuring an AIR License, on page 146. If you want to return an SLR authorization code, see Removing and Returning an Authorization Code, on page 136.
Workflow for Topology: SSM On-Prem Deployment
Depending on whether you want to implement a product instance-initiated (push) or SSM On-Prem-initiated (pull) method of communication, complete the corresponding sequence of tasks.
Tasks for Product Instance-Initiated Communication
SSM On-Prem Installation > Addition and Validation of Product Instances (Only if Applicable) > Product Instance Configuration > Initial Usage Synchronization

1. SSM On-Prem Installation
Where task is performed: A physical server such as a Cisco UCS C220 M3 Rack Server, or a hardware-based server that meets the necessary requirements. Download the file from Smart Software Manager > Smart Software Manager On-Prem. Refer to the Cisco Smart Software On-Prem Installation Guide and the Cisco Smart Software On-Prem User Guide for help with installation. Installation is complete when you have deployed SSM On-Prem, configured a common name on SSM On-Prem (Security Widget > Certificates), synchronized the NTP server (Settings widget > Time Settings), and created, registered, and synchronized (Synchronization widget) the SSM On-Prem local account with your Smart Account and Virtual Account in CSSM.


Note Licensing functions in the On-Prem Licensing Workspace are greyed out until you complete the creation, registration, and synchronization of the local account with your Smart Account in CSSM. The local account synchronization with CSSM makes the SSM On-Prem instance known to CSSM, and is different from usage synchronization, which is performed in 4. Initial Usage Synchronization below.
2. Addition and Validation of Product Instances
Where tasks are performed: SSM On-Prem UI
This step ensures that the product instances are validated and mapped to the applicable Smart Account and Virtual Account in CSSM. This step is required only in the following cases:
· If you want your product instances to be added and validated in SSM On-Prem before they are reported in CSSM (for added security).
· If you have created local virtual accounts (in addition to the default local virtual account) in SSM On-Prem. In this case you must provide SSM On-Prem with the Smart Account and Virtual Account information for the product instances in these local virtual accounts, so that SSM On-Prem can report usage to the correct license pool in CSSM.
a. Assigning a Smart Account and Virtual Account (SSM On-Prem UI), on page 118
b. Validating Devices (SSM On-Prem UI), on page 119
Note If your product instance is in a NAT set-up, also enable support for a NAT Setup when you enable device validation; both toggle switches are in the same window.

3. Product Instance Configuration
Where tasks are performed: Product Instance and the SSM On-Prem UI
Remember to save any configuration changes on the product instance, by entering the copy running-config startup-config command in privileged EXEC mode.
a. Ensuring Network Reachability for Product Instance-Initiated Communication, on page 119
b. Retrieving the Transport URL (SSM On-Prem UI), on page 122
c. Setting the Transport Type, URL, and Reporting Interval, on page 143
The transport type configuration for CSLU and SSM On-Prem is the same (license smart transport cslu command in global configuration mode), but the URLs are different.

4. Initial Usage Synchronization
Where tasks are performed: Product instance, SSM On-Prem, CSSM
a. Synchronize the product instance with SSM On-Prem. On the product instance, enter the license smart sync {all | local} command in privileged EXEC mode. This synchronizes the product instance with SSM On-Prem, to send and receive any pending data. For example:

Device# license smart sync local
You can verify this in the SSM On-Prem UI. Log in and select the Smart Licensing workspace. Navigate to the Inventory > SL Using Policy tab. In the Alerts column of the corresponding product instance, the following message is displayed: Usage report from product instance.
Note If you have not performed Step 2 above (Addition and Validation of Product Instances), completing this sub-step will add the product instance to the SSM On-Prem database.
b. Synchronize usage information with CSSM (choose one):
· Option 1: SSM On-Prem is connected to CSSM: In the SSM On-Prem UI, Smart Licensing workspace, navigate to Reports > Usage Schedules > Synchronize now with Cisco.
· Option 2: SSM On-Prem is not connected to CSSM: See Exporting and Importing Usage Data (SSM On-Prem UI), on page 122.
Result: You have completed initial usage synchronization. Product instance and license usage information is now displayed in SSM On-Prem. For subsequent reporting, you have the following options:
· To synchronize data between the product instance and SSM On-Prem: schedule periodic synchronization between the product instance and SSM On-Prem by configuring the reporting interval. Enter the license smart usage interval interval_in_days command in global configuration mode.
In Cisco IOS XE Amsterdam 17.3.6 and later releases of the 17.3.x train, the product instance does not send more than one RUM report a day. You can override this with an on-demand synchronization, by entering the license smart sync command in privileged EXEC mode. To know when the product instance will send the next RUM report, enter the show license all command in privileged EXEC mode and check the Next report push: field in the output.
· To synchronize usage information with CSSM, schedule periodic synchronization, or upload and download the required files:
· Schedule periodic synchronization with CSSM. In the SSM On-Prem UI, navigate to Reports > Usage Schedules > Synchronization schedule with Cisco. Enter the following frequency information and save:
· Days: Refers to how often synchronization occurs. For example, if you enter 2, synchronization occurs once every two days.
· Time of Day: Refers to the time at which synchronization occurs, in 24-hour notation. For example, if you enter 14 hours and 0 minutes, synchronization occurs at 2 p.m. (1400) in your local time zone.


· Upload and download the required files for reporting: Exporting and Importing Usage Data (SSM On-Prem UI), on page 122.
Tasks for SSM On-Prem Instance-Initiated Communication
SSM On-Prem Installation > Product Instance Addition > Product Instance Configuration > Initial Usage Synchronization

1. SSM On-Prem Installation
Where task is performed: A physical server such as a Cisco UCS C220 M3 Rack Server, or a hardware-based server that meets the necessary requirements. Download the file from Smart Software Manager > Smart Software Manager On-Prem. Refer to the Cisco Smart Software On-Prem Installation Guide and the Cisco Smart Software On-Prem User Guide for help with installation. Installation is complete when you have deployed SSM On-Prem, configured a common name on SSM On-Prem (Security Widget > Certificates), synchronized the NTP server (Settings widget > Time Settings), and created, registered, and synchronized (Synchronization widget) the SSM On-Prem local account with your Smart Account and Virtual Account in CSSM.
Note Licensing functions in the On-Prem Licensing Workspace are greyed-out until you complete the creation, registration, and synchronization of the local account with your Smart Account in CSSM. The local account synchronization with CSSM is for the SSM On-Prem instance to be known to CSSM, and is different from usage synchronization which is performed in 4. Initial Usage Synchronization below.
2. Product Instance Addition
Where task is performed: SSM On-Prem UI
Depending on whether you want to add a single product instance or multiple product instances, follow the corresponding sub-steps: Adding One or More Product Instances (SSM On-Prem UI), on page 123.

3. Product Instance Configuration
Where tasks are performed: Product Instance and the SSM On-Prem UI
Remember to save any configuration changes on the product instance, by entering the copy running-config startup-config command in privileged EXEC mode: Ensuring Network Reachability for SSM On-Prem-Initiated Communication, on page 124.

4. Initial Usage Synchronization
Where tasks are performed: SSM On-Prem UI, and CSSM
a. Retrieve usage information from the product instance. In the SSM On-Prem UI, navigate to Reports > Synchronisation pull schedule with the devices > Synchronise now with the device. In the Alerts column, the following message is displayed: Usage report from product instance.


Tip It takes 60 seconds before synchronization is triggered. To view progress, navigate to the On-Prem Admin Workspace, and click the Support Centre widget. The system logs here display progress.
b. Synchronize usage information with CSSM (choose one):
· Option 1: SSM On-Prem is connected to CSSM: In the SSM On-Prem UI, Smart Licensing workspace, navigate to Reports > Usage Schedules > Synchronize now with Cisco.
· Option 2: SSM On-Prem is not connected to CSSM. See: Exporting and Importing Usage Data (SSM On-Prem UI), on page 122.
Result: You have completed initial usage synchronization. Product instance and license usage information is now displayed in SSM On-Prem. SSM On-Prem automatically sends the ACK back to the product instance. To verify that the product instance has received the ACK, enter the show license status command in privileged EXEC mode, and in the output, check the date in the Last ACK received field. For subsequent reporting, you have the following options:
· To retrieve usage information from the product instance, you can:
· Retrieve it on demand. In the SSM On-Prem UI, Smart Licensing workspace, navigate to Reports > Synchronisation pull schedule with the devices > Synchronise now with the device.
· Schedule periodic retrieval of information from the product instance by configuring a frequency. In the SSM On-Prem UI, Smart Licensing workspace, navigate to Reports > Usage Schedules > Synchronisation pull schedule with the devices. Enter values in the following fields:
· Days: Refers to how often synchronization occurs. For example, if you enter 2, synchronization occurs once every two days.
· Time of Day: Refers to the time at which synchronization occurs, in 24-hour notation. For example, if you enter 14 hours and 0 minutes, synchronization occurs at 2 p.m. (1400).
· Collect usage data from the product instance without being connected to CSSM. In the SSM On-Prem UI, Smart Licensing workspace, navigate to the Inventory > SL Using Policy tab. Select one or more product instances by enabling the corresponding check box. Click Actions for Selected... > Collect Usage. SSM On-Prem connects to the selected product instances and collects their usage reports, which are stored in the SSM On-Prem local library. If SSM On-Prem is connected to Cisco, these reports can then be transferred to Cisco; if it is not, export them manually by selecting Export/Import All... > Export Usage to Cisco.
· To synchronize usage information with CSSM, you can:
· Schedule periodic synchronization with CSSM. In the SSM On-Prem UI, navigate to Reports > Usage Schedules > Synchronization schedule with Cisco. Enter the following frequency information and save:

· Days: Refers to how often synchronization occurs. For example, if you enter 2, synchronization occurs once every two days.
· Time of Day: Refers to the time at which synchronization occurs, in 24-hour notation. For example, if you enter 14 hours and 0 minutes, synchronization occurs at 2 p.m. (1400).
· Upload and download the required files for reporting: Exporting and Importing Usage Data (SSM On-Prem UI), on page 122.
Migrating to Smart Licensing Using Policy
To upgrade to Smart Licensing Using Policy, you must upgrade the software version (image) on the product instance to a supported version.
Before you Begin
Ensure that you have read the Upgrades, on page 71 section, to understand how Smart Licensing Using Policy handles all earlier licensing models.
Smart Licensing Using Policy is introduced in Cisco IOS XE Amsterdam 17.3.2a. This is therefore the minimum required version for Smart Licensing Using Policy.
Note that all the licenses that you are using prior to migration will be available after upgrade. This means that not only registered and authorized licenses (including reserved licenses), but also evaluation licenses will be migrated. The advantage with migrating registered and authorized licenses is that you will have fewer configuration steps to complete after migration, because your configuration is retained after upgrade (transport type configuration, configuration for connection to CSSM, and all authorization codes). This ensures a smoother transition to the Smart Licensing Using Policy environment.
Device-led conversion is not supported for migration to Smart Licensing Using Policy.
Upgrading the Wireless Controller Software For information about the upgrade procedure:
· For Cisco Embedded Wireless Controller on Cisco Catalyst 9100 Access Points, see the Software Upgrade section in the Cisco Embedded Wireless Controller on Catalyst Access Points Online Help
· For all other supported wireless controllers, see the System Upgrade > Upgrading the Cisco Catalyst 9800 Wireless Controller Software section of the Cisco Catalyst 9800 Series Wireless Controller Software Configuration Guide for the required release.
You can use the procedure to upgrade in install mode or by ISSU (ISSU only on supported platforms and supported releases).
After Upgrading the Software Version
· Complete topology implementation. If a transport mode is available in your pre-upgrade set-up, this is retained after you upgrade. Only in some cases, like with evaluation licenses or with licensing models where the notion of a transport type does not exist, the default (cslu) is applied; in these cases you may have a few more steps to complete before you are set to operate in the Smart Licensing Using Policy environment.
No matter which licensing model you upgrade from, you can change the topology after upgrade.
· Synchronize license usage with CSSM
No matter which licensing model you are upgrading from and no matter which topology you implement, synchronize your usage information with CSSM. For this you have to follow the reporting method that applies to the topology you implement. This initial synchronization ensures that up-to-date usage information is reflected in CSSM and that a custom policy (if available) is applied. The policy that is applicable after this synchronization also indicates subsequent reporting requirements. These rules are also tabulated in How Upgrade Affects Reporting for Existing Licenses, on page 71.

Note After initial usage synchronization is completed, reporting is required only if the policy, or, system messages indicate that it is.
Sample Migration Scenarios Sample migration scenarios have been provided considering the various existing licensing models and licenses. All scenarios provide sample outputs before and after migration, any CSSM Web UI changes to look out for (as an indicator of a successful migration or further action), and how to identify and complete any necessary post-migration steps.

Note For SSM On-Prem, the sequence in which you perform the various upgrade-related activities is crucial. So only for this scenario, the migration sequence has been provided - and not an example.

Example: Smart Licensing to Smart Licensing Using Policy
The following is an example of a Cisco Catalyst 9800-CL Wireless Controller migrating from Smart Licensing to Smart Licensing Using Policy.
· Table 7: Smart Licensing to Smart Licensing Using Policy: show Commands, on page 89
· The CSSM Web UI After Migration, on page 93
· Reporting After Migration, on page 96

The show command outputs below call out the key fields to check, before and after migration.
Table 7: Smart Licensing to Smart Licensing Using Policy: show Commands

Before Upgrade (Smart Licensing): show license summary
The Status and License Authorization fields show that the license is REGISTERED and AUTHORIZED.

Device# show license summary
Smart Licensing is ENABLED

Registration:
  Status: REGISTERED
  Smart Account: SA-Eg-Company-02
  Virtual Account: Dept-02
  Export-Controlled Functionality: ALLOWED
  Last Renewal Attempt: None
  Next Renewal Attempt: May 01 08:19:02 2021 IST

License Authorization:
  Status: AUTHORIZED
  Last Communication Attempt: SUCCEEDED
  Next Communication Attempt: Dec 02 08:19:09 2020 IST

License Usage:
  License                  Entitlement tag        Count Status
  ------------------------------------------------------------------
  AP Perpetual Network...  (DNA_NWSTACK_E)        1     AUTHORIZED
  Aironet DNA Essentia...  (AIR-DNA-E)            1     AUTHORIZED

After Upgrade (Smart Licensing Using Policy): show license summary
The Status field shows that the licenses are now IN USE instead of registered and authorized.

Device# show license summary
License Usage:
  License                  Entitlement Tag        Count Status
  ---------------------------------------------------------------
  air-network-essentials   (DNA_NWSTACK_E)        1     IN USE
  air-dna-essentials       (AIR-DNA-E)            1     IN USE

Before Upgrade (Smart Licensing): show license usage
One perpetual and one subscription license are being used before upgrade.

Device# show license usage
License Authorization:
  Status: AUTHORIZED on Nov 02 08:21:29 2020 IST

AP Perpetual Networkstack Essentials (DNA_NWSTACK_E):
  Description: AP Perpetual Network Stack entitled with DNA-E
  Count: 1
  Version: 1.0
  Status: AUTHORIZED
  Export status: NOT RESTRICTED

Aironet DNA Essentials Term Licenses (AIR-DNA-E):
  Description: DNA Essentials for Wireless
  Count: 1
  Version: 1.0
  Status: AUTHORIZED
  Export status: NOT RESTRICTED

After Upgrade (Smart Licensing Using Policy): show license usage
All licenses are migrated and the Enforcement type field displays NOT ENFORCED. There are no export-controlled or enforced licenses on Cisco Catalyst Wireless Controllers.

Device# show license usage
License Authorization:
  Status: Not Applicable

air-network-essentials (DNA_NWSTACK_E):
  Description: air-network-essentials
  Count: 1
  Version: 1.0
  Status: IN USE
  Export status: NOT RESTRICTED
  Feature Name: air-network-essentials
  Feature Description: air-network-essentials
  Enforcement type: NOT ENFORCED
  License type: Perpetual

air-dna-essentials (AIR-DNA-E):
  Description: air-dna-essentials
  Count: 1
  Version: 1.0
  Status: IN USE
  Export status: NOT RESTRICTED
  Feature Name: air-dna-essentials
  Feature Description: air-dna-essentials
  Enforcement type: NOT ENFORCED
  License type: Perpetual

Before Upgrade (Smart Licensing): show license status

After Upgrade (Smart Licensing Using Policy): show license status
The Transport: field shows that the transport type configured before upgrade is retained after upgrade.
The Policy: header and details show that a custom policy was available in the Smart Account or Virtual Account; it has also been automatically installed on the product instance. (After establishing trust, CSSM returns a policy, which is then automatically installed.)
The Usage Reporting: header: the Next report push: field shows when the product instance will send the next RUM report to CSSM.
The Trust Code Installed: field shows that the ID token was successfully converted and a trusted connection has been established with CSSM.


Before Upgrade (Smart Licensing): show license status

Device# show license status
Smart Licensing is ENABLED

Utility:
  Status: DISABLED

Data Privacy:
  Sending Hostname: yes
    Callhome hostname privacy: DISABLED
    Smart Licensing hostname privacy: DISABLED
  Version privacy: DISABLED

Transport:
  Type: Callhome

Registration:
  Status: REGISTERED
  Smart Account: SA-Eg-Company-02
  Virtual Account: Dept-02
  Export-Controlled Functionality: ALLOWED
  Initial Registration: SUCCEEDED on Nov 02 08:19:02 2020 IST
  Last Renewal Attempt: None
  Next Renewal Attempt: May 01 08:19:01 2021 IST
  Registration Expires: Nov 02 08:14:06 2021 IST

License Authorization:
  Status: AUTHORIZED on Nov 02 08:21:29 2020 IST
  Last Communication Attempt: SUCCEEDED on Nov 02 08:21:29 2020 IST
  Next Communication Attempt: Dec 02 08:19:09 2020 IST
  Communication Deadline: Jan 31 08:14:15 2021 IST

Export Authorization Key:
  Features Authorized:
    <none>

After Upgrade (Smart Licensing Using Policy): show license status

Device# show license status
Utility:
  Status: DISABLED

Smart Licensing Using Policy:
  Status: ENABLED

Data Privacy:
  Sending Hostname: yes
    Callhome hostname privacy: DISABLED
    Smart Licensing hostname privacy: DISABLED
  Version privacy: DISABLED

Transport:
  Type: Callhome

Policy:
  Policy in use: Installed On Nov 02 09:09:47 2020 IST
  Policy name: SLE Policy
  Reporting ACK required: yes (Customer Policy)
  Unenforced/Non-Export Perpetual Attributes:
    First report requirement (days): 60 (Customer Policy)
    Reporting frequency (days): 60 (Customer Policy)
    Report on change (days): 60 (Customer Policy)
  Unenforced/Non-Export Subscription Attributes:
    First report requirement (days): 30 (Customer Policy)
    Reporting frequency (days): 30 (Customer Policy)
    Report on change (days): 30 (Customer Policy)
  Enforced (Perpetual/Subscription) License Attributes:
    First report requirement (days): 0 (CISCO default)
    Reporting frequency (days): 90 (Customer Policy)
    Report on change (days): 90 (Customer Policy)
  Export (Perpetual/Subscription) License Attributes:
    First report requirement (days): 0 (CISCO default)
    Reporting frequency (days): 90 (Customer Policy)
    Report on change (days): 90 (Customer Policy)

Miscellaneous:
  Custom Id: <empty>

Usage Reporting:
  Last ACK received: Nov 02 09:09:47 2020 IST
  Next ACK deadline: Jan 01 09:09:47 2021 IST
  Reporting push interval: 30 days
  Next ACK push check: Nov 02 09:13:54 2020 IST
  Next report push: Dec 02 09:05:45 2020 IST
  Last report push: Nov 02 09:05:45 2020 IST
  Last report file write: <none>

Trust Code Installed:
  Active: PID:C9800-CL-K9,SN:93BBAH93MGS
    INSTALLED on Nov 02 08:59:26 2020 IST
  Standby: PID:C9800-CL-K9,SN:9XECPSUU4XN
    INSTALLED on Nov 02 09:00:45 2020 IST


Before Upgrade (Smart Licensing): show license udi

Device# show license udi
UDI: PID:C9800-CL-K9,SN:93BBAH93MGS

HA UDI List:
    Active:PID:C9800-CL-K9,SN:93BBAH93MGS
    Standby:PID:C9800-CL-K9,SN:9XECPSUU4XN

After Upgrade (Smart Licensing Using Policy): show license udi
This is a High Availability set-up and the command displays all UDIs in the set-up. There is no change in the sample output before and after migration.

Device# show license udi
UDI: PID:C9800-CL-K9,SN:93BBAH93MGS

HA UDI List:
    Active:PID:C9800-CL-K9,SN:93BBAH93MGS
    Standby:PID:C9800-CL-K9,SN:9XECPSUU4XN

The CSSM Web UI After Migration
Log in to the CSSM Web UI at https://software.cisco.com and click Smart Software Licensing. Navigate to Inventory > Product Instances.
The product instance previously displayed with its host name (Catalyst 9800CL Cloud Wireless Controller in this example) is now displayed with its UDI instead. All migrated UDIs are displayed, that is, PID:C9800-CL-K9,SN:93BBAH93MGS and PID:C9800-CL-K9,SN:9XECPSUU4XN.
Only the active product instance reports usage; therefore, PID:C9800-CL-K9,SN:93BBAH93MGS displays license consumption information under License Usage. The standby does not report usage, and License Usage for the standby displays No Records Found.


Figure 8: Smart Licensing to Smart Licensing Using Policy: Hostname of Product Instance on the CSSM Web UI Before Migration


Figure 9: Smart Licensing to Smart Licensing Using Policy: UDI and License Usage Under Active Product Instance After Migration


Figure 10: Smart Licensing to Smart Licensing Using Policy: Standby Product Instance After Migration

It is always the active that reports usage, so if the active in this High Availability set-up changes, the new active product instance will display license consumption information and report usage.
Reporting After Migration
The product instance sends the next RUM report to CSSM, based on the policy. If you want to change your reporting interval to report more frequently: on the product instance, configure the license smart usage interval command in global configuration mode. For syntax details see the license smart (global config) command in the Command Reference for the corresponding release.
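The fields called out above (Transport, Policy, Last ACK received, Next ACK deadline, Next report push, Trust Code Installed) are the same ones the SSM On-Prem workflow tells you to check with show license status after initial usage synchronization, and the SLR example that follows adds the Term information under show license authorization. The following script is an added example, not Cisco code and not part of this guide: it parses those two outputs with regular expressions (the CLI prints free text), reports the status fields, computes the days left to the next ACK deadline, and lists reserved TERM licenses that expire within a window. The sample outputs are excerpts constructed from this guide's own Table 7 and Table 8; the MIGRATION_NOW timestamp, the 30/60-day thresholds, and the treatment of CLI timestamps as naive local time are assumptions.

```python
"""Checks on Smart Licensing Using Policy show-command output (Catalyst 9800).
Added example, not Cisco code: the CLI prints free text, so fields are pulled
with regular expressions. Timestamps are parsed as naive datetimes in the
controller's local zone (the 'IST' suffix is dropped); pass 'now' in that zone."""
import re
from datetime import datetime, timedelta

# Constructed sample: 'show license status' after migration (excerpt of the
# Table 7 output; indentation follows the CLI's own layout).
STATUS_OUTPUT = """\
Transport:
  Type: Callhome
Policy:
  Policy name: SLE Policy
  Reporting ACK required: yes (Customer Policy)
Usage Reporting:
  Last ACK received: Nov 02 09:09:47 2020 IST
  Next ACK deadline: Jan 01 09:09:47 2021 IST
  Next report push: Dec 02 09:05:45 2020 IST
  Last report file write: <none>
Trust Code Installed:
  Active: PID:C9800-CL-K9,SN:93BBAH93MGS
    INSTALLED on Nov 02 08:59:26 2020 IST
  Standby: PID:C9800-CL-K9,SN:9XECPSUU4XN
    INSTALLED on Nov 02 09:00:45 2020 IST
"""

# Constructed sample: term information from 'show license authorization' after
# an SLR migration (excerpt of the Table 8 output, one license, one term each).
AUTH_OUTPUT = """\
Specified license reservations:
  Aironet DNA Advantage Term Licenses (AIR-DNA-A):
    Total reserved count: 20
    Term information:
      Active: PID:C9800-CL-K9,SN:93BBAH93MGS
        License type: TERM
          Start Date: 2020-JUN-18 UTC
          End Date: 2020-DEC-15 UTC
          Term Count: 5
      Standby: PID:C9800-CL-K9,SN:9XECPSUU4XN
        License type: TERM
          Start Date: 2020-OCT-14 UTC
          End Date: 2021-APR-12 UTC
          Term Count: 10
"""

CLI_TS = "%b %d %H:%M:%S %Y"  # "Nov 02 09:09:47 2020" (zone suffix dropped)
MIGRATION_NOW = datetime(2020, 11, 2, 9, 30)  # assumed: just after the Table 7 migration

def field(output, name):
    """Value printed after 'name:' at the start of a line, or None if absent."""
    m = re.search(rf"^\s*{re.escape(name)}:\s*(.+?)\s*$", output, re.MULTILINE)
    return m.group(1) if m else None

def cli_time(value):
    """'Nov 02 09:09:47 2020 IST' -> datetime; '<none>' or missing -> None."""
    if not value or value.startswith("<"):
        return None
    return datetime.strptime(" ".join(value.split()[:4]), CLI_TS)

def status_summary(output, now):
    """The fields an operator checks after migration or initial usage sync."""
    deadline = cli_time(field(output, "Next ACK deadline"))
    trust = re.findall(r"(Active|Standby): (PID:[^,\s]+,SN:\S+)\s+INSTALLED on", output)
    return {
        "transport": field(output, "Type"),
        "policy": field(output, "Policy name"),
        "ack_required": (field(output, "Reporting ACK required") or "").startswith("yes"),
        "last_ack": cli_time(field(output, "Last ACK received")),
        "next_report_push": cli_time(field(output, "Next report push")),
        # Negative once the deadline has passed: the product instance still needs an ACK.
        "days_to_ack_deadline": (deadline - now).days if deadline else None,
        "trust_code_installed": dict(trust),  # role -> UDI that holds a trust code
    }

TERM_RE = re.compile(
    r"(?:Active|Standby): (?P<udi>PID:[^,\s]+,SN:\S+)"
    r"|Start Date: \S+ UTC\s+End Date: (?P<end>\S+) UTC\s+Term Count: (?P<count>\d+)")

def expiring_terms(output, now, within_days=30):
    """[(udi, end_date, count)] for reserved TERM licenses that end within
    within_days of now or have already ended; each term belongs to the
    Active/Standby UDI printed most recently above it."""
    udi, hits = None, []
    for m in TERM_RE.finditer(output):
        if m.group("udi"):
            udi = m.group("udi")
            continue
        end = datetime.strptime(m.group("end").title(), "%Y-%b-%d")  # "2020-DEC-15"
        if end <= now + timedelta(days=within_days):
            hits.append((udi, end.date().isoformat(), int(m.group("count"))))
    return hits

if __name__ == "__main__":
    print(status_summary(STATUS_OUTPUT, MIGRATION_NOW))
    print(expiring_terms(AUTH_OUTPUT, MIGRATION_NOW, within_days=60))
```

Feed it the text captured from the controller (for example over SSH) in place of the samples. A negative days_to_ack_deadline, a missing trust code for either HA member, or a term in expiring_terms are the conditions worth alerting on; the policy fields tell you how often the next RUM report is due.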
Example: SLR to Smart Licensing Using Policy
The following is an example of a Cisco Catalyst 9800-CL Wireless Controller migrating from Specific License Reservation (SLR) to Smart Licensing Using Policy. This is a High Availability set-up with an active and standby. License conversion is automatic and authorization codes are migrated. No further action is required to complete migration. After migration the No Connectivity to CSSM and No CSLU, on page 66 topology is effective. For information about the SLR authorization code in the Smart Licensing Using Policy environment, see Authorization Code, on page 57.
· Table 8: SLR to Smart Licensing Using Policy: show Commands, on page 97
· The CSSM Web UI After Migration, on page 101
· Reporting After Migration, on page 103

The show command outputs below call out the key fields to check, before and after migration.
Table 8: SLR to Smart Licensing Using Policy: show Commands

Before Upgrade (SLR): show license summary
The Registration and License Authorization status fields show that the license was REGISTERED - SPECIFIC LICENSE RESERVATION and AUTHORIZED - RESERVED.

Device# show license summary
Smart Licensing is ENABLED
License Reservation is ENABLED

Registration:
  Status: REGISTERED - SPECIFIC LICENSE RESERVATION
  Export-Controlled Functionality: ALLOWED

License Authorization:
  Status: AUTHORIZED - RESERVED

License Usage:
  License                  Entitlement tag        Count Status
  -----------------------------------------------------------------
  AP Perpetual Network...  (DNA_NWStack)          1     AUTHORIZED
  Aironet DNA Advantag...  (AIR-DNA-A)            1     AUTHORIZED

After Upgrade (Smart Licensing Using Policy): show license summary
Licenses are migrated, but none of the APs have joined the controller; current consumption (Count) is therefore zero, and the Status field shows that the licenses are NOT IN USE.

Device# show license summary
License Reservation is ENABLED

License Usage:
  License                  Entitlement Tag        Count Status
  ------------------------------------------------------------------
  Aironet DNA Advantag...  (AIR-DNA-A)            0     NOT IN USE
  AP Perpetual Network...  (DNA_NWStack)          0     NOT IN USE

Before Upgrade (SLR): show license reservation

After Upgrade (Smart Licensing Using Policy): show license authorization
The Last Confirmation code: field shows that the SLR authorization code is successfully migrated for the active and standby product instances in the High Availability set-up.
The Specified license reservations: header shows that a perpetual license (AP Perpetual Networkstack Advantage) and a subscription license (Aironet DNA Advantage Term Licenses) are the migrated SLR licenses.


Before Upgrade (SLR): show license reservation

Device# show license reservation
License reservation: ENABLED

Overall status:
  Active: PID:C9800-CL-K9,SN:93BBAH93MGS
      Reservation status: SPECIFIC INSTALLED on Nov 02 03:16:01 2020 IST
      Export-Controlled Functionality: ALLOWED
      Last Confirmation code: 102fc949
  Standby: PID:C9800-CL-K9,SN:9XECPSUU4XN
      Reservation status: SPECIFIC INSTALLED on Nov 02 03:15:45 2020 IST
      Export-Controlled Functionality: ALLOWED
      Last Confirmation code: ad4382fe

Specified license reservations:
  Aironet DNA Advantage Term Licenses (AIR-DNA-A):
    Description: DNA Advantage for Wireless
    Total reserved count: 20
    Term information:
      Active: PID:C9800-CL-K9,SN:93BBAH93MGS
        License type: TERM
          Start Date: 2020-OCT-14 UTC
          End Date: 2021-APR-12 UTC
          Term Count: 5
        License type: TERM
          Start Date: 2020-JUN-18 UTC
          End Date: 2020-DEC-15 UTC
          Term Count: 5
      Standby: PID:C9800-CL-K9,SN:9XECPSUU4XN
        License type: TERM
          Start Date: 2020-OCT-14 UTC
          End Date: 2021-APR-12 UTC
          Term Count: 10
  AP Perpetual Networkstack Advantage (DNA_NWStack):
    Description: AP Perpetual Network Stack entitled with DNA-A
    Total reserved count: 20
    Term information:
      Active: PID:C9800-CL-K9,SN:93BBAH93MGS
        License type: TERM
          Start Date: 2020-OCT-14 UTC
          End Date: 2021-APR-12 UTC
          Term Count: 5
        License type: TERM
          Start Date: 2020-JUN-18 UTC
          End Date: 2020-DEC-15 UTC
          Term Count: 5
      Standby: PID:C9800-CL-K9,SN:9XECPSUU4XN
        License type: TERM
          Start Date: 2020-OCT-14 UTC
          End Date: 2021-APR-12 UTC
          Term Count: 10


Before Upgrade (SLR)

After Upgrade (Smart Licensing Using Policy)
Device# show license authorization Overall status:
Active: PID:C9800-CL-K9,SN:93BBAH93MGS Status: SPECIFIC INSTALLED on Nov 02 03:16:01 2020
IST Last Confirmation code: 102fc949
Standby: PID:C9800-CL-K9,SN:9XECPSUU4XN Status: SPECIFIC INSTALLED on Nov 02 03:15:45 2020
IST Last Confirmation code: ad4382fe
Specified license reservations: Aironet DNA Advantage Term Licenses (AIR-DNA-A): Description: DNA Advantage for Wireless Total reserved count: 20 Enforcement type: NOT ENFORCED Term information: Active: PID:C9800-CL-K9,SN:93BBAH93MGS Authorization type: SPECIFIC INSTALLED on Nov
02 03:15:45 2020 IST License type: TERM Start Date: 2020-OCT-14 UTC End Date: 2021-APR-12 UTC Term Count: 5 Authorization type: SPECIFIC INSTALLED on Nov
02 03:15:45 2020 IST License type: TERM Start Date: 2020-JUN-18 UTC End Date: 2020-DEC-15 UTC Term Count: 5
Standby: PID:C9800-CL-K9,SN:9XECPSUU4XN Authorization type: SPECIFIC INSTALLED on Nov
02 03:15:45 2020 IST License type: TERM Start Date: 2020-OCT-14 UTC End Date: 2021-APR-12 UTC Term Count: 10
AP Perpetual Networkstack Advantage (DNA_NWStack): Description: AP Perpetual Network Stack entitled
with DNA-A Total reserved count: 20 Enforcement type: NOT ENFORCED Term information: Active: PID:C9800-CL-K9,SN:93BBAH93MGS Authorization type: SPECIFIC INSTALLED on Nov
02 03:15:45 2020 IST License type: TERM Start Date: 2020-OCT-14 UTC End Date: 2021-APR-12 UTC Term Count: 5 Authorization type: SPECIFIC INSTALLED on Nov
02 03:15:45 2020 IST License type: TERM Start Date: 2020-JUN-18 UTC End Date: 2020-DEC-15 UTC Term Count: 5
Standby: PID:C9800-CL-K9,SN:9XECPSUU4XN Authorization type: SPECIFIC INSTALLED on Nov
02 03:15:45 2020 IST License type: TERM Start Date: 2020-OCT-14 UTC End Date: 2021-APR-12 UTC

Cisco Catalyst 9800 Series Wireless Controller Software Configuration Guide, Cisco IOS XE Bengaluru 17.5.x 99

Example: SLR to Smart Licensing Using Policy
Before Upgrade (SLR)
Before Upgrade (SLR) show license status

System Configuration
After Upgrade (Smart Licensing Using Policy)
Term Count: 10 Purchased Licenses:
No Purchase Information Available
After Upgrade (Smart Licensing Using Policy) show license status Under the Transport: header, the Type: field displays that the transport type is set to off. Under the Usage Reporting: header, the Next report push: field displays if and when the next RUM report must be uploaded to CSSM.

Cisco Catalyst 9800 Series Wireless Controller Software Configuration Guide, Cisco IOS XE Bengaluru 17.5.x 100

System Configuration

Example: SLR to Smart Licensing Using Policy

Before Upgrade (SLR)
-

After Upgrade (Smart Licensing Using Policy)
Device# show license status
Utility: Status: DISABLED
Smart Licensing Using Policy: Status: ENABLED
Data Privacy: Sending Hostname: yes Callhome hostname privacy: DISABLED Smart Licensing hostname privacy: DISABLED Version privacy: DISABLED
Transport: Type: Transport Off
Policy: Policy in use: Merged from multiple sources. Reporting ACK required: yes (CISCO default) Unenforced/Non-Export Perpetual Attributes: First report requirement (days): 365 (CISCO default)
Reporting frequency (days): 0 (CISCO default) Report on change (days): 90 (CISCO default) Unenforced/Non-Export Subscription Attributes: First report requirement (days): 90 (CISCO default)
Reporting frequency (days): 90 (CISCO default) Report on change (days): 90 (CISCO default) Enforced (Perpetual/Subscription) License Attributes:
First report requirement (days): 0 (CISCO default) Reporting frequency (days): 0 (CISCO default) Report on change (days): 0 (CISCO default) Export (Perpetual/Subscription) License Attributes: First report requirement (days): 0 (CISCO default) Reporting frequency (days): 0 (CISCO default) Report on change (days): 0 (CISCO default)
Miscellaneous: Custom Id: <empty>
Usage Reporting: Last ACK received: <none> Next ACK deadline: <none> Reporting push interval: 0 (no reporting) Next ACK push check: Nov 01 20:31:46 2020 IST Next report push: <none> Last report push: <none> Last report file write: <none>
Trust Code Installed: <none>

The CSSM Web UI After Migration
Log in to the CSSM Web UI at https://software.cisco.com and click Smart Software Licensing. Under Inventory > Product Instances, there are no changes in the Product Instances tab. The Last Contact column displays "Reserved Licenses" since there has been no usage reporting yet. After the requisite RUM report is uploaded and acknowledged, "Reserved Licenses" is no longer displayed and license usage is displayed only in the active product instance.

Figure 11: SLR to Smart Licensing Using Policy: Active Product Instance Before Upgrade

Figure 12: SLR to Smart Licensing Using Policy: Active Product Instance After Upgrade

Reporting After Migration
SLR licenses require reporting only when there is a change in license consumption (for example, when using a subscription license, which is for a specified term). In an air-gapped network, use the Next report push: date in the show license status output to know when the next usage report must be sent. This ensures that the product instance and CSSM are synchronized. Since all communication to and from the product instance is disabled, to report license usage you must save RUM reports to a file and upload it to CSSM (from a workstation that has connectivity to the internet, and Cisco):

1. Generate and save RUM reports.
Enter the license smart save usage command in privileged EXEC mode. In the example below, all RUM reports are saved to the flash memory of the product instance, in file all_rum.txt. For syntax details see the license smart (privileged EXEC) command in the Command Reference. In the example, the file is first saved to bootflash and then copied to a TFTP location:
Device# license smart save usage all bootflash:all_rum.txt
Device# copy bootflash:all_rum.txt tftp://10.8.0.6/all_rum.txt
2. Upload usage data to CSSM: Uploading Data or Requests to CSSM and Downloading a File, on page 141.
3. Install the ACK on the product instance: Installing a File on the Product Instance, on page 142.

Example: Evaluation or Expired to Smart Licensing Using Policy
The following is an example of a Cisco Catalyst 9800-CL Wireless Controller with evaluation expired licenses (Smart Licensing) that are migrated to Smart Licensing Using Policy.
The notion of evaluation licenses does not apply to Smart Licensing Using Policy. When the software version is upgraded to one that supports Smart Licensing Using Policy, all licenses are displayed as IN USE and the Cisco default policy is applied to the product instance. Since all licenses on Cisco Catalyst Wireless Controllers are unenforced (enforcement type), no functionality is lost.
· Table 9: Evaluation or Expired to Smart Licensing Using Policy: show Commands, on page 104
· The CSSM Web UI After Migration, on page 107
· Reporting After Migration, on page 107

The table below calls out key changes or new fields to check for in the show command outputs after upgrade to Smart Licensing Using Policy.
Table 9: Evaluation or Expired to Smart Licensing Using Policy: show Commands

Before Upgrade (Smart Licensing, Evaluation Mode)
show license summary
Licenses are UNREGISTERED and in EVAL MODE.

Device# show license summary
Smart Licensing is ENABLED
Registration:
  Status: UNREGISTERED
  Export-Controlled Functionality: NOT ALLOWED
License Authorization:
  Status: EVAL EXPIRED
License Usage:
  License  Entitlement tag  Count  Status
  --------------------------------------------------------------
           (DNA_NWStack)    1      EVAL EXPIRED
           (AIR-DNA-A)      1      EVAL EXPIRED

After Upgrade (Smart Licensing Using Policy)
show license summary
All licenses are migrated and IN USE. There are no EVAL MODE licenses.

Device# show license summary
License Usage:
  License                Entitlement Tag  Count  Status
  -------------------------------------------------------------
  air-network-advantage  (DNA_NWStack)    1      IN USE
  air-dna-advantage      (AIR-DNA-A)      1      IN USE

Before Upgrade (Smart Licensing, Evaluation Mode)
show license usage

After Upgrade (Smart Licensing Using Policy)
show license usage
The Enforcement Type field displays NOT ENFORCED. (There are no export-controlled or enforced licenses on Cisco Catalyst Wireless Controllers.)

Before Upgrade (Smart Licensing, Evaluation Mode)

Device# show license usage
License Authorization:
  Status: EVAL EXPIRED on Apr 14 18:20:46 2020 UTC

(DNA_NWStack):
  Description:
  Count: 1
  Version: 1.0
  Status: EVAL EXPIRED
  Export status: NOT RESTRICTED

(AIR-DNA-A):
  Description:
  Count: 1
  Version: 1.0
  Status: EVAL EXPIRED
  Export status: NOT RESTRICTED

After Upgrade (Smart Licensing Using Policy)

Device# show license usage
License Authorization:
  Status: Not Applicable

air-network-advantage (DNA_NWStack):
  Description: air-network-advantage
  Count: 1
  Version: 1.0
  Status: IN USE
  Export status: NOT RESTRICTED
  Feature Name: air-network-advantage
  Feature Description: air-network-advantage
  Enforcement type: NOT ENFORCED
  License type: Perpetual

air-dna-advantage (AIR-DNA-A):
  Description: air-dna-advantage
  Count: 1
  Version: 1.0
  Status: IN USE
  Export status: NOT RESTRICTED
  Feature Name: air-dna-advantage
  Feature Description: air-dna-advantage
  Enforcement type: NOT ENFORCED
  License type: Perpetual

Before Upgrade (Smart Licensing, Evaluation Mode)
show license status

After Upgrade (Smart Licensing Using Policy)
show license status
The Transport: field displays that the default type is set, but a URL or a method for the product instance to discover CSLU is not specified.
The Trust Code Installed: field displays that a trust code is not installed.
The Policy: header and details show that the Cisco default policy is applied.
Under the Usage Reporting: header, the Next report push: field provides information about when the next RUM report must be sent to CSSM.

Before Upgrade (Smart Licensing, Evaluation Mode)

Device# show license status
Smart Licensing is ENABLED
Utility:
  Status: DISABLED
Data Privacy:
  Sending Hostname: yes
    Callhome hostname privacy: DISABLED
    Smart Licensing hostname privacy: DISABLED
  Version privacy: DISABLED
Transport:
  Type: Callhome
Registration:
  Status: UNREGISTERED
  Export-Controlled Functionality: NOT ALLOWED
License Authorization:
  Status: EVAL EXPIRED on Apr 14 18:20:46 2020 UTC
Export Authorization Key:
  Features Authorized:
    <none>

After Upgrade (Smart Licensing Using Policy)

Device# show license status
Utility:
  Status: DISABLED
Smart Licensing Using Policy:
  Status: ENABLED
Data Privacy:
  Sending Hostname: yes
    Callhome hostname privacy: DISABLED
    Smart Licensing hostname privacy: DISABLED
  Version privacy: DISABLED
Transport:
  Type: cslu
  Cslu address: <empty>
  Proxy: Not Configured
Policy:
  Policy in use: Merged from multiple sources.
  Reporting ACK required: yes (CISCO default)
  Unenforced/Non-Export Perpetual Attributes:
    First report requirement (days): 365 (CISCO default)
    Reporting frequency (days): 0 (CISCO default)
    Report on change (days): 90 (CISCO default)
  Unenforced/Non-Export Subscription Attributes:
    First report requirement (days): 90 (CISCO default)
    Reporting frequency (days): 90 (CISCO default)
    Report on change (days): 90 (CISCO default)
  Enforced (Perpetual/Subscription) License Attributes:
    First report requirement (days): 0 (CISCO default)
    Reporting frequency (days): 0 (CISCO default)
    Report on change (days): 0 (CISCO default)
  Export (Perpetual/Subscription) License Attributes:
    First report requirement (days): 0 (CISCO default)
    Reporting frequency (days): 0 (CISCO default)
    Report on change (days): 0 (CISCO default)
Miscellaneous:
  Custom Id: <empty>
Usage Reporting:
  Last ACK received: <none>
  Next ACK deadline: <none>
  Reporting push interval: 0 (no reporting)
  Next ACK push check: <none>
  Next report push: <none>
  Last report push: <none>
  Last report file write: <none>
Trust Code Installed: <none>
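The fields that the show license status commentary above and the Reporting After Migration steps tell you to verify (transport type, trust code, ACK policy, Next report push) can be pulled out of the output programmatically. The following is an added example and not code from this guide; it assumes the two-space indentation of the real output, and the Next report push date in the constructed sample is assumed (the outputs in this chapter show <none>).

```python
"""Added example: extract the migration checks from 'show license status'."""
from datetime import datetime

NONE = "<none>"

# Constructed sample modelled on the after-upgrade output above. Two-space
# indentation of nested fields is assumed; the push date is assumed as well.
SAMPLE_STATUS = """\
Utility:
  Status: DISABLED
Smart Licensing Using Policy:
  Status: ENABLED
Transport:
  Type: cslu
  Cslu address: <empty>
  Proxy: Not Configured
Policy:
  Policy in use: Merged from multiple sources.
  Reporting ACK required: yes (CISCO default)
  Unenforced/Non-Export Perpetual Attributes:
    First report requirement (days): 365 (CISCO default)
    Reporting frequency (days): 0 (CISCO default)
    Report on change (days): 90 (CISCO default)
  Unenforced/Non-Export Subscription Attributes:
    First report requirement (days): 90 (CISCO default)
    Reporting frequency (days): 90 (CISCO default)
    Report on change (days): 90 (CISCO default)
Usage Reporting:
  Last ACK received: <none>
  Next ACK deadline: <none>
  Reporting push interval: 0 (no reporting)
  Next report push: Jan 30 20:31:46 2021 IST
  Last report push: <none>
Trust Code Installed: <none>
"""

# Same layout for the SLR example, where the transport is switched off.
SAMPLE_SLR_STATUS = SAMPLE_STATUS.replace("Type: cslu", "Type: Transport Off")


def parse_status(text):
    """Turn the indented 'Header:' / 'Key: value' layout into nested dicts."""
    root = {}
    stack = [(-1, root)]                 # (indent, dict being filled)
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while indent <= stack[-1][0]:    # a shallower line closes sections
            stack.pop()
        key, _, value = raw.strip().partition(":")
        key, value = key.strip(), value.strip()
        if value:
            stack[-1][1][key] = value
        else:                            # 'Header:' opens a nested section
            section = {}
            stack[-1][1][key] = section
            stack.append((indent, section))
    return root


def parse_cisco_time(stamp):
    """'Jan 30 20:31:46 2021 IST' -> datetime; the zone suffix is dropped."""
    return datetime.strptime(" ".join(stamp.split()[:4]), "%b %d %H:%M:%S %Y")


def migration_checks(text, now):
    """Summarise transport, trust code, ACK policy and the next report push."""
    status = parse_status(text)
    transport = status["Transport"]
    nxt = status["Usage Reporting"]["Next report push"]
    due = None if nxt == NONE else parse_cisco_time(nxt)
    return {
        "transport_type": transport["Type"],
        "trust_code_installed": status["Trust Code Installed"] != NONE,
        "ack_required": status["Policy"]["Reporting ACK required"].startswith("yes"),
        "next_report_push": due,
        "days_until_report": None if due is None else (due - now).days,
        # Type cslu with an empty address: neither a URL nor a discovery
        # method for CSLU is configured yet (the case the text describes).
        "cslu_discovery_unconfigured": transport["Type"] == "cslu"
        and transport.get("Cslu address", NONE) in (NONE, "<empty>"),
        # Transport Off: a pending push can only be met by saving the RUM
        # report to a file and uploading it to CSSM from another workstation.
        "manual_upload_needed": transport["Type"] == "Transport Off"
        and due is not None,
    }
```

Run against the SLR sample the summary flags a manual upload whenever a push date is set, which is the air-gapped case described under Reporting After Migration.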


The CSSM Web UI After Migration
Log in to the CSSM Web UI at https://software.cisco.com and click Smart Software Licensing. Under Inventory > Product Instances, the Last Contact field for the migrated product instances displays an updated timestamp after migration.

Reporting After Migration
Implement any one of the supported topologies, and fulfil reporting requirements. See Supported Topologies, on page 60 and How to Configure Smart Licensing Using Policy: Workflows by Topology, on page 75. The reporting method you can use depends on the topology you implement.
Migrating to a Version of SSM On-Prem That Supports Smart Licensing Using Policy
If you are using a version of SSM On-Prem that is earlier than the minimum required version (see SSM On-Prem, on page 55), you can use this section as an outline of the process and sequence you have to follow to migrate the SSM On-Prem version and the product instance.

1. Upgrade SSM On-Prem.
Upgrade to the minimum required Version 8, Release 202102 or a later version. Refer to the Cisco Smart Software Manager On-Prem Migration Guide.
2. Upgrade the product instance.
For information about the minimum required software version, see SSM On-Prem, on page 55. For information about the upgrade procedure, see Upgrading the Wireless Controller Software, on page 88.
3. Re-register a local account with CSSM.
Online and offline options are available. Refer to the Cisco Smart Software Manager On-Prem Migration Guide > Re-Registering a local Account (Online Mode) or Manually Re-Registering a Local Account (Offline Mode). Once re-registration is complete, the following events occur automatically:
· SSM On-Prem responds with a new transport URL that points to the tenant in SSM On-Prem.
· The transport type configuration on the product instance changes from call-home or smart to cslu. The transport URL is also updated automatically.
4. Save configuration changes on the product instance, by entering the copy running-config startup-config command in privileged EXEC mode.
5. Clear older On-Prem Smart Licensing certificates on the product instance and reload the product instance. Do not save configuration changes after this.
Note  This step is required only if the software version running on the product instance is Cisco IOS XE Amsterdam 17.3.x or Cisco IOS XE Bengaluru 17.4.x.

Enter the license smart factory reset and then the reload commands in privileged EXEC mode.
Device# license smart factory reset
Device# reload
6. Perform usage synchronization.
a. On the product instance, enter the license smart sync {all|local} command, in privileged EXEC mode. This synchronizes the product instance with SSM On-Prem, to send and receive any pending data.
Device# license smart sync local
You can verify this in the SSM On-Prem UI. Go to Inventory > SL Using Policy. In the Alerts column, the following message is displayed: Usage report from product instance.
b. Synchronize usage information with CSSM (choose one):
· Option 1: SSM On-Prem is connected to CSSM: In the SSM On-Prem UI, Smart Licensing workspace, navigate to Reports > Usage Schedules > Synchronize now with Cisco.
· Option 2: SSM On-Prem is not connected to CSSM: See Exporting and Importing Usage Data (SSM On-Prem UI), on page 122.

Result: You have completed migration and initial usage synchronization. Product instance and license usage information is now displayed in SSM On-Prem. For subsequent reporting, you have the following options:
· To synchronize data between the product instance and SSM On-Prem:
  · Schedule periodic synchronization between the product instance and SSM On-Prem, by configuring the reporting interval. Enter the license smart usage interval interval_in_days command in global configuration mode. To know when the product instance will be sending the next RUM report, enter the show license all command in privileged EXEC mode and in the output, check the Next report push: field.
  · Enter the license smart sync privileged EXEC command, for ad hoc or on-demand synchronization between the product instance and SSM On-Prem.
· To synchronize usage information with CSSM:
  · Schedule periodic synchronization with CSSM. In the SSM On-Prem UI, navigate to Reports > Usage Schedules > Synchronization schedule with Cisco. Enter the following frequency information and save:
    · Days: Refers to how often synchronization occurs. For example, if you enter 2, synchronization occurs once every two days.
    · Time of Day: Refers to the time at which synchronization occurs, in 24-hour notation. For example, if you enter 14 hours and 0 minutes, synchronization occurs at 2 p.m. (1400) in your local time zone.

· Upload and download the required files for reporting. See Exporting and Importing Usage Data (SSM On-Prem UI), on page 122.

Task Library for Smart Licensing Using Policy
This section is a grouping of tasks that apply to Smart Licensing Using Policy. It includes tasks performed on a product instance, on the CSLU interface, and on the CSSM Web UI. To implement a particular topology, refer to the corresponding workflow to know the sequential order of tasks that apply. See How to Configure Smart Licensing Using Policy: Workflows by Topology, on page 75. To perform any additional configuration tasks, for instance, to configure a different license, or use an add-on license, or to configure a narrower reporting interval, refer to the corresponding task here. Check the "Supported Topologies" where provided, before you proceed.
Logging into Cisco (CSLU Interface)
Depending on your needs, when working in CSLU, you can either be in connected or disconnected mode. To work in the connected mode, complete these steps to connect with Cisco.
Procedure

Step 1  From the CSLU Main screen, click Login to Cisco (located at the top right corner of the screen).
Step 2  Enter: CCO User Name and CCO Password.
Step 3  In the CSLU Preferences tab, check that the Cisco connectivity toggle displays "Cisco Is Available".

Configuring a Smart Account and a Virtual Account (CSLU Interface)
Both the Smart Account and Virtual Account are configured through the Preferences tab. Complete the following steps to configure both Smart and Virtual Accounts for connecting to Cisco.
Procedure

Step 1  Select the Preferences Tab from the CSLU home screen.
Step 2  Perform these steps for adding both a Smart Account and Virtual Account:
  a) In the Preferences screen navigate to the Smart Account field and add the Smart Account Name.
  b) Next, navigate to the Virtual Account field and add the Virtual Account Name.
  If you are connected to CSSM (In the Preferences tab, Cisco Is Available), you can select from the list of available SA/VAs.
  If you are not connected to CSSM (In the Preferences tab, Cisco Is Not Available), enter the SA/VAs manually.
  Note  SA/VA names are case sensitive.
Step 3  Click Save. The SA/VA accounts are saved to the system.
  Only one SA/VA pair can reside on CSLU at a time. You cannot add multiple accounts. To change to another SA/VA pair, repeat Steps 2a and 2b, then Save. A new SA/VA account pair replaces the previously saved pair.

Adding a Product-Initiated Product Instance in CSLU (CSLU Interface)
Complete these steps to add a device-created Product Instance using the Preferences tab.
Procedure

Step 1  Select the Preferences tab.
Step 2  In the Preferences screen, de-select the Validate Device check box.
Step 3  Set the Default Connect Method to Product Instance Initiated and then click Save.

Ensuring Network Reachability for Product Instance-Initiated Communication
This task provides possible configurations that may be required to ensure network reachability for product instance-initiated communication. Steps marked as "(Required)" are required for all product instances; all other steps may be required or optional, depending on the kind of product instance and network requirements. Configure the applicable commands:

Before you begin
Supported topologies: Connected to CSSM Through CSLU (product instance-initiated communication).

Procedure

Step 1  enable
  Example:
  Device> enable
  Purpose: Enables privileged EXEC mode. Enter your password, if prompted.

Step 2  configure terminal
  Example:
  Device# configure terminal
  Purpose: Enters global configuration mode.

Step 3  interface interface-type-number
  Example:
  Device(config)# interface gigabitethernet0/0
  Purpose: Enters interface configuration mode and specifies the Ethernet interface, subinterface, or VLAN to be associated with the VRF.

Step 4  vrf forwarding vrf-name
  Example:
  Device(config-if)# vrf forwarding Mgmt-vrf
  Purpose: Associates the VRF with the Layer 3 interface. This command activates multiprotocol VRF on an interface.

Step 5  ip address ip-address mask
  Example:
  Device(config-if)# ip address 192.168.0.1 255.255.0.0
  Purpose: Defines the IP address for the VRF.

Step 6  negotiation auto
  Example:
  Device(config-if)# negotiation auto
  Purpose: Enables auto-negotiation operation for the speed and duplex parameters of an interface.
  Note  Cisco Catalyst 9800-L-F Wireless Controller 10G ports do not support auto-negotiation operation.

Step 7  end
  Example:
  Device(config-if)# end
  Purpose: Exits the interface configuration mode and enters global configuration mode.

Step 8  ip http client source-interface interface-type-number
  Example:
  Device(config)# ip http client source-interface gigabitethernet0/0
  Purpose: Configures a source interface for the HTTP client.

Step 9  ip route [vrf vrf-name] ip-address ip-mask next-hop
  Example:
  Device(config)# ip route vrf Mgmt-vrf 192.168.0.1 255.255.0.0 192.168.255.1
  Purpose: (Required) Configures a route and gateway on the product instance. You can configure either a static route or a dynamic route. The VRF name is case sensitive and must match the one configured in Step 4.

Step 10  {ip | ipv6} name-server [vrf vrf-name] server-address1 [server-address2 ... server-address6]
  Example:
  Device(config)# ip name-server vrf Mgmt-vrf 173.37.137.85
  Purpose: Configures Domain Name System (DNS) on the VRF interface.

Step 11  ip domain lookup source-interface interface-type-number
  Example:
  Device(config)# ip domain lookup source-interface gigabitethernet0/0
  Purpose: Configures the source interface for the DNS domain lookup.

Step 12  ip domain name domain-name
  Example:
  Device(config)# ip domain name example.com
  Purpose: Configures DNS discovery of your domain. In the accompanying example, the name server creates the entry cslu-local.example.com.
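The steps in this table only work together when the route, the name server and the DNS lookup all live in the same VRF as the HTTP client source interface; a VRF name typed with different capitalisation lands in a different (non-existent) VRF and silently breaks reachability. The following added example, not code from this guide or from Cisco, lints a running-config excerpt for exactly that; the excerpt, its default route and its addresses are constructed values.

```python
"""Added example: lint a running-config excerpt for the product
instance-initiated reachability settings in the table above."""
import re

# Constructed excerpt built from the commands in the table; the default
# route and the addresses are assumed values, not from a real controller.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 ip address 192.168.0.1 255.255.0.0
 negotiation auto
!
ip http client source-interface GigabitEthernet0/0
ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 192.168.255.1
ip name-server vrf Mgmt-vrf 173.37.137.85
ip domain lookup source-interface GigabitEthernet0/0
ip domain name example.com
"""

# Same excerpt with the VRF name mistyped on the route. VRF names are case
# sensitive, so this route is installed in a VRF that does not exist.
BAD_CONFIG = SAMPLE_CONFIG.replace("ip route vrf Mgmt-vrf", "ip route vrf mgmt-vrf")


def parse_interfaces(config):
    """Map interface name -> {'vrf': ..., 'ip': ...} from its sub-commands."""
    ifaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            ifaces[current] = {}
        elif current and line.startswith(" "):
            words = line.split()
            if words[:2] == ["vrf", "forwarding"]:
                ifaces[current]["vrf"] = words[2]
            elif words[:2] == ["ip", "address"]:
                ifaces[current]["ip"] = words[2]
        else:
            current = None                # '!' or a global command ends the block
    return ifaces


def norm_if(name):
    """Interface names are matched case-insensitively, as IOS does."""
    return name.replace(" ", "").lower()


def check_reachability(config):
    """Return findings against the table's steps; empty means all present."""
    findings = []
    ifaces = parse_interfaces(config)
    src = re.search(r"^ip http client source-interface (\S+)", config, re.M)
    if not src:
        return ["missing: ip http client source-interface"]
    name = next((n for n in ifaces if norm_if(n) == norm_if(src.group(1))), None)
    if name is None:
        return [f"http source interface {src.group(1)} is not configured"]
    vrf = ifaces[name].get("vrf")        # None means the global routing table
    if "ip" not in ifaces[name]:
        findings.append(f"{name} has no ip address")
    # (Required) a route and gateway in the same VRF as the source interface;
    # findall() yields '' where the optional 'vrf NAME' group did not match.
    routes = re.findall(r"^ip route(?: vrf (\S+))? \S+ \S+ \S+", config, re.M)
    if not any((r or None) == vrf for r in routes):
        findings.append(f"missing: ip route for vrf {vrf or 'global'}")
    # DNS must be reachable in that VRF too, from the same source interface.
    servers = re.findall(r"^ip name-server(?: vrf (\S+))? ", config, re.M)
    if not any((s or None) == vrf for s in servers):
        findings.append(f"missing: ip name-server for vrf {vrf or 'global'}")
    lookup = re.search(r"^ip domain lookup source-interface (\S+)", config, re.M)
    if not lookup or norm_if(lookup.group(1)) != norm_if(name):
        findings.append("ip domain lookup source-interface does not match the http source interface")
    if not re.search(r"^ip domain name \S+", config, re.M):
        findings.append("missing: ip domain name (needed for cslu-local DNS discovery)")
    return findings
```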

Adding a CSLU-Initiated Product Instance in CSLU (CSLU Interface)
Using the CSLU interface, you can configure the connect method to be CSLU Initiated. This connect method (mode) enables CSLU to retrieve Product Instance information from the Product Instance.

Note  The default Connect Method is set in the Preferences tab.

Complete these steps to add a Product Instance from the Inventory tab.

Procedure

Step 1  Go to the Inventory tab and from the Product Instances table, select Add Single Product.
Step 2  Enter the Host (IP address of the Host).
Step 3  Select the Connect Method and select one of the CSLU Initiated connect methods.
Step 4  In the right panel, click Product Instance Login Credentials. The left panel of the screen changes to show the User Name and Password fields.
Step 5  Enter the product instance User Name and Password.
Step 6  Click Save. The information is saved to the system and the device is listed in the Product Instances table with the Last Contact listed as never.

Collecting Usage Reports: CSLU Initiated (CSLU Interface)
CSLU also allows you to manually trigger the gathering of usage reports from devices.
After configuring and selecting a product instance (selecting Add Single Product, filling in the Host name and selecting a CSLU-initiated connect method), click Actions for Selected > Collect Usage. CSLU connects to the selected product instances and collects the usage reports. These usage reports are stored in CSLU's local library. These reports can then be transferred to Cisco if CSLU is connected to Cisco, or (if you are not connected to Cisco) you can manually trigger usage collection by selecting Data > Export to CSSM.
If you are working in CSLU-initiated mode, complete these steps to configure CSLU to collect RUM reports from Product Instances.

Procedure

Step 1  Click the Preference tab and enter a valid Smart Account and Virtual Account, and then select an appropriate CSLU-initiated collect method. (If there have been any changes in Preferences, make sure you click Save.)
Step 2  Click the Inventory tab and select one or more product instances.
Step 3  Click Actions for Selected > Collect Usage.
  RUM reports are retrieved from each selected device and stored in the CSLU local library. The Last Contacted column is updated to show the time the report was received, and the Alerts column shows the status.
Step 4  If CSLU is currently logged into Cisco, the reports will be automatically sent to the associated Smart Account and Virtual Account in Cisco, and Cisco will send an acknowledgement to CSLU as well as to the product instance. The acknowledgement will be listed in the Alerts column of the Product Instance table. To manually transfer usage reports to Cisco, from the CSLU main screen select Data > Export to CSSM.

From the Export to CSSM modal, select the local directory where the reports are to be stored. (<CSLU_WORKING_Directory>/data/default/rum/unsent)

At this point, the usage reports are saved in your local directory (library). To upload these usage reports to Cisco, follow the steps described in Uploading Data or Requests to CSSM and Downloading a File, on page 141.

Note  The Windows operating system can change the behavior of a usage report file's properties by dropping the extension when that file is renamed. The behavior change happens when you rename the downloaded file and the renamed file drops the extension. For example, the downloaded default file named UD_xxx.tar is renamed to UD_yyy. The file loses its TAR extension and cannot function. To enable the usage file to function normally, after renaming a usage report file, you must also add the TAR extension back to the file name, for example UD_yyy.tar.

Export to CSSM (CSLU Interface)
The Download All for Cisco menu option is a manual process used for offline purposes. Complete these steps to use the Download For Cisco menu option.
Procedure

Step 1  Go to the Preferences tab, and turn off the Cisco Connectivity toggle switch. The field switches to "Cisco Is Not Available".
Step 2  From the main menu in the CSLU home screen navigate to Data > Export to CSSM.
Step 3  Select the file from the modal that opens and click Save. You now have the file saved.
  Note  At this point you have a DLC file, RUM file, or both.
Step 4  Go to a station that has connectivity to Cisco, and complete the following: Uploading Data or Requests to CSSM and Downloading a File, on page 141. Once the file is downloaded, you can import it into CSLU, see Import from CSSM (CSLU Interface), on page 114.

Import from CSSM (CSLU Interface)
Once you have received the ACK or other file (such as an authorization code) from Cisco, you are ready to Upload that file to your system. This procedure can be used for workstations that are offline. Complete these steps to select and upload files from Cisco.
Procedure

Step 1  Ensure that you have downloaded the file to a location that is accessible to CSLU.
Step 2  From the main menu in the CSLU home screen, navigate to Data > Import from CSSM.
Step 3  An Import from CSSM modal opens for you to either:
  · Drag and Drop a file that resides on your local drive, or
  · Browse for the appropriate *.xml file, select the file and click Open.
  If the upload is successful, you will get a message indicating that the file was successfully sent to the server. If the upload is not successful, you will get an import error.
Step 4  When you have finished uploading, click the x at the top right corner of the modal to close it.

Ensuring Network Reachability for CSLU-Initiated Communication
This task provides possible configurations that may be required to ensure network reachability for CSLU-initiated communication. Steps marked as "(Required)" are required for all product instances; all other steps may be required or optional, depending on the kind of product instance and network requirements. Configure the applicable commands:

Before you begin
Supported topologies: Connected to CSSM Through CSLU (CSLU-initiated communication).

Procedure

Step 1: enable
Example:
Device> enable
Purpose: Enables privileged EXEC mode. Enter your password, if prompted.

Step 2: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 3: aaa new-model
Example:
Device(config)# aaa new-model
Purpose: (Required) Enables the authentication, authorization, and accounting (AAA) access control model.

Step 4: aaa authentication login default local
Example:
Device(config)# aaa authentication login default local
Purpose: (Required) Sets AAA authentication to use the local username database for authentication.

Step 5: aaa authorization exec default local
Example:
Device(config)# aaa authorization exec default local
Purpose: Sets the parameters that restrict user access to a network. The user is allowed to run an EXEC shell.

Step 6: ip routing
Example:
Device(config)# ip routing
Purpose: Enables IP routing.

Step 7: {ip | ipv6} name-server server-address1 [server-address2 ... server-address6]
Example:
Device(config)# ip name-server vrf Mgmt-vrf 192.168.1.100 192.168.1.200
Purpose: (Optional) Specifies the address of one or more name servers to use for name and address resolution. You can specify up to six name servers. Separate each server address with a space. The first server specified is the primary server. The device sends DNS queries to the primary server first. If that query fails, the backup servers are queried.

Step 8: ip domain lookup source-interface interface-type-number
Example:
Device(config)# ip domain lookup source-interface gigabitethernet0/0
Purpose: Enables DNS-based hostname-to-address translation on your device and sets the source interface for DNS queries. DNS lookup is enabled by default. If your network devices require connectivity with devices in networks for which you do not control name assignment, you can dynamically assign device names that uniquely identify your devices by using the global Internet naming scheme (DNS).

Step 9: ip domain name name
Example:
Device(config)# ip domain name vrf Mgmt-vrf cisco.com
Purpose: Defines a default domain name that the software uses to complete unqualified hostnames (names without a dotted-decimal domain name).

Step 10: no username name
Example:
Device(config)# no username admin
Purpose: (Required) Clears the specified username, if it exists. For name, enter the same username you will create in the next step. This ensures that a duplicate of the username you are going to create in the next step does not exist. If you plan to use REST APIs for CSLU-initiated retrieval of RUM reports, you have to log in to CSLU; duplicate usernames in the system may cause the feature to work incorrectly.

Step 11: username name privilege level password password
Example:
Device(config)# username admin privilege 15 password 0 lab
Purpose: (Required) Establishes a username-based authentication system. The privilege keyword sets the privilege level for the user; a number between 0 and 15 specifies the privilege level. The password allows access to the name argument. A password must be from 1 to 25 characters, can contain embedded spaces, and must be the last option specified in the username command. This enables CSLU to use the product instance native REST API.
Note: Enter this username and password in CSLU (Collecting Usage Reports: CSLU Initiated (CSLU Interface), on page 112, Step 4 f). CSLU can then collect RUM reports from the product instance.
Note: The example uses password type 0, which stores the password in cleartext in the running configuration, together with a trivial password. In production, use a strong password dedicated to CSLU and treat this account as a privilege-15 administrative credential, because that is what CSLU holds and presents to the product instance.

Step 12: interface interface-type-number
Example:
Device(config)# interface gigabitethernet0/0
Purpose: Enters interface configuration mode and specifies the Ethernet interface, subinterface, or VLAN to be associated with the VRF.

Step 13: vrf forwarding vrf-name
Example:
Device(config-if)# vrf forwarding Mgmt-vrf
Purpose: Associates the VRF with the Layer 3 interface. This command activates multiprotocol VRF on an interface.

Step 14: ip address ip-address mask
Example:
Device(config-if)# ip address 192.168.0.1 255.255.0.0
Purpose: Defines the IP address for the VRF.

Step 15: negotiation auto
Example:
Device(config-if)# negotiation auto
Purpose: Enables auto-negotiation operation for the speed and duplex parameters of an interface.

Step 16: no shutdown
Example:
Device(config-if)# no shutdown
Purpose: Restarts a disabled interface.

Step 17: exit
Example:
Device(config-if)# exit
Purpose: Exits interface configuration mode and returns to global configuration mode. (The end command would instead return to privileged EXEC mode; the following steps are entered in global configuration mode.)

Step 18: ip http server
Example:
Device(config)# ip http server
Purpose: (Required) Enables the HTTP server on your IP or IPv6 system, including a Cisco web browser user interface. The HTTP server uses the standard port 80 by default. Plain HTTP carries the credentials from Step 11 unencrypted; once HTTPS (Step 20) is verified, restrict which sources can reach the server with the ip http access-class command.

Step 19: ip http authentication local
Example:
Device(config)# ip http authentication local
Purpose: (Required) Specifies a particular authentication method for HTTP server users. The local keyword means that the login user name, password and privilege level access combination specified in the local system configuration (by the username global configuration command) should be used for authentication and authorization.

Step 20: ip http secure-server
Example:
Device(config)# ip http secure-server
Purpose: (Required) Enables a secure HTTP (HTTPS) server. The HTTPS server uses TLS.

Step 21: ip http max-connections value
Example:
Device(config)# ip http max-connections 16
Purpose: (Required) Configures the maximum number of concurrent connections allowed for the HTTP server. Enter an integer in the range from 1 to 16. The default is 5.

Step 22: ip tftp source-interface interface-type-number
Example:
Device(config)# ip tftp source-interface GigabitEthernet0/0
Purpose: Specifies the IP address of an interface as the source address for TFTP connections.

Step 23: ip route [vrf vrf-name] prefix mask next-hop-address
Example:
Device(config)# ip route vrf mgmt-vrf 192.168.0.1 255.255.0.0 192.168.255.1
Purpose: Configures a route and gateway on the product instance. You can configure either a static route or a dynamic route.

Step 24: logging host ip-address [vrf vrf-name]
Example:
Device(config)# logging host 172.25.33.20 vrf Mgmt-vrf
Purpose: Logs system messages and debug output to a remote host.

Step 25: end
Example:
Device(config)# end
Purpose: Exits global configuration mode and returns to privileged EXEC mode.

Step 26: show ip http server session-module
Example:
Device# show ip http server session-module
Purpose: (Required) Verifies HTTP connectivity. In the output, check that SL_HTTP is active. Additionally, you can also perform the following checks:
· From the device where CSLU is installed, verify that you can ping the product instance. A successful ping confirms that the product instance is reachable.
· From a web browser on the device where CSLU is installed, verify https://<product-instance-ip>/. This ensures that the REST API from CSLU to the product instance works as expected.

Assigning a Smart Account and Virtual Account (SSM On-Prem UI)
You can use this procedure to import one or more product instances along with corresponding Smart Account and Virtual Account information, into the SSM On-Prem database. This enables SSM On-Prem to map product instances that are part of local virtual accounts (other than the default local virtual account), to the correct license pool in CSSM:
Before you begin Supported topologies: SSM On-Prem Deployment (product instance-initiated communication).
Procedure

Step 1: Log into the SSM On-Prem and select the Smart Licensing workspace.
Step 2: Navigate to Inventory > SL Using Policy > Export/Import All > Import Product Instances List. The Upload Product Instances window is displayed.
Step 3: Click Download to download the .csv template file and enter the required information for all the product instances in the template.
Step 4: Once you have filled out the template, click Inventory > SL Using Policy > Export/Import All > Import Product Instances List. The Upload Product Instances window is displayed.
Step 5: Now, click Browse and upload the filled-out .csv template.

Smart Account and Virtual Account information for all uploaded product instances is now available in SSM On-Prem.

Validating Devices (SSM On-Prem UI)
When device validation is enabled, RUM reports from an unknown product instance (not in the SSM On-Prem database) are rejected. By default, devices are not validated. Complete the following steps to enable it:
Before you begin Supported topologies: SSM On-Prem Deployment (product instance-initiated communication).
Procedure

Step 1: In the On-Prem License Workspace window, click Admin Workspace and log in, if prompted. The On-Prem Admin Workspace window is displayed.
Step 2: Click the Settings widget. The Settings window is displayed.
Step 3: Navigate to the CSLU tab and turn on the Validate Device toggle switch. RUM reports from an unknown product instance will now be rejected. If you haven't already, you must now add the required product instances to the SSM On-Prem database before sending RUM reports. See Assigning a Smart Account and Virtual Account (SSM On-Prem UI), on page 118.

Ensuring Network Reachability for Product Instance-Initiated Communication
This task provides possible configurations that may be required to ensure network reachability for product instance-initiated communication. Steps marked as "(Required)" are required for all product instances; all other steps may be required or optional, depending on the kind of product instance and the network requirements. Configure the applicable commands.
Note: Ensure that you configure steps 13, 14, and 15 exactly as shown below. These commands must be configured to ensure that the correct trustpoint is used and that the necessary certificates are accepted for network reachability.
Before you begin
Supported topologies: SSM On-Prem Deployment (product instance-initiated communication).


Procedure

Step 1: enable
Example:
Device> enable
Purpose: Enables privileged EXEC mode. Enter your password, if prompted.

Step 2: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 3: interface interface-type-number
Example:
Device(config)# interface gigabitethernet0/0
Purpose: Enters interface configuration mode and specifies the Ethernet interface, subinterface, or VLAN to be associated with the VRF.

Step 4: vrf forwarding vrf-name
Example:
Device(config-if)# vrf forwarding Mgmt-vrf
Purpose: Associates the VRF with the Layer 3 interface. This command activates multiprotocol VRF on an interface.

Step 5: ip address ip-address mask
Example:
Device(config-if)# ip address 192.168.0.1 255.255.0.0
Purpose: Defines the IP address for the VRF.

Step 6: negotiation auto
Example:
Device(config-if)# negotiation auto
Purpose: Enables auto-negotiation operation for the speed and duplex parameters of an interface.

Step 7: exit
Example:
Device(config-if)# exit
Purpose: Exits interface configuration mode and returns to global configuration mode. (The end command would instead return to privileged EXEC mode; the following steps are entered in global configuration mode.)

Step 8: ip http client source-interface interface-type-number
Example:
Device(config)# ip http client source-interface gigabitethernet0/0
Purpose: Configures a source interface for the HTTP client.

Step 9: ip route [vrf vrf-name] prefix mask next-hop-address
Example:
Device(config)# ip route vrf mgmt-vrf 192.168.0.1 255.255.0.0 192.168.255.1
Purpose: (Required) Configures a route and gateway on the product instance. You can configure either a static route or a dynamic route.

Step 10: {ip | ipv6} name-server server-address1 [server-address2 ... server-address6]
Example:
Device(config)# ip name-server vrf mgmt-vrf 198.51.100.1
Purpose: Configures Domain Name System (DNS) on the VRF interface.

Step 11: ip domain lookup source-interface interface-type-number
Example:
Device(config)# ip domain lookup source-interface gigabitethernet0/0
Purpose: Configures the source interface for the DNS domain lookup.

Step 12: ip domain name domain-name
Example:
Device(config)# ip domain name example.com
Purpose: Configures DNS discovery of your domain. In the accompanying example, the name server resolves the entry cslu-local.example.com.

Step 13: crypto pki trustpoint SLA-TrustPoint
Example:
Device(config)# crypto pki trustpoint SLA-TrustPoint
Device(ca-trustpoint)#
Purpose: (Required) Declares that the product instance should use trustpoint "SLA-TrustPoint" and enters ca-trustpoint configuration mode. The product instance does not recognize any trustpoints until you declare a trustpoint using this command.

Step 14: enrollment terminal
Example:
Device(ca-trustpoint)# enrollment terminal
Purpose: (Required) Specifies the certificate enrollment method (manual enrollment by cutting and pasting certificates at the terminal).

Step 15: revocation-check none
Example:
Device(ca-trustpoint)# revocation-check none
Purpose: (Required) Specifies the method used to check whether the certificate of a peer has been revoked. For the SSM On-Prem Deployment topology, enter the none keyword. This means that no revocation check (CRL or OCSP) is performed: a certificate that chains to the CA in SLA-TrustPoint is accepted even if it has since been revoked. Chain validation against the trustpoint still takes place; only the revocation status goes unchecked.

Step 16: exit
Example:
Device(ca-trustpoint)# exit
Device(config)# exit
Purpose: Exits ca-trustpoint configuration mode and then global configuration mode, and returns to privileged EXEC mode.

Step 17: copy running-config startup-config
Example:
Device# copy running-config startup-config
Purpose: Saves your entries in the configuration file.


Retrieving the Transport URL (SSM On-Prem UI)
You must configure the transport URL on the product instance when you deploy product instance-initiated communication with SSM On-Prem. This task shows you how to copy the complete URL, including the tenant ID, from SSM On-Prem.
Before you begin
Supported topologies: SSM On-Prem Deployment (product instance-initiated communication).
Procedure

Step 1: Log into SSM On-Prem and select the Smart Licensing workspace.
Step 2: Navigate to the Inventory tab and, from the dropdown list of local virtual accounts (top right corner), select the default local virtual account. When you do, the area under the Inventory tab displays Local Virtual Account: Default.
Step 3: Navigate to the General tab. The Product Instance Registration Tokens area is displayed.
Step 4: In the Product Instance Registration Tokens area, click CSLU Transport URL. The Product Registration URL pop-up window is displayed.
Step 5: Copy the entire URL and save it in an accessible place. You will require the URL when you configure the transport type and URL on the product instance.
Step 6: Configure the transport type and URL. See: Setting the Transport Type, URL, and Reporting Interval, on page 143.

Exporting and Importing Usage Data (SSM On-Prem UI)
You can use this procedure to complete usage synchronization between SSM On-Prem and CSSM when SSM On-Prem is disconnected from CSSM.
Before you begin Supported topologies:
· SSM On-Prem Deployment (SSM On-Prem-initiated communication) · SSM On-Prem Deployment (product instance-initiated communication).
Reporting data must be available in SSM On-Prem. You must have either pushed the necessary reporting data from the product instance to SSM On-Prem (product instance-initiated communication) or retrieved the necessary reporting data from the product instance (SSM On-Prem-initiated communication).


Procedure

Step 1: Log into SSM On-Prem and select Smart Licensing.
Step 2: Navigate to the Inventory > SL Using Policy tab.
Step 3: In the SL Using Policy tab area, click Export/Import All... > Export Usage to Cisco. This generates one .tar file with all the usage reports available in the SSM On-Prem server.
Step 4: Complete this task in CSSM: Uploading Data or Requests to CSSM and Downloading a File, on page 141. At the end of this task you will have an ACK file to import into SSM On-Prem.
Step 5: Again navigate to the Inventory > SL Using Policy tab. In the SL Using Policy tab area, click Export/Import All... > Import From Cisco. Upload the .tar ACK file.
Step 6: To verify the ACK import, in the SL Using Policy tab area check the Alerts column of the corresponding product instance. The following message is displayed: Acknowledgement received from CSSM.

Adding One or More Product Instances (SSM On-Prem UI)
You can use this procedure to add one product instance or to import and add multiple product instances. It enables SSM On-Prem to retrieve information from the product instance.
Before you begin Supported topologies: SSM On-Prem Deployment (SSM On-Prem-initiated communication).
Procedure

Step 1: Log into the SSM On-Prem UI and click Smart Licensing.
Step 2: Navigate to the Inventory tab. Select a local virtual account from the drop-down list in the top right corner.
Step 3: Navigate to the SL Using Policy tab.
Step 4: Add a single product or import multiple product instances (choose one).
· To add a single product instance:
a. In the SL Using Policy tab area, click Add Single Product.
b. In the Host field, enter the IP address of the host (product instance).
c. From the Connect Method dropdown list, select an appropriate SSM On-Prem-initiated connect method. The available connect methods for SSM On-Prem-initiated communication are: NETCONF, RESTCONF, and REST API.
d. In the right panel, click Product Instance Login Credentials. The Product Instance Login Credentials window is displayed.
Note: You need the login credentials only if a product instance requires a SLAC.
e. Enter the User ID and Password, and click Save.
This is the same user ID and password that you configured as part of the commands required to establish network reachability (Ensuring Network Reachability for SSM On-Prem-Initiated Communication, on page 124).
Once validated, the product instance is displayed in the listing in the SL Using Policy tab area.
· To import multiple product instances:
a. In the SL Using Policy tab, click Export/Import All... > Import Product Instances List. The Upload Product Instances window is displayed.
b. Click Download to download the predefined .csv template.
c. Enter the required information for all the product instances in the .csv template. In the template, ensure that you provide Host, Connect Method and Login Credentials for all product instances. The available connect methods for SSM On-Prem-initiated communication are: NETCONF, RESTCONF, and REST API. Login credentials refer to the user ID and password that you configured as part of the commands required to establish network reachability (Ensuring Network Reachability for SSM On-Prem-Initiated Communication, on page 124).
d. Again navigate to the Inventory > SL Using Policy tab. Click Export/Import All... > Import Product Instances List. The Upload Product Instances window is displayed.
e. Now upload the filled-out .csv template. Once validated, the product instances are displayed in the listing in the SL Using Policy tab.

Ensuring Network Reachability for SSM On-Prem-Initiated Communication
This task provides possible configurations that may be required to ensure network reachability for SSM On-Prem-initiated communication. Steps marked as "(Required)" are required for all product instances; all other steps may be required or optional, depending on the kind of product instance and the network requirements. Configure the applicable commands.
Note Ensure that you configure steps 25, 26, and 27 exactly as shown below. These commands must be configured to ensure that the correct trustpoint is used and that the necessary certificates are accepted for network reachability.


Before you begin Supported topologies: SSM On-Prem Deployment (SSM On-Prem-initiated communication).

Procedure

Step 1: enable
Example:
Device> enable
Purpose: Enables privileged EXEC mode. Enter your password, if prompted.

Step 2: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 3: aaa new-model
Example:
Device(config)# aaa new-model
Purpose: (Required) Enables the authentication, authorization, and accounting (AAA) access control model.

Step 4: aaa authentication login default local
Example:
Device(config)# aaa authentication login default local
Purpose: (Required) Sets AAA authentication to use the local username database for authentication.

Step 5: aaa authorization exec default local
Example:
Device(config)# aaa authorization exec default local
Purpose: Sets the parameters that restrict user access to a network. The user is allowed to run an EXEC shell.

Step 6: ip routing
Example:
Device(config)# ip routing
Purpose: Enables IP routing.

Step 7: {ip | ipv6} name-server server-address1 [server-address2 ... server-address6]
Example:
Device(config)# ip name-server vrf Mgmt-vrf 192.168.1.100 192.168.1.200
Purpose: (Optional) Specifies the address of one or more name servers to use for name and address resolution. You can specify up to six name servers. Separate each server address with a space. The first server specified is the primary server. The device sends DNS queries to the primary server first. If that query fails, the backup servers are queried.

Step 8: ip domain lookup source-interface interface-type-number
Example:
Device(config)# ip domain lookup source-interface gigabitethernet0/0
Purpose: Enables DNS-based hostname-to-address translation on your device and sets the source interface for DNS queries. DNS lookup is enabled by default. If your network devices require connectivity with devices in networks for which you do not control name assignment, you can dynamically assign device names that uniquely identify your devices by using the global Internet naming scheme (DNS).

Step 9: ip domain name name
Example:
Device(config)# ip domain name vrf Mgmt-vrf cisco.com
Purpose: Defines a default domain name that the software uses to complete unqualified hostnames (names without a dotted-decimal domain name).

Step 10: no username name
Example:
Device(config)# no username admin
Purpose: (Required) Clears the specified username, if it exists. For name, enter the same username you will create in the next step. This ensures that a duplicate of the username you are going to create in the next step does not exist. If you plan to use REST APIs for SSM On-Prem-initiated retrieval of RUM reports, you have to log in to SSM On-Prem; duplicate usernames in the system may cause the feature to work incorrectly.

Step 11: username name privilege level password password
Example:
Device(config)# username admin privilege 15 password 0 lab
Purpose: (Required) Establishes a username-based authentication system. The privilege keyword sets the privilege level for the user; a number between 0 and 15 specifies the privilege level. The password allows access to the name argument. A password must be from 1 to 25 characters, can contain embedded spaces, and must be the last option specified in the username command. This enables SSM On-Prem to use the product instance native REST API.
Note: Enter this username and password in SSM On-Prem (Adding One or More Product Instances (SSM On-Prem UI), on page 123). This enables SSM On-Prem to collect RUM reports from the product instance.
Note: The example uses password type 0, which stores the password in cleartext in the running configuration, together with a trivial password. In production, use a strong password dedicated to SSM On-Prem and treat this account as a privilege-15 administrative credential, because that is what SSM On-Prem holds and presents to the product instance.

Step 12: interface interface-type-number
Example:
Device(config)# interface gigabitethernet0/0
Purpose: Enters interface configuration mode and specifies the Ethernet interface, subinterface, or VLAN to be associated with the VRF.

Step 13: vrf forwarding vrf-name
Example:
Device(config-if)# vrf forwarding Mgmt-vrf
Purpose: Associates the VRF with the Layer 3 interface. This command activates multiprotocol VRF on an interface.

Step 14: ip address ip-address mask
Example:
Device(config-if)# ip address 192.168.0.1 255.255.0.0
Purpose: Defines the IP address for the VRF.

Step 15: negotiation auto
Example:
Device(config-if)# negotiation auto
Purpose: Enables auto-negotiation operation for the speed and duplex parameters of an interface.

Step 16: no shutdown
Example:
Device(config-if)# no shutdown
Purpose: Restarts a disabled interface.

Step 17: exit
Example:
Device(config-if)# exit
Purpose: Exits interface configuration mode and returns to global configuration mode. (The end command would instead return to privileged EXEC mode; the following steps are entered in global configuration mode.)

Step 18: ip http server
Example:
Device(config)# ip http server
Purpose: (Required) Enables the HTTP server on your IP or IPv6 system, including a Cisco web browser user interface. The HTTP server uses the standard port 80 by default. Plain HTTP carries the credentials from Step 11 unencrypted; once HTTPS (Step 20) is verified, restrict which sources can reach the server with the ip http access-class command.

Step 19: ip http authentication local
Example:
Device(config)# ip http authentication local
Purpose: (Required) Specifies a particular authentication method for HTTP server users. The local keyword means that the login user name, password and privilege level access combination specified in the local system configuration (by the username global configuration command) should be used for authentication and authorization.

Step 20: ip http secure-server
Example:
Device(config)# ip http secure-server
Purpose: (Required) Enables a secure HTTP (HTTPS) server. The HTTPS server uses TLS.

Step 21: ip http max-connections value
Example:
Device(config)# ip http max-connections 16
Purpose: (Required) Configures the maximum number of concurrent connections allowed for the HTTP server. Enter an integer in the range from 1 to 16. The default is 5.

Step 22: ip tftp source-interface interface-type-number
Example:
Device(config)# ip tftp source-interface GigabitEthernet0/0
Purpose: Specifies the IP address of an interface as the source address for TFTP connections.

Step 23: ip route [vrf vrf-name] prefix mask next-hop-address
Example:
Device(config)# ip route vrf mgmt-vrf 192.168.0.1 255.255.0.0 192.168.255.1
Purpose: Configures a route and gateway on the product instance. You can configure either a static route or a dynamic route.

Step 24: logging host ip-address [vrf vrf-name]
Example:
Device(config)# logging host 172.25.33.20 vrf Mgmt-vrf
Purpose: Logs system messages and debug output to a remote host.

Step 25: crypto pki trustpoint SLA-TrustPoint
Example:
Device(config)# crypto pki trustpoint SLA-TrustPoint
Device(ca-trustpoint)#
Purpose: (Required) Declares that the product instance should use trustpoint "SLA-TrustPoint" and enters ca-trustpoint configuration mode. The product instance does not recognize any trustpoints until you declare a trustpoint using this command.

Step 26: enrollment terminal
Example:
Device(ca-trustpoint)# enrollment terminal
Purpose: (Required) Specifies the certificate enrollment method (manual enrollment by cutting and pasting certificates at the terminal).

Step 27: revocation-check none
Example:
Device(ca-trustpoint)# revocation-check none
Purpose: (Required) Specifies the method used to check whether the certificate of a peer has been revoked. For the SSM On-Prem Deployment topology, enter the none keyword. This means that no revocation check (CRL or OCSP) is performed: a certificate that chains to the CA in SLA-TrustPoint is accepted even if it has since been revoked. Chain validation against the trustpoint still takes place; only the revocation status goes unchecked.

Step 28: end
Example:
Device(ca-trustpoint)# exit
Device(config)# end
Purpose: Exits ca-trustpoint configuration mode and then global configuration mode, and returns to privileged EXEC mode.

Step 29: show ip http server session-module
Example:
Device# show ip http server session-module
Purpose: (Required) Verifies HTTP connectivity. In the output, check that SL_HTTP is active. Additionally, you can also perform the following checks:
· From the device where SSM On-Prem is installed, verify that you can ping the product instance. A successful ping confirms that the product instance is reachable.
· From a web browser on the device where SSM On-Prem is installed, verify https://<product-instance-ip>/. This ensures that the REST API from SSM On-Prem to the product instance works as expected.

Step 30: copy running-config startup-config
Example:
Device# copy running-config startup-config
Purpose: Saves your entries in the configuration file.
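The three reachability procedures above (CSLU-initiated, product instance-initiated, and SSM On-Prem-initiated) share most of their required commands, and the only verification they offer is a ping and a browser check. The following Python script is an added example, not part of this guide and not a Cisco tool: it audits a saved running-config excerpt for the commands each table marks "(Required)" and flags the settings a security reviewer would question when the examples are typed in verbatim (a type-0 cleartext password, a privilege-15 REST credential, an HTTP server with no source restriction, revocation checking disabled). The sample configuration is constructed from the page's own examples; the REQUIRED lists, the topology names and the ip http access-class recommendation are the editor's assumptions rather than text from the guide.

```python
"""Audit an IOS XE running-config excerpt for the Smart Licensing Using Policy
reachability commands in this section. Added example; not Cisco code."""
import re

# Constructed sample: what the SSM On-Prem-initiated procedure produces when the
# page's examples are entered verbatim (weak settings intentionally kept).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local
aaa authorization exec default local
ip routing
username admin privilege 15 password 0 lab
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 ip address 192.168.0.1 255.255.0.0
 negotiation auto
 no shutdown
ip http server
ip http authentication local
ip http secure-server
ip http max-connections 16
ip route vrf Mgmt-vrf 192.168.0.1 255.255.0.0 192.168.255.1
crypto pki trustpoint SLA-TrustPoint
 enrollment terminal
 revocation-check none
"""

# Commands the tables mark "(Required)", grouped by who opens the connection.
# Topology names are the editor's shorthand, not terms from the guide.
REQUIRED = {
    # CSLU-initiated / SSM On-Prem-initiated: the product instance is the server.
    "server-initiated": [
        "aaa new-model",
        "aaa authentication login default local",
        "username",
        "ip http server",
        "ip http authentication local",
        "ip http secure-server",
        "ip http max-connections",
    ],
    # Product instance-initiated: the product instance is the HTTPS client.
    "instance-initiated": ["ip route", "crypto pki trustpoint SLA-TrustPoint"],
}
TRUSTPOINT_CHILDREN = ["enrollment terminal", "revocation-check none"]
# username <name> [privilege <n>] password|secret [<type>] <value>
USERNAME_RE = re.compile(
    r"username (\S+) (?:privilege (\d+) )?(password|secret)(?: (\d))? \S")


def parse_sections(config):
    """Split a config into top-level commands and their indented children.
    IOS XE indents a sub-mode line by one space under its parent command."""
    top, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            sections.setdefault(current, [])
    return top, sections


def has_command(lines, prefix):
    """True if a line is exactly `prefix` or is `prefix` followed by arguments."""
    return any(l == prefix or l.startswith(prefix + " ") for l in lines)


def audit(config, topology):
    """Return findings: MISSING (procedure not met), WEAK/HARDEN (editor's
    hardening checks, not from the page), INFO (worth knowing)."""
    top, sections = parse_sections(config)
    findings = [f"MISSING: {c}" for c in REQUIRED[topology] if not has_command(top, c)]

    if topology == "instance-initiated":
        children = sections.get("crypto pki trustpoint SLA-TrustPoint", [])
        findings += [f"MISSING under SLA-TrustPoint: {c}"
                     for c in TRUSTPOINT_CHILDREN if c not in children]
        if "revocation-check none" in children:
            findings.append("INFO: revocation-check none: the SSM On-Prem certificate "
                            "is chain-validated but never checked against a CRL/OCSP")

    for line in top:
        m = USERNAME_RE.match(line)
        if not m:
            continue
        user, priv, kind, ptype = m.groups()
        if kind == "password" and ptype in (None, "0"):
            findings.append(f"WEAK: {user} uses a type-0 (cleartext) password")
        elif kind == "password" and ptype == "7":
            findings.append(f"WEAK: {user} uses a type-7 (reversible) password")
        if priv == "15":
            findings.append(f"INFO: {user} is privilege 15 and is the REST credential "
                            "that CSLU/SSM On-Prem stores")

    if has_command(top, "ip http server") and not has_command(top, "ip http access-class"):
        findings.append("HARDEN: HTTP/HTTPS server accepts any source; add "
                        "ip http access-class limited to the CSLU/SSM On-Prem host")
    return findings


if __name__ == "__main__":
    for topo in ("server-initiated", "instance-initiated"):
        print(f"== {topo} ==")
        for finding in audit(SAMPLE_CONFIG, topo):
            print(" ", finding)
```

Run it against the output of show running-config saved to a file. A MISSING finding means the procedure is incomplete for that topology; a WEAK or HARDEN finding means the procedure was followed literally, example credential included, and the account and HTTP server still need the hardening the notes in the tables describe.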

Setting Up a Connection to CSSM
The following steps show how to set up a Layer 3 connection to CSSM to verify network reachability. Steps marked as "(Required)" are required for all product instances; all other steps may be required or optional, depending on the kind of product instance and the network requirements. Configure the applicable commands.

Procedure

Step 1: enable
Example:
Device> enable
Purpose: Enables privileged EXEC mode. Enter your password, if prompted.

Step 2: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 3: {ip | ipv6} name-server server-address1 [server-address2 ... server-address6]
Example:
Device(config)# ip name-server 209.165.201.1 209.165.200.225 209.165.201.14 209.165.200.230
Purpose: Specifies the address of one or more name servers to use for name and address resolution. You can specify up to six name servers. Separate each server address with a space. The first server specified is the primary server. The device sends DNS queries to the primary server first. If that query fails, the backup servers are queried.

Step 4: ip name-server vrf Mgmt-vrf server-address1 [server-address2 ... server-address6]
Example:
Device(config)# ip name-server vrf Mgmt-vrf 209.165.201.1 209.165.200.225 209.165.201.14 209.165.200.230
Purpose: (Optional) Configures DNS on the VRF interface. You can specify up to six name servers. Separate each server address with a space.
Note: This command is an alternative to the ip name-server command.

Step 5: ip domain lookup source-interface interface-type interface-number
Example:
Device(config)# ip domain lookup source-interface Vlan100
Purpose: Configures the source interface for the DNS domain lookup.

Step 6: ip domain name domain-name
Example:
Device(config)# ip domain name example.com
Purpose: Configures the domain name.

Step 7: ip host tools.cisco.com ip-address
Example:
Device(config)# ip host tools.cisco.com 209.165.201.30
Purpose: Configures static hostname-to-address mappings in the DNS hostname cache if automatic DNS mapping is not available. A static entry takes precedence over DNS for that name, so it must be kept current if the address of tools.cisco.com changes.

Step 8: interface interface-type-number
Example:
Device(config)# interface Vlan100
Device(config-if)# ip address 192.0.2.10 255.255.255.0
Device(config-if)# exit
Purpose: Configures a Layer 3 interface. Enter an interface type and number or a VLAN.

Step 9: ntp server ip-address [version number] [key key-id] [prefer]
Example:
Device(config)# ntp server 198.51.100.100 version 2 prefer
Purpose: (Required) Activates the NTP service (if it has not already been activated) and enables the system to synchronize the system software clock with the specified NTP server. This ensures that the device time is synchronized with CSSM. Use the prefer keyword if you need to use this command multiple times and you want to set a preferred server. Using this keyword reduces switching between servers.

Step 10: switchport access vlan vlan_id
Example:
Device(config)# interface GigabitEthernet1/0/1
Device(config-if)# switchport access vlan 100
Device(config-if)# switchport mode access
Device(config-if)# exit
Purpose: Enables the VLAN for which this access port carries traffic and sets the interface as a nontrunking, nontagged single-VLAN Ethernet interface.
Note: This step is to be configured only if the switchport access mode is required. The switchport access vlan command may apply to Catalyst switching product instances, for example; for routing product instances you may want to configure the ip address ip-address mask command instead.

Step 11: ip route prefix mask next-hop-address
Example:
Device(config)# ip route 192.0.2.0 255.255.255.255 192.0.2.1
Purpose: Configures a route on the device. You can configure either a static route or a dynamic route.

Step 12: ip http client source-interface interface-type-number
Example:
Device(config)# ip http client source-interface Vlan100
Purpose: (Required) Configures a source interface for the HTTP client. Enter an interface type and number or a VLAN.

Step 13: exit
Example:
Device(config)# exit
Purpose: Exits global configuration mode and returns to privileged EXEC mode.

Step 14: copy running-config startup-config
Example:
Device# copy running-config startup-config
Purpose: Saves your entries in the configuration file.

Configuring Smart Transport Through an HTTPs Proxy
To use a proxy server to communicate with CSSM when using the Smart transport mode, complete the following steps:

Procedure

Step 1
enable
Example:
Device> enable
Purpose: Enables privileged EXEC mode. Enter your password, if prompted.

Step 2
configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 3
license smart transport smart
Example:
Device(config)# license smart transport smart
Purpose: Enables Smart transport mode.

Step 4
license smart url default
Example:
Device(config)# license smart url default
Purpose: Automatically configures the Smart URL (https://smartreceiver.cisco.com/licservice/license). For this option to work as expected, the transport mode in the previous step must be configured as smart.

Step 5
license smart proxy {address address_hostname | port port_num}
Example:
Device(config)# license smart proxy address 192.168.0.1
Device(config)# license smart proxy port 3128
Purpose: Configures a proxy for the Smart transport mode. When a proxy is configured, licensing messages are sent to the proxy along with the final destination URL (CSSM). The proxy sends the message on to CSSM. Configure the proxy address and port number separately:
· address address_hostname: Specifies the proxy address. Enter the IP address or hostname of the proxy server.
· port port_num: Specifies the proxy port. Enter the proxy port number.

Configuring the Call Home Service for Direct Cloud Access
The Call Home service provides email-based and web-based notification of critical system events to CSSM. To configure the transport mode, enable the Call Home service, and configure a destination profile, complete the following steps. A destination profile contains the required delivery information for an alert notification; at least one destination profile is required.

Note All steps are required unless specifically called-out as "(Optional)".

Procedure

Step 1
enable
Example:
Device> enable
Purpose: Enables privileged EXEC mode. Enter your password, if prompted.

Step 2
configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 3
license smart transport callhome
Example:
Device(config)# license smart transport callhome
Purpose: Enables Call Home as the transport mode.

Step 4
license smart url url
Example:
Device(config)# license smart url https://tools.cisco.com/its/service/oddce/services/DDCEService
Purpose: For the callhome transport mode, configure the CSSM URL exactly as shown in the example.

Step 5
service call-home
Example:
Device(config)# service call-home
Purpose: Enables the Call Home feature.

Step 6
call-home
Example:
Device(config)# call-home
Purpose: Enters Call Home configuration mode.

Step 7
no http secure server-identity-check
Example:
Device(config-call-home)# no http secure server-identity-check
Purpose: Disables the server identity check when the HTTP connection is established.

Step 8
contact-email-address email-address
Example:
Device(config-call-home)# contact-email-addr username@example.com
Purpose: Assigns the customer's email address, enables the Smart Call Home service full reporting capability, and sends a full inventory message from the Call-Home TAC profile to the Smart Call Home server to start the full registration process. You can enter up to 200 characters in email address format with no spaces.

Step 9
profile name
Example:
Device(config-call-home)# profile CiscoTAC-1
Device(config-call-home-profile)#
Purpose: Enters the Call Home destination profile configuration submode for the specified destination profile.
By default:
· The CiscoTAC-1 profile is inactive. To use this profile with the Call Home service, you must enable the profile.
· The CiscoTAC-1 profile sends a full report of all types of events subscribed in the profile. The alternative is to additionally configure Device(cfg-call-home-profile)# anonymous-reporting-only. When this is set, only crash, inventory, and test messages will be sent.
Use the show call-home profile all command to check the profile status.

Step 10
active
Example:
Device(config-call-home-profile)# active
Purpose: Enables the destination profile.

Step 11
destination transport-method {email | http}
Example:
Device(config-call-home-profile)# destination transport-method http
AND
Device(config-call-home-profile)# no destination transport-method email
Purpose: Enables the message transport method. In the example, Call Home service is enabled via HTTP and transport via email is disabled.
The no form of the command disables the method.

Step 12
destination address {email email_address | http url}
Example:
Device(config-call-home-profile)# destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
AND
Device(config-call-home-profile)# no destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
Purpose: Configures the destination e-mail address or URL to which Call Home messages are sent.
When entering a destination URL, include either http:// (default) or https://, depending on whether the server is a secure server. In the example provided here, a http:// destination URL is configured; and the no form of the command is configured for https://.

Step 13
exit
Example:
Device(config-call-home-profile)# exit
Purpose: Exits Call Home destination profile configuration mode and returns to Call Home configuration mode.

Step 14
exit
Example:
Device(config-call-home)# end
Purpose: Exits Call Home configuration mode and returns to privileged EXEC mode.

Step 15
copy running-config startup-config
Example:
Device# copy running-config startup-config
Purpose: Saves your entries in the configuration file.

Step 16
show call-home profile {name | all}
Purpose: Displays the destination profile configuration for the specified profile or all configured profiles.
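The CSSM connection procedure (Setting Up a Connection to CSSM) and the Call Home procedure above both end in a running configuration whose completeness can be checked offline, before the product instance is expected to reach CSSM. The Python audit below is an added example written for this guide; it is not Cisco code and not a Cisco tool. It parses a constructed running-config excerpt (the host name and addresses are made up; the indentation-based sub-mode layout of IOS XE output is assumed), lists the commands from the procedures that are missing for the configured transport mode, and flags no http secure server-identity-check, which the Call Home procedure configures and which turns off server identity verification for the Call Home HTTPS connection, so that an auditor sees that the controller is not checking who it is talking to.

```python
# Added example (not Cisco code): audit a Catalyst 9800 running-config for the
# CSSM connectivity and Call Home settings that the procedures above configure.

# Constructed running-config excerpt; host name and addresses are made up.
SAMPLE_CONFIG = """\
hostname WLC1
ip name-server 209.165.201.1 209.165.200.225
ip domain name example.com
ip host tools.cisco.com 209.165.201.30
ntp server 198.51.100.100 version 2 prefer
ip http client source-interface Vlan100
license smart transport callhome
license smart url https://tools.cisco.com/its/service/oddce/services/DDCEService
service call-home
call-home
 contact-email-addr username@example.com
 no http secure server-identity-check
 profile "CiscoTAC-1"
  active
  destination transport-method http
  no destination transport-method email
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
"""

# Global commands the CSSM connection procedure requires, keyed by a label.
REQUIRED_GLOBAL = {
    "DNS name server (ip name-server)": "ip name-server",
    "domain name (ip domain name)": "ip domain name",
    "NTP server (ntp server)": "ntp server",
    "HTTP client source interface (ip http client source-interface)": "ip http client source-interface",
}


def parse_config(text):
    """Turn IOS-style config text into a tree of {'cmd', 'children'} nodes.
    Sub-mode commands are recognised by deeper indentation (assumed layout)."""
    root = []
    stack = [(-1, root)]          # (indent, child list currently being filled)
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        node = {"cmd": raw.strip(), "children": []}
        while stack[-1][0] >= indent:     # leave sub-modes that are deeper or equal
            stack.pop()
        stack[-1][1].append(node)
        stack.append((indent, node["children"]))
    return root


def find(nodes, prefix):
    """Nodes whose command is exactly `prefix` or starts with `prefix` plus a space."""
    return [n for n in nodes if n["cmd"] == prefix or n["cmd"].startswith(prefix + " ")]


def audit_config(text):
    """Return {'mode', 'missing', 'warnings'} for the licensing transport settings."""
    cfg = parse_config(text)
    missing, warnings = [], []
    for label, prefix in REQUIRED_GLOBAL.items():
        if not find(cfg, prefix):
            missing.append(label)
    transport = find(cfg, "license smart transport")
    mode = transport[-1]["cmd"].split()[-1] if transport else None
    if mode is None:
        missing.append("transport mode (license smart transport)")
    elif mode == "callhome":
        if not find(cfg, "license smart url"):
            missing.append("CSSM URL (license smart url)")
        if not find(cfg, "service call-home"):
            missing.append("service call-home")
        call_home = find(cfg, "call-home")
        if not call_home:
            missing.append("call-home configuration")
        else:
            body = call_home[-1]["children"]
            if find(body, "no http secure server-identity-check"):
                warnings.append("server identity check disabled: the Call Home server "
                                "certificate is not verified on the HTTPS connection")
            usable = [p for p in find(body, "profile")
                      if find(p["children"], "active")
                      and find(p["children"], "destination transport-method http")]
            if not usable:
                missing.append("active Call Home profile with HTTP transport")
    elif mode == "smart":
        if not find(cfg, "license smart url"):
            missing.append("Smart URL (license smart url default)")
    elif mode == "off":
        warnings.append("license smart transport off: all communication from the "
                        "product instance is disabled")
    return {"mode": mode, "missing": missing, "warnings": warnings}


if __name__ == "__main__":
    for key, value in audit_config(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Run it against a saved show running-config file instead of SAMPLE_CONFIG to check a real controller; the checks are deliberately limited to the commands the two procedures name, so a clean result means the procedures were followed, not that every other setting on the box is sound.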


Configuring the Call Home Service for Direct Cloud Access through an HTTPs Proxy Server
The Call Home service can be configured through an HTTPs proxy server. This configuration requires no user authentication to connect to CSSM.

Note: Authenticated HTTPs proxy configurations are not supported.

To configure and enable the Call Home service through an HTTPs proxy, complete the following steps:

Note All steps are required unless specifically called-out as "(Optional)".

Procedure

Step 1
enable
Example:
Device> enable
Purpose: Enables privileged EXEC mode. Enter your password, if prompted.

Step 2
configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 3
license smart transport callhome
Example:
Device(config)# license smart transport callhome
Purpose: Enables Call Home as the transport mode.

Step 4
service call-home
Example:
Device(config)# service call-home
Purpose: Enables the Call Home feature.

Step 5
call-home
Example:
Device(config)# call-home
Purpose: Enters Call Home configuration mode.

Step 6
http-proxy proxy-address proxy-port port-number
Example:
Device(config-call-home)# http-proxy 198.51.100.10 port 5000
Purpose: Configures the proxy server information to the Call Home service.

Step 7
exit
Example:
Device(config-call-home)# exit
Purpose: Exits Call Home configuration mode and enters global configuration mode.

Step 8
exit
Example:
Device(config)# exit
Purpose: Exits global configuration mode and enters privileged EXEC mode.

Step 9
copy running-config startup-config
Example:
Device# copy running-config startup-config
Purpose: Saves your entries in the configuration file.

Removing and Returning an Authorization Code
To remove and return an SLR authorization code, complete the following steps.

Before you begin
Supported topologies: all

Procedure

Step 1
enable
Example:
Device> enable
Purpose: Enables privileged EXEC mode. Enter your password, if prompted.

Step 2
show license summary
Example:
Device# show license summary
Purpose: Ensure that the license that you want to remove and return is not in-use. If it is in-use, you must first disable the feature.

Step 3
license smart authorization return {all|local} {offline [path]|online}
Example:
Device# license smart authorization return all online
Enter this return code in Cisco Smart Software Manager portal:
UDI: PID:C9800-CL-K9,SN:93BBAH93MGS
Return code: CqaUPW-WSPYiq-ZNU2ci-SnWydS-hBCXHP-MuyPqy-PJ1GiG-tPTGQj-S2h
UDI: PID:C9800-CL-K9,SN:9XECPSUU4XN
Return code: CNLwxR-eWiAEJ-XaTEQg-j4rrYW-dSRz9j-37VpcP-imjuLD-mNeA4k-TXA
OR
Device# license smart authorization return local offline
Enter this return code in Cisco Smart Software Manager portal:
UDI: PID:C9800-CL-K9,SN:93BBAH93MGS
Return code: CqaUPW-WSPYiq-ZNU2ci-SnWydS-hBCXHP-MuyPqy-PJ1GiG-tPTGQj-S2h
UDI: PID:C9800-CL-K9,SN:9XECPSUU4XN
Return code: CNLwxR-eWiAEJ-XaTEQg-j4rrYW-dSRz9j-37VpcP-imjuLD-mNeA4k-TXA
OR
Device# license smart authorization return local offline bootflash:return-code.txt
Purpose: Returns an authorization code back to the license pool in CSSM. A return code is displayed after you enter this command.
Specify the product instance:
· all: Performs the action for all connected product instances in a High Availability set-up.
· local: Performs the action for the active product instance. This is the default option.
Specify if you are connected to CSSM or not:
· If connected to CSSM, enter online. The code is automatically returned to CSSM and a confirmation is returned and installed on the product instance. If you choose this option, the return code is automatically submitted to CSSM.
· If not connected to CSSM, enter offline [path]. If you enter only the offline keyword, you must copy the return code that is displayed on the CLI and enter it in CSSM. If you specify a file name and path, the return code is saved in the specified location. The file format can be any readable format. For example: Device# license smart authorization return local offline bootflash:return-code.txt.
For software versions Cisco IOS XE Cupertino 17.7.1 and later only: After you save the return request in a file, you can upload the file to CSSM in the same location and in the same way as you upload a RUM report: Uploading Data or Requests to CSSM and Downloading a File, on page 141.
To enter the return code in CSSM, complete this task: Removing the Product Instance from CSSM, on page 138. Proceed with the next step only after you complete this step.

Step 4
configure terminal
Example:
Device# configure terminal
Purpose: Enters the global configuration mode.

Step 5
no license smart reservation
Example:
Device(config)# no license smart reservation
Purpose: Disables SLR configuration on the product instance. You must complete the authorization code return process in Step 3 above, whether online or offline, before you enter the no license smart reservation command in this step. Otherwise, the return may not be reflected in CSSM or in the show command, and you will have to contact your Cisco technical support representative to rectify the problem.

Step 6
exit
Example:
Device(config)# exit
Purpose: Returns to privileged EXEC mode.

Step 7
show license all
Example:
Device# show license all
<output truncated>
License Authorizations
======================
Overall status:
  Active: PID:C9800-CL-K9,SN:93BBAH93MGS
      Status: NOT INSTALLED
      Last return code: CqaUPW-WSPYiq-ZNU2ci-SnWydS-hBCXHP-MuyPqy-PJ1GiG-tPTGQj-S2h
  Standby: PID:C9800-CL-K9,SN:9XECPSUU4XN
      Status: NOT INSTALLED
      Last return code: CNLwxR-eWiAEJ-XaTEQg-j4rrYW-dSRz9j-37VpcP-imjuLD-mNeA4k-TXA
<output truncated>
Purpose: Displays licensing information. Check the License Authorizations header in the output. If the return process is completed correctly, the Last return code: field displays the return code.

Removing the Product Instance from CSSM
To remove a product instance and return all licenses to the license pool, complete the following task:
Before you begin
Supported topologies: No Connectivity to CSSM and No CSLU
If you are removing a product instance that is using reserved licenses (SLR) ensure that you have generated a return code as shown in Removing and Returning an Authorization Code, on page 136. (Enter it in Step 7 in this task).

Procedure

Step 1
Log in to the CSSM Web UI at https://software.cisco.com and click Smart Software Licensing. Log in using the username and password provided by Cisco.

Step 2
Click the Inventory tab.

Step 3
From the Virtual Account drop-down list, choose your Virtual Account.

Step 4
Click the Product Instances tab. The list of product instances that are available is displayed.

Step 5
Locate the required product instance from the product instances list. Optionally, you can enter a name or product type string in the search tab to locate the product instance.

Step 6
In the Actions column of the product instance you want to remove, click the Remove link.
· If the product instance is not using a license with an SLR authorization code then the Confirm Remove Product Instance window is displayed.
· If the product instance is using a license with an SLR authorization code, then the Remove Product Instance window, with a field for return code entry is displayed.

Step 7
In the Reservation Return Code field, enter the return code you generated.
Note: This step applies only if the product instance is using a license with an SLR authorization code.

Step 8
Click Remove Product Instance. The license is returned to the license pool and the product instance is removed.

Generating a New Token for a Trust Code from CSSM
To generate a token to request a trust code, complete the following steps. Generate one token for each Virtual Account you have. You can use the same token for all the product instances that are part of one Virtual Account.

Before you begin
Supported topologies: Connected Directly to CSSM

Procedure

Step 1
Log in to the CSSM Web UI at https://software.cisco.com and click Smart Software Licensing. Log in using the username and password provided by Cisco.

Step 2
Click the Inventory tab.

Step 3
From the Virtual Account drop-down list, choose the required virtual account.

Step 4
Click the General tab.

Step 5
Click New Token. The Create Registration Token window is displayed.

Step 6
In the Description field, enter the token description.

Step 7
In the Expire After field, enter the number of days the token must be active.

Step 8
(Optional) In the Max. Number of Uses field, enter the maximum number of uses allowed after which the token expires.

Step 9
Click Create Token. You will see your new token in the list.

Step 10
Click Actions and download the token as a .txt file.

Installing a Trust Code
To manually install a trust code, complete the following steps.

Before you begin
Supported topologies:
· Connected Directly to CSSM

Procedure

Step 1
Generating a New Token for a Trust Code from CSSM, on page 139
Purpose: In case you have not completed this already, generate and download a trust code file from CSSM.

Step 2
enable
Example:
Device> enable
Purpose: Enables privileged EXEC mode. Enter your password, if prompted.

Step 3
license smart trust idtoken id_token_value {local|all} [force]
Example:
Device# license smart trust idtoken NGMwMjk5mYtNZaxMS00NzMZmtgWm all force
Purpose: Enables you to establish a trusted connection with CSSM. For id_token_value, enter the token you generated in CSSM.
Enter one of the following options:
· local: Submits the trust request only for the active device in a High Availability set-up. This is the default option.
· all: Submits the trust request for all devices in a High Availability set-up.
Enter the force keyword to submit the trust code request in spite of an existing trust code on the product instance.
Trust codes are node-locked to the UDI of the product instance. If a UDI is already registered, CSSM does not allow a new registration for the same UDI. Entering the force keyword sets a force flag in the message sent to CSSM to create a new trust code even if one already exists.

Step 4
show license status
Example:
Device# show license status
<output truncated>
Trust Code Installed:
  Active: PID:C9800-CL-K9,SN:93BBAH93MGS
      INSTALLED on Nov 02 08:59:26 2020 IST
  Standby: PID:C9800-CL-K9,SN:9XECPSUU4XN
      INSTALLED on Nov 02 09:00:45 2020 IST
Purpose: Displays the date and time if a trust code is installed. Date and time are in the local time zone. See the field Trust Code Installed:.
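Both the authorization-code return (show license all, Step 7 of Removing and Returning an Authorization Code) and the trust-code installation (show license status, Step 4 above) are verified by reading a field in show-command output. The Python below is an added example for this guide, not Cisco code: it parses constructed samples laid out like the truncated output in those two steps (the UDIs and return codes are the ones shown in the guide; the "<none>" form for a product instance without a trust code is an assumed layout) and reduces each to a yes/no answer that a change-verification script can assert on, so that a half-completed return on the standby member of an HA pair is caught rather than overlooked.

```python
# Added example (not Cisco code): parse the verification output of
# "show license all" (License Authorizations) and "show license status"
# (Trust Code Installed) into checkable results.
import re

# Constructed samples, laid out like the truncated examples in the guide.
SHOW_LICENSE_ALL = """\
Smart Licensing Status
======================
<output truncated>

License Authorizations
======================
Overall status:
  Active: PID:C9800-CL-K9,SN:93BBAH93MGS
      Status: NOT INSTALLED
      Last return code: CqaUPW-WSPYiq-ZNU2ci-SnWydS-hBCXHP-MuyPqy-PJ1GiG-tPTGQj-S2h
  Standby: PID:C9800-CL-K9,SN:9XECPSUU4XN
      Status: NOT INSTALLED
      Last return code: CNLwxR-eWiAEJ-XaTEQg-j4rrYW-dSRz9j-37VpcP-imjuLD-mNeA4k-TXA

License Usage
======================
<output truncated>
"""

SHOW_LICENSE_STATUS = """\
<output truncated>
Trust Code Installed:
  Active: PID:C9800-CL-K9,SN:93BBAH93MGS
      INSTALLED on Nov 02 08:59:26 2020 IST
  Standby: PID:C9800-CL-K9,SN:9XECPSUU4XN
      INSTALLED on Nov 02 09:00:45 2020 IST
<output truncated>
"""

# Constructed negative case (assumed layout when no trust code is installed).
SHOW_LICENSE_STATUS_NONE = "Trust Code Installed: <none>\n"

UDI_RE = re.compile(r"^\s*(Active|Standby):\s*(PID:[^,]+,SN:\S+)\s*$")
STATUS_RE = re.compile(r"^\s*Status:\s*(.+?)\s*$")
RETURN_RE = re.compile(r"^\s*Last return code:\s*(\S+)\s*$")
INSTALLED_RE = re.compile(r"^\s*INSTALLED on (.+?)\s*$")


def _section(text, title):
    """Lines of the section headed by `title`, which is underlined with '====',
    up to (not including) the title of the next underlined section."""
    lines = text.splitlines()
    if title not in lines:
        return []
    start = lines.index(title) + 2          # skip the title and its underline
    body = []
    for i in range(start, len(lines)):
        if i + 1 < len(lines) and lines[i + 1].startswith("===="):
            break                           # lines[i] is the next section's title
        body.append(lines[i])
    return body


def parse_license_authorizations(text):
    """Map each role (Active/Standby) to its UDI, status and last return code."""
    result, current = {}, None
    for line in _section(text, "License Authorizations"):
        m = UDI_RE.match(line)
        if m:
            current = result.setdefault(m.group(1), {"udi": m.group(2)})
            continue
        if current is None:
            continue
        m = STATUS_RE.match(line)
        if m:
            current["status"] = m.group(1)
        m = RETURN_RE.match(line)
        if m:
            current["last_return_code"] = m.group(1)
    return result


def return_completed(auth):
    """True when every listed product instance shows a Last return code."""
    return bool(auth) and all("last_return_code" in e for e in auth.values())


def parse_trust_code_status(text):
    """Map each role to its UDI and 'INSTALLED on' timestamp from show license status."""
    lines = text.splitlines()
    headers = [i for i, l in enumerate(lines) if l.startswith("Trust Code Installed:")]
    if not headers:
        return {}
    result, current = {}, None
    for line in lines[headers[0] + 1:]:
        if line and not line[0].isspace():  # next top-level field: stop
            break
        m = UDI_RE.match(line)
        if m:
            current = result.setdefault(m.group(1), {"udi": m.group(2)})
            continue
        m = INSTALLED_RE.match(line)
        if m and current is not None:
            current["installed_on"] = m.group(1)
    return result


def trust_established(trust, roles=("Active", "Standby")):
    """True when every expected role reports an installed trust code."""
    return all("installed_on" in trust.get(role, {}) for role in roles)


if __name__ == "__main__":
    print(parse_license_authorizations(SHOW_LICENSE_ALL))
    print("return completed:", return_completed(parse_license_authorizations(SHOW_LICENSE_ALL)))
    print("trust established:", trust_established(parse_trust_code_status(SHOW_LICENSE_STATUS)))
```

For a standalone controller pass roles=("Active",) to trust_established; the default expects both members of an HA pair, which is the case the guide's output shows.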

Downloading a Policy File from CSSM
If you have requested a custom policy or if you want to apply a policy that is different from the default that is applied to the product instance, complete the following task:

Before you begin
Supported topologies:
· No Connectivity to CSSM and No CSLU
· CSLU Disconnected from CSSM

Procedure

Step 1
Log in to the CSSM Web UI at https://software.cisco.com and click Smart Software Licensing. Log in using the username and password provided by Cisco.

Step 2
Follow this directory path: Reports > Reporting Policy.

Step 3
Click Download, to save the .xml policy file. You can now install the file on the product instance. See Installing a File on the Product Instance, on page 142.

Uploading Data or Requests to CSSM and Downloading a File
You can use this task to:
· Upload a RUM report to CSSM and download an ACK.
· Upload a SLAC or SLR authorization code return request. This applies only to the No Connectivity to CSSM and No CSLU topology and is supported starting with Cisco IOS XE Cupertino 17.7.1.
To upload a RUM report to CSSM and download an ACK when the product instance is not connected to CSSM or CSLU, complete the following task:

Before you begin
Supported topologies:
· No Connectivity to CSSM and No CSLU
· CSLU Disconnected from CSSM
· SSM On-Prem Deployment (Product instance-initiated communication and SSM On-Prem-initiated communication)

Procedure

Step 1
Log in to the CSSM Web UI at https://software.cisco.com. Log in using the username and password provided by Cisco.

Step 2
Select the Smart Account (upper left-hand corner of the screen) that will receive the report.

Step 3
Select Smart Software Licensing > Reports > Usage Data Files.

Step 4
Click Upload Usage Data. Browse to the file location (RUM report in tar format), select, and click Upload Data. Upload a RUM report (.tar format), or a SLAC return request file (.txt format).
You cannot delete a usage report in CSSM, after it has been uploaded.

Step 5
From the Select Virtual Accounts pop-up, select the Virtual Account that will receive the uploaded file. The file is uploaded to Cisco and is listed in the Usage Data Files table in the Reports screen showing the File Name, the time it was Reported, which Virtual Account it was uploaded to, the Reporting Status, the Number of Product Instances reported, and the Acknowledgement status.

Step 6
In the Acknowledgement column, click Download to save the .txt ACK file for the report you uploaded.
Wait for the ACK to appear in the Acknowledgement column. If there are many RUM reports or requests to process, CSSM may take a few minutes.
Depending on the topology you have implemented, you can now install the file on the product instance, or transfer it to CSLU, or import it into SSM On-Prem.

Installing a File on the Product Instance
To install a SLAC, or policy, or ACK, on the product instance when the product instance is not connected to CSSM or CSLU, complete the following task:
Before you begin
Supported topologies: No Connectivity to CSSM and No CSLU
You must have the corresponding file saved in a location that is accessible to the product instance.
· For a policy, see Downloading a Policy File from CSSM, on page 141
· For an ACK, see Uploading Data or Requests to CSSM and Downloading a File, on page 141

Procedure

Step 1
enable
Example:
Device> enable
Purpose: Enables privileged EXEC mode. Enter your password, if prompted.

Step 2
copy source bootflash:file-name
Example:
Device# copy tftp://10.8.0.6/example.txt bootflash:
Purpose: Copies the file from its source location or directory to the flash memory of the product instance.
· source: This is the location of the source file or directory to be copied. The source can be either local or remote.
· bootflash:: This is the destination for boot flash memory.

Step 3
license smart import bootflash: file-name
Example:
Device# license smart import bootflash:example.txt
Purpose: Imports and installs the file on the product instance. After installation, a system message displays the type of file you just installed.

Step 4
show license all
Example:
Device# show license all
Purpose: Displays license authorization, policy and reporting information for the product instance.

Setting the Transport Type, URL, and Reporting Interval
To configure the mode of transport for a product instance, complete the following task:

Before you begin
Supported topologies: all

Procedure

Step 1
enable
Example:
Device> enable
Purpose: Enables privileged EXEC mode. Enter your password, if prompted.

Step 2
configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 3
license smart transport {automatic|callhome|cslu|off|smart}
Example:
Device(config)# license smart transport cslu
Purpose: Configures a mode of transport for the product instance to use. Choose from the following options:
· automatic: Sets the transport mode cslu.
· callhome: Enables Call Home as the transport mode.
· cslu: This is the default transport mode. Enter this keyword if you are using CSLU or SSM On-Prem, with product instance-initiated communication.
While the transport mode keyword is the same for CSLU and SSM On-Prem, the transport URLs are different. See license smart url cslu cslu_or_on-prem_url in the next step.
· off: Disables all communication from the product instance.
· smart: Enables Smart transport.

Step 4
license smart url {url | cslu cslu_or_on-prem_url | default | smart smart_url | utility smart_url}
Example:
Device(config)# license smart url cslu http://192.168.0.1:8182/cslu/v1/pi
Purpose: Sets a URL for the configured transport mode. Depending on the transport mode you've chosen in the previous step, configure the corresponding URL here:
· url: If you have configured the transport mode as callhome, configure this option. Enter the CSSM URL exactly as follows:
https://tools.cisco.com/its/service/oddce/services/DDCEService
The no license smart url url command reverts to the default URL.
· cslu cslu_or_on-prem_url: If you have configured the transport mode as cslu, configure this option with the URL for CSLU or SSM On-Prem, as applicable.
  · If you are using CSLU, enter the URL as follows:
  http://<cslu_ip_or_host>:8182/cslu/v1/pi
  For <cslu_ip_or_host>, enter the hostname or the IP address of the Windows host where you have installed CSLU. 8182 is the port number and it is the only port number that CSLU uses.
  The no license smart url cslu cslu_url command reverts to http://cslu-local:8182/cslu/v1/pi
  · If you are using SSM On-Prem, enter the URL as follows:
  http://<ip>/cslu/v1/pi/<tenant ID>
  For <ip>, enter the hostname or the IP address of the server where you have installed SSM On-Prem. The <tenantID> must be the default local virtual account ID.
  Tip: You can retrieve the entire URL from SSM On-Prem. See Retrieving the Transport URL (SSM On-Prem UI), on page 122.
  The no license smart url cslu cslu_url command reverts to http://cslu-local:8182/cslu/v1/pi
· default: Depends on the configured transport mode. Only the smart and cslu transport modes are supported with this option.
If the transport mode is set to cslu, and you configure license smart url default, the CSLU URL is configured automatically (https://cslu-local:8182/cslu/v1/pi).
If the transport mode is set to smart, and you configure license smart url default, the Smart URL is configured automatically (https://smartreceiver.cisco.com/licservice/license).
· smart smart_url: If you have configured the transport type as smart, configure this option. Enter the URL exactly as follows:
https://smartreceiver.cisco.com/licservice/license
When you configure this option, the system automatically creates a duplicate of the URL in license smart url url. You can ignore the duplicate entry; no further action is required.
The no license smart url smart smart_url command reverts to the default URL.
· utility smart_url: Although available on the CLI, this option is not supported.

Step 5
license smart usage interval interval_in_days
Example:
Device(config)# license smart usage interval 40
Purpose: (Optional) Sets the reporting interval in days. By default the RUM report is sent every 30 days. The valid value range is 1 to 3650.
If you do not configure an interval, the reporting interval is determined entirely by the policy value.

Step 6
exit
Example:
Device(config)# exit
Purpose: Exits global configuration mode and returns to privileged EXEC mode.

Step 7
copy running-config startup-config
Example:
Device# copy running-config startup-config
Purpose: Saves your entries in the configuration file.
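Step 4 of this procedure ties each transport mode to one URL shape: an exact https URL for smart and callhome, host:8182/cslu/v1/pi for CSLU (8182 being the only port CSLU uses), and host/cslu/v1/pi/<tenant ID> for SSM On-Prem. The Python below is an added example for this guide, not Cisco code or a Cisco tool: it derives the URL the guide prescribes for a given mode and checks a URL taken from a configuration against those rules, so a review can catch a Smart URL downgraded to plain http, a CSLU URL pointing at the wrong port, or an On-Prem URL missing its tenant ID before the product instance is cut over. The URLs are the ones printed in Step 4; the host names and tenant ID in the usage are constructed.

```python
# Added example (not Cisco code): derive and validate the transport URL that
# "Setting the Transport Type, URL, and Reporting Interval" pairs with each
# license smart transport mode.
from urllib.parse import urlparse

SMART_URL = "https://smartreceiver.cisco.com/licservice/license"
CALLHOME_URL = "https://tools.cisco.com/its/service/oddce/services/DDCEService"
CSLU_DEFAULT_URL = "http://cslu-local:8182/cslu/v1/pi"
CSLU_PORT = 8182                      # the only port CSLU uses
CSLU_PATH = ["cslu", "v1", "pi"]      # path shared by CSLU and SSM On-Prem


def expected_url(mode, host=None, tenant_id=None):
    """URL the guide prescribes for `mode`.
    For cslu: host only -> CSLU on that host; host and tenant_id -> SSM On-Prem;
    neither -> the default the no form of the command reverts to."""
    if mode == "smart":
        return SMART_URL
    if mode == "callhome":
        return CALLHOME_URL
    if mode in ("cslu", "automatic"):     # automatic selects the cslu transport
        if host and tenant_id:
            return f"http://{host}/cslu/v1/pi/{tenant_id}"
        if host:
            return f"http://{host}:{CSLU_PORT}/cslu/v1/pi"
        return CSLU_DEFAULT_URL
    raise ValueError(f"no transport URL applies to mode {mode!r}")


def validate_url(mode, url):
    """Problems with `url` for `mode`; an empty list means it matches the guide."""
    problems = []
    if mode in ("smart", "callhome"):
        if url != expected_url(mode):     # exact match, scheme included
            problems.append(f"{mode} transport requires exactly {expected_url(mode)}")
        return problems
    if mode == "off":
        return ["transport is off: the product instance sends nothing, so no URL applies"]
    if mode not in ("cslu", "automatic"):
        return [f"unknown transport mode {mode!r}"]
    parsed = urlparse(url)
    if not parsed.hostname:
        return ["URL has no host"]
    parts = [p for p in parsed.path.split("/") if p]
    if parts[:3] != CSLU_PATH:
        problems.append("path must begin with /cslu/v1/pi")
    elif len(parts) == 3 and parsed.port != CSLU_PORT:      # CSLU form
        problems.append(f"CSLU uses port {CSLU_PORT} only")
    elif len(parts) > 4:                                      # On-Prem form has one tenant ID
        problems.append("unexpected path: use /cslu/v1/pi (CSLU) or "
                        "/cslu/v1/pi/<tenant ID> (SSM On-Prem)")
    return problems


if __name__ == "__main__":
    # Constructed hosts and tenant ID for illustration.
    print(expected_url("cslu", host="192.168.0.1"))
    print(expected_url("cslu", host="10.0.0.5", tenant_id="default-tenant"))
    for mode, url in [("cslu", "http://192.168.0.1:8080/cslu/v1/pi"),
                      ("smart", "http://smartreceiver.cisco.com/licservice/license")]:
        print(mode, url, validate_url(mode, url))
```

The check for cslu mode deliberately does not insist on a scheme, because Step 4 itself shows http for the configured URL and https for the one license smart url default installs; everything else it enforces is stated in that step.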

Configuring an AIR License
In the Smart Licensing Using Policy environment, you can use this task to configure a license, or change the license being used on the product instance, or configure an add-on license on the product instance. For example, if you are currently using AIR Network Advantage and you also want to use features available with a corresponding Digital Networking Architecture (DNA) Advantage license, you can configure the same using this task. Or for example, if you do not want to use an add-on license any more, reconfigure this command to use only the AIR Network Advantage license.
Information about available licenses can be found in your Smart Account or Virtual Account. The available licenses may be one of the following:
· AIR Network Essential
· AIR Network Advantage
· AIR DNA Essential
· AIR DNA Advantage
To configure or change the license in-use, follow this procedure:

Before you begin
Supported topologies: all

Procedure

Step 1
enable
Example:
Device> enable
Purpose: Enables the privileged EXEC mode. Enter your password, if prompted.

Step 2
configure terminal
Example:
Device# configure terminal
Purpose: Enters the global configuration mode.

Step 3
license air level {air-network-advantage [addon air-dna-advantage] | air-network-essentials [addon air-dna-essentials]}
Example:
Device(config)# license air level air-network-essentials addon air-dna-essentials
Purpose: Activates the configured license on the product instance. In the accompanying example, the product instance activates the AIR DNA Essentials (along with the AIR Network Essential) license after reload.

Step 4
exit
Example:
Device(config)# exit
Purpose: Returns to the privileged EXEC mode.

Step 5
copy running-config startup-config
Example:
Device# copy running-config startup-config
Purpose: Saves configuration changes.

Step 6
reload
Example:
Device# reload
Purpose: Reloads the device.

Step 7
show version
Example:
Device# show version
Cisco IOS XE Software, Version 17.03.02
Cisco IOS Software [Amsterdam], C9800-CL Software (C9800-CL-K9_IOSXE), Version 17.3.2, RELEASE SOFTWARE
<output truncated>
AIR License Level: AIR DNA Essentials
Next reload AIR license Level: AIR DNA Essentials

Smart Licensing Status: Registration Not Applicable/Not Applicable
<output truncated>
Purpose: Displays the currently used license and the license that is effective at the next reload.

What to do next
After you configure a license level, the change is effective after a reload. To know if reporting is required, refer to the output of the show license status privileged EXEC command and check the Next ACK deadline: and Next report push: fields.

Note The change in license usage is recorded on the product instance. The next steps relating to reporting, if required, depend on your current topology.
· Connected to CSSM Through CSLU
  · Product instance-initiated communication: The product instance triggers reporting and installs the returning ACK. CSLU sends the RUM report to CSSM and collects the ACK from CSSM.
  · CSLU-initiated communication: You have to collect usage from the CSLU interface: Collecting Usage Reports: CSLU Initiated (CSLU Interface), on page 112. CSLU sends the RUM report to CSSM and collects the ACK from CSSM.
· Connected Directly to CSSM: The product instance triggers reporting and installs the returning ACK.
· CSLU Disconnected from CSSM
  · Product instance-initiated communication: The product instance triggers reporting. You then have to report usage in the disconnected mode: Export to CSSM (CSLU Interface), on page 113 > Uploading Data or Requests to CSSM and Downloading a File, on page 141 > Import from CSSM (CSLU Interface), on page 114.
  · CSLU-initiated communication: You have to collect usage from the CSLU interface and report usage in the disconnected mode: Collecting Usage Reports: CSLU Initiated (CSLU Interface), on page 112 > Export to CSSM (CSLU Interface), on page 113 > Uploading Data or Requests to CSSM and Downloading a File, on page 141 > Import from CSSM (CSLU Interface), on page 114.
· No Connectivity to CSSM and No CSLU: License usage is recorded on the product instance. You must save RUM reports to a file on the product instance and, from a workstation that has connectivity to the internet and Cisco, upload it to CSSM: Enter the license smart save usage privileged EXEC command to save usage > Uploading Data or Requests to CSSM and Downloading a File, on page 141 > Installing a File on the Product Instance, on page 142.
Sample Resource Utilization Measurement Report
The following is a sample Resource Utilization Measurement (RUM) report, in XML format (See RUM Report and Report Acknowledgement, on page 59). Several such reports may be concatenated to form one report.
<?xml version="1.0" encoding="UTF-8"?> <smartLicense>
<RUMReport><![CDATA[{"payload":"{"aset_identification":{"aset":{"name":"regid.2018-05.com.cisco.WLC_950C,1.0_856585-b865-4e32-8184-510412fcb54"},"instance":{"sudi":{"udi_pid":"C980-CL-K9","udi_serial_number":"93BAH93MGS"},"signature":{"signing_type":"builtin","key":"regid.2018-05.com.cisco.WLC_950C,1.0_856585-b865-4e32-8184-510412fcb54","value":"PLfaPAeqEAqPN6vG0FxTNnBSKNy+7gqtJ6wQWdb5NcM="},"meta":{"entitlement_tag":"regid.2018-06.com.cisco.DNA_NWStack,1.0_e724e71-3ad5-4608-8bf0-d12f67c80896","report_id":160424086,"ha_udi":[{"role":"Active","sudi":{"udi_pid":"C980-CL-K9","udi_serial_number":"93BAH93MGS"},{"role":"Standby","sudi":{"udi_pid":"C980-CL-K9","udi_serial_number":"9XECPSU4XN"}]},"measurements":[{"log_time":1604270528,"metric_name":"ENTITLEMENT","start_time":1604270198,"end_time":1604270858,"sample_interval":60,"num_samples":2,"meta":{"aded_sudi_list":[{"udi_pid":"C9130AXE-B","udi_serial_number":"986745231140K001"}],"removed_sudi_list":[]},"value":{"type":"COUNT","value":"1"}]></RUMReport>
</smartLicense>
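To see what a RUM report actually asserts about a product instance (which UDI, which entitlement tag, how many units, which access-point SUDIs were added), it helps to parse one. The following Python is an added example, not Cisco code: it takes a <smartLicense> file containing one or more concatenated <RUMReport> elements, decodes the CDATA JSON and the JSON string nested in its payload field, and summarises each report. The sample is constructed with the field names from the sample above; the UDIs, entitlement tag and signature value are made up, and placing signature alongside payload is an assumption about the layout. The structural checks do not verify the signature itself, which needs the Cisco signing key.

```python
"""Parse a Smart Licensing Using Policy RUM report file and summarise each report.

Added example, not Cisco code. SAMPLE_XML is constructed with the field names
from the guide's sample (asset_identification, sudi, entitlement_tag,
measurements, added_sudi_list); UDIs, tags and the signature value are made up,
and placing "signature" beside "payload" is an assumption about the layout.
"""
import json
import xml.etree.ElementTree as ET
from typing import Dict, List

ASSET_NAME = "regid.2018-05.com.cisco.WLC_EXAMPLE,1.0_00000000-0000-0000-0000-000000000000"
ENTITLEMENT = "regid.2018-06.com.cisco.DNA_NWStack,1.0_EXAMPLE"  # made-up tag


def _make_report(report_id: int, serial: str, entitlement: str, count: int,
                 added: List[str], key: str = ASSET_NAME) -> str:
    """Build one RUMReport body: outer JSON whose 'payload' is itself a JSON string."""
    payload = {
        "asset_identification": {
            "asset": {"name": ASSET_NAME},
            "instance": {"sudi": {"udi_pid": "C9800-CL-K9", "udi_serial_number": serial}},
        },
        "meta": {"entitlement_tag": entitlement, "report_id": report_id},
        "measurements": [{
            "log_time": 1604270528, "metric_name": "ENTITLEMENT",
            "start_time": 1604270198, "end_time": 1604270858,
            "sample_interval": 60, "num_samples": 2,
            "meta": {
                "added_sudi_list": [{"udi_pid": "C9130AXE-B", "udi_serial_number": s} for s in added],
                "removed_sudi_list": [],
            },
            "value": {"type": "COUNT", "value": str(count)},
        }],
    }
    outer = {"payload": json.dumps(payload),
             "signature": {"signing_type": "builtin", "key": key,
                           "value": "c2lnbmF0dXJlLXBsYWNlaG9sZGVy"}}  # placeholder, not a real signature
    return json.dumps(outer)


# Constructed sample: two concatenated reports, as the guide says may occur.
_REPORTS = [
    _make_report(1001, "SERIAL0001A", ENTITLEMENT, 1, ["AP0000000001"]),
    _make_report(1002, "SERIAL0001A", ENTITLEMENT, 3, ["AP0000000002", "AP0000000003"]),
]
SAMPLE_XML = ('<?xml version="1.0" encoding="UTF-8"?>\n<smartLicense>\n'
              + "".join(f"<RUMReport><![CDATA[{r}]]></RUMReport>\n" for r in _REPORTS)
              + "</smartLicense>\n")


def parse_rum_reports(xml_text: str) -> List[Dict]:
    """Return one summary dict per <RUMReport>, in document order."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "smartLicense":
        raise ValueError(f"unexpected root element {root.tag!r}")
    summaries = []
    for node in root.findall("RUMReport"):
        outer = json.loads(node.text or "")
        payload = json.loads(outer["payload"])  # payload is JSON encoded as a string
        sudi = payload["asset_identification"]["instance"]["sudi"]
        sig = outer.get("signature") or {}
        measurements = payload["measurements"]
        summaries.append({
            "report_id": payload["meta"]["report_id"],
            "udi": f'{sudi["udi_pid"]}:{sudi["udi_serial_number"]}',
            "asset_name": payload["asset_identification"]["asset"]["name"],
            "entitlement_tag": payload["meta"]["entitlement_tag"],
            "count": sum(int(m["value"]["value"]) for m in measurements
                         if m["value"]["type"] == "COUNT"),
            "added": [s["udi_serial_number"] for m in measurements
                      for s in m["meta"].get("added_sudi_list", [])],
            "removed": [s["udi_serial_number"] for m in measurements
                        for s in m["meta"].get("removed_sudi_list", [])],
            "windows": [(m["start_time"], m["end_time"]) for m in measurements],
            "signature_key": sig.get("key"),
            "signed": bool(sig.get("value")),
        })
    return summaries


def check_report(summary: Dict) -> List[str]:
    """Structural checks only; the signature value can only be verified with Cisco's key."""
    problems = []
    if not summary["signed"]:
        problems.append("report carries no signature")
    if summary["signature_key"] != summary["asset_name"]:
        problems.append("signature key does not match the asset name")
    if any(end < start for start, end in summary["windows"]):
        problems.append("a measurement window ends before it starts")
    return problems


if __name__ == "__main__":
    for summary in parse_rum_reports(SAMPLE_XML):
        print(summary["report_id"], summary["udi"], summary["entitlement_tag"],
              "count", summary["count"], "added", summary["added"], check_report(summary))
```

The same loop works on a file saved with license smart save usage once it is read from disk; the point of the summary is to compare what the product instance reported (count, added and removed SUDIs, entitlement tag) with what the inventory and the Virtual Account show.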
Troubleshooting Smart Licensing Using Policy
This section provides the list of Smart Licensing Using Policy-related system messages you may encounter, possible reasons for failure, and recommended action.
System Message Overview
The system software sends system messages to the console (and, optionally, to a logging server on another system). Not all system messages mean problems with your system. Some messages are informational, and others can help diagnose problems with communications lines, internal hardware, or the system software.
How to Read System Messages
System log messages can contain up to 80 characters. Each system message begins with a percent sign (%) and is structured as follows:

%FACILITY-SEVERITY-MNEMONIC: Message-text

FACILITY
Two or more uppercase letters that show the facility to which the message refers. A facility can be a hardware device, a protocol, or a module of the system software.
SEVERITY
A single-digit code from 0 to 7 that reflects the severity of the condition. The lower the number, the more serious the situation.

Table 10: Message Severity Levels
Severity Level       Description
0 - emergency        System is unusable.
1 - alert            Immediate action required.
2 - critical         Critical condition.
3 - error            Error condition.
4 - warning          Warning condition.
5 - notification     Normal but significant condition.
6 - informational    Informational message only.
7 - debugging        Message that appears during debugging only.

MNEMONIC
A code that uniquely identifies the message.
Message-text
Message-text is a text string describing the condition. This portion of the message sometimes contains detailed information about the event, including terminal port numbers, network addresses, or addresses that correspond to locations in the system memory address space. Because the information in these variable fields changes from message to message, it is represented here by short strings enclosed in square brackets ([ ]). A decimal number, for example, is represented as [dec].

Table 11: Variable Fields in Messages
Representation    Description
[char]            Single character
[chars]           Character string
[dec]             Decimal number
[enet]            Ethernet address (for example, 0000.FEED.00C0)
[hex]             Hexadecimal number
[inet]            Internet address (for example, 10.0.2.16)
[int]             Integer
[node]            Address or node name
[t-line]          Terminal line number in octal (or in decimal if the decimal-TTY service is enabled)
[clock]           Clock (for example, 01:20:08 UTC Tue Mar 2 1993)
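The message format above (facility, severity, mnemonic, message text) can be parsed mechanically, which is how a logging server separates the informational messages from the ones that need action. The following Python is an added example, not part of the Cisco guide: it parses lines in that format, then walks a constructed log excerpt built from the SMART_LIC message templates documented later in this section and works out what still needs attention. The timestamps, the CSLU wording in the message text and the %SYS-5-CONFIG_I line are made up.

```python
"""Parse Cisco IOS XE system messages (%FACILITY-SEVERITY-MNEMONIC: text) and
triage the SMART_LIC ones.

Added example, not from the Cisco guide. SAMPLE_LOG is constructed from the
message formats listed in the guide; timestamps and the CONFIG_I line are made up.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SEVERITY_NAMES = {
    0: "emergency", 1: "alert", 2: "critical", 3: "error",
    4: "warning", 5: "notification", 6: "informational", 7: "debugging",
}

# The %-message may be preceded by a sequence number and a timestamp.
MSG_RE = re.compile(
    r"%(?P<facility>[A-Z][A-Z0-9_]*)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)
DAYS_RE = re.compile(r"required in (\d+) days")
TRANSPORT_RE = re.compile(r"Communications failure with the (.+?) :")


@dataclass
class SysMessage:
    facility: str
    severity: int
    mnemonic: str
    text: str

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]


def parse_message(line: str) -> Optional[SysMessage]:
    """Return the parsed message, or None when the line carries no %-message."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    return SysMessage(m["facility"], int(m["severity"]), m["mnemonic"], m["text"].strip())


def triage_smart_lic(lines: List[str], warn_days: int = 30) -> Dict:
    """Walk a log capture in order and summarise the SMART_LIC state it leaves behind."""
    comm_failures = 0      # every failed attempt logs its own COMM_FAILED
    comm_down = False      # True while the last transport event was a failure
    transports = set()
    reporting_days = None  # [dec] from the most recent REPORTING_REQUIRED
    needs_action = set()
    for line in lines:
        msg = parse_message(line)
        if msg is None or msg.facility != "SMART_LIC":
            continue
        if msg.mnemonic == "COMM_FAILED":
            comm_failures += 1
            comm_down = True
            needs_action.add(msg.mnemonic)
            m = TRANSPORT_RE.match(msg.text)
            if m:
                transports.add(m.group(1))
        elif msg.mnemonic == "COMM_RESTORED":
            comm_down = False
            needs_action.discard("COMM_FAILED")   # no action once communication is back
        elif msg.mnemonic == "REPORTING_REQUIRED":
            m = DAYS_RE.search(msg.text)
            if m:
                reporting_days = int(m.group(1))
                if reporting_days <= warn_days:
                    needs_action.add(msg.mnemonic)
        elif msg.severity <= 4:
            # the remaining error (3) and warning (4) messages all carry a recommended action
            needs_action.add(msg.mnemonic)
    return {
        "comm_failures": comm_failures,
        "comm_down": comm_down,
        "transports": sorted(transports),
        "reporting_days": reporting_days,
        "needs_action": sorted(needs_action),
    }


# Constructed log excerpt; not captured from a real controller.
SAMPLE_LOG = """\
*Mar  2 01:20:08.123: %SMART_LIC-3-COMM_FAILED: Communications failure with the Cisco Smart License Utility (CSLU) : No detailed information given
*Mar  2 01:35:08.456: %SMART_LIC-3-COMM_FAILED: Communications failure with the Cisco Smart License Utility (CSLU) : No detailed information given
*Mar  2 02:10:15.001: %SMART_LIC-3-COMM_RESTORED: Communications with the Cisco Smart License Utility (CSLU) restored.
*Mar  2 02:10:20.002: %SMART_LIC-6-POLICY_INSTALL_SUCCESS: A new licensing policy was successfully installed.
*Mar  3 00:00:01.000: %SMART_LIC-6-REPORTING_REQUIRED: A Usage report acknowledgement will be required in 12 days.
*Mar  3 00:00:02.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.10)
"""

if __name__ == "__main__":
    for entry in SAMPLE_LOG.splitlines():
        parsed = parse_message(entry)
        if parsed:
            print(f"{parsed.facility} {parsed.severity_name:<13} {parsed.mnemonic}")
    print(triage_smart_lic(SAMPLE_LOG.splitlines()))
```

Order matters in the triage: two COMM_FAILED messages followed by COMM_RESTORED leave nothing to do on the transport, whereas the same two failures with no restore mean the product instance is still unable to report. The reporting deadline is taken from the newest REPORTING_REQUIRED message, which is the one that counts.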

System Messages
This section provides the list of Smart Licensing Using Policy-related system messages you may encounter, possible reasons for failure (in case it is a failure message), and recommended action (if action is required). For all error messages, if you are not able to solve the problem, contact your Cisco technical support representative with the following information: the message, exactly as it appears on the console or in the system log, and the output from the show license tech support, show license history message, and show platform software sl-infra privileged EXEC commands.
· %SMART_LIC-3-POLICY_INSTALL_FAILED
· %SMART_LIC-3-AUTHORIZATION_INSTALL_FAILED
· %SMART_LIC-3-COMM_FAILED
· %SMART_LIC-3-COMM_RESTORED
· %SMART_LIC-3-POLICY_REMOVED
· %SMART_LIC-3-TRUST_CODE_INSTALL_FAILED
· %SMART_LIC-4-REPORTING_NOT_SUPPORTED
· %SMART_LIC-6-POLICY_INSTALL_SUCCESS
· %SMART_LIC-6-AUTHORIZATION_INSTALL_SUCCESS
· %SMART_LIC-6-AUTHORIZATION_REMOVED
· %SMART_LIC-6-REPORTING_REQUIRED
· %SMART_LIC-6-TRUST_CODE_INSTALL_SUCCESS
Error Message %SMART_LIC-3-POLICY_INSTALL_FAILED: The installation of a new licensing policy has failed: [chars].
Explanation: A policy was installed, but an error was detected while parsing the policy code, and installation failed. [chars] is the error string with details of the failure. Possible reasons for failure include:
· A signature mismatch: This means that the system clock is not accurate.
· A timestamp mismatch: This means the system clock on the product instance is not synchronized with CSSM.
Note The device should have a valid clock and the NTP configuration.
Recommended Action: For both possible failure reasons, ensure that the system clock is accurate and synchronized with CSSM. Configure the ntp server command in global configuration mode. For example:
Device(config)# ntp server 198.51.100.100 version 2 prefer
If the above does not work and policy installation still fails, contact your Cisco technical support representative.
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Error Message %SMART_LIC-3-AUTHORIZATION_INSTALL_FAILED: The install of a new licensing authorization code has failed on [chars]: [chars].
This message is not applicable to Cisco Catalyst Access, Core, and Aggregation Switches, because there are no enforced or export-controlled licenses on these product instances.
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Error Message %SMART_LIC-3-COMM_FAILED: Communications failure with the [chars] : [chars]
Explanation: Smart Licensing communication with CSSM, CSLU, or SSM On-Prem failed. The first [chars] is the currently configured transport type, and the second [chars] is the error string with details of the failure. This message appears for every communication attempt that fails. Possible reasons for failure include:
· CSSM, CSLU, or SSM On-Prem is not reachable: This means that there is a network reachability problem.
· 404 host not found: This means the CSSM server is down.
For topologies where the product instance initiates the sending of RUM reports (Connected to CSSM Through CSLU: Product Instance-Initiated Communication, Connected Directly to CSSM, CSLU Disconnected from CSSM: Product Instance-Initiated Communication, and SSM On-Prem Deployment: Product Instance-Initiated Communication), if this communication failure message coincides with scheduled reporting (license smart usage interval interval_in_days global configuration command), the product instance attempts to send out the RUM report for up to four hours after the scheduled time has expired. If it is still unable to send out the report (because the communication failure persists), the system resets the interval to 15 minutes. Once the communication failure is resolved, the system reverts the reporting interval to the last configured value.
Recommended Action:
Troubleshooting steps are provided for when CSSM is not reachable or there is a missing client certificate, when CSLU is not reachable, and when SSM On-Prem is not reachable.
· If CSSM is not reachable and the configured transport type is smart:
1. Check if the smart URL is configured correctly. Use the show license status command in privileged EXEC mode to check if the URL is exactly as follows: https://smartreceiver.cisco.com/licservice/license. If it is not, reconfigure it with the license smart url smart smart_URL command in global configuration mode.
2. Check DNS resolution. Verify that the product instance can ping smartreceiver.cisco.com, or the IP address that nslookup resolves it to. The following example shows how to ping the resolved IP address:
Device# ping 171.70.168.183
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 171.70.168.183, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
· If CSSM is not reachable and the configured transport type is callhome:
1. Check if the URL is entered correctly. Use the show license status command in privileged EXEC mode to check if the URL is exactly as follows: https://tools.cisco.com/its/service/oddce/services/DDCEService.
2. Check if the Call Home profile CiscoTAC-1 is active and the destination URL is correct. Use the show call-home profile all command in privileged EXEC mode:
Current smart-licensing transport settings:
  Smart-license messages: enabled
  Profile: CiscoTAC-1 (status: ACTIVE)
  Destination URL(s): https://tools.cisco.com/its/service/oddce/services/DDCEService
3. Check DNS resolution. Verify that the product instance can ping tools.cisco.com, or the IP address that nslookup resolves it to.
Device# ping tools.cisco.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 173.37.145.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 41/41/42 ms
If the above does not work, check that the IP network of the product instance is up. To bring the interface up, configure the no shutdown command in interface configuration mode.
Check that the interface has an IP address with the correct subnet mask, and that the DNS server IP address is configured.
4. Verify that the HTTPS client source interface is correct.
Use the show ip http client command in privileged EXEC mode to display the current configuration. Use the ip http client source-interface command in global configuration mode to reconfigure it.
In case the above does not work, double-check your routing rules, and firewall settings.
· If CSLU is not reachable:
1. Check if CSLU discovery works.
· Zero-touch DNS discovery of cslu-local or DNS discovery of your domain.
In the show license all command output, check the Last ACK received: field. If this has a recent timestamp, it means that the product instance has connectivity with CSLU. If it does not, proceed with the following checks:
Check if the product instance is able to ping cslu-local. A successful ping confirms that the CSLU host is reachable from the product instance.
If the above does not work, configure the name server with an entry where the hostname cslu-local is mapped to the CSLU IP address (the Windows host where you installed CSLU). Configure the ip domain name domain-name and ip name-server server-address commands in global configuration mode. In this example the domain is example.com and the name server is 192.168.0.1; the name server must resolve cslu-local.example.com to the CSLU host:
Device(config)# ip domain name example.com
Device(config)# ip name-server 192.168.0.1
· CSLU URL is configured.
In the show license all command output, under the Transport: header, check the following: Type: must be cslu and Cslu address: must have the hostname or the IP address of the Windows host where you have installed CSLU. Check if the rest of the address is configured as shown below and check if the port number is 8182.
Transport:
  Type: cslu
  Cslu address: http://192.168.0.1:8182/cslu/v1/pi
If it is not, configure the license smart transport cslu and license smart url cslu http://<cslu_ip_or_host>:8182/cslu/v1/pi commands in global configuration mode.
2. For CSLU-initiated communication, in addition to the CSLU discovery checks listed above, check the following:
Verify HTTP connectivity. Use the show ip http server session-module command in privileged EXEC mode. In the output, under the header HTTP server current connections:, check that SL_HTTP is active. If it is not, reconfigure the ip http commands as mentioned in Ensuring Network Reachability for CSLU-Initiated Communication, on page 114.
From a Web browser on the device where CSLU is installed, verify https://<product-instance-ip>/. This ensures that the REST API from CSLU to the product instance works as expected.
· If SSM On-Prem is not reachable:
1. For product instance-initiated communication, check if the SSM On-Prem transport type and URL are configured correctly.
In the show license all command output, under the Transport: header, check the following: Type: must be cslu and Cslu address: must have the hostname or the IP address of the server where you have installed SSM On-Prem and the <tenantID> of the default local virtual account. See the example below:
Transport:
  Type: cslu
  Cslu address: https://192.168.0.1/cslu/v1/pi/on-prem-default
Check if you have the correct URL from SSM On-Prem (Retrieving the Transport URL (SSM On-Prem UI), on page 122) and then configure the license smart transport cslu and license smart url cslu http://<ip>/cslu/v1/pi/<tenant ID> commands in global configuration mode.
Check that you have configured any other required commands for your network as mentioned in Ensuring Network Reachability for Product Instance-Initiated Communication, on page 119.
2. For SSM On-Prem-initiated communication, check HTTPs connectivity.
Use the show ip http server session-module command in privileged EXEC mode. In the output, under the header HTTP server current connections:, check that SL_HTTP is active. If it is not, reconfigure the ip http commands as mentioned in Ensuring Network Reachability for SSM On-Prem-Initiated Communication, on page 124.
3. Check the trustpoint and that certificates are accepted.
For both forms of communication in an SSM On-Prem deployment, ensure that the correct trustpoint is used and that the necessary certificates are accepted:
Device(config)# crypto pki trustpoint SLA-TrustPoint
Device(ca-trustpoint)# enrollment terminal
Device(ca-trustpoint)# revocation-check none
Device(ca-trustpoint)# end
Device# copy running-config startup-config
Note that revocation-check none disables CRL and OCSP revocation checking for certificates validated through this trustpoint, so a revoked SSM On-Prem certificate would still be accepted; keep the trustpoint limited to this purpose.
If the above does not work and communication still fails, contact your Cisco technical support representative.
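The URL and port checks above can be applied to captured show output rather than by eye. The following Python is an added example, not Cisco code: it pulls the key/value lines under the Transport: header of show license all or show license status and compares them with the values this section expects for the smart, callhome, cslu and SSM On-Prem cases. The show output strings are constructed; the Transport: block layout follows the snippets in this section, and the URL: key used for the smart and callhome types is an assumption about the show output.

```python
"""Check the Smart Licensing transport settings a product instance reports
against the URLs the guide expects for each transport type.

Added example, not Cisco code. The SHOW_* strings are constructed: the
'Transport:' block layout follows the guide's snippets; the 'URL:' key used for
the smart and callhome types is an assumption about the show output.
"""
from typing import Dict, List
from urllib.parse import urlparse

EXPECTED_FIXED_URL = {
    "smart": "https://smartreceiver.cisco.com/licservice/license",
    "callhome": "https://tools.cisco.com/its/service/oddce/services/DDCEService",
}
CSLU_PATH = "/cslu/v1/pi"   # CSLU; SSM On-Prem appends /<tenantID>
CSLU_PORT = 8182            # port the guide expects for a CSLU host


def parse_transport(show_output: str) -> Dict[str, str]:
    """Collect 'key: value' lines indented under the 'Transport:' header."""
    fields: Dict[str, str] = {}
    in_block = False
    for raw in show_output.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip())
        if raw.strip() == "Transport:":
            in_block = True
            continue
        if not in_block:
            continue
        if indent == 0:          # next top-level header ends the block
            break
        key, sep, value = raw.strip().partition(":")
        if sep and value.strip():
            fields[key.strip().lower()] = value.strip()
    return fields


def check_transport(fields: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the settings match the guide."""
    findings: List[str] = []
    ttype = fields.get("type", "").lower()
    url = fields.get("cslu address") or fields.get("url") or ""
    if ttype in EXPECTED_FIXED_URL:
        if url != EXPECTED_FIXED_URL[ttype]:
            findings.append(f"{ttype}: URL is {url!r}, expected {EXPECTED_FIXED_URL[ttype]!r}")
        return findings
    if ttype != "cslu":
        findings.append(f"unrecognised transport type {ttype!r}")
        return findings
    u = urlparse(url)
    if u.scheme not in ("http", "https") or not u.hostname:
        findings.append(f"cslu: address {url!r} is not an http(s) URL with a host")
        return findings
    if u.path == CSLU_PATH:
        # CSLU on a Windows host: the guide expects port 8182 in the address
        if u.port != CSLU_PORT:
            findings.append(f"cslu: port is {u.port}, expected {CSLU_PORT}")
    elif not (u.path.startswith(CSLU_PATH + "/") and u.path.rstrip("/") != CSLU_PATH):
        # otherwise only the SSM On-Prem form /cslu/v1/pi/<tenantID> is valid
        findings.append(f"cslu: path {u.path!r} must be {CSLU_PATH} (CSLU) "
                        f"or {CSLU_PATH}/<tenantID> (SSM On-Prem)")
    return findings


# Constructed show output, modelled on the snippets in the guide.
SHOW_CSLU_OK = """Transport:
  Type: cslu
  Cslu address: http://192.168.0.1:8182/cslu/v1/pi
  Proxy:
    Not Configured
Policy:
  Policy in use: Merged from multiple sources.
"""
SHOW_CSLU_BAD = SHOW_CSLU_OK.replace("http://192.168.0.1:8182/cslu/v1/pi",
                                     "http://192.168.0.1/cslu/v1/p")
SHOW_ONPREM_OK = SHOW_CSLU_OK.replace("http://192.168.0.1:8182/cslu/v1/pi",
                                      "https://192.168.0.1/cslu/v1/pi/on-prem-default")
SHOW_SMART_BAD = """Transport:
  Type: Smart
  URL: https://smartreceiver.cisco.com/licservice/licence
Policy:
  Policy in use: Installed On Nov 04 03:33:18 2020 UTC
"""

if __name__ == "__main__":
    for name, output in [("cslu ok", SHOW_CSLU_OK), ("cslu bad", SHOW_CSLU_BAD),
                         ("on-prem ok", SHOW_ONPREM_OK), ("smart bad", SHOW_SMART_BAD)]:
        print(name, check_transport(parse_transport(output)) or "OK")
```

A finding from check_transport points at the license smart url command to re-enter; an empty result means the failure is elsewhere (DNS, routing, the SL_HTTP session module, or the trustpoint), which is where the remaining steps in this section go.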
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Error Message %SMART_LIC-3-COMM_RESTORED: Communications with the [chars] restored.
Explanation: [chars] depends on the transport type: Cisco Smart Software Manager (CSSM), Cisco Smart License Utility (CSLU), or SSM On-Prem. Product instance communication with CSSM, CSLU, or SSM On-Prem has been restored.
Recommended Action: No action required.
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Error Message %SMART_LIC-3-POLICY_REMOVED: The licensing policy has been removed.
Explanation: A previously installed custom licensing policy has been removed. The Cisco default policy is then automatically effective. This may cause a change in the behavior of smart licensing.
Possible reasons for failure include:
· You have entered the license smart factory reset command in privileged EXEC mode, which removes all licensing information, including the policy.
Recommended Action:
If the policy was removed intentionally, then no further action is required.
If the policy was removed inadvertently, you can reapply the policy. Depending on the topology you have implemented, follow the corresponding method to retrieve the policy:
· Connected Directly to CSSM:
Enter show license status, and check field Trust Code Installed:. If trust is established, then CSSM will automatically return the policy again. The policy is automatically re-installed on product instances of the corresponding Virtual Account.
If trust has not been established, complete these tasks: Generating a New Token for a Trust Code from CSSM, on page 139 and Installing a Trust Code, on page 139. When you have completed these tasks, CSSM will automatically return the policy again. The policy is then automatically installed on all product instances of that Virtual Account.
· Connected to CSSM Through CSLU:
· For product instance-initiated communication, enter the license smart sync command in privileged EXEC mode. The synchronization request causes CSLU to push the missing information (a policy or authorization code) to the product instance.
· For CSLU-initiated communication, complete this task: Collecting Usage Reports: CSLU Initiated (CSLU Interface), on page 112. This causes CSLU to detect and re-furnish the missing policy in an ACK response.
· CSLU Disconnected from CSSM:
· For product instance-initiated communication, enter the license smart sync command in privileged EXEC mode. The synchronization request causes CSLU to push the missing information (a policy or authorization code) to the product instance. Then complete these tasks in the given order: Export to CSSM (CSLU Interface), on page 113 > Uploading Data or Requests to CSSM and Downloading a File, on page 141 > Import from CSSM (CSLU Interface), on page 114.
· For CSLU-initiated communication, complete this task: Collecting Usage Reports: CSLU Initiated (CSLU Interface), on page 112. This causes CSLU to detect and re-furnish the missing policy in an ACK response. Then complete these tasks in the given order: Export to CSSM (CSLU Interface), on page 113 > Uploading Data or Requests to CSSM and Downloading a File, on page 141 > Import from CSSM (CSLU Interface), on page 114.
· No Connectivity to CSSM and No CSLU
If you are in an entirely air-gapped network, from a workstation that has connectivity to the internet and CSSM complete this task: Downloading a Policy File from CSSM, on page 141.
Then complete this task on the product instance: Installing a File on the Product Instance, on page 142.
· SSM On-Prem Deployment
· For product instance-initiated communication, enter the license smart sync command in privileged EXEC mode. This causes the product instance to synchronize with SSM On-Prem and restore any required or missing information. Then synchronize SSM On-Prem with CSSM if required.
· For SSM On-Prem-initiated communication: In the SSM On-Prem UI, navigate to Reports > Synchronisation pull schedule with the devices > Synchronise now with the device.
For both forms of communication in an SSM On-Prem deployment, synchronize with CSSM using either option:
· SSM On-Prem is connected to CSSM: In the SSM On-Prem UI, Smart Licensing workspace, navigate to Reports > Usage Schedules > Synchronize now with Cisco.
· SSM On-Prem is not connected to CSSM: Exporting and Importing Usage Data (SSM On-Prem UI), on page 122.
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Error Message %SMART_LIC-3-TRUST_CODE_INSTALL_FAILED: The install of a new licensing trust code has failed on [chars]: [chars].
Explanation: Trust code installation has failed. The first [chars] is the UDI where trust code installation was attempted. The second [chars] is the error string with details of the failure. Possible reasons for failure include:
· A trust code is already installed: Trust codes are node-locked to the UDI of the product instance. If the UDI is already registered, and you try to install another one, installation fails.
· Smart Account-Virtual Account mismatch: This means the Smart Account or Virtual Account (for which the token ID was generated) does not include the product instance on which you installed the trust code. The token generated in CSSM applies at the Smart Account or Virtual Account level and applies to all product instances in that account.
· A signature mismatch: This means that the system clock is not accurate.
· Timestamp mismatch: This means the product instance time is not synchronized with CSSM, and can cause installation to fail.
Recommended Action:
· A trust code is already installed: If you want to install a trust code in spite of an existing trust code on the product instance, re-enter the license smart trust idtoken id_token_value {local|all} [force] command in privileged EXEC mode, and be sure to include the force keyword this time. Entering the force keyword sets a force flag in the message sent to CSSM to create a new trust code even if one already exists.
· Smart Account-Virtual Account mismatch: Log in to the CSSM Web UI at https://software.cisco.com and click Smart Software Licensing > Inventory > Product Instances. Check if the product instance on which you want to generate the token is listed in the selected Virtual Account. If it is, proceed to the next step. If not, check and select the correct Smart Account and Virtual Account. Then complete these tasks again: Generating a New Token for a Trust Code from CSSM, on page 139 and Installing a Trust Code, on page 139.
· Timestamp mismatch and signature mismatch: Configure the ntp server command in global configuration mode. For example:
Device(config)# ntp server 198.51.100.100 version 2 prefer
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Error Message %SMART_LIC-4-REPORTING_NOT_SUPPORTED: The CSSM OnPrem that this product instance is connected to is down rev and does not support the enhanced policy and usage reporting mode.
Explanation: Cisco Smart Software Manager On-Prem (formerly known as Cisco Smart Software Manager satellite) is supported in the Smart Licensing Using Policy environment starting with Cisco IOS XE Amsterdam 17.3.3 only (See SSM On-Prem, on page 55). In unsupported releases, the product instance will behave as follows:
· Stop sending registration renewals and authorization renewals.
· Start recording usage and saving RUM reports locally.
Recommended Action: You have the following options:
· Refer to and implement one of the supported topologies instead. See: Supported Topologies, on page 60.
· Upgrade to a release where SSM On-Prem is supported with Smart Licensing Using Policy. See Migrating to a Version of SSM On-Prem That Supports Smart Licensing Using Policy, on page 107.
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Error Message %SMART_LIC-6-POLICY_INSTALL_SUCCESS: A new licensing policy was successfully installed.
Explanation: A policy was installed in one of the following ways:
· Using Cisco IOS commands.
· CSLU-initiated communication.
· As part of an ACK response.
Recommended Action: No action is required. If you want to know which policy is applied (the policy in-use) and its reporting requirements, enter the show license all command in privileged EXEC mode.
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Error Message %SMART_LIC-6-AUTHORIZATION_INSTALL_SUCCESS: A new licensing authorization code was successfully installed on: [chars].
This message is not applicable to Cisco Catalyst Access, Core, and Aggregation Switches, because there are no enforced or export-controlled licenses on these product instances.
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Error Message %SMART_LIC-6-AUTHORIZATION_REMOVED: A licensing authorization code has been removed from [chars]
Explanation: [chars] is the UDI where the authorization code was installed. The authorization code has been removed. This removes the licenses from the product instance and may cause a change in the behavior of smart licensing and the features using licenses.
Recommended Action: No action is required. If you want to see the current state of the license, enter the show license all command in privileged EXEC mode.
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Error Message %SMART_LIC-6-REPORTING_REQUIRED: A Usage report acknowledgement will be required in [dec] days.
Explanation: This is an alert which means that RUM reporting to Cisco is required. [dec] is the amount of time (in days) left to meet this reporting requirement.
Recommended Action: Ensure that RUM reports are sent within the requested time. The topology you have implemented determines the reporting method.
· Connected to CSSM Through CSLU
· For product instance-initiated communication: Enter the license smart sync command in privileged EXEC mode. If CSLU is currently logged into CSSM, the reports will be automatically sent to the associated Smart Account and Virtual Account in CSSM.
· For CSLU-initiated communication, complete this task: Collecting Usage Reports: CSLU Initiated (CSLU Interface), on page 112.
· Connected Directly to CSSM: Enter the license smart sync command in privileged EXEC mode.
· Connected to CSSM Through a Controller: If the product instance is managed by a controller, the controller will send the RUM report at the scheduled time.
If you are using Cisco DNA Center as the controller, you have the option of ad-hoc reporting. See the Cisco DNA Center Administrator Guide of the required release (Release 2.2.2 onwards) > Manage Licenses > Upload Resource Utilization Details to CSSM.
· CSLU Disconnected from CSSM: If the product instance is connected to CSLU, synchronize with the product instance as shown for "Connected to CSSM Through CSLU" above, then complete these tasks: Export to CSSM (CSLU Interface), on page 113, Uploading Data or Requests to CSSM and Downloading a File, on page 141, and Import from CSSM (CSLU Interface), on page 114.
· No Connectivity to CSSM and No CSLU: Enter the license smart save usage command in privileged EXEC mode to save the required usage information in a file. Then, from a workstation where you have connectivity to CSSM, complete these tasks: Uploading Data or Requests to CSSM and Downloading a File, on page 141 > Installing a File on the Product Instance, on page 142.
· SSM On-Prem Deployment: Synchronize the product instance with SSM On-Prem:
· For product instance-initiated communication: Enter the license smart sync command in privileged EXEC mode. If CSLU is currently logged into CSSM, the reports will be automatically sent to the associated Smart Account and Virtual Account in CSSM.
· For SSM On-Prem-initiated communication, complete this task: In the SSM On-Prem UI, navigate to Reports > Synchronisation pull schedule with the devices > Synchronise now with the device.
Synchronize usage information with CSSM (choose one):
· SSM On-Prem is connected to CSSM: In the SSM On-Prem UI, Smart Licensing workspace, navigate to Reports > Usage Schedules > Synchronize now with Cisco.
· SSM On-Prem is not connected to CSSM: Exporting and Importing Usage Data (SSM On-Prem UI), on page 122.
Error Message %SMART_LIC-6-TRUST_CODE_INSTALL_SUCCESS: A new licensing trust code was successfully installed on [chars].
Explanation: [chars] is the UDI where the trust code was successfully installed.
Recommended Action: No action is required. If you want to verify that the trust code is installed, enter the show license status command in privileged EXEC mode. Look for the updated timestamp under the header Trust Code Installed: in the output.

Additional References for Smart Licensing Using Policy

Topic: For complete syntax and usage information for the commands used in this chapter, see the Command Reference of the corresponding release.
Document Title: Cisco Catalyst 9800 Series Wireless Controller Command Reference

Topic: Cisco Smart Software Manager Help
Document Title: Smart Software Manager Help

Topic: Cisco Smart License Utility (CSLU) installation and user guides
Document Title: Cisco Smart License Utility Quick Start Setup Guide; Cisco Smart License Utility User Guide
Feature History for Smart Licensing Using Policy

This table provides release and related information for features explained in this module.
These features are available on all releases subsequent to the one they were introduced in, unless noted otherwise.

Release: Cisco IOS XE Gibraltar 16.10.1
Feature: Smart Licensing
Feature Information: A cloud-based, software license management solution that allows you to manage and track the status of your license, hardware, and software usage trends.

Release: Cisco IOS XE Amsterdam 17.3.2a
Feature: Smart Licensing Using Policy
Feature Information: An enhanced version of Smart Licensing, with the overarching objective of providing a licensing solution that does not interrupt the operations of your network, rather, one that enables a compliance relationship to account for the hardware and software licenses you purchase and use.
Starting with this release, Smart Licensing Using Policy is automatically enabled on the device. This is also the case when you upgrade to this release.
By default, your Smart Account and Virtual Account in CSSM are enabled for Smart Licensing Using Policy.

Feature: Cisco DNA Center Support for Smart Licensing Using Policy
Feature Information: Cisco DNA Center supports Smart Licensing Using Policy functionality starting with Cisco DNA Center Release 2.2.2. When you use Cisco DNA Center to manage a product instance, Cisco DNA Center connects to CSSM, and is the interface for all communication to and from CSSM.
For information about the compatible controller and product instance versions, see Controller, on page 54.
For information about this topology, see Connected to CSSM Through a Controller, on page 64 and Workflow for Topology: Connected to CSSM Through a Controller, on page 81.

Release: Cisco IOS XE Amsterdam 17.3.3
Feature: Smart Software Manager On-Prem (SSM On-Prem) Support for Smart Licensing Using Policy
Feature Information: SSM On-Prem is an asset manager, which works in conjunction with CSSM. It enables you to administer products and licenses on your premises instead of having to directly connect to CSSM.
For information about the compatible SSM On-Prem and product instance versions, see: SSM On-Prem, on page 55.
For an overview of this topology, and to know how to implement it, see SSM On-Prem Deployment, on page 66 and Workflow for Topology: SSM On-Prem Deployment, on page 83.
For information about migrating from an existing version of SSM On-Prem to one that supports Smart Licensing Using Policy, see Migrating to a Version of SSM On-Prem That Supports Smart Licensing Using Policy, on page 107.

Release: Cisco IOS XE Cupertino 17.9.1
Feature: New mechanism to send data privacy related information
Feature Information: A new mechanism to send all data privacy related information was introduced. This information is no longer included in a RUM report. If data privacy is disabled (no license smart privacy { all | hostname | version } global configuration command), data privacy related information is sent in a separate sync message or offline file.
Depending on the topology you have implemented, the product instance initiates the sending of this information in a separate message, or CSLU and SSM On-Prem initiate the retrieval of this information from the product instance, or this information is saved in the offline file that is generated when you enter the license smart save usage privileged EXEC command.
In the command reference of the corresponding release, see the license smart (global config) command.

Feature: Hostname support
Feature Information: If you configure a hostname on the product instance and disable the corresponding privacy setting (no license smart privacy hostname global configuration command), hostname information is sent from the product instance.
Depending on the topology you have implemented, the hostname information is received by CSSM, and CSLU or SSM On-Prem. It is then displayed on the corresponding user interface.
In the command reference of the corresponding release, see the license smart (global config) command.

Feature: Support for trust code in additional topologies
Feature Information: A trust code is automatically obtained in topologies where CSLU initiates the retrieval of data from the product instance.
See: Trust Code, on page 59, Connected to CSSM Through CSLU, on page 60, CSLU Disconnected from CSSM, on page 63.


CHAPTER 7
Boot Integrity Visibility
· Overview of Boot Integrity Visibility, on page 163
· Verifying Software Image and Hardware, on page 163
· Verifying Platform Identity and Software Integrity, on page 164
Overview of Boot Integrity Visibility
Boot Integrity Visibility allows the Cisco platform identity and software integrity information to be visible and actionable. Platform identity provides the platform's manufacturing installed identity. Software integrity exposes boot integrity measurements that can be used to assess whether the platform has booted trusted code. During the boot process, the software creates a checksum record of each stage of the bootloader activities. You can retrieve this record and compare it with a Cisco-certified record to verify if your software image is genuine. If the checksum values do not match, you may be running a software image that is either not certified by Cisco or has been altered by an unauthorized party.
Verifying Software Image and Hardware
This task describes how to retrieve the checksum record that was created during a switch bootup. Enter the following commands in privileged EXEC mode.

Note On executing the following commands, you might see the message % Please Try After Few Seconds displayed on the CLI. This does not indicate a CLI failure; it indicates that the underlying infrastructure required to produce the output is still being set up. We recommend waiting for a few minutes and then trying the command again.
The messages % Error retrieving SUDI certificate and % Error retrieving integrity data signify a real CLI failure.

Procedure

Step 1 show platform sudi certificate [sign [nonce nonce]]
Displays the checksum record for the specific SUDI.
· (Optional) sign - Show signature.
· (Optional) nonce - Enter a nonce value.
Example:
Device# show platform sudi certificate sign nonce 123

Step 2 show platform integrity [sign [nonce nonce]]
Displays the checksum record for boot stages.
· (Optional) sign - Show signature.
· (Optional) nonce - Enter a nonce value.
Example:
Device# show platform integrity sign nonce 123
Verifying Platform Identity and Software Integrity
Verifying Platform Identity
The following example displays the Secure Unique Device Identity (SUDI) chain in PEM format. Encoded into the SUDI is the Product ID and Serial Number of each individual device such that the device can be uniquely identified on a network of thousands of devices. The first certificate is the Cisco Root CA 2048 and the second is the Cisco subordinate CA (ACT2 SUDI CA). Both certificates can be verified to match those published on https://www.cisco.com/security/pki/. The third is the SUDI certificate.

Important All the CLI outputs provided here are intended only for reference. The output differs based on the configuration of the device.
Device# show platform sudi certificate sign nonce 123
[PEM-encoded certificate chain omitted: Cisco Root CA 2048, ACT2 SUDI CA, SUDI certificate]
Signature version: 1
Signature:
[signature omitted]
The optional RSA 2048 signature is across the three certificates, the signature version and the user-provided nonce.
RSA PKCS#1v1.5 Sign {<Nonce (UINT64)> || <Signature Version (UINT32)> || <Cisco Root CA 2048 cert (DER)> || <Cisco subordinate CA (DER)> || <SUDI certificate (DER)> }
Cisco management solutions are equipped with the ability to interpret the above output. However, a simple script using OpenSSL commands can also be used to display the identity of the platform and to verify the signature, thereby confirming the Cisco unique device identity of the platform.
[linux-host:~]openssl x509 -in sudi_id.pem -subject -noout
subject= /serialNumber=PID:C9600-SUP-1 SN:CAT2239L06B/CN=C9600-SUP-1-70b3171eaa00
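As an added example (not Cisco code or a Cisco tool), the following Python splits the printed chain into its three certificates, assembles the byte string the signature is computed over in the layout the guide gives, and extracts the PID and SN from the openssl subject line. The byte order of the nonce and version fields is an assumption (big-endian, network order), and the PEM bodies in the sample are constructed stand-ins, not real certificates.

```python
"""Offline handling of 'show platform sudi certificate sign nonce <n>' output.

Added example; not Cisco code. The byte order of the integer fields in the
signed buffer is an assumption: the guide gives the widths (UINT64 nonce,
UINT32 signature version) but not the endianness, so network byte order
(big-endian) is used here.
"""
import base64
import re
import struct

# Captured CLI text often runs the PEM markers together
# ("-----END CERTIFICATE---------BEGIN CERTIFICATE-----") or breaks the base64
# body with spaces, so match the marker words and tolerate any dash count and
# any whitespace inside the body.
_PEM_BLOCK = re.compile(
    r"-+BEGIN CERTIFICATE-+\s*([A-Za-z0-9+/=\s]*?)\s*-+END CERTIFICATE", re.S)
_PID_SN = re.compile(r"PID:(\S+)\s+SN:(\S+)")


def split_pem_chain(cli_output: str) -> list[bytes]:
    """DER bytes of every PEM certificate in the output, in print order.

    The guide documents the order as Cisco Root CA 2048, ACT2 SUDI CA, SUDI.
    """
    return [base64.b64decode("".join(body.split()), validate=True)
            for body in _PEM_BLOCK.findall(cli_output)]


def signed_buffer(nonce: int, sig_version: int, ders: list[bytes]) -> bytes:
    """The bytes the RSA PKCS#1 v1.5 signature is computed over, per the guide:
    <Nonce (UINT64)> || <Signature Version (UINT32)> || root DER || sub-CA DER || SUDI DER
    """
    if len(ders) != 3:
        raise ValueError(f"expected 3 certificates in the chain, got {len(ders)}")
    return struct.pack(">QI", nonce, sig_version) + b"".join(ders)


def parse_openssl_subject(subject_line: str) -> dict:
    """Extract PID, SN and CN from 'openssl x509 -subject -noout' output such as
    'subject= /serialNumber=PID:C9600-SUP-1 SN:CAT2239L06B/CN=C9600-SUP-1-70b3171eaa00'.
    """
    fields = {}
    for part in subject_line.split("/"):
        part = part.strip()
        if "=" in part and not part.startswith("subject"):
            name, value = part.split("=", 1)
            fields[name] = value
    match = _PID_SN.search(fields.get("serialNumber", ""))
    if not match:
        raise ValueError("serialNumber attribute does not carry PID/SN")
    return {"PID": match.group(1), "SN": match.group(2), "CN": fields.get("CN", "")}


def _fake_pem(payload: bytes) -> str:
    """Constructed stand-in: PEM framing around arbitrary bytes, NOT a real certificate."""
    return ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(payload).decode()
            + "\n-----END CERTIFICATE-----")


# Constructed sample in the shape of the CLI output; the three bodies are
# placeholders standing for Root CA 2048, ACT2 SUDI CA and the SUDI certificate.
SAMPLE_OUTPUT = (
    "Device# show platform sudi certificate sign nonce 123\n"
    + _fake_pem(b"constructed: Cisco Root CA 2048 stand-in") + "\n"
    + _fake_pem(b"constructed: ACT2 SUDI CA stand-in") + "\n"
    + _fake_pem(b"constructed: SUDI certificate stand-in") + "\n"
    + "Signature version: 1\n"
)
# Subject line as printed in the guide for the SUDI certificate.
SAMPLE_SUBJECT = ("subject= /serialNumber=PID:C9600-SUP-1 SN:CAT2239L06B"
                  "/CN=C9600-SUP-1-70b3171eaa00")


def demo() -> tuple[int, int, dict]:
    """Return (certificate count, signed-buffer length, parsed identity)."""
    ders = split_pem_chain(SAMPLE_OUTPUT)
    return len(ders), len(signed_buffer(123, 1, ders)), parse_openssl_subject(SAMPLE_SUBJECT)


if __name__ == "__main__":
    print(demo())
```

The DER blobs and the buffer can be written to files and handed to openssl for the actual RSA verification against the Cisco CA published at https://www.cisco.com/security/pki/.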
Verifying Software Integrity
The following example displays the checksum record for the boot stages. The hash measurements are displayed for each of the three stages of software successively booted. These hashes can be compared against Cisco-provided reference values. An option to sign the output gives a verifier the ability to ensure the output is genuine and is not altered. A nonce can be provided to protect against replay attacks.
Note Boot integrity hashes are not MD5 hashes. For example, if you run the verify /md5 cat9k_iosxe.16.10.01.SPA.bin command for the bundle file, the hash will not match.
The following is a sample output of the show platform integrity sign nonce 123 command. This output includes measurements of each installed package file.
Device# show platform integrity sign nonce 123
Platform: C9800-L-F-K9
Boot 0 Version: R04.1173930452019-06-11
Boot 0 Hash: A6C92C44976FC77DD42234444FFD87798FB9036A2762FAA4999A190A0258B18C
Boot Loader Version: 16.12(1r)
Boot Loader Hash: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
OS Version: 2020-03-19_20.26
OS Hashes:
C9800-L-universalk9_wlc.2020-03-19_20.26.SSA.bin: 53E2DF1A1A082E36EA4CAB817C1794EC9D69AC0E90BCCBFECF9BCD0BCA9385AA9E9372ABF7431E4A08FC5E5B9670131C09D158E5B8A7B457501FE77AB9F1C26D
C9800-L-mono-universalk9_wlc.2020-03-19_20.26.SSA.pkg: 1D3279D53B0311CE42C669824DF86FB5596CD7CA45CA8D7FDC3D10657B8C9A48F4B0508D7BCFFD645CB6571AC1E674A57A82414E3D6E1666BE64E6132F707671
PCR0: EE14A2D5099DA343B3941C54A429C4AC1D3EE8E9B609F1AC00049768A470734E
PCR8: 78794D0F5667F8FA4E425E3CA2AF3CD99B90B219FD90222D622B3D563416BBAA
Note Only OS and package hashes are supported.
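The comparison against reference values described above, as an added example (not Cisco code): parse the integrity output into per-component hashes and diff them against a reference set. The sample output reuses the values printed in the guide; the reference set is constructed for the demonstration, with the .pkg hash deliberately altered so one mismatch is reported, and the all-F Boot Loader Hash is treated as a fill value rather than a measurement, in line with the note that only OS and package hashes are supported.

```python
"""Diff 'show platform integrity' measurements against reference values.

Added example; not Cisco code. SAMPLE_OUTPUT reuses the values printed in the
guide; REFERENCE is constructed for the demo and deliberately alters the .pkg
hash so that one mismatch is reported.
"""
import re

_HEX = re.compile(r"[0-9A-Fa-f]+")


def parse_integrity(cli_output: str) -> dict:
    """Split the output into plain text fields and a {component: hash} map.

    A 'name: value' line whose value is a long hex string is a measurement
    (Boot 0, Boot Loader, each OS/package file, PCR0, PCR8); other fields
    (Platform, versions) are kept as strings.
    """
    info, hashes = {}, {}
    for raw in cli_output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Device#") or line.endswith(":"):
            continue                      # prompt line and the 'OS Hashes:' header
        name, sep, value = line.rpartition(": ")
        if not sep:
            continue
        value = value.strip()
        if _HEX.fullmatch(value) and len(value) >= 32 and len(value) % 2 == 0:
            hashes[name] = value.upper()
        else:
            info[name] = value
    return {"info": info, "hashes": hashes}


def is_unmeasured(hex_hash: str) -> bool:
    """A hash made of one repeated nibble (the all-F Boot Loader Hash in the
    guide's output) is a fill value, not a measurement: the guide notes that
    only OS and package hashes are supported on this platform."""
    return len(set(hex_hash)) == 1


def compare(measured: dict, reference: dict) -> list:
    """Return (component, verdict) pairs that need attention.

    'mismatch'   measured hash differs from the reference (altered or unexpected build)
    'missing'    a reference component was not reported
    'unexpected' a reported component has no reference value
    'unmeasured' fill value only; this stage cannot be attested here
    """
    got = measured["hashes"]
    findings = []
    for name, expected in reference.items():
        if name not in got:
            findings.append((name, "missing"))
        elif is_unmeasured(got[name]):
            findings.append((name, "unmeasured"))
        elif got[name] != expected.upper():
            findings.append((name, "mismatch"))
    for name, value in got.items():
        if name not in reference:
            findings.append((name, "unmeasured" if is_unmeasured(value) else "unexpected"))
    return findings


BIN = "C9800-L-universalk9_wlc.2020-03-19_20.26.SSA.bin"
PKG = "C9800-L-mono-universalk9_wlc.2020-03-19_20.26.SSA.pkg"
BIN_HASH = "53E2DF1A1A082E36EA4CAB817C1794EC9D69AC0E90BCCBFECF9BCD0BCA9385AA9E9372ABF7431E4A08FC5E5B9670131C09D158E5B8A7B457501FE77AB9F1C26D"
PKG_HASH = "1D3279D53B0311CE42C669824DF86FB5596CD7CA45CA8D7FDC3D10657B8C9A48F4B0508D7BCFFD645CB6571AC1E674A57A82414E3D6E1666BE64E6132F707671"
BOOT0_HASH = "A6C92C44976FC77DD42234444FFD87798FB9036A2762FAA4999A190A0258B18C"
PCR0 = "EE14A2D5099DA343B3941C54A429C4AC1D3EE8E9B609F1AC00049768A470734E"
PCR8 = "78794D0F5667F8FA4E425E3CA2AF3CD99B90B219FD90222D622B3D563416BBAA"
FILL = "F" * 128                          # the unsupported Boot Loader stage

# Sample output in the guide's format (values as printed in the guide).
SAMPLE_OUTPUT = f"""Device# show platform integrity sign nonce 123
Platform: C9800-L-F-K9
Boot 0 Version: R04.1173930452019-06-11
Boot 0 Hash: {BOOT0_HASH}
Boot Loader Version: 16.12(1r)
Boot Loader Hash: {FILL}
OS Version: 2020-03-19_20.26
OS Hashes:
{BIN}: {BIN_HASH}
{PKG}: {PKG_HASH}
PCR0: {PCR0}
PCR8: {PCR8}
"""

# Constructed reference set for the demo: the .pkg value has its last digit
# changed so the comparison reports exactly one mismatch.
REFERENCE = {
    "Boot 0 Hash": BOOT0_HASH,
    BIN: BIN_HASH,
    PKG: PKG_HASH[:-1] + "0",
    "PCR0": PCR0,
    "PCR8": PCR8,
}


def demo() -> list:
    return compare(parse_integrity(SAMPLE_OUTPUT), REFERENCE)


if __name__ == "__main__":
    for component, verdict in demo():
        print(f"{verdict:10s} {component}")
```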


CHAPTER 8
Best Practices
· Introduction, on page 167
Introduction
This chapter covers the best practices recommended for configuring a typical Cisco Catalyst 9800 Series wireless infrastructure. The objective is to provide common settings that you can apply to most wireless network implementations. However, not all networks are the same. Therefore, some of the tips might not be applicable to your installation. Always verify them before you perform any changes on a live network. For more information, see the Cisco Catalyst 9800 Series Configuration Best Practices guide.

PART II
System Upgrade
· Upgrading the Cisco Catalyst 9800 Wireless Controller Software, on page 171
· In-Service Software Upgrade, on page 179
· Software Maintenance Upgrade, on page 189
· Efficient Image Upgrade, on page 207
· Predownloading an Image to an Access Point, on page 213
· N+1 Hitless Rolling AP Upgrade, on page 221
· NBAR Dynamic Protocol Pack Upgrade, on page 225
· Wireless Sub-Package for Switch, on page 227

CHAPTER 9
Upgrading the Cisco Catalyst 9800 Wireless Controller Software
· Overview of Upgrading the Controller Software, on page 171
· Upgrading the Controller Software (GUI), on page 172
· Upgrade the Controller Software (CLI), on page 173
· Converting From Bundle-Mode to Install-Mode, on page 174
· Copying a WebAuth Tar Bundle to the Standby Controller, on page 177
Overview of Upgrading the Controller Software
This section describes the upgrade process and the methods to upgrade the Cisco Catalyst 9800 Series Wireless Controller Software. Newer versions of the controller software are released at regular intervals. This includes major releases as well as rebuild releases that focus on bug fixes. The version of the AP software is also tied to the controller software release. Every major Cisco IOS XE software release contains new sets of features that are essential for enterprise-class customers. Each Cisco IOS XE software release is classified as either a Standard-Support release or an Extended-Support release.
Standard-Support Release
· A sustaining support lifetime of 12 months from First Customer Shipment (FCS) with two scheduled rebuilds.
· Rebuilds are typically released at 6-month intervals after FCS.
Extended-Support Release
· A sustaining support lifetime of 36 months from FCS with ten scheduled rebuilds.
· These rebuilds are at 3, 4, 4, 6, 7 month intervals after FCS or via SMU support. The last 12 months of support will be via SMU.
Based on your requirement, such as upgrading the full image or applying a software patch for bugs, you can go for an appropriate software upgrade, using either GUI or CLI.
· Upgrading the Controller Software (GUI)
· Upgrade the Controller Software (CLI)
Software Upgrade Options
· Software Maintenance Upgrade: This method installs a software package on the system to provide a patch fix or a security resolution to a released image. This upgrade package is provided on a per-release and per-component basis, and is specific to the platform.
· Hitless Upgrade: This method allows the APs to be upgraded in a staggered manner, while still being connected to the same controller. This avoids upgrade downtime even for N+1 networks.
· In-Service Software Upgrade: This method upgrades a wireless controller image to a later release while the network forwards packets. This feature is supported only within and between major releases.
Note We recommend In-Service Software Upgrade if you are upgrading the entire image or cold controller SMU. Use Software Maintenance Upgrade for software patches or bug fixes.
The software upgrade time is estimated to be less than 6 hours for a large network. However, the upgrade time depends on factors such as the number of APs, the percentage of APs to upgrade in each iteration, the controller type (9800-80, 9800-L, and so on), and the connectivity between the controller and the APs.
Device Upgrade Options
The following device upgrade options are available:
· NBAR Dynamic Protocol Pack Upgrade: Protocol packs are software packages that update the Network-Based Application Recognition (NBAR) engine protocol support on a device without replacing the Cisco software on the device. A protocol pack contains information on applications that are officially supported by NBAR, and are compiled and packed together.
· Field Programmables Upgrade: These are hardware programmable packages released by Cisco to upgrade the hardware programmable firmware. Hardware programmable package upgrade is necessary only when a system message indicates that one of the field programmable devices needs an upgrade or when a Cisco technical support representative suggests an upgrade.
Upgrading the Controller Software (GUI)
Before you begin
Clean up the old installation files using the Remove Inactive Files link.
Note For GUI options such as Software Maintenance Upgrade, AP Service Package, and AP Device Package, see the respective feature sections.


Procedure

Step 1 Choose Administration > Software Management.
Step 2 Choose an option from the Upgrade Mode drop-down list:
· INSTALL: The Install mode uses a package-provisioning file named packages.conf in order to boot a device.
· BUNDLE: The Bundle mode uses monolithic Cisco IOS images to boot a device. The Bundle mode consumes more memory than the Install mode because the packages are extracted from the bundle and copied to RAM.
Note You get to view the Destination field only for BUNDLE upgrade mode.
Step 3 From the Transport Type drop-down list, choose the transfer type to transfer the software image to your device as TFTP, SFTP, FTP, Device, or Desktop (HTTP).
· If you choose TFTP as the Transport Type, enter the Server IP Address of the TFTP server that you want to use. Also, enter the complete File Path. In controllers, the IP TFTP source is mapped to the service port by default.
· If you choose SFTP as the Transport Type, enter the Server IP Address of the SFTP server that you want to use. Also, enter the SFTP Username, SFTP Password, and the complete File Path.
· If you choose FTP as the Transport Type, enter the Server IP Address of the FTP server that you want to use. Also, enter the FTP Username, FTP Password, and the complete File Path.
· If you choose Device as the Transport Type, choose the File System from the drop-down list. In the File Path field, browse through the available images or packages from the device and select one of the options, and click Select.
· If you choose Desktop (HTTPS) as the Transport Type, choose the File System from the drop-down list. In the Source File Path field, click Select File to select the file, and click Open.
Step 4 Click Download & Install.
Step 5 To boot your device with the new software image, click Save Configuration & Activate.
Step 6 Click Commit after the device reboots to make the activation changes persistent across reloads.
Note For 17.4 and later releases, this step is mandatory for the upgrade to be persistent. If you do not click Commit, the auto-timer terminates the upgrade operation after 6 hours, and the controller reverts to the previous image.

Upgrade the Controller Software (CLI)
Before you begin
· Determine the Cisco IOS release that is currently running on your controller, and the filename of the system image, using the show version command in user EXEC or privileged EXEC mode.
· Clean up the old installation files using the install remove inactive command.
· Use the show version | include Installation mode command to verify the boot mode.

Note We recommend that you use install mode for the software upgrade. For steps on converting the device from bundle-mode to install-mode, see Converting From Bundle-Mode to Install-Mode.
Procedure

Step 1 Download the software from Cisco.com: https://software.cisco.com/download/home/286316412/type
a) Click the IOS XE Software link.
b) Select the release number you want to install, for example Gibraltar-16.12.3.
Note The Cisco recommended release is selected by default. For release designation information, see: https://software.cisco.com/download/static/assets/i18n/reldesignation.html?context=sds
c) Click Download.
Step 2 Copy the new image to flash using the command: copy tftp:image flash:
Step 3 Verify that the image has been successfully copied to flash using the command: dir flash:
Step 4 Upgrade the software by choosing an upgrade process from the options that are currently supported.
For a list of upgrade options, see Software Upgrade Options, on page 172.

Converting From Bundle-Mode to Install-Mode
Use the procedure given below to boot in install-mode:
Before you begin
· Clean up the old installation files using the command: install remove inactive
· Verify the boot mode using the command: show version | include Installation mode
· Download the software image from Cisco.com. For steps on how to download the software, see Upgrading the Controller Software (CLI).
Procedure

Step 1 Copy the new image to flash using the command: copy tftp:image flash:
Device# copy tftp://xx.x.x.x//C9800-universalk9_wlc.xx.xx.xx.SSA.bin flash:
Destination filename [C9800-universalk9_wlc..xx.xx.xx..SSA.bin]?
Accessing tftp://xx.x.x.x//C9800-universalk9_wlc.xx.xx.xx.SSA.bin...
Loading /C9800-universalk9_wlc.xx.xx.xx.SSA.bin from xx.x.x.x (via GigabitEthernet0/0): !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[OK - 601216545 bytes]
601216545 bytes copied in 50.649 secs (11870255 bytes/sec)

Step 2 Verify that the image has been successfully copied to flash using the command: dir flash:
Device# dir flash:*.bin
Directory of bootflash:/*.bin
On Active
Directory of bootflash:/
12 -rw- 1231746613 Jun 11 2020 23:15:49 +00:00 C9800-universalk9_wlc.BLD_POLARIS_DEV_LATEST_20200611_101837.SSA.bin
17 -rw- 1232457039 Jun 9 2020 21:14:40 +00:00 C9800-universalk9_wlc.BLD_POLARIS_DEV_LATEST_20200609_031801.SSA.bin
21 -rw- 1219332990 Jun 10 2020 02:06:14 +00:00 C9800-universalk9_wlc.BLD_V173_THROTTLE_LATEST_20200608_003622_V17_3_0_183.SSA.bin
18 -rw- 1232167230 Jun 8 2020 02:42:22 +00:00 C9800-universalk9_wlc.BLD_POLARIS_DEV_LATEST_20200607_002322.SSA.bin
24811823104 bytes total (16032391168 bytes free)

On Standby
Directory of stby-bootflash:/*.bin
Directory of stby-bootflash:/
18 -rw- 1232167230 Jun 8 2020 02:42:22 +00:00 C9800-universalk9_wlc.BLD_POLARIS_DEV_LATEST_20200607_002322.SSA.bin
20 -rw- 1231746613 Jun 11 2020 23:15:49 +00:00 C9800-universalk9_wlc.BLD_POLARIS_DEV_LATEST_20200611_101837.SSA.bin
17 -rw- 1232457039 Jun 9 2020 21:14:40 +00:00 C9800-universalk9_wlc.BLD_POLARIS_DEV_LATEST_20200609_031801.SSA.bin
16 -rw- 1219332990 Jun 10 2020 02:06:14 +00:00 C9800-universalk9_wlc.BLD_V173_THROTTLE_LATEST_20200608_003622_V17_3_0_183.SSA.bin
26462998528 bytes total (17686335488 bytes free)

Step 3 Set the boot variable to bootflash:packages.conf.
Device(config)# boot sys flash bootflash:packages.conf

Step 4 Save your changes by entering this command: write memory
Device(config)# write memory

Step 5 Verify whether the boot variable is set to bootflash:packages.conf using the command: show boot
Device# show boot
BOOT variable = bootflash:packages.conf,12;
CONFIG_FILE variable =
BOOTLDR variable does not exist
Configuration register is 0x2102
Standby BOOT variable = bootflash:packages.conf,12;
Standby CONFIG_FILE variable =
Standby BOOTLDR variable does not exist
Standby Configuration register is 0x2102

Step 6 Move the device from bundle-mode to install-mode using the command: install add file image.bin location activate commit
Device# install add file bootflash:C9800-universalk9_wlc.xx.xx.xx.SPA.bin activate commit
install_add_activate_commit: START Thu Dec 6 15:43:57 UTC 2018
Dec 6 15:43:58.669 %INSTALL-5-INSTALL_START_INFO: R0/0: install_engine: Started install one-shot bootflash:C9800-xx-universalk9.xx.xx.xx.SPA.bin
install_add_activate_commit: Adding PACKAGE

--- Starting initial file syncing ---
Info: Finished copying bootflash:C9800-xx-universalk9.xx.xx.xx.SPA.bin to the selected chassis
Finished initial file syncing

--- Starting Add ---
Performing Add on all members
[1] Add package(s) on chassis 1
[1] Finished Add on chassis 1
Checking status of Add on [1]
Add: Passed on [1]
Finished Add

Image added. Version: xx.xx.xx.216
install_add_activate_commit: Activating PACKAGE
Following packages shall be activated:
/bootflash/C9800-xx-rpboot.xx.xx.xx.SPA.pkg
/bootflash/C9800-xx-mono-universalk9.xx.xx.xx.SPA.pkg

This operation requires a reload of the system. Do you want to proceed? [y/n]y
--- Starting Activate ---
Performing Activate on all members
[1] Activate package(s) on chassis 1
--- Starting list of software package changes ---
Old files list:
Removed C9800-xx-mono-universalk9.BLD_Vxxxx_THROTTLE_LATEST_20181022_153332.SSA.pkg
Removed C9800-xx-rpboot.BLD_Vxxxx_THROTTLE_LATEST_20181022_153332.SSA.pkg
New files list:
Added C9800-xx-mono-universalk9.xx.xx.xx.SPA.pkg
Added C9800-xx-rpboot.xx.xx.xx.SPA.pkg
Finished list of software package changes
[1] Finished Activate on chassis 1
Checking status of Activate on [1]
Activate: Passed on [1]
Finished Activate

--- Starting Commit ---
Performing Commit on all members
[1] Commit package(s) on chassis 1
[1] Finished Commit on chassis 1
Checking status of Commit on [1]
Commit: Passed on [1]
Finished Commit

Install will reload the system now!
SUCCESS: install_add_activate_commit Thu Dec 6 15:49:21 UTC 2018
Dec 6 15:49:21.294 %INSTALL-5-INSTALL_COMPLETED_INFO: R0/0: install_engine: Completed install one-shot PACKAGE bootflash:C9800-xx-universalk9.xx.xx.xx.SPA.bin

Note The system reloads automatically after executing the install add file activate commit command. You do not have to manually reload the system.
If the upgrade fails, cleanup is required before attempting the upgrade procedure again. An upgrade failure may occur due to lack of disk space, validation failure of the extracted image, system crashes, and so on. Should a system failure occur during the upgrade process, wait until the system is back in service and check the system image version.
· If it is a new image, check for the stability and functionality of the system, and decide whether to commit and complete the upgrade procedure or discard the upgrade procedure.
· If it is a new image, use the cleanup procedure and reattempt the upgrade procedure.

Step 7 Click yes to all the prompts.
Step 8 Verify the boot mode using the command: show version
Device# show version | in Installation mode is
Installation mode is INSTALL

Copying a WebAuth Tar Bundle to the Standby Controller
Use the following procedure to copy a WebAuth tar bundle to the standby controller, in a high-availability configuration.
Procedure

Step 1 Choose Administration > Management > Backup & Restore.
Step 2 From the Copy drop-down list, choose To Device.
Step 3 From the File Type drop-down list, choose WebAuth Bundle.
Step 4 From the Transfer Mode drop-down list, choose TFTP, SFTP, FTP, or HTTP. The Server Details options change based on the file transfer option selected.
· TFTP
  · IP Address (IPv4/IPv6): Enter the server IP address (IPv4 or IPv6) of the TFTP server that you want to use.
  · File Path: Enter the file path. The file path should start with a slash (/path).
  · File Name: Enter a file name. The file name should not contain spaces. Underscores (_) and hyphens (-) are the only special characters that are supported. Ensure that the file name ends with .tar, for example, webauthbundle.tar.
· SFTP
  · IP Address (IPv4/IPv6): Enter the server IP address (IPv4 or IPv6) of the SFTP server that you want to use.
  · File Path: Enter the file path. The file path should start with a slash (/path).
  · File Name: Enter a file name. The file name should not contain spaces. Underscores (_) and hyphens (-) are the only special characters that are supported. Ensure that the file name ends with .tar, for example, webauthbundle.tar.
  · Server Login UserName: Enter the SFTP server login user name.
  · Server Login Password: Enter the SFTP server login passphrase.
· FTP
  · IP Address (IPv4/IPv6): Enter the server IP address (IPv4 or IPv6) of the FTP server that you want to use.
  · File Path: Enter the file path. The file path should start with a slash (/path).
  · File Name: Enter a file name. The file name should not contain spaces. Underscores (_) and hyphens (-) are the only special characters that are supported. Ensure that the file name ends with .tar, for example, webauthbundle.tar.
  · Logon Type: Choose the login type as either Anonymous or Authenticated. If you choose Authenticated, the following fields are activated:
    · Server Login UserName: Enter the FTP server login user name.
    · Server Login Password: Enter the FTP server login passphrase.
· HTTP
  · Source File Path: Click Select File to select the configuration file, and click Open.

Step 5 Click the Yes or No radio button to back up the existing startup configuration to Flash.
Save the configuration to Flash to propagate the WebAuth bundle to other members, including the standby controller. If you do not save the configuration to Flash, the WebAuth bundle will not be propagated to other members, including the standby controller.
Step 6 Click Download File.

CHAPTER 10
In-Service Software Upgrade
· Information About In-Service Software Upgrade, on page 179
· Prerequisites for Performing In-Service Software Upgrade, on page 180
· Guidelines and Restrictions for In-Service Software Upgrade, on page 180
· Upgrading Software Using In-Service Software Upgrade, on page 181
· Upgrading Software Using ISSU (GUI), on page 182
· Upgrading Software Using In-Service Software Upgrade with Delayed Commit, on page 183
· Monitoring In-Service Software Upgrade, on page 184
· Troubleshooting ISSU, on page 186
Information About In-Service Software Upgrade
In-Service Software Upgrade (ISSU) is a procedure to upgrade a wireless controller image to a later release while the network continues to forward packets. ISSU helps network administrators avoid a network outage when performing a software upgrade. ISSU can also be used to apply cold patches without impacting the active network. ISSU is supported only on the following Cisco Catalyst 9800 Series Wireless Controllers, and supports only upgrade.
· Cisco Catalyst 9800-80 Wireless Controller
· Cisco Catalyst 9800-40 Wireless Controller
· Cisco Catalyst 9800-L Wireless Controller
· Cisco Catalyst 9800-CL Wireless Controller (Private Cloud)
High-Level Workflow of ISSU
1. Onboard the controller software image to the flash memory.
2. Download the AP image to the AP.
3. Install the controller software image.
4. Commit the changes.
Prerequisites for Performing In-Service Software Upgrade
· Ensure that both Active and Standby controllers are in install mode and are booted from bootflash:/packages.conf.
· Ensure that the network or device is not being configured during the upgrade.
· Schedule the upgrade when your network is stable and steady.
· Ensure uninterrupted power supply. A power interruption during the upgrade procedure might corrupt the software image.
Guidelines and Restrictions for In-Service Software Upgrade
· If you do not run the install commit command within 6 hours of the install activate issu command, the system will revert to the original commit position. You can choose to delay the commit using the Upgrading Software Using In-Service Software Upgrade with Delayed Commit procedure.
· During ISSU upgrade, while AP rolling upgrade is in progress, the install abort command won't work. Use the install abort issu command instead to cancel the upgrade.
· During ISSU upgrade, the system displays a warning message similar to: found 46 disjoint TDL objects. You can ignore the warning message because it doesn't have any functional impact.
· During ISSU upgrade, if both the controllers (active and standby) have different images after the power cycle, an auto cancel of ISSU is triggered to bring both the controllers to the same version. The following is a sample scenario: Install Version1 (V1) software on the active controller and then apply a SMU hot patch and perform a commit. Now, upgrade the software to Version2 using ISSU, and then power cycle the active controller. At this point, the system has a version mismatch (V1 and V2). The active controller reloads at this stage, after the completion of bulk synchronization. Now, both the controllers come up with the same version (V1 and V1).
· An ISSU upgrade that is canceled because of configuration synchronization failure on the standby controller rolls back to V1 of the software image. However, this information isn't available in the show install command log. Run the show issu state detail command to see the current ISSU state.
· To enable the clear install command, you should first run the service internal command in global configuration mode, and then run the clear install command in privileged EXEC mode.
· Image rollback could be affected if the controller has a stale rollback history and the stack gets formed afterwards. We recommend that you run the clear install state command to clear stale information and boot the controller in bundle mode.
· The clear install state command doesn't delete the SMU file from flash or storage. To remove a SMU, use either the install remove file command or the install remove inactive command.
· When the new active controller comes up after the image upgrade, it doesn't retain the old logs in the web GUI window as part of show logs.

· If a stateful switchover (SSO) or a high-availability (HA) event occurs during the rolling AP upgrade procedure of the ISSU feature, the rolling AP upgrade stops. You should then use the ap image upgrade command to restart the upgrade process.
· If HA fails to form after the ISSU procedure, reload any one chassis again to form HA again.
· Use the clear ap predownload statistics command before using the show ap image command. This ensures that you get the right data after every pre-download.
· Manually cancel the ISSU process using the install issu abort command in the scenarios given below, to avoid a software version mismatch between the active controller and the standby controller.
  · An RP link is brought down after standby HOT during an ISSU procedure and the link remains down even after the auto-abort timer expiry.
  · An RP link is brought down before the standby controller reaches standby HOT during an ISSU procedure.
· Cisco TrustSec (CTS) is not supported on the RMI interfaces.
· If a switchover occurs while performing an AP upgrade using ISSU, the upgrade process will restart automatically after the switchover.
Upgrading Software Using In-Service Software Upgrade
Use the following procedure to perform a complete image upgrade, that is, from one image to another.
Note ISSU is supported only within and between major releases, for example, 17.3.x to 17.3.y, 17.6.x to 17.6.y (within a major release) and 17.3.x to 17.6.x, 17.3.x to 17.9.x (among major releases), that is, for two releases after the current supported release. ISSU is NOT supported within and between minor releases or between minor and major releases, for example 17.4.x to 17.4.y or 17.4.x to 17.5.x or 17.3.x to 17.4.x. ISSU downgrade is not supported for Cisco Catalyst 9800 Series Wireless Controller platforms.

Note We recommend that you configure the percentage of APs to be upgraded by using the ap upgrade staggered command.

Procedure

Step 1
Command or Action: install add file file-name
Example:
Device# install add file <>
Purpose: The controller software image is added to the flash and expanded.
Note In Cisco Catalyst 9800 Wireless Controller for Switch, run the install add file sub-package-file-name command to expand the wireless subpackage file.

Step 2
Command or Action: ap image predownload
Example:
Device# ap image predownload
Purpose: Performs predownload of the AP image. To see the progress of the predownload, use the show ap image command.

Step 3
Command or Action: install activate issu [auto-abort-timer timer]
Example:
Device# install activate issu
Purpose: Runs compatibility checks, installs the package, and updates the package status details. Optionally, you can configure the time limit to cancel the addition of new software without committing the image. Valid values are from 30 to 1200 minutes.

Step 4
Command or Action: Run either of the following commands:
· install abort issu
Example:
Device# install abort issu
Purpose: Cancels the upgrade process and returns the device to the previous installation state. This is applicable for both the controller and the AP.
· install commit
Example:
Device# install commit
Purpose: Commits the activation changes to be persistent across reloads.
Note If you do not run the install commit command within 6 hours of completing the previous step, the system will revert to the original commit position.

Upgrading Software Using ISSU (GUI)
Before you begin
1. The device should be in Install mode.
2. The device should have an HA pair. The standby controller should be online and in SSO mode.

Cisco Catalyst 9800 Series Wireless Controller Software Configuration Guide, Cisco IOS XE Bengaluru 17.5.x 182

System Upgrade

Upgrading Software Using In-Service Software Upgrade with Delayed Commit

You can verify the details using the show issu state detail command.
Procedure

Step 1 Choose Administration > Software Management.
Step 2 Under the Software Upgrade tab, check the ISSU Upgrade (HA Upgrade) (Beta) check box.
Step 3 In the AP Upgrade Configuration section, from the AP Upgrade per Iteration drop-down list, choose the percentage of APs to be upgraded.
Step 4 Click Download & Install.
This initiates the upgrade process and you can view the progress in the Status dialog box.
Click the Show Logs link to view the upgrade process details.
Note An SSO takes place while activating the image on the active controller. After the SSO, you should log in again to the controller.
The system enables the Commit and ISSU Abort buttons after the upgrade.
Step 5 Click Commit to commit the activation changes, or ISSU Abort to terminate the upgrade process and return the device to the previous installation state.

Upgrading Software Using In-Service Software Upgrade with Delayed Commit
Use this procedure to upgrade the controller software with delayed commit, which will help you to run and test the new software without committing the image.

Procedure

Step 1
Command or Action: install add file file-name
Example:
Device# install add file <file>
Purpose: Adds and expands the controller software image to the flash.
Note In Cisco Catalyst 9800 Wireless Controller for Switch, run the install add file sub-package-file-name command to expand the wireless subpackage file.

Step 2
Command or Action: ap image predownload
Example:
Device# ap image predownload
Purpose: Performs predownload of the AP image.

Step 3
Command or Action: install auto-abort-timer stop
Example:
Device# install auto-abort-timer stop
Purpose: Stops the termination timer so that the upgrade process is not terminated after the default termination time of 6-8 hours.

Step 4
Command or Action: install activate issu
Example:
Device# install activate issu
Purpose: Runs compatibility checks, installs the package, and updates the package status details.

Step 5
Command or Action: install commit
Example:
Device# install commit
Purpose: Commits the activation changes to be persistent across reloads.

Monitoring In-Service Software Upgrade
To view the ISSU state after the install add ISSU and before the install activate ISSU, use the following command:
Device# show issu state detail
--- Starting local lock acquisition on chassis 1 ---
Finished local lock acquisition on chassis 1
Current ISSU Status: Enabled
Previous ISSU Operation: Abort Successful
=======================================================
System Check                        Status
-------------------------------------------------------
Platform ISSU Support               Yes
Standby Online                      Yes
Autoboot Enabled                    Yes
SSO Mode                            Yes
Install Boot                        Yes
Valid Boot Media                    Yes
=======================================================
No ISSU operation is in progress

show install summary
[ Chassis 1 2 ] Installed Package(s) Information:
State (St): I - Inactive, U - Activated & Uncommitted,
C - Activated & Committed, D - Deactivated & Uncommitted
--------------------------------------------------------------------------------
Type  St   Filename/Version
--------------------------------------------------------------------------------
IMG   I    17.1.1.0.432
IMG   C    16.12.2.0.2707
--------------------------------------------------------------------------------
Auto abort timer: inactive
--------------------------------------------------------------------------------
To view the ISSU state after activating ISSU, use the following command:
Device# show issu state detail
Current ISSU Status: In Progress
Previous ISSU Operation: Abort Successful
=======================================================
System Check                        Status
-------------------------------------------------------
Platform ISSU Support               Yes
Standby Online                      Yes
Autoboot Enabled                    Yes
SSO Mode                            Yes
Install Boot                        Yes
Valid Boot Media                    Yes
=======================================================
Operation type: Step-by-step ISSU
Install type  : Image installation using ISSU
Current state : Activated state
Last operation: Switchover
Completed operations:
Operation                              Start time
-------------------------------------------------------
Activate location standby Chassis 2    2019-09-17:23:41:12
Activate location active Chassis 1     2019-09-17:23:50:06
Switchover                             2019-09-17:23:52:03
State transition: Added -> Standby activated -> Active switched-over
Auto abort timer: automatic, remaining time before rollback: 05:41:53
Running image: bootflash:packages.conf
Operating mode: sso, terminal state reached

show install summary
[ Chassis 1/R0 2/R0 ] Installed Package(s) Information:
State (St): I - Inactive, U - Activated & Uncommitted,
C - Activated & Committed, D - Deactivated & Uncommitted
--------------------------------------------------------------------------------
Type  St   Filename/Version
--------------------------------------------------------------------------------
IMG   U    17.1.1.0.432
--------------------------------------------------------------------------------
Auto abort timer: active on install_activate, time before rollback - 05:41:49
--------------------------------------------------------------------------------
To view the ISSU state after installing the commit, use the following command:
Device# show issu state detail
--- Starting local lock acquisition on chassis 1 ---
Finished local lock acquisition on chassis 1
Current ISSU Status: Enabled
Previous ISSU Operation: Successful
=======================================================
System Check                        Status
-------------------------------------------------------
Platform ISSU Support               Yes
Standby Online                      Yes
Autoboot Enabled                    Yes
SSO Mode                            Yes
Install Boot                        Yes
Valid Boot Media                    Yes
=======================================================
No ISSU operation is in progress

show install summary
[ Chassis 1/R0 2/R0 ] Installed Package(s) Information:
State (St): I - Inactive, U - Activated & Uncommitted,
C - Activated & Committed, D - Deactivated & Uncommitted
--------------------------------------------------------------------------------
Type  St   Filename/Version
--------------------------------------------------------------------------------
IMG   C    17.1.1.0.432
--------------------------------------------------------------------------------
Auto abort timer: inactive
--------------------------------------------------------------------------------
To view the ISSU state after terminating the ISSU process, use the following command:
Device# show issu state detail
Current ISSU Status: In Progress
Previous ISSU Operation: Abort Successful
=======================================================
System Check                        Status
-------------------------------------------------------
Platform ISSU Support               Yes
Standby Online                      Yes
Autoboot Enabled                    Yes
SSO Mode                            Yes
Install Boot                        Yes
Valid Boot Media                    Yes
=======================================================
Operation type: Step-by-step ISSU
Install type  : Image installation using ISSU
Current state : Timeout-error state
Last operation: Commit Chassis 1
Completed operations:
Operation                              Start time
-------------------------------------------------------
Activate location standby Chassis 2    2019-09-17:23:41:12
Activate location active Chassis 1     2019-09-17:23:50:06
Switchover                             2019-09-17:23:52:03
Abort                                  2019-09-18:00:14:13
Commit Chassis 1                       2019-09-18:00:28:23
State transition: Added -> Standby activated -> Active switched-over -> Activated -> Timeout-error
Auto abort timer: inactive
Running image: bootflash:packages.conf
Operating mode: sso, terminal state reached
To view the summary of the active packages in a system, use the following command:
Device# show install summary
[ Chassis 1 2 ] Installed Package(s) Information:
State (St): I - Inactive, U - Activated & Uncommitted,
C - Activated & Committed, D - Deactivated & Uncommitted
--------------------------------------------------------------------------------
Type  St   Filename/Version
--------------------------------------------------------------------------------
IMG   C    16.12.2.0.2707
--------------------------------------------------------------------------------
Auto abort timer: inactive
--------------------------------------------------------------------------------
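A defender-side check built on the outputs above, which also covers the show install summary sample under Configuration Examples for SMU: an added example, not code from this guide or from Cisco, that parses show install summary and show issu state detail and reports an image that is activated but not yet committed before the auto-abort timer rolls it back. It assumes the package rows, the "Auto abort timer" line and the "Current state" line keep the layout shown in this section; the sample outputs in the block are constructed.

```python
"""Added example (not from the Cisco guide): parse 'show install summary' and
'show issu state detail' output and flag an activated-but-uncommitted image
before the auto-abort timer rolls it back. Samples below are constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# State legend as printed by 'show install summary'.
STATE_NAMES = {"I": "Inactive", "U": "Activated & Uncommitted",
               "C": "Activated & Committed", "D": "Deactivated & Uncommitted"}
# Package rows look like "IMG   U    17.1.1.0.432": type, legend letter, version.
PKG_RE = re.compile(r"^(\S+)\s+([IUCD])\s+(\S+)$")
# "Auto abort timer: inactive" or
# "Auto abort timer: active on install_activate, time before rollback - 05:41:49"
TIMER_RE = re.compile(
    r"^Auto abort timer:\s*(active|inactive)(?:.*?(\d{1,2}):(\d{2}):(\d{2}))?")

# Constructed sample in the guide's layout: state right after 'install activate issu'.
SUMMARY_ACTIVATED = """\
[ Chassis 1/R0 2/R0 ] Installed Package(s) Information:
State (St): I - Inactive, U - Activated & Uncommitted,
C - Activated & Committed, D - Deactivated & Uncommitted
--------------------------------------------------------------------------------
Type  St   Filename/Version
--------------------------------------------------------------------------------
IMG   U    17.1.1.0.432
--------------------------------------------------------------------------------
Auto abort timer: active on install_activate, time before rollback - 05:41:49
--------------------------------------------------------------------------------
"""
# Constructed sample: the same system after 'install commit'.
SUMMARY_COMMITTED = SUMMARY_ACTIVATED.replace("IMG   U ", "IMG   C ").replace(
    "active on install_activate, time before rollback - 05:41:49", "inactive")
ISSU_STATE_ACTIVATED = """\
Current ISSU Status: In Progress
Current state : Activated state
Last operation: Switchover
"""


@dataclass
class InstallSummary:
    packages: List[Tuple[str, str, str]] = field(default_factory=list)
    abort_timer_active: bool = False
    seconds_to_rollback: Optional[int] = None


def parse_install_summary(text: str) -> InstallSummary:
    """Extract package rows and the auto-abort timer from the command output."""
    summary = InstallSummary()
    for raw in text.splitlines():
        line = raw.strip()
        m = PKG_RE.match(line)
        if m:
            summary.packages.append((m.group(1), m.group(2), m.group(3)))
            continue
        m = TIMER_RE.match(line)
        if m:
            summary.abort_timer_active = m.group(1) == "active"
            if m.group(2) is not None:
                h, mi, s = (int(x) for x in m.group(2, 3, 4))
                summary.seconds_to_rollback = h * 3600 + mi * 60 + s
    return summary


def parse_issu_state(text: str) -> Dict[str, str]:
    """Pick the status lines that identify the ISSU phase."""
    out = {}
    for key in ("Current ISSU Status", "Current state", "Last operation"):
        m = re.search("^" + re.escape(key) + r"\s*:\s*(.+?)\s*$", text, re.M)
        if m:
            out[key] = m.group(1)
    return out


def issu_findings(summary: InstallSummary, state: Dict[str, str],
                  warn_minutes: int = 60) -> List[str]:
    """Operator-facing findings; an empty list means nothing is pending."""
    findings = []
    for ptype, st, version in summary.packages:
        if st != "U":
            continue
        if summary.abort_timer_active and summary.seconds_to_rollback is not None:
            mins = summary.seconds_to_rollback // 60
            msg = (f"{ptype} {version} is {STATE_NAMES[st]}; auto-abort rolls "
                   f"back in {mins} min unless 'install commit' is run")
            findings.append(("URGENT: " if mins <= warn_minutes else "") + msg)
        else:  # delayed commit: timer stopped, image survives only one reload
            findings.append(f"{ptype} {version} is {STATE_NAMES[st]} with the "
                            "abort timer stopped; it survives only the first "
                            "reload until committed")
    current = state.get("Current state", "")
    if "error" in current.lower():
        findings.append(f"ISSU is in '{current}'; review 'show issu state "
                        "detail' before retrying the upgrade")
    return findings
```

Feed it the two command outputs captured from the active controller after each step of the ISSU procedure; a non-empty result means an uncommitted or errored upgrade that still needs install commit or install abort issu.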
Troubleshooting ISSU
Using the install activate issu command before completing AP pre-download
The following scenario is applicable when you run the install activate issu command before completing AP pre-download. In such instances, run the ap image predownload command and then proceed with the activation.
Device# install activate issu
install_activate: START Wed Jan 8 04:48:04 UTC 2020
System configuration has been modified.
Press Yes(y) to save the configuration and proceed.
Press No(n) for proceeding without saving the configuration.
Press Quit(q) to exit, you may save configuration and re-enter the command.
[y/n/q] y
Building configuration...
[OK]Modified configuration has been saved
install_activate: Activating ISSU
NOTE: Going to start Activate ISSU install process
STAGE 0: System Level Sanity Check
===================================================
--- Verifying install_issu supported ---
--- Verifying standby is in Standby Hot state ---
--- Verifying booted from the valid media ---
--- Verifying AutoBoot mode is enabled ---
--- Verifying Platform specific ISSU admission criteria ---
CONSOLE: FAILED: Install operation is not allowed.
Reason -> AP pre-image download is mandatory for hitless software upgrade.
Action -> Trigger AP pre-image download.
FAILED: Platform specific ISSU admission criteria
ERROR: install_activate exit(2) Wed Jan 8 04:48:37 UTC 2020

CHAPTER 11
Software Maintenance Upgrade
· Introduction to Software Maintenance Upgrade, on page 189
· Information About AP Device Package, on page 194
· Information About Per Site or Per AP Model Service Pack (APSP), on page 197
Introduction to Software Maintenance Upgrade
Software Maintenance Upgrade (SMU) is a package that can be installed on a system to provide a patch fix or a security resolution to a released image. A SMU package is provided on a per-release and per-component basis, and is specific to the corresponding platform. A SMU provides a significant benefit over classic Cisco IOS software because it allows you to address the network issue quickly while reducing the time and scope of the testing required. The Cisco IOS XE platform internally validates the SMU compatibility and does not allow you to install incompatible SMUs. All the SMUs are integrated into the subsequent Cisco IOS XE software maintenance releases. A SMU is an independent and self-sufficient package and does not have any prerequisites or dependencies. You can choose which SMUs to install or uninstall in any order.
Note SMUs are supported only on Extended Maintenance releases and for the full lifecycle of the underlying software release.
Note You can activate the file used in the install add file command only from the filesystems of the active device. You cannot use the file from the standby or member filesystems; the install add file command will fail in such instances.
Note When the SMU file is deleted and a reboot is performed, the device may display the following error message:
--- Starting SMU Add operation ---
Performing SMU_ADD on all members
FAILED: Improper State./bootflash/<previously-installed-smu-filename>.smu.bin not present. Please restore file for stability.
Checking status of SMU_ADD on [1/R0]
SMU_ADD: Passed on []. Failed on [1/R0]
Finished SMU Add operation
FAILED: add_activate_commit /bootflash/<tobeinstalled-wlc-smu-filename>.smu.bin Wed Aug 02 08:30:18 UTC 2023.
This error occurs because the previous SMU file was not properly removed from the controller. It may lead to functional errors, such as the inability to install new SMU or APSP files. We recommend that you use the install remove file command to remove previous instances of APSP or SMU files from the bootflash.
SMU infrastructure can be used to meet the following requirements in the wireless context:
· Controller SMU: Controller bug fixes or Cisco Product Security Incident Response information (PSIRT).
· APSP: AP bug fixes, PSIRTs, or minor features that do not require any controller changes.
· APDP: Support for new AP models without introduction of new hardware or software capabilities.
Note The show ap image command displays cumulative statistics regarding the AP images in the controller. We recommend that you clear the statistics using the clear ap predownload statistics command, before using the show ap image command, to ensure that correct data is displayed.
SMU Workflow
The SMU process should be initiated with a request to the SMU committee. Contact your customer support to raise an SMU request. During the release, the SMU package is posted on the Cisco Software Download page and can be downloaded and installed.

SMU Package
An SMU package contains the metadata and fix for the reported issue the SMU is requested for.

SMU Reload
The SMU type describes the effect on a system after installing the corresponding SMU. SMUs can be non-traffic-affecting or can result in device restart, reload, or switchover. A controller cold patch requires a cold reload of the system during activation. A cold reload is the complete reload of the operating system. This action affects the traffic flow for the duration of the reload (~5 min). This reload ensures that all the processes are started with the correct libraries and files that are installed as part of the corresponding SMU. Controller hot patching support allows the SMU to be effective immediately after activation, without reloading the system. After the SMU is committed, the activation changes are persistent across reloads. Hot patching SMU packages contain metadata that lists all processes that need to be restarted in order to activate the SMU. During SMU activation, each process in this list will be restarted one at a time until the SMU is fully applied.
Installing a SMU (GUI)
Procedure

Step 1 Choose Administration > Software Management and click the Software Maintenance Upgrade tab.
Step 2 Click Add to add a SMU image.
Step 3 From the Transport Type drop-down list, choose the transfer type to transfer the software image to your device as TFTP, SFTP, FTP, Device, or Desktop (HTTP).
a) If you choose TFTP as the Transport Type, you need to enter the Server IP Address (IPv4/IPv6), File path and choose a File System from the drop-down list. For example, if the SMU file is at the root of the TFTP server you can enter /C9800-universalk9_wlc.17.03.02a.CSCvw55275.SPA.smu.bin in the File path field.
b) If you choose SFTP as the Transport Type, you need to enter the Server IP Address (IPv4/IPv6), SFTP Username, SFTP Password, File path and choose a File System from the drop-down list.
c) If you choose FTP as the Transport Type, you need to enter the Server IP Address (IPv4/IPv6), FTP Username, FTP Password, File path, and choose a File System from the drop-down list.
d) If you choose Device as the Transport Type, you need to enter the File path and choose a File System from the drop-down list. This is possible when the software is already present on the device due to an earlier download and activation, followed by a subsequent deactivation.
Note The File System depends upon the kind of device you are using. On physical controllers, you have the option to store the file to the bootflash or hard disk, whereas in case of virtual controllers, you can only store it in the bootflash.
e) If you choose Desktop (HTTPS) as the Transport Type, you need to choose a File System from the drop-down list and click Select File to navigate to the Source File Path.
Step 4 Enter the File Name and click Add File.
This operation copies the maintenance update package from the location you selected above to the device, performs a compatibility check for the platform and image versions, and adds the SMU package for all the members. After a SMU is successfully added to the system, a message is displayed about the successful operation and that the SMU can be activated on the device. The message displays the name of the package (SMU) that is now available to be activated. It lists the SMU Details - Name, Version, State (active or inactive), Type (reload, restart, or non-reload) and other compatibility details. If the SMU is of Type reload, then any operation (activate, deactivate or rollback) will cause the device to reload; restart involves only a process restart; and if it is non-reload, no change in process takes place.
Step 5 Select the SMU and click Activate to activate the SMU on the system, install the package, and update the package status details.
Step 6 Select the SMU and click Commit to make the activation changes persistent across reloads.
The Commit operation creates commit points. These commit points are similar to snapshots using which you can determine which specific change you want to be activated or rolled back to, in case there is any issue with the SMU. The commit can be done after activation when the system is up, or after the first reload. If a package is activated, but not committed, it remains active after the first reload, but not after the second reload.

Installing SMU

Procedure

Step 1
Command or Action: install add file bootflash: filename
Example:
Device# install add file bootflash:<Filename>
Purpose: Copies the maintenance update package from a remote location to the device, and performs a compatibility check for the platform and image versions. This command runs base compatibility checks on a file to ensure that the SMU package is supported on the platform. It also adds an entry in the package/SMU.sta file, so that its status can be monitored and maintained.

Step 2
Command or Action: install activate file bootflash: filename
Example:
Device# install activate file bootflash:<Filename>
Purpose: Runs compatibility checks, installs the package, and updates the package status details. For a restartable package, the command triggers the appropriate post-install scripts to restart the necessary processes, and for non-restartable packages it triggers a reload.

Step 3
Command or Action: install commit
Example:
Device# install commit
Purpose: Commits the activation changes to be persistent across reloads. The commit can be done after activation while the system is up, or after the first reload. If a package is activated but not committed, it remains active after the first reload, but not after the second reload.

Step 4
Command or Action: show version
Example:
Device# show version
Purpose: Displays the image version on the device.

Step 5
Command or Action: show install summary
Example:
Device# show install summary
Purpose: Displays information about the active package. The output of this command varies according to the install commands that are configured.

Roll Back an Image (GUI)
Procedure

Step 1 Choose Administration > Software Management.
Step 2 Go to SMU, APSP or APDP.
Step 3 Click Rollback.
Step 4 In the Rollback to drop-down list, choose Base, Committed or Rollback Point.
Step 5 Click Add File.

Rollback SMU

Procedure

Step 1
Command or Action: install rollback to {base | committed | id committed-ID}
Example:
Device(config)# install rollback to id 1234
Purpose: Returns the device to the previous installation state. After the rollback, a reload is required.

Step 2
Command or Action: install commit
Example:
Device# install commit
Purpose: Commits the activation changes to be persistent across reloads.

Deactivate SMU

Procedure

Step 1

install deactivate file bootflash: filename
Example:
Device# install deactivate file bootflash:<Filename>

Purpose: Deactivates an active package, updates the package status, and triggers a process to restart or reload.

Step 2

install commit
Example:
Device# install commit

Purpose: Commits the activation changes to be persistent across reloads.

Configuration Examples for SMU
The following is a sample of the SMU configuration, after the install add for the SMU is done:
Device# show install summary
[ Chassis 1 2 ] Installed Package(s) Information:
State (St): I - Inactive, U - Activated & Uncommitted,
            C - Activated & Committed, D - Deactivated & Uncommitted
--------------------------------------------------------------------------------
Type  St   Filename/Version
--------------------------------------------------------------------------------
IMG   C    16.8.1.0.39751
--------------------------------------------------------------------------------
Auto abort timer: inactive
--------------------------------------------------------------------------------
Information About AP Device Package
The controller supports rolling out critical bug fixes using Software Maintenance Upgrade (SMU). Similarly, when a new AP hardware model is introduced, the new AP models need to join the existing wireless network. Currently, new AP hardware models ship along with the corresponding major controller software version, so you have to wait for the controller release that supports the new AP model and then upgrade the entire network. From 16.11.1 onwards, you can introduce a new AP model into your wireless network using the SMU infrastructure, without upgrading to a new controller version. This solution is termed AP Device Package (APDP).

SMU Process or Workflow
The SMU process detects code changes and builds the APDP. It also supports adding a new file (an AP image file) to the APDP and including those AP images in the APDP. The workflow is as follows:
· install add
· ap image predownload
· install activate
· install commit
For more details, see Managing AP Device Package.

Note To ensure completion of the APSP or APDP activation or deactivation process, run the install commit command after the install activate or install deactivate command. If you do not commit within 6 hours of the deactivate operation, the deactivate operation is terminated and the package is moved back to the original commit position.
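Both the SMU configuration example above and this note turn on one question an operator must answer before a reload or at the end of a change window: is there a package whose activation or deactivation has not been committed? The following Python script is an added example, not code from the guide or from Cisco. It parses the text of show install summary as laid out in this chapter, flags rows in state U (Activated & Uncommitted) or D (Deactivated & Uncommitted), and reports the auto abort timer line. The sample output embedded in it is constructed, and the package file names in it are placeholders.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample, laid out like the show install summary output in this guide.
# File names are placeholders, not real packages.
SAMPLE_INSTALL_SUMMARY = """\
[ Chassis 1 ] Installed Package(s) Information:
State (St): I - Inactive, U - Activated & Uncommitted,
            C - Activated & Committed, D - Deactivated & Uncommitted
--------------------------------------------------------------------------------
Type  St   Filename/Version
--------------------------------------------------------------------------------
APDP  U    bootflash:apdp_EXAMPLE.bin
APSP  I    bootflash:vwlc_apsp_EXAMPLE.bin
IMG   C    17.5.1.0.1
--------------------------------------------------------------------------------
Auto abort timer: inactive
--------------------------------------------------------------------------------
"""

# Meaning of the one-letter St column, as printed in the legend of the output
STATE_NAMES = {
    "I": "Inactive",
    "U": "Activated & Uncommitted",
    "C": "Activated & Committed",
    "D": "Deactivated & Uncommitted",
}

# One package row: type, state code and filename or version string
ROW_RE = re.compile(r"^(IMG|SMU|APSP|APDP)\s+([IUCD])\s+(\S+)\s*$")


@dataclass(frozen=True)
class InstalledPackage:
    pkg_type: str  # IMG, SMU, APSP or APDP
    state: str     # one-letter code from the St column
    name: str      # bootflash path of the package, or the version for IMG

    @property
    def state_name(self) -> str:
        return STATE_NAMES.get(self.state, "Unknown")


def parse_install_summary(text: str) -> list[InstalledPackage]:
    """Return one InstalledPackage per row of the Type/St/Filename table."""
    packages = []
    for line in text.splitlines():
        match = ROW_RE.match(line.strip())
        if match:
            packages.append(InstalledPackage(*match.groups()))
    return packages


def auto_abort_timer(text: str) -> str:
    """Return the text after 'Auto abort timer:', for example 'inactive'."""
    for line in text.splitlines():
        if line.startswith("Auto abort timer:"):
            return line.split(":", 1)[1].strip()
    return "unknown"


def uncommitted_packages(packages: list[InstalledPackage]) -> list[InstalledPackage]:
    """Packages whose activation or deactivation has not been committed.

    Per the guide, an activated-but-uncommitted package survives the first
    reload but not the second, and an uncommitted deactivation is aborted
    after 6 hours, so these are the rows a change checklist must catch.
    """
    return [p for p in packages if p.state in ("U", "D")]


def commit_pending(text: str) -> bool:
    """True when an install commit is still outstanding for this output."""
    return bool(uncommitted_packages(parse_install_summary(text)))


if __name__ == "__main__":
    for pkg in parse_install_summary(SAMPLE_INSTALL_SUMMARY):
        print(f"{pkg.pkg_type:<5} {pkg.state_name:<26} {pkg.name}")
    print("Auto abort timer:", auto_abort_timer(SAMPLE_INSTALL_SUMMARY))
    print("commit pending:", commit_pending(SAMPLE_INSTALL_SUMMARY))
```

Feed it the captured output of show install summary (the legend and separator lines are ignored); a True from commit_pending is the signal to run install commit before the next reload.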

SMU Package
A SMU package contains the metadata that carry AP model and its capability related details.
AP Image Changes
When new AP models are introduced, there may or may not be corresponding new AP images. This means that AP images are mapped to the AP model families. If a new AP model belongs to an existing AP model family then you will have existing AP image entries (Example: ap3g3, ap1g5, and so on). For instance, if an AP model belongs to either ap3g3 or ap1g5, the respective image file is updated with the right AP image location. Also, the corresponding metadata file is updated with the new AP model capability information.
If a new AP model belongs to a new AP model family and new image file, the new image entry file is created in the right AP image location. Also, the corresponding metadata file is updated with the new AP model capability information.
During AP image bundling and packaging of APDP, the new AP model images and metadata file are packaged into APDP.

Note The APDP images must not be renamed to avoid impact on its functionality.

Installing AP Device Package (GUI)
Procedure

Step 1 Choose Administration > Software Management.
Step 2 Click the AP Device Package (APDP) tab.
Step 3 Click Add.
Step 4 From the Transport Type drop-down list, choose the transfer type to transfer the software image to your device as TFTP, SFTP, FTP, Device, or Desktop (HTTP).
a) If you choose TFTP as the Transport Type, you need to enter the Server IP Address (IPv4/IPv6), File path and choose a File System from the drop-down list.
b) If you choose SFTP as the Transport Type, you need to enter the Server IP Address (IPv4/IPv6), SFTP Username, SFTP Password, File path and choose a File System from the drop-down list.
c) If you choose FTP as the Transport Type, you need to enter the Server IP Address (IPv4/IPv6), FTP Username, FTP Password, File path, and choose a File System from the drop-down list.
d) If you choose Device as the Transport Type, you need to enter the File path and choose a File System from the drop-down list.
e) If you choose Desktop (HTTPS) as the Transport Type, you need to choose a File System from the drop-down list and click Select File to navigate to the Source File Path.
Step 5 Enter the File Name and click Add File.
Step 6 From the AP Upgrade Configuration section, choose the percentage of APs to be included from the AP Upgrade per iteration drop-down list.
Step 7 Click Apply.

Installing AP Device Package (CLI)

Procedure

Step 1

install add file bootflash: filename
Example:
Device# install add file bootflash:<Filename>

Purpose: Extracts AP images from APDP and places them in SMU or APDP specific mount location.
Note Here, the SMU does not trigger the Wireless module.

Step 2

install activate file bootflash: filename
Example:
Device# install activate file bootflash:<Filename>

Purpose: Adds the AP software in APDP to the existing current active AP image list. Also, updates the capability information for the new AP models in the controller.
Note Even if the new AP module supports new hardware capabilities, the controller recognizes only the capability information that its base version supports.
At this point, the controller accepts the new connection from the new AP model. The new AP model then joins the controller.

Step 3

install commit
Example:
Device# install commit

Purpose: Commits the new AP software to be persistent across reloads.
The commit can be done after activation while the system is up, or after the first reload. If a package is activated but not committed, it remains active after the first reload, but not after the second reload.

Step 4

install deactivate file bootflash: filename
Example:
Device# install deactivate file bootflash:<Filename>

Purpose: (Optional) Deactivates an active APDP, updates the package status, and triggers a process to restart or reload.

Step 5

show version
Example:
Device# show version

Purpose: Displays the image version on the device.

Verifying APDP on the Controller
To verify the status of APDP packages on the controller , use the following command:

Device# show install summary
[ Chassis 1 ] Installed Package(s) Information:
State (St): I - Inactive, U - Activated & Uncommitted,
            C - Activated & Committed, D - Deactivated & Uncommitted
--------------------------------------------------------------------------------
Type  St   Filename/Version
--------------------------------------------------------------------------------
APDP  I    bootflash:apdp_CSCvp12345.bin
IMG   C    17.1.0.0
--------------------------------------------------------------------------------
Auto abort timer: inactive
--------------------------------------------------------------------------------

Note The output of this command varies based on the packages, and the package states that are installed.
Information About Per Site or Per AP Model Service Pack (APSP)
The controller supports critical updates to the access points (APs) using Software Maintenance Update (SMU). Using the Per Site or Per AP Model Service Pack feature, you can roll out critical AP bug fixes to a subset of APs, on a site or group of sites, using SMU in a staggered manner. This feature allows you to control the propagation of a SMU in your network by selecting the sites to be included in the SMU activation, using Per Site AP SMU rollout. However, all sites should be brought to the same SMU level before a new SMU can be rolled out to a subset of sites, or before a subsequent image upgrade can be initiated on the system. Using Per AP Model SMU, you can limit the update to only certain AP models: the software is predownloaded and activated only on those AP models within a site. Note that if a certain number of model images are included in a SMU, all future updates must contain software images for those models. This feature is supported in FlexConnect mode, local mode, and Software-Defined Access (SD-Access) wireless scenarios.
Note After applying the AP site filter for per site SMU upgrade, a new image installation will not be allowed without applying the site filter to all the other sites, or removing the existing site filter.
Workflow of AP SMU Upgrade
· Run a query to check whether there are ongoing activities, such as AP image predownload or AP rolling upgrade.
· Identify the site or sites to install the SMU in, and set up a site filter.
· Trigger the predownload of SMU to the sites in the site filter.
· Activate the SMU after the predownload is complete.
· Commit the update.

Note You can add more sites to a filter after setting up the filter. However, you have to apply the filter again using the ap image site-filter file file-name apply command. If you clear the site filter, the update is made on all the remaining sites. Deactivation and rollback of the images are not filtered per site, and are applicable to all the sites.
Rolling AP Upgrade
Rolling AP upgrade is a method of upgrading the APs in a staggered manner such that some APs are always up in the network and provide seamless coverage to clients, while the other APs are selected to be upgraded.
Note The AP images should be downloaded before the rolling upgrade is triggered, so that all the APs that are to be upgraded have the new image version.
Rolling AP Upgrade Process
Rolling AP upgrade is done on a per controller basis. The number of APs to be upgraded at a given time is a percentage of the total number of APs that are connected to the controller. The percentage is capped at a user-configured value. The default percentage is 15. The non-client APs are upgraded before the actual upgrade of APs begins. The upgrade process is as follows:

1. Candidate AP Set Selection
In this stage, a set of AP candidates is selected based on neighbouring AP information. For example, if you identify an AP for upgrade, a certain number (N) of its neighbours are excluded from candidate selection. The N values are generated in the following manner:
· If the user configurable capped percentage is 25%, then N=6 (expected number of iterations = 5)
· If the user configurable capped percentage is 15%, then N=12 (expected number of iterations = 12)
· If the user configurable capped percentage is 5%, then N=24 (expected number of iterations = 22)
If the candidates cannot be selected using the neighbouring AP information, candidates are selected from indirect neighbours. If candidates still cannot be selected, the AP is upgraded without any failure.

Note After the candidates are selected, if the number of candidates is more than the configured percentage value, the extra candidates are removed to maintain the percentage cap.

2. Client Steering
Clients that are connected to the candidate APs are steered to APs that are not in the candidate AP list, prior to rebooting the candidate APs. The AP sends out a request to each of its associated clients with a list of APs that are best suited for them. This list does not include the candidate APs. The candidate APs are marked as unavailable for neighbour lists. Later, the markings are reset in the AP rejoin and reload process.
3. AP Rejoin and Reload Process
After the client steering process, if the clients are still connected to the candidate AP, the clients are sent a de-authorization and the AP is reloaded and comes up with a new image. A three-minute timer is set for the APs to rejoin. When this timer expires, all the candidates are checked and marked if they have either joined the controller or the mobility peer. If 90% of the candidate APs have joined, the iteration is concluded; if not, the timer is extended to three more minutes. The same check is repeated after three minutes. After checking thrice, the iteration ends and the next iteration begins. Each iteration may last for about 10 minutes.
For rolling AP upgrade, only one configuration is required: the number of APs to be upgraded at a time, as a percentage of the total number of APs in the network. The default value is 15.
Device(config)# ap upgrade staggered <25 | 15 | 5>
Use the following command to trigger the rolling AP upgrade:
Device#ap image upgrade [test]

Note Rolling AP upgrade is not resumed after an SSO. You should run the ap image upgrade command to restart the rolling AP upgrade from the beginning and it affects all the APs, including the Mesh APs.
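The candidate selection and percentage cap described in the rolling AP upgrade process above can be modelled to see how many iterations an upgrade takes for a given topology before touching production. The following Python simulation is an added example, not Cisco code and not the controller's actual algorithm. It uses the N values from the guide (25% gives N=6, 15% gives N=12, 5% gives N=24), assumes that each AP's neighbour list is ordered strongest first and that a candidate's first N neighbours stay out of the same batch, and constructs a small line topology as input. The fallback to indirect neighbours is not modelled.

```python
from __future__ import annotations

from typing import Dict, List, Tuple

# Number of neighbours (N) excluded per candidate for each supported
# percentage cap, as listed in the guide.
NEIGHBOURS_EXCLUDED = {25: 6, 15: 12, 5: 24}

# AP name -> neighbour names, strongest first (ordering is an assumption)
Neighbours = Dict[str, List[str]]


def batch_cap(total_aps: int, percentage: int) -> int:
    """Maximum APs per iteration: the percentage of all APs on the controller."""
    return max(1, total_aps * percentage // 100)


def select_candidates(pending: List[str], neighbours: Neighbours,
                      total_aps: int, percentage: int) -> List[str]:
    """One iteration of candidate selection.

    Walk the not-yet-upgraded APs in order; an AP becomes a candidate unless it
    was excluded by an earlier candidate or one of its own first N neighbours
    is already a candidate (so neighbouring APs stay up and keep coverage).
    Candidates beyond the cap are dropped, as the guide's note states.
    """
    n = NEIGHBOURS_EXCLUDED[percentage]
    chosen: List[str] = []
    excluded: set = set()
    for ap in pending:
        near = neighbours.get(ap, [])[:n]
        if ap in excluded or any(x in chosen for x in near):
            continue
        chosen.append(ap)
        excluded.update(near)
    return chosen[: batch_cap(total_aps, percentage)]


def plan_rolling_upgrade(aps: List[str], neighbours: Neighbours,
                         percentage: int = 15) -> List[List[str]]:
    """Return the per-iteration batches until every AP has been upgraded."""
    pending = list(aps)
    iterations: List[List[str]] = []
    while pending:
        batch = select_candidates(pending, neighbours, len(aps), percentage)
        iterations.append(batch)
        pending = [ap for ap in pending if ap not in batch]
    return iterations


def coverage_preserved(iterations: List[List[str]], neighbours: Neighbours) -> bool:
    """True when no batch reloads two APs that are neighbours of each other."""
    for batch in iterations:
        in_batch = set(batch)
        for ap in batch:
            if in_batch.intersection(neighbours.get(ap, [])):
                return False
    return True


def line_topology(count: int) -> Tuple[List[str], Neighbours]:
    """Constructed sample: APs along a corridor, each hearing its two neighbours."""
    aps = [f"ap{i}" for i in range(1, count + 1)]
    neighbours: Neighbours = {}
    for i, ap in enumerate(aps):
        near = []
        if i > 0:
            near.append(aps[i - 1])
        if i < count - 1:
            near.append(aps[i + 1])
        neighbours[ap] = near
    return aps, neighbours


if __name__ == "__main__":
    aps, graph = line_topology(10)
    for pct in (25, 15, 5):
        plan = plan_rolling_upgrade(aps, graph, pct)
        print(f"{pct}% cap: {len(plan)} iterations, coverage ok={coverage_preserved(plan, graph)}")
        for i, batch in enumerate(plan, 1):
            print(f"  iteration {i}: {batch}")
```

With ten APs and the 25% cap the model needs six iterations of at most two APs each, and coverage_preserved confirms that no two adjacent APs are ever reloaded together; at 15% the cap rounds down to one AP per iteration, so ten iterations are needed, which is the trade-off between speed and coverage the percentage setting controls.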

Installing AP Service Package (GUI)
Procedure

Step 1 Choose Administration > Software Management.
Step 2 Click the AP Service Package (APSP) tab.
Step 3 Click Add.
Step 4 From the Transport Type drop-down list, choose the transfer type to transfer the software image to your device as TFTP, SFTP, FTP, Device, or Desktop (HTTP).
a) If you choose TFTP as the Transport Type, you need to enter the Server IP Address (IPv4/IPv6), File path and choose a File System from the drop-down list.
b) If you choose SFTP as the Transport Type, you need to enter the Server IP Address (IPv4/IPv6), SFTP Username, SFTP Password, File path and choose a File System from the drop-down list.
c) If you choose FTP as the Transport Type, you need to enter the Server IP Address (IPv4/IPv6), FTP Username, FTP Password, File path, and choose a File System from the drop-down list.
d) If you choose Device as the Transport Type, you need to enter the File path and choose a File System from the drop-down list.
e) If you choose Desktop (HTTPS) as the Transport Type, you need to choose a File System from the drop-down list and click Select File to navigate to the Source File Path.
Step 5 Enter the File Name and click Add File.
Step 6 From the AP Upgrade Configuration section, choose the percentage of APs to be included from the AP Upgrade per iteration drop-down list.

Step 7 Click Apply.

Installing AP Service Package (CLI)
Use the following procedure to roll out critical bug fixes to a subset of APs using SMU.

Procedure

Step 1

install add file file-name
Example:
Device# install add file flash:<file-name>

Purpose: Checks for ongoing activities, such as AP image predownload or AP rolling upgrade. If there are no such activities, populates the predownload directory to install a package file to the system.

Step 2

ap image site-filter file file-name add site-tag
Example:
Device# ap image site-filter file flash:<file-name> add bgl18

Purpose: Adds a site tag to a site filter.

Step 3

ap image site-filter file file-name remove site-tag
Example:
Device# ap image site-filter file flash:<file-name> remove bgl18

Purpose: (Optional) Removes a site tag from a site filter.

Step 4

ap image predownload
Example:
Device# ap image predownload

Purpose: (Optional) Performs predownload of an AP image. This image predownload is filtered by the site filter set up in the previous step.

Step 5

install activate file file-name
Example:
Device# install activate file flash:<file-name>

Purpose: Triggers the AP upgrade in a rolling, staggered fashion for the APs added in the site filter.

Step 6

install commit
Example:
Device# install commit

Purpose: Commits the image update.
During the commit, the mapping from file to site is saved in the persistent database so that it is available even after a reload.

Adding a Site to a Filter

Procedure

Step 1

ap image site-filter file file-name add site-tag
Example:
Device# ap image site-filter file flash:<file-name> add bgl18

Purpose: Adds a site tag to a site filter. Repeat this step to set up a multisite filter.

Step 2

ap image site-filter file file-name apply
Example:
Device# ap image site-filter file flash:<file-name> apply

Purpose: Predownloads the image and upgrades the APs based on the site filter.

Step 3

ap image site-filter file file-name clear
Example:
Device# ap image site-filter file flash:<file-name> clear

Purpose: Clears the site filter table, predownloads the image, and does a rolling AP upgrade to all sites where it is not active.

Deactivating an Image

Procedure

Step 1

install deactivate file flash:file-name
Example:
Device# install deactivate file flash:<file-name>

Purpose: Performs rolling AP upgrade based on the AP models present in the prepare file.
Deactivation is not filtered by site. Therefore, deactivation applies to all the sites.
Note No action is taken on the APs in a site if they are not running the SMU that is being deactivated. Only internal tables are updated to remove the SMU.

Roll Back APSP

Procedure

Step 1

install add profile rollback_profile-name
Example:
Device# install add profile rollback_id1

Purpose: (Optional) Moves back to any rollback point in a graceful way with AP image predownload support.
Note To get a list of available rollback profile names, use the show install profile command.

Step 2

ap image predownload
Example:
Device# ap image predownload

Purpose: (Optional) Performs predownload of an AP image. This image predownload is filtered by the site filter set up in the previous step.

Step 3

install rollback to rollback_id
Example:
Device# install rollback to rollback_id1

Purpose: Performs rollback of the image for the affected AP models.
The rollback action is not filtered by site. Therefore, rollback applies to all the sites.
Note The APs that are in the base image or at a point before the rollback action takes effect are not affected.

Canceling the Upgrade

Procedure

Step 1

install abort
Example:
Device# install abort

Purpose: Aborts the upgrade by resetting the APs in rolling fashion.

Verifying the Upgrade

To see the summary of the AP software install files, use the following command:
Device# show ap image file summary

AP Image Active List
============================
Install File Name: base_image.bin
--------------------------------------------------------------------------------
AP Image Type   Capwap Version   Size (KB)   Supported AP models
-------------   --------------   ---------   ----------------------------------
ap1g1           17.3.0.30        13300       NA
ap1g2           17.3.0.30        34324       NA
ap1g3           17.3.0.30        98549       AP803
ap1g4           17.3.0.30        34324       AP1852E, AP1852I, AP1832I, AP1830I, AP1810W, OEAP1810
ap1g5           17.3.0.30        23492       AP1815W, AP1815T, OEAP1815, AP1815I, AP1800I, AP1800S, AP1815M, 1542D, AP1542I, AP1100AC, AP1101AC, AP1840I
ap1g6           17.3.0.30        93472       AP2900I, C9117AXI
ap1g6a          17.3.0.30        247377      C9130AXI, C9130AXE, C9140AXI, C9140AXD, C9140AXT
ap1g7           17.3.0.30        23988       AP1900I, C9115AXI, AP1900E, C9115AXE, C9120AXE, C9120AXP, C9120AXI
ap1g8           17.3.0.30        23473       C9105AXI, C9105AXW, C9110AXI, C9110AXE
ap3g1           17.3.0.30        23422       NA
ap3g2           17.3.0.30        23411       AP1702I
ap3g3           17.3.0.30        23090       AP3802E, AP3802I, AP3802P, AP4800, AP2802E, AP2802I, AP2802H, AP3800, AP1562E, AP1562I, AP1562D, AP1562PS, IW-6300H-DC, IW-6300H-AC, IW-6300H-DCW, ESW-6300
c1570           17.3.0.30        13000       AP1572E, 1573E, AP1572I
c3700           17.3.0.30        14032       AP3702E, AP3701E, AP3701I, AP3702I, AP3701P, AP3702P, AP2702E, AP2702I, AP3702, IW3702, AP3701, AP3700C
virtApImg       17.3.0.30        177056      APVIRTUAL

AP Image Prepare List**
============================
Install File Name: base_image.bin
--------------------------------------------------------------------------------
AP Image Type   Capwap Version   Size (KB)   Supported AP models
-------------   --------------   ---------   ----------------------------------
ap1g1           17.3.0.30        13300       NA
ap1g2           17.3.0.30        34324       NA
ap1g3           17.3.0.30        98549       AP803
ap1g4           17.3.0.30        34324       AP1852E, AP1852I, AP1832I, AP1830I, AP1810W, OEAP1810
ap1g5           17.3.0.30        23492       AP1815W, AP1815T, OEAP1815, AP1815I, AP1800I, AP1800S, AP1815M, 1542D, AP1542I, AP1100AC, AP1101AC, AP1840I
ap1g6           17.3.0.30        93472       AP2900I, C9117AXI
ap1g6a          17.3.0.30        247377      C9130AXI, C9130AXE, C9140AXI, C9140AXD, C9140AXT
ap1g7           17.3.0.30        23988       AP1900I, C9115AXI, AP1900E, C9115AXE, C9120AXE, C9120AXP, C9120AXI
ap1g8           17.3.0.30        23473       C9105AXI, C9105AXW, C9110AXI, C9110AXE
ap3g1           17.3.0.30        23422       NA
ap3g2           17.3.0.30        23411       AP1702I
ap3g3           17.3.0.30        23090       AP3802E, AP3802I, AP3802P, AP4800, AP2802E, AP2802I, AP2802H, AP3800, AP1562E, AP1562I, AP1562D, AP1562PS, IW-6300H-DC, IW-6300H-AC, IW-6300H-DCW, ESW-6300
c1570           17.3.0.30        13000       AP1572E, 1573E, AP1572I
c3700           17.3.0.30        14032       AP3702E, AP3701E, AP3701I, AP3702I, AP3701P, AP3702P, AP2702E, AP2702I, AP3702, IW3702, AP3701, AP3700C
virtApImg       17.3.0.30        177056      APVIRTUAL

**Difference of Active and Prepare list gives images being predownloaded to Access Points.
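The double-starred note is the point of this output: whatever differs between the Active list and the Prepare list is what the APs are about to download. The following Python is an added example, not Cisco code, that parses the two lists of show ap image file summary and returns the image types and AP models affected. The embedded sample is constructed with only three image rows, the Prepare list's install file name is a placeholder, and the 17.3.0.31 version in it is a made-up value chosen so that the two lists differ.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the layout of show ap image file summary.  Only three
# image types are shown, and the 17.3.0.31 row is a made-up newer version.
SAMPLE_FILE_SUMMARY = """\
AP Image Active List
============================
Install File Name: base_image.bin
--------------------------------------------------------------------------------
AP Image Type   Capwap Version   Size (KB)   Supported AP models
-------------   --------------   ---------   ----------------------------------
ap1g8           17.3.0.30        23473       C9105AXI, C9105AXW, C9110AXI, C9110AXE
ap3g3           17.3.0.30        23090       AP3802E, AP3802I, AP2802I
virtApImg       17.3.0.30        177056      APVIRTUAL

AP Image Prepare List**
============================
Install File Name: apsp_EXAMPLE.bin
--------------------------------------------------------------------------------
AP Image Type   Capwap Version   Size (KB)   Supported AP models
-------------   --------------   ---------   ----------------------------------
ap1g8           17.3.0.30        23473       C9105AXI, C9105AXW, C9110AXI, C9110AXE
ap3g3           17.3.0.31        23112       AP3802E, AP3802I, AP2802I
virtApImg       17.3.0.30        177056      APVIRTUAL

**Difference of Active and Prepare list gives images being predownloaded to Access Points.
"""


@dataclass(frozen=True)
class ImageEntry:
    image_type: str   # e.g. ap3g3
    version: str      # CAPWAP version string
    size_kb: int
    models: tuple     # supported AP models, ("NA",) when none listed


# image type, dotted version, size, then the comma-separated model list
ROW_RE = re.compile(r"^(\S+)\s+(\d+(?:\.\d+)+)\s+(\d+)\s+(.*)$")


def parse_file_summary(text: str) -> Dict[str, Dict[str, ImageEntry]]:
    """Return {'active': {...}, 'prepare': {...}} keyed by image type."""
    lists: Dict[str, Dict[str, ImageEntry]] = {}
    current = None
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("AP Image Active List"):
            current = "active"
            lists[current] = {}
        elif line.startswith("AP Image Prepare List"):
            current = "prepare"
            lists[current] = {}
        elif current is not None:
            match = ROW_RE.match(line)
            if match:
                image_type, version, size, models = match.groups()
                model_list = tuple(m.strip() for m in models.split(",") if m.strip())
                lists[current][image_type] = ImageEntry(image_type, version, int(size), model_list)
    return lists


def images_being_predownloaded(lists) -> Dict[str, ImageEntry]:
    """Prepare-list entries absent from, or at a different version than, the Active list."""
    active = lists.get("active", {})
    return {
        name: entry
        for name, entry in lists.get("prepare", {}).items()
        if name not in active or active[name].version != entry.version
    }


def models_affected(lists) -> List[str]:
    """AP models that will receive a new image, sorted for stable reporting."""
    models = set()
    for entry in images_being_predownloaded(lists).values():
        models.update(entry.models)
    return sorted(models)


if __name__ == "__main__":
    parsed = parse_file_summary(SAMPLE_FILE_SUMMARY)
    for name, entry in images_being_predownloaded(parsed).items():
        old = parsed["active"].get(name)
        print(f"{name}: {old.version if old else 'absent'} -> {entry.version}, models {entry.models}")
    print("models affected:", models_affected(parsed))
```

Run against a real capture, the models_affected list is what you compare with the AP models on the site you are about to upgrade; an image type appearing in the difference that no AP in the site uses is a sign the wrong APSP or APDP was added.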
To see the summary of the AP site-filtered upgrades, use the following command:
Device# show ap image site summary
Install File Name: vwlc_apsp_16.11.1.0_74.bin

Site Tag               Prepared   Activated   Committed
-------------------------------------------------------------------------------------------
bgl-18-1               Yes        Yes         Yes
bgl-18-2               Yes        Yes         Yes
bgl-18-3               Yes        Yes         Yes
default-site-tag       Yes        Yes         Yes
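Because the guide requires every site to reach the same SMU level before a new SMU or image can be installed, the per-site table above is the natural thing to check before the next change window. The following Python is an added example, not Cisco code, that parses show ap image site summary and reports the sites that are behind. Its embedded sample is constructed: the install file name is a placeholder, and two sites are deliberately left uncommitted, unlike the all-Yes output shown above.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the layout of show ap image site summary; the file name
# is a placeholder and two sites are deliberately left behind.
SAMPLE_SITE_SUMMARY = """\
Install File Name: vwlc_apsp_EXAMPLE.bin

Site Tag               Prepared   Activated   Committed
-------------------------------------------------------------
bgl-18-1               Yes        Yes         Yes
bgl-18-2               Yes        Yes         No
bgl-18-3               No         No          No
default-site-tag       Yes        Yes         Yes
"""

ROW_RE = re.compile(r"^(\S+)\s+(Yes|No)\s+(Yes|No)\s+(Yes|No)\s*$")


@dataclass(frozen=True)
class SiteStatus:
    site_tag: str
    prepared: bool
    activated: bool
    committed: bool

    @property
    def level(self) -> str:
        """Highest stage the site has reached for this install file."""
        if self.committed:
            return "committed"
        if self.activated:
            return "activated"
        if self.prepared:
            return "prepared"
        return "none"


def parse_site_summary(text: str) -> Dict[str, SiteStatus]:
    """Return {site_tag: SiteStatus} for every data row of the table."""
    sites: Dict[str, SiteStatus] = {}
    for line in text.splitlines():
        match = ROW_RE.match(line.strip())
        if match:
            tag, prepared, activated, committed = match.groups()
            sites[tag] = SiteStatus(tag, prepared == "Yes", activated == "Yes", committed == "Yes")
    return sites


def install_file_name(text: str) -> str:
    """The install file the table refers to, or 'unknown' if the line is missing."""
    for line in text.splitlines():
        if line.startswith("Install File Name:"):
            return line.split(":", 1)[1].strip()
    return "unknown"


def sites_behind(sites: Dict[str, SiteStatus]) -> List[str]:
    """Site tags that have not committed the install file yet."""
    return [tag for tag, s in sites.items() if not s.committed]


def all_sites_same_level(sites: Dict[str, SiteStatus]) -> bool:
    """True when every site is at the same stage, the precondition the guide
    sets before a new SMU can be rolled out to a subset of sites."""
    return len({s.level for s in sites.values()}) <= 1


if __name__ == "__main__":
    sites = parse_site_summary(SAMPLE_SITE_SUMMARY)
    print("install file:", install_file_name(SAMPLE_SITE_SUMMARY))
    for tag, status in sites.items():
        print(f"{tag:<20} {status.level}")
    print("sites behind:", sites_behind(sites))
    print("ready for next rollout:", all_sites_same_level(sites))
```

A site in the sites_behind list is one where the filter still has to be applied (ap image site-filter file file-name apply) or the filter cleared before a new image installation will be accepted, per the note earlier in this section.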

To see the summary of AP upgrades, use the following command:
Device# show ap upgrade summary

To check the status of an APSP, use the following command:
Device# show install summary
[ Chassis 1 ] Installed Package(s) Information:
State (St): I - Inactive, U - Activated & Uncommitted,
            C - Activated & Committed, D - Deactivated & Uncommitted
--------------------------------------------------------------------------------
Type  St   Filename/Version
--------------------------------------------------------------------------------
APSP  I    bootflash:vwlc_apsp_16.11.1.0_74.bin
IMG   C    16.11.1.0.1249
--------------------------------------------------------------------------------
Auto abort timer: inactive
--------------------------------------------------------------------------------
Verifying of AP Upgrade on the Controller
Use the following show command to verify the AP upgrade on the controller:
Device# show ap upgrade
AP upgrade is in progress
From version: 8 16.9.1.6
To version: 9 16.9.1.30
Started at: 03/09/2018 21:33:37 IST
Percentage complete: 0
Expected time of completion: 03/09/2018 22:33:37 IST

Progress Report
---------------
Iterations
----------
Iteration   Start time                End time                  AP count
--------------------------------------------------------------------------
0           03/09/2018 21:33:37 IST   03/09/2018 21:33:37 IST   0
1           03/09/2018 21:33:37 IST   ONGOING                   0

Upgraded
--------
Number of APs: 0
AP Name                 Ethernet MAC      Iteration   Status
--------------------------------------------------------------------------

In Progress
-----------
Number of APs: 1
AP Name                 Ethernet MAC
------------------------------------------------
APf07f.06a5.d78c        f07f.06cf.b910

Remaining
---------
Number of APs: 3
AP Name                 Ethernet MAC
------------------------------------------------
APCC16.7EDB.6FA6        0081.c458.ab30
AP38ED.18CA.2FD0        38ed.18cb.25a0
AP881d.fce7.5ee4        d46d.50ee.33a0


CHAPTER 12
Efficient Image Upgrade
· Efficient Image Upgrade, on page 207
· Enable Pre-Download (GUI), on page 207
· Enable Pre-Download (CLI), on page 208
· Configuring a Site Tag (CLI), on page 208
· Attaching Policy Tag and Site Tag to an AP (CLI), on page 209
· Trigger Predownload to a Site Tag, on page 210
Efficient Image Upgrade
Efficient Image Upgrade is an efficient way of predownloading the image to the APs. It works on a primary-subordinate model: one AP per model becomes the primary AP and downloads the image from the controller over the WAN link. Once the primary AP has the image, the subordinate APs download the image from the primary AP, which reduces WAN latency. Primary AP selection is dynamic and random. A maximum of three subordinate APs per AP model can download the image from the primary AP.

Note Do not enable this feature on controllers running Cisco IOS XE Amsterdam 17.3.x when there are Cisco Catalyst 9124AX and Cisco Catalyst 9130AX APs in the same group.

Enable Pre-Download (GUI)
Procedure

Step 1 Choose Configuration > Wireless > Access Points.
Step 2 In the Access Points page, expand the All Access Points section and click the name of the AP to edit.
Step 3 In the Edit AP page, click the Advanced tab and from the AP Image Management section, click Predownload.
Step 4 Click Update & Apply to Device.

Enable Pre-Download (CLI)

Procedure

Step 1

configure terminal
Example:
Device# configure terminal

Purpose: Enters the global configuration mode.

Step 2

wireless profile flex flex-profile
Example:
Device(config)# wireless profile flex rr-xyz-flex-profile

Purpose: Configures a flex profile and enters the flex profile configuration mode.

Step 3

predownload
Example:
Device(config-wireless-flex-profile)# predownload

Purpose: Enables predownload of the image.

Step 4

end
Example:
Device(config-wireless-flex-profile)# end

Purpose: Exits the configuration mode and returns to privileged EXEC mode.

Configuring a Site Tag (CLI)
Follow the procedure given below to configure a site tag:

Procedure

Step 1

configure terminal
Example:
Device# configure terminal

Purpose: Enters global configuration mode.

Step 2

wireless tag site site-name
Example:
Device(config)# wireless tag site rr-xyz-site

Purpose: Configures a site tag and enters site tag configuration mode.

Step 3

flex-profile flex-profile-name
Example:
Device(config-site-tag)# flex-profile rr-xyz-flex-profile

Purpose: Configures a flex profile.
Note You cannot remove the flex profile configuration from a site tag if local site is configured on the site tag.
Note The no local-site command needs to be used to configure the site tag as FlexConnect; otherwise, the flex profile configuration does not take effect.

Step 4

description site-tag-name
Example:
Device(config-site-tag)# description "default site tag"

Purpose: Adds a description for the site tag.

Step 5

end
Example:
Device(config-site-tag)# end

Purpose: Saves the configuration, exits configuration mode, and returns to privileged EXEC mode.

Step 6

show wireless tag site summary
Example:
Device# show wireless tag site summary

Purpose: (Optional) Displays the number of site tags.
Note To view detailed information about a site, use the show wireless tag site detailed site-tag-name command.
Note The output of the show wireless loadbalance tag affinity wncd wncd-instance-number command displays the default tag (site-tag) type if neither a site tag nor a policy tag is configured.

Attaching Policy Tag and Site Tag to an AP (CLI)
Follow the procedure given below to attach a policy tag and a site tag to an AP:

Procedure

Step 1

configure terminal
Example:
Device# configure terminal

Purpose: Enters global configuration mode.

Step 2

ap mac-address
Example:
Device(config)# ap F866.F267.7DFB

Purpose: Configures a Cisco AP and enters AP profile configuration mode.
Note The mac-address should be a wired MAC address.

Step 3

policy-tag policy-tag-name
Example:
Device(config-ap-tag)# policy-tag rr-xyz-policy-tag

Purpose: Maps a policy tag to the AP.

Step 4

site-tag site-tag-name
Example:
Device(config-ap-tag)# site-tag rr-xyz-site

Purpose: Maps a site tag to the AP.

Step 5

rf-tag rf-tag-name
Example:
Device(config-ap-tag)# rf-tag rf-tag1

Purpose: Associates the RF tag.

Step 6

end
Example:
Device(config-ap-tag)# end

Purpose: Saves the configuration, exits configuration mode, and returns to privileged EXEC mode.

Step 7

show ap tag summary
Example:
Device# show ap tag summary

Purpose: (Optional) Displays AP details and the tags associated with it.

Step 8

show ap name <ap-name> tag info
Example:
Device# show ap name ap-name tag info

Purpose: (Optional) Displays the AP name with tag information.

Step 9

show ap name <ap-name> tag detail
Example:
Device# show ap name ap-name tag detail

Purpose: (Optional) Displays the AP name with tag details.

Trigger Predownload to a Site Tag
Follow the procedure given below to trigger image download to the APs:

Procedure

Step 1

enable
Example:
Device> enable

Purpose: Enters the privileged EXEC mode.

Step 2

ap image predownload site-tag site-tag start
Example:
Device# ap image predownload site-tag rr-xyz-site start

Purpose: Instructs the primary APs to start image predownload.

Step 3

show ap master list
Example:
Device# show ap master list

Purpose: Displays the list of primary APs per AP model per site tag.

Step 4

show ap image
Example:
Device# show ap image

Purpose: Displays the predownloading state of primary and subordinate APs.
Note To check whether Flex efficient image upgrade is enabled on the AP, use the show capwap client rcb command on the AP console.

The following sample outputs display the functioning of the Efficient Image Upgrade feature.

The following output displays the primary AP:

Device# show ap master list
AP Name            WTP Mac          AP Model            Site Tag
------------------------------------------------------------------
AP0896.AD9D.3124   f80b.cb20.2460   AIR-AP2802I-D-K9    ST1

The following output shows that the primary AP has started predownloading the image:

Device# show ap image
Total number of APs: 6
AP Name            Primary Image   Backup Image   Predownload Status   Predownload Version   Next Retry Time   Retry Count
----------------------------------------------------------------------------------------------------------------------------
APE00E.DA99.687A   16.6.230.37     0.0.0.0        None                 0.0.0.0               N/A               0
AP188B.4500.4208   16.6.230.37     8.4.100.0      None                 0.0.0.0               N/A               0
AP188B.4500.4480   16.6.230.37     0.0.0.0        None                 0.0.0.0               N/A               0
AP188B.4500.5E28   16.6.230.37     16.4.230.35    None                 0.0.0.0               N/A               0
AP0896.AD9D.3124   16.6.230.37     8.4.100.0      Predownloading       16.6.230.36           0                 0
AP2C33.1185.C4D0   16.6.230.37     8.4.100.0      None                 0.0.0.0               N/A               0


The following output shows that the primary AP has completed the predownload and that the predownload has been initiated on the subordinate APs:

Device# show ap image
Total number of APs: 6
AP Name            Primary Image   Backup Image   Predownload Status   Predownload Version   Next Retry Time   Retry Count
----------------------------------------------------------------------------------------------------------------------------
APE00E.DA99.687A   16.6.230.37     0.0.0.0        Initiated            16.6.230.36           N/A               0
AP188B.4500.4208   16.6.230.37     8.4.100.0      None                 0.0.0.0               N/A               0
AP188B.4500.4480   16.6.230.37     0.0.0.0        None                 0.0.0.0               N/A               0
AP188B.4500.5E28   16.6.230.37     16.4.230.35    None                 0.0.0.0               N/A               0
AP0896.AD9D.3124   16.6.230.37     8.4.100.0      Complete             16.6.230.36           0                 0
AP2C33.1185.C4D0   16.6.230.37     8.4.100.0      Initiated            16.6.230.36           0                 0

The following output shows the image status of a particular AP:

Device# show ap name APe4aa.5dd1.99b0 image
AP Name             : APe4aa.5dd1.99b0
Primary Image       : 16.6.230.46
Backup Image        : 3.0.51.0
Predownload Status  : None
Predownload Version : 000.000.000.000
Next Retry Time     : N/A
Retry Count         : 0

The following output shows predownload completion on all APs:

Device# show ap image
Total number of APs: 6
Number of APs
  Initiated                : 0
  Predownloading           : 0
  Completed predownloading : 3
  Not Supported            : 0
  Failed to Predownload    : 0

AP Name            Primary Image   Backup Image   Predownload Status   Predownload Version   Next Retry Time   Retry Count
----------------------------------------------------------------------------------------------------------------------------
APE00E.DA99.687A   16.6.230.37     16.6.230.36    Complete             16.6.230.36           N/A               0
AP188B.4500.4208   16.6.230.37     8.4.100.0      None                 0.0.0.0               N/A               0
AP188B.4500.4480   16.6.230.37     0.0.0.0        None                 0.0.0.0               N/A               0
AP188B.4500.5E28   16.6.230.37     16.4.230.35    None                 0.0.0.0               N/A               0
AP0896.AD9D.3124   16.6.230.37     16.6.230.36    Complete             16.6.230.36           0                 0
AP2C33.1185.C4D0   16.6.230.37     16.6.230.36    Complete             16.6.230.36           0                 0


Chapter 13
Predownloading an Image to an Access Point
· Information About Predownloading an Image to an Access Point, on page 213
· Restrictions for Predownloading an Image to an Access Point, on page 213
· Predownloading an Image to Access Points (CLI), on page 214
· Predownloading an Image to Access Points (GUI), on page 216
· Predownloading an Image to Access Points (YANG), on page 216
· Monitoring the Access Point Predownload Process, on page 217
· Information About AP Image Download Time Enhancement (OEAP or Teleworker Only), on page 218
· Configuring AP Image Download Time Enhancement (GUI), on page 219
· Configuring AP Image Download Time Enhancement (CLI), on page 219
· Verifying AP Image Download Time Enhancement Configuration, on page 220
Information About Predownloading an Image to an Access Point
To minimize network outages, you can download an upgrade image to an access point from the device without resetting the access point or losing network connectivity. Previously, you downloaded an upgrade image to the device and reset it, which caused the access point to go into discovery mode. After the access point discovered the controller with the new image, the access point would download the new image, reset itself, go into discovery mode again, and rejoin the device. You can now download the upgrade image to the controller and predownload it to the APs. When the controller comes up with the upgrade image, the AP joins the controller and moves directly to the Registered state, because the AP image has already been predownloaded to the AP.
Restrictions for Predownloading an Image to an Access Point
The following are the restrictions for predownloading an image to an access point:
· The maximum number of concurrent predownloads is limited to 100 per wncd instance (25 for the 9800-L) in the controller. However, the predownloads are triggered in sets of 16 per wncd instance at the start, and this is repeated every 60 seconds.
· Access points with 16 MB of total available memory may not have enough free memory to download an upgrade image and may automatically delete crash information files, radio files, and backup images, if any, to free up space. However, this limitation does not affect the predownload process, because the predownload image replaces the backup image, if any, on the access point.

· All of the primary, secondary, and tertiary controllers should run the same images. Otherwise, the feature will not be effective.
· At the time of reset, you must make sure that all of the access points have downloaded the image.
· An access point can store only 2 software images.
· The Cisco Wave 1 APs may download the image twice while moving from Cisco AireOS Release 8.3 to Cisco IOS XE Gibraltar 16.10.1. This increases the AP downtime during migration.
· The show ap image command displays cumulative statistics regarding the AP images in the controller. We recommend that you clear the statistics using the clear ap predownload statistics command, before using the show ap image command, to ensure that correct data is displayed.
· Cisco Catalyst 9800-CL Wireless Controller supports only self-signed certificates and does not support Cisco certificates. When you move the access points between Cisco Catalyst 9800-CL Wireless Controllers, and if the AP join failure occurs on the Cisco Catalyst 9800-CL controller, execute the capwap ap erase all command to remove the hash string stored on the APs.
· During AP image pre-download, the WNCD CPU may rise to 99 percent, which is normal and doesn't cause a crash or client or AP disconnect problems.

Predownloading an Image to Access Points (CLI)

Before you begin
There are some prerequisites that you must keep in mind while predownloading an image to an access point:
· Predownloading can be done only when the device is booted in the install mode.
· You can copy the new image either from the TFTP server, flash image, or USB.
· If the latest upgrade image is already present in the AP, predownload will not be triggered. Check whether the primary and backup image versions are the same as the upgrade image, using the show ap image command.
· The show ap image command displays cumulative statistics regarding the AP images in the controller. We recommend that you clear the statistics using the clear ap predownload statistics command, before using the show ap image command, to ensure that correct data is displayed.
· An AP remains in the predownloading state if it flaps after an SSO during AP predownload. In that case, issue the ap image predownload abort command and then the clear ap predownload stats command; only then can the predownload be initiated again.

Procedure

Step 1: install add file bootflash:file-name
Example: Device# install add file bootflash:image.bin
Purpose: Adds the controller software image to the flash and expands it.

Step 2: ap image predownload or ap name ap-name image predownload
Example:
Device# ap image predownload
Device# ap name ap1 image predownload
Purpose: Downloads the new image to all the access points, or to a specific access point, connected to the device.

Step 3: show ap image
Example: Device# show ap image
Purpose: Verifies the access points' predownload status. This command initially displays the status as Predownloading and then as Complete when the download finishes.

Step 4: show ap name ap-name image
Example: Device# show ap name ap1 image
Purpose: Provides image details of a particular AP.

Step 5: ap image swap or ap name ap-name image swap or ap image swap completed
Example: Device# ap image swap
Purpose: Swaps the images of the APs that have completed predownload.
Note: You can swap the AP images using the ap image swap command even without predownloading a new image to the AP; there are no restrictions or prerequisites to swapping the image.

Step 6: ap image reset or ap name ap-name reset
Example: Device# ap image reset
Purpose: Resets the access points.
Note: To ensure that the APs do not roll back to the old image, proceed to the next steps quickly. If there is a large time gap between this step and the next one, the APs rejoin the controller, which is still running the previous software version (possibly downloading the software again and delaying the upgrade).

Step 7: install activate
Example: Device# install activate
Purpose: Runs compatibility checks, installs the package, and updates the package status details. For a restartable package, the command triggers the appropriate post-install scripts to restart the necessary processes; for non-restartable packages it triggers a reload.
Note: This step reloads the complete controller stack (both primary and secondary controllers, if HA is used).

Step 8: install commit
Example: Device# install commit
Purpose: Commits the activation changes so that they persist across reloads. The commit can be done after activation while the system is up, or after the first reload. If the package is activated but not committed, it remains active after the first reload, but not after the second reload.

Predownloading an Image to Access Points (GUI)
Procedure

Step 1: Choose Administration > Software Management and click the Software Upgrade tab. Note that you must be in Install Mode to continue with the following steps.
Step 2: Select the Transport Type, File System, and File Path from which to receive the file.
Step 3: Select the AP Image Predownload check box. If you already have an inactive image file on your device, a dialog box prompts you to remove the unused image and proceed with the latest image download.
Step 4: Click Download & Install. This initiates the upgrade process; you can view and verify the predownload progress in the Status dialog box. You can also check the progress log by clicking the Show Logs icon.
Step 5: Click the Save Configuration & Activate button after the predownload operation is successful.
Step 6: Click Yes to confirm the activate operation. This operation runs compatibility checks, installs the package, and updates the package status details. The device reloads after a successful activation. If there are uncommitted files, you are prompted to remove them.
Step 7: Click the Commit button to complete the upgrade process.

Predownloading an Image to Access Points (YANG)
YANG can be used with NETCONF and RESTCONF to provide automated and programmable network operations. The following RPC is used for predownloading an image to an access point:

    <rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
      <set-rad-predownload-all xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-wireless-access-point-cmd-rpc">
        <uuid>12312341231234</uuid>
      </set-rad-predownload-all>
    </rpc>

For more information on the YANG models, see the Cisco IOS XE Programmability Configuration Guide and the YANG Data Models on GitHub at https://github.com/YangModels/yang/tree/master/vendor/cisco/xe.
You can contact the Developer Support Community for NETCONF/YANG features using the following link:
https://developer.cisco.com/
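The following Python script is an added example, not code from this guide or from Cisco. It builds the set-rad-predownload-all RPC shown above with the standard library, checks the controller's rpc-reply for an ok element versus rpc-error elements (and a matching message-id, so a stray reply to some other request is not taken as success), and shows how the RPC would be dispatched with the third-party ncclient library. The controller address and credentials in send_predownload, the "nc"/"apcmd" prefixes, and the two sample replies are assumptions constructed for the example.

```python
"""Build, send and check the NETCONF RPC that triggers AP image predownload.

Added example, not code from the Cisco guide. The RPC body is the
set-rad-predownload-all operation in the Cisco-IOS-XE-wireless-access-point-cmd-rpc
namespace; the <uuid> is a caller-chosen token that identifies the operation.
send_predownload() uses ncclient (pip install ncclient) against an assumed
controller and is not run here; the two rpc-reply samples are constructed.
"""
import uuid
import xml.etree.ElementTree as ET
from typing import Optional

NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
CMD_NS = "http://cisco.com/ns/yang/Cisco-IOS-XE-wireless-access-point-cmd-rpc"
ET.register_namespace("nc", NC_NS)        # prefixes are an assumption; only the URIs matter
ET.register_namespace("apcmd", CMD_NS)


def build_predownload_rpc(op_uuid: Optional[str] = None, message_id: str = "101") -> tuple[str, bytes]:
    """Return (uuid, serialized <rpc>) for set-rad-predownload-all."""
    op_uuid = op_uuid or uuid.uuid4().hex  # the guide shows a numeric string; any unique token works
    rpc = ET.Element(f"{{{NC_NS}}}rpc", {"message-id": message_id})
    cmd = ET.SubElement(rpc, f"{{{CMD_NS}}}set-rad-predownload-all")
    ET.SubElement(cmd, f"{{{CMD_NS}}}uuid").text = op_uuid
    return op_uuid, ET.tostring(rpc)


def parse_rpc_reply(reply: bytes, expected_message_id: Optional[str] = "101") -> tuple[bool, list[str]]:
    """Return (ok, errors) for an <rpc-reply>.

    ok is True only for an <ok/> reply that carries no <rpc-error> and (when
    expected_message_id is given) the message-id of the request we sent.
    """
    root = ET.fromstring(reply)
    if root.tag != f"{{{NC_NS}}}rpc-reply":
        raise ValueError(f"not an rpc-reply: {root.tag}")
    errors = []
    if expected_message_id is not None and root.get("message-id") != expected_message_id:
        errors.append(f"message-id mismatch: {root.get('message-id')!r}")
    for err in root.findall(f"{{{NC_NS}}}rpc-error"):
        tag = err.findtext(f"{{{NC_NS}}}error-tag", "")
        msg = (err.findtext(f"{{{NC_NS}}}error-message", "") or "").strip()
        errors.append(f"{tag}: {msg}")
    ok = root.find(f"{{{NC_NS}}}ok") is not None and not errors
    return ok, errors


def send_predownload(host: str, username: str, password: str, port: int = 830) -> tuple[str, bool, list[str]]:
    """Dispatch the RPC over NETCONF-over-SSH. Host and credentials are assumptions."""
    from ncclient import manager  # third-party; imported lazily so the rest runs offline

    op_uuid, rpc_bytes = build_predownload_rpc()
    # ncclient adds its own <rpc> envelope and message-id, so send only the operation.
    operation = ET.tostring(ET.fromstring(rpc_bytes)[0]).decode()
    with manager.connect(host=host, port=port, username=username, password=password,
                         hostkey_verify=True,  # refuse unknown controller host keys
                         device_params={"name": "iosxe"}) as m:
        reply = m.dispatch(operation)
    ok, errors = parse_rpc_reply(reply.xml.encode(), expected_message_id=None)
    return op_uuid, ok, errors


# Constructed replies for the example (not captured from a controller).
OK_REPLY = (b'<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">'
            b'<ok/></rpc-reply>')
ERROR_REPLY = (b'<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">'
               b'<rpc-error><error-type>application</error-type>'
               b'<error-tag>operation-failed</error-tag><error-severity>error</error-severity>'
               b'<error-message>predownload already in progress</error-message></rpc-error>'
               b'</rpc-reply>')

if __name__ == "__main__":
    op_uuid, rpc = build_predownload_rpc("12312341231234")
    print(rpc.decode())
    print("ok reply   :", parse_rpc_reply(OK_REPLY))
    print("error reply:", parse_rpc_reply(ERROR_REPLY))
```

hostkey_verify=True makes ncclient check the controller's SSH host key against your known_hosts file; leaving it at False is the common shortcut in scripts and silently accepts any host that answers on port 830.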

Monitoring the Access Point Predownload Process

This section describes the commands that you can use to monitor the access point predownload process.
While an access point predownload image is downloading, enter the show ap image command to verify the predownload progress on the corresponding access point:

Device# show ap image
Total number of APs : 1
Number of APs
  Initiated                : 1
  Predownloading           : 1
  Completed predownloading : 0
  Not Supported            : 0
  Failed to Predownload    : 0

AP Name   Primary Image   Backup Image   Predownload Status   Predownload Ver...   Next Retry Time   Retry Count
-----------------------------------------------------------------------------------------------------------------
AP1       10.0.1.66       10.0.1.66      Predownloading       10.0.1.67            NA                0

Device# show ap image
Total number of APs : 1
Number of APs
  Initiated                : 1
  Predownloading           : 0
  Completed predownloading : 1
  Not Supported            : 0
  Failed to Predownload    : 0

AP Name   Primary Image   Backup Image   Predownload Status   Predownload Ver...   Next Retry Time   Retry Count
-----------------------------------------------------------------------------------------------------------------
AP1       10.0.1.66       10.0.1.67      Complete             10.0.1.67            NA                0

Use the following command to view the image details of a particular AP:

Device# show ap name APe4aa.5dd1.99b0 image
AP Name             : APe4aa.5dd1.99b0
Primary Image       : 16.6.230.46
Backup Image        : 3.0.51.0
Predownload Status  : None
Predownload Version : 000.000.000.000
Next Retry Time     : N/A
Retry Count         : 0
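The following Python script is an added example, not code from this guide or from Cisco. It parses the text of show ap image as shown in this section and in the CLI procedure above, and gates the ap image swap, ap image reset and install activate steps on every AP either reporting Complete for the target version or already holding that version as its primary or backup image (the case in which predownload is not triggered). The embedded sample outputs are constructed for the example and follow the guide's column layout; how the text is captured from the controller (console paste, SSH) is left to the caller.

```python
"""Gate 'ap image swap / reset' and 'install activate' on AP predownload state.

Added example, not code from the Cisco guide. It parses the text of the
'show ap image' command and reports which APs still lack the target image,
so the reset/activate steps are run only when every AP is ready. The sample
outputs at the bottom are constructed and mimic the guide's column layout.
"""
import re
from dataclasses import dataclass

# Dotted four-part version, e.g. 16.6.230.37, or 0.0.0.0 when there is no image.
VERSION_RE = re.compile(r"^\d+(?:\.\d+){3}$")


@dataclass(frozen=True)
class ApImage:
    name: str
    primary: str
    backup: str
    status: str
    predownload_version: str
    next_retry: str
    retry_count: int


def parse_show_ap_image(text: str) -> list[ApImage]:
    """Return one ApImage per AP row; header, separator and summary lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # An AP row has at least 7 tokens, a version in the Primary Image column
        # and an integer retry count at the end; summary lines fail these checks.
        if len(parts) < 7 or not VERSION_RE.match(parts[1]) or not parts[-1].isdigit():
            continue
        name, primary, backup = parts[:3]
        version, next_retry, count = parts[-3:]
        # Status may be more than one word ("Not Supported"), so take the middle tokens.
        status = " ".join(parts[3:-3])
        rows.append(ApImage(name, primary, backup, status, version, next_retry, int(count)))
    return rows


def status_counts(aps: list[ApImage]) -> dict[str, int]:
    """Per-status tally, computed from the rows rather than the cumulative summary."""
    counts: dict[str, int] = {}
    for ap in aps:
        counts[ap.status] = counts.get(ap.status, 0) + 1
    return counts


def predownload_gate(text: str, target: str) -> tuple[bool, list[ApImage]]:
    """Return (ready, blockers).

    An AP is ready when it reports Complete for `target`, or when `target` is
    already its primary or backup image. Everything else blocks the
    swap/reset/activate step.
    """
    blockers = [
        ap for ap in parse_show_ap_image(text)
        if not (ap.status == "Complete" and ap.predownload_version == target)
        and target not in (ap.primary, ap.backup)
    ]
    return (not blockers, blockers)


# Constructed sample: mid-upgrade snapshot (not the guide's own output).
SAMPLE_IN_PROGRESS = """\
Total number of APs: 4
Number of APs
  Initiated                : 1
  Predownloading           : 1
  Completed predownloading : 1
  Not Supported            : 0
  Failed to Predownload    : 0

AP Name           Primary Image  Backup Image  Predownload Status  Predownload Version  Next Retry Time  Retry Count
-------------------------------------------------------------------------------------------------------------------
AP0896.AD9D.3124  16.6.230.37    8.4.100.0     Complete            16.6.230.36          0                0
AP2C33.1185.C4D0  16.6.230.37    8.4.100.0     Initiated           16.6.230.36          0                0
APE00E.DA99.687A  16.6.230.37    0.0.0.0       Predownloading      16.6.230.36          N/A              1
AP188B.4500.5E28  16.6.230.37    16.6.230.36   None                0.0.0.0              N/A              0
"""

# Constructed sample: every AP either completed or already holds the image.
SAMPLE_DONE = """\
AP Name           Primary Image  Backup Image  Predownload Status  Predownload Version  Next Retry Time  Retry Count
-------------------------------------------------------------------------------------------------------------------
AP0896.AD9D.3124  16.6.230.37    16.6.230.36   Complete            16.6.230.36          0                0
AP2C33.1185.C4D0  16.6.230.37    16.6.230.36   Complete            16.6.230.36          0                0
APE00E.DA99.687A  16.6.230.37    16.6.230.36   Complete            16.6.230.36          N/A              0
AP188B.4500.5E28  16.6.230.37    16.6.230.36   None                0.0.0.0              N/A              0
"""

if __name__ == "__main__":
    for label, text in (("in progress", SAMPLE_IN_PROGRESS), ("done", SAMPLE_DONE)):
        ready, blockers = predownload_gate(text, "16.6.230.36")
        print(f"{label}: ready={ready} counts={status_counts(parse_show_ap_image(text))}")
        for ap in blockers:
            print(f"  blocked by {ap.name}: {ap.status} (retries={ap.retry_count})")
```

APs that never leave Initiated or Predownloading, or whose retry count keeps climbing, are the ones to investigate before resetting anything; the prerequisite notes above describe aborting and clearing the predownload before triggering it again.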

Information About AP Image Download Time Enhancement (OEAP or Teleworker Only)

The wireless controller and the access point (AP) communicate with each other using CAPWAP. CAPWAP has two channels, control and data. The control channel is used to send configuration messages, download images and client keys, or the context to the AP. In the current implementation the control channel has a single window: every message sent from the controller has to be acknowledged by the AP, and the next control packet is not transmitted until the earlier one is acknowledged.
The AP Image Download Time Enhancement feature adds support for multiple sliding windows for control packets going from the controller to the AP. The sliding window can be set to N (static) instead of a single window. The request queue size is decided based on the maximum window size the AP supports.

Table 12: Recommended Window Size (see footnote 6)

Link Bandwidth          RTT less than 200 ms   RTT greater than 200 ms
More than 20 Mbps       10                     15
Between 5 and 20 Mbps   10                     15
Between 1 and 5 Mbps    5                      10
Less than 1 Mbps        3                      5

6. The window size recommendation provided in the table is for packet loss of less than one percent (< 1%). If the network supporting the CAPWAP link has packet loss of more than one percent (> 1%), use a smaller value for the window size. For good links with a round-trip time (RTT) of about 100 ms and packet drops of less than half a percent (< 0.5%), use a window size of up to 20 for better performance.

Note
· The window size can be changed only during the AP join process.
· All image upgrades should be in install mode for a faster upgrade. The image upgrade should be done with the one-shot command to include the OEAP predownload.
· Configure the window size only for AP profiles that are exclusively used for Teleworker or Office Extend Access Points (OEAP).
· An AP reload is not required after disabling this feature.
· This feature is supported only on OEAP profiles.
· The GUI does not support AP predownload. Therefore, the AP downloads the image after disjoining the controller, during the CAPWAP join phase. This causes a long disruption in the network, as the image download for an AP can take up to one hour.


Important: If you downgrade the software to Cisco IOS XE Gibraltar 16.12.4 or earlier from Cisco IOS XE Amsterdam 17.3.1, reset the CAPWAP multi-window to a single window prior to the downgrade. Failure to do so necessitates a manual AP recovery.

High-Level Workflow of AP Image Download Time Enhancement
1. Select an existing AP join profile or create a new one.
2. Set the CAPWAP window size.
3. Associate the AP join profile with an existing site tag or a new one.
4. Apply the site tag to the AP using the Static, Filter, Location, AP, or Default mapping method.

Configuring AP Image Download Time Enhancement (GUI)
Procedure

Step 1: Choose Configuration > Tags & Profiles > AP Join > CAPWAP > Advanced.
Step 2: In the CAPWAP Window Size field, enter the window size.
Step 3: Click Save & Apply to Device.

Configuring AP Image Download Time Enhancement (CLI)

Procedure

Step 1: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: ap profile profile-name
Example: Device(config)# ap profile capwap_multiwindow
Purpose: Configures an AP profile and enters AP profile configuration mode.

Step 3: capwap window size window-size
Example: Device(config-ap-profile)# capwap window size 20
Purpose: Configures the AP CAPWAP control packet transmit queue size.
Note: Configure the window size only for AP profiles that are exclusively used for teleworker or OEAP. Be aware that any change in window size may impact other APs.

Step 4: end
Example: Device(config-ap-profile)# end
Purpose: Returns to privileged EXEC mode.

Verifying AP Image Download Time Enhancement Configuration
To view the CAPWAP window size present in an AP profile, use the following command:

Device# show ap profile name default-ap-profile detailed | in wind
Capwap window size : 10

To view the CAPWAP status and modes, use the following command:

Device# show capwap client rcb
OperationState                   : UP
Name                             : AP4001.7A39.2D5A
MwarHwVer                        : 0.0.0.0
Location                         : default location
ApMode                           : Remote Bridge
ApSubMode                        : Not Configured
CAPWAP Path MTU                  : 1485
Software Initiated Reload Reason : Reload command
CAPWAP Sliding Window
  Active Window Size               : 10
  Last Request Send To Application : 184
  Expected Seq Num                 : 185
  Received Seq Num                 : 184
  Request Packet Count             : 42424
  Out Of Range Packets Count       : 0
  Window Moved Packets Count       : 0
  In Range Packets Count           : 960
  Expected Packets Count           : 41464

To view the AP configuration details, including the CAPWAP window size, use the following command:

Device# show ap config general | in Wind
Capwap Active Window Size : 5
Capwap Active Window Size : 10
Capwap Active Window Size : 1


Chapter 14
N+1 Hitless Rolling AP Upgrade
· N+1 Hitless Rolling AP Upgrade, on page 221
· Configuring Hitless Upgrade, on page 222
· Verifying Hitless Upgrade, on page 223
N+1 Hitless Rolling AP Upgrade
The existing CAPWAP implementation on the Cisco Catalyst 9800 Series Wireless Controller requires that the controller and all its associated APs run the same software version. It is possible to upgrade a set of APs using the N+1 Hitless Rolling AP Upgrade feature. However, all the APs cannot be upgraded at the same time without network downtime. You can upgrade wireless networks without network downtime when the same version skew is supported between the controller and the APs. This enables the APs to be upgraded in a staggered manner, while still being connected to the same controller. The version skew method can avoid upgrade downtime even for N+1 networks by using the N+1 Hitless Rolling AP Upgrade feature and a spare controller.
The following is the workflow for the N+1 Hitless Rolling AP Upgrade feature:
1. Establish a mobility tunnel from the controller (WLC1) to a mobility member (WLC2).
2. Upgrade the controller software (WLC1) using the install add file bootflash:new_version.bin command.
3. Optionally, you can also upgrade the AP image. For more information, see the Predownloading an Image to an Access Point chapter.
4. Use the ap image upgrade destination controller-name controller-ip report-name privileged EXEC command to upgrade and move all the APs from WLC1 (source) to WLC2 (destination).
5. Activate the new image in WLC1 using the install activate command.
6. Commit the changes using the install commit command.
7. Move the APs back to WLC1 from WLC2 using the ap image move destination controller-name controller-ip report-name command.

Note: The ap image upgrade destination command does not work without an image predownload. If you do not perform an image predownload, use the ap image move command to move the APs. Because the APs then download the image when they join the destination controller, set a high iteration time. You can customize the iteration time by configuring the ap upgrade staggered iteration timeout command.

Configuring Hitless Upgrade
Follow the procedure given below to achieve a zero-downtime network upgrade in an N+1 deployment.

Before you begin
· Ensure that the hostname and wireless management IP of the destination controller are provided in the privileged EXEC command.
· Ensure that the access points are predownloaded with the image running on the destination controller.

Procedure

Step 1: ap image upgrade destination wlc-name wlc-ip
Example: Device# ap image upgrade destination wlc2 10.7.8.9
Purpose: Moves the APs to the specified destination controller with a swap and reset. After this, the parent controller activates the new image and reloads with it. After the mobility tunnel comes up, the APs are moved back to the parent controller without a swap and reset.
Note: Ensure that you establish a mobility tunnel from the controller (WLC1) to the mobility member (WLC2) before the image upgrade.

Step 2: ap image upgrade destination wlc-name wlc-ip
Example: Device# ap image upgrade destination wlc2 10.7.8.9
Purpose: (Optional) Moves the APs to the specified destination controller with a swap and reset.
Note: Perform Steps 2 to 4 only if you are not performing Step 1.

Step 3: ap image move destination wlc-name wlc-ip
Example: Device# ap image move destination wlc1 10.7.8.6
Purpose: Moves the APs back to the parent controller.

Step 4: ap image upgrade destination wlc-name wlc-ip [fallback]
Example: Device# ap image upgrade destination wlc2 10.7.8.9 fallback
Purpose: (Optional) Moves the APs to the specified destination controller with a swap and reset. After that, the APs are moved back to the parent controller (without a swap and reset) after a manual install activate of the new image and a reload of the parent controller.

Step 5: ap image upgrade destination wlc-name wlc-ip [reset]
Example: Device# ap image upgrade destination wlc2 10.7.8.9 reset
Purpose: (Optional) Moves the APs to the specified destination controller with a swap and reset. After this, the parent controller activates the new image and reloads with it.

Verifying Hitless Upgrade

Use the following show commands to verify the hitless upgrade. To view all the upgrade report names, use the following command:

Device# show ap upgrade summary
Report Name                                 Start time
------------------------------------------------------------------------------------------
AP_upgrade_from_VIGK_CSR_2042018171639      05/20/2018 17:16:39 UTC

To view AP upgrade information based on the upgrade report name, use the following command:

Device# show ap upgrade name test-report
AP upgrade is complete
From version: 16.10.1.4
To version: 16.10.1.4
Started at: 05/20/2018 17:16:39 UTC
Percentage complete: 100
End time: 05/20/2018 17:25:39 UTC
Progress Report
---------------
Iterations
----------
Iteration   Start time                End time                  AP count
------------------------------------------------------------------------
0           05/20/2018 17:16:39 UTC   05/20/2018 17:16:39 UTC   0
1           05/20/2018 17:16:39 UTC   05/20/2018 17:25:39 UTC   1
Upgraded
--------
Number of APs: 1
AP Name         Ethernet MAC     Iteration   Status
---------------------------------------------------
AP-SIDD-CLICK   70db.9848.8f60   1           Joined
In Progress
-----------
Number of APs: 0
AP Name   Ethernet MAC
----------------------
Remaining
---------
Number of APs: 0
AP Name   Ethernet MAC
----------------------


Chapter 15
NBAR Dynamic Protocol Pack Upgrade
· NBAR Dynamic Protocol Pack Upgrade, on page 225
· Upgrading the NBAR2 Protocol Pack, on page 226

NBAR Dynamic Protocol Pack Upgrade
Protocol packs are software packages that update the Network-Based Application Recognition (NBAR) engine protocol support on a device without replacing the Cisco software on the device. A protocol pack contains information on applications that are officially supported by NBAR, compiled and packed together. For each application, the protocol pack includes information on application signatures and application attributes. Each software release has a built-in protocol pack bundled with it.
The Application Visibility and Control (AVC) feature (used for deep-packet inspection [DPI]) supports wireless products using a distributed approach: NBAR runs on the access points (APs) or the controller, performs DPI, and reports the result using NetFlow messages. The AVC DPI technology supports the ability to update recognized traffic and to define custom types of traffic (known as custom applications).
NBAR runs on the controller in local mode, and on the APs in Flex and Fabric modes. In local mode, all the traffic coming from the APs is tunneled to the wireless controller.

Note
· Although NBAR is supported in all the modes, upgrade of NBAR protocol packs is supported only in local mode (central switching) and in FlexConnect mode (central switching).
· Custom applications are available only in local mode (central switching) and in FlexConnect mode (central switching).
· When you upgrade the AVC protocol pack, copy the protocol pack to both RPs (active and standby). Otherwise, the protocol pack upgrade on the standby fails and causes a synchronization-failure crash.

Protocol packs provide the following features:
· They can be loaded easily and quickly.
· They can be upgraded to a later version protocol pack or reverted to an earlier version protocol pack.
· Device reload is not required.


· They do not disrupt any service.

Protocol Pack Upgrade
Using protocol pack upgrades, you can update the NBAR engine to recognize new types of protocols or traffic without updating the entire switch or appliance image. It also eliminates the need to restart the entire system. NBAR protocol packs are available for download from the Cisco Software Center: https://software.cisco.com/download/navigator.html

Custom Applications
Using custom applications, you can force the NBAR engine to recognize traffic based on a set of custom rules, for example, destination IP, hostname, URL, and so on. The custom application names then appear in the web UI or in the NetFlow collector.

Upgrading the NBAR2 Protocol Pack
Follow the procedure given below to upgrade the NBAR2 protocol pack:

Before you begin
Download the protocol pack from the Software Download page and copy it into the bootflash.

Procedure

Step 1: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: ip nbar protocol-pack bootflash:pack-name
Example: Device(config)# ip nbar protocol-pack bootflash:mypp.pack
Purpose: Loads the protocol pack.


Chapter 16
Wireless Sub-Package for Switch
· Introduction to Wireless Sub-package, on page 227
· Booting in Install Mode, on page 228
· Installing Sub-Package in a Single Step (GUI), on page 229
· Installing Sub-Package in a Single Step, on page 229
· Multi-step Installation of Sub-Package, on page 230
· Installing on a Stack, on page 230
· Upgrading to a Newer Version of Wireless Package, on page 231
· Deactivating the Wireless Package, on page 231
· Enabling or Disabling Auto-Upgrade, on page 231

Introduction to Wireless Sub-package
Wireless-only Fabric uses fabric constructs to garner the benefits of a fabric. In this architecture, a fabric is built on top of existing traditional network designs such as multi-tier, Routed Access, and VSS networks. It uses a LISP control plane together with VXLAN encapsulation for the overlay data plane traffic. The wireless control plane remains intact, with CAPWAP tunnels initiating on the APs and terminating on a Cisco Catalyst 9800 Series Wireless Controller or AireOS controller. The Cisco Catalyst 9800 Series Wireless Controller can function as a dedicated appliance, directly in a switch, or in a VM.
Cisco Catalyst 9800 Wireless Controller for Switch delivers all the benefits of a centralized control and management plane (easy to configure, upgrade, troubleshoot, etc.) and the maximum throughput or performance of a distributed forwarding plane. The distributed data plane allows services such as AVC to scale. In this new model, the wireless control plane is not split between MC and MA. The switch is detached from the wireless control plane: the controller takes care of the wireless function, and the traffic switching is done by the Cisco access switch.
Since the wireless functionality is required on only a few nodes of the network, you can install the Cisco Catalyst 9800 Series Wireless Controller as a separate package on the switch on a need basis. The sub-package is installed on top of the base image, and a reload is required to activate the sub-package.
Note: The sub-package is an optional binary that contains the entire Cisco Catalyst 9800 Series Wireless Controller software.

Note SNMP is not supported on Catalyst 9800 Embedded Wireless Controller for Switch.
How to Install Wireless Package
1. Install the base image (without wireless) on the switch.
2. Install the wireless package on the switch.
3. Upgrade the AP image.
4. Reload the switch.
5. Enable wireless on the switch using the wireless-controller configuration command, and configure wireless features.
How to Remove Wireless Package
1. Uninstall the wireless package from the switch.
2. Reload the switch.
3. Run the write command. This removes the wireless configuration from the startup-configuration.
Upgrading to a Newer Version of Wireless Package
1. Install the base image (without wireless) on the switch.
2. Install the updated wireless package.
3. Reload the switch.
4. Commit the installation.

Booting in Install Mode
Use the procedure given below to boot the switch in install-mode:
Before you begin
The sub-package does not work in bundle-mode. Use the show version command to verify the boot mode.
Procedure
Step 1 install add file image.bin location activate commit
This command moves the switch from bundle-mode to install-mode. Note that image.bin is the base image.
Step 2 Click yes to all the prompts.
Step 3 reload
Reloads the switch. Ensure that you boot from flash:packages.conf. After the reload, the switch will be in install-mode.
Note During an install-mode image upgrade or downgrade, the install add file flash:<file_name> form of the command is not supported. Use bootflash:<file_name> instead:
install add file bootflash:<file_name> activate commit
What to do next
Verify the boot mode using the show version command.
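The two preconditions this procedure relies on (the switch is in install-mode, and it boots from flash:packages.conf) can be checked from the text of show version and show boot before the sub-package is added. The following is an added example in Python, not part of this guide and not Cisco software; the sample command output is constructed to follow the Catalyst 9300 layout (model, version and member numbers are assumptions), and the parser assumes the Mode column and the BOOT variable line look as shown.

```python
"""Pre-flight check before installing the wireless sub-package.

Added example, not Cisco code: parses `show version` and `show boot` text
(as captured from the switch, for example over SSH) and confirms the two
preconditions the procedure states: every stack member runs in INSTALL
mode (not BUNDLE) and the BOOT variable points at flash:packages.conf.
"""
import re

# Constructed sample output modelled on the Catalyst 9300 layout; model,
# version and member numbers are assumptions, not captured from a device.
SHOW_VERSION_INSTALL = """\
Switch Ports Model              SW Version        SW Image              Mode
------ ----- -----              ----------        ----------            ----
*    1 41    C9300-24P          17.5.1            CAT9K_IOSXE           INSTALL
     2 41    C9300-24P          17.5.1            CAT9K_IOSXE           INSTALL
"""
SHOW_VERSION_BUNDLE = SHOW_VERSION_INSTALL.replace("INSTALL", "BUNDLE")

SHOW_BOOT_OK = "BOOT variable = flash:packages.conf;\nMANUAL_BOOT variable = no\n"
# Constructed: a switch that still boots a monolithic .bin (bundle-mode)
SHOW_BOOT_BIN = "BOOT variable = flash:base_image_example.bin;\nMANUAL_BOOT variable = no\n"

# One row per stack member: optional '*' (active), member number, port count,
# model, version, image name, then the Mode column we care about.
_MODE_ROW = re.compile(
    r"^\*?\s+(\d+)\s+\d+\s+\S+\s+\S+\s+\S+\s+(INSTALL|BUNDLE)\s*$", re.M)


def switch_modes(show_version):
    """Map stack member number -> 'INSTALL' or 'BUNDLE' from the Mode column."""
    return {int(m.group(1)): m.group(2) for m in _MODE_ROW.finditer(show_version)}


def boot_variable(show_boot):
    """Return the BOOT variable value (without the trailing ';'), or ''."""
    m = re.search(r"^BOOT variable = ([^;\n]*)", show_boot, re.M)
    return m.group(1).strip() if m else ""


def preflight(show_version, show_boot):
    """Return a list of problems; an empty list means the switch is ready."""
    problems = []
    modes = switch_modes(show_version)
    if not modes:
        problems.append("could not find the Mode column in show version output")
    for member, mode in sorted(modes.items()):
        if mode != "INSTALL":
            problems.append(f"switch {member} is in {mode} mode; the sub-package needs install-mode")
    boot = boot_variable(show_boot)
    if boot != "flash:packages.conf":
        problems.append(f"BOOT variable is '{boot}', expected flash:packages.conf")
    return problems


if __name__ == "__main__":
    for label, ver, boot in (("ready", SHOW_VERSION_INSTALL, SHOW_BOOT_OK),
                             ("bundle", SHOW_VERSION_BUNDLE, SHOW_BOOT_BIN)):
        print(label, preflight(ver, boot) or "OK")
```

Run the check on every stack member, not only the active one: the "Installing on a Stack" section below explains that a member whose software does not match the stack stays in version-mismatch state, so a single BUNDLE member is enough to stop the procedure.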

Installing Sub-Package in a Single Step (GUI)
Procedure
Step 1 Choose Administration > Software Management > Software Upgrade.
Step 2 Choose the upgrade mode from the Upgrade Mode drop-down list and the transport type from the Transport Type drop-down list, enter the Server IP Address (IPv4/IPv6) and the File System, and choose the location from the Source File Path drop-down list.
Step 3 Click Download & Install.

Installing Sub-Package in a Single Step
Use the procedure given below to install the sub-package in a single step:
Before you begin
· Ensure that the switch is in install-mode.
· Ensure that you boot only from flash:packages.conf.
Procedure
Step 1 install add file flash:<controller>.bin activate commit
Installs the Cisco Catalyst 9800 Wireless Controller for Switch sub-package.
Note The sub-package (flash:<controller>.bin) is available on www.cisco.com. You can also install the sub-package directly from a TFTP server.
Step 2 Click yes to all the prompts.
What to do next
Use the show install summary command to verify the installed image or package.

Multi-step Installation of Sub-Package
Use the procedure given below to install the sub-package in multiple steps:
Before you begin
· Ensure that the switch is in install-mode.
· Ensure that you boot only from flash:packages.conf.
Procedure
Step 1 install add file flash:<controller>.bin
The sub-package is added to the flash and expanded.
Step 2 install activate file flash:<controller>.bin
Installs the sub-package.
Step 3 install commit
Completes the installation by writing the files.
What to do next
Use the show install summary command to verify the installed image or package.
Installing on a Stack
You can install the package on a stack using either Installing Sub-Package in a Single Step or Multi-step Installation of Sub-Package, on page 230. If a new member joins the stack, the two possible scenarios are:
· If auto-upgrade is enabled: The required software is installed onto the new member so that it matches the software version running on the stack as well as the wireless package.
· If auto-upgrade is disabled: As the software version is not the same as on the stack, the new member remains in the version-mismatch state and does not join the stack. You have to manually run the install autoupgrade command in EXEC mode to initiate the auto-upgrade procedure.

Upgrading to a Newer Version of Wireless Package
Use the procedure given below to upgrade to a newer version of the wireless package:
Procedure
Step 1 install add file flash:<base-image>.bin
The base image (without wireless) is added to the flash and expanded.
Step 2 install add file flash:<controller-sub-package>.bin
The sub-package is added to the flash and expanded.
Step 3 install activate
Installs the base image and sub-package and triggers a reload. You can still roll back to the previous state after the reload.
Step 4 install commit
Completes the installation by writing the files.

Deactivating the Wireless Package
Follow the procedure given below to deactivate the wireless sub-package:
Procedure
Step 1 install deactivate file flash:<controller>.bin
Example:
Device# install deactivate file flash:<controller>.bin
Purpose: Removes the package and forces the switch to reboot.
Step 2 install commit
Example:
Device# install commit
Purpose: Commits the switch without the wireless package.

Enabling or Disabling Auto-Upgrade
Follow the procedure given below to enable or disable auto-upgrade:

Procedure
Step 1 software auto-upgrade enable
Example:
Device(config)# software auto-upgrade enable
Purpose: Enables software auto-upgrade.
Step 2 no software auto-upgrade enable
Example:
Device(config)# no software auto-upgrade enable
Purpose: Disables software auto-upgrade.

PART III
Lightweight Access Points
· Country Codes, on page 235 · Sniffer Mode, on page 241 · Monitor Mode, on page 247 · AP Priority, on page 249 · FlexConnect, on page 251 · OEAP Link Test, on page 307 · Data DTLS, on page 311 · AP Crash File Upload, on page 315 · Access Point Plug-n-Play, on page 317 · 802.11 Parameters for Cisco Access Points, on page 319 · 802.1x Support, on page 333 · CAPWAP Link Aggregation Support, on page 341 · DHCP and NAT Functionality on Root Access Point, on page 347 · OFDMA Support for 11ax Access Points, on page 349 · AP Audit Configuration, on page 359 · AP Support Bundle, on page 363 · Cisco Flexible Antenna Port, on page 365 · LED States for Access Points, on page 367 · Access Points Memory Information, on page 371 · Real-Time Access Points Statistics, on page 373

CHAPTER 17
Country Codes

· Information About Country Codes, on page 235 · Prerequisites for Configuring Country Codes, on page 235 · Configuring Country Codes (GUI), on page 236 · Configuring Country Codes (CLI), on page 236 · Configuration Examples for Configuring Country Codes, on page 238
Information About Country Codes
Controllers and access points are designed for use in many countries with varying regulatory requirements. The radios within the access points are assigned to a specific regulatory domain at the factory (such as -E for Europe), but the country code enables you to specify a particular country of operation (such as FR for France or ES for Spain). Configuring a country code ensures that each radio's broadcast frequency bands, interfaces, channels, and transmit power levels are compliant with country-specific regulations.
Information About Japanese Country Codes
Country codes define the channels that can be used legally in each country. These country codes are available for Japan:
· J2: Allows only -P radios to join the controller
· J4: Allows 2.4G JPQU and 5G PQU to join the controller.

Prerequisites for Configuring Country Codes
· Generally, you should configure one country code per device; you configure one code that matches the physical location of the device and its access points. You can configure up to 200 country codes per device. This multiple-country support enables you to manage access points in various countries from a single device.
· When the multiple-country feature is used, all the devices that are going to join the same RF group must be configured with the same set of countries, configured in the same order.
· Access points are capable of using all the available legal frequencies. However, access points are assigned to the frequencies that are supported in their relevant domains.

· The country list configured on the RF group leader determines which channels the members will operate on. This list is independent of which countries have been configured on the RF group members.
· For devices in the Japan regulatory domain, you should have one or more Japan country codes (JP, J2, or J3) configured on your device at the time you last booted your device.
· For devices in the Japan regulatory domain, you should have one or more Japan country codes (J2, or J4) configured on your device at the time you last booted your device.
· For devices in the Japan regulatory domain, you must have at least one access point with a -J regulatory domain joined to your device.
· You cannot delete any country code using the configuration command wireless country country-code if the specified country was configured using the ap country list command and vice-versa.

Configuring Country Codes (GUI)
Procedure
Step 1 Choose Configuration > Wireless > Access Points > Country.
Step 2 On the Country page, select the check box for each country where your access points are installed. If you selected more than one check box, a message is displayed indicating that RRM channels and power levels are limited to common channels and power levels.
Step 3 Click Apply.

Configuring Country Codes (CLI)

Procedure
Step 1 enable
Example:
Device# enable
Purpose: Enters privileged EXEC mode.
Step 2 show wireless country supported
Example:
Device# show wireless country supported
Purpose: Displays a list of all the available country codes.
Step 3 configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.
Step 4 ap dot11 {24ghz | 5ghz} shutdown
Example:
Device(config)# ap dot11 5ghz shutdown
Purpose: Disables the 802.11b/g network if you use 24ghz. Disables the 802.11a network if you use 5ghz.
Step 5 ap country country_code
Example:
Device(config)# ap country IN
Purpose: Configures the country code on the controller, so that access points joining the controller match the country code and its corresponding regulatory domain codes for the AP.
Note More than one country code can be configured.
Step 6 wireless country country_code
Example:
Device(config)# wireless country IN
Purpose: Configures up to 200 country codes per device.
Note This CLI is applicable for deployments having more than 20 countries.
Step 7 exit
Example:
Device(config)# exit
Purpose: Returns to privileged EXEC mode.
Step 8 show wireless country configured
Example:
Device# show wireless country configured
Purpose: Displays the configured countries.
Step 9 show wireless country channels
Example:
Device# show wireless country channels
Purpose: Displays the list of available channels for the country codes configured on your device.
Note Perform Steps 9 through 17 only if you have configured multiple country codes in Step 6.
Step 10 configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.
Step 11 no ap dot11 {24ghz | 5ghz} shutdown
Example:
Device(config)# no ap dot11 5ghz shutdown
Purpose: Enables the 802.11b/g network if you use 24ghz. Enables the 802.11a network if you use 5ghz.
Step 12 ap name cisco-ap shutdown
Example:
Device# ap name AP02 shutdown
Purpose: Disables the access point.
Note Ensure that you disable only the access point for which you are configuring country codes.
Step 13 configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.
Step 14 ap name cisco-ap country country_code
Example:
Device# ap name AP02 country US
Purpose: Assigns each access point a country code from the controller country code list.
Note
· Ensure that the country code that you choose is compatible with the regulatory domain of at least one of the access point's radios.
· Disable the access point before changing the country code.
Step 15 ap name cisco-ap no shutdown
Example:
Device# ap name AP02 no shutdown
Purpose: Enables the access point.

Configuration Examples for Configuring Country Codes

Viewing Channel List for Country Codes
This example shows how to display the list of available channels for the country codes on your device:
Device# show wireless country channels

Configured Country........................: US - United States

KEY: * = Channel is legal in this country and may be configured manually.
     A = Channel is the Auto-RF default in this country.
     . = Channel is not legal in this country.
     C = Channel has been configured for use by Auto-RF.
     x = Channel is available to be configured for use by Auto-RF.
     (-,-) = (indoor, outdoor) regulatory domain allowed by this country.
-----------------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-
802.11bg         :
Channels         :                   1 1 1 1 1
                 : 1 2 3 4 5 6 7 8 9 0 1 2 3 4
-----------------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-
(-A ,-AB ) US    : A * * * * A * * * * A . . .
Auto-RF          : . . . . . . . . . . . . . .
-----------------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
802.11a          :
                 :                         1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
Channels         : 3 3 3 4 4 4 4 4 5 5 6 6 0 0 0 1 1 2 2 2 3 3 4 4 5 5 6 6
                 : 4 6 8 0 2 4 6 8 2 6 0 4 0 4 8 2 6 0 4 8 2 6 0 9 3 7 1 5
-----------------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
(-A ,-AB ) US    : . A . A . A . A A A A A * * * * * . . . * * * A A A A *
Auto-RF          : . . . . . . . . . . . . . . . . . . . . . . . . . . . .
-----------------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
4.9GHz 802.11a   :
Channels         :                   1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2
                 : 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6
-----------------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
US (-A ,-AB )    : * * * * * * * * * * * * * * * * * * * A * * * * * A
Auto-RF          : . . . . . . . . . . . . . . . . . . . . . . . . . .
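The show wireless country channels output (consulted in Step 9 of Configuring Country Codes (CLI) and shown in the example above) is a legend-coded grid whose channel numbers are stacked vertically, so a script has to rebuild the channel numbers column by column before it can compare AP channel assignments against what the configured country allows. The following parser is an added example in Python, not part of this guide and not Cisco software; its SAMPLE input is constructed to reproduce the US rows above, and the AP-to-channel mapping passed to illegal_assignments() is likewise constructed for the example.

```python
"""Parse `show wireless country channels` into per-band channel status.

Added example, not Cisco code. The command prints, for each band, header
rows whose digits stack vertically into channel numbers, then one row per
configured country whose cells are the legend characters ('*' legal,
'A' Auto-RF default, '.' not legal). All rows share the same colon column,
so a cell's status is read at the column where its channel digits stand.
"""
import re


def _row(label, cells=""):
    """Build one output line; labels are padded to the 17-character width."""
    return label.ljust(17) + ":" + cells


# Constructed sample reproducing the US rows the guide shows.
SAMPLE = "\n".join([
    "Configured Country........................: US - United States",
    "KEY: * = Channel is legal in this country and may be configured manually.",
    "     A = Channel is the Auto-RF default in this country.",
    "     . = Channel is not legal in this country.",
    "-" * 17 + ":" + "+-" * 14,
    _row("802.11bg"),
    _row("Channels", " " * 18 + " 1" * 5),          # tens digits for 10..14
    _row("", " 1 2 3 4 5 6 7 8 9 0 1 2 3 4"),        # ones digits
    "-" * 17 + ":" + "+-" * 14,
    _row("(-A ,-AB ) US", " A * * * * A * * * * A . . ."),
    _row("Auto-RF", " ." * 14),
    "-" * 17 + ":" + "+-" * 28,
    _row("802.11a"),
    _row("", " " * 24 + " 1" * 16),                 # hundreds digits for 100..165
    _row("Channels", " 3 3 3 4 4 4 4 4 5 5 6 6 0 0 0 1 1 2 2 2 3 3 4 4 5 5 6 6"),
    _row("", " 4 6 8 0 2 4 6 8 2 6 0 4 0 4 8 2 6 0 4 8 2 6 0 9 3 7 1 5"),
    "-" * 17 + ":" + "+-" * 28,
    _row("(-A ,-AB ) US", " . A . A . A . A A A A A * * * * * . . . * * * A A A A *"),
    _row("Auto-RF", " ." * 28),
])

BAND_RE = re.compile(r"^((?:4\.9GHz )?802\.11\w+)\s*:")
SEPARATOR = "-----"


def _columns_to_channels(header_cells):
    """Stack the digits found in each column into a channel number."""
    width = max((len(c) for c in header_cells), default=0)
    channels = {}
    for col in range(width):
        digits = "".join(c[col] for c in header_cells if col < len(c) and c[col].isdigit())
        if digits:
            channels[col] = int(digits)
    return channels


def parse_channel_table(text):
    """Return {band: {row_label: {channel: status_char}}}."""
    lines = text.splitlines()
    table, i = {}, 0
    while i < len(lines):
        band = BAND_RE.match(lines[i])
        if not band:
            i += 1
            continue
        i += 1
        header = []                                  # digit rows up to the separator
        while i < len(lines) and not lines[i].startswith(SEPARATOR):
            header.append(lines[i].partition(":")[2])
            i += 1
        i += 1                                       # skip the dashed separator
        channels = _columns_to_channels(header)
        rows = table.setdefault(band.group(1), {})
        while i < len(lines) and not lines[i].startswith(SEPARATOR) and not BAND_RE.match(lines[i]):
            label, _, cells = lines[i].partition(":")
            if cells.strip():
                rows[label.strip()] = {ch: (cells[col] if col < len(cells) else "?")
                                       for col, ch in channels.items()}
            i += 1
    return table


def channels_with(statuses, wanted):
    """Sorted channels whose status character is one of `wanted`."""
    return sorted(ch for ch, s in statuses.items() if s in wanted)


def illegal_assignments(ap_channels, table, country_label):
    """AP names whose (band, channel) is not legal ('*' or 'A') in the country row."""
    bad = []
    for ap, (band, channel) in sorted(ap_channels.items()):
        status = table.get(band, {}).get(country_label, {}).get(channel, "?")
        if status not in ("*", "A"):
            bad.append(ap)
    return bad
```

A channel that is absent from the table is treated the same as one marked ".", which is the conservative reading when an AP reports a channel the configured country does not list at all.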

CHAPTER 18
Sniffer Mode
· Information about Sniffer, on page 241 · Prerequisites for Sniffer, on page 241 · Restrictions on Sniffer, on page 242 · How to Configure Sniffer, on page 242 · Verifying Sniffer Configurations, on page 244 · Examples for Sniffer Configurations and Monitoring, on page 244
Information about Sniffer
The controller enables you to configure an access point as a network "sniffer", which captures and forwards all the packets on a particular channel to a remote machine that runs packet analyzer software. These packets contain information on time stamps, signal strength, packet sizes, and so on. Sniffers allow you to monitor and record network activity, and detect problems. The configured packet analyzer machine receives the 802.11 traffic encapsulated using the Airopeek protocol from the controller management IP address, with source port UDP/5555 and destination port UDP/5000.
You must use Clear in AP mode to return the AP to client-serving mode, for example the local mode or FlexConnect mode depending on the remote site tag configuration.
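Because every frame on the sniffed channel is mirrored into the controller-to-analyzer stream described above (management IP, UDP source port 5555, UDP destination port 5000), it is worth confirming from flow records that such streams only leave for the analyzer host you configured. The following is an added example in Python, not part of this guide and not Cisco software; the controller management address, the approved analyzer address and the flow-log lines are all constructed for the example.

```python
"""Audit flow records for sniffer-AP capture exports.

Added example, not Cisco code. Per the guide, captured 802.11 frames from
a sniffer AP leave the controller's wireless management IP with UDP source
port 5555 towards the analyzer's UDP port 5000 (Airopeek encapsulation).
Every frame on the sniffed channel is mirrored into that stream, so the
analyzer should be an approved host; this script reads flow records and
flags exports whose destination is not on the approved list.
"""
import ipaddress

# Assumed addresses for the example (not from the guide).
WMI_ADDRESS = ipaddress.ip_address("10.1.1.10")            # controller management IP
APPROVED_ANALYZERS = {ipaddress.ip_address("10.50.7.21")}  # sanctioned capture host
SNIFF_SRC_PORT, SNIFF_DST_PORT = 5555, 5000

# Constructed flow-log lines: "<src> <sport> <dst> <dport> <proto> <bytes>".
# Line 2 is a capture stream going to an address nobody approved; lines 3-4
# are ordinary CAPWAP control and HTTPS traffic that must not be flagged.
FLOWS = """\
10.1.1.10 5555 10.50.7.21 5000 udp 4182000
10.1.1.10 5555 203.0.113.44 5000 udp 2204112
10.1.1.10 5246 10.20.3.5 5246 udp 8820
10.20.3.5 51412 10.1.1.10 443 tcp 1020
"""


def parse_flow(line):
    """Split one constructed flow-log line into typed fields."""
    src, sport, dst, dport, proto, nbytes = line.split()
    return {"src": ipaddress.ip_address(src), "sport": int(sport),
            "dst": ipaddress.ip_address(dst), "dport": int(dport),
            "proto": proto.lower(), "bytes": int(nbytes)}


def is_sniffer_export(flow, wmi=WMI_ADDRESS):
    """True for the controller -> analyzer capture stream described above."""
    return (flow["proto"] == "udp" and flow["src"] == wmi
            and flow["sport"] == SNIFF_SRC_PORT and flow["dport"] == SNIFF_DST_PORT)


def audit(flow_text, approved=APPROVED_ANALYZERS, wmi=WMI_ADDRESS):
    """Return (all export destinations, unapproved export destinations)."""
    exports, unapproved = [], []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if not is_sniffer_export(flow, wmi):
            continue
        exports.append(str(flow["dst"]))
        if flow["dst"] not in approved:
            unapproved.append(str(flow["dst"]))
    return exports, unapproved


if __name__ == "__main__":
    seen, bad = audit(FLOWS)
    print("capture exports:", seen)
    print("unapproved destinations:", bad or "none")
```

The match is deliberately narrow (source address, both ports and protocol), so CAPWAP control traffic on UDP 5246 and management HTTPS sessions from the same controller address are not reported.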
Prerequisites for Sniffer
To perform sniffing, you need the following hardware and software:
· A dedicated access point--An access point configured as a sniffer cannot simultaneously provide wireless access service on the network. To avoid disrupting coverage, use an access point that is not part of your existing wireless network.
· A remote monitoring device--A computer capable of running the analyzer software.
· Software and supporting files, plug-ins, or adapters--Your analyzer software may require specialized files before you can successfully enable.
Restrictions on Sniffer
· Supported third-party network analyzer software applications are as follows:
· Wildpackets Omnipeek or Airopeek
· AirMagnet Enterprise Analyzer
· Wireshark
· The latest version of Wireshark can decode the packets: choose Analyze > Decode As and set UDP port 5555 to decode as PEEKREMOTE.
· Sniffer mode is not supported when the controller L3 interface is the Wireless Management Interface (WMI).
· When an AP or a radio operates in the sniffer mode, irrespective of its current channel width settings, the AP sniffs or captures only on the primary channel.

How to Configure Sniffer

Configuring an Access Point as Sniffer (GUI)
Procedure
Step 1 Choose Configuration > Wireless > Access Points.
Step 2 On the General tab, update the name of the AP. The AP name can be ASCII characters from 33 to 126, without leading and trailing spaces.
Step 3 Specify the physical location where the AP is present.
Step 4 Choose the Admin Status as Enabled if the AP is to be in enabled state.
Step 5 Choose the mode for the AP as Sniffer.
Step 6 In the Tags section, specify the appropriate policy, site, and RF tags that you created on the Configuration > Tags & Profiles > Tags page.
Note If the AP is in sniffer mode, you do not need to assign any tag.
Step 7 Click Update & Apply to Device.
Step 8 Choose the mode for the AP as Clear to return the AP to the client-serving mode depending on the remote site tag configuration.

Configuring an Access Point as Sniffer (CLI)

Procedure
Step 1 enable
Example:
Device> enable
Purpose: Enables privileged EXEC mode.
Step 2 ap name ap-name mode sniffer
Example:
Device# ap name access1 mode sniffer
Purpose: Configures the access point as a sniffer, where ap-name is the name of the Cisco lightweight access point. Use the no form of this command to disable the access point as a sniffer.

Enabling or Disabling Sniffing on the Access Point (GUI)
Before you begin
Change the access point AP mode to sniffer mode.
Procedure
Step 1 Choose Configuration > Wireless > Access Points.
Step 2 On the Access Points page, click the AP name from the 5 GHz or 2.4 GHz list.
Step 3 In the Edit Radios > Configure > Sniffer Channel Assignment section, check the Sniffer Channel Assignment checkbox to enable sniffing. Uncheck the checkbox to disable sniffing on the access point.
Step 4 From the Sniff Channel drop-down list, select the channel.
Step 5 Enter the IP address in the Sniffer IP field.
Step 6 Click Update & Apply to Device.

Enabling or Disabling Sniffing on the Access Point (CLI)

Procedure
Step 1 enable
Example:
Device> enable
Purpose: Enables privileged EXEC mode.
Step 2 ap name ap-name sniff {dot11a channel server-ip-address | dot11b channel server-ip-address | dual-band channel server-ip-address}
Example:
Device# ap name access1 sniff dot11b 1 9.9.48.5
Purpose: Enables sniffing on the access point.
· channel is the valid channel to be sniffed. For 802.11a, the range is 36 to 165. For 802.11b, the range is 1 to 14.
· server-ip-address is the IP address of the remote machine running Omnipeek, Airopeek, AirMagnet, or Wireshark software.
Step 3 ap name ap-name no sniff {dot11a | dot11b | dual-band}
Example:
Device# ap name access1 no sniff dot11b
Purpose: Disables sniffing on the access point.

Verifying Sniffer Configurations

Table 13: Commands for verifying sniffer configurations
Command: show ap name ap-name config dot11 {24ghz | 5ghz | dual-band}
Description: Displays the sniffing details.
Command: show ap name ap-name config slot slot-ID
Description: Displays the sniffing configuration details. slot-ID ranges from 0 to 3. All access points have slots 0 and 1.

Examples for Sniffer Configurations and Monitoring
This example shows how to configure an access point as Sniffer:
Device# ap name access1 mode sniffer
This example shows how to enable sniffing on the access point:

Device# ap name access1 sniff dot11b 1 9.9.48.5
This example shows how to disable sniffing on the access point:
Device# ap name access1 no sniff dot11b
This example shows how to display the sniffing configuration details:
Device# show ap name access1 config dot11 24ghz
Device# show ap name access1 config slot 0

CHAPTER 19
Monitor Mode
· Introduction to Monitor Mode, on page 247 · Enable Monitor Mode (GUI), on page 247 · Enable Monitor Mode (CLI), on page 248
Introduction to Monitor Mode
To optimize the monitoring and location calculation of RFID tags, you can enable tracking optimization on up to four channels within the 2.4-GHz band of an 802.11b/g/x access point radio. This feature allows you to scan only the channels on which tags are usually programmed to operate (such as channels 1, 6, and 11).

Note You can move an AP to a particular mode (sensor mode to local mode or flex mode) using the site tag with the corresponding mode. If the AP is not tagged to any mode, it will fall back to the mode specified in the default site tag.
You must use clear in AP mode to return the AP back to client-serving mode, for example the local mode or flexconnect mode depending on the remote site tag configuration.

Enable Monitor Mode (GUI)
Procedure
Step 1 Choose Configuration > Wireless > Access Points.
Step 2 In the Access Points page, expand the All Access Points section and click the name of the AP to edit.
Step 3 In the Edit AP page, click the General tab and from the AP Mode drop-down list, choose Monitor.
Step 4 Click Update & Apply to Device.
Step 5 Choose the mode for the AP as clear to return the AP to the client-serving mode depending on the remote site tag configuration.

Enable Monitor Mode (CLI)

Procedure
Step 1 ap name ap-name mode monitor
Example:
Device# ap name 3602a mode monitor
Purpose: Enables monitor mode for the access point.
Step 2 ap name ap-name monitor tracking-opt
Example:
Device# ap name 3602a monitor tracking-opt
Purpose: Configures the access point to scan only the Dynamic Channel Assignment (DCA) channels supported by its country of operation.
Step 3 ap name ap-name monitor-mode dot11b fast-channel [first-channel second-channel third-channel fourth-channel]
Example:
Device# ap name 3602a monitor dot11b 1 234
Purpose: Chooses up to four specific 802.11b channels to be scanned by the access point. In the United States, you can assign any value from 1 to 11 (inclusive) to the channel variable. Other countries support additional channels. You must assign at least one channel.
Note Use the show ap dot11 24ghz channel command to see the available channels.
Step 4 show ap dot11 {24ghz | 5ghz} channel
Example:
Device# show ap dot11 5ghz channel
Purpose: Shows configuration and statistics of 802.11a channel assignment.

CHAPTER 20
AP Priority

· Failover Priority for Access Points, on page 249 · Setting AP Priority (GUI), on page 249 · Setting AP Priority, on page 250
Failover Priority for Access Points
Each controller has a defined number of communication ports for access points. When multiple controllers with unused access point ports are deployed on the same network and one controller fails, the dropped access points automatically poll for unused controller ports and associate with them. The following are some guidelines for configuring failover priority for access points:
· You can configure your wireless network so that the backup controller recognizes a join request from a higher-priority access point, and if necessary, disassociates a lower-priority access point as a means to provide an available port.
· Failover priority is not in effect during the regular operation of your wireless network. It takes effect only if there are more association requests to a controller than the available AP capacity on the controller.
· AP priority is checked when APs connect to a controller that is at full capacity, or when the primary controller fails and the APs fall back to the secondary controller.
· You can enable failover priority on your network and assign priorities to the individual access points.
· By default, all access points are set to priority level 1, which is the lowest priority level. Therefore, you need to assign a priority level only to those access points that warrant a higher priority.

Setting AP Priority (GUI)
Procedure
Step 1 Choose Configuration > Wireless > Access Points.
Step 2 Click the Access Point.
Step 3 In the Edit AP dialog box, go to the High Availability tab.
Step 4 Choose the priority from the AP failover priority drop-down list.
Step 5 Click Update and Apply to Device.

Setting AP Priority

Note Priority of access points ranges from 1 to 4, with 4 being the highest.

Procedure
Step 1 ap name ap-name priority priority
Example:
Device# ap name AP44d3.ca52.48b5 priority 1
Purpose: Specifies the priority of an access point.
Step 2 show ap config general
Example:
Device# show ap config general
Purpose: Displays common information for all access points.
Step 3 show ap name ap-name config general
Example:
Device# show ap name AP44d3.ca52.48b5 config general
Purpose: Displays the configuration of a particular access point.

CHAPTER 21
FlexConnect
· Information About FlexConnect, on page 251 · Guidelines and Restrictions for FlexConnect, on page 255 · Configuring a Site Tag, on page 259 · Configuring a Policy Tag (CLI), on page 260 · Attaching a Policy Tag and a Site Tag to an Access Point (GUI), on page 261 · Attaching Policy Tag and Site Tag to an AP (CLI), on page 261 · Linking an ACL Policy to the Defined ACL (GUI), on page 262 · Applying ACLs on FlexConnect, on page 263 · Configuring FlexConnect, on page 264 · Flex AP Local Authentication (GUI), on page 270 · Flex AP Local Authentication (CLI), on page 271 · Flex AP Local Authentication with External Radius Server, on page 273 · Configuration Example: FlexConnect with Central and Local Authentication , on page 276 · NAT-PAT for FlexConnect, on page 276 · Split Tunneling for FlexConnect, on page 280 · VLAN-based Central Switching for FlexConnect, on page 287 · OfficeExtend Access Points for FlexConnect, on page 289 · Proxy ARP, on page 294 · Overlapping Client IP Address in Flex Deployment, on page 295 · Lawful Interception, on page 298 · Flex Resilient with Flex and Bridge Mode Access Points, on page 300
Information About FlexConnect
FlexConnect is a wireless solution for branch office and remote office deployments. It enables customers to configure and control access points (AP) in a branch or remote office from the corporate office through a wide area network (WAN) link without deploying a controller in each office. The FlexConnect access points can also switch client data traffic locally and perform client authentication locally when their connection to the controller is lost. When they are connected to the controller, they can also send traffic back to the controller. FlexConnect access points support multiple SSIDs. In the connected mode, the FlexConnect access point can also perform local authentication.
Figure 13: FlexConnect Deployment
The controller software has a more robust fault tolerance methodology for FlexConnect access points. In previous releases, whenever a FlexConnect access point disassociated from a controller, it moved to the standalone mode. The clients that were centrally switched were disassociated. However, the FlexConnect access point continued to serve locally switched clients. When the FlexConnect access point rejoined the controller (or a standby controller), all the clients were disconnected and authenticated again. This functionality has been enhanced: the connection between the clients and the FlexConnect access points is maintained intact, and the clients experience seamless connectivity. When both the access point and the controller have the same configuration, the connection between the clients and APs is maintained.
After the client connection is established, the controller does not restore the original attributes of the client. The client username, current rate and supported rates, and listen interval values are reset to the default or newly configured values only after the session timer expires.
The controller can send multicast packets in the form of unicast or multicast packets to an access point. In FlexConnect mode, an access point can receive only multicast packets.
In Cisco Catalyst 9800 Series Wireless Controller, you can define a FlexConnect site. A FlexConnect site can have a FlexConnect profile associated with it. You can have a maximum of 100 access points for each FlexConnect site.
FlexConnect access points support a 1-1 network address translation (NAT) configuration. They also support port address translation (PAT) for all features except true multicast. Multicast is supported across NAT boundaries when configured using the Unicast option. FlexConnect access points also support a many-to-one NAT or PAT boundary, except when you want true multicast to operate for all centrally switched WLANs.
Workgroup bridges and Universal Workgroup bridges are supported on FlexConnect access points for locally switched clients.
FlexConnect supports IPv6 clients by bridging the traffic to the local VLAN, similar to IPv4 operation. FlexConnect supports Client Mobility for a group of up to 100 access points.
An access point does not have to reboot when moving from local mode to FlexConnect mode and vice versa.
Cisco Catalyst 9800 Series Wireless Controller Software Configuration Guide, Cisco IOS XE Bengaluru 17.5.x 252

Lightweight Access Points
FlexConnect Authentication
When an access point boots up, it looks for a controller. If it finds one, it joins the controller, downloads the latest software image and configuration from the controller, and initializes the radio. It saves the downloaded configuration in nonvolatile memory for use in standalone mode.
Note Once the access point is rebooted after downloading the latest controller software, it must be converted to the FlexConnect mode.
Note 802.1X is not supported on the AUX port for Cisco Aironet 2700 series APs.
A FlexConnect access point can learn the controller IP address in one of these ways:
· If the access point has been assigned an IP address from a DHCP server, it can discover a controller through the regular CAPWAP or LWAPP discovery process.
Note OTAP is not supported.
· If the access point has been assigned a static IP address, it can discover a controller through any of the discovery process methods except DHCP option 43. If the access point cannot discover a controller through Layer 3 broadcast, we recommend DNS resolution. With DNS, any access point with a static IP address that knows of a DNS server can find at least one controller.
· If you want the access point to discover a controller from a remote network where CAPWAP or LWAPP discovery mechanisms are not available, you can use priming. This method enables you to specify (through the access point CLI) the controller to which the access point is to connect.
When a FlexConnect access point can reach the controller (referred to as the connected mode), the controller assists in client authentication. When a FlexConnect access point cannot access the controller, the access point enters the standalone mode and authenticates clients by itself.
Note The LEDs on the access point change as the device enters different FlexConnect modes. See the hardware installation guide for your access point for information on LED patterns.
When a client associates to a FlexConnect access point, the access point sends all authentication messages to the controller and either switches the client data packets locally (locally switched) or sends them to the controller (centrally switched), depending on the WLAN configuration. With respect to client authentication (open, shared, EAP, web authentication, and NAC) and data packets, the WLAN can be in any one of the following states depending on the configuration and state of controller connectivity:
Note For the FlexConnect local switching, central authentication deployments, whenever passive client is enabled, the IP Learn timeout is disabled by default.


· central authentication, central switching--In this state, the controller handles client authentication, and all client data is tunneled back to the controller. This state is valid only in connected mode.
· central authentication, local switching--In this state, the controller handles client authentication, and the FlexConnect access point switches data packets locally. After the client authenticates successfully, the controller sends a configuration command with a new payload to instruct the FlexConnect access point to start switching data packets locally. This message is sent per client. This state is applicable only in connected mode.
· local authentication, local switching--In this state, the FlexConnect access point handles client authentication and switches client data packets locally. This state is valid in standalone mode and connected mode.
In connected mode, the access point provides minimal information about the locally authenticated client to the controller. The following information is not available to the controller:
· Policy type
· Access VLAN
· VLAN name
· Supported rates
· Encryption cipher
Local authentication is useful where you cannot maintain a remote office setup of a minimum bandwidth of 128 kbps with the round-trip latency no greater than 100 ms and the maximum transmission unit (MTU) no smaller than 576 bytes. In local authentication, the authentication capabilities are present in the access point itself. Local authentication reduces the latency requirements of the branch office.
Notes about local authentication are as follows:
· Guest authentication cannot be done on a FlexConnect local authentication-enabled WLAN.
· Local RADIUS on the controller is not supported.
· Once the client has been authenticated, roaming is only supported after the controller and the other FlexConnect access points in the group are updated with the client information.
· authentication down, switch down--In this state, the WLAN disassociates existing clients and stops sending beacon and probe requests. This state is valid in both standalone mode and connected mode.
· authentication down, local switching--In this state, the WLAN rejects any new clients trying to authenticate, but it continues sending beacon and probe responses to keep existing clients alive. This state is valid only in standalone mode.
When a FlexConnect access point enters standalone mode, WLANs that are configured for open, shared, WPA-PSK, or WPA2-PSK authentication enter the "local authentication, local switching" state and continue new client authentications. This configuration is also correct for WLANs that are configured for 802.1X, WPA-802.1X, WPA2-802.1X, or Cisco Centralized Key Management, but these authentication types require that an external RADIUS server be configured.
Other WLANs enter either the "authentication down, switching down" state (if the WLAN was configured for central switching) or the "authentication down, local switching" state (if the WLAN was configured for local switching).
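The state rules above (three working states in connected mode, and the standalone behaviour that depends on the WLAN's security type and switching mode) are easy to misread when planning a branch deployment. The following is an added example, not code from the guide or from Cisco: it encodes those rules as a small lookup so that a WLAN's resulting state and its effect on new and existing clients can be checked before an outage happens. The state names are the guide's; FlexWlan, wlan_state, client_behaviour and the input field names are this example's own. One assumption is marked in the code: local authentication with central switching is not a state the guide describes, so the function rejects it instead of guessing.

```python
"""Resolve the FlexConnect WLAN state described in the guide from a WLAN's
security type, its policy-profile settings and the AP's controller connectivity.
Added illustration; the function and field names are this example's own."""

from dataclasses import dataclass

# Security types the guide says keep authenticating new clients in standalone
# mode with no external server.
LOCAL_CAPABLE = {"open", "shared", "wpa-psk", "wpa2-psk"}
# Security types that keep authenticating in standalone mode only when the AP
# has an external (backup) RADIUS server configured.
RADIUS_DEPENDENT = {"802.1x", "wpa-802.1x", "wpa2-802.1x", "cckm"}

CONNECTED_ONLY = {"central authentication, central switching",
                  "central authentication, local switching"}
STANDALONE_ONLY = {"authentication down, local switching"}


@dataclass(frozen=True)
class FlexWlan:
    security: str               # e.g. "wpa2-psk", "wpa2-802.1x", "webauth", "nac"
    local_switching: bool       # policy profile has "no central switching"
    local_auth: bool            # policy profile has "no central authentication"
    backup_radius: bool = False  # AP has its own backup RADIUS server for standalone


def wlan_state(wlan: FlexWlan, connected: bool) -> str:
    """Return the guide's state name for this WLAN on one AP."""
    if connected:
        if not wlan.local_auth:
            return ("central authentication, local switching" if wlan.local_switching
                    else "central authentication, central switching")
        if wlan.local_switching:
            return "local authentication, local switching"
        # Assumption: local authentication with central switching is not among
        # the states the guide lists, so refuse it rather than invent a state.
        raise ValueError("local authentication requires local switching")
    # Standalone mode: the AP cannot reach the controller. The guide states the
    # PSK/open/shared rule regardless of the switching setting, so it is kept so.
    if wlan.security in LOCAL_CAPABLE:
        return "local authentication, local switching"
    if wlan.security in RADIUS_DEPENDENT and wlan.backup_radius:
        return "local authentication, local switching"
    # Every other WLAN (web auth, NAC, 802.1X without a backup RADIUS server)
    # goes down; whether existing clients survive depends on the switching mode.
    if wlan.local_switching:
        return "authentication down, local switching"
    return "authentication down, switching down"


def client_behaviour(state: str) -> tuple:
    """(accepts new clients, keeps existing clients) for a state, per the guide."""
    if state.startswith("authentication down"):
        # "switching down" disassociates clients and stops beacons; "local
        # switching" rejects new clients but keeps beaconing for existing ones.
        return (False, state.endswith("local switching"))
    return (True, True)


def valid_in_mode(state: str, connected: bool) -> bool:
    """Check the guide's validity rule: two states are connected-only, one is
    standalone-only, the rest are valid in both modes."""
    if state in CONNECTED_ONLY:
        return connected
    if state in STANDALONE_ONLY:
        return not connected
    return True


if __name__ == "__main__":
    branch = FlexWlan("wpa2-802.1x", local_switching=True, local_auth=False)
    for connected in (True, False):
        s = wlan_state(branch, connected)
        print(f"connected={connected}: {s} new/existing={client_behaviour(s)}")
```

The module is worth running against every WLAN in a site before a WAN cutover: any WLAN that resolves to an "authentication down" state in standalone mode is one that will refuse new clients when the CAPWAP tunnel drops.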


When FlexConnect access points are connected to the controller (rather than in standalone mode), the controller uses its primary RADIUS servers and accesses them in the order specified on the RADIUS Authentication Servers page or in the config radius auth add CLI command (unless the server order is overridden for a particular WLAN). However, to support 802.1X EAP authentication, FlexConnect access points in standalone mode need to have their own backup RADIUS server to authenticate clients.
Note A controller does not use a backup RADIUS server. The controller uses the backup RADIUS server in local authentication mode.
You can configure a backup RADIUS server for individual FlexConnect access points in standalone mode by using the controller CLI, or for groups of FlexConnect access points in standalone mode by using either the GUI or CLI. A backup server configured for an individual access point overrides the backup RADIUS server configuration for a FlexConnect.

When web authentication is used on FlexConnect access points at a remote site, the clients get the IP address from the remote local subnet. To resolve the initial URL request, the DNS is accessible through the subnet's default gateway. In order for the controller to intercept and redirect the DNS query return packets, these packets must reach the controller at the data center through a CAPWAP connection. During the web authentication process, the FlexConnect access points allow only DNS and DHCP messages; the access points forward the DNS reply messages to the controller before web authentication for the client is complete. After web authentication for the client is complete, all the traffic is switched locally.

When a FlexConnect access point enters standalone mode, the following occurs:
· The access point checks whether it is able to reach the default gateway via ARP. If so, it continues to try to reach the controller.
· If the access point fails to establish the ARP, the following occurs:
· The access point attempts discovery five times and, if it still cannot find the controller, it tries to renew the DHCP lease on the Ethernet interface to get a new DHCP IP address.
· The access point retries five times, and if that fails, the access point renews the IP address of the interface again; this happens for three attempts.
· If the three attempts fail, the access point falls back to the static IP and reboots (only if the access point is configured with a static IP).
· The reboot is done to remove the possibility of any unknown error in the access point configuration.
Once the access point reestablishes a connection with the controller, it disassociates all clients, applies new configuration information from the controller, and allows client connectivity again.
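The recovery sequence described above (ARP check, five discovery attempts per lease, three DHCP renewals, then static fallback and reboot) determines how long a branch stays without a controller after a WAN failure. The following model is an added example, not code from the guide or from Cisco; it reproduces that sequence as a function that returns the ordered list of events, so that the attempt counts and the static-IP branch can be reasoned about. The probe callbacks, event names and the assumption that each renewal is preceded by five discovery attempts are this example's own reading of the text.

```python
"""Model of the standalone-mode recovery sequence this guide describes for a
FlexConnect AP. Added example; the callbacks and event names are this example's
own and the attempt counts are taken from the guide's text."""

DISCOVERY_ATTEMPTS = 5   # discovery tries before each DHCP renewal (guide)
RENEW_ATTEMPTS = 3       # DHCP renewals before static-IP fallback (guide)


def standalone_recovery(gateway_reachable, controller_found, static_ip):
    """Return the ordered list of events the AP goes through.

    gateway_reachable(): True when the default gateway answers ARP.
    controller_found(attempt): True when discovery attempt number `attempt`
        (1-based, counted across renewals) reaches a controller.
    static_ip: whether the AP has a static IP configured for fallback.
    """
    events = []
    if gateway_reachable():
        # Gateway answers ARP: the AP keeps retrying the controller on the
        # address it already has and does not touch DHCP.
        events.append("arp-ok: keep retrying controller")
        return events
    events.append("arp-failed")
    attempt = 0
    for renewal in range(1, RENEW_ATTEMPTS + 1):
        for _ in range(DISCOVERY_ATTEMPTS):
            attempt += 1
            if controller_found(attempt):
                events.append(f"controller found on attempt {attempt}")
                return events
        # Assumption: the guide's "renew the DHCP" follows each failed run of
        # five discovery attempts, so the renewal is recorded after the run.
        events.append(f"dhcp-renew {renewal}")
    if static_ip:
        # The guide only describes the fallback and reboot for APs that have a
        # static IP configured.
        events.extend(["fallback-static-ip", "reboot"])
    else:
        events.append("all-renewals-failed")  # next step not stated in the guide
    return events


def total_discovery_attempts() -> int:
    """Discovery attempts made before the static-IP fallback is reached."""
    return DISCOVERY_ATTEMPTS * RENEW_ATTEMPTS


if __name__ == "__main__":
    # Constructed scenario: gateway unreachable, controller answers on try 7.
    print(standalone_recovery(lambda: False, lambda a: a == 7, static_ip=True))
```

When correlating controller logs with a branch outage, the interesting point is that an AP whose gateway still answers ARP never renews its lease: if DHCP renewals appear in the switch logs, the AP had already lost its gateway, not just the controller.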
Guidelines and Restrictions for FlexConnect
· FlexConnect mode can support only 16 VLANs per AP.
· You can deploy a FlexConnect access point with either a static IP address or a DHCP address. In the context of DHCP, a DHCP server must be available locally and must be able to provide the IP address for the access point at bootup.


· FlexConnect supports up to 4 fragmented packets, or a minimum 576-byte maximum transmission unit (MTU) WAN link.
· Round-trip latency must not exceed 300 milliseconds (ms) between the access point and the controller, and CAPWAP control packets must be prioritized over all other traffic. In scenarios where you cannot achieve the 300-ms round-trip latency, configure the access point to perform local authentication.
· Client connections are restored only for locally switched clients that are in the RUN state when the access point moves from standalone mode to connected mode. After the access point moves, the access point's radio is also reset.
· When multiple FlexConnect APs move from standalone mode to connected mode, all the APs send their client entries in the hybrid-REAP payload to the controller. In this scenario, the controller sends disassociation messages to the WLAN client. However, the WLAN client comes back successfully and joins the controller.
· When APs are in standalone mode, if a client roams to another AP, the source AP cannot determine whether the client has roamed or is just idle. So, the client entry at source AP will not be deleted until idle timeout.
· The configuration on the controller must be the same between the time the access point went into standalone mode and the time the access point came back to connected mode. Similarly, if the access point is falling back to a secondary or backup controller, the configuration between the primary and the secondary or backup controller must be the same.
· A newly connected access point cannot be booted in FlexConnect mode.
· FlexConnect mode requires that the client send traffic before the client's IPv6 address is learned. In local mode, by contrast, the controller learns the IPv6 address by snooping the packets during Neighbor Discovery and updates the IPv6 address of the client.
· 802.11r fast transition roaming is not supported on APs operating in local authentication.
· The primary and secondary controllers for a FlexConnect access point must have the same configuration. Otherwise, the access point might lose its configuration, and certain features, such as WLAN overrides, VLANs, static channel number, and so on, might not operate correctly. In addition, make sure you duplicate the SSID of the FlexConnect access point and its index number on both controllers.
· If a FlexConnect access point has a syslog server configured on the access point and is reloaded with a native VLAN other than 1, a few syslog packets from the access point are tagged with VLAN ID 1 at the time of initialization.
· MAC filtering is not supported on FlexConnect access points in standalone mode. However, MAC filtering is supported on FlexConnect access points in connected mode with local switching and central authentication. Also, Open SSID, MAC Filtering, and RADIUS NAC for a locally switched WLAN with FlexConnect access points is a valid configuration, where MAC is checked by Cisco ISE.
· FlexConnect does not display any IPv6 client addresses in the Client Detail window.
· FlexConnect access points with locally switched WLANs cannot perform IP source guard and prevent ARP spoofing. For centrally switched WLANs, the wireless controller performs IP source guard and ARP spoofing.
· To prevent ARP spoofing attacks in FlexConnect APs with local switching, we recommend that you use ARP inspection.
· Passive client feature is not supported on FlexConnect local switching mode.


· When you enable local switching on policy profile for FlexConnect APs, the APs perform local switching. However, for the APs in local mode, central switching is performed.
· Roaming of a client between a FlexConnect mode AP and a Local mode AP is not supported; after such a move the client may not get the correct IP address because of the VLAN difference. L2 and L3 roaming between a FlexConnect mode AP and a Local mode AP are not supported.
· FlexConnect local switching is not supported on Cisco Aironet 1810T and 1815T (Teleworker) Access Points.
· Cisco Centralized Key Management (CCKM) is not supported in FlexConnect standalone mode. Hence, a CCKM-enabled client will not be able to connect when the AP is in FlexConnect standalone mode.
· For Wi-Fi Protected Access Version 2 (WPA2) in FlexConnect standalone mode or local authentication in connected mode or Cisco Centralized Key Management fast roaming in connected mode, only Advanced Encryption Standard (AES) is supported.
· For Wi-Fi Protected Access (WPA) in FlexConnect standalone mode or local-auth in connected mode or Cisco Centralized Key Management fast-roaming in connected mode, only Temporal Key Integrity Protocol (TKIP) is supported.
· WPA2 with TKIP and WPA with AES is not supported in standalone mode, local-auth in connected mode, and Cisco Centralized Key Management fast-roaming in connected mode.
· Only open, WPA (PSK and 802.1x), and WPA2 (AES) authentication is supported on the Cisco Aironet 1830 Series and 1850 Series APs.
· Only 802.11r fast-transition roaming is supported on the Cisco Aironet 1830 Series and 1850 Series APs.
· AVC on locally switched WLANs is supported on second-generation APs.
· Local authentication fallback is not supported when a user is not available in the external RADIUS server.
· For WLANs configured for FlexConnect APs in local switching and local authentication, synchronization of dot11 client information is supported.
· DNS override is not supported on the Cisco Aironet 1830 Series and 1850 Series APs.
· The Cisco Aironet 1830 Series and 1850 Series APs do not support IPv6. However, a wireless client can pass IPv6 traffic across these APs.
· VLAN group is not supported in Flex mode under flex-profile.
· Configuring maximum number of allowed media streams on individual client or radio is not supported in FlexConnect mode.
· The WLAN client association limit will not work when the AP is in FlexConnect mode (connected or standalone) and is performing local switching and local authentication.
· A local switching client on FlexConnect mode will not get IP address for RLAN profile on the Cisco Aironet 1810 Series AP.
· Standard ACL is not supported on FlexConnect AP mode.
· IPv6 RADIUS Server is not configurable for FlexConnect APs. Only IPv4 configuration is supported.
· In Flex mode, IPv4 ACLs configured on a WLAN are pushed to the AP, but IPv6 ACLs are not.


· The client delete reason counters that are a part of the show wireless stats client delete reasons command, will be incremented only when the client record entry persists for join.
For example, when an AP in the FlexConnect mode performs local authentication with ACL mismatch, then the AP deletes the client, and the controller does not create any client record.
· Cisco Centralized Key Management (CCKM) is supported in wave 1 APs in FlexConnect when you use local association, but fails when you use central association.
· If the client roams from one AP to another and the roaming is successful, the following occurs:
· The client does not send any traffic to the new AP.
· The client's state is IP LEARN pending.
· The client is deauthenticated after 180 seconds if there is no traffic for the entire duration. If the DHCP Required flag is set, the deauthentication occurs after 60 seconds.
· Using custom VLANs under the policy profile of the FlexConnect locally switched WLANs stops the SSID broadcast. In such scenarios, run the shut and no shut commands on the policy profile to start the SSID broadcast.
SSIDs are broadcasted when you:
· Perform VLAN name to id mapping under FlexConnect profile and map the custom VLAN name under the policy profile.
· Use VLAN id or standard VLAN name, for example, VLANxxxx.
· In the FlexConnect mode, the group temporal key (GTK) timer is set to 3600 seconds by default on Cisco Wave 2 AP, and this value cannot be reconfigured.
· For Flex mode deployments, both local association and central association configured policy profiles are not supported at a given time on the WLAN. Only the local association command must be enabled. Ensure that central association is disabled by running the no central association command during configuration.
· From Cisco IOS XE Amsterdam 17.1.1 release onwards, the police rate per client for FlexConnect APs is represented in the controller as rate_out for Ingress (input) and rate_in for Egress (output). To verify the police rate on the Flex AP, use the show rate-limit client command.
· FlexConnect APs do not forward the DHCP packets after Change of Authorization (CoA) and change of VLANs using 802.1X encryption. You must disconnect the client from the WLAN and reconnect the client to enable the client to get an IP address in the second VLAN.
· Cisco Wave 2 and Catalyst Wi-Fi6 APs in FlexConnect local switching mode do not support Layer2(PSK, 802.1X) + Layer3(LWA, CWA, redirection-based posturing) + Dynamic AAA override + NAC.
· Network access control (NAC) is not supported in FlexConnect local authentication.
· Multicast traffic on an AAA overridden VLAN is not supported. Using this configuration may result in potential traffic leaks between VLANs.
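Several of the guidelines above are checkable from the running configuration before an AP is moved to FlexConnect mode: the 16-VLAN-per-AP limit, the requirement that locally switched policy profiles run with central association disabled, the rule that a custom VLAN name under a policy profile must be mapped to an id in the flex profile or the SSID stops broadcasting, and the requirement that primary and secondary controllers carry the same WLANs with the same index numbers. The following audit script is an added example, not code from the guide or from Cisco. It parses a constructed running-config excerpt in the `wireless profile flex`, `wireless profile policy` and `wlan` syntax shown in this chapter; the parser, check names, sample configurations and the assumption that IOS XE displays `central association` only as `no central association` when it is disabled (absence meaning the default, enabled) are this example's own. It also assumes every flex profile's VLAN names are candidates for every policy profile, since it does not resolve tag-to-profile assignments.

```python
"""Audit a Catalyst 9800 running-config excerpt against FlexConnect guidelines
from this guide, and compare WLAN definitions between a primary and a secondary
controller. Added example: parser, check names and sample configs are this
example's own, not Cisco tooling."""

import re
from collections import OrderedDict

MAX_FLEX_VLANS = 16  # guide: FlexConnect mode can support only 16 VLANs per AP
TOP_LEVEL = ("wireless profile flex ", "wireless profile policy ", "wlan ")


def parse_blocks(config: str) -> "OrderedDict[str, list]":
    """Collect the indented body lines of each flex profile, policy profile and
    wlan block, keyed by the block's header line (other blocks are ignored)."""
    blocks = OrderedDict()
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if not raw.startswith(" "):
            current = raw.strip() if raw.startswith(TOP_LEVEL) else None
            if current:
                blocks[current] = []
            continue
        if current:
            blocks[current].append(raw.strip())
    return blocks


def audit(config: str) -> list:
    """Return (check, subject, detail) findings for one controller's config."""
    blocks = parse_blocks(config)
    findings = []
    flex_vlan_names = set()
    for header, body in blocks.items():
        if header.startswith("wireless profile flex "):
            name = header.split()[-1]
            vlans = [l.split()[1] for l in body if l.startswith("vlan-name ")]
            flex_vlan_names.update(vlans)
            if len(vlans) > MAX_FLEX_VLANS:
                findings.append(("vlan-limit", name,
                                 f"{len(vlans)} VLANs mapped, limit is {MAX_FLEX_VLANS}"))
    for header, body in blocks.items():
        if not header.startswith("wireless profile policy "):
            continue
        name = header.split()[-1]
        local_switching = "no central switching" in body
        # Assumption: IOS XE shows the default (enabled) central association as
        # nothing at all, so only "no central association" proves it is off.
        if local_switching and "no central association" not in body:
            findings.append(("central-association", name,
                             "locally switched profile still has central association"))
        for line in body:
            if local_switching and line.startswith("vlan "):
                vlan = line.split()[1]
                if vlan.isdigit() or re.fullmatch(r"VLAN\d{4}", vlan):
                    continue  # a VLAN id or standard name broadcasts the SSID
                if vlan not in flex_vlan_names:
                    findings.append(("custom-vlan-unmapped", name,
                                     f"custom VLAN name {vlan} not mapped in any flex profile"))
    return findings


def wlan_table(config: str) -> dict:
    """Map WLAN profile name -> (id, ssid) from 'wlan <name> <id> <ssid>' headers."""
    table = {}
    for header in parse_blocks(config):
        if header.startswith("wlan "):
            _, name, wlan_id, ssid = header.split(None, 3)
            table[name] = (int(wlan_id), ssid)
    return table


def compare_controllers(primary: str, secondary: str) -> list:
    """Report WLANs whose id or SSID differ, or that exist on only one side."""
    p, s = wlan_table(primary), wlan_table(secondary)
    return [(n, p.get(n), s.get(n)) for n in sorted(set(p) | set(s)) if p.get(n) != s.get(n)]


# Constructed sample configs (not from a real controller).
PRIMARY_CONFIG = """\
wireless profile flex branch-flex
 native-vlan-id 100
 vlan-name VLAN0101
  vlan-id 101
  acl ACL1
 vlan-name VLAN0102
  vlan-id 102
!
wireless profile policy branch-policy
 no central association
 no central switching
 vlan VLAN0101
 no shutdown
!
wireless profile policy guest-local-policy
 no central switching
 vlan guest-vlan
 no shutdown
!
wlan employee 1 employee
 no shutdown
wlan employee-local 2 employee-local
 no shutdown
"""
# Same site on the secondary controller, but employee-local got index 3.
SECONDARY_CONFIG = PRIMARY_CONFIG.replace("wlan employee-local 2", "wlan employee-local 3")

if __name__ == "__main__":
    for finding in audit(PRIMARY_CONFIG):
        print("finding:", finding)
    for diff in compare_controllers(PRIMARY_CONFIG, SECONDARY_CONFIG):
        print("wlan mismatch:", diff)
```

Running the block as a script reports two findings on `guest-local-policy` (central association still enabled, and a custom VLAN name with no flex-profile mapping) and one WLAN index mismatch between the two controllers, which is exactly the kind of drift that makes an AP lose its configuration when it fails over.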

Configuring a Site Tag

Procedure

Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
Device# configure terminal

Step 2: wireless tag site site-name
Purpose: Configures a site tag and enters site tag configuration mode.
Example:
Device(config)# wireless tag site default-site-tag

Step 3: flex-profile flex-profile-name
Purpose: Maps a flex profile to a site tag.
Example:
Device(config-site-tag)# flex-profile rr-xyz-flex-profile

Step 4: ap-profile ap-profile
Purpose: Assigns an AP profile to the wireless site.
Example:
Device(config-site-tag)# ap-profile xyz-ap-profile

Step 5: description site-tag-name
Purpose: Adds a description for the site tag.
Example:
Device(config-site-tag)# description "default site tag"

Step 6: no local-site
Purpose: Moves the access point to FlexConnect mode.
Example:
Device(config-site-tag)# no local-site

Step 7: end
Purpose: Saves the configuration, exits the configuration mode, and returns to privileged EXEC mode.
Example:
Device(config-site-tag)# end

Step 8: show wireless tag site summary
Purpose: (Optional) Displays the summary of site tags.
Example:
Device# show wireless tag site summary


Configuring a Policy Tag (CLI)
Follow the procedure given below to configure a policy tag:

Procedure

Step 1: enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
Device> enable

Step 2: configure terminal
Purpose: Enters global configuration mode.
Example:
Device# configure terminal

Step 3: wireless tag policy policy-tag-name
Purpose: Configures a policy tag and enters policy tag configuration mode.
Example:
Device(config)# wireless tag policy default-policy-tag
Note: When performing LWA, the clients connected to a controller get disconnected intermittently before session timeout.

Step 4: description description
Purpose: Adds a description to a policy tag.
Example:
Device(config-policy-tag)# description "default-policy-tag"

Step 5: remote-lan name policy profile-policy-name {ext-module | port-id}
Purpose: Maps a remote-LAN profile to a policy profile.
Example:
Device(config-policy-tag)# remote-lan rr-xyz-rlan-aa policy rr-xyz-rlan-policy1 port-id 2

Step 6: wlan wlan-name policy profile-policy-name
Purpose: Maps a policy profile to a WLAN profile.
Example:
Device(config-policy-tag)# wlan rr-xyz-wlan-aa policy rr-xyz-policy-1

Step 7: end
Purpose: Exits policy tag configuration mode, and returns to privileged EXEC mode.
Example:
Device(config-policy-tag)# end

Step 8: show wireless tag policy summary
Purpose: (Optional) Displays the configured policy tags.
Example:
Device# show wireless tag policy summary
Note: To view detailed information about a policy tag, use the show wireless tag policy detailed policy-tag-name command.

Attaching a Policy Tag and a Site Tag to an Access Point (GUI)
Procedure

Step 1: Choose Configuration > Wireless > Access Points.
Step 2: Click the Access Point name.
Step 3: Go to the Tags section.
Step 4: Choose the Policy Tag from the Policy drop-down list.
Step 5: Choose the Site Tag from the Site drop-down list.
Step 6: Click Update and Apply to Device.

Attaching Policy Tag and Site Tag to an AP (CLI)
Follow the procedure given below to attach a policy tag and a site tag to an AP:

Procedure

Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
Device# configure terminal

Step 2: ap mac-address
Purpose: Configures a Cisco AP and enters AP profile configuration mode.
Note: The mac-address should be a wired mac address.
Example:
Device(config)# ap F866.F267.7DFB

Step 3: policy-tag policy-tag-name
Purpose: Maps a policy tag to the AP.
Example:
Device(config-ap-tag)# policy-tag rr-xyz-policy-tag

Step 4: site-tag site-tag-name
Purpose: Maps a site tag to the AP.
Example:
Device(config-ap-tag)# site-tag rr-xyz-site

Step 5: rf-tag rf-tag-name
Purpose: Associates the RF tag.
Example:
Device(config-ap-tag)# rf-tag rf-tag1

Step 6: end
Purpose: Saves the configuration, exits configuration mode, and returns to privileged EXEC mode.
Example:
Device(config-ap-tag)# end

Step 7: show ap tag summary
Purpose: (Optional) Displays AP details and the tags associated to it.
Example:
Device# show ap tag summary

Step 8: show ap name <ap-name> tag info
Purpose: (Optional) Displays the AP name with tag information.
Example:
Device# show ap name ap-name tag info

Step 9: show ap name <ap-name> tag detail
Purpose: (Optional) Displays the AP name with tag details.
Example:
Device# show ap name ap-name tag detail

Linking an ACL Policy to the Defined ACL (GUI)
Procedure

Step 1: Choose Configuration > Tags & Profiles > Flex.
Step 2: Click Add.
Step 3: In the General tab, enter the Name of the Flex Profile. The name can be ASCII characters from 32 to 126, without leading and trailing spaces.
Step 4: In the Policy ACL tab, click Add.
Step 5: Select the ACL from the ACL Name drop-down list and click Save.
Step 6: Click Apply to Device.


Applying ACLs on FlexConnect

Procedure

Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
Device# configure terminal

Step 2: wireless profile flex flex-profile-name
Purpose: Configures a wireless flex profile and enters wireless flex profile configuration mode.
Example:
Device(config)# wireless profile flex Flex-profile-1

Step 3: acl-policy acl-policy-name
Purpose: Configures an ACL policy. Access control lists (ACLs) perform packet filtering to control the movement of packets through a network.
Example:
Device(config-wireless-flex-profile)# acl-policy ACL1

Step 4: exit
Purpose: Returns to wireless flex profile configuration mode.
Example:
Device(config-wireless-flex-profile-acl)# exit

Step 5: native-vlan-id
Purpose: Configures native vlan-id information.
Example:
Device(config-wireless-flex-profile)# native-vlan-id 25

Step 6: vlan-name vlan-name
Purpose: Configures a VLAN.
Example:
Device(config-wireless-flex-profile)# vlan-name VLAN0169

Step 7: acl acl-name
Purpose: Configures an ACL for the interface.
Example:
Device(config-wireless-flex-profile-vlan)# acl ACL1

Step 8: vlan-id vlan-id
Purpose: Configures VLAN information.
Example:
Device(config-wireless-flex-profile-vlan)# vlan-id 169


Configuring FlexConnect

Configuring a Switch at a Remote Site
Procedure

Step 1: Attach the access point, which will be enabled for FlexConnect, to a trunk or access port on the switch.
Note: The sample configuration in this procedure shows the FlexConnect access point connected to a trunk port on the switch.

Step 2: The following example configuration shows you how to configure a switch to support a FlexConnect access point.
In this sample configuration, the FlexConnect access point is connected to the trunk interface FastEthernet 1/0/2 with native VLAN 100. The access point needs IP connectivity on the native VLAN. The remote site has local servers or resources on VLAN 101. A DHCP pool is created in the local switch for both the VLANs in the switch. The first DHCP pool (NATIVE) is used by the FlexConnect access point, and the second DHCP pool (LOCAL-SWITCH) is used by the clients when they associate to a WLAN that is locally switched.

. . .
ip dhcp pool NATIVE
 network 209.165.200.224 255.255.255.224
 default-router 209.165.200.225
 dns-server 192.168.100.167
!
ip dhcp pool LOCAL-SWITCH
 network 209.165.201.224 255.255.255.224
 default-router 209.165.201.225
 dns-server 192.168.100.167
!
interface Gig1/0/1
 description Uplink port
 no switchport
 ip address 209.165.202.225 255.255.255.224
!
interface Gig1/0/2
 description the Access Point port
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 100
 switchport trunk allowed vlan 101
 switchport mode trunk
!
interface Vlan100
 ip address 209.165.200.225 255.255.255.224
!
interface Vlan101
 ip address 209.165.201.225 255.255.255.224
end
!
. . .


Configuring the Controller for FlexConnect
You can configure the controller for FlexConnect in two environments:
· Centrally switched WLAN
· Locally switched WLAN

The controller configuration for FlexConnect consists of creating centrally switched and locally switched WLANs. This table shows three WLAN scenarios.
Table 14: WLAN Scenarios

WLAN                | Security           | Authentication | Switching | Interface Mapping (GUEST VLAN)
Employee            | WPA1+WPA2          | Central        | Central   | Management (centrally switched GUEST VLAN)
Employee-local      | WPA1+WPA2 (PSK)    | Local          | Local     | 101 (locally switched GUEST VLAN)
Guest-central       | Web authentication | Central        | Central   | Management (centrally switched GUEST VLAN)
Employee-local-auth | WPA1+WPA2          | Local          | Local     | 101 (locally switched VLAN)

Configuring Local Switching in FlexConnect Mode (GUI)

Procedure

Step 1: Choose Configuration > Tags & Profiles > Policy.
Step 2: On the Policy Profile page, click the name of a policy profile to edit it or click Add to create a new one.
Step 3: In the Add/Edit Policy Profile window that is displayed, uncheck the Central Switching and the Central Association check boxes.
Step 4: Click Update & Apply to Device.


Configuring Local Switching in FlexConnect Mode (CLI)

Procedure

Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
Device# configure terminal

Step 2: wireless profile policy profile-policy
Purpose: Configures WLAN policy profile and enters the wireless policy configuration mode.
Example:
Device(config)# wireless profile policy rr-xyz-policy-1

Step 3: no central switching
Purpose: Configures the WLAN for local switching.
Example:
Device(config-wireless-policy)# no central switching

Step 4: end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.
Example:
Device(config)# end

Configuring Central Switching in FlexConnect Mode (GUI)

Before you begin
Ensure that the policy profile is configured. If the policy profile is not configured, see the Configuring a Policy Profile (GUI) section.

Procedure

Step 1: Choose Configuration > Tags & Profiles > Policy.
Step 2: On the Policy Profile page, select a policy.
Step 3: In the Edit Policy Profile window, in the General tab, use the slider to enable or disable Central Switching.
Step 4: Click Update & Apply to Device.


Configuring Central Switching in FlexConnect Mode

Procedure

Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
Device# configure terminal

Step 2: wireless profile policy profile-policy
Purpose: Configures WLAN policy profile and enters the wireless policy configuration mode.
Example:
Device(config)# wireless profile policy rr-xyz-policy-1

Step 3: central switching
Purpose: Configures the WLAN for central switching.
Example:
Device(config-wireless-policy)# central switching

Step 4: end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.
Example:
Device(config)# end

Configuring an Access Point for FlexConnect
For more information, see Configuring a Site Tag (CLI) topic in New Configuration Model chapter.
Configuring an Access Point for Local Authentication on a WLAN (GUI)
Procedure

Step 1: Choose Configuration > Tags & Profiles > Policy.
Step 2: In the Policy Profile page, select a policy profile name. The Edit Policy Profile window is displayed.
Step 3: In the General tab, deselect the Central Authentication check box.
Step 4: Click Update & Apply to Device.


Configuring an Access Point for Local Authentication on a WLAN (CLI)

Procedure

Step 1
configure terminal
Example:
Device# configure terminal
Enters global configuration mode.

Step 2
wireless profile policy profile-policy
Example:
Device(config)# wireless profile policy rr-xyz-policy-1
Configures a WLAN policy profile and enters wireless policy configuration mode.

Step 3
no central authentication
Example:
Device(config-wireless-policy)# no central authentication
Configures the WLAN for local authentication.

Step 4
end
Example:
Device(config-wireless-policy)# end
Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Connecting Client Devices to WLANs
Follow the instructions for your client device to create profiles to connect to the WLANs you created, as specified in Configuring the Controller for FlexConnect, on page 265.
In the example scenarios (see Configuring the Controller for FlexConnect, on page 265), there are three profiles on the client:
1. To connect to the employee WLAN, create a client profile that uses WPA or WPA2 with PEAP-MSCHAPV2 authentication. After the client is authenticated, the client is allotted an IP address by the management VLAN of the controller.
2. To connect to the local-employee WLAN, create a client profile that uses WPA or WPA2 authentication. After the client is authenticated, the client is allotted an IP address by VLAN 101 on the local switch.
3. To connect to the guest-central WLAN, create a client profile that uses open authentication. After the client is authenticated, the client is allocated an IP address by VLAN 101 on the network local to the access point. After the client connects, a local user can enter any HTTP address in the web browser. The user is automatically directed to the controller to complete the web authentication process. When the web login window appears, the user should enter the username and password.

Configuring FlexConnect Ethernet Fallback

Information About FlexConnect Ethernet Fallback
You can configure an AP to shut down its radio when the Ethernet link is not operational. When the Ethernet link comes back to operational state, you can configure the AP to set its radio back to operational state. This feature is independent of the AP being in connected or standalone mode. When the radios are shut down, the AP does not broadcast the WLANs, and therefore, the clients cannot connect to the AP, either through first association or through roaming.
Configuring FlexConnect Ethernet Fallback

Before you begin
This feature is not applicable to APs with multiple ports.

Procedure

Step 1
configure terminal
Example:
Device# configure terminal
Enters global configuration mode.

Step 2

wireless profile flex flex-profile-name
Example:
Device(config)# wireless profile flex test

Configures a wireless flex profile and enters wireless flex profile configuration mode.

Step 3

fallback-radio-shut
Example:
Device(config-wireless-flex-profile)# fallback-radio-shut

Enables radio interface shutdown.

Step 4

end
Example:
Device(config-wireless-flex-profile)# end

Exits configuration mode and returns to privileged EXEC mode.

Step 5

show wireless profile flex detailed flex-profile-name
Example:
Device# show wireless profile flex detailed test

(Optional) Displays detailed information about the selected profile.

Flex AP Local Authentication (GUI)
Procedure

Step 1 Choose Configuration > Tags & Profiles > Flex.
Step 2 In the Flex page, click the name of the Flex Profile or click Add to create a new one.
Step 3 In the Add/Edit Flex Profile window that is displayed, click the Local Authentication tab.

When local authentication and association is enabled on an access point in Flex mode, the following occurs:
· AP handles the authentication.
· AP handles the rejection of client joins (in Mobility).

Note The controller does not increment statistics when the AP rejects a client association.

Step 4 Choose the server group from the RADIUS Server Group drop-down list.
Step 5 Use the Local Accounting Radius Server Group drop-down list to select the RADIUS server group.
Step 6 Check the Local Client Roaming check box to enable client roaming.
Step 7 Choose the profile from the EAP Fast Profile drop-down list.
Step 8 Choose to enable or disable the following:
· LEAP: Lightweight Extensible Authentication Protocol (LEAP) is an 802.1X authentication type for wireless LANs and supports strong mutual authentication between the client and a RADIUS server using a logon password as the shared secret. It provides dynamic per-user, per-session encryption keys.
· PEAP: Protected Extensible Authentication Protocol (PEAP) is a protocol that encapsulates the Extensible Authentication Protocol (EAP) within an encrypted and authenticated Transport Layer Security (TLS) tunnel.
· TLS: Transport Layer Security (TLS) is a cryptographic protocol that provides communications security over a computer network.
· RADIUS: Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA or Triple A) management for users who connect to and use a network service.
Step 9 In the Users section, click Add.
Step 10 Enter the username and password details and click Save.
Step 11 Click Save & Apply to Device.

Flex AP Local Authentication (CLI)

Note The Cisco Catalyst 9800 Series Wireless Controller + FlexConnect local authentication + AP acting as RADIUS are not supported on Cisco COS and IOS APs.

Procedure

Step 1
aaa new-model
Example:
Device(config)# aaa new-model
Creates an AAA authentication model.

Step 2
aaa session-id common
Example:
Device(config)# aaa session-id common
Ensures that all session ID information sent out from the RADIUS group for a given call is identical.

Step 3
dot1x system-auth-control
Example:
Device(config)# dot1x system-auth-control
Enables system authorization control for the RADIUS group.

Step 4
eap profile name
Example:
Device(config)# eap profile aplocal-test
Creates an EAP profile.

Step 5
method fast
Example:
Device(config-eap-profile)# method fast
Configures the FAST method on the profile.

Step 6
exit
Example:
Device(config-eap-profile)# exit
Returns to configuration mode.

Step 7
wireless profile flex flex-profile
Example:
Device(config)# wireless profile flex default-flex-profile
Configures the flex policy.

Step 8
local-auth ap eap-fast name
Example:
Device(config-wireless-flex-profile)# local-auth ap eap-fast aplocal-test
Configures EAP-FAST profile details.

Step 9
local-auth ap leap
Example:
Device(config-wireless-flex-profile)# local-auth ap leap
Configures the LEAP method.

Step 10
local-auth ap peap
Example:
Device(config-wireless-flex-profile)# local-auth ap peap
Configures the PEAP method.

Step 11
local-auth ap username username password
Example:
Device(config-wireless-flex-profile)# local-auth ap username test1 test1
Configures a username and password.

Step 12
local-auth ap username username password
Example:
Device(config-wireless-flex-profile)# local-auth ap username test2 test2
Configures another username and password.

Step 13
exit
Example:
Device(config-wireless-flex-profile)# exit
Returns to configuration mode.

Step 14
wireless profile policy policy-profile
Example:
Device(config)# wireless profile policy default-policy-profile
Configures the policy profile.

Step 15
shutdown
Example:
Device(config-wireless-policy)# shutdown
Disables the policy profile.

Step 16
no central authentication
Example:
Device(config-wireless-policy)# no central authentication
Disables central (controller) authentication.

Step 17
vlan-id vlan-id
Example:
Device(config-wireless-policy)# vlan-id 54
Configures a VLAN name or VLAN ID.

Step 18
no shutdown
Example:
Device(config-wireless-policy)# no shutdown
Enables the configuration.

Flex AP Local Authentication with External Radius Server
In this mode, an access point handles client authentication and switches client data packets locally. This state is valid in standalone mode and connected mode.

Procedure

Step 1
aaa new-model
Example:
Device(config)# aaa new-model
Creates an AAA authentication model.

Step 2
aaa session-id common
Example:
Device(config)# aaa session-id common
Ensures that all session ID information sent out from the RADIUS group for a given call is identical.

Step 3
dot1x system-auth-control
Example:
Device(config)# dot1x system-auth-control
Enables the system authorization control for the RADIUS group.

Step 4
radius server server-name
Example:
Device(config)# radius server Test-SERVER1
Specifies the RADIUS server name.
Note To authenticate clients with freeradius over RADSEC, you should generate an RSA key longer than 1024 bits. Use the crypto key generate rsa general-keys exportable label name command to achieve this.
Do not configure the key-wrap option under the radius server and radius server group, as it may lead to clients getting stuck in the authentication state.

Step 5
address {ipv4 | ipv6} ip-address {auth-port port-number | acct-port port-number}
Example:
Device(config-radius-server)# address ipv4 124.3.50.62 auth-port 1112 acct-port 1113
Device(config-radius-server)# address ipv6 2001:DB8:0:20::15 auth-port 1812 acct-port 1813
Specifies the primary RADIUS server parameters.

Step 6
key string
Example:
Device(config-radius-server)# key test123
Specifies the authentication and encryption key used between the device and the RADIUS daemon running on the RADIUS server.
Note The maximum number of characters allowed for the shared secret is 63.

Step 7
radius server server-name
Example:
Device(config)# radius server Test-SERVER2
Specifies the RADIUS server name.

Step 8
address {ipv4 | ipv6} ip-address {auth-port port-number | acct-port port-number}
Example:
Device(config-radius-server)# address ipv4 124.3.52.62 auth-port 1112 acct-port 1113
Device(config-radius-server)# address ipv6 2001:DB8:0:21::15 auth-port 1812 acct-port 1813
Specifies the secondary RADIUS server parameters.

Step 9
key string
Example:
Device(config-radius-server)# key test113
Specifies the authentication and encryption key used between the device and the RADIUS daemon running on the RADIUS server.

Step 10
exit
Example:
Device(config-radius-server)# exit
Returns to configuration mode.

Step 11
aaa group server radius server-group
Example:
Device(config)# aaa group server radius aaa_group_name
Creates a RADIUS server group identification.
Note server-group refers to the server group name. The valid range is from 1 to 32 alphanumeric characters.

Step 12
radius server server-name
Example:
Device(config)# radius server Test-SERVER1
Specifies the RADIUS server name.

Step 13
radius server server-name
Example:
Device(config-radius-server)# radius server Test-SERVER2
Specifies the RADIUS server name.

Step 14
exit
Example:
Device(config-radius-server)# exit
Exits RADIUS server configuration mode.

Step 15
wireless profile flex flex-profile
Example:
Device(config)# wireless profile flex default-flex-profile
Creates a new flex policy.

Step 16
local-auth radius-server-group server-group
Example:
Device(config-wireless-flex-profile)# local-auth radius-server-group aaa_group_name
Configures the authentication server group name.

Step 17
exit
Example:
Device(config-wireless-flex-profile)# exit
Returns to configuration mode.

Step 18
wireless profile policy policy-profile
Example:
Device(config)# wireless profile policy default-policy-profile
Configures a WLAN policy profile.

Step 19
shutdown
Example:
Device(config-wireless-policy)# shutdown
Disables a policy profile.

Step 20
no central authentication
Example:
Device(config-wireless-policy)# no central authentication
Disables central (controller) authentication.

Step 21
vlan-id vlan-id
Example:
Device(config-wireless-policy)# vlan-id 54
Configures a VLAN name or VLAN ID.

Step 22
no shutdown
Example:
Device(config-wireless-policy)# no shutdown
Enables the configuration.

Configuration Example: FlexConnect with Central and Local Authentication
For a configuration example showing how to configure a controller for FlexConnect central and local authentication, see the FlexConnect Configuration with Central and Local Authentication on Catalyst 9800 Wireless Controllers document.
NAT-PAT for FlexConnect
If you want to use a central DHCP server to service clients across remote sites, NAT-PAT should be enabled. An AP translates the traffic coming from a client and replaces the client's IP address with its own IP address.

Note You must enable local switching, central DHCP, and DHCP required (using the ipv4 dhcp required command) to enable NAT and PAT.
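The NAT-PAT prerequisites in the note above, together with the constraints stated in the Flex AP Local Authentication with External Radius Server procedure (a shared secret of at most 63 characters, a server-group name of 1 to 32 characters, and no key-wrap under the radius server or server group), can be checked mechanically against a running-config before it is pushed. The following Python checker is an added example, not Cisco code; the running-config excerpts it parses are constructed for the example, and it assumes the relevant settings appear as explicit lines (for instance, that a locally switched policy profile shows no central switching).

```python
"""Static checks for a Catalyst 9800 running-config excerpt.

Added example (not Cisco's code): parses the one-level block structure of an
IOS XE running-config (a command such as "radius server X" followed by its
indented sub-commands) and flags the misconfigurations this chapter warns
about. Both sample configs are constructed for the example, and the checker
assumes the relevant settings appear as explicit lines in the running-config.
"""
from typing import List, Optional, Tuple

Block = Tuple[str, List[str]]  # (header command, indented sub-commands)

# Settings the NAT-PAT note requires alongside "flex nat-pat".
NAT_PAT_PREREQS = ("no central switching", "central dhcp", "ipv4 dhcp required")
MAX_SHARED_SECRET = 63  # maximum RADIUS shared-secret length stated in the chapter


def parse_blocks(config: str) -> List[Block]:
    """Group config lines into (header, [children]) pairs by leading indentation."""
    blocks: List[Block] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank lines and "!" separators
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def plaintext_secret(line: str) -> Optional[str]:
    """Secret from a "key [0] <secret>" line; None when it is stored encrypted (type 6/7)."""
    parts = line.split(maxsplit=2)
    if len(parts) < 2:
        return None
    if parts[1] in ("6", "7"):
        return None
    if parts[1] == "0":
        return parts[2] if len(parts) == 3 else ""
    return line[len("key "):]


def audit(config: str) -> List[str]:
    """Return one finding per violated rule, in configuration order."""
    findings: List[str] = []
    for header, lines in parse_blocks(config):
        words = header.split()
        if header.startswith("radius server "):
            name = words[2]
            for line in lines:
                if line.startswith("key "):
                    secret = plaintext_secret(line)
                    if secret is not None and len(secret) > MAX_SHARED_SECRET:
                        findings.append(
                            f"radius server {name}: shared secret is {len(secret)} "
                            f"characters (max {MAX_SHARED_SECRET})")
                elif line.startswith("key-wrap"):
                    findings.append(f"radius server {name}: key-wrap must not be configured")
        elif header.startswith("aaa group server radius "):
            name = words[4]
            if not 1 <= len(name) <= 32:
                findings.append(f"aaa group server radius {name}: name must be 1 to 32 characters")
            if any(line.startswith("key-wrap") for line in lines):
                findings.append(f"aaa group server radius {name}: key-wrap must not be configured")
        elif header.startswith("wireless profile policy ") and "flex nat-pat" in lines:
            name = words[3]
            for prereq in NAT_PAT_PREREQS:
                if prereq not in lines:
                    findings.append(f"wireless profile policy {name}: flex nat-pat requires '{prereq}'")
    return findings


# Constructed sample: three of the chapter's rules are violated.
BAD_CONFIG = f"""\
aaa new-model
aaa session-id common
aaa group server radius aaa_group_name
 server name Test-SERVER1
 server name Test-SERVER2
 key-wrap enable
!
radius server Test-SERVER1
 address ipv4 124.3.50.62 auth-port 1112 acct-port 1113
 key test123
radius server Test-SERVER2
 address ipv4 124.3.52.62 auth-port 1112 acct-port 1113
 key {'x' * 64}
!
wireless profile policy nat-enabled-policy
 central dhcp
 flex nat-pat
 no central switching
 no shutdown
"""

# Constructed sample with the violations corrected.
GOOD_CONFIG = """\
aaa group server radius aaa_group_name
 server name Test-SERVER1
 server name Test-SERVER2
radius server Test-SERVER1
 address ipv4 124.3.50.62 auth-port 1112 acct-port 1113
 key test123
radius server Test-SERVER2
 address ipv4 124.3.52.62 auth-port 1112 acct-port 1113
 key test113
wireless profile policy nat-enabled-policy
 central dhcp
 flex nat-pat
 ipv4 dhcp required
 no central switching
 no shutdown
"""

if __name__ == "__main__":
    for finding in audit(BAD_CONFIG) or ["no findings"]:
        print(finding)
```

Run against a real device, feed it the output of show running-config; encrypted (type 6 or 7) secrets are skipped because their stored length says nothing about the plaintext.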

Configuring NAT-PAT for a WLAN or a Remote LAN

Creating a WLAN
Follow the steps given here to create a WLAN.

Procedure

Step 1
configure terminal
Example:
Device# configure terminal
Enters global configuration mode.

Step 2
wlan wlan-name wlan-id SSID-name
Example:
Device(config)# wlan wlan-demo 1 ssid-demo
Enters the WLAN configuration sub-mode.
· wlan-name: Enter the profile name. The range is from 1 to 32 alphanumeric characters.
· wlan-id: Enter the WLAN ID. The range is from 1 to 512.
· SSID-name: Enter the Service Set Identifier (SSID) for this WLAN. If the SSID is not specified, the WLAN profile name is set as the SSID.

Note If you have already configured the WLAN, enter the wlan wlan-name command.

Step 3
no shutdown
Example:
Device(config-wlan)# no shutdown
Enables the WLAN.

Step 4
end
Example:
Device(config-wlan)# end
Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Configuring a Wireless Profile Policy and NAT-PAT (GUI)

Procedure

Step 1 Choose Configuration > Tags & Profiles > Policy.
Step 2 Click Add.
Step 3 In the General tab, enter the Name of the policy.
Step 4 Disable the Central Switching toggle button.
Step 5 Enable the Central DHCP toggle button.
Step 6 Enable the Flex NAT/PAT toggle button.
Step 7 In the Advanced tab, under the DHCP Settings, check the IPv4 DHCP Required check box.
Step 8 Click Apply to Device.

Configuring a Wireless Profile Policy and NAT-PAT
Follow the procedure given below to configure a wireless profile policy and NAT-PAT:

Procedure

Step 1
configure terminal
Example:
Device# configure terminal
Enters global configuration mode.
Step 2

wireless profile policy profile-policy

Configures the policy profile for NAT.

Example:

Device(config)# wireless profile policy nat-enabled-policy

Step 3
no central switching
Example:
Device(config-wireless-policy)# no central switching
Configures the WLAN for local switching.

Step 4
ipv4 dhcp required
Example:
Device(config-wireless-policy)# ipv4 dhcp required
Configures the DHCP parameters for the WLAN.

Step 5
central dhcp
Example:
Device(config-wireless-policy)# central dhcp
Configures central DHCP for locally switched clients.

Step 6
flex nat-pat
Example:
Device(config-wireless-policy)# flex nat-pat
Enables NAT-PAT.

Step 7
no shutdown
Example:
Device(config-wireless-policy)# no shutdown
Enables the policy profile.

Step 8
end
Example:
Device(config-wireless-policy)# end
Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Mapping a WLAN to a Policy Profile
Follow the procedure given below to map a WLAN to a policy profile:

Procedure

Step 1
configure terminal
Example:
Device# configure terminal
Enters global configuration mode.

Step 2
wireless tag policy policy-tag-name
Example:
Device(config)# wireless tag policy demo-tag
Configures a policy tag and enters policy tag configuration mode.

Step 3
wlan wlan-name policy profile-policy-name
Example:
Device(config-policy-tag)# wlan wlan-demo policy nat-enabled-policy
Maps a policy profile to a WLAN profile.

Step 4
end
Example:
Device(config-policy-tag)# end
Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Configuring a Site Tag
Follow the procedure given below to configure a site tag:

Procedure

Step 1
configure terminal
Example:
Device# configure terminal
Enters global configuration mode.

Step 2

wireless tag site site-name
Example:
Device(config)# wireless tag site flex-site

Configures a site tag and enters site tag configuration mode.

Step 3

no local-site

Moves an access point to FlexConnect mode.

Example:

Device(config-site-tag)# no local-site

Step 4

end Example:
Device(config-site-tag)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Attaching a Policy Tag and a Site Tag to an Access Point (GUI)

Procedure

Step 1 Choose Configuration > Wireless > Access Points.
Step 2 Click the Access Point name.
Step 3 Go to the Tags section.
Step 4 Choose the Policy Tag from the Policy drop-down list.
Step 5 Choose the Site Tag from the Site drop-down list.

Step 6 Click Update and Apply to Device.

Attaching a Policy Tag and a Site Tag to an Access Point
Follow the procedure given below to attach a policy tag and a site tag to an access point:

Procedure

Step 1
configure terminal
Example:
Device# configure terminal
Enters global configuration mode.

Step 2
ap mac-address
Example:
Device(config)# ap F866.F267.7DFB
Configures Cisco APs and enters ap-tag configuration mode.

Step 3

policy-tag policy-tag-name
Example:
Device(config-ap-tag)# policy-tag demo-tag

Maps a policy tag to the AP.

Step 4

site-tag site-tag-name

Maps a site tag to the AP.

Example:

Device(config-ap-tag)# site-tag flex-site

Step 5

end Example:
Device(config-ap-tag)# end

Returns to privileged EXEC mode.

Split Tunneling for FlexConnect
If a client that connects over a WAN link and is associated with a centrally switched WLAN has to send traffic to a device present in the local site, this traffic is sent over CAPWAP to the controller, and the same traffic is sent back to the local site either over CAPWAP or with the help of some off-band connectivity.
This process consumes WAN link bandwidth unnecessarily. To avoid this, you can use the Split Tunneling feature, which allows the traffic sent by a client to be classified based on the packet contents. The matching packets are locally switched and the rest of the traffic is centrally switched. The traffic sent by the client that matches the IP address of the device present in the local site can be classified as locally switched traffic, and the rest of the traffic as centrally switched.
To configure local split tunneling on an AP, ensure that you have enabled DHCP Required on the policy profile using the ipv4 dhcp required command. This ensures that the client associating with the split WLAN performs DHCP.

Note Apple iOS clients need option 6 (DNS) to be set in DHCP offer for split tunneling to work.

Note
· FlexConnect split tunneling (VLAN-based central switching for FlexConnect) on an auto-anchor deployment is not supported.
· Split tunneling does not work on RLAN clients. When the split-tunnel option is enabled on an RLAN, traffic denied by the split tunnel ACL is not translated based on the IP address; instead, the traffic is sent back to the controller through CAPWAP.
· URL filter must not be configured with wildcard URLs such as * and *.*

Configuring Split Tunneling for a WLAN or Remote LAN
Defining an Access Control List for Split Tunneling (GUI)
Procedure

Step 1 Choose Configuration > Security > ACL.
Step 2 Click Add.
Step 3 In the Add ACL Setup dialog box, enter the ACL Name.
Step 4 Choose the ACL type from the ACL Type drop-down list.
Step 5 Under the Rules settings, enter the Sequence number and choose the Action as either permit or deny.
Step 6 Choose the required source type from the Source Type drop-down list.
a) If you choose the source type as Host, then you must enter the Host Name/IP.
b) If you choose the source type as Network, then you must specify the Source IP address and Source Wildcard mask.
Step 7 Check the Log check box if you want the logs.
Step 8 Click Add.
Step 9 Add the rest of the rules and click Apply to Device.

Defining an Access Control List for Split Tunneling
Follow the procedure given below to define an Access Control List (ACL) for split tunneling:

Procedure

Step 1
configure terminal
Example:
Device# configure terminal
Enters global configuration mode.

Step 2
ip access-list extended name
Example:
Device(config)# ip access-list extended split_mac_acl
Defines an extended IPv4 access list using a name, and enters access-list configuration mode.

Step 3

deny ip any host hostname

Allows the traffic to switch centrally.

Example:

Device(config-ext-nacl)# deny ip any host 9.9.2.21

Step 4

permit ip any any

Allows the traffic to switch locally.

Example:

Device(config-ext-nacl)# permit ip any any

Step 5

end Example:
Device(config-ext-nacl)# end

Exits configuration mode and returns to privileged EXEC mode.
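The ACL semantics in the procedure above are the reverse of what an access list usually means: a deny entry sends the matching traffic centrally, a permit entry keeps it local, and the implicit deny at the end of the list sends everything else to the controller, which is how "the rest of the traffic is centrally switched" in the description of Split Tunneling is realized. The following Python classifier is an added example, not Cisco code; it parses a constructed split_mac_acl and reports where a client packet would be switched. It generalizes the chapter's deny ip any host entry to the usual extended-ACL address forms (any, host A.B.C.D and A.B.C.D W.W.W.W with a wildcard mask), and only contiguous wildcard masks are handled.

```python
"""Split-tunnel ACL classifier.

Added example (not Cisco's code): models how the extended IPv4 ACL that the
procedures above bind to the flex profile (acl-policy) and to the policy
profile (flex split-mac-acl) decides where a client's packet is switched.
A packet matching a permit entry is locally switched; one matching a deny
entry, or matching nothing at all (the ACL's implicit deny), is tunnelled to
the controller over CAPWAP. The ACL text and packets are constructed.
"""
import ipaddress
from typing import List, Tuple

Entry = Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Network]  # action, src, dst

ANY = ipaddress.ip_network("0.0.0.0/0")


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert an IOS address/wildcard pair into a network (contiguous wildcards only)."""
    hostbits = int(ipaddress.IPv4Address(wildcard))
    netmask = ipaddress.IPv4Address(~hostbits & 0xFFFFFFFF)
    # Pass a netmask rather than the wildcard so 0.0.0.0 / 255.255.255.255 are unambiguous.
    return ipaddress.ip_network((addr, str(netmask)), strict=False)


def parse_target(tokens: List[str], pos: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse one address spec at tokens[pos]; return (network, index after it)."""
    if tokens[pos] == "any":
        return ANY, pos + 1
    if tokens[pos] == "host":
        return ipaddress.ip_network(tokens[pos + 1] + "/32"), pos + 2
    return wildcard_to_network(tokens[pos], tokens[pos + 1]), pos + 2


def parse_acl(text: str) -> List[Entry]:
    """Parse the permit/deny ip entries of an "ip access-list extended" block."""
    entries: List[Entry] = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens and tokens[0].isdigit():
            tokens = tokens[1:]  # drop a leading sequence number (running-config form)
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
            continue  # header line, remarks, blanks
        if tokens[1] != "ip":
            raise ValueError(f"only 'ip' entries are modelled here: {line.strip()!r}")
        src, pos = parse_target(tokens, 2)
        dst, _ = parse_target(tokens, pos)
        entries.append((tokens[0], src, dst))
    return entries


def switching_mode(entries: List[Entry], src: str, dst: str) -> str:
    """'local' or 'central' for a client packet src -> dst; first matching entry wins."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in entries:
        if s in src_net and d in dst_net:
            return "local" if action == "permit" else "central"
    return "central"  # implicit deny: unmatched traffic goes to the controller


# Constructed ACL: the chapter's host entry plus a wildcard entry for a central subnet.
SPLIT_ACL = """\
ip access-list extended split_mac_acl
 10 deny ip any host 9.9.2.21
 20 deny ip any 10.20.0.0 0.0.255.255
 30 permit ip any any
"""


def classify(acl_text: str, src: str, destinations: List[str]) -> dict:
    """Map each destination to the switching mode the ACL yields for packets from src."""
    entries = parse_acl(acl_text)
    return {dst: switching_mode(entries, src, dst) for dst in destinations}


if __name__ == "__main__":
    for dst, mode in classify(SPLIT_ACL, "192.168.10.5",
                              ["9.9.2.21", "10.20.5.7", "192.168.10.20"]).items():
        print(f"{dst:>16}  {mode}")
```

A useful habit when reviewing a split-tunnel ACL is to run the destinations that must stay central (the corporate DHCP server, the AAA server, anything behind the WAN) through the classifier and confirm none of them comes back as local.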

Linking an ACL Policy to the Defined ACL
Follow the procedure given below to link an ACL policy to the defined ACL:

Procedure

Step 1
configure terminal
Example:
Device# configure terminal
Enters global configuration mode.

Step 2

wireless profile flex flex-profile
Example:
Device(config)# wireless profile flex flex-profile

Configures the Flex profile and enters flex profile configuration mode.

Step 3

acl-policy acl policy name
Example:
Device(config-wireless-flex-profile)# acl-policy split_mac_acl

Configures an ACL policy for the defined ACL.

Step 4
end
Example:
Device(config-wireless-flex-profile)# end
Exits configuration mode and returns to privileged EXEC mode.

Creating a WLAN
Follow the procedure given below to create a WLAN.

Procedure

Step 1
configure terminal
Example:
Device# configure terminal
Enters global configuration mode.

Step 2
wlan wlan-name wlan-id SSID-name
Example:
Device(config)# wlan wlan-demo 1 ssid-demo
Specifies the WLAN name and ID:
· wlan-name: Enter the profile name. The range is from 1 to 32 alphanumeric characters.
· wlan-id: Enter the WLAN ID. The range is from 1 to 512.
· SSID-name: Enter the Service Set Identifier (SSID) for this WLAN. If the SSID is not specified, the WLAN profile name is set as the SSID.

Step 3
no shutdown
Example:
Device(config-wlan)# no shutdown
Enables the WLAN.

Step 4
end
Example:
Device(config-wlan)# end
Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Configuring a Wireless Profile Policy and a Split MAC ACL Name (GUI)

Procedure

Step 1 Choose Configuration > Tags & Profiles > Policy.
Step 2 Click Add.
Step 3 In the General tab, enter the Name of the policy.
Step 4 Enable the Central Switching toggle button.
Step 5 Enable the Central DHCP toggle button.
Step 6 In the Advanced tab, under the DHCP settings, check the IPv4 DHCP Required check box and enter the DHCP Server IP Address.
Step 7 Under the WLAN Flex Policy settings, choose the split MAC ACL from the Split MAC ACL drop-down list.
Step 8 Click Apply to Device.

Configuring a Wireless Profile Policy and a Split MAC ACL Name
Follow the procedure given below to configure a wireless profile policy and a split MAC ACL name:

Procedure

Step 1
configure terminal
Example:
Device# configure terminal
Enters global configuration mode.

Step 2
wireless profile policy profile-policy
Example:
Device(config)# wireless profile policy split-tunnel-enabled-policy
Configures a WLAN policy profile and enters wireless policy configuration mode.

Step 3
flex split-mac-acl split-mac-acl-name
Example:
Device(config-wireless-policy)# flex split-mac-acl split_mac_acl
Configures a split MAC ACL name.
Note You should use the same ACL name for linking the flex and the policy profile.

Step 4
central switching
Example:
Device(config-wireless-policy)# central switching
Configures the WLAN for central switching.

Step 5
central dhcp
Example:
Device(config-wireless-policy)# central dhcp
Enables central DHCP for centrally switched clients.

Step 6
ipv4 dhcp required
Example:
Device(config-wireless-policy)# ipv4 dhcp required
Configures the DHCP parameters for a WLAN.

Step 7
ipv4 dhcp server ip_address
Example:
Device(config-wireless-policy)# ipv4 dhcp server 9.1.0.100
Configures the override IP address of the DHCP server.

Step 8
no shutdown
Example:
Device(config-wireless-policy)# no shutdown
Enables a policy profile.

Mapping a WLAN to a Policy Profile (GUI)

Procedure

Step 1 Choose Configuration > Tags & Profiles > Tags.
Step 2 Click Add.
Step 3 Enter the Name of the Tag Policy.
Step 4 Under the WLAN-POLICY Maps tab, click Add.
Step 5 Choose the WLAN Profile from the WLAN Profile drop-down list.
Step 6 Choose the Policy Profile from the Policy Profile drop-down list.
Step 7 Click the Tick Icon.
Step 8 Click Apply to Device.

Mapping WLAN to a Policy Profile
Follow the procedure given below to map WLAN to a policy profile.

Procedure

Step 1
configure terminal
Example:
Device# configure terminal
Enters global configuration mode.

Step 2

wireless tag policy policy-tag-name
Example:
Device(config)# wireless tag policy split-tunnel-enabled-tag

Configures a policy tag and enters policy tag configuration mode.

Step 3

wlan wlan-name policy profile-policy-name Maps a policy profile to a WLAN profile.
Example:
Device(config-policy-tag)# wlan wlan-demo policy split-tunnel-enabled-policy

Step 4
end
Example:
Device(config-policy-tag)# end
Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Configuring a Site Tag
Follow the procedure given below to configure a site tag:

Procedure

Step 1
configure terminal
Example:
Device# configure terminal
Enters global configuration mode.

Step 2

wireless tag site site-name
Example:
Device(config)# wireless tag site flex-site

Configures a site tag and enters site tag configuration mode.

Step 3

no local-site

Local site is not configured on the site tag.

Example:

Device(config-site-tag)# no local-site

Step 4

flex-profile flex-profile-name
Example:
Device(config-site-tag)# flex-profile flex-profile

Configures a flex profile.

Step 5

end Example:
Device(config-site-tag)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Attaching a Policy Tag and Site Tag to an Access Point
Follow the procedure given below to attach a policy tag and site tag to an access point.

Procedure

Step 1
configure terminal
Example:
Device# configure terminal
Enters global configuration mode.

Step 2
ap ethernet-mac-address
Example:
Device(config)# ap 188b.9dbe.6eac
Configures an AP and enters ap tag configuration mode.

Step 3
policy-tag policy-tag-name
Example:
Device(config-ap-tag)# policy-tag split-tunnel-enabled-tag
Maps a policy tag to an AP.

Step 4
site-tag site-tag-name
Example:
Device(config-ap-tag)# site-tag flex-site
Maps a site tag to an AP.

Step 5
end
Example:
Device(config-ap-tag)# end
Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

VLAN-based Central Switching for FlexConnect
In FlexConnect local switching, if the VLAN definition is not available on an access point, the corresponding client does not pass traffic. This scenario applies when the AAA server returns the VLAN as part of client authentication.
When a WLAN is locally switched in flex and the VLAN is configured on the AP side, the traffic is switched locally. When the VLAN is not defined on the AP, the packet is dropped.
When VLAN-based central switching is enabled, the corresponding AP tunnels the traffic back to the controller. The controller then forwards the traffic to its corresponding VLAN.

Note
· For VLAN-based central switching, ensure that the VLAN is defined on the controller.
· VLAN-based central switching is not supported with MAC filtering.
· For local switching, ensure that the VLAN is defined on the policy profile and the FlexConnect profile.

Configuring VLAN-based Central Switching (GUI)
Procedure

Step 1  Choose Configuration > Tags & Profiles > Policy.
Step 2  Click the name of the policy profile.
Step 3  In the Edit Policy Profile window, perform these tasks:
        a) Set Central Switching to Disabled state.
        b) Set Central DHCP to Disabled state.
        c) Set Central Authentication to Enabled state.
Step 4  Click the Advanced tab.
Step 5  Under AAA Policy, check the Allow AAA Override check box to enable AAA override.
Step 6  Under WLAN Flex Policy, check the VLAN Central Switching check box to enable VLAN-based central switching on the policy profile.
Step 7  Click Update & Apply to Device.

Configuring VLAN-based Central Switching (CLI)
Follow the procedure given below to configure VLAN-based central switching.

Procedure

Step 1
configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
wireless profile policy profile-policy
Example: Device(config)# wireless profile policy default-policy-profile
Purpose: Configures a wireless policy profile and enters wireless policy configuration mode.

Step 3
no central switching
Example: Device(config-wireless-policy)# no central switching
Purpose: Configures the WLAN for local switching.

Step 4
no central dhcp
Example: Device(config-wireless-policy)# no central dhcp
Purpose: Configures local DHCP mode, where DHCP is handled at the AP.

Step 5
central authentication
Example: Device(config-wireless-policy)# central authentication
Purpose: Configures the WLAN for central authentication.

Step 6
aaa-override
Example: Device(config-wireless-policy)# aaa-override
Purpose: Enables AAA policy override, so that attributes such as the VLAN returned by the AAA server are applied to the client.

Step 7
flex vlan-central-switching
Example: Device(config-wireless-policy)# flex vlan-central-switching
Purpose: Configures VLAN-based central switching: traffic for a VLAN that is not defined on the AP is tunneled to the controller instead of being dropped.

Step 8
end
Example: Device(config-wireless-policy)# end
Purpose: Returns to privileged EXEC mode.

Step 9
show wireless profile policy detailed profile-policy
Example: Device# show wireless profile policy detailed default-policy-profile
Purpose: (Optional) Displays detailed information about the policy profile.
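The tag chain described in this section (AP to policy tag to policy profile, AP to site tag to flex profile) decides whether a locally switched client's VLAN actually exists on the AP. The following Python script is an added example, not Cisco code and not part of this guide: it parses a constructed running-config excerpt (the profile and tag names, the AP MAC address and the VLAN numbers are illustrative) and reports every AP whose locally switched policy profile points at a VLAN that is missing from the flex profile of its site tag. A finding is rated high when flex vlan-central-switching is absent (the AP drops that client's traffic), informational when it is present (the AP tunnels the traffic to the controller), and medium when aaa-override is enabled without VLAN-based central switching, because an AAA-returned VLAN that is not in the flex profile has the same dropping effect.

```python
"""Audit a Catalyst 9800 running-config for FlexConnect VLAN blackholes.

Added example, not Cisco's code. Resolves the tag chain the guide describes
and flags locally switched policy profiles whose VLAN is not defined in the
AP's flex profile.
"""
import re
from collections import defaultdict

# Constructed running-config excerpt (not captured from a real controller).
RUNNING_CONFIG = """\
wireless profile flex branch-flex
 vlan-name VLAN10
  vlan-id 10
 arp-caching
wireless profile policy corp-local
 no central switching
 no central dhcp
 central authentication
 aaa-override
 vlan 10
 no shutdown
wireless profile policy guest-local
 no central switching
 vlan 30
 no shutdown
wireless profile policy iot-local
 no central switching
 flex vlan-central-switching
 vlan 40
 no shutdown
wireless tag site branch-site
 flex-profile branch-flex
 no local-site
wireless tag policy branch-policy
 wlan corp policy corp-local
 wlan guest policy guest-local
 wlan iot policy iot-local
ap 188b.9dbe.6eac
 policy-tag branch-policy
 site-tag branch-site
"""


def parse_blocks(config):
    """Group the config into {top-level line: [indented lines, stripped]}."""
    blocks, current = {}, None
    for line in config.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            current = line.strip()
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line.strip())
    return blocks


def flex_vlans(blocks):
    """Return {flex profile name: {vlan ids}}; vlan-id lines nest under vlan-name."""
    out = defaultdict(set)
    for header, body in blocks.items():
        m = re.match(r"wireless profile flex (\S+)$", header)
        if m:
            out[m.group(1)] = {int(ln.split()[1]) for ln in body if ln.startswith("vlan-id ")}
    return out


def audit(config=RUNNING_CONFIG):
    """Return (ap, policy profile, vlan or None, severity) for each finding."""
    blocks = parse_blocks(config)
    fvlans = flex_vlans(blocks)
    findings = []
    for header, body in blocks.items():
        am = re.match(r"ap ([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})$", header)
        if not am:
            continue
        ap = am.group(1)
        tags = dict(ln.split(None, 1) for ln in body if " " in ln)
        site = blocks.get("wireless tag site " + tags.get("site-tag", ""), [])
        flex = next((ln.split()[1] for ln in site if ln.startswith("flex-profile ")), None)
        if flex is None:
            continue  # not a FlexConnect site tag: local switching does not apply
        ptag = blocks.get("wireless tag policy " + tags.get("policy-tag", ""), [])
        for ln in ptag:
            pm = re.match(r"wlan \S+ policy (\S+)$", ln)
            if not pm:
                continue
            name = pm.group(1)
            prof = blocks.get("wireless profile policy " + name, [])
            if "no central switching" not in prof:
                continue  # centrally switched: the VLAN lives on the controller
            tunnels = "flex vlan-central-switching" in prof
            if "aaa-override" in prof and not tunnels:
                findings.append((ap, name, None, "medium"))  # AAA VLAN not in flex profile is dropped
            vm = next((re.match(r"vlan (\d+)$", x) for x in prof if x.startswith("vlan ")), None)
            if vm and int(vm.group(1)) not in fvlans[flex]:
                findings.append((ap, name, int(vm.group(1)), "info" if tunnels else "high"))
    return findings


if __name__ == "__main__":
    for ap, prof, vlan, sev in audit():
        print(f"{sev:6} AP {ap} policy profile {prof} vlan {vlan}")
```

Feed it the output of show running-config; the parser only relies on the one-space indentation of IOS XE sub-mode lines, so it is safe to pipe the whole configuration through it.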

OfficeExtend Access Points for FlexConnect
A Cisco OfficeExtend access point (OEAP) provides secure communications from a controller to a Cisco AP at a remote location, seamlessly extending the corporate WLAN over the Internet to an employee's residence. A user's experience at the home office is the same as at the corporate office. Datagram Transport Layer Security (DTLS) encryption of the CAPWAP tunnel between the access point and the controller protects the traffic that crosses the employee's home network and the Internet.

Note Preconfigure the controller IP for a zero-touch deployment with OEAP. Other home users can use the same access point for home use by configuring the local SSID from the AP.

Note In releases prior to Cisco IOS XE Amsterdam 17.3.2, when an AP is converted to OEAP, the local DHCP server on the AP is enabled by default. If the DHCP server on the home router uses the same configuration, an address conflict occurs and the AP is not able to join back to the controller. In such a scenario, we recommend that you change the default DHCP server on the Cisco AP using the OEAP GUI.

Note For OEAP, when configuration changes are made from the OEAP GUI to any of the following: Radio Status, Radio Interface Status, 802.11n mode, 802.11ac mode, Bandwidth, and Channel Selection (2.4 GHz or 5 GHz), CAPWAP is restarted for the configuration to sync between the AP and the controller. During this interval, the AP GUI may not respond until the AP rejoins the controller. We recommend that you wait for the AP to rejoin the controller (about 1-2 minutes) before you make further changes from the OEAP GUI.

Note In Cisco OfficeExtend access point (Cisco OEAP), if the OEAP local DHCP server is enabled and the user configures a DNS IP from the OEAP GUI, the wireless and wired clients connected to the Cisco OEAP receive that IP as the DNS server IP in the DHCP ACK.

Configuring OfficeExtend Access Points
Follow the procedure given below to configure OfficeExtend access points.

Procedure

Step 1
configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
wireless profile flex flex-profile-name
Example: Device(config)# wireless profile flex test
Purpose: Configures a wireless flex profile and enters wireless flex profile configuration mode.

Step 3
office-extend
Example: Device(config-wireless-flex-profile)# office-extend
Purpose: Enables the OfficeExtend AP mode for a FlexConnect AP.

Step 4
end
Example: Device(config-wireless-flex-profile)# end
Purpose: Exits configuration mode and returns to privileged EXEC mode.
Note: After creating the flex profile, ensure that the OEAP is in FlexConnect mode and is mapped to the site tag that references this flex profile.

OfficeExtend is disabled by default. To clear the access point's configuration and return it to the factory defaults, use the clear ap config cisco-ap command.

Disabling OfficeExtend Access Point
Follow the procedure given below to disable an OfficeExtend access point.

Procedure

Step 1
configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
wireless profile flex flex-profile-name
Example: Device(config)# wireless profile flex test
Purpose: Configures a wireless flex profile and enters wireless flex profile configuration mode.

Step 3
no office-extend
Example: Device(config-wireless-flex-profile)# no office-extend
Purpose: Disables OfficeExtend AP mode for a FlexConnect AP.

Step 4
end
Example: Device(config-wireless-flex-profile)# end
Purpose: Exits configuration mode and returns to privileged EXEC mode.

Support for OEAP Personal SSID
Information About OEAP Personal SSID Support
The Cisco OfficeExtend Access Point supports a personal SSID. This enables a local home client to use the same OfficeExtend Access Point for local networking and Internet connectivity. With the OEAP personal SSID feature, you can enable or disable the personal SSID, enable or disable Datagram Transport Layer Security (DTLS) encryption between the access point and the controller, and enable rogue detection, using the knobs on the AP profile page in the GUI. Local network access and DTLS encryption are enabled by default. The configurations described in this chapter apply to OEAPs and to APs in OEAP mode.
Configuring OEAP Personal SSID (GUI)
Procedure

Step 1  Choose Configuration > AP Tags & Profiles > AP Join. The AP Join Profile section displays all the AP Join profiles.
Step 2  To edit the configuration details of an AP Join profile, select the profile used by the APs in OEAP mode. The Edit AP Join Profile window is displayed.
Step 3  In the General tab, under the OfficeExtend AP Configuration section, configure the following:
        a) Check the Local Access check box to enable the local network. By default, Local Access is enabled. After the AP joins the controller using an AP join profile where local access is enabled, the AP does not broadcast the default personal SSID. Because local access is enabled, you can log in to the AP GUI and configure the personal SSID.
        b) Check the Link Encryption check box to enable data DTLS. By default, Link Encryption is enabled.
        c) Check the Rogue Detection check box to enable rogue detection. Rogue detection is disabled by default for OfficeExtend APs because these APs, deployed in a home environment, are likely to detect a large number of rogue devices.

Configuring OEAP Personal SSID (CLI)

Procedure

Step 1
configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
ap profile ap-profile
Example: Device(config)# ap profile ap-profile
Purpose: Configures an AP profile and enters AP profile configuration mode.

Step 3
[no] oeap local-access
Example: Device(config-ap-profile)# oeap local-access
Purpose: Enables local access on the AP. Local access consists of the local AP GUI, the LAN ports, and the personal SSID. The no form of this command disables the feature: the AP GUI becomes unreachable, the local LAN port is disabled, and the personal SSID is not broadcast.

Step 4
[no] oeap link-encryption
Example: Device(config-ap-profile)# oeap link-encryption
Purpose: Enables DTLS encryption of the data channel for OEAPs and for APs moving to OEAP mode. The no form of this command disables the feature. This feature is enabled by default.

Step 5
[no] oeap rogue-detection
Example: Device(config-ap-profile)# no oeap rogue-detection
Purpose: Enables rogue detection for OEAPs in AP profile configuration mode. The no form of this command disables the feature. This feature is disabled by default.

Viewing OEAP Personal SSID Configuration
To view the OEAP personal SSID configuration, run the following command:

Device# show ap profile name default-ap-profile detailed
.
.
.
OEAP Mode Config
  Link Encryption : ENABLED
  Rogue Detection : DISABLED
  Local Access    : ENABLED
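A quick way to catch an OEAP join profile that has drifted from the intended posture is to parse the OEAP Mode Config block shown above. The script below is an added example, not Cisco code and not part of this guide. The expected values it enforces (link encryption on, local access off, rogue detection off) are an assumed policy for a strict deployment, not a Cisco default, and the sample output is constructed to resemble the guide's example. Link encryption off means the CAPWAP data channel from the home AP crosses the Internet without DTLS; local access on exposes the AP GUI, the LAN ports and the personal SSID to the home network.

```python
"""Rate the OEAP settings of an AP join profile from 'show ap profile name <p> detailed'.

Added example, not Cisco's code. EXPECTED is an assumed hardening policy.
"""
import re

# Constructed output modelled on the guide's example (not a real capture).
SHOW_OUTPUT = """\
AP Profile Name : home-oeap
...
OEAP Mode Config
  Link Encryption : DISABLED
  Rogue Detection : DISABLED
  Local Access    : ENABLED
"""

# setting -> (required value, severity when it deviates or is missing)
EXPECTED = {
    "Link Encryption": ("ENABLED", "high"),    # data DTLS must stay on for OEAP
    "Local Access": ("DISABLED", "medium"),    # strict profile: no local GUI/LAN/personal SSID
    "Rogue Detection": ("DISABLED", "low"),    # home networks generate rogue noise
}


def parse_oeap_block(text):
    """Return {setting: 'ENABLED'|'DISABLED'} from the OEAP Mode Config section."""
    settings, in_block = {}, False
    for line in text.splitlines():
        if line.strip() == "OEAP Mode Config":
            in_block = True
            continue
        if in_block:
            m = re.match(r"\s*(.+?)\s*:\s*(ENABLED|DISABLED)\s*$", line)
            if not m:
                break  # first line that is not a setting ends the block
            settings[m.group(1)] = m.group(2)
    return settings


def audit_oeap(text=SHOW_OUTPUT, expected=EXPECTED):
    """Return {setting: severity} for every setting that deviates or is absent."""
    settings = parse_oeap_block(text)
    # A missing setting is treated as a deviation: absence of the block usually
    # means the wrong profile was queried, which should not pass silently.
    return {key: sev for key, (want, sev) in expected.items() if settings.get(key) != want}


if __name__ == "__main__":
    for key, sev in audit_oeap().items():
        print(f"{sev:6} {key} does not match policy")
```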

Clearing Personal SSID from an OfficeExtend Access Point
To clear the personal SSID from an access point, run the following command:

Device# ap name Cisco_AP clear-personal-ssid

Example: Viewing OfficeExtend Configuration
This example displays an OfficeExtend configuration:

Device# show ap config general

Cisco AP Name   : ap_name
=================================================

Cisco AP Identifier                     : 70db.986d.a860
Country Code                            : Multiple Countries : US,IN
Regulatory Domain Allowed by Country    : 802.11bg:-A 802.11a:-ABDN
AP Country Code                         : US - United States
AP Regulatory Domain
  Slot 0                                : -A
  Slot 1                                : -D
MAC Address                             : 002c.c899.7b84
IP Address Configuration                : DHCP
IP Address                              : 9.9.48.51
IP Netmask                              : 255.255.255.0
Gateway IP Address                      : 9.9.48.1
CAPWAP Path MTU                         : 1485
Telnet State                            : Disabled
SSH State                               : Disabled
Jumbo MTU Status                        : Disabled
Cisco AP Location                       : default location
Site Tag Name                           : flex-site
RF Tag Name                             : default-rf-tag
Policy Tag Name                         : split-tunnel-enabled-tag
AP join Profile                         : default-ap-profile
Primary Cisco Controller Name           : uname-controller
Primary Cisco Controller IP Address     : 9.9.48.34
Secondary Cisco Controller Name         : uname-controller1
Secondary Cisco Controller IP Address   : 0.0.0.0
Tertiary Cisco Controller Name          : uname-ewlc2
Tertiary Cisco Controller IP Address    : 0.0.0.0
Administrative State                    : Enabled
Operation State                         : Registered
AP Mode                                 : FlexConnect
AP Submode                              : Not Configured
Office Extend Mode                      : Enabled
Remote AP Debug                         : Disabled
Logging Trap Severity Level             : information
Software Version                        : 16.8.1.1
Boot Version                            : 1.1.2.4
Mini IOS Version                        : 0.0.0.0
Stats Reporting Period                  : 0
LED State                               : Enabled
PoE Pre-Standard Switch                 : Disabled
PoE Power Injector MAC Address          : Disabled
Power Type/Mode                         : PoE/Full Power (normal mode)


Proxy ARP
Proxy Address Resolution Protocol (ARP) is the most common method of learning a MAC address through a proxy device. Enabling proxy ARP, known as ARP caching on the Cisco Catalyst 9800 Series Wireless Controller, means that the AP that owns the wireless client targeted by an ARP request replies on behalf of that client and therefore does not forward the ARP request to the client over the air. An AP that does not own the destination client and receives the ARP request on its wired connection drops the request. When ARP caching is disabled, the APs bridge ARP requests from wired to wireless and vice versa, increasing air-time usage and broadcasts over the wireless medium.
Enabling Proxy ARP for FlexConnect APs (GUI)
Procedure

Step 1  Choose Configuration > Tags & Profiles > Flex.
Step 2  Click Add.
Step 3  In the General tab, enter the Name of the Flex Profile and check the ARP Caching check box. The name can contain ASCII characters from 32 to 126, without leading or trailing spaces.
Step 4  Click Apply to Device.

Enabling Proxy ARP for FlexConnect APs
Follow the procedure given below to configure proxy ARP for FlexConnect APs.

Procedure

Step 1
configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
wireless profile flex flex-profile-name
Example: Device(config)# wireless profile flex flex-test
Purpose: Configures a flex profile and enters wireless flex profile configuration mode.

Step 3
arp-caching
Example: Device(config-wireless-flex-profile)# arp-caching
Purpose: Enables ARP caching.
Note: Use the no arp-caching command to disable ARP caching.

Step 4
end
Example: Device(config-wireless-flex-profile)# end
Purpose: Returns to privileged EXEC mode.

Step 5
show running-config | section wireless profile flex
Example: Device# show running-config | section wireless profile flex
Purpose: Displays the ARP caching configuration of the flex profiles.

Step 6
show wireless profile flex detailed flex-profile-name
Example: Device# show wireless profile flex detailed flex-test
Purpose: (Optional) Displays detailed information about the flex profile.

Step 7
show arp summary
Example: Device# show arp summary
Purpose: (Optional) Displays the ARP summary.

Overlapping Client IP Address in Flex Deployment

Overview of Overlapping Client IP Address in Flex Deployment
In flex deployments, you can use a cookie-cutter configuration across sites and branches, which often includes local DHCP servers configured with the same subnet. In that topology, the controller sees multiple client sessions with the same IP address, treats them as IP theft, and puts the clients in the blocked list. The Overlapping Client IP Address in Flex Deployment feature allows the same client IP address to be used at different flex sites, by tracking client IP addresses with a zone ID rather than globally (see the device-tracking output in the verification section), while providing all the functionality supported in flex deployments.
Enabling Overlapping Client IP Address in Flex Deployment (GUI)
Procedure

Step 1  Choose Configuration > Tags & Profiles > Flex and click Add.
Step 2  In the Add Flex Profile window, go to the General tab.
Step 3  Check the IP Overlap check box to enable overlapping client IP addresses in the flex deployment.
Step 4  Click Apply to Device.


Enabling Overlapping Client IP Address in Flex Deployment

Procedure

Step 1
configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
wireless profile flex flex-profile
Example: Device(config)# wireless profile flex flex1
Purpose: Configures a Flex profile and enters Flex profile configuration mode.

Step 3
[no] ip overlap
Example: Device(config-wireless-flex-profile)# ip overlap
Purpose: Enables overlapping client IP addresses in the flex deployment. Use the no form of the command to disable the feature.
Note: By default, the configuration is disabled.

Verifying Overlapping Client IP Address in Flex Deployment (GUI)
Procedure

Step 1  Choose Monitoring > Wireless > Clients.
Step 2  Click the client in the table to view properties and statistics for that client.
Step 3  On the Client window, General tab, click the Client Statistics tab to view the following details:
        · Number of Bytes Received from Client
        · Number of Bytes Sent to Client
        · Number of Packets Received from Client
        · Number of Packets Sent to Client
        · Number of Policy Errors
        · Radio Signal Strength Indicator
        · Signal to Noise Ratio
        · IP - Zone ID Mapping
Step 4  Click OK.

Verifying Overlapping Client IP Address in Flex Deployment

To verify whether the overlapping client IP address in Flex deployment feature is enabled, use the following command:

Device# show wireless profile flex detailed flex1
Fallback Radio shut        : DISABLED
ARP caching                : ENABLED
Efficient Image Upgrade    : ENABLED
OfficeExtend AP            : DISABLED
Join min latency           : DISABLED
IP overlap status          : DISABLED

To view additional details about the overlapping client IP address in Flex deployment feature, use the following command:

Device# show wireless device-tracking database ip
IP                                  ZONE-ID     STATE      DISCOVERY     MAC
----------------------------------------------------------------------------------------------
9.91.59.154                         0x00000002  Reachable  IPv4 Packet   6038.e0dc.3182
1000:1:2:3:90d8:dd1a:11ab:23c0      0x00000002  Reachable  IPv6 Packet   58ef.680d.c6c3
1000:1:2:3:f9b5:3074:d0da:f93b      0x00000002  Reachable  IPv6 Packet   58ef.680d.c6c3
2001:9:3:59:90d8:dd1a:11ab:23c0     0x00000002  Reachable  IPv6 NDP      58ef.680d.c6c3
2001:9:3:59:f9b5:3074:d0da:f93b     0x00000002  Reachable  IPv6 NDP      58ef.680d.c6c3
fe80::f9b5:3074:d0da:f93b           0x80000001  Reachable  IPv6 NDP      58ef.680d.c6c3

To view APs in various site tags, use the following command:

Device# show ap tag summary
Number of APs: 5

AP Name     AP Mac          Site Tag Name                     Policy Tag Name               RF Tag Name     Misconfigured  Tag Source
----------------------------------------------------------------------------------------------------------------------------------
AP3802      70b3.17f6.37aa  flex_ip_overlap-site-tag-auto-3   flex_ip_overlap_policy_tag_1  default-rf-tag  No             Static
AP-9117AX   0cd0.f894.0f8c  default-site-tag                  default-policy-tag            default-rf-tag  No             Default
AP1852JJ9   38ed.18ca.2b48  flex_ip_overlap-site-tag-auto-2   flex_ip_overlap_policy_tag_2  default-rf-tag  No             Static
AP1852I     38ed.18cc.61c0  flex_ip_overlap-site-tag-auto-1   flex_ip_overlap_policy_tag_1  default-rf-tag  No             Static
AP1542JJ9   700f.6a84.1b30  flex_ip_overlap-site-tag-auto-2   flex_ip_overlap_policy_tag_2  default-rf-tag  No             Static
To view APs in FlexConnect mode, use the following command:

Device# show ap status
AP Name      Status     Mode         Country
-------------------------------------------------------------------------
AP3802       Disabled   FlexConnect  IN
AP1852I      Enabled    FlexConnect  US
AP-9117AX    Enabled    FlexConnect  IN
AP1542JJ9    Disabled   FlexConnect  US
AP1852JJ9    Enabled    FlexConnect  US


Troubleshooting Overlapping Client IP Address in Flex Deployment

To verify the WNCD instance for each of the APs, use the following command:

Device# show wireless loadbalance ap affinity wncd 0
AP Mac          Discovery Timestamp  Join Timestamp      Tag
---------------------------------------------------------------------------------
0cd0.f894.0f8c  10/27/20 22:11:05    10/27/20 22:11:14   default-site-tag
38ed.18ca.2b48  10/27/20 22:06:09    10/27/20 22:06:19   flex_ip_overlap-site-tag-auto-2
700f.6a84.1b30  10/27/20 22:25:03    10/27/20 22:25:13   flex_ip_overlap-site-tag-auto-2
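The ZONE-ID column in the device-tracking output above is what turns "same IP at two branches" from an IP-theft event into a legitimate overlap. The following Python script is an added example, not Cisco code and not part of this guide: it parses constructed show wireless device-tracking database ip output (the addresses and MACs are illustrative, and the assumption that each zone ID corresponds to one flex site is the author's) and reports every IP claimed by more than one MAC within the same scope. With overlap enabled the scope is (zone, IP), so the two 192.168.1.10 bindings in different zones are not a conflict but the two MACs on 192.168.1.11 inside zone 3 still are; with overlap disabled the scope is the bare IP and both addresses are flagged, which is the behaviour that puts clients on the blocked list.

```python
"""Zone-scoped duplicate-IP check over 'show wireless device-tracking database ip'.

Added example, not Cisco's code. Demonstrates how the (zone-id, IP) key used
with IP overlap changes which bindings count as IP theft.
"""
import re
from collections import defaultdict

# Constructed output (not a real capture). Zones 0x2 and 0x3 are assumed to be
# two branch site tags that both hand out 192.168.1.0/24 locally.
DB_OUTPUT = """\
IP                                  ZONE-ID     STATE      DISCOVERY     MAC
----------------------------------------------------------------------------
192.168.1.10                        0x00000002  Reachable  IPv4 Packet   6038.e0dc.3182
192.168.1.10                        0x00000003  Reachable  IPv4 Packet   38ed.18ca.2b48
192.168.1.11                        0x00000003  Reachable  IPv4 Packet   38ed.18cc.61c0
192.168.1.11                        0x00000003  Reachable  IPv4 Packet   700f.6a84.1b30
fe80::f9b5:3074:d0da:f93b           0x80000001  Reachable  IPv6 NDP      58ef.680d.c6c3
"""

# One data row: IP, hex zone ID, state, discovery method (two words), dotted MAC.
ROW = re.compile(
    r"^(\S+)\s+(0x[0-9a-fA-F]+)\s+(\S+)\s+(IPv[46] \S+)\s+"
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s*$"
)


def parse_bindings(text):
    """Return a list of (ip, zone, state, discovery, mac); header/rule lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            ip, zone, state, disc, mac = m.groups()
            rows.append((ip, int(zone, 16), state, disc, mac))
    return rows


def find_conflicts(text=DB_OUTPUT, overlap_enabled=True):
    """Return {(scope, ip): sorted MACs} for IPs claimed by several MACs in one scope.

    scope is the zone ID when overlap is enabled (the controller's key in that
    mode) and None when it is disabled (a single global IP space).
    """
    by_key = defaultdict(set)
    for ip, zone, _state, _disc, mac in parse_bindings(text):
        scope = zone if overlap_enabled else None
        by_key[(scope, ip)].add(mac)
    return {key: sorted(macs) for key, macs in by_key.items() if len(macs) > 1}


if __name__ == "__main__":
    for mode in (True, False):
        print(f"overlap_enabled={mode}")
        for (scope, ip), macs in find_conflicts(overlap_enabled=mode).items():
            print(f"  zone {scope}: {ip} claimed by {', '.join(macs)}")
```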

Lawful Interception

Lawful Interception of Traffic
Using the Cisco wireless solution, it is possible to lawfully intercept the flow of traffic for monitoring purposes. Cisco APs create syslog records for traffic and send the records to the controller. Traffic from both IPv4 and IPv6 is recorded. The AP sends the syslog records to the controller at the configured interval, and the controller forwards these records to the lawful interception (LI) syslog server as soon as they are received from the AP.

Restrictions on Lawful Interception of Traffic

· To support the IPv6 protocol, enable IPv6 on the controller.

· This feature is supported only on Cisco Wave 2 APs, operating in Flex mode or in Flex+Bridge mode.

Configuring Lawful Interception
By default the lawful-interception command is disabled. Follow the procedure given below to enable it:

Procedure

Step 1
configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
wireless lawful-interception host {ipv4-addr | ipv6-addr}
Example: Device(config)# wireless lawful-interception host X:X:X:X::X
Purpose: Enables lawful interception on the controller and configures the IPv4 or IPv6 address of the LI server.

Step 3
ap profile ap-profile-name
Example: Device(config)# ap profile ap-profile-name
Purpose: Configures the AP profile and enters AP profile configuration mode.

Step 4
[no] lawful-interception
Example: Device(config-ap-profile)# lawful-interception
Purpose: Enables the lawful interception feature on the APs that use this profile. Use the no form of the command to disable the feature. By default, lawful interception is disabled.

Step 5
lawful-interception timer timer-value
Example: Device(config-ap-profile)# lawful-interception timer 70
Purpose: Configures the lawful interception report interval in seconds. By default, the timer is 60 seconds.

Verifying the Status of Lawful Interception

To verify the status of lawful interception, use the following show command:

Device# show wireless lawful-interception status
---------------------------------------------
Number AP profiles with LI enabled: 1
---------------------------------------------
Last Nexthop MAC address resolution state: Resolved
SRC IP address:          9.9.71.51
LI host IP address:      9.9.71.98
Ingress SRC MAC address: 0000.0002.0001
Egress SRC MAC address:  001e.7a9a.e9ff
Nexthop MAC address:     0050.56a0.80f4
--------------------------
LI Internal Data
--------------------------
Egress Vlan: 9
Plumb Ifid:  4026531841
Recent LI history (most recent on top):
Timestamp                   Event                      Context
--------------------------  -------------------------  ---------------------------------
06/21/2018 12:47:05.594163  NH_MAC_ADDR_RESULT         next_hop mac:0050.56a0.80f4
06/21/2018 12:47:05.594081  CPP_PLUMB                  egress src mac:001e.7a9a.e9ff,vlan:9
06/21/2018 12:47:05.593739  NH_MAC_ADDR_RESULT         next_hop mac:0050.56a0.80f4
06/21/2018 12:47:05.590337  CPP_UNPLUMB                egress src mac:001e.7a9a.e9ff,vlan:9
06/21/2018 12:47:01.561553  NH_MAC_ADDR_RESULT         next_hop mac:0050.56a0.80f4
06/21/2018 12:47:01.555291  NH_MAC_ADDR_SUBSCRIBE      src IP: 9.9.71.51,dst IP: 9.9.71.98
06/21/2018 12:47:01.555060  MGMT_IF_CHANGE
06/21/2018 12:47:00.618530  CPP_PLUMB                  egress src mac:001e.7a9a.e9ff,vlan:9
06/21/2018 12:47:00.607985  MAGIC_MAC_RESOLVED         0000.0002.0001
06/21/2018 12:47:00.607290  MAGIC_MAC_REQ
06/21/2018 12:47:00.606344  NH_MAC_ADDR_RESULT         next_hop mac:0050.56a0.80f4
06/21/2018 12:47:00.601806  NH_MAC_ADDR_SUBSCRIBE      src IP: 9.9.71.51,dst IP: 9.9.71.98
06/21/2018 12:47:00.600603  MGMT_IF_CHANGE
06/21/2018 12:46:55.847387  NH_MAC_ADDR_SUBSCRIBE      src IP: 9.9.71.51,dst IP: 9.9.71.98
06/21/2018 12:46:55.847094  MGMT_IF_CHANGE
06/21/2018 12:46:54.937173  NH_MAC_ADDR_SUBSCRIBE      src IP: 9.9.71.51,dst IP: 9.9.71.98
06/21/2018 12:46:54.936310  MGMT_IF_CHANGE
06/21/2018 12:46:53.186883  NH_MAC_ADDR_SUBSCRIBE      src IP: 9.9.71.51,dst IP: 9.9.71.98
06/21/2018 12:46:53.134721  MGMT_IF_CHANGE
06/21/2018 12:46:52.965403  MGMT_IF_CHANGE

To verify whether lawful interception is enabled on a particular AP, use the following show command:

Device# show ap name <ap_name> config general | include Lawful-Interception
Lawful-Interception Admin status : Enabled
Lawful-Interception Oper status  : Enabled

Flex Resilient with Flex and Bridge Mode Access Points

Information About Flex Resilient with Flex and Bridge Mode Access Points
This section describes how to set up a controller with Flex+Bridge mode access points (APs) and the Flex Resilient feature. The Flex Resilient feature works only with Flex+Bridge mode APs. The feature applies to the mesh link formed between a root AP (RAP) and a mesh AP (MAP): once the link is up and the RAP loses its connection to the CAPWAP controller, both the RAP and the MAP continue to bridge traffic. A child MAP maintains its link to its parent AP and continues to bridge until the parent link is lost. A child MAP cannot establish a new parent or child link until it reconnects to the CAPWAP controller.

Note Existing wireless clients on a locally switched WLAN can stay connected to their AP in this mode. No new or disconnected wireless client can associate to the mesh AP in this mode. Client traffic from a Flex+Bridge MAP is dropped at the RAP switch port for the locally switched WLANs.

Configuring a Flex Profile (GUI)
Procedure

Step 1  Choose Configuration > Tags & Profiles > Flex.
Step 2  Click a Flex Profile Name. The Edit Flex Profile dialog box appears.
Step 3  Under the General tab, check the Flex Resilient check box to enable the Flex Resilient feature.
Step 4  Under the VLAN tab, choose the required VLANs.
Step 5  (Optional) Under the Local Authentication tab, choose the desired server group from the Local Accounting RADIUS Server Group drop-down list. Also, check the RADIUS check box.
Step 6  Click Update & Apply to Device.

Configuring a Flex Profile (CLI)

Procedure

Step 1
configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
wireless profile flex flex-profile
Example: Device(config)# wireless profile flex new-flex-profile
Purpose: Configures a Flex profile and enters Flex profile configuration mode.

Step 3
arp-caching
Example: Device(config-wireless-flex-profile)# arp-caching
Purpose: Enables ARP caching.

Step 4
description description
Example: Device(config-wireless-flex-profile)# description "new flex profile"
Purpose: Adds a description to the Flex profile.

Step 5
native-vlan-id vlan-id
Example: Device(config-wireless-flex-profile)# native-vlan-id 2660
Purpose: Configures the native VLAN ID for the APs that use this profile.

Step 6
resilient
Example: Device(config-wireless-flex-profile)# resilient
Purpose: Enables the Flex Resilient feature.

Step 7
vlan-name vlan-name
Example: Device(config-wireless-flex-profile)# vlan-name VLAN2659
Purpose: Configures a VLAN name.

Step 8
vlan-id vlan-id
Example: Device(config-wireless-flex-profile)# vlan-id 2659
Purpose: Configures the VLAN ID for that VLAN name. The valid VLAN ID ranges from 1 to 4096.

Step 9
end
Example: Device(config-wireless-flex-profile)# end
Purpose: Exits configuration mode and returns to privileged EXEC mode.

Configuring a Site Tag (CLI)

Procedure

Step 1
configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
wireless tag site site-name
Example: Device(config)# wireless tag site new-flex-site
Purpose: Configures a site tag and enters site tag configuration mode.

Step 3
flex-profile flex-profile-name
Example: Device(config-site-tag)# flex-profile new-flex-profile
Purpose: Attaches the flex profile to the site tag.

Step 4
no local-site
Example: Device(config-site-tag)# no local-site
Purpose: Marks the site as a remote (FlexConnect) site; local site is not configured on the site tag.

Step 5
end
Example: Device(config-site-tag)# end
Purpose: Exits configuration mode and returns to privileged EXEC mode. The site tag is mapped to the AP in the Attaching Site Tag to an Access Point (CLI) procedure below.

Configuring a Mesh Profile (CLI)

Procedure

Step 1
configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
wireless profile mesh profile-name
Example: Device(config)# wireless profile mesh Mesh_Profile
Purpose: Configures a Mesh profile and enters Mesh profile configuration mode.

Step 3
no ethernet-vlan-transparent
Example: Device(config-wireless-profile-mesh)# no ethernet-vlan-transparent
Purpose: Disables VLAN transparency so that the bridge is VLAN aware.

Step 4
end
Example: Device(config-wireless-profile-mesh)# end
Purpose: Exits configuration mode and returns to privileged EXEC mode.

Associating Wireless Mesh to an AP Profile (CLI)

Procedure

Step 1
configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
ap profile ap-profile-name
Example: Device(config)# ap profile new-ap-join-profile
Purpose: Configures the AP profile and enters AP profile configuration mode.

Step 3
mesh-profile mesh-profile-name
Example: Device(config-ap-profile)# mesh-profile Mesh_Profile
Purpose: Attaches the Mesh profile to the AP profile.

Step 4
ssh
Example: Device(config-ap-profile)# ssh
Purpose: Enables Secure Shell (SSH) access to the APs that use this profile.

Step 5
mgmtuser username username password {0 | 8} password secret {0 | 8} secret
Example: Device(config-ap-profile)# mgmtuser username Cisco password 0 Cisco secret 0 Cisco
Purpose: Specifies the AP management username, password, and secret for managing all the access points that use this profile.
· 0: Specifies an UNENCRYPTED password.
· 8: Specifies an AES encrypted password.
Note: While configuring a username, ensure that special characters are not used, as they result in a bad-configuration error.

Step 6
end
Example: Device(config-ap-profile)# end
Purpose: Exits configuration mode and returns to privileged EXEC mode.

Attaching Site Tag to an Access Point (CLI)

Procedure

Step 1
configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
ap mac-address
Example: Device(config)# ap F866.F267.7DFB
Purpose: Selects the Cisco AP by its MAC address and enters ap-tag configuration mode.

Step 3
site-tag site-tag-name
Example: Device(config-ap-tag)# site-tag new-flex-site
Purpose: Maps the site tag to the AP.
Note: Associating a site tag causes the associated AP to reconnect.

Step 4
end
Example: Device(config-ap-tag)# end
Purpose: Exits configuration mode and returns to privileged EXEC mode.

Configuring Switch Interface for APs (CLI)

Procedure

Step 1
configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
interface interface-id
Example: Device(config)# interface <int-id>
Purpose: Enters interface configuration mode for the switch port that connects the AP.

Step 3
switchport trunk native vlan vlan-id
Example: Device(config-if)# switchport trunk native vlan 2660
Purpose: Sets the native (untagged) VLAN of the trunk port. It must match the native-vlan-id configured in the flex profile.

Step 4
switchport trunk allowed vlan vlan-id
Example: Device(config-if)# switchport trunk allowed vlan 2659,2660
Purpose: Restricts the VLANs allowed on the port when it is in trunking mode.

Step 5
switchport mode trunk
Example: Device(config-if)# switchport mode trunk
Purpose: Sets the trunking mode to trunk unconditionally.
Note: When the controller works as a host for spanning tree, configure portfast trunk on the uplink switch, using the spanning-tree portfast trunk command, to ensure faster convergence.

Step 6
end
Example: Device(config-if)# end
Purpose: Exits configuration mode and returns to privileged EXEC mode.

Verifying Flex Resilient with Flex and Bridge Mode Access Points Configuration

To view the AP mode and model details, use the following command:

Device# show ap name <ap-name> config general | inc AP Mode
AP Mode                                         : Flex+Bridge
AP Model                                        : AIR-CAP3702I-A-K9

To view the MAP mode details, use the following command:

Device# show ap name MAP config general | inc AP Mode
AP Mode                                         : Flex+Bridge
AP Model                                        : AIR-CAP3702I-A-K9

To view the RAP mode details, use the following command:

Device# show ap name RAP config general | inc AP Mode
AP Mode                                         : Flex+Bridge
AP Model                                        : AIR-AP2702I-A-K9

To view whether the Flex Profile - Resilient feature is enabled, use the following command:

Device# show wireless profile flex detailed FLEX_TAG | inc resilient
Flex resilient                                  : ENABLED

CHAPTER 22

OEAP Link Test

· Feature History for OEAP Link Test, on page 307
· Information About OEAP Link Test, on page 307
· Configuring OEAP Link Test (CLI), on page 308
· Performing OEAP Link Test (GUI), on page 308
· Verifying OEAP Link Test, on page 308

Feature History for OEAP Link Test

This table provides release and related information for the feature explained in this module. This feature is also available in all the releases subsequent to the one in which it is introduced, unless noted otherwise.

Table 15: Feature History for OEAP Link Test

Release: Cisco IOS XE Bengaluru 17.5.1
Feature: OEAP Link Test
Feature Information: The Cisco OEAP Link Test feature allows you to determine the DTLS upload, link latency, and jitter of the link between an AP and the controller.

Information About OEAP Link Test
The Cisco OEAP Link Test feature allows you to determine the DTLS upload speed of the link between an AP and the controller. This feature helps in identifying network bottlenecks and reasons for functionality failures. You can determine the link latency by running a test on demand.
A link test is used to determine the quality of the link between the controller and an AP in OEAP mode. The AP sends synthetic packets to the controller and the controller echoes them back to the AP, which can then estimate the link quality.
Feature Scenarios
Cisco OfficeExtend Access Point (OEAP) users are complaining of poor performance when connected to a teleworker AP.
Use Cases
This feature allows OEAP network admins to troubleshoot low throughput from the Cisco Catalyst 9800 Controller GUI by running the OEAP link test.
The OEAP link test provides DTLS upload speed, link latency, and link jitter, all of which help the network administrators to narrow down the problem.

Configuring OEAP Link Test (CLI)

Procedure

Step 1

enable
Example:
Device> enable

Enters privileged EXEC mode.

Step 2

ap name ap-name network-diagnostic
Example:
Device# ap name ap18 network-diagnostic

Triggers network diagnostics on an OfficeExtend AP.

Performing OEAP Link Test (GUI)

Procedure

Step 1
Choose Monitoring > Wireless > AP Statistics.
In the list of APs, a Link Test icon is displayed in the AP Name column for OEAP-capable APs.

Note
The Link Test icon is displayed only if an AP is OEAP capable and is configured to operate as OEAP.

Step 2
Click Link Test. A link test is run and the results are shown.

Verifying OEAP Link Test
The following example shows how to verify network diagnostics information:

Device# show flexconnect office-extend diagnostics
Summary of OfficeExtend AP Link Latency

CAPWAP Latency Heartbeat
  Current: current latency (ms)   Min: minimum latency (ms)   Max: maximum latency (ms)

Link Test
  Upload: DTLS Upload (Mbps)   Latency: DTLS Link Latency (ms)   Jitter: DTLS Link Jitter (ms)

AP Name   Last Latency Heartbeat from AP   Current   Max   Min   Last Link Test Run   Upload   Latency   Jitter
----------------------------------------------------------------------------------------------------
ap-18     1 minute 1 second                0         0     0     12/04/20 09:19:48    8        2         0

CHAPTER 23
Data DTLS
· Information About Data Datagram Transport Layer Security, on page 311
· Configuring Data DTLS (GUI), on page 312
· Configuring Data DTLS (CLI), on page 312

Information About Data Datagram Transport Layer Security
Data Datagram Transport Layer Security (DTLS) enables you to encrypt CAPWAP data packets that are sent between an access point and the controller using DTLS, which is a standards-track IETF protocol that can encrypt both control and data packets based on TLS. CAPWAP control packets are management packets that are exchanged between a controller and an access point, while CAPWAP data packets encapsulate forwarded wireless frames. CAPWAP control and data packets are sent over separate UDP ports: 5246 (control) and 5247 (data). If an access point does not support DTLS data encryption, DTLS is enabled only for the control plane, and a DTLS session for the data plane is not established. If an access point supports Data DTLS, it enables data DTLS after receiving the new configuration from the controller. The access point performs a DTLS handshake on port 5247 and, after the DTLS session is successfully established, all the data traffic (from the access point to the controller and from the controller to the access point) is encrypted.

Note
The throughput is affected for some APs that have data encryption enabled.

The controller does not perform a DTLS handshake immediately after processing the client-hello with a cookie if either of the following incorrect settings is configured:
· ECDHE-ECDSA cipher in "ap dtls-cipher <>" and an RSA-based certificate in "wireless management trustpoint".
· RSA cipher in "ap dtls-cipher <>" and an EC-based certificate in "wireless management trustpoint".

Note
This is applicable when you move from CC -> FIPS -> non-FIPS mode.

Note
If the AP's DHCP lease time is short and the DHCP pool is small, access point join failure or failure in establishing the Data Datagram Transport Layer Security (DTLS) session may occur. In such scenarios, associate the AP with a named site-tag and increase the DHCP lease time to at least 8 days.
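The following Python check is an added example, not part of this guide or of the controller software. Given a running-config excerpt, it pairs the ap dtls-cipher setting with the key type of the wireless management trustpoint (rsakeypair or eckeypair under crypto pki trustpoint) and reports the cipher/certificate mismatch described in the note above, which leaves the AP without a completed DTLS handshake. The trustpoint names, key labels and cipher-suite strings are constructed placeholders.

```python
"""Flag the DTLS cipher / management-certificate mismatch described above.

Added example (not from this guide). Rule applied, as stated in the note:
an ECDHE-ECDSA suite under 'ap dtls-cipher' needs an EC certificate in the
wireless management trustpoint, an RSA suite needs an RSA certificate;
otherwise the controller does not complete the DTLS handshake with the AP.
"""
import re
from typing import Dict, List, Optional

# Constructed running-config excerpt: the management trustpoint carries an
# RSA key pair while the AP DTLS cipher is ECDHE-ECDSA, i.e. a mismatch.
# Trustpoint names, key labels and the cipher string are placeholders.
SAMPLE_CONFIG = """\
crypto pki trustpoint WLC-RSA-TP
 enrollment selfsigned
 rsakeypair WLC-RSA-KEY
crypto pki trustpoint WLC-EC-TP
 enrollment terminal
 eckeypair WLC-EC-KEY
ap dtls-cipher ECDHE-ECDSA-AES256-GCM-SHA384
wireless management trustpoint WLC-RSA-TP
"""


def cipher_key_type(cipher: str) -> str:
    """Key type a suite authenticates with: EC for ECDSA suites, RSA for the
    rest (OpenSSL-style names without a signature algorithm, such as
    AES256-SHA256, use RSA key exchange)."""
    return "EC" if "ECDSA" in cipher.upper() else "RSA"


def trustpoint_key_types(config: str) -> Dict[str, str]:
    """Map each 'crypto pki trustpoint' to RSA (rsakeypair) or EC (eckeypair)."""
    types: Dict[str, str] = {}
    current: Optional[str] = None
    for line in config.splitlines():
        m = re.match(r"^crypto pki trustpoint (\S+)", line)
        if m:
            current = m.group(1)
        elif current and re.match(r"^\s+rsakeypair\s", line):
            types[current] = "RSA"
        elif current and re.match(r"^\s+eckeypair\s", line):
            types[current] = "EC"
        elif line and not line[0].isspace():
            current = None  # an unindented line ends the trustpoint block
    return types


def _global_value(config: str, command: str) -> Optional[str]:
    """Argument of a global command such as 'ap dtls-cipher <suite>'."""
    m = re.search(rf"^{re.escape(command)} (\S+)", config, re.MULTILINE)
    return m.group(1) if m else None


def check_dtls_cipher_vs_trustpoint(config: str) -> List[str]:
    """Return findings; an empty list means cipher and certificate agree."""
    cipher = _global_value(config, "ap dtls-cipher")
    trustpoint = _global_value(config, "wireless management trustpoint")
    if cipher is None or trustpoint is None:
        return []  # one side is at its default; nothing to compare here
    cert_type = trustpoint_key_types(config).get(trustpoint)
    if cert_type is None:
        return [f"trustpoint {trustpoint} has no rsakeypair/eckeypair line; cannot verify"]
    needed = cipher_key_type(cipher)
    if needed == cert_type:
        return []
    return [
        f"ap dtls-cipher {cipher} needs an {needed} certificate, but wireless "
        f"management trustpoint {trustpoint} holds an {cert_type} key; the "
        "controller will not complete the DTLS handshake with the AP"
    ]


if __name__ == "__main__":
    for finding in check_dtls_cipher_vs_trustpoint(SAMPLE_CONFIG):
        print(finding)
```

Feed it the relevant sections of show running-config; a finding means APs will sit without a data-plane (and possibly control-plane) DTLS session until either the cipher or the trustpoint is changed to match.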

Configuring Data DTLS (GUI)
Follow the procedure to enable DTLS data encryption for the access points on the controller:

Procedure

Step 1
Click Configuration > Tags and Profile > AP Join.

Step 2
Click Add to create a new AP Join Profile or click an existing profile to edit it.

Step 3
Click CAPWAP > Advanced.

Step 4
Check the Enable Data Encryption check box to enable Datagram Transport Layer Security (DTLS) data encryption.

Step 5
Click Update & Apply to Device.

Configuring Data DTLS (CLI)
Follow the procedure given below to enable DTLS data encryption for the access points on the controller:

Procedure

Step 1

configure terminal
Example:
Device# configure terminal

Enters global configuration mode.

Step 2

ap profile ap-profile
Example:
Device(config)# ap profile test-ap-profile

Configures an AP profile and enters AP profile configuration mode.

Note
You can use the default AP profile (default-ap-profile) or create a named AP profile, as shown in the example.

Step 3

link-encryption
Example:
Device(config-ap-profile)# link-encryption

Enables link encryption based on the profile. Answer yes when the system prompts you with this message:

Enabling link-encryption will reboot the APs with link-encryption.
Are you sure you want to continue? (y/n)[y]:

Note
If you set stats-timer to zero (0) under the AP profile, the AP does not send the link encryption statistics.

Step 4

end
Example:
Device(config-ap-profile)# end

Returns to privileged EXEC mode.

Step 5

show wireless dtls connections
Example:
Device# show wireless dtls connections

(Optional) Displays the DTLS session established for the AP that has joined this controller.

Step 6

show ap link-encryption
Example:
Device# show ap link-encryption

(Optional) Displays the link encryption-related statistics (whether link encryption is enabled or disabled) counter received from the AP.

CHAPTER 24
AP Crash File Upload
· AP Crash File Upload, on page 315
· Configuring AP Crash File Upload (CLI), on page 316

AP Crash File Upload
When a converted access point unexpectedly reboots, the access point stores a crash file on its local flash memory at the time of the crash. After the unit reboots, it sends the reason for the reboot to the device. If the unit rebooted because of a crash, the device pulls the crash file using the existing CAPWAP messages and stores it in the device flash memory. The crash information copy is removed from the access point's flash memory when the device pulls it from the access point.

Note
The system does not generate reports in case of a reload. During a process crash, the following are collected locally from the device:
· Full process core
· Trace logs
· Cisco IOS syslogs (not guaranteed in case of nonactive crashes)
· System process information
· Bootup logs
· Reload logs
· Certain types of proc information
All this information is stored in separate files, which are then archived and compressed into one bundle. This makes it convenient to get a crash snapshot in one place, which can then be moved off the box for analysis. This report is generated before the device goes down to ROMMON/bootloader.

Note
Except for the full core and trace logs, everything else is a text file.

Configuring AP Crash File Upload (CLI)
Procedure

Step 1
enable
Enters privileged EXEC mode.

Step 2
ap name ap-name crash-file get-crash-data
Collects AP crash information. The crash file is uploaded automatically after the AP reloads to ready state. Therefore, this command does not have to be manually executed.

Step 3
ap name ap-name crash-file get-radio-core-dump slot {0 | 1}
Collects the AP core dump file for slot 0 or slot 1.

Step 4
ap name ap-name core-dump tftp-ip crash-file uncompress
Uploads the AP crash core dump file to the given TFTP location.

Step 5
show ap crash-file
Example:
Device(config)# show ap crash-file
Local Core Files:
lrad_AP1130.rdump0 (156)

The number in parentheses indicates the size of the file. The size should be greater than zero if a core dump file is available.
Displays the AP crash file, as well as the radio crash file.

Step 6
dir bootflash
Displays the crash file in bootflash with the .crash extension.

CHAPTER 25
Access Point Plug-n-Play
· Overview of Access Point Plug-n-Play, on page 317
· Provisioning AP from PnP Server, on page 317
· Verifying AP Tag Configuration, on page 318

Overview of Access Point Plug-n-Play
The Plug and Play (PnP) server provides staging parameters to an access point (AP) before it joins a controller. Using this staging configuration, the AP receives the runtime configuration when it joins the controller. The AP PnP feature enables the PnP server to provide all tag-related information as part of the preconfigured information to the AP and, in turn, to the controller. You can upload the configuration to the PnP server in either TXT or JSON format and also add the AP details. The AP details are then mapped with the details in the TXT or JSON configuration file. While provisioning the AP from the PnP server, the AP acquires these configuration details. Based on the configuration details, the AP then joins the corresponding controller with the tag details.

Provisioning AP from PnP Server
You can provision an AP from the PnP server in either of the following ways:
· Configure the DHCP server or switch with Option 43. For example, you can refer to the following code sample:

ip dhcp pool vlan10
 network 9.10.10.0 255.255.255.0
 default-router 9.10.10.1
 option 43 ascii 5A1D;B2;K4;|9.10.60.5;J80

· Configure the DHCP server with DNS. For example, you can refer to the following code sample:

ip dhcp pool vlan10
 network 9.10.10.0 255.255.255.0
 default-router 9.10.10.1
 dns-server 9.8.65.5
 domain-name dns.com
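The following Python parser is an added example, not part of this guide. It decodes a PnP Option 43 ASCII string into its fields so an operator can confirm which PnP server, transport and port a DHCP scope hands to APs before they are staged, and it audits the result against the server the site expects. The field layout it assumes (a 5A1N or 5A1D header, B for address type, K for transport, I for the server address, J for the port) follows the published Cisco Network Plug and Play Option 43 format; the sample string, server address and port below are constructed, not values from the guide.

```python
"""Decode and audit a Cisco PnP DHCP Option 43 ASCII string.

Added example (not from this guide). Field layout assumed, following the
published Cisco Network Plug and Play Option 43 format:
  5A1N   header: 5 = option-43 type code for PnP, A = active operation,
                 1 = version, N = debug off (D = debug on)
  B<n>   address type: 1 = hostname, 2 = IPv4, 3 = IPv6
  K<n>   transport: 4 = HTTP, 5 = HTTPS
  I<..>  PnP server address
  J<..>  PnP server port
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample modelled on the option 43 line in the DHCP pool above
# (server address and port are placeholders, not values from the guide).
SAMPLE_OPTION43 = "5A1N;B2;K4;I192.0.2.10;J80"

ADDRESS_TYPES = {"1": "hostname", "2": "IPv4", "3": "IPv6"}
TRANSPORTS = {"4": "HTTP", "5": "HTTPS"}


@dataclass
class PnpOption43:
    debug: bool                 # D in the header enables PnP agent debug
    address_type: str           # decoded B field
    transport: str              # decoded K field
    server: str                 # I field as written
    port: int                   # J field
    extra: Dict[str, str] = field(default_factory=dict)  # letters not decoded here


def parse_pnp_option43(value: str) -> PnpOption43:
    """Split the ';'-separated string into its lettered fields."""
    parts = value.split(";")
    header = parts[0]
    if len(header) != 4 or header[:2] != "5A" or header[3] not in "ND":
        raise ValueError(f"unexpected PnP option 43 header: {header!r}")
    letters: Dict[str, str] = {}
    for part in parts[1:]:
        if part:
            letters[part[0]] = part[1:]
    for required in "BKIJ":
        if required not in letters:
            raise ValueError(f"option 43 string is missing the {required} field")
    return PnpOption43(
        debug=header[3] == "D",
        address_type=ADDRESS_TYPES.get(letters["B"], f"unknown({letters['B']})"),
        transport=TRANSPORTS.get(letters["K"], f"unknown({letters['K']})"),
        server=letters["I"],
        port=int(letters["J"]),
        extra={k: v for k, v in letters.items() if k not in "BKIJ"},
    )


def audit_pnp_option43(value: str, expected_server: str) -> List[str]:
    """Findings an operator would want before trusting a DHCP scope that
    redirects APs to a PnP server."""
    opt = parse_pnp_option43(value)
    findings: List[str] = []
    if opt.server != expected_server:
        findings.append(f"PnP server {opt.server} is not the expected {expected_server}")
    if opt.transport != "HTTPS":
        findings.append(
            f"staging transport is {opt.transport}; the AP fetches its staging parameters without TLS"
        )
    if opt.address_type == "IPv4":
        try:
            ipaddress.IPv4Address(opt.server)
        except ValueError:
            findings.append(f"B2 declares an IPv4 address but the I field is {opt.server!r}")
    if opt.debug:
        findings.append("PnP agent debug (D flag) is enabled in the production scope")
    if not 1 <= opt.port <= 65535:
        findings.append(f"port {opt.port} is out of range")
    return findings


if __name__ == "__main__":
    print(parse_pnp_option43(SAMPLE_OPTION43))
    for line in audit_pnp_option43(SAMPLE_OPTION43, "192.0.2.10"):
        print("finding:", line)
```

Paste the ascii argument of the option 43 line into parse_pnp_option43; the audit lists anything that differs from the PnP server the site actually operates, and reminds you when the scope points APs at an HTTP rather than HTTPS staging URL.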
Verifying AP Tag Configuration
The following example shows how to verify the AP tag configuration:

Device# show ap tag summary
Number of APs: 5

AP Name            AP Mac           Site Tag Name      Policy Tag Name      RF Tag Name      Misconfigured   Tag Source
----------------------------------------------------------------------------------------------------------------------
APd42c.4482.6102   d42c.4482.6102   default-site-tag   default-policy-tag   default-rf-tag   No              Default
AP00c1.64d8.6af0   00c1.64d8.6af0   named-site-tag     named-policy-tag     named-rf-tag     No              AP

Note
The details in the second row reflect the tag source coming from a PnP server.
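The following Python script is an added example, not part of this guide. It parses show ap tag summary output and flags APs marked Misconfigured, or whose Tag Source is not one the controller applied itself, which is how tags pushed through a PnP server and stored on the AP (Tag Source AP, as in the second row above) stand out in a fleet review. The output below is constructed to match the column layout shown above; the third AP and its MAC address are made up, and the list of sources treated as controller-applied is an assumption for this example.

```python
"""Parse 'show ap tag summary' and flag APs whose tags need a look.

Added example (not from this guide). The sample output is constructed to
match the column layout of the verification command above.
"""
from typing import Dict, List, Sequence

SAMPLE_OUTPUT = """\
Device# show ap tag summary
Number of APs: 3

AP Name            AP Mac           Site Tag Name      Policy Tag Name      RF Tag Name      Misconfigured   Tag Source
-----------------------------------------------------------------------------------------------------------------------
APd42c.4482.6102   d42c.4482.6102   default-site-tag   default-policy-tag   default-rf-tag   No              Default
AP00c1.64d8.6af0   00c1.64d8.6af0   named-site-tag     named-policy-tag     named-rf-tag     No              AP
AP0011.2233.4455   0011.2233.4455   named-site-tag     named-policy-tag     named-rf-tag     Yes             Static
"""

COLUMNS = ["ap_name", "ap_mac", "site_tag", "policy_tag", "rf_tag",
           "misconfigured", "tag_source"]


def parse_ap_tag_summary(output: str) -> List[Dict[str, str]]:
    """Return one dict per AP row; rows start after the dashed separator.
    Tag names and MAC addresses contain no spaces, so whitespace splitting
    is enough for this table."""
    rows: List[Dict[str, str]] = []
    in_table = False
    for line in output.splitlines():
        if line.startswith("----"):
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        parts = line.split()
        if len(parts) != len(COLUMNS):
            raise ValueError(f"unexpected row in show ap tag summary: {line!r}")
        rows.append(dict(zip(COLUMNS, parts)))
    return rows


def flag_ap_tags(rows: List[Dict[str, str]],
                 controller_sources: Sequence[str] = ("Static", "Default")) -> List[str]:
    """Findings: Misconfigured = Yes, or tags that did not come from the
    controller's own mapping. The allowed-source list is an assumption;
    adjust it to the sources your deployment expects."""
    findings: List[str] = []
    for row in rows:
        if row["misconfigured"].lower() == "yes":
            findings.append(f"{row['ap_name']}: tag configuration is marked Misconfigured")
        if row["tag_source"] not in controller_sources:
            findings.append(
                f"{row['ap_name']}: tags came from source {row['tag_source']}, "
                "not from the controller mapping"
            )
    return findings


if __name__ == "__main__":
    for finding in flag_ap_tags(parse_ap_tag_summary(SAMPLE_OUTPUT)):
        print(finding)
```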


CHAPTER 26
802.11 Parameters for Cisco Access Points
· 2.4-GHz Radio Support, on page 319
· 5-GHz Radio Support, on page 321
· Information About Dual-Band Radio Support, on page 323
· Configuring Default XOR Radio Support, on page 324
· Configuring XOR Radio Support for the Specified Slot Number (GUI), on page 326
· Configuring XOR Radio Support for the Specified Slot Number, on page 326
· Receiver Only Dual-Band Radio Support, on page 328
· Configuring Client Steering (CLI), on page 330
· Verifying Cisco Access Points with Dual-Band Radios, on page 331

2.4-GHz Radio Support
Configuring 2.4-GHz Radio Support for the Specified Slot Number
Before you begin

Note
The terms 802.11b radio and 2.4-GHz radio are used interchangeably.

Procedure

Step 1

enable
Example:
Device# enable

Enters privileged EXEC mode.

Step 2

ap name ap-name dot11 24ghz slot 0 SI
Example:
Device# ap name AP-SIDD-A06 dot11 24ghz slot 0 SI

Enables Spectrum Intelligence (SI) for the dedicated 2.4-GHz radio hosted on slot 0 for a specific access point. For more information, see the Spectrum Intelligence section in this guide.
Here, 0 refers to the Slot ID.

Step 3

ap name ap-name dot11 24ghz slot 0 antenna {ext-ant-gain antenna_gain_value | selection [internal | external]}
Example:
Device# ap name AP-SIDD-A06 dot11 24ghz slot 0 antenna selection internal

Configures the 802.11b antenna hosted on slot 0 for a specific access point.
· ext-ant-gain: Configures the 802.11b external antenna gain.
antenna_gain_value: Refers to the external antenna gain value in multiples of .5 dBi units. The valid range is from 0 to 4294967295.
· selection: Configures the 802.11b antenna selection (internal or external).

Step 4

ap name ap-name dot11 24ghz slot 0 beamforming
Example:
Device# ap name AP-SIDD-A06 dot11 24ghz slot 0 beamforming

Configures beamforming for the 2.4-GHz radio hosted on slot 0 for a specific access point.

Step 5

ap name ap-name dot11 24ghz slot 0 channel {channel_number | auto}
Example:
Device# ap name AP-SIDD-A06 dot11 24ghz slot 0 channel auto

Configures advanced 802.11 channel assignment parameters for the 2.4-GHz radio hosted on slot 0 for a specific access point.

Step 6

ap name ap-name dot11 24ghz slot 0 cleanair
Example:
Device# ap name AP-SIDD-A06 dot11 24ghz slot 0 cleanair

Enables CleanAir for the 802.11b radio hosted on slot 0 for a specific access point.

Step 7

ap name ap-name dot11 24ghz slot 0 dot11n antenna {A | B | C | D}
Example:
Device# ap name AP-SIDD-A06 dot11 24ghz slot 0 dot11n antenna A

Configures the 802.11n antenna for the 2.4-GHz radio hosted on slot 0 for a specific access point.
Here,
A: Is the antenna port A.
B: Is the antenna port B.
C: Is the antenna port C.
D: Is the antenna port D.

Step 8

ap name ap-name dot11 24ghz slot 0 shutdown
Example:
Device# ap name AP-SIDD-A06 dot11 24ghz slot 0 shutdown

Disables the 802.11b radio hosted on slot 0 for a specific access point.

Step 9

ap name ap-name dot11 24ghz slot 0 txpower {tx_power_level | auto}
Example:
Device# ap name AP-SIDD-A06 dot11 24ghz slot 0 txpower auto

Configures the transmit power level for the 802.11b radio hosted on slot 0 for a specific access point.
· tx_power_level: Is the transmit power level in dBm. The valid range is from 1 to 8.
· auto: Enables auto-RF.

5-GHz Radio Support
Configuring 5-GHz Radio Support for the Specified Slot Number
Before you begin

Note
The terms 802.11a radio and 5-GHz radio are used interchangeably in this document.

Procedure

Step 1

enable
Example:
Device# enable

Enters privileged EXEC mode.

Step 2

ap name ap-name dot11 5ghz slot 1 SI
Example:
Device# ap name AP-SIDD-A06 dot11 5ghz slot 1 SI

Enables Spectrum Intelligence (SI) for the dedicated 5-GHz radio hosted on slot 1 for a specific access point.
Here, 1 refers to the Slot ID.

Step 3

ap name ap-name dot11 5ghz slot 1 antenna ext-ant-gain antenna_gain_value
Example:
Device# ap name AP-SIDD-A06 dot11 5ghz slot 1 antenna ext-ant-gain

Configures the external antenna gain for 802.11a radios for a specific access point hosted on slot 1.
antenna_gain_value: Refers to the external antenna gain value in multiples of .5 dBi units. The valid range is from 0 to 4294967295.

Step 4

ap name ap-name dot11 5ghz slot 1 antenna mode [omni | sectorA | sectorB]
Example:
Device# ap name AP-SIDD-A06 dot11 5ghz slot 1 antenna mode sectorA

Configures the antenna mode for 802.11a radios for a specific access point hosted on slot 1.

Step 5

ap name ap-name dot11 5ghz slot 1 antenna selection [internal | external]
Example:
Device# ap name AP-SIDD-A06 dot11 5ghz slot 1 antenna selection internal

Configures the antenna selection for 802.11a radios for a specific access point hosted on slot 1.

Step 6

ap name ap-name dot11 5ghz slot 1 beamforming
Example:
Device# ap name AP-SIDD-A06 dot11 5ghz slot 1 beamforming

Configures beamforming for the 5-GHz radio hosted on slot 1 for a specific access point.

Step 7

ap name ap-name dot11 5ghz slot 1 channel {channel_number | auto | width [20 | 40 | 80 | 160]}
Example:
Device# ap name AP-SIDD-A06 dot11 5ghz slot 1 channel auto

Configures advanced 802.11 channel assignment parameters for the 5-GHz radio hosted on slot 1 for a specific access point.
Here,
channel_number: Refers to the channel number. The valid range is from 1 to 173.

Step 8

ap name ap-name dot11 5ghz slot 1 cleanair
Example:
Device# ap name AP-SIDD-A06 dot11 5ghz slot 1 cleanair

Enables CleanAir for the 802.11a radio hosted on slot 1 for a given or specific access point.

Step 9

ap name ap-name dot11 5ghz slot 1 dot11n antenna {A | B | C | D}
Example:
Device# ap name AP-SIDD-A06 dot11 5ghz slot 1 dot11n antenna A

Configures 802.11n for the 5-GHz radio hosted on slot 1 for a specific access point.
Here,
A: Is the antenna port A.
B: Is the antenna port B.
C: Is the antenna port C.
D: Is the antenna port D.

Step 10

ap name ap-name dot11 5ghz slot 1 rrm channel channel
Example:
Device# ap name AP-SIDD-A06 dot11 5ghz slot 1 rrm channel 2

Is another way of changing the channel hosted on slot 1 for a specific access point.
Here,
channel: Refers to the new channel created using 802.11h channel announcement. The valid range is from 1 to 173, provided 173 is a valid channel in the country where the access point is deployed.

Step 11

ap name ap-name dot11 5ghz slot 1 shutdown
Example:
Device# ap name AP-SIDD-A06 dot11 5ghz slot 1 shutdown

Disables the 802.11a radio hosted on slot 1 for a specific access point.

Step 12

ap name ap-name dot11 5ghz slot 1 txpower {tx_power_level | auto}
Example:
Device# ap name AP-SIDD-A06 dot11 5ghz slot 1 txpower auto

Configures the transmit power level for the 802.11a radio hosted on slot 1 for a specific access point.
· tx_power_level: Is the transmit power level in dBm. The valid range is from 1 to 8.
· auto: Enables auto-RF.

Information About Dual-Band Radio Support
The Dual-Band (XOR) radio in Cisco 2800, 3800, 4800, and the 9120 series AP models offers the ability to serve 2.4-GHz or 5-GHz bands or passively monitor both the bands on the same AP. These APs can be configured to serve clients in 2.4-GHz and 5-GHz bands, or serially scan both 2.4-GHz and 5-GHz bands on the flexible radio while the main 5-GHz radio serves clients.
Cisco AP models up to and including the Cisco 9120 APs are designed to support dual 5-GHz band operations, with the i model supporting a dedicated Macro/Micro architecture and the e and p models supporting Macro/Macro. The Cisco 9130AXI APs and the Cisco 9136 APs support dual 5-GHz operations as Micro/Messo cell.
When a radio moves between bands (from 2.4-GHz to 5-GHz and vice versa), clients need to be steered to get an optimal distribution across radios. When an AP has two radios in the 5-GHz band, client steering algorithms contained in the Flexible Radio Assignment (FRA) algorithm are used to steer a client between the same band co-resident radios.
The XOR radio support can be steered manually or automatically:
· Manual steering of a band on a radio: The band on the XOR radio can only be changed manually.
· Automatic client and band steering on the radios is managed by the FRA feature, which monitors and changes the band configurations as per site requirements.

Note
RF measurement will not run when a static channel is configured on slot 1. Due to this, the dual band radio slot 0 will move only with the 5-GHz radio and not to the monitor mode.
When the slot 1 radio is disabled, RF measurement will not run, and the dual band radio slot 0 will be only on the 2.4-GHz radio.

Note
Only one of the 5-GHz radios can operate in the UNII band (100 - 144), due to an AP limitation to keep the power budget within the regulatory limit.

Configuring Default XOR Radio Support
Before you begin

Note
The default radio points to the XOR radio hosted on slot 0.

Procedure

Step 1

enable
Example:
Device# enable

Enters privileged EXEC mode.

Step 2

ap name ap-name dot11 dual-band antenna ext-ant-gain antenna_gain_value
Example:
Device# ap name ap-name dot11 dual-band antenna ext-ant-gain 2

Configures the 802.11 dual-band antenna on a specific Cisco access point.
antenna_gain_value: The valid range is from 0 to 40.

Step 3

ap name ap-name [no] dot11 dual-band shutdown
Example:
Device# ap name ap-name dot11 dual-band shutdown

Shuts down the default dual-band radio on a specific Cisco access point.
Use the no form of the command to enable the radio.

Step 4

ap name ap-name dot11 dual-band role manual client-serving
Example:
Device# ap name ap-name dot11 dual-band role manual client-serving

Switches to client-serving mode on the Cisco access point.

Step 5

ap name ap-name dot11 dual-band band 24ghz
Example:
Device# ap name ap-name dot11 dual-band band 24ghz

Switches to the 2.4-GHz radio band.

Step 6

ap name ap-name dot11 dual-band txpower {transmit_power_level | auto}
Example:
Device# ap name ap-name dot11 dual-band txpower 2

Configures the transmit power for the radio on a specific Cisco access point.

Note
When an FRA-capable radio (slot 0 on 9120 AP, for instance) is set to Auto, you cannot configure static channel and Txpower on this radio.
If you want to configure static channel and Txpower on this radio, you will need to change the radio role to Manual Client-Serving mode.

Step 7

ap name ap-name dot11 dual-band channel channel-number
Example:
Device# ap name ap-name dot11 dual-band channel 2

Enters the channel for the dual band.
channel-number: The valid range is from 1 to 173.

Step 8

ap name ap-name dot11 dual-band channel auto
Example:
Device# ap name ap-name dot11 dual-band channel auto

Enables the auto channel assignment for the dual-band.

Step 9

ap name ap-name dot11 dual-band channel width {20 MHz | 40 MHz | 80 MHz | 160 MHz}
Example:
Device# ap name ap-name dot11 dual-band channel width 20 MHz

Chooses the channel width for the dual band.

Step 10

ap name ap-name dot11 dual-band cleanair
Example:
Device# ap name ap-name dot11 dual-band cleanair

Enables the Cisco CleanAir feature on the dual-band radio.

Step 11

ap name ap-name dot11 dual-band cleanair band {24 GHz | 5 GHz}
Example:
Device# ap name ap-name dot11 dual-band cleanair band 5 GHz
Device# ap name ap-name [no] dot11 dual-band cleanair band 5 GHz

Selects a band for the Cisco CleanAir feature.
Use the no form of this command to disable the Cisco CleanAir feature.

Step 12

ap name ap-name dot11 dual-band dot11n antenna {A | B | C | D}
Example:
Device# ap name ap-name dot11 dual-band dot11n antenna A

Configures the 802.11n dual-band parameters for a specific access point.

Step 13

show ap name ap-name auto-rf dot11 dual-band
Example:
Device# show ap name ap-name auto-rf dot11 dual-band

Displays the auto-RF information for the Cisco access point.

Step 14

show ap name ap-name wlan dot11 dual-band
Example:
Device# show ap name ap-name wlan dot11 dual-band

Displays the list of BSSIDs for the Cisco access point.

Configuring XOR Radio Support for the Specified Slot Number (GUI)
Procedure

Step 1
Click Configuration > Wireless > Access Points.

Step 2
In the Dual-Band Radios section, select the AP for which you want to configure dual-band radios.
The AP name, MAC address, CleanAir capability and slot information for the AP are displayed. If the Hyperlocation method is HALO, the antenna PID and antenna design information are also displayed.

Step 3
Click Configure.

Step 4
In the General tab, set the Admin Status as required.

Step 5
Set the CleanAir Admin Status field to Enable or Disable.

Step 6
Click Update & Apply to Device.

Configuring XOR Radio Support for the Specified Slot Number

Procedure

Step 1

enable
Example:
Device# enable

Enters privileged EXEC mode.

Step 2

ap name ap-name dot11 dual-band slot 0 antenna ext-ant-gain external_antenna_gain_value
Example:
Device# ap name AP-SIDD-A06 dot11 dual-band slot 0 antenna ext-ant-gain 2

Configures the dual-band antenna for the XOR radio hosted on slot 0 for a specific access point.
external_antenna_gain_value: Is the external antenna gain value in multiples of .5 dBi units. The valid range is from 0 to 40.

Step 3

ap name ap-name dot11 dual-band slot 0 band {24ghz | 5ghz}
Example:
Device# ap name AP-SIDD-A06 dot11 dual-band slot 0 band 24ghz

Configures the current band for the XOR radio hosted on slot 0 for a specific access point.

Step 4

ap name ap-name dot11 dual-band slot 0 channel {channel_number | auto | width [160 | 20 | 40 | 80]}
Example:
Device# ap name AP-SIDD-A06 dot11 dual-band slot 0 channel 3

Configures the dual-band channel for the XOR radio hosted on slot 0 for a specific access point.
channel_number: The valid range is from 1 to 165.

Step 5

ap name ap-name dot11 dual-band slot 0 cleanair band {24Ghz | 5Ghz}
Example:
Device# ap name AP-SIDD-A06 dot11 dual-band slot 0 cleanair band 24Ghz

Enables CleanAir features for dual-band radios hosted on slot 0 for a specific access point.

Step 6

ap name ap-name dot11 dual-band slot 0 dot11n antenna {A | B | C | D}
Example:
Device# ap name AP-SIDD-A06 dot11 dual-band slot 0 dot11n antenna A

Configures 802.11n dual-band parameters hosted on slot 0 for a specific access point.
Here,
A: Enables antenna port A.
B: Enables antenna port B.
C: Enables antenna port C.
D: Enables antenna port D.

Step 7

ap name ap-name dot11 dual-band slot 0 role {auto | manual [client-serving | monitor]}
Example:
Device# ap name AP-SIDD-A06 dot11 dual-band slot 0 role auto

Configures the dual-band role for the XOR radio hosted on slot 0 for a specific access point.
The following are the dual-band roles:
· auto: Refers to the automatic radio role selection.
· manual: Refers to the manual radio role selection.

Step 8

ap name ap-name dot11 dual-band slot 0 shutdown
Example:
Device# ap name AP-SIDD-A06 dot11 dual-band slot 0 shutdown
Device# ap name AP-SIDD-A06 [no] dot11 dual-band slot 0 shutdown

Disables the dual-band radio hosted on slot 0 for a specific access point.
Use the no form of this command to enable the dual-band radio.

Step 9

ap name ap-name dot11 dual-band slot 0 txpower {tx_power_level | auto}
Example:
Device# ap name AP-SIDD-A06 dot11 dual-band slot 0 txpower 2

Configures the dual-band transmit power for the XOR radio hosted on slot 0 for a specific access point.
· tx_power_level: Is the transmit power level in dBm. The valid range is from 1 to 8.
· auto: Enables auto-RF.

Receiver Only Dual-Band Radio Support

Information About Receiver Only Dual-Band Radio Support
This feature configures the dual-band Rx-only radio features for an access point with dual-band radios. This dual-band Rx-only radio is dedicated to Analytics, Hyperlocation, Wireless Security Monitoring, and BLE AoA*. This radio always serves in monitor mode; therefore, you cannot make any channel or tx-rx configuration on the third radio.
Configuring Receiver Only Dual-Band Parameters for Access Points
Enabling CleanAir with Receiver Only Dual-Band Radio on a Cisco Access Point (GUI)
Procedure

Step 1 Choose Configuration > Wireless > Access Points.
Step 2 In the Dual-Band Radios settings, click the AP for which you want to configure the dual-band radios.
Step 3 In the General tab, enable the CleanAir toggle button.
Step 4 Click Update & Apply to Device.


Enabling CleanAir with Receiver Only Dual-Band Radio on a Cisco Access Point

Procedure

Step 1
Command or Action: enable
Example:
Device# enable
Purpose: Enters privileged EXEC mode.

Step 2
Command or Action: ap name ap-name dot11 rx-dual-band slot 2 cleanair band {24Ghz | 5Ghz}
Example:
Device# ap name AP-SIDD-A06 dot11 rx-dual-band slot 2 cleanair band 24Ghz
Purpose: Enables CleanAir with receiver only (Rx-only) dual-band radio on a specific access point. Here, 2 refers to the slot ID.
Use the no form of this command to disable CleanAir:
Device# ap name AP-SIDD-A06 [no] dot11 rx-dual-band slot 2 cleanair band 24Ghz

Disabling Receiver Only Dual-Band Radio on a Cisco Access Point (GUI)

Procedure

Step 1 Choose Configuration > Wireless > Access Points.
Step 2 In the Dual-Band Radios settings, click the AP for which you want to configure the dual-band radios.
Step 3 In the General tab, disable the CleanAir Status toggle button.
Step 4 Click Update & Apply to Device.

Disabling Receiver Only Dual-Band Radio on a Cisco Access Point

Procedure

Step 1
Command or Action: enable
Example:
Device# enable
Purpose: Enters privileged EXEC mode.

Step 2
Command or Action: ap name ap-name dot11 rx-dual-band slot 2 shutdown
Example:
Device# ap name AP-SIDD-A06 dot11 rx-dual-band slot 2 shutdown
Purpose: Disables receiver only dual-band radio on a specific Cisco access point. Here, 2 refers to the slot ID.
Use the no form of this command to enable receiver only dual-band radio:
Device# ap name AP-SIDD-A06 [no] dot11 rx-dual-band slot 2 shutdown


Configuring Client Steering (CLI)

Before you begin
Enable Cisco CleanAir on the corresponding dual-band radio.

Procedure

Step 1
Command or Action: enable
Example:
Device# enable
Purpose: Enters privileged EXEC mode.

Step 2
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 3
Command or Action: wireless macro-micro steering transition-threshold balancing-window number-of-clients (0-65535)
Example:
Device(config)# wireless macro-micro steering transition-threshold balancing-window 10
Purpose: Configures the micro-macro client load-balancing window for a set number of clients.

Step 4
Command or Action: wireless macro-micro steering transition-threshold client count number-of-clients (0-65535)
Example:
Device(config)# wireless macro-micro steering transition-threshold client count 10
Purpose: Configures the macro-micro client parameters for a minimum client count for transition.

Step 5
Command or Action: wireless macro-micro steering transition-threshold macro-to-micro RSSI-in-dBm (-128 to 0)
Example:
Device(config)# wireless macro-micro steering transition-threshold macro-to-micro -100
Purpose: Configures the macro-to-micro transition RSSI.

Step 6
Command or Action: wireless macro-micro steering transition-threshold micro-to-macro RSSI-in-dBm (-128 to 0)
Example:
Device(config)# wireless macro-micro steering transition-threshold micro-to-macro -110
Purpose: Configures the micro-to-macro transition RSSI.

Step 7
Command or Action: wireless macro-micro steering probe-suppression aggressiveness number-of-cycles (-128 to 0)
Example:
Device(config)# wireless macro-micro steering probe-suppression aggressiveness -110
Purpose: Configures the number of probe cycles to be suppressed.

Step 8
Command or Action: wireless macro-micro steering probe-suppression hysteresis RSSI-in-dBm
Example:
Device(config)# wireless macro-micro steering probe-suppression hysteresis -5
Purpose: Configures the macro-to-micro probe in RSSI. The range is between -6 to -3.

Step 9
Command or Action: wireless macro-micro steering probe-suppression probe-only
Example:
Device(config)# wireless macro-micro steering probe-suppression probe-only
Purpose: Enables probe suppression mode.

Step 10
Command or Action: wireless macro-micro steering probe-suppression probe-auth
Example:
Device(config)# wireless macro-micro steering probe-suppression probe-auth
Purpose: Enables probe and single authentication suppression mode.

Step 11
Command or Action: show wireless client steering
Example:
Device# show wireless client steering
Purpose: Displays the wireless client steering information.

Verifying Cisco Access Points with Dual-Band Radios

To verify the access points with dual-band radios, use the following command:

Device# show ap dot11 dual-band summary
AP Name  Subband  Radio Mac       Status   Channel  Power Level    Slot ID  Mode
----------------------------------------------------------------------------
4800     All      3890.a5e6.f360  Enabled  (40)*    *1/8 (22 dBm)  0        Sensor
4800     All      3890.a5e6.f360  Enabled  N/A      N/A            2        Monitor


CHAPTER 27
802.1x Support
· Introduction to the 802.1X Authentication, on page 333
· Limitations of the 802.1X Authentication, on page 334
· Topology - Overview, on page 335
· Configuring 802.1X Authentication Type and LSC AP Authentication Type (GUI), on page 335
· Configuring 802.1X Authentication Type and LSC AP Authentication Type, on page 336
· Enabling 802.1X on the Switch Port, on page 338
· Verifying 802.1X on the Switch Port, on page 340
· Verifying the Authentication Type, on page 340
Introduction to the 802.1X Authentication
IEEE 802.1X port-based authentication is configured on a device to prevent unauthorized devices from gaining access to the network. The device can combine the functions of a router, switch, and access point, depending on the fixed configuration. Any device connecting to a switch port where 802.1X authentication is enabled must go through the relevant EAP authentication model before it can exchange traffic. Currently, the Cisco Wave 2 and Wi-Fi 6 (802.11AX) APs support 802.1X authentication with the switch port for the EAP-FAST, EAP-TLS and EAP-PEAP methods. You can now enable the configuration and provide credentials to the AP from the controller.
Note If the AP uses dot1x EAP-FAST, when the AP reboots it should perform an anonymous PAC provision. For performing PAC provision, the ADH cipher suites should be used to establish an authenticated tunnel. If the ADH cipher suites are not supported by the RADIUS servers, the AP will fail to authenticate on reload.
EAP-FAST Protocol
In the EAP-FAST protocol developed by Cisco, in order to establish a secured TLS tunnel with RADIUS, the AP requires a strong shared key (PAC), either provided via in-band provisioning (in a secured channel) or via out-band provisioning (manual).

Note The EAP-FAST type configuration requires 802.1x credentials configuration for AP, since AP will use EAP-FAST with MSCHAP Version 2 method.
Note Local EAP is not supported on the Cisco 7925 phones.
Note In Cisco Wave 2 APs, for 802.1x authentication using EAP-FAST after PAC provisioning (caused by the initial connection or after AP reload), ensure that you configure the switch port to trigger re-authentication using one of the following commands: authentication timer restart num or authentication timer reauthenticate num.
Starting from Cisco IOS XE Amsterdam 17.1.1, TLS 1.2 is supported in EAP-FAST authentication protocol.
EAP-TLS/EAP-PEAP Protocol
The EAP-TLS protocol or EAP-PEAP protocol provides certificate-based mutual EAP authentication. In EAP-TLS, both the server-side and the client-side certificates are required, and the secured shared key is derived for the particular session to encrypt or decrypt data. In EAP-PEAP, only the server-side certificate is required, and the client authenticates using a password-based protocol inside a secured channel.
Note The EAP-PEAP type configuration requires Dot1x credentials configuration for AP; and the AP also needs to go through LSC provisioning. AP uses the PEAP protocol with MSCHAP Version 2 method.
Limitations of the 802.1X Authentication
· 802.1X is not supported on dynamic ports or Ethernet Channel ports.
· 802.1X is not supported in a mesh AP scenario.
· There is no recovery from the controller on credential mismatch or the expiry/invalidity of the certificate on AP. The 802.1X authentication has to be disabled on the switch port to connect the AP back to fix the configurations.
· There are no certificate revocation checks implemented on the certificates installed in AP.
· Only one Locally Significant Certificate (LSC) can be provisioned on the AP and the same certificate must be used for CAPWAP DTLS session establishment with the controller and the 802.1X authentication with the switch. If the global LSC configuration on the controller is disabled, the AP deletes the LSC which is already provisioned.
· If clear configurations are applied on the AP, then the AP will lose the 802.1X EAP type configuration and the LSC certificates. The AP should again go through the staging process if 802.1X is required.

· 802.1X for trunk port APs on multi-host authentication mode is supported. Network Edge Authentication Topology (NEAT) is not supported on COS APs.
Topology - Overview
The 802.1X authentication events are as follows:
1. The AP acts as the 802.1X supplicant and is authenticated by the switch against the RADIUS server, which supports EAP-FAST along with EAP-TLS and EAP-PEAP. When dot1x authentication is enabled on a switch port, the device connected to it authenticates itself to receive and forward data other than 802.1X traffic.
2. In order to authenticate with the EAP-FAST method, the AP requires the credentials of the RADIUS server. They can be configured at the controller, from where they are passed on to the AP via a configuration update request. For EAP-TLS or EAP-PEAP, the APs use the certificates (device/ID and CA) made significant by the local CA server.
Figure 14: Topology for 802.1X Authentication

Configuring 802.1X Authentication Type and LSC AP Authentication Type (GUI)
Procedure

Step 1 Choose Configuration > Tags & Profiles > AP Join.
Step 2 On the AP Join Profile page, click Add. The Add AP Join Profile page is displayed.
Step 3 In the AP > General tab, navigate to the AP EAP Auth Configuration section.
Step 4 From the EAP Type drop-down list, choose the EAP type as EAP-FAST, EAP-TLS, or EAP-PEAP to configure the dot1x authentication type.
Step 5 From the AP Authorization Type drop-down list, choose the type as either CAPWAP DTLS + or CAPWAP DTLS.


Step 6 Click Save & Apply to Device.

Configuring 802.1X Authentication Type and LSC AP Authentication Type

Procedure

Step 1
Command or Action: enable
Example:
Device> enable
Purpose: Enables privileged EXEC mode.

Step 2
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 3
Command or Action: ap profile profile-name
Example:
Device(config)# ap profile new-profile
Purpose: Specifies a profile name.

Step 4
Command or Action: dot1x {max-sessions | username | eap-type | lsc-ap-auth-state}
Example:
Device(config-ap-profile)# dot1x eap-type
Purpose: Configures the dot1x authentication type.
max-sessions: Configures the maximum 802.1X sessions initiated per AP.
username: Configures the 802.1X username for all APs.
eap-type: Configures the dot1x authentication type with the switch port.
lsc-ap-auth-state: Configures the LSC authentication state on the AP.

Step 5
Command or Action: dot1x eap-type {EAP-FAST | EAP-TLS | EAP-PEAP}
Example:
Device(config-ap-profile)# dot1x eap-type
Purpose: Configures the dot1x authentication type: EAP-FAST, EAP-TLS, or EAP-PEAP.

Step 6
Command or Action: dot1x lsc-ap-auth-state {CAPWAP-DTLS | Dot1x-port-auth | Both}
Example:
Device(config-ap-profile)# dot1x lsc-ap-auth-state Dot1x-port-auth
Purpose: Configures the LSC authentication state on the AP.
CAPWAP-DTLS: Uses LSC only for CAPWAP DTLS.
Dot1x-port-auth: Uses LSC only for dot1x authentication with the port.
Both: Uses LSC for both CAPWAP-DTLS and Dot1x authentication with the port.

Step 7
Command or Action: end
Example:
Device(config-ap-profile)# end
Purpose: Exits the AP profile configuration mode and enters privileged EXEC mode.

Configuring the 802.1X Username and Password (GUI)
Procedure

Step 1 Choose Configuration > Tags & Profiles > AP Join.
Step 2 On the AP Join page, click the name of the AP Join profile or click Add to create a new one.
Step 3 Click the Management tab and then click the Credentials tab.
Step 4 Enter the local username and password details.
Step 5 Choose the appropriate local password type.
Step 6 Enter 802.1X username and password details.
Step 7 Choose the appropriate 802.1X password type.
Step 8 Enter the time in seconds after which the session should expire.
Step 9 Enable local credentials and/or 802.1X credentials as required.
Step 10 Click Update & Apply to Device.

Configuring the 802.1X Username and Password (CLI)
The following procedure configures the 802.1X password for all the APs:

Procedure

Step 1
Command or Action: enable
Example:
Device> enable
Purpose: Enables privileged EXEC mode.

Step 2
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 3
Command or Action: ap profile profile-name
Example:
Device(config)# ap profile new-profile
Purpose: Specifies a profile name.

Step 4
Command or Action: dot1x {max-sessions | username | eap-type | lsc-ap-auth-state}
Example:
Device(config-ap-profile)# dot1x eap-type
Purpose: Configures the dot1x authentication type.
max-sessions: Configures the maximum 802.1X sessions initiated per AP.
username: Configures the 802.1X username for all APs.
eap-type: Configures the dot1x authentication type with the switch port.
lsc-ap-auth-state: Configures the LSC authentication state on the AP.

Step 5
Command or Action: dot1x username <username> password {0 | 8} <password>
Example:
Device(config-ap-profile)# dot1x username username password 0 password
Purpose: Configures the dot1x password for all the APs.
0: Specifies that an unencrypted password will follow.
8: Specifies that an AES encrypted password will follow.

Enabling 802.1X on the Switch Port
The following procedure enables 802.1X on the switch port:

Procedure

Step 1
Command or Action: enable
Example:
Device> enable
Purpose: Enables privileged EXEC mode.

Step 2
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 3
Command or Action: aaa new-model
Example:
Device(config)# aaa new-model
Purpose: Enables AAA.

Step 4
Command or Action: aaa authentication dot1x {default | listname} method1 [method2...]
Example:
Device(config)# aaa authentication dot1x default group radius
Purpose: Creates a series of authentication methods that are used to determine user privilege to access the privileged command level so that the device can communicate with the AAA server.

Step 5
Command or Action: aaa authorization network group
Example:
Device(config)# aaa authorization network group
Purpose: Enables AAA authorization for network services on 802.1X.

Step 6
Command or Action: dot1x system-auth-control
Example:
Device(config)# dot1x system-auth-control
Purpose: Globally enables 802.1X port-based authentication.

Step 7
Command or Action: interface type slot/port
Example:
Device(config)# interface fastethernet2/1
Purpose: Enters interface configuration mode and specifies the interface to be enabled for 802.1X authentication.

Step 8
Command or Action: authentication port-control {auto | force-authorized | force-unauthorized}
Example:
Device(config-if)# authentication port-control auto
Purpose: Enables 802.1X port-based authentication on the interface.
auto - Enables IEEE 802.1X authentication and causes the port to begin in the unauthorized state, allowing only EAPOL frames to be sent and received through the port. The authentication process begins when the link state of the port changes from down to up or when an EAPOL-start frame is received. The device requests the identity of the supplicant and begins relaying authentication messages between the supplicant and the authentication server. Each supplicant attempting to access the network is uniquely identified by the device by using the supplicant MAC address.
force-authorized - Disables IEEE 802.1X authentication and causes the port to change to the authorized state without any authentication exchange required. The port sends and receives normal traffic without IEEE 802.1X-based authentication of the client. This is the default setting.
force-unauthorized - Causes the port to remain in the unauthorized state, ignoring all attempts by the supplicant to authenticate. The device cannot provide authentication services to the supplicant through the port.

Step 9
Command or Action: dot1x pae [supplicant | authenticator | both]
Example:
Device(config-if)# dot1x pae authenticator
Purpose: Enables 802.1X authentication on the port with default parameters.

Step 10
Command or Action: end
Example:
Device(config-if)# end
Purpose: Enters privileged EXEC mode.

Verifying 802.1X on the Switch Port

The following show command displays the authentication state of 802.1X on the switch port:

Device# show dot1x all
Sysauthcontrol                 Enabled
Dot1x Protocol Version         2

Dot1x Info for FastEthernet1
-----------------------------------
PAE                       = AUTHENTICATOR
PortControl               = AUTO
ControlDirection          = Both
HostMode                  = MULTI_HOST
ReAuthentication          = Disabled
QuietPeriod               = 60
ServerTimeout             = 30
SuppTimeout               = 30
ReAuthPeriod              = 3600 (Locally configured)
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 30
RateLimitPeriod           = 0
Device#
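As an added example (not code from the Cisco guide), the following Python script parses the show dot1x all layout shown above and flags switch-port settings that stop or weaken 802.1X for an AP supplicant, including the disabled re-authentication that the earlier EAP-FAST note warns about. The sample output, interface names and values are constructed to match the guide's format, not captured from a device.

```python
"""Audit switch-port 802.1X state from 'show dot1x all' output.

Added example, not from the Cisco guide. Findings raised per interface:
global port-based authentication not enabled, PAE not the authenticator,
PortControl not AUTO (force-authorized skips the EAP exchange entirely),
and re-authentication disabled (EAP-FAST APs need a re-auth trigger after
PAC provisioning, per the guide's note).
"""
import re
from dataclasses import dataclass, field

# Constructed sample in the guide's output format (not a real capture):
# FastEthernet1 mirrors the guide's example, FastEthernet2 is a weak port.
SAMPLE_OUTPUT = """\
Sysauthcontrol                 Enabled
Dot1x Protocol Version         2

Dot1x Info for FastEthernet1
-----------------------------------
PAE                       = AUTHENTICATOR
PortControl               = AUTO
ControlDirection          = Both
HostMode                  = MULTI_HOST
ReAuthentication          = Disabled
QuietPeriod               = 60
ReAuthPeriod              = 3600 (Locally configured)
ReAuthMax                 = 2

Dot1x Info for FastEthernet2
-----------------------------------
PAE                       = AUTHENTICATOR
PortControl               = FORCE_AUTHORIZED
ControlDirection          = Both
HostMode                  = SINGLE_HOST
ReAuthentication          = Enabled
ReAuthPeriod              = 3600 (Locally configured)
"""


@dataclass
class Dot1xState:
    """Global Sysauthcontrol flag plus per-interface key/value settings."""
    sysauthcontrol: str = ""
    interfaces: dict = field(default_factory=dict)


def parse_show_dot1x_all(text: str) -> Dot1xState:
    """Parse 'show dot1x all' text into a Dot1xState."""
    state = Dot1xState()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("---"):
            continue
        m = re.match(r"Sysauthcontrol\s+(\S+)", line)
        if m:
            state.sysauthcontrol = m.group(1)
            continue
        m = re.match(r"Dot1x Info for (\S+)", line)
        if m:
            current = m.group(1)
            state.interfaces[current] = {}
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            # Strip trailing annotations such as "(Locally configured)".
            value = re.sub(r"\s*\(.*\)$", "", value.strip())
            state.interfaces[current][key.strip()] = value
    return state


def check_interface(info: dict, state: Dot1xState) -> list:
    """Return human-readable findings for one interface (empty list = OK)."""
    findings = []
    if state.sysauthcontrol.lower() != "enabled":
        findings.append("Sysauthcontrol is not Enabled: 'dot1x system-auth-control' "
                        "is missing, so no port performs 802.1X")
    if info.get("PAE", "").upper() != "AUTHENTICATOR":
        findings.append("PAE is not AUTHENTICATOR: configure 'dot1x pae authenticator'")
    if info.get("PortControl", "").upper() != "AUTO":
        findings.append(f"PortControl is {info.get('PortControl', '?')}: only "
                        "'authentication port-control auto' authenticates the AP")
    if info.get("ReAuthentication", "").lower() != "enabled":
        findings.append("ReAuthentication is Disabled: an EAP-FAST AP needs "
                        "'authentication timer reauthenticate' after PAC provisioning")
    return findings


def audit(text: str) -> dict:
    """Map each interface name in the output to its list of findings."""
    state = parse_show_dot1x_all(text)
    return {name: check_interface(info, state)
            for name, info in state.interfaces.items()}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_OUTPUT).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```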

Verifying the Authentication Type

The following show command displays the authentication state of an AP profile:

Device# show ap profile <profile-name> detailed ?
  chassis  Chassis
  |        Output modifiers
  <cr>

Device# show ap profile <profile-name> detailed
AP Profile Name   : default-ap-profile
Description       : default ap profile
...
Dot1x EAP Method  : [EAP-FAST/EAP-TLS/EAP-PEAP/Not-Configured]
LSC AP AUTH STATE : [CAPWAP DTLS / DOT1x port auth / CAPWAP DTLS + DOT1x port auth]


CHAPTER 28
CAPWAP Link Aggregation Support
· Information About CAPWAP LAG Support, on page 341
· Restrictions for CAPWAP LAG Support, on page 342
· Enabling CAPWAP LAG Support on Controller (GUI), on page 342
· Enabling CAPWAP LAG Support on Controller, on page 342
· Enabling CAPWAP LAG Globally on Controller, on page 343
· Disabling CAPWAP LAG Globally on Controller, on page 343
· Enabling CAPWAP LAG for an AP Profile (GUI), on page 343
· Enabling CAPWAP LAG for an AP Profile, on page 344
· Disabling CAPWAP LAG for an AP Profile, on page 344
· Disabling CAPWAP LAG Support on Controller, on page 345
· Verifying CAPWAP LAG Support Configurations, on page 345
Information About CAPWAP LAG Support
Link aggregation (LAG) simplifies controller configuration because you no longer need to configure primary and secondary ports for each interface. If any of the controller ports fail, traffic is automatically migrated to one of the other ports. As long as at least one controller port is functioning, the system continues to operate, access points remain connected to the network, and wireless clients continue to send and receive data. The CAPWAP LAG support feature applies to access points that support multiple Ethernet ports for CAPWAP. The 11AC APs with dual Ethernet ports require CAPWAP AP LAG support for the data channel. On Cisco Aironet 1850, 2800, and 3800 Series APs, the second Ethernet port is used as a link aggregation port by default. It is possible to use this LAG port as an RLAN port when LAG is disabled. The following APs use the LAG port as an RLAN port:
· 1852E
· 1852I
· 2802E
· 2802I
· 3802E
· 3802I
· 3802P

Restrictions for CAPWAP LAG Support
· APs must be specifically enabled for CAPWAP AP LAG support.
· CAPWAP data does not support IPv6.
· Data DTLS must not be enabled when LAG is enabled.
· APs behind NAT and PAT are not supported.

Enabling CAPWAP LAG Support on Controller (GUI)
Procedure

Step 1 Choose Configuration > Wireless > Wireless Global.
Step 2 Check the AP LAG Mode check box.
Step 3 Click Apply.

Enabling CAPWAP LAG Support on Controller

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: ap lag support
Example:
Device(config)# ap lag support
Purpose: Enables CAPWAP LAG support on the controller.
Note After executing this command, you get to view the following warning statement:
Changing the lag support will cause all the APs to disconnect.
Thus, all APs with LAG capability reboot and join the enabled CAPWAP LAG.

Step 3
Command or Action: end
Example:
Device(config)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Enabling CAPWAP LAG Globally on Controller
If the CAPWAP LAG is enabled globally on the controller, the following occurs:
· AP joins the controller.
· AP exchanges its CAPWAP support.
· LAG mode starts, if LAG is enabled on AP.

Disabling CAPWAP LAG Globally on Controller
If the CAPWAP LAG is disabled globally on the controller, the following occurs:
· AP joins the controller.
· AP exchanges its CAPWAP support.
· AP LAG config is sent to AP, if LAG is already enabled on AP.
· AP reboots.
· AP joins back with the disabled LAG.

Enabling CAPWAP LAG for an AP Profile (GUI)
Procedure

Step 1 Choose Configuration > Tags & Profiles > AP Join.
Step 2 Click Add.
Step 3 Under the General tab, enter the Name of the AP Profile and check the LAG Mode check box to set the CAPWAP LAG for the AP profile.
Step 4 Click Apply to Device.


Enabling CAPWAP LAG for an AP Profile

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: ap profile ap-profile
Example:
Device(config)# ap profile xyz-ap-profile
Purpose: Configures an AP profile and enters AP profile configuration mode.
Note When you delete a named profile, the APs associated with that profile will not revert to the default profile.

Step 3
Command or Action: lag
Example:
Device(config-ap-profile)# lag
Purpose: Enables CAPWAP LAG for an AP profile.

Step 4
Command or Action: end
Example:
Device(config-ap-profile)# end
Purpose: Exits configuration mode and returns to privileged EXEC mode.

Disabling CAPWAP LAG for an AP Profile

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: ap profile ap-profile
Example:
Device(config)# ap profile xyz-ap-profile
Purpose: Configures an AP profile and enters AP profile configuration mode.
Note When you delete a named profile, the APs associated with that profile will not revert to the default profile.

Step 3
Command or Action: no lag
Example:
Device(config-ap-profile)# no lag
Purpose: Disables CAPWAP LAG for an AP profile.

Step 4
Command or Action: end
Example:
Device(config-ap-profile)# end
Purpose: Exits configuration mode and returns to privileged EXEC mode.

Disabling CAPWAP LAG Support on Controller

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: no ap lag support
Example:
Device(config)# no ap lag support
Purpose: Disables CAPWAP LAG support on the controller.
Note All APs with LAG capability reboot and join the disabled CAPWAP LAG.

Step 3
Command or Action: end
Example:
Device(config)# end
Purpose: Exits configuration mode and returns to privileged EXEC mode.

Verifying CAPWAP LAG Support Configurations
To verify the global LAG status for all Cisco APs, use the following command:

Device# show ap lag-mode
AP Lag-Mode Support    Enabled

To verify the AP LAG configuration status, use the following command:

Device# show ap name <ap-name> config general
Cisco AP Identifier                    : 0008.3291.6360
Country Code                           : US
Regulatory Domain Allowed by Country   : 802.11bg:-A 802.11a:-AB
AP Country Code                        : US - United States
::
AP Lag Configuration Status            : Enabled/Disabled

The AP Lag Configuration Status field shows whether the AP has negotiated LAG based on AP capability and per-AP config.


CHAPTER 29
DHCP and NAT Functionality on Root Access Point
· Information About DHCP and NAT Functionality on Root AP (RAP), on page 347
· Configuring DHCP Server on Root Access Point (RAP), on page 348
· Verifying DHCP Server for Root AP Configuration, on page 348
Information About DHCP and NAT Functionality on Root AP (RAP)
Note This feature is applicable for Cisco Aironet 1542 series outdoor access points only.
The access points associated to a mesh network can play one of the two roles:
· Root Access Point (RAP) - An access point can be a root access point for multiple mesh networks.
· Mesh Access Point (MAP) - An access point can be a mesh access point for only one single mesh network at a time.
DHCP and NAT Functionality on Root AP - IPv4 Scenario
This feature enables the controller to send a TLV to the RAP when a new RAP joins the controller. The workflow is as follows:
· Controller pushes the TLV to the RAP to enable DHCP and NAT functionality.
· Client associates to an SSID.
· RAP executes DHCP functionality to assign a private IPv4 address to the client.
· RAP executes NAT functionality on the private IPv4 address of the client to allow access to the network.

Configuring DHCP Server on Root Access Point (RAP)

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: ap profile ap-profile-name
Example:
Device(config)# ap profile ap-profile-name
Purpose: Configures an AP Profile.

Step 3
Command or Action: dhcp-server
Example:
Device(config-ap-profile)# dhcp-server
Purpose: Configures DHCP server on the root access point.

Step 4
Command or Action: end
Example:
Device(config-ap-profile)# end
Purpose: Saves the configuration, exits configuration mode, and returns to privileged EXEC mode.

Verifying DHCP Server for Root AP Configuration

To verify the DHCP server for root AP configuration, use the following command:

Device# show ap config general
Cisco AP Name                     : AP4C77.6DF2.D588
=================================================
<SNIP>
Dhcp Server                       : Enabled


CHAPTER 30
OFDMA Support for 11ax Access Points
· Information About OFDMA Support for 11ax Access Points, on page 349
· Configuring 11AX (GUI), on page 350
· Configuring Channel Width, on page 350
· Configuring 802.11ax Radio Parameters (GUI), on page 351
· Configuring 802.11ax Radio Parameters (CLI), on page 351
· Setting up the 802.11ax Radio Parameters, on page 352
· Configuring OFDMA on a WLAN, on page 353
· Verifying Channel Width, on page 354
· Verifying Client Details, on page 355
· Verifying Radio Configuration, on page 356
Information About OFDMA Support for 11ax Access Points
The Cisco Catalyst 9100 series access points are the next generation Wi-Fi 802.11ax access points, ideal for high-density, high-definition applications. The IEEE 802.11ax protocol aims to improve user experience and network performance in high-density deployments for both 2.4 GHz and 5 GHz. The 802.11ax APs support transmission or reception to more than one client simultaneously using Orthogonal Frequency Division Multiple Access (OFDMA). IEEE 802.11ax supports uplink MU-MIMO and also adds OFDMA for multiple users in the uplink and downlink. All the users in an IEEE 802.11ax OFDMA transmission have the same time allocation and end at the same time. In MU-MIMO and OFDMA, multiple stations (STAs) either simultaneously transmit to a single STA or simultaneously receive from a single STA independent data streams over the same radio frequencies.
Supported Modes on 11ax Access Points
The following AP modes are supported: · Local mode · Flex-connect mode · Bridge mode · Flex+Mesh mode

Configuring 11AX (GUI)
You can configure 11ax for the frequencies, 5 GHz and 2.4 GHz.

Procedure

Step 1 Choose Configuration > Radio Configurations > High Throughput.
Step 2 Click the 5 GHz Band tab.
a) Expand the 11ax section.
b) Select the Enable 11ax and Multiple Bssid check boxes, if required.
c) Check either the Select All check box to configure all the data rates or select the desired options from the available data rates list.
Step 3 Click the 2.4 GHz Band tab.
a) Expand the 11ax section.
b) Select the Enable 11ax and Multiple Bssid check boxes, if required.
c) Check either the Select All check box to configure all the data rates or select the desired options from the available data rates list.

Configuring Channel Width

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters the global configuration mode.

Step 2
Command or Action: ap dot11 {24ghz | 5ghz} rrm channel dca chan-width 160
Example:
Device(config)# ap dot11 5ghz rrm channel dca chan-width 160
Purpose: Configures channel width for 802.11 radios as 160. Use the no form of the command to disable the configuration.
Note: Cisco Catalyst 9115 and C9120 series APs do not support 80+80 channel width. Cisco Catalyst 9117 series APs do not support OFDMA in 160 channel width.

Step 3
Command or Action: ap dot11 {24ghz | 5ghz} rf-profile profile-name
Example:
Device(config)# ap dot11 5ghz rf-profile ax-profile
Purpose: Configures an RF profile and enters RF profile configuration mode.

Step 4
Command or Action: channel chan-width 160
Example:
Device(config-rf-profile)# channel chan-width 160
Purpose: Configures the RF profile DCA channel width.

Configuring 802.11ax Radio Parameters (GUI)
Procedure

Step 1 Choose Configuration > Radio Configurations > High Throughput > 5 GHz Band > 11ax.
Step 2 Check or uncheck the Enable 11 n check box.
Step 3 Check the check boxes for the desired MCS/(data rate) or, to select all of them, check the Select All check box.
Step 4 Click Apply.
Step 5 Choose Configuration > Radio Configurations > High Throughput > 2.4 GHz Band > 11ax.
Step 6 Check or uncheck the Enable 11 n check box.
Step 7 Check the check boxes for the desired MCS/(data rate) or, to select all of them, check the Select All check box.
Step 8 Click Apply.
Step 9 Choose Configuration > Wireless > Access Points.
Step 10 Click the Access Point.
Step 11 In the Edit AP dialog box, enable the LED State toggle button and choose the LED brightness level from the LED Brightness Level drop-down list.
Step 12 Click Update and Apply to Device.

Configuring 802.11ax Radio Parameters (CLI)
Follow the procedure given below to configure radio parameters:

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters the global configuration mode.

Step 2
Command or Action: ap dot11 {24ghz | 5ghz} dot11ax
Example:
Device(config)# ap dot11 5ghz dot11ax
Purpose: Enables the 11ax 5 GHz band radio. Use the no form of the command to disable the configuration.

Step 3
Command or Action: ap dot11 {24ghz | 5ghz} dot11ax mcs tx index index spatial-stream spatial-stream-value
Example:
Device(config)# ap dot11 5ghz dot11ax mcs tx index 11 spatial-stream 8
Purpose: Enables the 11ax 5 GHz band modulation and coding scheme (MCS) transmission rates.

Step 4
Command or Action: ap led-brightness brightness-level
Example:
Device(config)# ap led-brightness 6
Purpose: (Optional) Configures the LED brightness level.

Setting up the 802.11ax Radio Parameters

Procedure

Step 1
Command or Action: enable
Example:
Device# enable
Purpose: Enters privileged EXEC mode.

Step 2
Command or Action: ap name ap-name led-brightness-level brightness-level
Example:
Device# ap name ax-ap led-brightness-level 6
Purpose: Configures the LED brightness level.

Step 3
Command or Action: ap name ap-name dot11 {24ghz | 5ghz} dot11n antenna antenna-port
Example:
Device# ap name ap1 dot11 5ghz dot11n antenna A
Purpose: Configures the 802.11n - 5 GHz antenna selection. Use the no form of the command to disable the configuration.

Step 4
Command or Action: ap name ap-name dot11 {24ghz | 5ghz} channel width channel-width
Example:
Device# ap name ap1 dot11 5ghz channel width 160
Purpose: Configures 802.11 channel width.

Step 5
Command or Action: ap name ap-name dot11 {24ghz | 5ghz} secondary-80 channel-num
Example:
Device# ap name ap1 dot11 5ghz secondary-80 12
Purpose: Configures the advanced 802.11 secondary 80 MHz channel assignment parameters.

Configuring OFDMA on a WLAN

Note: For Cisco Catalyst 9115 and 9120 series APs, the configurations given below are per radio, not per WLAN. This feature remains enabled on the controller if it is enabled on any of the WLANs.

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters the global configuration mode.

Step 2
Command or Action: wlan wlan1
Example:
Device(config)# wlan wlan1
Purpose: Enters the WLAN configuration mode.

Step 3
Command or Action: dot11ax downlink-ofdma
Example:
Device(config-wlan)# dot11ax downlink-ofdma
Purpose: Enables the downlink connection that uses the OFDMA technology. Use the no form of the command to disable the configuration.

Step 4
Command or Action: dot11ax uplink-ofdma
Example:
Device(config-wlan)# dot11ax uplink-ofdma
Purpose: Enables the uplink connection that uses the OFDMA technology.

Step 5
Command or Action: dot11ax downlink-mumimo
Example:
Device(config-wlan)# dot11ax downlink-mumimo
Purpose: Enables the downlink connection that uses the MU-MIMO technology.

Step 6
Command or Action: dot11ax uplink-mumimo
Example:
Device(config-wlan)# dot11ax uplink-mumimo
Purpose: Enables the uplink connection that uses the MU-MIMO technology.

Step 7
Command or Action: dot11ax twt-broadcast-support
Example:
Device(config-wlan)# dot11ax twt-broadcast-support
Purpose: Enables the TWT broadcast support operation.

Verifying Channel Width

To verify the channel width and other channel information, use the following show commands:

Device# show ap dot11 5ghz summary

AP Name           Mac Address     Slot  Admin State  Oper State  Channel  Width  Txpwr
--------------------------------------------------------------------------------------------------------
AP80e0.1d75.6954  80e0.1d7a.7620  1     Enabled      Up          (52)*    160    1(*)

Device# show ap dot11 dual-band summary

AP Name       Subband  Radio Mac       Status   Channel  Power Level  Slot ID  Mode
---------------------------------------------------------------------------------------------------------
kartl28021mi  All      002a.1058.38a0  Enabled  (52)*    (1)*         1        REAP

Device# show ap name <ap-name> channel

802.11b/g Current Channel : 11
Slot ID : 0
Allowed Channel List : 1,2,3,4,5,6,7,8,9,10,11
802.11a Current Channel ....................... 52 (160 MHz)
Slot ID : 1
Allowed Channel List : 36,40,44,48,52,56,60,64,100,104,108,112,116,132,136,140,149,153,157,161,165

Device# show ap name <ap-name> config slot <slot-num>
.
.
.
Phy OFDM Parameters
Configuration : Automatic
Current Channel : 52
Extension Channel : No Extension
Channel Width : 160 MHz
Allowed Channel List : 36,40,44,48,52,56,60,64,100,104,108,112,116,132,136,140,149,153,157,161,165
TI Threshold : 0

Device# show ap dot11 5ghz channel
.
.
.
DCA Sensitivity Level : MEDIUM : 15 dB
DCA 802.11n/ac Channel Width : 160 MHz
DCA Minimum Energy Limit : -95 dBm
.
.
.

Device# show ap rf-profile name <name> detail
.
.
.
Unused Channel List : 165
DCA Bandwidth : 160 MHz
DCA Foreign AP Contribution : Enabled
.
.
.

Verifying Client Details
To verify the client information, use the following show commands:

Device# show wireless client mac-address <mac-address> detail

Client MAC Address : a886.ddb2.05e9
Client IPv4 Address : 169.254.175.214
Client IPv6 Addresses : fe80::b510:a381:8099:4747
                        2009:300:300:57:4007:6abb:2c9a:61e2
Client Username : N/A
Voice Client Type : Unknown
AP MAC Address : c025.5c55.e400
AP Name : APe4c7.22b2.948e
Device Type : N/A
Device Version : N/A
AP slot : 0
Client State : Associated
Policy Profile : default-policy-profile
Flex Profile : default-flex-profile
Wireless LAN Id : 1
Wireless LAN Name : SSS_OPEN
BSSID : c025.5c55.e406
Connected For : 23 seconds
Protocol : 802.11ax - 5 GHz
Channel : 8
Client IIF-ID : 0xa0000001
Association Id : 1
Authentication Algorithm : Open System
Client CCX version : No CCX support
Session Timeout : 86400 sec (Remaining time: 86378 sec)
.
.
.

Device# show wireless client summary

Number of Local Clients: 1

MAC Address     AP Name           WLAN  State  Protocol  Method  Role
---------------------------------------------------------------------------------------------------
a886.ddb2.05e9  APe4c7.22b2.948e  1     Run    11ax(5)   None    Local

Device# show wireless stats client detail

Total Number of Clients : 1

Protocol Statistics
-----------------------------------------------------------------------------
Protcol          Client Count
802.11b          0
802.11g          0
802.11a          0
802.11n-2.4 GHz  0
802.11n-5 GHz    0
802.11ac         0
80211ax          1

Verifying Radio Configuration

To verify the radio configuration information, use the following show commands:

Device# show ap dot11 5ghz network

802.11a Network : Enabled
.
.
.
802.11ax : Enabled
DynamicFrag : Enabled
MultiBssid : Disabled
802.11ax MCS Settings:
MCS 7, Spatial Streams = 1 : Disabled
MCS 9, Spatial Streams = 1 : Disabled
MCS 11, Spatial Streams = 1 : Disabled
MCS 7, Spatial Streams = 2 : Supported
MCS 9, Spatial Streams = 2 : Supported
MCS 11, Spatial Streams = 2 : Supported
MCS 7, Spatial Streams = 3 : Supported
MCS 9, Spatial Streams = 3 : Disabled
MCS 11, Spatial Streams = 3 : Disabled
MCS 7, Spatial Streams = 4 : Supported
MCS 9, Spatial Streams = 4 : Supported
MCS 11, Spatial Streams = 4 : Supported
MCS 7, Spatial Streams = 5 : Supported
MCS 9, Spatial Streams = 5 : Supported
MCS 11, Spatial Streams = 5 : Supported
MCS 7, Spatial Streams = 6 : Supported
MCS 9, Spatial Streams = 6 : Supported
MCS 11, Spatial Streams = 6 : Supported
MCS 7, Spatial Streams = 7 : Supported
MCS 9, Spatial Streams = 7 : Supported
MCS 11, Spatial Streams = 7 : Supported
MCS 7, Spatial Streams = 8 : Supported
MCS 9, Spatial Streams = 8 : Supported
MCS 11, Spatial Streams = 8 : Supported
Beacon Interval : 100
.
.
.
Maximum Number of Clients per AP Radio : 200

Device# show ap dot11 24ghz network

802.11b Network : Enabled
.
.
.
802.11axSupport...................................... Enabled
dynamicFrag................................ Disabled
multiBssid................................. Disabled
802.11ax : Enabled
DynamicFrag : Enabled
MultiBssid : Enabled
802.11ax MCS Settings:
MCS 7, Spatial Streams = 1 : Supported
MCS 9, Spatial Streams = 1 : Supported
MCS 11, Spatial Streams = 1 : Supported
MCS 7, Spatial Streams = 2 : Supported
MCS 9, Spatial Streams = 2 : Supported
MCS 11, Spatial Streams = 2 : Supported
MCS 7, Spatial Streams = 3 : Supported
MCS 9, Spatial Streams = 3 : Supported
MCS 11, Spatial Streams = 3 : Supported
MCS 7, Spatial Streams = 4 : Disabled
MCS 9, Spatial Streams = 4 : Disabled
MCS 11, Spatial Streams = 4 : Disabled
Beacon Interval : 100
.
.
.
Maximum Number of Clients per AP Radio : 200

Device# show wlan ID <wlan-id>

WLAN Profile Name : ax-wlc
================================================
Identifier : 1
Network Name (SSID) : ax-wlc
Status : Enabled
Broadcast SSID : Enabled
Universal AP Admin : Disabled
Max Associated Clients per WLAN : 0
Max Associated Clients per AP per WLAN : 0
Max Associated Clients per AP Radio per WLAN : 200
Number of Active Clients : 0
CHD per WLAN : Enabled
Multicast Interface : Unconfigured
.
.
.
802.11ac MU-MIMO : Disabled
802.11ax paramters
OFDMA Downlink : Enabled
OFDMA Uplink : Enabled
MU-MIMO Downlink : Enabled
MU-MIMO Uplink : Enabled
BSS Color : Enabled
Partial BSS Color : Enabled
BSS Color Code : 0
BSS Target Wake Up Time : Enabled

Device# show ap led-brightness-level summary

AP Name           LED Brightness level
--------------------------------------------------------
AP00FC.BA01.CC00  Not Supported
AP70DF.2FA2.72EE  8
AP7069.5A74.6678  2
APb838.6159.e184  Not Supported


CHAPTER 31
AP Audit Configuration
· Information About AP Audit Configuration, on page 359
· Restrictions for AP Audit Configuration, on page 359
· Configure AP Audit Parameters (CLI), on page 360
· Verifying AP Audit Report Summary, on page 360
· Verifying AP Audit Report Detail, on page 360
Information About AP Audit Configuration
The AP Audit Configuration feature helps to detect wireless service synchronization issues between the controller and an AP. In Cisco IOS XE Amsterdam, Release 17.3.1, two methods are implemented to support AP audit configuration.
· Config Checker: This functionality helps in auditing the application of wireless policies during the AP join phase. Any discrepancies at this stage are reported on the controller. This is a built-in functionality and you cannot disable it. When you try to configure any of the AP attributes such as name, IP address, controller information, tag, mode, radio mode, and radio admin state, the AP parses the CAPWAP payload configuration from the controller and reports the errors detected back to the controller with the proper code. If a discrepancy is detected, the controller flags errors using the syslog.
· Config Audit: This functionality helps to perform a periodic comparison of operational states between an AP and the controller after the AP join phase and while the corresponding AP is still connected. Discrepancies, if any, are reported immediately on the controller. The consolidated report is available at the controller at any time. This functionality is disabled by default. The periodic auditing interval is a configurable parameter. Use the ap audit-report command to enable and configure audit report parameters. When triggered, the AP sends configurations from its database to the controller, and the controller compares them against the current configuration. If a discrepancy is detected, the controller flags the error using the syslog.
Restrictions for AP Audit Configuration
· Config checker alerts are available only through the syslog.
· IOS AP is not supported.

· The audit reports are not synchronized from the active to the standby controller. After SSO, they are not readily available until the next reporting interval of the already-connected APs.
· The audit reports are not available when an AP is in standalone mode.
· This feature is supported only on APs in FlexConnect mode.

Configure AP Audit Parameters (CLI)
The AP Audit Configuration feature helps you compare the operational states between an AP and the controller. The AP sends state view details to the controller, and the controller compares it with what it perceives as the AP state. This feature is disabled by default.

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: ap audit-report enable
Example:
Device(config)# ap audit-report enable
Purpose: Enables audit reporting.

Step 3
Command or Action: ap audit-report interval interval
Example:
Device(config)# ap audit-report interval 1300
Purpose: Configures the AP audit reporting interval. The default value for interval is 1440 minutes. The valid range is from 10 to 43200.

Verifying AP Audit Report Summary

To verify the AP audit report summary, use the show ap audit-report summary command:

Device# show ap audit-report summary

WTP Mac         Radio        Wlan         IPv4 Acl  IPv6 Acl  Last Report Time
-------------------------------------------------------------------------------------------------------------------------------
1880.90fd.6b40  OUT_OF_SYNC  OUT_OF_SYNC  IN_SYNC   IN_SYNC   01/01/1970 05:30:00 IST

Verifying AP Audit Report Detail

To verify an AP audit report's details, use the show ap name ap-name audit-report detail command:

Device# show ap name Cisco-AP audit-report detail

Cisco AP Name : Cisco-AP
=================================================
IPV4 ACL Audit Report Status : IN_SYNC
IPV6 ACL Audit Report Status : IN_SYNC
Radio Audit Report Status : IN_SYNC
WLAN Audit Report Status :

Slot-id  Wlan-id  Vlan     State    SSID     Auth-Type  Other-Flag
-------------------------------------------------------------------------------------
0        4        IN_SYNC  IN_SYNC  IN_SYNC  IN_SYNC    IN_SYNC
1        4        IN_SYNC  IN_SYNC  IN_SYNC  IN_SYNC    IN_SYNC

bh-csr1#show ap audit-report summary

WTP-Mac         Radio    Wlan     IPv4-Acl  IPv6-Acl  Last-Report-Time
------------------------------------------------------------------------------------------------------
4001.7aca.5140  IN_SYNC  IN_SYNC  IN_SYNC   IN_SYNC   06/22/2020 13:17:39 IST
4001.7aca.5a60  IN_SYNC  IN_SYNC  IN_SYNC   IN_SYNC   06/22/2020 13:18:25 IST
7070.8b23.a1a0  IN_SYNC  IN_SYNC  IN_SYNC   IN_SYNC   06/22/2020 13:18:29 IST
a0f8.49dc.9460  IN_SYNC  IN_SYNC  IN_SYNC   IN_SYNC   06/22/2020 13:16:43 IST
a0f8.49dc.96e0  IN_SYNC  IN_SYNC  IN_SYNC   IN_SYNC   06/22/2020 13:17:55 IST
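A defender-side check built on the summary output above, added here as an example (it is not part of the Cisco guide): it parses the show ap audit-report summary table in the column layout printed above and lists the APs whose Radio, Wlan, IPv4 ACL or IPv6 ACL state is not IN_SYNC, together with APs that have never reported or whose last report is older than the reporting interval. The sample rows are constructed in the guide's format, and the epoch-timestamp and staleness rules are assumptions of the example, not documented controller behaviour.

```python
"""Flag access points whose AP audit report shows configuration drift.

Added example, not part of the Cisco guide. Two rules are assumptions of
this example rather than documented controller behaviour:
  * a Last-Report-Time of 01/01/1970 05:30:00 IST is Unix time zero in
    UTC+5:30, so such a row is treated as "no report received yet";
  * a report older than the reporting interval (the guide's default is
    1440 minutes) is treated as stale; the guide notes that reports are
    not synced to the standby, so this is expected right after an SSO.
"""
import re
from datetime import datetime, timedelta
from typing import List, Tuple, Union

# Constructed sample in the guide's column layout; not captured from a controller.
SAMPLE_SUMMARY = """\
bh-csr1#show ap audit-report summary

WTP-Mac         Radio        Wlan         IPv4-Acl  IPv6-Acl     Last-Report-Time
------------------------------------------------------------------------------------------
4001.7aca.5140  IN_SYNC      IN_SYNC      IN_SYNC   IN_SYNC      06/22/2020 13:17:39 IST
1880.90fd.6b40  OUT_OF_SYNC  OUT_OF_SYNC  IN_SYNC   IN_SYNC      06/22/2020 13:18:25 IST
7070.8b23.a1a0  IN_SYNC      IN_SYNC      IN_SYNC   IN_SYNC      01/01/1970 05:30:00 IST
a0f8.49dc.9460  IN_SYNC      IN_SYNC      IN_SYNC   OUT_OF_SYNC  06/22/2020 13:16:43 IST
"""

MAC = r"[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}"
# One data row: MAC, four sync-state columns, then date, time and zone.
ROW_RE = re.compile(
    rf"^(?P<mac>{MAC})\s+(?P<radio>\S+)\s+(?P<wlan>\S+)\s+"
    r"(?P<ipv4_acl>\S+)\s+(?P<ipv6_acl>\S+)\s+"
    r"(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<tz>\S+)\s*$"
)
AUDITED = ("radio", "wlan", "ipv4_acl", "ipv6_acl")
TS_FORMAT = "%m/%d/%Y %H:%M:%S"
DEFAULT_INTERVAL_MIN = 1440  # the guide's default ap audit-report interval


def _to_dt(value: Union[str, datetime]) -> datetime:
    """Accept either a datetime or a timestamp in the controller's format."""
    return value if isinstance(value, datetime) else datetime.strptime(value, TS_FORMAT)


def parse_audit_summary(text: str) -> List[dict]:
    """Return one dict per AP row; prompt, header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        row["reported_at"] = _to_dt(f"{m.group('date')} {m.group('time')}")
        rows.append(row)
    return rows


def audit_findings(rows: List[dict], now: Union[str, datetime],
                   max_age_min: int = DEFAULT_INTERVAL_MIN) -> List[Tuple[str, str]]:
    """Return (mac, reason) pairs for APs that need attention.

    Any state other than IN_SYNC counts as drift, so an unexpected token is
    surfaced rather than silently ignored. Drift is reported before report age.
    """
    now_dt = _to_dt(now)
    findings: List[Tuple[str, str]] = []
    for row in rows:
        drifted = [col for col in AUDITED if row[col] != "IN_SYNC"]
        if drifted:
            findings.append((row["mac"], "out of sync: " + ", ".join(drifted)))
        reported_at = row["reported_at"]
        if reported_at.year == 1970:  # epoch placeholder (assumption, see docstring)
            findings.append((row["mac"], "no audit report received yet"))
        elif now_dt - reported_at > timedelta(minutes=max_age_min):
            findings.append((row["mac"], "stale report"))
    return findings


if __name__ == "__main__":
    for mac, reason in audit_findings(parse_audit_summary(SAMPLE_SUMMARY), "06/22/2020 14:00:00"):
        print(f"{mac}: {reason}")
```

Pipe a saved copy of the summary into parse_audit_summary and alert on a non-empty result; the stale threshold should match the interval you configured with ap audit-report interval.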


CHAPTER 32

AP Support Bundle

· Access Point Support Bundle, on page 363
· Exporting an AP Support Bundle (GUI), on page 363
· Exporting an AP Support Bundle (CLI), on page 364
· Monitoring the Status of Support Bundle Export, on page 364
Access Point Support Bundle
An access point (AP) support bundle contains core files, crash files, show run-configuration, configuration commands, msglogs, and traplogs. This topic describes how you can retrieve the support bundle information of an AP and export it to the controller or to an external server. (Until Cisco IOS XE, Release 17.2.1, you had to log in to the AP console to retrieve the AP support-bundle information.) The Access Point Support Bundle feature is supported only on Cisco Wave2 APs and Cisco Catalyst APs.

Exporting an AP Support Bundle (GUI)
Procedure

Step 1 Choose Configuration > Wireless > Access Points.
Step 2 Click the corresponding AP name. The Edit AP window is displayed.
Step 3 Click the Support Bundle tab.
Step 4 From the Destination drop-down list, choose one of the following:
· This Device: If you choose this, enter the values for the Server IP, Destination File Path, Username, and Password fields.
Note: When you choose This Device, a bundle is sent through Secure Copy (SCP) to the controller (if you have configured the ip scp server enable command globally on the controller). You can easily retrieve the bundle later from your browser, using the controller file manager.
· External Server: If you choose this, from the Transfer Mode drop-down list, choose either scp or tftp.
If you choose the scp transfer mode, enter the values for the Server IP, Destination File Path, Username, and Password fields.
If you choose the tftp transfer mode, enter the values for the Server IP and Destination File Path fields.
Note: Information about the Last Export Status, such as State, Transfer Mode, Server IP, File Path, and Time of Export, is displayed on the right-hand side of the window.
Step 5 Click Start Transfer.

Exporting an AP Support Bundle (CLI)

Procedure

Step 1
Command or Action: enable
Example:
Device> enable
Purpose: Enables privileged EXEC mode. Enter your password, if prompted.

Step 2
Command or Action: ap name Cisco-AP-name export support-bundle mode {scp | tftp} target ip-address {A.B.C.D | X:X:X:X::X} path file-path
Example:
Device# ap name Cisco-AP-name export support-bundle mode scp target ip-address 10.1.1.1 path file-path
Purpose: Exports the AP support bundle through the SCP or TFTP transfer modes. If you select scp, you are prompted to provide your username and password. For tftp, a username and password are not required.

Monitoring the Status of Support Bundle Export

To monitor the status of a support bundle export, run the following command:

Device# show ap support-bundle summary

AP Name   Server-IP  Status        Last Successful Time     Path  File-name
------------------------------------------------------------------------------------------------------------
AP_28XXX  81.1.1.10  Copy Success  04/24/2020 07:27:38 UTC        AP_28XXX_support.17.4.0.2.2020.07XXXX.tgz


CHAPTER 33
Cisco Flexible Antenna Port

· Information About Cisco Flexible Antenna Port, on page 365
· Configuring a Cisco Flexible Antenna Port (GUI), on page 365
· Configuring a Cisco Flexible Antenna Port (CLI), on page 366
· Verifying Flexible Antenna Port Configuration, on page 366
Information About Cisco Flexible Antenna Port
The presence of multiple antennas on the transmitters and the receivers of access points (APs), results in better performance and reliability of the APs. Multiple antennas improve reception through the selection of stronger signals or a combination of individual signals, at the receiver. You can configure the antenna ports to be used in the APs as either dual-band antennas or as single-band antennas to optimize radio coverage.
· Dual-band antenna mode: APs operate in both the 2.4-GHz and 5-GHz bandwidth with all the four antennas--A, B, C, and D. An example of a dual-band antenna mode AP is the Cisco Industrial Wireless 3702 AP.
· Single-band antenna mode: Among the APs, antennas A and B operate in the 2.4-GHz bandwidth, and the antennas C and D operate in the 5-GHz bandwidth. An example of a single-band antenna mode AP is the Cisco Catalyst Industrial Wireless 6300 AP.

Configuring a Cisco Flexible Antenna Port (GUI)
Procedure

Step 1 Choose Configuration > Wireless > Access Points.
Step 2 Click AP Name.
Step 3 Click the Advanced tab.
Step 4 From the Antenna Mode drop-down list, choose the antenna mode.
Step 5 Click Apply & Update.


Configuring a Cisco Flexible Antenna Port (CLI)

Procedure

Step 1
Command or Action: ap name ap-name antenna-band-mode {dual | single}
Example:
Device# ap name ap-name antenna-band-mode single
Purpose: Configures antenna band mode as single or dual.

Verifying Flexible Antenna Port Configuration

The following is a sample output of the show ap name ap_name config general command that shows the bands selected on a specific AP:

Device# show ap name APXXXX.31XX.83XX config general

Cisco AP Name : APXXXX.31XX.83XX
=================================================
Cisco AP Identifier : b4de.312e.00c0
Country Code : Multiple Countries : US,IN
Regulatory Domain Allowed by Country : 802.11bg:-A 802.11a:-ABDN
AP Submode : Not Configured
Antenna Band Mode : Dual

The following is a sample output of the show ap name ap_name config slot 0 command that shows the bands selected on a specific AP with dual-band mode enabled:

Device# show ap name APXXXX.31XX.83XX config slot 0 | sec 802.11n Antennas

802.11n Antennas
A : ENABLED
B : ENABLED
C : ENABLED
D : ENABLED
802.11n Antennas MIMO Tx Rx : x : Unknown : Unknown

The following is a sample output of the show ap name ap_name config slot 1 command that shows the bands selected on a specific AP with single-band mode enabled:

Device# show ap name APXXXX.31XX.83XX config slot 1 | sec 802.11n Antennas

802.11n Antennas
A : DISABLED
B : DISABLED
C : ENABLED
D : ENABLED
802.11n Antennas MIMO Tx Rx : x : Unknown : Unknown


CHAPTER 34

LED States for Access Points

· Information About LED States for Access Points, on page 367
· Configuring LED State in Access Points (GUI), on page 367
· Configuring LED State for Access Points in the Global Configuration Mode (CLI), on page 368
· Configuring LED State in the AP Profile, on page 368
· Verifying LED State for Access Points, on page 369
Information About LED States for Access Points
In a wireless LAN network where there are a large number of access points, it is difficult to locate a specific access point associated with the controller. You can configure the controller to set the LED state of an access point so that it blinks and the access point can be located. This configuration can be done in the wireless network on a global as well as per-AP level.
The LED state configuration at the global level takes precedence over the AP level.

Configuring LED State in Access Points (GUI)
Procedure

Step 1 Choose Configuration > Wireless > Access Points.
Step 2 Click an AP from the AP list. The Edit AP window is displayed.
Step 3 In the General tab, under the General section, click the box adjacent to the LED State field to enable or disable the LED state.
Step 4 From the LED Brightness Level drop-down list, choose a value from 1 to 8.
Step 5 Click Update & Apply to Device.


Configuring LED State for Access Points in the Global Configuration Mode (CLI)

Procedure

Step 1
Command or Action: enable
Example:
Device> enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2
Command or Action: ap name Cisco-AP-name led
Example:
Device# ap name Cisco-AP-name led
Purpose: Enables the LED state for Cisco APs, globally.

Step 3
Command or Action: ap name Cisco-AP-name led-brightness-level 1-8
Example:
Device# ap name Cisco-AP-name led-brightness-level 4
Purpose: Configures the LED brightness level. Value of the brightness is from 1 to 8.

Configuring LED State in the AP Profile

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: ap profile default-ap-profile
Example:
Device(config)# ap profile default-ap-profile
Purpose: Enters the AP profile configuration mode.

Step 3
Command or Action: led
Example:
Device(config-ap-profile)# led
Purpose: Enables the LED-state for all Cisco APs.


Verifying LED State for Access Points
To verify the LED state of the access points, use the show ap name ap-name config general command:

Device# show ap name AXXX-APXXXX.bdXX.f2XX config general

Cisco AP Name : AXXX-APXXXX.bdXX.f2XX
=================================================
Cisco AP Identifier : 0cXX.bdXX.65XX
Country Code : Multiple Countries : FR,IN,US
Regulatory Domain Allowed by Country : 802.11bg:-AE 802.11a:-ABDEN
AP Country Code : US - United States
AP Regulatory Domain
802.11bg : -A
802.11a : -B
.
.
.
CAPWAP Preferred mode : IPv4
CAPWAP UDP-Lite : Not Configured
AP Submode : WIPS
Office Extend Mode : Disabled
Dhcp Server : Disabled
Remote AP Debug : Disabled
Logging Trap Severity Level : information
Logging Syslog facility : kern
Software Version : 17.X.0.XXX
Boot Version : 1.1.X.X
Mini IOS Version : 0.0.0.0
Stats Reporting Period : 180
LED State : Enabled
MDNS Group Id : 0
.
.
.


CHAPTER 35

Access Points Memory Information

· Information About Access Point Memory Information, on page 371
· Verifying Access Point Memory Information, on page 371
Information About Access Point Memory Information
With the introduction of the Access Point Memory Information feature, you can view the access point (AP) memory type, the CPU type, and the memory size per AP, after single sign-on authentication. APs share the memory information with the controller during the join phase. To view the memory information of a specific AP, use the show ap name AP-NAME config general command.

Verifying Access Point Memory Information

To verify the memory information of a specified AP, including the CPU type, memory type and memory size, use the following command:

Device# show ap name AP-NAME config general

Cisco AP Name : AP-NAME
=================================================
Cisco AP Identifier : 00XX.f1XX.e0XX
Country Code : Multiple Countries : FR,IN,US
Regulatory Domain Allowed by Country : 802.11bg:-AE 802.11a:-ABDEN
AP Country Code : US - United States
AP Regulatory Domain
802.11bg : -A
802.11a : -B
.
.
.
CPU Type : ARMv7 Processor rev 1 (v7l)
Memory Type : DDR4
Memory Size : 1028096 KB
.
.
.


CHAPTER 36

Real-Time Access Points Statistics

· Information About Access Point Real-Time Statistics, on page 373
· Configuring Access Point Real-Time Statistics (GUI), on page 373
· Configuring Access Point Real-Time Statistics (CLI), on page 374
· Monitoring Access Point Real-Time Statistics (GUI), on page 375
· Verifying Access Point Real-Time Statistics, on page 376
Information About Access Point Real-Time Statistics
From Cisco IOS XE Bengaluru 17.5.1 onwards, you can track the CPU utilization and memory usage of an AP, and monitor the health of an AP, by generating real-time statistics for an AP.
SNMP traps are defined for CPU and memory utilization of APs and the controller. An SNMP trap is sent out when the threshold is crossed. The sampling period and statistics interval can be configured using SNMP, YANG, and CLI.
Statistics interval is used to process the data coming from an AP, and the average CPU utilization and memory utilization is computed over time. You can also configure an upper threshold for these statistics. When a statistic value surpasses the upper threshold, an alarm is enabled, and an SNMP trap is triggered.

Configuring Access Point Real-Time Statistics (GUI)
Procedure

Step 1  Choose Configuration > Tags & Profiles > AP Join.
Step 2  Click Add. The Add AP Join Profile page is displayed.
Step 3  Click the AP tab.
Step 4  Under the AP tab, click the AP Statistics tab.
Step 5  Click the Monitor Real Time Statistics toggle button to Enabled status.
Step 6  Click the Trigger Alarm for AP toggle button to Enabled status.
Step 7  In the CPU Threshold to Trigger Alarm field, enter the threshold percentage of CPU usage. When the CPU usage crosses this threshold, an alarm is triggered.
Step 8  In the Memory Threshold to Trigger Alarm field, enter the threshold percentage of memory usage. When the memory usage exceeds this threshold, an alarm is triggered.
Step 9  In the Interval to Hold Alarm field, enter the time, in seconds, for which the alarm is held before it gets triggered.
Step 10 In the Trap Retransmission Time field, enter the time, in seconds, between retransmissions of the alarm.
Step 11 In the Sampling Interval field, enter the value, in seconds. The sampling interval defines how often data is collected from the AP.
Step 12 In the Statistics Interval field, enter the value, in seconds. The statistics interval defines the interval over which statistics are calculated for the AP.
Step 13 Click Apply to Device to save the configuration.

Configuring Access Point Real-Time Statistics (CLI)
To configure AP real-time statistics for an AP profile, follow the steps given below.

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: ap profile ap-profile-name
Example:
Device(config)# ap profile ap-profile-name
Purpose: Configures the AP profile. The default AP join profile name is default-ap-profile.

Step 3
Command or Action: stats-timer 0-65535
Example:
Device(config-ap-profile)# stats-timer 60
Purpose: Configures the statistics timer. This command is used to change the frequency of the statistics reports coming from the AP.

Step 4
Command or Action: statistics ap-system-monitoring enable
Example:
Device(config-ap-profile)# statistics ap-system-monitoring enable
Purpose: Enables monitoring of AP real-time statistics (CPU and memory).

Step 5
Command or Action: statistics ap-system-monitoring alarm-enable
Example:
Device(config-ap-profile)# statistics ap-system-monitoring alarm-enable
Purpose: Enables alarms for AP real-time statistics (CPU and memory).

Step 6
Command or Action: statistics ap-system-monitoring cpu-threshold <0-100> percentage
Example:
Device(config-ap-profile)# statistics ap-system-monitoring cpu-threshold 90
Purpose: Defines the threshold for CPU usage on the AP (percentage) to trigger alarms.

Step 7
Command or Action: statistics ap-system-monitoring mem-threshold <0-100> percentage
Example:
Device(config-ap-profile)# statistics ap-system-monitoring mem-threshold 90
Purpose: Defines the threshold for memory usage on the AP (percentage) to trigger an alarm.

Step 8
Command or Action: exit
Example:
Device(config-ap-profile)# exit
Purpose: Exits AP profile configuration mode and returns to global configuration mode.

Step 9
Command or Action: trapflags ap ap-stats
Example:
Device(config)# trapflags ap ap-stats
Purpose: Enables or disables sending AP-related traps. Traps are sent when statistics exceed the configured threshold.

Example

The following example shows how to configure AP real-time statistics.

Device(config)# ap profile default-policy-profile
Device(config-ap-profile)# statistics ap-system-monitoring enable
Device(config-ap-profile)# statistics ap-system-monitoring sampling-interval 90
Device(config-ap-profile)# statistics ap-system-monitoring stats-interval 120
Device(config-ap-profile)# statistics ap-system-monitoring alarm-enable
Device(config-ap-profile)# statistics ap-system-monitoring alarm-hold-time 3
Device(config-ap-profile)# statistics ap-system-monitoring alarm-retransmit-time 10
Device(config-ap-profile)# statistics ap-system-monitoring cpu-threshold 90
Device(config-ap-profile)# statistics ap-system-monitoring mem-threshold 90
Device(config-ap-profile)# exit
Device(config)# trapflags ap ap-stats

Note The sampling-interval, stats-interval, alarm-enable, alarm-hold-time, and alarm-retransmit-time keyword configurations are optional.

Monitoring Access Point Real-Time Statistics (GUI)
Procedure

Step 1  Choose Monitoring > Wireless > AP Statistics.
Step 2  Click the General tab.
Step 3  Click an AP name. The General window is displayed.
Step 4  To view the AP Statistics data, click the AP Statistics tab. The following information is displayed:
· Memory alarm last send time: Displays the time of the last memory trap sent.
· Memory Alarm Status: Displays the state of the memory alarm. An alarm can be ACTIVE, INACTIVE, INACTIVE_SOAKING, or ACTIVE_SOAKING. An alarm is soaked until the configured hold time has passed.
· Memory alarm raise time: Displays the last time the memory alarm was active.
· Memory alarm clear time: Displays the last time the memory alarm was inactive.
· Last statistics received: Displays the time of the last statistics report received from the AP.
· Current CPU Usage: Displays the latest percentage of CPU usage reported.
· Average CPU Usage: Displays the average CPU usage calculated.
· Current Memory Usage: Displays the latest percentage of memory usage reported.
· Average Memory Usage: Displays the average memory usage calculated.
· Current window size: Displays the window size. The window size is calculated by dividing the statistics interval by the sampling interval. The average CPU and memory usage are calculated over this window.
· CPU alarm last send time: Displays the time of the last CPU trap sent.
· CPU Alarm Status: Displays the state of the CPU alarm. An alarm can be ACTIVE, INACTIVE, INACTIVE_SOAKING, or ACTIVE_SOAKING. An alarm is soaked until the configured hold time has passed.
· CPU alarm raise time: Displays the last time the CPU alarm was active.
· CPU alarm clear time: Displays the last time the CPU alarm was inactive.
Step 5  Click OK.
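As an added illustration (not code from this guide or from Cisco), the following Python models the behaviour that the CLI example and the monitoring fields above describe: a window of statistics interval / sampling interval samples, an alarm that soaks for the hold time before it is raised or cleared, and a trap that is resent at the retransmission time while the alarm stays active. The moving-average rule, the soaking transitions, the clear notification, and all parameter values and samples are assumptions constructed for the demonstration.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, List, Optional, Tuple


@dataclass
class MonitorConfig:
    """Per-AP-profile parameters mirroring the statistics ap-system-monitoring keywords.

    Values are constructed for the demonstration, not the guide's defaults.
    """
    sampling_interval: int = 10      # seconds between statistics reports from the AP
    stats_interval: int = 30         # seconds over which the average is computed
    alarm_hold_time: int = 15        # seconds an alarm soaks before it changes state
    alarm_retransmit_time: int = 25  # seconds between repeated traps while ACTIVE
    threshold: int = 30              # percent (cpu-threshold or mem-threshold)

    @property
    def window_size(self) -> int:
        # Window size = statistics interval / sampling interval, as the guide states.
        return max(1, self.stats_interval // self.sampling_interval)


@dataclass
class AlarmMonitor:
    """Tracks one statistic (CPU or memory) for one AP."""
    cfg: MonitorConfig
    state: str = "INACTIVE"
    samples: Deque[int] = field(default_factory=deque)
    soak_start: Optional[int] = None
    raise_time: Optional[int] = None
    clear_time: Optional[int] = None
    last_send_time: Optional[int] = None
    traps: List[Tuple[str, int]] = field(default_factory=list)  # (kind, time sent)

    def __post_init__(self) -> None:
        self.samples = deque(maxlen=self.cfg.window_size)

    def average(self) -> float:
        # Assumption: a simple moving average over the samples currently in the window.
        return sum(self.samples) / len(self.samples)

    def _send_trap(self, kind: str, now: int) -> None:
        self.traps.append((kind, now))
        self.last_send_time = now

    def report(self, now: int, usage: int) -> str:
        """Process one statistics report received at time `now`; return the new state."""
        self.samples.append(usage)
        over = self.average() > self.cfg.threshold
        hold, resend = self.cfg.alarm_hold_time, self.cfg.alarm_retransmit_time
        if self.state == "INACTIVE":
            if over:  # threshold crossed: soak before raising
                self.state, self.soak_start = "ACTIVE_SOAKING", now
        elif self.state == "ACTIVE_SOAKING":
            if not over:  # dropped back below the threshold before the hold time elapsed
                self.state = "INACTIVE"
            elif now - self.soak_start >= hold:
                self.state, self.raise_time = "ACTIVE", now
                self._send_trap("raise", now)
        elif self.state == "ACTIVE":
            if not over:  # recovered: soak before clearing
                self.state, self.soak_start = "INACTIVE_SOAKING", now
            elif now - self.last_send_time >= resend:
                self._send_trap("retransmit", now)
        elif self.state == "INACTIVE_SOAKING":
            if over:  # condition returned while soaking: the alarm stays raised
                self.state = "ACTIVE"
            elif now - self.soak_start >= hold:
                self.state, self.clear_time = "INACTIVE", now
                self._send_trap("clear", now)  # assumption: the clear is notified too
        return self.state


# Constructed CPU-usage reports (percent), one per sampling interval.
CPU_SAMPLES = [10, 20, 30, 60, 60, 60, 60, 60, 10, 10, 10, 10]


def run(samples: List[int], cfg: Optional[MonitorConfig] = None) -> Tuple[AlarmMonitor, List[str]]:
    """Feed the samples in order; return the monitor and the state after each report."""
    cfg = cfg or MonitorConfig()
    mon = AlarmMonitor(cfg)
    states = [mon.report(i * cfg.sampling_interval, v) for i, v in enumerate(samples)]
    return mon, states


if __name__ == "__main__":
    mon, states = run(CPU_SAMPLES)
    for i, (v, s) in enumerate(zip(CPU_SAMPLES, states)):
        print(f"t={i * mon.cfg.sampling_interval:3d}s usage={v:2d} state={s}")
    print("traps:", mon.traps)
```

With these parameters the alarm is raised at t=50s, retransmitted at t=80s, and cleared at t=110s, which is the sequence the raise, last-send and clear times in the GUI fields record.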

Verifying Access Point Real-Time Statistics
To verify AP real-time statistics, run the show ap config general | section AP statistics command:

Device# show ap config general | section AP statistics
!Last Statistics
AP statistics                  : Enabled
Current CPU usage              : 4
Average CPU usage              : 49
Current memory usage           : 35
Average memory usage           : 35
Last statistics received       : 03/09/2021 15:25:08
!Statistics Configuration
Current window size            : 1
Sampling interval              : 30
Statistics interval            : 300
AP statistics alarms           : Enabled
!Alarm State - Active, Inactive, Inactive_Soaking, Inactive_Soaking
Memory alarm status            : Active
Memory alarm raise time        : 03/09/2021 15:24:29
Memory alarm clear time        : NA
Memory alarm last send time    : 03/09/2021 15:24:59
CPU alarm status               : Inactive
CPU alarm raise time           : 03/09/2021 15:24:25
CPU alarm clear time           : 03/09/2021 15:25:05
CPU alarm last send time       : 03/09/2021 15:25:05
!Alarm Configuration
Alarm hold time                : 6
Alarm retransmission time      : 30
Alarm threshold cpu            : 30
Alarm threshold memory         : 32

To verify the statistics reporting period, run the show ap config general | i Stats Reporting Period command:

Device# show ap config general | i Stats Reporting Period
Stats Reporting Period         : 10

PART IV
Radio Resource Management
· Radio Resource Management, on page 381
· Coverage Hole Detection, on page 413
· Optimized Roaming, on page 419
· Cisco Flexible Radio Assignment, on page 421
· XOR Radio Support, on page 427
· Cisco Receiver Start of Packet, on page 433
· Client Limit, on page 437
· IP Theft, on page 439
· Unscheduled Automatic Power Save Delivery, on page 445
· Target Wake Time, on page 447
· Enabling USB Port on Access Points, on page 453
· Dynamic Frequency Selection, on page 457
· Cisco Access Points with Tri-Radio, on page 459
· Cisco DNA Center Assurance Wi-Fi 6 Dashboard, on page 465
· Antenna Disconnection Detection, on page 469
· Neighbor Discovery Protocol Mode on Access Points, on page 475

CHAPTER 37
Radio Resource Management
· Information About Radio Resource Management, on page 381
· Restrictions for Radio Resource Management, on page 389
· How to Configure RRM, on page 390
· Monitoring RRM Parameters and RF Group Status, on page 408
· Examples: RF Group Configuration, on page 410
· Information About ED-RRM, on page 410
Information About Radio Resource Management
The Radio Resource Management (RRM) software that is embedded in the device acts as a built-in Radio Frequency (RF) engineer to consistently provide real-time RF management of your wireless network. RRM enables devices to continually monitor their associated lightweight access points for the following information:
· Traffic load: The total bandwidth used for transmitting and receiving traffic. It enables wireless LAN managers to track and plan network growth ahead of client demand.
· Interference: The amount of traffic coming from other 802.11 sources.
· Noise: The amount of non-802.11 traffic that is interfering with the currently assigned channel.
· Coverage: The Received Signal Strength (RSSI) and signal-to-noise ratio (SNR) for all connected clients.
· Other: The number of nearby access points.

RRM performs these functions:
· Radio resource monitoring
· Power control transmission
· Dynamic channel assignment
· Coverage hole detection and correction
· RF grouping

Note RRM grouping does not occur when an AP operates in a static channel that is not in the DCA channel list. The Neighbor Discovery Protocol (NDP) is sent only on DCA channels; therefore, when a radio operates on a non-DCA channel, it does not receive NDP on the channel.
Radio Resource Monitoring
RRM automatically detects and configures new devices and lightweight access points as they are added to the network. It then automatically adjusts the associated and nearby lightweight access points to optimize coverage and capacity. Lightweight access points can scan all the valid channels for the country of operation as well as for channels available in other locations. The access points in local mode go off-channel for a period not greater than 70 ms to monitor these channels for noise and interference. Packets collected during this time are analyzed to detect rogue access points, rogue clients, ad-hoc clients, and interfering access points.
Note In the presence of voice traffic or other critical traffic (in the last 100 ms), access points can defer off-channel measurements. The access points also defer off-channel measurements based on the WLAN scan priority configurations.
Each access point spends only 0.2 percent of its time off channel. This activity is distributed across all the access points so that adjacent access points are not scanning at the same time, which could adversely affect wireless LAN performance.
Information About RF Groups
An RF group is a logical collection of controllers that coordinate to perform RRM in a globally optimized manner, performing network calculations on a per-radio basis. Separate RF groups exist for 2.4-GHz and 5-GHz networks. Clustering Cisco Catalyst 9800 Series Wireless Controllers into a single RF group enables the RRM algorithms to scale beyond the capabilities of a single Cisco Catalyst 9800 Series Wireless Controller. An RF group is created based on the following parameters:
· User-configured RF network name.
· Neighbor discovery performed at the radio level.
· Country list configured on the controller.
RF grouping runs between controllers. Lightweight access points periodically send out neighbor messages over the air. Access points using the same RF group name validate messages from each other. When access points on different controllers hear validated neighbor messages at a signal strength of -80 dBm or stronger, the controllers dynamically form an RF neighborhood in auto mode. In static mode, the leader is manually selected and the members are added to the RF group.


Note RF groups and mobility groups are similar in that they both define clusters of controllers, but they are different in terms of their use. An RF group facilitates scalable, system-wide dynamic RF management, while a mobility group facilitates scalable, system-wide mobility and controller redundancy.
RF Group Leader
RF Group Leader can be configured in two ways as follows:
Note The RF Group Leader is chosen on the basis of the controller with the greatest AP capacity (platform limit). If multiple controllers have the same capacity, the leader is the one with the highest management IP address.
· Auto Mode: In this mode, the members of an RF group elect an RF group leader to maintain a primary power and channel scheme for the group. The RF grouping algorithm dynamically chooses the RF group leader and ensures that an RF group leader is always present. Group leader assignments can and do change (for instance, if the current RF group leader becomes inoperable or RF group members experience major changes).
· Static Mode: In this mode, a user selects a controller as an RF group leader manually. In this mode, the leader and the members are manually configured and fixed. If the members are unable to join the RF group, the reason is indicated. The leader tries to establish a connection with a member every minute if the member has not joined in the previous attempt.
The RF group leader analyzes real-time radio data collected by the system, calculates the power and channel assignments, and sends them to each of the controllers in the RF group. The RRM algorithms ensure system-wide stability, and restrain channel and power scheme changes to the appropriate local RF neighborhoods.
Note When a controller becomes both leader and member for a specific radio, you see both the IPv4 and IPv6 address as part of the group leader. When Controller A becomes a member and Controller B becomes a leader, Controller A displays either the IPv4 or the IPv6 address of Controller B, using the address over which it is connected. So, if the leader and member are not the same controller, you see only one IPv4 or IPv6 address as the group leader on the member.
If Dynamic Channel Assignment (DCA) needs to use the worst-performing radio as the single criterion for adopting a new channel plan, it can result in pinning or cascading problems. The main cause of both pinning and cascading is that any potential channel plan changes are controlled by the RF circumstances of the worst-performing radio. The DCA algorithm does not do this; instead, it does the following:
· Multiple local searches: The DCA search algorithm performs multiple local searches initiated by different radios in the same DCA run rather than performing a single global search that is driven by a single radio. This change addresses both pinning and cascading, while maintaining the desired flexibility and adaptability of DCA and without jeopardizing stability.

· Multiple Channel Plan Change Initiators (CPCIs): Previously, the single worst radio was the sole initiator of a channel plan change. Now each radio in an RF group is evaluated and prioritized as a potential initiator. Intelligent randomization of the resulting list ensures that every radio is eventually evaluated, which eliminates the potential for pinning.
· Limiting the propagation of channel plan changes (Localization): For each CPCI radio, the DCA algorithm performs a local search for a better channel plan, but only the CPCI radio itself and its one-hop neighboring access points are actually allowed to change their current transmit channels. The impact of an access point triggering a channel plan change is felt only to within two RF hops from that access point, and the actual channel plan changes are confined to within a one-hop RF neighborhood. Because this limitation applies across all CPCI radios, cascading cannot occur.
· Non-RSSI-based cumulative cost metric: A cumulative cost metric measures how well an entire region, neighborhood, or network performs with respect to a given channel plan. The individual cost metrics of all the access points in that area are considered in order to provide an overall understanding of the channel plan's quality. These metrics ensure that the improvement or deterioration of each single radio is factored into any channel plan change. The objective is to prevent channel plan changes in which a single radio improves, but at the expense of multiple other radios experiencing a considerable performance decline.
The RRM algorithms run at a specified update interval, which is 600 seconds by default. Between update intervals, the RF group leader sends keepalive messages to each of the RF group members and collects real-time RF data.

Note Several monitoring intervals are also available. See the Configuring RRM section for details.

RF Grouping Failure Reason Codes

RF grouping failure reason codes and their explanations are listed below:

Table 16: RF Grouping Failure Reason Codes

Reason Code   Description
1             Maximum number (20) of controllers are already present in the group.
2             If the following conditions are met:
              · The request is from a similar powered controller and,
              · Controller is the leader for the other band, OR
              · Requestor group is larger.
3             Group IDs do not match.
4             Request does not include source type.
5             Group split message to all members while group is being reformed.

Reason Code   Description
6             Auto leader is joining a static leader; during the process it deletes all the members.
9             Grouping mode is turned off.
11            Country code does not match.
12            Controller is up in hierarchy compared to sender of join command (static mode).
13            Requestor is up in hierarchy (auto mode).
14            Controller is configured as static leader and receives join request from another static leader.
15            Controller is already a member of static group and receives a join request from another static leader.
16            Controller is a static leader and receives join request from non-static member.
18            Join request is not intended for the controller.
19            Controller name and IP do not match.
20            RF domain does not match.
21            Controller received a Hello packet at incorrect state.
22            Controller has already joined Auto leader, now gets a join request from static leader. Group mode change. Domain name change from CLI. Static member is removed from CLI. Max switch size (350) is reached.

Additional Reference
Radio Resource Management White Paper: https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-3/b_RRM_White_Paper/b_RRM_White_Paper_chapter_011.html
RF Group Name
A controller is configured in an RF group name, which is sent to all the access points joined to the controller and used by the access points as the shared secret for generating the hashed MIC in the neighbor messages. To create an RF group, you configure all of the controllers to be included in the group with the same RF group name.
If there is any possibility that an access point joined to a controller might hear RF transmissions from an access point on a different controller, you should configure both controllers with the same RF group name. If RF transmissions between access points can be heard, then system-wide RRM is recommended to avoid 802.11 interference and contention as much as possible.


Secure RF Groups
Secure RF groups enable you to encrypt and secure RF grouping and RRM message exchanges over a DTLS tunnel. During the DTLS handshake, the controllers authenticate each other with the wireless management trust-point certificate.
Note If a controller has to be part of secure RF-group, that controller must be part of the same mobility group.
Transmit Power Control
The device dynamically controls access point transmit power based on the real-time wireless LAN conditions.
The Transmit Power Control (TPC) algorithm increases and decreases an access point's power in response to changes in the RF environment. In most instances, TPC seeks to lower an access point's power to reduce interference, but in the case of a sudden change in the RF coverage, for example, if an access point fails or becomes disabled, TPC can also increase power on the surrounding access points. This feature is different from coverage hole detection, which is primarily concerned with clients. TPC provides enough RF power to achieve the required coverage levels while avoiding channel interference between access points. We recommend that you select TPCv1; TPCv2 option is deprecated. With TPCv1, you can select the channel aware mode; we recommend that you select this option for 5 GHz, and leave it unchecked for 2.4 GHz.
Overriding the TPC Algorithm with Minimum and Maximum Transmit Power Settings
The TPC algorithm balances RF power in many diverse RF environments. However, it is possible that automatic power control will not be able to resolve some scenarios in which an adequate RF design was not possible to implement due to architectural restrictions or site restrictions, for example, when all the access points must be mounted in a central hallway, placing the access points close together, but requiring coverage to the edge of the building.
In these scenarios, you can configure maximum and minimum transmit power limits to override TPC recommendations. The maximum and minimum TPC power settings apply to all the access points through RF profiles in an RF network.
To set the Maximum Power Level Assignment and Minimum Power Level Assignment, enter the maximum and minimum transmit power used by RRM in the fields in the Tx Power Control window. The range for these parameters is -10 to 30 dBm. The minimum value cannot be greater than the maximum value; the maximum value cannot be less than the minimum value.
If you configure a maximum transmit power, RRM does not allow any access point attached to the controller, to exceed this transmit power level (whether the power is set by RRM TPC or by coverage hole detection). For example, if you configure a maximum transmit power of 11 dBm, no access point will transmit above 11 dBm, unless the access point is configured manually.
Cisco APs support power level changes in 3 dB granularity. TPC Min and Max power settings allow for values in 1 dB increments. The resulting power level will be rounded to the nearest value supported in the allowed powers entry for the AP model and the current serving channel.
Each AP model has its own set of power levels localized for its regulatory country and region. Moreover, the power levels for the same AP model will vary based on the band and channel it is set to. For more information on Allowed Power Level vs. Actual power (in dBm), use the show ap name <name> config slot <0|1|2|3> command to view the specific number of power levels, the range of power levels allowed, and the current power level setting on the AP.
Dynamic Channel Assignment
Two adjacent access points on the same channel can cause either signal contention or signal collision. In a collision, data is not received by the access point. This can become a problem, for example, when someone reading an e-mail in a café affects the performance of the access point in a neighboring business. Even though these are separate networks, someone sending traffic to the café on channel 1 can disrupt communication in an enterprise using the same channel. Devices can dynamically allocate access point channel assignments to avoid conflict and increase capacity and performance. Channels are reused to avoid wasting scarce RF resources. In other words, channel 1 is allocated to a different access point far from the café, which is more effective than not using channel 1 altogether.
The device's Dynamic Channel Assignment (DCA) capabilities are also useful in minimizing adjacent channel interference between access points. For example, two overlapping channels in the 802.11b/g band, such as 1 and 2, cannot simultaneously use 11 or 54 Mbps. By effectively reassigning channels, the device keeps adjacent channels separated.
Note We recommend that you use only nonoverlapping channels (1, 6, 11, and so on).
Note Channel change does not require you to shut down the radio.
The device examines a variety of real-time RF characteristics to efficiently handle channel assignments as follows:
· Access point received energy: The received signal strength measured between each access point and its nearby neighboring access points. Channels are optimized for the highest network capacity.
· Noise: Noise can limit signal quality at the client and access point. An increase in noise reduces the effective cell size and degrades user experience. By optimizing channels to avoid noise sources, the device can optimize coverage while maintaining system capacity. If a channel is unusable due to excessive noise, that channel can be avoided.
· 802.11 interference: Interference is any 802.11 traffic that is not a part of your wireless LAN, including rogue access points and neighboring wireless networks. Lightweight access points constantly scan all the channels looking for sources of interference. If the amount of 802.11 interference exceeds a predefined configurable threshold (the default is 10 percent), the access point sends an alert to the device. Using the RRM algorithms, the device may then dynamically rearrange channel assignments to increase system performance in the presence of the interference. Such an adjustment could result in adjacent lightweight access points being on the same channel, but this setup is preferable to having the access points remain on a channel that is unusable due to an interfering foreign access point.
In addition, if other wireless networks are present, the device shifts the usage of channels to complement the other networks. For example, if one network is on channel 6, an adjacent wireless LAN is assigned to channel 1 or 11. This arrangement increases the capacity of the network by limiting the sharing of frequencies. If a channel has virtually no capacity remaining, the device may choose to avoid this channel. In huge deployments in which all nonoverlapping channels are occupied, the device does its best, but you must consider RF density when setting expectations.


· Load and utilization: When utilization monitoring is enabled, capacity calculations can consider that some access points are deployed in ways that carry more traffic than other access points, for example, a lobby versus an engineering area. The device can then assign channels to improve the access point that has performed the worst. The load is taken into account when changing the channel structure to minimize the impact on the clients that are currently in the wireless LAN. This metric keeps track of every access point's transmitted and received packet counts to determine how busy the access points are. New clients avoid an overloaded access point and associate to a new access point. This Load and utilization parameter is disabled by default.
The device combines this RF characteristic information with RRM algorithms to make system-wide decisions. Conflicting demands are resolved using soft-decision metrics that guarantee the best choice for minimizing network interference. The end result is optimal channel configuration in a three-dimensional space, where access points on the floor above and below play a major factor in an overall wireless LAN configuration.
Note DCA supports only 20-MHz channels in 2.4-GHz band.
Note In a Dynamic Frequency Selection (DFS) enabled AP environment, ensure that you enable the UNII2 channels option under the DCA channel to allow 100-MHz separation for the dual 5-GHz radios.
The RRM startup mode is invoked in the following conditions:
· In a single-device environment, the RRM startup mode is invoked after the device is upgraded and rebooted.
· In a multiple-device environment, the RRM startup mode is invoked after an RF Group leader is elected.
· You can trigger the RRM startup mode from the CLI.
The RRM startup mode runs for 100 minutes (10 iterations at 10-minute intervals). The duration of the RRM startup mode is independent of the DCA interval, sensitivity, and network size. The startup mode consists of 10 DCA runs with high sensitivity (making channel changes easy and sensitive to the environment) to converge to a steady-state channel plan. After the startup mode is finished, DCA continues to run at the specified interval and sensitivity.
Note Even when the DCA algorithm interval is set to 1 hour, the DCA algorithm always runs at the default interval of 10 minutes during startup mode: channel allocation occurs at 10-minute intervals for the first 10 cycles, and channel changes occur as per the DCA algorithm every 10 minutes. After that, the DCA algorithm goes back to the configured time interval. This applies to both the DCA interval and the anchor time, because they follow the steady state.
Note If Dynamic Channel Assignment (DCA)/Transmit Power Control (TPC) is turned off on the RF group member, and auto is set on RF group leader, the channel or TX power on a member gets changed as per the algorithm that is run on the RF group leader.


Dynamic Bandwidth Selection
While upgrading from 11n to 11ac, the Dynamic Bandwidth Selection (DBS) algorithm provides a smooth transition for various configurations.
The following pointers describe the functionalities of DBS:
· It applies an additional layer of bias on top of those applied by the core DCA for channel assignment, in order to maximize network throughput by dynamically varying the channel width.
· It fine-tunes the channel allocations by constantly monitoring the channel and Base Station Subsystem (BSS) statistics.
· It evaluates the transient parameters, such as 11n or 11ac client mix, load, and traffic flow types.
· It reacts to the fast-changing statistics by varying the BSS channel width or adapting to the unique and new channel orientations through 11ac for selection between 40 MHz and 80 MHz bandwidths.
Coverage Hole Detection and Correction
The RRM coverage hole detection algorithm can detect areas of radio coverage in a wireless LAN that are below the level needed for robust radio performance. This feature can alert you to the need for an additional (or relocated) lightweight access point.
If clients on a lightweight access point are detected at threshold levels (RSSI, failed client count, percentage of failed packets, and number of failed packets) lower than those specified in the RRM configuration, the access point sends a "coverage hole" alert to the device. The alert indicates the existence of an area where clients are continually experiencing poor signal coverage, without having a viable access point to which to roam. The device discriminates between coverage holes that can and cannot be corrected. For coverage holes that can be corrected, the device mitigates the coverage hole by increasing the transmit power level for that specific access point. The device does not mitigate coverage holes caused by clients that are unable to increase their transmit power or are statically set to a power level because increasing their downstream transmit power might increase interference in the network.
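The following is an added example (not Cisco code) that models the coverage hole decision described above for one AP radio, using the thresholds this chapter documents: a per-packet RSSI threshold, a minimum failed-packet count and percentage per client, the Minimum Failed Client per AP, and the Percent Coverage Exception Level per AP. The rule that every threshold must be met, the constructed client samples, and the packet-count and fail-percentage defaults are this example's assumptions; the controller's real weighting of SNR and client capabilities is not modelled.

```python
"""Simplified model of the RRM coverage hole check for one AP radio.

Added example, not Cisco code. The decision rule (all thresholds must be met)
and the sample data are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple


def _in_range(name: str, value: int, lo: int, hi: int) -> int:
    """Reject values outside the range the configuration guide allows."""
    if not lo <= value <= hi:
        raise ValueError(f"{name}={value} is outside {lo}..{hi}")
    return value


@dataclass
class CoverageThresholds:
    # Defaults are the ones stated in the GUI procedure of this chapter, except
    # packet_count and fail_percentage, whose defaults the page does not give.
    rssi_threshold_dbm: int = -80   # Data RSSI Threshold, -90..-60 dBm
    packet_count: int = 10          # min failed uplink packets per client, 1..255 (constructed)
    fail_percentage: int = 20       # min failed uplink packet %, 1..100 (constructed)
    min_failed_clients: int = 3     # Minimum Failed Client per AP, 1..75
    exception_level_pct: int = 25   # Percent Coverage Exception Level per AP, 0..100

    def __post_init__(self) -> None:
        _in_range("rssi_threshold_dbm", self.rssi_threshold_dbm, -90, -60)
        _in_range("packet_count", self.packet_count, 1, 255)
        _in_range("fail_percentage", self.fail_percentage, 1, 100)
        _in_range("min_failed_clients", self.min_failed_clients, 1, 75)
        _in_range("exception_level_pct", self.exception_level_pct, 0, 100)


@dataclass
class ClientSample:
    name: str
    uplink_rssi_dbm: List[int]     # per-packet RSSI the AP measured (constructed)
    can_raise_power: bool = True   # False: client at max or statically fixed Tx power


def client_failed(sample: ClientSample, thr: CoverageThresholds) -> bool:
    """A client counts as failed when the packets received below the RSSI
    threshold reach both the minimum count and the minimum percentage."""
    if not sample.uplink_rssi_dbm:
        return False
    weak = sum(1 for rssi in sample.uplink_rssi_dbm if rssi < thr.rssi_threshold_dbm)
    weak_pct = 100.0 * weak / len(sample.uplink_rssi_dbm)
    return weak >= thr.packet_count and weak_pct >= thr.fail_percentage


def evaluate_radio(clients: List[ClientSample],
                   thr: CoverageThresholds) -> Tuple[bool, bool, List[str]]:
    """Return (alert, correctable, failed client names) for one AP radio.

    alert: failed clients reach both Minimum Failed Client per AP and the
           Percent Coverage Exception Level, so the AP would raise a
           coverage hole alert.
    correctable: the hole is one the controller would mitigate by raising
           the AP's Tx power; a hole made only of power-limited clients is
           left alone, as the text above explains.
    """
    if not clients:
        return False, False, []
    failed = [c for c in clients if client_failed(c, thr)]
    failed_pct = 100.0 * len(failed) / len(clients)
    alert = (len(failed) >= thr.min_failed_clients
             and failed_pct >= thr.exception_level_pct)
    correctable = alert and any(c.can_raise_power for c in failed)
    return alert, correctable, [c.name for c in failed]


# Constructed samples: 8 associated clients, 20 uplink packets each.
SAMPLE_CLIENTS = [
    ClientSample("client-1", [-86] * 15 + [-72] * 5),      # failed, can raise power
    ClientSample("client-2", [-84] * 12 + [-70] * 8, can_raise_power=False),
    ClientSample("client-3", [-83] * 11 + [-69] * 9, can_raise_power=False),
    ClientSample("client-4", [-85] * 5 + [-71] * 15),      # too few weak packets
    ClientSample("client-5", [-65] * 20),
    ClientSample("client-6", [-68] * 20),
    ClientSample("client-7", [-74] * 20),
    ClientSample("client-8", [-79] * 20),                  # -79 is not below -80
]

if __name__ == "__main__":
    print(evaluate_radio(SAMPLE_CLIENTS, CoverageThresholds()))
```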
Restrictions for Radio Resource Management
· The number of APs in an RF group is limited to 3000.
· If an AP tries to join an RF group that already holds the maximum number of APs it can support, the device rejects the request and throws an error.
· Disabling all data rates on the default rf-profile or a custom rf-profile impacts the ISSU upgrade and the client join process after the software upgrade (ISSU or non-ISSU). To prevent this, you must enable at least one data rate (for example, ap dot11 24 rate RATE_5_5M enable) on the default rf-profile or custom rf-profile. We recommend that you enable the lowest data rate if efficiency is of prime concern.

How to Configure RRM

Configuring Neighbor Discovery Type (GUI)
Procedure

Step 1 Choose Configuration > Radio Configurations > RRM.
Step 2 On the Radio Resource Management page, click either the 5 GHz Band or the 2.4 GHz Band tab.
Step 3 In the General tab, under each section enter the corresponding field details:
a) Under the Profile Threshold For Traps section, enter the:
1. Interference Percentage: The foreign interference threshold is between 0 and 100 %. The default is 10 %.
2. Clients: The client threshold between 1 and 75 clients. The default is 12.
3. Noise: The foreign noise threshold between -127 dBm and 0 dBm. The default is -70 dBm.
4. Utilization Percentage: The RF utilization threshold between 0 and 100 %. The default is 80 %.
5. Throughput: The average rate of successful message delivery over a communication channel. Value ranges from 1000 to 1000000 bps.
b) Under the Noise/Interference/Rogue/CleanAir/SI Monitoring Channels section, choose the:
1. Channel List from the drop-down list:
· All Channels
· Country Channels
· DCA Channels
2. RRM Neighbor Discover Type from the drop-down list:
· Transparent: Packets are sent as is.
· Protected: Packets are protected.
3. RRM Neighbour Discovery Mode:
· AUTO: If the NDP mode configured is AUTO, the controller selects On-Channel as the NDP mode. The default is set as AUTO.
· OFF-CHANNEL: If the NDP mode configured is Off-Channel, the controller selects Off-Channel as the NDP mode.
c) Under the Monitor section, set:
· Neighbor Packet Frequency (seconds): Frequency (in seconds) at which the Neighbor Discovery Packets are sent. The default is 180 seconds.
· Reporting Interval (seconds): The default is 180 seconds. Each channel dwell has to be completed within 180 seconds.
· Neighbor Timeout factor: Value in seconds used to determine when to prune access points that have timed out from the neighbor list. The default is 20 seconds.
Step 4 Click Apply to save your configuration.

Configuring Neighbor Discovery Type (CLI)

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: ap dot11 {24ghz | 5ghz} rrm ndp-type {protected | transparent}
Example:
Device(config)#ap dot11 24ghz rrm ndp-type protected
Device(config)#ap dot11 24ghz rrm ndp-type transparent
Purpose: Configures the neighbor discovery type. By default, the mode is set to "transparent".
· protected: Sets the neighbor discovery type to protected. Packets are encrypted.
· transparent: Sets the neighbor discovery type to transparent. Packets are sent as is.

Step 3
Command or Action: end
Example:
Device(config)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Configuring RF Groups
This section describes how to configure RF groups through either the GUI or the CLI.

Note When the multiple-country feature is being used, all controllers intended to join the same RF group must be configured with the same set of countries, configured in the same order.

Configuring RF Group Selection Mode (GUI)
Procedure

Step 1 Choose Configuration > Radio Configurations > RRM.
Step 2 On the RRM page, click the relevant band's tab: either 5 GHz Band or 2.4 GHz Band.
Step 3 Click the RF Grouping tab.
Step 4 Choose the appropriate Group Mode from these options:
· Automatic: Sets the 802.11 RF group selection to automatic update mode
· Leader: Sets the 802.11 RF group selection to leader mode
· Off: Disables the 802.11 RF group selection
Step 5 Save the configuration.

Configuring RF Group Selection Mode (CLI)

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: ap dot11 {24ghz | 5ghz} rrm group-mode {auto | leader | off}
Example:
Device(config)#ap dot11 24ghz rrm group-mode leader
Purpose: Configures RF group selection mode for 802.11 bands.
· auto: Sets the 802.11 RF group selection to automatic update mode.
· leader: Sets the 802.11 RF group selection to leader mode.
· off: Disables the 802.11 RF group selection.

Step 3
Command or Action: end
Example:
Device(config)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Configuring an RF Group Name (CLI)

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wireless rf-network name
Example:
Device(config)# wireless rf-network test1
Purpose: Creates an RF group. The group name should be an ASCII string of up to 19 characters and is case sensitive.
Note Repeat this procedure for each controller that you want to include in the RF group.

Step 3
Command or Action: end
Example:
Device(config)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Configuring Members in an 802.11 Static RF Group (GUI)

Procedure

Step 1 Choose Configuration > Radio Configurations > RRM.
Step 2 On the RRM page, click either the 5 GHz Band or 2.4 GHz Band tab.
Step 3 Click the RF Grouping tab.
Step 4 Choose the appropriate Group Mode from the following options:
· Automatic (default): Members of an RF group elect an RF group leader to maintain a primary power and channel scheme for the group. The RF grouping algorithm dynamically chooses the RF group leader and ensures that an RF group leader is always present. Group leader assignments can and do change (for instance, if the current RF group leader becomes inoperable or if RF group members experience major changes).
· Leader: A device is manually configured as the RF group leader. In this mode, the leader and the members are manually configured and are therefore fixed. If the members are unable to join the RF group, the reason is indicated. The members' management IP addresses and system names are used to request the members to join the leader. The leader tries to establish a connection with a member every 1 minute if the member has not joined in the previous attempt.
· Off: No RF group is configured.
Step 5 Under the Group Members section, click Add.
Step 6 In the Add Static Member window that is displayed, enter the controller name and the IPv4 or IPv6 address of the controller.
Step 7 Click Save & Apply to Device.

Configuring Members in an 802.11 Static RF Group (CLI)

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: ap dot11 {24ghz | 5ghz} rrm group-member group_name ip_addr
Example:
Device(config)#ap dot11 24ghz rrm group-member Grpmem01 10.1.1.1
Purpose: Configures members in an 802.11 static RF group. The group mode should be set as leader for the group member to be active.

Step 3
Command or Action: end
Example:
Device(config)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Configuring Transmit Power Control
Configuring Transmit Power (GUI)
Procedure

Step 1 Choose Configuration > Radio Configurations > RRM.
Step 2 On the 5 GHz Band or 2.4 GHz Band tab, click the TPC tab.
Step 3 Choose one of the following dynamic transmit power assignment modes:
· Automatic (default): The transmit power is periodically updated for all APs that permit this operation.
· On Demand: The transmit power is updated on demand. If you choose this option, the Invoke Power Update Once button is displayed. Click Invoke Power Update Once to apply the RRM data.
· Fixed: No dynamic transmit power assignments occur and values are set to their global default.
Step 4 Enter the maximum and minimum power level assignment on this radio. If you configure a maximum transmit power, RRM does not allow any access point attached to the device to exceed this transmit power level (whether the power is set by RRM TPC or by coverage hole detection). For example, if you configure a maximum transmit power of 11 dBm, then no access point would transmit above 11 dBm, unless the access point is configured manually. The range is -10 dBm to 30 dBm.
Step 5 In the Power Threshold field, enter the cutoff signal level used by RRM when determining whether to reduce an access point's power.
The default value for this parameter varies depending on the TPC version you choose. For TPCv1, the default value is -70 dBm, and for TPCv2, the default value is -67 dBm. The default value can be changed when access points are transmitting at higher (or lower) than desired power levels. The range for this parameter is -80 to -50 dBm.
Increasing this value (between -65 and -50 dBm) causes the access points to operate at higher transmit power rates. Decreasing the value has the opposite effect. In applications with a dense population of access points, it may be useful to decrease the threshold to -80 or -75 dBm in order to reduce the number of BSSIDs (access points) and beacons seen by the wireless clients. Some wireless clients might have difficulty processing a large number of BSSIDs or a high beacon rate and might exhibit problematic behavior with the default threshold.
Step 6 Click Apply.

Configuring the Tx-Power Control Threshold (CLI)

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: ap dot11 {24ghz | 5ghz} rrm tpc-threshold threshold_value
Example:
Device(config)#ap dot11 24ghz rrm tpc-threshold -60
Purpose: Configures the Tx-power control threshold used by RRM for auto power assignment. The range is from -80 to -50.

Step 3
Command or Action: end
Example:
Device(config)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Configuring the Tx-Power Level (CLI)

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: ap dot11 {24ghz | 5ghz} rrm txpower {trans_power_level | auto | max | min | once}
Example:
Device(config)#ap dot11 24ghz rrm txpower auto
Purpose: Configures the 802.11 tx-power level.
· trans_power_level--Sets the transmit power level.
· auto--Enables auto-RF.
· max--Configures the maximum auto-RF tx-power.
· min--Configures the minimum auto-RF tx-power.
· once--Enables one-time auto-RF.

Step 3
Command or Action: end
Example:
Device(config)# end
Purpose: Returns to privileged EXEC mode.

Configuring 802.11 RRM Parameters
Configuring Advanced 802.11 Channel Assignment Parameters (GUI)
Procedure

Step 1 Choose Configuration > Radio Configurations > RRM.
Step 2 In the DCA tab, choose a Channel Assignment Mode to specify the DCA mode:
· Automatic (default)--Causes the device to periodically evaluate and, if necessary, update the channel assignment for all joined APs.
· Freeze--Causes the device to evaluate and update the channel assignment for all joined APs. If you choose this option, the Invoke Channel Update Once button is displayed. Click Invoke Channel Update Once to apply the RRM data.
· Off--Turns off DCA and sets all AP radios to the first channel of the band, which is the default value. If you choose this option, you must manually assign channels on all radios.
Step 3 From the Interval drop-down list, choose how often the DCA algorithm is allowed to run. The default interval is 10 minutes.
Step 4 From the AnchorTime drop-down list, choose a number to specify the time of day when the DCA algorithm must start. The options are numbers between 0 and 23 (inclusive) representing the hour of the day from 12:00 a.m. to 11:00 p.m.
Step 5 Check the Avoid Foreign AP Interference check box to cause the device's RRM algorithms to consider 802.11 traffic from foreign APs (those not included in your wireless network) when assigning channels to lightweight APs, or uncheck it to disable this feature. For example, RRM may adjust the channel assignment to have access points avoid channels close to foreign APs. By default, this feature is enabled.
Step 6 Check the Avoid Cisco AP Load check box to cause the device's RRM algorithms to consider 802.11 traffic from Cisco lightweight APs in your wireless network when assigning channels. For example, RRM can assign better reuse patterns to access points that carry a heavier traffic load. By default, this feature is disabled.
Step 7 Check the Avoid Non-802.11a Noise check box to cause the device's RRM algorithms to consider noise (non-802.11 traffic) in the channel when assigning channels to lightweight APs. For example, RRM may have APs avoid channels with significant interference from non-AP sources, such as microwave ovens. By default, this feature is enabled.
Step 8 Check the Avoid Persistent Non-WiFi Interference check box to enable the device to take into account persistent non-Wi-Fi interference in DCA calculations. A persistent interfering device is any device from the following categories that has been seen in the past 7 days: Microwave Oven, Video Camera, Canopy, WiMax Mobile, WiMax Fixed, Exalt Bridge. With Avoid Persistent Non-WiFi Interference enabled, if a Microwave Oven is detected, the interference from the Microwave Oven is taken into account in the DCA calculations for the next 7 days. After 7 days, if the interfering device is not detected anymore, it is no longer considered in the DCA calculations.
Step 9 From the DCA Channel Sensitivity drop-down list, choose one of the following options to specify how sensitive the DCA algorithm is to environmental changes such as signal, load, noise, and interference when determining whether to change channels:
· Low--The DCA algorithm is not particularly sensitive to environmental changes. The DCA threshold is 30 dB.
· Medium (default)--The DCA algorithm is moderately sensitive to environmental changes. The DCA threshold is 15 dB.
· High--The DCA algorithm is highly sensitive to environmental changes. The DCA threshold is 5 dB.
Step 10 Set the Channel Width as required. You can choose the RF channel width as 20 MHz, 40 MHz, 80 MHz, 160 MHz, or Best. This is applicable only for the 802.11a/n/ac (5 GHz) radio.
Step 11 The Auto-RF Channel List section shows the channels that are currently selected. To choose a channel, check the corresponding check box.
Note If you disable the serving radio channel of the root AP from the Auto-RF Channel List, you will not be able to view the neighboring APs in the root APs.
Step 12 In the Event Driven RRM section, check the EDRRM check box to run RRM when a CleanAir-enabled AP detects a significant level of interference. If enabled, set the sensitivity threshold level at which RRM is invoked, enter the custom threshold, and check the Rogue Contribution check box to enter the rogue duty cycle.
Step 13 Click Apply.

Configuring Advanced 802.11 Channel Assignment Parameters (CLI)

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: ap dot11 {24ghz | 5ghz} rrm channel cleanair-event sensitivity {high | low | medium}
Example:
Device(config)#ap dot11 24ghz rrm channel cleanair-event sensitivity high
Purpose: Configures CleanAir event-driven RRM parameters.
· high: Specifies the most sensitivity to non-Wi-Fi interference as indicated by the air quality (AQ) value.
· low: Specifies the least sensitivity to non-Wi-Fi interference as indicated by the AQ value.
· medium: Specifies medium sensitivity to non-Wi-Fi interference as indicated by the AQ value.

Step 3
Command or Action: ap dot11 {24ghz | 5ghz} rrm channel dca {add channel-number | anchor-time | global {auto | once} | interval | min-metric | remove channel-number | sensitivity {high | low | medium}}
Example:
Device(config)#ap dot11 24ghz rrm channel dca interval 2
Purpose: Configures Dynamic Channel Assignment (DCA) algorithm parameters for the 802.11 band.
· add channel-number: Enter a channel number to be added to the DCA list. The range is between 1 and 14.
· anchor-time: Configures the anchor time for the DCA. The range is between 0 and 23 hours.
· global: Configures the DCA mode for all 802.11 Cisco APs.
  · auto: Enables auto-RF.
  · once: Enables auto-RF only once.
· interval: Configures the DCA interval value. The values are 1, 2, 3, 4, 6, 8, 12 and 24 hours, and the default value 0 denotes 10 minutes.
· min-metric: Configures the DCA minimum RSSI energy metric. The range is between -100 and -60.
· remove channel-number: Enter the channel number to be removed from the DCA list. The range is between 1 and 14.
· sensitivity: Configures the DCA sensitivity level to changes in the environment.
  · high: Specifies the most sensitivity.
  · low: Specifies the least sensitivity.
  · medium: Specifies medium sensitivity.

Step 4
Command or Action: ap dot11 5ghz rrm channel dca chan-width {20 | 40 | 80 | best}
Example:
Device(config)#ap dot11 5ghz rrm channel dca chan-width best
Purpose: Configures the DCA channel bandwidth for all 802.11 radios in the 5-GHz band. Sets the channel bandwidth to 20 MHz, 40 MHz, or 80 MHz; 20 MHz is the default value for channel bandwidth. 80 MHz is the default value for best. Set the channel bandwidth to best before configuring the constraints.

Step 5
Command or Action: ap dot11 5ghz rrm channel dca chan-width width-max {WIDTH_20MHz | WIDTH_40MHz | WIDTH_80MHz | WIDTH_MAX}
Example:
Device(config)#ap dot11 5ghz rrm channel dca chan-width width-max WIDTH_80MHz
Purpose: Configures the maximum channel bandwidth that can be assigned to a channel. In this example, WIDTH_80MHz allows the channel bandwidth to be 20 MHz, 40 MHz, or 80 MHz but not greater than that.

Step 6
Command or Action: ap dot11 {24ghz | 5ghz} rrm channel device
Example:
Device(config)#ap dot11 24ghz rrm channel device
Purpose: Configures the persistent non-Wi-Fi device avoidance in the 802.11 channel assignment.

Step 7
Command or Action: ap dot11 {24ghz | 5ghz} rrm channel foreign
Example:
Device(config)#ap dot11 24ghz rrm channel foreign
Purpose: Configures the foreign AP 802.11 interference avoidance in the channel assignment.

Step 8
Command or Action: ap dot11 {24ghz | 5ghz} rrm channel load
Example:
Device(config)#ap dot11 24ghz rrm channel load
Purpose: Configures the Cisco AP 802.11 load avoidance in the channel assignment.

Step 9
Command or Action: ap dot11 {24ghz | 5ghz} rrm channel noise
Example:
Device(config)#ap dot11 24ghz rrm channel noise
Purpose: Configures the 802.11 noise avoidance in the channel assignment.

Step 10
Command or Action: end
Example:
Device(config)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Configuring 802.11 Coverage Hole Detection (GUI)
Procedure

Step 1 Choose Configuration > Radio Configurations > RRM to configure Radio Resource Management parameters for 802.11a/n/ac (5-GHz) and 802.11b/g/n (2.4-GHz) radios.
Step 2 On the Radio Resource Management page, click the Coverage tab.
Step 3 To enable coverage hole detection, check the Enable Coverage Hole Detection check box.
Step 4 In the Data Packet Count field, enter the number of data packets.
Step 5 In the Data Packet Percentage field, enter the percentage of data packets.
Step 6 In the Data RSSI Threshold field, enter the actual value in dBm. Value ranges from -60 dBm to -90 dBm; the default value is -80 dBm.
Step 7 In the Voice Packet Count field, enter the number of voice data packets.
Step 8 In the Voice Packet Percentage field, enter the percentage of voice data packets.
Step 9 In the Voice RSSI Threshold field, enter the actual value in dBm. Value ranges from -60 dBm to -90 dBm; the default value is -80 dBm.
Step 10 In the Minimum Failed Client per AP field, enter the minimum number of clients on an AP with a signal-to-noise ratio (SNR) below the coverage threshold. Value ranges from 1 to 75 and the default value is 3.
Step 11 In the Percent Coverage Exception Level per AP field, enter the maximum desired percentage of clients on an access point's radio operating below the desired coverage threshold, and click Apply. Value ranges from 0 to 100% and the default value is 25%.

Configuring 802.11 Coverage Hole Detection (CLI)

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: ap dot11 {24ghz | 5ghz} rrm coverage data {fail-percentage | packet-count | rssi-threshold}
Example:
Device(config)#ap dot11 24ghz rrm coverage data fail-percentage 60
Purpose: Configures the 802.11 coverage hole detection for data packets.
· fail-percentage: Configures the 802.11 coverage failure-rate threshold for uplink data packets as a percentage that ranges from 1 to 100%.
· packet-count: Configures the 802.11 coverage minimum failure count threshold for uplink data packets that ranges from 1 to 255.
· rssi-threshold: Configures the 802.11 minimum receive coverage level for data packets that ranges from -90 to -60 dBm.

Step 3
Command or Action: ap dot11 {24ghz | 5ghz} rrm coverage exception global exception_level
Example:
Device(config)#ap dot11 24ghz rrm coverage exception global 50
Purpose: Configures the 802.11 Cisco AP coverage exception level as a percentage that ranges from 0 to 100%.

Step 4
Command or Action: ap dot11 {24ghz | 5ghz} rrm coverage level global cli_min_exception_level
Example:
Device(config)#ap dot11 24ghz rrm coverage level global 10
Purpose: Configures the 802.11 Cisco AP client minimum exception level that ranges from 1 to 75 clients.

Step 5
Command or Action: ap dot11 {24ghz | 5ghz} rrm coverage voice {fail-percentage | packet-count | rssi-threshold}
Example:
Device(config)#ap dot11 24ghz rrm coverage voice packet-count 10
Purpose: Configures the 802.11 coverage hole detection for voice packets.
· fail-percentage: Configures the 802.11 coverage failure-rate threshold for uplink voice packets as a percentage that ranges from 1 to 100%.
· packet-count: Configures the 802.11 coverage minimum failure count threshold for uplink voice packets that ranges from 1 to 255.
· rssi-threshold: Configures the 802.11 minimum receive coverage level for voice packets that ranges from -90 to -60 dBm.

Step 6
Command or Action: end
Example:
Device(config)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Configuring 802.11 Event Logging (CLI)

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: ap dot11 {24ghz | 5ghz} rrm logging {channel | coverage | foreign | load | noise | performance | txpower}
Example:
Device(config)#ap dot11 24ghz rrm logging channel
Device(config)#ap dot11 24ghz rrm logging coverage
Device(config)#ap dot11 24ghz rrm logging foreign
Device(config)#ap dot11 24ghz rrm logging load
Device(config)#ap dot11 24ghz rrm logging noise
Device(config)#ap dot11 24ghz rrm logging performance
Device(config)#ap dot11 24ghz rrm logging txpower
Purpose: Configures event logging for various parameters.
· channel--Configures the 802.11 channel change logging mode.
· coverage--Configures the 802.11 coverage profile logging mode.
· foreign--Configures the 802.11 foreign interference profile logging mode.
· load--Configures the 802.11 load profile logging mode.
· noise--Configures the 802.11 noise profile logging mode.
· performance--Configures the 802.11 performance profile logging mode.
· txpower--Configures the 802.11 transmit power change logging mode.

Step 3
Command or Action: end
Example:
Device(config)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Configuring 802.11 Statistics Monitoring (GUI)

Procedure

Step 1 Choose Configuration > Radio Configurations > RRM to configure Radio Resource Management parameters for 802.11a/n/ac (5 GHz) and 802.11b/g/n (2.4 GHz) radios.
Step 2 In the Monitor Intervals (60 to 3600 secs) section, proceed as follows:
a) To configure the 802.11 noise measurement interval (channel scan interval), set the AP Noise Interval. The valid range is from 60 to 3600 seconds.
b) To configure the 802.11 signal measurement interval (neighbor packet frequency), set the AP Signal Strength Interval. The valid range is from 60 to 3600 seconds.
c) To configure the 802.11 coverage measurement interval, set the AP Coverage Interval. The valid range is from 60 to 3600 seconds.
d) To configure the 802.11 load measurement interval, set the AP Load Interval. The valid range is from 60 to 3600 seconds.
Step 3 Click Apply.

Configuring 802.11 Statistics Monitoring (CLI)

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: ap dot11 {24ghz | 5ghz} rrm monitor channel-list {all | country | dca}
Example:
Device(config)#ap dot11 24ghz rrm monitor channel-list all
Purpose: Sets the 802.11 monitoring channel list for parameters such as noise, interference, and rogues.
· all--Monitors all channels.
· country--Monitors channels used in the configured country code.
· dca--Monitors channels used by dynamic channel assignment.

Step 3
Command or Action: ap dot11 {24ghz | 5ghz} rrm monitor coverage interval
Example:
Device(config)#ap dot11 24ghz rrm monitor coverage 600
Purpose: Configures the 802.11 coverage measurement interval in seconds that ranges from 60 to 3600.

Step 4
Command or Action: ap dot11 {24ghz | 5ghz} rrm monitor load interval
Example:
Device(config)#ap dot11 24ghz rrm monitor load 180
Purpose: Configures the 802.11 load measurement interval in seconds that ranges from 60 to 3600.

Step 5
Command or Action: ap dot11 {24ghz | 5ghz} rrm monitor noise interval
Example:
Device(config)#ap dot11 24ghz rrm monitor noise 360
Purpose: Configures the 802.11 noise measurement interval (channel scan interval) in seconds that ranges from 60 to 3600.

Step 6
Command or Action: ap dot11 {24ghz | 5ghz} rrm monitor signal interval
Example:
Device(config)#ap dot11 24ghz rrm monitor signal 480
Purpose: Configures the 802.11 signal measurement interval (neighbor packet frequency) in seconds that ranges from 60 to 3600.

Step 7
Command or Action: end
Example:
Device(config)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Configuring the 802.11 Performance Profile (GUI)

Procedure

Step 1 Choose Configuration > Tags & Profiles > AP Join.
Step 2 On the AP Join page, click the name of the profile or click Add to create a new one.
Step 3 In the Add/Edit RF Profile window, click the RRM tab.
Step 4 In the General tab that is displayed, enter the following parameters:
a) In the Interference (%) field, enter the threshold value for 802.11 foreign interference that ranges between 0 and 100 percent.
b) In the Clients field, enter the threshold value for 802.11 Cisco AP clients that ranges between 1 and 75 clients.
c) In the Noise (dBm) field, enter the threshold value for 802.11 foreign noise that ranges between -127 and 0 dBm.
d) In the Utilization (%) field, enter the threshold value for 802.11 RF utilization that ranges between 0 and 100 percent.
Step 5 Click Update & Apply to Device.

Configuring the 802.11 Performance Profile (CLI)

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: ap dot11 {24ghz | 5ghz} rrm profile clients cli_threshold_value
Example:
Device(config)#ap dot11 24ghz rrm profile clients 20
Purpose: Sets the threshold value for 802.11 Cisco AP clients that ranges between 1 and 75 clients.

Step 3
Command or Action: ap dot11 {24ghz | 5ghz} rrm profile foreign int_threshold_value
Example:
Device(config)#ap dot11 24ghz rrm profile foreign 50
Purpose: Sets the threshold value for 802.11 foreign interference that ranges between 0 and 100%.

Step 4
Command or Action: ap dot11 {24ghz | 5ghz} rrm profile noise for_noise_threshold_value
Example:
Device(config)#ap dot11 24ghz rrm profile noise -65
Purpose: Sets the threshold value for 802.11 foreign noise that ranges between -127 and 0 dBm.

Step 5
Command or Action: ap dot11 {24ghz | 5ghz} rrm profile throughput throughput_threshold_value
Example:
Device(config)#ap dot11 24ghz rrm profile throughput 10000
Purpose: Sets the threshold value for 802.11 Cisco AP throughput that ranges between 1000 and 10000000 bytes per second.

Step 6
Command or Action: ap dot11 {24ghz | 5ghz} rrm profile utilization rf_util_threshold_value
Example:
Device(config)#ap dot11 24ghz rrm profile utilization 75
Purpose: Sets the threshold value for 802.11 RF utilization that ranges between 0 and 100%.

Step 7
Command or Action: end
Example:
Device(config)# end
Purpose: Returns to privileged EXEC mode.

Configuring Advanced 802.11 RRM

Enabling Channel Assignment (GUI)

Procedure

Step 1 Choose Configuration > Radio Configurations > RRM.
Step 2 In the RRM page, click the relevant band's tab: either 5 GHz Band or 2.4 GHz Band.
Step 3 Click the DCA tab.
Step 4 In the Dynamic Channel Assignment Algorithm section, choose the appropriate Channel Assignment Mode from these options:
· Automatic: Sets the channel assignment to automatic.
· Freeze: Locks the channel assignment. Click Invoke Channel Update Once to refresh the assigned channels.
Step 5 Click Apply.

Enabling Channel Assignment (CLI)

Procedure

Step 1
enable
Example:
Device# enable
Purpose: Enters privileged EXEC mode.

Step 2
ap dot11 {24ghz | 5ghz} rrm channel-update
Example:
Device# ap dot11 24ghz rrm channel-update
Purpose: Enables the 802.11 channel selection update for each of the Cisco access points.
Note After you enable ap dot11 {24ghz | 5ghz} rrm channel-update, a token is assigned for channel assignment in the DCA algorithm.

Restarting DCA Operation

Procedure

Step 1
enable
Example:
Device# enable
Purpose: Enters privileged EXEC mode.

Step 2
ap dot11 {24ghz | 5ghz} rrm dca restart
Example:
Device# ap dot11 24ghz rrm dca restart
Purpose: Restarts the DCA cycle for the 802.11 radio.

Updating Power Assignment Parameters (GUI)

Procedure

Step 1 Choose Configuration > Wireless > Access Points.
Step 2 On the Access Points page, click the AP name from the 5 GHz or 2.4 GHz list.
Step 3 In the Edit Radios > Configure > Tx Power Level Assignment section, choose Custom from the Assignment Method drop-down list.
Step 4 Choose the value for Transmit Power from the drop-down list.
Step 5 Click Update & Apply to Device.

Updating Power Assignment Parameters (CLI)

Procedure

Step 1
enable
Example:
Device# enable
Purpose: Enters privileged EXEC mode.

Step 2
ap dot11 {24ghz | 5ghz} rrm txpower update
Example:
Device# ap dot11 24ghz rrm txpower update
Purpose: Updates the 802.11 transmit power for each of the Cisco access points.

Configuring Rogue Access Point Detection in RF Groups

Configuring Rogue Access Point Detection in RF Groups (CLI)

Before you begin
Ensure that each controller in the RF group has been configured with the same RF group name.

Note The name is used to verify the authentication IE in all beacon frames. If the controllers have different names, false alarms will occur.

Procedure

Step 1
ap name Cisco_AP mode {monitor | clear | sensor | sniffer}
Example:
Device# ap name ap1 mode clear
Purpose: Perform this step for every access point connected to the controller. Configures the following AP modes of operation:
· monitor: Sets the AP mode to monitor mode.
· clear: Resets the AP mode to local or remote based on the site.
· sensor: Sets the AP mode to sensor mode.
· sniffer: Sets the AP mode to wireless sniffer mode.

Step 2
end
Example:
Device(config)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Step 3
configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 4
wireless wps ap-authentication
Example:
Device(config)# wireless wps ap-authentication
Purpose: Enables rogue access point detection.

Step 5
wireless wps ap-authentication threshold value
Example:
Device(config)# wireless wps ap-authentication threshold 50
Purpose: Specifies when a rogue access point alarm is generated. An alarm occurs when the threshold value (which specifies the number of access point frames with an invalid authentication IE) is met or exceeded within the detection period.
The valid threshold range is from 1 to 255, and the default threshold value is 1. To avoid false alarms, you may want to set the threshold to a higher value.
Note Enable rogue access point detection and the threshold value on every controller in the RF group.
Note If rogue access point detection is not enabled on every controller in the RF group, the access points on the controller with this feature disabled are reported as rogues.

Monitoring RRM Parameters and RF Group Status

Monitoring RRM Parameters

Table 17: Commands for monitoring Radio Resource Management

Commands

Description

show ap dot11 24ghz channel Displays the configuration and statistics of the 802.11b channel assignment.


show ap dot11 24ghz coverage Displays the configuration and statistics of the 802.11b coverage.

show ap dot11 24ghz group Displays the configuration and statistics of the 802.11b grouping.

show ap dot11 24ghz logging Displays the configuration and statistics of the 802.11b event logging.

show ap dot11 24ghz monitor Displays the configuration and statistics of the 802.11b monitoring.

show ap dot11 24ghz profile Displays 802.11b profiling information for all Cisco APs.

show ap dot11 24ghz summary Displays the configuration and statistics of the 802.11b Cisco APs.

show ap dot11 24ghz txpower Displays the configuration and statistics of the 802.11b transmit power control.

show ap dot11 5ghz channel Displays the configuration and statistics of the 802.11a channel assignment.

show ap dot11 5ghz coverage Displays the configuration and statistics of the 802.11a coverage.

show ap dot11 5ghz group Displays the configuration and statistics of the 802.11a grouping.

show ap dot11 5ghz logging Displays the configuration and statistics of the 802.11a event logging.

show ap dot11 5ghz monitor Displays the configuration and statistics of the 802.11a monitoring.

show ap dot11 5ghz profile Displays 802.11a profiling information for all Cisco APs.

show ap dot11 5ghz summary Displays the configuration and statistics of the 802.11a Cisco APs.

show ap dot11 5ghz txpower Displays the configuration and statistics of the 802.11a transmit power control.

Verifying RF Group Status (CLI)
This section describes the new commands for RF group status. The following commands can be used to verify RF group status on the .
Table 18: Verifying Aggressive Load Balancing Command

Command

Purpose

show ap dot11 5ghz group Displays the controller name which is the RF group leader for the 802.11a RF network.

show ap dot11 24ghz group Displays the controller name which is the RF group leader for the 802.11b/g RF network.

Examples: RF Group Configuration

This example shows how to configure the RF group name:
Device# configure terminal
Device(config)# wireless rf-network test1
Device(config)# ap dot11 24ghz shutdown
Device(config)# end
Device# show network profile 5

This example shows how to configure rogue access point detection in RF groups:
Device# ap name ap1 mode clear
Device# end
Device# configure terminal
Device(config)# wireless wps ap-authentication
Device(config)# wireless wps ap-authentication threshold 50
Device(config)# end

Information About ED-RRM
Spontaneous interference is interference that appears suddenly on a network, perhaps jamming a channel or a range of channels completely. The Cisco CleanAir spectrum event-driven RRM feature allows you to set a threshold for air quality (AQ) that, if exceeded, triggers an immediate channel change for the affected access point. Once a channel change occurs due to event-driven RRM, the channel is placed on the blocked list for three hours so that it is not selected again. Most RF management systems can avoid interference, but this information takes time to propagate through the system. Cisco CleanAir relies on AQ measurements to continuously evaluate the spectrum and can trigger a move within 30 seconds. For example, if an access point detects interference from a video camera, it can recover by changing channels within 30 seconds of the camera becoming active.
Configuring ED-RRM on the Cisco Wireless LAN Controller (CLI)

Procedure

Step 1 Trigger spectrum event-driven radio resource management (RRM) to run when a Cisco CleanAir-enabled access point detects a significant level of interference by entering these commands:
ap dot11 {24ghz | 5ghz} rrm channel cleanair-event--Configures CleanAir-driven RRM parameters for the 802.11 Cisco lightweight access points.
ap dot11 {24ghz | 5ghz} rrm channel cleanair-event sensitivity {low | medium | high | custom}--Configures CleanAir-driven RRM sensitivity for the 802.11 Cisco lightweight access points. The default selection is Medium.
ap dot11 {24ghz | 5ghz} rrm channel cleanair-event custom-threshold custom-threshold-value--Triggers the ED-RRM event at the set threshold value. The custom threshold values range from 1 to 99.
ap dot11 {24ghz | 5ghz} rrm channel cleanair-event rogue-contribution--Enables rogue contribution.
ap dot11 {24ghz | 5ghz} rrm channel cleanair-event rogue-contribution duty-cycle threshold-value--Configures the threshold value for rogue contribution. The valid range is from 1 to 99, with 80 as the default.

Step 2 Save your changes by entering this command:
write memory

Step 3 See the CleanAir configuration for the 802.11a/n/ac or 802.11b/g/n network by entering this command:
show ap dot11 {24ghz | 5ghz} cleanair config
Information similar to the following appears:

CleanAir Solution................................ : Enabled
Air Quality Settings:
    Air Quality Reporting........................ : Enabled
    Air Quality Reporting Period (min)........... : 15
    Air Quality Alarms........................... : Disabled
    Air Quality Alarm Threshold.................. : 10
    Unclassified Interference.................... : Disabled
    Unclassified Severity Threshold.............. : 35
Interference Device Settings:
    Interference Device Reporting................ : Enabled
        BLE Beacon............................... : Enabled
        Bluetooth Link........................... : Enabled
        Microwave Oven........................... : Enabled
        802.11 FH................................ : Enabled
        Bluetooth Discovery...................... : Enabled
        TDD Transmitter.......................... : Enabled
        Jammer................................... : Enabled
        Continuous Transmitter................... : Enabled
        DECT-like Phone.......................... : Enabled
        Video Camera............................. : Enabled
        802.15.4................................. : Enabled
        WiFi Inverted............................ : Enabled
        WiFi Invalid Channel..................... : Enabled
        SuperAG.................................. : Enabled
        Canopy................................... : Enabled
        Microsoft Device......................... : Enabled
        WiMax Mobile............................. : Enabled
        WiMax Fixed.............................. : Enabled
    Interference Device Types Triggering Alarms:
        BLE Beacon............................... : Disabled
        Bluetooth Link........................... : Disabled
        Microwave Oven........................... : Disabled
        802.11 FH................................ : Disabled
        Bluetooth Discovery...................... : Disabled
        TDD Transmitter.......................... : Disabled
        Jammer................................... : Disabled
        Continuous Transmitter................... : Disabled
        DECT-like Phone.......................... : Disabled
        Video Camera............................. : Disabled
        802.15.4................................. : Disabled
        WiFi Inverted............................ : Enabled
        WiFi Invalid Channel..................... : Enabled
        SuperAG.................................. : Disabled
        Canopy................................... : Disabled
        Microsoft Device......................... : Disabled
        WiMax Mobile............................. : Disabled
        WiMax Fixed.............................. : Disabled
    Interference Device Alarms................... : Disabled
Additional Clean Air Settings:
    CleanAir Event-driven RRM State.............. : Disabled
    CleanAir Driven RRM Sensitivity.............. : LOW
    CleanAir Driven RRM Sensitivity Level........ : 35
    CleanAir Event-driven RRM Rogue Option....... : Disabled
    CleanAir Event-driven RRM Rogue Duty Cycle... : 80
    CleanAir Persistent Devices state............ : Disabled
    CleanAir Persistent Device Propagation....... : Disabled
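The dotted-leader output of show ap dot11 {24ghz | 5ghz} cleanair config can be checked mechanically after the procedure has been applied and saved. The Python below is an added example, not Cisco code: it parses that layout into sections and flags ED-RRM settings that contradict Step 1 (event-driven RRM still Disabled, a sensitivity level or rogue duty cycle outside the documented 1 to 99 range). The sample text is a constructed excerpt that reuses field names and values from the output above; the indentation that marks nesting is assumed, and the "General" section name is the parser's own label for rows above the first section header.

```python
"""Parse and check 'show ap dot11 {24ghz | 5ghz} cleanair config' output.

Added example, not Cisco code. The parser is flat: each "Section:" row opens a
new section and nesting depth is not tracked, which suffices for the fields
checked here.
"""
import re
from typing import Dict, List, Optional

# "Key........ : Value" rows. Keys may contain single dots (802.11 FH, 802.15.4),
# so the leader must be a run of at least three dots.
LEADER_ROW = re.compile(r"^\s*(?P<key>.+?)\.{3,}\s*:\s*(?P<value>.*?)\s*$")
# "Section Name:" rows carry no value and no dotted leader.
SECTION_ROW = re.compile(r"^\s*(?P<name>[^.]+?):\s*$")

# Constructed excerpt: field names and values come from the output shown on
# this page; the indentation that marks nesting is assumed.
SAMPLE_OUTPUT = """\
CleanAir Solution................................ : Enabled
Air Quality Settings:
    Air Quality Reporting........................ : Enabled
    Air Quality Reporting Period (min)........... : 15
    Air Quality Alarms........................... : Disabled
    Air Quality Alarm Threshold.................. : 10
Interference Device Settings:
    Interference Device Reporting................ : Enabled
        802.11 FH................................ : Enabled
        802.15.4................................. : Enabled
        Jammer................................... : Enabled
    Interference Device Types Triggering Alarms:
        Jammer................................... : Disabled
        WiFi Invalid Channel..................... : Enabled
Additional Clean Air Settings:
    CleanAir Event-driven RRM State.............. : Disabled
    CleanAir Driven RRM Sensitivity.............. : LOW
    CleanAir Driven RRM Sensitivity Level........ : 35
    CleanAir Event-driven RRM Rogue Option....... : Disabled
    CleanAir Event-driven RRM Rogue Duty Cycle... : 80
"""


def parse_cleanair_config(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {key: value}}; rows before the first header go to 'General'."""
    sections: Dict[str, Dict[str, str]] = {"General": {}}
    current = "General"
    for line in text.splitlines():
        if not line.strip():
            continue
        row = LEADER_ROW.match(line)
        if row:
            sections[current][row.group("key").strip()] = row.group("value")
            continue
        header = SECTION_ROW.match(line)
        if header:
            current = header.group("name").strip()
            sections.setdefault(current, {})
    return sections


def _in_range(value: Optional[str], low: int, high: int) -> bool:
    """True when value is an integer within [low, high]; missing or non-numeric text fails."""
    return value is not None and value.lstrip("-").isdigit() and low <= int(value) <= high


def edrrm_findings(cfg: Dict[str, Dict[str, str]]) -> List[str]:
    """Flag ED-RRM settings that contradict the Step 1 commands above.

    An empty list means the 'Additional Clean Air Settings' section looks as
    expected once the cleanair-event commands have been entered and saved.
    """
    findings: List[str] = []
    if cfg.get("General", {}).get("CleanAir Solution") != "Enabled":
        findings.append("CleanAir Solution is not Enabled; ED-RRM cannot trigger")
    ed = cfg.get("Additional Clean Air Settings", {})
    if ed.get("CleanAir Event-driven RRM State") != "Enabled":
        findings.append("CleanAir Event-driven RRM State is not Enabled "
                        "(rrm channel cleanair-event not applied, or not saved with write memory)")
    level = ed.get("CleanAir Driven RRM Sensitivity Level")
    if not _in_range(level, 1, 99):  # custom-threshold range documented above
        findings.append(f"CleanAir Driven RRM Sensitivity Level {level!r} is outside 1..99")
    if ed.get("CleanAir Event-driven RRM Rogue Option") == "Enabled":
        duty = ed.get("CleanAir Event-driven RRM Rogue Duty Cycle")
        if not _in_range(duty, 1, 99):  # rogue-contribution duty-cycle range documented above
            findings.append(f"CleanAir Event-driven RRM Rogue Duty Cycle {duty!r} is outside 1..99")
    return findings


if __name__ == "__main__":
    for finding in edrrm_findings(parse_cleanair_config(SAMPLE_OUTPUT)):
        print("FINDING:", finding)
```

On the sample the single finding is the Disabled event-driven RRM state, which is what the output on this page shows before the Step 1 commands take effect.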

Chapter 38

Coverage Hole Detection

· Coverage Hole Detection and Correction, on page 413
Coverage Hole Detection and Correction
The RRM coverage hole detection algorithm can detect areas of radio coverage in a wireless LAN that are below the level needed for robust radio performance. This feature can alert you to the need for an additional (or relocated) lightweight access point. If clients on a lightweight access point are detected at threshold levels (RSSI, failed client count, percentage of failed packets, and number of failed packets) lower than those specified in the RRM configuration, the access point sends a "coverage hole" alert to the device. The alert indicates the existence of an area where clients are continually experiencing poor signal coverage, without having a viable access point to which to roam. The device discriminates between coverage holes that can and cannot be corrected. For coverage holes that can be corrected, the device mitigates the coverage hole by increasing the transmit power level for that specific access point. The device does not mitigate coverage holes caused by clients that are unable to increase their transmit power or are statically set to a power level because increasing their downstream transmit power might increase interference in the network.
Configuring Coverage Hole Detection (GUI)
Follow the procedure given below to configure client accounting.
Procedure

Step 1 Click Configuration > Radio Configurations > RRM. On this page, you can configure Radio Resource Management parameters for 802.11a/n/ac (5 GHz) and 802.11b/g/n (2.4 GHz) radios, and flexible radio assignment parameters.
Step 2 Check the Enable Coverage Hole Detection check box. Enables coverage hole detection.

Configuring Coverage Hole Detection (CLI)

Coverage Hole Detection (CHD) is based on upstream RSSI metrics observed by the AP. Follow the procedure given below to configure CHD:

Before you begin
Disable the 802.11 network before applying the configuration.

Procedure

Step 1
ap dot11 {24ghz | 5ghz} rrm coverage
Example:
Device(config)# ap dot11 24ghz rrm coverage
Purpose: Configures the 802.11 coverage level for data packets. Use the no form of the command to disable CHD.

Step 2
ap dot11 {24ghz | 5ghz} rrm coverage data {fail-percentage | packet-count | rssi-threshold}
Example:
Device(config)# ap dot11 24ghz rrm coverage data fail-percentage 60
Purpose: Configures the 802.11 coverage level for data packets.
· fail-percentage: Configures the 802.11 coverage failure-rate threshold for uplink data packets as a percentage. The range is 1 to 100 percent.
· packet-count: Configures the 802.11 coverage minimum failure count threshold for uplink data packets. The range is 1 to 255.
· rssi-threshold: Configures the 802.11 minimum receive coverage level for data packets. The range is -90 to -60 dBm.

Step 3
ap dot11 {24ghz | 5ghz} rrm coverage exception global exception_level
Example:
Device(config)# ap dot11 24ghz rrm coverage exception global 50
Purpose: Configures the 802.11 Cisco AP coverage exception level as a percentage. The range is 0 to 100 percent.

Step 4
ap dot11 {24ghz | 5ghz} rrm coverage level global cli_min_exception_level
Example:
Device(config)# ap dot11 24ghz rrm coverage level global 10
Purpose: Configures the 802.11 Cisco AP client minimum exception level. The range is 1 to 75 clients.

Step 5
ap dot11 {24ghz | 5ghz} rrm coverage voice {fail-percentage | packet-count | rssi-threshold}
Example:
Device(config)# ap dot11 24ghz rrm coverage voice packet-count 10
Purpose: Configures the 802.11 coverage hole detection for voice packets.
· fail-percentage: Configures the 802.11 coverage failure-rate threshold for uplink voice packets as a percentage. The range is 1 to 100 percent.
· packet-count: Configures the 802.11 coverage minimum failure count threshold for uplink voice packets. The range is 1 to 255.
· rssi-threshold: Configures the 802.11 minimum receive coverage level for voice packets. The range is -90 to -60 dBm.

Step 6
end
Example:
Device(config)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Step 7
show ap dot11 {24ghz | 5ghz} coverage
Example:
Device# show ap dot11 5ghz coverage
Purpose: Displays the CHD details.

Note If both the number and percentage of failed packets exceed the values entered in the packet-count and fail-rate commands for a 5-second period, the client is considered to be in a pre-alarm condition. The controller uses this information to distinguish between real and false coverage holes. False positives are generally due to the poor roaming logic implemented on most clients. A coverage hole is detected if both the number and percentage of failed clients meet or exceed the values entered in the coverage level global and coverage exception global commands over a 90-second period. The controller determines if the coverage hole can be corrected and, if appropriate, mitigates the coverage hole by increasing the transmit power level for that specific access point.
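The two-stage decision in the Note (per-client pre-alarm over a 5-second period, then the AP-level check over a 90-second period) is modelled below in Python. This is an added example, not controller code: the uplink RSSI samples and the packet-count and fail-percentage values are constructed, while the -80 dBm RSSI threshold, the 3-client minimum and the 25 percent exception level are the GUI defaults given on this page.

```python
"""Model of the RRM coverage hole detection (CHD) decision described in the Note.

Added example, not controller code. It applies the documented thresholds to
constructed per-client uplink RSSI samples to show which clients enter the
pre-alarm state and whether the AP as a whole reports a coverage hole.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ChdThresholds:
    """Thresholds set by the CLI commands above; RSSI, client and percent defaults are the page's GUI defaults."""
    rssi_threshold_dbm: int = -80   # rrm coverage data rssi-threshold: -90 to -60 dBm
    packet_count: int = 10          # rrm coverage data packet-count: 1 to 255 (constructed value)
    fail_percentage: int = 20       # rrm coverage data fail-percentage: 1 to 100 (constructed value)
    min_failed_clients: int = 3     # rrm coverage level global: 1 to 75 clients, default 3
    exception_percent: int = 25     # rrm coverage exception global: 0 to 100 percent, default 25

    def __post_init__(self) -> None:
        # Reject values outside the CLI ranges documented on this page.
        checks = (
            (-90 <= self.rssi_threshold_dbm <= -60, "rssi-threshold must be -90..-60 dBm"),
            (1 <= self.packet_count <= 255, "packet-count must be 1..255"),
            (1 <= self.fail_percentage <= 100, "fail-percentage must be 1..100"),
            (1 <= self.min_failed_clients <= 75, "coverage level global must be 1..75"),
            (0 <= self.exception_percent <= 100, "coverage exception global must be 0..100"),
        )
        for ok, message in checks:
            if not ok:
                raise ValueError(message)


def client_in_prealarm(rssi_samples_dbm: List[int], t: ChdThresholds) -> bool:
    """Evaluate one client over one 5-second window of uplink data packets.

    A packet fails when it is received below the RSSI threshold. The client is
    in pre-alarm only when BOTH the failed-packet count and the failure
    percentage exceed packet-count and fail-percentage, as the Note states.
    """
    if not rssi_samples_dbm:
        return False
    failed = sum(1 for rssi in rssi_samples_dbm if rssi < t.rssi_threshold_dbm)
    failed_pct = 100.0 * failed / len(rssi_samples_dbm)
    return failed > t.packet_count and failed_pct > t.fail_percentage


def coverage_hole_detected(prealarm_by_client: Dict[str, bool], t: ChdThresholds) -> bool:
    """AP-level decision over the 90-second evaluation period.

    A coverage hole is reported only when BOTH the number and the percentage of
    pre-alarm clients meet or exceed coverage level global and coverage
    exception global. Requiring both keeps a single client with poor roaming
    logic (the usual false positive) from triggering a transmit power increase.
    """
    total = len(prealarm_by_client)
    if total == 0:
        return False
    failed = sum(1 for in_prealarm in prealarm_by_client.values() if in_prealarm)
    return failed >= t.min_failed_clients and 100.0 * failed / total >= t.exception_percent


def evaluate_ap(samples: Dict[str, List[int]], t: ChdThresholds) -> Tuple[Dict[str, bool], bool]:
    """Run both stages for one AP radio and return (per-client pre-alarm, hole detected)."""
    prealarm = {client: client_in_prealarm(rssi, t) for client, rssi in samples.items()}
    return prealarm, coverage_hole_detected(prealarm, t)


# Constructed uplink RSSI samples (dBm) for six clients on one radio.
SAMPLE_WINDOW: Dict[str, List[int]] = {
    "c1": [-85] * 15 + [-70] * 15,   # 15 of 30 below -80: count and percentage both exceeded
    "c2": [-88] * 12 + [-65] * 18,   # 12 of 30 below -80: pre-alarm
    "c3": [-85] * 15 + [-60] * 85,   # 15 of 100 fail, but only 15 percent (percentage guard)
    "c4": [-90] * 8,                 # 100 percent fail, but only 8 packets (count guard)
    "c5": [-70] * 30,                # healthy client
    "c6": [-85] * 20 + [-75] * 10,   # 20 of 30 below -80: pre-alarm
}

if __name__ == "__main__":
    per_client, hole = evaluate_ap(SAMPLE_WINDOW, ChdThresholds())
    print(per_client)
    print("coverage hole detected:", hole)   # c1, c2, c6 = 3 of 6 clients (50 percent) -> True
```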

Configuring CHD for RF Tag Profile (GUI)

Procedure

Step 1 Choose Configuration > Radio Configurations > RRM.
Step 2 On the Coverage tab, select the Enable Coverage Hole Detection check box.
Step 3 In the Data Packet Count field, enter the number of data packets.
Step 4 In the Data Packet Percentage field, enter the percentage of data packets.
Step 5 In the Data RSSI Threshold field, enter the actual value in dBm. The value ranges from -60 dBm to -90 dBm; the default value is -80 dBm.
Step 6 In the Voice Packet Count field, enter the number of voice data packets.
Step 7 In the Voice Packet Percentage field, enter the percentage of voice data packets.
Step 8 In the Voice RSSI Threshold field, enter the actual value in dBm. The value ranges from -60 dBm to -90 dBm; the default value is -80 dBm.
Step 9 In the Minimum Failed Client per AP field, enter the minimum number of clients on an AP with a signal-to-noise ratio (SNR) below the coverage threshold. The value ranges from 1 to 75, and the default value is 3.
Step 10 In the Percent Coverage Exception Level per AP field, enter the maximum desired percentage of clients on an access point's radio operating below the desired coverage threshold and click Apply. The value ranges from 0 to 100 percent, and the default value is 25 percent.
Step 11 Click Apply.

Configuring CHD for RF Profile (CLI)

Follow the procedure given below to configure Coverage Hole Detection (CHD) for an RF profile.

Before you begin
Ensure that the RF profile is already created.

Procedure

Step 1
configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
ap dot11 {24ghz | 5ghz} rf-profile rf-profile-tag
Example:
Device(config)# ap dot11 24ghz rf-profile alpha-rfprofile-24ghz
Purpose: Configures the 802.11 coverage hole detection for data packets.

Step 3
coverage data rssi threshold threshold-value
Example:
Device(config-rf-profile)# coverage data rssi threshold -80
Purpose: Configures the minimum RSSI value for data packets received by the access point. Valid values range from -90 to -60 dBm.

Step 4
end
Example:
Device(config-rf-profile)# end
Purpose: Returns to privileged EXEC mode.

Step 5
show ap dot11 24ghz rf-profile summary
Example:
Device# show ap dot11 24ghz rf-profile summary
Purpose: Displays a summary of the available RF profiles.

Chapter 39

Optimized Roaming

· Optimized Roaming, on page 419
· Restrictions for Optimized Roaming, on page 419
· Configuring Optimized Roaming (GUI), on page 420
· Configuring Optimized Roaming (CLI), on page 420
Optimized Roaming
Optimized roaming resolves the problem of sticky clients that remain associated to access points that are far away and outbound clients that attempt to connect to a Wi-Fi network without having a stable connection. This feature disassociates clients based on the RSSI of the client data packets and data rate. The client is disassociated if the RSSI alarm condition is met and the current data rate of the client is lower than the optimized roaming data rate threshold. You can disable the data rate option so that only RSSI is used for disassociating clients.

Optimized roaming also prevents client association when the client's RSSI is low. This feature checks the RSSI of the incoming client against the RSSI threshold. This check prevents the clients from connecting to a Wi-Fi network unless the client has a viable connection. In many scenarios, even though clients can hear beacons and connect to a Wi-Fi network, the signal might not be strong enough to support a stable connection.

You can also configure the client coverage reporting interval for a radio by using optimized roaming. The client coverage statistics include data packet RSSIs, Coverage Hole Detection and Mitigation (CHDM) prealarm failures, retransmission requests, and current data rates.

Optimized roaming is useful in the following scenarios:
· Addresses the sticky client challenge by proactively disconnecting clients.
· Actively monitors data RSSI packets.
· Disassociates the client when the RSSI is lower than the set threshold.
This section contains the following subsections:
Restrictions for Optimized Roaming
· You cannot configure the optimized roaming interval until you disable the 802.11a/b network.
· When a basic service set (BSS) transition is sent to 802.11v-capable clients, and the clients have not transitioned to another BSS before the disconnect timer expires, the corresponding client is disconnected forcefully. BSS transition is enabled by default for 802.11v-capable clients.
· The Cisco Catalyst 9800 controller increments the 80211v smart roam failed counter while disconnecting the client due to optimized roaming.
· We recommend that you do not use the optimized roaming feature with RSSI low check.

Configuring Optimized Roaming (GUI)

Procedure

Step 1 Choose Configuration > Wireless > Advanced.
Step 2 On the Advanced page, click the relevant band's tab: either 5 GHz Band or 2.4 GHz Band.
Step 3 Check the Optimized Roaming Mode check box to enable the feature.
Step 4 Choose the required Optimized Roaming Data Rate Threshold. The threshold value options are different for 802.11a and 802.11b networks.
Optimized roaming disassociates clients based on the RSSI of the client data packet and data rate. The client is disassociated if the current data rate of the client is lower than the Optimized Roaming Data Rate Threshold.
Step 5 Click Apply to save the configuration.

Configuring Optimized Roaming (CLI)

Procedure

Step 1
ap dot11 5ghz rrm optimized-roam
Purpose: Configures 802.11a or 802.11b optimized roaming. By default, optimized roaming is disabled.

Step 2
ap dot11 5ghz rrm optimized-roam data-rate-threshold mbps
Purpose: Configures the threshold data rate for 802.11a networks. For 802.11a, the configurable data rates are 1, 2, 6, 9, 12, 18, 24, 36, 48, and 54. You can configure DISABLE to disable the data rate.

Step 3
show wireless statistics ap dot11 5ghz optimized-roaming statistics
Purpose: Displays optimized roaming statistics for each band.

Chapter 40

Cisco Flexible Radio Assignment

· Information About Flexible Radio Assignment, on page 421
· Configuring an FRA Radio (CLI), on page 422
· Configuring an FRA Radio (GUI), on page 424

Information About Flexible Radio Assignment

Flexible Radio Assignment (FRA) takes advantage of the dual-band radios included in APs. FRA is a new feature added to RRM to analyze the Neighbor Discovery Protocol (NDP) measurements, which manages the hardware used to determine the role of the new flexible radio (2.4 GHz, 5 GHz, or monitor) in your network. Traditional legacy dual-band APs always had two radio slots (one slot per band) and were organized by the band they were serving, that is, slot 0 = 802.11b/g/n and slot 1 = 802.11a/n/ac.

XOR Support in 2.4-GHz or 5-GHz Bands

The flexible radio (XOR) offers the ability to serve the 2.4-GHz or the 5-GHz band, or to passively monitor both bands on the same AP. The AP models that are offered are designed to support dual 5-GHz band operation, with the Cisco AP i models supporting a dedicated Macro/Micro architecture, and the e and p models supporting a Macro/Macro architecture. When using FRA with the internal antenna (i series models), two 5-GHz radios can be used in a Micro/Macro cell mode. When using FRA with an external antenna (e and p models), the antennas may be placed to enable the creation of two completely separate macro cells (wide-area cells) or two micro cells (small cells) for HDX, or any combination.

FRA calculates and maintains a measurement of redundancy for 2.4-GHz radios and represents this as a new measurement metric called the Coverage Overlap Factor (COF). This feature is integrated into existing RRM and runs in mixed environments with legacy APs. The AP MODE selection sets the entire AP (slot 0 and slot 1) into one of several operating modes, including:
· Local Mode
· Monitor Mode
· FlexConnect Mode
· Sniffer Mode
· Spectrum Connect Mode

Before XOR was introduced, changing the mode of an AP propagated the change to the entire AP, that is, both radio slot 0 and slot 1. The addition of the XOR radio in the slot 0 position provides the ability to operate a single radio interface in many of the previous modes, eliminating the need to place the whole AP into a mode. When this concept is applied to a single radio level, it is called a role. Three such roles can be assigned now:
· Client Serving
· Either 2.4 GHz (1) or 5 GHz (2)
· Monitor-Monitor mode (3)

Note
· MODE: Assigned to a whole AP (slot 0 and slot 1)
· ROLE: Assigned to a single radio interface (slot 0)

Benefits of the FRA

· Solves the problem of 2.4-GHz over coverage.
· Creating two diverse 5-GHz cells doubles the airtime that is available.
· Permits one AP with one Ethernet drop to function like two 5-GHz APs.
· Introduces the concept of Macro/Micro cells for airtime efficiency.
· Allows more bandwidth to be applied to an area within a larger coverage cell.
· Can be used to address nonlinear traffic.
· Enhances the High-Density Experience (HDX) with one AP.
· The XOR radio can be selected by the corresponding user in either band-servicing client mode or monitor mode.

Configuring an FRA Radio (CLI)

Procedure Step 1 Step 2

Command or Action enable Example:
Device# enable
configure terminal Example:
Device# configure terminal

Purpose Enters privileged EXEC mode.
Enters global configuration mode.

Cisco Catalyst 9800 Series Wireless Controller Software Configuration Guide, Cisco IOS XE Bengaluru 17.5.x 422

Radio Resource Management

Configuring an FRA Radio (CLI)

Step 3
Command or Action: [no] ap fra
Example:
Device(config)# [no] ap fra
Purpose: Enables or disables FRA on the AP.

Step 4
Command or Action: ap fra interval
Example:
Device(config)# ap fra interval 3
Purpose: Configures the FRA interval in hours. The range is 1 to 24 hours.
Note The FRA interval has to be more than the configured RRM interval.

Step 5
Command or Action: ap fra sensitivity {high | medium | low}
Example:
Device(config)# ap fra sensitivity high
Purpose: Configures the FRA sensitivity.
· high: Sets the FRA Coverage Overlap Sensitivity to high.
· medium: Sets the FRA Coverage Overlap Sensitivity to medium.
· low: Sets the FRA Coverage Overlap Sensitivity to low.

Step 6
Command or Action: end
Example:
Device(config)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Step 7
Command or Action: ap fra revert {all | auto-only} {auto | static}
Example:
Device# ap fra revert all auto
Purpose: Rolls back the XOR radio state.
· all: Reverts all XOR radios.
· auto-only: Reverts only the XOR radios currently in automatic band selection.
· auto: Sets the XOR radios to automatic band selection.
· static: Sets the XOR radio to the static 2.4-GHz band.

Step 8
Command or Action: show ap dot11 {24ghz | 5ghz} summary
Example:
Device# show ap dot11 5ghz summary
Purpose: Shows the configuration and statistics of 802.11 Cisco APs.

Step 9
Command or Action: show ap fra
Example:
Device# show ap fra
FRA State              : Disabled
FRA Sensitivity        : medium (95%)
FRA Interval           : 1 Hour(s)

AP Name           MAC Address     Slot ID  Current-Band  COF %  Suggested Mode
-------------------------------------------------------------------------------------------
AP00A6.CA36.295A  006b.f09c.8290  0        2.4GHz        None   2.4GHz

COF : Coverage Overlap Factor

test_machine#
Purpose: Shows the current FRA configuration.

Step 10
Command or Action: show ap name ap-name config dot11 dual-band
Example:
Device# show ap name config dot11 dual-band
Purpose: Shows the current 802.11 dual-band parameters in a given AP.
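As an added example (not code from the guide or from Cisco), the following Python checks a proposed FRA configuration against the constraints stated in Steps 4 and 5 and parses the show ap fra output of Step 9 into records, so the radios FRA would reassign can be picked out before its next run. The sample output is constructed in the guide's layout, the second AP row is invented, and the rule that a radio is redundant when its COF reaches the sensitivity percentage is taken from the GUI description of FRA Sensitivity rather than stated in this procedure.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# COF percentage at which a radio is considered redundant for each
# sensitivity level, as listed in the FRA GUI procedure of this guide.
SENSITIVITY_COF = {"low": 100, "medium": 95, "high": 90}


def validate_fra_settings(fra_interval_hours: int, rrm_interval_hours: int,
                          sensitivity: str) -> List[str]:
    """Return the documented constraints a proposed FRA configuration violates.

    The guide requires the interval to be 1-24 hours and greater than the
    configured RRM interval, and the sensitivity to be high, medium or low.
    """
    problems = []
    if not 1 <= fra_interval_hours <= 24:
        problems.append(f"FRA interval {fra_interval_hours}h is outside 1-24 hours")
    if fra_interval_hours <= rrm_interval_hours:
        problems.append(f"FRA interval {fra_interval_hours}h must exceed the "
                        f"RRM interval {rrm_interval_hours}h")
    if sensitivity not in SENSITIVITY_COF:
        problems.append(f"unknown FRA sensitivity {sensitivity!r}")
    return problems


@dataclass
class FraRadio:
    ap_name: str
    mac: str
    slot: int
    current_band: str
    cof_percent: Optional[int]   # None when the controller prints "None"
    suggested_mode: str


# Constructed sample in the layout of 'show ap fra'; the first row is the one
# printed in the guide, the second row is invented for this example.
SAMPLE_SHOW_AP_FRA = """\
FRA State              : Enabled
FRA Sensitivity        : medium (95%)
FRA Interval           : 1 Hour(s)

AP Name           MAC Address     Slot ID  Current-Band  COF %  Suggested Mode
-------------------------------------------------------------------------------------------
AP00A6.CA36.295A  006b.f09c.8290  0        2.4GHz        None   2.4GHz
AP-LAB-02         0011.2233.4455  0        2.4GHz        97     5GHz

COF : Coverage Overlap Factor
"""

_STATE_RE = re.compile(r"\s*FRA (State|Sensitivity|Interval)\s*:\s*(.+)")
_ROW_RE = re.compile(r"\s*(\S+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
                     r"\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_show_ap_fra(text: str) -> Tuple[Dict[str, str], List[FraRadio]]:
    """Split 'show ap fra' output into the global state and the per-radio rows."""
    state: Dict[str, str] = {}
    radios: List[FraRadio] = []
    for line in text.splitlines():
        m = _STATE_RE.match(line)
        if m:
            state[m.group(1).lower()] = m.group(2).strip()
            continue
        m = _ROW_RE.match(line)
        if m:
            ap, mac, slot, band, cof, mode = m.groups()
            radios.append(FraRadio(ap, mac, int(slot), band,
                                   None if cof == "None" else int(cof), mode))
    return state, radios


def redundant_radios(radios: List[FraRadio], sensitivity: str) -> List[FraRadio]:
    """Radios whose COF reaches the sensitivity threshold and whose suggested
    mode differs from the current band, i.e. the ones FRA would reassign on
    its next run (assumption: COF >= threshold is the redundancy test)."""
    threshold = SENSITIVITY_COF[sensitivity]
    return [r for r in radios
            if r.cof_percent is not None and r.cof_percent >= threshold
            and r.suggested_mode != r.current_band]


if __name__ == "__main__":
    print(validate_fra_settings(3, 1, "high"))
    state, radios = parse_show_ap_fra(SAMPLE_SHOW_AP_FRA)
    print(state, [r.ap_name for r in redundant_radios(radios, "medium")])
```

Feeding the parser the real command output (for instance captured over SSH) gives the same records; a radio reported with a COF of None has not yet been measured and is left out of the redundancy list rather than treated as zero.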

Configuring an FRA Radio (GUI)
Procedure

Step 1
Choose Configuration > Radio Configurations > RRM > FRA.

Step 2
In the Flexible Radio Assignment window, choose Enabled in the FRA Status field to enable FRA and determine the overlapping 2.4-GHz or 5-GHz coverage for each AP. By default, the FRA status is disabled.

Step 3
From the FRA Interval drop-down list, choose the FRA run interval. The interval values range from 1 hour to 24 hours. You can choose the FRA run interval value only after you enable the FRA status.

Step 4
From the FRA Sensitivity drop-down list, choose the percentage of Coverage Overlap Factor (COF) required to consider a radio as redundant. You can select the supported value only after you enable the FRA status.
The supported values are as follows:
· Low: 100 percent
· Medium (default): 95 percent
· High: 90 percent
The Last Run and Last Run Time fields show when FRA was last run.

Step 5
Check the Client Aware check box to take decisions on redundancy.
When enabled, the Client Aware feature monitors the dedicated 5-GHz radio and, when the client load passes a pre-set threshold, automatically changes the Flexible Radio assignment from a monitor role into a 5-GHz role, effectively doubling the capacity of the cell on demand. Once the capacity crisis is over and the Wi-Fi load returns to normal, the radios resume their previous roles.


Step 6
In the Client Select field, enter a value for client selection. The valid values range between 0 and 100 percent. The default value is 50 percent.
This means that if the dedicated 5-GHz interface reaches 50% channel utilization, the monitor-role dual-band interface transitions to a 5-GHz client-serving role.

Step 7
In the Client Reset field, enter a reset value for the client. The valid values range between 0 and 100 percent. The default value is 5 percent.
Once the AP is operating as a dual 5-GHz AP, this setting indicates the reduction in the combined radios' overall channel utilization required to reset the dual-band radio to monitor role.

Step 8
Click Apply to save the configuration.
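The Client Aware thresholds in Steps 5 through 7 behave as a hysteresis loop. The Python below, added here and not part of the guide, models it: the dual-band radio leaves monitor role when the dedicated 5-GHz radio's channel utilization reaches Client Select and returns once the combined utilization has dropped by Client Reset. The arithmetic of "combined utilization" (the mean of the two radios) and of the reset point (Client Select minus Client Reset) are assumptions for this example; the utilization samples are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


def client_aware_settings_valid(client_select: int, client_reset: int) -> bool:
    """Both fields accept 0-100 percent according to the guide."""
    return 0 <= client_select <= 100 and 0 <= client_reset <= 100


@dataclass
class ClientAwareRadio:
    """State machine for the Client Aware decision on an XOR radio.

    client_select: channel utilization (%) on the dedicated 5-GHz radio at
        which the monitor-role dual-band radio becomes a second 5-GHz
        client-serving radio (guide default 50).
    client_reset: how far (in percentage points) the combined utilization
        must drop before the dual-band radio returns to monitor role (guide
        default 5). Assumption: the reset point is client_select minus
        client_reset, measured on the mean utilization of the two 5-GHz
        radios; the guide does not spell out the arithmetic.
    """
    client_select: int = 50
    client_reset: int = 5
    role: str = "monitor"
    history: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not client_aware_settings_valid(self.client_select, self.client_reset):
            raise ValueError("Client Select and Client Reset must be 0-100 percent")

    def observe(self, dedicated_5ghz_util: float, dual_band_util: float = 0.0) -> str:
        """Feed one utilization sample and return the role after the decision."""
        if self.role == "monitor":
            if dedicated_5ghz_util >= self.client_select:
                self.role = "client-serving"
        else:
            combined = (dedicated_5ghz_util + dual_band_util) / 2
            if combined <= self.client_select - self.client_reset:
                self.role = "monitor"
        self.history.append(self.role)
        return self.role


def simulate_client_aware(samples: List[Tuple[float, float]],
                          client_select: int = 50, client_reset: int = 5) -> List[str]:
    """Run a sequence of (dedicated 5-GHz util, dual-band util) samples and
    return the role after each one."""
    radio = ClientAwareRadio(client_select=client_select, client_reset=client_reset)
    for dedicated, dual in samples:
        radio.observe(dedicated, dual)
    return radio.history


if __name__ == "__main__":
    # Constructed utilization samples (percent): load builds on the dedicated
    # radio, the dual-band radio takes part of it, then the load subsides.
    print(simulate_client_aware([(30, 0), (52, 0), (50, 44), (40, 20)]))
```

The gap between the two thresholds is what keeps the radio from flapping between roles when utilization hovers around Client Select; setting Client Reset to 0 removes that gap.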


CHAPTER 41
XOR Radio Support
· Information About Dual-Band Radio Support, on page 427
· Configuring Default XOR Radio Support, on page 428
· Configuring XOR Radio Support for the Specified Slot Number (GUI), on page 430
· Configuring XOR Radio Support for the Specified Slot Number, on page 430
Information About Dual-Band Radio Support
The Dual-Band (XOR) radio in Cisco 2800, 3800, 4800, and 9120 series AP models offers the ability to serve the 2.4-GHz or 5-GHz band, or to passively monitor both bands, on the same AP. These APs can be configured to serve clients in the 2.4-GHz and 5-GHz bands, or to serially scan both the 2.4-GHz and 5-GHz bands on the flexible radio while the main 5-GHz radio serves clients. Cisco AP models up to and including the Cisco 9120 APs are designed to support dual 5-GHz band operation, with the i model supporting a dedicated Macro/Micro architecture and the e and p models supporting Macro/Macro. The Cisco 9130AXI APs and the Cisco 9136 APs support dual 5-GHz operation as a Micro/Messo cell. When a radio moves between bands (from 2.4 GHz to 5 GHz and vice versa), clients need to be steered to get an optimal distribution across radios. When an AP has two radios in the 5-GHz band, the client steering algorithms contained in the Flexible Radio Assignment (FRA) algorithm are used to steer a client between the co-resident radios in the same band. The XOR radio can be steered manually or automatically:
· Manual steering of a band on a radio: The band on the XOR radio can only be changed manually.
· Automatic client and band steering on the radios is managed by the FRA feature, which monitors and changes the band configurations as per site requirements.

Note RF measurement will not run when a static channel is configured on slot 1. Due to this, the dual-band radio on slot 0 will move only with the 5-GHz radio and not to monitor mode. When the slot 1 radio is disabled, RF measurement will not run, and the dual-band radio on slot 0 will be on the 2.4-GHz radio only.

Note Only one of the 5-GHz radios can operate in the UNII band (100 - 144), due to an AP limitation to keep the power budget within the regulatory limit.
Configuring Default XOR Radio Support
Before you begin

Note The default radio points to the XOR radio hosted on slot 0.

Procedure

Step 1
Command or Action: enable
Example:
Device# enable
Purpose: Enters privileged EXEC mode.

Step 2
Command or Action: ap name ap-name dot11 dual-band antenna ext-ant-gain antenna_gain_value
Example:
Device# ap name ap-name dot11 dual-band antenna ext-ant-gain 2
Purpose: Configures the 802.11 dual-band antenna on a specific Cisco access point.
antenna_gain_value: The valid range is from 0 to 40.

Step 3
Command or Action: ap name ap-name [no] dot11 dual-band shutdown
Example:
Device# ap name ap-name dot11 dual-band shutdown
Purpose: Shuts down the default dual-band radio on a specific Cisco access point. Use the no form of the command to enable the radio.

Step 4
Command or Action: ap name ap-name dot11 dual-band role manual client-serving
Example:
Device# ap name ap-name dot11 dual-band role manual client-serving
Purpose: Switches to client-serving mode on the Cisco access point.

Step 5
Command or Action: ap name ap-name dot11 dual-band band 24ghz
Example:
Device# ap name ap-name dot11 dual-band band 24ghz
Purpose: Switches to the 2.4-GHz radio band.

Step 6
Command or Action: ap name ap-name dot11 dual-band txpower {transmit_power_level | auto}
Example:
Device# ap name ap-name dot11 dual-band txpower 2
Purpose: Configures the transmit power for the radio on a specific Cisco access point.
Note When an FRA-capable radio (for instance, slot 0 on a 9120 AP) is set to Auto, you cannot configure a static channel and Txpower on this radio. If you want to configure a static channel and Txpower on this radio, you will need to change the radio role to Manual Client-Serving mode.

Step 7
Command or Action: ap name ap-name dot11 dual-band channel channel-number
Example:
Device# ap name ap-name dot11 dual-band channel 2
Purpose: Enters the channel for the dual band.
channel-number: The valid range is from 1 to 173.

Step 8
Command or Action: ap name ap-name dot11 dual-band channel auto
Example:
Device# ap name ap-name dot11 dual-band channel auto
Purpose: Enables the auto channel assignment for the dual band.

Step 9
Command or Action: ap name ap-name dot11 dual-band channel width {20 MHz | 40 MHz | 80 MHz | 160 MHz}
Example:
Device# ap name ap-name dot11 dual-band channel width 20 MHz
Purpose: Chooses the channel width for the dual band.

Step 10
Command or Action: ap name ap-name dot11 dual-band cleanair
Example:
Device# ap name ap-name dot11 dual-band cleanair
Purpose: Enables the Cisco CleanAir feature on the dual-band radio.

Step 11
Command or Action: ap name ap-name dot11 dual-band cleanair band {24 GHz | 5 GHz}
Example:
Device# ap name ap-name dot11 dual-band cleanair band 5 GHz
Device# ap name ap-name [no] dot11 dual-band cleanair band 5 GHz
Purpose: Selects a band for the Cisco CleanAir feature. Use the no form of this command to disable the Cisco CleanAir feature.

Step 12
Command or Action: ap name ap-name dot11 dual-band dot11n antenna {A | B | C | D}
Example:
Device# ap name ap-name dot11 dual-band dot11n antenna A
Purpose: Configures the 802.11n dual-band parameters for a specific access point.

Step 13
Command or Action: show ap name ap-name auto-rf dot11 dual-band
Example:
Device# show ap name ap-name auto-rf dot11 dual-band
Purpose: Displays the auto-RF information for the Cisco access point.

Step 14
Command or Action: show ap name ap-name wlan dot11 dual-band
Example:
Device# show ap name ap-name wlan dot11 dual-band
Purpose: Displays the list of BSSIDs for the Cisco access point.

Configuring XOR Radio Support for the Specified Slot Number (GUI)
Procedure

Step 1
Click Configuration > Wireless > Access Points.

Step 2
In the Dual-Band Radios section, select the AP for which you want to configure dual-band radios.
The AP name, MAC address, CleanAir capability and slot information for the AP are displayed. If the Hyperlocation method is HALO, the antenna PID and antenna design information are also displayed.

Step 3
Click Configure.

Step 4
In the General tab, set the Admin Status as required.

Step 5
Set the CleanAir Admin Status field to Enable or Disable.

Step 6
Click Update & Apply to Device.

Configuring XOR Radio Support for the Specified Slot Number

Procedure

Step 1
Command or Action: enable
Example:
Device# enable
Purpose: Enters privileged EXEC mode.

Step 2
Command or Action: ap name ap-name dot11 dual-band slot 0 antenna ext-ant-gain external_antenna_gain_value
Example:
Device# ap name AP-SIDD-A06 dot11 dual-band slot 0 antenna ext-ant-gain 2
Purpose: Configures the dual-band antenna for the XOR radio hosted on slot 0 for a specific access point.
external_antenna_gain_value: The external antenna gain value in multiples of 0.5 dBi. The valid range is from 0 to 40.

Step 3
Command or Action: ap name ap-name dot11 dual-band slot 0 band {24ghz | 5ghz}
Example:
Device# ap name AP-SIDD-A06 dot11 dual-band slot 0 band 24ghz
Purpose: Configures the current band for the XOR radio hosted on slot 0 for a specific access point.

Step 4
Command or Action: ap name ap-name dot11 dual-band slot 0 channel {channel_number | auto | width [160 | 20 | 40 | 80]}
Example:
Device# ap name AP-SIDD-A06 dot11 dual-band slot 0 channel 3
Purpose: Configures the dual-band channel for the XOR radio hosted on slot 0 for a specific access point.
channel_number: The valid range is from 1 to 165.

Step 5
Command or Action: ap name ap-name dot11 dual-band slot 0 cleanair band {24Ghz | 5Ghz}
Example:
Device# ap name AP-SIDD-A06 dot11 dual-band slot 0 cleanair band 24Ghz
Purpose: Enables CleanAir features for dual-band radios hosted on slot 0 for a specific access point.

Step 6
Command or Action: ap name ap-name dot11 dual-band slot 0 dot11n antenna {A | B | C | D}
Example:
Device# ap name AP-SIDD-A06 dot11 dual-band slot 0 dot11n antenna A
Purpose: Configures 802.11n dual-band parameters hosted on slot 0 for a specific access point. Here, A enables antenna port A, B enables antenna port B, C enables antenna port C, and D enables antenna port D.

Step 7
Command or Action: ap name ap-name dot11 dual-band slot 0 role {auto | manual [client-serving | monitor]}
Example:
Device# ap name AP-SIDD-A06 dot11 dual-band slot 0 role auto
Purpose: Configures the dual-band role for the XOR radio hosted on slot 0 for a specific access point.
The following are the dual-band roles:
· auto: Refers to the automatic radio role selection.
· manual: Refers to the manual radio role selection.

Step 8
Command or Action: ap name ap-name dot11 dual-band slot 0 shutdown
Example:
Device# ap name AP-SIDD-A06 dot11 dual-band slot 0 shutdown
Device# ap name AP-SIDD-A06 [no] dot11 dual-band slot 0 shutdown
Purpose: Disables the dual-band radio hosted on slot 0 for a specific access point. Use the no form of this command to enable the dual-band radio.

Step 9
Command or Action: ap name ap-name dot11 dual-band slot 0 txpower {tx_power_level | auto}
Example:
Device# ap name AP-SIDD-A06 dot11 dual-band slot 0 txpower 2
Purpose: Configures the dual-band transmit power for the XOR radio hosted on slot 0 for a specific access point.
· tx_power_level: The transmit power level in dBm. The valid range is from 1 to 8.
· auto: Enables auto-RF.
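Added example, not code from the guide or from Cisco: a small lint for the slot-0 XOR radio commands above and in Configuring Default XOR Radio Support. It checks the parameter ranges this chapter documents (channel 1-165, txpower level 1-8, ext-ant-gain 0-40 in 0.5 dBi units, 20/40/80/160 MHz widths), the note that an FRA-capable radio in Auto role cannot take a static channel or txpower, and the UNII 100-144 restriction from the chapter's first note. The XorRadioConfig class and its field names are this example's own.

```python
from dataclasses import dataclass
from typing import List, Union

VALID_ROLES = {"auto", "manual client-serving", "manual monitor"}
VALID_BANDS = {"24ghz", "5ghz"}
VALID_WIDTHS_MHZ = {20, 40, 80, 160}


@dataclass
class XorRadioConfig:
    """Intended settings for the XOR (dual-band) radio hosted on slot 0.
    Field names are this example's own, not CLI keywords."""
    ap_name: str
    role: str                              # see VALID_ROLES
    band: str = "24ghz"                    # see VALID_BANDS
    channel: Union[int, str] = "auto"      # channel number or "auto"
    channel_width_mhz: int = 20            # see VALID_WIDTHS_MHZ
    txpower: Union[int, str] = "auto"      # level 1-8 or "auto"
    ext_ant_gain: int = 0                  # 0-40, in units of 0.5 dBi


def ext_ant_gain_dbi(value: int) -> float:
    """Convert the ext-ant-gain CLI value (multiples of 0.5 dBi) to dBi."""
    return value * 0.5


def lint_xor_radio(cfg: XorRadioConfig) -> List[str]:
    """Return the documented constraints that cfg violates (empty list = clean)."""
    problems = []
    if cfg.role not in VALID_ROLES:
        problems.append(f"role {cfg.role!r} is not one of {sorted(VALID_ROLES)}")
    if cfg.band not in VALID_BANDS:
        problems.append(f"band {cfg.band!r} is not one of {sorted(VALID_BANDS)}")
    if cfg.channel_width_mhz not in VALID_WIDTHS_MHZ:
        problems.append(f"channel width {cfg.channel_width_mhz} MHz is not 20/40/80/160")
    if cfg.channel != "auto" and not 1 <= int(cfg.channel) <= 165:
        problems.append(f"channel {cfg.channel} is outside 1-165")
    if cfg.txpower != "auto" and not 1 <= int(cfg.txpower) <= 8:
        problems.append(f"txpower level {cfg.txpower} is outside 1-8")
    if not 0 <= cfg.ext_ant_gain <= 40:
        problems.append(f"ext-ant-gain {cfg.ext_ant_gain} is outside 0-40 (0.5 dBi units)")
    # The guide's note on txpower: an FRA-capable radio in Auto role cannot
    # take a static channel or txpower; the role must be manual client-serving.
    if cfg.role == "auto" and (cfg.channel != "auto" or cfg.txpower != "auto"):
        problems.append("static channel/txpower require role 'manual client-serving'")
    return problems


def unii_band_conflict(five_ghz_channels: List[Union[int, str]]) -> bool:
    """True if more than one 5-GHz radio on the same AP is placed in UNII
    channels 100-144, which the guide's note says the AP cannot do within
    its power budget."""
    in_unii = [ch for ch in five_ghz_channels if ch != "auto" and 100 <= int(ch) <= 144]
    return len(in_unii) > 1


if __name__ == "__main__":
    wanted = XorRadioConfig("AP-SIDD-A06", "auto", channel=36, txpower=2)
    print(lint_xor_radio(wanted))
    print(unii_band_conflict([100, 132]))
```

Running the lint on intended settings before pushing them avoids the silent no-op the note describes, where a static channel is entered against a radio that is still in Auto role.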


CHAPTER 42
Cisco Receiver Start of Packet
· Information About Receiver Start of Packet Detection Threshold, on page 433
· Restrictions for Rx SOP, on page 433
· Configuring Rx SOP (CLI), on page 434
· Customizing RF Profile (CLI), on page 434
Information About Receiver Start of Packet Detection Threshold
The Receiver Start of Packet (Rx SOP) Detection Threshold feature determines the Wi-Fi signal level in dBm at which an access point's radio demodulates and decodes a packet. As the Wi-Fi level increases, the radio sensitivity decreases and the receiver cell size becomes smaller. Reduction of the cell size affects the distribution of clients in the network.
Rx SOP is used to address clients with weak RF links, sticky clients, and client load balancing across access points. Rx SOP helps to optimize the network performance in high-density deployments, such as stadiums and auditoriums where access points need to optimize the nearest and strongest clients.

Restrictions for Rx SOP

· Rx SOP configuration is not applicable to the third radio module pluggable on Cisco Aironet 3600 Series APs.
· Rx SOP configurations are supported only in Local, FlexConnect, Bridge, and Flex+Bridge modes.
· Rx SOP configurations are not supported in the FlexConnect+PPPoE, FlexConnect+PPPoE-wIPS, and FlexConnect+OEAP submodes.

The following table shows the permitted range for the Rx SOP threshold.
Table 19: Rx SOP Threshold

Radio Band   Threshold High   Threshold Medium   Threshold Low
2.4 GHz      -79 dBm          -82 dBm            -85 dBm
5 GHz        -76 dBm          -78 dBm            -80 dBm


Configuring Rx SOP (CLI)

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: ap dot11 {24ghz | 5ghz} rx-sop threshold {auto | custom | high | low | medium}
Example:
Device(config)# ap dot11 5ghz rx-sop threshold high
Purpose: Configures the 802.11bg/802.11a radio Rx SOP threshold.

Step 3
Command or Action: end
Purpose: Returns to privileged EXEC mode.

Step 4
Command or Action: show ap dot11 {24ghz | 5ghz} high-density
Example:
Device# show ap dot11 5ghz high-density
Purpose: Displays the 802.11bg/802.11a high-density parameters.

Step 5
Command or Action: show ap summary
Example:
Device# show ap summary
Purpose: Displays a summary of all the connected Cisco APs.

Customizing RF Profile (CLI)

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: ap dot11 {24ghz | 5ghz} rf-profile profile-name
Example:
Device(config)# ap dot11 24ghz rf-profile AHS_2.4ghz
Purpose: Configures the 802.11a and 11b parameters.

Step 3
Command or Action: high-density rx-sop threshold {auto | custom | high | low | medium}
Example:
Device(config-rf-profile)# high-density rx-sop threshold high
Purpose: Configures the 802.11bg, 802.11a high-density parameters.

Step 4
Command or Action: show ap summary
Example:
Device# show ap summary
Purpose: Displays a summary of all the connected Cisco APs.

Step 5
Command or Action: end
Purpose: Returns to privileged EXEC mode.

Note
· Irrespective of the radio mode, the controller configures the radio with the configured RX-SOP value. The AP determines whether to use the configured RX-SOP value.
· For the XOR radio (slot 0), when the AP is in monitor mode, the RX-SOP value that gets pushed to the AP depends on the band it was operating in before moving to monitor mode: if the radio was operating in the 2.4-GHz band, the RX-SOP parameters are picked from the 2.4-GHz RF profile (or the default RF profile); if it was in the 5-GHz band, the RX-SOP parameters are picked from the 5-GHz RF profile (or the default RF profile) configured for the AP.
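As an added example that is not part of the guide, the Python below resolves the Rx SOP threshold from Table 19 for a radio, applies the note above for the slot-0 XOR radio in monitor mode (the value comes from the band it operated in before entering monitor mode), and shows how raising the threshold shrinks the set of clients the radio will decode. The client RSSI samples and the RF-profile dictionary are constructed; treating auto as "no explicit threshold" is an assumption of this example.

```python
from typing import Dict, Optional, Tuple

# Table 19 of this chapter: Rx SOP threshold per band and level, in dBm.
RX_SOP_THRESHOLD_DBM = {
    "24ghz": {"high": -79, "medium": -82, "low": -85},
    "5ghz": {"high": -76, "medium": -78, "low": -80},
}

# Constructed client RSSI samples (dBm) heard by one radio, keyed by client MAC.
SAMPLE_CLIENT_RSSI = {
    "aaaa.0000.0001": -62,
    "aaaa.0000.0002": -74,
    "aaaa.0000.0003": -79,
    "aaaa.0000.0004": -84,
}

# (level, custom_dbm) as configured in a band's RF profile; custom_dbm is
# only consulted when level is "custom".
RfProfileSop = Tuple[str, Optional[int]]


def rx_sop_dbm(band: str, level: str, custom_dbm: Optional[int] = None) -> Optional[int]:
    """Resolve the configured Rx SOP level to a threshold in dBm.

    'auto' is modelled as no explicit threshold (None); this is an assumption
    of the example, the guide lists auto as a keyword without a dBm value.
    """
    if level == "auto":
        return None
    if level == "custom":
        if custom_dbm is None:
            raise ValueError("custom level requires custom_dbm")
        return custom_dbm
    return RX_SOP_THRESHOLD_DBM[band][level]


def rx_sop_for_radio(radio: Dict[str, object],
                     profiles: Dict[str, RfProfileSop]) -> Optional[int]:
    """Pick the RX-SOP value the controller would push to a radio.

    profiles maps band -> (level, custom_dbm) taken from the band's RF
    profile (or the default RF profile). Per the guide's note, the slot-0
    XOR radio in monitor mode takes the value of the band it was operating
    in before it entered monitor mode.
    """
    if radio["slot"] == 0 and radio["mode"] == "monitor":
        band = radio["band_before_monitor"]
    else:
        band = radio["band"]
    level, custom = profiles[str(band)]
    return rx_sop_dbm(str(band), level, custom)


def decodable_clients(client_rssi: Dict[str, int],
                      threshold_dbm: Optional[int]) -> Dict[str, int]:
    """Clients whose signal is at or above the threshold, i.e. the ones inside
    the receiver cell; a higher (less negative) threshold shrinks the cell."""
    if threshold_dbm is None:
        return dict(client_rssi)
    return {mac: rssi for mac, rssi in client_rssi.items() if rssi >= threshold_dbm}


if __name__ == "__main__":
    profiles = {"24ghz": ("high", None), "5ghz": ("medium", None)}
    for level in ("low", "medium", "high"):
        dbm = rx_sop_dbm("5ghz", level)
        print(level, dbm, sorted(decodable_clients(SAMPLE_CLIENT_RSSI, dbm)))
```

Walking the three levels over the same RSSI set is a quick way to see how many of the weakest clients a threshold change would push off a radio before applying it to a high-density RF profile.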


CHAPTER 43
Client Limit
· Information About Client Limit, on page 437
· Configuring Client Limit Per WLAN (GUI), on page 437
· Configuring Client Limit Per WLAN (CLI), on page 437
Information About Client Limit
This feature enforces a limit on the number of clients that can be associated with an AP. Further, you can configure the number of clients that can be associated with each AP radio.

Configuring Client Limit Per WLAN (GUI)
Procedure

Step 1
Choose Configuration > Tags & Profiles > WLANs.

Step 2
Click a WLAN from the list of WLANs.

Step 3
Click the Advanced tab.

Step 4
Under the Max Client Connections settings, enter the client limit for Per WLAN, Per AP Per WLAN, and Per AP Radio Per WLAN.

Step 5
Click Update & Apply to Device.

Configuring Client Limit Per WLAN (CLI)

Procedure

Step 1
Command or Action: enable
Example:
Device# enable
Purpose: Enters privileged EXEC mode.

Step 2
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 3
Command or Action: wlan wlan-name
Example:
Device(config)# wlan ramban
Purpose: Specifies the WLAN name.

Step 4
Command or Action: client association limit maximum-clients-per-WLAN
Example:
Device(config-wlan)# client association limit 110
Purpose: Configures the maximum number of clients that can be associated to the given WLAN.

Step 5
Command or Action: client association limit ap max-clients-per-AP-per-WLAN
Example:
Device(config-wlan)# client association limit ap 120
Purpose: Configures the maximum number of clients that can be associated to an AP in the WLAN.

Step 6
Command or Action: client association limit radio max-clients-per-AP-radio-per-WLAN
Example:
Device(config-wlan)# client association limit radio 100
Purpose: Configures the maximum number of clients that can be associated to an AP radio in the WLAN.

Step 7
Command or Action: end
Example:
Device(config)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Step 8
Command or Action: show wlan id wlan-id
Example:
Device# show wlan id 2
Purpose: Displays the current configuration of the WLAN and the corresponding client association limits.
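Added example (not code from the guide or the controller): an admission table in Python that enforces the three limits set in Steps 4 through 6. The limit values and the join attempts are constructed, and the order in which the three limits are evaluated is an assumption; the guide only says each limit is enforced.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ClientLimits:
    """The three limits set under Max Client Connections / client association limit."""
    per_wlan: int
    per_ap_per_wlan: int
    per_ap_radio_per_wlan: int


@dataclass(frozen=True)
class Association:
    mac: str
    wlan: str
    ap: str
    radio_slot: int


class AssociationTable:
    """Admission control that applies the per-WLAN, per-AP-per-WLAN and
    per-AP-radio-per-WLAN limits, in that order (assumption: the guide does
    not state the evaluation order, only that all three are enforced)."""

    def __init__(self, limits_by_wlan: Dict[str, ClientLimits]) -> None:
        self.limits_by_wlan = limits_by_wlan
        self.assocs: List[Association] = []

    def count(self, wlan: str, ap: Optional[str] = None,
              slot: Optional[int] = None) -> int:
        """Number of current associations matching the given scope."""
        return sum(1 for a in self.assocs
                   if a.wlan == wlan
                   and (ap is None or a.ap == ap)
                   and (slot is None or a.radio_slot == slot))

    def try_admit(self, assoc: Association) -> Tuple[bool, str]:
        """Admit the client if no limit is reached; return (admitted, reason)."""
        limits = self.limits_by_wlan[assoc.wlan]
        if any(a.mac == assoc.mac for a in self.assocs):
            return False, "already associated"
        if self.count(assoc.wlan) >= limits.per_wlan:
            return False, "per-WLAN limit reached"
        if self.count(assoc.wlan, assoc.ap) >= limits.per_ap_per_wlan:
            return False, "per-AP-per-WLAN limit reached"
        if self.count(assoc.wlan, assoc.ap, assoc.radio_slot) >= limits.per_ap_radio_per_wlan:
            return False, "per-AP-radio-per-WLAN limit reached"
        self.assocs.append(assoc)
        return True, "admitted"

    def remove(self, mac: str) -> None:
        """Drop a client's association, freeing its slot in every scope."""
        self.assocs = [a for a in self.assocs if a.mac != mac]


def demo_admissions() -> List[str]:
    """Constructed sequence of join attempts against small limits on the
    WLAN 'ramban' named in the guide's example; returns the reasons."""
    table = AssociationTable({"ramban": ClientLimits(per_wlan=4, per_ap_per_wlan=3,
                                                     per_ap_radio_per_wlan=2)})
    attempts = [
        Association("0000.0000.0001", "ramban", "ap1", 0),
        Association("0000.0000.0002", "ramban", "ap1", 0),
        Association("0000.0000.0003", "ramban", "ap1", 0),  # radio full
        Association("0000.0000.0003", "ramban", "ap1", 1),
        Association("0000.0000.0004", "ramban", "ap1", 1),  # AP full
        Association("0000.0000.0004", "ramban", "ap2", 0),
        Association("0000.0000.0005", "ramban", "ap2", 0),  # WLAN full
    ]
    return [table.try_admit(a)[1] for a in attempts]


if __name__ == "__main__":
    for reason in demo_admissions():
        print(reason)
```

The sequence shows the three scopes nesting: a client refused on one radio can still join another radio of the same AP until the per-AP count is reached, and any AP until the per-WLAN count is reached.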


CHAPTER 44
IP Theft
· Introduction to IP Theft, on page 439
· Configuring IP Theft (GUI), on page 440
· Configuring IP Theft, on page 440
· Configuring the IP Theft Exclusion Timer, on page 440
· Adding Static Entries for Wired Hosts, on page 441
· Verifying IP Theft Configuration, on page 442
Introduction to IP Theft
The IP Theft feature prevents the usage of an IP address that is already assigned to another device. If the controller finds that two wireless clients are using the same IP address, it declares the client with the lesser precedence binding as the IP thief and allows the other client to continue. If the blocked list is enabled, the client is put on the exclusion list and thrown out. The IP Theft feature is enabled by default on the controller.
The preference level of the clients (new and existing clients in the database) is also used to report IP theft. The preference level is a learning type or source of learning, such as Dynamic Host Configuration Protocol (DHCP), Address Resolution Protocol (ARP), data glean (looking at the IP data packet that shows what IP address the client is using), and so on. Wired clients always get a higher preference level. If a wireless client tries to steal the wired IP, that client is declared as a thief.
The order of preference for IPv4 clients is:
1. DHCPv4
2. ARP
3. Data packets
The order of preference for IPv6 clients is:
1. DHCPv6
2. NDP
3. Data packets

Note The static wired clients have a higher preference over DHCP.
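The precedence rules above, as an added example written for this guide (not the controller's code): a small device-tracking model in Python that ranks each binding by its learning source, declares the lower-ranked host the thief when two hosts claim one IP, and puts a wireless thief on the exclusion list. The PREFERENCE ranks encode wired static/SVI above DHCP above ARP/NDP above data packets; the tie-break for equal precedence is an assumption, and the aaaa.* MAC addresses are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Higher rank wins. The guide states that wired clients (static wired
# bindings and locally configured SVI addresses) always outrank wireless
# learning sources, and gives the wireless order DHCP > ARP/NDP > data.
PREFERENCE = {
    "static-wired": 4,
    "dhcpv4": 3, "dhcpv6": 3,
    "arp": 2, "ndp": 2,
    "data": 1,
}


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    source: str        # one of the PREFERENCE keys
    wired: bool = False


def precedence(b: Binding) -> int:
    """Rank of a binding's learning source."""
    if b.source not in PREFERENCE:
        raise ValueError(f"unknown learning source {b.source!r}")
    return PREFERENCE[b.source]


def resolve_conflict(existing: Binding, incoming: Binding) -> Tuple[Binding, Binding]:
    """Return (thief, keeper) for two different hosts claiming the same IP.

    The lower-precedence binding is the thief. On equal precedence the
    existing binding is kept (assumption: the guide does not give a tie-break).
    """
    if existing.ip != incoming.ip or existing.mac == incoming.mac:
        raise ValueError("conflict needs two hosts sharing one IP")
    if precedence(incoming) > precedence(existing):
        return existing, incoming
    return incoming, existing


class IpTheftDetector:
    """Minimal model of the controller's device-tracking table with the
    IP Theft check applied on every learned binding."""

    def __init__(self, exclude_on_theft: bool = True) -> None:
        self.table: Dict[str, Binding] = {}
        self.excluded: List[str] = []
        self.exclude_on_theft = exclude_on_theft

    def learn(self, binding: Binding) -> Optional[str]:
        """Record a binding; return the thief's MAC if a theft was declared."""
        current = self.table.get(binding.ip)
        if current is None or current.mac == binding.mac:
            # Same host (or a free address): keep the best-ranked evidence.
            if current is None or precedence(binding) >= precedence(current):
                self.table[binding.ip] = binding
            return None
        thief, keeper = resolve_conflict(current, binding)
        self.table[binding.ip] = keeper
        # Only wireless clients are placed on the exclusion list.
        if self.exclude_on_theft and not thief.wired:
            self.excluded.append(thief.mac)
        return thief.mac


if __name__ == "__main__":
    d = IpTheftDetector()
    d.learn(Binding("000b.bbb1.0001", "20.20.20.6", "dhcpv4"))
    print(d.learn(Binding("10da.4320.cce9", "20.20.20.6", "arp")))
    print(d.excluded)
```

The second wireless host in the demo is learned through ARP, so it loses to the DHCP binding already in the table; had it been the wired static entry from Adding Static Entries for Wired Hosts, the wireless DHCP client would have been the one declared the thief.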

Configuring IP Theft (GUI)
Procedure

Step 1
Choose Configuration > Security > Wireless Protection Policies > Client Exclusion Policies.

Step 2
Check the IP Theft or IP Reuse check box.

Step 3
Click Apply.

Configuring IP Theft
Follow the procedure given below to configure the IP Theft feature:

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wireless wps client-exclusion ip-theft
Example:
Device(config)# wireless wps client-exclusion ip-theft
Purpose: Configures the client exclusion policy.

Configuring the IP Theft Exclusion Timer
Follow the procedure given below to configure the IP theft exclusion timer:

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wireless profile policy profile-policy
Example:
Device(config)# wireless profile policy default-policy-profile
Purpose: Configures a WLAN policy profile and enters wireless policy configuration mode.

Step 3
Command or Action: exclusionlist timeout time-in-seconds
Example:
Device(config-wireless-policy)# exclusionlist timeout 5
Purpose: Specifies the timeout, in seconds. The valid range is from 0 to 2147483647. Enter zero (0) for no timeout.

Adding Static Entries for Wired Hosts
Follow the procedure given below to create static wired bindings:

Note The statically configured wired bindings and locally configured SVI IP addresses have a higher precedence than DHCP.

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: Use the first option to configure an IPv4 static entry or the second option to create an IPv6 static entry.
· device-tracking binding vlan vlan-id ipv4-address interface gigabitEthernet ge-intf-num hardware-or-mac-address
· device-tracking binding vlan vlan-id ipv6-address interface gigabitEthernet ge-intf-num hardware-or-mac-address
Example:
Device(config)# device-tracking binding vlan 20 20.20.20.5 interface gigabitEthernet 1 0000.1111.2222
Example:
Device(config)# device-tracking binding vlan 20 2200:20:20::6 interface gigabitEthernet 1 0000.444.3333
Purpose: Configures an IPv4 or IPv6 static entry.

Verifying IP Theft Configuration

Use the following command to check if the IP Theft feature is enabled or not:
Device# show wireless wps summary

Client Exclusion Policy
  Excessive 802.11-association failures    : Enabled
  Excessive 802.11-authentication failures : Enabled
  Excessive 802.1x-authentication          : Enabled
  IP-theft                                 : Enabled
  Excessive Web authentication failure     : Enabled
  Cids Shun failure                        : Enabled
  Misconfiguration failure                 : Enabled
  Failed Qos Policy                        : Enabled
  Failed Epm                               : Enabled

Use the following commands to view additional details about the IP Theft feature:
Device# show wireless client summary

Number of Local Clients: 1

MAC Address      AP Name   WLAN  State  Protocol  Method  Role
-------------------------------------------------------------------------------------------
000b.bbb1.0001   SimAP-1   2     Run    11a       None    Local

Number of Excluded Clients: 1

MAC Address      AP Name   WLAN  State     Protocol  Method
-------------------------------------------------------------------------------------------
10da.4320.cce9   charlie2  2     Excluded  11ac      None

Device# show wireless device-tracking database ip

IP            VLAN  STATE      DISCOVERY   MAC
-------------------------------------------------------------------------
20.20.20.2    20    Reachable  Local       001e.14cc.cbff
20.20.20.6    20    Reachable  IPv4 DHCP   000b.bbb1.0001

Device# show wireless exclusionlist

Excluded Clients

MAC Address      Description  Exclusion Reason   Time Remaining
-----------------------------------------------------------------------------------------
10da.4320.cce9                IP address theft   59

Note The client exclusion timer deletes the entry from the exclusion list with a granularity of 10 seconds. The entry is checked for retention or deletion every 10 seconds. The running timer value for excluded clients might therefore display negative values of up to 10 seconds.

Device# show wireless exclusionlist client mac 12da.4820.cce9 detail
Client State : Excluded
Client MAC Address : 12da.4820.cce9
Client IPv4 Address: 20.20.20.6
Client IPv6 Address: N/A
Client Username: N/A
Exclusion Reason : IP address theft
Authentication Method : None
Protocol: 802.11ac
AP MAC Address : 58ac.780e.08f0
AP Name: charlie2
AP slot : 1
Wireless LAN Id : 2
Wireless LAN Name: mhe-ewlc
VLAN Id : 20
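For monitoring, an added Python parser (not part of the guide) for the show wireless exclusionlist table: it pulls out the MAC, reason and Time Remaining of each entry, lists the entries excluded for IP address theft, and applies the 10-second timer granularity from the note above, treating a negative Time Remaining of up to 10 seconds as normal and anything beyond that as anomalous. The sample output is constructed in the guide's layout; the second and third rows are invented.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the layout of 'show wireless exclusionlist'. The first
# row is the one shown in the guide; the other two are invented, including a
# negative Time Remaining of the kind the guide's note describes.
SAMPLE_EXCLUSION_LIST = """\
Excluded Clients

MAC Address      Description  Exclusion Reason   Time Remaining
-----------------------------------------------------------------------------------------
10da.4320.cce9                IP address theft   59
aaaa.bbbb.0002                IP address theft   -7
aaaa.bbbb.0003   lab-host     Misconfiguration   120
"""

_ROW_RE = re.compile(r"^\s*([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(.*?)\s+(-?\d+)\s*$")

# Granularity of the exclusion timer according to the guide's note.
TIMER_GRANULARITY_S = 10


@dataclass(frozen=True)
class ExclusionEntry:
    mac: str
    reason: str          # Exclusion Reason, with any Description text before it
    time_remaining: int  # seconds; may be slightly negative (see note)


def parse_exclusion_list(text: str) -> List[ExclusionEntry]:
    """Parse the table rows of 'show wireless exclusionlist'.

    Description and Exclusion Reason are free text separated only by spaces,
    so both land in the middle capture; the reason keywords are matched on
    that combined field.
    """
    entries = []
    for line in text.splitlines():
        m = _ROW_RE.match(line)
        if m:
            mac, middle, remaining = m.groups()
            entries.append(ExclusionEntry(mac, " ".join(middle.split()), int(remaining)))
    return entries


def ip_theft_exclusions(entries: List[ExclusionEntry]) -> List[ExclusionEntry]:
    """Entries excluded for the reason the controller prints for IP Theft."""
    return [e for e in entries if "IP address theft" in e.reason]


def pending_removal(entries: List[ExclusionEntry]) -> List[str]:
    """MACs whose timer has expired and will be removed at the next 10-second check."""
    return [e.mac for e in entries if e.time_remaining <= 0]


def anomalous_timers(entries: List[ExclusionEntry]) -> List[str]:
    """MACs whose negative Time Remaining exceeds the 10-second granularity the
    guide describes, which would mean the timer is not behaving as documented."""
    return [e.mac for e in entries if e.time_remaining < -TIMER_GRANULARITY_S]


if __name__ == "__main__":
    entries = parse_exclusion_list(SAMPLE_EXCLUSION_LIST)
    for e in ip_theft_exclusions(entries):
        print(e.mac, e.time_remaining)
    print("pending removal:", pending_removal(entries))
```

Polling this command and forwarding the IP-theft entries to a log collector gives a record of address-conflict incidents that outlives the exclusion timer itself.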


CHAPTER 45
Unscheduled Automatic Power Save Delivery
· Information About Unscheduled Automatic Power Save Delivery, on page 445
· Viewing Unscheduled Automatic Power Save Delivery (CLI), on page 445
Information About Unscheduled Automatic Power Save Delivery
Unscheduled automatic power save delivery (U-APSD) is a QoS facility that is defined in IEEE 802.11e that extends the battery life of mobile clients. In addition to extending the battery life, this feature reduces the latency of traffic flow that is delivered over the wireless media. Because U-APSD does not require the client to poll each individual packet that is buffered at the access point, it allows delivery of multiple downlink packets by sending a single uplink trigger packet. U-APSD is enabled automatically when WMM is enabled.
Viewing Unscheduled Automatic Power Save Delivery (CLI)
Procedure

Command or Action: show wireless client mac-address client_mac detail
Example:
Device# show wireless client mac-address 2B:5B:B3:18:56:E9 detail
Output Policy State : Unknown
Output Policy Source : Unknown
WMM Support : Enabled
U-APSD Support : Enabled
  U-APSD value : 15
  APSD ACs : BK(T/D), BE, VI(T/D), VO(T/D)
Power Save : OFF
Current Rate :
-------------------------
BK : Background
BE : Best Effort
VI : Video
VO : Voice
T : UAPSD Trigger Enabled
D : UAPSD Delivery Enabled
T/D : UAPSD Trigger and Delivery Enabled
Purpose: Shows detailed information of a client by MAC address.
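Added example (not from the guide): a Python parser for the U-APSD fields of the client detail output above. It decodes the APSD ACs field with the legend the controller prints (T, D, T/D) into per-access-category trigger and delivery flags, so a script can confirm which categories actually have U-APSD negotiated for a client. The sample text is a constructed excerpt using the field values shown above.

```python
import re
from typing import Dict, List

# Constructed excerpt in the layout of 'show wireless client mac-address ... detail',
# using the field values printed in the guide.
SAMPLE_CLIENT_DETAIL = """\
Output Policy State : Unknown
Output Policy Source : Unknown
WMM Support : Enabled
U-APSD Support : Enabled
  U-APSD value : 15
  APSD ACs : BK(T/D), BE, VI(T/D), VO(T/D)
Power Save : OFF
Current Rate :
"""

AC_NAMES = {"BK": "Background", "BE": "Best Effort", "VI": "Video", "VO": "Voice"}
_AC_RE = re.compile(r"(BK|BE|VI|VO)(?:\((T|D|T/D)\))?")
_FIELD_RE = re.compile(
    r"\s*(WMM Support|U-APSD Support|U-APSD value|APSD ACs|Power Save)\s*:\s*(.*)")


def parse_apsd_acs(value: str) -> Dict[str, Dict[str, bool]]:
    """Decode the 'APSD ACs' field using the legend the controller prints:
    T = trigger enabled, D = delivery enabled, T/D = both, no suffix = neither."""
    result: Dict[str, Dict[str, bool]] = {}
    for token in (t.strip() for t in value.split(",")):
        if not token:
            continue
        m = _AC_RE.fullmatch(token)
        if not m:
            raise ValueError(f"unrecognised access category token {token!r}")
        ac, flags = m.groups()
        result[ac] = {"trigger": flags in ("T", "T/D"),
                      "delivery": flags in ("D", "T/D")}
    return result


def parse_client_uapsd(text: str) -> Dict[str, object]:
    """Extract the WMM / U-APSD fields from the client detail output."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = _FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return {
        "wmm_support": fields.get("WMM Support") == "Enabled",
        "uapsd_support": fields.get("U-APSD Support") == "Enabled",
        "uapsd_value": int(fields["U-APSD value"]) if "U-APSD value" in fields else None,
        "acs": parse_apsd_acs(fields.get("APSD ACs", "")),
        "power_save": fields.get("Power Save"),
    }


def acs_with_uapsd(acs: Dict[str, Dict[str, bool]]) -> List[str]:
    """Access categories with both trigger and delivery enabled, i.e. the ones
    whose buffered downlink frames are released by the client's uplink trigger."""
    return [ac for ac, f in acs.items() if f["trigger"] and f["delivery"]]


if __name__ == "__main__":
    info = parse_client_uapsd(SAMPLE_CLIENT_DETAIL)
    for ac in acs_with_uapsd(info["acs"]):
        print(ac, AC_NAMES[ac])
```

In the guide's output only BE lacks the T/D suffix, so a voice client on this association would have U-APSD trigger and delivery on the Voice, Video and Background categories but not on Best Effort.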


CHAPTER 46
Target Wake Time
· Target Wake Time, on page 447
· Configuring Target Wake Time at the Radio Level (CLI), on page 448
· Configuring Target Wake Time on WLAN, on page 449
· Configuring Target Wake Time (GUI), on page 451
· Verifying Target Wakeup Time, on page 451
Target Wake Time
The existing Wi-Fi client power-saving mechanisms have been in use since 802.11b. Client devices sleep between AP beacons, or across multiple beacons, waking up only when they have data to transmit (they can transmit at any time, because the AP does not sleep). Beacons contain the Delivery Traffic Indication Map (DTIM), a bit-map that indicates that the AP has downlink traffic buffered for transmission to particular clients. If a client has a DTIM bit set, it can retrieve data from the AP by sending a Power-Save Poll (PS-Poll) frame to the AP. This power-save scheme is effective but only allows clients to doze for a small beacon interval. Clients still need to wake up several times per second to read the DTIM from the beacon frame of the AP. With 802.11e, a new power-saving mechanism was introduced that helps voice-capable Wi-Fi devices, as voice packets are transmitted at short time intervals, typically 20 ms/sec. Unscheduled automatic power-save delivery (U-APSD) allows a power-save client to sleep at intervals within a beacon period. The AP buffers the downlink traffic until the client wakes up and requests its delivery.
Extended Power-Savings Using Target Wake Time
Target wake time (TWT) allows an AP to manage activity in the Wi-Fi network, in order to minimize medium contention between Stations (STAs), and to reduce the required amount of time that an STA in the power-save mode needs to be awake. This is achieved by allocating STAs to operate at non-overlapping times, and/or frequencies, and concentrate the frame exchanges in predefined service periods. TWT capable STA can either negotiate an individual TWT agreement with TWT-scheduling AP, or it can elect to be part or member of Broadcast TWT agreement existing on the AP. An STA does not need to be aware that a TWT service period (SP) can be used to exchange frames with other STAs. Frames transmitted during a TWT SP can be carried in any PPDU format supported by the pair of STAs that have established the TWT agreement corresponding to that TWT SP, including High Efficiency Multi-User Physical Protocol Data Unit (HE MU PPDU), High Efficiency Trigger-Based Physical Protocol Data Unit (HE TB PPDU), and so on.

Following are the TWT agreement types:

· Individual TWT: A single TWT session is negotiated between the AP and an STA. This ensures a specific service period for DL and UL between the AP and the STA, with the expected traffic limited to the negotiated SP with 99% accuracy. The service period starts at a specific offset from the target beacon transmission time (TBTT), runs for the SP duration, and repeats every SP interval. The TWT requesting STA communicates its wake scheduling information to the TWT responding AP, which then devises a schedule and delivers the TWT values to the TWT requesting STA once a TWT agreement has been established between them.

· Solicited TWT: The STA initiates the TWT session with the AP.

· Unsolicited TWT: The AP initiates the TWT setup with the STA. The AP sends a TWT response with a service period, which is accepted by the STA.

· Broadcast TWT: The High-Efficiency AP requests the STA to participate in the broadcast TWT operation, either in an on-going broadcast SP or in a new SP.

Configuring Target Wake Time at the Radio Level (CLI)

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: ap dot11 {24ghz | 5ghz} shutdown
Example:
Device(config)# ap dot11 24ghz shutdown
Purpose: Disables the 802.11a or 802.11b network.

Step 3
Command or Action: ap dot11 {24ghz | 5ghz} dot11ax
Example:
Device(config)# ap dot11 24ghz dot11ax
Purpose: Configures the 802.11ax parameters.

Step 4
Command or Action: [no] ap dot11 {24ghz | 5ghz} dot11ax target-wakeup-time
Example:
Device(config)# ap dot11 24ghz dot11ax target-wakeup-time
Purpose: Configures the 802.11ax target wake-up time.

Step 5
Command or Action: [no] ap dot11 {24ghz | 5ghz} dot11ax target-waste-time
Example:
Device(config)# ap dot11 24ghz dot11ax target waste-time
Purpose: Configures the 802.11ax target waste-time.

Step 6
Command or Action: no ap dot11 {24ghz | 5ghz} shutdown
Example:
Device(config)# no ap dot11 24ghz shutdown
Purpose: Enables the 802.11a or 802.11b network.

Step 7
Command or Action: show ap dot11 {24ghz | 5ghz} network
Example:
Device(config)# show ap dot11 24ghz network
Purpose: Displays the 802.11ax network configuration details, which include information about Target Wakeup Time and Target Wakeup Broadcast.

Configuring Target Wake Time on WLAN

Enabling Target Wake Time on WLAN (CLI)

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wlan wlan-profile
Example:
Device(config)# wlan wlan-profile
Purpose: Enters WLAN configuration submode. The wlan-profile is the profile name of the configured WLAN.

Step 3
Command or Action: shutdown
Example:
Device(config-wlan)# shutdown
Purpose: Disables the WLAN network.

Step 4
Command or Action: dot11ax target-waketime
Example:
Device(config-wlan)# dot11ax target-waketime
Purpose: Configures target wake time mode on the WLAN.

Step 5
Command or Action: dot11ax twt-broadcast-support
Example:
Device(config-wlan)# dot11ax twt-broadcast-support
Purpose: Configures TWT broadcast support on the WLAN.

Step 6
Command or Action: no shutdown
Example:
Device(config-wlan)# no shutdown
Purpose: Enables the WLAN.

Step 7
Command or Action: show wlan {all | id | name | summary}
Example:
Device# show wlan all
Device# show wlan id
Device# show wlan name
Purpose: Displays the details of the configured WLAN, including Target Wakeup Time and Target Wakeup Time Broadcast.

Disabling Target Wakeup Time on WLAN (CLI)

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wlan profile-name
Example:
Device(config)# wlan wlan-profile
Purpose: Enters WLAN configuration submode. The wlan-profile is the profile name of the configured WLAN.

Step 3
Command or Action: shutdown
Example:
Device(config-wlan)# shutdown
Purpose: Disables the WLAN network.

Step 4
Command or Action: no dot11ax target-waketime
Example:
Device(config-wlan)# no dot11ax target-waketime
Purpose: Disables target wake time mode on the WLAN.

Step 5
Command or Action: no dot11ax twt-broadcast-support
Example:
Device(config-wlan)# no dot11ax twt-broadcast-support
Purpose: Disables TWT broadcast support on the WLAN.

Step 6
Command or Action: no shutdown
Example:
Device(config-wlan)# no shutdown
Purpose: Enables the WLAN.


Configuring Target Wake Time (GUI)

Procedure

Step 1
Choose Configuration > Radio Configurations > Parameters. The parameters page is displayed, where you can configure global parameters for the 5 GHz Band and 2.4 GHz Band radios.

Step 2
In the 11ax Parameters section, check the Target Wakeup Time check box and the Target Wakeup Time Broadcast check box to configure target wakeup time and broadcast target wakeup time.

Verifying Target Wakeup Time

To verify Target Wakeup Time and Target Wakeup Time Broadcast, use the following command:

show ap dot11 24ghz network

The following is a sample output:

Device# show ap dot11 24ghz network
.
.
.
802.11ax                                : Enabled
Target Wakeup Time                      : Enabled
Target Wakeup Time Broadcast            : Enabled
.
.
.


CHAPTER 47

Enabling USB Port on Access Points

· USB Port as Power Source for Access Points, on page 453
· Configuring an AP Profile (CLI), on page 454
· Configuring USB Settings for an Access Point (CLI), on page 455
· Configuring USB Settings for an Access Point (GUI), on page 455
· Monitoring USB Configurations for Access Points (CLI), on page 456
USB Port as Power Source for Access Points
Some Cisco APs have a USB port that can act as a source of power for some USB devices. The power can be up to 2.5W; if a USB device draws more than 2.5W of power, the USB port shuts down automatically. The port is enabled when the power draw is 2.5W and lower. Refer to the datasheet of your AP to check if the AP has a USB port that can act as a source of power.
Note Both IW6300 and ESW6300 APs have a USB port that can act as a source of power up to 4.5W for some USB devices.
Note The controller records the last five power-overdrawn incidents in its logs.

Caution: When an unsupported USB device is connected to the Cisco AP, the following message is displayed:
The inserted USB module is not a supported device. The behavior of this USB device and the impact to the Access Point is not guaranteed. If Cisco determines that a fault or defect can be isolated due to the use of third-party USB modules installed by a customer or reseller, Cisco may withhold support under warranty or support program under contract. In the course of providing support for Cisco networking products, the end user may be required to install Cisco-supported USB modules in the event Cisco determines that removing third-party parts will assist Cisco in diagnosing root cause for troubleshooting purposes. Cisco also reserves the right to charge the customer per then-current time and material rates for services provided to the customer when Cisco determines, after having provided such services, that an unsupported device caused the root cause of the defective product

Configuring an AP Profile (CLI)

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: ap profile ap-profile
Example:
Device(config)# ap profile xyz-ap-profile
Purpose: Configures an AP profile and enters the AP profile configuration mode.
Note: When you delete a named profile, the APs associated with that profile will not revert to the default profile.

Step 3
Command or Action: usb-enable
Example:
Device(config-ap-profile)# usb-enable
Purpose: Enables USB for each AP profile.
Note: By default, USB is enabled for each AP profile. Use the no usb-enable command to disable USB for each AP profile.

Step 4
Command or Action: end
Example:
Device(config-ap-profile)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.


Configuring USB Settings for an Access Point (CLI)

Procedure

Step 1
Command or Action: enable
Example:
Device# enable
Purpose: Enters privileged EXEC mode.

Step 2
Command or Action: ap name ap-name usb-module
Example:
Device# ap name AP44d3.xy45.69a1 usb-module
Purpose: Enables the USB port on the AP. Use the ap name ap-name no usb-module command to disable the USB port on the AP.
Note: If you are using a Cisco Catalyst 9105AXW AP and you enable the USB port (.3at PoE-in), it is not possible to enable the USB PoE-out at the same time.

Step 3
Command or Action: ap name ap-name usb-module override
Example:
Device# ap name AP44d3.xy45.69a1 usb-module override
Purpose: Overrides the USB status of the AP profile and considers the local AP configuration. Use the ap name ap-name no usb-module override command to remove the override so that the AP profile configuration is considered again.
Note: You can configure the USB status for an AP only if you enable USB override for it.

Configuring USB Settings for an Access Point (GUI)

Procedure

Step 1
Choose Configuration > Wireless > Access Points.

Step 2
In the Access Points window, click the name of the AP.

Step 3
In the Edit AP window, click the Interfaces tab.

Step 4
In the USB Settings section, configure the USB Module State as either of the following:
· ENABLED: Enables the USB port on the AP
· DISABLED: Disables the USB port on the AP
Note: If you are using a Cisco Catalyst 9105AXW AP and you enable the USB port (.3at PoE-in), it is not possible to enable the USB PoE-out at the same time.

Step 5
Configure USB Override as either of the following:
· ENABLED: Overrides the USB status of the AP profile and considers the local AP configuration
· DISABLED: Removes the override so that the AP profile configuration is considered
Note: You can configure the USB status for an AP only if you enable USB override for it.

Step 6
Click Apply & Update to Device.

Monitoring USB Configurations for Access Points (CLI)

· To view the inventory details of APs, use the following command:

show ap name ap-name inventory

The following is a sample output:

Device# show ap name AP500F.8059.1620 inventory
NAME: AP2800 , DESCR: Cisco Aironet 2800 Series (IEEE 802.11ac) Access Point
PID: AIR-AP2802I-D-K9 , VID: 01, SN: XXX1111Y2ZZZZ2800
NAME: SanDisk , DESCR: Cruzer Blade
PID: SanDisk , SN: XXXX1110010, MaxPower: 224

· To view the summary of an AP module, use the following command:

show ap module summary

The following is a sample output:

Device# show ap module summary
AP Name             External Module   External Module PID   External Module Description
----------------------------------------------------------------------------------------
AP500F.1111.2222    Enable            SanDisk               Cruzer Blade

· To view the USB configuration details for each AP, use the following command:

show ap name ap-name config general

The following is a sample output:

Device# show ap name AP500F.111.2222 config general
.
.
.
USB Module Type.................................. USB Module
USB Module Status................................ Disabled
USB Module Operational State..................... Enabled
USB Override .................................... Enabled

· To view the status of the USB module, use the following command:

show ap profile name xyz detailed

The following is a sample output:

Device# show ap profile name xyz detailed
USB Module                                      : ENABLED
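The following script is an added example and is not part of the Cisco guide. It parses the key/value show output used in this chapter and in "Verifying Target Wakeup Time" above (both the colon-separated form of show ap dot11 24ghz network and show ap profile name ... detailed, and the dotted-leader form of show ap name ... config general), checks that TWT and TWT broadcast are enabled on a radio, and flags APs whose effective USB state diverges from their profile because a local usb-module override is in place. The sample outputs are constructed after the page's examples, and the function names are the example's own.

```python
import re
from typing import Dict, List

# Matches both layouts used by the IOS XE show output on this page:
#   "Target Wakeup Time      : Enabled"       (colon separated)
#   "USB Module Status....... Disabled"       (dotted leader)
KV_RE = re.compile(
    r"^\s*(?P<key>[A-Za-z0-9][A-Za-z0-9 ./()+-]*?)\s*(?:\.{2,}|:)\s*(?P<value>.*?)\s*$"
)


def parse_kv(text: str) -> Dict[str, str]:
    """Return the key/value pairs of a show-command output. Prompt lines,
    ellipsis lines and table rows carry no separator and are skipped."""
    pairs: Dict[str, str] = {}
    for line in text.splitlines():
        m = KV_RE.match(line)
        if m and m["value"]:
            pairs[m["key"]] = m["value"]
    return pairs


def _enabled(pairs: Dict[str, str], key: str) -> bool:
    # IOS XE prints "Enabled" in radio output and "ENABLED" in profile output
    return pairs.get(key, "").strip().lower() == "enabled"


def twt_status(network_output: str) -> Dict[str, bool]:
    """Read the TWT-related lines of 'show ap dot11 <band> network'."""
    p = parse_kv(network_output)
    return {
        "dot11ax": _enabled(p, "802.11ax"),
        "twt": _enabled(p, "Target Wakeup Time"),
        "twt_broadcast": _enabled(p, "Target Wakeup Time Broadcast"),
    }


def usb_audit(profile_output: str, ap_output: str) -> List[str]:
    """Compare the profile-level USB setting ('show ap profile name X detailed')
    with the AP's effective state ('show ap name X config general').
    An empty list means the AP follows its profile and has no local override."""
    profile = parse_kv(profile_output)
    ap = parse_kv(ap_output)
    profile_on = _enabled(profile, "USB Module")
    oper_on = _enabled(ap, "USB Module Operational State")
    findings: List[str] = []
    if _enabled(ap, "USB Override"):
        findings.append("USB override enabled: the local AP configuration, "
                        "not the AP profile, decides the USB state")
    if oper_on != profile_on:
        findings.append(
            f"USB port is operationally {'enabled' if oper_on else 'disabled'} "
            f"but the profile sets it {'ENABLED' if profile_on else 'DISABLED'}")
    return findings


# Constructed samples modelled on the outputs shown in this chapter (not real captures).
NETWORK_OUTPUT = """\
Device# show ap dot11 24ghz network
.
.
802.11ax                                : Enabled
Target Wakeup Time                      : Enabled
Target Wakeup Time Broadcast            : Disabled
"""

PROFILE_OUTPUT = """\
Device# show ap profile name xyz detailed
USB Module                              : DISABLED
"""

AP_GENERAL_OUTPUT = """\
Device# show ap name AP500F.111.2222 config general
.
USB Module Type.................................. USB Module
USB Module Status................................ Disabled
USB Module Operational State..................... Enabled
USB Override .................................... Enabled
"""

if __name__ == "__main__":
    print(twt_status(NETWORK_OUTPUT))
    for finding in usb_audit(PROFILE_OUTPUT, AP_GENERAL_OUTPUT):
        print("FINDING:", finding)
```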


CHAPTER 48

Dynamic Frequency Selection

· Feature History for Channel Availability Check (CAC), on page 457
· Information About Dynamic Frequency Selection, on page 457
· Information About Channel Availability Check (CAC), on page 458
· Verifying DFS, on page 458

Feature History for Channel Availability Check (CAC)

This table provides release and related information for the features explained in this module. These features are available in all releases subsequent to the one they were introduced in, unless noted otherwise.

Table 20: Feature History for Channel Availability Check (CAC)

Release: Cisco IOS XE Bengaluru 17.5.1
Feature: Channel Availability Check (CAC)
Feature Information: When a DFS channel is selected for an AP radio, the AP radio scans the channel to check for any radar signals before transmitting any frames in the DFS frequency. This process is called Channel Availability Check (CAC).

Information About Dynamic Frequency Selection
Dynamic Frequency Selection (DFS) is the process of detecting radar signals and automatically setting the frequency on a DFS-enabled 5.0-GHz (802.11a/h) radio to avoid interference with the radar signals. Radios configured for use in a regulatory domain must not interfere with radar systems.
In normal DFS, when a radar signal is detected on any of the channels in the 40-MHz or 80-MHz bandwidth, the whole channel is blocked. With Flex DFS, if radar signals are not detected on the secondary channel, the AP is moved to the secondary channel with a reduction in bandwidth, usually by half.


Information About Channel Availability Check (CAC)
When a DFS channel is selected for an AP radio, the AP radio scans the channel to check for any radar signals before transmitting any frames in the DFS frequency. This process is called Channel Availability Check (CAC).
Note: CAC is executed before you set a DFS channel for the radio. If the AP detects that a radar is using a specific DFS channel, the AP marks the channel as non-available and excludes it from the list of available channels. This state lasts for 30 minutes, after which the AP checks again to see if the channel can be used for Wi-Fi transmissions.
Note: The CAC performed during a boot process takes anywhere between 1 and 10 minutes, depending on the country. This is why the DFS channels are not available immediately when an AP reboots.
Verifying DFS

Use the following commands to verify the DFS configuration:

To display the 802.11h configuration, use the following command:
Device# show wireless dot11h

To display the auto-RF information for the 802.11h configuration, use the following command:
Device# show ap auto-rf dot11 5ghz

To display the auto-RF information for a Cisco AP, use the following command:
Device# show ap name ap1 auto-rf dot11 5ghz

To display the channel details for a Cisco AP, use the following command:
Device# show ap dot11 5ghz summary
AP Name               Mac Address     Slot  Admin State  Oper State  Width  Txpwr          Channel
-----------------------------------------------------------------------------------------------
pnp-ap                04eb.409e.b560  1     Enabled      Up          40     *8/8 (3 dBm)   (52,56)
BLDG1-9130-RACK-1568  04eb.409f.11a0  1     Disabled     Down        40     4/8 (15 dBm)   (100,104)#

Note: In the show command output, # is added right next to the channel whenever CAC is running on an AP radio.
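The following parser is an added example, not part of the Cisco guide. It reads the show ap dot11 5ghz summary table shown above, records which radios currently carry the trailing # (CAC running) and which are on DFS channels, and also accepts the optional Mode column that the same command prints in the tri-radio verification later in this document. The sample table is constructed after the page's rows; the DFS range (5-GHz channels 52 through 144) is a general regulatory fact and is the only assumption beyond the page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One row of "show ap dot11 5ghz summary". The channel list is printed in
# parentheses, optionally followed by '*' and by '#' when CAC is running,
# and optionally by a Mode column (present in the tri-radio output).
ROW_RE = re.compile(
    r"^(?P<ap>\S+)\s+"
    r"(?P<mac>\S{4}\.\S{4}\.\S{4})\s+"
    r"(?P<slot>\d+)\s+"
    r"(?P<admin>Enabled|Disabled)\s+"
    r"(?P<oper>Up|Down)\s+"
    r"(?P<width>\d+)\s+"
    r"(?P<txpwr>\*?\d+/\d+ \(-?\d+ dBm\))\s+"
    r"\((?P<channels>\d+(?:,\d+)*)\)\*?"   # bonded channel list, optional '*'
    r"(?P<cac>#?)"                          # '#' = CAC in progress on this radio
    r"(?:\s+(?P<mode>\S+))?\s*$"            # optional Mode column
)


@dataclass
class RadioRow:
    ap: str
    mac: str
    slot: int
    admin_up: bool
    oper_up: bool
    width_mhz: int
    txpwr: str
    channels: List[int]
    cac_running: bool
    mode: Optional[str] = None


def is_dfs_channel(ch: int) -> bool:
    """5-GHz channels 52-144 (UNII-2 / UNII-2 Extended) require DFS radar
    detection in most regulatory domains; channels 36-48 and 149+ do not."""
    return 52 <= ch <= 144


def parse_dot11_summary(text: str) -> List[RadioRow]:
    """Parse the summary table; the prompt, header and separator lines do
    not match the row pattern and are skipped."""
    rows: List[RadioRow] = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        rows.append(RadioRow(
            ap=m["ap"], mac=m["mac"], slot=int(m["slot"]),
            admin_up=m["admin"] == "Enabled", oper_up=m["oper"] == "Up",
            width_mhz=int(m["width"]), txpwr=m["txpwr"],
            channels=[int(c) for c in m["channels"].split(",")],
            cac_running=m["cac"] == "#", mode=m["mode"]))
    return rows


def radios_in_cac(rows: List[RadioRow]) -> List[Tuple[str, int]]:
    """Radios that are still scanning for radar and cannot serve clients yet."""
    return [(r.ap, r.slot) for r in rows if r.cac_running]


def radios_on_dfs(rows: List[RadioRow]) -> List[Tuple[str, int]]:
    """Radios whose bonded channel set includes at least one DFS channel."""
    return [(r.ap, r.slot) for r in rows if any(is_dfs_channel(c) for c in r.channels)]


# Constructed sample modelled on the page's output (not a real capture);
# the third row uses the tri-radio layout with a Mode column.
SAMPLE_SUMMARY = """\
Device# show ap dot11 5ghz summary
AP Name               Mac Address     Slot  Admin State  Oper State  Width  Txpwr          Channel     Mode
---------------------------------------------------------------------------------------------------------
pnp-ap                04eb.409e.b560  1     Enabled      Up          40     *8/8 (3 dBm)   (52,56)     Local
BLDG1-9130-RACK-1568  04eb.409f.11a0  1     Disabled     Down        40     4/8 (15 dBm)   (100,104)#
APXXXX.4XXX.04XX      04XX.40XX.8XXX  2     Enabled      Up          20     *8/8 (1 dBm)   (36)*       Local
"""

if __name__ == "__main__":
    parsed = parse_dot11_summary(SAMPLE_SUMMARY)
    print("CAC running on:", radios_in_cac(parsed))
    print("On DFS channels:", radios_on_dfs(parsed))
```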


CHAPTER 49

Cisco Access Points with Tri-Radio

· Cisco Access Points with Tri-Radio, on page 459
· Guidelines and Restrictions for Tri-Radio Access Points, on page 461
· Configuring Tri-Radio, on page 461
Cisco Access Points with Tri-Radio
This topic describes the Tri-Radio feature for Cisco Access Points (APs). Access Points with three radios are designed for high density environments. The APs by default run one dedicated 2.4-GHz 4x4 mode radio and one 5-GHz 8x8 mode radio. In the default mode, the radios are managed by the Flexible Radio Assignment (FRA), and the Dual Radio Mode is in the disabled state indicating that the radios have either been assigned as client serving 8x8 radio or have not yet been evaluated by FRA. When you enable the dual radio mode setting, the 8x8 radio is split to two independent 5-GHz 4x4 radios. In this mode, slot 1 and slot 2 are active independent 4x4 radio interfaces. They can serve different user groups with different assigned channels.

Note To disable the dual radio mode, you must first disable the admin status of the subordinate radio. Otherwise, a warning message is displayed.

A tri-radio AP has up to two configurable 5-GHz radios. The following table describes the radio roles and their deployment benefits:
Table 21: 5-GHz Radio Operational Modes and Criteria

Radio 1 role: 8x8 Client-Serving; Radio 2 role: None
Driving factors:
· Preferred operation: 160 MHz or 80 + 80 MHz
· Higher MU-MIMO stations
· Required higher number of Spatial Streams (SS)

Radio 1 role: 4x4 Client-Serving; Radio 2 role: 4x4 Client-Serving
Driving factors:
· Preferred operation: 80 MHz or below
· High capacity in low or medium density
· Directional antenna units (Coverage Slicing)

Radio 1 role: 4x4 Client-Serving; Radio 2 role: 4x4 Monitor
Driving factors:
· Preferred operation: 80 MHz or below
· Lower MU-MIMO stations
· Better channel reuse in high density
· Monitoring application requires 4x4 Rx

The following table lists the different radio modes and roles supported by the AP:

Table 22: Tri-Radio AP Radio Configuration

Setup 1
Radio Mode: 2.4-GHz + 5-GHz
Maximum Radio Capability: 2.4-GHz, 4 antennas, 4SS, and 20 MHz; 5-GHz, 8 antennas, 4SS, and 160 MHz
Dual Role Mode: Disabled

Setup 2
Radio Mode: 2.4-GHz + 5-GHz
Maximum Radio Capability: 2.4-GHz, 4 antennas, 4SS, and 20 MHz; 5-GHz, 8 antennas, 8SS, and 80 MHz
Dual Role Mode: Disabled

Setup 3
Radio Mode: 2.4-GHz + 5-GHz + 5-GHz
Maximum Radio Capability: 2.4-GHz, 4 antennas, 4SS, and 20 MHz; 5-GHz, 4 antennas, 4SS, and 80 MHz; 5-GHz, 4 antennas, 4SS, and 80 MHz
Dual Role Mode: Enabled

In the Cisco IOS XE 17.2.1 Release, FRA manages the role assignment for each radio independently. You can set the radio mode as automatic or manual, and select either the Client-Serving role or the Monitor role as the radio role. Based on the dual radio mode configuration, the role selection is available for one or for both interfaces.
Guidelines and Restrictions for Tri-Radio Access Points

· Dual radio mode is set to Auto by default. FRA manages the dual radio mode in Auto mode.
· Tri-radio support for APs with external antennas is as follows:
  · RP-TNC antennas are supported on Cisco Catalyst 9130AX Series APs.
  · The C-ANT9101, C-ANT9102, and C-ANT9103 antennas on Cisco Catalyst 9130AX Series APs support 2 radios (2.4-GHz (4x4) and 5-GHz (8x8)). These antennas do not support two 5-GHz (4x4) radios due to a hardware limitation.

Configuring Tri-Radio

Configuring Tri-Radio for AP (GUI)

Procedure

Step 1
Choose Configuration > Radio Configurations > Network. The Network > 5 GHz Radios page is displayed.

Step 2
In the General tab, select the Tri-Radio Mode check box to enable the Tri-Radio mode.

Step 3
Click Apply.

Configuring the Tri-Radio (CLI)

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: [no] ap tri-radio
Example:
Device(config)# ap tri-radio
Purpose: Configures the dual radio role of all supporting tri-radio APs in auto mode. Use the no form of the command to disable the feature.


Configuring 5-GHz Dual Radio Mode for AP (GUI)

Procedure

Step 1
Choose Configuration > Wireless > Access Points.

Step 2
On the Access Points page, click the 5 GHz Radios section and select a Cisco 9130 Series AP from the list. The Edit Radios 5 GHz Band window is displayed.

Step 3
In the Edit Radios 5-GHz Band > Configure > General tab, under Dual Radio Mode, select one of the following radio button options:
· Auto: Permits FRA to decide the mode for this AP.
· Enabled: Enables Dual Radio mode for this AP.
· Disabled: Disables Dual Radio mode for this AP.

Step 4
Click Update & Apply to Device.

Configuring the Dual Radio Mode and Enabling Slots (CLI)

Procedure

Step 1
Command or Action: ap name ap-name dot11 5ghz slot {1 | 2} shutdown
Example:
Device# ap name ap-name dot11 5ghz slot 1 shutdown
Purpose: (Optional) Disables the 802.11a radio on the Cisco AP.

Step 2
Command or Action: ap name ap-name dot11 5ghz slot 1 dual-radio mode {disable | enable | auto}
Example:
Device# ap name ap-name dot11 5ghz slot 1 dual-radio mode enable
Purpose: Configures the 802.11a dual and tri-radio on the AP. Enable auto to allow RRM to switch the AP between dual radio or tri radio mode based on the channel width configuration. In auto mode, the slot 2 state is managed by the RRM. Use the disable keyword to disable the dual-radio.
Note: When the AP is set to auto mode, the dual radio mode is disabled by default.

Step 3
Command or Action: ap name ap-name no dot11 5ghz slot {1 | 2} shutdown
Example:
Device# ap name ap-name no dot11 5ghz slot 1 shutdown
Purpose: Enables the 802.11a radio on the Cisco AP.


Setting Radio Roles for Slots

The following section is applicable only if FRA is enabled.

Procedure

Step 1
Command or Action: ap name ap-name dot11 {24ghz | 5ghz} shutdown
Example:
Device# ap name ap-name dot11 5ghz shutdown
Purpose: Disables the radio on the AP.

Step 2
Command or Action: ap name ap-name dot11 {24ghz | 5ghz} slot slot-id radio role {auto | manual {monitor | client-serving}}
Example:
Device# ap name ap-name dot11 5ghz slot 2 radio role manual monitor
Purpose: Sets the radio role manually to either client-serving or monitor.

Step 3
Command or Action: ap name ap-name no dot11 {24ghz | 5ghz} shutdown
Example:
Device# ap name ap-name no dot11 5ghz shutdown
Purpose: Enables the radio on the AP.
Note: The RRM dynamic channel allocation (DCA) algorithm changes the radio role for slot2 and the standby 5-GHz radio to monitor mode if:
· The metric for the standby channel is not exhaustive (or)
· The available channel is not suitable for the standby 5-GHz radio
The standby 5-GHz radio and slot2 role changes to client-serving mode once the DCA is able to locate a suitable channel for slot2 or the metric for the channel is suitable.


Configuring the Tri-Radio Dual Radio Role (CLI)

Procedure

Step 1
Command or Action: ap name ap-name dot11 5ghz slot {1 | 2} radio role {auto | manual {client-serving | monitor}}
Example:
Device# ap name 9130axtrial dot11 5ghz slot 1 radio role manual monitor
Purpose: Configures the 802.11a radio role independently for each supporting AP's radio. The channel and the Tx power values can be configured when the radio role is set to manual mode.

Step 2
Command or Action: ap name ap-name dot11 24ghz slot 0 radio role {auto | manual {client-serving | monitor}}
Example:
Device# ap name 9130axtrial dot11 24ghz slot 0 radio role manual client-serving
Purpose: Configures the 802.11b radio role independently for the supporting AP's radio.

Verifying Tri-Radio Configuration on the Controller

To verify that the dual radio mode is enabled, use the following show command:

· Device# show ap name APXXXX.4XXX.04XX config slot 1 | inc Dual
Dual Radio Capable                    : True
Dual Radio Mode                       : Enabled
Dual Radio Operation mode             : Auto

To verify that the slots are enabled and up, use the following show commands:

· Device# show ap triradio summary
AP Name             Mac Address     Slot  Admin State  Oper State
------------------------------------------------------------------
APXXXX.4XXX.04XX    04eb.409e.89c0  2     Enabled      Up

· Device# show ap dot11 5ghz summary
AP Name             Mac Address     Slot  Admin State  Oper State  Width  Txpwr          Channel  Mode
-----------------------------------------------------------------------------------------------------
APXXXX.4XXX.04XX    04XX.40XX.8XXX  1     Enabled      Up          20     *5/8 (14 dBm)  (36)*    Local
APXXXX.4XXX.04XX    04XX.40XX.8XXX  2     Enabled      Up          20     *8/8 (1 dBm)   (36)*

To verify that the radio role is set, use the following show command:

· show ap name ap-name config slot <slot_number> | i Radio
Radio Type                            : 802.11ax - 5 GHz
Radio Subband                         : All
Radio Role                            : Auto
Radio Mode                            : Local
Radio SubType                         : Main


CHAPTER 50

Cisco DNA Center Assurance Wi-Fi 6 Dashboard

· Cisco DNA Center Assurance Wi-Fi 6 Dashboard, on page 465
· Configuring Cisco DNA Center Assurance Wi-Fi 6 Dashboard Parameters (CLI), on page 466
· Verifying AP DFS Counters (CLI), on page 467
· Verifying Wi-Fi 6 Access Point Parameters, on page 468
Cisco DNA Center Assurance Wi-Fi 6 Dashboard
Note: We recommend that you manage this feature using the Cisco DNA Center UI. The procedures below are to be executed for debugging purposes only.
The Cisco DNA Center Assurance Wi-Fi 6 Dashboard provides a visual representation of your wireless network. The dashboard contains various dashlets which show you the Wi-Fi 6 Readiness, and the efficiency of the Wi-Fi 6 networks compared to non-Wi-Fi 6 networks. For more information, see the Monitor Wi-Fi 6 Readiness section in the Cisco DNA Assurance User Guide.
· Client Distribution by Capability: This dashlet shows all the associated clients and their capability in the wireless network. The inner circle shows the wireless protocol capabilities of all the different clients in the network. Capability here is the ability of wireless clients to associate with Wi-Fi 6 APs or non-Wi-Fi 6 APs. The outer arc segment shows how many 802.11ax-capable clients are joined to a Wi-Fi 6 network, and how many of them are not.
· Wi-Fi 6 Network Readiness: This dashlet shows all the APs in the network. The inner circle shows which APs are Wi-Fi 6 APs and which are non-Wi-Fi 6 APs. The outer arc segment shows the number of Wi-Fi 6 enabled APs in the network.
· AP Distribution by Protocol: This dashlet shows the protocols enabled on your APs in real time.
· Wireless Airtime Efficiency: This dashlet compares and displays the airtime efficiency between your Wi-Fi 6 network and non-Wi-Fi 6 network for each of the access categories (voice, video, best effort, background). The spectrum is efficiently utilized if the AP's radios can send more traffic (successful bytes transmitted to the client) in less airtime (microseconds) than other networks under similar RF conditions.
· Wireless Latency by Client Count: This dashlet compares the wireless latency between your Wi-Fi 6 and non-Wi-Fi 6 network for each of the access categories (voice, video, best effort, background).

Wireless latency is measured as the time (in microseconds) it takes for a packet to be successfully transmitted from an AP to the client. Hence, AP radios with a higher client count generally have higher latency than those with a lower client count under similar RF conditions.
Note Client count in this dashlet refers to the clients that are actively sending traffic for a given Access Category and are not just associated clients.

Configuring Cisco DNA Center Assurance Wi-Fi 6 Dashboard Parameters (CLI)

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: ap profile profile-name
Example:
Device(config)# ap profile pp-1
Purpose: Enables configuration for all the APs that are associated with the specified AP profile name.

Step 3
Command or Action: statistics traffic-distribution
Example:
Device(config-ap-profile)# statistics traffic-distribution
Purpose: Enables the traffic distribution feature for the specified AP profile.

Step 4
Command or Action: statistics traffic-distribution interval interval-secs
Example:
Device(config-ap-profile)# statistics traffic-distribution interval 300
Purpose: Configures the interval at which the AP sends the traffic distribution statistics. The default value is 300 seconds. The valid range is between 30 and 3600 seconds.
Note: Execute this command only with the assistance of a Cisco Technical Assistance Center (TAC) support engineer.

Step 5
Command or Action: end
Example:
Device(config-ap-profile)# end
Purpose: Returns to privileged EXEC mode.

Step 6
Command or Action: show wireless stats ap name ap-name traffic-distribution slot slot-id packet-count signal {average | good | poor} [last-received]
Example:
Device# show wireless stats ap name ff123a traffic-distribution slot 1 packet-count signal good
Purpose: Displays traffic distribution data by signal strength, if received from the AP in the latest statistics update interval. Use the last-received keyword to view the statistics received in any statistics update interval from the AP.

Step 7
Command or Action: show wireless stats ap name ap-name traffic-distribution slot slot-id airtime access-category {background | best-effort | video | voice} [last-received]
Example:
Device# show wireless stats ap name ff123a traffic-distribution slot 1 airtime access-category best-effort
Purpose: Displays the airtime efficiency data based on access category, if received from the AP in the latest statistics update interval. Use the last-received keyword to view the statistics received in any statistics update interval from the AP.

Step 8
Command or Action: show wireless stats ap name ap-name traffic-distribution slot slot-id airtime traffic-type {legacy | mu | ofdma | su} [last-received]
Example:
Device# show wireless stats ap name ff123a traffic-distribution slot 1 airtime traffic-type ofdma
Purpose: Displays the airtime efficiency data based on traffic type, if received from the AP in the latest statistics update interval. Use the last-received keyword to view the statistics received in any statistics update interval from the AP.

Step 9
Command or Action: show wireless stats ap name ap-name traffic-distribution slot slot-id latency access-category {background | best-effort | video | voice} [last-received]
Example:
Device# show wireless stats ap name ff123a traffic-distribution slot 1 latency access-category best-effort
Purpose: Displays wireless latency data based on access category, if received from the AP in the latest statistics update interval. Use the last-received keyword to view the statistics received in any statistics update interval from the AP.

Verifying AP DFS Counters (CLI)

Procedure

· To verify the DFS counter for the selected radio band, use the following command:
show ap auto-rf dot11 {24ghz | 5ghz | dual-band}
Example:
Device# show ap auto-rf dot11 dual-band

· To verify the DFS counter for the selected radio band of a specific AP, use the following command:
show ap name ap-name auto-rf dot11 {24ghz | dual-band}
Example:
Device# show ap name ff32a auto-rf dot11 dual-band


· To verify the DFS counter for the selected 5-GHz slot of a specific AP, use the following command: show ap name ap-name auto-rf dot11 5ghz slot slot-id
Example:
Device#show ap name ff32a auto-rf dot11 5ghz slot 1
Verifying Wi-Fi 6 Access Point Parameters

Enter these commands in the AP console.

· To verify the traffic distribution statistics configuration, use the following command: show ap traffic distribution configuration
· To verify the exported data from the AP to the controller, use the following command: show interfaces dot11Radio slot-id traffic distribution {cumulative | instantaneous | periodic} database
· To verify Access Point DFS counters, use the following command: show interfaces dot11radio slot-id dfs
· To debug the traffic distribution statistics, use the following command: {no} debug traffic wireless distribution dump {periodic | aggregated}
· To clear the traffic distribution dump, use the following command: clear traffic distribution dump


CHAPTER 51

Antenna Disconnection Detection

· Feature History for Antenna Disconnection Detection, on page 469
· Information About Antenna Disconnection Detection, on page 469
· Recommendations and Limitations, on page 470
· Configuring Antenna Disconnection Detection (CLI), on page 470
· Configuring Antenna Disconnection Detection (GUI), on page 471
· Detecting Broken Antenna Using SNMP Trap (CLI), on page 472
· Detecting Broken Antenna Using SNMP Trap (GUI), on page 472
· Verifying Antenna Disconnection Detection, on page 473
· Verifying Antenna Disconnection Detection (GUI), on page 474

Feature History for Antenna Disconnection Detection

This table provides release and related information for the features explained in this module. These features are available in all releases subsequent to the one they were introduced in, unless noted otherwise.

Release: Cisco IOS XE Bengaluru 17.4.1
Feature: Antenna Disconnection Detection
Feature Information: This feature detects the signal strength delta across the antennas on the receiver. If the delta is more than the defined limit for a specific duration, the corresponding antenna is considered to have issues.

Information About Antenna Disconnection Detection
Having multiple antennas on the transmitter and receiver of an access point (AP) results in better performance and reliability. Multiple antennas improve reception through the selection of the stronger signal or a combination of individual signals at the receiver. Therefore, detection of an impaired antenna or physical breakage of an antenna is critical to the reliability of APs.
The Antenna Disconnection Detection feature is based on the signal strength delta across the antennas on the receiver. If the delta is more than the defined limit for a specific duration, the antenna is considered to have issues.


For every detection time period that you configure, the AP sends an Inter-Access Point Protocol (IAPP) message that carries the antenna condition. This message is sent only once when the issue is detected and is displayed in the controller trap messages, SNMP traps, and controller debug logs.
Configuration Workflow
1. Configure APs.
2. Configure an AP profile.
3. Enable the feature in the AP profile.
4. Configure feature parameters.
5. Verify the configuration.

Recommendations and Limitations
· The feature is supported only on the following APs:
  · Cisco Catalyst 9120AX Series Access Points
  · Cisco Catalyst 9130AX Series Access Points
  · Cisco Aironet 2800e Access Points
  · Cisco Aironet 3800e Access Points
· The SNMP trap is not supported on the Cisco Embedded Wireless Controller.
· The IAPP message is sent only when there is a change in the error condition.

Configuring Antenna Disconnection Detection (CLI)
Antenna disconnection detection works by comparing the received signal strength intensity (RSSI) of each antenna with the antenna receiving the higher RSSI. If the delta is higher than the RSSI failure threshold, the corresponding antenna is declared as broken.
The weak-rssi is an absolute RSSI threshold value, expressed in dBm. If the antennas detect a lower RSSI value than the one configured in weak-rssi, all the antennas are reported as malfunctioning. The RSSI failure threshold is evaluated only if an antenna detects a signal over the weak-rssi value.
Follow the procedure given below to configure antenna disconnection detection:

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: ap profile ap-profile
Example:
Device(config)# ap profile xyz-ap-profile
Purpose: Configures an AP profile and enters AP profile configuration mode.

Step 3
Command or Action: antenna monitoring
Example:
Device(config-ap-profile)# antenna monitoring
Purpose: Enables antenna disconnection detection. To disable antenna disconnection detection, use the no antenna monitoring command.

Step 4
Command or Action: antenna monitoring rssi-failure-threshold threshold-value
Example:
Device(config-ap-profile)# antenna monitoring rssi-failure-threshold 20
Purpose: Configures the RSSI failure threshold value, in dB. Valid values range from 10 to 90, with a default of 40.

Step 5
Command or Action: antenna monitoring weak-rssi weak-rssi-value
Example:
Device(config-ap-profile)# antenna monitoring weak-rssi -90
Purpose: Configures the weak RSSI value, in dBm. Valid values range from -90 to -10, with a default of 60.

Step 6
Command or Action: antenna monitoring detection-time detect-time-in-mins
Example:
Device(config-ap-profile)# antenna monitoring detection-time 20
Purpose: Configures the antenna disconnection detection time, in minutes. Valid values range from 9 to 180, with a default of 120.

Step 7
Command or Action: end
Example:
Device(config-ap-profile)# end
Purpose: Saves the configuration and returns to privileged EXEC mode.
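The detection rule described in this section (per-antenna RSSI delta against the strongest antenna, gated by the absolute weak-rssi floor and held for detection-time), worked through as an added illustration that is not Cisco code. The class and function names are invented; the parameter values 40 dB, -80 dBm and 120 minutes are the ones shown in the verification output later in this chapter, and all antenna readings are constructed.

```python
"""Model of antenna disconnection detection as this chapter describes it.
Added illustration, not Cisco code; names and sample readings are constructed.
A report is emitted only when the set of broken antennas changes, matching
what the chapter says about the IAPP message."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class AntennaMonitorConfig:
    # Values as seen in the show output of this chapter; units follow the CLI.
    rssi_failure_threshold: int = 40   # dB,  antenna monitoring rssi-failure-threshold
    weak_rssi: int = -80               # dBm, antenna monitoring weak-rssi
    detection_time: int = 120          # min, antenna monitoring detection-time


def evaluate(readings: Dict[str, int], cfg: AntennaMonitorConfig) -> Dict[str, bool]:
    """Return {antenna: suspect} for one set of per-antenna RSSI samples in dBm."""
    if not readings:
        raise ValueError("no antenna readings")
    strongest = max(readings.values())
    # The delta rule is evaluated only if some antenna hears a signal above
    # weak-rssi; otherwise every antenna is reported as malfunctioning.
    if strongest <= cfg.weak_rssi:
        return {ant: True for ant in readings}
    # An antenna is suspect when it is more than the threshold below the strongest.
    return {ant: (strongest - rssi) > cfg.rssi_failure_threshold
            for ant, rssi in readings.items()}


class AntennaMonitor:
    """Tracks how long each antenna has been suspect and reports transitions."""

    def __init__(self, cfg: AntennaMonitorConfig) -> None:
        self.cfg = cfg
        self.suspect_since: Dict[str, int] = {}   # antenna -> minute first seen suspect
        self.reported: frozenset = frozenset()     # antennas last reported as broken
        self.events: List[dict] = []

    def observe(self, minute: int, readings: Dict[str, int]) -> Optional[dict]:
        """Feed one sample taken at `minute`; return a report only on a change."""
        broken = set()
        for ant, suspect in evaluate(readings, self.cfg).items():
            if not suspect:
                self.suspect_since.pop(ant, None)   # condition cleared, restart clock
                continue
            first = self.suspect_since.setdefault(ant, minute)
            if minute - first >= self.cfg.detection_time:
                broken.add(ant)
        broken = frozenset(broken)
        if broken == self.reported:
            return None                             # no change, no message
        self.reported = broken
        event = {"minute": minute, "broken_antennas": sorted(broken)}
        self.events.append(event)
        return event


def run_scenario(cfg: Optional[AntennaMonitorConfig] = None) -> List[dict]:
    """Constructed four-antenna timeline: antenna c sits about 50 dB below the
    others for three hours, then recovers. Returns the reports that would be sent."""
    monitor = AntennaMonitor(cfg or AntennaMonitorConfig())
    timeline = [
        (0,   {"a": -45, "b": -47, "c": -95, "d": -50}),   # c suspect, clock starts
        (60,  {"a": -46, "b": -47, "c": -96, "d": -49}),   # 60 min < detection-time
        (120, {"a": -45, "b": -48, "c": -95, "d": -50}),   # 120 min reached: report
        (180, {"a": -45, "b": -47, "c": -97, "d": -50}),   # unchanged: silent
        (240, {"a": -46, "b": -48, "c": -52, "d": -51}),   # c recovers: report clear
    ]
    for minute, readings in timeline:
        monitor.observe(minute, readings)
    return monitor.events


if __name__ == "__main__":
    for report in run_scenario():
        print(report)
```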

Configuring Antenna Disconnection Detection (GUI)

Procedure

Step 1 Choose Configuration > Tags & Profiles > AP Join.
Step 2 In the AP Join Profile window, click the General tab.
Step 3 Check the Antenna Monitoring check box to enable antenna monitoring.
Step 4 In the RSSI Fail Threshold(dB) field, enter a value, in dB. Valid values range from 10 to 90, with a default of 40.
Step 5 In the Weak RSSI(dBm) field, enter a value, in dBm. Valid values range from -90 to -10, with a default of 60.
Step 6 In the Detection Time(min) field, enter the antenna disconnection detection time, in minutes. Valid values range from 9 to 180, with a default of 120.
Step 7 Click Update & Apply to Device.

Detecting Broken Antenna Using SNMP Trap (CLI)

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: snmp-server enable traps
Example:
Device(config)# snmp-server enable traps
Purpose: Enables all the SNMP notification types that are available on the system.

Step 3
Command or Action: trapflags ap broken-antenna
Example:
Device(config)# trapflags ap broken-antenna
Purpose: Enables an SNMP trap, which will be sent when an antenna fails in any Cisco AP.

Step 4
Command or Action: end
Example:
Device(config)# end
Purpose: Returns to privileged EXEC mode.

Detecting Broken Antenna Using SNMP Trap (GUI)

Procedure

Step 1 Choose Administration > Management > SNMP.
Step 2 Click the Wireless Traps tab.
Step 3 Set the Access Point status as Enabled, if not done already.
Step 4 Check the Broken Antenna check box to enable the trap.
Step 5 Click Apply.

Verifying Antenna Disconnection Detection

To verify the Antenna Disconnection Detection feature configuration on an AP, use the following command:
Device# show ap name 3800-AP config general

Cisco AP Name: 3800-AP
=================================================
Cisco AP Identifier                  : f4db.e632.df40
Country Code                         : Multiple Countries : US,IN,CN,CU
Regulatory Domain Allowed by Country : 802.11bg:-ACE 802.11a:-ABCDHN
AP Country Code                      : CN - China
AP Regulatory Domain
  Slot 0                             : -E
  Slot 1                             : -C
MAC Address                          : f4db.e62f.165a
IP Address Configuration             : DHCP
IP Address                           : 9.9.33.3
IP Netmask                           : 255.255.255.0
Gateway IP Address                   : 9.9.33.1
Fallback IP Address Being Used       :
Domain Name Server                   :
CAPWAP Path MTU                      : 1485
Capwap Active Window Size            : 1
. . .
AP broken antenna detection          : Enabled
  RSSI threshold                     : 40
  Weak RSSI                          : -80
  Detection Time                     : 120
. . .

To verify the Antenna Disconnection Detection feature configuration on an AP profile, use the following command:
Device# show ap profile name rf-profile-24g detailed

AP Profile Name: rf-profile-24g
. . .
AP broken antenna detection:
  Status                             : ENABLED
  RSSI threshold                     : 40
  Weak RSSI                          : -80
  Detection Time                     : 120

Verifying Antenna Disconnection Detection (GUI)

Procedure

Step 1 Choose Monitoring > Wireless > AP Statistics.
Step 2 Click an AP name, or anywhere on the row corresponding to an AP, to open the General window.
Step 3 Click the 360 View tab. The 360 View tab is the default selection. The Antenna Monitoring field indicates whether the AP supports monitoring or not.


CHAPTER 52
Neighbor Discovery Protocol Mode on Access Points
· Information About Neighbor Discovery Protocol Mode, on page 475
· Configuring RRM Neighbor Discovery Mode (GUI), on page 476
· Configuring the Neighbor Discovery Protocol Mode (CLI), on page 476
· Configuring Neighbor Discovery Protocol Mode in the RF Profile (GUI), on page 477
· Configuring Neighbor Discovery Protocol Mode in the RF Profile (CLI), on page 477
· Monitoring Radio Statistics-NDP Capability and NDP Mode (GUI), on page 478
· Verifying Neighbor Discovery Protocol Mode, on page 479
Information About Neighbor Discovery Protocol Mode
In Cisco Catalyst 9124AX outdoor Access Points, the Neighbor Discovery Protocol (NDP) packets are transmitted either ON-channel on the serving radio, or OFF-channel on the RF ASIC conventional radio. The controller has a knob to select the NDP mode for Cisco Catalyst 9124AX outdoor APs based on the deployment requirements. In Cisco IOS XE Bengaluru 17.5.1, Cisco Catalyst 9124AX outdoor APs support both ON-Channel and OFF-Channel NDP mode. The Cisco Catalyst 9124AX outdoor AP advertises the following NDP mode capabilities while joining the controller:
· ON-Channel (Serving channel) · OFF-Channel (RF ASIC radio) · Both (Serving channel and RF ASIC radio)
The supported values for NDP mode are AUTO and OFF-Channel. By default, the NDP mode is set to AUTO. If the configured NDP mode is AUTO, the AP determines which NDP mode is to be used. The Cisco Catalyst 9124AX outdoor AP uses ON-Channel when the controller is configured for AUTO NDP mode. If the NDP mode that is configured is OFF-Channel, the AP uses OFF-Channel for NDP mode.
Use Cases

You must configure the controller NDP mode to OFF-channel in order to support brownfield deployment. A brownfield deployment refers to the mixed deployment of Cisco Catalyst 9124AX with other APs that do not support RF ASIC conventional radio. APs that support RF ASIC conventional radio are Cisco Catalyst 9120 Series Access Points, Cisco Catalyst 9130 Series Access Points, and Cisco Catalyst 9124 Series Access Points.

Configuring RRM Neighbor Discovery Mode (GUI)

Procedure

Step 1 Choose Configuration > Radio Configurations > RRM.
Step 2 In the Radio Resource Management window, click either the 5 GHz Band or the 2.4 GHz Band tab.
Step 3 In the General tab, under the Noise/Interference/Rogue/CleanAir/SI Monitoring Channels section, click the RRM Neighbour Discovery Mode toggle button to configure either of the following modes:
· AUTO: If the NDP mode that is configured is AUTO, the controller selects ON-Channel as the NDP mode. (The default is set as AUTO.)
· OFF-CHANNEL: If the NDP mode configured is OFF-CHANNEL, the controller selects OFF-CHANNEL as the NDP mode.
Step 4 Click Apply.

Configuring the Neighbor Discovery Protocol Mode (CLI)

To configure the NDP mode for an AP, follow these steps:

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: ap dot11 {24ghz | 5ghz} rrm ndp-mode {auto | off-channel}
Example:
Device(config)# ap dot11 24ghz rrm ndp-mode off-channel
Purpose: Configures the operating mode for 802.11a neighbor discovery. The off-channel keyword enables NDP packets on the RF ASIC radio and the auto keyword enables the auto mode.

Configuring Neighbor Discovery Protocol Mode in the RF Profile (GUI)

Procedure

Step 1 Choose Configuration > Tags & Profiles > RF.
Step 2 Click Add. The Add RF Profile window is displayed.
Step 3 Click the General tab.
Step 4 Click the NDP Mode toggle button to select the NDP mode as AUTO or as OFF-CHANNEL.
Step 5 Click Apply to Device.

Configuring Neighbor Discovery Protocol Mode in the RF Profile (CLI)

To configure the NDP mode for an AP under the RF profile, follow these steps:

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: ap dot11 {24ghz | 5ghz} rf-profile rf-profile-name
Example:
Device(config)# ap dot11 24ghz rf-profile rf-profile-name
Purpose: Enters the RF profile configuration.

Step 3
Command or Action: ndp-mode {auto | off-channel}
Example:
Device(config-rf-profile)# ndp-mode off-channel
Purpose: Configures the operating mode for neighbor discovery. Off-channel enables NDP packets on the RF ASIC radio and auto enables the auto mode.

Monitoring Radio Statistics-NDP Capability and NDP Mode (GUI)

Procedure

Step 1 Choose Monitoring > Wireless > Radio Statistics.
Step 2 Click either the 5 GHz Radios, 2.4 GHz Radios, or Dual-Band Radios tab. The corresponding radio band window displays the list of configured APs.
Step 3 To view the general attributes of an AP, click the corresponding AP to display the General tab. The following information is displayed:
· AP Name: Displays the assigned identifier for the AP, which is unique within the network. The AP name can be ASCII characters from 32 to 126, without leading and trailing spaces.
· IP Address: Displays the IP address assigned to the AP in dotted-decimal format.
· AP Mode: Displays the configured AP mode. The supported modes are:
  · Local: It is the default mode, and it offers a basic service set (BSS) on a specific channel. When the AP does not transmit wireless client frames, it scans other channels to measure noise interference, discover rogue devices, and check for matches against Intrusion Detection System (IDS) events.
  · Monitor: An AP in monitor mode does not transmit. It is a dedicated sensor that checks IDS events, detects rogue APs, and determines the position of wireless stations.
  · Sniffer: The controller enables you to configure an AP as a network sniffer, which captures and forwards all the packets on a particular channel to a remote machine that runs packet analyser software. These packets contain information on time stamps, signal strength, packet sizes, and so on. Sniffers allow you to monitor and record network activity and detect problems.
  · Bridge: The AP becomes a dedicated point-to-point or point-to-multipoint bridge. Two APs in bridge mode can connect two remote sites. Multiple APs can also form an indoor or outdoor mesh. Note that you cannot connect to the bridge with clients.
  · Clear: Returns the AP back to client-serving mode depending on the remote site tag configuration.
· MAC Address: Displays the registered MAC address on the controller.
· Number of Slots: Displays the number of slots supported by the AP.
· Radio Type: Displays the radio band configured on the controller. By default, both 802.11b/g/n (2.4-GHz) and 802.11a/n/ac (5-GHz) bands are enabled.
· Slot ID: Displays the slot on which the radio is installed.
· Sub band Type: Displays the configured radio sub-band.
· NDP Capability: Displays the supported Neighbour Discovery Protocol (NDP) capability. The AP advertises the following NDP mode capabilities while joining the controller:
  · ON-Channel (Serving channel)
  · OFF-Channel (RHL radio)
  · Both (Serving channel and RHL radio)
  Note: Only Cisco Catalyst 9124AX outdoor Access Points support both ON-channel and OFF-channel NDP capability from Cisco IOS XE Bengaluru 17.5.1.
· NDP Mode: Displays the configured NDP mode. If the NDP mode that is configured is AUTO, the controller selects ON-Channel as the NDP mode. If the NDP mode that is configured is OFF-Channel, the controller selects OFF-Channel as the NDP mode.

Verifying Neighbor Discovery Protocol Mode

To verify the NDP mode, run the following commands:

Device# show ap rf-profile name test-24g
Description                          : test
RF Profile Name                      : test-24g
Band                                 : 2.4 GHz
Transmit Power Threshold v1          : -70 dBm
Min Transmit Power                   : -10 dBm
Max Transmit Power                   : 30 dBm
.
.
.
NDP mode                             : Auto
.
.
.

Device# show ap rf-profile name test-5g detail
Description                          : Test
RF Profile Name                      : test-5g
Band                                 : 5 GHz
Transmit Power Threshold v1          : -70 dBm
Min Transmit Power                   : -10 dBm
Max Transmit Power                   : 30 dBm
.
.
.
NDP mode                             : Off-channel
.
.
.

Device# show ap name ap-name config dot11 24ghz
Cisco AP Identifier                  : 3cxx.0exx.36xx
Cisco AP Name                        : Cisco-9105AXW-AP
Country Code                         : Multiple Countries: US,MK,J4,IN
Regulatory Domain Allowed by Country : 802.11bg:-AEJPQU 802.11a:-ABDEIJNPQU
AP Country Code                      : US - United States
AP Regulatory Domain                 : -A
MAC Address                          : 5cxx.0dxx.e0xx
IP Address Configuration             : DHCP
.
.
.
NDP mode                             : Off-channel
.
.
.

Device# show ap name ap-name config dot11 5ghz
Cisco AP Identifier                  : 3cxx.0exx.36xx
Cisco AP Name                        : Cisco-9105AXW-AP
Country Code                         : Multiple Countries: US,MK,J4,IN
Regulatory Domain Allowed by Country : 802.11bg:-AEJPQU 802.11a:-ABDEIJNPQU
AP Country Code                      : US - United States
AP Regulatory Domain                 : -B
MAC Address                          : 5cxx.0dxx.e0xx
IP Address Configuration             : DHCP
IP Address                           : Disabled
.
.
.
NDP mode                             : On-channel
.
.
.

Device# show ap dot11 24ghz monitor
Default 802.11b AP monitoring
802.11b Monitor Mode                 : Enabled
802.11b Monitor Channels             : Country channels
802.11b RRM Neighbor Discover Type   : Transparent
802.11b AP Coverage Interval         : 180 seconds
802.11b AP Load Interval             : 60 seconds
802.11b AP Measurement Interval      : 180 seconds
802.11b AP Reporting Interval        : 180 seconds
802.11b NDP RSSI Normalization       : Enabled
802.11b Neighbor Timeout factor      : 20
802.11b NDP mode                     : Auto

Device# show ap dot11 5ghz monitor
Default 802.11a AP monitoring
802.11a Monitor Mode                 : Enabled
802.11a Monitor Channels             : Country channels
802.11a RRM Neighbor Discover Type   : Transparent
802.11a AP Coverage Interval         : 180 seconds
802.11a AP Load Interval             : 60 seconds
802.11a AP Measurement Interval      : 180 seconds
802.11a AP Reporting Interval        : 180 seconds
802.11a NDP RSSI Normalization       : Enabled
802.11a Neighbor Timeout factor      : 20
802.11a NDP mode                     : Auto


PART V
Network Management
· AP Packet Capture, on page 483
· DHCP Option82, on page 487
· RADIUS Realm, on page 499
· RADIUS Accounting, on page 505
· RADIUS Call Station Identifier, on page 507
· RADIUS VSA, on page 509
· Cisco StadiumVision, on page 515
· Persistent SSID Broadcast, on page 519
· Network Monitoring, on page 521
· Creating a Lobby Ambassador Account, on page 525
· Lobby Ambassador Account, on page 529
· Guest User Accounts, on page 537

CHAPTER 53
AP Packet Capture
· Introduction to AP Client Packet Capture, on page 483
· Enabling Packet Capture (GUI), on page 483
· Enabling Packet Capture (CLI), on page 484
· Create AP Packet Capture Profile and Map to an AP Join Profile (GUI), on page 484
· Create AP Packet Capture Profile and Map to an AP Join Profile, on page 484
· Start or Stop Packet Capture, on page 485
Introduction to AP Client Packet Capture
The AP Client Packet Capture feature allows the packets on an AP to be captured for wireless client troubleshooting. The packet capture operation is performed on the AP by the radio drivers on the current channel on which it is operational, based on the specified packet capture filter. All the packets that are captured for a specific client are uploaded to a file in the FTP server. This file can be opened in Wireshark for packet inspection.
Limitations for AP Client Packet Capture
· The packet capture task can be performed for only one client at a time per site.
· Packet capture can be started on a specific AP or a set of APs using static mode. It can be started or stopped for the same client on different APs while the capture is in progress.
· When packet capture is started in auto mode, the system automatically selects the set of nearby APs to start packet capture for a specific client. In this mode, you cannot start or stop packet capture on individual APs. Use the stop all command to stop the packet capture when it is started in auto mode.
· After the SSO is complete, the packet capture action will not continue after a switchover.

Enabling Packet Capture (GUI)

Procedure

Step 1 Choose Troubleshooting > AP Packet Capture.
Step 2 On the Troubleshooting page, in the Start Packet Capture section, in the Client MAC Address field, enter the client's MAC address.
Step 3 From the Capture Mode options, choose Auto.
Step 4 Click Start.

Enabling Packet Capture (CLI)

Follow the procedure given below to enable packet capture:

Procedure

Step 1
Command or Action: enable
Example:
Device# enable
Purpose: Enters privileged EXEC mode.

Step 2
Command or Action: ap packet-capture start client-mac-address auto
Example:
Device# ap packet-capture start 0011.0011.0011 auto
Purpose: Enables packet capture for the specified client on a set of nearby access points.

Create AP Packet Capture Profile and Map to an AP Join Profile (GUI)

Procedure

Step 1 Click Configuration > Tags & Profiles > AP Join Profile.
Step 2 Click Add to create a new AP Join Profile and enter the requisite details.
Step 3 In the Add AP Join Profile area, click AP > Packet Capture.
Step 4 Click the Plus icon to create a new Packet Capture profile or select one from the drop-down menu.
Step 5 Click Save.

Create AP Packet Capture Profile and Map to an AP Join Profile

While packet capture profile configurations are used for an AP, the packet capture profile is mapped to an AP profile. The AP profile is in turn mapped to a site tag. While starting packet capture, APs use the packet capture profile configurations based on the site and AP join profile they belong to.

Follow the procedure given below to create an AP packet capture profile and map it to an AP join profile:

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wireless profile ap packet-capture packet-capture-profile-name
Example:
Device(config)# wireless profile ap packet-capture test1
Purpose: Configures an AP profile.

Step 3
Command or Action: ap profile profile-name
Example:
Device(config)# ap profile default-ap-profile
Purpose: Configures an AP packet capture profile.

Step 4
Command or Action: packet-capture profile-name
Example:
Device(config-ap-profile)# packet-capture capture-test
Purpose: Enables packet capture on the AP profile.

Step 5
Command or Action: end
Example:
Device(config-ap-profile)# end
Purpose: Exits the AP profile configuration mode.

Step 6
Command or Action: show wireless profile ap packet-capture detailed profile-name
Example:
Device# show wireless profile ap packet-capture detailed test1
Purpose: Displays detailed information of the selected AP packet capture profile.

Start or Stop Packet Capture

Perform either of these tasks to start or stop a packet capture procedure.

Procedure

Step 1
Command or Action: ap packet-capture start client-mac-address {auto | static ap-name}
Example:
Device# ap packet-capture start 0011.0011.0011 auto
Purpose: Enables packet capture for a client.

Step 2
Command or Action: ap packet-capture stop client-mac-address {all | static ap-name}
Example:
Device# ap packet-capture stop 0011.0011.0011 all
Purpose: Disables packet capture for a client.


CHAPTER 54
DHCP Option82
· Information About DHCP Option 82, on page 487
· Configuring DHCP Option 82 Global Interface, on page 489
· Configuring DHCP Option 82 Format, on page 491
· Configuring DHCP Option82 Through a VLAN Interface, on page 492
Information About DHCP Option 82
DHCP Option 82 is organized as a single DHCP option that contains information known by the relay agent. This feature provides additional security when DHCP is used to allocate network addresses, and enables the Cisco controller to act as a DHCP relay agent to prevent DHCP client requests from untrusted sources. The controller can be configured to add Option 82 information to DHCP requests from clients before forwarding the requests to a DHCP server. The DHCP server can then be configured to allocate IP addresses to the wireless client based on the information present in DHCP Option 82.

DHCP provides a framework for passing configuration information to hosts on a TCP/IP network. Configuration parameters and other control information are carried in tagged data items that are stored in the Options field of the DHCP message. The data items themselves are also called options.

Option 82 contains information known by the relay agent. The Relay Agent Information option is organized as a single DHCP option that contains one or more suboptions that convey information known by the relay agent. Option 82 was designed to allow a DHCP Relay Agent to insert circuit-specific information into a request that is being forwarded to a DHCP server. This option works by setting two suboptions:
· Circuit ID
· Remote ID

The Circuit ID suboption includes information that is specific to the circuit the request came in on. This suboption is an identifier that is specific to the relay agent. Thus, the circuit that is described will vary depending on the relay agent.

The Remote ID suboption includes information on the remote host end of the circuit. This suboption usually contains information that identifies the relay agent. In a wireless network, this would likely be a unique identifier of the wireless access point.
Note: All valid Remote ID combinations are separated with a colon (:) as the delimiter.

You can configure the following DHCP Option 82 options in a controller:
· DHCP Enable
· DHCP Opt82 Enable
· DHCP Opt82 Ascii
· DHCP Opt82 RID
· DHCP Opt Format
· DHCP AP MAC
· DHCP SSID
· DHCP AP ETH MAC
· DHCP AP NAME
· DHCP Site Tag
· DHCP AP Location
· DHCP VLAN ID

Note: The controller includes the SSID in ASCII and the VLAN-ID in hexadecimal format within the remote-ID sub-option of option 82 in the outgoing DHCP packets to the server for the following configurations:
ipv4 dhcp opt82 format ssid
ipv4 dhcp opt82 format vlan-id
However, if the ipv4 dhcp opt82 ascii configuration is also present, the controller adds VLAN-ID and SSID in ASCII format.

For Cisco Catalyst 9800 Series Configuration Best Practices, see the following link: https://www.cisco.com/c/en/us/products/collateral/wireless/catalyst-9800-series-wireless-controllers/guide-c07-743627.html
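The Option 82 layout described above (RFC 3046 Relay Agent Information with Circuit ID and Remote ID suboptions, plus the link-selection and server-override suboptions that the following CLI procedures configure), built and parsed as an added example that is not Cisco code. Function names are invented; suboption codes 1, 2, 5 and 11 are the IETF-assigned values, and the circuit identifier, AP MAC, SSID and addresses are constructed. The relay trust check models the "untrusted sources" point above: a request that already carries Option 82 before any relay hop is rejected.

```python
"""DHCP Option 82 (Relay Agent Information, RFC 3046): encode, decode, and
apply a relay-side trust rule. Added example, not Cisco code; all sample
identifiers and addresses are constructed."""
import ipaddress
from typing import Dict, List, Tuple

OPTION_RELAY_AGENT_INFO = 82
OPTION_PAD, OPTION_END = 0, 255

SUB_CIRCUIT_ID = 1           # RFC 3046
SUB_REMOTE_ID = 2            # RFC 3046
SUB_LINK_SELECTION = 5       # RFC 3527, the "standard" compatibility setting
SUB_SERVER_ID_OVERRIDE = 11  # RFC 5107, the "standard" compatibility setting


def _tlv(code: int, value: bytes) -> bytes:
    """One code/length/value element; both header fields are single bytes."""
    if not 0 <= code <= 255 or len(value) > 255:
        raise ValueError("code or length out of range")
    return bytes([code, len(value)]) + value


def build_option82(suboptions: List[Tuple[int, bytes]]) -> bytes:
    """Encode the suboptions as TLVs and wrap them in the Option 82 TLV."""
    return _tlv(OPTION_RELAY_AGENT_INFO, b"".join(_tlv(c, v) for c, v in suboptions))


def parse_options(field: bytes) -> List[Tuple[int, bytes]]:
    """Walk a DHCP options field (after the magic cookie) into (code, value)
    pairs, refusing truncated TLVs rather than silently reading short."""
    out, i = [], 0
    while i < len(field):
        code = field[i]
        if code == OPTION_END:
            break
        if code == OPTION_PAD:
            i += 1
            continue
        if i + 1 >= len(field):
            raise ValueError("truncated option header")
        length = field[i + 1]
        value = field[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {code}")
        out.append((code, value))
        i += 2 + length
    return out


def parse_option82(payload: bytes) -> Dict[int, bytes]:
    """Split an Option 82 payload into {suboption code: value}; truncated or
    duplicated suboptions are rejected."""
    subs, i = {}, 0
    while i < len(payload):
        if i + 1 >= len(payload):
            raise ValueError("truncated suboption header")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated suboption {code}")
        if code in subs:
            raise ValueError(f"duplicate suboption {code}")
        subs[code] = value
        i += 2 + length
    return subs


def option82_is_well_formed(payload: bytes) -> bool:
    """True when the payload parses as a clean sequence of suboptions."""
    try:
        parse_option82(payload)
        return True
    except ValueError:
        return False


def relay_decision(giaddr: str, options: bytes, from_trusted_relay: bool) -> str:
    """Relay-agent policy on an inbound request (RFC 3046 section 2.1.1): Option
    82 is legitimate only when a relay inserted it, so a request that already
    carries it while giaddr is still 0.0.0.0 and arrives from an untrusted
    source is dropped; a trusted downstream relay's option is forwarded intact."""
    has_82 = any(code == OPTION_RELAY_AGENT_INFO for code, _ in parse_options(options))
    if has_82 and int(ipaddress.IPv4Address(giaddr)) == 0 and not from_trusted_relay:
        return "drop: client-supplied relay information from untrusted source"
    if has_82:
        return "forward: relay information already present"
    return "forward: insert Option 82"


def example_option82() -> Dict[int, bytes]:
    """Build a constructed Option 82 as a wireless relay might populate it, run
    it through the generic options parser, and decode the suboptions."""
    raw = build_option82([
        (SUB_CIRCUIT_ID, b"vlan72"),                  # constructed circuit identifier
        (SUB_REMOTE_ID, b"0011.2233.4455:corp-wifi"),  # constructed AP MAC and SSID, ':' delimited
        (SUB_LINK_SELECTION, ipaddress.IPv4Address("10.20.30.0").packed),
        (SUB_SERVER_ID_OVERRIDE, ipaddress.IPv4Address("10.20.30.1").packed),
    ])
    options = dict(parse_options(raw + bytes([OPTION_END])))
    return parse_option82(options[OPTION_RELAY_AGENT_INFO])
```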

Configuring DHCP Option 82 Global Interface

Configuring DHCP Option 82 Globally Through Server Override (CLI)

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: ip dhcp-relay information option server-override
Example:
Device(config)# ip dhcp-relay information option server-override
Purpose: Inserts global server override and link selection suboptions.

Configuring DHCP Option 82 Through Server Override (CLI)

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: ip dhcp compatibility suboption server-override [cisco | standard]
Example:
Device(config)# ip dhcp compatibility suboption server-override cisco
Purpose: Configures the server override suboption to an RFC or Cisco specific value.

Step 3
Command or Action: ip dhcp compatibility suboption link-selection [cisco | standard]
Example:
Device(config)# ip dhcp compatibility suboption link-selection cisco
Purpose: Configures the link-selection suboption to an RFC or Cisco specific value.

Configuring DHCP Option 82 Globally Through Different SVIs (GUI)

Procedure

Step 1 Choose Configuration > VLAN.
Step 2 Choose a VLAN from the drop-down list. The Edit SVI window appears.
Step 3 Click the Advanced tab.
Step 4 Choose an option from the IPv4 Inbound ACL drop-down list.
Step 5 Choose an option from the IPv4 Outbound ACL drop-down list.
Step 6 Choose an option from the IPv6 Inbound ACL drop-down list.
Step 7 Choose an option from the IPv6 Outbound ACL drop-down list.
Step 8 Enter an IP address in the IPv4 Helper Address field.
Step 9 Set the status to Enabled if you want to enable the Relay Information Option setting.
Step 10 Enter the Subscriber ID.
Step 11 Set the status to Enabled if you want to enable the Server ID Override setting.
Step 12 Set the status to Enabled if you want to enable the Option Insert setting.
Step 13 Choose an option from the Source-Interface Vlan drop-down list.
Step 14 Click Update & Apply to Device.

Configuring DHCP Option 82 Globally Through Different SVIs (CLI)

Procedure

Step 1

configure terminal

Enters global configuration mode.

Example:

Device# configure terminal

Step 2

ip dhcp-relay source-interface vlan vlan-id

Sets the global source interface for relayed DHCP messages. The address of this SVI is used as the relay source for every SVI that does not configure its own source interface.

Example:

Device(config)# ip dhcp-relay source-interface vlan 74

Configuring DHCP Option 82 Format

Procedure

Step 1

configure terminal

Enters global configuration mode.

Example:

Device# configure terminal

Step 2

wireless profile policy policy-name

Enters configuration mode for the specified policy profile.

Example:

Device(config)# wireless profile policy pp3

Step 3

shutdown

Shuts down the policy profile so that it can be modified.

Example:

Device(config-wireless-policy)# shutdown

Step 4

vlan vlan-name

Assigns the policy profile to a VLAN.

Example:

Device(config-wireless-policy)# vlan 72

Step 5

session-timeout value-btwn-20-86400

(Optional) Sets the session timeout value in seconds. The range is 20 to 86400.

Example:

Device(config-wireless-policy)# session-timeout 300

Step 6

idle-timeout value-btwn-15-100000

(Optional) Sets the idle timeout value in seconds. The range is 15 to 100000.

Example:

Device(config-wireless-policy)# idle-timeout 15

Step 7

central switching

Enables central switching.

Example:

Device(config-wireless-policy)# central switching

Step 8

ipv4 dhcp opt82

Enables DHCP Option 82 for the wireless clients.

Example:

Device(config-wireless-policy)# ipv4 dhcp opt82

Step 9

ipv4 dhcp opt82 ascii

(Optional) Sends the DHCP Option 82 information in ASCII format instead of binary.

Example:

Device(config-wireless-policy)# ipv4 dhcp opt82 ascii

Step 10

ipv4 dhcp opt82 rid

(Optional) Adds the Cisco 2-byte Remote ID (RID) to the DHCP Option 82 information.

Example:

Device(config-wireless-policy)# ipv4 dhcp opt82 rid

Step 11

ipv4 dhcp opt82 format {ap_ethmac | ap_location | apmac | apname | policy_tag | ssid | vlan_id}

Selects which information (AP Ethernet MAC, AP location, AP MAC, AP name, policy tag, SSID, or VLAN ID) the controller inserts into DHCP Option 82 for clients on the corresponding AP. For information on the individual keywords, see the Cisco Catalyst 9800 Series Wireless Controller Command Reference.

Example:

Device(config-wireless-policy)# ipv4 dhcp opt82 format apmac

Step 12

no shutdown

Enables the policy profile.

Example:

Device(config-wireless-policy)# no shutdown

Configuring DHCP Option 82 Through a VLAN Interface

Configuring DHCP Option 82 Through Option-Insert Command (CLI)

Procedure

Step 1

configure terminal

Enters global configuration mode.

Example:

Device# configure terminal

Step 2

interface vlan vlan-id

Enters interface configuration mode for the VLAN interface (SVI).

Example:

Device(config)# interface vlan 72

Step 3

ip dhcp relay information option-insert

Inserts the relay agent information option (Option 82) into BOOTREQUEST messages relayed from this interface.

Example:

Device(config-if)# ip dhcp relay information option-insert

Step 4

ip address ip-address subnet-mask

Configures the IP address and mask of the SVI.

Example:

Device(config-if)# ip address 9.3.72.38 255.255.255.0

Step 5

ip helper-address ip-address

Configures the DHCP server address to which client UDP broadcasts received on this SVI are relayed.

Example:

Device(config-if)# ip helper-address 9.3.72.1

Step 6

[no] mop enabled

Disables the DEC Maintenance Operation Protocol (MOP) on the interface.

Example:

Device(config-if)# no mop enabled

Step 7

[no] mop sysid

Stops the interface from sending MOP periodic system ID messages.

Example:

Device(config-if)# no mop sysid

Configuring DHCP Option 82 Through the server-ID-override Command (CLI)

Procedure

Step 1

configure terminal

Enters global configuration mode.

Example:

Device# configure terminal

Step 2

ip dhcp compatibility suboption server-override cisco

Sets the server ID override suboption to the Cisco-proprietary code (152). Use the standard keyword instead for the RFC 5107 code (11). The DHCP server must be configured for the same code.

Example:

Device(config)# ip dhcp compatibility suboption server-override cisco

Step 3

ip dhcp compatibility suboption link-selection cisco

Sets the link selection suboption to the Cisco-proprietary code (150). Use the standard keyword instead for the RFC 3527 code (5). The DHCP server must be configured for the same code.

Example:

Device(config)# ip dhcp compatibility suboption link-selection cisco

Step 4

interface vlan vlan-id

Enters interface configuration mode for the VLAN interface (SVI).

Example:

Device(config)# interface vlan 72

Step 5

ip dhcp relay information option server-id-override

Inserts the server ID override and link selection suboptions into relayed requests from this interface.

Example:

Device(config-if)# ip dhcp relay information option server-id-override

Step 6

ip address ip-address subnet-mask

Configures the IP address and mask of the SVI.

Example:

Device(config-if)# ip address 9.3.72.38 255.255.255.0

Step 7

ip helper-address ip-address

Configures the DHCP server address to which client UDP broadcasts received on this SVI are relayed.

Example:

Device(config-if)# ip helper-address 9.3.72.1

Step 8

[no] mop enabled

Disables the DEC Maintenance Operation Protocol (MOP) on the interface.

Example:

Device(config-if)# no mop enabled

Step 9

[no] mop sysid

Stops the interface from sending MOP periodic system ID messages.

Example:

Device(config-if)# no mop sysid

Configuring DHCP Option 82 Through a Subscriber-ID (CLI)

Procedure

Step 1

configure terminal

Enters global configuration mode.

Example:

Device# configure terminal

Step 2

interface vlan vlan-id

Enters interface configuration mode for the VLAN interface (SVI).

Example:

Device(config)# interface vlan 72

Step 3

ip dhcp relay information option subscriber-id subscriber-id

Inserts the subscriber identifier suboption, carrying the configured string, into relayed requests from this interface.

Example:

Device(config-if)# ip dhcp relay information option subscriber-id test10

Step 4

ip address ip-address subnet-mask

Configures the IP address and mask of the SVI.

Example:

Device(config-if)# ip address 9.3.72.38 255.255.255.0

Step 5

ip helper-address ip-address

Configures the DHCP server address to which client UDP broadcasts received on this SVI are relayed.

Example:

Device(config-if)# ip helper-address 9.3.72.1

Step 6

[no] mop enabled

Disables the DEC Maintenance Operation Protocol (MOP) on the interface.

Example:

Device(config-if)# no mop enabled

Step 7

[no] mop sysid

Stops the interface from sending MOP periodic system ID messages.

Example:

Device(config-if)# no mop sysid

Configuring DHCP Option 82 Through server-ID-override and subscriber-ID Commands (CLI)

Procedure

Step 1

configure terminal

Enters global configuration mode.

Example:

Device# configure terminal

Step 2

interface vlan vlan-id

Enters interface configuration mode for the VLAN interface (SVI).

Example:

Device(config)# interface vlan 72

Step 3

ip dhcp relay information option server-id-override

Inserts the server ID override and link selection suboptions into relayed requests from this interface.

Example:

Device(config-if)# ip dhcp relay information option server-id-override

Step 4

ip dhcp relay information option subscriber-id subscriber-id

Inserts the subscriber identifier suboption, carrying the configured string.

Example:

Device(config-if)# ip dhcp relay information option subscriber-id test10

Step 5

ip address ip-address subnet-mask

Configures the IP address and mask of the SVI.

Example:

Device(config-if)# ip address 9.3.72.38 255.255.255.0

Step 6

ip helper-address ip-address

Configures the DHCP server address to which client UDP broadcasts received on this SVI are relayed.

Example:

Device(config-if)# ip helper-address 9.3.72.1

Step 7

[no] mop enabled

Disables the DEC Maintenance Operation Protocol (MOP) on the interface.

Example:

Device(config-if)# no mop enabled

Step 8

[no] mop sysid

Stops the interface from sending MOP periodic system ID messages.

Example:

Device(config-if)# no mop sysid

Configuring DHCP Option 82 Through Different SVIs (CLI)

Procedure

Step 1

configure terminal

Enters global configuration mode.

Example:

Device# configure terminal

Step 2

interface vlan vlan-id

Enters interface configuration mode for the VLAN interface (SVI).

Example:

Device(config)# interface vlan 72

Step 3

ip dhcp relay source-interface vlan vlan-id

Sets the source interface for DHCP messages relayed from this SVI. This interface-level setting overrides the global ip dhcp-relay source-interface setting for this interface.

Example:

Device(config-if)# ip dhcp relay source-interface vlan 74

Step 4

ip address ip-address subnet-mask

Configures the IP address and mask of the SVI.

Example:

Device(config-if)# ip address 9.3.72.38 255.255.255.0

Step 5

ip helper-address ip-address

Configures the DHCP server address to which client UDP broadcasts received on this SVI are relayed.

Example:

Device(config-if)# ip helper-address 9.3.72.1

Step 6

[no] mop enabled

Disables the DEC Maintenance Operation Protocol (MOP) on the interface.

Example:

Device(config-if)# no mop enabled

Step 7

[no] mop sysid

Stops the interface from sending MOP periodic system ID messages.

Example:

Device(config-if)# no mop sysid

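The procedures in this section decide what the controller, acting as DHCP relay on the SVI, places in the relay agent information option: the remote ID content chosen in the policy profile, the subscriber ID, the server ID override and link selection suboptions, and, through ip dhcp compatibility suboption, whether the RFC or the Cisco-proprietary suboption codes are used. The following Python encoder and decoder is an added example, not code from the Cisco guide or from the controller. It builds that Option 82 TLV from the sample values used above and parses it the way a DHCP server configured for either code set would, which is the quickest way to check that relay and server agree. The colon-separated ASCII form of the MAC is an illustrative assumption, the link selection value is a constructed address in the client subnet, and the Cisco 2-byte RID header is not modelled.

```python
"""Encoder/decoder for DHCP Option 82 (Relay Agent Information, RFC 3046).

Added example, not code from the Cisco guide or the controller. It models
the TLV that the relay-side commands in this section produce:
  - remote ID (suboption 2) derived from the AP MAC, binary or ASCII
  - subscriber ID (suboption 6, RFC 3993) from 'option subscriber-id'
  - link selection and server ID override suboptions, using either the
    RFC codes (5 and 11) or the Cisco-proprietary codes (150 and 152)
    chosen with 'ip dhcp compatibility suboption ... {cisco | standard}'
The ASCII rendering of the MAC is an assumption for illustration; the
Cisco 2-byte RID header ('ipv4 dhcp opt82 rid') is not modelled.
"""
import ipaddress
import struct

OPTION_RELAY_AGENT_INFO = 82

CIRCUIT_ID = 1      # RFC 3046
REMOTE_ID = 2       # RFC 3046
SUBSCRIBER_ID = 6   # RFC 3993

# Suboption codes that depend on the compatibility setting.
SUBOPTION_CODES = {
    "standard": {"link-selection": 5, "server-override": 11},   # RFC 3527 / RFC 5107
    "cisco": {"link-selection": 150, "server-override": 152},   # Cisco-proprietary
}


def remote_id_from_ap_mac(mac: str, ascii_format: bool = False) -> bytes:
    """Build the remote ID from an AP MAC written as 'aabb.ccdd.eeff'.

    Binary (default) is the 6 raw octets; ascii_format mirrors
    'ipv4 dhcp opt82 ascii' and sends the MAC as printable text
    (colon-separated here, an illustrative choice)."""
    digits = mac.replace(".", "").replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    if ascii_format:
        return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).encode("ascii")
    return bytes.fromhex(digits)


def build_option82(remote_id: bytes, circuit_id: bytes = b"", subscriber_id: str = "",
                   link_selection: str = "", server_override: str = "",
                   compat: str = "standard") -> bytes:
    """Encode Option 82 as the relay appends it to a BOOTREQUEST.

    link_selection is an address in the client's subnet (the server uses it
    like giaddr to pick the scope); server_override is the relay's own
    address, so that the client unicasts renewals back through the relay."""
    codes = SUBOPTION_CODES[compat]
    subs = []
    if circuit_id:
        subs.append((CIRCUIT_ID, circuit_id))
    subs.append((REMOTE_ID, remote_id))
    if subscriber_id:
        subs.append((SUBSCRIBER_ID, subscriber_id.encode("ascii")))
    if link_selection:
        subs.append((codes["link-selection"], ipaddress.IPv4Address(link_selection).packed))
    if server_override:
        subs.append((codes["server-override"], ipaddress.IPv4Address(server_override).packed))
    for code, value in subs:
        if not value or len(value) > 255:
            raise ValueError(f"suboption {code}: length {len(value)} not in 1..255")
    body = b"".join(struct.pack("!BB", code, len(value)) + value for code, value in subs)
    if len(body) > 255:
        raise ValueError("Option 82 payload does not fit in one DHCP option")
    return struct.pack("!BB", OPTION_RELAY_AGENT_INFO, len(body)) + body


def parse_option82(option: bytes, compat: str = "standard") -> dict:
    """Decode Option 82 the way a server configured for `compat` would.

    Known suboptions are returned by name (addresses as dotted quads,
    subscriber ID as text); anything else comes back as 'suboption-<code>'
    with raw bytes, which is exactly what a server sees when relay and
    server disagree on the compatibility setting."""
    if len(option) < 2 or option[0] != OPTION_RELAY_AGENT_INFO or option[1] != len(option) - 2:
        raise ValueError("not a well-formed Option 82")
    names = {CIRCUIT_ID: "circuit-id", REMOTE_ID: "remote-id", SUBSCRIBER_ID: "subscriber-id"}
    names.update({code: name for name, code in SUBOPTION_CODES[compat].items()})
    result, i = {}, 2
    while i < len(option):
        if len(option) - i < 2:
            raise ValueError("truncated suboption header")
        code, length = option[i], option[i + 1]
        value = option[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"suboption {code} truncated")
        name = names.get(code, f"suboption-{code}")
        if name in ("link-selection", "server-override"):
            if length != 4:
                raise ValueError(f"{name} must be 4 octets")
            result[name] = str(ipaddress.IPv4Address(value))
        elif name == "subscriber-id":
            result[name] = value.decode("ascii", errors="replace")
        else:
            result[name] = value
        i += 2 + length
    return result
```

Two checks are worth keeping in mind. First, the compatibility setting must match on the server: parsing a cisco-coded option with compat="standard" yields anonymous suboption-150 and suboption-152 entries, so the server neither honours the override address nor selects the intended scope. Second, Option 82 is asserted by the relay and carries no integrity protection of its own; a DHCP server should act on it only for requests arriving from trusted relay addresses, and a relay should never forward client-originated Option 82 unchanged.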

CHAPTER 55

RADIUS Realm

· Information About RADIUS Realm, on page 499
· Enabling RADIUS Realm, on page 500
· Configuring Realm to Match the RADIUS Server for Authentication and Accounting, on page 500
· Configuring the AAA Policy for a WLAN, on page 501
· Verifying the RADIUS-Realm Configuration, on page 503

Information About RADIUS Realm

The RADIUS Realm feature is associated with the domain of the user. With this feature, the realm in a client's username selects the RADIUS server through which authentication and accounting for that client are processed. When a mobile client associates with a WLAN, the realm is received as part of the EAP identity response (for example, an Extensible Authentication Protocol Method for UMTS Authentication and Key Agreement (EAP-AKA) identity response) carried in the authentication request. The Network Access Identifier (NAI) format for WLAN is username@domain.com; the realm is the part after the @ symbol, here domain.com. For example, for a user test in that domain the NAI is test@domain.com.

The RADIUS Realm feature can be enabled and disabled per WLAN. If realm is enabled on a WLAN, the user must send the username in NAI format. The controller forwards the authentication request to the AAA server only when the realm received from the client is well formed and matches a configured realm. Apart from authentication, accounting requests are also sent to the AAA server selected by realm filtering.

Realm Support on a WLAN

Each WLAN can be configured to support NAI realms. After realm is enabled on a particular SSID, the realm received in the EAP identity response is looked up against the realms configured for the RADIUS servers. If the client does not send a username with a realm, the default RADIUS server configured on the WLAN is used for authentication. If the realm received from the client does not match any realm configured on the WLAN, the client is deauthenticated and dropped. If the RADIUS Realm feature is not enabled on a WLAN, the username received in the EAP identity response is used as-is, and the configured RADIUS server is used for authentication and accounting. By default, the RADIUS Realm feature is disabled on WLANs.
· Realm Match for Authentication: In dot1x with EAP methods (such as EAP-AKA), the username is received as part of the EAP identity response. The realm is derived from the username and matched against the realms configured for the RADIUS authentication servers. If there is a match, the authentication requests are forwarded to that RADIUS server. If there is a mismatch, the client is deauthenticated.

· Realm Match for Accounting: The client's username is received in the Access-Accept message. When accounting messages are triggered, the realm is derived from that username and compared with the accounting realms configured for the RADIUS accounting servers. If there is a match, accounting requests are forwarded to that RADIUS server. If there is a mismatch, accounting requests are dropped.

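The two realm-match rules above form a small decision procedure. The following Python is an added example, not controller code, that implements them: parse the NAI, match the realm against the authentication or accounting realms configured for the WLAN, and return either the server group to forward to or the reason for deauthenticating (authentication) or dropping (accounting). Realm names, server-group names and usernames are constructed sample data, and rejecting more than one @ as malformed is a conservative choice of this example.

```python
"""Realm-based RADIUS server selection for a WLAN, as described above.

Added example, not controller code. Given the NAI from the EAP identity
response (authentication) or from the Access-Accept (accounting), it
derives the realm and decides which RADIUS server group receives the
request, or whether the client is deauthenticated / the accounting
record dropped. Realm names, server-group names and usernames are
constructed sample data; treating more than one '@' as malformed is
a conservative assumption of this example.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class WlanRealmPolicy:
    """Realm configuration that applies to one WLAN."""
    realm_enabled: bool                                          # 'aaa-realm enable' in the AAA policy
    auth_realms: Dict[str, str] = field(default_factory=dict)    # realm -> server group (aaa authentication dot1x <realm> group <grp>)
    acct_realms: Dict[str, str] = field(default_factory=dict)    # realm -> server group (aaa accounting identity <realm> ... group <grp>)
    default_auth_group: str = "default"                          # used when the client sends no realm
    default_acct_group: str = "default"


def split_nai(username: str) -> Tuple[str, Optional[str]]:
    """Split 'user@realm' (RFC 7542 NAI) into (user, realm).

    Returns realm None when there is no '@'. Realms are DNS-style names,
    so they are normalised to lower case for matching. An empty user or
    realm, or more than one '@', is rejected as malformed."""
    if "@" not in username:
        return username, None
    if username.count("@") != 1:
        raise ValueError(f"malformed NAI: {username!r}")
    user, realm = username.split("@")
    if not user or not realm:
        raise ValueError(f"malformed NAI: {username!r}")
    return user, realm.lower()


def select_auth_server(policy: WlanRealmPolicy, username: str) -> Tuple[str, str]:
    """Return ('forward', server_group) or ('deauthenticate', reason)."""
    if not policy.realm_enabled:
        # Realm disabled: the username is used as-is against the WLAN's server.
        return "forward", policy.default_auth_group
    try:
        _, realm = split_nai(username)
    except ValueError as exc:
        return "deauthenticate", str(exc)
    if realm is None:
        # No realm sent: fall back to the default server of the WLAN.
        return "forward", policy.default_auth_group
    group = policy.auth_realms.get(realm)
    if group is None:
        return "deauthenticate", f"realm {realm!r} is not configured on this WLAN"
    return "forward", group


def select_acct_server(policy: WlanRealmPolicy, username: str) -> Tuple[str, str]:
    """Return ('forward', server_group) or ('drop', reason).

    `username` is the one returned in the Access-Accept, which may differ
    from the identity the client sent."""
    if not policy.realm_enabled:
        return "forward", policy.default_acct_group
    try:
        _, realm = split_nai(username)
    except ValueError as exc:
        return "drop", str(exc)
    if realm is None:
        return "forward", policy.default_acct_group
    group = policy.acct_realms.get(realm)
    if group is None:
        return "drop", f"no accounting realm configured for {realm!r}"
    return "forward", group
```

Keep in mind that the realm is chosen by the client before it has authenticated, so realm matching is a routing decision, not an authentication one: a client can name any configured realm and is simply forwarded to that realm's RADIUS server, which must still reject a bad credential. Note also that the accounting realm is derived from the username returned in the Access-Accept, which can differ from the identity the client originally sent.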
Enabling RADIUS Realm

Follow the procedure given below to enable RADIUS realm:

Procedure

Step 1

configure terminal

Enters global configuration mode.

Example:

Device# configure terminal

Step 2

wireless aaa policy aaa-policy

Creates a new AAA policy.

Example:

Device(config)# wireless aaa policy policy-1

Step 3

aaa-realm enable

Enables AAA RADIUS realm selection.

Note
Use the no aaa-realm enable or the default aaa-realm enable command to disable the RADIUS realm.

Example:

Device(config-aaa-policy)# aaa-realm enable

Configuring Realm to Match the RADIUS Server for Authentication and Accounting

Follow the procedure given below to configure the realm to match the RADIUS server for authentication and accounting. The method lists are named after the realm (cisco.com in the examples): the realm received from the client selects the method list with that name, and the RADIUS server group named in that list receives the requests.

Procedure

Step 1

configure terminal

Enters global configuration mode.

Example:

Device# configure terminal

Step 2

aaa new-model

Enables the AAA access control model.

Example:

Device(config)# aaa new-model

Step 3

aaa authorization network default group radius-server-group

Sets the network authorization method to the RADIUS server group.

Example:

Device(config)# aaa authorization network default group aaa_group_name

Step 4

aaa authentication dot1x realm group radius-server-group

Defines the dot1x authentication method list named after the realm; dot1x requests from clients in that realm use this RADIUS server group.

Example:

Device(config)# aaa authentication dot1x cisco.com group cisco1

Step 5

aaa authentication login realm group radius-server-group

Defines the login authentication method list named after the realm.

Example:

Device(config)# aaa authentication login cisco.com group cisco1

Step 6

aaa accounting identity realm start-stop group radius-server-group

Defines the accounting method list named after the realm. Sends a start-record accounting notice when a client is authorized and a stop-record at the end of the session.

Example:

Device(config)# aaa accounting identity cisco.com start-stop group cisco1

Configuring the AAA Policy for a WLAN

Follow the procedure given below to configure the AAA policy for a WLAN:

Procedure

Step 1

configure terminal

Enters global configuration mode.

Example:

Device# configure terminal

Step 2

wireless aaa policy aaa-policy-name

Creates a new AAA policy for wireless.

Example:

Device(config)# wireless aaa policy aaa-policy-1

Step 3

aaa-realm enable

Enables AAA RADIUS server selection by realm.

Example:

Device(config-aaa-policy)# aaa-realm enable

Step 4

exit

Returns to global configuration mode.

Example:

Device(config-aaa-policy)# exit

Step 5

wireless profile policy wlan-policy-profile

Configures a WLAN policy profile.

Example:

Device(config)# wireless profile policy wlan-policy-a

Step 6

aaa-policy aaa-policy

Maps the AAA policy to the policy profile.

Example:

Device(config-wireless-policy)# aaa-policy aaa-policy-1

Step 7

accounting-list acct-config-realm

Sets the accounting method list. Use the realm-named list defined with aaa accounting identity.

Example:

Device(config-wireless-policy)# accounting-list cisco.com

Step 8

exit

Returns to global configuration mode.

Example:

Device(config-wireless-policy)# exit

Step 9

wlan wlan-name wlan-id ssid

Configures a WLAN.

Example:

Device(config)# wlan wlan2 14 wlan-aaa

Step 10

security dot1x authentication-list auth-list-realm

Sets the IEEE 802.1x authentication method list for the WLAN. Use the realm-named list defined with aaa authentication dot1x.

Example:

Device(config-wlan)# security dot1x authentication-list cisco.com

Step 11

exit

Returns to global configuration mode.

Example:

Device(config-wlan)# exit

Step 12

wireless tag policy policy

Configures a policy tag.

Example:

Device(config)# wireless tag policy tag-policy-1

Step 13

wlan wlan-name policy policy-profile

Maps a policy profile to the WLAN.

Example:

Device(config-policy-tag)# wlan Abc-wlan policy wlan-policy-a

Step 14

exit

Returns to global configuration mode.

Example:

Device(config-policy-tag)# exit

Verifying the RADIUS-Realm Configuration

Use the following command to verify the RADIUS-realm configuration. In the output, Client Username shows the NAI received from the client, and Server IP under Aaa Server Details shows the RADIUS server that handled the session:

Device# show wireless client mac-address 14bd.61f3.6a24 detail
Client MAC Address : 14bd.61f3.6a24
Client IPv4 Address : 9.4.113.103
Client IPv6 Addresses : fe80::286e:9fe0:7fa6:8f4
Client Username : sacthoma@cisco.com
AP MAC Address : 4c77.6d79.5a00
AP Name: AP4c77.6d53.20ec
AP slot : 1
Client State : Associated
Policy Profile : name-policy-profile
Flex Profile : N/A
Wireless LAN Id : 3
Wireless LAN Name: ha_realm_WLAN_WPA2_AES_DOT1X
BSSID : 4c77.6d79.5a0f
Connected For : 26 seconds
Protocol : 802.11ac
Channel : 44
Client IIF-ID : 0xa0000001
Association Id : 1
Authentication Algorithm : Open System
Client CCX version : No CCX support
Re-Authentication Timeout : 1800 sec (Remaining time: 1775 sec)
Input Policy Name : None
Input Policy State : None
Input Policy Source : None
Output Policy Name : None
Output Policy State : None
Output Policy Source : None
WMM Support : Enabled
U-APSD Support : Enabled
U-APSD value : 0
APSD ACs : BK, BE, VI, VO
Fastlane Support : Disabled
Power Save : OFF
Supported Rates : 9.0,18.0,36.0,48.0,54.0
Mobility:
  Move Count : 0
  Mobility Role : Local
  Mobility Roam Type : None
  Mobility Complete Timestamp : 06/12/2018 19:52:35 IST
Policy Manager State: Run
NPU Fast Fast Notified : No
Last Policy Manager State : IP Learn Complete
Client Entry Create Time : 25 seconds
Policy Type : WPA2
Encryption Cipher : CCMP (AES)
Authentication Key Management : 802.1x
Encrypted Traffic Analytics : No
Management Frame Protection : No
Protected Management Frame - 802.11w : No
EAP Type : PEAP
VLAN : 113
Multicast VLAN : 0
Access VLAN : 113
Anchor VLAN : 0
WFD capable : No
Managed WFD capable : No
Cross Connection capable : No
Support Concurrent Operation : No
Session Manager:
  Interface : capwap_9040000f
  IIF ID : 0x9040000F
  Authorized : TRUE
  Session timeout : 1800
  Common Session ID: 097704090000000DF4607B3B
  Acct Session ID : 0x00000fa2
  Aaa Server Details
    Server IP : 9.4.23.50
  Auth Method Status List
    Method : Dot1x
      SM State : AUTHENTICATED
      SM Bend State : IDLE
  Local Policies:
    Service Template : wlan_svc_name-policy-profile_local (priority 254)
      Absolute-Timer : 1800
      VLAN : 113
  Server Policies:
  Resultant Policies:
    VLAN : 113
    Absolute-Timer : 1800
DNS Snooped IPv4 Addresses : None
DNS Snooped IPv6 Addresses : None
Client Capabilities
  CF Pollable : Not implemented
  CF Poll Request : Not implemented
  Short Preamble : Not implemented
  PBCC : Not implemented
  Channel Agility : Not implemented
  Listen Interval : 0
Fast BSS Transition Details :
  Reassociation Timeout : 0
11v BSS Transition : Not implemented
FlexConnect Data Switching : Central
FlexConnect Dhcp Status : Central
FlexConnect Authentication : Central
FlexConnect Central Association : No
.
.
.
Fabric status : Disabled
Client Scan Reports
Assisted Roaming Neighbor List

CHAPTER 56

RADIUS Accounting

· Information About RADIUS Accounting of AP Events, on page 505
· Configuring Accounting Method-List for an AP Profile, on page 505
· Verifying the AP Accounting Information, on page 506

Information About RADIUS Accounting of AP Events

This topic describes how to configure a RADIUS server to monitor the Access Points (APs) in a network. Prior to Cisco IOS XE Amsterdam 17.1.1, the controller did not send accounting messages when APs joined or left the controller, so during network issues the RADIUS server had no record of AP outages. From Cisco IOS XE Amsterdam 17.1.1 onwards, the controller sends RADIUS accounting messages for AP join and leave events, and the RADIUS server keeps a record of all the APs that went down and came back up.

Configuring Accounting Method-List for an AP Profile

Procedure

Step 1

configure terminal

Enters global configuration mode.

Example:

Device# configure terminal

Step 2

ap profile ap-profile-name

Configures the AP profile. The default AP join profile name is default-ap-profile.

Example:

Device(config)# ap profile ap-profile-name

Step 3

[no] accounting method-list method-list-name

Configures the accounting method list for the AP profile. Use the no form of this command to remove the accounting method list from the AP profile.

Example:

Device(config-ap-profile)# accounting method-list method-list-name

Verifying the AP Accounting Information

To verify the AP accounting information, use the following command:

Device# show wireless stats ap accounting

Base MAC          Total packet Send   Total packet Received   Methodlist
----------------------------------------------------------------------------------------
00b0.e192.0f20    4                   3                       abc
38ed.18cc.5788    8                   8                       ML_M
70ea.1ae0.af08    0                   0                       ML_A

To view the details of a method list that is configured for an AP profile, use the following command:

Device# show ap profile name Method-list detailed

AP Profile Name : test-profile
Description :
.
.
.
Method-list name : Method-list
Packet Sequence Jump DELBA : ENABLED
Lag status : DISABLED
.
Client RSSI Statistics
  Reporting : ENABLED
  Reporting Interval : 30 seconds

CHAPTER 57

RADIUS Call Station Identifier

· RADIUS Call Station Identifier, on page 507
· Configuring a RADIUS Call Station Identifier, on page 508

RADIUS Call Station Identifier

The RADIUS Called-Station-Id attribute allows a Network Access Server (NAS) to send, in the Access-Request packet, the phone number that the user called, obtained by means of Dialled Number Identification Service (DNIS) or similar technology. IEEE 802.1X authenticators use this attribute to carry the bridge or access point MAC address in ASCII format. The called station identifier allows a RADIUS server to restrict the MAC addresses or networks that a client can connect to. Only one such attribute can be added to an Access-Request packet. The called station identifier is useful where preauthentication is supported; in such cases it enables the RADIUS server to restrict the networks and attachment points that the client can connect to. Because the value is populated by the authenticator, the RADIUS server can rely on it only to the extent that it trusts the NAS that sent the request.

Note
The called station identifier attribute is applicable only to Access-Request and not to Access-Accept or CoA-Request.

In Cisco IOS XE Bengaluru 17.4.1, the RADIUS called station identifier configuration is enhanced to include more attributes. The newly added options for authentication and accounting are listed below:

· policy-tag-name
· flex-profile-name
· ap-macaddress-ssid-flexprofilename
· ap-macaddress-ssid-policytagname
· ap-macaddress-ssid-sitetagname
· ap-ethmac-ssid-flexprofilename
· ap-ethmac-ssid-policytagname
· ap-ethmac-ssid-sitetagname

For more information on the attributes listed above, see the following commands:

· radius-server attribute wireless accounting call-station-id
· radius-server attribute wireless authentication call-station-id

Configuring a RADIUS Call Station Identifier

Procedure

Step 1

configure terminal

Enters global configuration mode.

Example:

Device# configure terminal

Step 2

radius-server attribute wireless authentication call-station-id policy-tag-name

Configures the call station identifier sent in RADIUS authentication messages.

Example:

Device(config)# radius-server attribute wireless authentication call-station-id policy-tag-name

Step 3

radius-server attribute wireless accounting call-station-id policy-tag-name

Configures the call station identifier sent in RADIUS accounting messages.

Example:

Device(config)# radius-server attribute wireless accounting call-station-id policy-tag-name

CHAPTER 58

RADIUS VSA

· Information About RADIUS VSA, on page 509
· Create an Attribute List, on page 510
· Create a AAA Policy and Map it to Attribute List, on page 511
· Map a AAA Policy to the WLAN Policy Profile, on page 512
· Map the WLAN Policy Profile to a WLAN, on page 513

Information About RADIUS VSA

The Internet Engineering Task Force (IETF) Draft Standard RFC 2865 specifies a method for communicating vendor-specific information between the network access server and the RADIUS server by using vendor-specific attributes (VSAs, attribute type 26). VSAs allow vendors to support their own extended attributes that are not suitable for general use. The controller includes these attribute values in authentication packets, accounting packets, or both, depending on the configured usage. A VSA consists of three fields:

· Type (26)
· Length
· String (also known as data)

The String field carries the vendor-specific payload:

· Vendor-ID
· Vendor-Type
· Vendor-Length
· Vendor-Data

This feature is supported only in FlexConnect central authentication mode with local switching. FlexConnect local authentication mode is not supported. This feature is supported only for wireless sessions. In addition to the existing AAA attributes, this feature supports the following set of VSAs per WLAN for authentication and accounting requests.
Table 23: Newly Supported Attributes

Attribute Name            Well-known Attribute   VSA Sub-attribute   Vendor ID
SVR-Zip-Code              26                     14                  14369
SVR-Device-Type           26                     17                  14369
SVR-Device-Model-Number   26                     18                  14369
SVR-Lat-Long              26                     19                  14369
SVR-Venue-Category        26                     20                  14369
SVR-Network-Type          26                     21                  14369
Aggregation-AAA           26                     22                  14369
BW-Venue-Id               26                     7                   22472
BW-Venue-TZ               26                     8                   22472
BW-Class                  26                     10                  22472
BW-Venue-Description      26                     11                  22472
BW-ISO-Country-Code       26                     14                  22472
BW-E164-Country-Code      26                     15                  22472
BW-State-Name             26                     16                  22472
BW-City-Name              26                     17                  22472
BW-Area-Code              26                     18                  22472
BW-User-Group             26                     27                  22472
BW-Venue-Name             26                     29                  22472
BW-Operator-Name          26                     37                  22472

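To see what the controller puts on the wire for the attributes in Table 23, the following Python is an added example, not code from the Cisco guide or from the controller. It encodes RADIUS attribute 26 with the vendor IDs and vendor types from the table (Type, Length, Vendor-ID, then Vendor-Type, Vendor-Length and Vendor-Data) and decodes an attribute list back, rejecting inconsistent lengths instead of skipping over them. The attribute values used in the test are constructed sample data, and one vendor sub-attribute per VSA is assumed.

```python
"""RADIUS Vendor-Specific Attribute (type 26, RFC 2865 section 5.26) encoder and decoder.

Added example, not controller code. The (Vendor-ID, Vendor-Type) pairs are
taken from Table 23 above; attribute values are constructed sample data.
One vendor sub-attribute per VSA is assumed, which is how the attributes
in the table are carried.
"""
import struct
from typing import List, Tuple, Union

VENDOR_SPECIFIC = 26
# The one-octet Length covers Type, Length, Vendor-ID (4), Vendor-Type and Vendor-Length.
MAX_VSA_DATA = 255 - 2 - 4 - 2

# Attribute name -> (Vendor-ID, Vendor-Type), from Table 23.
VSA_DICTIONARY = {
    "SVR-Zip-Code": (14369, 14),
    "SVR-Device-Type": (14369, 17),
    "SVR-Device-Model-Number": (14369, 18),
    "SVR-Lat-Long": (14369, 19),
    "SVR-Venue-Category": (14369, 20),
    "SVR-Network-Type": (14369, 21),
    "Aggregation-AAA": (14369, 22),
    "BW-Venue-Id": (22472, 7),
    "BW-Venue-TZ": (22472, 8),
    "BW-Class": (22472, 10),
    "BW-Venue-Description": (22472, 11),
    "BW-ISO-Country-Code": (22472, 14),
    "BW-E164-Country-Code": (22472, 15),
    "BW-State-Name": (22472, 16),
    "BW-City-Name": (22472, 17),
    "BW-Area-Code": (22472, 18),
    "BW-User-Group": (22472, 27),
    "BW-Venue-Name": (22472, 29),
    "BW-Operator-Name": (22472, 37),
}
NAME_BY_CODE = {code: name for name, code in VSA_DICTIONARY.items()}


def encode_vsa(name: str, value: Union[str, bytes]) -> bytes:
    """Encode one VSA: Type(26) Length Vendor-ID(4) | Vendor-Type Vendor-Length Vendor-Data."""
    vendor_id, vendor_type = VSA_DICTIONARY[name]
    data = value.encode("utf-8") if isinstance(value, str) else bytes(value)
    if not data or len(data) > MAX_VSA_DATA:
        raise ValueError(f"{name}: data length {len(data)} not in 1..{MAX_VSA_DATA}")
    vendor_part = struct.pack("!BB", vendor_type, 2 + len(data)) + data
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(vendor_part), vendor_id) + vendor_part


def decode_attributes(blob: bytes) -> List[Tuple[str, Union[str, bytes]]]:
    """Walk a RADIUS attribute list and return (name, value) pairs.

    VSAs found in the dictionary are returned by name with text values;
    unknown vendor attributes as 'Vendor-<id>/<type>' and non-VSAs as
    'Attr-<type>', both with raw bytes. Malformed lengths raise ValueError
    instead of being skipped, so a bad packet is never half-trusted."""
    out, i = [], 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = blob[i], blob[i + 1]
        if attr_len < 2 or i + attr_len > len(blob):
            raise ValueError(f"bad attribute length {attr_len} at offset {i}")
        body = blob[i + 2:i + attr_len]
        if attr_type == VENDOR_SPECIFIC:
            if len(body) < 6:
                raise ValueError("VSA shorter than Vendor-ID plus sub-attribute header")
            vendor_id = struct.unpack("!I", body[:4])[0]
            vendor_type, vendor_len = body[4], body[5]
            if vendor_len != len(body) - 4:
                raise ValueError("Vendor-Length does not match attribute length")
            vendor_data = body[6:]
            name = NAME_BY_CODE.get((vendor_id, vendor_type))
            if name is None:
                out.append((f"Vendor-{vendor_id}/{vendor_type}", vendor_data))
            else:
                out.append((name, vendor_data.decode("utf-8", errors="replace")))
        else:
            out.append((f"Attr-{attr_type}", body))
        i += attr_len
    return out


def is_well_formed(blob: bytes) -> bool:
    """True when every attribute in `blob` parses with consistent lengths."""
    try:
        decode_attributes(blob)
        return True
    except ValueError:
        return False
```

The decoder is strict on purpose. RFC 2865 allows a receiver to ignore a VSA it does not understand, but a Vendor-Length that disagrees with the outer Length is a malformed packet, and parsers that silently resynchronise on such input are a recurring source of RADIUS parsing bugs. Note also that these attributes travel in the clear in Access-Request and Accounting-Request packets unless RADIUS is carried over IPsec or TLS, so venue and location values are visible to anyone on the path between controller and server.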
Create an Attribute List

Procedure

Step 1

configure terminal

Enters global configuration mode.

Example:

Device# configure terminal

Step 2

aaa attribute list list

Creates a AAA attribute list.

Example:

Device(config)# aaa attribute list TEST

Step 3

attribute type attribute-type attribute-value

Specifies a AAA attribute type and its value.

Example:

Device(config-attr-list)# attribute type BW-City-Name "MUMBAI"

Step 4

attribute type attribute-type attribute-value

(Optional) Specifies another AAA attribute type and its value.

Example:

Device(config-attr-list)# attribute type BW-State-Name "MAHARASHTRA"

Step 5

attribute type attribute-type attribute-value

(Optional) Specifies another AAA attribute type and its value.

Example:

Device(config-attr-list)# attribute type BW-Venue-Name "WANKHEDE"

Step 6

end

Returns to privileged EXEC mode.

Example:

Device(config-attr-list)# end

What to do next

Create a AAA policy and map the attribute list.

Create a AAA Policy and Map it to Attribute List

Procedure

Step 1

configure terminal

Enters global configuration mode.

Example:

Device# configure terminal

Step 2

wireless aaa policy aaa-policy

Creates a new AAA policy.

Example:

Device(config)# wireless aaa policy policy-1

Step 3

attrlist authentication authentication-attr-list

Configures the VSA authentication attribute list.

Example:

Device(config-aaa-policy)# attrlist authentication auth-attr-list

Step 4

attrlist accounting accounting-attr-list

Configures the VSA accounting attribute list.

Example:

Device(config-aaa-policy)# attrlist accounting acct-attr-list

Step 5

end

Returns to privileged EXEC mode.

Example:

Device(config-aaa-policy)# end

What to do next

Map the AAA policy to the WLAN policy profile.

Map a AAA Policy to the WLAN Policy Profile

Procedure

Step 1

configure terminal

Enters global configuration mode.

Example:

Device# configure terminal

Step 2

wireless profile policy profile-policy

Creates a new wireless policy profile.

Example:

Device(config)# wireless profile policy EAP-AKA

Step 3

aaa-policy aaa-policy

Maps the AAA policy to the policy profile.

Example:

Device(config-wireless-policy)# aaa-policy Verizon-aaa-policy

Step 4

end

Returns to privileged EXEC mode.

Example:

Device(config-wireless-policy)# end

What to do next

Map the WLAN policy profile to a WLAN.

Map the WLAN Policy Profile to a WLAN

Procedure

Step 1

configure terminal

Enters global configuration mode.

Example:

Device# configure terminal

Step 2

wireless tag policy policy-name

Creates a new policy tag.

Example:

Device(config)# wireless tag policy EAP-AKA

Step 3

wlan wlan-profile-name policy policy-profile-name

Maps the policy profile to the WLAN within the policy tag.

Example:

Device(config-policy-tag)# wlan EAP-AKA policy EAP-AKA

Step 4

end

Returns to privileged EXEC mode.

Example:

Device(config-policy-tag)# end

CHAPTER 59
Cisco StadiumVision
· Cisco StadiumVision Overview, on page 515
· Configure Parameters for Cisco StadiumVision (GUI), on page 516
· Configure Parameters for Cisco StadiumVision (CLI), on page 516
· Verify StadiumVision Configurations, on page 517
Cisco StadiumVision Overview
Cisco StadiumVision solution is a proven, end-to-end, high-definition IPTV solution that provides advanced digital content management and delivery that can transform the look and feel of venues. It is built on top of the Cisco Connected Stadium solution and centrally managed through the StadiumVision Director. Cisco StadiumVision solution enables the integration and automated delivery of customised and dynamic content from multiple sources to different areas of the stadium in high definition quality. This technology allows you to replay certain exciting and critical moments of a game on Wi-Fi capable devices.
To enable the Cisco StadiumVision solution on the controller, you need to configure these parameters:
1. On the Wireless Controller:
· Multicast Data Rate
· RX Sensitivity SOP
· Multicast Buffer
2. CAPWAP
3. AP Radio Driver and Firmware:
· Multicast Data Rate
· RX Sensitivity SOP
· Multicast Buffer

Configure Parameters for Cisco StadiumVision (GUI)
Procedure

Step 1 Choose Configuration > Wireless > Advanced.
Step 2 Click the High Density tab.
Step 3 In the Multicast Data Rate section, set the data rate for the 5 GHz radio or 2.4 GHz radio using the drop-down lists.
Step 4 Click Apply.

Configure Parameters for Cisco StadiumVision (CLI)

Note Multicast buffer and data rate configurations are supported for all AP models.

Procedure

Step 1

wlan wlan-name wlan-id
Example:
Device(config)# wlan wlan1 10

Configures a WLAN.

Step 2

multicast buffer multicast-buffer-number
Example:
Device(config-wlan)# multicast buffer 45

Configures the enhanced multicast buffer size between 30 (default) and 60 on a WLAN.

Note
You can enable only two out of the possible 512 WLANs configured on the controller for enhanced multicast buffers.

Step 3

ap dot11 [5ghz| 24ghz] multicast data-rate rate
Example:
Device(config)# ap dot11 [5ghz| 24ghz] rx-sop threshold custom -70

Configures the radio receive sensitivity SOP threshold between -60 to -85 dB, which can also be configured as the predefined auto, low, high, or medium values specific to the 5ghz or 24ghz bands.
By default, the configuration is disabled and its value is set to auto. If the RxSOP value of auto (0) is pushed, the AP uses the value burnt in during manufacturing.
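As an added check (not part of the guide and not Cisco code), the following Python audits a running-config excerpt against the limits this procedure states: a multicast buffer size between 30 and 60, enhanced multicast buffers on at most two WLANs, and a custom RxSOP threshold between -85 and -60. The config text is constructed, and which WLANs count toward the two-WLAN limit is an assumption noted in the code.

```python
import re
from dataclasses import dataclass

# Constructed running-config excerpt (not taken from the guide) using the
# commands this procedure covers: "multicast buffer" under a WLAN and the
# per-band "ap dot11 ... rx-sop threshold custom" command.
SAMPLE_CONFIG = """\
wlan stadium-video 10 stadium-video
 multicast buffer 45
 no shutdown
wlan guest 11 guest
 multicast buffer 60
wlan staff 12 staff
 multicast buffer 75
wlan iot 13 iot
 multicast buffer 30
wlan corp 14 corp
 no shutdown
ap dot11 5ghz rx-sop threshold custom -70
ap dot11 24ghz rx-sop threshold custom -55
"""

MCAST_BUFFER_MIN, MCAST_BUFFER_MAX = 30, 60  # size range stated in Step 2
MCAST_BUFFER_WLAN_LIMIT = 2                  # WLAN limit stated in the Step 2 note
RXSOP_MIN, RXSOP_MAX = -85, -60              # custom threshold range from Step 3


@dataclass(frozen=True)
class Finding:
    scope: str
    message: str


def parse_config(text):
    """Return (wlan name -> multicast buffer size or None, band -> custom RxSOP)."""
    wlans, rxsop, current = {}, {}, None
    for line in text.splitlines():
        if m := re.match(r"^wlan (\S+) \d+ \S+", line):
            current = m.group(1)          # entered a WLAN sub-mode
            wlans[current] = None
        elif (m := re.match(r"^ multicast buffer (\d+)", line)) and current:
            wlans[current] = int(m.group(1))
        elif m := re.match(r"^ap dot11 (5ghz|24ghz) rx-sop threshold custom (-?\d+)", line):
            rxsop[m.group(1)] = int(m.group(2))
        elif not line.startswith(" "):
            current = None                # any other top-level line leaves the sub-mode
    return wlans, rxsop


def audit(text):
    """Apply the limits this procedure states to the parsed config; return findings."""
    wlans, rxsop = parse_config(text)
    findings = []
    # Assumption: any WLAN with an explicit "multicast buffer" line is counted
    # against the two-WLAN limit, whatever size it sets.
    enhanced = [name for name, size in wlans.items() if size is not None]
    if len(enhanced) > MCAST_BUFFER_WLAN_LIMIT:
        findings.append(Finding("wlan", f"{len(enhanced)} WLANs use enhanced multicast "
                                        f"buffers; limit is {MCAST_BUFFER_WLAN_LIMIT}"))
    for name in enhanced:
        size = wlans[name]
        if not MCAST_BUFFER_MIN <= size <= MCAST_BUFFER_MAX:
            findings.append(Finding(f"wlan {name}", f"multicast buffer {size} outside "
                                                    f"{MCAST_BUFFER_MIN}-{MCAST_BUFFER_MAX}"))
    for band, value in rxsop.items():
        if not RXSOP_MIN <= value <= RXSOP_MAX:
            findings.append(Finding(f"ap dot11 {band}", f"rx-sop custom {value} outside "
                                                        f"{RXSOP_MIN}..{RXSOP_MAX}"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f.scope}: {f.message}")
```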


Verify StadiumVision Configurations
· show ap rf-profile name rf-name detail
· show ap dot11 5ghz high-density

Rx SOP

Device#show ap rf-profile name Typical_Client_Density_rf_5gh detail | i SOP
Rx SOP Threshold                : auto

Multicast Buffer

Device#show wlan id 1 | sec Buffer
Multicast Buffer                : Enabled
Multicast Buffer Size           : 45
Device#

Device#sh wlan name vwlc-OpenAuth | inc Buffer
Multicast Buffer                : Enabled
Multicast Buffer Size           : 45
Device#

Multicast Data Rate

Device#sh ap dot11 24ghz high-density
AP Name            Mac Address      Slot  Rxsop Threshold Type  Value (dbm)  Multicast Data Rate(Mbps)
----------------------------------------------------------------------------------------------------
test-1800-AP       aaaa.bbbb.cccc   0     auto                  0            54
AP4001.7AB2.BEB6   aaab.bbbb.cccc   2     auto                  0            54
AP70DF.2FA2.72EE   aaac.bbbb.cccc   0     auto                  0            0

Device#show ap dot11 5ghz high-density
AP Name            Mac Address      Slot  Rxsop Threshold Type  Value (dbm)  Multicast Data Rate(Mbps)
----------------------------------------------------------------------------------------------------
Saji-1800-AP       aaab.bbbb.cccc   1     auto                  0            12
Saji-2802I-AP      aaab.bbbb.cccc   0     custom                -82          12
Saji-2802I-AP      aaac.bbbb.cccc   1     custom                -82          12
AP4001.7AB2.BEB6   aaad.bbbb.cccc   0     custom                -82          12
AP4001.7AB2.BEB6   aaae.bbbb.cccc   1     custom                -82          0
AP500F.8086.8B56   aaaf.bbbb.cccc   0     custom                -82          12
AP500F.8086.8B56   aaag.bbb.cccc    1     custom                -82          12
AP70DF.2FA2.72EE   aaah.bbbb.cccc   1     auto                  0            0
Device#

Device(config)#ap dot11 5ghz rf-profile test_5ghz_rf
Device(config-rf-profile)#high-density multicast data-rate RATE_18M

Device# show ap rf-profile name test_5ghz_rf detail | inc Multicast
Multicast Data Rate             : 18 Mbps
Device#


CHAPTER 60

Persistent SSID Broadcast

· Persistent SSID Broadcast, on page 519
· Configuring Persistent SSID Broadcast, on page 519
· Verifying Persistent SSID Broadcast, on page 520
Persistent SSID Broadcast
Access Points within a mesh network work as Root Access Points (RAPs) or Mesh Access Points (MAPs). RAPs have a wired connection to the controller and MAPs have a wireless connection to the controller. This feature is applicable only to the Cisco Aironet 1542 Access Points in the Flex+Bridge mode.
This feature is about the Root Access Points (RAPs) and Mesh Access Points (MAPs) broadcasting the SSID even when the WAN connectivity is down. This is required in order to isolate responsibility, that is, whether the fault is with the backhaul or with the wireless access network, since different operators can own each part of the network.
RAPs and MAPs broadcast the SSID while in standalone mode, as long as the default gateway is reachable.
Also refer to the Mesh Deployment Guide for Cisco Catalyst 9800 Series Wireless Controllers.

Configuring Persistent SSID Broadcast

Procedure

Step 1

configure terminal
Example:
Device# configure terminal

Enters global configuration mode.

Step 2

ap profile ap-profile-name
Example:
Device(config)# ap profile ap-profile-name

Configures the AP profile.


Step 3

[no] ssid broadcast persistent
Example:
Device(config-ap-profile)# [no] ssid broadcast persistent

The ssid broadcast command configures the SSID broadcast mode. The persistent keyword enables a persistent SSID broadcast, where the associated APs will re-join. Use the no form of the command to disable the feature.

Note
Enabling or disabling this feature causes the AP to re-join.

Verifying Persistent SSID Broadcast

To view the configuration of all Cisco APs, use the following show command:

Device#show ap config general
Cisco AP Name   : AP4C77.6DF2.D598
=================================================
Office Extend Mode                              : Disabled
Persistent SSID Broadcast                       : Enabled
Remote AP Debug                                 : Disabled


CHAPTER 61
Network Monitoring
· Network Monitoring, on page 521
· Status Information Received Synchronously - Configuration Examples, on page 521
· Alarm and Event Information Received Asynchronously - Configuration Examples, on page 523
Network Monitoring
The mechanism that is used to transfer data to the third-party system is NETCONF/YANG. YANG can be used with the Network Configuration Protocol (NETCONF) to provide the desired solution of automated and programmable network operations. You can contact the API or Developer Support for NETCONF/YANG features using the following link: https://developer.cisco.com/site/support/#
The two types of information provided are:
· Status information received synchronously: NETCONF is the management interface used for status information, which allows the operational state of the device, including the controller, to be published.
· Alarm and event information sent asynchronously: NETCONF/YANG push is the solution used for alarm and event information, which provides the mechanism to send the NETCONF notifications that were subscribed to.
Status Information Received Synchronously - Configuration Examples
The NETCONF/YANG interface is used to accomplish customer requests. The prerequisite configuration for Status Information and Alarm and Event Information is to enable the NETCONF server on the controller by using the following command:

netconf-yang

The above command not only enables notifications, but also allows configuration and operation access (OAM) via NETCONF/YANG. For more information on NETCONF/YANG, see the NETCONF Protocol chapter of the Programmability Configuration Guide at: https://www.cisco.com/c/en/us/support/ios-nx-os-software/ios-xe-17/products-installation-and-configuration-guides-list.html

In the Status Information Received Synchronously type, the following information is exported through NETCONF:
· Name of the village
· APs in each village
· Status of each AP
· Number of clients currently connected and logged on in each village and each AP

All the data for the items listed above is already available as the controller operational data exported through NETCONF. The examples below explain where the data items listed are available.
The following command is used on the controller:

wireless tag site village_name_1

The site tags can be retrieved by NETCONF using the get-config operation. Example output for Name of the Village:

<site-cfg-data xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-wireless-site-cfg">
  [...]
  <site-tag-configs>
    <site-tag-config>
      <site-tag-name>village_name_1</site-tag-name>
      <description>custom user site tag for a village</description>
    </site-tag-config>
    [...]
  </site-tag-configs>
The controller's operational data contains all the connected (joined) APs and lists their site tags. The example output displays the detailed information about the APs and the site tags. The following example displays the relevant fields and the corresponding controller show commands:
Example output of Access Point per Village:

<data>
  <access-point-oper-data xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-wireless-access-point-oper">
    [...]
    <radio-oper-data>
      <wtp-mac>00:1b:0c:00:02:00</wtp-mac>                  #show ap dot11 {24ghz|5ghz} summary "MAC Address"
      <radio-slot-id>0</radio-slot-id>                      #show ap dot11 {24ghz|5ghz} summary "Slot"
      <ap-mac>00:1b:0c:00:02:00</ap-mac>
      <slot-id>0</slot-id>
      <radio-type>1</radio-type>                            # 1 - 2.4GHz, 2 - 5GHz
      <admin-state>enabled</admin-state>                    #show ap dot11 {24ghz|5ghz} summary "Admin State"
      <oper-state>radio-up</oper-state>                     #show ap dot11 {24ghz|5ghz} summary "Oper State"
      [...]
    [...]
    <capwap-data>
      <wtp-mac>00:1b:0c:00:02:00</wtp-mac>                  #show ap summary "Radio MAC"
      <ap-operation-state>registered</ap-operation-state>   #show ap summary "State"
      <ip-addr>10.102.140.10</ip-addr>                      #show ap summary "IP Address"
      [...]
      <admin-state>1</admin-state>                          #show ap status "Status", 1 - Enabled, 2 - Disabled
      <location>default-location </location>                #show ap summary "Location"
      <country-code>CH </country-code>
      <name>AP_A-1</name>                                   #show ap summary "AP Name"
      [...]
      <tag-info>
        [...]
        <site-tag>
          <site-tag-name>village_name_1</site-tag-name>     #show ap name AP_A-1 config general "Site Tag Name"
          [...]
        </site-tag>
        [...]

The operational data of the controller contains all the connected wireless clients' information, which includes detailed client device information, such as the MAC address, IP address, state, and the AP name.

Example output of the Number of clients currently online and logged in each village and each AP:

<data>
  <client-oper-data xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-wireless-client-oper">
    <common-oper-data>
      <client-mac>00:00:1a:04:00:02</client-mac>     #show wireless client summary "MAC Address"
      <ap-name>AP_A-1</ap-name>                      #show wireless client summary "AP Name"
      [...]
      <co-state>client-status-run</co-state>         #show wireless client summary "State"
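As an added example (not part of the guide and not controller code), the following Python turns the replies above into the report this section describes: APs per village with their state, and running clients per AP and per village, including villages configured as site tags but with no joined AP. Both XML documents are constructed to follow the element layout shown; treating only "registered" APs and clients in client-status-run as up is an assumption.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {
    "site": "http://cisco.com/ns/yang/Cisco-IOS-XE-wireless-site-cfg",
    "ap": "http://cisco.com/ns/yang/Cisco-IOS-XE-wireless-access-point-oper",
    "cl": "http://cisco.com/ns/yang/Cisco-IOS-XE-wireless-client-oper",
}

# Constructed get-config reply (not captured from a controller) in the
# site-cfg-data layout shown above; the third village has no joined APs.
SAMPLE_SITE_CFG = """<site-cfg-data xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-wireless-site-cfg">
  <site-tag-configs>
    <site-tag-config><site-tag-name>village_name_1</site-tag-name><description>custom user site tag for a village</description></site-tag-config>
    <site-tag-config><site-tag-name>village_name_2</site-tag-name><description>second village</description></site-tag-config>
    <site-tag-config><site-tag-name>village_name_3</site-tag-name><description>no APs joined yet</description></site-tag-config>
  </site-tag-configs>
</site-cfg-data>"""

# Constructed operational-data reply following the capwap-data and common-oper-data
# layout shown above. "registered" and "client-status-run" are the values the guide
# shows; the "placeholder-*" state strings are invented for the example.
SAMPLE_OPER = """<data>
<access-point-oper-data xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-wireless-access-point-oper">
  <capwap-data>
    <wtp-mac>00:1b:0c:00:02:00</wtp-mac><ap-operation-state>registered</ap-operation-state>
    <ip-addr>10.102.140.10</ip-addr><name>AP_A-1</name>
    <tag-info><site-tag><site-tag-name>village_name_1</site-tag-name></site-tag></tag-info>
  </capwap-data>
  <capwap-data>
    <wtp-mac>00:1b:0c:00:02:01</wtp-mac><ap-operation-state>registered</ap-operation-state>
    <ip-addr>10.102.140.11</ip-addr><name>AP_A-2</name>
    <tag-info><site-tag><site-tag-name>village_name_1</site-tag-name></site-tag></tag-info>
  </capwap-data>
  <capwap-data>
    <wtp-mac>00:1b:0c:00:02:02</wtp-mac><ap-operation-state>placeholder-down</ap-operation-state>
    <ip-addr>10.102.141.10</ip-addr><name>AP_B-1</name>
    <tag-info><site-tag><site-tag-name>village_name_2</site-tag-name></site-tag></tag-info>
  </capwap-data>
</access-point-oper-data>
<client-oper-data xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-wireless-client-oper">
  <common-oper-data><client-mac>00:00:1a:04:00:02</client-mac><ap-name>AP_A-1</ap-name><co-state>client-status-run</co-state></common-oper-data>
  <common-oper-data><client-mac>00:00:1a:04:00:03</client-mac><ap-name>AP_A-1</ap-name><co-state>client-status-run</co-state></common-oper-data>
  <common-oper-data><client-mac>00:00:1a:04:00:04</client-mac><ap-name>AP_A-2</ap-name><co-state>client-status-run</co-state></common-oper-data>
  <common-oper-data><client-mac>00:00:1a:04:00:05</client-mac><ap-name>AP_A-2</ap-name><co-state>placeholder-not-run</co-state></common-oper-data>
</client-oper-data>
</data>"""


def _text(elem, path):
    """Text of the first element at a namespace-qualified path, or None."""
    node = elem.find(path, NS)
    return node.text.strip() if node is not None and node.text else None


def parse_site_tags(site_cfg_xml):
    """Village names from a site-cfg-data get-config reply."""
    root = ET.fromstring(site_cfg_xml)
    return [n.text for n in root.iterfind(".//site:site-tag-name", NS)]


def parse_aps(oper_xml):
    """Map AP name -> {village, state, wtp_mac} from the capwap-data entries."""
    root = ET.fromstring(oper_xml)
    aps = {}
    for cap in root.findall("./ap:access-point-oper-data/ap:capwap-data", NS):
        aps[_text(cap, "ap:name")] = {
            "village": _text(cap, "ap:tag-info/ap:site-tag/ap:site-tag-name"),
            "state": _text(cap, "ap:ap-operation-state"),
            "wtp_mac": _text(cap, "ap:wtp-mac"),
        }
    return aps


def count_clients(oper_xml, running_only=True):
    """Clients per AP name; by default only those whose co-state is client-status-run."""
    root = ET.fromstring(oper_xml)
    counts = defaultdict(int)
    for c in root.findall("./cl:client-oper-data/cl:common-oper-data", NS):
        if running_only and _text(c, "cl:co-state") != "client-status-run":
            continue
        counts[_text(c, "cl:ap-name")] += 1
    return dict(counts)


def village_report(site_cfg_xml, oper_xml):
    """Build {village: {"aps": {ap: {"state", "up", "clients"}}, "clients": total}}."""
    report = {v: {"aps": {}, "clients": 0} for v in parse_site_tags(site_cfg_xml)}
    clients = count_clients(oper_xml)
    for name, info in parse_aps(oper_xml).items():
        village = report.setdefault(info["village"], {"aps": {}, "clients": 0})
        n = clients.get(name, 0)
        village["aps"][name] = {"state": info["state"],
                                "up": info["state"] == "registered", "clients": n}
        village["clients"] += n
    return report


if __name__ == "__main__":
    for village, entry in village_report(SAMPLE_SITE_CFG, SAMPLE_OPER).items():
        print(f"{village}: {entry['clients']} running clients")
        for ap, ap_entry in entry["aps"].items():
            print(f"  {ap}: {ap_entry['state']}, {ap_entry['clients']} clients")
```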

Alarm and Event Information Received Asynchronously - Configuration Examples
The push functionality for the alarm and event information is fulfilled with on-change notifications through NETCONF dynamic subscriptions, with XML encoding.
Example output of AP Up/Down Events - Subscription
Request:

<?xml version="1.0" encoding="UTF-8"?>
<rpc message-id="urn:uuid:b0c581c9-ff5a-4352-9e64-7f2ce1ec603a" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <establish-subscription xmlns="urn:ietf:params:xml:ns:yang:ietf-event-notifications" xmlns:yp="urn:ietf:params:xml:ns:yang:ietf-yang-push">
    <stream>yp:yang-push</stream>
    <yp:xpath-filter>/access-point-oper-data/capwap-data/ap-operation-state</yp:xpath-filter>
    <yp:dampening-period>0</yp:dampening-period>
  </establish-subscription>
</rpc>

Reply:

<?xml version="1.0" encoding="UTF-8"?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:673b42b2-e988-4e20-a6c3-0679c08e6114">
  <subscription-result xmlns='urn:ietf:params:xml:ns:yang:ietf-event-notifications' xmlns:notif-bis="urn:ietf:params:xml:ns:yang:ietf-event-notifications">notif-bis:ok</subscription-result>
  <subscription-id xmlns='urn:ietf:params:xml:ns:yang:ietf-event-notifications'>2147483652</subscription-id>
</rpc-reply>

-->>
(Default Callback)
Event time      : 2018-03-09 15:08:21.880000+00:00
Subscription Id : 2147483651
Type            : 2
Data            :
<datastore-changes-xml xmlns="urn:ietf:params:xml:ns:yang:ietf-yang-push">
  <yang-patch xmlns="urn:ietf:params:xml:ns:yang:ietf-yang-patch">
    <patch-id>null</patch-id>
    <edit>
      <edit-id>edit1</edit-id>
      <operation>merge</operation>
      <target>/access-point-oper-data/capwap-data</target>
      <value>
        <capwap-data xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-wireless-access-point-oper">
          <ap-operation-state>registered</ap-operation-state>
          <wtp-mac>00ab11006600</wtp-mac>
        </capwap-data>
      </value>
    </edit>
  </yang-patch>
</datastore-changes-xml>
<<--
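As an added example (not part of the guide and not Cisco code), the following Python builds the establish-subscription request shown above, checks the reply for notif-bis:ok and the subscription id, and turns each datastore-changes-xml notification into an AP state transition so that repeated merges of the same state do not raise duplicate alerts. The reply is the one shown above; the notification payloads are constructed, and the non-registered state value is a placeholder.

```python
import uuid
import xml.etree.ElementTree as ET

NS = {
    "en": "urn:ietf:params:xml:ns:yang:ietf-event-notifications",
    "yp": "urn:ietf:params:xml:ns:yang:ietf-yang-push",
    "ypatch": "urn:ietf:params:xml:ns:yang:ietf-yang-patch",
    "ap": "http://cisco.com/ns/yang/Cisco-IOS-XE-wireless-access-point-oper",
}
AP_STATE_XPATH = "/access-point-oper-data/capwap-data/ap-operation-state"

# Same structure as the request shown above, with the message-id and filter templated.
RPC_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<rpc message-id="urn:uuid:{msg_id}" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <establish-subscription xmlns="urn:ietf:params:xml:ns:yang:ietf-event-notifications"
      xmlns:yp="urn:ietf:params:xml:ns:yang:ietf-yang-push">
    <stream>yp:yang-push</stream>
    <yp:xpath-filter>{xpath}</yp:xpath-filter>
    <yp:dampening-period>{dampening}</yp:dampening-period>
  </establish-subscription>
</rpc>"""

# The reply shown above, reflowed; the subscription id is the controller's.
SAMPLE_REPLY = """<?xml version="1.0" encoding="UTF-8"?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:673b42b2-e988-4e20-a6c3-0679c08e6114">
  <subscription-result xmlns='urn:ietf:params:xml:ns:yang:ietf-event-notifications' xmlns:notif-bis="urn:ietf:params:xml:ns:yang:ietf-event-notifications">notif-bis:ok</subscription-result>
  <subscription-id xmlns='urn:ietf:params:xml:ns:yang:ietf-event-notifications'>2147483652</subscription-id>
</rpc-reply>"""


def build_subscription(xpath=AP_STATE_XPATH, dampening=0):
    """Render the establish-subscription RPC with a fresh message-id."""
    return RPC_TEMPLATE.format(msg_id=uuid.uuid4(), xpath=xpath, dampening=dampening)


def parse_subscription_reply(xml_text):
    """Return the subscription id if the reply says notif-bis:ok, otherwise None."""
    root = ET.fromstring(xml_text)
    result = root.findtext("en:subscription-result", default="", namespaces=NS)
    if not result.strip().endswith(":ok"):
        return None
    sid = root.findtext("en:subscription-id", namespaces=NS)
    return int(sid) if sid else None


def make_notification(state, wtp_mac="00ab11006600"):
    """Constructed on-change payload in the datastore-changes-xml layout shown above."""
    return f"""<datastore-changes-xml xmlns="urn:ietf:params:xml:ns:yang:ietf-yang-push">
  <yang-patch xmlns="urn:ietf:params:xml:ns:yang:ietf-yang-patch">
    <patch-id>null</patch-id>
    <edit>
      <edit-id>edit1</edit-id>
      <operation>merge</operation>
      <target>/access-point-oper-data/capwap-data</target>
      <value>
        <capwap-data xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-wireless-access-point-oper">
          <ap-operation-state>{state}</ap-operation-state>
          <wtp-mac>{wtp_mac}</wtp-mac>
        </capwap-data>
      </value>
    </edit>
  </yang-patch>
</datastore-changes-xml>"""


def parse_state_changes(xml_text):
    """Extract one record per capwap-data value carried in a yang-patch edit."""
    root = ET.fromstring(xml_text)
    changes = []
    for edit in root.iterfind(".//ypatch:edit", NS):
        for cap in edit.iterfind("ypatch:value/ap:capwap-data", NS):
            changes.append({
                "edit_id": edit.findtext("ypatch:edit-id", namespaces=NS),
                "operation": edit.findtext("ypatch:operation", namespaces=NS),
                "wtp_mac": cap.findtext("ap:wtp-mac", namespaces=NS),
                "state": cap.findtext("ap:ap-operation-state", namespaces=NS),
            })
    return changes


class ApStateTracker:
    """Remember the last state per AP radio MAC and report only real transitions."""

    def __init__(self):
        self.states = {}

    def apply(self, changes):
        transitions = []
        for ch in changes:
            prev = self.states.get(ch["wtp_mac"])
            self.states[ch["wtp_mac"]] = ch["state"]
            if prev != ch["state"]:
                transitions.append((ch["wtp_mac"], prev, ch["state"]))
        return transitions


if __name__ == "__main__":
    print(build_subscription())
    print("subscription id:", parse_subscription_reply(SAMPLE_REPLY))
    tracker = ApStateTracker()
    # "registered" is the value shown above; "placeholder-down" is invented for the demo.
    for payload in (make_notification("registered"), make_notification("registered"),
                    make_notification("placeholder-down")):
        for mac, old, new in tracker.apply(parse_state_changes(payload)):
            print(f"AP {mac}: {old} -> {new}")
```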


CHAPTER 62
Creating a Lobby Ambassador Account
· Information About Lobby Ambassador Account, on page 525
· Creating a Lobby Ambassador User Account (GUI), on page 525
· Creating a Lobby Ambassador Account (CLI), on page 527
Information About Lobby Ambassador Account
A global administrator can create a lobby ambassador (lobby admin) user for creating guest users. While creating a guest user, a lobby ambassador can create and delete a guest user, besides setting the following parameters for a guest user:
· Password
· Lifetime of the guest user
· Guest role profiles (Quality-of-Service profiles that should be applied on a guest using the AAA attribute list)
You must ensure that the RADIUS server is configured with a Cisco-AV-pair privilege level with a value greater than zero.
Note You can create a lobby admin from a RADIUS or TACACS server, instead of creating one locally. Only the admin can create WLAN and web authentication policies. The admin can also create an AAA attribute list, which the lobby admin can use to map to the corresponding guest user. After an upgrade to Cisco Catalyst 9800 Controller Software release 17.2.x, you must clear the browser cache data to view the lobby admin GUI correctly.
Creating a Lobby Ambassador User Account (GUI)
You can configure administrator or lobby ambassador usernames and passwords to prevent unauthorized users from reconfiguring the controller and viewing configuration information.

Creating a User Account
Procedure

Step 1 From the home page, choose Administration > User Administration.
Step 2 Click Add.
Step 3 In the User Name field, enter a user name for the new account.
Step 4 From the Policy drop-down list, choose the policy that you want to associate with the user.
Step 5 From the Privilege drop-down list, choose the privilege level that you want to associate with the user by clicking the user privilege icon. The following are the options:
· Go to Basic Mode
· Go to Advanced Mode
Go to Basic Mode: This privilege level defines the commands that users can enter using the CLI after they have logged into the device. Privilege 1 allows access in user EXEC mode and privilege 15 allows access in Privileged EXEC mode.
Go to Advanced Mode:
Admin: Users with Privilege 15 can execute all the show, config, and exec commands on the device. These users will have access to all the sections of the GUI.
Read Only: Users with Privileges 1 to 14 are considered read-only users. The default privilege is 1 if a user is created using the GUI. These users will have access only to the Dashboard and the Monitoring sections.
No Access: Users with Privilege 0 can log in to the device through Telnet or SSH and access the CLI. However, they cannot access the GUI.
Lobby Admin: Users who can create only guest user accounts. While creating a guest user, a lobby ambassador can create and delete a guest user, besides setting the following parameters for a guest user:
· Password
· Lifetime of the guest user
· Guest role profiles (Quality-of-Service profiles that should be applied on a guest using the AAA attribute list)
Step 6 In the Password field, enter a password for the new account.
Step 7 In the Confirm Password field, enter the same password again to reconfirm.
Step 8 Click Apply to Device.


Logging In Using the Lobby Account

Note
Execute the following commands before logging in using the lobby credentials:
aaa new-model
aaa authorization exec default local
ip http authentication aaa
Log out from the Administrator account and log in using the lobby credentials. You get to view the Guest User page.

Creating a Lobby Ambassador Account (CLI)

Procedure

Step 1

configure terminal
Example:
Device# configure terminal

Enters global configuration mode.

Step 2

user-name user-name
Example:
Device(config)# user-name lobby

Creates a user account.

Step 3

type lobby-admin
Example:
Device(config-user-name)# type lobby-admin

Specifies the account type as lobby admin.

Step 4

password 0 password
Example:
Device(config-user-name)# password 0 lobby

Creates a password for the lobby administrator account.

Step 5

aaa attribute list wlan_lobby_access
Example:
Device(config-user-name)# aaa attribute list lobby-access

Creates an attribute list for lobby admin access.

Step 6

attribute type wlan-profile-name
Example:
Device(config-user-name)# attribute type wlan_wl_mab

Creates an attribute type for lobby admin access.


Step 7

exit
Example:
Device(config-user-name)# exit

Returns to global configuration mode.


CHAPTER 63
Lobby Ambassador Account
· Information About Lobby Ambassador Account, on page 529
· Creating a Lobby Ambassador User Account (GUI), on page 530
· Creating a Lobby Ambassador Account (CLI), on page 531
· Configuring WLAN (GUI), on page 532
· Client Allowed List, on page 533
· Restrictions for Client Allowed List, on page 533
· Creating a Client Allowed List (GUI), on page 533
· Managing Guest Users, on page 534
· Viewing a Client Allowed List, on page 535
Information About Lobby Ambassador Account
A global administrator can create a lobby ambassador (lobby admin) user for creating guest users. While creating a guest user, a lobby ambassador can create and delete a guest user, besides setting the following parameters for a guest user:
· Password
· Lifetime of the guest user
· Guest role profiles (Quality-of-Service profiles that should be applied on a guest using the AAA attribute list)
You must ensure that the RADIUS server is configured with a Cisco-AV-pair privilege level with a value greater than zero.
Note You can create a lobby admin from a RADIUS or TACACS server, instead of creating one locally. Only the admin can create WLAN and web authentication policies. The admin can also create an AAA attribute list, which the lobby admin can use to map to the corresponding guest user. After an upgrade to Cisco Catalyst 9800 Controller Software release 17.2.x, you must clear the browser cache data to view the lobby admin GUI correctly.

Creating a Lobby Ambassador User Account (GUI)
You can configure administrator or lobby ambassador usernames and passwords to prevent unauthorized users from reconfiguring the controller and viewing configuration information.
Creating a User Account
Procedure

Step 1 From the home page, choose Administration > User Administration.
Step 2 Click Add.
Step 3 In the User Name field, enter a user name for the new account.
Step 4 From the Policy drop-down list, choose the policy that you want to associate with the user.
Step 5 From the Privilege drop-down list, choose the privilege level that you want to associate with the user by clicking the user privilege icon. The following are the options:
· Go to Basic Mode
· Go to Advanced Mode
Go to Basic Mode: This privilege level defines the commands that users can enter using the CLI after they have logged into the device. Privilege 1 allows access in user EXEC mode and privilege 15 allows access in Privileged EXEC mode.
Go to Advanced Mode:
Admin: Users with Privilege 15 can execute all the show, config, and exec commands on the device. These users will have access to all the sections of the GUI.
Read Only: Users with Privileges 1 to 14 are considered read-only users. The default privilege is 1 if a user is created using the GUI. These users will have access only to the Dashboard and the Monitoring sections.
No Access: Users with Privilege 0 can log in to the device through Telnet or SSH and access the CLI. However, they cannot access the GUI.
Lobby Admin: Users who can create only guest user accounts. While creating a guest user, a lobby ambassador can create and delete a guest user, besides setting the following parameters for a guest user:
· Password
· Lifetime of the guest user
· Guest role profiles (Quality-of-Service profiles that should be applied on a guest using the AAA attribute list)
Step 6 In the Password field, enter a password for the new account.
Step 7 In the Confirm Password field, enter the same password again to reconfirm.
Step 8 Click Apply to Device.


Logging In Using the Lobby Account

Note
Execute the following commands before logging in using the lobby credentials:
aaa new-model
aaa authorization exec default local
ip http authentication aaa
Log out from the Administrator account and log in using the lobby credentials. You get to view the Guest User page.

Creating a Lobby Ambassador Account (CLI)

Procedure

Step 1

configure terminal
Example:
Device# configure terminal

Enters global configuration mode.

Step 2

user-name user-name
Example:
Device(config)# user-name lobby

Creates a user account.

Step 3

type lobby-admin
Example:
Device(config-user-name)# type lobby-admin

Specifies the account type as lobby admin.

Step 4

password 0 password
Example:
Device(config-user-name)# password 0 lobby

Creates a password for the lobby administrator account.

Step 5

aaa attribute list wlan_lobby_access
Example:
Device(config-user-name)# aaa attribute list lobby-access

Creates an attribute list for lobby admin access.

Step 6

attribute type wlan-profile-name
Example:
Device(config-user-name)# attribute type wlan_wl_mab

Creates an attribute type for lobby admin access.


Step 7

exit
Example:
Device(config-user-name)# exit

Returns to global configuration mode.

Configuring WLAN (GUI)
Before you begin
You need to enable MAC filtering for Layer 2 authentication to download the redirect URL and ACL.
Procedure

Step 1 Choose Configuration > Tags & Profiles > WLANs.
Step 2 In the WLANs window, click the name of the WLAN or click Add to create a new one.
Step 3 In the Add/Edit WLAN window that is displayed, click the General tab to configure the following parameters:
· In the Profile Name field, enter or edit the name of the profile.
· In the SSID field, enter or edit the SSID name. The SSID name can be alphanumeric, and up to 32 characters in length.
· In the WLAN ID field, enter or edit the ID number. The valid range is between 1 and 512.
· From the Radio Policy drop-down list, choose the 802.11 radio band.
· Using the Broadcast SSID toggle button, change the status to either Enabled or Disabled.
· Using the Status toggle button, change the status to either Enabled or Disabled.
Step 4 Click the Security tab, and then the Layer 2 tab to configure the following parameters:
· From the Layer 2 Security Mode drop-down list, choose None. This setting disables Layer 2 security.
· Enter the Reassociation Timeout value, in seconds. This is the time after which a fast transition reassociation times out.
· Check the Over the DS check box to enable Fast Transition over a distributed system.
· Choose OWE. Opportunistic Wireless Encryption (OWE) provides data confidentiality with encryption over the air between an AP radio and a wireless client. OWE Transition Mode is meant to provide a sort of backwards compatibility.
· Choose Fast Transition. 802.11r, which is the IEEE standard for fast roaming, introduces a new concept of roaming where the initial handshake with a new AP is done even before the corresponding client roams to the target access point. This concept is called Fast Transition.
· Check the check box to enable MAC filtering in the WLAN.
· Check the Lobby Admin Access check box to enable Lobby Admin access.


Step 5 Click Save & Apply to Device.

Client Allowed List
Clients in universities and hotels need access to networks for a limited period of time. These locations also receive many guests with multiple devices. Therefore it becomes important to protect the networks from misuse or unauthorized access, and to allow legitimate clients to connect to the corresponding network.
The client listing feature addresses the need to create an allowed list of client MAC addresses for a particular WLAN or SSID.
When you create a new client MAC address as an allowed-list user with an invalid WLAN profile name, you must be careful while you map the client MAC to the WLAN profile.
The client allowed list supports only MAC addresses written without delimiters.
The two types of administrator roles defined are:
· Global Administrator: Creates a lobby admin user on the controller and enables the lobby administrator's access to each WLAN.
· Lobby Administrator: Adds or deletes a client from the allowed list to manage the association to a WLAN or SSID through the GUI only. Existing lobby administrators can also be used to configure the allowed list.

Restrictions for Client Allowed List
A lobby admin can add clients to allowed list only through the graphical user interface (GUI) and not through the command-line interface (CLI).

Creating a Client Allowed List (GUI)
This section provides multiple methods that you can use as a lobby administrator to create an allowed list for valid users for a WLAN.
Adding Single MAC Address to Allowed List
Procedure

Step 1 Log into the Lobby Admin portal.
Step 2 Click Whitelist Users.
Step 3 From the drop-down list, choose the WLAN.
Step 4 Click Add New Whitelist User.
Step 5 Select the By MAC Address radio button.


Step 6 Enter the MAC address and Description.
Step 7 Click Apply to Device.

Adding Bulk MAC Address to Allowed List
Procedure

Step 1 Log into the Lobby Admin portal.
Step 2 Click Whitelist Users.
Step 3 From the drop-down list, choose the WLAN.
Step 4 Click Add New Whitelist User.
Step 5 Select the Bulk Import radio button.
Step 6 Select the CSV file that lists the clients in MAC Address, Description format.
Step 7 Click Apply to Device.
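The bulk-import file is a plain CSV and the allowed list accepts only delimiter-free MAC addresses, so it is worth validating the file before uploading it. The following Python is an added example (not Cisco code): it normalises each address to the 12-hex-digit form, drops malformed, duplicate and group (multicast) addresses, and rewrites the accepted rows in the MAC Address, Description layout. The sample rows are constructed, and the file is assumed to have no header row.

```python
import csv
import io
import re

MAC_HEX = re.compile(r"[0-9a-f]{12}")

# Constructed CSV (not from the guide) in the "MAC Address, Description" layout
# this procedure describes; assumed to carry no header row.
SAMPLE_CSV = """\
00:1A:2B:3C:4D:5E, visitor laptop
001a.2b3c.4d5f, visitor phone
00-1A-2B-3C-4D-60, badge printer
00:1A:2B:3C:4D:5E, duplicate of first entry
00:1A:2B:3C:4D, too short
01:00:5E:00:00:01, multicast address, not a client
"""


def normalize_mac(raw):
    """Return the delimiter-free lowercase form the allowed list requires, or None."""
    cleaned = re.sub(r"[:\-.\s]", "", raw.strip().lower())
    return cleaned if MAC_HEX.fullmatch(cleaned) else None


def is_group_address(mac):
    """True when the I/G bit of the first octet is set (multicast/broadcast)."""
    return bool(int(mac[:2], 16) & 1)


def prepare_bulk_import(csv_text):
    """Validate and de-duplicate rows; return (accepted [(mac, desc)], rejected [(line, value, why)])."""
    accepted, rejected, seen = [], [], set()
    for lineno, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        if not row or not any(cell.strip() for cell in row):
            continue  # blank line
        mac = normalize_mac(row[0])
        desc = ",".join(cell.strip() for cell in row[1:]).strip()
        if mac is None:
            rejected.append((lineno, row[0].strip(), "not a 48-bit MAC"))
        elif is_group_address(mac):
            rejected.append((lineno, mac, "group (multicast) address"))
        elif mac in seen:
            rejected.append((lineno, mac, "duplicate MAC"))
        else:
            seen.add(mac)
            accepted.append((mac, desc))
    return accepted, rejected


def render_bulk_csv(rows):
    """Serialise accepted rows back into the MAC Address, Description layout."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for mac, desc in rows:
        writer.writerow([mac, desc])
    return out.getvalue()


if __name__ == "__main__":
    ok, bad = prepare_bulk_import(SAMPLE_CSV)
    print(render_bulk_csv(ok), end="")
    for lineno, value, why in bad:
        print(f"line {lineno}: rejected {value!r}: {why}")
```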

Managing Guest Users
Procedure

Step 1 Log in to the Lobby Admin portal using the lobby admin credentials.
Step 2 Click Whitelist Users.
Step 3 From the WLAN drop-down list, choose the corresponding WLAN.
Step 4 From the WLAN Mode, select Onboarding to enable clients to access the network.
Step 5 Click Apply.
Step 6 From the Connected/Not Whitelisted list in the Whitelist window, select a MAC address. Once the clients join the controller, the MAC addresses are listed in Connected/Not Whitelisted. In the Onboarding mode, MAC filtering in the selected WLAN is disabled. In such a scenario you can change the mode using Secure mode.
Step 7 Select Secure to automatically add the clients that are connected to the allowed list. In the Secure mode, MAC filtering in the selected WLAN is enabled.
Step 8 Click Apply to Device.
The clients are listed in Connected/Whitelisted.


Viewing a Client Allowed List
Procedure

Step 1 Log in to the Lobby Admin portal.
Step 2 Click Whitelist Users.
Step 3 From the WLAN drop-down list, choose the corresponding WLAN.
The window lists the following information:
· Connected/Whitelisted: Lists the clients that are connected and added to the allowed list by the Lobby admin.
· Connected/Not Whitelisted: Lists the clients that are connected, but not added to the allowed list by the Lobby admin.
· Not Connected/Whitelisted: Lists the clients that are not connected but added to the allowed list.


CHAPTER 64
Guest User Accounts
· Information About Creating Guest User Accounts, on page 537
· Creating a Guest User Account (GUI), on page 537
· Creating a Guest User Account (CLI), on page 538
· Verifying Guest User Account, on page 539
· Assigning Username to Guest Users in a WLAN (CLI), on page 540
Information About Creating Guest User Accounts
The controller can provide guest user access on WLANs for which you must create guest user accounts. Guest user accounts can be created by network administrators, or, if you would like a non-administrator to be able to create guest user accounts on demand, you can do so through a lobby administrator account. The lobby ambassador has limited configuration privileges and access only to the web pages used to manage the guest user accounts. The lobby ambassador can specify the amount of time that the guest user accounts remain active. After the specified time elapses, the guest user accounts expire automatically. You can associate a user name with a WLAN profile name to restrict guest users to a specific WLAN.
Prerequisites for Guest Users
· Guest users are created by an administrator or lobby ambassador.
· A guest user should not have device access, either through Telnet/SSH or the WebUI.
· Guest users should be role-based.
· A guest user should be able to connect to the network and access the internet.
Creating a Guest User Account (GUI)
Procedure
Step 1 Choose Configuration > Security > Guest User.
Step 2 On the Guest User page, click Add.
Step 3 Enter a user name, password, and description for the new account. Check the Generate password check box to automatically generate a password.
Step 4 Enter the number of simultaneous user logins. Valid values range from 0 to 64. Enter 0 for unlimited users.
Step 5 In the Lifetime section, choose the number of years, months, days, hours, and minutes.
Step 6 Click Save & Apply to Device.

Creating a Guest User Account (CLI)

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: user-name guest-user-name
Example:
Device(config)# user-name guest
Purpose: Creates a guest user account.

Step 3
Command or Action: type network-user description description guest-user max-login-limit number-of-simultaneous-logins lifetime year yy month mm day day hour hour minute minute second second
Example:
Device(config-user-name)# type network-user description sample-description guest-user max-login-limit 3 lifetime 1 years 0 months 0 days 0 hours 0 mins 0 secs
Purpose: Specifies the account type as a guest user account.

Step 4
Command or Action: password 0 password
Example:
Device(config-user-name)# password 0 guest
Purpose: Creates a password for the guest user account.

Step 5
Command or Action: aaa attribute list aaa-attribute-list-name
Example:
Device(config-user-name)# aaa attribute list aaa-attribute-list-name
Purpose: Creates an AAA attribute list to apply QoS profiles to the guest user account.

Step 6
Command or Action: exit
Example:
Device(config-user-name)# exit
Purpose: Returns to global configuration mode.

Note If the lobby admin is local, enter the following command:
aaa authentication login default local
If the lobby admin is a remote user, enter the following commands:
aaa authentication login default group radius/tacacs
aaa remote username <remote-lobby-admin-name>
For either a local or a remote lobby admin, enter the following command to map the authorization policies:
aaa authorization exec default local

Verifying Guest User Account

To verify all the guest user accounts, use the following command:

Device# show aaa local guest_user all
User-Name           : new4
Type                : GUEST USER
Password            : *
Is_passwd_encrypted : No
Attribute-List      : Not-Configured
Viewname            : Not-Configured
Lobby Admin Name    : NEW_LOBBY_ADMIN
Max Login Limit     : 0
Description         : guest
Start-Time          : 07:56:39 IST Jan 25 2019
Lifetime            : 1 years 0 months 0 days 0 hours 0 mins 0 secs
Expiry-Time         : 07:56:39 IST Jan 20 2020
Remaining Lifetime  : 0 years 11 months 29 days 22 hours 52 mins 49 secs

To verify a specific guest user account, use the following command:

Device# show aaa local guest_user new_guest3
User-Name           : new_guest3
Type                : GUEST USER
Password            : *
Is_passwd_encrypted : No
Attribute-List      : Not-Configured
Viewname            : Not-Configured
Lobby Admin Name    : INVALID_ADMIN
Max Login Limit     : 9
Description         : new
Start-Time          : 04:39:01 IST Feb 4 2019
Lifetime            : 1 years 0 months 0 days 0 hours 0 mins 0 secs


Expiry-Time         : 04:39:01 IST Jan 30 2020
Remaining Lifetime  : 0 years 11 months 11 days 21 hours 16 mins 34 secs
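The following Python script is an added example and not part of this guide or of the controller software. It parses the show aaa local guest_user output reproduced above, recomputes each account's expiry from its Start-Time and Lifetime, and raises the findings a periodic review of local guest accounts would want: accounts past their Expiry-Time, accounts whose Max Login Limit is 0 (unlimited simultaneous logins), and passwords stored unencrypted. The 30-day month and 360-day year convention is an assumption inferred from the sample output (Jan 25 2019 plus one year yields Jan 20 2020 on the page; it is not documented here), and the function names are mine.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the two records this page shows for
# "show aaa local guest_user", in the controller's key : value layout.
SAMPLE_OUTPUT = """\
User-Name           : new4
Type                : GUEST USER
Password            : *
Is_passwd_encrypted : No
Attribute-List      : Not-Configured
Viewname            : Not-Configured
Lobby Admin Name    : NEW_LOBBY_ADMIN
Max Login Limit     : 0
Description         : guest
Start-Time          : 07:56:39 IST Jan 25 2019
Lifetime            : 1 years 0 months 0 days 0 hours 0 mins 0 secs
Expiry-Time         : 07:56:39 IST Jan 20 2020
Remaining Lifetime  : 0 years 11 months 29 days 22 hours 52 mins 49 secs

User-Name           : new_guest3
Type                : GUEST USER
Password            : *
Is_passwd_encrypted : No
Attribute-List      : Not-Configured
Viewname            : Not-Configured
Lobby Admin Name    : INVALID_ADMIN
Max Login Limit     : 9
Description         : new
Start-Time          : 04:39:01 IST Feb 4 2019
Lifetime            : 1 years 0 months 0 days 0 hours 0 mins 0 secs
Expiry-Time         : 04:39:01 IST Jan 30 2020
Remaining Lifetime  : 0 years 11 months 11 days 21 hours 16 mins 34 secs
"""

FIELD_RE = re.compile(r"^\s*([A-Za-z_ -]+?)\s*:\s*(.*?)\s*$")
LIFETIME_RE = re.compile(
    r"(\d+) years (\d+) months (\d+) days (\d+) hours (\d+) mins (\d+) secs")


def parse_guest_users(text):
    """Split the show output into one dict per User-Name block."""
    records, current = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "User-Name":
            current = {}
            records.append(current)
        if current is not None:
            current[key] = value
    return records


def parse_timestamp(value):
    """'07:56:39 IST Jan 25 2019' -> datetime. The zone label is dropped;
    every timestamp printed by one controller carries the same zone."""
    hms, _zone, mon, day, year = value.split()
    return datetime.strptime(f"{hms} {mon} {day} {year}", "%H:%M:%S %b %d %Y")


def lifetime_to_timedelta(value):
    """Assumption (inferred from the page's sample output, not documented):
    a month counts as 30 days and a year as 360 days. That is the only
    reading under which Start-Time + Lifetime equals the printed Expiry-Time."""
    y, mo, d, h, mi, s = (int(x) for x in LIFETIME_RE.search(value).groups())
    return timedelta(days=y * 360 + mo * 30 + d, hours=h, minutes=mi, seconds=s)


def expected_expiry(record):
    """Recompute the expiry so a tampered or mis-set Expiry-Time stands out."""
    return parse_timestamp(record["Start-Time"]) + lifetime_to_timedelta(record["Lifetime"])


def audit_guest_users(records, now_text):
    """Return (user, finding) pairs; now_text uses the controller's timestamp format."""
    now = parse_timestamp(now_text)
    findings = []
    for r in records:
        user = r["User-Name"]
        expiry = parse_timestamp(r["Expiry-Time"])
        if expiry <= now:
            findings.append((user, "past its Expiry-Time"))
        if expected_expiry(r) != expiry:
            findings.append((user, "Expiry-Time disagrees with Start-Time + Lifetime"))
        if r.get("Max Login Limit") == "0":
            findings.append((user, "unlimited simultaneous logins"))
        if r.get("Is_passwd_encrypted") == "No":
            findings.append((user, "password not stored encrypted"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_guest_users(parse_guest_users(SAMPLE_OUTPUT),
                                           "12:00:00 IST Jun 1 2019"):
        print(f"{user}: {finding}")
```

Run it against the output of show aaa local guest_user all captured from a controller; the expiry recomputation is the part worth keeping even if the other checks are tuned to local policy.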

Assigning Username to Guest Users in a WLAN (CLI)
Before you begin
· If wlan-profile-name is configured for a user, guest user authentication is allowed only from that WLAN.
· If wlan-profile-name is not configured for a user, guest user authentication is allowed on any WLAN.
· To work in connected mode, you need to configure AAA policy override under both SSID policies before assigning a username to a guest user on a WLAN.

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: username user_name mac wlan-profile-name profile_name
Example:
Device(config)# username user_name mac wlan-profile-name profile_name
Purpose: Assigns a username to the WLAN profile.
Note The wlan-profile-name per user is applicable for MAC type users.

Step 3
Command or Action: show aaa local guest_user new_guest3
Example:
Device# show aaa local guest_user new_guest3
Purpose: (Optional) Displays the values of the WLAN profile.

Step 4
Command or Action: end
Example:
Device(config)# end
Purpose: Returns to privileged EXEC mode.


PART VI
System Management
· Network Mobility Services Protocol, on page 543
· Application Visibility and Control, on page 557
· Cisco Hyperlocation, on page 579
· FastLocate for Cisco Catalyst Series Access Points, on page 591
· IoT Services Management, on page 595
· IoT Module Management in the Controller, on page 601
· Cisco Spaces, on page 605
· EDCA Parameters, on page 609
· Adaptive Client Load-Based EDCA, on page 613
· 802.11 parameters and Band Selection, on page 617
· NBAR Protocol Discovery, on page 637
· Conditional Debug, Radioactive Tracing, and Packet Tracing, on page 639
· Aggressive Client Load Balancing, on page 651
· Accounting Identity List, on page 655
· Support for Accounting Session ID, on page 659
· Wireless Multicast, on page 663
· Map-Server Per-Site Support, on page 683
· Volume Metering, on page 691
· Enabling Syslog Messages in Access Points and Controller for Syslog Server, on page 693
· Login Banner, on page 705
· Wi-Fi Alliance Agile Multiband, on page 707
· Configuring Local and Wide Area Bonjour Domains, on page 713
· SNMP Traps, on page 747
· Disabling Clients with Random MAC Address, on page 753

CHAPTER 65
Network Mobility Services Protocol
· Information About Network Mobility Services Protocol, on page 543
· Radioactive Tracing for NMSP, on page 544
· Enabling NMSP on Premises Services, on page 544
· Modifying the NMSP Notification Interval for Clients, RFID Tags, and Rogues, on page 545
· Modifying the NMSP Notification Threshold for Clients, RFID Tags, and Rogues, on page 545
· Configuring NMSP Strong Cipher, on page 546
· Verifying NMSP Settings, on page 546
· Examples: NMSP Settings Configuration, on page 549
· NMSP by AP Groups with Subscription List from CMX, on page 549
· Verifying NMSP by AP Groups with Subscription List from CMX, on page 549
· Probe RSSI Location, on page 551
· Configuring Probe RSSI, on page 551
· RFID Tag Support, on page 553
· Configuring RFID Tag Support, on page 553
· Verifying RFID Tag Support, on page 554
Information About Network Mobility Services Protocol
Cisco Network Mobility Services Protocol (NMSP) is a secure two-way protocol that can be run over a connection-oriented (TLS) or HTTPS transport. The wireless infrastructure runs the NMSP server, and Cisco Connected Mobile Experiences (Cisco CMX) acts as an NMSP client. The controller supports multiple services, and multiple Cisco CMXs can connect to the NMSP server to get the data for the services (location of wireless devices, probe RSSI, hyperlocation, wIPS, and so on) over the NMSP or HTTPS session.
NMSP defines the intercommunication between Cisco CMX and the controller. Cisco CMX communicates with the controller over a routed IP network. Both publish-subscribe and request-reply communication models are supported. Typically, Cisco CMX establishes a subscription to receive services data from the controller in the form of periodic updates. The controller acts as a data publisher, broadcasting services data to multiple CMXs. Besides subscription, Cisco CMX can also send requests to the controller, causing the controller to send a response back.
The following is a list of the Network Mobility Services Protocol features:
· NMSP is disabled by default.
· NMSP communicates with Cisco CMX using TCP, and uses TLS for encryption.
· Wireless intrusion prevention system (wIPS) is supported only over TCP and TLS.
· Bidirectional communication is supported and Cisco CMX can send a message asynchronously over the established channel.

Note HTTPS is not supported for data transport between controller and Cisco CMX.

Radioactive Tracing for NMSP
This feature collects and provides all CMX-related events. When a controller is added to CMX with existing logging or serviceability tools, the following occurs:
· CMX reaches out to the controller through SNMP and the CLI.
· CMX configures the CMX hash key on the controller.
· CMX requests the controller to open an NMSP connection.
RA tracing simplifies troubleshooting by allowing you to:
· Run an RA trace on the CMX IP address on the controller.
· Collect all logs about it.

Enabling NMSP on Premises Services

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: nmsp enable
Example:
Device(config)# nmsp enable
Purpose: Enables NMSP on premises services.
Note By default, the NMSP is enabled on the controller.

Step 3
Command or Action: end
Example:
Device(config)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.


Modifying the NMSP Notification Interval for Clients, RFID Tags, and Rogues
NMSP manages communication between the Cisco Connected Mobile Experience (Cisco CMX) and the controller for incoming and outgoing traffic. If your application requires more frequent location updates, you can modify the NMSP notification interval (to a value between 1 and 180 seconds) for clients, active RFID tags, and rogue access points and clients.

Note The TCP port (16113) that the controller and Cisco CMX communicate over must be open (not blocked) on any firewall that exists between the controller and the Cisco CMX for NMSP to function.

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: nmsp notification interval {rssi {clients | rfid | rogues {ap | client} | spectrum interferers} interval}
Example:
Device(config)# nmsp notification interval rssi rfid 50
Purpose: Sets the NMSP notification interval value for clients, RFID tags, rogue clients, and access points.
interval: NMSP notification interval value, in seconds, for RSSI measurement. Valid range is from 1 to 180.

Step 3
Command or Action: end
Example:
Device(config)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Modifying the NMSP Notification Threshold for Clients, RFID Tags, and Rogues

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: location notify-threshold {clients | rogues ap | tags} threshold
Example:
Device(config)# location notify-threshold clients 5
Purpose: Configures the NMSP notification threshold for clients, RFID tags, rogue clients, and access points.
threshold: RSSI threshold value in dB. Valid range is from 0 to 10, with a default value of 0.

Step 3
Command or Action: end
Example:
Device(config)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Configuring NMSP Strong Cipher

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: nmsp strong-cipher
Example:
Device(config)# nmsp strong-cipher
Purpose: Enables strong ciphers for the NMSP server. The strong cipher suite list contains ECDHE-RSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-GCM-SHA256, AES256-SHA256, AES256-SHA, AES128-SHA256, and AES128-SHA. The normal cipher suite list contains ECDHE-RSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-GCM-SHA256, and AES128-SHA.

Step 3
Command or Action: end
Example:
Device(config)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.
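The following Python snippet is an added example, not code from this guide or from Cisco. It decodes the OpenSSL-style suite names listed for the normal and strong sets above, so a reviewer can see what nmsp strong-cipher actually changes: the three suites the strong set adds (AES256-SHA256, AES256-SHA, AES128-SHA256) all use RSA key transport and CBC mode, so the option adds AES-256 and widens the negotiable set rather than restricting NMSP to forward-secret AEAD suites. The function names are mine; the suite lists are copied from the page.

```python
# The two cipher lists exactly as this page gives them for the NMSP server:
# NORMAL is the default set, STRONG is what "nmsp strong-cipher" enables.
NORMAL_SUITES = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "AES128-SHA",
]
STRONG_SUITES = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "AES256-SHA256",
    "AES256-SHA",
    "AES128-SHA256",
    "AES128-SHA",
]


def describe_suite(name):
    """Decode an OpenSSL-style TLS 1.2 suite name into its building blocks.

    A name with no ECDHE prefix (e.g. AES128-SHA) uses RSA key transport,
    which gives no forward secrecy. A name without GCM uses CBC mode with an
    HMAC: a trailing "SHA" means HMAC-SHA1, "SHA256" means HMAC-SHA256. For
    GCM suites the trailing hash is the PRF, not a MAC, so it is reported
    as AEAD."""
    parts = name.split("-")
    if parts[0] == "ECDHE":
        kx, auth, parts = "ECDHE", parts[1], parts[2:]
    else:
        kx, auth = "RSA", "RSA"
    aead = "GCM" in parts
    if aead:
        mac = "AEAD"
    elif parts[-1] == "SHA":
        mac = "HMAC-SHA1"
    else:
        mac = "HMAC-" + parts[-1]
    return {
        "name": name,
        "key_exchange": kx,
        "authentication": auth,
        "cipher": parts[0],
        "mode": "GCM" if aead else "CBC",
        "mac": mac,
        "forward_secrecy": kx == "ECDHE",
    }


def legacy_suites(suites):
    """Suites with no forward secrecy or no AEAD: the ones a reviewer should
    know remain negotiable even with strong-cipher enabled."""
    out = []
    for s in suites:
        d = describe_suite(s)
        if not d["forward_secrecy"] or d["mode"] != "GCM":
            out.append(s)
    return out


def added_by_strong_cipher():
    """What 'nmsp strong-cipher' adds on top of the normal set."""
    return [s for s in STRONG_SUITES if s not in NORMAL_SUITES]


if __name__ == "__main__":
    for s in added_by_strong_cipher():
        d = describe_suite(s)
        print(f"{s}: kx={d['key_exchange']} mode={d['mode']} mac={d['mac']}")
```

The practical reading for a defender: with either setting the two ECDHE GCM suites are what a modern CMX should negotiate, and the client side, not this knob, decides whether the CBC fallbacks ever get used.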

Verifying NMSP Settings

To view the NMSP capabilities of the controller, use the following command:

Device# show nmsp capability
Service             Subservice
-----------------------------
RSSI                Rogue, Tags, Mobile Station,
Spectrum            Aggregate Interferer, Air Quality, Interferer,
Info                Rogue, Mobile Station,
Statistics          Rogue, Tags, Mobile Station,
AP Monitor          Subscription
On Demand Services  Device Info
AP Info             Subscription

To view the NMSP notification intervals, use the following command:

Device# show nmsp notification interval
NMSP Notification Intervals
---------------------------
RSSI Interval:
  Client        : 2 sec
  RFID          : 50 sec
  Rogue AP      : 2 sec
  Rogue Client  : 2 sec
  Spectrum      : 2 sec

To view the connection-specific statistics counters for all CMX connections, use the following command:

Device# show nmsp statistics connection
NMSP Connection Counters
------------------------
CMX IP Address: 10.22.244.31, Status: Active
State:
  Connections          : 1
  Disconnections       : 0
  Rx Data Frames       : 13
  Tx Data Frames       : 99244
  Unsupported messages : 0
Rx Message Counters:
  ID  Name                        Count
  ----------------------------------------------
  1   Echo Request                6076
  7   Capability Notification     2
  13  Measurement Request         5
  16  Information Request         3
  20  Statistics Request          2
  30  Service Subscribe Request   1
Tx Message Counters:
  ID  Name                        Count
  ----------------------------------------------
  2   Echo Response               6076
  7   Capability Notification     1
  14  Measurement Response        13
  15  Measurement Notification    91120
  17  Information Response        6
  18  Information Notification    7492
  21  Statistics Response         2
  22  Statistics Notification     305
  31  Service Subscribe Response  1
  67  AP Info Notification        304

To view the common statistics counters of the controller's NMSP service, use the following command:

Device# show nmsp statistics summary
NMSP Global Counters
--------------------
Number of restarts              :
SSL Statistics
--------------------
Total amount of verifications   : 6
Verification failures           : 6
Verification success            : 0
Amount of connections created   : 8
Amount of connections closed    : 7
Total amount of accept attempts : 8
Failures in accept              : 0
Amount of successful accepts    : 8
Amount of failed registrations  : 0
AAA Statistics
--------------------
Total amount of AAA requests    : 7
Failed to send requests         : 0
Requests sent to AAA            : 7
Responses from AAA              : 7
Responses from AAA to validate  : 7
Responses validate error        : 6
Responses validate success      : 1
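As an added example (not code from this guide or from Cisco), the following Python check parses the show nmsp statistics summary output above and turns the SSL and AAA counters into findings for a health or detection check. The page's own sample, with 6 verification failures and 0 successes, is exactly the condition such a check should surface: every NMSP peer that connected failed TLS verification. The finding strings and function names are mine.

```python
import re

# Constructed sample: the "show nmsp statistics summary" output shown on this
# page, with the empty "Number of restarts" value reproduced as printed.
SAMPLE_SUMMARY = """\
NMSP Global Counters
--------------------
Number of restarts              :
SSL Statistics
--------------------
Total amount of verifications   : 6
Verification failures           : 6
Verification success            : 0
Amount of connections created   : 8
Amount of connections closed    : 7
Total amount of accept attempts : 8
Failures in accept              : 0
Amount of successful accepts    : 8
Amount of failed registrations  : 0
AAA Statistics
--------------------
Total amount of AAA requests    : 7
Failed to send requests         : 0
Requests sent to AAA            : 7
Responses from AAA              : 7
Responses from AAA to validate  : 7
Responses validate error        : 6
Responses validate success      : 1
"""

# "name : value" where value is a decimal counter or empty
COUNTER_RE = re.compile(r"^([A-Za-z][A-Za-z ]+?)\s*:\s*(\d*)\s*$")


def parse_counters(text):
    """Map each counter line to an int; an empty value becomes None."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            name, value = m.groups()
            counters[name] = int(value) if value else None
    return counters


def assess_nmsp_health(counters):
    """Findings a defender would want raised from these counters."""
    findings = []
    total = counters.get("Total amount of verifications") or 0
    failed = counters.get("Verification failures") or 0
    ok = counters.get("Verification success") or 0
    if failed:
        findings.append(f"tls: {failed} of {total} peer verifications failed")
    if total and ok == 0:
        findings.append("tls: no peer has ever passed verification")
    accept_failures = counters.get("Failures in accept") or 0
    if accept_failures:
        findings.append(f"nmsp: {accept_failures} accept failures")
    errors = counters.get("Responses validate error") or 0
    if errors:
        findings.append(f"aaa: {errors} responses failed validation")
    return findings


if __name__ == "__main__":
    for finding in assess_nmsp_health(parse_counters(SAMPLE_SUMMARY)):
        print(finding)
```

A run over the page's sample reports the TLS and AAA validation failures; a healthy controller with a properly paired CMX produces an empty list, which is what a scheduled check should compare against.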

To view the overall NMSP connections, use the following command:

Device# show nmsp status
NMSP Status
-----------
CMX IP Address  Active  Tx Echo Resp  Rx Echo Req  Tx Data  Rx Data  Transport
-----------------------------------------------------------------------------------------
127.0.0.1       Active  6             6            1        2        TLS

To view all mobility services subscribed by all CMXs, use the following command:

Device# show nmsp subscription detail
CMX IP address 127.0.0.1:
Service        Subservice
-----------------------------
RSSI           Rogue, Tags, Mobile Station,
Spectrum
Info           Rogue, Mobile Station,
Statistics     Tags, Mobile Station,
AP Info        Subscription

To view all mobility services subscribed by a specific CMX, use the following command:

Device# show nmsp subscription detail <ip_addr>
CMX IP address 127.0.0.1:
Service        Subservice
-----------------------------
RSSI           Rogue, Tags, Mobile Station,
Spectrum
Info           Rogue, Mobile Station,
Statistics     Tags, Mobile Station,
AP Info        Subscription

To view the overall mobility services subscribed by all CMXs, use the following command:

Device# show nmsp subscription summary
Service        Subservice
-----------------------------
RSSI           Rogue, Tags, Mobile Station,
Spectrum
Info           Rogue, Mobile Station,
Statistics     Tags, Mobile Station,
AP Info        Subscription

Examples: NMSP Settings Configuration
This example shows how to configure the NMSP notification interval for RFID tags:
Device# configure terminal
Device(config)# nmsp notification interval rssi rfid 50
Device(config)# end
Device# show nmsp notification interval

This example shows how to configure the NMSP notification interval for clients:
Device# configure terminal
Device(config)# nmsp notification interval rssi clients 180
Device(config)# end
Device# show nmsp notification interval
NMSP by AP Groups with Subscription List from CMX
The Cisco CMX group support allows you to send only the required Network Mobility Services Protocol (NMSP) data to Cisco CMX (applicable to both on-premises and cloud-based CMX). The Cisco CMX can subscribe to NMSP data of specific APs or AP groups based on the active services in the wireless controller. This feature helps in load balancing and optimizing the data flow load, when the APs are distributed across different CMX servers. The Cisco CMX server creates a CMX AP group giving it a unique name and groups the APs under it.
Note The Cisco CMX AP Group is the list of Cisco APs managed by the Cisco CMX for location services. This AP group is not the same as the wireless controller AP group.
This feature supports the following services:
· Client
· Probe client filtering
· Hyperlocation
· BLE Services
Note NMSP subscription is available only for those services that are in enabled state in the wireless controller.
Verifying NMSP by AP Groups with Subscription List from CMX
To verify mobility services group subscription summary of all CMX connections, use the following command:

Device# show nmsp subscription group summary
CMX IP address: 127.0.0.1
Groups subscribed by this CMX server:
Group name: Group1

To view the services that are subscribed for an AP group by a CMX connection, use the following command:

Device# show nmsp subscription group detail services group-name cmx-ip-address
CMX IP address: 127.0.0.1
CMX Group name: Group1
CMX Group filtered services:
Service        Subservice
-----------------------------
RSSI           Mobile Station,
Spectrum
Info
Statistics

To view the AP MAC list that is subscribed for an AP group by a CMX connection, use the following command:

Device# show nmsp subscription group detail ap-list group-name cmx-ip-address
CMX IP address: 127.0.0.1
CMX Group name: Group1
CMX Group AP MACs: : 00:00:00:00:70:02 00:00:00:00:66:02
00:00:00:00:55:02 00:00:00:00:50:02 00:10:00:10:00:02 00:00:00:06:00:02 00:00:00:99:00:02 00:00:00:00:a0:02 00:00:00:00:00:92 00:00:00:00:00:82 00:00:00:50:00:42 00:00:0d:00:00:02 00:00:00:88:00:02 20:00:00:00:00:02 00:00:00:00:00:02 00:00:00:00:00:01
00:99:00:00:00:02 00:33:00:00:00:02 00:00:00:02:00:02 00:00:77:00:00:02 00:00:00:00:03:02 00:00:00:00:00:32 10:00:00:00:00:02 00:00:00:00:00:00
00:00:00:bb:00:02 00:d0:00:00:00:02 00:00:00:00:40:02 00:22:00:00:00:02 aa:00:00:00:00:02 00:00:00:cc:00:02 01:00:00:00:00:02

To view CMX-AP grouping details for all CMXs, use the following command:

Device# show nmsp subscription group detail all
CMX IP address: 127.0.0.1
Groups subscribed by this CMX server:
Group name: Group1
CMX Group filtered services:
Service        Subservice
-----------------------------
RSSI           Mobile Station,
Spectrum
Info
Statistics
CMX Group AP MACs: : 00:00:00:00:00:03 00:00:00:00:00:02 00:00:00:00:00:01
Group name: Group2
CMX Group filtered services:
Service        Subservice
-----------------------------
RSSI           Tags,
Spectrum
Info
Statistics
CMX Group AP MACs: : 00:00:00:00:03:00 00:00:00:00:02:00 00:00:00:00:01:00
Group name: Group3
CMX Group filtered services:
Service        Subservice
-----------------------------
RSSI           Rogue,
Spectrum
Info
Statistics
CMX Group AP MACs: : 00:00:00:03:00:00 00:00:00:02:00:00 00:00:00:01:00:00

To view all the AP lists subscribed by all CMXs, use the following command:
Device# show nmsp subscription group detail ap-list <group> <cmx-ip>

To view all the services subscribed by all CMXs, use the following command:
Device# show nmsp subscription group detail services <group> <cmx-ip>

Probe RSSI Location
The Probe RSSI Location feature allows the wireless controller and Cisco CMX to support the following:
· Load balancing
· Coverage Hole detection
· Location updates to CMX
When a wireless client is enabled, it sends probe requests to identify the wireless networks in the vicinity and also to find the received signal strength indication (RSSI) associated with the identified Service Set Identifiers (SSIDs).
The wireless client periodically performs active scanning in the background even after being connected to an access point. This helps it maintain an updated list of access points with the best signal strength to connect to. When the wireless client can no longer connect to an access point, it uses the stored access point list to connect to another access point that gives it the best signal strength. The access points in the WLAN gather these probe requests, the RSSI, and the MAC address of the wireless clients and forward them to the wireless controller. The Cisco CMX gathers this data from the wireless controller and uses it to compute the updated location of the wireless client when it roams across the network.

Configuring Probe RSSI

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wireless probe filter
Example:
Device(config)# wireless probe filter
Purpose: Enables filtering of unacknowledged probe requests from the AP to improve the location accuracy. Filtering is enabled by default. Use the no form of the command to disable the feature; this forwards both acknowledged and unacknowledged probe requests to the controller.

Step 3
Command or Action: wireless probe limit limit-value interval
Example:
Device(config)# wireless probe limit 10 100
Purpose: Configures the number of probe requests reported to the wireless controller from the AP for the same client in a given interval. Use the no form of the command to revert to the default limit, which is 2 probes at an interval of 500 ms.

Step 4
Command or Action: wireless probe locally-administered-mac
Example:
Device(config)# wireless probe locally-administered-mac
Purpose: Enables the reporting of probes from clients that have a locally administered MAC address.

Step 5
Command or Action: location algorithm rssi-average
Example:
Device(config)# location algorithm rssi-average
Purpose: Sets the probe RSSI measurement updates to a more accurate algorithm, but with more CPU overhead.

Step 6
Command or Action: location algorithm simple
Example:
Device(config)# location algorithm simple
Purpose: (Optional) Sets the probe RSSI measurement updates to a faster algorithm with smaller CPU overhead, but less accuracy. Use the no form of the command to revert the algorithm type to the default one, which is rssi-average.

Step 7
Command or Action: location expiry client interval
Example:
Device(config)# location expiry client 300
Purpose: Configures the timeout for RSSI values. The no form of the command sets it to the default value of 15.

Step 8
Command or Action: location notify-threshold client threshold-db
Example:
Device(config)# location notify-threshold client 5
Purpose: Configures the notification threshold for clients. The no form of the command sets it to the default value of 0.

Step 9
Command or Action: location rssi-half-life client time-in-seconds
Example:
Device(config)# location rssi-half-life client 20
Purpose: Configures the half life used when averaging two RSSI readings. To disable this option, set the value to 0.
What to do next
Use the show wireless client probing command to view each probing client (associated and probing only) in batches of 10 MAC addresses.
RFID Tag Support
The controller enables you to configure radio frequency identification (RFID) tag tracking. RFID tags are small wireless battery-powered tags that continuously broadcast their own signal and are affixed to assets for real-time location tracking. They operate by advertising their location using special 802.11 packets, which are processed by access points, the controller, and the Cisco CMX. Only active RFIDs are supported. A combination of active RFID tags and a wireless controller allows you to track the current location of equipment. Active tags are typically used in real-time tracking of high-value assets in closed-loop systems (that is, systems in which the tags are not intended to physically leave the control premises of the tag owner or originator). For more information on RFID tags, see the Active RFID Tags section of the Wi-Fi Location-Based Services 4.1 Design Guide.
General Guidelines
· Only Cisco-compliant active RFID tags are supported.
· You can verify the RFID tags on the controller.
· High Availability for RFID tags is supported.

Configuring RFID Tag Support

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wireless rfid
Example:
Device(config)# wireless rfid
Purpose: Enables RFID tag tracking. The default value is enabled. Use the no form of this command to disable RFID tag tracking.

Step 3
Command or Action: wireless rfid timeout timeout-value
Example:
Device(config)# wireless rfid timeout 90
Purpose: Configures the RFID tag data timeout value used to clean up the table. The timeout value is the amount of time that the controller maintains tags before expiring them. For example, if a tag is configured to beacon every 30 seconds, we recommend that you set the timeout value to 90 seconds (approximately three times the beacon value). The default value is 1200 seconds.

Verifying RFID Tag Support

To view the summary of RFID tags that are clients, use the following command:
Device# show wireless rfid client

To view the detailed information for an RFID tag, use the following command:
Device# show wireless rfid detail <rfid-mac-address>
RFID address 000c.cc96.0001
Vendor Cisco
Last Heard 6 seconds ago
Packets Received 187
Bytes Received 226
Content Header
==============
CCX Tag Version 0
Tx power: 12
Channel: 11
Reg Class: 4
CCX Payload
==============
Last Sequence Control 2735
Payload length 221
Payload Data Hex Dump:
00000000 00 02 00 00 01 09 00 00 00 00 0c b8 ff ff ff 02 |................|
00000010 07 42 03 20 00 00 0b b8 03 4b 00 00 00 00 00 00 |.B. .....K......|
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|

To view the summary information for all known RFID tags, use the following command:
Device# show wireless rfid summary
Total RFID entries: : 16
Total Unique RFID entries : 16
RFID ID         VENDOR   Closet AP        RSSI   Time Since Last Heard
0012.b80a.c791  Cisco    7069.5a63.0520   -31    3 minutes 30 seconds ago
0012.b80a.c953  Cisco    7069.5a63.0460   -33    4 minutes 5 seconds ago
0012.b80b.806c  Cisco    7069.5a63.0520   -46    15 seconds ago
0012.b80d.e9f9  Cisco    7069.5a63.0460   -38    4 minutes 28 seconds ago
0012.b80d.ea03  Cisco    7069.5a63.0520   -43    4 minutes 29 seconds ago
0012.b80d.ea6b  Cisco    7069.5a63.0460   -39    4 minutes 26 seconds ago
0012.b80d.ebe8  Cisco    7069.5a63.0520   -43    3 minutes 21 seconds ago
0012.b80d.ebeb  Cisco    7069.5a63.0520   -43    4 minutes 28 seconds ago
0012.b80d.ec48  Cisco    7069.5a63.0460   -42    4 minutes 7 seconds ago
0012.b80d.ec55  Cisco    7069.5a63.0520   -41    1 minute 52 seconds ago
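The following Python script is an added example, not code from this guide or from Cisco. It parses the show wireless rfid summary table above, converts each Time Since Last Heard value into seconds, and lists the tags that would be purged under a given wireless rfid timeout, so the timeout chosen in the procedure above can be sanity-checked against what the controller is actually hearing. It also encodes the guide's rule of thumb of roughly three times the tag beacon interval. The function names are mine; the sample rows are the page's own.

```python
import re

# Constructed sample: the "show wireless rfid summary" output shown on this page.
SAMPLE_SUMMARY = """\
Total RFID entries: : 16
Total Unique RFID entries : 16
RFID ID         VENDOR   Closet AP        RSSI   Time Since Last Heard
0012.b80a.c791  Cisco    7069.5a63.0520   -31    3 minutes 30 seconds ago
0012.b80a.c953  Cisco    7069.5a63.0460   -33    4 minutes 5 seconds ago
0012.b80b.806c  Cisco    7069.5a63.0520   -46    15 seconds ago
0012.b80d.e9f9  Cisco    7069.5a63.0460   -38    4 minutes 28 seconds ago
0012.b80d.ea03  Cisco    7069.5a63.0520   -43    4 minutes 29 seconds ago
0012.b80d.ea6b  Cisco    7069.5a63.0460   -39    4 minutes 26 seconds ago
0012.b80d.ebe8  Cisco    7069.5a63.0520   -43    3 minutes 21 seconds ago
0012.b80d.ebeb  Cisco    7069.5a63.0520   -43    4 minutes 28 seconds ago
0012.b80d.ec48  Cisco    7069.5a63.0460   -42    4 minutes 7 seconds ago
0012.b80d.ec55  Cisco    7069.5a63.0520   -41    1 minute 52 seconds ago
"""

# Cisco dotted MAC form, e.g. 0012.b80a.c791
MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
ROW_RE = re.compile(r"^(" + MAC + r")\s+(\S+)\s+(" + MAC + r")\s+(-?\d+)\s+(.+?) ago$")
UNIT_SECONDS = {"hour": 3600, "minute": 60, "second": 1}


def age_to_seconds(text):
    """'4 minutes 5 seconds' -> 245; units may be singular or plural."""
    total = 0
    for num, unit in re.findall(r"(\d+)\s+(hour|minute|second)s?", text):
        total += int(num) * UNIT_SECONDS[unit]
    return total


def parse_rfid_summary(text):
    """One dict per tag row; header and total lines are skipped."""
    tags = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            mac, vendor, ap, rssi, age = m.groups()
            tags.append({"mac": mac, "vendor": vendor, "closest_ap": ap,
                         "rssi": int(rssi), "age_s": age_to_seconds(age)})
    return tags


def recommended_timeout(beacon_interval_s):
    """The guide's rule of thumb: about three times the tag beacon interval."""
    return 3 * beacon_interval_s


def stale_tags(tags, timeout_s):
    """Tags not heard within timeout_s. With that timeout in effect the
    controller expires them from its table, and any location consumer
    (Cisco CMX) loses the asset until the tag is heard again."""
    return [t["mac"] for t in tags if t["age_s"] > timeout_s]


if __name__ == "__main__":
    tags = parse_rfid_summary(SAMPLE_SUMMARY)
    for timeout in (recommended_timeout(30), 1200):
        print(f"timeout {timeout}s: {len(stale_tags(tags, timeout))} of {len(tags)} tags stale")
```

Against the page's sample, the 90-second value from the procedure's example would expire nine of the ten listed tags, while the 1200-second default keeps all of them; the right timeout follows from the beacon interval the tags are actually configured with, not from either number in isolation.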

To view the location-based system RFID statistics, use the following command:
Device# show wireless rfid stats
RFID stats :
==============
RFID error db full : 0
RFID error invalid paylod : 0
RFID error invalid tag : 0
RFID error dot11 hdr : 0
RFID error pkt len : 0
RFID error state drop : 0
RFID total pkt received : 369
RFID populated error value : 0
RFID error insert records : 0
RFID error update records : 0
RFID total insert record : 16
RFID ccx payload error : 0
RFID total delete record : 0
RFID error exceeded ap count : 0
RFID error record remove : 0
RFID old rssi expired count: 0
RFId smallest rssi expireed count : 0
RFID total query insert : 0
RFID error invalid rssi count : 0

To view the NMSP notification interval, use the following command:
Device# show nmsp notification interval
NMSP Notification Intervals
---------------------------
RSSI Interval:
  Client        : 2 sec
  RFID          : 50 sec
  Rogue AP      : 2 sec
  Rogue Client  : 2 sec
  Spectrum      : 2 sec


CHAPTER 66
Application Visibility and Control
· Information About Application Visibility and Control, on page 557
· Create a Flow Monitor, on page 560
· Configuring a Flow Monitor (GUI), on page 562
· Create a Flow Record, on page 562
· Create a Flow Exporter, on page 564
· Configuring a Policy Tag, on page 565
· Attaching a Policy Profile to a WLAN Interface (GUI), on page 566
· Attaching a Policy Profile to a WLAN Interface (CLI), on page 566
· Attaching a Policy Profile to an AP, on page 567
· Verify the AVC Configuration, on page 568
· Default DSCP on AVC, on page 569
· AVC-Based Selective Reanchoring, on page 571
· Restrictions for AVC-Based Selective Reanchoring, on page 572
· Configuring the Flow Exporter, on page 572
· Configuring the Flow Monitor, on page 572
· Configuring the AVC Reanchoring Profile, on page 573
· Configuring the Wireless WLAN Profile Policy, on page 574
· Verifying AVC Reanchoring, on page 575
Information About Application Visibility and Control
Application Visibility and Control (AVC) is a subset of the entire Flexible NetFlow (FNF) package that can provide traffic information. The AVC feature employs a distributed approach that benefits from NBAR running on the access point (AP) or controller, whose goal is to run deep packet inspection (DPI) and report the results using FNF messages.
AVC enables you to perform real-time analysis and create policies to reduce network congestion, costly network link usage, and infrastructure upgrades. Traffic flows are analyzed and recognized using the NBAR2 engine. The specific flow is marked with the recognized protocol or application. This per-flow information can be used for application visibility using FNF. After the application visibility is established, a user can define control rules with policing mechanisms for a client.
Using AVC rules, you can limit the bandwidth of a particular application for all the clients joined on the WLAN. These bandwidth contracts coexist with per-client downstream rate limiting, which takes precedence over the per-application rate limits.
Cisco Catalyst 9800 Series Wireless Controller Software Configuration Guide, Cisco IOS XE Bengaluru 17.5.x 557


The FNF feature is supported in wireless and relies on NetFlow being enabled on the controller for all modes: Flex, Local, and Fabric. In Local mode, NBAR runs on the controller hardware and processes client traffic as it flows through the data plane of the controller over the AP CAPWAP tunnels. In FlexConnect or Fabric mode, NBAR runs on the AP, and only statistics are sent to the controller. When operating in these two modes, APs regularly send FNFv9 reports back to the controller. The controller's FNF feature consumes those FNFv9 reports to provide the application statistics shown by AVC. The Fabric mode of operation does not populate the FNF cache; it relays the FNFv9 reports as they arrive. As a result, some flow monitor configuration, for example, cache timeout, is not taken into account. The behavior of the AVC solution changes based on the wireless deployment. The following sections describe the commonalities and differences in all scenarios:
Local Mode
· NBAR is enabled on the controller.
· AVC does not push the FNF configuration to the APs.
· Roaming events are ignored. However, AVC supports L3 roams in local mode as traffic flows through the anchor controller (where NBAR was initially processing the roaming client's traffic when the client joined).
· IOSd needs to trigger NBAR attach.
· Supports flow monitor cache.
· Supports NetFlow exporter.

Flex Mode
· NBAR is enabled on an AP.
· AVC pushes the FNF configuration to the APs.
· Supports context transfer for roaming in AVC-FNF.
· Supports flow monitor cache.
· Supports NetFlow exporter.

Fabric Mode
· NBAR is enabled on an AP.
· AVC pushes the FNF configuration to the APs.
· Supports context transfer for roaming in AVC-FNF.
· Flow monitor cache is not supported.
· Supports NetFlow exporter (for the C9800 embedded on Catalyst switches for SDA, there is no FNF cache on the box).

Prerequisites for Application Visibility and Control
· The access points should be AVC capable. However, this requirement is not applicable in Local mode.
· For the control part of AVC (QoS) to work, the application visibility feature with FNF has to be configured.
Restrictions for Application Visibility and Control
· IPv6 (including ICMPv6 traffic) packet classification is not supported in FlexConnect mode and Fabric mode. However, it is supported in Local mode.
· Layer 2 roaming is not supported across controllers.
· Multicast traffic is not supported.
· AVC is supported only on the following access points:
  · Cisco Catalyst 9100 Series Access Points
  · Cisco Aironet 1800 Series Access Points
  · Cisco Aironet 2700 Series Access Point
  · Cisco Aironet 2800 Series Access Point
  · Cisco Aironet 3700 Series Access Points
  · Cisco Aironet 3800 Series Access Points
  · Cisco Aironet 4800 Series Access Points
  · Cisco Industrial Wireless 3702 Access Point
· AVC is not supported on Cisco Aironet 702W, 702I (128 M memory), and 1530 Series access points.
· Only the applications that are recognized with App visibility can be used for applying QoS control.
· Data link is not supported for NetFlow fields in AVC.
· You cannot map the same WLAN profile to both the AVC-not-enabled policy profile and the AVC-enabled policy profile.
· AVC is not supported on the management port (Gig 0/0).
· NBAR-based QoS policy configuration is allowed only on wired physical ports. Policy configuration is not supported on virtual interfaces, for example, VLAN, port channel and other logical interfaces.
When AVC is enabled, the AVC profile supports up to 23 rules, including the default DSCP rule. If there are more than 23 rules, the AVC policy is not pushed down to the AP.
AVC Configuration Overview
To configure AVC, follow these steps:
1. Create a flow monitor using the record wireless avc basic command.
2. Create a wireless policy profile.
3. Apply the flow monitor to the wireless policy profile.
4. Create a wireless policy tag.
5. Map the WLAN to the policy profile.
6. Attach the policy tag to the APs.
Create a Flow Monitor
The NetFlow configuration requires a flow record, a flow monitor, and a flow exporter. This configuration should be the first step in the overall AVC configuration.

Note In Flex mode and Local mode, the default values for cache timeout active and cache timeout inactive commands are not optimal for AVC. We recommend that you set both the values to 60 in the flow monitor.
For Fabric mode, the cache timeout configuration does not apply.

Procedure

Step 1: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: flow monitor monitor-name
Example: Device(config)# flow monitor fm_avc
Purpose: Creates a flow monitor.

Step 3: record wireless avc {ipv4 | ipv6} basic
Example: Device(config-flow-monitor)# record wireless avc ipv6 basic
Purpose: Specifies the basic IPv4 or IPv6 wireless AVC flow template.
Note: If you want to have both Application Performance Monitoring (APM) and AVC-FNF in the device simultaneously, use the record wireless avc {ipv4 | ipv6} assurance command, which is a superset of the fields contained in the record wireless avc {ipv4 | ipv6} basic command. If the containing flow monitor is configured with the local exporter using the destination local wlc command, AVC-FNF populates the statistics exactly as with the record wireless avc {ipv4 | ipv6} basic configuration. As a result, both APM and AVC-FNF can be configured simultaneously with two flow monitors per direction, per IP version, in local (central switching) mode.
Note: The record wireless avc basic command is the same as the record wireless avc ipv4 basic command. However, the record wireless avc ipv4 basic command is not supported in Flex or Fabric modes. In such scenarios, use the record wireless avc basic command.

Step 4: cache timeout active value
Example: Device(config-flow-monitor)# cache timeout active 60
Purpose: Sets the active flow timeout in seconds.

Step 5: cache timeout inactive value
Example: Device(config-flow-monitor)# cache timeout inactive 60
Purpose: Sets the inactive flow timeout in seconds.

Configuring a Flow Monitor (GUI)
Before you begin
You must have created a flow exporter to export data from the flow monitor.

Procedure

Step 1: Choose Configuration > Services > Application Visibility and go to the Flow Monitor tab.
Step 2: In the Monitor area, click Add to add a flow monitor.
Step 3: In the Flow Monitor window, add a flow monitor and a description.
Step 4: Select the Flow exporter from the drop-down list to export the data from the flow monitor to a collector.
Note: To export wireless NetFlow data, use the templates below:
· ETA (Encrypted Traffic Analysis)
· wireless avc basic
· wireless avc basic IPv6
Step 5: Click Apply to Device to save the configuration.

Create a Flow Record
The default flow record cannot be edited or deleted. If you require a new flow record, you need to create one and map it to the flow monitor from CLI.

Procedure

Step 1: flow record flow_record_name
Example: Device(config)# flow record record1
Purpose: Creates a flow record.
Note: When a custom flow record is configured in Flex and Fabric modes, the optional fields (fields that are not present in record wireless avc basic) are ignored.

Step 2: description string
Example: Device(config-flow-record)# description IPv4flow
Purpose: (Optional) Describes the flow record as a maximum 63-character string.

Step 3: match ipv4 protocol
Example: Device(config-flow-record)# match ipv4 protocol
Purpose: Specifies a match to the IPv4 protocol.

Step 4: match ipv4 source address
Example: Device(config-flow-record)# match ipv4 source address
Purpose: Specifies a match to the IPv4 source address-based field.

Step 5: match ipv4 destination address
Example: Device(config-flow-record)# match ipv4 destination address
Purpose: Specifies a match to the IPv4 destination address-based field.

Step 6: match transport source-port
Example: Device(config-flow-record)# match transport source-port
Purpose: Specifies a match to the transport layer's source port field.

Step 7: match transport destination-port
Example: Device(config-flow-record)# match transport destination-port
Purpose: Specifies a match to the transport layer's destination port field.

Step 8: match flow direction
Example: Device(config-flow-record)# match flow direction
Purpose: Specifies a match to the direction the flow was monitored in.

Step 9: match application name
Example: Device(config-flow-record)# match application name
Purpose: Specifies a match to the application name.
Note: This action is mandatory for AVC support because it allows the flow to be matched against the application.

Step 10: match wireless ssid
Example: Device(config-flow-record)# match wireless ssid
Purpose: Specifies a match to the SSID name identifying the wireless network.

Step 11: collect counter bytes long
Example: Device(config-flow-record)# collect counter bytes long
Purpose: Collects the counter field's total bytes.

Step 12: collect counter packets long
Example: Device(config-flow-record)# collect counter packets long
Purpose: Collects the counter field's total packets.

Step 13: collect wireless ap mac address
Example: Device(config-flow-record)# collect wireless ap mac address
Purpose: Collects the BSSID with the MAC addresses of the access points that the wireless client is associated with.

Step 14: collect wireless client mac address
Example: Device(config-flow-record)# collect wireless client mac address
Purpose: Collects the MAC address of the client on the wireless network.

Create a Flow Exporter
You can create a flow exporter to define the export parameters for a flow. This is an optional procedure for configuring flow exporter parameters.

Note: For the AVC statistics to be visible at the controller, you should configure a local flow exporter using the following commands:
· flow exporter my_local
· destination local wlc
Also, your flow monitor must use this local exporter for the statistics to be visible at the controller.

Procedure

Step 1: flow exporter flow-export-name
Example: Device(config)# flow exporter export-test
Purpose: Creates a flow exporter.

Step 2: description string
Example: Device(config-flow-exporter)# description IPv4flow
Purpose: Describes the flow exporter as a maximum 63-character string.

Step 3: destination {hostname/ipv4address | hostname/ipv6address | local {wlc}}
Example: Device(config-flow-exporter)# destination local wlc
Purpose: Specifies the hostname or IP address of the system or the local WLC to which the exporter sends data.

Step 4: transport udp port-value
Example: Device(config-flow-exporter)# transport udp 1024
Purpose: (Optional) Configures the destination UDP port to reach the external collector. The default value is 9995.
Note: This step is required only for external collectors; it is not required for the local wlc collector.

Step 5: option application-table timeout seconds
Example: Device(config-flow-exporter)# option application-table timeout 500
Purpose: (Optional) Specifies the application table timeout option, in seconds. The valid range is from 1 to 86400.

Step 6: end
Example: Device(config-flow-exporter)# end
Purpose: Returns to privileged EXEC mode.

Step 7: show flow exporter
Example: Device# show flow exporter
Purpose: (Optional) Verifies your configuration.

Configuring a Policy Tag

Procedure

Step 1: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: wireless tag policy policy-tag-name
Example: Device(config)# wireless tag policy rr-xyz-policy-tag
Purpose: Configures a policy tag and enters policy tag configuration mode.

Step 3: end
Example: Device(config-policy-tag)# end
Purpose: Saves the configuration, exits configuration mode, and returns to privileged EXEC mode.

Attaching a Policy Profile to a WLAN Interface (GUI)
Procedure

Step 1: Choose Configuration > Tags & Profiles > Tags.
Step 2: On the Manage Tags page, click the Policy tab.
Step 3: Click Add to view the Add Policy Tag window.
Step 4: Enter a name and description for the policy tag.
Step 5: Click Add to map WLAN and policy.
Step 6: Choose the WLAN profile to map with the appropriate policy profile, and click the tick icon.
Step 7: Click Save & Apply to Device.

Attaching a Policy Profile to a WLAN Interface (CLI)
Before you begin

· Do not attach different AVC policy profiles on the same WLAN across different policy tags.

The following is an example of incorrect configuration:

wireless profile policy avc_pol1
 ipv4 flow monitor fm-avc1 input
 ipv4 flow monitor fm-avc1 output
 no shutdown
wireless profile policy avc_pol2
 ipv4 flow monitor fm-avc2 input
 ipv4 flow monitor fm-avc2 output
 no shutdown
wireless tag policy avc-tag1
 wlan wlan1 policy avc_pol1
wireless tag policy avc-tag2
 wlan wlan1 policy avc_pol2

This example violates the restriction stated earlier: the WLAN wlan1 is mapped to two policy profiles, avc_pol1 and avc_pol2. This configuration is, therefore, incorrect, because the WLAN wlan1 should be mapped to either avc_pol1 or avc_pol2 everywhere.

· Conflicting policy profiles on the same WLAN are not supported. For example, a policy profile with AVC and a policy profile without AVC applied to the same WLAN in different policy tags.

The following is an example of an incorrect configuration:

wireless profile policy avc_pol1
 no shutdown
wireless profile policy avc_pol2
 ipv4 flow monitor fm-avc2 input
 ipv4 flow monitor fm-avc2 output
 no shutdown
wireless tag policy avc-tag1
 wlan wlan1 policy avc_pol1
wireless tag policy avc-tag2
 wlan wlan1 policy avc_pol2

In this example, a policy profile with AVC and a policy profile without AVC are applied to the same WLAN in different tags.

Procedure

Step 1: wireless tag policy avc-tag
Example: Device(config)# wireless tag policy avc-tag
Purpose: Creates a policy tag.

Step 2: wlan wlan-avc policy avc-policy
Example: Device(config-policy-tag)# wlan wlan_avc policy avc_pol
Purpose: Attaches a policy profile to a WLAN profile.

What to do next
· Run the no shutdown command on the WLAN after completing the configuration.
· If the WLAN is already in no shutdown mode, run the shutdown command, followed by the no shutdown command.

Attaching a Policy Profile to an AP

Procedure

Step 1: ap ap-ether-mac
Example: Device(config)# ap 34a8.2ec7.4cf0
Purpose: Enters AP configuration mode.

Step 2: policy-tag policy-tag
Example: Device(config-ap-tag)# policy-tag avc-tag
Purpose: Specifies the policy tag that is to be attached to the access point.
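The six steps of the AVC Configuration Overview carried through as one complete local-mode configuration, as an added example that is not from this guide. It pulls together the flow exporter, flow monitor, policy profile, policy tag and AP procedures above, and it also shows the correct counterpart of the incorrect configurations in "Attaching a Policy Profile to a WLAN Interface (CLI)": two policy tags that map the same WLAN to the same AVC policy profile. The names avc_exporter, fm_avc, fm_v6_avc, avc_pol, avc-tag-floor1, avc-tag-floor2 and wlan_avc are assumed, and the AP MAC addresses are placeholders.

```cisco
! Added example (not from the guide): end-to-end AVC visibility configuration,
! local mode. Names are assumed; the AP MAC addresses are placeholders.
configure terminal
!
! Step 1a. Local exporter: required for AVC statistics to be visible on the controller.
flow exporter avc_exporter
 description Local AVC exporter
 destination local wlc
 exit
!
! Step 1b. One flow monitor per IP version, using the basic wireless AVC record.
!          The guide recommends 60 s active/inactive timeouts in Local and Flex mode.
flow monitor fm_avc
 exporter avc_exporter
 record wireless avc basic
 cache timeout active 60
 cache timeout inactive 60
 exit
flow monitor fm_v6_avc
 exporter avc_exporter
 record wireless avc ipv6 basic
 cache timeout active 60
 cache timeout inactive 60
 exit
!
! Steps 2-3. Policy profile with one flow monitor per direction and per IP version.
!            The profile is shut down while it is edited and re-enabled afterwards.
wireless profile policy avc_pol
 shutdown
 ipv4 flow monitor fm_avc input
 ipv4 flow monitor fm_avc output
 ipv6 flow monitor fm_v6_avc input
 ipv6 flow monitor fm_v6_avc output
 no shutdown
 exit
!
! Steps 4-5. Two policy tags (for two AP groups). Both map wlan_avc to the SAME
!            profile; mapping it to different AVC profiles, or to one profile with
!            AVC and one without, would violate the restriction above.
wireless tag policy avc-tag-floor1
 wlan wlan_avc policy avc_pol
 exit
wireless tag policy avc-tag-floor2
 wlan wlan_avc policy avc_pol
 exit
!
! Step 6. Attach a policy tag to each AP (Ethernet MAC; placeholder values).
ap 0000.0000.0001
 policy-tag avc-tag-floor1
 exit
ap 0000.0000.0002
 policy-tag avc-tag-floor2
 exit
end
!
! Verification (wait about 90 seconds after clients start sending traffic):
show flow exporter
show ap tag summary
show avc wlan wlan_avc top 5 applications aggregate
```

The local exporter keeps the statistics on the controller. If you additionally export to an external collector, remember that NetFlow v9 export is plain UDP (default port 9995) with no authentication or encryption, so the collector should sit on the management network rather than be reached across untrusted segments.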

Verify the AVC Configuration

Procedure

Step 1: show avc wlan wlan-name top num-of-applications applications {aggregate | downstream | upstream}
Example: Device# show avc wlan wlan_avc top 2 applications aggregate
Purpose: Displays information about top applications and users using these applications.
Note: Ensure that wireless clients are associated to the WLAN and generating traffic, and then wait for 90 seconds (to ensure the availability of statistics) before running the command.

Step 2: show avc client mac top num-of-applications applications {aggregate | downstream | upstream}
Example: Device# show avc client 9.3.4 top 3 applications aggregate
Purpose: Displays information about the top number of applications.
Note: Ensure that wireless clients are associated to the WLAN and generating traffic, and then wait for 90 seconds (to ensure the availability of statistics) before running the command.

Step 3: show avc wlan wlan-name application app-name top num-of-clients aggregate
Example: Device# show avc wlan wlan_avc application app top 4 aggregate
Purpose: Displays information about top applications and users using these applications.

Step 4: show ap summary
Example: Device# show ap summary
Purpose: Displays a summary of all the access points attached to the controller.

Step 5: show ap tag summary
Example: Device# show ap tag summary
Purpose: Displays a summary of all the access points with policy tags.

Default DSCP on AVC

Configuring Default DSCP for AVC Profile (GUI)
Procedure

Step 1: Choose Configuration > Services > QoS.
Step 2: Click Add.
Step 3: Enter the Policy Name.
Step 4: Click Add Class-Maps.
Step 5: Choose AVC in the AVC/User Defined drop-down list.
Step 6: Click either the Any or the All match type radio button.
Step 7: Choose DSCP in the Mark Type drop-down list.
a) Check the Drop check box to drop traffic from specific sources.
b) If you do not want to drop the traffic, enter the Police(kbps) value and choose the match type from the Match Type drop-down list.
Step 8: Choose the items from the available list and move them to the selected list.
Step 9: Click Save.
Step 10: Click Apply to Device.

Configuring Default DSCP for AVC Profile
In Cisco Catalyst 9800 Series Wireless Controllers, only up to 32 filters can be specified in the policy. Because there was previously no way of classifying the packets that did not match any of the filters, you can now mark down these packets in the policy.
The marking action can be applied to the traffic when creating a class map and creating a policy map.

Creating Class Map

Procedure

Step 1: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: class-map class-map-name
Example: Device(config)# class-map avc-class
Purpose: Creates a class map.

Step 3: match protocol {application-name | attribute category category-name | attribute sub-category sub-category-name | attribute application-group application-group-name}
Example:
Device(config)# class-map avc-class
Device(config-cmap)# match protocol avc-media
Device(config)# class-map class-avc-category
Device(config-cmap)# match protocol attribute category avc-media
Device(config)# class-map class-avc-sub-category
Device(config-cmap)# match protocol attribute sub-category avc-media
Device(config)# class-map avcS-webex-application-group
Device(config-cmap)# match protocol attribute application-group webex-media
Purpose: Specifies a match to the application name, attribute category name, sub-category name, or application group.

Step 4: end
Example: Device(config)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Creating Policy Map

Procedure

Step 1: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: policy-map policy-map-name
Example: Device(config)# policy-map avc-policy
Purpose: Creates a policy map by entering the policy map name, and enters policy-map configuration mode. By default, no policy maps are defined. The default behaviour of a policy map is to set the DSCP to 0 if the packet is an IP packet and to set the CoS to 0 if the packet is tagged. No policing is performed.
Note: To delete an existing policy map, use the no policy-map policy-map-name global configuration command.

Step 3: class [class-map-name | class-default]
Example: Device(config-pmap)# class avc-class
Purpose: Defines a traffic classification, and enters policy-map class configuration mode. By default, no policy map and class maps are defined. If a traffic class has already been defined by using the class-map global configuration command, specify its name for class-map-name in this command. A class-default traffic class is predefined and can be added to any policy. It is always placed at the end of a policy map. Because an implied match any is included in the class-default class, all packets that have not already matched the other traffic classes will match class-default.
Note: To delete an existing class map, use the no class class-map-name policy-map configuration command.

Step 4: set dscp new-dscp
Example: Device(config-pmap-c)# set dscp 45
Purpose: Classifies IP traffic by setting a new value in the packet. For dscp new-dscp, enter a new DSCP value to be assigned to the classified traffic. The range is 0 to 63.

Step 5: class class-default
Purpose: Specifies the default class so that you can configure or modify its policy.

Step 6: set dscp default
Purpose: Configures the default DSCP.

Step 7: end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.
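The class-map and policy-map procedures above combined into one configuration, as an added example that is not from this guide: recognised applications are marked, and every packet that none of the filters classified is caught by class-default and marked down to the default DSCP. The class and policy names (avc-realtime, avc-video, avc-default-dscp, avc_pol) are assumed; jabber-audio, jabber-video and webex-media are application names the guide itself uses. The attachment of the policy map to the wireless policy profile with service-policy input/output is an assumption, since the guide does not show that step.

```cisco
! Added example (not from the guide): default-DSCP marking for an AVC QoS policy.
! Class/policy names are assumed.
configure terminal
!
! Class maps. Only applications recognised by application visibility can be used,
! and the AVC profile holds at most 23 rules including the default DSCP rule.
class-map match-any avc-realtime
 match protocol jabber-audio
 match protocol webex-media
 exit
class-map match-any avc-video
 match protocol jabber-video
 exit
!
! Policy map: explicit classes first; class-default is always evaluated last and
! catches everything the filters did not recognise, resetting it to DSCP 0.
policy-map avc-default-dscp
 class avc-realtime
  set dscp 46
  exit
 class avc-video
  set dscp 34
  exit
 class class-default
  set dscp default
  exit
 exit
!
! Attach to the WLAN policy profile (assumed attachment point: service-policy
! input/output under wireless profile policy; not shown in the guide).
wireless profile policy avc_pol
 shutdown
 service-policy input avc-default-dscp
 service-policy output avc-default-dscp
 no shutdown
end
!
show policy-map avc-default-dscp
```

Explicit classes are listed before class-default on purpose: a rule placed after class-default would never be reached, because the implied match any in class-default matches every packet that got that far.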

AVC-Based Selective Reanchoring
The AVC-Based Selective Reanchoring feature is designed to reanchor clients when they roam from one controller to another. Reanchoring of clients prevents the depletion of IP addresses available for new clients in Cisco WLC. The AVC profile-based statistics are used to decide whether a client must be reanchored or deferred. This is useful when a client is actively running a voice or video application defined in the AVC rules.
The reanchoring process also involves deauthentication of anchored clients. The clients get deauthenticated when they do not transmit traffic for the applications listed in the AVC rules while roaming between WLCs.

Restrictions for AVC-Based Selective Reanchoring
· This feature is supported only in local mode. FlexConnect and fabric modes are not supported.
· This feature is not supported in guest tunneling and export anchor scenarios.
· The old IP address is not released after reanchoring until the IP address lease period ends.

Configuring the Flow Exporter

Procedure

Step 1: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: flow exporter name
Example: Device(config)# flow exporter avc-reanchor
Purpose: Creates a flow exporter and enters flow exporter configuration mode.
Note: You can use this command to modify an existing flow exporter too.

Step 3: destination local wlc
Example: Device(config-flow-exporter)# destination local wlc
Purpose: Sets the exporter as local.

Configuring the Flow Monitor

Procedure

Step 1: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: flow monitor monitor-name
Example: Device(config)# flow monitor fm_avc
Purpose: Creates a flow monitor and enters Flexible NetFlow flow monitor configuration mode.
Note: You can use this command to modify an existing flow monitor too.

Step 3: exporter exporter-name
Example: Device(config-flow-monitor)# exporter avc-reanchor
Purpose: Specifies the name of an exporter.

Step 4: record wireless avc basic
Example: Device(config-flow-monitor)# record wireless avc basic
Purpose: Specifies the flow record to use to define the cache.

Step 5: cache timeout active value
Example: Device(config-flow-monitor)# cache timeout active 60
Purpose: Sets the active flow timeout, in seconds.

Step 6: cache timeout inactive value
Example: Device(config-flow-monitor)# cache timeout inactive 60
Purpose: Sets the inactive flow timeout, in seconds.

Configuring the AVC Reanchoring Profile

Before you begin
· Ensure that you use the AVC-Reanchor-Class class map. All other class-map names are ignored by Selective Reanchoring.
· During boot up, the system checks for the existence of the AVC-Reanchor-Class class map. If it is not found, default protocols, for example, jabber-video, wifi-calling, and so on, are created. If the AVC-Reanchor-Class class map is found, configuration changes are not made, and updates to the protocols that are saved to the startup configuration persist across reboots.

Procedure

Step 1: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: class-map cmap-name
Example: Device(config)# class-map AVC-Reanchor-Class
Purpose: Configures the class map.

Step 3: match any
Example: Device(config-cmap)# match any
Purpose: Instructs the device to match any of the protocols that pass through it.

Step 4: match protocol jabber-audio
Example: Device(config-cmap)# match protocol jabber-audio
Purpose: Specifies a match to the application name. You can edit the class-map configuration later to add or remove protocols, for example, jabber-video, wifi-calling, and so on, if required.

Configuring the Wireless WLAN Profile Policy
Follow the procedure given below to configure the WLAN profile policy:

Note Starting with Cisco IOS XE Amsterdam 17.1.1, IPv6 flow monitor is supported on Wave 2 APs. You can attach two flow monitors in a policy profile per direction (input and output) and per IP version (IPv4 and IPv6) in local (central switching) mode, when NBAR runs in the controller. However, only one flow monitor is supported per direction (input and output) and per IP version (IPv4 and IPv6) in flexconnect and fabric modes on Wave 2 APs, when NBAR runs on the corresponding AP.

Procedure

Step 1: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: wireless profile policy policy-name
Example: Device(config)# wireless profile policy default-policy-profile
Purpose: Configures the WLAN policy profile and enters wireless policy configuration mode.

Step 3: shutdown
Example: Device(config-wireless-policy)# shutdown
Purpose: Disables the policy profile.

Step 4: no central switching
Example: Device(config-wireless-policy)# no central switching
Purpose: Disables central switching.

Step 5: ipv4 flow monitor monitor-name input
Example: Device(config-wireless-policy)# ipv4 flow monitor fm_avc input
Purpose: Specifies the name of the IPv4 ingress flow monitor.

Step 6: ipv4 flow monitor monitor-name output
Example: Device(config-wireless-policy)# ipv4 flow monitor fm_avc output
Purpose: Specifies the name of the IPv4 egress flow monitor.

Step 7: ipv6 flow monitor monitor-name input
Example: Device(config-wireless-policy)# ipv6 flow monitor fm_v6_avc input
Purpose: Specifies the name of the IPv6 ingress flow monitor.

Step 8: ipv6 flow monitor monitor-name output
Example: Device(config-wireless-policy)# ipv6 flow monitor fm_v6_avc output
Purpose: Specifies the name of the IPv6 egress flow monitor.

Step 9: no shutdown
Example: Device(config-wireless-policy)# no shutdown
Purpose: Enables the policy profile.
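The four reanchoring procedures above (flow exporter, flow monitor, reanchoring class map, WLAN profile policy) combined into one configuration, as an added example that is not from this guide. The names avc-reanchor, fm_avc and avc_reanchor_policy are assumed; AVC-Reanchor-Class is the class-map name the feature requires, and jabber-audio, jabber-video and wifi-calling are the protocols the guide names. The example keeps central switching at its default, since the restrictions limit the feature to local mode, and it covers only the commands the procedures list: the policy-profile setting that the verification output reports as "Reanchoring : Enabled" is not part of these procedures and is not shown here.

```cisco
! Added example (not from the guide): AVC-based selective reanchoring, local mode.
! Exporter, monitor and policy names are assumed.
configure terminal
!
! Local exporter so the AVC statistics that drive the reanchoring decision stay on
! the controller.
flow exporter avc-reanchor
 destination local wlc
 exit
!
! Flow monitor bound to that exporter, basic wireless AVC record, 60 s timeouts.
flow monitor fm_avc
 exporter avc-reanchor
 record wireless avc basic
 cache timeout active 60
 cache timeout inactive 60
 exit
!
! The class map must be named exactly AVC-Reanchor-Class; other names are ignored.
! Clients actively using any of these applications are deferred rather than
! deauthenticated and reanchored when they roam between controllers.
class-map match-any AVC-Reanchor-Class
 match protocol jabber-audio
 match protocol jabber-video
 match protocol wifi-calling
 exit
!
! Policy profile with the flow monitor in both directions. Shut down while editing.
wireless profile policy avc_reanchor_policy
 shutdown
 ipv4 flow monitor fm_avc input
 ipv4 flow monitor fm_avc output
 no shutdown
end
!
! Verification: the profile detail should list fm_avc as ingress and egress
! IPv4 flow monitor and AVC-Reanchor-Class as the reanchoring class map.
show wireless profile policy detailed avc_reanchor_policy
show platform software trace counter tag wncd chassis active R0 avc-afc debug
```

After a roam, the Reanch_co_deauthed_clients and Reanch_co_anchored_clients counters in the second show command tell you how many roaming clients were reanchored versus kept on the anchor because they were still using an application in the class map; a rising deauthed count with no voice or video applications listed is the first thing to check if users report dropped calls after roaming.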

Verifying AVC Reanchoring

Use the following commands to verify the AVC reanchoring configuration:
Device# show wireless profile policy detailed avc_reanchor_policy

Policy Profile Name

: avc_reanchor_policy

Description

:

Status

: ENABLED

VLAN

:1

Wireless management interface VLAN

: 34

!

.

.

.

AVC VISIBILITY

: Enabled

Flow Monitor IPv4

Flow Monitor Ingress Name : fm_avc

Flow Monitor Egress Name : fm_avc

Flow Monitor IPv6

Flow Monitor Ingress Name : Not Configured

Flow Monitor Egress Name : Not Configured

NBAR Protocol Discovery

: Disabled

Reanchoring

: Enabled

Classmap name for Reanchoring

Reanchoring Classmap Name : AVC-Reanchor-Class

Cisco Catalyst 9800 Series Wireless Controller Software Configuration Guide, Cisco IOS XE Bengaluru 17.5.x 575

Verifying AVC Reanchoring

System Management

! . . .
-------------------------------------------------------
Device# show platform software trace counter tag wstatsd chassis active R0 avc-stats debug
Counter Name Thread ID Counter Value -----------------------------------------------------------------------------Reanch_deassociated_clients 28340 1 Reanch_tracked_clients 28340 4 Reanch_deleted_clients 28340 3
Device# show platform software trace counter tag wncd chassis active R0 avc-afc debug
Counter Name Thread ID Counter Value -----------------------------------------------------------------------------Reanch_co_ignored_clients 30063 1 Reanch_co_anchored_clients 30063 5 Reanch_co_deauthed_clients 30063 4
Device# show platform software wlavc status wncd
Event history of WNCD DB:
AVC key: [1,wlan_avc,N/A,Reanc,default-policy-tag] Current state : READY Wlan-id : 1 Wlan-name : wlan_avc Feature type : Reanchoring Flow-mon-name : N/A Policy-tag : default-policy-tag Switching Mode : CENTRAL
Timestamp FSM State Event RC Ctx -------------------------- ------------------- -------------------------- ---- ---06/12/2018 16:45:30.630342 3 :ZOMBIE 1 :FSM_AFM_BIND 0 2 06/12/2018 16:45:28.822780 2 :READY 2 :FSM_AFM_UNBIND 0 0 06/12/2018 16:45:28.822672 2 :READY 2 :FSM_AFM_UNBIND 0 0 06/12/2018 16:45:15.172073 3 :ZOMBIE 1 :FSM_AFM_BIND 0 2 06/12/2018 16:45:12.738367 2 :READY 2 :FSM_AFM_UNBIND 0 0 06/12/2018 16:45:12.738261 2 :READY 2 :FSM_AFM_UNBIND 0 0 06/12/2018 16:45:01.162689 3 :ZOMBIE 1 :FSM_AFM_BIND 0 2 06/12/2018 16:44:55.757643 2 :READY 2 :FSM_AFM_UNBIND 0 0 06/12/2018 16:44:55.757542 2 :READY 2 :FSM_AFM_UNBIND 0 0 06/12/2018 16:44:04.468749 3 :ZOMBIE 1 :FSM_AFM_BIND 0 2 06/12/2018 16:44:02.18857 2 :READY 2 :FSM_AFM_UNBIND 0 0 06/12/2018 16:44:02.18717 2 :READY 2 :FSM_AFM_UNBIND 0 0 06/12/2018 16:38:20.164304 2 :READY 3 :FSM_AFM_SWEEP 0 2 06/12/2018 16:35:20.163877 2 :READY 1 :FSM_AFM_BIND 0 2 06/12/2018 16:35:18.593257 1 :INIT 1 :FSM_AFM_BIND 0 2 06/12/2018 16:35:18.593152 1 :INIT 24:CREATE_FSM 0 0
AVC key: [1,wlan_avc,fm_avc,v4-In,default-policy-tag] Current state : READY Wlan-id : 1 Wlan-name : wlan_avc Feature type : Flow monitor IPv4 Ingress Flow-mon-name : fm_avc Policy-tag : default-policy-tag Switching Mode : CENTRAL

Cisco Catalyst 9800 Series Wireless Controller Software Configuration Guide, Cisco IOS XE Bengaluru 17.5.x 576

System Management

Verifying AVC Reanchoring

Timestamp                  FSM State           Event                      RC   Ctx
-------------------------- ------------------- -------------------------- ---- ---
06/12/2018 16:45:30.664772 3 :ZOMBIE           1 :FSM_AFM_BIND            0    2
06/12/2018 16:45:28.822499 2 :READY            2 :FSM_AFM_UNBIND          0    0
06/12/2018 16:45:28.822222 2 :READY            2 :FSM_AFM_UNBIND          0    0
06/12/2018 16:45:15.207605 3 :ZOMBIE           1 :FSM_AFM_BIND            0    2
06/12/2018 16:45:12.738105 2 :READY            2 :FSM_AFM_UNBIND          0    0
06/12/2018 16:45:12.737997 2 :READY            2 :FSM_AFM_UNBIND          0    0
06/12/2018 16:45:01.164225 3 :ZOMBIE           1 :FSM_AFM_BIND            0    2
06/12/2018 16:44:55.757266 2 :READY            2 :FSM_AFM_UNBIND          0    0
06/12/2018 16:44:55.757181 2 :READY            2 :FSM_AFM_UNBIND          0    0
06/12/2018 16:44:04.472778 3 :ZOMBIE           1 :FSM_AFM_BIND            0    2
06/12/2018 16:44:02.15413  2 :READY            2 :FSM_AFM_UNBIND          0    0
06/12/2018 16:44:02.15263  2 :READY            2 :FSM_AFM_UNBIND          0    0
06/12/2018 16:38:20.164254 2 :READY            3 :FSM_AFM_SWEEP           0    2
06/12/2018 16:35:20.163209 1 :INIT             1 :FSM_AFM_BIND            0    2
06/12/2018 16:35:20.163189 1 :INIT             24:CREATE_FSM              0    0

AVC key: [1,wlan_avc,fm_avc,v4-Ou,default-policy-tag]
Current state  : READY
Wlan-id        : 1
Wlan-name      : wlan_avc
Feature type   : Flow monitor IPv4 Egress
Flow-mon-name  : fm_avc
Policy-tag     : default-policy-tag
Switching Mode : CENTRAL

Timestamp                  FSM State           Event                      RC   Ctx
-------------------------- ------------------- -------------------------- ---- ---
06/12/2018 16:45:30.630764 3 :ZOMBIE           1 :FSM_AFM_BIND            0    2
06/12/2018 16:45:28.822621 2 :READY            2 :FSM_AFM_UNBIND          0    0
06/12/2018 16:45:28.822574 2 :READY            2 :FSM_AFM_UNBIND          0    0
06/12/2018 16:45:15.172357 3 :ZOMBIE           1 :FSM_AFM_BIND            0    2
06/12/2018 16:45:12.738212 2 :READY            2 :FSM_AFM_UNBIND          0    0
06/12/2018 16:45:12.738167 2 :READY            2 :FSM_AFM_UNBIND          0    0
06/12/2018 16:45:01.164048 3 :ZOMBIE           1 :FSM_AFM_BIND            0    2
06/12/2018 16:44:55.757403 2 :READY            2 :FSM_AFM_UNBIND          0    0
06/12/2018 16:44:55.757361 2 :READY            2 :FSM_AFM_UNBIND          0    0
06/12/2018 16:44:04.472561 3 :ZOMBIE           1 :FSM_AFM_BIND            0    2
06/12/2018 16:44:02.18660  2 :READY            2 :FSM_AFM_UNBIND          0    0
06/12/2018 16:44:02.18588  2 :READY            2 :FSM_AFM_UNBIND          0    0
06/12/2018 16:38:20.164293 2 :READY            3 :FSM_AFM_SWEEP           0    2
06/12/2018 16:35:20.163799 1 :INIT             1 :FSM_AFM_BIND            0    2
06/12/2018 16:35:20.163773 1 :INIT             24:CREATE_FSM              0    0
Device# show platform software wlavc status wncmgrd
Event history of WNCMgr DB:
AVC key: [1,wlan_avc,N/A,Reanc,default-policy-tag]
Current state  : READY
Wlan-id        : 1
Wlan-name      : wlan_avc
Feature type   : Reanchoring
Flow-mon-name  : N/A
Policy-tag     : default-policy-tag
Switching Mode : CENTRAL
Policy-profile : AVC_POL_PYATS

Timestamp                  FSM State           Event                      RC   Ctx
-------------------------- ------------------- -------------------------- ---- ---
06/12/2018 16:45:30.629278 3 :WLAN_READY       24:BIND_WNCD               0    0
06/12/2018 16:45:30.629223 3 :WLAN_READY       4 :FSM_BIND_ACK            0    0
06/12/2018 16:45:30.629179 3 :WLAN_READY       4 :FSM_BIND_ACK            0    0

06/12/2018 16:45:30.510867 2 :PLUMB_READY      22:BIND_IOSD               0    0
06/12/2018 16:45:30.510411 2 :PLUMB_READY      2 :FSM_WLAN_UP             0    0
06/12/2018 16:45:30.510371 2 :PLUMB_READY      1 :FSM_WLAN_FM_PLUMB       0    0
06/12/2018 16:45:28.886377 2 :PLUMB_READY      20:UNBIND_ACK_IOSD         0    0
!
AVC key: [1,wlan_avc,fm_avc,v4-In,default-policy-tag]
Current state  : READY
Wlan-id        : 1
Wlan-name      : wlan_avc
Feature type   : Flow monitor IPv4 Ingress
Flow-mon-name  : fm_avc
Policy-tag     : default-policy-tag
Switching Mode : CENTRAL
Policy-profile : AVC_POL_PYATS

Timestamp                  FSM State           Event                      RC   Ctx
-------------------------- ------------------- -------------------------- ---- ---
06/12/2018 16:45:30.664032 3 :WLAN_READY       24:BIND_WNCD               0    0
06/12/2018 16:45:30.663958 3 :WLAN_READY       4 :FSM_BIND_ACK            0    0
06/12/2018 16:45:30.663921 3 :WLAN_READY       4 :FSM_BIND_ACK            0    0
06/12/2018 16:45:30.511151 2 :PLUMB_READY      22:BIND_IOSD               0    0
06/12/2018 16:45:30.510624 2 :PLUMB_READY      2 :FSM_WLAN_UP             0    0
06/12/2018 16:45:30.510608 2 :PLUMB_READY      1 :FSM_WLAN_FM_PLUMB       0    0
06/12/2018 16:45:28.810867 2 :PLUMB_READY      20:UNBIND_ACK_IOSD         0    0
06/12/2018 16:45:28.807239 4 :READY            25:UNBIND_WNCD             0    0
06/12/2018 16:45:28.807205 4 :READY            23:UNBIND_IOSD             0    0
06/12/2018 16:45:28.806734 4 :READY            3 :FSM_WLAN_DOWN           0    0
!

AVC key: [1,wlan_avc,fm_avc,v4-Ou,default-policy-tag]
Current state  : READY
Wlan-id        : 1
Wlan-name      : wlan_avc
Feature type   : Flow monitor IPv4 Egress
Flow-mon-name  : fm_avc
Policy-tag     : default-policy-tag
Switching Mode : CENTRAL
Policy-profile : AVC_POL_PYATS

Timestamp                  FSM State           Event                      RC   Ctx
-------------------------- ------------------- -------------------------- ---- ---
06/12/2018 16:45:30.629414 3 :WLAN_READY       24:BIND_WNCD               0    0
06/12/2018 16:45:30.629392 3 :WLAN_READY       4 :FSM_BIND_ACK            0    0
06/12/2018 16:45:30.629380 3 :WLAN_READY       4 :FSM_BIND_ACK            0    0
06/12/2018 16:45:30.510954 2 :PLUMB_READY      22:BIND_IOSD               0    0
06/12/2018 16:45:30.510572 2 :PLUMB_READY      2 :FSM_WLAN_UP             0    0
06/12/2018 16:45:30.510532 2 :PLUMB_READY      1 :FSM_WLAN_FM_PLUMB       0    0
06/12/2018 16:45:28.886293 2 :PLUMB_READY      20:UNBIND_ACK_IOSD         0    0
06/12/2018 16:45:28.807844 4 :READY            25:UNBIND_WNCD             0    0
06/12/2018 16:45:28.807795 4 :READY            23:UNBIND_IOSD             0    0
06/12/2018 16:45:28.806990 4 :READY            3 :FSM_WLAN_DOWN           0    0
!
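The show platform software wlavc status listings above print one FSM event history per AVC key, newest event first. As an added example (not part of the Cisco guide), the following Python parses that format and summarizes each key's history: event counts, how many bind/unbind round-trips occurred (a reanchoring WLAN that keeps cycling between READY and ZOMBIE shows up here), and any event with a non-zero return code. The sample output is constructed from the guide's listing, with one return code altered to 5 to exercise the failure check; the function names are this example's own.

```python
"""Parse the FSM event history printed by
'show platform software wlavc status wncd' and summarize it per AVC key.

Added example, not part of the Cisco guide. SAMPLE is a constructed excerpt
modelled on the guide's listing (one RC changed to 5 on purpose); the helper
names are this example's own.
"""
import re
from collections import Counter, defaultdict

SAMPLE = """\
Event history of WNCD DB:

AVC key: [1,wlan_avc,N/A,Reanc,default-policy-tag]
Current state  : READY
Wlan-id        : 1
Feature type   : Reanchoring
Switching Mode : CENTRAL

Timestamp                  FSM State           Event                      RC   Ctx
-------------------------- ------------------- -------------------------- ---- ---
06/12/2018 16:45:30.630342 3 :ZOMBIE           1 :FSM_AFM_BIND            0    2
06/12/2018 16:45:28.822780 2 :READY            2 :FSM_AFM_UNBIND          0    0
06/12/2018 16:45:28.822672 2 :READY            2 :FSM_AFM_UNBIND          0    0
06/12/2018 16:45:15.172073 3 :ZOMBIE           1 :FSM_AFM_BIND            0    2
06/12/2018 16:38:20.164304 2 :READY            3 :FSM_AFM_SWEEP           0    2
06/12/2018 16:35:18.593257 1 :INIT             1 :FSM_AFM_BIND            5    2
06/12/2018 16:35:18.593152 1 :INIT             24:CREATE_FSM              0    0
"""

KEY_RE = re.compile(r"^AVC key:\s*\[(.+?)\]")
EVENT_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d+)\s+"  # timestamp
    r"(\d+)\s*:(\S+)\s+"                                # state number : state name
    r"(\d+)\s*:(\S+)\s+"                                # event number : event name
    r"(-?\d+)\s+(\d+)$"                                 # RC, Ctx
)


def parse_wlavc_status(text):
    """Return {avc_key: [event, ...]} with events in printed (newest-first) order."""
    histories = defaultdict(list)
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = EVENT_RE.match(line)
        if m and key is not None:
            histories[key].append({
                "ts": m.group(1), "state": m.group(3), "event": m.group(5),
                "rc": int(m.group(6)), "ctx": int(m.group(7)),
            })
    return dict(histories)


def summarize(history):
    """Event counts, number of unbind->bind round-trips, and non-zero return codes."""
    counts = Counter(e["event"] for e in history)
    rebinds = 0
    seen_unbind = False
    # Walk oldest-first so an UNBIND followed later by a BIND counts as one rebind.
    for e in reversed(history):
        if e["event"] == "FSM_AFM_UNBIND":
            seen_unbind = True
        elif e["event"] == "FSM_AFM_BIND" and seen_unbind:
            rebinds += 1
            seen_unbind = False
    failures = [(e["ts"], e["event"], e["rc"]) for e in history if e["rc"] != 0]
    return {"counts": counts, "rebinds": rebinds, "failures": failures}


if __name__ == "__main__":
    for key, hist in parse_wlavc_status(SAMPLE).items():
        s = summarize(hist)
        print(key, dict(s["counts"]), "rebinds:", s["rebinds"], "failures:", s["failures"])
```

Feed it the raw output of the wncd and wncmgrd variants of the command; the wncmgrd event names differ (BIND_WNCD, UNBIND_IOSD, and so on) but the row layout is the same, so only the rebind heuristic is specific to the wncd FSM_AFM_* events.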


Chapter 67
Cisco Hyperlocation
· Information About Cisco Hyperlocation, on page 579
· Restrictions on Cisco Hyperlocation, on page 581
· Support for IPv6 in Cisco Hyperlocation or BLE Configuration, on page 582
· Configuring Cisco Hyperlocation (GUI), on page 582
· Configuring Cisco Hyperlocation (CLI), on page 583
· Configuring Hyperlocation BLE Beacon Parameters for AP (GUI), on page 584
· Configuring Hyperlocation BLE Beacon Parameters for AP (CLI), on page 584
· Configuring Hyperlocation BLE Beacon Parameters (CLI), on page 585
· Verifying Cisco Hyperlocation, on page 586
· Verifying Hyperlocation BLE Beacon Configuration, on page 589
· Verifying Hyperlocation BLE Beacon Configuration for AP, on page 589
Information About Cisco Hyperlocation
Cisco Hyperlocation is an ultraprecise location solution that allows you to track the location of wireless clients. This is possible with the Cisco Hyperlocation radio module in the Cisco Aironet 3600, 3700, and 4800 Series Access Points. The Cisco Hyperlocation module combines Wi-Fi and Bluetooth Low Energy (BLE) technologies to allow beacons, inventory, and personal mobile devices to be pinpointed.

Hyperlocation is also supported in Fabric mode. In particular, when the wireless controller is running on the switch, the controller takes the necessary steps to provision the APs so that they can generate Hyperlocation VxLAN packets that traverse the fabric network, taking advantage of the fabric infrastructure, and are correctly delivered to the destination CMX. The Hyperlocation VxLAN packets are special packets marked with SGT 0 and using the L3VNID of the APs. For more information, refer to the SDA documentation.

The Cisco Hyperlocation radio module provides the following:
· WSM or WSM2 radio module functions that are extended to:
  · 802.11ac
  · Wi-Fi Transmit
  · 20-MHz, 40-MHz, and 80-MHz channel bandwidth
· Expanded location functionality:
  · Low-latency location optimized channel scanning
  · 32-antenna angle of arrival (AoA); available only with the WSM2 module.

Note When using the WSM2 module (includes the WSM module and the antenna add-on), the accuracy of tracking the location of wireless clients can be as close as one meter.
Cisco Hyperlocation works in conjunction with Cisco Connected Mobile Experiences (CMX). Combining the Cisco Hyperlocation feature on the Cisco Catalyst 9800 Series Wireless Controller with a CMX device allows you to achieve better location accuracy, which can result in delivering more targeted content to users. When you use CMX with Cisco CleanAir frequency scanning, it is simple to locate failed, lost, and even rogue beacons.

The Cisco Hyperlocation radio module with an integrated BLE radio allows transmission of Bluetooth Low Energy (BLE) broadcast messages by using up to 5 BLE transmitters. The Cisco Catalyst 9800 Series Wireless Controller is used to configure transmission parameters such as the beacon interval, universally unique identifier (UUID), and transmission power, per beacon, globally for all the access points. The controller can also configure the major, minor, and transmission power value of each AP to provide more beacon granularity.
Note The Cisco Hyperlocation feature must be enabled on both the controller and CMX, and CMX must be connected, for BLE to work.
In the absence of a Cisco Hyperlocation radio module, Hyperlocation will still work in a modality named Hyperlocation Local Mode, which guarantees a slightly lower location accuracy in the range between five meters and seven meters. This is accomplished through CPU cycle stealing. Using the controller, you can configure Cisco Hyperlocation for APs based on their profile.
Network Time Protocol Server

Cisco Hyperlocation requires the AP to be time synchronized. To achieve this, the controller sends network time protocol (NTP) information to the AP, and the AP then uses the NTP server to synchronize its clock. Therefore, the AP needs connectivity to the NTP server. Because APs can be geographically dispersed, it may be necessary to provide different NTP servers to different APs; this is achieved by allowing NTP server information to be configured per AP profile. If no NTP information is configured on the AP profile, the controller sends the AP one of the global NTP peers defined in its own configuration or, if the controller is itself acting as an NTP server, its management IP address. If the NTP server is not available, Cisco Hyperlocation is disabled.
Note In a scaled setup, configure the NTP server on the respective AP profiles so that the APs and the CA servers used for LSC provisioning are time synchronized. If the NTP server is not configured, some APs fail LSC provisioning.


Bluetooth Low Energy Configuration
The BLE configuration is split into two parts: per AP profile and per AP. By default, the AP profile BLE configuration is applied; some or all of the attributes can then be set per AP, which overrides the profile values for that AP.
Table 24: BLE Configuration Details

Attribute                                    BLE Configuration Per AP Profile   BLE Configuration Per AP
-------------------------------------------  ---------------------------------  ---------------------------------
Attributes with per-AP granularity           · Interval                         · Interval
(global for all the beacons)                 · Advertised transmission power    · Advertised transmission power
Attributes with per-AP, per-beacon           · Transmission power               · Transmission power
granularity                                  · UUID                             · UUID
                                             · Status                           · Status
                                                                                · Major
                                                                                · Minor
Note The default-ap-profile BLE configuration can be considered the default BLE configuration because all the APs will join the default-ap-profile AP profile in case the other profiles are removed.

For more information about Cisco Hyperlocation, see the following documents:
· Cisco Hyperlocation Solution
· Cisco CMX Configuration Guide to enable Cisco Hyperlocation
· Cisco CMX Release Notes
Restrictions on Cisco Hyperlocation
· It is not possible to modify detection, trigger, and reset thresholds while Hyperlocation is in enabled state.
· Changes to the reset threshold are allowed for values in the range of zero to one less than the current threshold value. For example, if the current threshold reset value is 10, changes to the reset threshold are allowed for values in the range of 0 to 9.
· When Cisco Hyperlocation is in use on the Cisco Catalyst 9800 Series Wireless Controller in a non-Fabric deployment, CMX must be reachable through an SVI interface (VLAN). Deployments where CMX is reachable through an L3 port result in an error.
· In Fabric deployments, the wireless management interface (typically loopback interface) must not be in Fabric.


· It is not possible to set the wireless management interface to a loopback interface in non-Fabric deployments.
Support for IPv6 in Cisco Hyperlocation or BLE Configuration
Until Release 16.12, IPv4 was the only valid configuration. From Release 17.1 onwards, IPv6 is also supported for specific deployments.

Note CMX accepts only one IP configuration at a time (either IPv4 or IPv6).

The configuration combinations listed in the following tables are the valid deployments.

Table 25: Flex Deployment Mode

Controller Management Interface and AP   CMX
---------------------------------------  ----
IPv4                                     IPv4
IPv6                                     IPv6

Table 26: Fabric Deployment Mode

Controller Management Interface and AP   CMX
---------------------------------------  ----
IPv4                                     IPv4

Note Any other combination of IPv4 or IPv6 is not supported.

Configuring Cisco Hyperlocation (GUI)
Cisco Hyperlocation is a location solution that allows you to track the location of wireless clients with an accuracy of one meter. Selecting this option disables all other fields in the screen, except NTP Server.

Procedure

Step 1 In the Configuration > Tags & Profiles > AP Join page, click Add. The Add AP Join Profile dialog box appears.
Step 2 Under the AP > Hyperlocation tab, select the Enable Hyperlocation check box.
Step 3 In the Detection Threshold (dBm) field, enter a value to filter out packets with low RSSI. You must enter a value between -100 dBm and -50 dBm.
Step 4 In the Trigger Threshold (cycles) field, enter a value to set the number of scan cycles before sending a BAR to clients. You must enter a value between 0 and 99.
Step 5 In the Reset Threshold (cycles) field, enter the reset value in scan cycles after a trigger. You must enter a value between 0 and 99.
Step 6 Click Save & Apply to Device.

Configuring Cisco Hyperlocation (CLI)

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: ap profile profile-name
Example:
Device(config)# ap profile profile-name
Purpose: Configures an AP profile and enters AP profile configuration mode.

Step 3
Command or Action: [no] hyperlocation
Example:
Device(config-ap-profile)# [no] hyperlocation
Purpose: Enables the Cisco Hyperlocation feature on all the supported APs that are associated with this AP profile. Use the no form of the command to disable the Cisco Hyperlocation feature.

Step 4
Command or Action: [no] hyperlocation threshold detection value-in-dBm
Example:
Device(config-ap-profile)# [no] hyperlocation threshold detection -100
Purpose: Sets the threshold to filter out packets with low RSSI. Valid range is between -100 and -50. The no form of this command resets the threshold to its default value.

Step 5
Command or Action: [no] hyperlocation threshold reset value-btwn-0-99
Example:
Device(config-ap-profile)# [no] hyperlocation threshold reset 8
Purpose: Sets the reset value, in scan cycles after a trigger. The no form of this command resets the threshold to its default value.

Step 6
Command or Action: [no] hyperlocation threshold trigger value-btwn-1-100
Example:
Device(config-ap-profile)# [no] hyperlocation threshold trigger 10
Purpose: Sets the number of scan cycles before sending a block acknowledgment request (BAR) to clients. The no form of this command resets the threshold to its default value.

Step 7
Command or Action: [no] ntp ip ip-address
Example:
Device(config-ap-profile)# [no] ntp ip 9.0.0.4
Purpose: Sets the IP address of the NTP server. The no form of this command removes the NTP server.

Configuring Hyperlocation BLE Beacon Parameters for AP (GUI)

Procedure

Step 1 In the Configuration > Tags & Profiles > AP Join page, click Add. The Add AP Join Profile dialog box appears.
Step 2 Under the AP tab, click BLE.
Step 3 In the Beacon Interval (Hz) field, enter a value.
Step 4 In the Advertised Attenuation Level (dBm) field, enter a value.
Step 5 Select the check box against each ID and click Reset, if required.
Step 6 Optionally, click an ID to edit the values of the following fields, and click Save:
  · Status
  · Tx Power (dBm)
  · UUID
Step 7 Click Save & Apply to Device.

Configuring Hyperlocation BLE Beacon Parameters for AP (CLI)
Follow the procedure given below to configure hyperlocation BLE beacon parameters for an AP:

Procedure

Step 1
Command or Action: ap name ap-name hyperlocation ble-beacon beacon-id {enable | major major-value | minor minor-value | txpwr value-in-dBm | uuid uuid-value}
Example:
Device# ap name test-ap hyperlocation ble-beacon 3 major 65535
Purpose: Configures Hyperlocation and related parameters for an AP and the specified beacon ID:
· enable--Enables the BLE beacon on the AP.
· major major-value--Configures the BLE beacon's major parameter. Valid value is between 0 and 65535; the default value is 0.
· minor minor-value--Configures the BLE beacon's minor parameter. Valid value is between 0 and 65535; the default value is 0.
· txpwr value-in-dBm--Configures the BLE beacon attenuation level. Valid value is between -52 dBm and 0 dBm.
· uuid uuid-value--Configures a UUID.

Step 2
Command or Action: ap name ap-name hyperlocation ble-beacon advpwr value-in-dBm
Example:
Device# ap name test-ap hyperlocation ble-beacon advpwr 90
Purpose: Configures the BLE beacon's advertised attenuation level for an AP. The valid range for value-in-dBm is between -40 dBm and -100 dBm; the default value is -59 dBm (all values must be entered as positive integers).

Configuring Hyperlocation BLE Beacon Parameters (CLI)

Before you begin
For Hyperlocation BLE to be enabled, CMX must be fully joined and enabled for Hyperlocation.

Procedure

Step 1
Command or Action: ap profile profile-name
Example:
Device(config)# ap profile profile-name
Purpose: Enables configuration for all the APs that are associated with the specified AP profile name.

Step 2
Command or Action: hyperlocation ble-beacon beacon-id
Example:
Device(config-ap-profile)# hyperlocation ble-beacon 3
Purpose: Specifies the BLE beacon parameters and enters BLE configuration mode.

Step 3
Command or Action: enabled
Example:
Device(config-halo-ble)# enabled
Purpose: Enables BLE for the beacon ID specified.

Step 4
Command or Action: exit
Example:
Device(config-halo-ble)# exit
Purpose: Returns to AP profile configuration mode.

Step 5
Command or Action: hyperlocation ble-beacon interval value-in-hertz
Example:
Device(config-ap-profile)# hyperlocation ble-beacon interval 1
Purpose: Configures the BLE beacon interval, in hertz, for the selected profile (1 Hz in the example).

Step 6
Command or Action: hyperlocation ble-beacon advpwr value-in-dBm
Example:
Device(config-ap-profile)# hyperlocation ble-beacon advpwr 40
Purpose: Configures the BLE beacon-advertised attenuation level. Valid range is between -40 dBm and -100 dBm; the default value is -59 dBm. The value is entered as a positive integer (40 in the example corresponds to -40 dBm).
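As an added example (not Cisco code), the following Python builds the CLI from the Hyperlocation procedure (Configuring Cisco Hyperlocation (CLI)) and from the two BLE beacon procedures above, checking each value against the ranges those procedures document before automation pushes it to a controller. The function names and sample values are this example's own; so is the decision to emit the thresholds before the hyperlocation keyword, which follows from the restriction that thresholds cannot be modified while Hyperlocation is enabled and assumes the profile starts with Hyperlocation disabled. The UUID check (hex digits only) is stricter than anything the guide states.

```python
"""Generate and range-check the AP-profile Hyperlocation and BLE beacon CLI
shown in the procedures above.

Added example, not Cisco code. Ranges are the ones the procedures document:
detection -100..-50 dBm, trigger 1..100, reset 0..99, advertised attenuation
-40..-100 dBm typed as a positive integer, per-beacon txpwr -52..0 dBm,
major/minor 0..65535, beacon IDs 0..4 (five transmitters).
"""
import re

UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def _in_range(name, value, low, high):
    if not isinstance(value, int) or not low <= value <= high:
        raise ValueError(f"{name}={value!r} outside {low}..{high}")
    return value


def _check_ipv4(addr):
    octets = addr.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"invalid IPv4 address {addr!r}")
    return addr


def hyperlocation_profile_config(profile, detection_dbm, trigger_cycles,
                                 reset_cycles, ntp_ip=None, enable=True):
    """CLI lines for one 'ap profile' Hyperlocation block, or ValueError."""
    _in_range("detection", detection_dbm, -100, -50)
    _in_range("trigger", trigger_cycles, 1, 100)
    _in_range("reset", reset_cycles, 0, 99)
    lines = [f"ap profile {profile}"]
    # Thresholds cannot be changed while Hyperlocation is enabled (see the
    # restrictions section), so they go before the enable keyword. Assumption:
    # the profile starts with Hyperlocation disabled.
    lines += [f" hyperlocation threshold detection {detection_dbm}",
              f" hyperlocation threshold trigger {trigger_cycles}",
              f" hyperlocation threshold reset {reset_cycles}"]
    if ntp_ip is not None:
        lines.append(f" ntp ip {_check_ipv4(ntp_ip)}")
    lines.append(" hyperlocation" if enable else " no hyperlocation")
    return lines


def ble_profile_config(profile, interval_hz, adv_attenuation_dbm, beacon_ids):
    """Enable the given beacon IDs on a profile and set interval and advpwr.
    advpwr is typed as a positive integer: -59 dBm becomes 'advpwr 59'."""
    if not isinstance(interval_hz, int) or interval_hz < 1:
        raise ValueError(f"interval={interval_hz!r} must be a positive integer (Hz)")
    _in_range("advpwr", adv_attenuation_dbm, -100, -40)
    lines = [f"ap profile {profile}"]
    for bid in beacon_ids:
        _in_range("beacon-id", bid, 0, 4)
        lines += [f" hyperlocation ble-beacon {bid}", "  enabled", "  exit"]
    lines += [f" hyperlocation ble-beacon interval {interval_hz}",
              f" hyperlocation ble-beacon advpwr {abs(adv_attenuation_dbm)}"]
    return lines


def ble_ap_beacon_commands(ap_name, beacon_id, major, minor, txpwr_dbm, beacon_uuid):
    """Per-AP exec commands for one beacon; the enable keyword is emitted last
    so the beacon never advertises with half-applied identifiers."""
    _in_range("beacon-id", beacon_id, 0, 4)
    _in_range("major", major, 0, 65535)
    _in_range("minor", minor, 0, 65535)
    _in_range("txpwr", txpwr_dbm, -52, 0)
    if not UUID_RE.match(beacon_uuid):
        raise ValueError(f"malformed UUID {beacon_uuid!r}")
    base = f"ap name {ap_name} hyperlocation ble-beacon {beacon_id}"
    return [f"{base} uuid {beacon_uuid}", f"{base} major {major}",
            f"{base} minor {minor}", f"{base} txpwr {txpwr_dbm}", f"{base} enable"]


if __name__ == "__main__":
    print("\n".join(hyperlocation_profile_config("house24", -90, 8, 7, ntp_ip="198.51.100.1")))
    print("\n".join(ble_profile_config("house24", 1, -59, [0, 1])))
    print("\n".join(ble_ap_beacon_commands(
        "test-ap", 3, 8, 3, 0, "dddddddd-dddd-dddd-dddd-dddddddddddd")))
```

The generator refuses values that the controller would also reject, but it does so before a session is opened, which matters when the same template is applied to many profiles at once; a rejected value fails the whole batch instead of leaving some profiles half-configured.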

Verifying Cisco Hyperlocation
To display the hyperlocation status values and parameters for all the AP profiles, use the following command:

Device# show ap hyperlocation summary

Profile Name: custom-profile
Hyperlocation operational status: Down
Reason: Hyperlocation is administratively disabled
Hyperlocation NTP server: 209.165.200.224
Hyperlocation admin status: Disabled
Hyperlocation detection threshold (dBm): -100
Hyperlocation trigger threshold: 10
Hyperlocation reset threshold: 8

Profile Name: default-ap-profile
Hyperlocation operational status: Up
Reason: N/A
Hyperlocation NTP server: 209.165.200.224
Hyperlocation admin status: Enabled
Hyperlocation detection threshold (dBm): -90
Hyperlocation trigger threshold: 22
Hyperlocation reset threshold: 8

To display both the overall and the per-AP configuration values and operational status, use the following command:

Device# show ap hyperlocation detail

Profile Name: house24
Hyperlocation operational status: Up
Reason: NTP server is not properly configured
Hyperlocation NTP server: 198.51.100.1
Hyperlocation admin status: Enabled
Hyperlocation detection threshold (dBm): -90
Hyperlocation trigger threshold: 8
Hyperlocation reset threshold: 7

AP Name            Radio MAC       Method    CMX IP        AP Profile
--------------------------------------------------------------------------------------------------
APe865.49d9.bfe0   e865.49ea.a4b0  WSM2+Ant  198.51.100.2  house24
APa89d.21b9.69d0   a89d.21b9.69d0  Local     198.51.100.3  house24
APe4aa.5d3f.d750   e4aa.5d5f.3630  WSM       198.51.100.4  house24
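The summary and detail listings above are what an operator would poll to confirm Hyperlocation is actually running, not just enabled. As an added example (not Cisco code), the following Python parses that output into per-profile fields and the per-AP table, then reports profiles whose admin status is Enabled but whose operational status is not Up, together with the Reason line (the NTP dependency described earlier is the usual cause). SAMPLE is constructed from the guide's listings, with the house24 operational status set to Down so the audit has something to find; the function names are this example's own.

```python
"""Parse 'show ap hyperlocation summary' / 'show ap hyperlocation detail'
output and flag profiles that are enabled but not operational.

Added example, not Cisco code. SAMPLE is constructed from the guide's
listings (documentation address ranges); helper names are this example's own.
"""
import re

SAMPLE = """\
Profile Name: custom-profile
Hyperlocation operational status: Down
Reason: Hyperlocation is administratively disabled
Hyperlocation NTP server: 209.165.200.224
Hyperlocation admin status: Disabled
Hyperlocation detection threshold (dBm): -100
Hyperlocation trigger threshold: 10
Hyperlocation reset threshold: 8

Profile Name: house24
Hyperlocation operational status: Down
Reason: NTP server is not properly configured
Hyperlocation NTP server: 198.51.100.1
Hyperlocation admin status: Enabled
Hyperlocation detection threshold (dBm): -90
Hyperlocation trigger threshold: 8
Hyperlocation reset threshold: 7

AP Name            Radio MAC       Method    CMX IP        AP Profile
--------------------------------------------------------------------------------
APe865.49d9.bfe0   e865.49ea.a4b0  WSM2+Ant  198.51.100.2  house24
APa89d.21b9.69d0   a89d.21b9.69d0  Local     198.51.100.3  house24
APe4aa.5d3f.d750   e4aa.5d5f.3630  WSM       198.51.100.4  house24
"""

FIELD_RE = re.compile(
    r"^(Profile Name|Hyperlocation operational status|Reason|"
    r"Hyperlocation NTP server|Hyperlocation admin status|"
    r"Hyperlocation detection threshold \(dBm\)|"
    r"Hyperlocation trigger threshold|Hyperlocation reset threshold):\s*(.*)$")
# AP rows: name, radio MAC, method, CMX IP and, in the global detail view, the profile.
AP_RE = re.compile(
    r"^(AP\S+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)(?:\s+(\S+))?$")


def parse_hyperlocation_output(text):
    """Return (profiles, aps): profiles keyed by name, aps as a list of dicts."""
    profiles, aps, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = FIELD_RE.match(line)
        if m:
            field, value = m.groups()
            if field == "Profile Name":
                current = profiles.setdefault(value, {})
            elif current is not None:
                current[field] = value
            continue
        m = AP_RE.match(line)
        if m:
            aps.append({"ap": m.group(1), "radio_mac": m.group(2), "method": m.group(3),
                        "cmx_ip": m.group(4), "profile": m.group(5)})
    return profiles, aps


def audit(profiles):
    """(profile, problem) pairs for profiles that are enabled but not Up, plus
    any detection threshold outside the documented -100..-50 dBm range."""
    findings = []
    for name, p in profiles.items():
        admin = p.get("Hyperlocation admin status")
        oper = p.get("Hyperlocation operational status")
        if admin == "Enabled" and oper != "Up":
            findings.append((name, p.get("Reason", "unknown")))
        det = int(p.get("Hyperlocation detection threshold (dBm)", "-100"))
        if not -100 <= det <= -50:
            findings.append((name, f"detection threshold {det} out of range"))
    return findings


def aps_by_method(aps):
    """Count APs per location method (WSM2+Ant, WSM, Local)."""
    out = {}
    for a in aps:
        out[a["method"]] = out.get(a["method"], 0) + 1
    return out


if __name__ == "__main__":
    profiles, aps = parse_hyperlocation_output(SAMPLE)
    print(audit(profiles))
    print(aps_by_method(aps))
```

The per-method count is worth tracking alongside the audit: APs reported as Local have no Hyperlocation module and fall back to the five-to-seven-metre Hyperlocation Local Mode described earlier, so a site that expects one-metre accuracy should see WSM2+Ant, not Local, for its APs.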

To display the overall (profile specific) configuration values and operational status for a given profile, use the following command:

Device# show ap profile profile-name hyperlocation summary

Profile Name: profile-name
Hyperlocation operational status: Up
Reason: N/A
Hyperlocation NTP server: 209.165.200.224
Hyperlocation admin status: Enabled
Hyperlocation detection threshold (dBm): -100
Hyperlocation trigger threshold: 10
Hyperlocation reset threshold: 8

To display both the overall (profile specific) and per-AP configuration values and operational status for a given profile, use the following command. The APs listed are only those APs that belong to the specified join profile.

Device# show ap profile profile-name hyperlocation detail

Profile Name: profile-name
Hyperlocation operational status: Up
Reason: N/A
Hyperlocation NTP server: 209.165.200.224
Hyperlocation admin status: Enabled
Hyperlocation detection threshold (dBm): -90
Hyperlocation trigger threshold: 8
Hyperlocation reset threshold: 7

AP Name            Radio MAC       Method    CMX IP
----------------------------------------------------------------
APf07f.0635.2d40   f07f.0635.2d40  WSM2+Ant  198.51.100.2
APf07f.0635.2d41   f07f.0635.2d41  Local     198.51.100.3
APf07f.0635.2d42   f07f.0635.2d42  WSM       198.51.100.4

To display configuration values for an AP profile, use the following command:

Device# show ap profile profile-name detailed

Hyperlocation :
  Admin State                 : ENABLED
  PAK RSSI Threshold Detection: -100
  PAK RSSI Threshold Trigger  : 10
  PAK RSSI Threshold Reset    : 8
  .
  .
  .

To display the Cisco CMXs that are correctly joined and used by hyperlocation, use the following command:


Device# show ap hyperlocation cmx summary

Hyperlocation-enabled CMXs

IP            Port  Dest MAC        Egress src MAC  Egress VLAN  Ingress src MAC  Join time
-----------------------------------------------------------------------------------------------
198.51.100.4  2003  aaaa.bbbb.cccc  aabb.ccdd.eeff  2            0000.0001.0001   12/14/18 09:27:14
To display the hyperlocation client statistics, use the following command:

Device# show platform hardware chassis active qfp feature wireless wlclient cpp-client summary

Client Type Abbreviations:
  RG - REGULAR    BL - BLE
  HL - HALO       LI - LWFL INT
Auth State Abbreviations:
  UK - UNKNOWN    IP - LEARN IP    IV - INVALID
  L3 - L3 AUTH    RN - RUN
Mobility State Abbreviations:
  UK - UNKNOWN    IN - INIT
  LC - LOCAL      AN - ANCHOR
  FR - FOREIGN    MT - MTE
  IV - INVALID
EoGRE Abbreviations:
  N - NON EOGRE   Y - EOGRE

CPP IF_H  DPIDX       MAC Address     VLAN  CT  MCVL  AS  MS  E  WLAN  POA
------------------------------------------------------------------------------
0X32      0XF0000001  0000.0001.0001  9     HL  0     RN  LC  N  NULL

To start collecting statistics for the interface handle shown in the summary (0x32 in the CPP IF_H column above), use the following command:

Device# show platform hardware chassis active qfp feature wireless wlclient datapath cpp-if-handle 0x32 statistics start

To display the recorded flow, use the following command:

Device# show platform hardware chassis active qfp feature wireless wlclient datapath cpp-if-handle 0X32 statistics

      Pkts   Bytes
Rx    26     3628

To stop statistics capture, use the following command:

Device# show platform hardware chassis active qfp feature wireless wlclient datapath cpp-if-handle 0x32 statistics stop

To view the APs requested by Cisco CMX with AP groups' support, use the following commands:

Device# show nmsp subscription group summary

CMX IP address: 198.51.100.4
Groups subscribed by this CMX server:
Group name: CMX_1198.51.100.4

Device# show nmsp subscription group detail ap-list CMX_198.51.100.1 198.51.100.1

CMX IP address: 198.51.100.1
CMX Group name: CMX_198.51.100.1
CMX Group AP MACs:
  aa:bb:cc:dd:ee:01
  aa:bb:cc:dd:ee:02
  aa:bb:cc:dd:ee:03
  aa:bb:cc:dd:ee:03

Verifying Hyperlocation BLE Beacon Configuration

To verify the list of configured BLE beacons, use the following command:

Device# show ap profile ap-profile-name hyperlocation ble-beacon

BLE Beacon interval (Hz): 1
BLE Beacon advertised attenuation value (dBm): -59

ID  UUID                                  TX Power(dBm)  Status
-----------------------------------------------------------------
0   ffffffff-aaaa-aaaa-aaaa-aaaaaaaaaaaa  0              Enabled
1   ffffffff-bbbb-bbbb-bbbb-bbbbbbbbbbbb  0              Enabled
2   ffffffff-gggg-gggg-gggg-gggggggggggg  0              Enabled
3   ffffffff-dddd-dddd-dddd-dddddddddddd  0              Enabled
4   ffffffff-eeee-eeee-eeee-eeeeeeeeeeee  0              Enabled

Verifying Hyperlocation BLE Beacon Configuration for AP
To verify the Hyperlocation BLE Beacon configuration for an AP, use the following command:

Device# show ap name test-ap hyperlocation ble-beacon

BLE Beacon interval (Hz): 1
BLE Beacon advertised attenuation value (dBm): -60

ID  Status   UUID                                  Major  Minor  TXPower(dBm)
--------------------------------------------------------------------------
0   Enabled  99999999-9999-9999-9999-999999999999  8      0      -0
1   Enabled  bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb  8      1      -0
2   Enabled  88888888-8888-8888-8888-888888888888  8      2      -0
3   Enabled  dddddddd-dddd-dddd-dddd-dddddddddddd  8      3      -0
4   Enabled  eeeeeeee-eeee-eeee-eeee-eeeeeeeeeeee  8      4      -0


Chapter 68
FastLocate for Cisco Catalyst Series Access Points
· Information About FastLocate, on page 591
· Supported Access Points, on page 591
· FastLocate Network Components, on page 592
· Configuring FastLocate (GUI), on page 593
· Verifying FastLocate on Cisco Catalyst APs, on page 593
Information About FastLocate
Current Wi-Fi location technology relies on mobile devices sending received signal strength indication (RSSI) or location information, based on probe request messaging, to access points. This information is sent on most channels by the mobile device and received by neighbor APs on different channels, which helps in location estimation.

Wi-Fi clients are moving towards less frequent probing to discover an AP, in order to conserve battery power. Depending on the client, operating system, driver, battery, current, and client activity, the device probing frequency varies anywhere from 10 seconds to 5 minutes. This variation results in inadequate data points to represent real-world movement.

Because data packets are more frequent than probe request packets, they can be aggregated better. FastLocate enables higher location refresh rates by collecting RSSI or location information through data packets received by the APs. Using these data packets, location-based services (LBS) updates are initiated by the network and are available more frequently.
Supported Access Points
Beginning with IOS XE 17.1.1, the FastLocate feature is supported on the Cisco Catalyst 9120 Series Access Points. In IOS XE 17.3.1, the following APs support the FastLocate feature:
· Cisco Catalyst 9130 Series Access Points
· Cisco Catalyst 9120 Series Access Points
· Cisco Aironet 4800 Series Access Points
· Cisco Aironet 3800 Series Access Points
· Cisco Aironet 2800 Series Access Points

In addition, Cisco Aironet 4800 Series Access Points also support Angle of Arrival based location calculation (Hyperlocation). When FastLocate is enabled, the Cisco RF ASIC radios of these APs act as a WSSI module and transform into a monitoring role and off-channel scanning mode. The Cisco RF ASIC radios scan through all the 2.4-GHz channels and 5-GHz channels in a linear fashion, with each channel scanned for 150 milliseconds. This period is called the dwell time. The Cisco RF ASIC radios of the APs are synchronized with the NTP server. Using FastPath, all data packet RSSI records that are collected during one off-channel dwell are sent in a specific packet format to the Cisco controller at the end of the dwell time.
FastLocate Network Components
For successful packet RSSI location computation, the following components with the necessary functionalities are needed:

· Wireless client
  · Send data, management, and control packets
· Cisco Catalyst 9800 Series Wireless Controller
  · Configure NTP server information and location parameters on AP
  · Forward clients' RSSI related information to CMX/MSE via FastPath/datapath
· Cisco Catalyst 9120 Series AP
  · Location radio in monitor or equivalent role
  · Time synchronized with NTP server
  · Collect RSSI related data sent by clients (both associated and unassociated)
  · Send clients' RSSI data to the Cisco controller through CAPWAP
· Cisco CMX
  · Parse fastpath location data received from the WLC
  · Calculate the exact physical location of the client and render it on the GUI using algorithms


Configuring FastLocate (GUI)
Procedure

Step 1 Choose Configuration > Tags & Profiles > AP Join.
Step 2 On the AP Join page, click the default-ap-profile AP join profile.
Step 3 In the Edit AP Join Profile window, click the AP tab.
Step 4 Under Hyperlocation, select the Enable Hyperlocation check box.
Step 5 Click Update & Apply to Device.

Verifying FastLocate on Cisco Catalyst APs

To verify FastLocate, use the following commands on the AP:

Device# show ntp

Stratum  Version  Last Received  Delay    Offset    Jitter    NTP server
1        4        123sec ago     1.169ms  -3.262ms  10.050ms  7.7.7.2

Device# show ap fast-path statistics

total packets sent           : 90001
invalid app ID drops         : 0
application                  : 0 (HALO)
packets sent (CAPWAP)        : 90001
packets sent (APP HOST INTF) : 0
admin state drops            : 0
no dest IP drops             : 0

To view FastLocate admin status details on the AP, use the following command:

Device# show capwap client rcb

Hyperlocation Admin State    : Enabled
MSE Gateway MAC              : 00:50:56:86:0F:9D
WLC Hyperlocation Source Port: 9999
MSE IP Address               : 10.0.0.1

To view FastPath-related parameters on the AP like source and destination IP addresses, port numbers, and the gateway MAC address, use the following command:

Device# show ap fast-path configuration hyperlocation

source IP address     : 10.0.0.2
destination IP address: 10.0.0.1
source port (WLC)     : 9999
destination port (MSE): 2003
gateway MAC           : 00:50:56:86:0F:9D
ewlc hyperlocation MAC: 00:00:00:01:00:01

To verify FastLocate on the Cisco Catalyst controller, use the appropriate command given below.


To view the summary of applications that send fastpath or datapath data, use the following command. The hex codes for the HyperLocation and BLE port numbers are displayed.

Device# show platform hardware chassis active qfp feature wireless wlclient cpp-client summary

Client Type Abbreviations:
RG - REGULAR
BL - BLE
HL - HALO
LI - LWFL INT

Auth State Abbreviations:
UK - UNKNOWN
IP - LEARN IP
IV - INVALID
L3 - L3 AUTH
RN - RUN

Mobility State Abbreviations:
UK - UNKNOWN
IN - INIT
LC - LOCAL
AN - ANCHOR
FR - FOREIGN
MT - MTE
IV - INVALID

EoGRE Abbreviations:
N - NON EOGRE
Y - EOGRE

CPP IF_H  DPIDX       MAC Address     VLAN  CT  MCVL  AS  MS  E  WLAN  POA
-----------------------------------------------------------------------
0X31      0XF0000002  0000.0003.0001  122   BL  0     RN  LC  N  NULL
0X32      0XF0000001  0000.0001.0001  122   HL  0     RN  LC  N  NULL

To capture statistics of a selected application, use the following command:

Device# show platform hardware chassis active qfp feature wireless wlclient datapath cpp-if-handle register-code statistics start

The hex value of the register-code is obtained from the show platform hardware chassis active qfp feature wireless wlclient cpp-client summary command mentioned earlier.

Device# show platform hardware chassis active qfp feature wireless wlclient datapath cpp-if-handle 0x32 statistics start

To display the statistics of the selected application, use the following command:

Device# show platform hardware chassis active qfp feature wireless wlclient datapath cpp-if-handle register-code statistics

The hex value of the register-code is obtained from the show platform hardware chassis active qfp feature wireless wlclient cpp-client summary command mentioned earlier.

Device# show platform hardware chassis active qfp feature wireless wlclient datapath cpp-if-handle 0x32 statistics

      Pkts  Bytes
Rx    232   38850
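The procedure above has you read the CPP IF_H register-code for an application (HL for HALO, BL for BLE) out of the cpp-client summary table and paste it into the datapath statistics command. The Python script below is an added example, not part of this guide or of Cisco IOS XE: it parses a constructed copy of the summary output shown above, looks up the register-code by client type abbreviation, and builds the statistics commands from it. The column names and the sample rows are taken from the output on this page; the function names are the example's own.

```python
"""Look up the CPP IF_H register-code for a client type (CT) in the
'show platform hardware chassis active qfp feature wireless wlclient
cpp-client summary' table and build the datapath statistics commands.

Added example; not part of the Cisco guide. The sample output below is
constructed from the values shown on this page.
"""
import re

# Constructed sample of the summary table, columns as on the page:
# CPP IF_H, DPIDX, MAC Address, VLAN, CT, MCVL, AS, MS, E, WLAN, POA
SAMPLE_SUMMARY = """\
CPP IF_H  DPIDX       MAC Address     VLAN  CT  MCVL  AS  MS  E  WLAN  POA
-----------------------------------------------------------------------
0X31      0XF0000002  0000.0003.0001  122   BL  0     RN  LC  N  NULL
0X32      0XF0000001  0000.0001.0001  122   HL  0     RN  LC  N  NULL
"""

COLUMNS = ("cpp_if_h", "dpidx", "mac", "vlan", "ct", "mcvl", "as_", "ms", "e", "wlan", "poa")
HEX_RE = re.compile(r"^0[xX][0-9a-fA-F]+$")


def parse_summary(text):
    """Return one dict per data row; header, ruler and legend lines are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows start with a hex register-code such as 0X32; anything else
        # (column header, dashes, abbreviation legend) is not a client entry.
        if not fields or not HEX_RE.match(fields[0]):
            continue
        fields += [""] * (len(COLUMNS) - len(fields))  # POA may be empty
        rows.append(dict(zip(COLUMNS, fields)))
    return rows


def register_code_for(text, client_type):
    """CPP IF_H value (lower-cased hex, e.g. '0x32') of the first row whose CT matches."""
    for row in parse_summary(text):
        if row["ct"] == client_type:
            return row["cpp_if_h"].lower()
    raise LookupError(f"no client of type {client_type} in summary")


def statistics_command(register_code, start=False):
    """The datapath statistics command the page describes, for that register-code."""
    cmd = ("show platform hardware chassis active qfp feature wireless wlclient "
           f"datapath cpp-if-handle {register_code} statistics")
    return cmd + " start" if start else cmd


if __name__ == "__main__":
    code = register_code_for(SAMPLE_SUMMARY, "HL")   # HALO application
    print(statistics_command(code, start=True))      # begin capturing
    print(statistics_command(code))                  # display the counters
```

Run against the real command output captured from the controller instead of SAMPLE_SUMMARY; only rows whose first field is a hex register-code are treated as client entries, so the abbreviation legend that precedes the table is ignored.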


CHAPTER 69

IoT Services Management

· Information About IoT Services Management, on page 595
· Enabling the Dot15 Radio, on page 596
· Configuring the gRPC Token, on page 596
· Enabling gRPC in an AP Profile, on page 597
· Verifying BLE State and Mode, on page 597
· Verifying BLE Details, on page 598
· Verifying gRPC Summary, Status, and Statistics, on page 599

Information About IoT Services Management

Cisco Catalyst 9800 devices running the Cisco IOS-XE image Version 17.3.2 support Cisco Spaces: IoT Services along with the Network Assurance on Cisco Digital Network Architecture (DNA) Center. However, IoT Services and the Intelligent Capture (iCAP) port configuration are mutually exclusive. That is, if the iCAP feature needs to be enabled on a device, then IoT Services cannot be deployed. Similarly, if IoT Services needs to be enabled on a device, then iCAP feature cannot be deployed. From Cisco IOS XE Cupertino 17.7.1 Release onwards, IoT Services and Intelligent Capture (iCAP) port configuration are allowed to co-exist. That is, when both IoT Services and iCAP features are enabled on the controller, there will be two gRPC connections from the AP.
The following table shows the pairs of configurations that can or cannot coexist on IOS-XE image version 17.3.2 and 17.7.

Cisco DNA-C Configuration                 Cisco Spaces Configuration  Coexistence on IOS-XE Image Version 17.3.2
network-assurance enable                  ap cisco-dna token token    yes
network-assurance icap server port port   ap cisco-dna token token    no

Cisco Spaces: IoT Services is an end-to-end solution. Hence, you do not need to manually enable IoT services or Dot15 radio on the controller. Dot15 radio is enabled or disabled automatically through Cisco Spaces. However, you can verify if Dot15 radio is enabled from the controller.
Similarly, Cisco Spaces enables gRPC in the default ap profile configuration of the controller. You do not need to manually enable it. However, you can verify the same on the controller.

Cisco Spaces enables the apphost configuration, which is required for the default ap profile configuration. If apphost is not enabled by Cisco Spaces, then you must manually enable it. This is required in order to host IOx applications on an AP.

Enabling the Dot15 Radio
When you enable the BLE radio configuration globally, the APs that are joined to the controller enable their BLE radio, if they have the BLE radio chip in their hardware. This configuration will be applied to all the APs that will join the controller after the configuration is enabled.

Procedure

Step 1 configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2 no ap dot15 shutdown
Example:
Device(config)# no ap dot15 shutdown
Purpose: Enables the dot15 radios for APs, globally.

Step 3 ap dot15 shutdown
Example:
Device(config)# ap dot15 shutdown
Purpose: Disables the dot15 radio for all APs, globally.

Configuring the gRPC Token

Note

· The configuration is pushed automatically from Cisco Spaces. There is no need to manually enable gRPC on the default ap profile configuration. You can verify the same on the controller.

· The NETCONF (NETCONF/YANG configuration) must be enabled on the device for the Cisco Spaces to push the required configuration to the controller. Secure Copy (ip scp server enable) must be enabled on the controller so that Cisco Spaces can push the gRPC certificate to the controller.

· The iCAP server port configuration should not be present in the configuration. If it exists, then run the iCAP server port 0 command.

Procedure

Step 1 configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2 ap cisco-dna token {0 | 8} cisco-token-number
Example:
Device(config)# ap cisco-dna token 0 cisco-token-number
Purpose: Configures the Cisco Spaces gRPC token.
0: Specifies the string as an UNENCRYPTED password.
8: Indicates the placeholder for backward compatibility.

Enabling gRPC in an AP Profile
The Manage Streams feature of Cisco Spaces pushes the gRPC configuration only to the default AP profile, currently. If you are using a different AP profile, you must manually configure gRPC.
The following procedure explains how to manually enable gRPC on an AP profile that is not the default-ap-profile. Cisco Spaces may not push gRPC to all AP profiles; therefore, the following commands can be used to enable gRPC for individual AP profiles.

Procedure

Step 1 configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2 ap profile ap-profile-name
Example:
Device(config)# ap profile ap-profile-name
Purpose: Configures the AP profile and enters the AP profile configuration mode.

Step 3 cisco-dna grpc
Example:
Device(config-ap-profile)# cisco-dna grpc
Purpose: Enables the gRPC channel on the APs, in the AP profile.

Verifying BLE State and Mode

To verify the BLE state and mode, run the following command:

Device# show ap ble summary

AP Name     BLE AP State   BLE mode
--------------------------------------------------------------------------
Axel-1      Up             Advanced (IOx)
Axel-2      Up             Advanced (IOx)
9117-1      Up             Advanced (IOx)
3800-1      Up             Base (Native)
1815        Up             Base (Native)
9120-3      Up             Advanced (IOx)
9120-1      Up             Base (Native)
9115-ax     Up             Base (Native)
9120-2      Up             Base (Native)

Verifying BLE Details

To verify BLE details, run the following command:

Device# show ap name APXXXX.BDXX.29XX ble detail

Mode report time            : 07/28/2020 09:40:57
Mode                        : Base (Native)
Radio mode                  : BLE
Admin state report time     : 07/28/2020 09:40:57
Admin state                 : Up
Interface report time       : 07/28/2020 09:40:57
Interface                   : MSM1
Interface state             : Open
Type                        : Integrated
Capability report time      : 07/14/2020 17:10:49
Capability                  : BLE, Zigbee, USB,
Host data report time       : 07/28/2020 09:52:04
Host data
  Device name               : APXXXXBDX
  Dot15 Radio MAC           : 18:04:ed:c5:0e:c8
  API version               : 1
  FW version                : 2.7.16
  Broadcast count           : 4389
  Uptime                    : 596050 deciseconds
  Active profile            : viBeacon
Scan Statistics report time : 07/28/2020 09:40:57
Scan statistics
  Total scan records        : 0
Scan role report time       : 07/28/2020 09:43:19
Scan role
  Scan state                : Disable
  Scan interval             : 0 seconds
  Scan window               : 800 milliseconds
  Scan max value            : 8
  Scan filter               : Enable
Broadcaster role
  Current profile type: iBeacon
    Last report time          : N/A
    UUID                      : Unknown
    Major                     : Unknown
    Minor                     : Unknown
    Transmit power            : Unknown
    Frequency                 : Unknown
    Advertised transmit power : Unknown
  Current profile type: Eddystone URL
    Last report time          : 07/28/2020 09:47:17
    URL                       : https://www.cisco.com
  Current profile type: Eddystone UID
    Last report time          : 07/28/2020 09:43:25
    Namespace                 : 04d77XXXXXXXXXXXXXXX
    Instance id               : 5df5XXXXXXXX
  Current profile type: viBeacon
    Last report time          : 07/28/2020 09:52:04
    Interval                  : 450 milliseconds
    Beacon ID                 : 0
    UUID                      : 30XXXXXX-3XXX-4XXX-9XXX-d3XXXXXXXXXX
    Major                     : 36341
    Minor                     : 33196
    Transmit power            : 3 dBm
    Advertised transmit power : 60 dBm
    Enable                    : Enable
    Beacon ID                 : 1
    UUID                      : 57XXXXXX-cXXX-4XXX-aXXX-85XXXXXXXXXX
    Major                     : 3875
    Minor                     : 567
    Transmit power            : 2 dBm
    Advertised transmit power : 69 dBm
    Enable                    : Enable
.
.
.

Verifying gRPC Summary, Status, and Statistics

To verify the gRPC summary, run the following command:

Device# show ap grpc summary

AP Name            AP Mac          gRPC Status
-----------------------------------------------------------------------------------
APXXXX.BDXX.F2XX   0cXX.bdXX.66XX  Up

To verify the packet statistics on the gRPC channel, including the transmit and receive failures, run the following command:

Device# show ap name APXXXX.BDXX.F2XX grpc detail

gRPC channel status       : Up
Packets transmit attempts : 62
Packets transmit failures : 0
Packets receive count     : 62
Packets receive failures  : 0


CHAPTER 70

IoT Module Management in the Controller

· Information About IoT Module Management in the Controller, on page 601
· Enabling a USB on the Controller, on page 601
· Verifying the USB Modules, on page 602
Information About IoT Module Management in the Controller
The IoT Module Management feature uses the USB interface on the Cisco Catalyst 9105AXI, 9105AXW, 9115AX, 9117AX, 9120AX, and 9130AX Series access points (APs) to connect to the Cisco Internet of Things (IoT) connector. These APs host the third-party application software components that act as containers. Cisco Digital Network Architecture (DNA) Center helps in the provisioning, deployment, and life cycle management of the container applications on the APs. The controller and the APs are managed by Cisco DNA Center.
You can connect the USB modules to the APs, and then log in to the controller and run commands to enable the USB modules and the Cisco IOx application in the APs associated with an AP profile group.

Enabling a USB on the Controller
To enable a USB for all the APs connected in an AP profile and to enable Cisco IOx on all the APs, follow this procedure.

Procedure

Step 1 configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2 ap profile ap-profile-name
Example:
Device(config)# ap profile ap-profile-test
Purpose: Configures an AP profile and enters AP profile configuration mode.
Note: You can use the default AP profile (default-ap-profile) or create a named AP profile, as shown in the example.

Step 3 apphost
Example:
Device(config-ap-profile)# apphost
Purpose: Enables the apphost framework on Cisco APs.

Step 4 usb-enable
Example:
Device(config-ap-profile)# usb-enable
Purpose: Enables a USB for Cisco APs.

Step 5 exit
Example:
Device(config-ap-profile)# exit
Purpose: Exits AP profile configuration mode.

Step 6 copy running-config startup-config
Example:
Device(config)# copy running-config startup-config
Purpose: Writes the running configuration to memory.

Verifying the USB Modules

To verify the state of USB modules, run the following command:

Device# show ap config general

USB Module Type       : USB Module
USB Module State      : Enabled
USB Operational State : Enabled
USB Override          : Disabled

To verify the apphost status, run the following command:

Device# show ap apphost summary

AP Name            AP Mac          Apphost Status  CAF Port  Apphost HW capable
---------------------------------------------------------------------------------------------------------
SS-2027            00xx.abXX.bXXX  Up              8443      Yes
Axel-2036          04xx.40XX.aXXX  Up              8443      Yes
Haida-PrePilot     0cxx.f8XX.0XXX  Up              8443      Yes
Somer-infra-2022   3cxx.0eXX.0XXX  Up              8443      Yes
AP5C71.0DEC.DB5C   3cxx.0eXX.0XXX  Up              8443      Yes
AP5C71.0DEC.E3D8   3cxx.0eXX.4XXX  Up              8443      Yes
Somer-WP-2021      3cxx.0eXX.5XXX  Up              8443      Yes
AP5C71.0DEC.EC60   3cxx.0eXX.9XXX  Up              8443      Yes
SS-2005            6cXX.05XX.dXXX  Up              8443      Yes
Vanc-2042          d4XX.bdXX.2XXX  Up              8443      Yes

To verify the external USB module details, run the following command:

Device# show ap module summary

AP Name          External Module  External Module PID  External Module Description
----------------------------------------------------------------------------------------------
Axel-2036        Enable           10xx/eaXX/100        CP2XXXX USB to UART Bridge C
Haxx-PrePilot    Enable           10xx/eaXX/100        CP2XXXX USB to UART Bridge C
APXXX.0XXX.EXX   Enable           10xx/eaXX/100        CP2XXXX USB to UART Bridge C
SS-2005          Enable           10xx/eaXX/100        CP2XXXX USB to UART Bridge C
Vaxx-2006        Enable           10xx/eaXX/100        CP2XXXX USB to UART Bridge C


CHAPTER 71

Cisco Spaces

Cisco Spaces is the next generation indoor location services platform. The Network Mobility Services Protocol (NMSP) cloud-service of the wireless controller communicates with Cisco Spaces using HTTPS as a transport protocol.
· Configuring Cisco Spaces, on page 605
· Verifying Cisco Spaces Configuration, on page 606

Configuring Cisco Spaces
Follow the procedure given below to configure Cisco Spaces:
Before you begin

· Configure DNS: To resolve the fully qualified domain names used by NMSP cloud-services, configure a DNS server using the ip name-server server_address configuration command, as shown in Step 2.

· Import third-party root CAs: The controller verifies the peer and the host based on the certificate that is sent by the CMX when a connection is established. However, root CAs are not preinstalled on the controller. You have to import a set of root CAs trusted by Cisco into the crypto PKI trustpool by using the crypto pki trustpool import url <url> configuration command, as shown in Step 3.

· A successful registration to Cisco Spaces is required to enable the server url and server token parameters, which are needed to complete this setup.

Procedure

Step 1 configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2 ip name-server namesvr-ip-addr
Example:
Device(config)# ip name-server 10.10.10.205
Purpose: Configures the DNS on the controller to resolve the FQDN names used by the NMSP cloud-services.

Step 3 crypto pki trustpool import url url
Example:
Device(config)# crypto pki trustpool import url http://www.cisco.com/security/pki/trs/ios.p7b
Purpose: Imports the third-party root CA. The controller verifies the peer using the imported certificate.

Step 4 [no] nmsp cloud-services server url url
Example:
Device(config)# nmsp cloud-services server url https://cisco.com
Purpose: Configures the URL used for cloud services. Use the no form of the command to delete the server url from the configuration.

Step 5 [no] nmsp cloud-services server token token
Example:
Device(config)# nmsp cloud-services server token test
Purpose: Configures the authentication token for the NMSP cloud service. Use the no form of the command to delete the server token from the configuration.

Step 6 [no] nmsp cloud-services http-proxy proxy-server port
Example:
Device(config)# nmsp cloud-services http-proxy 10.0.0.1 10
Purpose: (Optional) Configures HTTP proxy details for the NMSP cloud service. Use the no form of the command to disable the use of an HTTP proxy.

Step 7 [no] nmsp cloud-services enable
Example:
Device(config)# nmsp cloud-services enable
Purpose: Enables NMSP cloud services. Use the no form of the command to disable the feature.

Verifying Cisco Spaces Configuration

Use the following commands to verify the Cisco Spaces configuration. To view the status of active NMSP connections, use the following command:

Device# show nmsp status

MSE IP Address  Tx Echo Resp  Rx Echo Req  Tx Data  Rx Data  Transport
----------------------------------------------------------------------------
9.9.71.78       0             0            1        1        TLS
64.103.36.133   0             0            1230     2391     HTTPs

To view the NMSP cloud service status, use the following command:

Device# show nmsp cloud-services summary

CMX Cloud-Services Status
-------------------------
Server:               https://yenth8.cmxcisco.com
IP Address:           64.103.36.133
Cmx Service:          Enabled
Connectivity:         https: UP
Service Status:       Active
Last Request Status:  HTTP/1.1 200 OK
Heartbeat Status:     OK

To view the NMSP cloud service statistics, use the following command:

Device# show nmsp cloud-services statistics

CMX Cloud-Services Statistics
-----------------------------
Tx DataFrames:      3213
Rx DataFrames:      1606
Tx HeartBeat Req:   31785
Heartbeat Timeout:  0
Rx Subscr Req:      2868
Tx DataBytes:       10069
Rx DataBytes:       37752
Tx HeartBeat Fail:  2
Tx Data Fail:       0
Tx Conn Fail:       0

To view the mobility services summary, use the following command:

Device# show nmsp subscription summary

Mobility Services Subscribed:
Index  Server IP        Services
-----  ---------------  --------
1      209.165.200.225  RSSI, Info, Statistics, AP Monitor, AP Info
2      209.165.200.225  RSSI, Statistics, AP Info
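As an added example that is not part of this guide, the Python script below parses constructed copies of the show nmsp status table and the show nmsp cloud-services summary output shown above and performs the checks a verification pass would make from them: that every NMSP connection uses a TLS or HTTPs transport, that the configured server URL uses https (the transport this chapter's introduction names for Cisco Spaces), and that the service reports Active with a 200 OK. The sample values are the ones on this page; the function names and the finding strings are the example's own.

```python
"""Check Cisco Spaces / NMSP cloud-services health from 'show nmsp status'
and 'show nmsp cloud-services summary' output.

Added example; not part of the Cisco guide. Both sample outputs are
constructed from the values shown on this page.
"""
from urllib.parse import urlparse

# Constructed copy of the 'show nmsp status' table from this page.
SAMPLE_STATUS = """\
MSE IP Address  Tx Echo Resp  Rx Echo Req  Tx Data  Rx Data  Transport
----------------------------------------------------------------------------
9.9.71.78       0             0            1        1        TLS
64.103.36.133   0             0            1230     2391     HTTPs
"""

# Constructed copy of the 'show nmsp cloud-services summary' output.
SAMPLE_SUMMARY = """\
CMX Cloud-Services Status
-------------------------
Server:               https://yenth8.cmxcisco.com
IP Address:           64.103.36.133
Cmx Service:          Enabled
Connectivity:         https: UP
Service Status:       Active
Last Request Status:  HTTP/1.1 200 OK
Heartbeat Status:     OK
"""

# Transports the page shows for NMSP connections; both are encrypted.
ENCRYPTED_TRANSPORTS = {"tls", "https"}


def parse_status(text):
    """One dict per connection row; a row is recognised by a dotted-quad first field."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 6 and f[0].count(".") == 3 and f[0].replace(".", "").isdigit():
            rows.append({"server": f[0], "tx_echo_resp": int(f[1]), "rx_echo_req": int(f[2]),
                         "tx_data": int(f[3]), "rx_data": int(f[4]), "transport": f[5]})
    return rows


def parse_summary(text):
    """'Key: value' lines into a dict; only the first colon separates key from value."""
    out = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith("-"):
            key, value = line.split(":", 1)
            out[key.strip()] = value.strip()
    return out


def verify(status_text, summary_text):
    """Return a list of findings; an empty list means the configuration checks out."""
    findings = []
    for row in parse_status(status_text):
        if row["transport"].lower() not in ENCRYPTED_TRANSPORTS:
            findings.append(f"{row['server']}: unencrypted transport {row['transport']}")
    summary = parse_summary(summary_text)
    server = summary.get("Server", "")
    if urlparse(server).scheme != "https":
        findings.append(f"cloud-services server url is not https: {server!r}")
    if summary.get("Service Status") != "Active":
        findings.append(f"service status is {summary.get('Service Status')!r}")
    if "200 OK" not in summary.get("Last Request Status", ""):
        findings.append(f"last request status: {summary.get('Last Request Status')!r}")
    return findings


if __name__ == "__main__":
    for finding in verify(SAMPLE_STATUS, SAMPLE_SUMMARY) or ["all NMSP checks passed"]:
        print(finding)
```

Feed the two command outputs captured from the controller in place of the samples; a non-empty findings list points at the step in the procedure above to revisit (server url, token, or proxy).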


CHAPTER 72

EDCA Parameters

· Enhanced Distributed Channel Access Parameters, on page 609
· Configuring EDCA Parameters (GUI), on page 609
· Configuring EDCA Parameters (CLI), on page 610
Enhanced Distributed Channel Access Parameters
Enhanced Distributed Channel Access (EDCA) parameters are designed to provide preferential wireless channel access for voice, video, and other quality of service (QoS) traffic. This section contains the following subsections:

Configuring EDCA Parameters (GUI)
Procedure

Step 1 Choose Configuration > Radio Configurations > Parameters. Using this page, you can configure global parameters for 802.11a/n/ac (5 GHz) and 802.11b/g/n (2.4 GHz) radios.

Note: You cannot configure or modify parameters if the radio network is enabled. Disable the network status on the Configuration > Radio Configurations > Network page before you proceed.

Step 2 In the EDCA Parameters section, choose an EDCA profile from the EDCA Profile drop-down list. Enhanced Distributed Channel Access (EDCA) parameters are designed to provide preferential wireless channel access for voice, video, and other quality-of-service (QoS) traffic.
Step 3 For 802.11a/n/ac (5 GHz) radios, in the (DFS 802.11h) section, enter the local power constraint. You cannot configure power constraint if the DTPC Support check box on the Configure > Radio Configurations > Network page is checked. The valid range is between 0 dBm and 30 dBm.
Step 4 Check the Channel Switch Announcement Mode check box if you want the AP to announce when it is switching to a new channel and the new channel number. The default value is disabled.
Step 5 Check the Smart DFS check box to enable Dynamic Frequency Selection (DFS) and avoid interference with radar signals.


Step 6 Click Apply.

Configuring EDCA Parameters (CLI)

Procedure

Step 1 configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2 ap dot11 {5ghz | 24ghz} shutdown
Example:
Device(config)# ap dot11 5ghz shutdown
Purpose: Disables the radio network.

Step 3 ap dot11 {5ghz | 24ghz} edca-parameters {custom-voice | fastlane | optimized-video-voice | optimized-voice | svp-voice | wmm-default}
Example:
Device(config)# ap dot11 5ghz edca-parameters optimized-voice
Purpose: Enables specific EDCA parameters for the 802.11a or 802.11b/g network.

Note: The custom-voice option is not supported for Cisco Catalyst 9800 Series Wireless Controller.

· custom-voice: Enables custom voice parameters for the 802.11a or 802.11b/g network.
· fastlane: Enables the fastlane parameters for the 802.11a or 802.11b/g network.
· optimized-video-voice: Enables EDCA voice-optimized and video-optimized parameters for the 802.11a or 802.11b/g network. Choose this option when both voice and video services are deployed on your network.
· optimized-voice: Enables non-SpectraLink voice-optimized profile parameters for the 802.11a or 802.11b/g network. Choose this option when voice services other than SpectraLink are deployed on your network.
· svp-voice: Enables SpectraLink voice-priority parameters for the 802.11a or 802.11b/g network. Choose this option if SpectraLink phones are deployed on your network to improve the quality of calls.
· wmm-default: Enables the Wi-Fi Multimedia (WMM) default parameters for the 802.11a or 802.11b/g network. This is the default option. Choose this option when voice or video services are not deployed on your network.

Step 4 no ap dot11 {5ghz | 24ghz} shutdown
Example:
Device(config)# no ap dot11 5ghz shutdown
Purpose: Re-enables the radio network.

Step 5 end
Example:
Device(config)# end
Purpose: Returns to privileged EXEC mode.

Step 6 show ap dot11 {5ghz | 24ghz} network
Example:
Device# show ap dot11 5ghz network
Purpose: Displays the current status of MAC optimization for voice.


CHAPTER 73

Adaptive Client Load-Based EDCA

· Feature History for Adaptive Client Load-Based EDCA, on page 613
· Information About Adaptive Client Load-Based EDCA, on page 613
· Restrictions for Adaptive Client Load-Based EDCA, on page 614
· Configuration Workflow, on page 614
· Configuring Adaptive Client Load-Based EDCA (GUI), on page 614
· Configuring Adaptive Client Load-Based EDCA (CLI), on page 615
· Verifying Adaptive Client Load-Based EDCA Configuration, on page 615

Feature History for Adaptive Client Load-Based EDCA

This table provides release and related information for the features explained in this module. These features are available in all the releases subsequent to the one they were introduced in, unless noted otherwise.
Table 27: Feature History for Adaptive Client Load-Based EDCA

Release: Cisco IOS XE Bengaluru 17.5.1
Feature: Adaptive Client Load-Based EDCA
Feature Information: The Adaptive Client Load-Based EDCA feature dynamically changes the Enhanced Distributed Channel Access (EDCA) parameters of clients based on the active clients and load, which significantly reduces collisions.

Information About Adaptive Client Load-Based EDCA
The static EDCA configuration is suitable for a small number of clients. In an enterprise multiclient deployment scenario, access points (APs) experience excessive collisions as the number of clients increases, resulting in significant performance degradation. To overcome such a scenario, the Adaptive Client Load-Based EDCA feature has been introduced.
This feature dynamically changes the EDCA parameters of clients based on the active clients and load, which significantly reduces collisions.


Feature Scenario: Run-time EDCA configuration based on active clients and load.
Use Case: In a dense multiclient deployment scenario, when a customer was testing 40 iPads in a classroom or auditorium setup, they observed that the channel utilization was 60 to 70 percent. The overall AP throughput was lower because of air collisions and RTS retries. After the Adaptive Client Load-Based EDCA feature was enabled, the overall throughput increased by 15 to 20 percent and collisions decreased by 30 to 40 percent.
Restrictions for Adaptive Client Load-Based EDCA
· You must disable the 802.11b network if you want to access the 802.11a network.

Configuration Workflow
· Configuring Adaptive Client Load-Based EDCA (GUI) · Configuring Adaptive Client Load-Based EDCA (CLI)

Configuring Adaptive Client Load-Based EDCA (GUI)
Procedure

Step 1 Choose Configuration > Radio Configurations > Parameters to configure global parameters for 802.11a/n/ac (5-GHz) and 802.11b/g/n (2.4-GHz) radios.
Step 2 In the EDCA Parameters section, from the EDCA Profile drop-down list, choose an EDCA profile.
Step 3 Click the Client Load Based Configuration toggle button to enable or disable it. It is enabled by default.
Step 4 For 802.11a/n/ac (5-GHz) radios, in the DFS (802.11h) section, enter the local power constraint. You cannot configure power constraint if the DTPC Support check box in Configuration > Radio Configurations > Network is checked. The valid range for power constraint is between 0 dBm and 30 dBm.
Step 5 From the Channel Switch Announcement Mode drop-down list, choose either the Loud or Quiet mode.
Step 6 Click the Smart DFS toggle button to enable or disable it. It is enabled by default.
Step 7 In the 11ax Parameters section, enable or disable the following, using the corresponding toggle button:
· Target Wakeup Time
· Target Wakeup Time Broadcast
· Multiple Bssid
Step 8 Enable BSS color globally for the 5-GHz and 2.4-GHz radios by checking the BSS Color check box.


Step 9 Click Apply.

Configuring Adaptive Client Load-Based EDCA (CLI)

Procedure

Step 1 configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2 ap dot11 {24ghz | 5ghz} edca-parameters client-load-based
Example:
Device(config)# ap dot11 24ghz edca-parameters client-load-based
Purpose: Enables client load-based EDCA configuration for 802.11 radios. Use the no form of this command to disable the configuration.

Note: To enable the configuration on an 802.11a radio, you must disable the 802.11b network.

Step 3 end
Example:
Device(config)# end
Purpose: Returns to privileged EXEC mode.

Verifying Adaptive Client Load-Based EDCA Configuration
To verify whether the Adaptive Client Load-Based EDCA feature is enabled on an 802.11a or an 802.11b radio, use the following command:

Device# show ap dot11 24ghz network
Device# show ap dot11 5ghz network

EDCA profile type check       : default-wmm
Client Load Based EDCA Config : Enabled

To verify whether the Adaptive Client Load-Based EDCA feature is enabled on APs, use the following command:

Device# show capwap client config

Client Load Based EDCA : Enabled

To view the Adaptive EDCA parameters running on the driver, use the following command:

Device# show controllers dot11Radio 0/1

EDCA Config:
====================
L:Local C:Cell A:Adaptive EDCA params
AC     Type  CwMin  CwMax  Aifs  Txop  ACM
AC_BE  L     4      6      3     0     0
AC_BK  L     4      10     7     0     0
AC_VI  L     3      4      1     94    0
AC_VO  L     2      3      1     47    0
AC_BE  C     4      10     3     0     0
AC_BK  C     4      10     7     0     0
AC_VI  C     3      4      2     94    0
AC_VO  C     2      3      2     47    0
AC_BE  A     4      10     7     0     0
AC_BK  A     4      10     3     0     0
AC_VI  A     3      4      2     94    0
AC_VO  A     2      3      2     47    0
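The driver output above lists three EDCA parameter sets (L, C, A) for each access category. The Python script below is an added example, not part of this guide, that parses a constructed copy of that table and lists, per access category, which values the Adaptive set changes relative to the Local or Cell set, so the effect of enabling the feature can be read off without comparing rows by hand. The table values are those on this page; the function names are the example's own, and the reading of ACM as the admission-control flag is the standard 802.11 meaning, not something this page states.

```python
"""Parse the 'EDCA Config' table from 'show controllers dot11Radio 0/1' and
compare the Local (L) or Cell (C) parameter set with the Adaptive (A) set
installed by the Adaptive Client Load-Based EDCA feature, per access category.

Added example; not part of the Cisco guide. The table below is constructed
from the values shown on this page.
"""

SAMPLE_EDCA = """\
EDCA Config:
====================
L:Local C:Cell A:Adaptive EDCA params
AC Type CwMin CwMax Aifs Txop ACM
AC_BE L 4 6 3 0 0
AC_BK L 4 10 7 0 0
AC_VI L 3 4 1 94 0
AC_VO L 2 3 1 47 0
AC_BE C 4 10 3 0 0
AC_BK C 4 10 7 0 0
AC_VI C 3 4 2 94 0
AC_VO C 2 3 2 47 0
AC_BE A 4 10 7 0 0
AC_BK A 4 10 3 0 0
AC_VI A 3 4 2 94 0
AC_VO A 2 3 2 47 0
"""

FIELDS = ("cwmin", "cwmax", "aifs", "txop", "acm")
SET_TYPES = ("L", "C", "A")   # legend on the page: L:Local C:Cell A:Adaptive


def parse_edca(text):
    """{(ac, type): {field: int}} for every AC_xx row; legend and header lines are skipped."""
    table = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) == 7 and f[0].startswith("AC_") and f[1] in SET_TYPES:
            table[(f[0], f[1])] = dict(zip(FIELDS, map(int, f[2:])))
    return table


def diff_sets(table, left="L", right="A"):
    """Fields whose value differs between two parameter sets, keyed by access category.

    Each entry maps field -> (left value, right value); categories with no
    change are omitted.
    """
    diffs = {}
    for (ac, typ), params in table.items():
        if typ != left or (ac, right) not in table:
            continue
        other = table[(ac, right)]
        changed = {k: (params[k], other[k]) for k in FIELDS if params[k] != other[k]}
        if changed:
            diffs[ac] = changed
    return diffs


def acm_required(table, typ="A"):
    """Access categories whose ACM flag is set in a given parameter set.

    ACM (admission control mandatory) is the standard 802.11 meaning of the
    column; the page itself does not expand the abbreviation (assumption).
    """
    return sorted(ac for (ac, t), p in table.items() if t == typ and p["acm"] == 1)


if __name__ == "__main__":
    table = parse_edca(SAMPLE_EDCA)
    for ac, changed in sorted(diff_sets(table, "L", "A").items()):
        print(ac, {k: f"{a} -> {b}" for k, (a, b) in changed.items()})
    print("ACM required (adaptive):", acm_required(table) or "none")
```

On the sample table the Adaptive set widens CwMax and raises Aifs for AC_BE while lowering Aifs for AC_BK, and adds one slot of Aifs to the voice and video categories; running the same comparison against a live capture shows what the feature has actually changed on that radio.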

CHAPTER 74
802.11 parameters and Band Selection
· Information About Configuring Band Selection, 802.11 Bands, and Parameters, on page 617
· Restrictions for Band Selection, 802.11 Bands, and Parameters, on page 619
· How to Configure 802.11 Bands and Parameters, on page 619
· Monitoring Configuration Settings for Band Selection, 802.11 Bands, and Parameters, on page 629
· Configuration Examples for Band Selection, 802.11 Bands, and Parameters, on page 634
Information About Configuring Band Selection, 802.11 Bands, and Parameters
Band Select
Band select enables client radios that are capable of dual-band (2.4 and 5-GHz) operations to move to a less congested 5-GHz access point. The 2.4-GHz band is often congested. Clients on this band typically experience interference from Bluetooth devices, microwave ovens, and cordless phones as well as co-channel interference from other access points because of the 802.11b/g limit of 3 nonoverlapping channels. To prevent these sources of interference and improve overall network performance, configure band selection on the device. Band select works by regulating probe responses to clients and it can be enabled on a per-WLAN basis. It makes 5-GHz channels more attractive to clients by delaying probe responses to clients on 2.4-GHz channels. In an access point, the band select table can be viewed by running the show dot11 band-select command. It can also be viewed by running the show cont d0/d1 | begin Lru command.
Note You can enable both band selection and aggressive load balancing on the controller. They run independently and do not impact one another.
Band Select Algorithm
The band select algorithm affects clients that use the 2.4-GHz band. Initially, when a client sends a probe request to an access point, the corresponding client probe's Active and Count values (as seen from the band select table) become 1. The algorithm functions based on the following scenarios:
· Scenario 1: Client RSSI (as seen from the show cont d0/d1 | begin RSSI command output) is greater than both Mid RSSI and Acceptable Client RSSI.
· Dual-band clients: No 2.4-GHz probe responses are seen at any time; 5-GHz probe responses are seen for all 5-GHz probe requests.
· Single-band (2.4-GHz) clients: 2.4-GHz probe responses are seen only after the probe suppression cycle.
· After the client's probe count reaches the configured probe cycle count, the algorithm waits for the Age Out Suppression time and then marks the client probe's Active value as 0. Then, the algorithm is restarted.
· Scenario 2: Client RSSI (as seen from show cont d0/d1 | begin RSSI) lies between Mid-RSSI and Acceptable Client RSSI.
· All 2.4-GHz and 5-GHz probe requests are responded to without any restrictions.
· In this scenario the client sees the same behaviour as if band select were disabled.

Note The client RSSI value (as seen in the sh cont d0 | begin RSSI command output) is the average of the client packets received, and the Mid RSSI feature is the instantaneous RSSI value of the probe packets. As a result, the client RSSI is seen as weaker than the configured Mid RSSI value (7-dB delta). The 802.11b probes from the client are suppressed to push the client to associate with the 802.11a band.
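To make the two scenarios and the cycle-count, cycle-threshold and age-out parameters concrete, the following is an added Python simulation of the probe-suppression decision. It is not Cisco code and is not taken from this guide. It assumes that probes arriving closer together than the cycle threshold belong to one scanning cycle, that the cycle count is the number of scanning cycles whose 2.4-GHz probes are suppressed (so a single-band client is answered from the following cycle), and that a client whose RSSI is at or below either threshold is answered without restriction, as in Scenario 2. The defaults are those listed in the GUI procedure of this chapter; the MAC addresses and timings are constructed.

```python
"""Simulation of the band-select probe-suppression behaviour described above.
Added example, not Cisco code. The count boundary and the handling of clients
below the thresholds are assumptions noted in the comments."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass
class BandSelectConfig:
    # Defaults and ranges as given in the guide's GUI procedure.
    cycle_count: int = 2              # suppression cycles for a new client (1-10)
    cycle_threshold_ms: int = 200     # probes closer than this are one scan cycle (1-1000)
    age_out_suppression_s: int = 20   # prune known 2.4-GHz clients after this (10-200)
    age_out_dual_band_s: int = 50     # prune known dual-band clients after this (10-300)
    client_rssi_dbm: int = -80        # acceptable client RSSI (-90 to -20)
    mid_rssi_dbm: int = -80           # mid RSSI (-90 to -20)


@dataclass
class ClientState:
    active: bool = False                     # "Active" column of the band select table
    count: int = 0                           # "Count" column: scanning cycles seen
    last_probe_ms: int = 0
    cycle_done_ms: Optional[int] = None      # when Count reached cycle_count
    dual_band_seen_ms: Optional[int] = None  # last 5-GHz probe from this client


class BandSelectSim:
    def __init__(self, cfg: BandSelectConfig):
        self.cfg = cfg
        self.clients: dict[str, ClientState] = {}

    def _known_dual_band(self, st: ClientState, now_ms: int) -> bool:
        if st.dual_band_seen_ms is None:
            return False
        return now_ms - st.dual_band_seen_ms < self.cfg.age_out_dual_band_s * 1000

    def handle_probe(self, mac: str, band: str, rssi_dbm: int, now_ms: int) -> bool:
        """Return True if the AP answers this probe request."""
        st = self.clients.setdefault(mac, ClientState())
        if band == "5ghz":
            # 5-GHz probes are always answered and mark the client as dual-band.
            st.dual_band_seen_ms = now_ms
            return True
        # Scenario 1 applies only when RSSI exceeds BOTH thresholds; otherwise
        # (Scenario 2 and, by assumption, weaker clients) the probe is answered.
        strong = rssi_dbm > self.cfg.client_rssi_dbm and rssi_dbm > self.cfg.mid_rssi_dbm
        if not strong:
            return True
        # Age Out Suppression: once Count reached cycle_count and the timer
        # elapsed, Active goes back to 0 and the algorithm restarts.
        if (st.cycle_done_ms is not None
                and now_ms - st.cycle_done_ms >= self.cfg.age_out_suppression_s * 1000):
            st.active, st.count, st.cycle_done_ms = False, 0, None
        if not st.active:
            st.active, st.count = True, 1        # first probe: Active=1, Count=1
        elif now_ms - st.last_probe_ms > self.cfg.cycle_threshold_ms:
            st.count += 1                         # gap > threshold: new scanning cycle
        st.last_probe_ms = now_ms
        if st.count >= self.cfg.cycle_count and st.cycle_done_ms is None:
            st.cycle_done_ms = now_ms
        if self._known_dual_band(st, now_ms):
            return False                          # dual-band: never answered on 2.4 GHz
        # Single-band client, assumption: cycle_count suppression cycles, then answered.
        return st.count > self.cfg.cycle_count


def run_demo() -> list[bool]:
    """Constructed probe sequence; returns the AP's answer for each probe."""
    sim = BandSelectSim(BandSelectConfig())
    probes = [
        ("aa:aa:aa:aa:aa:01", "24ghz", -60, 0),      # single-band, strong, cycle 1
        ("aa:aa:aa:aa:aa:01", "24ghz", -60, 50),     # same cycle (50 ms < 200 ms)
        ("aa:aa:aa:aa:aa:01", "24ghz", -60, 1000),   # cycle 2 = cycle_count, still suppressed
        ("aa:aa:aa:aa:aa:01", "24ghz", -60, 2000),   # cycle 3: answered
        ("aa:aa:aa:aa:aa:01", "24ghz", -60, 22500),  # 21.5 s after cycle 2: aged out, restart
        ("aa:aa:aa:aa:aa:02", "5ghz", -55, 0),       # dual-band client seen on 5 GHz
        ("aa:aa:aa:aa:aa:02", "24ghz", -55, 100),
        ("aa:aa:aa:aa:aa:02", "24ghz", -55, 2000),
        ("aa:aa:aa:aa:aa:02", "24ghz", -55, 4000),   # never answered on 2.4 GHz
        ("aa:aa:aa:aa:aa:03", "24ghz", -85, 0),      # weak client: Scenario 1 does not apply
    ]
    return [sim.handle_probe(*p) for p in probes]


if __name__ == "__main__":
    print(run_demo())
```

The single-band client is answered only on its third scanning cycle and becomes "new" again once the age-out suppression timer has run; the dual-band client is steered to 5 GHz by never receiving a 2.4-GHz response while it is within the dual-band age-out window.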
802.11 Bands
You can configure the 802.11b/g/n (2.4 GHz) and 802.11a/n (5 GHz) bands for the controller to comply with the regulatory requirements in your country. By default, both 802.11b/g/n and 802.11a/n are enabled. This section contains the following subsections:
802.11n Parameters
This section provides instructions for managing 802.11n access points on your network. The 802.11n devices support the 2.4 and 5-GHz bands and offer high throughput data rates. The 802.11n high throughput rates are available on all the 802.11n access points for the WLANs using WMM with no Layer 2 encryption or with WPA2/AES encryption enabled.
Note When disabling MCS rates for 802.11n, 802.11ac and 802.11ax, ensure that at least one MCS rate remains enabled. To disable 802.11n on the controller and force APs to use only legacy 802.11a/b/g rates, first disable 802.11ax and 802.11ac on the controller for that band. Disabling 802.11n globally on the controller applies to all APs, irrespective of the APs mapped to a Custom-RF-Profile.
802.11h Parameters
802.11h informs client devices about channel changes and can limit the transmit power of those client devices.


Restrictions for Band Selection, 802.11 Bands, and Parameters
· Band selection-enabled WLANs do not support time-sensitive applications such as voice and video because of roaming delays.
· Band selection is supported only on Cisco Wave 2 and 802.11ax APs.
For more information about support on specific APs, see https://www.cisco.com/c/en/us/td/docs/wireless/access_point/feature-matrix/ap-feature-matrix.html.
· Band selection operates only on APs that are connected to a controller. A FlexConnect AP without a controller connection does not perform band selection after a reboot.
· The band-selection algorithm directs dual-band clients only from the 2.4-GHz radio to the 5-GHz radio of the same AP, and it only runs on an AP when both the 2.4-GHz and 5-GHz radios are up and running.
· It is not possible to enable or disable band selection and client load balancing globally through the controller GUI or CLI. You can, however, enable or disable band selection and client load balancing for a particular WLAN. Band selection and client load balancing are enabled globally by default.

How to Configure 802.11 Bands and Parameters

Configuring Band Selection (GUI)
Before you begin
Ensure that you have configured an AP Join Profile prior to configuring the primary and backup controllers.

Procedure

Step 1: Choose Configuration > Wireless Advanced > Band Select.
Step 2: In the Cycle Count field, enter a value between 1 and 10. The cycle count sets the number of suppression cycles for a new client. The default cycle count is 2.
Step 3: In the Cycle Threshold (milliseconds) field, enter a value between 1 and 1000 milliseconds for the scan cycle period threshold. This setting determines the time threshold during which new probe requests from a client come from a new scanning cycle. The default cycle threshold is 200 milliseconds.
Step 4: In the Age Out Suppression (seconds) field, enter a value between 10 and 200 seconds. Age-out suppression sets the expiration time for pruning previously known 802.11b/g/n clients. The default value is 20 seconds. After this time elapses, clients become new and are subject to probe response suppression.
Step 5: In the Age Out Dual Band (seconds) field, enter a value between 10 and 300 seconds. The age-out period sets the expiration time for pruning previously known dual-band clients. The default value is 50 seconds. After this time elapses, clients become new and are subject to probe response suppression.
Step 6: In the Client RSSI (dBm) field, enter a value between -90 and -20. This is the average of the client packets received.
Step 7: In the Client Mid RSSI (dBm) field, enter a value between -90 and -20. This is the instantaneous RSSI value of the probe packets.

Step 8: On the AP Join Profile page, click the AP Join Profile name.
Step 9: Click Apply.

Configuring Band Selection (CLI)

Procedure

Step 1: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: wireless client band-select cycle-count cycle_count
Example:
Device(config)# wireless client band-select cycle-count 3
Purpose: Sets the probe cycle count for band select. Valid range is between 1 and 10.

Step 3: wireless client band-select cycle-threshold milliseconds
Example:
Device(config)# wireless client band-select cycle-threshold 5000
Purpose: Sets the time threshold for a new scanning cycle period. Valid range is between 1 and 1000.

Step 4: wireless client band-select expire suppression seconds
Example:
Device(config)# wireless client band-select expire suppression 100
Purpose: Sets the suppression expiry time for band select. Valid range is between 10 and 200.

Step 5: wireless client band-select expire dual-band seconds
Example:
Device(config)# wireless client band-select expire dual-band 100
Purpose: Sets the dual-band expiry time. Valid range is between 10 and 300.

Step 6: wireless client band-select client-rssi client_rssi
Example:
Device(config)# wireless client band-select client-rssi 40
Purpose: Sets the client RSSI threshold. Valid range is between 20 and 90.

Step 7: wlan wlan_profile_name wlan_ID SSID_network_name band-select
Purpose: Configures band selection on specific WLANs. Valid range for wlan_ID is between 1 and 512. You can enter up to 32 alphanumeric characters for the SSID_network_name parameter.
Example:

Device(config)# wlan wlan1 25 ssid12
Device(config-wlan)# band-select

Configuring the 802.11 Bands (GUI)
Procedure

Step 1: Choose Configuration > Radio Configurations > Network.
Step 2: Click either 5 GHz Band or 2.4 GHz Band.
Step 3: Uncheck the Network Status check box to disable the network in order to be able to configure the network parameters.
Step 4: In the Beacon Interval field, enter the rate at which the SSID is broadcast by the APs, from 100 to 600 milliseconds. The default is 100 milliseconds.
Step 5: For 802.11b/g/n (2.4-GHz) radios, to enable short preamble on the radio, check the Short Preamble check box. A short preamble improves throughput performance.
Step 6: In the Fragmentation Threshold (in bytes) field, enter a value between 256 and 2346 bytes. Packets larger than the size you specify here will be fragmented.
Step 7: Check the DTPC Support check box to advertise the transmit power level of the radio in the beacons and the probe responses. Client devices using dynamic transmit power control (DTPC) receive the channel and power level information from the access points and adjust their settings automatically. For example, a client device used primarily in Japan could rely on DTPC to adjust its channel and power settings automatically when it travels to Italy and joins a network there. You cannot configure a power constraint value on your 802.11a/n/ac (5-GHz) radio network if the DTPC Support check box is checked.
Step 8: Click Apply.
Step 9: In the CCX Location Measurement section, check the Mode check box to globally enable CCX radio management for the network. This parameter causes the APs connected to this device to issue broadcast radio measurement requests to clients running CCX v2 or later releases.
Step 10: In the Interval field, enter a value to specify how often the APs must issue broadcast radio measurement requests.
Step 11: Click Apply.
Step 12: In the Data Rates section, choose a value to specify the rates at which data can be transmitted between the access point and the client:
· Mandatory: Clients must support this data rate in order to associate to an access point on the controller embedded wireless controller.
· Supported: Any associated clients that support this data rate may communicate with the access point using that rate.
· Disabled: The clients specify the data rates used for communication.
Step 13: Click Apply.
Step 14: Save the configuration.


Configuring the 802.11 Bands (CLI)
Follow the procedure given below to configure 802.11 bands and parameters:

Procedure

Step 1: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: ap dot11 5ghz shutdown
Example:
Device(config)# ap dot11 5ghz shutdown
Purpose: Disables the 802.11a band.
Note: You must disable the 802.11a band before configuring the 802.11a network parameters.

Step 3: ap dot11 24ghz shutdown
Example:
Device(config)# ap dot11 24ghz shutdown
Purpose: Disables the 802.11b band.
Note: You must disable the 802.11b band before configuring the 802.11b network parameters.

Step 4: ap dot11 {5ghz | 24ghz} beaconperiod time_unit
Example:
Device(config)# ap dot11 5ghz beaconperiod 500
Purpose: Specifies the rate at which the SSID is broadcast by the corresponding access point. The beacon interval is measured in time units (TUs). One TU is 1024 microseconds. You can configure the access point to send a beacon every 20 to 1000 milliseconds.

Step 5: ap dot11 {5ghz | 24ghz} fragmentation threshold
Example:
Device(config)# ap dot11 5ghz fragmentation 300
Purpose: Specifies the size at which packets are fragmented. The threshold is a value between 256 and 2346 bytes (inclusive). Specify a low number for areas where communication is poor or where there is a great deal of radio interference.

Step 6: [no] ap dot11 {5ghz | 24ghz} dtpc
Example:
Device(config)# ap dot11 5ghz dtpc
Device(config)# no ap dot11 24ghz dtpc
Purpose: Enables access points to advertise their channels and transmit power levels in beacons and probe responses. The default value is enabled. Client devices using dynamic transmit power control (DTPC) receive the channel-level and power-level information from the access points and adjust their settings automatically. For example, a client device used primarily in Japan can rely on DTPC to adjust its channel and power settings automatically when it travels to Italy and joins a network there.

The no form of the command disables the DTPC setting.

Step 7: wireless client association limit number interval milliseconds
Example:
Device(config)# wireless client association limit 50 interval 1000
Purpose: Specifies the maximum allowed clients that can be configured. You can configure the maximum number of association requests on a single access point slot at a given interval. The range of association limit that you can configure is from 1 to 100. The association request limit interval is measured between 100 to 10000 milliseconds.

Step 8: ap dot11 {5ghz | 24ghz} rate rate {disable | mandatory | supported}
Example:
Device(config)# ap dot11 5ghz rate 36 mandatory
Purpose: Specifies the rate at which data can be transmitted between the controller embedded wireless controller and the client.
· disable: Defines that the clients specify the data rates used for communication.
· mandatory: Defines that the clients support this data rate in order to associate to an access point on the controller embedded wireless controller.
· supported: Any associated clients that support this data rate can communicate with the access point using that rate. However, the clients are not required to use this rate in order to associate.
· rate: Specifies the rate at which data is transmitted. For the 802.11a and 802.11b bands, the data is transmitted at the rate of 1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, or 54 Mbps.

Step 9: no ap dot11 5ghz shutdown
Example:
Device(config)# no ap dot11 5ghz shutdown
Purpose: Enables the 802.11a band.
Note: The default value is enabled.

Step 10: no ap dot11 24ghz shutdown
Example:
Device(config)# no ap dot11 24ghz shutdown
Purpose: Enables the 802.11b band.
Note: The default value is enabled.

Step 11: ap dot11 24ghz dot11g
Purpose: Enables or disables 802.11g network support.
Example:

Device(config)# ap dot11 24ghz dot11g

The default value is enabled. You can use this command only if the 802.11b band is enabled. If you disable this feature, the 802.11b band is enabled without 802.11g support.

Step 12: end
Example:
Device(config)# end
Purpose: Returns to privileged EXEC mode.

Configuring a Band-Select RF Profile (GUI)
Procedure

Step 1: Choose Configuration > Wireless > Advanced.
Step 2: In the Band Select tab, enter a value between 1 and 10 in the Cycle Count field. The cycle count sets the number of suppression cycles for a new client. The default cycle count is 2.
Step 3: In the Cycle Threshold field, enter a value between 1 and 1000 milliseconds for the scan cycle period threshold. This setting determines the time threshold during which new probe requests from a client come from a new scanning cycle. The default cycle threshold is 200 milliseconds.
Step 4: In the Age Out Suppression field, enter a value between 10 and 200 seconds. Age-out suppression sets the expiration time for pruning previously known 802.11b/g/n clients. The default value is 20 seconds. After this time elapses, clients become new and are subject to probe response suppression.
Step 5: In the Age Out Dual Band field, enter a value between 10 and 300 seconds. The age-out period sets the expiration time for pruning previously known dual-band clients. The default value is 50 seconds. After this time elapses, clients become new and are subject to probe response suppression.
Step 6: In the Client RSSI field, enter a value between -90 dBm and -20 dBm. This is the minimum RSSI for a client to respond to a probe.
Step 7: In the Client Mid RSSI field, enter a value between -90 dBm and -20 dBm. This parameter sets the mid-RSSI, whose value can be used for toggling 2.4 GHz probe suppression based on the RSSI value.
Step 8: Click Apply.

Configuring a Band-Select RF Profile (CLI)

Procedure

Step 1: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.


Step 2: ap dot11 24ghz rf-profile rf-profile
Example:
Device(config)# ap dot11 24ghz rf-profile test1
Purpose: Configures the RF profile name and enters RF profile configuration mode.

Step 3: band-select client {mid-rssi | rssi} dbm
Example:
Device(config-rf-profile)# band-select client rssi -90
Purpose: Sets the band-select client threshold.

Step 4: band-select cycle {count | threshold} count
Example:
Device(config-rf-profile)# band-select cycle count 10
Purpose: Sets the band-select cycle parameters.

Step 5: band-select expire {dual-band | suppression} time
Example:
Device(config-rf-profile)# band-select expire dual-band 100
Purpose: Configures the RF profile's band-select expiry time.

Step 6: band-select probe-response
Example:
Device(config-rf-profile)# band-select probe-response
Purpose: Enables the RF profile's band-select probe response.

Configuring 802.11n Parameters (GUI)
Procedure

Step 1: Choose Configuration > Tags & Profiles > RF.
Step 2: Click Add to view the Add RF Profile window.
Step 3: In the 802.11 tab, proceed as follows:
a) Choose the required operational rates.
b) Select the required 802.11n MCS Rates by checking the corresponding check boxes.
Step 4: Click Save & Apply to Device.


Configuring 802.11n Parameters (CLI)

Procedure

Step 1: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: ap dot11 {5ghz | 24ghz} dot11n
Example:
Device(config)# ap dot11 5ghz dot11n
Purpose: Enables 802.11n support on the network. The no form of this command disables the 802.11n support on the network.

Step 3: ap dot11 {5ghz | 24ghz} dot11n mcs tx rtu
Example:
Device(config)# ap dot11 5ghz dot11n mcs tx 20
Purpose: Specifies the modulation and coding scheme (MCS) rates at which data can be transmitted between the access point and the client. rtu: the valid range is between 0 and 23. The no form of this command disables the MCS rates that are configured.

Step 4: wlan wlan_profile_name wlan_ID SSID_network_name wmm require
Example:
Device(config)# wlan wlan1 25 ssid12
Device(config-wlan)# wmm require
Purpose: Enables WMM on the WLAN and uses the 802.11n data rates that you configured. The require keyword requires client devices to use WMM. Devices that do not support WMM cannot join the WLAN.

Step 5: ap dot11 {5ghz | 24ghz} shutdown
Example:
Device(config)# ap dot11 5ghz shutdown
Purpose: Disables the network.

Step 6: {ap | no ap} dot11 {5ghz | 24ghz} dot11n a-mpdu tx priority {all | 0-7}
Example:
Device(config)# ap dot11 5ghz dot11n a-mpdu tx priority all
Purpose: Specifies the aggregation method used for 802.11n packets. Aggregation is the process of grouping packet data frames together, rather than transmitting them separately. Two aggregation methods are available: Aggregated MAC Protocol Data Unit (A-MPDU) and Aggregated MAC Service Data Unit (A-MSDU). Both A-MPDU and A-MSDU are performed in the software. You can specify the aggregation method for various types of traffic from the access point to the clients. The list defines the priority levels (0-7) assigned per traffic type.
· 0--Best effort

· 1--Background
· 2--Spare
· 3--Excellent effort
· 4--Controlled load
· 5--Video, less than 100-ms latency and jitter
· 6--Voice, less than 100-ms latency and jitter
· 7--Network control
You can configure each priority level independently, or you can use the all keyword to configure all the priority levels at once. You can configure priority levels so that the traffic uses either A-MPDU transmission or A-MSDU transmission.
· When you use the ap command along with the other options, the traffic associated with that priority level uses A-MPDU transmission.
· When you use the no ap command along with the other options, the traffic associated with that priority level uses A-MSDU transmission.
Configure the priority levels to match the aggregation method used by the clients. By default, A-MPDU is enabled for priority level 0, 4, and 5, and the rest are disabled. By default, A-MPDU is enabled for all priorities except 6 and 7.

Step 7: no ap dot11 {5ghz | 24ghz} shutdown
Example:
Device(config)# no ap dot11 5ghz shutdown
Purpose: Re-enables the network.

Step 8: ap dot11 {5ghz | 24ghz} dot11n guard-interval {any | long}
Example:
Device(config)# ap dot11 5ghz dot11n guard-interval long
Purpose: Configures the guard interval for the network.

Step 9: ap dot11 {5ghz | 24ghz} dot11n rifs rx
Example:
Device(config)# ap dot11 5ghz dot11n rifs rx
Purpose: Configures the Reduced Interframe Space (RIFS) for the network.

Step 10: end
Example:
Device(config)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Configuring 802.11h Parameters (CLI)

Procedure

Step 1: ap dot11 5ghz shutdown
Example:
Device(config)# ap dot11 5ghz shutdown
Purpose: Disables the 802.11 network.

Step 2: {ap | no ap} dot11 5ghz channelswitch mode switch_mode
Example:
Device(config)# ap dot11 5ghz channelswitch mode 0
Purpose: Enables or disables the access point to announce when it is switching to a new channel. switch_mode--Enter 0 or 1 to specify whether transmissions are restricted until the actual channel switch (0) or are not restricted (1). The default value is disabled.

Step 3: ap dot11 5ghz power-constraint value
Example:
Device(config)# ap dot11 5ghz power-constraint 200
Purpose: Configures the 802.11h power constraint value in dB. The valid range is from 0 to 255. The default value is 3.

Step 4: no ap dot11 5ghz shutdown
Example:
Device(config)# no ap dot11 5ghz shutdown
Purpose: Re-enables the 802.11a network.

Monitoring Configuration Settings for Band Selection, 802.11 Bands, and Parameters

Verifying Configuration Settings Using Band Selection and 802.11 Bands Commands
The following commands can be used to verify band selection, 802.11 bands, and parameters on the controller.
Table 28: Monitoring Configuration Settings Using Band Selection and 802.11 Band Commands

Command                      Purpose
show ap dot11 5ghz network   Displays 802.11a band network parameters, 802.11a operational rates, 802.11n MCS settings, and 802.11n status information.
show ap dot11 24ghz network  Displays 802.11b band network parameters, 802.11b/g operational rates, 802.11n MCS settings, and 802.11n status information.
show wireless dot11h         Displays 802.11h configuration parameters.
show wireless band-select    Displays band-select configuration settings.

Example: Viewing the Configuration Settings for the 5-GHz Band

Device# show ap dot11 5ghz network
802.11a Network : Enabled
11nSupport : Enabled
802.11a Low Band : Enabled
802.11a Mid Band : Enabled
802.11a High Band : Enabled
802.11a Operational Rates
  802.11a 6M : Mandatory
  802.11a 9M : Supported
  802.11a 12M : Mandatory
  802.11a 18M : Supported
  802.11a 24M : Mandatory
  802.11a 36M : Supported
  802.11a 48M : Supported
  802.11a 54M : Supported
802.11n MCS Settings:
  MCS 0 : Supported
  MCS 1 : Supported
  MCS 2 : Supported
  MCS 3 : Supported
  MCS 4 : Supported
  MCS 5 : Supported
  MCS 6 : Supported
  MCS 7 : Supported
  MCS 8 : Supported
  MCS 9 : Supported

  MCS 10 : Supported
  MCS 11 : Supported
  MCS 12 : Supported
  MCS 13 : Supported
  MCS 14 : Supported
  MCS 15 : Supported
  MCS 16 : Supported
  MCS 17 : Supported
  MCS 18 : Supported
  MCS 19 : Supported
  MCS 20 : Supported
  MCS 21 : Supported
  MCS 22 : Supported
  MCS 23 : Supported
802.11n Status:
  A-MPDU Tx:
    Priority 0 : Enabled
    Priority 1 : Disabled
    Priority 2 : Disabled
    Priority 3 : Disabled
    Priority 4 : Enabled
    Priority 5 : Enabled
    Priority 6 : Disabled
    Priority 7 : Disabled
  A-MSDU Tx:
    Priority 0 : Enabled
    Priority 1 : Enabled
    Priority 2 : Enabled
    Priority 3 : Enabled
    Priority 4 : Enabled
    Priority 5 : Enabled
    Priority 6 : Disabled
    Priority 7 : Disabled
  Guard Interval : Any
  Rifs Rx : Enabled
Beacon Interval : 100
CF Pollable mandatory : Disabled
CF Poll Request Mandatory : Disabled
CFP Period : 4
CFP Maximum Duration : 60
Default Channel : 36
Default Tx Power Level : 1
DTPC Status : Enabled
Fragmentation Threshold : 2346
Pico-Cell Status : Disabled
Pico-Cell-V2 Status : Disabled
TI Threshold : 0
Legacy Tx Beamforming setting : Disabled
Traffic Stream Metrics Status : Disabled
Expedited BW Request Status : Disabled
EDCA profile type check : default-wmm
Call Admision Control (CAC) configuration
  Voice AC
    Voice AC - Admission control (ACM) : Disabled
    Voice Stream-Size : 84000
    Voice Max-Streams : 2
    Voice Max RF Bandwidth : 75
    Voice Reserved Roaming Bandwidth : 6
    Voice Load-Based CAC mode : Enabled
    Voice tspec inactivity timeout : Enabled
  CAC SIP-Voice configuration
    SIP based CAC : Disabled
    SIP Codec Type : CODEC_TYPE_G711
    SIP call bandwidth : 64

    SIP call bandwith sample-size : 20
  Video AC
    Video AC - Admission control (ACM) : Disabled
    Video max RF bandwidth : Infinite
    Video reserved roaming bandwidth : 0
Example: Viewing the Configuration Settings for the 2.4-GHz Band
Device# show ap dot11 24ghz network
802.11b Network : Enabled
11gSupport : Enabled
11nSupport : Enabled
802.11b/g Operational Rates
  802.11b 1M : Mandatory
  802.11b 2M : Mandatory
  802.11b 5.5M : Mandatory
  802.11g 6M : Supported
  802.11g 9M : Supported
  802.11b 11M : Mandatory
  802.11g 12M : Supported
  802.11g 18M : Supported
  802.11g 24M : Supported
  802.11g 36M : Supported
  802.11g 48M : Supported
  802.11g 54M : Supported
802.11n MCS Settings:
  MCS 0 : Supported
  MCS 1 : Supported
  MCS 2 : Supported
  MCS 3 : Supported
  MCS 4 : Supported
  MCS 5 : Supported
  MCS 6 : Supported
  MCS 7 : Supported
  MCS 8 : Supported
  MCS 9 : Supported
  MCS 10 : Supported
  MCS 11 : Supported
  MCS 12 : Supported
  MCS 13 : Supported
  MCS 14 : Supported
  MCS 15 : Supported
  MCS 16 : Supported
  MCS 17 : Supported
  MCS 18 : Supported
  MCS 19 : Supported
  MCS 20 : Supported
  MCS 21 : Supported
  MCS 22 : Supported
  MCS 23 : Supported
802.11n Status:
  A-MPDU Tx:
    Priority 0 : Enabled
    Priority 1 : Disabled
    Priority 2 : Disabled
    Priority 3 : Disabled
    Priority 4 : Enabled
    Priority 5 : Enabled
    Priority 6 : Disabled
    Priority 7 : Disabled
  A-MSDU Tx:

    Priority 0 : Enabled
    Priority 1 : Enabled
    Priority 2 : Enabled
    Priority 3 : Enabled
    Priority 4 : Enabled
    Priority 5 : Enabled
    Priority 6 : Disabled
    Priority 7 : Disabled
  Guard Interval : Any
  Rifs Rx : Enabled
Beacon Interval : 100
CF Pollable Mandatory : Disabled
CF Poll Request Mandatory : Disabled
CFP Period : 4
CFP Maximum Duration : 60
Default Channel : 11
Default Tx Power Level : 1
DTPC Status : true
Call Admission Limit : 105
G711 CU Quantum : 15
ED Threshold : -50
Fragmentation Threshold : 2346
PBCC Mandatory : Disabled
Pico-Cell Status : Disabled
Pico-Cell-V2 Status : Disabled
RTS Threshold : 2347
Short Preamble Mandatory : Enabled
Short Retry Limit : 7
Legacy Tx Beamforming setting : Disabled
Traffic Stream Metrics Status : Disabled
Expedited BW Request Status : Disabled
EDCA profile type : default-wmm
Call Admision Control (CAC) configuration
  Voice AC
    Voice AC - Admission control (ACM) : Disabled
    Voice Stream-Size : 84000
    Voice Max-Streams : 2
    Voice Max RF Bandwidth : 75
    Voice Reserved Roaming Bandwidth : 6
    Voice Load-Based CAC mode : Enabled
    Voice tspec inactivity timeout : Enabled
  CAC SIP-Voice configuration
    SIP based CAC : Disabled
    SIP Codec Type : CODEC_TYPE_G711
    SIP call bandwidth : 64
    SIP call bandwith sample-size : 20
  Video AC
    Video AC - Admission control (ACM) : Disabled
    Video max RF bandwidth : Infinite
    Video reserved roaming bandwidth : 0
Example: Viewing the status of 802.11h Parameters
Device# show wireless dot11h
Power Constraint: 0
Channel Switch: 0
Channel Switch Mode: 0

Example: Verifying the Band-Selection Settings
The following example displays a band-select configuration:

Device# show wireless band-select

Band Select Probe Response   : per WLAN enabling
Cycle Count                  : 2
Cycle Threshold (millisec)   : 200
Age Out Suppression (sec)    : 20
Age Out Dual Band (sec)      : 60
Client RSSI (dBm)            : -80
Client Mid RSSI (dBm)        : -80
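Verifying band select operationally usually means reading the output of show wireless band-select (and the band-select block of the RF-profile output shown below) on many controllers. The following added Python, which is not Cisco tooling and not part of this guide, parses the "Key : Value" lines of that output and flags any value outside the ranges this chapter documents, so configuration drift can be caught in a script rather than by eye. The first sample is the output shown above; the second is constructed to produce findings. Note that the guide's own CLI example uses cycle-threshold 5000 while stating a valid range of 1 to 1000; a check like this would flag that value.

```python
"""Parse 'Key : Value' show output and audit band-select values against the
ranges documented in this chapter. Added example, not Cisco tooling."""
from __future__ import annotations

import re

# Documented ranges, keyed by the label exactly as the show command prints it.
BAND_SELECT_RANGES: dict[str, tuple[int, int]] = {
    "Cycle Count": (1, 10),
    "Cycle Threshold (millisec)": (1, 1000),
    "Age Out Suppression (sec)": (10, 200),
    "Age Out Dual Band (sec)": (10, 300),
    "Client RSSI (dBm)": (-90, -20),
    "Client Mid RSSI (dBm)": (-90, -20),
}

# One "Key : Value" line; the key may contain spaces and parentheses.
_LINE = re.compile(r"^\s*(?P<key>[^:]+?)\s*:\s*(?P<val>.*?)\s*$")

# Sample 1: the output shown in this section.
SAMPLE_OK = """\
Device# show wireless band-select

Band Select Probe Response   : per WLAN enabling
Cycle Count                  : 2
Cycle Threshold (millisec)   : 200
Age Out Suppression (sec)    : 20
Age Out Dual Band (sec)      : 60
Client RSSI (dBm)            : -80
Client Mid RSSI (dBm)        : -80
"""

# Sample 2: constructed output with two values outside the documented ranges.
SAMPLE_BAD = """\
Device# show wireless band-select

Band Select Probe Response   : per WLAN enabling
Cycle Count                  : 3
Cycle Threshold (millisec)   : 5000
Age Out Suppression (sec)    : 20
Age Out Dual Band (sec)      : 50
Client RSSI (dBm)            : -80
Client Mid RSSI (dBm)        : -95
"""


def parse_show_output(text: str) -> dict[str, str]:
    """Turn 'Key : Value' lines into a dict; the command echo and blank lines are skipped."""
    fields: dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("Device#"):
            continue
        m = _LINE.match(line)
        if m:
            fields[m.group("key")] = m.group("val")
    return fields


def audit_band_select(fields: dict[str, str]) -> list[str]:
    """Return one finding per value that is missing, non-numeric or out of range."""
    findings: list[str] = []
    for key, (lo, hi) in BAND_SELECT_RANGES.items():
        raw = fields.get(key)
        if raw is None:
            findings.append(f"{key}: not present in output")
            continue
        try:
            val = int(raw)
        except ValueError:
            findings.append(f"{key}: non-numeric value {raw!r}")
            continue
        if not lo <= val <= hi:
            findings.append(f"{key}: {val} outside documented range {lo}..{hi}")
    return findings


if __name__ == "__main__":
    for name, sample in (("sample-ok", SAMPLE_OK), ("sample-bad", SAMPLE_BAD)):
        print(name, audit_band_select(parse_show_output(sample)) or "no findings")
```

Because the parser is generic, the same function reads the per-profile band-select block of show ap rf-profile ... detail; only the label strings in the range table differ for that output.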

The following example displays an AP RF profile details:

Device# show ap rf-profile name vid detail

Description                  :
RF Profile Name              : vid
Band                         : 2.4 GHz
802.11n client only          : Disabled
Transmit Power Threshold v1  : -70 dBm
Min Transmit Power           : -10 dBm
Max Transmit Power           : 30 dBm
Operational Rates
  802.11b 1M Rate            : Mandatory
  802.11b 2M Rate            : Mandatory
  802.11b 5.5M Rate          : Mandatory
  802.11b 11M Rate           : Mandatory
  802.11b 6M Rate            : Supported
  802.11b 9M Rate            : Supported
  802.11b 12M Rate           : Supported
  802.11b 18M Rate           : Supported
  802.11b 24M Rate           : Supported
  802.11b 36M Rate           : Supported
  802.11b 48M Rate           : Supported
  802.11b 54M Rate           : Supported
Max Clients                  : 200
Trap Threshold
  Clients                    : 12 clients
  Interference               : 10%
  Noise                      : -80 dBm
  Utilization                : 10%
Multicast Data Rate          : auto
Rx SOP Threshold             : auto
Band Select
  Probe Response             : Disabled
  Cycle Count                : 2 cycles
  Cycle Threshold            : 200 milliseconds
  Expire Suppression         : 20 seconds
  Expire Dual Band           : 60 seconds
  Client RSSI                : -80 dBm
  Client Mid RSSI            : -80 dBm
High Speed Roam
  hsr mode                   : Disabled
  hsr neighbor timeout       : 5
Load Balancing
  Window                     : 5 clients
  Denial                     : 3 count
Coverage Data
  Data                       : -62 dBm
  Voice                      : -80 dBm

  Minimum Client Level       : 12 clients
  Exception Level            : 48%
DCA Channel List             : 1,6,11
Unused Channel List          : 2,3,4,5,7,8,9,10
DCA Foreign AP Contribution  : Enabled
802.11n MCS Rates
  MCS 0                      : Enabled
  MCS 1                      : Enabled
  MCS 2                      : Enabled
  MCS 3                      : Enabled
  MCS 4                      : Enabled
  MCS 5                      : Enabled
  MCS 6                      : Enabled
  MCS 7                      : Enabled
  MCS 8                      : Enabled
  MCS 9                      : Enabled
  MCS 10                     : Enabled
  MCS 11                     : Enabled
  MCS 12                     : Enabled
  MCS 13                     : Enabled
  MCS 14                     : Enabled
  MCS 15                     : Enabled
  MCS 16                     : Enabled
  MCS 17                     : Enabled
  MCS 18                     : Enabled
  MCS 19                     : Enabled
  MCS 20                     : Enabled
  MCS 21                     : Enabled
  MCS 22                     : Enabled
  MCS 23                     : Enabled
  MCS 24                     : Enabled
  MCS 25                     : Enabled
  MCS 26                     : Enabled
  MCS 27                     : Enabled
  MCS 28                     : Enabled
  MCS 29                     : Enabled
  MCS 30                     : Enabled
  MCS 31                     : Enabled
State                        : Up
Client Network Preference    : connectivity

Configuration Examples for Band Selection, 802.11 Bands, and Parameters

Examples: Band Selection Configuration
This example shows how to set the probe cycle count and time threshold for a new scanning cycle period for band select:
Device# configure terminal
Device(config)# wireless client band-select cycle-count 3
Device(config)# wireless client band-select cycle-threshold 5000
Device(config)# end
This example shows how to set the suppression expiry time for band select:
Device# configure terminal
Device(config)# wireless client band-select expire suppression 100
Device(config)# end
This example shows how to set the dual-band expiry time for band select:
Device# configure terminal
Device(config)# wireless client band-select expire dual-band 100
Device(config)# end
This example shows how to set the client RSSI threshold for band select:
Device# configure terminal
Device(config)# wireless client band-select client-rssi 40
Device(config)# end
This example shows how to configure band selection on specific WLANs:
Device# configure terminal
Device(config)# wlan wlan1 25 ssid12
Device(config-wlan)# band-select
Device(config-wlan)# end
Examples: 802.11 Bands Configuration
This example shows how to configure 802.11 bands using beacon interval, fragmentation, and dynamic transmit power control:
Device# configure terminal
Device(config)# ap dot11 5ghz shutdown
Device(config)# ap dot11 24ghz shutdown
Device(config)# ap dot11 5ghz beaconperiod 500
Device(config)# ap dot11 5ghz fragmentation 300
Device(config)# ap dot11 5ghz dtpc
Device(config)# wireless client association limit 50 interval 1000
Device(config)# ap dot11 5ghz rate 36 mandatory
Device(config)# no ap dot11 5ghz shutdown
Device(config)# no ap dot11 24ghz shutdown
Device(config)# ap dot11 24ghz dot11g
Device(config)# end
Examples: 802.11n Configuration
This example shows how to configure 802.11n parameters for the 5-GHz band using the aggregation method:
Device# configure terminal
Device(config)# ap dot11 5ghz dot11n
Device(config)# ap dot11 5ghz dot11n mcs tx 20
Device(config)# wlan wlan1 25 ssid12
Device(config-wlan)# wmm require
Device(config-wlan)# exit
Device(config)# ap dot11 5ghz shutdown
Device(config)# ap dot11 5ghz dot11n a-mpdu tx priority all
Device(config)# no ap dot11 5ghz shutdown
Device(config)# exit
This example shows how to configure the guard interval for the 5-GHz band:
Device# configure terminal
Device(config)# ap dot11 5ghz dot11n
Device(config)# ap dot11 5ghz dot11n mcs tx 20
Device(config)# wlan wlan1 25 ssid12
Device(config-wlan)# wmm require
Device(config-wlan)# exit
Device(config)# no ap dot11 5ghz shutdown
Device(config)# ap dot11 5ghz dot11n guard-interval long
Device(config)# end
This example shows how to configure the RIFS for the 5-GHz band:
Device# configure terminal
Device(config)# ap dot11 5ghz dot11n
Device(config)# ap dot11 5ghz dot11n mcs tx 20
Device(config)# wlan wlan1 25 ssid12
Device(config-wlan)# wmm require
Device(config-wlan)# exit
Device(config)# ap dot11 5ghz shutdown
Device(config)# ap dot11 5ghz dot11n rifs rx
Device(config)# end
Examples: 802.11h Configuration
This example shows how to configure the access point to announce when it is switching to a new channel using restriction transmission:
Device# configure terminal
Device(config)# ap dot11 5ghz shutdown
Device(config)# ap dot11 5ghz channelswitch mode 0
Device(config)# no ap dot11 5ghz shutdown
Device(config)# end
This example shows how to configure the 802.11h power constraint for the 5-GHz band:
Device# configure terminal
Device(config)# ap dot11 5ghz shutdown
Device(config)# ap dot11 5ghz power-constraint 200
Device(config)# no ap dot11 5ghz shutdown
Device(config)# end

CHAPTER 75

NBAR Protocol Discovery

· Introduction to NBAR Protocol Discovery, on page 637
· Configuring NBAR Protocol Discovery, on page 637
· Verifying Protocol Discovery Statistics, on page 638
Introduction to NBAR Protocol Discovery
The NBAR Protocol Discovery feature provides an easy way of discovering the application protocols passing through an interface. Network Based Application Recognition (NBAR) determines which protocols and applications are currently running on the network. With Protocol Discovery, you can discover any protocol traffic that is supported by NBAR and obtain statistics that are associated with that protocol.
NBAR provides several classification features that identify applications and protocols from Layer 4 through Layer 7. NBAR is also used in Cisco Application Visibility and Control (AVC). With AVC, NBAR provides better application performance through better QoS and policing, and gives finer visibility into how the network is being used.

Configuring NBAR Protocol Discovery
Follow the procedure given below to enable protocol discovery:

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wireless profile policy profile-policy
Example:
Device(config)# wireless profile policy nbar-proto-policy
Purpose: Configures a WLAN policy profile and enters wireless policy configuration mode.

Step 3
Command or Action: central switching
Example:
Device(config-wireless-policy)# central switching
Purpose: Configures the wireless policy profile for central switching.
Note: NBAR Protocol Discovery is supported in local mode (central switching) and in FlexConnect (central switching) mode.

Step 4
Command or Action: ip nbar protocol-discovery
Example:
Device(config-wireless-policy)# ip nbar protocol-discovery
Purpose: Enables application recognition on the wireless policy profile by activating the NBAR2 engine.

Verifying Protocol Discovery Statistics
To view protocol discovery statistics, use the following command:
Device# show ip nbar protocol-discovery wlan wlan-profile-name

wlan_profile_name (iif_id 0xF0400002)
Last clearing of "show ip nbar protocol-discovery" counters 00:07:12

                         Input                       Output
                         -----                       ------
Protocol                 Packet Count                Packet Count
                         Byte Count                  Byte Count
                         5min Bit Rate (bps)         5min Bit Rate (bps)
                         5min Max Bit Rate (bps)     5min Max Bit Rate (bps)
------------------------ ------------------------ ------------------------
unknown                  22                          0
                         4173                        0
                         0                           0
                         2000                        0
dhcp                     3                           2
                         1166                        724
                         0                           0
                         0                           0
ping                     2                           2
                         204                         236
                         0                           0
                         0                           0
Total                    27                          4
                         5543                        960
                         0                           0
                         2000                        0

To clear protocol discovery statistics, use the following command:
Device# clear ip nbar protocol-discovery wlan wlan-profile-name
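The following Python script is an added example, not part of this guide or of Cisco's software: it parses the show ip nbar protocol-discovery output shown above into per-protocol counters, checks that the rows add up to the Total row, and reports when most bytes on the WLAN are unclassified. SAMPLE is constructed from the table above; the 50% threshold is an assumed local policy.

```python
"""Parse 'show ip nbar protocol-discovery wlan <profile>' output and flag
unclassified traffic. Added example, not Cisco code; SAMPLE is constructed
from the table shown in this guide."""
from typing import Dict, List

SAMPLE = """\
wlan_profile_name (iif_id 0xF0400002)
Last clearing of "show ip nbar protocol-discovery" counters 00:07:12

                         Input                       Output
                         -----                       ------
Protocol                 Packet Count                Packet Count
                         Byte Count                  Byte Count
                         5min Bit Rate (bps)         5min Bit Rate (bps)
                         5min Max Bit Rate (bps)     5min Max Bit Rate (bps)
------------------------ ------------------------ ------------------------
unknown                  22                          0
                         4173                        0
                         0                           0
                         2000                        0
dhcp                     3                           2
                         1166                        724
                         0                           0
                         0                           0
ping                     2                           2
                         204                         236
                         0                           0
                         0                           0
Total                    27                          4
                         5543                        960
                         0                           0
                         2000                        0
"""

ROWS = ("packets", "bytes", "bps_5min", "max_bps_5min")  # order of the four lines per protocol
Stats = Dict[str, Dict[str, Dict[str, int]]]             # protocol -> direction -> counter


def parse_protocol_discovery(text: str) -> Stats:
    """Each protocol spans four lines: 'name in out', then three 'in out' lines."""
    stats: Stats = {}
    name, row, in_table = None, 0, False
    for line in text.splitlines():
        if not in_table:
            in_table = line.startswith("-----")    # the header ends at the dashed rule
            continue
        fields = line.split()
        if not fields:
            continue
        if not line[0].isspace():                   # first line of a protocol block
            name, row = fields[0], 0
            fields = fields[1:]
            stats[name] = {"input": {}, "output": {}}
        if name is None or len(fields) != 2 or row >= len(ROWS):
            raise ValueError(f"unexpected line in protocol-discovery output: {line!r}")
        stats[name]["input"][ROWS[row]] = int(fields[0])
        stats[name]["output"][ROWS[row]] = int(fields[1])
        row += 1
    return stats


def totals_consistent(stats: Stats) -> bool:
    """Per-protocol packet and byte counts must add up to the Total row; a mismatch
    usually means truncated output. Bit rates are not additive, so they are skipped."""
    total = stats["Total"]
    for direction in ("input", "output"):
        for key in ("packets", "bytes"):
            summed = sum(v[direction][key] for n, v in stats.items() if n != "Total")
            if summed != total[direction][key]:
                return False
    return True


def unknown_byte_share(stats: Stats) -> float:
    """Fraction of all bytes (both directions) that NBAR could not classify."""
    total = stats["Total"]["input"]["bytes"] + stats["Total"]["output"]["bytes"]
    unk = stats.get("unknown", {"input": {"bytes": 0}, "output": {"bytes": 0}})
    return 0.0 if total == 0 else (unk["input"]["bytes"] + unk["output"]["bytes"]) / total


def review(text: str, max_unknown_share: float = 0.5) -> List[str]:
    """Findings a wireless administrator would act on for one WLAN profile's output."""
    stats = parse_protocol_discovery(text)
    findings = []
    if not totals_consistent(stats):
        findings.append("per-protocol counters do not add up to Total; re-collect the output")
    share = unknown_byte_share(stats)
    if share > max_unknown_share:
        findings.append(f"{share:.0%} of bytes are unclassified ('unknown'); inspect that traffic")
    return findings
```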

CHAPTER 76

Conditional Debug, Radioactive Tracing, and Packet Tracing

· Introduction to Conditional Debugging, on page 639
· Introduction to Radioactive Tracing, on page 640
· Conditional Debugging and Radioactive Tracing, on page 640
· Location of Tracefiles, on page 641
· Configuring Conditional Debugging (GUI), on page 641
· Configuring Conditional Debugging, on page 642
· Radioactive Tracing for L2 Multicast, on page 643
· Recommended Workflow for Trace files, on page 643
· Copying Tracefiles Off the Box, on page 644
· Configuration Examples for Conditional Debugging, on page 644
· Verifying Conditional Debugging, on page 645
· Example: Verifying Radioactive Tracing Log for SISF, on page 645
· Information About Packet Tracing, on page 646
· Configuring Conditional Debugging Packet Tracing, on page 647
· Configuring Conditional Debugging Packet Tracing per AP, on page 648
· Configuring Conditional Debugging Packet Tracing per Client (GUI), on page 649
· Configuring Conditional Debugging Packet Tracing per Client, on page 649
· Verifying Conditional Debugging Packet Tracing Configuration, on page 649
Introduction to Conditional Debugging
The Conditional Debugging feature allows you to selectively enable debugging and logging for specific features based on the set of conditions you define. This is useful in systems that support a large number of features: conditional debugging allows granular debugging in a network that is operating at a large scale, letting you observe detailed debugs for specific instances within the system, for example a single session among thousands. It is also possible to specify multiple conditions. A condition refers to a feature or identity, where an identity can be an interface, an IP address, a MAC address, and so on.

This is in contrast to the general debug command, which produces its output without discriminating on the feature objects being processed. The general debug command consumes a lot of system resources and impacts system performance.
Introduction to Radioactive Tracing
Radioactive tracing (RA) provides the ability to stitch together a chain of execution for operations of interest across the system, at an increased verbosity level. This provides a way to conditionally print debug information (up to DEBUG level or a specified level) across threads, processes, and function calls.

Note
· Radioactive tracing supports First-Hop Security (FHS). For more information on First Hop Security features, see System Management > Wireless Multicast > Information About Wireless Multicast > Information About IPv6 Snooping.
· The radioactive tracing filter does not work if the certificate is not valid.
· For effective debugging of issues on mesh features, ensure that you add both the Ethernet and the Radio MAC address as conditional MACs for RA tracing while collecting logs.
· To enable debug for wireless IPs, use the debug platform condition feature wireless ip ip-address command.

Table 29: Components Supporting Radio Active Tracing

Components    Details
SISF or FHS   The first-hop security features include IPv6 Address Glean and IPv6 Device Tracking. For more information, see Information About IPv6 Snooping.
LISP          Locator or ID Separation Protocol.

Conditional Debugging and Radioactive Tracing
Radioactive Tracing, when coupled with Conditional Debugging, provides a single debug CLI to debug all execution contexts related to the condition. This can be done without being aware of the various control flow processes of the feature within the box and without having to issue debugs at these processes individually.

Note Use the clear platform condition all command to remove the debug conditions applied to the platform.

Location of Tracefiles
By default, the tracefile logs are generated for each process and saved into either the /tmp/rp/trace or the /tmp/fp/trace directory. In this temp directory, the trace logs are written to files of 1 MB each. You can verify these logs (per process) using the show platform software trace message process_name chassis active R0 command. The directory can hold up to a maximum of 25 such files for a given process. When a tracefile in the /tmp directory reaches its 1 MB limit, or whatever size was configured for it during boot time, it is rotated out to an archive location in the /crashinfo partition under the tracelogs directory.
The /tmp directory holds only a single tracefile for a given process. Once the file reaches its file size limit, it is rotated out to /crashinfo/tracelogs. In the archive directory, up to 25 files are accumulated, after which the oldest one is replaced by the newly rotated file from /tmp. File size is process dependent, and some processes use larger file sizes (up to 10 MB). Similarly, the number of files in the tracelogs directory is also decided by the process. For example, the WNCD process uses a limit of 400 files per instance, depending on the platform.
The tracefiles in the crashinfo directory are located in the following formats:
1. Process-name_Process-ID_running-counter.timestamp.gz
Example: IOSRP_R0-0.bin_0.14239.20151101234827.gz
2. Process-name_pmanlog_Process-ID_running-counter.timestamp.bin.gz
Example: wncmgrd_R0-0.27958_1.20180902081532.bin.gz

Configuring Conditional Debugging (GUI)
Procedure

Step 1  Choose Troubleshooting > Radioactive Trace.
Step 2  Click Add.
Step 3  Enter the MAC/IP Address.
Step 4  Click Apply to Device.
Step 5  Click Start to start or Stop to stop the conditional debug.
Step 6  Click Generate to create a radioactive trace log.
Step 7  Click the radio button to set the time interval.
Step 8  Click the Download Logs icon that is displayed next to the trace file name, to download the logs to your local folder.
Step 9  Click the View Logs icon that is displayed next to the trace file name, to view the log files on the GUI page. Click Load More to view more lines of the log file.
Step 10 Click Apply to Device.

Configuring Conditional Debugging
Follow the procedure given below to configure conditional debugging:

Procedure

Step 1
Command or Action: debug platform condition feature wireless mac {mac-address}
Example:
Device# debug platform condition feature wireless mac b838.61a1.5433
Purpose: Configures conditional debugging for a feature using the specified MAC address.
Note: This is supported with AP or client MAC/IP and also on CMX IP address and mobility peer IP.

Step 2
Command or Action: debug platform condition start
Example:
Device# debug platform condition start
Purpose: Starts conditional debugging (this will start radioactive tracing if there is a match on one of the conditions above).
Note: This is supported with AP or client MAC/IP and also on CMX IP address and mobility peer IP.

Step 3
Command or Action: show platform condition OR show debug
Example:
Device# show platform condition
Device# show debug
Purpose: Displays the current conditions set.

Step 4
Command or Action: debug platform condition stop
Example:
Device# debug platform condition stop
Purpose: Stops conditional debugging (this will stop radioactive tracing).
Note: This is supported with AP or client MAC/IP and also on CMX IP address and mobility peer IP.

Step 5
Command or Action: show logging profile wireless [counter | [last]{x days/hours} | filter mac{<mac address>} [to-file]{<destination>}
Example:
Device# show logging profile wireless start last 20 minutes to-file bootflash:logs.txt
Purpose: Displays the logs from the latest wireless profile.
Note: You can use either the show logging profile wireless command or the show logging process command to collect the logs.

Step 6
Command or Action: show logging process <process name>
Example:
Device# show logging process wncd to-file flash:wncd.txt
Purpose: Displays the log collection specific to the process.

Step 7
Command or Action: clear platform condition all
Example:
Device# clear platform condition all
Purpose: Clears all conditions.

What to do next

Note: The command request platform software trace filter-binary wireless {mac-address} generates 3 flash files:
· collated_log_<.date..>
· mac_log <..date..>
· mac_database .. file
Of these, mac_log <..date..> is the most important file, as it gives the messages for the MAC address being debugged. The command show platform software trace filter-binary also generates the same flash files, and also prints the mac_log on the screen.
Radioactive Tracing for L2 Multicast
To identify a specific multicast receiver, specify the MAC address of the joiner or receiver client, the group multicast IP address, and the snooping VLAN. Additionally, enable the trace level for the debug. The debug level provides detailed traces and better visibility into the system.
debug platform condition feature multicast controlplane mac client-mac-addr ip group-ip-addr vlan id level debug level
Recommended Workflow for Trace files
The recommended workflow for trace files is listed below:
1. Request the tracelogs for a specific time period, for example 1 day, using the command:
   Device# show logging process wncd to-file flash:wncd.txt
2. The system generates a text file of the tracelogs in the location /flash:
3. Copy the file off the device. By copying the file, the tracelogs can be used to work offline. For more details on copying files, see the section below.
4. Delete the tracelog (.txt) file from the /flash: location. This ensures enough space on the device for other operations.

Copying Tracefiles Off the Box
An example of the tracefile listing is shown below:
Device# dir crashinfo:/tracelogs
Directory of crashinfo:/tracelogs/
50664 -rwx 760 Sep 22 2015 11:12:21 +00:00 plogd_F0-0.bin_0.gz
50603 -rwx 991 Sep 22 2015 11:12:08 +00:00 fed_pmanlog_F0-0.bin_0.9558.20150922111208.gz
50610 -rw- 11 Nov 2 2015 00:15:59 +00:00 timestamp
50611 -rwx 1443 Sep 22 2015 11:11:31 +00:00 auto_upgrade_client_sh_pmanlog_R0-.bin_0.3817.20150922111130.gz
50669 -rwx 589 Sep 30 2015 03:59:04 +00:00 cfgwr-8021_R0-0.bin_0.gz
50612 -rwx 1136 Sep 22 2015 11:11:46 +00:00 reflector_803_R0-0.bin_0.1312.20150922111116.gz
50794 -rwx 4239 Nov 2 2015 00:04:32 +00:00 IOSRP_R0-0.bin_0.14239.20151101234827.gz
50615 -rwx 131072 Nov 2 2015 00:19:59 +00:00 linux_iosd_image_pmanlog_R0-0.bin_0
The trace files can be copied using one of the various options shown below:
Device# copy crashinfo:/tracelogs ?
  crashinfo:      Copy to crashinfo: file system
  flash:          Copy to flash: file system
  ftp:            Copy to ftp: file system
  http:           Copy to http: file system
  https:          Copy to https: file system
  null:           Copy to null: file system
  nvram:          Copy to nvram: file system
  rcp:            Copy to rcp: file system
  running-config  Update (merge with) current system configuration
  scp:            Copy to scp: file system
  startup-config  Copy to startup configuration
  syslog:         Copy to syslog: file system
  system:         Copy to system: file system
  tftp:           Copy to tftp: file system
  tmpsys:         Copy to tmpsys: file system
The general syntax for copying onto a TFTP server is as follows:
Device# copy source: tftp:
Device# copy crashinfo:/tracelogs/IOSRP_R0-0.bin_0.14239.20151101234827.gz tftp:
Address or name of remote host []? 2.2.2.2
Destination filename [IOSRP_R0-0.bin_0.14239.20151101234827.gz]?
Note: It is important to clear the generated report or archive files off the device in order to have flash space available for tracelogs and other purposes.
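The following script is an added example, not Cisco's code. It applies the two archive file-name formats from Location of Tracefiles to a dir crashinfo:/tracelogs listing and selects the files rotated at or after a given time, so only the relevant archives are copied and then deleted. The listing is constructed from the entries above plus one wncmgrd file, the numeric fields are accepted with either "." or "_" separators because the two documented examples differ, and the non-interactive tftp://server/file form of copy is assumed.

```python
"""Pick the archived tracelogs worth copying off the box.

Added example, not Cisco code. Parses a 'dir crashinfo:/tracelogs' listing and
the archive file-name formats described in this chapter. SAMPLE_DIR is
constructed from the entries shown in this guide plus one wncmgrd line.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

SAMPLE_DIR = """\
Directory of crashinfo:/tracelogs/

50664  -rwx      760  Sep 22 2015 11:12:21 +00:00  plogd_F0-0.bin_0.gz
50603  -rwx      991  Sep 22 2015 11:12:08 +00:00  fed_pmanlog_F0-0.bin_0.9558.20150922111208.gz
50610  -rw-       11  Nov 2 2015 00:15:59 +00:00  timestamp
50611  -rwx     1443  Sep 22 2015 11:11:31 +00:00  auto_upgrade_client_sh_pmanlog_R0-.bin_0.3817.20150922111130.gz
50669  -rwx      589  Sep 30 2015 03:59:04 +00:00  cfgwr-8021_R0-0.bin_0.gz
50612  -rwx     1136  Sep 22 2015 11:11:46 +00:00  reflector_803_R0-0.bin_0.1312.20150922111116.gz
50794  -rwx     4239  Nov 2 2015 00:04:32 +00:00  IOSRP_R0-0.bin_0.14239.20151101234827.gz
50615  -rwx   131072  Nov 2 2015 00:19:59 +00:00  linux_iosd_image_pmanlog_R0-0.bin_0
50801  -rwx     2210  Sep 2 2018 08:16:01 +00:00  wncmgrd_R0-0.27958_1.20180902081532.bin.gz
"""

# Documented archive formats:
#   Process-name_Process-ID_running-counter.timestamp.gz
#   Process-name_pmanlog_Process-ID_running-counter.timestamp.bin.gz
# The examples separate the numeric fields with '.' or '_', so accept either.
NAME_RE = re.compile(
    r"^(?P<proc>[A-Za-z][\w-]*?)(?P<pmanlog>_pmanlog)?_(?P<unit>[RF]\d-\d?)"
    r"(?:\.bin)?[._](?P<n1>\d+)(?:[._](?P<n2>\d+))?(?:\.(?P<ts>\d{14}))?"
    r"(?:\.bin)?\.gz$"
)
DIR_RE = re.compile(
    r"^\s*\d+\s+(?P<perm>\S+)\s+(?P<size>\d+)\s+"
    r"(?P<mtime>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) [+-]\d{2}:\d{2}\s+(?P<name>\S+)$"
)


@dataclass
class ArchiveName:
    process: str
    pmanlog: bool
    stamp: Optional[datetime]   # rotation time embedded in the name, if any


def parse_archive_name(name: str) -> Optional[ArchiveName]:
    """Decode an archived tracelog name; None for anything else, such as the
    'timestamp' file or a still-active file without the .gz suffix."""
    m = NAME_RE.match(name)
    if not m:
        return None
    stamp = datetime.strptime(m["ts"], "%Y%m%d%H%M%S") if m["ts"] else None
    return ArchiveName(m["proc"], bool(m["pmanlog"]), stamp)


@dataclass
class TraceFile:
    name: str
    size: int
    mtime: datetime                 # modification time from the dir listing
    archive: Optional[ArchiveName]

    @property
    def when(self) -> datetime:
        """Best available rotation time: the name's stamp, else the listing mtime."""
        return self.archive.stamp if self.archive and self.archive.stamp else self.mtime


def parse_dir_listing(text: str) -> List[TraceFile]:
    files = []
    for line in text.splitlines():
        m = DIR_RE.match(line)
        if not m:
            continue                 # header or blank line
        mtime = datetime.strptime(m["mtime"], "%b %d %Y %H:%M:%S")
        files.append(TraceFile(m["name"], int(m["size"]), mtime, parse_archive_name(m["name"])))
    return files


def select_for_copy(files: List[TraceFile], since: str, process: Optional[str] = None) -> List[str]:
    """Archived tracelogs rotated at or after 'since' (ISO 8601), optionally for one
    process, oldest first so that copying preserves chronology."""
    since_dt = datetime.fromisoformat(since)
    chosen = [f for f in files if f.archive and f.when >= since_dt
              and (process is None or f.archive.process == process)]
    return [f.name for f in sorted(chosen, key=lambda f: f.when)]


def copy_commands(names: List[str], server: str) -> List[str]:
    """One 'copy ... tftp:' line per selected file (assumed non-interactive URL form)."""
    return [f"copy crashinfo:/tracelogs/{n} tftp://{server}/{n}" for n in names]
```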
Configuration Examples for Conditional Debugging
The following is an output example of the show platform condition command.
Device# show platform condition
Conditional Debug Global State: Stop

Conditions                                                                                    Direction
----------------------------------------------------------------------------------------------|---------
MAC Address 0024.D7C7.0054                                                                    N/A

Feature Condition Type Value
-----------------------|-----------------------|-------------------------------
Device#
The following is an output example of the show debug command.
Device# show debug
IOSXE Conditional Debug Configs:
Conditional Debug Global State: Start

Conditions                                                                                    Direction
----------------------------------------------------------------------------------------------|---------
MAC Address 0024.D7C7.0054                                                                    N/A

Feature Condition Type Value
-----------------------|-----------------------|-------------------------------

Packet Infra debugs:
Ip Address                                             Port
------------------------------------------------------|---------
Device#

Verifying Conditional Debugging

The table shown below lists the various commands that can be used to verify conditional debugging:

Command                                        Purpose
show platform condition                        Displays the current conditions set.
show debug                                     Displays the current debug conditions set.
show platform software trace filter-binary     Displays logs merged from the latest tracefile.
request platform software trace filter-binary  Displays historical logs of merged tracefiles on the system.

Example: Verifying Radioactive Tracing Log for SISF
The following is an output example of the show platform software trace message ios chassis active R0 | inc sisf command.
Device# show platform software trace message ios chassis active R0 | inc sisf
2017/10/26 13:46:22.104 {IOSRP_R0-0}{1}: [parser]: [5437]: UUID: 0, ra: 0 (note): CMD: 'show platform software trace message ios switch active R0 | inc sisf' 13:46:22 UTC Thu Oct 26 2017
2017/10/26 13:46:10.667 {IOSRP_R0-0}{1}: [sisf]: [5437]: UUID: 4800000000060, ra: 7 (debug): FF8E802918 semaphore system unlocked
2017/10/26 13:46:10.667 {IOSRP_R0-0}{1}: [sisf]: [5437]: UUID: 4800000000060, ra: 7 (debug): Unlocking, count is now 0
2017/10/26 13:46:10.667 {IOSRP_R0-0}{1}: [sisf]: [5437]: UUID: 4800000000060, ra: 7 (debug): FF8E802918 semaphore system unlocked
2017/10/26 13:46:10.667 {IOSRP_R0-0}{1}: [sisf]: [5437]: UUID: 4800000000060, ra: 7 (debug): Unlocking, count is now 1
2017/10/26 13:46:10.667 {IOSRP_R0-0}{1}: [sisf]: [5437]: UUID: 4800000000060, ra: 7 (debug): Gi1/0/5 vlan 10 aaaa.bbbb.cccc Setting State to 2
2017/10/26 13:46:10.667 {IOSRP_R0-0}{1}: [sisf]: [5437]: UUID: 4800000000060, ra: 7 (debug): Gi1/0/5 vlan 10 aaaa.bbbb.cccc Start timer 0
2017/10/26 13:46:10.667 {IOSRP_R0-0}{1}: [sisf]: [5437]: UUID: 4800000000060, ra: 7 (debug): Gi1/0/5 vlan 10 aaaa.bbbb.cccc Timer value/granularity for 0 :299998/1000
2017/10/26 13:46:10.667 {IOSRP_R0-0}{1}: [sisf]: [5437]: UUID: 4800000000060, ra: 7 (debug): Gi1/0/5 vlan 10 aaaa.bbbb.cccc Updated Mac Timer : 299998
2017/10/26 13:46:10.667 {IOSRP_R0-0}{1}: [sisf]: [5437]: UUID: 4800000000060, ra: 7 (debug): Gi1/0/5 vlan 10 aaaa.bbbb.cccc Before Timer : 350000
2017/10/26 13:46:10.667 {IOSRP_R0-0}{1}: [sisf]: [5437]: UUID: 4800000000060, ra: 7 (debug): Gi1/0/5 vlan 10 aaaa.bbbb.cccc Timer 0, default value is 350000
2017/10/26 13:46:10.667 {IOSRP_R0-0}{1}: [sisf]: [5437]: UUID: 4800000000060, ra: 7 (debug): Allocating timer wheel for 0
2017/10/26 13:46:10.667 {IOSRP_R0-0}{1}: [sisf]: [5437]: UUID: 4800000000060, ra: 7 (debug): Gi1/0/5 vlan 10 aaaa.bbbb.cccc No timer running
2017/10/26 13:46:10.667 {IOSRP_R0-0}{1}: [sisf]: [5437]: UUID: 4800000000060, ra: 7 (debug): Granularity for timer MAC_T1 is 1000
2017/10/26 13:46:10.667 {IOSRP_R0-0}{1}: [sisf]: [5437]: UUID: 4800000000060, ra: 7 (debug): Gi1/0/5 vlan 10 aaaa.bbbb.cccc Current State :MAC-STALE, Req Timer : MAC_T1 Current Timer MAC_T1
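A parser for the trace message lines above, added here as an example and not Cisco tooling: it splits each line into its fields (timestamp, process, module, PID, UUID, ra level, severity, message), keeps the SISF binding messages for one MAC, and reports the last binding state seen. SAMPLE_TRACE is built from the output above; reading a non-zero UUID as "emitted while a debug condition matched" is an interpretation of that output, not a documented rule.

```python
"""Parse 'show platform software trace message ... | inc sisf' lines.
Added example, not Cisco code; SAMPLE_TRACE is constructed from the
radioactive-trace output shown in this guide."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAMPLE_TRACE = """\
2017/10/26 13:46:22.104 {IOSRP_R0-0}{1}: [parser]: [5437]: UUID: 0, ra: 0 (note): CMD: 'show platform software trace message ios switch active R0 | inc sisf' 13:46:22 UTC Thu Oct 26 2017
2017/10/26 13:46:10.667 {IOSRP_R0-0}{1}: [sisf]: [5437]: UUID: 4800000000060, ra: 7 (debug): FF8E802918 semaphore system unlocked
2017/10/26 13:46:10.667 {IOSRP_R0-0}{1}: [sisf]: [5437]: UUID: 4800000000060, ra: 7 (debug): Unlocking, count is now 0
2017/10/26 13:46:10.667 {IOSRP_R0-0}{1}: [sisf]: [5437]: UUID: 4800000000060, ra: 7 (debug): FF8E802918 semaphore system unlocked
2017/10/26 13:46:10.667 {IOSRP_R0-0}{1}: [sisf]: [5437]: UUID: 4800000000060, ra: 7 (debug): Unlocking, count is now 1
2017/10/26 13:46:10.667 {IOSRP_R0-0}{1}: [sisf]: [5437]: UUID: 4800000000060, ra: 7 (debug): Gi1/0/5 vlan 10 aaaa.bbbb.cccc Setting State to 2
2017/10/26 13:46:10.667 {IOSRP_R0-0}{1}: [sisf]: [5437]: UUID: 4800000000060, ra: 7 (debug): Gi1/0/5 vlan 10 aaaa.bbbb.cccc Start timer 0
2017/10/26 13:46:10.667 {IOSRP_R0-0}{1}: [sisf]: [5437]: UUID: 4800000000060, ra: 7 (debug): Gi1/0/5 vlan 10 aaaa.bbbb.cccc Timer value/granularity for 0 :299998/1000
2017/10/26 13:46:10.667 {IOSRP_R0-0}{1}: [sisf]: [5437]: UUID: 4800000000060, ra: 7 (debug): Gi1/0/5 vlan 10 aaaa.bbbb.cccc Updated Mac Timer : 299998
2017/10/26 13:46:10.667 {IOSRP_R0-0}{1}: [sisf]: [5437]: UUID: 4800000000060, ra: 7 (debug): Gi1/0/5 vlan 10 aaaa.bbbb.cccc Before Timer : 350000
2017/10/26 13:46:10.667 {IOSRP_R0-0}{1}: [sisf]: [5437]: UUID: 4800000000060, ra: 7 (debug): Gi1/0/5 vlan 10 aaaa.bbbb.cccc Timer 0, default value is 350000
2017/10/26 13:46:10.667 {IOSRP_R0-0}{1}: [sisf]: [5437]: UUID: 4800000000060, ra: 7 (debug): Allocating timer wheel for 0
2017/10/26 13:46:10.667 {IOSRP_R0-0}{1}: [sisf]: [5437]: UUID: 4800000000060, ra: 7 (debug): Gi1/0/5 vlan 10 aaaa.bbbb.cccc No timer running
2017/10/26 13:46:10.667 {IOSRP_R0-0}{1}: [sisf]: [5437]: UUID: 4800000000060, ra: 7 (debug): Granularity for timer MAC_T1 is 1000
2017/10/26 13:46:10.667 {IOSRP_R0-0}{1}: [sisf]: [5437]: UUID: 4800000000060, ra: 7 (debug): Gi1/0/5 vlan 10 aaaa.bbbb.cccc Current State :MAC-STALE, Req Timer : MAC_T1 Current Timer MAC_T1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"\{(?P<proc>[^}]+)\}\{(?P<inst>\d+)\}: \[(?P<module>[^\]]+)\]: \[(?P<pid>\d+)\]: "
    r"UUID: (?P<uuid>\d+), ra: (?P<ra>\d+) \((?P<level>\w+)\): (?P<msg>.*)$"
)
# Binding-specific SISF messages are prefixed with "<interface> vlan <id> <mac>".
BINDING_RE = re.compile(r"^(?P<intf>\S+) vlan (?P<vlan>\d+) (?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}) (?P<detail>.*)$")
STATE_RE = re.compile(r"Setting State to (\S+)|Current State :([^,]+)")


@dataclass
class TraceEntry:
    ts: str
    process: str
    module: str
    pid: int
    uuid: int
    ra: int
    level: str
    msg: str
    intf: Optional[str] = None
    vlan: Optional[int] = None
    mac: Optional[str] = None
    detail: Optional[str] = None

    @property
    def tagged(self) -> bool:
        """Assumed reading: a non-zero UUID marks a message emitted while a condition matched."""
        return self.uuid != 0


def parse_trace(text: str) -> List[TraceEntry]:
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                     # prompt or wrapped continuation line
        e = TraceEntry(m["ts"], m["proc"], m["module"], int(m["pid"]), int(m["uuid"]),
                       int(m["ra"]), m["level"], m["msg"])
        b = BINDING_RE.match(e.msg)
        if b:
            e.intf, e.vlan, e.mac, e.detail = b["intf"], int(b["vlan"]), b["mac"], b["detail"]
        entries.append(e)
    return entries


def binding_timeline(entries: List[TraceEntry], mac: str) -> List[Tuple[str, str]]:
    """(timestamp, detail) for every SISF message about the given MAC, in log order."""
    return [(e.ts, e.detail) for e in entries if e.module == "sisf" and e.mac == mac.lower()]


def last_state(entries: List[TraceEntry], mac: str) -> Optional[str]:
    """Most recent binding state reported for the MAC ('Setting State to N' or 'Current State :X')."""
    state = None
    for _, detail in binding_timeline(entries, mac):
        m = STATE_RE.search(detail)
        if m:
            state = m.group(1) or m.group(2)
    return state


def level_counts(entries: List[TraceEntry]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e.level] = counts.get(e.level, 0) + 1
    return counts
```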
Information About Packet Tracing
The packet tracing feature covers how to perform data plane packet tracing for Cisco Catalyst 9800 Series Wireless Controller for Cloud software. This feature identifies the following issues:
· Misconfiguration
· Capacity overload
· Software bugs while troubleshooting
This feature identifies what happens to a packet in your system. The conditional debugging packet tracing feature is used for accounting and capturing per-packet processing details for user-defined conditions. You can trace packets on the controller using the following steps:
1. Enable conditional debugging on the selected packets or traffic that you want to trace on the controller.
2. Enable packet tracing (per AP or per client).
Note: You need to use per-AP conditional debugging with the MAC address as a filter when the AP and the controller are in the same VLAN. If they are not in the same VLAN, per-AP packet tracing with the MAC address does not capture packets, as the MAC address varies.
Limitation of Conditional Debugging Packet Tracing: the MAC or IP filter only applies to the outer Ethernet or IP header, so if a packet is CAPWAP encapsulated, the MAC or IP filter does not apply to the inner 802.11 MAC or IP.

Configuring Conditional Debugging Packet Tracing

Procedure

Step 1
Command or Action: enable
Example:
Device> enable
Purpose: Enables privileged EXEC mode. Enter your password, if prompted.

Step 2
Command or Action: debug platform packet-trace packet packet-count circular fia-trace data-size data-size
Example:
Device# debug platform packet-trace packet 8192 circular fia-trace data-size 2048
Purpose: Configures packet tracing to capture the last set of packets. Here,
packet-count--Valid range is from 16 to 8192.
data-size--Valid range is from 2048 to 16384 bytes.

Step 3
Command or Action: debug platform packet-trace copy packet both size packet-size
Example:
Device# debug platform packet-trace copy packet both size 2048
Purpose: Configures packet tracing for a copy of packet data. Here,
packet-size--Valid range is from 16 to 2048 bytes.

Step 4
Command or Action: debug platform condition interface {intf-name | cpp} {mac | ipv4 | match} {both | ingress | egress}
Example:
Enables conditional debugging for TenGigabitEthernet 0/0/0 and matches packets whose source and destination MAC is 0001.0001.0001:
Device# debug platform condition interface TenGigabitEthernet 0/0/0 mac 0001.0001.0001 both
Purpose: Enables conditional debugging for an interface, MAC, or IP filter. An interface refers to any physical port, port channel, internal VLAN, SVI, or wireless client.

Step 5
Command or Action: debug platform condition start
Example:
Device# debug platform condition start
Purpose: Starts conditional debugging packet tracing.

Step 6
Command or Action: debug platform condition stop
Example:
Device# debug platform condition stop
Purpose: Stops conditional debugging packet tracing.

Step 7
Command or Action: show platform hardware chassis active qfp feature packet-trace packet all | redirect bootflash:packet_trace.txt
Example:
Device# show platform hardware chassis active qfp feature packet-trace packet all | redirect bootflash:packet_trace.txt
Purpose: Redirects all traced packets to bootflash. To convert packet_trace.txt to pcap and download the pcap files, use the following link: http://wwwin-dharton-dev.cisco.com/pactrac2pcap.html

Configuring Conditional Debugging Packet Tracing per AP

Procedure

Step 1
Command or Action: enable
Example:
Device> enable
Purpose: Enables privileged EXEC mode. Enter your password, if prompted.

Step 2
Command or Action: debug platform condition interface {intf-name | cpp} {mac [mac-address | access-list acl-name] | ipv4 | match} {both | ingress | egress}
Example:
Device# debug platform condition interface TenGigabitEthernet 0/0/0 mac 0001.0001.0001 both
Device# debug platform condition interface TenGigabitEthernet 0/0/0 mac access-list mac-acl-name both
Purpose: Enables conditional debugging with a MAC filter. Here, the CLI matches the packets whose source or destination MAC address is 0001.0001.0001.

Step 3
Command or Action: debug platform condition interface TenGigabitEthernet intf-number match mac {H.H.H | any | host} {both | ingress | egress}
Example:
Device# debug platform condition interface TenGigabitEthernet 0/0/0 match mac 0001.0001.0001 both
Purpose: Enables conditional debugging with an inline MAC ACL.

Step 4
Command or Action: debug platform condition interface TenGigabitEthernet intf-number ipv4 {A.B.C.D/nn | access-list acl-name | both | egress | ingress} {both | egress | ingress}
Example:
Device# debug platform condition interface TenGigabitEthernet 0/0/0 ipv4 192.168.1.2/32 both
Device# debug platform condition interface TenGigabitEthernet 0/0/0 ipv4 access-list ip-acl-name both
Device# debug platform condition interface TenGigabitEthernet 0/0/0 match ipv4 192.168.1.2/32 both
Purpose: Enables conditional debugging with an IP filter. Here,
intf-number--Is the GigabitEthernet interface number. Valid range is from 1 to 32.

Configuring Conditional Debugging Packet Tracing per Client (GUI)
Procedure

Step 1  Choose Troubleshooting > Radioactive Trace.
Step 2  Click Add.
Step 3  In the Add MAC/IP Address window, enter the MAC/IP Address.
Step 4  Click Apply to Device.

Configuring Conditional Debugging Packet Tracing per Client

Procedure

Step 1
Command or Action: enable
Example:
Device> enable
Purpose: Enables privileged EXEC mode. Enter your password, if prompted.

Step 2
Command or Action: debug platform condition interface {intf-name | cpp cpp-handle-index} {mac | ipv4 | match [ipv4 | ipv6 | mac]} {both | ingress | egress}
Example:
Device# debug platform condition interface cpp 0xa0000001 match ipv4 protocol icmp host 192.168.1.100 host 192.168.1.1 both
Purpose: Enables conditional debugging for a wireless client interface. Here,
cpp-handle-index--Valid range is from 1 to 4294967295.

Verifying Conditional Debugging Packet Tracing Configuration
To view the summary of the traced packets, use the following command:
Device# show platform packet-trace summary
To view a specific traced packet, use the following command:
Device# show platform packet-trace packet packet-number
To view the wireless client interface handle, use the following command:
Device# show platform hardware chassis active qfp feature wireless wlclient cpp-client mac-address client-mac details

Device# show platform hardware chassis active qfp feature wireless wlclient cpp-client mac-address 8825.93b0.b51f details
Client Details for client cpp_if_handle: 0x34
Name             : WLCLIENT-IF-0x00a0000001
Mac Addr         : 8825.93b0.b51f
pal_if_handle    : 0xa0000001
Mobility State   : LOCAL
Multicast Action : FORWARD
Auth State       : RUN

CHAPTER 77

Aggressive Client Load Balancing

· Information About Aggressive Client Load Balancing, on page 651
· Enabling Aggressive Client Load Balancing (GUI), on page 652
· Configuring Aggressive Client Load Balancing (GUI), on page 652
· Configuring Aggressive Client Load Balancing (CLI), on page 653
Information About Aggressive Client Load Balancing
The Aggressive Client Load Balancing feature allows lightweight access points to load balance wireless clients across access points. When a wireless client attempts to associate to a lightweight access point, the associated response packets are sent to a client with an 802.11 response packet including status code 17. This code 17 indicates that the corresponding AP is busy. The AP does not respond with the response 'success' if the AP threshold is not met, and with code 17 (AP busy) if the AP utilization threshold is exceeded, and another less busy AP hears the client request. For example, if the number of clients on AP1 is more than the number of clients on AP2 and the load-balancing window, then AP1 is considered to be busier than AP2. When a client attempts to associate to AP1, the client receives an 802.11 response packet with status code 17, indicating that the access point is busy, and the client attempts to associate to a different access point. You can configure the controller to deny client associations up to 10 times (if a client attempts to associate 11 times, it will be allowed to associate on the 11th try). You can also enable or disable load balancing on a particular WLAN, which is useful if you want to disable load balancing for a select group of clients, such as time-sensitive voice clients.
Note A voice client does not authenticate when delay is configured to more than 300 ms. To avoid this, configure a central-authentication, local-switching WLAN with Cisco Centralized Key Management (CCKM), configure a pagent router between an AP and WLC with a delay of 600 ms (300 ms UP and 300 ms DOWN), and try associating the voice client.
Note For a FlexConnect AP, the association is locally handled. The load-balancing decisions are taken at the controller. A FlexConnect AP sends an initial response to the client before knowing the result of the calculations in the controller. Load-balancing does not take effect when the FlexConnect AP is in standalone mode.
A FlexConnect AP does not send a (re)association response with status 17 for load balancing the way local-mode APs do; instead, it first sends a (re)association response with status 0 (success) and then a deauthentication with reason 5.

Note This feature is not supported on the APs joined on default-site-tag. This feature is not supported on the APs across different named site-tags. This feature is supported only on the APs within a named-site-tag.
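The busy-AP comparison and the denial count described above, as an added simulation that is not Cisco code: the AP names, client counts, class and function names are constructed, and the only inputs are the window, the denial count and each AP's client count.

```python
"""Simulation of the aggressive client load-balancing decision described above.

Added example, not Cisco code: the AP names, client counts, class and function
names are constructed for illustration. Status code 17 is the 802.11 "AP busy"
association status the text refers to.
"""
from dataclasses import dataclass, field

STATUS_SUCCESS = 0       # 802.11 association status: success
STATUS_AP_BUSY = 17      # 802.11 association status: AP is busy (load balanced)
MAX_DENIAL_COUNT = 10    # the controller can deny an association at most 10 times


@dataclass
class AccessPoint:
    name: str
    clients: int          # number of associated clients


@dataclass
class LoadBalancer:
    window: int           # aggressive load balancing window (clients)
    denial_count: int     # aggressive load balancing denial count
    wlan_load_balance: bool = True   # 'load-balance' configured under the WLAN
    denials: dict = field(default_factory=dict)   # client MAC -> denials so far

    def __post_init__(self):
        if not 1 <= self.denial_count <= MAX_DENIAL_COUNT:
            raise ValueError(f"denial count must be 1..{MAX_DENIAL_COUNT}")
        if self.window < 0:
            raise ValueError("window must be non-negative")

    def is_busier(self, ap: AccessPoint, other: AccessPoint) -> bool:
        """ap is busier than other when its client count exceeds other's
        client count plus the load-balancing window."""
        return ap.clients > other.clients + self.window

    def association_status(self, client_mac: str, target: AccessPoint,
                           heard_by: list) -> int:
        """Status code `target` returns to `client_mac` for one attempt.
        `heard_by` lists the other APs that also heard the client's request."""
        if not self.wlan_load_balance:
            return STATUS_SUCCESS
        # Code 17 is used only when a less busy AP also heard the client.
        if not any(self.is_busier(target, other) for other in heard_by):
            return STATUS_SUCCESS
        denied = self.denials.get(client_mac, 0)
        if denied >= self.denial_count:
            return STATUS_SUCCESS    # denied enough times; allow the association
        self.denials[client_mac] = denied + 1
        return STATUS_AP_BUSY


def simulate_attempts(lb: LoadBalancer, client_mac: str, target: AccessPoint,
                      heard_by: list, attempts: int) -> list:
    """Status codes returned for `attempts` consecutive association attempts."""
    return [lb.association_status(client_mac, target, heard_by)
            for _ in range(attempts)]


if __name__ == "__main__":
    ap1, ap2 = AccessPoint("AP1", 20), AccessPoint("AP2", 10)
    lb = LoadBalancer(window=5, denial_count=3)
    print(simulate_attempts(lb, "aaaa.bbbb.cccc", ap1, [ap2], 4))  # [17, 17, 17, 0]
```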

Enabling Aggressive Client Load Balancing (GUI)
Procedure

Step 1 Choose Configuration > Wireless > WLANs > Wireless Networks.
Step 2 Select a WLAN to view the Edit WLAN window.
Step 3 Click the Advanced tab.
Step 4 Select the Load Balance check box to enable the feature.
Step 5 Click Update & Apply to Device.

Configuring Aggressive Client Load Balancing (GUI)
Procedure

Step 1 Choose Configuration > Wireless > Advanced. The Load Balancing window is displayed.
Step 2 In the Aggressive Load Balancing Window (clients) field, enter the number of clients for the aggressive load balancing client window.
Step 3 In the Aggressive Load Balancing Denial Count field, enter the load balancing denial count.
Step 4 Click Apply.

Configuring Aggressive Client Load Balancing (CLI)

Procedure

Step 1: enable
Example:
Device# enable
Purpose: Enters privileged EXEC mode.

Step 2: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 3: wlan wlan-name
Example:
Device(config)# wlan test-wlan
Purpose: Specifies the WLAN name.

Step 4: shutdown
Example:
Device(config-wlan)# shutdown
Purpose: Disables the WLAN.

Step 5: load-balance
Example:
Device(config-wlan)# load-balance
Purpose: Enables client load balancing on this WLAN. Configure the WLAN security settings as per the WLAN requirements.

Step 6: no shutdown
Example:
Device(config-wlan)# no shutdown
Purpose: Enables the WLAN.

Step 7: end
Example:
Device(config-wlan)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit configuration mode.

Step 8: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 9: ap dot11 {24ghz | 5ghz} load-balancing denial count
Example:
Device(config)# ap dot11 5ghz load-balancing denial 10
Purpose: Configures the load balancing denial count.

Step 10: ap dot11 {24ghz | 5ghz} load-balancing window clients
Example:
Device(config)# ap dot11 5ghz load-balancing window 10
Purpose: Configures the number of clients for the aggressive load balancing client window.

Step 11: end
Example:
Device(config)# end
Purpose: Returns to privileged EXEC mode.

Step 12: show running-config | section wlan-name
Example:
Device# show running-config | section test-wlan
Purpose: Displays a filtered section of the current configuration.


CHAPTER 78

Accounting Identity List

· Configuring Accounting Identity List (GUI), on page 655
· Configuring Accounting Identity List (CLI), on page 655
· Configuring Client Accounting (GUI), on page 656
· Configuring Client Accounting (CLI), on page 656
Configuring Accounting Identity List (GUI)
Procedure

Step 1 Choose Configuration > Security > AAA.
Step 2 In the AAA Method List tab, go to the Accounting section, and click Add.
Step 3 In the Quick Setup: AAA Accounting window that is displayed, enter a name for your method list.
Step 4 Choose the type of authentication as identity, in the Type drop-down list.
Step 5 Choose the server groups you want to use to authenticate access to your network from the Available Server Groups list and click the > icon to move them to the Assigned Server Groups list.
Step 6 Click Save & Apply to Device.

Configuring Accounting Identity List (CLI)
Accounting is the process of logging user actions and keeping track of their network usage. Whenever a user successfully executes an action, the RADIUS accounting server logs the changed attributes, the user ID of the person who made the change, the remote host where the user is logged in, the date and time when the command was executed, the authorization level of the user, and a description of the action performed and the values provided. Follow the procedure given below to configure an accounting identity list.
Before you begin

Configure the RADIUS server and AAA group server.

Procedure

Step 1: aaa accounting identity named-list start-stop group server-group-name
Example:
Device(config)# aaa accounting identity user1 start-stop group aaa-test
Purpose: Enables accounting to send a start-record accounting notice when a client is authorized and a stop-record at the end.
Note: You can also use the default list, instead of a named list.

Whenever there is a change in the client attribute, for example, change in IP address, client roaming, and so on, an accounting interim update is sent to the RADIUS server.

Configuring Client Accounting (GUI)
Procedure

Step 1 Choose Configuration > Tags & Profiles > Policy.
Step 2 Click the Policy Profile Name and in the Edit Policy Profile window, go to the Advanced tab.
Step 3 From the Accounting List drop-down, select the appropriate accounting list for this policy profile. This ensures that the policy profile undergoes the type of accounting you want to perform before allowing it access to the network.
Step 4 Click Save & Apply to Device.

Configuring Client Accounting (CLI)
Follow the procedure given below to configure client accounting.

Before you begin

Ensure that RADIUS accounting is configured.

Procedure

Step 1: wireless profile policy profile-policy
Example:
Device(config)# wireless profile policy default-policy-profile
Purpose: Configures a WLAN policy profile and enters wireless policy configuration mode.

Step 2: shutdown
Example:
Device(config-wireless-policy)# shutdown
Purpose: Disables the policy profile.

Step 3: accounting-list list-name
Example:
Device(config-wireless-policy)# accounting-list user1
Purpose: Sets the accounting list.

Step 4: no shutdown
Example:
Device(config-wireless-policy)# no shutdown
Purpose: Enables the policy profile.


CHAPTER 79

Support for Accounting Session ID

· Information About Accounting Session ID, on page 659
· Configuring an Accounting Session ID (CLI), on page 659
· Verifying an Account Session ID, on page 660
Information About Accounting Session ID
Accounting ID is a unique identifier for a wireless client session. This ID helps to identify the accounting data of a client in the AAA server. Accounting session ID is generated by the AAA module.
From Cisco IOS XE Bengaluru, Release 17.4.1 onwards, the Accounting Session ID is supported in the AAA access request while authenticating a wireless client using the IEEE 802.1x method. In Cisco IOS XE Amsterdam, Release 17.3.x and earlier releases, the Accounting Session ID was sent only as part of the accounting request. From Cisco IOS XE Bengaluru, Release 17.4.1 onwards, the Accounting Session ID is sent as part of the access request too.

Configuring an Accounting Session ID (CLI)

Procedure

Step 1: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: radius-server attribute wireless 44 include-in-access-req
Example:
Device(config)# radius-server attribute wireless 44 include-in-access-req
Purpose: Sends the RADIUS authentication attribute 44 in the access request packet.

Step 3: aaa accounting identity accounting-list-name start-stop group server-group-name
Example:
Device(config)# aaa accounting identity accounting-list-name start-stop group AAA_GROUP_1
Purpose: Configures the accounting session identity of the AAA server.

Step 4: wireless profile policy profile-policy
Example:
Device(config)# wireless profile policy default-policy-profile
Purpose: Configures the WLAN policy profile.

Step 5: accounting-list accounting-list-name
Example:
Device(config-wireless-policy)# accounting-list accounting-list-name
Purpose: Configures the accounting list.
Note: The Accounting Session ID is added as part of the access request only if radius-server attribute wireless 44 include-in-access-req is enabled along with the accounting configuration under the wireless policy.

Step 6: description description-name
Example:
Device(config-wireless-policy)# description accounting-description
Purpose: Adds a description for the policy profile.

Step 7: vlan vlan-id
Example:
Device(config-wireless-policy)# vlan 40
Purpose: Configures the VLAN name or ID.

Step 8: no shutdown
Example:
Device(config-wireless-policy)# no shutdown
Purpose: Enables the policy profile.

Verifying an Account Session ID

To verify if an Account Session ID is populated, use the following command:

Device# show wireless pmk-cache

Number of PMK caches in total : 1
Type  Station  Entry Lifetime  Accounting-Session-Id  Audit-Session-Id  VLAN Override  Username  IP Override
-------------------------------------------------------------------------------------------------------------------------------------------------------------------
RSN   6c19.c0e6.a444  1768  NA  0x00000006  052DA8C1000000104E634C77  cwa-user


To display the current Accounting Session ID, use the following command:

Device# show wireless client mac-address <H.H.H> detail

Central NAT : DISABLED
Session Manager:
  Point of Attachment : capwap_90000005
  IIF ID : 0x90000005
  Authorized : TRUE
  Session timeout : 1800
  Common Session ID: 000000000000000B14E9130A
  Acct Session ID : 0x0000000c
  Last Tried Aaa Server Details:
    Server IP : 9.10.8.247
  Auth Method Status List
    Method : Dot1x
      SM State : AUTHENTICATED
      SM Bend State : IDLE
  Local Policies:
    Service Template : wlan_svc_default-policy-profile (priority 254)
      VLAN : 1
  Server Policies:
    Absolute-Timer : 1800
  Resultant Policies:
    VLAN Name : default
    VLAN : 1
    Absolute-Timer : 1800
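The verification above can be scripted: the added example below (not Cisco code) parses constructed excerpts modelled on the client detail output and the running configuration, checks that the Acct Session ID is populated, and applies the Note from the procedure (attribute 44 plus an accounting list under the policy profile). The excerpts, server address and function names are this example's own.

```python
"""Checks for the Accounting Session ID verification described above.

Added example, not Cisco code: the show output and running-config excerpts are
constructed from the field names in the guide; the function names are this
example's own.
"""
import re

# Constructed excerpt modelled on 'show wireless client mac-address <H.H.H> detail'
SAMPLE_CLIENT_DETAIL = """\
Session Manager:
  Point of Attachment : capwap_90000005
  IIF ID              : 0x90000005
  Authorized          : TRUE
  Session timeout     : 1800
  Common Session ID   : 000000000000000B14E9130A
  Acct Session ID     : 0x0000000c
  Last Tried Aaa Server Details:
    Server IP : 192.0.2.10
"""

# Constructed running-config excerpt with the commands from the procedure above
SAMPLE_RUNNING_CONFIG = """\
radius-server attribute wireless 44 include-in-access-req
aaa accounting identity acct-list-1 start-stop group AAA_GROUP_1
wireless profile policy default-policy-profile
 accounting-list acct-list-1
 vlan 40
 no shutdown
wireless profile policy guest-policy
 vlan 50
 no shutdown
"""

SESSION_FIELD = re.compile(r"^\s*(Common Session ID|Acct Session ID)\s*:\s*(\S+)\s*$")
ATTR44_CMD = "radius-server attribute wireless 44 include-in-access-req"


def parse_session_ids(show_output: str) -> dict:
    """Extract the session identifiers from client detail output."""
    fields = {}
    for line in show_output.splitlines():
        m = SESSION_FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def acct_session_id_populated(show_output: str) -> bool:
    """True when 'Acct Session ID' is present and is a non-zero hex value."""
    raw = parse_session_ids(show_output).get("Acct Session ID")
    if raw is None:
        return False
    try:
        return int(raw, 16) != 0
    except ValueError:
        return False


def policy_accounting_list(config: str, profile: str):
    """Accounting list configured under 'wireless profile policy <profile>',
    or None. Sub-mode commands are the indented lines after the profile line."""
    in_profile = False
    for line in config.splitlines():
        if not line.startswith(" "):            # a new top-level command
            in_profile = line.strip() == f"wireless profile policy {profile}"
            continue
        if in_profile:
            m = re.match(r"\s+accounting-list\s+(\S+)", line)
            if m:
                return m.group(1)
    return None


def session_id_in_access_request(config: str, profile: str) -> bool:
    """Per the Note above, attribute 44 is sent in the access request only when
    the include-in-access-req command and an accounting list under the policy
    profile are both configured."""
    has_attr44 = any(l.strip() == ATTR44_CMD for l in config.splitlines())
    return has_attr44 and policy_accounting_list(config, profile) is not None
```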


CHAPTER 80
Wireless Multicast
· Information About Wireless Multicast, on page 663
· Prerequisites for Configuring Wireless Multicast, on page 666
· Restrictions on Configuring Wireless Multicast, on page 667
· Configuring Wireless Multicast, on page 667
· IPv6 Multicast-over-Multicast, on page 670
· Directed Multicast Service, on page 672
· Wireless Broadcast, Non-IP Multicast and Multicast VLAN, on page 674
· Multicast Filtering, on page 680
Information About Wireless Multicast
If the network supports packet multicasting, the multicast method that the controller uses can be configured. The controller performs multicast routing in two modes:
· Unicast mode: The controller unicasts every multicast packet to every access point associated to the controller. This mode is inefficient and generates a lot of extra traffic in the device and the network, but is required on networks that do not support multicast routing (needed if the APs are on different subnets than the device's wireless management interface).
· Multicast mode: The controller sends multicast packets to a CAPWAP multicast group. This method reduces the overhead on the controller processor and shifts the work of packet replication to the network, which is much more efficient than the unicast method.
FlexConnect mode has two submodes: local switching and central switching. In local switching mode, the data traffic is switched at the AP level and the controller does not see any multicast traffic. In central switching mode, the multicast traffic reaches the controller; however, IGMP snooping takes place at the AP.
When multicast mode is enabled and the controller receives a multicast packet from the wired LAN, the controller encapsulates the packet using CAPWAP and forwards the packet to the CAPWAP multicast group address. The controller always uses the management VLAN for sending multicast packets. Access points in the multicast group receive the packet and forward it to all the BSSIDs mapped to the VLAN on which clients receive multicast traffic.
The controller supports all the capabilities of IGMP v1, including Multicast Listener Discovery (MLD) v1 snooping, but the IGMP v2 and IGMP v3 capabilities are limited. This feature keeps track of and delivers IPv6 multicast flows to the clients that request them. To support IPv6 multicast, global multicast mode must be enabled.
Internet Group Management Protocol (IGMP) snooping is introduced to better direct multicast packets. When this feature is enabled, the controller snooping gathers IGMP reports from the clients, processes them, creates unique multicast group IDs (MGIDs) based on the Layer 3 multicast address and the VLAN number, and sends the IGMP reports to the IGMP querier. The controller then updates the access-point MGID table on the corresponding access point with the client MAC address. When the controller receives multicast traffic for a particular multicast group, it forwards it to all the access points, but only those access points that have active clients listening or subscribed to that multicast group send multicast traffic on that particular WLAN. IP packets are forwarded with an MGID that is unique for an ingress VLAN and the destination multicast group. Layer 2 multicast packets are forwarded with an MGID that is unique for the ingress VLAN.
MGID is a 14-bit value filled in the 16-bit reserved field of wireless information in the CAPWAP header. The remaining two bits should be set to zero.
Multicast Optimization
Multicast optimization enables you to create a multicast VLAN that can be used for multicast traffic. One of the VLANs in the device can be configured as a multicast VLAN where multicast groups are registered. The clients are allowed to listen to a multicast stream on the multicast VLAN. The MGID is generated using the multicast VLAN and multicast IP addresses. If multiple clients on different VLANs of the same WLAN are listening to a single multicast IP address, a single MGID is generated. The device makes sure that all the multicast streams from the clients on this VLAN group always go out on the multicast VLAN, so that the upstream router has one entry for all the VLANs of the VLAN group. Only one multicast stream hits the VLAN group even if the clients are on different VLANs. Therefore, the multicast packets that are sent out over the network form just one stream.
Note When VLAN groups are defined and use multicast communication, you need to enable the multicast VLAN.
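An added model (not Cisco code) of the MGID rules stated in the IGMP snooping and Multicast Optimization passages above: one MGID per (ingress VLAN, group) for Layer 3 multicast, one per ingress VLAN for Layer 2 multicast, a shared MGID across the VLANs of a VLAN group when a multicast VLAN is configured, and the 14-bit MGID in the 16-bit CAPWAP field with the two high bits zero. The VLAN IDs, group addresses, class names and the sequential numbering are constructed; the controller's actual MGID numbering is not given on the page.

```python
"""MGID allocation and CAPWAP encoding as described above.

Added example, not Cisco code: the VLAN IDs, group addresses and class/function
names are constructed; the real controller's MGID numbering is not specified on
the page, so this allocator simply hands out the next free value.
"""
import ipaddress

MGID_BITS = 14
MGID_MAX = (1 << MGID_BITS) - 1      # 14-bit MGID carried in a 16-bit field


class MgidTable:
    """Maps (ingress VLAN, group) or (ingress VLAN) keys to MGIDs and tracks
    which client MACs subscribed, as IGMP snooping does on the controller."""

    def __init__(self, multicast_vlan=None, vlan_group=()):
        # Multicast optimization: streams for VLANs in vlan_group are keyed on
        # the multicast VLAN instead, so those VLANs share one MGID per group.
        self.multicast_vlan = multicast_vlan
        self.vlan_group = frozenset(vlan_group)
        self._mgid_by_key = {}
        self.members = {}                 # mgid -> set of client MACs
        self._next_free = 1

    def _effective_vlan(self, vlan):
        if self.multicast_vlan is not None and vlan in self.vlan_group:
            return self.multicast_vlan
        return vlan

    def key_for(self, ingress_vlan, group=None):
        """Layer 3 multicast: unique per (VLAN, group).
        Layer 2 multicast (group=None): unique per ingress VLAN only."""
        if group is None:
            return (ingress_vlan, None)
        addr = ipaddress.ip_address(group)
        if not addr.is_multicast:
            raise ValueError(f"{group} is not a multicast address")
        return (self._effective_vlan(ingress_vlan), str(addr))

    def _allocate(self, key):
        mgid = self._mgid_by_key.get(key)
        if mgid is None:
            if self._next_free > MGID_MAX:
                raise RuntimeError("MGID space exhausted")
            mgid = self._next_free
            self._next_free += 1
            self._mgid_by_key[key] = mgid
            self.members[mgid] = set()
        return mgid

    def igmp_report(self, client_mac, ingress_vlan, group):
        """Process a client's IGMP/MLD report; returns the MGID that the AP's
        MGID table is updated with for this client."""
        mgid = self._allocate(self.key_for(ingress_vlan, group))
        self.members[mgid].add(client_mac)
        return mgid

    def l2_mgid(self, ingress_vlan):
        """MGID used for Layer 2 multicast packets from this ingress VLAN."""
        return self._allocate(self.key_for(ingress_vlan))


def encode_capwap_mgid(mgid: int) -> bytes:
    """Place the 14-bit MGID in the 16-bit reserved field (big-endian);
    the two high bits stay zero."""
    if not 0 <= mgid <= MGID_MAX:
        raise ValueError("MGID must fit in 14 bits")
    return mgid.to_bytes(2, "big")


def decode_capwap_mgid(field: bytes) -> int:
    """Inverse of encode; rejects a field whose two reserved bits are set."""
    value = int.from_bytes(field, "big")
    if value >> MGID_BITS:
        raise ValueError("reserved bits in the MGID field must be zero")
    return value
```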
IPv6 Global Policies
IPv6 global policies provide storage and access policy database services. IPv6 ND inspection and IPv6 RA guard are IPv6 global policies features. Every time an ND inspection is configured globally, the policy attributes are stored in the software policy database. The policy is then applied to an interface, and the software policy database entry is updated to include this interface to which the policy is applied.
IPv6 RA guard is enabled by default on the controller. RA from the wired side should be forwarded to the wireless clients if the Stateless Address Auto-Configuration (SLAAC) is deployed in the network.
Information About IPv6 Snooping
The following sections provide information about IPv6 snooping.
IPv6 Neighbor Discovery Inspection
The IPv6 Neighbor Discovery Inspection, or IPv6 snooping feature bundles several Layer 2 IPv6 first-hop security features, including IPv6 Address Glean and IPv6 Device Tracking. IPv6 neighbor discovery (ND) inspection operates at Layer 2, or between Layer 2 and Layer 3, and provides IPv6 features with security and scalability. This feature mitigates some of the inherent vulnerabilities for the neighbor discovery mechanism, such as attacks on duplicate address detection (DAD), address resolution, device discovery, and the neighbor cache.
IPv6 ND inspection learns and secures bindings for stateless autoconfiguration addresses in Layer 2 neighbor tables and analyzes ND messages in order to build a trusted binding table. IPv6 ND messages that do not have valid bindings are dropped. An ND message is considered trustworthy if its IPv6-to-MAC mapping is verifiable. This feature mitigates some of the inherent vulnerabilities for the neighbor discovery mechanism, such as attacks on duplicate address detection (DAD), address resolution, device discovery, and the neighbor cache.
When IPv6 ND inspection is configured on a target (which varies depending on platform target support and may include device ports, switch ports, Layer 2 interfaces, Layer 3 interfaces, and VLANs), capture instructions are downloaded to the hardware to redirect the ND protocol and Dynamic Host Configuration Protocol (DHCP) for IPv6 traffic up to the switch integrated security features (SISF) infrastructure in the routing device. For ND traffic, messages such as NS, NA, RS, RA, and REDIRECT are directed to SISF. For DHCP, UDP messages sourced from port 546 or 547 are redirected.
IPv6 ND inspection registers its "capture rules" to the classifier, which aggregates all rules from all features on a given target and installs the corresponding ACL down into the platform-dependent modules. Upon receiving redirected traffic, the classifier calls all entry points from any registered feature (for the target on which the traffic is being received), including the IPv6 ND inspection entry point. This entry point is the last to be called, so any decision (such as drop) made by another feature supersedes the IPv6 ND inspection decision.
IPv6 Device Tracking
IPv6 device tracking provides IPv6 host liveness tracking so that a neighbor table can be immediately updated when an IPv6 host disappears.
IPv6 First-Hop Security Binding Table
The IPv6 First-Hop Security Binding Table recovery mechanism feature enables the binding table to recover in the event of a device reboot. A database table of IPv6 neighbors connected to the device is created from information sources such as ND snooping. This database, or binding, table is used by various IPv6 guard features to validate the link-layer address (LLA), the IPv4 or IPv6 address, and prefix binding of the neighbors to prevent spoofing and redirect attacks.
This mechanism enables the binding table to recover in the event of a device reboot. The recovery mechanism will block any data traffic sourced from an unknown source; that is, a source not already specified in the binding table and previously learned through ND or DHCP gleaning. This feature recovers the missing binding table entries when the resolution for a destination address fails in the destination guard. When a failure occurs, a binding table entry is recovered by querying the DHCP server or the destination host, depending on the configuration.
Recovery Protocols and Prefix Lists
The IPv6 First-Hop Security Binding Table Recovery Mechanism feature introduces the capability to provide a prefix list that is matched before the recovery is attempted for both DHCP and NDP.
If an address does not match the prefix list associated with the protocol, then the recovery of the binding table entry will not be attempted with that protocol. The prefix list should correspond to the prefixes that are valid for address assignment in the Layer 2 domain using the protocol. The default is that there is no prefix list, in which case the recovery is attempted for all addresses. The command to associate a prefix list to a protocol is protocol {dhcp | ndp} [prefix-list prefix-list-name].
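The recovery rule just stated, as an added decision model that is not Cisco code: a prefix list per protocol, no prefix list meaning recovery for all addresses, and recovery attempted with a protocol only when the address matches that protocol's list. The prefixes, addresses and class names are constructed; the page gives the rule, not the controller's implementation.

```python
"""Binding-table recovery decision with per-protocol prefix lists, as described
above. Added example, not Cisco code: prefixes, addresses and names are
constructed; the page gives only the rule, not the controller's implementation.
"""
import ipaddress


class RecoveryPolicy:
    """Mirrors 'protocol {dhcp | ndp} [prefix-list name]': one optional prefix
    list per protocol. With no prefix list (the default), recovery is attempted
    for all addresses with that protocol."""

    PROTOCOLS = ("dhcp", "ndp")

    def __init__(self):
        self._prefixes = {p: None for p in self.PROTOCOLS}

    def protocol(self, proto: str, prefix_list=None):
        """Associate a prefix list (a list of prefix strings) with a protocol;
        calling without a list removes any list for that protocol."""
        if proto not in self.PROTOCOLS:
            raise ValueError(f"unknown protocol {proto}")
        self._prefixes[proto] = (
            None if prefix_list is None
            else [ipaddress.ip_network(p, strict=True) for p in prefix_list])

    def should_attempt(self, proto: str, address: str) -> bool:
        """Recovery is attempted with proto only if the address matches the
        protocol's prefix list, or the protocol has no prefix list."""
        prefixes = self._prefixes[proto]
        if prefixes is None:
            return True
        addr = ipaddress.ip_address(address)
        return any(addr in net for net in prefixes)

    def recovery_protocols(self, address: str) -> list:
        """Protocols the recovery mechanism will query for this address."""
        return [p for p in self.PROTOCOLS if self.should_attempt(p, address)]
```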

IPv6 Address Glean

IPv6 address glean is the foundation for many other IPv6 features that depend on an accurate binding table. It inspects ND and DHCP messages on a link to glean addresses, and then populates the binding table with these addresses. This feature also enforces address ownership and limits the number of addresses any given node is allowed to claim.
The following figure shows how IPv6 address glean works.
Figure 15: IPv6 Address Glean

Prerequisites for Configuring Wireless Multicast
· To participate in IP multicasting, the multicast hosts, routers, and multilayer switches must have IGMP operating.
· When enabling multicast mode on the controller, a CAPWAP multicast group address should also be configured. Access points listen to the CAPWAP multicast group using IGMP.
· You must be cautious when using IGMPv3 with switches that are enabled for IGMP snooping. The IGMPv3 messages are different from the messages used in IGMP Version 1 (IGMPv1) and Version 2 (IGMPv2). If your switch does not recognize IGMPv3 messages, the hosts do not receive traffic when IGMPv3 is used.
IGMPv3 devices do not receive multicast traffic in either of these cases:
· When IGMP snooping is disabled.
· When IGMPv2 is configured on the interface.
It is recommended to enable IGMPv3 on all intermediate or other Layer 3 network devices. Primarily, on each subnet used by multicast devices including controller and AP subnets.

Restrictions on Configuring Wireless Multicast
The following are the restrictions for configuring IP multicast forwarding:
· Access points in monitor mode, sniffer mode, or rogue-detector mode do not join the CAPWAP multicast group address.
· The CAPWAP multicast group configured on the controllers should be different for different controllers.
· Multicast routing should not be enabled for the management interface.
· Multicast with VLAN group is only supported in local mode AP.
· Multicast traffic from wireless clients in non-multicast VLAN should be routed by the uplink switch.
· Multicast traffic on an AAA overridden VLAN is not supported.

Restrictions for IPv6 Snooping
The IPv6 snooping feature is not supported on Etherchannel ports.

Configuring Wireless Multicast
The following sections provide information about the various wireless multicast configuration tasks:

Configuring Wireless Multicast-MCMC Mode (CLI)

Procedure

Step 1: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: wireless multicast ip-addr
Example:
Device(config)# wireless multicast 231.1.1.1
Purpose: Enables multicast-over-multicast. Use the no form of this command to disable the feature.

Step 3: end
Example:
Device(config)# end
Purpose: Exits configuration mode.

Configuring Wireless Multicast-MCUC Mode

Note The wireless multicast to unicast (MCUC) mode is only supported in 9800-CL small template.

Procedure

Step 1: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: wireless multicast
Example:
Device(config)# wireless multicast
Purpose: Enables the multicast traffic for wireless clients. By default, the feature is in disabled state. Use the no form of this command to disable the multicast traffic for wireless clients and disable mDNS bridging.

Step 3: end
Example:
Device(config)# end
Purpose: Exits configuration mode.

Configuring Multicast Listener Discovery Snooping (GUI)
Procedure

Step 1 Choose Configuration > Services > Multicast.
Step 2 Click MLD Snooping.
Step 3 In the MLD Snooping section, click the toggle button to enable or disable MLD snooping.
Step 4 Enter the MLD Query Interval, in milliseconds. The value range is between 100 ms and 32767 ms. The default value is 1000 ms.
Step 5 Move the required VLAN IDs listed in the Disabled section to the Enabled section. (By default, this feature is disabled on the VLAN.) You can also search for a VLAN ID using the search field. You can click Disable All to move all the VLAN IDs from the Enabled list to the Disabled list, or click Enable All to move all the VLAN IDs from the Disabled list to the Enabled list.
Step 6 Click Apply to Device.

Configuring IPv6 MLD Snooping

Procedure

Step 1: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: ipv6 mld snooping
Example:
Device(config)# ipv6 mld snooping
Purpose: Enables MLD snooping.

Verifying the Multicast VLAN Configuration

To view the multicast VLAN associated with a policy profile along with the VLAN assigned to that profile, use the following command:

Device# show wireless profile policy detail default-policy-profile

Policy Profile Name : default-policy-profile
Description : default policy profile
Status : ENABLED
VLAN : vlan-pool1
Multicast VLAN : 84
Client count : 0
Passive Client : DISABLED

To view the multicast VLAN associated with a client, use the following command:

Device# show wireless client mac ac2b.6e4b.551e detail

Client MAC Address : ac2b.6e4b.551e
Client IPv4 Address : 84.84.0.20
..........
VLAN : 82
Access VLAN : 82
Multicast VLAN: 84

IPv6 Multicast-over-Multicast
IPv6 multicast allows a host to send a single data stream to a subset of all the hosts (group transmission) simultaneously. When IPv6 Multicast over Multicast is configured, all the APs join the IPv6 multicast address, and the multicast traffic from the wireless controller to the AP flows over the IPv6 multicast tunnel.
In mixed deployments (IPv4 and IPv6), the APs might join the wireless controller over IPv4 or IPv6. To enable Multicast over Multicast in mixed deployments, configure both IPv4 and IPv6 multicast tunnels. The IPv4 APs have a unicast IPv4 CAPWAP tunnel and join the IPv4 multicast group. The IPv6 APs have a unicast IPv6 CAPWAP tunnel and join the IPv6 multicast group.

Note Mixed mode of Multicast over Unicast and Multicast over Multicast over IPv4 and IPv6 is not supported in Cisco IOS XE Gibraltar 16.10.1.

Table 30: Multicast Support Per Platform

Platform                                                           Multicast over Unicast   Multicast over Multicast
Cisco Catalyst 9800-40 Wireless Controller                         No                       Yes
Cisco Catalyst 9800-80 Wireless Controller                         No                       Yes
Cisco Catalyst 9800 Wireless Controller for Cloud Small Template   Yes                      Yes
Cisco Catalyst 9800 Wireless Controller for Cloud Medium Template  No                       Yes
Cisco Catalyst 9800 Wireless Controller for Cloud Large Template   No                       Yes
Cisco Catalyst 9800-L Wireless Controller                          Yes                      Yes

Configuring IPv6 Multicast-over-Multicast (GUI)
Procedure

Step 1 Choose Configuration > Services > Multicast.
Step 2 From the AP Capwap Multicast drop-down list, select Multicast.
Step 3 Enter the AP Capwap IPv6 Multicast group Address.
Step 4 Click Apply.

Configuring IPv6 Multicast-over-Multicast

Procedure

Step 1: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: wireless multicast {ipv4-address | ipv6 ipv6-address}
Example:
Device(config)# wireless multicast ipv6 ff45:1234::86
Purpose: Configures the IPv6 multicast-over-multicast address.

Verifying IPv6 Multicast-over-Multicast
To verify the IPv6 multicast-over-multicast configuration, use the following commands:

Device# show wireless multicast

Multicast : Enabled
AP Capwap Multicast : Multicast
AP Capwap IPv4 Multicast group Address : 231.1.1.1
AP Capwap IPv6 Multicast group Address : ff45:1234::86
Wireless Broadcast : Disabled
Wireless Multicast non-ip-mcast : Disabled

Device# show running-config | inc multicast

wireless multicast
wireless multicast ipv6 ff45:1234::86
wireless multicast 231.1.1.1

Verifying the Multicast Connection Between the Controller and the AP

The Cisco Catalyst 9800 Series Wireless Controller initiates a ping request that passes through the CAPWAP multicast tunnel to the CAPWAP multicast receiver, which is the AP. In response, the AP replies to the ping for the CAPWAP multicast group IP address and sends the response back to the controller. You can view the statistics on the AP for transmitted and received traffic to analyze the data that is sent and received through the multicast tunnel. Alternatively, you can also verify by enhancing the existing statistics on the AP for transmitted and received traffic to explicitly list the joins, leaves, and data packets transmitted and received through the multicast tunnel.
To confirm whether the APs receive multicast-over-multicast (MOM) traffic sent by the controller, use the following command:
Device# show ap multicast mom

AP Name                  MOM-IP TYPE   MOM-STATUS
------------------------------------------------------
SS-E-1                   IPv4          Up
SS-E-2                   IPv4          Up
9130E-r3-sw2-g1012       IPv4          Up
9115i-r3-sw2-te1-0-38    IPv4          Up
AP9120-r3-sw3-Gi1-0-46   IPv4          Up
ap3800i-r2-sw1-te2-0-2   IPv4          Up

Directed Multicast Service
The Directed Multicast Service (DMS) feature allows a client to request access points (AP) to transmit multicast packets as unicast frames. After receiving this request, an AP buffers the multicast traffic for a client and transmits it as a unicast frame when the client wakes up. This allows the client to receive the multicast packets that were ignored while in sleep mode (to save battery power) and also ensures Layer 2 reliability. The unicast frames are transmitted to the client at a potentially higher wireless link rate, which enables the client to receive the packet quickly by enabling the radio for a shorter duration, thus saving more battery power. Without DMS, the client has to wake up at each Delivery Traffic Indication Map (DTIM) interval to receive multicast traffic.
Configuring Directed Multicast Service (GUI)
Procedure

Step 1 Choose Configuration > Wireless > WLANs > Wireless Networks.
Step 2 Select a WLAN to view the Edit WLAN window.
Step 3 Click the Advanced tab.
Step 4 Check the Directed Multicast Service check box to enable the feature.
Step 5 Click Update & Apply to Device.

Configuring Directed Multicast Service
Before you begin
· This feature is enabled on receiving a request from a client. Ensure that this feature is configured under the WLAN.
· This feature is supported only on 802.11v-capable clients, such as Apple iPad and Apple iPhone.

Procedure

Step 1

Command or Action configure terminal Example:
Device# configure terminal

Purpose Enters global configuration mode.


Step 2
Command or Action: wlan profile-name
Example:
Device(config)# wlan test5
Purpose: Configures the WLAN profile and enters WLAN profile configuration mode.

Step 3
Command or Action: shutdown
Example:
Device(config-wlan)# shutdown
Purpose: Disables the WLAN profile.

Step 4
Command or Action: dms
Example:
Device(config-wlan)# dms
Purpose: Configures DMS processing per WLAN.

Step 5
Command or Action: no shutdown
Example:
Device(config-wlan)# no shutdown
Purpose: Enables the WLAN profile.

Verifying the Directed Multicast Service Configuration

To verify the status of the DMS configuration on the controller, use the show commands below. The DMS status is displayed under IEEE 802.11v Parameters.
Device# show wlan id 5

WLAN Profile Name                               : test
================================================
Identifier                                      : 5
Network Name (SSID)                             : test
Status                                          : Disabled
Broadcast SSID                                  : Enabled
Universal AP Admin                              : Disabled
Max Associated Clients per WLAN                 : 0
Max Associated Clients per AP per WLAN          : 0
Max Associated Clients per AP Radio per WLAN    : 200
!
.
.
.
Assisted-Roaming
  Neighbor List                                 : Disabled
  Prediction List                               : Disabled
  Dual Band Support                             : Disabled
! DMS status is displayed below.
IEEE 802.11v parameters
  Directed Multicast Service                    : Enabled
  BSS Max Idle                                  : Disabled
    Protected Mode                              : Disabled
  Traffic Filtering Service                     : Disabled
  BSS Transition                                : Enabled
    Disassociation Imminent                     : Disabled
      Optimised Roaming Timer                   : 40
      Timer                                     : 200
  WNM Sleep Mode                                : Disabled


802.11ac MU-MIMO                                : Disabled
802.11ax parameters
  OFDMA Downlink                                : unknown
  OFDMA Uplink                                  : unknown
  MU-MIMO Downlink                              : unknown
  MU-MIMO Uplink                                : unknown
  BSS Color                                     : unknown
  Partial BSS Color                             : unknown
  BSS Color Code                                :

To verify the status of the DMS configuration on the controller for clients, use the following command:

Device# show wireless client mac-address 6c96.cff2.83a0 detail | inc 11v

11v BSS Transition         : implemented
11v DMS Capable            : Yes
To verify the DMS request and response statistics, use the following command:
Device# show wireless stats client detail | inc DMS

Total DMS requests received in action frame      : 0
Total DMS responses sent in action frame         : 0
Total DMS requests received in Re-assoc Request  : 0
Total DMS responses sent in Re-assoc Response    : 0

To verify the DMS configuration on Cisco Aironet 2700 and 3700 Series APs, use the following command:
AP# show controllers dot11Radio 0/1 | begin Global DMS

Global DMS - requests:0 uc:0 drop:408
DMS enabled on WLAN(s): dms-open
test-open
To verify the DMS configuration on the Cisco Aironet 2800, 3800, and 4800 Series APs, use the following command:
AP# show multicast dms all

vapid  client             dmsid  TClas
0      1C:9E:46:7C:AF:C0  1      mask:0x55, version:4, proto:0x11, dscp:0x0, sport:0,
                                 dport:9, sip:0.0.0.0, dip:224.0.0.251

Wireless Broadcast, Non-IP Multicast and Multicast VLAN

Configuring Non-IP Wireless Multicast (CLI)
Before you begin
· The non-IP multicast feature is disabled globally, by default.
· For non-IP multicast, global wireless multicast must be enabled for traffic to pass.
· This feature is not supported in Fabric or Flex deployments.


Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wireless multicast non-ip
Example:
Device(config)# wireless multicast non-ip
Purpose: Enables non-IP multicast in all the VLANs. By default, the non-IP multicast in all the VLANs is in Disabled state. Wireless multicast must be enabled for the traffic to pass. Use the no form of this command to disable non-IP multicast in all the VLANs.

Step 3
Command or Action: wireless multicast non-ip vlan vlanid
Example:
Device(config)# wireless multicast non-ip vlan 5
Purpose: Enables non-IP multicast per VLAN. By default, non-IP multicast per VLAN is in Disabled state. Both wireless multicast and wireless multicast non-IP must be enabled for traffic to pass. Use the no form of this command to disable non-IP multicast per VLAN.

Step 4
Command or Action: end
Example:
Device(config)# end
Purpose: Exits configuration mode.

Configuring Wireless Broadcast (GUI)
Procedure

Step 1 Choose Configuration > Services > Multicast.
Step 2 In the Multicast page, change the status of the Wireless Broadcast to enabled to broadcast packets for wireless clients. The default value is disabled.
Step 3 From the Disabled VLAN table, click the arrow adjacent to the VLAN ID in the Disabled state to move it to the Enabled state and enable broadcast packets for that VLAN. The default value is disabled.
Step 4 Save the configuration.


Configuring Wireless Broadcast (CLI)
Before you begin
· This feature is applicable only to non-ARP and DHCP broadcast packets.
· This feature is disabled globally, by default.
· This feature is not supported in Fabric or Flex deployments.

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wireless broadcast
Example:
Device(config)# wireless broadcast
Purpose: Enables broadcast packets for wireless clients. By default, broadcast packets for wireless clients are in Disabled state. Enabling wireless broadcast enables broadcast traffic for each VLAN. Use the no form of this command to disable broadcasting packets.

Step 3
Command or Action: wireless broadcast vlan vlanid
Example:
Device(config)# wireless broadcast vlan 3
Purpose: Enables broadcast packets for a single VLAN. By default, the Broadcast Packets for a Single VLAN feature is in Disabled state. Wireless broadcast must be enabled for broadcasting. Use the no form of this command to disable broadcast traffic for each VLAN.

Step 4
Command or Action: end
Example:
Device(config)# end
Purpose: Exits configuration mode.

Configuring Multicast-over-Multicast for AP Multicast Groups (CLI)

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: ap capwap multicast IP address
Example:
Device(config)# ap capwap multicast 239.4.4.4
Purpose: Configures an all-AP multicast group to send a single packet to all the APs.

Step 3
Command or Action: wireless multicast IP address
Example:
Device(config)# wireless multicast 239.4.4.4
Purpose: Enables Multicast-over-Multicast for multicasting client multicast group traffic to all the APs through the underlying all-AP multicast group. IP address--Multicast-over-multicast IP address.

Step 4
Command or Action: end
Example:
Device(config)# end
Purpose: Exits configuration mode.

Verifying Wireless Multicast

Table 31: Commands for Verifying Wireless Multicast

Command: show wireless multicast
Description: Displays the multicast status and IP multicast mode, and each VLAN's broadcast and non-IP multicast status. Also displays the Multicast Domain Name System (mDNS) bridging state.

Command: show wireless multicast group summary
Description: Displays all (Group and VLAN) lists and the corresponding MGID values.

Command: show wireless multicast [source source] group group vlan vlanid
Description: Displays details of the specified (S,G,V) and shows all the clients associated with it and their MC2UC status.

Command: show ip igmp snooping wireless mcast-ipc-count
Description: Displays the number of multicast IPCs per MGID sent to the wireless controller module.

Command: show ip igmp snooping wireless mgid
Description: Displays the MGID mappings.

Command: show ip igmp snooping igmpv2-tracking
Description: Displays the client-to-SGV mappings and the SGV-to-client mappings.

Command: show ip igmp snooping querier vlan vlanid
Description: Displays the IGMP querier information for the specified VLAN.

Command: show ip igmp snooping querier detail
Description: Displays the detailed IGMP querier information of all the VLANs.

Command: show ipv6 mld snooping querier vlan vlanid
Description: Displays the MLD querier information for the specified VLAN.

Command: show ipv6 mld snooping wireless mgid
Description: Displays MGIDs for the IPv6 multicast group.


Multicast Optimization
Multicast forwarding was originally keyed on the multicast group address and the VLAN together as one entity, the MGID. With a VLAN group, duplicate packets might increase: every client listens to the multicast stream on a different VLAN, so the device creates a different MGID for each (multicast address, VLAN) pair. Therefore, the upstream router sends a copy for each VLAN, which results in as many copies as the number of VLANs in the group. Because the WLAN is the same for all the clients, multiple copies of the multicast packet are sent over the wireless network. To suppress this duplication of a multicast stream on the wireless medium between the device and the access points, use the multicast optimization feature.
Multicast optimization enables you to create a multicast VLAN that can be used for multicast traffic. One of the VLANs in the device can be configured as a multicast VLAN where multicast groups are registered. The clients are allowed to listen to a multicast stream on the multicast VLAN. The MGID is generated using the multicast VLAN and the multicast IP address. If multiple clients on different VLANs of the same WLAN are listening to a single multicast IP address, a single MGID is generated. The device makes sure that all the multicast streams from the clients on this VLAN group always go out on the multicast VLAN, so that the upstream router has one entry for all the VLANs of the VLAN group. Only one multicast stream hits the VLAN group even if the clients are on different VLANs. Therefore, the multicast packets sent out over the network form just one stream.
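The MGID derivation described above, as an added example that is not part of this guide or of the controller software: a small Python model that builds the (group, VLAN) table once from each client's access VLAN and once from a configured multicast VLAN, and counts the upstream copies each case implies. The client list, MAC addresses and VLAN group membership are constructed.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Tuple


class Client(NamedTuple):
    mac: str     # constructed client MAC address
    vlan: int    # access VLAN the client was placed on from the VLAN group
    group: str   # IPv4 multicast group the client joined via IGMP


def mgid_table(clients: List[Client],
               multicast_vlan: Optional[int] = None) -> Dict[Tuple[str, int], List[str]]:
    """Build the (group, VLAN) -> members table the controller derives MGIDs from.

    Without a multicast VLAN the key uses the client's own access VLAN, so the
    same group joined from N VLANs of the VLAN group yields N MGIDs.  With
    'multicast vlan <id>' in the policy profile every stream is registered on
    that VLAN instead, so the same clients collapse onto one MGID per group.
    """
    table: Dict[Tuple[str, int], List[str]] = defaultdict(list)
    for c in clients:
        key_vlan = c.vlan if multicast_vlan is None else multicast_vlan
        table[(c.group, key_vlan)].append(c.mac)
    return dict(table)


def upstream_copies(table: Dict[Tuple[str, int], List[str]]) -> Dict[str, int]:
    """Copies per group the upstream router must send: one per VLAN holding an MGID for it."""
    copies: Dict[str, int] = defaultdict(int)
    for group, _vlan in table:
        copies[group] += 1
    return dict(copies)


# Constructed scenario: VLAN group vlan-pool1 = {82, 83, 84} on one WLAN,
# three clients on different VLANs watching the same stream, one more on 83.
CLIENTS = [
    Client("0011.2233.4455", 82, "239.1.1.1"),
    Client("0011.2233.4456", 83, "239.1.1.1"),
    Client("0011.2233.4457", 84, "239.1.1.1"),
    Client("0011.2233.4458", 83, "239.2.2.2"),
]

if __name__ == "__main__":
    plain = mgid_table(CLIENTS)                         # 4 MGIDs, 3 copies of 239.1.1.1
    optimised = mgid_table(CLIENTS, multicast_vlan=84)  # 2 MGIDs, 1 copy of each group
    print(len(plain), upstream_copies(plain))
    print(len(optimised), upstream_copies(optimised))
```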
Configuring IP Multicast VLAN for WLAN (GUI)
Procedure

Step 1 Choose Configuration > Tags & Profiles > Policy.
Step 2 Click Add.
Step 3 In the General tab, enter the Name and Description.
Step 4 Enable the Central Switching and Central Association toggle buttons.
Step 5 In the Access Policies tab, under the VLAN settings, choose the VLANs from the VLAN/VLAN Group drop-down list and enter the Multicast VLAN.
Step 6 Click Apply to Device.

Configuring IP Multicast VLAN for WLAN
Before you begin
· This feature is not supported in Fabric or Flex deployments.
· Multicast VLAN is used for both IPv4 and IPv6 multicast forwarding to APs.


Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wireless profile policy profile-policy
Example:
Device(config)# wireless profile policy default-policy-profile
Purpose: Configures the WLAN policy profile and enters wireless policy configuration mode.

Step 3
Command or Action: central association
Example:
Device(config-wireless-policy)# central association
Purpose: Configures central association for locally switched clients.

Step 4
Command or Action: central switching
Example:
Device(config-wireless-policy)# central switching
Purpose: Configures the WLAN for central switching.

Step 5
Command or Action: description policy-profile-name
Example:
Device(config-wireless-policy)# description "test"
Purpose: (Optional) Adds a description for the policy profile.

Step 6
Command or Action: vlan vlan-name
Example:
Device(config-wireless-policy)# vlan 32
Purpose: Assigns the policy profile to the VLAN.

Step 7
Command or Action: multicast vlan vlan-id
Example:
Device(config-wireless-policy)# multicast vlan 84
Purpose: Configures the multicast VLAN.

Step 8
Command or Action: no shutdown
Example:
Device(config-wireless-policy)# no shutdown
Purpose: Enables the policy profile.

Verifying the Multicast VLAN Configuration
To view the multicast VLAN associated with a policy profile along with the VLAN assigned to that profile, use the following command:
Device# show wireless profile policy detail default-policy-profile

Policy Profile Name   : default-policy-profile
Description           : default policy profile
Status                : ENABLED
VLAN                  : vlan-pool1
Multicast VLAN        : 84
Client count          : 0
Passive Client        : DISABLED

To view the multicast VLAN associated with a client, use the following command:
Device# show wireless client mac ac2b.6e4b.551e detail
Client MAC Address : ac2b.6e4b.551e
Client IPv4 Address : 84.84.0.20
..........
VLAN : 82
Access VLAN : 82
Multicast VLAN: 84

Multicast Filtering

Information About Multicast Filtering
In Cisco IOS XE Amsterdam, Release 17.2.1, the Multicast Filtering feature is supported on Layer 3 for IPv4.
You can enable or disable the multicast filtering feature per WLAN from the controller. When you enable this feature, the APs drop the Internet Group Management Protocol (IGMP) join request from a client that is part of the WLAN, for any Layer 3 multicast group address. When you disable this feature, the APs honor the IGMP join request from the client that is part of the WLAN.
In the Cisco IOS XE Amsterdam, Release 17.3.1, the Multicast Filtering feature is supported on Layer 3 for IPv6.
You can enable or disable the Multicast Filtering feature per WLAN, from the controller. The following table shows the AP behaviour with IPv4 and IPv6:
The Multicast Filtering feature is disabled by default.
Table 32: Multicast Filtering per WLAN

Multicast Filtering Feature Status: Enabled
IPv4: AP drops the Internet Group Management Protocol (IGMP) membership report from a client that is a part of a WLAN.
IPv6: AP drops the Multicast Listener Discovery (MLD) report with multicast group address scope value greater than three, from a client that is a part of a WLAN.

Multicast Filtering Feature Status: Disabled
IPv4: AP honors the IGMP membership report from the client that is a part of a WLAN.
IPv6: AP honors the MLD report from the client that is a part of a WLAN.


Supported L3 Multicast Report for Filtering
APs do not honor, and instead drop, IGMP and MLD join requests from a client that is part of the WLAN for any L3 multicast group address, as per the following filtering options:
· IPv4: IGMP versions to be filtered:
  · V1 membership report (0x12)
  · V2 membership report (0x16)
  · V3 membership report (0x22)
· IPv6: ICMPv6 types to be filtered, except link-local multicast packets:
  · Multicast Listener report: MLD Version 1 (131)
  · Multicast Listener report: MLD Version 2 (143)

Note Filtering of supported types will prevent the creation or addition of a client entry to the AP multicast group table.
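The report-type and scope rules in Table 32 and the list above, as an added Python example that is not part of this guide or of Cisco's AP software: a classifier that applies the same rules to constructed IGMP and MLD messages, so a defender can check which joins an AP with multicast filter enabled would drop. The message builders, the zeroed checksums, and the rule that any out-of-scope record in an MLDv2 report drops the whole report are assumptions.

```python
import struct
from ipaddress import IPv4Address, IPv6Address
from typing import List

# Report types the guide lists as filtered when "multicast filter" is
# enabled on the policy profile (IGMP type byte / ICMPv6 type byte).
IGMP_FILTERED_TYPES = {0x12: "IGMPv1 membership report",
                       0x16: "IGMPv2 membership report",
                       0x22: "IGMPv3 membership report"}
MLD_FILTERED_TYPES = {131: "MLDv1 multicast listener report",
                      143: "MLDv2 multicast listener report"}
MAX_EXEMPT_SCOPE = 3  # IPv6 groups with scope <= 3 (link-local and below) are honored


def ipv6_scope(group: bytes) -> int:
    """Scope nibble of an IPv6 multicast address (ff0X::/16 -> X)."""
    if len(group) != 16 or group[0] != 0xFF:
        raise ValueError("not an IPv6 multicast address")
    return group[1] & 0x0F


def mld_groups(msg: bytes) -> List[bytes]:
    """Multicast group addresses carried by an MLDv1 (131) or MLDv2 (143) report."""
    if msg[0] == 131:                      # RFC 2710: group address at offset 8
        return [msg[8:24]]
    if msg[0] == 143:                      # RFC 3810: record count at 6, records from 8
        nrec = struct.unpack("!H", msg[6:8])[0]
        groups, off = [], 8
        for _ in range(nrec):
            aux_len = msg[off + 1]
            nsrc = struct.unpack("!H", msg[off + 2:off + 4])[0]
            groups.append(msg[off + 4:off + 20])
            off += 20 + 16 * nsrc + 4 * aux_len
        return groups
    return []


def ap_action(proto: str, msg: bytes, filtering_enabled: bool) -> str:
    """'drop' or 'honor' for a join request, following Table 32 and the type list."""
    if not filtering_enabled:
        return "honor"                     # AP honors every IGMP/MLD report
    if proto == "igmp":
        return "drop" if msg[0] in IGMP_FILTERED_TYPES else "honor"
    if proto == "mld":
        if msg[0] not in MLD_FILTERED_TYPES:
            return "honor"
        # Assumption: a report is dropped if any of its group records has
        # scope > 3; link-local (ff02::) reports are always exempt.
        out_of_scope = any(ipv6_scope(g) > MAX_EXEMPT_SCOPE for g in mld_groups(msg))
        return "drop" if out_of_scope else "honor"
    raise ValueError(f"unknown protocol {proto!r}")


# Constructed sample messages (checksums left as zero; only the fields the
# filter looks at are populated).
def igmp_report(msg_type: int, group: str) -> bytes:
    packed = IPv4Address(group).packed
    if msg_type == 0x22:                   # v3: header + one record (type 4 = CHANGE_TO_EXCLUDE)
        return bytes([0x22, 0, 0, 0, 0, 0, 0, 1]) + bytes([4, 0, 0, 0]) + packed
    return bytes([msg_type, 0, 0, 0]) + packed   # v1/v2: type, max resp, checksum, group


def mld_report(msg_type: int, groups: List[str]) -> bytes:
    packed = [IPv6Address(g).packed for g in groups]
    if msg_type == 131:                    # v1: type, code, checksum, max delay, reserved, group
        return bytes([131, 0, 0, 0, 0, 0, 0, 0]) + packed[0]
    body = b"".join(bytes([4, 0, 0, 0]) + p for p in packed)   # v2: one record per group
    return bytes([143, 0, 0, 0, 0, 0]) + struct.pack("!H", len(packed)) + body


if __name__ == "__main__":
    samples = [
        ("igmp", igmp_report(0x16, "239.1.1.1")),           # IGMPv2 join: filtered
        ("igmp", igmp_report(0x22, "239.1.1.1")),           # IGMPv3 report: filtered
        ("mld", mld_report(131, ["ff02::fb"])),             # link-local mDNS: exempt
        ("mld", mld_report(131, ["ff0e::1"])),              # global scope 14: filtered
        ("mld", mld_report(143, ["ff02::fb", "ff05::1"])),  # site-local record present: filtered
    ]
    for proto, msg in samples:
        print(proto, msg[0], ap_action(proto, msg, filtering_enabled=True))
```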

Configuring Multicast Filtering
Perform the procedure given here to create a policy profile and then enable Multicast Filtering on a WLAN:

Before you begin Create a WLAN.

Procedure

Step 1

Command or Action configure terminal Example:
Device# configure terminal

Purpose Enters global configuration mode.

Step 2
Command or Action: wireless profile policy profile-policy
Example:
Device(config)# wireless profile policy rr-xyz-policy-1
Purpose: Configures a WLAN policy profile and enters wireless policy configuration mode.

Step 3
Command or Action: multicast filter
Example:
Device(config-wireless-policy)# multicast filter
Purpose: Configures a multicast filter. (Use the no form of this command to disable the feature.)


What to do next
1. Create a policy tag. For more information about creating policy tags, see Configuring a Policy Tag (CLI).
2. Map the policy tag to an AP. For more information about mapping a policy tag to an AP, see Attaching a Policy Tag and Site Tag to an AP (CLI).

Verifying Multicast Filtering

To verify if multicast filtering is enabled, use the show wireless profile policy detailed named-policy-profile command:

Device# show wireless profile policy detailed named-policy-profile

Policy Profile Name    : named-policy-profile
Description            :
Status                 : DISABLED
VLAN                   : 91
Multicast VLAN         : 0
OSEN client VLAN       :
Multicast Filter       : ENABLED

CHAPTER 81
Map-Server Per-Site Support
· Information About Map Server Per Site Support, on page 683
· Configuring the Default Map Server (GUI), on page 684
· Configuring the Default Map Server (CLI), on page 684
· Configuring a Map Server Per Site (GUI), on page 685
· Configuring a Map Server Per Site (CLI), on page 685
· Creating a Map Server for Each VNID (GUI), on page 686
· Creating a Map Server for Each VNID, on page 686
· Creating a Fabric Profile and Associating a Tag and VNID (GUI), on page 687
· Creating a Fabric Profile and Associating a Tag and VNID (CLI), on page 687
· Verifying the Map Server Configuration, on page 688
Information About Map Server Per Site Support
The Map Server Per Site feature supports per-site map server and the selection of map server based on the client's subnet. This enables the controller to support multiple sites and to segregate each site's traffic. This feature is applicable to both Enterprise and Guest map servers. For the Layer 2 virtual extensible LAN network identifier-based (L2VNID-based) map server, the appropriate map server should be selected based on the L2 VNID. The following list shows the map server selection order for AP query and client registration:
· Per-L3 VNID map server
· Per site (ap-group) map server
· Default or global map server
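The selection order just listed, as an added Python example that is not part of this guide or of the controller software: a model of the fabric configuration built from this chapter's CLI forms, with a function that picks the control plane for an AP query (no client address) or a client registration. The site tag, VNID map entries and the 10.8.6.0/24 prefix are constructed, and longest-prefix match between overlapping L3 VNID networks is an assumption.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple


@dataclass
class VnidMap:
    """One 'wireless fabric name <n> l2-vnid .. [l3-vnid .. ip <net> <mask>] control-plane <cp>' entry."""
    name: str
    l2_vnid: int
    control_plane: str
    l3_vnid: Optional[int] = None
    network: Optional[IPv4Network] = None   # present only for the Layer 3 form


@dataclass
class FabricConfig:
    default_control_plane: str = "default-control-plane"
    site_control_plane: Dict[str, str] = field(default_factory=dict)   # site tag -> 'fabric control-plane'
    vnid_maps: List[VnidMap] = field(default_factory=list)


def select_map_server(cfg: FabricConfig, site_tag: str,
                      client_ip: Optional[str] = None) -> Tuple[str, str]:
    """Return (control plane name, reason) using the guide's order:
    per-L3-VNID (client subnet), then per-site, then default/global.
    An AP query carries no client address, so pass client_ip=None for it."""
    if client_ip is not None:
        ip = IPv4Address(client_ip)
        # Assumption: when several L3 VNID networks contain the address, the
        # most specific (longest prefix) one wins.
        matches = [m for m in cfg.vnid_maps if m.network is not None and ip in m.network]
        if matches:
            best = max(matches, key=lambda m: m.network.prefixlen)
            return best.control_plane, f"per-L3-VNID ({best.name}, l3-vnid {best.l3_vnid})"
    cp = cfg.site_control_plane.get(site_tag)
    if cp is not None:
        return cp, f"per-site (site tag {site_tag})"
    return cfg.default_control_plane, "default/global map server"


def sample_config() -> FabricConfig:
    """Constructed configuration modelled on the CLI examples in this chapter."""
    return FabricConfig(
        site_control_plane={"test-site": "test-map"},   # wireless tag site test-site / fabric control-plane test-map
        vnid_maps=[
            # wireless fabric name test1 l2-vnid 12 l3-vnid 10 ip <net> <mask> control-plane cp1 (constructed prefix)
            VnidMap("test1", 12, "cp1", l3_vnid=10, network=IPv4Network("10.8.6.0/24")),
            # Layer 2 only form: wireless fabric name <name> l2-vnid 22 control-plane cp1
            VnidMap("test1-l2", 22, "cp1"),
        ],
    )


if __name__ == "__main__":
    cfg = sample_config()
    print(select_map_server(cfg, "test-site"))                 # AP query: per-site test-map
    print(select_map_server(cfg, "test-site", "10.8.6.77"))    # client inside L3 VNID subnet: cp1
    print(select_map_server(cfg, "other-site", "192.0.2.5"))   # no match anywhere: default
```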
Benefits
Some of the benefits of using the Map Server Per Site feature are listed below:
· You can use a single large site with horizontal scaling of the map server and border nodes.
· You can share the controller across multiple sites, with each site having its own map server and virtual network or VNID, and still segment traffic from each site.
· You can share the Guest map server across multiple sites while keeping the Enterprise map server separate.

· You can use the same SSID across different sites. Within a site, they can belong to a different virtual network domain.

Configuring the Default Map Server (GUI)
Procedure

Step 1 Choose Configuration > Wireless > Fabric.
Step 2 On the Fabric page, click the Control Plane tab.
Step 3 In the Control Plane Name list, click default-control-plane.
Step 4 In the Edit Control Plane window that is displayed, click Add.
Step 5 Enter the IP address of the map server.
Step 6 Set the Password Type as either Unencrypted or AES.
Step 7 Enter the Pre Shared Key.
Step 8 Click Save.
Step 9 Click Update & Apply to Device.

Configuring the Default Map Server (CLI)
Follow the procedure given below to configure the default map server.
Before you begin
· The global map server is the default map server that is used for both AP query (when an AP joins) and client registration (when a client joins).
· We recommend that you configure map servers in pairs to ensure redundancy, because the LISP control plane does not support redundancy inherently.
· To share a map server set, create a map server group, which can be shared across site profiles, fabric profiles, Layer 2 and Layer 3 VNIDs, as well as with the default map server.

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wireless fabric control-plane control-plane-name
Example:
Device(config)# wireless fabric control-plane test-map
Purpose: Configures the control plane name. If you do not provide a control plane name, the auto-generated default-control-plane is used.

Step 3
Command or Action: ip address ip-address key pre-shared-key
Example:
Device(config-wireless-cp)# ip address 10.12.13.14 key secret
Purpose: Configures the IP address and the key for the control plane.

Configuring a Map Server Per Site (GUI)
Before you begin
Ensure that you have configured an AP Join Profile prior to configuring the primary and backup controllers.

Procedure

Step 1 Choose Configuration > Tags & Profiles > AP Join.
Step 2 On the AP Join Profile page, click the AP Join Profile name.
Step 3 In the Edit AP Join Profile window, click the CAPWAP tab.
Step 4 In the High Availability tab under Backup Controller Configuration, check the Enable Fallback check box.
Step 5 Enter the primary and secondary controller names and IP addresses.
Step 6 Click Update & Apply to Device.

Configuring a Map Server Per Site (CLI)
Follow the procedure given below to configure a per-site map server under a site tag.

Before you begin
You can configure a map server for each site or each AP group. If a map server is not configured for each VNID or subnet, the per-site map server is used for AP queries and client registration.

Procedure

Step 1

Command or Action configure terminal Example:
Device# configure terminal

Purpose Enters global configuration mode.


Step 2
Command or Action: wireless tag site site-tag
Example:
Device(config)# wireless tag site test-site
Purpose: Configures a site tag and enters site tag configuration mode.

Step 3
Command or Action: fabric control-plane map-server-name
Example:
Device(config-wireless-site)# fabric control-plane test-map
Purpose: Associates a fabric control plane name with a site tag.

Creating a Map Server for Each VNID (GUI)
Procedure

Step 1 Click Configuration > Wireless Plus > Fabric > Fabric Configuration.
Step 2 In the Profiles tab, click Add to add a new Fabric Profile.
Step 3 In the Add New Profile window that is displayed, enter a name and description for the profile.
Step 4 Specify the L2 VNID and SGT Tag details.
Step 5 In the Map Servers section, specify the IP address and preshared key details for Server 1.
Step 6 Optionally, you can specify the IP address and preshared key details for Server 2.
Step 7 Click Save & Apply to Device.

Creating a Map Server for Each VNID
Follow the procedure given below to configure map server for each VNID in Layer 2 and Layer 3 or a map server for a client VNID.

Procedure

Step 1

Command or Action configure terminal Example:
Device# configure terminal

Purpose Enters global configuration mode.

Step 2
Command or Action: Choose one of the following:
· wireless fabric name vnid-map l2-vnid l2-vnid l3-vnid l3vnid ip network-ip subnet-mask control-plane control-plane-name
· wireless fabric name vnid-map l2-vnid l2-vnid control-plane control-plane-name
Example:
Device(config)# wireless fabric name test1 l2-vnid 12 l3-vnid 10 ip 10.8.6.2 255.255.255.236 control-plane cp1
Example:
Device(config)# wireless fabric name test1 l2-vnid 22 control-plane cp1
Purpose: Configures a map server for each VNID in Layer 2 and Layer 3 or a map server for a client VNID.

Creating a Fabric Profile and Associating a Tag and VNID (GUI)
Procedure

Step 1 Click Configuration > Wireless > Fabric.
Step 2 In the Profiles tab on the Fabric Configuration page, click Add to add a new profile.
Step 3 In the Add New Profile window that is displayed, enter a name and description for the profile.
Step 4 Specify the L2 VNID and SGT Tag details.
Step 5 Click Save & Apply to Device.

Creating a Fabric Profile and Associating a Tag and VNID (CLI)
Follow the procedure given below to create a fabric profile and associate the VNID to which the client belongs and the SGT tag to this profile.

Procedure

Step 1

Command or Action configure terminal Example:
Device# configure terminal

Purpose Enters global configuration mode.

Step 2
Command or Action: wireless profile fabric fabric-profile-name
Example:
Device(config)# wireless profile fabric test-fabric
Purpose: Configures a fabric profile.

Step 3
Command or Action: sgt-tag value
Example:
Device(config-wireless-fabric)# sgt-tag 5
Purpose: Configures an SGT tag.

Step 4
Command or Action: client-l2-vnid vnid
Example:
Device(config-wireless-fabric)# client-l2-vnid 10
Purpose: Configures a client Layer 2 VNID.

Verifying the Map Server Configuration

Use the following commands to verify the map server configuration:

Device# show wireless fabric summary

Fabric Status                 : Enabled

Control-plane:
Name          IP-address      Key       Status
--------------------------------------------------------------------------------------------
test-map      10.12.13.14     test1     Down

Fabric VNID Mapping:
Name     L2-VNID   L3-VNID   IP Address   Subnet            Control plane name
----------------------------------------------------------------------------------------------------------------------
test1    12        10        10.6.8.9     255.255.255.236   test2

Device# show wireless fabric vnid mapping

Fabric VNID Mapping:
Name       L2-VNID   L3-VNID   IP Address   Subnet          Control Plane Name
--------------------------------------------------------------------------------------------------------------------
fabric1    1         0         9.6.51.0     255.255.255.0   map-server-name

Device# show wireless profile fabric detailed profile-name

Profile-name        : fabric-ap
VNID                : 1
SGT                 : 500
Type                : Guest

Control Plane Name        Control-Plane IP     Control-Plane Key
--------------------------------------------------------------------------------
Ent-map-server            5.4.3.2              guest_1

Device# show ap name ap-name config general

Fabric status                 : Enabled
RLOC                          : 2.2.2.2
Control Plane Name            : ent-map-server

Device# show wireless client mac mac-address detail

Fabric status                 : Enabled
RLOC                          : 2.2.2.2
Control Plane Name            : ent-map-server

Device# show wireless tag site detailed site-tag

Site Tag Name                 : default-site-tag
Description                   : default site tag
----------------------------------------
AP Profile                    : default-ap-profile
Local-site                    : Yes
Fabric-control-plane: Ent-map-server


CHAPTER 82

Volume Metering

The Volume Metering feature allows you to configure the interval at which an access point (AP) updates client accounting statistics to the controller and in turn to the RADIUS server. Currently, the report is sent from an AP to the controller every 90 seconds. With this feature, you can configure the time from 5 to 90 seconds. This helps reduce the delay in accounting data usage by a device.
· Configuring Volume Metering, on page 691

Configuring Volume Metering
Follow the procedure given below to configure volume metering:

Procedure

Step 1

Command or Action configure terminal Example:
Device# configure terminal

Purpose Enters global configuration mode.

Step 2

ap profile profile-name Example:

Configures an AP profile and enters ap profile configuration mode.

Device(config)# ap profile yy-ap-profile

Step 3
Command or Action: dot11 24ghz reporting-interval reporting-interval
Example:
Device(config-ap-profile)# dot11 24ghz reporting-interval 60
Purpose: Configures the dot11 parameters.

Step 4
Command or Action: dot11 5ghz reporting-interval reporting-interval
Example:
Device(config-ap-profile)# dot11 5ghz reporting-interval 60
Purpose: Configures the dot11 parameters.

Step 5
Command or Action: exit
Example:
Device(config-ap-profile)# exit
Purpose: Returns to global configuration mode.

Step 6
Command or Action: aaa accounting update periodic interval-in-minutes
Example:
Device(config)# aaa accounting update periodic 75
Purpose: Sets the time interval (in minutes) at which the controller sends interim accounting updates of the client to the RADIUS server.

Step 7
Command or Action: exit
Example:
Device(config)# exit
Purpose: Exits configuration mode and returns to privileged EXEC mode.


CHAPTER 83
Enabling Syslog Messages in Access Points and Controller for Syslog Server
· Information About Enabling Syslog Messages in Access Points and Controller for Syslog Server, on page 693
· Configuring Syslog Server for an AP Profile, on page 695
· Configuring Syslog Server for the Controller (GUI), on page 696
· Configuring Syslog Server for the Controller, on page 697
· Information About Syslog Support for Client State Change, on page 698
· Configuring Syslog Support for Client State Change (CLI), on page 699
· Sample Syslogs, on page 699
· Verifying Syslog Server Configurations, on page 700
Information About Enabling Syslog Messages in Access Points and Controller for Syslog Server
The Syslog server on access points and the controller has many levels and facilities. The following are the Syslog levels:
· Emergencies
· Alerts
· Critical
· Errors
· Warnings
· Notifications
· Informational
· Debugging
The following options are available for the Syslog facility:
· auth--Authorization system.
· cron--Cron/at facility.
· daemon--System daemons.
· kern--Kernel.
· local0--Local use.
· local1--Local use.
· local2--Local use.
· local3--Local use.
· local4--Local use.
· local5--Local use.
· local6--Local use.
· local7--Local use.
· lpr--Line printer system.
· mail--Mail system.
· news--USENET news.
· sys10--System use.
· sys11--System use.
· sys12--System use.
· sys13--System use.
· sys14--System use.
· sys9--System use.
· syslog--Syslog itself.
· user--User process.
· uucp--Unix-to-Unix copy system.
Note For more information about the usage of the syslog facilities and levels, refer to RFC 5424 (The Syslog Protocol).


Configuring Syslog Server for an AP Profile

Procedure

Step 1

configure terminal
Example:
Device# configure terminal

Enters global configuration mode.

Step 2

ap profile ap-profile
Example:
Device(config)# ap profile xyz-ap-profile

Configures an AP profile and enters the AP profile configuration mode.

Step 3

syslog facility
Example:
Device(config-ap-profile)# syslog facility

Configures the facility parameter for Syslog messages.

Step 4

syslog host ip-address
Example:
Device(config-ap-profile)# syslog host 9.3.72.1

Configures the Syslog server IP address and parameters.

Step 5

syslog level {alerts | critical | debugging | emergencies | errors | informational | notifications | warnings}
Example:
Device(config-ap-profile)# syslog level

Configures the Syslog server logging level. The following are the Syslog server logging levels:
· emergencies--Signifies severity 0. Implies that the system is not usable.
· alerts--Signifies severity 1. Implies that an immediate action is required.
· critical--Signifies severity 2. Implies critical conditions.
· errors--Signifies severity 3. Implies error conditions.
· warnings--Signifies severity 4. Implies warning conditions.
· notifications--Signifies severity 5. Implies normal but significant conditions.
· informational--Signifies severity 6. Implies informational messages.
· debugging--Signifies severity 7. Implies debugging messages.

Note
To know the number of Syslog levels supported, you need to select a Syslog level. Once a Syslog level is selected, all the levels below it (that is, the levels with a lower severity number) are also enabled.
If you enable the critical Syslog level, all levels below it are also enabled, so all three of them, namely critical, alerts, and emergencies, are enabled.

Step 6

end
Example:
Device(config-ap-profile)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Configuring Syslog Server for the Controller (GUI)
Procedure

Step 1 Choose Troubleshooting > Logs.
Step 2 Click the Manage Syslog Servers button.
Step 3 In Log Level Settings, from the Syslog drop-down list, choose a security level.
Step 4 From the Message Console drop-down list, choose a logging level.
Step 5 In Message Buffer Configuration, from the Level drop-down list, choose a server logging level.
Step 6 In Size (bytes), enter the buffer size. The value can range from 4096 to 2147483647.
Step 7 In IP Configuration settings, click Add.
Step 8 Choose the Server Type from the IPv4 / IPv6 or FQDN option.
Step 9 For Server Type IPv4 / IPv6, enter the IPv4 / IPv6 Server Address. For Server Type FQDN, enter the Host Name, and choose the IP type and the appropriate VRF Name from the drop-down lists.

To delete a syslog server, click 'x' next to the appropriate server entry, under the Remove column.

Note
When creating a host name, spaces are not allowed.

Step 10 Click Apply to Device.

Note
When you click Apply to Device, the changes are configured. If you click Cancel, the configurations are discarded.


Configuring Syslog Server for the Controller

Procedure

Step 1

configure terminal
Example:
Device# configure terminal

Enters global configuration mode.

Step 2

logging host {hostname | ipv6}
Example:
Device(config)# logging host 124.3.52.62

Enables the Syslog server IP address and parameters.

Step 3

logging facility {auth | cron | daemon | kern | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 | lpr | mail | news | sys10 | sys11 | sys12 | sys13 | sys14 | sys9 | syslog | user | uucp}
Example:
Device(config)# logging facility syslog

Enables the facility parameter for the Syslog messages. You can enable the following facility parameters for the Syslog messages:
· auth--Authorization system.
· cron--Cron facility.
· daemon--System daemons.
· kern--Kernel.
· local0 to local7--Local use.
· lpr--Line printer system.
· mail--Mail system.
· news--USENET news.
· sys10 to sys14 and sys9--System use.
· syslog--Syslog itself.
· user--User process.
· uucp--Unix-to-Unix copy system.

Step 4

logging trap {severity-level | alerts | critical | debugging | emergencies | errors | informational | notifications | warnings}
Example:
Device(config)# logging trap 2

Enables the Syslog server logging level.
severity-level--Refers to the logging severity level. The valid range is from 0 to 7.
The following are the Syslog server logging levels:
· emergencies--Signifies severity 0. Implies that the system is not usable.
· alerts--Signifies severity 1. Implies that an immediate action is required.
· critical--Signifies severity 2. Implies critical conditions.
· errors--Signifies severity 3. Implies error conditions.
· warnings--Signifies severity 4. Implies warning conditions.
· notifications--Signifies severity 5. Implies normal but significant conditions.
· informational--Signifies severity 6. Implies informational messages.
· debugging--Signifies severity 7. Implies debugging messages.

Note
To know the number of Syslog levels supported, you need to select a Syslog level. Once a Syslog level is selected, all the levels below it (that is, the levels with a lower severity number) are also enabled.
If you enable the critical Syslog level, all levels below it are also enabled, so all three of them, namely critical, alerts, and emergencies, are enabled.

Step 5

end
Example:
Device(config)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Information About Syslog Support for Client State Change
When a client joins, dissociates, or rejoins a wireless network, the Syslog Support for Client State Change feature enables you to track client details such as IP addresses, AP names, and so on. A syslog is generated in the following scenarios:
· When a client moves to RUN state.
· When a client gets a new IP (IPv4 or IPv6) address in the RUN state.
· When a client in RUN state is deleted.


Note When the Syslog Support for Client State Change feature is enabled and the AP moves from standalone to connected, you may observe that usernames are null in syslog messages and in the client details for the 802.1X clients associated with that AP. You can ignore this behavior, as it does not have any operational impact. The usernames are updated after 30 seconds.

Configuring Syslog Support for Client State Change (CLI)

Procedure

Step 1

configure terminal
Example:
Device# configure terminal

Enters global configuration mode.

Step 2

wireless client syslog-detailed
Example:
Device(config)# wireless client syslog-detailed

Enables detailed syslogs for client events.

Step 3

end
Example:
Device(config)# end

Returns to privileged EXEC mode.

Sample Syslogs
802.1X Authentication
The following example shows a client IP update:
Oct 1 14:41:27.785 IST: %CLIENT_ORCH_LOG-7-CLIENT_IP_UPDATED: Chassis 1 R0/0: wncd: Username (dev2), MAC: 0062.xxxx.0077, IP fe80::262:aff:xxxx:77 101.6.2.119 2001:300:8:0:362:aff:xxxx:77 2001:300:8:0:762:aff:xxxx:77 2001:300:8:0:562:aff:xxxx:77 2001:300:8:0:962:aff:xxxx:77 2001:300:8:0:462:aff:xxxx:77 IP address updated, associated to AP (Asim_06-11) with SSID (dev_abcd_wlan_1)
The following example shows a client RUN state:
Oct 1 14:41:27.779 IST: %CLIENT_ORCH_LOG-7-CLIENT_MOVED_TO_RUN_STATE: Chassis 1 R0/0: wncd: Username (dev2), MAC: 0062.xxxx.006a, IP 101.xxxx.2.106 associated to AP (Asim_06-10) with SSID (dev_abcd_wlan_1)


Open Authentication
The following example shows a client IP update:
Sep 18 03:22:35.902: %CLIENT_ORCH_LOG-7-CLIENT_IP_UPDATED: Chassis 1 R0/0: wncd: Username (null), MAC: 6014.xxxx.c5fb, IP 9.9.xxxx.252 fe80::643c:87c1:xxxx:c1c4 IP address updated, associated to AP (AP2C5A.xxxx.159A) with SSID (test1)
The following example shows a client RUN state:
Sep 18 03:22:35.257: %CLIENT_ORCH_LOG-7-CLIENT_MOVED_TO_RUN_STATE: Chassis 1 R0/0: wncd: Username (null), MAC: 6014.xxxx.c5fb, IP 9.9.xxxx.252 associated to AP (AP2C5A.xxxx.159A) with SSID (test1)
The following example shows a client delete state:
Sep 18 03:24:45.083: %CLIENT_ORCH_LOG-7-CLIENT_MOVED_TO_DELETE_STATE: Chassis 1 R0/0: wncd: Username (null), MAC: 6014.xxxx.c5fb, IP fe80::643c:xxxx:e316:c1c4 2001:300:42:0:643c:87c1:xxxx:c1c4 2001:300:42:0:xxxx:82ce:1ae4:5a32 9.9.xxxx.252 disconnected from AP (AP2C5A.xxxx.159A) with SSID (test1)
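The client state-change messages above are all severity 7 (the `-7-` in `%CLIENT_ORCH_LOG-7-...`), so they reach a syslog host only when the `logging trap` level configured earlier includes debugging. The following Python is an added example, not Cisco code or output from the controller: it parses the message layout shown in this section into structured fields and applies the "selecting a level also enables every level below it" rule to decide which messages a given `logging trap` setting forwards. The sample lines are the ones printed above, with the same xxxx masking; the field names of the returned dictionary are this example's own.

```python
"""Parse Catalyst 9800 client state-change syslogs and apply the `logging trap`
severity rule.  Added example, not Cisco code."""
import re

# Keyword-to-severity mapping exactly as the `logging trap` table lists it.
LEVELS = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# Cisco IOS message header: %FACILITY-SEVERITY-MNEMONIC: body
HEADER_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<body>.*)$"
)
# Body layout of the CLIENT_ORCH_LOG messages shown in this section.
BODY_RE = re.compile(
    r"Username \((?P<user>[^)]*)\), MAC: (?P<mac>[0-9a-fx.]+), IP (?P<ips>.*?) "
    r"(?:IP address updated, )?(?:associated to|disconnected from) AP "
    r"\((?P<ap>[^)]+)\) with SSID \((?P<ssid>[^)]+)\)"
)
EVENTS = {  # mnemonic -> short event name used by this example
    "CLIENT_MOVED_TO_RUN_STATE": "run",
    "CLIENT_IP_UPDATED": "ip_update",
    "CLIENT_MOVED_TO_DELETE_STATE": "delete",
}


def forwarded_severities(trap_level):
    """Severities the controller forwards for a `logging trap` setting.
    Selecting a level also enables every more severe level (lower number):
    `logging trap critical` forwards 0, 1 and 2."""
    if isinstance(trap_level, str):
        if trap_level not in LEVELS:
            raise ValueError(f"unknown level keyword: {trap_level}")
        cap = LEVELS[trap_level]
    else:
        cap = int(trap_level)
        if not 0 <= cap <= 7:
            raise ValueError("severity-level must be 0..7")
    return set(range(cap + 1))


def parse_client_event(line):
    """Return a dict for a CLIENT_ORCH_LOG client event, or None for other lines."""
    head = HEADER_RE.search(line)
    if not head or head.group("facility") != "CLIENT_ORCH_LOG":
        return None
    body = BODY_RE.search(head.group("body"))
    if not body:
        return None
    return {
        "severity": int(head.group("severity")),
        "event": EVENTS.get(head.group("mnemonic"), head.group("mnemonic")),
        # Open-auth clients log "Username (null)"; report that as no username.
        "user": None if body.group("user") == "null" else body.group("user"),
        "mac": body.group("mac"),
        "ips": body.group("ips").split(),   # one or more IPv4/IPv6 addresses
        "ap": body.group("ap"),
        "ssid": body.group("ssid"),
    }


def forwarded_events(lines, trap_level):
    """Client events that would actually reach the syslog host at `trap_level`."""
    allowed = forwarded_severities(trap_level)
    parsed = (parse_client_event(line) for line in lines)
    return [ev for ev in parsed if ev and ev["severity"] in allowed]


# Sample lines copied from this section (addresses masked as on the page).
SAMPLE_LINES = [
    "Oct 1 14:41:27.785 IST: %CLIENT_ORCH_LOG-7-CLIENT_IP_UPDATED: Chassis 1 R0/0: wncd: "
    "Username (dev2), MAC: 0062.xxxx.0077, IP fe80::262:aff:xxxx:77 101.6.2.119 "
    "2001:300:8:0:362:aff:xxxx:77 2001:300:8:0:762:aff:xxxx:77 2001:300:8:0:562:aff:xxxx:77 "
    "2001:300:8:0:962:aff:xxxx:77 2001:300:8:0:462:aff:xxxx:77 IP address updated, "
    "associated to AP (Asim_06-11) with SSID (dev_abcd_wlan_1)",
    "Oct 1 14:41:27.779 IST: %CLIENT_ORCH_LOG-7-CLIENT_MOVED_TO_RUN_STATE: Chassis 1 R0/0: wncd: "
    "Username (dev2), MAC: 0062.xxxx.006a, IP 101.xxxx.2.106 associated to AP (Asim_06-10) "
    "with SSID (dev_abcd_wlan_1)",
    "Sep 18 03:22:35.902: %CLIENT_ORCH_LOG-7-CLIENT_IP_UPDATED: Chassis 1 R0/0: wncd: "
    "Username (null), MAC: 6014.xxxx.c5fb, IP 9.9.xxxx.252 fe80::643c:87c1:xxxx:c1c4 "
    "IP address updated, associated to AP (AP2C5A.xxxx.159A) with SSID (test1)",
    "Sep 18 03:22:35.257: %CLIENT_ORCH_LOG-7-CLIENT_MOVED_TO_RUN_STATE: Chassis 1 R0/0: wncd: "
    "Username (null), MAC: 6014.xxxx.c5fb, IP 9.9.xxxx.252 associated to AP (AP2C5A.xxxx.159A) "
    "with SSID (test1)",
    "Sep 18 03:24:45.083: %CLIENT_ORCH_LOG-7-CLIENT_MOVED_TO_DELETE_STATE: Chassis 1 R0/0: wncd: "
    "Username (null), MAC: 6014.xxxx.c5fb, IP fe80::643c:xxxx:e316:c1c4 "
    "2001:300:42:0:643c:87c1:xxxx:c1c4 2001:300:42:0:xxxx:82ce:1ae4:5a32 9.9.xxxx.252 "
    "disconnected from AP (AP2C5A.xxxx.159A) with SSID (test1)",
]

if __name__ == "__main__":
    for ev in forwarded_events(SAMPLE_LINES, "debugging"):
        print(ev["event"], ev["user"], ev["mac"], ev["ap"], ev["ssid"])
    print(len(forwarded_events(SAMPLE_LINES, 2)), "event(s) forwarded at 'logging trap 2'")
```

With the `logging trap 2` value used in the controller procedure, `forwarded_events` returns nothing for these lines; a collector that expects to see client joins and deletes needs the trap level raised to debugging (or the AP-profile `syslog level` set accordingly) before it will receive them.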
Verifying Syslog Server Configurations
Verifying Global Syslog Server Settings for all Access Points
To view the global Syslog server settings for all access points that have joined the controller, use the following command:
Device# show ap config general

Cisco AP Name : APA0F8.4984.5E48
=================================================
Cisco AP Identifier : a0f8.4985.d360
Country Code : IN
Regulatory Domain Allowed by Country : 802.11bg:-A 802.11a:-DN
AP Country Code : IN - India
AP Regulatory Domain
Slot 0 : -A
Slot 1 : -D
MAC Address : a0f8.4984.5e48
IP Address Configuration : DHCP
IP Address : 9.4.172.111
IP Netmask : 255.255.255.0
Gateway IP Address : 9.4.172.1
Fallback IP Address Being Used :
Domain :
Name Server :
CAPWAP Path MTU : 1485
Telnet State : Disabled
SSH State : Disabled
Jumbo MTU Status : Disabled
Cisco AP Location : default location
Site Tag Name : ST1
RF Tag Name : default-rf-tag
Policy Tag Name : PT3
AP join Profile : default-ap-profile
Primary Cisco Controller Name : WLC2
Primary Cisco Controller IP Address : 9.4.172.31
Secondary Cisco Controller Name : Not Configured
Secondary Cisco Controller IP Address : 0.0.0.0
Tertiary Cisco Controller Name : Not Configured
Tertiary Cisco Controller IP Address : 0.0.0.0
Administrative State : Enabled
Operation State : Registered
AP Certificate type : Manufacturer Installed Certificate
AP Mode : Local
AP VLAN tagging state : Disabled
AP VLAN tag : 0
CAPWAP Preferred mode : Not Configured
AP Submode : Not Configured
Office Extend Mode : Disabled
Remote AP Debug : Disabled
Logging Trap Severity Level : notification
Software Version : 16.10.1.24
Boot Version : 1.1.2.4
Mini IOS Version : 0.0.0.0
Stats Reporting Period : 180
LED State : Enabled
PoE Pre-Standard Switch : Disabled
PoE Power Injector MAC Address : Disabled
Power Type/Mode : PoE/Full Power (normal mode)
Number of Slots : 3
AP Model : AIR-AP1852I-D-K9
IOS Version : 16.10.1.24
Reset Button : Disabled
AP Serial Number : KWC212904UB
Management Frame Protection Validation : Disabled
AP User Mode : Automatic
AP User Name : Not Configured
AP 802.1X User Mode : Global
AP 802.1X User Name : Not Configured
Cisco AP System Logging Host : 9.4.172.116
AP Up Time : 11 days 1 hour 15 minutes 52 seconds
AP CAPWAP Up Time : 6 days 3 hours 11 minutes 6 seconds
Join Date and Time : 09/05/2018 04:18:52
Join Taken Time : 3 minutes 1 second
Join Priority : 1
Ethernet Port Duplex : Auto
Ethernet Port Speed : Auto
AP Link Latency : Disable
AP Lag Configuration Status : Disabled
AP Lag Operational Status : Disabled
Lag Support for AP : Yes
Rogue Detection : Enabled
Rogue Containment auto-rate : Disabled
Rogue Containment of standalone flexconnect APs : Disabled
Rogue Detection Report Interval : 10
Rogue AP minimum RSSI : -90
Rogue AP minimum transient time : 0
AP TCP MSS Adjust : Enabled
AP TCP MSS Size : 1250
AP IPv6 TCP MSS Adjust : Enabled
AP IPv6 TCP MSS Size : 1250
Hyperlocation Admin Status : Disabled
Retransmit count : 5
Retransmit interval : 3
Fabric status : Disabled
FIPS status : Disabled
WLANCC status : Disabled
USB Module Type : USB Module
USB Module State : Enabled
USB Operational State : Disabled
USB Override : Disabled
Lawful-Interception Admin status : Disabled
Lawful-Interception Oper status : Disabled
Verifying Syslog Server Settings for a Specific Access Point
To view the Syslog server settings for a specific access point, use the following command:
Device# show ap name <ap-name> config general

Example:
Device# show ap name APA0F8.4984.5E48 config general

Cisco AP Name : APA0F8.4984.5E48
=================================================
Cisco AP Identifier : a0f8.4985.d360
Country Code : IN
Regulatory Domain Allowed by Country : 802.11bg:-A 802.11a:-DN
AP Country Code : IN - India
AP Regulatory Domain
Slot 0 : -A
Slot 1 : -D
MAC Address : a0f8.4984.5e48
IP Address Configuration : DHCP
IP Address : 9.4.172.111
IP Netmask : 255.255.255.0
Gateway IP Address : 9.4.172.1
Fallback IP Address Being Used :
Domain :
Name Server :
CAPWAP Path MTU : 1485
Telnet State : Disabled
SSH State : Disabled
Jumbo MTU Status : Disabled
Cisco AP Location : default location
Site Tag Name : ST1
RF Tag Name : default-rf-tag
Policy Tag Name : PT3
AP join Profile : default-ap-profile
Primary Cisco Controller Name : WLC2
Primary Cisco Controller IP Address : 9.4.172.31
Secondary Cisco Controller Name : Not Configured
Secondary Cisco Controller IP Address : 0.0.0.0
Tertiary Cisco Controller Name : Not Configured
Tertiary Cisco Controller IP Address : 0.0.0.0
Administrative State : Enabled
Operation State : Registered
AP Certificate type : Manufacturer Installed Certificate
AP Mode : Local
AP VLAN tagging state : Disabled
AP VLAN tag : 0
CAPWAP Preferred mode : Not Configured
AP Submode : Not Configured
Office Extend Mode : Disabled
Remote AP Debug : Disabled
Logging Trap Severity Level : notification
Software Version : 16.10.1.24
Boot Version : 1.1.2.4
Mini IOS Version : 0.0.0.0
Stats Reporting Period : 180
LED State : Enabled
PoE Pre-Standard Switch : Disabled
PoE Power Injector MAC Address : Disabled
Power Type/Mode : PoE/Full Power (normal mode)
Number of Slots : 3
AP Model : AIR-AP1852I-D-K9
IOS Version : 16.10.1.24
Reset Button : Disabled
AP Serial Number : KWC212904UB
Management Frame Protection Validation : Disabled
AP User Mode : Automatic
AP User Name : Not Configured
AP 802.1X User Mode : Global
AP 802.1X User Name : Not Configured
Cisco AP System Logging Host : 9.4.172.116
AP Up Time : 11 days 1 hour 15 minutes 52 seconds
AP CAPWAP Up Time : 6 days 3 hours 11 minutes 6 seconds
Join Date and Time : 09/05/2018 04:18:52
Join Taken Time : 3 minutes 1 second
Join Priority : 1
Ethernet Port Duplex : Auto
Ethernet Port Speed : Auto
AP Link Latency : Disable
AP Lag Configuration Status : Disabled
AP Lag Operational Status : Disabled
Lag Support for AP : Yes
Rogue Detection : Enabled
Rogue Containment auto-rate : Disabled
Rogue Containment of standalone flexconnect APs : Disabled
Rogue Detection Report Interval : 10
Rogue AP minimum RSSI : -90
Rogue AP minimum transient time : 0
AP TCP MSS Adjust : Enabled
AP TCP MSS Size : 1250
AP IPv6 TCP MSS Adjust : Enabled
AP IPv6 TCP MSS Size : 1250
Hyperlocation Admin Status : Disabled
Retransmit count : 5
Retransmit interval : 3
Fabric status : Disabled
FIPS status : Disabled
WLANCC status : Disabled
USB Module Type : USB Module
USB Module State : Enabled
USB Operational State : Disabled
USB Override : Disabled
Lawful-Interception Admin status : Disabled
Lawful-Interception Oper status : Disabled
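On a controller with many APs, reading `show ap config general` by eye does not scale, and the two lines that matter for this chapter (`Cisco AP System Logging Host` and `Logging Trap Severity Level`) sit in the middle of roughly a hundred fields per AP. The following Python is an added example, not Cisco code: it parses the `Field : Value` layout shown above into one dictionary per AP and flags any AP whose syslog host or trap level differs from what the AP profile is expected to push. The sample output is a constructed excerpt: the first AP carries the values printed in this section, the second is an invented AP with a different host and trap level.

```python
"""Audit `show ap config general` output for AP syslog settings.
Added example, not Cisco code."""
import re

# One "Key : Value" row; the key runs to the first colon, so values that
# contain colons (timestamps, "802.11bg:-A 802.11a:-DN") stay intact.
FIELD_RE = re.compile(r"^\s*(?P<key>[^:]+?)\s*:\s*(?P<value>.*?)\s*$")

# Trap level words as the AP prints them (singular), mapped to severities.
TRAP_WORDS = {
    "emergenc": 0, "alert": 1, "critical": 2, "error": 3,
    "warning": 4, "notification": 5, "informational": 6, "debug": 7,
}


def parse_ap_blocks(text):
    """Split multi-AP output on 'Cisco AP Name' and parse each block into a dict."""
    blocks, current = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue  # separator rows such as ===== and sub-headings without a colon
        key, value = m.group("key"), m.group("value")
        if key == "Cisco AP Name":
            current = {}
            blocks.append(current)
        if current is not None:
            current[key] = value
    return blocks


def trap_severity(word):
    """Map 'notification', 'debugging', ... to 0..7; None if unrecognised."""
    w = word.strip().lower()
    for prefix, sev in TRAP_WORDS.items():
        if w.startswith(prefix):
            return sev
    return None


def audit_syslog(blocks, expected_host, expected_trap_severity):
    """Return (ap_name, finding) pairs for APs that deviate from the expected
    syslog host or trap severity."""
    findings = []
    for ap in blocks:
        name = ap.get("Cisco AP Name", "?")
        host = ap.get("Cisco AP System Logging Host")
        if host != expected_host:
            findings.append((name, f"logging host is {host!r}, expected {expected_host!r}"))
        level = ap.get("Logging Trap Severity Level", "")
        if trap_severity(level) != expected_trap_severity:
            findings.append((name, f"trap level is {level!r}, expected severity {expected_trap_severity}"))
    return findings


# Constructed excerpt: AP1 uses the values shown in this section, AP2 is invented
# (203.0.113.5 is a documentation address, not a real server).
SAMPLE_OUTPUT = """\
Cisco AP Name : APA0F8.4984.5E48
=================================================
Cisco AP Identifier : a0f8.4985.d360
Regulatory Domain Allowed by Country : 802.11bg:-A 802.11a:-DN
IP Address : 9.4.172.111
Telnet State : Disabled
SSH State : Disabled
AP join Profile : default-ap-profile
Logging Trap Severity Level : notification
Cisco AP System Logging Host : 9.4.172.116
Join Date and Time : 09/05/2018 04:18:52
Cisco AP Name : AP-CONSTRUCTED-2
=================================================
Cisco AP Identifier : 0000.0000.0002
AP join Profile : default-ap-profile
Logging Trap Severity Level : debugging
Cisco AP System Logging Host : 203.0.113.5
"""

if __name__ == "__main__":
    aps = parse_ap_blocks(SAMPLE_OUTPUT)
    for name, finding in audit_syslog(aps, "9.4.172.116", 5):
        print(f"{name}: {finding}")
```

To run it against a live controller, capture `show ap config general` to a file and feed its contents to `parse_ap_blocks` in place of `SAMPLE_OUTPUT`; the expected host and severity come from the `syslog host` and `syslog level` values in the AP profile.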


CHAPTER 84
Login Banner
· Information About Login Banner, on page 705
· Configuring a Login Banner (GUI), on page 705
· Configuring a Login Banner, on page 706
Information About Login Banner
A login banner displays a warning or message when you try to log in to the controller. To create a login banner, you must configure a delimiting character that notifies the system that the following text string must be displayed as the banner, and then the text string itself. The delimiting character is repeated at the end of the text string to signify the end of the banner. The delimiting character can be any single character in the extended ASCII character set, but once defined as the delimiter, that character cannot be used in the text string for the banner.

Note When HTTP authentication is configured using TACACS+/RADIUS, the banner message does not display on the Web UI.

Configuring a Login Banner (GUI)
Procedure

Step 1 Choose Configuration > Security > Web Auth.
Step 2 Click the Web Auth Parameter Map.
Step 3 In the General tab, click the Banner Text radio button under Banner Type.
Step 4 Enter the Banner Text, Maximum HTTPS connections and Init-State Timeout (secs).
Step 5 Choose the type from the Type drop-down list.
Step 6 Enter the Virtual IPv4 Address, Virtual IPv4 Hostname and Virtual IPv6 Hostname, Watch List Expiry Timeout (secs), Sleeping Client Timeout (minutes) and choose the trustpoint from the Trustpoint drop-down list.
Step 7 Check or uncheck the Turn-on Consent with Email, Web Auth intercept HTTPS, Watch List Enable, Captive Bypass Portal, Disable Success Window, Disable Logout Window and Sleeping Client Status check boxes.
Step 8 Click Update & Apply.

Configuring a Login Banner

Procedure

Step 1

enable
Example:
Device# enable

Enables privileged EXEC mode. Enter your password if prompted.

Step 2

configure terminal
Example:
Device# configure terminal

Enters global configuration mode.

Step 3

banner login c message c
Example:
Device(config)# banner login $ Access for authorized users only. Please enter your username and password. $

Specifies the login message.
· c--Enters the delimiting character of your choice, for example, a pound sign (#), and press the Return key. The delimiting character signifies the beginning and end of the banner text. Characters after the ending delimiter are discarded.
· message--Enters a login message up to 255 characters. You cannot use the delimiting character in the message.

Step 4

end
Example:
Device(config)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Step 5

show running-config
Example:
Device# show running-config

Verifies your entries.

Step 6

copy running-config startup-config
Example:
Device# copy running-config startup-config

(Optional) Saves your entries in the configuration file.
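The delimiter rules in Step 3 are easy to get wrong when banners are generated by an automation tool rather than typed at the prompt: a message that happens to contain the delimiter is silently cut at that character and the remainder is discarded. The following Python is an added example, not Cisco code: it parses a one-line `banner login c message c` command the way Step 3 describes (first character after the keyword is the delimiter, text runs to the next occurrence, anything after that is dropped) and composes a command only when the message satisfies the stated limits. Function names and the 255-character constant are this example's own; the constant is the limit the procedure states.

```python
"""Parse and build `banner login c message c`, enforcing the delimiter rules
described in Step 3.  Added example, not Cisco code."""

MAX_MESSAGE = 255  # message length limit stated in the procedure


def parse_banner_login(command):
    """Split a one-line `banner login` command into (delimiter, message, discarded).

    The first non-blank character after `banner login` is the delimiter; the
    message runs to the next occurrence of that character; anything after the
    closing delimiter is discarded, as the procedure states."""
    prefix = "banner login"
    if not command.startswith(prefix):
        raise ValueError("not a banner login command")
    rest = command[len(prefix):].lstrip()
    if not rest:
        raise ValueError("missing delimiter")
    delim, rest = rest[0], rest[1:]
    end = rest.find(delim)
    if end < 0:
        raise ValueError("missing closing delimiter")
    return delim, rest[:end], rest[end + 1:]


def build_banner_login(delim, message):
    """Compose a valid command, rejecting input the device would truncate or refuse."""
    if len(delim) != 1 or ord(delim) > 255:
        raise ValueError("delimiter must be one extended-ASCII character")
    if delim in message:
        raise ValueError("message must not contain the delimiter")
    if len(message) > MAX_MESSAGE:
        raise ValueError(f"message longer than {MAX_MESSAGE} characters")
    return f"banner login {delim}{message}{delim}"


if __name__ == "__main__":
    example = ("banner login $ Access for authorized users only. "
               "Please enter your username and password. $")
    delim, message, discarded = parse_banner_login(example)
    print(repr(delim), repr(message.strip()), repr(discarded))
    print(build_banner_login("#", "Authorized access only"))
```

The check `delim in message` is the one worth automating: on the device the text after an embedded delimiter is not an error, it simply disappears from the banner.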


CHAPTER 85
Wi-Fi Alliance Agile Multiband
· Introduction to Wi-Fi Alliance Agile Multiband, on page 707
· Limitations of MBO, on page 709
· Configuring MBO on a WLAN, on page 709
· Verifying MBO Configuration, on page 710
Introduction to Wi-Fi Alliance Agile Multiband
The Wi-Fi Alliance Agile Multiband (MBO) feature enables better use of Wi-Fi network resources. This feature is built on the fundamental premise that both Wi-Fi networks and client devices have information that can enable better roaming decisions and improve the overall performance of Wi-Fi networks and user experience.
Note This feature applies to MBO certified clients only.

This feature certifies the interoperability of a bundle of features that are defined by the IEEE standard amendments 802.11k, 802.11v, and 802.11u, as well as the Wi-Fi Alliance defined specifications. These technologies are used to exchange AP, band, and channel preferences, link quality, and status information between the AP and the client device. MBO focuses on the following:
· Interactions between the wireless clients and APs
· Exchange of AP and client knowledge about the wireless medium (such as RF neighbors)
· Allowing clients to work with APs and take intelligent decisions on the connection and improve the quality of service.
Wi-Fi Alliance Agile Multiband Topology
Multiple components form a Wi-Fi Agile Multiband wireless infrastructure network, which may vary based on the wireless network deployment. The following figure depicts the system topology for connecting Wi-Fi Agile Multiband devices.

Figure 16: Wi-Fi Agile Multiband Wireless Infrastructure Network

The following components form a Wi-Fi Agile Multiband wireless infrastructure network:
· Access Point (AP): A Wi-Fi Agile Multiband wireless infrastructure network contains one or more Wi-Fi Agile Multiband APs.
· WLAN Controller: A Wi-Fi Agile Multiband wireless infrastructure network contains zero or more WLAN controllers that provide centralized management and other features to the interconnected APs.
· Client Station (STA): A Wi-Fi Agile Multiband wireless infrastructure network contains zero or more STAs. These client STAs are single WLAN capable only.
· RADIUS Server: A Wi-Fi Agile Multiband wireless infrastructure network contains zero or more RADIUS Servers that provide Authentication, Authorization, and Accounting (AAA) services.
Supported MBO Components
MBO AP Capability
A new information element is added to the Beacon, Probe Response, Association Response and Reassociation Response frames for 802.11ax APs to inform clients about MBO support.
Note The new information element indicates that Cisco APs are not cellular data aware.

When an SSID is configured on an AP, the MBO AP capability is enabled.
802.11k/v/r Support
One of the prerequisites for MBO is that APs need to support 802.11k/v/r standard-based technologies. Each of these technologies has its own requirements:
· 802.11k--For 802.11k, send the preferred list of AP neighbors to the client upon request, and send a beacon request to a client when the AP requires a beacon report from the client.
· 802.11v--For 802.11v, steer the client to a less congested AP (not in the MBO client's non-preferred/non-operable channel list that is sent during the association request and/or WNM notification request) using BSS transition.
· 802.11r--The 802.11r MBO-related capabilities are not supported.
802.11u ANQP or GAS Support
For MBO, the 802.11ax APs must have 802.11u ANQP or GAS support. The following are the prerequisites:
· ANQP responds to the ANQP request for a neighbor report ANQP-element.
· Before authentication, Layer 2 transport needs to be available in the network between a mobile device and server for an advertisement protocol frame.
MBO Beacon Request
Whenever an AP sends a beacon request to the client, the MBO-compliant client responds with a beacon report.
MBO Associate Disallowed IE
Cisco APs include an Associate Disallowed IE in their Beacon/Probe response/(Re) association response when they cannot accommodate any new client.

Limitations of MBO
Non-802.11ax access points are not supported.

Configuring MBO on a WLAN

Procedure

Step 1

configure terminal
Example:
Device# configure terminal

Enters global configuration mode.

Step 2

wlan wlan-name wlan-id ssid
Example:
Device(config)# wlan wlan-demo 1 ssid-demo

Configures a WLAN and enters the WLAN configuration mode.

Note
If you use a WPA2 WLAN while configuring MBO for the WLAN, you need to enable PMF in your configuration.

Step 3

mbo
Example:
Device(config-wlan)# mbo

Configures MBO support on the WLAN.

Note
Use the no mbo command to disable the MBO configuration.

Step 4

end
Example:
Device(config-wlan)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Verifying MBO Configuration

To view the MBO configuration, use the following command:

Device# show wlan id 1

WLAN Profile Name : wlan-demo
================================================
Identifier : 1
Description :
Network Name (SSID) : ssid-demo
Status : Disabled
Broadcast SSID : Enabled
802.11ax paramters
OFDMA Downlink : Enabled
OFDMA Uplink : Enabled
MU-MIMO Downlink : Enabled
MU-MIMO Uplink : Enabled
BSS Color : Enabled
Partial BSS Color : Enabled
BSS Color Code : 0
BSS Target Wake Up Time : Enabled
BSS Target Wake Up Time Broadcast Support : Enabled
mDNS Gateway Status : Bridge
WIFI Alliance Agile Multiband : Enabled

To view the non-operational or non-preferred channels, use the following command:

Device# show wireless client mac-address 3413.e8b5.f252 detail

Client MAC Address : 3413.e8b5.f252
Client IPv4 Address : 192.165.1.53
Client IPv6 Addresses : fe80::98bb:ea89:f016:3332
Client Username: N/A
AP MAC Address : 00ee.ab18.d920
AP Name: ssap-pp
AP slot : 1
Client State : Associated
Policy Profile : prof
Flex Profile : N/A
Wireless LAN Id: 1
WLAN Profile Name: mbo_1
Wireless LAN Network Name (SSID): mbo_1
BSSID : 00ee.ab18.d92f
Connected For : 25 seconds
Protocol : 802.11ax - 5 GHz
Channel : 36
Client IIF-ID : 0xa0000001
Association Id : 1
Authentication Algorithm : Open System
Session Timeout : 1800 sec (Remaining time: 1779 sec)
Session Warning Time : Timer not running
Input Policy Name : None
Input Policy State : None
Input Policy Source : None
Output Policy Name : None
Output Policy State : None
Output Policy Source : None
WMM Support : Enabled
U-APSD Support : Enabled
U-APSD value : 0
APSD ACs : BK, BE, VI, VO
Fastlane Support : Disabled
Client Active State : Active
Power Save : OFF
Current Rate : 1.5
Supported Rates : 9.0,18.0,36.0,48.0,54.0
Mobility:
Move Count : 0
Mobility Role : Local
Mobility Roam Type : None
Mobility Complete Timestamp : 05/15/2019 16:03:34 IST
Client Join Time:
Join Time Of Client : 05/15/2019 16:03:34 IST
Policy Manager State: Run
Last Policy Manager State : IP Learn Complete
Client Entry Create Time : 26 seconds
Policy Type : N/A
Encryption Cipher : None
User Personal Network : Disabled
Encrypted Traffic Analytics : No
Protected Management Frame - 802.11w : No
EAP Type : Not Applicable
VLAN : default
Multicast VLAN : 0
WFD capable : No
Managed WFD capable : No
Cross Connection capable : No
Support Concurrent Operation : No
Session Manager:
Point of Attachment : capwap_90400001
IIF ID : 0x90400001
Authorized : TRUE
Session timeout : 1800
Common Session ID: 000000000000000BB92939C5
Acct Session ID : 0x00000000
Last Tried Aaa Server Details:
Server IP :
Auth Method Status List
Method : None
Local Policies:
Service Template : wlan_svc_prof_local (priority 254)
VLAN : 165
Absolute-Timer : 1800
Server Policies:
Resultant Policies:
VLAN Name : VLAN0165
VLAN : 165
Absolute-Timer : 1800
DNS Snooped IPv4 Addresses : None
DNS Snooped IPv6 Addresses : None
Client Capabilities
CF Pollable : Not implemented
CF Poll Request : Not implemented
Short Preamble : Not implemented
PBCC : Not implemented
Channel Agility : Not implemented
Listen Interval : 0
Fast BSS Transition Details :
Reassociation Timeout : 0
11v BSS Transition : Implemented
11v DMS Capable : No
QoS Map Capable : Yes
Non-Preferred Channels : 40
Non-Operable Channels : 56
FlexConnect Data Switching : N/A
FlexConnect Dhcp Status : N/A
FlexConnect Authentication : N/A
FlexConnect Central Association : N/A
Client Statistics:
Number of Bytes Received : 0
Number of Bytes Sent : 0
Number of Packets Received : 0
Number of Packets Sent : 0
Number of Policy Errors : 0
Radio Signal Strength Indicator : -34 dBm
Signal to Noise Ratio : 56 dB
Fabric status : Disabled
Client Scan Reports
Assisted Roaming Neighbor List
Nearby AP Statistics:
EoGRE : No/Simple client
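The 802.11v rule in the "802.11k/v/r Support" section (steer the client to a less congested AP, but never to a channel in the client's non-preferred or non-operable list) can be checked against exactly the three lines that matter in the output above: `11v BSS Transition`, `Non-Preferred Channels` and `Non-Operable Channels`. The following Python is an added example, not Cisco code and not the controller's steering algorithm: it extracts those fields from a `show wireless client ... detail` excerpt and filters a neighbour list accordingly. The neighbour list and its channel-utilisation percentages are constructed, and ordering candidates by lowest utilisation is this example's reading of "less congested", not a documented controller behaviour.

```python
"""Select 802.11v BSS-transition candidates for an MBO client from the
non-preferred / non-operable channel lists it reported.
Added example, not Cisco code."""
import re


def client_steering_profile(detail_text):
    """Extract the MBO/11v fields from `show wireless client ... detail` output."""
    def field(name):
        # Key at line start, value after the first colon (the AP Name row has no
        # space before its colon, so the pattern allows either form).
        m = re.search(rf"^\s*{re.escape(name)}\s*:\s*(.*?)\s*$", detail_text, re.M)
        return m.group(1) if m else ""

    def channels(value):
        # The controller prints one or more channel numbers; accept space/comma lists.
        return {int(c) for c in re.split(r"[\s,]+", value) if c.isdigit()}

    return {
        "mac": field("Client MAC Address"),
        "ap": field("AP Name"),
        "channel": int(field("Channel") or 0),
        "bss_transition": field("11v BSS Transition").lower() == "implemented",
        "non_preferred": channels(field("Non-Preferred Channels")),
        "non_operable": channels(field("Non-Operable Channels")),
    }


def bss_transition_candidates(profile, neighbours):
    """Neighbours (name, channel, utilisation %) the client may be steered to,
    least loaded first.  Returns [] when the client does not implement 11v
    BSS transition, since it cannot be steered at all."""
    if not profile["bss_transition"]:
        return []
    excluded = profile["non_preferred"] | profile["non_operable"]
    eligible = [n for n in neighbours
                if n[0] != profile["ap"] and n[1] not in excluded]
    return [n[0] for n in sorted(eligible, key=lambda n: n[2])]


# Constructed excerpt with the values printed in this section.
SAMPLE_DETAIL = """\
Client MAC Address : 3413.e8b5.f252
AP Name: ssap-pp
Protocol : 802.11ax - 5 GHz
Channel : 36
Channel Agility : Not implemented
11v BSS Transition : Implemented
11v DMS Capable : No
Non-Preferred Channels : 40
Non-Operable Channels : 56
"""

# Constructed neighbour list: (AP name, channel, channel utilisation %).
SAMPLE_NEIGHBOURS = [
    ("ssap-pp", 36, 70),  # the client's current AP
    ("ap-b", 40, 20),     # on the client's non-preferred channel
    ("ap-c", 56, 10),     # on the client's non-operable channel
    ("ap-d", 44, 30),
    ("ap-e", 36, 50),
]

if __name__ == "__main__":
    profile = client_steering_profile(SAMPLE_DETAIL)
    print(profile)
    print(bss_transition_candidates(profile, SAMPLE_NEIGHBOURS))
```

Note that `ap-c` is the least loaded neighbour yet is never offered: an AP on a channel the client has declared non-operable is not a valid target, however attractive its load figure looks.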


CHAPTER 86

Configuring Local and Wide Area Bonjour Domains

· Cisco DNA Service for Bonjour Solution Overview, on page 713
· Configuring Local and Wide Area Bonjour Domains, on page 722
· Verifying Local Area Bonjour in Multicast DNS Mode for LAN and Wireless Networks, on page 741
· Additional References for DNA Service for Bonjour, on page 744
· Feature History for Cisco DNA Service for Bonjour, on page 744
Cisco DNA Service for Bonjour Solution Overview

Restrictions

· The Cisco Service Discovery Gateway (SDG) and Wide Area Bonjour gateway function is supported on Cisco Catalyst switches and Cisco ISR 4000 series routers. See Solution Components, on page 1844 for the complete list of supported platforms, software versions and license levels.
· Cisco IOS supports a classic and a new method of building local Bonjour configuration policies. The classic method is based on the service-list mdns-sd CLI, whereas the new method is based on mdns-sd gateway. We recommend using the new mdns-sd gateway method, since support for the classic configuration will be deprecated in future releases.
· Migrating the CLI from the classic to the new method is a manual procedure to convert the configuration.
· The Bonjour service policies on Cisco SDG Gateways are effective between local VLANs. In addition to these, a specific egress policy controls the type of services to be exported to the controller. The Layer 2 Multicast-DNS Bonjour communication between two end-points on the same broadcast domain is transparent to the gateway.
· To enable the end-to-end Wide Area Bonjour solution on wireless networks, the Cisco WLC controller must not enable the mDNS Snooping function. The upstream IP gateway on the dedicated Cisco Catalyst switch must have the Bonjour gateway function enabled for wireless clients.
· The Cisco Wireless LAN Controller must enable AP Multicast with a unique Multicast group. Without the AP joining the WLC Multicast group, the mDNS messages will not be processed between the client and the gateway switch. Multicast on the client SSID or VLAN is optional for other multicast applications and is not mandatory for the Bonjour solution.


· The Cisco Catalyst 9800 WLC can be configured as an mDNS gateway. In this mode, the Cisco Catalyst 9800 WLC supports the Local Area Bonjour gateway solution, limited to wireless-only networks. The Cisco Catalyst 9800 does not support Wide Area Bonjour. For end-to-end wired and wireless Bonjour support, we recommend using the upstream Cisco Catalyst switch as the IP and Bonjour gateway.
Cisco Wide Area Bonjour Service Workflow
The Cisco Wide Area Bonjour solution follows a client-server model. The SDG Agent functions as a client and the Cisco Wide Area Bonjour application Cisco DNA Center functions as a server. The following sections describe the workflow of service announcement and discovery in the IP network.
Announcing Services to the Network
· The endpoint devices (Source) in the Local Area Bonjour domain send service announcements to the SDG Agent and specify what services they offer. For example, _airplay._tcp.local, _raop._tcp.local, _ipp._tcp.local, and so on.
· The SDG Agent listens to these announcements and matches them against the configured Local Area SDG Agent policies. If the announcement matches the configured policies, the SDG Agent accepts the service announcement and routes the service to the controller.
Discovering Services Available in the Network
· The endpoint device (Receiver) connected to the Local Area SDG Agent sends a Bonjour query to discover the services available, using the mDNS protocol.
· If the query conforms to the configured policies, the SDG Agent responds with the services obtained from the appropriate service routing via the Wide Area Bonjour Controller.
Wide Area Bonjour Multi-Tier Policies
The various policies that can be used to control the Bonjour announcements and queries are classified as the following:
· Local Area SDG Agent Filters: Enforced on the SDG Agent in Layer-2 Network Domain. These bi-directional policies control the Bonjour announcements or queries between the SDG Agents and the Bonjour endpoints.
· Wide Area SDG Agent Filters: Enforced on the SDG Agent for export control to the Controller. This egress unidirectional policy controls the service routing from the SDG Agent to the controller.
· Cisco Wide Area Bonjour Policy: Enforced on Controller for global service discovery and distribution. Policy enforcement, between the controller and the IP network is bi-directional.
Cisco Wide Area Bonjour Supported Network Design
Traditional Wired and Wireless Networks
The Cisco DNA Service for Bonjour supports various LAN network designs commonly deployed in the enterprise. The SDG Agent providing Bonjour gateway functions is typically an IP gateway for wired end-points that could be residing in the distribution layer in multilayer network designs, or in the access layer in routed access network designs.
The following figure shows various topologies which are explained further in the section.

· Multilayer LAN: In this deployment mode, the Layer 2 access switch provides the transparent bridging function of Bonjour services to distribution-layer systems that act as the IP gateway and SDG Agent. There is no additional configuration or new requirement to modify the existing Layer 2 trunk settings between the access and distribution layer Cisco Catalyst switches.
· Routed Access: In this deployment mode, the first-hop switch is an IP gateway boundary and therefore, it must be combined with the SDG Agent role.
The Cisco DNA Service for Bonjour also supports various Wireless LAN network designs commonly deployed in the Enterprise. The SDG Agent provides consistent Bonjour gateway functions for the wireless endpoints as in wired networks. In general, the IP gateway of the wireless clients is also a Bonjour gateway. However, the placement of the SDG Agent may vary depending on the Wireless LAN deployment mode.
Cisco SD Access Wired and Wireless Networks
In Cisco SD-Access network, the Fabric Edge switch is configured as the SDG Agent for fabric-enabled wired and wireless networks. Wide Area Bonjour policies need to be aligned with the SD-Access network policies with respect to Virtual Networks and SGT policies, if any.

Wide Area Bonjour uses two logical components in a network:
· SDG Agent: The Fabric Edge switch is configured as the SDG Agent, and the configuration is added only after the SD-Access is configured.
· Wide Area Bonjour Controller: The Wide Area Bonjour application in the Cisco DNA Center acts as the Controller.
The Wide Area Bonjour communication between the SDG Agent and the Controller takes place through the network underlay. The SDG Agent forwards the endpoint announcements or queries to the Controller through the fabric underlay. After discovering a service, a Bonjour-enabled application establishes direct unicast communication with the discovered device through the fabric overlay. This communication is subject to any configured routing and SDG policies.
Local and Wide Area Bonjour Policies
The Cisco Wide Area Bonjour policy is divided into four unique functions to enable policy-based Bonjour service discovery and distribution in two-tier domains. The network administrator must identify the list of Bonjour services that need to be enabled and set the discovery boundary, which can be limited to local or global based on requirements. The figure below illustrates the enforcement point and direction of all four types of Bonjour policies at the SDG Agent level and in the Cisco DNA-Center Wide Area Bonjour application:

Local Area Bonjour Policy
The Cisco IOS Bonjour policy structure is greatly simplified and scalable with the new configuration mode. Services can be enabled with an intuitive, user-friendly service-type instead of individual mDNS Pointer (PTR) record types; for example, selecting AirPlay automatically enables video and audio service support from Apple TV or equivalent capable devices. Several common types of enterprise services can be enabled with built-in service-types. If the built-in service types are insufficient, the network administrator can create a custom service-type and enable the service distribution in the network. The policy configuration for the Local Area Bonjour domain is mandatory, and is a three-step process. The figure below illustrates the step-by-step procedure to build the Local Area Bonjour policy and apply it to enable the gateway function on selected local networks:
Figure 17: Local Area Bonjour Policy Hierarchy

To configure Local Area Bonjour policies, enable mDNS globally. For the device to receive mDNS packets on an interface, configure the mDNS gateway on that interface. Create a service list; the filter options within it allow services into or out of a device or interface. After enabling the mDNS gateway globally and on the interface, you can apply filters (inbound or outbound filtering) on service discovery information by using service-policy commands.
Built-In Service List
The Cisco IOS software includes a built-in list of services, each of which may consist of one or more Bonjour service-types. A single service-list may contain more than one service-type entry, with a default rule to accept service announcements from service-provider endpoints and service query requests from receiver endpoints. If a selected service-type contains more than one Bonjour service-type (PTR), then a service announcement or a service query is honoured when the announcement/query is for any one of these included Bonjour service-types. For example, the Apple Time Capsule Data service-type consists of both the _adisk and _afpovertcp built-in PTRs; if an endpoint announces or requests only the _afpovertcp service, the SDG Agent still classifies and processes the announcement or request. The service-list contains an implicit deny for all undefined built-in or custom service entries.

The table below lists the complete set of built-in Bonjour services that can be used to create policies in Local Area Bonjour.
Table 33: Cisco IOS Built-In Bonjour Service Database

Service | Service Name | mDNS PTRs
Apple TV | airplay | _airplay._tcp.local
AirServer Mirroring Service | airserver | _airplay._tcp.local, _airserver._tcp.local
Apple AirTunes | airtunes | _raop._tcp.local
Amazon Fire TV | amazon-fire-tv | _amzn-wplay._tcp.local
Apple AirPrint | apple-airprint | _ipp._tcp.local, _universal._sub._ipp._tcp.local
Apple TV 2 | apple-continuity | _companion-link._tcp.local
Apple File Share | apple-file-share | _afpovertcp._tcp.local
Apple HomeKit | apple-homekit | _homekit._ipp.local, _hap._tcp.local
Apple iTunes Library | apple-itunes-library | _atc._tcp.local
Apple iTunes Music | apple-itunes-music | _daap._tcp.local
Apple iTunes Photo | apple-itunes-photo | _dpap._tcp.local
Apple KeyNote Remote Control | apple-keynote | _keynotecontrol._tcp.local, _keynotepair._tcp.local
Apple Remote Desktop | apple-rdp | _afpovertcp._tcp.local, _net-assistant._tcp.local
Apple Remote Event | apple-remote-events | _eppc._tcp.local
Apple Remote Login | apple-remote-login | _sftp-ssh._tcp.local, _ssh._tcp.local
Apple Screen Share | apple-screen-share | _rfb._tcp.local
Apple Time Capsule Data | apple-timecapsule | _adisk._tcp.local, _afpovertcp._tcp.local
Apple Time Capsule Management | apple-timecapsule-mgmt | _airport._tcp.local
Apple MS Window File Share | apple-windows-fileshare | _smb._tcp.local
Fax | fax | _fax-ipp._tcp.local
Google ChromeCast | google-chromecast | _googlecast._tcp.local
Apple HomeSharing | homesharing | _home-sharing._tcp.local
Apple iTunes Data Sync | itune-wireless-devicesharing2 | _apple-mobdev2._tcp.local
Multifunction Printer | multifunction-printer | _ipp._tcp.local, _scanner._tcp.local, _fax-ipp._tcp.local
Phillips Hue Lights | phillips-hue-lights | _hap._tcp.local
Printer - Internet Printing Protocol | printer-ipp | _ipp._tcp.local
Printer - IPP over SSL | printer-ipps | _ipps._tcp.local
Linux Printer - Line Printer Daemon | printer-lpd | _printer._tcp.local
Printer Socket | printer-socket | _pdl-datastream._tcp.local
Roku Media Player | roku | _rsp._tcp.local
Scanner | scanner | _scanner._tcp.local
Spotify Music Service | spotify | _spotify-connect._tcp.local
Web-Server | web-server | _http._tcp.local
WorkStation | workstation | _workstation._tcp.local

Custom Service List
The custom service list allows the network administrator to configure a service if the built-in Bonjour database does not support a specific service or bundled service types. For example, a file-sharing requirement may demand support for the Apple Filing Protocol (AFP) between macOS users and Server Message Block (SMB) file transfer capability between macOS and Microsoft Windows devices. For such requirements the network administrator can create a custom service list combining AFP (_afpovertcp._tcp.local) and SMB (_smb._tcp.local).
The service list gives the network administrator the flexibility to combine built-in and custom service definitions under a single list. There is no restriction on the number of custom service definitions that can be associated with a single service list.
Policy Direction
The Local Area Bonjour policy in Cisco IOS gives the network administrator the flexibility to construct service policies that align service announcement and query management in the same or different local networks. The service policies can be tied to either the ingress or the egress direction to enforce service control in both directions. The following sub-sections provide more details on service policy configuration.


Ingress Service Policy
The ingress service policy is a mandatory configuration element that permits the processing of incoming mDNS service announcements and query requests. Without an ingress service policy, the Bonjour gateway function on a targeted wired or wireless network is not enabled. The ingress service policy provides the flexibility to permit service announcements and queries per user-defined service-type; for example, accept both AirPlay service announcements and query requests, but accept only query requests for the Printer service.
Egress Service Policy
The egress service policy is optional and is not required in the following two conditions:
· The egress service policy is not applicable in a local VLAN where the expected Bonjour endpoints are service providers only, for example a service VLAN that contains only IT-managed service-provider endpoints such as Apple TVs and printers, because these endpoints do not query for other service-types in the network.
· The wired or wireless users must receive services only from the Wide Area Bonjour domain through Cisco DNA-Center, and not from other Bonjour endpoints connected to the same SDG Agent.
The egress service policy configuration is only required when an SDG Agent must distribute locally discovered Bonjour service information from one VLAN to another. For example, based on the ingress service policy the SDG Agent discovers and caches an AirPrint-capable printer from VLAN-A; if a receiver endpoint in VLAN-B wants to discover printer information from VLAN-A, then the SDG Agent must have ingress and egress service policies permitting the AirPrint service on both VLANs.
Conditional Egress Service Policy
The network administrator can optionally customize the egress service policy to enable conditional service responses sourced from a specific VLAN network. For example, based on the ingress service policy the SDG Agent may discover AirPrint-capable printers from the VLAN-A and VLAN-C networks. With a conditional Local Area Bonjour egress service policy rule, the network administrator may limit the printer information distributed to receivers in VLAN-B to printers discovered from VLAN-A, automatically filtering out the VLAN-C printers. The conditional egress service policy is an optional setting and is only applicable to the out-direction service policy.
Service Status Timer Management
Bonjour service-provider endpoints may announce one or more services in the network, combining mDNS records with a time-to-live (TTL) service timer for each record. The TTL value provides assurance of endpoint availability and serviceability in the network. The SDG Agent ensures that its local cache is up to date and updates the global services in the Controller based on TTL and other events in the Local Area Bonjour domain. The network administrator must configure the service status timer wherever service-provider endpoint discovery is permitted.
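The policy model described in the Built-In Service List, Policy Direction, Ingress, Egress and Conditional Egress sections above (a service definition that matches on any one of its PTRs, an ingress list that gates announcements and queries, an egress list that decides cross-VLAN distribution, source-VLAN filtering on the egress list, and an implicit deny) can be traced with a small simulation. This is an added example, not Cisco code, and only mimics the behaviour the text describes; the four service definitions are taken from Table 33, while the VLAN names, list names and endpoint events are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Service definitions (subset of Table 33): admin-friendly name -> PTRs.
# A definition matches when the PTR is ANY one of its PTRs, so announcing
# only _afpovertcp is enough to be classified as apple-timecapsule.
BUILTIN: Dict[str, Set[str]] = {
    "airplay": {"_airplay._tcp.local"},
    "apple-airprint": {"_ipp._tcp.local", "_universal._sub._ipp._tcp.local"},
    "apple-timecapsule": {"_adisk._tcp.local", "_afpovertcp._tcp.local"},
    "printer-ipps": {"_ipps._tcp.local"},
}

@dataclass
class MatchEntry:
    definition: str                 # service-definition name
    message_type: str = "any"       # any | announcement | query
    # Conditional egress (OUT lists only): restrict to these source VLANs.
    source_vlans: Set[str] = field(default_factory=set)

@dataclass
class ServiceList:
    name: str
    direction: str                  # in | out
    entries: List[MatchEntry] = field(default_factory=list)

@dataclass
class ServicePolicy:
    name: str
    list_in: Optional[ServiceList] = None
    list_out: Optional[ServiceList] = None

@dataclass
class SdgAgent:
    definitions: Dict[str, Set[str]]
    bindings: Dict[str, ServicePolicy]                        # VLAN -> policy
    cache: Dict[str, Set[str]] = field(default_factory=dict)  # PTR -> source VLANs

    def _permitted(self, lst: Optional[ServiceList], ptr: str,
                   msg_type: str, src_vlan: Optional[str] = None) -> bool:
        """Walk the list top to bottom; no matching entry is an implicit deny."""
        if lst is None:
            return False
        for e in lst.entries:
            if ptr not in self.definitions.get(e.definition, set()):
                continue
            if e.message_type not in ("any", msg_type):
                continue
            if e.source_vlans and src_vlan not in e.source_vlans:
                continue
            return True
        return False

    def announce(self, vlan: str, ptr: str) -> bool:
        """Ingress: cache an announcement only if the VLAN's IN list permits it."""
        pol = self.bindings.get(vlan)
        if pol is None or not self._permitted(pol.list_in, ptr, "announcement"):
            return False
        self.cache.setdefault(ptr, set()).add(vlan)
        return True

    def query(self, vlan: str, ptr: str) -> Set[str]:
        """IN list must permit the query; the OUT list then decides which cached
        sources from OTHER VLANs are returned (same-VLAN traffic bypasses the gateway)."""
        pol = self.bindings.get(vlan)
        if pol is None or not self._permitted(pol.list_in, ptr, "query"):
            return set()
        return {src for src in self.cache.get(ptr, set())
                if src != vlan and self._permitted(pol.list_out, ptr, "query", src)}

def build_demo_agent() -> SdgAgent:
    """Constructed topology: printers in VLAN-A and VLAN-C (provider VLANs, no OUT
    list); users in VLAN-B, whose conditional OUT list only returns VLAN-A printers."""
    in_a = ServiceList("VLAN-A-IN", "in", [
        MatchEntry("apple-airprint", "announcement"),
        MatchEntry("apple-timecapsule", "announcement")])
    in_c = ServiceList("VLAN-C-IN", "in", [MatchEntry("apple-airprint", "announcement")])
    in_b = ServiceList("VLAN-B-IN", "in", [
        MatchEntry("apple-airprint", "query"), MatchEntry("airplay", "any")])
    out_b = ServiceList("VLAN-B-OUT", "out", [
        MatchEntry("apple-airprint", "any", {"VLAN-A"})])
    return SdgAgent(BUILTIN, {
        "VLAN-A": ServicePolicy("provider-policy-a", list_in=in_a),
        "VLAN-C": ServicePolicy("provider-policy-c", list_in=in_c),
        "VLAN-B": ServicePolicy("user-policy", list_in=in_b, list_out=out_b),
    })

def run_demo() -> Dict[str, object]:
    agent = build_demo_agent()
    return {
        "printer_a": agent.announce("VLAN-A", "_ipp._tcp.local"),          # True
        "printer_c": agent.announce("VLAN-C", "_ipp._tcp.local"),          # True
        "ipps_a": agent.announce("VLAN-A", "_ipps._tcp.local"),            # False: implicit deny
        "timecapsule_afp": agent.announce("VLAN-A", "_afpovertcp._tcp.local"),  # True: any one PTR
        "query_a": agent.query("VLAN-A", "_ipp._tcp.local"),               # set(): no query entry
        "query_b": agent.query("VLAN-B", "_ipp._tcp.local"),               # {"VLAN-A"}: VLAN-C filtered
        "query_b_airplay": agent.query("VLAN-B", "_airplay._tcp.local"),   # set(): nothing cached
    }
```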
Wide Area Bonjour Policy
The SDG Agent mandatorily requires the controller-bound Wide Area Bonjour service export policy to control routing of local services and discovery of remote services from Cisco DNA-Center. Because Cisco DNA-Center and the SDG Agent build a trusted communication channel, the remote service response from the Wide Area Bonjour App is implicitly permitted at the SDG Agent. Hence the Wide Area Bonjour policy is unidirectional; it only requires an egress service policy towards the controller.
The Wide Area Bonjour policy hierarchy and structure is identical to that described in the Local Area Bonjour Policy section. The following sub-sections provide step-by-step reference configuration to build and enforce the policy that enables successful communication with the Wide Area Bonjour App in Cisco DNA-Center.


Service List - Built-In and Custom
The network administrator must create a new controller-bound egress service list for the Wide Area Bonjour domain. In the most common network deployment model, the Wide Area Bonjour service list may contain the same service-types as the Local Area Bonjour list to implement common services between both domains. Based on requirements, certain services can be limited to the Local Area and prevented from being routed in the Wide Area domain: by default only the allowed service list entries are permitted and the rest are dropped by the implicit deny rule.
Ingress Policy Direction
The ingress service policy for the Wide Area Bonjour domain is not required and cannot be associated with the controller.
Egress Policy Direction
As described, the Bonjour policy structure between Local Area and Wide Area is consistent; however, the enforcement point is different. We recommend configuring a separate service list and service policy for the Wide Area Bonjour domain, as this helps build a unique policy set for each domain.
Conditional Egress Service List
The Wide Area Bonjour egress service list configuration can be customized to conditionally route the service or query request to Cisco DNA-Center. With this alternative configuration, the network administrator can route the service or query request into the Wide Area Bonjour domain from a specific local source VLAN network instead of globally from the entire system.
Wide Area Bonjour Service Status Timer Management
Cisco DNA-Center centralizes the service information from large-scale distributed SDG Agents across the network. To maintain the scale and performance of the controller, the service routing information is transmitted and synchronized periodically by each SDG Agent network device. To protect system and network performance, the scheduler-based service information exchange allows a graceful and reliable way to discover and distribute Bonjour services across the Wide Area Bonjour domain. In most large-scale network environments, the default Bonjour service timers on SDG Agents are already fine-tuned and may not need any further adjustment. Cisco recommends retaining the default interval timer values and adjusting them only based on a user experience issue, after confirming that the modified parameters do not introduce scale and performance impact.
Configuring Local and Wide Area Bonjour Domains
How to configure Multicast DNS Mode for LAN and Wired Networks
This section provides information about how to configure Local Area Bonjour in multicast DNS mode.
Enabling mDNS Gateway on the Device
To configure mDNS on the device, follow these steps:


Procedure

Step 1: enable
Example:
Device> enable
Purpose: Enables privileged EXEC mode. Enter your password, if prompted.

Step 2: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 3: mdns-sd gateway
Example:
Device(config)# mdns-sd gateway
Purpose: Enables mDNS on the device and enters mDNS gateway configuration mode.
Enter the following commands in mDNS gateway configuration mode to enable the respective functionalities:
· air-print-helper: Enables iOS devices such as iPads to discover and use older printers that support Bonjour
· cache-memory-max: Configures the percentage of memory for the cache
· ingress-client: Configures ingress client packet tuners
· rate-limit: Enables rate limiting of incoming mDNS packets
· service-announcement-count: Configures the maximum service advertisement count
· service-announcement-timer: Configures the advertisement announce timer periodicity
· service-query-count: Configures the maximum query count
· service-query-timer: Configures the query forward timer periodicity
Note: For the cache-memory-max, ingress-client, rate-limit, service-announcement-count, service-announcement-timer, service-query-count, and service-query-timer commands, you can retain the default value of the respective parameter for general deployments. Configure a different value, if required, for a specific deployment.

Step 4: exit
Example:
Device(config-mdns-sd)# exit
Purpose: Exits mDNS gateway configuration mode.

Creating Custom Service Definition (GUI)

Procedure

Step 1 Choose Configuration > Services > mDNS > Service Policy > Service Definition.
Step 2 Click Add.
Step 3 Enter the Service Definition Name and Description.
Step 4 Enter the Service Type and click the + icon.
Step 5 Click Apply to Device.

Creating Custom Service Definition
A service definition is a construct that provides an admin-friendly name to one or more mDNS service types or PTR resource record names. By default, a few built-in service definitions are predefined and available for the admin to use. In addition to the built-in service definitions, the admin can also define custom service definitions.

Procedure

Step 1: enable
Example:
Device> enable
Purpose: Enables privileged EXEC mode. Enter your password, if prompted.

Step 2: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 3: mdns-sd service-definition service-definition-name
Example:
Device(config)# mdns-sd service-definition CUSTOM1
Purpose: Configures mDNS service definition.
Note: All the created custom service definitions are added to the primary service list. The primary service list comprises a list of custom and built-in service definitions.

Step 4: service-type string
Example:
Device(config-mdns-ser-def)# service-type _custom1._tcp.local
Purpose: Configures mDNS service type.

Step 5: Repeat step 4 to configure more than one service type in the custom service definition.

Step 6: exit
Example:
Device(config-mdns-ser-def)# exit
Purpose: Exits mDNS service definition configuration mode.

Creating Service List (GUI)

Procedure

Step 1 Choose Configuration > Services > mDNS > Service Policy > Service List.
Step 2 Click Add.
Step 3 Enter the Service List Name and choose the direction from the Direction drop-down list.
Step 4 Click Add Service.
Step 5 Choose the service from the Available Services drop-down list and the message type from the Message Type drop-down list.
Step 6 Click Save.
Step 7 Click Apply to Device.

Creating Service List
An mDNS service list is a collection of service definitions. To create a service list, follow these steps:

Procedure

Step 1: enable
Example:
Device> enable
Purpose: Enables privileged EXEC mode. Enter your password, if prompted.

Step 2: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 3: mdns-sd service-list service-list-name {in | out}
Example:
Device(config)# mdns-sd service-list VLAN100-list in
Purpose: Configures mDNS service list.

Step 4: match service-definition-name [message-type {any | announcement | query}]
Example:
Device(config-mdns-sl-in)# match PRINTER-IPPS message-type announcement
Purpose: Matches the service to the message type. Here, service-definition-name refers to the names of services, such as airplay, airserver, airtunes, and so on.
Note: To add a service, the service name must be part of the primary service list.
If the mDNS service list is set to IN, the applicable command syntax is: match service-definition-name [message-type {any | announcement | query}].
If the mDNS service list is set to OUT, the applicable command syntax is: match service-definition-name [message-type {any | announcement | query}] [location-filter location-filter-name] [source-interface {mDNS-VLAN-number | mDNS-VLAN-range}].

Step 5: exit
Example:
Device(config-mdns-sl-in)# exit
Purpose: Exits mDNS service list configuration mode.

Creating Service Policy (GUI)

Procedure

Step 1 Choose Configuration > Services > mDNS > Service Policy > Service Policy.
Step 2 Click Add.
Step 3 Enter the Service Policy Name.
Step 4 Choose the service list input from the Service List Input drop-down list.
Step 5 Choose the service list output from the Service List Output drop-down list.
Step 6 Choose the location from the Location drop-down list.
Step 7 Click Apply to Device.


Creating Service Policy
A Service Policy that is applied to an interface specifies the allowed Bonjour service announcements or the queries of specific service types that should be processed, in ingress direction or egress direction or both. For this, the service policy specifies two service-lists, one each for ingress and egress directions. In the Local Area Bonjour domain, the same service policy can be attached to one or more Bonjour client VLANs; however, different VLANs may have different service policies.
To configure service policy with service lists, follow these steps:

Procedure

Step 1: enable
Example:
Device> enable
Purpose: Enables privileged EXEC mode. Enter your password, if prompted.

Step 2: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 3: mdns-sd service-policy service-policy-name
Example:
Device(config)# mdns-sd service-policy mdns-policy1
Purpose: Configures mDNS service policy.

Step 4: service-list service-list-name {in | out}
Example:
Device(config-mdns-ser-pol)# service-list VLAN100-list in
Device(config-mdns-ser-pol)# service-list VLAN300-list out
Purpose: Configures service lists for the IN and OUT directions.

Step 5: exit
Example:
Device(config-mdns-ser-pol)# exit
Purpose: Exits mDNS service policy configuration mode.

Associating Service Policy to an Interface
To configure mDNS on the device, follow these steps:

Procedure

Step 1: enable
Example:
Device> enable
Purpose: Enables privileged EXEC mode. Enter your password, if prompted.

Step 2: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 3: interface interface-name
Example:
Device(config)# interface Vlan 601
Purpose: Enters interface mDNS configuration mode and enables interface configuration.

Step 4: mdns-sd gateway
Example:
Device(config-if)# mdns-sd gateway
Purpose: Configures mDNS gateway on the interface.
Enter the following commands in the interface mDNS gateway configuration mode to enable the respective functionalities:
· active-query: Sets the time interval for the SDG agent to refresh the active status of connected Bonjour client services. The timer value ranges from 60 to 3600 seconds.
Note: This configuration is mandatory only on VLANs whose Bonjour policy is configured to accept Bonjour service announcements from connected Bonjour clients. If the VLAN is configured to only accept Bonjour queries but not Bonjour service announcements, this configuration is optional.
· service-instance-suffix (Optional): Appends the service instance suffix to any announced service name that is forwarded to the controller.
· service-mdns-query [ptr | all]: Configures mDNS query request message processing for the specified query types.
If the service-mdns-query command is used without any keyword, then all Bonjour query types (PTR, SRV, and TXT) are processed by default. It is recommended to use the service-mdns-query ptr command.
· service-policy policy-name: Attaches the specified service policy to the VLAN. Bonjour announcements and queries received by and sent from the VLAN are governed by the policies configured in the service policy. This configuration is mandatory for all VLANs.
Note: Service policies can only be attached at interface level.
· transport [all | ipv4 | ipv6] (Optional): Configures BCP parameter.
It is recommended to use the transport ipv4 command, except in those networks where the Bonjour clients send only IPv6 announcements and queries.

Step 5: exit
Example:
Device(config-if-mdns-sd)# exit
Purpose: Exits mDNS gateway configuration mode.
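As a check on the outcome of the CLI procedures above (global gateway, service definition, service list, service policy, interface attachment), the following added script, which is not Cisco code, parses an mdns-sd running-config excerpt and flags the conditions the text calls out: a gateway-enabled VLAN without a service policy, a policy whose ingress list is missing, a VLAN that accepts announcements but has no active-query, a bare service-mdns-query, a missing transport, and a match entry that references an unknown service definition. The configuration text is constructed sample data; the `active-query timer` keyword syntax and the two-space indentation of the interface mDNS sub-mode are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Built-in service definition names (subset of Table 33).
BUILTIN = {"airplay", "apple-airprint", "printer-ipps", "apple-timecapsule"}

# Constructed running-config excerpt; the interface sub-mode indentation and
# the "active-query timer" syntax are assumptions, not taken from the guide.
SAMPLE_CONFIG = """\
mdns-sd gateway
 rate-limit 60
!
mdns-sd service-definition CUSTOM1
 service-type _custom1._tcp.local
!
mdns-sd service-list VLAN100-list in
 match apple-airprint message-type announcement
 match CUSTOM1 message-type query
!
mdns-sd service-list VLAN300-list out
 match PRINTER-IPPS message-type query
!
mdns-sd service-policy mdns-policy1
 service-list VLAN100-list in
 service-list VLAN300-list out
!
interface Vlan601
 mdns-sd gateway
  service-policy mdns-policy1
  service-mdns-query
!
interface Vlan602
 mdns-sd gateway
  active-query timer 120
  service-policy mdns-policy2
  service-mdns-query ptr
  transport ipv4
"""

def parse_blocks(cfg: str) -> List[Tuple[str, List[str]]]:
    """Group config into (top-level line, stripped indented child lines) blocks."""
    blocks: List[Tuple[str, List[str]]] = []
    for raw in cfg.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if not raw.startswith(" "):
            blocks.append((raw.strip(), []))
        elif blocks:
            blocks[-1][1].append(raw.strip())
    return blocks

def audit(cfg: str) -> List[str]:
    """Return findings for an mdns-sd configuration; an empty list means clean."""
    defs = set(BUILTIN)
    lists: Dict[Tuple[str, str], List[str]] = {}   # (name, in|out) -> match lines
    policies: Dict[str, Dict[str, str]] = {}       # policy -> {in|out: list name}
    interfaces: List[Tuple[str, List[str]]] = []
    gateway_global = False
    for head, body in parse_blocks(cfg):
        if head == "mdns-sd gateway":
            gateway_global = True
        elif head.startswith("mdns-sd service-definition "):
            defs.add(head.split()[-1].lower())
        elif head.startswith("mdns-sd service-list "):
            _, _, name, direction = head.split()
            lists[(name, direction)] = [l for l in body if l.startswith("match ")]
        elif head.startswith("mdns-sd service-policy "):
            policies[head.split()[-1]] = dict(
                (m.group(2), m.group(1)) for m in
                (re.match(r"service-list (\S+) (in|out)$", l) for l in body) if m)
        elif head.startswith("interface ") and "mdns-sd gateway" in body:
            interfaces.append((head.split()[1], body))

    findings: List[str] = []
    if not gateway_global:
        findings.append("global: mdns-sd gateway is not enabled")
    for (name, direction), matches in lists.items():
        for line in matches:
            if line.split()[1].lower() not in defs:
                findings.append(f"service-list {name} {direction}: {line} references an unknown service definition")
    for ifname, body in interfaces:
        pol = next((l.split()[1] for l in body if l.startswith("service-policy ")), None)
        if pol is None:
            findings.append(f"{ifname}: mdns-sd gateway without service-policy (mandatory)")
            continue
        if pol not in policies:
            findings.append(f"{ifname}: service-policy {pol} is not defined")
            continue
        in_list = policies[pol].get("in")
        if in_list is None or (in_list, "in") not in lists:
            findings.append(f"{ifname}: policy {pol} has no ingress service-list; gateway is not effective")
        else:
            # A match without message-type, or with announcement/any, accepts announcements.
            accepts_ann = any("message-type query" not in l for l in lists[(in_list, "in")])
            if accepts_ann and not any(l.startswith("active-query") for l in body):
                findings.append(f"{ifname}: accepts announcements but active-query is not set")
        out_list = policies[pol].get("out")
        if out_list and (out_list, "out") not in lists:
            findings.append(f"{ifname}: egress service-list {out_list} is not defined")
        if "service-mdns-query" in body:
            findings.append(f"{ifname}: bare service-mdns-query processes PTR, SRV and TXT; prefer service-mdns-query ptr")
        if not any(l.startswith("transport ") for l in body):
            findings.append(f"{ifname}: transport not set; transport ipv4 is recommended")
    return findings
```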

How to Configure Local Area Bonjour in Multicast DNS Mode for Wireless Networks
The configuration of local area Bonjour on a switch that acts as the SDG Agent in a wireless network involves the same set of procedures that are used to configure local area Bonjour on a switch that acts as the SDG Agent in a wired network.
The Bonjour protocol operates on service announcements and queries. Each query or advertisement is sent to the mDNS IPv4 address 224.0.0.251 and IPv6 address FF02::FB. The mDNS messages are carried over well-known industry standard UDP port 5353, over both Layer 3 transport types.
The Layer 2 address used by the Bonjour protocol is link-local multicast address and therefore it's only forwarded to the same Layer 2 network. As multicast DNS (mDNS) is limited to a Layer 2 domain, for a client to discover a service, it has to be a part of the same Layer 2 domain. This isn't always possible in a large-scale deployment or enterprise.
To enable mDNS communication between Wireless endpoints and Cisco Catalyst switch that acts as an SDG Agent, the intermediate WLC must transparently allow the network to transmit and receive mDNS messages.
Hence, for a Multicast DNS Mode Wireless network deployment, disable the mDNS Snooping on Cisco AireOS based WLC and enable mDNS Gateway feature on Cisco Catalyst 9800 series WLC and set the AP Multicast Mode to Multicast.
Figure below illustrates a prerequisite configuration for Wireless network to enable seamless communication between SDG-Agent switches and Wireless endpoints.


The Cisco WLC and Access Points by default prevent the forwarding of Layer 2 or Layer 3 multicast frames between the wireless and wired network infrastructure. Forwarding is supported with stateful capabilities enabled using AP Multicast. The network administrator must globally enable multicast and configure a unique multicast group to advertise in the network. This multicast group is only required for Cisco Access Points to enable Multicast over Multicast (MCMC) capabilities across the LAN network. The Bonjour solution does not impose any multicast requirement on the wireless client VLAN; multicast there is optional and applicable only to other Layer 3 multicast applications. The core network must be configured with appropriate multicast routing to allow the Access Points to join the WLC multicast group. The multicast configuration must be enabled on the Cisco WLC management VLAN and on the respective distribution layer switch of the Cisco Access Points.
Enabling mDNS Gateway on the Device
To configure mDNS on the device, follow these steps:
Procedure

Step 1
Command or Action: enable
Example:
Device> enable
Purpose: Enables privileged EXEC mode. Enter your password, if prompted.

Step 2
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 3
Command or Action: mdns-sd gateway
Example:
Device(config)# mdns-sd gateway
Purpose: Enables mDNS on the device and enters mDNS gateway configuration mode.
Enter the following commands in mDNS gateway configuration mode to enable the respective functionalities:
· air-print-helper: Enables iOS devices such as iPads to discover and use older printers that support Bonjour
· cache-memory-max: Configures the percentage of memory reserved for the cache
· ingress-client: Configures ingress client packet tuners
· rate-limit: Enables rate limiting of incoming mDNS packets
· service-announcement-count: Configures the maximum service advertisement count
· service-announcement-timer: Configures the periodicity of the advertisement announce timer
· service-query-count: Configures the maximum query count
· service-query-timer: Configures the periodicity of the query forward timer
Note: For the cache-memory-max, ingress-client, rate-limit, service-announcement-count, service-announcement-timer, service-query-count, and service-query-timer commands, you can retain the default value of the respective parameter for general deployments. Configure a different value, if required, for a specific deployment.

Step 4
Command or Action: exit
Example:
Device(config-mdns-sd)# exit
Purpose: Exits mDNS gateway configuration mode.

Creating Custom Service Definition
A service definition is a construct that gives an admin-friendly name to one or more mDNS service types (PTR resource record names). By default, a few built-in service definitions are predefined and available for the admin to use. In addition to the built-in service definitions, the admin can also define custom service definitions.

Procedure

Step 1
Command or Action: enable
Example:
Device> enable
Purpose: Enables privileged EXEC mode. Enter your password, if prompted.

Step 2
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 3
Command or Action: mdns-sd service-definition service-definition-name
Example:
Device(config)# mdns-sd service-definition CUSTOM1
Purpose: Configures mDNS service definition.
Note: All the created custom service definitions are added to the primary service list. The primary service list comprises the list of custom and built-in service definitions.

Step 4
Command or Action: service-type string
Example:
Device(config-mdns-ser-def)# service-type _custom1._tcp.local
Purpose: Configures mDNS service type.

Step 5
Repeat step 4 to configure more than one service type in the custom service definition.

Step 6
Command or Action: exit
Example:
Device(config-mdns-ser-def)# exit
Purpose: Exits mDNS service definition configuration mode.

Creating Service List
An mDNS service list is a collection of service definitions. To create a service list, follow these steps:

Procedure

Step 1
Command or Action: enable
Example:
Device> enable
Purpose: Enables privileged EXEC mode. Enter your password, if prompted.

Step 2
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 3
Command or Action: mdns-sd service-list service-list-name {in | out}
Example:
Device(config)# mdns-sd service-list VLAN100-list in
Purpose: Configures mDNS service list.

Step 4
Command or Action: match service-definition-name [message-type {any | announcement | query}]
Example:
Device(config-mdns-sl-in)# match PRINTER-IPPS message-type announcement
Purpose: Matches the service to the message type. Here, service-definition-name refers to the names of services, such as airplay, airserver, airtunes, and so on.
Note: To add a service, the service name must be part of the primary service list.
If the mDNS service list is set to IN, the applicable command syntax is: match service-definition-name [message-type {any | announcement | query}].
If the mDNS service list is set to OUT, the applicable command syntax is: match service-definition-name [message-type {any | announcement | query}] [location-filter location-filter-name] [source-interface {mDNS-VLAN-number | mDNS-VLAN-range}].

Step 5
Command or Action: exit
Example:
Device(config-mdns-sl-in)# exit
Purpose: Exits mDNS service list configuration mode.

Creating Service Policy
A service policy that is applied to an interface specifies which Bonjour service announcements or queries of specific service types are allowed to be processed, in the ingress direction, the egress direction, or both. For this, the service policy specifies two service lists, one each for the ingress and egress directions. In the Local Area Bonjour domain, the same service policy can be attached to one or more Bonjour client VLANs; however, different VLANs may have different service policies.
To configure service policy with service lists, follow these steps:

Procedure

Step 1
Command or Action: enable
Example:
Device> enable
Purpose: Enables privileged EXEC mode. Enter your password, if prompted.

Step 2
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 3
Command or Action: mdns-sd service-policy service-policy-name
Example:
Device(config)# mdns-sd service-policy mdns-policy1
Purpose: Configures mDNS service policy.

Step 4
Command or Action: service-list service-list-name {in | out}
Example:
Device(config-mdns-ser-pol)# service-list VLAN100-list in
Device(config-mdns-ser-pol)# service-list VLAN300-list out
Purpose: Configures service lists for IN and OUT directions.

Step 5
Command or Action: exit
Example:
Device(config-mdns-ser-pol)# exit
Purpose: Exits mDNS service policy configuration mode.

Associating Service Policy with Wireless Profile Policy
A default mDNS service policy is attached automatically when a wireless profile policy is created. Use the following steps to override the default mDNS service policy with a service policy of your own:

Procedure

Step 1
Command or Action: enable
Example:
Device> enable
Purpose: Enables privileged EXEC mode. Enter your password, if prompted.

Step 2
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 3
Command or Action: wireless profile policy profile-policy-name
Example:
Device(config)# wireless profile policy default-policy-profile
Purpose: Configures wireless profile policy.

Step 4
Command or Action: mdns-sd service-policy custom-mdns-service-policy
Example:
Device(config-wireless-policy)# mdns-sd service-policy custom-mdns-service-policy
Purpose: Associates an mDNS service policy with the wireless profile policy. The default mDNS service policy name is default-mdns-service-policy.

Step 5
Command or Action: exit
Example:
Device(config-wireless-policy)# exit
Purpose: Exits wireless profile policy configuration mode.
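The Local Area Bonjour procedures above build four dependent objects: custom service definitions, IN and OUT service lists of match rules, a service policy that binds one list per direction, and the wireless profile policy that the service policy is attached to. The following Python script is an added example (not code from the guide or from Cisco) that models those objects, checks the constraints the procedures state before anything is pushed to a controller (a matched name must be in the primary service list, location-filter and source-interface are valid only in OUT lists, the policy's IN and OUT slots must reference lists of the matching direction, service types must be well-formed DNS-SD names), and renders the corresponding IOS XE configuration. The built-in service definition names and all list, policy, and profile names are assumptions constructed for the example; read the real built-in set from show mdns-sd service-definition on your device.

```python
"""Model and validate a Local Area Bonjour mDNS policy, then render IOS XE CLI.

Added example, not the guide's or Cisco's code. The built-in service
definition names and all list/policy/profile names are constructed here.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed built-in definitions; the real set comes from 'show mdns-sd service-definition'.
BUILT_IN_SERVICE_DEFINITIONS = {"airplay", "airserver", "airtunes", "printer-ipps"}
MESSAGE_TYPES = {"any", "announcement", "query"}


@dataclass
class ServiceDefinition:
    name: str
    service_types: List[str]                 # e.g. ["_custom1._tcp.local"]


@dataclass
class MatchRule:
    service_definition: str
    message_type: str = "any"
    location_filter: Optional[str] = None    # OUT lists only
    source_interface: Optional[str] = None   # OUT lists only


@dataclass
class ServiceList:
    name: str
    direction: str                           # "in" or "out"
    rules: List[MatchRule] = field(default_factory=list)


@dataclass
class ServicePolicy:
    name: str
    list_in: str
    list_out: str


def valid_service_type(service_type: str) -> bool:
    """DNS-SD service types look like _name._tcp.<domain> or _name._udp.<domain>."""
    labels = service_type.split(".")
    return len(labels) >= 3 and labels[0].startswith("_") and labels[1] in ("_tcp", "_udp")


def validate(definitions, lists, policy) -> List[str]:
    """Return the problems found; an empty list means the objects are consistent."""
    problems = []
    # The primary service list is the union of built-in and custom definitions.
    primary = BUILT_IN_SERVICE_DEFINITIONS | {d.name for d in definitions}
    for d in definitions:
        for st in d.service_types:
            if not valid_service_type(st):
                problems.append(f"{d.name}: malformed service type {st!r}")
    by_name = {}
    for sl in lists:
        by_name[sl.name] = sl
        if sl.direction not in ("in", "out"):
            problems.append(f"{sl.name}: direction must be 'in' or 'out'")
        for r in sl.rules:
            if r.service_definition not in primary:
                problems.append(f"{sl.name}: {r.service_definition} is not in the primary service list")
            if r.message_type not in MESSAGE_TYPES:
                problems.append(f"{sl.name}: unknown message-type {r.message_type!r}")
            if sl.direction == "in" and (r.location_filter or r.source_interface):
                problems.append(f"{sl.name}: location-filter/source-interface are valid only in OUT lists")
    for attr, want in (("list_in", "in"), ("list_out", "out")):
        name = getattr(policy, attr)
        if name not in by_name:
            problems.append(f"{policy.name}: service list {name} is not defined")
        elif by_name[name].direction != want:
            problems.append(f"{policy.name}: {name} fills the {want.upper()} slot but is an {by_name[name].direction.upper()} list")
    return problems


def render(definitions, lists, policy, profile_policy: str) -> str:
    """Emit the configuration lines in dependency order (definitions, lists, policy, profile)."""
    out = ["mdns-sd gateway", "exit"]
    for d in definitions:
        out.append(f"mdns-sd service-definition {d.name}")
        out.extend(f" service-type {st}" for st in d.service_types)
        out.append("exit")
    for sl in lists:
        out.append(f"mdns-sd service-list {sl.name} {sl.direction}")
        for r in sl.rules:
            line = f" match {r.service_definition} message-type {r.message_type}"
            if r.location_filter:
                line += f" location-filter {r.location_filter}"
            if r.source_interface:
                line += f" source-interface {r.source_interface}"
            out.append(line)
        out.append("exit")
    out += [f"mdns-sd service-policy {policy.name}",
            f" service-list {policy.list_in} in",
            f" service-list {policy.list_out} out",
            "exit",
            f"wireless profile policy {profile_policy}",
            f" mdns-sd service-policy {policy.name}",
            "exit"]
    return "\n".join(out)


if __name__ == "__main__":
    defs = [ServiceDefinition("CUSTOM1", ["_custom1._tcp.local"])]
    lists = [ServiceList("VLAN100-list", "in", [MatchRule("printer-ipps", "announcement"), MatchRule("CUSTOM1")]),
             ServiceList("VLAN300-list", "out", [MatchRule("printer-ipps", "announcement", source_interface="Vlan200")])]
    policy = ServicePolicy("mdns-policy1", "VLAN100-list", "VLAN300-list")
    problems = validate(defs, lists, policy)
    print("\n".join(problems) if problems else render(defs, lists, policy, "default-policy-profile"))
```

Running the script with a consistent set of objects prints the configuration in the order the procedures apply it; with an inconsistent set it prints the problems instead, which is the point of validating before a change window rather than discovering a rejected match line at the console.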

Configuring Wide Area Bonjour Domain
The Wide Area Bonjour domain configuration specifies the parameters of the controller, that is, the Wide Area Bonjour application running on Cisco DNA Center, as well as the service types that need to be exported to it from the SDG Agent. Configuring the Wide Area Bonjour domain involves creating service lists and a service policy similar to those created in the Local Area Bonjour configuration; however, only the egress policy from the SDG Agent to the controller is applicable.
Enabling mDNS Gateway on the Device
To configure mDNS on the device, follow these steps:

Procedure

Step 1
Command or Action: enable
Example:
Device> enable
Purpose: Enables privileged EXEC mode. Enter your password, if prompted.

Step 2
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 3
Command or Action: mdns-sd gateway
Example:
Device(config)# mdns-sd gateway
Purpose: Enables mDNS on the device and enters mDNS gateway configuration mode.
Enter the following commands in mDNS gateway configuration mode to enable the respective functionalities:
· air-print-helper: Enables iOS devices such as iPads to discover and use older printers that support Bonjour
· cache-memory-max: Configures the percentage of memory reserved for the cache
· ingress-client: Configures ingress client packet tuners
· rate-limit: Enables rate limiting of incoming mDNS packets
· service-announcement-count: Configures the maximum service advertisement count
· service-announcement-timer: Configures the periodicity of the advertisement announce timer
· service-query-count: Configures the maximum query count
· service-query-timer: Configures the periodicity of the query forward timer
Note: For the cache-memory-max, ingress-client, rate-limit, service-announcement-count, service-announcement-timer, service-query-count, and service-query-timer commands, you can retain the default value of the respective parameter for general deployments. Configure a different value, if required, for a specific deployment.

Step 4
Command or Action: exit
Example:
Device(config-mdns-sd)# exit
Purpose: Exits mDNS gateway configuration mode.

Creating Custom Service Definition
A service definition is a construct that gives an admin-friendly name to one or more mDNS service types (PTR resource record names). By default, a few built-in service definitions are predefined and available for the admin to use. In addition to the built-in service definitions, the admin can also define custom service definitions.

Procedure

Step 1
Command or Action: enable
Example:
Device> enable
Purpose: Enables privileged EXEC mode. Enter your password, if prompted.

Step 2
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 3
Command or Action: mdns-sd service-definition service-definition-name
Example:
Device(config)# mdns-sd service-definition CUSTOM1
Purpose: Configures mDNS service definition.
Note: All the created custom service definitions are added to the primary service list. The primary service list comprises the list of custom and built-in service definitions.

Step 4
Command or Action: service-type string
Example:
Device(config-mdns-ser-def)# service-type _custom1._tcp.local
Purpose: Configures mDNS service type.

Step 5
Repeat step 4 to configure more than one service type in the custom service definition.

Step 6
Command or Action: exit
Example:
Device(config-mdns-ser-def)# exit
Purpose: Exits mDNS service definition configuration mode.

Creating Service List
An mDNS service list is a collection of service definitions. To create a service list, follow these steps:

Procedure

Step 1
Command or Action: enable
Example:
Device> enable
Purpose: Enables privileged EXEC mode. Enter your password, if prompted.

Step 2
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 3
Command or Action: mdns-sd service-list service-list-name {in | out}
Example:
Device(config)# mdns-sd service-list VLAN100-list in
Purpose: Configures mDNS service list.

Step 4
Command or Action: match service-definition-name [message-type {any | announcement | query}]
Example:
Device(config-mdns-sl-in)# match PRINTER-IPPS message-type announcement
Purpose: Matches the service to the message type. Here, service-definition-name refers to the names of services, such as airplay, airserver, airtunes, and so on.
Note: To add a service, the service name must be part of the primary service list.
If the mDNS service list is set to IN, the applicable command syntax is: match service-definition-name [message-type {any | announcement | query}].
If the mDNS service list is set to OUT, the applicable command syntax is: match service-definition-name [message-type {any | announcement | query}] [location-filter location-filter-name] [source-interface {mDNS-VLAN-number | mDNS-VLAN-range}].

Step 5
Command or Action: exit
Example:
Device(config-mdns-sl-in)# exit
Purpose: Exits mDNS service list configuration mode.

Creating Service Policy
A service policy that is applied to an interface specifies which Bonjour service announcements or queries of specific service types are allowed to be processed, in the ingress direction, the egress direction, or both. For this, the service policy specifies two service lists, one each for the ingress and egress directions. In the Local Area Bonjour domain, the same service policy can be attached to one or more Bonjour client VLANs; however, different VLANs may have different service policies.

To configure service policy with service lists, follow these steps:

Procedure

Step 1
Command or Action: enable
Example:
Device> enable
Purpose: Enables privileged EXEC mode. Enter your password, if prompted.

Step 2
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 3
Command or Action: mdns-sd service-policy service-policy-name
Example:
Device(config)# mdns-sd service-policy mdns-policy1
Purpose: Configures mDNS service policy.

Step 4
Command or Action: service-list service-list-name {in | out}
Example:
Device(config-mdns-ser-pol)# service-list VLAN100-list in
Device(config-mdns-ser-pol)# service-list VLAN300-list out
Purpose: Configures service lists for IN and OUT directions.

Step 5
Command or Action: exit
Example:
Device(config-mdns-ser-pol)# exit
Purpose: Exits mDNS service policy configuration mode.

Associating Service Policy with the Controller in Wide Area Bonjour Domain
In Wide Area Bonjour, the service policy is configured globally and is not associated with a VLAN, as it is in Local Area Bonjour.
To configure service policy globally, follow these steps:

Procedure

Step 1
Command or Action: enable
Example:
Device> enable
Purpose: Enables privileged EXEC mode. Enter your password, if prompted.

Step 2
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 3
Command or Action: service-export mdns-sd controller controller-name
Example:
Device(config)# service-export mdns-sd controller DNAC-BONJOUR-CONTROLLER
Purpose: Specifies a name for the controller and enters service-export mode.

Step 4
Command or Action: controller-address ipv4-address
Example:
Device(config-mdns-sd-se)# controller-address 199.245.1.7
Purpose: Specifies the controller address.

Step 5
Command or Action: controller-port port-number
Example:
Device(config-mdns-sd-se)# controller-port 9991
Purpose: Specifies the port number on which the controller is listening.

Step 6
Command or Action: controller-source-interface interface-name
Example:
Device(config-mdns-sd-se)# controller-source-interface Loopback0
Purpose: Specifies the source-interface for the controller.

Step 7
Command or Action: controller-service-policy service-policy-name out
Example:
Device(config-mdns-sd-se)# controller-service-policy policy1 OUT
Purpose: Specifies the service policy to be used by the controller.
Note: Only OUT policy is applicable for Wide Area Bonjour.

Step 8
Command or Action: exit
Example:
Device(config-mdns-sd)# exit
Purpose: Exits controller service export configuration mode.

Step 9
Command or Action: mdns-sd gateway
Example:
Device(config)# mdns-sd gateway
Purpose: Enters mDNS gateway configuration mode.

Step 10
Command or Action: ingress-client query-suppression enable
Example:
Device(config-mdns-sd)# ingress-client query-suppression enable
Purpose: Enables ingress query suppression for better scale and performance.

Step 11
Command or Action: exit
Example:
Device(config-mdns-sd)# exit
Purpose: Exits mDNS gateway configuration mode.

Verifying Local Area Bonjour in Multicast DNS Mode for LAN and Wireless Networks
This section shows how to verify Local Area Bonjour in Multicast DNS mode for LAN and Wireless networks.

Verifying SDG-Agent Status
The following is a sample output of the show mdns-sd service-list service-list-name {in | out} command.

Name          Direction  Service   Message-Type   Source
============================================================
VLAN100-list  In         Printer   Announcement   -
              In         Airplay   Query          -
              In         CUSTOM1   Any            -
VLAN300-list  Out        Printer   Announcement   Vl200

The following is a sample output of the show mdns-sd service-definition service-definition-name service-type {custom | built-in} command.

Service            PTR                       Type
=========================================================================
apple-tv           _airplay._tcp.local       Built-In
                   _raop._tcp.local
apple-file-share   _afpovertcp._tcp.local    Built-In
CUSTOM1            _custom1._tcp.local       Custom
CUSTOM2            _customA._tcp.local       Custom
                   _customA._tcp.local

The following is a sample output of the show mdns-sd service-policy-name interface interface-name command.

Name            Service-List-In   Service-List-Out
==================================================
mdns-policy-1   VLAN100-list      VLAN300-list
mdns-policy-2   VLAN400-list      VLAN400-list
The following is a sample output of the show mdns-sd summary command.

mDNS Gateway: Enabled
Mode: Service Peer
Service Announcement Periodicity(in seconds): 30
Service Announcement Count: 50
Service Query Periodicity(in seconds): 15
Service Query Count: 50
Active Response Timer (in seconds): Disabled
ANY Query Forward: Disabled
SDG Agent IP: 9.8.57.10
Active Query Periodicity (in minutes): 30
mDNS Query Type: PTR only
Transport Type: IPv4
mDNS AP service policy: default-mdns-service-policy
The following is a sample output of the show mdns-sd sp-sdg statistics command.

mDNS SP Statistics

last reset time: 07/27/21 15:36:33

Messages sent:
  Query                    : 122
  ANY query                : 35
  Advertisements           : 12
  Advertisement Withdraw   : 1
  Service-peer cache clear : 0
  Resync response          : 3
  Srvc Discovery response  : 0
  Keep-Alive               : 2043

Messages received:
  Query response           : 0
  ANY Query response       : 0
  Cache-sync               : 9
  Get service-instance     : 0
  Srvc Discovery request   : 0
  Keep-Alive Response      : 2042

Verifying Wide Area Bonjour Controller Status
The following is a sample output of the show mdns controller summary command.
Device# show mdns controller summary

Controller Summary
=====================================
Controller Name : DNAC-BONJOUR-CONTROLLER
Controller IP   : 10.104.52.241
State           : UP
Port            : 9991
Interface       : Loopback0
Filter List     : policy1
Dead Time       : 00:01:00

The following is a sample output of the show mdns controller export-summary command.

Device# show mdns controller export-summary

Controller Export Summary
=========================
Controller IP : 10.104.52.241
State         : UP
Filter List   : policy1
Count         : 100
Delay Timer   : 30 seconds
Export        : 300
Drop          : 0
Next Export   : 00:00:01

The following is a sample output of the show mdns controller statistics command.

Device# show mdns controller statistics

Total BCP message sent           : 47589
Total BCP message received       : 3
Interface WITHDRAW messages sent : 0
Clear cache messages sent        : 0
Total RESYNC state count         : 0
Last successful RESYNC           : Not-Applicable

Service Advertisements:
  IPv6 advertised                : 0
  IPv4 advertised                : 300
  Withdraws sent                 : 0
  Advertisements Filtered        : 0
  Total service resynced         : 0

Service Queries:
  IPv6 queries sent              : 0
  IPv6 query responses received  : 0
  IPv4 queries sent              : 0
  IPv4 query responses received  : 0

The following is a sample output of the show mdns controller detail command.

Device# show mdns controller detail

Controller : DNAC-BONJOUR-CONTROLLER
IP : 10.104.52.241, Dest Port : 9991, Src Port : 0, State : UP
Source Interface : Loopback0, MD5 Disabled
Hello Timer 0 sec, Dead Timer 0 sec, Next Hello 00:00:00
Uptime 00:00:00

Service Announcement :
  Filter : policy1
  Count 100, Delay Timer 30 sec, Pending Announcement 0, Pending Withdraw 0
  Total Export Count 300, Next Export in 00:00:16

Service Query :
  Query Suppression Disabled
  Query Count 50, Query Delay Timer 15 sec, Pending 0
  Total Query Count 0, Next Query in 00:00:01
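The show mdns controller summary and show mdns controller statistics outputs above share a "Key : Value" layout, which makes them easy to check from a monitoring job instead of by eye. The following Python script is an added example (not Cisco's code) that parses that layout into a dictionary and applies the checks an operator would want for the SDG Agent to controller export path: the controller state is UP, the export filter is the service policy that was meant to be attached, the controller has answered at least one BCP message, advertisements filtered by policy are surfaced, and at least one service has been exported. The sample output is constructed to mirror the values shown above; the checks, the expected policy name, and the finding texts are assumptions.

```python
"""Parse 'show mdns controller summary' / 'show mdns controller statistics'
output into a dict and flag the conditions an operator watches for.

Added example, not Cisco's code. The sample output below is constructed to
mirror the values in the guide; the checks and thresholds are assumptions.
"""
import re
from typing import Dict, List

# One 'Key : Value' pair per line; titles and '====' rulers have no colon and are skipped.
_KV = re.compile(r"^\s*(?P<key>[^:]+?)\s*:\s*(?P<value>.*?)\s*$")

# Constructed sample, mirroring the guide's output.
SAMPLE_SUMMARY = """\
Controller Summary
=====================================
Controller Name : DNAC-BONJOUR-CONTROLLER
Controller IP   : 10.104.52.241
State           : UP
Port            : 9991
Interface       : Loopback0
Filter List     : policy1
Dead Time       : 00:01:00
"""

SAMPLE_STATISTICS = """\
Total BCP message sent           : 47589
Total BCP message received       : 3
Interface WITHDRAW messages sent : 0
Clear cache messages sent        : 0
Total RESYNC state count         : 0
Last successful RESYNC           : Not-Applicable
Service Advertisements:
  IPv6 advertised                : 0
  IPv4 advertised                : 300
  Withdraws sent                 : 0
  Advertisements Filtered        : 0
  Total service resynced         : 0
"""


def parse_kv_output(text: str) -> Dict[str, str]:
    """Return a flat {key: value} map; the first colon on a line separates key from value."""
    fields = {}
    for line in text.splitlines():
        m = _KV.match(line)
        if m and m.group("value"):           # skip section headers such as 'Service Advertisements:'
            fields[m.group("key")] = m.group("value")
    return fields


def as_int(fields: Dict[str, str], key: str, default: int = 0) -> int:
    """Counter lookup that tolerates a missing key or a non-numeric value."""
    try:
        return int(fields.get(key, default))
    except ValueError:
        return default


def check_controller(summary: Dict[str, str], stats: Dict[str, str],
                     expected_policy: str = "policy1") -> List[str]:
    """Return findings; an empty list means the export path looks healthy."""
    findings = []
    name = summary.get("Controller Name", "<unknown>")
    if summary.get("State") != "UP":
        findings.append(f"{name}: state is {summary.get('State', 'unknown')}, expected UP")
    if summary.get("Filter List") != expected_policy:
        findings.append(f"{name}: export filter is {summary.get('Filter List')!r}, expected {expected_policy!r}")
    if as_int(stats, "Total BCP message sent") > 0 and as_int(stats, "Total BCP message received") == 0:
        findings.append(f"{name}: controller has never answered (BCP received = 0)")
    filtered = as_int(stats, "Advertisements Filtered")
    if filtered > 0:
        findings.append(f"{name}: {filtered} advertisements filtered by policy; review the OUT service list")
    if as_int(stats, "IPv4 advertised") + as_int(stats, "IPv6 advertised") == 0:
        findings.append(f"{name}: no services exported yet")
    return findings


if __name__ == "__main__":
    result = check_controller(parse_kv_output(SAMPLE_SUMMARY), parse_kv_output(SAMPLE_STATISTICS))
    print("OK" if not result else "\n".join(result))
```

The parser keys on the first colon of each line, so values that themselves contain colons (Dead Time, Next Export) survive intact; feed it the text captured from the two show commands and schedule check_controller alongside the rest of your controller health checks.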

Verifying Local Area Bonjour Configuration for LAN and Wireless Networks
The following is a sample output of the show run command.

mdns-sd gateway
mdns-sd service-definition custom1
 service-type _airplay._tcp.local
 service-type _raop._tcp.local
mdns-sd service-list list1 IN
 match custom1
mdns-sd service-list list2 OUT
 match custom1
mdns-sd service-policy policy1
 service-list list1 IN
 service-list list2 OUT
service-export mdns-sd controller DNAC-CONTROLLER-POLICY
 controller-address 99.99.99.10
 controller-service-policy policy1 OUT
 controller-source-interface Loopback0

Additional References for DNA Service for Bonjour

Related Topic: Cisco Wide Area Bonjour Application on Cisco DNA Center User Guide
Document Title: Cisco Wide Area Bonjour Application on Cisco DNA Center User Guide, Release 1.3.1.0

MIB: CISCO-SDG-MDNS-MIB
MIBs Link: This MIB module defines objects describing the statistics of local area and wide area mDNS SDG agent. Statistics could be either global or per interface specific.

Feature History for Cisco DNA Service for Bonjour
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Release: Cisco IOS 15.2(6) E2
Modification: Cisco DNA Service for Local Area Bonjour and Wide Area Bonjour was introduced on the following platforms:
· Cisco Catalyst 2960-X Series Switches
· Cisco Catalyst 2960-XR Series Switches

Release: Cisco IOS 15.5(1)SY4
Modification: Cisco DNA Service for Local Area Bonjour and Wide Area Bonjour was introduced on Cisco Catalyst 6800 Series Switches.

Release: Cisco IOS XE 3.11.0 E
Modification: Cisco DNA Service for Local Area Bonjour and Wide Area Bonjour was introduced on the following platforms:
· Cisco Catalyst 4500-E Series Switches
· Cisco Catalyst 4500-X Series Switches

Release: Cisco IOS XE Gibraltar 16.11.1
Modification: Cisco DNA Service for Local Area Bonjour and Wide Area Bonjour was introduced on the following platforms:
· Cisco Catalyst 3650 Series Switches
· Cisco Catalyst 3850 Series Switches
· Cisco Catalyst 9300 Series Switches
· Cisco Catalyst 9400 Series Switches
· Cisco Catalyst 9500 Series Switches
· Cisco Catalyst 9500 Series Switches - High Performance
· Cisco Catalyst 9600 Series Switches
· Cisco Catalyst 9800 Series Wireless Controllers
· Cisco 5500 Series Wireless Controllers
· Cisco 8540 Wireless Controllers
· Cisco 4000 Series Integrated Services Routers (ISR)

Release: Cisco IOS XE Amsterdam 17.1.1
Modification: Cisco DNA Service for Local Area Bonjour and Wide Area Bonjour was introduced on Cisco Catalyst 9200 Series Switches.

Release: Cisco IOS XE Amsterdam 17.2.1
Modification: Introduced Cisco DNA Service for Bonjour support for the following:
· SD-Access network
· Unicast mode for LAN network

Release: Cisco IOS XE Amsterdam 17.3.2a
Modification: Introduced Cisco DNA Service for Bonjour support for the following:
· Multilayer networks
· Location grouping in wired networks
· mDNS AP group in wireless networks

CHAPTER 87
SNMP Traps
· Information About Configuring SNMP Traps, on page 747
· Configuring SNMP Traps (GUI), on page 748
· Enabling Access Points Traps (CLI), on page 748
· Enabling Wireless Client Traps (CLI), on page 749
· Enabling Mesh Traps (CLI), on page 749
· Enabling RF Traps (CLI), on page 750
· Enabling Rogue, Mobility, RRM, and General Traps (CLI), on page 750
· Verifying SNMP Wireless Traps, on page 751
Information About Configuring SNMP Traps
Simple Network Management Protocol (SNMP) traps are alert messages sent from a remote SNMP-enabled device, such as the controller, to an SNMP manager. Traps are unreliable because the receiver does not send acknowledgments when it receives them; hence, the sender cannot determine whether the traps were received.
To configure the controller to send SNMP notifications, you must enter at least one snmp-server host command. If you do not enter an snmp-server host command, no notifications are sent. To enable multiple hosts, you must specify a separate snmp-server host command for each host. You can specify multiple notification types in the command for each host.
When multiple snmp-server host commands are given for the same host and the same notification kind (trap or inform), each command overwrites the previous one; only the last snmp-server host command is taken into account. For example, if you enter an snmp-server host inform command for a host and then enter another snmp-server host inform command for the same host, the second command replaces the first.
Specify the snmp-server enable traps wireless <TrapName> command to select which SNMP notifications are sent globally. For a host to receive wireless notifications, at least one snmp-server enable traps wireless <TrapName> command and the snmp-server host command for that host must be enabled. However, some notification types cannot be controlled with the snmp-server enable command, and some notification types are enabled by default. For example, the AP-related trapflags crash, register, and noradiocards are enabled by default.
Configuring SNMP Traps (GUI)
Procedure

Step 1
Choose Administration > Management > SNMP. The SNMP page is displayed. By default, the SNMP mode is disabled. To enable or disable SNMP, click the SNMP Mode toggle button.

Step 2
Choose the Wireless Traps tab. By default, all SNMP wireless traps are disabled except the Access Point trap. To enable all the wireless traps, click Enable All.

Step 3
Select the wireless SNMP trap that you wish to enable. Click the Select All check box to enable all the trapflags present in the trap. For example, to enable all the trapflags in the Mesh trap section, check the Select All check box present at the right-hand corner of the section. Uncheck the Select All check box to remove the selection.
Note: In the Access Point trap, the Crash, No Radio Cards, and Register trapflags are enabled by default. Select the Broken Antenna trapflag to detect a broken antenna. Select the AP Stats trapflag to enable a trap for AP statistics.

Step 4
Click Apply.

Enabling Access Points Traps (CLI)

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: snmp-server enable traps wireless AP
Example:
Device# snmp-server enable traps wireless AP
Purpose: Enables wireless SNMP traps for access points.

Step 3
Command or Action: trapflags ap {authorization | broken-antenna | crash | interfaceup | ipaddrfallback | mfp | mode | noradiocards | register}
Example:
Device# trapflags ap authorization
Purpose: Enables or disables sending AP related trapflags. The crash, noradiocards, and register trapflags are enabled by default.

Enabling Wireless Client Traps (CLI)

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: snmp-server enable traps wireless bsnMobileStation
Example:
Device# snmp-server enable traps wireless bsnMobileStation
Purpose: Enables wireless client traps.

Step 3
Command or Action: trapflags client dot11 {assocfail | associate | authenticate | authfail | deauthenticate | disassociate}
Example:
Device# trapflags client dot11 assocfail
Purpose: Enables or disables dot11 related trapflags for clients.

Step 4
Command or Action: trapflags client excluded
Example:
Device# trapflags client excluded
Purpose: Enables the excluded trapflags for clients.

Enabling Mesh Traps (CLI)

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: snmp-server enable traps wireless MESH
Example:
Device# snmp-server enable traps wireless MESH
Purpose: Enables wireless mesh traps.

Step 3
Command or Action: trapflags mesh {abate-snr | authentication-failure | child-moved | excessive-children | excessive-hopcount | onset-snr | parent-change}
Example:
Device# trapflags mesh abate-snr
Purpose: Enables or disables mesh trapflags.

Enabling RF Traps (CLI)

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: snmp-server enable traps wireless bsnAutoRF
Example:
Device# snmp-server enable traps wireless bsnAutoRF
Purpose: Enables wireless RF related traps.

Step 3
Command or Action: trapflags rrm-params {channels | tx-power}
Example:
Device# trapflags rrm-params channels
Purpose: Enables or disables sending RRM parameter update related traps.

Step 4
Command or Action: trapflags rrm-profile {coverage | interference | load | noise}
Example:
Device# trapflags rrm-profile coverage
Purpose: Enables or disables RRM profile related traps.

Enabling Rogue, Mobility, RRM, and General Traps (CLI)

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: snmp-server enable traps wireless rogue
Example:
Device# snmp-server enable traps wireless rogue
Purpose: Enables traps for wireless rogue.

Step 3
Command or Action: trapflags rogue-ap
Example:
Device# trapflags rogue-ap
Purpose: Enables rogue AP detection trapflag.

Step 4
Command or Action: trapflags rogue-client
Example:
Device# trapflags rogue-client
Purpose: Enables rogue client detection trapflag.

Step 5
Command or Action: snmp-server enable traps wireless wireless_mobility
Example:
Device# snmp-server enable traps wireless wireless_mobility
Purpose: Enables traps for wireless mobility.

Step 6
Command or Action: trapflags anchor
Example:
Device# trapflags anchor
Purpose: Enables anchor trapflags.

Step 7
Command or Action: snmp-server enable traps wireless RRM
Example:
Device# snmp-server enable traps wireless RRM
Purpose: Enables traps for wireless RRM.

Step 8
Command or Action: trapflags rrm-params group
Example:
Device# trapflags rrm-params group
Purpose: Enables or disables the RRM parameter related traps, when the RF manager group changes.

Step 9
Command or Action: snmp-server enable traps wireless bsnGeneral
Example:
Device# snmp-server enable traps wireless bsnGeneral
Purpose: Enables general controller traps.

Verifying SNMP Wireless Traps
To verify the various SNMP traps enabled, use the following command:

Device# show run | sec trapflag
trapflags ap crash
trapflags ap noradiocards
trapflags ap register
trapflags rogue-client

CHAPTER 88

Disabling Clients with Random MAC Address

· Information About Disabling Clients with Random MAC Addresses, on page 753
· Configuring Random MAC Address Deny (CLI), on page 753
· Verifying Denial of Clients with a Random MAC Address, on page 754
Information About Disabling Clients with Random MAC Addresses
Wireless clients used to associate with a wireless network using the MAC address assigned to the Wi-Fi network interface card (NIC) during manufacture. This globally unique MAC address assigned by the manufacturer is also known as the burned-in address (BIA). Because the BIA is fixed, it allows end users to be tracked by the MAC address of their Wi-Fi interface. To improve end-user privacy, client devices now use a locally administered random MAC address for Wi-Fi operations.
Prior to the Cisco IOS XE Bengaluru 17.5.1 release, clients joining a wireless network using a random MAC address could not be tracked with ease. From Cisco IOS XE Bengaluru 17.5.1 onwards, the controller is equipped with a knob that denies entry into the network to clients with a random MAC address. When the local-admin-mac deny knob is enabled on the controller, the association of a client joining the network with a random MAC address is rejected. By default, this feature is disabled on the controller.
This feature is not supported on Cisco Wave 1 access points.

Configuring Random MAC Address Deny (CLI)
To prevent clients with a random MAC address from joining a wireless network, enable the random MAC address deny knob by following the steps given below.

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wlan wlan-profile-name <1-4096> SSID-network-name
Example:
Device(config)# wlan wlan-profile-name 8 ssid-network-name
Purpose: Configures the WLAN policy profile.

Step 3
Command or Action: shutdown
Example:
Device(config-wlan)# shutdown
Purpose: Shuts down the WLAN.

Step 4
Command or Action: [no] local-admin-mac deny
Example:
Device(config-wlan)# local-admin-mac deny
Purpose: Enables the random MAC address deny knob. Use the no form of this command to disable the feature.

Step 5
Command or Action: no shutdown
Example:
Device(config-wlan)# no shutdown
Purpose: Enables the WLAN.

Step 6
Command or Action: end
Example:
Device(config-wlan)# end
Purpose: Saves the configuration, exits the configuration mode, and returns to privileged EXEC mode.

Verifying Denial of Clients with a Random MAC Address

To verify the denial of a client with a random MAC address, run the show wlan name wlan-profile-name | begin locally command:

Device# show wlan name laa | begin locally
Locally Administerd Address Configuration
Deny LAA clients : Enabled

To verify if a client address is a random MAC address, run the show wireless client mac-address MAC-address detail command:

Device# show wireless client mac-address 72xx.38xx.2axx detail
Client MAC Address : 72xx.38xx.2axx
Client MAC Type : Locally Administered Address
Client IPv4 Address : 9.1.1.1
Client IPv6 Addresses : fexx::71xx:27xx:a7xx:efxx
Client Username : 72xx.38xx.2axx

To verify how many random MAC clients are present in the system, run the show wireless stats client detail command:

Device# show wireless stats client detail
Client Summary
----------------------------
Current Clients : 1
Excluded Clients: 0
Disabled Clients: 0
Foreign Clients : 0
Anchor Clients : 0
Local Clients : 1
Idle Clients : 0
Locally Administered MAC Clients: 1

To display the statistics of a specific client, run the show wlan id <1-4096> client stats command:

Device# show wlan id 8 client stats
Wlan Profile Name: wlan-profile, Wlan Id: 8
Current client state statistics:
-----------------------------------------------------------------------------
Authenticating :0
Mobility :0
IP Learn :0
Webauth Pending :0
Run :1
Locally Administered MAC Clients :1

Note Run the show configuration wlan wlan-name command on an AP to view the status of the locally administered address (LAA) on the WLAN.
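The Client MAC Type field in the output above is decided by a single bit of the address. The following added Python example (illustration code written for this page, not Cisco software and not from the guide) applies the IEEE 802 universal/local (U/L) bit test that separates a burned-in address from a locally administered, randomised one, and produces the two counters that the show wireless stats client detail output reports. The client list is constructed; only the first octet of an address matters for the classification, so the 72 prefix of the masked example above is carried over.

```python
"""Classify client MAC addresses as universally or locally administered.
Added example, not Cisco code: the IEEE 802 U/L bit of the first octet
tells a burned-in address (BIA) from a random, locally administered one."""
import re
from typing import Dict, Iterable

GROUP_BIT = 0x01  # bit 0 of the first octet: multicast/group address
LOCAL_BIT = 0x02  # bit 1 of the first octet: 1 = locally administered, 0 = burned-in


def parse_mac(text: str) -> bytes:
    """Accept Cisco dotted (7233.38aa.2a10), colon or hyphen notation."""
    digits = re.sub(r"[.:-]", "", text.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(digits)


def mac_type(text: str) -> str:
    """Mirror the controller's 'Client MAC Type' field for one address."""
    first = parse_mac(text)[0]
    if first & GROUP_BIT:
        return "Group Address"  # multicast; never a client station address
    if first & LOCAL_BIT:
        return "Locally Administered Address"
    return "Universally Administered Address"


def is_random_mac(text: str) -> bool:
    return mac_type(text) == "Locally Administered Address"


def summarize(clients: Iterable[str]) -> Dict[str, int]:
    """Count current clients and how many of them use a random (LAA) MAC."""
    clients = list(clients)
    return {
        "Current Clients": len(clients),
        "Locally Administered MAC Clients": sum(is_random_mac(m) for m in clients),
    }


# Constructed association list (not taken from the guide).
CLIENTS = [
    "7233.38aa.2a10",     # 0x72 = 0111 0010: U/L bit set, random MAC
    "0050.56bb.ccdd",     # 0x00: manufacturer-assigned BIA
    "a4:83:e7:01:02:03",  # 0xa4 = 1010 0100: U/L bit clear
    "da-a1-19-44-55-66",  # 0xda = 1101 1010: U/L bit set
]

if __name__ == "__main__":
    for mac in CLIENTS:
        print(f"{mac:<20} {mac_type(mac)}")
    print(summarize(CLIENTS))
```

The masked address in the guide's output (72xx.38xx.2axx) is rejected by parse_mac because the x characters are not hex digits; the classification of the real address depends only on the 0x72 first octet, whose U/L bit is set.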


PART VII
Security
· IPv4 ACLs, on page 759
· DNS-Based Access Control Lists, on page 787
· Allowed List of Specific URLs, on page 805
· Policy Enforcement and Usage Monitoring, on page 809
· Web-Based Authentication, on page 813
· Central Web Authentication, on page 863
· ISE Simplification and Enhancements, on page 883
· Authentication and Authorization Between Multiple RADIUS Servers, on page 897
· AAA Dead-Server Detection, on page 907
· RADIUS Server Load Balancing, on page 911
· Secure LDAP, on page 915
· RADIUS DTLS, on page 923
· Multiple Cipher Support, on page 935
· Internet Protocol Security, on page 939
· MAC Filtering, on page 955
· IP Source Guard, on page 961
· Managing Rogue Devices, on page 963
· Classifying Rogue Access Points, on page 979
· Configuring Secure Shell, on page 989
· Private Shared Key, on page 997
· Multi-Preshared Key, on page 1005
· Multiple Authentications for a Client, on page 1013
· Cisco TrustSec, on page 1039
· SGT Inline Tagging and SXPv4, on page 1053
· Controller Self-Signed Certificate for Wireless AP Join, on page 1059
· Locally Significant Certificates, on page 1067
· Certificate Management, on page 1095
· Cisco Umbrella WLAN, on page 1099
· Encrypted Traffic Analytics, on page 1111
· FIPS, on page 1125
· Device Analytics, on page 1131
· Advanced WIPS, on page 1137
· Wi-Fi Protected Access 3, on page 1145
· Transport Layer Security Tunnel Support, on page 1161
· Local Extensible Authentication Protocol, on page 1165
· Disabling IP Learning in FlexConnect Mode, on page 1173

CHAPTER 89
IPv4 ACLs
· Information about Network Security with ACLs, on page 759
· Restrictions for Configuring IPv4 Access Control Lists, on page 767
· How to Configure ACLs, on page 768
· Configuration Examples for ACLs, on page 781
· Monitoring IPv4 ACLs, on page 785
Information about Network Security with ACLs
This chapter describes how to configure network security on the switch by using access control lists (ACLs), which in commands and tables are also referred to as access lists.
ACL Overview
Packet filtering can help limit network traffic and restrict network use by certain users or devices. ACLs filter traffic as it passes through a controller and permit or deny packets crossing specified interfaces. An ACL is a sequential collection of permit and deny conditions that apply to packets. When a packet is received on an interface, the switch compares the fields in the packet against any applied ACLs to verify that the packet has the required permissions to be forwarded, based on the criteria specified in the access lists. One by one, it tests packets against the conditions in an access list. The first match decides whether the controller accepts or rejects the packets. Because the controller stops testing after the first match, the order of conditions in the list is critical. If no conditions match, the controller rejects the packet: every ACL ends with an implicit deny-any rule. If there are no restrictions, the controller forwards the packet; otherwise, the controller drops the packet. The controller can use ACLs on all packets it forwards.
You configure access lists on a controller to provide basic security for your network. If you do not configure ACLs, all packets passing through the switch could be allowed onto all parts of the network. You can use ACLs to control which hosts can access different parts of a network or to decide which types of traffic are forwarded or blocked at router interfaces. For example, you can allow e-mail traffic to be forwarded but not Telnet traffic.
Access Control Entries
An ACL contains an ordered list of access control entries (ACEs). Each ACE specifies permit or deny and a set of conditions the packet must satisfy in order to match the ACE. The meaning of permit or deny depends on the context in which the ACL is used.

Note The maximum number of ACEs that can be applied under an access policy (ACL) for central switching is 256 ACEs. The maximum number of ACEs applicable for Flex Mode or Local Switching is 64 ACEs.

ACL Supported Types
The switch supports IP ACLs and Ethernet (MAC) ACLs:
· IP ACLs filter IPv4 traffic, including TCP, User Datagram Protocol (UDP), Internet Group Management Protocol (IGMP), and Internet Control Message Protocol (ICMP).
· Ethernet ACLs filter non-IP traffic.
This switch also supports quality of service (QoS) classification ACLs.

Supported ACLs
The controller supports three types of ACLs to filter traffic:
· Port ACLs access-control traffic entering a Layer 2 interface. You can apply port ACLs to a Layer 2 interface in each direction to each access list type -- IPv4 and MAC.
· Router ACLs access-control routed traffic between VLANs and are applied to Layer 3 interfaces in a specific direction (inbound or outbound).
· FQDN ACL: FQDN ACL is encoded along with IPv6 ACL and sent to AP. FQDN ACL is always a custom ACL. AP does DNS snooping and sends the IPv4 and IPv6 addresses to the controller.

ACL Precedence
When port ACLs and router ACLs are configured on the same switch, the filtering precedence, from greatest to least, for ingress traffic is port ACL and then router ACL. For egress traffic, the filtering precedence is router ACL and then port ACL.
The following examples describe simple use cases:
· When an input router ACL and input port ACL exist in a switch virtual interface (SVI), incoming packets received on ports to which a port ACL is applied are filtered by the port ACL. Incoming routed IP packets received on ports are filtered by the router ACL. Other packets are not filtered.
· When an output router ACL and input port ACL exist in an SVI, incoming packets received on the ports to which a port ACL is applied are filtered by the port ACL. Outgoing routed IP packets are filtered by the router ACL. Other packets are not filtered.

Port ACLs

The switch supports these access lists for port ACLs:
· Standard IP access lists using source addresses
· Extended IP access lists using source and destination addresses and optional protocol type information
· MAC extended access lists using source and destination MAC addresses and optional protocol type information

The switch examines ACLs on an interface and permits or denies packet forwarding based on how the packet matches the entries in the ACL. In this way, ACLs control access to a network or to part of a network.
Figure 18: Using ACLs to Control Traffic in a Network

This is an example of using port ACLs to control access to a network when all workstations are in the same VLAN. ACLs applied at the Layer 2 input would allow Host A to access the Human Resources network, but prevent Host B from accessing the same network. Port ACLs can only be applied to Layer 2 interfaces in the inbound direction.
When you apply a port ACL to a trunk port, the ACL filters traffic on all VLANs present on the trunk port. When you apply a port ACL to a port with voice VLAN, the ACL filters traffic on both data and voice VLANs.
With port ACLs, you can filter IP traffic by using IP access lists and non-IP traffic by using MAC addresses. You can filter both IP and non-IP traffic on the same Layer 2 interface by applying both an IP access list and a MAC access list to the interface.

Note You can't apply more than one IP access list and one MAC access list to a Layer 2 interface. If an IP access list or MAC access list is already configured on a Layer 2 interface and you apply a new IP access list or MAC access list to the interface, the new ACL replaces the previously configured one.

Router ACLs

You can apply router ACLs on switch virtual interfaces (SVIs), which are Layer 3 interfaces to VLANs; on physical Layer 3 interfaces; and on Layer 3 EtherChannel interfaces. You apply router ACLs on interfaces for specific directions (inbound or outbound). You can apply one router ACL in each direction on an interface.
The switch supports these access lists for IPv4 traffic:
· Standard IP access lists use source addresses for matching operations.
· Extended IP access lists use source and destination addresses and optional protocol type information for matching operations.


As with port ACLs, the switch examines ACLs associated with features configured on a given interface. As packets enter the switch on an interface, ACLs associated with all inbound features configured on that interface are examined. After packets are routed and before they are forwarded to the next hop, all ACLs associated with outbound features configured on the egress interface are examined. ACLs permit or deny packet forwarding based on how the packet matches the entries in the ACL, and can be used to control access to a network or to part of a network.
ACEs and Fragmented and Unfragmented Traffic
IP packets can be fragmented as they cross the network. When this happens, only the fragment containing the beginning of the packet contains the Layer 4 information, such as TCP or UDP port numbers, ICMP type and code, and so on. All other fragments are missing this information. Some access control entries (ACEs) do not check Layer 4 information and therefore can be applied to all packet fragments. ACEs that do test Layer 4 information cannot be applied in the standard manner to most of the fragments in a fragmented IP packet. When the fragment contains no Layer 4 information and the ACE tests some Layer 4 information, the matching rules are modified:
· Permit ACEs that check the Layer 3 information in the fragment (including protocol type, such as TCP, UDP, and so on) are considered to match the fragment regardless of what the missing Layer 4 information might have been.
Note For TCP ACEs with L4 Ops, the fragmented packets will be dropped per RFC 1858.
· Deny ACEs that check Layer 4 information never match a fragment unless the fragment contains Layer 4 information.
ACEs and Fragmented and Unfragmented Traffic Examples
Consider access list 102, configured with these commands, applied to three fragmented packets:
Device(config)# access-list 102 permit tcp any host 10.1.1.1 eq smtp
Device(config)# access-list 102 deny tcp any host 10.1.1.2 eq telnet
Device(config)# access-list 102 permit tcp any host 10.1.1.2
Device(config)# access-list 102 deny tcp any any
Note In the first and second ACEs in the examples, the eq keyword after the destination address means to test for the TCP-destination-port well-known numbers equaling Simple Mail Transfer Protocol (SMTP) and Telnet, respectively.
· Packet A is a TCP packet from host 10.2.2.2, port 65000, going to host 10.1.1.1 on the SMTP port. If this packet is fragmented, the first fragment matches the first ACE (a permit) as if it were a complete packet because all Layer 4 information is present. The remaining fragments also match the first ACE, even though they do not contain the SMTP port information, because the first ACE only checks Layer 3 information when applied to fragments. The information in this example is that the packet is TCP and that the destination is 10.1.1.1.


· Packet B is from host 10.2.2.2, port 65001, going to host 10.1.1.2 on the Telnet port. If this packet is fragmented, the first fragment matches the second ACE (a deny) because all Layer 3 and Layer 4 information is present. The remaining fragments in the packet do not match the second ACE because they are missing Layer 4 information. Instead, they match the third ACE (a permit). Because the first fragment was denied, host 10.1.1.2 cannot reassemble a complete packet, so packet B is effectively denied. However, the later fragments that are permitted will consume bandwidth on the network and resources of host 10.1.1.2 as it tries to reassemble the packet.
· Fragmented packet C is from host 10.2.2.2, port 65001, going to host 10.1.1.3, port ftp. If this packet is fragmented, the first fragment matches the fourth ACE (a deny). All other fragments also match the fourth ACE because that ACE does not check any Layer 4 information and because Layer 3 information in all fragments shows that they are being sent to host 10.1.1.3, and the earlier permit ACEs were checking different hosts.
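The first-match and implicit-deny behaviour from the ACL Overview, and the fragment rules worked through for packets A, B and C above, as an added Python model. This is example code written for this page, not Cisco software and not from the guide: it parses the four access-list 102 commands shown above, classifies access-list numbers by the supported ranges in Table 34, and evaluates an initial fragment and a later fragment of each packet under the modified matching rules. The port-name table and the sample packets are constructed from the text; the RFC 1858 note on TCP ACEs with Layer 4 operators is not modeled.

```python
"""First-match IPv4 extended ACL evaluation with the guide's fragment rules.
Added example, not Cisco code: it models how Layer 4 tests are applied to
non-initial fragments that carry no TCP/UDP header."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

PORT_NAMES = {"ftp": 21, "telnet": 23, "smtp": 25, "www": 80}  # constructed subset


def acl_type(number: int) -> Optional[str]:
    """Classify an access-list number by the supported ranges in Table 34."""
    if 1 <= number <= 99 or 1300 <= number <= 1999:
        return "standard"
    if 100 <= number <= 199 or 2000 <= number <= 2699:
        return "extended"
    return None  # other IOS ranges exist but are not supported on the controller


@dataclass
class ACE:
    action: str              # "permit" or "deny"
    protocol: str            # "tcp", "udp", "ip", ...
    src: IPv4Network
    dst: IPv4Network
    dst_port: Optional[int]  # set when the ACE has "eq <port>", i.e. a Layer 4 test


@dataclass
class Packet:
    protocol: str
    src: IPv4Address
    dst: IPv4Address
    dst_port: Optional[int]  # None on a non-initial fragment: no Layer 4 header
    initial: bool = True     # False marks a non-initial fragment


def _parse_addr(tokens: List[str]) -> IPv4Network:
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D wildcard' from the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return IPv4Network("0.0.0.0/0")
    if tok == "host":
        return IPv4Network(tokens.pop(0) + "/32")
    wildcard = int(IPv4Address(tokens.pop(0)))
    netmask = IPv4Address(0xFFFFFFFF ^ wildcard)  # wildcard 0-bits are the fixed bits
    return IPv4Network((tok, str(netmask)), strict=False)


def parse_ace(line: str) -> ACE:
    """Parse 'access-list <num> {permit|deny} <proto> <src> <dst> [eq <port>]'."""
    if "#" in line:  # drop a 'Device(config)# ' prompt
        line = line.split("#", 1)[1]
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list command: {line!r}")
    number = int(tokens[1])
    if acl_type(number) != "extended":
        raise ValueError(f"{number} is not an IP extended access-list number")
    action, protocol, rest = tokens[2], tokens[3], tokens[4:]
    src, dst = _parse_addr(rest), _parse_addr(rest)
    dst_port = None
    if rest[:1] == ["eq"]:
        dst_port = PORT_NAMES.get(rest[1]) or int(rest[1])
    return ACE(action, protocol, src, dst, dst_port)


def ace_matches(ace: ACE, pkt: Packet) -> bool:
    # Layer 3 test first: protocol ("ip" matches any), source and destination.
    if ace.protocol not in ("ip", pkt.protocol) or pkt.src not in ace.src or pkt.dst not in ace.dst:
        return False
    if ace.dst_port is None:
        return True  # an L3-only ACE applies to every fragment in the usual way
    if pkt.initial:
        return pkt.dst_port == ace.dst_port  # full Layer 4 information is present
    # Non-initial fragment against a Layer 4 test: a permit ACE matches on the
    # Layer 3 information alone, a deny ACE never matches.
    return ace.action == "permit"


def evaluate(acl: List[ACE], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, 1-based ACE index); ("deny", None) is the implicit deny."""
    for index, ace in enumerate(acl, start=1):
        if ace_matches(ace, pkt):
            return ace.action, index
    return "deny", None


def fragments(protocol: str, src: str, dst: str, dst_port: int) -> Tuple[Packet, Packet]:
    # Initial fragment (with Layer 4 header) and a later fragment (without it).
    first = Packet(protocol, IPv4Address(src), IPv4Address(dst), dst_port, initial=True)
    later = Packet(protocol, IPv4Address(src), IPv4Address(dst), None, initial=False)
    return first, later


# The four access-list 102 commands from the guide's example.
ACL_102 = [parse_ace(line) for line in (
    "Device(config)# access-list 102 permit tcp any host 10.1.1.1 eq smtp",
    "Device(config)# access-list 102 deny tcp any host 10.1.1.2 eq telnet",
    "Device(config)# access-list 102 permit tcp any host 10.1.1.2",
    "Device(config)# access-list 102 deny tcp any any",
)]

if __name__ == "__main__":
    samples = {"A": fragments("tcp", "10.2.2.2", "10.1.1.1", PORT_NAMES["smtp"]),
               "B": fragments("tcp", "10.2.2.2", "10.1.1.2", PORT_NAMES["telnet"]),
               "C": fragments("tcp", "10.2.2.2", "10.1.1.3", PORT_NAMES["ftp"])}
    for name, (first, later) in samples.items():
        print(f"Packet {name}: first fragment -> {evaluate(ACL_102, first)}, "
              f"later fragments -> {evaluate(ACL_102, later)}")
```

Running the module prints the three outcomes; the one worth checking is packet B, where the first fragment is denied by ACE 2 but the later fragments are permitted by ACE 3, exactly the bandwidth and reassembly cost the text describes.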
Standard and Extended IPv4 ACLs
This section describes IP ACLs. An ACL is a sequential collection of permit and deny conditions. One by one, the switch tests packets against the conditions in an access list. The first match determines whether the switch accepts or rejects the packet. Because the switch stops testing after the first match, the order of the conditions is critical. If no conditions match, the switch denies the packet. The software supports these types of ACLs or access lists for IPv4:
· Standard IP access lists use source addresses for matching operations.
· Extended IP access lists use source and destination addresses for matching operations and optional protocol-type information for finer granularity of control.
Note Only extended ACLs are supported; standard ACLs are not.
IPv4 ACL Switch Unsupported Features
Configuring IPv4 ACLs on the switch is the same as configuring IPv4 ACLs on other Cisco switches and routers. The following ACL-related features are not supported:
· Non-IP protocol ACLs
· IP accounting
· Reflexive ACLs, URL Redirect ACLs and Dynamic ACLs are not supported.
Access List Numbers
The number you use to denote your ACL shows the type of access list that you are creating.


This lists the access-list number and corresponding access list type and shows whether or not they are supported in the switch. The switch supports IPv4 standard and extended access lists, numbers 1 to 199 and 1300 to 2699.
Table 34: Access List Numbers

Access List Number   Type                                        Supported
1-99                 IP standard access list                     Yes
100-199              IP extended access list                     Yes
200-299              Protocol type-code access list              No
300-399              DECnet access list                          No
400-499              XNS standard access list                    No
500-599              XNS extended access list                    No
600-699              AppleTalk access list                       No
700-799              48-bit MAC address access list              No
800-899              IPX standard access list                    No
900-999              IPX extended access list                    No
1000-1099            IPX SAP access list                         No
1100-1199            Extended 48-bit MAC address access list     No
1200-1299            IPX summary address access list             No
1300-1999            IP standard access list (expanded range)    Yes
2000-2699            IP extended access list (expanded range)    Yes

In addition to numbered standard and extended ACLs, you can also create standard and extended named IP ACLs by using the supported numbers. That is, the name of a standard IP ACL can be 1 to 99; the name of an extended IP ACL can be 100 to 199. The advantage of using named ACLs instead of numbered lists is that you can delete individual entries from a named list.

Numbered Standard IPv4 ACLs
When creating an ACL, remember that, by default, the end of the ACL contains an implicit deny statement for all packets that it did not find a match for before reaching the end. With standard access lists, if you omit the mask from an associated IP host address ACL specification, 0.0.0.0 is assumed to be the mask.
The switch always rewrites the order of standard access lists so that entries with host matches and entries with matches having a don't care mask of 0.0.0.0 are moved to the top of the list, above any entries with non-zero don't care masks. Therefore, in show command output and in the configuration file, the ACEs do not necessarily appear in the order in which they were entered.
After creating a numbered standard IPv4 ACL, you can apply it to terminal lines (virtual teletype (VTY) lines), or to interfaces.


Numbered Extended IPv4 ACLs
Although standard ACLs use only source addresses for matching, you can use extended ACL source and destination addresses for matching operations and optional protocol type information for finer granularity of control. When you are creating ACEs in numbered extended access lists, remember that after you create the ACL, any additions are placed at the end of the list. You cannot reorder the list or selectively add or remove ACEs from a numbered list. The switch does not support dynamic or reflexive access lists. It also does not support filtering based on the type of service (ToS) minimize-monetary-cost bit. Some protocols also have specific parameters and keywords that apply to that protocol. You can define an extended TCP, UDP, ICMP, IGMP, or other IP ACL. The switch also supports these IP protocols:
· Authentication Header Protocol (ahp)
· Encapsulation Security Payload (esp)
· Enhanced Interior Gateway Routing Protocol (eigrp)
· generic routing encapsulation (gre)
· Internet Control Message Protocol (icmp)
· Internet Group Management Protocol (igmp)
· any Interior Protocol (ip)
· IP in IP tunneling (ipinip)
· KA9Q NOS-compatible IP over IP tunneling (nos)
· Open Shortest Path First routing (ospf)
· Payload Compression Protocol (pcp)
· Protocol-Independent Multicast (pim)
· Transmission Control Protocol (tcp)
· User Datagram Protocol (udp)
Named IPv4 ACLs
You can identify IPv4 ACLs with an alphanumeric string (a name) rather than a number. You can use named ACLs to configure more IPv4 access lists in a router than if you were to use numbered access lists. If you identify your access list with a name rather than a number, the mode and command syntax are slightly different. However, at times, not all commands that use IP access lists accept a named access list.
Note The name you give to a standard or extended ACL can also be a number in the supported range of access list numbers. That is, the name of a standard IP ACL can be 1 to 99 and the name of an extended IP ACL can be 100 to 199. The advantage of using named ACLs instead of numbered lists is that you can delete individual entries from a named list.

Consider these guidelines before configuring named ACLs:
· Numbered ACLs are also available.
· A standard ACL and an extended ACL cannot have the same name.

ACL Logging

The controller software can provide logging messages about packets permitted or denied by a standard IP access list. That is, any packet that matches the ACL causes an informational logging message about the packet to be sent to the console. The level of messages logged to the console is controlled by the logging console commands controlling the syslog messages.

Note Because routing is done in hardware and logging is done in software, if a large number of packets match a permit or deny ACE containing a log keyword, the software might not be able to match the hardware processing rate, and not all packets will be logged.
The first packet that triggers the ACL causes a logging message right away, and subsequent packets are collected over 5-minute intervals before they are logged. The logging message includes the access list number, whether the packet was permitted or denied, the source IP address of the packet, and the number of packets from that source permitted or denied in the prior 5-minute interval.

Note The logging facility might drop some logging message packets if there are too many to be handled or if there is more than one logging message to be handled in 1 second. This behavior prevents the router from crashing due to too many logging packets. Therefore, the logging facility should not be used as a billing tool or an accurate source of the number of matches to an access list.
Hardware and Software Treatment of IP ACLs
ACL processing is performed in hardware. If the hardware reaches its capacity to store ACL configurations, all packets on that interface are dropped. The ACL scale for controllers is as follows:
· Cisco Catalyst 9800-40 Wireless Controller, Cisco Catalyst 9800-L Wireless Controller, Cisco Catalyst 9800-CL Wireless Controller (small and medium) support 128 ACLs with 128 Access List Entries (ACEs).
· Cisco Catalyst 9800-80 Wireless Controller and Cisco Catalyst 9800-CL Wireless Controller (large) support 256 ACLs and 256 ACEs.
· FlexConnect and Fabric mode APs support 96 ACLs.

Note If an ACL configuration cannot be implemented in the hardware due to an out-of-resource condition on the controller, then only the traffic in that VLAN arriving on that controller is affected.


When you enter the show ip access-lists privileged EXEC command, the match count displayed does not account for packets that are access controlled in hardware. Use the privileged EXEC command to obtain some basic hardware ACL statistics for switched and routed packets.
IPv4 ACL Interface Considerations
For inbound ACLs, after receiving a packet, the controller checks the packet against the ACL. If the ACL permits the packet, the controller continues to process the packet. If the ACL rejects the packet, the controller discards the packet. For outbound ACLs, after receiving and routing a packet to a controlled interface, the controller checks the packet against the ACL. If the ACL permits the packet, the controller sends the packet. If the ACL rejects the packet, the controller discards the packet. If an undefined ACL has nothing listed in it, it is an empty access list.
Restrictions for Configuring IPv4 Access Control Lists
The following are restrictions for configuring network security with ACLs:

General Network Security
· A standard ACL and an extended ACL cannot have the same name.
· Though visible in the command-line help strings, AppleTalk is not supported as a matching condition for the deny and permit MAC access-list configuration mode commands.
· DNS traffic is permitted by default with or without ACL entries for clients that are awaiting web authentication.

IPv4 ACL Network Interfaces
The following restrictions apply to IPv4 ACLs on network interfaces:
· When controlling access to an interface, you can use a named or numbered ACL.
· You do not have to enable routing to apply ACLs to Layer 2 interfaces.

MAC ACLs on a Layer 2 Interface
After you create a MAC ACL, you can apply it to a Layer 2 interface to filter non-IP traffic coming in that interface. When you apply the MAC ACL, consider these guidelines:
· You can apply no more than one IP access list and one MAC access list to the same Layer 2 interface. The IP access list filters only IP packets, and the MAC access list filters non-IP packets.
· A Layer 2 interface can have only one MAC access list. If you apply a MAC access list to a Layer 2 interface that has a MAC ACL configured, the new ACL replaces the previously configured one.


Note The mac access-group interface configuration command is only valid when applied to a physical Layer 2 interface. You cannot use the command on EtherChannel port channels.
IP Access List Entry Sequence Numbering
· This feature does not support dynamic, reflexive, or firewall access lists.

How to Configure ACLs

Configuring IPv4 ACLs (GUI)
Procedure

Step 1 Choose Configuration > Security > ACL.
Step 2 Click Add.
Step 3 In the Add ACL Setup dialog box, enter the following parameters.
· ACL Name: Enter the name for the ACL.
· ACL Type: IPv4 Standard.
· Sequence: Enter the sequence number.
· Action: Choose Permit or Deny the packet flow from the drop-down list.
· Source Type: Choose any, Host or Network from which the packet is sent.
· Log: Enable or disable logging.
Step 4 Click Add.
Step 5 Add the rest of the rules and click Apply to Device.

Configuring IPv4 ACLs
Follow the procedure given below to use IP ACLs on the switch:
Procedure

Step 1 Create an ACL by specifying an access list number or name and the access conditions.
Step 2 Apply the ACL to interfaces or terminal lines.


Creating a Numbered Standard ACL (GUI)
Procedure

Step 1 Choose Configuration > Security > ACL.
Step 2 On the ACL page, click Add.
Step 3 In the Add ACL Setup window, enter the following parameters.
· ACL Name: Enter the name for the ACL.
· ACL Type: IPv4 Standard.
· Sequence: Enter the sequence number.
· Action: Choose Permit or Deny access from the drop-down list.
· Source Type: Choose any, Host or Network.
· Log: Enable or disable logging; logging is limited to ACLs associated with a Layer 3 interface only.
Step 4 Click Add.
Step 5 Click Save & Apply to Device.

Creating a Numbered Standard ACL (CLI)
Follow the procedure given below to create a numbered standard ACL:

Procedure

Step 1
Command or Action: enable
Example:
Device> enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 3
Command or Action: access-list access-list-number {deny | permit} source [source-wildcard]
Example:
Device(config)# access-list 2 deny your_host
Purpose: Defines a standard IPv4 access list by using a source address and wildcard.
The access-list-number is a decimal number from 1 to 99 or 1300 to 1999.
Enter deny or permit to specify whether to deny or permit access if conditions are matched.
The source is the source address of the network or host from which the packet is being sent, specified as:
· The 32-bit quantity in dotted-decimal format.
· The keyword any as an abbreviation for source and source-wildcard of 0.0.0.0 255.255.255.255. You do not need to enter a source-wildcard.
· The keyword host as an abbreviation for source and source-wildcard of source 0.0.0.0.
(Optional) The source-wildcard applies wildcard bits to the source.
Note Logging is supported only on ACLs attached to Layer 3 interfaces.

Step 4
Command or Action: end
Example:
Device(config)# end
Purpose: Returns to privileged EXEC mode.

Step 5
Command or Action: show running-config
Example:
Device# show running-config
Purpose: Verifies your entries.

Step 6
Command or Action: copy running-config startup-config
Example:
Device# copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.

Creating a Numbered Extended ACL (GUI)
Procedure

Step 1 Choose Configuration > Security > ACL.
Step 2 On the ACL page, click Add.
Step 3 In the Add ACL Setup window, enter the following parameters.
· ACL Name: Enter the name for the ACL.
· ACL Type: IPv4 Extended.
· Sequence: Enter the sequence number.
· Action: Choose Permit or Deny the packet flow from the drop-down list.
· Source Type: Choose any, Host or Network from which the packet is sent.
· Destination Type: Choose any, Host or Network to which the packet is sent.
· Protocol: Choose a protocol from the drop-down list.
· Log: Enable or disable logging.
· DSCP: Enter to match packets with the DSCP value.
Step 4 Click Add.
Step 5 Click Save & Apply to Device.

Creating a Numbered Extended ACL (CLI)
Follow the procedure given below to create a numbered extended ACL:

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [fragments] [time-range time-range-name] [dscp dscp]
Example:
Device(config)# access-list 101 permit ip host 10.1.1.2 any precedence 0 tos 0 log
Purpose: Defines an extended IPv4 access list and the access conditions.
The access-list-number is a decimal number from 100 to 199 or 2000 to 2699.
Enter deny or permit to specify whether to deny or permit the packet if conditions are matched.
For protocol, enter the name or number of an IP protocol: ahp, eigrp, esp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, pcp, pim, tcp, or udp, or an integer in the range 0 to 255 representing an IP protocol number. To match any Internet protocol (including ICMP, TCP, and UDP), use the keyword ip.
Note: This step includes options for most IP protocols. For additional specific parameters for TCP, UDP, ICMP, and IGMP, see the following steps.
The source is the number of the network or host from which the packet is sent.
The source-wildcard applies wildcard bits to the source.
The destination is the network or host number to which the packet is sent.
The destination-wildcard applies wildcard bits to the destination.
Source, source-wildcard, destination, and destination-wildcard can be specified as:
· The 32-bit quantity in dotted-decimal format.
· The keyword any for 0.0.0.0 255.255.255.255 (any host).
· The keyword host for a single host (wildcard 0.0.0.0).
The other keywords are optional and have these meanings:
· precedence--Enter to match packets with a precedence level specified as a number from 0 to 7 or by name: routine (0), priority (1), immediate (2), flash (3), flash-override (4), critical (5), internet (6), network (7).
· fragments--Enter to check non-initial fragments.
· tos--Enter to match by type of service level, specified by a number from 0 to 15 or a name: normal (0), max-reliability (2), max-throughput (4), min-delay (8).
· time-range--Specify the time-range name.
· dscp--Enter to match packets with the DSCP value specified by a number from 0 to 63, or use the question mark (?) to see a list of available values.
Note: Your controller must support the ability to:
· Mark DSCP
· Mark UP
· Map DSCP and UP
For more information on DSCP-to-UP Mapping, see: https://tools.ietf.org/html/draft-ietf-tsvwg-ieee-802-11-01
Note: If you enter a dscp value, you cannot enter tos or precedence. You can enter both a tos and a precedence value with no dscp.

Step 3
Command or Action: access-list access-list-number {deny | permit} tcp source source-wildcard [operator port] destination destination-wildcard [operator port] [precedence precedence] [tos tos] [fragments] [time-range time-range-name] [dscp dscp] [flag]
Example:
Device(config)# access-list 101 permit tcp any any eq 500
Purpose: Defines an extended TCP access list and the access conditions.
The parameters are the same as those described for an extended IPv4 ACL, with these exceptions:
(Optional) Enter an operator and port to compare the source port (if positioned after source source-wildcard) or the destination port (if positioned after destination destination-wildcard). Possible operators include eq (equal), gt (greater than), lt (less than), neq (not equal), and range (inclusive range). Operators require a port number (range requires two port numbers separated by a space).
Enter the port number as a decimal number (from 0 to 65535) or the name of a TCP port. Use only TCP port numbers or names when filtering TCP.
The other optional keywords have these meanings:
· flag--Enter one of these flags to match by the specified TCP header bits: ack (acknowledge), fin (finish), psh (push), rst (reset), syn (synchronize), or urg (urgent).

Step 4
Command or Action: access-list access-list-number {deny | permit} udp source source-wildcard [operator port] destination destination-wildcard [operator port] [precedence precedence] [tos tos] [fragments] [time-range time-range-name] [dscp dscp]
Example:
Device(config)# access-list 101 permit udp any any eq 100
Purpose: (Optional) Defines an extended UDP access list and the access conditions.
The UDP parameters are the same as those described for TCP, except that the [operator [port]] port number or name must be a UDP port number or name, and the flag keyword is not valid for UDP.

Step 5
Command or Action: access-list access-list-number {deny | permit} icmp source source-wildcard destination destination-wildcard [icmp-type | [[icmp-type icmp-code] | [icmp-message]]] [precedence precedence] [tos tos] [fragments] [time-range time-range-name] [dscp dscp]
Example:
Device(config)# access-list 101 permit icmp any any 200
Purpose: Defines an extended ICMP access list and the access conditions.
The ICMP parameters are the same as those described for most IP protocols in an extended IPv4 ACL, with the addition of the ICMP message type and code parameters. These optional keywords have these meanings:
· icmp-type--Enter to filter by ICMP message type, a number from 0 to 255.
· icmp-code--Enter to filter ICMP packets by the ICMP message code, a number from 0 to 255.
· icmp-message--Enter to filter ICMP packets by the ICMP message type name or the ICMP message type and code name.

Step 6
Command or Action: access-list access-list-number {deny | permit} igmp source source-wildcard destination destination-wildcard [igmp-type] [precedence precedence] [tos tos] [fragments] [time-range time-range-name] [dscp dscp]
Example:
Device(config)# access-list 101 permit igmp any any 14
Purpose: (Optional) Defines an extended IGMP access list and the access conditions.
The IGMP parameters are the same as those described for most IP protocols in an extended IPv4 ACL, with this optional parameter:
· igmp-type--To match IGMP message type, enter a number from 0 to 15, or enter the message name: dvmrp, host-query, host-report, pim, or trace.

Step 7
Command or Action: end
Example:
Device(config)# end
Purpose: Returns to privileged EXEC mode.

Creating Named Standard ACLs (GUI)
Procedure

Step 1 Click Configuration > Security > ACL.
Step 2 Click Add to create a new ACL setup.
Step 3 In the Add ACL Setup window, enter the following parameters.
· ACL Name: Enter the name for the ACL.
· ACL Type: IPv4 Standard.
· Sequence: The valid range is between 1 and 99 or 1300 and 1999.
· Action: Choose Permit or Deny access from the drop-down list.
· Source Type: Choose any, Host or Network.
· Log: Enable or disable logging. This is limited to ACLs associated with a Layer 3 interface only.
Step 4 Click Add to add the rule.
Step 5 Click Save & Apply to Device.

Creating Named Standard ACLs
Follow the procedure given below to create a standard ACL using names:

Procedure

Step 1
Command or Action: enable
Example:
Device> enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 3
Command or Action: ip access-list standard name
Example:
Device(config)# ip access-list standard 20
Purpose: Defines a standard IPv4 access list using a name, and enters access-list configuration mode.
The name can be a number from 1 to 99.

Step 4
Command or Action: Use one of the following:
· deny {source [source-wildcard] | host source | any} [log]
· permit {source [source-wildcard] | host source | any} [log]
Example:
Device(config-std-nacl)# deny 192.168.0.0 0.0.255.255
or
Device(config-std-nacl)# permit 10.108.0.0 0.0.0.0
Purpose: In access-list configuration mode, specify one or more conditions denied or permitted to decide if the packet is forwarded or dropped.
· host source--A source and source wildcard of source 0.0.0.0.
· any--A source and source wildcard of 0.0.0.0 255.255.255.255.

Step 5
Command or Action: end
Example:
Device(config-std-nacl)# end
Purpose: Returns to privileged EXEC mode.

Step 6
Command or Action: show running-config
Example:
Device# show running-config
Purpose: Verifies your entries.

Step 7
Command or Action: copy running-config startup-config
Example:
Device# copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.

Creating Extended Named ACLs (GUI)
Procedure

Step 1 Choose Configuration > Security > ACL.
Step 2 Click Add.
Step 3 In the Add ACL Setup window, enter the following parameters.
· ACL Name: Enter the name for the ACL.
· ACL Type: IPv4 Extended.
· Sequence: Enter the sequence number.
· Action: Choose Permit or Deny the packet flow from the drop-down list.
· Source Type: Choose any, Host or Network from which the packet is sent.
· Destination Type: Choose any, Host or Network to which the packet is sent.
· Protocol: Choose a protocol from the drop-down list.
· Log: Enable or disable logging.
· DSCP: Enter to match packets with the DSCP value.
Step 4 Click Add.
Step 5 Add the rest of the rules and click Apply to Device.

Creating Extended Named ACLs
Follow the procedure given below to create an extended ACL using names:

Procedure

Step 1
Command or Action: enable
Example:
Device> enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 3
Command or Action: ip access-list extended name
Example:
Device(config)# ip access-list extended 150
Purpose: Defines an extended IPv4 access list using a name, and enters access-list configuration mode.
The name can be a number from 100 to 199.

Step 4
Command or Action: {deny | permit} protocol {source [source-wildcard] | host source | any} {destination [destination-wildcard] | host destination | any} [precedence precedence] [tos tos] [log] [time-range time-range-name]
Example:
Device(config-ext-nacl)# permit 0 any any
Purpose: In access-list configuration mode, specify the conditions allowed or denied. Use the log keyword to get access list logging messages, including violations.
· host source--A source and source wildcard of source 0.0.0.0.
· host destination--A destination and destination wildcard of destination 0.0.0.0.
· any--A source and source wildcard or destination and destination wildcard of 0.0.0.0 255.255.255.255.

Step 5
Command or Action: end
Example:
Device(config-ext-nacl)# end
Purpose: Returns to privileged EXEC mode.

Step 6
Command or Action: show running-config
Example:
Device# show running-config
Purpose: Verifies your entries.

Step 7
Command or Action: copy running-config startup-config
Example:
Device# copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.

When you are creating extended ACLs, remember that, by default, the end of the ACL contains an implicit deny statement for everything if it did not find a match before reaching the end. For standard ACLs, if you omit the mask from an associated IP host address access list specification, 0.0.0.0 is assumed to be the mask.
After you create an ACL, any additions are placed at the end of the list. You cannot selectively add ACL entries to a specific ACL. However, you can use no permit and no deny access-list configuration mode commands to remove entries from a named ACL.
Being able to selectively remove lines from a named ACL is one reason you might use named ACLs instead of numbered ACLs.

What to do next
After creating a named ACL, you can apply it to interfaces or to VLANs.
Applying an IPv4 ACL to an Interface (GUI)
Procedure

Step 1 Choose Configuration > Security > ACL.
Step 2 Click Associating Interfaces.
Step 3 Choose the interface from the Available Interfaces list to view its ACL details on the right-hand side. You can change the ACL details, if required.
Step 4 Click Save & Apply to Device.

Applying an IPv4 ACL to an Interface (CLI)
This section describes how to apply IPv4 ACLs to network interfaces. Beginning in privileged EXEC mode, follow the procedure given below to control access to an interface:

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: interface interface-id
Example:
Device(config)#
Purpose: Identifies a specific interface for configuration, and enters interface configuration mode.
The interface can be a Layer 2 interface (port ACL), or a Layer 3 interface (router ACL).

Step 3
Command or Action: ip access-group {access-list-number | name} {in | out}
Example:
Device(config-if)# ip access-group 2 in
Purpose: Controls access to the specified interface.

Step 4
Command or Action: end
Example:
Device(config-if)# end
Purpose: Returns to privileged EXEC mode.

Step 5
Command or Action: show running-config
Example:
Device# show running-config
Purpose: Displays the access list configuration.

Step 6
Command or Action: copy running-config startup-config
Example:
Device# copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.

Applying ACL to Policy Profile (GUI)
Procedure

Step 1 Choose Configuration > Tags & Profiles > Policy.
Step 2 On the Policy Profile page, click Add.
Step 3 In the Add Policy Profile window, click the Access Policies tab.
Step 4 In the WLAN ACL area, choose the IPv4 ACL from the IPv4 ACL drop-down list.
Step 5 Click Apply to Device.

Applying ACL to Policy Profile

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wireless profile policy profile-policy
Example:
Device(config)# wireless profile policy profile-policy
Purpose: Configures a WLAN policy profile and enters wireless policy configuration mode.

Step 3
Command or Action: ipv4 acl acl-name
Example:
Device(config-wireless-policy)# ipv4 acl test-acl
Purpose: Configures an IPv4 ACL.

Step 4
Command or Action: end
Example:
Device(config-wireless-policy)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Configuration Examples for ACLs
Examples: Including Comments in ACLs
You can use the remark keyword to include comments (remarks) about entries in any IP standard or extended ACL. The remarks make the ACL easier for you to understand and scan. Each remark line is limited to 100 characters. The remark can go before or after a permit or deny statement. You should be consistent about where you put the remark so that it is clear which remark describes which permit or deny statement. For example, it would be confusing to have some remarks before the associated permit or deny statements and some remarks after the associated statements.
To include a comment for IP numbered standard or extended ACLs, use the access-list access-list-number remark remark global configuration command. To remove the remark, use the no form of this command. In this example, the workstation that belongs to Jones is allowed access, and the workstation that belongs to Smith is not allowed access:
Device(config)# access-list 1 remark Permit only Jones workstation through
Device(config)# access-list 1 permit 171.69.2.88
Device(config)# access-list 1 remark Do not allow Smith through
Device(config)# access-list 1 deny 171.69.3.13
For an entry in a named IP ACL, use the remark access-list configuration command. To remove the remark, use the no form of this command. In this example, the Jones subnet is not allowed to use outbound Telnet:
Device(config)# ip access-list extended telnetting
Device(config-ext-nacl)# remark Do not allow Jones subnet to telnet out
Device(config-ext-nacl)# deny tcp host 171.69.2.88 any eq telnet

Examples: Applying an IPv4 ACL to a Policy Profile in a Wireless Environment
This example shows how to apply an IPv4 ACL to a Policy Profile in a Wireless environment.

Note All IPv4 ACLs must be associated to a policy profile.
This example uses extended ACLs to permit TCP traffic.
1. Creating an IPv4 ACL.
Device(config)# ip access-list extended <acl-name>
Device(config-ext-nacl)# 10 permit ip any 10.193.48.224 0.0.0.31
Device(config-ext-nacl)# 20 permit ip any any
2. Applying the IPv4 ACL to a policy profile.
Device(config)# wireless profile policy <policy-profile-name>
Device(config-wireless-policy)# shutdown
Device(config-wireless-policy)# ipv4 acl <acl-name>
Device(config-wireless-policy)# no shutdown
IPv4 ACL Configuration Examples
This section provides examples of configuring and applying IPv4 ACLs. For detailed information about compiling ACLs, see the Cisco IOS Security Configuration Guide, Release 12.4, and the "Configuring IP Services" section in the "IP Addressing and Services" chapter of the Cisco IOS IP Configuration Guide, Release 12.4.
ACLs in a Small Networked Office
Figure 19: Using Router ACLs to Control Traffic

This shows a small networked office environment with routed Port 2 connected to Server A, containing benefits and other information that all employees can access, and routed Port 1 connected to Server B, containing confidential payroll data. All users can access Server A, but Server B has restricted access.
Use router ACLs to do this in one of two ways:
· Create a standard ACL, and filter traffic coming to the server from Port 1.
· Create an extended ACL, and filter traffic coming from the server into Port 1.
Examples: ACLs in a Small Networked Office
This example uses a standard ACL to filter traffic coming into Server B from a port, permitting traffic only from Accounting's source addresses 172.20.128.64 to 172.20.128.95. The ACL is applied to traffic coming out of routed Port 1 from the specified source address.
Device(config)# access-list 6 permit 172.20.128.64 0.0.0.31
Device(config)# end
Device# show access-lists
Standard IP access list 6
    10 permit 172.20.128.64, wildcard bits 0.0.0.31
Device(config)# interface gigabitethernet1/0/1
Device(config-if)# ip access-group 6 out
This example uses an extended ACL to filter traffic coming from Server B into a port, permitting traffic from any source address (in this case Server B) to only the Accounting destination addresses 172.20.128.64 to 172.20.128.95. The ACL is applied to traffic going into routed Port 1, permitting it to go only to the specified destination addresses. Note that with extended ACLs, you must enter the protocol (IP) before the source and destination information.
Device(config)# access-list 106 permit ip any 172.20.128.64 0.0.0.31
Device(config)# end
Device# show access-lists
Extended IP access list 106
    10 permit ip any 172.20.128.64 0.0.0.31
Device(config)# interface gigabitethernet1/0/1
Device(config-if)# ip access-group 106 in
Example: Numbered ACLs
In this example, network 10.0.0.0 is a Class A network whose second octet specifies a subnet; that is, its subnet mask is 255.255.0.0. The third and fourth octets of a network 10.0.0.0 address specify a particular host. Using access list 2, the switch accepts one address on subnet 48 and rejects all others on that subnet. The last line of the list shows that the switch accepts addresses on all other network 10.0.0.0 subnets. The ACL is applied to packets entering a port.
Device(config)# access-list 2 permit 10.48.0.3
Device(config)# access-list 2 deny 10.48.0.0 0.0.255.255
Device(config)# access-list 2 permit 10.0.0.0 0.255.255.255
Device(config)#
Device(config-if)# ip access-group 2 in

Examples: Extended ACLs
In this example, the first line permits any incoming TCP connections with destination ports greater than 1023. The second line permits incoming TCP connections to the Simple Mail Transfer Protocol (SMTP) port of host 128.88.1.2. The third line permits incoming ICMP messages for error feedback.
Device(config)# access-list 102 permit tcp any 128.88.0.0 0.0.255.255 gt 1023
Device(config)# access-list 102 permit tcp any host 128.88.1.2 eq 25
Device(config)# access-list 102 permit icmp any any
Device(config)#
Device(config-if)# ip access-group 102 in
In this example, suppose that you have a network connected to the Internet, and you want any host on the network to be able to form TCP connections to any host on the Internet. However, you do not want IP hosts to be able to form TCP connections to hosts on your network, except to the mail (SMTP) port of a dedicated mail host.
SMTP uses TCP port 25 on one end of the connection and a random port number on the other end. The same port numbers are used throughout the life of the connection. Mail packets coming in from the Internet have a destination port of 25. Because the secure system of the network always accepts mail connections on port 25, the incoming connections are controlled separately.
Device(config)# access-list 102 permit tcp any 128.88.0.0 0.0.255.255 eq 23
Device(config)# access-list 102 permit tcp any 128.88.0.0 0.0.255.255 eq 25
Device(config)#
Device(config-if)# ip access-group 102 in
Examples: Named ACLs
Creating named standard and extended ACLs
This example creates a standard ACL named Internet_filter and an extended ACL named marketing_group. The Internet_filter ACL allows all traffic from the source address 1.2.3.4.
Device(config)# ip access-list standard Internet_filter
Device(config-std-nacl)# permit 1.2.3.4
Device(config-std-nacl)# exit
The marketing_group ACL allows any TCP Telnet traffic to the destination address and wildcard 171.69.0.0 0.0.255.255 and denies any other TCP traffic. It permits ICMP traffic, denies UDP traffic from any source to the destination address range 171.69.0.0 through 179.69.255.255 with a destination port less than 1024, denies any other IP traffic, and provides a log of the result.
Device(config)# ip access-list extended marketing_group
Device(config-ext-nacl)# permit tcp any 171.69.0.0 0.0.255.255 eq telnet
Device(config-ext-nacl)# deny tcp any any
Device(config-ext-nacl)# permit icmp any any
Device(config-ext-nacl)# deny udp any 171.69.0.0 0.0.255.255 lt 1024
Device(config-ext-nacl)# deny ip any any log
Device(config-ext-nacl)# exit

The Internet_filter ACL is applied to outgoing traffic and the marketing_group ACL is applied to incoming traffic on a Layer 3 port.
Device(config)# interface gigabitethernet3/0/1
Device(config-if)# ip address 2.0.5.1 255.255.255.0
Device(config-if)# ip access-group Internet_filter out
Device(config-if)# ip access-group marketing_group in
Deleting individual ACEs from named ACLs
This example shows how you can delete individual ACEs from the named access list border-list:
Device(config)# ip access-list extended border-list
Device(config-ext-nacl)# no permit ip host 10.1.1.3 any
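The examples in this chapter depend on three rules that are easy to misread in a configuration: a wildcard bit of 1 means "do not care", a standard-ACL entry without a mask matches a single host, and entries are evaluated in sequence order with an implicit deny after the last entry. The following Python model is an added example, not Cisco code and not how Cisco IOS XE implements ACLs. It parses the entry syntax shown above (standard and extended entries, the host and any abbreviations, the eq, gt, lt, neq and range operators, optional sequence numbers) and evaluates constructed packets against the access list 2 and marketing_group entries from this section. The Packet, ACE and ACL names, the protocol-number and port-name tables, and the sample packets are this example's own assumptions.

```python
"""Offline model of IPv4 ACL evaluation (added example, not Cisco code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Protocol keywords from the extended ACL syntax, mapped to IP protocol numbers (assumed table).
PROTO_NUM = {"icmp": 1, "igmp": 2, "ipinip": 4, "tcp": 6, "udp": 17, "gre": 47,
             "esp": 50, "ahp": 51, "eigrp": 88, "ospf": 89, "pim": 103}
# Port names used in this chapter's examples (assumed table).
PORT_NAME = {"telnet": 23, "smtp": 25, "domain": 53, "www": 80}
OPERATORS = ("eq", "gt", "lt", "neq", "range")
ANY = ("0.0.0.0", "255.255.255.255")          # the any keyword

def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

def _is_ip(tok: Optional[str]) -> bool:
    try:
        ipaddress.IPv4Address(tok)
        return tok is not None
    except ValueError:
        return False

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 1 bit in the wildcard means 'do not care'; a 0 bit must match exactly."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)

def wildcard_range(base: str, wildcard: str) -> Tuple[str, str]:
    """First and last address covered by base/wildcard (for a contiguous wildcard)."""
    b, w = _ip(base), _ip(wildcard)
    return str(ipaddress.IPv4Address(b & ~w & 0xFFFFFFFF)), str(ipaddress.IPv4Address(b | w))

def _parse_addr(tok: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    """'any' | 'host A' | 'A W' | 'A' (mask 0.0.0.0 assumed, as for standard ACLs)."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    nxt = tok[i + 1] if i + 1 < len(tok) else None
    if _is_ip(nxt):
        return (tok[i], nxt), i + 2
    return (tok[i], "0.0.0.0"), i + 1

def _port(t: str) -> int:
    return PORT_NAME[t] if t in PORT_NAME else int(t)

def _parse_port(tok: List[str], i: int):
    """Optional 'eq|gt|lt|neq port' or 'range lo hi' -> ((op, lo, hi) or None, next index)."""
    if i >= len(tok) or tok[i] not in OPERATORS:
        return None, i
    op, lo = tok[i], _port(tok[i + 1])
    if op == "range":
        return (op, lo, _port(tok[i + 2])), i + 3
    return (op, lo, lo), i + 2

def port_match(spec, port: int) -> bool:
    if spec is None:
        return True
    op, lo, hi = spec
    if op == "eq":
        return port == lo
    if op == "gt":
        return port > lo
    if op == "lt":
        return port < lo
    if op == "neq":
        return port != lo
    return lo <= port <= hi                   # range is inclusive

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                                # a key of PROTO_NUM, e.g. "tcp"
    sport: int = 0
    dport: int = 0

@dataclass
class ACE:
    seq: int
    action: str
    proto: Optional[int]                      # None means the ip keyword: any protocol
    src: Tuple[str, str]
    sport: Optional[tuple]
    dst: Optional[Tuple[str, str]]            # None for a standard ACL
    dport: Optional[tuple]
    text: str

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and self.proto != PROTO_NUM[p.proto]:
            return False
        if not wildcard_match(p.src, *self.src):
            return False
        if self.dst is not None and not wildcard_match(p.dst, *self.dst):
            return False
        return port_match(self.sport, p.sport) and port_match(self.dport, p.dport)

class ACL:
    """Ordered entries, first match wins, implicit deny when nothing matches."""

    def __init__(self, extended: bool):
        self.extended = extended
        self.aces: List[ACE] = []

    def add(self, line: str) -> ACE:
        """Parse one entry as typed in access-list configuration mode. A leading sequence
        number places the entry; without one it is appended after the last entry."""
        tok = line.split()
        seq = int(tok.pop(0)) if tok[0].isdigit() else max((a.seq for a in self.aces), default=0) + 10
        action = tok.pop(0)
        if action not in ("permit", "deny"):
            raise ValueError("expected permit or deny: " + line)
        proto, i = None, 0
        if self.extended:
            name = tok[0]
            proto = None if name == "ip" else PROTO_NUM.get(name, None)
            if proto is None and name != "ip":
                proto = int(name)             # numeric IP protocol, 0 to 255
            i = 1
        src, i = _parse_addr(tok, i)
        sport = dst = dport = None
        if self.extended:
            sport, i = _parse_port(tok, i)
            dst, i = _parse_addr(tok, i)
            dport, i = _parse_port(tok, i)
        # Trailing keywords (log, precedence, tos, dscp, ICMP types, ...) are accepted, not evaluated.
        ace = ACE(seq, action, proto, src, sport, dst, dport, line)
        self.aces.append(ace)
        self.aces.sort(key=lambda a: a.seq)
        return ace

    def evaluate(self, p: Packet) -> Tuple[str, Optional[int]]:
        """(action, sequence) of the first matching entry, or ("deny", None) for the implicit deny."""
        for ace in self.aces:
            if ace.matches(p):
                return ace.action, ace.seq
        return "deny", None
```

The model answers only "which entry matches this packet"; keywords such as log, precedence, tos and dscp are parsed past but not evaluated, so it cannot tell you what would be logged. Running wildcard_range("172.20.128.64", "0.0.0.31") returns the 172.20.128.64 to 172.20.128.95 range used in the small-office example, and evaluating a UDP packet to 171.69.1.1 port 5000 against marketing_group reaches the final deny ip any any log entry rather than the implicit deny.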

Monitoring IPv4 ACLs

You can monitor IPv4 ACLs by displaying the ACLs that are configured on the switch, and displaying the ACLs that have been applied to interfaces and VLANs.
When you use the ip access-group interface configuration command to apply ACLs to a Layer 2 or 3 interface, you can display the access groups on the interface. You can also display the MAC ACLs applied to a Layer 2 interface. You can use the privileged EXEC commands as described in this table to display this information.
Table 35: Commands for Displaying Access Lists and Access Groups

Command: show access-lists [number | name]
Purpose: Displays the contents of one or all current IP and MAC address access lists or a specific access list (numbered or named).

Command: show ip access-lists [number | name]
Purpose: Displays the contents of all current IP access lists or a specific IP access list (numbered or named).

Command: show ip interface interface-id
Purpose: Displays detailed configuration and status of an interface. If IP is enabled on the interface and ACLs have been applied by using the ip access-group interface configuration command, the access groups are included in the display.

Command: show running-config [interface interface-id]
Purpose: Displays the contents of the configuration file for the switch or the specified interface, including all configured MAC and IP access lists and which access groups are applied to an interface.

CHAPTER 90
DNS-Based Access Control Lists
· Information About DNS-Based Access Control Lists, on page 787
· Restrictions on DNS-Based Access Control Lists, on page 790
· Flex Mode, on page 791
· Local Mode, on page 793
· Viewing DNS-Based Access Control Lists, on page 796
· Configuration Examples for DNS-Based Access Control Lists, on page 797
· Verifying DNS Snoop Agent (DSA), on page 798
· Information About Flex Client IPv6 Support with WebAuth Pre and Post ACL, on page 799
· Enabling Pre-Authentication ACL for LWA and EWA (GUI), on page 800
· Enabling Pre-Authentication ACL for LWA and EWA, on page 800
· Enabling Post-Authentication ACL for LWA and EWA (GUI), on page 802
· Enabling Post-Authentication ACL for LWA and EWA, on page 802
· Enabling DNS ACL for LWA and EWA (GUI), on page 803
· Enabling DNS ACL for LWA and EWA, on page 803
· Verifying Flex Client IPv6 Support with WebAuth Pre and Post ACL, on page 804
Information About DNS-Based Access Control Lists
DNS-based ACLs are used for wireless client devices. When using these devices, you can set pre-authentication ACLs on the Cisco Catalyst 9800 Series Wireless Controller to determine the data requests that are allowed or blocked. To enable DNS-based ACLs on the controller, you need to configure the allowed URLs or denied URLs for the ACLs. The URLs need to be pre-configured on the ACL. With DNS-based ACLs, the client, while in the registration phase, is allowed to connect only to the configured URLs.
The controller is configured with the ACL name that is returned by the AAA server. If the ACL name is returned by the AAA server, then the ACL is applied to the client for web-redirection. At the client authentication phase, the AAA server returns the pre-authentication ACL (url-redirect-acl, which is the attribute name given to the AAA server). DNS snooping is performed on the AP for each client until the registration is complete and the client is in SUPPLICANT PROVISIONING state. When the ACL configured with the URLs is received on the controller, a CAPWAP payload is sent to the AP, enabling DNS snooping for the URLs to be snooped.
With URL snooping in place, the AP learns the IP address of the resolved domain name from the DNS response. If the domain name matches the configured URL, then the DNS response is parsed for the IP address, and the IP address is sent to the controller as a CAPWAP payload. The controller adds the IP address to the allowed list of IP addresses, and thus the client can access the configured URLs. URL filtering allows access to the learned IP address on ports 80 or 443. During pre-authentication or post-authentication, the DNS ACL is applied to the client on the access point. If the client roams from one AP to another AP, the IP addresses learned through DNS on the old AP are valid on the new AP as well.
Note: URL filtering is used only for local mode, whereas enhanced URL filtering is used only for flex mode local switching.
Note: In local mode, the URL filter needs to be attached to a policy profile. In flex mode, the URL filter is attached to the flex profile and does not need to be attached to a policy profile.
Note: DNS-based URLs work with an active DNS query from the client. Hence, for URL filtering, DNS must be set up correctly.
Note: The URL filter takes precedence over the punt or redirect ACL, and over custom or static pre-auth ACLs.
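To make the snooping flow concrete, the following is an added Python model of the AP-side behaviour described above. It is not Cisco's implementation, and the DnsSnoopAgent class, the helper names and the sample domains and addresses are this example's own assumptions. It builds a constructed DNS response in wire format (including a name-compression pointer, which real resolvers emit), parses the A records, compares the queried name with the configured URL list, adds the resolved addresses to the allowed list, and then answers whether a pre-authentication client packet to a given address and port (80 or 443) would be permitted. The "*.example.com" wildcard form is this example's convention for matching subdomains, not a controller feature documented here.

```python
"""Model of DNS snooping for DNS-based ACLs (added example, not Cisco's implementation)."""
import struct
from typing import List, Set, Tuple

def _encode_name(name: str) -> bytes:
    """Encode a domain name as DNS labels without compression."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"

def build_dns_response(qname: str, records: List[Tuple[str, str]], txid: int = 0x1234) -> bytes:
    """Construct a minimal DNS response (constructed test data, not a captured packet).
    records are (owner, ipv4) A records; an owner equal to qname is written as a compression
    pointer to the question name (offset 12) so the parser's pointer handling is exercised."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(records), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)          # QTYPE A, QCLASS IN
    answers = b""
    for owner, ip in records:
        owner_bytes = b"\xc0\x0c" if owner == qname else _encode_name(owner)
        rdata = bytes(int(o) for o in ip.split("."))
        answers += owner_bytes + struct.pack("!HHIH", 1, 1, 300, 4) + rdata   # A, IN, TTL, RDLENGTH
    return header + question + answers

def _read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset just after the name field)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                          # pointer to an earlier name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        if length == 0:
            if end is None:
                end = off + 1
            return ".".join(labels), end
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length

def parse_a_records(msg: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Return (question name, [(owner, ipv4), ...]) for the A records in a DNS response."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, qname = 12, ""
    for _ in range(qdcount):
        name, off = _read_name(msg, off)
        qname = qname or name
        off += 4                                           # skip QTYPE and QCLASS
    found = []
    for _ in range(ancount):
        owner, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:
            found.append((owner, ".".join(str(b) for b in rdata)))
    return qname, found

class DnsSnoopAgent:
    """AP-side behaviour described in the text: learn the resolved addresses of configured
    URLs from DNS responses and permit pre-authentication traffic only to those addresses
    on ports 80 and 443."""

    def __init__(self, url_filter: List[str]):
        self.url_filter = [u.lower().rstrip(".") for u in url_filter]
        self.learned: Set[str] = set()

    def domain_allowed(self, name: str) -> bool:
        name = name.lower().rstrip(".")
        for pattern in self.url_filter:
            if pattern.startswith("*.") and name.endswith(pattern[1:]):   # subdomain wildcard
                return True
            if name == pattern:
                return True
        return False

    def snoop(self, response: bytes) -> List[str]:
        """Inspect one DNS response; return the addresses newly added to the allowed list."""
        qname, records = parse_a_records(response)
        if not self.domain_allowed(qname):
            return []
        new = [ip for _, ip in records if ip not in self.learned]
        self.learned.update(new)
        return new

    def client_allowed(self, dst_ip: str, dst_port: int) -> bool:
        """Pre-authentication decision for one client packet (address plus port 80/443 only)."""
        return dst_ip in self.learned and dst_port in (80, 443)
```

Because the decision is keyed on the name in the DNS question, an address is learned only when the client itself resolves a configured name through the AP, which is why the note above requires a working DNS setup; a response for an unlisted name adds nothing to the allowed list, and a learned address is still refused on ports other than 80 and 443.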
Defining ACLs
Extended ACLs are like standard ACLs but identify the traffic more precisely. The following CLI allows you to define ACLs by name or by an identification number.
Device(config)# ip access-list extended ?
  <100-199>    Extended IP access-list number
  <2000-2699>  Extended IP access-list number (expanded range)
  WORD         Access-list name
The following is the structure of a CLI ACL statement:
<sequence number> [permit/deny] <protocol> <address or any> eq <port number> <subnet> <wildcard>
For example:
1 permit tcp any eq www 192.168.1.0 0.0.0.255
The sequence number specifies where to insert the Access Control list Entry (ACE) in the ACL order of ACEs. You can define your statements with sequences of 10, 20, 30, 40, and so on. The controller GUI allows you to write a complete ACL going to the Configuration > Security > ACL page. You can view a list of protocols to pick from, and make changes to an existing ACL.

Applying ACLs
The following are the ways to apply ACLs:
· Security ACL: A security ACL defines the type of traffic that should be allowed through the device and the type that should be blocked or dropped.
A security ACL is applied:
· On SVI interfaces: The ACL is evaluated only against traffic that is routed through the interface.
Device(config)# interface Vlan<number>
Device(config-if)# ip access-group myACL in/out
· On a physical interface of the controller: The ACL is evaluated against all traffic that passes through the interface. Along with applying ACLs on an SVI, this is another option for restricting traffic on the controller management plane.
Device(config)# interface GigabitEthernet1
Device(config-if)# ip access-group myACL in/out
· In the wireless policy profile or WLAN: This option covers several places where you can configure an ACL that is applied to wireless client traffic, with either central switching or local switching of the traffic. Such ACLs are supported only in the inbound direction.
· On the AP: With FlexConnect local switching, the ACL is configured and applied from the policy profile on the controller. This ACL has to be downloaded to the AP through the Flex profile; ACLs must be downloaded to the AP before they can be applied. As an exception, fabric mode APs (with Software Defined Access) also use Flex ACLs even though the AP is not operating in Flex mode.
· Punt ACL or Redirect ACL: A punt ACL or redirect ACL specifies which traffic is sent to the CPU (instead of its normal handling by the dataplane) for further processing. For example, the Central Web Authentication (CWA) redirect ACL defines which traffic is intercepted and redirected to the web login portal. The ACL does not define any traffic to be dropped or allowed; it follows the regular processing or forwarding rules and only defines what is sent to the CPU for interception.
A redirect ACL has an invisible last statement, which is an implicit deny. This implicit deny is applied as a security access list entry, and therefore drops traffic that is not explicitly allowed through or sent to the CPU.
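To make the ACE structure from Defining ACLs and the two evaluation roles just described concrete, here is an added Python model (not Cisco code) that parses extended ACEs in the documented form, evaluates a flow against them in sequence-number order, and applies either the security semantics (only an explicit permit forwards; the implicit deny drops) or the punt/redirect semantics (permit punts to the CPU, an explicit deny leaves the flow on its normal forwarding path, the implicit deny drops). The ACL lines other than the page's own ACE, the flows, the IP addresses and the port-keyword table are constructed samples; only the address forms any, host and network/wildcard with an optional eq port are supported.

```python
"""Model of how an extended ACL is evaluated in the two roles described above:
as a security ACL (only an explicit permit forwards; the implicit deny drops)
and as a punt/redirect ACL (permit punts to the CPU, an explicit deny leaves
the flow on its normal forwarding path, the trailing implicit deny drops).
Added illustration, not Cisco code; sample ACLs and flows are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_KEYWORDS = {"www": 80, "domain": 53, "ftp": 21, "ssh": 22}  # subset of IOS names

@dataclass(frozen=True)
class Addr:
    net: int    # address bits to compare
    wild: int   # wildcard mask: set bits are "don't care" (inverse of a netmask)

    def matches(self, ip: str) -> bool:
        diff = int(ipaddress.IPv4Address(ip)) ^ self.net
        return (diff & ~self.wild) & 0xFFFFFFFF == 0

ANY = Addr(0, 0xFFFFFFFF)

@dataclass(frozen=True)
class Ace:
    seq: int
    action: str              # "permit" or "deny"
    proto: str               # "ip" matches every protocol
    src: Addr
    src_port: Optional[int]  # None when no "eq <port>" was given
    dst: Addr
    dst_port: Optional[int]

def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

def _addr(t, i):
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return Addr(_ip(t[i + 1]), 0), i + 2
    return Addr(_ip(t[i]), _ip(t[i + 1])), i + 2

def _port(t, i):
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        return (PORT_KEYWORDS[p] if p in PORT_KEYWORDS else int(p)), i + 2
    return None, i

def parse_ace(line: str) -> Ace:
    """Parse '<seq> permit|deny <proto> <src> [eq <port>] <dst> [eq <port>]'."""
    t = line.split()
    if t[1] not in ("permit", "deny"):
        raise ValueError(f"bad action: {line}")
    src, i = _addr(t, 3)
    sport, i = _port(t, i)
    dst, i = _addr(t, i)
    dport, i = _port(t, i)
    if i != len(t):
        raise ValueError(f"trailing tokens: {line}")
    return Ace(int(t[0]), t[1], t[2], src, sport, dst, dport)

def parse_acl(lines):
    """ACEs are evaluated in sequence-number order, whatever order they were entered."""
    return sorted((parse_ace(l) for l in lines), key=lambda a: a.seq)

def first_match(acl, flow) -> Optional[Ace]:
    """flow = (proto, src_ip, src_port, dst_ip, dst_port); the first matching ACE wins."""
    proto, sip, sport, dip, dport = flow
    for a in acl:
        if a.proto not in ("ip", proto):
            continue
        if not (a.src.matches(sip) and a.dst.matches(dip)):
            continue
        if a.src_port not in (None, sport) or a.dst_port not in (None, dport):
            continue
        return a
    return None

def security_verdict(acl, flow) -> str:
    """Security ACL: only an explicit permit forwards; no match is the implicit deny."""
    m = first_match(acl, flow)
    return "forward" if m is not None and m.action == "permit" else "drop"

def redirect_verdict(acl, flow) -> str:
    """Punt/redirect ACL: permit -> CPU, explicit deny -> normal forwarding,
    no match -> dropped by the implicit deny, which acts as a security entry."""
    m = first_match(acl, flow)
    if m is None:
        return "drop"
    return "punt" if m.action == "permit" else "forward"

# Constructed samples: the page's own ACE, and a CWA-style redirect ACL whose
# deny entries exempt the portal server and DNS from interception.
SECURITY_ACL = parse_acl(["1 permit tcp any eq www 192.168.1.0 0.0.0.255"])
REDIRECT_ACL = parse_acl([
    "30 permit tcp any any eq www",
    "10 deny ip any host 10.0.0.5",
    "20 deny udp any any eq domain",
])
```

The redirect sample shows why a CWA redirect ACL normally carries explicit deny entries for the portal server and for DNS: without them those flows would fall through to the implicit deny and be dropped rather than forwarded, which is exactly the failure mode a web-auth deployment runs into when the redirect ACL is written like a security ACL.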
Types of URL Filters
The following are the two types of URL filters:
· Standard: Standard URL filters can be applied before client authentication (pre-auth) or after a successful client authentication (post-auth). Pre-auth filters are extremely useful in the case of external web authentication to allow access to the external login page, as well as some internal websites, before authentication takes place. Post-auth, they can block specific websites or allow only specific websites while everything else is blocked by default. Post-auth URL filtering of this type is better handled with Cisco DNS Layer Security (formerly known as Umbrella), which offers more flexibility. Standard URL filters apply the same action (permit or deny) to the whole list of URLs: it is either all permit or all deny. Standard URL filters work on both local mode APs and FlexConnect APs.

· Enhanced: Enhanced URL filters allow a different action (deny or permit) to be specified for each URL in the list and have per-URL hit counters. They are supported only on FlexConnect APs in local switching (or fabric APs).
In both types of URL filters, you can use a wildcard sub-domain such as *.cisco.com. URL filters are standalone but are always applied along with an IP-based ACL. A maximum of 20 URLs is supported in a given URL filter. Because one URL can resolve to multiple IP addresses, only up to 40 resolved IP addresses can be tracked for each client. Only DNS records are tracked by URL filters: the controller or APs do not track the resolved IP address of a URL if the DNS answer uses a CNAME alias record.
Restrictions on DNS-Based Access Control Lists
The restrictions for DNS-based ACLs are as follows:
· Pre-authentication and post-authentication filters are supported in local mode. Only the pre-authentication filter is supported in Flex (Fabric) mode.
· ACL override pushed from ISE is not supported.
· FlexConnect Local Switching with External Web authentication using URL filtering is not supported until Cisco IOS XE Gibraltar 16.12.x.
· Fully qualified domain name (FQDN) or DNS-based ACLs are not supported on Cisco Wave 1 Access Points.
· The URL filter considers only the first 20 URLs, though you can add more.
· The URL filter employs regular expression patterns and permits wildcard characters only at the beginning or at the end of a URL.
· The URL ACLs are defined and added to the FlexConnect policy profile, which associates them with a WLAN. URL ACL creation follows a mechanism similar to that of local mode URL ACLs.
· In FlexConnect mode, the URL domain ACL works only if it is connected to a FlexConnect policy profile.
· The ACL can be attached to a WLAN by associating a policy profile with a WLAN or local policies. However, you can override it using "url-redirect-acl".
· For the Cisco AV pair received from ISE, the policy that needs to be applied for a particular client is pushed as part of the ADD MOBILE message.
· When an AP joins, or when an existing URL ACL is modified and applied on the FlexConnect profile, the ACL definition along with the mapped URL filter list is pushed to the AP.
· The AP stores the URL ACL definition with the mapped ACL name and snoops the DNS packets to learn the first IP address for each URL in the ACL. When the AP learns the IP addresses, it updates the controller with the URL and IP bindings. The controller records this information in the client database for future use.
· When a client roams to another AP during the pre-authentication state, the learned IP addresses are pushed to the new AP. Otherwise, these learned IP addresses are purged when a client moves to the post-authentication state or when the TTL for the learned IP address expires.
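The snooping sequence described earlier (the AP learns the IP address from the DNS answer, reports it to the controller, and the client may then reach that IP on ports 80 or 443), the standard versus enhanced filter types, and the limits listed in these restrictions, as a small Python model. This is an added illustration, not the AP or controller code; the filter names, domain names, addresses and timestamps are constructed, while the 20-URL, 40-IP, wildcard-placement, CNAME, TTL and port-80/443 rules are the ones stated in this section.

```python
"""Model of the DNS snooping and URL filter behaviour described in this
section: standard lists with one action versus enhanced lists with a per-URL
action and hit counters, wildcards only at the start or end of a URL, only the
first 20 URLs honoured, at most 40 learned IPs per client, CNAME answers not
tracked, access opened only on ports 80/443, and learned IPs purged on TTL
expiry or when the client goes post-auth. Added illustration, not Cisco's
agent; all names, addresses and timestamps are constructed samples."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_URLS_PER_FILTER = 20    # the filter considers only the first 20 URLs
MAX_IPS_PER_CLIENT = 40     # at most 40 resolved IPs are tracked per client
FILTERED_PORTS = {80, 443}  # a learned IP is opened for HTTP/HTTPS only

def url_pattern(url: str) -> "re.Pattern[str]":
    """A wildcard is allowed only as the first or last character (e.g. *.cisco.com)."""
    if "*" in url[1:-1]:
        raise ValueError(f"wildcard only at start or end of URL: {url}")
    return re.compile("^" + re.escape(url).replace(r"\*", ".*") + "$", re.IGNORECASE)

@dataclass
class UrlFilter:
    name: str
    enhanced: bool = False
    action: str = "permit"            # standard list: one action for every URL
    entries: List[Tuple[str, str]] = field(default_factory=list)   # (url, action)
    hits: Dict[str, int] = field(default_factory=dict)             # enhanced lists only

    def add(self, url: str, action: Optional[str] = None) -> bool:
        url_pattern(url)              # reject a wildcard in the middle up front
        if len(self.entries) >= MAX_URLS_PER_FILTER:
            return False              # accepted by the CLI but never considered
        self.entries.append((url, action if self.enhanced and action else self.action))
        return True

    def match(self, fqdn: str) -> Optional[Tuple[str, str]]:
        for url, action in self.entries:
            if url_pattern(url).match(fqdn):
                return url, action
        return None

@dataclass
class LearnedIp:
    url: str
    action: str
    expires: float

@dataclass
class ClientState:
    mac: str
    ap: str
    post_auth: bool = False
    learned: Dict[str, LearnedIp] = field(default_factory=dict)   # ip -> binding

def snoop_dns_response(client, filt, answers, now) -> List[str]:
    """answers: [(owner_name, rtype, rdata, ttl), ...] parsed from one DNS reply
    seen by the AP. Returns the IPs learned and reported to the controller."""
    if any(rtype == "CNAME" for _, rtype, _, _ in answers):
        return []                     # answers that go via a CNAME alias are not tracked
    learned = []
    for name, rtype, rdata, ttl in answers:
        if rtype not in ("A", "AAAA"):
            continue
        m = filt.match(name.rstrip("."))
        if m is None:
            continue                  # not a filtered URL: nothing to learn
        if rdata not in client.learned and len(client.learned) >= MAX_IPS_PER_CLIENT:
            break                     # per-client tracking capacity exhausted
        url, action = m
        client.learned[rdata] = LearnedIp(url, action, now + ttl)
        if filt.enhanced:
            filt.hits[url] = filt.hits.get(url, 0) + 1
        learned.append(rdata)
    return learned

def expire(client, now) -> None:
    for ip in [ip for ip, e in client.learned.items() if e.expires <= now]:
        del client.learned[ip]

def verdict(client, dst_ip, dst_port, now) -> str:
    """'permit'/'deny' from the URL filter, or 'no-url-match' so the IP ACL decides."""
    expire(client, now)
    e = client.learned.get(dst_ip)
    if e is None or dst_port not in FILTERED_PORTS:
        return "no-url-match"
    return e.action

def roam(client, new_ap) -> None:
    """A pre-auth roam keeps the learned IPs: they are pushed to the new AP."""
    client.ap = new_ap

def authenticate(client) -> None:
    """Moving to the post-authentication state purges the learned IPs."""
    client.post_auth = True
    client.learned.clear()
```

Two of the modelled rules are the ones that most often surprise operators: a site whose DNS answer arrives through a CNAME chain never gets an IP learned, so it stays blocked even though its URL is in the list, and a learned IP is opened only on 80 and 443, so any other port still falls through to the IP-based ACL.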

Flex Mode

Defining URL Filter List

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: urlfilter enhanced-list list-name
Example:
Device(config)# urlfilter enhanced-list urllist_flex_preauth
Purpose: Configures the URL filter enhanced list. Here, list-name refers to the URL filter list name. The list name must not exceed 32 alphanumeric characters.

Step 3
Command or Action: url url-name preference 0-65535 action {deny | permit}
Example:
Device(config-urlfilter-enhanced-params)# url url-name preference 1 action permit
Purpose: Configures the action: permit (allowed list) or deny (blocked list).

Step 4
Command or Action: end
Example:
Device(config-urlfilter-params)# end
Purpose: Returns to privileged EXEC mode.

Applying URL Filter List to Flex Profile

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wireless profile flex default-flex-profile
Example:
Device(config)# wireless profile flex default-flex-profile
Purpose: Creates a new flex policy. The default flex profile name is default-flex-profile.

Step 3
Command or Action: acl-policy acl policy name
Example:
Device(config-wireless-flex-profile)# acl-policy acl_name
Purpose: Configures ACL policy.

Step 4
Command or Action: urlfilter list name
Example:
Device(config-wireless-flex-profile-acl)# urlfilter list urllist_flex_preauth
Purpose: Applies the URL list to the Flex profile.

Step 5
Command or Action: end
Example:
Device(config-wireless-flex-profile-acl)# end
Purpose: Returns to privileged EXEC mode.

Configuring ISE for Central Web Authentication (GUI)
Perform the following steps to configure ISE for Central Web Authentication.
Procedure

Step 1 Login to the Cisco Identity Services Engine (ISE).
Step 2 Click Policy and then click Policy Elements.
Step 3 Click Results.
Step 4 Expand Authorization and click Authorization Profiles.
Step 5 Click Add to create a new authorization profile for the URL filter.
Step 6 Enter a name for the profile in the Name field. For example, CentralWebauth.
Step 7 Choose the ACCESS_ACCEPT option from the Access Type drop-down list.
Step 8 Alternatively, in the Common Tasks section, check Web Redirection.
Step 9 Choose the Centralized Web Auth option from the drop-down list.
Step 10 Specify the ACL and choose the ACL value from the drop-down list.
Step 11 In the Advanced Attributes Setting section, choose Cisco:cisco-av-pair from the drop-down list.
Note Multiple ACLs can be applied on the controller based on priority. In an L2 Auth + webauth multi-auth scenario, if ISE returns an ACL during L2 Auth, the ISE ACL takes precedence over the default webauth redirect ACL. This leads to traffic running in the webauth pending state if the ISE ACL has a permit rule. To avoid this scenario, you need to set the precedence for the ACL returned by ISE during L2 Auth. The default webauth redirect ACL priority is 100. To avoid the traffic issue, configure the priority of the redirect ACL returned by ISE above 100.
Step 12 Enter the following one by one and click the (+) icon after each of them:
· url-redirect-acl=<sample_name>
· url-redirect=<sample_redirect_URL>
For example,
Cisco:cisco-av-pair = priv-lvl=15
Cisco:cisco-av-pair = url-redirect-acl=ACL-REDIRECT2
Cisco:cisco-av-pair = url-redirect=https://9.10.8.247:port/portal/gateway?sessionId=SessionIdValue&portal=0ce17ad0-6d90-11e5-978e-005056bf2f0a&daysToExpiry=value&action=cwa
Step 13 Verify the contents in the Attributes Details section and click Save.

Local Mode

Defining URL Filter List

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: urlfilter list list-name
Example:
Device(config)# urlfilter list urllist_local_preauth
Purpose: Configures the URL filter list. Here, list-name refers to the URL filter list name. The list name must not exceed 32 alphanumeric characters.

Step 3
Command or Action: action permit
Example:
Device(config-urlfilter-params)# action permit
Purpose: Configures the action: permit (allowed list) or deny (blocked list).

Step 4
Command or Action: filter-type post-authentication
Example:
Device(config-urlfilter-params)# filter-type post-authentication
Purpose: Configures the URL list as a post-authentication filter.
Note This step is applicable only while configuring a post-authentication URL filter.

Step 5
Command or Action: redirect-server-ipv4 IPv4-address
Example:
Device(config-urlfilter-params)# redirect-server-ipv4 9.1.0.101
Purpose: Configures the IPv4 redirect server for the URL list. Here, IPv4-address refers to the IPv4 address.

Step 6
Command or Action: redirect-server-ipv6 IPv6-address
Example:
Device(config-urlfilter-params)# redirect-server-ipv6 2001:300:8::82
Purpose: Configures the IPv6 redirect server for the URL list. Here, IPv6-address refers to the IPv6 address.

Step 7
Command or Action: url url
Example:
Device(config-urlfilter-params)# url url1.dns.com
Purpose: Configures a URL. Here, url refers to the name of the URL.

Step 8
Command or Action: end
Example:
Device(config-urlfilter-params)# end
Purpose: Returns to privileged EXEC mode.

Applying URL Filter List to Policy Profile (GUI)
Procedure

Step 1 Choose Configuration > Tags & Profiles > Policy.
Step 2 Click on the Policy Name.
Step 3 Go to the Access Policies tab.
Step 4 In the URL Filters section, choose the filters from the Pre Auth and Post Auth drop-down lists.
Step 5 Click Update & Apply to Device.

Applying URL Filter List to Policy Profile

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wireless profile policy profile-policy
Example:
Device(config)# wireless profile policy default-policy-profile
Purpose: Configures wireless policy profile. Here, profile-policy refers to the name of the WLAN policy profile.

Step 3
Command or Action: urlfilter list {pre-auth-filter name | post-auth-filter name}
Example:
Device(config-wireless-policy)# urlfilter list pre-auth-filter urllist_local_preauth
Device(config-wireless-policy)# urlfilter list post-auth-filter urllist_local_postauth
Purpose: Applies the URL list to the policy profile. Here, name refers to the name of the pre-authentication or post-authentication URL filter list configured earlier.
Note During the client join, the URL filter configured on the policy will be applied.

Step 4
Command or Action: end
Example:
Device(config-wireless-policy)# end
Purpose: Returns to privileged EXEC mode.

Configuring ISE for Central Web Authentication
Creating Authorization Profiles
Procedure

Step 1 Login to the Cisco Identity Services Engine (ISE).
Step 2 Click Policy, and click Policy Elements.
Step 3 Click Results.
Step 4 Expand Authorization, and click Authorization Profiles.
Step 5 Click Add to create a new authorization profile for the URL filter.
Step 6 In the Name field, enter a name for the profile. For example, CentralWebauth.
Step 7 Choose ACCESS_ACCEPT from the Access Type drop-down list.
Step 8 In the Advanced Attributes Setting section, choose Cisco:cisco-av-pair from the drop-down list.
Step 9 Enter the following one by one and click the (+) icon after each of them:
· url-filter-preauth=<preauth_filter_name>
· url-filter-postauth=<postauth_filter_name>
For example,
Cisco:cisco-av-pair = url-filter-preauth=urllist_pre_cwa
Cisco:cisco-av-pair = url-filter-postauth=urllist_post_cwa
Step 10 Verify the contents in the Attributes Details section and click Save.

Mapping Authorization Profiles to Authentication Rule
Procedure

Step 1 In the Policy > Authentication page, click Authentication.
Step 2 Enter a name for your authentication rule. For example, MAB.
Step 3 In the If condition field, select the plus (+) icon.
Step 4 Choose Compound condition, and choose WLC_Web_Authentication.
Step 5 Click the arrow located next to and ... in order to expand the rule further.
Step 6 Click the + icon in the Identity Source field, and choose Internal endpoints.
Step 7 Choose Continue from the 'If user not found' drop-down list. This option allows a device to be authenticated even if its MAC address is not known.
Step 8 Click Save.

Mapping Authorization Profiles to Authorization Rule
Procedure

Step 1 Click Policy > Authorization.
Step 2 In the Rule Name field, enter a name. For example, CWA Post Auth.
Step 3 In the Conditions field, select the plus (+) icon.
Step 4 Click the drop-down list to view the Identity Groups area.
Step 5 Choose User Identity Groups > user_group.
Step 6 Click the plus (+) sign located next to and ... in order to expand the rule further.
Step 7 In the Conditions field, select the plus (+) icon.
Step 8 Choose Compound Conditions, and choose to create a new condition.
Step 9 From the settings icon, select Add Attribute/Value from the options.
Step 10 In the Description field, choose Network Access > UseCase as the attribute from the drop-down list.
Step 11 Choose the Equals operator.
Step 12 From the right-hand field, choose GuestFlow.
Step 13 In the Permissions field, select the plus (+) icon to select a result for your rule. You can choose the Standard > PermitAccess option or create a custom profile to return the attributes that you like.

Viewing DNS-Based Access Control Lists
To view details of a specified wireless URL filter, use the following command:
Device# show wireless urlfilter details <urllist_flex_preauth>
To view the summary of all wireless URL filters, use the following command:
Device# show wireless urlfilter summary
To view the URL filter applied to the client in the resultant policy section, use the following command:
Device# show wireless client mac-address <MAC_addr> detail
Configuration Examples for DNS-Based Access Control Lists
Flex Mode
Example: Defining URL Filter List
This example shows how to define a URL list in Flex mode:
Device# configure terminal
Device(config)# urlfilter enhanced-list urllist_flex_pre
Device(config-urlfilter-params)# url www.dns.com preference 1 action permit
Device(config-urlfilter-params)# end
Example: Applying URL Filter List to Flex Profile
This example shows how to apply a URL list to the Flex profile in Flex mode:
Device# configure terminal
Device(config)# wireless profile flex default-flex-profile
Device(config-wireless-flex-profile)# acl-policy acl_name
Device(config-wireless-flex-profile-acl)# urlfilter list urllist_flex_preauth
Device(config-wireless-flex-profile-acl)# end
Local Mode
Example: Defining Preauth URL Filter List
This example shows how to define a URL filter list (pre-authentication):
Device# configure terminal
Device(config)# urlfilter list urllist_local_preauth
Device(config-urlfilter-params)# action permit
Device(config-urlfilter-params)# redirect-server-ipv4 9.1.0.101
Device(config-urlfilter-params)# redirect-server-ipv6 2001:300:8::82
Device(config-urlfilter-params)# url url1.dns.com
Device(config-urlfilter-params)# end
Example: Defining Postauth URL Filter List
This example shows how to define a URL filter list (post-authentication):
Device# configure terminal
Device(config)# urlfilter list urllist_local_postauth
Device(config-urlfilter-params)# action permit
Device(config-urlfilter-params)# filter-type post-authentication
Device(config-urlfilter-params)# redirect-server-ipv4 9.1.0.101
Device(config-urlfilter-params)# redirect-server-ipv6 2001:300:8::82
Device(config-urlfilter-params)# url url1.dns.com
Device(config-urlfilter-params)# end
Example: Applying URL Filter List to Policy Profile
This example shows how to apply a URL list to the policy profile in local mode:
Device# configure terminal
Device(config)# wireless profile policy default-policy-profile
Device(config-wireless-policy)# urlfilter list pre-auth-filter urllist_local_preauth
Device(config-wireless-policy)# urlfilter list post-auth-filter urllist_local_postauth
Device(config-wireless-policy)# end
Verifying DNS Snoop Agent (DSA)
To view details of the DNS snooping agent client, use the following command:
Device# show platform hardware chassis active qfp feature dns-snoop-agent client
To view details of the DSA enabled interface, use the following command:
Device# show platform hardware chassis active qfp feature dns-snoop-agent client enabled-intf
To view the pattern list in uCode memory, use the following command:
Device# show platform hardware chassis active qfp feature dns-snoop-agent client hw-pattern-list
To view the OpenDNS string for the pattern list, use the following command:
Device# show platform hardware chassis active qfp feature dns-snoop-agent client hw-pattern-list odns_string
To view the FQDN filter for the pattern list, use the following command:
Device# show platform hardware chassis active qfp feature dns-snoop-agent client hw-pattern-list fqdn-filter <fqdn_filter_ID>
Note The valid range of fqdn_filter_ID is from 1 to 16.
To view details of the DSA client, use the following command:
Device# show platform hardware chassis active qfp feature dns-snoop-agent client info
To view the pattern list in CPP client, use the following command:
Device# show platform hardware chassis active qfp feature dns-snoop-agent client pattern-list
To view the OpenDNS string for the pattern list, use the following command:
Device# show platform hardware chassis active qfp feature dns-snoop-agent client pattern-list odns_string
To view the FQDN filter for the pattern list, use the following command:
Device# show platform hardware chassis active qfp feature dns-snoop-agent client pattern-list fqdn-filter <fqdn_filter_ID>
Note The valid range of fqdn_filter_ID is from 1 to 16.
To view details of the DSA datapath, use the following command:
Device# show platform hardware chassis active qfp feature dns-snoop-agent datapath
To view details of the DSA IP cache table, use the following command:
Device# show platform hardware chassis active qfp feature dns-snoop-agent datapath ip-cache
To view details of the DSA address entry, use the following command:
Device# show platform hardware chassis active qfp feature dns-snoop-agent datapath ip-cache address {ipv4 <IPv4_addr> | ipv6 <IPv6_addr>}
To view details of all the DSA IP cache address, use the following command:
Device# show platform hardware chassis active qfp feature dns-snoop-agent datapath ip-cache all
To view details of the DSA IP cache pattern, use the following command:
Device# show platform hardware chassis active qfp feature dns-snoop-agent datapath ip-cache pattern <pattern>
To view details of the DSA datapath memory, use the following command:
Device# show platform hardware chassis active qfp feature dns-snoop-agent datapath memory
To view the DSA regular expression table, use the following command:
Device# show platform hardware chassis active qfp feature dns-snoop-agent datapath regexp-table
To view the DSA statistics, use the following command:
Device# show platform hardware chassis active qfp feature dns-snoop-agent datapath stats
Information About Flex Client IPv6 Support with WebAuth Pre and Post ACL
IOS IPv6 ACLs are used to send the webauth ACL to an AP. ACL definitions are pushed to the AP on a change in the ACL policies of the Flex profile (a new, deleted or modified ACL) and in the following events:
· AP join.
· New ACL mapping in a new Flex profile.
· Configuring IPv6 ACL definition in Flex profile.
Default Local Web Authentication ACLs
The pre-defined default LWA IPv6 ACL is pushed to the AP and plumbed to the data plane.
Default External Web Authentication ACL
The default EWA ACLs are derived from the redirect portal address configured in the parameter map. The following list covers the types of default EWA ACLs:
· Security ACL--Pushed and plumbed to AP.
· Intercept ACL--Pushed and plumbed to data plane.
FQDN ACL
· FQDN ACL is encoded along with IPv6 ACL and sent to AP.
· FQDN ACL is always a custom ACL.
The following applies to Flex and Local mode:
· If you are migrating from AireOS, you need to explicitly execute the following commands:
redirect append ap-mac tag ap_mac
redirect append wlan-ssid tag wlan
redirect append client-mac tag client_mac
· If the login page has any resource that needs to be fetched from the server, you need to include those resource URLs in URL filtering.
· If you are trying to access an IPv6 URL and you have an IPv4 web server, the controller redirects the client to an internal page because domain redirection is not supported. It is recommended to have a dual-stack web server and to configure a virtual IPv6 address in the global parameter map.

Enabling Pre-Authentication ACL for LWA and EWA (GUI)
Procedure

Step 1 Choose Configuration > Tags & Profiles > WLANs.
Step 2 Click Add.
Step 3 In the General tab, enter the Profile Name, the SSID and the WLAN ID.
Step 4 Choose the Security > Layer2 tab. Uncheck the WPAPolicy, AES and 802.1x check boxes.
Step 5 Choose the Security > Layer3 tab. Choose the Web Auth Parameter Map from the Web Auth Parameter Map drop-down list and the authentication list from the Authentication List drop-down list. Click Show Advanced Settings and, under the Preauthenticated ACL settings, choose the IPv6 ACL from the IPv6 drop-down list.
Step 6 Choose the Security > AAA tab. Choose the authentication list from the Authentication List drop-down list.
Step 7 Click Apply to Device.

Enabling Pre-Authentication ACL for LWA and EWA

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wlan wlan-name wlan-id SSID-name
Example:
Device(config)# wlan wlan-demo 1 ssid-demo
Purpose: Enters the WLAN configuration sub-mode.
· wlan-name--Enter the profile name. The range is from 1 to 32 alphanumeric characters.
· wlan-id--Enter the WLAN ID. The range is from 1 to 512.
· SSID-name--Enter the Service Set Identifier (SSID) for this WLAN. If the SSID is not specified, the WLAN profile name is set as the SSID.
Note If you have already configured the WLAN, enter the wlan wlan-name command.

Step 3
Command or Action: ipv6 traffic-filter web acl_name-preauth
Example:
Device(config-wlan)# ipv6 traffic-filter web preauth_v6_acl
Purpose: Creates a pre-authentication ACL for web authentication.

Step 4
Command or Action: no security wpa
Example:
Device(config-wlan)# no security wpa
Purpose: Disables the WPA security.

Step 5
Command or Action: no security wpa wpa2 ciphers aes
Example:
Device(config-wlan)# no security wpa wpa2 ciphers aes
Purpose: Disables WPA2 ciphers for AES.

Step 6
Command or Action: no security wpa akm dot1x
Example:
Device(config-wlan)# no security wpa akm dot1x
Purpose: Disables security AKM for dot1x.

Step 7
Command or Action: security web-auth
Example:
Device(config-wlan)# security web-auth
Purpose: Configures web authentication.

Step 8
Command or Action: security web-auth authentication-list authenticate-list-name
Example:
Device(config-wlan)# security web-auth authentication-list wcm_dot1x
Purpose: Enables the authentication list for the WLAN.

Step 9
Command or Action: security web-auth parameter-map parameter-map-name
Example:
Device(config-wlan)# security web-auth parameter-map param-custom-webconsent
Purpose: Maps the parameter map.

Step 10
Command or Action: no shutdown
Example:
Device(config-wlan)# no shutdown
Purpose: Enables the WLAN.

Enabling Post-Authentication ACL for LWA and EWA (GUI)
Procedure

Step 1 Choose Configuration > Tags & Profiles > WLANs.
Step 2 Click Add.
Step 3 In the General tab, enter the Profile Name. The Profile Name is the profile name of the policy profile.
Step 4 Enter the SSID and the WLAN ID.
Step 5 Click Apply to Device.

Enabling Post-Authentication ACL for LWA and EWA

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wireless profile policy profile-name
Example:
Device(config)# wireless profile policy test1
Purpose: Creates the policy profile for the WLAN. The profile-name is the profile name of the policy profile.

Step 3
Command or Action: ipv6 acl acl_name
Example:
Device(config-wireless-policy)# ipv6 acl testacl
Purpose: Creates a named WLAN ACL.

Step 4
Command or Action: end
Example:
Device(config-wireless-policy)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Enabling DNS ACL for LWA and EWA (GUI)
Procedure

Step 1 Choose Configuration > Tags & Profiles > WLANs.
Step 2 Click Add.
Step 3 In the General tab, enter the Profile Name. The Profile Name is the profile name of the policy profile.
Step 4 Enter the SSID and the WLAN ID.
Step 5 Click Apply to Device.

Enabling DNS ACL for LWA and EWA

Note Post-authentication DNS ACL is not supported.

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wireless profile policy profile-name
Example:
Device(config)# wireless profile policy test1
Purpose: Creates the policy profile for the WLAN. The profile-name is the profile name of the policy profile.

Step 3
Command or Action: end
Example:
Device(config)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Verifying Flex Client IPv6 Support with WebAuth Pre and Post ACL
To verify the client state after L2 authentication, use the following command:
Device# show wireless client summary
Number of Local Clients: 1

MAC Address     AP Name           WLAN  State            Protocol  Method  Role
-------------------------------------------------------------------------------
1491.82b8.f8c1  AP4001.7A03.544C  4     Webauth Pending  11n(5)    None    Local

Number of Excluded Clients: 0

To verify the IP state, discovery, and MAC, use the following command:
Device# show wireless dev da ip

IP                                STATE      DISCOVERY    MAC
----------------------------------------------------------------------------
15.30.0.4                         Reachable  ARP          1491.82b8.f8c1
2001:15:30:0:d1d7:ecf3:7940:af60  Reachable  IPv6 Packet  1491.82b8.f8c1
fe80::595e:7c29:d7c:3c84          Reachable  IPv6 Packet  1491.82b8.f8c1

CHAPTER 91

Allowed List of Specific URLs

· Allowed List of Specific URLs, on page 805
· Adding URL to Allowed List, on page 805
· Verifying URLs on the Allowed List, on page 807
Allowed List of Specific URLs
This feature lets you add specific URLs to an allowed list on the controller or the AP so that those URLs remain available for use even when there is no connectivity to the internet. You can add URLs to the allowed list for web authentication of a captive portal and for a walled garden. Authentication is not required to access the URLs on the allowed list. When you try to access sites that are not on the allowed list, you are redirected to the Login page.

Adding URL to Allowed List

Procedure

Step 1  configure terminal
        Example:
        Device# configure terminal
        Purpose: Enters global configuration mode.

Step 2  urlfilter list <urlfilter-name>
        Example:
        Device(config)# urlfilter list url-allowedlist-nbn
        Purpose: Configures the URL filter profile.

Step 3  action [deny | permit]
        Example:
        Device(config-urlfilter-params)# action permit
        Purpose: Configures the list as an allowed list. The permit command configures the list as an allowed list and the deny command configures the list as a blocked list.

Step 4  {redirect-server-ipv4 | redirect-server-ipv6}
        Example:
        Device(config-urlfilter-params)# redirect-server-ipv4 X.X.X.X
        Purpose: Configures the IP address of the redirect server to which user requests are redirected in case of denied requests.

Step 5  url url-to-be-allowed
        Example:
        Device(config-urlfilter-params)# url www.cisco.com
        Purpose: Configures the URL to be allowed.

Note The controller uses two IP addresses, and the mechanism only allows one portal IP to be allowed. To allow pre-authentication access to more HTTP resources, you need to use URL filters, which dynamically open holes in the intercept (redirect) and security (preauth) ACLs for the IPs related to the website whose URL you enter in the URL filter. DNS requests are dynamically snooped so that the controller learns the IP addresses of those URLs and adds them to the ACLs dynamically.

Note redirect-server-ipv4 and redirect-server-ipv6 are applicable only in local mode, specifically in post-authentication. For any further tracking or for displaying warning messages, the denied user request is redirected to the configured server.
The redirect-server-ipv4 and redirect-server-ipv6 configurations do not apply to the pre-authentication scenario, because any denied access is redirected to the controller's redirect login URL.
You can associate the allowed URL with the ACL policy in flex profile.
Example

Associating the allowed URL with the ACL policy in flex profile:

Device(config)# wireless profile flex default-flex-profile
Device(config-wireless-flex-profile)# acl-policy user_v4_acl
Device(config-wireless-flex-profile-acl)# urlfilter list url_allowedlist_nbn
Device(config-wireless-flex-profile-acl)# exit
Device(config-wireless-flex-profile)# description "default flex profile"

Device(config)# urlfilter enhanced-list urllist_pre_cwa
Device(config-urlfilter-enhanced-params)# url url1.dns.com preference 1 action permit
Device(config-urlfilter-enhanced-params)# url url2.dns.com preference 2 action deny
Device(config-urlfilter-enhanced-params)# url url3.dns.com preference 3 action permit

Device(config)# wlan wlan5 5 wlan5
Device(config-wlan)# ip access-group web user_v4_acl
Device(config-wlan)# no security wpa
Device(config-wlan)# no security wpa wpa2 ciphers aes
Device(config-wlan)# no security wpa akm dot1x
Device(config-wlan)# security web-auth
Device(config-wlan)# security web-auth authentication-list default
Device(config-wlan)# security web-auth parameter-map global
Device(config-wlan)# no shutdown
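The note above describes the mechanism behind the URL filter: the controller snoops DNS replies for the hostnames on the allowed list and dynamically opens holes in the pre-authentication ACL for the addresses it learns, while everything else from an unauthenticated client is still redirected to the login page. The following Python model is an added illustration of that behaviour and is not Cisco code; the allowed-list entries, the DNS answers and the literal hostname-matching rule are constructed assumptions, since the guide does not spell out the controller's exact matching logic.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample allowed list: the hostnames an operator would enter with
# "url <name>" under an "urlfilter list" that has "action permit".
ALLOWED_URLS = ["www.cisco.com", "url1.dns.com"]

# Constructed DNS answers as the controller would see them in snooped replies:
# (owner name, record type, rdata). Only A/AAAA answers carry addresses.
SAMPLE_DNS_ANSWERS = [
    ("www.cisco.com", "A", "192.0.2.10"),
    ("www.cisco.com", "AAAA", "2001:db8::10"),
    ("www.cisco.com", "CNAME", "edge.example.net"),
    ("www.example.org", "A", "198.51.100.7"),
]


@dataclass
class PreAuthAcl:
    """Holes dynamically opened in the pre-auth (security) ACL, keyed by the
    learned address and recording which allowed-list entry justified each."""
    permitted: Dict[str, str] = field(default_factory=dict)

    def permit(self, ip: str, entry: str) -> None:
        # Normalise so "2001:DB8::10" and "2001:db8::10" are the same hole.
        self.permitted[str(ipaddress.ip_address(ip))] = entry

    def allows(self, ip: str) -> bool:
        try:
            return str(ipaddress.ip_address(ip)) in self.permitted
        except ValueError:
            return False            # not an IP address at all: never permitted


def match_allowed_entry(qname: str, allowed: List[str]) -> Optional[str]:
    """Exact (case-insensitive) hostname match against the allowed list.
    Assumption: the guide does not describe the controller's matching rules,
    so this stand-in matches the configured name literally."""
    q = qname.lower().rstrip(".")
    for entry in allowed:
        if q == entry.lower().rstrip("."):
            return entry
    return None


def snoop_dns_answers(answers, allowed, acl: PreAuthAcl) -> List[Tuple[str, str]]:
    """Learn addresses for allowed hostnames from snooped DNS answers and open
    the corresponding holes. Returns the (entry, address) pairs learned."""
    learned = []
    for name, rtype, rdata in answers:
        if rtype not in ("A", "AAAA"):
            continue                # only address records can populate an ACL
        entry = match_allowed_entry(name, allowed)
        if entry is None:
            continue                # not on the allowed list: no hole is opened
        acl.permit(rdata, entry)
        learned.append((entry, rdata))
    return learned


def pre_auth_decision(dst_ip: str, acl: PreAuthAcl) -> str:
    """Fate of a not-yet-authenticated client's request: traffic to a learned
    address passes; everything else is redirected to the controller's login
    page (redirect-server-ipv4/ipv6 play no role before authentication)."""
    return "permit" if acl.allows(dst_ip) else "redirect-to-controller-login"


if __name__ == "__main__":
    acl = PreAuthAcl()
    for entry, addr in snoop_dns_answers(SAMPLE_DNS_ANSWERS, ALLOWED_URLS, acl):
        print(f"learned {addr} for {entry}")
    for dst in ("192.0.2.10", "2001:db8::10", "198.51.100.7"):
        print(dst, "->", pre_auth_decision(dst, acl))
```

The CNAME answer is deliberately ignored: only the final A/AAAA records yield addresses, which is why a site fronted by a CDN may need several holes, one per address the client resolves.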

Verifying URLs on the Allowed List

To verify the summary and the details of the URLs on the allowed list, use the following show commands:

Device# show wireless urlfilter summary
Black-list - DENY
White-list - PERMIT
Filter-Type - Specific to Local Mode

URL-List        ID  Filter-Type  Action  Redirect-ipv4  Redirect-ipv6
-------------------------------------------------------------------------------------------------------------
url-whitelist   1   PRE-AUTH     PERMIT  1.1.1.1
Device#

Device# show wireless urlfilter details url-whitelist
List Name................. : url-whitelist
Filter ID................. : 1
Filter Type............... : PRE-AUTH
Action.................... : PERMIT
Redirect server ipv4...... : 1.1.1.1
Redirect server ipv6...... :
Configured List of URLs
  URL.................... : www.cisco.com

CHAPTER 92

Policy Enforcement and Usage Monitoring

· Policy Enforcement and Usage Monitoring, on page 809
· Configuring Policy Enforcement and Enabling Change-of-Authorization (CLI), on page 809
· Example: Configuring Policy Enforcement and Usage Monitoring, on page 810
· Verifying Policy Usage and Enforcement, on page 811

Policy Enforcement and Usage Monitoring
You can enforce dynamic QoS policies and upstream and downstream TCP or UDP data rates on 802.11 clients seamlessly, without disrupting the clients' ongoing sessions. The feature ensures that clients do not have to be dissociated from the network. All the authentication methods (802.1X, PSK, web authentication, and so on) are supported.
The APs periodically send client statistics, including bandwidth usage, to the controller. The AAA server receives Accounting-Interim messages that include each client's data utilization at the configured intervals. The AAA server accumulates the data consumption of each client and, when the client exhausts the data limit, sends a change-of-authorization (CoA) message to the controller. Upon a successful CoA handshake, the controller applies the new policies and sends them to the APs.
Restrictions on Policy Enforcement and Usage Monitoring
· Only FlexConnect local switching mode is supported.

Configuring Policy Enforcement and Enabling Change-of-Authorization (CLI)

For more information, see the Utilities for Configuring Security section of this guide.

Procedure

Step 1  configure terminal
        Example:
        Device# configure terminal
        Purpose: Enters global configuration mode.

Step 2  aaa server radius dynamic-author
        Example:
        Device(config)# aaa server radius dynamic-author
        Purpose: Creates a local server RADIUS profile in the controller.

Step 3  client client-ip-addr server-key key
        Example:
        Device(config-locsvr-da-radius)# client 3.2.4.3 server-key testpwd
        Purpose: Configures a server key for a RADIUS client.

Step 4  [Optional] show aaa command handler
        Example:
        Device# show aaa command handler
        Purpose: Displays the AAA CoA packet statistics.

Example: Configuring Policy Enforcement and Usage Monitoring
Policy enforcement and usage monitoring is applied on a group where a class-map is created for QOS policies. This is done via CoA.
Given below is a sample configuration for policy enforcement and usage monitoring:
aaa new-model
radius server radius_free
 address ipv4 10.0.0.1 auth-port 1812 acct-port 1813
 key cisco123
 exit
aaa server radius dynamic-author
 client 10.0.0.1 server-key cisco123
aaa group server radius rad_eap
 server name radius_free
 exit
dot1x system-auth-control
aaa authentication dot1x eap_methods group rad_eap

class-map client_dscp_clsmapout
 match dscp af13
 exit
class-map client_dscp_clsmapin
 match dscp af13
 exit
policy-map qos_new
 class client_dscp_clsmapout
  police 512000 conform-action transmit exceed-action drop
policy-map qos_nbn
 class client_dscp_clsmapin
  police 16000000 conform-action transmit exceed-action drop

wlan test1 3 test2
 broadcast-ssid
 security wpa wpa2 ciphers aes
 security dot1x authentication-list eap_methods
 no shutdown
 exit
wireless profile policy named-policy-profile
 shutdown
 vlan 10
 aaa-override
 no central association
 no central dhcp
 no central switching
 no shutdown
wireless tag policy named-policy-tag
 wlan test1 policy named-policy-profile
wireless profile flex FP_name_001
 native-vlan-id 10
wireless tag site ST_name_001
 no local-site
 flex-profile FP_name_001
 exit
ap test-ap
 policy-tag named-policy-tag
 site-tag ST_name_001
 exit
aaa authorization network default group radius
exit
Verifying Policy Usage and Enforcement
To view the detailed information about the policies applied to a specific client, use the following command:
Device# show wireless client mac-address mac-address detail
To view client-level mobility statistics, use the following command:
Device# show wireless client mac-address mac-address mobility statistics
To view client-level roaming history for an active client in a sub-domain, use the following command:
Device# show wireless client mac-address mac-address mobility history
To view detailed parameters of a given profile policy, use the following command:
Device# show wireless profile policy detailed policy-name

CHAPTER 93

Web-Based Authentication

This chapter describes how to configure web-based authentication on the device. It contains these sections:
· Local Web Authentication Overview, on page 813
· How to Configure Local Web Authentication, on page 821
· Configuration Examples for Local Web Authentication, on page 843
· External Web Authentication (EWA), on page 848
· Authentication for Sleeping Clients, on page 853
· Sleeping Clients with Multiple Authentications, on page 855
Local Web Authentication Overview
Web authentication is a Layer 3 security solution designed to provide easy and secure guest access to hosts on a WLAN with open authentication or appropriate Layer 2 security methods. Web authentication allows users to get authenticated through a web browser on a wireless client, with minimal configuration on the client side. It allows users to associate with an open SSID without having to set up a user profile. The host receives an IP address and DNS information from the DHCP server, but cannot access any network resources until it authenticates successfully. When the host connects to the guest network, the WLC redirects the host to an authentication web page where the user needs to enter valid credentials. The credentials are authenticated by the WLC or an external authentication server and, if authentication succeeds, the user is given full access to the network. Hosts can also be given limited access to particular network resources before authentication, for which the pre-authentication ACL functionality needs to be configured. The following are the different types of web authentication methods:
· Local Web Authentication (LWA): Configured as Layer 3 security on the controller. The web authentication page and the pre-authentication ACL are locally configured on the controller. The controller intercepts HTTP(S) traffic and redirects the client to the internal web page for authentication. The credentials entered by the client on the login page are authenticated by the controller locally or through a RADIUS or LDAP server.
· External Web Authentication (EWA): Configured as Layer 3 security on the controller. The controller intercepts HTTP(S) traffic and redirects the client to the login page hosted on the external web server. The credentials entered by the client on the login page are authenticated by the controller locally or through a RADIUS or LDAP server. The pre-authentication ACL is configured statically on the controller.
· Central Web Authentication (CWA): Configured mostly as Layer 2 security on the controller. The redirection URL and the pre-authentication ACL reside on ISE and are pushed to the controller during Layer 2 authentication. The controller redirects all web traffic from the client to the ISE login page. ISE validates the credentials entered by the client through HTTPS and authenticates the user.
Use the local web authentication feature, known as web authentication proxy, to authenticate end users on host systems that do not run the IEEE 802.1x supplicant. When a client initiates an HTTP session, local web authentication intercepts ingress HTTP packets from the host and sends an HTML login page to the users. The users enter their credentials, which the local web authentication feature sends to the authentication, authorization, and accounting (AAA) server for authentication. If authentication succeeds, local web authentication sends a Login-Successful HTML page to the host and applies the access policies returned by the AAA server. If authentication fails, local web authentication forwards a Login-Fail HTML page to the user, prompting the user to retry the login. If the user exceeds the maximum number of attempts, local web authentication forwards a Login-Expired HTML page to the host, and the user is excluded with the exclusion reason as Web authentication failure. When a client reaches maximum HTTP connections (maximum of 200 connections when configured), it will cause Transmission Control Protocol (TCP) resets and client exclusion.
Note You should use either the global or a named parameter-map under the WLAN (for method-type, custom, and redirect) when using the same web authentication methods, such as consent, web consent, and webauth. The global parameter-map is applied by default if no parameter-map is configured under the WLAN.
Note The traceback that you receive when a webauth client tries to authenticate does not have any performance or behavioral impact. It happens rarely, when the context for which FFM replied back to EPM for ACL application has already been dequeued (possibly due to timer expiry) and the session becomes 'unauthorized'.
Note When command authorization is enabled as a part of AAA Authorization configuration through TACACS and the corresponding method list is not configured as a part of the HTTP configuration, WebUI pages will not load any data. However, some wireless feature pages may work as they are privilege based and not command based.
Based on where the web pages are hosted, the local web authentication can be categorized as follows:
· Internal--The internal default HTML pages (Login, Success, Fail, and Expire) in the controller are used during the local web authentication.
· Customized--The customized web pages (Login, Success, Fail, and Expire) are downloaded onto the controller and used during the local web authentication.
· External--The customized web pages are hosted on the external web server instead of using the in-built or custom web pages.
Based on the various web authentication pages, the types of web authentication are as follows:
· Webauth--This is a basic web authentication. Herein, the controller presents a policy page with the user name and password. You need to enter the correct credentials to access the network.
· Consent or web-passthrough--Herein, the controller presents a policy page with the Accept or Deny buttons. You need to click the Accept button to access the network.
· Webconsent--This is a combination of webauth and consent web authentication types. Herein, the controller presents a policy page with Accept or Deny buttons along with user name or password. You need to enter the correct credentials and click the Accept button to access the network.

Note
· You can view the webauth parameter-map information using the show running-config command output.
· The wireless Web-Authentication feature does not support the bypass type.
· A change in the web authentication parameter map redirect login URL does not take effect until an AP rejoin happens. You must enable and disable the WLAN to apply the new URL redirection.

Note We recommend that you follow the Cisco guidelines to create a customized web authentication login page. If you have upgraded to the latest versions of Google Chrome or Mozilla Firefox browsers, ensure that your webauth bundle has the following line in the login.html file:
<body onload="loadAction();">
Device Roles
With local web authentication, the devices in the network have these specific roles:
· Client--The device (workstation) that requests access to the network and the controller and responds to requests from the controller. The workstation must be running an HTML browser with JavaScript enabled.
· Authentication server--Authenticates the client. The authentication server validates the identity of the client and notifies the controller that the client is authorized to access the network and the controller services or that the client is denied.
· Controller--Controls the physical access to the network based on the authentication status of the client. The controller acts as an intermediary (proxy) between the client and the authentication server, requesting identity information from the client, verifying that information with the authentication server, and relaying a response to the client.

Figure 20: Local Web Authentication Device Roles

Authentication Process
When the page is hosted on the controller, the controller uses its virtual IP (a non-routable IP like 192.0.2.1 typically) to serve the request. If the page is hosted externally, the web redirection sends the client first to the virtual IP, which then sends the user again to the external login page while it adds arguments to the URL, such as the location of the virtual IP. Even when the page is hosted externally, the user submits its credentials to the virtual IP. When you enable local web authentication, these events occur:
· The user initiates an HTTP session.
· The HTTP traffic is intercepted, and authorization is initiated. The controller sends the login page to the user. The user enters a username and password, and the controller sends the entries to the authentication server.
· If the authentication succeeds, the controller downloads and activates the user's access policy from the authentication server. The login success page is sent to the user.
· If the authentication fails, the controller sends the login fail page. The user retries the login. If the maximum number of attempts fails, the controller sends the login expired page, and the host is placed in a watch list. After the watch list times out, the user can retry the authentication process.
· If the authentication server is not available, after the web authentication retries the client moves to the excluded state and receives an Authentication Server is Unavailable page.
· The controller reauthenticates a client when the host does not respond to an ARP probe on a Layer 2 interface, or when the host does not send any traffic within the idle timeout on a Layer 3 interface.
· Web authentication sessions cannot apply a new VLAN as part of the authorization policy, because the client has already been assigned an IP address and you cannot change the IP address on the client if the VLAN changes.
· If the terminate action is default, the session is dismantled, and the applied policy is removed.
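The event sequence listed above, together with the exclusion rule in the earlier paragraph (a failed retry limit excludes the client with the reason Web authentication failure; an unreachable server leads to exclusion with the Authentication Server is Unavailable page), is modelled below as an added Python state machine. It is an illustration written for this section, not controller code: the credential store, the policy attributes, the retry limit MAX_ATTEMPTS and the state names are constructed assumptions, since the guide states that a maximum number of attempts exists but not its value.

```python
import hmac
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Constructed stand-in for the controller's local user database (or the answer a
# RADIUS/LDAP server would give). A real deployment never keeps plaintext here.
LOCAL_USERS = {"guest1": "Welcome123"}

# Assumed retry limit; the guide describes a maximum number of attempts but does
# not state the number.
MAX_ATTEMPTS = 3

AaaBackend = Callable[[str, str], Tuple[str, Optional[dict]]]


def local_aaa(username: str, password: str) -> Tuple[str, Optional[dict]]:
    """Verdict from a reachable server: 'accept' with a policy, or 'reject'."""
    expected = LOCAL_USERS.get(username)
    if expected is not None and hmac.compare_digest(expected, password):
        # Constructed policy attributes the server would return on success.
        return "accept", {"acl": "guest_acl", "session_timeout": 3600}
    return "reject", None


def unreachable_aaa(username: str, password: str) -> Tuple[str, Optional[dict]]:
    """Verdict when the authentication server cannot be reached at all."""
    return "unavailable", None


@dataclass
class WebAuthSession:
    mac: str
    state: str = "webauth_pending"      # the "Webauth Pending" client state
    attempts: int = 0
    policy: Optional[dict] = None
    exclusion_reason: Optional[str] = None

    def http_request(self) -> str:
        """First HTTP session: intercepted and answered with the login page."""
        if self.state == "webauth_pending":
            return "Login"
        if self.state == "authenticated":
            return "pass-through"
        return "blocked"                # excluded clients get nothing

    def submit_credentials(self, username: str, password: str, aaa: AaaBackend) -> str:
        """Returns the page the client is sent after one login attempt."""
        if self.state != "webauth_pending":
            return "blocked"
        self.attempts += 1
        verdict, policy = aaa(username, password)
        if verdict == "accept":
            self.state = "authenticated"
            self.policy = policy        # access policy from the AAA server is applied
            return "Login-Successful"
        if verdict == "unavailable":
            if self.attempts >= MAX_ATTEMPTS:
                self.state = "excluded"
                self.exclusion_reason = "Authentication server unavailable"
                return "Authentication Server is Unavailable"
            return "Login"              # retry while the server stays unreachable
        if self.attempts >= MAX_ATTEMPTS:
            self.state = "excluded"
            self.exclusion_reason = "Web authentication failure"
            return "Login-Expired"      # host goes on the watch list
        return "Login-Fail"             # prompt the user to retry

    def watch_list_timeout(self) -> None:
        """Watch-list expiry: the client may start the process again."""
        if self.state == "excluded":
            self.state = "webauth_pending"
            self.attempts = 0
            self.exclusion_reason = None
```

Note that credentials submitted while the client is excluded are ignored rather than counted; the only way back to the pending state is the watch-list timeout, which matches the sequence described above.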
Note Do not use semicolons (;) while configuring username for GUI access.
Local Web Authentication Banner
With Web Authentication, you can create default and customized web-browser banners that appear when you log in to the controller. The banner appears on both the login page and the authentication-result pop-up pages. The default banner messages are as follows:
· Authentication Successful
· Authentication Failed
· Authentication Expired
The Local Web Authentication Banner can be configured as follows:
· Use the following global configuration command:

Device(config)# parameter-map type webauth global
Device(config-params-parameter-map)# banner ?
  file   <file-name>
  text   <Banner text>
  title  <Banner title>

The default banner Cisco Systems and Switch host-name Authentication appear on the Login Page. Cisco Systems appears on the authentication result pop-up page.
Figure 21: Authentication Successful Banner

The banner can be customized as follows:
· Add a message, such as switch, router, or company name to the banner:
  · New-style mode--Use the following global configuration command:
    parameter-map type webauth global
    banner text <text>
· Add a logo or text file to the banner:
  · New-style mode--Use the following global configuration command:
    parameter-map type webauth global
    banner file <filepath>
Figure 22: Customized Web Banner

If you do not enable a banner, only the username and password dialog boxes appear in the web authentication login screen, and no banner appears when you log into the switch.

Figure 23: Login Screen With No Banner

Customized Local Web Authentication
During the local web authentication process, the switch's internal HTTP server hosts four HTML pages to deliver to an authenticating client. The server uses these pages to notify you of these four authentication process states:
· Login: Your credentials are requested
· Success: The login was successful
· Fail: The login failed
· Expire: The login session has expired because of excessive login failures

Note Virtual IP address is mandatory to configure custom web authentication.

Guidelines

· You can substitute your own HTML pages for the default internal HTML pages.
· You can use a logo or specify text in the login, success, failure, and expire web pages.
· On the banner page, you can specify text in the login page.
· The pages are in HTML.

· You must include an HTML redirect command in the success page to access a specific URL.
· The URL string must be a valid URL (for example, http://www.cisco.com). An incomplete URL might cause page not found or similar errors on a web browser.
· If you configure web pages for HTTP authentication, they must include the appropriate HTML commands (for example, to set the page time out, to set a hidden password, or to confirm that the same page is not submitted twice). The custom page samples in the webauth bundle are provided with the image and the details of what you can and cannot change.
· The CLI command to redirect users to a specific URL is not available when the configured login form is enabled. The administrator should ensure that the redirection is configured in the web page.
· If the CLI command redirecting users to specific URL after authentication occurs is entered and then the command configuring web pages is entered, the CLI command redirecting users to a specific URL does not take effect.
· Configured web pages can be copied to the switch boot flash or flash.
· The login page can be on one flash, and the success and failure pages can be another flash (for example, the flash on the active switch or a member switch).
· You must configure all four pages.
· All of the logo files (image, flash, audio, video, and so on) that are stored in the system directory (for example, flash, disk0, or disk) and that are displayed on the login page must use web_auth_<filename> as the file name.
· The configured authentication proxy feature supports both HTTP and SSL.
You can substitute your HTML pages for the default internal HTML pages. You can also specify a URL to which users are redirected after authentication occurs, which replaces the internal Success page.
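Several of the guidelines above are mechanical checks that can be run against a webauth bundle before it is uploaded: all four pages present, an HTML redirect in the success page pointing at a full URL (scheme and host, as the guide requires), logo files named web_auth_<filename>, and the <body onload="loadAction();"> line from the earlier note in login.html. The Python checker below is an added example for this section, not a Cisco tool; the file names success.html, fail.html and expire.html, the media-extension set and the two sample bundles are constructed assumptions (the guide itself names only login.html), and accepting https:// alongside http:// follows the guideline that the proxy supports SSL.

```python
import os
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Assumed file names for the four pages; the guide names only login.html.
REQUIRED_PAGES = {
    "Login": "login.html",
    "Success": "success.html",
    "Fail": "fail.html",
    "Expire": "expire.html",
}
# Line the guide requires in login.html for current Chrome/Firefox versions.
ONLOAD_LINE = '<body onload="loadAction();">'
# Constructed set of media extensions treated as "logo files" for the naming rule.
MEDIA_EXTENSIONS = {".png", ".gif", ".jpg", ".jpeg", ".swf", ".mp3", ".mp4"}

# HTML meta-refresh redirect: <meta http-equiv="refresh" content="N; url=...">
META_REFRESH_RE = re.compile(
    r'<meta\s+http-equiv=["\']refresh["\']\s+content=["\']\s*\d+\s*;\s*url=([^"\']+)["\']',
    re.IGNORECASE,
)


def redirect_target(html: str) -> Optional[str]:
    """The URL of an HTML meta-refresh redirect, or None if the page has none."""
    m = META_REFRESH_RE.search(html)
    return m.group(1).strip() if m else None


def is_full_url(url: str) -> bool:
    """A redirection URL needs a scheme and a host; 'www.cisco.com' alone
    produces page-not-found errors in the browser."""
    parts = urlparse(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def validate_bundle(files: Dict[str, str]) -> List[str]:
    """Check a webauth bundle (file name -> contents) against the guidelines.
    Returns a list of problems; an empty list means the bundle passed."""
    problems = []
    for role, name in REQUIRED_PAGES.items():
        if name not in files:
            problems.append(f"{role} page {name} is missing; all four pages must be configured")
    login = files.get(REQUIRED_PAGES["Login"])
    if login is not None and ONLOAD_LINE not in login:
        problems.append(f"{REQUIRED_PAGES['Login']} lacks {ONLOAD_LINE}")
    success = files.get(REQUIRED_PAGES["Success"])
    if success is not None:
        target = redirect_target(success)
        if target is None:
            problems.append(f"{REQUIRED_PAGES['Success']} has no HTML redirect command")
        elif not is_full_url(target):
            problems.append(f"{REQUIRED_PAGES['Success']} redirects to {target!r}, which is not a full URL")
    for name in files:
        ext = os.path.splitext(name)[1].lower()
        if ext in MEDIA_EXTENSIONS and not name.startswith("web_auth_"):
            problems.append(f"logo file {name} must be named web_auth_<filename>")
    return problems


# Constructed sample bundles (binary media is represented by an empty string).
GOOD_BUNDLE = {
    "login.html": '<html><body onload="loadAction();"><form method="post" action="/login.html"></form></body></html>',
    "success.html": '<html><head><meta http-equiv="refresh" content="3; url=http://www.cisco.com"></head><body>Login Successful</body></html>',
    "fail.html": "<html><body>Login Failed</body></html>",
    "expire.html": "<html><body>Login Expired</body></html>",
    "web_auth_logo.png": "",
}
BAD_BUNDLE = {
    "login.html": "<html><body><form></form></body></html>",
    "success.html": '<html><head><meta http-equiv="refresh" content="0; url=www.cisco.com"></head></html>',
    "fail.html": "<html><body>Login Failed</body></html>",
    "logo.png": "",
}

if __name__ == "__main__":
    for label, bundle in (("good", GOOD_BUNDLE), ("bad", BAD_BUNDLE)):
        print(label, validate_bundle(bundle) or "OK")
```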
Figure 24: Customizable Authentication Page

Redirection URL for Successful Login Guidelines
When configuring a redirection URL for successful login, consider these guidelines:
· If the custom authentication proxy web pages feature is enabled, the redirection URL feature is disabled and is not available in the CLI. You can perform redirection in the custom-login success page.
· If the redirection URL feature is enabled, a configured auth-proxy-banner is not used.
· To remove the specification of a redirection URL, use the no form of the command.
· If the redirection URL is required after the web-based authentication client is successfully authenticated, then the URL string must start with a valid URL (for example, http://) followed by the URL information. If only the URL is given without http://, then the redirection URL on successful authentication might cause page not found or similar errors on a web browser.

How to Configure Local Web Authentication

Configuring Default Local Web Authentication
The following table shows the default configurations required for local web authentication.

Table 36: Default Local Web Authentication Configuration

Feature                               Default Setting
------------------------------------  ---------------
AAA                                   Disabled
RADIUS server                         None specified
  · IP address
  · UDP authentication port
  · Key
Default value of inactivity timeout   3600 seconds
Inactivity timeout                    Disabled

Information About the AAA Wizard
The AAA wizard helps you to add the authentication, authorization, and accounting details without having to access multiple windows.

Note When command authorization is enabled as a part of AAA Authorization configuration through TACACS and the corresponding method list is not configured as a part of the HTTP configuration, WebUI pages will not load any data. However, some wireless feature pages may work as they are privilege-based and not command based.

Note Note the following limitations for a TACACS+ user on the 9800 WebUI:
· Users with privilege level 1-10 can only view the Monitor tab.
· Users with privilege level 15 have full access.
· Users with privilege level 15 and a command set allowing specific commands only are not supported.

Note When you configure the AAA authentication and authorization attributes, the following format must be followed:
· protocol:attr=bla
· protocol:attr#0=bla
· protocol:attr#*=bla
· attr=bla
· attr#0=bla
· attr#*=bla
attr is mapped to the supported AAA attributes. If attr is an unknown or undefined attribute, a warning message parse unknown cisco vsa is displayed when you configure the radius-server disallow unknown vendor-code command. Otherwise, the transaction will be treated as a failure. We recommend that you configure the command as per the format discussed above. Otherwise, the transaction fails. Whenever the passed attribute does not match any of the patterns mentioned, then AAA fails to decode that specific attribute and marks the request as a failure.
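The six accepted shapes and the decoding rule in the note above (a string matching none of them fails; an unknown attribute is only a warning when radius-server disallow unknown vendor-code is configured and otherwise a failure) can be made concrete with a small parser. The Python below is an added example for this section, not controller code: the set of known attribute names is a constructed sample, and accepting any decimal index after # (the note shows only #0) is a labelled generalization.

```python
import re
from typing import List, NamedTuple, Optional, Set, Tuple


class AVPair(NamedTuple):
    protocol: Optional[str]   # the "protocol:" prefix, or None
    attr: str                 # attribute name that must map to a supported AAA attribute
    index: Optional[str]      # "0" (or another decimal index), "*", or None
    value: str                # the "bla" part


# The six formats from the note: [protocol:]attr[#<index>|#*]=value.
# Assumption: a decimal index other than 0 is accepted; the note shows only #0.
_AVPAIR_RE = re.compile(
    r"""
    ^(?:(?P<protocol>[A-Za-z][A-Za-z0-9_-]*):)?   # optional protocol prefix
    (?P<attr>[A-Za-z][A-Za-z0-9_-]*)              # attribute name
    (?:\#(?P<index>\d+|\*))?                      # optional #0 / #* index
    =(?P<value>.+)$                               # value (non-empty)
    """,
    re.VERBOSE,
)

# Constructed sample of attribute names the decoder recognises.
KNOWN_ATTRS: Set[str] = {"url-redirect", "url-redirect-acl", "vlan"}


def parse_av_pair(raw: str) -> Optional[AVPair]:
    """Return the parsed pair, or None when the string matches no accepted format."""
    m = _AVPAIR_RE.match(raw.strip())
    if not m:
        return None
    return AVPair(m["protocol"], m["attr"], m["index"], m["value"])


def decode_av_pairs(
    pairs: List[str],
    known_attrs: Set[str] = KNOWN_ATTRS,
    disallow_unknown_vendor_code: bool = False,
) -> Tuple[List[AVPair], List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Apply the note's rule to a list of attribute strings.
    Returns (decoded, warnings, failures); each warning/failure is (raw, reason)."""
    decoded, warnings, failures = [], [], []
    for raw in pairs:
        pair = parse_av_pair(raw)
        if pair is None:
            failures.append((raw, "does not match any supported format"))
            continue
        if pair.attr not in known_attrs:
            if disallow_unknown_vendor_code:
                warnings.append((raw, "parse unknown cisco vsa"))
            else:
                failures.append((raw, "unknown attribute"))
            continue
        decoded.append(pair)
    return decoded, warnings, failures


# Constructed sample attribute strings as a AAA server might return them.
SAMPLE_PAIRS = [
    "ip:url-redirect=https://portal.example.net/login",
    "ip:url-redirect-acl#0=PREAUTH_ACL",
    "vlan#*=20",
    "url-redirect-acl=PREAUTH_ACL",
    "ip:bogus-attr=1",          # well-formed but unknown attribute
    "ip url-redirect=x",        # malformed: space instead of colon
]

if __name__ == "__main__":
    for flag in (False, True):
        decoded, warnings, failures = decode_av_pairs(SAMPLE_PAIRS, disallow_unknown_vendor_code=flag)
        print(f"disallow-unknown={flag}: {len(decoded)} decoded, {len(warnings)} warnings, {len(failures)} failures")
```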
To edit the details entered using the wizard, use the respective screens.
Procedure

Step 1 Step 2
Step 3

Choose Configuration > Security > AAA. Click + AAA Wizard.
The Add Wizard page is displayed.
Click RADIUS tab.
The RADIUS server option is enabled by default. You can switch between the Basic and Advanced options using the radio buttons.
a) In the Name field, enter the name of the RADIUS server. b) In the IPv4 / IPv6 Server Address field, enter the IPv4 or IPv6 address, or hostname. c) Check the PAC Key check box to enable the Protected Access Credential (PAC) authentication key
option. d) From the Key Type drop-down list, choose the authentication key type.

Cisco Catalyst 9800 Series Wireless Controller Software Configuration Guide, Cisco IOS XE Bengaluru 17.5.x 822

Security

Information About the AAA Wizard

Step 4 Step 5

e) In the Key field, enter the authentication key. f) In the Confirm Key field, re-enter the authentication key. g) Click the Advanced radio button.
This enables the Advanced options.
h) In the Auth Port field, enter the authorization port number. i) In the Acct Port field, enter the accounting port number. j) In the Server Timeout field, enter the timeout duration, in seconds. k) In the Retry Count field, enter the number of retries. l) Use the Support for CoA toggle button to enable or disable change of authorization (CoA).
Check the TACACS+ check box.
This enables the TACACS+ options. You can switch between the Basic and Advanced options using the radio buttons.
a) In the Name field, enter the TACACS+ server name. b) In the IPv4 / IPv6 Server Address field, enter the IPv4 or IPv6 address, or hostname. c) In the Key field, enter the authentication key. d) In the Confirm Key field, re-enter the authentication key. e) Click the Advanced radio button.
This enables the Advanced options.
f) In the Port field, enter the port number to use. g) In the Server Timeout field, enter the timeout duration, in seconds.
Check the LDAP check box.
This enables the LDAP options. You can switch between the Basic and Advanced options using the radio buttons.
a) In the Server Name field, enter the LDAP server name. b) In the IPv4 / IPv6 Server Address field, enter the IPv4 or IPv6 address, or hostname. c) In the Port Number field, enter the port number to use. d) From the Simple Bind drop-down list, choose the authentication key type. e) In the User Base DN field, enter the details. f) Click the Advanced radio button.
This enables the Advanced options.
g) From the User Attribute drop-down list, choose the user attribute. h) In the User Object Type field, enter the object type details and click the + icon.
The objects that have been added are listed in the area below. Use the x mark adjacent to each object to remove it.
i) In the Server Timeout field, enter the timeout duration, in seconds. j) Check the Secure Mode check box to enable secure mode.
Checking this enables the Trustpoint Name drop-down list.
k) From the Trustpoint Name drop-down list, choose the trustpoint. l) Click Next.
This enables the Server Group Association page and the RADIUS tab is selected by default.

Step 6
Perform the following actions under the RADIUS tab:
a) In the Name field, enter the name of the RADIUS server group.
b) From the MAC-Delimiter drop-down list, choose the delimiter to be used in the MAC addresses that are sent to the RADIUS servers.
c) From the MAC Filtering drop-down list, choose the value on which MAC addresses are filtered.
d) To configure the dead time for the server group and direct AAA traffic to alternative groups of servers that have different operational characteristics, enter in the Dead-Time field the amount of time, in minutes, after which a server is assumed to be dead.
e) From the Available Servers list, choose the servers that you want to include in the server group and move them to the Assigned Servers list.
f) Click Next.
The TACACS+ window is displayed if you selected TACACS+ in the server configuration.

Step 7
Use the TACACS+ window to enter the following details:
a) In the Name field, enter the name of the TACACS+ server group.
b) From the Available Servers list, choose the servers that you want to include in the server group and move them to the Assigned Servers list.
c) Click Next.
The LDAP window is displayed if you selected LDAP in the server configuration.

Step 8
Use the LDAP window to enter the following details:
a) In the Name field, enter the name of the LDAP server group.
b) From the Available Servers list, choose the servers that you want to include in the server group and move them to the Assigned Servers list.
c) Click Next.
The MAP AAA window is displayed.

Step 9
Use the check boxes to enable the Authentication, Authorization, and Accounting tabs. You cannot clear all three options; at least one must be selected.

Step 10
Use the Authentication tab to enter the authentication details:
a) In the Method List Name field, enter the name of the method list.
b) From the Type drop-down list, choose the type of authentication that you want to perform before allowing access to the network.
c) From the Group Type drop-down list, choose whether you want to assign a group of servers as your access server or use the local database to authenticate access. If you choose the local option, the Fallback to local option is removed.
d) Check the Fallback to local check box to use the local database as a fallback method when the servers in the group are unavailable.
e) From the Available Server Groups list, choose the server groups that you want to use to authenticate access to your network and click the > icon to move them to the Assigned Server Groups list.

Step 11
Check the Authorization check box to configure the authorization details:
a) In the Method List Name field, enter the name of the method list.
b) From the Type drop-down list, choose the type of authorization you want to perform before allowing access to the network.
c) From the Group Type drop-down list, choose whether you want to assign a group of servers as your access server or use the local database to authorize access. If you choose the local option, the Fallback to local option is removed.
d) Check the Fallback to local check box to use the local database as a fallback method when the servers in the group are unavailable.
e) From the Available Server Groups list, choose the server groups you want to use to authorize access to your network and click the > icon to move them to the Assigned Server Groups list.

Step 12
Check the Accounting check box to configure the accounting details:
a) In the Method List Name field, enter the name of the method list.
b) From the Type drop-down list, choose the type of accounting that you want to perform.
c) From the Available Server Groups list, choose the server groups that you want to use for accounting and click the > icon to move them to the Assigned Server Groups list.

Step 13
Click Apply to Device.

Configuring AAA Authentication (GUI)

Note: The WebUI does not support the ipv6 radius source-interface command under the AAA RADIUS server group configuration.

Procedure

Step 1 Choose Configuration > Security > AAA.
Step 2 In the Authentication section, click Add.
Step 3 In the Quick Setup: AAA Authentication window that is displayed, enter a name for your method list.
Step 4 From the Type drop-down list, choose the type of authentication you want to perform before allowing access to the network.
Step 5 From the Group Type drop-down list, choose whether you want to assign a group of servers as your access server or use the local database to authenticate access.
Step 6 To use the local database as a fallback method when the servers in the group are unavailable, check the Fallback to local check box.
Step 7 From the Available Server Groups list, choose the server groups you want to use to authenticate access to your network and click the > icon to move them to the Assigned Server Groups list.
Step 8 Click Save & Apply to Device.


Configuring AAA Authentication (CLI)

Procedure

Step 1
Command or Action: aaa new-model
Example:
Device(config)# aaa new-model
Purpose: Enables AAA functionality.

Step 2
Command or Action: aaa authentication login {default | named_authentication_list} group AAA_group_name
Example:
Device(config)# aaa authentication login default group group1
Purpose: Defines the list of authentication methods at login. named_authentication_list is any name of at most 31 characters. AAA_group_name is the server group name; the server group must be defined before it is referenced here.

Step 3
Command or Action: aaa authorization network {default | named} group AAA_group_name
Example:
Device(config)# aaa authorization network default group group1
Purpose: Creates an authorization method list for web-based authorization.

Step 4
Command or Action: tacacs server server-name
Example:
Device(config)# tacacs server yourserver
Purpose: Specifies an AAA server and enters TACACS+ server configuration mode.

Step 5
Command or Action: address {ipv4 | ipv6} ip_address
Example:
Device(config-server-tacacs)# address ipv4 10.0.1.12
Purpose: Configures the IP address of the TACACS+ server.

Step 6
Command or Action: single-connection
Example:
Device(config-server-tacacs)# single-connection
Purpose: Multiplexes all packets over a single TCP connection to the TACACS+ server.

Step 7
Command or Action: tacacs-server host {hostname | ip_address}
Example:
Device(config)# tacacs-server host 10.1.1.1
Purpose: Specifies an AAA server using the legacy global form of the command. The tacacs server server-name form in Step 4 is the current way to define a server on IOS XE; define each server with one form, not both.
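The purpose column for Step 2 says the server group must already exist when a method list references it. The following added example (not code from the Cisco guide) parses a running-config excerpt and reports dangling group references, a missing aaa new-model, a none method, and login lists with no local fallback. The sample configuration is constructed, and the aaa group server line is assumed to be the command that defines the server group a method list's group keyword refers to.

```python
"""Audit AAA method lists in an IOS XE running-config excerpt.

Added example, not part of the Cisco guide. It checks the things the
procedure above relies on: every 'group NAME' in a method list must name a
server group that is defined (aaa group server ... NAME), 'none' must not
slip into a list, and a login list should keep a 'local' fallback so
administrators are not locked out when the TACACS+/RADIUS servers are
unreachable.
"""
import re

# Built-in groups that need no explicit 'aaa group server' definition.
BUILTIN_GROUPS = {"radius", "tacacs+", "ldap"}

GROUP_RE = re.compile(r"^aaa group server (?:radius|tacacs\+|ldap) (\S+)$")
METHOD_LIST_RE = re.compile(
    r"^aaa (authentication login|authorization network) (\S+) (.+)$"
)


def parse_methods(tokens):
    """'group group1 local none' -> [('group','group1'), ('local',None), ('none',None)]."""
    methods = []
    i = 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append(("group", tokens[i + 1]))
            i += 2
        else:
            methods.append((tokens[i], None))
            i += 1
    return methods


def parse_aaa(config):
    """Return (aaa_new_model, defined_groups, {(kind, list_name): methods})."""
    new_model = False
    groups = set()
    method_lists = {}
    for raw in config.splitlines():
        line = raw.strip()
        if line == "aaa new-model":
            new_model = True
            continue
        m = GROUP_RE.match(line)
        if m:
            groups.add(m.group(1))
            continue
        m = METHOD_LIST_RE.match(line)
        if m:
            kind, name, rest = m.groups()
            method_lists[(kind, name)] = parse_methods(rest.split())
    return new_model, groups, method_lists


def audit_aaa(config):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    new_model, groups, method_lists = parse_aaa(config)
    if not new_model:
        findings.append("aaa new-model is missing; AAA method lists are not in effect")
    for (kind, name), methods in method_lists.items():
        for keyword, arg in methods:
            if keyword == "group" and arg not in groups and arg not in BUILTIN_GROUPS:
                findings.append(f"{kind} {name}: undefined server group '{arg}'")
            if keyword == "none":
                findings.append(f"{kind} {name}: 'none' grants access without authentication")
        if kind == "authentication login" and not any(k == "local" for k, _ in methods):
            findings.append(
                f"{kind} {name}: no 'local' fallback; login fails if every server is unreachable"
            )
    return findings


# Constructed sample, modelled on the commands in the procedure above.
SAMPLE_CONFIG = """\
aaa new-model
aaa group server tacacs+ group1
 server name yourserver
tacacs server yourserver
 address ipv4 10.0.1.12
 single-connection
aaa authentication login default group group1 local
aaa authentication login webauthlistlocal local
aaa authorization network default group group1
aaa authorization network guestauthz group ise-guest
"""

if __name__ == "__main__":
    for finding in audit_aaa(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports only the guestauthz list, whose group ise-guest is never defined; the default login list passes because local follows group group1 as a fallback.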

Configuring the HTTP/HTTPS Server (GUI)
Procedure

Step 1 Choose Administration > Management > HTTP/HTTPS/Netconf.
Step 2 In the HTTP/HTTPS Access Configuration section, enable HTTP Access and enter the port that listens for HTTP requests. The default port is 80. Valid values are 80 and ports between 1025 and 65535. Leave HTTP Access disabled unless you need cleartext HTTP for web authentication; management sessions over HTTP are not encrypted.
Step 3 Enable HTTPS Access on the device and enter the port that listens for HTTPS requests. The default port is 443. Valid values are 443 and ports between 1025 and 65535. On a secure HTTP connection, data to and from the HTTP server is encrypted before being sent over the network. HTTP with SSL/TLS encryption provides a secure connection for functions such as configuring the controller from a web browser.
Step 4 Choose whether Personal Identity Verification is enabled or disabled.
Step 5 In the HTTP Trust Point Configuration section, enable Enable Trust Point to use a Certificate Authority server as the trustpoint.
Step 6 From the Trust Points drop-down list, choose a trustpoint.
Step 7 In the Timeout Policy Configuration section, enter the HTTP timeout policy in seconds. Valid values range from 1 to 600 seconds.
Step 8 Enter the number of seconds of inactivity allowed before the session times out. Valid values range from 180 to 1200 seconds.
Step 9 Enter the server lifetime in seconds. Valid values range from 1 to 86400 seconds.
Step 10 Enter the maximum number of requests the device can accept. Valid values range from 1 to 86400 requests.
Step 11 Save the configuration.

Configuring the HTTP Server (CLI)
To use local web authentication, you must enable the HTTP server within the device. You can enable the server for either HTTP or HTTPS.
Note: The Apple pseudo-browser does not open if you configure only the ip http secure-server command. You must also configure the ip http server command.
Follow the procedure given below to enable the server for either HTTP or HTTPS:

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: ip http server
Example:
Device(config)# ip http server
Purpose: Enables the HTTP server. The local web authentication feature uses the HTTP server to communicate with the hosts for user authentication.

Step 3
Command or Action: ip http secure-server
Example:
Device(config)# ip http secure-server
Purpose: Enables HTTPS. You can configure custom authentication proxy web pages or specify a redirection URL for successful login.
Note: To ensure secure authentication, once you enter the ip http secure-server command the login page is always served over HTTPS (secure HTTP), even if the user sends an HTTP request.

Step 4
Command or Action: end
Example:
Device(config)# end
Purpose: Exits configuration mode.

Configuring HTTP and HTTPS Requests for Web Authentication
Information About Configuring HTTP and HTTPS Requests for Web Authentication
With the Configuring HTTP and HTTPS Requests for Web Authentication feature, you can keep device management on HTTPS only while still allowing HTTP access to web authentication, or disable HTTPS for web authentication independently of management. To control which HTTP and HTTPS requests reach the web authentication module, run the secure-webauth-disable and webauth-http-enable commands in global parameter map mode.

Note The secure-webauth-disable and webauth-http-enable commands are not enabled by default; you must configure them explicitly.
The following table describes the various CLI combinations:

Table 37: CLI Combinations

| Row | Admin HTTP Access | Admin HTTPS Access | Web Authentication HTTP Access | Web Authentication HTTPS Access | Required Configuration (Admin) | Required Configuration (Web Authentication) |
| 1 | No | Yes | Yes | Yes | no ip http server; ip http secure-server | no ip http server; ip http secure-server; parameter-map type webauth global; webauth-http-enable |
| 2 | No | Yes | No | Yes | no ip http server; ip http secure-server | no ip http server; ip http secure-server |
| 3 | No | Yes | Yes | No | no ip http server; ip http secure-server | no ip http server; ip http secure-server; parameter-map type webauth global; webauth-http-enable; secure-webauth-disable |
| 4 | No | Yes | No | No | no ip http server; ip http secure-server | no ip http server; ip http secure-server; parameter-map type webauth global; secure-webauth-disable |
| 5 | No | No | No | Yes | no ip http server; no ip http secure-server | Not supported |
| 6 | No | No | Yes | No | no ip http server; no ip http secure-server | no ip http server; no ip http secure-server; parameter-map type webauth global; webauth-http-enable |
| 7 | Yes | No | Yes | No | ip http server; no ip http secure-server | ip http server; no ip http secure-server |
| 8 | Yes | Yes | Yes | No | ip http server; ip http secure-server | ip http server; ip http secure-server; parameter-map type webauth global; secure-webauth-disable |

Admin refers to device management access. The commands in the last two columns are entered in global configuration mode; webauth-http-enable and secure-webauth-disable are entered under parameter-map type webauth global.

Note
· The ip http server and ip http secure-server commands allow access for HTTP and HTTPS, respectively. For example, in the first row of the table, HTTP access to web authentication does not require the ip http server command: the webauth-http-enable command under the global parameter map allows HTTP access to web authentication without opening HTTP access to device management.
· For HTTPS access to web authentication, the ip http secure-server command is required. Therefore, HTTPS access for both admin and web authentication is enabled in the first row. To disable HTTPS access for web authentication, configure the secure-webauth-disable command. For example, in the fourth row of the table, HTTPS access is disabled for web authentication because the secure-webauth-disable command is configured.

Guidelines and Limitations
The following are the guidelines and limitations for configuring HTTP and HTTPS requests for web authentication:
· You cannot enable HTTPS web authentication without enabling HTTPS for device management.
· If the secure-webauth-disable command is configured, central web authentication cannot be performed, if the initial request from the client is https://< >.

Configuring HTTP and HTTPS Requests for Web Authentication (CLI)
To configure the HTTP and HTTPS requests being sent to the webauth module, complete the steps given below:

Procedure

Step 1
Command or Action: enable
Example:
Device# enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 3
Command or Action: no ip http server
Example:
Device(config)# no ip http server
Purpose: Disables the HTTP server for device management.

Step 4
Command or Action: ip http {server | secure-server}
Example:
Device(config)# ip http server
Purpose: Enables the HTTP server or the HTTP secure server.

Step 5
Command or Action: parameter-map type webauth global
Example:
Device(config)# parameter-map type webauth global
Purpose: Enters global parameter map configuration mode.

Step 6
Command or Action: secure-webauth-disable
Example:
Device(config-params-parameter-map)# secure-webauth-disable
Purpose: Disables the HTTP secure server for web authentication.

Step 7
Command or Action: webauth-http-enable
Example:
Device(config-params-parameter-map)# webauth-http-enable
Purpose: Enables the HTTP server for web authentication.
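Table 37 and the procedure above are easier to reason about as four switches. The following added example (not code from the Cisco guide) reads those switches out of a running-config excerpt, derives the effective access columns of Table 37, and flags the combinations a security review would question. The sample configuration is constructed and corresponds to row 3 of the table; the one-space indentation of parameter map sub-commands is the running-config layout assumed here.

```python
"""Determine effective HTTP/HTTPS exposure from an IOS XE running-config.

Added example, not part of the Cisco guide. It encodes the rules behind
Table 37: ip http server / ip http secure-server open HTTP / HTTPS for
device management; webauth-http-enable under the global webauth parameter
map opens HTTP for web authentication without opening it for management;
secure-webauth-disable closes HTTPS for web authentication while leaving
it open for management.
"""


def parse_http_settings(config):
    """Return the four knobs the table is built from, as booleans."""
    http_server = False
    https_server = False
    webauth_http_enable = False
    secure_webauth_disable = False
    in_global_webauth = False
    for raw in config.splitlines():
        if not raw.strip():
            continue
        # An unindented line starts a new top-level command; sub-mode lines
        # of a parameter map are indented by one space (assumed layout).
        if not raw.startswith(" "):
            in_global_webauth = raw.strip() == "parameter-map type webauth global"
        line = raw.strip()
        if line == "ip http server":
            http_server = True
        elif line == "no ip http server":
            http_server = False
        elif line == "ip http secure-server":
            https_server = True
        elif line == "no ip http secure-server":
            https_server = False
        elif in_global_webauth and line == "webauth-http-enable":
            webauth_http_enable = True
        elif in_global_webauth and line == "secure-webauth-disable":
            secure_webauth_disable = True
    return http_server, https_server, webauth_http_enable, secure_webauth_disable


def effective_access(config):
    """Map the knobs to the four access columns of Table 37."""
    http_server, https_server, wa_http, wa_https_off = parse_http_settings(config)
    return {
        "admin_http": http_server,
        "admin_https": https_server,
        # HTTP web auth is reachable through the admin HTTP server or
        # through the dedicated webauth-http-enable knob.
        "webauth_http": http_server or wa_http,
        # HTTPS web auth needs the HTTPS server and must not be disabled
        # explicitly; the guide states it cannot exist without admin HTTPS.
        "webauth_https": https_server and not wa_https_off,
    }


def audit_http(config):
    """Findings a reviewer would raise for this combination."""
    access = effective_access(config)
    findings = []
    if access["admin_http"]:
        findings.append(
            "device management reachable over cleartext HTTP; use "
            "'no ip http server' with 'ip http secure-server'"
        )
    if access["webauth_http"] and not access["webauth_https"]:
        findings.append(
            "web authentication login page served only over HTTP; "
            "guest credentials cross the air unencrypted"
        )
    if not access["admin_http"] and not access["admin_https"]:
        findings.append("neither HTTP nor HTTPS server enabled; the WebUI is unreachable")
    return findings


# Constructed sample matching row 3 of Table 37: admin over HTTPS only,
# web authentication over HTTP only.
ROW3_CONFIG = """\
no ip http server
ip http secure-server
parameter-map type webauth global
 webauth-http-enable
 secure-webauth-disable
"""

if __name__ == "__main__":
    print(effective_access(ROW3_CONFIG))
    for finding in audit_http(ROW3_CONFIG):
        print(finding)
```

Sub-commands under a named parameter map (for example parameter-map type webauth sample) are deliberately ignored: only the global parameter map carries these two knobs, which is why the parser tracks whether it is inside that block.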

Creating a Parameter Map (GUI)
Procedure

Step 1 Choose Configuration > Security > Web Auth.
Step 2 Click Add.
Step 3 Click Policy Map.
Step 4 Enter Parameter Name, Maximum HTTP connections, and Init-State Timeout (secs), and choose webauth in the Type drop-down list.
Step 5 Click Apply to Device.


Creating Parameter Maps
Configuring Local Web Authentication (GUI)
Procedure

Step 1 Choose Configuration > Security > Web Auth.
Step 2 On the Web Auth page, click Add.
Step 3 In the Create Web Auth Parameter window that is displayed, enter a name for the parameter map.
Step 4 In the Maximum HTTP Connections field, enter the maximum number of HTTP connections that you want to allow.
Step 5 In the Init-State Timeout field, enter the time after which the init state timer expires because the user failed to enter valid credentials on the login page.
Step 6 Choose the type of Web Auth parameter.
Step 7 Click Apply to Device.
Step 8 On the Web Auth page, click the name of the parameter map.
Step 9 In the Edit WebAuth Parameter window that is displayed, choose the required Banner Type.
· If you choose Banner Text, enter the banner text to be displayed.
· If you choose File Name, specify the path of the file from which the banner text is read.
Step 10 Enter the virtual IP addresses as required.
Step 11 Set the appropriate status of WebAuth Intercept HTTPS and Captive Bypass Portal.
Step 12 Set the appropriate status for Disable Success Window, Disable Logout Window, and Login Auth Bypass for FQDN.
Step 13 Check the Sleeping Client Status check box to enable authentication of sleeping clients, then specify the Sleeping Client Timeout in minutes. The valid range is 10 to 43200 minutes.
Step 14 Click the Advanced tab.
Step 15 To configure external web authentication, perform these tasks:
a) In the Redirect for log-in field, enter the name of the external server to which the login request is sent.
b) In the Redirect On-Success field, enter the name of the external server to redirect to after a successful login.
c) In the Redirect On-Failure field, enter the name of the external server to redirect to after a login failure.
d) (Optional) Under Redirect to External Server, in the Redirect Append for AP MAC Address field, enter the AP MAC address.
e) (Optional) In the Redirect Append for Client MAC Address field, enter the client MAC address.
f) (Optional) In the Redirect Append for WLAN SSID field, enter the WLAN SSID.
g) In the Portal IPV4 Address field, enter the IPv4 address of the portal to which redirects are sent.
h) In the Portal IPV6 Address field, enter the IPv6 address of the portal to which redirects are sent, if IPv6 is used.
Step 16 To configure customized local web authentication, under Customized Page, specify the following pages:
· Login Failed Page
· Login Page
· Logout Page
· Login Successful Page
Step 17 Click Update & Apply.

Configuring the Internal Local Web Authentication (CLI)
Follow the procedure given below to configure the internal local web authentication:

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: parameter-map type webauth {parameter-map-name | global}
Example:
Device(config)# parameter-map type webauth sample
Purpose: Creates the parameter map. The parameter-map-name must not exceed 99 characters.

Step 3
Command or Action: end
Example:
Device(config-params-parameter-map)# end
Purpose: Returns to privileged EXEC mode.

Configuring the Customized Local Web Authentication (CLI)
Follow the procedure given below to configure the customized local web authentication:

Note Virtual IP address is mandatory for custom web authentication.

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: parameter-map type webauth parameter-map-name
Example:
Device(config)# parameter-map type webauth sample
Purpose: Creates the webauth parameter map and enters parameter map configuration mode.
Note: You need to configure a virtual IP in the global parameter map to use the customized web authentication bundle.

Step 3
Command or Action: type {authbypass | consent | webauth | webconsent}
Example:
Device(config-params-parameter-map)# type webauth
Purpose: Configures the webauth sub-type: authbypass, consent, webauth, or webconsent.

Step 4
Command or Action: custom-page login device html-filename
Example:
Device(config-params-parameter-map)# custom-page login device bootflash:login.html
Purpose: Configures the customized login page.

Step 5
Command or Action: custom-page login expired device html-filename
Example:
Device(config-params-parameter-map)# custom-page login expired device bootflash:loginexpired.html
Purpose: Configures the customized login expiry page.

Step 6
Command or Action: custom-page success device html-filename
Example:
Device(config-params-parameter-map)# custom-page success device bootflash:loginsuccess.html
Purpose: Configures the customized login success page.

Step 7
Command or Action: custom-page failure device html-filename
Example:
Device(config-params-parameter-map)# custom-page failure device bootflash:loginfail.html
Purpose: Configures the customized login failure page.

Step 8
Command or Action: end
Example:
Device(config-params-parameter-map)# end
Purpose: Returns to privileged EXEC mode.

Configuring the External Local Web Authentication (CLI)
Follow the procedure given below to configure the external local web authentication:

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: parameter-map type webauth parameter-map-name
Example:
Device(config)# parameter-map type webauth sample
Purpose: Creates the webauth parameter map and enters parameter map configuration mode.

Step 3
Command or Action: type {authbypass | consent | webauth | webconsent}
Example:
Device(config-params-parameter-map)# type webauth
Purpose: Configures the webauth sub-type: authbypass, consent, webauth, or webconsent.

Step 4
Command or Action: redirect [for-login | on-failure | on-success] URL
Example:
Device(config-params-parameter-map)# redirect for-login http://www.cisco.com/login.html
Purpose: Configures the redirect URL for the login, failure, and success pages.
Note: To enter the ? character in the redirect URL, press Ctrl+V and then type ?. The ? character is commonly used in the URL when ISE is configured as an external portal.

Step 5
Command or Action: redirect portal {ipv4 | ipv6} ip-address
Example:
Device(config-params-parameter-map)# redirect portal ipv4 23.0.0.1
Purpose: Configures the external portal IPv4 or IPv6 address.
Note: When the redirect URL uses an FQDN, the IP address must be one of the addresses that the domain resolves to, not an arbitrary address. If the domain resolves to more than one IP address, use the FQDN URL here.

Step 6
Command or Action: end
Example:
Device(config-params-parameter-map)# end
Purpose: Returns to privileged EXEC mode.

Configuring the Web Authentication WLANs
Follow the procedure given below to configure WLAN using web auth security and map the authentication list and parameter map:

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wlan profile-name wlan-id ssid-name
Example:
Device(config)# wlan mywlan 34 mywlan-ssid
Purpose: Specifies the WLAN name and ID. profile-name is the WLAN name, which can contain up to 32 alphanumeric characters. wlan-id is the wireless LAN identifier; the valid range is 1 to 512. ssid-name is the SSID, which can contain up to 32 alphanumeric characters.

Step 3
Command or Action: no security wpa
Example:
Device(config-wlan)# no security wpa
Purpose: Disables WPA security.

Step 4
Command or Action: security web-auth
Example:
Device(config-wlan)# security web-auth
Purpose: Enables web authentication for the WLAN.

Step 5
Command or Action: security web-auth {authentication-list authentication-list-name | parameter-map parameter-map-name}
Example:
Device(config-wlan)# security web-auth authentication-list webauthlistlocal
Device(config-wlan)# security web-auth parameter-map sample
Purpose: Maps the authentication list and parameter map to the web authentication WLAN. Here,
· authentication-list authentication-list-name: Sets the login authentication method list used to validate web authentication credentials.
· parameter-map parameter-map-name: Configures the parameter map.
Note: When security web-auth is enabled, the default authentication list and the global parameter map are used for any authentication-list or parameter-map that is not explicitly specified.

Step 6
Command or Action: end
Example:
Device(config-wlan)# end
Purpose: Returns to privileged EXEC mode.

Configuring Pre-Auth Web Authentication ACL (GUI)
Before you begin
Ensure that you have configured an access control list (ACL) and a WLAN.

Procedure

Step 1 Choose Configuration > Tags & Profiles > WLANs.
Step 2 Click the name of the WLAN.
Step 3 In the Edit WLAN window, click the Security tab and then click the Layer3 tab.
Step 4 Click Show Advanced Settings.
Step 5 In the Preauthentication ACL section, choose the ACL to be mapped to the WLAN.
Step 6 Click Update & Apply to Device.

Configuring Pre-Auth Web Authentication ACL (CLI)
Follow the procedure given below to configure pre-auth web authentication ACL:

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: access-list access-list-number {deny | permit} source [source-wildcard] [log]
Example:
Device(config)# access-list 2 deny host 10.1.1.1 log
Purpose: Creates an ACL entry.
The access-list-number is a decimal number from 1 to 99, 100 to 199, 300 to 399, 600 to 699, 1300 to 1999, 2000 to 2699, or 2700 to 2799.
Enter deny or permit to specify whether to deny or permit the packet if the conditions are matched.
The source is the source address of the network or host from which the packet is being sent, specified as:
· The 32-bit quantity in dotted-decimal format.
· The keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255. You do not need to enter a source-wildcard.
· The keyword host as an abbreviation for a source and source-wildcard of source 0.0.0.0.
(Optional) The source-wildcard applies wildcard bits to the source.

Step 3
Command or Action: wlan profile-name wlan-id ssid-name
Example:
Device(config)# wlan mywlan 34 mywlan-ssid
Purpose: Creates the WLAN. profile-name is the WLAN name, which can contain up to 32 alphanumeric characters. wlan-id is the wireless LAN identifier; the valid range is 1 to 512. ssid-name is the SSID, which can contain up to 32 alphanumeric characters.

Step 4
Command or Action: ip access-group web access-list-name
Example:
Device(config-wlan)# ip access-group web name
Purpose: Maps the ACL to the web auth WLAN. access-list-name is the IPv4 ACL name or ID. Traffic this ACL permits is allowed before the client authenticates, so limit it to what the portal flow needs.

Step 5
Command or Action: end
Example:
Device(config-wlan)# end
Purpose: Returns to privileged EXEC mode.
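Because everything a pre-auth ACL permits reaches the network before the portal login, it is worth predicting exactly which sources an entry matches. The following added example (not code from the Cisco guide) parses standard numbered ACL entries in the syntax of Step 2, applies the any, host and wildcard-bit semantics described there, and evaluates a source address against them with first-match-wins and the implicit deny at the end. The ACL lines and probe addresses are constructed.

```python
"""Evaluate a standard numbered IPv4 ACL the way the controller does.

Added example, not part of the Cisco guide. It parses 'access-list N
{deny|permit} source [source-wildcard] [log]' lines using the keywords
described above (any, host, dotted-decimal source with wildcard bits),
applies them first-match-wins, and falls through to the implicit deny
that ends every ACL.
"""
import ipaddress

ALL_ONES = 0xFFFFFFFF
# Standard ACL number ranges; the other ranges listed on this page are for
# extended ACLs, whose entries also carry protocol and destination fields.
STANDARD_RANGES = ((1, 99), (1300, 1999))


def _addr(text):
    return int(ipaddress.IPv4Address(text))


def parse_standard_acl(lines):
    """Return a list of (action, source, wildcard, log) tuples, in order."""
    rules = []
    for raw in lines:
        tokens = raw.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            continue  # blank line, comment, or some other command
        number = int(tokens[1])
        if not any(lo <= number <= hi for lo, hi in STANDARD_RANGES):
            raise ValueError(f"access-list {number} is not a standard ACL")
        action = tokens[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action {action!r} in {raw!r}")
        rest = tokens[3:]
        if rest[0] == "any":
            source, wildcard = 0, ALL_ONES          # any = 0.0.0.0 255.255.255.255
            rest = rest[1:]
        elif rest[0] == "host":
            source, wildcard = _addr(rest[1]), 0    # host = exact 32-bit match
            rest = rest[2:]
        else:
            source = _addr(rest[0])
            rest = rest[1:]
            if rest and rest[0] != "log":
                wildcard = _addr(rest[0])           # explicit wildcard bits
                rest = rest[1:]
            else:
                wildcard = 0                        # no wildcard = host match
        rules.append((action, source, wildcard, "log" in rest))
    return rules


def evaluate(rules, source_ip):
    """First matching rule wins; no match hits the implicit deny."""
    ip = _addr(source_ip)
    for action, source, wildcard, _log in rules:
        # A wildcard bit set to 1 means "don't care" for that bit position.
        if (ip | wildcard) == (source | wildcard):
            return action
    return "deny"


# Constructed sample: block one host, permit the rest of its /24 and a /27.
SAMPLE_ACL = """\
access-list 2 deny host 10.1.1.1 log
access-list 2 permit 10.1.1.0 0.0.0.255
access-list 2 permit 192.0.2.0 0.0.0.31
""".splitlines()

if __name__ == "__main__":
    rules = parse_standard_acl(SAMPLE_ACL)
    for probe in ("10.1.1.1", "10.1.1.77", "192.0.2.17", "192.0.2.40"):
        print(probe, evaluate(rules, probe))
```

Note the order sensitivity: 10.1.1.1 is denied only because the host entry precedes the permit for 10.1.1.0/24; swapping the two lines would permit it. Entries numbered 100 to 199 or 2000 to 2699 are rejected on purpose, since extended ACL entries need a different parser.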

Configuring the Maximum Web Authentication Request Retries
Follow these steps to configure the maximum web authentication request retries:

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wireless security web-auth retries number
Example:
Device(config)# wireless security web-auth retries 2
Purpose: number is the maximum number of web auth request retries. The valid range is 0 to 20.

Step 3
Command or Action: end
Example:
Device(config)# end
Purpose: Returns to privileged EXEC mode.

Configuring a Local Banner in Web Authentication Page (GUI)
Procedure

Step 1 Choose Configuration > Security > Web Auth.
Step 2 In the Webauth Parameter Map tab, click the parameter map name. The Edit WebAuth Parameter window is displayed.
Step 3 On the General tab, choose the required Banner Type:
· If you choose Banner Text, enter the banner text to be displayed.
· If you choose File Name, specify the path of the file from which the banner text is read.
Step 4 Click Update & Apply.

Configuring a Local Banner in Web Authentication Page (CLI)
Follow the procedure given below to configure a local banner in web authentication pages.

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: parameter-map type webauth param-map
Example:
Device(config)# parameter-map type webauth param-map
Purpose: Configures the web authentication parameters and enters parameter map configuration mode.

Step 3
Command or Action: banner {file | text | title}
Example:
Device(config-params-parameter-map)# banner text C My Switch C
Purpose: Enables the local banner. Create a custom banner by entering text C banner-text C (where C is a delimiting character); file specifies a file (for example, a logo or text file) that appears in the banner; title specifies the title of the banner.

Step 4
Command or Action: end
Example:
Device(config-params-parameter-map)# end
Purpose: Returns to privileged EXEC mode.

Configuring Type WebAuth, Consent, or Both

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: parameter-map type webauth parameter-map-name
Example:
Device(config)# parameter-map type webauth webparalocal
Purpose: Creates the webauth parameter map and enters parameter map configuration mode.

Step 3
Command or Action: type consent
Example:
Device(config-params-parameter-map)# type consent
Purpose: Configures the webauth type as consent. You can configure the type as webauth, consent, or both (webconsent).

Step 4
Command or Action: end
Example:
Device(config-params-parameter-map)# end
Purpose: Returns to privileged EXEC mode.

Step 5
Command or Action: show running-config | section parameter-map type webauth parameter-map-name
Example:
Device# show running-config | section parameter-map type webauth webparalocal
Purpose: Displays the configuration details.

Configuring Preauthentication ACL

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wlan wlan-name
Example:
Device(config)# wlan ramban
Purpose: For wlan-name, enter the profile name.

Step 3
Command or Action: shutdown
Example:
Device(config-wlan)# shutdown
Purpose: Disables the WLAN.

Step 4
Command or Action: ip access-group web preauthrule
Example:
Device(config-wlan)# ip access-group web preauthrule
Purpose: Configures the ACL that is applied before authentication.

Step 5
Command or Action: no shutdown
Example:
Device(config-wlan)# no shutdown
Purpose: Enables the WLAN.

Step 6
Command or Action: end
Example:
Device(config-wlan)# end
Purpose: Returns to privileged EXEC mode.

Step 7
Command or Action: show wlan name wlan-name
Example:
Device# show wlan name ramban
Purpose: Displays the configuration details.

Configuring TrustPoint for Local Web Authentication

Before you begin
Ensure that a certificate is installed on the controller. With a trustpoint configured, the controller presents that domain-specific certificate when the client browser is redirected to the web authentication portal, so a browser that trusts the issuing CA accepts the page without a certificate warning.

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: parameter-map type webauth global
Example:
Device(config)# parameter-map type webauth global
Purpose: Enters the global parameter map.

Step 3
Command or Action: trustpoint trustpoint-name
Example:
Device(config-params-parameter-map)# trustpoint trustpoint-name
Purpose: Configures the trustpoint for local web authentication.

Step 4
Command or Action: end
Example:
Device(config-params-parameter-map)# end
Purpose: Returns to privileged EXEC mode.


Configuration Examples for Local Web Authentication
Example: Obtaining Web Authentication Certificate
This example shows how to import a web authentication certificate from a PKCS#12 bundle and verify it. The last argument of the import command (cisco) is the passphrase protecting the bundle.

Device# configure terminal
Device(config)# crypto pki import cert pkcs12 tftp://9.1.0.100/ldapserver-cert.p12 cisco
Device(config)# end
Device# show crypto pki trustpoints cert
Trustpoint cert:
    Subject Name:
    e=rkannajr@cisco.com
    cn=sthaliya-lnx
    ou=WNBU
    o=Cisco
    l=SanJose
    st=California
    c=US
          Serial Number (hex): 00
    Certificate configured.

Device# show crypto pki certificates cert
Certificate
  Status: Available
  Certificate Serial Number (hex): 04
  Certificate Usage: General Purpose
  Issuer:
    e=rkannajr@cisco.com
    cn=sthaliya-lnx
    ou=WNBU
    o=Cisco
    l=SanJose
    st=California
    c=US
  Subject:
    Name: ldapserver
    e=rkannajr@cisco.com
    cn=ldapserver
    ou=WNBU
    o=Cisco
    st=California
    c=US
  Validity Date:
    start date: 07:35:23 UTC Jan 31 2012
    end   date: 07:35:23 UTC Jan 28 2022
  Associated Trustpoints: cert ldap12
  Storage: nvram:rkannajrcisc#4.cer

CA Certificate
  Status: Available
  Certificate Serial Number (hex): 00
  Certificate Usage: General Purpose
  Issuer:
    e=rkannajr@cisco.com
    cn=sthaliya-lnx
    ou=WNBU
    o=Cisco
    l=SanJose
    st=California
    c=US
  Subject:
    e=rkannajr@cisco.com
    cn=sthaliya-lnx
    ou=WNBU
    o=Cisco
    l=SanJose
    st=California
    c=US
  Validity Date:
    start date: 07:27:56 UTC Jan 31 2012
    end   date: 07:27:56 UTC Jan 28 2022
  Associated Trustpoints: cert ldap12 ldap
  Storage: nvram:rkannajrcisc#0CA.cer
Example: Displaying a Web Authentication Certificate
This example shows how to display a web authentication certificate.
Device# show crypto ca certificate verb
Certificate
  Status: Available
  Version: 3
  Certificate Serial Number (hex): 2A9636AC00000000858B
  Certificate Usage: General Purpose
  Issuer:
    cn=Cisco Manufacturing CA
    o=Cisco Systems
  Subject:
    Name: WS-C3780-6DS-S-2037064C0E80
    Serial Number: PID:WS-C3780-6DS-S SN:FOC1534X12Q
    cn=WS-C3780-6DS-S-2037064C0E80
    serialNumber=PID:WS-C3780-6DS-S SN:FOC1534X12Q
  CRL Distribution Points:
    http://www.cisco.com/security/pki/crl/cmca.crl
  Validity Date:
    start date: 15:43:22 UTC Aug 21 2011
    end   date: 15:53:22 UTC Aug 21 2021
  Subject Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (1024 bit)
  Signature Algorithm: SHA1 with RSA Encryption
  Fingerprint MD5: A310B856 A41565F1 1D9410B5 7284CB21
  Fingerprint SHA1: 04F180F6 CA1A67AF 9D7F561A 2BB397A1 0F5EB3C9
  X509v3 extensions:
    X509v3 Key Usage: F0000000
      Digital Signature
      Non Repudiation
      Key Encipherment
      Data Encipherment
    X509v3 Subject Key ID: B9EEB123 5A3764B4 5E9C54A7 46E6EECA 02D283F7
    X509v3 Authority Key ID: D0C52226 AB4F4660 ECAE0591 C7DC5AD1 B047F76C
    Authority Info Access:
  Associated Trustpoints: CISCO_IDEVID_SUDI
  Key Label: CISCO_IDEVID_SUDI
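The two listings above show what to review on the certificate bound to the web-auth trustpoint: the validity window, the key size (1024-bit RSA in this listing) and the signature algorithm (SHA1 with RSA). The following Python script is an added example and not part of the Cisco guide; it parses such show output (the sample is constructed from the listings above), and the key-size and signature thresholds it applies are this example's assumptions, not controller settings.

```python
"""Added example, not from the Cisco guide: parse the certificate blocks printed by
'show crypto ca certificate verbose' / 'show crypto pki certificates' and assess each
one before its trustpoint is used for the web-auth portal (validity, key size, signature)."""
from datetime import datetime, timezone
import re

# Sample output constructed from the two certificate listings on this page (trimmed).
SAMPLE_OUTPUT = """\
Certificate
  Issuer:
    cn=Cisco Manufacturing CA
    o=Cisco Systems
  Subject:
    Name: WS-C3780-6DS-S-2037064C0E80
    cn=WS-C3780-6DS-S-2037064C0E80
  Validity Date:
    start date: 15:43:22 UTC Aug 21 2011
    end   date: 15:53:22 UTC Aug 21 2021
  Subject Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (1024 bit)
  Signature Algorithm: SHA1 with RSA Encryption
  Associated Trustpoints: CISCO_IDEVID_SUDI
CA Certificate
  Issuer:
    e=rkannajr@cisco.com
    cn=sthaliya-lnx
  Subject:
    e=rkannajr@cisco.com
    cn=sthaliya-lnx
  Validity Date:
    start date: 07:27:56 UTC Jan 31 2012
    end   date: 07:27:56 UTC Jan 28 2022
  Associated Trustpoints: cert ldap12 ldap
"""

IOS_DATE = "%H:%M:%S UTC %b %d %Y"   # e.g. 15:43:22 UTC Aug 21 2011


def parse_ios_date(text):
    """Turn an IOS validity timestamp into an aware UTC datetime."""
    return datetime.strptime(text.strip(), IOS_DATE).replace(tzinfo=timezone.utc)


def parse_certificates(output):
    """Return one dict per certificate block found in the show output."""
    certs, cur, section = [], None, None
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace() and line.endswith("Certificate"):
            cur = {"kind": line, "issuer": {}, "subject": {}}   # new block
            certs.append(cur)
            section = None
        elif cur is None:
            continue
        elif line.endswith(":"):        # sub-heading: only Issuer/Subject hold DN lines
            section = line[:-1].lower() if line in ("Issuer:", "Subject:") else None
        elif m := re.match(r"start date:\s*(.+)", line):
            cur["not_before"] = parse_ios_date(m.group(1))
        elif m := re.match(r"end\s+date:\s*(.+)", line):
            cur["not_after"] = parse_ios_date(m.group(1))
        elif m := re.match(r"RSA Public Key: \((\d+) bit\)", line):
            cur["key_bits"] = int(m.group(1))
        elif m := re.match(r"Signature Algorithm:\s*(.+)", line):
            cur["sig_alg"] = m.group(1)
        elif m := re.match(r"Associated Trustpoints:\s*(.+)", line):
            cur["trustpoints"] = m.group(1).split()
        elif section and "=" in line:   # DN component such as cn=... or o=...
            key, _, value = line.partition("=")
            cur[section][key] = value
    return certs


def assess_certificate(cert, now, min_rsa_bits=2048, warn_days=30):
    """Findings that make 'cert' unfit for the portal at time 'now' ([] means fine).
    The thresholds are this example's assumptions, not controller settings."""
    findings = []
    if "not_before" in cert and now < cert["not_before"]:
        findings.append("not yet valid until %s" % cert["not_before"].date())
    if "not_after" in cert:
        if now > cert["not_after"]:
            findings.append("expired on %s" % cert["not_after"].date())
        elif (cert["not_after"] - now).days < warn_days:
            findings.append("expires within %d days" % warn_days)
    if cert.get("key_bits", min_rsa_bits) < min_rsa_bits:
        findings.append("RSA key is only %d bits" % cert["key_bits"])
    sig = cert.get("sig_alg", "").upper().replace("-", "")
    if any(weak in sig for weak in ("MD5", "SHA1")):
        findings.append("weak signature algorithm: " + cert["sig_alg"])
    return findings


def audit_output(output, now_iso):
    """Assess every certificate in the show output as of the date now_iso (YYYY-MM-DD)."""
    now = datetime.strptime(now_iso, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return [(c["subject"].get("cn", c["kind"]), assess_certificate(c, now))
            for c in parse_certificates(output)]
```

Run against the sample as of the guide's publication date, audit_output reports the 1024-bit key and the SHA1 signature for the first certificate and nothing for the CA certificate; the same certificate is additionally reported as expired for any date after 21 Aug 2021.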

Example: Choosing the Default Web Authentication Login Page
This example shows how to choose a default web authentication login page.
Device# configure terminal
Device(config)# parameter-map type webauth test
This operation will permanently convert all relevant authentication commands to their CPL control-policy equivalents. As this conversion is irreversible and will disable the conversion CLI 'authentication display [legacy|new-style]', you are strongly advised to back up your current configuration before proceeding.
Do you wish to continue? [yes]: yes
Device(config)# wlan wlan50
Device(config-wlan)# shutdown
Device(config-wlan)# security web-auth authentication-list test
Device(config-wlan)# security web-auth parameter-map test
Device(config-wlan)# no shutdown
Device(config-wlan)# end
Device# show running-config | section wlan50
wlan wlan50 50 wlan50
 security wpa akm cckm
 security wpa wpa1
 security wpa wpa1 ciphers aes
 security wpa wpa1 ciphers tkip
 security web-auth authentication-list test
 security web-auth parameter-map test
 session-timeout 1800
 no shutdown

Device# show running-config | section parameter-map type webauth test
parameter-map type webauth test
 type webauth
Example: Choosing a Customized Web Authentication Login Page from an IPv4 External Web Server
This example shows how to choose a customized web authentication login page from an IPv4 external web server.
Device# configure terminal
Device(config)# parameter-map type webauth global
Device(config-params-parameter-map)# virtual-ip ipv4 192.0.2.1
Device(config-params-parameter-map)# parameter-map type webauth test
Device(config-params-parameter-map)# type webauth
Device(config-params-parameter-map)# redirect for-login http://9.1.0.100/login.html
Device(config-params-parameter-map)# redirect portal ipv4 9.1.0.100
Device(config-params-parameter-map)# end
Device# show running-config | section parameter-map
parameter-map type webauth global
 virtual-ip ipv4 192.0.2.1
parameter-map type webauth test
 type webauth
 redirect for-login http://9.1.0.100/login.html
 redirect portal ipv4 9.1.0.100
 security web-auth parameter-map rasagna-auth-map
 security web-auth parameter-map test

Example: Choosing a Customized Web Authentication Login Page from an IPv6 External Web Server
This example shows how to choose a customized web authentication login page from an IPv6 external web server.
Device# configure terminal
Device(config)# parameter-map type webauth global
Device(config-params-parameter-map)# virtual-ip ipv6 2001:DB8::/48
Device(config-params-parameter-map)# parameter-map type webauth test
Device(config-params-parameter-map)# type webauth
Device(config-params-parameter-map)# redirect for-login http://9:1:1::100/login.html
Device(config-params-parameter-map)# redirect portal ipv6 9:1:1::100
Device(config-params-parameter-map)# end
Device# show running-config | section parameter-map
parameter-map type webauth global
 virtual-ip ipv6 2001:DB8::/48
parameter-map type webauth test
 type webauth
 redirect for-login http://9:1:1::100/login.html
 redirect portal ipv6 9:1:1::100
 security web-auth parameter-map rasagna-auth-map
 security web-auth parameter-map test
Example: Assigning Login, Login Failure, and Logout Pages per WLAN
This example shows how to assign login, login failure and logout pages per WLAN.
Device# configure terminal
Device(config)# parameter-map type webauth test
Device(config-params-parameter-map)# custom-page login device flash:loginsantosh.html
Device(config-params-parameter-map)# custom-page login expired device flash:loginexpire.html
Device(config-params-parameter-map)# custom-page failure device flash:loginfail.html
Device(config-params-parameter-map)# custom-page success device flash:loginsucess.html
Device(config-params-parameter-map)# end
Device# show running-config | section parameter-map type webauth test
parameter-map type webauth test
 type webauth
 redirect for-login http://9.1.0.100/login.html
 redirect portal ipv4 9.1.0.100
 custom-page login device flash:loginsantosh.html
 custom-page success device flash:loginsucess.html
 custom-page failure device flash:loginfail.html
 custom-page login expired device flash:loginexpire.html
Example: Configuring Preauthentication ACL
This example shows how to configure a preauthentication ACL.
Device# configure terminal
Device(config)# wlan fff
Device(config-wlan)# shutdown
Device(config-wlan)# ip access-group web preauthrule
Device(config-wlan)# no shutdown
Device(config-wlan)# end
Device# show wlan name fff
Example: Configuring Webpassthrough
This example shows how to configure webpassthrough.
Device# configure terminal
Device(config)# parameter-map type webauth webparalocal
Device(config-params-parameter-map)# type consent
Device(config-params-parameter-map)# end
Device# show running-config | section parameter-map type webauth test
parameter-map type webauth test
 type webauth
 redirect for-login http://9.1.0.100/login.html
 redirect portal ipv4 9.1.0.100
Verifying Web Authentication Type
To verify the web authentication type, run the following command:
Device# show parameter-map type webauth all
Type      Name
--------------------------------
Global    global
Named     webauth
Named     ext
Named     redirect
Named     abc
Named     glbal
Named     ewa-2

Device# show parameter-map type webauth global
Parameter Map Name : global
Banner:
Text : CisCo
Type : webauth
Auth-proxy Init State time : 120 sec
Webauth max-http connection : 100
Webauth logout-window : Enabled
Webauth success-window : Enabled
Consent Email : Disabled
Sleeping-Client : Enabled
Sleeping-Client timeout : 60 min
Virtual-ipv4 : 192.0.2.1
Virtual-ipv4 hostname :
Webauth intercept https : Disabled
Webauth Captive Bypass : Disabled
Webauth bypass intercept ACL :
Trustpoint name :
HTTP Port : 80
Watch-list:
Enabled : no
Webauth login-auth-bypass:

Device# show parameter-map type webauth name global
Parameter Map Name : global
Type : webauth
Auth-proxy Init State time : 120 sec
Webauth max-http connection : 100
Webauth logout-window : Enabled
Webauth success-window : Enabled
Consent Email : Disabled
Sleeping-Client : Disabled
Webauth login-auth-bypass:

External Web Authentication (EWA)

Configuring EWA with Single WebAuth Server Address and Default Ports (80/443) (CLI)

Procedure

Step 1
configure terminal
Example:
Device# configure terminal

Enters global configuration mode.

Step 2
aaa authentication login
Example:
Device(config)# aaa authentication login WEBAUTH local

Defines the authentication method at login.

Step 3
parameter-map type webauth parameter-map-name
Example:
Device(config)# parameter-map type webauth ISE-Ext-Webauth_IP

Creates the parameter map.
The parameter-map-name must not exceed 99 characters.

Step 4
type webauth
Example:
Device(config-params-parameter-map)# type webauth

Configures the webauth type parameter.

Step 5
redirect for-login URL-String
Example:
Device(config-params-parameter-map)# redirect for-login https://192.168.0.98:443/portal/PortalSetup.action?portal=ad64b062-1098-11e7-8591-005056891b52

Configures the URL string for redirect during login.

Step 6
redirect portal ipv4 ip-address
Example:
Device(config-params-parameter-map)# redirect portal ipv4 192.168.0.98

Configures the external portal IPv4 address.

Step 7
exit
Example:
Device(config-params-parameter-map)# exit

Returns to global configuration mode.

Step 8
wlan wlan-name wlan-id SSID-name
Example:
Device(config)# wlan EWLC3-GUEST 3 EWLC3-GUEST

Configures a WLAN.

Step 9
no security ft adaptive
Example:
Device(config-wlan)# no security ft adaptive

Disables adaptive 11r.

Step 10
no security wpa
Example:
Device(config-wlan)# no security wpa

Disables WPA security.

Step 11
no security wpa wpa2
Example:
Device(config-wlan)# no security wpa wpa2

Disables WPA2 security.

Step 12
no security wpa wpa2 ciphers aes
Example:
Device(config-wlan)# no security wpa wpa2 ciphers aes

Disables WPA2 ciphers for AES.

Step 13
no security wpa akm dot1x
Example:
Device(config-wlan)# no security wpa akm dot1x

Disables security AKM for dot1x.

Step 14
security web-auth
Example:
Device(config-wlan)# security web-auth

Enables web authentication for WLAN.

Step 15
security web-auth authentication-list authenticate-list-name
Example:
Device(config-wlan)# security web-auth authentication-list WEBAUTH

Enables authentication list for dot1x security.

Step 16
security web-auth parameter-map parameter-map-name
Example:
Device(config-wlan)# security web-auth parameter-map ISE-Ext-Webauth_IP

Configures the parameter map.
Note: If the parameter map is not associated with a WLAN, the configuration is considered from the global parameter map.

Step 17
end
Example:
Device(config-wlan)# end

Returns to privileged EXEC mode.

Configuring EWA with Multiple Web Servers and/or Ports Different than Default (80/443)

Procedure

Step 1
configure terminal
Example:
Device# configure terminal

Enters global configuration mode.

Step 2
ip access-list extended name
Example:
Device(config)# ip access-list extended preauth_ISE_Ext_WA

Defines an extended IPv4 access list using a name, and enters access-list configuration mode.

Step 3
access-list-number permit tcp any host external_web_server_ip_address1 eq port-number
Example:
Device(config)# 10 permit tcp any host 192.168.0.98 eq 8443

Permits access from any host to the external web server port number 8443.

Step 4
access-list-number permit tcp any host external_web_server_ip_address2 eq port-number
Example:
Device(config)# 10 permit tcp any host 192.168.0.99 eq 8443

Permits access from any host to the external web server port number 8443.

Step 5
access-list-number permit udp any any eq domain
Example:
Device(config)# 20 permit udp any any eq domain

Permits DNS UDP traffic.

Step 6
access-list-number permit udp any any eq bootpc
Example:
Device(config)# 30 permit udp any any eq bootpc

Permits DHCP traffic.

Step 7
access-list-number permit udp any any eq bootps
Example:
Device(config)# 40 permit udp any any eq bootps

Permits DHCP traffic.

Step 8
access-list-number permit tcp host external_web_server_ip_address1 eq port_number any
Example:
Device(config)# 50 permit tcp host 192.168.0.98 eq 8443 any

Permits the access from the external web server port 8443 to any host.

Step 9
access-list-number permit tcp host external_web_server_ip_address2 eq port_number any
Example:
Device(config)# 50 permit tcp host 192.168.0.99 eq 8443 any

Permits the access from the external web server port 8443 to any host.

Step 10
access-list-number permit tcp any any eq domain
Example:
Device(config)# 60 permit tcp any any eq domain

Permits the DNS TCP traffic.

Step 11
access-list-number deny ip any any
Example:
Device(config)# 70 deny ip any any

Denies all the other traffic.

Step 12
wlan wlan-name wlan-id ssid
Example:
Device(config)# wlan EWLC3-GUEST 3 EWLC3-GUEST

Creates the WLAN.

Step 13
ip access-group web name
Example:
Device(config-wlan)# ip access-group web preauth_ISE_Ext_WA

Configures the IPv4 WLAN web ACL. The variable name specifies the user-defined IPv4 ACL name.

Step 14
end
Example:
Device(config-wlan)# end

Returns to privileged EXEC mode.
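As an added example that is not part of the Cisco guide, the following Python script generates the pre-authentication ACL of the procedure above for any number of portal servers and ports, and audits an ACL listing against the same intent (only the portals, DNS and DHCP reachable, explicit final deny, no sequence number used twice); run on the entries exactly as the steps above give them, it reports that sequence numbers 10 and 50 are each used twice. It assumes the plain permit/deny entry syntax shown above (no wildcard masks, ranges or other protocols).

```python
"""Added example, not from the Cisco guide: build the pre-authentication ACL of the
procedure above for any number of portal servers and ports, and audit an ACL listing
so that only those portals, DNS and DHCP are reachable before web authentication."""
import re

# One entry as 'show ip access-lists' prints it (plain permit/deny form only).
ACE_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>ip|tcp|udp)\s+"
    r"(?P<src>any|host \S+)(?:\s+eq\s+(?P<sport>\S+))?\s+"
    r"(?P<dst>any|host \S+)(?:\s+eq\s+(?P<dport>\S+))?$")

# (proto, src, src-port, dst, dst-port): the infrastructure traffic every
# unauthenticated client needs, as in the procedure: DNS (UDP/TCP) and DHCP.
BASE_SERVICES = (("udp", "any", None, "any", "domain"),
                 ("udp", "any", None, "any", "bootpc"),
                 ("udp", "any", None, "any", "bootps"),
                 ("tcp", "any", None, "any", "domain"))


def _fmt(proto, src, sport, dst, dport):
    """Render an entry tuple back into IOS syntax."""
    return "%s %s%s %s%s" % (proto, src, " eq %s" % sport if sport else "",
                             dst, " eq %s" % dport if dport else "")


def expected_permits(portals):
    """The exact set of permits a pre-auth ACL for these (ip, port) portals needs."""
    wanted = set(BASE_SERVICES)
    for ip, port in portals:
        wanted.add(("tcp", "any", None, "host " + ip, str(port)))   # client -> portal
        wanted.add(("tcp", "host " + ip, str(port), "any", None))   # portal -> client
    return wanted


def build_preauth_acl(name, portals):
    """IOS XE configuration lines in the procedure's order, unique sequence numbers."""
    entries = ([("tcp", "any", None, "host " + ip, str(p)) for ip, p in portals]
               + list(BASE_SERVICES[:3])
               + [("tcp", "host " + ip, str(p), "any", None) for ip, p in portals]
               + [BASE_SERVICES[3]])
    lines = ["ip access-list extended " + name]
    for seq, entry in enumerate(entries, start=1):
        lines.append(" %d permit %s" % (seq * 10, _fmt(*entry)))
    lines.append(" %d deny ip any any" % ((len(entries) + 1) * 10))
    return lines


def audit_preauth_acl(acl_text, portals):
    """Findings for an ACL listing; an empty list means it matches the intent exactly."""
    wanted, present, seen = expected_permits(portals), set(), set()
    findings, last = [], None
    for line in acl_text.splitlines():
        line = line.strip()
        if not line or line.startswith("ip access-list"):
            continue
        m = ACE_RE.match(line)
        if not m:
            findings.append("unparsed entry: " + line)
            continue
        a = m.groupdict()
        if a["seq"] in seen:      # a sequence number can identify only one entry
            findings.append("sequence %s reused by: %s" % (a["seq"], line))
        seen.add(a["seq"])
        last = a
        if a["action"] == "deny":
            continue
        key = (a["proto"], a["src"], a["sport"], a["dst"], a["dport"])
        if key in wanted:
            present.add(key)
        else:
            findings.append("permits more than the portal needs: " + line)
    for key in sorted(wanted - present, key=str):
        findings.append("missing permit " + _fmt(*key))
    tail = (last["action"], last["proto"], last["src"], last["dst"]) if last else None
    if tail != ("deny", "ip", "any", "any"):
        findings.append("ACL does not end with an explicit 'deny ip any any'")
    return findings


# The entries exactly as the steps above give them (constructed from the procedure).
PAGE_ACL = """\
ip access-list extended preauth_ISE_Ext_WA
 10 permit tcp any host 192.168.0.98 eq 8443
 10 permit tcp any host 192.168.0.99 eq 8443
 20 permit udp any any eq domain
 30 permit udp any any eq bootpc
 40 permit udp any any eq bootps
 50 permit tcp host 192.168.0.98 eq 8443 any
 50 permit tcp host 192.168.0.99 eq 8443 any
 60 permit tcp any any eq domain
 70 deny ip any any
"""
PORTALS = [("192.168.0.98", 8443), ("192.168.0.99", 8443)]
```

audit_preauth_acl(PAGE_ACL, PORTALS) returns only the two reused-sequence findings, while the ACL from build_preauth_acl("preauth_ISE_Ext_WA", PORTALS) audits clean; an ACL that permits ip any any is reported both for the over-broad entry and for every portal or service permit it lacks.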

Configuring Wired Guest EWA with Multiple Web Servers and/or Ports Different than Default (80/443)

Before you begin
You cannot assign a manual ACL to a wired guest LAN configuration. The workaround is to use the bypass ACL in the global parameter map.

Procedure

Step 1
configure terminal
Example:
Device# configure terminal

Enters global configuration mode.

Step 2
ip access-list extended name
Example:
Device(config)# ip access-list extended BYPASS_ACL

Defines an extended IPv4 access list using a name, and enters access-list configuration mode.

Step 3
access-list-number deny ip any host hostname
Example:
Device(config)# 10 deny ip any host 192.168.0.45

Allows the traffic to switch centrally.

Step 4
access-list-number deny ip any host hostname
Example:
Device(config)# 20 deny ip any host 4.0.0.1

Allows the traffic to switch centrally.

Step 5
parameter-map type webauth global
Example:
Device(config)# parameter-map type webauth global

Creates a parameter map and enters parameter-map webauth configuration mode.

Step 6
webauth-bypass-intercept name
Example:
Device(config-params-parameter-map)# webauth-bypass-intercept BYPASS_ACL

Creates a WebAuth bypass intercept using the ACL name.
Note: You cannot apply a manual ACL to the wired guest profile and configure an external web authentication with multiple IP addresses or different ports. The workaround is to use the bypass ACL for the wired guest profile.

Step 7
end
Example:
Device(config-params-parameter-map)# end

Returns to privileged EXEC mode.

Authentication for Sleeping Clients
Information About Authenticating Sleeping Clients
Clients with guest access that have had successful web authentication are allowed to sleep and wake up without having to go through another authentication process through the login page. You can configure how long sleeping clients are remembered before reauthentication becomes necessary. The valid range is 10 minutes to 43200 minutes, with the default being 720 minutes. You can also configure this duration on the WebAuth parameter map that is mapped to a WLAN. Note that the sleeping client timer comes into effect due to instances such as idle timeout, session timeout, disabling of the WLAN, and the AP being nonoperational.
This feature is supported in the following FlexConnect scenario: local switching and central authentication.

Caution If the MAC address of a client that goes to sleep mode is spoofed, the fake device such as a laptop can be authenticated.
Mobility Scenarios
Following are some guidelines in a mobility scenario:
· L2 roaming in the same subnet is supported.
· Anchor sleeping timer is applicable.
· The sleeping client information is shared between multiple autoanchors when a sleeping client moves from one anchor to another.
A sleeping client does not require reauthentication in the following scenarios:
· Suppose there are two controllers in a mobility group. A client that is associated with one controller goes to sleep and then wakes up and gets associated with the other controller.
· Suppose there are three controllers in a mobility group. A client that is associated with the second controller that is anchored to the first controller goes to sleep, wakes up, and gets associated with the third controller.
· A client sleeps, wakes up and gets associated with the same or different export foreign controller that is anchored to the export anchor.
Restrictions on Authenticating Sleeping Clients
· The sleep client feature works only for WLAN configured with WebAuth security.
· You can configure the sleeping clients only on a per WebAuth parameter-map basis.

· The authentication of sleeping clients feature is supported only on WLANs that have Layer 3 security enabled.
· With Layer 3 security, the Authentication, Passthrough, and On MAC Filter failure web policies are supported. The Conditional Web Redirect and Splash Page Web Redirect web policies are not supported.
· The central web authentication of sleeping clients is not supported.
· The authentication of sleeping clients feature is not supported on guest LANs and remote LANs.
· A guest access sleeping client that has a local user policy is not supported. In this case, the WLAN-specific timer is applied.

Configuring Authentication for Sleeping Clients (GUI)
Procedure

Step 1
Choose Configuration > Security > Web Auth.

Step 2
In the Webauth Parameter Map tab, click the parameter map name. The Edit WebAuth Parameter window is displayed.

Step 3
Select the Sleeping Client Status check box.

Step 4
Click Update & Apply to Device.

Configuring Authentication for Sleeping Clients (CLI)

Procedure

Step 1
configure terminal
Example:
Device# configure terminal

Enters global configuration mode.

Step 2
[no] parameter-map type webauth {parameter-map-name | global}
Example:
Device(config)# parameter-map type webauth global

Creates a parameter map and enters parameter-map webauth configuration mode.

Step 3
sleeping-client [timeout time]
Example:
Device(config-params-parameter-map)# sleeping-client timeout 100

Configures the sleeping client timeout to 100 minutes. Valid range is between 10 minutes and 43200 minutes.
Note: If you do not use the timeout keyword, the sleeping client is configured with the default timeout value of 720 minutes.

Step 4
end

Exits parameter-map webauth configuration mode and returns to privileged EXEC mode.

Step 5
(Optional) show wireless client sleeping-client
Example:
Device# show wireless client sleeping-client

Shows the MAC address of the clients and the time remaining in their respective sessions.

Step 6
(Optional) clear wireless client sleeping-client [mac-address mac-addr]
Example:
Device# clear wireless client sleeping-client mac-address 00e1.e1e1.0001

· clear wireless client sleeping-client--Deletes all sleeping client entries from the sleeping client cache.
· clear wireless client sleeping-client mac-address mac-addr--Deletes the specific MAC entry from the sleeping client cache.

Sleeping Clients with Multiple Authentications

Mobility Support for Sleeping Clients
From Release 17.1.1 onwards, mobility is supported for guest and nonguest sleeping clients.

Supported Combinations of Multiple Authentications
Multiple authentication feature supports sleeping clients configured in the WLAN profile. The following table outlines the supported combination of multiple authentications:
Table 38: Supported Combinations of Multiple Authentications

Layer 2       Layer 3   Supported
MAB           LWA       Yes
MAB Failure   LWA       Yes
Dot1x         LWA       Yes
PSK           LWA       Yes

Configuring Sleeping Clients with Multiple Authentications

Configuring WLAN for Dot1x and Local Web Authentication

Procedure

Step 1
configure terminal
Example:
Device# configure terminal

Enters global configuration mode.

Step 2
wlan profile-name wlan-id SSID_name
Example:
Device(config)# wlan wlan-test 3 ssid-test

Enters WLAN configuration submode.
· profile-name - Profile name of the configured WLAN.
· wlan-id - Wireless LAN identifier. Range is from 1 to 512.
· SSID_Name - SSID, which can contain up to 32 alphanumeric characters.

Step 3
security dot1x authentication-list auth-list-name
Example:
Device(config-wlan)# security dot1x authentication-list default

Enables security authentication list for dot1x security. The configuration is similar for all dot1x security WLANs.

Step 4
security web-auth
Example:
Device(config-wlan)# security web-auth

Configures web authentication.

Step 5
security web-auth authentication-list authenticate-list-name
Example:
Device(config-wlan)# security web-auth authentication-list default

Enables authentication list for dot1x security.

Step 6
security web-auth parameter-map parameter-map-name
Example:
Device(config-wlan)# security web-auth parameter-map global

Maps the parameter map.
Note: If the parameter map is not associated with a WLAN, the configuration is considered from the global parameter map.

Step 7
no shutdown
Example:
Device(config-wlan)# no shutdown

Enables WLAN.

Configuring a WLAN for MAC Authentication Bypass and Local Web Authentication

Procedure

Step 1
configure terminal
Example:
Device# configure terminal

Enters global configuration mode.

Step 2
wlan profile-name wlan-id SSID_name
Example:
Device(config)# wlan wlan-test 3 ssid-test

Enters WLAN configuration submode.
· profile-name - Profile name of the configured WLAN.
· wlan-id - Wireless LAN identifier. Range is from 1 to 512.
· SSID_Name - SSID, which can contain up to 32 alphanumeric characters.

Step 3
mac-filtering list-name
Example:
Device(config-wlan)# mac-filtering cat-radius

Sets the MAC filtering parameters.

Step 4
no security wpa akm dot1x
Example:
Device(config-wlan)# no security wpa akm dot1x

Disables security AKM for dot1x.

Step 5
no security wpa wpa2 ciphers aes
Example:
Device(config-wlan)# no security wpa wpa2 ciphers aes

Disables the WPA2 cipher.
aes--Encryption type that specifies WPA/AES support.

Step 6
security web-auth parameter-map parameter-map-name
Example:
Device(config-wlan)# security web-auth parameter-map global

Maps the parameter map.
Note: If the parameter map is not associated with a WLAN, the configuration is considered from the global parameter map.

Step 7
no shutdown
Example:
Device(config-wlan)# no shutdown

Enables WLAN.

Configuring a WLAN for Local Web Authentication and MAC Filtering

Procedure

Step 1
configure terminal
Example:
Device# configure terminal

Enters global configuration mode.

Step 2
wlan profile-name wlan-id SSID_name
Example:
Device(config)# wlan wlan-test 3 ssid-test

Enters WLAN configuration submode.
· profile-name - Profile name of the configured WLAN.
· wlan-id - Wireless LAN identifier. Range is from 1 to 512.
· SSID_Name - SSID, which can contain up to 32 alphanumeric characters.

Step 3
mac-filtering list-name
Example:
Device(config-wlan)# mac-filtering cat-radius

Sets the MAC filtering parameters.

Step 4
no security wpa akm dot1x
Example:
Device(config-wlan)# no security wpa akm dot1x

Disables security Authenticated Key Management (AKM) for dot1x.

Step 5
no security wpa wpa2 ciphers aes
Example:
Device(config-wlan)# no security wpa wpa2 ciphers aes

Disables the WPA2 cipher.
aes: Encryption type that specifies WPA/AES support.

Step 6
security web-auth on-macfilter-failure
Example:
Device(config-wlan)# security web-auth on-macfilter-failure wlan-id

Configures the fallback policy with MAC filtering and web authentication.

Step 7
security web-auth parameter-map parameter-map-name
Example:
Device(config-wlan)# security web-auth parameter-map global

Maps the parameter map.
Note: If the parameter map is not associated with a WLAN, the configuration is considered from the global parameter map.

Step 8
no shutdown
Example:
Device(config-wlan)# no shutdown

Enables WLAN.

Configuring a PSK + LWA in a WLAN

Procedure

Step 1
configure terminal
Example:
Device# configure terminal

Enters global configuration mode.

Step 2
wlan profile-name wlan-id SSID_name
Example:
Device(config)# wlan wlan-test 3 ssid-test

Enters WLAN configuration submode.
· profile-name - Profile name of the configured WLAN.
· wlan-id - Wireless LAN identifier. Range is from 1 to 512.
· SSID_Name - SSID, which can contain up to 32 alphanumeric characters.

Step 3
no security wpa akm dot1x
Example:
Device(config-wlan)# no security wpa akm dot1x

Disables security AKM for dot1x.

Step 4
security web-auth
Example:
Device(config-wlan)# security web-auth

Enables web authentication for a WLAN.

Step 5
no security wpa wpa2 ciphers aes
Example:
Device(config-wlan)# no security wpa wpa2 ciphers aes

Disables the WPA2 cipher.
aes: Encryption type that specifies WPA/AES support.

Step 6
security wpa psk set-key ascii ascii/hex key
Example:
Device(config-wlan)# security wpa psk set-key ascii 0 1234567

Configures the preshared key on a WLAN.

Step 7
security wpa akm psk
Example:
Device(config-wlan)# security wpa akm psk

Configures PSK support.

Step 8
security web-auth authentication-list authenticate-list-name
Example:
Device(config-wlan)# security web-auth authentication-list default

Enables the authentication list for dot1x security.

Step 9
security web-auth parameter-map parameter-map-name
Example:
Device(config-wlan)# security web-auth parameter-map global

Maps the parameter map.
Note: If the parameter map is not associated with a WLAN, the configuration is considered from the global parameter map.

Configuring a Sleeping Client

Procedure

Step 1
configure terminal
Example:
Device# configure terminal

Enters global configuration mode.

Step 2
parameter-map type webauth {parameter-map-name | global}
Example:
Device(config)# parameter-map type webauth MAP-2

Creates a parameter map and enters parameter-map-name configuration mode.
The specific configuration commands supported for a global parameter map defined with the global keyword differ from the commands supported for a named parameter map defined with the parameter-map-name argument.

Step 3
sleeping-client [timeout time]
Example:
Device(config-params-parameter-map)# sleeping-client timeout 60

Configures the sleeping client timeout, in minutes. The available range for the time argument is from 10 to 43200.
Note: If you do not use the timeout keyword, the sleeping client is configured with the default timeout value of 720 minutes.

Verifying a Sleeping Client Configuration

To verify a sleeping client configuration, use the following command:
Device# show wireless client sleeping-client
Total number of sleeping-client entries: 1

MAC Address         Remaining time (mm:ss)
--------------------------------------------------------
2477.031b.aa18      59:56

CHAPTER 94
Central Web Authentication
· Information About Central Web Authentication, on page 863
· How to Configure ISE, on page 864
· How to Configure Central Web Authentication on the Controller, on page 866
· Authentication for Sleeping Clients, on page 874
· Sleeping Clients with Multiple Authentications, on page 876
Information About Central Web Authentication
Central web authentication offers the possibility to have a central device that acts as a web portal (in this example, the ISE). The major difference compared to the usual local web authentication is that it is shifted to Layer 2 along with MAC filtering or dot1x authentication. The concept also differs in that the radius server (ISE in this example) returns special attributes that indicate to the switch that a web redirection must occur. This solution eliminates any delay to start the web authentication. The following are the different types of web authentication methods:
· Local Web Authentication (LWA): Configured as Layer 3 security on the controller, the web authentication page and the pre-authentication ACL are locally configured on the controller. The controller intercepts http(s) traffic and redirects the client to the internal web page for authentication. The credentials entered by the client on the login page are authenticated by the controller locally or through a RADIUS or LDAP server.
· External Web Authentication (EWA): Configured as Layer 3 security on the controller, the controller intercepts http(s) traffic and redirects the client to the login page hosted on the external web server. The credentials entered by the client on the login page are authenticated by the controller locally or through a RADIUS or LDAP server. The pre-authentication ACL is configured statically on the controller.
· Central Web Authentication (CWA): Configured mostly as Layer 2 security on the controller, the redirection URL and the pre-authentication ACL reside on ISE and are pushed during layer 2 authentication to the controller. The controller redirects all web traffic from the client to the ISE login page. ISE validates the credentials entered by the client through HTTPS and authenticates the user.
Globally, if the MAC address of the client station is not known by the radius server (but other criteria can also be used), the server returns the redirection attributes, and the controller authorizes the station (using the MAC filtering) but places an access list to redirect the web traffic to the portal.
Cisco Catalyst 9800 Series Wireless Controller Software Configuration Guide, Cisco IOS XE Bengaluru 17.5.x 863

Once the user logs into the guest portal, it is possible to re-authenticate the client so that a new Layer 2 MAC filtering occurs using the Change of Authorization (CoA). This way, the ISE remembers that it was a webauth user and pushes the necessary authorization attributes to the controller for accessing the network.
Prerequisites for Central Web Authentication
· Cisco Identity Services Engine (ISE)

How to Configure ISE
To configure ISE, proceed as follows:
1. Create an authorization profile.
2. Create an authentication rule.
3. Create an authorization rule.

Creating an Authorization Profile
Procedure

Step 1 Click Policy, and click Policy Elements.
Step 2 Click Results.
Step 3 Expand Authorization, and click Authorization Profiles.
Step 4 Click Add to create a new authorization profile for central webauth.
Step 5 In the Name field, enter a name for the profile. For example, CentralWebauth.
Step 6 Choose ACCESS_ACCEPT from the Access Type drop-down list.
Step 7 Check the Web Redirection (CWA, MDM, NSP, CPP) check box, and choose Centralized Web Auth from the drop-down list.
Step 8 In the ACL field, enter the name of the ACL that defines the traffic to be redirected. For example, redirect.
Step 9 In the Value field, choose the default or customized values.
The Value attribute defines whether the ISE sees the default or a custom web portal that the ISE admin created.
Step 10 Click Save.

Creating an Authentication Rule
Follow the procedure given below to use the authentication profile and create the authentication rule:

Procedure

Step 1 In the Policy > Authentication page, click Authentication.
Step 2 Enter a name for your authentication rule. For example, MAB.
Step 3 In the If condition field, select the plus (+) icon.
Step 4 Choose Compound condition, and choose Wireless_MAB.
Step 5 Click the arrow located next to and ... in order to expand the rule further.
Step 6 Click the + icon in the Identity Source field, and choose Internal endpoints.
Step 7 Choose Continue from the 'If user not found' drop-down list.
This option allows a device to be authenticated even if its MAC address is not known.
Step 8 Click Save.

Creating an Authorization Rule
You can configure many rules in the authorization policy. The MAC not known rule is configured in this section:
Procedure

Step 1 Click Policy > Authorization.
Step 2 In the Rule Name field, enter a name. For example: Mac not known.
Step 3 In the Conditions field, click the plus (+) icon.
Step 4 Choose Compound Conditions, and choose Wireless_MAB.
Step 5 From the settings icon, select Add Attribute/Value from the options.
Step 6 In the Description field, choose Network Access > AuthenticationStatus as the attribute from the drop-down list.
Step 7 Choose the Equals operator.
Step 8 From the right-hand field, choose UnknownUser.
Step 9 In the Permissions field, choose the authorization profile name that you had created earlier.
The ISE continues even though the user (or MAC) is not known.
Unknown users are now presented with the Login page. However, once they enter their credentials, they are presented again with an authentication request on the ISE; therefore, another rule must be configured with a condition that is met if the user is a guest user. For example, if UseridentityGroup Equals Guest is used, then it is assumed that all guests belong to this group.
Step 10 In the Conditions field, click the plus (+) icon.
Step 11 Choose Compound Conditions, and choose to create a new condition.
The new rule must come before the MAC not known rule.
Step 12 From the settings icon, select Add Attribute/Value from the options.
Step 13 In the Description field, choose Network Access > UseCase as the attribute from the drop-down list.
Step 14 Choose the Equals operator.
Step 15 From the right-hand field, choose GuestFlow.
Step 16 In the Permissions field, click the plus (+) icon to select a result for your rule.
You can choose the Standard > PermitAccess option or create a custom profile to return the attributes that you like.
When the user is authorized on the login page, the ISE triggers a CoA that results in the restart of Layer 2 authentication. When the user is identified as a guest user, the user is authorized.

How to Configure Central Web Authentication on the Controller
To configure central web authentication on the controller, proceed as follows:
1. Configure WLAN.
2. Configure policy profile.
3. Configure redirect ACL.
4. Configure AAA for central web authentication.
5. Configure redirect ACL in Flex profile.

Configuring WLAN (GUI)
Before you begin
You need to enable MAC filtering for Layer 2 authentication to download the redirect URL and ACL.

Procedure

Step 1 Choose Configuration > Tags & Profiles > WLANs.
Step 2 In the WLANs window, click the name of the WLAN or click Add to create a new one.
Step 3 In the Add/Edit WLAN window that is displayed, click the General tab to configure the following parameters:
· In the Profile Name field, enter or edit the name of the profile.
· In the SSID field, enter or edit the SSID name. The SSID name can be alphanumeric, and up to 32 characters in length.
· In the WLAN ID field, enter or edit the ID number. The valid range is between 1 and 512.
· From the Radio Policy drop-down list, choose the 802.11 radio band.
· Using the Broadcast SSID toggle button, change the status to either Enabled or Disabled.
· Using the Status toggle button, change the status to either Enabled or Disabled.
Step 4 Click the Security tab, and then the Layer 2 tab to configure the following parameters:
· From the Layer 2 Security Mode drop-down list, choose None. This setting disables Layer 2 security.
· Enter the Reassociation Timeout value, in seconds. This is the time after which a fast transition reassociation times out.
· Check the Over the DS check box to enable Fast Transition over a distributed system.
· Choose OWE. Opportunistic Wireless Encryption (OWE) provides data confidentiality with encryption over the air between an AP radio and a wireless client. OWE Transition Mode is meant to provide a form of backward compatibility.
· Choose Fast Transition. 802.11r, the IEEE standard for fast roaming, introduces a new concept of roaming in which the initial handshake with a new AP is done even before the client roams to the target access point. This concept is called Fast Transition.
· Check the check box to enable MAC filtering in the WLAN.
· Check the Lobby Admin Access check box to enable Lobby Admin access.
Step 5 Click Save & Apply to Device.

Configuring WLAN (CLI)

Note You need to enable MAC filtering for Layer 2 authentication to download the redirect URL and ACL.
After completing the WLAN configuration, if the changes are not pushed to all the APs, the following syslog message appears:
2021/01/06 16:20:00.597927186 {wncd_x_R0-4}{1}: [wlanmgr-db] [20583]: UUID: 0, ra: 0, TID: 0 (note): Unable to push WLAN config changes to all APs, cleanup required for WlanId: 2, profile: wlan1 state: Delete pending
If the above-mentioned syslog message keeps appearing for more than six minutes, reload the controller.
If the controller does not reload and still the syslog message appears, then collect the archive logs, wncd core file, and raise a case by clicking the following link: Support Case Manager.
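The six-minute rule above is easy to miss by eye when the message interleaves with other wncd output. The following is an added example (not from the Cisco guide) that parses the syslog line format shown above and reports every WLAN whose push failure has been recurring for longer than the guide's threshold; the log lines it runs on are constructed, and the one "config pushed" message is an assumed unrelated line.

```python
"""Added example (not from the Cisco guide): watch controller syslog for the
"Unable to push WLAN config changes to all APs" message described above and
report any WLAN for which it has been recurring for more than six minutes,
the point at which the guide says to reload the controller.
The timestamp layout and the "WlanId: N, profile: NAME" fields follow the
sample message in the text; the log lines below are constructed."""
import re
from datetime import datetime, timedelta

_PUSH_FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\.\d+ .*"
    r"Unable to push WLAN config changes to all APs.*?"
    r"WlanId: (?P<wlan_id>\d+), profile: (?P<profile>\S+)"
)

# "more than six minutes" is the guide's threshold for reloading the controller.
RELOAD_THRESHOLD = timedelta(minutes=6)


def parse_push_failure(line):
    """Return (timestamp, wlan_id, profile) for a matching line, else None."""
    m = _PUSH_FAIL_RE.search(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S")
    return ts, int(m.group("wlan_id")), m.group("profile")


def wlans_stuck_in_cleanup(lines, threshold=RELOAD_THRESHOLD):
    """Map wlan_id -> (profile, first_seen, last_seen) for every WLAN whose
    push-failure message keeps appearing for longer than `threshold`.

    The message repeats while the cleanup is pending, so the span between the
    first and the most recent occurrence is how long the WLAN has been stuck."""
    seen = {}
    for line in lines:
        parsed = parse_push_failure(line)
        if parsed is None:
            continue
        ts, wlan_id, profile = parsed
        if wlan_id in seen:
            seen[wlan_id] = (seen[wlan_id][0], seen[wlan_id][1], ts)
        else:
            seen[wlan_id] = (profile, ts, ts)
    return {wid: v for wid, v in seen.items() if v[2] - v[1] > threshold}


# Constructed sample log: WLAN 2 keeps failing for over seven minutes, WLAN 5
# fails once, and one unrelated (assumed) message is mixed in.
_PREFIX = "{wncd_x_R0-4}{1}: [wlanmgr-db] [20583]: UUID: 0, ra: 0, TID: 0 (note): "
_FAIL = "Unable to push WLAN config changes to all APs, cleanup required for "
SAMPLE_LOG = [
    "2021/01/06 16:20:00.597927186 " + _PREFIX + _FAIL + "WlanId: 2, profile: wlan1 state: Delete pending",
    "2021/01/06 16:21:00.100000000 " + _PREFIX + _FAIL + "WlanId: 5, profile: guest state: Delete pending",
    "2021/01/06 16:22:30.000000000 " + _PREFIX + "WLAN config pushed to all APs for WlanId: 5",
    "2021/01/06 16:24:00.200000000 " + _PREFIX + _FAIL + "WlanId: 2, profile: wlan1 state: Delete pending",
    "2021/01/06 16:27:01.300000000 " + _PREFIX + _FAIL + "WlanId: 2, profile: wlan1 state: Delete pending",
]

if __name__ == "__main__":
    for wid, (profile, first, last) in wlans_stuck_in_cleanup(SAMPLE_LOG).items():
        print(f"WlanId {wid} (profile {profile}) stuck since {first:%H:%M:%S}, "
              f"still failing at {last:%H:%M:%S}: reload the controller")
```

Feed it the output of the controller's syslog or archive logs; a WLAN that is reported here is the case the note above tells you to escalate if a reload does not clear it.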

Procedure

Step 1 configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2 wlan wlan-name wlan-id SSID-name
Example:
Device(config)# wlan wlanProfileName 1 ngwcSSID
Purpose: Enters the WLAN configuration sub-mode.
wlan-name is the name of the configured WLAN.
wlan-id is the wireless LAN identifier. The range is 1 to 512.
SSID-name is the SSID name, which can contain 32 alphanumeric characters.
Note: If you have already configured this command, enter the wlan wlan-name command.

Step 3 mac-filtering [name]
Example:
Device(config-wlan)# mac-filtering name
Purpose: Enables MAC filtering on a WLAN.
Note: While configuring mac-filtering, the default authentication list is considered if the authentication list is not configured earlier.

Step 4 no security wpa
Example:
Device(config-wlan)# no security wpa
Purpose: Disables WPA security.

Step 5 no shutdown
Example:
Device(config-wlan)# no shutdown
Purpose: Enables the WLAN.

Step 6 end
Example:
Device(config-wlan)# end
Purpose: Returns to privileged EXEC mode.

Example
Device# config terminal
Device(config)# wlan wlanProfileName 1 ngwcSSID
Device(config-wlan)# mac-filtering default
Device(config-wlan)# no security wpa
Device(config-wlan)# no shutdown
Device(config-wlan)# end
Configuring Policy Profile (CLI)

Note You need an AAA override to apply policies coming from the AAA or ISE servers. When a redirect URL and redirect ACL are received from the ISE server, NAC is used to trigger the Central Web Authentication (CWA).
Both NAC and AAA override must be available in the policy profile to which the client is being associated.
The default policy profile is associated to an AP, if the AP is not associated to any other policy profiles.

Procedure

Step 1 configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2 wireless profile policy default-policy-profile
Example:
Device(config)# wireless profile policy default-policy-profile
Purpose: Sets the policy profile.

Step 3 vlan vlan-id
Example:
Device(config-wireless-policy)# vlan 41
Purpose: Maps the VLAN to a policy profile. If vlan-id is not specified, the default native vlan 1 is applied. The valid range for vlan-id is 1 to 4096. Management VLAN is applied if no VLAN is configured on the policy profile.

Step 4 aaa-override
Example:
Device(config-wireless-policy)# aaa-override
Purpose: Configures AAA override to apply policies coming from the AAA or ISE servers.

Step 5 nac
Example:
Device(config-wireless-policy)# nac
Purpose: Configures Network Access Control in the policy profile. NAC is used to trigger the Central Web Authentication (CWA).

Step 6 no shutdown
Example:
Device(config-wireless-policy)# no shutdown
Purpose: Enables the WLAN.

Step 7 end
Example:
Device(config-wireless-policy)# end
Purpose: Returns to privileged EXEC mode.

Example
Device# configure terminal
Device(config)# wireless profile policy default-policy-profile
Device(config-wireless-policy)# vlan 41
Device(config-wireless-policy)# aaa-override
Device(config-wireless-policy)# nac
Device(config-wireless-policy)# no shutdown
Device(config-wireless-policy)# end

Configuring a Policy Profile (GUI)
Procedure

Step 1 Choose Configuration > Tags & Profiles > Policy.
Step 2 On the Policy Profile page, click Add.
Step 3 In the Add Policy Profile window, in the General tab, enter a name and description for the policy profile.
Step 4 To enable the policy profile, set Status as Enabled.
Step 5 Use the slider to enable or disable Passive Client and Encrypted Traffic Analytics.
Step 6 (Optional) In the CTS Policy section, choose the appropriate status for the following:
· Inline Tagging: a transport mechanism by which a controller, embedded wireless controller, or access point learns the source SGT.
· SGACL Enforcement
Step 7 Specify a default SGT. The valid range is from 2 to 65519.
Step 8 In the WLAN Switching Policy section, choose the following, as required:
· Central Switching
· Central Authentication
· Central DHCP
· Central Association Enable
· Flex NAT/PAT
Step 9 Click Save & Apply to Device.

Creating Redirect ACL
The redirect ACL is a punt ACL that must be predefined on the controller (or on the AP in the case of FlexConnect local switching): the AAA server returns the name of the ACL, not its definition. The redirect ACL defines the traffic that is allowed through on the data plane (matching "deny" statements, because the ACL denies redirection for that traffic) and the traffic that is sent to the control plane towards the CPU for further processing (matching "permit" statements), which in this case means web interception and redirection. The ACL has implicit (that is, invisible) statements allowing DHCP and DNS traffic towards all IPs, just as is the case with LWA. It also ends with the implicit deny statement of a security ACL.

Procedure

Step 1 configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2 ip access-list extended redirect
Example:
Device(config)# ip access-list extended redirect
Purpose: The HTTP and HTTPS browsing does not work without authentication (per the other ACL) as ISE is configured to use a redirect ACL (named redirect).

Step 3 deny ip any host ISE-IP-add
Example:
Device(config)# deny ip any host 123.123.134.112
Purpose: Allows traffic to ISE and all other traffic is blocked.

Step 4 deny ip host ISE-IP-add any
Example:
Device(config)# deny ip host 123.123.134.112 any
Purpose: Allows traffic to ISE and all other traffic is blocked.
Note: This ACL is applicable for both local and flex mode.

Step 5 permit TCP any any eq web address/port-number
Example:
In case of HTTP:
Device(config)# permit TCP any any eq www
Device(config)# permit TCP any any eq 80
In case of HTTPS:
Device(config)# permit TCP any any eq 443
Purpose: Redirects all HTTP or HTTPS access to the ISE login page. port-number 80 is used for HTTP and port-number 443 is used for HTTPS.
For the ACE to allow traffic to ISE, ISE should be configured above the HTTP/HTTPS ACE.

Step 6 end
Example:
Device(config)# end
Purpose: Returns to privileged EXEC mode.

Configuring AAA for Central Web Authentication

Procedure

Step 1 aaa server radius dynamic-author
Example:
Device(config)# aaa server radius dynamic-author
Purpose: Configures the Change of Authorization (CoA) on the controller.

Step 2 client ISE-IP-add server-key radius-shared-secret
Example:
Device(config-locsvr-da-radius)# client 123.123.134.112 server-key 0 SECRET
Purpose: Specifies a RADIUS client and the RADIUS key to be shared between a device and a RADIUS client.
ISE-IP-add is the IP address of the RADIUS client.
server-key is the radius client server-key.
radius-shared-secret covers the following:
· 0--Specifies unencrypted key.
· 6--Specifies encrypted key.
· 7--Specifies HIDDEN key.
· Word--Unencrypted (cleartext) server key.
The RADIUS shared secret should not exceed 240 characters while configuring WSMA data in GUI.
Note: All these steps work only if the AAA configuration is in place. See the Configuring AAA Authentication for details.

Example
Device# config terminal
Device(config)# aaa server radius dynamic-author
Device(config-locsvr-da-radius)# client 123.123.134.112 server-key 0 SECRET
Device(config-locsvr-da-radius)# end

Configuring Redirect ACL in Flex Profile (GUI)
The redirect ACL definition must be sent to the access point in the FlexConnect profile. For this, the redirect ACL associated with an AP must be configured in the FlexConnect profile where the client is hosted. If an access point is not configured with any of the FlexConnect profiles, the default FlexConnect profile is associated with it.
Procedure

Step 1 Choose Configuration > Tags & Profiles > Flex.
Step 2 On the Flex Profile page, click the name of the FlexConnect profile or click Add to create a new FlexConnect profile.
Step 3 In the Add/Edit Flex Profile window that is displayed, click the Policy ACL tab.
Step 4 Click Add to map an ACL to the FlexConnect profile.
Step 5 Choose the ACL name, enable central web authentication, and specify the preauthentication URL filter.
Step 6 Click Save.
Step 7 Click Update & Apply to Device.

Configuring Redirect ACL in Flex Profile (CLI)
The redirect ACL definition must be sent to the access point in the Flex profile. For this, the redirect ACL associated to an AP must be configured in the Flex profile where the client is being hosted. If an access point is not configured with any of the Flex profiles, the default Flex profile is associated with it.

Note When the ACL is pushed down to the APs, the permission must change from deny to permit or vice-versa. This change does not occur if the ACL contains an object group, causing the ACL not to be fully translated, which may cause the redirection to fail.

Procedure

Step 1 configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2 wireless profile flex default-flex-profile
Example:
Device(config)# wireless profile flex default-flex-profile
Purpose: Creates a new flex policy. The default flex profile name is default-flex-profile.

Step 3 acl-policy acl-policy-name
Example:
Device(config-wireless-flex-profile)# acl-policy acl1
Purpose: Configures the ACL policy.

Step 4 central-webauth
Example:
Device(config-wireless-flex-profile-acl)# central-webauth
Purpose: Configures central web authentication.

Step 5 end
Example:
Device(config-wireless-flex-profile-acl)# end
Purpose: Returns to privileged EXEC mode.
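Because the AAA server only returns the ACL name, a mistake in the redirect ACL itself (permit ACEs above the ISE deny ACEs, as warned in "Creating Redirect ACL", or an object group, as warned in the note above) is not caught by ISE. The following is an added example, not Cisco's code, that lints an ACL text against those rules; the ACL texts are constructed and the ISE address is the guide's example value.

```python
"""Added example (not Cisco's code): lint a CWA redirect ACL against the rules
given in "Creating Redirect ACL" and in the object-group note under
"Configuring Redirect ACL in Flex Profile (CLI)". In a redirect ACL, "deny"
forwards traffic on the data plane and "permit" punts it to the CPU for web
interception, so the ISE deny ACEs must sit above the HTTP/HTTPS permit ACEs,
and an object group would stop the AP from translating the ACL in FlexConnect.
The ACL texts below are constructed; the ISE address is the guide's example."""

WEB_PORTS = {"www", "80", "443"}


def _addr(tokens, i):
    """Parse one source or destination field that starts at tokens[i]."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] in ("host", "object-group"):
        return tokens[i + 1], i + 2
    return f"{tokens[i]}/{tokens[i + 1]}", i + 2  # network and wildcard mask


def parse_acl(text):
    """Return (acl_name, aces); each ACE is a dict of the fields we lint."""
    name, aces = None, []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] == "!":
            continue
        if tokens[:3] == ["ip", "access-list", "extended"]:
            name = tokens[3]
            continue
        if tokens[0].isdigit():  # optional sequence number
            tokens = tokens[1:]
        if tokens[0] not in ("permit", "deny"):
            continue  # remarks and anything else are not linted
        src, i = _addr(tokens, 2)
        if i < len(tokens) and tokens[i] == "eq":  # source port, skip it
            i += 2
        dst, i = _addr(tokens, i)
        rest = tokens[i:]
        aces.append({
            "line": raw.strip(),
            "action": tokens[0],
            "proto": tokens[1].lower(),
            "src": src,
            "dst": dst,
            "port": rest[rest.index("eq") + 1] if "eq" in rest else None,
            "object_group": "object-group" in tokens,
        })
    return name, aces


def lint_redirect_acl(text, ise_ip):
    """Return a list of findings; an empty list means the ACL follows the guide."""
    name, aces = parse_acl(text)
    findings = []
    if name is None:
        findings.append("missing 'ip access-list extended <name>' header")
    to_ise = [i for i, a in enumerate(aces) if a["action"] == "deny" and a["dst"] == ise_ip]
    from_ise = [i for i, a in enumerate(aces) if a["action"] == "deny" and a["src"] == ise_ip]
    web = [i for i, a in enumerate(aces)
           if a["action"] == "permit" and a["proto"] == "tcp" and a["port"] in WEB_PORTS]
    if not to_ise:
        findings.append(f"missing 'deny ip any host {ise_ip}': traffic to the portal would be punted")
    if not from_ise:
        findings.append(f"missing 'deny ip host {ise_ip} any': traffic from the portal would be punted")
    if not web:
        findings.append("missing 'permit tcp any any eq www/80/443': nothing is redirected")
    elif (to_ise or from_ise) and max(to_ise + from_ise) > min(web):
        findings.append("ISE deny ACEs must be configured above the HTTP/HTTPS permit ACEs")
    for a in aces:
        if a["object_group"]:
            findings.append(f"object group in '{a['line']}': FlexConnect APs cannot translate the ACL")
        elif a["action"] == "permit" and a["port"] not in WEB_PORTS:
            findings.append(f"'{a['line']}' punts non-web traffic to the CPU")
    return findings


# Constructed ACLs. GOOD_ACL mirrors the guide's procedure; BAD_ACL has the
# permits first and references an object group.
ISE_IP = "123.123.134.112"
GOOD_ACL = """ip access-list extended redirect
 deny ip any host 123.123.134.112
 deny ip host 123.123.134.112 any
 permit tcp any any eq www
 permit tcp any any eq 443
"""
BAD_ACL = """ip access-list extended redirect-broken
 permit tcp any any eq www
 permit tcp any any eq 443
 deny ip any object-group ISE-SERVERS
 deny ip host 123.123.134.112 any
"""

if __name__ == "__main__":
    for label, acl in (("GOOD_ACL", GOOD_ACL), ("BAD_ACL", BAD_ACL)):
        print(label, lint_redirect_acl(acl, ISE_IP) or ["ok"])
```

Run it over the ACL section of a saved running-config before the name is handed to ISE; the "punts non-web traffic" finding also catches a broad permit that would send every client packet to the controller CPU.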


Authentication for Sleeping Clients
Information About Authenticating Sleeping Clients
Clients with guest access that have had successful web authentication are allowed to sleep and wake up without having to go through another authentication process through the login page. You can configure the duration for which sleeping clients should be remembered before reauthentication becomes necessary. The valid range is 10 minutes to 43200 minutes, with the default being 720 minutes. You can also configure this duration on the WebAuth parameter map that is mapped to a WLAN. Note that the sleeping client timer comes into effect due to instances such as idle timeout, session timeout, disabling of the WLAN, and the AP being nonoperational. This feature is supported in the following FlexConnect scenario: local switching and central authentication.
Caution If the MAC address of a client that goes to sleep mode is spoofed, the fake device such as a laptop can be authenticated.
Mobility Scenarios
Following are some guidelines in a mobility scenario:
· L2 roaming in the same subnet is supported.
· Anchor sleeping timer is applicable.
· The sleeping client information is shared between multiple autoanchors when a sleeping client moves from one anchor to another.
A sleeping client does not require reauthentication in the following scenarios:
· Suppose there are two controllers in a mobility group. A client that is associated with one controller goes to sleep and then wakes up and gets associated with the other controller.
· Suppose there are three controllers in a mobility group. A client that is associated with the second controller that is anchored to the first controller goes to sleep, wakes up, and gets associated with the third controller.
· A client sleeps, wakes up and gets associated with the same or a different export foreign controller that is anchored to the export anchor.
Restrictions on Authenticating Sleeping Clients
· The sleep client feature works only for WLANs configured with WebAuth security.
· You can configure the sleeping clients only on a per WebAuth parameter-map basis.
· The authentication of sleeping clients feature is supported only on WLANs that have Layer 3 security enabled.
· With Layer 3 security, the Authentication, Passthrough, and On MAC Filter failure web policies are supported. The Conditional Web Redirect and Splash Page Web Redirect web policies are not supported.
· The central web authentication of sleeping clients is not supported.
· The authentication of sleeping clients feature is not supported on guest LANs and remote LANs.
· A guest access sleeping client that has a local user policy is not supported. In this case, the WLAN-specific timer is applied.

Configuring Authentication for Sleeping Clients (GUI)
Procedure

Step 1 Choose Configuration > Security > Web Auth.
Step 2 In the Webauth Parameter Map tab, click the parameter map name. The Edit WebAuth Parameter window is displayed.
Step 3 Select the Sleeping Client Status check box.
Step 4 Click Update & Apply to Device.

Configuring Authentication for Sleeping Clients (CLI)

Procedure

Step 1 configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2 [no] parameter-map type webauth {parameter-map-name | global}
Example:
Device(config)# parameter-map type webauth global
Purpose: Creates a parameter map and enters parameter-map webauth configuration mode.

Step 3 sleeping-client [timeout time]
Example:
Device(config-params-parameter-map)# sleeping-client timeout 100
Purpose: Configures the sleeping client timeout to 100 minutes. Valid range is between 10 minutes and 43200 minutes.
Note: If you do not use the timeout keyword, the sleeping client is configured with the default timeout value of 720 minutes.

Step 4 end
Purpose: Exits parameter-map webauth configuration mode and returns to privileged EXEC mode.

Step 5 (Optional) show wireless client sleeping-client
Example:
Device# show wireless client sleeping-client
Purpose: Shows the MAC address of the clients and the time remaining in their respective sessions.

Step 6 (Optional) clear wireless client sleeping-client [mac-address mac-addr]
Example:
Device# clear wireless client sleeping-client mac-address 00e1.e1e1.0001
Purpose:
· clear wireless client sleeping-client--Deletes all sleeping client entries from the sleeping client cache.
· clear wireless client sleeping-client mac-address mac-addr--Deletes the specific MAC entry from the sleeping client cache.

Sleeping Clients with Multiple Authentications

Mobility Support for Sleeping Clients
From Release 17.1.1 onwards, mobility is supported for guest and nonguest sleeping clients.

Supported Combinations of Multiple Authentications
Multiple authentication feature supports sleeping clients configured in the WLAN profile. The following table outlines the supported combination of multiple authentications:
Table 39: Supported Combinations of Multiple Authentications

Layer 2       Layer 3   Supported
MAB           LWA       Yes
MAB Failure   LWA       Yes
Dot1x         LWA       Yes
PSK           LWA       Yes


Configuring Sleeping Clients with Multiple Authentications

Configuring WLAN for Dot1x and Local Web Authentication

Procedure

Step 1 configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2 wlan profile-name wlan-id SSID_name
Example:
Device(config)# wlan wlan-test 3 ssid-test
Purpose: Enters WLAN configuration submode.
· profile-name - Profile name of the configured WLAN.
· wlan-id - Wireless LAN identifier. Range is from 1 to 512.
· SSID_Name - SSID, which can contain up to 32 alphanumeric characters.

Step 3 security dot1x authentication-list auth-list-name
Example:
Device(config-wlan)# security dot1x authentication-list default
Purpose: Enables the security authentication list for dot1x security. The configuration is similar for all dot1x security WLANs.

Step 4 security web-auth
Example:
Device(config-wlan)# security web-auth
Purpose: Configures web authentication.

Step 5 security web-auth authentication-list authenticate-list-name
Example:
Device(config-wlan)# security web-auth authentication-list default
Purpose: Enables the authentication list for dot1x security.

Step 6 security web-auth parameter-map parameter-map-name
Example:
Device(config-wlan)# security web-auth parameter-map global
Purpose: Maps the parameter map.
Note: If the parameter map is not associated with a WLAN, the configuration is considered from the global parameter map.

Step 7 no shutdown
Example:
Device(config-wlan)# no shutdown
Purpose: Enables the WLAN.

Configuring a WLAN for MAC Authentication Bypass and Local Web Authentication

Procedure

Step 1 configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2 wlan profile-name wlan-id SSID_name
Example:
Device(config)# wlan wlan-test 3 ssid-test
Purpose: Enters WLAN configuration submode.
· profile-name - Profile name of the configured WLAN.
· wlan-id - Wireless LAN identifier. Range is from 1 to 512.
· SSID_Name - SSID, which can contain up to 32 alphanumeric characters.

Step 3 mac-filtering list-name
Example:
Device(config-wlan)# mac-filtering cat-radius
Purpose: Sets the MAC filtering parameters.

Step 4 no security wpa akm dot1x
Example:
Device(config-wlan)# no security wpa akm dot1x
Purpose: Disables security AKM for dot1x.

Step 5 no security wpa wpa2 ciphers aes
Example:
Device(config-wlan)# no security wpa wpa2 ciphers aes
Purpose: Disables the WPA2 cipher. aes--Encryption type that specifies WPA/AES support.

Step 6 security web-auth parameter-map parameter-map-name
Example:
Device(config-wlan)# security web-auth parameter-map global
Purpose: Maps the parameter map.
Note: If the parameter map is not associated with a WLAN, the configuration is considered from the global parameter map.

Step 7 no shutdown
Example:
Device(config-wlan)# no shutdown
Purpose: Enables the WLAN.

Configuring a WLAN for Local Web Authentication and MAC Filtering

Procedure

Step 1 configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2 wlan profile-name wlan-id SSID_name
Example:
Device(config)# wlan wlan-test 3 ssid-test
Purpose: Enters WLAN configuration submode.
· profile-name - Profile name of the configured WLAN.
· wlan-id - Wireless LAN identifier. Range is from 1 to 512.
· SSID_Name - SSID, which can contain up to 32 alphanumeric characters.

Step 3 mac-filtering list-name
Example:
Device(config-wlan)# mac-filtering cat-radius
Purpose: Sets the MAC filtering parameters.

Step 4 no security wpa akm dot1x
Example:
Device(config-wlan)# no security wpa akm dot1x
Purpose: Disables security Authenticated Key Management (AKM) for dot1x.

Step 5 no security wpa wpa2 ciphers aes
Example:
Device(config-wlan)# no security wpa wpa2 ciphers aes
Purpose: Disables the WPA2 cipher. aes: Encryption type that specifies WPA/AES support.

Step 6 security web-auth on-macfilter-failure
Example:
Device(config-wlan)# security web-auth on-macfilter-failure wlan-id
Purpose: Configures the fallback policy with MAC filtering and web authentication.

Step 7 security web-auth parameter-map parameter-map-name
Example:
Device(config-wlan)# security web-auth parameter-map global
Purpose: Maps the parameter map.
Note: If the parameter map is not associated with a WLAN, the configuration is considered from the global parameter map.

Step 8 no shutdown
Example:
Device(config-wlan)# no shutdown
Purpose: Enables the WLAN.

Configuring a PSK + LWA in a WLAN

Procedure

Step 1 configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2 wlan profile-name wlan-id SSID_name
Example:
Device(config)# wlan wlan-test 3 ssid-test
Purpose: Enters WLAN configuration submode.
· profile-name - Profile name of the configured WLAN.
· wlan-id - Wireless LAN identifier. Range is from 1 to 512.
· SSID_Name - SSID, which can contain up to 32 alphanumeric characters.

Step 3 no security wpa akm dot1x
Example:
Device(config-wlan)# no security wpa akm dot1x
Purpose: Disables security AKM for dot1x.

Step 4 security web-auth
Example:
Device(config-wlan)# security web-auth
Purpose: Enables web authentication for a WLAN.

Step 5 no security wpa wpa2 ciphers aes
Example:
Device(config-wlan)# no security wpa wpa2 ciphers aes
Purpose: Disables the WPA2 cipher. aes: Encryption type that specifies WPA/AES support.

Step 6 security wpa psk set-key ascii ascii/hex key
Example:
Device(config-wlan)# security wpa psk set-key ascii 0 1234567
Purpose: Configures the preshared key on a WLAN.

Step 7 security wpa akm psk
Example:
Device(config-wlan)# security wpa akm psk
Purpose: Configures PSK support.

Step 8 security web-auth authentication-list authenticate-list-name
Example:
Device(config-wlan)# security web-auth authentication-list default
Purpose: Enables the authentication list for dot1x security.

Step 9 security web-auth parameter-map parameter-map-name
Example:
Device(config-wlan)# security web-auth parameter-map global
Purpose: Maps the parameter map.
Note: If the parameter map is not associated with a WLAN, the configuration is considered from the global parameter map.

Configuring a Sleeping Client

Procedure

Step 1 configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2 parameter-map type webauth {parameter-map-name | global}
Example:
Device(config)# parameter-map type webauth MAP-2
Purpose: Creates a parameter map and enters parameter-map-name configuration mode.
The specific configuration commands supported for a global parameter map defined with the global keyword differ from the commands supported for a named parameter map defined with the parameter-map-name argument.

Step 3 sleeping-client [timeout time]
Example:
Device(config-params-parameter-map)# sleeping-client timeout 60
Purpose: Configures the sleeping client timeout, in minutes. The available range for the time argument is from 10 to 43200.
Note: If you do not use the timeout keyword, the sleeping client is configured with the default timeout value of 720 minutes.


Verifying a Sleeping Client Configuration

To verify a sleeping client configuration, use the following command:
Device# show wireless client sleeping-client
Total number of sleeping-client entries: 1

MAC Address         Remaining time (mm:ss)
--------------------------------------------------------
2477.031b.aa18      59:56


CHAPTER 95
ISE Simplification and Enhancements
· Utilities for Configuring Security, on page 883
· Configuring Captive Portal Bypassing for Local and Central Web Authentication, on page 885
· Sending DHCP Options 55 and 77 to ISE, on page 888
· Captive Portal, on page 891
Utilities for Configuring Security
This chapter describes how to configure all the RADIUS server-side configuration using the following command:
wireless-default radius server ip key secret
This simplified configuration option provides the following:
· Configures AAA authorization for network services, and authentication for web auth and Dot1x.
· Enables local authentication with default authorization.
· Configures the default redirect ACL for CWA.
· Creates a global parameter map with virtual IP and enables captive bypass portal.
· Configures all the AAA configuration for a default case while configuring the RADIUS server.
· The method-list configuration is assumed by default on the WLAN.
· Enables RADIUS accounting by default.
· Disables RADIUS aggressive failover by default.
· Sets the RADIUS request timeout to 5 seconds by default.
· Enables captive bypass portal.
This command configures the following in the background:
aaa new-model
aaa authentication webauth default group radius
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting identity default start-stop group radius
!
aaa server radius dynamic-author
 client <IP> server-key cisco123
!
radius server RAD_SRV_DEF_<IP>
 description Configured by wireless-default
 address ipv4 <IP> auth-port 1812 acct-port 1813
 key <key>
!
aaa local authentication default authorization default
aaa session-id common
!
ip access-list extended CISCO-CWA-URL-REDIRECT-ACL-DEFAULT
 remark " CWA ACL to be referenced from ISE "
 deny udp any any eq domain
 deny tcp any any eq domain
 deny udp any eq bootps any
 deny udp any any eq bootpc
 deny udp any eq bootpc any
 deny ip any host <IP>
 permit tcp any any eq www
!
parameter-map type webauth global
 captive-bypass-portal
 virtual-ip ipv4 192.0.2.1
 virtual-ip ipv6 1001::1
!
wireless profile policy default-policy-profile
 aaa-override
 local-http-profiling
 local-dhcp-profiling
 accounting
Thus, you need not go through the entire configuration guide to configure the wireless controller for a simple configuration requirement.
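The redirect ACL is the security-relevant part of the generated configuration: in an IOS-XE web-auth redirect ACL, traffic matched by a permit entry is intercepted and redirected to the portal, while traffic matched by a deny entry passes through untouched (this is the documented controller behaviour and is the assumption the example rests on). The following Python is an added example, not Cisco code: it parses an ACL in the form shown above and checks that DNS, DHCP and traffic to the ISE host are exempted before the HTTP permit, and that nothing broader than HTTP is redirected; the ISE address 192.0.2.10 is a constructed placeholder for <IP>.

```python
import re
from typing import Callable, List, NamedTuple, Optional, Tuple


class Ace(NamedTuple):
    """One entry of an IOS-XE extended ACL, in configured order."""
    action: str              # "permit" = redirect to portal, "deny" = pass through
    proto: str               # "ip", "tcp", "udp", ...
    src: str                 # "any", a host address, or "address/wildcard"
    src_port: Optional[str]  # value after "eq", if any
    dst: str
    dst_port: Optional[str]


# Constructed sample: the ACL generated by "wireless-default radius server",
# with the server <IP> replaced by a documentation address (192.0.2.10).
ISE_HOST = "192.0.2.10"
SAMPLE_ACL = """\
ip access-list extended CISCO-CWA-URL-REDIRECT-ACL-DEFAULT
 remark " CWA ACL to be referenced from ISE "
 deny udp any any eq domain
 deny tcp any any eq domain
 deny udp any eq bootps any
 deny udp any any eq bootpc
 deny udp any eq bootpc any
 deny ip any host 192.0.2.10
 permit tcp any any eq www
"""


def _parse_ace(line: str) -> Optional[Ace]:
    """Parse one ACE line; remarks and non-ACE lines yield None."""
    tok = line.split()
    if len(tok) < 4 or tok[0] not in ("permit", "deny"):
        return None
    pos = 2

    def address() -> str:
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return "any"
        if tok[pos] == "host":
            pos += 2
            return tok[pos - 1]
        pos += 2                                 # "<address> <wildcard>"
        return f"{tok[pos - 2]}/{tok[pos - 1]}"

    def port() -> Optional[str]:
        nonlocal pos
        if pos + 1 < len(tok) and tok[pos] == "eq":
            pos += 2
            return tok[pos - 1]
        return None

    src, src_port = address(), port()
    dst, dst_port = address(), port()
    return Ace(tok[0], tok[1], src, src_port, dst, dst_port)


def parse_acl(text: str) -> Tuple[str, List[Ace]]:
    """Return (ACL name, entries) from running-config style text."""
    name, aces = "", []
    for raw in text.splitlines():
        line = raw.strip()
        match = re.match(r"ip access-list extended (\S+)$", line)
        if match:
            name = match.group(1)
            continue
        ace = _parse_ace(line)
        if ace is not None:
            aces.append(ace)
    return name, aces


def check_redirect_acl(aces: List[Ace], ise_host: str) -> List[str]:
    """Return the problems found; an empty list means the ACL has the shape
    of the generated default: exemptions first, then only HTTP redirected."""
    findings: List[str] = []
    first_permit = next((i for i, a in enumerate(aces) if a.action == "permit"), len(aces))

    def require_exemption(pred: Callable[[Ace], bool], what: str) -> None:
        # ACLs are first-match: an exemption placed after the permit never fires for HTTP.
        idx = next((i for i, a in enumerate(aces) if a.action == "deny" and pred(a)), None)
        if idx is None:
            findings.append(f"{what} is not exempted from redirection")
        elif idx > first_permit:
            findings.append(f"{what} exemption is shadowed by an earlier permit")

    require_exemption(lambda a: a.proto == "udp" and a.dst_port == "domain", "DNS over UDP")
    require_exemption(lambda a: a.proto == "tcp" and a.dst_port == "domain", "DNS over TCP")
    require_exemption(lambda a: a.proto == "udp" and bool({a.src_port, a.dst_port} & {"bootps", "bootpc"}), "DHCP")
    require_exemption(lambda a: a.proto == "ip" and a.dst == ise_host, f"traffic to the ISE host {ise_host}")

    if first_permit == len(aces):
        findings.append("no permit entry: nothing is redirected to the portal")
    for a in aces[first_permit:]:
        if a.action == "permit" and not (a.proto == "tcp" and a.dst_port == "www"):
            findings.append(f"permit entry redirects more than HTTP: {a.action} {a.proto} {a.src} -> {a.dst}:{a.dst_port or 'any'}")
    return findings


if __name__ == "__main__":
    acl_name, entries = parse_acl(SAMPLE_ACL)
    print(acl_name, check_redirect_acl(entries, ISE_HOST) or "OK")
```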

Configuring Multiple Radius Servers
Use the following procedure to configure a RADIUS server.

Procedure

Step 1
configure terminal
Example:
Device# configure terminal

Enters global configuration mode.

Step 2
wireless-default radius server ip key secret
Example:
Device(config)# wireless-default radius server 9.2.58.90 key cisco123

Configures a RADIUS server.
Note: You can configure up to ten RADIUS servers.

Step 3
end
Example:
Device(config)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.


Verifying AAA and Radius Server Configurations
To view the details of the AAA server, use the following command:
Device# show run aaa
!
aaa new-model
aaa authentication webauth default group radius
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting Identity default start-stop group radius
!
aaa server radius dynamic-author
 client 9.2.58.90 server-key cisco123
!
radius server RAD_SRV_DEF_9.2.58.90
 description Configured by wireless-default
 address ipv4 9.2.58.90 auth-port 1812 acct-port 1813
 key cisco123
!
aaa local authentication default authorization default
aaa session-id common
!
!
ip access-list extended CISCO-CWA-URL-REDIRECT-ACL-DEFAULT
 remark " CWA ACL to be referenced from ISE "
 deny udp any any eq domain
 deny tcp any any eq domain
 deny udp any eq bootps any
 deny udp any any eq bootpc
 deny udp any eq bootpc any
 deny ip any host 9.2.58.90
 permit tcp any any eq www
!
parameter-map type webauth global
 captive-bypass-portal
 virtual-ip ipv4 192.0.2.1
 virtual-ip ipv6 1001::1
!
wireless profile policy default-policy-profile
 aaa-override
 local-http-profiling
 local-dhcp-profiling
 accounting
Note: The show run aaa output may change when new commands are added to this utility.
Configuring Captive Portal Bypassing for Local and Central Web Authentication
Information About Captive Bypassing
WISPr is a draft protocol that enables users to roam between different wireless service providers. Some devices (for example, Apple iOS devices) have a mechanism by which they can determine whether the device is connected to the Internet, based on an HTTP WISPr request made to a designated URL. This mechanism is used for the device to automatically open a web browser when a direct connection to the Internet is not possible. This enables the user to provide credentials to access the Internet. The actual authentication is done in the background every time the device connects to a new SSID.
The client device (Apple iOS device) sends a WISPr request to the controller, which checks the user agent details and then triggers an HTTP request with a web authentication interception in the controller. After verifying the iOS version and the browser details provided by the user agent, the controller allows the client to bypass the captive portal settings and provides access to the Internet.
This HTTP request triggers a web authentication interception in the controller, as any other page request performed by a wireless client does. This interception leads to a web authentication process, which completes normally. If web authentication is used with any of the controller splash page features (URL provided by a configured RADIUS server), the splash page may never be displayed, because the WISPr requests are made at very short intervals; as soon as one of the queries reaches the designated server, any web redirection or splash page display process that is performed in the background is cancelled, and the device processes the page request, thus breaking the splash page functionality.
For example, Apple introduced an iOS feature to facilitate network access when captive portals are present. This feature detects the presence of a captive portal by sending a web request on connecting to a wireless network. This request is directed to http://www.apple.com/library/test/success.html for Apple iOS version 6 and older, and to several possible target URLs for Apple iOS version 7 and later. If a response is received, Internet access is assumed to be available and no further interaction is required. If no response is received, Internet access is assumed to be blocked by the captive portal, and Apple's Captive Network Assistant (CNA) auto-launches the pseudo-browser to request portal login in a controlled window. The CNA may break when redirecting to an ISE captive portal. The controller prevents this pseudo-browser from popping up.
You can now configure the controller to bypass the WISPr detection process, so that web authentication interception is only done when a user requests a web page leading to the splash page load in user context, without the WISPr detection being performed in the background.
Configuring Captive Bypassing for WLAN in LWA and CWA (GUI)
Procedure

Step 1 Choose Configuration > Security > Web Auth.
Step 2 In the Webauth Parameter Map tab, click the parameter map name. The Edit WebAuth Parameter window is displayed.
Step 3 Select the Captive Bypass Portal check box.
Step 4 Click Update & Apply to Device.


Configuring Captive Bypassing for WLAN in LWA and CWA (CLI)

Procedure

Step 1
configure terminal
Example:
Device# configure terminal

Enters global configuration mode.

Step 2
parameter-map type webauth parameter-map-name
Example:
Device(config)# parameter-map type webauth WLAN1_MAP

Creates the parameter map.
The parameter-map-name must not exceed 99 characters.

Step 3
captive-bypass-portal
Example:
Device(config-params-parameter-map)# captive-bypass-portal

Configures captive bypassing.

Step 4
wlan profile-name wlan-id ssid-name
Example:
Device(config)# wlan WLAN1_NAME 4 WLAN1_NAME

Specifies the WLAN name and ID.
· profile-name is the WLAN name, which can contain up to 32 alphanumeric characters.
· wlan-id is the wireless LAN identifier. The valid range is from 1 to 512.
· ssid-name is the SSID, which can contain up to 32 alphanumeric characters.

Step 5
security web-auth
Example:
Device(config-wlan)# security web-auth

Enables web authentication for the WLAN.

Step 6
security web-auth parameter-map parameter-map-name
Example:
Device(config-wlan)# security web-auth parameter-map WLAN1_MAP

Maps the parameter map.
Note: If the parameter map is not associated with a WLAN, the configuration is considered from the global parameter map.

Step 7
end
Example:
Device(config-wlan)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.


Sending DHCP Options 55 and 77 to ISE

Information about DHCP Option 55 and 77
The DHCP sensors use the following DHCP options on the ISE for native and remote profiling:
· Option 12: Hostname
· Option 6: Class Identifier
Along with these, the following options need to be sent to the ISE for profiling:
· Option 55: Parameter Request List
· Option 77: User Class
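To make concrete what the controller caches with DHCP TLV caching and forwards to ISE, the following Python (an added example, not Cisco or ISE code) parses the option TLVs of a DHCPDISCOVER and extracts the hostname (option 12), the parameter request list (option 55) and the user class (option 77) together with the client MAC. The packet, the hostname, the option values and the transaction ID are constructed for the example; a truncated option is rejected rather than returned half-parsed.

```python
import struct
from typing import Dict

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the options field (RFC 2132)
HEADER_LEN = 236                      # fixed BOOTP header that precedes the cookie
OPT_PAD, OPT_END = 0, 255
OPT_HOSTNAME, OPT_MSG_TYPE, OPT_PARAM_REQ_LIST, OPT_USER_CLASS = 12, 53, 55, 77


def parse_options(packet: bytes) -> Dict[int, bytes]:
    """Walk the option TLVs that follow the magic cookie.

    Repeated codes are concatenated (RFC 3396). A truncated option raises
    ValueError instead of returning partial data, so a malformed packet is
    never cached or forwarded as a half-parsed fingerprint.
    """
    if packet[HEADER_LEN:HEADER_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet: magic cookie missing")
    opts: Dict[int, bytes] = {}
    pos = HEADER_LEN + 4
    while pos < len(packet):
        code = packet[pos]
        if code == OPT_PAD:
            pos += 1
            continue
        if code == OPT_END:
            break
        if pos + 2 > len(packet):
            raise ValueError(f"option {code}: length byte missing")
        length = packet[pos + 1]
        value = packet[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code}: truncated")
        opts[code] = opts.get(code, b"") + value
        pos += 2 + length
    return opts


def profiling_attributes(packet: bytes) -> Dict[str, object]:
    """Return the client MAC plus options 12, 55 and 77 as ISE would receive them."""
    opts = parse_options(packet)
    hlen = packet[2]
    mac_hex = packet[28:28 + hlen].hex()          # chaddr starts at offset 28
    return {
        "client-mac": ".".join(mac_hex[i:i + 4] for i in range(0, len(mac_hex), 4)),
        "hostname": opts.get(OPT_HOSTNAME, b"").decode("ascii", "replace"),
        "parameter-request-list": list(opts.get(OPT_PARAM_REQ_LIST, b"")),
        "user-class": opts.get(OPT_USER_CLASS, b"").decode("ascii", "replace"),
    }


def _option(code: int, value: bytes) -> bytes:
    return bytes([code, len(value)]) + value


def build_sample_discover() -> bytes:
    """Constructed DHCPDISCOVER (not a capture) from the client 2477.031b.aa18."""
    chaddr = bytes.fromhex("2477031baa18")
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,                     # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops
        0x3903F326, 0, 0x8000,          # xid (constructed), secs, flags (broadcast bit)
        b"", b"", b"", b"",             # ciaddr, yiaddr, siaddr, giaddr (zero-padded)
        chaddr, b"", b"",               # chaddr, sname, file (zero-padded by struct)
    )
    options = (
        _option(OPT_MSG_TYPE, b"\x01")                            # DHCPDISCOVER
        + _option(OPT_HOSTNAME, b"lab-client-01")
        + bytes([OPT_PAD])                                        # a pad byte is legal
        + _option(OPT_PARAM_REQ_LIST, bytes([1, 3, 6, 15, 119, 252]))
        + _option(OPT_USER_CLASS, b"lab-users")
        + bytes([OPT_END])
    )
    return header + MAGIC_COOKIE + options


if __name__ == "__main__":
    for key, value in profiling_attributes(build_sample_discover()).items():
        print(f"{key:24} {value}")
```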

Configuration to Send DHCP Options 55 and 77 to ISE (GUI)
Procedure

Step 1 Choose Configuration > Tags & Profiles > Policy.
Step 2 On the Policy Profile page, click Add to view the Add Policy Profile window.
Step 3 Click the Access Policies tab, and check the RADIUS Profiling and DHCP TLV Caching check boxes to configure RADIUS profiling and DHCP TLV caching on a WLAN.
Step 4 Click Save & Apply to Device.

Configuration to Send DHCP Options 55 and 77 to ISE (CLI)

Procedure

Step 1
configure terminal
Example:
Device# configure terminal

Enters global configuration mode.

Step 2
wireless profile policy profile-policy
Example:
Device(config)# wireless profile policy rr-xyz-policy-1

Configures the WLAN policy profile and enters wireless policy configuration mode.

Step 3
dhcp-tlv-caching
Example:
Device(config-wireless-policy)# dhcp-tlv-caching

Configures DHCP TLV caching on a WLAN.

Step 4
radius-profiling
Example:
Device(config-wireless-policy)# radius-profiling

Configures client RADIUS profiling on a WLAN.

Step 5
end
Example:
Device(config-wireless-policy)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Configuring EAP Request Timeout (GUI)
Follow the steps given below to configure the EAP Request Timeout through the GUI:
Procedure

Step 1 Choose Configuration > Security > Advanced EAP.
Step 2 In the EAP-Identity-Request Timeout field, specify the amount of time (in seconds) in which the device attempts to send an EAP identity request to wireless clients using local EAP.
Step 3 In the EAP-Identity-Request Max Retries field, specify the maximum number of times that the device attempts to retransmit the EAP identity request to wireless clients using local EAP.
Step 4 Set EAP Max-Login Ignore Identity Response to Enabled state to limit the number of clients that can be connected to the device with the same username. You can log in up to eight times from different clients (PDA, laptop, IP phone, and so on) on the same device. The default state is Disabled.
Step 5 In the EAP-Request Timeout field, specify the amount of time (in seconds) in which the device attempts to send an EAP request to wireless clients using local EAP.
Step 6 In the EAP-Request Max Retries field, specify the maximum number of times that the device attempts to retransmit the EAP request to wireless clients using local EAP.
Step 7 In the EAPOL-Key Timeout field, specify the amount of time (in seconds) in which the device attempts to send an EAP key over the LAN to wireless clients using local EAP.
Step 8 In the EAPOL-Key Max Retries field, specify the maximum number of times that the device attempts to send an EAP key over the LAN to wireless clients using local EAP.
Step 9 In the EAP-Broadcast Key Interval field, specify the time interval between rotations of the broadcast encryption key used for clients and click Apply.

Note: After configuring the EAP-Broadcast key interval to a new time period, you must shut down or restart the WLAN for the changes to take effect. Once the WLAN is shut down or restarted, the M5 and M6 packets are exchanged when the configured timer value expires.


Configuring EAP Request Timeout

Procedure

Step 1
configure terminal
Example:
Device# configure terminal

Enters global configuration mode.

Step 2
wireless wps client-exclusion dot1x-timeout
Example:
Device(config)# wireless wps client-exclusion dot1x-timeout

Enables exclusion on timeout and no response.
By default, this feature is enabled. To disable it, prepend no to the command.

Step 3
end
Example:
Device(config)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Configuring EAP Request Timeout in Wireless Security (CLI)

Procedure

Step 1
configure terminal
Example:
Device# configure terminal

Enters global configuration mode.

Step 2
wireless security dot1x request {retries 0-20 | timeout 1-120}
Example:
Device(config)# wireless security dot1x request timeout 60

Configures the EAP request retransmission timeout value in seconds.

Step 3
end
Example:
Device(config)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.


Captive Portal

Captive Portal Configuration
This feature enables you to configure multiple web authentication URLs (including external captive URLs) for the same SSID based on an AP. The default setting is to use the Global URL for authentication. The override option is available at WLAN and AP level. The order of precedence is:
· AP
· WLAN
· Global configuration

Restrictions for Captive Portal Configuration
· This configuration is supported in a standalone controller only.
· Export-Anchor configuration is not supported.

Configuring Captive Portal (GUI)
Procedure

Step 1 Choose Configuration > Tags & Profiles > WLANs.
Step 2 Click Add.
Step 3 In the General tab, enter the Profile Name, the SSID, and the WLAN ID.
Step 4 In the Security > Layer2 tab, uncheck the WPA Policy, AES and 802.1x check boxes.
Step 5 In the Security > Layer3 tab, choose the parameter map from the Web Auth Parameter Map drop-down list and the authentication list from the Authentication List drop-down list.
Step 6 In the Security > AAA tab, choose the Authentication list from the Authentication List drop-down list.
Step 7 Click Apply to Device.
Step 8 Choose Configuration > Security > Web Auth.
Step 9 Choose a Web Auth Parameter Map.
Step 10 In the General tab, enter the Maximum HTTP connections and Init-State Timeout(secs), and choose webauth from the Type drop-down list.
Step 11 In the Advanced tab, under the Redirect to external server settings, enter the Redirect for log-in server.
Step 12 Click Update & Apply.


Configuring Captive Portal

Procedure

Step 1
configure terminal
Example:
Device# configure terminal

Enters global configuration mode.

Step 2
wlan {profile-name | shutdown} network-name
Example:
Device(config)# wlan edc6 6 edc

Configures the WLAN profile. Enables or disables all WLANs and creates the WLAN identifier. The profile-name and the SSID network name should be up to 32 alphanumeric characters.

Step 3
ip {access-group | verify} web IPv4-ACL-Name
Example:
Device(config-wlan)# ip access-group web CPWebauth

Configures the WLAN web ACL.
Note: The WLAN needs to be disabled before performing this operation.

Step 4
no security wpa
Example:
Device(config-wlan)# no security wpa

Disables WPA security.

Step 5
no security wpa akm dot1x
Example:
Device(config-wlan)# no security wpa akm dot1x

Disables security AKM for dot1x.

Step 6
no security wpa wpa2 ciphers aes
Example:
Device(config-wlan)# no security wpa wpa2 ciphers aes

Disables WPA2 ciphers for AES.

Step 7
security web-auth {authentication-list authentication-list-name | authorization-list authorization-list-name | on-macfilter-failure | parameter-map parameter-map-name}
Example:
Device(config-wlan)# security web-auth authentication-list cp-webauth
Device(config-wlan)# security web-auth parameter-map parMap6

Enables web authentication for the WLAN. Here,
· authentication-list authentication-list-name: Sets the authentication list for IEEE 802.1x.
· authorization-list authorization-list-name: Sets the override-authorization list for IEEE 802.1x.
· on-macfilter-failure: Enables web authentication on MAC filter failure.
· parameter-map parameter-map-name: Configures the parameter map.
Note: When security web-auth is enabled, the default authentication-list and the global parameter-map are mapped for any authentication-list and parameter-map that are not explicitly specified.

Step 8
no shutdown
Example:
Device(config-wlan)# no shutdown

Enables the WLAN.

Step 9
exit
Example:
Device(config-wlan)# exit

Exits from the WLAN configuration.

Step 10
parameter-map type webauth parameter-map-name
Example:
Device(config)# parameter-map type webauth parMap6

Creates a parameter map and enters parameter-map webauth configuration mode.

Step 11
type webauth
Example:
Device(config-params-parameter-map)# type webauth

Configures the webauth type parameter.

Step 12
timeout init-state sec <timeout-seconds>
Example:
Device(config-params-parameter-map)# timeout init-state sec 3600

Configures the WEBAUTH timeout in seconds. The valid range for the time in sec parameter is 60 seconds to 3932100 seconds.

Step 13
redirect for-login <URL-String>
Example:
Device(config-params-parameter-map)# redirect for-login https://172.16.100.157/portal/login.html

Configures the URL string for redirect during login.

Step 14
exit
Example:
Device(config-params-parameter-map)# exit

Exits the parameters configuration.

Step 15
wireless tag policy policy-tag-name
Example:
Device(config)# wireless tag policy policy_tag_edc6

Configures a policy tag and enters policy tag configuration mode.

Step 16
wlan wlan-profile-name policy policy-profile-name
Example:
Device(config-policy-tag)# wlan edc6 policy policy_profile_flex

Attaches a policy profile to a WLAN profile.

Step 17
end
Example:
Device(config-policy-tag)# end

Saves the configuration, exits configuration mode, and returns to privileged EXEC mode.

Captive Portal Configuration - Example
The following example shows how you can have APs at different locations, broadcasting the same SSID but redirecting clients to different redirect portals:
Configuring multiple parameter maps pointing to different redirect portals:
parameter-map type webauth parMap1
 type webauth
 timeout init-state sec 21600
 redirect for-login https://172.16.12.3:8080/portal/PortalSetup.action?portal=cfdbce00-2ce2-11e8-b83c-005056a06b27
 redirect portal ipv4 172.16.12.3
!
!
parameter-map type webauth parMap11
 type webauth
 timeout init-state sec 21600
 redirect for-login https://172.16.12.4:8443/portal/PortalSetup.action?portal=094e7270-3808-11e8-9797-02421e4cae0c
 redirect portal ipv4 172.16.12.4
!
Associating these parameter maps to different WLANs:
wlan edc1 1 edc
 ip access-group web CPWebauth
 no security wpa
 no security wpa akm dot1x
 no security wpa wpa2 ciphers aes
 security web-auth
 security web-auth authentication-list cp-webauth
 security web-auth parameter-map parMap11
 no shutdown
wlan edc2 2 edc
 ip access-group web CPWebauth
 no security wpa
 no security wpa akm dot1x
 no security wpa wpa2 ciphers aes
 security web-auth
 security web-auth authentication-list cp-webauth
 security web-auth parameter-map parMap1
 no shutdown
Note: All WLANs have identical SSIDs.
Associating WLANs to different policy tags:
wireless tag policy policy_tag_edc1
 wlan edc1 policy policy_profile_flex
wireless tag policy policy_tag_edc2
 wlan edc2 policy policy_profile_flex
Assigning these policy tags to the desired APs:
ap E4AA.5D13.14DC
 policy-tag policy_tag_edc1
 site-tag site_tag_flex
ap E4AA.5D2C.3CAC
 policy-tag policy_tag_edc2
 site-tag site_tag_flex


CHAPTER 96
Authentication and Authorization Between Multiple RADIUS Servers
· Information About Authentication and Authorization Between Multiple RADIUS Servers, on page 897
· Configuring 802.1X Security for WLAN with Split Authentication and Authorization Servers, on page 898
· Configuring Web Authentication for WLAN with Split Authentication and Authorization Servers, on page 903
· Verifying Split Authentication and Authorization Configuration, on page 905
· Configuration Examples, on page 906
Information About Authentication and Authorization Between Multiple RADIUS Servers
Cisco Catalyst 9800 Series Wireless Controller uses the approach of a request and response transaction with a single RADIUS server that combines both authentication and authorization. You can split the authentication and authorization on the controller between multiple RADIUS servers. A RADIUS server can assume the role of either an authentication server, an authorization server, or both. In cases where there are disparate RADIUS servers for authentication and authorization, the Session Aware Networking (SANet) component on the controller now allows authentication on one server and authorization on another when a client joins the controller. Authentication can be done using the Cisco ISE, Cisco DNAC, Free RADIUS, or any third-party RADIUS server. After successful authentication from an authentication server, the controller relays the attributes received from the authentication server to another RADIUS server designated as the authorization server. The authorization server then performs the following:
· Processes the received attributes with the other policies or rules defined on the server.
· Derives attributes as part of the authorization response and returns them to the controller.
Note: In a split authentication and authorization configuration, both servers must be available and must successfully authenticate and authorize with an ACCESS-ACCEPT for a session to be accepted by the controller.

Configuring 802.1X Security for WLAN with Split Authentication and Authorization Servers

Configuring Explicit Authentication and Authorization Server List (GUI)
Procedure

Step 1 Choose Configuration > Security > AAA.
Step 2 On the Authentication Authorization and Accounting page, click the Servers/Groups tab.
Step 3 Click the type of AAA server you want to configure from the following options:
· RADIUS
· TACACS+
· LDAP
In this procedure, the RADIUS server configuration is described.
Step 4 With the RADIUS option selected, click Add.
Step 5 Enter a name for the RADIUS server and the IPv4 or IPv6 address of the server.
Step 6 Enter the authentication and encryption key to be used between the device and the RADIUS daemon running on the RADIUS server. You can choose to use either a PAC key or a non-PAC key.
Step 7 Enter the server timeout value; the valid range is 1 to 1000 seconds.
Step 8 Enter a retry count; the valid range is 0 to 100.
Step 9 Leave the Support for CoA field in Enabled state.
Step 10 Click Save & Apply to Device.
Step 11 On the Authentication Authorization and Accounting page, with the RADIUS option selected, click the Server Groups tab.
Step 12 Click Add.
Step 13 In the Create AAA RADIUS Server Group window that is displayed, enter a name for the RADIUS server group.
Step 14 From the MAC-Delimiter drop-down list, choose the delimiter to be used in the MAC addresses that are sent to the RADIUS servers.
Step 15 From the MAC Filtering drop-down list, choose a value based on which to filter MAC addresses.
Step 16 To configure dead time for the server group and direct AAA traffic to alternative groups of servers that have different operational characteristics, in the Dead-Time field, enter the amount of time, in minutes, after which a server is assumed to be dead.
Step 17 Choose the servers that you want to include in the server group from the Available Servers list and move them to the Assigned Servers list.
Step 18 Click Save & Apply to Device.


Configuring Explicit Authentication Server List (GUI)
Procedure

Step 1 Choose Configuration > Security > AAA > Servers/Groups.
Step 2 Choose the RADIUS > Servers tab.
Step 3 Click Add to add a new server or click an existing server.
Step 4 Enter the Name, the Server Address, Key, Confirm Key, Auth Port and Acct Port.
Step 5 Check the PAC Key check box and enter the PAC Key and Confirm PAC Key.
Step 6 Click Apply to Device.
Step 7 Choose RADIUS > Server Groups and click Add to add a new server group, or click an existing server group.
Step 8 Enter the Name of the server group, choose the servers that you want to include in the server group from the Available Servers list and move them to the Assigned Servers list. Click Apply to Device.

Configuring Explicit Authentication Server List (CLI)

Procedure

Step 1
enable
Example:
Device> enable

Enables privileged EXEC mode. Enter your password if prompted.

Step 2
configure terminal
Example:
Device# configure terminal

Enters global configuration mode.

Step 3
radius server server-name
Example:
Device(config)# radius server free-radius-authc-server

Specifies the RADIUS server name.

Step 4
address ipv4 address auth-port auth_port_number acct-port acct_port_number
Example:
Device(config-radius-server)# address ipv4 9.2.62.56 auth-port 1812 acct-port 1813

Specifies the RADIUS server parameters.

Step 5
[pac] key key
Example:
Device(config-radius-server)# key cisco

Specifies the authentication and encryption key used between the device and the RADIUS daemon running on the RADIUS server.

Step 6
exit
Example:
Device(config-radius-server)# exit

Returns to global configuration mode.

Step 7
aaa group server radius server-group
Example:
Device(config)# aaa group server radius authc-server-group

Creates a RADIUS server-group identification. server-group refers to the server group name. The valid range is from 1 to 32 alphanumeric characters.
If the IP address of the RADIUS server is not added to the routes defined for the controller, the default route is used. We recommend that you define a specific route to source the traffic from the defined SVI in the AAA server group.

Step 8
server name server-name
Example:
Device(config-sg-radius)# server name free-radius-authc-server

Configures the server name.

Step 9
end
Example:
Device(config-sg-radius)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.
For more information, see Configuring AAA for External Authentication.

Configuring Explicit Authorization Server List (GUI)
Procedure

Step 1 Choose Configuration > Security > AAA > Servers/Groups.
Step 2 Choose the RADIUS > Servers tab.
Step 3 Click Add to add a new server or click an existing server.
Step 4 Enter the Name, the Server Address, Key, Confirm Key, Auth Port and Acct Port.
Step 5 Check the PAC Key check box and enter the PAC Key and Confirm PAC Key.
Step 6 Click Apply to Device.
Step 7 Choose RADIUS > Server Groups and click Add to add a new server group, or click an existing server group.
Step 8 Enter the Name of the server group, choose the servers that you want to include in the server group from the Available Servers list and move them to the Assigned Servers list. Click Apply to Device.


Configuring Explicit Authorization Server List (CLI)

Procedure

Step 1
enable
Example:
Device> enable

Enables privileged EXEC mode. Enter your password if prompted.

Step 2
configure terminal
Example:
Device# configure terminal

Enters global configuration mode.

Step 3
radius server server-name
Example:
Device(config)# radius server cisco-dnac-authz-server

Specifies the RADIUS server name.

Step 4
address ipv4 address auth-port auth_port_number acct-port acct_port_number
Example:
Device(config-radius-server)# address ipv4 9.4.62.32 auth-port 1812 acct-port 1813

Specifies the RADIUS server parameters.

Step 5
[pac] key key
Example:
Device(config-radius-server)# pac key cisco

Specifies the authorization and encryption key used between the device and the RADIUS daemon running on the RADIUS server.

Step 6
exit
Example:
Device(config-radius-server)# exit

Returns to global configuration mode.

Step 7
aaa group server radius server-group
Example:
Device(config)# aaa group server radius authz-server-group

Creates a RADIUS server-group identification.
Note: server-group refers to the server group name. The valid range is from 1 to 32 alphanumeric characters.

Step 8
server name server-name
Example:
Device(config-sg-radius)# server name cisco-dnac-authz-server

Configures the server name.

Step 9
end
Example:
Device(config-sg-radius)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Configuring Authentication and Authorization List for 802.1X Security (GUI)
Procedure

Step 1: Choose Configuration > Tags & Profiles > WLANs.
Step 2: Click Add.
Step 3: In the General tab, enter the Profile Name, the SSID, and the WLAN ID.
Step 4: In the Security > AAA tab, choose the Authentication list from the Authentication List drop-down list.
Step 5: Click Apply to Device.

Configuring Authentication and Authorization List for 802.1X Security

Procedure

Step 1: enable
  Example:
  Device> enable
  Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2: configure terminal
  Example:
  Device# configure terminal
  Purpose: Enters global configuration mode.

Step 3: wlan wlan-name wlan-id SSID-name
  Example:
  Device(config)# wlan wlan-foo 222 foo-ssid
  Purpose: Enters WLAN configuration sub-mode.
  · wlan-name: Is the name of the configured WLAN.
  · wlan-id: Is the wireless LAN identifier. Range is from 1 to 512.
  · SSID-name: Is the SSID name which can contain 32 alphanumeric characters.
  Note: If you have already configured this command, enter the wlan wlan-name command.

Step 4: security dot1x authentication-list authenticate-list-name
  Example:
  Device(config-wlan)# security dot1x authentication-list authc-server-group
  Purpose: Enables the authentication list for dot1x security.

Step 5: security dot1x authorization-list authorize-list-name
  Example:
  Device(config-wlan)# security dot1x authorization-list authz-server-group
  Purpose: Specifies the authorization list for dot1x security. For more information on the Cisco Digital Network Architecture Center (DNAC), see the DNAC documentation.

Step 6: end
  Example:
  Device(config-wlan)# end
  Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Configuring Web Authentication for WLAN with Split Authentication and Authorization Servers

Configuring Authentication and Authorization List for Web Authentication (GUI)
Procedure

Step 1: Choose Configuration > Tags & Profiles > WLANs.
Step 2: Click Add.
Step 3: In the General tab, enter the Profile Name, the SSID, and the WLAN ID.
Step 4: In the Security > Layer2 tab, uncheck the WPAPolicy, AES and 802.1x check boxes.
Step 5: Check the MAC Filtering check box to enable the feature. With MAC Filtering enabled, choose the Authorization list from the Authorization List drop-down list.
Step 6: In the Security > AAA tab, choose the Authentication list from the Authentication List drop-down list.
Step 7: Click Apply to Device.


Configuring Authentication and Authorization List for Web Authentication

Procedure

Step 1: enable
  Example:
  Device> enable
  Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2: configure terminal
  Example:
  Device# configure terminal
  Purpose: Enters global configuration mode.

Step 3: wlan wlan-name wlan-id SSID-name
  Example:
  Device(config)# wlan wlan-bar 1 bar-ssid
  Purpose: Enters WLAN configuration sub-mode.
  · wlan-name: Is the name of the configured WLAN.
  · wlan-id: Is the wireless LAN identifier.
  · SSID-name: Is the SSID name which can contain 32 alphanumeric characters.
  Note: If you have already configured this command, enter the wlan wlan-name command.

Step 4: no security wpa
  Example:
  Device(config-wlan)# no security wpa
  Purpose: Disables WPA security.

Step 5: no security wpa akm dot1x
  Example:
  Device(config-wlan)# no security wpa akm dot1x
  Purpose: Disables security AKM for dot1x.

Step 6: no security wpa wpa2
  Example:
  Device(config-wlan)# no security wpa wpa2
  Purpose: Disables WPA2 security.

Step 7: security web-auth {authentication-list authenticate-list-name | authorization-list authorize-list-name}
  Example:
  Device(config-wlan)# security web-auth authentication-list authc-server-group
  Purpose: Enables the authentication or authorization list for dot1x security.
  Note: The following error is displayed if you do not disable WPA security, AKM for dot1x, and WPA2 security:
  % switch-1:dbm:wireless:web-auth cannot be enabled. Invalid WPA/WPA2 settings.

Step 8: end
  Example:
  Device(config-wlan)# end
  Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Verifying Split Authentication and Authorization Configuration

To view the WLAN details, use the following command:

Device# show run wlan
wlan wlan-foo 2 foo-ssid
 security dot1x authentication-list authc-server-group
 security dot1x authorization-list authz-server-group

wlan wlan-bar 3 bar-ssid
 security web-auth authentication-list authc-server-group
 security web-auth authorization-list authz-server-group

To view the AAA authentication and server details, use the following command:

Device# show run aaa
!
aaa authentication dot1x default group radius
username cisco privilege 15 password 0 cisco
!
!
radius server free-radius-authc-server
 address ipv4 9.2.62.56 auth-port 1812 acct-port 1813
 key cisco
!
radius server cisco-dnac-authz-server
 address ipv4 9.4.62.32 auth-port 1812 acct-port 1813
 pac key cisco
!
!
aaa new-model
aaa session-id common
!

To view the authentication and authorization list for 802.1X security, use the following command:

Device# show wlan name wlan-foo | sec 802.1x
802.1x authentication list name : authc-server-group
802.1x authorization list name  : authz-server-group
802.1x                          : Enabled

To view the authentication and authorization list for web authentication, use the following command:

Device# show wlan name wlan-bar | sec Webauth
Webauth On-mac-filter Failure    : Disabled
Webauth Authentication List Name : authc-server-group
Webauth Authorization List Name  : authz-server-group
Webauth Parameter Map            : Disabled

Configuration Examples
Configuring Cisco Catalyst 9800 Series Wireless Controller for Authentication with a Third-Party RADIUS Server: Example

This example shows how to configure Cisco Catalyst 9800 Series Wireless Controller for authentication with a third-party RADIUS server:

Device(config)# radius server free-radius-authc-server
Device(config-radius-server)# address ipv4 9.2.62.56 auth-port 1812 acct-port 1813
Device(config-radius-server)# key cisco
Device(config-radius-server)# exit
Device(config)# aaa group server radius authc-server-group
Device(config)# server name free-radius-authc-server
Device(config)# end

Configuring Cisco Catalyst 9800 Series Wireless Controller for Authorization with Cisco ISE or DNAC: Example

This example shows how to configure Cisco Catalyst 9800 Series Wireless Controller for authorization with Cisco ISE or DNAC:

Device(config)# radius server cisco-dnac-authz-server
Device(config-radius-server)# address ipv4 9.4.62.32 auth-port 1812 acct-port 1813
Device(config-radius-server)# pac key cisco
Device(config-radius-server)# exit
Device(config)# aaa group server radius authz-server-group
Device(config)# server name cisco-dnac-authz-server
Device(config)# end
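The verification commands in this chapter show the pieces that have to agree with each other: each list named on a WLAN must be a defined server group, each group member must be a defined RADIUS server, and each server needs a key. The following Python script is an added example, not part of this guide or of Cisco's software. It parses a running-config fragment of that shape and reports every reference that does not resolve. The SAMPLE_CONFIG text is constructed from the examples on this page, with one deliberately undefined list name (missing-group) so the audit has a finding to report; the function names are the example's own.

```python
import re

# Constructed running-config fragment in the shape shown in the verification
# section above. 'missing-group' on wlan-bar is deliberately undefined so the
# audit has something to report.
SAMPLE_CONFIG = """\
aaa new-model
radius server free-radius-authc-server
 address ipv4 9.2.62.56 auth-port 1812 acct-port 1813
 key cisco
!
radius server cisco-dnac-authz-server
 address ipv4 9.4.62.32 auth-port 1812 acct-port 1813
 pac key cisco
!
aaa group server radius authc-server-group
 server name free-radius-authc-server
!
aaa group server radius authz-server-group
 server name cisco-dnac-authz-server
!
wlan wlan-foo 2 foo-ssid
 security dot1x authentication-list authc-server-group
 security dot1x authorization-list authz-server-group
!
wlan wlan-bar 3 bar-ssid
 security web-auth authentication-list authc-server-group
 security web-auth authorization-list missing-group
!
"""

BLOCK_RE = re.compile(r"^(radius server|aaa group server radius|wlan) (\S+)")
LIST_RE = re.compile(r"^security (dot1x|web-auth) (authentication|authorization)-list (\S+)$")


def parse_blocks(config):
    """Map (block kind, name) -> list of the block's indented sub-mode lines."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
            continue
        current = None                      # '!' or any top-level line ends the block
        match = BLOCK_RE.match(line)
        if match:
            current = (match.group(1), match.group(2))
            blocks[current] = []
    return blocks


def audit(config):
    """Return a list of findings; an empty list means every reference resolves."""
    blocks = parse_blocks(config)
    servers = {name: body for (kind, name), body in blocks.items() if kind == "radius server"}
    groups = {name: body for (kind, name), body in blocks.items() if kind == "aaa group server radius"}
    wlans = {name: body for (kind, name), body in blocks.items() if kind == "wlan"}
    findings = []
    for name, body in servers.items():
        # A server with neither 'key' nor 'pac key' has no shared secret configured.
        if not any(line.startswith(("key ", "pac key ")) for line in body):
            findings.append(f"radius server {name}: no key configured")
    for name, body in groups.items():
        for line in body:
            if line.startswith("server name "):
                member = line.split()[2]
                if member not in servers:
                    findings.append(f"aaa group server radius {name}: member {member} is not a defined radius server")
    for name, body in wlans.items():
        for line in body:
            match = LIST_RE.match(line)
            if match and match.group(3) not in groups:
                findings.append(f"wlan {name}: {match.group(1)} {match.group(2)} list {match.group(3)} is not a defined server group")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Feed it the text of `show run wlan` and `show run aaa` joined together; only the three block types it recognizes are inspected, so other configuration can be present without affecting the result.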

CHAPTER 97

AAA Dead-Server Detection

· Information About AAA Dead-Server Detection, on page 907
· Prerequisites for AAA Dead-Server Detection, on page 908
· Restrictions for AAA Dead-Server Detection, on page 908
· Configuring AAA Dead-Server Detection (CLI), on page 908
· Verifying AAA Dead-Server Detection, on page 909
Information About AAA Dead-Server Detection
The AAA Dead-Server Detection feature allows you to configure the criteria used to mark a RADIUS server as dead. If you have more than one RADIUS server, the following concepts come into play:

· Deadtime--Defines the time in minutes that a server marked as DEAD is held in that state. Once the deadtime expires, the controller marks the server as UP (ALIVE) and notifies the registered clients about the state change. If the server is still unreachable after the state is marked as UP and the DEAD criteria are met, the server is marked as DEAD again for the deadtime interval.

Note: You can configure deadtime for each server group or at the global level.

· Dead-criteria--To declare a server as DEAD, you need to configure dead-criteria, that is, the conditions that determine when a RADIUS server is considered unavailable or dead.

Using this feature results in less deadtime and quicker packet processing.
Criteria for Marking a RADIUS Server As Dead

The AAA Dead-Server Detection feature allows you to determine the criteria that are used to mark a RADIUS server as dead. That is, you can configure the minimum amount of time, in seconds, that must elapse from the time that the controller last received a valid packet from the RADIUS server to the time the server is marked as dead. If a packet has not been received since the controller booted, and there is a timeout, the time criterion will be treated as though it has been met. In addition, you can configure the number of consecutive timeouts that must occur on the controller before the RADIUS server is marked as dead. If the server performs both authentication and accounting, both types of packets are included in the number. Improperly constructed packets are counted as though they are timeouts. Both initial packet transmission and retransmissions are counted. (Each timeout causes one retransmission to be sent.)

Note: Both the time criterion and tries criterion must be met for the server to be marked as dead.

The RADIUS dead-server detection configuration will result in the prompt detection of RADIUS servers that have stopped responding. This configuration will also result in the avoidance of servers being improperly marked as dead when they are "swamped" (responding slowly) and the avoidance of the state of servers being rapidly changed from dead to live to dead again. This prompt detection of non-responding RADIUS servers and the avoidance of swamped and dead-to-live-to-dead-again servers will result in less deadtime and quicker packet processing.
Prerequisites for AAA Dead-Server Detection
· You must have access to a RADIUS server.
· You should be familiar with configuring a RADIUS server.
· You should be familiar with configuring Authentication, Authorization, and Accounting (AAA).
· Before a server can be marked as dead, you must configure radius-server dead-criteria time minutes tries number-of-tries to mark the server as DOWN. Also, you must configure the radius-server deadtime time-in-mins to retain the server in DEAD status.

Restrictions for AAA Dead-Server Detection
· Original transmissions are not counted in the number of consecutive timeouts that must occur on the controller before the server is marked as dead--only the number of retransmissions are counted.
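To make the two criteria concrete, here is a small Python model of the state machine described above. It is an added example, not Cisco's implementation: RadiusServerMonitor, simulate and the event names are this example's own. A server goes DEAD only when the tries counter has reached dead-criteria tries and at least dead-criteria time seconds have passed since the last valid reply (or nothing has been received since boot); it is then held DEAD for deadtime minutes and marked UP again after that. The Information and Restrictions sections differ on whether original transmissions count toward the tries; the model follows the Restrictions section and counts retransmission timeouts only. How a deadtime of 0 is treated is the model's own assumption, noted in the code.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class RadiusServerMonitor:
    """Per-server state for the dead-server rules described above (example model)."""
    name: str
    dead_time_s: int       # radius-server dead-criteria time
    dead_tries: int        # radius-server dead-criteria tries
    deadtime_min: int      # radius-server deadtime (0 = not configured)
    state: str = "UP"
    last_valid_rx: Optional[float] = None   # None: nothing received since boot
    consecutive_timeouts: int = 0
    dead_since: Optional[float] = None
    transitions: List[Tuple[float, str]] = field(default_factory=list)

    def _time_criterion_met(self, now: float) -> bool:
        # A server that has never answered since boot meets the time criterion
        # as soon as a timeout occurs.
        if self.last_valid_rx is None:
            return True
        return now - self.last_valid_rx >= self.dead_time_s

    def _expire_deadtime(self, now: float) -> None:
        # After deadtime the server is marked UP again. With deadtime 0 this
        # model holds the server DEAD for no time at all; that is an assumption
        # of the example, the guide only says deadtime is then "not configured".
        if self.state == "DEAD" and now - self.dead_since >= self.deadtime_min * 60:
            self.state = "UP"
            self.dead_since = None
            self.consecutive_timeouts = 0
            self.transitions.append((now, "UP"))

    def valid_reply(self, now: float) -> str:
        """A well-formed reply arrived: reset the tries counter and the timestamp."""
        self._expire_deadtime(now)
        self.last_valid_rx = now
        self.consecutive_timeouts = 0
        return self.state

    def timeout(self, now: float, retransmission: bool = True) -> str:
        """A request timed out (or a malformed reply arrived, which the guide
        counts as a timeout). Only retransmission timeouts count toward tries."""
        self._expire_deadtime(now)
        if self.state == "DEAD":
            return self.state
        if retransmission:
            self.consecutive_timeouts += 1
        # Both criteria must hold before the server is marked DEAD.
        if self.consecutive_timeouts >= self.dead_tries and self._time_criterion_met(now):
            self.state = "DEAD"
            self.dead_since = now
            self.transitions.append((now, "DEAD"))
        return self.state


def simulate(events, **config) -> RadiusServerMonitor:
    """Replay (time, kind) events; kind is 'reply', 'timeout' or 'original-timeout'."""
    monitor = RadiusServerMonitor(**config)
    for when, kind in events:
        if kind == "reply":
            monitor.valid_reply(when)
        elif kind == "timeout":
            monitor.timeout(when, retransmission=True)
        elif kind == "original-timeout":
            monitor.timeout(when, retransmission=False)
        else:
            raise ValueError(kind)
    return monitor


if __name__ == "__main__":
    # Same values as the procedure's examples: time 5, tries 4, deadtime 5.
    # Four timeouts by t=4 satisfy tries, but only 4 s have passed since the
    # reply at t=0, so the server stays UP until the timeout at t=6.
    mon = simulate(
        [(0, "reply"), (1, "timeout"), (2, "timeout"), (3, "timeout"),
         (4, "timeout"), (6, "timeout"), (306, "timeout")],
        name="r1", dead_time_s=5, dead_tries=4, deadtime_min=5)
    print(mon.transitions)  # [(6, 'DEAD'), (306, 'UP')]
```

The timeline in the `__main__` block is the case the Note above is about: tries alone does not mark the server dead while a valid reply is still recent, and the DEAD state ends exactly deadtime minutes later.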

Configuring AAA Dead-Server Detection (CLI)

Procedure

Step 1: configure terminal
  Example:
  Device# configure terminal
  Purpose: Enters global configuration mode.

Step 2: aaa new-model
  Example:
  Device(config)# aaa new-model
  Purpose: Enables the AAA access control model.

Step 3: radius-server deadtime time-in-mins
  Example:
  Device(config)# radius-server deadtime 5
  Purpose: Defines the time in minutes that a server marked as DEAD is held in that state. Once the deadtime expires, the controller marks the server as UP (ALIVE) and notifies the registered clients about the state change. If the server is still unreachable after the state is marked as UP and the DEAD criteria are met, the server is marked as DEAD again for the deadtime interval.
  time-in-mins--Valid values range from 1 to 1440 minutes. Default value is zero. To return to the default value, use the no radius-server deadtime command.
  The radius-server deadtime command can be configured globally or per aaa group server level.
  You can use the show aaa dead-criteria or show aaa servers command to check for dead-server detection. If the default value is zero, deadtime is not configured.

Step 4: radius-server dead-criteria [time minutes] [tries number-of-tries]
  Example:
  Device(config)# radius-server dead-criteria time 5 tries 4
  Purpose: Declares a server as DEAD and configures the conditions that determine when a RADIUS server is considered unavailable or dead.
  minutes--Time in seconds during which no response is received from the RADIUS server to consider it as dead. Valid values range from 1 to 120 seconds.
  number-of-tries--Number of transmits to the RADIUS server without responses before marking the server as dead. Valid values range from 1 to 100.

Step 5: end
  Example:
  Device(config)# end
  Purpose: Exits configuration mode and enters privileged EXEC mode.

Verifying AAA Dead-Server Detection
To verify dead-criteria, use the following command:

Device# show run | s dead-criteria
radius-server dead-criteria time 20 tries 20

To verify the dead-criteria details, use the following command:

Device# show aaa dead-criteria radius <server>

Device# show aaa dead-criteria radius 8.109.0.55
RADIUS Server Dead Criteria:
Server Details:
  Address : 8.109.0.55
  Auth Port : 1645
  Acct Port : 1646
Server Group : radius
Dead Criteria Details:
  Configured Retransmits : 3
  Configured Timeout : 5
  Estimated Outstanding Access Transactions: 2
  Estimated Outstanding Accounting Transactions: 0
  Dead Detect Time : 30s
  Computed Retransmit Tries: 6
Statistics Gathered Since Last Successful Transaction
  Max Computed Outstanding Transactions: 3
  Max Computed Dead Detect Time: 90s
  Max Computed Retransmits : 18

To verify the state of servers, number of requests being processed, and so on, use the following command:

Device# show aaa servers | s WNCD
Platform State from WNCD (1) : current UP
Platform State from WNCD (2) : current UP
Platform State from WNCD (3) : current UP
Platform State from WNCD (4) : current UP
Platform State from WNCD (5) : current UP, duration 773s, previous duration 0s
Platform Dead: total time 0s, count 0
Quarantined: No

CHAPTER 98

RADIUS Server Load Balancing

· Information About RADIUS Server Load Balancing, on page 911
· Prerequisites for RADIUS Server Load Balancing, on page 913
· Restrictions for RADIUS Server Load Balancing, on page 913
· Enabling Load Balancing for a Named RADIUS Server Group (CLI), on page 913
Information About RADIUS Server Load Balancing
RADIUS Server Load Balancing Overview

By default, if two RADIUS servers are configured in a server group, only one is used. The other server acts as standby; if the primary server is declared dead, the secondary server receives all the load. If you need both servers to perform transactions actively, you need to enable load balancing.

Note: By default, load balancing is not enabled on the RADIUS server group.

If you enable load balancing in a RADIUS server group with two or more RADIUS servers, Server A and Server B each receive AAA transactions. The transaction queues of Server A and Server B are checked, and the server with the lower number of outstanding transactions is assigned the next batch of AAA transactions. Load balancing distributes batches of transactions to RADIUS servers in a server group, assigning each batch to the server with the lowest number of outstanding transactions in its queue. The process of assigning a batch of transactions is as follows:
1. The first transaction is received for a new batch.
2. All server transaction queues are checked.
3. The server with the lowest number of outstanding transactions is identified.
4. The identified server is assigned the next batch of transactions.

The batch size is a user-configured parameter. Changes in the batch size may impact CPU load and network throughput. As batch size increases, CPU load decreases and network throughput increases. However, if a large batch size is used, all available server resources may not be fully utilized. As batch size decreases, CPU load increases and network throughput decreases.
Note: There is no set number for large or small batch sizes. A batch with more than 50 transactions is considered large and a batch with fewer than 25 transactions is considered small.

Note: If a server group contains ten or more servers, we recommend that you set a high batch size to reduce CPU load.

Transaction Load Balancing Across RADIUS Server Groups

You can configure load balancing either per named RADIUS server group or for the global RADIUS server group. The load balancing server group must be referred to as "radius" in the authentication, authorization, and accounting (AAA) method lists. All public servers that are part of the RADIUS server group are then load balanced. You can configure authentication and accounting to use the same RADIUS server or different servers. In some cases, the same server can be used for preauthentication, authentication, or accounting transactions for a session. The preferred server, which is an internal setting and is set as the default, informs AAA to use the same server for the start and stop record for a session regardless of the server cost. When using the preferred server setting, ensure that the server that is used for the initial transaction (for example, authentication), the preferred server, is part of any other server group that is used for a subsequent transaction (for example, accounting). The preferred server is not used if one of the following criteria is true:
· The load-balance method least-outstanding ignore-preferred-server command is used.
· The preferred server is dead.
· The preferred server is in quarantine.
· The want server flag has been set, overriding the preferred server setting.
The want server flag, an internal setting, is used when the same server must be used for all stages of a multistage transaction regardless of the server cost. If the want server is not available, the transaction fails. You can use the load-balance method least-outstanding ignore-preferred-server command if you have either of the following configurations:
· Dedicated authentication server and a separate dedicated accounting server
· Network where you can track all call record statistics and call record details, including start and stop records and records that are stored on separate servers
If you have a configuration where authentication servers are a superset of accounting servers, the preferred server is not used.
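The batch-assignment steps and the preferred-server rules above can be followed in a short Python simulation. This is an added example, not Cisco's code: RadiusServer, LoadBalancedGroup and demo are names of the example's own, the two-server group and the batch size of 3 are constructed, and the want-server flag is not modelled. It shows a new batch going to the server with the fewest outstanding transactions, a later stage of a session sticking to its preferred server even when that server is busier, and the same stage going to the least loaded server instead when ignore-preferred-server is set or the preferred server is dead.

```python
class RadiusServer:
    """Minimal server record: the queue depth is what least-outstanding looks at."""

    def __init__(self, name: str):
        self.name = name
        self.outstanding = 0      # transactions sent and not yet answered
        self.dead = False
        self.quarantined = False

    def usable(self) -> bool:
        return not (self.dead or self.quarantined)


class LoadBalancedGroup:
    """One named server group with load-balance method least-outstanding."""

    def __init__(self, servers, batch_size=25, ignore_preferred_server=False):
        self.servers = list(servers)
        self.batch_size = batch_size
        self.ignore_preferred_server = ignore_preferred_server
        self._batch_server = None     # server that owns the current batch
        self._batch_left = 0          # transactions left in the current batch
        self.preferred = {}           # session id -> server that handled its first stage

    def _least_outstanding(self) -> RadiusServer:
        live = [s for s in self.servers if s.usable()]
        if not live:
            raise RuntimeError("no usable RADIUS server in the group")
        return min(live, key=lambda s: s.outstanding)   # ties go to the first listed

    def assign(self, session_id: str) -> RadiusServer:
        """Pick the server for one transaction and add it to that server's queue."""
        preferred = self.preferred.get(session_id)
        if (preferred is not None and not self.ignore_preferred_server
                and preferred.usable() and preferred in self.servers):
            chosen = preferred        # same server for the later stage, regardless of cost
        else:
            if self._batch_left == 0 or not self._batch_server.usable():
                # first transaction of a new batch: check every queue, take the shortest
                self._batch_server = self._least_outstanding()
                self._batch_left = self.batch_size
            chosen = self._batch_server
            self._batch_left -= 1
        chosen.outstanding += 1
        self.preferred.setdefault(session_id, chosen)
        return chosen

    def complete(self, server: RadiusServer) -> None:
        """A reply came back: one fewer outstanding transaction on that server."""
        server.outstanding = max(0, server.outstanding - 1)


def demo(ignore_preferred_server=False):
    """Six authentications, then one accounting start for session s4."""
    a, b = RadiusServer("A"), RadiusServer("B")
    group = LoadBalancedGroup([a, b], batch_size=3,
                              ignore_preferred_server=ignore_preferred_server)
    picks = [group.assign(f"s{i}").name for i in range(1, 7)]
    for _ in range(3):        # A's batch completes, so A is now the least loaded server
        group.complete(a)
    picks.append(group.assign("s4").name)
    return picks


if __name__ == "__main__":
    print(demo())                              # ['A', 'A', 'A', 'B', 'B', 'B', 'B']
    print(demo(ignore_preferred_server=True))  # ['A', 'A', 'A', 'B', 'B', 'B', 'A']
```

In the default run the accounting start for s4 goes back to B, the server that authenticated it, although A has an empty queue at that moment; with ignore-preferred-server the first transaction of a new batch is assigned by queue depth alone, which is the behaviour the text recommends for dedicated authentication and accounting servers.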


Note If a third-party RADIUS load balancer is used and RADIUS packets are routed based on the NAS source port, it is recommended to move to any other rule based on the following Attribute-Value Pairs (AVPs):
· If the load balancer uses NAS source port in the Access-Request to load balance, rules may not work as expected as the source port in NAS might change during transaction.
· If the load balancer compares AVPs between Access-Challenge and Access-Request to route packets, you will need to use the AVP value of t-State.
· If the load balancer compares AVPs in Access-Request from NAS, you will need to use one or a combination of the following AVPs:
· t-State value
· Calling-Station-ID and NAS IP or Identifier

Prerequisites for RADIUS Server Load Balancing
· Authentication, Authorization, and Accounting (AAA) must be configured on the RADIUS server.
· AAA RADIUS server groups must be configured.
· RADIUS must be configured for functions such as authentication, accounting, or static route download.

Restrictions for RADIUS Server Load Balancing
· Incoming RADIUS requests, such as Packet of Disconnect (POD) requests, are not supported.
· Load balancing is not supported on proxy RADIUS servers and private server groups.
· Load balancing is not supported on Central Web Authentication (CWA).

Enabling Load Balancing for a Named RADIUS Server Group (CLI)

Procedure

Step 1: configure terminal
  Example:
  Device# configure terminal
  Purpose: Enters global configuration mode.

Step 2: aaa group server radius group-name
  Example:
  Device(config)# aaa group server radius rad-sg
  Purpose: Enters server group configuration mode.

Step 3: server ip-address [auth-port port-number] [acct-port port-number]
  Example:
  Device(config-sg-radius)# server 192.0.2.238 auth-port 2095 acct-port 2096
  Purpose: Configures the IP address of the RADIUS server for the group server.

Step 4: load-balance method least-outstanding [batch-size number] [ignore-preferred-server]
  Example:
  Device(config-sg-radius)# load-balance method least-outstanding batch-size 30
  Purpose: Enables the least-outstanding load balancing for a named server group.

Step 5: end
  Example:
  Device(config-sg)# end
  Purpose: Exits server group configuration mode and enters privileged EXEC mode.

CHAPTER 99

Secure LDAP

· Information About SLDAP, on page 915
· Prerequisite for Configuring SLDAP, on page 917
· Restrictions for Configuring SLDAP, on page 917
· Configuring SLDAP, on page 917
· Configuring an AAA Server Group (GUI), on page 918
· Configuring a AAA Server Group, on page 919
· Configuring Search and Bind Operations for an Authentication Request, on page 920
· Configuring a Dynamic Attribute Map on an SLDAP Server, on page 921
· Verifying the SLDAP Configuration, on page 921
Information About SLDAP
Transport Layer Security (TLS)

The Transport Layer Security (TLS) is an application-level protocol that enables secure transactions of data through privacy, authentication, and data integrity. TLS relies upon certificates, public keys, and private keys to prove the identity of clients. The certificates are issued by the Certificate Authorities (CAs). Each certificate includes the following:
· The name of the authority that issued it.
· The name of the entity to which the certificate was issued.
· The public key of the entity.
· The timestamps of the entity that indicate the expiration date of the certificate.

You can find the TLS support for LDAP in RFC 2830, which is an extension to the LDAP protocol.

LDAP Operations

Bind

The bind operation is used to authenticate a user to the server. It is used to start a connection with the LDAP server. LDAP is a connection-oriented protocol. The client specifies the protocol version and authentication information.
LDAP supports the following binds:
· Authenticated bind--An authenticated bind is performed when a root Distinguished Name (DN) and password are available.
· Anonymous bind--In the absence of a root DN and password, an anonymous bind is performed.
In LDAP deployments, the search operation is performed first and the bind operation later. This is because, if a password attribute is returned as part of the search operation, the password verification can be done locally on an LDAP client. Thus, there is no need to perform an extra bind operation. If a password attribute is not returned, the bind operation can be performed later. Another advantage of performing a search operation first and a bind operation later is that the DN received in the search result can be used as the user DN instead of forming a DN by prefixing the username (cn attribute) with the base DN. All entries stored in an LDAP server have a unique DN.
The DN consists of two parts:
· Relative Distinguished Name (RDN)
· Location in the LDAP server where the record resides.
Most of the entries that you store in an LDAP server will have a name, and the name is frequently stored in the Common Name (cn) attribute. Because every object has a name, most objects you store in an LDAP will use their cn value as the basis for their RDN.
Search
A search operation is used to search the LDAP server. The client specifies the starting point (base DN) of the search, the search scope (either the object, its children, or the subtree rooted at the object), and a search filter.
For authorization requests, the search operation is directly performed without a bind operation. The LDAP server can be configured with certain privileges for the search operation to succeed. This privilege level is established with the bind operation.
An LDAP search operation can return multiple user entries for a specific user. In such cases, the LDAP client returns an appropriate error code to AAA. To avoid these errors, you must configure appropriate search filters to match a single entry.
Compare
The compare operation is used to replace a bind request with a compare request for an authentication. The compare operation helps to maintain the initial bind parameters for the connection.
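The search-then-bind flow and the reasons given for it (using the DN the search returns instead of cn prefixed to the base DN, verifying locally when a password attribute comes back, and the error returned when a filter matches more than one entry) can be seen in the following Python example. It is an added example, not the controller's LDAP client: an in-memory dictionary stands in for the LDAP server, and the entries, usernames, passwords, the sAMAccountName attribute and the salted SHA-256 password storage are all constructed for the example. Only the base DN is taken from the procedure on this page.

```python
import hashlib
import hmac

BASE_DN = "CN=Users,DC=ca,DC=ssh2,DC=com"   # base DN used in the SLDAP procedure on this page


def _stored_password(password: str, salt: bytes):
    """Salted SHA-256 digest; the storage format is this example's assumption."""
    return (salt, hashlib.sha256(salt + password.encode()).hexdigest())


# Constructed directory. alice sits in an OU below the base DN, and two different
# people both have cn=bob, which is the ambiguous case the text warns about.
DIRECTORY = {
    "CN=alice,OU=Staff,CN=Users,DC=ca,DC=ssh2,DC=com": {
        "cn": "alice", "sAMAccountName": "alice",
        "userPassword": _stored_password("Wireless!23", b"salt-a")},
    "CN=bob,OU=Staff,CN=Users,DC=ca,DC=ssh2,DC=com": {
        "cn": "bob", "sAMAccountName": "bob.staff",
        "userPassword": _stored_password("Staff!45", b"salt-b1")},
    "CN=bob,OU=Contractors,CN=Users,DC=ca,DC=ssh2,DC=com": {
        "cn": "bob", "sAMAccountName": "bob.contractor",
        "userPassword": _stored_password("Contract!67", b"salt-b2")},
}


def search(directory, base_dn, attr, value, return_password=False):
    """Subtree search under base_dn with the equality filter (attr=value)."""
    base = base_dn.lower()
    results = []
    for dn, attrs in directory.items():
        in_scope = dn.lower() == base or dn.lower().endswith("," + base)
        if in_scope and attrs.get(attr) == value:
            # whether the password attribute is returned depends on server policy
            visible = {k: v for k, v in attrs.items() if return_password or k != "userPassword"}
            results.append((dn, visible))
    return results


def verify_password(stored, password: str) -> bool:
    salt, digest = stored
    return hmac.compare_digest(digest, hashlib.sha256(salt + password.encode()).hexdigest())


def bind(directory, dn: str, password: str) -> bool:
    """Simple bind: the server checks the password for exactly that DN."""
    entry = directory.get(dn)
    return entry is not None and verify_password(entry["userPassword"], password)


def naive_dn(username: str, base_dn: str) -> str:
    """DN built by prefixing the username to the base DN, the approach the text says to avoid."""
    return f"CN={username},{base_dn}"


def authenticate(username, password, filter_attr="cn", password_attr_returned=False,
                 directory=DIRECTORY):
    """Search first, then either verify locally or bind with the DN the search returned."""
    matches = search(directory, BASE_DN, filter_attr, username, return_password=password_attr_returned)
    if not matches:
        return ("FAIL", "no matching entry")
    if len(matches) > 1:
        # the client reports an error to AAA; the fix is a filter that matches one entry
        return ("ERROR", f"{len(matches)} entries match ({filter_attr}={username})")
    dn, attrs = matches[0]
    if "userPassword" in attrs:
        ok = verify_password(attrs["userPassword"], password)
        return ("PASS" if ok else "FAIL", f"local verification for {dn}")
    ok = bind(directory, dn, password)
    return ("PASS" if ok else "FAIL", f"bind as {dn}")


if __name__ == "__main__":
    print(authenticate("alice", "Wireless!23"))
    print(authenticate("bob", "Staff!45"))                                    # ERROR: two entries
    print(authenticate("bob.contractor", "Contract!67", filter_attr="sAMAccountName"))
    print(bind(DIRECTORY, naive_dn("alice", BASE_DN), "Wireless!23"))         # False: no such DN
```

The last line of the `__main__` block is the point made above about forming the DN: CN=alice prefixed to the base DN does not exist in the directory, so a bind with it fails even with the right password, while the DN returned by the search succeeds.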
LDAP Dynamic Attribute Mapping
The Lightweight Directory Access Protocol (LDAP) is a powerful and flexible protocol for communication with AAA servers. LDAP attribute maps provide a method to cross-reference the attributes retrieved from a server to Cisco attributes supported by the security appliances.
When a user authenticates a security appliance, the security appliance, in turn, authenticates the server and uses the LDAP protocol to retrieve the record for that user. The record consists of LDAP attributes associated with fields displayed on the user interface of the server. Each attribute retrieved includes a value that was entered by the administrator who updates the user records.


Prerequisite for Configuring SLDAP
If you are using a secure Transport Layer Security (TLS) connection, you must configure the X.509 certificates.
Restrictions for Configuring SLDAP
· LDAP referrals are not supported.
· Unsolicited messages or notifications from the LDAP server are not handled.
· LDAP authentication is not supported for interactive (terminal) sessions.

Configuring SLDAP

Procedure

Step 1: enable
  Example:
  Device# enable
  Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2: configure terminal
  Example:
  Device# configure terminal
  Purpose: Enters global configuration mode.

Step 3: ldap server name
  Example:
  Device(config)# ldap server server1
  Purpose: Defines a Lightweight Directory Access Protocol (LDAP) server and enters LDAP server configuration mode.

Step 4: ipv4 ipv4-address
  Example:
  Device(config-ldap-server)# ipv4 9.4.109.20
  Purpose: Specifies the LDAP server IP address using IPv4.

Step 5: timeout retransmit seconds
  Example:
  Device(config-ldap-server)# timeout retransmit 20
  Purpose: Specifies the number of seconds the Cisco Catalyst 9800 Series Wireless Controller embedded wireless controller waits for a reply to an LDAP request before retransmitting the request.

Step 6: bind authenticate root-dn password [0 string | 7 string] string
  Example:
  Device(config-ldap-server)# bind authenticate root-dn CN=ldapipv6user,CN=Users,DC=ca,DC=ssh2,DC=com password Cisco12345
  Purpose: Specifies a shared secret text string used between the Cisco Catalyst 9800 Series Wireless Controller embedded wireless controller and an LDAP server. Use the 0 line option to configure an unencrypted shared secret. Use the 7 line option to configure an encrypted shared secret.

Step 7: base-dn string
  Example:
  Device(config-ldap-server)# base-dn CN=Users,DC=ca,DC=ssh2,DC=com
  Purpose: Specifies the base Distinguished Name (DN) of the search.

Step 8: mode secure [no-negotiation]
  Example:
  Device(config-ldap-server)# mode secure no-negotiation
  Purpose: Configures LDAP to initiate the TLS connection and specifies the secure mode.

Step 9: end
  Example:
  Device(config-ldap-server)# end
  Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Configuring an AAA Server Group (GUI)
Configuring a device to use AAA server groups helps you to group existing server hosts, select a subset of the configured server hosts and use them for a particular service. A server group is used with a global server-host list. The server group lists the IP addresses of the selected server hosts. You can create the following server groups:
Procedure

Step 1

RADIUS
a) Choose Services > Security > AAA > Server Groups > RADIUS. b) Click the Add button. The Create AAA Radius Server Group dialog box appears. c) Enter a name for the RADIUS server group in the Name field. d) Choose a desired delimiter from the MAC-Delimiter drop-down list. The available options are colon,
hyphen, and single-hyphen. e) Choose a desired filter from the MAC-Filtering drop-down list. The available options are mac and Key. f) Enter a value in the Dead-Time (mins) field to make a server non-operational. You must specify a value
between 1 and 1440. g) Choose any of the available servers from the Available Servers list and move them to the Assigned
Servers list by clicking the > button. h) Click the Save & Apply to Device button.

Cisco Catalyst 9800 Series Wireless Controller Software Configuration Guide, Cisco IOS XE Bengaluru 17.5.x 918

Security

Step 2

TACACS+
a) Choose Services > Security > AAA > Server Groups > TACACS+.
b) Click the Add button. The Create AAA Tacacs Server Group dialog box appears.
c) Enter a name for the TACACS server group in the Name field.
d) Choose any of the available servers from the Available Servers list and move them to the Assigned Servers list by clicking the > button.
e) Click the Save & Apply to Device button.

Step 3

LDAP
a) Choose Services > Security > AAA > Server Groups > LDAP.
b) Click the Add button. The Create AAA Ldap Server Group dialog box appears.
c) Enter a name for the LDAP server group in the Name field.
d) Choose any of the available servers from the Available Servers list and move them to the Assigned Servers list by clicking the > button.
e) Click the Save & Apply to Device button.

Configuring a AAA Server Group

Procedure

Step 1

enable
Example:
Device# enable

Enables privileged EXEC mode. Enter your password if prompted.

Step 2

configure terminal Example:
Device# configure terminal

Enters global configuration mode.

Step 3

aaa new-model Example:
Device(config)# aaa new-model

Enables AAA.

Step 4

aaa group server ldap group-name
Example:
Device(config)# aaa group server ldap name1

Defines the AAA server group with a group name and enters LDAP server group configuration mode.
All members of a group must be of the same type, that is, RADIUS, LDAP, or TACACS+.

Step 5

server name Example:
Device(config-ldap-sg)# server server1

Associates a particular LDAP server with the defined server group.
Each security server is identified by its IP address and UDP port number.


Step 6

exit
Example:
Device(config-ldap-sg)# exit

Exits LDAP server group configuration mode.

Configuring Search and Bind Operations for an Authentication Request

Procedure

Step 1

enable
Example:
Device# enable

Enables privileged EXEC mode. Enter your password if prompted.

Step 2

configure terminal
Example:
Device# configure terminal

Enters global configuration mode.

Step 3

aaa new-model
Example:
Device(config)# aaa new-model

Enables AAA.

Step 4

ldap server name
Example:
Device(config)# ldap server server1

Defines a Lightweight Directory Access Protocol (LDAP) server and enters LDAP server configuration mode.

Step 5

authentication bind-first
Example:
Device(config-ldap-server)# authentication bind-first

Configures the sequence of search and bind operations for an authentication request.

Step 6

authentication compare
Example:
Device(config-ldap-server)# authentication compare

Replaces the bind request with the compare request for authentication.

Step 7

exit
Example:
Device(config-ldap-server)# exit

Exits LDAP server group configuration mode.


Configuring a Dynamic Attribute Map on an SLDAP Server
You must create LDAP attribute maps that map your existing user-defined attribute names and values to Cisco attribute names and values that are compatible with the security appliance. You can then bind these attribute maps to LDAP servers or remove them as required.

Note To use the attribute mapping features correctly, you need to understand the Cisco LDAP and user-defined attribute names and values.

Procedure

Step 1

enable
Example:
Device# enable

Enables privileged EXEC mode. Enter your password if prompted.

Step 2

configure terminal Example:
Device# configure terminal

Enters global configuration mode.

Step 3

ldap attribute-map map-name
Example:
Device(config)# ldap attribute-map map1

Configures a dynamic LDAP attribute map and enters attribute-map configuration mode.

Step 4

map type ldap-attr-type aaa-attr-type
Example:
Device(config-attr-map)# map type department supplicant-group

Defines an attribute map.

Step 5

exit Example:
Device(config-attr-map)# exit

Exits attribute-map configuration mode.

Verifying the SLDAP Configuration
To view details about the default LDAP attribute mapping, use the following command:
Device# show ldap attributes
To view the LDAP server state information and various other counters for the server, use the following command:
Device# show ldap server


CHAPTER 100
RADIUS DTLS
· Information About RADIUS DTLS, on page 923
· Prerequisites, on page 925
· Configuring RADIUS DTLS Server, on page 925
· Configuring DTLS Dynamic Author, on page 930
· Enabling DTLS for Client, on page 930
· Verifying the RADIUS DTLS Server Configuration, on page 933
· Clearing RADIUS DTLS Specific Statistics, on page 933
Information About RADIUS DTLS
The Remote Authentication Dial-In User Service (RADIUS) is a client or server protocol that provides centralized security for users attempting to gain management access to a network. The RADIUS protocol is a widely deployed authentication and authorization protocol that delivers a complete Authentication, Authorization, and Accounting (AAA) solution.
RADIUS DTLS Port
The RADIUS port (DTLS server) is used for authentication and accounting. The default DTLS server port is 2083. You can change the RADIUS DTLS port number using dtls port port_number. For more information, see the Configuring RADIUS DTLS Port Number section.
Shared Secret
You can use radius/dtls as the shared secret, if you have enabled DTLS for a specific server.
Handling PAC for CTS Communication
You can download PAC from ISE for CTS communication. Once the PAC is downloaded, you need to encrypt all the CTS attributes with the PAC key instead of the shared secret. The ISE then decrypts these attributes using PAC.

Session Management
The RADIUS client depends entirely on the response from the DTLS server. If the session is idle for the idle timeout, the session must be closed. In case of invalid responses, the sessions must be deleted. If you need to send RADIUS packets over DTLS, the DTLS session needs to be re-established with the specific server.
Load Balancing
Multiple DTLS servers and load balancing methods are configured. You need to select the AAA server to which the request needs to be sent. Then use the DTLS context of the specific server to encrypt the RADIUS packet and send it.
Connection Timeout
After the encrypted RADIUS packet is sent, you need to start the retransmission timer. If you do not get a response before the retransmission timer expires, the packet is re-encrypted and retransmitted. Retransmission continues for the number of times set by the dtls retries configuration, or the default value if none is configured. Once the number of tries exceeds the limit, the server becomes unavailable and responses are sent back to the AAA clients.
Note The default connection timeout is 5 seconds.
Connection Retries
As RADIUS DTLS is UDP based, you need to retry the connection after a specific timeout interval for a specific number of retries. After all retries are exhausted, the DTLS connection performs the following:
· Is marked as unsuccessful.
· Looks up the next available server for processing the RADIUS requests.
Note The default connection retries is 5.
Idle Timeout
When the idle timer expires and no transactions exist since the last idle timeout, the DTLS session remains closed. After you establish the DTLS session, you can start the idle timer. If you start the idle timer for 30 seconds and a RADIUS DTLS packet is sent, then after 30 seconds the idle timer expires and checks the number of RADIUS DTLS transactions. If the transaction count exceeds zero, the idle timer resets the transaction counter and restarts the timer.


Note The default idle timeout is 60 seconds.
Handling Server and Server Group Failover
You can configure RADIUS servers with and without DTLS. It is recommended to create separate AAA server groups for DTLS-enabled servers and non-DTLS servers; however, the AAA server group configuration does not enforce this restriction.
Suppose you choose a DTLS server: the DTLS server establishes a connection and the RADIUS request packet is sent to it. If the DTLS server does not respond after all RADIUS retries, the request falls over to the next configured server in the same server group. If the next server is a DTLS server, the processing of the RADIUS request packet continues with that server. If the next server is a non-DTLS server, the RADIUS request packet is not processed further in that server group. Server group failover then occurs and the same sequence continues with the next server group, if one is available.

Note You need to use either only DTLS or non-DTLS servers in a server group.
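The retry and failover rules described above, as an added Python model that is not part of this guide and not Cisco code. Server names, the set of responding servers and the per-server retry counts are constructed for the illustration, and a responder callback stands in for the real DTLS exchange. It shows why a mixed group behaves as the Note warns: a non-DTLS server placed after a DTLS server is never consulted, and the request moves to the next server group instead.

```python
"""Model of the RADIUS DTLS retry and server-group failover rules.

Added illustration, not Cisco code: the classes below simulate the behaviour
the guide describes (retry per server, fall over only to a DTLS server in the
same group, otherwise abandon the group and move to the next group).
The server names, response sets and timing values are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

DEFAULT_TIMEOUT_S = 5   # default connection timeout stated in the guide
DEFAULT_RETRIES = 5     # default connection retries stated in the guide


@dataclass
class RadiusServer:
    name: str
    dtls: bool
    timeout_s: int = DEFAULT_TIMEOUT_S
    retries: int = DEFAULT_RETRIES


@dataclass
class ServerGroup:
    name: str
    servers: List[RadiusServer] = field(default_factory=list)

    def is_uniform(self) -> bool:
        """True when all members are DTLS or all are non-DTLS (the guide's note)."""
        return len({s.dtls for s in self.servers}) <= 1


# A responder answers True (reply received) or False (no reply) for a server
# name; in the real system this is the DTLS server's answer to the request.
Responder = Callable[[str], bool]


def try_server(server: RadiusServer, respond: Responder) -> Tuple[bool, int, int]:
    """Send once, then retransmit up to `retries` times.

    Returns (answered, attempts, seconds_spent). Each unanswered attempt waits
    the full connection timeout before the next retransmission.
    """
    attempts = 0
    while attempts <= server.retries:
        attempts += 1
        if respond(server.name):
            return True, attempts, (attempts - 1) * server.timeout_s
    return False, attempts, attempts * server.timeout_s


def route_request(groups: List[ServerGroup], respond: Responder) -> Dict[str, object]:
    """Walk the server groups the way the failover section describes.

    Within a group, a DTLS server that exhausts its retries hands over to the
    next server only if that server is also DTLS; a non-DTLS next server ends
    processing of the group and triggers server-group failover.
    """
    trace: List[str] = []
    for group in groups:
        servers = group.servers
        for idx, server in enumerate(servers):
            answered, attempts, _ = try_server(server, respond)
            trace.append(f"{group.name}/{server.name}:{'ok' if answered else 'fail'}x{attempts}")
            if answered:
                return {"served_by": server.name, "group": group.name, "trace": trace}
            nxt = servers[idx + 1] if idx + 1 < len(servers) else None
            if nxt is not None and server.dtls and not nxt.dtls:
                trace.append(f"{group.name}:mixed-group-failover")
                break  # non-DTLS server next: the rest of this group is skipped
    return {"served_by": None, "group": None, "trace": trace}


def demo() -> Dict[str, object]:
    """Constructed topology: a mixed group whose only DTLS server never answers."""
    mixed = ServerGroup("ISE-MIXED", [RadiusServer("R1", dtls=True, retries=2),
                                      RadiusServer("R2", dtls=False)])
    backup = ServerGroup("ISE-BACKUP", [RadiusServer("R3", dtls=True)])
    alive = {"R2", "R3"}  # constructed: R1 is down, R2 would answer but is never asked
    return route_request([mixed, backup], lambda name: name in alive)


if __name__ == "__main__":
    print(demo())
```

In the constructed topology R2 is healthy, yet the request is answered by R3 in the backup group: the mixed group is abandoned as soon as the failed DTLS server's successor turns out to be non-DTLS. Keeping groups uniform, as the Note says, avoids this silent loss of a working server.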

Prerequisites
Support for IOS and BINOS AAA
The AAA server runs in IOS and BINOS platforms. Once you complete the RADIUS DTLS support in IOS, the same needs to be ported to BINOS.

Configuring RADIUS DTLS Server

Procedure

Step 1

enable
Example:
Device# enable

Enters privileged EXEC mode.

Step 2

configure terminal
Example:
Device# configure terminal

Enters global configuration mode.

Step 3

radius server server-name
Example:
Device(config)# radius server R1

Specifies the RADIUS server name.

Step 4

dtls
Example:
Device(config-radius-server)# dtls

Configures DTLS parameters.

Step 5

end
Example:
Device(config-radius-server)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Configuring RADIUS DTLS Connection Timeout

Procedure

Step 1

enable
Example:
Device# enable

Enters privileged EXEC mode.

Step 2

configure terminal
Example:
Device# configure terminal

Enters global configuration mode.

Step 3

radius server server-name
Example:
Device(config)# radius server R1

Specifies the RADIUS server name.

Step 4

dtls connectiontimeout timeout
Example:
Device(config-radius-server)# dtls connectiontimeout 1

Configures RADIUS DTLS connection timeout. Here, timeout refers to the DTLS connection timeout value. The valid range is from 1 to 65535.

Step 5

end
Example:
Device(config-radius-server)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Configuring RADIUS DTLS Idle Timeout

Procedure

Step 1

enable
Example:
Device# enable

Enters privileged EXEC mode.

Step 2

configure terminal
Example:
Device# configure terminal

Enters global configuration mode.

Step 3

radius server server-name
Example:
Device(config)# radius server R1

Specifies the RADIUS server name.

Step 4

dtls idletimeout idle_timeout
Example:
Device(config-radius-server)# dtls idletimeout 2

Configures RADIUS DTLS idle timeout. Here, idle_timeout refers to the DTLS idle timeout value. The valid range is from 1 to 65535.

Step 5

end
Example:
Device(config-radius-server)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Configuring Source Interface for RADIUS DTLS Server

Procedure

Step 1

enable
Example:
Device# enable

Enters privileged EXEC mode.

Step 2

configure terminal
Example:
Device# configure terminal

Enters global configuration mode.

Step 3

radius server server-name
Example:
Device(config)# radius server R1

Specifies the RADIUS server name.

Step 4

dtls ip radius source-interface Ethernet-Internal interface_number
Example:
Device(config-radius-server)# dtls ip radius source-interface Ethernet-Internal 0

Configures the source interface for the RADIUS DTLS server. Here, interface_number refers to the Ethernet-Internal interface number. The default value is 0.

Step 5

end
Example:
Device(config-radius-server)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Configuring RADIUS DTLS Port Number

Procedure

Step 1

enable
Example:
Device# enable

Enters privileged EXEC mode.

Step 2

configure terminal
Example:
Device# configure terminal

Enters global configuration mode.

Step 3

radius server server-name
Example:
Device(config)# radius server R1

Specifies the RADIUS server name.

Step 4

dtls port port_number
Example:
Device(config-radius-server)# dtls port 2

Configures RADIUS DTLS port number. Here, port_number refers to the DTLS port number.

Step 5

end
Example:
Device(config-radius-server)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Configuring RADIUS DTLS Connection Retries

Procedure

Step 1

enable
Example:
Device# enable

Enters privileged EXEC mode.

Step 2

configure terminal
Example:
Device# configure terminal

Enters global configuration mode.

Step 3

radius server server-name
Example:
Device(config)# radius server R1

Specifies the RADIUS server name.

Step 4

dtls retries retry_number
Example:
Device(config-radius-server)# dtls retries 3

Configures RADIUS connection retries. Here, retry_number refers to the DTLS connection retries. The valid range is from 1 to 65535.

Step 5

end
Example:
Device(config-radius-server)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Configuring RADIUS DTLS Trustpoint

Procedure

Step 1

enable
Example:
Device# enable

Enters privileged EXEC mode.

Step 2

configure terminal
Example:
Device# configure terminal

Enters global configuration mode.

Step 3

radius server server-name
Example:
Device(config)# radius server R1

Specifies the RADIUS server name.

Step 4

dtls trustpoint {client LINE dtls | server LINE dtls}
Example:
Device(config-radius-server)# dtls trustpoint client client1 dtls
Device(config-radius-server)# dtls trustpoint server server1 dtls

Configures trustpoint for client and server.

Step 5

end
Example:
Device(config-radius-server)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.


Configuring DTLS Dynamic Author

Procedure

Step 1

enable
Example:
Device# enable

Enters privileged EXEC mode.

Step 2

configure terminal Example:
Device# configure terminal

Enters global configuration mode.

Step 3

aaa server radius dynamic-author
Example:
Device(config)# aaa server radius dynamic-author

Configures local server profile for RFC 3576 support.

Step 4

dtls Example:
Device(config-locsvr-da-radius)# dtls

Configures DTLS source parameters.

Step 5

end Example:
Device(config-locsvr-da-radius)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Enabling DTLS for Client

Procedure

Step 1

enable
Example:
Device# enable

Enters privileged EXEC mode.

Step 2

configure terminal
Example:
Device# configure terminal

Enters global configuration mode.

Step 3

aaa server radius dynamic-author
Example:
Device(config)# aaa server radius dynamic-author

Configures local server profile for RFC 3576 support.

Step 4

client IP_addr dtls
Example:
Device(config-locsvr-da-radius)# client 10.104.49.14 dtls

Enables DTLS for the client.

Step 5

end
Example:
Device(config-locsvr-da-radius)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Configuring Client Trustpoint for DTLS

Procedure

Step 1

enable
Example:
Device# enable

Enters privileged EXEC mode.

Step 2

configure terminal Example:
Device# configure terminal

Enters global configuration mode.

Step 3

aaa server radius dynamic-author
Example:
Device(config)# aaa server radius dynamic-author

Configures local server profile for RFC 3576 support.

Step 4

client IP_addr dtls {client-tp client-tp-name | server-tp server-tp-name}
Example:
Device(config-locsvr-da-radius)# client 10.104.49.14 dtls client-tp client_tp_name

Configures client trustpoint for DTLS.

Step 5

end Example:
Device(config-locsvr-da-radius)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.


Configuring DTLS Idle Timeout

Procedure

Step 1

enable
Example:
Device# enable

Enters privileged EXEC mode.

Step 2

configure terminal Example:
Device# configure terminal

Enters global configuration mode.

Step 3

aaa server radius dynamic-author
Example:
Device(config)# aaa server radius dynamic-author

Configures local server profile for RFC 3576 support.

Step 4

client IP_addr dtls idletimeout timeout-interval {client-tp client_tp_name | server-tp server_tp_name}
Example:
Device(config-locsvr-da-radius)# client 10.104.49.14 dtls idletimeout 62 client-tp dtls_ise

Configures DTLS idle time. Here, timeout-interval refers to the idle timeout interval. The valid range is from 60 to 600.

Step 5

end Example:
Device(config-locsvr-da-radius)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Configuring Server Trustpoint for DTLS

Procedure

Step 1

enable
Example:
Device# enable

Enters privileged EXEC mode.

Step 2

configure terminal
Example:
Device# configure terminal

Enters global configuration mode.

Step 3

aaa server radius dynamic-author
Example:
Device(config)# aaa server radius dynamic-author

Configures local server profile for RFC 3576 support.

Step 4

client IP_addr dtls server-tp server_tp_name
Example:
Device(config-locsvr-da-radius)# client 10.104.49.14 dtls server-tp dtls_client

Configures server trust point.

Step 5

end
Example:
Device(config-locsvr-da-radius)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Verifying the RADIUS DTLS Server Configuration
To view information about the DTLS enabled servers, use the following command:
Device# show aaa servers
DTLS: Packet count since last idletimeout 1,
  Send handshake count 3,
  Handshake Success 1,
  Total Packets Transmitted 1,
  Total Packets Received 1,
  Total Connection Resets 2,
  Connection Reset due to idle timeout 0,
  Connection Reset due to No Response 2,
  Connection Reset due to Malformed packet 0,
Clearing RADIUS DTLS Specific Statistics
To clear the RADIUS DTLS specific statistics, use the following command:
Device# clear aaa counters servers radius {<server-id> | all}

Note Here, server-id refers to the server ID displayed by show aaa servers. The valid range is from 0 to 2147483647.
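To turn the counters above into something a monitoring job can act on, the following Python parser is an added example, not Cisco code or output. The sample listing is constructed: the first server's DTLS counters are the ones printed in this section, the second server and the `RADIUS: id ..., host ...` header lines are assumed for the example, and the health heuristics and their thresholds are the example's own assumptions, not values from the guide.

```python
"""Parse the DTLS counter block of `show aaa servers` and flag unhealthy servers.

Added example, not Cisco code. The sample output below is constructed from the
counters shown in this section; a real `show aaa servers` listing has many more
fields, so the parser only keeps the DTLS counters it recognises.
"""
import re
from typing import Dict, List

# Constructed sample: two servers, the first copied from this section's output.
SAMPLE_OUTPUT = """\
RADIUS: id 1, priority 1, host 10.0.0.11, auth-port 2083, acct-port 2083
     DTLS: Packet count since last idletimeout 1,
       Send handshake count 3,
       Handshake Success 1,
       Total Packets Transmitted 1,
       Total Packets Received 1,
       Total Connection Resets 2,
       Connection Reset due to idle timeout 0,
       Connection Reset due to No Response 2,
       Connection Reset due to Malformed packet 0,
RADIUS: id 2, priority 2, host 10.0.0.12, auth-port 2083, acct-port 2083
     DTLS: Packet count since last idletimeout 40,
       Send handshake count 1,
       Handshake Success 1,
       Total Packets Transmitted 40,
       Total Packets Received 40,
       Total Connection Resets 0,
       Connection Reset due to idle timeout 0,
       Connection Reset due to No Response 0,
       Connection Reset due to Malformed packet 0,
"""

# Server header (assumed layout) and one "<counter name> <value>," line.
SERVER_RE = re.compile(r"^RADIUS: id (\d+), priority \d+, host (\S+),")
COUNTER_RE = re.compile(r"^\s*(?:DTLS:\s*)?([A-Za-z ]+?)\s+(\d+),?\s*$")


def parse_dtls_counters(text: str) -> List[Dict[str, object]]:
    """Return one record per server with its DTLS counters as integers."""
    servers: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = SERVER_RE.match(line)
        if m:
            servers.append({"id": int(m.group(1)), "host": m.group(2), "counters": {}})
            continue
        m = COUNTER_RE.match(line)
        if m and servers:
            servers[-1]["counters"][m.group(1).strip()] = int(m.group(2))
    return servers


def assess(server: Dict[str, object]) -> List[str]:
    """Heuristics a NOC might alert on; the thresholds are assumptions for the example."""
    c = server["counters"]
    findings = []
    if c.get("Connection Reset due to No Response", 0) > 0:
        findings.append("resets after no response (check reachability, DTLS port, retries)")
    if c.get("Handshake Success", 0) < c.get("Send handshake count", 0):
        findings.append("handshakes attempted exceed handshakes succeeded (check trustpoints)")
    if c.get("Connection Reset due to Malformed packet", 0) > 0:
        findings.append("malformed DTLS packets seen (possible tampering or misconfiguration)")
    return findings


def unhealthy_hosts(text: str) -> List[str]:
    """Hosts in the listing that trip at least one heuristic."""
    return [s["host"] for s in parse_dtls_counters(text) if assess(s)]


if __name__ == "__main__":
    for s in parse_dtls_counters(SAMPLE_OUTPUT):
        print(s["host"], s["counters"], assess(s))
```

Run against the constructed listing, only the first server is reported: its two resets due to no response and its three handshake attempts against one success are exactly the pattern that the retries and trustpoint sections above tell you to look at first.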


CHAPTER 101
Multiple Cipher Support
· Default Ciphersuites Supported for CAPWAP-DTLS, on page 935
· Configuring Multiple Ciphersuites, on page 936
· Setting Server Preference, on page 937
· Verifying Operational Ciphersuites and Priority, on page 937
Default Ciphersuites Supported for CAPWAP-DTLS
From Cisco IOS XE Bengaluru 17.5.1, Elliptic Curve Diffie-Hellman Ephemeral (ECDHE)/Galois Counter Mode (GCM) ciphersuite with perfect forward secrecy (PFS) capability is added in the default list along with the existing AES128-SHA ciphersuite. All Cisco access point (AP) models, except the Cisco IOS APs, will prioritize this PFS ciphersuite for CAPWAP-DTLS under default configuration.

Note If link encryption is enabled to secure data channel traffic, then the AP (DTLS client) will prioritize AES128-SHA over ECDHE/GCM ciphersuite.

During the DTLS handshake, the preference order of the ciphersuites is important. This feature allows you to set the order of priority while configuring ciphersuites. When explicit ciphersuites are not configured, the default ciphersuites listed in the table below are applied.
Table 40: Default Ciphersuites

Security Mode: FIPS and non-FIPS
Ciphersuite:
· TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
· TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
· TLS_RSA_WITH_AES_128_CBC_SHA

Security Mode: WLANCC
Ciphersuite:
· TLS_DHE_RSA_WITH_AES_128_CBC_SHA
· TLS_DHE_RSA_WITH_AES_256_CBC_SHA
· TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
· TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
· TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
· TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

This feature is supported on all variants of the Cisco Catalyst 9800 Series Wireless Controllers and APs, except Cisco Industrial Wireless 3702 Access Point.
For a list of controllers and APs supported in a particular release, see the release notes available at: https://www.cisco.com/c/en/us/support/wireless/catalyst-9800-series-wireless-controllers/products-release-notes-list.html

Configuring Multiple Ciphersuites

Procedure

Step 1

configure terminal
Example:
Device# configure terminal

Enters global configuration mode.

Step 2

ap dtls-ciphersuite priority priority-num ciphersuite
Example:
Device(config)# ap dtls-ciphersuite priority 2 TLS_DHE_RSA_WITH_AES_128_CBC_SHA

Sets priority for a particular cipher suite. Use zero (0) to set the highest priority.

Note Configuration changes, if any, will automatically disconnect the existing APs.

Step 3

exit
Example:
Device(config)# exit

Returns to privileged EXEC mode.


Setting Server Preference
Ciphersuite configuration enforces the priority order in a DTLS handshake. To give equal priority to all the configured ciphersuites, use the no ciphersuite server-preference command in the corresponding AP join profile. By default, server preference is enabled.

Procedure

Step 1

configure terminal
Example:
Device# configure terminal

Enters global configuration mode.

Step 2

ap profile profile-name
Example:
Device(config)# ap profile xxy

Configures an AP profile and enters AP profile configuration mode.

Step 3

[no] ciphersuite server-preference
Example:
Device(config-ap-profile)# [no] ciphersuite server-preference

Sets the cipher suite server preference. Use the no form of this command to disable server preference. By default, server preference is enabled.

Step 4

exit
Example:
Device(config-ap-profile)# exit

Returns to global configuration mode.

Verifying Operational Ciphersuites and Priority

To view the operational ciphersuites and their priority, use the following command:
Device# show wireless certification config

WLANCC          : Not Configured
AP DTLS Version : DTLS v1.0 - v1.2

AP DTLS Cipher Suite List:
Priority  Ciphersuite
--------------------------------------------------------------------------------
0         AES128-SHA
1         DHE-RSA-AES256-SHA256
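Added Python example, not Cisco code: it parses `ap dtls-ciphersuite priority` lines from a constructed running-config excerpt, resolves the order the controller will offer (falling back to the Table 40 defaults for the chosen security mode when nothing is configured), flags which suites provide forward secrecy, and converts the IANA names used in configuration to the OpenSSL-style names that `show wireless certification config` prints. The name mapping is general TLS knowledge rather than something the guide states, and the mode keys fips_and_non_fips and wlancc are the example's own labels.

```python
"""Resolve the effective CAPWAP-DTLS ciphersuite order from controller config.

Added example, not Cisco code. The default lists are copied from Table 40; the
running-config text is constructed (its priority-2 line is the guide's own
example command). IANA names such as TLS_RSA_WITH_AES_128_CBC_SHA are the ones
typed in configuration; the show command prints OpenSSL-style names such as
AES128-SHA, so both are produced for each row.
"""
import re
from typing import Dict, List, Tuple

DEFAULTS: Dict[str, List[str]] = {
    "fips_and_non_fips": [
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
    ],
    "wlancc": [
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    ],
}

CONFIG_RE = re.compile(r"^\s*ap dtls-ciphersuite priority (\d+) (\S+)\s*$")


def iana_to_openssl(name: str) -> str:
    """TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 -> ECDHE-RSA-AES128-GCM-SHA256.

    Static-RSA suites drop the key-exchange prefix, so
    TLS_RSA_WITH_AES_128_CBC_SHA prints as AES128-SHA (as in the show output).
    """
    base = name[4:] if name.startswith("TLS_") else name
    kx, cipher = base.split("_WITH_", 1)
    cipher = re.sub(r"AES_(\d+)_CBC", r"AES\1", cipher)     # CBC is implicit
    cipher = re.sub(r"AES_(\d+)_GCM", r"AES\1-GCM", cipher)
    cipher = cipher.replace("_", "-")
    return cipher if kx == "RSA" else f"{kx.replace('_', '-')}-{cipher}"


def has_forward_secrecy(name: str) -> bool:
    """Ephemeral (EC)DHE key exchange gives PFS; static RSA key transport does not."""
    return name.startswith(("TLS_ECDHE_", "TLS_DHE_"))


def effective_order(running_config: str, mode: str) -> List[Tuple[int, str]]:
    """Configured suites sorted by priority (0 first), or the mode's defaults if none."""
    configured = [(int(m.group(1)), m.group(2))
                  for m in map(CONFIG_RE.match, running_config.splitlines()) if m]
    if not configured:
        return list(enumerate(DEFAULTS[mode]))
    return sorted(configured, key=lambda p: p[0])


def report(running_config: str, mode: str = "fips_and_non_fips") -> List[Dict[str, object]]:
    """One row per suite: priority, config name, show-output name, PFS flag."""
    return [{"priority": p, "iana": n, "shown_as": iana_to_openssl(n),
             "pfs": has_forward_secrecy(n)}
            for p, n in effective_order(running_config, mode)]


# Constructed running-config excerpt; lines are deliberately out of priority order.
SAMPLE_CONFIG = """\
ap dtls-ciphersuite priority 2 TLS_DHE_RSA_WITH_AES_128_CBC_SHA
ap dtls-ciphersuite priority 0 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
ap dtls-ciphersuite priority 1 TLS_RSA_WITH_AES_128_CBC_SHA
"""

if __name__ == "__main__":
    for row in report(SAMPLE_CONFIG):
        print(row)
```

The PFS column is the practical check the chapter introduction implies: with server preference enabled, the suite at priority 0 is the one the AP will normally end up using, so that row is where a non-ephemeral suite matters most.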


CHAPTER 102
Internet Protocol Security
· Information about Internet Protocol Security, on page 939
· Internet Key Exchange Version 1 Transform Sets, on page 940
· Configure IPSec Using Internet Key Exchange Version 1, on page 941
· Internet Key Exchange Version 2 Transform Sets, on page 943
· Configure IPSec Using Internet Key Exchange Version 2, on page 944
· IPsec Transforms and Lifetimes, on page 946
· Use of X.509 With Internet Key Exchange Version, on page 947
· IPsec Session Interruption and Recovery, on page 948
· Example: Configure IPSec Using ISAKMP, on page 949
· Verifying IPSec Traffic, on page 949
· Example: Configure IPSec Using Internet Key Exchange Version 2, on page 950
· Verifying IPSec With Internet Key Exchange Version 2 Traffic, on page 951
Information about Internet Protocol Security
Internet Protocol Security (IPsec) is a framework of open standards for ensuring secure private communications over the Internet. Based on standards developed by the Internet Engineering Task Force (IETF), IPsec ensures confidentiality, integrity, and authenticity of data communications across a public network. IPsec provides a necessary component of a standards-based, flexible solution for deploying a network-wide security policy. Cisco Catalyst 9800 Series Wireless Controller supports IPsec configuration. The support for IPSec secures syslog traffic. This section provides information about how to configure IPsec between Cisco Catalyst 9800 Series Wireless Controller and syslog (peer IP). IPsec provides the following network security services:
· Data confidentiality: The IPsec sender can encrypt packets before transmitting them across a network.
· Data integrity: The IPsec receiver can authenticate packets sent by the IPsec sender to ensure that the data has not been altered during transmission.
· Data origin authentication: The IPsec receiver can authenticate the source of the sent IPsec packets. This service is dependent upon the data integrity service.
· Anti-replay: The IPsec receiver can detect and reject replayed packets.

IPsec provides secure tunnels between two peers, such as two devices. The administrator defines which packets are considered sensitive and should be sent through these secure tunnels and specifies the parameters that should be used to protect these sensitive packets by specifying the characteristics of these tunnels. When the IPsec peer recognizes a sensitive packet, the peer sets up the appropriate secure tunnel and sends the packet through the tunnel to the remote peer.
More accurately, these tunnels are sets of security associations (SAs) that are established between two IPsec peers. The SAs define the protocols and algorithms to be applied to sensitive packets and specify the keying material to be used by the two peers. SAs are unidirectional and are established per security protocol.
With IPsec, administrators can define the traffic that needs to be protected between two IPsec peers by configuring access lists and applying these access lists to interfaces using crypto map sets. Therefore, traffic may be selected on the basis of the source and destination address, and optionally the Layer 4 protocol and port. (The access lists used for IPsec are only used to determine the traffic that needs to be protected by IPsec, not the traffic that should be blocked or permitted through the interface. Separate access lists define blocking and permitting at the interface.)
A crypto map set can contain multiple entries, each with a different access list. The crypto map entries are searched in sequence; for each entry, the device attempts to match the packet to the access list specified in that entry.
When a packet matches a permit entry in a particular access list, and the corresponding crypto map entry is tagged as cisco, connections are established, if necessary. If the crypto map entry is tagged as ipsec-isakmp, IPsec is triggered. If there is no SA that the IPsec can use to protect this traffic to the peer, IPsec uses IKE to negotiate with the remote peer to set up the necessary IPsec SAs on behalf of the data flow. The negotiation uses information specified in the crypto map entry as well as the data flow information from the specific access list entry.
Once established, the set of SAs (outbound to the peer) is then applied to the triggering packet and to subsequent applicable packets as those packets exit the device. Applicable packets are packets that match the same access list criteria that the original packet matched. For example, all applicable packets could be encrypted before being forwarded to the remote peer. The corresponding inbound SAs are used when processing the incoming traffic from that peer.
Access lists associated with IPsec crypto map entries also represent the traffic that the device needs protected by IPsec. Inbound traffic is processed against crypto map entries: if an unprotected packet matches a permit entry in a particular access list associated with an IPsec crypto map entry, that packet is dropped because it was not sent as an IPsec-protected packet.
Crypto map entries also include transform sets. A transform set is an acceptable combination of security protocols, algorithms, and other settings that can be applied to IPsec-protected traffic. During the IPsec SA negotiation, the peers agree to use a particular transform set when protecting a particular data flow.
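The crypto map processing just described, as an added Python model that is not part of the guide and not Cisco code. It reduces the logic to what the text states: entries are searched in sequence order, a permit match on an entry's access list selects that entry's transform set (creating an SA through IKE on first use), inbound traffic is matched against the mirror image of the access list, and an unprotected inbound packet that matches is dropped. The cisco versus ipsec-isakmp tag distinction is left out; the addresses, ports, transform-set name and crypto ACL in demo_map() are constructed.

```python
"""Model of how crypto map access lists select and police IPsec traffic.

Added example, not Cisco code. Outbound packets matching a permit line of a
crypto map entry's ACL get that entry's transform set (IKE negotiates an SA
the first time); inbound packets are checked against the mirror image of the
ACL, and an unprotected one that matches is dropped. Everything in demo_map()
is constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"           # "ip" means any protocol
    sport: Optional[int] = None
    dport: Optional[int] = None
    protected: bool = False     # True when the packet arrived inside ESP/AH


@dataclass
class AclEntry:
    action: str                 # "permit" or "deny"
    src: str                    # CIDR
    dst: str                    # CIDR
    proto: str = "ip"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.proto != "ip" and self.proto != p.proto:
            return False
        return self.dport is None or self.dport == p.dport


@dataclass
class CryptoMapEntry:
    seq: int
    peer: str
    transform_set: str
    acl: List[AclEntry]

    def selects(self, p: Packet) -> bool:
        """The first ACL line that matches decides; only a permit selects the entry."""
        for line in self.acl:
            if line.matches(p):
                return line.action == "permit"
        return False


class CryptoMap:
    """Entries are searched in sequence-number order, as the text describes."""

    def __init__(self, entries: List[CryptoMapEntry]):
        self.entries = sorted(entries, key=lambda e: e.seq)
        self.sas: Dict[Tuple[str, str], str] = {}   # (peer, transform set) -> SA

    def outbound(self, p: Packet) -> Tuple[str, Optional[str]]:
        """Decide whether an exiting packet is protected, and with which transform set."""
        for entry in self.entries:
            if entry.selects(p):
                key = (entry.peer, entry.transform_set)
                if key not in self.sas:              # no usable SA yet: IKE sets one up
                    self.sas[key] = "established"
                    return "protect(ike-negotiated)", entry.transform_set
                return "protect", entry.transform_set
        return "clear", None                          # not sensitive traffic

    def inbound(self, p: Packet) -> str:
        """Inbound traffic is matched against the mirrored ACL (src/dst swapped)."""
        mirrored = Packet(p.dst, p.src, p.proto, p.dport, p.sport, p.protected)
        for entry in self.entries:
            if entry.selects(mirrored):
                return "accept" if p.protected else "drop(expected-ipsec)"
        return "accept"                               # not covered by any crypto ACL


def demo_map() -> CryptoMap:
    """Constructed policy: protect syslog (UDP/514) from the controller to one collector."""
    syslog_acl = [AclEntry("permit", "10.10.0.5/32", "192.0.2.20/32", "udp", 514)]
    return CryptoMap([CryptoMapEntry(10, "192.0.2.20", "ESP-AES128-SHA", syslog_acl)])


if __name__ == "__main__":
    cm = demo_map()
    print(cm.outbound(Packet("10.10.0.5", "192.0.2.20", "udp", 40000, 514)))
    print(cm.inbound(Packet("192.0.2.20", "10.10.0.5", "udp", 514, 40000)))
    print(cm.inbound(Packet("192.0.2.20", "10.10.0.5", "udp", 514, 40000, protected=True)))
```

The first outbound syslog datagram triggers IKE and then rides the new SA; a cleartext datagram arriving from the collector on the same flow is dropped, while traffic the crypto ACL does not describe passes in the clear in both directions, which is the separation between "protect" and "permit/deny" that the text draws.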
Internet Key Exchange Version 1 Transform Sets
An Internet Key Exchange version 1 (IKEv1) transform set represents a certain combination of security protocols and algorithms. During the IPsec SA negotiation, the peers agree to use a particular transform set for protecting a particular data flow.
Privileged administrators can specify multiple transform sets and then specify one or more of these transform sets in a crypto map entry. The transform set defined in the crypto map entry is used in the IPsec SA negotiation to protect the data flows specified by that crypto map entry's access list.


During IPsec security association negotiations with IKE, peers search for a transform set that is the same at both peers. When such a transform set is found, it is selected and applied to the protected traffic as part of both peers' IPsec SAs.

Note: If a transform set definition is changed during operation, the change is not applied to existing security associations; it is used in subsequent negotiations to establish new SAs. If you want the new settings to take effect sooner, you can clear all or part of the SA database by using the clear crypto sa command.

The following snippet configures IPsec IKEv1 to use AES-CBC-128 for payload encryption. AES-CBC-256 can be selected with encryption aes 256:

device# conf t
device(config)# crypto isakmp policy 1
device(config-isakmp)# hash sha
device(config-isakmp)# encryption aes

Configure IPSec Using Internet Key Exchange Version 1
Follow the procedure given below to configure IPsec IKEv1 to use AES-CBC-128 for payload encryption:

Procedure

Step 1: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: crypto isakmp policy priority
Example: Device(config)# crypto isakmp policy 1
Purpose: Defines an Internet Key Exchange (IKE) policy and assigns a priority to the policy.
· priority: Uniquely identifies the IKE policy and assigns a priority to the policy. Valid values: 1 to 10,000; 1 is the highest priority.

Step 3: hash sha
Example: Device(config-isakmp)# hash sha
Purpose: Specifies the hash algorithm.

Step 4: encryption aes
Example: Device(config-isakmp)# encryption aes
Purpose: Configures IPsec IKEv1 to use AES-CBC-128 for payload encryption. AES-CBC-256 can be selected with encryption aes 256.
Note: The authorized administrator must ensure that the key size for this setting is greater than or equal to the key size selected for ESP in the section IPsec Transforms and Lifetimes. If AES 128 is selected here, then the highest key size that can be selected on the device for ESP is AES 128 (either CBC or GCM). Integrity and confidentiality are configured with the hash sha and encryption aes commands respectively. As a result, confidentiality-only mode is disabled.

Step 5: authentication pre-share
Example: Device(config-isakmp)# authentication pre-share
Purpose: Configures IPsec to use the specified preshared keys as the authentication method. Preshared keys require that you separately configure these preshared keys.

Step 6: exit
Example: Device(config-isakmp)# exit
Purpose: Exits config-isakmp configuration mode.

Step 7: crypto isakmp key keystring address peer-address
Example: Device(config)# crypto isakmp key cisco123!cisco123!CISC address 192.0.2.1
Purpose: Configures a preshared authentication key.
Note: To ensure a secure configuration, we recommend that you enter pre-shared keys of at least 22 characters in length, composed of any combination of upper and lower case letters, numbers, and special characters (including "!", "@", "#", "$", "%", "^", "&", "*", "(", and ")"). The device supports pre-shared keys up to 127 characters in length. While longer keys increase the difficulty of brute-force attacks, they also increase processing time.

Step 8: group 14
Example: Device(config-isakmp)# group 14
Purpose: Specifies the Diffie-Hellman (DH) group identifier and selects DH group 14 (2048-bit MODP) for IKE. Groups 19 (256-bit random ECP), 24 (2048-bit MODP with 256-bit POS), 20 (384-bit random ECP), 15 (3072-bit MODP), and 16 (4096-bit MODP) are also allowed and supported.

Step 9: lifetime seconds
Example: Device(config-isakmp)# lifetime 86400
Purpose: Specifies the lifetime of the IKE SA. The default value for Phase 1 SAs is 24 hours (86400 seconds), but this setting can be changed by using the command above with a different value.
· seconds: Time, in seconds, before each SA expires. Valid values: 60 to 86,400; default value: 86,400.
Note: The shorter the lifetime (up to a point), the more secure your IKE negotiations will be. However, with longer lifetimes, future IPsec SAs can be set up more quickly.

Step 10: crypto isakmp aggressive-mode disable
Example: Device(config-isakmp)# crypto isakmp aggressive-mode disable
Purpose: Ensures that all IKEv1 Phase 1 exchanges are handled in the default main mode.

Step 11: exit
Example: Device(config-isakmp)# exit
Purpose: Exits config-isakmp configuration mode.

Internet Key Exchange Version 2 Transform Sets
An Internet Key Exchange Version 2 (IKEv2) proposal is a set of transforms used in the negotiation of an IKEv2 SA as part of the IKE_SA_INIT exchange. An IKEv2 proposal is regarded as complete only when it has at least an encryption algorithm, an integrity algorithm, and a Diffie-Hellman (DH) group configured. If no proposal is configured and attached to an IKEv2 policy, then the default proposal is used in the negotiation. The following snippet configures IPsec with IKEv2 on the device:

device# conf t
device(config)# crypto ikev2 proposal sample
device(config-ikev2-proposal)# integrity sha1
device(config-ikev2-proposal)# encryption aes-cbc-128
device(config-ikev2-proposal)# group 14
device(config-ikev2-proposal)# exit
device(config)# crypto ikev2 keyring keyring-1
device(config-ikev2-keyring)# peer peer1
device(config-ikev2-keyring-peer)# address 192.0.2.4 255.255.255.0
device(config-ikev2-keyring-peer)# pre-shared-key cisco123!cisco123!CISC
device(config-ikev2-keyring-peer)# exit
device(config)# crypto logging ikev2

Configure IPSec Using Internet Key Exchange Version 2
Follow the procedure given below to configure IPsec with IKEv2:

Procedure

Step 1: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: crypto ikev2 proposal name
Example: Device(config)# crypto ikev2 proposal name
Purpose: Defines an IKEv2 proposal name.

Step 3: integrity sha1
Example: Device(config-ikev2-proposal)# integrity sha1
Purpose: Specifies the integrity algorithm for the IKEv2 proposal.

Step 4: encryption aes-cbc-128
Example: Device(config-ikev2-proposal)# encryption aes-cbc-128
Purpose: Configures IPsec IKEv2 to use AES-CBC-128 for payload encryption. AES-CBC-256 can be selected with encryption aes-cbc-256. AES-GCM-128 and AES-GCM-256 can also be selected similarly.
Note: The authorized administrator must ensure that the key size for this setting is greater than or equal to the key size selected for ESP in the section IPsec Transforms and Lifetimes. If AES 128 is selected here, then the highest key size that can be selected on the device for ESP is AES 128 (either CBC or GCM). Integrity and confidentiality are configured with the integrity sha1 and encryption aes-cbc-128 commands above, respectively. As a result, confidentiality-only mode is disabled.

Step 5: group 14
Example: Device(config-ikev2-proposal)# group 14
Purpose: Selects DH group 14 (2048-bit MODP) for IKE. Groups 19 (256-bit random ECP), 24 (2048-bit MODP with 256-bit POS), 20 (384-bit random ECP), 15 (3072-bit MODP), and 16 (4096-bit MODP) are also allowed and supported.

Step 6: exit
Example: Device(config-ikev2-proposal)# exit
Purpose: Exits IKEv2 proposal configuration mode.

Step 7: crypto ikev2 keyring keyring-name
Example: Device(config)# crypto ikev2 keyring keyring-1
Purpose: Defines an IKEv2 keyring.

Step 8: peer peer-name
Example: Device(config-ikev2-keyring)# peer peer1
Purpose: Defines the peer or peer group.

Step 9: address {ipv4-address [mask] | ipv6-address prefix}
Example: Device(config-ikev2-keyring)# address 192.0.2.4 255.255.255.0
Purpose: Specifies an IPv4 or IPv6 address or range for the peer.
Note: This IP address is the IKE endpoint address and is independent of the identity address.

Step 10: pre-shared-key local
Example: Device(config-ikev2-keyring)# pre-shared-key cisco123!cisco123!CISC
Purpose: Specifies the preshared key for the peer. You can enter the local or remote keyword to specify an asymmetric preshared key. By default, the preshared key is symmetric.
Note: To ensure a secure configuration, we recommend that you enter pre-shared keys of at least 22 characters in length, composed of any combination of upper and lower case letters, numbers, and special characters (including "!", "@", "#", "$", "%", "^", "&", "*", "(", and ")"). The device supports pre-shared keys up to 127 characters in length. While longer keys increase the difficulty of brute-force attacks, they also increase processing time.
HEX keys generated off the system can also be entered for IKEv2 by using pre-shared-key hex [hex key] instead of the pre-shared-key command above, for example pre-shared-key hex 0x6A6B6C. This configures IPsec to use pre-shared keys.

Step 11: exit
Example: Device(config-ikev2-keyring)# exit
Purpose: Exits IKEv2 keyring peer configuration mode.

Step 12: crypto logging ikev2
Example: Device(config)# crypto logging ikev2
Purpose: Enables IKEv2 syslog messages.
Note: The configuration above is not a complete IKEv2 configuration; additional settings will be needed.

IPsec Transforms and Lifetimes
Regardless of the IKE version selected, the device must be configured with the proper transform for IPsec ESP encryption and integrity, as well as IPsec lifetimes.

device(config)# crypto ipsec transform-set example esp-aes 128 esp-sha-hmac

Note that this configures IPsec ESP to use HMAC-SHA-1 and AES-CBC-128. To change this to one of the other allowed algorithms, the following options can replace esp-aes 128 in the command above:

Encryption Algorithm    Command
AES-CBC-256             esp-aes 256
AES-GCM-128             esp-gcm 128
AES-GCM-256             esp-gcm 256

Note: The size of the key selected here must be less than or equal to the key size selected for the IKE encryption setting. If AES-CBC-128 was selected there for use with IKE encryption, then only AES-CBC-128 or AES-GCM-128 may be selected here.

device(config-crypto)# mode tunnel

This configures tunnel mode for IPsec. Tunnel is the default, but by explicitly specifying tunnel mode, the device will request tunnel mode and will accept only tunnel mode.

device(config-crypto)# mode transport

This configures transport mode for IPsec.

device(config)# crypto ipsec security-association lifetime seconds 28800

The default time value for Phase 2 SAs is 1 hour. No configuration is required for this setting since the default is acceptable. However, to change the setting to 8 hours as claimed in the Security Target, the crypto ipsec security-association lifetime command can be used as specified above.

device(config)# crypto ipsec security-association lifetime kilobytes 100000

This configures a lifetime of 100 MB of traffic for Phase 2 SAs. The default amount for this setting is 2560 KB, which is the minimum configurable value for this command. The maximum configurable value for this command is 4 GB.
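The key-size rule between IKE and ESP, the supported DH groups and the pre-shared-key length guidance stated in the IKEv1, IKEv2 and transform-set sections above can be checked mechanically before a configuration is committed. The following Python script is an added example, not Cisco code: it parses only the subset of running-config syntax used in this guide's examples (crypto isakmp policy, crypto ikev2 proposal, crypto ikev2 keyring, crypto isakmp key, crypto ipsec transform-set) and runs over a constructed sample configuration that deliberately breaks three of the rules.

```python
import re

ALLOWED_DH_GROUPS = {14, 15, 16, 19, 20, 24}  # DH groups the guide lists as supported
PSK_MIN_RECOMMENDED = 22                      # pre-shared key length guidance from the guide

def aes_keysize(words):
    """Bits for ['aes'] (IKEv1 default 128), ['aes', '256'], ['aes-cbc-128'] or
    ['aes-gcm-256']; None for a non-AES algorithm."""
    m = re.fullmatch(r"aes(?:-(?:cbc|gcm))?(?:-(\d+))?", words[0])
    if not m:
        return None
    if m.group(1):
        return int(m.group(1))
    return int(words[1]) if len(words) > 1 and words[1].isdigit() else 128

def esp_keysize(words):
    """Bits from transform-set tokens such as ['esp-gcm', '256']; a bare esp-aes is 128."""
    for i, w in enumerate(words):
        if w in ("esp-aes", "esp-gcm"):
            nxt = words[i + 1] if i + 1 < len(words) else ""
            return int(nxt) if nxt.isdigit() else 128
    return None  # not an AES transform set

def parse_config(text):
    """Collect the IKE and ESP settings this guide constrains from running-config text."""
    cfg = {"ike": [], "esp": [], "psk": [], "dh": []}
    section = None  # configuration block whose sub-commands are being read
    for raw in text.splitlines():
        toks = raw.strip().split()
        if not toks or toks[0].startswith("!"):
            continue
        if toks[0] == "crypto":
            section = None  # a top-level crypto command ends the previous block
        head = " ".join(toks[:3])
        if head in ("crypto isakmp policy", "crypto ikev2 proposal"):
            section = " ".join(toks[:4])
        elif head == "crypto ikev2 keyring":
            section = head
        elif head == "crypto ipsec transform-set":
            cfg["esp"].append((toks[3], esp_keysize(toks[4:])))
        elif head == "crypto isakmp key":
            rest = toks[3:]
            if rest and rest[0] == "0":  # "0" marks a cleartext key; "6" would be an encrypted one
                rest = rest[1:]
            if rest and rest[0] != "6":
                cfg["psk"].append((head, rest[0]))
        elif section and toks[0] in ("encr", "encryption") and len(toks) > 1:
            cfg["ike"].append((section, aes_keysize(toks[1:])))
        elif section and toks[0] == "group" and len(toks) > 1 and toks[1].isdigit():
            cfg["dh"].append((section, int(toks[1])))
        elif section == "crypto ikev2 keyring" and toks[0] == "pre-shared-key":
            rest = toks[1:]
            if rest and rest[0] in ("local", "remote"):  # asymmetric key direction
                rest = rest[1:]
            if rest and rest[0] != "hex":  # hex keys are sized in bytes and are not checked here
                cfg["psk"].append((section, rest[0]))
    return cfg

def check(cfg):
    """Return findings as strings; an empty list means the guide's rules are met."""
    findings = []
    ike_sizes = [ks for _, ks in cfg["ike"] if ks is not None]
    if ike_sizes:
        # ESP key size must not exceed the IKE encryption key size; compare against the
        # smallest IKE key size so that every configured policy satisfies the rule.
        weakest_ike = min(ike_sizes)
        for name, ks in cfg["esp"]:
            if ks is not None and ks > weakest_ike:
                findings.append(f"transform-set {name}: ESP AES-{ks} exceeds IKE key size {weakest_ike}")
    for where, key in cfg["psk"]:
        if len(key) < PSK_MIN_RECOMMENDED:
            findings.append(f"{where}: pre-shared key has {len(key)} characters, fewer than {PSK_MIN_RECOMMENDED}")
    for where, grp in cfg["dh"]:
        if grp not in ALLOWED_DH_GROUPS:
            findings.append(f"{where}: DH group {grp} is not among the supported groups")
    return findings

# Constructed sample in running-config form, modelled on the guide's examples but with
# deliberate violations: IKEv1 at AES-128 while ESP uses AES-256, a 9-character key, DH group 5.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 encr aes
 group 5
crypto isakmp key 0 Cisco!123 address 192.0.2.4
crypto ipsec transform-set aes-gcm-256 esp-gcm 256
crypto ikev2 proposal PH1PROPOSAL
 encryption aes-cbc-256
 group 14
crypto ikev2 keyring PH1KEY
 peer Edison-M1
  pre-shared-key Cisco!123Cisco!123Cisco!123
crypto ipsec transform-set aes256-sha1 esp-aes 256 esp-sha-hmac
"""

if __name__ == "__main__":
    for finding in check(parse_config(SAMPLE_CONFIG)):
        print(finding)
```

Because the check takes the weakest IKE key size device-wide, both AES-256 transform sets in the sample are reported even though the IKEv2 proposal alone would permit them.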

Use of X.509 With Internet Key Exchange Version
Cisco Catalyst 9800 Series Wireless Controller supports RSA and ECDSA based certificates. Once X.509v3 keys are installed on the device, they can be set for use with IKEv1 with the following commands:

Procedure

Step 1: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: crypto isakmp policy-name
Example: Device(config)# crypto isakmp policy 1
Purpose: Defines an Internet Key Exchange (IKE) policy and assigns a priority to the policy.

Step 3: authentication [remote | local] rsa-sig
Example: Device(config-isakmp)# authentication rsa-sig
Purpose: Uses RSA based certificates for IKEv1 authentication.

Step 4: authentication [remote | local] ecdsa-sig
Example: Device(config-isakmp)# authentication ecdsa-sig
Purpose: Uses ECDSA based certificates for IKEv1 authentication.

For IKEv2 Commands

Procedure

Step 1: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: crypto ikev2 profile sample
Example: Device(config)# crypto ikev2 profile sample
Purpose: Defines an Internet Key Exchange Version 2 (IKEv2) profile.

Step 3: authentication [remote | local] rsa-sig
Example: Device(config-ikev2-profile)# authentication rsa-sig
Purpose: Uses RSA based certificates for IKEv2 authentication.

Step 4: authentication [remote | local] ecdsa-sig
Example: Device(config-ikev2-profile)# authentication ecdsa-sig
Purpose: Uses ECDSA based certificates for IKEv2 authentication. Authentication fails if an invalid certificate is loaded.

IPsec Session Interruption and Recovery
If an IPsec session with a peer is unexpectedly interrupted, the connection is broken. In this scenario, no administrative interaction is required. The IPsec session is reestablished (a new SA is set up) once the peer is back online.

Example: Configure IPSec Using ISAKMP
The following sample output displays the IPsec ISAKMP configuration:

crypto isakmp policy 1
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
crypto isakmp key 0 Cisco!123 address 192.0.2.4
crypto isakmp peer address 192.0.2.4
crypto ipsec transform-set aes-gcm-256 esp-gcm 256
 mode tunnel
crypto map IPSEC_ewlc_to_syslog 1 ipsec-isakmp
 set peer 192.0.2.4
 set transform-set aes-gcm-256
 match address acl_ewlc_to_syslog
interface Vlan15
 crypto map IPSEC_ewlc_to_syslog
end

Verifying IPSec Traffic

The following example shows how to verify the IPsec traffic configuration in an ISAKMP configuration:

Device# show crypto map
Crypto Map IPv4 "IPSEC_ewlc_to_syslog" 1 ipsec-isakmp
        Peer = 192.0.2.4
        Extended IP access list acl_ewlc_to_syslog
            access-list acl_ewlc_to_syslog permit ip host 192.0.2.2 host 192.0.2.4
        Current peer: 192.0.2.4
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Mixed-mode : Disabled
        Transform sets={
                aes-gcm-256:  { esp-gcm 256  } ,
        }
        Interfaces using crypto map IPSEC_ewlc_to_syslog:
                Vlan15

Device# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.0.2.5       192.0.2.4       QM_IDLE           1011 ACTIVE

IPv6 Crypto ISAKMP SA

Device# show crypto ipsec sa

interface: Vlan15
    Crypto map tag: IPSEC_ewlc_to_syslog, local addr 192.0.2.5

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.0.2.5/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (192.0.2.4/255.255.255.255/0/0)
   current_peer 192.0.2.4 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1626, #pkts encrypt: 1626, #pkts digest: 1626
    #pkts decaps: 1625, #pkts decrypt: 1625, #pkts verify: 1625
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.0.2.5, remote crypto endpt.: 192.0.2.4
     plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb Vlan15
     current outbound spi: 0x17FF2F4C(402599756)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x4B77AD78(1266134392)
        transform: esp-gcm 256 ,
        in use settings ={Tunnel, }
        conn id: 2041, flow_id: HW:41, sibling_flags FFFFFFFF80004048, crypto map: IPSEC_ewlc_to_syslog
        sa timing: remaining key lifetime (k/sec): (4607904/1933)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x17FF2F4C(402599756)
        transform: esp-gcm 256 ,
        in use settings ={Tunnel, }
        conn id: 2042, flow_id: HW:42, sibling_flags FFFFFFFF80004048, crypto map: IPSEC_ewlc_to_syslog
        sa timing: remaining key lifetime (k/sec): (4607904/1933)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

Device# show ip access-lists acl_ewlc_to_syslog
Extended IP access list acl_ewlc_to_syslog
    10 permit ip host 192.0.2.5 host 192.0.2.4 (17 matches)
Example: Configure IPSec Using Internet Key Exchange Version 2
The following sample output displays the IPsec IKEv2 configuration:

topology : [192.0.2.6]DUT -- (infra) -- PEER[192.0.2.9]
ikev2 config in 192.0.2.6 (peer is 192.0.2.9)
hostname for 192.0.2.9: Edison-M1
hostname for 192.0.2.6: prsna-nyquist-192.0.2.6

ip access-list extended ikev2acl
 permit ip host 192.0.2.6 host 192.0.2.9

crypto ikev2 proposal PH1PROPOSAL
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy PH1POLICY
 proposal PH1PROPOSAL

crypto ikev2 keyring PH1KEY
 peer Edison-M1
  address 192.0.2.9
  pre-shared-key Cisco!123Cisco!123Cisco!123

crypto ikev2 profile PH1PROFILE
 match identity remote address 192.0.2.9 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local PH1KEY

crypto ipsec transform-set aes256-sha1 esp-aes 256 esp-sha-hmac
 mode tunnel

crypto map ikev2-cryptomap 1 ipsec-isakmp
 set peer 192.0.2.9
 set transform-set aes256-sha1
 set ikev2-profile PH1PROFILE
 match address ikev2acl

interface Vlan15
 ip address 192.0.2.6 255.255.255.0
 crypto map ikev2-cryptomap

Verifying IPSec With Internet Key Exchange Version 2 Traffic

The following example shows how to verify the IPsec traffic configuration in an IKEv2 configuration:

Device# show ip access-lists
Extended IP access list ikev2acl
    10 permit ip host 192.0.2.6 host 192.0.2.9 (80 matches)

prsna-nyquist-192.0.2.6#show crypto map
Crypto Map IPv4 "ikev2-cryptomap" 1 ipsec-isakmp
        Peer = 192.0.2.9
        IKEv2 Profile: PH1PROFILE
        Extended IP access list ikev2acl
            access-list ikev2acl permit ip host 192.0.2.6 host 192.0.2.9
        Current peer: 192.0.2.9
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Mixed-mode : Disabled
        Transform sets={
                aes256-sha1:  { esp-256-aes esp-sha-hmac  } ,
        }
        Interfaces using crypto map ikev2-cryptomap:
                Vlan15

Device# show crypto ikev2 sa detailed
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         192.0.2.6/500         192.0.2.9/500         none/none            READY
      Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/1002 sec
      CE id: 1089, Session-id: 2
      Status Description: Negotiation done
      Local spi: 271D20169FE91074       Remote spi: 13895472E3B910AF
      Local id: 192.0.2.6
      Remote id: 192.0.2.9
      Local req msg id:  2              Remote req msg id:  0
      Local next msg id: 2              Remote next msg id: 0
      Local req queued:  2              Remote req queued:  0
      Local window:      5              Remote window:      5
      DPD configured for 0 seconds, retry 0
      Fragmentation not configured.
      Dynamic Route Update: disabled
      Extended Authentication not configured.
      NAT-T is not detected
      Cisco Trust Security SGT is disabled
      Initiator of SA : Yes

Device# show crypto ipsec sa detail

interface: Vlan15
    Crypto map tag: ikev2-cryptomap, local addr 192.0.2.6

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.0.2.6/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (192.0.2.9/255.255.255.255/0/0)
   current_peer 192.0.2.9 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 80, #pkts encrypt: 80, #pkts digest: 80
    #pkts decaps: 80, #pkts decrypt: 80, #pkts verify: 80
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #pkts no sa (send) 0, #pkts invalid sa (rcv) 0
    #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
    #pkts invalid prot (recv) 0, #pkts verify failed: 0
    #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
    #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
    ##pkts replay failed (rcv): 0
    #pkts tagged (send): 0, #pkts untagged (rcv): 0
    #pkts not tagged (send): 0, #pkts not untagged (rcv): 0
    #pkts internal err (send): 0, #pkts internal err (recv) 0

     local crypto endpt.: 192.0.2.6, remote crypto endpt.: 192.0.2.9
     plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb Vlan15
     current outbound spi: 0xB546157A(3041269114)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x350925BC(889791932)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 838, flow_id: 838, sibling_flags FFFFFFFF80000040, crypto map: ikev2-cryptomap
        sa timing: remaining key lifetime (k/sec): (4287660676/2560)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xB546157A(3041269114)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 837, flow_id: 837, sibling_flags FFFFFFFF80000040, crypto map: ikev2-cryptomap
        sa timing: remaining key lifetime (k/sec): (4287660672/2560)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:


CHAPTER 103
MAC Filtering
· MAC Filtering, on page 955
· Configuring MAC Filtering for Local Authentication (CLI), on page 957
· Configuring MAC Filtering (GUI), on page 958
· Configuring MAB for External Authentication (CLI), on page 958
MAC Filtering
You can configure the controller to authorize clients based on the client MAC address by using the MAC filtering feature. When MAC filtering is enabled, the controller uses the MAC address as the client identity. The authentication server has a database of client MAC addresses that are allowed network access. The controller sends the authentication server a RADIUS-access/request frame with a username and password based on the client MAC address as soon as it gets the association request from the client. If authorization succeeds, the controller sends a successful association response to the client. If authorization fails, the controller rejects the client association. Clients that were authorized with MAC filtering can be re-authenticated through the WLAN session timeout feature.
MAC Filtering Configuration Guidelines
· MAC filtering authentication occurs at the 802.11 association phase and delays the association response until authentication is done. If you use a RADIUS server for MAC filtering, keep the latency between the controller and the RADIUS server low. When latency is too high, the client might time out while waiting for the association response.
· MAC filtering can be combined with other authentication methods such as 802.1X or Pre-Shared Key, or it can be used alone.
· MAC addresses can be spoofed, so MAC filtering is not a security measure on its own.
· Many clients can use a private MAC address to connect and change it at every session, which makes it harder to identify devices through their MAC address.

Note: If wlan-profile-name is configured for a user, guest user authentication is allowed only from that WLAN. If wlan-profile-name is not configured for a user, guest user authentication is allowed on any WLAN.

Note: The AP fails to join the controller due to an authentication rejection on the RADIUS server. The failure occurs on the Cisco Catalyst 9800 controller only when the RADIUS server is configured to authenticate the APs with the MAB method as endpoints. The reason is that the RADIUS calling-station-id attribute is required for MAB authentication and is not present in the access request packet during the AP join. The workaround is to use an AP authentication method other than MAB as endpoints, such as PAP-ASCII with a username and a password.

If you want the client to connect to SSID1 but not to SSID2 using MAC filtering, ensure that you configure aaa-override in the policy profile.
In the following example, when a client with MAC address 1122.3344.0001 tries to connect to a WLAN, the request is sent to the local RADIUS server, which checks for the client MAC address in its attribute lists (FILTER_1 and FILTER_2). If the client MAC address is listed in an attribute list (FILTER_1), the client is allowed to join the WLAN (WLAN_1) that is returned as the ssid attribute from the RADIUS server. The client is rejected if its MAC address is not listed in an attribute list.

Local RADIUS Server Configuration

! Configures an attribute list as FILTER_2
aaa attribute list FILTER_2
 ! Defines an attribute type that is to be added to an attribute list.
 attribute type ssid "WLAN_2"
! Username with the MAC address is added to the filter
username 1122.3344.0002 mac aaa attribute list FILTER_2
!
aaa attribute list FILTER_1
 attribute type ssid "WLAN_1"
username 1122.3344.0001 mac aaa attribute list FILTER_1

Controller Configuration

! Sets authorization to the local RADIUS server
aaa authorization network MLIST_MACFILTER local
! A WLAN with the SSID WLAN_2 is created and MAC filtering is set along with security parameters.
wlan WLAN_2 2 WLAN_2
 mac-filtering MLIST_MACF ILTER
 no security wpa
 no security wpa wpa2 ciphers
! A WLAN with the SSID WLAN_1 is created and MAC filtering is set along with security parameters.
wlan WLAN_1 1 WLAN_1
 mac-filtering MLIST_MACFILTER
 no security wpa
 no security wpa wpa2 ciphers aes
 no security wpa akm dot1x
 security web-auth
 security web-auth authentication-list WEBAUTH
! Policy profile to be associated with the above WLANs
wireless profile policy MAC_FILTER_POLICY
 aaa-override
 vlan 504
 no shutdown
Configuring MAC Filtering for Local Authentication (CLI)
Follow the procedure given below to configure MAB for local authentication.

Before you begin
Configure AAA local authentication. Configure the username for WLAN configuration (local authentication) using the username mac-address mac command.

Note: The mac-address must be in the following format: abcdabcdabcd

Procedure

Step 1: wlan profile-name wlan-id
Example: wlan CR1_SSID_mab-local-default 1 CR1_SSID_mab-local-default
Purpose: Specifies the WLAN name and ID.

Step 2: mac-filtering default
Example: Device(config-wlan)# mac-filtering default
Purpose: Sets MAC filtering support for the WLAN.

Step 3: no security wpa
Example: Device(config-wlan)# no security wpa
Purpose: Disables WPA security.

Step 4: no security wpa akm dot1x
Example: Device(config-wlan)# no security wpa akm dot1x
Purpose: Disables security AKM for dot1x.

Step 5: no security wpa wpa2
Example: Device(config-wlan)# no security wpa wpa2
Purpose: Disables WPA2 security.

Step 6: no security wpa wpa2 ciphers aes
Example: Device(config-wlan)# no security wpa wpa2 ciphers aes
Purpose: Disables WPA2 ciphers for AES.

Step 7: no shutdown
Example: Device(config-wlan)# no shutdown
Purpose: Enables the WLAN.

Configuring MAC Filtering (GUI)

Before you begin
Configure AAA external authentication.

Procedure

Step 1: Choose Configuration > Wireless > WLANs.
Step 2: On the Wireless Networks page, click the name of the WLAN.
Step 3: In the Edit WLAN window, click the Security tab.
Step 4: In the Layer2 tab, check the MAC Filtering check box to enable the feature.
Step 5: With MAC Filtering enabled, choose the Authorization List from the drop-down list.
Step 6: Save the configuration.

Configuring MAB for External Authentication (CLI)
Follow the procedure given below to configure MAB for external authentication.

Before you begin
Configure AAA external authentication.

Procedure

Step 1: wlan wlan-name wlan-id ssid-name
Example: wlan CR1_SSID_mab-ext-radius 3 CR1_SSID_mab-ext-radius
Purpose: Specifies the WLAN name and ID.

Step 2: mac-filtering list-name
Example: Device(config-wlan)# mac-filtering ewlc-radius
Purpose: Sets the MAC filtering parameters. Here, ewlc-radius is an example of the list-name.

Step 3: no security wpa
Example: Device(config-wlan)# no security wpa
Purpose: Disables WPA security.

Step 4: no security wpa akm dot1x
Example: Device(config-wlan)# no security wpa akm dot1x
Purpose: Disables security AKM for dot1x.

Step 5: no security wpa wpa2
Example: Device(config-wlan)# no security wpa wpa2
Purpose: Disables WPA2 security.

Step 6: mab request format attribute {1 groupsize size separator separator [lowercase | uppercase] | 2 {0 | 7 | LINE} LINE password | 32 vlan access-vlan}
Example: Device(config)# mab request format attribute 1 groupsize 4 separator
Purpose: (Optional) Configures the delimiter used for MAC filtering in a WLAN. Here:
· 1: Specifies the username format used for MAB requests.
· groupsize size: Specifies the number of hex digits per group. The valid values range from 1 to 12.
· separator separator: Specifies how to separate groups. The separators are comma, semicolon, and full stop.
· lowercase: Specifies the username in lowercase format.
· uppercase: Specifies the username in uppercase format.
· 2: Specifies the global password used for all the MAB requests.
· 0: Specifies the unencrypted password.
· 7: Specifies the hidden password.
· LINE: Specifies the encrypted or unencrypted password.
· password: LINE password.
· 32: Specifies the NAS-Identifier attribute.
· vlan: Specifies a VLAN.
· access-vlan: Specifies the configured access VLAN.

Step 7: no security wpa wpa2 ciphers aes
Example: Device(config-wlan)# no security wpa wpa2 ciphers aes
Purpose: Disables WPA2 ciphers for AES.

Step 8: no shutdown
Example: Device(config-wlan)# no shutdown
Purpose: Enables the WLAN.
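The username format chosen in Step 6 only works if it matches the form in which the MAC addresses are stored on the authentication server, and the SSID restriction described earlier in this chapter depends on aaa-override. The following Python model is an added example, not Cisco code: it builds the User-Name the controller would send from a mab request format attribute 1 line, then checks it against a constructed stand-in for the server's MAC list with ssid attributes modelled on the FILTER_1 and FILTER_2 lists above. The no-separator, lowercase default and the MAC_DATABASE contents are assumptions for the example.

```python
import re

def parse_mab_format(cli_line):
    """Read groupsize, separator and case from a controller line such as
    'mab request format attribute 1 groupsize 4 separator . lowercase'.
    Only the 'attribute 1' (username) form is modelled."""
    toks = cli_line.split()
    if toks[:5] != ["mab", "request", "format", "attribute", "1"]:
        raise ValueError("only 'mab request format attribute 1 ...' is modelled")
    # assumed default: 12 hex digits, no separator, lowercase
    fmt = {"groupsize": 12, "separator": "", "case": "lowercase"}
    i = 5
    while i < len(toks):
        if toks[i] in ("groupsize", "separator"):
            value = toks[i + 1]
            fmt[toks[i]] = int(value) if toks[i] == "groupsize" else value
            i += 2
        elif toks[i] in ("lowercase", "uppercase"):
            fmt["case"] = toks[i]
            i += 1
        else:
            raise ValueError(f"unexpected token {toks[i]!r}")
    return fmt

def mab_username(mac, groupsize=12, separator="", case="lowercase"):
    """Build the RADIUS User-Name the controller sends for a client MAC address.
    The guide lists comma, semicolon and full stop as separators; any string is accepted here."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)  # accept 1122.3344.0001, 11:22:33:44:00:01, ...
    if len(digits) != 12:
        raise ValueError(f"{mac!r} is not a 48-bit MAC address")
    if not 1 <= groupsize <= 12:  # range the guide gives for groupsize
        raise ValueError("groupsize must be between 1 and 12")
    groups = [digits[i:i + groupsize] for i in range(0, 12, groupsize)]
    name = separator.join(groups)
    return name.upper() if case == "uppercase" else name.lower()

# Constructed stand-in for the server's MAC database: User-Name -> ssid attribute it
# returns, mirroring the FILTER_1 / FILTER_2 attribute lists in the guide's example.
MAC_DATABASE = {
    "1122.3344.0001": "WLAN_1",
    "1122.3344.0002": "WLAN_2",
}

def authorize(mac, requested_ssid, fmt, database=MAC_DATABASE, aaa_override=True):
    """Outcome of an association request: the controller formats the MAC as User-Name,
    the server looks it up, and (with aaa-override in the policy profile, as the guide's
    note requires) the client is accepted only on the WLAN whose ssid the server returned."""
    user = mab_username(mac, **fmt)
    if user not in database:
        return "reject"  # MAC not present in the server's list
    if aaa_override and database[user] != requested_ssid:
        return "reject"  # listed, but for a different WLAN
    return "accept"

if __name__ == "__main__":
    fmt = parse_mab_format("mab request format attribute 1 groupsize 4 separator . lowercase")
    for mac, ssid in [("11:22:33:44:00:01", "WLAN_1"), ("11:22:33:44:00:01", "WLAN_2"),
                      ("1122.3344.0003", "WLAN_1")]:
        print(mab_username(mac, **fmt), ssid, authorize(mac, ssid, fmt))
```

A controller configured with groupsize 2 and a colon separator sends 11:22:33:44:00:01 for the same client, which the dotted entries in the server list do not match, so the client is rejected even though its MAC is authorized.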

CHAPTER 104

IP Source Guard

· Information About IP Source Guard, on page 961
· Configuring IP Source Guard (GUI), on page 961
· Configuring IP Source Guard, on page 962
Information About IP Source Guard
IP Source Guard (IPSG) is a Layer 2 security feature in the Cisco Catalyst 9800 Series Wireless Controller. It supports both IPv4 and IPv6 wireless clients.
The IPSG feature prevents the wireless controller from forwarding packets whose source IP addresses are not known to it. This security feature is not enabled by default and has to be explicitly configured. It is enabled on a per-WLAN basis, and all the wireless clients joining that WLAN inherit this feature.
The wireless controller maintains an IP/MAC pair binding table for the IPSG feature. Using this table, the wireless controller keeps track of IP and MAC address combination (binding) information for all the wireless clients. This binding information is captured as part of the IP learning process. When the feature is enabled on a WLAN, the wireless controller forwards the incoming packets (from the wireless clients) only if it finds a matching binding table entry corresponding to the source IP and MAC address combination of those packets. Otherwise, the packets are dropped.

Configuring IP Source Guard (GUI)
Procedure

Step 1  Choose Configuration > Tags & Profiles > WLANs.
Step 2  Click the WLAN.
Step 3  In the Advanced tab, check the IP Source Guard checkbox.
Step 4  Click Update & Apply to Device.

Configuring IP Source Guard
Follow the procedure given below to configure IPSG:

Before you begin
Cisco Catalyst 9800 Series Wireless Controller supports only one IPv4 address for a client and up to 8 IPv6 addresses (including link local addresses) per client.

Procedure

Step 1
Command or Action: wlan profile-name wlan-id ssid
Example:
Device(config)# wlan mywlan 34 mywlan-ssid
Purpose: Specifies the WLAN name and ID to use.
Note: If a WLAN is not already configured, this step creates the WLAN.

Step 2
Command or Action: shutdown
Example:
Device(config-wlan)# shutdown
Purpose: Disables the WLAN.

Step 3
Command or Action: ip verify source mac-check
Example:
Device(config-wlan)# ip verify source mac-check
Purpose: Enables the IP Source Guard feature.

Step 4
Command or Action: no shutdown
Example:
Device(config-wlan)# no shutdown
Purpose: Enables the WLAN.
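The binding check described under Information About IP Source Guard, together with the one-IPv4/eight-IPv6 per-client limit from Before you begin, as an added Python model. This is not Cisco's code and not part of the guide: the table layout, the decision to refuse an address learned beyond the limit, the class and function names, and the sample MAC addresses are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Set

# Per-client address limits stated under "Before you begin".
MAX_IPV4_PER_CLIENT = 1
MAX_IPV6_PER_CLIENT = 8


@dataclass
class BindingTable:
    """IP/MAC pair binding table, modelled after the one the controller fills during IP learning.

    Assumed layout: one set of learned addresses per client MAC and address family.
    """
    ipv4: Dict[str, Set[str]] = field(default_factory=dict)
    ipv6: Dict[str, Set[str]] = field(default_factory=dict)

    def learn(self, mac: str, ip: str) -> bool:
        """Record an address learned for a client.

        Returns False when the per-client limit is already reached. How the controller
        treats the excess address is not stated in the guide; refusing it is an assumption.
        """
        addr = ipaddress.ip_address(ip)
        if addr.version == 4:
            bound, limit = self.ipv4.setdefault(mac.lower(), set()), MAX_IPV4_PER_CLIENT
        else:
            bound, limit = self.ipv6.setdefault(mac.lower(), set()), MAX_IPV6_PER_CLIENT
        key = str(addr)
        if key in bound:
            return True
        if len(bound) >= limit:
            return False
        bound.add(key)
        return True

    def has_binding(self, mac: str, ip: str) -> bool:
        """True when the source IP/MAC pair of a packet matches a learned entry."""
        addr = ipaddress.ip_address(ip)
        table = self.ipv4 if addr.version == 4 else self.ipv6
        return str(addr) in table.get(mac.lower(), set())


@dataclass
class Wlan:
    name: str
    ip_source_guard: bool = False  # set by 'ip verify source mac-check' under the WLAN


def should_forward(wlan: Wlan, table: BindingTable, src_mac: str, src_ip: str) -> bool:
    """IPSG forwarding decision for one packet received from a wireless client.

    With the feature disabled on the WLAN nothing is checked; with it enabled the packet
    is forwarded only when its source IP and MAC pair matches a binding table entry.
    """
    if not wlan.ip_source_guard:
        return True
    return table.has_binding(src_mac, src_ip)


def filter_packets(wlan: Wlan, table: BindingTable, packets):
    """Split constructed (src_mac, src_ip) packets into those forwarded and those dropped."""
    forwarded, dropped = [], []
    for src_mac, src_ip in packets:
        target = forwarded if should_forward(wlan, table, src_mac, src_ip) else dropped
        target.append((src_mac, src_ip))
    return forwarded, dropped
```

The two dropped cases worth noticing are a known IP arriving from the wrong MAC and a known MAC using an IP it never went through IP learning with; both are rejected even though each half of the pair is present in the table, because IPSG matches the combination, not the individual addresses.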

CHAPTER 105

Managing Rogue Devices

· Rogue Detection, on page 963
· Rogue Detection Security Level, on page 975
· Setting Rogue Detection Security-level, on page 976
· Wireless Service Assurance Rogue Events, on page 977
Rogue Detection
Rogue Devices
Rogue access points can disrupt wireless LAN operations by hijacking legitimate clients and using plain-text or other denial-of-service or man-in-the-middle attacks. That is, a hacker can use a rogue access point to capture sensitive information, such as usernames and passwords. The hacker can then transmit a series of Clear to Send (CTS) frames. This action mimics an access point, informing a particular client to transmit, and instructing all the other clients to wait, which results in legitimate clients being unable to access network resources.

Wireless LAN service providers have a strong interest in banning rogue access points from the air space. Because rogue access points are inexpensive and readily available, employees sometimes plug unauthorized rogue access points into existing LANs and build ad hoc wireless networks without their IT department's knowledge or consent. These rogue access points can be a serious breach of network security because they can be plugged into a network port behind the corporate firewall. Because employees generally do not enable any security settings on the rogue access point, it is easy for unauthorized users to use the access point to intercept network traffic and hijack client sessions. There is an increased chance of an enterprise security breach when wireless users connect to access points in the enterprise network.

The following are some guidelines to manage rogue devices:
· The access points are designed to serve associated clients. These access points spend relatively little time performing off-channel scanning: about 50 milliseconds on each channel. If you want to detect a large number of rogue APs and clients with high sensitivity, a monitor mode access point must be used. Alternatively, you can reduce the scan interval from 180 seconds to a lesser value, for example, 120 or 60 seconds, ensuring that the radio goes off-channel more frequently, which improves the chances of rogue detection. However, the access point continues to spend about 50 milliseconds on each channel.
· Rogue detection is disabled by default for OfficeExtend access points because these access points, which are deployed in a home environment, are likely to detect many rogue devices.
· Client card implementation might mitigate the effectiveness of containment. This normally happens when a client might quickly reconnect to the network after receiving a "de-association/de-authentication" frame, so it might still be able to pass some traffic. However, the browsing experience of the rogue client would be badly affected when it is contained.
· It is possible to classify and report rogue access points by using rogue states and user-defined classification rules that enable rogues to automatically move between states.
· Each controller limits the number of rogue containments to three and six per radio for access points in the monitor mode.
· When manual containment is performed using configuration, the rogue entry is retained even after the rogue entry expires.
· When a rogue entry expires, the managed access points are instructed to stop any active containment on it.
· To validate a rogue client against AAA, add the rogue client MAC address to the AAA user database, with the username and the password both being the MAC address with the relevant delimiter. The Access-Accept contains the Cisco-AV-pair with one of the following keywords: rogue-ap-state=state

Note: Here, state can be of three types, namely: alert, threat, and contain. For instance, rogue-ap-state=threat. If the Access-Accept has no rogue-ap-class AV-pair or an invalid value of rogue-ap-class, the rogue client state is set to either of the following:
· Contained, if the config is set to autocontain clients or untrusted AP.
· Threat

The RADIUS Access-Reject for rogue client AAA validation is ignored.
· When Validate Rogue Clients Against AAA is enabled, the controller requests the AAA server for rogue client validation only once. As a result, if rogue client validation fails on the first attempt then the rogue client will not be detected as a threat any more. To avoid this, add the valid client entries in the authentication server before enabling Validate Rogue Clients Against AAA.
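The AAA validation outcome described in the last two guidelines, as an added Python model (not Cisco code, not from this guide). It resolves a rogue client's state from a constructed RADIUS reply exactly as the text states: Access-Reject is ignored, a valid rogue-ap-state value is applied, and a missing or invalid value falls back to Contained or Threat depending on the auto-contain configuration. The one-shot validator then shows why pre-populating the server matters: a second reply for the same MAC is never consulted. The reply dictionary layout, the initial "Alert" state, and the class and function names are assumptions.

```python
# Values the guide lists for the rogue-ap-state Cisco-AV-pair, mapped to the rogue
# client states they produce (display names follow the guide's prose).
VALID_ROGUE_STATES = {"alert": "Alert", "threat": "Threat", "contain": "Contained"}


def parse_av_pairs(attributes) -> dict:
    """Split a list of 'key=value' AV-pair strings from a RADIUS reply into a dict."""
    pairs = {}
    for item in attributes:
        key, sep, value = item.partition("=")
        if sep:
            pairs[key.strip()] = value.strip()
    return pairs


def resolve_rogue_client_state(response: dict, autocontain: bool, previous_state: str) -> str:
    """State of a rogue client after one AAA validation reply.

    response is a constructed RADIUS reply: {"code": "Access-Accept" or "Access-Reject",
    "avpairs": [...]}. Per the guide: an Access-Reject is ignored, so the previous state
    is kept; an Access-Accept carrying a valid rogue-ap-state sets that state; an
    Access-Accept with the attribute missing or invalid gives Contained when the
    configuration auto-contains clients or untrusted APs, otherwise Threat.
    """
    if response.get("code") != "Access-Accept":
        return previous_state
    value = parse_av_pairs(response.get("avpairs", [])).get("rogue-ap-state", "").lower()
    if value in VALID_ROGUE_STATES:
        return VALID_ROGUE_STATES[value]
    return "Contained" if autocontain else "Threat"


class RogueClientAaaValidator:
    """Models the one-shot validation the guide warns about: the controller asks AAA about
    a rogue client only once, so a later reply for the same MAC is not consulted.

    The initial state of a not-yet-validated client ("Alert") is an assumption.
    """

    def __init__(self, autocontain: bool):
        self.autocontain = autocontain
        self.states = {}
        self.validated = set()

    def validate(self, client_mac: str, response: dict) -> str:
        mac = client_mac.lower()
        if mac in self.validated:
            return self.states[mac]  # no second request is made for this client
        self.validated.add(mac)
        self.states[mac] = resolve_rogue_client_state(
            response, self.autocontain, self.states.get(mac, "Alert")
        )
        return self.states[mac]
```

Because the validator never re-queries, a client whose entry is added to the AAA server after its first validation stays in whatever state the first reply produced, which is the behaviour the last guideline tells you to avoid by loading the entries before enabling Validate Rogue Clients Against AAA.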
Restrictions on Rogue Detection

· Rogue containment is not supported on DFS channels.
A rogue access point is moved to a contained state either automatically or manually. The controller selects the best available access point for containment and pushes the information to the access point. The access point stores the list of containments per radio. For auto containment, you can configure the controller to use only the monitor mode access point. The containment operation occurs in the following two ways:
· The container access point goes through the list of containments periodically and sends unicast containment frames. For rogue access point containment, the frames are sent only if a rogue client is associated.
· Whenever a contained rogue activity is detected, containment frames are transmitted.

Individual rogue containment involves sending a sequence of unicast disassociation and deauthentication frames.
Cisco Prime Infrastructure Interaction and Rogue Detection

Cisco Prime Infrastructure supports rule-based classification and uses the classification rules configured on the controller. The controller sends traps to Cisco Prime Infrastructure after the following events:
· If an unknown access point moves to the Friendly state for the first time, the controller sends a trap to Cisco Prime Infrastructure only if the rogue state is Alert. It does not send a trap if the rogue state is Internal or External.
· If a rogue entry is removed after the timeout expires, the controller sends a trap to Cisco Prime Infrastructure for rogue access points that are categorized as Malicious (Alert, Threat) or Unclassified (Alert). The controller does not remove rogue entries with the following rogue states: Contained, Contained Pending, Internal, and External.
Information About Rogue Containment (Protected Management Frames (PMF) Enabled)
From Cisco IOS XE Amsterdam, 17.3.1 onwards, rogue devices that are enabled with 802.11w Protected Management Frames (PMF) are not contained. Instead, the rogue device is marked as Contained Pending, and a WSA alarm is raised to inform about the Contained Pending event. Because the device containment is not performed, access point (AP) resources are not consumed unnecessarily.
Note This feature is supported only on the Wave 2 APs.
Run the show wireless wps rogue ap detailed command to verify the device containment, when PMF is enabled on a rogue device.
AP Impersonation Detection
The various methods to detect AP impersonation are:
· AP impersonation can be detected if a managed AP reports itself as Rogue. This method is always enabled and no configuration is required.
· AP impersonation detection is based on MFP.
· AP impersonation detection based on AP authentication.
Infrastructure MFP protects 802.11 session management functions by adding message integrity check (MIC) information elements to the management frames sent by APs (and not to those sent by clients); these elements are then validated by other APs in the network. If infrastructure MFP is enabled, the managed APs check whether the MIC information elements are present and whether they are as expected. If either of these conditions is not fulfilled, the managed AP sends rogue AP reports with an updated AP authentication failure counter.

The AP Authentication functionality allows you to detect AP impersonation. When you enable this functionality, the controller creates an AP domain secret and shares it with the other APs in the same network. This allows the APs to authenticate each other. An AP Authentication information element is attached to beacon and probe response frames. If the AP Authentication information element has an incorrect Signature field, or the timestamp is off, or the AP Authentication information element is missing, the AP that detects such a condition increments the AP authentication failure count field. An impersonation alarm is raised after the AP authentication failure count field breaches its threshold. The rogue AP is classified as Malicious with state Threat.

Run the show wireless wps rogue ap detail command to see when the impersonation is detected due to authentication errors.
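The AP Authentication check just described, as an added Python model that is neither Cisco code nor part of this guide: a managed AP signs its BSSID and a timestamp with the shared AP domain secret, and a neighbouring AP validates the element in each beacon it hears, counts failures per BSSID and raises the impersonation alarm when the count reaches the threshold set with wireless wps ap-authentication threshold. The guide does not describe the real element format, so the element layout, the use of HMAC-SHA256, the five-second timestamp tolerance, the equality test against the threshold and all names are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

TIMESTAMP_WINDOW_S = 5  # assumed tolerance; the guide only says "the timestamp is off"


@dataclass
class ApAuthIE:
    """Modelled AP Authentication information element carried in beacons and probe responses."""
    bssid: str
    timestamp: int
    signature: bytes


def sign_ie(domain_secret: bytes, bssid: str, timestamp: int) -> ApAuthIE:
    """Build the element a managed AP attaches, signing BSSID and timestamp with the domain secret."""
    msg = f"{bssid.lower()}|{timestamp}".encode()
    return ApAuthIE(bssid.lower(), timestamp, hmac.new(domain_secret, msg, hashlib.sha256).digest())


@dataclass
class ImpersonationDetector:
    """Neighbour-AP side: validates the element, counts AP authentication failures per BSSID
    and records an alarm when the count reaches the configured threshold."""
    domain_secret: bytes
    threshold: int  # value from 'wireless wps ap-authentication threshold'
    failure_count: dict = field(default_factory=dict)
    alarms: list = field(default_factory=list)

    def check_beacon(self, bssid: str, ie: Optional[ApAuthIE], now: int) -> str:
        """Return "ok" or the failure reason, updating the counter and alarms on failure."""
        bssid = bssid.lower()
        reason = None
        if ie is None:
            reason = "missing-ie"
        elif abs(now - ie.timestamp) > TIMESTAMP_WINDOW_S:
            reason = "timestamp-off"
        else:
            expected = sign_ie(self.domain_secret, bssid, ie.timestamp).signature
            if not hmac.compare_digest(expected, ie.signature):
                reason = "bad-signature"
        if reason is None:
            return "ok"
        count = self.failure_count.get(bssid, 0) + 1
        self.failure_count[bssid] = count
        if count == self.threshold:
            # The guide: the rogue AP is classified Malicious with state Threat at this point.
            self.alarms.append((bssid, count))
        return reason
```

The counter is what the Authentication Failure Count line of show wireless wps rogue ap detailed reports per detecting AP; a high value with the alarm already raised is the signature to look for when a managed BSSID appears in the rogue list as an impersonator.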
Configuring Rogue Detection (GUI)
Procedure

Step 1  Choose Configuration > Tags & Profiles > AP Join.
Step 2  Click the AP Join Profile Name to edit the AP join profile properties.
Step 3  In the Edit AP Join Profile window, click the Rogue AP tab.
Step 4  Check the Rogue Detection check box to enable rogue detection.
Step 5  In the Rogue Detection Minimum RSSI field, enter the RSSI value.
Step 6  In the Rogue Detection Transient Interval field, enter the interval in seconds.
Step 7  In the Rogue Detection Report Interval field, enter the report interval value in seconds.
Step 8  In the Rogue Detection Client Number Threshold field, enter the threshold for rogue client detection.
Step 9  Check the Auto Containment on FlexConnect Standalone check box to enable auto containment.
Step 10 Click Update & Apply to Device.

Configuring Rogue Detection (CLI)

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: ap profile profile-name rogue detection min-rssi rssi in dBm
Example:
Device(config)# ap profile profile1
Device(config)# rogue detection min-rssi -100
Purpose: Specifies the minimum RSSI value that rogues should have for APs to detect them and for a rogue entry to be created in the device. The valid range for the rssi in dBm parameter is -128 dBm to -70 dBm, and the default value is -128 dBm.

Note: This feature is applicable to all the AP modes. There can be many rogues with very weak RSSI values that do not provide any valuable information in rogue analysis. Therefore, you can use this option to filter rogues by specifying the minimum RSSI value at which APs should detect rogues.

Step 3
Command or Action: ap profile profile-name rogue detection containment {auto-rate | flex-rate}
Example:
Device(config)# ap profile profile1
Device(config)# rogue detection containment flex-rate
Purpose: Specifies the rogue containment options. The auto-rate option enables auto-rate for containment of rogues. The flex-rate option enables rogue containment on standalone FlexConnect APs.

Step 4
Command or Action: ap profile profile-name rogue detection enable
Example:
Device(config)# ap profile profile1
Device(config)# rogue detection enable
Purpose: Enables rogue detection on all APs.

Step 5
Command or Action: ap profile profile-name rogue detection report-interval time in seconds
Example:
Device(config)# ap profile profile1
Device(config)# rogue detection report-interval 120
Purpose: Configures the rogue report interval for monitor mode Cisco APs. The valid range for the report interval is 10 seconds to 300 seconds.

Configuring RSSI Deviation Notification Threshold for Rogue APs (CLI)

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wireless wps rogue ap notify-rssi-deviation
Example:
Device(config)# wireless wps rogue ap notify-rssi-deviation
Purpose: Configures the RSSI deviation notification threshold for rogue APs.

Step 3
Command or Action: end
Example:
Device(config)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can press Ctrl-Z to exit global configuration mode.

Configuring Management Frame Protection (GUI)
Procedure

Step 1  Choose Configuration > Security > Wireless Protection Policies.
Step 2  In the Rogue Policy tab, under the MFP Configuration section, check the Global MFP State check box and the AP Impersonation Detection check box to enable the global MFP state and AP impersonation detection, respectively.
Step 3  In the MFP Key Refresh Interval field, specify the refresh interval in hours.
Step 4  Click Apply.

Configuring Management Frame Protection (CLI)

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wireless wps mfp
Example:
Device(config)# wireless wps mfp
Purpose: Configures management frame protection.

Step 3
Command or Action: wireless wps mfp {ap-impersonation | key-refresh-interval}
Example:
Device(config)# wireless wps mfp ap-impersonation
Device(config)# wireless wps mfp key-refresh-interval
Purpose: Configures AP impersonation detection, or the MFP key refresh interval in hours. key-refresh-interval refers to the MFP key refresh interval in hours. The valid range is from 1 to 24. The default value is 24.

Step 4
Command or Action: end
Example:
Device(config)# end
Purpose: Saves the configuration, exits configuration mode, and returns to privileged EXEC mode.

Enabling Access Point Authentication

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wireless wps ap-authentication
Example:
Device(config)# wireless wps ap-authentication
Purpose: Configures the wireless WPS AP authentication.

Step 3
Command or Action: wireless wps ap-authentication threshold threshold
Example:
Device(config)# wireless wps ap-authentication threshold 100
Purpose: Configures AP neighbor authentication and sets the threshold for AP authentication failures.

Step 4
Command or Action: wlan wlan-name wlan-id SSID-name
Example:
Device(config)# wlan wlan-demo 1 ssid-demo
Purpose: Configures a WLAN.

Step 5
Command or Action: ccx aironet-iesupport
Example:
Device(config-wlan)# ccx aironet-iesupport
Purpose: Enables support for Aironet Information Elements on this WLAN.

Step 6
Command or Action: end
Example:
Device(config-wlan)# end
Purpose: Returns to privileged EXEC mode.

Verifying Management Frame Protection

To verify whether the Management Frame Protection (MFP) feature is enabled, use the following command:

Device# show wireless wps summary

Client Exclusion Policy
Excessive 802.11-association failures    : unknown
Excessive 802.11-authentication failures : unknown
Excessive 802.1x-authentication          : unknown
IP-theft                                 : unknown
Excessive Web authentication failure     : unknown
Failed Qos Policy                        : unknown

Management Frame Protection
Global Infrastructure MFP state : Enabled
AP Impersonation detection      : Disabled
Key refresh interval            : 15

To view the MFP details, use the following command:

Device# show wireless wps mfp summary

Management Frame Protection
Global Infrastructure MFP state : Enabled
AP Impersonation detection      : Disabled
Key refresh interval            : 15

Verifying Rogue Events

To verify the rogue event history, run the show wireless wps rogue ap detailed command:

Device# show wireless wps rogue ap detailed d8b1.901c.3cfd

Rogue Event history

Timestamp                  #Times Class/State Event               Ctx                      RC
-------------------------- ------ ----------- ------------------- ------------------------ ---
05/01/2020 08:37:03.55645  41616  Mal/CPend   FSM_GOTO            ContPending(NotContYet)  0x0
05/01/2020 08:37:03.55427  28163  Mal/CPend   EXPIRE_TIMER_START  1200s                    0x0
05/01/2020 08:37:03.55380  28163  Mal/CPend   RECV_REPORT         38ed.18cf.83e0/1         0x0
05/01/2020 08:36:54.659136 7356   Mal/CPend   NO_OP_UPDATE                                 0x0
05/01/2020 08:36:33.347132 3185   Mal/CPend   CHANNEL_CHANGE      e4aa.5d44.fec0/2,36->40  0x0
05/01/2020 08:25:19.573720 247    Mal/CPend   LRAD_EXPIRE         7c21.0e41.0700/0         0x0
04/30/2020 07:55:37.977450 2      Mal/CPend   PMF_CONTAINMENT     ContPending(PMFDetected) 0x0
04/30/2020 07:55:37.977242 1      Unc/Alert   INIT_TIMER_DONE     0xab9800439e00024f       0x0
04/30/2020 07:52:33.600332 1      Unk/Init    INIT_TIMER_START    180s                     0x0
04/30/2020 07:52:33.600326 1      Unk/Init    CREATE                                       0x0
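An added Python parser for the Rogue Event history table above (not Cisco code and not from this guide). It turns the rows into records and answers the questions this section and the PMF Contained Pending section raise: whether the controller marked the rogue Contained Pending because PMF was detected, which class/state path the entry took from creation, and which managed AP reported it. The sample text is the guide's own output reproduced as a string; the record layout, the assumption that every row starts with a MM/DD/YYYY date, and the function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List

# Event history rows from the guide's 'show wireless wps rogue ap detailed' output.
SAMPLE_EVENT_HISTORY = """\
Timestamp                  #Times Class/State Event               Ctx                      RC
-------------------------- ------ ----------- ------------------- ------------------------ ---
05/01/2020 08:37:03.55645  41616  Mal/CPend   FSM_GOTO            ContPending(NotContYet)  0x0
05/01/2020 08:37:03.55427  28163  Mal/CPend   EXPIRE_TIMER_START  1200s                    0x0
05/01/2020 08:37:03.55380  28163  Mal/CPend   RECV_REPORT         38ed.18cf.83e0/1         0x0
05/01/2020 08:36:54.659136 7356   Mal/CPend   NO_OP_UPDATE                                 0x0
05/01/2020 08:36:33.347132 3185   Mal/CPend   CHANNEL_CHANGE      e4aa.5d44.fec0/2,36->40  0x0
05/01/2020 08:25:19.573720 247    Mal/CPend   LRAD_EXPIRE         7c21.0e41.0700/0         0x0
04/30/2020 07:55:37.977450 2      Mal/CPend   PMF_CONTAINMENT     ContPending(PMFDetected) 0x0
04/30/2020 07:55:37.977242 1      Unc/Alert   INIT_TIMER_DONE     0xab9800439e00024f       0x0
04/30/2020 07:52:33.600332 1      Unk/Init    INIT_TIMER_START    180s                     0x0
04/30/2020 07:52:33.600326 1      Unk/Init    CREATE                                       0x0
"""

DATE_RE = re.compile(r"\d{2}/\d{2}/\d{4}$")


@dataclass
class RogueEvent:
    timestamp: str
    times: int
    classification: str  # Unk / Unc / Mal as printed before the slash
    state: str           # Init / Alert / CPend as printed after the slash
    event: str
    ctx: str             # empty when the row has no context column
    rc: str


def parse_event_history(text: str) -> List[RogueEvent]:
    """Parse the event rows (newest first, as the controller prints them)."""
    events = []
    for line in text.splitlines():
        tokens = line.split()
        # Data rows begin with a date; the header and separator lines do not.
        if len(tokens) < 6 or not DATE_RE.match(tokens[0]):
            continue
        cls, _, state = tokens[3].partition("/")
        events.append(RogueEvent(
            timestamp=f"{tokens[0]} {tokens[1]}",
            times=int(tokens[2]),
            classification=cls,
            state=state,
            event=tokens[4],
            ctx=" ".join(tokens[5:-1]),  # everything between the event and the RC column
            rc=tokens[-1],
        ))
    return events


def pmf_contained_pending(events: List[RogueEvent]) -> bool:
    """True when containment was skipped because the rogue advertises 802.11w PMF."""
    return any(e.event == "PMF_CONTAINMENT" and "PMFDetected" in e.ctx for e in events)


def state_transitions(events: List[RogueEvent]) -> List[str]:
    """Distinct Class/State values the rogue moved through, oldest first."""
    path = []
    for e in reversed(events):
        label = f"{e.classification}/{e.state}"
        if not path or path[-1] != label:
            path.append(label)
    return path


def reporting_aps(events: List[RogueEvent]) -> List[str]:
    """Managed AP MACs that reported the rogue, taken from RECV_REPORT contexts ('mac/slot')."""
    return sorted({e.ctx.split("/")[0] for e in events if e.event == "RECV_REPORT"})
```

On the guide's sample the rogue was created Unknown/Init, moved to Unclassified/Alert when the 180-second init timer expired, and became Malicious/Contained Pending through the PMF_CONTAINMENT event rather than an actual containment, which is the behaviour the PMF section describes.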

To verify the impersonations detected due to authentication errors, use the following command:

Device# show wireless wps rogue ap detailed

Rogue BSSID                   : 0062.ecf3.8d30
Last heard Rogue SSID         : rogueA
802.11w PMF required          : No
Is Rogue an impersonator      : Yes
Is Rogue on Wired Network     : No
Classification                : Malicious
Manually Contained            : No
State                         : Threat
First Time Rogue was Reported : 01/07/2020 15:51:01
Last Time Rogue was Reported  : 01/08/2020 08:08:35
Number of clients             : 0

Reported By
AP Name                       : AP38ED.18CE.45E0
MAC Address                   : 38ed.18cf.83e0
Detecting slot ID             : 0
Radio Type                    : dot11g, dot11n - 2.4 GHz
SSID                          : rogueA
Channel                       : 6 (From DS)
Channel Width                 : 20 MHz
RSSI                          : -33 dBm
SNR                           : 52 dB
ShortPreamble                 : Disabled
Security Policy               : WPA2/WPA/FT
Last reported by this AP      : 01/08/2020 08:02:53
Authentication Failure Count  : 237

Verifying Rogue Detection
The following commands can be used to verify rogue detection on the device.

Table 41: Verifying Adhoc Rogues Information

Command                                              Purpose
show wireless wps rogue adhoc detailed mac_address   Displays the detailed information for an adhoc rogue.
show wireless wps rogue adhoc summary                Displays a list of all adhoc rogues.

Table 42: Verifying Rogue AP Information

Command                                              Purpose
show wireless wps rogue ap clients mac_address       Displays the list of all rogue clients associated with a rogue.
show wireless wps rogue ap custom summary            Displays the custom rogue AP information.
show wireless wps rogue ap detailed mac_address      Displays the detailed information for a rogue AP.
show wireless wps rogue ap friendly summary          Displays the friendly rogue AP information.
show wireless wps rogue ap list mac_address          Displays the list of rogue APs detected by a given AP.
show wireless wps rogue ap malicious summary         Displays the malicious rogue AP information.
show wireless wps rogue ap summary                   Displays a list of all rogue APs.
show wireless wps rogue ap unclassified summary      Displays the unclassified rogue AP information.

Table 43: Verifying Rogue Auto-Containment Information

Command                                              Purpose
show wireless wps rogue auto-contain                 Displays the rogue auto-containment information.

Table 44: Verifying Classification Rule Information

Command                                              Purpose
show wireless wps rogue rule detailed rule_name      Displays the detailed information for a classification rule.
show wireless wps rogue rule summary                 Displays the list of all rogue rules.

Table 45: Verifying Rogue Statistics

Command                                              Purpose
show wireless wps rogue stats                        Displays the rogue statistics.

Table 46: Verifying Rogue Client Information

Command                                              Purpose
show wireless wps rogue client detailed mac_address  Displays detailed information for a rogue client.
show wireless wps rogue client summary               Displays a list of all the rogue clients.

Table 47: Verifying Rogue Ignore List

Command                                              Purpose
show wireless wps rogue ignore-list                  Displays the rogue ignore list.

Examples: Rogue Detection Configuration
This example shows how to configure the minimum RSSI that a detected rogue AP needs to be at, to have an entry created in the device:

Device# configure terminal
Device(config)# ap profile profile1
Device(config)# rogue detection min-rssi -100
Device(config)# end
Device# show wireless wps rogue client summary
Device# show wireless wps rogue ap summary

This example shows how to configure the classification interval:

Device# configure terminal
Device(config)# ap profile profile1
Device(config)# rogue detection min-transient-time 500
Device(config)# end
Device# show wireless wps rogue client summary
Device# show wireless wps rogue ap summary

Configuring Rogue Policies (GUI)
Procedure

Step 1  Choose Configuration > Security > Wireless Protection Policies.
Step 2  In the Rogue Policies tab, use the Rogue Detection Security Level drop-down to select the security level.
Step 3  In the Expiration timeout for Rogue APs (seconds) field, enter the timeout value.
Step 4  Select the Validate Rogue Clients against AAA check box to validate rogue clients against the AAA server.
Step 5  Select the Validate Rogue APs against AAA check box to validate rogue access points against the AAA server.
Step 6  In the Rogue Polling Interval (seconds) field, enter the interval to poll the AAA server for rogue information.
Step 7  Select the Detect and Report Adhoc Networks check box to enable detection of rogue adhoc networks.
Step 8  In the Rogue Detection Client Number Threshold field, enter the threshold to generate an SNMP trap.
Step 9  In the Auto Contain section, enter the following details.
Step 10 Use the Auto Containment Level drop-down to select the level.
Step 11 Select the Auto Containment only for Monitor Mode APs check box to limit auto-containment to monitor mode APs.
Step 12 Select the Rogue on Wire check box to limit auto-containment to rogue APs on wire.
Step 13 Select the Using our SSID check box to limit auto-containment to rogue APs using one of the SSIDs configured on the controller.
Step 14 Select the Adhoc Rogue AP check box to limit auto-containment to adhoc rogue APs.
Step 15 Click Apply.

Configuring Rogue Policies (CLI)

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wireless wps rogue security-level {critical | custom | high | low}
Example:
Device(config)# wireless wps rogue security-level custom
Purpose: Configures the rogue detection security level. Select critical for highly sensitive deployments, custom for a customizable security level, high for medium-scale deployments, and low for small-scale deployments.

Step 3
Command or Action: wireless wps rogue ap timeout number of seconds
Example:
Device(config)# wireless wps rogue ap timeout 250
Purpose: Configures the expiration time for rogue entries, in seconds. The valid range is 240 seconds to 3600 seconds.

Step 4
Command or Action: wireless wps rogue client aaa
Example:
Device(config)# wireless wps rogue client aaa
Purpose: Configures the use of AAA or the local database to detect valid MAC addresses.

Step 5
Command or Action: wireless wps rogue client mse
Example:
Device(config)# wireless wps rogue client mse
Purpose: Configures the use of MSE to detect valid MAC addresses.

Step 6
Command or Action: wireless wps rogue client notify-min-rssi RSSI threshold
Example:
Device(config)# wireless wps rogue client notify-min-rssi -128
Purpose: Configures the minimum RSSI notification threshold for rogue clients. The valid range for the RSSI threshold is -128 dB to -70 dB.

Step 7
Command or Action: wireless wps rogue client notify-min-deviation RSSI threshold
Example:
Device(config)# wireless wps rogue client notify-min-deviation 4
Purpose: Configures the RSSI deviation notification threshold for rogue clients. The valid range for the RSSI threshold is 0 dB to 10 dB.

Step 8
Command or Action: wireless wps rogue ap aaa polling-interval AP AAA Interval
Example:
Device(config)# wireless wps rogue ap aaa polling-interval 120
Purpose: Configures the rogue AP AAA validation interval. The valid range for the AP AAA interval is 60 seconds to 86400 seconds.

Step 9
Command or Action: wireless wps rogue adhoc
Example:
Device(config)# wireless wps rogue adhoc
Purpose: Enables detecting and reporting of adhoc rogues (IBSS).

Step 10
Command or Action: wireless wps rogue client client-threshold threshold
Example:
Device(config)# wireless wps rogue client client-threshold 100
Purpose: Configures the per-rogue-AP rogue client SNMP trap threshold. The valid range for the threshold is 0 to 256.

Step 11
Command or Action: wireless wps rogue ap init-timer
Example:
Device(config)# wireless wps rogue ap init-timer 180
Purpose: Configures the init timer for rogue APs. The default timer value is 180 seconds.

Note: When a rogue AP is detected, an init timer is started and the rules are applied when this timer expires. This allows the rogue AP information to stabilize before any rules are applied. You can change the value of this timer using this command. For instance, the init timer can be set to 0 if the rules need to be applied as soon as a new rogue AP is detected.

Rogue Detection Security Level
The rogue detection security level configuration allows you to set rogue detection parameters. The available security levels are:
· Critical: Basic rogue detection for highly sensitive deployments.
· High: Basic rogue detection for medium-scale deployments.
· Low: Basic rogue detection for small-scale deployments.
· Custom: Default security level, where all detection parameters are configurable.

Note When in Critical, High or Low, some rogue parameters are fixed and cannot be configured.

The following table shows parameter details for the three predefined levels:

Table 48: Rogue Detection: Predefined Levels

Parameter                                       Critical      High          Low
Cleanup Timer                                   3600          1200          240
AAA Validate Clients                            Disabled      Disabled      Disabled
Adhoc Reporting                                 Enabled       Enabled       Enabled
Monitor-Mode Report Interval                    10 seconds    30 seconds    60 seconds
Minimum RSSI                                    -128 dBm      -80 dBm       -80 dBm
Transient Interval                              600 seconds   300 seconds   120 seconds
Auto Contain (works only on Monitor Mode APs)   Disabled      Disabled      Disabled
Auto Contain Level                              1             1             1
Auto Contain Same-SSID                          Disabled      Disabled      Disabled
Auto Contain Valid Clients on Rogue AP          Disabled      Disabled      Disabled
Auto Contain Adhoc                              Disabled      Disabled      Disabled
Containment Auto-Rate                           Enabled       Enabled       Enabled
Validate Clients with CMX                       Enabled       Enabled       Enabled
Containment FlexConnect                         Enabled       Enabled       Enabled
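An added Python helper (not Cisco code and not part of this guide) that encodes Table 48 and the value ranges given in the Configuring Rogue Detection (CLI), Configuring Rogue Policies (CLI) and Management Frame Protection (CLI) procedures. It returns the parameters in force for a predefined level, validates a custom-level parameter set against the CLI ranges before you type it in, flags parameters that a predefined level fixes, and renders valid custom values as the corresponding CLI lines. The parameter key names, the rendering of profile-level commands without their enclosing ap profile line, and the function names are this example's own assumptions.

```python
from typing import Dict, List, Optional

# Predefined levels transcribed from Table 48 (seconds, dBm; True = Enabled).
_COMMON = {"aaa_validate_clients": False, "adhoc_reporting": True, "auto_contain": False,
           "auto_contain_level": 1, "auto_contain_same_ssid": False,
           "auto_contain_valid_clients": False, "auto_contain_adhoc": False,
           "containment_auto_rate": True, "validate_clients_cmx": True,
           "containment_flexconnect": True}
PREDEFINED_LEVELS: Dict[str, dict] = {
    "critical": {**_COMMON, "cleanup_timer": 3600, "monitor_mode_report_interval": 10,
                 "min_rssi": -128, "transient_interval": 600},
    "high": {**_COMMON, "cleanup_timer": 1200, "monitor_mode_report_interval": 30,
             "min_rssi": -80, "transient_interval": 300},
    "low": {**_COMMON, "cleanup_timer": 240, "monitor_mode_report_interval": 60,
            "min_rssi": -80, "transient_interval": 120},
}

# (low, high, CLI template) for values set at the custom level, as stated in this chapter.
CUSTOM_RANGES: Dict[str, tuple] = {
    "cleanup_timer": (240, 3600, "wireless wps rogue ap timeout {}"),
    "monitor_mode_report_interval": (10, 300, "rogue detection report-interval {}"),
    "min_rssi": (-128, -70, "rogue detection min-rssi {}"),
    "client_notify_min_rssi": (-128, -70, "wireless wps rogue client notify-min-rssi {}"),
    "client_notify_min_deviation": (0, 10, "wireless wps rogue client notify-min-deviation {}"),
    "aaa_polling_interval": (60, 86400, "wireless wps rogue ap aaa polling-interval {}"),
    "client_threshold": (0, 256, "wireless wps rogue client client-threshold {}"),
    "mfp_key_refresh_interval": (1, 24, "wireless wps mfp key-refresh-interval {}"),
}


def out_of_range(custom: dict) -> List[str]:
    """Names of custom-level values that fall outside the range the CLI accepts."""
    bad = []
    for key, value in custom.items():
        if key in CUSTOM_RANGES:
            lo, hi, _ = CUSTOM_RANGES[key]
            if not lo <= value <= hi:
                bad.append(key)
    return sorted(bad)


def effective_parameters(level: str, custom: Optional[dict] = None) -> dict:
    """Parameters in force for a level: Table 48 values for critical/high/low, or the
    supplied custom values after range checking."""
    level = level.lower()
    if level in PREDEFINED_LEVELS:
        return dict(PREDEFINED_LEVELS[level])
    if level != "custom":
        raise ValueError(f"unknown rogue security level {level!r}")
    custom = dict(custom or {})
    bad = out_of_range(custom)
    if bad:
        raise ValueError("values out of range: " + ", ".join(bad))
    return custom


def fixed_parameters_changed(level: str, requested: dict) -> List[str]:
    """Parameters that a predefined level fixes and that the request sets differently.
    The guide notes these cannot be configured in Critical, High or Low."""
    fixed =PREDEFINED_LEVELS.get(level.lower(), {})
    return sorted(k for k, v in requested.items() if k in fixed and fixed[k] != v)


def custom_cli_lines(custom: dict) -> List[str]:
    """Render valid custom values as the CLI lines from this chapter. The rogue detection
    commands belong under 'ap profile <name>', which is left for the caller to add."""
    lines = ["wireless wps rogue security-level custom"]
    for key in sorted(custom):
        if key in CUSTOM_RANGES:
            lines.append(CUSTOM_RANGES[key][2].format(custom[key]))
    return lines
```

Running out_of_range over a planned configuration before a change window catches the values the parser would reject (a client threshold of 300, or a minimum RSSI of -60 dBm) without touching the controller.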

Setting Rogue Detection Security-level
Follow the procedure given below to set the rogue detection security-level:

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wireless wps rogue security-level custom
Example:
Device(config)# wireless wps rogue security-level custom
Purpose: Configures the rogue detection security level as custom.

Step 3
Command or Action: wireless wps rogue security-level low
Example:
Device(config)# wireless wps rogue security-level low
Purpose: Configures the rogue detection security level for basic rogue detection in small-scale deployments.

Step 4
Command or Action: wireless wps rogue security-level high
Example:
Device(config)# wireless wps rogue security-level high
Purpose: Configures the rogue detection security level for rogue detection in medium-scale deployments.

Step 5
Command or Action: wireless wps rogue security-level critical
Example:
Device(config)# wireless wps rogue security-level critical
Purpose: Configures the rogue detection security level for rogue detection in highly sensitive deployments.

Wireless Service Assurance Rogue Events
Wireless Service Assurance (WSA) rogue events, supported in Release 16.12.x and later releases, consist of telemetry notifications for a subset of SNMP traps. WSA rogue events replicate the same information that is part of the corresponding SNMP trap. For all the exported events, the following details are provided to the wireless service assurance (WSA) infrastructure:
· MAC address of the rogue AP
· Details of the managed AP and the radio that detected the rogue AP with strongest RSSI
· Event-specific data such as SSID, channel for potential honeypot event, and MAC address of the impersonating AP for impersonation event
The WSA rogue events feature can scale up to four times the maximum number of supported APs and half of the maximum number of supported clients. The WSA rogue events feature is supported on Cisco DNA Center and other third-party infrastructure.

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: network-assurance enable
Example:
Device(config)# network-assurance enable
Purpose: Enables wireless service assurance.

Step 3
Command or Action: wireless wps rogue network-assurance enable
Example:
Device(config)# wireless wps rogue network-assurance enable
Purpose: Enables wireless service assurance for rogue devices. This ensures that the WSA rogue events are sent to the event queue.

Monitoring Wireless Service Assurance Rogue Events

Procedure
· show wireless wps rogue stats


Example:
Device# show wireless wps rogue stats
WSA Events
  Total WSA Events Triggered            : 9
    ROGUE_POTENTIAL_HONEYPOT_DETECTED   : 2
    ROGUE_POTENTIAL_HONEYPOT_CLEARED    : 3
    ROGUE_AP_IMPERSONATION_DETECTED     : 4
  Total WSA Events Enqueued             : 6
    ROGUE_POTENTIAL_HONEYPOT_DETECTED   : 1
    ROGUE_POTENTIAL_HONEYPOT_CLEARED    : 2
    ROGUE_AP_IMPERSONATION_DETECTED     : 3

In this example, nine events have been triggered, but only six of them have been enqueued. This is because three events were triggered before the WSA rogue feature was enabled.

· show wireless wps rogue stats internal
· show wireless wps rogue ap detailed rogue-ap-mac-addr
These commands show information related to WSA events in the event history.
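The triggered-versus-enqueued gap explained above is easy to miss in a long show output, so here is an added example (not Cisco's code) that parses the page's sample output of show wireless wps rogue stats and reports, per event type, how many triggered events never reached the queue. The sample text is the page's output re-laid-out as a constructed string; the function names are my own.

```python
"""Added example (not Cisco's code): parse 'show wireless wps rogue stats' output
and report, per WSA event type, how many triggered events were never enqueued."""
import re

# The page's sample output, embedded as a constructed string.
SAMPLE_OUTPUT = """\
WSA Events
  Total WSA Events Triggered            : 9
    ROGUE_POTENTIAL_HONEYPOT_DETECTED   : 2
    ROGUE_POTENTIAL_HONEYPOT_CLEARED    : 3
    ROGUE_AP_IMPERSONATION_DETECTED     : 4
  Total WSA Events Enqueued             : 6
    ROGUE_POTENTIAL_HONEYPOT_DETECTED   : 1
    ROGUE_POTENTIAL_HONEYPOT_CLEARED    : 2
    ROGUE_AP_IMPERSONATION_DETECTED     : 3
"""

# "<name>   : <count>" lines; the "WSA Events" banner has no colon and is skipped.
LINE_RE = re.compile(r"^\s*(?P<name>[A-Za-z_ ]+?)\s*:\s*(?P<count>\d+)\s*$")


def parse_wsa_stats(text):
    """Return {'triggered': {...}, 'enqueued': {...}}, each keyed by event name
    plus a 'total' entry taken from the 'Total WSA Events ...' line."""
    stats, section = {"triggered": {}, "enqueued": {}}, None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        name, count = m.group("name").strip(), int(m.group("count"))
        if name == "Total WSA Events Triggered":
            section = "triggered"
            stats[section]["total"] = count
        elif name == "Total WSA Events Enqueued":
            section = "enqueued"
            stats[section]["total"] = count
        elif section is not None:
            stats[section][name] = count
    return stats


def dropped_events(stats):
    """Events triggered but not enqueued, per type. A gap that keeps growing after
    the feature has been enabled means events are being lost, not just the
    start-up difference the page describes."""
    gaps = {}
    for name, triggered in stats["triggered"].items():
        gap = triggered - stats["enqueued"].get(name, 0)
        if gap:
            gaps[name] = gap
    return gaps


if __name__ == "__main__":
    print(dropped_events(parse_wsa_stats(SAMPLE_OUTPUT)))
```

Run it against two successive captures of the command; only a change in the gap between captures indicates events lost while the feature was already enabled.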


CHAPTER 106
Classifying Rogue Access Points
· Information About Classifying Rogue Access Points, on page 979
· Guidelines and Restrictions for Classifying Rogue Access Points, on page 981
· How to Classify Rogue Access Points, on page 981
· Monitoring Rogue Classification Rules, on page 987
· Examples: Classifying Rogue Access Points, on page 987
Information About Classifying Rogue Access Points
The controller software enables you to create rules that can organize and display rogue access points as Friendly, Malicious, Custom, or Unclassified. By default, none of the classification rules are used. You need to enable them. Therefore, all unknown access points are categorized as Unclassified. When you create or change a rule, configure conditions, and enable it, all rogue access points are then reclassified. Whenever you change a rule, it is applied to all the access points (friendly, malicious, and unclassified).

Note
· Rule-based rogue classification does not apply to ad hoc rogues and rogue clients.
· You can configure up to 64 rogue classification rules per controller.

When the controller receives a rogue report from one of its managed access points, it responds as follows:
· If the unknown access point is in the friendly MAC address list, the controller classifies the access point as Friendly.
· If the unknown access point is not in the friendly MAC address list, the controller starts applying the rogue classification rules to the access point.
· If the rogue access point is manually classified, rogue rules are not applied to it.
· If the rogue access point matches the configured rules criteria, the controller classifies the rogue based on the classification type configured for that rule.
· If the rogue access point does not match any of the configured rules, the rogue remains unclassified. The controller repeats the previous steps for all the rogue access points.


· If the rogue access point is detected on the same wired network, the controller marks the rogue state as Threat and classifies it as Malicious automatically, even if there are no configured rules. You can then manually contain the rogue to change the rogue state to Contained. If the rogue access point is not available on the network, the controller marks the rogue state as Alert. You can then manually contain the rogue.
· If desired, you can manually move the access point to a different classification type and rogue state.
· Before performing any classification, the rogue access points are temporarily marked as Pending.

Table 49: Classification Mapping

Rule-Based Classification Type: Custom
Rogue State:
· Alert--No action is taken other than notifying the management station. The management station manages the controller and wired networks.
· Contained--The unknown access point is contained. If none of the managed access points are available for containment, the rogue is in Contained Pending state.

Rule-Based Classification Type: Delete
Rogue State: Deletes the rogue access point.

Rule-Based Classification Type: Friendly
Rogue State:
· Internal--If the unknown access point poses no threat to WLAN security, you can manually configure it as Friendly, Internal. An example of this would be the access points in your lab network.
· External--If the unknown access point is outside the network and poses no threat to WLAN security, you can manually configure it as Friendly, External. An example of this would be the access point in your neighboring coffee shop.
· Alert--No action is taken other than notifying the management station. The management station manages the controller and wired networks.

Rule-Based Classification Type: Malicious
Rogue State:
· Alert--No action is taken other than notifying the management station. The management station manages the controller and wired networks.
· Threat--The unknown access point is found to be on the network and poses a threat to WLAN security.
· Contained--The unknown access point is contained. If none of the managed access points are available for containment, the rogue is in Contained Pending state.

Rule-Based Classification Type: Unclassified
Rogue State:
· Alert--No action is taken other than notifying the management station. The management station manages the controller and wired networks.
· Contained--The unknown access point is contained. If none of the managed access points are available for containment, the rogue is in Contained Pending state.


As mentioned earlier, the controller can automatically change the classification type and rogue state of an unknown access point based on user-defined rules. Alternatively, you can manually move the unknown access point to a different classification type and rogue state.
Guidelines and Restrictions for Classifying Rogue Access Points
· Classifying Custom type rogues is tied to rogue rules. Therefore, it is not possible to manually classify a rogue as Custom. Custom class change can occur only when rogue rules are used.
· Some SNMP traps are sent for containment by rule and every 30 minutes for rogue classification change.
· Rogue rules are applied on every incoming new rogue report in the controller in the order of their priority.
· After a rogue satisfies a rule and is classified, it does not move down the priority list for the same report.
· The rogue classification rules are re-evaluated at every report received by the managed access points. Hence, a rogue access point can move from one state to another, if a different rule matches the last report.
· If a rogue AP is classified as friendly or ignored, all rogue clients associated with it are not tracked.
· Until the controller discovers all the APs through neighbor reports from APs, the rogue APs are kept in unconfigured state for three minutes after they are detected. After 3 minutes, the rogue policy is applied on the rogue APs and the APs are moved to unclassified, friendly, malicious, or custom class. Rogue APs kept in unconfigured state means that no rogue policy has yet been applied on them.
· When a rogue BSSID is submitted for containment on a Cisco Catalyst 9800 Series Wireless Controller, the controller contains it if it has enough resources. The APs that detect the contained rogue AP start broadcasting DEAUTH packets.
Wireless clients connected to the contained rogue BSSID disconnect once they receive the DEAUTH packets. However, because a client assumes it is still in a connected state, it repeatedly tries to reconnect, and the user's browsing experience is badly affected.
Also, in a high-RF environment such as a stadium, the client does not receive all of the broadcast DEAUTH packets because of RF disturbance. In this scenario, the client may not be fully disconnected, but it is still badly affected.

How to Classify Rogue Access Points

Classifying Rogue Access Points and Clients Manually (GUI)
Procedure

Step 1 Choose Monitoring > Wireless > Rogues.
Step 2 In the Unclassified tab, select an AP to view the detail in the lower pane.
Step 3 Use the Class Type drop-down to set the status.


Step 4 Click Apply.

Classifying Rogue Access Points and Clients Manually (CLI)

Procedure

Step 1
configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
wireless wps rogue adhoc {alert mac-addr | auto-contain | contain mac-addr containment-level | internal mac-addr | external mac-addr}
Example:
Device(config)# wireless wps rogue adhoc alert 74a0.2f45.c520
Purpose: Detects and reports the ad hoc rogue. Enter one of these options after you enter the adhoc keyword:
· alert--Sets the ad hoc rogue access point to alert mode. If you choose this option, enter the MAC address for the mac-addr parameter.
· auto-contain--Sets ad hoc rogue containment to auto-contain mode.
· contain--Sets the ad hoc rogue access point to contain mode. If you choose this option, enter the MAC address for the mac-addr parameter and the containment level for the containment-level parameter. The valid range for containment-level is from 1 to 4.
· external--Sets the ad hoc rogue access point as external. If you choose this option, enter the MAC address for the mac-addr parameter.
· internal--Sets the ad hoc rogue access point as internal. If you choose this option, enter the MAC address for the mac-addr parameter.

Step 3
wireless wps rogue ap {friendly mac-addr state [external | internal] | malicious mac-addr state [alert | contain containment-level]}
Example:
Device(config)# wireless wps rogue ap malicious 74a0.2f45.c520 state contain 3
Purpose: Configures the rogue access points. Enter one of the following options after the ap keyword:
· friendly--Configures the friendly rogue access points. If you choose this option, enter the MAC address for the mac-addr parameter. After that, enter the state keyword followed by either of these options: internal or external. If you select internal, it indicates that you trust a foreign access point. If you select external, it indicates that you acknowledge the presence of a rogue access point.
· malicious--Configures the malicious rogue access points. If you choose this option, enter the MAC address for the mac-addr parameter. After that, enter the state keyword followed by either of these options: alert or contain.
  · alert--Sets the malicious rogue access point to alert mode.
  · contain--Sets the malicious rogue access point to contain mode. If you choose this option, enter the containment level for the containment-level parameter. The valid range is from 1 to 4.

Step 4
wireless wps rogue client {contain mac-addr containment-level}
Example:
Device(config)# wireless wps rogue client contain 74a0.2f45.c520 2
Purpose: Configures the rogue clients. Enter the following option after you enter the client keyword:
· contain--Contains the rogue client. After you choose this option, enter the MAC address for the mac-addr parameter and the containment level for the containment-level parameter. The valid range for containment-level is from 1 to 4.

Step 5
end
Example:
Device(config)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Configuring Rogue Classification Rules (GUI)
Procedure

Step 1 Choose Configuration > Security > Wireless Protection Policies.
Step 2 In the Wireless Protection Policies page, choose the Rogue AP Rules tab.
Step 3 On the Rogue AP Rules page, click the name of the Rule or click Add to create a new one.
Step 4 In the Add/Edit Rogue AP Rule window that is displayed, enter the name of the rule in the Rule Name field.
Step 5 Choose the rule type from the following Rule Type drop-down list options:
· Friendly
· Malicious
· Unclassified
· Custom

Configuring Rogue Classification Rules (CLI)

Procedure

Step 1
configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
wireless wps rogue rule rule-name priority priority
Example:
Device(config)# wireless wps rogue rule rule_3 priority 3
Purpose: Creates or enables a rule. While creating a rule, you must enter the priority for the rule.
Note: After creating a rule, you can edit the rule and change the priority only for the rogue rules that are disabled. You cannot change the priority for the rogue rules that are enabled. While editing, changing the priority for a rogue rule is optional.

Step 3
classify {friendly state {alert | external | internal} | malicious state {alert | contained}}
Example:
Device(config)# wireless wps rogue rule rule_3 priority 3
Device(config-rule)# classify friendly
Purpose: Specifies the classification that needs to be applied to the rogue access points matching this rule.
· friendly--Configures the friendly rogue access points. After that, enter the state keyword followed by one of these options: alert, internal, or external. If you select internal, it indicates that you trust a foreign access point. If you select external, it indicates that you acknowledge the presence of a rogue access point.
· malicious--Configures the malicious rogue access points. After that, enter the state keyword followed by either of these options: alert or contained.
  · alert--Sets the malicious rogue access point to alert mode.
  · contained--Sets the malicious rogue access point to contained mode.

Step 4
condition {client-count value | duration duration_value | encryption | infrastructure | rssi | ssid ssid_name | wildcard-ssid}
Example:
Device(config)# wireless wps rogue rule rule_3 priority 3
Device(config-rule)# condition client-count 5
Purpose: Adds the following conditions to a rule, which the rogue access point must meet:
· client-count--Requires that a minimum number of clients be associated to the rogue access point. For example, if the number of clients associated to the rogue access point is greater than or equal to the configured value, the access point could be classified as Malicious. If you choose this option, enter the minimum number of clients to be associated to the rogue access point for the value parameter. The valid range is from 1 to 10 (inclusive), and the default value is 0.
· duration--Requires that the rogue access point be detected for a minimum period of time. If you choose this option, enter a value for the minimum detection period for the duration_value parameter. The valid range is from 0 to 3600 seconds (inclusive), and the default value is 0 seconds.
· encryption--Requires that the advertised WLAN does not have encryption enabled. You can choose any for any type of encryption, off for no encryption, wpa1 for WPA encryption, wpa2 for WPA2 encryption, wpa3-owe for WPA3 OWE encryption, or wpa3-sae for WPA3 SAE encryption.
· infrastructure--Requires the SSID to be known to the controller.
· rssi--Requires the rogue access point to be detected with a minimum RSSI value. If the classification is Friendly, the condition requires the rogue access point to be detected with a maximum RSSI value. The valid range is from -95 to -50 dBm (inclusive).
· ssid--Requires the rogue access point to have a specific SSID. You can specify up to 25 different SSIDs. You should specify an SSID that is not managed by the controller. If you choose this option, enter the SSID for the ssid_name parameter. The SSID is added to the configured SSID list you just created.
· wildcard-ssid--Allows you to specify an expression that can match an SSID string. You can specify up to 25 of these SSIDs.

Step 5
match {all | any}
Example:
Device(config)# wireless wps rogue rule rule_3 priority 3
Device(config-rule)# match all
Purpose: Specifies whether a detected rogue access point must meet all or any of the conditions specified by the rule for the rule to be matched and the rogue access point to adopt the classification type of the rule.

Step 6
default
Example:
Device(config)# wireless wps rogue rule rule_3 priority 3
Device(config-rule)# default
Purpose: Sets a command to its default.

Step 7
exit
Example:
Device(config)# wireless wps rogue rule rule_3 priority 3
Device(config-rule)# exit
Device(config)#
Purpose: Exits the sub-mode.

Step 8
shutdown
Example:
Device(config)# wireless wps rogue rule rule_3 priority 3
Device(config-rule)# shutdown
Purpose: Disables a particular rogue rule. In this example, the rule rule_3 is disabled.

Step 9
end
Example:
Device(config)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Step 10
configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 11
wireless wps rogue rule shutdown
Example:
Device(config)# wireless wps rogue rule shutdown
Purpose: Disables all the rogue rules.

Step 12
end
Example:
Device(config)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Monitoring Rogue Classification Rules

You can monitor the rogue classification rules using the following commands:
Table 50: Commands for Monitoring Rogue Classification Rules
· show wireless wps rogue rule detailed--Displays detailed information of a classification rule.
· show wireless wps rogue rule summary--Displays a summary of the classification rules.

Examples: Classifying Rogue Access Points
This example shows how to classify a rogue AP with MAC address 00:11:22:33:44:55 as malicious and mark it for containment by 2 managed APs:
Device# configure terminal
Device(config)# wireless wps rogue ap malicious 0011.2233.4455 state contain 2
This example shows how to create a rule that classifies a rogue AP that is using the SSID my-friendly-ssid and has been seen for at least 1000 seconds as friendly internal:
Device# configure terminal
Device(config)# wireless wps rogue rule ap1 priority 1
Device(config-rule)# condition ssid my-friendly-ssid
Device(config-rule)# condition duration 1000
Device(config-rule)# match all
Device(config-rule)# classify friendly state internal
This example shows how to apply a condition that a rogue access point must meet:
Device# configure terminal
Device(config)# wireless wps rogue rule ap1 priority 1
Device(config-rule)# condition client-count 5
Device(config-rule)# condition duration 1000
Device(config-rule)# end


CHAPTER 107
Configuring Secure Shell
· Information About Configuring Secure Shell, on page 989
· Prerequisites for Configuring Secure Shell, on page 991
· Restrictions for Configuring Secure Shell, on page 992
· How to Configure SSH, on page 992
· Monitoring the SSH Configuration and Status, on page 995
Information About Configuring Secure Shell
Secure Shell (SSH) is a protocol that provides a secure, remote connection to a device. SSH provides more security for remote connections than Telnet does by providing strong encryption when a device is authenticated. This software release supports SSH Version 1 (SSHv1) and SSH Version 2 (SSHv2).
SSH and Device Access
Secure Shell (SSH) is a protocol that provides a secure, remote connection to a device. SSH provides more security for remote connections than Telnet does by providing strong encryption when a device is authenticated. This software release supports SSH Version 1 (SSHv1) and SSH Version 2 (SSHv2). SSH functions the same in IPv6 as in IPv4. For IPv6, SSH supports IPv6 addresses and enables secure, encrypted connections with remote IPv6 nodes over an IPv6 transport.
SSH Servers, Integrated Clients, and Supported Versions
The Secure Shell (SSH) Integrated Client feature is an application that runs over the SSH protocol to provide device authentication and encryption. The SSH client enables a Cisco device to make a secure, encrypted connection to another Cisco device or to any other device running the SSH server. This connection provides functionality similar to that of an outbound Telnet connection except that the connection is encrypted. With authentication and encryption, the SSH client allows for secure communication over an unsecured network. The SSH server and SSH integrated client are applications that run on the switch. The SSH server works with the SSH client supported in this release and with non-Cisco SSH clients. The SSH client works with publicly and commercially available SSH servers. The SSH client supports the ciphers of Data Encryption Standard (DES), 3DES, and password authentication. The switch supports an SSHv1 or an SSHv2 server. The switch supports an SSHv1 client.

Note The SSH client functionality is available only when the SSH server is enabled.
User authentication is performed like that in the Telnet session to the device. SSH also supports the following user authentication methods:
· TACACS+
· RADIUS
· Local authentication and authorization
SSH Configuration Guidelines
Follow these guidelines when configuring the switch as an SSH server or SSH client:
· An RSA key pair generated by an SSHv1 server can be used by an SSHv2 server, and the reverse.
· If the SSH server is running on an active switch and the active switch fails, the new active switch uses the RSA key pair generated by the previous active switch.
· If you get CLI error messages after entering the crypto key generate rsa global configuration command, an RSA key pair has not been generated. Reconfigure the hostname and domain, and then enter the crypto key generate rsa command.
· When generating the RSA key pair, the message No host name specified might appear. If it does, you must configure a hostname by using the hostname global configuration command.
· When generating the RSA key pair, the message No domain specified might appear. If it does, you must configure an IP domain name by using the ip domain-name global configuration command.
· When configuring the local authentication and authorization authentication method, make sure that AAA is disabled on the console.
Secure Copy Protocol Overview
The Secure Copy Protocol (SCP) feature provides a secure and authenticated method for copying switch configurations or switch image files. SCP relies on Secure Shell (SSH), an application and a protocol that provides a secure replacement for the Berkeley r-tools. For SSH to work, the switch needs an RSA public/private key pair. This is the same with SCP, which relies on SSH for its secure transport. Because SSH also relies on AAA authentication, and SCP relies further on AAA authorization, correct configuration is necessary.
· Before enabling SCP, you must correctly configure SSH, authentication, and authorization on the switch.
· Because SCP relies on SSH for its secure transport, the router must have a Rivest, Shamir, and Adleman (RSA) key pair.


Note When using SCP, you cannot enter the password into the copy command. You must enter the password when prompted.
Secure Copy Protocol
The Secure Copy Protocol (SCP) feature provides a secure and authenticated method for copying device configurations or switch image files. The behavior of SCP is similar to that of remote copy (rcp), which comes from the Berkeley r-tools suite, except that SCP relies on SSH for security. SCP also requires that authentication, authorization, and accounting (AAA) authorization be configured so the device can determine whether the user has the correct privilege level. To configure the Secure Copy feature, you should understand the SCP concepts.
SFTP Support
SFTP client support is introduced from the Cisco IOS XE Gibraltar 16.10.1 release onwards. The SFTP client is enabled by default, and no separate configuration is required. SFTP procedures can be invoked using the copy command, similar to the scp and tftp commands. A typical file download using sftp can be carried out as shown below:
copy sftp://user:password@server-ip/file-name flash0://file-name
For more details on the copy command, see the following URL: https://www.cisco.com/c/m/en_us/techdoc/dc/reference/cli/nxos/commands/fund/copy.html
Prerequisites for Configuring Secure Shell
The following are the prerequisites for configuring the switch for secure shell (SSH):
· For SSH to work, the switch needs a Rivest, Shamir, and Adleman (RSA) public/private key pair. This is the same with Secure Copy Protocol (SCP), which relies on SSH for its secure transport.
· Before enabling SCP, you must correctly configure SSH, authentication, and authorization on the switch.
· Because SCP relies on SSH for its secure transport, the router must have an RSA key pair.
· SCP relies on SSH for security.
· SCP requires that authentication, authorization, and accounting (AAA) authorization be configured so the router can determine whether the user has the correct privilege level.
· A user must have appropriate authorization to use SCP.
· A user who has appropriate authorization can use SCP to copy any file in the Cisco IOS File System (IFS) to and from a switch by using the copy command. An authorized administrator can also do this from a workstation.
· The Secure Shell (SSH) server requires an IPsec (Data Encryption Standard [DES] or 3DES) encryption software image; the SSH client requires an IPsec (DES or 3DES) encryption software image.

· Configure a hostname and host domain for your device by using the hostname and ip domain-name commands in global configuration mode.

Note
While upgrading from 16.11 to a later version, if you encounter a host key change by the SSH client, you need to know the following:
· Wave 2 APs now support a third key type, ED25519, along with the RSA and ECDSA keys.
· The RSA and ECDSA keys are used for normal operations.
· The ED25519 key is used for FIPS mode.
Restrictions for Configuring Secure Shell
The following are restrictions for configuring the device for secure shell:
· The switch supports Rivest, Shamir, and Adleman (RSA) authentication.
· SSH supports only the execution-shell application.
· The SSH server and the SSH client are supported only on Data Encryption Standard (DES) (56-bit) and 3DES (168-bit) data encryption software. In DES software images, DES is the only encryption algorithm available. In 3DES software images, both DES and 3DES encryption algorithms are available.
· The device supports the Advanced Encryption Standard (AES) encryption algorithm with a 128-bit key, 192-bit key, or 256-bit key. However, using the symmetric cipher AES to encrypt the keys is not supported.
· When using SCP, you cannot enter the password into the copy command. You must enter the password when prompted.
· The login banner is not supported in Secure Shell Version 1. It is supported in Secure Shell Version 2.
· The -l keyword and the userid:{number} {ip-address} delimiter and arguments are mandatory when configuring the alternative method of Reverse SSH for console access.
· To authenticate clients with freeradius over RADSEC, you should generate an RSA key longer than 1024 bits. Use the crypto key generate rsa general-keys exportable label label-name command to achieve this.
How to Configure SSH
Setting Up the Device to Run SSH
Follow the procedure given below to set up your device to run SSH:
Before you begin
Configure user authentication for local or remote access.


Procedure

Step 1
configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
hostname hostname
Example:
Device(config)# hostname your_hostname
Purpose: Configures a hostname and IP domain name for your device.
Note: Follow this procedure only if you are configuring the device as an SSH server.

Step 3
ip domain name domain_name
Example:
Device(config)# ip domain name your_domain
Purpose: Configures a host domain for your device.

Step 4
crypto key generate rsa
Example:
Device(config)# crypto key generate rsa
Purpose: Enables the SSH server for local and remote authentication on the device and generates an RSA key pair. Generating an RSA key pair for the device automatically enables SSH.
We recommend a minimum modulus size of 1024 bits.
When you generate RSA keys, you are prompted to enter a modulus length. A longer modulus length might be more secure, but it takes longer to generate and to use.
Note: Follow this procedure only if you are configuring the device as an SSH server.

Step 5
end
Example:
Device(config)# end
Purpose: Exits configuration mode.

Configuring the SSH Server
Follow the procedure given below to configure the SSH server:

Note This procedure is only required if you are configuring the device as an SSH server.


Procedure

Step 1

Command or Action configure terminal Example:
Device# configure terminal

Step 2

ip ssh version [2] Example:

Device(config)# ip ssh version 2

Step 3

ip ssh window-size Example: Device(config)# ip ssh window-size

Purpose Enters global configuration mode.
(Optional) Configures the device to run SSH Version 2. If you do not enter this command or do not specify a keyword, the SSH server selects the latest SSH version supported by the SSH client.
Specifies the SSH window size. The recommended window size is 32K or lesser that that. The default window size is 8912. Selecting window-size greater than 32K might have some impact on the CPU, until unless:
· The network bandwidth is good. · Client can accommodate this size. · No latency in network.

Note

This CLI is recommended only

for SCP operations and can be

disabled once the copy is done.

Step 4

ip ssh {timeout seconds | authentication-retries number} Example:
Device(config)# ip ssh timeout 90 authentication-retries 2

Configures the SSH control parameters:
· Specify the time-out value in seconds; the default is 120 seconds. The range is 0 to 120 seconds. This parameter applies to the SSH negotiation phase. After the connection is established, the device uses the default time-out values of the CLI-based sessions.
By default, up to five simultaneous, encrypted SSH connections for multiple CLI-based sessions over the network are available (session 0 to session 4). After the execution shell starts, the CLI-based session time-out value returns to the default of 10 minutes.
· Specify the number of times that a client can re-authenticate to the server. The default is 3; the range is 0 to 5.

Cisco Catalyst 9800 Series Wireless Controller Software Configuration Guide, Cisco IOS XE Bengaluru 17.5.x 994

Security

Monitoring the SSH Configuration and Status

Step 5

Command or Action

Purpose
Repeat this step when configuring both parameters.

Use one or both of the following:
· line vty line_number [ ending_line_number]
· transport input ssh
Example:
Device(config)# line vty 1 10

(Optional) Configures the virtual terminal line settings.
· Enters line configuration mode to configure the virtual terminal line settings. For line_number and ending_line_number, specify a pair of lines. The range is 0 to 15.

or
Device(config-line)# transport input ssh

· Specifies that the device prevent non-SSH Telnet connections. This limits the router to only SSH connections.

Step 6

end Example:
Device(config-line)# end

Returns to privileged EXEC mode.
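The settings the procedure above configures can be checked offline against a saved running configuration. The following is an added example, not code from the Cisco guide: it parses a constructed IOS XE config fragment (the hostname, domain and vty ranges are placeholders), reports the effective SSH timeout and retry values using the defaults stated in step 4, and flags any vty block whose transport is not restricted to SSH.

```python
"""Added example (not code from the Cisco guide): audit an IOS XE
running-config fragment against the SSH-server settings configured in the
procedure above. Checks: 'ip ssh version 2' is pinned, the negotiation
timeout and authentication-retries values are reported (defaults 120 s and 3
from step 4 of the procedure), and every 'line vty' block carries exactly
'transport input ssh' (step 5). The sample config is constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: vty 0-4 is hardened, vty 5-15 still accepts Telnet.
SAMPLE_CONFIG = """\
hostname wlc-lab
ip domain name example.invalid
ip ssh version 2
ip ssh time-out 90
ip ssh authentication-retries 2
line vty 0 4
 transport input ssh
line vty 5 15
 transport input telnet ssh
"""


@dataclass
class SshConfig:
    version2: bool = False
    timeout: int = 120          # default stated in step 4
    retries: int = 3            # default stated in step 4
    vty_blocks: Dict[str, List[str]] = field(default_factory=dict)


def parse_config(text: str) -> SshConfig:
    """Walk the config line by line, tracking the current 'line vty' block."""
    cfg = SshConfig()
    current_vty: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        indented = raw[0] in " \t"
        if not indented:
            current_vty = None   # any unindented line ends a line block
        if m := re.fullmatch(r"ip ssh version (\d)", line):
            cfg.version2 = m.group(1) == "2"
        # Accept 'timeout' (as the procedure writes it) and 'time-out' (as
        # IOS XE renders it); both may share a line with authentication-retries.
        if m := re.search(r"ip ssh time-?out (\d+)", line):
            cfg.timeout = int(m.group(1))
        if m := re.search(r"authentication-retries (\d+)", line):
            cfg.retries = int(m.group(1))
        if m := re.fullmatch(r"line vty (\d+)(?: (\d+))?", line):
            current_vty = f"{m.group(1)} {m.group(2) or m.group(1)}"
            cfg.vty_blocks[current_vty] = []
        elif indented and current_vty is not None:
            cfg.vty_blocks[current_vty].append(line)
    return cfg


def audit_ssh(text: str) -> dict:
    """Return the effective SSH settings plus a list of findings (empty = pass)."""
    cfg = parse_config(text)
    findings: List[str] = []
    if not cfg.version2:
        findings.append("ip ssh version 2 is not pinned; the server follows "
                        "the highest version the client offers")
    if not cfg.vty_blocks:
        findings.append("no 'line vty' block found")
    for rng, cmds in cfg.vty_blocks.items():
        transports = [c for c in cmds if c.startswith("transport input")]
        if transports != ["transport input ssh"]:
            findings.append(f"line vty {rng}: expected 'transport input ssh', "
                            f"got {transports or 'no transport input line'}")
    return {"ssh_version2": cfg.version2, "timeout": cfg.timeout,
            "retries": cfg.retries, "findings": findings}


if __name__ == "__main__":
    for item in audit_ssh(SAMPLE_CONFIG)["findings"]:
        print("FINDING:", item)
```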

Monitoring the SSH Configuration and Status
This table displays the SSH server configuration and status.
Table 51: Commands for Displaying the SSH Server Configuration and Status

Command: show ip ssh
Purpose: Shows the version and configuration information for the SSH server.

Command: show ssh
Purpose: Shows the status of the SSH server.


CHAPTER 108
Private Shared Key
· Information About Private Preshared Key, on page 997
· Configuring a PSK in a WLAN (CLI), on page 998
· Configuring a PSK in a WLAN (GUI), on page 999
· Applying a Policy Profile to a WLAN (GUI), on page 1000
· Applying a Policy Profile to a WLAN (CLI), on page 1000
· Verifying a Private PSK, on page 1001

Information About Private Preshared Key
With the advent of the Internet of Things (IoT), the number of devices that connect to the internet has increased manifold. Not all of these devices support an 802.1X supplicant, and they need an alternate mechanism to connect to the internet. One of the security mechanisms, WPA-PSK, could be considered as an alternative. With the current configuration, the PSK is the same for all the clients that connect to the same WLAN. In certain deployments, such as educational institutions, this results in the key being shared with unauthorized users, leading to a security breach. This necessitates provisioning unique PSKs for different clients on a large scale.
Identity PSKs are unique PSKs created for individuals or groups of users on the same SSID. No complex configuration is required for the clients. It provides the same simplicity as PSK, making it ideal for IoT, Bring Your Own Device (BYOD), and guest deployments. Identity PSKs are supported on most devices, including those on which 802.1X is not, enabling stronger security for IoT. It is possible to easily revoke access for a single device or individual without affecting everyone else. Thousands of keys can easily be managed and distributed through the AAA server.

Note: Special characters, such as '<' and '>', are not supported in the SSID preshared key.

Note: PSK supports whitespace in passwords (before, after, or in between) within double quotes only; single quotes for whitespace are not supported.

IPSK Solution
During client authentication, the AAA server authorizes the client MAC address and sends the passphrase (if configured) as part of the Cisco-AV pair list. The Cisco Wireless Controller (WLC) receives this as part of the RADIUS response and processes it further for the computation of PSKs.
When a client sends an association request to the SSID broadcast by the corresponding access point, the controller forms the RADIUS request packet with the particular MAC address of the client and relays it to the RADIUS server.
The RADIUS server performs the authentication, checks whether the client is allowed or not, and sends either ACCESS-ACCEPT or ACCESS-REJECT as the response to the WLC.
To support Identity PSKs, in addition to sending the authentication response, the authentication server also provides the AV pair passphrase for this specific client. This is used for the computation of the PMK.
The RADIUS server might also provide additional parameters, such as username, VLAN, Quality of Service (QoS), and so on, in the response that are specific to this client. For multiple devices owned by a single user, the passphrase can remain the same.

Note: When the PSK length is less than 15 characters in Federal Information Processing Standard (FIPS) mode, the controller allows the WLAN configuration but displays the following error message on the console:
"AP is allowed to join but corresponding WLAN will not be pushed to the access point"

Configuring a PSK in a WLAN (CLI)
Follow the procedure given below to configure a PSK in a WLAN:

Before you begin
· Security should be configured for a pre-shared key (PSK) in a WLAN.
· If there is no override from the AAA server, the value on the corresponding WLAN is considered for authentication.
· In Federal Information Processing Standard (FIPS) and Common Criteria mode, ensure that the PSK WLAN has a minimum of 15 ASCII characters; otherwise, APs won't join the controller.

Procedure

Step 1
configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
wlan wlan-name wlan-id ssid
Example:
Device(config)# wlan test-profile 4 abc
Purpose: Configures the WLAN and SSID.

Step 3
no security wpa akm dot1x
Example:
Device(config-wlan)# no security wpa akm dot1x
Purpose: Disables security AKM for dot1x.

Step 4
security wpa akm psk
Example:
Device(config-wlan)# security wpa akm psk
Purpose: Configures the security type PSK.

Step 5
security wpa akm psk set-key ascii/hex key
Example:
Device(config-wlan)# security wpa akm psk set-key ascii 0
Purpose: Configures the PSK authenticated key management (AKM) shared key.
Note: You must set the psk set-key before configuring AKM PSK.

Step 6
security wpa akm psk
Example:
Device(config-wlan)# security wpa akm psk
Purpose: Configures PSK support.

Step 7
security wpa wpa2 mpsk
Example:
Device(config-wlan)# security wpa wpa2 mpsk
Purpose: Configures multi-preshared key (MPSK) support.
Note: AKM PSK should be enabled for MPSK to work.

Step 8
mac-filtering auth-list-name
Example:
Device(config-wlan)# mac-filtering test1
Purpose: Specifies MAC filtering in a WLAN.

Configuring a PSK in a WLAN (GUI)
Procedure

Step 1 Choose Configuration > Tags & Profiles > WLANs.
Step 2 On the Wireless Networks page, click the Security tab.
Step 3 In the Layer 2 window that is displayed, go to the WPA Parameters section.
Step 4 From the Auth Key Mgmt drop-down, select the PSK format and type.
Step 5 Enter the Pre-Shared Key in hexadecimal characters.
· If you selected the PSK format as HEX, the key length must be exactly 64 characters.
· If you selected the PSK format as ASCII, the key length must be in the range of 8-63 characters.
Note that once you have configured the key, these details are not visible even if you click the eye icon next to the preshared key box, for security reasons.
Step 6 Click Save & Apply to Device.

Applying a Policy Profile to a WLAN (GUI)
Procedure

Step 1 Choose Configuration > Tags & Profiles > Tags.
Step 2 On the Manage Tags page, click the Policy tab.
Step 3 Click Add to view the Add Policy Tag window.
Step 4 Enter a name and description for the policy tag.
Step 5 Click Add to map the WLAN and policy.
Step 6 Choose the WLAN profile to map with the appropriate policy profile, and click the tick icon.
Step 7 Click Save & Apply to Device.

Applying a Policy Profile to a WLAN (CLI)
Follow the procedure given below to apply a policy profile to a WLAN:

Procedure

Step 1
configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
wireless profile policy policy-profile-name
Example:
Device(config)# wireless profile policy policy-iot
Purpose: Configures the default policy profile.

Step 3
aaa-override
Example:
Device(config-wireless-policy)# aaa-override
Purpose: Configures AAA override to apply policies coming from the AAA server or the Cisco Identity Services Engine (ISE) server.


Verifying a Private PSK
Use the following show commands to verify the configuration of a WLAN and a client:

Device# show wlan id 2

WLAN Profile Name                             : test_ppsk
================================================
Identifier                                    : 2
Network Name (SSID)                           : test_ppsk
Status                                        : Enabled
Broadcast SSID                                : Enabled
Universal AP Admin                            : Disabled
Max Associated Clients per WLAN               : 0
Max Associated Clients per AP per WLAN        : 0
Max Associated Clients per AP Radio per WLAN  : 0
Number of Active Clients                      : 0
Exclusionlist Timeout                         : 60
CHD per WLAN                                  : Enabled
Interface                                     : default
Multicast Interface                           : Unconfigured
WMM                                           : Allowed
WifiDirect                                    : Invalid
Channel Scan Defer Priority:
  Priority (default)                          : 4
  Priority (default)                          : 5
  Priority (default)                          : 6
Scan Defer Time (msecs)                       : 100
Media Stream Multicast-direct                 : Disabled
CCX - AironetIe Support                       : Enabled
CCX - Diagnostics Channel Capability          : Disabled
Peer-to-Peer Blocking Action                  : Disabled
Radio Policy                                  : All
DTIM period for 802.11a radio                 : 1
DTIM period for 802.11b radio                 : 1
Local EAP Authentication                      : Disabled
Mac Filter Authorization list name            : test1
Accounting list name                          : Disabled
802.1x authentication list name               : Disabled
Security
  802.11 Authentication                       : Open System
  Static WEP Keys                             : Disabled
  802.1X                                      : Disabled
  Wi-Fi Protected Access (WPA/WPA2)           : Enabled
    WPA (SSN IE)                              : Disabled
    WPA2 (RSN IE)                             : Enabled
      TKIP Cipher                             : Disabled
      AES Cipher                              : Enabled
    Auth Key Management
      802.1x                                  : Disabled
      PSK                                     : Enabled
      CCKM                                    : Disabled
      FT dot1x                                : Disabled
      FT PSK                                  : Disabled
      PMF dot1x                               : Disabled
      PMF PSK                                 : Disabled
    CCKM TSF Tolerance                        : 1000
  FT Support                                  : Disabled
    FT Reassociation Timeout                  : 20
    FT Over-The-DS mode                       : Enabled
  PMF Support                                 : Disabled
    PMF Association Comeback Timeout          : 1
    PMF SA Query Time                         : 200
  Web Based Authentication                    : Disabled
  Conditional Web Redirect                    : Disabled
  Splash-Page Web Redirect                    : Disabled
  Webauth On-mac-filter Failure               : Disabled
  Webauth Authentication List Name            : Disabled
  Webauth Parameter Map                       : Disabled
  Tkip MIC Countermeasure Hold-down Timer     : 60
Call Snooping                                 : Disabled
Passive Client                                : Disabled
Non Cisco WGB                                 : Disabled
Band Select                                   : Disabled
Load Balancing                                : Disabled
Multicast Buffer                              : Disabled
Multicast Buffer Size                         : 0
IP Source Guard                               : Disabled
Assisted-Roaming
  Neighbor List                               : Disabled
  Prediction List                             : Disabled
  Dual Band Support                           : Disabled
IEEE 802.11v parameters
  Directed Multicast Service                  : Disabled
  BSS Max Idle                                : Disabled
    Protected Mode                            : Disabled
  Traffic Filtering Service                   : Disabled
  BSS Transition                              : Enabled
    Disassociation Imminent                   : Disabled
      Optimised Roaming Timer                 : 40
      Timer                                   : 200
  WNM Sleep Mode                              : Disabled
802.11ac MU-MIMO                              : Disabled

Device# show wireless client mac-address a886.adb2.05f9 detail

Client MAC Address : a886.adb2.05f9
Client IPv4 Address : 9.9.58.246
Client Username : A8-86-AD-B2-05-F9
AP MAC Address : c025.5c55.e400
AP Name: saurabh-3600
AP slot : 1
Client State : Associated
Policy Profile : default-policy-profile
Flex Profile : default-flex-profile
Wireless LAN Id : 6
Wireless LAN Name: SSS_PPSK
BSSID : c025.5c55.e40f
Connected For : 280 seconds
Protocol : 802.11n - 5 GHz
Channel : 60
Client IIF-ID : 0xa0000001
Association Id : 1
Authentication Algorithm : Open System
Client CCX version : No CCX support
Session Timeout : 320 sec (Remaining time: 40 sec)
Input Policy Name :
Input Policy State : None
Input Policy Source : None
Output Policy Name :
Output Policy State : None
Output Policy Source : None
WMM Support : Enabled
U-APSD Support : Enabled
  U-APSD value : 0
  APSD ACs : BK, BE, VI, VO
Fastlane Support : Disabled
Power Save : OFF
Current Rate : m22
Supported Rates : 9.0,18.0,36.0,48.0,54.0
Mobility:
  Move Count : 0
  Mobility Role : Local
  Mobility Roam Type : None
  Mobility Complete Timestamp : 09/27/2017 16:32:25 IST
Policy Manager State: Run
NPU Fast Fast Notified : No
Last Policy Manager State : IP Learn Complete
Client Entry Create Time : 280 seconds
Policy Type : WPA2
Encryption Cipher : CCMP (AES)
Authentication Key Management : PSK
AAA override passphrase: Yes
Management Frame Protection : No
Protected Management Frame - 802.11w : No
EAP Type : Not Applicable
VLAN : 58
Access VLAN : 58
Anchor VLAN : 0
WFD capable : No
Manged WFD capable : No
Cross Connection capable : No
Support Concurrent Operation : No
Session Manager:
  Interface : capwap_90000005
  IIF ID : 0x90000005
  Device Type : Apple-Device
  Protocol Map : 0x000001
  Authorized : TRUE
  Session timeout : 320
  Common Session ID: 1F3809090000005DC30088EA
  Acct Session ID : 0x00000000
  Auth Method Status List
    Method : MAB
      SM State : TERMINATE
      Authen Status : Success
  Local Policies:
    Service Template : wlan_svc_default-policy-profile (priority 254)
      Absolute-Timer : 320
      VLAN : 58
  Server Policies:
  Resultant Policies:
    VLAN : 58
    Absolute-Timer : 320
Client Capabilities
  CF Pollable : Not implemented
  CF Poll Request : Not implemented
  Short Preamble : Not implemented
  PBCC : Not implemented
  Channel Agility : Not implemented
  Listen Interval : 0
Fast BSS Transition Details :
  Reassociation Timeout : 0
11v BSS Transition : Not implemented
FlexConnect Data Switching : Local
FlexConnect Dhcp Status : Local
FlexConnect Authentication : Central
FlexConnect Central Association : No
Client Statistics:
  Number of Bytes Received : 59795
  Number of Bytes Sent : 21404
  Number of Packets Received : 518
  Number of Packets Sent : 274
  Number of EAP Id Request Msg Timeouts :
  Number of EAP Request Msg Timeouts :
  Number of EAP Key Msg Timeouts :
  Number of Policy Errors : 0
  Radio Signal Strength Indicator : -32 dBm
  Signal to Noise Ratio : 58 dB
Fabric status : Disabled


CHAPTER 109
Multi-Preshared Key
· Information About Multi-Preshared Key, on page 1005
· Restrictions on Multi-PSK, on page 1006
· Configuring Multi-Preshared Key (GUI), on page 1006
· Configuring Multi-Preshared Key (CLI), on page 1009
· Verifying Multi-PSK Configurations, on page 1010

Information About Multi-Preshared Key
The Multi-PSK feature supports multiple PSKs simultaneously on a single SSID. You can use any of the configured PSKs to join the network. This is different from Identity PSK (iPSK), wherein unique PSKs are created for individuals or groups of users on the same SSID. From 16.10 onwards, each SSID supports five PSKs, which can be extended
In a traditional PSK, all the clients joining the network use the same password, as shown in the figure below.
Figure 25: Traditional PSK
But with multi-PSK, clients can use any of the configured pre-shared keys to connect to the network, as shown in the figure below.
Figure 26: Multi-PSK
In Multi-PSK, two passwords are configured (deadbeef and beefdead) for the same SSID. In this scenario, clients can connect to the network using either of the passwords.

Restrictions on Multi-PSK
· Central authentication is supported in local, flex, and fabric modes only.
· In central authentication flex mode, the standalone AP allows client join with the highest priority PSK (priority 0 key). New clients that do not use the highest priority PSK are rejected during the standalone mode.
· Multi-PSK does not support local authentication.

Configuring Multi-Preshared Key (GUI)
Procedure

Step 1 Choose Configuration > Tags & Profiles > WLANs.
Step 2 On the Wireless Networks page, click the name of the WLAN.
Step 3 In the Edit WLAN window, click the Security tab.
Step 4 In the Layer2 tab, choose the Layer2 Security Mode from the following options:
· None: No Layer 2 security
· 802.1X: WEP 802.1X data encryption type
· WPA + WPA2: Wi-Fi Protected Access
· Static WEP: Static WEP encryption parameters
· Static WEP+802.1X: Both Static WEP and 802.1X parameters

Parameters and their descriptions, by Layer2 Security Mode:

802.1X
WEP Key Size: Choose the key size. The available values are None, 40 bits, and 104 bits.

WPA + WPA2
Protected Management Frame: Choose from the following options: Disabled, Optional, Required.
WPA Policy: Check the check box to enable WPA policy.
WPA Encryption: Choose the WPA encryption standard. A WPA encryption standard must be specified if you have enabled WPA policy.
WPA2 Policy: Check the check box to enable WPA2 policy.
WPA2 Encryption: Choose the WPA2 encryption standard. A WPA encryption standard must be specified if you have enabled WPA policy.
Auth Key Mgmt: Choose the rekeying mechanism from the following options:
· 802.1X
· FT + 802.1X
· PSK: You must specify the PSK format and a preshared key
· Cisco Centralized Key Management: You must specify a Cisco Centralized Key Management Timestamp Tolerance value
· 802.1X + Cisco Centralized Key Management: You must specify a Cisco Centralized Key Management Timestamp Tolerance value
· FT + 802.1X + Cisco Centralized Key Management: You must specify a Cisco Centralized Key Management Timestamp Tolerance value

Static WEP
Key Size: Choose the key size from the following options: 40 bits, 104 bits.
Key Index: Choose a key index from 1 to 4. One unique WEP key index can be applied to each WLAN. As there are only four WEP key indexes, only four WLANs can be configured for static WEP Layer2 encryption.
Key Format: Choose the encryption key format as either ASCII or HEX.
Encryption Key: Enter an encryption key that is 13 characters long.

Static WEP + 802.1X
Key Size: Choose the key size from the following options: 40 bits, 104 bits.
Key Index: Choose a key index from 1 to 4. One unique WEP key index can be applied to each WLAN. As there are only four WEP key indexes, only four WLANs can be configured for static WEP Layer2 encryption.
Key Format: Choose the encryption key format as either ASCII or HEX.
Encryption Key: Enter an encryption key that is 13 characters long.
WEP Key Size: Choose from the following options: None, 40 bits, 104 bits.

Step 5 Click Save & Apply to Device.


Configuring Multi-Preshared Key (CLI)

Procedure

Step 1
configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
wlan wlan-name wlan-id ssid
Example:
Device(config)# wlan mywlan 1 SSID_name
Purpose: Configures WLAN and SSID.

Step 3
no security wpa akm dot1x
Example:
Device(config-wlan)# no security wpa akm dot1x
Purpose: Disables security AKM for dot1x.

Step 4
security wpa akm psk
Example:
Device(config-wlan)# security wpa akm psk
Purpose: Configures PSK.

Step 5
security wpa wpa2 mpsk
Example:
Device(config-wlan)# security wpa wpa2 mpsk
Purpose: Configures multi-PSK.

Step 6
priority priority_value set-key {ascii [0 | 8] pre-shared-key | hex [0 | 8] pre-shared-key}
Example:
Device(config-mpsk)# priority 0 set-key ascii 0 deadbeef
Purpose: Configures PSK priority and all its related passwords.
The priority_value ranges from 0 to 4.
Note: You need to configure a priority 0 key for multi-PSK.

Step 7
no shutdown
Example:
Device(config-mpsk)# no shutdown
Purpose: Enables the WLAN.

Step 8
exit
Example:
Device(config-wlan)# exit
Purpose: Exits WLAN configuration mode and returns to configuration mode.

Step 9
end
Example:
Device(config)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Verifying Multi-PSK Configurations

To verify the configuration of a WLAN and a client, use the following command:

Device# show wlan id 8

WLAN Profile Name                             : wlan_8
================================================
Identifier                                    : 8
Network Name (SSID)                           : ssid_8
Status                                        : Enabled
Broadcast SSID                                : Enabled
Universal AP Admin                            : Disabled
Max Associated Clients per WLAN               : 0
Max Associated Clients per AP per WLAN        : 0
Max Associated Clients per AP Radio per WLAN  : 200
Number of Active Clients                      : 0
CHD per WLAN                                  : Enabled
Multicast Interface                           : Unconfigured
WMM                                           : Allowed
WifiDirect                                    : Invalid
Channel Scan Defer Priority:
  Priority (default)                          : 5
  Priority (default)                          : 6
Scan Defer Time (msecs)                       : 100
Media Stream Multicast-direct                 : Disabled
CCX - AironetIe Support                       : Enabled
CCX - Diagnostics Channel Capability          : Disabled
Peer-to-Peer Blocking Action                  : Disabled
Radio Policy                                  : All
DTIM period for 802.11a radio                 : 1
DTIM period for 802.11b radio                 : 1
Local EAP Authentication                      : Disabled
Mac Filter Authorization list name            : Disabled
Mac Filter Override Authorization list name   : Disabled
Accounting list name                          :
802.1x authentication list name               : Disabled
802.1x authorization list name                : Disabled
Security
  802.11 Authentication                       : Open System
  Static WEP Keys                             : Disabled
  802.1X                                      : Disabled
  Wi-Fi Protected Access (WPA/WPA2/WPA3)      : Enabled
    WPA (SSN IE)                              : Disabled
    WPA2 (RSN IE)                             : Enabled
      MPSK                                    : Enabled
      AES Cipher                              : Enabled
      CCMP256 Cipher                          : Disabled
      GCMP128 Cipher                          : Disabled
      GCMP256 Cipher                          : Disabled
    WPA3 (WPA3 IE)                            : Disabled
    Auth Key Management
      802.1x                                  : Disabled
      PSK                                     : Enabled
      CCKM                                    : Disabled
      FT dot1x                                : Disabled
      FT PSK                                  : Disabled
      FT SAE                                  : Disabled
      PMF dot1x                               : Disabled
      PMF PSK                                 : Disabled
      SAE                                     : Disabled
      OWE                                     : Disabled
      SUITEB-1X                               : Disabled
      SUITEB192-1X                            : Disabled
    CCKM TSF Tolerance                        : 1000
  FT Support                                  : Adaptive
    FT Reassociation Timeout                  : 20
    FT Over-The-DS mode                       : Enabled
  PMF Support                                 : Disabled
    PMF Association Comeback Timeout          : 1
    PMF SA Query Time                         : 200
  Web Based Authentication                    : Disabled
  Conditional Web Redirect                    : Disabled
  Splash-Page Web Redirect                    : Disabled
  Webauth On-mac-filter Failure               : Disabled
  Webauth Authentication List Name            : Disabled
  Webauth Authorization List Name             : Disabled
  Webauth Parameter Map                       : Disabled
  Tkip MIC Countermeasure Hold-down Timer     : 60
Non Cisco WGB                                 : Disabled
Band Select                                   : Enabled
Load Balancing                                : Disabled
Multicast Buffer                              : Disabled
Multicast Buffer Size                         : 0
IP Source Guard                               : Disabled
Assisted-Roaming
  Neighbor List                               : Disabled
  Prediction List                             : Disabled
  Dual Band Support                           : Disabled
IEEE 802.11v parameters
  Directed Multicast Service                  : Disabled
  BSS Max Idle                                : Disabled
    Protected Mode                            : Disabled
  Traffic Filtering Service                   : Disabled
  BSS Transition                              : Enabled
    Disassociation Imminent                   : Disabled
      Optimised Roaming Timer                 : 40
      Timer                                   : 200
  WNM Sleep Mode                              : Disabled
802.11ac MU-MIMO                              : Disabled
802.11ax paramters
  OFDMA Downlink                              : unknown
  OFDMA Uplink                                : unknown
  MU-MIMO Downlink                            : unknown
  MU-MIMO Uplink                              : unknown
  BSS Color                                   : unknown
  Partial BSS Color                           : unknown
  BSS Color Code                              :

To view the WLAN details, use the following command:

Device# show run wlan
wlan wlan_8 8 ssid_8
 security wpa psk set-key ascii 0 deadbeef
 no security wpa akm dot1x
 security wpa akm psk
 security wpa wpa2 mpsk
  priority 0 set-key ascii 0 deadbeef
  priority 1 set-key ascii 0 deaddead
  priority 2 set-key ascii 0 d123d123
  priority 3 set-key hex 0 0234567890123456789012345678901234567890123456789012345678901234
  priority 4 set-key hex 0 1234567890123456789012345678901234567890123456789012345678901234
 no shutdown
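The key rules stated in this guide (HEX keys of exactly 64 characters and ASCII keys of 8-63 characters from the PSK GUI procedure, the 15-character FIPS minimum from the PSK CLI prerequisites, and the priority 0 requirement and 0-4 priority range from the multi-PSK CLI procedure), together with the PMK computation mentioned in the IPSK Solution section, can be checked against a config block in the shape of the show run wlan output above. The following is an added example, not code from the Cisco guide: the PMK derivation uses the standard WPA2-PSK rule from IEEE 802.11 (PBKDF2-HMAC-SHA1 over the passphrase and SSID, 4096 iterations, 32 bytes), which the guide refers to but does not spell out; the sample keys are the guide's own values, and treating only type flag 0 as a plain-text key is an assumption of this example.

```python
"""Added example (not code from the Cisco guide): parse a multi-PSK WLAN
block, validate every key against the rules stated in the guide, and derive
the per-key PMK using the WPA2-PSK rule from IEEE 802.11 (not spelled out in
the guide). Assumption: a set-key type flag of 0 means the key is given in
plain text, as in the guide's examples; other flags are left unvalidated."""
import hashlib
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of the guide's 'show run wlan' output;
# the key values are the guide's own sample values, not a real deployment's.
SAMPLE_RUN = """\
wlan wlan_8 8 ssid_8
 no security wpa akm dot1x
 security wpa akm psk
 security wpa wpa2 mpsk
  priority 0 set-key ascii 0 deadbeef
  priority 1 set-key ascii 0 deaddead
  priority 2 set-key ascii 0 d123d123
  priority 3 set-key hex 0 0234567890123456789012345678901234567890123456789012345678901234
 no shutdown
"""

KeyEntry = Tuple[str, str, str]   # (format, type flag, key)


def validate_psk(fmt: str, key: str, fips: bool = False) -> List[str]:
    """Rule violations for one key, per the guide (empty list = acceptable):
    HEX is exactly 64 hex digits; ASCII is 8-63 characters, no '<' or '>';
    FIPS/Common Criteria mode needs at least 15 ASCII characters."""
    problems: List[str] = []
    if fmt == "hex":
        if not re.fullmatch(r"[0-9A-Fa-f]{64}", key):
            problems.append("HEX key must be exactly 64 hexadecimal characters")
    elif fmt == "ascii":
        if not 8 <= len(key) <= 63:
            problems.append("ASCII key must be 8-63 characters")
        if "<" in key or ">" in key:
            problems.append("'<' and '>' are not supported in a preshared key")
        if fips and len(key) < 15:
            problems.append("FIPS/CC mode requires at least 15 ASCII characters")
    else:
        problems.append(f"unknown key format {fmt!r}")
    return problems


def derive_pmk(fmt: str, key: str, ssid: str) -> bytes:
    """PMK for a given key (IEEE 802.11 WPA2-PSK rule): an ASCII passphrase
    is stretched with PBKDF2-HMAC-SHA1 over the SSID, 4096 rounds, 32 bytes;
    a HEX key already is the 32-byte PMK."""
    if fmt == "hex":
        return bytes.fromhex(key)
    return hashlib.pbkdf2_hmac("sha1", key.encode(), ssid.encode(), 4096, 32)


def parse_mpsk(text: str) -> Tuple[str, Dict[int, KeyEntry]]:
    """Return (ssid, {priority: (format, flag, key)}) from a wlan block,
    following the 'priority N set-key {ascii|hex} [0|8] key' CLI syntax."""
    ssid = ""
    keys: Dict[int, KeyEntry] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"wlan (\S+) (\d+) (\S+)", line):
            ssid = m.group(3)
        elif m := re.fullmatch(r"priority (\d+) set-key (ascii|hex) ([08]) (\S+)", line):
            keys[int(m.group(1))] = (m.group(2), m.group(3), m.group(4))
    return ssid, keys


def audit_mpsk(text: str, fips: bool = False) -> Dict[str, object]:
    """Check a multi-PSK block: priority 0 present, priorities within 0-4,
    every plain-text key well-formed; return the hex PMK of each good key."""
    ssid, keys = parse_mpsk(text)
    findings: List[str] = []
    if 0 not in keys:
        findings.append("multi-PSK requires a priority 0 key")
    pmks: Dict[int, str] = {}
    for prio, (fmt, flag, key) in sorted(keys.items()):
        if not 0 <= prio <= 4:
            findings.append(f"priority {prio} outside the 0-4 range")
        if flag != "0":   # assumption: only flag 0 is a plain-text key
            findings.append(f"priority {prio}: type {flag} key not validated")
            continue
        problems = validate_psk(fmt, key, fips)
        findings.extend(f"priority {prio}: {p}" for p in problems)
        if not problems:
            pmks[prio] = derive_pmk(fmt, key, ssid).hex()
    return {"ssid": ssid, "keys": keys, "pmks": pmks, "findings": findings}


if __name__ == "__main__":
    for mode in (False, True):
        result = audit_mpsk(SAMPLE_RUN, fips=mode)
        print(f"FIPS={mode}: {result['findings'] or 'no findings'}")
```

Run with the sample as given the block reports no findings, while the FIPS flag turns the guide's three 8-character ASCII keys into findings, matching the 15-character prerequisite.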

CHAPTER 110
Multiple Authentications for a Client
· Information About Multiple Authentications for a Client, on page 1013
· Configuring Multiple Authentications for a Client, on page 1015
· Configure WLAN for Web Authentication on MAC Authentication Bypass Failure with Pre-Shared Key (CLI), on page 1021
· Configure WLAN for Web Authentication on MAC Authentication Bypass Failure with OWE (CLI), on page 1023
· Configure WLAN for Web Authentication on MAC Authentication Bypass Failure with Secure Agile Exchange (CLI), on page 1025
· Configuring 802.1x and Central Web Authentication on Controller (CLIs), on page 1026
· Configuring ISE for Central Web Authentication with Dot1x (GUI), on page 1033
· Verifying Multiple Authentication Configurations, on page 1035
Information About Multiple Authentications for a Client
The Multiple Authentication feature is an extension of the Layer 2 and Layer 3 security types supported for client join.

Note: You can enable both L2 and L3 authentication for a given SSID.

Note: The Multiple Authentication feature is applicable for regular clients only.

Information About Supported Combination of Authentications for a Client

The Multiple Authentications for a Client feature supports multiple combinations of authentications for a given client configured in the WLAN profile.
The following table outlines the supported combinations of authentications:

Layer 2            | Layer 3 | Supported
MAB                | CWA     | Yes
MAB                | LWA     | Yes
MAB + PSK          | -       | Yes
MAB + 802.1X       | -       | Yes
MAB Failure        | LWA     | Yes
802.1X             | CWA     | Yes
802.1X             | LWA     | Yes
PSK                | -       | Yes
PSK                | LWA     | Yes
PSK                | CWA     | Yes
iPSK               | -       | Yes
iPSK               | CWA     | Yes
iPSK + MAB         | CWA     | Yes
iPSK               | LWA     | No
MAB Failure + PSK  | LWA     | Yes
MAB Failure + PSK  | CWA     | No
MAB Failure + OWE  | LWA     | Yes
MAB Failure + SAE  | LWA     | Yes

From 16.10.1 onwards, 802.1X configurations on WLAN support web authentication configurations with WPA or WPA2 configuration. The feature also supports the following AP modes:
· Local
· FlexConnect
· Fabric

Combination of Authentications on MAC Failure Not Supported on a Client

The following table outlines the combinations of authentications on MAC failure that are not supported on a given client:

Authentication Types | Foreign      | Anchor                         | Supported
WPA3-OWE+LWA         | Cisco AireOS | Cisco Catalyst 9800 Controller | No
WPA3-SAE+LWA         | Cisco AireOS | Cisco Catalyst 9800 Controller | No

Configuring Multiple Authentications for a Client

Configuring WLAN for 802.1X and Local Web Authentication (GUI)
Procedure

Step 1 Choose Configuration > Tags & Profiles > WLANs.
Step 2 Select the required WLAN from the list of WLANs displayed.
Step 3 Choose the Security > Layer2 tab.
Step 4 Select the security method from the Layer 2 Security Mode drop-down list.
Step 5 In the Auth Key Mgmt, check the 802.1x check box.
Step 6 Check the MAC Filtering check box to enable the feature.
Step 7 After MAC Filtering is enabled, from the Authorization List drop-down list, choose an option.
Step 8 Choose the Security > Layer3 tab.
Step 9 Check the Web Policy check box to enable web authentication policy.
Step 10 From the Web Auth Parameter Map and the Authentication List drop-down lists, choose an option.
Step 11 Click Update & Apply to Device.

Configuring WLAN for 802.1X and Local Web Authentication (CLI)

Procedure

Step 1
configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
wlan profile-name wlan-id SSID_Name
Example:
Device(config)# wlan wlan-test 3 ssid-test
Purpose: Enters WLAN configuration sub-mode.
· profile-name: Profile name of the configured WLAN.
· wlan-id: Wireless LAN identifier. Range is from 1 to 512.
· SSID_Name: SSID that can contain 32 alphanumeric characters.
Note: If you have already configured this command, enter the wlan profile-name command.

Step 3
security dot1x authentication-list auth-list-name
Example:
Device(config-wlan)# security dot1x authentication-list default
Purpose: Enables security authentication list for dot1x security. The configuration is similar for all dot1x security WLANs.

Step 4
security web-auth
Example:
Device(config-wlan)# security web-auth
Purpose: Enables web authentication.

Step 5
security web-auth authentication-list authenticate-list-name
Example:
Device(config-wlan)# security web-auth authentication-list default
Purpose: Enables authentication list for dot1x security.

Step 6
security web-auth parameter-map parameter-map-name
Example:
Device(config-wlan)# security web-auth parameter-map WLAN1_MAP
Purpose: Maps the parameter map.
Note: If a parameter map is not associated with a WLAN, the configuration is considered from the global parameter map.

Step 7
no shutdown
Example:
Device(config-wlan)# no shutdown
Purpose: Enables the WLAN.

Example
wlan wlan-test 3 ssid-test
 security dot1x authentication-list default
 security web-auth
 security web-auth authentication-list default
 security web-auth parameter-map WLAN1_MAP
 no shutdown

Configuring WLAN for Preshared Key (PSK) and Local Web Authentication (GUI)
Procedure

Step 1 Choose Configuration > Tags & Profiles > WLANs.
Step 2 Select the required WLAN.
Step 3 Choose the Security > Layer2 tab.
Step 4 Select the security method from the Layer 2 Security Mode drop-down list.
Step 5 In the Auth Key Mgmt, uncheck the 802.1x check box.
Step 6 Check the PSK check box.
Step 7 Enter the Pre-Shared Key and choose the PSK Format from the PSK Format drop-down list and the PSK Type from the PSK Type drop-down list.
Step 8 Choose the Security > Layer3 tab.
Step 9 Check the Web Policy check box to enable web authentication policy.
Step 10 Choose the Web Auth Parameter Map from the Web Auth Parameter Map drop-down list and the authentication list from the Authentication List drop-down list.
Step 11 Click Update & Apply to Device.

Configuring WLAN for Preshared Key (PSK) and Local Web Authentication

Procedure

Step 1
configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
wlan profile-name wlan-id SSID_Name
Example:
Device(config)# wlan wlan-test 3 ssid-test
Purpose: Enters WLAN configuration sub-mode.
· profile-name: Profile name of the configured WLAN.
· wlan-id: Wireless LAN identifier. Range is from 1 to 512.
· SSID_Name: SSID that can contain 32 alphanumeric characters.
Note: If you have already configured this command, enter the wlan profile-name command.

Step 3
security wpa psk set-key ascii/hex key password
Example:
Device(config-wlan)# security wpa psk set-key ascii 0 PASSWORD
Purpose: Configures the PSK shared key.

Step 4
no security wpa akm dot1x
Example:
Device(config-wlan)# no security wpa akm dot1x
Purpose: Disables security AKM for dot1x.

Step 5
security wpa akm psk
Example:
Device(config-wlan)# security wpa akm psk
Purpose: Configures PSK support.

Step 6
security web-auth
Example:
Device(config-wlan)# security web-auth
Purpose: Enables web authentication for the WLAN.

Step 7
security web-auth authentication-list authenticate-list-name
Example:
Device(config-wlan)# security web-auth authentication-list webauth
Purpose: Enables the authentication list for dot1x security.

Step 8
security web-auth parameter-map parameter-map-name
Example:
Device(config-wlan)# security web-auth parameter-map WLAN1_MAP
Purpose: Configures the parameter map.
Note: If a parameter map is not associated with a WLAN, the configuration is taken from the global parameter map.

Example
wlan wlan-test 3 ssid-test
 security wpa psk set-key ascii 0 PASSWORD
 no security wpa akm dot1x
 security wpa akm psk
 security web-auth
 security web-auth authentication-list webauth
 security web-auth parameter-map WLAN1_MAP

Configuring WLAN for PSK or Identity Preshared Key (iPSK) and Central Web Authentication (GUI)

Procedure

Step 1 Choose Configuration > Tags & Profiles > WLANs.
Step 2 Select the required WLAN.
Step 3 Choose the Security > Layer2 tab.
Step 4 Select the security method from the Layer 2 Security Mode drop-down list.
Step 5 Under Auth Key Mgmt, uncheck the 802.1x check box.
Step 6 Check the PSK check box.
Step 7 Enter the Pre-Shared Key, then choose the PSK Format from the PSK Format drop-down list and the PSK Type from the PSK Type drop-down list.
Step 8 Check the MAC Filtering check box to enable the feature.
Step 9 With MAC Filtering enabled, choose the Authorization List from the Authorization List drop-down list.
Step 10 Choose the Security > Layer3 tab.
Step 11 Check the Web Policy check box to enable the web authentication policy.
Step 12 Choose the Web Auth Parameter Map from the Web Auth Parameter Map drop-down list and the authentication list from the Authentication List drop-down list.
Step 13 Click Update & Apply to Device.

Configuring WLAN for PSK or Identity Preshared Key (iPSK) and Central Web Authentication

Configuring WLAN

Procedure

Step 1
configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
wlan profile-name wlan-id SSID_Name
Example:
Device(config)# wlan wlan-test 3 ssid-test
Purpose: Enters WLAN configuration sub-mode.
· profile-name: Profile name of the configured WLAN.
· wlan-id: Wireless LAN identifier. Range is from 1 to 512.
· SSID_Name: SSID that can contain 32 alphanumeric characters.
Note: If you have already configured this command, enter the wlan profile-name command.

Step 3
no security wpa akm dot1x
Example:
Device(config-wlan)# no security wpa akm dot1x
Purpose: Disables security AKM for dot1x.

Step 4
security wpa psk set-key ascii/hex key password
Example:
Device(config-wlan)# security wpa psk set-key ascii 0 PASSWORD
Purpose: Configures the PSK AKM shared key.

Step 5
mac-filtering auth-list-name
Example:
Device(config-wlan)# mac-filtering test-auth-list
Purpose: Sets the MAC filtering parameters.

Example
wlan wlan-test 3 ssid-test
 no security wpa akm dot1x
 security wpa psk set-key ascii 0 PASSWORD
 mac-filtering test-auth-list

Applying Policy Profile to a WLAN

Procedure

Step 1
configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
wireless profile policy policy-profile-name
Example:
Device(config)# wireless profile policy policy-iot
Purpose: Configures the default policy profile.

Step 3
aaa-override
Example:
Device(config-wireless-policy)# aaa-override
Purpose: Configures AAA override to apply policies coming from the AAA or ISE servers.

Step 4
nac
Example:
Device(config-wireless-policy)# nac
Purpose: Configures NAC in the policy profile.

Step 5
no shutdown
Example:
Device(config-wireless-policy)# no shutdown
Purpose: Shutdown the WLAN.

Step 6
end
Example:
Device(config-wireless-policy)# end
Purpose: Returns to privileged EXEC mode.

Example
wireless profile policy policy-iot
 aaa-override
 nac
 no shutdown

Configure WLAN for Web Authentication on MAC Authentication Bypass Failure with Pre-Shared Key (CLI)

Procedure

Step 1
configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
wlan profile-name wlan-id SSID_Name
Example:
Device(config)# wlan wlan-test 3 ssid-test
Purpose: Enters WLAN configuration submode.
· profile-name: Profile name of the configured WLAN.
· wlan-id: Wireless LAN identifier. Range is from 1 to 512.
· SSID_Name: SSID that can contain 32 alphanumeric characters.
Note: If you have already configured this command, enter the wlan profile-name command.

Step 3
mac-filtering auth-list-name
Example:
Device(config-wlan)# mac-filtering test-auth-list
Purpose: Sets the MAC filtering parameters.

Step 4
security wpa psk set-key ascii/hex key password
Example:
Device(config-wlan)# security wpa psk set-key ascii 0 PASSWORD
Purpose: Configures the PSK AKM shared key.

Step 5
no security wpa akm dot1x
Example:
Device(config-wlan)# no security wpa akm dot1x
Purpose: Disables security AKM for dot1x.

Step 6
security wpa akm psk
Example:
Device(config-wlan)# security wpa akm psk
Purpose: Configures PSK support.

Step 7
security web-auth authentication-list authenticate-list-name
Example:
Device(config-wlan)# security web-auth authentication-list default
Purpose: Enables the authentication list for dot1x security.

Step 8
security web-auth authorization-list authorize-list-name
Example:
Device(config-wlan)# security web-auth authorization-list default
Purpose: Enables the authorization list for dot1x security.

Step 9
security web-auth on-macfilter-failure
Example:
Device(config-wlan)# security web-auth on-macfilter-failure
Purpose: Enables web authentication on MAC filter failure.

Step 10
security web-auth parameter-map parameter-map-name
Example:
Device(config-wlan)# security web-auth parameter-map WLAN1_MAP
Purpose: Configures the parameter map.
Note: If a parameter map is not associated with a WLAN, the configuration is taken from the global parameter map.

Step 11
no shutdown
Example:
Device(config-wlan)# no shutdown
Purpose: Enables the WLAN.

Configure WLAN for Web Authentication on MAC Authentication Bypass Failure with OWE (CLI)

Procedure

Step 1
configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
wlan profile-name wlan-id SSID_Name
Example:
Device(config)# wlan wlan-test 3 ssid-test
Purpose: Enters WLAN configuration submode.
· profile-name: Profile name of the configured WLAN.
· wlan-id: Wireless LAN identifier. Range is from 1 to 512.
· SSID_Name: SSID that can contain 32 alphanumeric characters.
Note: If you have already configured this command, enter the wlan profile-name command.

Step 3
mac-filtering auth-list-name
Example:
Device(config-wlan)# mac-filtering test-auth-list
Purpose: Sets the MAC filtering parameters.

Step 4
no security wpa akm dot1x
Example:
Device(config-wlan)# no security wpa akm dot1x
Purpose: Disables security AKM for dot1x.

Step 5
security wpa wpa3
Example:
Device(config-wlan)# security wpa wpa3
Purpose: Enables WPA3 support.

Step 6
security wpa akm owe
Example:
Device(config-wlan)# security wpa akm owe
Purpose: Enables WPA3 OWE support.

Step 7
security web-auth authentication-list authenticate-list-name
Example:
Device(config-wlan)# security web-auth authentication-list default
Purpose: Enables the authentication list for dot1x security.

Step 8
security web-auth authorization-list authorize-list-name
Example:
Device(config-wlan)# security web-auth authorization-list default
Purpose: Enables the authorization list for dot1x security.

Step 9
security web-auth on-macfilter-failure
Example:
Device(config-wlan)# security web-auth on-macfilter-failure
Purpose: Enables web authentication on MAC filter failure.

Step 10
security web-auth parameter-map parameter-map-name
Example:
Device(config-wlan)# security web-auth parameter-map WLAN1_MAP
Purpose: Configures the parameter map.
Note: If a parameter map is not associated with a WLAN, the configuration is taken from the global parameter map.

Step 11
no shutdown
Example:
Device(config-wlan)# no shutdown
Purpose: Enables the WLAN.

Configure WLAN for Web Authentication on MAC Authentication Bypass Failure with Secure Agile Exchange (CLI)

Procedure

Step 1
configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
wlan profile-name wlan-id SSID_Name
Example:
Device(config)# wlan wlan-test 3 ssid-test
Purpose: Enters WLAN configuration submode.
· profile-name: Profile name of the configured WLAN.
· wlan-id: Wireless LAN identifier. Range is from 1 to 512.
· SSID_Name: SSID that can contain 32 alphanumeric characters.
Note: If you have already configured this command, enter the wlan profile-name command.

Step 3
mac-filtering auth-list-name
Example:
Device(config-wlan)# mac-filtering test-auth-list
Purpose: Sets the MAC filtering parameters.

Step 4
no security wpa akm dot1x
Example:
Device(config-wlan)# no security wpa akm dot1x
Purpose: Disables security AKM for dot1x.

Step 5
security wpa wpa3
Example:
Device(config-wlan)# security wpa wpa3
Purpose: Enables WPA3 support.

Step 6
security wpa akm sae
Example:
Device(config-wlan)# security wpa akm sae
Purpose: Enables AKM SAE support.

Step 7
security web-auth authentication-list authenticate-list-name
Example:
Device(config-wlan)# security web-auth authentication-list default
Purpose: Enables the authentication list for dot1x security.

Step 8
security web-auth authorization-list authorize-list-name
Example:
Device(config-wlan)# security web-auth authorization-list default
Purpose: Enables the authorization list for dot1x security.

Step 9
security web-auth on-macfilter-failure
Example:
Device(config-wlan)# security web-auth on-macfilter-failure
Purpose: Enables web authentication on MAC filter failure.

Step 10
security web-auth parameter-map parameter-map-name
Example:
Device(config-wlan)# security web-auth parameter-map WLAN1_MAP
Purpose: Configures the parameter map.
Note: If a parameter map is not associated with a WLAN, the configuration is taken from the global parameter map.

Step 11
no shutdown
Example:
Device(config-wlan)# no shutdown
Purpose: Enables the WLAN.
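The three procedures above (PSK, OWE and SAE) differ only in the Layer 2 AKM lines; the remaining lines that make a MAC-filter failure fall through to web authentication are common to all of them. The following Python linter is an added example and not part of the Cisco guide: it reads a WLAN stanza as it would appear in the running configuration and reports which of the required lines are missing for a chosen variant, flagging a stanza that still carries the 802.1X AKM. The stanza texts and variant names are constructed for this example.

```python
"""Lint a Catalyst 9800 `wlan` stanza for the web-auth-on-MAB-failure pattern.

Added example, not from the Cisco guide. It checks the lines the three
procedures above require (PSK, OWE and SAE variants) against a stanza copied
from `show running-config`; the stanza texts below are constructed samples.
"""
import re

# Required in every variant: MAC filtering, 802.1X AKM removed, web-auth lists,
# fall-through on MAC filter failure, a parameter map and the WLAN enabled.
COMMON_REQUIRED = (
    r"^mac-filtering \S+$",
    r"^no security wpa akm dot1x$",
    r"^security web-auth authentication-list \S+$",
    r"^security web-auth authorization-list \S+$",
    r"^security web-auth on-macfilter-failure$",
    r"^security web-auth parameter-map \S+$",
    r"^no shutdown$",
)

# Layer 2 variant -> the AKM lines that procedure adds.
VARIANT_REQUIRED = {
    "psk": (r"^security wpa psk set-key (ascii|hex) \S+ \S+$", r"^security wpa akm psk$"),
    "owe": (r"^security wpa wpa3$", r"^security wpa akm owe$"),
    "sae": (r"^security wpa wpa3$", r"^security wpa akm sae$"),
}

def parse_wlan_stanza(text):
    """Split a `wlan <profile> <id> <ssid>` block into header fields and sub-commands."""
    lines = [l.strip() for l in text.strip().splitlines() if l.strip()]
    m = re.match(r"^wlan (\S+) (\d+) (\S+)$", lines[0])
    if not m:
        raise ValueError("not a wlan stanza: %r" % lines[0])
    wlan_id = int(m.group(2))
    if not 1 <= wlan_id <= 512:                 # range given in the procedures
        raise ValueError("wlan-id out of range 1-512: %d" % wlan_id)
    return {"profile": m.group(1), "id": wlan_id, "ssid": m.group(3)}, lines[1:]

def lint_mab_failure_wlan(text, variant):
    """Return the required patterns the stanza fails to satisfy (empty list = OK)."""
    _, cmds = parse_wlan_stanza(text)
    missing = [p for p in COMMON_REQUIRED + VARIANT_REQUIRED[variant]
               if not any(re.match(p, c) for c in cmds)]
    # 802.1X AKM left enabled alongside PSK/OWE/SAE contradicts "no security wpa akm dot1x"
    if "security wpa akm dot1x" in cmds:
        missing.append("conflict: security wpa akm dot1x still enabled")
    return missing

# Constructed sample: complete PSK variant, mirrors the PSK procedure above.
GOOD_PSK = """
wlan wlan-test 3 ssid-test
 mac-filtering test-auth-list
 security wpa psk set-key ascii 0 PASSWORD
 no security wpa akm dot1x
 security wpa akm psk
 security web-auth authentication-list default
 security web-auth authorization-list default
 security web-auth on-macfilter-failure
 security web-auth parameter-map WLAN1_MAP
 no shutdown
"""

# Constructed sample: SAE variant missing WPA3 and the on-macfilter-failure line.
BAD_SAE = """
wlan wlan-sae 5 ssid-sae
 mac-filtering test-auth-list
 no security wpa akm dot1x
 security wpa akm sae
 security web-auth authentication-list default
 security web-auth authorization-list default
 security web-auth parameter-map WLAN1_MAP
 no shutdown
"""

if __name__ == "__main__":
    print("PSK stanza missing:", lint_mab_failure_wlan(GOOD_PSK, "psk"))
    print("SAE stanza missing:", lint_mab_failure_wlan(BAD_SAE, "sae"))
```

Without the on-macfilter-failure line a MAC-filter failure simply rejects the client instead of redirecting it to the portal, which is why the linter treats that line as mandatory rather than optional.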

Configuring 802.1x and Central Web Authentication on Controller (CLIs)

Creating AAA Authentication

Procedure

Step 1
configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
aaa new-model
Example:
Device(config)# aaa new-model
Purpose: Creates an AAA authentication model.

Configuring AAA Server for External Authentication

Procedure

Step 1
configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
radius-server attribute wireless authentication call-station-id ap-name-ssid
Example:
Device(config)# radius-server attribute wireless authentication call-station-id ap-name-ssid
Purpose: Configures the call station identifier sent in RADIUS authentication messages.

Step 3
radius server server-name
Example:
Device(config)# radius server ISE2
Purpose: Sets the RADIUS server.

Step 4
address ipv4 radius-server-ip-address
Example:
Device(config-radius-server)# address ipv4 111.111.111.111
Purpose: Specifies the RADIUS server address.

Step 5
timeout seconds
Example:
Device(config-radius-server)# timeout 10
Purpose: Specifies the time-out value in seconds. The range is between 10 and 1000 seconds.

Step 6
retransmit number-of-retries
Example:
Device(config-radius-server)# retransmit 10
Purpose: Specifies the number of retries to the server. The range is between 0 and 100.

Step 7
key key
Example:
Device(config-radius-server)# key cisco
Purpose: Specifies the authentication and encryption key used between the device and the RADIUS daemon running on the RADIUS server.
key covers the following:
· 0--Specifies an unencrypted key.
· 6--Specifies an encrypted key.
· 7--Specifies a HIDDEN key.
· Word--Unencrypted (cleartext) server key.

Step 8
exit
Example:
Device(config-radius-server)# exit
Purpose: Returns to the configuration mode.

Step 9
aaa group server radius server-group
Example:
Device(config)# aaa group server radius ISE2
Purpose: Creates a RADIUS server-group identification.

Step 10
server name server-name
Example:
Device(config-sg-radius)# server name ISE2
Purpose: Configures the server name.

Step 11
radius-server deadtime time-in-minutes
Example:
Device(config)# radius-server deadtime 5
Purpose: Defines the time in minutes for which a server marked as DEAD is held in that state. Once the deadtime expires, the controller marks the server as UP (ALIVE) and notifies the registered clients about the state change. If the server is still unreachable after being marked UP and the DEAD criteria are met again, the server is marked as DEAD for another deadtime interval.
time-in-mins: Valid values range from 1 to 1440 minutes. The default value is zero. To return to the default value, use the no radius-server deadtime command.
The radius-server deadtime command can be configured globally or at the aaa group server level.
You can use the show aaa dead-criteria or show aaa servers command to check dead-server detection. If the value is zero (the default), deadtime is not configured.
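The deadtime description above is easier to reason about as a small state machine. The following Python model is an added example, not from the Cisco guide: it replays one authentication request per minute against a server that is unreachable for a while, and shows how a non-zero deadtime stops the controller from retrying a DEAD server on every request. The DEAD criteria are not covered on this page, so the model assumes a fixed number of consecutive unanswered requests; the server name and outage timing are constructed.

```python
"""Model the `radius-server deadtime` behaviour described above.

Added example, not from the Cisco guide. The DEAD -> UP transition after the
deadtime interval follows the guide's text; the DEAD criteria themselves are
modelled as N consecutive unanswered requests (an assumption for this example,
the actual `radius-server dead-criteria` command is not covered on this page).
Times are whole minutes to match the deadtime unit.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class RadiusServer:
    name: str
    deadtime_min: int                 # radius-server deadtime value; 0 = not configured
    dead_tries: int = 3               # assumed dead criteria (consecutive failures)
    state: str = "UP"
    failures: int = 0
    dead_until: Optional[int] = None  # minute at which the server is marked UP again
    log: List[Tuple[int, str]] = field(default_factory=list)

    def usable(self, now_min: int) -> bool:
        """Whether a request may be sent to this server at minute `now_min`."""
        if self.state != "DEAD":
            return True
        if self.deadtime_min == 0 or now_min >= self.dead_until:
            # Deadtime expired (or never configured): mark UP and notify clients.
            self.state, self.failures = "UP", 0
            self.log.append((now_min, "UP"))
            return True
        return False                  # still held in DEAD state: skip this server

    def record(self, now_min: int, answered: bool) -> None:
        """Feed the outcome of one request sent at minute `now_min`."""
        if answered:
            self.failures = 0
            return
        self.failures += 1
        if self.failures >= self.dead_tries:
            # Dead criteria met: hold the server DEAD for the deadtime interval.
            self.state, self.failures = "DEAD", 0
            self.dead_until = now_min + self.deadtime_min
            self.log.append((now_min, "DEAD"))

def simulate(deadtime_min: int, outage_minutes, total_minutes: int = 20, dead_tries: int = 3):
    """Send one request per minute; the server is silent during `outage_minutes`.

    Returns (state transition log, number of requests actually sent to the server).
    """
    srv = RadiusServer("ISE2", deadtime_min, dead_tries)   # constructed server name
    attempts = 0
    for minute in range(total_minutes):
        if not srv.usable(minute):
            continue                  # skipped: AAA falls through to the next server/method
        attempts += 1
        srv.record(minute, answered=minute not in outage_minutes)
    return srv.log, attempts

if __name__ == "__main__":
    # Constructed scenario: ISE2 unreachable for the first 13 minutes.
    for dt in (0, 5):
        log, sent = simulate(dt, range(13))
        print(f"deadtime {dt}: {sent} requests sent, transitions {log}")
```

With deadtime 0 the server is marked DEAD and immediately eligible again, so every request during the outage still waits on the full timeout and retransmit cycle; with deadtime 5 the controller skips the server for five minutes after each DEAD marking, which is what keeps client authentication from stalling when the primary server is down.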

Configuring AAA for Authentication

Before you begin
Configure the RADIUS server and AAA group server.

Procedure

Step 1
aaa authentication login
Example:
Device(config)# aaa authentication login ISE_GROUP group ISE2 local
Purpose: Defines the authentication method at login.

Step 2
aaa authentication dot1x
Example:
Device(config)# aaa authentication dot1x ISE_GROUP group ISE2 local
Purpose: Defines the authentication method for dot1x.

Configuring Accounting Identity List

Before you begin
Configure the RADIUS server and AAA group server.

Procedure

Step 1
aaa accounting identity named-list start-stop group server-group-name
Example:
Device(config)# aaa accounting identity ISE start-stop group ISE2
Purpose: Enables accounting to send a start-record accounting notice when a client is authorized and a stop-record at the end.
Note: You can also use the default list instead of the named list.

Configuring AAA for Central Web Authentication

Before you begin
Configure the RADIUS server and AAA group server.

Procedure

Step 1
aaa server radius dynamic-author
Example:
Device(config)# aaa server radius dynamic-author
Purpose: Configures Change of Authorization (CoA) on the controller.

Step 2
client client-ip-addr server-key key
Example:
Device(config-locsvr-da-radius)# client 111.111.111.111 server-key ciscokey
Purpose: Configures a server key for a RADIUS client.

Defining an Access Control List for Radius Server

Procedure

Step 1
configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
ip access-list extended redirect
Example:
Device(config)# ip access-list extended redirect
Purpose: HTTP and HTTPS browsing does not work without authentication (per the other ACL), as ISE is configured to use a redirect ACL (named redirect).

Step 3
sequence-number deny icmp any
Example:
Device(config-ext-nacl)# 10 deny icmp any
Purpose: Specifies packets to reject according to the sequence number.
Note: You must have the DHCP, DNS, and ISE servers in the reject sequences. Refer to Configuration Example to Define an Access Control List for Radius Server, wherein 111.111.111.111 refers to the IP address of the ISE server.

Step 4
permit TCP any any eq web-address
Example:
Device(config-ext-nacl)# permit TCP any any eq www
Purpose: Redirects all HTTP or HTTPS access to the Cisco ISE login page.

Configuration Example to Define an Access Control List for Radius Server
This example shows how to define an access control list for the RADIUS server:
Device# configure terminal
Device(config)# ip access-list extended redirect
Device(config-ext-nacl)# 10 deny icmp any
Device(config-ext-nacl)# 20 deny udp any any eq bootps
Device(config-ext-nacl)# 30 deny udp any any eq bootpc
Device(config-ext-nacl)# 40 deny udp any any eq domain
Device(config-ext-nacl)# 50 deny tcp any host 111.111.111.111 eq 8443
Device(config-ext-nacl)# 55 deny tcp host 111.111.111.111 eq 8443 any
Device(config-ext-nacl)# end
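In a redirect ACL the usual permit/deny meaning is inverted from a filtering ACL: a permit entry marks traffic to be redirected to the ISE portal, while a deny entry lets the flow through untouched, which is why DHCP, DNS and the ISE portal ports have to be denied ahead of the catch-all permit. The following Python evaluator is an added example and not part of the Cisco guide: it parses the subset of extended ACL syntax used above (any/host addresses and eq ports) and reports, for sample flows, whether the client would be redirected or allowed through. The ACL text and the flows are constructed; the ISE address 111.111.111.111 is the one used in the guide's example.

```python
"""Evaluate a Catalyst 9800 redirect ACL against sample flows.

Added example, not from the Cisco guide. Implements only the extended ACL
syntax seen in this section (any / host addresses, `eq` ports). For a URL
redirect ACL, `permit` means "redirect this flow to the portal" and `deny`
means "forward it without redirection"; an unmatched flow hits the implicit
deny and is therefore also not redirected.
"""
import re

NAMED_PORTS = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80, "https": 443}

def _port(tok):
    return int(tok) if tok.isdigit() else NAMED_PORTS.get(tok)

def parse_ace(line):
    """Parse one access-control entry; raise on syntax this example does not model."""
    toks = line.split()
    seq = None
    if toks[0].isdigit():
        seq, toks = int(toks[0]), toks[1:]
    action, proto, rest = toks[0], toks[1], toks[2:]
    if action not in ("permit", "deny"):
        raise ValueError(line)

    def take_addr():
        nonlocal rest
        if rest[0] == "any":
            rest = rest[1:]
            return None                      # None = wildcard
        if rest[0] == "host":
            addr, rest = rest[1], rest[2:]
            return addr
        raise ValueError("unsupported address form: " + " ".join(rest))

    def take_port():
        nonlocal rest
        if rest and rest[0] == "eq":
            port, rest = _port(rest[1]), rest[2:]
            return port
        return None

    src, sport = take_addr(), take_port()
    dst, dport = take_addr(), take_port()
    return {"seq": seq, "action": action, "proto": proto,
            "src": src, "sport": sport, "dst": dst, "dport": dport}

def parse_acl(text):
    """Parse an ACL body; unnumbered entries get previous+10 like IOS does."""
    aces = [parse_ace(l.strip()) for l in text.strip().splitlines() if l.strip()]
    for i, ace in enumerate(aces):
        if ace["seq"] is None:
            ace["seq"] = (aces[i - 1]["seq"] if i else 0) + 10
    return sorted(aces, key=lambda a: a["seq"])

def redirect_decision(acl, proto, src, sport, dst, dport):
    """Return ('redirect' | 'bypass', matching sequence number or None) for a flow."""
    for a in acl:
        if a["proto"] not in (proto, "ip"):
            continue
        if a["src"] not in (None, src) or a["dst"] not in (None, dst):
            continue
        if a["sport"] not in (None, sport) or a["dport"] not in (None, dport):
            continue
        return ("redirect" if a["action"] == "permit" else "bypass"), a["seq"]
    return "bypass", None                    # implicit deny: not redirected

# Constructed ACL modelled on the guide's example, with the catch-all permits added.
REDIRECT_ACL = """
10 deny icmp any any
20 deny udp any any eq bootps
30 deny udp any any eq bootpc
40 deny udp any any eq domain
50 deny tcp any host 111.111.111.111 eq 8443
55 deny tcp host 111.111.111.111 eq 8443 any
permit tcp any any eq www
permit tcp any any eq 443
"""
ACL = parse_acl(REDIRECT_ACL)

if __name__ == "__main__":
    # Constructed flows from a client at 10.0.0.5 (hypothetical addresses).
    flows = [("udp", "10.0.0.5", 68, "255.255.255.255", 67),      # DHCP discover
             ("udp", "10.0.0.5", 40000, "10.0.0.1", 53),          # DNS
             ("tcp", "10.0.0.5", 50000, "111.111.111.111", 8443), # ISE portal
             ("tcp", "10.0.0.5", 50001, "93.184.216.34", 80),     # web browsing
             ("tcp", "10.0.0.5", 50002, "93.184.216.34", 22)]     # SSH (unmatched)
    for f in flows:
        print(f, "->", redirect_decision(ACL, *f))
```

Running the sample shows DHCP, DNS and portal traffic matching deny entries (no redirection), HTTP matching the permit (redirected to the portal), and an unmatched flow such as SSH falling to the implicit deny, which means a client in the Webauth Pending state can still open such connections unless a separate filtering ACL blocks them.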

Configuring WLAN

Procedure

Step 1
configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
wlan wlan-name
Example:
Device(config)# wlan wlan30
Purpose: Enters WLAN configuration mode.

Step 3
security dot1x authentication-list ISE_GROUP
Example:
Device(config-wlan)# security dot1x authentication-list ISE_GROUP
Purpose: Configures 802.1X for a WLAN.

Step 4
no shutdown
Example:
Device(config-wlan)# no shutdown
Purpose: Enables the WLAN.

Configuring Policy Profile

Procedure

Step 1
configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
wireless profile policy profile-name
Example:
Device(config)# wireless profile policy wireless-profile1
Purpose: Configures the policy profile.

Step 3
aaa-override
Example:
Device(config-wireless-policy)# aaa-override
Purpose: Configures AAA override to apply policies coming from the AAA or Cisco Identity Services Engine (ISE) server.

Step 4
accounting-list list-name
Example:
Device(config-wireless-policy)# accounting-list ISE
Purpose: Sets the accounting list for IEEE 802.1x.

Step 5
ipv4 dhcp required
Example:
Device(config-wireless-policy)# ipv4 dhcp required
Purpose: Configures DHCP parameters for the WLAN.

Step 6
nac
Example:
Device(config-wireless-policy)# nac
Purpose: Configures Network Access Control (NAC) in the policy profile. NAC is used to trigger Central Web Authentication (CWA).

Step 7
vlan 25
Example:
Device(config-wireless-policy)# vlan 25
Purpose: Configures the guest VLAN profile.

Step 8
no shutdown
Example:
Device(config-wireless-policy)# no shutdown
Purpose: Enables the policy profile.

Mapping WLAN and Policy Profile to Policy Tag

Procedure

Step 1
configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
wireless tag policy policy-tag-name
Example:
Device(config)# wireless tag policy xx-xre-policy-tag
Purpose: Configures the policy tag and enters policy tag configuration mode.

Step 3
wlan wlan-name policy profile-policy-name
Example:
Device(config-policy-tag)# wlan wlan30 policy wireless-profile1
Purpose: Maps a policy profile to a WLAN profile.

Step 4
end
Example:
Device(config-policy-tag)# end
Purpose: Saves the configuration, exits configuration mode, and returns to privileged EXEC mode.

Configuring ISE for Central Web Authentication with Dot1x (GUI)

Defining Guest Portal

Before you begin
Define the guest portal or use the default guest portal.

Procedure

Step 1 Log in to the Cisco Identity Services Engine (ISE).
Step 2 Choose Work Centers > Guest Access > Portals & Components.
Step 3 Click Guest Portal.

Defining Authorization Profile for a Client

Before you begin
You can define the authorization profile to use the guest portal and any additional parameters your deployment requires. The authorization profile redirects the client to the authentication portal. In the latest Cisco ISE version, the Cisco_Webauth authorization result already exists, and you can edit it to change the redirection ACL name so that it matches the configuration on the controller.

Procedure

Step 1 Log in to the Cisco Identity Services Engine (ISE).
Step 2 Choose Policy > Policy Elements > Authorization > Authorization Profiles.
Step 3 Click Add to create your own custom result, or edit the Cisco_Webauth default result.

Defining Authentication Rule

Procedure

Step 1 Log in to the Cisco Identity Services Engine (ISE).
Step 2 Choose Policy > Policy Sets and click the appropriate policy set.
Step 3 Expand Authentication policy.
Step 4 Expand Options and choose an appropriate User ID.

Defining Authorization Rule

Procedure

Step 1 Log in to the Cisco Identity Services Engine (ISE).
Step 2 Choose Policy > Policy Sets > Authorization Policy.
Step 3 Create a rule that matches the condition for 802.1x with a specific SSID (using Radius-Called-Station-ID).
Note: You get to view the CWA redirect attribute.
Step 4 Choose the already created authorization profile.
Step 5 From the Result/Profile column, choose the already created authorization profile.
Step 6 Click Save.
Note: The following image depicts a working configuration sample for your reference.

Figure 27: Working Configuration Sample

Creating Rules to Match Guest Flow Condition

Before you begin
You must create a second rule that matches the guest flow condition and returns the network access details once the user completes authentication in the portal.

Procedure

Step 1 Log in to the Cisco Identity Services Engine (ISE).
Step 2 Choose Policy > Policy Sets > Authorization Policy.
Step 3 Create a rule that matches the condition for 802.1x with Network Access-UseCase EQUALS Guest and a specific SSID (using Radius-Called-Station-ID).
Note: You get to view the Permit Access.
Step 4 From the Result/Profile column, choose the already created authorization profile.
Step 5 Choose the default or customized Permit Access.
Step 6 Click Save.

Verifying Multiple Authentication Configurations

Layer 2 Authentication

After L2 authentication (Dot1x) is complete, the client is moved to the Webauth Pending state. To verify the client state after L2 authentication, use the following commands:

Device# show wireless client summary
Number of Local Clients: 1
MAC Address    AP Name     WLAN State           Protocol Method Role
-----------------------------------------------------------------------
58ef.68b6.aa60 ewlc1_ap_1  3    Webauth Pending 11n(5)   Dot1x  Local
Number of Excluded Clients: 0

Device# show wireless client mac-address <mac_address> detail
Auth Method Status List
  Method: Dot1x
  Webauth State: Init
  Webauth Method: Webauth
Local Policies:
  Service Template: IP-Adm-V6-Int-ACL-global (priority 100)
    URL Redirect ACL: IP-Adm-V6-Int-ACL-global
  Service Template: IP-Adm-V4-Int-ACL-global (priority 100)
    URL Redirect ACL: IP-Adm-V4-Int-ACL-global
  Service Template: wlan_svc_default-policy-profile_local (priority 254)
    Absolute-Timer: 1800
    VLAN: 50

Device# show platform software wireless-client chassis active R0
ID          MAC Address    WLAN Client State
-------------------------------------------------
0xa0000003  58ef.68b6.aa60 3    L3 Authentication

Device# show platform software wireless-client chassis active F0
ID          MAC Address    WLAN Client State        AOM ID Status
-----------------------------------------------------------------
0xa0000003  58ef.68b6.aa60 3    L3 Authentication   730    Done

Device# show platform hardware chassis active qfp feature wireless wlclient cpp-client summary
Client Type Abbreviations: RG - REGULAR BLE - BLE HL - HALO LI - LWFL INT
Auth State Abbrevations: UK - UNKNOWN IP - LEARN IP IV - INVALID L3 - L3 AUTH RN - RUN
Mobility State Abbreviations: UK - UNKNOWN IN - INIT LC - LOCAL AN - ANCHOR FR - FOREIGN MT - MTE IV - INVALID
EoGRE Abbreviations: N - NON EOGRE Y - EOGRE
CPP IF_H DP IDX     MAC Address    VLAN CT MCVL AS MS E WLAN      POA
----------------------------------------------------------------------
0X49     0XA0000003 58ef.68b6.aa60 50   RG 0    L3 LC N wlan-test 0x90000003

Device# show platform hardware chassis active qfp feature wireless wlclient datapath summary
Vlan DP IDX     MAC Address    VLAN CT MCVL AS MS E WLAN      POA
------------------------------------------------------------------
0X49 0xa0000003 58ef.68b6.aa60 50   RG 0    L3 LC N wlan-test 0x90000003

Layer 3 Authentication

Once L3 authentication is successful, the client is moved to the Run state. To verify the client state after L3 authentication, use the following commands:

Device# show wireless client summary
Number of Local Clients: 1
MAC Address    AP Name     WLAN State Protocol Method   Role
-----------------------------------------------------------------------
58ef.68b6.aa60 ewlc1_ap_1  3    Run   11n(5)   Web Auth Local
Number of Excluded Clients: 0

Device# show wireless client mac-address 58ef.68b6.aa60 detail
Auth Method Status List
  Method: Web Auth
  Webauth State: Authz
  Webauth Method: Webauth
Local Policies:
  Service Template: wlan_svc_default-policy-profile_local (priority 254)
    Absolute-Timer: 1800
    VLAN: 50
Server Policies:
Resultant Policies:
  VLAN: 50
  Absolute-Timer: 1800

Device# show platform software wireless-client chassis active R0
ID          MAC Address    WLAN Client State
--------------------------------------------
0xa0000001  58ef.68b6.aa60 3    Run

Device# show platform software wireless-client chassis active f0
ID          MAC Address    WLAN Client State AOM ID Status
---------------------------------------------------------
0xa0000001  58ef.68b6.aa60 3    Run          11633  Done

Device# show platform hardware chassis active qfp feature wireless wlclient cpp-client summary
Client Type Abbreviations: RG - REGULAR BLE - BLE HL - HALO LI - LWFL INT
Auth State Abbrevations: UK - UNKNOWN IP - LEARN IP IV - INVALID L3 - L3 AUTH RN - RUN
Mobility State Abbreviations: UK - UNKNOWN IN - INIT LC - LOCAL AN - ANCHOR FR - FOREIGN MT - MTE IV - INVALID
EoGRE Abbreviations: N - NON EOGRE Y - EOGRE
CPP IF_H DP IDX     MAC Address    VLAN CT MCVL AS MS E WLAN      POA
----------------------------------------------------------------------
0X49     0XA0000003 58ef.68b6.aa60 50   RG 0    RN LC N wlan-test 0x90000003

Device# show platform hardware chassis active qfp feature wireless wlclient datapath summary
Vlan pal_if_hd1 mac            Input Uidb Output Uidb
-----------------------------------------------------
50   0xa0000003 58ef.68b6.aa60 95929      95927
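The two summary outputs above differ in exactly the columns a verification script would check: State moves from Webauth Pending to Run and Method from Dot1x to Web Auth. The following Python parser is an added example and not part of the Cisco guide: it extracts the rows of show wireless client summary (the State and Method columns may contain spaces, so the protocol token is used to split them) and checks that a given client is in the state expected after each phase. The sample outputs are constructed from the rows shown in this section.

```python
"""Parse `show wireless client summary` output and check the expected client state.

Added example, not part of the Cisco guide. The two sample outputs below are
constructed from the rows shown in this verification section; the expected
state per phase follows the text (L2 done -> "Webauth Pending", L3 done -> "Run").
"""
import re

# One data row: MAC, AP name, WLAN id, State (may contain spaces), Protocol,
# Method (may contain spaces, e.g. "Web Auth"), Role. The protocol token
# (11n(5), 11ac(5), ...) anchors the split between State and Method.
ROW_RE = re.compile(
    r"^([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\d+)\s+(.+?)\s+(11\S+)\s+(.+?)\s+(\S+)$"
)

EXPECTED_STATE = {"L2": "Webauth Pending", "L3": "Run"}

# Constructed sample output after Layer 2 (802.1X) authentication.
L2_SUMMARY = """\
Number of Local Clients: 1
MAC Address    AP Name      WLAN State           Protocol Method Role
-------------------------------------------------------------------------
58ef.68b6.aa60 ewlc1_ap_1   3    Webauth Pending 11n(5)   Dot1x  Local
Number of Excluded Clients: 0
"""

# Constructed sample output after Layer 3 (web) authentication.
L3_SUMMARY = """\
Number of Local Clients: 1
MAC Address    AP Name      WLAN State Protocol Method   Role
-------------------------------------------------------------------------
58ef.68b6.aa60 ewlc1_ap_1   3    Run   11n(5)   Web Auth Local
Number of Excluded Clients: 0
"""

def parse_client_summary(text):
    """Return a list of client dicts parsed from the summary table."""
    clients = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            mac, ap, wlan, state, proto, method, role = m.groups()
            clients.append({"mac": mac, "ap": ap, "wlan": int(wlan), "state": state,
                            "protocol": proto, "method": method, "role": role})
    return clients

def verify_phase(text, phase, mac):
    """True if `mac` is listed in the state expected after `phase` ("L2" or "L3")."""
    for c in parse_client_summary(text):
        if c["mac"] == mac:
            return c["state"] == EXPECTED_STATE[phase]
    return False   # a client that is absent from the table also fails the check

def webauth_state(detail_text):
    """Extract 'Webauth State' from `show wireless client mac-address ... detail` output."""
    m = re.search(r"Webauth State:\s*(\S+)", detail_text)
    return m.group(1) if m else None

if __name__ == "__main__":
    mac = "58ef.68b6.aa60"
    print("after L2:", verify_phase(L2_SUMMARY, "L2", mac), parse_client_summary(L2_SUMMARY)[0])
    print("after L3:", verify_phase(L3_SUMMARY, "L3", mac), parse_client_summary(L3_SUMMARY)[0])
```

A client that stays in Webauth Pending after the portal login, or whose detail output still shows Webauth State: Init, points at the Layer 3 side (parameter map, redirect ACL or authentication list) rather than at the 802.1X or PSK configuration.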

Verifying PSK+Webauth Configuration

Device# show wlan summary
Load for five secs: 0%/0%; one minute: 0%; five minutes: 0%
Time source is NTP, 12:08:32.941 CEST Tue Oct 6 2020
Number of WLANs: 1
ID Profile Name        SSID                Status Security
---------------------------------------------------------------------------
23 Gladius1-PSKWEBAUTH Gladius1-PSKWEBAUTH UP     [WPA2][PSK][AES],[Web Auth]


CHAPTER 111
Cisco TrustSec
· Information about Cisco TrustSec, on page 1039
· Cisco TrustSec Features, on page 1040
· Security Group Access Control List, on page 1041
· Inline Tagging, on page 1043
· Policy Enforcement, on page 1043
· SGACL Support for Wireless Guest Access, on page 1044
· Enabling SGACL on the AP (GUI), on page 1044
· Enabling SGACL on the AP, on page 1045
· Enabling SGACL Policy Enforcement Globally (CLI), on page 1046
· Enabling SGACL Policy Enforcement Per Interface (CLI), on page 1047
· Manually Configuring a Device SGT (CLI), on page 1047
· Configuring SGACL, Inline Tagging, and SGT in Local Mode (GUI), on page 1048
· Configuring SGACL, Inline Tagging, and SGT in Local Mode, on page 1048
· Configuring ISE for TrustSec, on page 1049
· Verifying Cisco TrustSec Configuration, on page 1050
Information about Cisco TrustSec
Cisco TrustSec provides security improvements to Cisco network devices based on the capability to strongly identify users, hosts, and network devices within a network. TrustSec provides topology-independent and scalable access controls by uniquely classifying data traffic for a particular role. TrustSec ensures data confidentiality and integrity by establishing trust among authenticated peers and encrypting links with those peers. The key component of Cisco TrustSec is the Cisco Identity Services Engine (ISE). Cisco ISE can provision switches with TrustSec Identities and Security Group ACLs (SGACLs), though these may be configured manually on the switch.
Note: Manually clear the CTS environment data with the clear cts environment-data command before changing the CTS server to a new one. This ensures that the show cts environment-data command returns the updated data.

Cisco TrustSec Features

The table below lists the TrustSec features to be eventually implemented on TrustSec-enabled Cisco switches. Successive general availability releases of TrustSec will expand the number of switches supported and the number of TrustSec features supported per switch.

Cisco TrustSec Feature: 802.1AE Tagging (MACsec)
Description: Protocol for IEEE 802.1AE-based wire-rate hop-to-hop Layer 2 encryption. Between MACsec-capable devices, packets are encrypted on egress from the transmitting device, decrypted on ingress to the receiving device, and in the clear within the devices. This feature is only available between TrustSec hardware-capable devices.

Cisco TrustSec Feature: Endpoint Admission Control (EAC)
Description: EAC is an authentication process for an endpoint user or a device connecting to the TrustSec domain. Usually EAC takes place at the access-level switch. Successful authentication and authorization in the EAC process results in Security Group Tag assignment for the user or device. Currently EAC can be 802.1X, MAC Authentication Bypass (MAB), or Web Authentication Proxy (WebAuth).

Cisco TrustSec Feature: Network Device Admission Control (NDAC)
Description: NDAC is an authentication process in which each network device in the TrustSec domain can verify the credentials and trustworthiness of its peer device. NDAC utilizes an authentication framework based on IEEE 802.1X port-based authentication and uses EAP-FAST as its EAP method. Successful authentication and authorization in the NDAC process results in Security Association Protocol negotiation for IEEE 802.1AE encryption.

Cisco TrustSec Feature: Security Group Access Control List (SGACL)
Description: A Security Group Access Control List (SGACL) associates a Security Group Tag with a policy. The policy is enforced upon SGT-tagged traffic egressing the TrustSec domain.

Cisco TrustSec Feature: Security Association Protocol (SAP)
Description: After NDAC authentication, the Security Association Protocol (SAP) automatically negotiates keys and the cipher suite for subsequent MACsec link encryption between TrustSec peers. SAP is defined in IEEE 802.11i.

Cisco TrustSec Feature: Security Group Tag (SGT)
Description: An SGT is a 16-bit single label indicating the security classification of a source in the TrustSec domain. It is appended to an Ethernet frame or an IP packet.

Cisco TrustSec Feature: SGT Exchange Protocol (SXP)
Description: With SXP, devices that are not TrustSec-hardware-capable can receive SGT attributes for authenticated users and devices from the Cisco Identity Services Engine (ISE) or the Cisco Secure Access Control System (ACS). The devices can then forward a source-IP-to-SGT binding to a TrustSec-hardware-capable device, which tags the source traffic for SGACL enforcement.

When both ends of a link support 802.1AE MACsec, SAP negotiation occurs. An EAPOL-key exchange occurs between the supplicant and the authenticator to negotiate a cipher suite, exchange security parameters, and manage keys. Successful completion of these tasks results in the establishment of a security association (SA).
Depending on your software version and licensing and link hardware support, SAP negotiation can use one of these modes of operation:
· Galois Counter Mode (GCM)--authentication and encryption
· GCM authentication (GMAC)-- GCM authentication, no encryption
· No Encapsulation--no encapsulation (clear text)
· Null--encapsulation, no authentication or encryption

Security Group Access Control List
A security group is a group of users, end-point devices, and resources that share access control policies. Security groups are defined by the administrator in Cisco Identity Services Engine (ISE). As new users and devices are added to the Cisco TrustSec domain, the authentication server assigns these new entities to the appropriate security groups. Cisco TrustSec assigns each security group a unique 16-bit number whose scope is global in a Cisco TrustSec domain. The number of security groups in a wireless device is limited to the number of authenticated network entities. You do not have to manually configure the security group numbers.
After a device is authenticated, Cisco TrustSec tags any packet that originates from that device with an SGT that contains the security group number of the device. The packet carries this SGT everywhere in the network, in the Cisco TrustSec header.
As the SGT contains the security group of the source, the tag can be referred to as the source SGT (S-SGT). The destination device is also assigned to a security group (destination SG) that can be referred to as the destination SGT (D-SGT), even though the Cisco TrustSec packet does not contain the security group number of the destination device.
You can control the operations that users can perform based on the security group assignments of users and destination resources, using the Security Group Access Control Lists (SGACLs). Policy enforcement in a Cisco TrustSec domain is represented by a permission matrix, with the source security group numbers on one axis and the destination security group numbers on the other axis. Each cell in the matrix body contains an ordered list of SGACLs, which specify the permissions that must be applied to packets originating from the source security group and destined for the destination security group. When a wireless client is authenticated, the controller downloads all the SGACLs in the matrix cells.


When a wireless client connects to the network, the client pushes all the ACLs to the controller. Cisco TrustSec achieves role-based, topology-independent access control in a network by assigning users and devices in the network to security groups and applying access control between the security groups. The SGACLs define access control policies based on the device identities. As long as the roles and permissions remain the same, changes to the network topology do not change the security policy. When a user is added to the wireless group, you simply assign the user to an appropriate security group; the user immediately receives the permissions of that group. The size of ACLs is reduced and their maintenance is simplified with the use of role-based permissions. With Cisco TrustSec, the number of Access Control Entries (ACEs) that are configured is determined by the number of permissions specified, resulting in a much smaller number of ACEs. To know the list of Cisco APs that support SGACL, see the release notes: https://www.cisco.com/c/en/us/support/wireless/catalyst-9800-series-wireless-controllers/products-release-notes-list.html
Note: Clients receive a zero SGT value and DHCP clients receive an Automatic Private IP Addressing (APIPA) address when the TrustSec policy "unknown to unknown" is denied in the TrustSec matrix. Clients receive correct SGT values and DHCP clients receive an IP address when the TrustSec policy "unknown to unknown" is permitted in the TrustSec matrix.
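As an added illustration (not code from the Cisco guide), the following Python model of the permission matrix shows how the ordered SGACL list in a (source SGT, destination SGT) cell yields a first-match decision, and how a denied "unknown to unknown" cell stops a not-yet-classified client's DHCP exchange as the note above describes. The SGT numbers, the SGACL names, and the assumption that both the unclassified client and the DHCP server sit in SGT 0 are constructed for the example.

```python
"""Toy model of a Cisco TrustSec SGACL permission matrix (added example,
not Cisco code). Constructed assumptions: SGT 0 is the Unknown group,
each matrix cell holds an ordered list of SGACL names, each SGACL is an
ordered list of ACEs evaluated first-match-wins, and an unpopulated cell
falls back to a matrix-wide default action."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

UNKNOWN_SGT = 0  # the "Unknown" security group (assumption for this model)


@dataclass(frozen=True)
class Ace:
    """One access control entry of an SGACL."""
    action: str                      # "permit" or "deny"
    protocol: str = "ip"             # "ip" matches any protocol
    dst_port: Optional[int] = None   # None matches any destination port

    def matches(self, protocol: str, dst_port: Optional[int]) -> bool:
        if self.protocol != "ip" and self.protocol != protocol:
            return False
        if self.dst_port is not None and self.dst_port != dst_port:
            return False
        return True


@dataclass
class SgaclMatrix:
    """Permission matrix: (source SGT, destination SGT) -> ordered SGACL names."""
    sgacls: Dict[str, List[Ace]]
    cells: Dict[Tuple[int, int], List[str]]
    default_action: str = "permit"   # applied when the cell holds no SGACLs

    def evaluate(self, src_sgt: int, dst_sgt: int,
                 protocol: str, dst_port: Optional[int] = None) -> str:
        """Egress decision for one packet: the first matching ACE wins."""
        for name in self.cells.get((src_sgt, dst_sgt), []):
            for ace in self.sgacls[name]:
                if ace.matches(protocol, dst_port):
                    return ace.action
        return self.default_action


EMPLOYEES, SERVERS = 10, 20   # constructed SGT numbers for the demo


def build_matrix(unknown_to_unknown: str) -> SgaclMatrix:
    """Build a small matrix; unknown_to_unknown ("permit"/"deny") fills the
    (Unknown, Unknown) cell that the guide's note talks about."""
    sgacls = {
        "Web_Only": [Ace("permit", "tcp", 443), Ace("deny")],
        "Deny_IP": [Ace("deny")],
        "Permit_IP": [Ace("permit")],
    }
    cells = {
        (EMPLOYEES, SERVERS): ["Web_Only"],
        (SERVERS, EMPLOYEES): ["Deny_IP"],
        (UNKNOWN_SGT, UNKNOWN_SGT): [
            "Deny_IP" if unknown_to_unknown == "deny" else "Permit_IP"],
    }
    return SgaclMatrix(sgacls, cells)


def dhcp_outcome(matrix: SgaclMatrix) -> str:
    """Model the note: a not-yet-classified client (SGT 0) sends a DHCP
    request (UDP/67) to a server whose SGT is also unknown (SGT 0).
    If that cell denies, DHCP never completes and the client self-assigns
    an APIPA (169.254.0.0/16) address."""
    verdict = matrix.evaluate(UNKNOWN_SGT, UNKNOWN_SGT, "udp", 67)
    return "dhcp-address" if verdict == "permit" else "apipa"


if __name__ == "__main__":
    m = build_matrix("deny")
    print(m.evaluate(EMPLOYEES, SERVERS, "tcp", 443))   # permit
    print(m.evaluate(EMPLOYEES, SERVERS, "tcp", 22))    # deny
    print(dhcp_outcome(m))                              # apipa
    print(dhcp_outcome(build_matrix("permit")))         # dhcp-address
```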
The scenarios supported for SGACLs on the Cisco Catalyst 9800 Series Wireless Controller are:
· Wireless-to-wireless (within Enterprise network):
  · Flex mode with local switching--SGACL enforcement is done on the egress AP when a packet leaves from a source wireless network to a destination wireless network.
  · Flex mode with central switching--SGACL enforcement is done on the egress AP. To achieve this, the controller should export IP address-to-security group tag (IP-SGT) bindings over SGT Exchange Protocol (SXP).
· Wired-to-wireless (DC-to-Enterprise network)--Enforcement takes place when a packet reaches the destination AP.
· Wireless-to-wired (Enterprise network-to-DC)--Enforcement takes place on the uplink switch when a packet reaches the ingress of the wired network.
Guidelines and Restrictions
· SGACL enforcement is carried out on the controller for local mode.
· SGACL enforcement is carried out on an AP for flex-mode APs performing local switching.
· SGACL enforcement for wireless clients is carried out either on the upstream switch or on the border gateway in a Branch-to-DC scenario.
· SGACL enforcement is not supported for non-IP or IP broadcast or multicast traffic.
· Per-WLAN SGT assignment is not supported.
· SGACL enforcement is not carried out for control-plane traffic between an AP and the wireless controller (in either the upstream or the downstream direction).


· Non-static SGACL configurations are supported only for dynamic SGACL policies received from ISE.
· Static SGACL configuration on an AP is not supported.
Inline Tagging
Inline tagging is the transport mechanism through which a controller or AP learns the source SGT. There are two types of transport mechanism:
· Central switching--For centrally switched packets, the controller performs inline tagging of all the packets sourced from wireless clients that are associated with the controller, by tagging it with the Cisco Meta Data (CMD) tag. For packets that are inbound from the distribution system, inline tagging also involves the controller stripping off the CMD header from the packet to learn the S-SGT tag. Thereafter, the controller forwards the packet including the S-SGT, for SGACL enforcement.
· Local switching--To transmit locally switched traffic, an AP performs inline tagging for packets that are associated with the AP and sourced from clients. To receive traffic, the AP handles both locally switched packets and centrally switched packets, uses the S-SGT tag for packets, and applies the SGACL policy.
With wireless Cisco TrustSec enabled on the controller, enabling and configuring SXP to exchange tags with the switches is optional. Both wireless Cisco TrustSec and SXP modes are supported; however, there is no use case for having both wireless Cisco TrustSec (on an AP) and SXP enabled concurrently.
Consideration and Restriction for Inline Tagging over Port-Channel
· Configure the cts manual command on the port-channel and its member interfaces to send or receive a tagged packet.
· If you downgrade to a Cisco IOS XE release that does not support inline tagging over port-channel, the port-channel may be suspended.
Note: Inline tagging over port-channel is supported in the Cisco IOS XE 17.3.5 release.
Policy Enforcement
Cisco TrustSec access control is implemented using ingress tagging and egress enforcement. At the ingress point to the Cisco TrustSec domain, the traffic from the source is tagged with an SGT containing the security group number of the source entity. The SGT is propagated across the domain with the traffic. At the egress point of the Cisco TrustSec domain, an egress device uses the source SGT (S-SGT) and the security group of the destination entity (D-SGT) to determine the access policy to apply from the SGACL policy matrix. Policy enforcement can be applied to both centrally and locally switched traffic on an AP. If wired clients communicate with wireless clients, the AP enforces the downstream traffic. If wireless clients communicate with wired clients, the AP enforces the upstream traffic. This way, the AP enforces both downstream and wireless-to-wireless traffic. You require the S-SGT, the D-SGT, and the ACLs for the enforcement to work. APs get the SGT information for all the wireless clients from the information available on the Cisco ISE server.

Note: A Cisco AP must be in either Listener or Both (Listener and Speaker) mode to enforce traffic, because the Listener mode maintains the complete set of IP-SGT bindings. After you enable the enforcement on an AP, the corresponding policies are downloaded and pushed to the AP.

SGACL Support for Wireless Guest Access
When a client joins the wireless network (WLAN), its session is managed by the Cisco Catalyst 9800 Series Wireless LAN Controller (WLC) that the AP is connected to; this controller is the foreign controller. Auto-Anchor Mobility allows a specific WLAN (for example, a Guest WLAN) to be anchored to a particular controller, regardless of the client's entry point into the network. Auto-Anchor Mobility is the wireless Guest service in which all guest traffic tunnels back to the DMZ controller irrespective of where the clients associate with the network.
In the case of Auto-Anchor mobility, the following apply to Cisco TrustSec support:
· Classification: Occurs during authentication, and hence on the Foreign for Layer 2 security WLANs and on the Anchor for Layer 3 security cases.
· Propagation: Always occurs at the Anchor, where the client traffic enters the wired network.
· Enforcement: SGACL download and enforcement occur on the Anchor; the Anchor controller must have connectivity to Cisco Identity Services Engine (ISE) and be registered as a Network Access Server (NAS). Enforcement is not supported on the foreign controller even when the enforcement CLI is configured on the foreign controller.
This feature is supported in local mode and in Flex Central Switching of the controller. Flex mode with local switching and Fabric mode are not supported in guest scenarios as traffic does not go through the controller.
Roaming of a guest client occurs only at Guest Foreign controller and the Guest Anchor remains fixed. The different types of supported roam are Inter-Controller roaming and Intra-Controller roaming. Roaming under WebAuth pending is a special case which is also supported for Central Web Authentication (CWA) and Local Web Authentication (LWA).

Enabling SGACL on the AP (GUI)
Procedure
Step 1  Choose Configuration > Tags & Profiles > Flex.
Step 2  Click Add.
Step 3  In the General tab, check the Inline Tagging and SGACL Enforcement check boxes and choose the CTS Profile Name from the CTS Profile Name drop-down list.
Step 4  Click Apply to Device.


Enabling SGACL on the AP

Note: Use the no form of the commands given below to disable the configuration. For example, no cts role-based enforcement disables role-based access control enforcement for APs.

Before you begin
· Security Group Access Control List (SGACL) on an AP can be enabled only when the wireless controller is in flexconnect mode.
· Configure the cts manual command on the uplink port to send or receive a tagged packet.

Procedure
Step 1  configure terminal
        Purpose: Enters global configuration mode.
        Example:
        Device# configure terminal

Step 2  wireless profile flex flex-profile
        Purpose: Configures a wireless flex profile and enters wireless flex profile configuration mode.
        Example:
        Device(config)# wireless profile flex xyz-flex-profile

Step 3  cts role-based enforcement
        Purpose: Enables role-based access control enforcement for the AP.
        Example:
        Device(config-wireless-flex-profile)# cts role-based enforcement

Step 4  cts inline-tagging
        Purpose: Enables inline tagging on the AP.
        Example:
        Device(config-wireless-flex-profile)# cts inline-tagging

Step 5  cts profile profile-name
        Purpose: Enables the CTS profile with the given name.
        Example:
        Device(config-wireless-flex-profile)# cts profile xyz-profile

Step 6  exit
        Purpose: Returns to global configuration mode.
        Example:
        Device(config-wireless-flex-profile)# exit


Step 7  wireless tag site site-name
        Purpose: Configures a site tag and enters site tag configuration mode.
        Example:
        Device(config)# wireless tag site xyz-site

Step 8  flex-profile flex-profile-name
        Purpose: Configures a flex profile.
        Example:
        Device(config-site-tag)# flex-profile xyz-flex-profile

Step 9  exit
        Purpose: Returns to global configuration mode.
        Example:
        Device(config-site-tag)# exit

Step 10 ap mac-address
        Purpose: Configures an AP and enters AP profile configuration mode.
        Example:
        Device(config)# ap F866.F267.7DFB

Step 11 site-tag site-tag-name
        Purpose: Maps a site tag to an AP.
        Example:
        Device(config-ap-tag)# site-tag xyz-site

What to do next
Use the show cts ap sgt-info ap-name command to verify the SGACL configuration on the AP.

Enabling SGACL Policy Enforcement Globally (CLI)
You must enable SGACL policy enforcement globally on Cisco Catalyst 9800 Series Wireless Controller. The same configuration commands that are used for enforcement of IPv4 traffic apply for IPv6 traffic as well.

Procedure
Step 1  configure terminal
        Purpose: Enters global configuration mode.
        Example:
        Device# configure terminal

Step 2  cts role-based enforcement
        Purpose: Enables Cisco TrustSec SGACL policy enforcement on routed interfaces.
        Example:
        Device(config)# cts role-based enforcement


Enabling SGACL Policy Enforcement Per Interface (CLI)
After enabling SGACL policy enforcement globally, you must enable Cisco TrustSec on the uplink interfaces.

Procedure
Step 1  configure terminal
        Purpose: Enters global configuration mode.
        Example:
        Device# configure terminal

Step 2  interface gigabitethernet interface-number
        Purpose: Specifies the interface on which to enable or disable SGACL enforcement.
        Example:
        Device(config)# interface gigabitethernet 1

Step 3  cts role-based enforcement
        Purpose: Enables Cisco TrustSec SGACL policy enforcement on routed interfaces.
        Example:
        Device(config-if)# cts role-based enforcement

Step 4  do show cts interface
        Purpose: Verifies that SGACL enforcement is enabled.
        Example:
        Device(config-if)# do show cts interface

Manually Configuring a Device SGT (CLI)
In normal Cisco TrustSec operation, the authentication server assigns an SGT to the device for packets originating from the device. You can manually configure an SGT to be used if the authentication server is not accessible, but an authentication server-assigned SGT will take precedence over a manually-assigned SGT.

Procedure
Step 1  configure terminal
        Purpose: Enters global configuration mode.
        Example:
        Device# configure terminal

Step 2  wireless profile policy profile-policy
        Purpose: Configures a WLAN policy profile and enters wireless policy configuration mode.
        Example:
        Device(config)# wireless profile policy rr-xyz-policy-1

Step 3  cts sgt sgt-value
        Purpose: Specifies the Security Group Tag (SGT) number. Valid values are from 0 to 65,535.
        Example:
        Device(config-wireless-policy)# cts sgt 200

Step 4  exit
        Purpose: Returns to global configuration mode.
        Example:
        Device(config-wireless-policy)# exit

Configuring SGACL, Inline Tagging, and SGT in Local Mode (GUI)
Procedure
Step 1  Choose Configuration > Tags & Profiles > Policy.
Step 2  Click the Policy Profile Name. The Edit Policy Profile window is displayed.
Step 3  Choose the General tab.
Step 4  In the CTS Policy settings, check or uncheck the Inline Tagging and SGACL Enforcement check boxes, and enter the Default SGT value.
Step 5  Click Update & Apply to Device.

Configuring SGACL, Inline Tagging, and SGT in Local Mode

Procedure
Step 1  configure terminal
        Purpose: Enters global configuration mode.
        Example:
        Device# configure terminal

Step 2  wireless profile policy profile-name
        Purpose: Creates a policy profile for the WLAN.
        Example:
        Device(config)# wireless profile policy xyz-policy-profile

Step 3  cts inline-tagging
        Purpose: Enables CTS inline tagging.
        Example:
        Device(config-wireless-policy)# cts inline-tagging
        Note: You also need to configure cts manual on the physical interface. If cts manual is configured on the physical interface and cts inline-tagging is skipped, the packets still remain tagged at egress on the controller.

Step 4  cts role-based enforcement
        Purpose: Enables CTS SGACL enforcement.
        Example:
        Device(config-wireless-policy)# cts role-based enforcement

Step 5  cts sgt sgt-value
        Purpose: (Optional) Sets the default Security Group Tag (SGT).
        Example:
        Device(config-wireless-policy)# cts sgt 100
        Note: An SGT is required for a user session only when the client uses open authentication, and not the ISE server.

Configuring ISE for TrustSec

Procedure
Step 1  configure terminal
        Purpose: Enters global configuration mode.
        Example:
        Device# configure terminal

Step 2  radius server server-name
        Purpose: Specifies the RADIUS server name.
        Example:
        Device(config)# radius server Test-SERVER1

Step 3  address ipv4 ip-address
        Purpose: Specifies the primary RADIUS server parameters.
        Example:
        Device(config-radius-server)# address ipv4 124.3.50.62

Step 4  pac key key
        Purpose: Specifies the authentication and encryption key (the key string) used between the device and the RADIUS daemon running on the RADIUS server.
        Example:
        Device(config-radius-server)# pac key cisco

Step 5  exit
        Purpose: Returns to global configuration mode.
        Example:
        Device(config-radius-server)# exit

Step 6  aaa group server radius server-group
        Purpose: Creates a RADIUS server-group identification.
        Note: server-group refers to the server group name. The valid range is from 1 to 32 alphanumeric characters.
        Example:
        Device(config)# aaa group server radius authc-server-group

Step 7  cts authorization list mlist-name
        Purpose: Creates a CTS authorization list.
        Example:
        Device(config)# cts authorization list authc-list

Step 8  aaa authorization network mlist-name group name
        Purpose: Creates an authorization method list for web-based authorization.
        Note: Ensure that the ISE IP address configured on your controller is the same as the IP address configured on ISE (Work Center > TrustSec > Components > Trustsec AAA Servers).
        Note: If the ISE version is 002.005(000.239), 002.004(000.357), 002.003(000.298), 002.002(000.470), 002.001(000.474), 002.000(001.130), or 002.000(000.306), use the access-session tls-version 1.0 command to download the PAC from ISE. For other ISE versions, the above command is not required.
        Example:
        Device(config)# aaa authorization network default group group1

Verifying Cisco TrustSec Configuration
To display the wireless CTS SGACL configuration summary, use the following command:
Device# show wireless cts summary
Local Mode CTS Configuration

Policy Profile Name         SGACL Enforcement   Inline-Tagging   Default-Sgt
----------------------------------------------------------------------------------------
xyz-policy                  DISABLED            ENABLED          0
wireless-policy1            DISABLED            DISABLED         0
w-policy-profile1           DISABLED            DISABLED         0
default-policy-profile      DISABLED            DISABLED         0

Flex Mode CTS Configuration

Flex Profile Name           SGACL Enforcement   Inline-Tagging
-----------------------------------------------------------------------
xyz-flex                    DISABLED            ENABLED
demo-flex                   DISABLED            DISABLED
flex-demo                   DISABLED            DISABLED
xyz-flex-profile            DISABLED            DISABLED
default-flex-profile        DISABLED            DISABLED
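
The following Python audit helper is an added example and not part of the guide: it parses the Local Mode and Flex Mode tables printed by show wireless cts summary (the sample output is constructed to mirror the layout shown above) and flags profiles whose inline tagging and SGACL enforcement settings disagree, the mismatch that the local-mode note about cts manual warns of.

```python
"""Audit helper for 'show wireless cts summary' output (added example,
not Cisco code). The sample below is constructed to match the guide's
table layout; profile names and states are illustrative."""
from typing import Dict, List

# Constructed sample output, modelled on the guide's table layout.
SAMPLE_OUTPUT = """\
Local Mode CTS Configuration

Policy Profile Name         SGACL Enforcement   Inline-Tagging   Default-Sgt
----------------------------------------------------------------------------------------
xyz-policy                  DISABLED            ENABLED          0
wireless-policy1            DISABLED            DISABLED         0
default-policy-profile      DISABLED            DISABLED         0

Flex Mode CTS Configuration

Flex Profile Name           SGACL Enforcement   Inline-Tagging
-----------------------------------------------------------------------
xyz-flex                    DISABLED            ENABLED
demo-flex                   ENABLED             DISABLED
default-flex-profile        DISABLED            DISABLED
"""


def parse_cts_summary(text: str) -> Dict[str, List[dict]]:
    """Return {'local': [...], 'flex': [...]} with one dict per profile row.

    Local-mode rows carry four columns (name, enforcement, inline tagging,
    default SGT); flex-mode rows carry three. Header, separator and blank
    lines are skipped, as are rows that do not have the expected width."""
    result: Dict[str, List[dict]] = {"local": [], "flex": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Local Mode CTS"):
            section = "local"
            continue
        if line.startswith("Flex Mode CTS"):
            section = "flex"
            continue
        if section is None or line.startswith("-") or "Profile Name" in line:
            continue
        cols = line.split()
        if section == "local" and len(cols) == 4:
            name, enf, tag, sgt = cols
            result["local"].append({
                "profile": name,
                "enforcement": enf == "ENABLED",
                "inline_tagging": tag == "ENABLED",
                "default_sgt": int(sgt),
            })
        elif section == "flex" and len(cols) == 3:
            name, enf, tag = cols
            result["flex"].append({
                "profile": name,
                "enforcement": enf == "ENABLED",
                "inline_tagging": tag == "ENABLED",
            })
    return result


def audit(parsed: Dict[str, List[dict]]) -> List[str]:
    """Flag profiles where tagging and enforcement disagree."""
    findings: List[str] = []
    for mode in ("local", "flex"):
        for p in parsed[mode]:
            key = f"{mode}:{p['profile']}"
            if p["inline_tagging"] and not p["enforcement"]:
                findings.append(f"{key}: inline tagging enabled but SGACL "
                                "enforcement disabled; tagged traffic is "
                                "forwarded without role-based policy")
            if p["enforcement"] and not p["inline_tagging"]:
                findings.append(f"{key}: SGACL enforcement enabled but inline "
                                "tagging disabled; confirm how the source SGT "
                                "is learned (cts manual on the physical "
                                "interface, or SXP)")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_cts_summary(SAMPLE_OUTPUT)):
        print(finding)
```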

To display CTS-specific configuration status for various wireless profiles, use the following command:
Device# show cts wireless profile policy xyz-policy

Policy Profile Name      : xyz-policy
CTS
  Role-based enforcement : ENABLED
  Inline-tagging         : ENABLED
  Default SGT            : 100

Policy Profile Name      : foo2
CTS
  Role-based enforcement : DISABLED
  Inline-tagging         : ENABLED
  Default SGT            : NOT-DEFINED

Policy Profile Name      : foo3
CTS
  Role-based enforcement : DISABLED
  Inline-tagging         : DISABLED
  Default SGT            : 65001

To display the CTS configuration for a given wireless profile, use the following command:

Device# show wireless profile policy detailed xyz-policy

Policy Profile Name      : xyz-policy
Description              :
Status                   : DISABLED
VLAN                     : 1
Client count             : 0
Passive Client           : DISABLED
ET-Analytics             : DISABLED
StaticIP Mobility        : DISABLED
!
. . .
WGB Policy Params
  Broadcast Tagging      : DISABLED
  Client VLAN            : DISABLED
Mobility Anchor List
  IP Address             Priority
CTS
  Role-based enforcement : ENABLED
  Inline-tagging         : ENABLED
  Default SGT            : NOT-DEFINED

CHAPTER 112

SGT Inline Tagging and SXPv4

· Introduction to SGT Inline Tagging on AP and SXPv4, on page 1053
· Creating an SXP Profile, on page 1053
· Configuring SGT Inline Tagging on Access Points, on page 1054
· Configuring an SXP Connection (GUI), on page 1054
· Configuring an SXP Connection, on page 1055
· Verifying SGT Push to Access Points, on page 1056
Introduction to SGT Inline Tagging on AP and SXPv4
The Cisco TrustSec (CTS) builds secure networks by establishing domains of trusted network devices. Each device in the domain is authenticated by its peers. Communication on the links between devices in the domain is secured with a combination of encryption, message integrity check, and data-path replay protection mechanisms.
The Scalable Group Tag (SGT) Exchange Protocol (SXP) is one of the several protocols that support CTS. CTS SXP version 4 (SXPv4) enhances the functionality of SXP by adding a loop detection mechanism to prevent stale binding in the network. In addition, Cisco TrustSec supports SGT inline tagging which allows propagation of SGT embedded in clear-text (unencrypted) ethernet packets.
When a wireless client is connected and is authenticated by ISE, the IP-SGT binding is generated on the controller. The same SGT is pushed to the AP along with the other client details.
For more details on SGT inline tagging on the AP and SXPv4, see the Cisco TrustSec Configuration Guide at: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cts/configuration/xe-3s/sec-usr-cts-xe-3s-book/sec-cts-sxpv4.html

Creating an SXP Profile

Procedure
Step 1  configure terminal
        Purpose: Enters global configuration mode.
        Example:
        Device# configure terminal

Step 2  wireless cts-sxp profile profile-name
        Purpose: Configures a wireless CTS profile and enters cts-sxp profile configuration mode.
        Example:
        Device(config)# wireless cts-sxp profile rr-profile

Step 3  cts sxp enable
        Purpose: Enables SXP for Cisco TrustSec.
        Example:
        Device(config-cts-sxp-profile)# cts sxp enable

Configuring SGT Inline Tagging on Access Points
Follow the procedure given below to configure SGT inline tagging on APs:

Before you begin
· The SGTs pushed to the AP for inline tagging will only be from dynamic SGT allocation through ISE authentication. Static bindings configured on the controller are not supported.
· SGTs will be pushed to an AP only when it is operating in flex mode.
To know the list of Cisco APs that support SGT inline tagging, see the release notes: https://www.cisco.com/c/en/us/support/wireless/catalyst-9800-series-wireless-controllers/products-release-notes-list.html

Procedure
Step 1  configure terminal
        Purpose: Enters global configuration mode.
        Example:
        Device# configure terminal

Step 2  wireless profile flex flex-profile
        Purpose: Configures a wireless flex profile and enters wireless flex profile configuration mode.
        Example:
        Device(config)# wireless profile flex rr-xyz-flex-profile

Step 3  cts inline-tagging
        Purpose: Enables inline tagging on the AP.
        Example:
        Device(config-wireless-flex-profile)# cts inline-tagging

Configuring an SXP Connection (GUI)
Perform the following steps to set the SXP global configuration.

Procedure
Step 1  In the Global section, select the SXP Enabled check box to enable SXP.
Step 2  Enter an IP address in the Default Source IP field.
Step 3  Enter a value in the Reconciliation Period (sec) field.
Step 4  Enter a value in the Retry Period (sec) field.
Step 5  Select the Set New Default Password check box. Selecting this check box displays the Password Type and Enter Password fields.
Step 6  Choose any one of the available types from the Password Type drop-down list.
Step 7  Enter a value in the Enter Password field.
Step 8  Click the Apply button.
Step 9  In the Peer section, click the Add button.
Step 10 Enter an IP address in the Peer IP field.
Step 11 Enter an IP address in the Source IP field.
Step 12 Choose any one of the available types from the Password drop-down list.
Step 13 Choose any one of the available types from the Mode of Local Device drop-down list.
Step 14 Click the Save & Apply to Device button.
Step 15 In the AP tab, click the Add button. The Add SXP AP dialog box appears.
Step 16 Enter a name for the profile in the Profile Name field.
Step 17 Set the Status field to Enabled to enable the AP.
Step 18 Enter a value in the Default Password field.
Step 19 Enter a value (in seconds) for the CTS Speaker Seconds, CTS Recon Period, CTS Retry Period, CTS Listener Maximum, and CTS Listener Minimum fields.
Step 20 In the CTS SXP Profile Connections section, click Add.
Step 21 Enter an IP address in the Peer IP field.
Step 22 Choose any one of the modes from the Connection Mode drop-down list. The available modes are Both, Listener, and Speaker.
Step 23 From the Password Type drop-down list, choose either None or Default.
Step 24 Click the Add button.
Step 25 Click the Save & Apply to Device button.

Configuring an SXP Connection
Follow the procedure given below to configure an SXP connection:

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: cts sxp enable
Example:
Device(config)# cts sxp enable
Purpose: Enables CTS SXP support.

Step 3
Command or Action: cts sxp connection peer ipv4-address password none mode local speaker
Example:
Device(config)# cts sxp connection peer 1.1.1.1 password none mode local speaker
Purpose: Configures the CTS-SXP peer address connection.
Note: The password need not always be none, and the mode can be Speaker, Listener, or Both.

What to do next
Use the following command to verify the configuration:
Device# show running-config | inc sxp

Verifying SGT Push to Access Points

When a wireless client is connected and authenticated by ISE, the IP-SGT binding is generated on the controller. This can be verified using the following command:
Device# show cts role-based sgt-map all

Active IPv4-SGT Bindings Information

IP Address      SGT     Source
============================================
1.1.1.1         100     CLI

IP-SGT Active Bindings Summary
============================================
Total number of CLI      bindings = 1
Total number of active   bindings = 1

Use the following command to verify the SXP connections status:
Device# show cts sxp connections
 SXP              : Enabled
 Highest Version Supported: 4
 Default Password : Not Set
 Default Source IP: Not Set
 Connection retry open period: 120 secs
 Reconcile period: 120 secs
 Retry open timer is running
 Peer-Sequence traverse limit for export: Not Set
 Peer-Sequence traverse limit for import: Not Set
----------------------------------------------
Peer IP          : 40.1.1.1
Source IP        : 40.1.1.2
Conn status      : On
Conn version     : 4
Conn capability  : IPv4-IPv6-Subnet
Conn hold time   : 120 seconds
Local mode       : SXP Listener
Connection inst# : 1
TCP conn fd      : 1
TCP conn password: none
Hold timer is running
Duration since last state change: 0:00:00:06 (dd:hr:mm:sec)

Total num of SXP Connections = 1

Use the following command to see the bindings learnt over the SXP connection:
Device# show cts role-based sgt-map all

Active IPv4-SGT Bindings Information

IP Address      SGT     Source
============================================
1.1.1.1         100     CLI

IP-SGT Active Bindings Summary
============================================
Total number of CLI      bindings = 1
Total number of active   bindings = 1

Use the following commands on the AP to check the status of inline tagging on the AP and its IP-SGT bindings:
AP# show capwap client rcb
AdminState              : ADMIN_ENABLED
OperationState          : UP
Name                    : AP2C33.1185.C4D0
SwVer                   : 16.6.230.41
HwVer                   : 1.0.0.0
MwarApMgrIp             : 9.3.72.38
MwarName                : mohit-ewlc
MwarHwVer               : 0.0.0.0
Location                : default location
ApMode                  : FlexConnect
ApSubMode               : Not Configured
CAPWAP Path MTU         : 1485
CAPWAP UDP-Lite         : Enabled
IP Prefer-mode          : IPv4
AP Link DTLS Encryption : OFF
AP TCP MSS Adjust       : Disabled
LinkAuditing            : disabled
Efficient Upgrade State : Disabled
Flex Group Name         : anrt-flex
AP Group Name           : default-group
Cisco Trustsec Config
AP Inline Tagging Mode  : Enabled
! The status can be Enabled or Disabled and is based on the tag that is pushed to the AP.
AP Sgacl Enforcement    : Disabled
AP Override Status      : Disabled

AP# show cts role-based sgt-map all
Active IPv4-SGT Bindings Information
IP                          SGT   SOURCE
9.3.74.101                  17    LOCAL

IP-SGT Active Bindings Summary
============================================
Total number of LOCAL    bindings = 1
Total number of active   bindings = 1

Active IPv6-SGT Bindings Information
IP                          SGT   SOURCE
fe80::c1d5:3da2:dc96:757d   17    LOCAL

IP-SGT Active Bindings Summary
============================================
Total number of LOCAL    bindings = 1
Total number of active   bindings = 1
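As an added example (not Cisco's code), the following Python audit parses the show cts sxp connections output shown above into global settings plus one record per peer and flags peerings that are down or run without a TCP password; the sample output is constructed to match the format above, with a second constructed peer so both branches are exercised.

```python
"""Audit 'show cts sxp connections' output for down or unauthenticated peerings."""
import re

# Constructed sample in the format of the output shown above (not a capture
# from a real device); a second peer is added so both findings are exercised.
SAMPLE_OUTPUT = """\
 SXP              : Enabled
 Highest Version Supported: 4
 Default Password : Not Set
 Default Source IP: Not Set
 Connection retry open period: 120 secs
 Reconcile period: 120 secs
 Retry open timer is running
 Peer-Sequence traverse limit for export: Not Set
 Peer-Sequence traverse limit for import: Not Set
----------------------------------------------
Peer IP          : 40.1.1.1
Source IP        : 40.1.1.2
Conn status      : On
Conn version     : 4
Conn capability  : IPv4-IPv6-Subnet
Conn hold time   : 120 seconds
Local mode       : SXP Listener
Connection inst# : 1
TCP conn fd      : 1
TCP conn password: none
Hold timer is running
Duration since last state change: 0:00:00:06 (dd:hr:mm:sec)
----------------------------------------------
Peer IP          : 40.1.1.5
Source IP        : 40.1.1.2
Conn status      : Off
Conn version     : 4
Local mode       : SXP Speaker
Connection inst# : 1
TCP conn password: default
Total num of SXP Connections = 2
"""

# "Key : value" lines; keys may contain spaces, '#' and '-' ("Connection inst#").
KV_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 #-]*?)\s*:\s*(.*?)\s*$")


def parse_sxp_connections(text):
    """Split the output into global settings and one dict per peer block."""
    settings, peers = {}, []
    current = settings
    for line in text.splitlines():
        if line.startswith("----"):
            current = {}          # a dashed separator opens the next peer block
            peers.append(current)
            continue
        m = KV_RE.match(line)
        if m:                     # timer/status lines without ':' are skipped
            current[m.group(1)] = m.group(2)
    return settings, peers


def audit_sxp(text):
    """Return (severity, message) findings for a defender to review."""
    settings, peers = parse_sxp_connections(text)
    findings = []
    if settings.get("SXP") != "Enabled":
        findings.append(("high", "SXP is not enabled on the controller"))
    if settings.get("Default Password", "Not Set") == "Not Set":
        findings.append(("medium", "no default SXP password is configured"))
    for p in peers:
        peer = p.get("Peer IP", "?")
        status = p.get("Conn status")
        if status != "On":
            findings.append(("high", f"peer {peer}: connection status is {status}"))
        if p.get("TCP conn password", "none") == "none":
            findings.append(("medium", f"peer {peer}: SXP TCP session has no password "
                                       "(unauthenticated peering)"))
    return findings


if __name__ == "__main__":
    for severity, msg in audit_sxp(SAMPLE_OUTPUT):
        print(f"[{severity}] {msg}")
```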

CHAPTER 113
Controller Self-Signed Certificate for Wireless AP Join
· Use Cases, on page 1059
· Prerequisites, on page 1060
· Configuring Clock Calendar (CLI), on page 1060
· Enabling HTTP Server (CLI), on page 1061
· Configuring CA Server (CLI), on page 1061
· Configuring Trustpoint (CLI), on page 1063
· Authenticating and Enrolling the PKI TrustPoint with CA Server (CLI), on page 1064
· Tagging Wireless Management TrustPoint Name (CLI), on page 1065
· Verifying Controller Certificates for Wireless AP Join, on page 1065

Use Cases

Use Case-1: The Cisco Catalyst 9800-CL platform does not contain manufacturer installed SUDI certificates. You will need to configure Self-Signed Certificates on your controller.

Use Case-2: APs running earlier versions and having a Manufacturer Installed Certificate (MIC) issued by a SHA1 Cisco Trusted CA cannot join a controller with a SHA2 SUDI certificate. During the CAPWAP join process, the AP displays a bad certificate error and tears down the DTLS handshake. Workaround: To upgrade the APs, configure controller Self-Signed certificates. Once done, you can delete the Self-Signed certificates and revert to the SUDI certificate.

Note: This workaround does not apply to the Embedded Wireless Controller running on Catalyst 9k switches, but it applies to other hardware appliance controllers, such as the Cisco Catalyst 9800-40, Cisco Catalyst 9800-80, and Cisco Catalyst 9800-L.
Prerequisites

Note: The certificate used in DTLS connections (AP and mobility) must use an RSA key of size 2048 bits or more. Otherwise, the AP and mobility connections will fail after reload. Run the show crypto pki certificate verbose _tp-name_ command to display the key size of the device certificate.

· Ensure that the VLAN interface is up and its IP is reachable.
· Ensure that the ip http server is enabled. For more information, see Enabling HTTP Server (CLI).
· Set the clock calendar-valid command appropriately. For more information, see Configuring Clock Calendar (CLI), on page 1060.
· Check whether the PKI CA server is already configured. If it is configured, you will need to delete the existing CA server configuration.

Note: The show crypto pki server command output should not display anything.

Configuring Clock Calendar (CLI)

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: clock calendar-valid
Example:
Device(config)# clock calendar-valid
Purpose: Enables clock calendar.

Step 3
Command or Action: exit
Example:
Device(config)# exit
Purpose: Exits configuration mode.


Enabling HTTP Server (CLI)

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: ip http server
Example:
Device(config)# ip http server
Purpose: Enables the HTTP server on your IP or IPv6 system, including a Cisco web browser user interface. By default, the HTTP server uses the standard port 80.

Step 3
Command or Action: ip http secure-server
Example:
Device(config)# ip http secure-server
Purpose: Enables the HTTP server on your IP or IPv6 system, including a Cisco web browser user interface. By default, the HTTP server uses the standard port 80.

Step 4
Command or Action: exit
Example:
Device(config)# exit
Purpose: Exits configuration mode.

Configuring CA Server (CLI)

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: crypto key generate rsa general-keys modulus size_of_key_module label keypair_name
Example:
Device(config)# crypto key generate rsa general-keys modulus 2048 label WLC_CA
Purpose: Configures a certificate for the controller. When you generate RSA keys, you are prompted to enter a modulus length. A longer modulus length might be more secure, but it takes longer to generate and to use.
Note: The recommended key-pair name is WLC_CA and the key modulus is 2048 bits.

Step 3
Command or Action: crypto pki server certificate_server_name
Example:
Device(config)# crypto pki server WLC_CA
Purpose: Enables the IOS certificate server.
Note: The certificate_server_name must be the same name as the keypair_name.

Step 4
Command or Action: issuer-name
Example:
Device(config)# issuer-name O=Cisco Virtual Wireless LAN Controller, CN=CA-vWLC
Purpose: Configures the X.509 distinguished name for the issuer CA certificate.
Note: You need to configure the same issuer-name as suggested for AP join.

Step 5
Command or Action: grant auto
Example:
Device(config)# grant auto
Purpose: Grants certificate requests automatically.

Step 6
Command or Action: hash sha256
Example:
Device(config)# hash sha256
Purpose: (Optional) Specifies the hash function for the signature used in the granted certificates.

Step 7
Command or Action: lifetime ca-certificate time-interval
Example:
Device(config)# lifetime ca-certificate 3650
Purpose: (Optional) Specifies the lifetime in days of a CA certificate.

Step 8
Command or Action: lifetime certificate time-interval
Example:
Device(config)# lifetime certificate 3650
Purpose: (Optional) Specifies the lifetime in days of a granted certificate.

Step 9
Command or Action: database archive pkcs12 password password
Example:
Device(config)# database archive pkcs12 password 0 cisco123
Purpose: Sets the CA key and CA certificate archive format and the password to encrypt the file.

Step 10
Command or Action: no shutdown
Example:
Device(config)# no shutdown
Purpose: Enables the certificate server.
Note: Issue this command only after you have completely configured your certificate server.

Step 11
Command or Action: end
Example:
Device(config)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.


Configuring Trustpoint (CLI)

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: crypto key generate rsa exportable general-keys modulus size-of-the-key-modulus label label
Example:
Device(config)# crypto key generate rsa exportable general-keys modulus 2048 label ewlc-tp1
Purpose: When you generate RSA keys, you are prompted to enter a modulus length. A longer modulus length might be more secure, but it takes longer to generate and to use.

Step 3
Command or Action: crypto pki trustpoint trustpoint_name
Example:
Device(config)# crypto pki trustpoint ewlc-tp1
Purpose: Creates a new trustpoint for an external CA server. Here, trustpoint_name refers to the trustpoint name.
Note: Ensure that the same name is used for the key pair (label) and trustpoint_name.

Step 4
Command or Action: rsakeypair RSA_key key_size
Example:
Device(ca-trustpoint)# rsakeypair ewlc-tp1
Purpose: Maps the RSA key with that of the trustpoint.
· RSA_key: Refers to the RSA key pair label.
· key_size: Refers to the signature key length. The value ranges from 360 to 4096.

Step 5
Command or Action: subject-name subject_name
Example:
Device(ca-trustpoint)# subject-name O=Cisco Virtual Wireless LAN Controller, CN=DEVICE-vWLC
Purpose: Creates subject name parameters for the trustpoint.

Step 6
Command or Action: revocation-check none
Example:
Device(ca-trustpoint)# revocation-check none
Purpose: Sets the revocation check method.

Step 7
Command or Action: hash sha256
Example:
Device(ca-trustpoint)# hash sha256
Purpose: Specifies the hash algorithm.

Step 8
Command or Action: serial-number
Example:
Device(ca-trustpoint)# serial-number
Purpose: Specifies the serial number.

Step 9
Command or Action: eku request server-auth client-auth
Example:
Device(ca-trustpoint)# eku request server-auth client-auth
Purpose: (Optional) Sets the certificate key-usage purpose.

Step 10
Command or Action: password password
Example:
Device(config)# password 0 cisco123
Purpose: Enables the password.

Step 11
Command or Action: enrollment url url
Example:
Device(config)# enrollment url http://<management-IPv4>:80
Purpose: Enrolls the URL.
Note: Replace the dummy IP with the management VLAN interface IP of the controller where the CA server is configured.

Step 12
Command or Action: exit
Example:
Device(config)# exit
Purpose: Exits the configuration.

Authenticating and Enrolling the PKI TrustPoint with CA Server (CLI)

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: crypto pki authenticate trustpoint_name
Example:
Device(config)# crypto pki authenticate ewlc-tp1
Certificate has the following attributes:
Fingerprint MD5: 64C5FC9A C581D827 C25FC3CF 1A7F42AC
Fingerprint SHA1: 6FAFF812 7C552783 6A8FB566 52D95849 CC2FC050
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
Purpose: Fetches the CA certificate.

Step 3
Command or Action: crypto pki enroll trustpoint_name
Example:
Device(config)# crypto pki enroll ewlc-tp1
Enter the following answers at the prompts:
% Include an IP address in the subject name? [no]: no
Request certificate from CA? [yes/no]: yes
Purpose: Enrolls for the client certificate.

Step 4
Command or Action: end
Example:
Device(config)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Tagging Wireless Management TrustPoint Name (CLI)

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wireless management trustpoint trustpoint_name
Example:
Device(config)# wireless management trustpoint ewlc-tp1
Purpose: Tags the wireless management trustpoint name.

Step 3
Command or Action: end
Example:
Device(config)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Verifying Controller Certificates for Wireless AP Join
To view the CA server details, use the following command:
Device# show crypto pki server
Certificate Server WLC_CA:
    Status: enabled
    State: enabled
    Server's configuration is locked  (enter "shut" to unlock it)
    Issuer name: O=Cisco Virtual Wireless LAN Controller, CN=CA-vWLC
    CA cert fingerprint: 79A3DBD5 59A7E384 73ABD152 C133F4E2
    Granting mode is: auto
    Last certificate issued serial number (hex): 1
    CA certificate expiration timer: 12:04:00 UTC Mar 8 2029
    CRL NextUpdate timer: 18:04:00 UTC Mar 11 2019
    Current primary storage dir: nvram:
    Database Level: Minimum - no cert data written to storage

To view the trustpoint details, use the following command:
Device# show crypto pki trustpoint ewlc-tp1 status
Trustpoint ewlc-tp1:
...
State:
  Keys generated ............. Yes (General Purpose, exportable)
  Issuing CA authenticated ....... Yes
  Certificate request(s) ..... Yes

To view the wireless management trustpoint details, use the following command:
Device# do show wireless management trustpoint
Trustpoint Name  : ewlc-tp1
Certificate Info : Available
Certificate Type : SSC
Certificate Hash : 4a5d777c5b2071c17faef376febc08398702184e
Private key Info : Available
FIPS suitability : Not Applicable

To view the HTTP server status, use the following command:
Device# show ip http server status | include server status
HTTP server status: Enabled
HTTP secure server status: Enabled
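As an added example (not Cisco's code), the following Python pre-flight check reads the CA server and trustpoint command sequence from the procedures above, as it would be typed, and verifies the constraints those procedures state: the certificate server name equals its RSA key label, each trustpoint's rsakeypair label equals the trustpoint name, every RSA modulus is at least 2048 bits, the enrollment URL no longer carries the <management-IPv4> placeholder, and no shutdown is not issued before the issuer-name is set. The command sequence is constructed from the page's examples.

```python
"""Pre-flight lint for the self-signed CA and trustpoint command sequence."""
import re

MIN_DTLS_RSA_BITS = 2048   # prerequisites note: DTLS certificates need RSA >= 2048 bits
EXPECTED_ISSUER = "O=Cisco Virtual Wireless LAN Controller, CN=CA-vWLC"

# Constructed from the page's examples; the enrollment URL deliberately keeps
# the <management-IPv4> placeholder so the linter has something to report.
SAMPLE_COMMANDS = """\
crypto key generate rsa general-keys modulus 2048 label WLC_CA
crypto pki server WLC_CA
 issuer-name O=Cisco Virtual Wireless LAN Controller, CN=CA-vWLC
 grant auto
 hash sha256
 lifetime ca-certificate 3650
 lifetime certificate 3650
 database archive pkcs12 password 0 cisco123
 no shutdown
crypto key generate rsa exportable general-keys modulus 2048 label ewlc-tp1
crypto pki trustpoint ewlc-tp1
 rsakeypair ewlc-tp1
 subject-name O=Cisco Virtual Wireless LAN Controller, CN=DEVICE-vWLC
 revocation-check none
 hash sha256
 enrollment url http://<management-IPv4>:80
"""

KEYGEN_RE = re.compile(r"crypto key generate rsa\b.*?\bmodulus\s+(\d+)\s+label\s+(\S+)")


def lint_pki_commands(text):
    """Return human-readable findings; an empty list means every check passed."""
    keys = {}            # RSA key label -> modulus bits
    findings = []
    block = None         # ("server" | "trustpoint", name) for the current sub-mode
    server_seen = set()  # first tokens of commands entered in the current server block
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEYGEN_RE.match(line)
        if m:
            bits, label = int(m.group(1)), m.group(2)
            keys[label] = bits
            if bits < MIN_DTLS_RSA_BITS:
                findings.append(f"key {label}: modulus {bits} < {MIN_DTLS_RSA_BITS}; "
                                "AP and mobility DTLS will fail after reload")
            continue
        if line.startswith("crypto pki server "):
            name = line.split()[3]
            block, server_seen = ("server", name), set()
            if name not in keys:   # certificate_server_name must equal keypair_name
                findings.append(f"server {name}: no RSA key pair labelled {name}")
            continue
        if line.startswith("crypto pki trustpoint "):
            block = ("trustpoint", line.split()[3])
            continue
        if block is None:
            continue
        kind, name = block
        if kind == "server":
            if line == "no shutdown":
                # The server must be fully configured before it is enabled.
                if "issuer-name" not in server_seen:
                    findings.append(f"server {name}: 'no shutdown' issued before issuer-name was set")
            else:
                server_seen.add(line.split()[0])
                if line.startswith("issuer-name ") and line[len("issuer-name "):].strip() != EXPECTED_ISSUER:
                    findings.append(f"server {name}: issuer-name differs from the value suggested for AP join")
        elif line.startswith("rsakeypair "):
            label = line.split()[1]
            if label != name:      # key-pair label and trustpoint_name must match
                findings.append(f"trustpoint {name}: rsakeypair label {label} differs from trustpoint name")
            elif label not in keys:
                findings.append(f"trustpoint {name}: rsakeypair {label} was never generated")
        elif line.startswith("enrollment url ") and "<" in line:
            findings.append(f"trustpoint {name}: enrollment url still carries a placeholder; "
                            "use the management VLAN interface IP of the CA controller")
    return findings


if __name__ == "__main__":
    for finding in lint_pki_commands(SAMPLE_COMMANDS) or ["all checks passed"]:
        print(finding)
```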


CHAPTER 114
Locally Significant Certificates
· Information About Locally Significant Certificates, on page 1067
· Restrictions for Locally Significant Certificates, on page 1069
· Provisioning Locally Significant Certificates, on page 1069
· Verifying LSC Configuration, on page 1081
· Configuring Management Trustpoint to LSC (GUI), on page 1081
· Configuring Management Trustpoint to LSC (CLI), on page 1082
· Information About MIC and LSC Access Points Joining the Controller, on page 1082
· Configuring Controller Self-Signed Certificate for Wireless AP Join, on page 1087
Information About Locally Significant Certificates
This module explains how to configure the Cisco Catalyst 9800 Series Wireless Controller and Lightweight Access Points (LAPs) to use the Locally Significant Certificate (LSC). If you choose the Public Key Infrastructure (PKI) with LSC, you can generate the LSC on the APs and controllers. You can then use the certificates to mutually authenticate the controllers and the APs.

In Cisco controllers, you can configure the controller to use an LSC. Use an LSC if you want your own PKI to provide better security, have control of your Certificate Authority (CA), and define policies, restrictions, and usages on the generated certificates.

You need to provision the new LSC certificate on the controller and then on the Lightweight Access Point (LAP) from the CA Server. The LAP communicates with the controller using the CAPWAP protocol. Any request to sign the certificate and issue the CA certificates for the LAP and the controller itself must be initiated from the controller. The LAP does not communicate directly with the CA server. The CA server details must be configured on the controller and must be accessible.

The controller makes use of the Simple Certificate Enrollment Protocol (SCEP) to forward certReqs generated on the devices to the CA, and makes use of SCEP again to get the signed certificates from the CA. SCEP is a certificate management protocol that PKI clients and CA servers use to support certificate enrollment and revocation. It is widely used in Cisco and supported by many CA servers. In SCEP, HTTP is used as the transport protocol for the PKI messages. The primary goal of SCEP is the secure issuance of certificates to network devices. SCEP is capable of many operations, but for our release, SCEP is utilized for the following operations:
· CA and Router Advertisement (RA) Public Key Distribution
· Certificate Enrollment

Certificate Provisioning in Controllers
The new LSC certificates, both CA and device certificates, must be installed on the controller. With the help of SCEP, CA certificates are received from the CA server. At this point, there are no certificates in the controller. After the get operation, the obtained CA certificates are installed on the controller. The same CA certificates are also pushed to the APs when the APs are provisioned with LSCs.

Note: We recommend that you use a new RSA keypair name for the newly configured PKI certificate. If you want to reuse an existing RSA keypair name (that is associated with an old certificate) for a new PKI certificate, do either of the following:
· Do not regenerate a new RSA keypair with an existing RSA keypair name; reuse the existing RSA keypair name. Regenerating a new RSA keypair with an existing RSA keypair name will make all the certificates associated with the existing RSA keypair invalid.
· Manually remove the old PKI certificate configurations first, before reusing the existing RSA keypair name for the new PKI certificate.
Device Certificate Enrollment Operation
For both the LAP and the controller that request a CA-signed certificate, the certRequest is sent as a PKCS#10 message. The certRequest contains the Subject Name, Public Key, and other attributes to be included in the X.509 certificate, and must be digitally signed by the Private Key of the requester. These are then sent to the CA, which transforms the certRequest into an X.509 certificate. The CA that receives a PKCS#10 certRequest requires additional information to authenticate the requester's identity and verify if the request is unaltered. (Sometimes, PKCS#10 is combined with other approaches, such as PKCS#7 to send and receive the certificate request or response.) The PKCS#10 is wrapped in a PKCS#7 Signed Data message type. This is supported as part of the SCEP client functionality, while the PKCSReq message is sent to the controller. Upon successful enrollment operation, both the CA and device certificates are available on the controller.
Certificate Provisioning on Lightweight Access Point
In order to provision a new certificate on LAP, while in CAPWAP mode, the LAP must be able to get the new signed X.509 certificate. In order to do this, it sends a certRequest to the controller, which acts as a CA proxy and helps obtain the certRequest signed by the CA for the LAP. The certReq and the certResponses are sent to the LAP with the LWAPP payloads. Both the LSC CA and the LAP device certificates are installed in the LAP, and the system reboots automatically. The next time when the system comes up, because it is configured to use LSCs, the AP sends the LSC device certificate to the controller as part of the JOIN Request. As part of the JOIN Response, the controller sends the new device certificate and also validates the inbound LAP certificate with the new CA root certificate.


What to Do Next To configure, authorize, and manage certificate enrollment with the existing PKI infrastructure for controller and AP, you need to use the LSC provisioning functionality.
Restrictions for Locally Significant Certificates
· The LSC workflow is different in FIPS+WLANCC mode. The CA server must support the Enrollment over Secure Transport (EST) protocol and should be capable of issuing EC certificates in FIPS+WLANCC mode.
· The Elliptic Curve Digital Signature Algorithm (ECDSA) cipher works only if both the AP and the controller have EC certificates provisioned with LSC.
· EC certificates (LSC-EC) can be provisioned only if the CA server supports EST (and not SCEP).
· FIPS + CC security mode is required to be configured in order to provision an EC certificate.

Provisioning Locally Significant Certificates

Configuring RSA Key for PKI Trustpoint

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: crypto key generate rsa [exportable] general-keys modulus key_size label RSA_key
Example:
Device(config)# crypto key generate rsa exportable general-keys modulus 2048 label lsc-tp
Purpose: Configures an RSA key for the PKI trustpoint. exportable is an optional keyword; you may or may not want to configure an exportable key. If selected, you can export the key out of the box, if required.
· key_size: Size of the key modulus. The valid range is from 2048 to 4096.
· RSA_key: RSA key pair label.

Step 3
Command or Action: end
Example:
Device(config)# end
Purpose: Returns to privileged EXEC mode.


Configuring PKI Trustpoint Parameters

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: crypto pki trustpoint trustpoint_name
Example:
Device(config)# crypto pki trustpoint microsoft-ca
Purpose: Creates a new trustpoint for an external CA server. Here, trustpoint_name refers to the trustpoint name.

Step 3
Command or Action: enrollment url HTTP_URL
Example:
Device(ca-trustpoint)# enrollment url http://CA_server/certsrv/mscep/mscep.dll
Purpose: Specifies the URL of the CA to which your router should send certificate requests. url: URL of the file system where your router should send certificate requests. An IPv6 address can be added in the URL enclosed in brackets. For example: http://[2001:DB8:1:1::1]:80. For more enrollment method options, see the enrollment url (ca-trustpoint) command page.

Step 4
Command or Action: subject-name subject_name
Example:
Device(ca-trustpoint)# subject-name C=IN, ST=KA, L=Bengaluru, O=Cisco, CN=eagle-eye/emailAddress=support@abc.com
Purpose: Creates subject name parameters for the trustpoint.

Step 5
Command or Action: rsakeypair RSA_key key_size
Example:
Device(ca-trustpoint)# rsakeypair ewlc-tp1
Purpose: Maps the RSA key with that of the trustpoint.
· RSA_key: RSA key pair label.
· key_size: Signature key length. The range is from 360 to 4096.

Step 6
Command or Action: revocation-check {crl | none | ocsp}
Example:
Device(ca-trustpoint)# revocation-check none
Purpose: Sets the revocation check method.

Step 7
Command or Action: end
Example:
Device(ca-trustpoint)# end
Purpose: Returns to privileged EXEC mode.


Authenticating and Enrolling a PKI Trustpoint (GUI)
Procedure

Step 1 Choose Configuration > Security > PKI Management.
Step 2 In the PKI Management window, click the Trustpoints tab.
Step 3 In the Add Trustpoint dialog box, provide the following information:
a) In the Label field, enter the RSA key label.
b) In the Enrollment URL field, enter the enrollment URL.
c) Check the Authenticate check box to authenticate the Public Certificate from the enrollment URL.
d) In the Subject Name section, enter the Country Code, State, Location, Organisation, Domain Name, and Email Address.
e) Check the Key Generated check box to view the available RSA keypairs. Choose an option from the Available RSA Keypairs drop-down list.
f) Check the Enroll Trustpoint check box.
g) In the Password field, enter the password.
h) In the Re-Enter Password field, confirm the password.
i) Click Apply to Device.
The new trustpoint is added to the trustpoint name list.

Authenticating and Enrolling the PKI Trustpoint with CA Server (CLI)

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: crypto pki authenticate trustpoint_name
Example:
Device(config)# crypto pki authenticate microsoft-ca
Purpose: Fetches the CA certificate.

Step 3
Command or Action: yes
Example:
Device(config)# % Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.

Step 4
Command or Action: crypto pki enroll trustpoint_name
Example:
Device(config)# crypto pki enroll microsoft-ca
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this password to the CA Administrator in order to revoke your certificate. For security reasons your password will not be saved in the configuration. Please make a note of it.
Purpose: Enrolls the client certificate.

Step 5
Command or Action: password
Example:
Device(config)# abcd123
Purpose: Enters a challenge password to the CA server.

Step 6
Command or Action: password
Example:
Device(config)# abcd123
Purpose: Re-enters the challenge password to the CA server.

Step 7
Command or Action: yes
Example:
Device(config)# % Include the router serial number in the subject name? [yes/no]: yes

Step 8
Command or Action: no
Example:
Device(config)# % Include an IP address in the subject name? [no]: no

Step 9
Command or Action: yes
Example:
Device(config)# Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto pki certificate verbose client' command will show the fingerprint.

Step 10
Command or Action: end
Example:
Device(config)# end
Purpose: Returns to privileged EXEC mode.


Configuring AP Join Attempts with LSC Certificate (GUI)
Procedure

Step 1 Choose Configuration > Wireless > Access Points.
Step 2 In the All Access Points window, click the LSC Provision name.
Step 3 From the Status drop-down list, choose a status to enable LSC.
Step 4 From the Trustpoint Name drop-down list, choose the trustpoint.
Step 5 In the Number of Join Attempts field, enter the number of retry attempts that will be permitted.
Step 6 Click Apply.

Configuring AP Join Attempts with LSC Certificate (CLI)

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: ap lsc-provision join-attempt number_of_attempts
Example:
Device(config)# ap lsc-provision join-attempt 10
Purpose: Specifies the maximum number of AP join failure attempts with the newly provisioned LSC certificate. When the number of failed AP join attempts exceeds the specified limit, the AP joins back with the Manufacturer Installed Certificate (MIC).

Step 3
Command or Action: end
Example:
Device(config)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Configuring Subject-Name Parameters in LSC Certificate

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: ap lsc-provision subject-name-parameter country country-str state state-str city city-str domain domain-str org org-str email-address email-addr-str
Example:
Device(config)# ap lsc-provision subject-name-parameter country India state Karnataka city Bangalore domain domain1 org Right email-address adc@gfe.com
Purpose: Specifies the attributes to be included in the subject-name parameter of the certificate request generated by an AP.

Step 3
Command or Action: end
Example:
Device(config)# end
Purpose: Returns to privileged EXEC mode.

Configuring Key Size for LSC Certificate

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: ap lsc-provision key-size {2048 | 3072 | 4096}
Example:
Device(config)# ap lsc-provision key-size 2048
Purpose: Specifies the size of the keys to be generated for the LSC on the AP.

Step 3
Command or Action: end
Example:
Device(config)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Configuring Trustpoint for LSC Provisioning on an Access Point

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: ap lsc-provision trustpoint tp-name
Example:
Device(config)# ap lsc-provision trustpoint microsoft-ca
Purpose: Specifies the trustpoint with which the LSC is provisioned to an AP. tp-name: The trustpoint name.

Step 3
Command or Action: end
Example:
Device(config)# end
Purpose: Returns to privileged EXEC mode.

Configuring an AP LSC Provision List (GUI)
Procedure

Step 1 Choose Configuration > Wireless > Access Points.
Step 2 In the All Access Points window, click the corresponding LSC Provision name.
Step 3 From the Status drop-down list, choose a status to enable LSC.
Step 4 From the Trustpoint Name drop-down list, choose a trustpoint.
Step 5 In the Number of Join Attempts field, enter the number of retry attempts that are allowed.
Step 6 From the Key Size drop-down list, choose a key.
Step 7 In the Edit AP Join Profile window, click the CAPWAP tab.
Step 8 In the Add APs to LSC Provision List section, click Select File to upload the CSV file that contains the AP details.
Step 9 Click Upload File.
Step 10 In the AP MAC Address field, enter the AP MAC address and add them. (The APs added to the provision list are displayed in the APs in Provision List section.)
Step 11 In the Subject Name Parameters section, enter the following details:
· Country
· State
· City
· Organisation
· Department
· Email Address
Step 12 Click Apply.


Configuring an AP LSC Provision List (CLI)

Procedure

Step 1: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: ap lsc-provision mac-address mac-addr
Example:
Device(config)# ap lsc-provision mac-address 001b.3400.02f0
Purpose: Adds the AP to the LSC provision list.
Note: Adding APs to the list does not by itself start provisioning. Provision the listed APs with the ap lsc-provision provision-list command, or provision all APs with the ap lsc-provision command.

Step 3: end
Example:
Device(config)# end
Purpose: Returns to privileged EXEC mode.

Configuring LSC Provisioning for all the APs (GUI)
Procedure

Step 1 Choose Configuration > Wireless > Access Points.
Step 2 In the Access Points window, expand the LSC Provision section.
Step 3 Set Status to Enabled.
Note: If you set Status to Provision List, LSC provisioning is configured only for APs that are part of the provision list.
Step 4 From the Trustpoint Name drop-down list, choose the appropriate trustpoint for all APs.
Step 5 In the Number of Join Attempts field, enter the number of retry attempts that the APs can make to join the controller.
Step 6 From the Key Size drop-down list, choose the key size of the certificate:
· 2048
· 3072
· 4096
Step 7 In the Add APs to LSC Provision List section, click Select File to upload the CSV file that contains the AP details.
Step 8 Click Upload File.
Step 9 In the AP MAC Address field, enter the AP MAC address. (The APs that are added to the provision list are displayed in the APs in Provision List section.)
Step 10 In the Subject Name Parameters section, enter the following details:
a. Country
b. State
c. City
d. Organization
e. Department
f. Email Address
Step 11 Click Apply.

Configuring LSC Provisioning for All APs (CLI)

Procedure

Step 1: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: ap lsc-provision
Example:
Device(config)# ap lsc-provision
Purpose: Enables LSC provisioning for all APs. By default, LSC provisioning is disabled for all APs.

Step 3: end
Example:
Device(config)# end
Purpose: Returns to privileged EXEC mode.

Configuring LSC Provisioning for the APs in the Provision List

Procedure

Step 1: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: ap lsc-provision provision-list
Example:
Device(config)# ap lsc-provision provision-list
Purpose: Enables LSC provisioning for the set of APs configured in the provision list.

Step 3: end
Example:
Device(config)# end
Purpose: Returns to privileged EXEC mode. Alternatively, press Ctrl-Z to exit global configuration mode.

Importing a CA Certificate to the Trustpool (GUI)
PKI Trustpool Management is used to store a list of trusted certificates (either downloaded or built in) used by the different services on the controller. This is also used to authenticate a multilevel CA certificate. The built in CA certificate bundle in the PKI trustpool receives automatic updates from Cisco if they are not current, are corrupt, or if certain certificates need to be updated.
Perform this task to manually update the CA certificates in the PKI trustpool.

Note If your LSC has been issued by an intermediate CA, you must import the complete chain of CA certificates into the trustpool. Otherwise, you will not be able to provision the APs without the complete chain being present on the controller. The import step is not required if the certificate has been issued by a root CA.
Procedure

Step 1 Choose Configuration > Security > PKI Management.
Step 2 In the PKI Management window, click the Trustpool tab.
Step 3 Click Import.
Step 4 In the CA Certificate field, copy and paste the CA certificate. If the chain has several CA certificates, concatenate them in .pem format.
Step 5 Click Apply to Device.

Importing a CA Certificate to the Trustpool (CLI)

Procedure

Step 1: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: crypto pki trustpool import terminal
Example:
Device(config)# crypto pki trustpool import terminal
% Enter PEM-formatted CA certificate.
% End with a blank line or "quit" on a line by itself.
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Aug 23 02:47:33.450: %PKI-6-TRUSTPOOL_DOWNLOAD_SUCCESS: Trustpool Download is successful
Purpose: Imports the CA certificate chain into the trustpool. Paste the PEM-formatted CA certificates (for example, the root and intermediate certificates obtained from digicert.com) one after another and finish with a blank line or quit. Because a blank line ends the paste, make sure the bundle contains no blank lines between certificates; otherwise the import stops at that point and the remaining certificates are not loaded.

Step 3: end
Example:
Device(config)# end
Purpose: Returns to privileged EXEC mode.
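
The GUI import step above asks you to concatenate the CA certificates in .pem format, and the CLI import stops at the first blank line. The following Python script is an added example (not code from the Cisco guide) that validates such a bundle before you paste it: it splits the PEM blocks, checks that each body is valid base64 wrapping a DER SEQUENCE, and re-emits the chain with no blank lines and a single trailing blank line as the terminator. The sample bundle is constructed test data with the right outer DER shape, not real certificates; the `_fake_der` helper exists only to build it.

```python
"""Check and normalise a PEM CA bundle before pasting it into
`crypto pki trustpool import terminal` (added example, not Cisco's code).

The controller ends the paste at the first blank line (or a line reading
"quit"), so a bundle that contains a blank line between certificates imports
only the part before it. This script catches that and other paste problems.
"""
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def split_pem_certificates(text: str) -> list:
    """Return the base64 body of every CERTIFICATE block, in bundle order.

    Text outside BEGIN/END markers (for example the `subject=` lines that
    openssl prints in front of each block) is ignored; bad nesting is an error.
    """
    bodies, current, inside = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == BEGIN:
            if inside:
                raise ValueError("BEGIN CERTIFICATE inside an open block")
            inside, current = True, []
        elif line == END:
            if not inside:
                raise ValueError("END CERTIFICATE without a matching BEGIN")
            bodies.append("".join(current))
            inside = False
        elif inside and line:
            current.append(line)
    if inside:
        raise ValueError("unterminated CERTIFICATE block")
    return bodies


def der_is_certificate(der: bytes) -> bool:
    """Cheap structural check: an X.509 certificate is one outer DER SEQUENCE
    (tag 0x30) whose encoded length covers exactly the rest of the buffer."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length
        length, header = first, 2
    else:                                  # long-form: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return header + length == len(der)


def prepare_bundle_for_terminal(text: str) -> tuple:
    """Validate every certificate and return (count, paste_safe_text).

    The returned text has 64-column base64 lines, no blank lines between
    blocks, and exactly one trailing blank line: the terminator the CLI expects.
    """
    bodies = split_pem_certificates(text)
    if not bodies:
        raise ValueError("no CERTIFICATE blocks found")
    out = []
    for index, body in enumerate(bodies, 1):
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError as exc:          # binascii.Error is a ValueError
            raise ValueError(f"certificate {index}: invalid base64") from exc
        if not der_is_certificate(der):
            raise ValueError(f"certificate {index}: not a DER SEQUENCE")
        out.append(BEGIN)
        out.extend(re.findall(".{1,64}", body))
        out.append(END)
    return len(bodies), "\n".join(out) + "\n\n"


def _fake_der(payload: bytes) -> str:
    """Constructed test data only: wrap payload in an outer DER SEQUENCE and
    base64 it. Right outer shape, but not a real certificate."""
    n = len(payload)
    if n < 0x80:
        header = bytes([0x30, n])
    else:
        size = (n.bit_length() + 7) // 8
        header = bytes([0x30, 0x80 | size]) + n.to_bytes(size, "big")
    return base64.b64encode(header + payload).decode()


# Constructed bundle: an openssl-style comment line, a short "root" block, a
# long-form-length "intermediate" block, and the blank line between them that
# would cut the paste short on the controller.
ROOT_B64 = _fake_der(b"\x02\x03\x01\x00\x01")
INTERMEDIATE_B64 = _fake_der(bytes(200))
SAMPLE_BUNDLE = "\n".join([
    "subject=CN=Example Root CA",
    BEGIN, ROOT_B64, END,
    "",
    BEGIN, INTERMEDIATE_B64, END,
]) + "\n"

if __name__ == "__main__":
    count, paste_text = prepare_bundle_for_terminal(SAMPLE_BUNDLE)
    print(f"{count} certificate(s) ready to paste:")
    print(paste_text, end="")
```

Run it against the real bundle exported from your CA; the check only confirms that each block decodes to a DER SEQUENCE, so use `show crypto pki trustpool` afterwards to confirm that the expected subjects were loaded.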

Cleaning the CA Certificates Imported in Trustpool (GUI)
Procedure

Step 1 Choose Configuration > Security > PKI Management.
Step 2 In the PKI Management window, click the Trustpool tab.
Step 3 Click Clean.
Note: This erases the downloaded CA certificate bundles. It does not erase the built-in CA certificate bundles.
Step 4 Click Yes.

Cleaning CA Certificates Imported in Trustpool (CLI)
You cannot delete a specific CA certificate from the trustpool. However, you can clear all the CA certificates that are imported to the Trustpool.

Procedure

Step 1: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: crypto pki trustpool clean
Example:
Device(config)# crypto pki trustpool clean
Purpose: Erases the downloaded CA certificate bundles. It does not erase the built-in CA certificate bundles.

Step 3: end
Example:
Device(config)# end
Purpose: Returns to privileged EXEC mode. Alternatively, press Ctrl-Z to exit global configuration mode.

Creating a New Trustpoint Dedicated to a Single CA Certificate

Procedure

Step 1: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: crypto pki trustpoint tp-name
Example:
Device(config)# crypto pki trustpoint tp_name
Purpose: Creates a trustpoint and enters ca-trustpoint configuration mode.

Step 3: enrollment terminal
Example:
Device(ca-trustpoint)# enrollment terminal
Purpose: Sets manual (cut-and-paste) enrollment for the trustpoint, so that the CA certificate is supplied at the terminal rather than fetched from a URL.

Step 4: exit
Example:
Device(ca-trustpoint)# exit
Purpose: Exits trustpoint configuration mode.

Step 5: crypto pki authenticate tp-name
Example:
Device(config)# crypto pki authenticate tp_name
<<< PASTE CA-CERT in PEM format followed by quit >>>
Purpose: Authenticates the trustpoint by installing the CA certificate. Paste the CA certificate in PEM format, then type quit on a line by itself. Compare the fingerprint that the controller displays with the value published by the CA before you accept the certificate.


Verifying LSC Configuration
To view the details of the wireless management trustpoint, use the following command:
Device# show wireless management trustpoint
Trustpoint Name : microsoft-ca
Certificate Info : Available
Certificate Type : LSC
Certificate Hash : 9e5623adba5307facf778e6ea2f5082877ea4beb
Private key Info : Available

To view the LSC provision-related configuration details for an AP, use the following command:
Device# show ap lsc-provision summary
AP LSC-provisioning : Disabled
Trustpoint used for LSC-provisioning : lsc-root-tp
Certificate chain status : Available
Number of certs on chain : 2
Certificate hash : 7f9d05183deecac4e5a79db65d538245685e8e30
LSC Revert Count in AP reboots : 1

AP LSC Parameters :
Country : IN
State : KA
City : BLR
Orgn : ABC
Dept : ABC
Email : support@abc.com
Key Size : 2048
EC Key Size : 384 bit

AP LSC-provision List :
Total number of APs in provision list: 2
Mac Addresses :
-------------
1880.90f5.1540
2c5a.0f70.84dc
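
The two show commands above are the ones you would capture during a review of an LSC deployment. The following Python script is an added example (not code from the Cisco guide) that parses that output and reports the inconsistencies a reviewer would otherwise have to spot by eye: provisioning left disabled while APs sit in the provision list, a missing certificate chain, an AP key size below the 2048-bit minimum, or a management trustpoint that is not an LSC. The sample outputs are constructed to match the layout shown above; the thresholds and finding texts are this script's own.

```python
"""Audit LSC state from controller `show` output (added example, not Cisco's).

Feed it the text of `show ap lsc-provision summary` and
`show wireless management trustpoint`, captured from the CLI or by an
automation tool, and it returns a list of findings.
"""
import re

DOTTED_MAC = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")


def parse_kv(output: str) -> dict:
    """Collect 'Key : Value' lines into a dict (later duplicates win)."""
    fields = {}
    for line in output.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def parse_provision_list(output: str) -> list:
    """Return the MAC addresses listed under 'Mac Addresses :'."""
    macs, collecting = [], False
    for line in output.splitlines():
        text = line.strip()
        if text.startswith("Mac Addresses"):
            collecting = True
            continue
        if not collecting or not text or set(text) == {"-"}:
            continue
        if DOTTED_MAC.match(text.lower()):
            macs.append(text.lower())
        else:
            break                     # first non-MAC line ends the table
    return macs


def audit_lsc(summary_output: str, mgmt_output: str, min_key_bits: int = 2048) -> list:
    """Return a list of findings; an empty list means the state is consistent."""
    summary = parse_kv(summary_output)
    mgmt = parse_kv(mgmt_output)
    macs = parse_provision_list(summary_output)
    findings = []

    state = summary.get("AP LSC-provisioning", "").lower()
    if state == "disabled" and macs:
        findings.append(
            f"LSC provisioning is disabled but {len(macs)} AP(s) are in the "
            "provision list; run 'ap lsc-provision provision-list' to enable it")
    if summary.get("Certificate chain status", "").lower() != "available":
        findings.append("LSC trustpoint has no usable certificate chain on the controller")
    declared = summary.get("Total number of APs in provision list", "")
    if declared.isdigit() and int(declared) != len(macs):
        findings.append(f"provision list declares {declared} APs but {len(macs)} were parsed")
    key_bits = summary.get("Key Size", "0")
    if not key_bits.isdigit() or int(key_bits) < min_key_bits:
        findings.append(f"AP LSC key size '{key_bits}' is below {min_key_bits} bits")
    if mgmt.get("Certificate Type", "") != "LSC":
        findings.append("management trustpoint is not an LSC; this controller is not LSC-deployed")
    if mgmt.get("Private key Info", "").lower() != "available":
        findings.append("management trustpoint has no private key; the DTLS server cannot use it")
    return findings


# Constructed sample output, laid out like the guide's show command output.
SUMMARY_OUTPUT = """\
AP LSC-provisioning : Disabled
Trustpoint used for LSC-provisioning : lsc-root-tp
Certificate chain status : Available
Number of certs on chain : 2
Certificate hash : 7f9d05183deecac4e5a79db65d538245685e8e30
LSC Revert Count in AP reboots : 1

AP LSC Parameters :
Country : IN
State : KA
City : BLR
Orgn : ABC
Dept : ABC
Email : support@abc.com
Key Size : 2048
EC Key Size : 384 bit

AP LSC-provision List :
Total number of APs in provision list: 2
Mac Addresses :
-------------
1880.90f5.1540
2c5a.0f70.84dc
"""

MGMT_OUTPUT = """\
Trustpoint Name : microsoft-ca
Certificate Info : Available
Certificate Type : LSC
Certificate Hash : 9e5623adba5307facf778e6ea2f5082877ea4beb
Private key Info : Available
"""

if __name__ == "__main__":
    for finding in audit_lsc(SUMMARY_OUTPUT, MGMT_OUTPUT) or ["no findings"]:
        print(finding)
```

On the sample above the only finding is that provisioning is still disabled while two APs are listed, which is exactly the state the guide's own output shows before ap lsc-provision provision-list is entered.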

Configuring Management Trustpoint to LSC (GUI)
Procedure

Step 1 Choose Administration > Management > HTTP/HTTPS.
Step 2 In the HTTP Trust Point Configuration section, set Enable Trust Point to Enabled.
Step 3 From the Trust Points drop-down list, choose the appropriate trustpoint.
Step 4 Save the configuration.


Configuring Management Trustpoint to LSC (CLI)
After LSC provisioning, the APs will automatically reboot and join at the LSC mode after bootup. Similarly, if you remove the AP LSC provisioning, the APs reboot and join at non-LSC mode.

Procedure

Step 1: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: wireless management trustpoint trustpoint_name
Example:
Device(config)# wireless management trustpoint microsoft-ca
Purpose: Sets the LSC trustpoint as the management trustpoint.

Step 3: end
Example:
Device(config)# end
Purpose: Returns to privileged EXEC mode. Alternatively, press Ctrl-Z to exit global configuration mode.

Information About MIC and LSC Access Points Joining the Controller
Overview of Support for MIC and LSC Access Points Joining the Controller
In Cisco IOS XE Bengaluru 17.4.1 and earlier releases, APs with a default certificate (Manufacturing Installed Certificate [MIC] or Secure Unique Device Identifier [SUDI]) fail to join a Locally Significant Certificate-deployed (LSC-deployed) controller, that is, a controller whose management certificate is an LSC. To work around this, you must provision an LSC on these APs using a provisioning controller before moving them to the LSC-deployed controller. From Cisco IOS XE Bengaluru 17.5.1 onwards, the new authorization policy configuration allows MIC APs to join the LSC-deployed controller, so that LSC and MIC APs can coexist on the same controller.
Recommendations and Limitations
· When the CA server is configured with manual enrollment (manual intervention) to accept a Certificate Signing Request (CSR), the controller waits for the CA server to send the pending response. If there is no response from the CA server for 10 minutes, the fallback mode comes into effect.
· Cisco Wave 2 APs regenerate the CSR, and a fresh CSR is sent to the CA server.
· Cisco IOS APs restart, and then send a fresh CSR, which is in turn sent to the CA server.
· Locally significant certificate (LSC) on the controller does not work with a password challenge. Therefore, for LSC to work, you must disable the password challenge on the CA server.
· If you are using Microsoft CA, we recommend that you use Windows Server 2012 or later as the CA server.
Configuration Workflow
1. Configuring LSC on the Controller (CLI), on page 1083
2. Enabling the AP Certificate Policy on the APs (CLI), on page 1084
3. Configuring the AP Policy Certificate (GUI), on page 1085
4. Configuring the Allowed List of APs to Join the Controller (CLI), on page 1085
Configuring LSC on the Controller (CLI)
The server certificate used by the controller for CAPWAP-DTLS is based on the following configuration.
Before you begin
Ensure that you enable LSC by setting the appropriate trustpoints for the following wireless management services:
· AP join process: CAPWAP DTLS server certificate
· Mobility connections: Mobility DTLS certificate
· NMSP and CMX connections: NMSP TLS certificate

Procedure

Step 1: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: [no] wireless management trustpoint trustpoint-name
Example:
Device(config)# wireless management trustpoint trustpoint-name
Purpose: Configures the LSC trustpoint as the management trustpoint of the LSC-deployed controller. The no form removes it.


Enabling the AP Certificate Policy on the APs (CLI)
· If the management trustpoint is an LSC, MIC APs fail to join the controller by default. This configuration is the knob that enables or disables MIC APs joining such a controller.
· This configuration is a controller-side authorization that allows APs presenting a MIC to join at the time of the DTLS handshake.
To prevent manufacturing installed certificate (MIC) expiry failures, ensure that you configure a policy, as shown here:
· Create a certificate map and add the rules:
configure terminal
crypto pki certificate map map1 1
issuer-name co Cisco Manufacturing CA

Note: You can add multiple rules and filters under the same map. The rule in the example above selects any certificate whose issuer-name contains Cisco Manufacturing CA (case insensitive).
· Use the certificate map under the trustpool policy:
configure terminal
crypto pki trustpool policy
match certificate map1 allow expired-certificate

Because this policy suppresses expiry checking for every certificate the map matches, keep the map as narrow as possible; the issuer-name rule above confines the exemption to certificates issued by the Cisco Manufacturing CA.

Procedure

Step 1: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: ap auth-list ap-cert-policy allow-mic-ap trustpoint trustpoint-name
Example:
Device(config)# ap auth-list ap-cert-policy allow-mic-ap trustpoint trustpoint-name
Purpose: Configures the trustpoint name for the controller certificate chain.
Note: The allow-mic-ap trustpoint command is required only for the virtual controller (Cisco Catalyst 9800-CL Wireless Controller for Cloud). On all other appliance controller platforms, the default certificate is selected; this default certificate is the manufacturer-installed SUDI.

Step 3: ap auth-list ap-cert-policy allow-mic-ap
Example:
Device(config)# ap auth-list ap-cert-policy allow-mic-ap
Purpose: Enables the AP certificate policy during the CAPWAP-DTLS handshake.


Step 4: ap auth-list ap-cert-policy {mac-address H.H.H | serial-number serial-number-ap} policy-type mic
Example:
Device(config)# ap auth-list ap-cert-policy mac-address 1111.1111.1111 policy-type mic
Purpose: Sets the AP certificate policy to MIC for the specified AP.

Configuring the AP Policy Certificate (GUI)
Procedure

Step 1 Choose Configuration > Wireless > Access Points.
Step 2 In the All Access Points window, click AP Certificate Policy.
Step 3 In the AP Policy Certificate window, complete the following actions:
a) Click the Authorize APs joining with MIC toggle button to enable AP authorization.
b) From the Trustpoint Name drop-down list, choose the required trustpoint.
c) Click Add MAC or Serial Number to add a MAC address or a serial number manually or through a .csv file. The Add MAC or Serial Number window is displayed.
d) Click the AP Authlist Type and enter the MAC address or the serial number. Upload the .csv file or enter the MAC address in the list box. The newly added MAC addresses and serial numbers are displayed under List of MAC Address and Serial Numbers.
e) Click Apply.
The AP certificate policy is added to the AP Inventory window.

Note: To add a new AP with MIC, perform Step 1 to Step 3 described in the Configuring the AP Policy Certificate (GUI) section. To add a new AP with LSC, perform the procedure described in the Configuring an AP LSC Provision List (GUI) section and Step 1 to Step 3 in the Configuring the AP Policy Certificate (GUI) section.

Configuring the Allowed List of APs to Join the Controller (CLI)
The allowed list of APs can either be populated based on the Ethernet MAC address or based on the serial number of the APs.


Procedure

Step 1: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: ap auth-list ap-cert-policy {mac-address AP-Ethernet-MAC-address | serial-number AP-serial-number} policy-type mic
Example:
Device(config)# ap auth-list ap-cert-policy mac-address 00b0.e192.0d98 policy-type mic
Purpose: Configures the AP certificate policy based on the Ethernet MAC address or the assembly serial number of the AP.
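
Both the LSC provision list (ap lsc-provision mac-address, in Configuring an AP LSC Provision List (CLI)) and the MIC allowed list above are populated one AP at a time, while the GUI variants accept a CSV upload. The following Python script is an added example (not code from the Cisco guide) that does the CSV-to-CLI step for you: it normalises MAC addresses from whatever notation the inventory uses into the dotted form IOS XE expects, rejects multicast, truncated and duplicate entries instead of silently emitting bad config, and appends the activating commands from the guide. The CSV columns (name, mac, serial, cert) and the serial-number pattern are assumptions of this example, and the inventory rows are constructed.

```python
"""Generate per-AP provisioning CLI from an inventory CSV (added example,
not Cisco's code).

Rows with cert=lsc become `ap lsc-provision mac-address` lines; rows with
cert=mic become `ap auth-list ap-cert-policy ... policy-type mic` lines,
keyed by MAC when one is present and by serial number otherwise.
"""
import csv
import io
import re

HEX12 = re.compile(r"[0-9a-f]{12}")
SERIAL = re.compile(r"[A-Z0-9]{6,20}")          # assumed AP serial format


def normalize_mac(raw: str) -> str:
    """Accept 00:1B:34:00:02:F0, 00-1b-34-00-02-f0, 001b340002f0 or
    001b.3400.02f0 and return aaaa.bbbb.cccc; reject anything else."""
    digits = re.sub(r"[\s:.\-]", "", raw).lower()
    if not HEX12.fullmatch(digits):
        raise ValueError(f"{raw!r} is not a 48-bit MAC address")
    if int(digits[:2], 16) & 0x01:           # I/G bit set: group address
        raise ValueError(f"{raw!r} has the multicast bit set; not a unicast AP MAC")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def normalize_serial(raw: str) -> str:
    serial = raw.strip().upper()
    if not SERIAL.fullmatch(serial):
        raise ValueError(f"{raw!r} does not look like an AP serial number")
    return serial


def build_ap_commands(inventory_csv: str) -> tuple:
    """Return (commands, rejects). Every inventory row becomes exactly one
    command or one reject line; duplicates are rejected, not silently merged."""
    commands, rejects, seen = [], [], set()
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        name = (row.get("name") or "?").strip()
        cert = (row.get("cert") or "").strip().lower()
        mac = (row.get("mac") or "").strip()
        serial = (row.get("serial") or "").strip()
        try:
            if cert == "lsc":
                cmd = f"ap lsc-provision mac-address {normalize_mac(mac)}"
            elif cert == "mic" and mac:
                cmd = f"ap auth-list ap-cert-policy mac-address {normalize_mac(mac)} policy-type mic"
            elif cert == "mic":
                cmd = f"ap auth-list ap-cert-policy serial-number {normalize_serial(serial)} policy-type mic"
            else:
                raise ValueError(f"cert must be 'lsc' or 'mic', got {cert!r}")
            if cmd in seen:
                raise ValueError("duplicate of an earlier inventory row")
        except ValueError as exc:
            rejects.append(f"{name}: {exc}")
            continue
        seen.add(cmd)
        commands.append(cmd)
    return commands, rejects


def render_config(commands: list) -> str:
    """Wrap the per-AP lines in configure terminal / end and append the
    commands from the guide that activate each list."""
    body = ["configure terminal", *commands]
    if any(c.startswith("ap lsc-provision mac-address") for c in commands):
        body.append("ap lsc-provision provision-list")
    if any(c.startswith("ap auth-list ap-cert-policy") for c in commands):
        body.append("ap auth-list ap-cert-policy allow-mic-ap")
    body.append("end")
    return "\n".join(body) + "\n"


# Constructed inventory: mixed MAC notations, one MIC AP listed by serial only,
# one duplicate, one multicast MAC and one truncated MAC.
SAMPLE_INVENTORY = """\
name,mac,serial,cert
ap-floor1,00:1B:34:00:02:F0,FGL1234A0B1,lsc
ap-floor1-dup,001b.3400.02f0,FGL1234A0B1,lsc
ap-lobby,,FGL1234A0B3,mic
ap-guest,00-b0-e1-92-0d-98,FGL1234A0B4,mic
ap-mcast,01:00:5e:00:00:01,FGL1234A0B5,lsc
ap-typo,00:1b:34:00:02,FGL1234A0B6,lsc
"""

if __name__ == "__main__":
    cmds, bad = build_ap_commands(SAMPLE_INVENTORY)
    print(render_config(cmds))
    for line in bad:
        print("REJECTED", line)
```

Review the rejected rows before pushing the rendered config; on a real inventory a rejected row usually means a typo in the asset database rather than a bad AP, and a duplicate MAC across two names is worth chasing down because only one of those devices can be the AP you meant to authorize.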

Verifying the Configuration Status
To verify if the APs have been authorized by the AP certificate policy, use the following command:
Device# show ap auth-list ap-cert-policy
Authorize APs joining with MIC : ENABLED
MIC AP policy trustpoint Name : CISCO_IDEVID_SUDI
Certificate status : Available
Certificate Type : MIC
Certificate Hash : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

To verify the AP certificate policy on the MAC address and the serial number of the AP, use the following commands:

Device# show ap auth-list ap-cert-policy mac-address
MAC address        AP cert policy
---------------------------------
1111.2222.3333     MIC

Device# show ap auth-list ap-cert-policy serial-number
Serial number      AP cert policy
--------------------------------
F1234567890        MIC

Note: If you set a trustpoint whose certificate chain is not a MIC or SSC (for example, an LSC trustpoint), the allow-mic-ap policy is not enabled and the following error is displayed on the console:
Device(config)# ap auth-list ap-cert-policy allow-mic-ap trustpoint lsc-root-tp
Dec 18 07:38:29.944: %CERT_MGR_ERRMSG-3-CERT_MGR_GENERAL_ERR: Chassis 1 R0/0: wncd: General error: MIC AP Policy trustpoint: 'lsc-root-tp' cert-chain type is LSC, It must be either MIC or vWLC-SSC


Configuring Controller Self-Signed Certificate for Wireless AP Join
Use Cases
Use Case 1
The Cisco Catalyst 9800-CL platform does not contain manufacturer-installed SUDI certificates. You need to configure self-signed certificates on the controller.
Use Case 2
APs running earlier software and holding a Manufacturer Installed Certificate (MIC) issued by a SHA-1 Cisco Trusted CA cannot join a controller that presents a SHA-2 SUDI certificate. During the CAPWAP join process, the AP reports a bad certificate error and tears down the DTLS handshake. Workaround: to upgrade such APs, configure controller self-signed certificates. Once the APs are upgraded, you can delete the self-signed certificates and revert to the SUDI certificate.
Note: This workaround does not apply to the Embedded Wireless Controller running on Catalyst 9k switches. It applies to the other hardware appliance controllers, such as the Cisco Catalyst 9800-40, Cisco Catalyst 9800-80, and Cisco Catalyst 9800-L.
Note: Certificates used in DTLS connections (AP and mobility) must use an RSA key of 2048 bits or more. Otherwise, the AP and mobility connections fail after reload. Run the show crypto pki certificate verbose tp-name command to display the key size of the device certificate.
Prerequisites
· Ensure that the VLAN interface is up and its IP address is reachable.
· Ensure that the ip http server is enabled. For more information, see Enabling HTTP Server (CLI).
· Set the clock calendar-valid command appropriately. For more information, see Configuring Clock Calendar (CLI), on page 1060.
· Check whether a PKI CA server is already configured. If it is, delete the existing CA server configuration.
Note: The show crypto pki server command output should not display anything.


Configuring Clock Calendar (CLI)

Procedure

Step 1: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: clock calendar-valid
Example:
Device(config)# clock calendar-valid
Purpose: Marks the hardware calendar as a valid time source. Certificate validity checks depend on the clock being correct.

Step 3: exit
Example:
Device(config)# exit
Purpose: Exits configuration mode.

Enabling HTTP Server (CLI)

Procedure

Step 1: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: ip http server
Example:
Device(config)# ip http server
Purpose: Enables the HTTP server on your IP or IPv6 system, including the Cisco web browser user interface. By default, the HTTP server uses the standard port 80.

Step 3: ip http secure-server
Example:
Device(config)# ip http secure-server
Purpose: Enables the HTTPS (secure) server. By default, the secure server uses the standard port 443.

Step 4: exit
Example:
Device(config)# exit
Purpose: Exits configuration mode.


Configuring CA Server (CLI)

Procedure

Step 1: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: crypto key generate rsa general-keys modulus size_of_key_modulus label keypair_name
Example:
Device(config)# crypto key generate rsa general-keys modulus 2048 label WLC_CA
Purpose: Generates the RSA key pair that the CA server signs with. When you generate RSA keys, you are prompted to enter a modulus length. A longer modulus length might be more secure, but it takes longer to generate and to use.
Note: The recommended key-pair name is WLC_CA and the recommended key modulus is 2048 bits.

Step 3: crypto pki server certificate_server_name
Example:
Device(config)# crypto pki server WLC_CA
Purpose: Enables the IOS certificate server and enters certificate-server configuration mode.
Note: The certificate_server_name must be the same as the keypair_name.

Step 4: issuer-name
Example:
Device(cs-server)# issuer-name O=Cisco Virtual Wireless LAN Controller, CN=CA-vWLC
Purpose: Configures the X.509 distinguished name for the issuer CA certificate.
Note: You need to configure the same issuer-name as suggested for AP join.

Step 5: grant auto
Example:
Device(cs-server)# grant auto
Purpose: Grants certificate requests automatically.

Step 6: hash sha256
Example:
Device(cs-server)# hash sha256
Purpose: (Optional) Specifies the hash function for the signature used in the granted certificates.

Step 7: lifetime ca-certificate time-interval
Example:
Device(cs-server)# lifetime ca-certificate 3650
Purpose: (Optional) Specifies the lifetime, in days, of the CA certificate.

Step 8: lifetime certificate time-interval
Example:
Device(cs-server)# lifetime certificate 3650
Purpose: (Optional) Specifies the lifetime, in days, of a granted certificate.

Step 9: database archive pkcs12 password password
Example:
Device(cs-server)# database archive pkcs12 password 0 cisco123
Purpose: Sets the CA key and CA certificate archive format and the password used to encrypt the archive file. The archive contains the CA private key, so use a strong password rather than the placeholder shown here.

Step 10: no shutdown
Example:
Device(cs-server)# no shutdown
Purpose: Enables the certificate server.
Note: Issue this command only after you have completely configured your certificate server.

Step 11: end
Example:
Device(cs-server)# end
Purpose: Returns to privileged EXEC mode. Alternatively, press Ctrl-Z to exit global configuration mode.

Configuring Trustpoint (CLI)

Procedure

Step 1: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: crypto key generate rsa exportable general-keys modulus size-of-the-key-modulus label label
Example:
Device(config)# crypto key generate rsa exportable general-keys modulus 2048 label ewlc-tp1
Purpose: Generates the RSA key pair for the controller certificate. When you generate RSA keys, you are prompted to enter a modulus length. A longer modulus length might be more secure, but it takes longer to generate and to use. Generate the key as exportable only if you need to back it up or move it off the device; a non-exportable key cannot leave the controller.

Step 3: crypto pki trustpoint trustpoint_name
Example:
Device(config)# crypto pki trustpoint ewlc-tp1
Purpose: Creates a new trustpoint for the CA server and enters ca-trustpoint configuration mode. Here, trustpoint_name is the trustpoint name.
Note: Ensure that the same name is used for the key pair (label) and trustpoint_name.

Step 4: rsakeypair RSA_key key_size
Example:
Device(ca-trustpoint)# rsakeypair ewlc-tp1
Purpose: Maps the RSA key pair to the trustpoint.
· RSA_key: the RSA key pair label.
· key_size: the signature key length. The value ranges from 360 to 4096.

Step 5: subject-name subject_name
Example:
Device(ca-trustpoint)# subject-name O=Cisco Virtual Wireless LAN Controller, CN=DEVICE-vWLC
Purpose: Sets the subject name parameters for the trustpoint.

Step 6: revocation-check none
Example:
Device(ca-trustpoint)# revocation-check none
Purpose: Disables revocation checking (CRL or OCSP) for certificates validated through this trustpoint. This is acceptable here because the issuing CA is the controller itself; for trustpoints that validate externally issued certificates, leave revocation checking enabled.

Step 7: hash sha256
Example:
Device(ca-trustpoint)# hash sha256
Purpose: Specifies the hash algorithm for the certificate request.

Step 8: serial-number
Example:
Device(ca-trustpoint)# serial-number
Purpose: Includes the controller serial number in the certificate request.

Step 9: eku request server-auth client-auth
Example:
Device(ca-trustpoint)# eku request server-auth client-auth
Purpose: (Optional) Sets the extended key-usage purposes requested for the certificate: server authentication and client authentication.

Step 10: password password
Example:
Device(ca-trustpoint)# password 0 cisco123
Purpose: Sets the revocation password that is included in the certificate request.

Step 11: enrollment url url
Example:
Device(ca-trustpoint)# enrollment url http://<management-IPv4>:80
Purpose: Specifies the URL of the CA server for enrollment.
Note: Replace the placeholder IP with the management VLAN interface IP address of the controller on which the CA server is configured.

Step 12: exit
Example:
Device(ca-trustpoint)# exit
Purpose: Exits the configuration.


Authenticating and Enrolling the PKI TrustPoint with CA Server (CLI)

Procedure

Step 1: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: crypto pki authenticate trustpoint_name
Example:
Device(config)# crypto pki authenticate ewlc-tp1
Certificate has the following attributes:
Fingerprint MD5: 64C5FC9A C581D827 C25FC3CF 1A7F42AC
Fingerprint SHA1: 6FAFF812 7C552783 6A8FB566 52D95849 CC2FC050
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
Purpose: Fetches the CA certificate. Compare the displayed fingerprint with the CA cert fingerprint reported by show crypto pki server before you answer yes.

Step 3: crypto pki enroll trustpoint_name
Example:
Device(config)# crypto pki enroll ewlc-tp1
Enter the following answers at the prompts:
% Include an IP address in the subject name? [no]: no
Request certificate from CA? [yes/no]: yes
Purpose: Enrolls for the client certificate.

Step 4: end
Example:
Device(config)# end
Purpose: Returns to privileged EXEC mode. Alternatively, press Ctrl-Z to exit global configuration mode.

Tagging Wireless Management TrustPoint Name (CLI)

Procedure

Step 1: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: wireless management trustpoint trustpoint_name
Example:
Device(config)# wireless management trustpoint ewlc-tp1
Purpose: Tags the trustpoint as the wireless management trustpoint.

Step 3: end
Example:
Device(config)# end
Purpose: Returns to privileged EXEC mode. Alternatively, press Ctrl-Z to exit global configuration mode.

Verifying Controller Certificates for Wireless AP Join
To view the CA server details, use the following command:
Device# show crypto pki server
Certificate Server WLC_CA:
Status: enabled
State: enabled
Server's configuration is locked (enter "shut" to unlock it)
Issuer name: O=Cisco Virtual Wireless LAN Controller, CN=CA-vWLC
CA cert fingerprint: 79A3DBD5 59A7E384 73ABD152 C133F4E2
Granting mode is: auto
Last certificate issued serial number (hex): 1
CA certificate expiration timer: 12:04:00 UTC Mar 8 2029
CRL NextUpdate timer: 18:04:00 UTC Mar 11 2019
Current primary storage dir: nvram:
Database Level: Minimum - no cert data written to storage

To view the trustpoint details, use the following command:
Device# show crypto pki trustpoint ewlc-tp1 status
Trustpoint ewlc-tp1:
...
State:
Keys generated ............. Yes (General Purpose, exportable)
Issuing CA authenticated ....... Yes
Certificate request(s) ..... Yes

To view the wireless management trustpoint details, use the following command:
Device# show wireless management trustpoint
Trustpoint Name : ewlc-tp1
Certificate Info : Available
Certificate Type : SSC
Certificate Hash : 4a5d777c5b2071c17faef376febc08398702184e
Private key Info : Available
FIPS suitability : Not Applicable

To view the HTTP server status, use the following command:
Device# show ip http server status | include server status
HTTP server status: Enabled
HTTP secure server status: Enabled


CHAPTER 115

Certificate Management

· About Public Key Infrastructure Management (GUI), on page 1095
· Authenticating and Enrolling a PKI Trustpoint (GUI), on page 1095
· Adding the Certificate Authority Server (GUI), on page 1096
· Adding an RSA or EC Key for PKI Trustpoint (GUI), on page 1097
· Adding and Managing Certificates, on page 1097
About Public Key Infrastructure Management (GUI)
The Public Key Infrastructure (PKI) Management page displays the following tabs:
· Trustpoints tab: Used to add, create, or enroll a new trustpoint. This tab also displays the trustpoints currently configured on the controller and their details, including whether a trustpoint is in use by a feature, for example Webadmin or AP join (Wireless Management Interface).
· CA Server tab: Used to enable or disable the Certificate Authority (CA) server functionality on the controller. The CA server functionality must be enabled for the controller to generate a Self-Signed Certificate (SSC).
· Key Pair Generation tab: Used to generate key pairs.
· Certificate Management tab: Used to generate and manage certificates, and to perform all certificate-related operations on the controller.

Authenticating and Enrolling a PKI Trustpoint (GUI)
Procedure

Step 1 Choose Configuration > Security > PKI Management.
Step 2 In the PKI Management window, click the Trustpoints tab.
Step 3 In the Add Trustpoint dialog box, provide the following information:
a) In the Label field, enter the RSA key label.
b) In the Enrollment URL field, enter the enrollment URL.
c) Check the Authenticate check box to authenticate the public certificate from the enrollment URL.


d) In the Subject Name section, enter the Country Code, State, Location, Organisation, Domain Name, and Email Address.
e) Check the Key Generated check box to view the available RSA key pairs. Choose an option from the Available RSA Keypairs drop-down list.
f) Check the Enroll Trustpoint check box.
g) In the Password field, enter the password.
h) In the Re-Enter Password field, confirm the password.
i) Click Apply to Device.
The new trustpoint is added to the trustpoint name list.

Generating an AP Self-Signed Certificate (GUI)

Note This section is valid only for virtual controllers (Cisco Catalyst 9800-CL Wireless Controller for Cloud) and not applicable for appliance based controllers (Cisco Catalyst 9800-40 Wireless Controller, Cisco Catalyst 9800-80 Wireless Controller, Cisco Catalyst 9800-L Wireless Controller (Copper Uplink), and Cisco Catalyst 9800-L Wireless Controller (Fiber Uplink)).
Procedure

Step 1 Choose Configuration > Security > PKI Management.
Step 2 In the AP SSC Trustpoint area, click Generate to generate an AP SSC trustpoint.
Step 3 From the RSA Key-Size drop-down list, choose a key size.
Step 4 From the Signature Algorithm drop-down list, choose an option.
Step 5 From the Password Type drop-down list, choose a password type.
Step 6 In the Password field, enter a password. The valid length is 8 to 32 characters.
Step 7 Click Apply to Device.

Adding the Certificate Authority Server (GUI)
Procedure

Step 1 Choose Configuration > Security > PKI Management.
Step 2 In the PKI Management window, click the CA Server tab.
Step 3 In the CA Server section, click the Shutdown Status toggle button to set the status.
Step 4 If you set the shutdown status to Enabled, you must enter the password and confirm it. If you set the shutdown status to Disabled, you must enter the Country Code, State, Location, Organisation, Domain Name, and Email Address.

Step 5 Click Apply to add the CA server.
Step 6 Click Remove CA Server to delete the CA server.

Adding an RSA or EC Key for PKI Trustpoint (GUI)
Procedure

Step 1 Choose Configuration > Security > PKI Management.
Step 2 In the PKI Management window, click the Key Pair Generation tab.
Step 3 In the Key Pair Generation section, click Add.
Step 4 In the dialog box that is displayed, provide the following information:
a) In the Key Name field, enter the key name.
b) In the Key Type options, select either RSA Key or EC Key.
c) In the Modulus Size field, enter the modulus size for the RSA key or the curve size for the EC key. The default is 4096 for an RSA key and 521 for an EC key.
d) Check the Key Exportable check box if the private key must be exportable. By default, this is checked. A key generated as exportable can later be copied off the controller, so clear the box for keys that only this controller should ever hold.
e) Click Generate.

Adding and Managing Certificates
To add and manage certificates, use one of the following methods:

Note While configuring a password for the .pfx file, do not use any of the following ASCII characters: * ^ ( ) [ ] \ " + Using these characters results in a bad-configuration error and the certificate is not imported to the controller.
Method 1
Procedure

Step 1 Choose Configuration > Security > PKI Management > Add Certificate.
Step 2 Click Generate Certificate Signing Request.
a) In the Certificate Name field, enter the certificate name.
b) From the Key Name drop-down list, choose an RSA key pair. (Click the plus (+) icon under the Key Pair Generation tab to create new RSA key pairs.)
c) Enter values in the Country Code, Location, Organisation, State, Organizational Unit, and Domain Name fields.
d) Click Generate. The generated Certificate Signing Request (CSR) is displayed on the right. Click Copy to copy it and save a local copy, or click Save to Device to save the generated CSR to the /bootflash/csr directory.
Step 3 Click Authenticate Root CA.
a) From the Trustpoint drop-down list, choose the trustpoint label generated in Step 2, or any other trustpoint label that you want to authenticate.
b) In the Root CA Certificate (.pem) field, copy and paste the certificate that you received from the CA.
Note Ensure that you paste the PEM (Base64) certificate of the CA that issues the device certificate, not the device certificate itself. If the trustpoint is authenticated with a different CA, the controller rejects the device certificate in Step 4 because it does not chain to the authenticated CA.
c) Click Authenticate.
Step 4 Click Import Device Certificate.
a) From the Trustpoint drop-down list, choose the trustpoint label generated in Step 2, or any other trustpoint label that was authenticated in Step 3.
b) In the Signed Certificate (.pem) field, copy and paste the signed certificate that you received from your CA.
c) Click Import.
This completes the device certificate import process, and the certificate can now be assigned to features.

Method 2
Procedure

Step 1 Click Import PKCS12 Certificate.
Note You can import an entire certificate chain in the PKCS12 format using different transport types. The PKCS12 file also contains the private key; FTP and TFTP transfer it unencrypted, so prefer SFTP, SCP, or the Desktop (HTTPS) upload.
a) From the Transport Type drop-down list, choose FTP, SFTP, TFTP, SCP, or Desktop (HTTPS).
· For FTP, SFTP, and SCP, enter values in the Server IP Address (IPv4/IPv6), Username, Password, Certificate File Path, Certificate Destination File Name, and Certificate Password fields.
· For TFTP, enter values in the Server IP Address (IPv4/IPv6), Certificate File Path, Certificate Destination File Name, and Certificate Password fields.
· For Desktop (HTTPS), enter values in the Source File Path and Certificate Password fields.
b) Click Import.

CHAPTER 116
Cisco Umbrella WLAN
· Information About Cisco Umbrella WLAN, on page 1099
· Registering Controller to Cisco Umbrella Account, on page 1100
· Configuring Cisco Umbrella WLAN, on page 1101
· Configuring the Umbrella Flex Profile, on page 1107
· Configuring the Umbrella Flex Profile (GUI), on page 1107
· Configuring Umbrella Flex Parameters, on page 1108
· Configuring the Umbrella Flex Policy Profile (GUI), on page 1108
· Verifying the Cisco Umbrella Configuration, on page 1109
Information About Cisco Umbrella WLAN
Cisco Umbrella WLAN provides a cloud-delivered network security service at the Domain Name System (DNS) level, with automatic detection of both known and emergent threats. This feature allows you to block sites that host malware, bot networks, and phishing before they actually become malicious. Cisco Umbrella WLAN provides the following:
· Policy configuration per user group at a single point.
· Policy configuration per network, group, user, device, or IP address.
The following is the policy priority order:
1. Local policy
2. AP group
3. WLAN
· Visual security activity dashboard in real time with aggregated reports.
· Schedule and send reports through email.
· Support for up to 60 content categories, with a provision to add custom allowed-list and blocked-list entries.
· Support for custom parameter-type Umbrella profiles. One global profile and 15 custom profiles are supported.
· Although IPv6 is supported, device registration is always over IPv4. Device registration over IPv6 is not supported.
· Communication from the device to the Umbrella cloud can also be over IPv6.
· In FlexConnect mode, DNS handling takes place in the AP instead of the controller. Multiple profiles are supported in Flex mode.
This feature does not work in the following scenarios:
· If an application or host uses an IP address directly instead of using DNS to query domain names.
· If a client is connected to a web proxy and does not send a DNS query to resolve the server address.
Registering Controller to Cisco Umbrella Account
Before you begin
· You should have an account with Cisco Umbrella.
· You should have an API token from Cisco Umbrella.
This section describes the process followed to register the controller to the Cisco Umbrella account. The controller is registered to the Cisco Umbrella server using the Umbrella parameter map. Each Umbrella parameter map must have an API token. Cisco Umbrella responds with a device ID for the controller. The device ID has a 1:1 mapping with the Umbrella parameter map name. The API token is a credential for your Umbrella organization: protect the running configuration and any show command output that contains it.
Fetching API token for Controller from Cisco Umbrella Dashboard
From the Cisco Umbrella dashboard, verify that your controller shows up under Device Name, along with its identities.
Applying the API Token on Controller
Registers the Cisco Umbrella API token on the network.
DNS Query and Response
Once the device is registered and the Umbrella parameter map is configured on the WLAN, DNS queries from clients joining the WLAN are redirected to the Umbrella DNS resolver.
Note This applies to all domains not configured in the local domain RegEx parameter map.
The queries and responses are encrypted based on the DNScrypt option in the Umbrella parameter map. For more information on the Cisco Umbrella configurations, see the Integration for ISR 4K and ISR 1100 - Security Configuration Guide.

Limitations and Considerations
The limitations and considerations for this feature are as follows:
· You can apply the wireless Cisco Umbrella profiles to wireless entities, such as WLANs or AP groups, only if the device registration is successful.
· In case of L3 mobility, Cisco Umbrella must always be applied on the anchor controller.
· When two DNS servers are configured under DHCP, two Cisco Umbrella server IPs are sent to the client in DHCP option 6. If only one DNS server is present under DHCP, only one Cisco Umbrella server IP is sent in DHCP option 6.

Configuring Cisco Umbrella WLAN
To configure Cisco Umbrella on the controller, you need the following:
· The API token from the Cisco Umbrella dashboard.
· The CA certificate needed to establish an HTTPS connection with the Cisco Umbrella registration server, api.opendns.com. Import the DigiCert CA certificate into the controller trust pool using the crypto pki trustpool import terminal command, or import the Cisco trust pool bundle, as described below.

Importing CA Certificate to the Trust Pool

Before you begin
The following procedure covers how to fetch the CA certificate and establish an HTTPS connection with the Cisco Umbrella registration server.

Procedure

Step 1  configure terminal
        Example: Device# configure terminal
        Purpose: Enters global configuration mode.

Step 2  Perform either of the following tasks:
        · crypto pki trustpool import url url
          Example: Device(config)# crypto pki trustpool import url http://www.cisco.com/security/pki/trs/ios.p7b
          Purpose: Imports the Cisco trust pool bundle directly from the Cisco website.
          Note The trust pool bundle contains the root certificate of digicert.com together with other CA certificates.
        · crypto pki trustpool import terminal
          Example: Device(config)# crypto pki trustpool import terminal
          Purpose: Imports a CA certificate pasted at the terminal. Enter the PEM-formatted CA certificate shown below; see the Related Information section to download it. This certificate has subject CN=DigiCert TLS RSA SHA256 2020 CA1 and issuer CN=DigiCert Global Root CA, that is, it is the issuing intermediate CA for api.opendns.com, not a self-signed root. Check the subject and issuer of any certificate before you add it, because the trust pool is a controller-wide trust store.

-----BEGIN CERTIFICATE-----
MIIE6jCCA9KgAwIBAgIQCjUI1VwpKwF9+K1lwA/35DANBgkqhkiG9w0BAQsFADBhMQswCQYDVQQG
EwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMSAw
HgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBDQTAeFw0yMDA5MjQwMDAwMDBaFw0zMDA5MjMy
MzU5NTlaME8xCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxKTAnBgNVBAMTIERp
Z2lDZXJ0IFRMUyBSU0EgU0hBMjU2IDIwMjAgQ0ExMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEAwUuzZUdwvN1PWNvsnO3DZuUfMRNUrUpmRh8sCuxkB+Uu3Ny5CiDt3+PE0J6aqXodgojl
EVbbHp9YwlHnLDQNLtKS4VbL8Xlfs7uHyiUDe5pSQWYQYE9XE0nw6Ddng9/n00tnTCJRpt8OmRDt
V1F0JuJ9x8piLhMbfyOIJVNvwTRYAIuE//i+p1hJInuWraKImxW8oHzf6VGo1bDtN+I2tIJLYrVJ
muzHZ9bjPvXj1hJeRPG/cUJ9WIQDgLGBAfr5yjK7tI4nhyfFK3TUqNaX3sNk+crOU6JWvHgXjkkD
Ka77SU+kFbnO8lwZV21reacroicgE7XQPUDTITAHk+qZ9QIDAQABo4IBrjCCAaowHQYDVR0OBBYE
FLdrouqoqoSMeeq02g+YssWVdrn0MB8GA1UdIwQYMBaAFAPeUDVW0Uy7ZvCj4hsbw5eyPdFVMA4G
A1UdDwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwEgYDVR0TAQH/BAgw
BgEB/wIBADB2BggrBgEFBQcBAQRqMGgwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0
LmNvbTBABggrBgEFBQcwAoY0aHR0cDovL2NhY2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0R2xv
YmFsUm9vdENBLmNydDB7BgNVHR8EdDByMDegNaAzhjFodHRwOi8vY3JsMy5kaWdpY2VydC5jb20v
RGlnaUNlcnRHbG9iYWxSb290Q0EuY3JsMDegNaAzhjFodHRwOi8vY3JsNC5kaWdpY2VydC5jb20v
RGlnaUNlcnRHbG9iYWxSb290Q0EuY3JsMDAGA1UdIAQpMCcwBwYFZ4EMAQEwCAYGZ4EMAQIBMAgG
BmeBDAECAjAIBgZngQwBAgMwDQYJKoZIhvcNAQELBQADggEBAHert3onPa679n/gWlbJhKrKW3EX
3SJH/E6f7tDBpATho+vFScH90cnfjK+URSxGKqNjOSD5nkoklEHIqdninFQFBstcHL4AGw+oWv8Z
u2XHFq8hVt1hBcnpj5h232sb0HIMULkwKXq/YFkQZhM6LawVEWwtIwwCPgU7/uWhnOKK24fXSuhe
50gG66sSmvKvhMNbg0qZgYOrAKHKCjxMoiWJKiKnpPMzTFuMLhoClw+dj20tlQj7T9rxkTgl4Zxu
YRiHas6xuwAwapu3r9rxxZf+ingkquqTgLozZXq8oXfpf2kUCwA/d5KxTVtzhwoT0JzI8ks5T1KE
SaZMkE4f97Q=
-----END CERTIFICATE-----

Step 3  quit
        Example: Device(config)# quit
        Purpose: Ends the paste and imports the certificate. You will receive a message after the certificate has been imported.
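The subject and issuer of a certificate you are about to trust are worth checking before you paste it, whether into the trust pool here or into the Root CA Certificate field of the Authenticate Root CA step in the PKI Management procedure earlier in this guide. The following Python 3 script is an added example, not part of this guide and not Cisco code. It uses only the standard library to decode a PEM certificate, walk the DER encoding as far as the serial number, issuer, validity and subject, and report whether the certificate is self-signed; it does not verify the signature. Run on the DigiCert certificate above, it reports subject CN DigiCert TLS RSA SHA256 2020 CA1 issued by DigiCert Global Root CA, that is, an intermediate CA rather than a self-signed root. The issued_by function is the same issuer-equals-subject comparison that the device certificate import relies on.

```python
import base64
from datetime import datetime, timezone

# The DigiCert CA certificate this guide pastes into the trust pool (copied from the
# "crypto pki trustpool import terminal" step above).
DIGICERT_CA_PEM = """-----BEGIN CERTIFICATE-----
MIIE6jCCA9KgAwIBAgIQCjUI1VwpKwF9+K1lwA/35DANBgkqhkiG9w0BAQsFADBhMQswCQYDVQQG
EwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMSAw
HgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBDQTAeFw0yMDA5MjQwMDAwMDBaFw0zMDA5MjMy
MzU5NTlaME8xCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxKTAnBgNVBAMTIERp
Z2lDZXJ0IFRMUyBSU0EgU0hBMjU2IDIwMjAgQ0ExMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEAwUuzZUdwvN1PWNvsnO3DZuUfMRNUrUpmRh8sCuxkB+Uu3Ny5CiDt3+PE0J6aqXodgojl
EVbbHp9YwlHnLDQNLtKS4VbL8Xlfs7uHyiUDe5pSQWYQYE9XE0nw6Ddng9/n00tnTCJRpt8OmRDt
V1F0JuJ9x8piLhMbfyOIJVNvwTRYAIuE//i+p1hJInuWraKImxW8oHzf6VGo1bDtN+I2tIJLYrVJ
muzHZ9bjPvXj1hJeRPG/cUJ9WIQDgLGBAfr5yjK7tI4nhyfFK3TUqNaX3sNk+crOU6JWvHgXjkkD
Ka77SU+kFbnO8lwZV21reacroicgE7XQPUDTITAHk+qZ9QIDAQABo4IBrjCCAaowHQYDVR0OBBYE
FLdrouqoqoSMeeq02g+YssWVdrn0MB8GA1UdIwQYMBaAFAPeUDVW0Uy7ZvCj4hsbw5eyPdFVMA4G
A1UdDwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwEgYDVR0TAQH/BAgw
BgEB/wIBADB2BggrBgEFBQcBAQRqMGgwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0
LmNvbTBABggrBgEFBQcwAoY0aHR0cDovL2NhY2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0R2xv
YmFsUm9vdENBLmNydDB7BgNVHR8EdDByMDegNaAzhjFodHRwOi8vY3JsMy5kaWdpY2VydC5jb20v
RGlnaUNlcnRHbG9iYWxSb290Q0EuY3JsMDegNaAzhjFodHRwOi8vY3JsNC5kaWdpY2VydC5jb20v
RGlnaUNlcnRHbG9iYWxSb290Q0EuY3JsMDAGA1UdIAQpMCcwBwYFZ4EMAQEwCAYGZ4EMAQIBMAgG
BmeBDAECAjAIBgZngQwBAgMwDQYJKoZIhvcNAQELBQADggEBAHert3onPa679n/gWlbJhKrKW3EX
3SJH/E6f7tDBpATho+vFScH90cnfjK+URSxGKqNjOSD5nkoklEHIqdninFQFBstcHL4AGw+oWv8Z
u2XHFq8hVt1hBcnpj5h232sb0HIMULkwKXq/YFkQZhM6LawVEWwtIwwCPgU7/uWhnOKK24fXSuhe
50gG66sSmvKvhMNbg0qZgYOrAKHKCjxMoiWJKiKnpPMzTFuMLhoClw+dj20tlQj7T9rxkTgl4Zxu
YRiHas6xuwAwapu3r9rxxZf+ingkquqTgLozZXq8oXfpf2kUCwA/d5KxTVtzhwoT0JzI8ks5T1KE
SaZMkE4f97Q=
-----END CERTIFICATE-----"""

# DER-encoded X.500 attribute OIDs that appear in an issuer or subject Name.
_ATTR_OIDS = {
    bytes.fromhex("550403"): "CN",
    bytes.fromhex("550406"): "C",
    bytes.fromhex("55040a"): "O",
    bytes.fromhex("55040b"): "OU",
}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split a constructed DER value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out


def _name(value):
    """Decode an X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue) into a dict."""
    attrs = {}
    for _, rdn in _children(value):
        for _, atv in _children(rdn):
            (_, oid), (_, text) = _children(atv)[:2]
            attrs[_ATTR_OIDS.get(oid, oid.hex())] = text.decode("utf-8", "replace")
    return attrs


def _time(value):
    """UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ) to aware datetime."""
    fmt = "%y%m%d%H%M%SZ" if len(value) == 13 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def inspect_certificate(pem):
    """Return the identifying fields of a PEM certificate. No signature is verified."""
    b64 = "".join(line.strip() for line in pem.splitlines()
                  if line.strip() and not line.startswith("-----"))
    der = base64.b64decode(b64, validate=True)
    _, certificate, _ = _read_tlv(der, 0)      # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(certificate, 0)      # tbsCertificate ::= SEQUENCE
    fields = _children(tbs)
    i = 1 if fields[0][0] == 0xA0 else 0       # skip the optional [0] EXPLICIT version
    serial, _sigalg, issuer, validity, subject = fields[i:i + 5]
    not_before, not_after = (_time(v) for _, v in _children(validity[1]))
    info = {
        "der_length": len(der),
        "serial": serial[1].hex(),
        "issuer": _name(issuer[1]),
        "subject": _name(subject[1]),
        "not_before": not_before,
        "not_after": not_after,
    }
    info["self_signed"] = info["issuer"] == info["subject"]
    return info


def issued_by(cert_info, ca_info):
    """True when cert_info's issuer DN equals ca_info's subject DN (name chaining only)."""
    return cert_info["issuer"] == ca_info["subject"]


if __name__ == "__main__":
    for key, val in inspect_certificate(DIGICERT_CA_PEM).items():
        print(f"{key:>11}: {val}")
```

To check a device certificate against the CA you are about to authenticate, call inspect_certificate on both PEM blocks and pass the results to issued_by; a False result means the Authenticate Root CA step was given the wrong CA.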

Creating a Local Domain RegEx Parameter Map

Procedure

Step 1  configure terminal
        Example: Device# configure terminal
        Purpose: Enters global configuration mode.

Step 2  parameter-map type regex parameter-map-name
        Example: Device(config)# parameter-map type regex dns_wl
        Purpose: Creates a regex parameter map.

Step 3  pattern regex-pattern
        Example: Device(config-profile)# pattern www.google.com
        Purpose: Configures the regex pattern to match.
        Note The following patterns are supported:
        · Begins with .*. For example: .*facebook.com
        · Begins with .* and ends with *. For example: .*google*
        · Ends with *. For example: www.facebook*
        · No special character. For example: www.facebook.com
        Domains that match a pattern in this map are excluded from Umbrella entirely, so keep the list short and avoid broad patterns such as .*com.

Step 4  end
        Example: Device(config-profile)# end
        Purpose: Returns to privileged EXEC mode.

Configuring Parameter Map Name in WLAN (GUI)
Procedure

Step 1 Choose Configuration > Tags & Profiles > Policy.
Step 2 Click the Policy Profile Name. The Edit Policy Profile window is displayed.
Step 3 Choose the Advanced tab.
Step 4 In the Umbrella settings, from the Umbrella Parameter Map drop-down list, choose the parameter map.
Step 5 Enable or disable the Flex DHCP Option for DNS and DNS Traffic Redirect toggle buttons.
Step 6 Click Update & Apply to Device.

Configuring the Umbrella Parameter Map

Procedure

Step 1  configure terminal
        Example: Device# configure terminal
        Purpose: Enters global configuration mode.

Step 2  parameter-map type umbrella {global | parameter-map-name}
        Example: Device(config)# parameter-map type umbrella custom_pmap
        Purpose: Creates the global Umbrella parameter map or a custom one.

Step 3  token token-value
        Example: Device(config-profile)# token 5XXXXXXXXCXXXXXXXAXXXXXXXFXXXXCXXXXXXXX
        Purpose: Configures the Umbrella API token.

Step 4  local-domain regex-parameter-map-name
        Example: Device(config-profile)# local-domain dns_wl
        Purpose: Attaches the local domain RegEx parameter map whose domains are excluded from Umbrella.

Step 5  resolver {IPv4 X.X.X.X | IPv6 X:X:X:X::X}
        Example: Device(config-profile)# resolver IPv6 10:1:1:1::10
        Purpose: Configures the anycast resolver address. The default address is applied when no specific address is configured.

Step 6  end
        Example: Device(config-profile)# end
        Purpose: Returns to privileged EXEC mode.

Enabling or Disabling DNScrypt (GUI)
Procedure

Step 1 Choose Configuration > Security > Threat Defence > Umbrella.
Step 2 Enter the Registration Token received from Umbrella. Alternatively, click Click here to get your Token to get the token from Umbrella.
Step 3 Enter the Whitelist Domains that you want to exclude from filtering.
Step 4 Check or uncheck the Enable DNS Packets Encryption check box to enable or disable encryption of the DNS packets.
Step 5 Click Apply.

Enabling or Disabling DNScrypt

Procedure

Step 1  configure terminal
        Example: Device# configure terminal
        Purpose: Enters global configuration mode.

Step 2  parameter-map type umbrella global
        Example: Device(config)# parameter-map type umbrella global
        Purpose: Creates the Umbrella global parameter map.

Step 3  [no] dnscrypt
        Example: Device(config-profile)# no dnscrypt
        Purpose: Enables or disables DNScrypt. By default, DNScrypt is enabled. With DNScrypt disabled, the redirected client queries and the responses travel to and from the Umbrella resolvers in cleartext.
        Note Cisco Umbrella DNScrypt is not supported when DNS-encrypted responses are sent in the data-DTLS encrypted tunnel (either mobility tunnel or AP CAPWAP tunnel).

Step 4  end
        Example: Device(config-profile)# end
        Purpose: Returns to privileged EXEC mode.

Configuring Timeout for UDP Sessions

Procedure

Step 1  configure terminal
        Example: Device# configure terminal
        Purpose: Enters global configuration mode.

Step 2  parameter-map type umbrella global
        Example: Device(config)# parameter-map type umbrella global
        Purpose: Creates the Umbrella global parameter map.

Step 3  udp-timeout timeout_value
        Example: Device(config-profile)# udp-timeout 2
        Purpose: Configures the timeout value for UDP sessions. The timeout_value ranges from 1 to 30 seconds.
        Note The public-key and resolver parameter-map options are automatically populated with the default values, so you need not change them.

Step 4  end
        Example: Device(config-profile)# end
        Purpose: Returns to privileged EXEC mode.


Configuring Parameter Map Name in WLAN

Procedure

Step 1  configure terminal
        Example: Device# configure terminal
        Purpose: Enters global configuration mode.

Step 2  wireless profile policy profile-name
        Example: Device(config)# wireless profile policy default-policy-profile
        Purpose: Creates the policy profile for the WLAN. The profile-name is the name of the policy profile.

Step 3  umbrella-param-map umbrella-name
        Example: Device(config-wireless-policy)# umbrella-param-map global
        Purpose: Configures the Umbrella OpenDNS feature for the WLAN.

Step 4  end
        Example: Device(config-wireless-policy)# end
        Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Configuring the Umbrella Flex Profile

Procedure

Step 1  configure terminal
        Example: Device# configure terminal
        Purpose: Enters global configuration mode.

Step 2  wireless profile flex flex-profile-name
        Example: Device(config)# wireless profile flex default-flex-profile
        Purpose: Creates a new flex profile and enters flex profile configuration mode. The flex-profile-name is the flex profile name.

Step 3  umbrella-profile umbrella-profile-name
        Example: Device(config-wireless-flex-profile)# umbrella-profile global
        Purpose: Configures the Umbrella flex feature. Use the no form of this command to remove the profile or to set the command to its default.

Step 4  end
        Example: Device(config-wireless-flex-profile)# end
        Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Configuring the Umbrella Flex Profile (GUI)
Procedure

Step 1 Choose Configuration > Tags & Profiles > Flex.
Step 2 Click a Flex Profile Name. The Edit Flex Profile dialog box appears.
Step 3 Under the Umbrella tab, click Add.
Step 4 Select a name for the parameter map from the Parameter Map Name drop-down list and click Save.
Step 5 Click Update & Apply to Device. The configuration changes are applied.

Configuring Umbrella Flex Parameters

Procedure

Step 1  configure terminal
        Example: Device# configure terminal
        Purpose: Enters global configuration mode.

Step 2  wireless profile policy policy-profile-name
        Example: Device(config)# wireless profile policy default-policy-profile
        Purpose: Configures the WLAN policy profile and enters wireless policy profile configuration mode. The policy-profile-name is the WLAN policy profile name.

Step 3  [no] flex umbrella dhcp-dns-option
        Example: Device(config-wireless-policy-profile)# flex umbrella dhcp-dns-option
        Purpose: Configures the Umbrella DHCP option for DNS. By default, the option is enabled.

Step 4  [no] flex umbrella mode {force | ignore}
        Example: Device(config-wireless-policy-profile)# flex umbrella mode force
        Purpose: Configures how client DNS traffic is redirected to Umbrella. With force, the AP redirects all client DNS traffic to Umbrella, including queries addressed to other resolvers; with ignore, queries addressed to other resolvers are left alone, so a client that sets its own DNS server bypasses Umbrella. The default mode is ignore.

Step 5  end
        Example: Device(config-wireless-policy-profile)# end
        Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Configuring the Umbrella Flex Policy Profile (GUI)
Procedure

Step 1 Choose Configuration > Tags & Profiles > Policy.
Step 2 Click Add. The Add Policy Profile dialog box appears.
Step 3 In the Advanced tab, under the Umbrella section, complete the following:
a) Select the parameter map from the Umbrella Parameter Map drop-down list. Click the Clear hyperlink to clear the selection.
b) Click the field adjacent to Flex DHCP Option for DNS to disable the option. By default it is Enabled.
c) Click the field adjacent to DNS Traffic Redirect to set the option to Force. By default it is set to Ignore.
Step 4 Click Apply to Device.

Verifying the Cisco Umbrella Configuration

To view the Umbrella configuration details, use the following command:

Device# show umbrella config
Umbrella Configuration
========================
Token: 5XXXXXXABXXXXXFXXXXXXXXXDXXXXXXXXXXXABXX
API-KEY: NONE
OrganizationID: xxxxxxx
Local Domain Regex parameter-map name: dns_bypass
DNSCrypt: Not enabled
Public-key: NONE
UDP Timeout: 5 seconds
Resolver address:
 1. 10.1.1.1
 2. 5.5.5.5
 3. XXXX:120:50::50
 4. XXXX:120:30::30

To view the device registration details, use the following command:

Device# show umbrella deviceid
Device registration details
Param-Map Name   Status        Device-id
global           200 SUCCESS   010aa4eXXXXXXX8d
vj-1             200 SUCCESS   01XXXXXXXf4541e1
GUEST            200 SUCCESS   010a4f6XXXXXXX42
EMP              200 SUCCESS   0XXXXXXXXd106ecd

To view the detailed description for the Umbrella device ID, use the following command:

Device# show umbrella deviceid detailed
Device registration details
1.global
  Tag           : global
  Device-id     : 010aa4eXXXXXXX8d
  Description   : Device Id recieved successfully
  WAN interface : None
2.vj-1
  Tag           : vj-1
  Device-id     : 01XXXXXXXf4541e1
  Description   : Device Id recieved successfully
  WAN interface : None

To view the Umbrella DNSCrypt details, use the following command:

Device# show umbrella dnscrypt
DNSCrypt: Enabled
Public-key: B111:XXXX:XXXX:XXXX:3E2B:XXXX:XXXX:XXXE:XXX3:3XXX:DXXX:XXXX:BXXX:XXXB:XXXX:FXXX
Certificate Update Status: In Progress

To view the Umbrella global parameter map details, use the following command:
Device# show parameter-map type umbrella global

To view the regex parameter map details, use the following command:
Device# show parameter-map type regex <parameter-map-name>

To view the Umbrella statistical information, use the following command:
Device# show platform hardware chassis active qfp feature umbrella datapath stats

To view the wireless policy profile Umbrella configuration, use the following command:
Device# show wireless profile policy detailed vj-pol-profile | s Umbrella
Umbrella information
 Cisco Umbrella Parameter Map : vj-2
 DHCP DNS Option              : ENABLED
 Mode                         : force

To view the wireless flex profile Umbrella configuration, use the following command:
Device# show wireless profile flex detailed vj-flex-profile | s Umbrella
Umbrella Profiles :
 vj-1
 vj-2
 global

To view the Umbrella details on the AP, use the following command:
AP# show client opendns summary
Server-IP        role
208.67.220.220   Primary
208.67.222.222   Secondary

Server-IP        role
2620:119:53::53  Primary
2620:119:35::35  Secondary

Wlan Id  DHCP OpenDNS Override  Force Mode
0        true                   false
1        false                  false
...
15       false                  false

Profile-name  Profile-id
vj-1          010a29b176b34108
global        010a57bf502c85d4
vj-2          010ae385ce6c1256

To view which Umbrella profile a client is mapped to, use the following command on the AP:
AP# show client opendns address 50:3e:aa:ce:50:17
Client-mac         Profile-name
50:3E:AA:CE:50:17  vj-1
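The registration status and the DNScrypt state shown above are what decide whether a WLAN is actually protected: a parameter map whose registration did not return 200 SUCCESS cannot be applied, and with DNScrypt disabled the redirected queries cross the network in cleartext. The following Python 3 script is an added example, not part of this guide and not Cisco code. It parses the text of show umbrella deviceid and show umbrella config and returns a list of findings. The two samples are constructed, modelled on the outputs above, with made-up device IDs and token and a made-up failed registration row whose exact failure text is an assumption. The set of Umbrella anycast resolver addresses is taken from the show client opendns summary output above.

```python
import re

# Umbrella anycast resolvers, as listed in the "show client opendns summary" output above.
UMBRELLA_RESOLVERS = {"208.67.220.220", "208.67.222.222", "2620:119:53::53", "2620:119:35::35"}

# Constructed sample of "show umbrella deviceid" (device IDs and the failed row are made up).
SAMPLE_DEVICEID = """\
Device registration details
Param-Map Name            Status            Device-id
global                    200 SUCCESS       010aa4e0f1a2b38d
GUEST                     200 SUCCESS       010a4f6c9e7d1042
EMP                       400 FAILURE       -
"""

# Constructed sample of "show umbrella config" (token and organization ID are made up).
SAMPLE_CONFIG = """\
Umbrella Configuration
========================
Token: 5A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D
API-KEY: NONE
OrganizationID: 1234567
Local Domain Regex parameter-map name: dns_bypass
DNSCrypt: Not enabled
Public-key: NONE
UDP Timeout: 5 seconds
Resolver address:
  1. 10.1.1.1
  2. 208.67.222.222
"""

# One registration row: name, three-digit HTTP status, status word, device id.
_ROW = re.compile(r"^(\S+)\s+(\d{3})\s+(\S+)\s+(\S+)\s*$")


def parse_deviceid(text):
    """Map parameter-map name -> (HTTP status code, status word, device id)."""
    rows = {}
    for line in text.splitlines():
        match = _ROW.match(line)
        if match:
            name, code, word, devid = match.groups()
            rows[name] = (int(code), word, devid)
    return rows


def parse_config(text):
    """Return the scalar 'Key: value' fields plus the numbered resolver addresses."""
    cfg = {}
    head, _, tail = text.partition("Resolver address:")
    for line in head.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            cfg[key.strip()] = value.strip()
    cfg["resolvers"] = re.findall(r"\d+\.\s+(\S+)", tail)
    return cfg


def audit(deviceid_text, config_text):
    """Return a list of findings; an empty list means the Umbrella deployment looks sane."""
    findings = []
    for name, (code, word, _) in parse_deviceid(deviceid_text).items():
        if code != 200:
            findings.append(f"parameter map {name!r} is not registered ({code} {word}); "
                            "WLAN and Flex profiles that reference it do not enforce Umbrella")
    cfg = parse_config(config_text)
    if cfg.get("DNSCrypt", "").lower() != "enabled":
        findings.append("DNSCrypt is not enabled: redirected DNS queries leave the controller in cleartext")
    for addr in cfg["resolvers"]:
        if addr not in UMBRELLA_RESOLVERS:
            findings.append(f"resolver {addr} is not an Umbrella anycast address")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_DEVICEID, SAMPLE_CONFIG):
        print("WARNING:", finding)
```

Feed it the real command output captured from the controller (for example via the NETCONF or SSH tooling you already use) and treat any finding as a gap in DNS-layer coverage rather than a cosmetic warning.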

CHAPTER 117
Encrypted Traffic Analytics
· Information About Encrypted Traffic Analytics, on page 1111
· Exporting Records to IPv4 Flow Export Destination, on page 1112
· Exporting Records to IPv6 Flow Export Destination, on page 1113
· Exporting Records to IPv4 and IPv6 Destination over IPFIX, on page 1113
· Allowed List of Traffic, on page 1114
· Configuring Source Interface for Record Export, on page 1115
· Configuring Source Interface for Record Export Without IPFIX, on page 1116
· Configuring ETA Flow Export Destination (GUI), on page 1117
· Enabling In-Active Timer, on page 1117
· Enabling ETA on WLAN Policy Profile, on page 1118
· Attaching Policy Profile to VLAN (GUI), on page 1119
· Attaching Policy Profile to VLAN, on page 1119
· Verifying ETA Configuration, on page 1120
Information About Encrypted Traffic Analytics
Encrypted Traffic Analytics (ETA) uses Flexible NetFlow (FNF) to export information about each flow to collectors, giving visibility into the network, including encrypted traffic, without decrypting it.
Figure 28: Encrypted Traffic Analytics Deployed on Cisco Catalyst 9800 Series Wireless Controller in Local Mode

The wireless clients send data packets to the access point. The packets are then CAPWAP encapsulated and sent to the controller. This means that the actual client data is in the CAPWAP payload. To apply ETA on the client data, you need to strip the CAPWAP header before handing over the packet to the ETA module.
ETA offers the following advantages:
· Enhanced telemetry-based threat analytics.
· Analytics to identify malware.
Starting from Cisco IOS XE Amsterdam 17.1.1s, ETA inspection for IPv6 traffic is supported. ETA inspection for IPv6 traffic is enabled by default and no special configuration is required. This release also supports an allowed list of IPv6 traffic, exporting ETA records to an IPv4 or IPv6 export destination, exporting records over IPFIX (NetFlow v10), and configuring the source interface for ETA exports. The records can be exported to an IPv4 or IPv6 NetFlow collector.

Exporting Records to IPv4 Flow Export Destination
Follow the procedure given below to enable encrypted traffic analytics and configure a flow export destination:

Procedure

Step 1  configure terminal
        Example: Device# configure terminal
        Purpose: Enters global configuration mode.

Step 2  et-analytics
        Example: Device(config)# et-analytics
        Purpose: Enables encrypted traffic analytics.

Step 3  ip flow-export destination ip_address port_number
        Example: Device(config-et-analytics)# ip flow-export destination 120.0.0.1 2055
        Purpose: Configures the NetFlow record export destination. Here, port_number ranges from 1 to 65535.

Step 4  end
        Example: Device(config-et-analytics)# end
        Purpose: Returns to privileged EXEC mode.

Exporting Records to IPv6 Flow Export Destination
Follow the procedure given below to enable encrypted traffic analytics and configure an IPv6 flow export destination.

Procedure

Step 1  configure terminal
        Example: Device# configure terminal
        Purpose: Enters global configuration mode.

Step 2  et-analytics
        Example: Device(config)# et-analytics
        Purpose: Enables encrypted traffic analytics.

Step 3  ipv6 flow-export destination ipv6-address port-number
        Example: Device(config-et-analytics)# ipv6 flow-export destination 2001:181:181::1 2055
        Purpose: Specifies the NetFlow record export destination IPv6 address and port.
        Note The maximum configurable limit for flow-export destinations is four (IPv4 and IPv6 combined).

Step 4  exit
        Example: Device(config-et-analytics)# exit
        Purpose: Returns to global configuration mode.

Exporting Records to IPv4 and IPv6 Destination over IPFIX
Exporting over IPFIX uses bandwidth more efficiently: variable-length fields allow smaller records, which reduces the overall bandwidth required for transmission. Flow export is unauthenticated UDP in either format, so reach the collector over a management or otherwise trusted path.

Procedure

Step 1  configure terminal
        Example: Device# configure terminal
        Purpose: Enters global configuration mode.

Step 2  et-analytics
        Example: Device(config)# et-analytics
        Purpose: Enables encrypted traffic analytics.

Step 3  ip flow-export destination ip-address port-number ipfix
        Example: Device(config-et-analytics)# ip flow-export destination 192.168.19.2 2055 ipfix
        Purpose: Specifies the NetFlow record export destination IP address, port, and format.

Step 4  ipv6 flow-export destination ipv6-address port-number ipfix
        Example: Device(config-et-analytics)# ipv6 flow-export destination 2001:181:181::1 2055 ipfix
        Purpose: Specifies the NetFlow record export destination IPv6 address, port, and format. IPFIX allows you to collect flow information from network devices that support the IPFIX protocol and analyze the traffic flow information by processing it through a NetFlow analyzer.
        Note The maximum configurable limit for flow-export destinations is four (IPv4 and IPv6 combined).

Step 5  exit
        Example: Device(config-et-analytics)# exit
        Purpose: Returns to global configuration mode.
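A collector receiving the ETA records configured above has to decode the IPFIX (NetFlow v10) framing: a 16-byte message header, followed by sets, where a Template Set (set ID 2) describes the record layout and Data Sets (set ID 256 and above) carry records in that layout. The following Python 3 parser is an added example, not part of this guide and not Cisco code. It decodes one IPFIX datagram, learns templates, rejects a NetFlow v9 header, and is exercised on a constructed message that uses standard IANA information elements (addresses, ports, protocol, byte count); the ETA-specific elements the controller exports are not modelled, and the sample values are made up.

```python
import struct
from ipaddress import IPv4Address

IPFIX_VERSION = 10
TEMPLATE_SET_ID = 2

# IANA information element IDs used by the constructed message below.
IE_NAMES = {1: "octetDeltaCount", 4: "protocolIdentifier", 7: "sourceTransportPort",
            8: "sourceIPv4Address", 11: "destinationTransportPort", 12: "destinationIPv4Address"}


def _decode_field(ie_id, raw):
    """IPv4 address elements become dotted strings; everything else is a big-endian integer."""
    if ie_id in (8, 12):
        return str(IPv4Address(raw))
    return int.from_bytes(raw, "big")


def parse_ipfix(message, templates=None):
    """Decode one IPFIX datagram into (header, records).

    Templates learned from Template Sets are stored in `templates`, so passing the same
    dict to later calls lets data-only messages be decoded too.
    """
    templates = {} if templates is None else templates
    version, length, export_time, sequence, domain = struct.unpack("!HHIII", message[:16])
    if version != IPFIX_VERSION:
        raise ValueError(f"not IPFIX: version {version} (NetFlow v9 uses version 9)")
    if length != len(message):
        raise ValueError("IPFIX header length does not match datagram length")
    header = {"export_time": export_time, "sequence": sequence, "observation_domain": domain}
    records, pos = [], 16
    while pos + 4 <= length:
        set_id, set_len = struct.unpack("!HH", message[pos:pos + 4])
        body = message[pos + 4:pos + set_len]
        if set_id == TEMPLATE_SET_ID:
            off = 0
            while off + 4 <= len(body):
                tid, count = struct.unpack("!HH", body[off:off + 4])
                off += 4
                fields = []
                for _ in range(count):
                    ie, flen = struct.unpack("!HH", body[off:off + 4])
                    off += 4
                    if ie & 0x8000:  # enterprise-specific element: a 4-byte PEN follows
                        off += 4
                    fields.append((ie & 0x7FFF, flen))
                templates[tid] = fields
        elif set_id >= 256:
            fields = templates.get(set_id)
            if fields is None:
                raise KeyError(f"data set references unknown template {set_id}")
            rec_len = sum(flen for _, flen in fields)
            off = 0
            while off + rec_len <= len(body):  # any trailing bytes are padding
                rec, f_off = {}, off
                for ie, flen in fields:
                    rec[IE_NAMES.get(ie, f"ie{ie}")] = _decode_field(ie, body[f_off:f_off + flen])
                    f_off += flen
                records.append(rec)
                off += rec_len
        pos += set_len
    return header, records


def build_sample_message():
    """Constructed IPFIX datagram: one template (ID 256) and two data records."""
    layout = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 8)]
    template = struct.pack("!HH", 256, len(layout)) + b"".join(
        struct.pack("!HH", ie, flen) for ie, flen in layout)
    tset = struct.pack("!HH", TEMPLATE_SET_ID, 4 + len(template)) + template
    flows = [("10.1.20.15", "93.184.216.34", 51234, 443, 6, 18344),
             ("10.1.20.15", "10.1.1.1", 53211, 53, 17, 120)]
    recs = b"".join(IPv4Address(src).packed + IPv4Address(dst).packed +
                    struct.pack("!HHBQ", sp, dp, proto, octets)
                    for src, dst, sp, dp, proto, octets in flows)
    dset = struct.pack("!HH", 256, 4 + len(recs)) + recs
    body = tset + dset
    return struct.pack("!HHIII", IPFIX_VERSION, 16 + len(body), 1617235200, 1, 0) + body


if __name__ == "__main__":
    hdr, recs = parse_ipfix(build_sample_message())
    print(hdr)
    for r in recs:
        print(r)
```

Bind a UDP socket on the configured export port (2055 in the examples above) and pass each received datagram to parse_ipfix with a shared templates dict; a KeyError means a data set arrived before its template, which is normal immediately after the exporter starts.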

Allowed List of Traffic
You can add an allowed list of ACLs for both IPv4 and IPv6 traffic. Traffic that matches the allowed list is skipped by ETA inspection, and no records are generated for it.

Before you begin
Configure an IPv4 or IPv6 access list.
· IPv4 ACL: ip access-list standard acl_name
Device(config)# ip access-list standard eta-whitelist_ipv4
· IPv6 ACL: ipv6 access-list acl_name
Device(config)# ipv6 access-list eta-whitelist_ipv6


Procedure

Step 1
configure terminal
Example:
Device# configure terminal
Enters global configuration mode.

Step 2
et-analytics
Example:
Device(config)# et-analytics
Enables encrypted traffic analytics.

Step 3
whitelist acl acl-name
Example:
Device(config-et-analytics)# whitelist acl eta-whitelist
Configures an allowed list for IPv4 or IPv6.
Note You cannot add both IPv4 and IPv6 client traffic simultaneously to an allowed list, as a single ACL cannot have both IPv4 and IPv6 terms.

Step 4
exit
Example:
Device(config-et-analytics)# exit
Returns to global configuration mode.

Step 5
sequence sequence-num permit udp any any eq tftp
Example:
Device(config-ipv6-acl)# sequence 10 permit udp any any eq tftp
(Optional) Configures a sequence number and the access conditions to add any IPv6 TFTP traffic to the allowed list.

Configuring Source Interface for Record Export

Procedure

Step 1
configure terminal
Example:
Device# configure terminal
Enters global configuration mode.

Step 2
et-analytics
Example:
Device(config)# et-analytics
Enables encrypted traffic analytics.

Step 3
ip flow-export destination ip-address port-number source-interface interface-name interface-number ipfix
Example:
Device(config-et-analytics)# ip flow-export destination 192.168.19.2 2055 source-interface loopback0 ipfix
Specifies the NetFlow record export destination IP address, source interface, and format. This allows the ETA export to use the IP address of the specified interface, as against using the IP address of the egress interface as the source address. The source interface is applicable for both IPv4 and IPv6 export destinations.
Note Only one source interface can be specified, and all exports use this source address.

Step 4
ipv6 flow-export destination ipv6-address port-number source-interface interface-name interface-number ipfix
Example:
Device(config-et-analytics)# ipv6 flow-export destination 2001:181:181::1 2055 source-interface Vlan160 ipfix
Specifies the NetFlow record export destination IPv6 address, source interface, and format.

Step 5
exit
Example:
Device(config-et-analytics)# exit
Returns to global configuration mode.

Configuring Source Interface for Record Export Without IPFIX

Procedure

Step 1
configure terminal
Example:
Device# configure terminal
Enters global configuration mode.

Step 2
et-analytics
Example:
Device(config)# et-analytics
Enables encrypted traffic analytics.

Step 3
ip flow-export destination ip-address port-number source-interface interface-name interface-number
Example:
Device(config-et-analytics)# ip flow-export destination 192.168.19.2 2055 source-interface loopback0
Specifies the NetFlow record export destination IP address, source interface, and format.

Step 4
ipv6 flow-export destination ipv6-address port-number source-interface interface-name interface-number
Example:
Device(config-et-analytics)# ipv6 flow-export destination 2001:181:181::1 2055 source-interface Vlan160
Specifies the NetFlow record export destination IPv6 address, source interface, and format.

Step 5
exit
Example:
Device(config-et-analytics)# exit
Returns to global configuration mode.

Configuring ETA Flow Export Destination (GUI)
Procedure

Step 1 Choose Configuration > Services > NetFlow.
Step 2 Click the Add button. The Create NetFlow dialog box appears.
Step 3 Choose any one of the available templates from the Netflow Template drop-down list.
Step 4 Enter an IPv4 or IPv6 address in the Collector Address field.
Step 5 From the Whitelist ACL drop-down list, choose the desired option.
Note To use this option, ensure that you select Encrypted Traffic Analytics from the Netflow Template drop-down list.
Step 6 Enter a port number in the Exporter Port field. You must specify a value between 1 and 65535.
Step 7 Choose the desired option from the Export Interface IP drop-down list.
Step 8 Choose any one of the sampling methods from the Sampling Method drop-down list. The available options are Deterministic, Random, and Full Netflow.
Step 9 Enter a range for the sample. You must specify a value between 32 and 1032.
Step 10 Select the required interfaces/profile from the Available pane and move it to the Selected pane.
Step 11 Click the Save & Apply to Device button.

Enabling In-Active Timer
Follow the procedure given below to enable the inactive timer:

Procedure

Step 1
configure terminal
Example:
Device# configure terminal
Enters global configuration mode.

Step 2
et-analytics
Example:
Device(config)# et-analytics
Configures encrypted traffic analytics.

Step 3
inactive-timeout timeout-in-seconds
Example:
Device(config-et-analytics)# inactive-timeout 15
Specifies the inactive flow timeout value. Here, timeout-in-seconds ranges from 1 to 604800.

Step 4
end
Example:
Device(config-et-analytics)# end
Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Enabling ETA on WLAN Policy Profile
Follow the procedure given below to enable ETA on a WLAN policy profile:

Procedure

Step 1
configure terminal
Example:
Device# configure terminal
Enters global configuration mode.

Step 2
wireless profile policy profile-name
Example:
Device(config)# wireless profile policy default-policy-profile
Creates a policy profile for the WLAN. The profile-name is the profile name of the policy profile.

Step 3
et-analytics enable
Example:
Device(config-wireless-policy)# et-analytics enable
Enables encrypted traffic analytics on the policy.

Step 4
end
Example:
Device(config-wireless-policy)# end
Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.
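The CLI procedures above (export destinations, allowed list, source interface, inactive timer, and enabling ETA on a policy profile) carry limits that are easy to violate when the configuration is generated by a script: four export destinations in total, one source interface, one ACL, and bounded port and timeout values. The following added example is not Cisco code; it renders the et-analytics block and checks those limits first. The EtaConfig class and its field names are assumptions made for illustration.

```python
"""Render a Catalyst 9800 et-analytics configuration block and enforce the
limits stated in the ETA procedures before the lines reach a controller.
Added example; not Cisco code.  Limits checked (all from the guide):
  - at most four flow-export destinations, IPv4 and IPv6 combined
  - a single source interface shared by every export (one field, so it
    cannot be violated by construction)
  - one whitelist ACL; a single ACL cannot mix IPv4 and IPv6 terms
  - inactive-timeout between 1 and 604800 seconds
  - exporter port between 1 and 65535
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MAX_DESTINATIONS = 4           # IPv4 + IPv6 combined
PORT_RANGE = (1, 65535)
TIMEOUT_RANGE = (1, 604800)    # inactive-timeout, seconds


@dataclass
class EtaConfig:
    """Hypothetical container for the knobs the guide's procedures set."""
    destinations: List[Tuple[str, int]] = field(default_factory=list)  # (address, port)
    source_interface: Optional[str] = None   # e.g. "loopback0"; one for all exports
    whitelist_acl: Optional[str] = None      # name of an IPv4 or an IPv6 ACL, not both
    inactive_timeout: Optional[int] = None
    ipfix: bool = True                       # emit the trailing "ipfix" keyword
    policy_profile: Optional[str] = None     # wireless policy profile to enable ETA on


def validate(cfg: EtaConfig) -> List[str]:
    """Return human-readable violations; an empty list means the block is acceptable."""
    problems = []
    if len(cfg.destinations) > MAX_DESTINATIONS:
        problems.append(
            f"{len(cfg.destinations)} flow-export destinations configured; "
            f"limit is {MAX_DESTINATIONS} (IPv4 and IPv6 combined)")
    for addr, port in cfg.destinations:
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            problems.append(f"invalid export destination address {addr!r}")
        if not PORT_RANGE[0] <= port <= PORT_RANGE[1]:
            problems.append(f"exporter port {port} outside {PORT_RANGE[0]}-{PORT_RANGE[1]}")
    t = cfg.inactive_timeout
    if t is not None and not TIMEOUT_RANGE[0] <= t <= TIMEOUT_RANGE[1]:
        problems.append(f"inactive-timeout {t} outside {TIMEOUT_RANGE[0]}-{TIMEOUT_RANGE[1]}")
    return problems


def render(cfg: EtaConfig) -> List[str]:
    """Produce the CLI lines in the order the guide's procedures enter them.

    Raises ValueError instead of emitting a block the controller would reject.
    """
    problems = validate(cfg)
    if problems:
        raise ValueError("; ".join(problems))
    lines = ["et-analytics"]
    for addr, port in cfg.destinations:
        # The address family selects the "ip" or "ipv6" form of the command.
        keyword = "ipv6" if ipaddress.ip_address(addr).version == 6 else "ip"
        parts = [f" {keyword} flow-export destination {addr} {port}"]
        if cfg.source_interface:
            parts.append(f"source-interface {cfg.source_interface}")
        if cfg.ipfix:
            parts.append("ipfix")
        lines.append(" ".join(parts))
    if cfg.whitelist_acl:
        lines.append(f" whitelist acl {cfg.whitelist_acl}")
    if cfg.inactive_timeout is not None:
        lines.append(f" inactive-timeout {cfg.inactive_timeout}")
    lines.append(" exit")
    if cfg.policy_profile:
        # "Enabling ETA on WLAN Policy Profile": ETA only inspects clients of a
        # policy profile that has et-analytics enabled.
        lines += [f"wireless profile policy {cfg.policy_profile}",
                  " et-analytics enable", " end"]
    return lines


if __name__ == "__main__":
    demo = EtaConfig(destinations=[("192.168.19.2", 2055), ("2001:181:181::1", 2055)],
                     source_interface="loopback0", whitelist_acl="eta-whitelist",
                     inactive_timeout=15, policy_profile="default-policy-profile")
    print("\n".join(render(demo)))
```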


Attaching Policy Profile to VLAN (GUI)
Perform the following steps to attach a policy profile to a VLAN.

Procedure

Step 1 Check the RADIUS Profiling checkbox.
Step 2 From the Local Subscriber Policy Name, choose the required policy name.
Step 3 In the WLAN Local Profiling section, enable or disable the Global State of Device Classification, and check the checkboxes for HTTP TLV Caching and DHCP TLV Caching.
Step 4 In the VLAN section, choose the VLAN/VLAN Group from the drop-down list. Enter the Multicast VLAN.
Step 5 In the WLAN ACL section, choose the IPv4 ACL and IPv6 ACL from the drop-down list.
Step 6 In the URL Filters section, choose the Pre Auth and Post Auth from the drop-down list.
Step 7 Click Save & Apply to Device.

Attaching Policy Profile to VLAN
Follow the procedure given below to attach a policy profile to VLAN:

Procedure

Step 1
configure terminal
Example:
Device# configure terminal
Enters global configuration mode.

Step 2
wireless profile policy profile-name
Example:
Device(config)# wireless profile policy default-policy-profile
Creates a policy profile for the WLAN. The profile-name is the profile name of the policy profile.

Step 3
vlan vlan-name
Example:
Device(config-wireless-policy)# vlan vlan-name
Assigns the policy profile to the VLANs.

Step 4
no shutdown
Example:
Device(config-wireless-policy)# no shutdown
Enables the wireless policy profile.


Verifying ETA Configuration
Verifying ETA Globally
To view the ETA global and interface details, use the following command:
Device# show platform software utd chassis active F0 et-analytics global
ET Analytics Global Configuration
ID: 1
All Interfaces: Off
IP address and port and vrf: 192.168.5.2:2055:0

To view the ETA global configuration, use the following command:
Device# show platform software et-analytics global
ET-Analytics Global state
=========================
All Interfaces : Off
IP Flow-record Destination: 192.168.5.2 : 2055
Inactive timer: 15

Note The show platform software et-analytics global command does not display the ETA enabled wireless client interfaces.

To view the ETA global state in the datapath, use the following command:
Device# show platform hardware chassis active qfp feature et-analytics datapath runtime
ET-Analytics run-time information:
Feature state: initialized (0x00000004)
Inactive timeout : 15 secs (default 15 secs)
WhiteList information :
flag: False
cgacl w0 : n/a
cgacl w1 : n/a
Flow CFG information :
instance ID : 0x0
feature ID : 0x1
feature object ID : 0x1
chunk ID : 0xC

To view the ETA memory details, use the following command:
Device# show platform hardware chassis active qfp feature et-analytics datapath memory
ET-Analytics memory information:
Size of FO : 3200 bytes
No. of FO allocs : 0
No. of FO frees : 0

To view the ETA flow export in the datapath, use the following command:
Device# show platform hardware chassis active qfp feature et-analytics datapath stats export
ET-Analytics 192.168.5.2:2055 vrf 0 Stats:
Export statistics:
Total records exported : 5179231
Total packets exported : 3124873
Total bytes exported : 3783900196
Total dropped records : 0
Total dropped packets : 0
Total dropped bytes : 0
Total IDP records exported :
initiator->responder : 1285146
responder->initiator : 979284
Total SPLT records exported:
initiator->responder : 1285146
responder->initiator : 979284
Total SALT records exported:
initiator->responder : 0
responder->initiator : 0
Total BD records exported :
initiator->responder : 0
responder->initiator : 0
Total TLS records exported :
initiator->responder : 309937
responder->initiator : 329469
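These export counters are what an operator polls to confirm that ETA records actually reach the collector. As an added example that is not part of the guide, the following Python parses that output (SAMPLE_EXPORT_STATS is a constructed sample laid out like the one above) and flags the two conditions worth alerting on: nothing exported at all, and dropped records, packets or bytes toward the collector.

```python
"""Parse the export counters of "show platform hardware chassis active qfp
feature et-analytics datapath stats export" and flag conditions that mean
the collector is not receiving ETA records.  Added example, not Cisco code;
SAMPLE_EXPORT_STATS is constructed to match the layout shown in the guide.
"""
import re
from typing import Dict, List

SAMPLE_EXPORT_STATS = """\
ET-Analytics 192.168.5.2:2055 vrf 0 Stats:
Export statistics:
Total records exported : 5179231
Total packets exported : 3124873
Total bytes exported : 3783900196
Total dropped records : 0
Total dropped packets : 0
Total dropped bytes : 0
Total IDP records exported :
initiator->responder : 1285146
responder->initiator : 979284
Total SPLT records exported:
initiator->responder : 1285146
responder->initiator : 979284
Total SALT records exported:
initiator->responder : 0
responder->initiator : 0
Total BD records exported :
initiator->responder : 0
responder->initiator : 0
Total TLS records exported :
initiator->responder : 309937
responder->initiator : 329469
"""

HEADER_RE = re.compile(r"^ET-Analytics (\S+) vrf (\d+) Stats:$")
# "Total IDP records exported :" opens a per-direction section (no value on the line)
SECTION_RE = re.compile(r"^Total (\w+) records exported\s*:\s*$")
# "Total dropped records : 0" is a plain counter
COUNTER_RE = re.compile(r"^Total (\w[\w ]*?)\s*:\s*(\d+)$")
DIRECTION_RE = re.compile(r"^(initiator->responder|responder->initiator)\s*:\s*(\d+)$")


def parse_export_stats(text: str) -> Dict:
    """Return {'collector', 'vrf', 'totals': {name: int}, 'by_type': {type: {direction: int}}}."""
    stats: Dict = {"collector": None, "vrf": None, "totals": {}, "by_type": {}}
    section = None                      # record type whose per-direction lines follow
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            stats["collector"], stats["vrf"] = m.group(1), int(m.group(2))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            stats["by_type"][section] = {}
            continue
        m = COUNTER_RE.match(line)
        if m:
            stats["totals"][m.group(1).strip()] = int(m.group(2))
            section = None
            continue
        m = DIRECTION_RE.match(line)
        if m and section:
            stats["by_type"][section][m.group(1)] = int(m.group(2))
    return stats


def check_export_health(stats: Dict) -> List[str]:
    """Findings worth an alert: ETA is running but the collector sees nothing, or exports drop."""
    findings = []
    totals = stats["totals"]
    target = stats["collector"] or "unknown collector"
    if totals.get("records exported", 0) == 0:
        findings.append(f"no ETA records exported to {target}")
    for key in ("dropped records", "dropped packets", "dropped bytes"):
        if totals.get(key, 0) > 0:
            findings.append(f"{totals[key]} {key} toward {target}")
    return findings


def drop_ratio(stats: Dict) -> float:
    """Share of records dropped rather than exported (0.0 when nothing was counted)."""
    sent = stats["totals"].get("records exported", 0)
    dropped = stats["totals"].get("dropped records", 0)
    return dropped / (sent + dropped) if sent + dropped else 0.0


if __name__ == "__main__":
    parsed = parse_export_stats(SAMPLE_EXPORT_STATS)
    print(parsed["totals"])
    print(parsed["by_type"])
    print(check_export_health(parsed) or ["export healthy"])
```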

To view the ETA flow statistics, use the following command:
Device# show platform hardware chassis active qfp feature et-analytics datapath stats flow
ET-Analytics Stats:
Flow statistics:
feature object allocs : 0
feature object frees : 0
flow create requests : 0
flow create matching : 0
flow create successful: 0
flow create failed, CFT handle: 0
flow create failed, getting FO: 0
flow create failed, malloc FO : 0
flow create failed, attach FO : 0
flow create failed, match flow: 0
flow create, aging already set: 0
flow ageout requests : 0
flow ageout failed, freeing FO: 0
flow ipv4 ageout requests : 0
flow ipv6 ageout requests : 0
flow whitelist traffic match : 0

Verifying ETA on Wireless Client Interface
To view if a policy is configured with ETA, use the following command:
Device# show wireless profile policy detailed default-policy-profile
Policy Profile Name : default-policy-profile
Description : default policy profile
Status : ENABLED
VLAN : 160
Multicast VLAN : 0
Passive Client : DISABLED
ET-Analytics : DISABLED
StaticIP Mobility : DISABLED
WLAN Switching Policy
Central Switching : ENABLED
Central Authentication : ENABLED
Central DHCP : ENABLED
Flex NAT PAT : DISABLED
Central Assoc : ENABLED

To view the ETA status in the wireless client detail, use the following command:
Device# show platform hardware chassis active qfp feature wireless wlclient datapath <client_mac>
Wlclient Details for Client mac: 0026.c635.ebf8
---------------------------------
Input VlanId : 160
Point of Presence : 0
Wlclient Input flags : 9
Instance ID : 3
ETA enabled : True
client_mac_addr : 0026.c635.ebf8
bssid_mac_addr: 58ac.7843.037f
Point of Attachment : 65497
Output vlanId : 160
wlan_output_uidb : -1
Wlclient Output flags : 9
Radio ID : 1
cgacl w0 : 0x0
cgacl w1 : 0x0
IPv6 addr number : 0
IPv6 addr learning : 0

To view clients in the ETA pending wireless client tree, use the following command:
Device# show platform hardware chassis active qfp feature wireless et-analytics eta-pending-client-tree
CPP IF_H  DPIDX       MAC Address     VLAN  AS  MS  WLAN      POA
-----------------------------------------------------------------------------
0X2A      0XA0000001  2c33.7a5b.827b  160   RN  LC  xyz_ssid  0x90000003
0X2B      0XA0000002  2c33.7a5b.80fb  160   RN  LC  xyz_ssid  0x90000003

To view the QFP interface handle, use the following command:
Device# show platform hardware chassis active qfp interface if-handle <qfp_interface_handle>

Device# show platform hardware chassis active qfp interface if-handle 0X29
FIA handle - CP:0x27f3ce8 DP:0xd7142000
LAYER2_IPV4_INPUT_ARL_SANITY
WLCLIENT_INGRESS_IPV4_FWD
IPV4_TVI_INPUT_FIA
>>> ETA FIA Enabled
SWPORT_VLAN_BRIDGING
IPV4_INPUT_GOTO_OUTPUT_FEATURE (M)
Protocol 1 - ipv4_output
FIA handle - CP:0x27f3d30 DP:0xd7141780
IPV4_VFR_REFRAG (M)
IPV4_TVI_OUTPUT_FIA
>>> ETA FIA Enabled
WLCLIENT_EGRESS_IPV4_FWD
IPV4_OUTPUT_DROP_POLICY (M)
DEF_IF_DROP_FIA (M)

Note The qfp_interface_handle ranges from 1 to 4294967295.

To view the ETA pending wireless client tree statistics, use the following command:


Device# show platform hardware chassis active qfp feature wireless et-analytics statistics
Wireless ETA cpp-client plumbing statistics
Number of ETA pending clients : 2
Counter                                              Value
-------------------------------------------------------------------
Enable ETA on wireless client called                 0
Delete ETA on wireless client called                 0
ETA global cfg init cb TVI FIA enable error          0
ETA global cfg init cb output SB read error          0
ETA global cfg init cb output SB write error         0
ETA global cfg init cb input SB read error           0
ETA global cfg init cb input SB write error          0
ETA global cfg init cb TVI FIA enable success        0
ETA global cfg uninit cb ingress feat disable        0
ETA global cfg uninit cb ingress cfg delete e        0
ETA global cfg uninit cb egress feat disable         0
ETA global cfg uninit cb egress cfg delete er        0
ETA pending list insert entry called                 4
ETA pending list insert invalid arg error            0
ETA pending list insert entry exists error           0
ETA pending list insert no memory error              0
ETA pending list insert entry failed                 0
ETA pending list insert entry success                4
ETA pending list delete entry called                 2
ETA pending list delete invalid arg error            0
ETA pending list delete entry missing                0
ETA pending list delete entry remove error           0
ETA pending list delete entry success                2

To view the allowed list configuration, use the following commands:
Device# show platform software et-analytics global
ET-Analytics Global state
=========================
All Interfaces : Off
IP Flow-record Destination: 192.168.5.2 : 2055
Inactive timer: 15
whitelist acl eta-whitelist

Device# show platform hardware chassis active qfp feature et-analytics datapath runtime
ET-Analytics run-time information:
Feature state: initialized (0x00000004)
Inactive timeout : 15 secs (default 15 secs)
WhiteList information :
flag: True
cgacl w0 : 0xd9ae9c80
cgacl w1 : 0x20000000
Flow CFG information :
instance ID : 0x0
feature ID : 0x0
feature object ID : 0x0
chunk ID : 0x4

To view the ETA export statistics, use the following command:
Device# show platform hardware chassis active qfp feature et-analytics datapath stats export
ET-Analytics Stats:
Export statistics:
Total records exported : 5179231
Total packets exported : 3124873
Total bytes exported : 3783900196
Total dropped records : 0
Total dropped packets : 0
Total dropped bytes : 0
Total IDP records exported :
initiator->responder : 1285146
responder->initiator : 979284
Total SPLT records exported:
initiator->responder : 1285146
responder->initiator : 979284
Total SALT records exported:
initiator->responder : 0
responder->initiator : 0
Total BD records exported :
initiator->responder : 0
responder->initiator : 0
Total TLS records exported :
initiator->responder : 309937
responder->initiator : 329469

To view the ETA flow statistics, use the following command:
Device# show platform hardware chassis active qfp feature et-analytics datapath stats flow
ET-Analytics Stats:
Flow statistics:
feature object allocs : 0
feature object frees : 0
flow create requests : 0
flow create matching : 0
flow create successful: 0
flow create failed, CFT handle: 0
flow create failed, getting FO: 0
flow create failed, malloc FO : 0
flow create failed, attach FO : 0
flow create failed, match flow: 0
flow create, aging already set: 0
flow ageout requests : 0
flow ageout failed, freeing FO: 0
flow ipv4 ageout requests : 0
flow ipv6 ageout requests : 0
flow whitelist traffic match : 0

To view the ETA datapath runtime detail, use the following command:
Device# show platform hardware chassis active qfp feature et-analytics datapath runtime
ET-Analytics run-time information:
Feature state : initialized (0x00000004)
Inactive timeout : 15 secs (default 15 secs)
WhiteList information :
flag : True
cgacl w0 : 0xd9ae1e10
cgacl w1 : 0x20000000
Flow CFG information :
instance ID : 0x0
feature ID : 0x0
feature object ID : 0x0
chunk ID : 0x4

CHAPTER 118
FIPS
· FIPS, on page 1125
· Guidelines and Restrictions for FIPS, on page 1126
· FIPS Self-Tests, on page 1126
· Configuring FIPS, on page 1127
· Configuring FIPS in HA Setup, on page 1128
· Verifying FIPS Configuration, on page 1129
Federal Information Processing Standard (FIPS) 140-2 is a security standard used to validate cryptographic modules. The cryptographic modules are produced by the private sector for use by the U.S. government and other regulated industries (such as financial and healthcare institutions) that collect, store, transfer, share and disseminate sensitive but unclassified (SBU) information.
Note Cisco TrustSec (CTS) is not supported when the controller is in FIPS mode.
For more information about FIPS, see https://www.cisco.com/c/en/us/solutions/industries/government/global-government-certifications/fips-140.html.
With FIPS enabled, some passwords and pre-shared keys must have the following minimum lengths:
· For Software-Defined Access Wireless, between the controller and map server, a pre-shared key (for example, the LISP authentication key) is used to authenticate all TCP messages between them. This pre-shared key must be at least 14 characters long.
· The ISAKMP key (for example, the Crypto ISAKMP key) must be at least 14 characters long.
Limitations for FIPS
· The console of APs is disabled when the controller is operating in FIPS mode.
· Weak or legacy ciphers such as SHA1 are not supported in FIPS mode.
· APs do not reload immediately if you change the FIPS status.


Note We recommend a minimum RSA key size of 2048 bits under RADSEC when operating in FIPS mode. Otherwise, RADSEC fails.
Guidelines and Restrictions for FIPS
· In the controller switches, a legacy key is used to support the legacy APs. However, in FIPS mode, the crypto engine detects the legacy key as a weak key and rejects it with the following error message: "% Error in generating keys: could not generate test signature." We recommend that you ignore such error messages displayed during the bootup of the controller (when operating in FIPS mode).
· SSH clients using SHA1 will not be able to access the controller when you enable FIPS.
Note You need to use FIPS-compliant SSH clients to access the controller.
· While configuring a WLAN, ensure that the PSK is at least 14 characters long. If not, the APs will not be able to join the controller after changing tags.
· TrustSec is not supported.
· PAC key configuration is not supported.
FIPS Self-Tests
A cryptographic module must perform power-up self-tests and conditional self-tests to ensure that it is functional. Power-up self-tests run automatically after the device powers up. A device goes into FIPS mode only after all self-tests are successfully completed. If any self-test fails, the device logs a system message and moves into an error state. Also, if a power-up self-test fails, the device fails to boot. In a known-answer test (KAT), a cryptographic algorithm is run on data for which the correct output is already known, and the calculated output is then compared with the previously generated output. If the calculated output does not equal the known answer, the known-answer test fails. Power-up self-tests include the following:
· Software integrity
· Algorithm tests
Conditional self-tests must be run when an applicable security function or operation is invoked. Unlike the power-up self-tests, conditional self-tests are executed each time their associated function is accessed. The device uses a cryptographic algorithm known-answer test (KAT) to test FIPS mode for each FIPS 140-2-approved cryptographic function (encryption, decryption, authentication, and random number generation) implemented on the device. The device applies the algorithm to data for which the correct output is already known. It then compares the calculated output to the previously generated output. If the calculated output does not equal the known answer, the KAT fails. Conditional self-tests include the following:
· Pair-wise consistency test: This test is run when a public or private key pair is generated.
· Continuous random number generator test: This test is run when a random number is generated.
· Bypass
· Software load
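The self-test descriptions above map directly onto a small amount of code. The following added example is not Cisco's implementation: hashlib and hmac stand in for the controller's crypto engine, and the names SelfTestError, MonitoredRng, power_up_self_tests and software_tag are assumptions. It shows a power-up known-answer test against published SHA-256 and HMAC-SHA-256 vectors, a software-integrity check over a constructed image, and the conditional continuous random number generator test, with a failure raising an exception in place of the module's error state.

```python
"""Power-up and conditional self-tests in the shape FIPS 140-2 describes.
Added illustration, not Cisco code: hashlib/hmac play the crypto engine,
and the names below (SelfTestError, MonitoredRng, ...) are assumptions.
A failed test raises SelfTestError, the analogue of the module logging a
system message and entering its error state instead of FIPS mode.
"""
import hashlib
import hmac
import os
from typing import Callable, Dict, List, Tuple

# Published test vectors (not secrets): the FIPS 180 SHA-256 "abc" example
# and RFC 4231 HMAC-SHA-256 test case 2.  Each entry: name, computation, expected.
KNOWN_ANSWERS: List[Tuple[str, Callable[[], str], str]] = [
    ("sha256",
     lambda: hashlib.sha256(b"abc").hexdigest(),
     "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
    ("hmac-sha256",
     lambda: hmac.new(b"Jefe", b"what do ya want for nothing?", hashlib.sha256).hexdigest(),
     "5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843"),
]


class SelfTestError(Exception):
    """A KAT or conditional test failed; the module must not offer crypto services."""


def run_known_answer_tests(answers=KNOWN_ANSWERS) -> Dict[str, bool]:
    """Algorithm tests: run each algorithm on input whose output is known and compare."""
    results = {}
    for name, compute, expected in answers:
        got = compute()
        if not hmac.compare_digest(got, expected):
            raise SelfTestError(f"KAT failed for {name}: got {got}, expected {expected}")
        results[name] = True
    return results


def software_tag(image: bytes, key: bytes) -> str:
    """Integrity tag stored alongside the image at build time (HMAC-SHA-256 here)."""
    return hmac.new(key, image, hashlib.sha256).hexdigest()


def verify_software_integrity(image: bytes, key: bytes, expected_tag: str) -> bool:
    """Software integrity test: recompute the tag over the loaded image and compare."""
    if not hmac.compare_digest(software_tag(image, key), expected_tag):
        raise SelfTestError("software integrity test failed: image tag mismatch")
    return True


def power_up_self_tests(image: bytes, key: bytes, expected_tag: str) -> Dict[str, bool]:
    """Everything that must pass before the module may enter FIPS mode."""
    results = {"software-integrity": verify_software_integrity(image, key, expected_tag)}
    results.update(run_known_answer_tests())
    return results


class MonitoredRng:
    """Continuous random number generator test (a conditional self-test).

    The first block produced is withheld and kept only for comparison; every
    later block is compared with its predecessor, and a repeat is a failure,
    since a healthy generator never returns the same block twice in a row.
    """

    def __init__(self, source: Callable[[int], bytes] = os.urandom, block_size: int = 16):
        self.source = source
        self.block_size = block_size
        self.previous: bytes = source(block_size)   # withheld, never released

    def random_bytes(self) -> bytes:
        block = self.source(self.block_size)
        if block == self.previous:
            raise SelfTestError("continuous RNG test failed: generator repeated a block")
        self.previous = block
        return block


def passes(test: Callable[[], object]) -> bool:
    """True if a self-test callable completes without raising SelfTestError."""
    try:
        test()
        return True
    except SelfTestError:
        return False


if __name__ == "__main__":
    image = b"constructed firmware image"        # stand-in for the software image
    key = b"constructed-integrity-key"           # stand-in for the baked-in HMAC key
    print(power_up_self_tests(image, key, software_tag(image, key)))
    print(MonitoredRng().random_bytes().hex())
```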

Configuring FIPS
Ensure that both the active and standby controllers have the same FIPS authorization key.

Procedure

Step 1
configure terminal
Example:
Device# configure terminal
Enters global configuration mode.

Step 2
fips authorization-key key
Example:
Device(config)# fips authorization-key 12345678901234567890123456789012
Enables FIPS mode. The key must be 32 hexadecimal characters long. To disable FIPS mode on the device, use the no form of this command.
Note When FIPS is enabled, you may need to trigger more than one factory reset using the reset button.

Step 3
end
Example:
Device(config)# end
Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

What to do next
You must reboot the controller whenever you enable or disable FIPS mode.


Configuring FIPS in HA Setup
While bringing up an HA pair in FIPS mode, you must configure both the active and standby controllers with the same FIPS authorization key independently, before forming the HA pair. If you configure the FIPS authorization key after forming the HA pair, the FIPS authorization key configuration is not synced to the standby, and rebooting the HA pair in this state causes a reload loop. To avoid this, perform the following:
· Break the HA pair.
· Configure the same FIPS authorization key independently on both members.
· Pair up the members.
To configure FIPS in an HA setup, perform the following:
1. Power off both members of the stack.
2. Power on only member1, and wait for the controller to come up and prompt for login on the console.
3. Log in with your valid credentials, and execute the following commands:
show fips status
show fips authorization-key
show romvar
show chassis
Note Keep the configured FIPS authorization key handy.
4. Configure the FIPS key, if you have not configured one earlier.
conf t
fips authorization-key <32 hex char>
5. Save and power off member1.
6. Power on only member2, and wait for the controller to come up and prompt for login on the console.
7. Log in with your valid credentials, and execute the following commands:
show fips status
show fips authorization-key
show romvar
show chassis
Note Keep the configured FIPS authorization key handy.
8. Configure the FIPS key, if you have not configured one earlier.


Note The key value must be the same on both members of the stack.
conf t
fips authorization-key <32 hex char>
9. Save and power off member2.
10. Power on both members together, and wait for the stack to form.
11. Monitor for any crash or unexpected reload.
Note The members are not expected to reload because of a FIPS issue.
Verifying FIPS Configuration
You can verify the FIPS configuration using the following commands.
Use the following show command to display the installed authorization key:
Device# show fips authorization-key
FIPS: Stored key (16) : 12345678901234567890123456789012
Use the following show command to display the status of FIPS on the device:
Device# show fips status
Chassis is running in fips mode


CHAPTER 119
Device Analytics
· Device Analytics, on page 1131
· Adaptive 802.11r, on page 1134
Device Analytics
Information About Device Analytics
The Device Analytics feature enhances the enterprise Wi-Fi experience for client devices to ensure seamless connectivity. This feature provides a set of data analytics tools for analyzing wireless client device behavior. With device profiling enabled on the controller, information is exchanged between the client device and the controller and AP. This data is encrypted using AES-256-CBC to ensure device security.

Note From the 17.1.1 release onwards, this feature is applicable to Samsung devices.

Note Apple clients such as iPhones and iPads use 802.11k action frames to send device information to the controller. When they fail to send 802.11k action frames, the controller does not perform device classification based on the 802.11 protocol and falls back to legacy device classification, which is based on the HTTP and DHCP protocols.
Restrictions for Device Analytics
· This feature is applicable only to Cisco device ecosystem partners.
· This feature is supported only on 802.11ax and Wave 2 APs.
· This feature is supported using central authentication in either local mode or FlexConnect mode.


Configuring Device Analytics (GUI)
Procedure

Step 1 Choose Configuration > Tags & Profiles > WLANs.
Step 2 On the WLANs page, click the name of the WLAN.
Step 3 In the Edit WLAN window, click the Advanced tab.
Step 4 In the Device Analytics section, select the Advertise Support check box.
Step 5 (Optional) In the Device Analytics section, select the Share Data with Client check box.
Step 6 Click Update & Apply to Device.

Configuring Device Analytics (CLI)

Procedure

Step 1
configure terminal
Example:
Device# configure terminal
Enters global configuration mode.

Step 2
wlan wlan-name wlan-id SSID-name
Example:
Device(config)# wlan device_analytics 1 device_analytics
Enters the WLAN configuration sub-mode.
· wlan-name: Enter the profile name. The range is from 1 to 32 alphanumeric characters.
· wlan-id: Enter the WLAN ID. The range is from 1 to 512.
· SSID-name: Enter the Service Set Identifier (SSID) for this WLAN. If the SSID is not specified, the WLAN profile name is set as the SSID.
Note If you have already configured the WLAN, enter the wlan wlan-name command.

Step 3
client association limit {clients-per-wlan | ap clients-per-ap-per-wlan | radio clients-per-ap-radio-per-wlan}
Example:
Device(config)# client association limit 11
Sets the maximum number of clients, clients per AP, or clients per AP radio that can be configured on a WLAN.

Step 4
[no] device-analytics
Example:
Device(config)# device-analytics
Enables or disables device analytics. WLANs advertise analytics capability in beacons & probe responses. This is enabled by default.

Step 5
[no] device-analytics [export]
Example:
Device(config)# device-analytics export
When the export option is set, the information from Cisco devices is shared with compatible clients (such as Samsung devices). Here, information from Cisco devices refers to the Cisco controller details, AP version, and model number. This configuration is disabled by default.

Step 6
no shutdown
Example:
Device(config)# no shutdown
Enables the WLAN.

Step 7
end
Example:
Device(config)# end
Returns to privileged EXEC mode.

Verifying Device Analytics Configuration

To view the status of device analytics export, use the following command:
Device# show wlan 1 test-wlan
WLAN Profile Name : test-wlan
================================================
Identifier : 1
Description :
Network Name (SSID) : test-open-ssid
Status : Enabled
Broadcast SSID : Enabled
Advertise-Apname : Disabled
Universal AP Admin : Disabled
Device Analytics
Advertise Support : Enabled
Share Data with Client : Disabled

To view client device information, use the following command:
Device# show device classifier mac-address 0040.96ae.xxx detail
Client Mac: 0040.96ae.xxxx
Device Type: Samsung Galaxy S10e(Phone)
Confidence Level: 40
Device Name: android-dhcp-9
Software Version(Carrier Code): SD7(TMB)
Device OS: Android 9
Device Vendor: android-dhcp-9
Country: US


To view the last disconnect reason, use the following command:
Device# show device classifier mac-address 0040.96ae.xxxx detail
Client MAC Address : 0040.96ae.xxxx
Client IPv4 Address : 12.1.0.52
Client IPv6 Addresses : fe80::631b:5b4f:f9b6:53cc
Client Username: N/A
AP MAC Address : 7069.5a51.53c0
AP Name: AP4C77.6D9E.61B2
AP slot : 1
Client State : Associated
Assisted Roaming Neighbor List
Nearby AP Statistics:
EoGRE : No/Simple client
Last Disconnect Reason : User initiated disconnection - Device was powered off or Wi-Fi turned off
Adaptive 802.11r
Information About Adaptive 802.11r
The Cisco device ecosystem partner now supports 11r functionality on an adaptive 802.11r SSID. Samsung is one of the partners.
Note The Adaptive 802.11r is enabled by default. This means that when you create a WLAN, the adaptive 802.11r is configured by default.
Client device information, such as the model number and supported operating system, is shared with the controller and AP, while the device receives information such as the controller and AP type and software release. This also enables 802.11r-compatible devices to benefit from adaptive 802.11r on Cisco networks. The ecosystem is especially useful when troubleshooting device disconnection from the AP, because the controller receives information such as the disconnect reason code from the client device.
Note Devices without 11r support cannot join an SSID where 11r is enabled. To use 11r on devices that support it while still serving the non-11r devices in the network, create one SSID with 11r enabled and a separate SSID with 11r disabled. Adaptive dot11r is supported by Apple iPad, Apple iPhone, and Samsung S10 devices. Some software updates on these devices cause a MIC mismatch error, but these errors are transient and the clients associate to the SSID successfully on subsequent attempts.

Configuring Adaptive 802.11r (GUI)
Procedure

Step 1  Choose Configuration > Tags & Profiles > WLANs.
Step 2  On the WLANs page, click the name of the WLAN.
Step 3  In the Edit WLAN window, click the Security > Layer2 tab.
Step 4  In the WPA Parameters section, from the Fast Transition drop-down list, choose Adaptive Enabled.
Step 5  Click Update & Apply to Device.

Verifying Adaptive 802.11r
To view the details, use the following command:
Device# show running-config all

wlan test-psk 2 test-psk
 security ft adaptive

The adaptive keyword is optional.

Note The following command enables or disables adaptive 11r: [no] security ft adaptive
The following command enables or disables 802.11r: [no] security ft

CHAPTER 120

Advanced WIPS

· Feature History for Advanced WIPS, on page 1137
· Information About Advanced WIPS, on page 1137
· Enabling Advanced WIPS, on page 1140
· Advanced WIPS Solution Components, on page 1141
· Supported Modes and Platforms, on page 1141
· Enabling Advanced WIPS (GUI), on page 1142
· Enabling Advanced WIPS (CLI), on page 1142
· Viewing Advanced WIPS Alarms (GUI), on page 1143
· Verifying Advanced WIPS, on page 1143

Feature History for Advanced WIPS

This table provides release and related information for the features explained in this module. These features are available in all releases subsequent to the one in which they were introduced, unless noted otherwise.

Table 52: Feature History for Advanced WIPS

Release                         Feature Name               Feature Information
Cisco IOS XE Bengaluru 17.5.1   Advanced WIPS Signatures   Up to 15 additional signatures are supported.

Information About Advanced WIPS
The Cisco Advanced Wireless Intrusion Prevention System (aWIPS) is a wireless intrusion threat detection and mitigation mechanism. The aWIPS uses an advanced approach to wireless threat detection and performance management. The AP detects threats and generates alarms. It combines network traffic analysis, network device and topology information, signature-based techniques, and anomaly detection to deliver highly accurate and complete wireless threat prevention.
With a fully infrastructure-integrated solution, you can continually monitor wireless traffic on both wired and wireless networks and use that network intelligence to analyze attacks from multiple sources to accurately pinpoint and proactively prevent attacks, rather than wait until damage or exposure has occurred.

The following table shows the alarms introduced from Cisco IOS XE Bengaluru 17.5.1 onwards:
Table 53: Advanced WIPS Signatures and Definitions: From Cisco IOS XE Bengaluru 17.5.1 Onwards

Advanced WIPS Signature: Deauthentication Flood by Pair
Definition: In the enhanced threat context, both the source (attacker) and the destination (victim) of the attack are visible (Track by Pair).

Advanced WIPS Signature: Fuzzed Beacon
Definition: A fuzzed beacon is when invalid, unexpected, or random data is introduced into a beacon and the modified frames are replayed into the air. This causes unexpected behavior on the destination device, including driver crashes, operating system crashes, and stack-based overflows, which in turn can allow arbitrary code execution on the affected system.

Advanced WIPS Signature: Fuzzed Probe Request
Definition: A fuzzed probe request is when invalid, unexpected, or random data is introduced into a probe request and the modified frames are replayed into the air.

Advanced WIPS Signature: Fuzzed Probe Response
Definition: A fuzzed probe response is when invalid, unexpected, or random data is introduced into a probe response and the modified frames are replayed into the air.

Advanced WIPS Signature: PS Poll Flood by Signature
Definition: A PS poll flood is when a potential attacker spoofs the MAC address of a wireless client and sends out a flood of PS-Poll frames. The AP sends its buffered data frames to the wireless client, which misses them because it may be in power save mode.

Advanced WIPS Signature: Eapol Start V1 Flood by Signature
Definition: An Extensible Authentication Protocol over LAN (EAPOL) start flood is when an attacker attempts to bring down the AP by flooding it with EAPOL-Start frames to exhaust the AP's internal resources.

Advanced WIPS Signature: Reassociation Request Flood by Destination
Definition: A reassociation request flood is when a specific device floods the AP with a large number of emulated and spoofed client reassociations to exhaust the AP's resources, particularly the client association table. When the client association table overflows, legitimate clients cannot associate, resulting in a DoS attack.

Advanced WIPS Signature: Beacon Flood by Signature
Definition: A beacon flood is when stations actively searching for a network are bombarded with beacons from networks generated using different MAC addresses and SSIDs. This flood prevents a valid client from detecting the beacons sent by corporate APs, resulting in a DoS attack.

Advanced WIPS Signature: Probe Response Flood by Destination
Definition: A probe response flood is when a device floods clients with a large number of spoofed probe responses from the AP. This prevents clients from detecting the valid probe responses sent by the corporate APs.

Advanced WIPS Signature: Block Ack Flood by Signature
Definition: A block ack flood is when an attacker transmits an invalid Add Block Acknowledgement (ADDBA) frame to the AP while spoofing the MAC address of a valid client. This causes the AP to ignore any valid traffic transmitted from the client until it reaches the invalid frame range.

Advanced WIPS Signature: Airdrop Session
Definition: Airdrop session refers to the Apple feature called AirDrop, which sets up a peer-to-peer link for file sharing. This can create a security risk because of unauthorized peer-to-peer networks created dynamically in your WLAN environment.

Advanced WIPS Signature: Malformed Association Request
Definition: A malformed association request is when an attacker sends a malformed association request to trigger bugs in the AP, resulting in a DoS attack.

Advanced WIPS Signature: Authentication Failure Flood by Signature
Definition: An authentication failure flood is when a specific device floods the AP with invalid authentication requests spoofed from a valid client, resulting in disconnection.

Advanced WIPS Signature: Invalid MAC OUI by Signature
Definition: Invalid MAC OUI is when a spoofed MAC address that does not have a valid OUI is used.

Advanced WIPS Signature: Malformed Authentication
Definition: Malformed authentication is when an attacker sends malformed authentication frames that can expose vulnerabilities in some drivers.
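The definitions above describe the detection patterns in words. As an added illustration (not Cisco's aWIPS engine), the Python below runs two of them over a constructed frame list: Deauthentication Flood by Pair, counting deauthentication frames per source/destination pair in a sliding window so that both attacker and victim are reported, and Invalid MAC OUI by Signature, checking the first three octets of the source address against a known-OUI list. The window size, threshold, OUI allow-list and the frame tuple layout are assumptions chosen for the example, not Cisco's tuned values.

```python
"""Sliding-window detection for two of the aWIPS signatures defined above.

Added illustration, not the Cisco aWIPS engine. Frames are constructed
tuples (time_ms, subtype, src, dst); the window, threshold and OUI list are
assumptions for this example.
"""
from collections import defaultdict, deque

DEAUTH = "deauth"
# Constructed allow-list: first three octets (Cisco dotted notation) of the
# addresses that appear in this guide's sample output.
KNOWN_OUIS = {"0040.96", "7069.5a", "4c77.6d"}

# Constructed capture: 30 deauth frames in 1.5 s from a locally administered
# address against one client, plus three benign frames.
SAMPLE_FRAMES = (
    [(50 * i, DEAUTH, "0200.dead.beef", "0040.96ae.0001") for i in range(30)]
    + [(500, "data", "0040.96ae.0002", "7069.5a51.53c0"),
       (700, DEAUTH, "7069.5a51.53c0", "0040.96ae.0003"),   # one AP-initiated deauth
       (900, "probe_req", "0200.dead.beef", "ffff.ffff.ffff")]
)


class PairFloodDetector:
    """Deauthentication Flood by Pair: count deauth frames per (src, dst)
    over a sliding window so both attacker and victim are reported."""

    def __init__(self, window_ms=1000, threshold=20):
        self.window_ms = window_ms
        self.threshold = threshold
        self.windows = defaultdict(deque)   # (src, dst) -> timestamps in window

    def feed(self, frame):
        t, subtype, src, dst = frame
        if subtype != DEAUTH:
            return None
        q = self.windows[(src, dst)]
        q.append(t)
        while t - q[0] > self.window_ms:    # expire timestamps outside the window
            q.popleft()
        if len(q) >= self.threshold:
            return ("Deauthentication Flood by Pair", src, dst)
        return None


def invalid_oui(mac, known=KNOWN_OUIS):
    """Invalid MAC OUI by Signature: the OUI (first three octets) is unknown."""
    return mac[:7] not in known


def run(frames):
    """Feed frames in time order; return the distinct alarms raised."""
    detector = PairFloodDetector()
    alarms = []
    for frame in sorted(frames):
        candidates = [detector.feed(frame)]
        if invalid_oui(frame[2]):
            candidates.append(("Invalid MAC OUI by Signature", frame[2], None))
        for alarm in candidates:
            if alarm and alarm not in alarms:
                alarms.append(alarm)
    return alarms
```

The pair-keyed window is what makes the alarm name the victim as well as the attacker; keying on the source alone (the "by Source" variants in the verification output later in this chapter) would report only the sender.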

The following table shows the alarms introduced prior to Cisco IOS XE Bengaluru 17.5.1:
Table 54: Advanced WIPS Signatures: Prior to Cisco IOS XE Bengaluru 17.5.1

Advanced WIPS Signatures
· Authentication Flood Alarm
· Association Flood Alarm
· Broadcast Probe Flood Alarm
· Disassociation Flood Alarm
· Broadcast Dis-Association Flood Alarm
· De-Authentication Flood Alarm
· Broadcast De-Authentication Flood Alarm
· EAPOL-Logoff Flood Alarm
· CTS Flood Alarm
· RTS Flood Alarm

Guidelines and Restrictions
· In the aWIPS profile, Cisco Aironet 1850 Series Access Points, Cisco Catalyst 9117 Series Access Points, and Cisco Catalyst 9130AX Series Access Points can detect an EAPOL logoff attack and raise the corresponding alarm only while off-channel. They cannot detect an EAPOL logoff attack or raise the alarm on-channel.
· aWIPS profile download is not supported when Cisco DNA Center is configured using a fully qualified domain name (FQDN).

Enabling Advanced WIPS

From Cisco IOS XE Release 17.5.1 onwards, aWIPS security gets a higher priority than Hyperlocation. The following are the possible scenarios.

This table is applicable for all modes except Monitor mode.

Hyperlocation   Advanced WIPS   Effective Feature
Enable          Enable          aWIPS (7)
Enable          Disable         Hyperlocation
Disable         Disable         Hyperlocation and aWIPS are disabled.
Disable         Enable          aWIPS

7 In modes other than the Monitor mode, if both aWIPS and Hyperlocation are enabled, only aWIPS is available.

This table is applicable for Monitor mode.

Hyperlocation   Advanced WIPS   Effective Feature
Enable          Enable          aWIPS and Hyperlocation (8)
Disable         Enable          aWIPS (9)
Enable          Disable         Hyperlocation
Disable         Disable         Hyperlocation and aWIPS are disabled.

8 In Monitor mode, if both aWIPS and Hyperlocation are enabled, both aWIPS and Hyperlocation are available.
9 To monitor the status of aWIPS and Hyperlocation simultaneously on an AP, use the show capwap client rcb command.

Advanced WIPS Solution Components
The aWIPS solution comprises the following components:
· Cisco Catalyst 9800 Series Wireless Controller
· Cisco Aironet Wave 2 APs
· Cisco DNA Center

Because the aWIPS functionality is integrated into Cisco DNA Center, the aWIPS can configure and monitor WIPS policies and alarms and report threats. aWIPS supports the following capabilities:
· Static signatures. From Cisco IOS XE 17.4.1 onwards, Cisco DNA Center can change threshold values and push new signature files to the AP.
· Enable or disable signature forensic capture from Cisco DNA Center.
· Standalone signature detection only
· Alarms only
· GUI support
· CLIs to view alarms
· Static signature file packaged with the controller and AP image
· Export of alarms to Cisco DNA Center through the WSA channel

Note aWIPS alarm details such as the AP MAC address, alarm ID, alarm string, and signature ID are displayed on the Cisco Catalyst 9800 series wireless controller GUI.
Supported Modes and Platforms
aWIPS is supported on the following controllers:
· Cisco Catalyst 9800 Series Wireless Controllers
· Cisco Embedded Wireless Controller on Catalyst Access Points

Note aWIPS is not supported on Cisco IOS APs.

Enabling Advanced WIPS(GUI)
Procedure

Step 1  Choose Configuration > Tags & Profiles > AP Join.
Step 2  Click Add. The Add AP Join Profile window is displayed.
Step 3  In the Add AP Join Profile window, click the Security tab.
Step 4  Under the aWIPS section, check the aWIPS Enable check box.
Step 5  Click Apply to Device. You are returned to the General tab.
Step 6  Click the Security tab.
Step 7  Under the aWIPS section, check the Forensic Enable check box.
Step 8  Click Apply to Device.

Enabling Advanced WIPS (CLI)
To enable aWIPS from the controller and ensure that aWIPS has higher priority than Hyperlocation, perform the following:

Procedure

Step 1  configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2  ap profile profile-name
Example:
Device(config)# ap profile ap-profile-name
Purpose: Creates or enters the named AP profile.

Step 3  awips
Example:
Device(config-ap-profile)# awips
Purpose: Enables aWIPS.
Note aWIPS is disabled by default on the controller.

Step 4  awips forensic
Example:
Device(config-ap-profile)# awips forensic
Purpose: Enables forensics for aWIPS alarms.

Step 5  hyperlocation
Example:
Device(config-ap-profile)# hyperlocation
Purpose: Enables Hyperlocation on all the supported APs that are associated with this AP profile.

Step 6  end
Example:
Device(config-ap-profile)# end
Purpose: Returns to privileged EXEC mode.

Viewing Advanced WIPS Alarms (GUI)
Procedure

Step 1  Navigate to Monitoring > Security > aWIPS.
Step 2  To view the details of the alarms in the last 5 minutes, click the Current Alarms tab.
Step 3  To view the alarm count over an extended period of time (hourly, for a day (24 hours), or more), click the Historical Statistics tab.
Step 4  Sort or filter the alarms based on the following parameters:
· AP Radio MAC address
· Alarm ID
· Time Stamp
· Signature ID
· Alarm Description
· Alarm Message Index

Verifying Advanced WIPS

To view the aWIPS status, use the show awips status radio_mac command:
Device# show awips status 0xx7.8xx8.2xx0

AP Radio MAC     AWIPS Status   Forensic Capture Status   Alarm Message Count
----------------------------------------------------------------------------------
0xx7.8xx8.2xx0   ENABLED        CONFIG_NOT_ENABLED        14691

The various aWIPS status indicators are:
· ENABLED: aWIPS is enabled.
· NOT_SUPPORTED: The AP does not support aWIPS.
· CONFIG_NOT_ENABLED: aWIPS is not enabled on the AP.

To view details of specific alarm signatures, use the show awips alarm signature signature_id command:
Device# show awips alarm signature 10001

AP Radio MAC     AlarmID   Timestamp             SignatureID   Alarm Description      Message Index
-----------------------------------------------------------------------------------------------------------------
0xx7.8xx8.2f80   1714      11/02/2020 13:02:19   10001         Authentication Flood   3966

To view alarm message statistics, use the show awips alarm statistics command:

Device# show awips alarm statistics

To view a list of alarms since the last clear, use the show awips alarm ap ap_mac detailed command:
Device# show awips alarm ap 0xx7.8xx8.2f80 detailed

AP Radio MAC     AlarmID   Timestamp             SignatureID   Alarm Description
---------------------------------------------------------------------------------------------------------------
0xx7.8xx8.2f80   2491      08/02/2022 17:44:40   10009         RTS Flood

To view detailed alarm information, use the show awips alarm detailed command:
Device# show awips alarm detailed

AP Radio MAC     AlarmID   Timestamp             SignatureID   Alarm Description
--------------------------------------------------------------------------------------------------
7xx3.5xxd.d360   1         10/29/2020 23:21:27   10001         Authentication Flood by Source
dxxc.3xx5.9460   71        10/29/2020 23:21:27   10001         Authentication Flood by Source
7xx3.5xxd.d360   2         10/29/2020 23:21:28   10002         Association Request Flood by Destination
dxxc.3xx5.9460   72        10/29/2020 23:21:28   10002         Association Request Flood by Destination

To view the alarms on a specific AP, use the show awips alarm ap radio_mac detailed command:
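The show awips alarm detailed listing above is the raw material for triage. The following Python, added here as an example and not a Cisco tool, parses that output (a constructed sample built from the rows shown above plus one extra row) into records, counts alarms per signature, and groups alarms of the same signature that several radios raised within a short skew, which separates an attack observed from multiple APs from a single radio's view. The column regex, the skew window and the sample rows are assumptions.

```python
"""Parse 'show awips alarm detailed' output and correlate alarms across radios.

Added example, not Cisco code. The regex assumes the five-column layout of
the output shown above; SAMPLE_OUTPUT is constructed from those rows.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

ALARM_LINE = re.compile(
    r"^(?P<radio>[0-9a-fx]{4}\.[0-9a-fx]{4}\.[0-9a-fx]{4})\s+"   # 'x' = redacted digit
    r"(?P<alarm_id>\d+)\s+"
    r"(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<sig>\d+)\s+"
    r"(?P<desc>\S.*?)\s*$"
)

SAMPLE_OUTPUT = """\
AP Radio MAC    AlarmID  Timestamp            SignatureID  Alarm Description
------------------------------------------------------------------------------
7xx3.5xxd.d360  1        10/29/2020 23:21:27  10001        Authentication Flood by Source
dxxc.3xx5.9460  71       10/29/2020 23:21:27  10001        Authentication Flood by Source
7xx3.5xxd.d360  2        10/29/2020 23:21:28  10002        Association Request Flood by Destination
dxxc.3xx5.9460  72       10/29/2020 23:21:28  10002        Association Request Flood by Destination
7xx3.5xxd.d360  3        10/29/2020 23:25:01  10009        RTS Flood
"""


def parse_alarms(text):
    """Return one dict per alarm row; header, separator and prompt lines are skipped."""
    alarms = []
    for line in text.splitlines():
        m = ALARM_LINE.match(line.strip())
        if m:
            alarms.append({
                "radio": m["radio"],
                "alarm_id": int(m["alarm_id"]),
                "time": datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S"),
                "signature": int(m["sig"]),
                "description": m["desc"],
            })
    return alarms


def count_by_signature(alarms):
    return Counter(a["signature"] for a in alarms)


def correlate(alarms, max_skew_s=2):
    """Group alarms of one signature whose timestamps lie within max_skew_s of
    the group's first alarm, and return the groups raised by more than one
    radio as (signature, first_time, sorted radios)."""
    by_sig = defaultdict(list)
    for a in sorted(alarms, key=lambda a: a["time"]):
        by_sig[a["signature"]].append(a)
    correlated = []
    for sig, rows in by_sig.items():
        groups, current = [], []
        for a in rows:
            if current and (a["time"] - current[0]["time"]).total_seconds() > max_skew_s:
                groups.append(current)
                current = []
            current.append(a)
        groups.append(current)
        for g in groups:
            radios = sorted({x["radio"] for x in g})
            if len(radios) > 1:
                correlated.append((sig, g[0]["time"], radios))
    return correlated
```

On the sample rows, both flood signatures are reported by two radios in the same second, which is what you would expect for a single attacker within range of two APs; the RTS Flood row, seen by one radio only, is left out of the correlated list.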

CHAPTER 121
Wi-Fi Protected Access 3
· Simultaneous Authentication of Equals, on page 1145
· Opportunistic Wireless Encryption, on page 1146
· Configuring SAE (WPA3+WPA2 Mixed Mode), on page 1146
· Configuring WPA3 Enterprise (GUI), on page 1147
· Configuring WPA3 Enterprise, on page 1148
· Configuring the WPA3 OWE, on page 1149
· Configuring WPA3 OWE Transition Mode (GUI), on page 1150
· Configuring WPA3 OWE Transition Mode, on page 1150
· Configuring WPA3 SAE (GUI), on page 1152
· Configuring WPA3 SAE, on page 1153
· Configuring Anti-Clogging and SAE Retransmission (GUI), on page 1154
· Configuring Anti-Clogging and SAE Retransmission, on page 1155
· Verifying WPA3 SAE and OWE, on page 1156
Simultaneous Authentication of Equals
WPA3 is the latest version of Wi-Fi Protected Access (WPA), a suite of protocols and technologies that provide authentication and encryption for Wi-Fi networks. WPA3 uses Simultaneous Authentication of Equals (SAE) to give users stronger protection against password-guessing attempts by third parties. SAE uses discrete-logarithm cryptography to perform an efficient exchange that mutually authenticates the two parties with a password in a way that is resistant to an offline dictionary attack. In an offline dictionary attack, an adversary attempts to determine the network password by trying candidate passwords without further network interaction. WPA3-Personal brings better protection to individual users through more robust password-based authentication, making a brute-force dictionary attack much more difficult and time-consuming, while WPA3-Enterprise provides higher-grade security protocols for sensitive data networks. When a client connects to an access point, the two perform an SAE exchange. If it succeeds, each side derives a cryptographically strong key, from which the session key is derived. The client and access point go through a commit phase followed by a confirm phase; once the commitment has been made, they enter the confirm state each time a session key is to be generated. The method provides forward secrecy: an intruder who recovers a single session key cannot recover the other keys.
Opportunistic Wireless Encryption
Opportunistic Wireless Encryption (OWE) is an extension to IEEE 802.11 that provides encryption of the wireless medium. The purpose of OWE-based authentication is to avoid open, unsecured wireless connectivity between APs and clients. OWE uses Diffie-Hellman-based cryptography to set up the wireless encryption: during the access procedure, the client and AP perform a Diffie-Hellman key exchange and use the resulting pairwise secret with the 4-way handshake. OWE enhances wireless network security in deployments where open or shared-PSK networks are used.

Configuring SAE (WPA3+WPA2 Mixed Mode)
Follow the procedure given below to configure WPA3+WPA2 mixed mode for SAE.

Procedure

Step 1  configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2  wlan wlan-name wlan-id SSID-name
Example:
Device(config)# wlan WPA3 1 WPA3
Purpose: Enters the WLAN configuration sub-mode.

Step 3  no security wpa akm dot1x
Example:
Device(config-wlan)# no security wpa akm dot1x
Purpose: Disables the 802.1X AKM.

Step 4  no security ft over-the-ds
Example:
Device(config-wlan)# no security ft over-the-ds
Purpose: Disables fast transition over the DS (distribution system) on the WLAN.

Step 5  no security ft
Example:
Device(config-wlan)# no security ft
Purpose: Disables 802.11r fast transition on the WLAN.

Step 6  security wpa wpa2 ciphers aes
Example:
Device(config-wlan)# security wpa wpa2 ciphers aes
Purpose: Configures the WPA2 AES cipher.
Note If the cipher was reset with the no security wpa wpa2 ciphers aes command, configure it again with this step.

Step 7  security wpa psk set-key ascii value preshared-key
Example:
Device(config-wlan)# security wpa psk set-key ascii 0 Cisco123
Purpose: Specifies a preshared key.

Step 8  security wpa wpa3
Example:
Device(config-wlan)# security wpa wpa3
Purpose: Enables WPA3 support.
Note If both WPA2 and WPA3 are supported (SAE and PSK together), configuring PMF is optional, but PMF cannot be disabled. For WPA3 alone, PMF is mandatory.

Step 9  security wpa akm sae
Example:
Device(config-wlan)# security wpa akm sae
Purpose: Enables the SAE AKM.

Step 10 security wpa akm psk
Example:
Device(config-wlan)# security wpa akm psk
Purpose: Enables the PSK AKM.

Step 11 no shutdown
Example:
Device(config-wlan)# no shutdown
Purpose: Enables the WLAN.

Step 12 end
Example:
Device(config-wlan)# end
Purpose: Returns to the privileged EXEC mode.


Configuring WPA3 Enterprise (GUI)
Procedure

Step 1  Choose Configuration > Tags & Profiles > WLANs.
Step 2  Click Add.
Step 3  In the General tab, enter the Profile Name, the SSID, and the WLAN ID.
Step 4  Choose the Security > Layer2 tab.
Step 5  Choose WPA2+WPA3 from the Layer 2 Security Mode drop-down list. Uncheck the WPA2 Policy and 802.1x check boxes. Check the WPA3 Policy and 802.1x-SHA256 check boxes.
Step 6  Choose the Security > AAA tab, and choose the Authentication List from the Authentication List drop-down list.
Step 7  Click Apply to Device.


Configuring WPA3 Enterprise
Follow the procedure given below to configure WPA3 enterprise.

Procedure

Step 1  configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2  wlan wlan-name wlan-id SSID-name
Example:
Device(config)# wlan wl-dot1x 4 wl-dot1x
Purpose: Enters the WLAN configuration sub-mode.

Step 3  no security wpa akm dot1x
Example:
Device(config-wlan)# no security wpa akm dot1x
Purpose: Disables the 802.1X AKM.

Step 4  no security wpa wpa2
Example:
Device(config-wlan)# no security wpa wpa2
Purpose: Disables WPA2 security.

Step 5  security wpa akm dot1x-sha256
Example:
Device(config-wlan)# security wpa akm dot1x-sha256
Purpose: Configures 802.1X (SHA-256) support.

Step 6  security wpa wpa3
Example:
Device(config-wlan)# security wpa wpa3
Purpose: Enables WPA3 support.

Step 7  security dot1x authentication-list list-name
Example:
Device(config-wlan)# security dot1x authentication-list ipv6_ircm_aaa_list
Purpose: Configures the authentication list for 802.1X security.

Step 8  no shutdown
Example:
Device(config-wlan)# no shutdown
Purpose: Enables the WLAN.

Step 9  end
Example:
Device(config-wlan)# end
Purpose: Returns to the privileged EXEC mode.

Note A WLAN configured with WPA3 enterprise (SUITEB192-1X) is not supported on C9115/C9120 APs.


Configuring the WPA3 OWE
Follow the procedure given below to configure WPA3 OWE.

Before you begin
Configure PMF internally. The associated ciphers configuration can use the WPA2 ciphers.

Procedure

Step 1  configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2  wlan wlan-name wlan-id SSID-name
Example:
Device(config)# wlan WPA3 1 WPA3
Purpose: Enters the WLAN configuration sub-mode.

Step 3  no security ft over-the-ds
Example:
Device(config-wlan)# no security ft over-the-ds
Purpose: Disables fast transition over the DS (distribution system) on the WLAN.

Step 4  no security ft
Example:
Device(config-wlan)# no security ft
Purpose: Disables 802.11r fast transition on the WLAN.

Step 5  no security wpa akm dot1x
Example:
Device(config-wlan)# no security wpa akm dot1x
Purpose: Disables the 802.1X AKM.

Step 6  no security wpa wpa2
Example:
Device(config-wlan)# no security wpa wpa2
Purpose: Disables WPA2 security. PMF is disabled at this point.

Step 7  security wpa wpa2 ciphers aes
Example:
Device(config-wlan)# security wpa wpa2 ciphers aes
Purpose: Enables the AES cipher.
Note The ciphers for WPA2 and WPA3 are common.

Step 8  security wpa wpa3
Example:
Device(config-wlan)# security wpa wpa3
Purpose: Enables WPA3 support.

Step 9  security wpa akm owe
Example:
Device(config-wlan)# security wpa akm owe
Purpose: Enables WPA3 OWE support.

Step 10 no shutdown
Example:
Device(config-wlan)# no shutdown
Purpose: Enables the WLAN.

Step 11 end
Example:
Device(config-wlan)# end
Purpose: Returns to the privileged EXEC mode.

Configuring WPA3 OWE Transition Mode (GUI)
Procedure

Step 1  Choose Configuration > Tags & Profiles > WLANs.
Step 2  Click Add.
Step 3  In the General tab, enter the Profile Name, the SSID, and the WLAN ID.
Step 4  Choose the Security > Layer2 tab.
Step 5  Choose WPA2+WPA3 from the Layer 2 Security Mode drop-down list. Uncheck the WPA2 Policy, 802.1x, Over the DS, FT + 802.1x, and FT + PSK check boxes. Check the WPA3 Policy, AES, and OWE check boxes.
Step 6  Enter the Transition Mode WLAN ID.
Step 7  Click Apply to Device.

Configuring WPA3 OWE Transition Mode
Follow the procedure given below to configure the WPA3 OWE transition mode.

Note Policy validation is not done between open WLAN and OWE WLAN. The operator is expected to configure them appropriately.

Procedure

Step 1  configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2  wlan wlan-name wlan-id SS

ID-name
Example:
Device(config)# wlan WPA3 1 WPA3
Purpose: Enters the WLAN configuration sub-mode.

Step 3  no security wpa akm dot1x
Example:
Device(config-wlan)# no security wpa akm dot1x
Purpose: Disables the 802.1X AKM.

Step 4  no security ft over-the-ds
Example:
Device(config-wlan)# no security ft over-the-ds
Purpose: Disables fast transition over the DS (distribution system) on the WLAN.

Step 5  no security ft
Example:
Device(config-wlan)# no security ft
Purpose: Disables 802.11r fast transition on the WLAN.

Step 6  no security wpa wpa2
Example:
Device(config-wlan)# no security wpa wpa2
Purpose: Disables WPA2 security. PMF is disabled at this point.

Step 7  security wpa wpa2 ciphers aes
Example:
Device(config-wlan)# security wpa wpa2 ciphers aes
Purpose: Enables the AES cipher.

Step 8  security wpa wpa3
Example:
Device(config-wlan)# security wpa wpa3
Purpose: Enables WPA3 support.

Step 9  security wpa akm owe
Example:
Device(config-wlan)# security wpa akm owe
Purpose: Enables WPA3 OWE support.

Step 10 security wpa transition-mode-wlan-id wlan-id
Example:
Device(config-wlan)# security wpa transition-mode-wlan-id 1
Purpose: Configures the open or OWE transition mode WLAN ID.
Note Validation is not performed on the transition mode WLAN. The operator is expected to configure it correctly: the OWE WLAN carries the open WLAN identifier, and the open WLAN carries the OWE WLAN identifier.
Configure the OWE WLAN ID as the transition mode WLAN in the open WLAN. Similarly, configure the open WLAN ID as the transition mode WLAN in the OWE WLAN configuration.

Step 11 no shutdown
Example:
Device(config-wlan)# no shutdown
Purpose: Enables the WLAN.

Step 12 end
Example:
Device(config-wlan)# end
Purpose: Returns to the privileged EXEC mode.

Configuring WPA3 SAE (GUI)
Procedure

Step 1  Choose Configuration > Tags & Profiles > WLANs.
Step 2  Click Add.
Step 3  In the General tab, enter the Profile Name, the SSID, and the WLAN ID.
Step 4  Choose the Security > Layer2 tab.
Step 5  Choose WPA2+WPA3 from the Layer 2 Security Mode drop-down list. Uncheck the WPA Policy, 802.1x, Over the DS, FT + 802.1x, and FT + PSK check boxes. Check the WPA3 Policy, AES, and PSK check boxes. Enter the Pre-Shared Key, choose the PSK Format from the PSK Format drop-down list, and choose the PSK Type from the PSK Type drop-down list.
Step 6  Click Apply to Device.

Configuring WPA3 SAE
Follow the procedure given below to configure WPA3 SAE.

Before you begin
Configure PMF internally. The associated ciphers configuration can use the WPA2 ciphers.

Procedure

Step 1  configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2  wlan wlan-name wlan-id SSID-name
Example:
Device(config)# wlan WPA3 1 WPA3
Purpose: Enters the WLAN configuration sub-mode.

Step 3  no security wpa akm dot1x
Example:
Device(config-wlan)# no security wpa akm dot1x
Purpose: Disables the 802.1X AKM.

Step 4  no security ft over-the-ds
Example:
Device(config-wlan)# no security ft over-the-ds
Purpose: Disables fast transition over the DS (distribution system) on the WLAN.

Step 5  no security ft
Example:
Device(config-wlan)# no security ft
Purpose: Disables 802.11r fast transition on the WLAN.

Step 6  no security wpa wpa2
Example:
Device(config-wlan)# no security wpa wpa2
Purpose: Disables WPA2 security. PMF is disabled at this point.

Step 7  security wpa wpa2 ciphers aes
Example:
Device(config-wlan)# security wpa wpa2 ciphers aes
Purpose: Configures the WPA2 AES cipher.
Note If the cipher was reset with the no security wpa wpa2 ciphers aes command, configure it again with this step.

Step 8  security wpa psk set-key ascii value preshared-key
Example:
Device(config-wlan)# security wpa psk set-key ascii 0 Cisco123
Purpose: Specifies a preshared key.

Step 9  security wpa wpa3
Example:
Device(config-wlan)# security wpa wpa3
Purpose: Enables WPA3 support.
Note If both WPA2 and WPA3 are supported (SAE and PSK together), configuring PMF is optional, but PMF cannot be disabled. For WPA3 alone, PMF is mandatory.

Step 10 security wpa akm sae
Example:
Device(config-wlan)# security wpa akm sae
Purpose: Enables the SAE AKM.

Step 11 no shutdown
Example:
Device(config-wlan)# no shutdown
Purpose: Enables the WLAN.

Step 12 end
Example:
Device(config-wlan)# end
Purpose: Returns to the privileged EXEC mode.
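The SAE and OWE procedures above share a set of rules (WPA3 enabled, 802.11r and 802.1X disabled, the AES cipher present, WPA2 disabled unless the PSK AKM is kept for mixed mode), and the OWE transition-mode procedure notes that the controller does not validate the pairing between the open and OWE WLANs. The following Python linter, an added example and not Cisco software, checks WLAN blocks written in the command syntax of these procedures against those rules, including that each transition-mode WLAN points back at its partner and that the pair is one OWE WLAN and one open WLAN. It assumes a leading no negates a command, treats a command a block does not mention as unknown rather than defaulted, and uses no security wpa as the marker of an open WLAN; the sample configuration is constructed.

```python
"""Lint WLAN blocks against the WPA3 rules in the SAE and OWE procedures above.

Added example, not Cisco software. Assumptions: a leading 'no ' negates a
command, a command a block does not mention is 'unknown' (not defaulted), and
'no security wpa' marks an open WLAN. SAMPLE_CONFIG is constructed.
"""
import re

WLAN_HEADER = re.compile(r"^wlan\s+(\S+)\s+(\d+)\s+(\S+)$")
TRANSITION = re.compile(r"^security wpa transition-mode-wlan-id (\d+)$")

# Constructed: an OWE/open transition pair, a correct SAE+PSK mixed-mode WLAN,
# and an SAE WLAN that left 802.11r, 802.1X and WPA2 untouched.
SAMPLE_CONFIG = """\
wlan OWE 2 OWE
 no security ft over-the-ds
 no security ft
 no security wpa akm dot1x
 no security wpa wpa2
 security wpa wpa2 ciphers aes
 security wpa wpa3
 security wpa akm owe
 security wpa transition-mode-wlan-id 3
 no shutdown
wlan OPEN 3 OPEN
 no security wpa
 security wpa transition-mode-wlan-id 2
 no shutdown
wlan MIXED 4 MIXED
 no security wpa akm dot1x
 no security ft over-the-ds
 no security ft
 security wpa wpa2 ciphers aes
 security wpa psk set-key ascii 0 Cisco123
 security wpa wpa3
 security wpa akm sae
 security wpa akm psk
 no shutdown
wlan BROKEN 5 BROKEN
 security wpa wpa3
 security wpa akm sae
 security wpa psk set-key ascii 0 Cisco123
 no shutdown
"""

def parse_wlans(text):
    """Return {wlan_id: {"name": str, "on": set(cmd), "off": set(cmd)}}."""
    wlans, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = WLAN_HEADER.match(line)
        if m:
            cur = {"name": m.group(1), "on": set(), "off": set()}
            wlans[int(m.group(2))] = cur
        elif line and cur is not None:
            if line.startswith("no "):
                cur["off"].add(line[3:])
            else:
                cur["on"].add(line)
    return wlans

def state(w, cmd):
    """True/False when the block states the command, None when it is silent."""
    return True if cmd in w["on"] else (False if cmd in w["off"] else None)

def transition_target(w):
    for cmd in w["on"]:
        m = TRANSITION.match(cmd)
        if m:
            return int(m.group(1))
    return None

def lint(wlans):
    findings = []
    for wid, w in wlans.items():
        n, owe = w["name"], state(w, "security wpa akm owe") is True
        if owe or state(w, "security wpa akm sae") is True:
            if state(w, "security wpa wpa3") is not True:
                findings.append(f"{n}: SAE/OWE requires 'security wpa wpa3'")
            if state(w, "security ft") is not False:   # adaptive 802.11r is on by default
                findings.append(f"{n}: add 'no security ft'")
            if state(w, "security wpa akm dot1x") is not False:
                findings.append(f"{n}: add 'no security wpa akm dot1x'")
            if state(w, "security wpa wpa2 ciphers aes") is not True:
                findings.append(f"{n}: AES cipher (shared by WPA2 and WPA3) not configured")
            if not state(w, "security wpa akm psk") and state(w, "security wpa wpa2") is not False:
                findings.append(f"{n}: WPA3-only WLAN needs 'no security wpa wpa2'")
        target = transition_target(w)
        if target is None:
            continue
        peer = wlans.get(target)
        if peer is None:
            findings.append(f"{n}: transition-mode WLAN {target} does not exist")
        elif transition_target(peer) != wid:
            findings.append(f"{n}: WLAN {target} does not point back to WLAN {wid}")
        else:
            this_open = state(w, "security wpa") is False
            peer_open = state(peer, "security wpa") is False
            peer_owe = state(peer, "security wpa akm owe") is True
            if not ((owe and peer_open) or (this_open and peer_owe)):
                findings.append(f"{n}: transition pair must be one OWE WLAN and one open WLAN")
    return findings
```

Run it over the WLAN section of a saved configuration before pushing it; on the sample, only the BROKEN WLAN produces findings, and removing either side of the transition-mode pairing is reported on the WLAN whose partner no longer points back.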

Configuring Anti-Clogging and SAE Retransmission (GUI)
Procedure

Step 1  Choose Configuration > Tags & Profiles > WLANs.
Step 2  Click Add.
Step 3  In the General tab, enter the Profile Name, the SSID, and the WLAN ID.
Step 4  Enable or disable the Status and Broadcast SSID toggle buttons.
Step 5  From the Radio Policy drop-down list, choose a policy.
Step 6  Choose the Security > Layer2 tab. Check the SAE check box.
Step 7  Enter the Anti Clogging Threshold, Max Retries, and Retransmit Timeout.
Step 8  Click Apply to Device.

Configuring Anti-Clogging and SAE Retransmission
Follow the procedure given below to configure anti-clogging and SAE retransmission.

Note If the number of simultaneous ongoing SAE sessions exceeds the configured anti-clogging threshold, the anti-clogging mechanism is triggered.

Before you begin
Ensure that the SAE WLAN configuration is in place; the steps given below are incremental and build on that SAE WLAN configuration.

Procedure

Step 1
configure terminal
Example:
Device# configure terminal
Enters global configuration mode.

Step 2
wlan wlan-name wlan-id SSID-name
Example:
Device(config)# wlan WPA3 1 WPA3
Enters the WLAN configuration sub-mode.

Step 3
shutdown
Example:
Device(config-wlan)# shutdown
Disables the WLAN.

Step 4
security wpa akm sae
Example:
Device(config-wlan)# security wpa akm sae
Enables simultaneous authentication of equals (SAE) as a security protocol.

Step 5
security wpa akm sae anti-clogging-threshold threshold
Example:
Device(config-wlan)# security wpa akm sae anti-clogging-threshold 2000
Configures the threshold on the number of open sessions that triggers the anti-clogging procedure for new sessions.

Step 6
security wpa akm sae max-retries retry-limit
Example:
Device(config-wlan)# security wpa akm sae max-retries 10
Configures the maximum number of retransmissions.


Step 7
security wpa akm sae retransmit-timeout retransmit-timeout-limit
Example:
Device(config-wlan)# security wpa akm sae retransmit-timeout 500
Configures the SAE message retransmission timeout value.

Step 8
no shutdown
Example:
Device(config-wlan)# no shutdown
Enables the WLAN.

Step 9
end
Example:
Device(config-wlan)# end
Returns to the privileged EXEC mode.
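The three values set in this procedure (anti-clogging threshold, max retries, retransmit timeout) and the note above about the threshold triggering the anti-clogging mechanism are easier to reason about with a small model of the authenticator side of the SAE exchange. The following Python is an added illustration written for this guide; it is not controller code, and it assumes the retransmit timeout is expressed in milliseconds and that the anti-clogging token is a keyed hash of the peer address (the real token format is not described on this page).

```python
"""Model of what anti-clogging-threshold, max-retries and retransmit-timeout
do inside the SAE exchange (added illustration, not controller code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class SaeAuthenticator:
    # Mirrors the CLI knobs; timeout assumed to be milliseconds in this model.
    anti_clogging_threshold: int
    max_retries: int
    retransmit_timeout_ms: int
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(32), repr=False)
    sessions: Dict[str, dict] = field(default_factory=dict)

    def open_sessions(self) -> int:
        """Sessions that sent a Commit but have not completed Confirm."""
        return sum(1 for s in self.sessions.values() if s["state"] == "commit")

    def token_for(self, mac: str) -> bytes:
        # Assumed token construction: keyed hash of the peer address. It costs
        # no per-peer state, and only a peer that really receives frames at
        # that address can echo it back.
        return hmac.new(self.secret, mac.encode(), hashlib.sha256).digest()[:16]

    def on_commit(self, mac: str, token: Optional[bytes] = None) -> Tuple[str, Optional[bytes]]:
        """Handle an SAE Commit from `mac`.

        Returns ("accept", None) when a session is created, or
        ("token-required", token) when the open-session count has reached the
        threshold and the sender must resend its Commit carrying the token.
        """
        if self.open_sessions() >= self.anti_clogging_threshold:
            expected = self.token_for(mac)
            if token is None or not hmac.compare_digest(token, expected):
                # Nothing is allocated for the peer here: a flood of spoofed
                # Commits therefore cannot fill the session table.
                return ("token-required", expected)
        self.sessions[mac] = {"state": "commit", "retries": 0, "elapsed_ms": 0}
        return ("accept", None)

    def on_confirm(self, mac: str) -> bool:
        """Confirm completes the handshake and frees the open-session slot."""
        s = self.sessions.get(mac)
        if s is None or s["state"] != "commit":
            return False
        s["state"] = "done"
        return True

    def tick(self, elapsed_ms: int) -> List[str]:
        """Advance timers. Every expiry of retransmit-timeout re-sends the
        Commit; after more than max-retries expiries without a Confirm the
        session is torn down. Returns the MACs torn down in this tick."""
        torn_down: List[str] = []
        for mac, s in list(self.sessions.items()):
            if s["state"] != "commit":
                continue
            s["elapsed_ms"] += elapsed_ms
            while s["elapsed_ms"] >= self.retransmit_timeout_ms:
                s["elapsed_ms"] -= self.retransmit_timeout_ms
                s["retries"] += 1
                if s["retries"] > self.max_retries:
                    del self.sessions[mac]
                    torn_down.append(mac)
                    break
        return torn_down


if __name__ == "__main__":
    # Constructed scenario with a tiny threshold so the token path is visible.
    auth = SaeAuthenticator(anti_clogging_threshold=2, max_retries=3, retransmit_timeout_ms=500)
    for mac in ("00:11:22:33:44:01", "00:11:22:33:44:02"):
        print(mac, auth.on_commit(mac)[0])
    status, token = auth.on_commit("00:11:22:33:44:03")
    print("third commit:", status)
    print("retry with token:", auth.on_commit("00:11:22:33:44:03", token)[0])
    print("torn down after 2500 ms:", auth.tick(2500))
```

The threshold is compared against open sessions, so a busy but healthy cell that completes Confirms quickly stays below it, while a burst of Commits that never progress to Confirm is exactly what pushes the count over and switches the token requirement on; the retransmit timeout and retry limit bound how long each of those stalled sessions occupies a slot.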

Verifying WPA3 SAE and OWE

To view system-level statistics for successful SAE authentications, SAE authentication failures, ongoing SAE sessions, and SAE commit and confirm message exchanges, use the following show command:
Device# show wireless stats client detail

Total Number of Clients : 0

client global statistics:
-----------------------------------------------------------------------------
Total association requests received : 0
Total association attempts : 0
Total FT/LocalAuth requests : 0
Total association failures : 0
Total association response accepts : 0
Total association response rejects : 0
Total association response errors : 0
Total association failures due to blacklist : 0
Total association drops due to multicast mac : 0
Total association drops due to throttling : 0
Total association drops due to unknown bssid : 0
Total association drops due to parse failure : 0
Total association drops due to other reasons : 0
Total association requests wired clients : 0
Total association drops wired clients : 0
Total association success wired clients : 0
Total peer association requests wired clients : 0
Total peer association drops wired clients : 0
Total peer association success wired clients : 0
Total 11r ft authentication requests received : 0
Total 11r ft authentication response success : 0
Total 11r ft authentication response failure : 0
Total 11r ft action requests received : 0
Total 11r ft action response success : 0
Total 11r ft action response failure : 0
Total AID allocation failures : 0
Total AID free failures : 0
Total roam attempts : 0
Total CCKM roam attempts : 0
Total 11r roam attempts : 0
Total 11i fast roam attempts : 0
Total 11i slow roam attempts : 0
Total other roam type attempts : 0
Total roam failures in dot11 : 0
Total WPA3 SAE attempts : 0
Total WPA3 SAE successful authentications : 0
Total WPA3 SAE authentication failures : 0
Total incomplete protocol failures : 0
Total WPA3 SAE commit messages received : 0
Total WPA3 SAE commit messages rejected : 0
Total unsupported group rejections : 0
Total WPA3 SAE commit messages sent : 0
Total WPA3 SAE confirm messages received : 0
Total WPA3 SAE confirm messages rejected : 0
Total WPA3 SAE confirm messgae field mismatch : 0
Total WPA3 SAE confirm message invalid length : 0
Total WPA3 SAE confirm messages sent : 0
Total WPA3 SAE Open Sessions : 0
Total SAE Message drops due to throttling : 0
Total Flexconnect local-auth roam attempts : 0
Total AP 11i fast roam attempts : 0
Total 11i slow roam attempts : 0
Total client state starts : 0
Total client state associated : 0
Total client state l2auth success : 0
Total client state l2auth failures : 0
Total blacklisted clients on dot1xauth failure : 0
Total client state mab attempts : 0
Total client state mab failed : 0
Total client state ip learn attempts : 0
Total client state ip learn failed : 0
Total client state l3 auth attempts : 0
Total client state l3 auth failed : 0
Total client state session push attempts : 0
Total client state session push failed : 0
Total client state run : 0
Total client deleted : 0
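The counters above are what an operator would poll to tell a client interoperability problem from an SAE flood. The Python below is an added example, not part of this guide or of the controller: it parses output in the "Total ... : N" layout shown above into a dictionary and derives a few findings from the SAE counters. The sample text is constructed (the values are made up and only the counters the example uses are included), and the 20 percent failure cutoff and the 80 percent "near threshold" warning are this example's own choices.

```python
"""Parse `show wireless stats client detail` output and derive SAE health
findings (added example; the sample text is constructed)."""
import re
from typing import Dict, List, Tuple

# Constructed excerpt in the layout of the command output. Values are made up.
SAMPLE_STATS = """\
Total Number of Clients : 42

client global statistics:
-----------------------------------------------------------------------------
Total association requests received             : 1200
Total WPA3 SAE attempts                          : 300
Total WPA3 SAE successful authentications        : 240
Total WPA3 SAE authentication failures           : 60
Total WPA3 SAE commit messages received          : 310
Total WPA3 SAE commit messages rejected          : 25
Total unsupported group rejections               : 5
Total WPA3 SAE confirm messages received         : 250
Total WPA3 SAE confirm messages rejected         : 10
Total WPA3 SAE Open Sessions                     : 1800
Total SAE Message drops due to throttling        : 7
"""

COUNTER_RE = re.compile(r"^\s*(Total [^:]+?)\s*:\s*(\d+)\s*$")


def parse_counters(text: str) -> Dict[str, int]:
    """Map each 'Total ... : N' line to an int; other lines are ignored."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters


# Counters whose non-zero value is worth surfacing: rejected SAE frames and
# throttled drops point at either a misbehaving client or an SAE flood.
REJECT_COUNTERS = {
    "Total WPA3 SAE commit messages rejected": "commit-rejected",
    "Total WPA3 SAE confirm messages rejected": "confirm-rejected",
    "Total unsupported group rejections": "unsupported-group",
    "Total SAE Message drops due to throttling": "throttled",
}


def sae_findings(counters: Dict[str, int], anti_clogging_threshold: int,
                 fail_pct_limit: int = 20) -> List[Tuple[str, int]]:
    """Return (finding, value) pairs. `anti_clogging_threshold` is the value
    configured on the WLAN; `fail_pct_limit` is this example's own cutoff."""
    findings: List[Tuple[str, int]] = []
    attempts = counters.get("Total WPA3 SAE attempts", 0)
    failures = counters.get("Total WPA3 SAE authentication failures", 0)
    # Integer arithmetic avoids float surprises exactly at the limit.
    if attempts and failures * 100 > attempts * fail_pct_limit:
        findings.append(("sae-failure-ratio-high", failures))
    open_sessions = counters.get("Total WPA3 SAE Open Sessions", 0)
    if open_sessions >= anti_clogging_threshold:
        findings.append(("anti-clogging-active", open_sessions))
    elif open_sessions * 10 >= anti_clogging_threshold * 8:
        findings.append(("open-sessions-near-threshold", open_sessions))
    for counter, label in REJECT_COUNTERS.items():
        if counters.get(counter, 0) > 0:
            findings.append((label, counters[counter]))
    return findings


if __name__ == "__main__":
    stats = parse_counters(SAMPLE_STATS)
    for finding in sae_findings(stats, anti_clogging_threshold=2000):
        print(*finding)
```

Polling this output periodically and diffing the counters is more useful than a single snapshot: the counters are cumulative, so a rate (rejections per interval) separates a one-off from sustained pressure.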

To view the WLAN summary details, use the following command.
Device# show wlan summary

Number of WLANs: 3

ID   Profile Name              SSID                      Status  Security
----------------------------------------------------------------------------------------
1    wlan-demo                 ssid-demo                 DOWN    [WPA3][SAE][AES]
3    CR1_SSID_mab-ext-radius   CR1_SSID_mab-ext-radius   DOWN    [WPA2][802.1x][AES]
109  guest-wlan1               docssid                   DOWN    [WPA2][802.1x][AES],[Web Auth]


To view the WLAN properties (WPA2 and WPA3 mode) based on the WLAN ID, use the following command.
Device# show wlan id 1

WLAN Profile Name : wlan-demo
================================================
Identifier : 1
!
!
!
Security
802.11 Authentication : Open System
Static WEP Keys : Disabled
Wi-Fi Protected Access (WPA/WPA2/WPA3) : Enabled
WPA (SSN IE) : Disabled
WPA2 (RSN IE) : Disabled
WPA3 (WPA3 IE) : Enabled
AES Cipher : Enabled
CCMP256 Cipher : Disabled
GCMP128 Cipher : Disabled
GCMP256 Cipher : Disabled
Auth Key Management
802.1x : Disabled
PSK : Disabled
CCKM : Disabled
FT dot1x : Disabled
FT PSK : Disabled
Dot1x-SHA256 : Disabled
PSK-SHA256 : Disabled
SAE : Enabled
OWE : Disabled
SUITEB-1X : Disabled
SUITEB192-1X : Disabled
CCKM TSF Tolerance : 1000
OSEN : Disabled
FT Support : Adaptive
FT Reassociation Timeout : 20
FT Over-The-DS mode : Enabled
PMF Support : Required
PMF Association Comeback Timeout : 1
PMF SA Query Time : 200
Web Based Authentication : Disabled
Conditional Web Redirect : Disabled
Splash-Page Web Redirect : Disabled
Webauth On-mac-filter Failure : Disabled
Webauth Authentication List Name : Disabled
Webauth Authorization List Name : Disabled
Webauth Parameter Map : Disabled
!
!
!

To view the correct AKM for the client that has undergone SAE authentication, use the following command.
Device# show wireless client mac-address <e0ca.94c9.6be0> detail
Client MAC Address : e0ca.94c9.6be0
!
!
!
Wireless LAN Name: WPA3
!
!
!
Policy Type : WPA3
Encryption Cipher : CCMP (AES)
Authentication Key Management : SAE
!
!
!

To view the correct AKM for the client that has undergone OWE authentication, use the following command.
Device# show wireless client mac-address <e0ca.94c9.6be0> detail
Client MAC Address : e0ca.94c9.6be0
!
!
!
Wireless LAN Name: WPA3
!
!
!
Policy Type : WPA3
Encryption Cipher : CCMP (AES)
Authentication Key Management : OWE
!
!
!
To view the list of PMK caches stored locally, use the following command.
Device# show wireless pmk-cache

Number of PMK caches in total : 0

Type   Station   Entry Lifetime   VLAN Override   IP Override   Audit-Session-Id   Username
--------------------------------------------------------------------------------------------------------------------------------------


CHAPTER 122
Transport Layer Security Tunnel Support
· Information About Transport Layer Security Tunnel Support, on page 1161
· Configuring a Transport Layer Security Tunnel, on page 1162

Information About Transport Layer Security Tunnel Support
The Cisco Catalyst 9800 Series Wireless Controller requires direct access to a public cloud to implement the teleworker solution using Cisco OfficeExtend Access Points (OEAPs). With the introduction of Transport Layer Security (TLS) tunnel support from Cisco IOS XE Amsterdam 17.3.2 onwards, the controller can now reach a public cloud automatically. This helps Digital Network Architecture (DNA) Center on Cloud to establish TLS communication channels with the controller to monitor and manage wireless solutions. The TLS connection ensures that the configuration and telemetry are reliably and securely communicated between the controller and the Digital Network Architecture (DNA) on Cloud. The TLS tunnel encrypts all the data that is sent over the TCP connection and provides a more secure protocol across the internet. After the controller discovery, Cisco DNA Center on Cloud uses Cisco DNA Assurance and Automation features to manage the controller centrally.

Cisco Plug and Play
The Cisco Plug and Play solution is a converged solution that provides a highly secure, scalable, seamless, and unified zero-touch deployment experience.

Plug-n-Play Agent
The Cisco Plug and Play (PnP) agent is an embedded software component that is present in all the Cisco network devices that support simplified deployment architecture. The PnP agent understands and interacts only with a PnP server. The PnP agent, using DHCP, DNS, or other such methods, tries to acquire the IP address of the PnP server with which it wants to communicate. After a server is found and a connection is established, the agent communicates with the PnP server to perform deployment-related activities. For more information on Cisco Plug and Play, see the Cisco Plug and Play Feature Guide.

The Transport Layer Security (TLS) Tunnel over PnP feature is supported on the following controllers:
· Cisco Catalyst 9800-80 Wireless Controller
· Cisco Catalyst 9800-40 Wireless Controller
· Cisco Catalyst 9800-L Wireless Controller

Configuring a Transport Layer Security Tunnel

Procedure

Step 1
configure terminal
Example:
Device# configure terminal
Enters global configuration mode.

Step 2
crypto tls-tunnel TLS-tunnel-name
Example:
Device(config)# crypto tls-tunnel cloud-primary
Configures a crypto TLS tunnel channel.

Step 3
server {ipv4 <A.B.C.D> | ipv6 <X.X.X.X::X> | url <url-name>} port {443 | <1025-65535>}
Example:
Device(config-crypto-tls-tunnel)# server ipv4 172.31.255.255 port 4043
Specifies the server IPv4 address, IPv6 address, or URL name and the port number.

Step 4
overlay interface interface-name interface-num
Example:
Device(config-crypto-tls-tunnel)# overlay interface Loopback0
Specifies the overlay interface and interface number.
An overlay interface is a logical, multiaccess, multicast-capable interface. An overlay interface encapsulates Layer 2 frames in IP unicast or multicast headers.

Step 5
local interface interface-name interface-num priority rank
Example:
Device(config-crypto-tls-tunnel)# local-interface vlan 1 priority 1
Specifies the LAN interface type, number, and the priority rank.
Note Currently, the tunnel supports only one WAN interface with priority 1 and does not support a list of WAN interfaces with multiple priorities.

Step 6
psk id identity key options
Example:
Device(config-crypto-tls-tunnel)# psk id test key
Specifies a preshared key and password options.

Step 7
pki trustpoint trustpoint trustpoint-label [sign | verify]
Example:
Device(config-crypto-tls-tunnel)# pki trustpoint tsp1 sign
Specifies the trustpoints for use with the RSA signature authentication method as follows:
· sign: Use the certificate from the trustpoint which is sent to the peer.
· verify: Use the certificate from the trustpoint to verify the certificate received from the peer.
Note
· If the sign or verify keyword is not specified, the trustpoint is used for signing and verification.
· In the TLS tunnel block, authentication can be done using either a pre-shared key (PSK) or PKI (certificate based).

Step 8
(Optional) cc-mode
Example:
Device(config-crypto-tls-tunnel)# cc-mode
Indicates common criteria mode, which is a Federal Information Processing Standards (FIPS) mode.

Step 9
no shutdown
Example:
Device(config-crypto-tls-tunnel)# no shutdown
Enables the TLS tunnel.

Step 10
end
Example:
Device(config-crypto-tls-tunnel)# end
Returns to privileged EXEC mode.
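The procedure above states several constraints that are easy to violate when the tunnel block is templated: the port must be 443 or in 1025-65535, only one local interface with priority 1 is supported, and authentication is either PSK or PKI but not both. The following Python is an added example, not Cisco code, that checks a `crypto tls-tunnel` block against those rules. The two blocks are constructed (the PSK value is a placeholder), and because the page shows both "local interface" and "local-interface", the checker accepts either spelling.

```python
"""Check a `crypto tls-tunnel` block against the constraints stated in this
procedure (added example, not Cisco code). Blocks are constructed."""
import ipaddress
from typing import List

GOOD_TUNNEL = """\
crypto tls-tunnel cloud-primary
 server ipv4 172.31.255.255 port 4043
 overlay interface Loopback0
 local-interface vlan 1 priority 1
 psk id cloud-primary key PLACEHOLDER-PSK
 no shutdown
"""

# Several mistakes at once: port below 1025, two local interfaces, PSK with
# no key value plus a PKI trustpoint, and the tunnel left shut down.
BAD_TUNNEL = """\
crypto tls-tunnel cloud-backup
 server ipv4 172.31.255.254 port 80
 overlay interface Loopback0
 local-interface vlan 1 priority 1
 local-interface vlan 2 priority 2
 psk id cloud-backup key
 pki trustpoint tsp1 sign
"""


def check_tls_tunnel(block: str) -> List[str]:
    """Return the problems found in one tunnel block (empty means clean)."""
    problems: List[str] = []
    has_server = has_overlay = psk = pki = admin_up = False
    priorities: List[int] = []
    for raw in block.splitlines():
        words = raw.split()
        if not words or words[0] in ("!", "crypto"):
            continue
        kw = words[0]
        if kw == "server":
            has_server = True
            # server {ipv4 A.B.C.D | ipv6 X::X | url name} port N
            try:
                port = int(words[words.index("port") + 1])
            except (ValueError, IndexError):
                problems.append("server: port missing")
                continue
            if port != 443 and not 1025 <= port <= 65535:
                problems.append(f"server: port {port} is outside 443 / 1025-65535")
            if words[1] in ("ipv4", "ipv6"):
                try:
                    ipaddress.ip_address(words[2])
                except (ValueError, IndexError):
                    problems.append(f"server: invalid {words[1]} address")
        elif kw == "overlay":
            has_overlay = True
        elif kw in ("local-interface", "local"):      # page shows both spellings
            try:
                priorities.append(int(words[words.index("priority") + 1]))
            except (ValueError, IndexError):
                problems.append(f"{kw}: priority missing")
        elif kw == "psk":
            psk = True
            if len(words) < 5:                         # psk id <id> key <value>
                problems.append("psk: key value missing")
        elif kw == "pki":
            pki = True
        elif words[:2] == ["no", "shutdown"]:
            admin_up = True
    if not has_server:
        problems.append("server not configured")
    if not has_overlay:
        problems.append("overlay interface not configured")
    if priorities != [1]:
        problems.append("exactly one local interface with priority 1 is supported")
    if psk == pki:
        problems.append("authentication must be exactly one of psk or pki trustpoint")
    if not admin_up:
        problems.append("tunnel is shut down (no 'no shutdown')")
    return problems


if __name__ == "__main__":
    print("good:", check_tls_tunnel(GOOD_TUNNEL))
    print("bad:", check_tls_tunnel(BAD_TUNNEL))
```

Run against the running configuration before a change window, a check like this catches the PSK-and-PKI ambiguity and the stale second local interface that the CLI itself may accept without complaint.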


CHAPTER 123
Local Extensible Authentication Protocol
· Information About Local EAP, on page 1165
· Restrictions for Local EAP, on page 1166
· Configuring Local EAP Profile (CLI), on page 1166
· Configuring Local EAP profile (GUI), on page 1167
· Configuring AAA Authentication (GUI), on page 1167
· Configuring AAA Authorization Method (GUI), on page 1167
· Configuring AAA Authorization Method (CLI), on page 1168
· Configuring Local Advanced Methods (GUI), on page 1169
· Configuring WLAN (GUI), on page 1169
· Configuring WLAN (CLI), on page 1170
· Creating a User Account (CLI), on page 1170
· Attaching a Policy Profile to a WLAN Interface (GUI), on page 1171
· Deploy Policy Tag to Access Points (GUI), on page 1172

Information About Local EAP
The Local Extensible Authentication Protocol (EAP) feature refers to the controller acting as both authenticator and authentication server. Local EAP allows 802.1x authentication of WPA Enterprise wireless clients without the use of any RADIUS server. Local EAP refers to the EAP authentication server activity; it is not necessarily tied to user credential validation, which can, for example, be delegated to an external LDAP database.

Feature Scenarios
Local EAP is designed to allow administrators to use Enterprise-grade 802.1x authentication for a limited number of users in situations and branches where an external dedicated RADIUS server may not be available. It can also work as an emergency backup in case the RADIUS server is not available.

Use Cases
You can implement Local EAP either with users local to the controller or with an external LDAP database that stores the user credentials.

Restrictions for Local EAP
· It is not possible to configure AAA attributes, such as per-user ACL or per-user session timeout using local EAP.
· Local EAP only allows the user database to be either local on the controller or on an external LDAP database.
· Local EAP supports TLS 1.2 as of the 17.1 software release and later.
· Local EAP uses the trustpoint of your choice on the controller. You will either need to install a publicly trusted certificate on the controller or import it on the clients for the EAP session to be trusted by the client.
· Local EAP supports EAP-FAST, EAP-TLS, and PEAP as EAP authentication methods.

Note PEAP-mschapv2 does not work when using certain external LDAP databases that only support clear text passwords.

Configuring Local EAP Profile (CLI)

Procedure

Step 1
configure terminal
Example:
Device# configure terminal
Enters global configuration mode.

Step 2
eap profile name
Example:
Device(config)# eap profile mylocapeap
Creates an EAP profile.

Step 3
method peap
Example:
Device(config-eap-profile)# method peap
Configures the PEAP method on the profile.

Step 4
pki-trustpoint name
Example:
Device(config-eap-profile)# pki-trustpoint admincert
Configures the PKI trustpoint on the profile.


Configuring Local EAP profile (GUI)
Procedure

Step 1 Choose Configuration > Security > Local EAP.
Step 2 Click Add.
Step 3 In the Create Local EAP Profiles page, enter a profile name.
Note It is not advised to use the LEAP EAP method due to its weak security. You can use any of the following EAP methods to configure a trustpoint:
· EAP-FAST
· EAP-TLS
· PEAP
Clients do not trust the default controller certificate, so you need to deactivate the server certificate validation on the client side or install a certificate trustpoint on the controller.
Step 4 Click Apply to Device.

Configuring AAA Authentication (GUI)
Procedure

Step 1 Choose Configuration > Security > AAA, and navigate to the AAA Method List > Authentication tabs.
Step 2 Click Add.
Step 3 Choose dot1x as the Type and local as the Group Type.
Step 4 Click Apply to Device.

Configuring AAA Authorization Method (GUI)
Procedure

Step 1 Navigate to the Authorization sub-tab.
Step 2 Create a new method for the credential-download type and point it to local.


Note Perform the same for the network authorization type.


Configuring AAA Authorization Method (CLI)

Procedure

Step 1
configure terminal
Example:
Device# configure terminal
Enters global configuration mode.

Step 2
aaa new-model
Example:
Device(config)# aaa new-model
Creates a AAA authentication model.

Step 3
aaa authentication dot1x default local
Example:
Device(config)# aaa authentication dot1x default local
Configures the default local RADIUS server.

Step 4
aaa authorization credential-download default local
Example:
Device(config)# aaa authorization credential-download default local
Configures the default database from which credentials are downloaded (the local server).

Step 5
aaa local authentication default authorization default
Example:
Device(config)# aaa local authentication default authorization default
Configures the local authentication method list.

Step 6
aaa authorization network default local
Example:
Device(config)# aaa authorization network default local
Configures authorization for network services.


Configuring Local Advanced Methods (GUI)
Procedure

Step 1 In the Configuration > Security > AAA window, perform the following:
a. Navigate to the AAA Advanced tab.
b. From the Local Authentication drop-down list, choose a default local authentication.
c. From the Local Authorization drop-down list, choose a default local authorization.
Step 2 Click Apply.

Configuring WLAN (GUI)
Procedure

Step 1 Choose Configuration > Tags & Profiles > WLANs.
Step 2 In the WLANs window, click the name of the WLAN or click Add to create a new one.
Step 3 In the Add/Edit WLAN window that is displayed, click the General tab to configure the following parameters.
· In the Profile Name field, enter or edit the name of the profile.
· In the SSID field, enter or edit the SSID name. The SSID name can be alphanumeric, and up to 32 characters in length.
· In the WLAN ID field, enter or edit the ID number. The valid range is between 1 and 512.
· From the Radio Policy drop-down list, choose the 802.11 radio band.
· Using the Broadcast SSID toggle button, change the status to either Enabled or Disabled.
· Using the Status toggle button, change the status to either Enabled or Disabled.
Step 4 In the AAA tab, you can configure the following:
a. Choose an authentication list from the drop-down.
b. Check the Local EAP Authentication check box to enable local EAP authentication on the WLAN. Also, choose the required EAP Profile Name from the drop-down list.
Step 5 Click Save & Apply to Device.


Configuring WLAN (CLI)

Procedure

Step 1
configure terminal
Example:
Device# configure terminal
Enters global configuration mode.

Step 2
wlan wlan-name wlan-id SSID-name
Example:
Device(config)# wlan localpeapssid 1 localpeapssid
Enters the WLAN configuration sub-mode.
wlan-name--Is the name of the configured WLAN.
wlan-id--Is the wireless LAN identifier. The range is 1 to 512.
SSID-name--Is the SSID name, which can contain up to 32 alphanumeric characters.
Note If you have already configured this command, enter the wlan wlan-name command.

Step 3
security dot1x authentication-list auth-list-name
Example:
Device(config-wlan)# security dot1x authentication-list default
Enables the security authentication list for dot1x security. The configuration is similar for all dot1x security WLANs.

Step 4
local-auth profile name
Example:
Device(config-wlan)# local-auth mylocaleap
Sets the EAP profile on a WLAN. profile name--Is the EAP profile on the WLAN.

Creating a User Account (CLI)

Procedure

Step 1
configure terminal
Example:
Device# configure terminal
Enters global configuration mode.

Step 2
user-name user-name
Example:
Device(config)# user-name 1xuser
Creates a user account.

Step 3
creation-time time
Example:
Device(config)# creation-time 1572730075
Creation time of the user account.

Step 4
description user-name
Example:
Device(config)# description 1xuser
Adds a user-defined description to the new user account.

Step 5
password 0 password
Example:
Device(config)# password 0 Cisco123
Creates a password for the user account.

Step 6
type network-user description user-name
Example:
Device(config)# type network-user description 1xuser
Specifies the type of user account.
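The CLI procedures in this chapter configure several objects that refer to each other by name: the EAP profile and its trustpoint, the dot1x method list, the credential-download and local-authentication commands, and the WLAN that points at the list and the profile. A typo in any one of them leaves a WLAN that fails authentication with little indication why. The Python below is an added example, not Cisco code, that parses a running-config excerpt and checks those references; the configs are constructed from the page's own example names (mylocaleap, admincert, localpeapssid), the "branch-list" and "legacy" names in the broken sample are invented for illustration, and the treatment of LEAP as weak follows the GUI note earlier in this chapter.

```python
"""Cross-check the Local EAP pieces this chapter configures (added example,
not Cisco code). Sample configs are constructed."""
import re
from typing import Dict, List, Tuple

GOOD_CONFIG = """\
aaa new-model
aaa authentication dot1x default local
aaa authorization credential-download default local
aaa authorization network default local
aaa local authentication default authorization default
!
eap profile mylocaleap
 method peap
 pki-trustpoint admincert
!
wlan localpeapssid 1 localpeapssid
 security dot1x authentication-list default
 local-auth mylocaleap
 no shutdown
"""

# Constructed misconfiguration: the WLAN points at a list that sends dot1x
# to RADIUS and at a profile that does not exist; the only profile uses LEAP
# with no trustpoint; two global commands are missing.
BAD_CONFIG = """\
aaa new-model
aaa authentication dot1x branch-list group radius
aaa authorization network default local
!
eap profile legacy
 method leap
!
wlan localpeapssid 1 localpeapssid
 security dot1x authentication-list branch-list
 local-auth mylocaleap
"""

REQUIRED_GLOBAL = (
    "aaa new-model",
    "aaa authorization credential-download default local",
    "aaa authorization network default local",
    "aaa local authentication default authorization default",
)
WEAK_METHODS = {"leap"}


def parse_blocks(text: str) -> List[Tuple[str, List[str]]]:
    """Split IOS-style config into (top-level line, indented child lines)."""
    blocks: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit_local_eap(text: str) -> List[str]:
    problems: List[str] = []
    blocks = parse_blocks(text)
    top = [head for head, _ in blocks]
    for line in REQUIRED_GLOBAL:
        if line not in top:
            problems.append(f"missing global command: {line}")
    auth_lists: Dict[str, List[str]] = {}          # list name -> methods
    for line in top:
        m = re.match(r"aaa authentication dot1x (\S+) (.+)", line)
        if m:
            auth_lists[m.group(1)] = m.group(2).split()
    profiles = {head.split()[2]: body for head, body in blocks
                if head.startswith("eap profile ")}
    for name, body in profiles.items():
        methods = [line.split()[1] for line in body if line.startswith("method ")]
        if not methods:
            problems.append(f"eap profile {name}: no EAP method")
        for method in methods:
            if method in WEAK_METHODS:
                problems.append(f"eap profile {name}: weak method {method}")
        if not any(line.startswith("pki-trustpoint ") for line in body):
            problems.append(f"eap profile {name}: no pki-trustpoint, clients cannot validate the server")
    for head, body in blocks:
        if not head.startswith("wlan "):
            continue
        wlan = head.split()[1]
        lst = next((l.split()[-1] for l in body if l.startswith("security dot1x authentication-list ")), None)
        prof = next((l.split()[-1] for l in body if l.startswith("local-auth ")), None)
        if lst is None:
            problems.append(f"wlan {wlan}: no dot1x authentication-list")
        elif lst not in auth_lists:
            problems.append(f"wlan {wlan}: authentication-list {lst} is not defined")
        elif "local" not in auth_lists[lst]:
            problems.append(f"wlan {wlan}: list {lst} does not authenticate locally")
        if prof is None:
            problems.append(f"wlan {wlan}: no local-auth profile")
        elif prof not in profiles:
            problems.append(f"wlan {wlan}: local-auth profile {prof} is not defined")
    return problems


if __name__ == "__main__":
    print("good:", audit_local_eap(GOOD_CONFIG))
    for p in audit_local_eap(BAD_CONFIG):
        print("-", p)
```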

Attaching a Policy Profile to a WLAN Interface (GUI)
Procedure

Step 1 Choose Configuration > Tags & Profiles > Tags.
Step 2 On the Manage Tags page, click the Policy tab.
Step 3 Click Add to view the Add Policy Tag window.
Step 4 Enter a name and description for the policy tag.
Step 5 Click Add to map the WLAN and policy.
Step 6 Choose the WLAN profile to map with the appropriate policy profile, and click the tick icon.
Step 7 Click Save & Apply to Device.


Deploy Policy Tag to Access Points (GUI)
Procedure

Step 1 Choose Configuration > Wireless > Access Points.
Step 2 On the All Access Points page, click the access point you want to configure. Make sure that the tags assigned are the ones you configured.
Step 3 Click Apply.


CHAPTER 124
Disabling IP Learning in FlexConnect Mode
· Information About Disabling IP Learning in FlexConnect Mode, on page 1173
· Restrictions for Disabling IP Learning in FlexConnect Mode, on page 1173
· Disabling IP Learning in FlexConnect Mode (CLI), on page 1174
· Verifying MAC Entries from Database, on page 1174
Information About Disabling IP Learning in FlexConnect Mode
In FlexConnect local switching scenarios, where clients from the same sites may share the same address range, there is a possibility of multiple clients being allocated or registered with the same IP address. The controller receives IP address information from the AP, and if more than one client attempts to use the same IP address, the controller discards the last device trying to register an already-used address as an IP theft event, potentially resulting in client exclusion. The Disabling IP Learning in FlexConnect Mode feature uses the no ip mac-binding command to ensure that no device tracking is done for clients, thus preventing the IP theft error.

Note
· This feature is applicable only for IPv4 addresses.
· Configuring ip overlap in the FlexConnect Profile assists overlapping IP address support for clients across different sites in FlexConnect local switching.

Restrictions for Disabling IP Learning in FlexConnect Mode
· The wireless client ip deauthenticate command works by referring directly to the IP table binding entries. It does not work for clients whose IPs are not learned.
· Overlapping IP addresses within a single site tag and across different site tags require different settings. Furthermore, if a single site tag contains overlapping IP addresses, L3 web authentication is necessary. However, L3 web authentication relies on IP addresses, and ensuring the uniqueness of IP addresses cannot be guaranteed, making this combination incorrect.
· When IP Source Guard (IPSG) is enabled and multiple binding information is sent with the same IP and preference level (such as DHCP, ARP, and so on) to CPP, the CPP starts to ignore the later bindings after the first binding creation. Hence, you should not configure IPSG and disable IP MAC binding together. If IPSG and no ip mac-binding are configured together, IPSG does not work.

Disabling IP Learning in FlexConnect Mode (CLI)

Procedure

Step 1
configure terminal
Example:
Device# configure terminal
Enters global configuration mode.

Step 2
wireless profile policy profile-policy-name
Example:
Device(config)# wireless profile policy test-profile-policy
Configures the wireless profile policy.

Step 3
shutdown
Example:
Device(config-wireless-policy)# shutdown
Disables the wireless policy profile.
Note Disabling the policy profile causes the associated APs and clients to rejoin.

Step 4
no ip mac-binding
Example:
Device(config-wireless-policy)# no ip mac-binding
Disables IP learning in FlexConnect mode.

Step 5
no shutdown
Example:
Device(config-wireless-policy)# no shutdown
Enables the wireless policy profile.

Step 6
exit
Example:
Device(config-wireless-policy)# exit
Returns to privileged EXEC mode.

Verifying MAC Entries from Database

To verify the MAC details from the database, use the following command:

Device# show wireless device-tracking database mac

MAC             VLAN   IF-HDL       IP
--------------------------------------------------------------------------------------------------
6c96.cff2.889a  64     0x90000008   9.9.64.175


PART VIII
Mobility
· Mobility, on page 1177
· NAT Support on Mobility Groups, on page 1197
· Static IP Client Mobility, on page 1201
· Mobility Domain ID - Dot11i Roaming, on page 1205
· 802.11r Support for Flex Local Authentication, on page 1207
· Opportunistic Key Caching, on page 1209

CHAPTER 125
Mobility
· Introduction to Mobility, on page 1177
· Guidelines and Restrictions, on page 1182
· Configuring Mobility (GUI), on page 1184
· Configuring Mobility (CLI), on page 1185
· Configuring Inter-Release Controller Mobility (GUI), on page 1187
· Configuring Inter-Release Controller Mobility, on page 1187
· Verifying Mobility, on page 1191
Introduction to Mobility
Mobility or roaming is a wireless LAN client's ability to maintain its association seamlessly from one access point to another access point securely and with as little latency as possible. This section explains how mobility works when controllers are included in a wireless network. When a wireless client associates and authenticates to an access point, the access point's controller places an entry for that client in its client database. This entry includes the client's MAC and IP addresses, security context and associations, quality of service (QoS) contexts, the WLAN, and the associated access point. The controller uses this information to forward frames and manage traffic to and from a wireless client.

Figure 29: Intracontroller Roaming
This figure shows a wireless client that roams from one access point to another access point when both access points are joined to the same controller.

When a wireless client moves its association from one access point to another access point, the controller simply updates the client database with the newly associated access point. If necessary, new security context and associations are established as well. The process becomes more complicated, however, when a client roams from an access point joined to one controller to an access point joined to a different controller. It also varies based on whether the controllers are operating on the same subnet.
Figure 30: Intercontroller Roaming
This figure shows intercontroller roaming, which occurs when the wireless LAN interfaces of controllers are on the same IP subnet.

When a client joins an access point associated with a new controller, the new controller exchanges mobility messages with the original controller, and the client database entry is moved to the new controller. New security context and associations are established if necessary, and the client database entry is updated for the new access point. This process remains transparent to the user.

Note All clients configured with 802.1X/Wi-Fi Protected Access (WPA) security complete a full authentication in order to comply with the IEEE standard.

Important Intersubnet Roaming is not supported for SDA.

Figure 31: Intersubnet Roaming
This figure shows intersubnet roaming, which occurs when the wireless LAN interfaces of controllers are on different IP subnets.

Intersubnet roaming is similar to intercontroller roaming in that, controllers exchange mobility messages on the client roam. However, instead of moving the client database entry to the new controller, the original controller marks the client with an anchor entry in its own client database. The database entry is copied to the new controller client database and marked with a foreign entry in the new controller. The roam remains transparent to the wireless client, and the client maintains its original IP address.
In intersubnet roaming, WLANs on both anchor and foreign controllers should have the same network access privileges, and no source-based routing or source-based firewalls in place. Otherwise, the clients may have network connectivity issues after the handoff.
In a static anchor setup using controllers and a RADIUS server, if AAA override is enabled to dynamically assign VLAN and QoS, the foreign controller updates the anchor controller with the right VLAN after a Layer 2 authentication (802.1x). For Layer 3 RADIUS authentication, the RADIUS requests for authentication are sent by the anchor controller.

Note The Cisco Catalyst 9800 Series Wireless Controller mobility tunnel is a CAPWAP tunnel with a control path (UDP 16666) and a data path (UDP 16667). The control path is DTLS encrypted by default. Data path DTLS can be enabled when you add the mobility peer.

SDA Roaming

SDA supports two additional types of roaming, which are Intra-xTR and Inter-xTR. In SDA, xTR stands for an access-switch that is a fabric edge node. It serves both as an ingress tunnel router as well as an egress tunnel router.

When a client on a fabric-enabled WLAN roams from one access point to another access point on the same access switch, the roam is called Intra-xTR. Here, the local client database and client history table are updated with the information of the newly associated access point. When a client on a fabric-enabled WLAN roams from one access point to another access point on a different access switch, the roam is called Inter-xTR. Here, the map server is also updated with the client location (RLOC) information, and the local client database is updated with the information of the newly associated access point.
Figure 32: SDA Roaming
This figure shows inter-xTR and intra-xTR roaming, which occurs when the client moves from one access point to another access point on the same switch or to a different switch in a Fabric topology.

Definitions of Mobility-related Terms
· Point of Attachment--A station's point of attachment is where its data path is initially processed upon entry into the network.
· Point of Presence--A station's point of presence is the place in the network where the station is being advertised.
· Station--A user's device that connects to and requests service from a network.
Mobility Groups
A mobility group is a set of controllers, identified by the same mobility group name, that defines the realm of seamless roaming for wireless clients. By creating a mobility group, you can enable multiple controllers in a network to dynamically share information and forward data traffic when intercontroller or intersubnet roaming occurs. Controllers in the same mobility group can share the context and state of client devices as well as their list of access points so that they do not consider each other's access points as rogue devices. With this information, the network can support intercontroller wireless LAN roaming and controller redundancy.
Note While moving an AP from one controller to another (when both controllers are mobility peers), a client associated to controller-1 before the move might stay there even after the move. This is due to a timeout period on controller-1, where the client entry is maintained (for the purposes of roaming/re-association scenarios). To avoid the client being anchored in controller-1, remove the mobility peer configuration of the controller.
Figure 33: Example of a Single Mobility Group

As shown in the figure above, each controller is configured with a list of the other members of the mobility group. Whenever a new client joins a controller, the controller sends out a unicast message (or multicast message if mobility multicast is configured) to all of the controllers in the mobility group. The controller to which the client was previously connected passes on the status of the client.
Guidelines and Restrictions
The following AireOS and Cisco Catalyst 9800 Series Wireless Controller platforms are supported for SDA Inter-Controller Mobility (AireOS controller-to-Cisco Catalyst 9800 Series Wireless Controller):
· AireOS
  · Cisco 3504
  · Cisco 5520
  · Cisco 8540
· Cisco Catalyst 9800 Series Wireless Controller
  · Cisco Catalyst 9800 Wireless Controller for Cloud
  · Cisco Catalyst 9800-80 Wireless Controller
  · Cisco Catalyst 9800-40 Wireless Controller
  · Cisco Catalyst 9800-L Wireless Controller
The following controller platforms are supported for SDA Inter-Controller Mobility:
· Catalyst Switches
  · Cisco 9300
· Cisco Catalyst 9800 Series Wireless Controller
  · Cisco Catalyst 9800 Wireless Controller for Cloud
  · Cisco Catalyst 9800-40 Wireless Controller
· Ensure that the data DTLS configuration on the Cisco Catalyst 9800 Series Wireless Controller and AireOS are the same, as configuration mismatch is not supported on the Cisco Catalyst 9800 Series Wireless Controller and it causes the mobility data path to go down.
· In intercontroller roaming scenarios, roaming between policy profiles that have different VLANs is supported as a Layer 3 roam.
· In AireOS controller, L3 override is not supported in guest VLAN. Hence, the client does not trigger DHCP Discovery on the new VLAN automatically.
· Policy profile name and client VLAN under policy profile can be different across the controllers with the same WLAN profile mapped.
· In intracontroller roaming scenarios, client roaming is supported between the same policy profiles, with the WLAN mapped. From Cisco IOS XE Amsterdam 17.3.x, the controller allows seamless roaming between the same WLAN associated with different policy profiles. For more information, see the Client Roaming Policy Profile feature.
· If a client roams in web authentication state, the client is considered as a new client on another controller instead of being identified as a mobile client.
· Controllers that are mobility peers must use the same DHCP server to have an updated client mobility move count on intra-VLAN.
· Data DTLS and SSC hash key must be the same for mobility tunnels between members.
· Mobility move count is updated under client detail only during inter-controller roaming. Intra-controller roaming can be verified under client stats and mobility history.


· Anchor VLAN in Cisco Catalyst 9800 Series Wireless Controller is represented as Access VLAN on the Cisco AireOS controller.
· When clients are roaming, their mobility role is shown as Unknown. This is because the roaming clients are in IP learn state, and in such a scenario, there are many client additions to the new instance and deletions in the old instance.
· In inter-controller roaming between 9800 and 9800/AireOS, client roaming is not supported, whenever there is a WLAN profile mismatch.
· Only IPv4 tunnel is supported between Cisco Catalyst 9800 Series Wireless Controller and Cisco AireOS controller.
· Ensure that you configure the mobility MAC address using the wireless mobility mac-address command for High-Availability to work.
· Mobility tunnel will not work if ECDSA based certificate or trustpoint is used for wireless management.
· If Anchor and Foreign controllers are put in the same Layer 2 network, it creates a loop topology (one path is the Layer 3 mobility tunnel between Anchor and Foreign, the other path is the Layer 2 wired connection between Anchor and Foreign). In this topology, a MAC_CONFLICT warning message can be seen on both the Anchor and Foreign controllers. This MAC_CONFLICT warning message is printed once every minute. However, it has no functionality or performance impact. As a best practice, do not use the management VLAN as a client VLAN.
· Mobility Tunnel will go down and come up if SSO is triggered due to gateway check failure.
· If the current AP has 5-GHz slot2 radio on L2 and L3 mobility 5-GHz slot2, the WLAN BSSID is only added to the 11k or 11v neighbor information. As a result, the AP does not have the information of radio properties of the APs belonging to the other controllers. Hence, it can be assumed that the radio properties of the APs belonging to the other controllers are similar to that of the current AP. If the current AP does not have slot2, the other APs cannot be added as a neighbor. In such a scenario, the validation fails and does not add this radio to the neighbor list.
· We recommend that you use the default keepalive count and interval values to reduce convergence time between the Cisco AireOS Wireless Controllers and Cisco Catalyst 9800 Series Wireless Controllers while setting up a mobility tunnel.
· A new client may take up to 3 seconds to join the network when the mobility tunnel is UP and mobility peers are configured. This is because the system sends three mobile messages (one second apart) to find out whether the client is already part of the network.

Configuring Mobility (GUI)
Procedure

Step 1  Choose Configuration > Wireless > Mobility. The Wireless Mobility page is displayed, on which you can perform global configuration and peer configuration.
Step 2  In the Global Configuration section, perform the following tasks:
a) Enter a name for the mobility group.
b) Enter the multicast IP address for the mobility group.
c) In the Keep Alive Interval field, specify the amount of time (in seconds) between each ping request sent to a mobility list member. The valid range is 1 to 30 seconds.
d) In the Mobility Keep Alive Count field, specify the number of times a ping request is sent to a mobility list member before the member is considered to be unreachable. The valid range is 3 to 20, and the default value is 3.
e) Enter the DSCP value for the mobility group.
f) Enter the mobility MAC address.
g) Click Apply.
Step 3  In the Peer Configuration tab, perform the following tasks:
a) In the Mobility Peer Configuration section, click Add.
b) In the Add Mobility Peer window that is displayed, enter the MAC address and IP address for the mobility peer.
c) Additionally, when NAT is used, enter the optional public IP address to enter the mobility peer's NATed address. When NAT is not used, the public IP address is not used and the device displays the mobility peer's direct IP address.
d) Enter the mobility group to which you want to add the mobility peer.
e) Select the required status for Data Link Encryption.
f) Specify the SSC Hash as required.
SSC hash is required if the peer is a Cisco Catalyst 9800-CL Wireless Controller, which uses a self-signed certificate; the SSC hash is therefore used as an additional validation. SSC hash is not required if the peer is an appliance, which has manufacturing installed certificates (MIC) or device certificates burned into the hardware.
g) Click Save & Apply to Device.
h) In the Non-Local Mobility Group Multicast Configuration section, click Add.
i) Enter the mobility group name.
j) Enter the multicast IP address for the mobility group.
k) Click Save.

Configuring Mobility (CLI)

Procedure

Step 1  wireless mobility group name group-name
Purpose: Creates a mobility group named Mygroup.
Example:
Device(config)# wireless mobility group name Mygroup

Step 2  wireless mobility mac-address mac-addr
Purpose: Configures the MAC address to be used in mobility messages.
Example:
Device(config)# wireless mobility mac-address 00:0d:ed:dd:25:82

Step 3  wireless mobility dscp value-0-to-63
Purpose: (Optional) Configures the mobility intercontroller DSCP value.
Example:
Device(config)# wireless mobility dscp 10

Step 4  wireless mobility group keepalive interval time-in-seconds
Purpose: (Optional) Configures the interval between two keepalives sent to a mobility member. The valid range is between 1 and 30 seconds.
Note For controllers connected through mobility tunnels, ensure that both controllers have the same keepalive interval value.
Example:
Device(config)# wireless mobility group keepalive interval 5

Step 5  wireless mobility group keepalive count count
Purpose: (Optional) Configures the keepalive retries before a member status is termed DOWN.
Example:
Device(config)# wireless mobility group keepalive count 3

Step 6  Use one of the following options to configure an IPv4 or IPv6 peer:
· wireless mobility group member mac-address mac-address ip peer-ip-address group group-name data-link-encryption
· wireless mobility group member mac-address mac-address ip peer-ip-address public-ip public-ip-address group group-name
Purpose: Adds a peer IPv4 or IPv6 address to a specific group. To remove the peer from the local group, use the no form of this command.
Example:
Device(config)# wireless mobility group member mac-address 001E.BD0C.5AFF ip 9.12.32.10 group test-group data-link-encryption
Device(config)# wireless mobility group member mac-address 001E.BD0C.5AFF ip fd09:9:2:49::55 public-ip fd09:9:2:49::55 group scalemobility

Step 7  wireless mobility multicast {ipv4 | ipv6} ip-address or wireless mobility group multicast-address group-name {ipv4 | ipv6} ip-address
Purpose: (Optional) Configures a multicast IPv4 or IPv6 address for a local mobility group or a nonlocal mobility group.
Note Mobility Multicast--The controller sends a multicast message instead of a unicast message to all the members in the mobility local group or a nonlocal group when a client joins or roams.
Example:
Device(config)# wireless mobility multicast ipv4 224.0.0.4
Configures the multicast IPv4 address as 224.0.0.4 for a local mobility group.
Example:
Device(config)# wireless mobility group multicast-address Mygroup ipv4 224.0.0.5
Configures the multicast IPv4 address as 224.0.0.5 for a nonlocal mobility group.

Configuring Inter-Release Controller Mobility (GUI)
Procedure

Step 1  Choose Configuration > Wireless > Mobility > Global Configuration.
Step 2  Enter the Mobility Group Name, Multicast IPv4 Address, Multicast IPv6 Address, Keep Alive Interval (sec), Mobility Keep Alive Count, Mobility DSCP Value and Mobility MAC Address.
Step 3  Click Apply.

Configuring Inter-Release Controller Mobility
Inter-Release Controller Mobility (IRCM) is a set of features and functionality that enable interworking between controllers running different software releases. IRCM enables seamless mobility and wireless services across controllers running Cisco AireOS and Cisco IOS (for example, Cisco 8540 WLC to Cisco Catalyst 9800 Series Wireless Controller) for features such as Layer 2 and Layer 3 roaming and guest access or termination.
Note To configure IRCM for different combinations of AireOS and Catalyst 9800 controllers, see the Cisco Catalyst 9800 Wireless Controller-Aireos IRCM Deployment Guide.
Follow the procedure described to configure mobility peers on the controller:
Before you begin
The Inter-Release Controller Mobility (IRCM) feature is supported by the following Cisco Wireless Controllers.
· For IRCM deployment, we recommend that you configure:
  · Both Cisco AireOS and Cisco Catalyst 9800 Series Controllers as static RF leaders to avoid RF grouping between them.
  · The same RF network name on both the controllers.
· Cisco Catalyst 9800 Series Wireless Controller platforms running Cisco IOS XE Software version 16.10.1 or later.


· Supports the following Cisco AireOS Wireless Controllers running the Cisco AireOS 8.5.14x.x IRCM image based on the 8.5 Maintenance Release software:
  · Cisco 3504 Wireless Controllers
  · Cisco 5508 Wireless Controllers
  · Cisco 5520 Wireless Controllers
  · Cisco 8510 Wireless Controllers
  · Cisco 8540 Wireless Controllers
· By design, Cisco Catalyst 9800 Wireless Controllers do not expose the Primary Mode configuration that is sent in the Discovery Response. The controller always sends the Discovery Response with the Primary Mode enabled.
· Supported Cisco AireOS Wireless Controllers running AireOS 8.8.111.0 and later. The following controllers are supported:
  · Cisco 3504 Wireless Controllers
  · Cisco 5520 Wireless Controllers
  · Cisco 8540 Wireless Controllers
Note If the peer Cisco Catalyst 9800 Series Wireless Controller is virtual, configure the hash using the command:
config mobility group member hash 172.20.227.73 3f93a86cee2039e9c3aada1822ad74b89fea30c1
Optionally, enable data tunnel encryption using the command:
config mobility group member data-dtls 00:0c:29:a8:d5:77 enable/disable
The hash configured above can be obtained by running the following command on the Cisco Catalyst 9800 Series Wireless Controller:
show wireless management trustpoint
Trustpoint Name : ewlc-tp1
Certificate Info : Available
Certificate Type : SSC
Certificate Hash : 3f93a86cee2039e9c3aada1822ad74b89fea30c1
Private key Info : Available
· The IRCM feature is not supported on the following Cisco AireOS Wireless Controllers:
  · Cisco 2504 Wireless Controllers
  · Cisco Flex 7510 Wireless Controllers
  · Cisco WiSM 2
· IPv6 is not supported for SDA IRCM for fabric client roaming. IPv6 is supported for IRCM for non-fabric client roaming.
· Ensure that you use AireOS controller that supports Encrypted Mobility feature.
· AVC is not supported for IRCM.
· In mixed deployments (Catalyst 9800 and AireOS Controllers), the WLAN profile name and the policy profile name must be the same. This is because AireOS does not know about the policy profile and therefore sends and receives only the WLAN name as both the policy profile and the WLAN profile.
· Mobility group multicast is not supported because AireOS does not support mobility multicast in encrypted mobility.
· There could be instances where the total client count shown is higher than the number supported at the roaming scale. This inconsistency is observed when the client roaming rate is very high, because the system requires time to update its records; clients that are present on multiple wncds for a very short time are counted more than once. We recommend that you allow sufficient time for the process to obtain consistent data before using one of the following methods: show CLIs, WebUI, DNAC, or SNMP.
· Link Local bridging is not supported. Ensure that you disable it also on the peer AireOS controller.
· IRCM is not supported in FlexConnect and FlexConnect+Bridge modes.
The following client features support IPv6 client mobility between AireOS controllers and Cisco Catalyst 9800 Series Wireless Controller: Accounting, L3 Security (Webauth), Policy (ACL and QoS), IP address assignment and learning through SLAAC and DHCPv6, IPv6 Source Guard, multiple IPv6 address learning, IPv6 multicast, and SISF IPv6 features (RA Guard, RA Throttling, DHCPv6 Guard, and ND Suppress).
The following IPv6 features are not supported on Cisco Catalyst 9800 Series Wireless Controller:
· Configurable IPv6 timers
· RA Guard enabled on AP
· Global IPv6 disable

Note
· IPv6 CWA is not supported for both AireOS controllers and Cisco Catalyst 9800 Series Wireless Controller.
· Only eight IPv6 addresses are supported per client.


Procedure

Step 1  configure terminal
Purpose: Enters global configuration mode.
Example:
Device# configure terminal

Step 2  Use one of the following options to configure an IPv4 or IPv6 peer:
· wireless mobility group member mac-address mac-address ip peer-ip group group-name data-link-encryption
· wireless mobility group member mac-address mac-address ip peer-ip-address public-ip public-ip-address group group-name
Purpose: Adds a peer IPv4 or IPv6 address to a specific group. To remove the peer from the local group, use the no form of this command.
Example:
Device(config)# wireless mobility group member mac-address 001E.BD0C.5AFF ip 9.12.32.10 group test-group data-link-encryption
Device(config)# wireless mobility group member mac-address 001E.BD0C.5AFF ip fd09:9:2:49::55 public-ip fd09:9:2:49::55 group scalemobility

Step 3  wireless mobility group name group-name
Purpose: Adds a name for the local group. The default local group name is "default".
Example:
Device(config)# wireless mobility group name test-group

Step 4  wireless mobility mac-address mac-address
Purpose: (Optional) Configures the MAC address to be used in mobility messages.
Example:
Device(config)# wireless mobility mac-address 000d.bd5e.9f00

Step 5  wireless mobility group member ip peer-ip
Purpose: Adds a peer in the local group. To remove the peer from the local group, use the no form of this command.
Example:
Device(config)# wireless mobility group member ip 9.12.32.15

Step 6  wireless mobility dscp dscp-value
Purpose: (Optional) Configures DSCP. The default value is 48.
Example:
Device(config)# wireless mobility dscp 52

Step 7  wireless mobility group keepalive count count
Purpose: Configures the mobility control and data path keepalive count. The default value is 3.
Example:
Device(config)# wireless mobility group keepalive count 10

Step 8  wireless mobility group keepalive interval interval
Purpose: Configures the mobility control and data path keepalive interval. The default value is 10.
Note For controllers connected through mobility tunnels, ensure that both controllers have the same keepalive interval value.
Example:
Device(config)# wireless mobility group keepalive interval 30

Verifying Mobility
To display the summary of the mobility manager, use the following command:
Device# show wireless mobility summary

To display mobility peer information, use the following command:
Device# show wireless mobility peer ip 10.0.0.8

To display the list of access points known to the mobility group, use the following command:
Device# show wireless mobility ap-list

To display statistics for the mobility manager, use the following command:

Device# show wireless statistics mobility

Mobility event statistics:
  Joined as
    Local                         : 0
    Foreign                       : 0
    Export foreign                : 2793
    Export anchor                 : 0
  Delete
    Local                         : 2802
    Remote                        : 0
  Role changes
    Local to anchor               : 0
    Anchor to local               : 0
  Roam stats
    L2 roam count                 : 0
    L3 roam count                 : 0
    Flex client roam count        : 0
    Inter-WNCd roam count         : 0
    Intra-WNCd roam count         : 0
    Remote inter-cntrl roam count : 0
    Remote WebAuth pending roams  : 0
  Anchor Request
    Sent                          : 0
    Grant received                : 0
    Deny received                 : 0
    Received                      : 0
    Grant sent                    : 0
    Deny sent                     : 0
  Handoff Status Received
    Success                       : 0
    Group mismatch                : 0
    Client unknown                : 0
    Client blacklisted            : 14
    SSID mismatch                 : 0
    Denied                        : 0
  Handoff Status Sent
    Success                       : 0
    Group mismatch                : 0
    Client unknown                : 0
    Client blacklisted            : 0
    SSID mismatch                 : 0
    Denied                        : 0
  Export Anchor Request
    Sent                          : 2812
    Response Received
      Ok                          : 2793
      Deny - generic              : 19
      Client blacklisted          : 0
      Client limit reached        : 0
      Profile mismatch            : 0
      Deny - unknown reason       : 0
    Request Received              : 0
    Response Sent
      Ok                          : 0
      Deny - generic              : 0
      Client blacklisted          : 0
      Client limit reached        : 0
      Profile mismatch            : 0

MM mobility event statistics:
  Event data allocs               : 17083
  Event data frees                : 17083
  FSM set allocs                  : 2826
  FSM set frees                   : 2816
  Timer allocs                    : 8421
  Timer frees                     : 8421
  Timer starts                    : 14045
  Timer stops                     : 14045
  Invalid events                  : 0
  Internal errors                 : 0
  Delete internal errors          : 0
  Roam internal errors            : 0

MMIF mobility event statistics:
  Event data allocs               : 17088
  Event data frees                : 17088
  Invalid events                  : 0
  Event schedule errors           : 0

MMIF internal errors:
  IPC failure                     : 0
  Database failure                : 0
  Invalid parameters              : 0
  Mobility message decode failure : 0
  FSM failure                     : 0
  Client handoff success          : 0
  Client handoff failure          : 14
  Anchor Deny                     : 0
  Remote delete                   : 0
  Tunnel down delete              : 0
  MBSSID down                     : 0
  Unknown failure                 : 0
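The counters above are only useful if something reads them regularly. The following added example (not Cisco code) parses this output layout into section-qualified counters and flags handoff failures, export anchor denials and an FSM set allocation/free gap; the sample output is constructed from the values shown above, and the three checks are assumptions about what is worth reviewing.

```python
"""Parse `show wireless statistics mobility` output and flag counters that
deserve a look. Added example, not Cisco code; SAMPLE_OUTPUT is constructed
from the values shown in this section and the checks are assumptions."""
import re
from typing import Dict, List

# Constructed sample, indented the way the controller prints the hierarchy.
SAMPLE_OUTPUT = """\
Mobility event statistics:
  Joined as
    Local                          : 0
    Export foreign                 : 2793
  Delete
    Local                          : 2802
    Remote                         : 0
  Export Anchor Request
    Sent                           : 2812
    Response Received
      Ok                           : 2793
      Deny - generic               : 19
      Profile mismatch             : 0
  MM mobility event statistics:
    FSM set allocs                 : 2826
    FSM set frees                  : 2816
MMIF internal errors:
  Client handoff success           : 0
  Client handoff failure           : 14
  Anchor Deny                      : 0
"""

# "Label : value" is a counter; a label without a value opens a sub-section.
LINE_RE = re.compile(r"^(?P<indent>\s*)(?P<label>[^:]+?)\s*(?::\s*(?P<value>\d*))?\s*$")


def parse_mobility_stats(text: str) -> Dict[str, int]:
    """Return {"Section/Sub-section/Label": value} for every counter line."""
    counters: Dict[str, int] = {}
    stack: List[tuple] = []  # open sections as (indent width, label)
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not raw.strip() or not m:
            continue
        indent = len(m.group("indent"))
        label = m.group("label").strip()
        # Close every section that is not a parent of this line.
        while stack and stack[-1][0] >= indent:
            stack.pop()
        path = "/".join([s[1] for s in stack] + [label])
        if m.group("value"):
            counters[path] = int(m.group("value"))
        else:
            stack.append((indent, label))
    return counters


def review_mobility_stats(counters: Dict[str, int]) -> List[str]:
    """Apply three checks drawn from this chapter and return the findings."""
    def get(suffix: str) -> int:
        # Address counters by path suffix so the exact nesting does not matter.
        return next((v for k, v in counters.items() if k.endswith(suffix)), 0)

    findings: List[str] = []
    failed = get("MMIF internal errors/Client handoff failure")
    if failed:
        findings.append(f"{failed} client handoff(s) failed: check the peers for "
                        "WLAN profile, VLAN or data DTLS mismatches")
    sent = get("Export Anchor Request/Sent")
    denied = get("Export Anchor Request/Response Received/Deny - generic")
    if sent and denied:
        findings.append(f"{denied} of {sent} export anchor requests were denied "
                        f"({100 * denied / sent:.1f}%); compare the anchor's "
                        "Profile mismatch and Client limit reached counters")
    allocs, frees = get("FSM set allocs"), get("FSM set frees")
    if allocs != frees:
        findings.append(f"FSM set allocs ({allocs}) != frees ({frees}): roams in "
                        "flight, or a leak if the gap keeps growing between samples")
    return findings


if __name__ == "__main__":
    for line in review_mobility_stats(parse_mobility_stats(SAMPLE_OUTPUT)):
        print(line)
```

Feed it the live output of the command on a schedule and diff successive samples; a single snapshot cannot tell in-flight roams from a leak.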

To display counters for all messages in mobility, use the following command:

Device# show wireless stats mobility messages

MM datagram message statistics:
[Table not reproduced: for each message type the controller lists the counters Built, Tx, Rx, Retry, Drops, Allocs, Frees, Processed, Tx Error, Rx Error and Forwarded. The message types are Mobile Announce, Mobile Announce Nak, Static IP Mobile Annc, Static IP Mobile Annc Rsp, Handoff, Handoff End, Handoff End Ack, Anchor Req, Anchor Grant, Anchor Xfer, Anchor Xfer Ack, Export Anchor Req, Export Anchor Rsp, AAA Handoff, AAA Handoff Ack, IPv4 Addr Update, IPv4 Addr Update Ack, IPv6 ND Packet, IPv6 Addr Update, IPv6 Addr Update Ack, Client Add, Client Delete, AP List Update, Client Device Profile Info, PMK Update, PMK Delete, PMK 11r Nonce Update, Device cache Update, HA SSO Announce, HA SSO Announce Resp, Mesh Roam Request, Mesh Roam Response, Mesh AP PMK Time Upd, Mesh AP PMK Time Upd Ack, Mesh AP Channel List, Mesh AP Channel List Resp, AP upgrade, Keepalive Ctrl Req, Keepalive Ctrl Resp and Keepalive Data Req/Resp.]

To display mobility information of the client, use the following command:

Device# show wireless client mac-address 00:0d:ed:dd:35:80 detail

To display roaming history of the active client in the subdomain, use the following command:
Device# show wireless client mac-address 00:0d:ed:dd:35:80 mobility history

To display client-specific statistics for the mobility manager, use the following command:
Device# show wireless client mac-address 00:0d:ed:dd:35:80 stats mobility

To verify whether an intercontroller roam is successful, use the following commands:
· show wireless client mac mac-address detail: (on the roamed-to controller) Displays the roam type as L2 and the roam count incremented by 1.
· show wireless client summary: (on the roamed-from controller) The client entry is no longer present in the output.

Verifying SDA Mobility
To verify whether an intracontroller, intra-xTR roam is successful, use the following commands:
· show wireless client summary: Displays the new AP if the client has roamed across the APs on the same xTR.
· show wireless client mac mac-address detail: Displays the same RLOC as before the roam.
To verify whether an intracontroller, inter-xTR roam is successful, use the following commands:
· show wireless fabric client summary: Displays the new AP if the client has roamed across the APs on a different xTR.
· show wireless client mac mac-address detail: Displays the RLOC of the new xTR to which the client has roamed.

To check client status before and after intracontroller roaming, perform the following steps:
1. Check if the client is on the old AP, using the show wireless client summary command on the controller.
2. Check whether the client MAC is listed against the old AP, using the show mac addr dyn command on the xTR1.
3. Check whether the client IP is registered from the current xTR1, and the client MAC is registered from both the current xTR1 and WLC1, using the show lisp site detail command on the MAP server.
4. After the intra-WLC roam, check whether the client is on the new AP, using the show wireless client summary and show mac addr dyn commands on the WLC1 and xTR1.
5. After the Inter-xTR roam (old and new APs on different xTRs), check whether the client is on the new AP (connected to the new xTR2), using the show wireless client summary and show mac addr dyn commands on the WLC1 and xTR2.
6. Check whether the client is registered from the new xTR2, using the show lisp site detail command on the MAP server.

Verifying Roaming on MAP Server for SDA
To verify roaming information for SDA, run the following command on the MAP server, before and after the roam, to check whether the client IP is registered from the current xTR, and the client MAC is registered from both the current xTR and WLC.
Device# show lisp site detail


CHAPTER 126
NAT Support on Mobility Groups
· Information About NAT Support on Mobility Groups, on page 1197
· Restrictions for NAT Support on Mobility Groups, on page 1198
· Functionalities Supported on Mobility NAT, on page 1198
· Configuring a Mobility Peer, on page 1199
· Verifying NAT Support on Mobility Groups, on page 1199
Information About NAT Support on Mobility Groups
The Network Address Translation (NAT) on Mobility Groups feature supports the establishment of mobility tunnels between peer controllers when one or both peers are behind a NAT. This is achieved by translating the public and private IP addresses of the peers (see figure below). Depending on the placement and number of NATs, translation might be required at one or both ends of the tunnel.
Figure 34: Mobility NAT
When configuring a NATed mobility peer, both the private IP address (address in the network before the NAT device) and the public IP address (address in the public network) have to be configured. Also, if you are using a firewall, ensure that the ports listed below can be accessed through the firewall:
· Port 16666 for mobility control messages
· Port 16667 for mobility data messages

Restrictions for NAT Support on Mobility Groups
· Only 1:1 (static) NAT entries can exist for the controller peers that form the mobility tunnels.
· Configuring multiple peers with the same public IP address is not supported.
· Private IP addresses of the configured peers must be unique.
· Port Address Translation (PAT) is not supported.
· If peer controllers of different types (for example, Cisco AireOS and Cisco Catalyst 9800 Series) are placed behind NAT, Inter-Release Controller Mobility (IRCM) is not supported for client roaming.
· IPv6 address translation is not supported.

Functionalities Supported on Mobility NAT

The following table lists the functionalities supported on mobility NAT:
Table 55: Functionalities Supported on Mobility NAT

Two controllers, with the foreign controller behind a NAT device: Yes (1:1 NAT only)
Two controllers, with the anchor controller behind a NAT device: Yes (1:1 NAT only)
Two controllers, with the anchor and foreign controller behind a NAT device: Yes (1:1 NAT only)
Multiple foreign and anchor controllers behind NATs: Yes (1:1 NAT only)
Supported Cisco Catalyst 9800 Series Wireless Controllers:
· Cisco Catalyst 9800-40 Wireless Controller
· Cisco Catalyst 9800-80 Wireless Controller
· Catalyst 9800 Wireless Controller for Cloud
· Cisco Catalyst 9800-L Wireless Controller
Number of peers supported: 72
Manageability using SNMP, YANG, and web UI: Yes
IRCM support for mobility: Yes
SSO: Yes
Client roaming (Layer 2 and Layer 3) between Cisco Catalyst 9800 Series Wireless Controllers: Yes
Client roaming (Layer 2 and Layer 3) between a Cisco Catalyst 9800 Series Wireless Controller and an AireOS controller: No
Supported applications on the mobility tunnel:
· Native profiling
· AP list
· PMK cache
· Mesh AP

Configuring a Mobility Peer

Before you begin
Ensure that the private and public IP addresses of a mobility peer are of the same type, either IPv4 or IPv6.

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wireless mobility group member mac-address peer_mac ip peer_private_ip [public-ip peer_public_ip] group group_name
Example:
Device(config)# wireless mobility group member mac-address 001e.494b.04ff ip 11.0.0.2 public-ip 4.0.0.112 group dom1
Purpose: Adds a mobility peer to the list with an optional public IP address.
Note: You cannot configure multiple peers with the same private or public IP address.

Step 3
Command or Action: exit
Example:
Device(config)# exit
Purpose: Returns to privileged EXEC mode.
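The restrictions in this chapter (unique private addresses, no shared public address, no PAT, matching address families, at most 72 peers) can be checked against a planned peer list before the commands above are pushed to a controller. The following Python block is an added example for readers of this guide, not Cisco code or a controller feature; the MobilityPeer class, the validate_peers and peer_cli functions, and the third sample peer (MAC 0011.2233.4455 with private address 31.0.0.2) are assumptions, while the first two peers reuse the addresses that appear in this chapter's examples.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Limits and ports stated in this chapter: 72 peers per controller, and mobility
# control/data traffic on ports 16666/16667 that a firewall must allow.
MAX_PEERS = 72
MOBILITY_PORTS = {"control": 16666, "data": 16667}


@dataclass
class MobilityPeer:
    mac: str                          # peer MAC, e.g. 001e.494b.04ff
    private_ip: str                   # address inside the peer's network, before the NAT device
    group: str                        # mobility group name
    public_ip: Optional[str] = None   # translated address seen on the public side, if NATed


def _version(addr: str) -> Optional[int]:
    """IP version of an address string, or None when it does not parse."""
    try:
        return ipaddress.ip_address(addr).version
    except ValueError:
        return None


def validate_peers(peers: List[MobilityPeer]) -> List[str]:
    """Return the restrictions violated by a planned peer list (empty list means clean)."""
    errors: List[str] = []
    if len(peers) > MAX_PEERS:
        errors.append(f"{len(peers)} peers configured; at most {MAX_PEERS} are supported")
    seen_private, seen_public = {}, {}
    for p in peers:
        priv_v = _version(p.private_ip)
        if priv_v is None:
            errors.append(f"peer {p.mac}: malformed private IP {p.private_ip!r}")
            continue
        # Private IP addresses of the configured peers must be unique.
        if p.private_ip in seen_private:
            errors.append(f"private IP {p.private_ip} used by more than one peer")
        seen_private[p.private_ip] = p
        if p.public_ip is None:
            continue
        pub_v = _version(p.public_ip)
        if pub_v is None:
            errors.append(f"peer {p.mac}: malformed public IP {p.public_ip!r}")
            continue
        # Several peers behind one public address would need PAT, which is not supported,
        # so a shared public IP is rejected outright.
        if p.public_ip in seen_public:
            errors.append(f"public IP {p.public_ip} shared by {seen_public[p.public_ip].mac} and {p.mac}")
        seen_public[p.public_ip] = p
        # Private and public addresses of one peer must be of the same type.
        if priv_v != pub_v:
            errors.append(f"peer {p.mac}: private and public addresses are of different IP versions")
        elif pub_v == 6:
            errors.append(f"peer {p.mac}: IPv6 address translation is not supported")
    return errors


def peer_cli(p: MobilityPeer) -> str:
    """Render the 'wireless mobility group member' command for one peer."""
    cmd = f"wireless mobility group member mac-address {p.mac} ip {p.private_ip}"
    if p.public_ip:
        cmd += f" public-ip {p.public_ip}"
    return cmd + f" group {p.group}"


# Constructed sample: two valid NATed peers plus a third that reuses a public address.
SAMPLE_PEERS = [
    MobilityPeer("001e.494b.04ff", "11.0.0.2", "dom1", "4.0.0.112"),
    MobilityPeer("cc70.ed02.c3b0", "21.0.0.2", "dom1", "3.0.0.22"),
    MobilityPeer("0011.2233.4455", "31.0.0.2", "dom1", "4.0.0.112"),
]

if __name__ == "__main__":
    for err in validate_peers(SAMPLE_PEERS):
        print("ERROR:", err)
    for peer in SAMPLE_PEERS:
        print(peer_cli(peer))
```

Run against the sample list, the validator reports only the shared public address; dropping the third peer yields an empty error list and the two commands from the chapter's examples.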

Verifying NAT Support on Mobility Groups
To display the mobility information of a client, use the following command:
Device# show wireless client mac-address 000a.bd15.0010 detail
Client MAC Address : 000a.bd15.0010
Client IPv4 Address : 100.100.0.2
Client Username : N/A
AP MAC Address : 000a.ad00.0800
AP Name : SIM-AP-7
AP slot : 1
. . .
To display mobility peer information using a private peer IP address, use the following command:
Device# show wireless mobility peer ip 21.0.0.2
Mobility Peer Info
===================
Ip Address : 21.0.0.2
Public Ip Address : 3.0.0.22
MAC Address : cc70.ed02.c3b0
Group Name : dom1
. . .

CHAPTER 127
Static IP Client Mobility
· Information About Static IP Client Mobility, on page 1201
· Restrictions, on page 1201
· Configuring Static IP Client Mobility (GUI), on page 1202
· Configuring Static IP Client Mobility (CLI), on page 1202
· Verifying Static IP Client Mobility, on page 1203
Information About Static IP Client Mobility
At times, you may want to configure static IP addresses for wireless clients. When these wireless clients move about in a network, they might try associating with other controllers. If the clients try to associate with a controller that does not support the same subnet as the static IP, the clients fail to connect to the network. You can now enable static IP mobility for clients with static IP addresses: such clients can associate with a controller that does not support the client's subnet, because their traffic is tunneled to another controller in the same mobility group where the subnet is supported. This feature enables you to configure your WLAN so that the network is serviced even though the clients use static IP addresses.
Restrictions
· This feature is not supported on the Fabric and Cisco Catalyst 9800 Wireless Controller for Switch platforms.
· IPv6 is not supported.
· FlexConnect mode is not supported.
· WebAuth (LWA and CWA) is not supported.
· Only Open, Dot1x, and PSK authentication mechanisms are supported.
· Supported only on WLANs that have no mobility anchor configured. If a mobility anchor is already configured on a WLAN and static IP mobility is enabled, the feature is not supported.
· Supported only when static IP mobility is enabled on all the peers.
· IRCM is not supported.

Configuring Static IP Client Mobility (GUI)
Procedure

Step 1 Choose Configuration > Tags & Profiles > Policy.
Step 2 On the Policy page, click the policy profile name or click Add to create a new one.
Step 3 Click the Mobility tab.
Step 4 Set the Static IP Mobility field to Enabled state.
Step 5 Click Update & Apply to Device.

Configuring Static IP Client Mobility (CLI)
Follow the procedure given below to configure static IP client mobility:
Before you begin
· Configure the SVI interface (L3 VLAN interface) to service the static IP client on at least one of the peer controllers in the network.
· For clients to join a controller, the VLAN (based on the VLAN number in the policy profile configuration) should be configured on the device.

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wireless profile policy profile-policy-name
Example:
Device(config)# wireless profile policy static-ip-policy
Purpose: Configures a WLAN policy profile and enters wireless policy configuration mode.

Step 3
Command or Action: static-ip-mobility
Example:
Device(config-wireless-policy)# static-ip-mobility
Purpose: Enables static IP mobility.


Verifying Static IP Client Mobility
Use the following commands to verify the static IP client mobility configuration:
Device# show wireless profile policy detailed static-ip-policy

Policy Profile Name                : static-ip-policy
Description                        :
Status                             : DISABLED
VLAN                               : 1
Wireless management interface VLAN : 34
Passive Client                     : DISABLED
ET-Analytics                       : DISABLED
StaticIP Mobility                  : DISABLED
WLAN Switching Policy
  Central Switching                : ENABLED
  Central Authentication           : ENABLED
  Central DHCP                     : DISABLED
  Flex NAT PAT                     : DISABLED
  Central Assoc                    : DISABLED
WLAN Flex Policy
  VLAN based Central Switching     : DISABLED
WLAN ACL
  IPv4 ACL                         : Not Configured
  IPv6 ACL                         : Not Configured
  Layer2 ACL                       : Not Configured
  Preauth urlfilter list           : Not Configured
  Postauth urlfilter list          : Not Configured
WLAN Timeout
  Session Timeout                  : 1800
  Idle Timeout                     : 300
  Idle Threshold                   : 0
WLAN Local Profiling
  Subscriber Policy Name           : Not Configured
  RADIUS Profiling                 : DISABLED
  HTTP TLV caching                 : DISABLED
  DHCP TLV caching                 : DISABLED
WLAN Mobility
  Anchor                           : DISABLED
AVC VISIBILITY                     : Disabled
Flow Monitor IPv4
  Flow Monitor Ingress Name        : Not Configured
  Flow Monitor Egress Name         : Not Configured
Flow Monitor IPv6
  Flow Monitor Ingress Name        : Not Configured
  Flow Monitor Egress Name         : Not Configured
NBAR Protocol Discovery            : Disabled
Reanchoring                        : Disabled
Classmap name for Reanchoring
  Reanchoring Classmap Name        : Not Configured
QOS per SSID
  Ingress Service Name             : Not Configured
  Egress Service Name              : Not Configured
QOS per Client
  Ingress Service Name             : Not Configured
  Egress Service Name              : Not Configured
Umbrella information
  Ciso Umbrella Parameter Map      : Not Configured
Autoqos Mode                       : None
Call Snooping                      : Disabled
Fabric Profile
  Profile Name                     : Not Configured
Accounting list
  Accounting List                  : Not Configured
DHCP
  required                         : DISABLED
  server address                   : 0.0.0.0
Opt82
  DhcpOpt82Enable                  : DISABLED
  DhcpOpt82Ascii                   : DISABLED
  DhcpOpt82Rid                     : DISABLED
  APMAC                            : DISABLED
  SSID                             : DISABLED
  AP_ETHMAC                        : DISABLED
  APNAME                           : DISABLED
  POLICY TAG                       : DISABLED
  AP_LOCATION                      : DISABLED
  VLAN_ID                          : DISABLED
Exclusionlist Params
  Exclusionlist                    : ENABLED
  Exclusion Timeout                : 60
AAA Policy Params
  AAA Override                     : DISABLED
  NAC                              : DISABLED
  AAA Policy name                  : default-aaa-policy
WGB Policy Params
  Broadcast Tagging                : DISABLED
  Client VLAN                      : DISABLED
Mobility Anchor List
  IP Address                       Priority
  -------------------------------------------------------

Device# show run | section profile policy
wireless profile policy default-policy-profile
 central switching
 description "default policy profile"
 static-ip-mobility
 vlan 50
 no shutdown


CHAPTER 128
Mobility Domain ID - Dot11i Roaming
· Information about Mobility Domain ID - 802.11i Roaming, on page 1205
· Verifying Mobility Domain ID - 802.11i Roaming, on page 1206
Information about Mobility Domain ID - 802.11i Roaming
A mobility domain is a cluster of APs forming a continuous radio frequency space, where the Pairwise Master Key (PMK) can be synchronized, and fast roaming can be enabled for 802.11r (Fast Transition) or 802.11i (WPA).
In the releases prior to Cisco IOS XE 17.2.1, the PMK cache was shared across the FlexConnect APs using the AP site tag. All the APs that are a part of a site tag share the PMK cache. This is applicable only for central authentication.
From Cisco IOS XE 17.2.1, you can create a Mobility Domain ID (MDID) for each of the APs. All the APs with the same MDID share the PMK cache keys even if they are in different site tags. When MDID is configured for APs, the PMK cache keys are not shared with the APs that are not a part of the same MDID, even if they are a part of the same site tag. MDID supports PMK cache distribution for both central authentication and local authentication.

Note
· The Mobility Domain ID - 802.11i Roaming feature does not work when the Flex APs are in standalone mode because the feature depends on the controller to share the keys.
· MDID is configured only through the open configuration model. There is no CLI or GUI support.
· In Cisco IOS XE Amsterdam 17.2.1, 100 APs per site-tag or per MDID are supported, and 1000 PMK entries are supported per AP.

The mobility domain can either be defined as a static configuration of clustered APs, all under a commonly configured MDID, or dynamically computed. You can implement a spatial clustering algorithm based on neighbor associations of APs. Each AP can only be a part of one roaming domain.
An MDID is used by 802.11r to define a network in which an 802.11r fast roam is supported. PMKs should be shared within mobility domains, allowing clients to support fast roaming. If defined, MDID takes precedence over a site tag.


MDID configurations are exercised only from open configuration models. For more information about open configuration models, see https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/prog/configuration/172/b_172_programmability_cg.html.
Verifying Mobility Domain ID - 802.11i Roaming
The following example shows how to view and verify the 802.11i Roaming configuration:
Device# show running-config | section specific-config
ap specific-config 58ac.70dc.xxxx
 hostname AP58AC.70DC.XXXX
 roaming-domain roaming_domain_2
ap specific-config 78xc.f09d.xxxx
 hostname AP78XC.F09D.XXXX
 roaming-domain roaming_domain_3

CHAPTER 129
802.11r Support for Flex Local Authentication
· Information About 802.11r Support for FlexConnect Local Authentication, on page 1207
· Verifying 802.11r Support for Flex Local Authentication, on page 1208
Information About 802.11r Support for FlexConnect Local Authentication
In releases prior to Cisco IOS XE Amsterdam 17.2.1, the FlexConnect mode fast transition was supported only in centrally authenticated clients. This was achieved by sharing the Pairwise Master Key (PMK) to all the FlexConnect APs in the same site tag. From Cisco IOS XE Amsterdam 17.2.1, fast transition is supported even for locally authenticated clients. The client PMK cache entries are shared and distributed to all the APs in the same site tag. From Cisco IOS XE Amsterdam 17.2.1, another grouping called Mobility Domain ID (MDID) is introduced, for sharing the PMK cache entries. MDID can be configured for APs using the open configuration model only. There is no CLI or GUI support. The PMK cache distribution in a FlexConnect local site (using either the site tag or MDID) is restricted to 100 APs per group, with a maximum support for 1000 PMK entries per AP.
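The sharing rule described in this paragraph and in the preceding Mobility Domain ID chapter (site tag by default, MDID taking precedence when defined, no distribution to standalone Flex APs, 100 APs per group) determines which APs a client can fast-roam between without a full 802.1X exchange. The following Python block models that rule so that an AP inventory can be checked before MDIDs are pushed through the open configuration model. It is an added example for readers of this guide, not Cisco code or controller behaviour taken from the product; the FlexAP class, the function names, and the sample AP names, site tags and roaming-domain values are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Limit stated for Cisco IOS XE Amsterdam 17.2.1: 100 APs per site tag or per MDID.
MAX_APS_PER_GROUP = 100


@dataclass(frozen=True)
class FlexAP:
    name: str
    site_tag: str
    mdid: Optional[str] = None   # roaming-domain from the open configuration model, if set
    standalone: bool = False     # a Flex AP in standalone mode receives no keys from the controller


def sharing_key(ap: FlexAP) -> str:
    """The PMK-cache sharing group of an AP: an MDID, if defined, takes precedence over the site tag."""
    return f"mdid:{ap.mdid}" if ap.mdid else f"site:{ap.site_tag}"


def shares_pmk_cache(a: FlexAP, b: FlexAP) -> bool:
    """True when PMK cache entries learned on one AP are distributed to the other."""
    if a.standalone or b.standalone:
        return False   # distribution depends on the controller, which a standalone AP has lost
    return sharing_key(a) == sharing_key(b)


def sharing_groups(aps: List[FlexAP]) -> Dict[str, List[str]]:
    """Group AP names by the key under which their PMK cache is shared."""
    groups: Dict[str, List[str]] = {}
    for ap in aps:
        groups.setdefault(sharing_key(ap), []).append(ap.name)
    return groups


def oversized_groups(aps: List[FlexAP]) -> List[str]:
    """Sharing groups that exceed the 100-AP limit and therefore need to be split."""
    return [key for key, members in sharing_groups(aps).items() if len(members) > MAX_APS_PER_GROUP]


# Constructed inventory (names, site tags and MDIDs are sample values).
SAMPLE_APS = [
    FlexAP("ap-1", "floor1"),
    FlexAP("ap-2", "floor1"),
    FlexAP("ap-3", "floor2", mdid="roaming_domain_2"),
    FlexAP("ap-4", "floor1", mdid="roaming_domain_2"),
    FlexAP("ap-5", "floor1", mdid="roaming_domain_3"),
]

if __name__ == "__main__":
    for key, members in sharing_groups(SAMPLE_APS).items():
        print(key, "->", ", ".join(members))
    print("oversized:", oversized_groups(SAMPLE_APS))
```

With the sample inventory, ap-3 and ap-4 share a cache although they sit in different site tags, while ap-1 and ap-4 do not share one although both are in floor1, because ap-4 carries an MDID and ap-1 does not.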
Support Guidelines
The following are the 802.11r support guidelines:
· Supports 802.11r on FlexConnect local authentication only with the Over-the-Air method of roaming. Over-the-DS (Distribution System) is not supported.
· Supports adaptive 11r for Apple clients.
· Supports both Fast Transition + 802.1x and Fast Transition + PSK.
Note: This is supported only when clients join the standalone mode AP.

Verifying 802.11r Support for Flex Local Authentication

To verify the number of PMK caches, use the show wireless pmk-cache command:
Device# show wireless pmk-cache
Number of PMK caches in total : 1

Type    Station         Entry Lifetime  VLAN Override  IP Override  Audit-Session-Id          Username
-------------------------------------------------------------------------------------------------------
DOT11R  74xx.bx5a.07xx  87              NA                          000000000000000FF3562B5D  jey

To verify the 802.11r flex roam attempts, use the show wireless client mac-address 74xx.bx5a.07xx mobility history command:

Device# show wireless client mac-address 74xx.bx5a.07xx mobility history
Recent association history (most recent on top):

AP Name         BSSID           AP Slot  Assoc Time           Instance  Mobility Role  Run Latency (ms)  Dot11 Roam Type
-----------------------------------------------------------------------------------------------------------------------
APM-9120-1-GCP  d4xx.80xx.8fxx  1        12/11/2019 18:44:37  1         Local          2                 802.11R
APM-4800-3      f4xx.e6xx.08xx  1        12/11/2019 18:43:02  1         Local          17547             N/A

Device# show wireless stats client detail | sec roam
Total 11r flex roam attempts : 1


CHAPTER 130
Opportunistic Key Caching
· Information about Opportunistic Key Caching, on page 1209
· Enabling Opportunistic Key Caching, on page 1210
· Enabling Opportunistic Key Caching (GUI), on page 1210
· Verifying Opportunistic Key Caching, on page 1210
Information about Opportunistic Key Caching
Opportunistic Key Caching (OKC) is an enhancement of the WPA2 Pairwise Master Key ID (PMKID) caching method, which is why it is also named Proactive or Opportunistic PMKID Caching. Just like PMKID caching, OKC works with WPA2-EAP. The OKC technique allows wireless clients and the WLAN infrastructure to cache only one PMK for client association with a WLAN, even when roaming between multiple APs, because they all share the original PMK that is used for the WPA2 4-way handshake. This handshake is required to generate new encryption keys every time a client reassociates with an AP. For APs to share the original PMK from a client session, they must all be under a centralized device that caches and distributes the original PMK to all the APs.
Just as in PMKID caching, the initial association to an AP is a regular first-time authentication to the corresponding WLAN, where you must complete the entire 802.1X/EAP authentication with the authentication server, and the 4-way handshake for key generation, before sending data frames.
OKC is a fast roaming technique supported by Microsoft and some Android clients. Another fast roaming method is the use of 802.11r, which is supported by Apple and a few Android clients.
OKC is enabled by default on a WLAN. This configuration enables the control of OKC on a WLAN. Disabling OKC on a WLAN disables OKC even for the OKC-supported clients. A new configuration is introduced for each WLAN in the controller in Cisco IOS XE Amsterdam 17.2.1, to disable or enable fast and secure roaming with OKC at the corresponding AP.

Enabling Opportunistic Key Caching

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wlan profile-name wlan-identifier <1-4096> ssid-network-name
Example:
Device(config)# wlan wlan-profile-name 18 san-ssid
Purpose: Enters WLAN configuration submode.
wlan-profile-name: Profile name of the configured WLAN.

Step 3
Command or Action: okc
Example:
Device(config-wlan)# okc
Purpose: Enables Opportunistic Key Caching, if not enabled. By default, the OKC feature is enabled. (Use the no form of this command to disable the OKC feature.)

Enabling Opportunistic Key Caching (GUI)
Procedure

Step 1 Choose Configuration > Tags & Profiles > WLANs.
Step 2 Click Add.
The Add WLAN dialog box is displayed.
Step 3 In the Add WLAN dialog box, click the Advanced tab and complete the following procedure:
a) In the 11ax section, check the OKC check box to disable or enable the feature. By default this feature is enabled.
b) Click Update & Apply to Device.

Verifying Opportunistic Key Caching

The following example shows how to verify whether OKC is disabled for a WLAN profile.

· Device# show wlan id 18

WLAN Profile Name                              : 18%wlanprofile
================================================
Identifier                                     : 18
Description                                    :
Network Name (SSID)                            : san-ssid
Status                                         : Disabled
Broadcast SSID                                 : Enabled
Advertise-Apname                               : Disabled
Universal AP Admin                             : Disabled
Max Associated Clients per WLAN                : 0
Max Associated Clients per AP per WLAN         : 0
Max Associated Clients per AP Radio per WLAN   : 200
OKC                                            : Disabled
Number of Active Clients                       : 0
CHD per WLAN                                   : Enabled
WMM                                            : Allowed
Channel Scan Defer Priority:
  Priority (default)                           : 5
  Priority (default)                           : 6
Scan Defer Time (msecs)                        : 100
Media Stream Multicast-direct                  : Disabled
CCX - AironetIe Support                        : Disabled
Peer-to-Peer Blocking Action                   : Disabled
Radio Policy                                   : All

· Device# show run wlan
wlan name 2 ssid-name
wlan test 24 test
wlan test2 15 test2
wlan test4 12 testssid
 radio dot11a
wlan wlan1 234 wlan1
wlan wlan2 14 wlan-aaa
 security dot1x authentication-list realm
wlan wlan7 27 wlan7
wlan test23 17 test23
wlan wlan_1 4 ssid_name
 security dot1x authentication-list authenticate_list_name
wlan wlan_3 5 ssid_3
 security wpa wpa1
 security wpa wpa1 ciphers aes
wlan wlan_8 9 ssid_name
 no security wpa
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 no security wpa akm dot1x
 security web-auth
wlan test-wlan 23 test-wlan
wlan wlan-test 1 wlan2
 mac-filtering default
wlan 18%wlanprofile 18 san-ssid
 no okc
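Because OKC is on by default, the running configuration only records the WLANs where it has been turned off, as the no okc line under 18%wlanprofile above shows. A configuration audit therefore has to look for that negative form rather than for an okc keyword. The following Python block parses text in the shape of the show run wlan output and reports the WLAN profiles with OKC disabled. It is an added example for readers of this guide, not Cisco code; the parse_wlans and wlans_with_okc_disabled functions are assumptions, and the sample text is a constructed excerpt that reuses a few of the WLAN lines shown above.

```python
import re
from typing import Dict, List

# Constructed excerpt in the shape of 'show run wlan' output; WLAN headers are
# "wlan <profile> <id> <ssid>" and per-WLAN settings are indented by one space.
SAMPLE_SHOW_RUN_WLAN = """\
wlan wlan_1 4 ssid_name
 security dot1x authentication-list authenticate_list_name
wlan wlan_3 5 ssid_3
 security wpa wpa1
 security wpa wpa1 ciphers aes
wlan test-wlan 23 test-wlan
wlan 18%wlanprofile 18 san-ssid
 no okc
"""

WLAN_HEADER = re.compile(r"^wlan (\S+) (\d+) (\S+)$")


def parse_wlans(show_run: str) -> List[Dict[str, object]]:
    """Split show-run text into one record per WLAN, tracking the OKC state of each."""
    wlans: List[Dict[str, object]] = []
    current = None
    for raw in show_run.splitlines():
        header = WLAN_HEADER.match(raw)
        if header:
            # OKC is enabled by default, so a new WLAN starts as enabled until "no okc" is seen.
            current = {"profile": header.group(1), "id": int(header.group(2)),
                       "ssid": header.group(3), "okc": True, "lines": []}
            wlans.append(current)
        elif current is not None and raw.startswith(" "):
            line = raw.strip()
            current["lines"].append(line)
            if line == "no okc":
                current["okc"] = False
    return wlans


def wlans_with_okc_disabled(show_run: str) -> List[str]:
    """Profile names of WLANs where fast roaming with OKC has been switched off."""
    return [w["profile"] for w in parse_wlans(show_run) if not w["okc"]]


if __name__ == "__main__":
    for wlan in parse_wlans(SAMPLE_SHOW_RUN_WLAN):
        state = "enabled" if wlan["okc"] else "DISABLED"
        print(f"{wlan['profile']} (id {wlan['id']}, ssid {wlan['ssid']}): OKC {state}")
```

The same parser can be pointed at the full output of show run wlan captured from a controller; only the header regex and the one-space indentation of sub-commands are assumed.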


PART IX
High Availability
· High Availability, on page 1215

CHAPTER 131
High Availability
· Feature History for High Availability, on page 1215
· Information About High Availability, on page 1216
· Prerequisites for High Availability, on page 1217
· Restrictions on High Availability, on page 1218
· Configuring High Availability (CLI), on page 1219
· Disabling High Availability, on page 1221
· Copying a WebAuth Tar Bundle to the Standby Controller, on page 1222
· System and Network Fault Handling, on page 1223
· Handling Recovery Mechanism, on page 1227
· Verifying High Availability Configurations, on page 1228
· Verifying AP or Client SSO Statistics, on page 1228
· Verifying High Availability, on page 1230
· Information About Redundancy Management Interface, on page 1233
· Configuring Redundancy Management Interface (GUI), on page 1237
· Configuring Redundancy Management Interface (CLI), on page 1238
· Configuring Gateway Monitoring (CLI), on page 1240
· Configuring Gateway Monitoring Interval (CLI), on page 1241
· Gateway Reachability Detection, on page 1241
· Monitoring the Health of the Standby Controller, on page 1243
· Monitoring the Health of Standby Parameters Using SNMP, on page 1244
· Monitoring the Health of Standby Controller Using Programmatic Interfaces, on page 1245
· Monitoring the Health of Standby Controller Using CLI, on page 1246
· Verifying the Gateway-Monitoring Configuration, on page 1249
· Verifying the RMI IPv4 Configuration, on page 1250
· Verifying the RMI IPv6 Configuration, on page 1251
· Information About Auto-Upgrade, on page 1251
· Configuration Workflow, on page 1252
· Configuring Auto-Upgrade (CLI), on page 1252
Feature History for High Availability
This table provides release and related information for the features explained in this module.

These features are available in all the releases subsequent to the one they were introduced in, unless noted otherwise.
Table 56: Feature History for High Availability

Release: Cisco IOS XE Amsterdam 17.1.1s
Feature: Redundant Management Interface
Feature Information: The Redundancy Management Interface (RMI) is used as a secondary link between the active and standby controllers. This interface is the same as the Wireless Management Interface and the IP address on this interface is configured in the same subnet as the Wireless Management Interface.

Release: Cisco IOS XE Bengaluru 17.4.1
Feature: Gateway Reachability Detection
Feature Information: The gateway reachability feature minimizes the downtime on APs and clients when gateway reachability is lost on the active controller.

Release: Cisco IOS XE Bengaluru 17.5.1
Feature: Standby Monitoring Enhancements
Feature Information: The Standby Monitoring Enhancements feature monitors the standby CPU or memory information from the active controller. Also, this feature independently monitors the standby controller using SNMP for the interface MIB. The cLHaPeerHotStandbyEvent and cLHaPeerHotStandbyEvent MIB objects in CISCO-HA-MIB are used to monitor the standby HA status.

Release: Cisco IOS XE Bengaluru 17.5.1
Feature: Auto-Upgrade
Feature Information: The auto-upgrade feature enables the standby controller to upgrade to the active controller's software image, so that both controllers can form a high availability (HA) pair.

Information About High Availability
High Availability (HA) allows you to reduce the downtime of wireless networks that occurs due to the failover of controllers. The HA Stateful Switch Over (SSO) capability on the controller allows APs to establish a CAPWAP tunnel with the active controller. The active controller shares a mirror copy of the AP and client database with the standby controller. The APs do not go into the discovery state and clients do not disconnect when the active controller fails. The standby controller takes over the network as the active controller. Only one CAPWAP tunnel is maintained between the APs and the controller that is in an active state.
HA supports full AP and client SSO. Client SSO is supported only for clients that have completed the authentication and DHCP phase, and have started passing traffic. With Client SSO, the client information is synced to the standby controller when the client associates to the controller or when the client parameters change. Fully authenticated clients, for example, the ones in RUN state, are synced to the standby. Thus, client reassociation is avoided on switchover making the failover seamless for the APs and clients, resulting in zero client service downtime and zero SSID outage. This feature reduces major downtime in wireless networks due to failure conditions such as box failover, network failover, or power outage on the primary site.

Note
· In HA mode, the RP port shut or no shut should not be performed during the controller bootup.


Note When the controller works as a host for spanning tree, ensure that you configure portfast trunk, using spanning-tree port type edge trunk or spanning-tree portfast trunk commands, in the uplink switch to ensure faster convergence.
Note You can configure FIPS in HA setup. For information, see the Configuring FIPS in HA Setup.
Note The IPv4 secondary address is used internally for RMI purpose. So, it is not recommended to configure the secondary IPv4 address. In case of IPv6, only one management IPv6 is allowed, secondary address is configured for RMI-IPv6 purpose. It is not recommended to have more than one IPv6 management on the Wireless Management Interface (WMI). More than one management IPv4 and IPv6 addresses on WMI can result in unpredictable behaviour.
Prerequisites for High Availability
External Interfaces and IPs
Because all the interfaces are configured only on the Active box but are synchronized with the Standby box, the same set of interfaces is configured on both controllers. From external nodes, the interfaces connect to the same IP addresses, irrespective of the controllers they are connected to. For this purpose, the APs, clients, DHCP, Cisco Prime Infrastructure, Cisco DNA Center, and Cisco Identity Services Engine (ISE) servers, and other controller members in the mobility group always connect to the same IP address. The SSO switchover is transparent to them. But if there are TCP connections from external nodes to the controller, the TCP connections need to be reset and reestablished.
HA Interfaces
The HA interface serves the following purposes:
· Provides connectivity between the controller pair before an IOSd comes up.
· Provides IPC transport across the controller pair.
· Enables redundancy across control messages exchanged between the controller pair. The control messages can be HA role resolution, keepalives, notifications, HA statistics, and so on.
You can select either SFP or RJ-45 connection for the HA port. Supported Cisco SFPs are:
· GLC-SX-MMD
· GLC-LH-SMD


When either SFP or RJ-45 connection is present, HA works between the two controllers. The SFP HA connectivity takes priority over RJ-45 HA connectivity. If SFP is connected when RJ-45 HA is up and running, the HA pair reloads. The reload occurs even if the link between the SFPs isn't connected.

Note
· It is recommended to have a dedicated physical NIC and vSwitch for RP when the HA pair is deployed across two host machines. This avoids any keepalive losses and false HA switchovers or alarms.
· Disable security scans on VMware virtual instances.

Restrictions on High Availability
· For a fail-safe SSO, wait till you receive the switchover event after completing configuration synchronization on the standby controller. If the standby controller has just been booted up, we recommend that you wait x minutes before the controller can handle switchover events without any problem. The value of x can change based on the platform. For example, a Cisco 9800-80 Series Controller running to its maximum capacity can take up to 24 minutes to complete the configuration synchronization before being ready for SSO. You can use the show wireless stats redundancy config database command to view the database-related statistics.
· The flow states of the NBAR engine are lost during a switchover in an HA scenario in local mode. Because of this, the classification of flows will restart, leading to incorrect packet classification as the first packet of the flow is missed.
· The HA connection supports only IPv4.
· A switchover or an active reload forces the high availability link down from the new primary.
· Hyperthreading is not supported; if it is enabled, HA keepalives are lost, which results in a stack merge.
· Standby RMI interface does not support Web UI access.
· Two HA interfaces (RMI and RP) must be configured on the same subnet, and the subnet cannot be shared with any other interfaces on the device.
· It is not possible to synchronize a TCP session state because a TCP session cannot survive after a switchover, and needs to be reestablished.
· The Client SSO does not address clients that have not reached the RUN state because they are removed after a switchover.
· Statistics tables are not synced from active to standby controller.
· Machine snapshot of a VM hosting controller HA interfaces is not supported. It may lead to a crash in the HA controller.
· Mobility-side restriction: Clients which are not in RUN state will be forcefully reauthenticated after switchover.
· The following application classification may not be retained after the SSO:


· AVC limitation--After a switchover, the context transfer or synchronization to the Standby box does not occur and the new active flow needs to be relearned. The AVC QoS does not take effect during classification failure.
· A voice call cannot be recognized after a switchover because a voice policy is based on RTP or RTCP protocol.
· Auto QoS is not effective because of AVC limitation.
· The active controller and the standby controller must be paired with the same interface for virtual platforms. For hardware appliance, there is a dedicated HA port.
· Static IP addressing can synch to standby, but the IP address cannot be used from the standby controller.
· You can map a dedicated HA port to a 1 GB interface only.
· To use EtherChannels in HA mode in releases until, and including, Cisco IOS XE Gibraltar 16.12.x, ensure that the channel mode is set to On.
· Etherchannel Auto-mode is not supported in HA mode in releases until, and including, Cisco IOS XE Gibraltar 16.12.x.
· LACP and PAgP are not supported in HA mode in releases until, and including, Cisco IOS XE Gibraltar 16.12.x.
· When the controller works as a host for spanning tree, ensure that you configure portfast trunk in the uplink switch using spanning-tree port type edge trunk or spanning-tree portfast trunk command to ensure faster convergence.
· The clear chassis redundancy and write erase commands will not reset the chassis priority to the default value.
· While configuring devices in HA, the members must not have wireless trustpoint with the same name and different keys. In such a scenario, if you form an HA pair between the two standalone controllers, the wireless trustpoint does not come up after a subsequent SSO. The reason being the rsa keypair file exists but it is incorrect as the nvram:private-config file is not synched with the actual WLC_WLC_TP key pair. As a best practice, before forming an HA, it is recommended to delete the existing certificates and keys in each of the controllers which were previously deployed as standalone.
· After a switchover, when the recovery is in progress, do not configure the WLAN or WLAN policy. In case you configure, the controller can crash.
· After a switchover, clients that are not in RUN state and not connected to an AP are deleted after 300 seconds.
Configuring High Availability (CLI)
Before you begin
The active and standby controllers must be in the same mode, either Install mode or Bundle mode, with the same image version. We recommend that you use Install mode.

Procedure

Step 1: chassis chassis-num priority chassis-priority
Example:
Device# chassis 1 priority 1
Purpose: (Optional) Configures the priority of the specified device.
Note: From Cisco IOS XE Gibraltar 16.12.x onwards, a device reload is not required for the chassis priority to become effective.
· chassis-num--Enter the chassis number. The range is from 1 to 2.
· chassis-priority--Enter the chassis priority. The range is from 1 to 2. The default value is 1.
Note: When both devices boot up at the same time, the device with the higher priority (2) becomes active, and the other one becomes standby. If both devices are configured with the same priority value, the one with the smaller MAC address acts as active and its peer acts as standby.

Step 2: chassis redundancy ha-interface GigabitEthernet num local-ip local-chassis-ip-addr network-mask remote-ip remote-chassis-ip-addr
Example:
Device# chassis redundancy ha-interface GigabitEthernet 2 local-ip 4.4.4.1 /24 remote-ip 4.4.4.2
Purpose: Configures the chassis high availability parameters.
· num--GigabitEthernet interface number. The range is from 0 to 32.
· local-chassis-ip-addr--Enter the IP address of the local chassis HA interface.
· network-mask--Enter the network mask or prefix length in the /nn or A.B.C.D format.
· remote-chassis-ip-addr--Enter the remote chassis IP address.

Step 3: chassis redundancy keep-alive timer timer
Example:
Device# chassis redundancy keep-alive timer 6
Purpose: Configures the peer keepalive timeout value. The time interval is set in multiples of 100 ms (enter 1 for the default).

Step 4: chassis redundancy keep-alive retries retry-value
Example:
Device# chassis redundancy keep-alive retries 8
Purpose: Configures the number of peer keepalive retries before the peer is declared down. The default value is 5.

Disabling High Availability
If the controller is configured using the RP method of SSO configuration, use the following command to clear all the HA-related parameters, such as local IP, remote IP, HA interface, mask, timeout, and priority:
clear chassis redundancy
If the controller is configured using the RMI method, use the following command:
no redun-management interface vlan chassis

Note Reload the devices for the changes to take effect.
After the HA unpairing, the standby controller startup configuration and the HA configuration will be cleared and standby will go to Day 0.
Before the command is executed, the user is prompted with the following warning on the active controller:
Device# clear chassis redundancy
WARNING: Clearing the chassis HA configuration will result in both the chassis move into Stand Alone mode. This involves reloading the standby chassis after clearing its HA configuration and startup configuration which results in standby chassis coming up as a totally clean after reboot. Do you wish to continue? [y/n]? [yes]:
*Apr 3 23:42:22.985: received clear chassis.. ha_supported:1yes
WLC#
*Apr 3 23:42:25.042: clearing peer startup config
*Apr 3 23:42:25.042: chkpt send: sent msg type 2 to peer..
*Apr 3 23:42:25.043: chkpt send: sent msg type 1 to peer..
*Apr 3 23:42:25.043: Clearing HA configurations
*Apr 3 23:42:26.183: Successfully sent Set chassis mode msg for chassis 1.chasfs file updated
*Apr 3 23:42:26.359: %IOSXE_REDUNDANCY-6-PEER_LOST: Active detected chassis 2 is no longer standby
On the standby controller, the following messages indicate that the configuration is being cleared:
Device-stby#
*Apr 3 23:40:40.537: mcprp_handle_spa_oir_tsm_event: subslot 0/0 event=2
*Apr 3 23:40:40.537: spa_oir_tsm subslot 0/0 TSM: during state ready, got event 3(ready)
*Apr 3 23:40:40.537: @@@ spa_oir_tsm subslot 0/0 TSM: ready -> ready
*Apr 3 23:42:25.041: Removing the startup config file on standby
!Standby controller is reloaded after clearing the chassis.

Copying a WebAuth Tar Bundle to the Standby Controller
Use the following procedure to copy a WebAuth tar bundle to the standby controller, in a high-availability configuration.
Procedure

Step 1: Choose Administration > Management > Backup & Restore.
Step 2: From the Copy drop-down list, choose To Device.
Step 3: From the File Type drop-down list, choose WebAuth Bundle.
Step 4: From the Transfer Mode drop-down list, choose TFTP, SFTP, FTP, or HTTP. The Server Details options change based on the file transfer option selected.
· TFTP
  · IP Address (IPv4/IPv6): Enter the server IP address (IPv4 or IPv6) of the TFTP server that you want to use.
  · File Path: Enter the file path. The file path should start with a slash (/path).
  · File Name: Enter a file name. The file name should not contain spaces. Underscores (_) and hyphens (-) are the only special characters that are supported. Ensure that the file name ends with .tar, for example, webauthbundle.tar.
· SFTP
  · IP Address (IPv4/IPv6): Enter the server IP address (IPv4 or IPv6) of the SFTP server that you want to use.
  · File Path: Enter the file path. The file path should start with a slash (/path).
  · File Name: Enter a file name. The file name should not contain spaces. Underscores (_) and hyphens (-) are the only special characters that are supported. Ensure that the file name ends with .tar, for example, webauthbundle.tar.
  · Server Login UserName: Enter the SFTP server login user name.
  · Server Login Password: Enter the SFTP server login passphrase.
· FTP
  · IP Address (IPv4/IPv6): Enter the server IP address (IPv4 or IPv6) of the FTP server that you want to use.
  · File Path: Enter the file path. The file path should start with a slash (/path).
  · File Name: Enter a file name. The file name should not contain spaces. Underscores (_) and hyphens (-) are the only special characters that are supported. Ensure that the file name ends with .tar, for example, webauthbundle.tar.
  · Logon Type: Choose the login type as either Anonymous or Authenticated. If you choose Authenticated, the following fields are activated:
    · Server Login UserName: Enter the FTP server login user name.
    · Server Login Password: Enter the FTP server login passphrase.
· HTTP
  · Source File Path: Click Select File to select the configuration file, and click Open.
Step 5: Click the Yes or No radio button to back up the existing startup configuration to Flash. Save the configuration to Flash to propagate the WebAuth bundle to other members, including the standby controller. If you do not save the configuration to Flash, the WebAuth bundle is not propagated to other members, including the standby controller.
Step 6: Click Download File.

System and Network Fault Handling

If the standby controller crashes, it reboots and comes up as the standby controller. A bulk sync follows, causing the standby to become hot. If the active controller crashes, the standby becomes active. The new active controller assumes the role of primary and tries to detect a dual-active condition.
The following matrices show the conditions under which a controller switchover is triggered:
Table 57: System and Network Fault Handling

System issues:
Trigger | RP Link Status | Peer Reachability through RMI | Switchover | Result
Critical process crash | Up | Reachable | Yes | Switchover happens.
Forced switchover | Up | Reachable | Yes | Switchover happens.
Critical process crash | Up | Unreachable | Yes | Switchover happens.
Forced switchover | Up | Unreachable | Yes | Switchover happens.
Critical process crash | Down | Reachable | No | No action. One controller in recovery mode.
Forced switchover | Down | Reachable | N/A | No action. One controller in recovery mode.
Critical process crash | Down | Unreachable | No | Double fault, as mentioned in Network Error handling.
Forced switchover | Down | Unreachable | N/A | Double fault, as mentioned in Network Error handling.

Network issues:
RP Link | Peer Reachability through RMI | Gateway from Active | Gateway from Standby | Switchover | Result
Up | Reachable | Reachable | Reachable | No SSO | No action.
Up | Reachable | Reachable | Unreachable | No SSO | No action. Standby is not ready for SSO in this state, as it does not have gateway reachability. The standby is shown to be in standby-recovery mode. If the RP goes down, the standby (in recovery mode) becomes active.
Up | Reachable | Unreachable | Reachable | SSO | Gateway reachability message is exchanged over the RMI + RP links. Active reboots so that the standby becomes active.
Up | Reachable | Unreachable | Unreachable | No SSO | In this state, when the active SVI goes down, the standby SVI also goes down. A switchover is then triggered. If the new active discovers its gateway to be reachable, the system stabilizes in Active Standby Recovery mode. Otherwise, switchovers happen in a ping-pong fashion.
Up | Unreachable | Reachable | Reachable | No SSO | No action.
Up | Unreachable | Reachable | Unreachable | No SSO | Standby is not ready for SSO in this state, as it does not have gateway reachability. Standby moves into recovery mode as LMP messages are exchanged over the RP link.
Up | Unreachable | Unreachable | Reachable | SSO | Gateway reachability message is exchanged over the RP link. Active reboots so that the standby becomes active.
Up | Unreachable | Unreachable | Unreachable | No SSO | In this state, when the active SVI goes down, the standby SVI also goes down. A switchover is then triggered. If the new active discovers its gateway to be reachable, the system stabilizes in Active Standby Recovery mode. Otherwise, switchovers happen in a ping-pong fashion.
Down | Reachable | Reachable | Reachable | No SSO | Standby detects the presence of the active over the RMI link and avoids a switchover when the RP link goes down. In such a case, the standby goes into recovery mode. This mode is represented through the suffix rp-rec-mode in the hostname. The standby in recovery mode reloads when the RP link comes up. Single faults are gracefully handled in the system.
Down | Reachable | Reachable | Unreachable | No SSO | Same as above.
Down | Reachable | Unreachable | Unreachable | No SSO | Same as above.
Down | Reachable | Unreachable | Unreachable | No SSO | Same as above.
Down | Unreachable | Reachable | Reachable | SSO | Double fault: this may result in a network conflict, as there will be two active controllers. Standby becomes active. Old active also exists. Role negotiation has to happen once the connectivity is restored, and the active that came up last is kept.
Down | Unreachable | Reachable | Unreachable | SSO | Same as above.
Down | Unreachable | Unreachable | Reachable | SSO | Same as above.
Down | Unreachable | Unreachable | Unreachable | SSO | Same as above.

Handling Recovery Mechanism
Active to Active Recovery
· When the RP is down and the RMI is up at boot up, Active Recovery occurs.
· When HA is stable (active - standby), if the RMI goes down first and then the RP goes down next, and later the RMI comes up before the RP comes up, Active to Active Recovery occurs. Once the RP is up, the Active Recovery reloads and HA is formed.
Standby to Standby Recovery
· When the standby goes to Standby Recovery for the gateway alone, once the gateway is up, HA comes up without any reboot.
· When the standby goes to Standby Recovery for RP down, once the RP is up, the standby recovery reboots automatically and HA is formed.

Verifying High Availability Configurations
To view the HA configuration details, use the following command:
Device# show romvar
ROMMON variables:
LICENSE_BOOT_LEVEL =
MCP_STARTUP_TRACEFLAGS = 00000000:00000000
BOOTLDR =
CRASHINFO = bootflash:crashinfo_RP_00_00_20180202-034353-UTC
STACK_1_1 = 0_0
CONFIG_FILE =
BOOT = bootflash:boot_image_test,1;bootflash:boot_image_good,1;bootflash:rp_super_universalk9.vwlc.bin,1;
RET_2_RTS =
SWITCH_NUMBER = 1
CHASSIS_HA_REMOTE_IP = 10.0.1.9
CHASSIS_HA_LOCAL_IP = 10.0.1.10
CHASSIS_HA_LOCAL_MASK = 255.255.255.0
CHASSIS_HA_IFNAME = GigabitEthernet2
CHASSIS_HA_IFMAC = 00:0C:29:C9:12:0B
RET_2_RCALTS =
BSI = 0
RANDOM_NUM = 647419395
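Step 2 of the CLI procedure (chassis redundancy ha-interface) and the show romvar output above describe the same RP link settings from two ends. The following Python script, added here as an example and not part of Cisco's documentation or software, parses the ROMMON listing, checks the CHASSIS_HA_* variables against the rules the procedure states (local and remote addresses in one subnet, GigabitEthernet number 0 to 32, chassis number 1 to 2) and renders the equivalent ha-interface command; the sample text is constructed from the output shown above.

```python
"""Consistency check for the RP (HA interface) settings that 'show romvar'
reports on a Catalyst 9800. Added example, not Cisco code."""
import ipaddress
import re

# Constructed from the 'show romvar' output reproduced in this section.
SAMPLE_ROMVAR = """\
ROMMON variables:
LICENSE_BOOT_LEVEL =
MCP_STARTUP_TRACEFLAGS = 00000000:00000000
BOOTLDR =
CRASHINFO = bootflash:crashinfo_RP_00_00_20180202-034353-UTC
STACK_1_1 = 0_0
CONFIG_FILE =
BOOT = bootflash:boot_image_test,1;bootflash:boot_image_good,1;bootflash:rp_super_universalk9.vwlc.bin,1;
RET_2_RTS =
SWITCH_NUMBER = 1
CHASSIS_HA_REMOTE_IP = 10.0.1.9
CHASSIS_HA_LOCAL_IP = 10.0.1.10
CHASSIS_HA_LOCAL_MASK = 255.255.255.0
CHASSIS_HA_IFNAME = GigabitEthernet2
CHASSIS_HA_IFMAC = 00:0C:29:C9:12:0B
RET_2_RCALTS =
BSI = 0
RANDOM_NUM = 647419395
"""

_VAR_RE = re.compile(r"^\s*([A-Z0-9_]+)\s*=\s*(.*?)\s*$")
_GIG_RE = re.compile(r"GigabitEthernet(\d+)")


def parse_romvar(text):
    """Return the ROMMON variables as a dict; empty values are kept as ''."""
    variables = {}
    for line in text.splitlines():
        m = _VAR_RE.match(line)
        if m:
            variables[m.group(1)] = m.group(2)
    return variables


def _local_network(variables):
    # The mask may be dotted (A.B.C.D) or a prefix length (/nn), as in the CLI.
    mask = variables["CHASSIS_HA_LOCAL_MASK"].lstrip("/")
    return ipaddress.ip_network(f"{variables['CHASSIS_HA_LOCAL_IP']}/{mask}", strict=False)


def check_ha_vars(variables):
    """Validate the CHASSIS_HA_* variables against the procedure's rules.

    Returns a list of problem strings; an empty list means the settings are
    consistent."""
    required = ("CHASSIS_HA_LOCAL_IP", "CHASSIS_HA_REMOTE_IP",
                "CHASSIS_HA_LOCAL_MASK", "CHASSIS_HA_IFNAME")
    missing = [k for k in required if not variables.get(k)]
    if missing:
        # No HA variables at all: the pair was never formed or was cleared.
        return ["missing: " + ", ".join(missing)]

    problems = []
    try:
        net = _local_network(variables)
        local = ipaddress.ip_address(variables["CHASSIS_HA_LOCAL_IP"])
        remote = ipaddress.ip_address(variables["CHASSIS_HA_REMOTE_IP"])
    except ValueError as exc:
        return [f"unparseable address or mask: {exc}"]

    if local == remote:
        problems.append("local and remote RP addresses are identical")
    if remote not in net:
        problems.append(f"remote {remote} is outside the local RP subnet {net}")

    # The documented form is GigabitEthernet<num> with num from 0 to 32.
    m = _GIG_RE.fullmatch(variables["CHASSIS_HA_IFNAME"])
    if not m or not 0 <= int(m.group(1)) <= 32:
        problems.append(f"unexpected HA interface {variables['CHASSIS_HA_IFNAME']!r}")

    sw = variables.get("SWITCH_NUMBER")
    if sw not in ("1", "2"):
        problems.append(f"SWITCH_NUMBER {sw!r} is not a valid chassis number (1-2)")
    return problems


def ha_interface_command(variables):
    """Render the 'chassis redundancy ha-interface' command these variables imply."""
    num = _GIG_RE.fullmatch(variables["CHASSIS_HA_IFNAME"]).group(1)
    prefix = _local_network(variables).prefixlen
    return (f"chassis redundancy ha-interface GigabitEthernet {num} "
            f"local-ip {variables['CHASSIS_HA_LOCAL_IP']} /{prefix} "
            f"remote-ip {variables['CHASSIS_HA_REMOTE_IP']}")


if __name__ == "__main__":
    v = parse_romvar(SAMPLE_ROMVAR)
    print(ha_interface_command(v))
    print(check_ha_vars(v) or "HA interface settings are consistent")
```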

Verifying AP or Client SSO Statistics

To view the AP SSO statistics, use the following command:
Device# show wireless stat redundancy statistics ap-recovery wnc all
AP SSO Statistics

Inst Timestamp     Dura(ms) #APs #Succ #Fail Avg(ms) Min(ms) Max(ms)
------------------------------------------------------------------------------
0    00:06:29.042  98       34   34    0     2       1       35
1    00:06:29.057  56       33   30    3     1       1       15
2    00:06:29.070  82       33   33    0     2       1       13

Statistics:
WNCD Instance : 0
No. of AP radio recovery failures : 0
No. of AP BSSID recovery failures : 0
No. of CAPWAP recovery failures : 0
No. of DTLS recovery failures : 0
No. of reconcile message send failed : 0
No. of reconcile message successfully sent : 34
No. of Mesh BSSID recovery failures : 0
No. of Partial delete cleanup done : 0
...
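The per-WNCD table above is what an operator reads after a switchover to confirm that every AP was recovered. The following Python script, added here as an example and not part of Cisco's documentation or software, parses that table and raises a finding for any instance with failed APs, with counts that do not add up, or with a recovery that exceeded a caller-supplied duration limit; the sample text is constructed from the output shown above.

```python
"""Audit the table printed by 'show wireless stat redundancy statistics
ap-recovery wnc all'. Added example, not Cisco code."""
import re
from dataclasses import dataclass

# Constructed from the AP SSO Statistics output reproduced in this section.
SAMPLE_AP_SSO = """\
AP SSO Statistics
Inst Timestamp     Dura(ms) #APs #Succ #Fail Avg(ms) Min(ms) Max(ms)
------------------------------------------------------------------------------
0    00:06:29.042  98       34   34    0     2       1       35
1    00:06:29.057  56       33   30    3     1       1       15
2    00:06:29.070  82       33   33    0     2       1       13
Statistics:
WNCD Instance : 0
No. of AP radio recovery failures : 0
"""

# One data row: instance, HH:MM:SS.mmm timestamp, then seven integer columns.
_ROW_RE = re.compile(
    r"^\s*(\d+)\s+(\d{2}:\d{2}:\d{2}\.\d{3})"
    r"\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


@dataclass(frozen=True)
class ApSsoRow:
    inst: int
    timestamp: str
    duration_ms: int
    aps: int
    succ: int
    fail: int
    avg_ms: int
    min_ms: int
    max_ms: int


def parse_ap_sso(text):
    """Return one ApSsoRow per WNCD instance; header and summary lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = _ROW_RE.match(line)
        if m:
            inst, ts, *nums = m.groups()
            rows.append(ApSsoRow(int(inst), ts, *map(int, nums)))
    return rows


def audit_ap_sso(rows, max_duration_ms=None):
    """Return (summary, findings).

    A finding is raised when an instance reports failed APs, when
    #Succ + #Fail does not equal #APs (a sign the output was truncated or
    mis-parsed), or when recovery took longer than max_duration_ms."""
    findings = []
    total_aps = total_fail = 0
    for r in rows:
        total_aps += r.aps
        total_fail += r.fail
        if r.succ + r.fail != r.aps:
            findings.append(
                f"wncd {r.inst}: counts do not add up ({r.succ}+{r.fail} != {r.aps})")
        if r.fail:
            findings.append(
                f"wncd {r.inst}: {r.fail} of {r.aps} APs failed recovery at {r.timestamp}")
        if max_duration_ms is not None and r.duration_ms > max_duration_ms:
            findings.append(
                f"wncd {r.inst}: recovery took {r.duration_ms} ms (limit {max_duration_ms})")
    summary = {
        "instances": len(rows),
        "aps": total_aps,
        "failed": total_fail,
        "longest_ms": max((r.duration_ms for r in rows), default=0),
    }
    return summary, findings


if __name__ == "__main__":
    summary, findings = audit_ap_sso(parse_ap_sso(SAMPLE_AP_SSO))
    print(summary)
    for f in findings:
        print("FINDING:", f)
```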

To view the Client SSO statistics, use the following command:

Device# show wireless stat redundancy client-recovery wncd all
Client SSO statistics
----------------------
WNCD instance : 1
Reconcile messages received from AP : 1
Reconcile clients received from AP : 1
Recreate attempted post switchover : 1
Recreate attempted by SANET Lib : 0
Recreate attempted by DOT1x Lib : 0
Recreate attempted by SISF Lib : 0
Recreate attempted by SVC CO Lib : 1
Recreate attempted by Unknown Lib : 0
Recreate succeeded post switchover : 1
Recreate Failed post switchover : 0
Stale client entries purged post switchover : 0
Partial delete during heap recreate : 0
Partial delete during force purge : 0
Partial delete post restart : 0
Partial delete due to AP recovery failure : 0
Partial delete during reconcilation : 0
Client entries in shadow list during SSO : 0
Client entries in shadow default state during SSO : 0
Client entries in poison list during SSO : 0
Invalid bssid during heap recreate : 0
Invalid bssid during force purge : 0
BSSID mismatch with shadow rec during reconcilation : 0
BSSID mismatch with shadow rec reconcilation(WGB client) : 0
BSSID mismatch with dot11 rec during heap recreate : 0
AID mismatch with dot11 rec during force purge : 0
AP slotid mismatch during reconcilation : 0
Zero aid during heap recreate : 0
AID mismatch with shadow rec during reconcilation : 0
AP slotid mismatch shadow rec during reconcilation : 0
Client shadow record not present : 0

To view the mobility details, use the following command:

Device# show wireless stat redundancy client-recovery mobilityd
Mobility Client Deletion Reason Statistics
-------------------------------------------
Mobility Incomplete State : 0
Inconsistency in WNCD & Mobility : 0
Partial Delete : 0

General statistics
-------------------
Cleanup sent to WNCD, Missing Delete case : 0

To view the Client SSO statistics for SISF, use the following command:

Device# show wireless stat redundancy client-recovery sisf
Client SSO statistics for SISF
--------------------------------
Number of recreate attempted post switchover : 1
Number of recreate succeeded post switchover : 1
Number of recreate failed because of no mac : 0
Number of recreate failed because of no ip : 0
Number of ipv4 entry recreate success : 1
Number of ipv4 entry recreate failed : 0
Number of ipv6 entry recreate success : 0
Number of ipv6 entry recreate failed : 0
Number of partial delete received : 0
Number of client purge attempted : 0
Number of heap and db entry purge success : 0
Number of purge success for db entry only : 0
Number of client purge failed : 0
Number of garp sent : 1
Number of garp failed : 0
Number of IP entries validated in cleanup : 0
Number of IP entry address errors in cleanup : 0
Number of IP entry deleted in cleanup : 0
Number of IP entry delete failed in cleanup : 0
Number of IP table create callbacks on standby : 0
Number of IP table modify callbacks on standby : 0
Number of IP table delete callbacks on standby : 0
Number of MAC table create callbacks on standby : 1
Number of MAC table modify callbacks on standby : 0
Number of MAC table delete callbacks on standby : 0

To view the HA redundancy summary, use the following command:
Device# show wireless stat redundancy summary
HA redundancy summary
---------------------
AP recovery duration (ms) : 264
SSO HA sync timer expired : No

Verifying High Availability

Table 58: Commands for Monitoring Chassis and Redundancy

Command Name | Description
show chassis | Displays the chassis information.
Note: When the peer timeout and retries are configured, the show chassis ha-status command output may show incorrect values. To check the peer keep-alive timer and retries, use the following commands:
· show platform software stack-mgr chassis active r0 peer-timeout
· show platform software stack-mgr chassis standby r0 peer-timeout
show redundancy | Displays details about the Active box and the Standby box.
show redundancy switchover history | Displays the switchover counts, the switchover reason, and the switchover time.

To start the packet capture on the redundancy HA port (RP), use the following commands:
· test wireless redundancy packetdump start
· test wireless redundancy packetdump stop
· test wireless redundancy packetdump start filter port 2300

Device# test wireless redundancy packetdump start
Redundancy Port PacketDump Start
Packet capture started on RP port.

Device# test wireless redundancy packetdump stop
Redundancy Port PacketDump Stop
Packet capture stopped on RP port.

Device# dir bootflash:
Directory of bootflash:/

1062881  drwx        151552  Oct 20 2020 23:15:25 +00:00  tracelogs
     47  -rw-         20480  Oct 20 2020 23:15:24 +00:00  haIntCaptureLo.pcap
1177345  drwx          4096  Oct 20 2020 19:56:14 +00:00  certs
 294337  drwx          8192  Oct 20 2020 19:56:05 +00:00  license_evlog
     15  -rw-           676  Oct 20 2020 19:56:01 +00:00  vlan.dat
     14  -rw-            30  Oct 20 2020 19:55:16 +00:00  throughput_monitor_params
     13  -rw-        134808  Oct 20 2020 19:54:57 +00:00  memleak.tcl
1586145  drwx          4096  Oct 20 2020 19:54:45 +00:00  .inv
1103761  drwx          4096  Oct 20 2020 19:54:39 +00:00  dc_profile_dir
     17  -r--           114  Oct 20 2020 19:54:17 +00:00  debug.conf
1389921  drwx          4096  Oct 20 2020 19:54:17 +00:00  .installer
     46  -rw-    1104760207  Oct 20 2020 19:26:41 +00:00  leela_katar_rping_test.SSA.bin
  49057  drwx          4096  Oct 20 2020 16:11:21 +00:00  .prst_sync
     45  -rw-    1104803200  Oct 20 2020 15:39:19 +00:00  C9800-L-universalk9_wlc.2020-10-20_14.57_yavadhan.SSA.bin
 269809  drwx          4096  Oct 19 2020 23:41:49 +00:00  core
     44  -rw-    1104751981  Oct 19 2020 17:42:12 +00:00  C9800-L-universalk9_wlc.BLD_POLARIS_DEV_LATEST_20201018_053825_2.SSA.bin
     43  -rw-    1104286975  Oct 16 2020 12:05:47 +00:00  C9800-L-universalk9_wlc.BLD_POLARIS_DEV_LATEST_20201010_001654_2.SSA.bin

Device# test wireless redundancy packetdump start filter port 2300
Redundancy Port PacketDump Start
Packet capture started on RP port with port filter 2300.

To check the connection between the two HA ports (RP) and check whether there are any drops, delays, or jitter in the connection, use the following command:
Device# test wireless redundancy rping
Redundancy Port ping
PING 169.254.64.60 (169.254.64.60) 56(84) bytes of data.
64 bytes from 169.254.64.60: icmp_seq=1 ttl=64 time=0.083 ms
64 bytes from 169.254.64.60: icmp_seq=2 ttl=64 time=0.091 ms
64 bytes from 169.254.64.60: icmp_seq=3 ttl=64 time=0.074 ms

--- 169.254.64.60 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2041ms
rtt min/avg/max/mdev = 0.074/0.082/0.091/0.007 ms
To see the HA port interface setting status, use the show platform hardware slot R0 ha_port interface stats command.

Device# show platform hardware slot R0 ha_port interface stats
HA Port
ha_port   Link encap:Ethernet  HWaddr 70:18:a7:c8:80:70
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Memory:e0900000-e0920000

Settings for ha_port:
    Supported ports: [ TP ]
    Supported link modes: 10baseT/Half 10baseT/Full 100baseT/Half 100baseT/Full 1000baseT/Full
    Supported pause frame use: Symmetric
    Supports auto-negotiation: Yes
    Supported FEC modes: Not reported
    Advertised link modes: 10baseT/Half 10baseT/Full 100baseT/Half 100baseT/Full 1000baseT/Full
    Advertised pause frame use: Symmetric
    Advertised auto-negotiation: Yes
    Advertised FEC modes: Not reported
    Speed: Unknown!
    Duplex: Unknown! (255)
    Port: Twisted Pair
    PHYAD: 1
    Transceiver: internal
    Auto-negotiation: on
    MDI-X: off (auto)
    Supports Wake-on: pumbg
    Wake-on: g
    Current message level: 0x00000007 (7)
                           drv probe link
    Link detected: no
NIC statistics:
    rx_packets: 0
    tx_packets: 0
    rx_bytes: 0
    tx_bytes: 0
    rx_broadcast: 0
    tx_broadcast: 0
    rx_multicast: 0
    tx_multicast: 0
    multicast: 0
    collisions: 0
    rx_crc_errors: 0
    rx_no_buffer_count: 0
    rx_missed_errors: 0
    tx_aborted_errors: 0
    tx_carrier_errors: 0
    tx_window_errors: 0
    tx_abort_late_coll: 0
    tx_deferred_ok: 0
    tx_single_coll_ok: 0
    tx_multi_coll_ok: 0
    tx_timeout_count: 0
    rx_long_length_errors: 0
    rx_short_length_errors: 0
    rx_align_errors: 0
    tx_tcp_seg_good: 0
    tx_tcp_seg_failed: 0
    rx_flow_control_xon: 0
    rx_flow_control_xoff: 0
    tx_flow_control_xon: 0
    tx_flow_control_xoff: 0
    rx_long_byte_count: 0
    tx_dma_out_of_sync: 0
    tx_smbus: 0
    rx_smbus: 0
    dropped_smbus: 0
    os2bmc_rx_by_bmc: 0
    os2bmc_tx_by_bmc: 0
    os2bmc_tx_by_host: 0
    os2bmc_rx_by_host: 0
    tx_hwtstamp_timeouts: 0
    rx_hwtstamp_cleared: 0
    rx_errors: 0
    tx_errors: 0
    tx_dropped: 0
    rx_length_errors: 0
    rx_over_errors: 0
    rx_frame_errors: 0
    rx_fifo_errors: 0
    tx_fifo_errors: 0
    tx_heartbeat_errors: 0
    tx_queue_0_packets: 0
    tx_queue_0_bytes: 0
    tx_queue_0_restart: 0
    tx_queue_1_packets: 0
    tx_queue_1_bytes: 0
    tx_queue_1_restart: 0
    rx_queue_0_packets: 0
    rx_queue_0_bytes: 0
    rx_queue_0_drops: 0
    rx_queue_0_csum_err: 0
    rx_queue_0_alloc_failed: 0
    rx_queue_1_packets: 0
    rx_queue_1_bytes: 0
    rx_queue_1_drops: 0
    rx_queue_1_csum_err: 0
    rx_queue_1_alloc_failed: 0

Information About Redundancy Management Interface
The Redundancy Management Interface (RMI) is used as a secondary link between the active and standby Cisco Catalyst 9800 Series Wireless Controllers. This interface is the same as the wireless management interface, and the IP address on this interface is configured in the same subnet as the Wireless Management IP. The RMI is used for the following purposes:
· Dual Active Detection
· Exchange resource health information between controllers, for instance, gateway reachability status from either controller.
· Gateway reachability is checked on the active and the standby controller through the RMI when the feature is enabled. It takes approximately the configured gateway monitoring interval to detect that a controller has lost gateway reachability. The default gateway monitoring interval value is 8 seconds.


Note
· The RMI might trigger a switchover based on the gateway status of the active controller.
· Cisco TrustSec is not supported on the RMI. When the device SGT is used, the IP-SGT mapping for the RMI address is also applied along with the WMI address. You must therefore ensure that the SGACL is defined appropriately to allow ICMP and ARP traffic between the active and standby RMI addresses.
· If the RP and RMI links are both down, the HA setup breaks into two active controllers. This leads to an IP conflict in the network. The HA setup forms again when the RP link comes up. Depending on the state of the external switch at this time, the ARP table may or may not be updated to point to the active controller; that is, the switch may fail to process the GARP packets from the controller. As a best practice, we recommend that you set the ARP cache timeout to a low value for faster recovery from multiple fault scenarios. Select a value that does not impact the network traffic, for instance, 30 minutes.

Note The AAA packets originating from the controller may use either the wireless management IP or the RMI IP. Therefore, ensure that you add RMI IP as the source IP along with WMI IP in the AAA server.
Active Controller
The primary address on the active controller is the management IP address. The secondary IPv4 address on the management VLAN is the RMI IP address for the active controller. Do not configure secondary IPv4 addresses explicitly, because the RMI feature automatically configures a single secondary IPv4 address.
Standby Controller
The standby controller does not have the wireless management IP configured; it has the RMI IP address configured as the primary IP address. When the standby controller becomes active, the management IP address becomes the primary IP address and the RMI IP address becomes the secondary IP address. If the interface on the active controller is administratively down, the same state is reflected on the standby controller.
Dual Stack Support on Management VLAN with RMI
Dual stack refers to the fact that the wireless management interface can be configured with IPv4 and IPv6 addresses. If an RMI IPv4 address is configured along with an IPv4 management IP address, you can additionally configure an IPv6 management address on the wireless management interface. This IPv6 management IP address will not be visible on the standby controller.
If an RMI IPv6 address is configured along with an IPv6 management IP address, you can additionally configure an IPv4 management address on the wireless management interface. This IPv4 management IP address will not be visible on the standby controller.
Therefore, you can monitor only the IPv6 gateway when the RMI IPv6 address is configured, or only the IPv4 gateway when the RMI IPv4 address is configured.


Note The RMI feature supports the RMI IPv4 or IPv6 addresses.
RMI-Based High-Availability Pairing
You should consider the following scenarios for HA pairing:
· Fresh Installation
· Already Paired Controllers
· Upgrade Scenario
· Downgrade Scenario
Dynamic HA pairing requires both the active controller and the standby controller to reload. However, dynamic HA pairing occurs on the Cisco Catalyst 9800-L Wireless Controller, Cisco Catalyst 9800-40 Wireless Controller, and the Cisco Catalyst 9800-80 Wireless Controller when one of them reloads and becomes the standby controller.

Note Chassis numbers identify individual controllers. Unique chassis numbers must be configured before forming an HA pair.
HA Pairing Without Previous Configuration
When HA pairing is done for the first time, no ROMMON variables are found for the RP IP addresses. You can choose between the existing privileged EXEC mode RP-based commands and the RMI IP-based mechanism. However, the privileged EXEC mode RP-based commands will be deprecated soon. If you use Cisco DNA Center, you can choose the privileged EXEC mode RP-based CLI mechanism until Cisco DNA Center migrates to support the RMI.
The RP IPs are derived from the RMI IPs after an HA pair is formed. Also, the privileged EXEC mode RP-based CLI method of clearing and forming an HA pair is not allowed after the RMI IP-based HA mechanism is chosen.

Note
· Although you can choose RP or RMI for a fresh installation, we recommend that you use the RMI install method.
· To view the ROMMON variables, use the show romvar command.

If you choose the privileged EXEC RP-based CLI mechanism, the RP IPs are configured the same way as in the 16.12 release. The following occurs when the RMI-based HA pairing is done on a brand-new system:
· RP IPs are derived from RMI IPs and used in HA pairing.
· Privileged EXEC mode RP-based CLIs are blocked.


Paired Controllers
If the controllers are already in an HA pair, the existing EXEC mode RP-based commands will continue to be used. You can enable RMI to migrate to the RMI-based HA pairing. If the controllers are already paired and RMI is configured, it will overwrite the RP IPs with the RMI-derived IPs. The HA pair will not be disturbed immediately, but the controllers will pick up the new IP when the next reload happens. The RMI feature mandates a reload for the feature to be effective. When both the controllers are reloaded, they come up as a pair with the new RMI-derived RP IPs. The following occurs when the RMI configuration is done:
· The RP IPs derived from the RMI IPs are overwritten, and used for HA pairing.
· If the active and standby controller already exist prior to HA pairing through the EXEC mode RP-based command mechanism, the pair is not interrupted.
· When the pair reloads later, the new RP IPs are used.
· EXEC mode RP-based commands are blocked.
Upgrading from Cisco IOS XE 16.1.x to a Later Release A system that is being upgraded can choose to:
· Migrate with the existing RP IP configuration intact--In this case, the existing RP IP configuration will continue to be used. The EXEC mode RP-based commands are used for future modifications.
· Migrate after clearing the HA configuration--In this case, you can choose between the old (EXEC mode RP-based commands) and new RMI-based RP configuration methods.
Note In case the older configuration is retained, the RMI configuration updates the RP IPs with the IPs derived from the RMI IPs.
Downgrade Scenario
Note The downgrade scenario given below is not applicable for Cisco IOS XE Amsterdam 17.1.x.
The downgrade scenario will have only the EXEC mode RP-based commands. The following are the two possibilities:
· If the upgraded system used the RMI-based RP configuration. · If the upgraded system continued to use the EXEC mode RP-based commands.
Note In the above cases, the downgraded system uses the EXEC mode RP-based commands to modify the configuration. However, the downgraded system will continue to use the new derived RP IPs.


Note When you downgrade the Cisco Catalyst 9800 Series Wireless Controller to any version below 17.1 and if the mDNS gateway is enabled on the WLAN/RLAN/GLAN interfaces, the mdns-sd-interface gateway goes down after the downgrade.
To enable the mDNS gateway on the WLAN/RLAN/GLAN interfaces in 16.12 and earlier versions, use the following commands:
wlan test 1 test
mdns-sd gateway
To enable the mDNS gateway on the WLAN/RLAN/GLAN interfaces from version 17.1 onwards, use the following command:
mdns-sd-interface gateway
Gateway Monitoring
From Cisco IOS XE Amsterdam 17.2.1 onwards, the method to configure the gateway IP has been modified. The ip default-gateway gateway-ip command is not used. Instead, the gateway IP is selected based on the static routes configured. From among the static routes configured, the gateway IP that falls in the same subnet as the RMI subnet (the broadest mask and least gateway IP) is chosen. If no matching static route is found, gateway failover will not work (even if management gateway-failover is enabled).
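The selection rule above can be checked offline before enabling gateway failover. The following Python is an added example, not Cisco code or controller output: it applies the rule (next hop in the RMI subnet, broadest mask first, then lowest gateway IP) to a constructed list of static routes. The RMI address and the route list are sample values; the function returns None in exactly the case the text warns about, where no matching static route exists and gateway failover cannot work.

```python
"""Added example (not Cisco code): model the gateway-selection rule for gateway monitoring."""
from ipaddress import ip_address, ip_interface, ip_network
from typing import Iterable, Optional, Tuple

# Constructed sample static routes as (destination prefix, next hop) pairs.
# The RMI subnet used below is 9.10.90.0/24, matching the addresses used in this chapter.
SAMPLE_STATIC_ROUTES = [
    ("0.0.0.0/0", "9.10.90.1"),        # default route, next hop in the RMI subnet
    ("10.0.0.0/8", "9.10.90.5"),       # next hop in the RMI subnet, but a narrower mask
    ("0.0.0.0/0", "9.10.90.2"),        # same (broadest) mask, higher gateway IP
    ("172.16.0.0/16", "192.168.1.1"),  # next hop outside the RMI subnet: never chosen
]


def select_monitored_gateway(rmi_interface: str,
                             static_routes: Iterable[Tuple[str, str]]) -> Optional[str]:
    """Return the gateway IP the controller would monitor, or None if none qualifies.

    rmi_interface is the RMI address with its prefix length, e.g. "9.10.90.147/24".
    Candidates are static-route next hops inside the RMI subnet; among them the
    broadest mask (smallest prefix length) wins, ties go to the lowest gateway IP.
    """
    rmi_net = ip_interface(rmi_interface).network
    candidates = []
    for prefix, next_hop in static_routes:
        gw = ip_address(next_hop)
        if gw.version != rmi_net.version or gw not in rmi_net:
            continue  # only IPv4 or only IPv6 can be monitored, and only same-subnet hops
        net = ip_network(prefix, strict=False)
        candidates.append((net.prefixlen, int(gw), gw))
    if not candidates:
        return None  # gateway failover will not work, even if it is enabled
    candidates.sort()  # shortest prefix first, then numerically lowest gateway
    return str(candidates[0][2])


def gateway_failover_effective(rmi_interface: str,
                               static_routes: Iterable[Tuple[str, str]],
                               failover_enabled: bool) -> bool:
    """True only when management gateway-failover is enabled AND a gateway was selected."""
    return failover_enabled and select_monitored_gateway(rmi_interface, static_routes) is not None


if __name__ == "__main__":
    print(select_monitored_gateway("9.10.90.147/24", SAMPLE_STATIC_ROUTES))
```

Run it against the routes exported from `show running-config | include ip route` to see which next hop the monitor will probe; a None result means the static route, not the failover toggle, is what needs fixing.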

Configuring Redundancy Management Interface (GUI)
Before you begin
Before configuring RMI + RP using the GUI, ensure that WMI is available.
Procedure
Step 1 In the Administration > Device > Redundancy window, perform the following:
a. Set the Redundancy Configuration toggle button to Enabled to activate redundancy configuration.
b. In the Redundancy Pairing Type field, select RMI+RP to perform RMI+RP redundancy pairing as follows:
· In the RMI IP for Chassis 1 field, enter the RMI IP address for chassis 1.
· In the RMI IP for Chassis 2 field, enter the RMI IP address for chassis 2.
· From the HA Interface drop-down list, choose one of the HA interfaces.
Note You can select the HA interface only for Cisco Catalyst 9800 Series Wireless Controllers.
· Set the Management Gateway Failover toggle button to Enabled to activate management gateway failover.
· In the Gateway Failure Interval field, enter an appropriate value. The valid range is between 6 and 12 (seconds). The default is 8 seconds.
c. In the Redundancy Pairing Type field, select RP to perform RP redundancy pairing as follows:
· In the Local IP field, enter an IP address for Local IP.
· In the Netmask field, enter the subnet mask assigned to all wireless clients.
· From the HA Interface drop-down list, choose one of the HA interfaces.
Note You can select the HA interface only for Cisco Catalyst 9800 Series Wireless Controllers.
· In the Remote IP field, enter an IP address for Remote IP.
d. In the Keep Alive Timer field, enter an appropriate timer value. The valid range is between 1 and 10 (x100 milliseconds).
e. In the Keep Alive Retries field, enter an appropriate retry value. The valid range is between 3 and 10 seconds.
f. In the Active Chassis Priority field, enter a value.
Step 2 Click Apply and reload the controllers.

Configuring Redundancy Management Interface (CLI)
Procedure
Step 1 chassis chassis-num priority chassis-priority
Example:
Device# chassis 1 priority 1
(Optional) Configures the priority of the specified device.
Note From Cisco IOS XE Gibraltar 16.12.x onwards, device reload is not required for the chassis priority to become effective.
· chassis-num: Enter the chassis number. The range is from 1 to 2.
· chassis-priority: Enter the chassis priority. The range is from 1 to 2. The default value is 1.
Note When both the devices boot up at the same time, the device with higher priority becomes active, and the other one becomes standby. If both the devices are configured with the same priority value, the one with the smaller MAC address acts as active and its peer acts as standby.
Step 2 chassis redundancy ha-interface GigabitEthernet interface-number
Example:
Device# chassis redundancy ha-interface GigabitEthernet 3
Creates an HA interface for your controller.
· interface-number: GigabitEthernet interface number. The range is from 1 to 32.
Note This step is applicable only for Cisco Catalyst 9800-CL Series Wireless Controllers. The chosen interface is used as the dedicated interface for HA communication between the 2 controllers.
Step 3 configure terminal
Example:
Device# configure terminal
Enters global configuration mode.
Step 4 redun-management interface vlan vlan-interface-number chassis chassis-number address ip-address chassis chassis-number address ip-address
Example:
Device(config)# redun-management interface Vlan 200 chassis 1 address 9.10.90.147 chassis 2 address 9.10.90.149
Configures the Redundancy Management Interface.
· vlan-interface-number: VLAN interface number. The valid range is from 1 to 4094.
Note Here, the vlan-interface-number is the same VLAN as the Management VLAN. That is, both must be on the same subnet.
· chassis-number: Chassis number. The valid range is from 1 to 2.
· ip-address: Redundancy Management Interface IP address.
Note Each controller must have a unique chassis number for RMI to form the HA pair. The chassis number can be observed as SWITCH_NUMBER in the output of the show romvar command. Modification of SWITCH_NUMBER is currently not available through the web UI.
To disable the HA pair, use the no redun-management interface vlan chassis command.
Step 5 end
Example:
Device(config)# end
Returns to privileged EXEC mode.
Step 6 write memory
Example:
Device# write memory
Saves the configuration.
Step 7 reload
Example:
Device# reload
Reloads the controllers.
Note When the RMI configuration is done, you must reload the controllers for the configuration to take effect.
For Cisco Catalyst 9800-CL Wireless Controller VM, both the active and standby controllers reload automatically. In the case of hardware platforms, you should reload the active controller manually, as only the standby controller reloads automatically.
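Because Step 4 takes effect only after a reload, it pays to check its arguments before entering it. The following Python is an added example, not Cisco code: it enforces the constraints the procedure states (VLAN 1 to 4094, chassis 1 and 2 each given once, both RMI addresses on the management VLAN's subnet and distinct from the management IP) and renders the command line. The management address 9.10.90.41/24 and the RMI addresses are taken from this chapter's own sample output; the function and message texts are this example's.

```python
"""Added example (not Cisco code): pre-flight check for the redun-management interface command."""
from ipaddress import ip_address, ip_interface
from typing import Dict, List


def rmi_config_findings(vlan: int, mgmt_interface_cidr: str,
                        chassis_rmi: Dict[int, str]) -> List[str]:
    """Return a list of constraint violations; an empty list means the input is consistent.

    mgmt_interface_cidr is the management SVI address with prefix, e.g. "9.10.90.41/24".
    chassis_rmi maps chassis number -> RMI IP address, e.g. {1: "9.10.90.147", 2: "9.10.90.149"}.
    """
    findings: List[str] = []
    if not 1 <= vlan <= 4094:
        findings.append(f"VLAN {vlan} is outside the valid range 1 to 4094")
    if sorted(chassis_rmi) != [1, 2]:
        findings.append("exactly chassis 1 and chassis 2 must each be given once")
    mgmt = ip_interface(mgmt_interface_cidr)
    seen: Dict[object, int] = {}
    for num, addr in chassis_rmi.items():
        ip = ip_address(addr)
        # The RMI VLAN is the management VLAN, so every RMI IP must be on its subnet.
        if ip.version != mgmt.ip.version or ip not in mgmt.network:
            findings.append(f"chassis {num} RMI address {addr} is not on management subnet {mgmt.network}")
        elif ip == mgmt.ip:
            findings.append(f"chassis {num} RMI address {addr} collides with the management IP")
        # Each chassis needs its own RMI address; the same IP on both sides cannot pair.
        if ip in seen:
            findings.append(f"RMI address {addr} is assigned to both chassis {seen[ip]} and chassis {num}")
        seen[ip] = num
    return findings


def build_redun_management_command(vlan: int, mgmt_interface_cidr: str,
                                   chassis_rmi: Dict[int, str]) -> str:
    """Render the Step 4 command, refusing to do so if any constraint is violated."""
    problems = rmi_config_findings(vlan, mgmt_interface_cidr, chassis_rmi)
    if problems:
        raise ValueError("; ".join(problems))
    return (f"redun-management interface Vlan {vlan} "
            f"chassis 1 address {chassis_rmi[1]} chassis 2 address {chassis_rmi[2]}")


if __name__ == "__main__":
    print(build_redun_management_command(200, "9.10.90.41/24",
                                         {1: "9.10.90.147", 2: "9.10.90.149"}))
```

The check does not replace verifying SWITCH_NUMBER with show romvar on each box; it only catches the address and VLAN mistakes that would otherwise surface as a failed pairing after the reload.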

Configuring Gateway Monitoring (CLI)
Procedure
Step 1 configure terminal
Example:
Device# configure terminal
Enters global configuration mode.
Step 2 [no] management gateway-failover enable
Example:
Device(config)# management gateway-failover enable
Enables gateway monitoring. (Use the no form of this command to disable gateway monitoring.)
Step 3 end
Example:
Device(config)# end
Returns to privileged EXEC mode.
Note To save the configuration, use the write memory command.

Configuring Gateway Monitoring Interval (CLI)
Procedure
Step 1 configure terminal
Example:
Device# configure terminal
Enters global configuration mode.
Step 2 management gateway-failover interval interval-value
Example:
Device(config)# management gateway-failover interval 6
Configures the gateway monitoring interval. interval-value: Refers to the gateway monitoring interval. The valid range is from 6 to 12. Default value is 8.
Step 3 end
Example:
Device(config)# end
Saves the configuration, exits configuration mode, and returns to privileged EXEC mode.

Gateway Reachability Detection
Information About Gateway Reachability Detection
The Gateway Reachability Detection feature minimizes the downtime on APs and clients when the gateway reachability is lost on the active controller. Both active and standby controllers keep track of gateway reachability. The gateway reachability is detected by sending Internet Control Message Protocol (ICMP) and ARP requests periodically to the gateway. Both active and standby controllers use the RMI IP as the source IP. The messages are sent at a 1 second interval. After 8 (or the configured number of) consecutive failures in reaching the gateway, the controller declares the gateway as non-reachable. It takes approximately 8 seconds to detect that a controller has lost gateway reachability.


Gateway monitoring with native IPv6 uses ICMP Neighbour Discovery protocols and ICMPv6 ECHO to check gateway reachability. Therefore, you can monitor only the IPv6 gateway when RMI IPv6 is configured. This means that only one IPv4 or IPv6 gateway can be monitored.
Note If the standby controller loses the gateway, the standby moves to the standby recovery mode. If the active controller loses the gateway, the active reloads and the standby becomes active.
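The detection timing described above (one probe per second, a run of 8 consecutive failures, and a role-dependent action) can be replayed against a recorded probe history. The following Python is an added example, not Cisco code or controller output: it models the counter and the two outcomes from the Note, and shows why a gateway that flaps every few seconds is never declared lost, since a single successful probe resets the run. The probe sequences are constructed for this example.

```python
"""Added example (not Cisco code): replay of the gateway reachability detection logic."""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

DEFAULT_FAILURE_THRESHOLD = 8  # "8 (or the configured number of) consecutive failures"
PROBE_INTERVAL_S = 1           # ICMP/ARP probes are sent at a 1 second interval


@dataclass
class GatewayMonitor:
    """Tracks consecutive probe failures for one controller role ('active' or 'standby')."""
    role: str
    threshold: int = DEFAULT_FAILURE_THRESHOLD
    consecutive_failures: int = 0
    gateway_reachable: bool = True

    def record_probe(self, success: bool) -> Optional[str]:
        """Feed one probe result. Returns the action taken when the gateway is declared lost."""
        if success:
            self.consecutive_failures = 0  # any reply resets the run; failures must be consecutive
            return None
        self.consecutive_failures += 1
        if self.gateway_reachable and self.consecutive_failures >= self.threshold:
            self.gateway_reachable = False
            return self._loss_action()
        return None

    def _loss_action(self) -> str:
        # Per the Note: the active reloads (standby takes over); the standby enters recovery mode.
        if self.role == "active":
            return "reload; standby becomes active"
        return "enter standby recovery mode"


def run_probes(role: str, results: Iterable[bool],
               threshold: int = DEFAULT_FAILURE_THRESHOLD) -> Tuple[Optional[int], Optional[str]]:
    """Replay probe results; return (seconds until detection, action) or (None, None)."""
    monitor = GatewayMonitor(role=role, threshold=threshold)
    for index, ok in enumerate(results, start=1):
        action = monitor.record_probe(ok)
        if action:
            return index * PROBE_INTERVAL_S, action
    return None, None


# Constructed probe histories (True = gateway answered, False = no reply).
OUTAGE = [True] * 3 + [False] * 8          # gateway goes silent at second 4
FLAPPING = [False] * 7 + [True] + [False] * 7  # never 8 failures in a row

if __name__ == "__main__":
    print(run_probes("active", OUTAGE))
    print(run_probes("standby", OUTAGE, threshold=6))
    print(run_probes("active", FLAPPING))
```

When tuning the interval with management gateway-failover interval, the replay makes the trade-off concrete: a lower threshold detects loss sooner but a flapping gateway is more likely to trigger a reload of the active controller.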
Configuration Workflow
1. Configuring Redundancy Management Interface (GUI), on page 1237 (or) Configuring Redundancy Management Interface (CLI), on page 1238
Note For RMI configuration to take effect, ensure that you reload your controllers.
2. Configuring IPv6 Static Route. For information, see Gateway Monitoring.
3. Configuring Gateway Monitoring Interval (CLI), on page 1241
Migrating to RMI IPv6
From RMI IPv4
1. Unconfigure the RMI IPv4 using the following CLIs:
Device# conf t
Device(config)# no redun-management interface <vlan_name> chassis 1 address <ip_address1> chassis 2 address <ip_address2>
Note This CLI unconfigures RMI on both the controllers.
2. Reload the controller.
Note Take a backup of the running config on the active controller before you reload the controller.
3. Copy the backed up config to the running config on the box which would have lost all the config.
4. Configure the RMI IPv6 on both the controllers. For information on the CLI, see Configuring Redundancy Management Interface (CLI), on page 1238.
5. Reload the controller.


From HA Pairing (Without RMI)
For information on HA pairing, see Configuring Redundancy Management Interface (GUI).
Monitoring the Health of the Standby Controller
The Standby Monitoring feature allows you to monitor the health of a system on a standby controller using programmatic interfaces and commands. This feature allows you to monitor parameters such as CPU, memory, interface status, power supply, fan failure, and the system temperature. Standby Monitoring is enabled when the Redundancy Management Interface (RMI) is configured; no other configuration is required. The RMI itself is used to connect to the standby and perform standby monitoring. The Standby Monitoring feature cannot be dynamically enabled or disabled.
Note The active controller uses the management or RMI IP to initiate AAA requests, whereas the standby controller uses the RMI IP to initiate AAA requests. Thus, the RMI IPs must be added in the AAA servers for seamless client authentication and standby monitoring.
To enable standby console, ensure that the following configuration is in place:
redundancy main-cpu secondary console enable
Note The Standby Monitoring feature is not supported on a controller in the active-recovery and the standby-recovery modes.
The Standby Monitoring feature supports only the following traffic on the RMI interface of the standby controller:
· Address Resolution Protocol (ARP)
· Internet Control Message Protocol (ICMP)
· TCP Traffic (to or from) ports: 22, 443, 830, and 3200
· UDP RADIUS ports: 1645 and 1646
· UDP Extended RADIUS ports: 21645 to 21844
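The list above is also the specification for what a firewall or ACL in front of the standby RMI should allow, and for what should look suspicious in flow records. The following Python is an added example, not Cisco code: it encodes the supported set and runs it over constructed flow-log lines (the log format, the client addresses and the RADIUS server address are made up; the standby RMI IP 9.10.90.149 is the one used in this chapter's samples). TCP is matched on either end of the connection, as the text says "to or from"; applying the same either-end rule to the UDP RADIUS ports is this example's assumption so that request and reply are both accepted.

```python
"""Added example (not Cisco code): audit flows touching the standby RMI IP against the supported set."""
import re
from typing import List, NamedTuple, Optional

STANDBY_RMI_IP = "9.10.90.149"  # standby RMI IP from this chapter's sample output


class Flow(NamedTuple):
    proto: str
    src: str
    src_port: Optional[int]
    dst: str
    dst_port: Optional[int]


# Traffic the standby RMI supports, as listed in the text.
TCP_PORTS = {22, 443, 830, 3200}
UDP_RADIUS_PORTS = {1645, 1646}
UDP_EXT_RADIUS_PORTS = range(21645, 21845)  # 21645 to 21844 inclusive


def standby_rmi_supports(flow: Flow) -> bool:
    """True if the flow is within the traffic the standby RMI supports."""
    proto = flow.proto.lower()
    if proto in ("arp", "icmp"):
        return True
    ports = {p for p in (flow.src_port, flow.dst_port) if p is not None}
    if proto == "tcp":
        return bool(ports & TCP_PORTS)            # "to or from" the listed ports
    if proto == "udp":
        # Assumption: either end may carry the RADIUS port (request or reply direction).
        return bool(ports & UDP_RADIUS_PORTS) or any(p in UDP_EXT_RADIUS_PORTS for p in ports)
    return False


# Constructed flow-log format: proto=<p> src=<ip>[:<port>] dst=<ip>[:<port>]
FLOW_RE = re.compile(r"proto=(\w+) src=([\d.]+)(?::(\d+))? dst=([\d.]+)(?::(\d+))?")


def parse_flow_line(line: str) -> Optional[Flow]:
    m = FLOW_RE.search(line)
    if not m:
        return None
    proto, src, sp, dst, dp = m.groups()
    return Flow(proto, src, int(sp) if sp else None, dst, int(dp) if dp else None)


SAMPLE_FLOW_LOG = """\
proto=tcp src=10.20.0.15:51422 dst=9.10.90.149:22
proto=tcp src=10.20.0.15:51423 dst=9.10.90.149:443
proto=udp src=9.10.90.149:21700 dst=10.30.0.5:1812
proto=icmp src=10.20.0.15 dst=9.10.90.149
proto=tcp src=10.20.0.99:40000 dst=9.10.90.149:23
proto=tcp src=10.20.0.99:53000 dst=9.10.90.149:80
"""


def unsupported_standby_flows(log_text: str, standby_ip: str = STANDBY_RMI_IP) -> List[Flow]:
    """Return flows that involve the standby RMI IP but fall outside the supported set."""
    flagged = []
    for line in log_text.splitlines():
        flow = parse_flow_line(line)
        if flow and standby_ip in (flow.src, flow.dst) and not standby_rmi_supports(flow):
            flagged.append(flow)
    return flagged


if __name__ == "__main__":
    for flow in unsupported_standby_flows(SAMPLE_FLOW_LOG):
        print("unsupported:", flow)
```

Flows flagged by this check are either probes of the standby's RMI address or a sign that something was pointed at the standby that only the active controller serves; both are worth a look in the firewall logs.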
Feature Scenarios
· To monitor the health of the standby directly from the standby controller using the Standby RMI IP.
· To get syslogs from the standby controller using the Standby RMI IP.
Use Cases
· Enabling SNMP agent and programmatic interfaces on the standby controller: You can directly perform an SNMP query or programmatic interface query to the standby's RMI IP and active controller.


· Enabling syslogs on the standby controller: You can directly get the standby syslogs from the standby controller.

Monitoring the Health of Standby Parameters Using SNMP

Standby Monitoring Using Standby RMI IP
When an SNMP agent is enabled on the standby controller, you can directly perform an SNMP query to the standby's RMI IP. From Release 17.5 onwards, you can query the following MIB on the standby controller:
Table 59: MIB Name and Notes
MIB Name: IF-MIB
Notes: This MIB is used to monitor the interface statistics of the standby controller using the standby RMI IP address.

Note If an SNMP agent is enabled on the active controller, by default, the SNMP is enabled on the standby controller.

Standby Monitoring Using the Active Controller

CISCO-LWAPP-HA-MIB
The CISCO-LWAPP-HA-MIB monitors the health parameters of the standby controller, that is, memory, CPU, port status, power statistics, peer gateway latencies, and so on. You can query the following MIB objects of CISCO-LWAPP-HA-MIB.
Table 60: MIB Objects and Notes
MIB Object: cLHaPeerHotStandbyEvent
Notes: This object can be used to check if the standby controller has turned hot-standby or not.
MIB Object: cLHaBulkSyncCompleteEvent
Notes: This object represents the time at which the bulk sync is completed.

CISCO-PROCESS-MIB
The CISCO-PROCESS-MIB monitors CPU and process statistics. Use it to monitor CPU-related or memory-related BINOS processes. The standby CISCO-PROCESS-MIB can be monitored using the active controller.


ENTITY-MIB
The ENTITY-MIB is used to monitor hardware details of the active and standby controllers using the active controller.
Note The standby Route Processor (RP) sensors are appended in the active RP sensors.
Standby IOS Linux Syslogs
The standby logs are relayed using the same method as on the active Cisco IOS for wireless controllers. From Release 17.5 onwards, external logging of syslogs from the standby IOS is enabled. As BINOS processes on the standby also forward their syslogs to Cisco IOS, all the syslogs generated on the standby controller are forwarded to the configured external server.
Note The RMI IP address is used for logging purposes.
The following is the expected behavior when an HA pair is configured with the RMI IPv6 address, the active controller has dual stack, and logging is configured on the IPv4 address: The standby controller tries to send syslogs to the IPv4 server because logging is only configured on IPv4 even though IPv4 is not supported by standby.
Monitoring the Health of Standby Controller Using Programmatic Interfaces
You can monitor parameters such as CPU, memory, sensors, and interface status on a standby controller using programmatic interfaces such as NetConf and RestConf. The RMI IP of the standby controller can be used for access to the following operational models: The models can be accessed through .
· Cisco-IOS-XE-device-hardware-oper.yang
· Cisco-IOS-XE-process-cpu-oper.yang
· Cisco-IOS-XE-platform-software-oper.yang
· Cisco-IOS-XE-process-memory-oper.yang
· Cisco-IOS-XE-interfaces-oper.yang
For more information on the YANG models, see the Programmability Configuration Guide, Cisco IOS XE Amsterdam 17.3.x.


Monitoring the Health of Standby Controller Using CLI
This section describes the different commands that can be used to monitor the standby device.
You can connect to the standby controller through SSH using the RMI IP of the standby controller. The user credentials must have been configured already. Both local authentication and RADIUS authentication are supported.

Note The redun-management command needs to be configured on both the controllers, primary and standby, prior to high availability (HA) pairing.

Monitoring Port State
The following is a sample output of the show interfaces interface-name command:
Device-standby# show interfaces GigabitEthernet1
GigabitEthernet1 is down, line protocol is down
Shadow state is up, true line protocol is up
  Hardware is CSR vNIC, address is 000c.2909.33c2 (bia 000c.2909.33c2)
  MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full Duplex, 1000Mbps, link type is force-up, media type is Virtual
  output flow-control is unsupported, input flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:06, output 00:00:24, output hang never
  Last clearing of "show interface" counters never
  Input queue: 30/375/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 389000 bits/sec, 410 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     3696382 packets input, 392617128 bytes, 0 no buffer
     Received 0 broadcasts (0 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     18832 packets output, 1218862 bytes, 0 underruns
     Output 0 broadcasts (0 multicasts)
     0 output errors, 0 collisions, 2 interface resets
     3 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped out

The following is a sample output of the show ip interface brief command:
Device# show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet1       unassigned      YES unset  down                  down
GigabitEthernet0       unassigned      YES NVRAM  administratively down down
Capwap1                unassigned      YES unset  up                    up
Capwap2                unassigned      YES unset  up                    up
Capwap3                unassigned      YES unset  up                    up
Capwap10               unassigned      YES unset  up                    up
Vlan1                  unassigned      YES NVRAM  down                  down
Vlan56                 unassigned      YES unset  down                  down
Vlan111                111.1.1.85      YES NVRAM  up                    up

Monitoring CPU or Memory
The following is a sample output of the show process cpu sorted 5sec command:
Device-standby# show process cpu sorted 5sec
CPU utilization for five seconds: 0%/0%; one minute: 0%; five minutes: 0%
 PID Runtime(ms)     Invoked      uSecs   5Sec   1Min   5Min TTY Process
  10     1576556      281188       5606  0.15%  0.05%  0.05%   0 Check heaps
 232      845057    54261160         15  0.07%  0.05%  0.06%   0 IPAM Manager
 595         177         300        590  0.07%  0.02%  0.01%   2 Virtual Exec
 138     1685973   108085955         15  0.07%  0.08%  0.08%   0 L2 LISP Punt Pro
 193       19644      348767         56  0.07%  0.00%  0.00%   0 DTP Protocol
   5           0           1          0  0.00%  0.00%  0.00%   0 CTS SGACL db cor
   4          24          15       1600  0.00%  0.00%  0.00%   0 RF Slave Main Th
   6           0           1          0  0.00%  0.00%  0.00%   0 Retransmission o
   7           0           1          0  0.00%  0.00%  0.00%   0 IPC ISSU Dispatc
   2      117631      348801        337  0.00%  0.00%  0.00%   0 Load Meter
   8           0           1          0  0.00%  0.00%  0.00%   0 EDDRI_MAIN

To check CPU and memory utilization of binos processes, run the following command:
Device-standby# show platform software process slot chassis standby R0 monitor
top - 23:24:14 up 8 days,  3:38,  0 users,  load average: 0.69, 0.79, 0.81
Tasks: 433 total,   1 running, 431 sleeping,   1 stopped,   0 zombie
%Cpu(s):  1.7 us,  2.8 sy,  0.0 ni, 95.6 id,  0.0 wa,  0.0 hi,  0.0 si,  0.0 st
MiB Mem :  32059.2 total,  21953.7 free,   4896.8 used,   5208.6 buff/cache
MiB Swap:      0.0 total,      0.0 free,      0.0 used.  26304.6 avail Mem

  PID USER      PR  NI    VIRT    RES    SHR S  %CPU  %MEM     TIME+ COMMAND
23565 root      20   0 2347004 229116 130052 S  41.2   0.7   5681:44 ucode_pkt+
 2306 root      20   0  666908 106760  46228 S   5.9   0.3  15:06.14 smand
22807 root      20   0 3473004 230020 152120 S   5.9   0.7 510:56.90 fman_fp_i+
    1 root      20   0   14600  11324   7424 S   0.0   0.0   0:31.07 systemd
    2 root      20   0       0      0      0 S   0.0   0.0   0:00.28 kthreadd
    3 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 rcu_gp
    4 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 rcu_par_gp
    6 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 kworker/0+
    7 root      20   0       0      0      0 I   0.0   0.0   0:00.49 kworker/u+
    8 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 mm_percpu+
    9 root      20   0       0      0      0 S   0.0   0.0   0:03.26 ksoftirqd+
.
.
.
32258 root      20   0   57116   3432   2848 S   0.0   0.0   0:00.00 rotee
32318 root      20   0  139560   9500   7748 S   0.0   0.0   0:55.67 pttcd
32348 root      20   0   31.6g   3.1g 607364 S   0.0   9.8 499:12.04 linux_ios+
32503 root      20   0    3996   3136   2852 S   0.0   0.0   0:00.00 stack_snt+
32507 root      20   0    3700   1936   1820 S   0.0   0.0   0:00.00 sntp
Monitoring Hardware
The following is a sample output of the show environment summary command:
Device# show environment summary
Number of Critical alarms:  0
Number of Major alarms:     0
Number of Minor alarms:     0

Slot       Sensor           Current State   Reading      Threshold(Minor,Major,Critical,Shutdown)
---------- ---------------- --------------- ------------ ---------------------------------------
P0         Vin              Normal          231 V AC     na
P0         Iin              Normal          2 A          na
P0         Vout             Normal          12 V DC      na
P0         Iout             Normal          30 A         na
P0         Temp1            Normal          25 Celsius   (na ,na ,na ,na )(Celsius)
P0         Temp2            Normal          31 Celsius   (na ,na ,na ,na )(Celsius)
P0         Temp3            Normal          37 Celsius   (na ,na ,na ,na )(Celsius)
R0         VDMB1: VX1       Normal          1226 mV      na
R0         VDMB1: VX2       Normal          6944 mV      na
R0         Temp: DMB IN     Normal          26 Celsius   (45 ,55 ,65 ,70 )(Celsius)
R0         Temp: DMB OUT    Normal          40 Celsius   (70 ,75 ,80 ,85 )(Celsius)
R0         Temp: Yoda 0     Normal          54 Celsius   (95 ,105,110,115)(Celsius)
R0         Temp: Yoda 1     Normal          62 Celsius   (95 ,105,110,115)(Celsius)
R0         Temp: CPU Die    Normal          43 Celsius   (100,110,120,125)(Celsius)
R0         Temp: FC FANS    Fan Speed 70%   26 Celsius   (29 ,39 ,0 )(Celsius)
R0         VDDC1: VX1       Normal          1005 mV      na
R0         VDDC1: VX2       Normal          7084 mV      na
R0         VDDC2: VH        Normal          12003 mV     na
R0         Temp: DDC IN     Normal          25 Celsius   (55 ,65 ,75 ,80 )(Celsius)
R0         Temp: DDC OUT    Normal          35 Celsius   (75 ,85 ,95 ,100)(Celsius)
P0         Stby Vin         Normal          230 V AC     na
P0         Stby Iin         Normal          2 A          na
P0         Stby Vout        Normal          12 V DC      na
P0         Stby Iout        Normal          32 A         na
P0         Stby Temp1       Normal          24 Celsius   (na ,na ,na ,na )(Celsius)
P0         Stby Temp2       Normal          29 Celsius   (na ,na ,na ,na )(Celsius)
P0         Stby Temp3       Normal          35 Celsius   (na ,na ,na ,na )(Celsius)
R0         Stby VDMB1: VX1  Normal          1225 mV      na
R0         Stby VDMB1: VX2  Normal          6979 mV      na
R0         Stby VDMB2: VX2  Normal          5005 mV      na
R0         Stby VDMB2: VX3  Normal          854 mV       na
R0         Stby VDMB3: VX1  Normal          972 mV       na
R0         Stby Temp: DMB I Normal          22 Celsius   (45 ,55 ,65 ,70 )(Celsius)
R0         Stby Temp: DMB O Normal          32 Celsius   (70 ,75 ,80 ,85 )(Celsius)
R0         Stby Temp: Yoda  Normal          43 Celsius   (95 ,105,110,115)(Celsius)
R0         Stby Temp: Yoda  Normal          45 Celsius   (95 ,105,110,115)(Celsius)
R0         Stby Temp: CPU D Normal          33 Celsius   (100,110,120,125)(Celsius)
R0         Stby Temp: FC FA Fan Speed 70%   22 Celsius   (29 ,39 ,0 )(Celsius)
R0         Stby VDDC1: VX1  Normal          1005 mV      na
R0         Stby VDDC1: VX2  Normal          7070 mV      na
R0         Stby VDDC2: VX2  Normal          752 mV       na
R0         Stby VDDC2: VX3  Normal          750 mV       na
R0         Stby Temp: DDC I Normal          22 Celsius   (55 ,65 ,75 ,80 )(Celsius)
R0         Stby Temp: DDC O Normal          28 Celsius   (75 ,85 ,95 ,100)(Celsius)

Note The command displays both active and standby hardware details.


Note The show environment summary command displays data only for physical appliances such as Cisco Catalyst 9800-80 Wireless Controller, Cisco Catalyst 9800-40 Wireless Controller, Cisco Catalyst 9800-L Wireless Controller, and Cisco Catalyst 9800 Embedded Wireless Controller for Switch. The command does not display data for Cisco Catalyst 9800 Wireless Controller for Cloud.
Verifying the Gateway-Monitoring Configuration
To verify the status of the gateway-monitoring configuration on an active controller, run the following command:
Device# show redundancy states
       my state = 13 -ACTIVE
     peer state = 8  -STANDBY HOT
           Mode = Duplex
           Unit = Primary
        Unit ID = 1

Redundancy Mode (Operational) = sso
Redundancy Mode (Configured)  = sso
Redundancy State              = sso
    Maintenance Mode = Disabled
    Manual Swact = enabled
  Communications = Up

   client count = 129
 client_notification_TMR = 30000 milliseconds
           RF debug mask = 0x0
 Gateway Monitoring = Disabled
 Gateway monitoring interval = 8 secs

To verify the status of the gateway-monitoring configuration on a standby controller, run the following command:
Device-stby# show redundancy states
       my state = 8  -STANDBY HOT
     peer state = 13 -ACTIVE
           Mode = Duplex
           Unit = Primary
        Unit ID = 2

Redundancy Mode (Operational) = sso
Redundancy Mode (Configured)  = sso
Redundancy State              = sso
    Maintenance Mode = Disabled
    Manual Swact = cannot be initiated from this the standby unit
  Communications = Up

   client count = 129
 client_notification_TMR = 30000 milliseconds
           RF debug mask = 0x0
 Gateway Monitoring = Disabled
 Gateway monitoring interval = 8 secs


Verifying the RMI IPv4 Configuration
To verify the interface configuration for an active controller, use the following command:
Device# show running-config interface vlan management-vlan
Building configuration...

Current configuration : 109 bytes
!
interface Vlan90
 ip address 9.10.90.147 255.255.255.0 secondary
 ip address 9.10.90.41 255.255.255.0
end

To verify the interface configuration for a standby controller, use the following command:
Device-stby# show running-config interface vlan 90
Building configuration...

Current configuration : 62 bytes
!
interface Vlan90
 ip address 9.10.90.149 255.255.255.0
end

To verify the chassis redundancy management interface configuration for an active controller, use the following command:
Device# show chassis rmi
Chassis/Stack Mac Address : 000c.2964.1eb6 - Local Mac Address
Mac persistency wait time: Indefinite
                                             H/W   Current
Chassis#   Role    Mac Address     Priority Version  State                 IP              RMI-IP
--------------------------------------------------------------------------------------------------------
*1       Active   000c.2964.1eb6     1      V02     Ready                169.254.90.147  9.10.90.147
 2       Standby  000c.2975.3aa6     1      V02     Ready                169.254.90.149  9.10.90.149

To verify the chassis redundancy management interface configuration for a standby controller, use the following command:
Device-stby# show chassis rmi
Chassis/Stack Mac Address : 000c.2964.1eb6 - Local Mac Address
Mac persistency wait time: Indefinite
                                             H/W   Current
Chassis#   Role    Mac Address     Priority Version  State                 IP              RMI-IP
------------------------------------------------------------------------------------------------
 1       Active   000c.2964.1eb6     1      V02     Ready                169.254.90.147  9.10.90.147
*2       Standby  000c.2975.3aa6     1      V02     Ready                169.254.90.149  9.10.90.149

To verify the ROMMON variables on an active controller, use the following command:
Device# show romvar | include RMI
RMI_INTERFACE_NAME = Vlan90
RMI_CHASSIS_LOCAL_IP = 9.10.90.147
RMI_CHASSIS_REMOTE_IP = 9.10.90.149

To verify the ROMMON variables on a standby controller, use the following command:
Device-stby# show romvar | include RMI
RMI_INTERFACE_NAME = Vlan90
RMI_CHASSIS_LOCAL_IP = 9.10.90.149
RMI_CHASSIS_REMOTE_IP = 9.10.90.147

To verify the switchover reason, use the following command:
Device# show redundancy switchover history
Index  Previous  Current  Switchover       Switchover
       active    active   reason           time
-----  --------  -------  ---------------  ---------------------------
   1      2         1     Active lost GW   17:02:29 UTC Mon Feb 3 2020

Verifying the RMI IPv6 Configuration
To verify the chassis redundancy management interface configuration for both active and standby controllers, run the following command:
Device# show chassis rmi
Chassis/Stack Mac Address : 00a3.8e23.a540 - Local Mac Address
Mac persistency wait time: Indefinite
Local Redundancy Port Type: Twisted Pair
                                             H/W   Current
Chassis#   Role    Mac Address     Priority Version  State                 IP              RMI-IP
---------------------------------------------------------------------------------------------
 1       Standby  706d.1536.23c0     1      V02     Ready                169.254.254.17  2020:0:0:1::211
*2       Active   00a3.8e23.a540     1      V02     Ready                169.254.254.18  2020:0:0:1::212

To verify the RMI related ROMMON variables for both active and standby controllers, run the following command:
Device# show romvar | i RMI
RMI_INTERFACE_NAME = Vlan52
RMI_CHASSIS_LOCAL_IPV6 = 2020:0:0:1::212
RMI_CHASSIS_REMOTE_IPV6 = 2020:0:0:1::211
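The verification outputs in this section and the IPv4 section before it lend themselves to an automated cross-check, which is what you want when the same collector already pulls show romvar and show chassis rmi from both controllers. The following Python is an added example, not Cisco code: it parses the ROMMON RMI variables captured from each controller and the show chassis rmi table, then checks that each side's LOCAL IP is the peer's REMOTE IP, that both sides name the same RMI interface, that exactly chassis 1 and 2 are present and Ready, and that the RMI-IP column agrees with the ROMMON values. The captured text embedded below is copied from the sample outputs on this page; the parsers, the check and the finding texts are this example's.

```python
"""Added example (not Cisco code): consistency check over RMI verification output from both controllers."""
import re
from ipaddress import ip_address
from typing import Dict, List, Tuple

# Captured text copied from this page's sample outputs.
ACTIVE_ROMVAR = """\
RMI_INTERFACE_NAME = Vlan90
RMI_CHASSIS_LOCAL_IP = 9.10.90.147
RMI_CHASSIS_REMOTE_IP = 9.10.90.149
"""
STANDBY_ROMVAR = """\
RMI_INTERFACE_NAME = Vlan90
RMI_CHASSIS_LOCAL_IP = 9.10.90.149
RMI_CHASSIS_REMOTE_IP = 9.10.90.147
"""
IPV6_ROMVAR = """\
RMI_INTERFACE_NAME = Vlan52
RMI_CHASSIS_LOCAL_IPV6 = 2020:0:0:1::212
RMI_CHASSIS_REMOTE_IPV6 = 2020:0:0:1::211
"""
CHASSIS_RMI = """\
Chassis#   Role    Mac Address     Priority Version  State   IP              RMI-IP
--------------------------------------------------------------------------------------
*1       Active   000c.2964.1eb6     1      V02     Ready   169.254.90.147  9.10.90.147
 2       Standby  000c.2975.3aa6     1      V02     Ready   169.254.90.149  9.10.90.149
"""


def parse_romvar(text: str) -> Dict[str, str]:
    """Return the RMI_* ROMMON variables as a dict (keys for both IPv4 and IPv6 are kept)."""
    variables: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"\s*(RMI_\w+)\s*=\s*(\S+)", line)
        if m:
            variables[m.group(1)] = m.group(2)
    return variables


def rmi_addresses(variables: Dict[str, str]) -> Tuple[object, object]:
    """Return (local, remote) RMI addresses, whichever address family the ROMMON carries."""
    for suffix in ("_IP", "_IPV6"):
        local = variables.get("RMI_CHASSIS_LOCAL" + suffix)
        remote = variables.get("RMI_CHASSIS_REMOTE" + suffix)
        if local and remote:
            return ip_address(local), ip_address(remote)
    raise ValueError("no RMI_CHASSIS_LOCAL/REMOTE address pair in ROMMON variables")


# One data row of show chassis rmi: optional '*' (local chassis), number, role, MAC,
# priority, H/W version, state, IP, RMI-IP.
ROW_RE = re.compile(r"^(\*?)\s*(\d)\s+(\w+)\s+([0-9a-f.]{14})\s+(\d)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_chassis_rmi(text: str) -> Dict[int, Dict[str, str]]:
    rows: Dict[int, Dict[str, str]] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows[int(m.group(2))] = {"role": m.group(3), "state": m.group(7), "rmi_ip": m.group(9)}
    return rows


def check_rmi_pair(active_romvar: str, standby_romvar: str, chassis_rmi: str) -> List[str]:
    """Return findings; an empty list means the pair's RMI configuration is consistent."""
    findings: List[str] = []
    active, standby = parse_romvar(active_romvar), parse_romvar(standby_romvar)
    if active.get("RMI_INTERFACE_NAME") != standby.get("RMI_INTERFACE_NAME"):
        findings.append("RMI interface name differs between active and standby")
    a_local, a_remote = rmi_addresses(active)
    s_local, s_remote = rmi_addresses(standby)
    if a_local != s_remote or s_local != a_remote:
        findings.append("LOCAL/REMOTE RMI IPs are not mirrored between active and standby")
    if a_local == s_local:
        findings.append("both controllers claim the same local RMI IP")
    rows = parse_chassis_rmi(chassis_rmi)
    if set(rows) != {1, 2}:
        findings.append("expected exactly chassis 1 and chassis 2 in show chassis rmi")
    for number, row in sorted(rows.items()):
        if row["state"] != "Ready":
            findings.append(f"chassis {number} state is {row['state']}, not Ready")
    if {ip_address(r["rmi_ip"]) for r in rows.values()} != {a_local, s_local}:
        findings.append("RMI-IP column does not match the ROMMON RMI IPs")
    return findings


if __name__ == "__main__":
    print(check_rmi_pair(ACTIVE_ROMVAR, STANDBY_ROMVAR, CHASSIS_RMI) or "RMI pair consistent")
```

Feed it the outputs gathered after the reload that RMI requires; a non-empty finding list before the reload is expected, since the new RP IPs are only picked up when the pair comes back.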

Information About Auto-Upgrade
The Auto-Upgrade feature enables the standby controller to upgrade with the software image of the active controller so that both controllers form an HA pair.


Note

· This feature supports the active controller in INSTALL mode.

· This feature supports Cisco Catalyst 9800 Series Wireless Controller software versions 17.5.1 and later.

· This feature is triggered in the standby controller only when the active image is in committed state.

Use Cases
The following are the use cases and functionalities supported by the Auto-Upgrade feature:
· Handling software version mismatch: During an upgrade, if one of the redundancy ports is upgraded to a newer version and the other one is not upgraded at the same time, the active port tries to copy its packages to the other port using the Auto-Upgrade feature. You can enable Auto-Upgrade in this situation using configuration or by manually running the software auto-upgrade enable privileged EXEC command.
The auto-upgrade configuration is enabled by default.
Note Auto-upgrade upgrades the mismatched redundancy port only when both the active redundancy port and the mismatched redundancy port are in INSTALL mode.
· HA pair: If one of the controllers is not upgraded successfully, use Auto-Upgrade to upgrade the controller on the newly deployed HA pair, whose members can each be a different version.
· SMUs (APSP, APDP, and so on): SMUs that were successfully installed on the active controller while the standby controller was offline. In this scenario, when the standby controller comes back online, Auto-Upgrade copies these SMUs to the standby controller and installs them.

Configuration Workflow
Configuring Auto-Upgrade (CLI), on page 1252

Configuring Auto-Upgrade (CLI)

Procedure

Step 1: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: software auto-upgrade enable
Example:
Device(config)# software auto-upgrade enable
Purpose: Enables the Auto-Upgrade feature. (This feature is enabled by default.)
If you disable this feature using the no form of this command, you need to manually auto upgrade using the install autoupgrade command in privileged EXEC mode.

Step 3: end
Example:
Device(config)# end
Purpose: Returns to privileged EXEC mode.


PART X
Quality of Service
· Quality of Service, on page 1257
· Wireless Auto-QoS, on page 1289
· Native Profiling, on page 1295
· Air Time Fairness, on page 1307
· IPv6 Non-AVC QoS Support, on page 1317
· QoS Basic Service Set Load, on page 1321

CHAPTER 132
Quality of Service
· Wireless QoS Overview, on page 1257
· Wireless QoS Targets, on page 1258
· Wireless QoS Mobility, on page 1259
· Precious Metal Policies for Wireless QoS, on page 1259
· Prerequisites for Wireless QoS, on page 1260
· Restrictions for QoS on Wireless Targets, on page 1260
· Metal Policy Format, on page 1261
· How to apply Bi-Directional Rate Limiting, on page 1268
· How to apply Per Client Bi-Directional Rate Limiting, on page 1275
· How to Configure Wireless QoS, on page 1279
· Configuring Custom QoS Mapping, on page 1284
· Configuring DSCP-to-User Priority Mapping Exception, on page 1285
· Configuring Trust Upstream DSCP Value, on page 1286
Wireless QoS Overview
Quality of Service (QoS) provides the ability to prioritize traffic by giving preferential treatment to specific traffic over other traffic types. Without QoS, the device offers best-effort service for each packet, regardless of the packet contents or size. The device sends the packets without any assurance of reliability, delay bounds, or throughput. A target is the entity where the policy is applied. Wireless QoS policies for SSID and client are applied in the upstream and (or) downstream direction. The flow of traffic from a wired source to a wireless target is known as downstream traffic. The flow of traffic from a wireless source to a wired target is known as upstream traffic. The following are some of the specific features provided by wireless QoS:
· SSID and client policies on wireless QoS targets
· Marking and Policing (also known as Rate Limiting) of wireless traffic
· Mobility support for QoS
Wireless QoS Targets
This section describes the various wireless QoS targets available on a device.

SSID Policies
You can create QoS policies on SSID in both the ingress and egress directions. If not configured, there is no SSID policy applied. The policy is applicable per AP per SSID. You can configure policing and marking policies on SSID.

Client Policies
Client policies are applicable in the ingress and egress direction. You can configure policing and marking policies on clients. AAA override is also supported.

Supported QoS Features on Wireless Targets
This table describes the various features available on wireless targets.
Table 61: QoS Features Available on Wireless Targets

Target   Features             Direction Where Policies Are Applicable
SSID     Set, Police, Drop    Upstream and downstream
Client   Set, Police, Drop    Upstream and downstream

This table lists the policy actions supported on wireless targets in each AP mode.
Table 62: QoS Policy Actions

Policy Action Types   Wireless Target Support
                      Local Mode   Flex Mode
Police                Supported    Supported
Set                   Supported    Supported


This table lists the set actions supported on wireless targets in each AP mode.
Table 63: QoS Policy Set Actions

Set Action Types                            Local Mode              Flex Mode
set dscp                                    Supported               Supported
set qos-group                               Supported               Not Supported
set wlan user-priority (downstream only)    Supported (BSSID only)  Supported (BSSID only)

Wireless QoS Mobility
Wireless QoS mobility enables you to configure QoS policies so that the network provides the same service anywhere in the network. A wireless client can roam from one location to another and, as a result, can associate with different access points, which may be joined to a different device. Wireless client roaming can be classified into two types:
· Intra-device roaming
· Inter-device roaming

Note In a foreign WLC, client statistics are not displayed.

Note The client policies must be available on all of the devices in the mobility group. The same SSID policy must be applied to all devices in the mobility group so that the clients get consistent treatment.
Precious Metal Policies for Wireless QoS
The precious metal policies are system-defined policies that are available on the controller. They cannot be removed or changed. The following policies are available:
· Platinum--Used for VoIP clients.
· Gold--Used for video clients.
· Silver--Used for traffic that can be considered best-effort.
· Bronze--Used for NRT traffic.
These policies are pre-configured. They cannot be modified.

Client metal policies can be pushed using AAA. Based on the policies applied, the 802.11e (WMM) and DSCP fields in the packets are affected. For more information about the metal policy format, see the Metal Policy Format, on page 1261 section. For more information about DSCP to UP mapping, see the Architecture for Voice, Video and Integrated Data (AVVID), on page 1267 table.
Prerequisites for Wireless QoS
Before configuring wireless QoS, you must have a thorough understanding of these items:
· Wireless concepts and network topologies.
· Understanding of QoS implementation.
· Modular QoS CLI (MQC). For more information on Modular QoS, see the MQC guide.
· The types of applications used and the traffic patterns on your network.
· Bandwidth requirements and speed of the network.
Restrictions for QoS on Wireless Targets
General Restrictions
A target is an entity where a policy is applied. A policy can be applied to a wireless target, which can be an SSID or client target, in the downstream and/or upstream direction. Downstream indicates that traffic is flowing from the controller to the wireless client. Upstream indicates that traffic is flowing from the wireless client to the controller.
· Hierarchical (parent policy and child policy) QoS is not supported.
· SSID and client targets can be configured only with marking and policing policies.
· One policy per target per direction is supported.
· Class maps in a policy map can have different types of filters. However, only one marking action (set dscp) is supported.
· Only one set action per class is supported.
· Access group matching is not supported.
· Access group (ACL) matching is not supported by access points in flex mode for local switching traffic.
· SIP Call Admission Control (CAC) is not supported on the central switching mode.
· From Cisco IOS XE Amsterdam 17.3.1 onwards, SIP Call Admission Control (CAC) is not supported.
· Applying QoS on the WMI interface is not supported, as it may reboot the controller.


AP Side Restrictions
· In Cisco Embedded Wireless Controller, FlexConnect local switching, and SDA deployments, the QoS policies are enforced on the AP. Due to this AP-side restriction, police actions (for example, rate limiting) are enforced only at a per-flow (5-tuple) level and not per client.
Control Plane Rate Limiting and Policing
You need not explicitly configure control plane rate limiting or policing on the controller. The controller has embedded mechanisms (such as policers) to protect the CPU by policing control plane traffic directed towards it. If you are migrating from AireOS to IOS-XE, this change is taken care of at the code level.
Metal Policy Format
Metal policies are system defined; you cannot change or delete them. There are four levels of metal policy: Platinum, Gold, Silver, and Bronze.
Note Each metal policy defines a DSCP ceiling so that the DSCP or the UP marking does not exceed a certain value. For Platinum the value is 46, Gold is AF41, Silver is 22, and Bronze is CS1.

Policy Name: platinum
Policy-map Format:
policy-map platinum
 class cm-dscp-34
  set dscp af41
 class cm-dscp-45
  set dscp 45
 class cm-dscp-46
  set dscp ef
 class cm-dscp-47
  set dscp 47

Policy Name: gold
Policy-map Format:
policy-map gold
 class cm-dscp-45
  set dscp af41
 class cm-dscp-46
  set dscp af41
 class cm-dscp-47
  set dscp af41

Policy Name: silver
Policy-map Format:
policy-map silver
 class cm-dscp-34
  set dscp default
 class cm-dscp-45
  set dscp default
 class cm-dscp-46
  set dscp default
 class cm-dscp-47
  set dscp default

Policy Name: bronze
Policy-map Format:
policy-map bronze
 class cm-dscp-0
  set dscp cs1
 class cm-dscp-34
  set dscp cs1
 class cm-dscp-45
  set dscp cs1
 class cm-dscp-46
  set dscp cs1
 class cm-dscp-47
  set dscp cs1

Class-map Format (shared by the four policies above):
class-map match-any cm-dscp-34
 match dscp af41
class-map match-any cm-dscp-45
 match dscp 45
class-map match-any cm-dscp-46
 match dscp ef
class-map match-any cm-dscp-47
 match dscp 47
class-map match-any cm-dscp-0
 match dscp default

Policy Name: platinum-up
Policy-map Format:
policy-map platinum-up
 class cm-dscp-set1-for-up-4
  set dscp af41
 class cm-dscp-set2-for-up-4
  set dscp af41
 class cm-dscp-for-up-5
  set dscp af41
 class cm-dscp-for-up-6
  set dscp ef
 class cm-dscp-for-up-7
  set dscp ef

Policy Name: gold-up
Policy-map Format:
policy-map gold-up
 class cm-dscp-for-up-6
  set dscp af41
 class cm-dscp-for-up-7
  set dscp af41

Policy Name: silver-up
Policy-map Format:
policy-map silver-up
 class cm-dscp-set1-for-up-4
  set dscp default
 class cm-dscp-set2-for-up-4
  set dscp default
 class cm-dscp-for-up-5
  set dscp default
 class cm-dscp-for-up-6
  set dscp default
 class cm-dscp-for-up-7
  set dscp default

Policy Name: bronze-up
Policy-map Format:
policy-map bronze-up
 class cm-dscp-for-up-0
  set dscp cs1
 class cm-dscp-for-up-1
  set dscp cs1
 class cm-dscp-set1-for-up-4
  set dscp cs1
 class cm-dscp-set2-for-up-4
  set dscp cs1
 class cm-dscp-for-up-5
  set dscp cs1
 class cm-dscp-for-up-6
  set dscp cs1
 class cm-dscp-for-up-7
  set dscp cs1

Class-map Format (shared by the four upstream policies above):
class-map match-any cm-dscp-for-up-0
 match dscp default
 match dscp cs2
class-map match-any cm-dscp-for-up-1
 match dscp cs1
class-map match-any cm-dscp-set1-for-up-4
 match dscp cs3
 match dscp af31
 match dscp af32
 match dscp af33
class-map match-any cm-dscp-set2-for-up-4
 match dscp af41
 match dscp af42
 match dscp af43
class-map match-any cm-dscp-for-up-5
 match dscp cs4
 match dscp cs5
class-map match-any cm-dscp-for-up-6
 match dscp 44
 match dscp ef
class-map match-any cm-dscp-for-up-7
 match dscp cs6
 match dscp cs7

Policy Name: clwmm-platinum
Policy-map Format:
policy-map clwmm-platinum
 class voice-plat
  set dscp ef
 class video-plat
  set dscp af41
 class class-default
  set dscp default

Policy Name: clwmm-gold
Policy-map Format:
policy-map clwmm-gold
 class voice-gold
  set dscp af41
 class video-gold
  set dscp af41
 class class-default
  set dscp default

Policy Name: clnon-wmm-platinum
Policy-map Format:
policy-map clnon-wmm-platinum
 class class-default
  set dscp ef

Policy Name: clnon-wmm-gold
Policy-map Format:
policy-map clnon-wmm-gold
 class class-default
  set dscp af41

Policy Name: clsilver
Policy-map Format:
policy-map clsilver
 class class-default
  set dscp default

Policy Name: clbronze
Policy-map Format:
policy-map clbronze
 class class-default
  set dscp cs1

Class-map Format (shared by the client policies above):
class-map match-any voice-plat
 match dscp ef
class-map match-any video-plat
 match dscp af41
class-map match-any voice-gold
 match dscp ef
class-map match-any video-gold
 match dscp af41
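The following is an added example, not code from the Cisco guide: it encodes the downstream (platinum, gold, silver, bronze) and upstream (-up) metal policies from the tables above as data and applies first-match MQC semantics to sample markings, so you can check what each policy does to a given DSCP before trusting it on a production SSID. The DSCP name table is the standard DiffServ set; the function names and sample markings are this example's own, and a DSCP that no class in a policy map matches is left unchanged, exactly as the policy maps above are written.

```python
# Added example (not from the Cisco guide). The class-map and policy-map
# contents are transcribed from the Metal Policy Format tables; the Python
# structure, function names and sample markings are this example's own.

# Standard DiffServ code point names -> 6-bit DSCP values.
DSCP_NAMES = {
    "default": 0, "cs1": 8, "cs2": 16, "cs3": 24, "cs4": 32, "cs5": 40,
    "cs6": 48, "cs7": 56, "af11": 10, "af12": 12, "af13": 14, "af21": 18,
    "af22": 20, "af23": 22, "af31": 26, "af32": 28, "af33": 30, "af41": 34,
    "af42": 36, "af43": 38, "ef": 46,
}


def dscp(value):
    """Resolve a DSCP given as a name ('ef'), a numeric string ('45') or an int."""
    if isinstance(value, str) and value in DSCP_NAMES:
        return DSCP_NAMES[value]
    return int(value)


# class-map match-any <name> -> its "match dscp" entries (as in the guide).
CLASS_MAPS = {
    # downstream class maps used by platinum/gold/silver/bronze
    "cm-dscp-0": ["default"], "cm-dscp-34": ["af41"], "cm-dscp-45": ["45"],
    "cm-dscp-46": ["ef"], "cm-dscp-47": ["47"],
    # upstream class maps used by the *-up policies, grouped by 802.11e UP
    "cm-dscp-for-up-0": ["default", "cs2"],
    "cm-dscp-for-up-1": ["cs1"],
    "cm-dscp-set1-for-up-4": ["cs3", "af31", "af32", "af33"],
    "cm-dscp-set2-for-up-4": ["af41", "af42", "af43"],
    "cm-dscp-for-up-5": ["cs4", "cs5"],
    "cm-dscp-for-up-6": ["44", "ef"],
    "cm-dscp-for-up-7": ["cs6", "cs7"],
}

UP_CLASSES = ["cm-dscp-set1-for-up-4", "cm-dscp-set2-for-up-4",
              "cm-dscp-for-up-5", "cm-dscp-for-up-6", "cm-dscp-for-up-7"]

# policy-map <name> -> ordered (class, "set dscp" value) pairs from the guide.
POLICY_MAPS = {
    "platinum": [("cm-dscp-34", "af41"), ("cm-dscp-45", "45"),
                 ("cm-dscp-46", "ef"), ("cm-dscp-47", "47")],
    "gold": [("cm-dscp-45", "af41"), ("cm-dscp-46", "af41"),
             ("cm-dscp-47", "af41")],
    "silver": [(c, "default") for c in
               ("cm-dscp-34", "cm-dscp-45", "cm-dscp-46", "cm-dscp-47")],
    "bronze": [(c, "cs1") for c in
               ("cm-dscp-0", "cm-dscp-34", "cm-dscp-45", "cm-dscp-46", "cm-dscp-47")],
    "platinum-up": [("cm-dscp-set1-for-up-4", "af41"), ("cm-dscp-set2-for-up-4", "af41"),
                    ("cm-dscp-for-up-5", "af41"), ("cm-dscp-for-up-6", "ef"),
                    ("cm-dscp-for-up-7", "ef")],
    "gold-up": [("cm-dscp-for-up-6", "af41"), ("cm-dscp-for-up-7", "af41")],
    "silver-up": [(c, "default") for c in UP_CLASSES],
    "bronze-up": [(c, "cs1") for c in
                  ["cm-dscp-for-up-0", "cm-dscp-for-up-1"] + UP_CLASSES],
}


def apply_policy(policy_name, marking):
    """DSCP a packet leaves with after the named metal policy.

    MQC semantics as modelled here: classes are evaluated in policy-map order,
    the first class-map whose match-any list contains the packet's DSCP wins
    and its 'set dscp' is applied; a packet matching no class keeps its DSCP.
    """
    value = dscp(marking)
    for class_name, new_dscp in POLICY_MAPS[policy_name]:
        if any(dscp(m) == value for m in CLASS_MAPS[class_name]):
            return dscp(new_dscp)
    return value


def remark_table(policy_name, markings):
    """Map each sample marking to the DSCP it becomes under the policy."""
    return {m: apply_policy(policy_name, m) for m in markings}


if __name__ == "__main__":
    # Constructed sample: markings a voice/video client might send or receive.
    SAMPLE = ["ef", "45", "47", "af41", "cs3", "default"]
    for name in ("platinum", "gold", "silver", "bronze"):
        print(f"{name:<9} {remark_table(name, SAMPLE)}")
    for name in ("platinum-up", "gold-up", "silver-up", "bronze-up"):
        print(f"{name:<12} {remark_table(name, ['cs7', 'ef', 'af33', 'cs2'])}")
```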

Auto QoS Policy Format

Policy Name: enterprise-avc
Policy-map Format:
policy-map AutoQos-4.0-wlan-ET-SSID-Input-AVC-Policy
 class AutoQos-4.0-wlan-Voip-Data-Class
  set dscp ef
 class AutoQos-4.0-wlan-Voip-Signal-Class
  set dscp cs3
 class AutoQos-4.0-wlan-Multimedia-Conf-Class
  set dscp af41
 class AutoQos-4.0-wlan-Transaction-Class
  set dscp af21
 class AutoQos-4.0-wlan-Bulk-Data-Class
  set dscp af11
 class AutoQos-4.0-wlan-Scavanger-Class
  set dscp cs1
 class class-default
  set dscp default
policy-map AutoQos-4.0-wlan-ET-SSID-Output-Policy
 class AutoQos-4.0-RT1-Class
  set dscp ef
 class AutoQos-4.0-RT2-Class
  set dscp af31
 class class-default
Class-map Format:
class-map match-any AutoQos-4.0-wlan-Voip-Data-Class
 match dscp ef
class-map match-any AutoQos-4.0-wlan-Voip-Signal-Class
 match protocol skinny
 match protocol cisco-jabber-control
 match protocol sip
 match protocol sip-tls
class-map match-any AutoQos-4.0-wlan-Multimedia-Conf-Class
 match protocol cisco-phone-video
 match protocol cisco-jabber-video
 match protocol ms-lync-video
 match protocol webex-media
class-map match-any AutoQos-4.0-wlan-Transaction-Class
 match protocol cisco-jabber-im
 match protocol ms-office-web-apps
 match protocol salesforce
 match protocol sap
class-map match-any AutoQos-4.0-wlan-Bulk-Data-Class
 match protocol ftp
 match protocol ftp-data
 match protocol ftps-data
 match protocol cifs
class-map match-any AutoQos-4.0-wlan-Scavanger-Class
 match protocol netflix
 match protocol youtube
 match protocol skype
 match protocol bittorrent
class-map match-any AutoQos-4.0-RT1-Class
 match dscp ef
 match dscp cs6
class-map match-any AutoQos-4.0-RT2-Class
 match dscp cs4
 match dscp cs3
 match dscp af41

Policy Name: voice
Policy-map Format:
policy-map platinum-up
 class dscp-for-up-4
  set dscp 34
 class dscp-for-up-5
  set dscp 34
 class dscp-for-up-6
  set dscp 46
 class dscp-for-up-7
  set dscp 46
policy-map platinum
 class cm-dscp-34
  set dscp 34
 class cm-dscp-46
  set dscp 46

Policy Name: guest
Policy-map Format:
Policy Map AutoQos-4.0-wlan-GT-SSID-Output-Policy
 Class class-default
  set dscp default
Policy Map AutoQos-4.0-wlan-GT-SSID-Input-Policy
 Class class-default
  set dscp default

Policy Name: port (only applies to Local Mode)
Policy-map Format:
policy-map AutoQos-4.0-wlan-Port-Output-Policy
 class AutoQos-4.0-Output-CAPWAP-C-Class
  priority level 1
 class AutoQos-4.0-Output-Voice-Class
  priority level 2
 class class-default
Class-map Format:
class-map match-any AutoQos-4.0-Output-CAPWAP-C-Class
 match access-group name AutoQos-4.0-Output-Acl-CAPWAP-C
ip access-list extended AutoQos-4.0-Output-Acl-CAPWAP-C
 permit udp any eq 5246 16666 any
class-map match-any AutoQos-4.0-Output-Voice-Class
 match dscp ef

Architecture for Voice, Video and Integrated Data (AVVID)

IETF DiffServ Service Class   DSCP             IEEE 802.11e User Priority   Access Category
Network Control               (CS7) CS6        0                            AC_BE
Telephony                     EF               6                            AC_VO
VOICE-ADMIT                   44               6                            AC_VO
Signaling                     CS5              5                            AC_VI
Multimedia Conferencing       AF41 AF42 AF43   4                            AC_VI
Real-Time Interactive         CS4              5                            AC_VI
Multimedia Streaming          AF31 AF32 AF33   4                            AC_VI
Broadcast Video               CS3              4                            AC_VI
Low-Latency Data              AF21 AF22 AF23   3                            AC_BE
OAM                           CS2              0                            AC_BE
High-Throughput Data          AF11 AF12 AF13   2                            AC_BK
Standard                      DF               0                            AC_BE
Low-Priority Data             CS1              1                            AC_BK
Remaining                     Remaining        0                            AC_BE

How to apply Bi-Directional Rate Limiting
Information about Bi-Directional Rate Limiting
The Bi-Directional Rate Limiting (BDRL) feature defines rate limits on both upstream and downstream traffic. These rate limits are configured individually. The rate limits can be configured on the WLAN directly instead of in QoS profiles, which overrides the QoS profile values. The WLAN rate limit always supersedes the global QoS setting for the controller and clients. The BDRL feature defines throughput limits for clients on their wireless networks and allows setting a priority service to a particular set of clients. The following four QoS profiles are available to configure the rate limits:
· Gold
· Platinum
· Silver
· Bronze
The QoS profile is applied to all clients on the associated SSID. Therefore, all clients connected to the same SSID have the same rate limits. To configure BDRL, select the QoS profile and configure the various rate limiting parameters. When the rate limiting parameters are set to 0, the rate limiting feature is not functional. Each WLAN has a QoS profile associated with it in addition to the configuration in the QoS profile.

Note BDRL in a mobility Anchor-Foreign setup must be configured on both the Anchor and the Foreign controller. As a best practice, it is recommended to perform identical configuration on both controllers to avoid breakage of any feature. BDRL is supported in Guest anchor scenarios. The feature is supported in IRCM guest scenarios with AireOS as Guest anchor or Guest Foreign. Cisco Catalyst 9800 Series Wireless Controller uses the Policing option to rate limit the traffic.
To apply a metal policy with BDRL, perform the following tasks:
· Configure Metal Policy on SSID
· Configure Metal Policy on Client
· Configure Bi-Directional Rate Limiting for All Traffic, on page 1271
· Configure Bi-Directional Rate Limiting Based on Traffic Classification, on page 1271
· Apply Bi-Directional Rate Limiting Policy Map to Policy Profile, on page 1273
· Apply Metal Policy with Bi-Directional Rate Limiting, on page 1274

Prerequisites for Bi-Directional Rate Limiting
· Client metal policy is applied through AAA-override.
· You must specify the metal policy on the ISE server.
· AAA-override must be enabled on the policy profile.

Configure Metal Policy on SSID

Procedure

Step 1: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: wireless profile policy policy-profile-name
Example:
Device(config)# wireless profile policy policy-profile1
Purpose: Configures WLAN policy profile and enters wireless policy configuration mode.

Step 3: description description
Example:
Device(config-wireless-policy)# description policy-profile1
Purpose: Adds a user defined description to the new wireless policy.

Step 4: service-policy input input-policy
Example:
Device(config-wireless-policy)# service-policy input platinum-up
Purpose: Sets platinum policy for input.

Step 5: service-policy output output-policy
Example:
Device(config-wireless-policy)# service-policy output platinum
Purpose: Sets platinum policy for output.

Configure Metal Policy on Client

Procedure

Step 1: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: wireless profile policy policy-profile-name
Example:
Device(config)# wireless profile policy policy-profile1
Purpose: Configures WLAN policy profile and enters wireless policy configuration mode.

Step 3: description description
Example:
Device(config-wireless-policy)# description profile with aaa override
Purpose: Adds a user defined description to the new wireless policy.

Step 4: aaa-override
Example:
Device(config-wireless-policy)# aaa-override
Purpose: Enables AAA override on the WLAN.
Note After AAA-override is enabled and the ISE server starts sending policy, the client policy defined in service-policy client will not take effect.

Configure Bi-Directional Rate Limiting for All Traffic
Use the police action in the policy-map to configure BDRL.

Procedure

Step 1: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: policy-map policy-map
Example:
Device(config)# policy-map policy-sample
Purpose: Creates a named object representing a set of policies that are to be applied to a set of traffic classes. Policy-map names can contain alphabetic, hyphen, or underscore characters, are case sensitive, and can be up to 40 characters.

Step 3: class class-map-name
Example:
Device(config-pmap)# class class-default
Purpose: Associates a class map with the policy map, and enters policy-map class configuration mode.

Step 4: police rate
Example:
Device(config-pmap-c)# police 500000
Purpose: Configures traffic policing (average rate, in bits per second). Valid values are 8000 to 200000000.

Configure Bi-Directional Rate Limiting Based on Traffic Classification

Procedure

Step 1: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: policy-map policy-map
Example:
Device(config)# policy-map policy-sample2
Purpose: Creates a named object representing a set of policies that are to be applied to a set of traffic classes. Policy-map names can contain alphabetic, hyphen, or underscore characters, are case sensitive, and can be up to 40 characters.

Step 3: class class-map-name
Example:
Device(config-pmap)# class class-sample-youtube
Purpose: Associates a class map with the policy map, and enters policy-map class configuration mode.

Step 4: police rate
Example:
Device(config-pmap-c)# police 1000000
Purpose: Configures traffic policing (average rate, in bits per second). Valid values are 8000 to 200000000.

Step 5: conform-action drop
Example:
Device(config-pmap-c-police)# conform-action drop
Purpose: Specifies the drop action to take on packets that conform to the rate limit.

Step 6: exceed-action drop
Example:
Device(config-pmap-c-police)# exceed-action drop
Purpose: Specifies the drop action to take on packets that exceed the rate limit.

Step 7: exit
Example:
Device(config-pmap-c-police)# exit
Purpose: Exits the policy-map class police configuration mode.

Step 8: set dscp default
Example:
Device(config-pmap-c)# set dscp default
Purpose: Sets the DSCP value to default.

Step 9: police rate
Example:
Device(config-pmap-c)# police 500000
Purpose: Configures traffic policing (average rate, in bits per second). Valid values are 8000 to 200000000.

Step 10: exit
Example:
Device(config-pmap-c)# exit
Purpose: Exits the policy-map class configuration mode.

Step 11: exit
Example:
Device(config-pmap)# exit
Purpose: Exits the policy-map configuration mode.

Step 12: class-map match-any class-map-name
Example:
Device(config)# class-map match-any class-sample-youtube
Purpose: Selects a class map.

Step 13: match protocol protocol
Example:
Device(config-cmap)# match protocol youtube
Purpose: Configures the match criteria for a class map on the basis of the specified protocol.

Apply Bi-Directional Rate Limiting Policy Map to Policy Profile

Procedure

Step 1: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: wireless profile policy policy-profile-name
Example:
Device(config)# wireless profile policy policy-profile3
Purpose: Configures WLAN policy profile and enters wireless policy configuration mode.

Step 3: description description
Example:
Device(config-wireless-policy)# description policy-profile3
Purpose: Adds a user defined description to the new wireless policy.

Step 4: service-policy client input input-policy
Example:
Device(config-wireless-policy)# service-policy client input platinum-up
Purpose: Sets the input client service policy as platinum.

Step 5: service-policy client output output-policy
Example:
Device(config-wireless-policy)# service-policy client output platinum
Purpose: Sets the output client service policy as platinum.

Step 6: service-policy input input-policy
Example:
Device(config-wireless-policy)# service-policy input platinum-up
Purpose: Sets the input service policy as platinum.

Step 7: service-policy output output-policy
Example:
Device(config-wireless-policy)# service-policy output platinum
Purpose: Sets the output service policy as platinum.

Apply Metal Policy with Bi-Directional Rate Limiting

Procedure

Step 1: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: wireless profile policy policy-profile-name
Example:
Device(config)# wireless profile policy policy-profile3
Purpose: Configures WLAN policy profile and enters wireless policy configuration mode.

Step 3: description description
Example:
Device(config-wireless-policy)# description policy-profile3
Purpose: Adds a user defined description to the new wireless policy.

Step 4: service-policy client input input-policy
Example:
Device(config-wireless-policy)# service-policy client input platinum-up
Purpose: Sets the input client service policy as platinum.

Step 5: service-policy client output output-policy
Example:
Device(config-wireless-policy)# service-policy client output platinum
Purpose: Sets the output client service policy as platinum.

Step 6: service-policy input input-policy
Example:
Device(config-wireless-policy)# service-policy input platinum-up
Purpose: Sets the input service policy as platinum.

Step 7: service-policy output output-policy
Example:
Device(config-wireless-policy)# service-policy output platinum
Purpose: Sets the output service policy as platinum.

Step 8: exit
Example:
Device(config-wireless-policy)# exit
Purpose: Exits the policy configuration mode.

Step 9: policy-map policy-map
Example:
Device(config)# policy-map policy-sample
Purpose: Creates a named object representing a set of policies that are to be applied to a set of traffic classes. Policy map names can contain alphabetic, hyphen, or underscore characters, are case sensitive, and can be up to 40 characters.

Step 10: class class-map-name
Example:
Device(config-pmap)# class class-default
Purpose: Associates a class map with the policy map, and enters configuration mode for the specified system class.

Step 11: police rate
Example:
Device(config-pmap-c)# police 500000
Purpose: Configures traffic policing (average rate, in bits per second). Valid values are 8000 to 200000000.

How to apply Per Client Bi-Directional Rate Limiting
Information About Per Client Bi-Directional Rate Limiting
The Per Client Bi-Directional Rate Limiting feature adds bi-directional rate limiting for each wireless client on 802.11ac Wave 2 APs in a Flex local switching configuration. Earlier, the Wave 2 APs supported only per-flow rate limiting for a wireless client. When a wireless client starts multiple streams of traffic, client-based rate limiting does not work as expected. This limitation is addressed by this feature.
For instance, suppose the controller is configured with a QoS policy and you expect each client to have a rate limiting cap of 1000 kbps. Due to per-flow rate limiting on the AP, if the wireless client starts a YouTube stream and an FTP stream, each of them is rate limited at 1000 kbps, so the client is effectively limited at 2000 kbps. This is not desirable.
Use Cases
The following are the use cases supported by the Per Client Bi-Directional Rate Limiting feature:
Use Case 1: Configuring only the default class map
If the policy map is configured only with the default class map and is mapped only to the QoS client policy, the AP applies a per-client rate limit to the client connected to the AP.
Use Case 2: Changing from per-client rate limit to per-flow rate limit
If the policy map is configured with another class map along with the default class map and is mapped to the QoS client policy, the AP applies a per-flow rate limit to the client, because the policy map has a class map other than the default class map. If the AP had previously configured a per-client rate limit, the per-client rate limit values are cleared.
If the policy map has more than one class map, an additional class map is configured along with the default class map, so the rate limit changes from per client to per flow. The per-client rate limit value is deleted from the rate info token bucket.
Use Case 3: Changing from per-flow rate limit to per-client rate limit
If the other class map is removed from the policy map and the policy map has only the default class map, the AP applies a per-client rate limit to the client.
The following are the high-level steps for the Per Client Bi-Directional Rate Limiting feature:
1. Configure a policy map to WLAN through policy profile.
2. Map the QoS related policy map to WLAN.
3. Configure policy map with the default class map.
4. Configure different police rate value for class Default map.

Note If policy map has class Default with valid police rate value, AP applies that rate limit to the overall client data traffic flow.

5. Apply the policy map with class Default to QoS client policy in WLAN policy profile.
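The following is an added example, not code from the Cisco guide: a small token-bucket model of the per-flow versus per-client policing behaviour described above, including the rule from the use cases that per-client limiting applies only when the QoS client policy map contains nothing but class-default. The police rate (1000 kbps), burst size, the two sample flows (a YouTube stream and an FTP transfer) and the policy-map names are constructed values for the simulation.

```python
# Added example (not from the Cisco guide): a token-bucket model of the
# per-flow versus per-client policing behaviour described above. Rates,
# burst size, the two sample flows and the policy-map names are constructed.

from dataclasses import dataclass, field


@dataclass
class TokenBucket:
    """Single-rate policer: rate in bits per second, burst in bits."""
    rate: float
    burst: float
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.tokens = self.burst

    def allow(self, now, bits):
        """Refill for the elapsed time, then conform (True) or exceed (False)."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if bits <= self.tokens:
            self.tokens -= bits
            return True
        return False


def per_client_limit_applies(policy_map):
    """Use cases 1-3 above: the AP limits per client only when the policy map
    attached as the QoS client policy contains nothing but class-default."""
    return list(policy_map) == ["class-default"]


def simulate(policy_map, flows, duration_s=1.0, step_s=0.001):
    """Offer each flow (name -> offered bits per second) to the policer and
    return forwarded bits per flow. policy_map maps class names to the police
    rate (bps) configured under that class; class-default must be present."""
    rate = policy_map["class-default"]
    burst = rate / 4                       # constructed burst: 250 ms of tokens
    if per_client_limit_applies(policy_map):
        shared = TokenBucket(rate, burst)  # one bucket for the whole client
        buckets = {name: shared for name in flows}
    else:
        # per-flow policing: every 5-tuple gets its own bucket at the same rate
        buckets = {name: TokenBucket(rate, burst) for name in flows}
    forwarded = {name: 0.0 for name in flows}
    steps = int(round(duration_s / step_s))
    for i in range(steps):
        now = i * step_s
        for name, bps in flows.items():
            bits = bps * step_s
            if buckets[name].allow(now, bits):
                forwarded[name] += bits
    return forwarded


def client_throughput_bps(policy_map, flows, duration_s=1.0):
    """Aggregate rate the client actually achieved across all of its flows."""
    return sum(simulate(policy_map, flows, duration_s).values()) / duration_s


if __name__ == "__main__":
    # The scenario from the text: a 1000 kbps client cap, a YouTube stream and
    # an FTP transfer each offering 1500 kbps (constructed offered rates).
    FLOWS = {"youtube": 1_500_000, "ftp": 1_500_000}
    PER_CLIENT = {"class-default": 1_000_000}
    PER_FLOW = {"class-sample-youtube": 1_000_000, "class-default": 1_000_000}
    for label, pm in (("per-client", PER_CLIENT), ("per-flow", PER_FLOW)):
        kbps = client_throughput_bps(pm, FLOWS) / 1000
        print(f"{label:<10} client total ~{kbps:.0f} kbps")
```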

Prerequisites for Per Client Bi-Directional Rate Limiting
· This feature is exclusive to QoS client policy, that is, the policy profile must have only QoS Policy or policy target as client.
· If policy map has class default with valid police rate value, AP applies that rate limit value to the overall client data traffic flow.

Restrictions on Per Client Bi-Directional Rate Limiting
· If policy map has class map other than the class Default map, the per client rate limit does not work in AP.

Configuring Per Client Bi-Directional Rate Limiting (GUI)
Procedure

Step 1: Choose Configuration > Tags & Profiles > Policy.
Step 2: Click the Policy Profile Name.
The Edit Policy Profile window is displayed.
Note The Edit Policy Profile window is displayed and configured in default class map only.
Step 3: Choose the QOS And AVC tab.
Step 4: In the QoS Client Policy settings, choose the policies from the Egress and Ingress drop-down lists.
Note You need to apply the default policy map to the QoS Client Policy.
Step 5: Click Update & Apply to Device.

Verifying Per Client Bi-Directional Rate Limiting

To verify whether the per client rate limit is applied in the AP, use the following command:

Device# show rate-limit client
Config:
mac                vap  rt_rate_out  rt_rate_in  rt_burst_out  rt_burst_in  nrt_rate_out  nrt_rate_in  nrt_burst_out  nrt_burst_in
A0:D3:7A:12:6C:5E  0    0            0           0             0            0             0             0              0
Statistics:
name              up      down
Unshaped          0       0
Client RT pass    697610  8200
Client NRT pass   0       0
Client RT drops   0       0
Client NRT drops  0       16
9 180 0
Per client rate limit:
mac                vap  rate_out  rate_in  policy
A0:D3:7A:12:6C:5E  0    88        23       per_client_rate_2

Configuring BDRL Using AAA Override

Procedure

Step 1: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: wireless profile policy profile-name
Example: Device(config)# wireless profile policy default-policy-profile
Purpose: Configures the WLAN policy profile and enters wireless policy configuration mode.

Step 3: aaa-override
Example: Device(config-wireless-policy)# aaa-override
Purpose: Configures AAA override to apply policies coming from the AAA server or the Cisco Identity Services Engine (ISE) server.
The following attributes are available in the RADIUS server:
· Airespace-Data-Bandwidth-Average-Contract: 8001
· Airespace-Real-Time-Bandwidth-Average-Contract: 8002
· Airespace-Data-Bandwidth-Burst-Contract: 8003
· Airespace-Real-Time-Bandwidth-Burst-Contract: 8004
· Airespace-Data-Bandwidth-Average-Contract-Upstream: 8005
· Airespace-Real-Time-Bandwidth-Average-Contract-Upstream: 8006
· Airespace-Data-Bandwidth-Burst-Contract-Upstream: 8007
· Airespace-Real-Time-Bandwidth-Burst-Contract-Upstream: 8008
Note 8001, 8002, 8003, 8004, 8005, 8006, 8007, and 8008 are the desired rate-limit values configured as an example.
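The following Python model is an added illustration, not Cisco code, of how the eight Airespace RADIUS attributes above become a client's per-direction policers: the non-Upstream attributes govern downstream, Real-Time governs RT traffic and Data governs NRT traffic, which is the same mapping the verification output later in this section shows (8001 as the downstream average data rate, and so on). The names TokenBucket, ClientPolicer and SAMPLE_AAA are the example's own; two assumptions are marked in the code: the burst contract is treated as the bucket depth in kbit, and an average contract of 0 is treated as no limit. The counters are named after the statistics in show rate-limit client.

```python
"""Token-bucket model of per-client bi-directional rate limiting (BDRL).

Added illustration, not Cisco code. The attribute names are the Airespace
RADIUS attributes listed above; the direction/class each one governs is
read from its name (non-Upstream = downstream, Real-Time = RT, Data = NRT).
ASSUMPTIONS: the burst contract is treated as the bucket depth in kbit,
and an average contract of 0 means "no limit" for that direction/class.
"""
from dataclasses import dataclass, field

# attribute name -> (direction, traffic class, parameter kind)
AIRESPACE_BDRL_ATTRS = {
    "Airespace-Data-Bandwidth-Average-Contract": ("down", "NRT", "rate"),
    "Airespace-Real-Time-Bandwidth-Average-Contract": ("down", "RT", "rate"),
    "Airespace-Data-Bandwidth-Burst-Contract": ("down", "NRT", "burst"),
    "Airespace-Real-Time-Bandwidth-Burst-Contract": ("down", "RT", "burst"),
    "Airespace-Data-Bandwidth-Average-Contract-Upstream": ("up", "NRT", "rate"),
    "Airespace-Real-Time-Bandwidth-Average-Contract-Upstream": ("up", "RT", "rate"),
    "Airespace-Data-Bandwidth-Burst-Contract-Upstream": ("up", "NRT", "burst"),
    "Airespace-Real-Time-Bandwidth-Burst-Contract-Upstream": ("up", "RT", "burst"),
}

# Constructed sample: the example values the guide lists for each attribute.
SAMPLE_AAA = {
    "Airespace-Data-Bandwidth-Average-Contract": 8001,
    "Airespace-Real-Time-Bandwidth-Average-Contract": 8002,
    "Airespace-Data-Bandwidth-Burst-Contract": 8003,
    "Airespace-Real-Time-Bandwidth-Burst-Contract": 8004,
    "Airespace-Data-Bandwidth-Average-Contract-Upstream": 8005,
    "Airespace-Real-Time-Bandwidth-Average-Contract-Upstream": 8006,
    "Airespace-Data-Bandwidth-Burst-Contract-Upstream": 8007,
    "Airespace-Real-Time-Bandwidth-Burst-Contract-Upstream": 8008,
}


@dataclass
class TokenBucket:
    rate_kbps: int     # average contract: kbit of credit added per second
    depth_kbit: int    # burst contract: maximum credit held (assumption)
    tokens: float = field(init=False)

    def __post_init__(self):
        self.tokens = float(self.depth_kbit)   # bucket starts full

    def refill(self, elapsed_s: float) -> None:
        self.tokens = min(self.depth_kbit, self.tokens + self.rate_kbps * elapsed_s)

    def offer(self, kbit: float) -> bool:
        """Admit a frame of `kbit` only if enough credit is available."""
        if kbit <= self.tokens:
            self.tokens -= kbit
            return True
        return False


class ClientPolicer:
    """One client's policers, keyed by (direction, class) like the AP rate info."""

    def __init__(self, aaa_attrs: dict):
        params: dict = {}
        for name, value in aaa_attrs.items():
            if name in AIRESPACE_BDRL_ATTRS:
                direction, cls, kind = AIRESPACE_BDRL_ATTRS[name]
                params.setdefault((direction, cls), {})[kind] = int(value)
        self.buckets = {}
        for key, p in params.items():
            rate = p.get("rate", 0)
            if rate == 0:          # 0 = unlimited (assumption): no bucket
                continue
            # without a burst contract, allow one second's worth of credit
            self.buckets[key] = TokenBucket(rate, p.get("burst") or rate)
        # counters named after the 'show rate-limit client' statistics
        self.stats = {
            name: {"up": 0, "down": 0}
            for name in ("Unshaped", "Client RT pass", "Client NRT pass",
                         "Client RT drops", "Client NRT drops")
        }

    def police(self, direction: str, cls: str, kbit: float, elapsed_s: float = 0.0) -> bool:
        """Return True if the frame is forwarded, False if it is dropped."""
        bucket = self.buckets.get((direction, cls))
        if bucket is None:
            self.stats["Unshaped"][direction] += 1
            return True
        bucket.refill(elapsed_s)
        passed = bucket.offer(kbit)
        self.stats[f"Client {cls} {'pass' if passed else 'drops'}"][direction] += 1
        return passed


if __name__ == "__main__":
    pol = ClientPolicer(SAMPLE_AAA)
    # downstream NRT: 8003 kbit of burst credit, refilled at 8001 kbit/s
    print(pol.police("down", "NRT", 8000))               # True
    print(pol.police("down", "NRT", 100))                # False, credit exhausted
    print(pol.police("down", "NRT", 8003, elapsed_s=1))  # True after one second
    print(pol.stats)
```

A client whose AAA reply carries none of the attributes gets no buckets and every frame is counted as Unshaped, which matches the all-zero Config block in the first show rate-limit client output above; the second output, taken after the AAA override, shows the eight values populated.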

Verifying Bi-Directional Rate-Limit

To verify the bi-directional rate limit, use the following command:

Device# show wireless client mac-address E8-8E-00-00-00-71 detail
Client MAC Address : e88e.0000.0071
Client MAC Type : Universally Administered Address
Client IPv4 Address : 100.0.7.94
Client Username : e88e00000071
AP MAC Address : 0a0b.0c00.0200
AP Name : AP6B8B4567-0002
AP slot : 0
Client State : Associated
Policy Profile : dnas_qos_profile_policy
Flex Profile : N/A
Wireless LAN Id : 10
WLAN Profile Name : QoS_wlan
Wireless LAN Network Name (SSID): QoS_wlan
BSSID : 0a0b.0c00.0200
Connected For : 28 seconds
Protocol : 802.11n - 2.4 GHz
Channel : 1
Client IIF-ID : 0xa0000034
Association Id : 10
Authentication Algorithm : Open System
Idle state timeout : N/A
Session Timeout : 1800 sec (Remaining time: 1777 sec)
Session Warning Time : Timer not running
Input Policy Name : None
Input Policy State : None
Input Policy Source : None
Output Policy Name : None
Output Policy State : None
Output Policy Source : None
WMM Support : Enabled
U-APSD Support : Disabled
Fastlane Support : Disabled
Client Active State : In-Active
Power Save : OFF
Supported Rates : 1.0,2.0,5.5,6.0,9.0,11.0,12.0,18.0,24.0,36.0,48.0,54.0
AAA QoS Rate Limit Parameters:
QoS Average Data Rate Upstream : 8005 (kbps)
QoS Realtime Average Data Rate Upstream : 8006 (kbps)
QoS Burst Data Rate Upstream : 8007 (kbps)
QoS Realtime Burst Data Rate Upstream : 8008 (kbps)
QoS Average Data Rate Downstream : 8001 (kbps)
QoS Realtime Average Data Rate Downstream : 8002 (kbps)
QoS Burst Data Rate Downstream : 80300 (kbps)
QoS Realtime Burst Data Rate Downstream : 8004 (kbps)

To verify the rate-limit details from the AP terminal, use the following command:

Device# show rate-limit client
Config:
mac                vap  rt_rate_out  rt_rate_in  rt_burst_out  rt_burst_in  nrt_rate_out  nrt_rate_in  nrt_burst_out  nrt_burst_in
00:1C:F1:09:85:E7  0    8001         8002        8003          8004         8005          8006          8007           8008
Statistics:
name              up  down
Unshaped          0   0
Client RT pass    0   0
Client NRT pass   0   0
Client RT drops   0   0
Client NRT drops  0   0
Per client rate limit:
mac  vap  rate_out  rate_in  policy

How to Configure Wireless QoS

Configuring a Policy Map with Class Map (GUI)
Procedure

Step 1: Choose Configuration > Services > QoS.
Step 2: Click Add to view the Add QoS window.
Step 3: In the text box next to the Policy Name, enter the name of the new policy map that is being added.
Step 4: Click Add Class-Maps.
Step 5: Configure AVC based policies or User Defined policies.
To enable AVC based policies, configure the following:
a) Choose either Match Any or Match All.
b) Choose the required Mark Type. If you choose DSCP or User Priority, you must specify the appropriate Mark Value.
c) Check the Drop check box to drop traffic from specific sources.
Note When Drop is enabled, the Mark Type and Police(kbps) options are disabled.
d) Based on the chosen Match Type, select the required protocols from the Available Protocol(s) list and move them to the Selected Protocol(s) list. These selected protocols are the ones from which traffic is dropped.
e) Click Save.
Note To add more Class Maps, repeat steps 4 and 5.
Step 6: To enable User-Defined QoS policy, configure the following:
a) Choose either Match Any or Match All.
b) Choose either ACL or DSCP as the Match Type from the drop-down list, and then specify the appropriate Match Value.
c) Choose the required Mark Type to associate with the mark label. If you choose DSCP, you must specify an appropriate Mark Value.
d) Check the Drop check box to drop traffic from specific sources.
Note When Drop is enabled, the Mark Type and Police(kbps) options are disabled.
e) Click Save.
Note To define actions for all the remaining traffic, in the Class Default, choose Mark and/or Police(kbps) accordingly.
Step 7: Click Save & Apply to Device.

Configuring a Class Map (CLI)
Follow the procedure given below to configure class maps for voice and video traffic:

Procedure

Step 1: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: class-map class-map-name
Example: Device(config)# class-map test
Purpose: Creates a class map.

Step 3: match dscp dscp-value
Example: Device(config-cmap)# match dscp 46
Purpose: Matches the DSCP value in the IPv4 and IPv6 packets.
Note By default, the class map value is match-all.

Step 4: end
Example: Device(config-cmap)# end
Purpose: Exits the class map configuration and returns to the privileged EXEC mode.

Step 5: show class-map class-map-name
Example: Device# show class-map class_map_name
Purpose: Verifies the class map details.

Configuring Policy Profile to Apply QoS Policy (GUI)
Procedure

Step 1: Choose Configuration > Tags & Profiles > Policy.
Step 2: On the Policy Profile page, click the name of the policy profile.
Step 3: In the Edit Policy Profile window, click the QoS and AVC tab.
Step 4: Under QoS SSID Policy, choose the appropriate Ingress and Egress policies for WLANs.
Note The ingress policies can be differentiated from the egress policies by the suffix -up. For example, the Platinum ingress policy is named platinum-up.
Step 5: Under QoS Client Policy, choose the appropriate Ingress and Egress policies for clients.
Step 6: Click Update & Apply to Device.
Note Only custom policies are displayed under QoS Client Policy. AutoQoS policies are auto generated and not displayed for user selection.

Configuring Policy Profile to Apply QoS Policy (CLI)

Procedure

Step 1: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: wireless profile policy profile-policy
Example: Device(config)# wireless profile policy qostest
Purpose: Configures the WLAN policy profile and enters the wireless policy configuration mode.

Step 3: service-policy client {input | output} policy-name
Example: Device(config-wireless-policy)# service-policy client input policy-map-client
Purpose: Applies the policy. The following options are available:
· input--Assigns the client policy for ingress direction on the policy profile.
· output--Assigns the client policy for egress direction on the policy profile.

Step 4: service-policy {input | output} policy-name
Example: Device(config-wireless-policy)# service-policy input policy-map-ssid
Purpose: Applies the policy to the BSSID. The following options are available:
· input--Assigns the policy-map to all clients in WLAN.
· output--Assigns the policy-map to all clients in WLAN.

Step 5: no shutdown
Example: Device(config-wireless-policy)# no shutdown
Purpose: Enables the wireless policy profile.

Applying Policy Profile to Policy Tag (GUI)
Procedure

Step 1: Choose Configuration > Tags & Profiles > Tags.
Step 2: On the Manage Tags page in the Policy tab, click Add.
Step 3: In the Add Policy Tag window that is displayed, enter a name and description for the policy tag.
Step 4: Map the required WLAN IDs and WLAN profiles with appropriate policy profiles.
Step 5: Click Update & Apply to Device.

Applying Policy Profile to Policy Tag (CLI)

Procedure

Step 1: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: wireless tag policy policy-tag-name
Example: Device(config)# wireless tag policy qostag
Purpose: Configures policy tag and enters the policy tag configuration mode.

Step 3: wlan wlan-name policy profile-policy-name
Example: Device(config-policy-tag)# wlan test policy qostest
Purpose: Maps a policy profile to a WLAN profile.

Step 4: end
Example: Device(config-policy-tag)# end
Purpose: Saves the configuration, exits the configuration mode, and returns to privileged EXEC mode.

Step 5: show wireless tag policy summary
Example: Device# show wireless tag policy summary
Purpose: Displays the configured policy tags.
Note To view the detailed information of a policy tag, use the show wireless tag policy detailed policy-tag-name command.

Attaching Policy Tag to an AP

Procedure

Step 1: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: ap mac-address
Example: Device(config)# ap F866.F267.7DFB
Purpose: Configures Cisco APs and enters the ap profile configuration mode.

Step 3: policy-tag policy-tag-name
Example: Device(config-ap-tag)# policy-tag qostag
Purpose: Maps a Policy tag to the AP.

Step 4: end
Example: Device(config-ap-tag)# end
Purpose: Saves the configuration, exits the configuration mode, and returns to privileged EXEC mode.

Step 5: show ap tag summary
Example: Device# show ap tag summary
Purpose: Displays the ap details and tags associated to it.

Configuring Custom QoS Mapping
For interworking with IP networks, a map is devised between the 802.11e user priorities and the IP differentiated services code point (DSCP). Enable Hotspot 2.0 on the WLAN to support mapping exception.

Note Custom QoS mapping only applies to Hotspot 2.0.
Mapping is specified as DSCP ranges to individual user priority values, and as a set of exceptions with one-to-one mapping between DSCP values and UP values. If a QoS map is enabled and user-configurable mappings are not added, the default values are used.

Note Egress = Downstream = Output and Ingress = Upstream = Input

The following table shows a QoS map, where an AP provides a wireless client with the required mapping from IP DSCP to 802.11e user priority.
Table 64: Default DSCP-Range-to-User Priority Mapping

IP DSCP Range    802.11e User Priority
0-7              0
8-15             1
16-23            2
24-31            3
32-39            4
40-47            5
48-55            6
56-63            7


Procedure

Step 1: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: ap profile profile-name
Example: Device(config)# ap profile hs2-profile
Purpose: Configures an AP profile and enters AP profile configuration mode.

Step 3: qos-map dscp-to-up-range user-priority up-to-dscp dscp-start dscp-end
Example: Device(config-ap-profile)# qos-map dscp-to-up-range 6 52 23 62
Purpose: Configures DSCP-to-user priority mapping.
You can configure up to eight configuration entries, one for each user-priority value. If you do not configure a custom value, a nonconfigured value (0xFF) is sent to the AP.
Use the no form of this command to disable the configuration. To delete all the custom mappings, use the no dscp-to-up-range command.

Configuring DSCP-to-User Priority Mapping Exception

When you configure a QoS mapping or exception, a custom QoS map is created and sent to the corresponding AP. If there are no DSCP-to-user priority mapping or exception entries, an empty QoS map is used. The following table shows the set of exceptions with one-to-one mapping between DSCP values and user priority values.
Table 65: Default DSCP-Range-to-User Priority Mapping Exceptions

IP DSCP    802.11e User Priority
0          0
2          1
4          1
6          1
10         2
12         2
14         2
18         3
20         3
22         3
26         4
34         5
46         6
48         7
56         7

Procedure

Step 1: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: ap profile profile-name
Example: Device(config)# ap profile hs2-profile
Purpose: Configures an AP profile and enters AP profile configuration mode.

Step 3: qos-map dscp-to-up-exception dscp-num user-priority
Example: Device(config-ap-profile)# qos-map dscp-to-up-exception 42 6
Purpose: Configures DSCP-to-user priority exception.
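The following Python lookup is an added illustration, not Cisco code, of how a QoS map built from the two commands above (qos-map dscp-to-up-range and qos-map dscp-to-up-exception) resolves an IP DSCP to an 802.11e user priority. It embeds Table 64 and Table 65 as the default map and generalizes to any custom map. The class name QosMap and its methods are the example's own; two points are assumptions marked in the code: an exception entry takes precedence over a range entry, and the up-to-dscp value for each default range (which the guide does not list) is taken as the lowest DSCP of that range. A DSCP that no entry covers is returned as None, standing in for the 0xFF nonconfigured marker the guide describes.

```python
"""DSCP-to-802.11e user priority (UP) lookup as an AP applies a QoS map.

Added illustration, not Cisco code. Embeds Table 64 (default ranges) and
Table 65 (default exceptions) and models the two ap-profile commands:
  qos-map dscp-to-up-range <up> <up-to-dscp> <dscp-start> <dscp-end>
  qos-map dscp-to-up-exception <dscp> <up>
ASSUMPTIONS: an exception wins over a range; a DSCP covered by neither is
reported as None (the guide's 0xFF "nonconfigured" marker); the default
up-to-dscp of each range is taken as the lowest DSCP of that range.
"""
from typing import Dict, List, Optional, Tuple

# Table 64 as up -> (up_to_dscp, dscp_start, dscp_end)
DEFAULT_RANGES: Dict[int, Tuple[int, int, int]] = {
    up: (up * 8, up * 8, up * 8 + 7) for up in range(8)
}

# Table 65: one-to-one DSCP -> UP exceptions
DEFAULT_EXCEPTIONS: Dict[int, int] = {
    0: 0, 2: 1, 4: 1, 6: 1, 10: 2, 12: 2, 14: 2, 18: 3,
    20: 3, 22: 3, 26: 4, 34: 5, 46: 6, 48: 7, 56: 7,
}

UNCONFIGURED = 0xFF   # marker the guide says is sent for an unset entry


class QosMap:
    """Custom QoS map for one AP profile; empty until entries are added."""

    def __init__(self):
        self.ranges: Dict[int, Tuple[int, int, int]] = {}   # up -> (up_to_dscp, start, end)
        self.exceptions: Dict[int, int] = {}                 # dscp -> up

    @staticmethod
    def _check(name: str, value: int, lo: int, hi: int) -> None:
        if not lo <= value <= hi:
            raise ValueError(f"{name} {value} out of range {lo}-{hi}")

    def dscp_to_up_range(self, up: int, up_to_dscp: int, start: int, end: int) -> None:
        """qos-map dscp-to-up-range <up> <up-to-dscp> <start> <end>"""
        self._check("user-priority", up, 0, 7)
        self._check("up-to-dscp", up_to_dscp, 0, 63)
        self._check("dscp-start", start, 0, 63)
        self._check("dscp-end", end, start, 63)
        # one entry per UP, hence at most eight; re-entering a UP replaces it
        self.ranges[up] = (up_to_dscp, start, end)

    def dscp_to_up_exception(self, dscp: int, up: int) -> None:
        """qos-map dscp-to-up-exception <dscp> <up>"""
        self._check("dscp", dscp, 0, 63)
        self._check("user-priority", up, 0, 7)
        self.exceptions[dscp] = up

    @classmethod
    def default(cls) -> "QosMap":
        """Map used when a QoS map is enabled with no custom entries."""
        m = cls()
        for up, (to_dscp, start, end) in DEFAULT_RANGES.items():
            m.dscp_to_up_range(up, to_dscp, start, end)
        for dscp, up in DEFAULT_EXCEPTIONS.items():
            m.dscp_to_up_exception(dscp, up)
        return m

    def lookup(self, dscp: int) -> Optional[int]:
        """Downstream: IP DSCP -> UP. Exceptions first, then ranges."""
        self._check("dscp", dscp, 0, 63)
        if dscp in self.exceptions:
            return self.exceptions[dscp]
        for up, (_, start, end) in self.ranges.items():
            if start <= dscp <= end:
                return up
        return None

    def up_to_dscp(self, up: int) -> int:
        """Upstream: UP -> DSCP from the range entry for that UP, else 0xFF."""
        self._check("user-priority", up, 0, 7)
        entry = self.ranges.get(up)
        return entry[0] if entry else UNCONFIGURED

    def to_cli(self) -> List[str]:
        """Render the entries as the ap-profile commands shown above."""
        lines = [f"qos-map dscp-to-up-range {up} {to} {s} {e}"
                 for up, (to, s, e) in sorted(self.ranges.items())]
        lines += [f"qos-map dscp-to-up-exception {d} {up}"
                  for d, up in sorted(self.exceptions.items())]
        return lines


if __name__ == "__main__":
    default = QosMap.default()
    print(default.lookup(46))   # 6: exception beats the 40-47 -> UP 5 range
    print(default.lookup(17))   # 2: no exception, falls into 16-23
    custom = QosMap()
    custom.dscp_to_up_range(6, 52, 23, 62)    # example from Step 3 above
    custom.dscp_to_up_exception(42, 6)
    print(custom.lookup(10), custom.up_to_dscp(6))   # None 52
    print("\n".join(custom.to_cli()))
```

The default map shows why the exception table exists: DSCP 46 (EF, voice) falls in the 40-47 range that maps to UP 5, but the one-to-one exception lifts it to UP 6, the voice access category.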

Configuring Trust Upstream DSCP Value
The controller marks the 802.11 user priority value in the Traffic Identifier (TID) field based on the DSCP value in the IP header.

Note The AP forwards the DSCP value to Air, if 802.11 user priority value is set.

Procedure

Step 1: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: ap profile profile-name
Example: Device(config)# ap profile hs2-profile
Purpose: Configures an AP profile and enters AP profile configuration mode.

Step 3: qos-map trust-dscp-upstream
Example: Device(config-ap-profile)# qos-map trust-dscp-upstream
Purpose: Configures the AP to trust upstream DSCP instead of user priority.
Use the no form of the command to disable the configuration.


CHAPTER 133

Wireless Auto-QoS

· Information About Auto QoS, on page 1289
· How to Configure Wireless AutoQoS, on page 1290

Information About Auto QoS
Wireless Auto QoS automates deployment of wireless QoS features. It has a set of predefined profiles which can be further modified by the customer to prioritize different traffic flows. Auto-QoS matches traffic and assigns each matched packet to qos-groups. This allows the output policy map to put specific qos-groups into specific queues, including into the priority queue.

AutoQoS Policy Configuration
Table 66: AutoQoS Policy Configuration

Mode            Client Ingress  Client Egress  BSSID Ingress  BSSID Egress  Port Ingress  Port Egress  Radio
Voice           N/A             N/A            P3             P4            N/A           P7           ACM on
Guest           N/A             N/A            P5             P6            N/A           P7
Fastlane        N/A             N/A            N/A            N/A           N/A           P7           edca-parameters fastlane
Enterprise-avc  N/A             N/A            P1             P2            N/A           P7

P1: AutoQos-4.0-wlan-ET-SSID-Input-AVC-Policy
P2: AutoQos-4.0-wlan-ET-SSID-Output-Policy
P3: platinum-up
P4: platinum
P5: AutoQos-4.0-wlan-GT-SSID-Input-Policy
P6: AutoQos-4.0-wlan-GT-SSID-Output-Policy
P7: AutoQos-4.0-wlan-Port-Output-Policy

How to Configure Wireless AutoQoS

Configuring Wireless AutoQoS on Profile Policy
You can enable AutoQoS on a profile policy.

Procedure

Step 1: enable
Example: Device# enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2: wireless autoqos policy-profile policy-name mode { enterprise-avc | fastlane | guest | voice}
Example: Device# wireless autoqos policy-profile test-profile mode voice
Purpose: Configures AutoQoS wireless policy.
· enterprise-avc--Enables AutoQos Wireless Enterprise AVC Policy.
· fastlane--Enables AutoQos Wireless Fastlane Policy.
· guest--Enables AutoQos Wireless Guest Policy.
· voice--Enables AutoQos Wireless Voice Policy.
Note AutoQoS MIB attribute does not support full functionality with service policy. Service policy must be configured manually. Currently, there is only support for AutoQoS mode.

What to do next

Note After enabling AutoQoS, we recommend that you wait for a few seconds for the policy to install and then try and modify the AutoQoS policy maps if required; or retry if the modification is rejected.

Disabling Wireless AutoQoS
To globally disable Wireless AutoQoS:

Procedure

Step 1: enable
Example: Device# enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2: shutdown
Example: Device# shutdown
Purpose: Shuts down the policy profile.

Step 3: wireless autoqos disable
Example: Device# wireless autoqos disable
Purpose: Globally disables wireless AutoQoS.
Note Disabling Auto QoS does not reset global radio configurations like CAC and EDCA parameters.

Step 4: [no] shutdown
Example: Device# no shutdown
Purpose: Enables the wireless policy profile.

Rollback AutoQoS Configuration (GUI)
Procedure

Step 1: Choose Configuration > Services > QoS.
Step 2: Click Disable AutoQoS.
Step 3: Click Yes to confirm.

Rollback AutoQoS Configuration
Before you begin

Note AutoQoS MIB attribute does not support the full functionality with service policy. Currently, there is only support for AutoQoS mode. Service policy must be configured manually.


Procedure

Step 1: enable
Example: Device# enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2: clear platform software autoqos config template { enterprise_avc | guest}
Example: Device# clear platform software autoqos config template guest
Purpose: Resets AutoQoS configuration.
· enterprise-avc--Resets AutoQoS Enterprise AVC Policy Template.
· guest--Resets AutoQoS Guest Policy Template.

Clearing Wireless AutoQoS Policy Profile (GUI)
Procedure

Step 1: Choose Configuration > Tags & Profiles > Policy.
Step 2: Click the Policy Profile Name.
Step 3: Go to the QOS and AVC tab.
Step 4: From the Auto Qos drop-down list, choose None.
Step 5: Click Update & Apply to Device.

Clearing Wireless AutoQoS Policy Profile

Procedure

Step 1: enable
Example: Device# enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2: shutdown
Example: Device# shutdown
Purpose: Shuts down the policy profile.

Step 3: wireless autoqos policy-profile policy-name mode clear
Example: Device# wireless autoqos policy-profile test-profile mode clear
Purpose: Clears the configured AutoQoS wireless policy.

Step 4: [no] shutdown
Example: Device# no shutdown
Purpose: Enables the wireless policy profile.

Viewing AutoQoS on policy profile

Before you begin
Autoqos is supported on the local mode and flex mode. Autoqos configures a set of policies and radio configurations depending on the template. It is possible to override the service-policy that is configured by autoqos. The latest configuration takes effect, with AAA override policy being of highest priority.

Procedure

Step 1: enable
Example: Device# enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2: show wireless profile policy detailed policy-profile-name
Example: Device# show wireless profile policy detailed testqos
Purpose: Shows policy-profile detailed parameters.


CHAPTER 134

Native Profiling

· Information About Native Profiling, on page 1295
· Creating a Class Map (GUI), on page 1296
· Creating a Class Map (CLI), on page 1297
· Creating a Service Template (GUI), on page 1299
· Creating a Service Template (CLI), on page 1300
· Creating a Parameter Map, on page 1301
· Creating a Policy Map (GUI), on page 1301
· Creating a Policy Map (CLI), on page 1302
· Configuring Native Profiling in Local Mode, on page 1304
· Verifying Native Profile Configuration, on page 1304
Information About Native Profiling
You can profile devices based on HTTP and DHCP to identify the end devices on the network. You can configure device-based policies and enforce these policies per user or per device policy on the network. Policies allow profiling of mobile devices and basic onboarding of the profiled devices to a specific VLAN. They also assign ACL and QoS or configure session timeouts. The policies are defined based on the following attributes:
· User group or user role
· Device type such as Windows clients, smartphones, tablets, and so on
· Service Set Identifier (SSID)
· Location, based on the access point group that the end point is connected to
· Time of the day
· Extensible Authentication Protocol (EAP) type, to check what EAP method the client is getting connected to
When a wireless client joins an access point, certain QoS policies get enforced on the access point. One such feature is the native profiling for both upstream and downstream traffic at AP. The native profiling feature when clubbed with AAA override supports specific set of policies based on the time of day and day of week. The AAA override then applies these policies coming from a RADIUS server to the access point.

Consider a use case that combines time of day with user role. Usually, the user role is used as an extra matching criterion along with the time of day. You can combine the time of day with any matching criteria to get the desired result. The matching is performed when the client joins the controller.
You can configure policies as two separate components:
· Defining policy attributes as service templates that are specific to clients joining the network and applying policy match criteria
· Applying match criteria to the policy.

Note Before proceeding with the native profile configuration, ensure that HTTP Profiling and DHCP Profiling are enabled.

Note Native profiling is not supported with FlexConnect Local Authentication and Local Switching. Hence, do not configure no central switching, no central authentication, and subscriber-policy-name name commands together. ISSU will fail for this type of configuration. Ensure that you remove the configuration before attempting ISSU.
To configure Native Profiling, use one of the following procedures:
· Create a service template
· Create a class map
Note You can apply a service template using either a class map or parameter map.
· Create a parameter-map and associate the service template to parameter-map
· Create a policy map
1. If class-map has to be used: Associate the class-map to the policy-map and associate the service-template to the class-map.
2. If parameter-map has to be used: Associate the parameter-map to the policy-map
· Associate the policy-map to the policy profile.

Creating a Class Map (GUI)
Procedure

Step 1: Click Configuration > Services > QoS.
Step 2: In the QoS - Policy area, click Add to create a new QoS Policy or click the one you want to edit.
Step 3: Click Add Class Map and enter the details.
Step 4: Click Save.
Step 5: Click Update and Apply to Device.

Creating a Class Map (CLI)

Note Configuration of class maps via the CLI offers more options and can be more granular than the GUI.

Procedure

Step 1: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: class-map type control subscriber match-any class-map-name
Example: Device(config)# class-map type control subscriber match-any cls_user
Purpose: Specifies the class map type and name.

Step 3: match username username
Example: Device(config-filter-control-classmap)# match username ciscoise
Purpose: Specifies the class map attribute filter criteria.

Step 4: class-map type control subscriber match-any class-map-name
Example: Device(config)# class-map type control subscriber match-any cls_userrole
Purpose: Specifies the class map type and name.

Step 5: match user-role user-role
Example: Device(config-filter-control-classmap)# match user-role engineer
Purpose: Specifies the class map attribute filter criteria.

Step 6: class-map type control subscriber match-any class-map-name
Example: Device(config)# class-map type control subscriber match-any cls_oui
Purpose: Specifies the class map type and name.

Step 7: match oui oui-address
Example: Device(config-filter-control-classmap)# match oui 48.f8.b3
Purpose: Specifies the class map attribute filter criteria.

Step 8: class-map type control subscriber match-any class-map-name
Example: Device(config)# class-map type control subscriber match-any cls_mac
Purpose: Specifies the class map type and name.

Step 9: match mac-address mac-address
Example: Device(config-filter-control-classmap)# match mac-address 0040.96b9.4a0d
Purpose: Specifies the class map attribute filter criteria.

Step 10: class-map type control subscriber match-any class-map-name
Example: Device(config)# class-map type control subscriber match-any cls_devtype
Purpose: Specifies the class map type and name.

Step 11: match device-type device-type
Example: Device(config-filter-control-classmap)# match device-type windows
Purpose: Specifies the class map attribute filter criteria.

Step 12: class-map type control subscriber match-all class-map-name
Example: Device(config)# class-map type control subscriber match-all match_tod
Purpose: Specifies the class map type and name.

Step 13: match join-time-of-day start-time end-time
Example: Device(config-filter-control-classmap)# match join-time-of-day 10:30 12:30
Purpose: Specifies a match to the time of day. Here, join time is considered for matching. For example, if the match filter is set from 11:00 am to 2:00 pm, a device joining at 10:59 am is not considered, even if it acquires credentials after 11:00 am.
Here, start-time and end-time are specified in the 24-hour format.
Use the show class-map type control subscriber name name command to verify the configuration.
Note You should also disable AAA override for this command to work.

Step 14: match day day-of-week
Example: Device(config-filter-control-classmap)# match day Monday
Purpose: Matches day of the week.
Use the show class-map type control subscriber name name command to verify the configuration.

Step 15: class-map type control subscriber match-all class-map-name
Example: Device(config)# class-map type control subscriber match-all match_eap
Purpose: Specifies the class map type and filter as EAP.

Step 16: match eap-type eap-type
Example: Device(config-filter-control-classmap)# match eap-type peap
Purpose: Specifies the policy match with EAP type.
Use the show class-map type control subscriber name name command to verify the configuration.

Step 17: class-map type control subscriber match-all class-map-name
Example: Device(config)# class-map type control subscriber match-all match_device
Purpose: Specifies the class map type and filter as device.

Step 18: match device-type device-name
Example: Device(config-filter-control-classmap)# match device-type android
Purpose: Matches name using the device type. Type a question mark (?) after the device type and select the device from the list.
Note You should enable the device classifier for the device list to be populated.
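The following Python model is an added illustration, not Cisco code, of how the control-subscriber class maps built in the procedure above are evaluated against a joining client: a match-any class map is satisfied by any one of its match lines, a match-all class map needs every line, and the join-time-of-day check is made against the time the client joined, so a client joining at 10:59 is not matched by an 11:00 to 14:00 window even if it finishes acquiring credentials later (the behaviour Step 13 describes). The criterion names mirror the match commands above; the names Client, ClassMap, make_client and norm_mac are the example's own, the sample clients are constructed, and case-insensitive comparison of attribute values is an assumption noted in the code.

```python
"""Evaluation of 'class-map type control subscriber' match criteria.

Added illustration, not Cisco code. Models how the match-any / match-all
class maps from the procedure above are evaluated against a joining
client's attributes. The criterion names mirror the match commands
(username, user-role, oui, mac-address, device-type, join-time-of-day,
day, eap-type). ASSUMPTIONS: attribute values compare case-insensitively,
and join-time-of-day is checked against the time the client joined, as
the guide describes, not the time it finished acquiring credentials.
"""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import List, Tuple


def norm_mac(value: str) -> str:
    """'0040.96b9.4a0d', '00:40:96:b9:4a:0d' and '48.f8.b3' -> bare hex digits."""
    return "".join(ch for ch in value.lower() if ch in "0123456789abcdef")


@dataclass
class Client:
    mac: str
    join_time: datetime                 # when the client joined the controller
    username: str = ""
    user_role: str = ""
    device_type: str = ""
    eap_type: str = ""


def make_client(mac: str, join_iso: str, **attrs) -> Client:
    """Build a constructed Client from an ISO timestamp such as '2021-03-29T10:59'."""
    return Client(mac, datetime.fromisoformat(join_iso), **attrs)


@dataclass
class ClassMap:
    name: str
    mode: str                           # "match-any" or "match-all"
    criteria: List[Tuple[str, ...]] = field(default_factory=list)

    def match(self, kind: str, *args: str) -> "ClassMap":
        """Append a 'match <kind> <args...>' line; returns self for chaining."""
        self.criteria.append((kind, *args))
        return self

    def evaluate(self, client: Client) -> bool:
        results = [_criterion_hit(kind, args, client) for kind, *args in self.criteria]
        if not results:                 # a class map with no match lines matches nothing
            return False
        return any(results) if self.mode == "match-any" else all(results)


def _parse_hhmm(text: str) -> time:
    hours, minutes = (int(part) for part in text.split(":"))
    return time(hours, minutes)


def _criterion_hit(kind: str, args: list, client: Client) -> bool:
    if kind == "username":
        return client.username.lower() == args[0].lower()
    if kind == "user-role":
        return client.user_role.lower() == args[0].lower()
    if kind == "oui":                   # first three octets of the client MAC
        return norm_mac(client.mac)[:6] == norm_mac(args[0])
    if kind == "mac-address":
        return norm_mac(client.mac) == norm_mac(args[0])
    if kind == "device-type":
        return client.device_type.lower() == args[0].lower()
    if kind == "eap-type":
        return client.eap_type.lower() == args[0].lower()
    if kind == "day":
        return client.join_time.strftime("%A").lower() == args[0].lower()
    if kind == "join-time-of-day":      # start-time end-time in 24-hour HH:MM
        start, end = _parse_hhmm(args[0]), _parse_hhmm(args[1])
        return start <= client.join_time.time() <= end
    raise ValueError(f"unsupported match criterion: {kind}")


if __name__ == "__main__":
    match_tod = (ClassMap("match_tod", "match-all")
                 .match("join-time-of-day", "11:00", "14:00")
                 .match("day", "Monday"))
    # Constructed clients; 2021-03-29 is a Monday.
    early = make_client("0040.96b9.4a0d", "2021-03-29T10:59")
    on_time = make_client("0040.96b9.4a0d", "2021-03-29T11:30")
    print(match_tod.evaluate(early))     # False: joined before the window opened
    print(match_tod.evaluate(on_time))   # True
```

Because the join time is fixed when the client joins, a policy built on match_tod cannot be satisfied later in the session by re-authenticating; the note in Step 13 about disabling AAA override follows from the same ordering, since an AAA-supplied policy would otherwise take precedence over the local match.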

Creating a Service Template (GUI)
Procedure

Step 1: Choose Configuration > Security > Local Policy.
Step 2: On the Local Policy page, Service Template tab, click ADD.
Step 3: In the Create Service Template window, enter the following parameters:
· Service Template Name: Enter a name for the template.
· VLAN ID: Enter the VLAN ID for the template. Valid range is between 1 and 4094.
· Session Timeout (secs): Sets the timeout duration for the template. Valid range is between 1 and 65535.
· Access Control List: Choose the Access Control List from the drop-down list.
· Ingress QOS: Choose the input QoS policy for the client from the drop-down list.
· Egress QOS: Choose the output QoS policy for the client from the drop-down list.
Step 4: Click Save & Apply to Device.

Creating a Service Template (CLI)

Procedure

Step 1: configure terminal
  Example: Device# configure terminal
  Purpose: Enters global configuration mode.

Step 2: service-template service-template-name
  Example: Device(config)# service-template svc1
  Purpose: Enters service template configuration mode.

Step 3: vnid vnid
  Example: Device(config-service-template)# vnid test
  Purpose: Specifies the VXLAN network identifier (VNID). Use the show service-template service-template-name command to verify the configuration.

Step 4: access-group access-list-name
  Example: Device(config-service-template)# access-group acl-auto
  Purpose: Specifies the access list to be applied.

Step 5: vlan vlan-id
  Example: Device(config-service-template)# vlan 10
  Purpose: Specifies the VLAN ID. Valid range is from 1 to 4094.

Step 6: absolute-timer timer
  Example: Device(config-service-template)# absolute-timer 1000
  Purpose: Specifies the session timeout value for a service template. Valid range is from 1 to 65535.

Step 7: service-policy qos input qos-policy
  Example: Device(config-service-template)# service-policy qos input in_qos
  Purpose: Configures an input QoS policy for the client.

Step 8: service-policy qos output qos-policy
  Example: Device(config-service-template)# service-policy qos output out_qos
  Purpose: Configures an output QoS policy for the client.

Creating a Parameter Map

Procedure

Step 1: configure terminal
  Example: Device# configure terminal
  Purpose: Enters global configuration mode.

Step 2: parameter-map type subscriber attribute-to-service parameter-map-name
  Example: Device(config)# parameter-map type subscriber attribute-to-service param
  Purpose: Specifies the parameter map type and name.

Step 3: map-index map device-type eq filter-name
  Example: Device(config-parameter-map-filter)# 1 map device-type eq "windows" mac-address eq 3c77.e602.2f91 username eq "cisco"
  Purpose: Specifies the parameter map attribute filter criteria. Multiple filters are used in the example provided here.

Step 4: map-index service-template service-template-name precedence precedence-num
  Example: Device(config-parameter-map-filter-submode)# 1 service-template svc1 precedence 150
  Purpose: Specifies the service template and its precedence.

Creating a Policy Map (GUI)
Procedure

Step 1: Choose Configuration > Security > Local Policy > Policy Map tab.
Step 2: Enter a name for the Policy Map in the Policy Map Name text field.
Step 3: Click Add.
Step 4: Choose the service template from the Service Template drop-down list.
Step 5: For the following parameters, select the type of filter from the drop-down list and enter the required match criteria:
  · Device Type
  · User Role
  · User Name
  · OUI
  · MAC Address
Step 6: Click Add Criteria.
Step 7: Click Update & Apply to Device.

Creating a Policy Map (CLI)

Before you begin
Before removing a policy map or parameter map, remove it from the target, shut down the WLAN profile, or delete the session.

Procedure

Step 1: configure terminal
  Example: Device# configure terminal
  Purpose: Enters global configuration mode.

Step 2: policy-map type control subscriber policy-map-name
  Example: Device(config)# policy-map type control subscriber polmap5
  Purpose: Specifies the policy map type.

Step 3: event identity-update match-all
  Example: Device(config-event-control-policymap)# event identity-update match-all
  Purpose: Specifies the match criteria for the policy map.

Step 4: You can apply a service template using either a class map or a parameter map, as shown here:
  · class-num class class-map-name do-until-failure
  · action-index activate service-template service-template-name
  · action-index map attribute-to-service table parameter-map-name
  Purpose: Configures the local profiling policy class map number and specifies how to perform the action, or activates the service template, or maps an identity-update attribute to an auto-configured template.
  Example: The following example shows how a class map with a service template is applied:
    Device(config-class-control-policymap)# 10 class cls_mac do-until-failure
    Device(config-action-control-policymap)# 10 activate service-template svc1
  Example: The following example shows how a parameter map is applied (the service template was already associated with the parameter map `param' when it was created):
    Device(config-action-control-policymap)# 1 map attribute-to-service table param

Step 5: end
  Example: Device(config-action-control-policymap)# end
  Purpose: Exits configuration mode.

Step 6: configure terminal
  Example: Device# configure terminal
  Purpose: Enters global configuration mode.

Step 7: wireless profile policy wlan-policy-profile-name
  Example: Device(config)# wireless profile policy wlan-policy-profilename
  Purpose: Configures a wireless policy profile.
  Caution: Do not configure aaa-override for native profiling under a named wireless profile policy. Native profiling is applied at a lower priority than AAA policy. If aaa-override is enabled, the AAA policies override the native profile policy.

Step 8: description profile-policy-description
  Example: Device(config-wireless-policy)# description "default policy profile"
  Purpose: Adds a description for the policy profile.

Step 9: dhcp-tlv-caching
  Example: Device(config-wireless-policy)# dhcp-tlv-caching
  Purpose: Configures DHCP TLV caching on a WLAN.

Step 10: http-tlv-caching
  Example: Device(config-wireless-policy)# http-tlv-caching
  Purpose: Configures client HTTP TLV caching on a WLAN.

Step 11: subscriber-policy-name policy-name
  Example: Device(config-wireless-policy)# subscriber-policy-name polmap5
  Purpose: Configures the subscriber policy name.

Step 12: vlan vlan-id
  Example: Device(config-wireless-policy)# vlan 1
  Purpose: Configures a VLAN name or VLAN ID.

Step 13: no shutdown
  Example: Device(config-wireless-policy)# no shutdown
  Purpose: Enables the policy profile.

Configuring Native Profiling in Local Mode
To configure native profiling in the local mode, you must follow the steps described in Creating a Policy Map (CLI), on page 1302. In the policy profile, you must enable central switching as described in the step given below in order to configure native profiling.

Procedure

Step 1: central switching
  Example: Device(config-wireless-policy)# central switching
  Purpose: Enables central switching.
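The procedures above (Creating a Service Template (CLI), Creating a Parameter Map, Creating a Policy Map (CLI) and the central switching step for local mode) assembled into one configuration, as an added example that is not Cisco's code and not part of this guide. The script renders the CLI in dependency order from a small spec and refuses a spec that violates the documented constraints: a VLAN outside 1-4094, an absolute-timer outside 1-65535, a reference to an object that was never defined, and, following the Caution in Step 7 of Creating a Policy Map (CLI), aaa-override on the policy profile. The object names are the page's own (match_device, svc1, param, polmap5, acl-auto, in_qos, out_qos); the dataclass layout is this script's assumption, and the `20 class always do-until-failure` line on the parameter-map path is standard IBNS 2.0 policy-map syntax assumed here because the page shows only the action line beneath it.

```python
# Added example (not Cisco code); the lead-in states what is assumed.
from dataclasses import dataclass


@dataclass
class ServiceTemplate:
    name: str
    vlan: int
    acl: str = ""
    qos_in: str = ""
    qos_out: str = ""
    absolute_timer: int = 0  # 0 means not configured

    def cli(self):
        # Ranges from Creating a Service Template (CLI): vlan 1-4094, timer 1-65535.
        if not 1 <= self.vlan <= 4094:
            raise ValueError(f"{self.name}: vlan {self.vlan} is outside 1-4094")
        if self.absolute_timer and not 1 <= self.absolute_timer <= 65535:
            raise ValueError(f"{self.name}: absolute-timer is outside 1-65535")
        opts = [("access-group", self.acl), ("vlan", self.vlan),
                ("absolute-timer", self.absolute_timer),
                ("service-policy qos input", self.qos_in),
                ("service-policy qos output", self.qos_out)]
        return [f"service-template {self.name}"] + [f" {k} {v}" for k, v in opts if v]


@dataclass
class ClassMap:
    name: str
    match: str  # e.g. "device-type android" or "eap-type peap"

    def cli(self):
        return [f"class-map type control subscriber match-all {self.name}",
                f" match {self.match}"]


@dataclass
class ParameterMap:
    name: str
    filters: str  # attribute filter expression (Step 3 of Creating a Parameter Map)
    template: str
    precedence: int = 150

    def cli(self):
        return [f"parameter-map type subscriber attribute-to-service {self.name}",
                f" 1 map {self.filters}",
                f"  1 service-template {self.template} precedence {self.precedence}"]


@dataclass
class PolicyMap:
    name: str
    class_map: str = ""      # path 1: a class map activates a service template
    template: str = ""
    parameter_map: str = ""  # path 2: attribute-to-service table

    def cli(self):
        lines = [f"policy-map type control subscriber {self.name}",
                 " event identity-update match-all"]
        if self.class_map:
            lines += [f"  10 class {self.class_map} do-until-failure",
                      f"   10 activate service-template {self.template}"]
        if self.parameter_map:
            lines += ["  20 class always do-until-failure",  # assumed; see lead-in
                      f"   1 map attribute-to-service table {self.parameter_map}"]
        return lines


@dataclass
class PolicyProfile:
    name: str
    subscriber_policy: str
    vlan: int
    aaa_override: bool = False

    def cli(self):
        # Caution in Step 7 of Creating a Policy Map (CLI): AAA policy outranks
        # native profiling, so aaa-override would silently defeat this profile.
        if self.aaa_override:
            raise ValueError(f"{self.name}: aaa-override overrides native profiling")
        return [f"wireless profile policy {self.name}",
                ' description "default policy profile"',
                " central switching",  # required for native profiling in local mode
                " dhcp-tlv-caching", " http-tlv-caching",
                f" subscriber-policy-name {self.subscriber_policy}",
                f" vlan {self.vlan}", " no shutdown"]


def render_native_profiling(class_maps, templates, parameter_maps, policy_maps, profile):
    """Emit every object before the objects that reference it, checking names."""
    defined = {o.name for o in [*class_maps, *templates, *parameter_maps, *policy_maps]}
    refs = [pm.template for pm in parameter_maps] + [profile.subscriber_policy]
    for m in policy_maps:
        refs += [r for r in (m.class_map, m.template, m.parameter_map) if r]
    missing = [r for r in refs if r not in defined]
    if missing:
        raise ValueError(f"undefined objects referenced: {missing}")
    out = []
    for obj in [*class_maps, *templates, *parameter_maps, *policy_maps, profile]:
        out += obj.cli()
    return out


# The page's worked values, assembled into one configuration.
CLASS_MAPS = [ClassMap("match_device", "device-type android")]
TEMPLATES = [ServiceTemplate("svc1", vlan=10, acl="acl-auto", qos_in="in_qos",
                             qos_out="out_qos", absolute_timer=1000)]
PARAMETER_MAPS = [ParameterMap("param", 'device-type eq "windows" mac-address eq '
                               '3c77.e602.2f91 username eq "cisco"', "svc1")]
POLICY_MAPS = [PolicyMap("polmap5", class_map="match_device", template="svc1",
                         parameter_map="param")]
PROFILE = PolicyProfile("wlan-policy-profilename", "polmap5", vlan=1)

if __name__ == "__main__":
    print("\n".join(render_native_profiling(CLASS_MAPS, TEMPLATES, PARAMETER_MAPS,
                                            POLICY_MAPS, PROFILE)))
```

Running the script prints the configuration ready to paste under configure terminal; the guard on aaa_override is deliberately a hard failure rather than a warning, because the symptom of getting it wrong is a client that silently lands in the AAA-returned VLAN instead of the profiled one.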

Verifying Native Profile Configuration

Use the following show commands to verify the native profile configuration:

Device# show wireless client device summary

Active classified device summary

MAC Address       Device-type              User-role   Protocol-map
------------------------------------------------------------------
1491.82b8.f94b    Microsoft-Workstation    sales       9
1491.82bc.2fd5    Windows7-Workstation     sales       41

Device# show wireless client device cache

Cached classified device info

MAC Address       Device-type              User-role   Protocol-map
------------------------------------------------------------------
2477.031b.aa18    Microsoft-Workstation                9
30a8.db3b.a753    Un-Classified Device                 9
4400.1011.e8b5    Un-Classified Device                 9
980c.a569.7dd0    Un-Classified Device

Device# show wireless client mac-address 4c34.8845.e32c detail | s

Session Manager:
  Interface         :
  IIF ID            : 0x90000002
  Device Type       : Microsoft-Workstation
  Protocol Map      : 0x000009
  Authorized        : TRUE
  Session timeout   : 1800
  Common Session ID : 78380209000000174BF2B5B9
  Acct Session ID   : 0
  Auth Method Status List
    Method          : MAB
      SM State      : TERMINATE
      Authen Status : Success
  Local Polices:
    Service Template : wlan_svc_C414.3CCA.0A51 (priority 254)
      Absolute-Timer : 1800
  Server Polices:
  Resultant Policies:
    Filter-ID        : acl-auto
    Input QOS        : in_qos
    Output QOS       : out_qos
    Idle timeout     : 60 sec
    VLAN             : 10
    Absolute-Timer   : 1000

In this output the Resultant Policies carry the attributes of the service template configured in Creating a Service Template (CLI) (ACL acl-auto, QoS policies in_qos and out_qos, VLAN 10, absolute timer 1000), which take effect over the WLAN default template listed under Local Polices with its absolute timer of 1800. The empty Server Polices section shows that no AAA-returned attributes are competing with the native profile.

Use the following show command to verify the class map details for a class map name:

Device# show class-map type control subscriber name test

Class-map        Action                             Exec  Hit  Miss  Comp
---------        ------                             ----  ---  ----  ----
match-any test   match day Monday                   0     0    0     0
match-any test   match join-time-of-day 8:00 18:00  0     0    0     0

Key:
  "Exec" - The number of times this line was executed
  "Hit"  - The number of times this line evaluated to TRUE
  "Miss" - The number of times this line evaluated to FALSE
  "Comp" - The number of times this line completed the execution of its condition without a need to continue on to the end
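A check over the output above, as an added example that is not Cisco code: the two samples in the script are constructed from the page's show wireless client mac-address detail and show class-map output rather than taken from a live controller. The script extracts the Local, Server and Resultant policy sections, compares the resultant attributes with what service template svc1 from the CLI procedure should produce, reports server-returned attributes (the case in which aaa-override beats native profiling, per the Caution in Creating a Policy Map (CLI)) and lists class-map match lines whose Exec counter is still zero, which means no applied policy map has evaluated them.

```python
# Added example (not Cisco code): check show output against the intended policy.
import re

# Constructed from the page's sample "show wireless client mac-address <mac> detail".
CLIENT_DETAIL = """\
Session Manager:
  IIF ID             : 0x90000002
  Device Type        : Microsoft-Workstation
  Authorized         : TRUE
  Session timeout    : 1800
  Auth Method Status List
    Method           : MAB
      SM State       : TERMINATE
      Authen Status  : Success
  Local Polices:
    Service Template : wlan_svc_C414.3CCA.0A51 (priority 254)
      Absolute-Timer : 1800
  Server Polices:
  Resultant Policies:
    Filter-ID        : acl-auto
    Input QOS        : in_qos
    Output QOS       : out_qos
    Idle timeout     : 60 sec
    VLAN             : 10
    Absolute-Timer   : 1000
"""

# Constructed from the page's "show class-map type control subscriber name test".
CLASS_MAP_TABLE = """\
Class-map        Action                             Exec  Hit  Miss  Comp
---------        ------                             ----  ---  ----  ----
match-any test   match day Monday                   0     0    0     0
match-any test   match join-time-of-day 8:00 18:00  0     0    0     0
"""

# What service template svc1 from the CLI procedure should produce for a client.
EXPECTED_SVC1 = {"VLAN": "10", "Filter-ID": "acl-auto", "Input QOS": "in_qos",
                 "Output QOS": "out_qos", "Absolute-Timer": "1000"}

SECTIONS = ("Local Polices:", "Server Polices:", "Resultant Policies:")
ATTR = re.compile(r"([^:]+?)\s*:\s*(.*)$")


def parse_policy_sections(text):
    """Return {section: {attribute: value}} for the three policy sections."""
    out = {s: {} for s in SECTIONS}
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped in SECTIONS:
            current = stripped
            continue
        m = ATTR.match(stripped) if current else None
        if not m:  # anything that is not "key : value" ends the section
            current = None
            continue
        out[current][m.group(1)] = m.group(2)
    return out


def check_resultant(parsed, expected):
    """(attribute, expected, actual) for each resultant policy that differs."""
    actual = parsed["Resultant Policies:"]
    return [(k, v, actual.get(k, "<missing>"))
            for k, v in expected.items() if actual.get(k) != v]


def aaa_overrode_local(parsed):
    """True when RADIUS-returned attributes are present; with aaa-override
    enabled they outrank the native profile."""
    return bool(parsed["Server Polices:"])


def local_template(parsed):
    """(name, priority) of the locally applied service template, or None."""
    m = re.match(r"(\S+)\s+\(priority (\d+)\)",
                 parsed["Local Polices:"].get("Service Template", ""))
    return (m.group(1), int(m.group(2))) if m else None


ROW = re.compile(r"^(match-(?:any|all)\s+\S+)\s+(.+?)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def never_executed(table):
    """Match lines whose Exec counter is 0: the class map exists, but no policy
    map applied to a WLAN has evaluated it yet."""
    return [m.group(2) for m in map(ROW.match, table.splitlines())
            if m and int(m.group(3)) == 0]


if __name__ == "__main__":
    parsed = parse_policy_sections(CLIENT_DETAIL)
    print("local template:", local_template(parsed))
    print("mismatches vs svc1:", check_resultant(parsed, EXPECTED_SVC1))
    print("AAA override in effect:", aaa_overrode_local(parsed))
    print("never executed:", never_executed(CLASS_MAP_TABLE))
```

Pipe the real command output into the two string constants (or read them from files) and the same functions apply; a non-empty mismatch list on a client that should have been profiled is the first thing to check when native profiling appears not to work.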


CHAPTER 135
Air Time Fairness
· Information About Air Time Fairness, on page 1307
· Restrictions on Cisco Air Time Fairness, on page 1309
· Cisco Air Time Fairness (ATF) Use Cases, on page 1310
· Configuring Cisco Air Time Fairness (ATF), on page 1310
· Verifying Cisco ATF Configurations, on page 1314
· Verifying Cisco ATF Statistics, on page 1314
Information About Air Time Fairness
Cisco Air Time Fairness (ATF) allows network administrators to group devices of a defined category and enables some groups to receive traffic from the WLAN more frequently than the other groups. Therefore, some groups are entitled to more air time than the other groups. Cisco ATF has the following capabilities:
· Allocates Wi-Fi air time for user groups or device categories.
· Air time fairness is defined by the network administrator and not by the network.
· Provides a simplified mechanism for allocating air time.
· Dynamically adapts to changing conditions in a WLAN.
· Enables a more efficient fulfillment of service-level agreements.
· Augments standards-based Wi-Fi QoS mechanisms.
By enabling network administrators to define what fairness means in their environments with regards to the amount of air time per client group, the amount of traffic is also controlled. To control air time on a percentage basis, the air time including both uplink and downlink transmissions of a client or SSID is continuously measured. Only air time in the downlink direction, that is AP to client, can be controlled accurately by the AP. Although air time in the uplink direction, that is client to AP can be measured, it cannot be controlled. Although the AP can constrain air time for packets that it sends to clients, the AP can only measure air time for packets that it hears from clients because it cannot strictly limit their air time.

Cisco ATF establishes air time limits (defined as a percentage of total air time) and applies those limits on a per SSID basis, where the SSID is used as a parameter to define a client group. Other parameters can be used as well to define groups of clients. Furthermore, a single air time limit can be applied to individual clients. If the air time limit for an SSID (or client) is exceeded, the packets in the downlink direction are dropped. Dropping downlink packets (AP to client) frees up air time whereas dropping uplink packets (client to AP) does not do anything to free up air time because the packet has already been transmitted over the air by the client.
Client Fair Sharing
Cisco Air Time Fairness can be enforced on clients that are associated with an SSID or WLAN. This ensures that all clients in an SSID or WLAN are treated equally based on their utilization of the radio bandwidth. This feature is useful in scenarios where one or a few clients could use the complete air time allocated for an SSID or WLAN, thereby depriving the other clients associated with the same SSID or WLAN of a usable Wi-Fi experience.
· The percentage of air time to be given to each client is recomputed every time a client connects or disconnects.
· Client fair sharing is applicable only to downstream traffic.
· Clients can be categorized into usage groups at the policy level.
· Client-based ATF metrics accumulation is performed in the transmit complete routine. This allows the air time that is unused by clients in low-usage or medium-usage groups to be accumulated in a common share pool bucket from which the high-usage clients can be replenished.

Supported Access Point Platforms
Cisco ATF is supported on the following APs:
· Cisco Aironet 2700 Series Access Points
· Cisco Aironet 3700 Series Access Points
· Cisco Aironet 2800 Series Access Points
· Cisco Aironet 3800 Series Access Points
· Cisco Aironet 4800 Series Access Points
· Cisco Aironet 1540 Series Access Points
· Cisco Aironet 1560 Series Access Points

Note: Cisco ATF is supported on mesh, if the APs support ATF. ATF is supported in FlexConnect mode and Local mode.


Note Cisco Catalyst APs offer capabilities that are equivalent to ATF by leveraging the enhancements in the Wi-Fi 6 and 6E protocols. 802.11ax features such as OFDMA, bidirectional MU-MIMO, and BSS coloring, combined with the advanced QoS features in the Cisco Catalyst 9800 Series Wireless Controllers, help resolve scheduling and congestion problems, accommodate multiple users at the same time, and allocate bandwidth more efficiently.
Cisco ATF Modes
Cisco ATF operates in the following modes:
· Monitor mode, in which users can do the following:
  · View the air time
  · Report air time usage for all AP transmissions
  · View reports per SSID or WLAN, and per site group/tag
  · Report air time usage at periodic intervals
  No enforcement is performed in Monitor mode.
· Enforce Policy mode, in which users can do the following:
  · Enforce air time based on the configured policy
  · Enforce air time on a WLAN, on all APs connected in a Cisco Catalyst 9800 Series Wireless Controller network, or per site group/tag

Restrictions on Cisco Air Time Fairness
· Cisco ATF can be implemented only on data frames in the downstream direction.
· When ATF is configured in per-SSID mode, all the WLANs are disabled before you enter any ATF configuration commands. The WLANs are enabled after you enter all the ATF commands.


Cisco Air Time Fairness (ATF) Use Cases

Public Hotspots (Stadium/Airport/Convention Center/Other)
In this instance, a public network is sharing a WLAN between two (or more) service providers and the venue. Subscribers to each service provider can be grouped and allocated a certain percentage of air time.

Education
In this instance, a university is sharing a WLAN between students, faculty, and guests. The guest network can be further partitioned by the service provider, for distribution of bandwidth privileges to the guests. Each group can be assigned a certain percentage of air time.

Enterprise/Hospitality/Retail
In this instance, the venue is sharing a WLAN between employees and guests. The guest network can be further partitioned by service provider. The guests could be sub-grouped by tier of service type, with each subgroup being assigned a certain percentage of air time; for example, a paid group is entitled to more air time than the free group.

Time Shared Managed Hotspot
In this instance, the business entity managing the hotspot, such as a service provider or an enterprise, can allocate and subsequently lease air time to other business entities.

Configuring Cisco Air Time Fairness (ATF)

Configuring Cisco Air Time Fairness
The following are the high-level steps to configure Cisco ATF:
1. Enable Monitor mode to determine network usage (optional).
2. Create Cisco ATF policies.
3. Add WLAN ATF policies per network or per site group/tag.
4. Determine whether optimization must be enabled.
5. Periodically check the Cisco ATF statistics.
Creating a Cisco ATF Profile (GUI)
Procedure

Step 1: Choose Configuration > Wireless > Air Time Fairness.
Step 2: Click the Profiles tab and click the Add button to create a new ATF policy. The Add ATF Policy window is displayed.
Step 3: Specify a name, ID, and weight for the ATF policy. A weighted ratio is used instead of percentages, so the total can exceed 100. The minimum weight that you can set is 5. For example, if you configure the weight as 50, the air time for this ATF profile is 50% when applied to a policy profile.
Step 4: Use the slider to enable or disable the Client Sharing feature. When you enable this option in the Web UI, the default ATF configuration is set to Enforce and not Monitor.
Step 5: Click Apply to Device.

Creating Cisco ATF Profile (CLI)

Procedure

Step 1: configure terminal
  Example: Device# configure terminal
  Purpose: Enters global configuration mode.

Step 2: wireless profile airtime-fairness atf-policy-name atf-profile-id
  Example: Device(config)# wireless profile airtime-fairness atf-policy-name 1
  Purpose: Creates a new Cisco ATF policy.
  · atf-policy-name: Enters the ATF profile name.
  · atf-profile-id: Enters the ATF profile ID. Range is from 0 to 511.

Step 3: weight policy-weight
  Example: Device(config-config-atf)# weight 5
  Purpose: Adds a weight to the Cisco ATF policy.
  · policy-weight: Enters the policy weight. Range is from 5 to 100.

Step 4: client-sharing
  Example: Device(config-config-atf)# client-sharing
  Purpose: Enables or disables client sharing for the Cisco ATF policy.

Step 5: end
  Example: Device(config-config-atf)# end
  Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.


Attaching Cisco ATF Profile to a Policy Profile (GUI)
Procedure

Step 1: Choose Configuration > Tags & Profiles > Policy.
Step 2: Click Add. The Add Policy Profile window is displayed.
Step 3: Click the Advanced tab.
Step 4: Under the Air Time Fairness Policies section, select the required policy for 2.4 GHz and for 5 GHz.
Step 5: Click Apply to Device.

Attaching Cisco ATF Profile to a Policy Profile (CLI)

Procedure

Step 1: configure terminal
  Example: Device# configure terminal
  Purpose: Enters global configuration mode.

Step 2: wireless profile policy profile-name
  Example: Device(config)# wireless profile policy profile-name
  Purpose: Creates a policy profile for the WLAN.
  · profile-name: The profile name of the policy profile.

Step 3: dot11 {24ghz | 5ghz} airtime-fairness atf-policy-name
  Example: Device(config-wireless-policy)# dot11 24ghz airtime-fairness atf-policy-name
  Purpose: Configures the air time fairness policy for the 2.4- or 5-GHz radio.
  · atf-policy-name: The name of the air time fairness policy. For more details on creating a Cisco ATF policy, refer to Creating Cisco ATF Profile (CLI).
  Note: You can assign the same ATF policy to both the 2.4-GHz and 5-GHz radios, or two different ATF policies.

Step 4: end
  Example: Device(config-wireless-policy)# end
  Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.


Enabling ATF in the RF Profile (GUI)
Procedure

Step 1: Choose Configuration > Tags & Profiles > RF.
Step 2: Click Add. The Add RF Profile window is displayed.
Step 3: Click the Advanced tab.
Step 4: Under the ATF Configuration section, complete the following:
  a) Use the slider to enable or disable the Status. The Mode field is displayed.
  b) Click the Monitor mode or Enforced mode radio option. If you enable the Enforced mode, use the slider to enable or disable Optimization.
  c) Use the slider to enable or disable Bridge Client Access. This is applicable for mesh mode APs. Bridge Client Access determines the percentage of the ATF policy weight that is allocated to clients connected to the mesh APs.
Step 5: Specify the Airtime Allocation value, between 5 and 90.
Step 6: Click Apply to Device.

Enabling ATF in the RF Profile (CLI)
Cisco ATF must be enabled on the 2.4-GHz and 5-GHz radios separately.

Procedure

Step 1: configure terminal
  Example: Device# configure terminal
  Purpose: Enters global configuration mode.

Step 2: ap dot11 {24ghz | 5ghz} rf-profile rf-profile
  Example: Device(config)# ap dot11 24ghz rf-profile rfprof24_1
  Purpose: Configures an RF profile for the 2.4- or 5-GHz radio.

Step 3: airtime-fairness mode {enforce-policy | monitor}
  Example: Device(config-rf-profile)# airtime-fairness mode enforce-policy
  Purpose: Configures air time fairness in either of the modes:
  · enforce-policy: This mode signifies that ATF is operational.
  · monitor: This mode gathers information about air time and reports air time usage.

Step 4: airtime-fairness optimization
  Example: Device(config-rf-profile)# airtime-fairness optimization
  Purpose: Enables air time fairness optimization. Optimization is effective when the current WLAN reaches its air time limit and the other available WLANs do not use their air time to the full extent.

Step 5: end
  Example: Device(config-rf-profile)# end
  Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Verifying Cisco ATF Configurations

You can verify Cisco ATF configurations using the following commands:

Table 67: Commands for Verifying Cisco ATF Configurations

Command: show wireless profile airtime-fairness summary
Description: Displays the summary of air time fairness profiles.

Command: show wireless profile airtime-fairness mapping
Description: Displays the ATF policy mapping with the wireless profiles.

Command: show ap airtime-fairness summary
Description: Displays the ATF configuration summary of all radios.

Command: show ap dot11 24ghz airtime-fairness
Description: Displays the ATF configuration for the 2.4-GHz radio.

Command: show ap dot11 5ghz airtime-fairness
Description: Displays the ATF configuration for the 5-GHz radio.

Command: show ap name ap-name airtime-fairness
Description: Displays the ATF configuration or statistics for an AP.

Command: show ap name ap-name dot11 {24ghz | 5ghz} airtime-fairness statistics summary
Description: Displays the ATF statistics of the 2.4- or 5-GHz radio.

Verifying Cisco ATF Statistics

Table 68: ATF Statistics per WLAN
Command: show ap name ap-name dot11 {24ghz | 5ghz} airtime-fairness wlan wlan_name statistics
Description: Displays the ATF statistics related to a WLAN.

Table 69: ATF Statistics per ATF Policy
Command: show ap name ap-name dot11 {24ghz | 5ghz} airtime-fairness policy policy-name statistics
Description: Displays the ATF statistics related to an ATF policy.


Table 70: ATF Statistics per Client
Command: show ap airtime-fairness statistics client mac_address
Description: Displays the ATF statistics related to a client.


CHAPTER 136
IPv6 Non-AVC QoS Support
· Information About IPv6 Non-AVC QoS Support, on page 1317
· Configuring IPv6 Non-AVC QoS, on page 1317
· Verifying IPv6 Non-AVC QoS, on page 1320
Information About IPv6 Non-AVC QoS Support
From Cisco IOS XE Amsterdam 17.2.1, the IPv6 Non-AVC QoS feature is supported on Fabric and FlexConnect local switching, where QoS is performed at the AP, on par with the IPv4 functionality.
Note This feature is not supported on Cisco Aironet 1700 Series Access Points, Cisco Aironet 2700 Series Access Points, and Cisco Aironet 3700 Series Access Points.
The following actions are supported for IPv6 Non-AVC QoS:
· Marking the DSCP value for IPv6 packets
· Dropping IPv6 packets based on the DSCP value
· Policing IPv6 traffic
Configuring IPv6 Non-AVC QoS
The following sections contain information about the various configurations that comprise the configuration of IPv6 Non-AVC QoS:

Marking DSCP Values for an IPv6 Packet

Procedure

Step 1: configure terminal
  Example: Device# configure terminal
  Purpose: Enters global configuration mode.

Step 2: policy-map policy-map-name
  Example: Device(config)# policy-map testpolicy
  Purpose: Creates a policy map.

Step 3: class class-map-name
  Example: Device(config-pmap)# class testmap
  Purpose: Specifies the class map whose traffic the policy acts on.

Step 4: set dscp <0-63>
  Example: Device(config-pmap-c)# set dscp 34
  Purpose: Sets the DSCP value in an IPv6 packet, between 0 and 63.

Dropping an IPv6 Packet with DSCP Values

Procedure

Step 1: configure terminal
  Example: Device# configure terminal
  Purpose: Enters global configuration mode.

Step 2: policy-map policy-map-name
  Example: Device(config)# policy-map drop_dscp
  Purpose: Creates a policy map.

Step 3: class class-map-name
  Example: Device(config-pmap)# class drop_dscp_class
  Purpose: Specifies the class map whose traffic the policy acts on.

Step 4: police cir <8000 - 10000000000>
  Example: Device(config-pmap-c)# police cir 8000
  Purpose: Polices the committed information rate, between 8000 and 10000000000. Target bit rate, in bits per second.

Step 5: conform-action drop
  Example: Device(config-pmap-c-police)# conform-action drop
  Purpose: Configures the conform-action drop command, the action taken when the rate is less than the conform burst.

Step 6: exceed-action drop
  Example: Device(config-pmap-c-police)# exceed-action drop
  Purpose: Configures the exceed-action drop command, the action taken when the rate is within the conform burst and the conform plus exceed burst.

Note: With both conform-action and exceed-action set to drop, every packet matched by the class is dropped whatever the rate; the policer only carries the drop action here, which is why the show policy-map output in Verifying IPv6 Non-AVC QoS lists the class simply as drop.

Policing IPv6 Traffic

Procedure

Step 1: configure terminal
  Example: Device# configure terminal
  Purpose: Enters global configuration mode.

Step 2: policy-map policy-map-name
  Example: Device(config)# policy-map drop_dscp
  Purpose: Creates a policy map.

Step 3: class class-map-name
  Example: Device(config-pmap)# class drop_dscp_class
  Purpose: Specifies the class map whose traffic the policy acts on.

Step 4: police cir <8000 - 10000000000>
  Example: Device(config-pmap-c)# police cir 8000
  Purpose: Polices the committed information rate, between 8000 and 10000000000. Target bit rate, in bits per second.

Step 5: conform-action transmit
  Example: Device(config-pmap-c-police)# conform-action transmit
  Purpose: Configures the conform-action transmit command, which transmits packets that are within the committed rate.

Step 6: exceed-action drop
  Example: Device(config-pmap-c-police)# exceed-action drop
  Purpose: Configures the exceed-action drop command, the action taken when the rate is within the conform burst and the conform plus exceed burst.


Verifying IPv6 Non-AVC QoS
To verify the DSCP values for IPv6 packets, the IPv6 packets that are dropped, and the policing of IPv6 traffic, use the show policy-map command.

The following is a sample output of the show command that verifies the DSCP value for an IPv6 packet:

Device# show policy-map
1 policymaps
Policy Map Set-dscp type:qos client:default
    Class Set-dscp1_ADV_UI_CLASS
      set dscp af41 (34)
    Class class-default
      no actions

The following is a sample output of the show command that verifies the IPv6 packets that are dropped:

Device# show policy-map
1 policymaps
Policy Map Drop-dscp type:qos client:default
    Class Drop-dscp1_ADV_UI_CLASS
      drop
    Class class-default
      no actions

The following is a sample output of the show command that verifies the policing of IPv6 traffic:

Device# show policy-map
1 policymaps
Policy Map Drop-traffic type:qos client:default
    Class Drop-traffic1_ADV_UI_CLASS
      police rate 2000000 bps (250000Bytes/s)
        conform-action
        exceed-action
    Class class-default
      no actions
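What the three policy maps verified above do to traffic, modelled in Python as an added example; this is not Cisco code and not the AP's implementation. set dscp is shown as an actual rewrite of the IPv6 Traffic Class field that keeps the ECN bits and flow label, and police cir is modelled as a single-rate two-colour token bucket whose burst size and continuous refill are assumptions of this model, since the page does not state the AP's burst or refill granularity. The packets and their arrival times are constructed: four 600-byte packets, three in a burst and one a second later, against a police cir 8000 policer with an assumed 1000-byte burst. conform-action transmit with exceed-action drop passes the first and fourth packets, while conform-action drop with exceed-action drop passes none, which is the behaviour the Drop-dscp policy map's plain drop line in the show output reflects.

```python
# Added example (not Cisco code): models the actions of the three policy maps.
import struct

SRC = bytes.fromhex("20010db8000000000000000000000001")  # constructed addresses
DST = bytes.fromhex("20010db8000000000000000000000002")


def make_ipv6_packet(dscp, ecn=0, payload=b"", flow_label=0x12345):
    """Build a 40-byte IPv6 header (RFC 8200 layout) followed by the payload."""
    first_word = (6 << 28) | (((dscp << 2) | ecn) << 20) | flow_label
    header = struct.pack("!IHBB16s16s", first_word, len(payload), 59, 64, SRC, DST)
    return header + payload


def _first_word(pkt):
    (word,) = struct.unpack("!I", pkt[:4])
    if word >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    return word


def get_dscp(pkt):
    """DSCP is the top six bits of the 8-bit Traffic Class field."""
    return ((_first_word(pkt) >> 20) & 0xFF) >> 2


def set_dscp(pkt, dscp):
    """Equivalent of `set dscp <0-63>`: rewrite DSCP, keep ECN and the flow label."""
    if not 0 <= dscp <= 63:
        raise ValueError("dscp must be 0-63")
    word = _first_word(pkt)
    ecn = (word >> 20) & 0x3
    word = (word & ~(0xFF << 20)) | (((dscp << 2) | ecn) << 20)
    return struct.pack("!I", word) + pkt[4:]


class Policer:
    """Single-rate two-colour token bucket for `police cir <bps>`.

    Model assumption: tokens are bytes, refilled continuously at cir/8 per
    second and capped at burst_bytes. The page gives no burst or granularity.
    """

    def __init__(self, cir_bps, burst_bytes, conform_action, exceed_action):
        if not 8000 <= cir_bps <= 10_000_000_000:  # range documented for police cir
            raise ValueError("cir outside 8000-10000000000")
        if {conform_action, exceed_action} - {"transmit", "drop"}:
            raise ValueError("actions are transmit or drop")
        self.rate, self.burst = cir_bps / 8, burst_bytes
        self.tokens, self.last = float(burst_bytes), 0.0
        self.conform, self.exceed = conform_action, exceed_action

    def offer(self, pkt, now):
        """Return the action applied to pkt arriving at time now (seconds)."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if len(pkt) <= self.tokens:  # within the conform burst
            self.tokens -= len(pkt)
            return self.conform
        return self.exceed


def police(policer, arrivals):
    """Apply the policer to [(packet, arrival_time), ...] in arrival order."""
    return [policer.offer(p, t) for p, t in arrivals]


# Constructed traffic: four 600-byte packets, three at t=0 and one at t=1.
ARRIVALS = [(make_ipv6_packet(0, ecn=1, payload=b"x" * 560), t)
            for t in (0.0, 0.0, 0.0, 1.0)]

if __name__ == "__main__":
    print("set dscp 34 ->", get_dscp(set_dscp(ARRIVALS[0][0], 34)))
    print("transmit/drop:", police(Policer(8000, 1000, "transmit", "drop"), ARRIVALS))
    print("drop/drop:    ", police(Policer(8000, 1000, "drop", "drop"), ARRIVALS))
```

The marking function is the part worth reading twice: a DSCP rewrite that also clears ECN would break congestion signalling for the flow, so the two low bits of Traffic Class are read back and preserved.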


CHAPTER 137
QoS Basic Service Set Load
· Information About QoS Basic Set Service Load, on page 1321
· Configuring QBSS Load, on page 1322
· Verifying QoS Basic Set Service Load, on page 1323

Information About QoS Basic Set Service Load
The QoS Basic Service Set (QBSS) information element (IE) knob is a per-WLAN configuration that includes or excludes the QBSS IE, which is sent in beacon frames and probe responses. The QBSS IE advertises the channel load information of an AP. The QBSS IE functionality is enabled by default. Until Cisco IOS XE Amsterdam 17.1.1s, enabling Wi-Fi Multimedia (WMM) automatically enabled the QBSS load advertisement in probes and beacons, and there was no separate knob to turn on the QBSS load IE. From Cisco IOS XE Amsterdam 17.2.1, this behavior has changed with the introduction of a separate configuration knob.

Until Cisco IOS XE Amsterdam 17.1.1s:
· When WMM was enabled on the WLAN, QBSS load was advertised in the beacon and probe frames.
· When WMM was disabled on the WLAN, the QBSS IE was not advertised in the beacon and probe frames.

From Cisco IOS XE Amsterdam 17.2.1:
· When you enable WMM and the QBSS load IE on the WLAN, the QBSS IE is advertised in the beacon and probe frames.
· When you enable WMM on the WLAN and disable the QBSS load IE, QBSS load is not advertised in the beacon and probe frames.
· When you disable WMM on the WLAN and enable the QBSS load IE, the QBSS IE is advertised in the beacon and probe frames.

Note: By default, the QBSS load IE is enabled. The behaviour can be configured on the policy profile.

Configuring QBSS Load
The following sections contain information about the various configurations that comprise the configuration of QoS basic service set load.

Configuring Wi-Fi Multimedia
Perform the procedure given below to create a WLAN and then enable WMM.

Procedure

Step 1
Command or Action: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wlan profile-name wlan-id [ssid]
Example: Device(config)# wlan mywlan 34 mywlan-ssid
Purpose: Specifies the WLAN name and ID:
· profile-name: Profile name of the WLAN. You can use from 1 to 32 alphanumeric characters.
· wlan-id: WLAN ID. You can use from 1 to 512 alphanumeric characters.
· ssid: Service Set Identifier (SSID) for this WLAN. If the SSID is not specified, the WLAN profile name is set as the SSID.
Note: By default, the WLAN is disabled.

Step 3
Command or Action: no security wpa wpa2 ciphers aes
Example: Device(config-wlan)# no security wpa wpa2 ciphers aes
Purpose: Disables WPA2 ciphers for Advanced Encryption Standard (AES).

Step 4
Command or Action: no security wpa akm dot1x
Example: Device(config-wlan)# no security wpa akm dot1x
Purpose: Disables security AKM for dot1x.

Step 5
Command or Action: wmm {allowed | require}
Example: Device(config-wlan)# wmm allowed
Purpose: Configures WMM and allows WMM on the WLAN.

Step 6
Command or Action: no shutdown
Example: Device(config-wlan)# no shutdown
Purpose: Enables the WLAN.


Enabling QoS Basic Set Service Load
Perform the procedure given below to enable QBSS load.

Procedure

Step 1
Command or Action: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wireless profile policy profile-policy
Example: Device(config)# wireless profile policy rr-xyz-policy-1
Purpose: Configures a WLAN policy profile and enters wireless policy configuration mode.

Step 3
Command or Action: vlan vlan-id
Example: Device(config-wireless-policy)# vlan 24
Purpose: Configures the VLAN name or VLAN ID.

Step 4
Command or Action: [no] qbss-load
Example: Device(config-wireless-policy)# qbss-load
Purpose: Enables the QoS enhanced basic service set information element. (Use the no form of this command to disable the feature.)

Step 5
Command or Action: no shutdown
Example: Device(config-wireless-policy)# no shutdown
Purpose: Saves the configuration and exits configuration mode and returns to privileged EXEC mode.

What to do next
1. Create a policy tag. For more information about creating policy tags, refer to Configuring a Policy Tag (CLI).
2. Map the policy tag to the AP. For more information about mapping a policy tag to the AP, refer to Attaching a Policy Tag and Site Tag to an AP (CLI).

Verifying QoS Basic Set Service Load
To verify if QBSS load is enabled, use the show wireless profile policy detailed named-policy-profile command:

Device# show wireless profile policy detailed named-policy-profile

Policy Profile Name             : named-policy-profile
Description                     :
Status                          : ENABLED
VLAN                            : 91
Multicast VLAN                  : 0
OSEN client VLAN                :
Multicast Filter                : DISABLED
QBSS Load                       : ENABLED
Passive Client                  : DISABLED
ET-Analytics                    : DISABLED
StaticIP Mobility               : DISABLED
WLAN Switching Policy
  Flex Central Switching        : ENABLED
  Flex Central Authentication   : ENABLED
  Flex Central DHCP             : ENABLED
  Flex NAT PAT                  : DISABLED
  Flex Central Assoc            : ENABLED


PART XI
IPv6
· IPv6 Client IP Address Learning, on page 1327
· IPv6 ACL, on page 1345
· IPv6 Client Mobility, on page 1357
· IPv6 Support on Flex and Mesh, on page 1361
· IPv6 CAPWAP UDP Lite Support, on page 1365
· Neighbor Discovery Proxy, on page 1367
· Address Resolution Protocol Proxy, on page 1371

CHAPTER 138
IPv6 Client IP Address Learning
· Information About IPv6 Client Address Learning, on page 1327
· Prerequisites for IPv6 Client Address Learning, on page 1331
· Configuring RA Throttle Policy (CLI), on page 1331
· Applying RA Throttle Policy on VLAN (GUI), on page 1332
· Applying RA Throttle Policy on a VLAN (CLI), on page 1333
· Configuring IPv6 Interface on a Switch (GUI), on page 1333
· Configuring IPv6 on Interface (CLI), on page 1334
· Configuring DHCP Pool on Switch (GUI), on page 1335
· Configuring DHCP Pool on Switch (CLI), on page 1335
· Configuring Stateless Auto Address Configuration Without DHCP on Switch (CLI), on page 1336
· Configuring Stateless Auto Address Configuration With DHCP on Switch, on page 1337
· Configuring Stateless Address Auto Configuration Without DHCP on Switch (CLI), on page 1339
· Native IPv6, on page 1340
Information About IPv6 Client Address Learning
Client Address Learning is configured on the device to learn the IPv4 and IPv6 addresses of a wireless client, and the client's transition state is maintained by the device on association and timeout. There are three ways for an IPv6 client to acquire IPv6 addresses:
· Stateless Address Auto-Configuration (SLAAC)
· Stateful DHCPv6
· Static Configuration
In all of these methods, the IPv6 client always sends a neighbor solicitation Duplicate Address Detection (DAD) request to ensure that there is no duplicate IP address on the network. The device snoops on the Neighbor Discovery Protocol (NDP) and DHCPv6 packets of the client to learn about its client IP addresses.
Address Assignment Using SLAAC
The most common method for IPv6 client address assignment is SLAAC, which provides simple plug-and-play connectivity, where clients self-assign an address based on the IPv6 prefix.
SLAAC is configured as follows:
· A host sends a Router Solicitation message.
· The host waits for a Router Advertisement message.
· The host takes the first 64 bits of the IPv6 prefix from the Router Advertisement message and combines it with the 64-bit EUI-64 address (in the case of Ethernet, this is created from the MAC address) to create a global unicast address. The host also uses the source IP address, in the IP header, of the Router Advertisement message as its default gateway.
· Duplicate Address Detection is performed by the IPv6 clients to ensure that the random addresses that are picked do not collide with those of other clients.

Note: The last 64 bits of the IPv6 address can be learned by using one of the following algorithms:
· EUI-64, which is based on the MAC address of the interface
· Private addresses that are randomly generated
Figure 35: Address Assignment Using SLAAC
The following Cisco IOS configuration commands from a Cisco-capable IPv6 router are used to enable SLAAC addressing and router advertisements:
ipv6 unicast-routing
interface Vlan20
 description IPv6-SLAAC
 ip address 192.168.20.1 255.255.255.0
 ipv6 address FE80:DB8:0:20::1 link-local
 ipv6 address 2001:DB8:0:20::1/64
 ipv6 enable
end
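To make the SLAAC steps concrete, here is an added Python model of what a host does with the Router Advertisement from the router above; it is example code written for this section, not Cisco's implementation. It derives the modified EUI-64 interface identifier from the client MAC (RFC 4291), joins it with the advertised /64, computes the solicited-node multicast group that the Duplicate Address Detection NS is sent to, and reads the RA's M and O flags (the flags set by ipv6 nd managed-config-flag and ipv6 nd other-config-flag in the later procedures) to decide whether the host additionally uses stateful or stateless DHCPv6. The RouterAdvertisement structure, the client MAC and the router's fe80::1 link-local address are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 (RFC 4291, Appendix A): split the 48-bit MAC, insert FF:FE in the
    middle, and invert the universal/local bit (0x02) of the first octet."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine the advertised /64 prefix with the EUI-64 interface identifier."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 requires a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def solicited_node_multicast(addr: ipaddress.IPv6Address) -> ipaddress.IPv6Address:
    """ff02::1:ffXX:XXXX, the group the DAD neighbor solicitation for addr is sent to."""
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return ipaddress.IPv6Address(base | (int(addr) & 0xFFFFFF))


@dataclass
class RouterAdvertisement:          # assumed structure, only the fields this model needs
    source: str                     # router's link-local address; becomes the default gateway
    prefix: str                     # Prefix Information option (autonomous flag assumed set)
    managed: bool = False           # M flag, set by 'ipv6 nd managed-config-flag'
    other: bool = False             # O flag, set by 'ipv6 nd other-config-flag'


def apply_ra(ra: RouterAdvertisement, mac: str) -> Dict[str, Optional[str]]:
    """What a SLAAC host derives from one RA: address, gateway, DAD group, DHCPv6 mode."""
    address = slaac_address(ra.prefix, mac)
    if ra.managed:
        dhcpv6 = "stateful"        # host also obtains an address and options from DHCPv6
    elif ra.other:
        dhcpv6 = "stateless"       # address from SLAAC; DNS, domain etc. from DHCPv6
    else:
        dhcpv6 = None              # SLAAC only, no DHCPv6 exchange
    return {
        "address": address.compressed,
        "gateway": ipaddress.IPv6Address(ra.source).compressed,
        "dad_group": solicited_node_multicast(address).compressed,
        "dhcpv6": dhcpv6,
    }


# Constructed sample: the Vlan20 prefix from the configuration above, a made-up router
# link-local address and a made-up client MAC.
SAMPLE_RA = RouterAdvertisement(source="fe80::1", prefix="2001:DB8:0:20::/64")
SAMPLE_MAC = "00:1B:63:84:45:E6"

if __name__ == "__main__":
    for key, value in apply_ra(SAMPLE_RA, SAMPLE_MAC).items():
        print(f"{key:10s} {value}")
```

Because the interface identifier is derived from the MAC, the EUI-64 form exposes the hardware address in every packet; that is why the Note above also lists randomly generated private addresses, which this model does not cover.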
Stateful DHCPv6 Address Assignment
The use of DHCPv6 is not required for IPv6 client connectivity if SLAAC is already deployed. There are two modes of operation for DHCPv6: Stateless and Stateful. The DHCPv6 Stateless mode is used to provide clients with additional network information that is not available in the router advertisement, but not an IPv6 address, because this is already provided by SLAAC. This information includes the DNS domain name, DNS servers, and other DHCP vendor-specific options.
Figure 36: Stateful DHCPv6 Address Assignment

The following interface configuration is for a Cisco IOS IPv6 router implementing stateless DHCPv6 with SLAAC enabled:
ipv6 unicast-routing
ipv6 dhcp pool IPV6_DHCPPOOL
 address prefix 2001:db8:5:10::/64
 domain-name cisco.com
 dns-server 2001:db8:6:6::1
interface Vlan20
 description IPv6-DHCP-Stateless
 ip address 192.168.20.1 255.255.255.0
 ipv6 nd other-config-flag
 ipv6 dhcp server IPV6_DHCPPOOL
 ipv6 address 2001:DB8:0:20::1/64
end
Router Solicitation
A Router Solicitation message is issued by a host to prompt local routers to transmit a Router Advertisement, from which the host can obtain information about local routing or perform stateless autoconfiguration. Router Advertisements are transmitted periodically, and a host prompts an immediate Router Advertisement by sending a Router Solicitation, for example when it boots or following a restart.
Router Advertisement
A Router Advertisement message is issued periodically by a router or in response to a Router Solicitation message from a host. The information contained in these messages is used by a host to perform stateless auto configuration and to modify its routing table.
Neighbor Discovery
IPv6 Neighbor Discovery is a set of messages and processes that determine relationships between neighboring nodes. Neighbor Discovery replaces the Address Resolution Protocol (ARP), Internet Control Message Protocol (ICMP) Router Discovery, and ICMP Redirect used in IPv4.
IPv6 Neighbor Discovery inspection analyzes neighbor discovery messages in order to build a trusted binding table database, and IPv6 Neighbor Discovery packets that do not comply are dropped. The neighbor binding table tracks each IPv6 address and its associated MAC address. Clients are removed from the table according to neighbor-binding timers.

Neighbor Discovery Suppression
The IPv6 addresses of wireless clients are cached by the device once the wireless client is in RUN state. When the device receives an NS multicast, it looks into the cached IPv6 addresses. If the target address is known to the device and belongs to one of its wireless clients, the device converts the NS from multicast to unicast and forwards it to the wireless client. If the target address is not present in the cache, the device interprets the multicast NS as being for a wired entity and forwards it towards the wired side, not to the wireless clients. The same behaviour is seen for ARP requests in the case of IPv4 addresses, where the device maintains the IPv4 address of the wireless client in the cache.

When neither proxy configuration is enabled, and the device receives a non-DAD or DAD NS multicast looking for an IPv6 address, and the target address is known to the device and belongs to one of its clients, the device converts the multicast NS to a unicast NS, with the destination MAC address replaced with the client's MAC, and forwards the unicast packet towards the client.

When full proxy is enabled, and the device receives a non-DAD or DAD NS multicast looking for an IPv6 address, and the target address is known to the device and belongs to one of its clients, the device replies with an NA message on behalf of the client.

You can use the ipv6 nd proxy command to enable or disable DAD or full proxy. With DAD proxy enabled, when the device receives a DAD NS multicast looking for an IPv6 address, and the target address is known to the device and belongs to one of its clients, the device replies with an NA message on behalf of the client. When the device receives a non-DAD NS multicast looking for an IPv6 address, and the target address is known to the device and belongs to one of its clients, the device converts the multicast NS to a unicast NS, with the destination MAC address replaced with the client's MAC, and forwards the unicast packet towards the client.

If the device does not have the IPv6 address of a wireless client, the device does not respond with an NA; instead, it forwards the NS packet to the wired side. The reason for forwarding to the wired side is the assumption that every wireless client IPv6 address and its mapped MAC address is available on the controller; if the IPv6 address requested in the NS is not available, that address is not a wireless client address, so the NS is forwarded to the wired side.
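The three behaviours described above (no proxy, DAD proxy, full proxy) reduce to one decision per multicast NS. The following is an added Python model of that decision written for this section; it is not Cisco's code and the cache, proxy-mode and NS structures are assumptions made to model the text. Addresses are normalized before lookup so that a target written in a different case or compression form still matches the cached entry, and a client that leaves RUN state is removed from the cache so that later solicitations for its address fall through to the wired side, as the last paragraph describes.

```python
import ipaddress
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional

ALL_NODES_MAC = "33:33:00:00:00:01"   # Ethernet mapping of ff02::1, where a DAD NA is addressed


class ProxyMode(Enum):
    NONE = "none"    # neither DAD nor full proxy configured with 'ipv6 nd proxy'
    DAD = "dad"      # DAD proxy: answer only DAD solicitations on the client's behalf
    FULL = "full"    # full proxy: answer every solicitation for a known client


@dataclass
class NeighborSolicitation:      # assumed structure: only the fields the decision needs
    target: str                  # IPv6 address being resolved
    src_mac: str                 # MAC of the soliciting node
    is_dad: bool                 # DAD NS: sent from the unspecified address (::)


@dataclass
class Verdict:
    action: str                  # "unicast-ns" | "proxy-na" | "forward-wired"
    dst_mac: Optional[str] = None


def _norm(addr: str) -> str:
    return ipaddress.IPv6Address(addr).compressed


class ClientAddressCache:
    """IPv6 address -> MAC bindings for wireless clients that reached RUN state."""

    def __init__(self) -> None:
        self._by_addr: Dict[str, str] = {}

    def learn(self, addr: str, mac: str) -> None:
        self._by_addr[_norm(addr)] = mac.lower()

    def forget_client(self, mac: str) -> None:
        """Client timed out or disassociated: drop every address it owned."""
        mac = mac.lower()
        for addr in [a for a, m in self._by_addr.items() if m == mac]:
            del self._by_addr[addr]

    def lookup(self, addr: str) -> Optional[str]:
        return self._by_addr.get(_norm(addr))


def handle_multicast_ns(ns: NeighborSolicitation, cache: ClientAddressCache,
                        mode: ProxyMode) -> Verdict:
    client_mac = cache.lookup(ns.target)
    if client_mac is None:
        # Unknown target: assumed to be a wired host, never answered on a client's behalf.
        return Verdict("forward-wired")
    if mode is ProxyMode.FULL or (mode is ProxyMode.DAD and ns.is_dad):
        # Reply with an NA for the client. A DAD reply goes to all nodes, a normal one to the
        # solicitor.
        return Verdict("proxy-na", dst_mac=ALL_NODES_MAC if ns.is_dad else ns.src_mac)
    # Otherwise rewrite the multicast NS into a unicast NS towards the client's MAC.
    return Verdict("unicast-ns", dst_mac=client_mac)


if __name__ == "__main__":
    # Constructed sample: one wireless client and one multicast NS for its address.
    cache = ClientAddressCache()
    cache.learn("2001:DB8:0:20:21B:63FF:FE84:45E6", "00:1B:63:84:45:E6")
    ns = NeighborSolicitation("2001:db8:0:20:21b:63ff:fe84:45e6", "aa:bb:cc:00:00:01", False)
    for mode in ProxyMode:
        print(mode.value, handle_multicast_ns(ns, cache, mode))
```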
Router Advertisement Guard
The RA Guard feature increases the security of the IPv6 network by dropping router advertisements coming from wireless clients. Without this feature, misconfigured or malicious IPv6 clients could announce themselves as a router for the network, often with a high priority, which could take precedence over legitimate IPv6 routers. By default, RA guard is always enabled on the controller.
· Port on which the frame is received
· IPv6 source address
· Prefix list

· Trusted or untrusted ports for receiving the router advertisement guard messages
· Trusted/untrusted IPv6 source addresses of the router advertisement sender
· Trusted/untrusted prefix list and prefix ranges
· Router preference
Router Advertisement Throttling
RA throttling allows the controller to enforce limits on the RA packets headed toward the wireless network. By enabling RA throttling, routers that send multiple RA packets can be trimmed to a minimum frequency that still maintains IPv6 client connectivity. If a client sends an RS packet, an RA is sent back to the client. This RA is allowed through the controller and unicast to the client. This process ensures that new clients or roaming clients are not affected by RA throttling.
Prerequisites for IPv6 Client Address Learning
Before configuring IPv6 client address learning, configure the clients to support IPv6. To enable wireless IPv6 client connectivity, the underlying wired network must support IPv6 routing and an address assignment mechanism, such as SLAAC or DHCPv6. The wireless LAN controller must have L2 adjacency to the IPv6 router.

Note: The AP learns the IPv6 client address based on the source IP address, even though Neighbor Advertisements can hold the rest of the client's IPv6 addresses. The AP does not look into Neighbor Advertisements to learn the IPv6 addresses acquired by the client. This behavior is seen only on Apple clients and not on Microsoft Windows clients.

Configuring RA Throttle Policy (CLI)
Configure an RA throttle policy to enforce the limits on RA packets headed toward the wireless network.

Procedure

Step 1
Command or Action: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: ipv6 nd ra-throttler policy ra-throttler1
Example: Device(config)# ipv6 nd ra-throttler policy ra-throttler1
Purpose: Defines the router advertisement (RA) throttler policy name and enters IPv6 RA throttle policy configuration mode.

Step 3
Command or Action: throttleperiod 500
Example: Device(config-nd-ra-throttle)# throttleperiod 500
Purpose: Configures the throttle period in an IPv6 RA throttler policy. The throttle period is in seconds and is the time during which the controller does not forward RAs to the wireless clients.

Step 4
Command or Action: max-through 10
Example: Device(config-nd-ra-throttle)# max-through 15
Purpose: Limits multicast RAs per VLAN per throttle period.

Step 5
Command or Action: allow-atleast 5 at-most 10
Example: Device(config-nd-ra-throttle)# allow-atleast 5 at-most 10
Purpose: Limits the number of multicast RAs per device per throttle period in an RA throttler policy.

Applying RA Throttle Policy on VLAN (GUI)
Procedure

Step 1 Choose Configuration > Services > RA Throttle Policy.
Step 2 Click Add. The Add RA Throttle Policy dialog box appears.
Step 3 Enter a name for the policy in the Name field.
Step 4 Choose the desired option from the Medium Type drop-down list.
Step 5 Enter a value in the Throttle Period field. RA throttling takes place only after the Max Through limit is reached for the VLAN or the Allow At-Most value is reached for a particular router.
Step 6 Enter a value for the Max Through field, which is the maximum number of RA packets on a VLAN that can be sent before throttling takes place. The No Limit option allows an unlimited number of RA packets through with no throttling.
Step 7 Choose an Interval Option, which allows the device to act differently based on the RFC 3775 value set in IPv6 RA packets, from the following options:
· Ignore: Causes the RA throttle to treat packets with the interval option as a regular RA, subject to throttling if it is in effect.
· Passthrough: Allows any RA messages with the RFC 3775 interval option to go through without throttling.
· Throttle: Causes the RA packets with the interval option to always be subject to rate limiting.
Step 8 Enter the minimum number of RA packets per router that can be sent as multicast before throttling takes place in the At Least Multicast RAs field.
Step 9 Enter the maximum number of RA packets per router that can be sent as multicast before throttling takes place in the At Most Multicast RAs field. The No Limit option allows an unlimited number of RA packets through the router.
Step 10 Click the Add & Apply to Device button.
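The CLI and GUI procedures above define the same policy knobs: a throttle period, a per-VLAN Max Through, a per-router Allow At-Least / At-Most pair, and the interval-option behaviour. The following Python model, an added example for this section and not Cisco's implementation, plays a constructed sequence of RAs through such a policy so that the interaction of the knobs is visible. It also models the RA Guard rule from the section before (an RA arriving from a wireless client port is always dropped) and the rule that a unicast RA answering a client's RS always passes. How the guide's controller actually orders these checks is not stated, so the ordering here (guard, RS reply, interval passthrough, then per-router and per-VLAN counters) is an assumption, and the "ignore" and "throttle" interval options are both treated as ordinary counted RAs in this model.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class RaThrottlePolicy:
    throttle_period: float            # throttleperiod, in seconds
    max_through: Optional[int]        # max-through: multicast RAs per VLAN per period (None = No Limit)
    allow_atleast: int                # allow-atleast: RAs every router may always send per period
    at_most: Optional[int]            # at-most: cap per router per period (None = No Limit)
    interval_option: str = "ignore"   # "ignore" | "passthrough" | "throttle" (RFC 3775 option)


@dataclass
class RouterAdvertisement:            # assumed structure with only the fields the model needs
    vlan: int
    router: str                       # link-local source address of the sending router
    ingress: str                      # "wired" (uplink) or "wireless" (client port)
    has_interval_option: bool = False
    answers_rs: bool = False          # unicast RA sent in reply to a client's Router Solicitation


@dataclass
class RaThrottler:
    policy: RaThrottlePolicy
    period_start: Dict[int, float] = field(default_factory=dict)
    vlan_count: Dict[int, int] = field(default_factory=dict)
    router_count: Dict[Tuple[int, str], int] = field(default_factory=dict)

    def _roll_period(self, vlan: int, now: float) -> None:
        """Start a new throttle period for the VLAN when the previous one has elapsed."""
        start = self.period_start.get(vlan)
        if start is None or now - start >= self.policy.throttle_period:
            self.period_start[vlan] = now
            self.vlan_count[vlan] = 0
            for key in [k for k in self.router_count if k[0] == vlan]:
                self.router_count[key] = 0

    def handle(self, ra: RouterAdvertisement, now: float) -> str:
        p = self.policy
        if ra.ingress == "wireless":
            return "drop:ra-guard"               # RA Guard: clients must never act as routers
        if ra.answers_rs:
            return "forward:rs-reply"            # keeps new and roaming clients working
        if ra.has_interval_option and p.interval_option == "passthrough":
            return "forward:interval-passthrough"
        self._roll_period(ra.vlan, now)
        key = (ra.vlan, ra.router)
        rcount = self.router_count.get(key, 0)
        vcount = self.vlan_count[ra.vlan]
        if rcount >= p.allow_atleast:           # the first allow_atleast RAs per router always pass
            if p.at_most is not None and rcount >= p.at_most:
                return "drop:router-at-most"
            if p.max_through is not None and vcount >= p.max_through:
                return "drop:vlan-max-through"
        self.router_count[key] = rcount + 1
        self.vlan_count[ra.vlan] = vcount + 1
        return "forward"


def simulate(events: List[Tuple[float, RouterAdvertisement]],
             policy: RaThrottlePolicy) -> Dict[str, int]:
    """Run timestamped RAs through one throttler and tally the verdicts."""
    throttler = RaThrottler(policy)
    tally: Dict[str, int] = {}
    for now, ra in events:
        verdict = throttler.handle(ra, now)
        tally[verdict] = tally.get(verdict, 0) + 1
    return tally


# Constructed scenario using the values from the CLI example: period 500 s, max-through 15,
# allow-atleast 5, at-most 10. Router fe80::1 sends 12 RAs, fe80::2 sends 8, a wireless client
# sends one, an RS reply passes, and fe80::1 sends one more after the period has elapsed.
POLICY = RaThrottlePolicy(throttle_period=500, max_through=15, allow_atleast=5, at_most=10)
EVENTS = (
    [(float(i), RouterAdvertisement(1, "fe80::1", "wired")) for i in range(12)]
    + [(20.0 + i, RouterAdvertisement(1, "fe80::2", "wired")) for i in range(8)]
    + [(30.0, RouterAdvertisement(1, "fe80::bad", "wireless"))]
    + [(31.0, RouterAdvertisement(1, "fe80::1", "wired", answers_rs=True))]
    + [(500.0, RouterAdvertisement(1, "fe80::1", "wired"))]
)

if __name__ == "__main__":
    for verdict, count in sorted(simulate(EVENTS, POLICY).items()):
        print(f"{verdict:28s} {count}")
```

In the scenario the second router is cut off by the VLAN-wide Max Through after its guaranteed five, while the first is stopped earlier by its own At-Most cap; lowering allow-atleast without raising max-through is what starves a second legitimate router on the same VLAN.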

Applying RA Throttle Policy on a VLAN (CLI)
This procedure applies the RA throttle policy to a VLAN. By enabling RA throttling, routers that send many RA packets can be trimmed to a minimum frequency that still maintains IPv6 client connectivity.

Procedure

Step 1
Command or Action: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: vlan configuration 1
Example: Device(config)# vlan configuration 1
Purpose: Configures a VLAN or a collection of VLANs and enters VLAN configuration mode.

Step 3
Command or Action: ipv6 nd ra throttler attach-policy ra-throttler1
Example: Device(config-vlan)# ipv6 nd ra throttler attach-policy ra-throttler1
Purpose: Attaches an IPv6 RA throttler policy to a VLAN or a collection of VLANs.

Configuring IPv6 Interface on a Switch (GUI)
Procedure

Step 1 Choose Configuration > Layer2 > VLAN > SVI.
Step 2 Click Add.
Step 3 Enter VLAN Number, Description and MTU (Bytes).
Step 4 Enable or disable the Admin Status toggle button.
Step 5 In IP Options, check the IPv6 check box.
Step 6 Choose the type of Static address from the drop-down list and enter the Static Address.
Step 7 Check or uncheck the DHCP, Autoconfig and Act as an IPv6 DHCP client check boxes. If you check the DHCP check box, the Rapid Commit check box is displayed. Check or uncheck the Rapid Commit check box.
Step 8 Click Apply to Device.

Configuring IPv6 on Interface (CLI)
Follow the procedure given below to configure IPv6 on an interface:

Before you begin Enable IPv6 on the client and IPv6 support on the wired infrastructure.

Procedure

Step 1
Command or Action: enable
Example: Device> enable
Purpose: Enables privileged EXEC mode. Enter your password, if prompted.

Step 2
Command or Action: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 3
Command or Action: interface vlan vlan-id
Example: Device(config)# interface vlan 10
Purpose: Creates an interface and enters interface configuration mode.

Step 4
Command or Action: ipv6 address fe80::1 link-local
Example:
Device(config-if)# ip address 198.51.100.1 255.255.255.0
Device(config-if)# ipv6 address fe80::1 link-local
Device(config-if)# ipv6 address 2001:DB8:0:1:FFFF:1234::5/64
Device(config-if)# ipv6 address 2001:DB8:0:0:E000::F/64
Purpose: Configures an IPv6 address on the GigabitEthernet interface using the link-local option.

Step 5
Command or Action: ipv6 enable
Example: Device(config-if)# ipv6 enable
Purpose: (Optional) Enables IPv6 on the GigabitEthernet interface.

Step 6
Command or Action: end
Example: Device(config-if)# end
Purpose: Exits interface mode.

Configuring DHCP Pool on Switch (GUI)
Procedure

Step 1 Choose Administration > DHCP.
Step 2 Click the Add button. The Create DHCP Pool dialog box appears.
Step 3 Enter a pool name in the DHCP Pool Name field. The name must not be greater than 236 characters in length.
Step 4 Choose either IPv4 or IPv6 from the IP Type drop-down list.
Step 5 Enter an IP address in the Network field.
Step 6 Choose any one of the available subnet masks from the Subnet Mask drop-down list.
Step 7 Enter an IP address in the Starting ip field.
Step 8 Enter an IP address in the Ending ip field.
Step 9 (Optional) Set the status of the Reserved Only field to Enabled if you wish to reserve the DHCP pool.
Step 10 Choose the desired option from the Lease drop-down list.
Step 11 Selecting the User Defined option from the Lease drop-down list enables the (0-365 days), (0-23 hours), and (0-59 minutes) fields. Enter appropriate values.
Step 12 Click the Save & Apply to Device button.
Step 13 For IPv6, enter the DNS Server, DNS Domain Name, and IPv6 Address Allocation.

Configuring DHCP Pool on Switch (CLI)
Follow the procedure given below to configure DHCP Pool on an interface:

Procedure

Step 1
Command or Action: enable
Example: Device> enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2
Command or Action: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 3
Command or Action: ipv6 dhcp pool vlan-id
Example: Device(config)# ipv6 dhcp pool 21
Purpose: Enters the configuration mode and configures the IPv6 DHCP pool on the VLAN.

Step 4
Command or Action: address prefix 2001:DB8:0:1:FFFF:1234::/64 lifetime 300 10
Example: Device(config-dhcpv6)# address prefix 2001:DB8:0:1:FFFF:1234::/64 lifetime 300 10
Purpose: Enters the configuration-dhcp mode and configures the address pool and its lifetime on a VLAN.

Step 5
Command or Action: dns-server 2001:100:0:1::1
Example: Device(config-dhcpv6)# dns-server 2001:20:21::1
Purpose: Configures the DNS servers for the DHCP pool.

Step 6
Command or Action: domain-name example.com
Example: Device(config-dhcpv6)# domain-name example.com
Purpose: Configures the domain name to complete unqualified host names.

Step 7
Command or Action: end
Example: Device(config)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Configuring Stateless Auto Address Configuration Without DHCP on Switch (CLI)
Follow the procedure given below to configure stateless auto address configuration without DHCP:

Procedure

Step 1
Command or Action: enable
Example: Device> enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2
Command or Action: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 3
Command or Action: interface vlan 1
Example: Device(config)# interface vlan 1
Purpose: Creates an interface and enters interface configuration mode.

Step 4
Command or Action: ipv6 address fe80::1 link-local
Example:
Device(config-if)# ip address 198.51.100.1 255.255.255.0
Device(config-if)# ipv6 address fe80::1 link-local
Device(config-if)# ipv6 address 2001:DB8:0:1:FFFF:1234::5/64
Device(config-if)# ipv6 address 2001:DB8:0:0:E000::F/64
Purpose: Configures an IPv6 address on the GigabitEthernet interface using the link-local option.

Step 5
Command or Action: ipv6 enable
Example: Device(config-if)# ipv6 enable
Purpose: (Optional) Enables IPv6 on the GigabitEthernet interface.

Step 6
Command or Action: no ipv6 nd managed-config-flag
Example:
Device(config)# interface vlan 1
Device(config-if)# no ipv6 nd managed-config-flag
Purpose: Ensures that the attached hosts do not use stateful autoconfiguration to obtain addresses.

Step 7
Command or Action: no ipv6 nd other-config-flag
Example: Device(config-if)# no ipv6 nd other-config-flag
Purpose: Ensures that the attached hosts do not use stateful autoconfiguration to obtain non-address options from DHCP (domain etc.).

Step 8
Command or Action: end
Example: Device(config)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Configuring Stateless Auto Address Configuration With DHCP on Switch
Follow the procedure given below to configure stateless auto address configuration with DHCP:

Procedure

Step 1
Command or Action: enable
Example: Device> enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2
Command or Action: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 3
Command or Action: interface vlan 1
Example: Device(config)# interface vlan 1
Purpose: Creates an interface and enters interface configuration mode.

Step 4
Command or Action: ipv6 address fe80::1 link-local
Example:
Device(config-if)# ip address 198.51.100.1 255.255.255.0
Device(config-if)# ipv6 address fe80::1 link-local
Device(config-if)# ipv6 address 2001:DB8:0:1:FFFF:1234::5/64
Device(config-if)# ipv6 address 2001:DB8:0:0:E000::F/64
Purpose: Configures an IPv6 address on the GigabitEthernet interface using the link-local option.

Step 5
Command or Action: ipv6 enable
Example: Device(config-if)# ipv6 enable
Purpose: (Optional) Enables IPv6 on the GigabitEthernet interface.

Step 6
Command or Action: ipv6 nd prefix ipaddress
Example: Device(config-if)# ipv6 nd prefix 2001:9:3:54::/64 no-advertise
Purpose: Specifies a subnet prefix.

Step 7
Command or Action: no ipv6 nd managed-config-flag
Example:
Device(config)# interface vlan 1
Device(config-if)# no ipv6 nd managed-config-flag
Purpose: Ensures that the attached hosts do not use stateful autoconfiguration to obtain addresses.

Step 8
Command or Action: ipv6 nd other-config-flag
Example: Device(config-if)# no ipv6 nd other-config-flag
Purpose: Ensures that the attached hosts do not use stateful autoconfiguration to obtain non-address options from DHCP (domain etc.). Displays the configuration parameters.

Step 9
Command or Action: ipv6 dhcp server servername
Example: Device(config-if)# ipv6 dhcp server VLAN54

Step 10
Command or Action: end
Example: Device(config)# end
Purpose: Exits interface mode.

Configuring Stateless Address Auto Configuration Without DHCP on Switch (CLI)
Follow the procedure given below to configure stateless auto address configuration without DHCP:

Procedure

Step 1
Command or Action: enable
Example: Device> enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2
Command or Action: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 3
Command or Action: interface vlan 1
Example: Device(config)# interface vlan 1
Purpose: Creates an interface and enters interface configuration mode.

Step 4
Command or Action: ipv6 address fe80::1 link-local
Example:
Device(config-if)# ip address 198.51.100.1 255.255.255.0
Device(config-if)# ipv6 address fe80::1 link-local
Device(config-if)# ipv6 address 2001:DB8:0:1:FFFF:1234::5/64
Device(config-if)# ipv6 address 2001:DB8:0:0:E000::F/64
Purpose: Configures an IPv6 address on the GigabitEthernet interface using the link-local option.

Step 5
Command or Action: ipv6 enable
Example: Device(config-if)# ipv6 enable
Purpose: (Optional) Enables IPv6 on the GigabitEthernet interface.

Step 6
Command or Action: no ipv6 nd managed-config-flag
Example:
Device(config)# interface vlan 1
Device(config-if)# no ipv6 nd managed-config-flag
Purpose: Ensures that the attached hosts do not use stateful autoconfiguration to obtain addresses.

Step 7
Command or Action: no ipv6 nd other-config-flag
Example: Device(config-if)# no ipv6 nd other-config-flag
Purpose: Ensures that the attached hosts do not use stateful autoconfiguration to obtain non-address options from DHCP (domain etc.).

Step 8
Command or Action: end
Example: Device(config)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Native IPv6
Information About IPv6
IPv6 is a packet-based protocol used to exchange data, voice, and video traffic over digital networks. IPv6 is based on IP, but with a much larger address space, and improvements such as a simplified main header and extension headers. The architecture of IPv6 has been designed to allow existing IPv4 users to transition easily to IPv6 while continuing to use services such as end-to-end security, quality of service (QoS), and globally unique addresses. The larger IPv6 address space allows networks to scale and provide global reachability.

Note The features and functions that work on IPv4 networks with IPv4 addresses also work on IPv6 networks with IPv6 addresses.
General Guidelines
· For IPv6 functionality to work, ensure that you disable IPv6 multicast routing.
· The Wireless Management interface should have only one static IPv6 address.
· Router advertisement should be suppressed on the wireless management interface and client VLANs (if IPv6 is configured on the client VLAN).
· Preferred mode is part of an AP join profile. When you configure the preferred mode as IPv6, an AP attempts to join over IPv6 first. If it fails, the AP falls back to IPv4.
· You should use MAC addresses for RA tracing of APs and clients.
· APs can join IPv6 controllers only with an IPv6 static address. If you have a controller with auto configurations and multiple IPv6 addresses, APs cannot join the IPv6 controllers.

Unsupported Features
· UDP Lite is not supported.
· AP sniffer over IPv6 is not supported.
· IPv6 is not supported for the HA port interface.
· Auto RF grouping over IPv6 is not supported. Only static RF grouping is supported.
Configuring IPv6 Addressing
Follow the procedure given below to configure IPv6 addressing:

Note All the features and functions that work on IPv4 networks with IPv4 addresses will work on IPv6 networks with IPv6 addresses too.

Procedure

Step 1
Command or Action: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: ipv6 unicast-routing
Example: Device(config)# ipv6 unicast-routing
Purpose: Configures IPv6 for unicasting.

Step 3
Command or Action: interface vlan 1
Example: Device(config)# interface vlan 1
Purpose: Creates an interface and enters interface configuration mode.

Step 4
Command or Action: ipv6 address ipv6-address
Example: Device(config-if)# ipv6 address FD09:9:2:49::53/64
Purpose: Specifies a global IPv6 address.

Step 5
Command or Action: ipv6 enable
Example: Device(config-if)# ipv6 enable
Purpose: Enables IPv6 on the interface.

Step 6
Command or Action: ipv6 nd ra suppress all
Example: Device(config-if)# ipv6 nd ra suppress all
Purpose: Suppresses IPv6 router advertisement transmissions on the interface.

Step 7
Command or Action: exit
Example: Device(config-if)# exit
Purpose: Returns to global configuration mode.

Step 8
Command or Action: wireless management interface gigabitEthernet gigabitEthernet-interface vlan 64
Example: Device(config)# wireless management interface gigabitEthernet vlan 64
Purpose: Configures the ports that are connected to the supported APs with the wireless management interface.

Step 9
Command or Action: ipv6 route ipv6-address
Example: Device(config)# ipv6 route ::/0 FD09:9:2:49::1
Purpose: Specifies IPv6 static routes.

Creating an AP Join Profile (GUI)
Procedure

Step 1 Choose Configuration > Tags & Profiles > AP Join.
Step 2 On the AP Join Profile window, click the General tab and click Add.
Step 3 In the Name field, enter a name for the AP join profile.
Step 4 (Optional) Enter a description for the AP join profile.
Step 5 Choose CAPWAP > Advanced.
Step 6 Under the Advanced tab, from the Preferred Mode drop-down list, choose IPv6. This sets the preferred mode of APs as IPv6.
Step 7 Click Save & Apply to Device.

Creating an AP Join Profile (CLI)

Procedure

Step 1

Command or Action configure terminal Example:
Device# configure terminal

Purpose Enters global configuration mode.

Step 2

ap profile ap-profile Example:
Device(config)# ap profile xyz-ap-profile

Configures an AP profile and enters AP profile configuration mode.

Step 3

description ap-profile-name Example:
Device(config-ap-profile)# description "xyz ap profile"

Adds a description for the AP profile.

Step 4

preferred-mode ipv6 Example:
Device(config-ap-profile)# preferred-mode ipv6

Sets the preferred mode of APs as IPv6.

Configuring the Primary and Backup Controller (GUI)
Before you begin
Ensure that you have configured an AP join profile prior to configuring the primary and backup controllers.

Procedure

Step 1 Choose Configuration > Tags & Profiles > AP Join.
Step 2 On the AP Join Profile window, click the AP join profile name.
Step 3 In the Edit AP Join Profile window, click the CAPWAP tab.
Step 4 In the High Availability tab, under Backup Controller Configuration, check the Enable Fallback check box.
Step 5 Enter the primary and secondary controller names and IP addresses.
Step 6 Click Update & Apply to Device.

Configuring Primary and Backup Controller (CLI)
Follow the procedure given below to configure the primary and secondary controllers for a selected AP:

Procedure

Step 1

Command or Action configure terminal Example:
Device# configure terminal

Purpose Enters global configuration mode.

Step 2

ap profile profile-name Example:
Device(config)# ap profile yy-ap-profile

Configures an AP profile and enters AP profile configuration mode.

Step 3

capwap backup primary primary-controller-name primary-controller-ip Example:
Device(config)# capwap backup primary WLAN-Controller-A 2001:DB8:1::1

Configures AP CAPWAP parameters with the primary backup controller's name.

Note You need to enable fast heartbeat for capwap backup primary and capwap backup secondary to work.

AP disconnection may occur if the link between the controller and AP is not reliable and fast heartbeat is enabled.

Step 4

ap capwap backup secondary secondary-controller-name secondary-controller-ip Example:
Device(config)# capwap backup secondary WLAN-Controller-B 2001:DB8:1::1

Configures AP CAPWAP parameters with the secondary backup controller's name.

Step 5

syslog host ipaddress Example:
Device(config)# syslog host 2001:DB8:1::1

Configures the system logging settings for the APs.

Step 6

tftp-downgrade tftp-server-ip imagename Example:
Device(config)# tftp-downgrade 2001:DB8:1::1 testimage

Initiates AP image downgrade from a TFTP server for all the APs.

Verifying IPv6 Configuration
Use the following show command to verify the IPv6 configuration:
Device# show wireless interface summary
Wireless Interface Summary

Interface Name  Interface Type  VLAN ID  IP Address  IP Netmask     MAC Address
---------------------------------------------------------------------------------------
Vlan49          Management      49       0.0.0.0     255.255.255.0  001e.f64c.1eff
                                         fd09:9:2:49::54/64

Chapter 139
IPv6 ACL
· Information About IPv6 ACL, on page 1345
· Prerequisites for Configuring IPv6 ACL, on page 1346
· Restrictions for Configuring IPv6 ACL, on page 1346
· Configuring IPv6 ACLs, on page 1346
· How To Configure an IPv6 ACL, on page 1347
· Verifying IPv6 ACL, on page 1352
· Configuration Examples for IPv6 ACL, on page 1353
Information About IPv6 ACL
An access control list (ACL) is a set of rules used to limit access to a particular interface (for example, if you want to restrict a wireless client from pinging the management interface of the controller). ACLs are configured on the device and applied to the management interface, the AP-manager interface, any of the dynamic interfaces, or a WLAN to control data traffic to and from wireless clients, or to the controller central processing unit (CPU) to control all traffic destined for the CPU. You can also create a preauthentication ACL for web authentication. Such an ACL is used to allow certain types of traffic before authentication is complete. IPv6 ACLs support the same options as IPv4 ACLs, including source, destination, and source and destination ports.
Note You can enable only IPv4 traffic in your network by blocking IPv6 traffic. That is, you can configure an IPv6 ACL to deny all IPv6 traffic and apply it on specific or all WLANs.
Understanding IPv6 ACLs
Types of ACL
Per User IPv6 ACL
For the per-user ACL, the full access control entries (ACEs) are configured as text strings on the RADIUS server. The ACE is not configured on the Cisco 9800 controller. The ACE is sent to the device in the ACCESS-Accept attribute, and the device applies it directly for the client. When a wireless client roams into a foreign device, the ACEs are sent to the foreign device as an AAA attribute in the mobility Handoff message. Output direction, using per-user ACL, is not supported.
Filter ID IPv6 ACL
For the filter-Id ACL, the full ACEs and the ACL name (filter-id) are configured on the Cisco 9800 controller, and only the filter-id is configured on the RADIUS server. The filter-id is sent to the device in the ACCESS-Accept attribute; the device looks up the ACEs for that filter-id and then applies them to the client. When the client L2 roams to the foreign device, only the filter-id is sent to the foreign device in the mobility Handoff message. Output filtered ACL, using per-user ACL, is not supported. The foreign device has to have the filter-id and ACEs configured beforehand.
Prerequisites for Configuring IPv6 ACL
You can filter IP Version 6 (IPv6) traffic by creating IPv6 access control lists (ACLs) and applying them to interfaces similarly to the way that you create and apply IP Version 4 (IPv4) named ACLs. You can also create and apply input router ACLs to filter Layer 3 management traffic when the switch is running the Network Essentials license.
Restrictions for Configuring IPv6 ACL
With IPv4, you can configure standard and extended numbered IP ACLs, named IP ACLs, and MAC ACLs. IPv6 supports only named ACLs. The IPv6 ACL does not support Flex connect mode. The device supports most of the Cisco IOS-supported IPv6 ACLs with some exceptions:
· The device does not support matching on these keywords: flowlabel, routing header, and undetermined-transport.
· The device does not support reflexive ACLs (the reflect keyword).
· The device does not apply MAC-based ACLs on IPv6 frames.
· When configuring an ACL, there is no restriction on keywords entered in the ACL, regardless of whether or not they are supported on the platform. When you apply the ACL to an interface that requires hardware forwarding (physical ports or SVIs), the device checks to determine whether or not the ACL can be supported on the interface. If not, attaching the ACL is rejected.
· If an ACL is applied to an interface and you attempt to add an access control entry (ACE) with an unsupported keyword, the device does not allow the ACE to be added to the ACL that is currently attached to the interface.
Configuring IPv6 ACLs
Follow the procedure given below to filter IPv6 traffic:
1. Create an IPv6 ACL, and enter IPv6 access list configuration mode.
2. Configure the IPv6 ACL to block (deny) or pass (permit) traffic.
3. Apply the IPv6 ACL to the interface where the traffic needs to be filtered.
4. Apply the IPv6 ACL to an interface. For router ACLs, you must also configure an IPv6 address on the Layer 3 interface to which the ACL is applied.
Default IPv6 ACL Configuration
There are no IPv6 ACLs configured or applied.
Interaction with Other Features and Switches
· If a bridged frame is to be dropped due to a port ACL, the frame is not bridged.
· You can create both IPv4 and IPv6 ACLs on a switch or switch stack, and you can apply both IPv4 and IPv6 ACLs to the same interface. Each ACL must have a unique name; an error message appears if you try to use a name that is already configured. You use different commands to create IPv4 and IPv6 ACLs and to attach IPv4 or IPv6 ACLs to the same Layer 2 or Layer 3 interface. If you use the wrong command to attach an ACL (for example, an IPv4 command to attach an IPv6 ACL), you receive an error message.
· You cannot use MAC ACLs to filter IPv6 frames. MAC ACLs can only filter non-IP frames.
· If the hardware memory is full, for any additional configured ACLs, packets are processed to the CPU, and the ACLs are applied in software. When the hardware is full, a message is printed to the console indicating the ACL has been unloaded and the packets will be processed in software.

Note Only packets of the same type as the ACL that could not be added (ipv4, ipv6, MAC) will be processed in software.

· If the TCAM is full, for any additional configured ACLs, packets are forwarded to the CPU, and the ACLs are applied in software.

How To Configure an IPv6 ACL

Creating an IPv6 ACL (GUI)
Procedure

Step 1 Choose Configuration > Security > ACL.
Step 2 Click Add.
Step 3 In the Add ACL Setup dialog box, enter the following parameters.
· ACL Name: Enter the name for the ACL
· ACL Type: IPv6
· Sequence: The valid range is between 100 and 199 or 2000 and 26991
· Action: Choose Permit or Deny the packet flow from the drop-down list.
· Source Type: Choose any, Host or Network from which the packet is sent.
· Destination Type: Choose any, Host or Network to which the packet is sent.
· Protocol: Choose a protocol from the drop-down list.
· Log: Enable or disable logging.
· DSCP: Enter to match packets with the DSCP value
Step 4 Click Add.
Step 5 Add the rest of the rules and click Apply to Device.

Creating an IPv6 ACL

Procedure

Step 1

enable Example:
Device> enable

Enables privileged EXEC mode. Enter your password if prompted.

Step 2

configure terminal Example:
Device# configure terminal

Enters global configuration mode.

Step 3

ipv6 access-list acl_name Example:
Device# ipv6 access-list access-list-name

Use a name to define an IPv6 access list and enter IPv6 access-list configuration mode.

Step 4

{deny|permit} protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator [port-number]] [dscp value] [fragments] [log] [log-input] [routing] [sequence value] [time-range name]

Enter deny or permit to specify whether to deny or permit the packet if conditions are matched. These are the conditions:
· For protocol, enter the name or number of an Internet protocol: ahp, esp, icmp, ipv6, pcp, stcp, tcp, or udp, or an integer in the range 0 to 255 representing an IPv6 protocol number.
· The source-ipv6-prefix/prefix-length or destination-ipv6-prefix/prefix-length is the source or destination IPv6 network or class of networks for which to set deny or permit conditions, specified in hexadecimal and using 16-bit values between colons (see RFC 2373).
· Enter any as an abbreviation for the IPv6 prefix ::/0.
· For host source-ipv6-address or destination-ipv6-address, enter the source or destination IPv6 host address for which to set deny or permit conditions, specified in hexadecimal using 16-bit values between colons.
· (Optional) For operator, specify an operand that compares the source or destination ports of the specified protocol. Operands are lt (less than), gt (greater than), eq (equal), neq (not equal), and range. If the operator follows the source-ipv6-prefix/prefix-length argument, it must match the source port. If the operator follows the destination-ipv6-prefix/prefix-length argument, it must match the destination port.
· (Optional) The port-number is a decimal number from 0 to 65535 or the name of a TCP or UDP port. You can use TCP port names only when filtering TCP. You can use UDP port names only when filtering UDP.
· (Optional) Enter dscp value to match a differentiated services code point value against the traffic class value in the Traffic Class field of each IPv6 packet header. The acceptable range is from 0 to 63.
· (Optional) For packet fragmentation, enter fragments to check noninitial fragments. This keyword is visible only if the protocol is ipv6.
· (Optional) Enter log to cause a logging message to be sent to the console about the packet that matches the entry. Enter log-input to include the input interface in the log entry. Logging is supported only for router ACLs.
· (Optional) Enter routing to specify that IPv6 packets be routed.
· (Optional) Enter sequence value to specify the sequence number for the access list statement. The acceptable range is from 1 to 4294967295.
· (Optional) Enter time-range name to specify the time range that applies to the deny or permit statement.

Step 5

{deny|permit} tcp {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator [port-number]] [ack] [dscp value] [established] [fin] [log] [log-input] [neq {port | protocol}] [psh] [range {port | protocol}] [rst] [routing] [sequence value] [syn] [time-range name] [urg]

(Optional) Define a TCP access list and the access conditions. Enter tcp for Transmission Control Protocol. The parameters are the same as those described in Step 3, with these additional optional parameters:
· ack--Acknowledgment bit set.
· established--An established connection. A match occurs if the TCP datagram has the ACK or RST bits set.
· fin--Finished bit set; no more data from sender.
· neq {port | protocol}--Matches only packets that are not on a given port number.
· psh--Push function bit set.
· range {port | protocol}--Matches only packets in the port number range.
· rst--Reset bit set.
· syn--Synchronize bit set.
· urg--Urgent pointer bit set.

Step 6

{deny|permit} udp {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator [port-number]] [dscp value] [log] [log-input] [neq {port | protocol}] [range {port | protocol}] [routing] [sequence value] [time-range name]

(Optional) Define a UDP access list and the access conditions. Enter udp for the User Datagram Protocol. The UDP parameters are the same as those described for TCP, except that the operator [port] port number or name must be a UDP port number or name, and the established parameter is not valid for UDP.

Step 7

{deny|permit} icmp {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator [port-number]] [icmp-type [icmp-code] | icmp-message] [dscp value] [log] [log-input] [routing] [sequence value] [time-range name]

(Optional) Define an ICMP access list and the access conditions. Enter icmp for Internet Control Message Protocol. The ICMP parameters are the same as those described for most IP protocols in Step 3a, with the addition of the ICMP message type and code parameters. These optional keywords have these meanings:
· icmp-type--Enter to filter by ICMP message type, a number from 0 to 255.
· icmp-code--Enter to filter ICMP packets that are filtered by the ICMP message code type, a number from 0 to 255.
· icmp-message--Enter to filter ICMP packets by the ICMP message type name or the ICMP message type and code name. To see a list of ICMP message type names and code names, use the ? key or see the command reference for this release.

Step 8

end Example:
Device(config)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Step 9

show ipv6 access-list Example:
show ipv6 access-list

Verify the access list configuration.

Step 10

copy running-config startup-config Example:
copy running-config startup-config

(Optional) Save your entries in the configuration file.

Creating WLAN IPv6 ACL (GUI)
Procedure

Step 1 Choose Configuration > Tags & Profiles > WLANs.
Step 2 Click Add.
Step 3 In the General tab, enter the Profile Name, the SSID and the WLAN ID.
Step 4 Choose Security > Layer3 tab, click Show Advanced Settings and, under the Preauthenticated ACL settings, choose the ACL from the IPv6 drop-down list.
Step 5 Click Apply to Device.

Creating WLAN IPv6 ACL

Procedure

Step 1

configure terminal Example:
Device# configure terminal

Configures the terminal.

Step 2

wireless profile policy profile-name Example:
Device(config)# wireless profile policy test1

Creates policy profile for the WLAN. The profile-name is the profile name of the policy profile.

Step 3

ipv6 acl acl_name Example:
Device(config-wireless-policy)# ipv6 acl testacl

Creates a named WLAN ACL.

Step 4

ipv6 traffic-filter web acl_name-preauth Example:
Device(config-wlan)# ipv6 traffic-filter web preauth1

Creates a pre-authentication ACL for web authentication.

Verifying IPv6 ACL
Displaying IPv6 ACLs
To display IPv6 ACLs, perform this procedure:

Procedure

Step 1

enable Example:
Device> enable

Enables privileged EXEC mode. Enter your password if prompted.

Step 2

configure terminal Example:
Device# configure terminal

Enters global configuration mode.

Step 3

show access-list Example:
Device# show access-lists

Displays all access lists configured on the device.

Step 4

show ipv6 access-list acl_name Example:
Device# show ipv6 access-list [access-list-name]

Displays all configured IPv6 access lists or the access list specified by name.

Configuration Examples for IPv6 ACL
Example: Creating an IPv6 ACL
This example configures the IPv6 access list named CISCO. The first deny entry in the list denies all packets that have a destination TCP port number greater than 5000. The second deny entry denies packets that have a source UDP port number less than 5000. The second deny also logs all matches to the console. The first permit entry in the list permits all ICMP packets. The second permit entry in the list permits all other traffic. The second permit entry is necessary because an implicit deny-all condition is at the end of each IPv6 access list.

Note Logging is supported only on Layer 3 interfaces.
Device(config)# ipv6 access-list CISCO
Device(config-ipv6-acl)# deny tcp any any gt 5000
Device(config-ipv6-acl)# deny ::/0 lt 5000 ::/0 log
Device(config-ipv6-acl)# permit icmp any any
Device(config-ipv6-acl)# permit any any
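To make the first-match and implicit deny-all behaviour of the CISCO list concrete, the following added example (written for this guide, not Cisco code) parses the address, port-operator and log subset of the {deny|permit} syntax documented above and evaluates constructed packets against it. The ACL lines, the sequence numbering (10, 20, 30, ...), the port-name table and the packets are constructed; the second entry is written with an explicit udp keyword, as the prose describes it.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Protocol keywords accepted after permit/deny, as listed in the guide (including "stcp" as printed).
PROTOCOLS = {"ahp", "esp", "icmp", "ipv6", "pcp", "stcp", "tcp", "udp"}
# Constructed subset of port names; the guide's show output uses telnet and bgp.
PORT_NAMES = {"telnet": 23, "bgp": 179, "domain": 53, "www": 80}
PortOp = Tuple[str, int, int]  # (operator, port, upper bound used only by "range")


@dataclass
class Ace:
    seq: int
    action: str                  # "permit" or "deny"
    protocol: str                # "ipv6" matches every upper-layer protocol
    src: ipaddress.IPv6Network
    src_port: Optional[PortOp]
    dst: ipaddress.IPv6Network
    dst_port: Optional[PortOp]
    log: bool


@dataclass
class Packet:
    protocol: str
    src: ipaddress.IPv6Address
    dst: ipaddress.IPv6Address
    sport: Optional[int] = None  # None for protocols without ports (icmp)
    dport: Optional[int] = None


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _parse_addr(t: List[str], i: int) -> Tuple[ipaddress.IPv6Network, int]:
    # any | host <address> | <prefix>/<prefix-length>
    if t[i] == "any":
        return ipaddress.IPv6Network("::/0"), i + 1
    if t[i] == "host":
        return ipaddress.IPv6Network(t[i + 1] + "/128"), i + 2
    return ipaddress.IPv6Network(t[i], strict=False), i + 1


def _parse_op(t: List[str], i: int) -> Tuple[Optional[PortOp], int]:
    # Optional lt/gt/eq/neq <port> or range <low> <high> after an address
    if i < len(t) and t[i] in ("lt", "gt", "eq", "neq"):
        return (t[i], _port(t[i + 1]), 0), i + 2
    if i < len(t) and t[i] == "range":
        return ("range", _port(t[i + 1]), _port(t[i + 2])), i + 3
    return None, i


def parse_ace(line: str, seq: int) -> Ace:
    """Parse one {deny|permit} entry (address, port-operator and log subset of the syntax)."""
    t = line.split()
    if t[0] not in ("permit", "deny"):
        raise ValueError("ACE must start with permit or deny: " + line)
    i, protocol = 1, "ipv6"      # the guide's "permit any any" names no protocol
    if t[i] in PROTOCOLS:
        protocol, i = t[i], i + 1
    src, i = _parse_addr(t, i)
    src_op, i = _parse_op(t, i)
    dst, i = _parse_addr(t, i)
    dst_op, i = _parse_op(t, i)
    return Ace(seq, t[0], protocol, src, src_op, dst, dst_op, "log" in t[i:])


def parse_acl(lines: List[str]) -> List[Ace]:
    # Entries without an explicit sequence are numbered 10, 20, 30, ... in entry order.
    return [parse_ace(line, 10 * (n + 1)) for n, line in enumerate(lines)]


def _port_ok(op: Optional[PortOp], port: Optional[int]) -> bool:
    if op is None:
        return True              # no port condition on this side of the entry
    if port is None:
        return False             # condition present but the packet carries no port
    kind, a, b = op
    return {"lt": port < a, "gt": port > a, "eq": port == a,
            "neq": port != a, "range": a <= port <= b}[kind]


def matches(ace: Ace, pkt: Packet) -> bool:
    if ace.protocol != "ipv6" and ace.protocol != pkt.protocol:
        return False
    if pkt.src not in ace.src or pkt.dst not in ace.dst:
        return False
    return _port_ok(ace.src_port, pkt.sport) and _port_ok(ace.dst_port, pkt.dport)


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int], bool]:
    """First matching entry wins; falling off the end is the implicit deny-all (seq None)."""
    for ace in acl:
        if matches(ace, pkt):
            return ace.action, ace.seq, ace.log
    return "deny", None, False


# Constructed ACL following the guide's CISCO example (udp keyword made explicit).
CISCO_ACL = parse_acl([
    "deny tcp any any gt 5000",
    "deny udp ::/0 lt 5000 ::/0 log",
    "permit icmp any any",
    "permit any any",
])


def demo() -> dict:
    a, b = ipaddress.IPv6Address("2001:db8::1"), ipaddress.IPv6Address("2001:db8::2")
    return {
        "tcp_high_dport": evaluate(CISCO_ACL, Packet("tcp", a, b, 40000, 8443)),
        "udp_low_sport": evaluate(CISCO_ACL, Packet("udp", a, b, 53, 40000)),
        "udp_sport_5000": evaluate(CISCO_ACL, Packet("udp", a, b, 5000, 40000)),
        "icmp": evaluate(CISCO_ACL, Packet("icmp", a, b)),
        "tcp_https": evaluate(CISCO_ACL, Packet("tcp", a, b, 40000, 443)),
        # Same list without the final "permit any any": other traffic hits the implicit deny.
        "no_final_permit": evaluate(CISCO_ACL[:3], Packet("tcp", a, b, 40000, 443)),
    }
```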
Example: Applying an IPv6 ACL to a Policy Profile in a Wireless Environment
This example shows how to apply an IPv6 ACL to a Policy Profile in a Wireless environment.

Note All IPv6 ACLs must be associated to a policy profile.
1. Creating an IPv6 ACL.
Device(config)# ipv6 access-list <acl-name>
Device(config-ipv6-acl)# permit tcp 2001:DB8::/32 any
Device(config-ipv6-acl)# permit udp 2001:DB8::/32 any
2. Applying the IPv6 ACL to a policy profile.
Device(config)# wireless profile policy <policy-profile-name>
Device(config-wireless-policy)# shutdown
Device(config-wireless-policy)# ipv6 acl <acl-name>
Device(config-wireless-policy)# no shutdown

Displaying IPv6 ACLs
To display IPv6 ACLs, perform this procedure:

Procedure

Step 1

show access-list Example:
Device# show access-lists

Displays all access lists configured on the device.

Step 2

show ipv6 access-list acl_name Example:
Device# show ipv6 access-list [access-list-name]

Displays all configured IPv6 access lists or the access list specified by name.

Example: Displaying IPv6 ACLs
This is an example of the output from the show access-lists privileged EXEC command. The output shows all access lists that are configured on the switch or switch stack.
Device# show access-lists
Extended IP access list hello
    10 permit ip any any
IPv6 access list ipv6
    permit ipv6 any any sequence 10
This is an example of the output from the show ipv6 access-list privileged EXEC command. The output shows only IPv6 access lists configured on the switch or switch stack.
Device# show ipv6 access-list
IPv6 access list inbound
    permit tcp any any eq bgp (8 matches) sequence 10
    permit tcp any any eq telnet (15 matches) sequence 20
    permit udp any any sequence 30
IPv6 access list outbound
    deny udp any any sequence 10
    deny tcp any any eq telnet sequence 20

Example: Configuring RA Throttling
This task describes how to create an RA throttle policy to keep power-saving wireless clients from being disturbed by frequent unsolicited periodic RAs. The unsolicited multicast RA is throttled by the controller.

Before you begin Enable IPv6 on the client machine.

Procedure

Step 1

Command or Action configure terminal Example:
Device# configure terminal

Purpose Enters global configuration mode.

Step 2

ipv6 nd ra-throttler policy Mythrottle
Example:
Device (config)# ipv6 nd ra-throttler policy Mythrottle

Creates a RA throttler policy called Mythrottle.

Step 3

throttle-period 20
Example:
Device (config-nd-ra-throttle)# throttle-period 20

Determines the time interval segment during which throttling applies.

Step 4

max-through 5
Example:
Device (config-nd-ra-throttle)# max-through 5

Determines how many initial RA's are allowed.

Step 5

allow at-least 3 at-most 5
Example:
Device (config-nd-ra-throttle)# allow at-least 3 at-most 5

Determines how many RA's are allowed after the initial RAs have been transmitted, until the end of the interval segment.

Step 6

vlan configuration 100 Example:
Device (config)# vlan configuration 100

Creates a per-VLAN configuration.

Step 7

ipv6 nd ra-th attach-policy attach-policy_name Example:
Device (config)# ipv6 nd ra-throttle attach-policy attach-policy_name

Enables the router advertisement throttling.

Step 8

end Example:
Device(config)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Chapter 140
IPv6 Client Mobility
· Information About IPv6 Client Mobility, on page 1357
· Prerequisites for IPv6 Client Mobility, on page 1359
· Monitoring IPv6 Client Mobility, on page 1360
Information About IPv6 Client Mobility
Link layer mobility is not enough to make wireless client Layer 3 applications continue to work seamlessly while roaming. Cisco IOSd's wireless mobility module uses mobility tunneling to retain seamless connectivity for the client's Layer 3 PoP (point of presence) when the client roams across different subnets on different switches.

IPv6 is the next-generation network layer Internet protocol intended to replace IPv4 in the TCP/IP suite of protocols. This new version increases the internet global address space to accommodate users and applications that require unique global IP addresses. IPv6 incorporates 128-bit source and destination addresses, which provide significantly more addresses than the 32-bit IPv4 addresses.

To support IPv6 clients across controllers, ICMPv6 messages must be dealt with specially to ensure the IPv6 client remains on the same Layer 3 network. The device keeps track of IPv6 clients by intercepting the ICMPv6 messages to provide seamless mobility and protect the network from network attacks. The NDP (neighbor discovery protocol) packets are converted from multicast to unicast and delivered individually per client. This unique solution ensures that Neighbor Discovery and Router Advertisement packets are not leaked across VLANs. Clients can receive specific Neighbor Discovery and Router Advertisement packets, ensuring correct IPv6 addressing and avoiding unnecessary multicast traffic.

The configuration for IPv6 mobility is the same as IPv4 mobility and requires no separate software on the client side to achieve seamless roaming. The device must be part of the same mobility group. Both IPv4 and IPv6 client mobility are enabled by default. IPv6 client mobility is used for the following:
· Retaining the client IPv6 multiple addresses in Layer-2 and Layer-3 roaming.
· IPv6 Neighbor Discovery Protocol (NDP) packet management.
· Client IPv6 addresses learning.
Note The configuration for IPv6 mobility in SDA wireless and Local mode is the same as that of IPv4 mobility and requires no different software configuration on the client side to achieve seamless roaming. Refer to the IPv4 mobility section for configuration information.
Note If an ipv6 address is configured on the SVI, you should configure the ipv6 nd ra suppress all command on all client VLAN SVI interfaces on the controller. This prevents multiple devices from advertising themselves as routers.
Using Router Advertisement
The Neighbor Discovery Protocol (NDP) operates in the link layer and is responsible for the discovery of other nodes on the link. It determines the link-layer addresses of other nodes, finds the available routers, and maintains reachability information about the paths to other active neighbor nodes. Router Advertisement (RA) is one of the IPv6 Neighbor Discovery Protocol (NDP) packets that is used by the hosts to discover available routers, acquire the network prefix to generate the IPv6 addresses, link MTU, and so on. The routers send RA on a regular basis, or in response to hosts' Router Solicitation messages. IPv6 wireless client mobility manages the IPv6 RA packet. The device forwards the link-local all-nodes multicast RA packets to the local and roaming wireless nodes mapped on the same VLAN the RA was received on. Figure 1 illustrates how a roaming client "MN" receives RA from VLAN 200 in a foreign controller and how it acquires a new IP address and breaks into L3 mobility's point of presence.
Figure 37: Roaming Client Receives Valid RA from Router 1
Router Advertisement Throttling
RA throttling allows the controller to enforce limits on the RA packets headed toward the wireless network. By enabling RA throttling, routers that send multiple RA packets can be trimmed to a minimum frequency that will still maintain IPv6 client connectivity. If a client sends an RS packet, an RA is sent back to the client. This RA is allowed through the controller and unicast to the client. This process ensures that new clients or roaming clients are not affected by the RA throttling.
IPv6 Address Learning
There are three ways for an IPv6 client to acquire IPv6 addresses:
· Stateless Address Auto-Configuration (SLAAC)
· Stateful DHCPv6
· Static configuration
For these methods, the IPv6 client always sends NS DAD (duplicate address detection) to ensure that there is no duplicated IP address on the network. The device snoops the client's NDP and DHCPv6 packets to learn about its client IP addresses and then updates the controller's database. The database then informs the controller of the client's new IP address.
Handling Multiple IP Addresses
An IPv6 client can acquire multiple IP addresses from its stack for different purposes. For example, a link-local address for link-local traffic, and a routable unique local or global address. Essentially, IPv6 uses the existing or same PEM state machine code flow as IPv4. When the client is in the DHCP request state and the controller receives the first IP address notification from the database for either an IPv4 or IPv6 address, the PEM moves the client into the RUN state. When a new IP address is received after the RUN state, whether an addition or removal, the controller updates the new IP addresses on its local database for display purposes. When the IP addresses are requested by external entities, for example, from Prime Infrastructure, the controller provides all the available IP addresses, both IPv4 and IPv6, in the API/SPI interface to the external entities.
IPv6 Configuration
The device supports IPv6 clients as seamlessly as IPv4 clients. The administrator must manually configure the VLANs to enable IPv6, IPv6 snooping and throttling functionality. This enables the NDP packets to be throttled between the device and its various clients.
Prerequisites for IPv6 Client Mobility
· To enable wireless IPv6 client connectivity, the underlying wired network must support IPv6 routing and an address assignment mechanism such as SLAAC or DHCPv6. The device must have L2 adjacency to the IPv6 router, and the VLAN needs to be tagged when the packets enter the device. APs do not require connectivity on an IPv6 network, as all traffic is encapsulated inside the IPv4 CAPWAP tunnel between the AP and device.
· When using IPv6 Client Mobility, clients must support IPv6 with either static, stateless auto configuration or stateful DHCPv6 IP addressing.

· To allow smooth operation of stateful DHCPv6 IP addressing, you must have a switch or router that supports the DHCP for IPv6 feature that is configured to act like a DHCPv6 server, or you need a dedicated server such as a Windows 2008 server with a built-in DHCPv6 server.

Monitoring IPv6 Client Mobility

The commands in the following table are used to monitor IPv6 client mobility on the device.

Table 71: Monitoring IPv6 Client Mobility Commands

Command: show wireless client summary
Description: Displays the wireless-specific configuration of active clients.

Command: show wireless client mac-address mac-addr detail
Description: Displays the wireless-specific configuration of active clients based on their MAC address.

CHAPTER 141

IPv6 Support on Flex and Mesh

· IPv6 Support on Flex + Mesh Deployment, on page 1361
· Configuring IPv6 Support for Flex + Mesh, on page 1361
· Verifying IPv6 on Flex+Mesh, on page 1363
IPv6 Support on Flex + Mesh Deployment
IPv6 is the backhaul transport of the Service Provider. The IPv6 support over Flex + Mesh feature is now supported on the Cisco Catalyst 9800 Series Wireless Controller. The WLAN accepts IPv6 clients and forwards their traffic.

Configuring IPv6 Support for Flex + Mesh
Follow the procedure given below to enable IPv6 routing on the controller:

Procedure

Step 1
Command or Action: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: interface vlan vlan-interface-number
Example: Device(config)# interface vlan 89
Purpose: Creates an interface and enters interface configuration mode.

Step 3
Command or Action: shutdown
Example: Device(config-if)# shutdown
Purpose: Disables the interface.

Step 4
Command or Action: ipv6 enable
Example: Device(config-if)# ipv6 enable
Purpose: (Optional) Enables IPv6 on the interface.

Step 5
Command or Action: ipv6 address X:X:X:X::X/<0-128>
Example: Device(config-if)# ipv6 address 1:1:1:1::1/64
Purpose: Configures an IPv6 address on the interface using the IPv6 prefix option.

Step 6
Command or Action: no shutdown
Example: Device(config-if)# no shutdown
Purpose: Enables the IPv6 address.

Step 7
Command or Action: no shutdown
Example: Device(config-if)# no shutdown
Purpose: Enables the PIM dense-mode operation.

Step 8
Command or Action: end
Example: Device(config-if)# end
Purpose: Returns to privileged EXEC mode.

Step 9
Command or Action: show ipv6 interface brief
Example: Device# show ipv6 interface brief
Purpose: Verifies your entries.

Step 10
Command or Action: ping ipv6 destination-address or hostname
Example: Device# ping ipv6 1:1:1:1::10
Purpose: Checks the gateway connectivity.

Configuring Preferred IP Address as IPv6 (GUI)

Procedure

Step 1 Choose Configuration > Tags & Profiles > AP Join.
Step 2 Click the AP Join Profile Name. The Edit AP Join Profile window is displayed.
Step 3 Choose CAPWAP > Advanced.
Step 4 From the Preferred Mode drop-down list, select IPV6.
Step 5 Click Update & Apply to Device.


Configuring Preferred IP Address as IPv6

Procedure

Step 1
Command or Action: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: ap profile default-ap-profile
Example: Device(config)# ap profile default-ap-profile
Purpose: Enters AP profile configuration mode.

Step 3
Command or Action: preferred-mode ipv6
Example: Device(config-ap-profile)# preferred-mode ipv6
Purpose: Uses IPv6 to join the controller.

Step 4
Command or Action: end
Example: Device(config-ap-profile)# end
Purpose: Exits the configuration mode and returns to privileged EXEC mode.

Verifying IPv6 on Flex+Mesh

To verify the IPv6 configuration on the controller, use the following show command:

Device# show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet2       unassigned      YES unset  up                    up
GigabitEthernet0       unassigned      YES NVRAM  administratively down down
Capwap1                unassigned      YES unset  up                    up
Capwap2                unassigned      YES unset  up                    up
Vlan1                  unassigned      YES NVRAM  administratively down down
Vlan89                 9.10.89.90      YES NVRAM  up                    up

Ewlc-9.10.89.90# show running-config interface vlan 89
Building configuration...

Current configuration : 120 bytes
!
interface Vlan89
 ip address 9.10.89.90 255.255.255.0
 ip helper-address 9.1.0.100
 no mop enabled
 no mop sysid
end
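Step 9 of the procedure above verifies the entries with show ipv6 interface brief, whereas the sample output shown here is from the IPv4 command. The following Python script is an added example, not Cisco code: it parses the output format that show ipv6 interface brief prints on IOS XE and checks the VLAN interface against the address and gateway used in the procedure (1:1:1:1::1/64 and 1:1:1:1::10). The sample output is constructed and the function names are my own; on a real controller you would feed the script the captured command output.

```python
"""Check a VLAN interface from 'show ipv6 interface brief' output against the
intended IPv6 configuration. Added example, not Cisco code; SAMPLE_OUTPUT is a
constructed capture in the format IOS XE prints (interface, [admin/line], then
one address per indented line)."""
import ipaddress
import re

SAMPLE_OUTPUT = """\
Vlan1                  [administratively down/down]
    unassigned
Vlan89                 [up/up]
    FE80::1
    1:1:1:1::1
GigabitEthernet2       [up/up]
    unassigned
"""

INTERFACE_LINE = re.compile(r"(\S+)\s+\[([^/]+)/([^\]]+)\]")


def parse_ipv6_interface_brief(text):
    """Return {interface: {"admin": str, "line": str, "addresses": [IPv6Address, ...]}}."""
    interfaces = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            match = INTERFACE_LINE.match(line)
            if not match:
                continue  # tolerate headers or unrelated lines
            current = match.group(1)
            interfaces[current] = {
                "admin": match.group(2).strip(),
                "line": match.group(3).strip(),
                "addresses": [],
            }
        elif current is not None:
            addr = line.strip()
            if addr.lower() != "unassigned":
                interfaces[current]["addresses"].append(ipaddress.IPv6Address(addr))
    return interfaces


def check_interface(interfaces, name, expected_cidr, gateway=None):
    """Return a list of problems; an empty list means the interface matches the intent.

    Checks: interface present, admin/line state up/up, the configured global address
    present, a link-local address present (evidence that 'ipv6 enable' took effect),
    and, if given, that the gateway to be pinged lies inside the configured prefix."""
    problems = []
    intf = interfaces.get(name)
    if intf is None:
        return [f"{name}: not present in output"]
    if (intf["admin"], intf["line"]) != ("up", "up"):
        problems.append(f"{name}: state is {intf['admin']}/{intf['line']}, expected up/up")
    expected = ipaddress.IPv6Interface(expected_cidr)
    if expected.ip not in intf["addresses"]:
        problems.append(f"{name}: address {expected.ip} not configured")
    if not any(a.is_link_local for a in intf["addresses"]):
        problems.append(f"{name}: no link-local address (ipv6 enable missing?)")
    if gateway is not None and ipaddress.IPv6Address(gateway) not in expected.network:
        problems.append(f"{name}: gateway {gateway} is outside {expected.network}")
    return problems


if __name__ == "__main__":
    parsed = parse_ipv6_interface_brief(SAMPLE_OUTPUT)
    for problem in check_interface(parsed, "Vlan89", "1:1:1:1::1/64", gateway="1:1:1:1::10"):
        print(problem)
```

The gateway check catches the common case where the ping in Step 10 fails not because of connectivity but because the address and the gateway were put in different prefixes.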

CHAPTER 142

IPv6 CAPWAP UDP Lite Support

· Information About UDP Lite, on page 1365
· Enabling UDP Lite Support, on page 1365
· Verifying UDP Lite Support Configuration, on page 1366
Information About UDP Lite
The UDP Lite Support feature, an enhancement to the existing IPv6 functionality, supports the UDP Lite protocol. This feature applies only to the IPv6 addresses of the controller and APs. IPv6 mandates a complete payload checksum for UDP. The UDP Lite Support feature minimises the performance impact on the controller and AP by restricting the checksum calculation coverage to the 8-byte UDP Lite header only. Because UDP Lite is a distinct IP protocol (protocol ID 136), intermediate firewalls must be configured to allow UDP Lite packets. Existing firewalls might not provide the option to open specific ports for the UDP Lite protocol; in such cases, the administrator must open all the ports on UDP Lite.
Restrictions for UDP Lite Support

· Mobility IPv6 tunnels do not support the UDP Lite Support feature.
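The two consequences described above, that only the 8-byte header is checksum-protected and that firewalls see IP protocol 136 rather than UDP, are easy to see in a packet. The following Python is an added example, not Cisco code: it builds a UDP Lite datagram over IPv6 with the checksum coverage set to 8, shows that a corrupted payload byte still passes the transport checksum while a corrupted header byte does not, and models a filter entry that permits UDP to port 5247 (the IANA CAPWAP data port) failing to match the same packet carried over UDP Lite. The addresses and payload are constructed; the pseudo-header follows RFC 3828, which reuses the IPv6 UDP pseudo-header with the full datagram length and next header 136.

```python
"""UDP-Lite checksum coverage over IPv6 and its effect on L4 filtering.
Added example, not Cisco code. Addresses, ports (other than CAPWAP data 5247)
and payloads are constructed."""
import ipaddress
import struct

UDPLITE_PROTO = 136   # IP protocol number for UDP-Lite (RFC 3828)
UDP_PROTO = 17        # plain UDP, what a "permit udp ... eq 5247" style rule matches
CAPWAP_DATA_PORT = 5247


def internet_checksum(data: bytes) -> int:
    """One's complement sum of 16-bit words, folded to 16 bits (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ipv6_pseudo_header(src: str, dst: str, upper_len: int, next_header: int) -> bytes:
    """IPv6 pseudo-header: source, destination, upper-layer length, 3 zero bytes, next header."""
    return (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
            + struct.pack("!I", upper_len) + b"\x00\x00\x00" + bytes([next_header]))


def udplite_checksum(src: str, dst: str, datagram: bytes, coverage: int) -> int:
    """Checksum over the pseudo-header plus the first `coverage` bytes of the datagram.

    The checksum field (bytes 6-7) is treated as zero; the pseudo-header carries the
    full datagram length while only the covered prefix of the datagram is summed."""
    zeroed = datagram[:6] + b"\x00\x00" + datagram[8:]
    covered = ipv6_pseudo_header(src, dst, len(datagram), UDPLITE_PROTO) + zeroed[:coverage]
    csum = (~internet_checksum(covered)) & 0xFFFF
    return csum or 0xFFFF   # a computed zero is transmitted as all ones


def build_udplite(src, dst, sport, dport, payload: bytes, coverage: int = 8) -> bytes:
    """Header layout: source port, destination port, checksum coverage, checksum (16 bits each)."""
    datagram = struct.pack("!HHHH", sport, dport, coverage, 0) + payload
    effective = coverage or len(datagram)       # coverage 0 means "whole datagram"
    csum = udplite_checksum(src, dst, datagram, effective)
    return datagram[:6] + struct.pack("!H", csum) + payload


def verify_udplite(src, dst, datagram: bytes) -> bool:
    """Receiver-side check: sane coverage value and matching checksum over the covered bytes."""
    if len(datagram) < 8:
        return False
    _, _, coverage, csum = struct.unpack("!HHHH", datagram[:8])
    if coverage == 0:
        coverage = len(datagram)
    if coverage < 8 or coverage > len(datagram):
        return False
    return csum == udplite_checksum(src, dst, datagram, coverage)


def rule_matches(rule: dict, ip_proto: int, dport: int) -> bool:
    """Minimal model of a stateless filter entry: IP protocol plus an optional destination port."""
    return rule["proto"] == ip_proto and rule.get("dport") in (None, dport)


def demo() -> dict:
    src, dst = "2001:db8::a1", "2001:db8::c1"     # constructed AP and controller addresses
    pkt = build_udplite(src, dst, 40000, CAPWAP_DATA_PORT, b"encrypted CAPWAP data", coverage=8)
    corrupt_payload = pkt[:8] + bytes([pkt[8] ^ 0xFF]) + pkt[9:]
    corrupt_header = bytes([pkt[0] ^ 0x01]) + pkt[1:]
    return {
        "intact_ok": verify_udplite(src, dst, pkt),                     # True
        "payload_flip_ok": verify_udplite(src, dst, corrupt_payload),   # True: bytes past coverage are unprotected
        "header_flip_ok": verify_udplite(src, dst, corrupt_header),     # False: the header is covered
        "udp_rule_hits": rule_matches({"proto": UDP_PROTO, "dport": CAPWAP_DATA_PORT},
                                      UDPLITE_PROTO, CAPWAP_DATA_PORT),  # False: wrong IP protocol
        "udplite_rule_hits": rule_matches({"proto": UDPLITE_PROTO},
                                          UDPLITE_PROTO, CAPWAP_DATA_PORT),  # True
    }
```

The payload result is the point of the feature: with coverage 8 the transport checksum says nothing about the CAPWAP payload, so integrity of the data has to come from DTLS on the CAPWAP tunnel, and a firewall that only has a UDP port rule needs a separate entry for protocol 136.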

Enabling UDP Lite Support

The following procedure describes the steps involved in enabling UDP Lite for an AP profile.

Procedure

Step 1
Command or Action: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: ap profile ap-profile
Example: Device(config)# ap profile default-ap-profile
Purpose: Configures an AP profile and enters AP profile configuration mode.

Step 3
Command or Action: capwap udplite
Example: Device(config-ap-profile)# capwap udplite
Purpose: Enables IPv6 CAPWAP UDP Lite on the AP.
Note: The following message is displayed after the configuration:
This feature is supported only for IPv6 data packets, APs will be rebooted.

Step 4
Command or Action: end
Example: Device(config-ap-profile)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Verifying UDP Lite Support Configuration

To verify the CAPWAP UDP Lite status, use the following command:

Device# show ap profile name default-ap-profile detailed
CAPWAP UDP-Lite                 : ENABLED
Lawful-Interception             : ENABLED
LI timer                        : 60
AWIPS                           : DISABLED
AWIPS Forensic                  : Unknown
Client RSSI Statistics
  Reporting                     : ENABLED
  Reporting Interval            : 30 seconds

CHAPTER 143

Neighbor Discovery Proxy

· Information About Neighbor Discovery, on page 1367
· Configure Neighbor Discovery Proxy (CLI), on page 1367
· Configure Duplicate Address Detection Proxy (CLI), on page 1368
Information About Neighbor Discovery
In IPv6 networks, Neighbor Discovery Protocol (NDP) uses ICMPv6 messages and solicited-node multicast addresses to track and discover the other IPv6 hosts present on the other side of connected interfaces. As part of this process, a host queries for other node link-layer addresses to verify neighbor reachability using Neighbor Solicitation (NS) messages. In response to the NS messages, a Neighbor Advertisement (NA) is sent to provide information to neighbors.
Configure Neighbor Discovery Proxy (CLI)
Neighbor Discovery (ND) Proxy is the ability of the controller to respond to the Neighbor Solicitation packet destined for wireless clients. During Neighbor Discovery suppression, the controller checks if proxy is enabled for the destined wireless clients. If proxy is enabled, the controller drops the Neighbor Solicitation packet and generates a response to the Neighbor Solicitation source in such a way that the packet appears to be coming from a wireless client. This helps in limiting the traffic to the wireless clients. If Neighbor Discovery Proxy is not enabled, the multicast Neighbor Solicitation is converted into unicast Neighbor Solicitation with the MAC address of the target client and is forwarded to that client.

Note

· Neighbor Discovery proxy is applicable only in central switching mode.

· A controller does not proxy the Neighbor Solicitation packet if the destination address is not that of a wireless client.


Procedure

Step 1
Command or Action: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wireless profile policy policy-profile-name
Example: Device(config)# wireless profile policy policy-profile1
Purpose: Configures a WLAN policy profile and enters wireless policy configuration mode.

Step 3
Command or Action: ipv6 nd proxy full-proxy
Example: Device(config-wireless-policy)# ipv6 nd proxy full-proxy
Purpose: Enables ND proxy.

Configure Duplicate Address Detection Proxy (CLI)
The IPv6 Duplicate Address Detection (DAD) feature ensures that all the IP addresses assigned on a particular segment are unique. A proxy is required to ensure that multicast and unicast packets are not sent towards the wireless device for which it is enabled.
DAD verifies whether the host address is unique. The IPv6 DAD Proxy feature responds on behalf of the address owner when an address is in use.
However, in a scenario where nodes are restricted from talking to each other at Layer 2, DAD cannot detect a duplicate address. If DAD proxy is disabled, the multicast packet is converted into unicast and is sent to the target client.

Note

· DAD proxy is applicable only in central switching mode.

· A controller does not proxy the DAD NS packet if the destination address is not that of a wireless client.

Procedure

Step 1
Command or Action: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wireless profile policy policy-profile-name
Example: Device(config)# wireless profile policy policy-profile1
Purpose: Configures a WLAN policy profile and enters wireless policy configuration mode.

Step 3
Command or Action: ipv6 nd proxy dad-proxy
Example: Device(config-wireless-policy)# ipv6 nd proxy dad-proxy
Purpose: Enables DAD proxy.
Note: Full proxy configuration is a superset of ND proxy and DAD proxy configuration. Hence, you can also use the ipv6 nd proxy full-proxy command to enable DAD proxy.

CHAPTER 144

Address Resolution Protocol Proxy

· Information About Address Resolution Protocol, on page 1371
· Configure Address Resolution Protocol Proxy (CLI), on page 1371
Information About Address Resolution Protocol
The address resolution protocol (ARP) is a protocol used by the Internet Protocol (IP) [RFC826], specifically IPv4, to map IP network addresses to the hardware addresses used by a data link protocol. When a wireless client sends an ARP request for an IP address of interest, the controller performs a search for that address in its database. If an entry is found in the controller database, then the ARP is converted to unicast and forwarded to that particular client. If there is no entry in the controller's database, the ARP request is flooded out to the VLAN wired ports.
Configure Address Resolution Protocol Proxy (CLI)
ARP Proxy is the ability of the controller to respond to ARP request packets destined for wireless clients. During broadcast suppression, the controller checks whether proxy is enabled for the destined wireless client. If proxy is enabled, the controller drops the ARP request packet and generates a response to the source of the ARP request in such a way that the packet appears to be coming from the wireless client. This helps in limiting the traffic to the wireless clients. If ARP Proxy is not enabled, the broadcast ARP request is converted into a unicast ARP request with the MAC address of the target client and is forwarded to only that client.

Note

· Proxy ARP is applicable only in central switching mode.

· A device will not proxy the ARP request if the destination address is not that of a wireless client.

Procedure

Step 1
Command or Action: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wireless profile policy policy-profile-name
Example: Device(config)# wireless profile policy policy-profile1
Purpose: Configures a WLAN policy profile and enters wireless policy configuration mode.

Step 3
Command or Action: ipv4 arp-proxy
Example: Device(config-wireless-policy)# ipv4 arp-proxy
Purpose: Enables ARP proxy.

PART XII

CleanAir

· Cisco CleanAir, on page 1375
· Bluetooth Low Energy, on page 1391
· Persistent Device Avoidance, on page 1395
· Spectrum Intelligence, on page 1399
· Spectrum Analysis, on page 1403

CHAPTER 145

Cisco CleanAir

· Information About Cisco CleanAir, on page 1375
· Prerequisites for CleanAir, on page 1378
· Restrictions for CleanAir, on page 1379
· How to Configure CleanAir, on page 1379
· Verifying CleanAir Parameters, on page 1387
· Configuration Examples for CleanAir, on page 1388
· CleanAir FAQs, on page 1389
Information About Cisco CleanAir
Cisco CleanAir is a solution designed to proactively manage the challenges of a shared wireless spectrum. It allows you to see all the users of a shared spectrum (both native devices and foreign interferers). It also enables the network to act upon this information. For example, you can manually remove the interfering device, or the system can automatically change the channel away from the interference. CleanAir provides spectrum management and Radio Frequency (RF) visibility.

A Cisco CleanAir system consists of CleanAir-enabled access points and the Cisco Catalyst 9800 Series Wireless Controller. These access points collect information about all the devices that operate in the industrial, scientific, and medical (ISM) bands, identify and evaluate the information as a potential interference source, and forward it to the controller. The controller controls the access points and displays the interference devices.

For every device operating in the unlicensed band, Cisco CleanAir provides information about what it is, how it is impacting your wireless network, and what actions you or your network should take. It simplifies RF so that you do not have to be an RF expert.

Wireless LAN systems operate in the unlicensed 2.4-GHz and 5-GHz ISM bands. Many devices, such as microwave ovens, cordless phones, and Bluetooth devices, also operate in these bands and can negatively affect Wi-Fi operations. Some of the most advanced WLAN services, such as voice-over-wireless and IEEE 802.11 radio communications, might be significantly impaired by the interference caused by other legal users of the ISM bands. The integration of Cisco CleanAir functionality addresses this problem of RF interference.
Cisco CleanAir-Related Terms

Table 72: CleanAir-Related Terms

Term: AQI
Description: Air Quality Index. The AQI is an indicator of air quality, based on the air pollutants. An AQI of 0 is bad and an AQI > 85 is good.

Term: AQR
Description: Air Quality Report. AQRs contain information about total interference from all the identified sources, represented by the AQI, and a summary of the most severe interference categories. AQRs are sent every 15 minutes to the Mobility Controller and every 30 seconds in Rapid mode.

Term: DC
Description: Duty Cycle. Percentage of time that the channel is utilized by a device.

Term: EDRRM
Description: Event-Driven RRM. EDRRM allows an access point in distress to bypass normal RRM intervals and immediately change channels.

Term: IDR
Description: Interference Device Reports that an access point sends to the controller.

Term: ISI
Description: Interference Severity Index. The ISI is an indicator of the severity of the interference.

Term: RSSI
Description: Received Signal Strength Indicator. RSSI is a measurement of the power present in a received radio signal. It is the power at which an access point sees the interferer device.

Cisco CleanAir Components
The basic Cisco CleanAir architecture consists of Cisco CleanAir-enabled APs and device.
Figure 38: Cisco CleanAir Solution

An access point equipped with Cisco CleanAir technology collects information about Wi-Fi interference sources and processes it. The access point collects and sends the Air Quality Report (AQR) and Interference Device Report (IDR) to the controller. The controller controls and configures CleanAir-capable access points, and collects and processes spectrum data. The controller provides local user interfaces (GUI and CLI) to configure basic CleanAir features and services and to display current spectrum information. The controller also detects, merges, and mitigates interference devices using RRM TPC and DCA. For details, see Interference Device Merging.

The device performs the following tasks in a Cisco CleanAir system:
· Configures Cisco CleanAir capabilities on the access point.
· Provides interfaces (GUI and CLI) for configuring Cisco CleanAir features and retrieving data.
· Displays spectrum data.
· Collects and processes AQRs from the access point and stores them in the air quality database. AQRs contain information about the total interference from all the identified sources, represented by the Air Quality Index (AQI), and a summary of the most severe interference categories. The CleanAir system can also include unclassified interference information under per-interference-type reports, which enables you to take action in scenarios where interference from unclassified interfering devices is significant.
· Collects and processes IDRs from the access point and stores them in the interference device database.

Note: When Cisco CleanAir is disabled and Spectrum Intelligence (SI) is enabled in the controller, both CleanAir and Air Quality reporting are disabled. In spite of this, Air Quality is still populated for SI APs and shown as disabled when the show ap dot11 5ghz/24ghz cleanair config command is executed. This is expected behaviour, as SI APs report Air Quality. Here, Spectrum Intelligence is a subset of the CleanAir features. For more information on Spectrum Intelligence, see the Spectrum Intelligence Deployment Guide.
Interference Types that Cisco CleanAir can Detect
Cisco CleanAir access points can detect and report the severity of the interference. Spectrum event-driven RRM is one such mitigation strategy. Wi-Fi chip-based RF management systems share these characteristics:
· Any RF energy that cannot be identified as a Wi-Fi signal is reported as noise.
· Noise measurements that are used to assign a channel plan tend to be averaged over a period of time to avoid instability or rapid changes that can be disruptive to certain client devices.
· Averaging measurements reduces the resolution of the measurement. As such, a signal that disrupts clients might not look like it needs to be mitigated after averaging.
· All RF management systems available today are reactive in nature.
Cisco CleanAir is different and can positively identify not only the source of the noise but also its potential impact on a WLAN. Having this information allows you to consider the noise within the context of the network and make intelligent and, where possible, proactive decisions. Spontaneous interference events are a common use case for CleanAir.
Note Spectrum event-driven RRM can be triggered only by Cisco CleanAir-enabled access points in local mode.
Spontaneous interference is interference that appears suddenly on a network, perhaps jamming a channel or a range of channels completely. The Cisco CleanAir spectrum event-driven RRM feature allows you to set a threshold for air quality (AQ) which, if exceeded, triggers an immediate channel change for the affected access point. Most RF management systems can avoid interference, but this information takes time to propagate through the system. Cisco CleanAir relies on AQ measurements to continuously evaluate the spectrum and can trigger a move within 30 seconds. For example, if an access point detects interference from a video camera, it can recover by changing channels within 30 seconds of the camera becoming active. Cisco CleanAir also identifies and locates the source of interference so that more permanent mitigation of the device can be performed at a later time.
Microwave ovens and outdoor Ethernet bridges are two classes of devices that qualify as persistent: once detected, it is likely that these devices will continue to be a random problem and are not likely to move. For these types of devices, CleanAir can tell RRM of the detection and bias the affected channel so that RRM "remembers" that there is a high potential for client-impacting interference for the detecting AP on the detected channel. For more information, see https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-3/b_RRM_White_Paper/b_RRM_White_Paper_chapter_0100.html?bookSearch=true#id_15217.
CleanAir PDA devices include:
· Microwave Oven
· WiMax Fixed
· WiMax Mobile
· Motorola Canopy
In the case of Bluetooth devices, Cisco CleanAir-enabled access points can detect and report interference only if the devices are actively transmitting. Bluetooth devices have extensive power-save modes. For example, interference can be detected when data or voice is being streamed between the connected devices.
EDRRM and AQR Update Mode
EDRRM is a feature that allows an access point that is in distress to bypass normal RRM intervals and immediately change channels. A CleanAir access point always monitors AQ and reports the AQ every 15 minutes. AQ reports only classified interference devices. The key benefit of EDRRM is fast action time. If an interfering device is operating on an active channel and causes enough AQ degradation to trigger an EDRRM, then no clients will be able to use that channel or the access point; you must move the access point off the channel. EDRRM is not enabled by default: you must first enable CleanAir and then enable EDRRM.
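The contrast drawn above, between averaged noise measurements that hide a short but severe event and per-report AQ evaluation that reacts to it, together with the channel bias kept for persistent devices, can be shown with a few constructed reports. The following Python is an added example, not Cisco code: it runs a constructed series of AQRs through a per-report EDRRM check and through a sliding-window average, and derives the (AP, channel) pairs RRM should remember from constructed IDRs using the persistent device classes listed above. The AQI threshold and the averaging window are constructed values; the real controller exposes EDRRM as sensitivity levels rather than a raw AQI number.

```python
"""Per-report EDRRM evaluation versus averaged noise, plus persistent-device
channel bias. Added example, not Cisco code; the AQR series, the IDRs, the
threshold and the window length are constructed."""
from statistics import mean

# Constructed AQRs for one radio as (minute, AQI). On the page's scale AQI 0 is bad
# and AQI above 85 is good; reports arrive every 15 minutes in normal mode.
AQR_SERIES = [(0, 97), (15, 96), (30, 98), (45, 22), (60, 24), (75, 95), (90, 97)]

EDRRM_AQ_THRESHOLD = 50   # constructed trigger level, not a device default

# Device classes the page lists as persistent (PDA) interferers.
PERSISTENT_DEVICE_TYPES = {"Microwave Oven", "WiMax Fixed", "WiMax Mobile", "Motorola Canopy"}


def edrrm_triggers(series, threshold=EDRRM_AQ_THRESHOLD):
    """Per-report evaluation: any single AQR below the threshold triggers a channel change."""
    return [minute for minute, aqi in series if aqi < threshold]


def averaged_triggers(series, threshold=EDRRM_AQ_THRESHOLD, window=4):
    """The same data seen through a sliding-window average, as noise-averaging RF management would."""
    triggers = []
    for i in range(len(series)):
        window_aqi = [aqi for _, aqi in series[max(0, i - window + 1): i + 1]]
        if mean(window_aqi) < threshold:
            triggers.append(series[i][0])
    return triggers


def persistent_channel_bias(idrs):
    """From IDRs (ap, channel, device type) return the (ap, channel) pairs RRM should remember."""
    return {(ap, channel) for ap, channel, device in idrs if device in PERSISTENT_DEVICE_TYPES}


def demo() -> dict:
    idrs = [   # constructed Interference Device Reports
        ("ap-lobby", 6, "Microwave Oven"),
        ("ap-lobby", 11, "Video Camera"),
        ("ap-roof", 149, "WiMax Fixed"),
    ]
    return {
        "per_report": edrrm_triggers(AQR_SERIES),    # [45, 60]
        "averaged": averaged_triggers(AQR_SERIES),   # []: the 30-minute event never crosses the line
        "bias": persistent_channel_bias(idrs),       # {("ap-lobby", 6), ("ap-roof", 149)}
    }
```

With a four-report window the two bad reports are diluted by the good ones around them and the averaged view never triggers, which is the resolution loss the bullet list describes; the per-report check fires on the first bad AQR. The video camera is deliberately left out of the bias set because the page does not list it as persistent.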
Prerequisites for CleanAir
You can configure Cisco CleanAir only on CleanAir-enabled access points.
Only Cisco CleanAir-enabled access points using the following access point modes can perform Cisco CleanAir spectrum monitoring:
· Local--In this mode, each Cisco CleanAir-enabled access point radio provides air quality and interference detection reports for the current operating channel only. An AP can only measure air quality and interference when the AP is not busy transmitting Wi-Fi frames. This implies that CleanAir detections will be drastically lower if the AP has high channel utilization.
· FlexConnect--When a FlexConnect access point is connected to the controller , its Cisco CleanAir functionality is identical to local mode.


· Monitor--When Cisco CleanAir is enabled in monitor mode, the access point provides air quality and interference detection reports for all monitored channels. The following options are available:
  · All--All channels
  · DCA--Channel selection governed by the DCA list
  · Country--All channels that are legal within a regulatory domain

Restrictions for CleanAir
· Access points in monitor mode do not transmit Wi-Fi traffic or 802.11 packets. They are excluded from radio resource management (RRM) planning and are not included in the neighbor access point list. IDR clustering depends on the device's ability to detect neighboring in-network access points. Correlating interference device detections from multiple access points is limited between monitor-mode access points.
· For the 4800 AP, slot 1 (5 GHz) is dedicated and cannot be individually moved to monitor mode. Slot 0 is XOR and can be moved to monitor mode as well as to 2.4 or 5 GHz. Slot 2 is a dedicated monitor radio that operates in 5 GHz; in AP monitor mode, slot 2 is disabled because a monitor radio is already available in both 2.4 and 5 GHz. The 3700 AP has a dedicated 2.4-GHz radio (slot 0) and a dedicated 5-GHz radio (slot 1).
· Do not connect access points in SE connect mode directly to any physical port on the controller.
· CleanAir is not supported when the channel width is 160 MHz.

How to Configure CleanAir

Enabling CleanAir for the 2.4-GHz Band (GUI)

Procedure

Step 1 Choose Configuration > Radio Configurations > CleanAir.
Step 2 On the CleanAir page, click the 2.4 GHz Band > General tab.
Step 3 Check the Enable CleanAir checkbox.
Step 4 Click Apply.


Enabling CleanAir for the 2.4-GHz Band (CLI)

Procedure

Step 1
Command or Action: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: ap dot11 24ghz cleanair
Example:
Device(config)# ap dot11 24ghz cleanair
Device(config)# no ap dot11 24ghz cleanair
Purpose: Enables the CleanAir feature on the 802.11b network. Run the no form of this command to disable CleanAir on the 802.11b network.

Step 3
Command or Action: end
Example: Device(config)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Configuring Interference Reporting for a 2.4-GHz Device (GUI)

Procedure

Step 1 Choose Configuration > Radio Configurations > CleanAir.
Step 2 Click the 2.4 GHz Band tab.
Step 3 Choose the interference types and add them to the Interference Types to detect section. The following interference types are available:
· BLE Beacon--Bluetooth low energy beacon
· Bluetooth Discovery
· Bluetooth Link
· Canopy
· Continuous Transmitter
· DECT-like Phone--Digital Enhanced Cordless Technology phone
· 802.11 FH--802.11 frequency hopping device
· WiFi Inverted--Device using spectrally inverted Wi-Fi signals
· Jammer
· Microwave Oven
· WiFi Invalid Channel--Device using nonstandard Wi-Fi channels
· TDD Transmitter
· Video Camera
· SuperAG--802.11 SuperAG device
· WiMax Mobile
· WiMax Fixed
· 802.15.4
· Microsoft Device
· SI_FHSS
Step 4 Click Apply.

Configuring Interference Reporting for a 2.4-GHz Device (CLI)

Procedure

Step 1
Command or Action: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: ap dot11 24ghz cleanair device {ble-beacon | bt-discovery | bt-link | canopy | cont-tx | dect-like | fh | inv | jammer | mw-oven | nonstd | report | superag | tdd-tx | video | wimax-fixed | wimax-mobile | xbox | zigbee}
Example:
Device(config)# ap dot11 24ghz cleanair device ble-beacon
Device(config)# ap dot11 24ghz cleanair device bt-discovery
Device(config)# ap dot11 24ghz cleanair device bt-link
Device(config)# ap dot11 24ghz cleanair device canopy
Device(config)# ap dot11 24ghz cleanair device cont-tx
Device(config)# ap dot11 24ghz cleanair device dect-like
Device(config)# ap dot11 24ghz cleanair device fh
Device(config)# ap dot11 24ghz cleanair device inv
Device(config)# ap dot11 24ghz cleanair device jammer
Device(config)# ap dot11 24ghz cleanair device mw-oven
Device(config)# ap dot11 24ghz cleanair device nonstd
Device(config)# ap dot11 24ghz cleanair device report
Device(config)# ap dot11 24ghz cleanair device superag
Device(config)# ap dot11 24ghz cleanair device tdd-tx
Device(config)# ap dot11 24ghz cleanair device video
Device(config)# ap dot11 24ghz cleanair device wimax-fixed
Device(config)# ap dot11 24ghz cleanair device wimax-mobile
Device(config)# ap dot11 24ghz cleanair device xbox
Device(config)# ap dot11 24ghz cleanair device zigbee
Device(config)# ap dot11 24ghz cleanair device alarm
Purpose: Configures the 2.4-GHz interference devices to report to the device. Run the no form of this command to disable the configuration.
The following is a list of the keyword descriptions:
· ble-beacon--Bluetooth low energy beacon
· bt-discovery--Bluetooth discovery
· bt-link--Bluetooth link
· canopy--Canopy device
· cont-tx--Continuous transmitter
· dect-like--Digital Enhanced Cordless Communication-like phone
· fh--802.11 frequency hopping device
· inv--Device using spectrally inverted Wi-Fi signals
· jammer--Jammer
· mw-oven--Microwave oven
· nonstd--Device using nonstandard Wi-Fi channels
· report--Interference device reporting
· superag--802.11 SuperAG device
· tdd-tx--TDD transmitter
· video--Video camera
· wimax-fixed--WiMax Fixed
· wimax-mobile--WiMax Mobile
· xbox--Microsoft Xbox device
· zigbee--802.15.4 device

Step 3
Command or Action: end
Example: Device(config)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Enabling CleanAir for the 5-GHz Band (GUI)

Procedure

Step 1 Choose Configuration > Radio Configurations > CleanAir.
Step 2 On the CleanAir page, click the 5 GHz Band > General tab.
Step 3 Check the Enable CleanAir checkbox.
Step 4 Click Apply.

Enabling CleanAir for the 5-GHz Band (CLI)

Procedure

Step 1
Command or Action: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: ap dot11 5ghz cleanair
Example:
Device(config)# ap dot11 5ghz cleanair
Device(config)# no ap dot11 5ghz cleanair
Purpose: Enables the CleanAir feature on the 802.11a network. Run the no form of this command to disable CleanAir on the 802.11a network.

Step 3
Command or Action: end
Example: Device(config)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Configuring Interference Reporting for a 5-GHz Device (GUI)

Procedure

Step 1 Choose Configuration > Radio Configurations > CleanAir.
Step 2 Click the 5 GHz Band tab.
Step 3 Choose the interference types and add them to the Interference Types to detect section. The following interference types are available:
· Canopy
· Continuous Transmitter
· DECT-like Phone--Digital Enhanced Cordless Technology phone
· 802.11 FH--802.11 frequency hopping device
· WiFi Inverted--Device using spectrally inverted Wi-Fi signals
· Jammer
· WiFi Invalid Channel--Device using nonstandard Wi-Fi channels
· SuperAG--802.11 SuperAG device
· TDD Transmitter
· WiMax Mobile
· WiMax Fixed
· Video Camera
Step 4 Click Apply.

Configuring Interference Reporting for a 5-GHz Device (CLI)

Procedure

Step 1
Command or Action
configure terminal
Example:
Device# configure terminal
Purpose
Enters global configuration mode.

Step 2
Command or Action
ap dot11 5ghz cleanair device {canopy | cont-tx | dect-like | inv | jammer | nonstd | report | superag | tdd-tx | video | wimax-fixed | wimax-mobile}
Example:
Device(config)#ap dot11 5ghz cleanair device canopy
Device(config)#ap dot11 5ghz cleanair device cont-tx
Device(config)#ap dot11 5ghz cleanair device dect-like
Device(config)#ap dot11 5ghz cleanair device inv
Device(config)#ap dot11 5ghz cleanair device jammer
Device(config)#ap dot11 5ghz cleanair device nonstd
Device(config)#ap dot11 5ghz cleanair device report
Device(config)#ap dot11 5ghz cleanair device superag
Device(config)#ap dot11 5ghz cleanair device tdd-tx
Device(config)#ap dot11 5ghz cleanair device video
Device(config)#ap dot11 5ghz cleanair device wimax-fixed
Device(config)#ap dot11 5ghz cleanair device wimax-mobile
Device(config)#ap dot11 5ghz cleanair device si_fhss
Device(config)#ap dot11 5ghz cleanair device alarm
Purpose
Configures a 5-GHz interference device to report to the device. Run the no form of this command to disable interference device reporting.
The following is a list of the keyword descriptions:
· canopy--Canopy device
· cont-tx--Continuous transmitter
· dect-like--Digital Enhanced Cordless Communication-like phone
· fh--802.11-frequency hopping device
· inv--Device using spectrally-inverted Wi-Fi signals
· jammer--Jammer
· nonstd--Device using nonstandard Wi-Fi channels
· superag--802.11 SuperAG device
· tdd-tx--TDD transmitter
· video--Video camera
· wimax-fixed--WiMax fixed
· wimax-mobile--WiMax mobile

Step 3
Command or Action
end
Example:
Device(config)# end
Purpose
Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Configuring Event Driven RRM for a CleanAir Event (GUI)
Procedure

Step 1 Choose Configuration > Radio Configurations > RRM. The Radio Resource Management page is displayed.
Step 2 Click the DCA tab.
Step 3 In the Event Driven RRM section, check the EDRRM check box to run RRM when a CleanAir-enabled AP detects a significant level of interference.
Step 4 Configure the Sensitivity Threshold level at which RRM has to be invoked from the following options:
· Low: Represents a decreased sensitivity to changes in the environment; its value is set at 35.
· Medium: Represents medium sensitivity to changes in the environment; its value is set at 50.
· High: Represents increased sensitivity to changes in the environment; its value is set at 60.
· Custom: If you choose this option, you must specify a custom value in the Custom Threshold box.
Step 5 To configure rogue duty cycle, check the Rogue Contribution check box and then specify the Rogue Duty-Cycle in terms of percentage. The default value of rogue duty cycle is 80 percent.

Note Rogue Contribution is a new component included in ED-RRM functionality. Rogue Contribution allows ED-RRM to trigger based on identified Rogue Channel Utilization, which is completely separate from CleanAir metrics. Rogue Duty Cycle comes from normal off-channel RRM metrics, and invokes a channel change based on neighboring rogue interference. Because this comes from RRM metrics and not CleanAir, the timing (assuming normal 180-second off-channel intervals) would be within 3 minutes, or 180 seconds worst case. It is configured separately from CleanAir ED-RRM and is disabled by default. This allows the AP to become reactive to Wi-Fi interference that is not coming from its own network and is measured at each individual AP.

Step 6 Save the configuration.

Configuring EDRRM for a CleanAir Event (CLI)

Procedure

Step 1
Command or Action
configure terminal
Example:
Device# configure terminal
Purpose
Enters global configuration mode.

Step 2
Command or Action
ap dot11 {24ghz | 5ghz} rrm channel cleanair-event
Example:
Device(config)#ap dot11 24ghz rrm channel cleanair-event
Device(config)#no ap dot11 24ghz rrm channel cleanair-event
Purpose
Enables EDRRM CleanAir event. Run the no form of this command to disable EDRRM.

Step 3
Command or Action
ap dot11 {24ghz | 5ghz} rrm channel cleanair-event [sensitivity {custom | high | low | medium}]
Example:
Device(config)#ap dot11 24ghz rrm channel cleanair-event sensitivity high
Purpose
Configures the EDRRM sensitivity of the CleanAir event. The following is a list of the keyword descriptions:
· Custom--Specifies custom sensitivity to non-Wi-Fi interference as indicated by the AQ value.
· High--Specifies the most sensitivity to non-Wi-Fi interference as indicated by the AQ value.
· Low--Specifies the least sensitivity to non-Wi-Fi interference as indicated by the AQ value.
· Medium--Specifies medium sensitivity to non-Wi-Fi interference as indicated by the AQ value.

Step 4
Command or Action
end
Example:
Device(config)# end
Purpose
Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.


Verifying CleanAir Parameters

You can verify CleanAir parameters using the following commands:
Table 73: Commands for verifying CleanAir

Command Name / Description
show ap dot11 24ghz cleanair device type all
    Displays all the CleanAir interferers for the 2.4-GHz band.
show ap dot11 24ghz cleanair device type ble-beacon
    Displays all the Bluetooth BLE beacons for the 2.4-GHz band.
show ap dot11 24ghz cleanair device type bt-discovery
    Displays CleanAir interferers of type BT Discovery for the 2.4-GHz band.
show ap dot11 24ghz cleanair device type bt-link
    Displays CleanAir interferers of type BT Link for the 2.4-GHz band.
show ap dot11 24ghz cleanair device type canopy
    Displays CleanAir interferers of type Canopy for the 2.4-GHz band.
show ap dot11 24ghz cleanair device type cont-tx
    Displays CleanAir interferers of type Continuous transmitter for the 2.4-GHz band.
show ap dot11 24ghz cleanair device type dect-like
    Displays CleanAir interferers of type DECT Like for the 2.4-GHz band.
show ap dot11 24ghz cleanair device type fh
    Displays CleanAir interferers of type 802.11FH for the 2.4-GHz band.
show ap dot11 24ghz cleanair device type inv
    Displays CleanAir interferers of type Wi-Fi Inverted for the 2.4-GHz band.
show ap dot11 24ghz cleanair device type jammer
    Displays CleanAir interferers of type Jammer for the 2.4-GHz band.
show ap dot11 24ghz cleanair device type mw-oven
    Displays CleanAir interferers of type MW Oven for the 2.4-GHz band.
show ap dot11 24ghz cleanair device type nonstd
    Displays CleanAir interferers of type Wi-Fi inverted channel for the 2.4-GHz band.
show ap dot11 24ghz cleanair device type superag
    Displays CleanAir interferers of type SuperAG for the 2.4-GHz band.
show ap dot11 24ghz cleanair device type tdd-tx
    Displays CleanAir interferers of type TDD Transmit for the 2.4-GHz band.
show ap dot11 24ghz cleanair device type video
    Displays CleanAir interferers of type Video Camera for the 2.4-GHz band.
show ap dot11 24ghz cleanair device type wimax-fixed
    Displays CleanAir interferers of type WiMax Fixed for the 2.4-GHz band.

Monitoring Interference Devices
When a CleanAir-enabled access point detects interference devices, detections of the same device from multiple sensors are merged together to create clusters. Each cluster is given a unique ID. Some devices conserve power by limiting the transmit time until actually needed, which causes the spectrum sensor to stop detecting the device temporarily. This device is then correctly marked as down, and is correctly removed from the spectrum database. In cases when all the interferer detections for a specific device are reported, the cluster ID is kept alive for an extended period of time to prevent possible device-detection bouncing. If the same device is detected again, it is merged with the original cluster ID and the device-detection history is preserved.
For example, some Bluetooth headsets operate on battery power. These devices employ methods to reduce power consumption, such as turning off the transmitter when not actually needed. Such devices can appear to come and go from the classification. To manage these devices, CleanAir keeps the cluster IDs for longer and they are remerged into a single record upon detection. This process smooths the user records and accurately represents the device history.
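The clustering, down-marking and cluster-ID hold behaviour described above, modelled as an added illustration; this is not Cisco's implementation, and the timer values, AP names and RF-neighbor map are assumptions chosen for the example.

```python
"""Simplified model of the CleanAir interferer clustering described above.

Added illustration only; it is not Cisco's implementation. The hold timers,
AP names and RF-neighbor map below are assumptions chosen for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Cluster:
    """One interference device as seen by one or more sensors (APs)."""
    cluster_id: int
    dev_type: str
    sensors: Set[str] = field(default_factory=set)  # APs that reported it
    first_seen: float = 0.0
    last_seen: float = 0.0
    detections: int = 0


class ClusterTracker:
    """Merge detections into clusters and keep silent clusters alive for a while.

    down_after:   seconds of silence after which the device is marked down.
    hold_seconds: seconds of silence after which the cluster ID is discarded;
                  until then a re-detection re-uses the ID and its history.
    neighbors:    AP name -> set of RF-neighbor AP names. Only RF neighbors
                  merge their detections (see the CleanAir FAQ).
    """

    def __init__(self, down_after: float, hold_seconds: float,
                 neighbors: Dict[str, Set[str]]) -> None:
        self.down_after = down_after
        self.hold = hold_seconds
        self.neighbors = neighbors
        self.clusters: Dict[int, Cluster] = {}
        self._next_id = 1

    def _rf_neighbor(self, ap: str, other: str) -> bool:
        return (other in self.neighbors.get(ap, set())
                or ap in self.neighbors.get(other, set()))

    def _find(self, dev_type: str, ap: str, now: float) -> Optional[Cluster]:
        """Find a held cluster of the same type seen by this AP or an RF neighbor."""
        for c in self.clusters.values():
            if c.dev_type != dev_type or now - c.last_seen > self.hold:
                continue
            if ap in c.sensors or any(self._rf_neighbor(ap, s) for s in c.sensors):
                return c
        return None

    def report(self, ap: str, dev_type: str, now: float) -> int:
        """Record one detection and return the cluster ID it was merged into."""
        c = self._find(dev_type, ap, now)
        if c is None:
            c = Cluster(self._next_id, dev_type, first_seen=now)
            self.clusters[c.cluster_id] = c
            self._next_id += 1
        c.sensors.add(ap)
        c.last_seen = now
        c.detections += 1
        return c.cluster_id

    def status(self, cluster_id: int, now: float) -> str:
        """'up', 'down' (silent but ID still held) or 'expired'."""
        silent = now - self.clusters[cluster_id].last_seen
        if silent <= self.down_after:
            return "up"
        return "down" if silent <= self.hold else "expired"

    def expire(self, now: float) -> List[int]:
        """Remove clusters silent longer than the hold period; return their IDs."""
        gone = [cid for cid, c in self.clusters.items()
                if now - c.last_seen > self.hold]
        for cid in gone:
            del self.clusters[cid]
        return gone


def demo() -> Dict[str, object]:
    """Battery-powered headset seen by two neighbor APs, then silent, then back."""
    rf = {"AP1": {"AP2"}, "AP2": {"AP1"}, "AP3": set()}  # assumed neighbor map
    t = ClusterTracker(down_after=60, hold_seconds=600, neighbors=rf)
    first = t.report("AP1", "BT Link", now=0)      # new cluster 1
    merged = t.report("AP2", "BT Link", now=5)     # AP2 is AP1's neighbor -> 1
    other = t.report("AP3", "BT Link", now=6)      # not a neighbor -> cluster 2
    while_down = t.status(first, now=120)          # silent 115 s > 60 -> "down"
    back = t.report("AP1", "BT Link", now=200)     # within hold -> ID 1 re-used
    return {"first": first, "merged": merged, "other": other,
            "while_down": while_down, "back": back,
            "history": t.clusters[first].detections,   # 3 detections preserved
            "expired_at_1000": t.expire(now=1000)}     # both silent > 600 s


if __name__ == "__main__":
    print(demo())
```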

Note The following is a prerequisite for monitoring the interference devices: You can configure Cisco CleanAir only on CleanAir-enabled access points.

Configuration Examples for CleanAir
This example shows how to enable CleanAir on the 2.4-GHz band and on an access point operating in the channel:
Device#configure terminal
Device(config)#ap dot11 24ghz cleanair
Device(config)#exit
Device#ap name TAP1 dot11 24ghz cleanair
Device#end
This example shows how to enable an EDRRM CleanAir event in the 2.4-GHz band and configure high sensitivity to non-Wi-Fi interference:
Device#configure terminal
Device(config)#ap dot11 24ghz rrm channel cleanair-event
Device(config)#ap dot11 24ghz rrm channel cleanair-event sensitivity high
Device(config)#end
This example shows how to enable an access point in the monitor mode:
Device#ap name <ap-name> mode monitor


CleanAir FAQs

Q. Multiple access points detect the same interference device. However, the device shows them as separate clusters or different suspected devices clustered together. Why does this happen?
A. Access points must be RF neighbors for the device to consider merging the devices that are detected by these access points. An access point takes time to establish neighbor relationships. A few minutes after the device reboots or after there is a change in the RF group, and similar events, clustering will not be very accurate.

Q. How do I view neighbor access points?
A. To view neighbor access points, use the show ap ap_name auto-rf dot11 {24ghz | 5ghz} command.
This example shows how to display the neighbor access points:
Device#show ap name AS-5508-5-AP3 auto-rf dot11 24ghz
<snippet>
Nearby APs
AP 0C85.259E.C350 slot 0 : -12 dBm on 1 (10.10.0.5)
AP 0C85.25AB.CCA0 slot 0 : -24 dBm on 6 (10.10.0.5)
AP 0C85.25C7.B7A0 slot 0 : -26 dBm on 11 (10.10.0.5)
AP 0C85.25DE.2C10 slot 0 : -24 dBm on 6 (10.10.0.5)
AP 0C85.25DE.C8E0 slot 0 : -14 dBm on 11 (10.10.0.5)
AP 0C85.25DF.3280 slot 0 : -31 dBm on 6 (10.10.0.5)
AP 0CD9.96BA.5600 slot 0 : -44 dBm on 6 (10.0.0.2)
AP 24B6.5734.C570 slot 0 : -48 dBm on 11 (10.0.0.2)
<snippet>

Q. What are the AP debug commands available for CleanAir?
A. The AP debug commands for CleanAir are:
· debug cleanair {bringup | event | logdebug | low | major | nsi | offchan}
· debug rrm {neighbor | off-channel | reports}


CHAPTER 146
Bluetooth Low Energy
· Information About Bluetooth Low Energy, on page 1391
· Enabling Bluetooth Low Energy Beacon (GUI), on page 1392
· Enabling Bluetooth Low Energy Beacon, on page 1392
Information About Bluetooth Low Energy
Note This feature is not related to the Indoor IoT Services feature set that is part of Cisco Spaces. This feature describes how Access Points and Catalyst 9800 can detect BLE devices as wireless interferers using Clean Air - not the BLE radio that is available on some Access Point models. This feature is not meant to be used for BLE-based asset tracking, environmental monitoring, or tag management use cases, which are powered using Cisco Spaces. For full feature functionality of how BLE-related use cases are delivered in the Cisco solution, refer to Cisco Spaces configuration guides for Indoor IoT services.
Bluetooth low energy (BLE) is a wireless personal area network technology aimed at enhancing location services for mobile devices. Small Bluetooth tag devices placed at strategic locations transmit universally unique identifiers (UUIDs) and Major and Minor fields as their identity. These details are picked up by Bluetooth-enabled smartphones and devices. The location information of these devices is sent to the corresponding back-end server. Relevant advertisements and other important information are then pushed to the devices using this location-specific information. By treating a tag device as an interferer and using the existing system capabilities, such as interference location, the tag device can be located on a map display in a wireless LAN deployment and its movement monitored. Besides this, information on missing tags can also be obtained. This feature can determine rogue and malicious tags by checking the unique identifier associated with each tag (or family of tags) against a predetermined allowed list from a customer. Using the management function, alerts can be displayed or emailed based on rogue tags, missing tags, or moved tags.
Limitations of BLE Feature
· The wireless infrastructure must support Cisco CleanAir.
· Supports a maximum of only 250 unique BLE beacons (cluster entries) and 1000 device entries.

· The Cisco CleanAir feature is only supported on Cisco Aironet 3700 Series Access Points with the Hyperlocation module RM3010. The BLE feature on Wave 2 and Wi-Fi 6 APs works in a different manner (through the cloud beacon center) and is not covered by this feature.
Areas of Use
The BLE feature provides granular location details of devices (smartphones or Bluetooth-enabled devices), which helps push context-sensitive advertising and other information to users. Possible areas of application include retail stores, museums, zoos, healthcare, fitness, security, advertising, and so on.

Enabling Bluetooth Low Energy Beacon (GUI)
Procedure

Step 1 Choose Configuration > Radio Configurations > CleanAir > 2.4 GHz Band > General.
Step 2 Check the Enable CleanAir check box.
Step 3 From the Available Interference Types list, select and move BLE Beacon to the Interference Types to Detect list.
Step 4 Click Apply.

Enabling Bluetooth Low Energy Beacon
Bluetooth low energy (BLE) detection is enabled by default. Use the procedure given below to enable BLE when it is disabled.
Before you begin
· The wireless infrastructure must support Cisco CleanAir.
· Cisco CleanAir configuration and show commands are available only in Mobility Controller (MC) mode.

Procedure

Step 1
Command or Action
configure terminal
Example:
Controller# configure terminal
Purpose
Enters global configuration mode.

Step 2
Command or Action
[no] ap dot11 24ghz cleanair device [ble-beacon]
Example:
Controller(config)# ap dot11 24ghz cleanair device ble-beacon
Purpose
Enables the BLE feature on the 802.11b network. Use the no form of the command to disable the BLE feature on the 802.11b network.


Step 3
Command or Action
exit
Example:
Controller(config)# exit
Purpose
Returns to privileged EXEC mode.

Step 4
Command or Action
show ap dot11 24ghz cleanair config
Example:
Controller# show ap dot11 24ghz cleanair config
Interference Device Settings:
    Interference Device Reporting................ : Enabled
    Bluetooth Link........................... : Enabled
    Microwave Oven........................... : Enabled
    BLE Beacon............................... : Enabled
Purpose
(Optional) Displays the BLE beacon configuration.

Step 5
Command or Action
show ap dot11 24ghz cleanair device type ble-beacon
Example:
Controller# show ap dot11 24ghz cleanair device type ble-beacon
DC = Duty Cycle (%)
ISI = Interference Severity Index (1-Low Interference, 100-High Interference)
RSSI = Received Signal Strength Index (dBm)
DevID = Device ID

No  ClusterID          DevID   Type        AP Name             ISI  RSSI  DC  Channel
---------------------------------------------------------------------------------------------
1   2c:92:80:00:00:22  0xa001  BLE Beacon  5508_3_AP3600_f839  --   -74   0   unknown
Purpose
(Optional) Displays the BLE beacon device-type information.
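A parser for the show ap dot11 24ghz cleanair device type output format shown in Step 5, with defender-side triage on the result (jammer-class devices, high ISI, and headroom against the 250-cluster BLE limit stated earlier in this chapter). This is an added example, not Cisco's code; the sample output, AP names, jammer and oven rows, and the ISI alert threshold are constructed.

```python
"""Parse 'show ap dot11 24ghz cleanair device type ...' output and triage it.

Added example, not Cisco's code. SAMPLE_OUTPUT is constructed in the format
shown above (not a real capture); AP names, the ISI alert threshold and the
jammer and oven rows are assumptions for the example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_BLE_CLUSTERS = 250   # cluster-entry limit stated in this chapter
ISI_ALERT = 60           # assumed severity threshold for raising an alert

# Constructed sample output in the controller's table format.
SAMPLE_OUTPUT = """\
DC = Duty Cycle (%)
ISI = Interference Severity Index (1-Low Interference, 100-High Interference)
RSSI = Received Signal Strength Index (dBm)
DevID = Device ID

No  ClusterID          DevID   Type        AP Name             ISI  RSSI  DC   Channel
--------------------------------------------------------------------------------------
1   2c:92:80:00:00:22  0xa001  BLE Beacon  5508_3_AP3600_f839  --   -74   0    unknown
2   2c:92:80:00:00:23  0xa002  BLE Beacon  5508_3_AP3600_f839  --   -61   0    unknown
3   2c:92:80:00:00:31  0x1001  Jammer      LOBBY-AP7           95   -40   100  1,6,11
4   2c:92:80:00:00:45  0x2001  MW Oven     KITCHEN-AP2         38   -55   42   11
"""


@dataclass
class Interferer:
    cluster_id: str
    dev_id: str
    dev_type: str
    ap_name: str
    isi: Optional[int]   # None when the controller prints '--'
    rssi: int            # dBm
    duty_cycle: int      # percent
    channel: str         # single channel, channel list, or 'unknown'


def _isi(token: str) -> Optional[int]:
    return None if token == "--" else int(token)


def parse_cleanair_devices(text: str) -> List[Interferer]:
    """Parse the rows that follow the dashed separator line."""
    rows: List[Interferer] = []
    in_table = False
    for line in text.splitlines():
        if line.startswith("---"):
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        tok = line.split()
        # Leading columns No, ClusterID, DevID and trailing columns AP Name,
        # ISI, RSSI, DC, Channel are single tokens; the Type column in between
        # may contain spaces ("BLE Beacon", "MW Oven"), so it takes the rest.
        if len(tok) < 9:
            raise ValueError(f"unexpected row: {line!r}")
        rows.append(Interferer(
            cluster_id=tok[1], dev_id=tok[2], dev_type=" ".join(tok[3:-5]),
            ap_name=tok[-5], isi=_isi(tok[-4]), rssi=int(tok[-3]),
            duty_cycle=int(tok[-2]), channel=tok[-1]))
    return rows


def triage(devices: List[Interferer], isi_alert: int = ISI_ALERT) -> List[str]:
    """Alert on jammer-class devices and on anything at or above the ISI threshold."""
    alerts = []
    for d in devices:
        if d.dev_type.lower() == "jammer":
            alerts.append(f"JAMMER on {d.ap_name} ch {d.channel} "
                          f"ISI={d.isi} DC={d.duty_cycle}%")
        elif d.isi is not None and d.isi >= isi_alert:
            alerts.append(f"SEVERE {d.dev_type} on {d.ap_name} "
                          f"ch {d.channel} ISI={d.isi}")
    return alerts


def ble_cluster_headroom(devices: List[Interferer],
                         limit: int = MAX_BLE_CLUSTERS) -> Tuple[int, int]:
    """(unique BLE beacon clusters seen, entries left before the cluster limit)."""
    clusters = {d.cluster_id for d in devices if d.dev_type == "BLE Beacon"}
    return len(clusters), limit - len(clusters)


if __name__ == "__main__":
    devs = parse_cleanair_devices(SAMPLE_OUTPUT)
    for a in triage(devs):
        print(a)
    print("BLE clusters used/remaining:", ble_cluster_headroom(devs))
```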


CHAPTER 147
Persistent Device Avoidance
· Information about Cisco Persistent Device Avoidance, on page 1395
· Configuring Persistent Device Avoidance (GUI), on page 1396
· Configuring Persistent Device Avoidance (CLI), on page 1396
· Verifying Persistent Device Avoidance, on page 1396
Information about Cisco Persistent Device Avoidance
The Cisco CleanAir Persistent Device Avoidance (PDA) feature is a part of spectrum management. Some interference devices, such as outdoor bridges and microwave ovens, transmit signals only when required. These devices can cause significant interference to the local WLAN, because short-duration and periodic operations remain largely undetected by normal RF management metrics. With Cisco CleanAir (CleanAir), the RRM dynamic channel allocation (DCA) algorithm can detect, measure, register, and remember the impact, and adjust the RRM DCA algorithm. The PDA process minimizes the use of channels affected by persistent devices in the channel plan, local to the interference source. CleanAir detects and stores persistent device information in the controller. This information is used to mitigate the interfering channels.
Persistent Devices Detection - CleanAir-capable monitor mode APs collect information about persistent devices on all the configured channels and store the information in the controller. Local or bridge mode APs detect interference devices only on the serving channels.
The PDA feature works seamlessly on all platforms. All the AP models that are capable of CleanAir and Spectrum Intelligence support the PDA feature. The supported platforms are:
· Cisco Aironet 1852 Access Points
· Cisco Aironet 1832 Access Points
· Cisco Aironet 2700 Series Access Points
· Cisco Aironet 2800 Series Access Points
· Cisco Aironet 3700 Series Access Points
· Cisco Aironet 3800 Series Access Points
· Cisco Aironet 4800 Series Access Points
· Cisco Catalyst 9115 Series Access Points

· Cisco Catalyst 9117 Series Access Points
· Cisco Catalyst 9120AX Series Access Points
· Cisco Catalyst 9124AX Series Access Points
· Cisco Catalyst 9130AX Access Points

Configuring Persistent Device Avoidance (GUI)
Procedure

Step 1 Choose Configuration > Radio Configurations > RRM.
Step 2 Click the 5 GHz Band tab or the 2.4 GHz Band tab, and click the DCA tab.
Step 3 In the DCA window, under the Dynamic Channel Assignment Algorithm section, check the Avoid Persistent Non-WiFi Interference check box to enable the device to ignore persistent non-WiFi interference.
Step 4 Click Apply.

Configuring Persistent Device Avoidance (CLI)
You can enable and disable the PDA feature and PDA propagation configuration mode through the RRM Manager.

Procedure

Step 1
Command or Action
configure terminal
Example:
Device# configure terminal
Purpose
Enters global configuration mode.

Step 2
Command or Action
[no] ap dot11 {24ghz | 5ghz} rrm channel device
Example:
Device(config)# [no] ap dot11 24ghz rrm channel device
Purpose
Configures persistent non-WiFi device avoidance in the 802.11a or 802.11b channel assignment. Use the no form of this command to negate the command or to set its defaults.

Verifying Persistent Device Avoidance

To verify the current state of the Device Aware detail of the channel, use the following command:

Device#show ap dot11 24ghz channel
Leader Automatic Channel Assignment
  Channel Assignment Mode                     : AUTO
  Channel Update Interval                     : 600 seconds
  Anchor time (Hour of the day)               : 0
  Channel Update Contribution
    Noise                                     : Enable
    Interference                              : Enable
    Load                                      : Disable
    Device Aware                              : Enable
  CleanAir Event-driven RRM option            : Disabled
  Channel Assignment Leader                   : cisco-vwlc (9.9.39.73)
  Last Run                                    : 166 seconds ago
  DCA Sensitivity Level                       : MEDIUM : 10 dB
  DCA Minimum Energy Limit                    : -95 dBm
  Channel Energy Levels
    Minimum                                   : -82 dBm
    Average                                   : -82 dBm
    Maximum                                   : -82 dBm
  Channel Dwell Times
    Minimum                                   : 8 days 0 hour 43 minutes 13 seconds
    Average                                   : 8 days 0 hour 43 minutes 13 seconds
    Maximum                                   : 8 days 0 hour 43 minutes 13 seconds
  802.11b 2.4 GHz Auto-RF Channel List
    Allowed Channel List                      : 1,6,11
    Unused Channel List                       : 2,3,4,5,7,8,9,10

To verify all the reported interferers along with the class type, use the following command:

To verify the persistent device information under Auto-RF, use the following command:

Device#show ap auto-rf dot11 24ghz
Number of Slots                 : 2
AP Name                         : VANC-AP
MAC Address                     : d4c9.3ce5.c760
Slot ID                         : 0
Radio Type                      : 802.11n - 2.4 GHz
................
Noise Information
..................
Persistent Interference Devices
Class Type                Channel DC (%%) RSSI (dBm) Last Update Time
------------------------- ------- ------ --------- ---------------
MW Oven                   11      NA     -71       08/22/2019 12:03:18 UTC
MW Oven                   11      NA     -24       08/22/2019 12:03:19 UTC
MW Oven                   11      NA     -17       08/22/2019 12:03:16 UTC
MW Oven                   11      NA     -22       08/22/2019 12:03:19 UTC

To verify the persistent device information under Auto-RF for specific Cisco APs, use the following command:

Device#show ap name ap_name auto-rf dot11 24ghz
Number of Slots                 : 2
AP Name                         : VANC-AP
MAC Address                     : d4c9.3ce5.c760
Slot ID                         : 0
Radio Type                      : 802.11n - 2.4 GHz
................
Noise Information
..................
Persistent Interference Devices
Class Type                Channel DC (%%) RSSI (dBm) Last Update Time
------------------------- ------- ------ --------- ---------------
MW Oven                   11      NA     -71       08/22/2019 12:03:18 UTC
MW Oven                   11      NA     -24       08/22/2019 12:03:19 UTC
MW Oven                   11      NA     -17       08/22/2019 12:03:16 UTC
MW Oven                   11      NA     -22       08/22/2019 12:03:19 UTC


CHAPTER 148
Spectrum Intelligence
· Spectrum Intelligence, on page 1399
· Configuring Spectrum Intelligence, on page 1400
· Verifying Spectrum Intelligence Information, on page 1400
· Debugging Spectrum Intelligence on Supported APs (CLI), on page 1401
Spectrum Intelligence
The Spectrum Intelligence feature scans for non-Wi-Fi radio interference on the 2.4-GHz and 5-GHz bands. Spectrum Intelligence provides basic functions to detect interference of three types, namely microwave, continuous wave (such as a video bridge or baby monitor), and Wi-Fi and frequency hopping (Bluetooth and frequency-hopping spread spectrum (FHSS) cordless phones). The following Cisco access points (APs) support the Spectrum Intelligence feature:
· Cisco Catalyst 9115 Series Wi-Fi 6 APs
· Cisco Aironet 1852E/I APs
· Cisco Aironet 1832I APs
· Cisco Aironet 1815W/T/I/M APs
· Cisco Aironet 1810W/T APs
· Cisco Aironet 1800I/S APs
· Cisco Aironet 1542D/I APs
Note You must enable Spectrum Intelligence feature on the Cisco Aironet 1832 and 1852 series APs to get radio details, such as noise, air-quality, interference, and radio utilization on the Cisco DNA Center Assurance AP health.
Restrictions
· SI APs only report a single interference type in Local mode.

· SI does not support high availability for air quality or interference reports. High availability is not supported because the interference report or reported device is not copied to the standby after a switchover; the AP is expected to send it again if the interferer is still present.
· Spectrum Intelligence detects only three types of devices:
· Microwave
· Continuous wave--(video recorder, baby monitor)
· SI-FHSS--(Bluetooth, Frequency hopping Digital European Cordless Telecommunications (DECT) phones)

Configuring Spectrum Intelligence
Follow the procedure given below to configure spectrum intelligence:

Procedure

Step 1
Command or Action
configure terminal
Example:
Device# configure terminal
Purpose
Enters global configuration mode.

Step 2
Command or Action
ap dot11 {24ghz | 5ghz} SI
Example:
Device(config)# ap dot11 24ghz SI
Purpose
Configures the 2.4-GHz or 5-GHz Spectrum Intelligence feature on the 802.11a or 802.11b network. Use the no form of the command to disable SI on the 802.11a or 802.11b network.

Verifying Spectrum Intelligence Information
Use the following commands to verify Spectrum Intelligence information.
To display the SI information for a 2.4-GHz or 5-GHz band, use the following command:
Device# show ap dot11 24ghz SI config
SI Solution...................................... : Enabled
Interference Device Settings:
        SI_FHSS.................................. : Enabled
Interference Device Types Triggering Alarms:
        SI_FHSS.................................. : Disabled
To display SI interferers of type Continuous transmitter for a 2.4-GHz band, use the following command:
Device# show ap dot11 24ghz SI device type cont_tx
DC = Duty Cycle (%)
ISI = Interference Severity Index (1-Low Interference, 100-High Interference)
RSSI = Received Signal Strength Index (dBm)
DevID = Device ID
AP type = CA, clean air, SI spectrum intelligence
No  ClusterID        DevID  Type     AP Type AP Name           ISI  RSSI  DC   Channel
--- --------------- ------ -------- ------- ----------------- ---- ----- ---- --- ------
    xx:xx:xx:xx     0014   BT       CA      myAP1             --   -69   00   133
    xx:xx:xx:xx     0014   BT       SI      myAP1             --   -69   00   133

To display 802.11a interference device information for the given AP for 5 GHz, use the following command:
Device# show ap dot11 5ghz SI device type ap
DC = Duty Cycle (%)
ISI = Interference Severity Index (1-Low Interference, 100-High Interference)
RSSI = Received Signal Strength Index (dBm)
DevID = Device ID
AP type = CA, clean air, SI spectrum intelligence
No  ClusterID/BSSID    DevID  Type    AP Type AP Name                  ISI  RSSI  DC   Channel
--- ------------------ ------ ------- ------ ------------------------ ---- ----- ---- ----------

To display all Cisco CleanAir interferers for a 2.4-GHz band, use the following command:
Device# show ap dot11 24ghz cleanair device type all

Debugging Spectrum Intelligence on Supported APs (CLI)
You need to enter these commands in the AP console. For information about APs that support this feature see https://www.cisco.com/c/en/us/td/docs/wireless/access_point/feature-matrix/ap-feature-matrix.html.
Procedure
· Generate major Spectrum Intelligence logs for an AP by entering this command: debug cleanair major
· Verify the Spectrum Intelligence scan schedule of 5 seconds on an AP by entering this command: debug cleanair event
· Generate logs at a 10-minute interval, when interference is not detected or reported by the AP, by entering this command: debug cleanair raw 10
This command creates three files under the /tmp directory from the dev shell:
· spectrum.fft
· spectrum.dbg
· spectrum.int


· View the Spectrum Intelligence detected interfering devices by entering this command: show cleanair interferers
· View the Spectrum Intelligence configuration status by entering this command: show cleanair status


CHAPTER 149
Spectrum Analysis
· Information About Spectrum Analysis, on page 1403
· Live Spectrum Analysis, on page 1404
· Performing AP Spectrum Analysis (GUI), on page 1404
· Configuring Spectrum Analysis, on page 1405
· Verifying Spectrum Analysis, on page 1405
Information About Spectrum Analysis
Cisco DNA Center receives a spectrogram stream from access points and visualizes spectrum analysis as a real-time spectrogram view. Network administrators receive RF violation issues from end users or radio frequency issues from Cisco DNA Center. To analyze a violation, you should select the corresponding AP and analyze the spectrogram stream. Based on whether a setting is global or is meant for a specific channel, every AP uses a specific channel to communicate with clients. When a lot of clients join the same AP, there is a high possibility of frames getting dropped. When there is an issue of clients dropping quickly, or not getting onboarded, you should perform the spectrum analysis to check if the channels are clogged. You can enable spectrum analysis on every AP listed in the web UI and view the graphs based on the corresponding AP. When enabled, the APs send spectrum data to Cisco DNA Center, which then aggregates it into three distinct charts. You can view the following charts while performing a spectrum analysis:
· Persistence Charts: Plot the amplitude-to-power ratio of each signal at each channel for a period of five minutes. The chart is color coded, with blue representing one signal and red representing many signals. This chart also plots the opacity that represents the age of the signal data within the five-minute interval, with older data being more transparent.
· Waterfall Charts: Plot all the signals that are analyzed in the channel for a period of five minutes, with intensity on the X axis and time on the Y axis. The chart is color coded, with blue representing a low value and red representing a high value.
· Interference and Duty Charts: Plot the severity of detected interference for each channel band, and list the interference type. Interference is plotted as a circle, where the center represents the severity, and the radius represents the section of the channel band that is affected. The impact of the interference is measured as severity, with values ranging from 0 to 100. The interference type is determined from the RF signature of the interference identified by Cisco CleanAir technology.

Live Spectrum Analysis
You can perform a live spectrum analysis of the AP radios, and monitor the spectrum of frequencies generated by the radios of the corresponding AP using the web UI. The live spectrum capture uses radio 2 if it is available. Otherwise, both radio 0 and radio 1 are used. When you enable live spectrum analysis on radio 2, Cisco DNA Center displays a consolidated view of the interference in both the 2.4 GHz and 5 GHz ranges. However, if the feature is enabled on radio 0 or radio 1, you can only view the part of the spectrum that the radio is associated with. You can select a radio in the web UI and view a live spectrum associated with this radio for 10 minutes, and later extend the duration based on your requirement.

Performing AP Spectrum Analysis (GUI)
Before you begin
Use the Cisco DNA Center Discovery functionality to locate an AP to perform a spectrum analysis.
Procedure
Step 1 Choose Provision > Inventory. The Inventory window is displayed.
Step 2 Click AP Name. The 360 degree Device window is displayed.
Step 3 Click Intelligent Capture.
Step 4 Click Spectrum Analysis to view the graphs.
Step 5 From the Radio drop-down list, choose a radio.
Step 6 Click Start Spectrum Analysis. The graphs are displayed on the web UI for you to analyze. To stop the analysis, click Stop Spectrum Analysis.

Configuring Spectrum Analysis
Procedure
Step 1 configure terminal
Purpose: Enters global configuration mode.
Example:
Device# configure terminal
Step 2 icap subscription ap rf spectrum enable
Purpose: Configures spectrum analysis on the AP.
Example:
Device(config)# icap subscription ap rf spectrum enable
Step 3 icap subscription ap rf spectrum slot slot-number
Purpose: Selects a radio slot on which to enable spectrum analysis.
Example:
Device(config)# icap subscription ap rf spectrum slot 0

Verifying Spectrum Analysis
The following is a sample output of the show ap icap subscription name command that verifies spectrum analysis on a selected AP:
Device#show ap icap subscription name
Subscription list
----------------
Full Pkt Capture    : Disabled
Partial Pkt Capture : Enabled
Anomaly Event       : Enabled
Debug               : Disabled
Stats               : Disabled
Ap Operational Data : Disabled
Sensor Message      : Enabled
RRM Operational Data: Disabled
Client Events       : Disabled
aWIPS Forensic Pkts : Disabled

MAC and Filters subscription list
--------------------------------
Full-packet-trace: None
Partial-packet-trace: None
Filters: None
Anomaly Detection: None

Client Stats
-----------
None

RF Spectrum
----------
Radio Slot(s): 1
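When the verification above is scripted (for example, to audit which APs have an ICAP spectrum subscription and on which slot), the show output has to be parsed. The following is an added example, not part of the Cisco guide; the sample text is a constructed copy of the output above with a placeholder AP name.

```python
"""Parse 'show ap icap subscription name <ap-name>' output into sections and
check that RF spectrum analysis is subscribed on the expected radio slot.
Added example, not code from the Cisco guide."""
import re

# Constructed sample mirroring the guide's output; the AP name is a placeholder.
SAMPLE_OUTPUT = """\
Device#show ap icap subscription name AP-NAME-PLACEHOLDER
Subscription list
----------------
Full Pkt Capture    : Disabled
Partial Pkt Capture : Enabled
Anomaly Event       : Enabled
Debug               : Disabled
Stats               : Disabled
Ap Operational Data : Disabled
Sensor Message      : Enabled
RRM Operational Data: Disabled
Client Events       : Disabled
aWIPS Forensic Pkts : Disabled

MAC and Filters subscription list
--------------------------------
Full-packet-trace: None
Partial-packet-trace: None
Filters: None
Anomaly Detection: None

Client Stats
-----------
None

RF Spectrum
----------
Radio Slot(s): 1
"""

_UNDERLINE = re.compile(r"-{3,}")


def parse_icap_subscription(text):
    """Return {section_name: {key: value}} for each dashed-underlined section.
    A body line without ':' (such as 'None') is stored under the key '_raw'."""
    lines = text.splitlines()
    sections = {}
    current = None
    for i, line in enumerate(lines):
        stripped = line.strip()
        # A section heading is a line immediately followed by a dashed underline.
        if i + 1 < len(lines) and _UNDERLINE.fullmatch(lines[i + 1].strip()):
            current = stripped
            sections[current] = {}
            continue
        if current is None or not stripped or _UNDERLINE.fullmatch(stripped):
            continue
        if ":" in stripped:
            key, value = stripped.split(":", 1)
            sections[current][key.strip()] = value.strip()
        else:
            sections[current]["_raw"] = stripped
    return sections


def rf_spectrum_slots(sections):
    """Return the set of radio slots subscribed for RF spectrum (empty if none)."""
    value = sections.get("RF Spectrum", {}).get("Radio Slot(s)", "")
    if not value or value.lower() == "none":
        return set()
    return {int(s) for s in re.findall(r"\d+", value)}


def enabled_subscriptions(sections):
    """Return the sorted names of 'Subscription list' entries that are Enabled."""
    subs = sections.get("Subscription list", {})
    return sorted(k for k, v in subs.items() if v == "Enabled")


def check_spectrum_enabled(text, expected_slot):
    """True if the output shows RF spectrum analysis subscribed on expected_slot."""
    return expected_slot in rf_spectrum_slots(parse_icap_subscription(text))


if __name__ == "__main__":
    parsed = parse_icap_subscription(SAMPLE_OUTPUT)
    print("Enabled subscriptions:", enabled_subscriptions(parsed))
    print("RF spectrum slots:", rf_spectrum_slots(parsed))
    print("Slot 1 subscribed:", check_spectrum_enabled(SAMPLE_OUTPUT, 1))
```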


PART XIII
Mesh Access Points
· Mesh Access Points, on page 1409
· Redundant Root Access Point (RAP) Ethernet Daisy Chaining, on page 1471

CHAPTER 150
Mesh Access Points
· Introduction to the Mesh Network, on page 1411
· Restrictions for Mesh Access Points, on page 1412
· MAC Authorization, on page 1413
· Preshared Key Provisioning, on page 1413
· EAP Authentication, on page 1414
· Bridge Group Names, on page 1415
· Background Scanning, on page 1415
· Mesh Backhaul at 2.4 GHz and 5 GHz, on page 1416
· Information About Mesh Backhaul, on page 1416
· Dynamic Frequency Selection, on page 1417
· Country Codes, on page 1417
· Intrusion Detection System, on page 1417
· Mesh Interoperability Between Controllers, on page 1418
· Information About DHCP and NAT Functionality on Root AP (RAP), on page 1418
· Mesh Convergence, on page 1419
· Ethernet Bridging, on page 1419
· Multicast Over Mesh Ethernet Bridging Network, on page 1420
· Radio Resource Management on Mesh, on page 1421
· Air Time Fairness on Mesh, on page 1421
· Spectrum Intelligence for Mesh, on page 1422
· Indoor Mesh Interoperability with Outdoor Mesh, on page 1422
· Workgroup Bridge, on page 1422
· Link Test, on page 1423
· Mesh Daisy Chaining, on page 1423
· Mesh Leaf Node, on page 1424
· Flex+Bridge Mode, on page 1424
· Backhaul Client Access, on page 1424
· Mesh CAC, on page 1424
· Prerequisites for Mesh Ethernet Daisy Chaining, on page 1425
· Restrictions for Mesh Ethernet Daisy Chaining, on page 1425
· Speeding up Mesh Network Recovery Through Fast Detection of Uplink Gateway Reachability Failure, on page 1426
· Configuring MAC Authorization (GUI), on page 1426
· Configuring MAC Authorization (CLI), on page 1427
· Configuring MAP Authorization - EAP (GUI), on page 1428
· Configuring MAP Authorization (CLI), on page 1429
· Configuring PSK Provisioning (CLI), on page 1429
· Configuring a Bridge Group Name (GUI), on page 1431
· Configuring a Bridge Group Name (CLI), on page 1431
· Configuring Background Scanning (GUI), on page 1431
· Configuring Background Scanning, on page 1432
· Configuring Backhaul Client Access (GUI), on page 1432
· Configuring Backhaul Client Access (CLI), on page 1432
· Configuring Wireless Backhaul Data Rate (CLI), on page 1433
· Configuring Mesh Backhaul (CLI), on page 1434
· Configuring Dynamic Frequency Selection (CLI), on page 1434
· Configuring the Intrusion Detection System (CLI), on page 1435
· Configuring Ethernet Bridging (GUI), on page 1435
· Configuring Ethernet Bridging (CLI), on page 1436
· Configuring Multicast Modes over Mesh, on page 1437
· Configuring RRM on Mesh Backhaul (CLI), on page 1438
· Selecting a Preferred Parent (GUI), on page 1439
· Selecting a Preferred Parent (CLI), on page 1439
· Changing the Role of an AP (GUI), on page 1440
· Changing the Role of an AP (CLI), on page 1441
· Configuring the Mesh Leaf Node (CLI), on page 1441
· Configuring the Mesh Leaf Node (GUI), on page 1441
· Configuring Subset Channel Synchronization, on page 1442
· Provisioning LSC for Bridge-Mode and Mesh APs (GUI), on page 1442
· Provisioning LSC for Bridge-Mode and Mesh APs, on page 1443
· Specifying the Backhaul Slot for the Root AP (GUI), on page 1444
· Specifying the Backhaul Slot for the Root AP (CLI), on page 1444
· Using a Link Test on Mesh Backhaul (GUI), on page 1445
· Using a Link Test on Mesh Backhaul, on page 1445
· Configuring Battery State for Mesh AP (GUI), on page 1446
· Configuring Battery State for Mesh AP, on page 1446
· Configuring Mesh Convergence (CLI), on page 1446
· Configuring DHCP Server on Root Access Point (RAP), on page 1447
· Configuring Mesh Ethernet Daisy Chaining (CLI), on page 1448
· Enabling Mesh Ethernet Daisy Chaining, on page 1448
· Configuring Mesh CAC (CLI), on page 1449
· Configuring ATF on Mesh (GUI), on page 1449
· Configuring ATF on Mesh, on page 1450
· Create an ATF Policy for a MAP, on page 1450
· Creating an ATF Policy (GUI), on page 1451
· Adding an ATF to a Policy Profile (GUI), on page 1451
· Enabling ATF Mode in an RF Profile (GUI), on page 1451
· Configuring Fast Teardown for a Mesh AP Profile (CLI), on page 1452
· Flex Resilient with Flex and Bridge Mode Access Points, on page 1453
· Verifying ATF Configuration on Mesh, on page 1459
· Verifying Mesh Ethernet Daisy Chaining, on page 1460
· Verifying Mesh Convergence, on page 1460
· Verifying DHCP Server for Root AP Configuration, on page 1461
· Verifying Mesh Backhaul, on page 1461
· Verifying Mesh Configuration, on page 1462
Introduction to the Mesh Network
Mesh networking employs Cisco Aironet outdoor mesh access points and indoor mesh access points along with Cisco Wireless Controller and Cisco Prime Infrastructure to provide scalability, central management, and mobility between indoor and outdoor deployments. Control and Provisioning of Wireless Access Points (CAPWAP) protocol manages the connection of mesh access points to the network.
End-to-end security within the mesh network is supported by employing Advanced Encryption Standard (AES) encryption between wireless mesh access points and Wi-Fi Protected Access 2 (WPA2) clients. WPA2 also applies to the connections in which a mesh access point (MAP) acts as the wireless client, such as MAP-to-MAP and MAP-to-root access point links.
The wireless mesh terminates on two points on the wired network. The first location is where the root access point (RAP) is attached to the wired network, and where all bridged traffic connects to the wired network. The second location is where the CAPWAP controller connects to the wired network; this is where the WLAN client traffic from the mesh network is connected to the wired network. The WLAN client traffic from CAPWAP is tunneled to Layer 2. Matching WLANs should terminate on the same switch VLAN on which the wireless controllers are co-located. The security and network configuration for each of the WLANs on the mesh depend on the security capabilities of the network to which the wireless controller is connected.
In the new configuration model, the controller has a default mesh profile. This profile is mapped to the default AP-join profile, which in turn is mapped to the default site tag. If you are creating a named mesh profile, ensure that these mappings are put in place, and that the corresponding AP is added to the corresponding site tag.

Important
The following are the mesh-supported scenarios in IRCM from the Cisco IOS XE Amsterdam 17.3 release up to the Cisco IOS XE Cupertino 17.9 release, for the Cisco Wave 1 APs that are not supported:
· Cisco Wave 1 APs are not supported in the releases after Cisco IOS XE Amsterdam 17.3. This includes mesh support as well. Therefore, it is not possible for a Cisco Wave 1 AP to join a Cisco Catalyst 9800 Series Wireless Controller (controller) running Cisco IOS XE Amsterdam 17.4 and later versions. We recommend the following deployment mode for Cisco Wave 1 APs.
· In the case of Cisco mesh deployments, be aware of the following deployment limitations when the system is deployed:
  · MAP roaming is not allowed between Cisco Catalyst 9800 Series Wireless Controllers if the controllers run different Cisco IOS XE versions (Cisco IOS XE Amsterdam 17.3 or Cisco IOS XE Cupertino 17.9) for any of the Cisco Wave 1 APs and Cisco Wave 2 APs.
  · You cannot have Cisco Wave 1 APs and Cisco Catalyst 9124 Series APs in the same mesh tree in the releases after Cisco IOS XE Amsterdam 17.3.x. This can be achieved in 17.3.x, beginning from the 17.3.6 (upcoming) release.
  · The whole mesh tree containing Cisco Wave 1 APs must be joined to the 17.3 controller, by running the strict-bgn and mac filtering commands.
Note The limitations mentioned above are not valid for the Cisco Industrial Wireless 3702 Se which are supported until the Cisco IOS XE Cupertino 17.9 release.
Restrictions for Mesh Access Points
The Mesh feature is supported only on the following AP platforms:
· Outdoor APs
  · Cisco Industrial Wireless 3702 Access Points (supported from Cisco IOS XE Gibraltar 16.11.1b)
  · Cisco Aironet 1542 Access Points
  · Cisco Aironet 1562 Access Points
  · Cisco Aironet 1572 Access Points
  · Cisco Catalyst IW6300 Heavy Duty Access Points
  · Cisco 6300 Series Embedded Services Access Points
· Indoor APs
  · Cisco Aironet 1815i Access Points
  · Cisco Aironet 1815m Access Points
  · Cisco Aironet 1815w Access Points
  · Cisco Aironet 1832i Access Points
  · Cisco Aironet 1852i Access Points
  · Cisco Aironet 1852e Access Points
  · Cisco Aironet 2802i Access Points
  · Cisco Aironet 2802e Access Points
  · Cisco Aironet 3802i Access Points
  · Cisco Aironet 3802e Access Points
  · Cisco Aironet 3802p Access Points
  · Cisco Aironet 4800 Access Points
The following mesh features are not supported:
· Serial backhaul AP support with separate backhaul radios for uplink and downlink.
· Public Safety channels (4.9-GHz band) support.
· Passive Beaconing (Anti-Stranding)
Note Only Root APs support SSO. MAPs will disconnect and rejoin after SSO. The AP Stateful Switch Over (SSO) feature allows the access point (AP) to establish a CAPWAP tunnel with the Active controller and share a mirror copy of the AP database with the Standby controller. The overall goal for the addition of AP SSO support to the controller is to reduce major downtime in wireless networks due to failure conditions that may occur due to box failover or network failover.
MAC Authorization
You must enter the MAC address of an AP in the controller to make a MAP join the controller. The controller responds only to those CAPWAP requests from MAPs that are available in its authorization list. Remember to use the MAC address provided at the back of the AP. MAC authorization for MAPs connected to the controller over Ethernet occurs during the CAPWAP join process. For MAPs that join the controller over radio, MAC authorization takes place when the corresponding AP tries to secure an adaptive wireless path protocol (AWPP) link with the parent MAP. The AWPP is the protocol used in Cisco mesh networks. The Cisco Catalyst 9800 Series Wireless Controller supports MAC authorization internally as well as using an external AAA server.
Preshared Key Provisioning
Customers with mesh deployments can see their MAPs moving out of their network and joining another mesh network when both these mesh deployments use AAA with wild card MAC filtering to allow the association of MAPs. Since MAPs might use EAP-FAST, this cannot be controlled because a security combination of MAC address and type of AP is used for EAP, and no controlled configuration is available. The preshared key (PSK) option with a default passphrase also presents a security risk.
This issue is prominently seen in overlapping deployments of two service providers when the MAPs are used in a moving vehicle (public transportation, ferry, ship, and so on). In this situation, nothing restricts the MAPs to remain with their service provider's mesh network; MAPs can be hijacked or used by another service provider's network and can no longer serve the intended customers of the original service provider's deployment.
The PSK key provisioning feature enables a provisionable PSK functionality from the controller, which helps make a controlled mesh deployment and enhances MAP security beyond the default. With this feature, the MAPs that are configured with a custom PSK use that PSK to authenticate with their RAPs and the controller.
EAP Authentication
Local EAP is an authentication method that allows users and wireless clients to be authenticated locally on the controller. It is designed for use in remote offices that want to maintain connectivity with wireless clients when the backend system gets disrupted or the external authentication server goes down. When you enable local EAP, the controller serves as the authentication server and the local user database, which in turn, removes dependence on an external authentication server. Local EAP retrieves user credentials from the local user database or the LDAP backend database to authenticate users. Local EAP supports only the EAP-FAST authentication method for MAP authentication between the controller and wireless clients.
Local EAP uses an LDAP server as its backend database to retrieve user credentials for MAP authentication between the controller and wireless clients. An LDAP backend database allows the controller to query an LDAP server for the credentials (username and password) of a particular user. These credentials are then used to authenticate the user.
Note If RADIUS servers are configured on the controller, the controller tries to authenticate the wireless clients using the RADIUS servers first. Local EAP is attempted only if RADIUS servers are not found, timed out, or were not configured.
EAP Authentication with LSC
Locally significant certificate-based (LSC-based) EAP authentication is also supported for MAPs. To use this feature, you should have a public key infrastructure (PKI) to control certification authority, define policies, validity periods, and restrictions and usages on the certificates that are generated, and get these certificates installed on the APs and controller.
After these customer-generated certificates or LSCs are available on the APs and controller, the devices can start using these LSCs, to join, authenticate, and derive a session key.
LSCs do not remove any preexisting certificates from an AP. An AP can have both LSC and manufacturing installed certificates (MIC). However, after an AP is provisioned with an LSC, the MIC certificate is not used during boot-up. A change from an LSC to MIC requires the corresponding AP to reboot.
The controller also supports mesh security with EAP authentication to a designated server in order to:
· Authenticate the mesh child AP
· Generate a master session key (MSK) for packet encryption.
Bridge Group Names
Bridge group names (BGNs) control the association of MAPs to the parent mesh AP. BGNs can logically group radios to avoid two networks on the same channel from communicating with each other. The setting is also useful if you have more than one RAP in your network in the same sector (area). BGN is a string comprising a maximum of 10 characters.
A BGN of NULL VALUE is assigned by default during manufacturing. Although not visible to you, it allows a MAP to join the network prior to your assignment of your network-specific BGN. If you have two RAPs in your network in the same sector (for more capacity), we recommend that you configure the two RAPs with the same BGN, but on different channels.
When Strict Match BGN is enabled on a MAP, it will scan ten times to find a matching BGN parent. After ten scans, if the AP does not find the parent with matching BGN, it will connect to the nonmatched BGN and maintain the connection for 15 minutes. After 15 minutes, the AP will again scan ten times, and this cycle continues. The default BGN functionalities remain the same when Strict Match BGN is enabled.
In Cisco Catalyst 9800 Series Wireless Controller, the BGN is configured on the mesh profile. Whenever a MAP joins the controller, the controller pushes the BGN that is configured on the mesh profile to the AP.
Preferred Parent Selection
The preferred parent for a MAP enables you to enforce a linear topology in a mesh environment. With this feature, you can override the Adaptive Wireless Path Protocol-defined (AWPP-defined) parent selection mechanism and force a MAP to go to a preferred parent. For Cisco Wave 1 APs, when you configure a preferred parent, ensure that you specify the MAC address of the actual mesh neighbor for the desired parent. This MAC address is the base radio MAC address that has the letter "f" as the final character. For example, if the base radio MAC address is 00:24:13:0f:92:00, then you must specify 00:24:13:0f:92:0f as the preferred parent.
Device# ap name ap1 mesh parent preferred 00:24:13:0f:92:0f
For Cisco Wave 2 APs, when you configure a preferred parent, the MAC address is the base radio MAC address that has "0x11" added to the last two characters. For example, if the base radio MAC address is 00:24:13:0f:92:00, then you must specify 00:24:13:0f:92:11 as the preferred parent.
Device# ap name ap1 mesh parent preferred 00:24:13:0f:92:11
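The two rules above (last hex character replaced by "f" for Wave 1, 0x11 added to the last octet for Wave 2) are easy to get wrong by hand, and a wrong neighbor MAC simply leaves the MAP on AWPP's own parent choice. The following is an added example, not code from the Cisco guide, that derives the preferred-parent MAC and the resulting CLI line; the rejection of a Wave 2 sum that overflows one octet is an assumption, since the guide does not say what happens then.

```python
"""Derive the preferred-parent MAC for 'ap name <ap> mesh parent preferred'
from a base radio MAC, following the Wave 1 and Wave 2 rules in the text above.
Added example, not code from the Cisco guide."""
import re

_MAC_RE = re.compile(r"([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}")


def _parse_mac(mac):
    """Return the six octets of a colon-separated 48-bit MAC; reject anything else."""
    if not _MAC_RE.fullmatch(mac):
        raise ValueError(f"not a colon-separated 48-bit MAC: {mac!r}")
    return [int(octet, 16) for octet in mac.split(":")]


def _format_mac(octets):
    return ":".join(f"{o:02x}" for o in octets)


def preferred_parent_mac(base_radio_mac, wave):
    """Return the mesh-neighbor MAC that identifies the desired parent.

    wave=1: base radio MAC with its last hex character replaced by 'f'.
    wave=2: base radio MAC with 0x11 added to its last octet.
    Assumption (not stated in the guide): a Wave 2 sum that does not fit in
    one octet is rejected rather than silently wrapped."""
    octets = _parse_mac(base_radio_mac)
    if wave == 1:
        octets[5] = (octets[5] & 0xF0) | 0x0F
    elif wave == 2:
        total = octets[5] + 0x11
        if total > 0xFF:
            raise ValueError("last octet overflows; verify the parent's actual neighbor MAC")
        octets[5] = total
    else:
        raise ValueError("wave must be 1 or 2")
    return _format_mac(octets)


def preferred_parent_command(ap_name, base_radio_mac, wave):
    """Build the controller CLI line shown in the text for the derived MAC."""
    return f"ap name {ap_name} mesh parent preferred {preferred_parent_mac(base_radio_mac, wave)}"


if __name__ == "__main__":
    # Base radio MAC taken from the guide's own example.
    print(preferred_parent_command("ap1", "00:24:13:0f:92:00", wave=1))
    print(preferred_parent_command("ap1", "00:24:13:0f:92:00", wave=2))
```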
Background Scanning
Mesh background scanning improves convergence time, and reliability and stability of parent selection. With the help of the Background Scanning feature, a MAP can find and connect with a better potential parent across channels, and maintain its uplink with the appropriate parent all the time. When background scanning is disabled, a MAP has to scan all the channels of the regulatory domain after detecting a parent loss in order to find a new parent and go through the authentication process. This delays the time taken for the mesh AP to connect back to the controller.

Cisco Catalyst 9800 Series Wireless Controller Software Configuration Guide, Cisco IOS XE Bengaluru 17.5.x 1415

Mesh Backhaul at 2.4 GHz and 5 GHz

Mesh Access Points

When background scanning is enabled, a MAP can avoid scanning across the channels to find a parent after detecting a parent loss, and select a parent from the neighbor list and establish the AWPP link.
Mesh Backhaul at 2.4 GHz and 5 GHz
A backhaul is used to create only the wireless connection between MAPs. The backhaul interface is 802.11a/n/ac/g depending upon the AP. The default backhaul interface is 5-GHz. The rate selection is important for effective use of the available radio frequency spectrum. The rate can also affect the throughput of client devices. (Throughput is an important metric used by industry publications to evaluate vendor devices.)
Mesh backhaul is supported at 2.4-GHz and 5-GHz. However, certain countries do not allow a mesh network with a 5-GHz backhaul. The 2.4-GHz radio frequencies allow you to achieve much larger mesh or bridge distances.
When a RAP gets a slot-change configuration, it is propagated from the RAP to all its child MAPs. All the MAPs get disconnected and join the newly configured backhaul slot.
Information About Mesh Backhaul
This section provides information about mesh backhaul at 2.4-GHz. By default, the backhaul interface for mesh APs is 802.11a/ac/ax. Certain countries do not allow the use of mesh network with a 5-GHz backhaul network. Even in countries where 5-GHz is permitted, we recommend that you use 2.4-GHz radio frequencies to achieve much larger mesh or bridge distances. The Mesh backhaul at 2.4-GHz is supported on the following access points:
· Cisco Catalyst 9124AX Series Outdoor Access Point
· Cisco Aironet 1540 Series Outdoor Access Points
· Cisco Aironet 1542D Outdoor Access Points
· Cisco Aironet 1562D Outdoor Access Points
· Cisco Aironet 1562E Outdoor Access Points
· Cisco Aironet 1562I Outdoor Access Points
· Cisco Aironet 1562PS Access Points
· Cisco Aironet 1570 Series Outdoor Access Points
· Cisco Aironet 1815i Access Points
· Cisco Aironet 1815m Series Access Point
· Cisco Aironet 1830 Series Access Points
· Cisco Aironet 1850 Series Access Points
· Cisco Aironet 2800e Access Points
· Cisco Aironet 2800i Access Points
· Cisco Aironet 3800 Series Access Points
· Cisco Aironet 4800 Access Points

Cisco Catalyst 9800 Series Wireless Controller Software Configuration Guide, Cisco IOS XE Bengaluru 17.5.x 1416

Mesh Access Points

Dynamic Frequency Selection

· Cisco Catalyst IW6300 DC Heavy Duty Access Point
· Cisco Catalyst IW6300 DCW Heavy Duty Access Point
· Cisco Catalyst IW6300 Series Heavy Duty Access Points
· Cisco 6300 Series Embedded Services Access Points
Note In Israel, you must ensure that you run the ap country IO command to enable the outdoor country code for the selected radio. After you configure using the ap country IO command, the 2.4-GHz radio is enabled and 5-GHz radio is disabled.
Dynamic Frequency Selection
To protect the existing radar services, the regulatory bodies require that devices that have to share the newly opened frequency sub-band behave in accordance with the Dynamic Frequency Selection (DFS) protocol. DFS dictates that in order to be compliant, a radio device must be capable of detecting the presence of radar signals. When a radio detects a radar signal, the radio should stop transmitting for at least 30 minutes to protect that service. The radio should then select a different channel to transmit on, but only after monitoring it. If no radar is detected on the projected channel for at least one minute, the new radio service device can begin transmissions on that channel. The DFS feature allows mesh APs to immediately switch channels when a radar event is detected in any of the mesh APs in a sector.
Country Codes
Controllers and APs are designed for use in many countries having varying regulatory requirements. The radios within the APs are assigned to a specific regulatory domain at the factory (such as -E for Europe), but the country code enables you to specify a particular country of operation (such as FR for France or ES for Spain). Configuring a country code ensures that each radio's broadcast frequency bands, interfaces, channels, and transmit power levels are compliant with country-specific regulations. In certain countries, there is a difference in the following for indoor and outdoor APs:
· Regulatory domain code
· Set of channels supported
· Transmit power level
Intrusion Detection System
The Cisco Intrusion Detection System/Intrusion Prevention System (CIDS/CIPS) instructs controllers to block certain clients from accessing a wireless network when attacks involving these clients are detected in Layer 3 through Layer 7. This system offers significant network protection by helping to detect, classify, and stop threats, including worms, spyware or adware, network viruses, and application abuse.

Cisco Catalyst 9800 Series Wireless Controller Software Configuration Guide, Cisco IOS XE Bengaluru 17.5.x 1417

Mesh Interoperability Between Controllers

Mesh Access Points

Mesh Interoperability Between Controllers
Interoperability can be maintained between AireOS and the Cisco Catalyst 9800 Series Wireless Controller with the following support:
· MAPs can join an AireOS controller through a mesh network formed by APs connected to a Cisco Catalyst 9800 Series Wireless Controller.
· MAPs can join a Cisco Catalyst 9800 Series Wireless Controller through a mesh network formed by APs connected to an AireOS controller.
· MAP roaming is supported between parent mesh APs connected to AireOS and the Cisco Catalyst 9800 Series Wireless Controller by using PMK cache.
Note For seamless interoperability, AireOS controller and the Cisco Catalyst 9800 Series Wireless Controller should be in the same mobility group and use the image versions that support IRCM.
Information About DHCP and NAT Functionality on Root AP (RAP)
Note This feature is applicable for Cisco Aironet 1542 series outdoor access points only.
The access points associated to a mesh network can play one of two roles:
· Root Access Point (RAP): An access point can be a root access point for multiple mesh networks.
· Mesh Access Point (MAP): An access point can be a mesh access point for only one mesh network at a time.
DHCP and NAT Functionality on Root AP - IPv4 Scenario
This feature enables the controller to send a TLV to the RAP when a new RAP joins the controller. The workflow is as follows:
· The controller pushes a TLV to the RAP to enable DHCP and NAT functionality.
· A client associates to an SSID.
· The RAP executes DHCP functionality to assign a private IPv4 address to the client.
· The RAP executes NAT functionality on the private IPv4 address of the client to allow access to the network.

Cisco Catalyst 9800 Series Wireless Controller Software Configuration Guide, Cisco IOS XE Bengaluru 17.5.x 1418

Mesh Access Points

Mesh Convergence

Mesh Convergence

Mesh convergence allows MAPs to reestablish connection with the controller when they lose backhaul connection with the current parent. To improve the convergence time, each mesh AP maintains a subset of channels that is used for future scan-seek and to identify a parent in the neighbor list subset.
The following convergence methods are supported.
Table 74: Mesh Convergence
Mesh Convergence      Parent Loss Detection / Keepalive Timers
Standard              21 / 3 seconds
Fast                  7 / 3 seconds
Very Fast             4 / 2 seconds
Noise-tolerant-fast   21 / 3 seconds

Noise-Tolerant Fast
Noise-tolerant fast detection is based on the failure to get a response for an AWPP neighbor request, which evaluates the current parent every 21 seconds in the standard method. Each neighbor is sent a unicast request every 3 seconds along with a request to the parent. Failure to get a response from the parent initiates either a roam if neighbors are available on the same channel or a full scan for a new parent.

Ethernet Bridging
For security reasons, the Ethernet port on all the MAPs is disabled by default. It can be enabled only by configuring Ethernet bridging on the root and its respective MAP.
Both tagged and untagged packets are supported on secondary Ethernet interfaces.
In a point-to-point bridging scenario, a Cisco Aironet 1500 Series MAP can be used to extend a remote network by using the backhaul radio to bridge multiple segments of a switched network. This is fundamentally a wireless mesh network with one MAP and no WLAN clients. Just as in point-to-multipoint networks, client access can still be provided with Ethernet bridging enabled, although if bridging between buildings, MAP coverage from a high rooftop might not be suitable for client access. To use an Ethernet-bridged application, enable the bridging feature on the RAP and on all the MAPs in that sector.
Ethernet bridging should be enabled for the following scenarios:
· Use mesh nodes as bridges.
· Connect Ethernet devices, such as a video camera on a MAP using its Ethernet port.
Note Ensure that Ethernet bridging is enabled for every parent mesh AP taking the path from the mesh AP to the controller.
In a mesh environment with VLAN support for Ethernet bridging, the secondary Ethernet interfaces on MAPs are assigned a VLAN individually from the controller. All the backhaul bridge links, both wired and wireless, are trunk links with all the VLANs enabled. Non-Ethernet bridged traffic, as well as untagged Ethernet bridged traffic travels along the mesh using the native VLAN of the APs in the mesh. It is similar for all the traffic to and from the wireless clients that the APs are servicing. The VLAN-tagged packets are tunneled through AWPP over wireless backhaul links.
VLAN Tagging for MAP Ethernet Clients
The backhaul interfaces of mesh APs are referred to as primary interfaces, and other interfaces are referred to as secondary interfaces.
Ethernet VLAN tagging allows specific application traffic to be segmented within a wireless mesh network and then forwarded (bridged) to a wired LAN (access mode) or bridged to another wireless mesh network (trunk mode).
Multicast Over Mesh Ethernet Bridging Network
Mesh multicast modes determine how bridging-enabled APs, such as MAPs and RAPs, send multicast packets among Ethernet LANs within a mesh network. Mesh multicast modes manage only non-CAPWAP multicast traffic. CAPWAP multicast traffic is governed by a different mechanism.
Three different mesh multicast modes are available to manage multicast and broadcast packets on all MAPs. When enabled, these modes reduce unnecessary multicast transmissions within the mesh network and conserve backhaul bandwidth.
The three mesh multicast modes are:
· Regular mode: Data is multicast across the entire mesh network and all its segments by bridging-enabled RAP and MAP.
· In-only mode: Multicast packets received from the Ethernet by a MAP are forwarded to the corresponding RAP's Ethernet network. No additional forwarding occurs, which ensures that non-CAPWAP multicasts received by the RAP are not sent back to the MAP Ethernet networks within the mesh network (their point of origin), and MAP to MAP multicasts do not occur because such multicasts are filtered out.
· In-out mode: The RAP and MAP both multicast but in a different manner.
· If multicast packets are received at a MAP over Ethernet, they are sent to the RAP; however, they are not sent to other MAP over Ethernet, and the MAP-to-MAP packets are filtered out of the multicast.
· If multicast packets are received at a RAP over Ethernet, they are sent to all the MAPs and their respective Ethernet networks. When the in-out mode is in operation, it is important to properly partition your network to ensure that a multicast sent by one RAP is not received by another RAP on the same Ethernet segment and then sent back into the network.
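The forwarding rules of the three modes above can be written down as one decision function, which makes it easy to check a planned partitioning before enabling in-out mode. This is an added example, not code from the Cisco guide; the node names are constructed.

```python
"""Decide where a non-CAPWAP multicast frame that enters a bridging-enabled mesh
node's Ethernet port is forwarded under each mesh multicast mode described above.
Added example, not code from the Cisco guide."""

MODES = ("regular", "in-only", "in-out")


def multicast_targets(mode, ingress_node, rap, maps):
    """Return the set of nodes whose Ethernet segment receives the frame.

    ingress_node: the RAP or MAP whose Ethernet port received the frame.
    rap: the RAP's name; maps: names of all bridging-enabled MAPs in the tree."""
    if mode not in MODES:
        raise ValueError(f"unknown mesh multicast mode: {mode}")
    if ingress_node != rap and ingress_node not in maps:
        raise ValueError(f"{ingress_node} is not a node in this mesh tree")
    from_rap = ingress_node == rap
    if mode == "regular":
        # Flooded across the entire mesh: every other bridging node's segment.
        return ({rap} | set(maps)) - {ingress_node}
    if mode == "in-only":
        # MAP Ethernet -> RAP Ethernet only. A multicast received at the RAP is
        # not sent back to the MAP segments, and MAP-to-MAP is filtered out.
        return set() if from_rap else {rap}
    # in-out: MAP Ethernet -> RAP only (MAP-to-MAP filtered);
    # RAP Ethernet -> all MAPs and their Ethernet networks.
    return set(maps) if from_rap else {rap}


def forwarding_matrix(mode, rap, maps):
    """Map every possible ingress node to its sorted forwarding targets."""
    return {node: sorted(multicast_targets(mode, node, rap, maps))
            for node in [rap, *maps]}


if __name__ == "__main__":
    RAP, MAPS = "rap1", ["map1", "map2", "map3"]   # constructed sector
    for mode in MODES:
        print(mode, forwarding_matrix(mode, RAP, MAPS))
```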

Radio Resource Management on Mesh
The Radio Resource Management (RRM) software embedded in the controller acts as a built-in RF engineer to consistently provide real-time RF management of your wireless network. RRM enables the controller to continually monitor the associated lightweight APs for information on traffic load, interference, noise, coverage, and other nearby APs.
The RRM measurement in the mesh AP backhaul is enabled based on the following conditions:
· Mesh AP has the Root AP role.
· Root AP has joined using Ethernet link.
· Root AP is not serving any child AP.
Air Time Fairness on Mesh
The Air Time Fairness (ATF) on Mesh feature is conceptually similar to the ATF feature for local access points (APs). ATF is a form of wireless quality of service (QoS) that regulates downlink airtime (as opposed to egress bandwidth). Before a frame is transmitted, the ATF budget for that SSID is checked to ensure that there is sufficient airtime budget to transmit the frame. Each SSID can be thought of as having a token bucket (1 token = 1 microsecond of airtime). If the token bucket contains enough airtime to transmit the frame, it is transmitted over the air. Otherwise, the frame is either dropped or deferred. Deferring a frame means that the frame is not admitted into the Access Category Queue (ACQ). Instead, it remains in the Client Priority Queue (CPQ) and is transmitted later, when the corresponding token bucket contains a sufficient number of tokens (unless the CPQ reaches full capacity, at which point the frame is dropped). The majority of the work involved in ATF takes place on the APs. The wireless controller is used to configure ATF on Mesh and display the results.
In a mesh architecture, the mesh APs (parent and child MAPs) in a mesh tree access the same channel on the backhaul radio for mesh connectivity between parent and child MAPs. The root AP is connected by wire to the controller, and MAPs are connected wirelessly to the controller. Hence, all CAPWAP and Wi-Fi traffic is bridged to the controller through the wireless backhaul radio and through the RAP. In terms of physical location, RAPs are normally placed on the rooftop, and MAPs in multiple hops are placed some distance apart from each other based on the mesh network segmentation guidelines. Hence, each MAP in a mesh tree can provide 100 percent of its own radio airtime downstream to its users, even though each MAP accesses the same medium. Compare this to a nonmesh scenario, where neighboring local-mode unified APs placed next to each other in different rooms of an arena serve their respective clients on the same channel, each AP providing 100 percent of its radio airtime downstream. ATF has no control over clients from two different neighboring APs accessing the same medium. The same applies to MAPs in a mesh tree.
For outdoor or indoor mesh APs, ATF must be supported on the client access radios that serve regular clients, similarly to how it is supported on nonmesh unified local mode APs. Additionally, it must also be supported on the backhaul radios, which bridge the traffic to and from the clients on the client access radios to RAPs (one hop) or through MAPs to RAPs (multiple hops). Supporting ATF on the backhaul radios with the same SSID/Policy/Weight/Client fair-sharing model is not straightforward: backhaul radios do not have SSIDs, and they always bridge traffic through their hidden backhaul nodes. Therefore, on the backhaul radios in a RAP or a MAP, the radio airtime downstream is shared equally, based on the number of backhaul nodes. This approach provides fairness to users across a wireless mesh network, where clients associated to a second-hop MAP can stall the clients associated to a first-hop MAP (the second-hop MAP being connected wirelessly to the first-hop MAP through the backhaul radio), even though the Wi-Fi users on the MAPs are separated by physical location. In a scenario where a backhaul radio has the option to serve normal clients through the universal client access feature, ATF places the regular clients into a single node and groups them. It also enforces the airtime by equally sharing the radio airtime downstream, based on the number of nodes (backhaul nodes plus a single node for regular clients).
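The token-bucket behaviour described above, applied to a backhaul radio that shares its downstream airtime equally across its backhaul nodes plus one node for regular clients. This is an added model, not AP firmware: the replenish interval, the CPQ depth and the node names are constructed, and real APs refill continuously rather than once per interval.

```python
"""Airtime-fairness token bucket for a mesh backhaul radio (added model).
1 token = 1 microsecond of airtime. Each node (child MAP, or the single
node that groups regular clients under universal client access) gets an
equal share of the radio's downstream airtime per replenish interval.
A frame is admitted to the ACQ only if its node's bucket can pay for it;
otherwise it waits in the node's CPQ, or is dropped when the CPQ is full."""
from collections import deque


class AtfBackhaulRadio:
    def __init__(self, node_names, interval_us=100_000, cpq_depth=4):
        self.interval_us = interval_us            # downstream airtime per interval
        self.cpq_depth = cpq_depth                # constructed queue limit
        self.buckets = {n: 0 for n in node_names}  # tokens (microseconds) per node
        self.cpq = {n: deque() for n in node_names}
        self.sent, self.dropped = [], []

    def replenish(self):
        """Start of an interval: split the airtime equally, then drain CPQs."""
        share = self.interval_us // len(self.buckets)
        for node in self.buckets:
            self.buckets[node] = share
            self._drain(node)

    def offer(self, node, frame_id, airtime_us):
        """A frame arrives for downstream transmission toward `node`."""
        if self.buckets[node] >= airtime_us:
            self.buckets[node] -= airtime_us      # enough tokens: into the ACQ
            self.sent.append((node, frame_id))
        elif len(self.cpq[node]) < self.cpq_depth:
            self.cpq[node].append((frame_id, airtime_us))  # deferred in the CPQ
        else:
            self.dropped.append((node, frame_id))           # CPQ full: dropped

    def _drain(self, node):
        """Transmit deferred frames, in order, while the bucket can pay."""
        queue = self.cpq[node]
        while queue and self.buckets[node] >= queue[0][1]:
            frame_id, airtime_us = queue.popleft()
            self.buckets[node] -= airtime_us
            self.sent.append((node, frame_id))

    def sent_for(self, node):
        return [f for n, f in self.sent if n == node]
```

A node that overruns its share only delays or loses its own frames; the other nodes' buckets are untouched, which is the fairness property the section describes.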
Spectrum Intelligence for Mesh
The Spectrum Intelligence feature scans for non-Wi-Fi radio interference on the 2.4-GHz and 5-GHz bands. The feature supports client serving mode and monitor mode. The Cisco CleanAir technology in mesh backhaul and access radios provides an Interference Device Report (IDR) and Air Quality Index (AQI). Two key mitigation features (Event-Driven Radio Resource Management [ED-RRM] and Persistent Device Avoidance [PDA]) are present in CleanAir. Both rely directly on information that can only be gathered by CleanAir. In the client-access radio band, they work the same way in mesh networks as they do in nonmesh networks. In the backhaul radio band, the CleanAir reports are only displayed on the controller; no action is taken through ED-RRM.
Note that no specific configuration options are available to enable or disable CleanAir for MAPs.
For more information about Spectrum Intelligence, see the Configuring Spectrum Intelligence section, on page 1400.
Indoor Mesh Interoperability with Outdoor Mesh
Interoperability of indoor MAPs with outdoor APs is supported. This helps to bring coverage from outdoors to indoors. However, we recommend that you use indoor MAPs for indoor use only, and deploy them outdoors only under limited circumstances, such as a simple short-haul extension from an indoor WLAN to a hop in a parking lot.
Mobility groups can be shared between outdoor mesh networks and indoor WLAN networks. It is also possible for a single controller to control indoor and outdoor MAPs simultaneously. Note that the same WLANs are broadcast out of both indoor and outdoor MAPs.
Workgroup Bridge
A workgroup bridge (WGB) is used to connect wired networks over a single wireless segment by informing the corresponding MAP of all the clients that the WGB has on its wired segment via IAPP messages. In addition to the IAPP control messages, the data packets for WGB clients contain an extra MAC address in the 802.11 header (four MAC headers, versus the normal three MAC data headers). The extra MAC in the header is the address of the workgroup bridge itself. This extra MAC address is used to route a packet to and from the corresponding clients.
APs can be configured as workgroup bridges. One radio interface is used for controller connectivity, the Ethernet interface for wired client connectivity, and the other radio interface for wireless client connectivity.
In Cisco Catalyst 9800 Series Wireless Controller, WGB acts as a client association, with the wired clients behind WGB supported for data traffic over the mesh network. Wired clients with different VLANs behind WGB are also supported.

Link Test

A link test is used to determine the quality of the radio link between two devices. Two types of link-test packets are transmitted during a link test: request and response. Any radio receiving a link-test request packet fills in the appropriate text boxes and echoes the packet back to the sender with the response type set.
The radio link quality in the client-to-access point direction can differ from that in the access point-to-client direction due to the asymmetrical distribution of the transmit power and receive sensitivity on both sides. Two types of link tests can be performed: a ping test and a CCX link test.
With the ping link test, the controller can test link quality only in the client-to-access point direction. The RF parameters of the ping reply packets received by the access point are polled by the controller to determine the client-to-access point link quality.
With the CCX link test, the controller can also test the link quality in the access point-to-client direction. The controller issues link-test requests to the client, and the client records the RF parameters (received signal strength indicator [RSSI], signal-to-noise ratio [SNR], and so on) of the received request packet in the response packet. Both the link-test requestor and responder roles are implemented on the access point and controller. Not only can the access point or controller initiate a link test to a CCX v4 or v5 client, but a CCX v4 or v5 client can initiate a link test to the access point or controller.

Mesh Daisy Chaining
Mesh APs can be daisy chained when they function as MAPs. Daisy-chained MAPs can either operate as a serial backhaul, allowing different channels for uplink and downlink access and thus improving backhaul bandwidth, or extend universal access. Extending universal access allows you to connect a local mode or FlexConnect mode Mesh AP to the Ethernet port of a MAP, thus extending the network to provide better client access.
Daisy-chained APs must be cabled differently depending on how the APs are powered. If an AP is powered using DC power, an Ethernet cable must be connected directly from the LAN port of the Primary AP to the PoE-in port of the Subordinate AP.
The following are the guidelines for the daisy chaining mode:
· Primary MAP should be configured as mesh AP.
· Subordinate MAP should be configured as root AP.
· Daisy chaining should be enabled on both primary and subordinate MAP.
· Ethernet bridging should be enabled on all the APs in the Bridge mode. Enable Ethernet bridging in the mesh profile and map all the bridge mode APs in the sector to the same mesh profile.
· VLAN support should be enabled on the wired root AP, subordinate MAP, and primary MAP along with proper native VLAN configuration.

Mesh Leaf Node
You can configure a MAP with lower performance to work only as a leaf node. When the mesh network is formed and converged, the leaf node can only work as a child MAP, and cannot be selected by other MAPs as a parent MAP, thus ensuring that the wireless backhaul performance is not downgraded.
Flex+Bridge Mode
Flex+Bridge mode is used to enable FlexConnect capabilities on mesh (bridge mode) APs. Mesh APs inherit VLANs from the root AP they are connected to. Any EWC capable AP in Flex mode connected to a MAP should be in CAPWAP mode (AP-type CAPWAP). You can enable or disable VLAN trunking and configure a native VLAN ID on each AP for any of the following modes:
· FlexConnect
· Flex+Bridge (FlexConnect+Mesh)
Backhaul Client Access
When Backhaul Client Access is enabled, it allows wireless client association over the backhaul radio. The backhaul radio can be a 2.4-GHz or 5-GHz radio. This means that a backhaul radio can carry both backhaul traffic and client traffic. When Backhaul Client Access is disabled, only backhaul traffic is sent over the backhaul radio, and client association is performed only over the access radio.
Note Backhaul Client Access is disabled by default. After Backhaul Client Access is enabled, all the MAPs, except the subordinate AP and its child APs in a daisy-chained deployment, reboot.
Mesh CAC
Call Admission Control (CAC) enables a mesh access point to maintain controlled quality of service (QoS) on the controller to manage voice quality on the mesh network. Bandwidth-based, or static, CAC enables the client to specify how much bandwidth or shared medium time is required to accept a new call. Each access point determines whether it is capable of accommodating a particular call by looking at the bandwidth available and comparing it against the bandwidth required for the call. If there is not enough bandwidth available to maintain the maximum allowed number of calls with acceptable quality, the mesh access point rejects the call.
· When a client roams from one MAP to another in the same site, bandwidth availability is checked again in the new tree for the active calls.
· When a MAP roams to a new parent, the active calls are not terminated and continue to be active with the other active calls in the subtree.
· High Availability (HA) for MAPs is not supported; calls attached to a MAP's access radio are terminated on HA switchover.
· HA for RAPs is supported, hence calls attached to a RAP's access radio continue to be active in the new controller after switchover.
· The Mesh CAC algorithm is applicable only for voice calls.
· For Mesh backhaul radio bandwidth calculation, static CAC is applied. Load-based CAC is not used, as the APs do not support load-based CAC in Mesh backhaul.
· Calls are allowed based on the available bandwidth on a radio. Airtime Fairness (ATF) is not accounted for in call admission, and the calls that fall under an ATF policy are given bandwidth as per the ATF weight.
Mesh CAC is not supported for the following scenarios:
· APs in a Mesh tree assigned with different site tags.
· APs in a Mesh tree assigned with the default site tag.
Prerequisites for Mesh Ethernet Daisy Chaining
· Ensure that you have configured the AP role as root AP.
· Ensure that you have enabled Ethernet Bridging and Strict Wired Uplink on the corresponding AP.
· Ensure that you have disabled VLAN transparency.
· To enable VLAN support on each root AP for bridge mode APs, use the ap name name-of-rap mesh vlan-trunking [native] vlan-id command to configure a trunk VLAN on the corresponding RAP.
· To enable VLAN support on each root AP for Flex+Bridge APs, you must configure the native VLAN ID under the corresponding flex profile.
· Ensure that you use 4-pair cables that support 1000 Mbps. This feature does not work properly with 2-pair cables supporting 100 Mbps.
Restrictions for Mesh Ethernet Daisy Chaining
· This feature is applicable to the Cisco Industrial Wireless 3702 AP and Cisco Catalyst 9124 Series APs.
· This feature is applicable to APs operating in Bridge mode and Flex+Bridge mode only.
· In Flex+Bridge mode, if local switching WLAN is enabled, the work group bridge (WGB) multiple VLAN is not supported.
· To support the Ethernet daisy chain topology, you must not connect the Cisco Industrial Wireless 3702 PoE out port to another Cisco Industrial Wireless 3702 PoE in port; the power injector must be used as the power supply for the AP.
· The network convergence time increases as the number of APs in the chain increases.
· Any EWC capable AP that is part of daisy chaining and has been assigned the RAP role must be in CAPWAP mode (ap-type capwap).

Speeding up Mesh Network Recovery Through Fast Detection of Uplink Gateway Reachability Failure
In all 802.11ac Wave 2 APs, the speed of mesh network recovery mechanism is increased through fast detection of uplink gateway reachability failure. The uplink gateway reachability of the mesh APs is checked using ICMP ping to the default gateway, either IPv4 or IPv6.
Mesh AP triggers the reachability check in the following two scenarios:
· After a new uplink is selected, until the mesh AP joins the controller
After a new uplink is selected, the mesh AP has a window of 45 seconds to reach the gateway (via static IP or DHCP) through the selected uplink. If the mesh AP still fails to reach the gateway after 45 seconds, the current uplink is added to the blocked list and the uplink selection process is restarted. If the AP joins the controller within this 45-second window, the reachability check is stopped. Subsequently, there is no gateway reachability check during normal operations.
· As soon as the mesh AP times out its connection with the controller
After the mesh AP times out its connection with the controller and the AP fails to reach the gateway in 5 seconds, the current uplink is immediately added to the blocked list and the uplink selection process is restarted.
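The two reachability-check scenarios above as a small state machine, added here as a simulation rather than Cisco AP code. Time is an integer number of seconds supplied by the caller, the uplink names are constructed, and the behaviour after a successful probe in the lost-controller case (the AP keeps the uplink and rejoins through it) is an assumption of the model.

```python
"""Fast detection of uplink gateway reachability failure (added simulation).
gateway_probe() records the result of one ICMP ping to the default gateway
(IPv4 or IPv6). A failing probe past the grace window blocks the current
uplink and restarts uplink selection, which skips blocked uplinks."""

JOIN_WINDOW_S = 45   # grace period after a new uplink is selected
LOST_WINDOW_S = 5    # grace period after the controller connection times out


class MeshUplinkMonitor:
    def __init__(self, candidates):
        self.candidates = list(candidates)  # constructed uplinks, in preference order
        self.blocked = []                   # uplinks that failed the reachability check
        self.uplink = None
        self.state = "no-uplink"
        self.deadline = None
        self.log = []

    def select_uplink(self, now):
        """Uplink selection; blocked uplinks are skipped."""
        for candidate in self.candidates:
            if candidate not in self.blocked:
                self.uplink = candidate
                self.state = "checking-join"    # checked until the AP joins the controller
                self.deadline = now + JOIN_WINDOW_S
                self.log.append((now, "selected", candidate))
                return candidate
        self.uplink, self.state, self.deadline = None, "no-uplink", None
        return None

    def controller_joined(self, now):
        """Joined within the window: the reachability check stops."""
        self.state, self.deadline = "joined", None
        self.log.append((now, "joined", self.uplink))

    def controller_timeout(self, now):
        """Controller connection timed out: 5 s to reach the gateway."""
        self.state, self.deadline = "checking-lost", now + LOST_WINDOW_S
        self.log.append((now, "controller-timeout", self.uplink))

    def gateway_probe(self, now, reachable):
        """Apply one ping result at time `now`; returns the resulting state."""
        if self.state in ("joined", "no-uplink"):
            return self.state       # no reachability check during normal operation
        if reachable:
            if self.state == "checking-lost":
                # Model assumption: keep the uplink and rejoin through it.
                self.state, self.deadline = "checking-join", now + JOIN_WINDOW_S
            return self.state
        if now < self.deadline:
            return self.state       # still inside the grace window
        self.blocked.append(self.uplink)
        self.log.append((now, "blocked", self.uplink))
        self.select_uplink(now)
        return "uplink-blocked"
```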

Configuring MAC Authorization (GUI)
Procedure

Step 1 Choose Configuration > Security > AAA > AAA Advanced > Device Authentication.
Step 2 Click Add. The Quick Step: MAC Filtering window is displayed.
Step 3 In the Quick Step: MAC Filtering window, complete the following:
  a) Enter the MAC Address.
  b) Choose the Attribute List Name from the drop-down list.
  c) Choose the WLAN Profile Name from the drop-down list.
  d) Click Apply to Device.
Step 4 Choose Configuration > Security > AAA > AAA Method List > Authorization.
Step 5 Click Add. The Quick Step: AAA Authorization window is displayed.
Step 6 In the Quick Step: AAA Authorization window, complete the following:
  a) Enter the Method List Name.
  b) Choose the Type from the drop-down list.
  c) Choose the Group Type from the drop-down list.
  d) Check the Fallback to Local check box.
  e) Check the Authenticated check box.
  f) Move the required servers from the Available Server Groups to the Assigned Server Groups.
  g) Click Apply to Device.
Step 7 Choose Configuration > Wireless > Mesh > Profiles.
Step 8 Click the mesh profile. The Edit Mesh Profile window is displayed.
Step 9 Click the Advanced tab.
Step 10 In the Security settings, from the Method drop-down list, choose EAP.
Step 11 Choose the Authentication Method from the drop-down list.
Step 12 Choose the Authorization Method from the drop-down list.
Step 13 Click Update & Apply to Device.

Configuring MAC Authorization (CLI)
Follow the procedure given below to add the MAC address of a bridge mode AP to the controller.
Before you begin
· MAC filtering for bridge mode APs is enabled by default on the controller. Therefore, only the MAC address needs to be configured. The MAC address to be used is the one printed on the back of the corresponding AP.
· MAC authorization is supported internally, as well as using an external AAA server.

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: username user-name
Example:
Device(config)# username username1
Purpose: Configures user name authentication for MAC filtering, where the user name is the MAC address.

Step 3
Command or Action: aaa authorization credential-download method-name local
Example:
Device(config)# aaa authorization credential-download list1 local
Purpose: Sets an authorization method list to use local credentials.

Step 4
Command or Action: aaa authorization credential-download method-name radius group server-group-name
Example:
Device(config)# aaa authorization credential-download auth1 radius group radius-server-1
Purpose: Sets an authorization method list to use a RADIUS server group.

Step 5
Command or Action: wireless profile mesh profile-name
Example:
Device(config)# wireless profile mesh mesh1
Purpose: Configures a mesh profile and enters mesh profile configuration mode.

Step 6
Command or Action: method authorization method-name
Example:
Device(config-wireless-mesh-profile)# method authorization auth1
Purpose: Configures the authorization method for mesh AP authorization.

Configuring MAP Authorization - EAP (GUI)
Procedure

Step 1 Choose Configuration > Security > AAA > AAA Method List > Device Authentication.
Step 2 Click Add.
Step 3 Enter the Method List Name.
Step 4 Choose Type as dot1x and the Group Type from the drop-down lists.
Step 5 Check or uncheck the Fallback to Local check box.
Step 6 Move the required servers from the Available Server Groups to the Assigned Server Groups.
Step 7 Click Apply to Device.
Step 8 Choose Configuration > Wireless > Mesh > Profiles.
Step 9 Click the mesh profile. The Edit Mesh Profile window is displayed.
Step 10 Choose the Advanced tab.
Step 11 In the Security settings, from the Method drop-down list, choose EAP.
Step 12 Choose the options from the Authentication Method and Authorization Method drop-down lists.
Step 13 Click Update & Apply to Device.

Configuring MAP Authorization (CLI)
Select and configure the authentication method (EAP or PSK) for MAP authentication.

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: aaa authentication method-name radius group server-group-name
Example:
Device(config)# aaa authentication dot1x auth1 radius group radius-server-1
For local authentication:
Device(config)# aaa authentication dot1x auth1 local
Purpose: Sets an authentication method list to use a RADIUS server group. This is required for EAP authentication.

Step 3
Command or Action: wireless profile mesh profile-name
Example:
Device(config)# wireless profile mesh mesh1
Purpose: Configures a mesh profile and enters mesh profile configuration mode.

Step 4
Command or Action: security {eap | psk}
Example:
Device(config-wireless-mesh-profile)# security eap
Purpose: Configures the mesh security (EAP or PSK) for mesh APs.

Step 5
Command or Action: method authentication method-name
Example:
Device(config-wireless-mesh-profile)# method authentication auth1
Purpose: Configures the authentication method for mesh AP authentication.

Configuring PSK Provisioning (CLI)
When PSK provisioning is enabled, the APs initially join with the default PSK. After the PSK provisioning key is set, the configured key is pushed to the newly joined AP. Follow the procedure given below to configure a PSK:
Before you begin
The provisioned PSK should have been pushed to all the APs that are configured with PSK as mesh security.

Note
· PSKs are saved across reboots in the controller as well as on the corresponding mesh AP.
· A controller can have a total of five PSKs and one default PSK.
· A mesh AP deletes its provisioned PSK only on factory reset.
· A mesh AP never uses the default PSK after receiving the first provisioned PSK.

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wireless mesh security psk provisioning
Example:
Device(config)# wireless mesh security psk provisioning
Purpose: Configures the security method for wireless as PSK.
Note: The provisioned PSK is pushed only to those APs that are configured with PSK as the mesh security method.

Step 3
Command or Action: wireless mesh security psk provisioning key index {0 | 8} pre-shared-key description
Example:
Device(config)# wireless mesh security psk provisioning key 1 0 secret secret-key
Purpose: Configures a new PSK for mesh APs.

Step 4
Command or Action: wireless mesh security psk provisioning default-psk
Example:
Device(config)# wireless mesh security psk provisioning default-psk
Purpose: Enables default PSK-based authentication.

Step 5
Command or Action: wireless mesh security psk provisioning inuse index
Example:
Device(config)# wireless mesh security psk provisioning inuse 1
Purpose: Specifies the PSK to be actively used.
Note: You should explicitly set the in-use key index in the global configuration, pointing to the PSK index.
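The provisioning rules from the Note and the procedure above (five provisioned PSKs plus one default, pushed only to PSK-secured APs, the in-use index set explicitly, a MAP never returning to the default PSK until factory reset), written out as an added model. This is not controller or AP code; the join-acceptance rule and all key strings are constructed for the example.

```python
"""Mesh PSK provisioning behaviour (added model of the rules in this section).
The controller keeps one default PSK plus up to five provisioned PSKs; the
in-use key is pushed only to APs whose mesh security is PSK; a MAP keeps a
provisioned key across reboots and drops it only on factory reset."""

MAX_PROVISIONED_PSKS = 5


class MeshPskController:
    def __init__(self, default_psk):
        self.default_psk = default_psk        # built-in default (constructed here)
        self.default_psk_enabled = True       # 'psk provisioning default-psk'
        self.keys = {}                        # index -> (pre_shared_key, description)
        self.inuse = None                     # 'psk provisioning inuse <index>'

    def provision_key(self, index, pre_shared_key, description):
        """'wireless mesh security psk provisioning key <index> 0 <key> <desc>'"""
        if index not in self.keys and len(self.keys) >= MAX_PROVISIONED_PSKS:
            raise ValueError("a controller holds at most five provisioned PSKs")
        self.keys[index] = (pre_shared_key, description)

    def set_inuse(self, index):
        """The in-use index must be set explicitly; nothing is pushed otherwise."""
        if index not in self.keys:
            raise ValueError(f"no provisioned PSK at index {index}")
        self.inuse = index

    def push_to(self, ap):
        """Push the in-use PSK; only PSK-secured mesh APs receive it."""
        if self.inuse is None or ap.mesh_security != "psk":
            return False
        ap.receive_provisioned_psk(self.keys[self.inuse][0])
        return True

    def accepts_join(self, offered_key):
        """Model assumption: a join is accepted with the in-use provisioned key,
        or with the default PSK while default PSK authentication is enabled."""
        if self.inuse is not None and offered_key == self.keys[self.inuse][0]:
            return True
        return self.default_psk_enabled and offered_key == self.default_psk


class MeshAp:
    def __init__(self, name, mesh_security, default_psk):
        self.name, self.mesh_security = name, mesh_security
        self.default_psk = default_psk
        self.provisioned_psk = None           # persists across reboots

    def receive_provisioned_psk(self, key):
        self.provisioned_psk = key

    def join_key(self):
        """Default PSK is used only until the first provisioned key arrives."""
        return self.provisioned_psk if self.provisioned_psk is not None else self.default_psk

    def reboot(self):
        return self.join_key()                # provisioned key survives a reboot

    def factory_reset(self):
        self.provisioned_psk = None           # the only way the AP drops the key
```

Disabling default-psk once every PSK-secured MAP has received its provisioned key closes the default-key join path, as the accepts_join() check shows.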

Configuring a Bridge Group Name (GUI)
Procedure

Step 1 Choose Configuration > Wireless > Mesh > Profiles.
Step 2 Click Add.
Step 3 In the Advanced tab, under the Bridge Group settings, enter the Bridge Group Name.
Step 4 Click Apply to Device.

Configuring a Bridge Group Name (CLI)
· If a bridge group name (BGN) is configured on a mesh profile, whenever a MAP joins the controller, the controller pushes the BGN configured on the mesh profile to the AP.
· Whenever a mesh AP moves from AireOS controller to the Cisco Catalyst 9800 Series Wireless Controller, the BGN configured on the mesh profile is pushed to that AP and stored there.

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wireless profile mesh profile-name
Example:
Device(config)# wireless profile mesh mesh1
Purpose: Configures a mesh profile and enters mesh profile configuration mode.

Step 3
Command or Action: bridge-group name bridge-grp-name
Example:
Device(config-wireless-mesh-profile)# bridge-group name bgn1
Purpose: Configures a bridge group name.

Configuring Background Scanning (GUI)
Procedure

Step 1 Choose Configuration > Wireless > Mesh > Profiles.
Step 2 Choose a profile.
Step 3 In the General tab, check the Background Scanning check box.
Step 4 Click Update & Apply to Device.

Configuring Background Scanning

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wireless profile mesh profile-name
Example:
Device(config)# wireless profile mesh mesh1
Purpose: Configures a mesh profile and enters mesh profile configuration mode.

Step 3
Command or Action: background-scanning
Example:
Device(config-wireless-mesh-profile)# background-scanning
Purpose: Configures background scanning in mesh deployments.

Configuring Backhaul Client Access (GUI)
Procedure

Step 1 Choose Configuration > Wireless > Mesh > Profiles.
Step 2 Choose a profile.
Step 3 In the General tab, check the Backhaul Client Access check box.
Step 4 Click Update & Apply to Device.

Configuring Backhaul Client Access (CLI)
Note Backhaul client access is disabled by default. After it is enabled, all the MAPs, except the subordinate AP and its child APs in a daisy-chained deployment, reboot.

Follow the procedure given below to enable backhaul client access on a mesh profile:

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wireless profile mesh profile-name
Example:
Device(config)# wireless profile mesh mesh1
Purpose: Configures a mesh profile and enters mesh profile configuration mode.

Step 3
Command or Action: client-access
Example:
Device(config-wireless-mesh-profile)# client-access
Purpose: Configures the backhaul radio for client access.

Configuring Wireless Backhaul Data Rate (CLI)
Backhaul is used to create a wireless connection between APs. A backhaul interface can be 802.11bg/a/n/ac depending on the AP. The rate selection provides for effective use of the available RF spectrum. Data rates can also affect the RF coverage and network performance. Lower data rates, for example 6 Mbps, extend farther from the AP than higher data rates, for example 1300 Mbps. As a result, the data rate affects cell coverage and, consequently, the number of APs required.

Note Preferably, configure the backhaul data rate through the mesh profile. In certain cases, where a specific data rate is needed, use the ap name command to configure the data rate per AP.
Follow the procedure given below to configure the wireless backhaul data rate in privileged EXEC mode or in mesh profile configuration mode.

Procedure

Step 1
Command or Action: enable
Example:
Device> enable
Purpose: Enters privileged EXEC mode.

Step 2
Command or Action: ap name ap-name mesh backhaul rate {auto | dot11abg | dot11ac | dot11n}
Example:
Device# ap name ap1 mesh backhaul rate auto
Purpose: Configures the backhaul transmission rate.

Step 3
Command or Action: wireless profile mesh profile-name
Example:
Device(config)# wireless profile mesh mesh1
Purpose: Configures a mesh profile and enters mesh profile configuration mode.

Step 4
Command or Action: backhaul rate dot11 {24ghz | 5ghz} dot11n RATE_6M
Example:
Device(config-wireless-mesh-profile)# backhaul rate dot11 5ghz dot11n mcs 31
Purpose: Configures the backhaul transmission rate.
Note: The rate configured on the AP (Step 2) should match the rate configured on the mesh profile (Step 4).

Configuring Mesh Backhaul (CLI)
This section describes how to configure mesh backhaul at 2.4 GHz.

Procedure

Step 1
Command or Action: ap name ap_name mesh backhaul radio dot11 24ghz
Example:
Device# ap name test-ap mesh backhaul radio dot11 24ghz
Purpose: Changes the mesh backhaul to 2.4 GHz.

Configuring Dynamic Frequency Selection (CLI)
DFS specifies the types of radar waveforms that should be detected along with certain timers for an unlicensed operation in the DFS channel.

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wireless profile mesh profile-name
Example:
Device(config)# wireless profile mesh mesh1
Purpose: Configures a mesh profile and enters mesh profile configuration mode.

Step 3
Command or Action: full-sector-dfs
Example:
Device(config-wireless-mesh-profile)# full-sector-dfs
Purpose: Enables DFS.
Note: DFS functionality allows a MAP that detects a radar signal to transmit that up to the RAP, which then acts as if it has experienced radar and moves the sector. This process is called the coordinated channel change. The coordinated channel change is always enabled for Cisco Wave 2 and later versions. The coordinated channel change can be disabled only for Cisco Wave 1 APs.

Configuring the Intrusion Detection System (CLI)
When enabled, the intrusion detection system generates reports for all the traffic on the client access radios. This is not applicable to backhaul traffic.

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wireless profile mesh profile-name
Example:
Device(config)# wireless profile mesh mesh1
Purpose: Configures a mesh profile and enters mesh profile configuration mode.

Step 3
Command or Action: ids
Example:
Device(config-wireless-mesh-profile)# ids
Purpose: Configures intrusion detection system reporting for mesh APs.

Configuring Ethernet Bridging (GUI)
Procedure

Step 1 Choose Configuration > Wireless > Mesh > Profiles.
Step 2 Click Add.
Step 3 In the General tab, enter the Name of the mesh profile.
Step 4 In the Advanced tab, check the Ethernet Bridging check box.
Step 5 Click Apply to Device.

Configuring Ethernet Bridging (CLI)
The Ethernet ports on MAPs are disabled by default. They can be enabled only by configuring Ethernet bridging on the Root AP and the respective MAPs. Ethernet bridging can be enabled for the following scenarios:
· To use the mesh nodes as bridges.
· To connect Ethernet devices, such as a video camera, on a MAP using the MAP's Ethernet port.
Before you begin
· Ensure that you configure the following commands under the mesh profile configuration for Ethernet bridging to be enabled:
  · ethernet-bridging: Enables the Ethernet Bridging feature on an AP.
  · no ethernet-vlan-transparent: Makes the wireless mesh bridge VLAN aware. Allows VLAN filtering with the following AP command: [no] mesh ethernet {0 | 1 | 2 | 3} mode trunk vlan allowed.
Note If you wish to have all the VLANs bridged (where the bridge acts like a piece of wire), then you must enable VLAN transparency, which allows all VLANs to pass. If you choose to use VLAN transparent mode, it is best to filter the VLANs on the wired side of the network to avoid unnecessary traffic from flooding the network.
· The switch port to which the Root AP is connected should be configured as a trunk port for Ethernet bridging to work.
· For Bridge mode APs, use the ap name name-of-rap mesh vlan-trunking native vlan-id command to configure a trunk VLAN on the corresponding RAP. The Ethernet Bridging feature will not be enabled on the AP without configuring this command.
· For Flex+Bridge APs, configure the native VLAN ID under the corresponding flex profile.

Note
To ensure that the MAPs apply the Ethernet VLAN configuration on the controller, configure the native VLAN on the RAP by running the following commands:
Device# ap name ap-name no mesh vlan-trunking
Device# ap name ap-name mesh vlan-trunking native 247
Alternatively, you can configure the native VLAN on the RAP and then the MAP in the following order:
Device# ap name ap-name no mesh vlan-trunking
Device# ap name ap-name mesh vlan-trunking native vlan_id
Device# ap name ap-name mesh ethernet 1 mode trunk vlan native native
Device# ap name ap-name mesh ethernet 0 mode trunk vlan allowed allowed
To verify the status of RAP and MAP, run the following command:
Device# show mesh forwarding all

Procedure

Step 1

enable
Example:
Device# enable

Enables privileged EXEC mode. Enter your password, if prompted.

Step 2

ap name ap-name mesh ethernet {0 | 1 | 2 | 3} mode access vlan-id
Example:
Device# ap name ap1 mesh ethernet 1 mode access 21

Configures the Ethernet port of the AP and sets the mode as trunk.

Step 3

ap name ap-name mesh ethernet {0 | 1 | 2 | 3} mode trunk vlan vlan-id
Example:
Device# ap name ap1 mesh ethernet 1 mode trunk vlan native 21

Sets the native VLAN for the trunk port.

Step 4

ap name ap-name mesh ethernet {0 | 1 | 2 | 3} mode trunk vlan allowed vlan-id
Example:
Device# ap name ap1 mesh ethernet 1 mode trunk vlan allowed 21

Configures the allowed VLANs for the trunk port. Permits VLAN filtering on an Ethernet port of any Mesh or Root Access Point. Active only when VLAN transparency is disabled in the mesh profile.

Configuring Multicast Modes over Mesh
· If multicast packets are received at a MAP over Ethernet, they are sent to the RAP. However, they are not sent to other MAPs. MAP-to-MAP packets are filtered out of the multicast.
· If multicast packets are received at a RAP over Ethernet, they are sent to all the MAPs and their respective Ethernet networks.
· The in-out mode is the default mode. When this in-out mode is in operation, it is important to properly partition your network to ensure that a multicast sent by one RAP is not received by another RAP on the same Ethernet segment, and then sent back into the network.

Procedure

Step 1

configure terminal
Example:
Device# configure terminal

Enters global configuration mode.

Step 2

wireless profile mesh profile-name
Example:
Device(config)# wireless profile mesh mesh1

Configures a mesh profile and enters mesh profile configuration mode.

Step 3

multicast {in-only | in-out | regular}
Example:
Device(config-wireless-mesh-profile)# multicast regular

Configures mesh multicast mode.

Configuring RRM on Mesh Backhaul (CLI)
The RRM measurement in the mesh AP backhaul is enabled based on the following conditions:
· Mesh AP has the Root AP role.
· Root AP has joined using an Ethernet link.
· Root AP is not serving any child AP.
Follow the procedure given below to enable RRM in the mesh backhaul:

Procedure

Step 1

configure terminal
Example:
Device# configure terminal

Enters global configuration mode.

Step 2

wireless mesh backhaul rrm
Example:
Device(config)# wireless mesh backhaul rrm

Configures RRM on the mesh backhaul.


Selecting a Preferred Parent (GUI)
Procedure

Step 1 Choose Configuration > Wireless > Access Points.
Step 2 Click the Access Point.
Step 3 In the Mesh tab, enter the Preferred Parent MAC.
Step 4 Click Update & Apply to Device.

Selecting a Preferred Parent (CLI)
Follow the procedure given below to configure a preferred parent for a MAP. Using this mechanism, you can override the AWPP-defined parent selection mechanism and force a mesh AP to go to a preferred parent.

Procedure

Step 1

enable
Example:
Device> enable

Enters privileged EXEC mode.

Step 2

ap name ap-name mesh parent preferred mac-address
Example:
Device# ap name ap1 mesh parent preferred 00:0d:ed:dd:25:8F

Configures mesh parameters for the AP and sets the mesh-preferred parent MAC address.

Note
Ensure that you use the radio MAC address of the preferred parent.
For Cisco Wave 1 APs, when you configure a preferred parent, ensure that you specify the MAC address of the actual mesh neighbor for the desired parent. This MAC address is the base radio MAC address that has the letter "f" as the final character. For example, if the base radio MAC address is 00:24:13:0f:92:00, then you must specify 00:24:13:0f:92:0f as the preferred parent.
Device# ap name ap1 mesh parent preferred 00:24:13:0f:92:0f
For Cisco Wave 2 APs, when you configure a preferred parent, the MAC address is the base radio MAC address that has "0x11" added to the last two characters. For example, if the base radio MAC address is 00:24:13:0f:92:00, then you must specify 00:24:13:0f:92:11 as the preferred parent.
Device# ap name ap1 mesh parent preferred 00:24:13:0f:92:11
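The two derivation rules in the note above (Wave 1: the final hex character becomes "f"; Wave 2: 0x11 is added to the last octet) are easy to get wrong by hand, and a wrong value simply fails to pin the MAP to the intended parent. The following Python script is an added example, not part of the Cisco guide or of the controller software: it derives the preferred-parent value from a base radio MAC address, builds the matching ap name ... mesh parent preferred command, and checks a value already configured on an AP against the expected one. The sample MAC addresses are constructed, and refusing a carry out of the last octet under the Wave 2 rule is this example's own choice, because the guide does not define that case.

```python
import re

# Constructed sample base-radio MAC addresses (not from any real deployment).
SAMPLE_BASE_RADIO_MACS = ["00:24:13:0f:92:00", "00:0d:ed:dd:25:80"]


def normalize_mac(mac: str) -> str:
    """Accept colon, hyphen or Cisco dotted notation and return lower-case colon form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def preferred_parent_mac(base_radio_mac: str, wave: int) -> str:
    """Derive the mesh parent preferred value from the parent's base radio MAC.

    Wave 1 rule from the guide: the final hex character becomes 'f'.
    Wave 2 rule from the guide: 0x11 is added to the last octet.
    """
    mac = normalize_mac(base_radio_mac)
    if wave == 1:
        return mac[:-1] + "f"
    if wave == 2:
        last_octet = int(mac[-2:], 16) + 0x11
        if last_octet > 0xFF:
            # Assumption of this example: the guide gives no rule for a carry
            # out of the last octet, so refuse rather than guess.
            raise ValueError(f"last octet of {mac} overflows when 0x11 is added")
        return mac[:-2] + f"{last_octet:02x}"
    raise ValueError("wave must be 1 or 2")


def preferred_parent_command(ap_name: str, base_radio_mac: str, wave: int) -> str:
    """Return the controller command that pins ap_name to the given parent."""
    return f"ap name {ap_name} mesh parent preferred {preferred_parent_mac(base_radio_mac, wave)}"


def preferred_parent_matches(configured_mac: str, base_radio_mac: str, wave: int) -> bool:
    """True if the value already configured on the AP is what the guide's rule produces."""
    return normalize_mac(configured_mac) == preferred_parent_mac(base_radio_mac, wave)


if __name__ == "__main__":
    for base in SAMPLE_BASE_RADIO_MACS:
        for wave in (1, 2):
            print(f"Wave {wave} parent {base}: {preferred_parent_command('ap1', base, wave)}")
```

Feed the script the base radio MAC of the intended parent (as shown by the controller), not the Ethernet MAC; the derived value is what goes into the command, and preferred_parent_matches is the check to run when a MAP keeps choosing a different parent than the one you believe you configured.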

Changing the Role of an AP (GUI)
Procedure

Step 1 Choose Configuration > Wireless > Access Points.
Step 2 Click the Access Point.
Step 3 In the Mesh tab, choose Root or Mesh from the Role drop-down list.
Step 4 Click Update & Apply to Device.

After the role change is triggered, the AP reboots.

Changing the Role of an AP (CLI)
Follow the procedure to change the AP from MAP to RAP or vice versa. By default, APs join the controller in a mesh AP role.

Procedure

Step 1

enable
Example:
Device> enable

Enters privileged EXEC mode.

Step 2

ap name ap-name role {mesh-ap | root-ap}
Example:
Device# ap name ap1 role root-ap

Changes the role for the Cisco bridge mode APs. After the role change is triggered, the AP reboots.

Configuring the Mesh Leaf Node (CLI)

Procedure

Step 1

enable
Example:
Device> enable

Enters privileged EXEC mode.

Step 2

ap name ap-name mesh block-child
Example:
Device# ap name ap1 mesh block-child

Sets the AP to work only as a leaf node. This AP cannot be selected by other MAPs as a parent MAP.

Note
Use the no form of this command to change it to a regular AP.

Configuring the Mesh Leaf Node (GUI)
Procedure

Step 1 Choose Configuration > Wireless > Access Points.
Step 2 Click the Access Point.
Step 3 In the Mesh tab, check the Block Child check box.
Step 4 Click Update & Apply to Device.

Configuring Subset Channel Synchronization
All the channels used by all the RAPs in a controller are sent to all the MAPs for future seek and convergence. The controller keeps a list of the subset channels for each Bridge Group Name (BGN). The list of subset channels is also shared across all the controllers in a mobility group.
The subset channel list is the list of channels on which the RAPs of a particular BGN are operating. This list is communicated to all the MAPs within and across the controllers. The purpose of the subset channel list is faster convergence of the mesh APs. The convergence method can be selected in the mesh profile. If the convergence method is not standard, the subset channel list is pushed to the MAPs.
Follow the procedure given below to configure subset channel synchronization for a mobility group.

Procedure

Step 1

configure terminal
Example:
Device# configure terminal

Enters global configuration mode.

Step 2

wireless mesh subset-channel-sync mac
Example:
Device(config)# wireless mesh subset-channel-sync

Configures subset channel synchronization for a mobility group.

Provisioning LSC for Bridge-Mode and Mesh APs (GUI)
Procedure

Step 1 Choose Configuration > Wireless > Access Points > LSC Provision.
Step 2 In the Add APs to LSC Provision List settings, click the Select File option to upload a CSV file that contains AP details.
Step 3 Click Upload File.
Step 4 You can also use the AP MAC Address field to search for APs using the MAC address and add them. The APs added to the provision list are displayed in the APs in Provision List list.
Step 5 Click Apply.
Step 6 Choose Configuration > Wireless > Mesh > Profiles.
Step 7 Click Add.
Step 8 In the General tab, enter the Name of the mesh profile and check the LSC check box.
Step 9 In the Advanced tab, under the Security settings, choose the authorization method from the Authorization Method drop-down list.
Step 10 Click Apply to Device.

Provisioning LSC for Bridge-Mode and Mesh APs
· Configuring Locally Significant Certificate (LSC) will not remove pre-existing certificates from an AP.
· An AP can have both LSC and Message Integrity Check (MIC) certificates. However, when an AP is provisioned with LSC, the MIC certificate is not used on boot-up. A change from LSC to MIC requires the AP to reboot.
Follow the procedure given below to configure LSC for bridge-mode and mesh APs:

Procedure

Step 1

configure terminal
Example:
Device# configure terminal

Enters global configuration mode.

Step 2

ap lsc-provision
Example:
Device(config)# ap lsc-provision

Configures LSC provisioning on an AP.

Note
This step is applicable only for mesh APs.

Step 3

ap lsc-provision provision-list
Example:
Device(config)# ap lsc-provision provision-list

(Optional) Configures LSC provision for all the APs in the provision list.

Step 4

aaa authentication dot1x auth-list radius group radius-server-grp
Example:
Device(config)# aaa authentication dot1x list1 radius group sg1

Configures a named authorization list for downloading the EAP credential from the RADIUS server group.

Step 5

wireless profile mesh profile-name
Example:
Device(config)# wireless profile mesh mesh1

Configures a mesh profile and enters mesh profile configuration mode.

Step 6

lsc-only-auth
Example:
Device(config-wireless-mesh-profile)# lsc-only-auth

Configures mesh security to LSC-only MAP authentication. After this command is run, all the mesh APs reboot.

Step 7

method authorization local
Example:
Device(config-wireless-mesh-profile)# method authorization list1

Configures an authorization method for mesh AP authorization.

Specifying the Backhaul Slot for the Root AP (GUI)
Procedure

Step 1 Choose Configuration > Wireless > Mesh > Profiles.
Step 2 Click Add.
Step 3 In the General tab, enter the Name of the mesh profile.
Step 4 In the Advanced tab, choose the rate types from the Rate Types drop-down list for 5 GHz Band Backhaul and 2.4 GHz Band Backhaul.
Step 5 Click Apply to Device.

Specifying the Backhaul Slot for the Root AP (CLI)
Follow the procedure given below to set the mesh backhaul rate.

Procedure

Step 1

enable
Example:
Device> enable

Enters privileged EXEC mode.

Step 2

ap name rap-name mesh backhaul radio dot11 {24ghz | 5ghz} [slot slot-id]
Example:
Device# ap name rap1 mesh backhaul radio dot11 24ghz slot 2

Sets the mesh backhaul radio slot.


Using a Link Test on Mesh Backhaul (GUI)
Procedure

Step 1 Choose Monitoring > Wireless > AP Statistics > General.
Step 2 Click the Access Point.
Step 3 Choose Mesh > Neighbor > Linktest.
Step 4 Choose the desired values from the Data Rates, Packets to be sent (per second), Packet Size (bytes) and Test Duration (seconds) drop-down lists.
Step 5 Click Start.

Using a Link Test on Mesh Backhaul
Follow the procedure given below to trigger linktest between neighbor mesh APs.

Note Use the test mesh linktest mac-address neighbor-ap-mac rate data-rate fps frames-per-second frame-size frame-size command to perform link test from an AP.

Procedure

Step 1

enable
Example:
Device> enable

Enters privileged EXEC mode.

Step 2

ap name ap-name mesh linktest dest-ap-mac data-rate packet-per-sec packet-size test-duration
Example:
Device# ap name ap1 mesh linktest F866.F267.7DFB 24 234 1200 200

Sets link test parameters.


Configuring Battery State for Mesh AP (GUI)
Procedure

Step 1 Choose Configuration > Wireless > Mesh > Profiles.
Step 2 Choose a profile.
Step 3 In the General tab, check the Battery State for an AP check box.
Step 4 Click Update & Apply to Device.

Configuring Battery State for Mesh AP
Some Cisco outdoor APs come with the option of battery backup. There is also a POE-out port that can power a video surveillance camera. The integrated battery can be used for temporary backup power during external power interruptions.

Procedure

Step 1

configure terminal
Example:
Device# configure terminal

Enters global configuration mode.

Step 2

wireless profile mesh profile-name
Example:
Device(config)# wireless profile mesh mesh1

Configures a mesh profile and enters mesh profile configuration mode.

Step 3

battery-state
Example:
Device(config-wireless-mesh-profile)# battery-state

Configures the battery state for an AP.

Configuring Mesh Convergence (CLI)
This section provides information about how to configure mesh convergence.

Procedure

Step 1

configure terminal
Example:
Device# configure terminal

Enters global configuration mode.

Step 2

wireless profile mesh profile-name
Example:
Device(config)# wireless profile mesh mesh1

Creates a mesh profile.

Step 3

convergence {fast | noise-tolerant-fast | standard | very-fast}
Example:
Device(config-wireless-mesh-profile)# convergence fast

Configures mesh convergence method in a mesh profile.

Configuring DHCP Server on Root Access Point (RAP)

Procedure

Step 1

configure terminal
Example:
Device# configure terminal

Enters global configuration mode.

Step 2

ap profile ap-profile-name
Example:
Device(config)# ap profile ap-profile-name

Configures an AP Profile.

Step 3

dhcp-server
Example:
Device(config-ap-profile)# dhcp-server

Configures DHCP server on the root access point.

Step 4

end Example:
Device(config-ap-profile)# end

Saves the configuration and exits configuration mode and returns to privileged EXEC mode.


Configuring Mesh Ethernet Daisy Chaining (CLI)
The following section provides information about how to configure the Mesh Ethernet Daisy Chaining feature on a mesh AP.

Procedure

Step 1

configure terminal
Example:
Device# configure terminal

Enters global configuration mode.

Step 2

ap profile default-ap-profile
Example:
Device(config)# ap profile default-ap-profile

Specifies an AP profile.

Step 3

ssid broadcast persistent
Example:
Device(config-ap-profile)# ssid broadcast persistent

Configures persistent SSID broadcast and ensures strict wired uplink. RAP will not switch to wireless backhaul when you configure this command.

Enabling Mesh Ethernet Daisy Chaining
The following section provides information about how to enable the Mesh Ethernet Daisy Chaining feature on a Cisco IW 3702 AP.

Procedure

Step 1

configure terminal
Example:
Device# configure terminal

Enters global configuration mode.

Step 2

wireless profile mesh default-mesh-profile
Example:
Device(config)# wireless profile mesh default-mesh-profile

Creates a mesh profile.

Step 3

ethernet-bridging
Example:
Device(config-wireless-mesh-profile)# ethernet-bridging

Connects remote wired networks to each other.

Step 4

no ethernet-vlan-transparent
Example:
Device(config-wireless-mesh-profile)# no ethernet-vlan-transparent

Disables VLAN transparency to ensure that the bridge is VLAN aware.

Configuring Mesh CAC (CLI)

Procedure

Step 1

configure terminal
Example:
Device# configure terminal

Enters global configuration mode.

Step 2

wireless mesh cac
Example:
Device(config)# wireless mesh cac

Enables mesh CAC mode.

Configuring ATF on Mesh (GUI)
Procedure

Step 1 Choose Configuration > Wireless > Airtime Fairness > Global Config.
Step 2 For 5 GHz Band and 2.4 GHz Band, enable the Status and the Bridge Client Access toggle button.
Step 3 To choose the Mode, click the Monitor or Enforced radio button.
Step 4 Enable or disable the Optimization toggle button.
Step 5 Enter the Airtime Allocation.
Step 6 Click Apply to Device.


Configuring ATF on Mesh

Procedure

Step 1

configure terminal
Example:
Device# configure terminal

Enters global configuration mode.

Step 2

ap dot11 {24ghz | 5ghz} rf-profile rf-profile
Example:
Device(config)# ap dot11 24ghz rf-profile rfprof24_1

Configures an RF profile and enters RF profile configuration mode.

Step 3

airtime-fairness bridge-client-access airtime-allocation allocation-weight-percentage
Example:
Device(config-rf-profile)# airtime-fairness bridge-client-access airtime-allocation 10

Configures airtime allocation weight percentage on mesh APs.

Create an ATF Policy for a MAP

Procedure

Step 1

configure terminal
Example:
Device# configure terminal

Enters global configuration mode.

Step 2

wireless profile policy profile-policy
Example:
Device(config)# wireless profile policy rr-xyz-policy-1

Configures WLAN policy profile and enters wireless policy configuration mode.

Step 3

dot11 24ghz airtime-fairness atf-policy
Example:
Device(config-wireless-policy)# dot11 24ghz airtime-fairness atf-policy

Enables ATF in the existing RF profile.


Creating an ATF Policy (GUI)
Procedure

Step 1 Choose Configuration > Air Time Fairness > Profiles.
Step 2 On the Profiles window, click Add.
Step 3 In the Add ATF Policy window, specify a name, ID, and weight for the ATF policy.

Note
Weighted ratio is used instead of percentages so that the total can exceed 100. The minimum weight that you can set is 5.

Step 4 Use the slider to enable or disable the Client Sharing feature.
Step 5 Click Save & Apply to Device to save your ATF configuration.
Step 6 (Optional) To delete a policy, check the check box next to the appropriate policy and click Delete.
Step 7 (Optional) To edit an existing ATF policy, select the check box next to the policy you want to edit. In the Edit ATF Policy window that is displayed, you can modify the weight and client sharing details for the policy.

Adding an ATF to a Policy Profile (GUI)
Procedure

Step 1 Choose Configuration > Tags & Profiles > Policy.
Step 2 Click the name of the corresponding policy profile.
Step 3 Click the Advanced tab.
Step 4 In the Air Time Fairness Policies section, choose the appropriate status for the following: 2.4-GHz Policy and 5-GHz Policy.
Step 5 Click Update & Apply to Device.

Enabling ATF Mode in an RF Profile (GUI)
Procedure

Step 1 Choose Configuration > Tags & Profiles > RF.
Step 2 Click the name of the corresponding RF profile.
Step 3 In the RF Profile window, click the Advanced tab.
Step 4 In the ATF Configuration section, choose the appropriate status for the following:
· Status: If you choose Enabled as the status, select the Mode as either Monitor or Enforced. Also, you can enable or disable optimization for this mode.
· Bridge Client Access
· Airtime Allocation: Enter the allocation value. You can set the value only after you enable the Bridge Client Access.
Step 5 Click Update & Apply to Device.

Configuring Fast Teardown for a Mesh AP Profile (CLI)

Procedure

Step 1

configure terminal
Example:
Device# configure terminal

Enters global configuration mode.

Step 2

wireless profile mesh profile-name
Example:
Device(config)# wireless profile mesh mesh1

Configures a mesh profile and enters the mesh profile configuration mode.

Step 3

fast-teardown
Example:
Device(config-wireless-mesh-profile)# fast-teardown

Enables the fast teardown of mesh network and configures the feature's parameter.

Step 4

enabled
Example:
Device(config-wireless-mesh-profile-fast-teardown)# enabled

Enables the fast teardown feature.

Step 5

interval duration
Example:
Device(config-wireless-mesh-profile-fast-teardown)# interval 5

(Optional) Configures the retry interval. The valid values range between 1 and 10 seconds.

Step 6

latency-exceeded-threshold duration
Example:
Device(config-wireless-mesh-profile-fast-teardown)# latency-exceeded-threshold 20

(Optional) Specifies the latency interval at which at least one ping must succeed in less than the threshold time. The valid values range between 1 and 30 seconds.

Step 7

latency-threshold threshold range
Example:
Device(config-wireless-mesh-profile-fast-teardown)# latency-threshold 20

(Optional) Specifies the latency threshold. The valid values range between 1 and 500 milliseconds.

Step 8

retries retry limit
Example:
Device(config-wireless-mesh-profile-fast-teardown)# retries 1

(Optional) Specifies the number of retries until the gateway is considered unreachable. The valid values range between 1 and 10.

Step 9

uplink-recovery-intervals recovery interval
Example:
Device(config-wireless-mesh-profile-fast-teardown)# uplink-recovery-intervals 1

(Optional) Specifies the time during which the root access point uplink has to be stable to accept child connections. The valid values range between 1 and 3600 seconds.
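Two things in this chapter are worth checking against a controller's running configuration rather than trusting memory: the Ethernet bridging prerequisites (ethernet-bridging together with no ethernet-vlan-transparent, so that the allowed-VLAN filter on the AP Ethernet port is active instead of every VLAN being bridged through the mesh) and the fast-teardown value ranges in the steps above. The following Python script is an added example, not part of the Cisco guide or of the controller software: it splits a constructed running-config excerpt into mesh profiles and reports profiles that bridge Ethernet in VLAN-transparent mode, that lack ids reporting, or whose fast-teardown values fall outside the documented ranges. The indentation layout of the excerpt (one space per nesting level) and the reading that a profile without no ethernet-vlan-transparent is transparent are this example's assumptions, taken from the guide's wording.

```python
import re

# Constructed running-config excerpt for this example (sample data, not from a real controller).
SAMPLE_RUNNING_CONFIG = """\
wireless profile mesh mesh-bridge
 ethernet-bridging
 no ethernet-vlan-transparent
 ids
 lsc-only-auth
 fast-teardown
  enabled
  interval 5
  latency-threshold 20
  retries 1
  uplink-recovery-intervals 1
wireless profile mesh mesh-transparent
 ethernet-bridging
 fast-teardown
  interval 15
  latency-threshold 20
"""

# Valid ranges for the fast-teardown parameters as stated in the steps above.
FAST_TEARDOWN_RANGES = {
    "interval": (1, 10),                    # seconds
    "latency-exceeded-threshold": (1, 30),  # seconds
    "latency-threshold": (1, 500),          # milliseconds
    "retries": (1, 10),
    "uplink-recovery-intervals": (1, 3600), # seconds
}


def parse_mesh_profiles(config: str) -> dict:
    """Split a running-config into mesh profiles.

    Returns {name: {"lines": [profile-level commands], "fast_teardown": {param: value}}}.
    Nesting is inferred from IOS-style indentation (assumption of this example):
    one space for profile commands, two spaces for fast-teardown sub-commands.
    """
    profiles, current, in_fast_teardown = {}, None, False
    for raw in config.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        if indent == 0:
            match = re.match(r"wireless profile mesh (\S+)$", line)
            current = match.group(1) if match else None
            in_fast_teardown = False
            if current is not None:
                profiles[current] = {"lines": [], "fast_teardown": {}}
        elif current is None:
            continue
        elif indent == 1:
            in_fast_teardown = line == "fast-teardown"
            profiles[current]["lines"].append(line)
        elif in_fast_teardown:
            parts = line.split()
            value = int(parts[1]) if len(parts) == 2 and parts[1].isdigit() else True
            profiles[current]["fast_teardown"][parts[0]] = value
    return profiles


def audit_mesh_profile(name: str, profile: dict) -> list:
    """Return a list of finding strings for one mesh profile (empty list means clean)."""
    findings = []
    lines = set(profile["lines"])
    if "ethernet-bridging" in lines and "no ethernet-vlan-transparent" not in lines:
        # Per the guide, 'mode trunk vlan allowed' filtering on the AP port is active
        # only when VLAN transparency is disabled in the mesh profile.
        findings.append(f"{name}: Ethernet bridging is VLAN transparent; allowed-VLAN filtering on AP ports is inactive")
    if "ids" not in lines:
        findings.append(f"{name}: intrusion detection reporting (ids) is not enabled")
    fast_teardown = profile["fast_teardown"]
    if fast_teardown and "enabled" not in fast_teardown:
        findings.append(f"{name}: fast-teardown parameters are set but the feature is not enabled")
    for param, value in fast_teardown.items():
        if param in FAST_TEARDOWN_RANGES:
            low, high = FAST_TEARDOWN_RANGES[param]
            if not low <= value <= high:
                findings.append(f"{name}: fast-teardown {param} {value} is outside the valid range {low}-{high}")
    return findings


def audit_running_config(config: str) -> dict:
    """Map each mesh profile name to its list of findings."""
    return {name: audit_mesh_profile(name, profile) for name, profile in parse_mesh_profiles(config).items()}


if __name__ == "__main__":
    for profile_name, findings in audit_running_config(SAMPLE_RUNNING_CONFIG).items():
        print(profile_name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Run it over the text of show running-config | section wireless profile mesh saved from a controller; a profile that comes back clean has VLAN-aware bridging, ids reporting and in-range fast-teardown values, and each finding names the profile and the command to revisit.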

Flex Resilient with Flex and Bridge Mode Access Points
Information About Flex Resilient with Flex and Bridge Mode Access Points
This section describes how to set up a controller with Flex+Bridge mode Access Points (APs) and the Flex Resilient feature. The Flex Resilient feature works only in Flex+Bridge mode APs. The feature resides in the mesh link formed between RAP and MAP: once the link is up and the RAP loses connection to the CAPWAP controller, both RAP and MAP continue to bridge the traffic. A child Mesh AP (MAP) maintains its link to a parent AP and continues to bridge until the parent link is lost. A child MAP cannot establish a new parent or child link until it reconnects to the CAPWAP controller.

Note Existing wireless clients in locally switching WLAN can stay connected with their AP in this mode. No new or disconnected wireless client can associate to the Mesh AP in this mode. Client traffic in Flex+Bridge MAP is dropped at RAP switchport for the locally switched WLANs.

Configuring a Flex Profile (GUI)
Procedure

Step 1 Choose Configuration > Tags & Profiles > Flex.
Step 2 Click a Flex Profile Name. The Edit Flex Profile dialog box appears.
Step 3 Under the General tab, check the Flex Resilient check box to enable the Flex Resilient feature.
Step 4 Under the VLAN tab, choose the required VLANs.
Step 5 (Optional) Under the Local Authentication tab, choose the desired server group from the Local Accounting RADIUS Server Group drop-down list. Also, check the RADIUS check box.
Step 6 Click Update & Apply to Device.

Configuring a Flex Profile (CLI)

Procedure

Step 1

configure terminal
Example:
Device# configure terminal

Enters global configuration mode.

Step 2

wireless profile flex flex-profile
Example:
Device(config)# wireless profile flex new-flex-profile

Configures a Flex profile and enters Flex profile configuration mode.

Step 3

arp-caching
Example:
Device(config-wireless-flex-profile)# arp-caching

Enables ARP caching.

Step 4

description description
Example:
Device(config-wireless-flex-profile)# description "new flex profile"

Enables default parameters for the Flex profile.

Step 5

native-vlan-id vlan-id
Example:
Device(config-wireless-flex-profile)# native-vlan-id 2660

Configures native vlan-id information.

Step 6

resilient
Example:
Device(config-wireless-flex-profile)# resilient

Enables the resilient feature.

Step 7

vlan-name vlan_name
Example:
Device(config-wireless-flex-profile)# vlan-name VLAN2659

Configures VLAN name.

Step 8

vlan-id vlan_id
Example:
Device(config-wireless-flex-profile)# vlan-id 2659

Configures VLAN ID. The valid VLAN ID ranges from 1 to 4096.

Step 9

end
Example:
Device(config-wireless-flex-profile)# end

Exits configuration mode and returns to privileged EXEC mode.

Configuring a Site Tag (CLI)

Procedure

Step 1

configure terminal
Example:
Device# configure terminal

Enters global configuration mode.

Step 2

wireless tag site site-name
Example:
Device(config)# wireless tag site new-flex-site

Configures a site tag and enters site tag configuration mode.

Step 3

flex-profile flex-profile-name
Example:
Device(config-site-tag)# flex-profile new-flex-profile

Configures a flex profile.

Step 4

no local-site
Example:
Device(config-site-tag)# no local-site

Local site is not configured on the site tag.

Step 5

site-tag site-tag-name
Example:
Device(config-site-tag)# site-tag new-flex-site

Maps a site tag to an AP.

Step 6

end Example:
Device(config-site-tag)# end

Exits configuration mode and returns to privileged EXEC mode.


Configuring a Mesh Profile (CLI)

Procedure

Step 1

configure terminal
Example:
Device# configure terminal

Enters global configuration mode.

Step 2

wireless profile mesh profile-name
Example:
Device(config)# wireless profile mesh Mesh_Profile

Configures a Mesh profile and enters the Mesh profile configuration mode.

Step 3

no ethernet-vlan-transparent
Example:
Device(config-wireless-profile-mesh)# no ethernet-vlan-transparent

Disables VLAN transparency to ensure that the bridge is VLAN aware.

Step 4

end
Example:
Device(config-wireless-profile-mesh)# end

Exits configuration mode and returns to privileged EXEC mode.

Associating Wireless Mesh to an AP Profile (CLI)

Procedure

Step 1

configure terminal
Example:
Device# configure terminal

Enters global configuration mode.

Step 2

ap profile ap-profile-name
Example:
Device(config)# ap profile new-ap-join-profile

Configures the AP profile and enters AP profile configuration mode.

Step 3

mesh-profile mesh-profile-name
Example:
Device(config-ap-profile)# mesh-profile Mesh_Profile

Configures the Mesh profile in AP profile configuration mode.

Step 4

ssh
Example:
Device(config-ap-profile)# ssh

Configures the Secure Shell (SSH).

Step 5

mgmtuser username username password {0 | 8} password
Example:
Device(config-ap-profile)# mgmtuser username Cisco password 0 Cisco secret 0 Cisco

Specifies the AP management username and password for managing all of the access points configured to the controller.
· 0: Specifies an UNENCRYPTED password.
· 8: Specifies an AES encrypted password.

Note
While configuring a username, ensure that special characters are not used, as this results in an error with bad configuration.

Step 6

end
Example:
Device(config-ap-profile)# end

Exits configuration mode and returns to privileged EXEC mode.

Attaching Site Tag to an Access Point (CLI)

Procedure

Step 1

configure terminal
Example:
Device# configure terminal

Enters global configuration mode.

Step 2

ap mac-address
Example:
Device(config)# ap F866.F267.7DFB

Configures Cisco APs and enters ap-tag configuration mode.

Step 3

site-tag site-tag-name
Example:
Device(config-ap-tag)# site-tag new-flex-site

Maps a site tag to the AP.

Note
Associating a site tag causes the associated AP to reconnect.

Step 4

end
Example:
Device(config-ap-tag)# end

Exits configuration mode and returns to privileged EXEC mode.


Configuring Switch Interface for APs (CLI)

Procedure

Step 1

configure terminal
Example:
Device# configure terminal

Enters global configuration mode.

Step 2

interface interface-id
Example:
Device(config)# interface <int-id>

Enters the interface to be added to the VLAN.

Step 3

switchport trunk native vlan vlan-id
Example:
Device(config-if)# switchport trunk native vlan 2660

Assigns the native VLAN ID to the port when it is in trunking mode.

Step 4

switchport trunk allowed vlan vlan-id
Example:
Device(config-if)# switchport trunk allowed vlan 2659,2660

Assigns the allowed VLAN IDs to the port when it is in trunking mode.

Step 5

switchport mode trunk
Example:
Device(config-if)# switchport mode trunk

Sets the trunking mode to trunk unconditionally.

Note: When the controller works as a host for spanning tree, ensure that you configure portfast trunk, using the spanning-tree portfast trunk command, on the uplink switch to ensure faster convergence.

Step 6

end
Example:
Device(config-if)# end

Exits configuration mode and returns to privileged EXEC mode.

Verifying Flex Resilient with Flex and Bridge Mode Access Points Configuration

To view the AP mode and model details, use the following command:

Device# show ap name <ap-name> config general | inc AP Mode
AP Mode                          : Flex+Bridge
AP Model                         : AIR-CAP3702I-A-K9

To view the MAP mode details, use the following command:

Device# show ap name MAP config general | inc AP Mode
AP Mode                          : Flex+Bridge
AP Model                         : AIR-CAP3702I-A-K9

To view the RAP mode details, use the following command:

Device# show ap name RAP config general | inc AP Mode
AP Mode                          : Flex+Bridge
AP Model                         : AIR-AP2702I-A-K9

To view whether the Flex Profile - Resilient feature is enabled, use the following command:

Device# show wireless profile flex detailed FLEX_TAG | inc resilient
Flex resilient                   : ENABLED

Verifying ATF Configuration on Mesh

You can verify Cisco ATF configurations on mesh APs using the following commands. Use the following show command to display the ATF configuration summary of all the radios:

Device# show ap airtime-fairness summary

AP Name                          MAC Address       Slot Admin    Oper        Mode           Optimization
-------------------------------- ----------------- ---- -------- ----------- -------------- ------------
ap1/2                            6c:99:89:0c:73:a0 0    ENABLED  DOWN        Enforce-Policy Enabled
ap1/2                            6c:99:89:0c:73:a0 1    ENABLED  UP          Enforce-Policy Enabled
ap1/3                            6c:99:89:0c:73:a1 0    ENABLED  DOWN        Enforce-Policy Enabled
ap1/3                            6c:99:89:0c:73:a1 1    ENABLED  UP          Enforce-Policy Enabled

Use the following show command to display the ATF configuration for a 2.4-GHz radio:

Device# show ap dot11 24ghz airtime-fairness

AP Name                        MAC Address       Slot Admin    Oper        Mode           Optimization
------------------------------ ----------------- ---- -------- ----------- -------------- ------------
ap1/2                          6c:99:89:0c:73:a0 1    ENABLED  UP          Enforce-Policy Enabled

Use the following show command to display the ATF WLAN statistics:

Device# show ap name ap1 dot11 24ghz airtime-fairness wlan 12 statistics

AP Name                          MAC Address       Slot Admin    Oper        Mode           Optimization
-------------------------------- ----------------- ---- -------- ----------- -------------- ------------
ap1/2                            6c:99:89:0c:73:a0 0    ENABLED  DOWN        Enforce-Policy Enabled
ap1/2                            6c:99:89:0c:73:a0 1    ENABLED  UP          Enforce-Policy Enabled

Network level

Use the following show command to display the wireless mesh summary:

Device# show wireless profile mesh summary

Number of Profiles: 2

Profile-Name          BGN   Security  Bh-access  Description
----------------------------------------------------------------------------------------------------
mesh1                       EAP       DISABLED
default-mesh-profile        EAP       DISABLED   default mesh profile

Device# show mesh atf client-access

AP Name           Client Access Allocation   Override   Current nodes
                  Default %  Current %
----------------- ---------  ---------       --------   -------------
RAP               25         33              Enabled    4
RAP               40         40              Enabled    3

Verifying Mesh Ethernet Daisy Chaining

· The following is a sample output of the show ap config general command that displays whether a persistent SSID is configured for an AP.

Device# show ap 3702-RAP config general
Persistent SSID Broadcast                       : Enabled/Disabled

· The following is a sample output of the show wireless mesh persistent-ssid-broadcast summary command that displays the persistent SSID broadcast status of all the bridge RAPs.

Device# show wireless mesh persistent-ssid-broadcast summary

AP Name   AP Model  BVI MAC         BGN      AP Role  Persistent SSID state
--------  --------  --------------  -------  -------  ---------------------
3702-RAP  3702      5c71.0d07.db50  ap_name  Root AP  Enabled
1560-RAP  1562E     380e.4dbf.c6b0  ap_name  Root AP  Disabled

Verifying Mesh Convergence

The following is a sample output of the show wireless profile mesh detailed command that displays the mesh convergence method used:

Device# show wireless profile mesh detailed default-mesh-profile
Mesh Profile Name           : default-mesh-profile
-------------------------------------------------
Description                 : default mesh profile
Convergence Method          : Fast

The following is a sample output of the show wireless mesh convergence subset-channels command that displays the subset channels of the selected bridge group name:

Device# show wireless mesh convergence subset-channels
Bridge group name                 Channel
------------------------------------------
Default                           132


Verifying DHCP Server for Root AP Configuration

To verify the DHCP server for root AP configuration, use the following command:

Device# show ap config general
Cisco AP Name   : AP4C77.6DF2.D588
=================================================
<SNIP>
Dhcp Server                                     : Enabled

Verifying Mesh Backhaul

The following is a sample output of the show ap name mesh backhaul command that shows details of the mesh backhaul at 2.4 GHz:

Device# show ap name test-ap mesh backhaul
MAC Address : xxxx.xxxx.xxxx
  Current Backhaul Slot: 0
  Radio Type: 0
  Radio Subband: All
  Mesh Radio Role: DOWNLINK
  Administrative State: Enabled
  Operation State: Up
  Current Tx Power Level:
  Current Channel: (11)
  Antenna Type: N/A
  Internal Antenna Gain (in .5 dBm units): 0

The following is a sample output of the show wireless mesh ap backhaul command that shows the mesh backhaul details:

Device# show wireless mesh ap backhaul
MAC Address : xxxx.xxxx.0x11
  Current Backhaul Slot: 1
  Radio Type: Main
  Radio Subband: All
  Mesh Radio Role: Downlink
  Administrative State: Enabled
  Operation State: Up
  Current Tx Power Level: 6
  Current Channel: (100)*
  Antenna Type: N/A
  Internal Antenna Gain (in .5 dBm units): 10

The following is a sample output of the show ap summary command that shows the radio MAC address and the corresponding AP name:

Device# show ap summary
Number of APs: 1

AP Name     Slots  AP Model          Ethernet MAC    Radio MAC       Location          Country  IP Address    State
---------------------------------------------------------------------------------------------------------------------
AP-Cisco-1  2      AIR-APXXXXX-E-K9  xxxx.xxxx.xxd4  xxxx.xxxx.0x11  default location  DE       10.11.70.170  Registered


Verifying Mesh Configuration

Use the following show commands to verify the various aspects of mesh configuration.

· show wireless mesh stats ap-name
· show wireless mesh security-stats {all | ap-name}
· show wireless mesh queue-stats {all | ap-name}
· show wireless mesh per-stats summary {all | ap-name}
· show wireless mesh neighbor summary {all | ap-name}
· show wireless mesh neighbor detail ap-name
· show wireless mesh ap summary
· show wireless mesh ap tree
· show wireless mesh ap backhaul
· show wireless mesh config
· show wireless mesh convergence detail bridge-group-name
· show wireless mesh convergence subset-channels
· show wireless mesh neighbor
· show wireless profile mesh detailed mesh-profile-name
· show wireless stats mesh security
· show wireless stats mesh queue
· show wireless stats mesh packet error
· show ap name ap-name mesh backhaul
· show ap name ap-name mesh neighbor detail
· show ap name ap-name mesh path
· show ap name ap-name mesh stats packet error
· show ap name ap-name mesh stats queue
· show ap name ap-name mesh stats security
· show ap name ap-name mesh stats
· show ap name ap-name mesh bhrate
· show ap name ap-name config ethernet
· show ap name ap-name cablemodem
· show ap name ap-name environment
· show ap name ap-name gps location
· show ap name ap-name mesh linktest data dest-mac
· show ap environment
· show ap gps location

For details about these commands, see the Cisco Catalyst 9800 Series Wireless Controller Command Reference document.

MAC Authorization

Use the following show command to verify the MAC authorization configuration:

Device# show run aaa
aaa authentication dot1x CENTRAL_LOCAL local
aaa authorization credential-download CENTRAL_AUTHOR local
username 002cc8de4f31 mac
username 00425a0a53b1 mac

ewlc_eft#sh wireless profile mesh detailed madhu-mesh-profile
Mesh Profile Name           : abc-mesh-profile
-------------------------------------------------
Description                 :
Bridge Group Name           : bgn-abbc
Strict match BGN            : ENABLED
Amsdu                       : ENABLED
...
Battery State               : ENABLED
Authorization Method        : CENTRAL_AUTHOR
Authentication Method       : CENTRAL_LOCAL
Backhaul tx rate(802.11bg)  : auto
Backhaul tx rate(802.11a)   : 802.11n mcs15

PSK Provisioning

Use the following show command to verify PSK provisioning configuration:

Device# show wireless mesh config
Mesh Config
  Backhaul RRM                                : ENABLED
  Mesh CAC                                    : DISABLED
  Outdoor Ext. UNII B Domain channels(for BH) : ENABLED
  Mesh Ethernet Bridging STP BPDU Allowed     : ENABLED
  Rap Channel Sync                            : ENABLED

Mesh Alarm Criteria
  Max Hop Count                               : 4
  Recommended Max Children for MAP            : 10
  Recommended Max Children for RAP            : 20
  Low Link SNR                                : 12
  High Link SNR                               : 60
  Max Association Number                      : 10
  Parent Change Number                        : 3

Mesh PSK Config
  PSK Provisioning                            : ENABLED
  Default PSK                                 : ENABLED
  PSK In-use key number                       : 1
  Provisioned PSKs(Maximum 5)
    Index  Description
    -----  ------------
    1      key1

Bridge Group Name

Use the following show command to verify the bridge group name configuration:

Device# show wireless profile mesh detailed abc-mesh-profile
Mesh Profile Name           : abc-mesh-profile
-------------------------------------------------
Description                 :
Bridge Group Name           : bgn-abc
Strict match BGN            : ENABLED
Amsdu                       : ENABLED
Background Scan             : ENABLED
Channel Change Notification : DISABLED
Backhaul client access      : ENABLED
Ethernet Bridging           : ENABLED
Ethernet Vlan Transparent   : DISABLED
Full Sector DFS             : ENABLED
IDS                         : ENABLED
Multicast Mode              : In-Out
Range in feet               : 12000
Security Mode               : EAP
Convergence Method          : Fast
LSC only Authentication     : DISABLED
Battery State               : ENABLED
Authorization Method        : CENTRAL_AUTHOR
Authentication Method       : CENTRAL_LOCAL
Backhaul tx rate(802.11bg)  : auto
Backhaul tx rate(802.11a)   : 802.11n mcs15

Backhaul Client Access

Use the following show command to verify the backhaul client access configuration:

Device# show wireless profile mesh detailed abc-mesh-profile
Mesh Profile Name           : abc-mesh-profile
-------------------------------------------------
Description                 :
Bridge Group Name           : bgn-abc
Strict match BGN            : ENABLED
Amsdu                       : ENABLED
Background Scan             : ENABLED
Channel Change Notification : DISABLED
Backhaul client access      : ENABLED
Ethernet Bridging           : ENABLED
Ethernet Vlan Transparent   : DISABLED
...
Backhaul tx rate(802.11bg)  : auto
Backhaul tx rate(802.11a)   : 802.11n mcs15

Wireless Backhaul Data Rate

Use the following show command to verify the wireless backhaul data rate configuration:

Device# show wireless profile mesh detailed abc-mesh-profile
Mesh Profile Name           : abc-mesh-profile
-------------------------------------------------
Description                 :
Bridge Group Name           : bgn-abc
Strict match BGN            : ENABLED
...
Authorization Method        : CENTRAL_AUTHOR
Authentication Method       : CENTRAL_LOCAL
Backhaul tx rate(802.11bg)  : auto
Backhaul tx rate(802.11a)   : 802.11n mcs15

Dynamic Frequency Selection

Use the following show command to verify the dynamic frequency selection configuration:

Device# show wireless profile mesh detailed abc-mesh-profile
Mesh Profile Name           : abc-mesh-profile
-------------------------------------------------
Description                 :
Bridge Group Name           : bgn-abc
Strict match BGN            : ENABLED
Amsdu                       : ENABLED
Background Scan             : ENABLED
Channel Change Notification : DISABLED
Backhaul client access      : ENABLED
Ethernet Bridging           : ENABLED
Ethernet Vlan Transparent   : DISABLED
Full Sector DFS             : ENABLED
...
Backhaul tx rate(802.11a)   : 802.11n mcs15

Intrusion Detection System

Use the following show command to verify the intrusion detection system configuration:

Device# show wireless profile mesh detailed abc-mesh-profile
Mesh Profile Name           : abc-mesh-profile
-------------------------------------------------
Description                 :
Bridge Group Name           : bgn-abc
Strict match BGN            : ENABLED
Amsdu                       : ENABLED
Background Scan             : ENABLED
Channel Change Notification : DISABLED
Backhaul client access      : ENABLED
Ethernet Bridging           : ENABLED
Ethernet Vlan Transparent   : DISABLED
Full Sector DFS             : ENABLED
IDS                         : ENABLED
Multicast Mode              : In-Out
...
Backhaul tx rate(802.11a)   : 802.11n mcs15

Ethernet Bridging

Use the following show command to verify ethernet bridging configuration:

Device# show wireless profile mesh detailed abc-mesh-profile
Mesh Profile Name           : abc-mesh-profile
-------------------------------------------------
Description                 :
Bridge Group Name           : bgn-abc
Strict match BGN            : ENABLED
Amsdu                       : ENABLED
Background Scan             : ENABLED
Channel Change Notification : DISABLED
Backhaul client access      : ENABLED
Ethernet Bridging           : ENABLED
Ethernet Vlan Transparent   : DISABLED
Full Sector DFS             : ENABLED
IDS                         : ENABLED
Multicast Mode              : In-Out
...
Backhaul tx rate(802.11a)   : 802.11n mcs15

Multicast over Mesh

Use the following show command to verify multicast over Mesh configuration:

Device# show wireless profile mesh detailed abc-mesh-profile
Mesh Profile Name           : abc-mesh-profile
-------------------------------------------------
Description                 :
Bridge Group Name           : bgn-abc
Strict match BGN            : ENABLED
Amsdu                       : ENABLED
Background Scan             : ENABLED
Channel Change Notification : DISABLED
Backhaul client access      : ENABLED
Ethernet Bridging           : ENABLED
Ethernet Vlan Transparent   : DISABLED
Full Sector DFS             : ENABLED
IDS                         : ENABLED
Multicast Mode              : In-Out
...
Backhaul tx rate(802.11a)   : 802.11n mcs15
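The verification sections from Bridge Group Name through Multicast over Mesh all read the same show wireless profile mesh detailed output. The following Python script is an added example, not part of this guide or of Cisco software: it parses that output into a dictionary and compares the security-relevant fields (Security Mode, Strict match BGN, IDS) against a baseline. The sample output is a constructed copy of the fields shown above, and the baseline itself is this example's assumption, not a Cisco recommendation.

```python
"""Parse 'show wireless profile mesh detailed' output and check its posture.

Added example, not Cisco code. SAMPLE_OUTPUT is a constructed copy of the
fields shown in the verification sections above. EXPECTED is this example's
own baseline for a hardened mesh profile, not a Cisco recommendation.
"""

SAMPLE_OUTPUT = """\
Mesh Profile Name           : abc-mesh-profile
-------------------------------------------------
Description                 :
Bridge Group Name           : bgn-abc
Strict match BGN            : ENABLED
Amsdu                       : ENABLED
Background Scan             : ENABLED
Channel Change Notification : DISABLED
Backhaul client access      : ENABLED
Ethernet Bridging           : ENABLED
Ethernet Vlan Transparent   : DISABLED
Full Sector DFS             : ENABLED
IDS                         : ENABLED
Multicast Mode              : In-Out
Range in feet               : 12000
Security Mode               : EAP
Convergence Method          : Fast
LSC only Authentication     : DISABLED
Battery State               : ENABLED
Authorization Method        : CENTRAL_AUTHOR
Authentication Method       : CENTRAL_LOCAL
Backhaul tx rate(802.11bg)  : auto
Backhaul tx rate(802.11a)   : 802.11n mcs15
"""


def parse_mesh_profile(text: str) -> dict[str, str]:
    """Map each 'key : value' line to a dict entry.

    Separator rules ('----') and the '...' elision marker the guide uses in
    abbreviated outputs are skipped; a key with an empty value (Description)
    is kept as ''. Only the first ':' splits, so keys such as
    'Backhaul tx rate(802.11a)' survive intact.
    """
    fields: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-") or line == "...":
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        fields[key.strip()] = value.strip()
    return fields


# Baseline for a hardened backhaul (assumption of this example):
#  - EAP backhaul security rather than a PSK provisioned to every MAP
#  - strict BGN matching so a MAP cannot attach to a neighbouring bridge group
#  - IDS left on so the controller reports abnormal backhaul activity
EXPECTED = {
    "Security Mode": "EAP",
    "Strict match BGN": "ENABLED",
    "IDS": "ENABLED",
}


def check_posture(fields: dict[str, str]) -> list[str]:
    """Return one message per deviation from EXPECTED; an empty list means compliant."""
    problems = []
    for key, want in EXPECTED.items():
        got = fields.get(key)
        if got is None:
            problems.append(f"{key}: not present in output")
        elif got.upper() != want.upper():
            problems.append(f"{key}: is {got}, expected {want}")
    return problems


def audit_mesh_profile(text: str) -> list[str]:
    """Convenience wrapper: parse, then check."""
    return check_posture(parse_mesh_profile(text))


if __name__ == "__main__":
    parsed = parse_mesh_profile(SAMPLE_OUTPUT)
    print(f"profile {parsed['Mesh Profile Name']}: {len(parsed)} fields")
    for problem in audit_mesh_profile(SAMPLE_OUTPUT) or ["compliant with baseline"]:
        print(" -", problem)
```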

RRM on Mesh Backhaul

Use the following show command to verify RRM on Mesh backhaul configuration:

Device# show wireless mesh config
Mesh Config
  Backhaul RRM                                : ENABLED
  Mesh CAC                                    : DISABLED
  Outdoor Ext. UNII B Domain channels(for BH) : ENABLED
  Mesh Ethernet Bridging STP BPDU Allowed     : ENABLED
  Rap Channel Sync                            : ENABLED

Mesh Alarm Criteria
  Max Hop Count                               : 4
  Recommended Max Children for MAP            : 10
  Recommended Max Children for RAP            : 20
  Low Link SNR                                : 12
  High Link SNR                               : 60
  Max Association Number                      : 10
  Parent Change Number                        : 3

Mesh PSK Config
  PSK Provisioning                            : ENABLED
  Default PSK                                 : ENABLED
  PSK In-use key number                       : 1
  Provisioned PSKs(Maximum 5)
    Index  Description
    -----  ------------
    1      key1

Preferred Parent Selection

Use the following show command to verify preferred parent configuration:

Device# show wireless mesh ap tree
========================================================================
AP Name [Hop Ctr,Link SNR,BG Name,Channel,Pref Parent,Chan Util,Clients]
========================================================================
[Sector 1]
----------
1542-RAP [0, 0, bgn-madhu, (165), 0000.0000.0000, 1%, 0]
   |-MAP-2700 [1, 67, bgn-madhu, (165), 7070.8b7a.6fb8, 0%, 0]

Number of Bridge APs : 2
Number of RAPs       : 1
Number of MAPs       : 1

(*) Wait for 3 minutes to update or Ethernet Connected Mesh AP.
(**) Not in this Controller

AP Role Change

Use the following show command to verify AP role change configuration:

Device# show wireless mesh ap summary

AP Name   AP Model  BVI MAC         BGN      AP Role
--------  --------  --------------  -------  -------
1542-RAP  1542D     002c.c8de.1338  bgn-abc  Root AP
MAP-2700  2702I     500f.8095.01e4  bgn-abc  Mesh AP

Number of Bridge APs       : 2
Number of RAPs             : 1
Number of MAPs             : 1
Number of Flex+Bridge APs  : 0
Number of Flex+Bridge RAPs : 0
Number of Flex+Bridge MAPs : 0

Mesh Leaf Node

Use the following show command to verify mesh leaf node configuration:

Device# show ap name MAP-2700 config general
Cisco AP Name   : MAP-2700
=================================================
Cisco AP Identifier                             : 7070.8bbc.d3e0
Country Code                                    : Multiple Countries : IN,US,IO,J4
Regulatory Domain Allowed by Country            : 802.11bg:-AEJPQU 802.11a:-ABDJNPQU
AP Country Code                                 : IN - India
AP Regulatory Domain
  Slot 0                                        : -A
  Slot 1                                        : -D
MAC Address                                     : 500f.8095.01e4
...
AP Mode                                         : Bridge
Mesh profile name                               : abc-mesh-profile
AP Role                                         : Mesh AP
Backhaul radio type                             : 802.11a
Backhaul slot id                                : 1
Backhaul tx rate                                : auto
Ethernet Bridging                               : Enabled
Daisy Chaining                                  : Disabled
Strict Daisy Rap                                : Disabled
Bridge Group Name                               : bgn-abc
Strict-Matching BGN                             : Enabled
Preferred Parent Address                        : 7070.8b7a.6fb8
Block child state                               : Disabled
PSK Key Timestamp                               : Not Configured
...
FIPS status WLANCC status GAS rate limit Admin status WPA3 Capability EWC-AP Capability AWIPS Capability
: Disabled : Disabled : Disabled : Disabled : Disabled : Disabled
Proxy Hostname                                  : Not Configured
Proxy Port                                      : Not Configured
Proxy NO_PROXY list                             : Not Configured
GRPC server status                              : Disabled

Subset Channel Synchronization

Use the following show command to verify the subset channel synchronization configuration:

Device# show wireless mesh config
Mesh Config
  Backhaul RRM                                : ENABLED
  Mesh CAC                                    : DISABLED
  Outdoor Ext. UNII B Domain channels(for BH) : ENABLED
  Mesh Ethernet Bridging STP BPDU Allowed     : ENABLED
  Rap Channel Sync                            : ENABLED

Mesh Alarm Criteria
  Max Hop Count                               : 4
  Recommended Max Children for MAP            : 10
  Recommended Max Children for RAP            : 20
  Low Link SNR                                : 12
  High Link SNR                               : 60
  Max Association Number                      : 10
  Parent Change Number                        : 3

Mesh PSK Config
  PSK Provisioning                            : ENABLED
  Default PSK                                 : ENABLED
  PSK In-use key number                       : 1
  Provisioned PSKs(Maximum 5)
    Index  Description
    -----  ------------
    1      key1

Provisioning LSC for Bridge-Mode and Mesh APs

Use the following show command to verify the provisioning LSC for Bridge-Mode and Mesh AP configuration:

Device# show wireless profile mesh detailed default-mesh-profile
Mesh Profile Name           : default-mesh-profile
-------------------------------------------------
Description                 : default mesh profile
Bridge Group Name           : bgn-abc
Strict match BGN            : DISABLED
Amsdu                       : ENABLED
Background Scan             : ENABLED
Channel Change Notification : ENABLED
Backhaul client access      : ENABLED
Ethernet Bridging           : DISABLED
Ethernet Vlan Transparent   : ENABLED
Full Sector DFS             : ENABLED
IDS                         : DISABLED
Multicast Mode              : In-Out
Range in feet               : 12000
Security Mode               : EAP
Convergence Method          : Fast
LSC only Authentication     : DISABLED
Battery State               : ENABLED
Authorization Method        : default
Authentication Method       : default
Backhaul tx rate(802.11bg)  : auto
Backhaul tx rate(802.11a)   : auto

Specify the Backhaul Slot for the Root AP

Use the following show command to verify the backhaul slot for the Root AP configuration:

Device# show ap name 1542-RAP mesh backhaul
MAC Address : 380e.4d85.5e60
  Current Backhaul Slot: 1
  Radio Type: 0
  Radio Subband: All
  Mesh Radio Role: DOWNLINK
  Administrative State: Enabled
  Operation State: Up
  Current Tx Power Level:
  Current Channel: (165)
  Antenna Type: N/A
  Internal Antenna Gain (in .5 dBm units): 18

Using a Link Test on Mesh Backhaul

Use the following show command to verify the use of link test on mesh backhaul configuration:

Device# show ap name 1542-RAP mesh linktest data 7070.8bbc.d3ef
380e.4d85.5e60 ==> 7070.8bbc.d3ef
Started at : 05/11/2020 20:56:28
Status: In progress
Configuration:
==============
Data rate: Mbps
Packets per sec: : 234
Packet Size: : 1200
Duration: : 200

Mesh CAC

Use the following show command to verify mesh CAC configuration:

Device# show wireless mesh config
Mesh Config
  Backhaul RRM                                : ENABLED
  Mesh CAC                                    : DISABLED
  Outdoor Ext. UNII B Domain channels(for BH) : ENABLED
  Mesh Ethernet Bridging STP BPDU Allowed     : ENABLED
  Rap Channel Sync                            : ENABLED

Mesh Alarm Criteria
  Max Hop Count                               : 4
  Recommended Max Children for MAP            : 10
  Recommended Max Children for RAP            : 20
  Low Link SNR                                : 12
  High Link SNR                               : 60
  Max Association Number                      : 10
  Parent Change Number                        : 3

Mesh PSK Config
  PSK Provisioning                            : ENABLED
  Default PSK                                 : ENABLED
  PSK In-use key number                       : 1
  Provisioned PSKs(Maximum 5)
    Index  Description
    -----  ------------
    1      key1

CHAPTER 151

Redundant Root Access Point (RAP) Ethernet Daisy Chaining

· Overview of Redundant RAP Ethernet Daisy Chaining, on page 1471
· Prerequisites for Redundant RAP Ethernet Daisy Chaining Support, on page 1472
· Configuring Redundant RAP Ethernet Daisy Chaining Support (CLI), on page 1472
· Verifying Daisy Chain Redundancy (CLI), on page 1472

Overview of Redundant RAP Ethernet Daisy Chaining

Root Access Point (RAP) Ethernet Daisy Chaining is a feature in which RAPs are chained over wired Ethernet to avoid latency when recovering from a backhaul link failure. This feature adds redundancy to the daisy chain: two switches act as redundant Designated Ports (DP), each connected to one end of the daisy chain. In case of a link failure, the link direction is reversed using a new STP root. A redundant RAP Ethernet daisy chain has capabilities similar to those of the existing mesh daisy chain feature. In a redundant RAP Ethernet daisy chain topology, each AP encapsulates the packets from its wireless clients in a CAPWAP header and forwards them to the controller. The packets are bridged from the AP's secondary Ethernet interface to its primary Ethernet interface, together with the CAPWAP packets carrying the other APs' wireless client traffic. Both 2.4G and 5G radios are used for client access.

Note: The daisy chain strict RAP configuration is applicable to Cisco IOS access points only. Redundant RAP Ethernet daisy chain is supported on the IW6300 AP model. In an Ethernet daisy chain topology, if a CAPWAP loss occurs on the first RAP connected to the switch, the entire chain loses its uplink, and recovery takes a long time. Therefore, when RAP Ethernet daisy chain is enabled, the CAPWAP data keepalive is extended to three times.

Note: Only the wired uplink configuration is valid if you configure an AP as a Bridge or Flex Bridge mode Root AP.


Prerequisites for Redundant RAP Ethernet Daisy Chaining Support

· Ethernet bridging should be enabled.
· The strict-wired-uplink feature should be enabled.

Configuring Redundant RAP Ethernet Daisy Chaining Support (CLI)

Follow the procedure given below to enable redundant RAP Ethernet daisy chaining on a mesh profile:

Procedure

Step 1

configure terminal
Example:
Device# configure terminal

Enters global configuration mode.

Step 2

wireless profile mesh profile-name
Example:
Device(config)# wireless profile mesh default-mesh-profile

Configures a mesh profile and enters mesh profile configuration mode.

Step 3

daisychain-stp-redundancy
Example:
Device(config-wireless-mesh-profile)# daisychain-stp-redundancy

Configures daisy chain STP redundancy.

Verifying Daisy Chain Redundancy (CLI)

To verify the Ethernet daisy chain summary, use the following command:

Device# show wireless mesh ethernet daisy-chain summary

AP Name  BVI MAC         BGN  Backhaul   Ethernet       STP Red
----------------------------------------------------------------------------------------------------------
RAP4     683b.78bf.15f0  IOT  Ethernet0  Up Up Dn Dn    Enabled
RAP3     683b.78bf.1634  IOT  Ethernet0  Up Up Dn Dn    Enabled
RAP1     6c8b.d383.b4d4  IOT  Ethernet0  Up Up Dn Dn    Enabled
RAP2     6c8b.d383.b4e8  IOT  Ethernet0  Up Up Up Dn    Enabled

To verify the Ethernet daisy chain Bridge Group Name (BGN) details, use the following command:

Device# show wireless mesh ethernet daisy-chain bgn <IOT>

AP Name  BVI MAC         BGN  Backhaul   Ethernet       STP Red
----------------------------------------------------------------------------------------------------------
RAP4     683b.78bf.15f0  IOT  Ethernet0  Up Up Dn Dn    Enabled
RAP3     683b.78bf.1634  IOT  Ethernet0  Up Up Dn Dn    Enabled
RAP1     6c8b.d383.b4d4  IOT  Ethernet0  Up Up Dn Dn    Enabled
RAP2     6c8b.d383.b4e8  IOT  Ethernet0  Up Up Up Dn    Enabled

To verify the mesh profile, use the following command:

Device# show wireless profile mesh detailed default-mesh-profile
Mesh Profile Name           : default-mesh-profile
-------------------------------------------------
Description                 : default mesh profile
Bridge Group Name           : IOT
Strict match BGN            : ENABLED
Amsdu                       : ENABLED
Background Scan             : ENABLED
Channel Change Notification : ENABLED
Backhaul client access      : ENABLED
Ethernet Bridging           : ENABLED
Ethernet Vlan Transparent   : DISABLED
Daisy Chain STP Redundancy  : ENABLED
Full Sector DFS             : ENABLED
IDS                         : ENABLED
Multicast Mode              : In-Out
Range in feet               : 12000
Security Mode               : EAP
Convergence Method          : Standard
LSC only Authentication     : DISABLED
Battery State               : ENABLED
Authorization Method        : eap_methods
Authentication Method       : eap_methods
Backhaul tx rate(802.11bg)  : auto
Backhaul tx rate(802.11a)   : auto
===============


PART XIV

VideoStream

· VideoStream, on page 1477

CHAPTER 152

VideoStream

· Information about Media Stream, on page 1477
· Prerequisites for Media Stream, on page 1478
· How to Configure Media Stream, on page 1478
· Monitoring Media Streams, on page 1483
· Configuring the General Parameters for a Media Stream (GUI), on page 1483
· Adding Media Stream (CLI), on page 1484
· Enabling a Media Stream per WLAN (GUI), on page 1485
· Enabling a Media Stream per WLAN (CLI), on page 1485
· Configuring the General Parameters for a Media Stream (GUI), on page 1486
· Configuring the General Parameters for a Media Stream (CLI), on page 1486
· Configuring Multicast Direct Admission Control (GUI), on page 1487
· Configuring Multicast Direct Admission Control (CLI), on page 1487
· Create and Attach Policy-based QoS Profile, on page 1489
· Viewing Media Stream Information, on page 1494

Information about Media Stream

The IEEE 802.11 wireless multicast delivery mechanism does not provide a reliable way to acknowledge lost or corrupted packets. As a result, if a multicast packet is lost in the air, it is not sent again, which may make an IP multicast stream unviewable. The Media Stream feature makes the delivery of an IP multicast stream reliable over the air by converting the multicast frame to a unicast frame over the air. Each Media Stream client acknowledges receiving a video IP multicast stream.

Note: Support for IPv6 was added from Cisco IOS XE Gibraltar 16.12.1. You can use IPv6 multicast addresses in place of IPv4 multicast addresses to enable media stream on IPv6 networks.


Prerequisites for Media Stream

· Make sure that the Multicast feature is enabled. We recommend that you configure IP multicast on the controller in multicast-multicast mode.
· Check for the IP address on the client machine. The machine should have an IP address from the respective VLAN.
· Verify that the access points have joined the controllers.

How to Configure Media Stream

Configuring Multicast-Direct Globally for Media Stream (CLI)

Procedure

Step 1

configure terminal
Example:
Device# configure terminal

Enters global configuration mode.

Step 2

wireless multicast
Example:
Device(config)# wireless multicast

Enables multicast for wireless forwarding.

Step 3

ip igmp snooping
Example:
Device(config)# ip igmp snooping

Enables IGMP snooping on a per-VLAN basis. If the global setting is disabled, then all the VLANs are treated as disabled, whether they are enabled or not.

Step 4

ip igmp snooping querier
Example:
Device(config)# ip igmp snooping querier

Enables a snooping querier on an interface when there is no multicast router in the VLAN to generate queries.

Step 5

wireless media-stream multicast-direct
Example:
(config)#wireless media-stream multicast-direct

Configures the global multicast-direct on the controller.

Step 6

wireless media-stream message
Example:
(config)#wireless media-stream message ?
  Email  Configure Session Announcement Email
  Notes  Configure Session Announcement notes
  URL    Configure Session Announcement URL
  phone  Configure Session Announcement Phone number
  <cr>

Configures various message-configuration parameters such as phone, URL, email, and notes. That is, when a media stream is refused (due to bandwidth constraints), a message can be sent to the corresponding user. These parameters configure the messages that are to be sent to the IT support email address, the notes (a message displayed to explain why the stream was refused), the URL to which the user can be redirected, and the phone number that the user can call about the refused stream.

Step 7

wireless media-stream group name startIp endIp
Example:
(config)#wireless media-stream group grp1 231.1.1.1 239.1.1.3
  avg-packet-size  Configure average packet size
  default          Set a command to its defaults
  exit             Exit sub-mode
  max-bandwidth    Configure maximum expected stream bandwidth in Kbps
  no               Negate a command or set its defaults
  policy           Configure media stream admission policy
  priority         Configure media stream priority, <1:Lowest - 8:Highest>
  qos              Configure over the air QoS class, <'video'> ONLY
  rrc-evaluation   Configure RRC re-evaluation admission
  violation        Configure stream violation policy on periodic re-evaluation

Configures each media stream and its parameters such as expected multicast destination addresses, stream bandwidth consumption, and stream-priority parameters.

Step 8

end
Example:
Device(config)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Configuring Media Stream for 802.11 Bands (CLI)

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: ap dot11 {24ghz | 5ghz} media-stream multicast-direct
Example:
Device(config)#ap dot11 24ghz media-stream multicast-direct
Purpose: Configures whether media stream (multicast to unicast) is allowed for the 802.11 band. You must disable the 802.11 network to enable the media stream.

Step 3
Command or Action: ap dot11 {24ghz | 5ghz} media-stream video-redirect
Example:
Device(config)#ap dot11 24ghz media-stream video-redirect
Purpose: Optional. Configures the redirection of unicast video traffic to the best-effort queue.

Step 4
Command or Action: ap dot11 {24ghz | 5ghz} media-stream multicast-direct admission-besteffort
Example:
Device(config)#ap dot11 24ghz media-stream multicast-direct admission-besteffort
Purpose: Configures the media stream to be sent through the best-effort queue if that media stream cannot be prioritized due to bandwidth-availability limitations. Run the no form of the command to drop the stream instead when it cannot be prioritized due to bandwidth-availability limitations.

Step 5
Command or Action: ap dot11 {24ghz | 5ghz} media-stream multicast-direct client-maximum value
Example:
Device(config)#ap dot11 24ghz media-stream multicast-direct client-max 15
Purpose: Configures the maximum number of allowed media streams per individual client. The maximum is 15 and the default is 0. The value 0 denotes unlimited streams.

Step 6
Command or Action: ap dot11 {24ghz | 5ghz} media-stream multicast-direct radio-maximum value
Example:
Device(config)#ap dot11 24ghz media-stream multicast-direct radio-maximum 20
Purpose: Configures the maximum number of radio streams. The valid range is from 1 to 20. The default is 0, which denotes unlimited streams.

Step 7
Command or Action: ap dot11 {24ghz | 5ghz} cac multimedia max-bandwidth bandwidth
Example:
Device(config)#ap dot11 24ghz cac multimedia max-bandwidth 60
Purpose: Configures the maximum media (voice + video) bandwidth, in percent. The range is 5-85%.

Step 8
Command or Action: ap dot11 {24ghz | 5ghz} cac media-stream multicast-direct min-client-rate dot11_rate
Example:
Device(config)#ap dot11 24ghz cac media-stream multicast-direct min-client-rate
Purpose: Configures the minimum PHY rate needed for a client to send a media stream as unicast. Clients communicating below this rate will not receive the media stream as a unicast flow. Typically, this PHY rate is equal to or higher than the rate at which multicast frames are sent.

Step 9
Command or Action: ap dot11 {24ghz | 5ghz} cac media-stream
Example:
Device(config)#ap dot11 5ghz cac media-stream
Purpose: Configures Call Admission Control (CAC) parameters for the media stream access category.

Step 10
Command or Action: ap dot11 {24ghz | 5ghz} cac multimedia
Example:
Device(config)#ap dot11 5ghz cac multimedia
Purpose: Configures CAC parameters for the media access category, which is used for voice and video.

Step 11
Command or Action: ap dot11 {24ghz | 5ghz} cac voice
Example:
Device(config)#ap dot11 5ghz cac voice
Purpose: Configures CAC parameters for the voice access category.

Step 12
Command or Action: end
Example:
Device(config)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Configuring a WLAN to Stream Video (GUI)
Procedure

Step 1 Choose Configuration > Wireless > WLANs > Wireless Networks.
Step 2 Select a WLAN to view the Edit WLAN window.
Step 3 Click the Advanced tab.
Step 4 Check the Media Stream Multicast-Direct check box to enable the feature.
Step 5 Click Update & Apply to Device.

Configuring a WLAN to Stream Video (CLI)

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wlan wlan_name
Example:
(config)#wlan wlan50
Purpose: Enters WLAN configuration mode.

Step 3
Command or Action: shutdown
Example:
(config-wlan)#shutdown
Purpose: Disables the WLAN for configuring its parameters.

Step 4
Command or Action: media-stream multicast-direct
Example:
(config-wlan)#media-stream multicast-direct
Purpose: Configures multicast-direct on the media stream for the WLAN.

Step 5
Command or Action: no shutdown
Example:
(config-wlan)#no shutdown
Purpose: Enables the WLAN.

Step 6
Command or Action: end
Example:
Device(config)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Deleting a Media Stream (GUI)
Procedure

Step 1 Choose Configuration > Wireless > Media Stream.
Step 2 Click the Streams tab.
Step 3 Check the check box adjacent to the Stream Name you want to delete. To delete multiple streams, select multiple stream name check boxes.
Step 4 Click Delete.
Step 5 Click Yes on the confirmation window to delete the stream.

Deleting a Media Stream (CLI)

Before you begin
The media stream should be enabled and configured for it to be deleted.

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: no wireless media-stream group media_stream_name
Example:
Device(config)#no wireless media-stream group grp1
Purpose: Deletes the media stream that bears the name mentioned in the command.

Step 3
Command or Action: end
Example:
Device(config)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Monitoring Media Streams

Table 75: Commands for monitoring media streams

Command: show wireless media-stream client detail group name
Description: Displays media stream client details of the particular group.

Command: show wireless media-stream client summary
Description: Displays the media stream information of all the clients.

Command: show wireless media-stream group detail group name
Description: Displays the media stream configuration details of the particular group.

Command: show wireless media-stream group summary
Description: Displays the media stream configuration details of all the groups.

Command: show wireless media-stream message details
Description: Displays the session announcement message details.

Command: show wireless multicast
Description: Displays the multicast-direct configuration state.

Command: show ap dot11 {24ghz | 5ghz} media-stream rrc
Description: Displays 802.11 media Resource-Reservation-Control configurations.

Configuring the General Parameters for a Media Stream (GUI)
Procedure

Step 1 Choose Configuration > Wireless > Media Stream.
Step 2 In the General tab, check the Multicast Direct Enable check box.
Step 3 In the Session Message Config section, check the Session Announcement State check box to enable the session announcement mechanism. If the session announcement state is enabled, clients are informed each time a controller is not able to serve the multicast direct data to the client.
Step 4 In the Session Announcement URL field, enter the URL where the client can find more information when an error occurs during the multicast media stream transmission.
Step 5 In the Session Announcement Email field, enter the e-mail address of the person who can be contacted.
Step 6 In the Session Announcement Phone field, enter the phone number of the person who can be contacted.
Step 7 In the Session Announcement Note field, enter a reason as to why a particular client cannot be served with a multicast media.
Step 8 Click Apply.

Adding Media Stream (CLI)

Procedure

Step 1
Command or Action: wireless media-stream group groupName startIpAddr endIpAddr
Example:
Device(config)# wireless media-stream group group1 224.0.0.0 224.0.0.223
Purpose: Configures each media stream and its parameters, such as expected multicast destination addresses, stream bandwidth consumption, and stream priority parameters.

Step 2
Command or Action: avg-packet-size packetsize
Example:
Device(media-stream)# avg-packet-size 100
Purpose: Configures the average packet size.

Step 3
Command or Action: max-bandwidth bandwidth
Example:
Device(media-stream)# max-bandwidth 80
Purpose: Configures the maximum expected stream bandwidth, in Kbps.

Step 4
Command or Action: policy {admit | deny}
Example:
Device(media-stream)# policy admit
Purpose: Configures the media stream admission policy.

Step 5
Command or Action: qos video
Example:
Device(media-stream)# qos video
Purpose: Configures the over-the-air QoS class as 'video'.

Step 6
Command or Action: violation {drop | fallback}
Example:
Device(media-stream)# violation drop
Purpose: Configures the violation mode.

Step 7
Command or Action: rrc-evaluation {initial | periodic}
Example:
Device(media-stream)# rrc-evaluation initial
Purpose: Configures Resource Reservation Control (RRC) re-evaluation admission, which provides initial or periodic admission evaluation. The re-evaluation admission occurs at 2, 4, 8, and so on seconds.

Step 8
Command or Action: priority priority-value
Example:
Device(media-stream)# priority 6
Purpose: Sets the priority value. The valid range is from 1 to 8, with 1 being the lowest.
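The media-stream group sub-mode above (and the same sub-mode listed under Step 7 of the global multicast-direct procedure) accepts a fixed set of keywords and ranges. The following Python is an added example, not Cisco code: it validates a group against those documented constraints, renders the configuration lines in the order the procedure uses, and flags groups whose multicast address ranges overlap. The class and function names are the example's own.

```python
"""Build and validate a Catalyst 9800 media-stream group configuration block.

Encodes the sub-mode keywords and ranges stated in the procedures above:
a class D (224.0.0.0/4) address range with start <= end, avg-packet-size and
max-bandwidth (Kbps), policy admit|deny, qos video, violation drop|fallback,
rrc-evaluation initial|periodic and priority 1 (lowest) to 8 (highest).
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class MediaStreamGroup:
    name: str
    start_ip: str
    end_ip: str
    avg_packet_size: int        # bytes
    max_bandwidth_kbps: int
    policy: str = "admit"
    violation: str = "drop"
    rrc_evaluation: str = "initial"
    priority: int = 1           # 1 = lowest, 8 = highest

    def validate(self):
        """Return a list of problems; an empty list means the group is acceptable."""
        errors = []
        try:
            start = ipaddress.IPv4Address(self.start_ip)
            end = ipaddress.IPv4Address(self.end_ip)
        except ipaddress.AddressValueError as exc:
            return ["invalid IPv4 address: %s" % exc]
        if not (start.is_multicast and end.is_multicast):
            errors.append("start and end must be IPv4 multicast (224.0.0.0/4) addresses")
        if start > end:
            errors.append("start IP must not be greater than end IP")
        if not self.name or any(ch.isspace() for ch in self.name):
            errors.append("group name must be non-empty and contain no whitespace")
        if self.avg_packet_size <= 0:
            errors.append("avg-packet-size must be a positive number of bytes")
        if self.max_bandwidth_kbps <= 0:
            errors.append("max-bandwidth must be a positive number of Kbps")
        if self.policy not in ("admit", "deny"):
            errors.append("policy must be admit or deny")
        if self.violation not in ("drop", "fallback"):
            errors.append("violation must be drop or fallback")
        if self.rrc_evaluation not in ("initial", "periodic"):
            errors.append("rrc-evaluation must be initial or periodic")
        if not 1 <= self.priority <= 8:
            errors.append("priority must be between 1 (lowest) and 8 (highest)")
        return errors

    def to_cli(self):
        """Render the global-config line and its sub-mode lines in the order the
        Adding Media Stream (CLI) procedure uses. Raises ValueError when invalid."""
        problems = self.validate()
        if problems:
            raise ValueError("; ".join(problems))
        return [
            "wireless media-stream group %s %s %s" % (self.name, self.start_ip, self.end_ip),
            " avg-packet-size %d" % self.avg_packet_size,
            " max-bandwidth %d" % self.max_bandwidth_kbps,
            " policy %s" % self.policy,
            " qos video",
            " violation %s" % self.violation,
            " rrc-evaluation %s" % self.rrc_evaluation,
            " priority %d" % self.priority,
            " exit",
        ]


def overlapping_groups(groups):
    """Return (name_a, name_b) pairs whose address ranges overlap. Two groups
    covering the same multicast address is almost always a configuration
    mistake, so it is worth catching before the config is pushed."""
    spans = [(g.name, int(ipaddress.IPv4Address(g.start_ip)),
              int(ipaddress.IPv4Address(g.end_ip))) for g in groups]
    overlaps = []
    for i, (name_a, start_a, end_a) in enumerate(spans):
        for name_b, start_b, end_b in spans[i + 1:]:
            if start_a <= end_b and start_b <= end_a:
                overlaps.append((name_a, name_b))
    return overlaps


if __name__ == "__main__":
    # Values from the procedure's own example: group1 224.0.0.0-224.0.0.223,
    # 100-byte packets, 80 Kbps, priority 6.
    group = MediaStreamGroup("group1", "224.0.0.0", "224.0.0.223", 100, 80, priority=6)
    print("\n".join(group.to_cli()))
```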

Enabling a Media Stream per WLAN (GUI)
Procedure

Step 1 Choose Configuration > Tags & Profiles > WLANs.
Step 2 On the WLANs page, click the name of the WLAN or click Add to create a new one.
Step 3 In the Add/Edit WLAN window that is displayed, click the Advanced tab.
Step 4 Check the Enabling a Media Stream for each WLAN check box to enable Media Stream on the WLAN.
Step 5 Save the configuration.

Enabling a Media Stream per WLAN (CLI)
Follow the procedure given below to enable a media stream for each WLAN:

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wlan wlan_name
Example:
Device(config)# wlan wlan5
Purpose: Enters WLAN configuration mode.

Step 3
Command or Action: shutdown
Example:
Device(config-wlan)# shutdown
Purpose: Disables the WLAN for configuring its parameters.

Step 4
Command or Action: media-stream multicast-direct
Example:
Device(config-wlan)# media-stream multicast-direct
Purpose: Configures multicast-direct for the WLAN.

Step 5
Command or Action: no shutdown
Example:
Device(config-wlan)# no shutdown
Purpose: Enables the WLAN.


Configuring the General Parameters for a Media Stream (GUI)
Procedure

Step 1 Choose Configuration > Wireless > Media Stream.
Step 2 Check the Multicast Direct Enable check box to enable multicast direct globally on the local mode.
Step 3 In the Session Message Config section, enter the values for the following parameters:
· Session Announcement URL
· Session Announcement Email
· Session Announcement Phone
· Session Announcement Note
Step 4 Save the configuration.

Configuring the General Parameters for a Media Stream (CLI)
Follow the procedure given below to configure the general parameters for a media stream:

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wireless media-stream message {URL url | email email-address | phone phone-no | notes notes}
Example:
Device(config)# wireless media-stream message url www.xyz.com
Purpose: Configures various message configuration parameters, such as phone, URL, email, and notes.

Step 3
Command or Action: wireless media-stream multicast-direct
Example:
Device(config)# wireless media-stream multicast-direct
Purpose: Enables multicast direct globally for local mode.
Note: This configuration will not impact flex and fabric media-stream configurations.

Step 4
Command or Action: exit
Example:
Device(config)# exit
Purpose: Returns to privileged EXEC mode.

Configuring Multicast Direct Admission Control (GUI)
Procedure

Step 1 Choose Configuration > Wireless > Media Stream.
Step 2 Check the Media Stream Admission Control (ACM) check box to enable multicast direct admission control.
Step 3 In the Maximum Media Stream RF bandwidth (%) field, enter the percentage of the maximum bandwidth to be allocated for media applications on this radio band. The valid range is from 5 to 85. When the client reaches a specified value, the AP rejects new calls on this radio band.
Step 4 In the Maximum Media Bandwidth (%) field, enter the bandwidth. The valid range is from 5 to 85%.
Step 5 From the Client Minimum Phy Rate drop-down list, select the minimum transmission data rate, or the rate in kilobits per second, at which the client can operate. If the transmission data rate is below the physical rate, either the video will not start or the client may be classified as a bad client. The bad client video can be demoted to best-effort QoS or subject to denial.
Step 6 In the Maximum Retry Percent (%) field, enter the percentage of maximum retries that are allowed. The default value is 80. If it exceeds 80, either the video will not start or the client might be classified as a bad client. The bad client video can be demoted to best-effort QoS or subject to denial.
Step 7 Click Apply.

Configuring Multicast Direct Admission Control (CLI)
Follow the procedure given below to configure multicast direct admission control:

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: ap dot11 {24ghz | 5ghz} shutdown
Example:
Device(config)# ap dot11 24ghz shutdown
Purpose: Disables the 802.11 network.

Step 3
Command or Action: ap dot11 {24ghz | 5ghz} media-stream video-redirect
Example:
Device(config)# ap dot11 24ghz media-stream video-redirect
Purpose: Configures the redirection of the unicast video traffic to the best-effort queue.

Step 4
Command or Action: ap dot11 {24ghz | 5ghz} cac media-stream acm
Example:
Device(config)# ap dot11 24ghz cac media-stream acm
Purpose: Enables admission control on the media-stream access category.

Step 5
Command or Action: ap dot11 {24ghz | 5ghz} cac media-stream max-bandwidth bandwidth
Example:
Device(config)# ap dot11 24ghz cac media-stream max-bandwidth 65
Purpose: Configures the maximum media bandwidth, in percent. The range is 5-85%.

Step 6
Command or Action: ap dot11 {24ghz | 5ghz} cac multimedia max-bandwidth bandwidth
Example:
Device(config)# ap dot11 24ghz cac multimedia max-bandwidth 65
Purpose: Configures the maximum bandwidth allocated to Wi-Fi Multimedia (WMM) clients for media. The range is 5-85%.

Step 7
Command or Action: ap dot11 {24ghz | 5ghz} cac media-stream multicast-direct min-client-rate dot11Rate
Example:
Device(config)# ap dot11 24ghz cac media-stream multicast-direct min-client-rate 800
Purpose: Configures the minimum PHY rate needed for a client to receive a media stream as unicast. Clients communicating below this rate will not receive the media stream as a unicast flow. Typically, this PHY rate is equal to or higher than the rate at which multicast frames are sent.

Step 8
Command or Action: ap dot11 {24ghz | 5ghz} cac media-stream multicast-direct max-retry-percent retryPercent
Example:
Device(config)# ap dot11 24ghz cac media-stream multicast-direct max-retry-percent 50
Purpose: Configures the CAC parameter maximum retry percent for multicast-direct streams.

Step 9
Command or Action: ap dot11 {24ghz | 5ghz} media-stream multicast-direct radio-maximum value
Example:
Device(config)# ap dot11 24ghz media-stream multicast-direct radio-maximum 10
Purpose: Configures the maximum number of radio streams. The range is from 1 to 20. The default is 0, which denotes unlimited streams.

Step 10
Command or Action: ap dot11 {24ghz | 5ghz} media-stream multicast-direct client-maximum value
Example:
Device(config)# ap dot11 24ghz media-stream multicast-direct client-maximum 12
Purpose: Configures the maximum number of allowed media streams per individual client. The maximum is 15 and the default is 0. The value 0 denotes unlimited streams.

Step 11
Command or Action: ap dot11 {24ghz | 5ghz} media-stream multicast-direct admission-besteffort
Example:
Device(config)# ap dot11 24ghz media-stream multicast-direct admission-besteffort
Purpose: Configures the media stream to still be sent through the best-effort queue if a media stream cannot be prioritized due to bandwidth availability limitations. Use the no form of the command to drop the stream instead if it cannot be prioritized due to bandwidth availability limitations.

Step 12
Command or Action: no ap dot11 {24ghz | 5ghz} shutdown
Example:
Device(config)# no ap dot11 24ghz shutdown
Purpose: Enables the 802.11 network.

Create and Attach Policy-based QoS Profile
The high-level steps to create and attach a policy-based QoS profile are as follows:
1. Create a QoS Profile
2. Create a Service Template
3. Map the Service Template to the Policy Map
4. Map the Policy Map to the Policy Profile

Create a QoS Profile (GUI)
Procedure

Step 1 Click Configuration > Services > QoS.
Step 2 Click Add to create a new QoS Policy.
Step 3 Enter a Policy Name.
Step 4 Enter a Description for the policy.
Step 5 In the Class Default section, choose a value in the Mark drop-down list.
Step 6 Enter the Police(kbps) value.
Step 7 Click Apply to Device.


Create a QoS Profile (CLI)

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: policy-map policy-map-name
Example:
Device(config)# policy-map QoS_Drop_Youtube
Purpose: Creates a policy map.

Step 3
Command or Action: description description
Example:
Device(config-pmap)# description QoS_Drop_Youtube
Purpose: Adds a description to the policy map.

Step 4
Command or Action: class class-map-name
Example:
Device(config-pmap)# class QoS_Drop_Youtube1_AVC_UI_CLASS
Purpose: Creates the policy criteria.

Step 5
Command or Action: police cir committed-information-rate
Example:
Device(config-pmap-c)# police cir 8000
Purpose: Polices the provided committed information rate.

Step 6
Command or Action: conform-action drop
Example:
Device(config-pmap-c-police)# conform-action drop
Purpose: Configures the action when the rate is less than the conform burst.

Step 7
Command or Action: exceed-action drop
Example:
Device(config-pmap-c-police)# exceed-action drop
Purpose: Configures the action when the rate is within the conform and conform plus exceed burst.

Step 8
Command or Action: end
Example:
Device(config-pmap-c-police)# end
Purpose: Returns to privileged EXEC mode.


Create a Service Template (GUI)
Procedure

Step 1 Choose Configuration > Security > Local Policy.
Step 2 On the Local Policy page, Service Template tab, click Add.
Step 3 In the Create Service Template window, enter the following parameters:
· Service Template Name: Enter a name for the template.
· VLAN ID: Enter the VLAN ID for the template. The valid range is between 1 and 4094.
· Session Timeout (secs): Sets the timeout duration for the template. The valid range is between 1 and 65535.
· Access Control List: Choose the Access Control List from the drop-down list.
· Ingress QOS: Choose the input QoS policy for the client from the drop-down list.
· Egress QOS: Choose the output QoS policy for the client from the drop-down list.
Step 4 Click Apply to Device.

Create a Service Template (CLI)

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: service-template template-name
Example:
Device(config)# service-template qos-template
Purpose: Configures the service template or identity policy.

Step 3
Command or Action: vlan vlan-id
Example:
Device(config-service-template)# vlan 87
Purpose: Specifies the VLAN ID.

Step 4
Command or Action: absolute-timer timer
Example:
Device(config-service-template)# absolute-timer 3600
Purpose: Specifies the session timeout value for a service template.

Step 5
Command or Action: service-policy qos input qos-policy
Example:
Device(config-service-template)# service-policy qos input QoS_Drop_Youtube
Purpose: Configures an input QoS policy for the client.

Step 6
Command or Action: service-policy qos output qos-policy
Example:
Device(config-service-template)# service-policy qos output QoS_Drop_Youtube
Purpose: Configures an output QoS policy for the client.

Step 7
Command or Action: end
Example:
Device(config-service-template)# end
Purpose: Returns to privileged EXEC mode.

Map the Service Template to the Policy Map (GUI)
Procedure

Step 1 Choose Configuration > Tags & Profiles > Policy.
Step 2 On the Policy Profile page, select the Policy Profile to be mapped.
Step 3 In the Edit Policy Profile window, click the Access Policies tab.
Step 4 Use the Local Subscriber Policy Name drop-down list to select the policy name.
Step 5 Click Update & Apply to Device.

Map the Service Template to the Policy Map (CLI)

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: parameter-map type subscriber attribute-to-service parameter-map-name
Example:
Device(config)# parameter-map type subscriber attribute-to-service QoS-Policy_Map-param
Purpose: Specifies the parameter map type and name.

Step 3
Command or Action: map-index map device-type eq filter-name user-role eq user-name
Example:
Device(config-parameter-map-filter)# 1 map device-type eq "Android" user-role eq "student"
Purpose: Specifies the parameter map attribute filter criteria. Multiple filters are used in the example provided here.

Step 4
Command or Action: map-index service-template service-template-name precedence precedence-num
Example:
Device(config-parameter-map-filter-submode)# 1 service-template Qos_template
Purpose: Specifies the service template.

Step 5
Command or Action: end
Example:
Device(config-parameter-map-filter-submode)# end
Purpose: Returns to privileged EXEC mode.

Step 6
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 7
Command or Action: policy-map type control subscriber policy-map-name
Example:
Device(config)# policy-map type control subscriber QoS-Policy_Map
Purpose: Specifies the policy map type.

Step 8
Command or Action: event identity-update match-all
Example:
Device(config-event-control-policymap)# event identity-update match-all
Purpose: Specifies the match criteria for the policy map.

Step 9
Command or Action: class-num class always do-until-failure
Example:
Device(config-event-control-policymap)# 1 class always do-until-failure
Purpose: Applies a class-map with a service-template.

Step 10
Command or Action: action-index map attribute-to-service table parameter-map-name
Example:
Device(config-event-control-policymap)# 1 map attribute-to-service table QoS-Policy_Map-param
Purpose: Applies a parameter map.


Map the Policy Map (GUI)
Procedure

Step 1 Choose Configuration > Security > Local Policy > Policy Map tab.
Step 2 Click Add.
Step 3 Enter a name in the Policy Map Name text field.
Step 4 Click Add to add the matching criteria information.
Step 5 Choose the service template from the Service Template drop-down list.
Step 6 Choose the filters from the Device Type, User Role, User Name, OUI, and MAC Address drop-down lists.
Step 7 Click Add Criteria.
Step 8 Click Apply to Device.

Map the Policy Map (CLI)

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wireless profile policy wlan-policy-profile-name
Example:
Device(config)# wireless profile policy test-policy-profile
Purpose: Configures a wireless policy profile.

Step 3
Command or Action: description profile-policy-description
Example:
Device(config-wireless-policy)# description "test policy profile"
Purpose: Adds a description for the policy profile.

Step 4
Command or Action: subscriber-policy-name policy-name
Example:
Device(config-wireless-policy)# subscriber-policy-name QoS-Policy_Map
Purpose: Configures the subscriber policy name.

Viewing Media Stream Information
Use the following show commands to view the media stream information.


To view media stream general information and status, use the following commands:

Device# show wireless media-stream multicast-direct state

Multicast-direct State........................... : enabled

Allowed WLANs:
WLAN-Name        WLAN-ID
----------------------------------------------------------
zsetup_mc        1
vwlc-mc_mo       3
mcuc_test1       4
mcuc_test2       5

Device# show wireless media-stream group summary

Number of Groups:: 4

Stream Name    Start IP       End IP         Status
-------------------------------------------------------------------------------
new2           231.2.2.3      231.2.4.4      Enabled
my234          234.0.0.0      234.10.10.10   Enabled
uttest2        235.1.1.20     235.1.1.25     Enabled
uttest3        235.1.1.40     235.1.1.200    Enabled

To view the details of a particular media stream, use the show wireless media-stream group detail media_stream_name command:

Device# show wireless media-stream group detail uttest2

Media Stream Name          : uttest2
Start IP Address           : 235.1.1.20
End IP Address             : 235.1.1.25
RRC Parameters:
  Avg Packet Size(Bytes)   : 1200
  Expected Bandwidth(Kbps) : 1000
  Policy                   : Admitted
  RRC re-evaluation        : Initial
  QoS                      : video
  Status                   : Multicast-direct
  Usage Priority           : 4
  Violation                : Drop

To view RRC information for a dot11 band, use the show ap dot11 {24ghz | 5ghz} media-stream rrc command:

Device# show ap dot11 5ghz media-stream rrc

Multicast-direct                 : Enabled
Best Effort                      : Disabled
Video Re-Direct                  : Disabled
Max Allowed Streams Per Radio    : Auto
Max Allowed Streams Per Client   : 5
Max Media-Stream Bandwidth       : 5
Max Voice Bandwidth              : 50
Max Media Bandwidth              : 43
Min PHY Rate (Kbps)              : 6000
Max Retry Percentage             : 5
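The rrc output above is the place to confirm that the per-band limits set in the Configuring Multicast Direct Admission Control (CLI) procedure are actually in effect. The following Python is an added example, not Cisco code: it parses the "Label : Value" lines into a dictionary and audits them against the ranges this guide documents (streams per radio 1-20 with 0/Auto meaning unlimited, streams per client up to 15 with 0 meaning unlimited, media bandwidths 5-85%). The sample text is constructed from the output shown above.

```python
"""Parse 'show ap dot11 {24ghz | 5ghz} media-stream rrc' output and audit it.

Assumes the "Label : Value" layout shown in this guide. The finding texts and
thresholds come from the ranges documented in the admission-control procedure.
"""
import re

# Constructed from the 'show ap dot11 5ghz media-stream rrc' output above.
SAMPLE_RRC_OUTPUT = """\
Multicast-direct                 : Enabled
Best Effort                      : Disabled
Video Re-Direct                  : Disabled
Max Allowed Streams Per Radio    : Auto
Max Allowed Streams Per Client   : 5
Max Media-Stream Bandwidth       : 5
Max Voice Bandwidth              : 50
Max Media Bandwidth              : 43
Min PHY Rate (Kbps)              : 6000
Max Retry Percentage             : 5
"""

# One "Label : Value" line; the label may contain spaces and parentheses.
_LINE = re.compile(r"^\s*(?P<key>[^:]+?)\s*:\s*(?P<value>.*?)\s*$")


def parse_rrc(text):
    """Return {label: value}; purely numeric values are converted to int,
    everything else (Enabled, Disabled, Auto, ...) stays a string."""
    settings = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # command echo, blank lines, etc.
        value = m.group("value")
        settings[m.group("key")] = int(value) if value.isdigit() else value
    return settings


def audit_rrc(settings):
    """Return a list of (severity, message) findings for one band."""
    findings = []
    if settings.get("Multicast-direct") != "Enabled":
        findings.append(("info", "multicast-direct is not enabled on this band; "
                                 "media streams are not converted to unicast"))

    per_radio = settings.get("Max Allowed Streams Per Radio")
    if per_radio in (0, "Auto"):
        findings.append(("warn", "no per-radio stream cap (0/Auto = unlimited); "
                                 "consider radio-maximum in the 1-20 range"))
    elif isinstance(per_radio, int) and not 1 <= per_radio <= 20:
        findings.append(("error", "per-radio stream cap %d is outside the "
                                  "documented 1-20 range" % per_radio))

    per_client = settings.get("Max Allowed Streams Per Client")
    if per_client == 0:
        findings.append(("warn", "no per-client stream cap (0 = unlimited); "
                                 "consider client-maximum in the 1-15 range"))
    elif isinstance(per_client, int) and per_client > 15:
        findings.append(("error", "per-client stream cap %d exceeds the "
                                  "documented maximum of 15" % per_client))

    for key in ("Max Media-Stream Bandwidth", "Max Media Bandwidth"):
        pct = settings.get(key)
        if isinstance(pct, int) and not 5 <= pct <= 85:
            findings.append(("error", "%s %d%% is outside the documented "
                                      "5-85%% range" % (key, pct)))

    if settings.get("Best Effort") == "Enabled":
        findings.append(("info", "admission-besteffort is enabled: streams that "
                                 "cannot be prioritized are still sent via the "
                                 "best-effort queue instead of being dropped"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_rrc(parse_rrc(SAMPLE_RRC_OUTPUT)):
        print("[%s] %s" % (severity, message))
```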


To view session announcement message details, use the show wireless media-stream message details command:

Device# show wireless media-stream message details

URL   :
Email : abc@cisc
Phone :
Note  :
State : Disabled

To view the list of clients in the blocked list database, use the show ip igmp snooping igmpv2-tracking command:

Device# show ip igmp snooping igmpv2-tracking
Client to SGV mappings
---------------------
Client: 10.10.10.215 Port: Ca1
  Group: 239.255.255.250 Vlan: 10 Source: 0.0.0.0 blacklisted: no
  Group: 234.5.6.7 Vlan: 10 Source: 0.0.0.0 blacklisted: no
  Group: 234.5.6.8 Vlan: 10 Source: 0.0.0.0 blacklisted: no
  Group: 234.5.6.9 Vlan: 10 Source: 0.0.0.0 blacklisted: no
Client: 10.10.101.177 Port: Ca2
  Group: 235.1.1.14 Vlan: 10 Source: 0.0.0.0 blacklisted: no
  Group: 235.1.1.16 Vlan: 10 Source: 0.0.0.0 blacklisted: no
  Group: 235.1.1.18 Vlan: 10 Source: 0.0.0.0 blacklisted: no
SGV to Client mappings
---------------------
Group: 234.5.6.7 Source: 0.0.0.0 Vlan: 10
  Client: 10.10.10.215 Port: Ca1 Blacklisted: no
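The igmpv2-tracking output is the quickest way to see which wireless clients have been placed in the blocked list and how many groups each client has joined. The following Python is an added example, not Cisco code: it parses the "Client to SGV mappings" section into a per-client structure and reports blocked clients and group counts. The sample text is constructed from the output shown above; the third client (10.10.10.99, blacklisted: yes) is an invented entry added so the report has something to flag.

```python
"""Parse the 'Client to SGV mappings' section of
'show ip igmp snooping igmpv2-tracking' and summarise it per client.

Assumes the line layout shown in this guide: a 'Client: <ip> Port: <port>' line
followed by one 'Group: ... blacklisted: yes|no' line per joined group.
"""
import re
from collections import OrderedDict

# Constructed from the output above plus one invented blacklisted client.
SAMPLE_TRACKING = """\
Client to SGV mappings
---------------------
Client: 10.10.10.215 Port: Ca1
  Group: 239.255.255.250 Vlan: 10 Source: 0.0.0.0 blacklisted: no
  Group: 234.5.6.7 Vlan: 10 Source: 0.0.0.0 blacklisted: no
  Group: 234.5.6.8 Vlan: 10 Source: 0.0.0.0 blacklisted: no
  Group: 234.5.6.9 Vlan: 10 Source: 0.0.0.0 blacklisted: no
Client: 10.10.101.177 Port: Ca2
  Group: 235.1.1.14 Vlan: 10 Source: 0.0.0.0 blacklisted: no
  Group: 235.1.1.16 Vlan: 10 Source: 0.0.0.0 blacklisted: no
  Group: 235.1.1.18 Vlan: 10 Source: 0.0.0.0 blacklisted: no
Client: 10.10.10.99 Port: Ca1
  Group: 235.1.1.20 Vlan: 10 Source: 0.0.0.0 blacklisted: yes
SGV to Client mappings
---------------------
Group: 234.5.6.7 Source: 0.0.0.0 Vlan: 10
  Client: 10.10.10.215 Port: Ca1 Blacklisted: no
"""

_CLIENT = re.compile(r"^\s*Client:\s*(\S+)\s+Port:\s*(\S+)\s*$")
_GROUP = re.compile(
    r"^\s*Group:\s*(\S+)\s+Vlan:\s*(\d+)\s+Source:\s*(\S+)\s+blacklisted:\s*(yes|no)\s*$",
    re.IGNORECASE,
)


def parse_client_mappings(text):
    """Return an ordered {client_ip: {"port": str, "groups": [dict, ...]}} for the
    Client-to-SGV section only; parsing stops at the SGV-to-Client section,
    whose 'Client:' lines have a different shape."""
    clients = OrderedDict()
    current = None
    in_section = False
    for line in text.splitlines():
        if line.startswith("Client to SGV mappings"):
            in_section = True
            continue
        if line.startswith("SGV to Client mappings"):
            break
        if not in_section:
            continue
        m = _CLIENT.match(line)
        if m:
            current = m.group(1)
            clients[current] = {"port": m.group(2), "groups": []}
            continue
        m = _GROUP.match(line)
        if m and current is not None:
            clients[current]["groups"].append({
                "group": m.group(1),
                "vlan": int(m.group(2)),
                "source": m.group(3),
                "blacklisted": m.group(4).lower() == "yes",
            })
    return clients


def blocked_clients(mappings):
    """Clients with at least one group entry marked blacklisted: yes."""
    return sorted(ip for ip, rec in mappings.items()
                  if any(g["blacklisted"] for g in rec["groups"]))


def group_counts(mappings):
    """Number of multicast groups each client has joined."""
    return {ip: len(rec["groups"]) for ip, rec in mappings.items()}


if __name__ == "__main__":
    mappings = parse_client_mappings(SAMPLE_TRACKING)
    for ip, count in group_counts(mappings).items():
        print("%-16s port=%-4s groups=%d" % (ip, mappings[ip]["port"], count))
    print("blocked:", blocked_clients(mappings))
```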

To view the wireless client summary, use the show wireless media-stream client summary command:

Device# show wireless media-stream client summary

To view details of a specific wireless media stream, use the show wireless media-stream client detail command:

Device# show wireless media-stream client detail uttest2

Media Stream Name          : uttest2
Start IP Address           : 235.1.1.20
End IP Address             : 235.1.1.25
RRC Parameters:
  Avg Packet Size(Bytes)   : 1200
  Expected Bandwidth(Kbps) : 1000
  Policy                   : Admitted
  RRC re-evaluation        : Initial
  QoS                      : video
  Status                   : Multicast-direct
  Usage Priority           : 4
  Violation                : Drop


PART XV
Software-Defined Access Wireless
· Software-Defined Access Wireless, on page 1499
· Passive Client, on page 1507
· Fabric in a Box with External Fabric Edge, on page 1515

CHAPTER 153
Software-Defined Access Wireless
· Information About Software-Defined Access Wireless, on page 1499
· Configuring SD-Access Wireless, on page 1502
· Verifying SD-Access Wireless, on page 1506

Information About Software-Defined Access Wireless
The Enterprise Fabric provides end-to-end enterprise-wide segmentation, flexible subnet addressing, and controller-based networking with uniform enterprise-wide policy and mobility. It moves the enterprise network from current VLAN-centric architecture to a user group-based enterprise architecture, with flexible Layer 2 extensions within and across sites. Enterprise fabric is a network topology where traffic is passed through inter-connected switches, while providing the abstraction of a single Layer 2 or Layer 3 device. This provides seamless connectivity, with policy application and enforcement at the edge of the fabric. Fabric uses IP overlay, which makes the network appear as a single virtual entity without using clustering technologies. The following definitions are used for fabric nodes:
· Enterprise Fabric: A network topology where traffic is passed through inter-connected switches, while providing the abstraction of a single Layer 2 or Layer 3 device.
· Fabric Domain: An independent operation part of the network. It is administered independent of other fabric domains.
· End Points: Hosts or devices that connect to the fabric edge node are known as end points (EPs). They directly connect to the fabric edge node or through a Layer 2 network.
The following figure shows the components of a typical SD-Access Wireless. It consists of Fabric Border Nodes (BN), Fabric Edge Nodes (EN), Wireless Controller, Cisco DNA Center, and Host Tracking Database (HDB).

Figure 39: Software-Defined Access Wireless

The figure covers the following deployment topologies:
· All-in-one Fabric: Fabric Edge, Fabric Border, Control Plane, and controller functionality are all enabled on a Cat 9K switch. This topology is depicted in the middle part of the figure.
· Split topology: Fabric Border, Control Plane, or controller on a Cat 9K switch, with a separate Fabric Edge. This topology is depicted in the left-most part of the figure.
· Co-located Fabric Edge and Controller: Fabric Edge and controller on a Cat 9K switch. This topology is depicted in the right-most part of the figure.
Cisco DNA Center: An open, software-driven architecture built on a set of design principles, with the objective of configuring and managing Cisco Catalyst 9800 Series Wireless Controllers.

Control Plane: The host tracking database that allows the network to determine the location of a device or user. When the EP ID of a host is learned, other end points can query the database for the location of the host. The flexibility of tracking subnets helps summarization across domains and improves the scalability of the database.

Fabric Border Node (Proxy Egress Tunnel Router [PxTR or PITR/PETR] in LISP): These nodes connect traditional Layer 3 networks or different fabric domains to the enterprise fabric domain. If there are multiple fabric domains, these nodes connect a fabric domain to one or more fabric domains, which could be of the same or different type. These nodes are responsible for translating context from one fabric domain to another. When the encapsulation is the same across different fabric domains, the translation of fabric context is generally 1:1. The fabric control planes of two domains exchange reachability and policy information through this device.

Fabric Edge Nodes (Egress Tunnel Router [ETR] or Ingress Tunnel Router [ITR] in LISP): These nodes are responsible for admitting, encapsulating or decapsulating, and forwarding traffic from the EPs. They lie at the perimeter of the fabric and are the first points of attachment of the policy. EPs can be attached to a fabric edge node directly, or indirectly through an intermediate Layer 2 network that lies outside the fabric domain. Traditional Layer 2 networks, wireless access points, or end hosts are connected to fabric edge nodes.

Wireless Controller: The controller provides AP image and configuration management, client session management, and mobility. Additionally, it registers the MAC address of wireless clients in the host tracking database when a client joins, and updates the location when the client roams.

Access Points: The AP applies all the wireless-media-specific features, for example, radio and SSID policies, web authentication punt, and peer-to-peer blocking. It establishes CAPWAP control and data tunnels to the controller. It converts 802.11 data traffic from wireless clients to 802.3 and sends it to the access switch with VXLAN encapsulation.
SD-Access simplifies the following in wireless networks:
· Addressing
· Mobility
· Guest access and the move towards multi-tenancy
· Subnet extension (stretched subnets)
· Consistent wireless policies

Note Role co-location between wireless controller and fabric edge is supported.

Platform Support
Table 76: Supported Platforms for Software-Defined Access Wireless

Platform | Support
Catalyst 9300 | Yes
Catalyst 9400 | Yes
Catalyst 9500H | Yes
Cisco Catalyst 9800 Series Wireless Controller for Cloud | Yes
Cisco Catalyst 9800-40 Series Wireless Controller | Yes
Cisco Catalyst 9800-80 Series Wireless Controller | Yes

Table 77: Multi-Instance Support

Multi-instance | Support
Multiple LISP sessions | Yes
Emulated database support | Yes
Client roaming between WNCd instances | Yes

Table 78: Feature Support

Feature | Support
Inter-WLC roam for IRCM | Only L2 mobility is supported, as the VLAN is stretched across the fabric.
DNS-IPv4-ACL | ACLs are enforced at the AP. The controller needs to push the DNS-ACL information to the AP.
IPv6 ACL for clients | Yes. Open, 802.1X, WebAuth, and PSK WLANs, as well as IPv6 address visibility, are also supported.
Location tracking/Hyperlocation | Yes
Multicast Video-Stream (IPv4) | Yes
Smart Licensing | Yes

Table 79: Outdoor Access Points Support

AP | Support
1542 | Yes
1560 | Yes

Configuring SD-Access Wireless
· To enable SD-Access wireless globally, run the wireless fabric command in global configuration mode.
· During SD-Access Wireless provisioning, ensure that each L2-VNID value is unique.

Configuring Default Map Server (GUI)
Procedure

Step 1: Click Configuration > Wireless Plus > Fabric > Fabric Configuration.
Step 2: In the Map Server section, specify the IP address and preshared key details for Server 1.
Step 3: Optionally, specify the IP address and preshared key details for Server 2.
Step 4: Click Apply.

Configuring Default Map Server (CLI)
Follow the procedure given below to configure the default map server:

Procedure

Step 1: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: wireless fabric control-plane map-server-name
Example: Device(config)# wireless fabric control-plane map-server-name
Purpose: Configures the default map server and enters control-plane configuration mode. Here, map-server-name names a pair of map servers.

Step 3: ip address ip-address key user_password reenter_password
Example: Device(config-wireless-cp)# ip address 200.0.0.0 key user-password user-password
Purpose: Configures the IP address of the default map server and the preshared key that authenticates the controller to it. The key must match the one configured on the map server.

Step 4: end
Example: Device(config-wireless-cp)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Configuring SD-Access Wireless Profile (GUI)
Procedure

Step 1: Choose Configuration > Wireless > Fabric.
Step 2: On the Fabric page, click the Profiles tab and click Add.
Step 3: In the Add New Profile window that is displayed, specify the following parameters:
· Profile name
· Description
· L2 VNID; the valid range is 0 to 16777215
· SGT tag; the valid range is 2 to 65519
Step 4: Click Save & Apply to Device.

Configuring SD-Access Wireless Profile (CLI)
Follow the procedure given below to configure an SD-Access wireless profile:

Procedure

Step 1: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: wireless profile fabric fabric-profile-name
Example: Device(config)# wireless profile fabric fabric-profile-name
Purpose: Configures the SD-Access wireless profile parameters and enters fabric profile configuration mode.

Step 3: sgt-tag sgt
Example: Device(config-wireless-fabric)# sgt-tag 2
Purpose: Configures the SGT tag. Here, sgt is the security group tag value; the valid range is 2 to 65519. The default value is 0.

Step 4: client-l2-vnid client-l2-vnid
Example: Device(config-wireless-fabric)# client-l2-vnid client-l2-vnid
Purpose: Configures the client L2-VNID. Here, client-l2-vnid is the client L2-VNID value; the valid range is 0 to 16777215.

Step 5: end
Example: Device(config-wireless-fabric)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Configuring Map Server in Site Tag (GUI)
Before you begin
Ensure that you have configured a control plane when configuring the wireless fabric.

Procedure

Step 1: Choose Configuration > Tags & Profiles > Tags.
Step 2: On the Manage Tags page, click the Site tab.
Step 3: Click the name of the site tag.
Step 4: In the Edit Site Tag window, choose the fabric control plane name from the Control Plane Name drop-down list.
Step 5: Save the configuration.

Configuring Map Server in Site Tag (CLI)
Follow the procedure given below to configure a map server in a site tag:

Procedure

Step 1: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: wireless tag site site-tag
Example: Device(config)# wireless tag site default-site-tag
Purpose: Configures the site tag and enters site tag configuration mode. Here, site-tag is the site tag name.

Step 3: fabric control-plane map-server-name
Example: Device(config-site-tag)# fabric control-plane map-server-name
Purpose: Configures the fabric control plane details. Here, map-server-name is the fabric control plane name associated with the site tag.

Step 4: end
Example: Device(config-site-tag)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Configuring Map Server per L2-VNID (GUI)
Procedure

Step 1: Choose Configuration > Wireless > Fabric.
Step 2: On the Fabric Configuration page, in the Fabric VNID Mapping section, click Add.
Step 3: In the Add Client and AP VNID window, specify a name for the fabric, the L2 VNID value (the valid range is 0 to 16777215), and the control plane name.
Step 4: Save the configuration.

Configuring Map Server per L2-VNID (CLI)
Follow the procedure given below to configure a map server per L2-VNID:

Procedure

Step 1: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: wireless fabric name name l2-vnid l2-vnid-value l3-vnid l3-vnid-value ip network-ip subnet-mask control-plane-name control-plane-name
Example: Device(config)# wireless fabric name fabric_name l2-vnid 2 l3-vnid 2 ip 122.220.234.0 255.255.0.0 control-plane-name sample-control-plane
Purpose: Adds an entry to the VNID map table and associates it with a map server.
· name is the fabric name.
· l2-vnid-value is the L2 VNID value. The valid range is 0 to 16777215.
· l3-vnid-value is the L3 VNID value. The valid range is 0 to 16777215.
· control-plane-name is the control plane name.

Step 3: end
Example: Device(config)# end
Purpose: Returns to privileged EXEC mode.

Verifying SD-Access Wireless

You can verify the SD-Access wireless configuration using the following commands:
Table 80: Commands for Verifying SD-Access Wireless

Command | Description
show wireless fabric summary | Displays the fabric status.
show wireless fabric vnid mapping | Displays all the VNID mapping details.
show wireless profile fabric detailed fabric_profile_name | Displays the details of the given fabric profile.
show ap name AP_name config general | Displays the general details of the Cisco AP.
show wireless client mac MAC_addr detail | Displays detailed information for a client by MAC address.
show wireless tag site detailed site_tag | Displays the detailed parameters of a site tag.

CHAPTER 154
Passive Client
· Information About Passive Clients, on page 1507
· Enabling Passive Client on WLAN Policy Profile (GUI), on page 1507
· Enabling Passive Client on WLAN Policy Profile (CLI), on page 1508
· Enabling ARP Broadcast on VLAN (GUI), on page 1508
· Enabling ARP Broadcast on VLAN (CLI), on page 1509
· Configuring Passive Client in Fabric Deployment, on page 1509
· Verifying Passive Client Configuration, on page 1513
Information About Passive Clients
Passive clients are wireless devices, such as printers and devices configured with a static IP address, that do not transmit any IP information after associating to an AP. As a result, the controller does not learn their IP address unless they perform the DHCP process.
On the controller, such clients remain in the Learn IP state and are timed out because of the DHCP policy timeout.
The Passive Client feature can be enabled on a per-WLAN basis. Enabling it changes a few default behaviors to better accommodate passive clients:
· No client times out in the IP_LEARN phase; the controller keeps waiting to learn the client's IP address. Note that the idle timeout remains active and deletes the client entry after the timeout period expires if the client stays silent throughout.
· If the controller does not know the client IP address, ARP requests coming from the wired side are broadcast to all the APs to ensure that they reach the passive client. The controller then learns the client IP from the ARP response.

Enabling Passive Client on WLAN Policy Profile (GUI)
Procedure

Step 1: Choose Configuration > Tags & Profiles > Policy and click Add to open the Add Policy Profile page.
Step 2: In the General tab, use the slider to enable Passive Client.
Step 3: Click Save & Apply to Device.

Enabling Passive Client on WLAN Policy Profile (CLI)

Procedure

Step 1: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: wireless profile policy policy-profile
Example: Device(config)# wireless profile policy rr-xyz-policy-1
Purpose: Configures the WLAN policy profile and enters wireless policy configuration mode.

Step 3: [no] passive-client
Example: Device(config-wireless-policy)# passive-client
Purpose: Enables Passive Client. Use the no form of the command to disable it.

Step 4: end
Example: Device(config-wireless-policy)# end
Purpose: Returns to privileged EXEC mode.

Enabling ARP Broadcast on VLAN (GUI)
Procedure

Step 1: Choose Configuration > Layer2 > VLAN and click the VLAN tab.
Step 2: Click Add to open the Create VLAN window.
Step 3: Use the slider to enable ARP Broadcast.
Step 4: Click Save & Apply to Device.

Enabling ARP Broadcast on VLAN (CLI)

Note: The ARP Broadcast feature is not supported on VLAN groups.

Procedure

Step 1: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: vlan configuration vlan-id
Example: Device(config)# vlan configuration 1
Purpose: Configures a VLAN or a collection of VLANs and enters VLAN configuration mode.

Step 3: [no] arp broadcast
Example: Device(config-vlan)# arp broadcast
Purpose: Enables ARP broadcast on the VLAN. Use the no form of the command to disable it.

Step 4: end
Example: Device(config-vlan)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Configuring Passive Client in Fabric Deployment
For the passive client feature to work in a fabric deployment, you need to enable the following:
· ARP broadcast on the VLANs
· LISP multicast. For information on LISP multicast, see: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_lisp/configuration/xe-3s/irl-xe-3s-book/irl-lisp-multicast.html
For information on LISP (Locator ID Separation Protocol), see: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_lisp/configuration/xe-3s/irl-xe-3s-book/irl-cfg-lisp.html

Enabling Broadcast Underlay on VLAN

Note: You can perform the following configuration tasks from the Fabric Edge Node only, not from your controller.

Procedure

Step 1: configure terminal
Example: FabricEdge# configure terminal
Purpose: Enters global configuration mode.

Step 2: router lisp
Example: FabricEdge(config)# router lisp
Purpose: Enters LISP configuration mode.

Step 3: instance-id instance
Example: FabricEdge(config-router-lisp)# instance-id 3
Purpose: Creates a LISP EID instance to group multiple services. Configurations under this instance-id apply to all services underneath it.

Step 4: service ipv4
Example: FabricEdge(config-router-lisp-instance)# service ipv4
Purpose: Enables Layer 3 network services for the IPv4 address family and enters the service submode.

Step 5: database-mapping eid locator-set RLOC-name
Example: FabricEdge(config-router-lisp-instance-service)# database-mapping 66.66.66.64/32 locator-set rloc1
Purpose: Configures the EID-to-RLOC mapping relationship.

Step 6: map-cache destination-eid map-request
Example: FabricEdge(config-router-lisp-instance-service)# map-cache 0.0.0.0/0 map-request
Purpose: Generates a static map request for the destination EID.

Step 7: exit-service-ipv4
Example: FabricEdge(config-router-lisp-instance-service)# exit-service-ipv4
Purpose: Exits the service submode.

Step 8: exit-instance-id
Example: FabricEdge(config-router-lisp-instance)# exit-instance-id
Purpose: Exits the instance submode.

Step 9: instance-id instance
Example: FabricEdge(config-router-lisp)# instance-id 101
Purpose: Creates a LISP EID instance to group multiple services.

Step 10: service ethernet
Example: FabricEdge(config-router-lisp-instance)# service ethernet
Purpose: Enables Layer 2 network services and enters the service submode.

Step 11: eid-table vlan vlan-number
Example: FabricEdge(config-router-lisp-instance-service)# eid-table vlan 101
Purpose: Associates the LISP instance-id configured earlier with a VLAN through which the endpoint identifier address space is reachable.

Step 12: broadcast-underlay multicast-group
Example: FabricEdge(config-router-lisp-instance-service)# broadcast-underlay 239.0.0.1
Purpose: Specifies the multicast group used by the underlay to carry the overlay Layer 2 broadcast traffic.

Step 13: exit-service-ethernet
Example: FabricEdge(config-router-lisp-instance-service)# exit-service-ethernet
Purpose: Exits the service submode.

Step 14: exit-instance-id
Example: FabricEdge(config-router-lisp-instance)# exit-instance-id
Purpose: Exits the instance submode.

Enabling ARP Flooding

Note: You can perform the following configuration tasks from the Fabric Edge Node only, not from your controller.

Procedure

Step 1: configure terminal
Example: FabricEdge# configure terminal
Purpose: Enters global configuration mode.

Step 2: router lisp
Example: FabricEdge(config)# router lisp
Purpose: Enters LISP configuration mode.

Step 3: instance-id instance
Example: FabricEdge(config-router-lisp)# instance-id 3
Purpose: Creates a LISP EID instance to group multiple services. Configurations under this instance-id apply to all services underneath it.

Step 4: service ipv4
Example: FabricEdge(config-router-lisp-instance)# service ipv4
Purpose: Enables Layer 3 network services for the IPv4 address family and enters the service submode.

Step 5: database-mapping eid locator-set RLOC-name
Example: FabricEdge(config-router-lisp-instance-service)# database-mapping 66.66.66.64/32 locator-set rloc1
Purpose: Configures the EID-to-RLOC mapping relationship.

Step 6: map-cache destination-eid map-request
Example: FabricEdge(config-router-lisp-instance-service)# map-cache 0.0.0.0/0 map-request
Purpose: Generates a static map request for the destination EID.

Step 7: exit-service-ipv4
Example: FabricEdge(config-router-lisp-instance-service)# exit-service-ipv4
Purpose: Exits the service submode.

Step 8: exit-instance-id
Example: FabricEdge(config-router-lisp-instance)# exit-instance-id
Purpose: Exits the instance submode.

Step 9: instance-id instance
Example: FabricEdge(config-router-lisp)# instance-id 101
Purpose: Creates a LISP EID instance to group multiple services.

Step 10: service ethernet
Example: FabricEdge(config-router-lisp-instance)# service ethernet
Purpose: Enables Layer 2 network services and enters the service submode.

Step 11: eid-table vlan vlan-number
Example: FabricEdge(config-router-lisp-instance-service)# eid-table vlan 101
Purpose: Associates the LISP instance-id configured earlier with a VLAN through which the endpoint identifier address space is reachable.

Step 12: flood arp-nd
Example: FabricEdge(config-router-lisp-instance-service)# flood arp-nd
Purpose: Enables ARP flooding.

Step 13: database-mapping mac locator-set RLOC-name
Example: FabricEdge(config-router-lisp-instance-service)# database-mapping mac locator-set rloc1
Purpose: Configures the EID-to-RLOC mapping relationship.

Step 14: exit-service-ethernet
Example: FabricEdge(config-router-lisp-instance-service)# exit-service-ethernet
Purpose: Exits the service submode.

Step 15: exit-instance-id
Example: FabricEdge(config-router-lisp-instance)# exit-instance-id
Purpose: Exits the instance submode.

Verifying Passive Client Configuration

To verify the status of the Passive Client, use the following command:
Device# show wireless profile policy detailed sample-profile-policy

Policy Profile Name            : sample-profile-policy
Description                    : sample-policy
Status                         : ENABLED
VLAN                           : 20
Client count                   : 0
Passive Client                 : ENABLED <--------------------
WLAN Switching Policy
  Central Switching            : ENABLED
  Central Authentication       : ENABLED
  Central DHCP                 : DISABLED
  Override DNS                 : DISABLED
  Override NAT PAT             : DISABLED
  Central Assoc                : DISABLED
. . .

To verify the VLANs that have ARP broadcast enabled, use the following command:
Device# show platform software arp broadcast
Arp broadcast is enabled on vlans: 20

CHAPTER 155
Fabric in a Box with External Fabric Edge
· Introduction to Fabric in a Box with External Fabric Edge, on page 1515
· Configuring a Fabric Profile (CLI), on page 1515
· Configuring a Policy Profile (CLI), on page 1516
· Configuring a Site Tag (CLI), on page 1517
· Configuring a WLAN (CLI), on page 1518
· Configuring a Policy Tag (CLI), on page 1518
· Configuring an AP Profile, on page 1519
· Configuring Map Server and AP Subnet (CLI), on page 1519
· Configuring Fabric on FiaB Node, on page 1520
· Configuring a Fabric Edge Node, on page 1526
· Verifying Fabric Configuration, on page 1533
Introduction to Fabric in a Box with External Fabric Edge
From Cisco IOS XE Amsterdam 17.2.1, the Fabric in a Box (FiaB) topology supports external fabric edge nodes. In a fabric-enabled wireless environment using FiaB (border node, control plane, fabric edge, and wireless controller in the same box), you can expand the network by adding external fabric edge nodes. The external fabric edge helps to increase the port density and extend the wireless reach by adding more APs. The APs and clients can exist on both the FiaB and the external fabric edge nodes. Also, the clients can roam between the APs on the FiaB and the external fabric edge nodes.

Configuring a Fabric Profile (CLI)

Procedure

Step 1: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: wireless profile fabric fabric-profile-name
Example: Device(config)# wireless profile fabric test-fabric-profile
Purpose: Configures the wireless fabric profile parameters and enters fabric profile configuration mode.

Step 3: client-l2-vnid client-l2-vnid
Example: Device(config-wireless-fabric)# client-l2-vnid 8189
Purpose: Configures the client L2-VNID. Here, client-l2-vnid is the client L2-VNID value; the valid range is 0 to 16777215.

Step 4: description description
Example: Device(config-wireless-fabric)# description test-fabric-profile
Purpose: Adds a description for the fabric profile.

Step 5: end
Example: Device(config-wireless-fabric)# end
Purpose: Returns to privileged EXEC mode.

Configuring a Policy Profile (CLI)

Procedure

Step 1: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: wireless profile policy profile-policy
Example: Device(config)# wireless profile policy test-policy-profile
Purpose: Configures the wireless policy profile and enters wireless policy configuration mode.

Step 3: no central dhcp
Example: Device(config-wireless-policy)# no central dhcp
Purpose: Configures local DHCP mode, where DHCP is handled at the AP.

Step 4: no central switching
Example: Device(config-wireless-policy)# no central switching
Purpose: Configures the WLAN for local switching.

Step 5: fabric fabric-name
Example: Device(config-wireless-policy)# fabric test-fabric-profile
Purpose: Applies the fabric profile to the policy profile.

Step 6: no shutdown
Example: Device(config-wireless-policy)# no shutdown
Purpose: Enables the policy profile.

Step 7: end
Example: Device(config-wireless-policy)# end
Purpose: Returns to privileged EXEC mode.

Configuring a Site Tag (CLI)

Procedure

Step 1: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: wireless tag site site-tag
Example: Device(config)# wireless tag site default-site-tag-fabric
Purpose: Configures the site tag and enters site tag configuration mode.

Step 3: ap-profile ap-profile-name
Example: Device(config-site-tag)# ap-profile default-ap-profile-fabric
Purpose: Assigns an AP profile to the wireless site.

Step 4: description description
Example: Device(config-site-tag)# description fabric-site
Purpose: Adds a description to the site tag.

Step 5: end
Example: Device(config-site-tag)# end
Purpose: Returns to privileged EXEC mode.

Configuring a WLAN (CLI)

Procedure

Step 1: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: wlan wlan-name wlan-id SSID-name
Example: Device(config)# wlan test-wlan 1 test-wlan
Purpose: Configures a WLAN and enters WLAN configuration submode.

Step 3: no shutdown
Example: Device(config-wlan)# no shutdown
Purpose: Enables the WLAN.

Configuring a Policy Tag (CLI)

Procedure

Step 1: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: wireless tag policy policy-tag-name
Example: Device(config)# wireless tag policy test-policy-tag
Purpose: Configures the policy tag and enters policy tag configuration mode.

Step 3: wlan wlan-name policy profile-policy-name
Example: Device(config-policy-tag)# wlan test-wlan policy test-policy-profile
Purpose: Maps a policy profile to a WLAN profile.

Step 4: end
Example: Device(config-policy-tag)# end
Purpose: Returns to privileged EXEC mode.

Configuring an AP Profile

Procedure

Step 1: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: ap profile ap-profile-name
Example: Device(config)# ap profile test-ap-profile
Purpose: Configures an AP profile and enters AP profile configuration mode.

Step 3: ap ap-ether-mac
Example: Device(config)# ap 006b.f126.036e
Purpose: Enters AP tag configuration mode for the AP with the given Ethernet MAC address. This is a global configuration command.

Step 4: policy-tag policy-tag
Example: Device(config-ap-tag)# policy-tag test-policy-tag
Purpose: Specifies the policy tag that is to be attached to the AP.

Step 5: end
Example: Device(config-ap-tag)# end
Purpose: Returns to privileged EXEC mode.

Configuring Map Server and AP Subnet (CLI)

Procedure

Step 1: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: wireless fabric
Example: Device(config)# wireless fabric
Purpose: Enables SD-Access wireless globally.

Step 3: wireless fabric name name l2-vnid l2-vnid-value l3-vnid l3-vnid-value ip network-ip subnet-mask
Example: Device(config)# wireless fabric name 40_40_0_0-INFRA_VN l2-vnid 8188 l3-vnid 4097 ip 40.40.0.0 255.255.0.0
Purpose: Configures the AP subnet Layer 2 and Layer 3 VNIDs.

Step 4: wireless fabric name name l2-vnid l2-vnid-value
Example: Device(config)# wireless fabric name 41_41_0_0-DEFAULT_VN l2-vnid 8189
Purpose: Defines the client Layer 2 VNID for AAA override.

Step 5: wireless fabric control-plane name
Example: Device(config)# wireless fabric control-plane default-control-plane
Purpose: Configures the control plane name and enters control-plane configuration mode.

Step 6: ip address ip-address key shared-key
Example: Device(config-wireless-cp)# ip address 5.5.5.5 key 0 3a18df
Purpose: Configures the map server IP address and the authentication key shared with the map server. The 0 indicates that the key is entered in plaintext.

Step 7: end
Example: Device(config-wireless-cp)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.
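The controller-side commands in this chapter and in the "Software-Defined Access Wireless" chapter reference each other by name and number: a policy tag maps a WLAN to a policy profile, the policy profile names a fabric profile, the fabric profile carries a client L2-VNID that must be unique, site tags and wireless fabric name entries name a control plane that must exist, and the control plane holds the map server key. A typo in any of those names silently leaves clients outside the fabric. The following Python script is an added example, not part of this configuration guide: it parses a running-config excerpt into its blocks and reports dangling references, client-l2-vnid and sgt-tag values outside the ranges the guide states, a client L2-VNID shared by two fabric profiles, and a map server key given as type 0 (plaintext). The excerpt is constructed and deliberately faulty; its names, VNIDs and key are assumptions.

```python
"""Audit controller-side SD-Access wireless config for broken references and
out-of-range values. Added example, not from the guide; the sample is constructed."""
import re
from collections import defaultdict

L2_VNID_MAX = 16_777_215      # 24-bit VNID; the range the guide states for client-l2-vnid
SGT_MIN, SGT_MAX = 2, 65_519  # the range the guide states for sgt-tag (default 0 = not set)

SAMPLE_CONFIG = """\
wireless fabric
wireless fabric control-plane default-control-plane
 ip address 5.5.5.5 key 0 3a18df
wireless fabric name 40_40_0_0-INFRA_VN l2-vnid 8188 l3-vnid 4097 ip 40.40.0.0 255.255.0.0 control-plane-name default-control-plane
wireless fabric name guest-vn l2-vnid 8190 control-plane-name guest-cp
wireless profile fabric test-fabric-profile
 client-l2-vnid 8189
 sgt-tag 17
wireless profile fabric guest-fabric-profile
 client-l2-vnid 8189
wireless profile policy test-policy-profile
 fabric test-fabric-profile
 no shutdown
wireless profile policy guest-policy-profile
 fabric missing-fabric-profile
 no shutdown
wireless tag site default-site-tag-fabric
 fabric control-plane default-control-plane
wireless tag site branch-site
 fabric control-plane branch-cp
wireless tag policy test-policy-tag
 wlan test-wlan policy test-policy-profile
 wlan guest-wlan policy guest-policy-profile
"""

def parse_blocks(text):
    """Split a running config into (header line, [indented child lines])."""
    blocks = []
    for raw in (line for line in text.splitlines() if line.strip()):
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        elif not raw[0].isspace():
            blocks.append((raw.strip(), []))
    return blocks

def first_arg(body, prefix, index=1):
    """Word `index` of the first body line starting with prefix, or None."""
    return next((line.split()[index] for line in body if line.startswith(prefix)), None)

def audit_sda_wireless(config_text):
    """Return a list of findings; an empty list means every check passed."""
    cps, names, fprofs, pprofs, sites, ptags = {}, {}, {}, {}, {}, []
    for header, body in parse_blocks(config_text):
        w = header.split()
        if header.startswith("wireless fabric control-plane "):
            cps[w[3]] = [line for line in body if line.startswith("ip address ")]
        elif header.startswith("wireless fabric name "):
            cp = re.search(r"\bcontrol-plane-name (\S+)", header)
            names[w[3]] = cp.group(1) if cp else None
        elif header.startswith("wireless profile fabric "):
            vnid, sgt = first_arg(body, "client-l2-vnid "), first_arg(body, "sgt-tag ")
            fprofs[w[3]] = (int(vnid) if vnid else None, int(sgt) if sgt else None)
        elif header.startswith("wireless profile policy "):
            pprofs[w[3]] = first_arg(body, "fabric ")
        elif header.startswith("wireless tag site "):
            sites[w[3]] = first_arg(body, "fabric control-plane ", 2)
        elif header.startswith("wireless tag policy "):
            ptags += [(w[3], line.split()[1], line.split()[3])
                      for line in body if line.startswith("wlan ") and " policy " in line]

    f = []
    for cp, servers in cps.items():
        for s in servers:  # 'ip address <ip> key 0 <key>': 0 means the key was given in plaintext
            if re.search(r"\bkey 0\b", s):
                f.append(f"control plane {cp}: map server {s.split()[2]} key given as type 0 (plaintext)")
    for name, cp in names.items():
        if cp and cp not in cps:
            f.append(f"fabric name {name}: control plane {cp} is not defined")
    by_vnid = defaultdict(list)
    for prof, (vnid, sgt) in fprofs.items():
        if vnid is None or not 0 <= vnid <= L2_VNID_MAX:
            f.append(f"fabric profile {prof}: client-l2-vnid {vnid} missing or outside 0-{L2_VNID_MAX}")
        else:
            by_vnid[vnid].append(prof)
        if sgt is None:
            f.append(f"fabric profile {prof}: sgt-tag not set (default 0, no security group tag applied)")
        elif not SGT_MIN <= sgt <= SGT_MAX:
            f.append(f"fabric profile {prof}: sgt-tag {sgt} outside {SGT_MIN}-{SGT_MAX}")
    for vnid, profs in by_vnid.items():
        if len(profs) > 1:  # the guide requires each L2-VNID to be unique
            f.append(f"L2-VNID {vnid} is not unique: used by {', '.join(sorted(profs))}")
    for tag, cp in sites.items():
        if cp and cp not in cps:
            f.append(f"site tag {tag}: control plane {cp} is not defined")
    for tag, wlan, pp in ptags:
        if pp not in pprofs:
            f.append(f"policy tag {tag}: WLAN {wlan} maps to undefined policy profile {pp}")
        elif pprofs[pp] and pprofs[pp] not in fprofs:
            f.append(f"policy profile {pp}: fabric profile {pprofs[pp]} is not defined")
    return f
```

Feed audit_sda_wireless the output of show running-config (or the relevant section of it). On the constructed excerpt it reports six findings: the plaintext map server key, two control planes that are named but never defined, a fabric profile with no sgt-tag, L2-VNID 8189 used by two fabric profiles, and a policy profile that applies a fabric profile that does not exist. Fixing those and re-running returns an empty list.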

Configuring Fabric on FiaB Node

Procedure Step 1 Step 2 Step 3

Command or Action configure terminal Example:
FiaB# configure terminal
router lisp Example:
FiaB(config)# router lisp
locator-table default Example:

Purpose Enters global configuration mode.
Enters LISP configuration mode.
Associates a default Virtual Routing and Forwarding (VRF) table through which the routing locator address space is reachable to a

Cisco Catalyst 9800 Series Wireless Controller Software Configuration Guide, Cisco IOS XE Bengaluru 17.5.x 1520

Step 4: locator-set locator-set-name
Example: FiaB(config-router-lisp)# locator-set WLC
Purpose: Specifies a named locator set and enters LISP locator-set configuration mode.

Step 5: ip-address
Example: FiaB(config-router-lisp-locator-set)# 5.5.5.5
Purpose: Specifies an IP address of a loopback or other egress tunnel router (ETR) interface.

Step 6: exit-locator-set
Example: FiaB(config-router-lisp-locator-set)# exit-locator-set
Purpose: Exits LISP locator-set configuration mode.

Step 7: locator-set rloc_loopback
Example: FiaB(config-router-lisp)# locator-set rloc_loopback
Purpose: Specifies an existing locator set and enters LISP locator-set configuration mode.

Step 8: ipv4-interface interface
Example: FiaB(config-router-lisp-locator-set)# IPv4-interface Loopback0
Purpose: Configures a locator address by creating a locator entry.

Step 9: auto-discover-rlocs
Example: FiaB(config-router-lisp-locator-set)# auto-discover-rlocs
Purpose: Configures the ETR to auto-discover the locators registered by other xTRs. (An ingress tunnel router (ITR) and an ETR together are known as an xTR.)

Step 10: exit-locator-set
Example: FiaB(config-router-lisp-locator-set)# exit-locator-set
Purpose: Exits LISP locator-set configuration mode.

Step 11: service ipv4
Example: FiaB(config-router-lisp)# service ipv4
Purpose: Enables Layer 3 network services for the IPv4 address family and enters service submode.

Step 12: encapsulation vxlan
Example: FiaB(config-lisp-srv-ipv4)# encapsulation vxlan
Purpose: Configures VXLAN as the encapsulation type for data packets.
Step 13: itr map-resolver map-resolver-address
Example: FiaB(config-lisp-srv-ipv4)# itr map-resolver 5.5.5.5
Purpose: Configures the map resolver address for sending map requests.

Step 14: etr map-server map-server-address key key-type authentication-key
Example: FiaB(config-lisp-srv-ipv4)# etr map-server 5.5.5.5 key 7 #########
Purpose: Configures the map server for ETR registration.

Step 15: etr
Example: FiaB(config-lisp-srv-ipv4)# etr
Purpose: Configures a LISP ETR.

Step 16: sgt
Example: FiaB(config-lisp-srv-ipv4)# sgt
Purpose: Enables security group tag propagation in LISP-encapsulated traffic.

Step 17: no map-cache away-eids send-map-request
Example: FiaB(config-lisp-srv-ipv4)# no map-cache away-eids send-map-request
Purpose: Removes the address family-specific map cache configuration.

Step 18: proxy-itr ip-address
Example: FiaB(config-lisp-srv-ipv4)# proxy-itr 5.5.5.5
Purpose: Enables the Proxy Ingress Tunnel Router (PITR) functionality and specifies the address to use when LISP-encapsulating packets to LISP sites.

Step 19: map-server
Example: FiaB(config-lisp-srv-ipv4)# map-server
Purpose: Configures a LISP map server.

Step 20: map-resolver
Example: FiaB(config-lisp-srv-ipv4)# map-resolver
Purpose: Configures a LISP map resolver.

Step 21: map-cache away-eids send-map-request
Example: FiaB(config-lisp-srv-ipv4)# map-cache 40.40.0.0/16 send-map-request
Purpose: Exports table entries into the map cache, with the action set to send-map-request.

Step 22: route-export site-registrations
Example: FiaB(config-lisp-srv-ipv4)# route-export site-registrations
Purpose: Exports LISP site registrations to the routing information base (RIB).

Step 23: distance site-registrations num
Example: FiaB(config-lisp-srv-ipv4)# distance site-registrations 250
Purpose: Configures the distance for LISP-installed routes of type site registrations.

Step 24: map-cache site-registration
Example: FiaB(config-lisp-srv-ipv4)# map-cache site-registration
Purpose: Installs the map cache to a map request for site registrations.

Step 25: exit-service-ipv4
Example: FiaB(config-lisp-srv-ipv4)# exit-service-ipv4
Purpose: Exits LISP service-ipv4 configuration mode.

Step 26: service ethernet
Example: FiaB(config-router-lisp)# service ethernet
Purpose: Selects the service type as Ethernet and enters service submode.

Step 27: database-mapping limit dynamic limit
Example: FiaB(config-lisp-srv-eth)# database-mapping limit dynamic 5000
Purpose: Configures the maximum number of dynamic local endpoint identifier (EID) prefix database entries.

Step 28: itr map-resolver map-resolver-address
Example: FiaB(config-lisp-srv-eth)# itr map-resolver 5.5.5.5
Purpose: Configures the map-resolver address for sending map requests.

Step 29: itr
Example: FiaB(config-lisp-srv-eth)# itr
Purpose: Enables the LISP ITR functionality.

Step 30: etr map-server map-server-address key key-type authentication-key
Example: FiaB(config-lisp-srv-eth)# etr map-server 5.5.5.5 key 7 1234
Purpose: Configures a map server for ETR registration.

Step 31: etr
Example: FiaB(config-lisp-srv-eth)# etr
Purpose: Enables the LISP ETR functionality.
Step 32: map-server
Example: FiaB(config-lisp-srv-eth)# map-server
Purpose: Enables the LISP map server functionality.

Step 33: map-resolver
Example: FiaB(config-lisp-srv-eth)# map-resolver
Purpose: Enables the LISP map resolver functionality.

Step 34: exit-service-ethernet
Example: FiaB(config-lisp-srv-eth)# exit-service-ethernet
Purpose: Exits LISP service-ethernet configuration mode.

Step 35: instance-id instance
Example: FiaB(config-router-lisp)# instance-id 101
Purpose: Creates a LISP EID instance to group multiple services.

Step 36: remote-rloc-probe on-route-change
Example: FiaB(config-lisp-inst)# remote-rloc-probe on-route-change
Purpose: Configures the parameters for probing remote routing locators (RLOCs).

Step 37: dynamic-eid dynamic-eid-name
Example: FiaB(config-lisp-inst)# dynamic-eid 40_40_0_0-INFRA_VN-IPV4
Purpose: Configures a dynamic EID and enters dynamic EID configuration mode.

Step 38: database-mapping eid locator-set rloc_loopback
Example: FiaB(config-router-lisp-dynamic-eid)# database-mapping 40.40.0.0/16 locator-set rloc_loopback
Purpose: Configures the EID prefix and locator set for the dynamic EID.

Step 39: exit-dynamic-eid
Example: FiaB(config-router-lisp-dynamic-eid)# exit-dynamic-eid
Purpose: Exits LISP dynamic-eid configuration mode.

Step 40: exit-instance-id
Example: FiaB(config-router-lisp-instance)# exit-instance-id
Purpose: Exits LISP instance-id configuration mode.
Step 41: instance-id instance
Example: FiaB(config-router-lisp)# instance-id 101
Purpose: Creates a LISP EID instance to group multiple services.

Step 42: remote-rloc-probe on-route-change
Example: FiaB(config-lisp-inst)# remote-rloc-probe on-route-change
Purpose: Configures parameters for probing remote RLOCs.

Step 43: service ethernet
Example: FiaB(config-lisp-inst)# service ethernet
Purpose: Enables Layer 2 network services and enters service submode.

Step 44: eid-table vlan vlan-number
Example: FiaB(config-lisp-inst-srv-eth)# eid-table vlan 101
Purpose: Binds an EID table to a VLAN.

Step 45: database-mapping mac locator-set rloc_loopback
Example: FiaB(config-lisp-inst-srv-eth)# database-mapping mac locator-set rloc_loopback
Purpose: Configures an address family-specific local EID prefix database.

Step 46: exit-service-ethernet
Example: FiaB(config-lisp-inst-srv-eth)# exit-service-ethernet
Purpose: Exits LISP service-ethernet configuration mode.

Step 47: exit-instance-id
Example: FiaB(config-lisp-inst)# exit-instance-id
Purpose: Exits LISP instance-id configuration mode.

Step 48: map-server session passive-open server
Example: FiaB(config-router-lisp)# map-server session passive-open WLC
Purpose: Configures a map server with passive-open TCP sockets to listen for incoming connections.

Step 49: site site-name
Example: FiaB(config-router-lisp)# site site_uci
Purpose: Configures a LISP site on a map server.

Step 50: description map-server-description
Example: FiaB(config-router-lisp-site)# description map-server configured from Cisco DNA-Center
Purpose: Specifies a description text for the LISP site.

Step 51: authentication-key key
Example: FiaB(config-router-lisp-site)# authentication-key 7 ########
Purpose: Configures the authentication key used by the LISP site.

Step 52: eid-record instance-id instance-id address accept-more-specifics
Example: FiaB(config-router-lisp-site)# eid-record instance-id 4097 0.0.0.0/0 accept-more-specifics
Purpose: Specifies that any EID prefix that is more specific than the configured EID prefix is accepted and tracked.

Step 53: eid-record instance-id instance-id any-mac
Example: FiaB(config-router-lisp-site)# eid-record instance-id 8188 any-mac
Purpose: Accepts registrations, if any, for Layer 2 EID records.

Step 54: exit-site
Example: FiaB(config-router-lisp-site)# exit-site
Purpose: Exits LISP site configuration mode.

Step 55: ipv4 locator reachability exclude-default
Example: FiaB(config-router-lisp)# ipv4 locator reachability exclude-default
Purpose: Configures IPv4 locator reachability for the LISP router, excluding the default route.

Step 56: ipv4 source-locator interface-name
Example: FiaB(config-router-lisp)# ipv4 source-locator Loopback0
Purpose: Configures the IPv4 source locator address of the interface.

Step 57: exit-router-lisp
Example: FiaB(config-router-lisp)# exit-router-lisp
Purpose: Exits LISP router-lisp configuration mode.

Configuring a Fabric Edge Node

Note: You can perform the following configuration tasks only from the fabric edge node, not from your controller.

Procedure

Step 1: configure terminal
Example: FabricEdge# configure terminal
Purpose: Enters global configuration mode.

Step 2: router lisp
Example: FabricEdge(config)# router lisp
Purpose: Enters LISP configuration mode.

Step 3: locator-table default
Example: FabricEdge(config-router-lisp)# locator-table default
Purpose: Associates a default VRF table through which the routing locator address space is reachable to a router LISP instantiation.

Step 4: locator-set rloc_loopback
Example: FabricEdge(config-router-lisp)# locator-set rloc_loopback
Purpose: Specifies a named locator set and enters LISP locator-set configuration mode.

Step 5: ipv4-interface interface-num priority priority weight weight
Example: FabricEdge(config-router-lisp-locator-set)# IPv4-interface Loopback 0 priority 10 weight 10
Purpose: Configures the IPv4 address of the interface as a locator.

Step 6: exit-locator-set
Example: FabricEdge(config-router-lisp-locator-set)# exit-locator-set
Purpose: Exits LISP locator-set configuration mode.

Step 7: exit-router-lisp
Example: FabricEdge(config-router-lisp)# exit-router-lisp
Purpose: Exits LISP router-lisp configuration mode.

Step 8: interface vlan interface-num
Example: FabricEdge(config)# interface Vlan 2045
Purpose: Configures an interface and enters interface configuration mode.

Step 9: description description
Example: FabricEdge(config-if)# description Configured from Cisco DNA-Center
Purpose: Specifies a description text for the interface.
Step 10: mac-address mac-address
Example: FabricEdge(config-if)# mac-address 0000.0c9f.f85c
Purpose: Sets the interface MAC address manually.

Step 11: ip address ip-address mask
Example: FabricEdge(config-if)# ip address 192.168.1.1 255.255.255.252
Purpose: Configures an IP address for the interface.

Step 12: ip helper-address ip-address
Example: FabricEdge(config-if)# ip helper-address 9.9.9.9
Purpose: Specifies a destination address for UDP broadcasts.

Step 13: no ip redirects
Example: FabricEdge(config-if)# no ip redirects
Purpose: Disables sending of ICMP redirect messages.

Step 14: ip route-cache same-interface
Example: FabricEdge(config-if)# ip route-cache same-interface
Purpose: Enables the fast-switching cache for outgoing packets on the same interface.

Step 15: no lisp mobility liveness test
Example: FabricEdge(config-if)# no lisp mobility liveness test
Purpose: Removes the liveness test for dynamic EIDs discovered on this interface.

Step 16: lisp mobility dynamic-eid-name
Example: FabricEdge(config-if)# lisp mobility 40_40_0_0-INFRA_VN-IPV4
Purpose: Allows EID mobility on the interface.

Step 17: exit
Example: FabricEdge(config-if)# exit
Purpose: Exits interface configuration mode.

Step 18: router lisp
Example: FabricEdge(config)# router lisp
Purpose: Enters LISP configuration mode.

Step 19: locator-set locator-set-name
Example: FabricEdge(config-router-lisp)# locator-set rloc_824ecb7
Purpose: Specifies a locator set and enters LISP locator-set configuration mode.
Step 20: exit-locator-set
Example: FabricEdge(config-router-lisp-locator-set)# exit-locator-set
Purpose: Exits LISP locator-set configuration mode.

Step 21: service ipv4
Example: FabricEdge(config-router-lisp)# service ipv4
Purpose: Enables Layer 3 network services for the IPv4 address family and enters service submode.

Step 22: use-petr ip-address
Example: FabricEdge(config-lisp-srv-ipv4)# use-petr 5.5.5.5
Purpose: Configures the loopback IP address of the Proxy Egress Tunnel Router (PETR).

Step 23: encapsulation vxlan
Example: FabricEdge(config-lisp-srv-ipv4)# encapsulation vxlan
Purpose: Selects VXLAN as the encapsulation type for data packets.

Step 24: itr map-resolver map-resolver-address
Example: FabricEdge(config-lisp-srv-ipv4)# itr map-resolver 5.5.5.5
Purpose: Configures the map resolver address for sending map requests.

Step 25: etr map-server map-server-address key key-type authentication-key
Example: FabricEdge(config-lisp-srv-ipv4)# etr map-server 5.5.5.5 key 7 #########
Purpose: Configures the map server for ETR registration.

Step 26: etr map-server map-server-address proxy-reply authentication-key
Example: FabricEdge(config-lisp-srv-ipv4)# etr map-server 5.5.5.5 proxy-reply
Purpose: Configures the locator address of the LISP map server and the authentication key that this router, acting as a LISP ETR, uses to register with the LISP mapping system.

Step 27: etr
Example: FabricEdge(config-lisp-srv-ipv4)# etr
Purpose: Configures a LISP Egress Tunnel Router (ETR).

Step 28: sgt
Example: FabricEdge(config-lisp-srv-ipv4)# sgt
Purpose: Enables security group tag propagation in LISP-encapsulated traffic.
Step 29: no map-cache away-eids send-map-request
Example: FabricEdge(config-lisp-srv-ipv4)# no map-cache away-eids send-map-request
Purpose: Removes the address family-specific map cache configuration.

Step 30: proxy-itr ip-address
Example: FabricEdge(config-lisp-srv-ipv4)# proxy-itr 5.5.5.5
Purpose: Enables the Proxy Ingress Tunnel Router (PITR) functionality and specifies the address to use when LISP-encapsulating packets to LISP sites.

Step 31: exit-service-ipv4
Example: FabricEdge(config-lisp-srv-ipv4)# exit-service-ipv4
Purpose: Exits LISP service-ipv4 configuration mode.

Step 32: service ethernet
Example: FabricEdge(config-router-lisp)# service ethernet
Purpose: Selects the service type as Ethernet.

Step 33: itr map-resolver map-resolver-address
Example: FabricEdge(config-lisp-srv-eth)# itr map-resolver 5.5.5.5
Purpose: Configures the map-resolver address for sending map requests.

Step 34: itr
Example: FabricEdge(config-lisp-srv-eth)# itr
Purpose: Enables the LISP ITR functionality.

Step 35: etr map-server map-server-address key key-type authentication-key
Example: FabricEdge(config-lisp-srv-eth)# etr map-server 5.5.5.5 key 7 1234
Purpose: Configures the map server for ETR registration.

Step 36: etr
Example: FabricEdge(config-lisp-srv-eth)# etr
Purpose: Enables the LISP ETR functionality.

Step 37: exit-service-ethernet
Example: FabricEdge(config-lisp-srv-eth)# exit-service-ethernet
Purpose: Exits LISP service-ethernet configuration mode.

Step 38: instance-id instance
Example: FabricEdge(config-router-lisp)# instance-id 101
Purpose: Creates a LISP EID instance to group multiple services.

Step 39: remote-rloc-probe on-route-change
Example: FabricEdge(config-lisp-inst)# remote-rloc-probe on-route-change
Purpose: Configures the parameters for probing remote routing locators (RLOCs).

Step 40: dynamic-eid dynamic-eid-name
Example: FabricEdge(config-lisp-inst)# dynamic-eid 40_40_0_0-INFRA_VN-IPV4
Purpose: Configures a dynamic EID and enters dynamic EID configuration mode.

Step 41: database-mapping eid locator-set rloc_loopback
Example: FabricEdge(config-router-lisp-dynamic-eid)# database-mapping 40.40.0.0/16 locator-set rloc_loopback
Purpose: Configures the EID prefix and locator set for the dynamic EID.

Step 42: exit-dynamic-eid
Example: FabricEdge(config-router-lisp-dynamic-eid)# exit-dynamic-eid
Purpose: Exits dynamic EID configuration mode.

Step 43: service ipv4
Example: FabricEdge(config-lisp-inst)# service ipv4
Purpose: Selects the service type as IPv4.

Step 44: eid-table default
Example: FabricEdge(config-lisp-inst-srv-ipv4)# eid-table default
Purpose: Binds the default EID table.

Step 45: exit-service-ipv4
Example: FabricEdge(config-lisp-inst-srv-ipv4)# exit-service-ipv4
Purpose: Exits LISP service-ipv4 configuration mode.

Step 46: exit-instance-id
Example: FabricEdge(config-lisp-inst)# exit-instance-id
Purpose: Exits LISP instance-id configuration mode.

Step 47: service ipv4
Example: FabricEdge(config-router-lisp)# service ipv4
Purpose: Selects the service type as IPv4.

Step 48: map-cache away-eids map-request
Example: FabricEdge(config-lisp-srv-ipv4)# map-cache 40.40.0.0/16 map-request
Purpose: Exports away table entries into the map cache, with the action set to send-map-request.

Step 49: exit-service-ipv4
Example: FabricEdge(config-lisp-srv-ipv4)# exit-service-ipv4
Purpose: Exits LISP service-ipv4 configuration mode.

Step 50: instance-id instance
Example: FabricEdge(config-router-lisp)# instance-id 8188
Purpose: Creates a LISP EID instance to group multiple services.

Step 51: remote-rloc-probe on-route-change
Example: FabricEdge(config-lisp-inst)# remote-rloc-probe on-route-change
Purpose: Configures parameters for probing remote RLOCs.

Step 52: service ethernet
Example: FabricEdge(config-lisp-inst)# service ethernet
Purpose: Enables Layer 2 network services and enters service submode.

Step 53: eid-table vlan vlan-number
Example: FabricEdge(config-lisp-inst-srv-eth)# eid-table vlan 101
Purpose: Binds an EID table to a VLAN.

Step 54: database-mapping mac locator-set rloc_loopback
Example: FabricEdge(config-lisp-inst-srv-eth)# database-mapping mac locator-set rloc_loopback
Purpose: Configures an address family-specific local EID prefix database.

Step 55: exit-service-ethernet
Example: FabricEdge(config-lisp-inst-srv-eth)# exit-service-ethernet
Purpose: Exits LISP service-ethernet configuration mode.

Step 56: exit-instance-id
Example: FabricEdge(config-lisp-inst)# exit-instance-id
Purpose: Exits LISP instance-id configuration mode.

Step 57: ipv4 locator reachability minimum-mask-length length
Example: FabricEdge(config-router-lisp)# ipv4 locator reachability minimum-mask-length 32
Purpose: Configures IPv4 locator reachability for the LISP router with the given minimum mask length.

Step 58: ipv4 source-locator interface-name
Example: FabricEdge(config-router-lisp)# ipv4 source-locator Loopback0
Purpose: Configures the IPv4 source locator address of the interface.

Step 59: exit-router-lisp
Example: FabricEdge(config-router-lisp)# exit-router-lisp
Purpose: Exits LISP router-lisp configuration mode.

Verifying Fabric Configuration
Use the following commands to verify the fabric configuration.
To verify the LISP configuration on a device, use the following command:
FabricEdge# show running-config | section router lisp
router lisp
 locator-table default
 locator-set default
 exit-locator-set
 !
 locator-set rloc_loopback
  IPv4-interface Loopback0 priority 10 weight 10
 exit-locator-set
 !
 locator default-set rloc_loopback
 service ipv4
  encapsulation vxlan
  itr map-resolver 21.21.21.21
  itr
  etr map-server 21.21.21.21 key tasman
  etr map-server 21.21.21.21 proxy-reply
  etr
  use-petr 21.21.21.21 priority 1 weight 100
 exit-service-ipv4
 !
 service ethernet
  itr map-resolver 5.5.5.5
  itr map-resolver 21.21.21.21
  itr
  etr map-server 21.21.21.21 key tasman
  etr map-server 21.21.21.21 proxy-reply
  etr
 exit-service-ethernet
 !
 instance-id 0
  loc-reach-algorithm lsb-reports ignore
  dynamic-eid eid_10_56_25
   database-mapping 10.56.25.0/24 locator-set rloc_loopback
  exit-dynamic-eid
  !
  service ipv4
   eid-table default
   database-mapping 26.26.26.26/32 locator-set rloc_loopback
  exit-service-ipv4
  !
 exit-instance-id
 !
 instance-id 1
  service ethernet
   eid-table vlan 25
   flood arp-nd
   database-mapping mac locator-set rloc_loopback
  exit-service-ethernet
  !
 exit-instance-id
 !
 instance-id 101
  service ipv4
  exit-service-ipv4
  !
 exit-instance-id
 !
 instance-id 8188
 exit-instance-id
 !
 loc-reach-algorithm lsb-reports ignore
exit-router-lisp
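As an added example (not from this guide or Cisco), the following Python script parses a show running-config | section router lisp excerpt into its submodes and checks that the settings the fabric edge node procedure above places under service ipv4 and service ethernet are present for the expected map server address. The sample configuration is constructed from the values on this page and deliberately omits sgt so that the check has something to report; the function names, the token-matching templates, and the sample itself are assumptions.

```python
from typing import Dict, List

# Constructed sample modelled on the 'show running-config | section router lisp'
# output on this page (not a capture from a real device); 'sgt' is left out.
SAMPLE_CONFIG = """router lisp
 locator-table default
 locator-set rloc_loopback
  IPv4-interface Loopback0 priority 10 weight 10
 exit-locator-set
 !
 service ipv4
  encapsulation vxlan
  itr map-resolver 21.21.21.21
  itr
  etr map-server 21.21.21.21 key tasman
  etr map-server 21.21.21.21 proxy-reply
  etr
  use-petr 21.21.21.21 priority 1 weight 100
 exit-service-ipv4
 !
 service ethernet
  itr map-resolver 21.21.21.21
  itr
  etr map-server 21.21.21.21 key tasman
  etr
 exit-service-ethernet
 !
 instance-id 0
  dynamic-eid eid_10_56_25
   database-mapping 10.56.25.0/24 locator-set rloc_loopback
  exit-dynamic-eid
  !
  service ipv4
   eid-table default
  exit-service-ipv4
  !
 exit-instance-id
 !
exit-router-lisp
"""

# Lines that open a submode; each is closed by the matching exit-* line.
ENTRY_PREFIXES = ("service ipv4", "service ethernet", "locator-set ",
                  "instance-id ", "dynamic-eid ")


def parse_lisp_sections(config: str) -> Dict[str, List[str]]:
    """Group the router lisp stanza by submode path, for example
    'router lisp/instance-id 0/service ipv4' -> ['eid-table default']."""
    sections: Dict[str, List[str]] = {"router lisp": []}
    path = ["router lisp"]
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!" or line == "router lisp":
            continue
        if line.startswith("exit-"):
            if len(path) > 1:          # exit-router-lisp leaves the root in place
                path.pop()
            continue
        if line.startswith(ENTRY_PREFIXES):
            path.append(line)
            sections.setdefault("/".join(path), [])
            continue
        sections.setdefault("/".join(path), []).append(line)
    return sections


def line_matches(template: str, line: str) -> bool:
    """Token-wise comparison: '*' matches any single token and a trailing
    '...' allows further tokens (for example priority/weight after use-petr)."""
    want, have = template.split(), line.split()
    if want and want[-1] == "...":
        want = want[:-1]
        have = have[:len(want)]
    return len(want) == len(have) and all(w in ("*", h) for w, h in zip(want, have))


# Settings the fabric edge node procedure puts under service ipv4 and
# service ethernet; {ms} is the expected map server / map resolver address.
EXPECTED_EDGE_SETTINGS = {
    "router lisp/service ipv4": [
        "encapsulation vxlan", "itr map-resolver {ms}", "itr",
        "etr map-server {ms} key ...", "etr map-server {ms} proxy-reply",
        "etr", "sgt", "use-petr {ms} ...",
    ],
    "router lisp/service ethernet": [
        "itr map-resolver {ms}", "itr", "etr map-server {ms} key ...", "etr",
    ],
}


def check_edge_config(config: str, map_server: str) -> List[str]:
    """Return 'path: setting' strings for expected settings that are absent."""
    sections = parse_lisp_sections(config)
    missing = []
    for path, templates in EXPECTED_EDGE_SETTINGS.items():
        present = sections.get(path, [])
        for template in templates:
            want = template.format(ms=map_server)
            if not any(line_matches(want, line) for line in present):
                missing.append(f"{path}: {want}")
    return missing


if __name__ == "__main__":
    for problem in check_edge_config(SAMPLE_CONFIG, "21.21.21.21"):
        print("missing:", problem)
```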

To verify the operational status of LISP as configured on a device, use the following command:
FabricEdge# show ip lisp
Information applicable to all EID instances:
  Router-lisp ID:                      0
  Locator table:                       default
  Ingress Tunnel Router (ITR):         enabled
  Egress Tunnel Router (ETR):          enabled
  Proxy-ITR Router (PITR):             disabled
  Proxy-ETR Router (PETR):             disabled
  NAT-traversal Router (NAT-RTR):      disabled
  Mobility First-Hop Router:           disabled
  Map Server (MS):                     disabled
  Map Resolver (MR):                   disabled
  Mr-use-petr:                         disabled
  Delegated Database Tree (DDT):       disabled
  Publication-Subscription:            enabled
    Publisher(s):                      *** NOT FOUND ***
  ITR Map-Resolver(s):                 21.21.21.21
  ETR Map-Server(s):                   21.21.21.21
  xTR-ID:                              0xD89893A6-0x98749B2C-0x89810431-0x92F33C9C
  site-ID:                             unspecified
  ITR local RLOC (last resort):        *** NOT FOUND ***
  ITR use proxy ETR RLOC(Encap IID):   21.21.21.21
  ITR Solicit Map Request (SMR):       accept and process
    Max SMRs per map-cache entry:      8 more specifics
    Multiple SMR suppression time:     20 secs
  ETR accept mapping data:             disabled, verify disabled
  ETR map-cache TTL:                   1d00h
  Locator Status Algorithms:
    RLOC-probe algorithm:              disabled
    RLOC-probe on route change:        N/A (periodic probing disabled)
    RLOC-probe on member change:       disabled
    LSB reports:                       ignore
    IPv4 RLOC minimum mask length:     /0
    IPv6 RLOC minimum mask length:     /0
  Map-cache:
    Map-cache limit:                   32768
    Map-cache activity check period:   60 secs
    Persistent map-cache:              disabled
  Source locator configuration:
    GigabitEthernet1/0/1: 24.24.24.24 (Loopback0)
    Vlan25: 24.24.24.24 (Loopback0)
  Database:
    Dynamic database mapping limit:    25000

To verify the operational status of the map cache on a device configured as an ITR or PITR, use the following command:
FabricEdge# show lisp instance-id iid ipv4 map-cache
LISP IPv4 Mapping Cache for EID-table default (IID 0), 5 entries

0.0.0.0/0, uptime: 2w5d, expires: never, via static-send-map-request
  Encapsulating to proxy ETR
10.56.25.0/24, uptime: 2w0d, expires: never, via dynamic-EID, send-map-request
  Encapsulating to proxy ETR
10.56.25.25/32, uptime: 2w5d, expires: 23:10:06, via map-reply, complete
  Locator      Uptime    State     Pri/Wgt  Encap-IID
  21.21.21.21  2w5d      up        0/0      -
22.0.0.0/8, uptime: 2w5d, expires: 00:04:54, via map-reply, forward-native
  Encapsulating to proxy ETR
26.26.26.26/32, uptime: 09:48:33, expires: 14:11:26, via map-reply, self, complete
  Locator      Uptime    State     Pri/Wgt  Encap-IID
  24.24.24.24  09:48:33  up, self  50/50    -

To verify the operational status of the database mapping on a device configured as an ETR, use the following command:
FabricEdge# show lisp instance-id iid ipv4 database
LISP ETR IPv4 Mapping Database for EID-table default (IID 0), LSBs: 0x1
Entries total 3, no-route 0, inactive 0

10.56.25.27/32, dynamic-eid eid_10_56_25, skip reg, inherited from default locator-set rloc_loopback
  Uptime: 00:25:11, Last-change: 00:25:11
  Domain-ID: unset
  Locator      Pri/Wgt  Source    State
  24.24.24.24  10/10    cfg-intf  site-self, reachable
10.56.25.67/32, dynamic-eid eid_10_56_25, inherited from default locator-set rloc_loopback
  Uptime: 00:24:47, Last-change: 00:24:47
  Domain-ID: unset
  Locator      Pri/Wgt  Source    State
  24.24.24.24  10/10    cfg-intf  site-self, reachable
26.26.26.26/32, locator-set rloc_loopback
  Uptime: 2w5d, Last-change: 00:50:36
  Domain-ID: unset
  Locator      Pri/Wgt  Source    State
  24.24.24.24  10/10    cfg-intf  site-self, reachable

To verify the configured LISP sites on a LISP map server, use the following command:
FabricEdge# show lisp instance-id iid ipv4 server
LISP Site Registration Information
* = Some locators are down or unreachable
# = Some registrations are sourced by reliable transport

Site Name      Last      Up     Who Last             Inst     EID Prefix
               Register         Registered           ID
eca            never     no     --                   0        10.56.25.0/24
               04:52:53  yes#   21.21.21.21:40875    0        10.56.25.25/32
               04:07:09  yes#   27.27.27.27:24949    0        10.56.25.64/32
               03:21:16  yes#   24.24.24.24:23672    0        10.56.25.67/32
               04:52:53  yes#   21.21.21.21:40875    0        23.23.23.23/32
               03:47:04  yes#   24.24.24.24:23672    0        26.26.26.26/32
               2w0d      yes#   27.27.27.27:24949    0        29.29.29.29/32
site_uci       never     no     --                   4097     0.0.0.0/0

To verify the operational status of LISP sites, use the following command on the FiaB node:
FabricEdge# show lisp instance-id 1 ethernet server
=================================================
Output for router lisp 0 instance-id 1
=================================================
LISP Site Registration Information
* = Some locators are down or unreachable
# = Some registrations are sourced by reliable transport

Site Name      Last      Up     Who Last             Inst     EID Prefix
               Register         Registered           ID
eca            never     no     --                   1        any-mac
               04:10:37  yes#   27.27.27.27:24949    1        00b0.e19c.2578/48
               04:09:20  yes#   22.22.22.22:64083    1        00b0.e19c.fc40/48
               03:24:52  yes#   24.24.24.24:23672    1        dcce.c130.0b70/48
               03:23:39  yes#   22.22.22.22:64083    1        dcce.c130.9820/48

To verify the operational status of LISP sites, use the following command on the FiaB node:
FabricEdge# show lisp instance-id 0 ipv4 server
LISP Site Registration Information
* = Some locators are down or unreachable
# = Some registrations are sourced by reliable transport

Site Name      Last      Up     Who Last             Inst     EID Prefix
               Register         Registered           ID
eca            never     no     --                   0        10.56.25.0/24
               6d18h     yes#   21.21.21.21:40875    0        10.56.25.25/32
               01:23:56  yes#   27.27.27.27:24949    0        10.56.25.64/32
               00:24:40  yes#   24.24.24.24:23672    0        10.56.25.72/32
               6d18h     yes#   21.21.21.21:40875    0        23.23.23.23/32
               6d17h     yes#   24.24.24.24:23672    0        26.26.26.26/32
               3w0d      yes#   27.27.27.27:24949    0        29.29.29.29/32
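As an added example (not from this guide or Cisco), the following Python script parses the site registration table printed by the show lisp instance-id ... ipv4 server and ... ethernet server commands above, and lists per site the EID prefixes that are not up or whose registering ETR reports locators down (the "*" legend). The two sample outputs are constructed from the values on this page, with one row marked "*" to exercise that case; the function names and the sample rows are assumptions.

```python
import re
from typing import Dict, List, Optional

# Constructed samples modelled on the 'show lisp instance-id ... server' outputs
# on this page (illustrative values, not real captures). One row is marked
# with '*' to exercise the locators-down legend.
SAMPLE_IPV4_SERVER = """\
LISP Site Registration Information
* = Some locators are down or unreachable
# = Some registrations are sourced by reliable transport

Site Name      Last      Up     Who Last             Inst     EID Prefix
               Register         Registered           ID
eca            never     no     --                   0        10.56.25.0/24
               6d18h     yes#   21.21.21.21:40875    0        10.56.25.25/32
               01:23:56  yes#   27.27.27.27:24949    0        10.56.25.64/32
               00:24:40  yes*   24.24.24.24:23672    0        10.56.25.72/32
site_uci       never     no     --                   4097     0.0.0.0/0
"""

SAMPLE_ETH_SERVER = """\
Site Name      Last      Up     Who Last             Inst     EID Prefix
               Register         Registered           ID
eca            never     no     --                   1        any-mac
               04:10:37  yes#   27.27.27.27:24949    1        00b0.e19c.2578/48
"""

# An EID prefix is an IPv4 prefix, a MAC/48 prefix, or the any-mac wildcard.
EID_RE = re.compile(r"^(?:\S+/\d+|any-mac)$")


def parse_site_registrations(output: str) -> List[Dict[str, object]]:
    """Turn the registration table into one dict per EID row. Rows without a
    site name in the first column belong to the most recent named site."""
    rows: List[Dict[str, object]] = []
    site: Optional[str] = None
    for line in output.splitlines():
        tokens = line.split()
        # Header, legend and blank lines never end in an EID prefix.
        if len(tokens) not in (5, 6) or not EID_RE.match(tokens[-1]):
            continue
        if len(tokens) == 6:
            site, tokens = tokens[0], tokens[1:]
        if site is None:
            continue
        last, up, who, iid, eid = tokens
        rows.append({
            "site": site,
            "last_register": last,
            "up": up.startswith("yes"),
            "locator_down": "*" in up,          # legend: locators down/unreachable
            "reliable_transport": "#" in up,    # legend: registered over TCP
            "registered_by": None if who.startswith("-") else who,
            "instance_id": int(iid),
            "eid_prefix": eid,
        })
    return rows


def flag_registrations(rows: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """EID prefixes per site that are not up or whose ETR reports locators down.
    A configured aggregate with accept-more-specifics (such as the 0.0.0.0/0
    record on this page) legitimately shows never/no when only its more
    specific prefixes register, so review the list rather than alert on it."""
    flagged: Dict[str, List[str]] = {}
    for row in rows:
        if not row["up"] or row["locator_down"]:
            flagged.setdefault(str(row["site"]), []).append(str(row["eid_prefix"]))
    return flagged


if __name__ == "__main__":
    for name, prefixes in flag_registrations(parse_site_registrations(SAMPLE_IPV4_SERVER)).items():
        print(name, prefixes)
```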

To verify the operational status of LISP sites in the IPv4 database, use the following command on the fabric edge node:
FabricEdge# show lisp instance-id 0 ipv4 database
LISP ETR IPv4 Mapping Database for EID-table default (IID 0), LSBs: 0x1
Entries total 3, no-route 0, inactive 0

10.56.25.27/32, dynamic-eid eid_10_56_25, skip reg, inherited from default locator-set rloc_loopback
  Uptime: 00:25:54, Last-change: 00:25:54
  Domain-ID: unset
  Locator      Pri/Wgt  Source    State
  24.24.24.24  10/10    cfg-intf  site-self, reachable
10.56.25.72/32, dynamic-eid eid_10_56_25, inherited from default locator-set rloc_loopback
  Uptime: 00:25:25, Last-change: 00:25:25
  Domain-ID: unset
  Locator      Pri/Wgt  Source    State
  24.24.24.24  10/10    cfg-intf  site-self, reachable
26.26.26.26/32, locator-set rloc_loopback
  Uptime: 3w5d, Last-change: 6d17h
  Domain-ID: unset
  Locator      Pri/Wgt  Source    State
  24.24.24.24  10/10    cfg-intf  site-self, reachable

To verify the operational status of LISP sites in the MAC mapping database, use the following command on the fabric edge node:
FabricEdge# show lisp instance-id 1 ethernet database
LISP ETR MAC Mapping Database for EID-table Vlan 25 (IID 1), LSBs: 0x1
Entries total 2, no-route 0, inactive 0

cc98.911b.73f1/48, dynamic-eid Auto-L2-group-1, skip reg, inherited from default locator-set rloc_loopback
  Uptime: 00:00:49, Last-change: 00:00:49
  Domain-ID: unset
  Locator      Pri/Wgt  Source    State
  24.24.24.24  10/10    cfg-intf  site-self, reachable
dcce.c130.0b70/48, dynamic-eid Auto-L2-group-1, inherited from default locator-set rloc_loopback
  Uptime: 00:00:50, Last-change: 00:00:50
  Domain-ID: unset
  Locator      Pri/Wgt  Source    State
  24.24.24.24  10/10    cfg-intf  site-self, reachable


Part XVI: VLAN
· VLANs, on page 1541
· VLAN Groups, on page 1549

Chapter 156: VLANs
· Information About VLANs, on page 1541
· How to Configure VLANs, on page 1544
· Monitoring VLANs, on page 1548
Information About VLANs
Logical Networks
A VLAN is a switched network that is logically segmented by function, project team, or application, without regard to the physical locations of the users. VLANs have the same attributes as physical LANs, but you can group end stations even if they are not physically located on the same LAN segment. Any controller port can belong to a VLAN, and unicast, broadcast, and multicast packets are forwarded and flooded only to end stations in the VLAN. Each VLAN is considered a logical network, and packets destined for stations that do not belong to the VLAN must be forwarded through a router or a controller supporting fallback bridging. Because a VLAN is considered a separate logical network, it contains its own bridge Management Information Base (MIB) information.
VLANs are often associated with IP subnets. For example, all the end stations in a particular IP subnet belong to the same VLAN. Interface VLAN membership on the controller is assigned manually on an interface-by-interface basis. When you assign controller interfaces to VLANs by using this method, it is known as interface-based, or static, VLAN membership.
Supported VLANs
The controller supports VLANs in VTP client, server, and transparent modes. VLANs are identified by a number from 1 to 4094. VLAN 1 is the default VLAN and is created during system initialization. All of the VLANs except 1002 to 1005 are available for user configuration.
VLAN Port Membership Modes
You configure a port to belong to a VLAN by assigning a membership mode that specifies the kind of traffic the port carries and the number of VLANs to which it can belong. When a port belongs to a VLAN, the controller learns and manages the addresses associated with the port on a per-VLAN basis.
Table 81: Port Membership Modes and Characteristics

Membership mode: Static-access
VLAN membership characteristics: A static-access port can belong to one VLAN and is manually assigned to that VLAN.
VTP characteristics: VTP is not required. If you do not want VTP to globally propagate information, set the VTP mode to transparent. To participate in VTP, there must be at least one trunk port on the controller connected to a trunk port of a second controller.

Membership mode: Trunk (IEEE 802.1Q). IEEE 802.1Q is the industry-standard trunking encapsulation.
VLAN membership characteristics: A trunk port is a member of all VLANs by default, including extended-range VLANs, but membership can be limited by configuring the allowed-VLAN list.
VTP characteristics: VTP is recommended but not required. VTP maintains VLAN configuration consistency by managing the addition, deletion, and renaming of VLANs on a network-wide basis. VTP exchanges VLAN configuration messages with other controllers over trunk links.

VLAN Configuration Files
Configurations for VLAN IDs 1 to 1005 are written to the vlan.dat file (VLAN database), and you can display them by entering the show vlan privileged EXEC command. The vlan.dat file is stored in flash memory. If the VTP mode is transparent, they are also saved in the controller running configuration file.
You use the interface configuration mode to define the port membership mode and to add and remove ports from VLANs. The results of these commands are written to the running-configuration file, and you can display the file by entering the show running-config privileged EXEC command.
When you save VLAN and VTP information (including extended-range VLAN configuration information) in the startup configuration file and reboot the controller, the controller configuration is selected as follows:
· If the VTP mode is transparent in the startup configuration, and the VLAN database and the VTP domain name from the VLAN database matches that in the startup configuration file, the VLAN database is ignored (cleared), and the VTP and VLAN configurations in the startup configuration file are used. The VLAN database revision number remains unchanged in the VLAN database.
· If the VTP mode or domain name in the startup configuration does not match the VLAN database, the domain name and VTP mode and configuration for the VLAN IDs 1 to 1005 use the VLAN database information.
· In VTP versions 1 and 2, if VTP mode is server, the domain name and VLAN configuration for VLAN IDs 1 to 1005 use the VLAN database information. VTP version 3 also supports VLANs 1006 to 4094.

Note Ensure that you delete the vlan.dat file along with the configuration files before you reset the switch configuration using write erase command. This ensures that the switch reboots correctly on a reset.

Normal-Range VLAN Configuration Guidelines
Follow these guidelines when creating and modifying normal-range VLANs in your network:
· Normal-range VLANs are identified with a number between 1 and 1001.
· VLAN configurations for VLANs 1 to 1005 are always saved in the VLAN database. If the VTP mode is transparent, VTP and VLAN configurations are also saved in the running configuration file.
· If the controller is in VTP server or VTP transparent mode, you can add, modify, or remove configurations for VLANs 2 to 1001 in the VLAN database. (VLAN IDs 1 and 1002 to 1005 are automatically created and cannot be removed.)
· Extended-range VLANs created in VTP transparent mode are not saved in the VLAN database and are not propagated. VTP version 3 supports extended-range VLAN (VLANs 1006 to 4094) database propagation in VTP server mode.
Extended-Range VLAN Configuration Guidelines
Extended-range VLANs are VLANs with IDs from 1006 to 4094. Follow these guidelines when creating extended-range VLANs:
· VLAN IDs in the extended range are not saved in the VLAN database and are not recognized by VTP unless the device is running VTP version 3.
· You cannot include extended-range VLANs in the pruning-eligible range.
· For VTP version 1 or 2, you can set the VTP mode to transparent in global configuration mode. Save this configuration to the startup configuration so that the device boots up in VTP transparent mode. Otherwise, you lose the extended-range VLAN configuration if the device resets.
· If you create extended-range VLANs in VTP version 3, you cannot convert to VTP version 1 or 2.
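The rules above decide whether a VLAN that an access port or a policy profile depends on still exists after a reload, so they are worth checking before a maintenance window rather than discovering afterwards. The following Python script is an added example and not code from this guide or from Cisco: it encodes the normal-range and extended-range persistence rules stated in this chapter (VLAN 1 and 1002 to 1005 are fixed, VLANs 1 to 1005 always go to vlan.dat, transparent mode also writes them to the running configuration, and extended VLANs on VTP version 1 or 2 live only in the running configuration). The names classify_vlan, can_modify, storage_of, vlans_lost_on_reload and the Storage record are this example's own, and the VTP version 3 branch models only what the chapter states, namely that extended VLANs are then kept in the VLAN database.

```python
"""Where a Catalyst 9800 VLAN definition lives (vlan.dat, running-config) and
whether it survives a reload, per the normal-range and extended-range guidelines.
Added example; not Cisco code. Function and record names are this example's own."""

from dataclasses import dataclass

RESERVED_VLANS = range(1002, 1006)   # created at boot, cannot be removed
NORMAL_MAX = 1001                     # user-configurable normal range is 2-1001
VTP_MODES = ("server", "client", "transparent")


def classify_vlan(vlan_id: int) -> str:
    """'default' (1), 'reserved' (1002-1005), 'normal' (2-1001) or 'extended' (1006-4094)."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN ID {vlan_id} is outside 1-4094")
    if vlan_id == 1:
        return "default"
    if vlan_id in RESERVED_VLANS:
        return "reserved"
    return "normal" if vlan_id <= NORMAL_MAX else "extended"


def can_modify(vlan_id: int, vtp_mode: str) -> bool:
    """Whether 'vlan <id>' may add, change or remove this VLAN in the given VTP mode.

    VLAN 1 and 1002-1005 are never removable; user VLANs need server or transparent
    mode. Extended VLANs on VTP v1/v2 additionally need transparent mode (see storage_of).
    """
    if vtp_mode not in VTP_MODES:
        raise ValueError(f"unknown VTP mode {vtp_mode!r}")
    if classify_vlan(vlan_id) in ("default", "reserved"):
        return False
    return vtp_mode in ("server", "transparent")


@dataclass(frozen=True)
class Storage:
    vlan_database: bool    # written to vlan.dat in flash
    running_config: bool   # present in running-config (and startup-config once saved)
    survives_reload: bool  # comes back after a reload


def storage_of(vlan_id: int, vtp_mode: str, vtp_version: int, saved_to_startup: bool) -> Storage:
    """Apply the chapter's persistence rules to one VLAN."""
    if vtp_version not in (1, 2, 3):
        raise ValueError(f"unknown VTP version {vtp_version}")
    kind = classify_vlan(vlan_id)
    in_running = vtp_mode == "transparent"   # transparent mode also writes VLAN config to running-config
    if kind != "extended":
        return Storage(True, in_running, True)   # VLANs 1-1005 are always in the VLAN database
    if vtp_version == 3:
        return Storage(True, in_running, True)   # VTP v3 keeps extended VLANs in the database too
    # VTP v1/v2: extended VLANs exist only in running-config and require transparent mode
    if vtp_mode != "transparent":
        raise ValueError("extended-range VLANs need VTP transparent mode on VTP version 1 or 2")
    return Storage(False, True, saved_to_startup)


def vlans_lost_on_reload(vlan_ids, vtp_mode: str, vtp_version: int, saved_to_startup: bool) -> list:
    """VLAN IDs from the list that would be missing after a reload."""
    return sorted(v for v in set(vlan_ids)
                  if not storage_of(v, vtp_mode, vtp_version, saved_to_startup).survives_reload)


if __name__ == "__main__":
    # Constructed input: a VTP v2 controller in transparent mode whose config is not yet saved
    print(vlans_lost_on_reload([20, 30, 2000, 3000], "transparent", 2, saved_to_startup=False))
```

Run it against the VLAN list of a change request before the change: any ID it reports is one that has to be saved to the startup configuration (or created under VTP version 3) to survive a reset.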
Prerequisites for VLANs
The following are prerequisites and considerations for configuring VLANs:
· To configure VLANs through the Web UI, you must increase the number of available Virtual Terminal (VTY) sessions to 50. The Web UI uses VTY lines to process HTTP requests. When multiple connections are open, the default of 15 VTY lines set by the device can be exhausted. Therefore, change the number of VTY lines to 50 before using the Web UI.

Note To increase the VTY lines on a device, run the following commands in configuration mode:

Device# configure terminal
Device(config)# service tcp-keepalives in
Device(config)# service tcp-keepalives out
Device(config)# line vty 16-50

Note The maximum number of SSH VTY sessions supported on the standby controller is eight.
· Before you create VLANs, you must decide whether to use VLAN Trunking Protocol (VTP) to maintain global VLAN configuration for your network.
· Before adding a VLAN to a VLAN group, you should first create it on the device.
Restrictions for VLANs
The following are restrictions for VLANs:
· You cannot delete a wireless management interface if the associated VLAN interface has already been deleted. To avoid this scenario, delete the wireless management interface before deleting the VLAN interface.
· The device supports IEEE 802.1Q trunking for sending VLAN traffic over Ethernet ports.
· When no client VLAN is configured for a policy profile, the AP native VLAN is used.
· The behavior of VLAN 1 changes depending on the AP mode:
· Local mode AP: If you use vlan-name, clients are assigned to VLAN 1. However, if you use vlan-id 1, clients are assigned to the wireless management interface.
· FlexConnect mode AP: If you use vlan-name, clients are assigned to VLAN 1. However, if you use vlan-id 1, clients are assigned to the native VLAN defined in the flex profile.
By default, the policy profile assigns vlan-id 1 so that clients use the wireless management VLAN.
· You cannot use the same VLAN on the same SSID for local switching and central switching.
How to Configure VLANs
How to Configure Normal-Range VLANs
You can set these parameters when you create a new normal-range VLAN or modify an existing VLAN in the VLAN database:
· VLAN ID
· VLAN name
· VLAN type (Ethernet, TrBRF, or TrCRF)
· VLAN state (active or suspended)
· Parent VLAN number for TrCRF VLANs
· VLAN number to use when translating from one VLAN type to another
You can cause inconsistency in the VLAN database if you attempt to manually delete the vlan.dat file. If you want to modify the VLAN configuration, follow the procedures in this section.
Creating or Modifying an Ethernet VLAN

Before you begin
With VTP version 1 and 2, if the controller is in VTP transparent mode, you can assign VLAN IDs from 1006 to 4094, but they are not added to the VLAN database.
The controller supports only Ethernet interfaces.

Procedure

Step 1: vlan vlan-id
Example: Device(config)# vlan 20
Purpose: Enters a VLAN ID, and enters VLAN configuration mode. Enter a new VLAN ID to create a VLAN, or enter an existing VLAN ID to modify that VLAN.
Note: The available VLAN ID range for this command is 1 to 4094.

Step 2: name vlan-name
Example: Device(config-vlan)# name test20
Purpose: (Optional) Enters a name for the VLAN. If no name is entered for the VLAN, the default is to append the vlan-id value with leading zeros to the word VLAN. For example, VLAN0004 is the default VLAN name for VLAN 4.

Step 3: media { ethernet | fd-net | trn-net }
Example: Device(config-vlan)# media ethernet
Purpose: Configures the VLAN media type.

Step 4: show vlan {name vlan-name | id vlan-id}
Example: Device# show vlan id 20
Purpose: Verifies your entries. The name and id keywords are alternatives; use one or the other.
Assigning Static-Access Ports to a VLAN (GUI)
Procedure

Step 1: Choose Configuration > Layer2 > VLAN > VLAN.
Step 2: Click the VLAN tab.
Step 3: To assign port members, click the interfaces to be included as port members in the Available list and click the arrow to move them to the Associated list.
Step 4: Click Update & Apply to Device.

Assigning Static-Access Ports to a VLAN
You can assign a static-access port to a VLAN without having VTP globally propagate VLAN configuration information by disabling VTP (VTP transparent mode). For more information on static-access ports, see VLAN Port Membership Modes.
If you assign an interface to a VLAN that does not exist, the new VLAN is created.

Procedure

Step 1: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: interface interface-id
Example: Device(config)# interface gigabitethernet2/0/1
Purpose: Enters the interface to be added to the VLAN.

Step 3: switchport mode access
Example: Device(config-if)# switchport mode access
Purpose: Defines the VLAN membership mode for the port (Layer 2 access port).

Step 4: switchport access vlan vlan-id
Example: Device(config-if)# switchport access vlan 2
Purpose: Assigns the port to a VLAN. Valid VLAN IDs are 1 to 4094.

Step 5: end
Example: Device(config-if)# end
Purpose: Returns to privileged EXEC mode.

Step 6: show running-config interface interface-id
Example: Device# show running-config interface gigabitethernet2/0/1
Purpose: Verifies the VLAN membership mode of the interface. To keep the assignment across a reload, save it with copy running-config startup-config.

Step 7: show interfaces interface-id switchport
Example: Device# show interfaces gigabitethernet2/0/1 switchport
Purpose: Verifies your entries in the Administrative Mode and the Access Mode VLAN fields of the display.

How to Configure Extended-Range VLANs
Extended-range VLANs enable service providers to extend their infrastructure to a greater number of customers. The extended-range VLAN IDs are allowed for any switchport commands that allow VLAN IDs. With VTP version 1 or 2, extended-range VLAN configurations are not stored in the VLAN database; because the VTP mode must be transparent, they are stored in the controller running configuration file instead, and you can save the configuration in the startup configuration file. Extended-range VLANs created in VTP version 3 are stored in the VLAN database.
Creating an Extended-Range VLAN (GUI)
Procedure

Step 1: Choose Configuration > Layer2 > VLAN.
Step 2: On the VLAN page, click Add.
Step 3: Enter the extended-range VLAN ID in the VLAN ID field. The extended range is 1006 to 4094.
Step 4: Enter a VLAN name in the Name field.
Step 5: Save the configuration.

Creating an Extended-Range VLAN

Procedure

Step 1: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: vlan vlan-id
Example: Device(config)# vlan 2000
Purpose: Enters an extended-range VLAN ID and enters VLAN configuration mode. The range is 1006 to 4094.

Step 3: show vlan id vlan-id
Example: Device# show vlan id 2000
Purpose: Verifies that the VLAN has been created.

Monitoring VLANs

Table 82: Privileged EXEC show Commands

show interfaces [vlan vlan-id]
Displays characteristics for all interfaces or for the specified VLAN configured on the controller.

show vlan [ access-map name | brief | group | id vlan-id | ifindex | mtu | name name | summary ]
Displays parameters for all VLANs or the specified VLAN on the controller. The following command options are available:
· brief--Displays VTP VLAN status in brief.
· group--Displays the VLAN group with its name and the connected VLANs that are available.
· id--Displays VTP VLAN status by identification number.
· ifindex--Displays SNMP ifIndex.
· mtu--Displays VLAN MTU information.
· name--Displays the VTP VLAN information by specified name.
· summary--Displays a summary of VLAN information.

CHAPTER 157

VLAN Groups

· Information About VLAN Groups, on page 1549
· Prerequisites for VLAN Groups, on page 1550
· Restrictions for VLAN Groups, on page 1550
· Creating a VLAN Group (GUI), on page 1550
· Creating a VLAN Group (CLI), on page 1551
· Adding a VLAN Group to Policy Profile (GUI), on page 1551
· Adding a VLAN Group to a Policy Profile, on page 1552
· Viewing the VLANs in a VLAN Group, on page 1552
Information About VLAN Groups
Whenever a client connects to a wireless network (WLAN), the client is placed in the VLAN associated with the policy profile mapped to that WLAN. In a large venue, such as an auditorium, a stadium, or a conference room with numerous wireless clients, a single WLAN backed by a single VLAN might not accommodate all of them. The VLAN group feature lets a single policy profile support multiple VLANs: the policy profile is mapped to a VLAN group instead of to one VLAN, and each client is assigned to one of the VLANs in the group.
When a wireless client associates to the WLAN, the VLAN is derived by an algorithm based on the MAC address of the wireless client. The client is assigned to that VLAN and obtains its IP address from it.
The system marks a VLAN as Dirty for 30 minutes when clients are unable to receive IP addresses through DHCP on it. The Dirty flag might not be cleared exactly 30 minutes later: a global timer checks the timestamp of each interface against the 30-minute limit, so clearing can lag by up to about 5 minutes. This is expected behavior. Once the VLAN is marked non-dirty, new clients in the IP Learn state can be assigned IP addresses from the VLAN, provided free addresses are available in the pool and the DHCP scope is defined correctly.
Note The controller marks the VLAN interface as Dirty when three or more clients fail to receive IP addresses through DHCP. The VLAN interface is deemed Dirty using the Non-Aggressive method, which counts one failure per association per client that exceeds the predefined IP_LEARN_TIMEOUT of 120 seconds. If a client sends a new association request before IP_LEARN_TIMEOUT elapses, it is not counted as a failed client.
In the Non-Aggressive method, each client gets a unique hash value derived from its MAC address. This ensures that clients from the same vendor, whose MAC addresses may differ only by a few bits, do not mistakenly trigger the Dirty marking of a VLAN.
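The Dirty-marking behavior described above is easy to misjudge when troubleshooting, for instance when a VLAN group stops handing out one of its VLANs for half an hour after a short DHCP outage. The Python simulation below is an added example, not Cisco code or part of this guide; it reproduces the rules stated here: assignment by a hash of the client MAC, one failure per association per client that exceeds IP_LEARN_TIMEOUT (120 seconds), a Dirty flag after three distinct failed clients that is held for 30 minutes, and exclusion of Dirty VLANs from new assignments. The guide does not publish the controller's hash or its exact selection step, so mac_hash (SHA-256 over the address bytes) and the modulo selection are assumptions; the VlanGroup class, run_scenario and the constructed client MACs are this example's own.

```python
"""Simulation of VLAN group assignment and Dirty marking as described in this chapter.
Added example, not Cisco code. The MAC hash and selection step are assumptions."""

import hashlib
from dataclasses import dataclass, field

IP_LEARN_TIMEOUT = 120   # seconds a client may stay in IP Learn before it counts as a DHCP failure
DIRTY_HOLD = 30 * 60     # seconds a VLAN stays marked Dirty
DIRTY_THRESHOLD = 3      # distinct failed clients needed to mark a VLAN Dirty


def mac_hash(mac: str) -> int:
    """Stable 32-bit hash of a client MAC.

    ASSUMPTION: the guide does not publish the controller's hash; SHA-256 over the
    six address bytes stands in for it. It gives MACs that differ in a single bit
    (same-vendor OUIs) distinct values, the property the Non-Aggressive method needs.
    """
    raw = bytes.fromhex(mac.replace(":", "").replace(".", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    return int.from_bytes(hashlib.sha256(raw).digest()[:4], "big")


@dataclass
class VlanGroup:
    name: str
    vlans: list                                       # VLAN IDs mapped into the group
    dirty_until: dict = field(default_factory=dict)   # vlan -> time its Dirty flag clears
    failed: dict = field(default_factory=dict)        # vlan -> set of client hashes that timed out
    pending: dict = field(default_factory=dict)       # mac -> (vlan, association time)

    def is_dirty(self, vlan: int, now: float) -> bool:
        return self.dirty_until.get(vlan, 0) > now

    def assign(self, mac: str, now: float) -> int:
        """Pick a VLAN for a (re)associating client and start its IP Learn timer.

        A new association replaces any earlier pending entry, so a client that
        re-associates before IP_LEARN_TIMEOUT is never counted as failed.
        """
        candidates = [v for v in self.vlans if not self.is_dirty(v, now)]
        if not candidates:
            raise RuntimeError(f"all VLANs in group {self.name} are Dirty")
        vlan = candidates[mac_hash(mac) % len(candidates)]   # ASSUMPTION: modulo selection
        self.pending[mac] = (vlan, now)
        return vlan

    def ip_learned(self, mac: str) -> None:
        """DHCP completed: the client leaves IP Learn and cannot count as a failure."""
        self.pending.pop(mac, None)

    def tick(self, now: float) -> list:
        """Expire IP Learn timers; return VLANs newly marked Dirty at `now`."""
        newly_dirty = []
        for mac, (vlan, t_assoc) in list(self.pending.items()):
            if now - t_assoc < IP_LEARN_TIMEOUT:
                continue
            del self.pending[mac]
            # Non-Aggressive: one failure per association per client, keyed by its unique hash
            failures = self.failed.setdefault(vlan, set())
            failures.add(mac_hash(mac))
            if len(failures) >= DIRTY_THRESHOLD and not self.is_dirty(vlan, now):
                self.dirty_until[vlan] = now + DIRTY_HOLD
                failures.clear()
                newly_dirty.append(vlan)
        return newly_dirty


def run_scenario() -> tuple:
    """Constructed scenario: three clients on a one-VLAN group never get DHCP leases."""
    group = VlanGroup("vlangrp1", [91])
    macs = ["00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"]
    for i, mac in enumerate(macs):
        group.assign(mac, now=i * 10)
    dirty = group.tick(now=200)          # all three exceeded 120 s in IP Learn
    return dirty, group.is_dirty(91, 201), group.is_dirty(91, 200 + DIRTY_HOLD)


if __name__ == "__main__":
    print(run_scenario())   # → ([91], True, False)
```

The single-VLAN group in run_scenario makes the outcome deterministic whatever hash is used; with several VLANs in the group, clients spread across them and only the VLAN that collects three distinct failed clients is marked Dirty, which is why one broken DHCP scope does not take the whole group down.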

Prerequisites for VLAN Groups
· A VLAN should be present in the device for it to be added to the VLAN group.

Restrictions for VLAN Groups
· If the number of VLANs in a VLAN group exceeds 32, the mobility functionality might not work as expected and Layer 2 multicast might break for some VLANs. Therefore, it is the responsibility of network administrators to configure a feasible number of VLANs in a VLAN group.
· For the VLAN Groups feature to work as expected, the VLANs mapped in a group must be present in the controller. Static IP client behavior is not supported.
· The VLAN Groups feature works for access points in local mode.
· The VLAN Groups feature works only in central switching mode and cannot be used in FlexConnect local switching mode.
· The ARP Broadcast feature is not supported on VLAN groups.
· Multicast with a VLAN group is supported only on local mode APs. A multicast VLAN is required when a VLAN group is configured and multicast traffic is used.
· When you configure a VLAN group with multiple VLANs and each VLAN is used by a different subnet, clients with static IP addresses might be assigned to the wrong VLAN if SVIs are not present on the controller. Hence, for every VLAN that belongs to the VLAN group, ensure that you configure an SVI with a valid IP address.

Creating a VLAN Group (GUI)
Procedure

Step 1: Choose Configuration > Layer2 > VLAN.
Step 2: On the VLAN > VLAN page, click Add.
Step 3: Enter the VLAN ID in the VLAN ID field. The valid range is between 2 and 4094.
Step 4: Enter the VLAN name in the Name field. Configure the other parameters if required.
Step 5: Click Update & Apply to Device.

Creating a VLAN Group (CLI)

Procedure

Step 1: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: vlan group group-name vlan-list vlan-list
Example: Device(config)# vlan group vlangrp1 vlan-list 91-95
Purpose: Creates a VLAN group with the given group name (vlangrp1) and adds all the VLANs listed in the command. VLAN IDs in the list range from 1 to 4094, and the maximum number of VLANs supported in a group is 64.

Step 3: end
Example: Device(config)# end
Purpose: Exits global configuration mode and returns to privileged EXEC mode. Alternatively, press Ctrl-Z to exit global configuration mode.

Adding a VLAN Group to Policy Profile (GUI)
A policy profile broadly consists of network and switching policies. It is a reusable entity across tags. Anything that is a policy for the client and is applied on the AP or controller is moved to the policy profile; for example, VLAN, ACL, QoS, session timeout, idle timeout, AVC profile, Bonjour profile, local profiling, device classification, BSSID QoS, and so on. However, all wireless-related security attributes and features on the WLAN are grouped under the WLAN profile.
Procedure

Step 1: Choose Configuration > Tags & Profiles > Policy.
Step 2: On the Policy Profile page, click a policy profile name.
Step 3: Click the Access Policies tab.
Step 4: Under the VLAN section, use the VLAN/VLAN Group drop-down list to select a VLAN or VLAN group.
Step 5: Click Update & Apply to Device.

Adding a VLAN Group to a Policy Profile

Procedure

Step 1: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: wireless profile policy wlan-policy-profile-name
Example: Device(config)# wireless profile policy my-wlan-policy
Purpose: Configures the WLAN policy profile and enters wireless policy configuration mode.

Step 3: vlan vlan-group-name
Example: Device(config-wireless-policy)# vlan myvlan-group
Purpose: Maps the VLAN group to the policy profile, and therefore to the WLANs that use it, by entering the group name.

Step 4: end
Example: Device(config-wireless-policy)# end
Purpose: Exits configuration mode and returns to privileged EXEC mode.

Viewing the VLANs in a VLAN Group

show vlan group
Displays the list of VLAN groups with name and the VLANs that are configured.

show vlan group group-name group-name
Displays the specified VLAN group details.

show wireless client mac-address client-mac-addr detail
Displays the VLAN group assigned to the client.

show wireless vlan details
Displays VLAN details.

PART XVII

WLAN

· WLANs, on page 1555
· Remote LANs, on page 1571
· RLAN External Module, on page 1587
· Client Roaming Across Policy Profile, on page 1589
· Network Access Server Identifier, on page 1597
· DHCP for WLANs, on page 1603
· WLAN Security, on page 1623
· Workgroup Bridges, on page 1635
· Peer-to-Peer Client Support, on page 1653
· Wireless Guest Access, on page 1655
· Wired Guest Access, on page 1685
· 802.11r BSS Fast Transition, on page 1705
· BSS Coloring, on page 1713
· Assisted Roaming, on page 1721
· 802.11v, on page 1727
· 802.11w, on page 1731
· 802.11ax Per Virtual Access Point, on page 1739
· Management Frame Protection, on page 1743
· Deny Wireless Client Session Establishment Using Calendar Profiles, on page 1747
· Ethernet over GRE, on page 1757
· Link Aggregation Group, on page 1775
· Hotspot 2.0, on page 1785
· User Defined Network, on page 1811
· Express Wi-Fi by Facebook, on page 1819
· Aironet Extensions IE (CCX IE), on page 1829
· BSSID Counters, on page 1833
· Fastlane+, on page 1837

CHAPTER 158

WLANs

· Information About WLANs, on page 1555
· Prerequisites for WLANs, on page 1558
· Restrictions for WLANs, on page 1558
· How to Configure WLANs, on page 1559
· Verifying WLAN Properties (CLI), on page 1568
Information About WLANs
This feature enables you to control WLANs for lightweight access points. Each WLAN has a separate WLAN ID, a separate profile name, and a WLAN SSID. All access points can advertise up to 16 WLANs. However, you can create up to 4096 WLANs and then selectively advertise these WLANs (using profiles and tags) to different access points for better manageability. You can configure WLANs with different SSIDs or with the same SSID. An SSID identifies the specific wireless network that you want the device to access.
Note The wireless client max-user-login concurrent command will work as intended even if the no configure max-user-identity response command is configured.
Note We recommend that you configure the password encryption aes and the key config-key password-encrypt key commands to encrypt your password.
Note For C9105, C9115, and C9120 APs, when a new WLAN is pushed from the controller and if the existing WLAN functional parameters are changed, the other WLAN clients will disconnect and reconnect.
Band Selection
Band select enables client radios that are capable of dual-band (2.4 and 5-GHz) operations to move to a less congested 5-GHz access point. The 2.4-GHz band is often congested. Clients on this band typically experience interference from Bluetooth devices, microwave ovens, and cordless phones as well as co-channel interference from other access points because of the 802.11b/g limit of 3 nonoverlapping channels. To prevent these sources of interference and improve overall network performance, configure band selection on the device.
Off-Channel Scanning Deferral
A lightweight access point, in normal operational conditions, periodically goes off-channel and scans another channel. This is in order to perform RRM operations such as the following:
· Transmitting and receiving Neighbor Discovery Protocol (NDP) packets with other APs.
· Detecting rogue APs and clients.
· Measuring noise and interference.
During the off-channel period, which normally is about 70 milliseconds, the AP is unable to transmit or receive data on its serving channel. Therefore, there is a slight impact on its performance and some client transmissions might be dropped.
While the AP is sending and receiving important data, you can configure off-channel scanning deferral so that the AP does not go off-channel and its normal operation is not impacted. You configure off-channel scanning deferral on a per-WLAN basis and per WMM UP class, with a specified time threshold in milliseconds. If the AP sends or receives, on a particular WLAN, a data frame marked with the given UP class within the specified threshold, the AP defers its next RRM off-channel scan. By default, off-channel scanning deferral is enabled for UP classes 4, 5, and 6, with a time threshold of 100 milliseconds. Therefore, when RRM is about to perform an off-channel scan, if a data frame marked with UP 4, 5, or 6 was received within the last 100 milliseconds, RRM defers going off-channel. For example, a voice call that sends and receives audio samples marked UP 6 every 20 milliseconds keeps the AP radio from going off-channel while the call is active.
Off-channel scanning deferral does come with a tradeoff. Off-channel scanning can impact throughput by 2 percent or more, depending on the configuration, traffic patterns, and so on. Throughput can be slightly improved if you enable off-channel scanning deferral for all traffic classes and increase the time threshold. However, by not going off-channel, RRM can fail to identify AP neighbors and rogues, resulting in negative impact to security, DCA, TPC, and 802.11k messages.
DTIM Period
In the 802.11 networks, lightweight access points broadcast a beacon at regular intervals, which coincides with the Delivery Traffic Indication Map (DTIM). After the access point broadcasts the beacon, it transmits any buffered broadcast and multicast frames based on the value set for the DTIM period. This feature allows power-saving clients to wake up at the appropriate time if they are expecting broadcast or multicast data.
Typically, the DTIM value is set to 1 (to transmit broadcast and multicast frames after every beacon) or 2 (to transmit broadcast and multicast frames after every other beacon). For instance, if the beacon period of the 802.11 network is 100 ms and the DTIM value is set to 1, the access point transmits buffered broadcast and multicast frames 10 times every second. If the beacon period is 100 ms and the DTIM value is set to 2, the access point transmits buffered broadcast and multicast frames 5 times every second. Either of these settings is suitable for applications, including Voice over IP (VoIP), that expect frequent broadcast and multicast frames.

However, the DTIM value can be set as high as 255 (to transmit broadcast and multicast frames after every 255th beacon). The only recommended DTIM values are 1 and 2; higher DTIM values will likely cause communications problems.
Note A beacon period, which is specified in milliseconds on the device, is converted internally by the software to 802.11 Time Units (TUs), where 1 TU = 1.024 milliseconds. Depending on the AP model, the actual beacon period may vary slightly; for example, a beacon period of 100 ms may in practice equate to 104.448 ms.
Prerequisites for Configuring Cisco Client Extensions
· The software supports CCX versions 1 through 5, which enables devices and their access points to communicate wirelessly with third-party client devices that support CCX. CCX support is enabled automatically for every WLAN on the device and cannot be disabled. However, you can configure Aironet information elements (IEs).
· If Aironet IE support is enabled, the access point sends an Aironet IE 0x85 (which contains the access point name, load, number of associated clients, and so on) in the beacon and probe responses of this WLAN, and the device sends Aironet IEs 0x85 and 0x95 (which contains the management IP address of the device and the IP address of the access point) in the reassociation response if it receives Aironet IE 0x85 in the reassociation request.
Peer-to-Peer Blocking
Peer-to-peer blocking is applied to individual WLANs, and each client inherits the peer-to-peer blocking setting of the WLAN to which it is associated. Peer-to-Peer enables you to have more control over how traffic is directed. For example, you can choose to have traffic bridged locally within the device, dropped by the device, or forwarded to the upstream VLAN. Peer-to-peer blocking is supported for clients that are associated with local and central switching WLANs.
Note Peer-to-peer blocking is VLAN-based. When it is enabled, all WLANs that use the same VLAN are affected.
Diagnostic Channel
You can choose a diagnostic channel to troubleshoot why the client is having communication problems with a WLAN. You can test the client and access points to identify the difficulties that the client is experiencing and allow corrective measures to be taken to make the client operational on the network. You can use the device GUI or CLI to enable the diagnostic channel, and you can use the device diag-channel CLI to run the diagnostic tests.
Note We recommend that you enable the diagnostic channel feature only for nonanchored SSIDs that use the management interface. The CCX Diagnostic feature has been tested only with clients that have a Cisco ADU card.

Prerequisites for WLANs
· You can associate up to 16 WLANs with each access point group and assign specific access points to each group. Each access point advertises only the enabled WLANs that belong to its access point group. The access point (AP) does not advertise disabled WLANs in its access point group or WLANs that belong to another group.
· We recommend that you assign one set of VLANs for WLANs and a different set of VLANs for management interfaces to ensure that devices properly route VLAN traffic.
Restrictions for WLANs
· Do not configure PSK and CCKM in a WLAN, as this configuration is not supported and impacts client join flow.
· Ensure that TKIP or AES ciphers are enabled with WPA1 configuration, else ISSU may break during upgrade process.
· When you change the WLAN profile name, then FlexConnect APs (using AP-specific VLAN mapping) will become WLAN-specific. If FlexConnect Groups are configured, the VLAN mapping will become Group-specific.
· Do not enable IEEE 802.1X Fast Transition on Flex Local Authentication enabled WLAN, as client association is not supported with Fast Transition 802.1X key management.
· Peer-to-peer blocking does not apply to multicast traffic.
· In FlexConnect, peer-to-peer blocking configuration cannot be applied only to a particular FlexConnect AP or a subset of APs. It is applied to all the FlexConnect APs that broadcast the SSID.
· The WLAN name and SSID can have up to 32 characters.
· WLAN and SSID names support only the following ASCII characters:
· Numerals: 0x30 through 0x39 (0 to 9)
· Alphabets (uppercase): 0x41 through 0x5A (A to Z)
· Alphabets (lowercase): 0x61 through 0x7A (a to z)
· ASCII space: 0x20
· Printable special characters: 0x21 through 0x2F, 0x3A through 0x40, 0x5B through 0x60, and 0x7B through 0x7E, that is: ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~
· A WLAN name cannot be a keyword; for example, if you try to create a WLAN with the name 's' by entering the wlan s command, it results in shutting down all WLANs because 's' is parsed as the keyword shutdown.
· You cannot map a WLAN to VLAN 0. Similarly, you cannot map a WLAN to VLANs 1002 to 1006.
· Dual-stack clients with a static IPv4 address are not supported.

· In a dual-stack with IPv4 and IPv6 configured in the Cisco 9800 controller, if an AP tries to join controller with IPv6 tunnel before its IPv4 tunnel gets cleaned, you would see a traceback and AP join will fail.
· When creating a WLAN with the same SSID, you must create a unique profile name for each WLAN.
· When multiple WLANs with the same SSID get assigned to the same AP radio, you must have a unique Layer 2 security policy so that clients can safely select between them.
· The SSID that is sent as part of the user profile will work only if aaa override command is configured.
· RADIUS server overwrite is not configured on a per WLAN basis, but rather on a per AAA server group basis.
· Downloadable ACL (DACL) is not supported in the FlexConnect mode or the local mode.
· You cannot mix open configuration models with CLI-based, GUI-based, or DNA Center-based configurations. However, if you decide to use multiple model types, they must remain independent of each other. For example, in open configuration models, you can only manage configurations that have been created using an open configuration model, not a CLI-based or GUI-based model. Configurations that are created using open configuration models cannot be modified using a GUI-based model, or CLI-based model, or any other model.

Caution Some clients might not be able to connect to WLANs properly if they detect the same SSID with multiple security policies. Use this WLAN feature with care.

How to Configure WLANs

Creating WLANs (GUI)
Procedure

Step 1: In the Configuration > Tags & Profiles > WLANs page, click Add. The Add WLAN window is displayed.
Step 2: Under the General tab and Profile Name field, enter the name of the WLAN. The name can be ASCII characters from 32 to 126, without leading and trailing spaces.
Step 3: Click Save & Apply to Device.

Creating WLANs (CLI)

Procedure

Step 1: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: wlan profile-name wlan-id [ssid]
Example:
Device(config)# wlan mywlan 34 mywlan-ssid
Purpose: Specifies the WLAN name and ID:
· For the profile-name, enter the profile name. The range is from 1 to 32 alphanumeric characters.
· For the wlan-id, enter the WLAN ID. The range is from 1 to 512.
· For the ssid, enter the Service Set Identifier (SSID) for this WLAN. If the SSID is not specified, the WLAN profile name is set as the SSID.
Note
· You can create SSID using GUI or CLI. However, we recommend that you use CLI to create SSID.
· By default, the WLAN is disabled.

Step 3: end
Example:
Device(config)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.
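As an added example (not part of the guide), a Python pre-flight check that applies the WLAN naming, wlan-id and VLAN restrictions listed above to a proposed wlan command before it is pushed to a controller; the keyword set is an assumed, illustrative subset and the function names are hypothetical.

```python
"""Pre-flight check for a 'wlan profile-name wlan-id [ssid]' definition.

Added example (not Cisco code): it encodes the naming, ID and VLAN
restrictions documented for WLANs so a change can be linted offline.
"""

# Code points the guide allows in WLAN profile names and SSIDs: digits,
# upper- and lowercase letters, space (0x20) and the printable special
# characters 0x21-0x2F, 0x3A-0x40 and 0x5B-0x60.
_ALLOWED_RANGES = (
    (0x30, 0x39), (0x41, 0x5A), (0x61, 0x7A), (0x20, 0x20),
    (0x21, 0x2F), (0x3A, 0x40), (0x5B, 0x60),
)

# Parser keywords a profile name must not collide with. The guide cites 's'
# (abbreviation of 'shutdown'); this set is an assumed, illustrative subset.
_CLI_KEYWORDS = {"s", "shutdown"}

# VLANs that cannot be mapped to a WLAN: 0 and the reserved range 1002-1006.
_RESERVED_VLANS = {0, *range(1002, 1007)}

MAX_NAME_LEN = 32
WLAN_ID_RANGE = range(1, 513)


def _is_allowed(ch: str) -> bool:
    cp = ord(ch)
    return any(lo <= cp <= hi for lo, hi in _ALLOWED_RANGES)


def check_name(value: str, label: str) -> list:
    """Problems with a profile name or SSID; empty list when it is acceptable."""
    problems = []
    if not 1 <= len(value) <= MAX_NAME_LEN:
        problems.append(f"{label} must be 1 to {MAX_NAME_LEN} characters, got {len(value)}")
    # Anything outside the documented ranges (control characters, non-ASCII,
    # DEL) is rejected; sorted so the report is deterministic.
    bad = sorted({ch for ch in value if not _is_allowed(ch)})
    if bad:
        problems.append(f"{label} contains unsupported characters: {bad}")
    # The GUI rule: no leading or trailing spaces.
    if value != value.strip(" "):
        problems.append(f"{label} has leading or trailing spaces")
    return problems


def check_wlan(profile_name: str, wlan_id: int, ssid: str = None, vlan: int = None) -> list:
    """Lint one WLAN definition; returns [] when every documented rule is met."""
    problems = check_name(profile_name, "profile name")
    if profile_name.lower() in _CLI_KEYWORDS:
        problems.append(f"profile name {profile_name!r} is a CLI keyword "
                        f"('wlan {profile_name}' would be parsed as a different command)")
    if wlan_id not in WLAN_ID_RANGE:
        problems.append(f"wlan-id {wlan_id} is outside 1-512")
    # Omitting the SSID makes the controller reuse the profile name as the SSID,
    # so the SSID rules are applied to whichever value will actually be used.
    problems += check_name(ssid if ssid is not None else profile_name, "SSID")
    if vlan is not None and vlan in _RESERVED_VLANS:
        problems.append(f"VLAN {vlan} cannot be mapped to a WLAN (0 and 1002-1006 are reserved)")
    return problems
```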

Deleting WLANs (GUI)
Procedure

Step 1: In the Configuration > Tags & Profiles > WLANs page, check the checkbox adjacent to the WLAN you want to delete. To delete multiple WLANs, select multiple WLANs checkboxes.
Step 2: Click Delete.
Step 3: Click Yes on the confirmation window to delete the WLAN.


Deleting WLANs

Procedure

Step 1: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: no wlan wlan-name wlan-id ssid
Example:
Device(config)# no wlan test2
Purpose: Deletes the WLAN. The arguments are as follows:
· The wlan-name is the WLAN profile name.
· The wlan-id is the WLAN ID.
· The ssid is the WLAN SSID name configured for the WLAN.
Note
If you delete a WLAN that is part of an AP group, the WLAN is removed from the AP group and from the AP's radio.

Step 3: end
Example:
Device(config)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Searching WLANs (CLI)

To verify the list of all WLANs configured on the controller, use the following show command:

Device# show wlan summary
Number of WLANs: 4

WLAN Profile Name    SSID              VLAN   Status
--------------------------------------------------------------------------------
1    test1           test1-ssid        137    UP
3    test2           test2-ssid        136    UP
2    test3           test3-ssid        1      UP
45   test4           test4-ssid        1      DOWN

To use wild cards and search for WLANs, use the following show command:

Device# show wlan summary | include test-wlan-ssid
1    test-wlan       test-wlan-ssid    137    UP
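As an added example (not from the guide), a Python parser for the show wlan summary table above that slices rows at the header's column offsets, so profile names and SSIDs containing spaces survive, plus an include-style regex search and a check for SSIDs shared by several WLAN profiles (the case the caution in the restrictions warns about). The sample output is constructed and its column widths are assumed.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the 'show wlan summary' table above; the
# column widths are assumed and three WLANs were added so that an SSID
# with a space and an SSID shared by two profiles both appear.
SAMPLE_OUTPUT = """\
Number of WLANs: 7

ID   Profile Name       SSID               VLAN  Status
-------------------------------------------------------
1    test1              test1-ssid         137   UP
3    test2              test2-ssid         136   UP
2    test3              test3-ssid         1     UP
45   test4              test4-ssid         1     DOWN
7    guest-employee     Guest Wi-Fi        20    UP
6    corp-psk           Corp Net           30    UP
8    corp-dot1x         Corp Net           30    UP
"""

COLUMNS = ("Profile Name", "SSID", "VLAN", "Status")


def parse_wlan_summary(text: str) -> list:
    """Parse the summary table into dicts, slicing rows at the header's column offsets.

    Slicing (rather than splitting on whitespace) is what keeps a profile name
    or SSID that contains spaces, such as 'Guest Wi-Fi', in one field.
    """
    lines = text.splitlines()
    header_idx = next(i for i, line in enumerate(lines) if all(c in line for c in COLUMNS))
    header = lines[header_idx]
    starts = [("id", 0)] + [(c.lower().replace(" ", "_"), header.index(c)) for c in COLUMNS]
    bounds = [(name, start, nxt)
              for (name, start), (_, nxt) in zip(starts, starts[1:] + [(None, None)])]
    records = []
    for line in lines[header_idx + 1:]:
        if not line.strip() or set(line.strip()) == {"-"}:
            continue  # blank line or the dashed separator
        rec = {name: line[start:end].strip() for name, start, end in bounds}
        rec["id"], rec["vlan"] = int(rec["id"]), int(rec["vlan"])
        records.append(rec)
    return records


def search(records: list, pattern: str) -> list:
    """Regex filter over profile name and SSID, like 'show wlan summary | include'."""
    rx = re.compile(pattern)
    return [r for r in records if rx.search(r["profile_name"]) or rx.search(r["ssid"])]


def shared_ssids(records: list) -> dict:
    """SSIDs advertised by more than one WLAN profile, mapped to those profiles.

    The guide cautions that the same SSID with several security policies can
    confuse clients, so these are the WLANs worth reviewing.
    """
    by_ssid = defaultdict(list)
    for r in records:
        by_ssid[r["ssid"]].append(r["profile_name"])
    return {ssid: names for ssid, names in by_ssid.items() if len(names) > 1}


def down_wlans(records: list) -> list:
    """WLANs whose status is not UP (disabled profiles are still listed in the summary)."""
    return [r for r in records if r["status"] != "UP"]
```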

Enabling WLANs (GUI)
Procedure

Step 1: Choose Configuration > Tags & Profiles > WLANs.
Step 2: On the WLANs page, click the WLAN name.
Step 3: In the Edit WLAN window, toggle the Status button to ENABLED.
Step 4: Click Update & Apply to Device.

Enabling WLANs (CLI)

Procedure

Step 1: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: wlan profile-name
Example:
Device(config)# wlan test4
Purpose: Enters WLAN configuration submode. The profile-name is the profile name of the configured WLAN.

Step 3: no shutdown
Example:
Device(config-wlan)# no shutdown
Purpose: Enables the WLAN.

Step 4: end
Example:
Device(config-wlan)# end
Purpose: Returns to privileged EXEC mode.

Disabling WLANs (GUI)
Procedure

Step 1: Choose Configuration > Tags & Profiles > WLANs.
Step 2: In the WLANs window, click the WLAN name.
Step 3: In the Edit WLAN window, set the Status toggle button as DISABLED.
Step 4: Click Update & Apply to Device.

Disabling WLANs (CLI)

Procedure

Step 1: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: wlan profile-name
Example:
Device(config)# wlan test4
Purpose: Enters WLAN configuration submode. The profile-name is the profile name of the configured WLAN.

Step 3: shutdown
Example:
Device(config-wlan)# shutdown
Purpose: Disables the WLAN.

Step 4: end
Example:
Device(config-wlan)# end
Purpose: Returns to privileged EXEC mode.

Step 5: show wlan summary
Example:
Device# show wlan summary
Purpose: Displays the list of all WLANs configured on the device. You can search for the WLAN in the output.

Configuring General WLAN Properties (CLI)
You can configure the following properties:
· Media stream
· Broadcast SSID
· Radio

Procedure

Step 1: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: wlan profile-name
Example:
Device(config)# wlan test4
Purpose: Enters WLAN configuration submode. The profile-name is the profile name of the configured WLAN.

Step 3: shutdown
Example:
Device(config-wlan)# shutdown
Purpose: Disables the WLAN.

Step 4: broadcast-ssid
Example:
Device(config-wlan)# broadcast-ssid
Purpose: Broadcasts the SSID for this WLAN.

Step 5: dot11bg 11g
Example:
Device(config-wlan)# dot11bg 11g
Purpose: Configures the WLAN radio policy for dot11 radios.

Step 6: media-stream multicast-direct
Example:
Device(config-wlan)# media-stream multicast-direct
Purpose: Enables multicast VLANs on this WLAN.

Step 7: no shutdown
Example:
Device(config-wlan)# no shutdown
Purpose: Enables the WLAN.

Step 8: end
Example:
Device(config-wlan)# end
Purpose: Returns to privileged EXEC mode.

Configuring Advanced WLAN Properties (CLI)

Procedure

Step 1: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: wlan profile-name
Example:
Device(config)# wlan test4
Purpose: Enters WLAN configuration submode. The profile-name is the profile name of the configured WLAN.

Step 3: chd
Example:
Device(config-wlan)# chd
Purpose: Enables coverage hole detection for this WLAN.

Step 4: ccx aironet-iesupport
Example:
Device(config-wlan)# ccx aironet-iesupport
Purpose: Enables support for Aironet IEs for this WLAN.

Step 5: client association limit {clients-per-wlan | ap clients-per-ap-per-wlan | radio clients-per-ap-radio-per-wlan}
Example:
Device(config-wlan)# client association limit ap 400
Purpose: Sets the maximum number of clients, clients per AP, or clients per AP radio that can be configured on a WLAN.

Step 6: ip access-group web acl-name
Example:
Device(config-wlan)# ip access-group web test-acl-name
Purpose: Configures the IPv4 WLAN web ACL. The variable acl-name specifies the user-defined IPv4 ACL name.

Step 7: peer-blocking [allow-private-group | drop | forward-upstream]
Example:
Device(config-wlan)# peer-blocking drop
Purpose: Configures peer to peer blocking parameters. The keywords are as follows:
· allow-private-group--Enables peer-to-peer blocking on the Allow Private Group action.
· drop--Enables peer-to-peer blocking on the drop action.
· forward-upstream--No action is taken and forwards packets to the upstream.
Note
The forward-upstream option is not supported for Flex local switching. Traffic is dropped even if this option is configured. Also, peer to peer blocking for local switching SSIDs is available only for the clients on the same AP.

Step 8: channel-scan {defer-priority {0-7} | defer-time {0 - 6000}}
Example:
Device(config-wlan)# channel-scan defer-priority 6
Purpose: Sets the channel scan defer priority and defer time. The arguments are as follows:
· defer-priority--Specifies the priority markings for packets that can defer off-channel scanning. The range is from 0 to 7. The default is 3.


· defer-time--Deferral time in milliseconds. The range is from 0 to 6000. The default is 100.

Step 9: end
Example:
Device(config-wlan)# end
Purpose: Returns to privileged EXEC mode.

Configuring Advanced WLAN Properties (GUI)
Before you begin
Ensure that you have configured an AP Join Profile prior to configuring the primary and backup controllers.

Procedure

Step 1: Choose Configuration > Tags & Profiles > WLANs.
Step 2: Click Add.
Step 3: Under the Advanced tab, check the Coverage Hole Detection check box.
Step 4: Check the Aironet IE check box to enable Aironet IE on the WLAN.
Step 5: Check the Diagnostic Channel check box to enable diagnostic channel on the WLAN.
Step 6: From the P2P Blocking Action drop-down list, choose the required value.
Step 7: Set the Multicast Buffer toggle button as enabled or disabled.
Step 8: Check the Media Stream Multicast-Direct check box to enable the feature.
Step 9: In the Max Client Connections section, specify the maximum number of client connections for the following:
· In the Per WLAN field, enter a value. The valid range is between 0 and 10000.
· In the Per AP Per WLAN field, enter a value. The valid range is between 0 and 400.
· In the Per AP Radio Per WLAN field, enter a value. The valid range is between 0 and 200.
Step 10: In the 11v BSS Transition Support section, perform the following configuration tasks:
a) Check the BSS Transition check box to enable 802.11v BSS Transition support.
b) In the Disassociation Imminent field, enter a value. The valid range is between 0 and 3000.
c) In the Optimized Roaming Disassociation Timer field, enter a value. The valid range is between 0 and 40.
d) Select the check box to enable the following:
· BSS Max Idle Service
· BSS Max Idle Protected
· Disassociation Imminent Service
· Directed Multicast Service


· Universal Admin
· Load Balance
· Band Select
· IP Source Guard

Step 11: In the 11ax section, perform the following configuration tasks:
a) Select the check box to enable the following:
· Check the Enable 11ax checkbox to enable 802.11ax operation status on the WLAN.
· Check the Downlink OFDMA and Uplink OFDMA check boxes to enable downlink and uplink connections that use OFDMA.
  Orthogonal Frequency Division Multiple Access (OFDMA) is a channel access mechanism that assures contention-free transmission to multiple clients in both the downlink (DL) and uplink (UL) within a respective single transmit opportunity.
· Check the Downlink MU-MIMO and Uplink MU-MIMO check boxes to enable downlink and uplink connections that use MU-MIMO.
  With Multiuser MIMO (MU-MIMO), an AP can use its antenna resources to transmit multiple frames to different clients, all at the same time and over the same frequency spectrum.
· Enable the target wake up time configuration on the WLAN by checking the BSS Target Wake Up Time checkbox.
  Target wake up time allows an AP to manage activity in the Wi-Fi network to minimize medium contention between stations, and to reduce the required amount of time that a station in the power-save mode needs to be awake. This is achieved by allocating stations to operate at non-overlapping times, and/or frequencies, and concentrate the frame exchanges in predefined service periods.
· Check the Universal Admin check box to enable Universal Admin support for the WLAN.
· Enable OKC on the WLAN by checking the OKC check box. Opportunistic Key Caching (OKC) allows the wireless client and the WLAN infrastructure to cache only one Pairwise Master Key (PMK) for the lifetime of the client association with this WLAN, even when roaming between multiple APs. This is enabled by default.
· Check the Load Balance check box to enable Aggressive Client Load Balancing. This allows lightweight access points to load balance wireless clients across access points.
· Check the Band Select check box to enable band selection for the WLAN. Band selection enables client radios that are capable of dual-band (2.4 and 5-GHz) operations to move to a less congested 5-GHz access point. The 2.4-GHz band is often congested with interference from other electronic devices as well as co-channel interference from other access points. Band selection helps prevent these sources of interference and improve overall network performance.
· Enable IP Source Guard on the WLAN by checking the IP Source Guard check box. IP Source Guard (IPSG) is a Layer 2 security feature that prevents the wireless controller from forwarding the packets with source IP addresses that are not known to it.
b) From the WMM Policy drop-down list, choose the policy as Allowed, Disabled, or Required. By default, the WMM policy is Allowed. Wi-Fi Multimedia (WMM) is used to prioritize different types of traffic.

· Disabled: Disables WMM on the WLAN.
· Required: Requires client devices to use WMM. Devices that do not support WMM cannot join the WLAN.
· Allowed: Devices that cannot support WMM can join the WLAN but will not benefit from the 802.11n rates.
c) From the mDNS drop-down list, choose Bridging, Gateway, or Drop. Multicast DNS (mDNS) provides the ability to perform DNS-like operations on the local link in the absence of any conventional Unicast DNS server.
· Bridging: Packets with mDNS multicast IP and multicast mac will be sent on multicast CAPWAP tunnel.
· Gateway: All ingress mDNS packets received from the wired network on a L3 interface (SVI or physical) would be intercepted by the Controller software and processed.
· Drop: All ingress mDNS packets will be dropped.

Step 12: In the Off Channel Scanning Defer section, choose the appropriate Defer Priority values and then specify the required Scan Defer Time value in milliseconds.
Step 13: In the Assisted Roaming (11k) section, choose the appropriate status for the following:
· Prediction Optimization
· Neighbor List
· Dual-Band Neighbor List
Step 14: In the DTIM Period (in beacon intervals) section, specify a value for 802.11a/n and 802.11b/g/n radios. The valid range is from 1 to 255.
Step 15: Click Apply to Device.

Verifying WLAN Properties (CLI)
To verify the WLAN properties based on the WLAN ID, use the following show command:
Device# show wlan id wlan-id
To verify the WLAN properties based on the WLAN name, use the following show command:
Device# show wlan name wlan-name
To verify the WLAN properties of all the configured WLANs, use the following show command:
Device# show wlan all
To verify the summary of all WLANs, use the following show command:
Device# show wlan summary
To verify the running configuration of a WLAN based on the WLAN name, use the following show command:
Device# show running-config wlan wlan-name

To verify the running configuration of all WLANs, use the following show command:
Device# show running-config wlan


CHAPTER 159
Remote LANs
· Information About Remote LANs, on page 1571
· Configuring Remote LANs (RLANs), on page 1573
Information About Remote LANs
A Remote LAN (RLAN) is used for authenticating wired clients using the controller. Once the wired client successfully joins the controller, the LAN ports switch the traffic between central or local switching modes. The traffic from wired client is treated as wireless client traffic. The RLAN in Access Point (AP) sends the authentication request to authenticate the wired client. The authentication of wired client in RLAN is similar to the central authenticated wireless client. The supported AP models are:
· Cisco Catalyst 9105AXW
· Cisco Aironet OEAP 1810 series
· Cisco Aironet 1815T series
· Cisco Aironet 1810W series
· Cisco Aironet 1815W

Information About Ethernet (AUX) Port
The second Ethernet port in Cisco Aironet 1850, 2800, and 3800 Series APs is used as a link aggregation (LAG) port, by default. It is possible to use this LAG port as an RLAN port when LAG is disabled. The following APs use LAG port as an RLAN port:
· 1852E
· 1852I
· 2802E
· 2802I
· 3802E
· 3802I
· 3802P
· 4802

Limitation for RLAN
· RLAN supports only a maximum of four wired clients regardless of the AP model.

Limitations for Using AUX port in Cisco 2700 Access Points
· RLAN supports AUX port and non-native VLAN for this port.
· Local mode supports wired client traffic on central switch. Whereas, Flexconnect mode does not support central switch.
· Flexconnect mode supports wired client traffic on local switch and not on central switch.
· AUX port cannot be used as a trunk port. Even switches or bridges cannot be added behind the port.
· AUX port does not support dot1x.

Role of Controller
· The controller acts as an authenticator, and Extensible Authentication Protocol (EAP) over LAN (EAPOL) messages from the wired client reaching the controller through an AP.
· The controller communicates with the configured Authentication, Authorization, and Accounting (AAA) server.
· The controller configures the LAN ports for an AP and pushes them to the corresponding AP.

Note

· RLAN is supported in APs that have more than one Ethernet port.

· In RLAN (local mode - local switching mode), if you want to use the AP native VLAN for client IP, the VLAN should be configured as either no vlan or vlan 1 in the RLAN policy profile. For example, if the native VLAN ID is 80, do not use the number 80 in the RLAN policy profile. Also, do not use VLAN name VLANxxxx to configure VLAN in the RLAN policy profile.

When a new client is connected to an AP, the client's details are available in the controller initially. However, after the CAPWAP DOWN/UP state, the client details are no longer listed in the controller.

· APs in local mode central switching do not support VLAN tagged traffic from RLAN clients, and the traffic gets dropped.

Configuring Remote LANs (RLANs)

Enabling or Disabling all RLANs

Procedure

Step 1: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: [no] ap remote-lan shutdown
Example:
Device(config)# [no] ap remote-lan shutdown
Purpose: Enables or disables all RLANs.

Step 3: end
Example:
Device(config)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Creating RLAN Profile (GUI)
Procedure

Step 1: Choose Configuration > Tags & Profiles > Remote LAN.
Step 2: Click Add.
Step 3: Enter the Profile Name, RLAN ID and enable or disable the Status toggle button. The name can be ASCII characters from 32 to 126, without leading and trailing spaces.
Step 4: Click Apply to Device.

Creating RLAN Profile (CLI)

Procedure

Step 1: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: ap remote-lan profile-name remote-lan-profile-name rlan-id
Example:
Device(config)# ap remote-lan profile-name rlan_profile_name 3
Purpose: Configures remote LAN profile.
· remote-lan-profile-name--Is the remote LAN profile name. Range is from 1 to 32 alphanumeric characters.
· rlan-id--Is the remote LAN identifier. Range is from 1 to 128.
Note
You can create a maximum of 128 RLANs. You cannot use the rlan-id of an existing RLAN while creating another RLAN.
Both RLAN and WLAN profile cannot have the same names. Similarly, RLAN and WLAN policy profile cannot have the same names.

Configuring RLAN Profile Parameters (GUI)
Procedure

Step 1: Choose Configuration > Tags & Profiles > Remote LAN.
Step 2: On the RLAN Profile tab, click Add. The Add RLAN Profile window is displayed.
Step 3: In the General tab:
a) Enter a Name and RLAN ID for the RLAN profile. The name can be ASCII characters from 32 to 126, without leading and trailing spaces.
b) Set the number of client connections per RLAN in the Client Association Limit field. The range depends on the maximum number of clients supported by the platform.
c) To enable the profile, set the status as Enable.
Step 4: In the Security > Layer2 tab:
a) To enable 802.1x for an RLAN, set the 802.1x status as Enabled.
Note: You can activate either web or 802.1x authentication list at a time.
b) Choose the authorization list name from the MAC Filtering drop-down list.
c) Choose the 802.1x for an RLAN authentication list name from the Authentication List drop-down list.
Step 5: In the Security > Layer3 tab:
a) To enable web authentication for an RLAN, set the Web Auth status as Enabled.
Note: You can activate either web or 802.1x authentication list at a time.

b) Choose the web authentication parameter map from the Webauth Parameter Map drop-down list.
c) Choose the web authentication list name from the Authentication List drop-down list.
Step 6: In the Security > AAA tab:
a) Set the Local EAP Authentication to enabled. Also, choose the required EAP Profile Name from the drop-down list.
Step 7: Save the configuration.

Configuring RLAN Profile Parameters (CLI)

Before you begin
The configurations in this section are not mandatory for an RLAN profile. In case of central switching mode, you need to configure both central switching and central DHCP.

Procedure

Step 1: client association limit client-connections
Example:
Device(config-remote-lan)# client association limit 1
Purpose: Configures client connections per RLAN. client-connections--Is the maximum client connections per RLAN. Range is from 0 to 10000. 0 refers to unlimited.

Step 2: ip access-group web IPv4-acl-name
Example:
Device(config-remote-lan)# ip access-group web acl_name
Purpose: Configures RLAN IP configuration commands. IPv4-acl-name--Refers to the IPv4 ACL name or ID.

Step 3: local-auth profile-name
Example:
Device(config-remote-lan)# local-auth profile_name
Purpose: Sets EAP Profile on an RLAN. profile-name--Is the EAP profile on an RLAN.

Step 4: mac-filtering mac-filter-name
Example:
Device(config-remote-lan)# mac-filtering mac_filter
Purpose: Sets MAC filtering support on an RLAN. mac-filter-name--Is the authorization list name.

Step 5: security dot1x authentication-list list-name
Example:
Device(config-remote-lan)# security dot1x authentication-list dot1_auth_list
Purpose: Configures 802.1X for an RLAN. list-name--Is the authentication list name.

Step 6: security web-auth authentication-list list-name
Purpose: Configures web authentication for an RLAN. list-name--Is the authentication list name.

Example:
Device(config-remote-lan)# security web-auth authentication-list web_auth_list
Note: You can activate either web or dot1x authentication list at a time.

Step 7: [no] shutdown
Example:
Device(config-remote-lan)# shutdown
Purpose: Enables or disables RLAN profile.

Step 8: end
Example:
Device(config-remote-lan)# end
Purpose: Returns to privileged EXEC mode.

Creating RLAN Policy Profile (GUI)
Procedure

Step 1: Choose Configuration > Wireless > Remote LAN > RLAN Policy.
Step 2: Click Add.
Step 3: In the General tab, enter the Policy Name.
Step 4: Click Apply to Device.

Creating RLAN Policy Profile (CLI)

Procedure

Step 1: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: ap remote-lan-policy policy-name profile-name
Example:
Device(config)# ap remote-lan-policy policy-name rlan_policy_prof_name
Purpose: Configures RLAN policy profile and enters wireless policy configuration mode.

Configuring RLAN Policy Profile Parameters (GUI)
Procedure

Step 1: Choose Configuration > Wireless > Remote LAN.
Step 2: On the Remote LAN page, click the RLAN Policy tab.
Step 3: On the RLAN Policy page, click the name of the Policy or click Add to create a new one. The Add/Edit RLAN Policy window is displayed.
Step 4: In the General tab:
a) Enter a Name and Description for the policy profile.
b) Set Central Authentication to Enabled state.
c) Set Central DHCP to Enabled state.
d) Set the PoE check box to enable or disable state.
e) To enable the policy, set the status as Enable.
Step 5: In the Access Policies tab, choose the VLAN name or number from the VLAN drop-down list.
Note: When central switching is disabled, the VLAN in the RLAN policy cannot be configured as the AP's native VLAN. To use the AP's native VLAN for client IP, the VLAN should be configured as either no vlan or vlan 1 in the RLAN policy profile.
Step 6: From the Host Mode drop-down list, choose the Host Mode for the remote-LAN 802.1x from the following options:
· Single-Host Mode--Is the default host mode. In this mode, the switch port allows only a single host to be authenticated and passes traffic one by one.
· Multi-Host Mode--The first device to authenticate opens up to the switch port, so that all other devices can use the port. You need not authenticate other devices independently, if the authenticated device becomes authorized the switch port is closed.
· Multi-Domain Mode--The authenticator allows one host from the data domain and another from the voice domain. This is a typical configuration on switch ports with IP phones connected.
Note: For an RLAN profile with open-auth configuration, you must map the RLAN-policy with single host mode. Mapping RLAN-policy with multi-host or multi-domain mode is not supported.
Step 7: Configure IPv6 ACL or Flexible Netflow.
· Under the Access Policies > Remote LAN ACL section, choose the IPv6 ACL from the drop-down list.
· Under the Access Policies > AVC > Flow Monitor IPv6 section, check the Egress Status and Ingress Status check boxes and choose the policies from the drop-down lists.
Step 8: Click the Advanced tab.
a) Configure the violation mode for Remote-LAN 802.1x from the Violation Mode drop-down list, choose the violation mode type from the following options:
· Shutdown--Disables the port.

· Replace--Removes the current session and initiates authentication for the new host. This is the default behavior.
· Protect--Drops packets with unexpected MAC addresses without generating a system message.
b) Enter the Session Timeout (sec) value to define the client's duration of a session. The range is between 20 and 86400 seconds.
c) Under AAA Policy Params section, check the AAA Override check box to enable AAA override.
d) Under the Exclusionlist Params section, check the Exclusionlist check box and enter the Exclusionlist Timeout value. This sets the exclusion time for a client. The range is between 0 and 2147483647 seconds. 0 refers to no timeout.
Step 9: Save the configuration.

Configuring RLAN Policy Profile Parameters (CLI)
Before you begin
RLAN does not support the following features:
· Central Web Authentication (CWA)
· Quality of Service (QoS)
· Bi-Directional Rate Limiting (BDRL)
· Multicast and Broadcast
· Identity PSK (iPSK)

Procedure

Step 1: central switching
Example:
Device(config-remote-lan-policy)# central switching
Purpose: Configures central switching.

Step 2: central dhcp
Example:
Device(config-remote-lan-policy)# central dhcp
Purpose: Configures central DHCP.

Step 3: exclusionlist timeout timeout
Purpose: Sets exclusion-listing on RLAN.

Example:
Device(config-remote-lan-policy)# exclusionlist timeout 200
timeout--Sets the time, up to which the client will be in excluded state. Range is from 0 to 2147483647 seconds. 0 refers to no timeout.

Step 4: vlan vlan
Example:
Device(config-remote-lan-policy)# vlan vlan1
Purpose: Configures VLAN name or ID. vlan--Is the vlan name.

Step 5:
Example:
Device(config-remote-lan-policy)# ipv6 acl ipv6_acl

Step 6: aaa-override
Example:
Device(config-remote-lan-policy)# aaa-override
Purpose: Configures AAA policy override.

Step 7: session-timeout timeout-in-seconds
Example:
Device(config-remote-lan-policy)# session-timeout 21
Purpose: Configures client session timeout. timeout-in-seconds--Defines the duration of a session. Range is from 20 to 86400 seconds.

Step 8: host-mode {multidomain voice-domain | multihost | singlehost}
Example:
Device(config-remote-lan-policy)# host-mode multidomain
Purpose: Configures host mode for remote-LAN 802.1x. voice-domain--Is the RLAN voice domain VLAN ID. Range is from 0 to 65535.
You can configure the following IEEE 802.1X authentication modes:
· Multi-Domain Mode--The authenticator allows one host from the data domain and another from the voice domain. This is a typical configuration on switch ports with IP phones connected.
· Multi-Host Mode--The first device to authenticate opens up to the switch port, so that all other devices can use the port. You need not authenticate other devices independently, if the authenticated device becomes authorized the switch port is closed.
· Single-Host Mode--Is the default host mode. In this mode, the switch port allows only a single host to be authenticated and passes traffic one by one.

Step 9
Step 10 Step 11 Step 12

Command or Action
violation-mode {protect | replace | shutdown}
Example:
Device(config-remote-lan-policy)# violation-mode protect

Purpose
Configures violation mode for Remote-LAN 802.1x.
When a security violation occurs, a port is protected based on the following configured violation actions:
· Shutdown--Disables the port.
· Replace--Removes the current session and initiates authentication for the new host. This is the default behavior.
· Protect--Drops packets with unexpected MAC addresses without generating a system message. In the single-host authentication mode, a violation is triggered when more than one device is detected in data VLAN. In a multi-host authentication mode, a violation is triggered when more than one device is detected in data VLAN or voice VLAN.

[no] poe

Enables or disables PoE.

Example:

Device(config-remote-lan-policy)# poe

[no] shutdown
Example:
Device(config-remote-lan-policy)# shutdown

Enables or disables an RLAN policy profile.

end Example:
Device(config-remote-lan-policy)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Configuring Policy Tag and Mapping an RLAN Policy Profile to an RLAN Profile (CLI)

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wireless tag policy policy-tag-name
Example:
Device(config)# wireless tag policy remote-lan-policy-tag
Purpose: Configures policy tag and enters policy tag configuration mode.

Step 3
Command or Action: remote-lan remote-lan-profile-name policy rlan-policy-profile-name port-id port-id
Example:
Device(config-policy-tag)# remote-lan rlan_profile_name policy rlan_policy_profile port-id 2
Purpose: Maps an RLAN policy profile to an RLAN profile.
· remote-lan-profile-name--Is the name of the RLAN profile.
· rlan-policy-profile-name--Is the name of the policy profile.
· port-id--Is the LAN port number on the access point. Range is from 1 to 4.

Step 4
Command or Action: end
Example:
Device(config-policy-tag)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Configuring LAN Port (CLI)

Procedure

Step 1
Command or Action: ap name ap name lan port-id lan port id {disable | enable}
Example:
Device# ap name L2_1810w_2 lan port-id 1 enable
Purpose: Configures a LAN port.
· enable--Enables the LAN port.
· disable--Disables the LAN port.

Attaching Policy Tag to an Access Point (GUI)

Procedure

Step 1 Choose Configuration > Wireless > Access Points.
Step 2 Select the AP to attach the Policy Tag.
Step 3 Under the Tags section, use the Policy drop-down to select a policy tag.
Step 4 Click Update & Apply to Device.

Attaching Policy Tag to an Access Point (CLI)

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: ap ap-ethernet-mac
Example:
Device(config)# ap 00a2.891c.21e0
Purpose: Configures the MAC address for an AP and enters AP configuration mode.

Step 3
Command or Action: policy-tag policy-tag-name
Example:
Device(config-ap-tag)# policy-tag remote-lan-policy-tag
Purpose: Attaches policy tag to the access point.
· policy-tag-name--Is the name of the policy tag defined earlier.

Step 4
Command or Action: end
Example:
Device(config-ap-tag)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Verifying RLAN Configuration

To view the summary of all RLANs, use the following command:

Device# show remote-lan summary

Number of RLANs: 1

RLAN   Profile Name          Status
----------------------------------------------------------------
1      rlan_test_1           Enabled

To view the RLAN configuration by ID, use the following command:

Device# show remote-lan id <id>

Remote-LAN Profile Name          : rlan_test_1
====================================================
Identifier                       : 1
Status                           : Enabled
Mac-filtering                    : Not Configured
Number of Active Clients         : 1
Security_8021X                   : Disabled
8021.x Authentication list name  : Not Configured
Local Auth eap Profile Name      : Not Configured
Web Auth Security                : Disabled
Webauth Authentication list name : Not Configured
Web Auth Parameter Map           : Not Configured
Client association limit         : 0
Ipv4 Web Pre Auth Acl            : Not Configured
Ipv6 Web Pre Auth Acl            : Not Configured


To view the RLAN configuration by profile name, use the following command:

Device# show remote-lan name <profile-name>

Remote-LAN Profile Name          : rlan_test_1
========================================================
Identifier                       : 1
Status                           : Enabled
Mac-filtering                    : Not Configured
Number of Active Clients         : 1
Security_8021X                   : Disabled
8021.x Authentication list name  : Not Configured
Local Auth eap Profile Name      : Not Configured
Web Auth Security                : Disabled
Webauth Authentication list name : Not Configured
Web Auth Parameter Map           : Not Configured
Client association limit         : 0
Ipv4 Web Pre Auth Acl            : Not Configured
Ipv6 Web Pre Auth Acl            : Not Configured

To view the detailed output of all RLANs, use the following command:

Device# show remote-lan all

Remote-LAN Profile Name          : rlan_test_1
==================================================
Identifier                       : 1
Status                           : Enabled
Mac-filtering                    : Not Configured
Number of Active Clients         : 1
Security_8021X                   : Disabled
8021.x Authentication list name  : Not Configured
Local Auth eap Profile Name      : Not Configured
Web Auth Security                : Disabled
Webauth Authentication list name : Not Configured
Web Auth Parameter Map           : Not Configured
Client association limit         : 0
Ipv4 Web Pre Auth Acl            : Not Configured
Ipv6 Web Pre Auth Acl            : Not Configured

Remote-LAN Profile Name          : rlan_test_2
==================================================
Identifier                       : 2
Status                           : Enabled
Mac-filtering                    : Not Configured
Number of Active Clients         : 1
Security_8021X                   : Disabled
8021.x Authentication list name  : Not Configured
Local Auth eap Profile Name      : Not Configured
Web Auth Security                : Disabled
Webauth Authentication list name : Not Configured
Web Auth Parameter Map           : Not Configured
Client association limit         : 0
Ipv4 Web Pre Auth Acl            : Not Configured
Ipv6 Web Pre Auth Acl            : Not Configured
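The outputs above show, per RLAN, whether any client authentication is configured at all (both sample RLANs have 802.1X, web auth and MAC filtering off). As an added example, not part of the guide or of any Cisco code, the following Python parses `show remote-lan all` output and flags enabled RLANs with no 802.1X, web authentication or MAC filtering, and RLANs where 802.1X or web auth is enabled without an authentication list; the sample output is constructed and abridged to the fields the check needs.

```python
import re

# Constructed sample, abridged to the fields of "show remote-lan all" that the
# audit reads; the profile names and values are made up for this example.
SAMPLE_SHOW_REMOTE_LAN_ALL = """\
Remote-LAN Profile Name          : rlan_test_1
==================================================
Identifier                       : 1
Status                           : Enabled
Mac-filtering                    : Not Configured
Security_8021X                   : Disabled
8021.x Authentication list name  : Not Configured
Local Auth eap Profile Name      : Not Configured
Web Auth Security                : Disabled
Webauth Authentication list name : Not Configured

Remote-LAN Profile Name          : rlan_lab_dot1x
==================================================
Identifier                       : 2
Status                           : Enabled
Mac-filtering                    : Not Configured
Security_8021X                   : Enabled
8021.x Authentication list name  : Not Configured
Local Auth eap Profile Name      : Not Configured
Web Auth Security                : Disabled
Webauth Authentication list name : Not Configured

Remote-LAN Profile Name          : rlan_guest_webauth
==================================================
Identifier                       : 3
Status                           : Disabled
Mac-filtering                    : Not Configured
Security_8021X                   : Disabled
8021.x Authentication list name  : Not Configured
Local Auth eap Profile Name      : Not Configured
Web Auth Security                : Enabled
Webauth Authentication list name : webauth_list
"""

# "<label> : <value>" lines; the label may contain spaces, dots and dashes.
FIELD_RE = re.compile(r"^(?P<key>[^:]+?)\s*:\s*(?P<value>.*?)\s*$")


def parse_remote_lan_all(text):
    """Split the output into one dict per RLAN: a new profile starts at each
    'Remote-LAN Profile Name' line; '====' separator lines are skipped."""
    profiles = []
    current = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("="):
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group("key").strip(), m.group("value")
        if key == "Remote-LAN Profile Name":
            current = {key: value}
            profiles.append(current)
        elif current is not None:
            current[key] = value
    return profiles


def is_set(profile, key):
    """True when the field carries a real value rather than 'Not Configured'."""
    return profile.get(key, "Not Configured") not in ("Not Configured", "")


def audit_rlan(profile):
    """Return (profile name, reason) findings for one RLAN; [] means nothing to flag."""
    findings = []
    name = profile.get("Remote-LAN Profile Name", "?")
    if profile.get("Status") != "Enabled":
        return findings  # a disabled RLAN serves no LAN port
    dot1x = profile.get("Security_8021X") == "Enabled"
    webauth = profile.get("Web Auth Security") == "Enabled"
    macfilter = is_set(profile, "Mac-filtering")
    if not (dot1x or webauth or macfilter):
        findings.append((name, "enabled with no 802.1X, web auth or MAC filtering"))
    if dot1x and not (is_set(profile, "8021.x Authentication list name")
                      or is_set(profile, "Local Auth eap Profile Name")):
        findings.append((name, "802.1X enabled but no authentication list or local EAP profile"))
    if webauth and not is_set(profile, "Webauth Authentication list name"):
        findings.append((name, "web auth enabled but no authentication list"))
    return findings


def audit_remote_lans(text):
    """Run audit_rlan over every profile in a 'show remote-lan all' capture."""
    findings = []
    for profile in parse_remote_lan_all(text):
        findings.extend(audit_rlan(profile))
    return findings


if __name__ == "__main__":
    for name, reason in audit_remote_lans(SAMPLE_SHOW_REMOTE_LAN_ALL):
        print(f"{name}: {reason}")
```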

Device# show remote-lan policy summary

Number of Policy Profiles: 1

Profile Name          Description                       Status
---------------------------------------------------------------------------------------------
rlan_named_pp1        Testing RLAN policy profile       Enabled

To view the LAN port configuration of a Cisco AP, use the following command:

Device# show ap name <ap_name> lan port summary

LAN Port status for AP L2_1815w_1
Port ID     status      vlanId    poe
---------------------------------------------
LAN1        Enabled     20        Disabled
LAN2        Enabled     20        NA
LAN3        Disabled    0         NA

To view the summary of all clients, use the following command:

Device# show wireless client summary

Number of Local Clients: 1

MAC Address        AP Name        WLAN    State    Protocol    Method    Role
---------------------------------------------------------------------------------------
d8eb.97b6.fcc6     L2_1815w_1     1 *     Run      Ethernet    None      Local

To view the client details with the specified username, use the following command:

Device# show wireless client username cisco

MAC Address        AP Name        Status    WLAN    Auth    Protocol
----------------------------------------------------------------------------------------------------
0014.d1da.a977     L2_1815w_1     Run       1 *     Yes     Ethernet
d8eb.97b6.fcc6     L2_1815w_1     Run       1 *     Yes     Ethernet

To view the detailed information for a client by MAC address, use the following command:

Device# show wireless client mac-address d8eb.97b6.fcc6 detail

Client MAC Address : d8eb.97b6.fcc6

Client IPv4 Address : 9.2.20.78

Client IPv6 Addresses : fe80::1863:292f:feaa:2cf

Client Username: N/A

AP MAC Address : 707d.b99e.c2e0

AP Name: L2_1815w_1

AP slot : 2

Client State : Associated

Policy Profile : rlan_named_pp1

Flex Profile : rlan-flex-profile

Remote LAN Id : 1

Remote LAN Name: rlan_test_1

BSSID : 707d.b99e.c2e1

Connected For : 1159 seconds

Protocol : Ethernet

Channel : 0

Port ID: 2

Client IIF-ID : 0xa0000001

Association Id : 1

Authentication Algorithm : Open System

Client CCX version : No CCX support

Session Timeout : 1800 sec (Remaining time: 641 sec)

Input Policy Name : None

Input Policy State : None

Input Policy Source : None

Output Policy Name : None

Output Policy State : None

Output Policy Source : None

WMM Support : Disabled

Fastlane Support : Disabled

Power Save : OFF

Current Rate : 0.0

Mobility:
  Move Count                  : 0
  Mobility Role               : Local
  Mobility Roam Type          : None
  Mobility Complete Timestamp : 07/06/2018 11:25:26 IST

Policy Manager State: Run


NPU Fast Fast Notified : No

Last Policy Manager State : IP Learn Complete

Client Entry Create Time : 1159 seconds

Policy Type : N/A

Encryption Cipher : None

Encrypted Traffic Analytics : No

Management Frame Protection : No

Protected Management Frame - 802.11w : No

EAP Type : Not Applicable

VLAN : 20

Access VLAN : 20

Anchor VLAN : 0

WFD capable : No

Managed WFD capable : No

Cross Connection capable : No

Support Concurrent Operation : No

Session Manager:
  Interface         : capwap_90000008
  IIF ID            : 0x90000008
  Authorized        : TRUE
  Session timeout   : 1800
  Common Session ID : 32130209000000136C48A29D
  Acct Session ID   : 0x00000000
  Aaa Server Details
    Server IP       :
  Auth Method Status List
    Method          : None
  Local Policies:
    Service Template : wlan_svc_rlan_named_pp1_local (priority 254)
    Absolute-Timer   : 1800
    VLAN             : 20
  Server Policies:
  Resultant Policies:
    VLAN             : 20
    Absolute-Timer   : 1800

DNS Snooped IPv4 Addresses : None

DNS Snooped IPv6 Addresses : None

Client Capabilities

CF Pollable : Not implemented

CF Poll Request : Not implemented

Short Preamble : Not implemented

PBCC : Not implemented

Channel Agility : Not implemented

Listen Interval : 0

Fast BSS Transition Details :

Reassociation Timeout : 0

11v BSS Transition : Not implemented

FlexConnect Data Switching : Central

FlexConnect Dhcp Status : Central

FlexConnect Authentication : Central

FlexConnect Central Association : No

Client Statistics:

Number of Bytes Received : 6855

Number of Bytes Sent : 1640

Number of Packets Received : 105

Number of Packets Sent : 27

Number of Policy Errors : 0

Radio Signal Strength Indicator : 0 dBm

Signal to Noise Ratio : 0 dB

Fabric status : Disabled

Client Scan Reports

Assisted Roaming Neighbor List

To view the summary of all AP tags, use the following command:

Device# show ap tag summary

Number of APs: 2

AP Name       AP Mac           Site Tag Name       Policy Tag Name       RF Tag Name       Misconfigured    Tag Source
------------------------------------------------------------------------------------------------------------------------------------------------
L2_1810d_1    0008.3296.24c0   default-site-tag    default-policy-tag    default-rf-tag    No               Default
L2_1810w_2    00b0.e18c.5880   rlan-site-tag       rlan_pt_1             default-rf-tag    No               Static

To view the summary of all policy tags, use the following command:

Device# show wireless tag policy summary

Number of Policy Tags: 2

Policy Tag Name           Description
------------------------------------------------------------------------
rlan_pt_1
default-policy-tag        default policy-tag

To view details of a specific policy tag, use the following command:

Device# show wireless tag policy detailed <rlan_policy_tag_name>

Policy Tag Name : rlan_pt_1
Description     :
Number of WLAN-POLICY maps: 0
Number of RLAN-POLICY maps: 2

REMOTE-LAN Profile Name        Policy Name          Port Id
--------------------------------------------------------------------------------------------
rlan_test_1                    rlan_named_pp1       1
rlan_test_1                    rlan_named_pp1       2

CHAPTER 160

RLAN External Module

· Information About External Module, on page 1587
· Prerequisites for Configuring External Module, on page 1587
· Configuring External Module (GUI), on page 1587
· Configuring External Module (CLI), on page 1588
· Verifying External Module, on page 1588

Information About External Module

The External Module feature enables traffic to flow in and out of the Cisco Aironet Developer Platform module when an access point (AP) is in either local or FlexConnect mode.

Prerequisites for Configuring External Module

Before you begin, you must ensure the following:
· The external module is powered on.
· The RLAN status is enabled.

Configuring External Module (GUI)

Procedure

Step 1 Choose Configuration > Tags & Profiles > Tags.
Step 2 In the Policy tab, select one of the Policy Tag Names and click Add.
Step 3 In the Add Policy Tag page, in the RLAN-POLICY Maps section, click Add.
Step 4 From the Port ID drop-down list, choose ext-module.
Step 5 From the RLAN Profile drop-down list, choose an RLAN profile.
Step 6 From the RLAN Policy Profile drop-down list, choose an RLAN policy profile.

Step 7 Click the check mark icon.

Configuring External Module (CLI)

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wireless tag policy default-policy-tag
Example:
Device(config)# wireless tag policy default-policy-tag
Purpose: Configures a policy tag to the external module for the remote LAN.

Step 3
Command or Action: remote-lan rlan-profile policy rlan-policy ext-module
Example:
Device(default-policy-tag)# remote-lan rlan policy abc ext-module
Purpose: Configures a remote LAN policy to the external module.

Verifying External Module

To view the external module remote LAN configuration, use the following command:

Device# show ap name ap_name lan port summary

LAN Port status for AP ap_name
Port ID       status     vlanId    poe    power-level    RLAN
----------------------------------------------------------------------
ext-module    Enabled    39        NA     NA             Enabled

To view the external module inventory details, use the following command:

Device# show ap name abc inventory

NAME: AP3800, DESCR: Cisco Aironet 3800 Series (IEEE 802.11ac) Access Point
PID: AIR-AP3802I-D-K9, VID: 01, SN: xxxxxxxxxxx
MODULE NAME: Expansion Module, DESCR: Cisco HDK Module (rev2)
PID: Unknown, SN: xxxxxxxxxxx, MaxPower: 2700mW
VersionID: V22, Capabilities: RLAN (UP)


CHAPTER 161

Client Roaming Across Policy Profile

· Information about Client Roaming Policy Profile, on page 1589
· Configuring Client Roaming Across Policy Profile, on page 1590
· Verifying Client Roaming Across Policy Profiles, on page 1591

Information about Client Roaming Policy Profile

In the Cisco Catalyst 9800 Series Wireless Controller, each WLAN must be associated with a policy profile using a policy tag. Because the policy profile represents the policy defined by the administrator, the general rule is that the controller does not allow seamless roaming between the same WLAN associated with different policy profiles. The client is disconnected, which disrupts seamless roaming, and the client must join again so that the new policy can be evaluated and applied. When you enable roaming across policy profiles, seamless roaming to the same WLAN associated with different policy profiles is allowed if the two policy profiles differ only in the settings listed below. A typical use case is clients roaming across two APs that belong to different policy tags and have the WLAN associated with different policy profiles, each with a different VLAN setting. If roaming across policy profiles is enabled, the controller allows seamless roaming to another policy profile even if the VLAN is different, and the client retains its original IP address. The controller applies all other attributes except the VLAN from the new policy profile that the client has joined. Client roaming across policy profiles is not allowed if the policy profile configurations differ. However, the following settings are exceptions:

· Accounting list
· CTS
· DHCP-TLV-caching
· Dot11 5 Ghz airtime-fairness
· Dot11 24 Ghz airtime-fairness
· ET-analytics enable
· http-TLV-caching
· Idle-threshold
· Idle-timeout
· MDnS-SD service policy
· IPv4 ACL
· IPv6 ACL
· QBSS load
· RADIUS profiling
· Session timeout
· SIP CAC disassociation client
· SIP CAC send-486busy
· VLAN

You must execute the configuration in global configuration mode. When a client roam across policy profiles is attempted, the roam either succeeds or fails. In either case, the Total Roam Across Policy Profiles counter in the client global statistics section increments. When the roam across policy profiles is denied, the Roam across policy profile deny delete reason counter is also incremented.

Note This feature is not supported on fabric and on Cisco 9800 FlexConnect.

The following is an example in which a client roaming across policy profiles PP1 and PP2 is denied:

wireless profile policy PP1
 vlan 42
 no shutdown
wireless profile policy PP2
 aaa-override
 vlan 43
 no shutdown
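To make the rule concrete, the following Python (an added example, not part of the guide or of the controller's code) compares two wireless profile policy blocks and reports whether a roam between them is allowed under this feature: only the exception settings listed above may differ, a differing VLAN is retained by the client rather than applied, and the two counters from show wireless stats client detail are mirrored. The exception keywords are written as CLI prefixes derived from the list above and are an assumption of this example, as is the extra profile PP3.

```python
# Constructed policy profiles, modelled on the guide's PP1/PP2 example.
# PP3 is an addition for this example: it differs from PP1 only in
# exception settings (vlan, session-timeout), so a roam is allowed.
PP1 = """\
wireless profile policy PP1
 vlan 42
 no shutdown
"""
PP2 = """\
wireless profile policy PP2
 aaa-override
 vlan 43
 no shutdown
"""
PP3 = """\
wireless profile policy PP3
 vlan 43
 session-timeout 3600
 no shutdown
"""

# Settings the guide lists as exceptions, written as policy-profile CLI
# prefixes (assumed spellings for this example, derived from the list above).
ROAM_EXEMPT_PREFIXES = (
    "accounting-list", "cts", "dhcp-tlv-caching",
    "dot11 5ghz airtime-fairness", "dot11 24ghz airtime-fairness",
    "et-analytics", "http-tlv-caching", "idle-threshold", "idle-timeout",
    "mdns-sd", "ipv4 acl", "ipv6 acl", "qbss-load", "radius-profiling",
    "session-timeout", "sip-cac", "vlan",
)


def parse_policy_profile(text):
    """Return (profile name, set of setting lines) from a config block."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    head = lines[0].split()
    if head[:3] != ["wireless", "profile", "policy"] or len(head) != 4:
        raise ValueError(f"not a policy profile header: {lines[0]!r}")
    return head[3], set(lines[1:])


def is_exempt(setting):
    """A setting may differ between profiles if it is one of the exceptions;
    'no <setting>' is treated as the same attribute as '<setting>'."""
    bare = setting[3:] if setting.startswith("no ") else setting
    return any(bare == p or bare.startswith(p + " ") for p in ROAM_EXEMPT_PREFIXES)


def roam_decision(src_text, dst_text):
    """Decide whether a client may roam from profile src to profile dst.

    blocking:      non-exception settings present in only one profile; any
                   such setting denies the roam (aaa-override in PP2).
    applied:       exception settings that differ and are taken from dst.
    vlan_retained: True when the VLAN differs; the client keeps its VLAN/IP.
    """
    src_name, src = parse_policy_profile(src_text)
    dst_name, dst = parse_policy_profile(dst_text)
    differing = src ^ dst  # settings not identical in both profiles
    blocking = sorted(s for s in differing if not is_exempt(s))
    exempt_diffs = sorted(s for s in differing if is_exempt(s))
    return {
        "src": src_name, "dst": dst_name,
        "allowed": not blocking,
        "blocking": blocking,
        "applied": [s for s in exempt_diffs if s in dst and not s.startswith("vlan")],
        "vlan_retained": any(s.split()[0] == "vlan" for s in exempt_diffs),
    }


class RoamCounters:
    """Mirror of the two counters shown by
    'show wireless stats client detail | in Roam'."""
    def __init__(self):
        self.total = 0  # Total Roam Across Policy Profiles
        self.deny = 0   # Roam across policy profile deny

    def record(self, decision):
        self.total += 1           # incremented on every attempt
        if not decision["allowed"]:
            self.deny += 1        # incremented only when the roam is denied
        return decision


if __name__ == "__main__":
    stats = RoamCounters()
    for dst in (PP2, PP3):
        d = stats.record(roam_decision(PP1, dst))
        verdict = "allowed" if d["allowed"] else f"denied ({', '.join(d['blocking'])})"
        print(f"{d['src']} -> {d['dst']}: {verdict}")
    print(f"Total Roam Across Policy Profiles : {stats.total}")
    print(f"Roam across policy profile deny   : {stats.deny}")
```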

Configuring Client Roaming Across Policy Profile

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wireless client vlan-persistent
Example:
Device(config)# wireless client vlan-persistent
Purpose: Enables client roaming across different policy profiles.

Step 3
Command or Action: end
Example:
Device(config)# end
Purpose: Returns to privileged EXEC mode.

Verifying Client Roaming Across Policy Profiles
The following shows the client roaming from policy profile PP1 configured with VLAN 42 to policy profile PP2 configured with VLAN 43.
The following is the sample output of the show wireless client mac-address xxxx.xxxx.xxxx detail command that shows the client is connected to policy profile PP1.

Device# show wireless client mac-address xxxx.xxxx.xxxx detail

Client MAC Address : xxxx.xxxx.xxxx

Client MAC Type : Universally Administered Address

Client IPv4 Address : 169.254.189.170

Client Username : cisco

AP MAC Address : xxxx.xxxx.xxxx

AP Name: vinks_ios

AP slot : 1

Client State : Associated

Policy Profile : PP1

Flex Profile : N/A

Wireless LAN Id: 3

WLAN Profile Name: prateekk_dot1x

Wireless LAN Network Name (SSID): prateekk_dot1x

BSSID : 0081.c4f6.6bfb

Connected For : 688 seconds

Protocol : 802.11ac

Channel : 161

Client IIF-ID : 0xa0000001

Association Id : 1

Authentication Algorithm : Open System

Idle state timeout : N/A

Re-Authentication Timeout : 1800 sec (Remaining time: 1112 sec)

Session Warning Time : Timer not running

Input Policy Name : client-default

Input Policy State : Installed

Input Policy Source : QOS Internal Policy

Output Policy Name : client-default

Output Policy State : Installed

Output Policy Source : QOS Internal Policy

WMM Support : Enabled

U-APSD Support : Enabled

U-APSD value : 0

APSD ACs : BK, BE, VI, VO

Fastlane Support : Disabled

Client Active State : Active

Power Save : OFF

Current Rate : m8 ss1

Supported Rates : 9.0,18.0,36.0,48.0,54.0

Mobility:
  Move Count                  : 0
  Mobility Role               : Local
  Mobility Roam Type          : None
  Mobility Complete Timestamp : 07/13/2020 02:00:22 UTC

Client Join Time:

Join Time Of Client : 07/13/2020 02:00:22 UTC

Client State Servers : None


Client ACLs : None

Policy Manager State: Run

Last Policy Manager State : IP Learn Complete

Client Entry Create Time : 688 seconds

Policy Type : WPA2

Encryption Cipher : CCMP (AES)

Authentication Key Management : 802.1x

User Defined (Private) Network : Disabled

User Defined (Private) Network Drop Unicast : Disabled

Encrypted Traffic Analytics : No

Protected Management Frame - 802.11w : No

EAP Type : EAP-FAST

VLAN Override after Webauth : No

VLAN : 42

Multicast VLAN : 0

WiFi Direct Capabilities:
  WiFi Direct Capable : No

Central NAT : DISABLED

Session Manager:
  Point of Attachment : capwap_90400006
  IIF ID              : 0x90400006
  Authorized          : TRUE
  Session timeout     : 1800
  Common Session ID   : 3C2A09090000000E45E6D59E
  Acct Session ID     : 0x00000000
  Last Tried Aaa Server Details:
    Server IP         : 9.10.8.247
  Auth Method Status List
    Method            : Dot1x
    SM State          : AUTHENTICATED
    SM Bend State     : IDLE
  Local Policies:
    Service Template  : wlan_svc_PP1_local (priority 254)
    VLAN              : 42
    Absolute-Timer    : 1800
  Server Policies:
  Resultant Policies:
    VLAN Name         : VLAN0042
    VLAN              : 42
    Absolute-Timer    : 1800

DNS Snooped IPv4 Addresses : None

DNS Snooped IPv6 Addresses : None

Client Capabilities

CF Pollable : Not implemented

CF Poll Request : Not implemented

Short Preamble : Not implemented

PBCC : Not implemented

Channel Agility : Not implemented

Listen Interval : 0

Fast BSS Transition Details :

Reassociation Timeout : 0

11v BSS Transition : Not implemented

11v DMS Capable : No

QoS Map Capable : No

FlexConnect Data Switching : N/A

FlexConnect Dhcp Status : N/A

FlexConnect Authentication : N/A

FlexConnect Central Association : N/A

Client Statistics:

Number of Bytes Received from Client : 19442

Number of Bytes Sent to Client : 3863

Number of Packets Received from Client : 197

Number of Packets Sent to Client : 36

Number of Policy Errors : 0


Radio Signal Strength Indicator : -39 dBm

Signal to Noise Ratio : 55 dB

Fabric status : Disabled

Radio Measurement Enabled Capabilities

Capabilities: None

Client Scan Report Time : Timer not running

Client Scan Reports

Assisted Roaming Neighbor List

Nearby AP Statistics:

EoGRE : Pending Classification

Device Type  : Apple-Device
Device Name  : APPLE, INC.
Protocol Map : 0x000001 (OUI)

Max Client Protocol Capability: 802.11ac Wave 2

Cellular Capability : N/A

Apple Specific Requests(ASR) Capabilities/Statistics Summary

Regular ASR support: : DISABLED

The following is the sample output of the show wireless client mac-address xxxx.xxxx.xxxx detail command after client has roamed to a policy profile PP2.

Client MAC Address : xxxx.xxxx.xxxx

Client MAC Type : Universally Administered Address

Client IPv4 Address : 9.9.42.236

Client Username : cisco

AP MAC Address : xxxx.xxxx.xxxx

AP Name: prateekk_cos_1

AP slot : 1

Client State : Associated

Policy Profile : PP2

Flex Profile : N/A

Wireless LAN Id: 3

WLAN Profile Name: prateekk_dot1x

Wireless LAN Network Name (SSID): prateekk_dot1x

BSSID : a0f8.4985.0029

Connected For : 11 seconds

Protocol : 802.11ac

Channel : 36

Client IIF-ID : 0xa0000001

Association Id : 1

Authentication Algorithm : Open System

Idle state timeout : N/A

Re-Authentication Timeout : 1800 sec (Remaining time: 1789 sec)

Session Warning Time : Timer not running

Input Policy Name : client-default

Input Policy State : Installed

Input Policy Source : QOS Internal Policy

Output Policy Name : client-default

Output Policy State : Installed

Output Policy Source : QOS Internal Policy

WMM Support : Enabled

U-APSD Support : Enabled

U-APSD value : 0

APSD ACs : BK, BE, VI, VO

Fastlane Support : Disabled

Client Active State : Active

Power Save : OFF

Current Rate : m9 ss3

Supported Rates : 9.0,18.0,36.0,48.0,54.0

Mobility:
  Move Count                  : 0
  Mobility Role               : Local
  Mobility Roam Type          : L2
  Mobility Complete Timestamp : 07/13/2020 02:12:19 UTC


Client Join Time:

Join Time Of Client : 07/13/2020 02:12:19 UTC

Client State Servers : None

Client ACLs : None

Policy Manager State: Run

Last Policy Manager State : IP Learn Complete

Client Entry Create Time : 728 seconds

Policy Type : WPA2

Encryption Cipher : CCMP (AES)

Authentication Key Management : 802.1x

User Defined (Private) Network : Disabled

User Defined (Private) Network Drop Unicast : Disabled

Encrypted Traffic Analytics : No

Protected Management Frame - 802.11w : No

EAP Type : EAP-FAST

VLAN Override after Webauth : No

VLAN : 43

Multicast VLAN : 0

WiFi Direct Capabilities:
  WiFi Direct Capable : No

Central NAT : DISABLED

Session Manager:
  Point of Attachment : capwap_90000005
  IIF ID              : 0x90000005
  Authorized          : TRUE
  Session timeout     : 1800
  Common Session ID   : 3C2A09090000000E45E6D59E
  Acct Session ID     : 0x00000000
  Last Tried Aaa Server Details:
    Server IP         : 9.10.8.247
  Auth Method Status List
    Method            : Dot1x
    SM State          : AUTHENTICATED
    SM Bend State     : IDLE
  Local Policies:
    Service Template  : vlan-42-template (priority 200)
    VLAN              : 42
    Service Template  : wlan_svc_PP2_local (priority 254)
    Absolute-Timer    : 1800
  Server Policies:
  Resultant Policies:
    VLAN Name         : VLAN0042
    VLAN              : 42
    Absolute-Timer    : 1800

DNS Snooped IPv4 Addresses : None

DNS Snooped IPv6 Addresses : None

Client Capabilities

CF Pollable : Not implemented

CF Poll Request : Not implemented

Short Preamble : Not implemented

PBCC : Not implemented

Channel Agility : Not implemented

Listen Interval : 0

Fast BSS Transition Details :

Reassociation Timeout : 0

11v BSS Transition : Not implemented

11v DMS Capable : No

QoS Map Capable : No

FlexConnect Data Switching : N/A

FlexConnect Dhcp Status : N/A

FlexConnect Authentication : N/A

FlexConnect Central Association : N/A

Client Statistics:

Number of Bytes Received from Client : 23551


Number of Bytes Sent to Client : 12588

Number of Packets Received from Client : 239

Number of Packets Sent to Client : 71

Number of Policy Errors : 0

Radio Signal Strength Indicator : -28 dBm

Signal to Noise Ratio : 60 dB

Fabric status : Disabled

Radio Measurement Enabled Capabilities

Capabilities: None

Client Scan Report Time : Timer not running

Client Scan Reports

Assisted Roaming Neighbor List

Nearby AP Statistics:
  prateekk_cos_1 (slot 1)
    antenna 0: 13 s ago ........ -25 dBm
    antenna 1: 13 s ago ........ -25 dBm

EoGRE : No/Simple client

Device Type  : Apple-Device
Device Name  : APPLE, INC.
Protocol Map : 0x000001 (OUI)
Protocol     : DHCP
Type         : 0 0
Data         : 00

Max Client Protocol Capability: 802.11ac Wave 2
Cellular Capability : N/A
Apple Specific Requests(ASR) Capabilities/Statistics Summary
Regular ASR support: : DISABLED

The following is the sample output of the show wireless stats client detail command, which shows that a client roam across policy profiles was attempted and was not denied.

Device# show wireless stats client detail | in Roam

Total Roam Across Policy Profiles : 1
Roam across policy profile deny   : 0


CHAPTER 162

Network Access Server Identifier

· Information About Network Access Server Identifier, on page 1597
· Creating a NAS ID Policy (GUI), on page 1598
· Creating a NAS ID Policy, on page 1598
· Attaching a Policy to a Tag (GUI), on page 1599
· Attaching a Policy to a Tag (CLI), on page 1599
· Verifying the NAS ID Configuration, on page 1600

Information About Network Access Server Identifier

The network access server identifier (NAS-ID) identifies the source of a RADIUS access request, which enables the RADIUS server to choose a policy for that request. You can configure one on each WLAN profile, VLAN interface, or access point group. The controller sends the NAS-ID to the RADIUS server in the authentication request so that users can be classified into different groups, which enables the RADIUS server to send a customized authentication response.

Note The acct-session-id is sent with the RADIUS access request only when accounting is enabled on the policy profile.

If you configure a NAS-ID for an AP group, it overrides the NAS-ID that is configured for a WLAN profile or the VLAN interface. Similarly, if you configure a NAS-ID for a WLAN profile, it overrides the NAS-ID that is configured for the VLAN interface. The following options can be configured for a NAS ID:

· sys-name (System Name)
· sys-ip (System IP Address)
· sys-mac (System MAC Address)
· ap-ip (AP's IP address)
· ap-name (AP's Name)
· ap-mac (AP's MAC Address)
· ap-eth-mac (AP's Ethernet MAC Address)
· ap-policy-tag (AP's policy tag name)
· ap-site-tag (AP's site tag name)
· ssid (SSID Name)
· ap-location (AP's Location)

Creating a NAS ID Policy (GUI)

Procedure

Step 1 Choose Configuration > Security > Wireless AAA Policy.
Step 2 On the Wireless AAA Policy page, click the name of the Policy or click Add to create a new one.
Step 3 In the Add/Edit Wireless AAA Policy window that is displayed, enter the name of the policy in the Policy Name field.
Step 4 Choose one of the NAS ID options from the Option 1 drop-down list.
Step 5 Choose one of the NAS ID options from the Option 2 drop-down list.
Step 6 Choose one of the NAS ID options from the Option 3 drop-down list.
Step 7 Save the configuration.

Creating a NAS ID Policy

Follow the procedure given below to create a NAS ID policy:

Before you begin
· A NAS ID can be a combination of multiple NAS ID options; the maximum is limited to three options.
· The maximum length of the NAS ID attribute is 253. Before adding a new attribute, the attribute buffer is checked, and if there is not sufficient space, the new attribute is ignored.
· By default, a wireless AAA policy (default-aaa-policy) is created with the default configuration (sys-name). You can update this policy with various NAS ID options. However, the default-aaa-policy cannot be deleted.
· If a NAS ID is not configured, the default sys-name is used as the NAS ID for all wireless-specific RADIUS packets (authentication and accounting) from the controller.

Procedure

Step 1: configure terminal
    Example: Device# configure terminal
    Purpose: Enters global configuration mode.

Step 2: wireless aaa policy policy-name
    Example: Device(config)# wireless aaa policy test
    Purpose: Configures a new AAA policy.

Step 3: nas-id option1 sys-name
    Example: Device(config-aaa-policy)# nas-id option1 sys-name
    Purpose: Configures NAS ID for option1.

Step 4: nas-id option2 sys-ip
    Example: Device(config-aaa-policy)# nas-id option2 sys-ip
    Purpose: Configures NAS ID for option2.

Step 5: nas-id option3 sys-mac
    Example: Device(config-aaa-policy)# nas-id option3 sys-mac
    Purpose: Configures NAS ID for option3.
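The NAS ID composition rules from "Before you begin" and the three-option policy configured above, modelled as an added Python example (this is not Cisco code). The separator character and the sample attribute values are assumptions of the example; the option keywords and the 253-byte limit are the ones stated in the guide.

```python
"""Composition of the RADIUS NAS-Identifier from a NAS ID policy, following the rules in
this section: up to three options (option1..option3), a 253-byte attribute limit, a buffer
check that ignores (rather than truncates) an option that does not fit, and sys-name as the
default when no policy is configured.

Added example, not Cisco code. The separator character and the sample attribute values are
assumptions of this example; the option keywords are the ones listed in the guide.
"""
from typing import Dict, Sequence

NAS_ID_MAX_LEN = 253     # maximum length of the NAS ID attribute (from the guide)
MAX_OPTIONS = 3          # nas-id option1, option2, option3

# Option keywords listed in the guide and what each resolves to.
NAS_ID_OPTIONS = {
    "sys-name": "System Name", "sys-ip": "System IP Address", "sys-mac": "System MAC Address",
    "ap-ip": "AP IP address", "ap-name": "AP Name", "ap-mac": "AP MAC Address",
    "ap-eth-mac": "AP Ethernet MAC Address", "ap-policy-tag": "AP policy tag name",
    "ap-site-tag": "AP site tag name", "ssid": "SSID Name", "ap-location": "AP Location",
}


def build_nas_id(policy_options: Sequence[str], context: Dict[str, str], separator: str = ":") -> str:
    """Return the NAS-Identifier value for one RADIUS request.

    policy_options: the option keywords of the AAA policy in option1..option3 order;
                    an empty list means no NAS ID is configured (default sys-name).
    context:        resolved attribute values for this controller/AP/WLAN.
    separator:      joins the parts; ":" is an assumption of this example.
    """
    if len(policy_options) > MAX_OPTIONS:
        raise ValueError(f"a NAS ID policy allows at most {MAX_OPTIONS} options")
    unknown = [o for o in policy_options if o not in NAS_ID_OPTIONS]
    if unknown:
        raise ValueError(f"unknown NAS ID option(s): {unknown}")
    if not policy_options:
        policy_options = ["sys-name"]          # default-aaa-policy behaviour

    buf = ""
    for option in policy_options:
        value = context.get(option, "")
        if not value:
            continue                           # attribute not resolvable for this request
        candidate = value if not buf else buf + separator + value
        # Buffer check: an attribute that would push the NAS ID past 253 bytes is ignored whole.
        if len(candidate.encode("utf-8")) > NAS_ID_MAX_LEN:
            continue
        buf = candidate
    return buf


# Constructed sample attribute values for one controller/AP/WLAN.
SAMPLE_CONTEXT = {
    "sys-name": "WLC-9800-1",
    "sys-ip": "192.0.2.10",
    "sys-mac": "00:11:22:33:44:55",
    "ap-name": "AP-Floor2-07",
    "ssid": "corp-wifi",
    "ap-location": "x" * 250,                  # deliberately long to trigger the buffer check
}

if __name__ == "__main__":
    print(build_nas_id(["sys-name", "sys-ip", "sys-mac"], SAMPLE_CONTEXT))    # policy from the CLI procedure
    print(build_nas_id([], SAMPLE_CONTEXT))                                   # no policy: default sys-name
    print(build_nas_id(["sys-name", "ap-location", "ssid"], SAMPLE_CONTEXT))  # ap-location does not fit
```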

Attaching a Policy to a Tag (GUI)
Procedure

Step 1  Choose Configuration > Tags & Profiles > Tags, and click the Policy tab.
Step 2  Click Add to view the Add Policy Tag window.
Step 3  Enter a name and description for the policy tag.
Step 4  Click Add to map a WLAN profile to a Policy profile.
Step 5  Choose the WLAN Profile to map with the appropriate Policy Profile, and click the tick icon.
Step 6  Click Save & Apply to Device.

Attaching a Policy to a Tag (CLI)
Follow the procedure given below to attach a NAS ID policy to a tag:

Procedure

Step 1: configure terminal
    Example: Device# configure terminal
    Purpose: Enters global configuration mode.

Step 2: wireless profile policy policy-name
    Example: Device(config)# wireless profile policy test1
    Purpose: Configures a WLAN policy profile.

Step 3: aaa-policy aaa-policy-name
    Example: Device(config-wireless-policy)# aaa-policy policy-aaa
    Purpose: Configures an AAA policy profile.

Step 4: exit
    Example: Device(config-wireless-policy)# exit
    Purpose: Returns to global configuration mode.

Step 5: wireless tag policy policy-tag
    Example: Device(config)# wireless tag policy policy-tag1
    Purpose: Configures a wireless policy tag.

Step 6: wlan wlan1 policy policy-name
    Example: Device(config)# wlan wlan1 policy test1
    Purpose: Maps a WLAN profile to a policy profile.

Note: You can also use the ap-tag option to configure a NAS ID for an AP group, which overrides the NAS ID that is configured for a WLAN profile or the VLAN interface.

Verifying the NAS ID Configuration

Use the following show command to verify the NAS ID configuration:
Device# show wireless profile policy detailed test1

Policy Profile Name   : test1
Description           :
Status                : ENABLED
VLAN                  : 1
Client count          : 0
AAA Policy Params
  AAA Override        : DISABLED
  NAC                 : DISABLED
  AAA Policy name     : test

CHAPTER 163
DHCP for WLANs
· Information About Dynamic Host Configuration Protocol, on page 1603
· Restrictions for Configuring DHCP for WLANs, on page 1606
· Guidelines for DHCP Relay Configuration, on page 1606
· How to Configure DHCP for WLANs, on page 1607
· Configuring the Internal DHCP Server, on page 1609
· Configuring DHCP-Required for FlexConnect, on page 1619
Information About Dynamic Host Configuration Protocol
You can configure WLANs to use the same or different Dynamic Host Configuration Protocol (DHCP) servers or no DHCP server. Two types of DHCP servers are available: internal and external.
Internal DHCP Servers
The device contains an internal DHCP server. This server is typically used in branch offices that do not have a DHCP server. Such a wireless network generally contains 10 APs or fewer, with the APs on the same IP subnet as the device. The internal server provides DHCP addresses to wireless clients, direct-connect APs, and DHCP requests that are relayed from APs. Only lightweight APs are supported. If you want to use the internal DHCP server, ensure that you configure an SVI for the client VLAN, and set the IP address as the DHCP server IP address.
DHCP option 43 is not supported on the internal server. Therefore, the APs must use an alternative method to locate the management interface IP address of the device, such as local subnet broadcast, Domain Name System (DNS), or priming.
When clients use the internal DHCP server of the device, IP addresses are not preserved across reboots. As a result, multiple clients can be assigned the same IP address. To resolve any IP address conflicts, clients must release their existing IP address and request a new one.
Wired guest clients are always on a Layer 2 network connected to a local or foreign device.
Note
· VRF is not supported in the internal DHCP servers.
· DHCPv6 is not supported in the internal DHCP servers.

General Guidelines
· The internal DHCP server serves both wireless clients and wired clients (wired clients include APs).
· To serve wireless clients with the internal DHCP server, a unicast DHCP server IP address must be configured for the wireless clients. The internal DHCP server IP address must be configured under the server-facing interface, which can be a loopback interface, an SVI interface, or an L3 physical interface.
· To use the internal DHCP server for both the wireless and wired client VLAN, an IP address must be configured under the client VLAN SVI interface.
· For wireless clients, in the DHCP helper address configuration, the IP address of the internal DHCP server must be different from the address of the wireless client VLAN SVI interface.
· For wireless clients with internal DHCP server support, the internal DHCP server can be configured using the global configuration command, under the client VLAN SVI interface, or under the wireless policy profile.
· An internal DHCP server pool can also serve clients of other controllers.
External DHCP Servers
The operating system is designed to appear as a DHCP relay to the network and as a DHCP server to clients, with industry-standard external DHCP servers that support DHCP relay. This means that each controller appears as a DHCP relay agent to the DHCP server, and as a DHCP server at the virtual IP address to wireless clients. Because the controller captures the client IP address that is obtained from a DHCP server, it maintains the same IP address for that client during intra-controller, inter-controller, and inter-subnet client roaming.

Note: External DHCP servers support DHCPv6.
DHCP Assignments
You can configure DHCP on a per-interface or per-WLAN basis. We recommend that you use the primary DHCP server address that is assigned to a particular interface. You can assign DHCP servers for individual interfaces. You can configure the management interface, AP manager interface, and dynamic interface for a primary and secondary DHCP server, and configure the service-port interface to enable or disable DHCP servers. You can also define a DHCP server on a WLAN (in this case, the server overrides the DHCP server address on the interface assigned to the WLAN).

Security Considerations
For enhanced security, we recommend that you require all clients to obtain their IP addresses from a DHCP server. To enforce this requirement, you can configure all the WLANs with the DHCP Address Assignment Required setting, which disallows client static IP addresses. If DHCP Address Assignment Required is selected, clients must obtain an IP address through DHCP. Any client with a static IP address is not allowed on the network. The controller monitors DHCP traffic because it acts as a DHCP proxy for the clients.

Note
· WLANs that support management over wireless must allow management (device-servicing) clients to obtain an IP address from a DHCP server.
· The operating system is designed to appear as a DHCP relay to the network and as a DHCP server to clients with industry-standard external DHCP servers that support DHCP relay. This means that each controller appears as a DHCP relay to the DHCP server and as a DHCP server at the virtual IP address to wireless clients.

You can create WLANs with DHCP Address Assignment Required disabled. If you do this, clients have the option of using a static IP address or obtaining an IP address from a designated DHCP server. However, note that this might compromise security.

Note: DHCP Address Assignment Required is not supported for wired guest LANs.
You can create separate WLANs with DHCP Address Assignment Required configured as disabled. This is applicable only if DHCP proxy is enabled for the controller. You must not define a primary or secondary DHCP server; instead, disable the DHCP proxy. These WLANs drop all DHCP requests and force clients to use a static IP address. These WLANs do not support management over wireless connections.
DHCP Option 82
DHCP option 82 provides additional security when DHCP is used to allocate network addresses. It enables the controller to act as a DHCP relay agent to prevent DHCP client requests from untrusted sources. You can configure the controller to add option 82 information to DHCP requests from clients before forwarding the requests to the DHCP server.

Figure 40: DHCP Option 82

The AP forwards all the DHCP requests from a client to the controller. The controller adds the DHCP option 82 payload and forwards the request to the DHCP server. The payload can contain the MAC address or the MAC address and SSID of the AP, depending on how you configure this option.
Note: DHCP packets that already include a relay agent option are dropped at the controller. For DHCP option 82 to operate correctly, DHCP proxy must be enabled.
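The controller-side option 82 handling described above (append a relay agent information option carrying the AP MAC, optionally with the SSID, and drop client requests that already carry option 82), as an added Python example that is not Cisco code. The packet contents, AP MAC, SSID and the 2-byte remote-id value are constructed samples; the sub-option codes are the RFC 3046 ones.

```python
"""Controller-side DHCP option 82 handling described in this section, as a standalone model.

Added example, not Cisco code. Two rules from the text are implemented: an RFC 3046
relay-agent-information option (circuit-id = AP MAC, optionally followed by the SSID, plus a
remote-id) is appended to a client request before it is forwarded, and a client request that
already carries option 82 is dropped. All packet contents below are constructed samples.
"""
import struct
from typing import List, Optional, Tuple

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_RELAY_AGENT_INFO, OPT_END = 0, 53, 82, 255
SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID = 1, 2          # RFC 3046 sub-option codes
DHCPDISCOVER = 1


def parse_options(options: bytes) -> List[Tuple[int, bytes]]:
    """Walk the TLV option area up to END. PAD has no length byte; truncation is an error."""
    out, i = [], 0
    while i < len(options):
        code = options[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        out.append((code, value))
        i += 2 + length
    return out


def build_option82(ap_mac: bytes, ssid: Optional[str], remote_id: bytes, ascii_format: bool) -> bytes:
    """Encode option 82. circuit-id carries the AP MAC (binary, or colon-separated ASCII when the
    policy profile has 'ipv4 dhcp opt82 ascii'), followed by the SSID when configured; remote-id is
    passed through (the constructed 2-byte value used in the demo stands in for a Cisco 2-byte RID)."""
    mac_part = ":".join(f"{b:02x}" for b in ap_mac).encode() if ascii_format else ap_mac
    circuit_id = mac_part + (ssid.encode() if ssid else b"")
    sub = bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
    sub += bytes([SUBOPT_REMOTE_ID, len(remote_id)]) + remote_id
    if len(sub) > 255:
        raise ValueError("option 82 payload too long")
    return bytes([OPT_RELAY_AGENT_INFO, len(sub)]) + sub


def relay_client_request(packet: bytes, ap_mac: bytes, ssid: Optional[str],
                         remote_id: bytes, ascii_format: bool = False) -> Optional[bytes]:
    """Return the request to forward to the DHCP server, or None when the controller drops it."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    options = parse_options(packet[240:])
    if any(code == OPT_RELAY_AGENT_INFO for code, _ in options):
        return None        # relay information already present: untrusted source, drop at controller
    rebuilt = b"".join(bytes([c, len(v)]) + v for c, v in options)
    opt82 = build_option82(ap_mac, ssid, remote_id, ascii_format)
    return packet[:240] + rebuilt + opt82 + bytes([OPT_END])


def build_discover(client_mac: bytes, xid: int, extra_options: bytes = b"") -> bytes:
    """Constructed minimal DHCPDISCOVER: RFC 2131 fixed header (236 bytes), cookie, options."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, 0, xid, 0, 0x8000,   # BOOTREQUEST, Ethernet, hlen 6, broadcast flag
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return header + MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER]) + extra_options + bytes([OPT_END])


if __name__ == "__main__":
    ap = bytes.fromhex("001122334455")        # constructed AP radio MAC
    client = bytes.fromhex("0a1b2c3d4e5f")    # constructed client MAC
    fwd = relay_client_request(build_discover(client, 0x1234), ap, "corp-wifi", b"\x00\x01")
    print(dict(parse_options(fwd[240:]))[OPT_RELAY_AGENT_INFO].hex())
    print(relay_client_request(build_discover(client, 1, bytes([82, 2, 1, 0])), ap, None, b"\x00\x01"))
```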
Restrictions for Configuring DHCP for WLANs
· If you override the DHCP server in a WLAN, you must ensure that you configure the underlying Cisco IOS configuration to make sure that the DHCP server is reachable.
· WLAN DHCP override works only if DHCP service is enabled on the controller. You can configure DHCP service in either of the following ways:
  · Configuring the DHCP pool on the controller.
  · Configuring a DHCP relay agent on the SVI. Note that the VLAN of the SVI must be mapped to the WLAN where DHCP override is configured.
Guidelines for DHCP Relay Configuration
Relay Agent Source IP
· If you configure a source interface VLAN in the SVI interface, the IP address of the VLAN interface configured as the source is used.
· If the Relay Agent source IP is not mentioned, the IP address of the SVI interface created for the corresponding client's VLAN is used.
· If the Relay Agent source IP is not mentioned, the source address specified at the global level is used.
Note
· The DHCP packets are sourced from the IP address of the Wireless Management Interface (WMI), if VLAN is not configured in the policy profile and AAA override.
· The SVI interface configuration is mandatory to achieve the DHCP relay functionality in central DHCP or local switching.
· Even though many interface options are available in the ip dhcp relay source-interface <> command, only VLAN interface is applicable.

DHCP Server
· If the DHCP server address is configured in the wireless policy profile, the server address configured in the policy profile takes precedence.
· If the DHCP server address is not configured in the policy profile, the server address configured in SVI takes precedence.

Note: You can configure two server addresses in the SVI. In this case, the DHCP packets from the client are sent to both the servers.
The Option 82 configured in policy profile, SVI, and globally is considered and honoured together.

How to Configure DHCP for WLANs

Configuring DHCP Scopes (GUI)
Procedure

Step 1  Choose Administration > DHCP Pools.
Step 2  In the Pools section, click Add to add a new DHCP pool.
        The Create DHCP Pool dialog box is displayed.
Step 3  In the DHCP Pool Name field, enter a name for the new DHCP pool.
Step 4  From the IP Type drop-down list, choose the IP address type.
Step 5  In the Network field, enter the network served by this DHCP scope. This IP address is used by the management interface with the netmask applied, as configured in the Interfaces window.
Step 6  In the Subnet Mask field, enter the subnet mask assigned to all the wireless clients.
Step 7  In the Starting ip field, enter the starting IP address.
Step 8  In the Ending ip field, enter the trailing IP address.
Step 9  Enable or disable the Reserved Only option.
Step 10 From the Lease drop-down list, choose the lease type as either User Defined or Never Expires. If you choose User Defined, you can enter the amount of time for which an IP address is granted to a client.
Step 11 To perform advanced configuration for the DHCP scope, click Advanced.
Step 12 Check the Enable DNS Proxy check box to enable DNS proxy.
Step 13 In the Default Router(s) field, enter the IP address of the optional router or routers that connect to the device and click the + icon to add them to the list. Each router must include a DHCP forwarding agent that enables a single device to serve the clients of multiple devices.
Step 14 In the DNS Server(s) field, enter the IP address of the optional DNS server or servers and click the + icon to add them to the list. Each DNS server must be able to update a client's DNS entry to match the IP address assigned by the DHCP scope.
Step 15 In the NetBios Name Server(s) field, enter the IP address of the optional Microsoft NetBIOS name server or servers, such as a Microsoft Windows Internet Naming Service (WINS) server, and click the + icon to add them to the list.
Step 16 In the Domain field, enter the optional domain name of the DHCP scope for use with one or more DNS servers.
Step 17 To add DHCP options, click Add in the DHCP Options List section. DHCP provides an internal framework for passing configuration parameters and other control information, such as DHCP options, to the clients on your network. DHCP options carry parameters as tagged data stored within protocol messages exchanged between the DHCP server and its clients.
Step 18 Enter the DHCP option that you want to add.
Step 19 Click Save & Apply to Device.

Configuring DHCP Scopes (CLI)

Procedure

Step 1: configure terminal
    Example: Device# configure terminal
    Purpose: Enters global configuration mode.

Step 2: ip dhcp pool pool-name
    Example: Device(config)# ip dhcp pool test-pool
    Purpose: Configures the DHCP pool address.

Step 3: network network-name mask-address
    Example: Device(dhcp-config)# network 209.165.200.224 255.255.255.0
    Purpose: Specifies the network number in dotted-decimal notation and the mask address.

Step 4: dns-server hostname
    Example: Device(dhcp-config)# dns-server example.com
    Purpose: Specifies the DNS name server. You can specify an IP address or a hostname.

Step 5: end
    Example: Device(dhcp-config)# end
    Purpose: Returns to privileged EXEC mode.

Configuring the Internal DHCP Server

Configuring the Internal DHCP Server Under Client VLAN SVI (GUI)
Procedure

Step 1  Choose Configuration > Layer2 > VLAN > SVI.
Step 2  Click an SVI.
Step 3  Click the Advanced tab.
Step 4  Under DHCP Relay settings, enter the IPV4 Helper Address.
Step 5  Click Update & Apply to Device.

Configuring the Internal DHCP Server Under Client VLAN SVI (CLI)
Before you begin
· For wireless clients, only two DHCP servers are supported.
· To use the internal DHCP server for both wireless and wired client VLAN, an IP address must be configured under the client VLAN SVI.
· For wireless clients, the IP address of the internal DHCP server must be different from the address of the wireless client VLAN SVI (in the DHCP helper address configuration).
· For wireless clients, the internal DHCP server can be configured under the client VLAN SVI or under the wireless policy profile.

Procedure

Step 1: configure terminal
    Example: Device# configure terminal
    Purpose: Enters global configuration mode.

Step 2: interface loopback interface-number
    Example: Device(config)# interface Loopback0
    Purpose: Creates a loopback interface and enters interface configuration mode.

Step 3: ip address ip-address
    Example: Device(config-if)# ip address 10.10.10.1 255.255.255.255
    Purpose: Configures the IP address for the interface.

Step 4: exit
    Example: Device(config-if)# exit
    Purpose: Exits interface configuration mode.

Step 5: interface vlan vlan-id
    Example: Device(config)# interface vlan 32
    Purpose: Configures the VLAN ID.

Step 6: ip address ip-address
    Example: Device(config-if)# ip address 192.168.32.100 255.255.255.0
    Purpose: Configures the IP address for the interface.

Step 7: ip helper-address ip-address
    Example: Device(config-if)# ip helper-address 10.10.10.1
    Purpose: Configures the destination address for UDP broadcasts.
    Note: If the IP address used in the ip helper-address command is an internal address of the controller, an internal DHCP server is used. Otherwise, the external DHCP server is used.

Step 8: no mop enabled
    Example: Device(config-if)# no mop enabled
    Purpose: Disables the Maintenance Operation Protocol (MOP) for an interface.

Step 9: no mop sysid
    Example: Device(config-if)# no mop sysid
    Purpose: Disables the task of sending MOP periodic system ID messages.

Step 10: exit
    Example: Device(config-if)# exit
    Purpose: Exits interface configuration mode.

Step 11: ip dhcp excluded-address ip-address
    Example: Device(config)# ip dhcp excluded-address 192.168.32.1
    Purpose: Specifies the IP address that the DHCP server should not assign to DHCP clients.

Step 12: ip dhcp excluded-address ip-address
    Example: Device(config)# ip dhcp excluded-address 192.168.32.100
    Purpose: Specifies the IP addresses that the DHCP server should not assign to DHCP clients.

Step 13: ip dhcp pool pool-name
    Example: Device(config)# ip dhcp pool pool-vlan32
    Purpose: Configures the DHCP pool address.

Step 14: network network-name mask-address
    Example: Device(dhcp-config)# network 192.168.32.0 255.255.255.0
    Purpose: Specifies the network number in dotted-decimal notation, along with the mask address.

Step 15: default-router ip-address
    Example: Device(dhcp-config)# default-router 192.168.32.1
    Purpose: Specifies the IP address of the default router for a DHCP client.

Step 16: exit
    Example: Device(dhcp-config)# exit
    Purpose: Exits DHCP configuration mode.

Step 17: wireless profile policy profile-policy
    Example: Device(config)# wireless profile policy default-policy-profile
    Purpose: Configures the WLAN policy profile and enters wireless policy configuration mode.

Step 18: central association
    Example: Device(config-wireless-policy)# central association
    Purpose: Configures central association for locally switched clients.

Step 19: central dhcp
    Example: Device(config-wireless-policy)# central dhcp
    Purpose: Configures central DHCP for locally switched clients.

Step 20: central switching
    Example: Device(config-wireless-policy)# central switching
    Purpose: Configures the WLAN for central switching.

Step 21: description policy-profile-name
    Example: Device(config-wireless-policy)# description "default policy profile"
    Purpose: Adds a description for the policy profile.

Step 22: vlan vlan-name
    Example: Device(config-wireless-policy)# vlan 32
    Purpose: Assigns the profile policy to the VLAN.

Step 23: no shutdown
    Example: Device(config-wireless-policy)# no shutdown
    Purpose: Enables the wireless profile policy.

Configuring the Internal DHCP Server Under a Wireless Policy Profile (GUI)
Procedure

Step 1  Choose Configuration > Tags & Profiles > Policy.
Step 2  Click a policy name.
Step 3  Click the Advanced tab.
Step 4  Under DHCP settings, check or uncheck the IPv4 DHCP Required check box and enter the DHCP Server IP Address.
Step 5  Click Update & Apply to Device.

Configuring the Internal DHCP Server Under a Wireless Policy Profile

Procedure

Step 1: configure terminal
    Example: Device# configure terminal
    Purpose: Enters global configuration mode.

Step 2: interface loopback interface-number
    Example: Device(config)# interface Loopback0
    Purpose: Creates a loopback interface and enters interface configuration mode.

Step 3: ip address ip-address
    Example: Device(config-if)# ip address 10.10.10.1 255.255.255.255
    Purpose: Configures the IP address for the interface.

Step 4: exit
    Example: Device(config-if)# exit
    Purpose: Exits interface configuration mode.

Step 5: interface vlan vlan-id
    Example: Device(config)# interface vlan 32
    Purpose: Configures the VLAN ID.

Step 6: ip address ip-address
    Example: Device(config-if)# ip address 192.168.32.100 255.255.255.0
    Purpose: Configures the IP address for the interface.

Step 7: no mop enabled
    Example: Device(config-if)# no mop enabled
    Purpose: Disables the Maintenance Operation Protocol (MOP) for an interface.

Step 8: no mop sysid
    Example: Device(config-if)# no mop sysid
    Purpose: Disables the task of sending MOP periodic system ID messages.

Step 9: exit
    Example: Device(config-if)# exit
    Purpose: Exits interface configuration mode.

Step 10: ip dhcp excluded-address ip-address
    Example: Device(config)# ip dhcp excluded-address 192.168.32.100
    Purpose: Specifies the IP address that the DHCP server should not assign to DHCP clients.

Step 11: ip dhcp pool pool-name
    Example: Device(config)# ip dhcp pool pool-vlan32
    Purpose: Configures the DHCP pool address.

Step 12: network network-name mask-address
    Example: Device(dhcp-config)# network 192.168.32.0 255.255.255.0
    Purpose: Specifies the network number in dotted-decimal notation along with the mask address.

Step 13: default-router ip-address
    Example: Device(dhcp-config)# default-router 192.168.32.1
    Purpose: Specifies the IP address of the default router for a DHCP client.

Step 14: exit
    Example: Device(dhcp-config)# exit
    Purpose: Exits DHCP configuration mode.

Step 15: wireless profile policy profile-policy
    Example: Device(config)# wireless profile policy default-policy-profile
    Purpose: Configures a WLAN policy profile and enters wireless policy configuration mode.

Step 16: central association
    Example: Device(config-wireless-policy)# central association
    Purpose: Configures central association for locally switched clients.

Step 17: central switching
    Example: Device(config-wireless-policy)# central switching
    Purpose: Configures local switching.

Step 18: description policy-profile-name
    Example: Device(config-wireless-policy)# description "default policy profile"
    Purpose: Adds a description for the policy profile.

Step 19: ipv4 dhcp opt82
    Example: Device(config-wireless-policy)# ipv4 dhcp opt82
    Purpose: Enables DHCP Option 82 for the wireless clients.

Step 20: ipv4 dhcp opt82 ascii
    Example: Device(config-wireless-policy)# ipv4 dhcp opt82 ascii
    Purpose: Enables ASCII on DHCP Option 82.

Step 21: ipv4 dhcp opt82 format vlan_id
    Example: Device(config-wireless-policy)# ipv4 dhcp opt82 format vlan32
    Purpose: Enables VLAN ID.

Step 22: ipv4 dhcp opt82 rid vlan_id
    Example: Device(config-wireless-policy)# ipv4 dhcp opt82 rid
    Purpose: Supports the addition of the Cisco 2-byte Remote ID (RID) for DHCP Option 82.

Step 23: ipv4 dhcp server ip-address
    Example: Device(config-wireless-policy)# ipv4 dhcp server 10.10.10.1
    Purpose: Configures the WLAN's IPv4 DHCP server.

Step 24: vlan vlan-name
    Example: Device(config-wireless-policy)# vlan 32
    Purpose: Assigns the profile policy to the VLAN.

Step 25: no shutdown
    Example: Device(config-wireless-policy)# no shutdown
    Purpose: Enables the wireless profile policy.

Configuring the Internal DHCP Server Globally (GUI)
Procedure

Step 1  Choose Administration > DHCP Pools > Pools.
Step 2  Click Add. The Create DHCP Pool window is displayed.
Step 3  Enter the DHCP Pool Name, Network, Starting ip, and Ending ip.
Step 4  From the IP Type, Subnet Mask, and Lease drop-down lists, choose a value.
Step 5  Click the Reserved Only toggle button.
Step 6  Click Apply to Device.

Configuring the Internal DHCP Server Globally (CLI)

Procedure

Step 1: configure terminal
    Example: Device# configure terminal
    Purpose: Enters global configuration mode.

Step 2: interface loopback interface-number
    Example: Device(config)# interface Loopback0
    Purpose: Creates a loopback interface and enters interface configuration mode.

Step 3: ip address ip-address
    Example: Device(config-if)# ip address 10.10.10.1 255.255.255.255
    Purpose: Configures the IP address for the interface.

Step 4: exit
    Example: Device(config-if)# exit
    Purpose: Exits interface configuration mode.

Step 5: interface vlan vlan-id
    Example: Device(config)# interface vlan 32
    Purpose: Configures the VLAN ID.

Step 6: ip address ip-address
    Example: Device(config-if)# ip address 192.168.32.100 255.255.255.0
    Purpose: Configures the IP address for the interface.

Step 7: no mop enabled
    Example: Device(config-if)# no mop enabled
    Purpose: Disables the Maintenance Operation Protocol (MOP) for an interface.

Step 8: no mop sysid
    Example: Device(config-if)# no mop sysid
    Purpose: Disables the task of sending the MOP periodic system ID messages.

Step 9: exit
    Example: Device(config-if)# exit
    Purpose: Exits the interface configuration mode.

Step 10: ip dhcp-server ip-address
    Example: Device(config)# ip dhcp-server 10.10.10.1
    Purpose: Specifies the target DHCP server parameters.

Step 11: ip dhcp excluded-address ip-address
    Example: Device(config)# ip dhcp excluded-address 192.168.32.100
    Purpose: Specifies the IP address that the DHCP server should not assign to DHCP clients.

Step 12: ip dhcp pool pool-name
    Example: Device(config)# ip dhcp pool pool-vlan32
    Purpose: Configures the DHCP pool address.

Step 13: network network-name mask-address
    Example: Device(dhcp-config)# network 192.168.32.0 255.255.255.0
    Purpose: Specifies the network number in dotted-decimal notation along with the mask address.

Step 14: default-router ip-address
    Example: Device(dhcp-config)# default-router 192.168.32.1
    Purpose: Specifies the IP address of the default router for a DHCP client.

Step 15: exit
    Example: Device(dhcp-config)# exit
    Purpose: Exits DHCP configuration mode.

Step 16: wireless profile policy profile-policy
    Example: Device(config)# wireless profile policy default-policy-profile
    Purpose: Configures a WLAN policy profile and enters wireless policy configuration mode.

Step 17: central association
    Example: Device(config-wireless-policy)# central association
    Purpose: Configures central association for locally switched clients.

Step 18: central dhcp
    Example: Device(config-wireless-policy)# central dhcp
    Purpose: Configures central DHCP for locally switched clients.

Step 19: central switching
    Example: Device(config-wireless-policy)# central switching
    Purpose: Configures local switching.

Step 20: description policy-profile-name
    Example: Device(config-wireless-policy)# description "default policy profile"
    Purpose: Adds a description for the policy profile.

Step 21: vlan vlan-name
    Example: Device(config-wireless-policy)# vlan 32
    Purpose: Assigns the profile policy to the VLAN.

Step 22: no shutdown
    Example: Device(config-wireless-policy)# no shutdown
    Purpose: Enables the profile policy.

Verifying Internal DHCP Configuration

To verify client binding, use the following command:
Device# show ip dhcp binding

Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type       State      Interface
                    Hardware address/
                    User name
192.168.32.3        0130.b49e.491a.53       Mar 23 2018 06:42 PM    Automatic  Active     Loopback0

To verify the DHCP relay statistics for a wireless client, use the following command:
Device# show wireless dhcp relay statistics

DHCP Relay Statistics
---------------------
DHCP Server IP : 10.10.10.1

Message                  Count
--------------------------
DHCPDISCOVER           : 1
BOOTP FORWARD          : 137
BOOTP REPLY            : 0
DHCPOFFER              : 0
DHCPREQUEST            : 54
DHCPACK                : 0
DHCPNAK                : 0
DHCPDECLINE            : 0
DHCPRELEASE            : 0
DHCPINFORM             : 82

Tx/Rx Time :
-----------
LastTxTime : 18:42:18
LastRxTime : 00:00:00

Drop Counter :
------------
TxDropCount : 0

To verify the DHCP packet punt statistics in CPP, use the following command:
Device# show platform hardware chassis active qfp feature wireless punt statistics

CPP Wireless Punt stats:

App Tag                                 Packet Count
------                                  ------------
CAPWAP_PKT_TYPE_DOT11_PROBE_REQ         14442
CAPWAP_PKT_TYPE_DOT11_MGMT              50
CAPWAP_PKT_TYPE_DOT11_IAPP              9447
CAPWAP_PKT_TYPE_DOT11_RFID              0
CAPWAP_PKT_TYPE_DOT11_RRM               0
CAPWAP_PKT_TYPE_DOT11_DOT1X             0
CAPWAP_PKT_TYPE_CAPWAP_KEEPALIVE        2191
CAPWAP_PKT_TYPE_MOBILITY_KEEPALIVE      0
CAPWAP_PKT_TYPE_CAPWAP_CNTRL            7034
CAPWAP_PKT_TYPE_CAPWAP_DATA             0
CAPWAP_PKT_TYPE_MOBILITY_CNTRL          0
WLS_SMD_WEBAUTH                         0
SISF_PKT_TYPE_ARP                       5292
SISF_PKT_TYPE_DHCP                      140
SISF_PKT_TYPE_DHCP6                     1213
SISF_PKT_TYPE_IPV6_ND                   350
SISF_PKT_TYPE_DATA_GLEAN                44
SISF_PKT_TYPE_DATA_GLEAN_V6             51
SISF_PKT_TYPE_DHCP_RELAY                122
CAPWAP_PKT_TYPE_CAPWAP_RESERVED         0

Configuring DHCP-Required for FlexConnect

Information About FlexConnect DHCP-Required
The DHCP-Required knob on a policy profile forces a connected wireless client to obtain its IP address from DHCP. When the client completes the DHCP process and acquires an IP address, the controller learns this IP address, and only then is the client traffic switched onto the network. The DHCP-Required feature is already supported in central switching.
In Cisco IOS XE Amsterdam 17.2.1, the feature is supported on FlexConnect local switching clients. Prior to Release 17.2.1, DHCP-Required was not enforced on FlexConnect local switching clients. The IP address learnt by the AP or the controller for the wireless client is tracked to create an IP-MAC binding. As part of this feature, when a FlexConnect local switching client roams from one AP to another in the same L2 network, the client need not perform DHCP again, because the controller tracks the IP address and pushes the binding to the AP the client has roamed to.
The FlexConnect DHCP-Required feature can be configured from open configuration models, the CLI, and the GUI. The CLI and GUI configurations are described in this chapter. For more information about the open configuration models, see https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/prog/configuration/172/b_172_programmability_cg.html.
Restrictions and Limitations for FlexConnect DHCP-Required
The following are the restrictions and limitations for the FlexConnect DHCP-Required feature:
· The DHCP-Required feature is applicable for IPv4 addresses only.
· The IP-MAC binding can be pushed to other APs only through the custom policy profile. IP-MAC binding is not available in the default policy. The mapping is propagated to all the APs in the same custom policy profile.
· The DHCP-Required feature works on IP-MAC binding basis and is not supported with third party workgroup bridge (WGB), where WGB wired client information is not shared to AP by the WGB.
· Cisco Wave 2 APs take 180 seconds to remove a client entry with static IP, when DHCP-required is enabled.

Configuring FlexConnect DHCP-Required (GUI)
Perform the steps given below to configure the FlexConnect DHCP-Required feature through the GUI:
Procedure

Step 1 Choose Configuration > Tags & Profiles > Policy.
Step 2 On the Policy window, click the name of the corresponding Policy Profile. The Edit Policy Profile window is displayed.
Step 3 Click the Advanced tab.
Step 4 In the DHCP section, check the IPv4 DHCP Required check box to enable the feature.
Step 5 Click Update & Apply to Device.

Configuring FlexConnect DHCP-Required (CLI)
Perform the procedure given below to configure FlexConnect DHCP-Required through the CLI:

Procedure

Step 1 configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2 wireless profile policy profile-policy
Example:
Device(config)# wireless profile policy rr-xyz-policy-1
Purpose: Configures the WLAN policy profile and enters the wireless policy configuration mode.

Step 3 ipv4 dhcp required
Example:
Device(config-wireless-policy)# ipv4 dhcp required
Purpose: Enables the FlexConnect DHCP-Required feature.

Step 4 no shutdown
Example:
Device(config-wireless-policy)# no shutdown
Purpose: Saves the configuration.

Verifying FlexConnect DHCP-Required
· To verify the IP address learnt for a client on an IP DHCP-Required policy-enabled WLAN, use the show wireless client summary command:

Note The controller or AP does not learn the IP address through other means such as ARP or data gleaning, when IPv4 DHCP-Required is enabled.

Device# show wireless client summary

Number of Clients: 1

MAC Address      AP Name            Type  ID  State     Protocol  Method  Role
--------------------------------------------------------------------------------
1cXX.bXXX.59XX   APXXXX.7XXX.4XXX   WLAN  3   IP Learn  11ac      Dot1x   Local

· This example shows the client in the Run state, indicating that the client has received its IP address from DHCP:

Device# show wireless client summary

Number of Clients: 1

MAC Address      AP Name            Type  ID  State  Protocol  Method  Role
--------------------------------------------------------------------------------
5XXX.37XX.c3XX   APXXXX.4XXX.4XXX   WLAN  3   Run    11n(5)    None    Local

CHAPTER 164
WLAN Security
· Information About WPA1 and WPA2, on page 1623
· Information About AAA Override, on page 1624
· Prerequisites for Layer 2 Security, on page 1627
· Restrictions for WPA2 and WPA3, on page 1628
· How to Configure WLAN Security, on page 1628
Information About WPA1 and WPA2
Wi-Fi Protected Access (WPA or WPA1) and WPA2 are standards-based security solutions from the Wi-Fi Alliance that provide data protection and access control for wireless LAN systems. WPA1 is compatible with the IEEE 802.11i standard but was implemented prior to the standard's ratification; WPA2 is the Wi-Fi Alliance's implementation of the ratified IEEE 802.11i standard. By default, WPA1 uses Temporal Key Integrity Protocol (TKIP) and Message Integrity Check (MIC) for data protection while WPA2 uses the stronger Advanced Encryption Standard encryption algorithm using Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (AES-CCMP). By default, both WPA1 and WPA2 use the 802.1X for authenticated key management. However, the following options are also available:
· PSK--When you choose PSK (also known as WPA preshared key or WPA passphrase), you need to configure a preshared key (or a passphrase). This key is used as the Pairwise Master Key (PMK) between clients and the authentication server.
· Cisco Centralized Key Management--Cisco Centralized Key Management uses a fast rekeying technique that enables clients to roam from one access point to another without going through the controller, typically in under 150 milliseconds (ms). Cisco Centralized Key Management reduces the time required by the client to mutually authenticate with the new access point and derive a new session key during reassociation. Cisco Centralized Key Management fast secure roaming ensures that there is no perceptible delay in time-sensitive applications, such as wireless Voice over IP (VoIP), Enterprise Resource Planning (ERP), or Citrix-based solutions. Cisco Centralized Key Management is a CCXv4-compliant feature. If Cisco Centralized Key Management is selected, only Cisco Centralized Key Management clients are supported. When Cisco Centralized Key Management is enabled, the behavior of access points differs from the controller's for fast roaming in the following ways:
  · If an association request sent by a client has Cisco Centralized Key Management enabled in a Robust Secure Network Information Element (RSN IE) but the Cisco Centralized Key Management IE is not encoded and only the PMKID is encoded in the RSN IE, then the controller does not do a full authentication. Instead, the controller validates the PMKID and does a four-way handshake.
  · If an association request sent by a client has Cisco Centralized Key Management enabled in the RSN IE and the Cisco Centralized Key Management IE is encoded and only the PMKID is present in the RSN IE, then the AP does a full authentication. The access point does not use the PMKID sent with the association request when Cisco Centralized Key Management is enabled in the RSN IE.
· 802.1X+Cisco Centralized Key Management--During normal operation, 802.1X-enabled clients mutually authenticate with a new access point by performing a complete 802.1X authentication, including communication with the main RADIUS server. However, when you configure your WLAN for 802.1X and Cisco Centralized Key Management fast secure roaming, Cisco Centralized Key Management-enabled clients securely roam from one access point to another without the need to reauthenticate to the RADIUS server. 802.1X+Cisco Centralized Key Management is considered an optional Cisco Centralized Key Management because both Cisco Centralized Key Management and non-Cisco Centralized Key Management clients are supported when this option is selected.
On a single WLAN, you can allow WPA1, WPA2, and 802.1X/PSK/Cisco Centralized Key Management/802.1X+Cisco Centralized Key Management clients to join. All of the access points on such a WLAN advertise WPA1, WPA2, and 802.1X/PSK/Cisco Centralized Key Management/802.1X+Cisco Centralized Key Management information elements in their beacons and probe responses. When you enable WPA1 and/or WPA2, you can also enable one or two ciphers, or cryptographic algorithms, designed to protect data traffic. Specifically, you can enable AES and/or TKIP data encryption for WPA1 and/or WPA2. TKIP is the default value for WPA1, and AES is the default value for WPA2.

Information About AAA Override
The AAA Override option of a WLAN enables you to configure the WLAN for identity networking. It enables you to apply VLAN tagging, Quality of Service (QoS), and Access Control Lists (ACLs) to individual clients based on the returned RADIUS attributes from the AAA server.

Configuring AAA Override

Procedure

Step 1 configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2 wireless profile policy profile-policy
Example:
Device(config)# wireless profile policy test-wgb
Purpose: Configures WLAN policy profile and enters the wireless policy configuration mode.

Step 3 aaa-override
Example:
Device(config-wireless-policy)# aaa-override
Purpose: Configures AAA policy override.
Note: If VLAN is not pushed from the RADIUS server, the VLAN Override feature can be disabled from the RADIUS server.

Step 4 end
Example:
Device(config-wireless-policy)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Information About VLAN Override
The VLAN override requires AAA Override to be enabled under the Policy Profile. You can assign a VLAN from the RADIUS server in two ways:
· Using IETF RADIUS attributes 64, 65, and 81--Attribute 81 can be a VLAN ID, VLAN name, or VLAN group name. Both VLAN name and VLAN group are supported, so the VLAN ID does not need to be predetermined on RADIUS. The RADIUS user attributes used for the VLAN ID assignment are:
  · 64 (Tunnel-Type)--Must be set to VLAN (Integer = 13).
  · 65 (Tunnel-Medium-Type)--Must be set to 802 (Integer = 6).
  · 81 (Tunnel-Private-Group-ID)--Must be set to the corresponding VLAN ID, VLAN name, or VLAN group name.
· Using the Aire-Interface-Name attribute--Use this attribute to assign a successfully authenticated user to a VLAN interface name (or VLAN ID) as per the user configuration. When you use this attribute, the VLAN name is returned as a string.
The VLAN ID is 12 bits and takes a value between 1 and 4094, inclusive. Because Tunnel-Private-Group-ID is of type string, as defined in RFC 2868 for use with IEEE 802.1X, the VLAN ID integer value is encoded as a string. When these tunnel attributes are sent, it is necessary to fill in the Tag field.
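As an added illustration (not part of this guide and not the controller's code), the following Python encodes the attribute triple described above the way a RADIUS server would place it in an Access-Accept, and applies the receiver-side checks the text implies: all three attributes share one Tag, Tunnel-Type is 13, Tunnel-Medium-Type is 6, and a numeric group ID must lie in 1 to 4094. The function names and sample values are assumptions.

```python
import struct

# RFC 2868 tunnel attributes the guide lists for VLAN assignment
TUNNEL_TYPE = 64              # must carry VLAN (13)
TUNNEL_MEDIUM_TYPE = 65       # must carry IEEE-802 (6)
TUNNEL_PRIVATE_GROUP_ID = 81  # VLAN ID, VLAN name or VLAN group name, as a string
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6
VLAN_ID_MIN, VLAN_ID_MAX = 1, 4094   # 12-bit VLAN ID range given in the guide


def encode_tagged_integer(attr_type: int, tag: int, value: int) -> bytes:
    """RFC 2868 tagged integer: Type(1) Length(1) Tag(1) Value(3)."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00 (unused) or 0x01..0x1F")
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def encode_tagged_string(attr_type: int, tag: int, text: str) -> bytes:
    """RFC 2868 tagged string: Type(1) Length(1) Tag(1) String(n)."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00 (unused) or 0x01..0x1F")
    data = text.encode("ascii")
    return struct.pack("!BBB", attr_type, 3 + len(data), tag) + data


def build_vlan_override(group_id: str, tag: int = 1) -> bytes:
    """Constructed sample: the attribute triple a RADIUS server puts in an
    Access-Accept to assign a VLAN. All three carry the same Tag so the
    receiver can group them, which is why the Tag field must be filled in."""
    return (encode_tagged_integer(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + encode_tagged_integer(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, group_id))


def parse_tunnel_attributes(buf: bytes):
    """Walk a RADIUS attribute list and return (type, tag, value) for the
    three tunnel attributes; any other attribute type is skipped."""
    out = []
    i = 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated attribute header")
        attr_type, length = buf[i], buf[i + 1]
        if length < 2 or i + length > len(buf):
            raise ValueError("bad attribute length")
        body = buf[i + 2:i + length]
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(body) != 4:
                raise ValueError("tagged integer must be tag + 3 value bytes")
            out.append((attr_type, body[0], int.from_bytes(body[1:], "big")))
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a leading byte above 0x1F is part of the string, not a tag
            if body and body[0] <= 0x1F:
                out.append((attr_type, body[0], body[1:].decode("ascii")))
            else:
                out.append((attr_type, 0, body.decode("ascii")))
        i += length
    return out


def resolve_vlan_override(buf: bytes):
    """Return the VLAN to apply (int ID, or str VLAN/group name) or None when
    the Access-Accept carries no complete, consistent, in-range triple.
    Hypothetical receiver logic written for this example, not Cisco's."""
    groups = {}
    for attr_type, tag, value in parse_tunnel_attributes(buf):
        groups.setdefault(tag, {})[attr_type] = value
    for attrs in groups.values():
        if (attrs.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and attrs.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in attrs):
            group_id = attrs[TUNNEL_PRIVATE_GROUP_ID]
            if not group_id:
                return None
            if group_id.isdigit():
                vlan_id = int(group_id)
                # reject IDs outside the 12-bit range instead of guessing a VLAN
                return vlan_id if VLAN_ID_MIN <= vlan_id <= VLAN_ID_MAX else None
            return group_id  # VLAN name or VLAN group name, resolved on the controller
    return None


if __name__ == "__main__":
    accept = build_vlan_override("20")   # constructed sample payload
    print(accept.hex())
    print(resolve_vlan_override(accept))  # 20
    print(resolve_vlan_override(build_vlan_override("vlan_ascii")))  # vlan_ascii
```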

Configuring Override VLAN for Central Switching

Procedure

Step 1 configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2 vlan vlan-id
Example:
Device(config)# vlan 20
Purpose: Defines VLANs that can be pushed from the RADIUS server.
Note: The valid VLAN ID ranges from 1 to 4094.

Step 3 name vlan-name
Example:
Device(config-vlan)# name vlan_ascii
Purpose: (Optional) Changes the default name of the VLAN.

Step 4 end
Example:
Device(config-vlan)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Configuring Override VLAN for Local Switching
If the VLAN name ID mapping under flex profile is newly added or updated, then the WLAN policy profiles having a matching VLAN name configured, must be shut and unshut. This is to ensure that the updated WLAN-VLAN mapping is pushed to the APs and the client receives the IP address from the intended VLAN.

Procedure

Step 1 configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2 wireless profile flex flex_profile_name
Example:
Device(config)# wireless profile flex rr-xyz-flex-profile
Purpose: Configures a Flex profile.

Step 3 vlan-name vlan_name
Example:
Device(config-wireless-flex-profile)# vlan-name vlan_123
Purpose: Defines VLANs that can be pushed from the RADIUS server.

Step 4 vlan-id vlan_id
Example:
Device(config-wireless-flex-profile-vlan)# vlan-id 23
Purpose: Configures the VLAN ID. The valid VLAN ID ranges from 1 to 4096.

Step 5 end
Example:
Device(config-wireless-flex-profile-vlan)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

VLAN Override on Layer 3 Web Authentication
The VLAN override can be pushed from the RADIUS server during Layer 3 authentication.
When a client connects to the controller and is authenticated by the RADIUS server for Local Web Authentication (LWA) or Central Web Authentication (CWA), the RADIUS server returns the new VLAN in the Access-Accept. If the RADIUS server returns a new VLAN in the Access-Accept, the client goes back to the IP learn state on the controller. The controller de-associates the client while maintaining the client state for 30 seconds. Once the client re-associates, the client lands immediately in the new VLAN and triggers a new DHCP request. The client then learns a new IP address and moves to the RUN state on the controller.
The VLAN Override on Layer 3 Web authentication supports the following:
· Local clients
· Anchored clients
· FlexConnect central authentication, central or local switching

Verifying VLAN Override on Layer 3 Web Authentication

To display the VLAN override after L3 authentication, use the following command:

Device# show wireless client mac <mac> detail
[...]
Vlan Override after L3 Auth: True

To display the statistics about the client, use the following command:

Device# show wireless stats client detail
[...]
Total L3 VLAN Override vlan change received     : 1
Total L3 VLAN Override disassociations sent     : 1
Total L3 VLAN Override re-associations received : 1
Total L3 VLAN Override successful VLAN change   : 1
[...]
L3 VLAN Override connection timeout             : 0

Prerequisites for Layer 2 Security
WLANs with the same SSID must have unique Layer 2 security policies so that clients can make a WLAN selection based on the information advertised in beacon and probe responses. The available Layer 2 security policies are as follows:
· None (open WLAN)
· WPA+WPA2
· Static WEP (not supported on Wave 2 APs)
· WPA2+WPA3
· Enhanced Open

Note
· Although WPA and WPA2 cannot be used by multiple WLANs with the same SSID, you can configure two WLANs with the same SSID with WPA/TKIP with PSK and Wi-Fi Protected Access (WPA)/Temporal Key Integrity Protocol (TKIP) with 802.1X, or with WPA/TKIP with 802.1X or WPA/AES with 802.1X.
· A WLAN configured with TKIP support will not be enabled on an RM3000AC module.

Restrictions for WPA2 and WPA3
· You cannot enable security ft or ft-adaptive without enabling WPA2 or WPA3.
· You cannot enable ft-dot1x or ft-psk without enabling WPA2 or WPA3.
· You cannot enable 802.1x or PSK simultaneously with SHA256 key derivation type without enabling WPA2 or WPA3 on a WLAN.
· You cannot configure PMF on a WPA1 WLAN without WPA2 security.
· IOS APs do not support WPA3.

How to Configure WLAN Security

Configuring Static WEP Layer 2 Security Parameters (GUI)
Procedure

Step 1 Choose Configuration > Tags & Profiles > WLANs.
Step 2 On the WLANs page, click the name of the WLAN.
Step 3 In the Edit WLAN window, click the Security tab.
Step 4 From the Layer 2 Security Mode drop-down list, select the Static WEP option.
Step 5 (Optional) Check the Shared Key Authentication check box to set the authentication type as shared. By leaving the check box unchecked, the authentication type is set to open.
Step 6 Set the Key Size as either 40 bits or 104 bits.
· 40 bits: The keys with 40-bit encryption must contain 5 ASCII text characters or 10 hexadecimal characters.
· 104 bits: The keys with 104-bit encryption must contain 13 ASCII text characters or 26 hexadecimal characters.
Step 7 Set the appropriate Key Index; you can choose between 1 to 4.
Step 8 Set the Key Format as either ASCII or Hex.
Step 9 Enter a valid Encryption Key.
· 40 bits: The keys with 40-bit encryption must contain 5 ASCII text characters or 10 hexadecimal characters.
· 104 bits: The keys with 104-bit encryption must contain 13 ASCII text characters or 26 hexadecimal characters.
Step 10 Click Update & Apply to Device.

Configuring Static WEP Layer 2 Security Parameters (CLI)

Before you begin
You must have administrator privileges.

Procedure

Step 1 configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2 wlan profile-name wlan-id SSID_Name
Example:
Device(config)# wlan test4 1 test4
Purpose: Enters the WLAN configuration submode.
· profile-name is the profile name of the configured WLAN.
· wlan-id is the wireless LAN identifier. The range is 1 to 512.
· SSID_Name is the SSID, which can contain 32 alphanumeric characters.
Note: If you have already configured this command, enter the wlan profile-name command.

Step 3 disable ft
Example:
Device(config-wlan)# disable ft
Purpose: Disables fast transition.

Step 4 no security ft over-the-ds
Example:
Device(config-wlan)# no security ft over-the-ds
Purpose: Disables fast transition over the data source on the WLAN.

Step 5 no security ft
Example:
Device(config-wlan)# no security ft
Purpose: Disables 802.11r Fast Transition on the WLAN.

Step 6 no security wpa {akm | wpa1 | wpa2}
Example:
Device(config-wlan)# no security wpa wpa1 ciphers tkip
Purpose: Disables the WPA/WPA2 support for a WLAN.

Step 7 security static-wep-key [authentication {open | shared}]
Example:
Device(config-wlan)# security static-wep-key authentication open
Purpose: The keywords are as follows:
· static-wep-key--Configures Static WEP Key authentication.
· authentication--Specifies the authentication type you can set. The values are open and shared.

Step 8 security static-wep-key [encryption {104 | 40} {ascii | hex} [0 | 8]]
Example:
Device(config-wlan)# security static-wep-key encryption 104 ascii 0 1234567890123 1
Purpose: The keywords are as follows:
· static-wep-key--Configures Static WEP Key authentication.
· encryption--Specifies the encryption type that you can set. The valid values are 104 and 40. 40-bit keys must contain 5 ASCII text characters or 10 hexadecimal characters. 104-bit keys must contain 13 ASCII text characters or 26 hexadecimal characters.
· ascii--Specifies the key format as ASCII.
· hex--Specifies the key format as HEX.

Step 9 end
Example:
Device(config-wlan)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Configuring WPA + WPA2 Layer 2 Security Parameters (GUI)
Procedure

Step 1 Click Configuration > Tags and Profiles > WLANs.
Step 2 Click Add to add a new WLAN Profile or click the one you want to edit.
Step 3 In the Edit WLAN window, click Security > Layer2.
Step 4 From the Layer 2 Security Mode drop-down menu, select WPA + WPA2.
Step 5 Configure the security parameters and then click Save and Apply to Device.

Configuring WPA + WPA2 Layer 2 Security Parameters (CLI)

Note The default values for security policy WPA2 are:
· Encryption is AES.
· Authentication Key Management (AKM) is dot1x.

Before you begin
You must have administrator privileges.

Procedure

Step 1 configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2 wlan profile-name wlan-id SSID_Name
Example:
Device(config)# wlan test4 1 test4
Purpose: Enters the WLAN configuration submode.
· profile-name is the profile name of the configured WLAN.
· wlan-id is the wireless LAN identifier. The range is 1 to 512.
· SSID_Name is the SSID that contains 32 alphanumeric characters.
Note: If you have already configured this command, enter the wlan profile-name command.

Step 3 security wpa {akm | wpa1 | wpa2}
Example:
Device(config-wlan)# security wpa
Purpose: Enables WPA or WPA2 support for the WLAN.

Step 4 security wpa wpa1
Example:
Device(config-wlan)# security wpa wpa1
Purpose: Enables WPA.

Step 5 security wpa wpa1 ciphers [aes | tkip]
Example:
Device(config-wlan)# security wpa wpa1 ciphers aes
Purpose: Specifies the WPA1 cipher. Choose one of the following encryption types:
· aes--Specifies WPA/AES support.
· tkip--Specifies WPA/TKIP support.
The default values are TKIP for WPA1 and AES for WPA2.
Note: You can enable or disable TKIP encryption only using the CLI. Configuring TKIP encryption is not supported in the GUI.
When you have VLAN configuration on WGB, you need to configure the encryption cipher mode and keys for a particular VLAN, for example, encryption vlan 80 mode ciphers tkip. Then, you need to configure the encryption cipher mode globally on the multicast interface by entering the following command: encryption mode ciphers tkip.

Step 6 security wpa akm {cckm | dot1x | dot1x-sha256 | ft | psk | psk-sha256}
Example:
Device(config-wlan)# security wpa akm psk-sha256
Purpose: Enables or disables Cisco Centralized Key Management, 802.1x, 802.1x with SHA256 key derivation type, Fast Transition, PSK, or PSK with SHA256 key derivation type.
Note:
· You cannot enable 802.1x and PSK with SHA256 key derivation type simultaneously.
· When you configure a Cisco Centralized Key Management SSID, you must enable ccx aironet-iesupport for Cisco Centralized Key Management to work.
· WPA3 Enterprise dot1x-sha256 is supported only in local mode.

Step 7 security wpa psk set-key {ascii | hex} {0 | 8} password
Example:
Device(config-wlan)# security wpa psk set-key ascii 0 test
Purpose: Enter this command to specify a preshared key, if you have enabled PSK. WPA preshared keys must contain 8 to 63 ASCII text characters or 64 hexadecimal characters.

Step 8 security wpa akm ft {dot1x | psk | sae}
Example:
Device(config-wlan)# security wpa akm ft psk
Purpose: Enables or disables the authentication key management suite for fast transition.
Note: You can now choose between PSK and fast transition PSK as the AKM suite.

Step 9 security wpa wpa2
Example:
Device(config-wlan)# security wpa wpa2
Purpose: Enables WPA2.

Step 10 security wpa wpa2 ciphers aes
Example:
Device(config-wlan)# security wpa wpa2 ciphers aes
Purpose: Configures the WPA2 cipher.
· aes--Specifies WPA/AES support.

Step 11 show wireless pmk-cache
Example:
Device# show wireless pmk-cache
Purpose: Displays the remaining time before the PMK cache lifetime timer expires.
If you have enabled WPA2 with 802.1X authenticated key management, or WPA1 or WPA2 with Cisco Centralized Key Management authenticated key management, the PMK cache lifetime timer is used to trigger reauthentication with the client when necessary. The timer is based on the timeout value received from the AAA server or the WLAN session timeout setting.
If you configure 802.1x with a session timeout between 0 and 299, the Pairwise Master Key (PMK) cache is created with a timer of 1 day (84600 seconds).
Note:
· The command shows the VLAN ID with the VLAN pooling feature in the VLAN-Override field.
· Sticky key caching (SKC) is not supported.
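Added example, not from this guide or the controller software: the preshared-key format rules from Step 7 (8 to 63 ASCII characters or 64 hexadecimal characters) and the PSK-as-PMK relationship described under Information About WPA1 and WPA2, applied in Python. The passphrase and SSID are constructed samples, the function names are assumptions, and the PBKDF2 stretching is the IEEE 802.11 passphrase-to-PSK mapping, not anything Cisco-specific.

```python
import hashlib
import re

# Limits the guide gives for "security wpa psk set-key {ascii | hex} ..."
ASCII_MIN, ASCII_MAX = 8, 63   # ASCII passphrase length
HEX_LEN = 64                   # raw 256-bit PMK written as hex


def validate_psk(key_format: str, key: str) -> str:
    """Accept a key in the form the CLI would and return 'ascii' or 'hex'.
    Raises ValueError with the reason the key would be rejected."""
    if key_format == "ascii":
        if not ASCII_MIN <= len(key) <= ASCII_MAX:
            raise ValueError(f"ASCII PSK must be {ASCII_MIN} to {ASCII_MAX} characters")
        # IEEE 802.11 restricts a passphrase to printable ASCII (32 to 126)
        if not all(32 <= ord(c) <= 126 for c in key):
            raise ValueError("ASCII PSK must contain printable ASCII only")
        return "ascii"
    if key_format == "hex":
        if not re.fullmatch(r"[0-9a-fA-F]{64}", key):
            raise ValueError(f"hex PSK must be exactly {HEX_LEN} hexadecimal characters")
        return "hex"
    raise ValueError("key format must be ascii or hex")


def derive_pmk(key_format: str, key: str, ssid: str) -> bytes:
    """Return the 32-byte PMK that a WPA/WPA2-PSK WLAN shares with every client.
    An ASCII passphrase is stretched with PBKDF2-HMAC-SHA1 (4096 rounds, SSID
    as salt) as IEEE 802.11 specifies; a 64-hex key is the PMK itself."""
    fmt = validate_psk(key_format, key)
    if fmt == "hex":
        return bytes.fromhex(key)
    if not 1 <= len(ssid.encode("utf-8")) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", key.encode("utf-8"), ssid.encode("utf-8"), 4096, 32)


if __name__ == "__main__":
    # Constructed sample: the SSID from the wlan example above with a sample passphrase.
    print(derive_pmk("ascii", "correct horse battery", "test4").hex())
```

Because every client on a PSK WLAN derives the same PMK from the same passphrase and SSID, rotating the passphrase changes the PMK for all of them at once.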


CHAPTER 165
Workgroup Bridges
· Cisco Workgroup Bridges, on page 1635
· Configuring Workgroup Bridge on a WLAN, on page 1637
· Verifying the Status of a Workgroup Bridge on the Controller, on page 1639
· Configuring Access Points as Workgroup Bridge, on page 1639
Cisco Workgroup Bridges
A workgroup bridge (WGB) is an Access Point (AP) mode to provide wireless connectivity to wired clients that are connected to the Ethernet port of the WGB AP. A WGB connects a wired network over a single wireless segment by learning the MAC addresses of its wired clients on the Ethernet interface and reporting them to the WLC through infrastructure AP using Internet Access Point Protocol (IAPP) messaging. The WGB establishes a single wireless connection to the root AP, which in turn, treats the WGB as a wireless client.
Figure 41: Example of a WGB
The following features are supported for use with a WGB:
Table 83: WGB Feature Matrix

Feature | Cisco Wave 1 APs | Cisco Wave 2
--- | --- | ---
802.11r | Supported | Supported
QOS | Supported | Supported
UWGB mode | Supported | Supported on Wave 2 APs
IGMP Snooping or Multicast | Supported | Supported
802.11w | Supported | Supported
PI support (without SNMP) | Supported | Not supported
IPv6 | Supported | Supported
VLAN | Supported | Supported
802.11i (WPAv2) | Supported | Supported
Broadcast tagging/replicate | Supported | Supported
Unified VLAN client | Implicitly supported (No CLI required) | Supported
WGB client | Supported | Supported
802.1x - PEAP, EAP-FAST, EAP-TLS | Supported | Supported
NTP | Supported | Supported
Wired client support on all LAN ports | Supported in Wired-0 and Wired-1 interfaces | Supported in all Wired-0, 1 and LAN ports 1, 2, and 3

The following table shows the supported and unsupported authentication and switching modes for Cisco APs when connecting to a WGB.

Table 84: Supported Access Points and Requirements

Access Points | Requirements
--- | ---
Cisco Aironet 2700, 3700, and 1572 Series | Requires autonomous image.
Cisco Aironet 1800, 2800, 3800, 4800, 1562, and Cisco Catalyst 9105, 9115, IW6300 and ESW6300 Series | CAPWAP image starting from Cisco AireOS 8.8 release.

Table 85: WGB Support on APs

WGB WLAN Support | Central Authentication | Central Switching | Local Authentication | Local Switching
--- | --- | --- | --- | ---
Cisco Wave 2 APs | Supported | Supported | Not Supported | Supported
Cisco Catalyst 9100 Series APs | Supported | Supported | Not Supported | Supported

· MAC filtering is not supported for wired clients.
· Idle timeout is not supported for both WGB and wired clients.
· Session timeout is not applicable for wired clients.
· Web authentication is not supported.
· WGB supports only up to 20 clients.
· If you want to use a chain of certificates, copy all the CA certificates to a file and install it under a trust point on the WGB, else server certificate validation may fail.
· Wired clients connected to the WGB are not authenticated for security. Instead, the WGB is authenticated against the access point to which it associates. Therefore, we recommend that you physically secure the wired side of the WGB.
· Wired clients connected to a WGB inherit the WGB's QoS and AAA override attributes.
· To enable the WGB to communicate with the root AP, create a WLAN and make sure that Aironet IE is enabled under the Advanced settings.

Configuring Workgroup Bridge on a WLAN
Follow the procedure given below to configure a WGB on a WLAN. For a WGB to join a wireless network, specific settings are required on the WLAN and on the related policy profile.

Note For the configuration given below, it is assumed that the WLAN security is already configured.

Procedure

Step 1 configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2 wlan profile-name
Example:
Device(config)# wlan WGB_Test
Purpose: Enters WLAN configuration submode. The profile-name is the profile name of the configured WLAN.

Step 3 ccx aironet-iesupport
Example:
Device(config-wlan)# ccx aironet-iesupport
Purpose: Configures the Cisco Client Extensions option and sets the support of Aironet IE on the WLAN.

Step 4 exit
Example:
Device(config-wlan)# exit
Purpose: Exits the WLAN configuration submode.

Step 5 wireless profile policy profile-policy
Example:
Device(config)# wireless profile policy test-wgb
Purpose: Configures WLAN policy profile and enters the wireless policy configuration mode.

Step 6 description description
Example:
Device(config-wireless-policy)# description "test-wgb"
Purpose: Adds a description for the policy profile.

Step 7 vlan vlan-no
Example:
Device(config-wireless-policy)# vlan 48
Purpose: Assigns the profile policy to the VLAN.

Step 8 wgb vlan
Example:
Device(config-wireless-policy)# wgb vlan
Purpose: Configures WGB VLAN client support.

Step 9 wgb broadcast-tagging
Example:
Device(config-wireless-policy)# wgb broadcast-tagging
Purpose: Configures WGB broadcast tagging on a WLAN.

Step 10 no shutdown
Example:
Device(config-wireless-policy)# no shutdown
Purpose: Restarts the policy profile.

Step 11 exit
Example:
Device(config-wireless-policy)# exit
Purpose: Exits the wireless policy configuration mode.

Step 12 wireless tag policy policy-tag
Example:
Device(config)# wireless tag policy WGB_Policy
Purpose: Configures policy tag and enters policy tag configuration mode.

Step 13 wlan profile-name policy profile-policy
Example:
Device(config-policy-tag)# wlan WGB_Test policy test-wgb
Purpose: Maps a policy profile to a WLAN profile.

Step 14 end
Example:
Device(config-policy-tag)# end
Purpose: Exits policy tag configuration mode, and returns to privileged EXEC mode.

Verifying the Status of a Workgroup Bridge on the Controller
Use the following commands to verify the status of a WGB.
To display the wireless-specific configuration of active clients, use the following command:
Device# show wireless client summary
To display the WGBs on your network, use the following command:
Device# show wireless wgb summary
To display the details of wired clients that are connected to a particular WGB, use the following command:
Device# show wireless wgb mac-address 00:0d:ed:dd:25:82 detail

Configuring Access Points as Workgroup Bridge

Turning Cisco Aironet 2700/3700/1572 Series AP into Autonomous Mode

Before you begin
Download the autonomous image for the specific access point from software.cisco.com and place it on a TFTP server.

Procedure

Step 1 debug capwap console cli
Example:
Device# debug capwap console cli
Purpose: Enables the console CLI.

Step 2 archive download-sw force-reload overwrite tftp:ipaddress filepath filename
Example:
Device# archive download-sw force-reload overwrite tftp://10.10.10.1/tftp/c1800.tar
Purpose: Downloads the autonomous image to the access point.

Configuring Cisco Wave 2 APs in Workgroup Bridge or CAPWAP AP Mode (CLI)

Procedure

Step 1

enable

Enters the privileged mode of the AP.

Example:
Device# enable

Step 2

ap-type workgroup-bridge

Moves the AP into Workgroup Bridge mode.

Example:
Device# ap-type workgroup-bridge

Step 3

configure ap address ipv4 dhcp or configure ap address ipv4 static ip-address netmask gateway-ipaddress

Configures a DHCP or static IP address.

Example:
DHCP IP Address
Device# configure ap address ipv4 dhcp
Static IP Address
Device# configure ap address ipv4 static 10.10.10.2 255.255.255.234 192.168.4.1

Step 4

configure ap management add username username password password secret secret

Configures a username for AP management.

Example:
Device# configure ap management add username xyz-user password ****** secret cisco

Step 5

configure ap hostname host-name

Configures the AP hostname.

Example:
Device# configure ap hostname xyz-host

Configure an SSID Profile for Cisco Wave 2 APs (CLI)
This procedure is an AP procedure. The CLIs listed in the procedure given below work only on the AP console and not on the controller.


Procedure

Step 1

configure ssid-profile ssid-profile-name ssid radio-serv-name authentication {open | psk preshared-key key-management {dot11r | wpa2 | dot11w | {optional | required}} | eap profile eap-profile-name key-management {dot11r | wpa2 | dot11w | {optional | required}}}

Choose an authentication protocol (Open, PSK, or EAP) for the SSID profile.

Example:
SSID profile with open authentication.
Device# configure ssid-profile test WRT s1 authentication open

SSID profile with PSK authentication.
Device# configure ssid-profile test WRT s1 authentication psk 1234 key-management dot11r optional

SSID profile with EAP authentication.
Device# configure ssid-profile test WRT s1 authentication eap profile test2 key-management dot11r optional

Step 2

configure dot11radio radio-interface mode wgb ssid-profile profile-name

Attaches an SSID profile to a radio interface.

Example:
Device# configure dot11radio r1 mode wgb ssid-profile doc-test

Step 3

configure ssid-profile profile-name delete

(Optional) Deletes an SSID profile.

Example:
Device# configure ssid-profile doc-test delete

Step 4

show wgb ssid

(Optional) Displays a summary of configured and connected SSIDs.

Example:
Device# show wgb ssid

Step 5

show wgb packet statistics

(Optional) Displays management, control, and data packet statistics.

Example:
Device# show wgb packet statistics


Configuring a Dot1X Credential (CLI)

Procedure

Step 1

configure dot1x credential profile-name username name password password

Configures a dot1x credential.

Example:
Device# configure dot1x credential test1 username XYZ password *****

Step 2

configure dot1x credential profile-name delete

Removes a dot1x profile.

Example:
Device# configure dot1x credential test1 delete

Step 3

clear wgb client {all | single mac-addr}

Deauthenticates a WGB client.

Example:
Device# clear wgb client single xxxx.xxxx.xxxx.xxxx

Configuring an EAP Profile (CLI)

Procedure

Step 1

configure eap-profile profile-name method {fast | leap | peap | tls}

Configures an EAP profile.

Example:
Device# configure eap-profile test-eap method fast

Step 2

configure eap-profile profile-name trustpoint default or configure eap-profile profile-name trustpoint name trustpoint-name

Configures an EAP profile with a trustpoint.

Example:
EAP Profile to Trustpoint with MIC Certificate.
Device# configure eap-profile test-eap trustpoint default
EAP Profile to Trustpoint with CA Certificate.
Device# configure eap-profile test-eap trustpoint cisco

Step 3

configure eap-profile profile-name trustpoint {default | name trustpoint-name}

Attaches the CA trustpoint.

Note
With the default profile, WGB uses the internal MIC certificate for authentication.

Example:
Device# configure eap-profile test-eap trustpoint default

Step 4

configure eap-profile profile-name dot1x-credential profile-name

Configures the 802.1X credential profile.

Example:
Device# configure eap-profile test-eap dot1x-credential test-profile

Step 5

configure eap-profile profile-name delete

(Optional) Deletes an EAP profile.

Example:
Device# configure eap-profile test-eap delete

Step 6

show wgb eap dot1x credential profile

(Optional) Displays the WGB EAP dot1x profile summary.

Example:
Device# show wgb eap dot1x credential profile

Step 7

show wgb eap profile

(Optional) Displays the EAP profile summary.

Example:
Device# show wgb eap profile

Step 8

show wgb eap profile all

(Optional) Displays the EAP and dot1x profiles.

Example:
Device# show wgb eap profile all

Configuring Manual-Enrollment of a Trustpoint for Workgroup Bridge (CLI)

Procedure

Step 1

configure crypto pki trustpoint ca-server-name enrollment terminal

Configures a trustpoint in WGB.

Example:
Device# configure crypto pki trustpoint ca-server-US enrollment terminal

Step 2

configure crypto pki trustpoint ca-server-name authenticate

Authenticates a trustpoint manually. Enter the base 64 encoded CA certificate and end the certificate by entering quit in a new line.

Example:
Device# configure crypto pki trustpoint ca-server-US authenticate

Step 3

configure crypto pki trustpoint ca-server-name key-size key-length

Configures a private key size.

Example:
Device# configure crypto pki trustpoint ca-server-Us key-size 60

Step 4

configure crypto pki trustpoint ca-server-name subject-name name [2ltr-country-code | state-name | locality | org-name | org-unit | email]

Configures the subject name.

Example:
Device# configure crypto pki trustpoint ca-server-US subject-name test US CA abc cisco AP test@cisco.com

Step 5

configure crypto pki trustpoint ca-server-name enroll

Generates a private key and Certificate Signing Request (CSR). Afterwards, create the digitally signed certificate using the CSR output in the CA server.

Example:
Device# configure crypto pki trustpoint ca-server-US enroll

Step 6

configure crypto pki trustpoint ca-server-name import certificate

Imports the signed certificate in WGB. Enter the base 64 encoded CA certificate and end the certificate by using the quit command in a new line.

Example:
Device# configure crypto pki trustpoint ca-server-US import certificate

Step 7

configure crypto pki trustpoint ca-server-name delete

(Optional) Deletes a trustpoint.

Example:
Device# configure crypto pki trustpoint ca-server-US delete

Step 8

show crypto pki trustpoint

(Optional) Displays the trustpoint summary.

Example:
Device# show crypto pki trustpoint

Step 9

show crypto pki trustpoint trustpoint-name certificate

(Optional) Displays the content of the certificates that are created for a trustpoint.

Example:
Device# show crypto pki trustpoint ca-server-US certificate

Configuring Auto-Enrollment of a Trustpoint for Workgroup Bridge (CLI)

Procedure

Step 1

configure crypto pki trustpoint ca-server-name enrollment url ca-server-url

Enrols a trustpoint in WGB using the server URL.

Example:
Device# configure crypto pki trustpoint ca-server-US enrollment url https://cisco/certsrv

Step 2

configure crypto pki trustpoint ca-server-name authenticate

Authenticates a trustpoint by fetching the CA certificate from the CA server automatically.

Example:
Device# configure crypto pki trustpoint ca-server-US authenticate

Step 3

configure crypto pki trustpoint ca-server-name key-size key-length

Configures a private key size.

Example:
Device# configure crypto pki trustpoint ca-server-Us key-size 60

Step 4

configure crypto pki trustpoint ca-server-name subject-name name [2ltr-country-code | state-name | locality | org-name | org-unit | email]

Configures the subject name.

Example:
Device# configure crypto pki trustpoint ca-server-US subject-name test US CA abc cisco AP test@cisco.com

Step 5

configure crypto pki trustpoint ca-server-name enroll

Enrols the trustpoint. Requests the digitally signed certificate from the CA server.

Example:
Device# configure crypto pki trustpoint ca-server-US enroll

Step 6

configure crypto pki trustpoint ca-server-name auto-enroll enable renew-percentage

Enables auto-enroll of the trustpoint. You can disable auto-enrolling by using the disable option in the command.

Example:
Device# configure crypto pki trustpoint ca-server-US auto-enroll enable 10

Step 7

configure crypto pki trustpoint trustpoint-name delete

(Optional) Deletes a trustpoint.

Example:
Device# configure crypto pki trustpoint ca-server-US delete

Step 8

show crypto pki trustpoint

(Optional) Displays the trustpoint summary.

Example:
Device# show crypto pki trustpoint

Step 9

show crypto pki trustpoint trustpoint-name certificate

(Optional) Displays the content of the certificates that are created for a trustpoint.

Example:
Device# show crypto pki trustpoint ca-server-US certificate

Step 10

show crypto pki timers

(Optional) Displays the PKI timer information.

Example:
Device# show crypto pki timers

Configuring Manual Certificate Enrolment Using TFTP Server (CLI)

Procedure

Step 1

configure crypto pki trustpoint ca-server-name enrollment tftp addr/file-name

Specifies the enrolment method to retrieve the CA certificate and client certificate for a trustpoint in WGB.

Example:
Device# configure crypto pki trustpoint ca-server-US enrollment tftp://10.8.0.6/all_cert.txt

Step 2

configure crypto pki trustpoint ca-server-name authenticate

Retrieves the CA certificate and authenticates it from the specified TFTP server. If the file specification is included, the WGB appends the extension ".ca" to the specified filename.

Example:
Device# configure crypto pki trustpoint ca-server-US authenticate

Step 3

configure crypto pki trustpoint ca-server-name key-size key-length

Configures a private key size.

Example:
Device# configure crypto pki trustpoint ca-server-Us key-size 60

Step 4

configure crypto pki trustpoint ca-server-name subject-name name [2ltr-country-code | state-name | locality | org-name | org-unit | email]

Configures the subject name.

Example:
Device# configure crypto pki trustpoint ca-server-US subject-name test US CA abc cisco AP test@cisco.com

Step 5

configure crypto pki trustpoint ca-server-name enroll

Generates a private key and Certificate Signing Request (CSR) and writes the request out to the TFTP server. The filename to be written is appended with the extension ".req".

Example:
Device# configure crypto pki trustpoint ca-server-US enroll

Step 6

configure crypto pki trustpoint ca-server-name import certificate

Imports the signed certificate in WGB using TFTP at the console terminal, which retrieves the granted certificate. The WGB attempts to retrieve the granted certificate using TFTP with the same filename, appended with the ".crt" extension.

Example:
Device# configure crypto pki trustpoint ca-server-US import certificate

Step 7

show crypto pki trustpoint

(Optional) Displays the trustpoint summary.

Example:
Device# show crypto pki trustpoint

Step 8

show crypto pki trustpoint trustpoint-name certificate

(Optional) Displays the content of the certificates that are created for a trustpoint.

Example:
Device# show crypto pki trustpoint ca-server-US certificate
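The terminal and TFTP enrollment procedures above both hinge on two things the guide states but leaves the operator to get right: the certificate pasted at the authenticate and import certificate prompts must be a complete base64 blob (a cut-off paste is the usual cause of an enrollment that fails with no useful error), and for TFTP the WGB derives the ".ca", ".req" and ".crt" file names from the URL given in Step 1. The following Python script is an added example, not code from the guide or from Cisco: it checks a PEM CERTIFICATE block before pasting, by decoding the base64 and comparing the outer DER SEQUENCE length against the number of decoded bytes, and it derives the TFTP file names per the rule above. The sample PEM is a constructed minimal DER blob (a SEQUENCE holding one INTEGER), not a real certificate, and the function names are my own.

```python
from __future__ import annotations

import base64
import re

# Matches one PEM certificate block; the body is base64 that may span lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(?P<body>.*?)-----END CERTIFICATE-----",
    re.DOTALL,
)


def der_outer_length(der: bytes) -> tuple[int, int]:
    """Return (header_length, content_length) of the outer DER element.

    An X.509 certificate is a DER SEQUENCE (tag 0x30). The length octet is
    short form (< 0x80) or long form (0x80 | number of length octets).
    Raises ValueError if the header itself is malformed.
    """
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("outer element is not a DER SEQUENCE (tag 0x30)")
    first = der[1]
    if first < 0x80:
        return 2, first
    n = first & 0x7F
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("malformed long-form DER length")
    return 2 + n, int.from_bytes(der[2:2 + n], "big")


def check_pem_certificate(pem_text: str) -> tuple[bool, str]:
    """Validate a PEM block as the authenticate / import certificate prompts
    would receive it. Returns (ok, reason)."""
    match = PEM_BLOCK.search(pem_text)
    if match is None:
        return False, "no BEGIN/END CERTIFICATE block found"
    body = "".join(match.group("body").split())  # drop line breaks and spaces
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError as exc:  # binascii.Error is a subclass of ValueError
        return False, f"base64 decode failed: {exc}"
    try:
        header_len, content_len = der_outer_length(der)
    except ValueError as exc:
        return False, str(exc)
    expected = header_len + content_len
    if expected != len(der):
        return False, f"length mismatch: DER header announces {expected} bytes, blob has {len(der)}"
    return True, f"ok: {len(der)} DER bytes"


def tftp_enrollment_files(enrollment_url: str) -> dict[str, str]:
    """File names the WGB derives from the 'enrollment tftp' URL, per the guide:
    authenticate reads <name>.ca, enroll writes <name>.req, import reads <name>.crt."""
    return {
        "ca": enrollment_url + ".ca",
        "req": enrollment_url + ".req",
        "crt": enrollment_url + ".crt",
    }


def wrap_pem(der: bytes) -> str:
    """Wrap DER bytes in a PEM CERTIFICATE block with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed sample data: a minimal DER SEQUENCE holding one INTEGER (5).
# It is not a certificate; it only exercises the outer framing check.
SAMPLE_DER = bytes.fromhex("3003020105")
SAMPLE_PEM = wrap_pem(SAMPLE_DER)
# The same blob with its final byte lost, as happens when a paste is cut off.
TRUNCATED_PEM = wrap_pem(SAMPLE_DER[:-1])

if __name__ == "__main__":
    print(check_pem_certificate(SAMPLE_PEM))
    print(check_pem_certificate(TRUNCATED_PEM))
    print(tftp_enrollment_files("tftp://10.8.0.6/all_cert.txt"))
```

Run it against the CA certificate file exported from your CA before pasting at the WGB prompt; a length mismatch means the blob is truncated or has extra bytes and should not be pasted. The check looks only at the outer DER framing, so it does not replace inspecting the certificate itself with show crypto pki trustpoint trustpoint-name certificate after import.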


Importing the PKCS12 Format Certificates from the TFTP Server (CLI)

Procedure

Step 1

configure crypto pki trustpoint ca-server-name import pkcs12 tftp addr/file-name password pwd

Imports a PKCS12 format certificate from the TFTP server.

Example:
Device# configure crypto pki trustpoint ca-server-US enrollment tftp://10.8.0.6/all_cert.txt password ******

Step 2

show crypto pki trustpoint

(Optional) Displays the trustpoint summary.

Example:
Device# show crypto pki trustpoint

Step 3

show crypto pki trustpoint trustpoint-name certificate

(Optional) Displays the content of the certificates that are created for a trustpoint.

Example:
Device# show crypto pki trustpoint ca-server-US certificate

Configuring Radio Interface for Workgroup Bridges (CLI)
From the available two radio interfaces, before configuring WGB or UWGB mode on one radio interface, configure the other radio interface to root AP mode.

Procedure

Step 1

configure dot11radio radio-int mode root-ap

Maps a radio interface as root AP.

Note
When an active SSID or EAP profile is modified, you need to reassociate the profile to the radio interface for the updated profile to be active.

Example:
Device# configure dot11Radio 0/3/0 mode root-ap

Step 2

configure dot11Radio <0|1> beacon-period beacon-interval

Configures the periodic beacon interval in milliseconds. The value range is between 2 and 2000 milliseconds.

Example:
Device# configure dot11radio 1 beacon-period 120

Step 3

configure dot11Radio radio-int mode wgb ssid-profile ssid-profile-name

Maps a radio interface to a WGB SSID profile.

Example:
Device# configure dot11Radio 0/3/0 mode wgb ssid-profile bgl18

Step 4

configure dot11Radio radio-int mode uwgb mac-addr ssid-profile ssid-profile-name

Maps a radio interface to a WGB SSID profile.

Example:
Device# configure dot11Radio 0/3/0 mode uwgb 0042.5AB6.0EF0 ssid-profile bgl18

Step 5

configure dot11Radio radio-int {enable | disable}

Configures a radio interface.

Note
After configuring the uplink to the SSID profile, we recommend that you disable and enable the radio for the changes to be active.

Example:
Device# configure dot11Radio 0/3/0 mode enable

Step 6

configure dot11Radio radio-int antenna {a-antenna | ab-antenna | abc-antenna | abcd-antenna}

Configures a radio antenna.

Example:
Device# configure dot11Radio 0/3/0 antenna a-antenna

Step 7

configure dot11Radio radio-int encryption mode ciphers aes-ccm

Configures the radio interface.

Example:
Device# configure dot11Radio radio-int encryption mode ciphers aes-ccm

Step 8

configure wgb mobile rate {basic 6 9 18 24 36 48 54 | mcs mcs-rate}

Configures the device channel rate.

Example:
Device# configure wgb mobile rate basic 6 9 18 24 36 48 54

Step 9

configure wgb mobile period seconds thres-signal

Configures the threshold duration and signal strength to trigger scanning.

Example:
Device# configure wgb mobile period 30 -50

Step 10

configure wgb mobile station interface dot11Radio radio-int scan channel-number add

Configures the static roaming channel.

Example:
Device# configure wgb mobile station interface dot11Radio 0/3/0 scan 2 add

Step 11

configure wgb mobile station interface dot11Radio radio-int scan channel-number delete

(Optional) Deletes the mobile channel.

Example:
Device# configure wgb mobile station interface dot11Radio 0/3/0 scan 2 delete

Step 12

configure wgb mobile station interface dot11Radio radio-int scan disable

(Optional) Disables the mobile channel.

Example:
Device# configure wgb mobile station interface dot11Radio 0/3/0 scan disable

Step 13

configure wgb beacon miss-count value

(Optional) Configures the beacon miss-count. By default, this is set to disabled.

Note
When you set the beacon miss-count value to 10 or lower, the beacon miss-count gets disabled. Set the value to 11 or higher to enable this function.

Example:
Device# configure wgb beacon miss-count 12

Step 14

show wgb wifi wifi-interface stats

(Optional) Displays the Wi-Fi station statistics.

Example:
Device# show wgb wifi 0/3/0 stats

Step 15

show controllers dot11Radio radio-interface antenna

(Optional) Displays the radio antenna statistics.

Example:
Device# show controllers dot11Radio 0/3/0 antenna

Step 16

show wgb mobile scan channel

(Optional) Displays the mobile station channels scan configuration.

Example:
Device# show wgb mobile scan channel

Step 17

show configuration

(Optional) Displays the configuration that is stored in the NV memory.

Example:
Device# show configuration

Step 18

show running-config

(Optional) Displays the running configuration in the device.

Example:
Device# show running-config

Configuring Workgroup Bridge Timeouts (CLI)

Procedure

Step 1

configure wgb association response timeout response-millisecs

Configures the WGB association response timeout. The default value is 5000 milliseconds. The valid range is between 300 and 5000 milliseconds.

Example:
Device# configure wgb association response timeout 4000

Step 2

configure wgb authentication response timeout response-millisecs

Configures the WGB authentication response timeout. The default value is 5000 milliseconds. The valid range is between 300 and 5000 milliseconds.

Example:
Device# configure wgb authentication response timeout 4000

Step 3

configure wgb uclient timeout timeout-secs

Configures the Universal WGB client response timeout. The default timeout value is 60 seconds. The valid range is between 1 and 65535 seconds.

Example:
Device# configure wgb uclient timeout 70

Step 4

configure wgb eap timeout timeout-secs

Configures the WGB EAP timeout. The default timeout value is 3 seconds. The valid range is between 2 and 60 seconds.

Example:
Device# configure wgb eap timeout 20

Step 5

configure wgb channel scan timeout {fast | medium | slow}

Configures the WGB channel scan timeout.

Example:
Device# configure wgb channel scan timeout slow

Step 6

configure wgb dhcp response timeout timeout-secs

Configures the WGB DHCP response timeout. The default value is 60 seconds. The valid range is between 1000 and 60000 milliseconds.

Example:
Device# configure wgb dhcp response timeout 70

Step 7

show wgb dot11 association

Displays the WGB association summary.

Example:
Device# show wgb dot11 association


Configuring Bridge Forwarding for Workgroup Bridge (CLI)

Before you begin

The Cisco Wave 2 APs as Workgroup Bridge recognize the Ethernet clients only when the traffic has the bridging tag. We recommend setting the WGB bridge client timeout value to the default value of 300 seconds, or less in environments where change is expected, such as:
· Ethernet cable is unplugged and plugged back.
· Endpoint is changed.
· Endpoint IP is changed (static to DHCP and vice versa).
If you need to retain the client entry in the WGB table for a longer duration, we recommend that you increase the client WGB bridge timeout duration.

Procedure

Step 1

configure wgb bridge client add mac-address

Adds a WGB client using the MAC address.

Example:
Device# configure wgb bridge client add F866.F267.7DFB

Step 2

configure wgb bridge client timeout timeout-secs

Configures the WGB bridge client timeout. The default timeout value is 300 seconds. The valid range is between 10 and 1000000 seconds.

Example:
Device# configure wgb bridge client timeout 400

Step 3

show wgb bridge

Displays the WGB wired clients over the bridge.

Example:
Device# show wgb bridge

Step 4

show wgb bridge wired gigabitEthernet interface

Displays the WGB Gigabit wired clients over the bridge.

Example:
Device# show wgb bridge wired gigabitEthernet 0/1

Step 5

show wgb bridge dot11Radio interface-number

Displays the WGB bridge radio interface summary.

Example:
Device# show wgb bridge dot11Radio 0/3/1

CHAPTER 166

Peer-to-Peer Client Support

· Information About Peer-to-Peer Client Support, on page 1653
· Configure Peer-to-Peer Client Support, on page 1653

Information About Peer-to-Peer Client Support

Peer-to-peer client support can be applied to individual WLANs, with each client inheriting the peer-to-peer blocking setting of the WLAN to which it is associated. The Peer-to-Peer Client Support feature provides granular control over how traffic is directed. For example, you can choose to have traffic bridged locally within a device, dropped by a device, or forwarded to the upstream VLAN. Peer-to-peer blocking is supported for clients that are associated with the local switching WLAN.

Restrictions

· Peer-to-peer blocking does not apply to multicast traffic.
· Peer-to-peer blocking is not enabled by default.
· In FlexConnect, peer-to-peer blocking configuration cannot be applied only to a particular FlexConnect AP or a subset of APs. It is applied to all the FlexConnect APs that broadcast the SSID.
· FlexConnect central switching clients support peer-to-peer upstream-forward. However, this is not supported in FlexConnect local switching; it is treated as peer-to-peer drop and client packets are dropped. FlexConnect central switching clients support peer-to-peer blocking for clients associated with different APs. However, for FlexConnect local switching, this solution targets only clients connected to the same AP. FlexConnect ACLs can be used as a workaround for this limitation.

Configure Peer-to-Peer Client Support

Follow the procedure given below to configure Peer-to-Peer Client Support:

Procedure

Step 1

configure terminal

Enters global configuration mode.

Example:
Device# configure terminal

Step 2

wlan profile-name

Enters WLAN configuration submode. The profile-name is the profile name of the configured WLAN.

Example:
Device(config)# wlan wlan1

Step 3

peer-blocking [allow-private-group | drop | forward-upstream]

Configures peer to peer blocking parameters. The keywords are as follows:
· allow-private-group--Enables peer-to-peer blocking on the Allow Private Group action.
· drop--Enables peer-to-peer blocking on the drop action.
· forward-upstream--No action is taken and forwards packets to the upstream.

Note
The forward-upstream option is not supported for Flex local switching. Traffic is dropped even if this option is configured. Also, peer to peer blocking for local switching SSIDs is available only for the clients on the same AP.

Example:
Device(config-wlan)# peer-blocking drop

Step 4

end

Returns to privileged EXEC mode.

Example:
Device(config)# end

Step 5

show wlan id wlan-id

Displays the details of the selected WLAN.

Example:
Device# show wlan id 12

CHAPTER 167

Wireless Guest Access

· Wireless Guest Access, on page 1655
· Load Balancing Among Multiple Guest Controllers, on page 1659
· Guidelines and Limitations for Wireless Guest Access, on page 1659
· Configure Mobility Tunnel for Guest Access (GUI), on page 1660
· Configure Mobility Tunnel for Guest Access (CLI), on page 1660
· Configuring Guest Access Policy (GUI), on page 1660
· Configuring Guest Access Policy (CLI), on page 1661
· Viewing Guest Access Debug Information (CLI), on page 1663
· Configure Guest Access Using Different Security Methods, on page 1663
Wireless Guest Access
The Wireless Guest Access feature addresses the need to provide internet access to guests in a secure and accountable manner. The implementation of a wireless guest network uses the enterprise's existing wireless and wired infrastructure to the maximum extent. This reduces the cost and complexity of building a physical overlay network. The Wireless Guest Access solution comprises two controllers: a Guest Foreign and a Guest Anchor. An administrator can limit bandwidth and shape the guest traffic to avoid impacting the performance of the internal network.

Note

· When a client joins through a CAPWAP tunnel from an AP, the RADIUS NAS-Port-Type is set as "wireless 802.11". Here, Point of Attachment (PoA) and Point of Presence (PoP) are the same.
· When a client joins through a mobility tunnel, the RADIUS NAS-Port-Type is set as "virtual". Here, PoA is the Foreign controller and PoP is the Anchor controller as the client is anchored. For information on the standard types, see the following link:
https://www.iana.org/assignments/radius-types/radius-types.xhtml#radius-types-13

The Wireless Guest Access feature comprises the following functions:
· Guest Anchor controller is the point of presence for a client.
· Guest Anchor Controller provides internal security by forwarding the traffic from a guest client to a Cisco Wireless Controller in the demilitarized zone (DMZ) network through the anchor controller.


· Guest Foreign controller is the point of attachment of the client.
· Guest Foreign Controller is a dedicated guest WLAN or SSID and is implemented throughout the campus wireless network wherever guest access is required. A WLAN with mobility anchor (guest controller) configured on it identifies the guest WLAN.
· Guest traffic segregation implements Layer 2 or Layer 3 techniques across the campus network to restrict the locations where guests are allowed.
· Guest user-level QoS is used for rate limiting and shaping, although it is widely implemented to restrict the bandwidth usage for a guest user.
· Access control involves using embedded access control functionality within the campus network, or implementing an external platform to control guest access to the Internet from the enterprise network.
· Authentication and authorization of guests that are based on variables, including date, duration, and bandwidth.
· An audit mechanism to track who is currently using, or has used, the network.
· A wider coverage is provided by including areas such as lobbies and other common areas that are otherwise not wired for network connectivity.
· The need for designated guest access areas or rooms is removed.

Note To use IRCM with AireOS in your network, contact Cisco TAC for assistance.

Table 86: Supported Controllers

Controller Name | Supported as Guest Anchor | Supported as Guest Foreign
Cisco Catalyst 9800-40 Wireless Controller | Yes | Yes
Cisco Catalyst 9800-80 Wireless Controller | Yes | Yes
Cisco Catalyst 9800-CL Wireless Controller | Yes | Yes
Cisco Catalyst 9800-L Wireless Controller | Yes | Yes
Cisco Catalyst 9800 Embedded Wireless Controller for Switch | No | No

Note
The Cisco Catalyst 9105 Series APs, Cisco Catalyst 9115 Series APs, Cisco Catalyst 9117 Series APs, Cisco Catalyst 9120AX Series APs, Cisco Catalyst 9124AX Series APs, and Cisco Catalyst 9130 Series APs are not supported for both Guest Anchor and Guest Foreign.

Following is a list of features supported by Cisco Guest Access:

Supported Features
· Sleeping Clients
· FQDN
· AVC (AP upstream and downstream)
· Native Profiling
· Open Authentication
· OpenDNS
· Supported Security Methods:
  · MAB Central Web Authentication (CWA)
  · Local Web Authentication (LWA)
  · LWA on MAB Failure
  · 802.1x + CWA
  · 802.1x
  · PSK
  · 802.1x + LWA
  · PSK + CWA
  · PSK + LWA
  · iPSK + CWA
  · MAB Failure + PSK
  · MAB Failure + OWE
  · MAB Failure + SAE
· SSID QoS Upstream and Downstream (Foreign)
· AP/Client SSO
· Static IP Roaming
· Client IPv6
· Roaming across controllers
· RADIUS Accounting
Note In a guest access scenario, accounting is always performed at the foreign controller for all authentication methods.

· QoS: Client-Level Rate Limiting
· Guest Anchor Load Balancing
· Workgroup Bridges (WGB)

Note
To enable the controller to support multiple VLANs from a WGB, use the wgb vlan command.

Foreign Map Overview

Guest Access supports Foreign Map using the Policy Profile and WLAN Profile configuration models in Cisco Catalyst 9800 Series Wireless Controller. Foreign Map support in Cisco Catalyst 9800 Series Wireless Controller is achieved with the following policy profile and WLAN profile config model.

· Guest Foreign commands:
  · Foreign1: wlanProf1 PolicyProf1
  · Foreign2: wlanProf2 PolicyProf2
· Guest Anchor commands:
  · wlanProf1, wlanProf2
  · PolicyProf1: Vlan100 - subnet1
  · PolicyProf2: Vlan200 - subnet2

Foreign Map Roaming

Configure two different WLAN profiles on the two Guest Foreigns; seamless roaming is not allowed between them. This is the expected configuration. However, seamless roaming is allowed if the same WLAN profile is configured on two Guest Foreigns, but it prevents the Foreign Map feature from working.
Wireless Guest Access: Use Cases
The wireless guest access feature can be used to meet different requirements. Some of the possibilities are shared here.
Scenario One: Providing Secured Network Access During Company Merger

This feature can be configured to allow employees of company A who are visiting company B to access company A resources on the company B network securely.

Cisco Catalyst 9800 Series Wireless Controller Software Configuration Guide, Cisco IOS XE Bengaluru 17.5.x 1658

WLAN

Load Balancing Among Multiple Guest Controllers

Scenario Two: Shared Services over an Existing Setup
Using this feature, you can provide multiple services from multiple vendors piggybacking on the existing network. A company can provide services on an SSID that is anchored on the existing controller, while the existing service continues to be served over the same controller and network.
Load Balancing Among Multiple Guest Controllers
· You can configure export anchors to load balance large guest client volumes. For a single export foreign guest WLAN configuration, up to 72 controllers are allowed. To configure mobility guest controllers, use the mobility anchor ip-address command.
· You can specify primary anchors with priority (1,3) and choose another anchor as a backup in case of failure.
· In a multi-anchor scenario, when the primary anchor goes down, the clients are disconnected from the primary anchor and join the secondary anchor.
Guidelines and Limitations for Wireless Guest Access
· Match the security profiles under the WLAN on both the Guest Foreign and the Guest Anchor.
· Match the policy profile attributes, such as NAC and AAA Override, on both the Guest Foreign and Guest Anchor controllers.
· On the Export Anchor, the WLAN profile name and policy profile name are chosen when a client joins at runtime, and they must match those on the Guest Foreign controller.
Troubleshooting IPv6
When a guest export client cannot get a routable IPv6 address through SLAAC, or cannot pass traffic when the IPv6 address is learned through DHCPv6, you can use the following workarounds:
· On IPv6 routers: You can work around the RA multicast-to-unicast conversion by modifying the behaviour of the IPv6 gateway. Depending on the product, this may be the default behaviour or may require configuration.
· On Cisco IPv6 routers:
  · Cisco Nexus platform: Has solicited unicast RA enabled by default to help with wireless deployment.
  · Cisco IOS-XE platform: Use the following configuration command to turn on unicast RA to help with wireless deployment: ipv6 nd ra solicited unicast
· On non-Cisco IPv6 routers: If a non-Cisco network device does not support a configuration command to enable solicited unicast RA, no workaround exists.


Configure Mobility Tunnel for Guest Access (GUI)
Procedure
Step 1: Choose Configure > Tags and Profiles > WLANs.
Step 2: In the Wireless Networks area, click the relevant WLAN or RLAN and click Mobility Anchor.
Step 3: In the Wireless Network Details section, choose a device from the Switch IP Address drop-down list.
Step 4: Click Apply.

Configure Mobility Tunnel for Guest Access (CLI)
Follow the procedure given below to configure a mobility tunnel.

Procedure

Step 1: wireless mobility group name group-name
Example: Device(config)# wireless mobility group name mtunnelgrp
Purpose: Configures a mobility group.

Step 2: wireless mobility mac-address mac-address
Example: Device(config)# wireless mobility mac-address 0d:4c:da:3a:f2:21
Purpose: Configures a mobility MAC address.

Step 3: wireless mobility group member mac-address mac-address ip ip-address group group-name
Example: Device(config)# wireless mobility group member mac-address df:07:a1:a7:a8:55 ip 206.223.123.2 group mtgrp
Purpose: Configures a mobility peer.

Configuring Guest Access Policy (GUI)
Procedure
Step 1: Choose Configuration > Tags & Profiles > Policy.
Step 2: Click Add.
Step 3: In the General tab, enter the Name and enable the Central Switching toggle button.
Step 4: In the Access Policies tab, under the VLAN settings, choose the VLANs from the VLAN/VLAN Group drop-down list.
Step 5: In the Mobility tab, under the Mobility Anchors settings, check the Export Anchor check box.
Step 6: In the Advanced tab, under the WLAN Timeout settings, enter the Idle Timeout (sec).
Step 7: Click Apply to Device.

Configuring Guest Access Policy (CLI)
Follow the procedure given below to create and configure the guest access policy profile. Alternatively, you may use the existing default policy profile after configuring the mobility anchor in that policy.
You can only configure anchors that are peers. Ensure that the IP address used is a mobility peer and is included in the mobility group. The system shows an invalid anchor IP address error message when any other IP address is used.
Before deleting the mobility group, ensure that the mobility peer that is also a mobility anchor is removed from the policy profile.

Note
· No payload is sent to the Guest Foreign to display the VLAN.
· To avoid a client exclusion from occurring due to the VLAN, Cisco Catalyst 9800 Series Controllers need to define the VLAN along with the associated name being pushed from ISE.

Procedure

Step 1: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: wireless profile policy wlan_policy_profile
Example: Device(config)# wireless profile policy guest-test-policy
Purpose: Configures the policy profile and enters wireless profile configuration mode.
Note: You can use the default-policy-profile to configure the profile policy.

Step 3: shutdown
Example: Device(config-wireless-policy)# shutdown
Purpose: Shuts down the policy, if it exists, before configuring the anchor.

Step 4: central switching
Example: Device(config-wireless-policy)# central switching
Purpose: (Optional) Enables central switching.

Step 5: Choose the first option to configure the Guest Foreign or the second option to configure the Guest Anchor:
· mobility anchor anchor-ip-address
· mobility anchor
Example (Guest Foreign): Device(config-wireless-policy)# mobility anchor 19.0.2.1
Example (Guest Anchor): Device(config-wireless-policy)# mobility anchor
Purpose: Configures the Guest Foreign or Guest Anchor.

Step 6: idle-timeout timeout
Example: Device(config-wireless-policy)# idle-timeout 1000
Purpose: (Optional) Configures the duration of the idle timeout, in seconds.

Step 7: vlan vlan-id
Example: Device(config-wireless-policy)# vlan 2
Purpose: Configures the VLAN name or VLAN ID.
Note: VLAN is optional for a Guest Foreign controller.

Step 8: no shutdown
Example: Device(config-wireless-policy)# no shutdown
Purpose: Enables the policy profile.

Step 9: end
Example: Device(config-wireless-policy)# end
Purpose: Exits configuration mode and returns to privileged EXEC mode.

Step 10: show wireless profile policy summary
Example: Device# show wireless profile policy summary
Purpose: (Optional) Displays the configured profiles.

Step 11: show wireless profile policy detailed policy-profile-name
Example: Device# show wireless profile policy detailed guest-test-policy
Purpose: (Optional) Displays detailed information about a policy profile.
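The guideline that WLAN security and the NAC/AAA-override policy attributes must match on Guest Foreign and Guest Anchor, together with the requirement in this procedure that the anchor IP address be a mobility peer, can be checked offline before the change window. The script below is an added example and not part of the Cisco guide; it parses constructed running-config fragments (all addresses, MACs and profile names are sample values) and reports every deviation it finds.

```python
"""Consistency check for a Catalyst 9800 Guest Foreign / Guest Anchor pair.

Added example, not from the configuration guide. Parses IOS XE-style running-config
fragments and checks the guide's guidelines: WLAN security and the NAC / AAA-override
policy attributes must match on both controllers, the Foreign's anchor IP must be a
mobility peer, and the Anchor must carry the bare 'mobility anchor' (export anchor) line.
"""
import re
from typing import Dict, List, Optional

# Constructed sample fragments; addresses, MACs and names are not from a real site.
FOREIGN_CFG = """\
wireless mobility group name mtunnelgrp
wireless mobility mac-address 0d:4c:da:3a:f2:21
wireless mobility group member mac-address df:07:a1:a7:a8:55 ip 206.223.123.2 group mtunnelgrp
wlan guest-wlan 10 guest-ssid
 no security wpa
 no security wpa akm dot1x
 security web-auth
wireless profile policy guest-test-policy
 central switching
 aaa-override
 nac
 mobility anchor 206.223.123.2
 no shutdown
"""
ANCHOR_CFG = """\
wlan guest-wlan 10 guest-ssid
 no security wpa
 no security wpa akm dot1x
 security web-auth
wireless profile policy guest-test-policy
 central switching
 aaa-override
 nac
 mobility anchor
 vlan 100
 no shutdown
"""
# The same Anchor after two configuration drifts: web-auth dropped, NAC removed.
BAD_ANCHOR_CFG = ANCHOR_CFG.replace(" security web-auth\n", "").replace(" nac\n", "")

PEER_RE = re.compile(r"^wireless mobility group member mac-address \S+ ip (\S+) group \S+$")
Sections = Dict[str, List[str]]


def parse_sections(cfg: str) -> Sections:
    """Map every top-level line to its indented child lines (IOS XE style)."""
    sections: Sections = {}
    current: Optional[str] = None
    for raw in cfg.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    return sections


def find_section(sections: Sections, prefix: str) -> Optional[List[str]]:
    """Body of the section whose header equals `prefix` or starts with it."""
    for header, body in sections.items():
        if header == prefix or header.startswith(prefix + " "):
            return body
    return None


def check_guest_pair(foreign_cfg: str, anchor_cfg: str, wlan: str, policy: str) -> List[str]:
    """Return findings; an empty list means the Foreign/Anchor pair is consistent."""
    findings: List[str] = []
    f, a = parse_sections(foreign_cfg), parse_sections(anchor_cfg)
    f_wlan, a_wlan = find_section(f, f"wlan {wlan}"), find_section(a, f"wlan {wlan}")
    f_pol, a_pol = (find_section(s, f"wireless profile policy {policy}") for s in (f, a))
    if None in (f_wlan, a_wlan, f_pol, a_pol):
        return [f"wlan {wlan} and policy {policy} must exist on both controllers"]
    # Guideline: the security profile under the WLAN must match on both sides.
    sec_f = {l for l in f_wlan if l.startswith(("security ", "no security "))}
    sec_a = {l for l in a_wlan if l.startswith(("security ", "no security "))}
    for line in sorted(sec_f ^ sec_a):
        findings.append(f"WLAN security mismatch: '{line}' only on Guest "
                        f"{'Foreign' if line in sec_f else 'Anchor'}")
    # Guideline: NAC and AAA override must match on both policy profiles.
    for attr in ("nac", "aaa-override"):
        if (attr in f_pol) != (attr in a_pol):
            findings.append(f"policy attribute '{attr}' differs between Foreign and Anchor")
    # Foreign: 'mobility anchor <ip>' where <ip> is a configured mobility peer;
    # any other address is rejected with an invalid anchor IP address error.
    peers = {m.group(1) for m in map(PEER_RE.match, f) if m}
    anchor_ips = [l.split()[2] for l in f_pol if l.startswith("mobility anchor ")]
    if not anchor_ips:
        findings.append("Guest Foreign policy has no 'mobility anchor <ip>'")
    for ip in sorted(set(anchor_ips) - peers):
        findings.append(f"anchor {ip} is not a mobility peer (invalid anchor IP address)")
    # Anchor: the bare 'mobility anchor' marks the profile as an export anchor.
    if "mobility anchor" not in a_pol:
        findings.append("Guest Anchor policy lacks the bare 'mobility anchor' statement")
    for side, pol in (("Foreign", f_pol), ("Anchor", a_pol)):
        if "central switching" not in pol:
            findings.append(f"Guest {side} policy profile is not centrally switched")
    return findings
```

Feed it the output of show running-config from each controller; a non-empty list is the reason the pair will not roam or anchor as expected.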


Viewing Guest Access Debug Information (CLI)
· To display client-level detailed information about the mobility state and the anchor IP address, use the following command:
  show wireless client mac-address mac-address detail
· To display the client mobility statistics, use the following command:
  show wireless client mac-address mac-address mobility statistics
· To display the client-level roam history for an active client in a sub-domain, use the following command:
  show wireless client mac-address mac-address mobility history
· To display detailed parameters of a given policy profile, use the following command:
  show wireless profile policy detailed policy-name
· To display the global-level summary for all mobility messages, use the following command:
  show wireless mobility summary
· To display the statistics for the Mobility manager, use the following command:
  show wireless stats mobility
Configure Guest Access Using Different Security Methods
The following sections describe how to configure guest access with each of the supported security methods.
Open Authentication
To configure guest access with open authentication, follow these steps:
1. Configuring the WLAN Profile
2. Configuring Guest Access Policy (CLI), on page 1661

Note No tag is required unless AVC is enabled.
Configure a WLAN Profile for Guest Access with Open Authentication (GUI)
Procedure
Step 1: Choose Configuration > Tags & Profiles > WLANs.
Step 2: Click Add.
Step 3: In the General tab, enter the Profile Name, the SSID and the WLAN ID. Choose the radio policy from the Radio Policy drop-down list. Enable or disable the Status and Broadcast SSID toggle buttons.
Step 4: Choose Security > Layer2 tab. Uncheck the WPA Policy, WPA2 Policy, AES and 802.1x check boxes.
Step 5: Click Apply to Device.

Configure a WLAN Profile For Guest Access with Open Authentication (CLI)

Procedure

Step 1: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: wlan profile-name wlan-id ssid-name
Example: Device(config)# wlan mywlan 34 mywlan-ssid
Purpose: Configures the WLAN and SSID.

Step 3: no security wpa
Example: Device(config-wlan)# no security wpa
Purpose: Disables WPA security.

Step 4: no security wpa akm dot1x
Example: Device(config-wlan)# no security wpa akm dot1x
Purpose: Disables the security AKM for dot1x.

Step 5: no security wpa wpa2
Example: Device(config-wlan)# no security wpa wpa2
Purpose: Disables WPA2 security.

Step 6: no security wpa wpa2 ciphers aes
Example: Device(config-wlan)# no security wpa wpa2 ciphers aes
Purpose: Disables the WPA2 AES ciphers.

Step 7: no shutdown
Example: Device(config-wlan)# no shutdown
Purpose: Saves the configuration.


Configuring a Policy Profile

Procedure

Step 1: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: wireless profile policy wlan-policy-profile
Example: Device(config)# wireless profile policy open_it
Purpose: Configures the WLAN policy profile and enters wireless policy configuration mode.

Step 3: Choose the first option to configure a Guest Foreign or the second option to configure a Guest Anchor:
· mobility anchor anchor-ip-address
· mobility anchor
Example (Guest Foreign): Device(config-wireless-policy)# mobility anchor 19.0.2.1
Example (Guest Anchor): Device(config-wireless-policy)# mobility anchor
Purpose: Configures the Guest Foreign or Guest Anchor.

Step 4: central switching
Example: Device(config-wireless-policy)# central switching
Purpose: Enables central switching.

Step 5: vlan id
Example: Device(config-wireless-policy)# vlan 16
Purpose: Configures a VLAN name or VLAN ID.
Note: VLAN is optional for a Guest Foreign controller.

Step 6: no shutdown
Example: Device(config-wireless-policy)# no shutdown
Purpose: Enables the policy profile.

Local Web Authentication
To configure LWA, follow these steps:
1. Configure a Parameter Map (CLI)
2. Configure a WLAN Profile for Guest Access with Local Web Authentication (CLI)
3. Applying Policy Profile on a WLAN
4. Configure an AAA Server for Local Web Authentication (CLI)
Configure a Parameter Map (GUI)
Procedure
Step 1: Choose Configuration > Security > Web Auth.
Step 2: Click Add.
Step 3: Enter the Parameter-map name, Maximum HTTP connections, Init-State Timeout(secs) and choose webauth in the Type drop-down list.
Step 4: Click Apply to Device.

Configure a Parameter Map (CLI)

Procedure

Step 1: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: parameter-map type webauth global
Example: Device(config)# parameter-map type webauth global
Purpose: Creates a parameter map and enters parameter-map webauth configuration mode.

Step 3: type webauth
Example: Device(config-params-parameter-map)# type webauth
Purpose: Configures the webauth type parameter.

Step 4: timeout init-state sec timeout-seconds
Example: Device(config-params-parameter-map)# timeout init-state sec 3600
Purpose: Configures the WEBAUTH timeout in seconds. The valid range for the time in sec parameter is 60 to 3932100 seconds.

Step 5: virtual-ip ipv4 virtual_IP_address
Example: Device(config-params-parameter-map)# virtual-ip ipv4 209.165.201.1
Purpose: Configures a VLAN name or VLAN ID.


Configure a WLAN Profile for Guest Access with Local Web Authentication (GUI)
Procedure
Step 1: Choose Configuration > Tags & Profiles > WLANs.
Step 2: Click on the WLAN name.
Step 3: Choose Security > Layer3.
Step 4: Check the Web Policy check box.
Step 5: Choose a parameter map from the Web Auth Parameter Map drop-down list.
Step 6: Choose an authentication list from the Authentication List drop-down list.
Step 7: Click Update & Apply to Device.

Configure a WLAN Profile for Guest Access with Local Web Authentication (CLI)

Procedure

Step 1: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: wlan profile-name wlan-id ssid-name
Example: Device(config)# wlan mywlan 38 mywlan-ssid1
Purpose: Configures the WLAN and SSID.

Step 3: security web-auth
Example: Device(config-wlan)# security web-auth
Purpose: Enables web authentication for a WLAN.

Step 4: security web-auth parameter-map default
Example: Device(config-wlan)# security web-auth parameter-map default
Purpose: Configures the default parameter map.
Note: When security web-auth is enabled, the default authentication-list and the global parameter-map are mapped by default. This applies to any authentication-list and parameter-map that are not explicitly mentioned.

Step 5: security web-auth parameter-map global
Example: Device(config-wlan)# security web-auth parameter-map global
Purpose: Configures the global parameter map.

Step 6: security web-auth authentication-list LWA-AUTHENTICATION
Example: Device(config-wlan)# security web-auth authentication-list LWA-AUTHENTICATION
Purpose: Sets the authentication list for IEEE 802.1x.

Configure an AAA Server for Local Web Authentication (GUI)

Procedure
Step 1: Choose Configuration > Security > AAA > AAA Advanced > Global Config.
Step 2: Choose the options from the Local Authentication, Authentication Method List, Local Authorization and Authorization Method List drop-down lists.
Step 3: Enable or disable the Radius Server Load Balance using the toggle button.
Step 4: Check the Interim Update check box.
Step 5: Click Apply.

Configure an AAA Server for Local Web Authentication (CLI)

Procedure

Step 1: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: aaa authentication login LWA-AUTHENTICATION local
Example: Device(config)# aaa authentication login LWA-AUTHENTICATION local
Purpose: Defines the authentication method at login.

Step 3: aaa authorization network default local if-authenticated
Example: Device(config)# aaa authorization network default local if-authenticated
Purpose: Sets the authorization method to local if the user has authenticated.

Global Configuration
Follow the procedure given below for global configuration:


Procedure

Step 1: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: username name password 0 clear-text-password
Example: Device(config)# username base password 0 pass1
Purpose: Sets the clear-text password for the user.

Step 3: ip http server
Example: Device(config)# ip http server
Purpose: Enables the HTTP server.

Step 4: ip http authentication local
Example: Device(config)# ip http authentication local
Purpose: Sets the HTTP server authentication method to local.
Note: You will get admin access rights regardless of the user privilege if ip http authentication local is disabled and the username is the same as the enable password.
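The note above is a reason to audit the web-authentication wiring as a whole before the WLAN goes live: the HTTP server must carry its authentication method, and every authentication or authorization list a WLAN names must actually be defined by an aaa command. The audit below is an added example and not part of the Cisco guide; it runs over a constructed running-config fragment in which the LWA list is capitalised differently on the WLAN and in the aaa command, the HTTP server has no authentication method, and the local user has a type-0 password.

```python
"""Cross-reference audit of web-authentication AAA wiring on a Catalyst 9800.

Added example, not from the configuration guide. Works on running-config text:
every authentication or authorization list a WLAN references must be defined by
an 'aaa ...' command (names compared exactly as typed), the HTTP server used for
the web-auth portal must have an authentication method (the Global Configuration
note), and users with type-0 (clear-text) passwords are reported.
"""
import re
from typing import Dict, List, Optional, Set

# Constructed sample: the LWA list is capitalised differently on the WLAN and in
# the aaa command, 'ip http server' has no authentication method, and the user
# password is stored in clear text.
SAMPLE_CFG = """\
aaa new-model
aaa authentication login lwa-authentication local
aaa authorization network default local if-authenticated
aaa authorization network cwa local group ise
username base password 0 pass1
ip http server
wlan mywlan 38 mywlan-ssid1
 security web-auth
 security web-auth parameter-map global
 security web-auth authentication-list LWA-AUTHENTICATION
 no shutdown
wlan cwa-wlan 39 cwa-ssid
 mac-filtering cwa
 no security wpa
 no shutdown
"""

WLAN_HEADER = re.compile(r"^wlan (\S+) \d+ \S+")
CLEARTEXT_USER = re.compile(r"^username (\S+) password 0 ")
LIST_DEFINERS = {
    "aaa authentication login": re.compile(r"^aaa authentication login (\S+)", re.M),
    "aaa authorization network": re.compile(r"^aaa authorization network (\S+)", re.M),
}
# WLAN sub-command -> the aaa command that must define the list it names.
LIST_REFERENCES = {
    "security web-auth authentication-list": "aaa authentication login",
    "security web-auth authorization-list": "aaa authorization network",
    "mac-filtering": "aaa authorization network",
}


def defined_lists(cfg: str) -> Dict[str, Set[str]]:
    """Method-list names defined per aaa command family."""
    return {cmd: set(rx.findall(cfg)) for cmd, rx in LIST_DEFINERS.items()}


def audit_webauth_aaa(cfg: str) -> List[str]:
    """Return findings for dangling list names and weak HTTP / user settings."""
    findings: List[str] = []
    defined = defined_lists(cfg)
    lines = cfg.splitlines()
    wlan: Optional[str] = None
    for raw in lines:
        header = WLAN_HEADER.match(raw)
        if header:
            wlan = header.group(1)
            continue
        if not raw.startswith(" "):
            wlan = None          # any other top-level line ends the wlan block
            continue
        cmd = raw.strip()
        for prefix, definer in LIST_REFERENCES.items():
            if wlan and cmd.startswith(prefix + " "):
                # The list name is the first token after the keyword; mac-filtering
                # may be followed by 'authorization-override <list>', which is skipped.
                name = cmd[len(prefix):].split()[0]
                if name not in defined[definer]:
                    findings.append(f"wlan {wlan}: '{prefix} {name}' has no matching "
                                    f"'{definer} {name}' (defined: {sorted(defined[definer])})")
    # Global Configuration note: with 'ip http server' on and no authentication
    # method, a username matching the enable password is granted admin rights
    # regardless of its privilege level.
    if "ip http server" in lines and not any(l.startswith("ip http authentication ") for l in lines):
        findings.append("'ip http server' is enabled without 'ip http authentication local'")
    for raw in lines:
        user = CLEARTEXT_USER.match(raw)
        if user:
            findings.append(f"user '{user.group(1)}' has a type-0 (clear-text) password")
    return findings
```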

Central Web Authentication
To configure CWA, follow these steps:
1. Configure a WLAN Profile for Guest Access with Central Web Authentication (CLI)
2. Applying Policy Profile to a WLAN, on page 1020
3. AAA Server Configuration (CLI)
4. Creating Redirect ACL, on page 870
Configure a WLAN Profile for Guest Access with Central Web Authentication (GUI)
Procedure
Step 1: Choose Configuration > Tags & Profiles > WLANs.
Step 2: Click Add.
Step 3: In the General tab, enter the Profile Name, the SSID, and the WLAN ID.
Step 4: To enable the WLAN, set Status as Enabled.
Step 5: From the Radio Policy drop-down list, select the radio policy.
Step 6: To enable the Broadcast SSID, set the status as Enabled.
Step 7: Choose Security > Layer2 tab. Uncheck the WPA Policy, WPA2 Policy, AES and 802.1x check boxes.
Step 8: Check the MAC Filtering check box to enable the feature. With MAC Filtering enabled, choose the Authorization list from the Authorization List drop-down list.
Step 9: Click Apply to Device.

Configure a WLAN Profile for Guest Access with Central Web Authentication (CLI)

Procedure

Step 1: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: wlan profile-name wlan-id ssid-name
Example: Device(config)# wlan mywlan 38 mywlan-ssid1
Purpose: Configures the WLAN and SSID.

Step 3: mac-filtering remote_authorization_list_name
Example: Device(config-wlan)# mac-filtering auth-list
Purpose: Enables MAB authentication for the remote RADIUS server.

Step 4: no security w  pa
Example: Device(config-wlan)# no security wpa
Purpose: Disables WPA security.

Step 5: no security wpa akm dot1x
Example: Device(config-wlan)# no security wpa akm dot1x
Purpose: Disables the security AKM for dot1x.

Step 6: no security wpa wpa2
Example: Device(config-wlan)# no security wpa wpa2
Purpose: Disables WPA2 security.

Step 7: no security wpa wpa2 ciphers aes
Example: Device(config-wlan)# no security wpa wpa2 ciphers aes
Purpose: Disables the WPA2 AES ciphers.

Step 8: no shutdown
Example: Device(config-wlan)# no shutdown
Purpose: Saves the configuration.

AAA Server Configuration (GUI)

Procedure

Step 1: Choose Configuration > Security > AAA > Servers/Groups > RADIUS > Server Groups.
Step 2: Click the RADIUS server group.
Step 3: From the MAC-Delimiter drop-down list, choose an option.
Step 4: From the MAC-Filtering drop-down list, choose an option.
Step 5: Enter the Dead-Time (mins).
Step 6: From the Available Servers on the left, move the servers you need to Assigned Servers on the right.
Step 7: Click Update & Apply to Device.
Step 8: Choose Configuration > Security > AAA > Servers/Groups > RADIUS > Servers.
Step 9: Click the RADIUS server.
Step 10: Enter the IPv4/IPv6 Server Address, Auth Port, Acct Port, Server Timeout (seconds) and Retry Count.
Step 11: Check or uncheck the PAC Key check box and choose the Key Type from the Key Type drop-down list. Enter the Key and Confirm Key.
Step 12: Enable or disable the Support for CoA toggle button.
Step 13: Click Update & Apply to Device.

AAA Server Configuration (CLI)

Note Configure the AAA server for the Guest Foreign only.

Procedure

Step 1: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: aaa authorization network authorization-list local group server-group-name
Example: Device(config)# aaa authorization network cwa local group ise
Purpose: Sets the authorization method to local.

Step 3: aaa group server radius server-group-name
Example: Device(config)# aaa group server radius ise
Purpose: Configures the RADIUS server group definition.
Note: server-group-name refers to the server group name. The valid range is from 1 to 32 alphanumeric characters.

Step 4: server name radius-server-name
Example: Device(config-sg-radius)# server name ise1
Purpose: Configures the RADIUS server name.

Step 5: subscriber mac-filtering security-mode mac
Example: Device(config-sg-radius)# subscriber mac-filtering security-mode mac
Purpose: Sets the MAC address as the password.

Step 6: mac-delimiter colon
Example: Device(config-sg-radius)# mac-delimiter colon
Purpose: Sets the MAC address delimiter to colon.

Step 7: end
Example: Device(config-sg-radius)# end
Purpose: Saves the configuration, exits configuration mode, and returns to privileged EXEC mode.

Step 8: radius server name
Example: Device(config)# radius server ISE1
Purpose: Sets the RADIUS server name.

Step 9: address ipv4 radius-server-ipaddress auth-port port-number acct-port port-number
Example: Device(config-radius-server)# address ipv4 209.165.201.1 auth-port 1635 acct-port 33
Purpose: Configures the RADIUS server IP address, authentication port and accounting port.

Configuring 802.1x with Local Web Authentication

Procedure

Step 1: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: wlan wlan-profile wlan-id ssid
Example: Device(config)# wlan testwprofile 22 ssid-3
Purpose: Configures the WLAN and SSID.

Step 3: security dot1x authentication-list default
Example: Device(config-wlan)# security dot1x authentication-list default
Purpose: Configures 802.1X for a WLAN.

Step 4: security web-auth authentication-list authenticate-list-name
Example: Device(config-wlan)# security web-auth authentication-list default
Purpose: Enables the authentication list for 802.1x security on the WLAN.

Step 5: security web-auth parameter-map global
Example: Device(config-wlan)# security web-auth parameter-map global
Purpose: Configures the global parameter map.

Step 6: no shutdown
Example: Device(config-wlan)# no shutdown
Purpose: Enables the WLAN.

Configuring Local Web Authentication with PSK Protocol

Procedure

Step 1: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: wlan wlan-profile wlan-id ssid
Example: Device(config)# wlan psksec-profile 22 ssid-4
Purpose: Configures the WLAN and SSID.

Step 3: no security wpa
Example: Device(config-wlan)# no security wpa
Purpose: Disables WPA security.

Step 4: no security wpa wpa2
Example: Device(config-wlan)# no security wpa wpa2
Purpose: Disables WPA2 security.

Step 5: no security wpa akm dot1x
Example: Device(config-wlan)# no security wpa akm dot1x
Purpose: Disables the security AKM for dot1x.

Step 6: security wpa psk
Example: Device(config-wlan)# security wpa akm psk
Purpose: Enables the security type as PSK.

Step 7: security wpa psk set-key {ascii|hex} key
Example: Device(config-wlan)# security wpa akm psk set-key ascii 0
Purpose: Configures the PSK shared key.

Step 8: security web-auth
Example: Device(config-wlan)# security web-auth
Purpose: Enables web authentication for the WLAN.

Step 9: security web-auth authentication-list default
Example: Device(config-wlan)# security web-auth authentication-list default
Purpose: Enables the authentication list for the WLAN.

Step 10: security web-auth parameter-map global
Example: Device(config-wlan)# security web-auth parameter-map global
Purpose: Configures the global parameter map.

Central Web Authentication with PSK Protocol
To configure CWA with the PSK security protocol, follow these steps:
1. Configure WLAN Profile for Central Web Authentication with PSK Protocol
2. Applying Policy Profile on a WLAN


Configure WLAN Profile for Central Web Authentication with PSK Protocol

Procedure

Step 1: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: wlan wlan-profile wlan-id ssid
Example: Device(config)# wlan cwasec-profile 27 ssid-5
Purpose: Configures the WLAN and SSID.

Step 3: no security wpa
Example: Device(config-wlan)# no security wpa
Purpose: Disables WPA security.

Step 4: no security wpa wpa2
Example: Device(config-wlan)# no security wpa wpa2
Purpose: Disables WPA2 security.

Step 5: no security wpa akm dot1x
Example: Device(config-wlan)# no security wpa akm dot1x
Purpose: Disables the security AKM for dot1x.

Step 6: security wpa psk
Example: Device(config-wlan)# security wpa psk
Purpose: Enables the security type as PSK.

Step 7: security wpa psk set-key {ascii|hex} key
Example: Device(config-wlan)# security wpa psk set-key ascii 0
Purpose: Configures the PSK shared key.

Step 8: mac-filtering authorization_list_name
Example: Device(config-wlan)# mac-filtering cwa-list
Purpose: Enables MAC filtering for PSK web authentication.

Central Web Authentication with iPSK Protocol
To configure CWA with the iPSK security protocol, follow these steps:
1. Configure WLAN Profile for Central Web Authentication with iPSK Protocol


Configure WLAN Profile for Central Web Authentication with iPSK Protocol

Procedure

Step 1: wlan guest-wlan-name wlan-id ssid
Example: Device(config)# wlan ipsk-cwa-profile 28 ssid-6
Purpose: Configures the guest WLAN.

Step 2: no security wpa akm dot1x
Example: Device(config-wlan)# no security wpa akm dot1x
Purpose: Disables the security AKM for 802.1x.

Step 3: security wpa akm psk set-key {ascii|hex} key
Example: Device(config-wlan)# security wpa akm psk set-key ascii 0
Purpose: Configures the PSK AKM shared key.

Step 4: mac-filtering authorization_list_name
Example: Device(config-wlan)# mac-filtering cwa-list
Purpose: Enables MAC filtering for iPSK authentication.

Configure Web Authentication on MAC Address Bypass failure (GUI)
Procedure
Step 1: Click Configuration > Tags and Profiles > WLANs.
Step 2: Click Add to add a new WLAN Profile, or click the one you want to edit.
Step 3: In the Edit WLAN window, complete the following steps:
  a) Choose Security > Layer2 and check the MAC Filtering check box to enable MAC filtering.
  b) From the Authorization List drop-down list, select a value.
  c) Choose the Layer3 tab.
  d) Click Show Advanced Settings and check the On MAC Filter Failure check box.

Configure Web Authentication on MAC Address Bypass Failure (CLI)
You can configure authentication to fall back to web authentication if a client cannot authenticate using the MAC filter (local or RADIUS) while trying to connect to a WLAN. To enable this feature, configure both MAC filtering and web authentication on the device. This also avoids disassociations that happen only because of a MAC filter authentication failure. To configure this feature, follow the procedure:


Configure a Policy Profile

Procedure

Step 1: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: wireless profile policy policy-name
Example: Device(config)# wireless profile policy cwa
Purpose: Configures the WLAN policy profile and enters wireless policy configuration mode.

Step 3: central switching
Example: Device(config-wireless-policy)# central switching
Purpose: Enables central switching.

Step 4: Choose the first option to configure a Guest Foreign or the second option to configure a Guest Anchor:
· mobility anchor anchor-ip-address
· mobility anchor
Example (Guest Foreign): Device(config-wireless-policy)# mobility anchor 19.0.2.1
Example (Guest Anchor): Device(config-wireless-policy)# mobility anchor
Purpose: Configures the Guest Foreign or Guest Anchor.

Step 5: vlan name
Example: Device(config-wireless-policy)# vlan 16
Purpose: Configures a VLAN name or VLAN ID.
Note: VLAN is optional for a Guest Foreign controller.

Step 6: no shutdown
Example: Device(config-wireless-policy)# no shutdown
Purpose: Enables the policy profile.


Configure a WLAN Profile

Procedure

Step 1: wlan guest-wlan-name wlan-id ssid
Example: Device(config)# wlan test-wlan-guest 10 wlan-ssid
Purpose: Configures the guest WLAN.

Step 2: mac-filtering mac-auth-listname authorization-override override-auth-listname
Example: Device(config-wlan)# mac-filtering mac-auth-listname authorization-override
Purpose: Configures MAC filtering support on the WLAN.

Step 3: security web-auth
Example: Device(config-wlan)# security web-auth
Purpose: Enables web authentication.

Step 4: security web-auth on-macfilter-failure
Example: Device(config-wlan)# security web-auth on-macfilter-failure
Purpose: Enables web authentication if MAC filter authentication fails.

Configure WLAN for Web Authentication on MAC Authentication Bypass Failure with Pre-Shared Key (CLI)

Procedure

Step 1: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: wlan profile-name wlan-id SSID_Name
Example: Device(config)# wlan wlan-test 3 ssid-test
Purpose: Enters WLAN configuration submode.
· profile-name: Profile name of the configured WLAN.
· wlan-id: Wireless LAN identifier. The range is from 1 to 512.
· SSID_Name: SSID that can contain 32 alphanumeric characters.
Note: If you have already configured this command, enter the wlan profile-name command.

Step 3: mac-filtering auth-list-name
Example: Device(config-wlan)# mac-filtering test-auth-list
Purpose: Sets the MAC filtering parameters.

Step 4: security wpa psk set-key {ascii|hex} key password
Example: Device(config-wlan)# security wpa psk set-key ascii 0 PASSWORD
Purpose: Configures the PSK AKM shared key.

Step 5: no security wpa akm dot1x
Example: Device(config-wlan)# no security wpa akm dot1x
Purpose: Disables the security AKM for dot1x.

Step 6: security wpa akm psk
Example: Device(config-wlan)# security wpa akm psk
Purpose: Configures PSK support.

Step 7: security web-auth authentication-list authenticate-list-name
Example: Device(config-wlan)# security web-auth authentication-list default
Purpose: Enables the authentication list for dot1x security.

Step 8: security web-auth authorization-list authorize-list-name
Example: Device(config-wlan)# security web-auth authorization-list default
Purpose: Enables the authorization list for dot1x security.

Step 9: security web-auth on-macfilter-failure
Example: Device(config-wlan)# security web-auth on-macfilter-failure
Purpose: Enables web authentication on MAC filter failure.

Step 10: security web-auth parameter-map parameter-map-name
Example: Device(config-wlan)# security web-auth parameter-map WLAN1_MAP
Purpose: Configures the parameter map.
Note: If a parameter map is not associated with a WLAN, the configuration is taken from the global parameter map.

Step 11: no shutdown
Example: Device(config-wlan)# no shutdown
Purpose: Enables the WLAN.

Configure WLAN for Web Authentication on MAC Authentication Bypass Failure with OWE (CLI)

Procedure

Step 1
configure terminal
Example:
Device# configure terminal
Enters global configuration mode.

Step 2
wlan profile-name wlan-id SSID_Name
Example:
Device(config)# wlan wlan-test 3 ssid-test
Enters WLAN configuration submode.
· profile-name: Profile name of the configured WLAN.
· wlan-id: Wireless LAN identifier. Range is from 1 to 512.
· SSID_Name: SSID that can contain 32 alphanumeric characters.
Note
If you have already configured this command, enter the wlan profile-name command.

Step 3
mac-filtering auth-list-name
Example:
Device(config-wlan)# mac-filtering test-auth-list
Sets the MAC filtering parameters.

Step 4
no security wpa akm dot1x
Example:
Device(config-wlan)# no security wpa akm dot1x
Disables security AKM for dot1x.

Step 5
security wpa wpa3
Example:
Device(config-wlan)# security wpa wpa3
Enables WPA3 support.

Step 6
security wpa akm owe
Example:
Device(config-wlan)# security wpa akm owe
Enables WPA3 OWE support.

Step 7
security web-auth authentication-list authenticate-list-name
Example:
Device(config-wlan)# security web-auth authentication-list default
Enables authentication list for dot1x security.

Step 8
security web-auth authorization-list authorize-list-name
Example:
Device(config-wlan)# security web-auth authorization-list default
Enables authorization list for dot1x security.

Step 9
security web-auth on-macfilter-failure
Example:
Device(config-wlan)# security web-auth on-macfilter-failure
Enables web authentication on MAC filter failure.

Step 10
security web-auth parameter-map parameter-map-name
Example:
Device(config-wlan)# security web-auth parameter-map WLAN1_MAP
Configures the parameter map.
Note
If a parameter map is not associated with a WLAN, the configuration is considered from the global parameter map.

Step 11
no shutdown
Example:
Device(config-wlan)# no shutdown
Enables the WLAN.

Configure WLAN for Web Authentication on MAC Authentication Bypass Failure with Secure Agile Exchange (CLI)

Procedure

Step 1
configure terminal
Example:
Device# configure terminal
Enters global configuration mode.

Step 2
wlan profile-name wlan-id SSID_Name
Example:
Device(config)# wlan wlan-test 3 ssid-test
Enters WLAN configuration submode.
· profile-name: Profile name of the configured WLAN.
· wlan-id: Wireless LAN identifier. Range is from 1 to 512.
· SSID_Name: SSID that can contain 32 alphanumeric characters.
Note
If you have already configured this command, enter the wlan profile-name command.

Step 3
mac-filtering auth-list-name
Example:
Device(config-wlan)# mac-filtering test-auth-list
Sets the MAC filtering parameters.

Step 4
no security wpa akm dot1x
Example:
Device(config-wlan)# no security wpa akm dot1x
Disables security AKM for dot1x.

Step 5
security wpa wpa3
Example:
Device(config-wlan)# security wpa wpa3
Enables WPA3 support.

Step 6
security wpa akm sae
Example:
Device(config-wlan)# security wpa akm sae
Enables AKM SAE support.

Step 7
security web-auth authentication-list authenticate-list-name
Example:
Device(config-wlan)# security web-auth authentication-list default
Enables authentication list for dot1x security.

Step 8
security web-auth authorization-list authorize-list-name
Example:
Device(config-wlan)# security web-auth authorization-list default
Enables authorization list for dot1x security.

Step 9
security web-auth on-macfilter-failure
Example:
Device(config-wlan)# security web-auth on-macfilter-failure
Enables web authentication on MAC filter failure.

Step 10
security web-auth parameter-map parameter-map-name
Example:
Device(config-wlan)# security web-auth parameter-map WLAN1_MAP
Configures the parameter map.
Note
If a parameter map is not associated with a WLAN, the configuration is considered from the global parameter map.

Step 11
no shutdown
Example:
Device(config-wlan)# no shutdown
Enables the WLAN.
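The three procedures above differ only in the Layer 2 key management (PSK, OWE or SAE); everything else (MAC filtering, the web-auth lists, on-macfilter-failure, the parameter map, no 802.1X AKM) is common. The following Python audit, added here as an example and not part of the Cisco guide, parses a constructed running-config excerpt (the one-space WLAN sub-mode indentation and the WLAN names are assumptions) and reports, per WLAN that has on-macfilter-failure set, which of those companion commands are missing.

```python
import re
from typing import Dict, List

# Constructed running-config excerpt (not taken from the guide); the one-space
# indentation of WLAN sub-mode commands and the WLAN names are assumptions.
SAMPLE_CONFIG = """\
wlan guest-psk 3 guest-psk
 mac-filtering test-auth-list
 security wpa psk set-key ascii 0 PASSWORD
 no security wpa akm dot1x
 security wpa akm psk
 security web-auth authentication-list default
 security web-auth authorization-list default
 security web-auth on-macfilter-failure
 security web-auth parameter-map WLAN1_MAP
 no shutdown
wlan guest-owe 4 guest-owe
 mac-filtering test-auth-list
 no security wpa akm dot1x
 security wpa wpa3
 security wpa akm owe
 security web-auth on-macfilter-failure
 no shutdown
wlan guest-sae 5 guest-sae
 mac-filtering test-auth-list
 security wpa wpa3
 security wpa akm sae
 security wpa akm dot1x
 security web-auth authentication-list default
 security web-auth on-macfilter-failure
 no shutdown
wlan corp 6 corp-ssid
 security dot1x authentication-list default
 no shutdown
"""

# The three Layer 2 variants documented above: each needs both commands present.
L2_VARIANTS = {
    "psk": ("security wpa psk set-key", "security wpa akm psk"),
    "owe": ("security wpa wpa3", "security wpa akm owe"),
    "sae": ("security wpa wpa3", "security wpa akm sae"),
}


def parse_wlans(config: str) -> Dict[str, List[str]]:
    """Map each WLAN profile name to its sub-mode commands (the indented lines)."""
    wlans: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        m = re.match(r"^wlan (\S+) \d+ \S+$", raw)
        if m:
            current = m.group(1)
            wlans[current] = []
        elif current is not None and raw.startswith(" "):
            wlans[current].append(raw.strip())
        else:
            current = None  # any other top-level line ends the WLAN block
    return wlans


def audit_wlan(cmds: List[str]) -> List[str]:
    """Findings for one WLAN; empty if it has no on-macfilter-failure or is complete."""
    def has(prefix: str) -> bool:
        # Exact command or command followed by arguments; a negated 'no ...' form does not match.
        return any(c == prefix or c.startswith(prefix + " ") for c in cmds)

    if not has("security web-auth on-macfilter-failure"):
        return []
    findings: List[str] = []
    if not has("mac-filtering"):
        findings.append("on-macfilter-failure is set but no mac-filtering auth list is configured")
    matched = [name for name, pair in L2_VARIANTS.items() if all(has(p) for p in pair)]
    if len(matched) != 1:
        findings.append(f"expected exactly one of PSK/OWE/SAE key management, found {matched or 'none'}")
    if has("security wpa akm dot1x"):
        findings.append("802.1X AKM is still enabled; the procedure removes it with 'no security wpa akm dot1x'")
    if not has("security web-auth authentication-list"):
        findings.append("no web-auth authentication list")
    if not has("security web-auth authorization-list"):
        findings.append("no web-auth authorization list")
    if not has("security web-auth parameter-map"):
        findings.append("no WLAN parameter map: the global parameter map applies")
    return findings


def audit_config(config: str) -> Dict[str, List[str]]:
    """Audit every WLAN; WLANs without on-macfilter-failure map to an empty list."""
    return {name: audit_wlan(cmds) for name, cmds in parse_wlans(config).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name, "OK" if not findings else findings)
```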


CHAPTER 168
Wired Guest Access
· Information About Wired Guest Access, on page 1685
· Restrictions for Wired Guest Access, on page 1688
· Configuring Access Switch for Wired Guest Client, on page 1688
· Configuring Access Switch for Foreign Controller, on page 1689
· Configuring Foreign Controller with Open Authentication (GUI), on page 1690
· Configuring Foreign Controller with Open Authentication, on page 1690
· Configuring Foreign Controller with Local Web Authentication (GUI), on page 1692
· Configuring Foreign Controller with Local WEB Authentication, on page 1693
· Configuring Anchor Controller with Open Authentication (GUI), on page 1694
· Configuring Anchor Controller with Open Authentication, on page 1695
· Configuring Anchor Controller with Local Web Authentication (GUI), on page 1696
· Configuring Anchor Controller with Local Web Authentication, on page 1697
· Configuring Session Timeout for a Profile Policy, on page 1698
· Global Configuration (GUI), on page 1699
· Verifying Wired Guest Configurations, on page 1699
· Wired Guest Access--Use Cases, on page 1703
Information About Wired Guest Access
The Wired Guest Access feature enables guest users of an enterprise network that supports both wired and wireless access to connect to the guest access network. The wired guest clients can connect from the designated and configured wired Ethernet ports for the guest access after they complete the configured authentication methods. Wired session guests are directed to a wireless guest controller in a demilitarized zone (DMZ) through a Control And Provisioning of Wireless Access Points (CAPWAP) tunnel. Wired guest access can be configured in a dual-controller configuration that uses both an anchor controller and a foreign controller. A dual-controller configuration isolates wired guest access traffic from the enterprise user traffic. The wired session guests are provided open or web-authenticated access from the wireless controller.
Figure 42: Guest Access Architecture

IPv6 Router Advertisement Forwarding for a Wired Guest
Wired clients get IPv6-based connectivity when they receive an IPv6 Router Advertisement (RA) message. The IPv6 router sends these RA messages, which contain information such as the IPv6 prefix and the router link-local address. RA messages are sent as unicast or multicast messages. Unicast RA messages are routed in the same way as client-directed traffic. Multicast RA messages are forwarded to all the clients present in the intended VLAN. RA message forwarding is enabled by default and requires no specific configuration.
Guest Anchor Controller: The guest anchor controller forwards the RA packets from the receiving VLAN to all the foreign controllers using the mobility data tunnel. The RA packets are tagged with the anchor VLAN to ensure that the message is forwarded to the correct clients through the foreign controller data path.
Guest Foreign Controller: The guest foreign controller forwards the RAs received from the guest anchor to the wired ports on which the wired guest clients are connected. To forward the RAs to the intended clients, the guest foreign controller keeps track of the wired guest clients per interface, access VLANs, and anchor VLANs.
Supported Features
· Cisco Catalyst 9800 Series Wireless Controllers-Anchor
· Cisco AireOS Wireless Controllers-Anchor
· Cisco Catalyst 9800 Series Wireless Controllers-Foreign
· Cisco AireOS Wireless Controllers-Foreign
· Dual controller solution (foreign + anchor) and access switch
· Trunk Ports
· Open Authentication
· Local Web Authentication
To configure Web Authentication, see the Web-based Authentication section of the Cisco Catalyst 9800 Series Wireless Controller Software Configuration Guide.
· Local Web Authentication (web consent).
Note
In AireOS, this is referred to as web pass-through.
· Local Web Authentication + ISE (External Web Authentication).
· LWA (local web authentication), with a username and a password.
· Web consent (LWA + consent), that is, with a username, a password, and the acceptance check box.
· Scale: max 2k clients and 5 guest-LANs (5 VLANs max)
· Client IPv6 support
· Idle Timeout and Session Timeout
· Accounting on Foreign
Note
Statistics computation is not supported.
· Manageability (SNMP/Yang/WebUI)
· QoS Rate-Limiting and MQC Policies (Upstream at foreign; Upstream and Downstream at the anchor)
Note
QoS rate-limiting supports bps rate-limiting; pps rate-limiting is not supported.
· QoS support with AireOS Anchor setup
· Stateful Switch Over (SSO)
· Port Channel support on Anchor and Foreign with no restrictions on the controller's role.
· Access Port on Foreign
· Cisco Umbrella (not supported in AireOS Anchor)
· ACL support at anchor
· Fully Qualified Domain Name (FQDN) URL filtering is supported at the Anchor controller.
· IP theft detection
· Sleeping Client


Restrictions for Wired Guest Access
· A maximum of five guest LANs are supported on the foreign controller.
· A maximum of 2000 clients per foreign controller are supported.
· No Multicast or Broadcast support.
· You can map only one wired VLAN to a guest LAN.
· You can map only one guest LAN to one policy profile.
· Every guest LAN has a unique name, and this name cannot be shared with an RLAN or WLAN.
· Ensure that the Anchor VLAN ID and the wired VLAN ID configured on the Foreign controller are not the same.
· QoS is not supported on VLANs and on physical interfaces of the controller.
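Most of these restrictions can be checked against the intended configuration before it is pushed. The following Python check, added here as an example and not part of the Cisco guide, reads the guest-lan, guest-lan map and wlan lines of a constructed foreign-controller excerpt (names, VLAN numbers and the anchor's policy-to-VLAN table are assumptions; RLAN names would be collected the same way as WLAN names) and reports every restriction the plan breaks.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed foreign-controller excerpt (not from the guide) that breaks several
# restrictions on purpose; names and VLAN numbers are assumptions for this check.
FOREIGN_CONFIG = """\
wlan corp-wlan 1 corp-ssid
guest-lan profile-name gstpro-1 1 wired-vlan 25
guest-lan profile-name gstpro-2 3 wired-vlan 26
guest-lan profile-name corp-wlan 4 wired-vlan 27
guest-lan profile-name gstpro-2 3 wired-vlan 28
wireless guest-lan map gstmap-1
 guest-lan gstpro-1 policy testpro-1
 guest-lan gstpro-2 policy testpro-1
"""

# Constructed anchor side: policy profile name -> VLAN configured with 'vlan' under that policy.
ANCHOR_POLICY_VLANS: Dict[str, int] = {"testpro-1": 25}

MAX_GUEST_LANS_PER_FOREIGN = 5

WLAN_RE = re.compile(r"^wlan (\S+) \d+ \S+$")
GLAN_RE = re.compile(r"^guest-lan profile-name (\S+) (\d+) wired-vlan (\d+)$")
MAP_RE = re.compile(r"^\s+guest-lan (\S+) policy (\S+)$")


def check_foreign_guest_lans(foreign_config: str, anchor_policy_vlans: Dict[str, int]) -> List[str]:
    """Return the restriction violations found in a foreign controller's guest-LAN config."""
    wlan_names: Set[str] = set()
    glan_vlans: Dict[str, Set[int]] = defaultdict(set)   # guest LAN -> wired VLANs given to it
    glan_policy: Dict[str, str] = {}                      # guest LAN -> policy profile
    policy_glans: Dict[str, Set[str]] = defaultdict(set)  # policy profile -> guest LANs
    for line in foreign_config.splitlines():
        if m := WLAN_RE.match(line):
            wlan_names.add(m.group(1))
        elif m := GLAN_RE.match(line):
            glan_vlans[m.group(1)].add(int(m.group(3)))
        elif m := MAP_RE.match(line):
            glan_policy[m.group(1)] = m.group(2)
            policy_glans[m.group(2)].add(m.group(1))

    problems: List[str] = []
    if len(glan_vlans) > MAX_GUEST_LANS_PER_FOREIGN:
        problems.append(f"{len(glan_vlans)} guest LANs defined; the foreign controller "
                        f"supports at most {MAX_GUEST_LANS_PER_FOREIGN}")
    for name, vlans in glan_vlans.items():
        if name in wlan_names:
            problems.append(f"guest LAN {name!r} shares its name with a WLAN")
        if len(vlans) > 1:
            problems.append(f"guest LAN {name!r} is given {len(vlans)} wired VLANs; only one may be mapped")
        policy = glan_policy.get(name)
        if policy is None:
            problems.append(f"guest LAN {name!r} is not mapped to any policy profile")
        elif anchor_policy_vlans.get(policy) in vlans:
            # Anchor VLAN ID and foreign wired VLAN ID must differ.
            problems.append(f"guest LAN {name!r}: anchor VLAN {anchor_policy_vlans[policy]} equals its wired VLAN")
    for policy, names in policy_glans.items():
        if len(names) > 1:
            problems.append(f"policy profile {policy!r} is mapped to {len(names)} guest LANs; only one is allowed")
    return problems


if __name__ == "__main__":
    for problem in check_foreign_guest_lans(FOREIGN_CONFIG, ANCHOR_POLICY_VLANS):
        print("VIOLATION:", problem)
```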

Configuring Access Switch for Wired Guest Client

Procedure

Step 1

Command or Action configure terminal Example:
Device# configure terminal

Purpose Enters global configuration mode.

Step 2

vlan vlan-id Example:
Device(config)#vlan 200

Creates the VLAN ID.

Step 3

exit Example:
Device(config)#exit

Returns to configuration mode.

Step 4
interface GigabitEthernet interface-number
Example:
Device(config)#interface GigabitEthernet1/0/1
Enters the interface to be added to the VLAN.

Step 5
switchport access vlan vlan-id
Example:
Device(config-if)#switchport access vlan 200
Assigns the port to a VLAN. The valid VLAN ID range is between 1 and 4094.

Step 6
switchport mode access
Example:
Device(config-if)#switchport mode access
Defines the VLAN membership mode for the port.

Step 7
no cdp enable
Example:
Device(config-if)#no cdp enable
Disables CDP on the interface.

Step 8
end
Example:
Device(config-if)#end
Saves the configuration, exits configuration mode, and returns to privileged EXEC mode.

Configuring Access Switch for Foreign Controller

Procedure

Step 1

Command or Action configure terminal Example:
Device# configure terminal

Purpose Enters global configuration mode.

Step 2

vlan vlan-id Example:
Device(config)#vlan 200

Creates the VLAN ID.

Step 3

exit Example:
Device(config)#exit

Returns to configuration mode.

Step 4
interface GigabitEthernet interface-number
Example:
Device(config)#interface GigabitEthernet1/0/2
Enters the interface to be added to the VLAN.

Step 5
switchport trunk allowed vlan vlan-id
Example:
Device(config-if)#switchport trunk allowed vlan 200
Assigns the allowed VLAN ID to the port when it is in trunking mode.

Step 6
switchport mode trunk
Example:
Device(config-if)#switchport mode trunk
Sets the trunking mode to trunk unconditionally.

Step 7
end
Example:
Device(config-if)#end
Saves the configuration, exits configuration mode, and returns to privileged EXEC mode.

Configuring Foreign Controller with Open Authentication (GUI)
Procedure

Step 1
Choose Configuration > Tags & Profiles > Policy.

Step 2
Click on a Policy Name.

Step 3
Go to the Mobility tab.

Step 4
In the Mobility Anchors section, check the Export Anchor check box.

Step 5
Click Apply to Device.

Step 6
Choose Configuration > Wireless > Guest LAN > Guest LAN Configuration.

Step 7
Click Add.

Step 8
In the General tab, enter the Profile Name, Guest LAN ID, and Client Association Limit.

Step 9
Choose the desired mode from the mDNS Mode drop-down list.

Step 10
Enable or disable the Status and Wired VLAN Status toggle buttons.

Step 11
In the Security tab, disable the Web Auth toggle button.

Step 12
Click Apply to Device.

Step 13
Choose Configuration > Wireless > Guest LAN > Guest LAN Map Configuration.

Step 14
Click Add Map.

Step 15
In the Add Guest LAN Map window, enter the Guest LAN Map.

Step 16
Click Apply to Device.

Step 17
Click Add.

Step 18
Choose the values from the Profile Name and Policy Name drop-down lists.

Step 19
Click Save.

Configuring Foreign Controller with Open Authentication

Procedure

Step 1
configure terminal
Example:
Device# configure terminal
Enters global configuration mode.

Step 2
wireless profile policy wlan-policy-profile-name
Example:
Device(config)#wireless profile policy testpro-1
Configures the WLAN policy profile.

Step 3
mobility anchor non-local-mobility-cntlr-ip priority priority
Example:
Device(config-wireless-policy)#mobility anchor 192.168.201.111 priority 1
Configures the mobility anchor and sets its priority.

Step 4
no shutdown
Example:
Device(config-wireless-policy)#no shutdown
Enables the configuration.

Step 5
exit
Example:
Device(config-wireless-policy)#exit
Returns to configuration mode.

Step 6
guest-lan profile-name guest-profile-name guest-lan-id wired-vlan wired-vlan-id
Example:
Device(config)#guest-lan profile-name gstpro-1 1 wired-vlan 25
Configures the guest LAN profile with a wired VLAN.
Note
Configure the wired VLAN only for the Guest Foreign controller.

Step 7
no security web-auth
Example:
Device(config-guest-lan)#no security web-auth
Disables web authentication.

Step 8
no shutdown
Example:
Device(config-guest-lan)#no shutdown
Enables the guest LAN.

Step 9
exit
Example:
Device(config-guest-lan)#exit
Returns to configuration mode.

Step 10
wireless guest-lan map gst-map-name
Example:
Device(config)#wireless guest-lan map gstmap-1
Configures a guest LAN map.

Step 11
guest-lan guest-profile-name policy wlan-policy-profile-name
Example:
Device(config-guest-lan-map)#guest-lan gstpro-1 policy testpro-1
Attaches a guest LAN map to the policy profile.

Step 12
exit
Example:
Device(config-guest-lan-map)#exit
Returns to configuration mode.

Configuring Foreign Controller with Local Web Authentication (GUI)
Procedure

Step 1
Choose Configuration > Tags & Profiles > Policy.

Step 2
Select a Policy Name.

Step 3
Go to the Mobility tab.

Step 4
In the Mobility Anchors section, check the Export Anchor check box.

Step 5
Click Update & Apply to Device.

Step 6
Choose Configuration > Wireless > Guest LAN > Guest LAN Configuration.

Step 7
Click Add.

Step 8
In the General tab, enter the Profile Name, Guest LAN ID, and Client Association Limit.

Step 9
Choose the desired mode from the mDNS Mode drop-down list.

Step 10
Enable or disable the Status and Wired VLAN Status using the toggle buttons.

Step 11
Go to the Security tab.

Step 12
Enable Web Auth using the toggle button.

Step 13
Choose the values from the Web Auth Parameter Map, Authentication List, and Authorization List drop-down lists.

Step 14
Click Apply to Device.

Step 15
Choose Configuration > Wireless > Guest LAN > Guest LAN Map Configuration.

Step 16
Click Add Map.

Step 17
In the Add Guest LAN Map window, enter the Guest LAN Map.

Step 18
Click Apply to Device.

Step 19
Click Add.

Step 20
Choose the values from the Profile Name and Policy Name drop-down lists.

Step 21
Click Save.


Configuring Foreign Controller with Local WEB Authentication

Procedure

Step 1
configure terminal
Example:
Device# configure terminal
Enters global configuration mode.

Step 2
wireless profile policy wlan-policy-profile-name
Example:
Device(config)#wireless profile policy testpro-1
Configures the WLAN policy profile.

Step 3
mobility anchor non-local-mobility-cntlr-ip priority priority
Example:
Device(config-wireless-policy)#mobility anchor 192.168.201.111 priority 1
Configures the mobility anchor and sets its priority.

Step 4
no shutdown
Example:
Device(config-wireless-policy)#no shutdown
Enables the configuration.

Step 5
exit
Example:
Device(config-wireless-policy)#exit
Returns to configuration mode.

Step 6
guest-lan profile-name guest-profile-name guest-lan-id wired-vlan wired-vlan-id
Example:
Device(config)#guest-lan profile-name gstpro-2 3 wired-vlan 26
Configures the guest LAN profile with a wired VLAN.

Step 7
security web-auth
Example:
Device(config-guest-lan)#security web-auth
Enables web authentication.

Step 8
security web-auth authentication-list auth-list-name
Example:
Device(config-guest-lan)#security web-auth authentication-list default
Configures the authentication list for an IEEE 802.1x network.

Step 9
security web-auth parameter-map parameter-map-name
Example:
Device(config-guest-lan)#security web-auth parameter-map global
Configures the security web-auth parameter map.

Step 10
no shutdown
Example:
Device(config-guest-lan)#no shutdown
Enables the guest LAN.

Step 11
exit
Example:
Device(config-guest-lan)#exit
Returns to configuration mode.

Step 12
wireless guest-lan map gst-map-name
Example:
Device(config)#wireless guest-lan map gstmap-2
Configures a guest LAN map.

Step 13
guest-lan guest-lan-profile-name policy policy-profile-name
Example:
Device(config-guest-lan-map)#guest-lan gstpro-2 policy testpro-1
Attaches a guest LAN map to the policy profile.

Step 14
exit
Example:
Device(config-guest-lan-map)#exit
Returns to configuration mode.

What to do next
For more information about Local Web Authentication, see https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/config-guide/b_wl_16_10_cg/wireless-web-authentication.html

Configuring Anchor Controller with Open Authentication (GUI)
Procedure

Step 1
Choose Configuration > Tags & Profiles > Policy.

Step 2
Click Add.

Step 3
In the General tab, enter the Name.

Step 4
Go to the Access Policies tab.

Step 5
Under the VLAN settings, choose the VLANs from the VLAN/VLAN Group drop-down list.

Step 6
Go to the Mobility tab.

Step 7
Under the Mobility Anchors settings, check the Export Anchor check box.

Step 8
Click Apply to Device.

Step 9
Choose Configuration > Wireless > Guest LAN.

Step 10
Click Add.

Step 11
In the General tab, enter the Profile Name, the Guest LAN ID, and the Client Association Limit.

Step 12
In the Security tab, under the Layer3 settings, disable the Web Auth toggle button.

Step 13
Click Apply to Device.

Configuring Anchor Controller with Open Authentication

Procedure

Step 1
configure terminal
Example:
Device# configure terminal
Enters global configuration mode.

Step 2
wireless profile policy wlan-policy-profile-name
Example:
Device(config)#wireless profile policy testpro-2
Configures the WLAN policy profile.

Step 3
mobility anchor
Example:
Device(config-wireless-policy)#mobility anchor
Configures the mobility anchor.

Step 4
vlan vlan-id
Example:
Device(config-wireless-policy)#vlan 29
Configures a VLAN name or a VLAN ID.

Step 5
no shutdown
Example:
Device(config-wireless-policy)#no shutdown
Enables the configuration.

Step 6
exit
Example:
Device(config-wireless-policy)#exit
Returns to configuration mode.

Step 7
guest-lan profile-name guest-profile-name guest-lan-id
Example:
Device(config)#guest-lan profile-name testpro-2 1
Configures the guest LAN profile with a wired VLAN.

Step 8
client association limit guest-lan-client-limit
Example:
Device(config-guest-lan)#client association limit
Configures the maximum client connections per guest LAN. The valid range is between 1 and 2000.

Step 9
no security web-auth
Example:
Device(config-guest-lan)#no security web-auth
Disables web authentication.

Step 10
no shutdown
Example:
Device(config-guest-lan)#no shutdown
Enables the guest LAN.

Step 11
exit
Example:
Device(config-guest-lan)#exit
Returns to configuration mode.

Configuring Anchor Controller with Local Web Authentication (GUI)
Procedure

Step 1
Choose Configuration > Tags & Profiles > Policy.

Step 2
Click Add.

Step 3
In the General tab, enter the Name.

Step 4
Go to the Access Policies tab.

Step 5
Under the VLAN settings, choose the VLANs from the VLAN/VLAN Group drop-down list.

Step 6
Go to the Mobility tab.

Step 7
Under the Mobility Anchors settings, check the Export Anchor check box.

Step 8
Click Apply to Device.

Step 9
Choose Configuration > Wireless > Guest LAN.

Step 10
Click Add.

Step 11
In the General tab, enter the Profile Name, the Guest LAN ID, and the Client Association Limit.

Step 12
In the Security tab, under the Layer3 settings, enable the Web Auth toggle button. Choose the parameter map from the Web Auth Parameter Map drop-down list and the authentication list from the Authentication List drop-down list.

Step 13
Click Apply to Device.

Configuring Anchor Controller with Local Web Authentication

Procedure

Step 1
configure terminal
Example:
Device# configure terminal
Enters global configuration mode.

Step 2
wireless profile policy wlan-policy-profile-name
Example:
Device(config)#wireless profile policy testpro-2
Configures the WLAN policy profile.

Step 3
mobility anchor
Example:
Device(config-wireless-policy)#mobility anchor
Configures the mobility anchor.

Step 4
vlan vlan-id
Example:
Device(config-wireless-policy)#vlan 30
Configures a VLAN name or a VLAN ID.

Step 5
no shutdown
Example:
Device(config-wireless-policy)#no shutdown
Enables the configuration.

Step 6
exit
Example:
Device(config-wireless-policy)#exit
Returns to configuration mode.

Step 7
guest-lan profile-name guest-profile-name guest-lan-id
Example:
Device(config)#guest-lan profile-name testpro-2 1
Configures a guest LAN profile with a wired VLAN.

Step 8
client association limit guest-lan-client-limit
Example:
Device(config-guest-lan)#client association limit
Configures the maximum client connections per guest LAN. The valid range is between 1 and 2000.

Step 9
security web-auth
Example:
Device(config-guest-lan)#security web-auth
Configures web authentication.

Step 10
security web-auth parameter-map parameter-map-name
Example:
Device(config-guest-lan)#security web-auth parameter-map testmap-1
Configures the security web-auth parameter map.

Step 11
security web-auth authentication-list authentication-list-name
Example:
Device(config-guest-lan)#security web-auth authentication-list testlwa-1
Configures the authentication list for the IEEE 802.1x network.

Step 12
no shutdown
Example:
Device(config-guest-lan)#no shutdown
Enables the guest LAN.

Step 13
exit
Example:
Device(config-guest-lan)#exit
Returns to configuration mode.

Configuring Session Timeout for a Profile Policy
Session Timeout for a wired guest is set to infinite by default. Perform the following procedure to configure the timeout values for a wired guest.

Procedure

Step 1
configure terminal
Example:
Device# configure terminal
Enters global configuration mode.

Step 2
wireless profile policy wlan-policy-profile-name
Example:
Device(config)#wireless profile policy testpol-1
Configures the WLAN policy profile.

Step 3
guest-lan enable-session-timeout
Example:
Device(config-wireless-policy)#guest-lan enable-session-timeout
Enables the client session timeout on the guest LAN.

Step 4
session-timeout timeout-duration
Example:
Device(config-wireless-policy)#session-timeout 1000
Configures the client session timeout in seconds. The valid range is between 0 and 86400 seconds.

Global Configuration (GUI)
Procedure

Step 1
Choose Administration > User Administration.

Step 2
Click Add.

Step 3
Enter the Username, Password, and Confirm Password.

Step 4
Choose the desired value from the Policy and Privilege drop-down lists.

Step 5
Click Apply to Device.

Step 6
Choose Administration > Management > HTTP/HTTPS/Netconf.

Step 7
In the HTTP/HTTPS Access Configuration settings, enable or disable the HTTP Access, HTTPS Access, and Personal Identity Verification toggle buttons.

Step 8
Enter the HTTP Port and HTTPS Port.

Step 9
Click Apply.

Verifying Wired Guest Configurations
To validate the wireless configuration, use the following command:
Device# wireless config validate

Wireless Management Trustpoint Name: 'WLC-29c_WLC_TP'
Trustpoint certificate type is WLC-SSC
Wireless management trustpoint config is valid

Jan 22 07:49:15.371: %CONFIG_VALIDATOR_MESSAGE-5-EWLC_GEN_ERR: Chassis 1 R0/0: wncmgrd: Error in No record found for VLAN 9, needed by Guest-LAN open-wired
To display the summary of all Guest-LANs, use the following command:

Device# show guest-lan summary

Number of Guest LANs: 1

GLAN  GLAN Profile Name    Status
----------------------------------------------
1     wired_guest_open     UP

To view the detailed output of all Guest-LANs, use the following command:
Device# show guest-lan all

Guest-LAN Profile Name : open
================================================
Guest-LAN ID : 1
Wired-Vlan : 200
Status : Enabled
Number of Active Clients : 1
Max Associated Clients : 2000
Security
  WebAuth : Enabled
  Webauth Parameter Map : global
  Webauth Authentication List : LWA-AUTHENTICATION
  Webauth Authorization List : LWA-AUTHENTICATION
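To script this verification instead of reading it by eye, the following Python, added here as an example and not part of the Cisco guide, parses the key : value blocks of show guest-lan all (the two-guest-LAN sample below is constructed; only the first block mirrors the output above) together with the validator message quoted above, and lists guest LANs that are disabled, lack the expected web-auth settings, or reference a VLAN the validator could not find.

```python
import re
from typing import Dict, List

# Constructed output in the layout of 'show guest-lan all' with two guest LANs
# (the second guest LAN and its values are invented for this example).
SHOW_GUEST_LAN_ALL = """\
Guest-LAN Profile Name : open
================================================
Guest-LAN ID : 1
Wired-Vlan : 200
Status : Enabled
Number of Active Clients : 1
Max Associated Clients : 2000
Security
  WebAuth : Enabled
  Webauth Parameter Map : global
  Webauth Authentication List : LWA-AUTHENTICATION
  Webauth Authorization List : LWA-AUTHENTICATION

Guest-LAN Profile Name : lab-open
================================================
Guest-LAN ID : 2
Wired-Vlan : 201
Status : Disabled
Number of Active Clients : 0
Max Associated Clients : 2000
Security
  WebAuth : Disabled
"""

# The validator message shown in this section, reused here as sample input.
VALIDATOR_LOG = (
    "Jan 22 07:49:15.371: %CONFIG_VALIDATOR_MESSAGE-5-EWLC_GEN_ERR: Chassis 1 R0/0: "
    "wncmgrd: Error in No record found for VLAN 9, needed by Guest-LAN open-wired\n"
)

# 'Field : value' rows; separator rows, the bare 'Security' header and blanks do not match.
KV_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 -]*?)\s*:\s*(.*?)\s*$")
VALIDATOR_RE = re.compile(
    r"%CONFIG_VALIDATOR_MESSAGE-\d+-(\S+?): .*?No record found for VLAN (\d+), needed by Guest-LAN (\S+)"
)


def parse_show_guest_lan(output: str) -> List[Dict[str, str]]:
    """One dict per guest LAN, keyed by the field names the controller prints."""
    lans: List[Dict[str, str]] = []
    for line in output.splitlines():
        m = KV_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "Guest-LAN Profile Name":
            lans.append({})          # a new block starts with the profile name
        if lans:
            lans[-1][key] = value
    return lans


def missing_vlans(validator_log: str) -> List[Dict[str, str]]:
    """Guest LANs whose wired VLAN the config validator could not find."""
    return [{"guest_lan": m.group(3), "vlan": m.group(2), "code": m.group(1)}
            for m in VALIDATOR_RE.finditer(validator_log)]


def audit_guest_lans(output: str, validator_log: str, require_webauth: bool = True) -> List[str]:
    """Flag guest LANs that are down, lack web-auth settings, or reference an absent VLAN."""
    problems: List[str] = []
    for lan in parse_show_guest_lan(output):
        name = lan.get("Guest-LAN Profile Name", "?")
        if lan.get("Status") != "Enabled":
            problems.append(f"{name}: status is {lan.get('Status')}")
        if lan.get("WebAuth") == "Enabled":
            for field in ("Webauth Parameter Map", "Webauth Authentication List"):
                if not lan.get(field):
                    problems.append(f"{name}: WebAuth is enabled but {field} is empty")
        elif require_webauth:
            problems.append(f"{name}: WebAuth is {lan.get('WebAuth')}, wired guests get open access")
    for miss in missing_vlans(validator_log):
        problems.append(f"{miss['guest_lan']}: VLAN {miss['vlan']} does not exist on the controller ({miss['code']})")
    return problems


if __name__ == "__main__":
    for problem in audit_guest_lans(SHOW_GUEST_LAN_ALL, VALIDATOR_LOG):
        print("CHECK:", problem)
```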

To view the guest-LAN configuration by ID, use the following command:
Device# show guest-lan id 1

Guest-LAN Profile Name : open
================================================
Guest-LAN ID : 1
Wired-Vlan : 200
Status : Enabled
Number of Active Clients : 1
Max Associated Clients : 2000
Security
  WebAuth : Enabled
  Webauth Parameter Map : global
  Webauth Authentication List : LWA-AUTHENTICATION
  Webauth Authorization List : LWA-AUTHENTICATION

To view the guest-LAN configuration by profile name, use the following command:
Device# show guest-lan name open

Guest-LAN Profile Name : open
================================================
Guest-LAN ID : 1
Wired-Vlan : 200
Status : Enabled
Number of Active Clients : 1
Max Associated Clients : 2000
Security
  WebAuth : Enabled
  Webauth Parameter Map : global
  Webauth Authentication List : LWA-AUTHENTICATION
  Webauth Authorization List : LWA-AUTHENTICATION

To view the guest-LAN map summary, use the following command:
Device# show wireless guest-lan-map summary

Number of Guest-Lan Maps: 2

WLAN Profile Name      Policy Name
------------------------------------------------------------------------
open_wired_guest       open_wired_guest
lwa_wired_guest        lwa_wired_guest

To view the active clients, use the following command:
Device# show wireless client summary

Number of Local Clients: 1

MAC Address     AP Name  Type  ID  State  Protocol  Method    Role
-------------------------------------------------------------------------------------------------------------------------
000a.bd15.0001  N/A      GLAN  1   Run    802.3     Web Auth  Export Foreign

To view the detailed information about a client by MAC address, use the following command:

Device# show wireless client mac-address 3383.0000.0001 detail

Client MAC Address : 3383.0000.0001
Client IPv4 Address : 155.165.152.151
Client Username : N/A
AP MAC Address : N/A
AP slot : N/A
Client State : Associated
Policy Profile : guestlan_lwa
Flex Profile : N/A
Guest Lan:
  GLAN Id : 2
  GLAN Name : guestlan_lwa
Wired VLAN : 312
Wireless LAN Network Name (SSID) : N/A
BSSID : N/A
Connected For : 128 seconds
Protocol : 802.3
Channel : N/A
Client IIF-ID : 0xa0000002
Association Id : 0
Authentication Algorithm : Open System
Session Timeout : 1800 sec (Timer not running)
Session Warning Time : Timer not running
Input Policy Name : clsilver
Input Policy State : Installed
Input Policy Source : AAA Policy
Output Policy Name : None
Output Policy State : None
Output Policy Source : None
WMM Support : Disabled
Fastlane Support : Disabled
Power Save : OFF
AAA QoS Rate Limit Parameters:
  QoS Average Data Rate Upstream : 0 (kbps)
  QoS Realtime Average Data Rate Upstream : 0 (kbps)
  QoS Burst Data Rate Upstream : 0 (kbps)
  QoS Realtime Burst Data Rate Upstream : 0 (kbps)
  QoS Average Data Rate Downstream : 0 (kbps)


  QoS Realtime Average Data Rate Downstream : 0 (kbps)
  QoS Burst Data Rate Downstream : 0 (kbps)
  QoS Realtime Burst Data Rate Downstream : 0 (kbps)
Mobility:
  Anchor IP Address : 101.0.0.1
  Point of Attachment : 0x00000008
  Point of Presence : 0xA0000001
  AuthC status : Enabled
  Move Count : 0
  Mobility Role : Export Foreign
  Mobility Roam Type : L3 Requested
  Mobility Complete Timestamp : 05/07/2019 22:31:45 UTC
Client Join Time:
  Join Time Of Client : 05/07/2019 22:31:42 UTC
Policy Manager State : Run
Last Policy Manager State : IP Learn Complete
Client Entry Create Time : 125 seconds
Policy Type : N/A
Encryption Cipher : N/A
Encrypted Traffic Analytics : No
Protected Management Frame - 802.11w : No
EAP Type : Not Applicable
VLAN : default
Multicast VLAN : 0
Access VLAN : 153
Anchor VLAN : 155
WFD capable : No
Managed WFD capable : No
Cross Connection capable : No
Support Concurrent Operation : No
Session Manager:
  Point of Attachment : TenGigabitEthernet0/0/0
  IIF ID : 0x00000008
  Authorized : TRUE
  Session timeout : 1800
  Common Session ID : 00000000000000CB946C8BA3
  Acct Session ID : 0x00000000
  Last Tried Aaa Server Details:
    Server IP :
  Auth Method Status List
    Method : Web Auth
      Webauth State : Authz
      Webauth Method : Webauth
  Local Policies:
    Service Template : wlan_svc_guestlan_lwa_local (priority 254)
      VLAN : 153
      Absolute-Timer : 1800
  Server Policies:
    QOS Level : 0
  Resultant Policies:
    VLAN Name : VLAN0153
    QOS Level : 0
    VLAN : 153
    Absolute-Timer : 1800
DNS Snooped IPv4 Addresses : None
DNS Snooped IPv6 Addresses : None
Client Capabilities
  CF Pollable : Not implemented
  CF Poll Request : Not implemented
  Short Preamble : Not implemented
  PBCC : Not implemented
  Channel Agility : Not implemented
  Listen Interval : 0
Fast BSS Transition Details :

  Reassociation Timeout : 0
11v BSS Transition : Not implemented
11v DMS Capable : No
QoS Map Capable : No
FlexConnect Data Switching : N/A
FlexConnect Dhcp Status : N/A
FlexConnect Authentication : N/A
FlexConnect Central Association : N/A
Client Statistics:
  Number of Bytes Received : 0
  Number of Bytes Sent : 0
  Number of Packets Received : 8
  Number of Packets Sent : 0
  Number of Policy Errors : 0
  Radio Signal Strength Indicator : 0 dBm
  Signal to Noise Ratio : 0 dB
  Idle time : 0 seconds
  Last idle time update : 05/07/2019 22:32:27
  Last statistics update : 05/07/2019 22:32:27
Fabric status : Disabled
Client Scan Reports
Assisted Roaming Neighbor List
Nearby AP Statistics:
EoGRE : Pending Classification
Wired Guest Access--Use Cases
Although this feature is a guest access feature, it can be used to meet different requirements. Some of the possibilities are shared here.
Scenario One--Equipment Software Update
This feature can be configured to allow the wired port to connect to the manufacturer or vendor website for equipment maintenance, software, or firmware updates.
Scenario Two--Video Streaming
This feature can be configured to allow devices that are connected to a wired port to stream video to visitor information screens.


CHAPTER 169
802.11r BSS Fast Transition
· Information About 802.11r Fast Transition, on page 1705
· Restrictions for 802.11r Fast Transition, on page 1706
· Monitoring 802.11r Fast Transition (CLI), on page 1707
· Configuring 802.11r BSS Fast Transition on a Dot1x Security Enabled WLAN (CLI), on page 1708
· Configuring 802.11r Fast Transition in an Open WLAN (CLI), on page 1709
· Configuring 802.11r Fast Transition on a PSK Security-Enabled WLAN (CLI), on page 1711
· Disabling 802.11r Fast Transition (GUI), on page 1712
· Disabling 802.11r Fast Transition (CLI), on page 1712
Information About 802.11r Fast Transition
802.11r, which is the IEEE standard for fast roaming, introduces a new concept of roaming where the initial handshake with a new AP is done even before the corresponding client roams to the target access point. This concept is called Fast Transition. The initial handshake allows a client and the access points to do the Pairwise Transient Key (PTK) calculation in advance. These PTK keys are applied to the client and the access points after the client completes the reassociation exchange with the new target AP. The FT key hierarchy is designed to allow clients to make fast BSS transitions between APs without requiring reauthentication at every AP. The WLAN configuration contains a new Authenticated Key Management (AKM) type called FT (Fast Transition).
Client Roaming
For a client to move from its current AP to a target AP using the FT protocols, message exchanges are performed using one of the following methods:
· Over-the-Air--The client communicates directly with the target AP using IEEE 802.11 authentication with the FT authentication algorithm.
· Over-the-Distribution System (DS)--The client communicates with the target AP through the current AP. The communication between the client and the target AP is carried in FT action frames between the client and the current AP and is then sent through the device.
Figure 43: Message Exchanges when Over-the-Air Client Roaming is Configured

Figure 44: Message Exchanges when Over-the-DS Client Roaming is Configured

Restrictions for 802.11r Fast Transition
· EAP LEAP method is not supported.
· Traffic Specification (TSPEC) is not supported for 802.11r fast roaming. Therefore, RIC IE handling is not supported.
· If WAN link latency exists, fast roaming is also delayed. Voice or data maximum latency should be verified. The Cisco WLC handles 802.11r Fast Transition authentication requests during roaming for both Over-the-Air and Over-the-DS methods.
· Legacy clients cannot associate with a WLAN that has 802.11r enabled if the driver of the supplicant that is responsible for parsing the Robust Security Network Information Element (RSN IE) is old and not aware of the additional AKM suites in the IE. Due to this limitation, clients cannot send association requests to WLANs. These clients, however, can still associate with non-802.11r WLANs. Clients that are 802.11r-capable can associate as 802.11i clients on WLANs that have both 802.11i and 802.11r Authentication Key Management Suites enabled.
The workaround is to enable or upgrade the driver of the legacy clients to work with the new 802.11r AKMs, after which the legacy clients can successfully associate with 802.11r-enabled WLANs.
Another workaround is to have two SSIDs with the same name, but with different security settings (FT and non-FT).
· Fast Transition resource-request protocol is not supported because clients do not support this protocol. Also, the resource-request protocol is an optional protocol.
· To avoid any Denial of Service (DoS) attack, each Cisco WLC allows a maximum of three Fast Transition handshakes with different APs.
· Non-802.11r-capable devices will not be able to associate with an FT-enabled WLAN.
· We do not recommend 802.11r FT + PMF.
· We recommend 802.11r FT Over-the-Air roaming for FlexConnect deployments.
· 802.11r ft-over-ds is enabled by default when a WLAN is created in the controller. In Cisco Wave 2 APs, local switching with local authentication is not supported together with 802.11r. To make local switching with local authentication work with Cisco Wave 2 APs, explicitly disable 802.11r in the WLAN. A sample configuration is given below:
wlan local-dot1x 24 local-dot1x
 no security ft over-the-ds
 no security ft adaptive
 security dot1x authentication-list spwifi_dot1x
 no shutdown

Monitoring 802.11r Fast Transition (CLI)

The following commands can be used to monitor 802.11r Fast Transition:

Command: show wlan name wlan-name
Description: Displays a summary of the configured parameters on the WLAN.

Command: show wireless client mac-address mac-address
Description: Displays the summary of the 802.11r authentication key management configuration on a client.

...
...
Client Capabilities
  CF Pollable : Not implemented
  CF Poll Request : Not implemented
  Short Preamble : Not implemented
  PBCC : Not implemented
  Channel Agility : Not implemented
  Listen Interval : 15
  Fast BSS Transition : Implemented
Fast BSS Transition Details :
Client Statistics:
  Number of Bytes Received : 9019
  Number of Bytes Sent : 3765
  Number of Packets Received : 130
  Number of Packets Sent : 36
  Number of EAP Id Request Msg Timeouts : 0
  Number of EAP Request Msg Timeouts : 0
  Number of EAP Key Msg Timeouts : 0
  Number of Data Retries : 1
  Number of RTS Retries : 0
  Number of Duplicate Received Packets : 1
  Number of Decrypt Failed Packets : 0
  Number of Mic Failured Packets : 0
  Number of Mic Missing Packets : 0
  Number of Policy Errors : 0
  Radio Signal Strength Indicator : -48 dBm
  Signal to Noise Ratio : 40 dB
...
...

Configuring 802.11r BSS Fast Transition on a Dot1x Security Enabled WLAN (CLI)

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wlan profile-name
Example:
Device# wlan test4
Purpose: Enters WLAN configuration submode. The profile-name is the profile name of the configured WLAN.

Step 3
Command or Action: client vlan vlan-name
Example:
Device(config-wlan)# client vlan 0120
Purpose: Associates the client VLAN to this WLAN.

Step 4
Command or Action: local-auth local-auth-profile-eap
Example:
Device(config-wlan)# local-auth
Purpose: Enables the local auth EAP profile.

Step 5
Command or Action: security dot1x authentication-list default
Example:
Device(config-wlan)# security dot1x authentication-list default
Purpose: Enables the security authentication list for dot1x security. The configuration is similar for all dot1x security WLANs.

Step 6
Command or Action: security ft
Example:
Device(config-wlan)# security ft
Purpose: Enables 802.11r Fast Transition on the WLAN.

Step 7
Command or Action: security wpa akm ft dot1x
Example:
Device(config-wlan)# security wpa akm ft dot1x
Purpose: Enables 802.1x security on the WLAN.

Step 8
Command or Action: no shutdown
Example:
Device(config-wlan)# no shutdown
Purpose: Enables the WLAN.

Step 9
Command or Action: end
Example:
Device(config-wlan)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Configuring 802.11r Fast Transition in an Open WLAN (CLI)

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wlan profile-name
Example:
Device# wlan test4
Purpose: Enters WLAN configuration submode. The profile-name is the profile name of the configured WLAN.

Step 3
Command or Action: client vlan vlan-id
Example:
Device(config-wlan)# client vlan 0120
Purpose: Associates the client VLAN to the WLAN.

Step 4
Command or Action: no security wpa
Example:
Device(config-wlan)# no security wpa
Purpose: Disables WPA security.

Step 5
Command or Action: no security wpa akm dot1x
Example:
Device(config-wlan)# no security wpa akm dot1x
Purpose: Disables security AKM for dot1x.

Step 6
Command or Action: no security wpa wpa2
Example:
Device(config-wlan)# no security wpa wpa2
Purpose: Disables WPA2 security.

Step 7
Command or Action: no security wpa wpa2 ciphers aes
Example:
Device(config-wlan)# no security wpa wpa2 ciphers aes
Purpose: Disables WPA2 ciphers for AES.

Step 8
Command or Action: security ft
Example:
Device(config-wlan)# security ft
Purpose: Specifies the 802.11r Fast Transition parameters.

Step 9
Command or Action: no shutdown
Example:
Device(config-wlan)# no shutdown
Purpose: Enables the WLAN.

Step 10
Command or Action: end
Example:
Device(config-wlan)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.


Configuring 802.11r Fast Transition on a PSK Security­Enabled WLAN (CLI)

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wlan profile-name
Example:
Device# wlan test4
Purpose: Enters WLAN configuration submode. The profile-name is the profile name of the configured WLAN.

Step 3
Command or Action: client vlan vlan-name
Example:
Device(config-wlan)# client vlan 0120
Purpose: Associates the client VLAN to this WLAN.

Step 4
Command or Action: no security wpa akm dot1x
Example:
Device(config-wlan)# no security wpa akm dot1x
Purpose: Disables security AKM for dot1x.

Step 5
Command or Action: security wpa akm ft psk
Example:
Device(config-wlan)# security wpa akm ft psk
Purpose: Configures Fast Transition PSK support.

Step 6
Command or Action: security wpa akm psk set-key {ascii {0 | 8} | hex {0 | 8}}
Example:
Device(config-wlan)# security wpa akm psk set-key ascii 0 test
Purpose: Configures the PSK AKM shared key.

Step 7
Command or Action: security ft
Example:
Device(config-wlan)# security ft
Purpose: Configures 802.11r Fast Transition.

Step 8
Command or Action: no shutdown
Example:
Device(config-wlan)# no shutdown
Purpose: Enables the WLAN.

Step 9
Command or Action: end
Example:
Device(config-wlan)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Disabling 802.11r Fast Transition (GUI)
Procedure

Step 1 Choose Configuration > Tags & Profiles > WLANs.
Step 2 On the WLANs page, click the WLAN name.
Step 3 In the Edit WLAN window, click the Security > Layer2 tab.
Step 4 From the Fast Transition drop-down list, choose Disabled.
Note that you cannot enable or disable Fast Transition if you have configured an SSID with Open Authentication.
Step 5 Click Update & Apply to Device.

Disabling 802.11r Fast Transition (CLI)

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wlan profile-name
Example:
Device# wlan test4
Purpose: Enters WLAN configuration submode. The profile-name is the profile name of the configured WLAN.

Step 3
Command or Action: no security ft [over-the-ds | reassociation-timeout timeout-in-seconds]
Example:
Device(config-wlan)# no security ft over-the-ds
Purpose: Disables 802.11r Fast Transition on the WLAN.

Step 4
Command or Action: end
Example:
Device(config)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

CHAPTER 170
BSS Coloring
· Information About BSS Coloring, on page 1713
· Configuring BSS Color on AP (GUI), on page 1714
· Configuring BSS Color in the Privileged EXEC Mode, on page 1715
· Configuring BSS Color Globally (GUI), on page 1715
· Configuring BSS Color in the Configuration Mode, on page 1716
· Configuring Overlapping BSS Packet Detect (GUI), on page 1716
· Configuring OBSS-PD Spatial Reuse Globally (CLI), on page 1717
· Configuring OBSS PD in an RF Profile (GUI), on page 1717
· Configuring OBSS-PD Spatial Reuse in the RF Profile Mode (CLI), on page 1718
· Verifying BSS Color and OBSS-PD, on page 1718
Information About BSS Coloring
The 802.11 Wi-Fi standard minimizes the chance of multiple devices interfering with one another by transmitting at the same time. This carrier-sense multiple access with collision avoidance (CSMA/CA) technology is based on static thresholds that allow Wi-Fi devices to avoid interfering with each other on air. However, with an increase in density and the number of Wi-Fi devices, these static thresholds often lead to CSMA/CA causing devices to defer transmissions unnecessarily.
For example, if two devices that are associated with different BSSs can hear every transmission from each other at relatively low signal strengths, each device defers its transmission when it receives a transmission from the other. But if both devices were to transmit at the same time, it is likely that neither would cause enough interference at the other BSS's receiver to cause reception failure for either transmission.
Devices today must demodulate packets to look at the MAC header in order to determine whether or not a received packet belongs to their own BSS. This process of demodulation consumes power, which can be saved if devices can quickly identify the BSS by looking at the PHY header alone, and subsequently drop packets that are from a different BSS. Prior to Wi-Fi 6, there was no provision for devices to do this.
The new 802.11ax (Wi-Fi 6) standard addresses both of the issues discussed above through the new BSS Coloring and Spatial Reuse mechanism. BSS Coloring is a new provision that allows devices operating in the same frequency space to quickly distinguish between packets from their own BSS and packets from an Overlapping BSS (OBSS) by simply looking at the BSS color value contained in the HE PHY header. In some scenarios, Spatial Reuse allows devices to transmit at the same time as the OBSS packets they receive, instead of deferring transmissions because of legacy interference thresholds. Since every Wi-Fi 6 device understands the BSS color, it can be leveraged to increase power savings by dropping packets earlier, and to identify spatial reuse opportunities.

BSS Coloring
BSS Coloring is a method used to differentiate between the BSS of access points and their clients on the same RF channel. Wi-Fi 6 enables each AP radio to assign a value (from 1 to 63), known as BSS color, to be included in the PHY header of all HE transmissions from devices in its BSS. With devices of each BSS transmitting a locally-unique color, a device can quickly and easily distinguish transmissions coming from its BSS from those of a neighboring BSS. The following platforms support this feature:
· Cisco Catalyst 9800 Series Wireless Controllers
· Cisco Catalyst 9115 Access Points
· Cisco Catalyst 9117 Access Point
· Cisco Catalyst 9120AX Series Access Points
· Cisco Catalyst 9124AX Series Access Points
· Cisco Catalyst 9130AX Access Points

OBSS-PD and Spatial Reuse
Overlapping BSS Packet Detect (OBSS-PD) is a more aggressive Wi-Fi packet detect threshold for inter-BSS packets, which can be higher than the typical/legacy -82 dBm. Inter-BSS packets are easily identified by comparing the BSS color in the HE PHY header of the packets received with the BSS color of the device.
In OBSS-PD based Spatial Reuse, to improve throughput and network efficiency by increasing transmitting opportunities, a Wi-Fi 6 or 802.11ax device can transmit over an inter-BSS packet with an RSSI that is below the OBSS-PD threshold instead of deferring.
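The defer-or-transmit decision described above, as an added model that is not part of this guide or of the controller software: a radio compares the color in a received HE PHY header with its own, and only inter-BSS frames below the configured Non-SRG OBSS PD Max threshold are ignored. The threshold and color ranges are the ones configurable on this controller; the sample frames are constructed.

```python
from typing import Dict, List, Optional, Tuple

LEGACY_CCA_DBM = -82                            # legacy packet-detect threshold named in the text
OBSS_PD_MIN_DBM, OBSS_PD_MAX_DBM = -82, -62     # Non-SRG OBSS PD Max range on this controller
BSS_COLOR_MIN, BSS_COLOR_MAX = 1, 63            # BSS color range an AP radio can be assigned


def validate_obss_pd(threshold_dbm: int) -> int:
    """Reject thresholds outside the configurable -82 to -62 dBm range."""
    if not OBSS_PD_MIN_DBM <= threshold_dbm <= OBSS_PD_MAX_DBM:
        raise ValueError(f"OBSS-PD threshold {threshold_dbm} dBm out of range")
    return threshold_dbm


def validate_bss_color(color: int) -> int:
    """BSS color is a 6-bit field; 0 means none, so 1..63 is the usable range."""
    if not BSS_COLOR_MIN <= color <= BSS_COLOR_MAX:
        raise ValueError(f"BSS color {color} out of range")
    return color


def decide(own_color: int, frame: Dict, obss_pd_dbm: Optional[int] = None) -> Tuple[bool, str]:
    """Decide whether a radio with BSS color own_color must defer for a detected frame.

    frame: {"rssi_dbm": int, "bss_color": int or None}. bss_color None models a
    legacy (non-HE) preamble that carries no color and so can never be spatially
    reused. obss_pd_dbm None models OBSS-PD disabled (legacy behaviour only).
    Returns (defer, reason).
    """
    rssi = frame["rssi_dbm"]
    color = frame.get("bss_color")
    if rssi < LEGACY_CCA_DBM:
        return False, "below legacy CCA threshold: not detected"
    if color is None:
        return True, "legacy preamble carries no color: must defer"
    if color == own_color:
        return True, "intra-BSS frame: defer"
    if obss_pd_dbm is not None and rssi < obss_pd_dbm:
        return False, "inter-BSS below OBSS-PD: spatial reuse, transmit"
    return True, "inter-BSS at or above OBSS-PD: defer"


def count_tx_opportunities(own_color: int, frames: List[Dict],
                           obss_pd_dbm: Optional[int] = None) -> int:
    """How many of the detected frames leave the radio free to transmit."""
    return sum(1 for f in frames if not decide(own_color, f, obss_pd_dbm)[0])


# Constructed sample: frames heard by a radio whose BSS color is 12.
SAMPLE_FRAMES = [
    {"rssi_dbm": -70, "bss_color": 12},    # own BSS
    {"rssi_dbm": -70, "bss_color": 7},     # OBSS, weak
    {"rssi_dbm": -60, "bss_color": 7},     # OBSS, strong
    {"rssi_dbm": -75, "bss_color": None},  # legacy (non-HE) neighbour
    {"rssi_dbm": -90, "bss_color": 7},     # below CCA, never detected
]

if __name__ == "__main__":
    own = validate_bss_color(12)
    print("legacy only:", count_tx_opportunities(own, SAMPLE_FRAMES))
    print("OBSS-PD -62:", count_tx_opportunities(own, SAMPLE_FRAMES, validate_obss_pd(-62)))
```

With the default -62 dBm threshold the weak OBSS frame at -70 dBm no longer forces a defer, while the strong one at -60 dBm still does; a legacy neighbour that cannot signal a color always costs a defer, which is why the feature only pays off as the cell fills with Wi-Fi 6 devices.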

Configuring BSS Color on AP (GUI)
Procedure

Step 1 Choose Configuration > Wireless > Access Points.
Step 2 Click the 5 GHz Radios section or the 2.4 GHz Radios section. The list of the AP radios in the band is displayed.
Step 3 Click the required AP name. The Edit Radios window is displayed.
Step 4 From the Edit Radios window, select the Configure tab. The general information, Antenna Parameters, RF Channel Assignment, Tx Power Level Assignment, and BSS Color are displayed.
Step 5 In the BSS Color area and from the BSS Color Configuration drop-down list, choose Custom configuration.
· Custom: To manually select the BSS color configuration for the AP radio.
a. Click the BSS Color Status field to disable or enable the feature.
b. In the Current BSS Color field, specify a corresponding BSS color for the AP radio. The valid range is between 1 and 63.
Step 6 Click Update & Apply to Device.

Configuring BSS Color in the Privileged EXEC Mode

Procedure

Step 1
Command or Action: enable
Example:
Device> enable
Purpose: Enables privileged EXEC mode. Enter your password, if prompted.

Step 2
Command or Action: ap name ap-name dot11 {24ghz | 5ghz | dual-band [slot slot-id]} dot11ax bss-color <1-63>
Example:
Device# ap name apn dot11 24ghz slot 0 dot11ax bss-color 12
Example:
Device# ap name apn no dot11 24ghz slot 0 dot11ax bss-color
Purpose: Sets the BSS color on the 2.4-GHz, 5-GHz, or dual-band radio, for a specific access point on the following slots:
· 5 GHz: Slot 1 and 2
· 2.4 GHz: Slot 0
· Dual-band: Slot 0
Use the no form of this command to disable BSS color.

Configuring BSS Color Globally (GUI)
Procedure

Step 1 Choose Configuration > Radio Configurations > Parameters.
Step 2 In the 11ax Parameters section, enable BSS color globally for the 5 GHz and 2.4 GHz radios by checking the BSS Color check box.


Configuring BSS Color in the Configuration Mode

Procedure

Step 1
Command or Action: enable
Example:
Device> enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 3
Command or Action: [no] ap dot11 {24ghz | 5ghz} dot11ax bss-color
Example:
Device(config)# [no] ap dot11 24ghz dot11ax bss-color
Purpose: Enables the 802.11ax BSS color on all 2.4-GHz or 5-GHz radios. Use the no form of this command to disable BSS color.

Configuring Overlapping BSS Packet Detect (GUI)
Procedure

Step 1 Choose Configuration > Radio Configurations > Parameters. The parameters page is displayed, where you can configure global parameters for 5 GHz Band and 2.4 GHz Band radios.
Step 2 In the 11ax Parameters section, check the OBSS PD check box to enable the overlapping BSS packet detect (OBSS PD) feature.
Step 3 In the Non-SRG OBSS PD Max Threshold field, enter the threshold in decibel-milliwatts. The value range is between -82 dBm and -62 dBm.


Configuring OBSS-PD Spatial Reuse Globally (CLI)

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: [no] ap dot11 {24ghz | 5ghz} dot11ax spatial-reuse obss-pd
Example:
Device(config)# [no] ap dot11 24ghz dot11ax spatial-reuse obss-pd
Purpose: Configures 802.11ax OBSS PD based spatial reuse on all 2.4-GHz or 5-GHz radios. Use the no form of this command to disable this feature.

Step 3
Command or Action: ap dot11 {24ghz | 5ghz} dot11ax spatial-reuse obss-pd non-srg-max <-82 - -62>
Example:
Device(config)# [no] ap dot11 24ghz dot11ax spatial-reuse obss-pd non-srg-max -62
Purpose: Configures the 802.11ax non-SRG OBSS PD max on all 2.4-GHz or 5-GHz radios. The default value is -62.

Configuring OBSS PD in an RF Profile (GUI)
Procedure

Step 1 Choose Configuration > Tags & Profiles > RF.
Step 2 On the RF Profile page, click Add to configure the following:
· General
· 802.11
· RRM
· Advanced
Step 3 In the Advanced tab, under the 11ax Parameters section, complete the following:
a) Use the toggle button to enable or disable the OBSS PD field.
b) In the Non-SRG OBSS PD Max Threshold (dBm) field, enter the threshold value. The default value is -62 dBm. Values range between -82 dBm and -62 dBm.
Step 4 Click Save & Apply to Device.


Configuring OBSS-PD Spatial Reuse in the RF Profile Mode (CLI)

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: ap dot11 {24ghz | 5ghz} rf-profile rf-profile-name
Example:
Device(config)# ap dot11 24ghz rf-profile rfprof24_1
Purpose: Configures an RF profile and enters RF profile configuration mode.

Step 3
Command or Action: [no] dot11ax spatial-reuse obss-pd
Example:
Device(config-rf-profile)# [no] dot11ax spatial-reuse obss-pd
Purpose: Configures 802.11ax OBSS PD based spatial reuse in the RF profile configuration mode. Use the no form of this command to disable this feature.

Step 4
Command or Action: dot11ax spatial-reuse obss-pd non-srg-max <-82 - -62>
Example:
Device(config-rf-profile)# dot11ax spatial-reuse obss-pd non-srg-max -62
Purpose: Configures the 802.11ax non-SRG OBSS PD max on all 2.4-GHz or 5-GHz radios. The default value is -62.

Verifying BSS Color and OBSS-PD

To verify whether the global per-band BSS color and OBSS-PD are enabled, use the following show command:

Device# show ap dot11 24ghz network
802.11b Network : Enabled
11gSupport : Enabled
11nSupport : Enabled
.
.
.
802.11ax : Enabled
  DynamicFrag : Enabled
  MultiBssid : Enabled
  Target Wakeup Time : Enabled
  Target Wakeup Time Broadcast : Enabled
  BSS Color : Enabled
  OBSS PD : Enabled
  Non-SRG OBSS PD Max : -62 dBm
802.11ax MCS Settings:
  MCS 7, Spatial Streams = 1 : Supported
.
.
.


To view the RF profile OBSS-PD configuration, use the following show command:

Device# show ap rf-profile name rf-profile-name detail

Description : pre configured rfprofile for 5gh radio
RF Profile Name : rf-profile-name
Band : 5 GHz
Transmit Power Threshold v1 : -65 dBm
Min Transmit Power : 7 dBm
Max Transmit Power : 30 dBm
.
.
.
802.11ax
  OBSS PD : Enabled
  Non-SRG OBSS PD Max : -62 dBm
NDP mode : Auto

To view the BSS color configuration of all the AP radios on a band in the summary list, along with Channel, TX Power and so on, use the following show command:

Device# show ap dot11 24ghz summary extended

AP Name         Mac Address     Slot  Admin State  Oper State  Width  Txpwr         Channel     BSS Color
------------------------------------------------------------------------------------------------------------------------------------------------------
Ed2-JFW-AP1     84b2.61ba.4730  1     Enabled      Up          40     1/6 (17 dBm)  (136,132)*
11AX-9120-AP1   d4ad.bda2.3fc0  1     Enabled      Up          20     1/8 (23 dBm)  (36)        30
Ed2-JFW-AP2     f8c2.8885.59f0  1     Enabled      Up          20     1/5 (15 dBm)  (40)

To view the BSS color configuration and the capability of an AP radio, use the following show commands:

Device# show ap name AP7069.5A74.816C config dot11 24ghz

Cisco AP Identifier : 502f.a876.1e60
Cisco AP Name : AP7069.5A74.816C
Attributes for Slot 0
  Radio Type : 802.11b
  Radio Mode : REAP
  Radio Role : Auto
  Radio SubType : Main
  Administrative State : Enabled
  Operation State : Up
  .
  .
  .
  Phy OFDM Parameters
    Configuration : Automatic
    Current Channel : 6
    Channel Width : 20 MHz
    TI Threshold : 1157693440
    Antenna Type : External
    External Antenna Gain (in .5 dBi units) : 8
  .
  .
  .
!BSS color details are displayed below:
  802.11ax Parameters
    HE Capable : Yes
    BSS Color Capable : Yes
    BSS Color Configuration : Customized
    Current BSS Color : 34

Device# show ap name AP70XX.5XX4.8XXX config slot 0

Cisco AP Identifier : 502f.a876.1e60
Cisco AP Name : AP70XX.5XX4.8XXX
Country Code : US
AP Country Code : US - United States
AP Regulatory Domain : -A
MAC Address : 7069.5a74.816c
IP Address Configuration : DHCP
IP Address : Disabled
.
.
.
Attributes for Slot 0
  Radio Type : 802.11n - 2.4 GHz
  Radio Role : Auto
  Radio Mode : REAP
  Radio SubType : Main
  Administrative State : Enabled
  .
  .
  .
  Phy OFDM Parameters
    Configuration : Automatic
    Current Channel : 6
    Channel Assigned By : DCA
    Extension Channel : NONE
    Channel Width : 20
    Allowed Channel List : 1,2,3,4,5,6,7,8,9,10,11
    TI Threshold : 1157693440
    DCA Channel List :
    Antenna Type : EXTERNAL_ANTENNA
    External Antenna Gain (in .5 dBi units) : 8
    Diversity : DIVERSITY_ENABLED
    802.11n Antennas
      A : ENABLED
      B : ENABLED
      C : ENABLED
      D : ENABLED
  .
  .
  .
!BSS color details are displayed below:
  802.11ax Parameters
    HE Capable : Yes
    BSS Color Capable : Yes
    BSS Color Configuration : Customized
    Current BSS Color : 34
  .
  .
  .


CHAPTER 171
Assisted Roaming
· 802.11k Neighbor List and Assisted Roaming, on page 1721
· Restrictions for Assisted Roaming, on page 1722
· How to Configure Assisted Roaming, on page 1722
· Verifying Assisted Roaming, on page 1724
· Configuration Examples for Assisted Roaming, on page 1724
802.11k Neighbor List and Assisted Roaming
The 802.11k standard allows an AP to inform 802.11k-capable clients of neighboring BSSIDs (APs in the same SSID). This can help the client to optimize its scanning and roaming behavior. Additionally, the Assisted Roaming Prediction Optimization feature can be used with non-802.11k clients, to discourage them from roaming to suboptimal APs.
Note We recommend not configuring two SSIDs with the same name in the controller, which may cause roaming issues.
Prediction Based Roaming - Assisted Roaming for Non-802.11k Clients
You can optimize roaming for non-802.11k clients by generating a prediction neighbor list for each client without sending an 802.11k neighbor list request. When prediction based roaming is enabled on a WLAN, after each successful client association or re-association, the same neighbor list optimization is applied to the non-802.11k client to generate and store the neighbor list in the mobile station software data structure. Clients at different locations have different lists because the client probes are seen with different RSSI values by the different neighbors, as clients usually probe before any association or re-association. This list is created with the most recent probe data and predicts the next AP that the client is likely to roam to. The wireless infrastructure discourages clients from roaming to less desirable neighbors by denying association if the association request to an AP does not match the entries on the stored prediction neighbor list.
· Denial count: Maximum number of times a client is refused association.
· Prediction threshold: Minimum number of entries required in the prediction list for the assisted roaming feature to activate.
For more information, see https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-5/Enterprise-Mobility-8-5-Design-Guide/Enterprise_Mobility_8-5_Deployment_Guide/Chapter-11.html#pgfId-1140097.
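The following is an added example written for this page, not Cisco controller code: a small model of the prediction-based roaming decision described above, with the denial count and prediction threshold as parameters. The AP names and probe RSSI values are constructed sample input, and the rule that the denial counter resets after an accepted association is an assumption of the model, not something the guide states.

```python
"""Model of prediction-based assisted roaming for non-802.11k clients.

Added example written for this page; it is not controller code. It models the
mechanism the chapter describes with the three knobs it names:
  - a per-client prediction neighbor list, ranked by the RSSI at which the
    neighboring APs heard the client's probes (constructed input below),
  - prediction-minimum: the list must hold at least this many entries
    before the feature acts on a roam (default 3),
  - denial-maximum: a client is refused association at most this many
    times (default 5, range 1-10).
Resetting the denial counter after an accepted association is an assumption
of this model, not something the chapter states.
"""
from dataclasses import dataclass, field


@dataclass
class AssistedRoamingPolicy:
    prediction_minimum: int = 3   # wireless assisted-roaming prediction-minimum
    denial_maximum: int = 5       # wireless assisted-roaming denial-maximum
    list_size: int = 6            # single-band neighbor list holds at most 6 neighbors


@dataclass
class ClientState:
    prediction_list: list = field(default_factory=list)  # BSSIDs, best first
    denials: int = 0


def build_prediction_list(probe_rssi, policy):
    """Rank neighbor APs by the RSSI (dBm) at which they heard the client's
    probe requests and keep the strongest list_size of them."""
    ranked = sorted(probe_rssi.items(), key=lambda kv: kv[1], reverse=True)
    return [bssid for bssid, _ in ranked[:policy.list_size]]


def on_association_request(client, target_bssid, policy):
    """Decide whether to accept an association request to target_bssid.

    Returns (accepted, reason). A denial happens only when the feature is
    active (enough predicted neighbors) and the target is not one of them,
    and never more than denial_maximum times in a row, so a client that keeps
    insisting on a poor AP is eventually admitted rather than locked out."""
    if len(client.prediction_list) < policy.prediction_minimum:
        return True, "prediction list shorter than prediction-minimum; feature inactive"
    if target_bssid in client.prediction_list:
        client.denials = 0
        return True, "target is a predicted neighbor"
    if client.denials >= policy.denial_maximum:
        client.denials = 0
        return True, "denial-maximum reached; accepted to avoid locking the client out"
    client.denials += 1
    return False, f"denied ({client.denials}/{policy.denial_maximum}): target not in prediction list"


def simulate(probe_rssi, attempts, policy=None):
    """Run a sequence of association attempts for one client and return the
    list of accept/deny decisions."""
    policy = policy or AssistedRoamingPolicy()
    client = ClientState(prediction_list=build_prediction_list(probe_rssi, policy))
    return [on_association_request(client, bssid, policy)[0] for bssid in attempts]


if __name__ == "__main__":
    # Constructed sample: four neighbors heard the client's probe, ap-d only weakly.
    probes = {"ap-a": -45, "ap-b": -50, "ap-c": -60, "ap-d": -75}
    policy = AssistedRoamingPolicy(denial_maximum=2)
    print(build_prediction_list(probes, policy))
    print(simulate(probes, ["ap-z", "ap-z", "ap-z", "ap-a"], policy))
```

The third attempt at the unpredicted ap-z is admitted because denial-maximum (2 here) has been reached; this is why the denial count exists, so that a client whose prediction list is stale cannot be refused service indefinitely.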
Restrictions for Assisted Roaming
· This feature is supported only on 802.11n-capable indoor access points. In a single-band configuration, a maximum of 6 neighbors are visible in a neighbor list; in a dual-band configuration, a maximum of 12 neighbors are visible.
· You can configure assisted roaming only using the device CLI.

How to Configure Assisted Roaming

Configuring Assisted Roaming (GUI)
Assisted roaming allows clients to request neighbor reports containing information about known neighbor access points that are candidates for a service set transition.
Before you begin
Ensure that you have configured an AP Join Profile prior to configuring the primary and backup controllers.
Procedure
Step 1 Choose Configuration > Tags & Profiles > WLAN and click Add to add a WLAN, or select an existing WLAN.
Step 2 On the Advanced tab, go to Assisted Roaming (11K) and select the Prediction Optimization checkbox to optimize roaming for non-802.11k clients by generating a prediction neighbor list for each client without sending an 802.11k neighbor list request.
Step 3 Select the Neighbor List checkbox to enable the 802.11k neighbor list that the controller returns to 802.11k clients that request it. By default, the neighbor list contains only neighbors in the same band with which the client is associated. If you also select the Dual Band Neighbor List checkbox, 802.11k returns neighbors in both bands.
Step 4 Click Apply to Device.

Configuring Assisted Roaming (CLI)
Procedure
Step 1 configure terminal
Enters global configuration mode.
Example:
Device# configure terminal
Step 2 wireless assisted-roaming floor-bias dBm
Configures the neighbor floor label bias. The valid range is from 5 to 25 dBm, and the default value is 15 dBm.
Example:
Device(config)# wireless assisted-roaming floor-bias 20
Step 3 wlan profile-name
Enters the WLAN configuration submode. The profile-name is the profile name of the configured WLAN.
Example:
Device(config)# wlan wlan1
Step 4 assisted-roaming neighbor-list
Configures an 802.11k neighbor list for the WLAN. By default, the assisted roaming neighbor list is enabled when you create a WLAN. The no form of the command disables the assisted roaming neighbor list.
Example:
Device(config-wlan)# assisted-roaming neighbor-list
Step 5 assisted-roaming dual-list
Configures a dual-band 802.11k neighbor list for the WLAN. By default, the assisted roaming dual list is enabled when you create a WLAN. The no form of the command disables the assisted roaming dual list.
Example:
Device(config-wlan)# assisted-roaming dual-list
Step 6 assisted-roaming prediction
Configures the assisted roaming prediction list feature for the WLAN. By default, the assisted roaming prediction list is disabled.
Note: If load balancing is already enabled for the WLAN, a warning message is displayed and load balancing is disabled for the WLAN.
Example:
Device(config-wlan)# assisted-roaming prediction
Step 7 wireless assisted-roaming prediction-minimum count
Configures the minimum number of predicted APs required for the prediction list feature to be activated. The default value is 3. This is a global configuration command, not a WLAN submode command.
Note: If the number of APs in the prediction list assigned to the client is less than the number that you specify, the assisted roaming feature is not applied on that roam.
Example:
Device(config)# wireless assisted-roaming prediction-minimum 4
Step 8 wireless assisted-roaming denial-maximum count
Configures the maximum number of times a client can be denied association when its association request is sent to an AP that does not match any AP on the prediction list. The valid range is from 1 to 10, and the default value is 5.
Example:
Device(config)# wireless assisted-roaming denial-maximum 8
Step 9 end
Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.
Example:
Device(config)# end

Verifying Assisted Roaming
The following command can be used to verify assisted roaming configured on a WLAN:
show wlan id wlan-id
Displays the WLAN parameters, including the assisted roaming settings, for the WLAN.

Configuration Examples for Assisted Roaming
This example shows how to configure the neighbor floor label bias:
Device# configure terminal
Device(config)# wireless assisted-roaming floor-bias 10
Device(config)# end
Device# show wlan id 23
This example shows how to disable the neighbor list on a specific WLAN:
Device# configure terminal
Device(config)# wlan test1
Device(config-wlan)# no assisted-roaming neighbor-list
Device(config-wlan)# end
Device# show wlan id 23
This example shows how to configure the prediction list on a specific WLAN:
Device# configure terminal
Device(config)# wlan test1
Device(config-wlan)# assisted-roaming prediction
Device(config-wlan)# end
Device# show wlan id 23
This example shows how to configure the prediction threshold and the maximum denial count used by the prediction list (both are global configuration commands, not per-WLAN settings):
Device# configure terminal
Device(config)# wireless assisted-roaming prediction-minimum 4
Device(config)# wireless assisted-roaming denial-maximum 4
Device(config)# end
Device# show wlan id 23

CHAPTER 172
802.11v
· Information About 802.11v, on page 1727
· Prerequisites for Configuring 802.11v, on page 1728
· Restrictions for 802.11v, on page 1728
· Enabling 802.11v BSS Transition Management, on page 1728
· Configuring 802.11v BSS Transition Management (GUI), on page 1729
· Configuring 802.11v BSS Transition Management (CLI), on page 1729
Information About 802.11v
The controller supports the 802.11v amendment for wireless networks, which describes numerous enhancements to wireless network management. One such enhancement is Network Assisted Power Savings, which helps clients improve battery life by enabling them to sleep longer. Mobile devices typically wake at regular intervals to make sure that they remain connected to the access point, and so consume more power performing the tasks described below while on a wireless network. Another enhancement is Network Assisted Roaming, which enables the WLAN to send requests to associated clients, advising them of better APs to associate to. This is useful both for load balancing and for directing poorly connected clients.
Enabling 802.11v Network Assisted Power Savings
Wireless devices consume battery to maintain their connection to the access points, in several ways:
· By waking up at regular intervals to listen to the access point beacons containing a DTIM, which indicates buffered broadcast or multicast traffic that the access point delivers to the clients.
· By sending null frames to the access points, in the form of keepalive messages, to maintain connection with the access points.
· By periodically listening to beacons (even in the absence of DTIM fields) to synchronize their clock to that of the corresponding access point.
All these processes consume battery, and this consumption particularly impacts Apple devices, because these devices use a conservative session timeout estimation and therefore wake up often to send keepalive messages. The 802.11 standard, without 802.11v, does not include any mechanism for the controller or the access points to communicate the session timeout for the local client to wireless clients.
To save client power on the tasks mentioned above, the following 802.11v features are used:
· Directed Multicast Service
· Basic Service Set (BSS) Max Idle Period
Directed Multicast Service
Using Directed Multicast Service (DMS), the client requests that the access point transmit the required multicast packets as unicast frames. This allows the client to receive the multicast packets it ignored while in sleep mode and also ensures Layer 2 reliability. Furthermore, the unicast frame is transmitted to the client at a potentially higher wireless link rate, which enables the client to receive the packet quickly by keeping the radio on for a shorter duration, again saving battery power. Because the wireless client also does not have to wake up at each DTIM interval to receive multicast traffic, longer sleep intervals are allowed.
BSS Max Idle Period
The BSS Max Idle Period is the timeframe during which an access point (AP) does not disassociate a client due to nonreceipt of frames from the connected client. This helps ensure that the client device does not send keepalive messages frequently. The idle period timer value is transmitted in the association and reassociation response frames from the access point to the client. The idle time value indicates the maximum time that a client can remain idle without transmitting any frame to the access point. As a result, clients remain in sleep mode for a longer duration without transmitting keepalive messages as often, which in turn saves battery power.
Prerequisites for Configuring 802.11v
· Applies for Apple clients like Apple iPad, iPhone, and so on, that run on Apple iOS version 7 or later.
· Supports local mode; also supports FlexConnect access points in central authentication modes only.
Restrictions for 802.11v
The client must support 802.11v BSS Transition.
Enabling 802.11v BSS Transition Management
802.11v BSS Transition is applied in the following three scenarios:
· Solicited request: A client can send an 802.11v Basic Service Set (BSS) Transition Management Query before roaming, asking for a better AP to reassociate with.
· Unsolicited load balancing request: If an AP is heavily loaded, it sends an 802.11v BSS Transition Management Request to an associated client.
· Unsolicited optimized roaming request: If a client's RSSI and rate do not meet the requirements, the corresponding AP sends an 802.11v BSS Transition Management Request to this client.

Note: An 802.11v BSS Transition Management Request is a suggestion (advice) given to a client, which the client can choose to follow or ignore. To force the disassociation of a client, turn on the disassociation-imminent function. This disassociates the client after a period if the client has not reassociated to another AP.
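To make the difference between advice and a forced move concrete, the following is an added example written for this page, not Cisco code: it builds and decodes the body of a BSS Transition Management Request, showing where the Disassociation Imminent bit and the disassociation timer (in TBTTs, the unit the GUI uses) live. The field layout is IEEE 802.11-2016, 9.6.14.9, as I read it; the BSSID, channel and timer values are constructed sample data, and only the BSSID, channel and candidate preference of each Neighbor Report element are populated.

```python
"""Build and decode an 802.11v BSS Transition Management (BTM) Request.

Added example written for this page; it is not Cisco code. The layout follows
IEEE 802.11-2016, 9.6.14.9 (WNM action frame: category 10, action 7) as I
read it; the BSSIDs, channel numbers and TBTT values used below are
constructed sample data. Only the BSSID, channel and candidate preference of
each Neighbor Report element are populated here.
"""
import struct

CATEGORY_WNM = 10
ACTION_BTM_REQUEST = 7
EID_NEIGHBOR_REPORT = 52
SUBEID_CANDIDATE_PREFERENCE = 3

# Request Mode field bits
PREFERRED_CANDIDATE_LIST = 0x01
ABRIDGED = 0x02
DISASSOC_IMMINENT = 0x04
BSS_TERMINATION = 0x08
ESS_DISASSOC_IMMINENT = 0x10


def neighbor_report(bssid, channel, preference):
    """Neighbor Report element carrying a BSS Transition Candidate Preference
    subelement. BSSID Info, operating class and PHY type are left at 0."""
    body = bytes.fromhex(bssid.replace(":", ""))
    body += struct.pack("<IBBB", 0, 0, channel, 0)
    body += bytes([SUBEID_CANDIDATE_PREFERENCE, 1, preference])
    return bytes([EID_NEIGHBOR_REPORT, len(body)]) + body


def build_btm_request(dialog_token, disassoc_timer_tbtt=0, validity_tbtt=0, candidates=()):
    """Return the action frame body. A non-zero disassociation timer sets the
    Disassociation Imminent bit: the AP will disassociate the client after that
    many beacon intervals (TBTTs) unless it has moved on by itself."""
    mode = 0
    if candidates:
        mode |= PREFERRED_CANDIDATE_LIST
    if disassoc_timer_tbtt:
        mode |= DISASSOC_IMMINENT
    body = struct.pack("<BBBBHB", CATEGORY_WNM, ACTION_BTM_REQUEST,
                       dialog_token, mode, disassoc_timer_tbtt, validity_tbtt)
    for bssid, channel, preference in candidates:
        body += neighbor_report(bssid, channel, preference)
    return body


def parse_btm_request(body):
    """Decode the fields a client (or an analyst reading a capture) cares about."""
    category, action, token, mode, timer, validity = struct.unpack_from("<BBBBHB", body, 0)
    if category != CATEGORY_WNM or action != ACTION_BTM_REQUEST:
        raise ValueError("not a BSS Transition Management Request")
    off = 7
    if mode & BSS_TERMINATION:
        off += 12                      # BSS Termination Duration (fixed 12 octets)
    if mode & ESS_DISASSOC_IMMINENT:
        off += 1 + body[off]           # Session Information URL (length-prefixed)
    candidates = []
    while off + 2 <= len(body):
        eid, elen = body[off], body[off + 1]
        payload = body[off + 2:off + 2 + elen]
        off += 2 + elen
        if eid != EID_NEIGHBOR_REPORT or elen < 13:
            continue
        bssid = ":".join(f"{b:02x}" for b in payload[:6])
        channel, preference = payload[11], None
        sub = payload[13:]                 # optional subelements follow the fixed part
        while len(sub) >= 2:
            sid, slen = sub[0], sub[1]
            if sid == SUBEID_CANDIDATE_PREFERENCE and slen == 1 and len(sub) >= 3:
                preference = sub[2]
            sub = sub[2 + slen:]
        candidates.append((bssid, channel, preference))
    return {
        "dialog_token": token,
        "disassociation_imminent": bool(mode & DISASSOC_IMMINENT),
        "disassociation_timer_tbtt": timer,
        "validity_interval_tbtt": validity,
        "candidates": candidates,
    }


if __name__ == "__main__":
    # 100 TBTTs is about 10 s at the usual 100 ms beacon interval.
    frame = build_btm_request(1, disassoc_timer_tbtt=100, validity_tbtt=200,
                              candidates=[("00:11:22:33:44:55", 36, 255)])
    print(frame.hex())
    print(parse_btm_request(frame))
```

A request built with disassoc_timer_tbtt=0 is pure advice, as the note says; with a non-zero timer the client is told it will be disassociated after that many beacon intervals. The standard classifies WNM action frames (category 10) as robust, so when the client has negotiated PMF (next chapter) a BTM Request is integrity protected; without PMF, any station in range can forge one and steer clients to an AP of its choosing.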

Configuring 802.11v BSS Transition Management (GUI)
Procedure
Step 1 Choose Configuration > Tags & Profiles > WLANs.
Step 2 Click Add to create a WLAN. The Add WLAN page is displayed.
Step 3 In the Advanced tab, 11v BSS Transition Support section, select the BSS Transition check box to enable BSS transition for the WLAN.
Step 4 Enter the Disassociation Imminent value. The valid range is from 0 to 3000 TBTT.
Step 5 Click Save & Apply to Device.

Configuring 802.11v BSS Transition Management (CLI)
Procedure
Step 1 configure terminal
Enters global configuration mode.
Example:
Device# configure terminal
Step 2 wlan profile-name
Configures the WLAN profile and enters WLAN profile configuration mode.
Example:
Device(config)# wlan test-wlan
Step 3 shutdown
Shuts down the WLAN profile.
Example:
Device(config-wlan)# shut
Step 4 bss-transition
Configures BSS transition for the WLAN.
Example:
Device(config-wlan)# bss-transition
Step 5 bss-transition disassociation-imminent
Configures BSS transition disassociation imminent for the WLAN.
Example:
Device(config-wlan)# bss-transition disassociation-imminent
Step 6 no shutdown
Enables the WLAN profile.
Example:
Device(config-wlan)# no shutdown
Step 7 end
Returns to privileged EXEC mode. Alternatively, you can press Ctrl-Z to exit global configuration mode.
Example:
Device(config-wlan)# end

CHAPTER 173
802.11w
· Information About 802.11w, on page 1731
· Prerequisites for 802.11w, on page 1734
· Restrictions for 802.11w, on page 1734
· How to Configure 802.11w, on page 1735
· Disabling 802.11w, on page 1736
· Monitoring 802.11w, on page 1737
Information About 802.11w
Wi-Fi is a broadcast medium that enables any device to eavesdrop and participate, either as a legitimate or a rogue device. Management frames such as authentication, deauthentication, association, disassociation, beacons, and probes are used by wireless clients to initiate and tear down sessions for network services. Unlike data traffic, which can be encrypted to provide a level of confidentiality, these frames must be heard and understood by all clients and therefore must be transmitted open, that is, unencrypted. While these frames cannot be encrypted, they must be protected from forgery to protect the wireless medium from attacks. For example, an attacker could spoof management frames from an AP to attack a client associated with the AP.
The 802.11w protocol applies only to a set of robust management frames that are protected by the Protected Management Frames (PMF) service. These include Disassociation, Deauthentication, and Robust Action frames. The management frames that are considered robust action frames, and are therefore protected, are the following:
· Spectrum Management
· QoS
· DLS
· Block Ack
· Radio Measurement
· Fast BSS Transition
· SA Query
· Protected Dual of Public Action
· Vendor-specific Protected
When 802.11w is implemented in the wireless medium, the following occur:
· Client protection is added by the AP adding cryptographic protection to deauthentication and disassociation frames, preventing them from being spoofed in a DoS attack.
· Infrastructure protection is added by adding a Security Association (SA) teardown protection mechanism, consisting of an Association Comeback Time and an SA Query procedure, that prevents a spoofed association request from disconnecting an already connected client.
802.11w introduces a new key, the IGTK, which is used to protect broadcast and multicast robust management frames:
· The IGTK is a random value assigned by the authenticator STA (WLC) and used to protect MAC management protocol data units (MMPDUs) from that source STA.
When Management Frame Protection is negotiated, the AP encrypts the GTK and IGTK values in the EAPOL-Key frame, which is delivered in Message 3 of the 4-way handshake.
Figure 45: IGTK Exchange in 4-way Handshake

· If the AP later changes the GTK, it sends the new GTK and IGTK to the client using the Group Key Handshake.
802.11w defines a new Broadcast/Multicast Integrity Protocol (BIP) that provides data integrity and replay protection for broadcast and multicast robust management frames after successful establishment of an IGTKSA. It adds a MIC that is calculated using the shared IGTK.
802.11w Information Elements (IEs)
Figure 46: 802.11w Information Elements

1. Modifications made in the RSN Capabilities field of the RSNIE:
   a. Bit 6: Management Frame Protection Required (MFPR)
   b. Bit 7: Management Frame Protection Capable (MFPC)
2. Two new AKM suites, 5 and 6, are added to the AKM Suite Selectors.
3. A new cipher suite, type 6, is added to accommodate BIP.
The WLC adds this modified RSNIE in association and reassociation responses, and the APs add this modified RSNIE in beacons and probe responses. The following Wireshark capture shows the RSNIE capabilities and the Group Management Cipher Suite elements.
Figure 47: 802.11w Information Elements
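As an added example written for this page (not controller code), the following decodes an RSN element the way the capture above shows it and applies the PMF negotiation outcome between an AP's advertised RSNIE and a client's. The field layout is the RSNE of IEEE 802.11-2016 (9.4.2.25) and the negotiation rules are those of 12.6.3, stated as I read the standard; the sample elements at the bottom are constructed to mirror the list above (AKM 5 is 802.1X-SHA256, cipher 6 is BIP-CMAC-128, MFPR and MFPC are bits 6 and 7 of RSN Capabilities).

```python
"""Decode an RSN element (RSNE) and apply the 802.11w PMF negotiation rules.

Added example written for this page; it is not controller code. The field
layout is the RSNE of IEEE 802.11-2016 (9.4.2.25) and the negotiation rules
are those of 12.6.3; both are stated here as I read the standard. The sample
elements built at the bottom are constructed to mirror the chapter: AKM 5 is
802.1X-SHA256, AKM 6 is PSK-SHA256, cipher 6 is BIP-CMAC-128, and MFPR/MFPC
are bits 6 and 7 of the RSN Capabilities field.
"""
import struct

EID_RSN = 48
OUI = b"\x00\x0f\xac"
CIPHERS = {2: "TKIP", 4: "CCMP-128", 6: "BIP-CMAC-128"}
AKMS = {1: "802.1X", 2: "PSK", 5: "802.1X-SHA256", 6: "PSK-SHA256"}
MFPR = 1 << 6   # Management Frame Protection Required
MFPC = 1 << 7   # Management Frame Protection Capable
STATUS_ROBUST_MGMT_POLICY_VIOLATION = 31


def _suite_name(suite, table):
    if suite[:3] != OUI:
        return "vendor:" + suite.hex()
    return table.get(suite[3], "unknown-%d" % suite[3])


def _suite_list(body, off, table):
    (count,) = struct.unpack_from("<H", body, off)
    off += 2
    names = [_suite_name(body[off + 4 * i:off + 4 * i + 4], table) for i in range(count)]
    return names, off + 4 * count


def parse_rsne(element):
    """element is the whole IE: ID 48, length, body. The trailing fields
    (capabilities, PMKID list, group management cipher) are optional in the
    standard, so each is read only when the length says it is present."""
    if element[0] != EID_RSN:
        raise ValueError("not an RSN element")
    body = element[2:2 + element[1]]
    (version,) = struct.unpack_from("<H", body, 0)
    info = {"version": version, "group_cipher": _suite_name(body[2:6], CIPHERS)}
    info["pairwise"], off = _suite_list(body, 6, CIPHERS)
    info["akm"], off = _suite_list(body, off, AKMS)
    caps = 0
    if off + 2 <= len(body):
        (caps,) = struct.unpack_from("<H", body, off)
        off += 2
    info["mfpc"], info["mfpr"] = bool(caps & MFPC), bool(caps & MFPR)
    info["group_mgmt_cipher"] = None
    if off + 2 <= len(body):
        (n_pmkid,) = struct.unpack_from("<H", body, off)
        off += 2 + 16 * n_pmkid
        if off + 4 <= len(body):
            info["group_mgmt_cipher"] = _suite_name(body[off:off + 4], CIPHERS)
    return info


def pmf_decision(ap, sta):
    """Outcome of PMF negotiation between an AP's advertised RSNE and a
    client's RSNE. Returns (outcome, association status code)."""
    if ap["mfpr"] and not sta["mfpc"]:
        return "reject", STATUS_ROBUST_MGMT_POLICY_VIOLATION   # PMF Required WLAN, legacy client
    if sta["mfpr"] and not ap["mfpc"]:
        return "sta-must-not-associate", None                  # client demands PMF, AP lacks it
    if ap["mfpc"] and sta["mfpc"]:
        return "pmf", 0
    return "no-pmf", 0


def build_rsne(akms=(1,), pairwise=(4,), caps=0, group_mgmt=None, group=4):
    """Assemble an RSNE; used here only to construct sample input."""
    body = struct.pack("<H", 1) + OUI + bytes([group])
    body += struct.pack("<H", len(pairwise)) + b"".join(OUI + bytes([c]) for c in pairwise)
    body += struct.pack("<H", len(akms)) + b"".join(OUI + bytes([a]) for a in akms)
    body += struct.pack("<H", caps)
    if group_mgmt is not None:
        body += struct.pack("<H", 0) + OUI + bytes([group_mgmt])   # PMKID count 0, then BIP
    return bytes([EID_RSN, len(body)]) + body


# Constructed samples: what a "security pmf mandatory" WLAN with dot1x-sha256
# advertises, a PMF-capable client, and a legacy client without PMF.
AP_PMF_REQUIRED = parse_rsne(build_rsne(akms=(5,), caps=MFPC | MFPR, group_mgmt=6))
STA_PMF_CAPABLE = parse_rsne(build_rsne(akms=(5,), caps=MFPC, group_mgmt=6))
STA_LEGACY = parse_rsne(build_rsne(akms=(1,)))

if __name__ == "__main__":
    print(AP_PMF_REQUIRED)
    print(pmf_decision(AP_PMF_REQUIRED, STA_PMF_CAPABLE))
    print(pmf_decision(AP_PMF_REQUIRED, STA_LEGACY))
```

The legacy client is rejected on a PMF Required WLAN, which is the association failure the Restrictions section warns about for older Apple clients; on a PMF Optional WLAN (MFPC set, MFPR clear) the same client associates without PMF and its deauthentication frames remain forgeable.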
Security Association (SA) Teardown Protection
SA teardown protection is a mechanism to prevent replay attacks from tearing down the session of an existing client. It consists of an Association Comeback Time and an SA Query procedure that prevent spoofed association requests from disconnecting an already connected client.
If a client has a valid security association and has negotiated 802.11w, the AP rejects another Association Request with status code 30, which stands for "Association request rejected temporarily; try again later". The AP does not tear down or otherwise modify the state of the existing association until the SA Query procedure determines that the original SA is invalid, and it includes in the Association Response an Association Comeback Time information element, specifying a comeback time at which the AP would be ready to accept an association with this client.
The following capture shows the Association Reject message with status code 0x1e (30) and the Association Comeback Time set to 10 seconds.
Figure 48: Association Reject with Comeback Time

Following this, if the AP is not already engaged in an SA Query with the client, the AP issues SA Query requests until a matching SA Query response is received or the Association Comeback Time expires. An AP may interpret reception of a valid protected frame as an indication of a successfully completed SA Query. If an SA Query response with a matching transaction identifier is received within the time period, the AP allows the association process to be started without starting additional SA Query procedures.
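The exchange the preceding paragraphs describe, as an added example written for this page (not Cisco controller code): a small model of the AP side of SA teardown protection. The timer names follow the CLI knobs from the sections that follow (association-comeback in seconds, saquery-retry-time in milliseconds); the MAC addresses and times are constructed, and the rule that the original association is kept when the query is answered is this model's reading of the text, stated as an assumption.

```python
"""Model of 802.11w SA teardown protection: association comeback + SA Query.

Added example written for this page; it is not controller code. It models the
sequence the chapter describes: when an Association Request arrives for a
client that already holds a PMF-protected security association, the AP
answers status 30 with an Association Comeback Time and starts an SA Query;
the existing association is torn down only if no matching SA Query Response
arrives before the comeback time expires. Timer values follow the CLI knobs:
association-comeback in seconds (1-10), saquery-retry-time in milliseconds
(100-500). Keeping the original SA when the query is answered is this
model's reading of the text, stated as an assumption.
"""
from dataclasses import dataclass, field
from typing import Optional

STATUS_SUCCESS = 0
STATUS_ASSOC_REJECTED_TEMPORARILY = 30


@dataclass
class Association:
    pmf: bool
    sa_query_tid: Optional[int] = None   # transaction id of the outstanding SA Query
    next_query_at: float = 0.0           # when the next SA Query Request is due
    deadline: float = 0.0                # comeback time: last chance for a response


@dataclass
class AccessPoint:
    comeback_s: float = 1.0              # security pmf association-comeback 1
    saquery_retry_ms: int = 200          # security pmf saquery-retry-time 200
    clients: dict = field(default_factory=dict)
    queries_sent: list = field(default_factory=list)   # (mac, tid, time) log
    _tid: int = 0

    def on_association_request(self, mac, now, sta_pmf_capable):
        """Return (status_code, comeback_seconds) for an Association Request."""
        current = self.clients.get(mac)
        if current is not None and current.pmf:
            if current.sa_query_tid is None and current.deadline <= now:
                # First request during a valid SA: reject temporarily and start
                # an SA Query instead of trusting the (possibly spoofed) request.
                self._tid += 1
                current.sa_query_tid = self._tid
                current.next_query_at = now
                current.deadline = now + self.comeback_s
            elif current.sa_query_tid is not None and now >= current.deadline:
                # No valid response before the comeback time: original SA is dead.
                del self.clients[mac]
                return self.on_association_request(mac, now, sta_pmf_capable)
            # Otherwise a query is in flight or was just answered: keep rejecting
            # within the comeback window without starting another SA Query.
            self.tick(now)
            return STATUS_ASSOC_REJECTED_TEMPORARILY, self.comeback_s
        self.clients[mac] = Association(pmf=sta_pmf_capable)
        return STATUS_SUCCESS, 0

    def tick(self, now):
        """Send SA Query Requests that are due, retrying every saquery-retry-time."""
        for mac, a in self.clients.items():
            while a.sa_query_tid is not None and a.next_query_at <= now < a.deadline:
                self.queries_sent.append((mac, a.sa_query_tid, a.next_query_at))
                a.next_query_at += self.saquery_retry_ms / 1000.0

    def on_sa_query_response(self, mac, tid, now):
        """A protected response with the matching transaction id proves the
        real client is alive; the existing association is kept."""
        a = self.clients.get(mac)
        if a and a.sa_query_tid == tid and now < a.deadline:
            a.sa_query_tid = None
            return True
        return False


if __name__ == "__main__":
    ap = AccessPoint(comeback_s=1.0, saquery_retry_ms=200)
    print(ap.on_association_request("aa:bb:cc:00:00:01", 0.0, True))   # (0, 0)
    print(ap.on_association_request("aa:bb:cc:00:00:01", 0.5, True))   # (30, 1.0): spoof?
    print(ap.on_sa_query_response("aa:bb:cc:00:00:01", 1, 0.6))         # True: real client alive
    print(ap.queries_sent)
```

Without PMF negotiated (pmf=False in the model) the second request simply replaces the association, which is exactly the forged-reassociation disconnect the comeback mechanism exists to prevent.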
Prerequisites for 802.11w
· To configure the 802.11w feature as optional or mandatory, you must have WPA and an AKM configured.
Note: The RSN (Robust Security Network) IE must be enabled with an AES cipher.
· To configure 802.11w as mandatory, you must enable a SHA256-based AKM in addition to the WPA AKM.
Restrictions for 802.11w
· 802.11w cannot be applied on an open WLAN, a WEP-encrypted WLAN, or a TKIP-encrypted WLAN.
· Cisco Catalyst 9800 Series Wireless Controller supports the 802.11w + PMF combination for non-Apple clients. Apple iOS version 11 and earlier require a fix from the Apple iOS side to resolve the association issues.
· The controller ignores disassociation or deauthentication frames sent by clients if they are not using 802.11w PMF. The client entry is deleted immediately upon reception of such a frame only if the client uses PMF. This avoids denial of service by a malicious device, since there is no security on those frames without PMF.
How to Configure 802.11w

Configuring 802.11w (GUI)
Before you begin
WPA and AKM must be configured.
Procedure
Step 1 Choose Configuration > Tags & Profiles > WLANs.
Step 2 Click Add to create a WLAN. The Add WLAN page is displayed.
Step 3 In the Security > Layer2 tab, navigate to the Protected Management Frame section.
Step 4 Choose PMF as Disabled, Optional, or Required. By default, PMF is disabled. If you choose PMF as Optional or Required, the following fields are displayed:
· Association Comeback Timer: Enter a value between 1 and 10 seconds to configure the 802.11w association comeback time.
· SA Query Time: Enter a value between 100 and 500 milliseconds. This is the time within which an SA Query response is expected before the query is retried.
Step 5 Click Save & Apply to Device.

Configuring 802.11w (CLI)
Before you begin
WPA and AKM must be configured.
Procedure
Step 1 configure terminal
Enters global configuration mode.
Example:
Device# configure terminal
Step 2 wlan profile-name wlan-id ssid
Configures a WLAN and enters WLAN configuration mode.
Example:
Device(config)# wlan wlan-test 12 alpha
Step 3 security wpa akm dot1x-sha256
Configures the 802.1X-SHA256 AKM. A SHA256-based AKM is required before PMF can be made mandatory.
Example:
Device(config-wlan)# security wpa akm dot1x-sha256
Step 4 security pmf association-comeback comeback-interval
Configures the 802.11w association comeback time, in seconds.
Example:
Device(config-wlan)# security pmf association-comeback 10
Step 5 security pmf mandatory
Requires clients to negotiate 802.11w PMF protection on the WLAN.
Example:
Device(config-wlan)# security pmf mandatory
Step 6 security pmf saquery-retry-time timeout
Time interval, in milliseconds, before which the SA Query response is expected. If the device does not get a response, another SA Query is sent.
Example:
Device(config-wlan)# security pmf saquery-retry-time 100

Disabling 802.11w
Procedure
Step 1 configure terminal
Enters global configuration mode.
Example:
Device# configure terminal
Step 2 wlan profile-name wlan-id ssid
Configures a WLAN and enters WLAN configuration mode.
Example:
Device(config)# wlan wlan-test 12 alpha
Step 3 no security wpa akm dot1x-sha256
Disables the 802.1X-SHA256 AKM.
Example:
Device(config-wlan)# no security wpa akm dot1x-sha256
Step 4 no security pmf association-comeback comeback-interval
Disables the 802.11w association comeback time.
Example:
Device(config-wlan)# no security pmf association-comeback 10
Step 5 no security pmf mandatory
Disables mandatory 802.11w PMF protection on the WLAN.
Example:
Device(config-wlan)# no security pmf mandatory
Step 6 no security pmf saquery-retry-time timeout
Disables the SA Query retry setting.
Example:
Device(config-wlan)# no security pmf saquery-retry-time 100

Monitoring 802.11w
Use the following commands to monitor 802.11w.
Procedure
Step 1 show wlan name wlan-name
Displays the WLAN parameters for the WLAN. The PMF parameters are displayed.
....
....
Auth Key Management
    802.1x                           : Disabled
    PSK                              : Disabled
    CCKM                             : Disabled
    FT dot1x                         : Disabled
    FT PSK                           : Disabled
    FT SAE                           : Disabled
    Dot1x-SHA256                     : Enabled
    PSK-SHA256                       : Disabled
    SAE                              : Disabled
    OWE                              : Disabled
    SUITEB-1X                        : Disabled
    SUITEB192-1X                     : Disabled
CCKM TSF Tolerance                   : 1000
FT Support                           : Adaptive
FT Reassociation Timeout             : 20
FT Over-The-DS mode                  : Enabled
PMF Support                          : Required
PMF Association Comeback Timeout     : 1
PMF SA Query Time                    : 500
....
....
Step 2 show wireless client mac-address mac-address detail
Displays the summary of the 802.11w authentication key management configuration on a client.
....
....
Policy Manager State: Run
NPU Fast Fast Notified : No
Last Policy Manager State : IP Learn Complete
Client Entry Create Time : 497 seconds
Policy Type : WPA2
Encryption Cipher : CCMP (AES)
Authentication Key Management : 802.1x-SHA256
Encrypted Traffic Analytics : No
Management Frame Protection : No
Protected Management Frame - 802.11w : Yes
EAP Type : LEAP
VLAN : 39
Multicast VLAN : 0
Access VLAN : 39
Anchor VLAN : 0
WFD capable : No
Manged WFD capable : No
....
....

CHAPTER 174
802.11ax Per Virtual Access Point
· Information About 802.11ax Mode Per Virtual Access Point, on page 1739
· Configuring 802.11ax Mode Per Virtual Access Point (GUI), on page 1739
· Configuring 802.11ax Mode Per Virtual Access Point, on page 1740
· Verifying 802.11ax Mode Per Virtual Access Point, on page 1740
Information About 802.11ax Mode Per Virtual Access Point
Prior to Cisco IOS XE Bengaluru Release 17.4.1, 802.11ax mode was configured per radio band. In that configuration, 11ax mode was either enabled or disabled for all the virtual access points (VAPs) configured on a radio, all at once. When 11ax was enabled on a radio, 11ac clients were not able to scan or connect to the SSID if the beacon carried 11ax information elements: a client could not probe an access point (AP) whose beacon has the 11ax IE.
Therefore, from Cisco IOS XE Bengaluru Release 17.5.1, an 11ax configuration knob per virtual AP is introduced. This knob is configured under the WLAN profile. By default, the 11ax knob per VAP is enabled on the controller.

Configuring 802.11ax Mode Per Virtual Access Point (GUI)
Procedure
Step 1 Choose Configuration > Tags & Profiles > WLANs.
Step 2 Click Add. The Add WLAN window is displayed.
Step 3 Click the Advanced tab.
Step 4 In the 11ax section, check the Enable 11ax check box to enable 802.11ax operation status on the WLAN.
Note: When 11ax is disabled, beacons do not carry the 11ax IE, and all the 11ax features are operationally disabled on the WLAN.
Step 5 Click Apply to Device.

Configuring 802.11ax Mode Per Virtual Access Point
Procedure
Step 1 configure terminal
Enters global configuration mode.
Example:
Device# configure terminal
Step 2 wlan wlan-profile-name
Specifies the WLAN name and enters WLAN configuration mode.
Example:
Device(config)# wlan wlan-profile
Step 3 dot11ax
Configures 802.11ax on the WLAN.
Example:
Device(config-wlan)# dot11ax
Step 4 no dot11ax
Disables 802.11ax on the WLAN profile. Use this instead of Step 3 to turn 11ax off for the WLAN.
Example:
Device(config-wlan)# no dot11ax

Verifying 802.11ax Mode Per Virtual Access Point
To display the status of the 11ax parameter, run the following command:
Device# show wlan id 6
WLAN Profile Name                              : power
================================================
Identifier                                     : 6
Description                                    :
Network Name (SSID)                            : power
Status                                         : Enabled
Broadcast SSID                                 : Enabled
Advertise-Apname                               : Disabled
Universal AP Admin                             : Disabled
Max Associated Clients per WLAN                : 0
Max Associated Clients per AP per WLAN         : 0
Max Associated Clients per AP Radio per WLAN   : 200
.
.
.
802.11ac MU-MIMO                               : Enabled
802.11ax parameters
    802.11ax Operation Status                  : Enabled
    OFDMA Downlink                             : Enabled
    OFDMA Uplink                               : Enabled
    MU-MIMO Downlink                           : Enabled
    MU-MIMO Uplink                             : Enabled
    BSS Target Wake Up Time                    : Enabled
    BSS Target Wake Up Time Broadcast Support  : Enabled
.
.
.

CHAPTER 175
Management Frame Protection
· Information About Management Frame Protection, on page 1743
· Restrictions for Management Frame Protection, on page 1744
· Configuring Management Frame Protection (CLI), on page 1745
· Verifying Management Frame Protection Settings, on page 1745
Information About Management Frame Protection
By default, 802.11 management frames are unauthenticated and hence not protected against spoofing. Infrastructure management frame protection (MFP) and 802.11w protected management frames (PMF) provide protection against such attacks.
Infrastructure MFP
Infrastructure MFP protects management frames by detecting adversaries that are invoking denial-of-service attacks, flooding the network with associations and probes, interjecting as rogue APs, and affecting network performance by attacking the QoS and radio measurement frames. Infrastructure MFP is a global setting that provides a quick and effective means to detect and report spoofing incidents. Specifically, infrastructure MFP protects 802.11 session management functions by adding message integrity check information elements (MIC IEs) to the management frames emitted by APs (and not those emitted by clients), which are then validated by other APs in the network. Infrastructure MFP is passive: it can detect and report intrusions but has no means to stop them.
Infrastructure MFP consists of three main components:
· Management frame protection: The AP protects the management frames it transmits by adding a MIC IE to each frame. Any attempt to copy, alter, or replay the frame invalidates the MIC, causing any receiving AP configured to detect MFP frames to report the discrepancy. MFP is supported for use with Cisco Aironet lightweight APs.
· Management frame validation: In infrastructure MFP, the AP validates every management frame that it receives from other APs in the network. It ensures that the MIC IE is present (when the originator is configured to transmit MFP frames) and matches the content of the management frame. If it receives any frame that does not contain a valid MIC IE from a BSSID belonging to an AP that is configured to transmit MFP frames, it reports the discrepancy to the network management system. In order for the timestamps to operate properly, all controllers must be Network Time Protocol (NTP) synchronized.
· Event reporting: The AP notifies the controller when it detects an anomaly, and the controller aggregates the received anomaly events and can report the results through SNMP traps to the network management system.
Infrastructure MFP is disabled by default, and you can enable it globally. When you upgrade from a previous software release, infrastructure MFP is disabled globally if you have enabled AP authentication because the two features are mutually exclusive. When you enable infrastructure MFP globally, signature generation (adding MICs to outbound frames) can be disabled for selected WLANs, and validation can be disabled for selected APs.
Note: CCXv5 client MFP is no longer supported. Client MFP is enabled as optional by default on WLANs that are configured for WPA2. However, client MFP is not supported on Wave 2 APs or 802.11ax Wi-Fi 6 APs, and there exist no clients that support CCXv5.
Supported Access Point Models
Cisco MFP is supported on the following AP models:
· Cisco Aironet 2802, 3802, and 4802 series access points
· Cisco Aironet 2800, 3800, 4800, and 1560 series access points
Unsupported Access Point Models
Cisco MFP is not supported on the following AP models:
· Cisco Aironet 1800 and 1900 series access points
· Cisco 802.11ax access points
· All Cisco IOS access points
Restrictions for Management Frame Protection
· Lightweight access points support infrastructure MFP in local and monitor modes, and in FlexConnect mode when the access point is connected to a controller.
· Client MFP is not supported on Cisco Wave 1 APs and Cisco Wave 2 APs.
· OEAP 600 series access points do not support MFP.
· 802.11ax access points do not support MFP.
· Non-CCXv5 clients may associate to a WLAN if client MFP is disabled or optional.
· Error reports generated on a FlexConnect access point in standalone mode cannot be forwarded to the controller and are dropped.
· Keys are generated using a random number generator, but you can improve the keys by changing to SHA.
· An MFP key for each BSSID is not supported.

Configuring Management Frame Protection (CLI)

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wireless wps mfp
Example:
Device(config)# wireless wps mfp
Purpose: Configures management frame protection.

Step 3
Command or Action: wireless wps mfp {ap-impersonation | key-refresh-interval}
Example:
Device(config)# wireless wps mfp ap-impersonation
Device(config)# wireless wps mfp key-refresh-interval
Purpose: Configures AP impersonation detection, or the MFP key refresh interval in hours.
key-refresh-interval: Refers to the MFP key refresh interval in hours. The valid range is from 1 to 24. The default value is 24.

Step 4
Command or Action: end
Example:
Device(config)# end
Purpose: Saves the configuration, exits configuration mode, and returns to privileged EXEC mode.

Verifying Management Frame Protection Settings

To verify whether the Management Frame Protection (MFP) feature is enabled, use the following command:

Device# show wireless wps summary

Client Exclusion Policy
  Excessive 802.11-association failures    : unknown
  Excessive 802.11-authentication failures : unknown
  Excessive 802.1x-authentication          : unknown
  IP-theft                                 : unknown
  Excessive Web authentication failure     : unknown
  Failed Qos Policy                        : unknown

Management Frame Protection
  Global Infrastructure MFP state : Enabled
  AP Impersonation detection      : Disabled
  Key refresh interval            : 15

To view the MFP details, use the following command:

Device# show wireless wps mfp summary

Management Frame Protection
  Global Infrastructure MFP state : Enabled
  AP Impersonation detection      : Disabled
  Key refresh interval            : 15

To view the MFP statistics details, use the following command:

Device# show wireless wps mfp statistics

BSSID           Radio  DetectorAP  FrameTypes              LastSourceAddr  Error        Count
aabb.ccdd.eeff  a      AP3800      Beacon, Probe Response  aabb.ccdd.eeff  Invalid MIC  10
                                   Beacon, Probe Response                  Invalid MIC  20
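The "Invalid MIC" rows above are the signal that a management frame from a protected BSSID was copied, altered, or replayed, so a wireless IDS pipeline usually wants to sum them per BSSID and alert on a threshold. The parser below is an added example, not Cisco code: it reads the statistics table in the column layout shown above (the exact column widths are an assumption, and the sample rows are constructed to match the guide's values), inheriting the key columns on continuation rows where the controller prints them only once.

```python
"""Parse 'show wireless wps mfp statistics' output and flag BSSIDs with MFP errors.

Added example (not Cisco code). Column widths are assumed from the guide's
sample layout; the sample rows are constructed to match the guide's values.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# Assumed fixed column widths (all but the last column, which is unpadded).
_WIDTHS = (16, 7, 12, 24, 16, 13)
# Columns the device prints once per BSSID and leaves blank on continuation rows.
_KEY_COLUMNS = ("BSSID", "Radio", "DetectorAP", "LastSourceAddr")


def _row(*cells: str) -> str:
    """Lay out one fixed-width table row."""
    return "".join(c.ljust(w) for c, w in zip(cells, _WIDTHS)) + cells[-1]


# Constructed sample: one detector AP reporting two error rows for one BSSID.
SAMPLE_OUTPUT = "\n".join([
    _row("BSSID", "Radio", "DetectorAP", "FrameTypes", "LastSourceAddr", "Error", "Count"),
    _row("aabb.ccdd.eeff", "a", "AP3800", "Beacon, Probe Response",
         "aabb.ccdd.eeff", "Invalid MIC", "10"),
    _row("", "", "", "Beacon, Probe Response", "", "Invalid MIC", "20"),
])


@dataclass(frozen=True)
class MfpEvent:
    bssid: str
    radio: str
    detector_ap: str
    frame_types: str
    last_source: str
    error: str
    count: int


def parse_mfp_statistics(text: str) -> list[MfpEvent]:
    """Parse the table into events, filling key columns on continuation rows."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    header = lines[0]
    names = header.split()
    # Column boundaries are where each header word starts.
    starts = [m.start() for m in re.finditer(r"\S+", header)]
    bounds = list(zip(names, starts, starts[1:] + [None]))
    events: list[MfpEvent] = []
    carry: dict[str, str] = {}
    for line in lines[1:]:
        fields = {name: line[s:e].strip() for name, s, e in bounds}
        for key in _KEY_COLUMNS:
            if fields[key]:
                carry[key] = fields[key]
            elif key in carry:
                fields[key] = carry[key]  # continuation row: reuse previous values
        events.append(MfpEvent(
            bssid=fields["BSSID"], radio=fields["Radio"],
            detector_ap=fields["DetectorAP"], frame_types=fields["FrameTypes"],
            last_source=fields["LastSourceAddr"], error=fields["Error"],
            count=int(fields["Count"]),
        ))
    return events


def error_totals(events: list[MfpEvent]) -> dict[tuple[str, str], int]:
    """Sum the Count column per (BSSID, error string)."""
    totals: dict[tuple[str, str], int] = {}
    for ev in events:
        key = (ev.bssid, ev.error)
        totals[key] = totals.get(key, 0) + ev.count
    return totals


def bssids_over_threshold(events: list[MfpEvent], threshold: int) -> list[str]:
    """BSSIDs whose summed 'Invalid MIC' count reaches the alert threshold."""
    per_bssid: dict[str, int] = {}
    for (bssid, error), n in error_totals(events).items():
        if error == "Invalid MIC":
            per_bssid[bssid] = per_bssid.get(bssid, 0) + n
    return sorted(b for b, n in per_bssid.items() if n >= threshold)


if __name__ == "__main__":
    evs = parse_mfp_statistics(SAMPLE_OUTPUT)
    print(error_totals(evs))
    print("alert:", bssids_over_threshold(evs, 25))
```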

To verify whether access points support MFP validation and protection, use the following command:

Device# show wireless wps mfp ap summary

AP Name             Radio MAC        Validation  Protection
------------------------------------------------------------------------------------------
AP002A.1087.CBF4    00a2.eefd.bdc0   Enabled     Enabled
AP58AC.78DE.9946    00a2.eeb8.4ae0   Enabled     Enabled
APb4de.3196.caac    4c77.6d83.6b90   Enabled     Enabled


CHAPTER 176
Deny Wireless Client Session Establishment Using Calendar Profiles
· Information About Denial of Wireless Client Session Establishment, on page 1747
· Configuring Daily Calendar Profile, on page 1748
· Configuring Weekly Calendar Profile, on page 1749
· Configuring Monthly Calendar Profile, on page 1750
· Mapping a Daily Calendar Profile to a Policy Profile, on page 1751
· Mapping a Weekly Calendar Profile to a Policy Profile, on page 1752
· Mapping a Monthly Calendar Profile to a Policy Profile, on page 1753
· Verifying Calendar Profile Configuration, on page 1754
· Verifying Policy Profile Configuration, on page 1755
Information About Denial of Wireless Client Session Establishment
The denial of client session establishment feature allows the controller to stop client session establishment at a particular time. This helps control the network in an efficient and controlled manner without manual intervention. On the Cisco Catalyst 9800 Series Wireless Controller, you can deny wireless client sessions based on the following recurrences:
· Daily
· Weekly
· Monthly

The calendar profiles created are then mapped to the policy profile. By attaching the calendar profile to a policy profile, you can create different recurrences for the policy profile using different policy tags.
Note You need to create separate calendar profiles for the Daily, Weekly, and Monthly sub-categories.

The following is the workflow for the denial of wireless client session establishment feature:
· Create a calendar profile.
· Apply the calendar profile to a policy profile.

Note A maximum of 100 calendar profile configurations and 5 calendar profile associations to a policy profile are supported.

Points to Remember
If you boot up your controller, the denial of client session establishment feature kicks in one minute after the system boots up. If you change the system time after a calendar profile is associated to a policy profile, expect a delay of up to 30 seconds before the feature adapts to the new clock time.

Note You cannot use the no action deny-client command to disable the action while the calendar profile is associated to a policy profile. If you want to disable the action command, you need to disassociate the calendar profile from the policy profile and then reconfigure it.

Configuring Daily Calendar Profile

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wireless profile calendar-profile name name
Example:
Device(config)# wireless profile calendar-profile name daily_calendar_profile
Purpose: Configures a calendar profile. Here, name refers to the name of the calendar profile.

Step 3
Command or Action: start start_time end end_time
Example:
Device(config-calendar-profile)# start 09:00:00 end 17:00:00
Purpose: Configures the start and end time for the calendar profile. Here, start_time is the start time for the calendar profile and end_time is the end time for the calendar profile. You need to enter both in HH:MM:SS format.

Step 4
Command or Action: recurrence daily
Example:
Device(config-calendar-profile)# recurrence daily
Purpose: Configures daily recurrence for the calendar profile.

Step 5
Command or Action: end
Example:
Device(config-calendar-profile)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Note When the calendar profile kicks in, the AP power profile rules (for example, radio state and USB device state) that are defined for the Ethernet speed are not applied and continue to be as per the fixed power profile.

Configuring Weekly Calendar Profile

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wireless profile calendar-profile name name
Example:
Device(config)# wireless profile calendar-profile name weekly_calendar_profile
Purpose: Configures a calendar profile. Here, name refers to the name of the calendar profile.

Step 3
Command or Action: start start_time end end_time
Example:
Device(config-calendar-profile)# start 18:00:00 end 19:00:00
Purpose: Configures the start and end time for the calendar profile. Here, start_time is the start time for the calendar profile and end_time is the end time for the calendar profile. You need to enter both in HH:MM:SS format.

Step 4
Command or Action: recurrence weekly
Example:
Device(config-calendar-profile)# recurrence weekly
Purpose: Configures weekly recurrence for the calendar profile.

Step 5
Command or Action: day {friday | monday | saturday | sunday | thursday | tuesday | wednesday}
Example:
Device(config-calendar-profile)# day friday
Device(config-calendar-profile)# day monday
Purpose: Configures the days on which the weekly calendar needs to be active.
Note You can configure multiple days using this command.

Step 6
Command or Action: end
Example:
Device(config-calendar-profile)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Configuring Monthly Calendar Profile

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wireless profile calendar-profile name name
Example:
Device(config)# wireless profile calendar-profile name monthly_calendar_profile
Purpose: Configures a calendar profile. Here, name refers to the name of the calendar profile.

Step 3
Command or Action: start start_time end end_time
Example:
Device(config-calendar-profile)# start 18:00:00 end 19:00:00
Purpose: Configures the start and end time for the calendar profile. Here, start_time is the start time for the calendar profile and end_time is the end time for the calendar profile. You need to enter both in HH:MM:SS format.

Step 4
Command or Action: recurrence monthly
Example:
Device(config-calendar-profile)# recurrence monthly
Purpose: Configures monthly recurrence for the calendar profile.

Step 5
Command or Action: date value
Example:
Device(config-calendar-profile)# date 25
Purpose: Configures a date for the calendar profile.
Note If the requirement is to deny client sessions at certain times, such as on the 2nd, 10th, and 25th of every month, all three dates need to be configured using the date command. There is no range option for date; configure each date as per your requirement.

Step 6
Command or Action: end
Example:
Device(config-calendar-profile)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Mapping a Daily Calendar Profile to a Policy Profile

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wireless profile policy profile-name
Example:
Device(config)# wireless profile policy default-policy-profile
Purpose: Creates a policy profile for the WLAN. The profile-name is the name of the policy profile.

Step 3
Command or Action: calender-profile name calendar-profile-name
Example:
Device(config-wireless-policy)# calender-profile name daily_calendar_profile
Purpose: Maps a calendar profile to a policy profile. The calendar-profile-name is the name of the calendar profile created in Configuring Daily Calendar Profile, on page 1748.
Note You need to disable the policy profile before associating a calendar profile to it. The following needs to be done:
Device(config-wireless-policy)# shutdown

Step 4
Command or Action: action deny-client
Example:
Device(config-policy-profile-calender)# action deny-client
Purpose: Configures denial of client session establishment during the calendar profile interval.
Note Client associations are denied daily between 9:00:00 and 17:00:00. For start and end time details, see Configuring Daily Calendar Profile, on page 1748.

Step 5
Command or Action: end
Example:
Device(config-policy-profile-calender)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Mapping a Weekly Calendar Profile to a Policy Profile

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wireless profile policy profile-name
Example:
Device(config)# wireless profile policy default-policy-profile
Purpose: Creates a policy profile for the WLAN. The profile-name is the name of the policy profile.

Step 3
Command or Action: calender-profile name calendar-profile-name
Example:
Device(config-wireless-policy)# calender-profile name weekly_calendar_profile
Purpose: Maps a calendar profile to a policy profile. The calendar-profile-name is the name of the calendar profile created in Configuring Weekly Calendar Profile, on page 1749.
Note You need to disable the policy profile before associating a calendar profile to it. The following needs to be done:
Device(config-wireless-policy)# shutdown

Step 4
Command or Action: action deny-client
Example:
Device(config-policy-profile-calender)# action deny-client
Purpose: Configures denial of client session establishment during the calendar profile interval.
Note Client associations are denied daily between 9:00:00 and 17:00:00. For start and end time details, see Configuring Weekly Calendar Profile, on page 1749.
On Monday and Tuesday, clients are denied between 17:30:00 and 19:00:00 besides the regular time 9:00:00 to 17:00:00.
On the 25th of every month, clients are denied between 18:00:00 and 19:00:00 besides the regular time 9:00:00 to 17:00:00.

Step 5
Command or Action: end
Example:
Device(config-policy-profile-calender)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Mapping a Monthly Calendar Profile to a Policy Profile

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wireless profile policy profile-name
Example:
Device(config)# wireless profile policy default-policy-profile
Purpose: Creates a policy profile for the WLAN. The profile-name is the name of the policy profile.

Step 3
Command or Action: calender-profile name calendar-profile-name
Example:
Device(config-wireless-policy)# calender-profile name monthly_calendar_profile
Purpose: Maps a calendar profile to a policy profile. The calendar-profile-name is the name of the calendar profile created in Configuring Monthly Calendar Profile, on page 1750.

Step 4
Command or Action: action deny-client
Example:
Device(config-policy-profile-calender)# action deny-client
Purpose: Configures denial of client session establishment for the defined calendar profile interval.
Note Every day, client associations are denied between 9:00:00 and 17:00:00. For start and end time details, see Configuring Monthly Calendar Profile, on page 1750.
On Monday and Tuesday, clients are denied between 17:30:00 and 19:00:00 besides the regular time 9:00:00 to 17:00:00.
On the 25th of every month, clients are denied between 18:00:00 and 19:00:00 besides the regular time 9:00:00 to 17:00:00.

Step 5
Command or Action: end
Example:
Device(config-policy-profile-calender)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.
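The daily, weekly, and monthly procedures above, together with the three mapping procedures, describe one decision: at a given moment, does any calendar profile attached to the policy profile put the client inside a deny window? The model below is an added example, not Cisco code; it encodes the recurrence semantics this chapter describes and the guide's limit of five calendar profile associations per policy profile. The deny window is assumed to include the start time and exclude the end time, and the sample profiles follow the windows the mapping notes describe (daily 9:00 to 17:00, Monday and Tuesday 17:30 to 19:00, the 25th 18:00 to 19:00).

```python
"""Model the calendar-profile 'action deny-client' evaluation.

Added example (not Cisco code). Assumptions: the deny window is [start, end),
and at most 5 calendar profiles can be associated to one policy profile.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, time

WEEKDAYS = ("monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday")
MAX_ASSOCIATIONS = 5  # guide: 5 calendar profile associations to a policy profile


@dataclass(frozen=True)
class CalendarProfile:
    name: str
    recurrence: str                        # "daily" | "weekly" | "monthly"
    start: time                            # start HH:MM:SS
    end: time                              # end HH:MM:SS
    days: frozenset[str] = frozenset()     # 'day' entries of a weekly profile
    dates: frozenset[int] = frozenset()    # 'date' entries of a monthly profile

    def __post_init__(self) -> None:
        if self.recurrence not in ("daily", "weekly", "monthly"):
            raise ValueError(f"unknown recurrence {self.recurrence!r}")
        if self.start >= self.end:
            raise ValueError("start must be earlier than end")
        if self.days - set(WEEKDAYS):
            raise ValueError(f"unknown day in {sorted(self.days)}")
        if any(not 1 <= d <= 31 for d in self.dates):
            raise ValueError("date must be 1..31")

    def active_at(self, when: datetime) -> bool:
        """True when this profile's deny window covers the timestamp."""
        if not (self.start <= when.time() < self.end):  # assumed [start, end)
            return False
        if self.recurrence == "daily":
            return True
        if self.recurrence == "weekly":
            return WEEKDAYS[when.weekday()] in self.days
        return when.day in self.dates


@dataclass
class PolicyProfile:
    name: str
    calendars: list[CalendarProfile] = field(default_factory=list)

    def associate(self, profile: CalendarProfile) -> None:
        """calender-profile name <profile>, honouring the association limit."""
        if len(self.calendars) >= MAX_ASSOCIATIONS:
            raise ValueError(f"at most {MAX_ASSOCIATIONS} calendar profiles per policy profile")
        self.calendars.append(profile)

    def denying_profiles(self, when: datetime) -> list[str]:
        """Names of the attached profiles whose deny window covers 'when'."""
        return [c.name for c in self.calendars if c.active_at(when)]

    def denies_client(self, when: datetime) -> bool:
        """True when 'action deny-client' would block a new association."""
        return bool(self.denying_profiles(when))


def build_guide_example() -> PolicyProfile:
    """The three profiles described in the mapping notes of this chapter."""
    daily = CalendarProfile("daily_calendar_profile", "daily", time(9), time(17))
    weekly = CalendarProfile("weekly_calendar_profile", "weekly", time(17, 30), time(19),
                             days=frozenset({"monday", "tuesday"}))
    monthly = CalendarProfile("monthly_calendar_profile", "monthly", time(18), time(19),
                              dates=frozenset({25}))
    policy = PolicyProfile("default-policy-profile")
    for profile in (daily, weekly, monthly):
        policy.associate(profile)
    return policy


if __name__ == "__main__":
    policy = build_guide_example()
    for when in (datetime(2021, 4, 5, 18, 0), datetime(2021, 4, 25, 18, 30),
                 datetime(2021, 4, 7, 18, 30)):
        print(when, policy.denying_profiles(when))
```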

Verifying Calendar Profile Configuration
To view the summary of calendar profiles, use the following command:

Device# show wireless profile calendar-profile summary
Number of Calendar Profiles: 3

Profile-Name
---------------------------------
monthly_25_profile
weekly_mon_profile
daily_calendar_profile

To view the calendar profile details for a specific profile name, use the following command:

Device# show wireless profile calendar-profile detailed daily_calendar_profile

Calendar profiles : daily_calendar_profile
------------------------------------------------------------------
Recurrence        : DAILY
Start Time        : 09:00:00
End Time          : 17:00:00

Verifying Policy Profile Configuration

To view the detailed parameters for a specific policy profile, use the following command:

Device# show wireless profile policy detailed default-policy-profile

Tunnel Profile
  Profile Name : Not Configured
Calendar Profile
  Profile Name : monthly_25_profile
  Wlan Enable  : Not Configured
  Client Block : Client Block Configured
  ----------------------------------------------------
  Profile Name : weekly_mon_profile
  Wlan Enable  : Not Configured
  Client Block : Client Block Configured
  ----------------------------------------------------
  Profile Name : daily_calendar_profile
  Wlan Enable  : Not Configured
  Client Block : Client Block Configured
  ----------------------------------------------------
Fabric Profile
  Profile Name : Not Configured

To view the configured calendar profile information under a policy profile, use the following command:

Device# show wireless profile policy all

Tunnel Profile
  Profile Name : Not Configured
Calendar Profile
  Profile Name : daily_calendar_profile
  Wlan Enable  : Not Configured
  Client Block : Client Block Configured
  ----------------------------------------------------
  Profile Name : weekly_calendar_profile
  Wlan Enable  : Not Configured
  Client Block : Client Block Configured
  ----------------------------------------------------
Fabric Profile
  Profile Name : Not Configured

Note The anchor priority is always displayed as local. Priorities can be assigned on the foreign controller.


CHAPTER 177
Ethernet over GRE
· Introduction to EoGRE, on page 1757
· Create a Tunnel Gateway, on page 1759
· Configuring the Tunnel Gateway (GUI), on page 1760
· Configuring a Tunnel Domain, on page 1760
· Configuring Tunnel Domain (GUI), on page 1761
· Configuring EoGRE Global Parameters, on page 1762
· Configuring EoGRE Global Parameters (GUI), on page 1762
· Configuring a Tunnel Profile, on page 1763
· Configuring the Tunnel Profile (GUI), on page 1764
· Associating WLAN to a Wireless Policy Profile, on page 1765
· Attaching a Policy Tag and a Site Tag to an AP, on page 1766
· Verifying the EoGRE Tunnel Configuration, on page 1766
Introduction to EoGRE
Ethernet over GRE (EoGRE) is an aggregation solution for grouping Wi-Fi traffic from hotspots. This solution enables customer premises equipment (CPE) devices to bridge the Ethernet traffic coming from an end-host, and encapsulate the traffic in Ethernet packets over an IP Generic Routing Encapsulation (GRE) tunnel. When the IP GRE tunnels are terminated on a service provider's broadband network gateway, the end-host traffic is forwarded and subscriber sessions are initiated.
Client IPv6
Client IPv6 traffic is supported on IPv4 EoGRE tunnels. A maximum of eight different client IPv6 addresses are supported per client. Wireless controllers send all the client IPv6 addresses that they have learned to the accounting server using the accounting update message. All RADIUS or accounting messages exchanged between controllers and tunnel gateways or RADIUS servers are outside the EoGRE tunnel.

EoGRE for WLAN
To enable EoGRE for a WLAN, the wireless policy profile should be mapped to a tunnel profile, which may contain the following:
· AAA override: Allows you to bypass rule filtering for a client.
· Gateway RADIUS proxy: Allows forwarding of AAA requests to tunnel gateways.
· Tunnel rules: Defines the domain to use for each realm. They also define VLAN tagging for the client traffic towards tunnel gateways.
· DHCP option 82: Provides a set of predefined fields.
EoGRE Deployment with Multiple Tunnel Gateways
The wireless controller sends keepalive pings to the primary and secondary tunnel gateways and keeps track of the missed pings. When a certain threshold of missed pings is reached, a switchover is performed and the secondary tunnel is marked as active. This switchover deauthenticates all the clients so that they rejoin through the access points (APs). When the primary tunnel comes back online, all the client traffic is reverted to the primary tunnel. However, this behavior depends on the type of redundancy.
Load Balancing in EtherChannels
Load balancing of tunneled traffic over EtherChannels works by hashing the source or destination IP addresses or MAC addresses of the tunnel endpoint pair. Because the number of tunnels is very limited when compared to the number of clients (each tunnel carries traffic for many clients), the spreading effect of hashing is greatly reduced, and optimal utilization of EtherChannel links can be hard to achieve. Using the EoGRE configuration model, you can use the tunnel source option of each tunnel interface to adjust the load-balancing parameters and spread tunnels across multiple links. You can use different source interfaces on each tunnel for load balancing based on the source or destination IP address. To do so, choose the source interface IP address in such a way that traffic flows take different links for each source-destination IP pair. The following is an example with four ports:

Client traffic on Tunnel1 - Src IP: 40.143.0.72 Dest IP: 40.253.0.2
Client traffic on Tunnel2 - Src IP: 40.146.0.94 Dest IP: 40.253.0.6
Client traffic on Tunnel3 - Src IP: 40.147.0.74 Dest IP: 40.253.0.10
Use the show platform software port-channel link-select interface port-channel 4 ipv4 src_ip dest_ip command to determine the link that a particular flow will take.
EoGRE Configuration Overview
The EoGRE solution can be deployed in two different ways:
· Central-Switching: EoGRE tunnels connect the controller to the tunnel gateways.
· Flex or Local-Switching: EoGRE tunnels are initiated on the APs and terminated on the tunnel gateways.

To configure EoGRE, perform the following tasks:
1. Create a set of tunnel gateways.
2. Create a set of tunnel domains.
3. Create a tunnel profile with rules that define how to match clients to domains.
4. Create a policy profile and attach the tunnel profile to it.
5. Map the policy profile to WLANs using policy tags.

Note The EoGRE tunnel fallback to the secondary tunnel is triggered after max-skip-count heartbeat pings fail in the last measurement window. Depending on where the measurement window starts and ends, the fallback may take longer than the configured duration.

Table 87: EoGRE Authentication Methods

Method Name   First Supported Release   Mode
PSK           17.2.1                    Local/Flex (central authentication)
Open          16.12.1                   Local/Flex (central authentication)
LWA           16.12.1                   Local/Flex (central authentication)
Dot1x         16.12.1                   Local/Flex (central authentication)
CWA           16.12.1                   Local/Flex (central authentication)

Create a Tunnel Gateway

Note In the Cisco Catalyst 9800 Series Wireless Controller , a tunnel gateway is modeled as a tunnel interface.

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: interface tunnel tunnel_number
Example:
Device(config)# interface tunnel 21
Purpose: Configures a tunnel interface and enters interface configuration mode.

Step 3
Command or Action: tunnel source source_intf
Example:
Device(config-if)# tunnel source 22
Purpose: Sets the source address of the tunnel interface. The source interface can be a VLAN, Gigabit Ethernet, or loopback interface.

Step 4
Command or Action: tunnel destination tunnel-address
Example:
Device(config-if)# tunnel destination 10.11.12.13
Purpose: Sets the destination address of the tunnel.

Step 5
Command or Action: tunnel mode ethernet gre {ipv4 | ipv6} p2p
Example:
Device(config-if)# tunnel mode ethernet gre ipv4 p2p
Purpose: Sets the encapsulation mode of the tunnel to Ethernet over GRE IPv4 or Ethernet over GRE IPv6.

Configuring the Tunnel Gateway (GUI)
Follow the steps given below to configure the tunnel gateway:

Procedure

Step 1 Choose Configuration > Tags & Profiles > EoGRE.
Step 2 Click the Gateways tab. The Add Gateway window is displayed.
Step 3 In the Tunnel Id field, specify the tunnel ID.
Step 4 In the Destination address(IPv4/IPv6) field, specify the IPv4 or IPv6 address.
Step 5 From the Source Interface drop-down list, select an interface.
Step 6 In the AAA Proxy section, slide the AAA Proxy slider to Enabled. When AAA Proxy is enabled, complete the following steps:
a) From the Encryption Type drop-down list, select either UNENCRYPTED or AES ENCRYPTION.
b) In the Key Phrase field, specify the key phrase.
Step 7 Click Apply to Device.

Configuring a Tunnel Domain

Note Tunnel domains are a redundancy grouping of tunnels. The following configuration procedure specifies a primary and a secondary tunnel, along with a redundancy model.

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: tunnel eogre domain domain
Example:
Device(config)# tunnel eogre domain dom1
Purpose: Configures an EoGRE redundancy domain.

Step 3
Command or Action: primary tunnel primary-tunnel_intf
Example:
Device(config-eogre-domain)# primary tunnel 21
Purpose: Configures the primary tunnel.

Step 4
Command or Action: secondary tunnel secondary-tunnel_intf
Example:
Device(config-eogre-domain)# secondary tunnel 22
Purpose: Configures the secondary tunnel.

Step 5
Command or Action: redundancy revertive
Example:
Device(config-eogre-domain)# redundancy revertive
Purpose: Sets the redundancy model as revertive. When redundancy is set to revertive and the primary tunnel goes down, a switchover to the secondary tunnel is performed. When the primary tunnel comes back up, a switchover to the primary tunnel is performed, because the primary tunnel has priority over the secondary tunnel.
When redundancy is not set to revertive, the tunnels have the same priority, and a switchover to the primary tunnel is not performed if the active tunnel is the secondary tunnel and the primary tunnel comes back up.

Configuring Tunnel Domain (GUI)
Follow the steps given below to configure the tunnel domain:

Procedure

Step 1 Choose Configuration > Tags & Profiles > EoGRE.
Step 2 Click the Domains tab. The Add Domain window is displayed.
Step 3 In the Name field, specify the domain name. The name can be ASCII characters from 32 to 126, without leading and trailing spaces.
Step 4 From the Primary Tunnel Gateway drop-down list, choose an option.
Step 5 From the Secondary Tunnel Gateway drop-down list, choose an option.
Step 6 Slide the Status button to Enabled, to activate the domain status.
Step 7 Slide the Revertive Redundancy button to Enabled, to activate revertive redundancy.
Step 8 Click Apply to Device.

Configuring EoGRE Global Parameters

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: tunnel eogre heartbeat interval interval-value
Example:
Device(config)# tunnel eogre heartbeat interval 600
Purpose: Sets the EoGRE tunnel heartbeat periodic interval.

Step 3
Command or Action: tunnel eogre heartbeat max-skip-count skip-count
Example:
Device(config)# tunnel eogre heartbeat max-skip-count 7
Purpose: Sets the maximum number of tolerable dropped heartbeats. After reaching the maximum number of heartbeats that can be dropped, the tunnel is declared down and a switchover is performed.

Step 4
Command or Action: tunnel eogre source loopback tunnel_source
Example:
Device(config)# tunnel eogre source loopback 12
Purpose: Sets the EoGRE tunnel source interface.

Step 5
Command or Action: tunnel eogre interface tunnel tunnel-intf aaa proxy key key key-name
Example:
Device(config)# tunnel eogre interface tunnel 21 aaa proxy key 0 mykey
Purpose: (Optional) Configures the AAA proxy RADIUS key for the AAA proxy setup.
Note When the tunnel gateway is behaving as the AAA proxy server, only this step is required for the configuration.

Configuring EoGRE Global Parameters (GUI)
Follow the steps given below to configure the EoGRE global parameters:

Procedure

Step 1 Choose Configuration > Tags & Profiles > EoGRE. The EoGRE Global Config tab is displayed.
Step 2 In the Heartbeat Interval (seconds) field, specify an appropriate timer value for the heartbeat interval. The valid range is between 60 and 600 seconds.
Step 3 In the Max Heartbeat Skip Count field, specify the maximum heartbeat skip count. The valid range is between 3 and 10.
Step 4 From the Interface Name drop-down list, choose an interface name.
Step 5 Click Apply.

Configuring a Tunnel Profile

Before you begin
Ensure that you define the destination VLAN on the controller. If you do not define the VLAN, clients will not be able to connect.

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wireless profile policy profile-policy-name
Example:
Device(config)# wireless profile policy eogre_policy
Purpose: Configures a WLAN policy profile.

Step 3
Command or Action: tunnel-profile tunnel-profile-name
Example:
Device(config-wireless-policy)# tunnel-profile tunnel1
Purpose: Creates a tunnel profile.

Step 4
Command or Action: exit
Example:
Device(config-wireless-policy)# exit
Purpose: Returns to global configuration mode.

Step 5
Command or Action: wireless profile tunnel tunnel-profile-name
Example:
Device(config)# wireless profile tunnel wl-tunnel-1
Purpose: Configures a wireless tunnel profile.

Step 6
Command or Action: dhcp-opt82 enable
Example:
Device(config-tunnel-profile)# dhcp-opt82 enable
Purpose: Activates DHCP Option 82 for the tunneled clients.

Step 7
Command or Action: dhcp-opt82 remote-id remote-id
Example:
Device(config-tunnel-profile)# dhcp-opt82 remote-id vlan
Purpose: Configures Remote ID options. Choose from the comma-separated list of options such as ap-mac, ap-ethmac, ap-name, ap-group-name, flex-group-name, ap-location, vlan, ssid-name, ssid-type, and client-mac.

Step 8
Command or Action: aaa-override
Example:
Device(config-tunnel-profile)# aaa-override
Purpose: Enables AAA policy override.

Step 9
Command or Action: gateway-radius-proxy
Example:
Device(config-tunnel-profile)# gateway-radius-proxy
Purpose: Enables the gateway RADIUS proxy.

Step 10
Command or Action: gateway-accounting-radius-proxy
Example:
Device(config-tunnel-profile)# gateway-accounting-radius-proxy
Purpose: Enables the gateway accounting RADIUS proxy.

Step 11
Command or Action: rule priority realm-filter realm domain domain-name vlan vlan-id
Example:
Device(config-tunnel-profile)# rule 12 realm-filter realm domain dom1 vlan 5
Purpose: Creates a rule to choose a domain, using the realm filter, for the client Network Access Identifier (NAI), the tunneling domain name, and the destination VLAN.

Configuring the Tunnel Profile (GUI)
Follow the steps given below to configure the tunnel profile:

Procedure

Step 1 Choose Configuration > Tags & Profiles > EoGRE.
Step 2 Click the Tunnel Profiles tab.
Step 3 Click the Add button. The Add Tunnel Profile window is displayed.
Step 4 Click the General tab and complete the following steps:
a) In the Name field, specify the tunnel profile name. The name can be ASCII characters from 32 to 126, without leading and trailing spaces.
b) In the Status field, slide the button to change the status to Enabled.
c) In the Central Forwarding field, slide the button to Enabled, to enable the feature.
d) In the DHCP Option-82 section, change the Status field and the ASCII field to Enabled, as per requirement.
e) In the Delimiter field, specify the delimiter.
f) From the Circuit ID Available Services list, select the available services and click the > sign to add the services to the assigned list.
g) From the Remote ID Available Services list, select the available services and click the > sign to add the services to the assigned list.
h) In the AAA section, choose an appropriate status for the Radius Proxy field, the Accounting Proxy field, and the Override field.
Step 5 Click the Rules tab, and complete the following steps:
a) Click the Add Rules button.
b) In the Priority field, specify the priority of the rule from a range of 1 to 100.
c) In the Realm field, specify a realm.
d) From the Domain drop-down list, choose a domain.
e) In the VLAN Id field, specify the VLAN ID that ranges between 1 and 4094.
f) Click Save.
Step 6 Click Apply to Device.
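The CLI and GUI procedures above state several constraints on a tunnel profile (name characters, the DHCP Option 82 ID options, rule priority 1 to 100, VLAN ID 1 to 4094). The following is an added example, not code from the guide or from Cisco, that checks a profile definition against those documented ranges before anything is pushed to a controller, and then emits the CLI lines in the order the procedure uses them. The TunnelProfile and TunnelRule structures and the function names are this example's own; joining several remote-id options with commas follows the comma-separated form shown in the show wireless profile tunnel detailed output later in this section and is an assumption about the CLI syntax.

```python
# Added example (not from the Cisco guide): validate an EoGRE tunnel profile
# against the ranges the guide states, then render the documented CLI lines.
from dataclasses import dataclass, field
from typing import List

# Circuit ID / Remote ID options listed in the guide for dhcp-opt82.
OPT82_OPTIONS = {
    "ap-mac", "ap-ethmac", "ap-name", "ap-group-name", "flex-group-name",
    "ap-location", "vlan", "ssid-name", "ssid-type", "client-mac",
}


@dataclass
class TunnelRule:
    priority: int   # guide: 1 to 100
    realm: str
    domain: str
    vlan: int       # guide: 1 to 4094


@dataclass
class TunnelProfile:
    name: str
    dhcp_opt82: bool = False
    remote_id: List[str] = field(default_factory=list)
    aaa_override: bool = False
    radius_proxy: bool = False
    accounting_proxy: bool = False
    rules: List[TunnelRule] = field(default_factory=list)


def validate_profile(p: TunnelProfile) -> List[str]:
    """Return the list of documented constraints the profile violates (empty = OK)."""
    problems = []
    # Name: ASCII 32 to 126, without leading and trailing spaces.
    if not p.name or p.name != p.name.strip():
        problems.append("name must be non-empty and have no leading/trailing spaces")
    if any(not 32 <= ord(c) <= 126 for c in p.name):
        problems.append("name must consist of ASCII characters 32 to 126")
    for opt in p.remote_id:
        if opt not in OPT82_OPTIONS:
            problems.append(f"unknown remote-id option {opt!r}")
    for r in p.rules:
        if not 1 <= r.priority <= 100:
            problems.append(f"rule priority {r.priority} is outside 1-100")
        if not 1 <= r.vlan <= 4094:
            problems.append(f"rule VLAN {r.vlan} is outside 1-4094")
        if not r.realm or not r.domain:
            problems.append(f"rule {r.priority} needs both a realm and a domain")
    return problems


def render_cli(p: TunnelProfile) -> List[str]:
    """Emit the tunnel-profile CLI lines in the guide's step order.

    Raises ValueError instead of producing configuration that the controller
    would reject or that would silently leave clients unable to connect.
    """
    problems = validate_profile(p)
    if problems:
        raise ValueError("profile fails validation: " + "; ".join(problems))
    lines = [f"wireless profile tunnel {p.name}"]
    if p.dhcp_opt82:
        lines.append(" dhcp-opt82 enable")
        if p.remote_id:
            # Assumption: several options are given as one comma-separated list.
            lines.append(" dhcp-opt82 remote-id " + ",".join(p.remote_id))
    if p.aaa_override:
        lines.append(" aaa-override")
    if p.radius_proxy:
        lines.append(" gateway-radius-proxy")
    if p.accounting_proxy:
        lines.append(" gateway-accounting-radius-proxy")
    for r in sorted(p.rules, key=lambda rule: rule.priority):
        lines.append(f" rule {r.priority} realm-filter {r.realm} domain {r.domain} vlan {r.vlan}")
    return lines


if __name__ == "__main__":
    # Constructed sample mirroring the guide's examples (wl-tunnel-1, rule 12).
    profile = TunnelProfile(name="wl-tunnel-1", dhcp_opt82=True, remote_id=["vlan"],
                            rules=[TunnelRule(12, "realm", "dom1", 5)])
    print("\n".join(render_cli(profile)))
```

Run it with a profile whose VLAN or priority is out of range and render_cli refuses with the list of violated constraints; the "Before you begin" note above (an undefined destination VLAN leaves clients unable to connect) is the kind of silent failure this pre-check is meant to catch early.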

Associating WLAN to a Wireless Policy Profile

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wireless tag policy policy-tag-name
Example:
Device(config)# wireless tag policy eogre_tag
Purpose: Configures a policy tag and enters policy tag configuration mode.

Step 3
Command or Action: wlan wlan-name policy profile-policy-name
Example:
Device(config-policy-tag)# wlan eogre_open_eogre policy eogre_policy
Purpose: Maps an EoGRE policy profile to a WLAN profile.

Step 4
Command or Action: end
Example:
Device(config-policy-tag)# end
Purpose: Saves the configuration, exits configuration mode, and returns to privileged EXEC mode.

Attaching a Policy Tag and a Site Tag to an AP

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: ap mac-address
Example:
Device(config)# ap 80E8.6FD4.0BB0
Purpose: Configures an AP and enters AP profile configuration mode.

Step 3
Command or Action: policy-tag policy-tag-name
Example:
Device(config-ap-tag)# policy-tag eogre_tag
Purpose: Maps the EoGRE policy tag to the AP.

Step 4
Command or Action: site-tag site-tag-name
Example:
Device(config-ap-tag)# site-tag sp-flex-site
Purpose: Maps a site tag to the AP.

Step 5
Command or Action: end
Example:
Device(config-ap-tag)# end
Purpose: Saves the configuration, exits configuration mode, and returns to privileged EXEC mode.

Verifying the EoGRE Tunnel Configuration

The show tunnel eogre command displays the EoGRE clients, domains, gateways, global-configuration, and manager information in the local mode.
To display the EoGRE domain summary in the local mode, use the following command:
Device# show tunnel eogre domain summary

Domain Name      Primary GW   Secondary GW   Active GW   Redundancy
-------------------------------------------------------------------------------
domain1          Tunnel1      Tunnel2        Tunnel1     Non-Revertive
eogre_domain     Tunnel1      Tunnel2        Tunnel1     Non-Revertive

To display the details of an EoGRE domain in the local mode, use the following command:
Device# show tunnel eogre domain detailed domain-name

Domain Name  : eogre_domain
Primary GW   : Tunnel1
Secondary GW : Tunnel2
Active GW    : Tunnel1
Redundancy   : Non-Revertive

To view the EoGRE tunnel gateway summary and statistics in the local mode, use the following command:
Device# show tunnel eogre gateway summary

Name        Type   Address            AdminState   State   Clients
---------------------------------------------------------------------------------------------
Tunnel1     IPv4   9.51.1.11          Up           Up      0
Tunnel2     IPv4   9.51.1.12          Up           Down    0
Tunnel10    IPv6   fd09:9:8:21::90    Down         Down    0
Tunnel11    IPv4   9.51.1.11          Up           Up      0
Tunnel12    IPv6   fd09:9:8:21::90    Up           Down    0
Tunnel100   IPv4   9.51.1.100         Up           Down    0

To view the details of an EoGRE tunnel gateway in the local mode, use the following command:
Device# show tunnel eogre gateway detailed gateway-name

Gateway : Tunnel1
  Mode : IPv4
  IP : 9.51.1.11
  Source : Vlan51 / 9.51.1.1
  State : Up
  SLA ID : 56
  MTU : 1480
  Up Time: 4 minutes 45 seconds

  Clients
    Total Number of Wireless Clients : 0

  Traffic
    Total Number of Received Packets : 0
    Total Number of Received Bytes : 0
    Total Number of Transmitted Packets : 0
    Total Number of Transmitted Bytes : 0

  Keepalives
    Total Number of Lost Keepalives : 0
    Total Number of Received Keepalives : 5
    Total Number of Transmitted Keepalives: 5
    Windows : 1
    Transmitted Keepalives in last window : 2
    Received Keepalives in last window : 2

To view the client summary of EoGRE in the local mode, use the following command:
Device# show tunnel eogre client summary

Client MAC        AP MAC            Domain          Tunnel   VLAN   Local
-------------------------------------------------------------------------------------------
74da.3828.88b0    80e8.6fd4.9520    eogre_domain    N/A      2121   No

To view the details of an EoGRE global configuration in the local mode, use the following command:
Device# show tunnel eogre global-configuration

Heartbeat interval       : 60
Max Heartbeat skip count : 3
Source Interface         : (none)

To view the details of the global tunnel manager statistics in the local mode, use the following command:
Device# show tunnel eogre manager stats global

Tunnel Global Statistics
Last Updated                    : 02/18/2019 23:50:35

EoGRE Objects
  Gateways                      : 6
  Domains                       : 2

EoGRE Flex Objects
  AP Gateways                   : 2
  AP Domains                    : 1
  AP Gateways HA inconsistencies : 0
  AP Domains HA inconsistencies  : 0

Config events
  IOS Tunnel updates            : 806
  IOS Domain updates            : 88
  Global updates                : 48
  Tunnel Profile updates        : 120
  Tunnel Rule updates           : 16
  AAA proxy key updates         : 0

AP events
  Flex AP Join                  : 1
  Flex AP Leave                 : 0
  Local AP Join                 : 0
  Local AP leave                : 0
  Tunnel status (rx)            : 4
  Domain status (rx)            : 1
  IAPP stats msg (rx)           : 3
  Client count (rx)             : 6
  VAP Payload msg (tx)          : 4
  Domain config (tx)            : 1
  Global config (tx)            : 1
  Client delete (tx)            : 1
  Client delete per domain (tx) : 3
  DHCP option 82 (tx)           : 4

Client events
  Add-mobile                    : 2
  Run-State                     : 3
  Delete                        : 1
  Cleanup                       : 0
  Join                          : 2
  Plumb                         : 0
  Join Errors                   : 0
  HandOff                       : 0
  MsPayload                     : 2
  FT Recover                    : 0
  Zombie GW counter increase    : 0
  Zombie GW counter decrease    : 0
  Tunnel Profile reset          : 88
  Client deauth                 : 0
  HA reconciliation             : 0

Client Join Events
  Generic Error                 : 0
  MSPayload Fail                : 0
  Invalid VLAN                  : 0
  Invalid Domain                : 0
  No GWs in Domain              : 0
  Domain Shut                   : 0
  Invalid GWs                   : 0
  GWs Down                      : 0
  Rule Match Error              : 0
  AAA-override                  : 0
  Flex No Active GW             : 0
  Open Auth join attempt        : 2
  Dot1x join attempt            : 2
  Mobility join attempt         : 0
  Tunnel Profile not valid      : 2
  Tunnel Profile valid          : 2
  No rule match                 : 0
  Rule match                    : 2
  AAA proxy                     : 0
  AAA proxy accounting          : 0
  AAA eogre attributes          : 0
  Has aaa override              : 0
  Error in handoff payload      : 0
  Handoff AAA override          : 0
  Handoff no AAA override       : 0
  Handoff payload received      : 0
  Handoff payload sent          : 0

SNMP Traps
  Client                        : 0
  Tunnel                        : 2
  Domain                        : 0

IPC
  IOSd TX messages              : 0

Zombie Client
  Entries                       : 0

To view the tunnel manager statistics of a specific process instance in the local mode, use the following command:
Device# show tunnel eogre manager stats instance instance-number

Tunnel Manager statistics for process instance : 0
Last Updated                    : 02/18/2019 23:50:35

EoGRE Objects
  Gateways                      : 6
  Domains                       : 2

EoGRE Flex Objects
  AP Gateways                   : 2
  AP Domains                    : 1
  AP Gateways HA inconsistencies : 0
  AP Domains HA inconsistencies  : 0

Config events
  IOS Tunnel updates            : 102
  IOS Domain updates            : 11
  Global updates                : 6
  Tunnel Profile updates        : 15
  Tunnel Rule updates           : 2
  AAA proxy key updates         : 0

AP events
  Flex AP Join                  : 1
  Flex AP Leave                 : 0
  Local AP Join                 : 0
  Local AP leave                : 0
  Tunnel status (rx)            : 4
  Domain status (rx)            : 1
  IAPP stats msg (rx)           : 3
  Client count (rx)             : 6
  VAP Payload msg (tx)          : 4
  Domain config (tx)            : 1
  Global config (tx)            : 1
  Client delete (tx)            : 1
  Client delete per domain (tx) : 3
  DHCP option 82 (tx)           : 4

Client events
  Add-mobile                    : 2
  Run-State                     : 3
  Delete                        : 1
  Cleanup                       : 0
  Join                          : 2
  Plumb                         : 0
  Join Errors                   : 0
  HandOff                       : 0
  MsPayload                     : 2
  FT Recover                    : 0
  Zombie GW counter increase    : 0
  Zombie GW counter decrease    : 0
  Tunnel Profile reset          : 11
  Client deauth                 : 0
  HA reconciliation             : 0

Client Join Events
  Generic Error                 : 0
  MSPayload Fail                : 0
  Invalid VLAN                  : 0
  Invalid Domain                : 0
  No GWs in Domain              : 0
  Domain Shut                   : 0
  Invalid GWs                   : 0
  GWs Down                      : 0
  Rule Match Error              : 0
  AAA-override                  : 0
  Flex No Active GW             : 0
  Open Auth join attempt        : 2
  Dot1x join attempt            : 2
  Mobility join attempt         : 0
  Tunnel Profile not valid      : 2
  Tunnel Profile valid          : 2
  No rule match                 : 0
  Rule match                    : 2
  AAA proxy                     : 0
  AAA proxy accounting          : 0
  AAA eogre attributes          : 0
  Has aaa override              : 0
  Error in handoff payload      : 0
  Handoff AAA override          : 0
  Handoff no AAA override       : 0
  Handoff payload received      : 0
  Handoff payload sent          : 0

SNMP Traps
  Client                        : 0
  Tunnel                        : 2
  Domain                        : 0

IPC
  IOSd TX messages              : 0

Zombie Client
  Entries                       : 0

The show ap tunnel eogre command displays the tunnel domain information, EoGRE events, and the tunnel gateway status on the APs, in the flex mode.

To view the summary information of an EoGRE tunnel gateway in the flex mode, use the following command:
Device# show ap tunnel eogre domain summary

AP MAC            Domain          Active Gateway
-------------------------------------------------------------------------------
80e8.6fd4.9520    eogre_domain    Tunnel1

To view the wireless tunnel profile summary, use the following command:
Device# show wireless profile tunnel summary

Profile Name                     AAA-Override AAA-Proxy DHCP Opt82 Enabled
-------------------------------- ------------ --------- ---------- --------
eogre_tunnel                     No           No        Yes        Yes
eogre_tunnel_set                 No           No        Yes        No
eogre_tunnel_snmp                No           No        No         No

To view a wireless tunnel profile's details, use the following command:
Device# show wireless profile tunnel detailed profile-name

Profile Name              : eogre_tunnel
Status                    : Enabled
AAA-Proxy/Accounting-Proxy: Disabled / Disabled
AAA-Override              : Disabled
DHCP Option82             : Enabled
  Circuit-ID              : ap-mac,ap-ethmac,ap-location,vlan
  Remote-ID               : ssid-name,ssid-type,client-mac,ap-name

Tunnel Rules
Priority Realm                Vlan Domain (Status/Primary GW/Secondary GW)
-------- -------------------- ---- ---------------------------------------------
1        *                    2121 eogre_domain (Enabled/Tunnel1/Tunnel2)

To view detailed information about an EoGRE tunnel domain's status, use the following command:
Device# show ap tunnel eogre domain detailed

Domain    : eogre_domain
AP MAC    : 80e8.6fd4.9520
Active GW : Tunnel1

To view the EoGRE events on an AP, use the following command:
Device# show ap tunnel eogre events

AP 80e8.6fd4.9520 Event history
Timestamp               #Times   Event               RC  Context
----------------------- -------- ------------------- --  ----------------------------------------
02/18/2019 23:50:26.341 6        IAPP_STATS          0   GW Tunnel2 uptime:0s
02/18/2019 23:49:40.222 2        CLIENT_JOIN         0   74da.3828.88b0, (eogre_domain/2121)
02/18/2019 23:48:43.549 1        CLIENT_LEAVE        0   74da.3828.88b0, (eogre_domain/2121)
02/18/2019 23:47:33.127 1        DOMAIN_STATUS       0   eogre_domain Active GW: Tunnel1
02/18/2019 23:47:33.124 4        AP_TUNNEL_STATUS    0   Tunnel2 Dn
02/18/2019 23:47:33.124 1        MSG_CLIENT_DEL      0   GW Tunnel2 (IP: 9.51.1.12)
02/18/2019 23:47:33.124 2        TUNNEL_ADD          0   GW Tunnel2
02/18/2019 23:47:33.120 3        MSG_CLIENT_DEL_PD   0   GW Tunnel1 (IP: 9.51.1.11)
02/18/2019 23:47:31.763 2        AP_DOMAIN_PUSH      0   Delete:eogre_domain_set, 0 GWs
02/18/2019 23:47:31.753 4        AP_VAP_PUSH         0   profile:'eogre_tunnel', wlan:pyats_eogre

To view the summary information of the EoGRE tunnel gateway, use the following command:
Device# show ap tunnel eogre gateway summary

AP MAC            Gateway   Type   IP           State   Clients
---------------------------------------------------------------------------------------------
80e8.6fd4.9520    Tunnel1   IPv4   9.51.1.11    Up      1
80e8.6fd4.9520    Tunnel2   IPv4   9.51.1.12    Down    0

To view detailed information about an EoGRE tunnel gateway, use the following command:
Device# show ap tunnel eogre gateway detailed gateway-name

Gateway : Tunnel1
  Mode : IPv4
  IP : 9.51.1.11
  State : Up
  MTU : 1476
  Up Time: 14 hours 25 minutes 2 seconds
  AP MAC : 80e8.6fd4.9520

  Clients
    Total Number of Wireless Clients : 1

  Traffic
    Total Number of Received Packets : 6
    Total Number of Received Bytes : 2643
    Total Number of Transmitted Packets : 94
    Total Number of Transmitted Bytes : 20629
    Total Number of Lost Keepalive : 3

To view summary information about the EoGRE tunnel gateway status, use the following command:
Device# show ap tunnel eogre domain summary

AP MAC            Domain          Active Gateway
-------------------------------------------------------------------------------
80e8.6fd4.9520    eogre_domain    Tunnel1

To view information about EoGRE events on an AP, use the following command:
Device# show ap name ap-name tunnel eogre events

AP 80e8.6fd4.9520 Event history
Timestamp               #Times   Event               RC  Context
----------------------- -------- ------------------- --  ----------------------------------------
02/18/2019 23:50:26.341 6        IAPP_STATS          0   GW Tunnel2 uptime:0s
02/18/2019 23:49:40.222 2        CLIENT_JOIN         0   74da.3828.88b0, (eogre_domain/2121)
02/18/2019 23:48:43.549 1        CLIENT_LEAVE        0   74da.3828.88b0, (eogre_domain/2121)
02/18/2019 23:47:33.127 1        DOMAIN_STATUS       0   eogre_domain Active GW: Tunnel1
02/18/2019 23:47:33.124 4        AP_TUNNEL_STATUS    0   Tunnel2 Dn
02/18/2019 23:47:33.124 1        MSG_CLIENT_DEL      0   GW Tunnel2 (IP: 9.51.1.12)
02/18/2019 23:47:33.124 2        TUNNEL_ADD          0   GW Tunnel2
02/18/2019 23:47:33.120 3        MSG_CLIENT_DEL_PD   0   GW Tunnel1 (IP: 9.51.1.11)
02/18/2019 23:47:31.763 2        AP_DOMAIN_PUSH      0   Delete:eogre_domain_set, 0 GWs
02/18/2019 23:47:31.753 4        AP_VAP_PUSH         0   profile:'eogre_tunnel', wlan:pyats_eogre

To view the summary information about an EoGRE tunnel domain's status on an AP, use the following command:
Device# show ap name ap-name tunnel eogre domain summary

AP MAC            Domain          Active Gateway
-------------------------------------------------------------------------------
80e8.6fd4.9520    eogre_domain

To view the detailed information about an EoGRE tunnel domain on an AP, use the following command:
Device# show ap name ap-name tunnel eogre domain detailed

Domain Name  : eogre_domain
Primary GW   : Tunnel1
Secondary GW : Tunnel2
Active GW    : Tunnel1
Redundancy   : Non-Revertive
AdminState   : Up

To view the summary information about EoGRE tunnel gateways on an AP, use the following command:
Device# show ap name ap-name tunnel eogre gateway summary

AP MAC            Gateway   Type   IP           State   Clients
---------------------------------------------------------------------------------------------
80e8.6fd4.9520    Tunnel1   IPv4   9.51.1.11    Up      1
80e8.6fd4.9520    Tunnel2   IPv4   9.51.1.12    Down    0

To view detailed information about an EoGRE tunnel gateway's status on an AP, use the following command:
Device# show ap name ap-name tunnel eogre gateway detailed gateway-name

Gateway : Tunnel2
  Mode : IPv4
  IP : 9.51.1.12
  State : Down
  MTU : 0
  AP MAC : 80e8.6fd4.9520

  Clients
    Total Number of Wireless Clients : 0

  Traffic
    Total Number of Received Packets : 0
    Total Number of Received Bytes : 0
    Total Number of Transmitted Packets : 0
    Total Number of Transmitted Bytes : 0
    Total Number of Lost Keepalive : 151
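The show commands in this section are what an operator polls to confirm that the tunnel gateways the controller expects are actually reachable. The following is an added example, not code from the guide or from Cisco, that parses the show tunnel eogre gateway summary and gateway detailed output formats shown above and flags gateways that are administratively Up but operationally Down, together with the keepalive loss seen on a gateway. The sample text is constructed from the output printed in this section; the function names and the health criteria are this example's own.

```python
# Added example (not from the Cisco guide): turn EoGRE gateway show output into
# a health report. Sample text below is constructed from the guide's output.
import re
from typing import Dict, List

GATEWAY_SUMMARY = """\
Name        Type   Address            AdminState   State   Clients
---------------------------------------------------------------------------------------------
Tunnel1     IPv4   9.51.1.11          Up           Up      0
Tunnel2     IPv4   9.51.1.12          Up           Down    0
Tunnel10    IPv6   fd09:9:8:21::90    Down         Down    0
Tunnel11    IPv4   9.51.1.11          Up           Up      0
Tunnel12    IPv6   fd09:9:8:21::90    Up           Down    0
Tunnel100   IPv4   9.51.1.100         Up           Down    0
"""

GATEWAY_DETAILED = """\
Gateway : Tunnel1
  Mode : IPv4
  IP : 9.51.1.11
  State : Up
  Keepalives
    Total Number of Lost Keepalives : 0
    Total Number of Received Keepalives : 5
    Total Number of Transmitted Keepalives: 5
"""


def parse_gateway_summary(text: str) -> List[Dict[str, object]]:
    """Parse rows of 'show tunnel eogre gateway summary' into dicts."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # A data row has six whitespace-separated columns and a Tunnel* name;
        # the header line and the dashed separator are skipped.
        if len(parts) == 6 and parts[0].startswith("Tunnel"):
            name, typ, addr, admin, state, clients = parts
            rows.append({"name": name, "type": typ, "address": addr,
                         "admin": admin, "state": state, "clients": int(clients)})
    return rows


def unhealthy_gateways(rows: List[Dict[str, object]]) -> List[str]:
    """Gateways that are meant to be up (AdminState Up) but are not (State not Up).

    Gateways that are administratively Down are expected to be Down and are
    not reported, so the list is an actionable alert rather than an inventory.
    """
    return [str(r["name"]) for r in rows if r["admin"] == "Up" and r["state"] != "Up"]


KEEPALIVE_RE = re.compile(
    r"Total Number of (Lost|Received|Transmitted) Keepalives\s*:\s*(\d+)")


def parse_keepalives(text: str) -> Dict[str, int]:
    """Extract lost/received/transmitted keepalive counters from gateway detailed output."""
    return {m.group(1).lower(): int(m.group(2)) for m in KEEPALIVE_RE.finditer(text)}


def keepalive_loss_ratio(counters: Dict[str, int]) -> float:
    """Fraction of transmitted keepalives that were lost (0.0 when none were sent)."""
    tx = counters.get("transmitted", 0)
    return counters.get("lost", 0) / tx if tx else 0.0


if __name__ == "__main__":
    gateways = parse_gateway_summary(GATEWAY_SUMMARY)
    print("admin-up but down:", unhealthy_gateways(gateways))
    ka = parse_keepalives(GATEWAY_DETAILED)
    print("keepalives:", ka, "loss ratio:", keepalive_loss_ratio(ka))
```

Against the sample output this reports Tunnel2, Tunnel12 and Tunnel100, which is exactly the set an operator would need to investigate: Tunnel10 is also Down, but it is administratively Down and therefore expected.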

CHAPTER 178
Link Aggregation Group
· Information About Link Aggregation Group, on page 1775
Information About Link Aggregation Group
A link aggregation group (LAG) bundles all of the controller's distribution system ports into a single 802.3ad port channel. This reduces the number of IP addresses required to configure the ports on your controller. When LAG is enabled, the system dynamically manages port redundancy and load balances access points transparently to the corresponding user. LAG simplifies controller configuration because you no longer have to configure ports for each interface. If any of the controller ports fail, traffic is automatically migrated to one of the other ports. As long as at least one controller port is functioning, the system continues to operate, access points remain connected to the network, and wireless clients continue to send and receive data.
Note The wireless management VLAN can only be part of one port channel.
Note LACP is supported on a standalone controller from Cisco IOS XE Gibraltar 16.12.x release. LACP is supported on an SSO pair from Cisco IOS XE Amsterdam 17.1.1s onwards.
Link Aggregation Control Protocol
Link Aggregation Control Protocol (LACP) is a part of an IEEE specification (802.3ad) that allows you to bundle several physical ports together to form a single logical channel. LACP allows a switch to negotiate an automatic bundle by sending LACP packets to a peer. By using the LACP, the wireless controller learns the identity of peers that are capable of supporting LACP, and the capabilities of each port. The LACP then dynamically groups similarly configured ports into a single logical link (channel or aggregate port). Similarly configured ports are grouped based on hardware, administrative, and port parameter constraints. If any of the controller ports fail, traffic is automatically migrated to one of the other ports. As long as at least one controller port is functioning, the system continues to operate, access points remain connected to the network, and wireless clients continue to send and receive data.


Configuring LAG Using LACP
To configure LAG using LACP, multiple port-channel interfaces must be created, and these interfaces should be added to the corresponding port bundle. LACP should also be configured on the uplink switch for the LACP bundle to come up.
· Create a Port-Channel Interface
· Add an Interface to a Port Channel (LACP)
· Add a VLAN to a Port Channel
· Add an Interface to a Port Channel (PAgP)
Port Aggregation Protocol
Port Aggregation Protocol (PAgP) is a Cisco-proprietary protocol that you can run on controllers. PAgP facilitates the automatic creation of EtherChannels by exchanging PAgP packets between Ethernet ports. PAgP packets are sent between Fast EtherChannel-capable ports in order to form a channel. When any of the active ports fail, a standby port becomes active. By using PAgP, the controller learns the identity of partners that are capable of supporting PAgP and the capabilities of each port. PAgP then dynamically groups similarly configured ports (on a single device in a stack) into a single logical link (channel or aggregate port). Similarly configured ports are grouped based on hardware, administrative, and port parameter constraints.
Configuring LAG Using PAgP
To configure LAG using PAgP, multiple port-channel interfaces must be created, and these interfaces should be added to the corresponding port bundle. PAgP should also be configured on the uplink switch for the PAgP bundle to come up.
· Create a Port-Channel Interface
· Add an Interface to a Port Channel (PAgP)
Information About Port Channel Interface Number
From Cisco IOS XE Bengaluru 17.5.1 onwards, port channel interfaces can be numbered anywhere between 1 and 64 on the following Cisco Catalyst 9800 Series Wireless Controllers:
· Cisco Catalyst 9800-CL Wireless Controller for Cloud: The available range on the CLI is 1 to 64. The maximum number of supported port channel interfaces is 64.
· Cisco Catalyst 9800-L Wireless Controller: The available range on the CLI is 1 to 64. The maximum number of supported port channel interfaces is 14.
· Cisco Catalyst 9800-40 Wireless Controller: The available range on the CLI is 1 to 64. The maximum number of supported port channel interfaces is 16.
· Cisco Catalyst 9800-80 Wireless Controller: The available range on the CLI is 1 to 64. The maximum number of supported port channel interfaces is 64.


For example, on the Cisco Catalyst 9800-L Wireless Controller, port-channel interface numbers can be anywhere between 1 and 64, as long as the total number of port-channel interfaces is 14 or fewer.
Note If you have configured 16 port-channel interfaces on the Cisco Catalyst 9800-40 Wireless Controller, and the configured port-channel interfaces have reached their limit, the following error message is displayed when you try to configure the 17th port-channel interface:
Device(config)# Dec 15 08:58:22.209 CST: %ETC-5-CANNOT_ALLOCATE_AGGREGATOR: Aggregator limit reached, cannot
allocate aggregator for group 17
When you downgrade from Cisco IOS XE Bengaluru 17.5.1 to an earlier version, and the port channels are configured with numbers above the range supported in the earlier version, the following errors are displayed when the earlier version is started. The unsupported port channels disappear after the downgrade is completed.
interface Port-channel29
                        ^
% Invalid input detected at '^' marker.
interface Port-channel35
                        ^
% Invalid input detected at '^' marker.
Note that the HA pairing remains intact after downgrade.
Configuring LAG in ON Mode
To configure LAG in ON mode, multiple port-channel interfaces must be created, and these interfaces should be added to the corresponding port bundle. LACP should also be configured on the uplink switch for the LACP bundle to come up.
· Configuring LAG in ON Mode, on page 1780
Multichassis Link Aggregation Group
From Cisco IOS XE Amsterdam 17.2.1, Multichassis Link Aggregation Group (multi-LAG), which provides flexibility in connecting the controller to a switch's infrastructure, is supported. Using multi-LAG, you can connect the multiple uplinks from the controller to separate uplink switches. The controller supports VLAN-based traffic splitting when connected to a multiswitch topology. This provides the ability to distribute traffic on different uplinks, based on VLANs, for example, supporting a use case where guest traffic can be completely isolated to a different switch or network from the enterprise network. The same VLAN cannot be configured on both uplinks. You can connect a LAG to a single switch. However, different VLANs must be connected to different LAGs. The redundancy port must be connected to the same distribution switch as the uplinks, or back to back. Multi-LAG is supported in LAG ON mode, LACP, and PAgP modes.
Prerequisites for Multi-LAG
· Each LAG must be connected to a single switch.
· Different VLANs must be assigned to different LAGs.
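The per-platform port-channel limits above, the downgrade behaviour for port channels numbered beyond an older release's range, and the multi-LAG prerequisite that different VLANs go to different LAGs are all checks that can be run on a planned configuration before it is applied. The following is an added example, not code from the guide or from Cisco, that performs those checks. The platform keys, the plan structure (port-channel number to the set of VLANs it carries) and the function names are this example's own; the limits are the ones the guide lists for Cisco IOS XE Bengaluru 17.5.1, and the older release's upper bound used in the downgrade check is a parameter the caller supplies, since the guide does not state it.

```python
# Added example (not from the Cisco guide): check a planned set of port-channel
# interfaces against the per-platform limits and the multi-LAG VLAN rule.
from typing import Dict, List, Set

# From the guide: the CLI range is 1 to 64 on every platform, but the maximum
# number of port-channel interfaces differs per model.
PLATFORM_MAX_PORT_CHANNELS = {
    "9800-CL": 64,
    "9800-L": 14,
    "9800-40": 16,
    "9800-80": 64,
}
PORT_CHANNEL_RANGE = range(1, 65)


def check_port_channel_plan(platform: str, lags: Dict[int, Set[int]]) -> List[str]:
    """Validate a plan mapping port-channel number -> allowed VLAN IDs on that LAG.

    Returns the list of violations; an empty list means the plan is acceptable.
    """
    problems: List[str] = []
    limit = PLATFORM_MAX_PORT_CHANNELS[platform]
    if len(lags) > limit:
        problems.append(f"{len(lags)} port-channels exceed the {platform} maximum of {limit}")
    vlan_owner: Dict[int, int] = {}   # VLAN -> first port-channel that carries it
    for po in sorted(lags):
        if po not in PORT_CHANNEL_RANGE:
            problems.append(f"Port-channel{po} is outside the CLI range 1-64")
        for vlan in sorted(lags[po]):
            if not 1 <= vlan <= 4094:
                problems.append(f"VLAN {vlan} on Port-channel{po} is outside 1-4094")
            elif vlan in vlan_owner:
                # Multi-LAG prerequisite: the same VLAN must not be on two LAGs.
                problems.append(
                    f"VLAN {vlan} is on both Port-channel{vlan_owner[vlan]} and Port-channel{po}")
            else:
                vlan_owner[vlan] = po
    return problems


def downgrade_casualties(lags: Dict[int, Set[int]], max_on_older_release: int) -> List[int]:
    """Port-channel numbers that an older release would reject and drop on downgrade.

    The guide shows Port-channel29 and Port-channel35 being rejected; the older
    release's upper bound is supplied by the caller (an assumption of this example).
    """
    return [po for po in sorted(lags) if po > max_on_older_release]


if __name__ == "__main__":
    # Constructed plan: VLAN 10 is accidentally carried on two LAGs.
    plan = {3: {10}, 29: {10, 20}, 35: {30}}
    for p in check_port_channel_plan("9800-40", plan):
        print("violation:", p)
    print("dropped after downgrade to a 1..16 release:", downgrade_casualties(plan, 16))
```

The VLAN-ownership check is the one that matters most for the guest-isolation use case the guide describes: a VLAN that quietly ends up on both uplinks defeats the purpose of splitting traffic between switches.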


Restrictions for Multi-LAG
· If the primary LAG fails, automatic failover to secondary LAG is not supported.
· The interface on the controller does not come up when you shut or unshut the port on the switch port.
Note This is specific to Cisco Catalyst 9800-CL Cloud Wireless Controller in KVM environment for SR-IOV.
Supported Topologies
The Cisco Catalyst 9800-80 Wireless Controller has eight ports, while the Cisco Catalyst 9800-40 and Cisco Catalyst 9800-L wireless controllers have four ports each. You can create multi-LAGs of ports with similar capabilities, for example, 2.5 G and 2.5 G, or 10 G and 10 G. You cannot have a 2.5 G and a 10 G port in a port channel group with a minimum of two ports in one LAG.
Figure 49: Single Controller with Multi-LAG


Figure 50: SSO Pair with Multi-LAG

Configuring a Port Channel Interface (GUI)
Procedure

Step 1 Choose Configuration > Interface > Logical.
Step 2 Click the Port Channel tab to configure the Port Channel interface.
The Port Channel tab lists all the logical port-channel interfaces on the device.
Step 3 Click Add to add a new logical port channel interface.
The Add Port Channel Interface window is displayed.
Step 4 In the Add Port Channel Interface window, complete the following procedure:
a) In the Port Channel Number field, enter the port channel number. The valid values are between 1 and 64.
b) In the Description field, enter the port channel description.
c) Click the Admin Status toggle button to set the admin status as UP or DOWN.
d) Click the Enable Layer 3 Address toggle button to enable the Layer 3 address.
e) In the Port Members section, select the port members from the Available list box and add them to the Associated list.
f) From the Switchport Mode drop-down list, choose a switch mode for the interface.
· If you choose access as the switch mode, enter the access VLAN ID in the Access VLAN field.
· If you choose trunk as the switch mode, enter the VLAN IDs that you want to assign as trunk links. To allow all VLAN IDs as trunk links, set the Allowed VLANs to All. Specify a native VLAN.
· If you choose dynamic auto or dynamic desirable as the switch mode, enter the access VLAN ID. Enter the VLAN IDs you want to assign as trunk links. To allow all VLAN IDs as trunk links, set the Allowed VLANs to All. Specify a native VLAN.
g) Click Update & Apply to Device.

Create a Port-Channel Interface
Follow the procedure given below to create a port-channel interface.

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: interface port-channel port-channel
Example:
Device(config)# interface port-channel 2
Purpose: Configures the port channel and enters interface configuration mode. The valid values for the port channel number range from 1 to 64.

Step 3
Command or Action: switchport mode trunk
Example:
Device(config-if)# switchport mode trunk
Purpose: Configures the port as trunk.

Step 4
Command or Action: no shutdown
Example:
Device(config-if)# no shutdown
Purpose: Enables the interface.

Configuring LAG in ON Mode
Follow the procedure given below to configure LAG in ON mode.

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: interface TenGigabitEthernet port-slot
Example:
Device(config)# interface TenGigabitEthernet0/0/0
Purpose: Configures the port.

Step 3
Command or Action: switchport mode trunk
Example:
Device(config-if)# switchport mode trunk
Purpose: Configures the port as trunk.

Step 4
Command or Action: no shutdown
Example:
Device(config-if)# no shutdown
Purpose: Enables the interface.

Step 5
Command or Action: channel-group group-number mode on
Example:
Device(config-if)# channel-group 3 mode on
Purpose: Assigns the port to a channel group, and specifies the ON mode. The valid values for the port channel number range from 1 to 64.

Step 6
Command or Action: switchport trunk allowed vlan vlan-id
Example:
Device(config-if)# switchport trunk allowed vlan 16,17
Purpose: Assigns the allowed VLAN ID to the port when it is in trunking mode.

Add an Interface to a Port Channel (LACP)
Follow the procedure given below to add an interface to a port channel using LACP.

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: interface TenGigabitEthernet port-slot
Example:
Device(config)# interface TenGigabitEthernet0/0/0
Purpose: Configures the port.

Step 3
Command or Action: channel-group group-number mode {active | passive}
Example:
Device(config-if)# channel-group 1 mode active
Purpose: Assigns the port to a channel group, and specifies the LACP mode. The valid values for the port channel number range from 1 to 64.

Step 4
Command or Action: switchport mode trunk
Example:
Device(config-if)# switchport mode trunk
Purpose: Configures the port as trunk.

Add an Interface to a Port Channel (PAgP)
Follow the procedure given below to add an interface to a port channel using PAgP.

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: interface TenGigabitEthernet port-slot
Example:
Device(config)# interface TenGigabitEthernet0/0/0
Purpose: Configures the TenGigabit Ethernet interface.

Step 3
Command or Action: channel-group group-number mode {auto | desirable}
Example:
Device(config-if)# channel-group 1 mode auto
Purpose: Assigns the port to a channel group, and specifies the PAgP mode. The valid values for the port channel number range from 1 to 64.

Step 4
Command or Action: switchport mode trunk
Example:
Device(config-if)# switchport mode trunk
Purpose: Configures the port as trunk.

Add a VLAN to a Port Channel
Follow the procedure given below to add different VLANs under a port channel.

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: interface port-channel port-channel
Example:
Device(config)# interface port-channel 1
Purpose: Configures the port channel. Valid values for the port channel number range from 1 to 64.

Step 3
Command or Action: switchport trunk allowed vlan vlan-id
Example:
Device(config-if)# switchport trunk allowed vlan 10,30,50
Purpose: Adds VLANs to the list of allowed VLANs.

Remove a Port Channel Group from a Physical Interface
Perform this task to remove a port channel group from a physical port.

Procedure

Step 1
Command or Action: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: interface TenGigabitEthernet port-slot
Example: Device(config)# interface TenGigabitEthernet0/0/0
Purpose: Enters interface configuration mode for the TenGigabit Ethernet interface.

Step 3
Command or Action: no channel-group
Example: Device(config-if)# no channel-group
Purpose: Removes the port channel group from the physical port.

Step 4
Command or Action: end
Example: Device(config-if)# end
Purpose: Exits configuration mode and returns to privileged EXEC mode.

Verify the LAG Configuration

To view a port channel's state, use the following command:

Device# show etherchannel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port
        A - formed by Auto LAG

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
3      Po3(SU)         LACP      Tw0/0/0(P)  Tw0/0/1(P)
4      Po4(SU)         LACP      Tw0/0/2(P)  Tw0/0/3(P)

A healthy port channel shows SU (Layer2, in use) and every member port shows P (bundled).

To verify an LACP or PAgP configuration, use the following commands:

Device# show running-config interface twoGigabitEthernet 0/0/0
Building configuration...

Current configuration : 114 bytes
!
interface TwoGigabitEthernet0/0/0
 switchport trunk allowed vlan 16,17
 switchport mode trunk
 speed 1000
 no negotiation auto
 no snmp trap link-status
 channel-group 3 mode on

Device# show running-config interface port-channel 1
Building configuration...

Current configuration : 54 bytes
!
interface Port-channel1
 switchport mode trunk
 switchport trunk allowed vlan 10,30,50
end

The channel-group mode on a member port must match the procedure you used: active or passive for LACP, auto or desirable for PAgP. Mode on is static aggregation, which runs no negotiation protocol.
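The following is an added example, not code from the Cisco guide: a small Python checker that parses the show etherchannel summary table shown above and reports any port-channel that is not SU, any member port that is not bundled (P), and any group whose protocol differs from the one expected (LACP or PAgP, to match the procedure used). The sample tables are constructed for the example; the first reproduces the two groups above, the second adds a suspended member and a down aggregator.

```python
"""Sanity-check a Catalyst 9800 'show etherchannel summary' for LAG health.

Added example, not from the Cisco guide. parse_summary() reads the table
shown above and lag_problems() reports any port-channel whose flags are not
S (Layer2) and U (in use), any member port that is not P (bundled), and any
group whose protocol differs from the one expected. SAMPLE_OK reproduces
the guide's groups; SAMPLE_BROKEN is constructed to show a suspended member
and a down aggregator.
"""
import re

# Constructed sample, modelled on the guide's output.
SAMPLE_OK = """\
Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
3      Po3(SU)         LACP      Tw0/0/0(P)  Tw0/0/1(P)
4      Po4(SU)         LACP      Tw0/0/2(P)  Tw0/0/3(P)
"""

# Constructed failure case: one suspended member, one aggregator down.
SAMPLE_BROKEN = """\
Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
3      Po3(SU)         LACP      Tw0/0/0(P)  Tw0/0/1(s)
4      Po4(SD)         LACP      Tw0/0/2(D)  Tw0/0/3(D)
"""

ROW_RE = re.compile(r"^\s*(\d+)\s+(Po\d+)\(([A-Za-z]+)\)\s+(\S+)\s+(.*)$")
PORT_RE = re.compile(r"(\S+?)\(([A-Za-z]+)\)")


def parse_summary(text):
    """Map group number -> {"po", "flags", "protocol", "ports": {name: flags}}.

    Rows of the table start with the group number; when a group has many
    members IOS wraps the port list onto indented continuation lines, which
    are appended to the last group seen. Only lines after the '------+'
    separator are considered, so the flag legend is ignored.
    """
    groups, in_table, last = {}, False, None
    for line in text.splitlines():
        if line.startswith("------+"):
            in_table = True
            continue
        if not in_table:
            continue
        m = ROW_RE.match(line)
        if m:
            num, po, flags, proto, ports = m.groups()
            last = int(num)
            groups[last] = {"po": po, "flags": flags, "protocol": proto,
                            "ports": dict(PORT_RE.findall(ports))}
        elif last is not None and line.startswith(" "):
            groups[last]["ports"].update(PORT_RE.findall(line))
    return groups


def lag_problems(text, expected_protocol="LACP"):
    """Return a list of findings; an empty list means every LAG is healthy."""
    problems = []
    for info in parse_summary(text).values():
        po, flags = info["po"], info["flags"]
        if "S" not in flags or "U" not in flags:
            problems.append(f"{po}: flags ({flags}), expected Layer2 and in use (SU)")
        if info["protocol"] != expected_protocol:
            problems.append(f"{po}: protocol {info['protocol']}, expected {expected_protocol}")
        for port, pflags in info["ports"].items():
            if "P" not in pflags:
                problems.append(f"{po} member {port}: flag ({pflags}), not bundled")
    return problems


if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("broken", SAMPLE_BROKEN)):
        print(label, lag_problems(sample) or "no problems")
```

Pass expected_protocol="PAgP" when the members were added with the PAgP procedure; a mismatch between the configured mode and the protocol column is itself worth investigating.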

CHAPTER 179

Hotspot 2.0

· Introduction to Hotspot 2.0, on page 1785
· Open Roaming, on page 1787
· Configuring Hotspot 2.0, on page 1789
Introduction to Hotspot 2.0
The Hotspot 2.0 feature enables IEEE 802.11 devices to interwork with external networks. The interworking service aids network discovery and selection, enabling information transfer from external networks. It provides information to the stations about the networks before association. Interworking not only helps users within the home, enterprise, and public access domains, but also assists manufacturers and operators to provide common components and services for IEEE 802.11 customers. These services are configured on a per-WLAN basis on the Cisco Wireless Controller (controller).

Hotspot 2.0, also known as HS2 and Wi-Fi Certified Passpoint, is based on the IEEE 802.11u and Wi-Fi Alliance Hotspot 2.0 standards. It seeks to provide better bandwidth and services-on-demand to end users. The Hotspot 2.0 feature allows mobile devices to join a Wi-Fi network automatically, including during roaming, when the devices enter the Hotspot 2.0 area.

The Hotspot 2.0 feature has four distinct parts:
· Hotspot 2.0 Beacon Advertisement: Allows a mobile device to discover Hotspot 2.0-compatible and 802.11u-compatible WLANs.
· Access Network Query Protocol (ANQP) Queries: Sends queries about the networks from IEEE 802.11 devices, such as network type (private or public); connectivity type (local network, internet connection, and so on), or the network providers supported by a given network.
· Online Sign-up: Allows a mobile device to obtain credentials to authenticate itself with the Hotspot 2.0 or WLAN.
· Authentication and Session Management: Provides authentication (802.1x) and management of the STA session (session expiration, extension, and so on).
In order to mark a WLAN as Hotspot 2.0-compatible, the 802.11u-mandated information element and the Hotspot 2.0 information element are added to the basic service set (BSS) beacon advertised by the corresponding AP, and to WLAN probe responses.

Note The Hotspot 2.0 feature supports only local mode or FlexConnect mode (central switching and central authentication).
FlexConnect local switching is only supported when the Open Roaming configuration template is set up using the wireless hotspot anqp-server server-name type open-roaming command. If the configuration diverges from this template, FlexConnect local switching will not be supported.
The following figure shows a standard deployment of the Hotspot 2.0 network architecture:
Figure 51: Hotspot 2.0 Deployment Topology

Hotspot 2.0 Enhancements

From Cisco IOS XE Amsterdam 17.3.1, the Hotspot 2.0 feature has been enhanced with the following options:

· New ANQP elements:
  · Advice of charge: Provides information on the financial charges for using the SSID of the NAI realm
  · Operator icon metadata
  · Venue URL: Defines an optional URL for each of the configured venue names
· Introduction of Terms and Conditions: This requires a user to accept certain Terms and Conditions before being allowed internet access, after connecting to a Hotspot SSID.
· Integration of OSEN security and WPA2 security on the same SSID.
From Cisco IOS XE Amsterdam 17.3.1 onwards, two encryption methods are supported on a single SSID, namely WPA2 802.1x for Hotspot 2.0 and OSEN for online sign-up. Based on the type of encryption selected during client association, the client is put on the Hotspot 2.0 VLAN or the online sign-up VLAN. In WPA2 802.1x authentication, a client should match the credentials provisioned on a device. In online sign-up, a service provider WLAN is used by a client to perform online sign-up. For Hotspot 2.0 SSIDs, the RADIUS server enforces the terms and conditions before allowing internet connectivity to clients.

This release also supports an OSEN-specific VLAN in a policy profile. If an OSEN VLAN is defined in a policy profile, OSEN clients are added to that VLAN. Otherwise, clients are added to the regular policy profile VLAN or to the default VLAN. If OSEN is enabled with WPA2 on an SSID, it is mandatory to define an OSEN VLAN in the policy profile. Otherwise, clients cannot join the VLAN. In FlexConnect mode, if an OSEN VLAN is defined in a policy profile, the same VLAN needs to be added to the flex profile. Failing to do so excludes the clients from the VLAN.
Note: When Hotspot 2.0 is enabled in a WLAN, Wi-Fi Direct clients that support the cross-connect feature should not be allowed to associate to the Hotspot 2.0 WLAN. To make sure this policy is enforced, ensure that the following configuration is in place:

wlan <wlan-name> <wlan-id> <ssid>
 wifi-direct policy xconnect-not-allow

Restrictions

· In FlexConnect mode, clients are excluded if the OSEN VLAN defined in the policy profile is not also added to the flex profile.
· In FlexConnect deployments, the URL filter should reference an existing URL filter (configured using the urlfilter list urlfilter-name command). Otherwise, a client is added to the excluded list after authentication.
· Only central authentication is supported.
· Fragmented ANQP replies are not synchronized to the standby controller in high-availability mode. Therefore, clients have to re-issue a query if there is a switchover.
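As an added example that is not part of the Cisco guide, the following Python models the VLAN placement rules described above for an SSID that carries both WPA2 802.1X and OSEN, including the FlexConnect exclusions in the restrictions list. The WLAN, policy profile and flex profile are plain dictionaries constructed for the example, the default VLAN number is an assumption, and the guide's "clients cannot join" is modelled as exclusion.

```python
"""Model of where a Hotspot 2.0 client lands: policy VLAN, OSEN VLAN, or excluded.

Added example; this is not Cisco code. It encodes the statements above about
a WLAN that carries both WPA2 802.1X (Hotspot 2.0) and OSEN (online
sign-up): OSEN clients go to the OSEN VLAN of the policy profile when one is
defined, otherwise to the policy profile VLAN or the default VLAN; on a
combined WPA2/OSEN SSID an OSEN VLAN is mandatory; in FlexConnect the OSEN
VLAN must also be in the flex profile and any URL filter the policy profile
references must exist, or the client is excluded. The WLAN, policy profile
and flex profile are plain dicts constructed for the example, and the
default VLAN number is an assumption, not a controller value.
"""

DEFAULT_VLAN = 1  # assumption for the example


def _policy_vlan(policy):
    """Policy profile VLAN, or the default VLAN when none is configured."""
    return policy["vlan"] if policy.get("vlan") is not None else DEFAULT_VLAN


def place_client(assoc_security, wlan, policy, flex=None):
    """Return (vlan, reason); vlan is None when the client is excluded.

    assoc_security: "wpa2-dot1x" or "osen", the security the client chose at
                    association.
    wlan:           {"wpa2": bool, "osen": bool}
    policy:         {"vlan": int|None, "osen_vlan": int|None, "url_filter": str|None}
    flex:           None in local mode; in FlexConnect,
                    {"vlans": set of int, "url_filters": set of str}
    """
    if assoc_security not in ("wpa2-dot1x", "osen"):
        raise ValueError(f"unknown association security {assoc_security!r}")
    if assoc_security == "osen" and not wlan["osen"]:
        return None, "excluded: OSEN is not enabled on the WLAN"
    if assoc_security == "wpa2-dot1x" and not wlan["wpa2"]:
        return None, "excluded: WPA2 802.1X is not enabled on the WLAN"

    # FlexConnect restriction: the policy profile's URL filter must name an
    # existing 'urlfilter list', otherwise the client is excluded after auth.
    url_filter = policy.get("url_filter")
    if flex is not None and url_filter and url_filter not in flex["url_filters"]:
        return None, f"excluded: URL filter {url_filter!r} is not defined"

    if assoc_security == "wpa2-dot1x":
        return _policy_vlan(policy), "policy profile VLAN"

    osen_vlan = policy.get("osen_vlan")
    if osen_vlan is None:
        if wlan["wpa2"]:
            # OSEN and WPA2 on one SSID: the OSEN VLAN is mandatory.
            return None, "excluded: OSEN with WPA2 on the SSID requires an OSEN VLAN in the policy profile"
        return _policy_vlan(policy), "policy profile VLAN (no OSEN VLAN defined)"
    if flex is not None and osen_vlan not in flex["vlans"]:
        return None, f"excluded: OSEN VLAN {osen_vlan} is not in the flex profile"
    return osen_vlan, "OSEN VLAN"


# Constructed scenarios for the example.
WLAN_HS2 = {"wpa2": True, "osen": True}
POLICY_OK = {"vlan": 20, "osen_vlan": 30, "url_filter": None}
POLICY_NO_OSEN_VLAN = {"vlan": 20, "osen_vlan": None, "url_filter": None}
FLEX_MISSING_OSEN_VLAN = {"vlans": {20}, "url_filters": set()}

if __name__ == "__main__":
    print(place_client("wpa2-dot1x", WLAN_HS2, POLICY_OK))
    print(place_client("osen", WLAN_HS2, POLICY_OK))
    print(place_client("osen", WLAN_HS2, POLICY_NO_OSEN_VLAN))
    print(place_client("osen", WLAN_HS2, POLICY_OK, FLEX_MISSING_OSEN_VLAN))
```

Run the four scenarios before rolling out a combined WPA2/OSEN SSID: the third and fourth return None and name the missing piece of configuration that would otherwise show up only as excluded clients.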
Open Roaming
From Cisco IOS XE Amsterdam Release 17.2.1, the controller supports open roaming configuration, which enables mobile users to automatically and seamlessly roam across Wi-Fi and cellular networks. The new configuration template of the open roaming ANQP server simplifies the task of setting up a Hotspot 2.0 ANQP server. When you configure open roaming, fixed ANQP parameters are automatically populated.

You can configure different identity types by defining roaming organizational identifiers. The organizational unique identifier (OUI) is a three-octet number that identifies the type of organizations available in a given roaming consortium. The OUI list determines the type of identities allowed to roam into the network. The default configuration allows all the identities on the access network. However, access networks can customize the Roaming Consortium Organisation Identifier (RCOI) they advertise. You can configure three types of policies for access networks:

· Allow all: Accepts users from any identity provider (IDP), with any privacy policy.
· Real ID: Accepts users from any IDP, but only with a privacy policy that shares real identity (anonymous not accepted).
· Custom: Accepts users of select identity types and privacy policies associated with the identity types; basically all the other RCOIs.
Users can select the following privacy modes:

· Anonymous
· Share real identity

The list of currently defined organizational identifiers and their aliases is given in the following table.

Table 88: Roaming Organizational Identifiers and Aliases

Description                         Roaming Organizational Identifier   WBA Value     Display Name
All                                 004096                              5A03BA0000    All
All with real ID                    00500b                              5A03BA1000    All with real-id only
All paid members                    00500f                              BAA2D00000    All paid
Device manufacturer all ID          00502a                              5A03BA0A00    Device Manufacturer
Device manufacturer real ID only    0050a7                              5A03BA1A00    Device Manufacturer real-id
Cloud or Social ID                  005014                              5A03BA0200    Cloud ID
Cloud or Social real ID             0050bd                              5A03BA1200    Cloud ID real-id
Enterprise Employee ID              00503e                              5A03BA0300    Enterprise ID
Enterprise Employee real ID         0050d1                              5A03BA1300    Enterprise ID real ID
Enterprise Customer ID              005050                              -             Enterprise Customer program ID
Enterprise Customer real ID         0050e2                              -             Enterprise Customer program real ID
Loyalty Retail ID                   005053                              5A03BA0B00    Loyalty Retail
Loyalty Retail real ID              0050f0                              5A03BA1B00    Loyalty Retail real ID
Loyalty Hospitality ID              005054                              5A03BA0600    Loyalty Hospitality
Loyalty Hospitality real ID         00562b                              5A03BA1600    Loyalty Hospitality real ID
SP free Bronze QoS                  005073                              5A03BA0100    SP free Bronze Qos
SP free Bronze QoS real ID          0057D2                              5A03BA1100    SP free Bronze Qos Real ID
SP paid Bronze QoS                  -                                   BAA2D00100    SP paid Bronze QoS
SP paid Bronze QoS real ID                                              BAA2D01100    SP paid Bronze QoS real ID
SP paid Silver QoS                                                      BAA2D02100    SP paid Silver QoS
SP paid Silver QoS real ID                                              BAA2D03100    SP paid Silver QoS real ID
SP paid Gold QoS                                                        BAA2D04100    SP paid Gold QoS
SP paid Gold QoS real ID            -                                   BAA2D05100    SP paid Gold QoS real ID
Government ID free                  -                                   5A03BA0400    Government ID free
Automotive ID free                  -                                   5A03BA0500    Automotive ID free
Automotive Paid                     -                                   BAA2D00500    Automotive Paid
Education or Research ID free       -                                   5A03BA0800    Education or Research ID free
Cable ID free                       -                                   5A03BA0900    Cable ID free

Configuring Hotspot 2.0

Configuring an Access Network Query Protocol Server

The Access Network Query Protocol (ANQP) is a query and response protocol that defines the services offered by an AP, usually at a Wi-Fi Hotspot 2.0. The ANQP server configured here holds the information that the AP returns to those queries.

Note: When configuring roaming-oi in the ANQP server, ensure that you set the beacon keyword for at least one roaming-oi, as mandated by the 802.11u standard.

Procedure

Step 1
Command or Action: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wireless hotspot anqp-server server-name
Example: Device(config)# wireless hotspot anqp-server my_server
Purpose: Configures a Hotspot 2.0 ANQP server.

Step 3
Command or Action: description description
Example: Device(config-wireless-anqp-server)# description "My Hotspot 2.0"
Purpose: Adds a description for the ANQP server.

Step 4
Command or Action: 3gpp-info mobile-country-code mobile-network-code
Example: Device(config-wireless-anqp-server)# 3gpp-info us mcc
Purpose: Configures an 802.11u Third Generation Partnership Project (3GPP) cellular network. The mobile-country-code should be a 3-digit decimal number. The mobile-network-code should be a 2-digit or 3-digit decimal number.

Step 5
Command or Action: anqp fragmentation-threshold threshold-value
Example: Device(config-wireless-anqp-server)# anqp fragmentation-threshold 100
Purpose: Configures the ANQP reply fragmentation threshold, in bytes. The ANQP protocol can be customized by setting the fragmentation threshold, above which the ANQP reply is split into multiple messages.
Note: We recommend that you use the default values for the deployment.

Step 6
Command or Action: anqp-domain-id domain-id
Example: Device(config-wireless-anqp-server)# anqp-domain-id 100
Purpose: Configures the Hotspot 2.0 ANQP domain identifier.

Step 7
Command or Action: authentication-type {dns-redirect | http-https-redirect | online-enrollment | terms-and-conditions}
Example: Device(config-wireless-anqp-server)# authentication-type online-enrollment
Purpose: Configures the 802.11u network authentication type. Depending on the authentication type, a URL is needed: the http-https-redirect and terms-and-conditions types take the URL that clients are directed to.

Step 8
Command or Action: connection-capability ip-protocol port-number {closed | open | unknown}
Example: Device(config-wireless-anqp-server)# connection-capability 12 40 open
Purpose: Configures the Hotspot 2.0 protocol and port capabilities.
Note: Hotspot 2.0 specifications require that you predefine some open ports and protocols. Ensure that you meet these requirements in order to comply with the Hotspot 2.0 specifications. See the connection-capability command in the Cisco Catalyst 9800 Series Wireless Controller Command Reference document for a list of open ports and protocols.

Step 9
Command or Action: domain domain-name
Example: Device(config-wireless-anqp-server)# domain my-domain
Purpose: Configures an 802.11u domain name. You can configure up to 32 domain names. The domain-name should not exceed 220 characters.

Step 10
Command or Action: ipv4-address-type ipv4-address-type
Example: Device(config-wireless-anqp-server)# ipv4-address-type public
Purpose: Configures an 802.11u IPv4 address type in the Hotspot 2.0 network.

Step 11
Command or Action: ipv6-address-type ipv6-address-type
Example: Device(config-wireless-anqp-server)# ipv6-address-type available
Purpose: Configures an 802.11u IPv6 address type in the Hotspot 2.0 network.

Step 12
Command or Action: nai-realm realm-name
Example: Device(config-wireless-anqp-server)# nai-realm cisco.com
Purpose: Configures an 802.11u NAI realm profile that identifies the realm that is accessible using the AP.

Step 13
Command or Action: operating-class class-id
Example: Device(config-wireless-anqp-server)# operating-class 25
Purpose: Configures a Hotspot 2.0 operating class identifier.

Step 14
Command or Action: operator operator-name language-code
Example: Device(config-wireless-anqp-server)# operator XYZ-operator eng
Purpose: Configures a Hotspot 2.0 operator-friendly name in a given language. Use only the first three letters of the language, in lower case, for the language code. For example, use eng for English. To see the full list of language codes, go to: http://www.loc.gov/standards/iso639-2/php/code_list.php.
Note: You can configure only one operator per language.

Step 15
Command or Action: osu-ssid SSID
Example: Device(config-wireless-anqp-server)# osu-ssid test
Purpose: Configures the SSID that wireless clients will use for OSU. The SSID length can be up to 32 characters.

Step 16
Command or Action: roaming-oi OI-value [beacon]
Example: Device(config-wireless-anqp-server)# roaming-oi 24 beacon
Purpose: Configures the 802.11u roaming organization identifier. If the beacon keyword is specified, the roaming OUI is advertised in the AP WLAN beacon or probe response. Otherwise, it is only returned in the reply to a roaming OUI ANQP query.
Note: The hex string of a roaming OUI should contain only lowercase letters.

Step 17
Command or Action: venue venue-name language-code
Example: Device(config-wireless-anqp-server)# venue bank eng
Purpose: Configures the 802.11u venue information. The venue-name should not exceed 220 characters and the language-code should be 2 or 3 lowercase letters (a-z).
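As an added example (not Cisco code; it does not connect to a controller), the following Python checks a planned ANQP server definition against the limits this procedure states before it is typed into the controller: MCC and MNC digit counts, domain count and length, language-code form and one operator per language, venue name length, OSU SSID length, lowercase roaming-OI hex with at least one beacon OI and at most three (the cap given in the Configuring Organizational Identifier Alias GUI procedure later in this chapter), and the operating-class ranges from the 3GPP/Operator GUI procedure. The dictionary layout and the sample definition are assumptions made for the example.

```python
"""Lint an ANQP server definition against the limits stated in this section.

Added example; this is not Cisco code and does not talk to a controller. It
encodes the constraints the guide states for the ANQP server: a 3-digit MCC
and 2- or 3-digit MNC, at most 32 domain names of at most 220 characters,
2- or 3-letter lowercase language codes with one operator per language, a
venue name of at most 220 characters, an OSU SSID of at most 32 characters,
roaming OIs written as lowercase hex with at least one (802.11u) and at most
three (GUI note) advertised in the beacon, and the operating-class ranges
from the 3GPP/Operator GUI procedure. The dictionary layout and the sample
configuration are constructed for the example.
"""
import re

OPERATING_CLASS_RANGES = ((81, 87), (94, 96), (101, 130), (180, 180), (192, 254))
LANG_RE = re.compile(r"[a-z]{2,3}")
OI_RE = re.compile(r"[0-9a-f]+")


def lint_anqp_server(cfg):
    """Return a list of findings; an empty list means the definition is clean."""
    findings = []

    for mcc, mnc in cfg.get("3gpp", []):
        if not re.fullmatch(r"\d{3}", mcc):
            findings.append(f"3gpp-info: MCC {mcc!r} must be 3 decimal digits")
        if not re.fullmatch(r"\d{2,3}", mnc):
            findings.append(f"3gpp-info: MNC {mnc!r} must be 2 or 3 decimal digits")

    domains = cfg.get("domains", [])
    if len(domains) > 32:
        findings.append(f"domain: {len(domains)} names configured, maximum is 32")
    findings += [f"domain: {d[:16]!r}... exceeds 220 characters" for d in domains if len(d) > 220]

    seen_langs = set()
    for name, lang in cfg.get("operators", []):
        if not LANG_RE.fullmatch(lang):
            findings.append(f"operator {name!r}: language code {lang!r} must be 2 or 3 lowercase letters")
        elif lang in seen_langs:
            findings.append(f"operator {name!r}: second operator for language {lang!r}; only one is allowed")
        seen_langs.add(lang)

    for name, lang in cfg.get("venues", []):
        if len(name) > 220:
            findings.append(f"venue {name[:16]!r}...: name exceeds 220 characters")
        if not LANG_RE.fullmatch(lang):
            findings.append(f"venue {name!r}: language code {lang!r} must be 2 or 3 lowercase letters")

    ssid = cfg.get("osu_ssid")
    if ssid is not None and len(ssid) > 32:
        findings.append(f"osu-ssid: {ssid!r} exceeds 32 characters")

    ois = cfg.get("roaming_oi", [])
    in_beacon = sum(1 for _, beacon in ois if beacon)
    for oi, _ in ois:
        if not OI_RE.fullmatch(oi):
            findings.append(f"roaming-oi {oi!r}: must be a lowercase hex string")
    if ois and in_beacon == 0:
        findings.append("roaming-oi: no OI carries the beacon keyword; 802.11u requires at least one")
    if in_beacon > 3:
        findings.append(f"roaming-oi: {in_beacon} OIs in beacon state; only three are allowed")

    for cls in cfg.get("operating_classes", []):
        if not any(lo <= cls <= hi for lo, hi in OPERATING_CLASS_RANGES):
            findings.append(f"operating-class {cls}: outside the ranges 81-87, 94-96, 101-130, 180, 192-254")

    return findings


# Constructed sample: otherwise valid, with five deliberate faults.
SAMPLE_CFG = {
    "3gpp": [("310", "260"), ("1234", "5")],                  # MCC too long, MNC too short
    "domains": ["cisco.com"],
    "operators": [("XYZ-operator", "eng"), ("Other", "eng")],  # two operators for eng
    "venues": [("bank", "eng")],
    "osu_ssid": "test",
    "roaming_oi": [("004096", True), ("5A03BA0000", False)],  # uppercase hex
    "operating_classes": [81, 115, 90],                        # 90 is in no range
}

if __name__ == "__main__":
    for finding in lint_anqp_server(SAMPLE_CFG):
        print(finding)
```

The WBA values in Table 88 are printed in uppercase; the roaming-oi command wants them lowercased, which is exactly the kind of transcription slip the last check catches.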

Configuring ANQP Global Server Settings (GUI)

Procedure

Step 1 Choose Configuration > Wireless > Hotspot/OpenRoaming.
Step 2 Select an existing server from the list of servers.
Step 3 Click the Server Settings tab.
Step 4 Go to the Global Server Settings section.
Step 5 From the IPv4 Type drop-down list, choose an IPv4 type.
Step 6 From the IPv6 Type drop-down list, choose an IPv6 type.
Step 7 In the OSU SSID field, enter the SSID that wireless clients will use for Online Sign-Up (OSU).
Step 8 Click the Show Advanced Configuration link to view the advanced options.
· In the Fragmentation Threshold (bytes) field, enter the fragmentation threshold.
  Note: ANQP replies that are larger than the size you specify here will be fragmented.
· In the GAS Request Timeout (ms) field, enter the Generic Advertisement Service (GAS) request timeout, in milliseconds.
Step 9 Click Apply to Device.

Configuring Open Roaming (CLI)

Procedure

Step 1
Command or Action: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wireless hotspot anqp-server server-name type open-roaming
Example: Device(config)# wireless hotspot anqp-server my-server type open-roaming
Purpose: Configures a Hotspot 2.0 ANQP server with open roaming.

Step 3
Command or Action: open-roaming-oi alias
Example: Device(config-wireless-anqp-server)# open-roaming-oi allow-all
Purpose: Sets the open roaming element alias.

Step 4
Command or Action: domain domain-name
Example: Device(config-wireless-anqp-server)# domain my-domain
Purpose: Configures a preferred domain name to ensure that clients roam into a preferred network. You can configure up to 32 domain names. The domain-name should not exceed 220 characters.

Configuring Open Roaming (GUI)
Procedure

Step 1 Choose Configuration > Wireless > Hotspot/OpenRoaming.
Step 2 Click Add. The Add New ANQP Server window is displayed.
Step 3 In the Name field, enter a name for the server.
Step 4 In the Description field, enter a description for the server.
Step 5 Check the OpenRoaming Server check box to use the server as an open roaming server.
Note: You can set the server as an open roaming server only at the time of server creation.
Step 6 Check the Internet Access check box to enable internet access for the server.
Step 7 From the Network Type drop-down list, choose the network type.
Step 8 Click Apply to Device.

Configuring NAI Realms (GUI)
Procedure

Step 1 Choose Configuration > Wireless > Hotspot/OpenRoaming.
Step 2 Select an existing server from the list of servers.
Step 3 Go to the NAI Realms section.
Step 4 Click Add. The Add NAI Realm window is displayed.
Step 5 In the NAI Realm Name field, enter an 802.11u NAI realm of the OSU operator.
Step 6 In the EAP Methods section, use the toggle button to enable the required EAP methods. After an EAP method is enabled, a pane is displayed to configure its details: credential, inner-auth-eap, inner-auth-non-eap, and tunneled-eap-credential. You can select multiple options for each of these.
· The Credential window has options such as certificate, hw-token, nfc, none, sim, softoken, username-password, and usim. Check the corresponding check box.
· The inner-auth-eap window has options such as eap-aka, eap-fast, eap-sim, eap-tls, eap-ttls, eap-leap, and eap-peap. Check the corresponding check box.
· The tunneled-eap-credential window has options such as anonymous, certificate, hw-token, nfc, sim, softoken, username-password, and usim. Check the corresponding check box.
· Click Save.
Step 7 Click Apply to Device.

Configuring Organizational Identifier Alias (GUI)
Procedure

Step 1 Choose Configuration > Wireless > Hotspot/OpenRoaming.
Step 2 Select an existing server from the list of servers.
Step 3 In the Roaming OIs area, enter an 802.11u roaming organization identifier in the Roaming OI field.
Step 4 Check the Beacon State check box to enable the beacon. If the beacon is specified, the roaming OUI is advertised in the AP WLAN beacon or probe response. Otherwise, it is only returned in the reply to a roaming OUI ANQP query.
Note: Only three OUIs can be enabled in the beacon state.
Step 5 Click Add to add a roaming OI.
Step 6 In the Available OpenRoaming OI window, a list of organizational identifiers is displayed, along with the ones you have added. Select an organizational identifier and click the right arrow to add an OpenRoaming OI.
Step 7 In the Domains area, enter an 802.11u domain name in the Domain Name field.
Step 8 Click Add to use the domain name that you have entered as the preferred domain.
Step 9 Click Apply to Device.

Configuring WAN Metrics (GUI)
Procedure

Step 1 Choose Configuration > Wireless > Hotspot/OpenRoaming.
Step 2 Select an existing server from the list of servers.
Step 3 Click the Server Settings tab.
Step 4 Go to the WAN Metrics area.
Step 5 In the Downlink Load field, enter the WAN downlink load.
Step 6 In the Downlink Speed (kbps) field, enter the WAN downlink speed, in kbps.
Step 7 In the Load Duration (100ms) field, enter the load measurement duration.
Step 8 In the Upload Load field, enter the WAN uplink load.
Step 9 In the Upload Speed (kbps) field, enter the WAN uplink speed, in kbps.
Step 10 From the Link Status drop-down list, choose the link status.
Step 11 Use the Full Capacity Link toggle button to enable the WAN link to operate at its maximum capacity.
Step 12 Click Apply to Device.

Configuring WAN Metrics
This procedure shows you how to configure the Wide Area Network (WAN) parameters such as uplink and downlink speed, link status, load, and so on.

Procedure

Step 1
Command or Action: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wireless hotspot anqp-server server-name
Example: Device(config)# wireless hotspot anqp-server my_server
Purpose: Configures a Hotspot 2.0 ANQP server.

Step 3
Command or Action: wan-metrics downlink-load load-value
Example: Device(config-wireless-anqp-server)# wan-metrics downlink-load 100
Purpose: Configures the WAN downlink load.

Step 4
Command or Action: wan-metrics downlink-speed speed
Example: Device(config-wire less-anqp-server)# wan-metrics downlink-speed 1000
Purpose: Configures the WAN downlink speed, in kbps.

Step 5
Command or Action: wan-metrics full-capacity-link
Example: Device(config-wireless-anqp-server)# wan-metrics full-capacity-link
Purpose: Configures the WAN link to operate at its maximum capacity.

Step 6
Command or Action: wan-metrics link-status {down | not-configured | test-state | up}
Example: Device(config-wireless-anqp-server)# wan-metrics link-status down
Purpose: Sets the WAN link status.

Step 7
Command or Action: wan-metrics load-measurement-duration duration
Example: Device(config-wireless-anqp-server)# wan-metrics load-measurement-duration 100
Purpose: Configures the uplink or downlink load measurement duration.

Step 8
Command or Action: wan-metrics uplink-load load-value
Example: Device(config-wireless-anqp-server)# wan-metrics uplink-load 100
Purpose: Configures the WAN uplink load.

Step 9
Command or Action: wan-metrics uplink-speed speed
Example: Device(config-wireless-anqp-server)# wan-metrics uplink-speed 1000
Purpose: Configures the WAN uplink speed, in kbps.

Configuring Beacon Parameters (GUI)
Procedure

Step 1 Choose Configuration > Wireless > Hotspot/OpenRoaming.
Step 2 Select an existing server from the list of servers.
Step 3 Click the Server Settings tab.
Step 4 Go to the Beacon Parameters section.
Step 5 In the Hess id field, enter the homogeneous extended service set identifier (HESSID).
Step 6 In the Domain id field, enter the domain identifier.
Step 7 From the Venue Type drop-down list, select the venue. Choosing a venue activates the subvenue type.
Step 8 From the subvenue-type drop-down list, select the sub-venue.
Step 9 Click Apply to Device.

Configuring Authentication and Venue (GUI)
Procedure

Step 1 Choose Configuration > Wireless > Hotspot/OpenRoaming.
Step 2 Select an existing server from the list of servers.
Step 3 Click the Authentication/Venue tab.
Step 4 Under the Network Auth Types section, check the check boxes for the required authentication types: DNS Redirect, Online Enrolment, HTTP/HTTPS Redirect, and Terms and Conditions. For HTTP/HTTPS Redirect and Terms and Conditions, the URL field is enabled after you select them.
Step 5 Add the URL for the corresponding authentication type.
Step 6 Click Apply.
Step 7 Go to the Venues section and click Add. The Venue Details pane is displayed.
Step 8 In the Language Code field, enter the language code. Use the first two or three letters of the language, in lower case, for the language code. For example, use eng for English. To see the full list of language codes, go to: http://www.loc.gov/standards/iso639-2/php/code_list.php.
Step 9 In the Venue URL field, enter the URL of the venue.
Step 10 In the Venue Name field, enter the name of the venue.
Step 11 Click the check mark icon to add the venue details.
Step 12 Go to the Connection Capability section and click Add. The Connection Capabilities pane is displayed.
Step 13 In the Port Number field, enter the port number.
Step 14 From the Connection Status drop-down list, choose a connection status.
Step 15 In the IP Protocol field, enter the IP protocol number.
Note: Hotspot 2.0 specifications require that you predefine some open ports and protocols. Ensure that you meet these requirements in order to comply with the Hotspot 2.0 specifications. See the connection-capability command in the Cisco Catalyst 9800 Series Wireless Controller Command Reference document for a list of open ports and protocols.
Step 16 Click the check mark icon to add the connection details.
Step 17 Click Apply to Device.


Configuring 3GPP/Operator (GUI)
Procedure

Step 1 Choose Configuration > Wireless > Hotspot/OpenRoaming.
Step 2 Select an existing server from the list of servers.
Step 3 Go to the 3GPP/Operator tab.
Step 4 In the Operating Class Indicator field, enter the operating class identifier and click the + icon. The operating class identifier is added and displayed in the pane below. Use the delete icon to delete entries, if required.
Note: Class IDs should be in the following ranges: 81-87, 94-96, 101-130, 180, and 192-254.
Step 5 Go to the 3GPP Cellular Networks section and click Add. The 3GPP Network Details pane is displayed.
Step 6 In the Mobile Country Code (MCC) field, enter the mobile country code, which should be a 3-digit decimal number.
Step 7 In the Mobile Network Code (MNC) field, enter the mobile network code, which should be a 2-digit or 3-digit decimal number. For the list of Mobile Country Codes (MCC) and Mobile Network Codes (MNC), see the following links: https://www.itu.int/pub/T-SP-E.212B-2018 or https://www.mcc-mnc.com.
Step 8 Click the check mark icon to add the network details.
Step 9 Go to the Hotspot 2.0 Operators section and click Add. The Operator Details pane is displayed.
Step 10 In the Language Code field, enter the language code. Use only the first three letters of the language, in lower case, for the language code. For example, use eng for English. To see the full list of language codes, go to: http://www.loc.gov/standards/iso639-2/php/code_list.php.
Step 11 In the Name field, enter the name of the OSU operator.
Step 12 Click the check mark icon to add the operator details.
Step 13 Click Apply to Device.

Configuring OSU Provider (GUI)
Procedure

Step 1 Choose Configuration > Wireless > Hotspot/OpenRoaming.
Step 2 Select an existing server from the list of servers.
Step 3 Go to the OSU Provider tab.
Step 4 Click Add. The General Config pane is displayed.
Step 5 In the Provider Name field, enter the OSU provider name.
Step 6 In the NAI Realm field, enter the Network Access Identifier (NAI) realm of the OSU operator.
Step 7 From the Primary Method drop-down list, choose the primary supported OSU method of the OSU operator. This activates the Secondary Method drop-down list. If you choose None as the primary supported OSU method, the secondary method is not offered.
Step 8 (Optional) From the Secondary Method drop-down list, choose the secondary supported OSU method of the OSU operator.
Step 9 In the Server URI field, enter the server Uniform Resource Identifier (URI) of the OSU operator.
Step 10 Click the Icon Config tab.
Step 11 Click Add.
Step 12 From the Icon Name drop-down list, choose the icon name.
Step 13 Click Save.
Step 14 Click the Friendly Names tab.
Step 15 Click Add.
Step 16 In the Language field, enter the language code.
Step 17 In the Name field, enter the name of the OSU operator.
Step 18 In the Description field, enter the description for the OSU operator.
Step 19 Click Save.
Step 20 Click the check mark icon to save.
Step 21 Click Apply to Device.

Configuring an Online Sign-Up Provider

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wireless hotspot icon bootflash:system-file-name media-type language-code icon-width icon-height
Example:
Device(config)# wireless hotspot icon bootflash:logo1 image eng 100 200
Purpose: Configures an icon for Hotspot 2.0 and its parameters, such as media type, language code, icon width, and icon height.

Step 3
Command or Action: wireless hotspot anqp-server server-name
Example:
Device(config)# wireless hotspot anqp-server my_server
Purpose: Configures a Hotspot 2.0 ANQP server.

Step 4
Command or Action: osu-provider osu-provider-name
Example:
Device(config-wireless-anqp-server)# osu-provider my-osu
Purpose: Configures a Hotspot 2.0 OSU provider name.

Step 5
Command or Action: name osu-operator-name lang-code description
Example:
Device(config-anqp-osu-provider)# name xyz-oper eng xyz-operator
Purpose: Configures the name of the OSU operator in a given language. The osu-operator-name and description should not exceed 220 characters. The language code should be 2 or 3 lower-case letters (a-z).

Step 6
Command or Action: server-uri server-uri
Example:
Device(config-anqp-osu-provider)# server-uri cisco.com
Purpose: Configures the server Uniform Resource Identifier (URI) of the OSU operator.

Step 7
Command or Action: method {oma-dm|soap-xml-spp}
Example:
Device(config-anqp-osu-provider)# method oma-dm
Purpose: Configures the primary supported OSU method of the OSU operator.

Step 8
Command or Action: nai-realm nai-realm
Example:
Device(config-anqp-osu-provider)# nai-realm cisco.com
Purpose: Configures the Network Access Identifier (NAI) realm of the OSU operator. The nai-realm should not exceed 220 characters.

Step 9
Command or Action: icon file-name
Example:
Device(config-anqp-osu-provider)# icon xyz.jpeg
Purpose: Configures the icon for the OSU provider. The file-name should not exceed 100 characters.
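An added worked example, not from this guide or from Cisco, that applies the limits stated in steps 5, 8 and 9 before the commands are pushed to a controller: it validates an OSU provider definition and renders the CLI lines of steps 3 to 9 in order. The 220- and 100-character limits, the 2- or 3-letter lower-case language code and the two OSU methods come from the procedure; the dataclass names and the rule that every argument is a single whitespace-free token (as in the guide's example name xyz-oper eng xyz-operator) are assumptions of the example.

```python
import re
from dataclasses import dataclass

# Limits stated in the guide's OSU provider procedure
MAX_TEXT_LEN = 220        # osu-operator-name, description and nai-realm
MAX_ICON_FILE_LEN = 100   # icon file-name
LANG_CODE_RE = re.compile(r"^[a-z]{2,3}$")   # 2 or 3 lower-case letters (a-z)
OSU_METHODS = ("oma-dm", "soap-xml-spp")     # method {oma-dm|soap-xml-spp}


@dataclass(frozen=True)
class OsuFriendlyName:
    operator_name: str   # osu-operator-name
    lang_code: str       # lang-code
    description: str     # description


@dataclass(frozen=True)
class OsuProvider:
    anqp_server: str
    provider_name: str
    names: tuple            # one OsuFriendlyName per language
    server_uri: str
    method: str
    nai_realm: str
    icon_file: str


def validate_osu_provider(p: OsuProvider) -> list:
    """Return a list of problems; an empty list means the definition passes the guide's limits."""
    problems = []
    # Assumption: each argument is one CLI token, so whitespace inside a value is rejected.
    for label, value in (("provider-name", p.provider_name), ("server-uri", p.server_uri),
                         ("nai-realm", p.nai_realm), ("icon", p.icon_file)):
        if not value or any(ch.isspace() for ch in value):
            problems.append(f"{label}: must be a single non-empty token")
    for n in p.names:
        if len(n.operator_name) > MAX_TEXT_LEN:
            problems.append(f"name: osu-operator-name longer than {MAX_TEXT_LEN} characters")
        if len(n.description) > MAX_TEXT_LEN:
            problems.append(f"name: description longer than {MAX_TEXT_LEN} characters")
        if not LANG_CODE_RE.match(n.lang_code):
            problems.append(f"name: lang-code {n.lang_code!r} is not 2 or 3 lower-case letters")
    if p.method not in OSU_METHODS:
        problems.append(f"method: {p.method!r} is not one of {OSU_METHODS}")
    if len(p.nai_realm) > MAX_TEXT_LEN:
        problems.append(f"nai-realm: longer than {MAX_TEXT_LEN} characters")
    if len(p.icon_file) > MAX_ICON_FILE_LEN:
        problems.append(f"icon: file-name longer than {MAX_ICON_FILE_LEN} characters")
    return problems


def render_osu_provider(p: OsuProvider) -> list:
    """Render the definition as the ordered CLI lines of steps 3 to 9, refusing invalid input."""
    problems = validate_osu_provider(p)
    if problems:
        raise ValueError("; ".join(problems))
    lines = [
        "configure terminal",
        f"wireless hotspot anqp-server {p.anqp_server}",
        f" osu-provider {p.provider_name}",
    ]
    for n in p.names:
        lines.append(f"  name {n.operator_name} {n.lang_code} {n.description}")
    lines += [
        f"  server-uri {p.server_uri}",
        f"  method {p.method}",
        f"  nai-realm {p.nai_realm}",
        f"  icon {p.icon_file}",
    ]
    return lines


# Constructed sample that mirrors the values used in the guide's examples
GUIDE_EXAMPLE = OsuProvider(
    anqp_server="my_server", provider_name="my-osu",
    names=(OsuFriendlyName("xyz-oper", "eng", "xyz-operator"),),
    server_uri="cisco.com", method="oma-dm", nai_realm="cisco.com", icon_file="xyz.jpeg",
)

if __name__ == "__main__":
    print("\n".join(render_osu_provider(GUIDE_EXAMPLE)))
```

Running the block prints the nine lines that steps 1 to 9 enter by hand; feeding a definition with an upper-case language code or an over-long operator name raises ValueError with every violated limit listed, which is the point at which to fix the input rather than discovering a rejected command half-way through a change window.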

Configuring Hotspot 2.0 WLAN

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wlan wlan-name wlan-id ssid
Example:
Device(config)# wlan hs2 1 hs2
Purpose: Configures a WLAN and enters WLAN configuration mode.

Step 3
Command or Action: security wpa wpa2 gtk-randomize
Example:
Device(config-wlan)# security wpa wpa2 gtk-randomize
Purpose: Configures random GTK for hole 196 mitigation. Hole 196 is the name of a WPA2 vulnerability.

Step 4
Command or Action: no shutdown
Example:
Device(config-wlan)# no shutdown
Purpose: Enables the WLAN.

Configuring an Online Subscription with Encryption WLAN
Online subscription with Encryption (OSEN) WLAN is used to onboard a Hotspot 2.0 network (to get the necessary credentials) in a secure manner.

Note You cannot apply a policy profile to the OSEN WLAN if a Hotspot 2.0 server is enabled on the WLAN.

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wlan wlan-name wlan-id ssid
Example:
Device(config)# wlan hs2 1 hs2
Purpose: Configures a WLAN and enters WLAN configuration mode.

Step 3
Command or Action: security wpa osen
Example:
Device(config-wlan)# security wpa osen
Purpose: Enables WPA OSEN security support.
Note OSEN and robust security network (RSN) are mutually exclusive. If RSN is enabled on a WLAN, OSEN cannot be enabled on the same WLAN.

Step 4
Command or Action: no shutdown
Example:
Device(config-wlan)# no shutdown
Purpose: Enables the WLAN.


Attaching an ANQP Server to a Policy Profile

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wireless profile policy policy-profile-name ssid
Example:
Device(config)# wireless profile policy policy-hotspot
Purpose: Configures a policy profile.

Step 3
Command or Action: shutdown
Example:
Device(config-wireless-policy)# shutdown
Purpose: Disables the policy profile.

Step 4
Command or Action: hotspot anqp-server server-name
Example:
Device(config-wireless-policy)# hotspot anqp-server my-server
Purpose: Attaches the Hotspot 2.0 ANQP server to the policy profile.

Step 5
Command or Action: no shutdown
Example:
Device(config-wireless-policy)# no shutdown
Purpose: Enables the policy profile.

What to do next
Attach the policy profile to the WLAN to make the WLAN Hotspot 2.0 enabled.

Configuring Interworking for Hotspot 2.0

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wireless hotspot anqp-server server-name
Example:
Device(config)# wireless hotspot anqp-server my_server
Purpose: Configures a Hotspot 2.0 ANQP server.

Step 3
Command or Action: network-type allowed network-type internet-access {allowed|forbidden}
Example:
Device(config-wireless-anqp-server)# network-type guest-private internet-access allowed
Purpose: Configures an 802.11u network type.

Step 4
Command or Action: hessid HESSID-value
Example:
Device(config-wireless-anqp-server)# hessid 12.13.14
Purpose: (Optional) Configures a homogenous extended service set.

Step 5
Command or Action: group venue-group venue-type
Example:
Device(config-wireless-anqp-server)# group business bank
Purpose: Selects a group type and venue type from the list of available options.

Configuring the Generic Advertisement Service Rate Limit

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: ap profile profile-name
Example:
Device(config)# ap profile hs2-profile
Purpose: Configures an AP profile and enters AP profile configuration mode.

Step 3
Command or Action: gas-ap-rate-limit request-number interval
Example:
Device(config-ap-profile)# gas-ap-rate-limit 20 120
Purpose: Configures the number of Generic Advertisement Services (GAS) request action frames sent to the controller by an AP in a given interval.

Step 4
Command or Action: exit
Example:
Device(config-ap-profile)# exit
Purpose: Returns to global configuration mode.

Step 5
Command or Action: wireless hotspot gas-rate-limit gas-requests-to-process
Example:
Device(config)# wireless hotspot gas-rate-limit 100
Purpose: Configures the number of GAS request action frames to be processed by the controller.


Configuring Global Settings
Procedure

Step 1 Choose Configuration > Wireless > Hotspot/OpenRoaming > Global Settings.
Step 2 In the Gas Rate Limit (Requests per sec) field, enter the number of GAS request action frames to be processed by the controller.
Step 3 Go to the Icons Configuration area.
Step 4 Click Add.
The Add Global Icon window is displayed.
Step 5 From the System Path drop-down list, choose the path.
Step 6 In the Icon Name field, enter the icon name.
Step 7 In the Icon Type field, enter the icon type.
Step 8 In the Language Code field, enter the language code.
Step 9 In the Icon Height field, enter the icon height.
Step 10 In the Icon Width field, enter the icon width.
Step 11 Click Apply to Device.

Configuring Advice of Charge
Use the following procedure to configure the advice of charge information for using the SSID of the Network Access Identifier (NAI) realm.

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wireless hotspot anqp-server server-name
Example:
Device(config)# wireless hotspot anqp-server my_server
Purpose: Configures a Hotspot 2.0 ANQP server.

Step 3
Command or Action: advice-charge type
Example:
Device(config-wireless-anqp-server)# advice-charge data
Purpose: Configures advice of charge for data usage. Advice of charge provides information on the financial charges for using the SSID of the NAI realm.

Step 4
Command or Action: plan language currency info plan-info-file
Example:
Device(config-anqp-advice-charge)# plan eng eur info bootflash:plan_eng.xml
Purpose: Configures advice of charge information, which includes language, currency, and plan information.
Note You can configure up to 32 plans.

Step 5
Command or Action: nai-realm nai-realm
Example:
Device(config-anqp-advice-charge)# nai-realm cisco
Purpose: Configures the NAI realm for this advice of charge.
Note You can configure up to 32 realms.

Configuring Terms and Conditions

Before you begin
Define a URL filter list, as shown in the following example:
urlfilter list <url-filter-name>
 action permit
 filter-type post-authentication
 url <allow-url>
For information on configuring a URL filter list, see the Defining URL Filter List section.

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wireless hotspot anqp-server server-name
Example:
Device(config)# wireless hotspot anqp-server my_server
Purpose: Configures a Hotspot 2.0 ANQP server.

Step 3
Command or Action: terms-conditions filename file-name
Example:
Device(config-wireless-anqp-server)# terms-conditions filename xyz-file
Purpose: Configures the terms and conditions filename for the clients.

Step 4
Command or Action: terms-conditions timestamp date time
Example:
Device(config-wireless-anqp-server)# terms-conditions timestamp 2020-02-20 20:20:20
Purpose: Configures the terms and conditions timestamp.

Step 5
Command or Action: terms-conditions urlfilter list url-filter-list
Example:
Device(config-wireless-anqp-server)# terms-conditions urlfilter list filter-yy
Purpose: Configures the terms and conditions URL filter list name.

Defining ACL and URL Filter in AP for FlexConnect

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: sequence-number permit udp any eq bootpc any eq bootps
Example:
Device(config-ext-nacl)# 10 permit udp any eq bootpc any eq bootps
Purpose: Defines an extended UDP access list and sets the access conditions to match only the packets on a given port number of bootstrap protocol (BOOTP) clients from any source host to match only the packets on a given port number of the bootstrap protocol (BOOTP) server of a destination host.

Step 3
Command or Action: sequence-number permit udp any eq bootps any eq bootpc
Example:
Device(config-ext-nacl)# 20 permit udp any eq bootps any eq bootpc
Purpose: Defines an extended UDP access list to forward packets and sets the access conditions to match only the packets on a given port number of the bootstrap protocol (BOOTP) server from any source host to match only the packets of a given port number of the bootstrap protocol (BOOTP) clients of a destination host.

Step 4
Command or Action: sequence-number permit udp any eq domain any eq domain
Example:
Device(config-ext-nacl)# 30 permit udp any eq domain any eq domain
Purpose: Defines an extended UDP access list to forward packets and sets the access conditions to match a destination host Domain Name Service (DNS) with only the packets from a given port number of the source DNS.

Step 5
Command or Action: sequence-number permit ip any host dest-address
Example:
Device(config-ext-nacl)# 40 permit ip any host 10.10.10.8
Purpose: Defines an extended IP access list to forward packets from a source host to a single destination host.

Step 6
Command or Action: sequence-number permit ip host dest-address any
Example:
Device(config-ext-nacl)# 50 permit ip host 10.10.10.8 any
Purpose: Defines an extended IP access list to forward packets from a single source host to a destination host.

Step 7
Command or Action: exit
Example:
Device(config-ext-nacl)# exit
Purpose: Returns to global configuration mode.

Step 8
Command or Action: wireless profile flex flex-profile-name
Example:
Device(config)# wireless profile flex test-flex-profile
Purpose: Configures a new FlexConnect policy and enters wireless flex profile configuration mode.

Step 9
Command or Action: acl-policy acl-policy-name
Example:
Device(config-wireless-flex-profile)# acl-policy acl_name
Purpose: Configures an ACL policy.

Step 10
Command or Action: urlfilter list url-filter-name
Example:
Device(config-wireless-flex-profile)# urlfilter list urllist_flex
Purpose: Applies the URL filter list to the FlexConnect profile. Ensure that the filter-type post-authentication configuration is in place for the URL filter to work. For information on configuring a URL filter list, see the Defining URL Filter List section of the DNS-Based Access Control Lists chapter.

Step 11
Command or Action: vlan-name prod-vlanID
Example:
Device(config-wireless-flex-profile)# vlan-name test-vlan
Purpose: Configures a production VLAN.

Step 12
Command or Action: vlan-id prod-vlanID
Example:
Device(config-wireless-flex-profile-vlan)# vlan-id 10
Purpose: Creates a new production VLAN ID.

Step 13
Command or Action: vlan-name OSU-vlanID
Example:
vlan-name test-vlan
Purpose: Configures an OSU VLAN.

Step 14
Command or Action: vlan-id OSU-vlanID
Example:
vlan-id 20
Purpose: Creates an OSU VLAN ID.
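The five access-list entries in steps 2 to 6 are the traffic a FlexConnect AP lets through before the client is authorized, so it is worth checking exactly which packets they admit. The following added example, not from this guide or from Cisco, models IOS extended-ACL first-match evaluation with the implicit deny at the end and runs the guide's five entries against constructed packets. It assumes the list was created with ip access-list extended, which the Device(config-ext-nacl)# prompt in the procedure implies but the steps do not show; the AclEntry and Packet types and the sample addresses are the example's own. One thing the run makes visible: entry 30 matches DNS only when both source and destination port are 53, so a client query sent from an ephemeral source port falls through to entries 40 and 50 and is permitted only when the resolver is the host named there.

```python
from dataclasses import dataclass
from typing import Optional

# UDP port names used in the guide's ACL entries (IANA well-known ports)
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53}


@dataclass(frozen=True)
class AclEntry:
    seq: int
    action: str             # permit | deny
    proto: str              # ip | udp | tcp
    src: str                # "any" or a host address
    src_port: Optional[int]
    dst: str
    dst_port: Optional[int]


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    src_port: Optional[int]
    dst: str
    dst_port: Optional[int]


def parse_ace(line: str) -> AclEntry:
    """Parse the subset of IOS XE extended-ACL syntax used in the guide:
    '<seq> permit udp any eq bootpc any eq bootps' or '<seq> permit ip any host 10.10.10.8'."""
    tok = line.split()
    seq, action, proto = int(tok[0]), tok[1], tok[2]
    pos = 3

    def address():
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return "any"
        if tok[pos] == "host":
            pos += 2
            return tok[pos - 1]
        raise ValueError(f"unsupported address form at {tok[pos]!r}")

    def port():
        nonlocal pos
        if pos < len(tok) and tok[pos] == "eq":
            name = tok[pos + 1]
            pos += 2
            return PORT_NAMES[name] if name in PORT_NAMES else int(name)
        return None

    src, src_port = address(), port()
    dst, dst_port = address(), port()
    return AclEntry(seq, action, proto, src, src_port, dst, dst_port)


def evaluate(acl, pkt: Packet):
    """First matching entry in sequence order decides; no match is the implicit deny."""
    for e in sorted(acl, key=lambda e: e.seq):
        if e.proto != "ip" and e.proto != pkt.proto:   # 'ip' entries match every protocol
            continue
        if e.src != "any" and e.src != pkt.src:
            continue
        if e.dst != "any" and e.dst != pkt.dst:
            continue
        if e.src_port is not None and e.src_port != pkt.src_port:
            continue
        if e.dst_port is not None and e.dst_port != pkt.dst_port:
            continue
        return e.action, e.seq
    return "deny", None


# The five entries from the guide's procedure (steps 2 to 6)
GUIDE_ACL = [parse_ace(l) for l in (
    "10 permit udp any eq bootpc any eq bootps",
    "20 permit udp any eq bootps any eq bootpc",
    "30 permit udp any eq domain any eq domain",
    "40 permit ip any host 10.10.10.8",
    "50 permit ip host 10.10.10.8 any",
)]

if __name__ == "__main__":
    # Constructed packets: DHCP discover, DNS query from an ephemeral port, HTTPS to 10.10.10.8
    for p in (Packet("udp", "0.0.0.0", 68, "255.255.255.255", 67),
              Packet("udp", "10.1.1.50", 51000, "10.1.1.1", 53),
              Packet("tcp", "10.1.1.50", 51001, "10.10.10.8", 443)):
        print(p, "->", evaluate(GUIDE_ACL, p))
```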


Configuring an OSEN WLAN (Single SSID)

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wlan wlan-name wlan-id ssid
Example:
Device(config)# wlan hs2 1 hs2
Purpose: Configures a WLAN and enters WLAN configuration mode.

Step 3
Command or Action: no security ft over-the-ds
Example:
Device(config-wlan)# no security ft over-the-ds
Purpose: Disables fast transition over the distribution system (over-the-DS) on the WLAN.

Step 4
Command or Action: no security ft adaptive
Example:
Device(config-wlan)# no security ft adaptive
Purpose: Disables adaptive 11r.

Step 5
Command or Action: security wpa wpa2
Example:
Device(config-wlan)# security wpa wpa2
Purpose: Enables WPA2 security.

Step 6
Command or Action: security wpa wpa2 ciphers aes
Example:
Device(config-wlan)# security wpa wpa2 ciphers aes
Purpose: Enables WPA2 ciphers for AES.

Step 7
Command or Action: security wpa osen
Example:
Device(config-wlan)# security wpa osen
Purpose: Enables WPA OSEN security support.

Step 8
Command or Action: no shutdown
Example:
Device(config-wlan)# no shutdown
Purpose: Enables the WLAN.

Step 9
Command or Action: exit
Example:
Device(config-wlan)# exit
Purpose: Returns to global configuration mode.

Step 10
Command or Action: wireless profile policy policy-profile-name ssid
Example:
Device(config)# wireless profile policy policy-hotspot
Purpose: Configures a policy profile.

Step 11
Command or Action: hotspot anqp-server server-name
Example:
Device(config-wireless-policy)# hotspot anqp-server my-server
Purpose: Attaches the Hotspot 2.0 ANQP server to the policy profile.

Step 12
Command or Action: vlan vlan encryption osen
Example:
Device(config-wireless-policy)# vlan 10 encryption osen
Purpose: Configures the VLAN ID with OSEN encryption for single SSID.

Verifying Hotspot 2.0 Configuration

Use the following show commands to verify the quality of service (QoS) and AP GAS rate limit.

To view whether a QoS map ID is user configured or the default one, use the following command:

Device# show ap profile <profile name> detailed
QoS Map                                       : user-configured

To view the QoS map values used and their source, use the following command:

Device# show ap profile <profile name> qos-map
QoS Map                                       : default

DSCP ranges to User Priorities
User Priority  DSCP low  DSCP high  Upstream UP to DSCP
-----------------------------------------------------------
0              0         7          0
2              16        23         10
3              24        31         18
4              32        39         26
5              40        47         34
6              48        55         46
7              56        63         48

DSCP to UP mapping exceptions
DSCP  User Priority
---------------------
0     0
2     1
4     1
6     1
10    2
12    2
14    2
18    3
20    3
22    3

To view the AP rate limiter configuration, use the following command:

Device# show ap name AP0462.73e8.f2c0 config general | i GAS
GAS rate limit Admin status          : Enabled
Number of GAS request per interval   : 30
GAS rate limit interval (msec)       : 100

Verifying Client Details

To verify the wireless-specific configuration of active clients based on their MAC address, use the following command:

Device# show wireless client mac 001e.f64c.1eff detail
.
.
.
Hotspot version : Hotspot 2.0 Release 2
Hotspot PPS MO ID :
Hotspot Terms and Conditions URL : http://host1.ciscohotspot.com/terms.php?addr=b8:27:eb:5a:dc:39&ap=123
.
.
.
Policy Type : OSEN (within RSN)
Resultant Policies:
VLAN Name : VLAN0010
VLAN : 10

CHAPTER 180
User Defined Network
· Information About User Defined Network, on page 1811
· Restrictions for User Defined Network, on page 1813
· Configuring a User Defined Network, on page 1813
· Configuring a User Defined Network (GUI), on page 1814
· Verifying User Defined Network Configuration, on page 1815

Information About User Defined Network
A user defined network (UDN) is a solution that is aimed at providing secure and remote on-boarding of devices in shared service environments like dormitory rooms, resident halls, class rooms and auditoriums. This solution allows users to securely use Simple Discovery Protocols (SDP) like Apple Bonjour and mDNS-based protocols (Air Play, Air Print, Screen Cast, Print, and so on), and UPnP based protocols to interact and share information with only their registered devices in a shared environment. It also enables the users to share their devices and resources with friends and roommates securely.
The UDN solution provides an easy way to create a virtual segment that allows users to create a private segment to add their devices. Traffic (unicast, non-Layer 3 multicast, or broadcast) to these devices can be seen only by other devices and users in the private segment. This feature also eliminates the security concern where users knowingly or unknowingly take control of devices that belong to other users in a shared environment.
As of now, the UDN is supported only in local mode.

Figure 52: User Defined Network Topology

User Defined Network Solution Workflow
· User Defined Network is enabled on the controller, using policy profile, and the policy configuration is pushed to all the WLANs on a site.
· User Defined Network association is automatically generated by the UDN cloud service and is inherited by all the devices belonging to a user.
· Users can add or modify devices to the User Defined Network assigned to them by using a web portal or a mobile application. Users can also add devices to another User Defined Network, if they are invited to join that User Defined Network.
· The controller is updated with the client or resource information assigned to the User Defined Network.

Note Cisco Identity Services Engine (ISE) policy infrastructure is not used to update User Defined Network information. Whenever there is a change in the User Defined Network, the ISE updates the controller with an explicit or a separate Change of Authorization (CoA) containing only the change of the User Defined Network ID.

Restrictions for User Defined Network
· A user can be associated to only one UDN.
· Roaming across controllers is not supported.
· This feature is not applicable for Cisco Mobility Express and Cisco AireOS platforms. Hence, IRCM is not supported.
· This feature is supported only in local mode on the Wave 2 access points and Cisco Catalyst 9100 series access points.
· This feature is supported only for centrally switched SSIDs.
· This feature is not supported for Flex mode APs.
· This feature is not supported for Fabric SSIDs.
· This feature is not supported for Guest Anchor scenario.
· Layer 2 and Layer 3 roaming is not supported.
· Layer 3 multicast (except SSDP/UPnP) containment using UDN is not supported; L3 multicast will continue to work as it is today.

Configuring a User Defined Network
The User Defined Network configuration is site based and is added as part of a policy profile. When applied, the policy is enforced to all the clients or devices in a network for a site, across WLANs. When enabled, the policy profile also enforces the filtering of mDNS queries based on the UDN-ID.
Before you begin
· RADIUS server should be configured for the UDN solution to work.
· Configure aaa-override in the policy profile.

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wireless profile policy profile-name
Example:
Device(config)# wireless profile policy policy-wpn
Purpose: Creates a policy profile. profile-name is the profile name of the policy profile.

Step 3
Command or Action: user-defined-network
Example:
Device(config-wireless-policy)# user-defined-network
Purpose: Enables user defined private-network.

Step 4
Command or Action: user-defined-network drop-unicast
Example:
Device(config-wireless-policy)# user-defined-network drop-unicast
Purpose: Sets action to drop unicast traffic. By default, unicast traffic is allowed across UDN.

Step 5
Command or Action: exit
Example:
Device(config-wireless-policy)# exit
Purpose: Enters global configuration mode.

Step 6
Command or Action: ap remote-lan-policy policy-name policy-name
Example:
Device(config)# ap remote-lan-policy policy-name policy-wpn
Purpose: Configures a remote LAN policy profile.

Step 7
Command or Action: user-defined-network
Example:
Device(config-remote-lan-policy)# user-defined-network
Purpose: Enables user defined private-network.

Step 8
Command or Action: user-defined-network drop-unicast
Example:
Device(config-remote-lan-policy)# user-defined-network drop-unicast
Purpose: Sets action to drop unicast traffic.
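An added model, not from this guide or from Cisco, of the containment behaviour described in Information About User Defined Network and of the drop-unicast action configured in step 4 and step 8: it decides whether a receiving client may see a frame from a sender given the policy-profile settings and both clients' UDN ids, and applies the same UDN-ID filter to an mDNS cache, which is how the guide says the mDNS gateway behaves when UDN is enabled. The Client, UdnPolicy and MdnsRecord types, the treatment of an unassigned client as udn_id None, and the representation of an invitation to another UDN as a shared_with set are the example's own assumptions; the sample clients and records are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Client:
    mac: str
    udn_id: Optional[int]      # private group id assigned via ISE/RADIUS; None = no UDN (assumption)


@dataclass(frozen=True)
class UdnPolicy:
    enabled: bool              # 'user-defined-network' in the policy profile
    drop_unicast: bool         # 'user-defined-network drop-unicast'


def receiver_sees_frame(policy: UdnPolicy, sender: Client, receiver: Client, kind: str) -> bool:
    """Return True if 'receiver' is allowed to see a frame from 'sender'.

    kind: 'unicast', 'broadcast', 'l2-multicast' (non-Layer 3) or 'l3-multicast'."""
    if not policy.enabled:
        return True
    if kind == "l3-multicast":
        return True                     # restriction: L3 multicast containment is not supported
    same_udn = sender.udn_id is not None and sender.udn_id == receiver.udn_id
    if kind == "unicast":
        # default: unicast crosses UDN boundaries; drop-unicast contains it within the UDN
        return same_udn or not policy.drop_unicast
    return same_udn                     # broadcast and non-L3 multicast stay inside the UDN


@dataclass(frozen=True)
class MdnsRecord:
    name: str                  # e.g. _ipp._tcp.local
    rdata: str                 # service instance
    udn_id: Optional[int]      # the UDN-ID field of 'show mdns-sd cache udn <id> detail'
    shared_with: frozenset = frozenset()   # UDN ids invited to this device (assumption)


def visible_mdns_records(records, querier: Client):
    """mDNS gateway filtering by UDN-ID: a querier sees the instances of its own UDN plus
    instances learnt from a UDN that was shared with it."""
    return [r for r in records
            if r.udn_id == querier.udn_id or querier.udn_id in r.shared_with]


# Constructed sample clients and cache entries (not taken from the guide's output)
ALICE = Client("aaaa.0000.0001", 7777)
CAROL = Client("cccc.0000.0003", 7777)
BOB = Client("bbbb.0000.0002", 8888)
RECORDS = [
    MdnsRecord("_ipp._tcp.local", "Room7 Printer._ipp._tcp.local", 7777),
    MdnsRecord("_airplay._tcp.local", "Room8 Speaker._airplay._tcp.local", 8888),
    MdnsRecord("_airplay._tcp.local", "Room7 TV._airplay._tcp.local", 7777, frozenset({8888})),
]

if __name__ == "__main__":
    contain = UdnPolicy(enabled=True, drop_unicast=True)
    for kind in ("unicast", "broadcast", "l3-multicast"):
        print(kind, "Alice->Bob:", receiver_sees_frame(contain, ALICE, BOB, kind),
              "Alice->Carol:", receiver_sees_frame(contain, ALICE, CAROL, kind))
    print("Bob sees:", [r.rdata for r in visible_mdns_records(RECORDS, BOB)])
```

The two policy settings map onto two distinct exposures: with user-defined-network alone, Bob's AirPlay target is hidden from Alice's discovery but Alice can still reach it by unicast if she learns its address some other way; adding drop-unicast closes that path, while Layer 3 multicast stays uncontained in both cases, as the restrictions list states.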

Configuring a User Defined Network (GUI)
Procedure

Step 1 Choose Configuration > Tags & Profiles > Policy.
Step 2 In the Policy Profile window, select a policy profile.
Step 3 In the Edit Policy Profile window, click the Advanced tab.
Step 4 In the User Defined Network section, check the Status check box to enable a user personal network.
Step 5 Check the Drop Unicast check box to set the action to Drop Unicast traffic.
By default, unicast traffic is not contained.


Verifying User Defined Network Configuration

To view the status of the UDN feature (either enabled or disabled) and also information about the drop unicast flag, use the following command:

Device# show wireless profile policy detailed default-policy-profile
User Defined (Private) Network              : Enabled
User Defined (Private) Network Unicast Drop : Enabled

To view the name of the UDN to which the client belongs, use the following command:

Device# show wireless client mac-address 00:0d:ed:dd:35:80 detailed
User Defined (Private) Network              : Enabled
User Defined (Private) Network Drop Unicast : Enabled
Private group name: upn*group*7
Private group id : 7777
Private group owner: 1
Private group name: upn*group*7
Private group id : 7777
Private group owner:

To view the UDN payload sent from an AP to the controller, use the following command:

Device# show wireless stats client detail | inc udn
Total udn payloads sent : 1

When mDNS gateway is enabled on the controller, the mDNS services are automatically filtered based on the user private network ID for all the clients on the WLANs where user private network is enabled.

To view the service instances of a private network, use the following command:

Device# show mdns-sd cache udn 7777 detail
Name: _services._dns-sd._udp.local
  Type: PTR
  TTL: 4500
  WLAN: 2
  WLAN Name: mdns-psk
  VLAN: 16
  Client MAC: f4f9.51e2.a6a6
  AP Ethernet MAC: 002a.1087.d68a
  Remaining-Time: 4486
  Site-Tag: default-site-tag
  mDNS Service Policy: madhu-mDNS-Policy
  Overriding mDNS Service Policy: NO
  UDN-ID: 7777
  UDN-Status: Enabled
  Rdata: _airplay._tcp.local
.
.
.

To view the service instances that are learnt from a shared UDN ID, use the following command:

Device# show mdns-sd cache udn shared
------------------------------------------------------------- PTR Records -----------------------------------------------------------------
RECORD-NAME                                    TTL   TYPE  ID  CLIENT-MAC      RR-RECORD-DATA
-------------------------------------------------------------------------------------------------------------------------------------------
9.1.1.7.5.D.E.F.F.F.6.C.7.E.2.1.0.0.0.0.0.0.0  4500  WLAN  2   10e7.c6d5.7119  HP10E7C6D57119-2860.local
_services._dns-sd._udp.local                   4500  WLAN  2   10e7.c6d5.7119  _ipps._tcp.local
_universal._sub._ipps._tcp.local               4500  WLAN  2   10e7.c6d5.7119  HP DeskJet 5000 series [D57119] (3127)._ipps._tcp.
_print._sub._ipps._tcp.local                   4500  WLAN  2   10e7.c6d5.7119  HP DeskJet 5000 series [D57119] (3127)._ipps._tcp.
_ePCL._sub._ipps._tcp.local                    4500  WLAN  2   10e7.c6d5.7119  HP DeskJet 5000 series [D57119] (3127)._ipps._tcp.
_ipps._tcp.local                               4500  WLAN  2   10e7.c6d5.7119  HP DeskJet 5000 series [D57119] (3127)._ipps._tcp.
_services._dns-sd._udp.local                   4500  WLAN  2   10e7.c6d5.7119  _ipp._tcp.local
_universal._sub._ipp._tcp.local                4500  WLAN  2   10e7.c6d5.7119  HP DeskJet 5000 series [D57119] (3127)._ipp._tcp.l
_print._sub._ipp._tcp.local                    4500  WLAN  2   10e7.c6d5.7119  HP DeskJet 5000 series [D57119] (3127)._ipp._tcp.l
_ePCL._sub._ipp._tcp.local                     4500  WLAN  2   10e7.c6d5.7119  HP DeskJet 5000 series [D57119] (3127)._ipp._tcp.l
_ipp._tcp.local                                4500  WLAN  2   10e7.c6d5.7119  HP DeskJet 5000 series [D57119] (3127)._ipp._tcp.l
.
.
.
------------------------------------------------------------- SRV Records -----------------------------------------------------------------
RECORD-NAME                                    TTL   TYPE  ID  CLIENT-MAC      RR-RECORD-DATA
-------------------------------------------------------------------------------------------------------------------------------------------
HP DeskJet 5000 series [D57119] (3127)._ipp._  4500  WLAN  2   10e7.c6d5.7119  0 0 631 HP10E7C6D57119-2860.local
HP DeskJet 5000 series [D57119] (3127)._http.  4500  WLAN  2   10e7.c6d5.7119  0 0 80 HP10E7C6D57119-2860.local
HP DeskJet 5000 series [D57119] (3127)._ipps.  4500  WLAN  2   10e7.c6d5.7119  0 0 631 HP10E7C6D57119-2860.local
HP DeskJet 5000 series [D57119] (3127)._uscan  4500  WLAN  2   10e7.c6d5.7119  0 0 8080 HP10E7C6D57119-2860.local
.
.
.
------------------------------------------------------------ A/AAAA Records ---------------------------------------------------------------
RECORD-NAME                                    TTL   TYPE  ID  CLIENT-MAC      RR-RECORD-DATA
-------------------------------------------------------------------------------------------------------------------------------------------
HP10E7C6D57119-2860.local                      4500  WLAN  2   10e7.c6d5.7119  8.16.16.99
------------------------------------------------------------- TXT Records -----------------------------------------------------------------
RECORD-NAME                                    TTL   TYPE  ID  CLIENT-MAC      RR-RECORD-DATA
-------------------------------------------------------------------------------------------------------------------------------------------
HP DeskJet 5000 series [D57119] (3127)._ipp._  4500  WLAN  2   10e7.c6d5.7119  [502]'txtvers=1''adminurl=http://HP10E7C6D57119-28
HP DeskJet 5000 series [D57119] (3127)._http.  4500  WLAN  2   10e7.c6d5.7119  [1]''
HP DeskJet 5000 series [D57119] (3127)._ipps.  4500  WLAN  2   10e7.c6d5.7119  [502]'txtvers=1''adminurl=http://HP10E7C6D57119-28
.
.
.

To view the multicast DNS (mDNS) Service Discovery cache detail, use the following command:

Device# show mdns-sd cache detail
Name: _printer._tcp.local
  Type: PTR
  TTL: 4500
  VLAN: 21
  Client MAC: ace2.d3bc.047e
  Remaining-Time: 4383
  mDNS Service Policy: default-mdns-service-policy
  Rdata: HP OfficeJet Pro 8720 [BC047E] (2)._printer._tcp.local


CHAPTER 181
Express Wi-Fi by Facebook
· Information About Express Wi-Fi by Facebook, on page 1819
· Restrictions for Express Wi-Fi by Facebook, on page 1820
· Enabling Express Wi-Fi by Facebook NAC for Policy Profile (GUI), on page 1820
· Enabling Accounting RADIUS Server for Flex Profile (GUI), on page 1821
· Configuring Captive Portal for Express Wi-Fi by Facebook (GUI), on page 1821
· Configuring Captive Portal for Express Wi-Fi by Facebook (CLI), on page 1821
· Configuring Express Wi-Fi by Facebook Policy on Controller (CLI), on page 1822
· Configuring RADIUS Server for Accounting and Authentication in FlexConnect Profile (CLI), on page 1824
· Verifying Express Wi-Fi by Facebook Configurations on Controller, on page 1825
· Verifying Express Wi-Fi by Facebook Configurations on the AP, on page 1825

Information About Express Wi-Fi by Facebook
Express Wi-Fi by Facebook is a cloud-based, low-cost solution for local entrepreneurs and SMBs in emerging countries to provide Wi-Fi access. Using Express Wi-Fi by Facebook, users can buy data packs and find nearby hotspots. Facebook provides the software (and sometimes hardware) infrastructure while the ISP or SMB provides internet connectivity and deployments to the subscribers. These service providers provision guest access through a captive portal. This can include both free and paid services, including paid internet access with quota enforcement.
The Express Wi-Fi by Facebook feature is enabled through a FlexConnect deployment based on the cloud-hosted Cisco Catalyst 9800 Series Wireless Controller, where the Cisco AP performs client-related functions such as web authentication, captive portal redirect, matching and accounting of traffic classes, and connection to the RADIUS server. This feature also supports FQDN (DNS ACLs) and IP ACLs as well as MAC authentication on the AP. The controller provisions the AP with the required configuration for these tasks.

Note If an AP reboots in standalone mode, the FlexConnect URL ACL is not retained. This will cause Express Wi-Fi by Facebook to stop working.

The Express Wi-Fi by Facebook solution comprises the following components:
· Cisco Catalyst 9800 Series Wireless Controller
· Cisco Aironet Wave 2 or Catalyst APs
· Facebook infrastructure

Restrictions for Express Wi-Fi by Facebook
· Express Wi-Fi by Facebook is supported only in a FlexConnect deployment with local switching, local authentication, and local association.
· Express Wi-Fi by Facebook is supported only on Cisco Aironet Wave 2 and Catalyst access points.
· Only three traffic classes are supported.
· The AP supports only three ACLs per client.
· All APs forming a roaming domain should have Layer 2 reachability.
· Up to 64 complex rules and 512 simple rules per ACL are supported, where a simple rule comprises a destination IP address and port. A complex rule contains more than a destination IP address and port information.
· Only RADIUS CoA messages with the Facebook attribute are supported on the AP.

Enabling Express Wi-Fi by Facebook NAC for Policy Profile (GUI)
Procedure

Step 1 Choose Configuration > Tags & Profiles > Policy.
Step 2 On the Policy page, click the name of the desired Policy Profile.
Step 3 In the Edit Policy Profile window, click the Advanced tab.
Step 4 In the AAA Policy section, enable the AAA Override. The AAA Override option of a WLAN enables you to configure the WLAN for identity networking. It enables you to apply VLAN tagging, Quality of Service (QoS), and Access Control Lists (ACLs) to individual clients based on the returned RADIUS attributes from the AAA server.
Step 5 Enable the NAC State check box to enable Cisco Network Admission Control (NAC).
Note You can enable NAC state only when AAA override is enabled.
Step 6 From the NAC Type drop-down list, select the type of NAC. The default is XWF.
Step 7 From the Policy Name drop-down list, choose a policy name.
Step 8 From the Accounting List drop-down list, choose an accounting list.
Step 9 Enable Interim Accounting to maintain a session with NAC.
Step 10 Click Update & Apply to Device.

Enabling Accounting RADIUS Server for Flex Profile (GUI)
Procedure

Step 1: Choose Configuration > Tags & Profiles > Flex.
Step 2: On the Flex page, click the name of the desired Flex Profile.
Step 3: In the Edit Flex Profile window, click the Local Authentication tab.
Step 4: Choose the desired server group from the Local Accounting RADIUS Server Group drop-down list.
Step 5: Check the Local Client Roaming check box.
Step 6: Click Update & Apply to Device.

Configuring Captive Portal for Express Wi-Fi by Facebook (GUI)
Procedure

Step 1: Choose Configuration > Security > Web Auth.
Step 2: On the Web Auth page, click the name of the desired parameter map.
Step 3: In the Edit Web Auth Parameter window, click the Advanced tab.
Step 4: In the Redirect to External Server section, select the Express Wi-Fi Key Type from the drop-down list.
Step 5: Enter the vendor-specific key in the Express Wi-Fi Key field.
Step 6: Click Update & Apply to Device.

Configuring Captive Portal for Express Wi-Fi by Facebook (CLI)

Before you begin
· Configure the URL filter list.
· Configure the IP ACL.

Procedure

Step 1: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: parameter-map type webauth parameter-map-name
Example: Device(config)# parameter-map type webauth FACEBOOK-MAP
Purpose: Creates a parameter map and enters parameter-map webauth configuration mode.

Step 3: type webauth
Example: Device(config-params-parameter-map)# type webauth
Purpose: Configures the webauth type parameter.

Step 4: redirect for-login url-string
Example: Device(config-params-parameter-map)# redirect for-login https://xwfcisco-us.expresswifi.com/customer/captive_portal
Purpose: Configures the URL string for redirection during login.

Step 5: captive-bypass-portal
Example: Device(config-params-parameter-map)# captive-bypass-portal
Purpose: Configures captive bypassing.

Step 6: redirect vendor-specific xwf key 0 vendor-key
Example: Device(config-params-parameter-map)# redirect vendor-specific xwf key 0 vendor-key
Purpose: Configures the vendor-specific Express Wi-Fi key used for the login redirection.

Step 7: end
Example: Device(config-params-parameter-map)# end
Purpose: Returns to privileged EXEC mode.

Configuring Express Wi-Fi by Facebook Policy on Controller (CLI)
Before you begin
· Enable web authentication and MAC filtering on the WLAN.
· Configure the RADIUS proxy server and accounting server.

Procedure

Step 1: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: wireless profile policy policy-profile-name
Example: Device(config)# wireless profile policy default-policy-profile
Purpose: Configures the wireless profile policy.

Step 3: aaa-override
Example: Device(config-wireless-policy)# aaa-override
Purpose: Configures AAA override to apply policies coming from the AAA or ISE servers.

Step 4: no central switching
Example: Device(config-wireless-policy)# no central switching
Purpose: Disables central switching and enables local switching.

Step 5: no central association
Example: Device(config-wireless-policy)# no central association
Purpose: Disables central association and enables local association for locally switched clients.

Step 6: no central authentication
Example: Device(config-wireless-policy)# no central authentication
Purpose: Disables central authentication and enables local authentication.

Step 7: nac xwf
Example: Device(config-wireless-policy)# nac xwf
Purpose: Configures NAC in the policy profile.

Step 8: vlan vlan-name
Example: Device(config-wireless-policy)# vlan 9
Purpose: Configures a VLAN name or VLAN ID.

Step 9: no shutdown
Example: Device(config-wireless-policy)# no shutdown
Purpose: Enables the policy profile.

Step 10: end
Example: Device(config)# end
Purpose: Returns to privileged EXEC mode.

Configuring RADIUS Server for Accounting and Authentication in FlexConnect Profile (CLI)

Procedure

Step 1: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: wireless profile flex flex-profile-name
Example: Device(config)# wireless profile flex default-flex-profile
Purpose: Configures the wireless flex profile and enters wireless flex profile configuration mode.

Step 3: local-auth radius-server-group group-name
Example: Device(config-wireless-flex-profile)# local-auth radius-server-group FB_GROUP
Purpose: Configures the authentication server group name.

Step 4: local-accounting radius-server-group group-name
Example: Device(config-wireless-flex-profile)# local-accounting radius-server-group group-name
Purpose: Configures the accounting server group name.

Step 5: local-roaming
Example: Device(config-wireless-flex-profile)# local-roaming
Purpose: Enables local roaming.

Step 6: acl-policy policy-name
Example: Device(config-wireless-flex-profile)# acl-policy fbs
Purpose: Configures the ACL policy.

Step 7: urlfilter list list-name
Example: Device(config-wireless-flex-profile)# urlfilter list fbs
Purpose: Applies the URL list to the Flex profile. Here, list-name refers to the URL filter list name. The list name must not exceed 32 alphanumeric characters.
Note: For a given traffic class, the list-name should match the ACL policy-name configured in the previous step.

Step 8: end
Example: Device(config-wireless-flex-profile)# end
Purpose: Returns to privileged EXEC mode.

Verifying Express Wi-Fi by Facebook Configurations on Controller
To view the ACLs applied to a specific client and the MAC addresses of the associated APs, use the following command:
Device# show wireless client mac-address 0102.0304.0506 detail
[...]
Local Roaming Client:
Client ACLs: xwf,fbs
Client State Servers: a03d.6f6b.bebe, cc16.7edc.27d8
Verifying Express Wi-Fi by Facebook Configurations on the AP
To view client state, use the following command:
Device# show flexconnect client
To view all ACLs applied to a specific client, use the following command:
Device# show client access-list {post-auth | pre-auth} all client_mac_address
Device# show client access-list post-auth all 1C:36:BB:10:1B:2C
Post-Auth URL ACLs for Client: 1C:36:BB:10:1B:2C
IPv4 ACL: xwf Fbs
IPv6 ACL:
ACTION URL-LIST
allow cisco.com
allow yahoo.com
allow google.com
allow xwf.facebook.com
allow xwf-static.xx.fbcdn.net
allow cisco-us.expresswifi.com
allow xwf-scontent.xx.fbcdn.net
allow xwfcisco-us.expresswifi.com
Resolved IPs for Client: 1C:36:BB:10:1B:2C
HIT-COUNT URL ACTION IP-LIST
xwf
rule 0: allow true and ip proto 6 and dst port 22
rule 1: allow true and ip proto 6 and src port 22
rule 2: allow true and dst 171.70.168.183 mask 255.255.255.255
rule 3: allow true and src 171.70.168.183 mask 255.255.255.255
rule 4: allow true and dst 157.240.22.50 mask 255.255.255.255
rule 5: allow true and src 157.240.22.50 mask 255.255.255.255
rule 6: allow true and src 30.1.1.155 mask 255.255.255.255 and dst 30.1.1.18 mask 255.255.255.255 and ip proto 1
rule 7: allow true and src 30.1.1.18 mask 255.255.255.255 and dst 30.1.1.155 mask 255.255.255.255 and ip proto 1
rule 8: allow true and ip proto 17
rule 9: allow true and ip proto 17
rule 10: deny all
fbs
rule 0: allow true and dst 31.13.0.0 mask 255.255.0.0
rule 1: allow true and dst 66.220.0.0 mask 255.255.0.0
rule 6: allow true and src 31.13.0.0 mask 255.255.0.0
rule 10: allow true and src 179.60.0.0 mask 255.255.0.0
rule 12: allow true and dst 171.70.168.183 mask 255.255.255.255
rule 14: allow true and ip proto 17
rule 16: deny all
No IPv6 ACL found
Device# show client access-list pre-auth all 1C:36:BB:10:1B:2C
Pre-Auth URL ACLs for Client: 1C:36:BB:10:1B:2C
IPv4 ACL: xwf
IPv6 ACL:
ACTION URL-LIST
allow cisco.com
allow yahoo.com
allow google.com
allow xwf.facebook.com
allow xwf-static.xx.fbcdn.net
allow cisco-us.expresswifi.com
allow xwf-scontent.xx.fbcdn.net
allow xwfcisco-us.expresswifi.com
Resolved IPs for Client: 1C:36:BB:10:1B:2C
HIT-COUNT URL ACTION IP-LIST
xwf
rule 0: allow true and ip proto 6 and dst port 22
rule 1: allow true and ip proto 6 and src port 22
rule 2: allow true and dst 171.70.168.183 mask 255.255.255.255
rule 3: allow true and src 171.70.168.183 mask 255.255.255.255
rule 4: allow true and dst 157.240.22.50 mask 255.255.255.255
rule 5: allow true and src 157.240.22.50 mask 255.255.255.255
rule 6: allow true and src 30.1.1.155 mask 255.255.255.255 and dst 30.1.1.18 mask 255.255.255.255 and ip proto 1
rule 7: allow true and src 30.1.1.18 mask 255.255.255.255 and dst 30.1.1.155 mask 255.255.255.255 and ip proto 1
rule 8: allow true and ip proto 17
rule 9: allow true and ip proto 17
rule 10: deny all
No IPv6 ACL found
Redirect URL for client: 1C:36:BB:10:1B:2C https://xwfcisco-us.expresswifi.com/customer/captive_portal
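The resolved ACL output above can be checked mechanically against the restrictions listed earlier in this section (three ACLs per client, 64 complex and 512 simple rules per ACL). The following Python script is an added example, not part of the Cisco guide; it parses a constructed, one-rule-per-line rendering of the post-auth output shown above, classifies each rule, and reports limit violations and any ACL whose last rule is not deny all. Treating any predicate other than a destination address or destination port as complex is this example's reading of the guide's definition, not a statement from the guide.

```python
import re
from dataclasses import dataclass

# Limits quoted from "Restrictions for Express Wi-Fi by Facebook" in this guide.
MAX_ACLS_PER_CLIENT = 3
MAX_COMPLEX_RULES = 64
MAX_SIMPLE_RULES = 512

# The guide calls a rule "simple" when it carries only a destination address and port.
# This example's reading (an assumption): a predicate is simple only if it is a dst
# address/mask or a dst port; src, ip proto and "deny all" rules count as complex.
SIMPLE_PREDICATE = re.compile(r"^dst (?:port \d+|\S+ mask \S+)$")


@dataclass
class Rule:
    index: int
    action: str       # "allow" or "deny"
    predicates: list  # e.g. ["ip proto 6", "dst port 22"] or ["all"]

    def is_simple(self) -> bool:
        return all(SIMPLE_PREDICATE.match(p) for p in self.predicates)


def _parse_rule(index: int, text: str) -> Rule:
    action, _, rest = text.strip().partition(" ")
    if rest.startswith("true and "):   # every resolved rule starts "true and"
        rest = rest[len("true and "):]
    return Rule(index, action, [p.strip() for p in rest.split(" and ")])


def parse_access_list(output: str) -> dict:
    """Parse 'show client access-list ... all <mac>' output into {acl_name: [Rule, ...]}."""
    body = output.split("Resolved IPs for Client", 1)[-1]        # resolved-IP section only
    body = re.split(r"No IPv6 ACL found|Redirect URL", body)[0]  # drop the trailer
    body = " ".join(body.split())                                # tolerate wrapped lines
    parts = re.split(r"\brule (\d+):\s*", body)                  # [prefix, idx, text, ...]
    acls, current = {}, None
    for idx, text in zip(parts[1::2], parts[2::2]):
        index = int(idx)
        if index == 0:
            # The ACL name is the word just before "rule 0:"; from the second ACL on
            # that word trails the previous ACL's last rule, so move it out of there.
            if current is None:
                name = (parts[0].split() or ["?"])[-1]
            else:
                last = current[-1]
                *keep, name = last.predicates[-1].split()
                last.predicates[-1] = " ".join(keep)
            current = acls.setdefault(name, [])
        current.append(_parse_rule(index, text))
    return acls


def audit(output: str) -> list:
    """Check one client's ACLs against the AP limits; an empty list means all checks passed."""
    findings = []
    m = re.search(r"IPv4 ACL:\s*(.*?)\s*IPv6 ACL:", " ".join(output.split()))
    names = m.group(1).lower().split() if m else []   # the AP prints "Fbs" for "fbs"
    if len(names) > MAX_ACLS_PER_CLIENT:
        findings.append(f"client has {len(names)} IPv4 ACLs; the AP supports {MAX_ACLS_PER_CLIENT}")
    for name, rules in parse_access_list(output).items():
        simple = sum(r.is_simple() for r in rules)
        complex_ = len(rules) - simple
        if simple > MAX_SIMPLE_RULES:
            findings.append(f"{name}: {simple} simple rules exceed {MAX_SIMPLE_RULES}")
        if complex_ > MAX_COMPLEX_RULES:
            findings.append(f"{name}: {complex_} complex rules exceed {MAX_COMPLEX_RULES}")
        last = rules[-1]
        if not (last.action == "deny" and last.predicates == ["all"]):
            findings.append(f"{name}: last rule is not 'deny all'")
    return findings


# Constructed sample: the post-auth output shown in this section, one rule per line.
SAMPLE_POST_AUTH = """\
Post-Auth URL ACLs for Client: 1C:36:BB:10:1B:2C
IPv4 ACL: xwf Fbs
IPv6 ACL:
Resolved IPs for Client: 1C:36:BB:10:1B:2C
HIT-COUNT URL ACTION IP-LIST
xwf
rule 0: allow true and ip proto 6 and dst port 22
rule 1: allow true and ip proto 6 and src port 22
rule 2: allow true and dst 171.70.168.183 mask 255.255.255.255
rule 3: allow true and src 171.70.168.183 mask 255.255.255.255
rule 4: allow true and dst 157.240.22.50 mask 255.255.255.255
rule 5: allow true and src 157.240.22.50 mask 255.255.255.255
rule 6: allow true and src 30.1.1.155 mask 255.255.255.255 and dst 30.1.1.18 mask 255.255.255.255 and ip proto 1
rule 7: allow true and src 30.1.1.18 mask 255.255.255.255 and dst 30.1.1.155 mask 255.255.255.255 and ip proto 1
rule 8: allow true and ip proto 17
rule 9: allow true and ip proto 17
rule 10: deny all
fbs
rule 0: allow true and dst 31.13.0.0 mask 255.255.0.0
rule 1: allow true and dst 66.220.0.0 mask 255.255.0.0
rule 6: allow true and src 31.13.0.0 mask 255.255.0.0
rule 10: allow true and src 179.60.0.0 mask 255.255.0.0
rule 12: allow true and dst 171.70.168.183 mask 255.255.255.255
rule 14: allow true and ip proto 17
rule 16: deny all
No IPv6 ACL found
"""
```

`audit(SAMPLE_POST_AUTH)` returns an empty list for the guide's sample; the parser also accepts the flattened single-line form because it normalizes whitespace before splitting on the rule labels.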
To view the authentication server details applied to a specific client, use the following command, where wlan_id ranges from 1 to 15:
Device# show running-config authentication dot11radio {0 | 1} wlan wlan_id
Device# show running-config authentication dot11radio 1 wlan 1
bssid=00:a7:42:f6:4a:8e
ssid=aa_namsoo_webauth
beacon_period=100
auth=LOCAL
AP_OPER_MODE=CONNECTED
AP_OPER_MODE from WPA=CONNECTED
AUTH_SERVER[0]=30.1.1.18
AUTH_SERVER_PORT[0]=2812
ACCT_SERVER[0]=30.1.1.18
ACCT_SERVER_PORT[0]=2813
AUTH_SERVER[0]=30.1.1.18
AUTH_SERVER_PORT[0]=2812
ACCT_SERVER[0]=30.1.1.18
ACCT_SERVER_PORT[0]=2813

To view client accounting details, use the following command:
Device# show controller dot11Radio {0|1} client client_mac_address
To view the captive portal redirect URL for a specific client, use the following command:
Device# show client access-list pre-auth redirect-url 1C:36:BB:10:1B:2C
Redirect URL for client: 1C:36:BB:10:1B:2C https://xwfcisco-us.expresswifi.com/customer/captive_portal
To view DCDS (distributed client datastore) or roaming configuration details for an associated client, use the following command:
Device# show dot11 clients data-store details client_mac_address
Device# show dot11 clients data-store details 1C:36:BB:10:1B:2C
First AP Name: APF8B7.E2CC.5D48
Current AP Name: APF8B7.E2CC.5D48
Current AP IP: 30.1.1.169
Current AP BSSID: f8:b7:e2:cd:cb:8e
Current AP SSID: aa_namsoo_webauth
Client VLAN: 1
Client State: 4
Audit Session ID: 3204365612
Accounting Session ID High: 0
Accounting Session ID Low: 0
Client Traffic Class Name: xwf
Client Traffic Class Name: fbs


Chapter 182

Aironet Extensions IE (CCX IE)

· Information About Aironet Extensions Information Element, on page 1829
· Configuring Aironet Extensions IE (GUI), on page 1829
· Configuring Aironet Extensions IE (CLI), on page 1829
· Verifying the Addition of AP Name, on page 1830
Information About Aironet Extensions Information Element
The Cisco Aironet Extensions Information Element (IE) is an attribute used by Cisco devices for better connectivity. It contains information such as the AP name, device type, radio type, AP load, and the number of associated clients, in the beacon and probe responses of the WLAN. The Cisco Client Extensions use this information to associate with the best AP.
The Aironet Extensions IE configuration is disabled by default. With this feature, you can advertise the AP name alone, without enabling the whole IE extension: only the AP name is inserted.

Configuring Aironet Extensions IE (GUI)
Procedure

Step 1: Choose Configuration > Tags & Profiles > WLANs.
Step 2: In the WLANs window, click Add.
Step 3: In the Add WLAN window, under the Advanced tab, check the Aironet IE check box to enable Aironet IE on the WLAN.
Step 4: Click Apply to Device.

Configuring Aironet Extensions IE (CLI)
Perform this procedure to create a WLAN and enable the Aironet Extensions IE feature on the WLAN:

Note For more information about the open configuration models, refer to the Programmability Configuration Guide, Cisco IOS XE Amsterdam 17.1.x.

Procedure

Step 1: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: wlan profile-name wlan-id [ssid]
Example: Device(config)# wlan mywlan 34 mywlan-ssid
Purpose: Specifies the WLAN name and ID:
· profile-name: Profile name. The range is from 1 to 32 alphanumeric characters.
· wlan-id: WLAN ID. The range is from 1 to 512.
· ssid: Service Set Identifier (SSID) for this WLAN. If the SSID is not specified, the WLAN profile name is set as the SSID.
Note: By default, the WLAN is disabled.

Step 3: [no] ccx aironet-iesupport
Example: Device(config-wlan)# ccx aironet-iesupport
Purpose: Configures the Cisco Client Extensions option and sets the support of Aironet IE on the WLAN. (Use the no form of this command to disable the configuration.)

What to do next
1. Create a policy tag. For more information about creating policy tags, refer to Configuring a Policy Tag (CLI).
2. Map the policy tag to the AP. For more information about mapping a policy tag to the AP, refer to Attaching a Policy Tag and Site Tag to an AP (CLI).

Verifying the Addition of AP Name

The following example shows how to verify the addition of the AP Name (using Open Configuration) in the beacon without enabling IE:

Device# show wlan id 1

WLAN Profile Name                            : wlan-test
================================================
Identifier                                   : 1
Description                                  :
Network Name (SSID)                          : wlan2
Status                                       : Disabled
Broadcast SSID                               : Enabled
Advertise-Apname                             : Enabled
Universal AP Admin                           : Disabled
Max Associated Clients per WLAN              : 0
Max Associated Clients per AP per WLAN       : 0
Max Associated Clients per AP Radio per WLAN : 200
OKC                                          : Enabled
Number of Active Clients                     : 0
CHD per WLAN                                 : Enabled
WMM                                          : Allowed
Channel Scan Defer Priority:
  Priority (default)                         : 5
  Priority (default)                         : 6
Scan Defer Time (msecs)                      : 100
Media Stream Multicast-direct                : Disabled
CCX - AironetIe Support                      : Disabled
Peer-to-Peer Blocking Action                 : Disabled


Chapter 183
BSSID Counters
· BSSID Counters, on page 1833 · Enabling BSSID Statistics and BSSID Neighbor Statistics, on page 1833 · Verifying BSSID Statistics on the Controller, on page 1834
BSSID Counters
This feature helps to retrieve the BSSID statistics when a client is associated with a WLAN for every configured interval. A new configuration is introduced in the controller per AP profile to enable or disable BSSID statistics on the access points. The feature is disabled by default.

Note BSSID counter is not supported on the Cisco Aironet 1800 series APs and Cisco Catalyst 9100 series APs.

Enabling BSSID Statistics and BSSID Neighbor Statistics

Procedure

Step 1: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: ap profile ap-profile-name
Example: Device(config)# ap profile ap-profile-name
Purpose: Enters the AP profile configuration submode. ap-profile-name is the profile name of the configured AP.

Step 3: [no] bssid-stats
Example: Device(config-ap-profile)# [no] bssid-stats
Purpose: Enables BSSID statistics. Use the no form of the command to disable the feature.

Step 4: bssid-stats bssid-stats-frequency bssid-timer-seconds
Example: Device(config-ap-profile)# bssid-stats bssid-stats-frequency 40
Purpose: Sets the BSSID statistics frequency timer. The BSSID statistics frequency timer is in the range of 1 to 180 seconds.

Step 5: [no] bssid-neighbor-stats
Example: Device(config-ap-profile)# [no] bssid-neighbor-stats
Purpose: Enables BSSID neighbor statistics. Use the no form of the command to disable the feature.

Step 6: [no] bssid-neighbor-stats interval bssid-interval
Example: Device(config-ap-profile)# [no] bssid-neighbor-stats interval 50
Purpose: Sets the interval at which BSSID neighbor statistics are sent from the AP. The BSSID neighbor statistics interval is in the range of 1 to 180 seconds.

Verifying BSSID Statistics on the Controller

To verify the BSSID statistics on the controller, use the following command:

· show wireless stats ap name ap-name dot11 24ghz slot 0 wlan-id <wlan-id> statistics

Device# show wireless stats ap name APXXXX.6DXX.58XX dot11 24ghz slot 0 wlan-id 18 stat

BSSID        : 7069.5a38.112e
WLAN ID      : 18
Client Count : 1

TX Statistics
-------------------------------------------------------------------------------
Mgmt  Retries  Data Bytes  Data Retries  Subframe Retries
-------------------------------------------------------------------------------
12    18       16081       18            0

RX Statistics
-------------------------------------------------------------------------------
Mgmt  Data Bytes
-------------------------------------------------------------------------------
74    17693

Data Distribution
-------------------------------------------------------------------------------
Bytes           RX   TX
-------------------------------------------------------------------------------
0-64            55   93
65-128          66   40
129-256         21   5
257-512         10   3
513-1024        1    9
1025-2048       0    1
2049-4096       0    0
4097-8192       0    0
8193-16384      0    0
16385-32768     0    0
32769-65536     0    0
65537-131072    0    0
131073-262144   0    0
262145-524288   0    0
524289-1048576  0    0

WMM Statistics
-------------------------------------------------------------------------------
             RX    TX
-------------------------------------------------------------------------------
Voice        0     43
Video        0     0
Best Effort  154   39
Background   0     0

MCS
-------------------------------------------------------------------------------
MCS    RX     TX
-------------------------------------------------------------------------------
mcs0   39     0
mcs1   2      0
mcs2   5      0
mcs3   7      0
mcs4   25     0
mcs5   59     0
mcs6   290    0
mcs7   1148   3
mcs8   2288   0
mcs9   4440   2

· show ap name ap_name neighbor summary

Device# show ap name APXXXX.6DXX.59XX neighbor summary

BSSID           Channel  Channel-width  Slot  SSID              RSSI  Last-Heard           Neighbour
---------------------------------------------------------------------------------------------------
0008.2f1c.8040  1        20 Mhz         0     aprusty-un-dot1x  -39   03/17/2020 18:25:14  FALSE
0008.2f1c.8041  1        20 Mhz         0     aprusty-sim-11    -39   03/17/2020 18:25:14  FALSE
0008.2f1c.8042  1        20 Mhz         0     one-ph            -39   03/17/2020 18:25:14  FALSE
0008.2f1c.8044  1        20 Mhz         0     aprusty-test      -38   03/17/2020 18:25:14  FALSE
0008.3296.f340  11       20 Mhz         0     ewlc-ap-dot1x     -51   03/18/2020 10:39:27  FALSE
0008.3296.f341  11       20 Mhz         0     vewlc_small_psk   -49   03/18/2020 10:39:27  FALSE
002a.1022.d950  1        20 Mhz         0     ewlc-ap-dot1x     -57   03/17/2020 18:25:14  FALSE
002a.105c.bfd0  1        20 Mhz         0     ewlc-ap-dot1x     -36   03/17/2020 18:25:14  FALSE
002a.105c.bfd1  1        20 Mhz         0     vewlc_small_psk   -37   03/17/2020 18:25:14  FALSE
002c.c864.76d0  11       20 Mhz         0     rajwlan           -61   03/18/2020 10:37:37  FALSE
002c.c8de.59e0  1        20 Mhz         0     WQ                -48   03/17/2020 18:25:14  FALSE
002c.c8de.5d80  11       20 Mhz         0     ewlc-ap-dot1x     -54   03/18/2020 10:39:27  FALSE
002c.c8de.5d81  11       20 Mhz         0     vewlc_small_psk   -55   03/18/2020 10:39:27  FALSE
002c.c8de.7260  11       20 Mhz         0     ewlc-ap-dot1x     -53   03/18/2020 10:39:27  FALSE
002c.c8de.7261  11       20 Mhz         0     vewlc_small_psk   -54   03/18/2020 10:39:27  FALSE
005d.7390.e1e0  1        20 Mhz         0     rlan              -54   03/17/2020 18:25:14  FALSE
006b.f114.95a0  1        20 Mhz         0     zavc              -60   03/17/2020 18:25:14  FALSE
006b.f114.b0e0  1        20 Mhz         0     ewlc-ap-dot1x     -46   03/17/2020 18:25:14  FALSE
006c.bc61.2340  1        20 Mhz         0     dnac-swim         -63   03/17/2020 18:24:44  FALSE
006c.bc72.5ce0  11       20 Mhz         0     dnac-swim         -58   03/18/2020 10:39:17  FALSE

Chapter 184
Fastlane+
· Information About Fastlane+, on page 1837
· Configuring Fastlane+ on a WLAN (CLI), on page 1837
· Configuring Fastlane+ on a WLAN (GUI), on page 1838
· Monitoring Fastlane+, on page 1838
· Verifying Fastlane+, on page 1839
Information About Fastlane+
IEEE 802.11ax allows scheduled access-based uplink transmissions by periodically collecting buffer status reports from clients. The Fastlane+ feature improves the effectiveness of estimating the uplink buffer status for clients, thereby enhancing the user experience for latency-sensitive applications. The Fastlane+ feature can be enabled or disabled on a per-WLAN basis. Support for this feature is indicated in the beacons and probe responses transmitted by an AP.

Note This feature works only if Protected Management Frame (PMF) is configured as optional or mandatory for a WLAN.

Configuring Fastlane+ on a WLAN (CLI)

Procedure

Step 1: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2: wlan profile-name wlan-id SSID_Name
Example: Device(config)# wlan wlan-test 3 ssid-test
Purpose: Configures a WLAN and enters WLAN configuration submode.
Note: If you have already configured a WLAN, enter the wlan profile-name command.

Step 3: scheduler asr
Example: Device(config-wlan)# scheduler asr
Purpose: Configures the Fastlane+ feature on a WLAN.

Configuring Fastlane+ on a WLAN (GUI)
Procedure

Step 1: Choose Configuration > Tags & Profiles > WLANs.
Step 2: Select a WLAN.
Step 3: Click the Advanced tab.
Step 4: Check the Advanced Scheduling Requests Handling check box to enable the feature on a per-WLAN basis.
Step 5: Click Update & Apply to Device.

Monitoring Fastlane+
Procedure

Step 1: Choose Monitoring > Wireless > Clients.
Step 2: Click a client name from the client list. The Client window with multiple tabs is activated.
Step 3: Click the General tab.
Step 4: Click the Client Statistics tab. The most recent uplink latency statistics received from the client are displayed in the Uplink Latency Distribution section.
Step 5: Click the Client Properties tab. The Fastlane+ feature-related client capability information is displayed at the bottom of the window.


Verifying Fastlane+
The following example shows how to verify whether Fastlane+ is enabled or disabled for a WLAN:
Device# show wlan 2 | include ASR
Advanced Scheduling Requests Handling : Enabled
The following example shows how to verify Fastlane+ capability information and the most recent client uplink latency statistics:
Device# show wireless client mac-address f45c.89b0.xxxx detail
. . .
Regular ASR support: : ENABLED
Non-default Fastlane Profile: : Active
Range       Voice  Video  Background  Best-Effort
---------------------------------------------------------------------------------------
[0-20ms]    400    300    200         100
[20-40ms]   401    301    201         101
[40-100ms]  402    302    202         102
[>100ms]    403    303    203         103
The following example shows how to verify Fastlane+ statistics along with Fastlane+ capability and uplink latency statistics for all the Fastlane+ clients on a WLAN.

Note show interfaces dot11radio asr-info all is an AP command, and does not work on the controller.

Device# show interfaces Dot11Radio 1 asr-info all

[*10/12/2020 18:45:21.0149]
[*10/12/2020 18:45:21.0150] Client-MAC:[26:52:CF:C8:D0:1C] AID:[3] ASR-Capability:[0x1]
[*10/12/2020 18:45:21.0150] BE- LAT[0-20]:[267] LAT[20-40]:[57] LAT[40-100]:[32] LAT[>100]:[26]
[*10/12/2020 18:45:21.0150] BK- LAT[0-20]:[0] LAT[20-40]:[0] LAT[40-100]:[0] LAT[>100]:[0]
[*10/12/2020 18:45:21.0150] VI- LAT[0-20]:[0] LAT[20-40]:[0] LAT[40-100]:[0] LAT[>100]:[0]
[*10/12/2020 18:45:21.0150] VO- LAT[0-20]:[2222] LAT[20-40]:[409] LAT[40-100]:[224] LAT[>100]:[163]
[*10/12/2020 18:45:21.0150]
[*10/12/2020 18:45:21.0206] HTT_PEER_DETAILS_TLV:
[*10/12/2020 18:45:21.0206] peer_type = 0
[*10/12/2020 18:45:21.0206] sw_peer_id = 98
[*10/12/2020 18:45:21.0206] vdev_id = 25
[*10/12/2020 18:45:21.0206] pdev_id = 0
[*10/12/2020 18:45:21.0206] ast_idx = 1187
[*10/12/2020 18:45:21.0206] mac_addr = 26:52:cf:c8:d0:1c
[*10/12/2020 18:45:21.0206] peer_flags = 0x200006f9
[*10/12/2020 18:45:21.0206] qpeer_flags = 0x8
[*10/12/2020 18:45:21.0206]
[*10/12/2020 18:45:21.0206] HTT_STATS_PEER_ASR_STATS_TLV
[*10/12/2020 18:45:21.0206] asr_bmap: 0x8
[*10/12/2020 18:45:21.0206] asr_muedca_update_cnt: 1
[*10/12/2020 18:45:21.0206] asr_muedca_reset_cnt: 1
[*10/12/2020 18:45:21.0206] asr_ul_mu_bsr_trigger: 2376
[*10/12/2020 18:45:21.0206] asr_min_trig_intv- BE:0 BK:0 VI:0 VO:19
[*10/12/2020 18:45:21.0206] asr_max_trig_intv- BE:0 BK:0 VI:0 VO:20
[*10/12/2020 18:45:21.0207] asr_min_alloc_rate- BE:0 BK:0 VI:0 VO:12
[*10/12/2020 18:45:21.0207] asr_ul_su_data_ppdu_cnt- BE:0 BK:0 VI:0 VO:2149
[*10/12/2020 18:45:21.0207] asr_ul_su_data_ppdu_bytes- BE:0 BK:0 VI:0 VO:757546
[*10/12/2020 18:45:21.0207] asr_ul_mu_trig_ppdu_cnt- BE:0 BK:0 VI:0 VO:5002
[*10/12/2020 18:45:21.0207] asr_ul_mu_trig_ppdu_bytes- BE:0 BK:0 VI:0 VO:2400960
[*10/12/2020 18:45:21.0207] asr_ul_mu_data_ppdu_cnt- BE:0 BK:0 VI:0 VO:2134
[*10/12/2020 18:45:21.0207] asr_ul_mu_data_ppdu_bytes- BE:0 BK:0 VI:0 VO:736578
[*10/12/2020 18:45:21.0207] asr_ul_mu_data_padding_bytes- BE:0 BK:0 VI:0 VO:2953488

The following examples show how to verify scheduling statistics along with capability and uplink latency statistics for a given client on a WLAN:

Note The show interfaces dot11radio asr-info is an AP command and it will not work on the controller.

Device# show interfaces Dot11Radio 1 asr-info 26:XX:CF:XX:D0:XX

[*10/12/2020 18:45:21.0149]
[*10/12/2020 18:45:21.0150] Client-MAC:[26:52:CF:C8:D0:1C] AID:[3] ASR-Capability:[0x1]
[*10/12/2020 18:45:21.0150] BE- LAT[0-20]:[267] LAT[20-40]:[57] LAT[40-100]:[32] LAT[>100]:[26]
[*10/12/2020 18:45:21.0150] BK- LAT[0-20]:[0] LAT[20-40]:[0] LAT[40-100]:[0] LAT[>100]:[0]
[*10/12/2020 18:45:21.0150] VI- LAT[0-20]:[0] LAT[20-40]:[0] LAT[40-100]:[0] LAT[>100]:[0]
[*10/12/2020 18:45:21.0150] VO- LAT[0-20]:[2222] LAT[20-40]:[409] LAT[40-100]:[224] LAT[>100]:[163]
[*10/12/2020 18:45:21.0150]
[*10/12/2020 18:45:21.0206] HTT_PEER_DETAILS_TLV:
[*10/12/2020 18:45:21.0206] peer_type = 0
[*10/12/2020 18:45:21.0206] sw_peer_id = 98
[*10/12/2020 18:45:21.0206] vdev_id = 25
[*10/12/2020 18:45:21.0206] pdev_id = 0
[*10/12/2020 18:45:21.0206] ast_idx = 1187
[*10/12/2020 18:45:21.0206] mac_addr = 26:xx:cf:xx:d0:xx
[*10/12/2020 18:45:21.0206] peer_flags = 0x200006f9
[*10/12/2020 18:45:21.0206] qpeer_flags = 0x8
[*10/12/2020 18:45:21.0206]
[*10/12/2020 18:45:21.0206] HTT_STATS_PEER_ASR_STATS_TLV
[*10/12/2020 18:45:21.0206] asr_bmap: 0x8
[*10/12/2020 18:45:21.0206] asr_muedca_update_cnt: 1
[*10/12/2020 18:45:21.0206] asr_muedca_reset_cnt: 1
[*10/12/2020 18:45:21.0206] asr_ul_mu_bsr_trigger: 2376
[*10/12/2020 18:45:21.0206] asr_min_trig_intv- BE:0 BK:0 VI:0 VO:19
[*10/12/2020 18:45:21.0206] asr_max_trig_intv- BE:0 BK:0 VI:0 VO:20
[*10/12/2020 18:45:21.0207] asr_min_alloc_rate- BE:0 BK:0 VI:0 VO:12
[*10/12/2020 18:45:21.0207] asr_ul_su_data_ppdu_cnt- BE:0 BK:0 VI:0 VO:2149
[*10/12/2020 18:45:21.0207] asr_ul_su_data_ppdu_bytes- BE:0 BK:0 VI:0 VO:757546
[*10/12/2020 18:45:21.0207] asr_ul_mu_trig_ppdu_cnt- BE:0 BK:0 VI:0 VO:5002
[*10/12/2020 18:45:21.0207] asr_ul_mu_trig_ppdu_bytes- BE:0 BK:0 VI:0 VO:2400960
[*10/12/2020 18:45:21.0207] asr_ul_mu_data_ppdu_cnt- BE:0 BK:0 VI:0 VO:2134
[*10/12/2020 18:45:21.0207] asr_ul_mu_data_ppdu_bytes- BE:0 BK:0 VI:0 VO:736578
[*10/12/2020 18:45:21.0207] asr_ul_mu_data_padding_bytes- BE:0 BK:0 VI:0 VO:2953488


PART XVIII
Cisco DNA Service for Bonjour
· Cisco DNA Service for Bonjour Solution Overview, on page 1843 · Configuring Local Area Bonjour for Wireless Local Mode, on page 1855 · Configuring Local Area Bonjour for Wireless FlexConnect Mode, on page 1875 · Configuration Example for Local Mode - Wireless and Wired, on page 1897 · Configuration Example for FlexConnect Mode - Wireless and Wired, on page 1913

Chapter 185
Cisco DNA Service for Bonjour Solution Overview
· About the Cisco DNA Service for Bonjour Solution, on page 1843 · Solution Components, on page 1844 · Supported Platforms, on page 1845 · Supported Network Design, on page 1846
About the Cisco DNA Service for Bonjour Solution
The Apple Bonjour protocol is a zero-configuration solution that simplifies rich services and enables an intuitive experience between connected devices, services, and applications. Using Bonjour, you can discover and use IT-managed, peer-to-peer, audio and video, or Internet of Things (IoT) services with minimal intervention and technical knowledge. Bonjour was originally designed for single Layer 2 small to mid-size networks, such as home or branch networks. The Cisco DNA Service for Bonjour solution eliminates the single Layer 2 domain constraint and expands the matrix to enterprise-grade traditional wired and wireless networks, including overlay networks such as Cisco Software-Defined Access (SD-Access) and industry-standard BGP EVPN with VXLAN. The Cisco Catalyst 9000 Series LAN switches, Cisco Nexus 9300 Series Switches, and Cisco Catalyst 9800 Series Wireless Controller follow the industry-standard, RFC 6762-based multicast DNS (mDNS) specification to support interoperability with various compatible wired and wireless consumer products in enterprise networks. The Cisco Wide Area Bonjour application on Cisco DNA Center enables mDNS service routing to advertise and discover services across enterprise-grade wired and wireless networks. The new distributed architecture is designed to eliminate mDNS flood boundaries and transition to unicast-based service routing, providing policy enforcement points and enabling the management of Bonjour services. The following figure illustrates how the Cisco Wide Area Bonjour application operates across two integrated service-routing domains.

Figure 53: Cisco Wide Area Bonjour Solution Architecture

· Local Area Service Discovery Gateway Domain - Unicast Mode: The new enhanced Layer 2 unicast policy-based deployment model. The new mDNS service discovery and distribution using the Layer 2 unicast address enables flood-free LAN and wireless networks. Cisco Catalyst 9000 Series Switches and Cisco Catalyst 9800 Series Wireless Controller in Layer 2 mode introduce a new service-peer role, replacing the classic flood-n-learn, for new unicast-based service routing support in the network. The service-peer switch and wireless controller also replace mDNS flood-n-learn with unicast-based communication with any RFC 6762 mDNS-compatible wired and wireless endpoints.
· Wide-Area Service Discovery Gateway Domain: The Wide Area Bonjour domain is a controller-based solution. The Bonjour gateway role and responsibilities of Cisco Catalyst and Cisco Nexus 9300 Series Switches are extended from a single SDG switch to an SDG agent, enabling Wide Area Bonjour service routing beyond a single IP gateway. The network-wide distributed SDG agent devices establish a lightweight, stateful, and reliable communication channel with a centralized Cisco DNA Center controller running the Cisco Wide Area Bonjour application. The SDG agents route locally discovered services based on the export policy.
Note The classic Layer 2 multicast flood-n-learn continues to be supported on wired and wireless networks with certain restrictions to support enhanced security and location-based policy enforcement. The Cisco Catalyst and Cisco Nexus 9300 Series Switches at Layer 3 boundary function as an SDG to discover and distribute services between local wired or wireless VLANs based on applied policies.
Solution Components
The Cisco DNA Service for Bonjour solution is an end-to-end solution that includes the following key components and system roles to enable unicast-based service routing across the local area and Wide Area Bonjour domain:
· Cisco Service Peer: Cisco Catalyst Switches and Cisco Wireless Controllers in Layer 2 access function in service peer mode to support unicast-based communication with local attached endpoints and export service information to the upstream Cisco Catalyst SDG agent in the distribution layer.

Note Cisco Nexus 9300 Series Switches don't support unicast-based service routing with downstream Layer 2 access network devices.
· Cisco SDG Agent: Cisco Catalyst and Cisco Nexus 9300 Series Switches function as an SDG agent and communicate with the Bonjour service endpoints in Layer 3 access mode. At the distribution layer, the SDG agent aggregates information from the downstream Cisco service peer switch and wireless controller, or local Layer 2 networks, and exports information to the central Cisco DNA controller.

Note Cisco Nexus 9300 Series Switches don't support multilayer LAN-unicast deployment mode.
· Cisco DNA controller: The Cisco DNA controller builds the Wide Area Bonjour domain with network-wide and distributed trusted SDG agents using a secure communication channel for centralized services management and controlled service routing.
· Endpoints: A Bonjour endpoint is any device that advertises or queries Bonjour services conforming to RFC 6762. The Bonjour endpoints can be in either LANs or WLANs. The Cisco Wide Area Bonjour application is designed to integrate with RFC 6762-compliant Bonjour services, including AirPlay, Google Chromecast, AirPrint, and so on.

Supported Platforms

The following table lists the supported controllers, along with the supported hardware and software versions.
Table 89: Supported Controllers with Supported Hardware and Software Versions

Supported Controller | Hardware | Software Version
Cisco DNA Center appliance | DN2-HW-APL, DN2-HW-APL-L, DN2-HW-APL-XL | Cisco DNA Center, Release 2.3.6
Cisco Wide Area Bonjour application | -- | 2.4.660.75403

The following table lists the supported SDG agents along with their licenses and software requirements.
Table 90: Supported SDG Agents with Supported License and Software Requirements

Supported Platform | Supported Role | Local Area SDG | Wide Area SDG | Minimum Software
Cisco Catalyst 9200 Series Switches | SDG agent, Service peer | Cisco DNA Advantage | Cisco DNA Advantage | Cisco IOS XE Release 17.11.1
Cisco Catalyst 9200L Series Switches | SDG agent, Service peer | Cisco DNA Advantage | Cisco DNA Advantage | Cisco IOS XE Release 17.11.1
Cisco Catalyst 9300 and 9300-X Series Switches | Service peer, SDG agent | Cisco DNA Advantage | Cisco DNA Advantage | Cisco IOS XE Release 17.11.1
Cisco Catalyst 9400 and 9400-X Series Switches | Service peer, SDG agent | Cisco DNA Advantage | Cisco DNA Advantage | Cisco IOS XE Release 17.11.1
Cisco Catalyst 9500 and 9500-X Series Switches | Service peer, SDG agent | Cisco DNA Advantage | Cisco DNA Advantage | Cisco IOS XE Release 17.11.1
Cisco Catalyst 9500 High Performance Series Switches | Service peer, SDG agent | Cisco DNA Advantage | Cisco DNA Advantage | Cisco IOS XE Release 17.11.1
Cisco Catalyst 9600 and 9600-X Series Switches | Service peer, SDG agent | Cisco DNA Advantage | Cisco DNA Advantage | Cisco IOS XE Release 17.11.1
Cisco Catalyst 9800 Wireless Controller | Service peer | Cisco DNA Advantage | Cisco DNA Advantage | Cisco IOS XE Release 17.11.1
Cisco Catalyst 9800-L Wireless Controller | Service peer | Cisco DNA Advantage | Cisco DNA Advantage | Cisco IOS XE Release 17.11.1
Cisco Nexus 9300 Series Switches | SDG agent | Cisco DNA Advantage | Cisco DNA Advantage | Cisco NX-OS Release 10.2(3)F

Supported Network Design
The Cisco DNA Service for Bonjour supports a broad range of enterprise-grade networks. The end-to-end unicast-based Bonjour service routing is supported on traditional, Cisco SD-Access, and BGP EVPN-enabled wired and wireless networks.
Traditional Wired and Wireless Networks
Traditional networks are classic Layer 2 or Layer 3 networks for wired and wireless modes deployed in enterprise networks. Cisco DNA Service for Bonjour supports a broad range of network designs to enable end-to-end service routing and replace flood-n-learn-based deployment with a unicast mode-based solution. The following figure illustrates traditional LAN and central-switching wireless local mode network designs that are commonly deployed in an enterprise.

Figure 54: Enterprise Traditional LAN and Wireless Local Mode Network Design

Wired Networks
The following figure shows the supported traditional LAN network designs that are commonly deployed in an enterprise.
Figure 55: Enterprise Wired Multilayer and Routed Access Network Design

The Cisco Catalyst or Cisco Nexus 9300 Series Switches in SDG agent role that provide Bonjour gateway functions are typically IP gateways for wired endpoints that could reside in the distribution layer in multilayer network designs, or in the access layer in Layer 3 routed access network designs:
· Multilayer LAN--Unicast Mode: In this deployment mode, the Layer 2 access switch provides the first-hop mDNS gateway function to locally attached wired endpoints. In unicast mode, the mDNS services are routed to the distribution layer systems providing IP gateway and SDG agent mode. The policy-based service routing between the SDG agents is performed by the Cisco DNA Center controller.
· Multilayer LAN--Flood-n-Learn Mode: In this deployment mode, the Layer 2 access switch or wireless controller is in mDNS passthrough mode, with the Cisco Catalyst or Cisco Nexus 9300 Series Switches operating in SDG agent mode. The mDNS gateway function at the distribution layer enables an inter-VLAN mDNS local proxy. It also builds stateful Wide Area Bonjour unicast service routing with the Cisco DNA Center to discover or distribute mDNS services beyond a single IP gateway.
· Routed Access: In this deployment mode, the first-hop Cisco Catalyst or Cisco Nexus 9300 Series Switch is an IP gateway boundary and, therefore, it must also perform the SDG agent role. The policy-based service routing between the SDG agents is performed by the Cisco DNA Center controller.
Wireless Networks
The Cisco DNA Service for Bonjour extends the single wireless controller mDNS gateway function into the Wide Area Bonjour solution. The mDNS gateway on Cisco Catalyst 9800 Series Wireless Controller can be deployed in an enhanced mode as a service peer. In this mode, the wireless controller builds unicast service routing with an upstream Cisco Catalyst gateway switch for end-to-end mDNS service discovery. It replaces the classic flood-n-learn mDNS services from wired network using mDNS AP or other methods.
The following figure shows the supported traditional wireless LAN network designs that are commonly deployed in an enterprise. Based on the wireless network design, the mDNS gateway function may be on the wireless controller, or first-hop Layer 2 or Layer 3 Ethernet switch of an Access Point in local-switching mode.
Figure 56: Enterprise Traditional Wireless LAN Network Design

The Cisco DNA Service for Bonjour supports the following modes for wireless LAN networks:
· Local Mode: In the central switching wireless deployment mode, the mDNS traffic from local mode Cisco access points is terminated on the Cisco Catalyst 9800 Series Wireless Controller. The Cisco Catalyst 9800 Series Wireless Controller extends the mDNS gateway function to the new service peer mode. The wireless controller can discover and distribute services to local wireless users and perform unicast service routing over a wireless management interface to the upstream Cisco Catalyst Switch in the distribution layer, which acts as the IP gateway and the SDG agent.
· FlexConnect--Central: The mDNS gateway function for Cisco access point in FlexConnect central switch SSID functions consistently as described in Local Mode. The new extended mDNS gateway mode on the Cisco Wireless Controller and upstream service routing with SDG agent operate consistently to discover services across network based on policies and locations.
· FlexConnect--Local: In FlexConnect local switching mode, the Layer 2 access switch in mDNS gateway service peer mode provides the policy-based mDNS gateway function to locally attached wired and wireless users. The Cisco Catalyst Switches in the distribution layer function as SDG agents and enable mDNS service-routing across all Layer 2 ethernet switches to support unicast-based service routing to LAN and wireless LAN user groups.
· Embedded Wireless Controller--Access Point: The Layer 2 access switch in service peer mode provides unified mDNS gateway function to wired and wireless endpoints associated with Cisco Embedded Wireless Controller on Cisco Catalyst 9100 Series Access Points. The SDG agent in the distribution layer provides unicast service routing across all Layer 2 service peer switches in the Layer 2 network block without any mDNS flooding.
Cisco SD-Access Wired and Wireless Networks
Cisco SD-Access-enabled wired and wireless networks support Cisco DNA Service for Bonjour across fabric networks. The Cisco Catalyst 9000 Series Switches support VRF-aware Wide Area Bonjour service routing to provide secure and segmented mDNS service discovery and distribution management for virtual networks. The VRF-aware unicast service routing eliminates the need to extend Layer 2 flooding, and improves the scale and performance of the fabric core network and endpoints.
Figure 57: Cisco SD-Access Wired and Wireless Network Design

Cisco SD-Access supports flexible wired and wireless network design alternatives to manage fully distributed, integrated, and backward-compatible traditional network infrastructure. Wide Area Bonjour service routing is supported in all network designs providing intuitive user experience. The following figure illustrates the various SD-Access enabled wired and wireless network design alternatives.


Figure 58: Cisco SD-Access Wired and Wireless Network Design Alternatives

The Cisco DNA Service for Bonjour for SD-Access enabled wired and fabric, or traditional mode, wireless networks uses two-tier service routing to provide an end-to-end unicast-based mDNS solution. Based on the network design, each solution component is enabled in a unique role to support the Wide Area Bonjour domain:
· Fabric Edge SDG Agent: The Layer 3 Cisco Catalyst Fabric Edge switch in the access layer configured as SDG agent provides unicast-based mDNS gateway function to the locally attached wired and wireless endpoints. The VRF-aware mDNS service policy provides network service security and segmentation in a virtual network environment. The mDNS services can be locally distributed and routed through centralized Cisco DNA Center.
· Policy Extended Node: The Layer 2 Cisco Catalyst access layer switch enables first-hop mDNS gateway function without flooding across the Layer 2 broadcast domain. The unicast-based service routing with upstream Fabric Edge switch in the distribution layer enables mDNS service routing within the same Layer 2 network block. It can also perform remote service discovery and distribution from centralized Cisco DNA Center.
· Cisco Wireless Controller: Based on the following wireless deployment modes, Cisco Wireless Controller supports unique function to enable mDNS service routing in Cisco SD-Access enabled network:
· Fabric-Enabled Wireless: Cisco Wireless Controller doesn't require any mDNS gateway capability to be enabled in distributed fabric-enabled wireless deployments.
· Local Mode Wireless: As Cisco Wireless Controller provides central control and data plane termination, it provides mDNS gateway in service peer mode for wireless endpoints. The wireless controller provides mDNS gateway between locally associated wireless clients. The wireless controller builds service routing with upstream SDG agent Catalyst switch providing IP gateway and service routing function for wireless endpoints.
· Embedded Wireless Controller--Switch: The Cisco Embedded Wireless Controller solution enables the lightweight integrated wireless controller function within the Cisco Catalyst 9300 Series Switch. The Cisco Catalyst switches in the distribution layer function as SDG agents to the wired and wireless endpoints. The SDG agent in the distribution layer provides unicast service routing across all wireless access points and Layer 2 service peer switches without mDNS flooding.
· Cisco DNA Center Controller: The Cisco Wide Area Bonjour application on Cisco DNA Center supports policy and location-based service discovery, and distribution between network-wide distributed Fabric Edge switches in SDG agent mode.
The Wide Area Bonjour communication between the SDG agent and controller takes place through the network underlay. Based on policies, the SDG agent forwards the endpoint announcements or queries to the Cisco DNA Center. After discovering a service, the endpoints can establish direct unicast communication through the fabric overlay in the same virtual network. The inter-virtual network unicast communication takes place through the Fusion router or external Firewall system. This communication is subject to the configured overlay IP routing and Security Group Tag (SGT) policies.
BGP EVPN Networks
The BGP EVPN-based technology provides a flexible Layer 3 segmentation and Layer 2 extension overlay network. The VRF and EVPN VXLAN-aware Wide Area Bonjour service routing provides secure and segmented mDNS service solution. The overlay networks eliminate mDNS flooding over EVPN-enabled Layer 2 extended networks and solve the service reachability challenges for Layer 3 segmented routed networks in the fabric.
The following figure shows the BGP EVPN leaf switch in the distribution layer, supporting overlay Bonjour service routing for a BGP EVPN-enabled traditional Layer 2 wired access switch and traditional wireless local mode enterprise network interconnected through various types of Layer 2 networks and Layer 3 segmented VRF-enabled networks.
Figure 59: Overlay Bonjour Service for a BGP EVPN-Enabled Enterprise Network

Cisco DNA Service for Bonjour supports all the industry-standard overlay network designs enabling end-to-end unicast-based mDNS service routing, and preventing flooding and service boundary limitation across wired and wireless networks. The following figure illustrates the various BGP EVPN VXLAN reference overlay network design alternatives. This network design enables end-to-end mDNS service discovery and distribution based on overlay network policies.
Figure 60: BGP EVPN VXLAN Wired and Wireless Design Alternatives

The Cisco Catalyst and Cisco Nexus 9000 Series Switches can be deployed in Layer 2 or Layer 3 leaf roles supporting mDNS service routing for a broad range of overlay networks. In any role, the mDNS communication is limited locally and supports end-to-end unicast-based service routing across Wide Area Bonjour domain:
· Layer 2 Leaf SDG Agent: The Cisco Catalyst or Cisco Nexus switches can be deployed as Layer 2 leaf supporting end-to-end bridged network with IP gateway within or beyond BGP EVPN VXLAN fabric network. By default, the mDNS is flooded as Broadcast, Unknown Unicast, Multicast (BUM) over the fabric-enabled core network. This mDNS flooding may impact network performance and security. The Layer 2 leaf, enabled as SDG agent, prevents mDNS flooding over VXLAN and supports unicast-based service routing.
· Layer 3 Leaf SDG Agent: The Cisco Catalyst or Cisco Nexus switches can be deployed as SDG agent supporting Layer 3 overlay network in BGP EVPN VXLAN fabric. The IP gateway and mDNS service boundary is terminated at the SDG agent switches and remote services can be discovered or distributed through centralized Cisco DNA Center.
· Local Mode Wireless: The centralized wireless local mode network can be terminated within or outside the EVPN VXLAN fabric domain to retain network segmentation and service discovery for wireless endpoints. The Cisco Catalyst 9800 Series Wireless Controller in service peer mode can build unicast service routing with distribution layer IP and SDG agent Cisco Catalyst switch to discover services from BGP EVPN VXLAN fabric overlay network.
· Cisco DNA Center: Cisco DNA Center supports Wide Area Bonjour capability to dynamically discover and distribute mDNS services based on Layer 2 or Layer 3 Virtual Network ID (VNID) policies to route the mDNS services between SDG agent switches in the network.
For more information about BGP EVPN networks, see Cisco DNA Service for Bonjour Configuration Guide, Cisco IOS XE Bengaluru 17.6.x (Catalyst 9600 Switches).

CHAPTER 186
Configuring Local Area Bonjour for Wireless Local Mode
· Overview of Local Area Bonjour for Wireless Local Mode, on page 1855
· Prerequisites for Local Area Bonjour for Wireless Local Mode, on page 1855
· Restrictions for Local Area Bonjour for Wireless Local Mode, on page 1856
· Understanding Local Area Bonjour for Wireless Local Mode, on page 1856
· Configuring Wireless AP Multicast, on page 1857
· Configuring Local Area Bonjour for Wireless Local Mode, on page 1860
· Verifying mDNS Gateway Configuration, on page 1871
· Reference, on page 1873
Overview of Local Area Bonjour for Wireless Local Mode
The Cisco Catalyst 9800 series controller introduces a unicast mode function in the Local Area Bonjour network domain. The enhanced gateway function at the first hop of wired and wireless networks communicates directly with any industry-standard, RFC 6762-compliant Multicast DNS (mDNS) endpoint in Layer 2 unicast mode. The controller also introduces a new service-peer mode, expanding the classic single-gateway controller to end-to-end service-routing with an upstream SDG agent switch, to enable unicast mode and increased scale, performance, and resiliency in the network.
Prerequisites for Local Area Bonjour for Wireless Local Mode
The Cisco Catalyst 9800 series controller must be successfully configured and be operational before implementing Cisco Local Area Bonjour for local mode wireless networks. The following list provides the prerequisites for the controller that is to be deployed in service-peer mode:
· Ensure that the targeted controller for the service-peer role has the required Cisco IOS-XE software version. See Supported SDG Agents with Supported Licenses and Software Requirements table in Cisco DNA Service for Bonjour Solution Overview chapter.
· Ensure that the controller runs a valid Cisco DNA-Advantage license.
· Ensure that the upstream distribution-layer Cisco Catalyst switch in SDG agent mode runs a valid Cisco DNA-Advantage license.

· Ensure that the controller is interconnected as Layer 2 trunk in static 802.1Q mode, when Layer 2 Unicast service-routing is running between SDG agent in distribution-layer and the controller service-peer.
· Ensure that the controller has IP reachability to the upstream Cisco Catalyst 9000 series switches in SDG agent mode over the same IPv4 wireless management subnet.
· Ensure that global multicast is enabled on the controller and AP is set to multicast mode. All local mode APs must join the multicast group in the network to successfully process mDNS messages.
Restrictions for Local Area Bonjour for Wireless Local Mode
· Controller management port is not supported for service-routing with upstream Catalyst SDG Agent switch.
· The controller in service peer mode supports location-based service for access points in local mode and FlexConnect central switching mode.
· The controller supports location-based capabilities only between wireless connected service provider and the receiver.
· The controller does not support service-routing configuration using GUI.
Understanding Local Area Bonjour for Wireless Local Mode
The traditional wireless controller supported an mDNS snooping function with various advancements for wireless networks. As enterprise requirements expand, IT organizations are driven to introduce new network deployment models that support mobile devices and distributed zero-configuration services, with increased scale, granular security control, and resiliency for mission-critical networks. The unified Cisco IOS-XE operating system across Cisco Catalyst 9000 series LAN switches and the Cisco Catalyst 9800 series controller enables a distributed Bonjour gateway function at the network edge. With end-to-end Wide Area Bonjour service-routing, the new solution enables service-oriented enterprise networks with an intuitive user experience. The following figure illustrates the controller platform supporting the mDNS gateway function for wireless users in local mode and building a service-routing peering with the upstream Cisco Catalyst 9000 series switch for network-wide service discovery and distribution based on IT-managed granular policies and locations. The unicast-based service-routing between the controller in service-peer mode and the upstream SDG-Agent switch eliminates mDNS flooding over the wireless network and over the Layer 2 trunk ports to the upstream network, and frees bandwidth on both.

Figure 61: Cisco Catalyst 9800 Series Controller Local Area Bonjour for Wireless Local Mode

Configuring Wireless AP Multicast
By default, the controller and AP prevent forwarding of Layer 2 or Layer 3 multicast frames between the wireless and wired network infrastructure. The forwarding is supported with stateful capabilities enabled using AP multicast. To allow mDNS message processing over a wireless network, multicast must be enabled and a unique AP multicast group must be configured on the controller to advertise in the IP core network. This AP multicast group is only required for APs to enable Multicast over Multicast (MCMC) capabilities in the network. The Bonjour solution does not require any other multicast on the wireless client VLAN; multicast there is optional and applicable only to other Layer 3 multicast applications. The figure given below illustrates the end-to-end wireless multicast configuration requirement to ensure that wireless APs successfully join the controller-announced multicast group.

Figure 62: Multicast Routing in IP Core Network

Configuring Wireless AP Multicast (GUI)
This procedure configures wireless AP multicast on a controller in service-peer mode.
Procedure

Step 1: Choose Configuration > Services > Multicast.
Step 2: Set the Global Wireless Multicast Mode to Enabled.
Step 3: From the AP Capwap Multicast drop-down list, select Multicast.
Step 4: Enter a unique IP address at AP Capwap IPv4 Multicast group Address.
Step 5: Click Apply.
Step 6: Click Save.

Configuring Wireless AP Multicast (CLI)
This procedure configures wireless AP multicast on a controller in service-peer mode.

Procedure

Step 1: configure terminal
  Example: Device# configure terminal
  Purpose: Enters global configuration mode.

Step 2: wireless multicast
  Example: Device(config)# wireless multicast
  Purpose: Enables global IP multicast processing.

Step 3: wireless multicast IPv4-multicast-address
  Example: Device(config)# wireless multicast 239.254.254.1
  Purpose: Enables AP CAPWAP mode to Multicast with a unique IPv4 multicast address configuration.

Step 4: exit
  Example: Device(config-mdns-sd)# exit
  Purpose: Exits mDNS gateway configuration mode.

Configuring Multicast in IP Network (CLI)
This procedure configures IP Multicast under AP VLAN, Management VLAN and IP core interfaces on upstream Catalyst LAN distribution-layer switch.

Procedure

Step 1: configure terminal
  Example: Device# configure terminal
  Purpose: Enters global configuration mode.

Step 2: ip multicast-routing
  Example: Device(config)# ip multicast-routing
  Purpose: Enables IP multicast processing.

Step 3: interface interface-id
  Example: Device(config)# interface TenGigabitEthernet 1/0
  Purpose: Selects an interface that is connected to hosts and network devices on which PIM can be enabled.

Step 4: ip pim sparse-mode
  Example: Device(config-if)# ip pim sparse-mode
  Purpose: Enables IP Multicast on Layer 3 interfaces of distribution and core layer network switches:
  · AP VLAN: Enables IP multicast on the SVI interface of the VLAN assigned to wireless APs on the wireless AP distribution layer switch.
  · Management VLAN: Enables IP multicast on the SVI interface of the VLAN assigned to the controller management VLAN on the wireless distribution layer switch.
  · Layer 3 Interface: Enables IP multicast routing on all core network devices and Layer 3 interfaces.

Step 5: exit
  Example: Device(config-if)# exit
  Purpose: Exits interface configuration mode.

Step 6: ip pim rp-address rp-address
  Example: Device(config)# ip pim rp-address 239.254.254.100
  Purpose: Configures the IP Multicast RP address on core and distribution network switches. The IP network may use an alternate multicast routing method.
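The two CLI procedures above, controller side and distribution-switch side, assembled into one end-to-end configuration. This is an added example, not configuration from the guide; the AP multicast group 239.254.254.1 is the guide's own sample value, while the VLAN IDs, interface names, IP addresses and the RP loopback address are constructed assumptions. Note that the RP is identified by a unicast address of the router acting as rendezvous point (a loopback on a core or distribution switch), so the example uses a constructed loopback address rather than a group address.

```cisco
! ===== Cisco Catalyst 9800 controller in service-peer mode =====
! Added example (not the guide's own). 239.254.254.1 is the guide's
! sample group; all other values are constructed assumptions.
configure terminal
 wireless multicast
 wireless multicast 239.254.254.1
 exit

! ===== Upstream Catalyst distribution-layer switch (SDG agent) =====
configure terminal
 ip multicast-routing
 !
 ! SVI for the VLAN that carries the local-mode APs (constructed VLAN/IP)
 interface Vlan100
  description AP-VLAN (constructed)
  ip address 10.100.0.1 255.255.255.0
  ip pim sparse-mode
 !
 ! SVI for the controller wireless-management VLAN (constructed VLAN/IP)
 interface Vlan200
  description WLC-MGMT-VLAN (constructed)
  ip address 10.200.0.1 255.255.255.0
  ip pim sparse-mode
 !
 ! Layer 3 uplink toward the core; PIM sparse-mode on every L3 hop
 interface TenGigabitEthernet1/0/1
  no switchport
  ip address 10.255.0.2 255.255.255.252
  ip pim sparse-mode
 !
 ! Static RP: a reachable unicast loopback on the RP router (constructed).
 ip pim rp-address 10.255.255.1
 exit

! Verification (standard IOS XE show commands; output not reproduced here)
show wireless multicast
show ip pim rp mapping
show ip mroute 239.254.254.1
```

After the APs join, `show ip mroute 239.254.254.1` on the distribution switch should list the AP VLAN interface in the outgoing interface list of the (*,G) entry; if it does not, check that PIM sparse-mode is enabled on every Layer 3 hop between the controller management subnet and the AP subnet and that the RP address is reachable from both.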

Configuring Local Area Bonjour for Wireless Local Mode
This section provides configuration guidelines to implement Cisco Catalyst 9800 series controller as mDNS gateway and enable service-peer mode to enable service-routing with upstream distribution-layer Cisco Catalyst 9000 series switch in SDG-Agent mode to build Local Area Bonjour.
Configuring mDNS Service Policy (GUI)
Configuring an mDNS service policy consists of creating a service list that permits built-in or user-defined custom service types, associating the service list with a service policy that is enforced in the ingress or egress direction, and applying the service policy to the targeted Wireless Profile. This configuration is common to the controller in service-peer and single-gateway deployments for wireless networks. This procedure configures an mDNS service policy on a controller in service-peer mode.
Procedure

Step 1 Choose Configuration > Services > mDNS.
Step 2 Set the mDNS Gateway button to Enabled.
Step 3 Click Service Policy Tab.
Step 4 Click Service List and click Add.
This activates the Service List window.
Step 5 In the Service List Name field, enter a unique name with alphanumeric value.
Step 6 From the Direction drop-down list, select service list policy direction. Use IN for ingress or OUT for egress mDNS message matching policy.
Step 7 Click +Add Services to add mDNS service-types in selected service list.
Step 8 From the Available Services drop-down list, select built-in or custom mDNS service-type.
Step 9 From the Message Type drop-down list, select Announcement to accept service advertisement or Query to permit service discovery from the network. Default message-type is any.
Step 10 Click Save button to add mDNS service-type entry.

Note: Repeat Step 7 to Step 9 to add more mDNS service-types in selected service list.


Step 11 Click Apply to Device.
This creates a new mDNS Service List for selected direction.

Note: Repeat Step 5 to Step 11 for bi-directional service list.

Step 12 Click Service-Policy tab.
Step 13 Click +Add to create new mDNS service-policy.
Step 14 In the Service Policy Name field, enter a unique mDNS service policy name.
Step 15 From the Service List Input drop-down list, select ingress mDNS service list input to enforce mDNS policies on ingress direction from wireless networks.
Step 16 From the Service List Output drop-down list, select mDNS policies on egress direction to wireless networks.
Step 17 Click Apply to Device. This creates a new mDNS service policy.
Step 18 Choose Configuration > Tags & Profiles > Policy.
Step 19 Choose or create a new Policy Profile.
Step 20 Click Advanced tab.
Step 21 From the mDNS Service Policy drop-down list, select an mDNS service policy. Refer to Cisco Catalyst 9800 Series Configuration Guide to configure other policy profile parameters.
Step 22 Click Apply to Device button. This creates a new policy profile or updates an existing policy profile with mDNS service policy.
Step 23 Click Save.

Configuring mDNS Service Policy (CLI)
This procedure builds and applies service-policies on target wireless profile in service-peer mode.

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: mdns-sd service-list service-list-name {in | out}
Example:
Device(config)# mdns-sd service-list VLAN100-LIST-IN in
Device(config)# mdns-sd service-list VLAN100-LIST-OUT out
Purpose: Configures an mDNS service-list to classify one or more service-types. A unique service-list is required to process incoming mDNS messages and outbound responses to requesting end points.


Step 3
Command or Action: match service-definition-name [message-type {any | announcement | query}]
Example:
Device(config)# mdns-sd service-list VLAN100-LIST-IN in
Device(config-mdns-sl-in)# match APPLE-TV
Device(config-mdns-sl-in)# match PRINTER-IPPS message-type announcement
Purpose: Matches the inbound service-list. The controller validates whether to accept or drop an incoming mDNS service-type (for example, Apple TV) advertisement or query matching the message type. The service-list contains an implicit deny at the end. The default message-type is "any".

Step 4
Command or Action: match service-definition-name [message-type {any | announcement | query}]
Example:
Device(config)# mdns-sd service-list VLAN100-LIST-OUT out
Device(config-mdns-sl-out)# match APPLE-TV
Device(config-mdns-sl-out)# match PRINTER-IPPS
Purpose: Matches an outbound service-list. The controller provides the local service proxy function by responding with the matching service-type to the requesting end points. For example, the Apple-TV and Printer learnt from VLAN 100 will be distributed to receivers in the same VLAN 100. The service-list contains an implicit deny at the end. The message-type for an outbound service-list is not required.

Step 5
Command or Action: exit
Example:
Device(config-mdns-sl-out)# exit
Purpose: Returns to global configuration mode.

Step 6
Command or Action: mdns-sd service-policy service-policy-name
Example:
Device(config)# mdns-sd service-policy VLAN100-POLICY
Purpose: Creates a unique mDNS service-policy.

Step 7
Command or Action: service-list service-list-name {in | out}
Example:
Device(config-mdns-ser-policy)# service-list VLAN100-LIST-IN in
Device(config-mdns-ser-policy)# service-list VLAN100-LIST-OUT out
Purpose: Configures the mDNS service-policy to associate a service-list for each direction.

Step 8
Command or Action: exit
Example:
Device(config-mdns-ser-policy)# exit
Purpose: Exits mDNS service policy configuration mode.

Step 9
Command or Action: wireless profile policy policy-name
Example:
Device(config)# wireless profile policy WLAN-PROFILE
Purpose: Configures a unique wireless profile policy name to associate the mDNS service-policy.


Step 10
Command or Action: mdns-sd service-policy service-policy
Example:
Device(config-wireless-policy)# mdns-sd service-policy VLAN100-POLICY
Purpose: Associates the mDNS service-policy with the configured VLAN IDs.
Note: This step requires the wireless profile policy to be administratively shut down before associating the service-policy, and re-activated with no shutdown to make the service-policy effective.

Step 11
Command or Action: exit
Example:
Device(config-wireless-policy)# exit
Purpose: Exits wireless profile policy configuration mode.

Configuring Custom Service Definition (GUI)
Cisco IOS-XE supports various built-in well-known mDNS service-definition types that map key mDNS PTR records to user-friendly names. For example, the built-in Apple-TV service-type is associated with the _airplay._tcp.local and _raop._tcp.local PTR records to successfully enable the service in the network. The network administrator can create a custom service-definition with matching mDNS PTR records to enable end-to-end mDNS service-routing in the network.
This procedure configures custom mDNS service definition and applies it to policy.
Procedure

Step 1 Choose Configuration > Services > mDNS.
Step 2 Set the mDNS Gateway button to Enabled.
Step 3 Click Service Policy Tab.
Step 4 Click Add to create new custom mDNS service-list definition.
This activates the Service Definition window.
Step 5 In the Service Definition Name field, enter a unique alphanumeric value.
Step 6 (Optional) In the Description field, enter a description for the service definition.
Step 7 In the Service Type field, enter a single mDNS PoinTeR (PTR) record entry in _<service-type>._<protocol>.local regular expression format. For example, _airplay._tcp.local
Step 8 Click + to add custom mDNS service-type in selected definition list.

Note: Repeat Step 7 and Step 8 to add more custom service-types in the selected definition list.

Step 9 Click Apply.
Step 10 Perform the steps given in Configuring mDNS Service Policy (GUI), selecting the built-in or custom service-type to configure the service list.
Step 11 Click Save.


Configuring Custom Service Definition (CLI)
This procedure creates custom service-definition configuration to discover mDNS services from local wireless networks.

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: mdns-sd service-definition service-definition-name
Example:
Device(config)# mdns-sd service-definition APPLE-CLASSROOM
Purpose: Creates a unique service-definition name for custom service-types.

Step 3
Command or Action: service-type custom-mDNS-PTR
Example:
Device(config-mdns-ser-def)# service-type _classroom._tcp.local
Purpose: Configures a regular-expression string for the custom mDNS PoinTeR (PTR) record.

Step 4
Command or Action: exit
Example:
Device(config-mdns-ser-def)# exit
Purpose: Returns to global configuration mode.
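The two CLI procedures above, Configuring mDNS Service Policy (CLI) and Configuring Custom Service Definition (CLI), define three objects whose interaction decides which mDNS messages the controller accepts: service-definitions (name to PTR record pattern), service-lists (ordered match entries with an implicit deny and an inbound-only message-type), and the service-policy that binds one list per direction. The following Python model is an added example, not code from the guide or from Cisco IOS XE; it lets you check a planned policy against sample messages before touching a WLAN. The APPLE-TV PTR records, the VLAN100 list and policy names and the APPLE-CLASSROOM definition come from the page; the PRINTER-IPPS PTR record (_ipps._tcp.local), the sample messages and the "permit_classroom" switch are constructed assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Structural check for a custom service-type entry: one PTR record in
# "_<service-type>._<protocol>.local" form (a regular expression may stand in
# for the service-type label). Constructed for this model.
SERVICE_TYPE_SHAPE = re.compile(r"_[^.]+\._(tcp|udp)\.local")


@dataclass
class ServiceDefinition:
    """mdns-sd service-definition <name>: user-friendly name -> PTR record patterns."""
    name: str
    service_types: List[str] = field(default_factory=list)

    def add_service_type(self, pattern: str) -> None:
        # Device(config-mdns-ser-def)# service-type <pattern>
        if not SERVICE_TYPE_SHAPE.fullmatch(pattern):
            raise ValueError(f"{pattern!r} is not in _<service-type>._<protocol>.local form")
        self.service_types.append(pattern)

    def matches(self, ptr_name: str) -> bool:
        return any(re.fullmatch(p, ptr_name) for p in self.service_types)


@dataclass
class ServiceList:
    """mdns-sd service-list <name> {in | out}: ordered entries, implicit deny at the end."""
    name: str
    direction: str
    entries: List[Tuple[str, str]] = field(default_factory=list)  # (definition, message-type)

    def match(self, definition: str, message_type: str = "any") -> None:
        # match <definition> [message-type {any | announcement | query}]
        self.entries.append((definition, message_type))


@dataclass
class ServicePolicy:
    """mdns-sd service-policy <name>: one service-list per direction."""
    name: str
    lists: Dict[str, ServiceList] = field(default_factory=dict)

    def service_list(self, sl: ServiceList) -> None:
        self.lists[sl.direction] = sl


def evaluate(policy, definitions, direction, ptr_name, message_type):
    """Decide one mDNS message: ('permit', definition-name) or ('deny', reason)."""
    sl = policy.lists.get(direction)
    if sl is None:
        return ("deny", f"no {direction} service-list in {policy.name}")
    for defn_name, wanted in sl.entries:  # first matching entry wins
        if not definitions[defn_name].matches(ptr_name):
            continue
        # message-type is enforced on the inbound list only; "any" matches both types
        if direction == "out" or wanted in ("any", message_type):
            return ("permit", defn_name)
    return ("deny", "implicit deny at end of service-list")


def build_definitions() -> Dict[str, ServiceDefinition]:
    apple_tv = ServiceDefinition("APPLE-TV", ["_airplay._tcp.local", "_raop._tcp.local"])  # built-in, per the guide
    printer = ServiceDefinition("PRINTER-IPPS", ["_ipps._tcp.local"])  # PTR record is an assumption
    classroom = ServiceDefinition("APPLE-CLASSROOM")  # custom definition from the CLI example
    classroom.add_service_type("_classroom._tcp.local")
    return {d.name: d for d in (apple_tv, printer, classroom)}


def build_policy(permit_classroom: bool = False) -> ServicePolicy:
    """VLAN100-LIST-IN / VLAN100-LIST-OUT / VLAN100-POLICY as configured on the page."""
    sl_in, sl_out = ServiceList("VLAN100-LIST-IN", "in"), ServiceList("VLAN100-LIST-OUT", "out")
    sl_in.match("APPLE-TV")
    sl_in.match("PRINTER-IPPS", "announcement")  # printer queries arriving from the WLAN are dropped
    sl_out.match("APPLE-TV")
    sl_out.match("PRINTER-IPPS")
    if permit_classroom:  # a custom definition only takes effect once a list references it
        sl_in.match("APPLE-CLASSROOM")
        sl_out.match("APPLE-CLASSROOM")
    policy = ServicePolicy("VLAN100-POLICY")
    policy.service_list(sl_in)
    policy.service_list(sl_out)
    return policy


# Constructed sample messages: (direction, PTR record name, message type).
SAMPLE_MESSAGES = [
    ("in", "_airplay._tcp.local", "announcement"),
    ("in", "_raop._tcp.local", "query"),
    ("in", "_ipps._tcp.local", "announcement"),
    ("in", "_ipps._tcp.local", "query"),
    ("in", "_classroom._tcp.local", "announcement"),
    ("in", "_googlecast._tcp.local", "announcement"),
    ("out", "_ipps._tcp.local", "query"),
]


def run(policy, definitions, messages=SAMPLE_MESSAGES):
    """Evaluate every sample message; each row is (direction, ptr, type, verdict, detail)."""
    return [(d, ptr, mt) + evaluate(policy, definitions, d, ptr, mt) for d, ptr, mt in messages]


if __name__ == "__main__":
    for row in run(build_policy(), build_definitions()):
        print(*row)
```

Running it shows the two behaviours that most often surprise operators: the printer query is denied inbound because the list entry is restricted to announcements, and the _classroom._tcp.local announcement is denied even though the custom definition exists, until the definition is actually referenced by a service-list.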

Configuring mDNS Gateway on WLAN (GUI)
Activating the mDNS gateway on the targeted WLAN is required to start processing incoming mDNS messages from associated wireless clients. To activate the mDNS gateway, the WLAN must be administratively shut down and re-enabled; this may require network downtime planning. This procedure configures the mDNS gateway and required policies.
Procedure

Step 1 Choose Configuration > Tags & Profiles > WLANs.
Step 2 Click to enable the mDNS Gateway on an existing WLAN row of the Catalyst 9800 controller. Click the + Add button to create a new WLAN if required. Refer to the Catalyst 9800 Series Wireless Controller Configuration Guide for step-by-step WLAN configuration.
Step 3 Click Advanced tab.
Step 4 From the mDNS Mode drop-down list, select Gateway to activate mDNS Gateway on the selected WLAN.
Step 5 Click Apply to Device.


Step 6 Click Save.

Configuring mDNS Gateway on WLAN (CLI)
This procedure implements mDNS gateway on a targeted WLAN of the controller in service-peer mode.

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wlan profile-name WLAN-ID SSID-name
Example:
Device(config)# wlan WLAN-PROFILE 1 blizzard
Purpose: Creates a unique WLAN.

Step 3
Command or Action: mdns-sd-interface gateway
Example:
Device(config-wlan)# mdns-sd-interface gateway
Purpose: Configures the mDNS gateway on the targeted WLAN.
Note: This step requires the wireless profile policy to be administratively shut down before associating the service-policy, and re-activated with no shutdown to make the service-policy effective.

Step 4
Command or Action: exit
Example:
Device(config-wlan)# exit
Purpose: Returns to global configuration mode.

Configuring Service-Routing on Service-Peer
The controller deployed in Service-Peer mode extends the mDNS service discovery and distribution boundary beyond a single controller to the global IP network using unicast-based service-routing. The controller service peer must establish IP-based unicast service-routing with a Cisco Catalyst 9000 series switch in the distribution layer network for global service-routing.
This procedure configures the controller in service peer mode.

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.


Step 2
Command or Action: mdns-sd gateway
Example:
Device(config)# mdns-sd gateway
Purpose: Enables mDNS and enters mDNS gateway configuration mode. The following optional parameters are available:
· active-query: Periodic mDNS query to refresh dynamic cache.
· active-response: Periodic active mDNS response instead of per-request processing.
· mode: Set Catalyst 9800 in service-peer mode.
· sdg-agent: Unicast service-routing with targeted SDG-Agent.
· service-announcement-count: Configures maximum advertisements in service-routing to SDG-Agent.
· service-announcement-timer: Configures advertisements announce timer periodicity in service-routing to SDG-Agent.
· service-query-count: Configures maximum queries in service-routing to SDG-Agent.
· service-query-timer: Configures query forward timer periodicity in service-routing to SDG-Agent.
· source-interface: Configures the source interface. If the source interface is configured, it will be used for all mDNS transactions. By default, the wireless management interface will be used.
· transport: Use IPv4 (default) or IPv6 transport for mDNS messaging to end points.

Note: For the rate-limit, service-announcement-count, service-announcement-timer, service-query-count and service-query-timer commands, you can retain the default value of the respective parameter for general deployments. Configure a different value, if required, for a specific deployment.


Step 3
Command or Action: mode [service-peer]
Example:
Device(config-mdns-sd)# mode service-peer
Purpose: Configures the mDNS gateway in service-peer mode.

Step 4
Command or Action: sdg-agent [IPv4 Address]
Example:
Device(config-mdns-sd)# sdg-agent 10.0.2.254
Purpose: Configures the SDG Agent IPv4 address. Typically, this is the management VLAN gateway address. In FHRP mode, use the FHRP Virtual-IP address of the management VLAN.

Step 5
Command or Action: exit
Example:
Device(config-mdns-sd)# exit
Purpose: Returns to global configuration mode.

Configuring Location-Based mDNS on Service-Peer (GUI)
Cisco Catalyst 9800 series controller supports location-based mDNS service discovery and distribution between wireless service provider and receiver endpoints. The location-based mDNS service support can be implemented using multiple supporting AP classification methods to implement policy-based service distributions in wireless networks. The location-based mDNS service is effective and supported on wireless APs in Local-Mode or FlexConnect Central Switching modes.
The figure given below illustrates various LSS based mDNS service mode discovery and distribution support:


Figure 63: Location-Based mDNS Gateway

This procedure configures a location-based mDNS service policy.
Procedure

Step 1 Choose Configuration > Services > mDNS.
Step 2 Set the mDNS Gateway button to Enabled.
Step 3 Click Service Policy Tab.
Step 4 Click Service List and click Add. This activates the Service List window.
Step 5 In the Service List Name field, enter a unique name with alphanumeric value.
Step 6 From the Direction drop-down list, select service list policy direction. Use IN for ingress or OUT for egress mDNS message matching policy.
Step 7 Click +Add Services to add mDNS service-types in selected service list.
Step 8 From the Available Services drop-down list, select built-in or custom mDNS service-type.


Step 9 From the Message Type drop-down list, select Announcement to accept service advertisement or Query to permit service discovery from the network. Default message-type is any.
Step 10 Click Save button to add mDNS service-type entry.

Note: Repeat Step 7 to Step 9 to add more mDNS service-types in selected service list.

Step 11 Click Apply to Device.
This creates a new mDNS Service List for selected direction.

Note: Repeat Step 5 to Step 11 for bi-directional service list.

Step 12 Click Service-Policy tab.
Step 13 Click +Add to create new mDNS service-policy.
Step 14 In the Service Policy Name field, enter a unique mDNS service policy name.
Step 15 From the Service List Input drop-down list, select ingress mDNS service list input to enforce mDNS policies on ingress direction from wireless networks.
Step 16 From the Service List Output drop-down list, select mDNS policies on egress direction to wireless networks.
Step 17 Click Apply to Device. This creates a new mDNS service policy.
Step 18 Choose Configuration > Tags & Profiles > Policy.
Step 19 Choose or create a new Policy Profile.
Step 20 Click Advanced tab.
Step 21 From the mDNS Service Policy drop-down list, select an mDNS service policy. Refer to Cisco Catalyst 9800 Series Configuration Guide to configure other policy profile parameters.
Step 22 Click Apply to Device button. This creates a new policy profile or updates an existing policy profile with mDNS service policy.
Step 23 Click Save.

Configuring Location-Based mDNS on Service-Peer (CLI)
This procedure implements LSS based mDNS service discovery and distribution between wireless endpoints on the targeted WLAN of the controller in service-peer mode.

Procedure

Step 1
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.


Step 2
Command or Action: mdns-sd service-policy service-policy-name
Example:
Device(config)# mdns-sd service-policy VLAN100-POLICY
Purpose: Creates a unique mDNS service-policy.

Step 3
Command or Action: location {ap-location | ap-name | lss | regex | site-tag | ssid}
Example:
Device(config-mdns-ser-policy)# location ap-location
Purpose: Creates a unique mDNS service-policy.
· ap-location: Enables mDNS service discovery and distribution between wireless service provider and receiver connected to one or more AP configured in the same location name. The mDNS services from non-matching AP location is automatically filtered.
· ap-name: Enables mDNS service discovery and distribution between wireless service provider and receiver connected to single AP matching same AP name. The mDNS services from non-matching AP name is automatically filtered.
· lss: Enables mDNS service discovery and distribution between wireless service provider and receiver connected to same and neighboring one or more AP based on RRM. The mDNS services from non-matching AP neighbor-list is automatically filtered.
· regex: Enables mDNS service discovery and distribution between wireless service provider and receiver connected to one or more AP configured within matching AP name or AP Location name using regular-expression string. The mDNS services from non-matching AP names is automatically filtered.
· site-tag: Enables mDNS service discovery and distribution between wireless service provider and receiver connected to one or more AP configured same site tag name. The mDNS services from non-matching site tag is automatically filtered.
· ssid: Enables mDNS service discovery and distribution between wireless service provider and receiver connected to one or more AP configured same SSID name. The mDNS services from non-matching SSID is automatically filtered.

Step 4
Command or Action: exit
Example:
Device(config-mdns-ser-policy)# exit
Purpose: Exits mDNS service policy configuration mode.
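The six location modes of the location command above all answer the same question: given the AP attributes of the service provider and of the receiver, may the receiver see the provider's records? The following Python model is an added example and not code from the guide or from Cisco IOS XE; it applies each mode to a constructed set of endpoints so the filtering differences are visible side by side. Everything about the endpoints (names, AP names, locations, site tags, SSIDs) is constructed, the RRM neighbour table used for lss is a static stand-in for what a real controller derives from RRM, and the regex rule (both APs must match on AP name or AP location) is a modelling assumption about that mode.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Endpoint:
    """A wireless client plus the AP attributes the controller knows about it (constructed)."""
    name: str
    ap_name: str
    ap_location: str
    site_tag: str
    ssid: str


# Constructed RRM neighbour relationships (AP name -> neighbouring AP names) for the lss mode.
# Assumption: a real controller builds this list from RRM, not from a static table.
RRM_NEIGHBORS: Dict[str, Set[str]] = {
    "AP-LIB-1": {"AP-LIB-2"},
    "AP-LIB-2": {"AP-LIB-1"},
    "AP-GYM-1": set(),
}


def location_allows(mode: str, provider: Endpoint, receiver: Endpoint,
                    regex: Optional[str] = None) -> bool:
    """Model of 'location {ap-location | ap-name | lss | regex | site-tag | ssid}'."""
    if mode == "ap-name":
        return provider.ap_name == receiver.ap_name
    if mode == "ap-location":
        return provider.ap_location == receiver.ap_location
    if mode == "site-tag":
        return provider.site_tag == receiver.site_tag
    if mode == "ssid":
        return provider.ssid == receiver.ssid
    if mode == "lss":
        # same AP, or the receiver's AP is in the provider AP's RRM neighbour list
        return (provider.ap_name == receiver.ap_name
                or receiver.ap_name in RRM_NEIGHBORS.get(provider.ap_name, set()))
    if mode == "regex":
        if regex is None:
            raise ValueError("regex mode needs a pattern")
        pattern = re.compile(regex)

        def ap_matches(ep: Endpoint) -> bool:
            # modelling assumption: the pattern is tried against AP name and AP location
            return bool(pattern.search(ep.ap_name) or pattern.search(ep.ap_location))

        return ap_matches(provider) and ap_matches(receiver)
    raise ValueError(f"unknown location mode {mode!r}")


def visible_providers(mode: str, providers: List[Endpoint], receiver: Endpoint,
                      regex: Optional[str] = None) -> List[str]:
    """Names of the providers whose services the receiver may discover; the rest are filtered."""
    return [p.name for p in providers if location_allows(mode, p, receiver, regex)]


# Constructed sample endpoints: one receiver, three service providers.
RECEIVER = Endpoint("ipad-student", "AP-LIB-2", "Library", "Campus-A", "blizzard")
PROVIDERS = [
    Endpoint("appletv-library", "AP-LIB-1", "Library", "Campus-A", "blizzard"),
    Endpoint("printer-gym", "AP-GYM-1", "Gym", "Campus-A", "blizzard"),
    Endpoint("appletv-guest", "AP-LIB-2", "Library", "Campus-A", "guest"),
]


if __name__ == "__main__":
    for mode in ("ap-name", "ap-location", "site-tag", "ssid", "lss"):
        print(f"{mode:12s} -> {visible_providers(mode, PROVIDERS, RECEIVER)}")
    print(f"{'regex':12s} -> {visible_providers('regex', PROVIDERS, RECEIVER, regex=r'^AP-LIB-')}")
```

The output makes the trade-off between modes concrete: site-tag exposes every provider on the campus (including the gym printer), ap-name exposes only the Apple TV on the receiver's own AP even though it is on a different SSID, and ssid hides that same Apple TV while admitting the distant printer. Choosing the mode is therefore a decision about which attribute best approximates "nearby" for the deployment, and the model lets that choice be reviewed against the AP inventory before it is applied to a policy profile.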

Verifying mDNS Gateway Configuration
This section provides guidelines to verify various Local Area Bonjour domain mDNS service configuration parameters, cache records, statistics and more on the controller in service peer mode.


Table 91:

Command or Action: show mdns-sd cache {ap-mac | client-mac | detail | glan-ID | mdns-ap | rlan-id | statistics | type | udn | wired | wlan-id}
Purpose: Displays available mDNS cache records. The following keywords provide granular source details:
· ap-mac: Displays one or more mDNS service instance cache records discovered from provided AP MAC address.
· client-mac: Displays one or more mDNS service instance(s) cache records discovered from service provider wireless client MAC address.
· detail: Displays mDNS record detail information combined with client and network attributes and other service parameters.
· glan-ID: Displays one or more mDNS service instance(s) cache records discovered from provided Wired Guest LAN ID MAC address.
· mdns-ap: Displays one or more mDNS service instance(s) cache records discovered from provided Wireless mDNS AP MAC address.
· rlan-id: Displays one or more mDNS service instance(s) cache records discovered from provided Wired Remote LAN ID. Range 1-128.
· statistics: Displays detail global bi-directional mDNS statistics for IPv4 and IPv6 transports with packet processing count for each mDNS record-type.
· type: Displays one or more service-instance(s) cache records matching mDNS record-type, i.e., A-AAAA, PTR, SRV and TXT.
· udn: Displays one or more mDNS service instance(s) cache records discovered from segmented Wireless service provider in User-Defined-Group (UDN) or shared-services.
· wired: Displays one or more mDNS service instance(s) cache records discovered from upstream Layer 2 wired network.
· wlan-id: Displays one or more mDNS service instance(s) cache records discovered from matching provided wlan-ID. Range 1-4096.


Command or Action: show mdns-sd statistics {debug | flexconnect | glan-id | rlan-id | wired | wlan-id}
Purpose: Displays detailed mDNS statistics processed bi-directionally by the system on each mDNS gateway enabled VLAN configured for mDNS in Unicast mode. The expanded keywords of mDNS statistics can provide a detailed view on interface, policy, service-list and services.

Command or Action: show mdns-sd summary
Purpose: Displays brief information about mDNS gateway and key configuration status on all VLANs and interfaces of the system.

Verifying Catalyst WLC Service-Peer Configuration
This section provides guidelines to verify service peer service configuration and statistics.
Table 92:

Command or Action: show mdns-sd sp-sdg statistics
Purpose: Displays mDNS service-routing statistics between Catalyst 9800 service-peer and upstream SDG Agent switch for global service discovery and distribution.

Command or Action: show mdns-sd summary
Purpose: Displays brief information about mDNS gateway and key configuration status and parameters of the system.

Reference

Table 93:

Related Topic: DNA Service for Bonjour Deployment on Cisco Catalyst 9600 Switch
Document Title: Cisco Catalyst 9600 Series Switch Software Configuration Guide, Release 17.5.X

Related Topic: DNA Service for Bonjour Deployment on Cisco Catalyst 9500 Switch
Document Title: Cisco Catalyst 9500 Series Switch Software Configuration Guide, Release 17.5.X

Related Topic: DNA Service for Bonjour Deployment on Cisco Catalyst 9400 Switch
Document Title: Cisco Catalyst 9400 Series Switch Software Configuration Guide, Release 17.5.X

Related Topic: DNA Service for Bonjour Deployment on Cisco Catalyst 9300 Switch
Document Title: Cisco Catalyst 9300 Series Switch Software Configuration Guide, Release 17.5.X

Related Topic: Cisco Wide Area Bonjour Application on Cisco DNA Center User Guide
Document Title: Cisco Wide Area Bonjour Application on Cisco DNA Center User Guide, Release 2.2.2


CHAPTER 187
Configuring Local Area Bonjour for Wireless FlexConnect Mode
· Overview of Local Area Bonjour for Wireless FlexConnect Mode, on page 1875
· Restrictions for Local Area Bonjour for Wireless FlexConnect Mode, on page 1875
· Prerequisites for Local Area Bonjour for Wireless FlexConnect Mode, on page 1876
· Understanding mDNS Gateway Alternatives for Wireless FlexConnect Mode, on page 1876
· Understanding Local Area Bonjour for Wireless FlexConnect Mode, on page 1878
· Configuring Local Area Bonjour for Wireless FlexConnect Mode, on page 1880
· Verifying Local Area Bonjour in Service-Peer Mode, on page 1892
· Verifying Local Area Bonjour in SDG Agent Mode, on page 1894
· Reference, on page 1896
Overview of Local Area Bonjour for Wireless FlexConnect Mode
The Cisco Catalyst 9800 series controller introduces unicast mode function in Local Area Bonjour network domain. The enhanced gateway function at the first hop of Wired and Wireless networks communicates directly with any industry standard RFC 6762 compliant Multicast DNS (mDNS) end point in Layer 2 Unicast mode. The controller also introduces new service-peer mode expanding single-gateway to end-to-end service-routing with upstream SDG-Agent switch to enable unicast-mode, increased scale, performance and resiliency in the network.
Restrictions for Local Area Bonjour for Wireless FlexConnect Mode
· In FlexConnect mode network deployments, the mDNS gateway and service-peer mode on the controller must not be configured and must be in disabled state.

Prerequisites for Local Area Bonjour for Wireless FlexConnect Mode
The Cisco Catalyst 9800 series controller must be successfully configured and operational before implementing Cisco Local Area Bonjour for FlexConnect mode wireless networks. The following list provides the prerequisites for the controller that is to be deployed to enable successful mDNS gateway solution for Wireless FlexConnect:
· Ensure that the targeted Layer 2 Catalyst 9000 Series Ethernet switch is configured in service-peer role and running the required Cisco IOS-XE software version.
· Ensure that the Catalyst 9000 Series Ethernet switch runs a valid Cisco DNA-Advantage license.
· Ensure that the upstream distribution-layer Cisco Catalyst switch for Wired and FlexConnect Local Switching Wireless networks is configured in SDG-Agent mode and runs a valid Cisco DNA-Advantage license.
Understanding mDNS Gateway Alternatives for Wireless FlexConnect Mode
The controller continues to innovate mDNS gateway function to address evolving business and technical requirements in the Enterprise networks. The FlexConnect Local Switching based wireless networks implement mDNS gateway using the following two methods depicted in the figure:


Figure 64: mDNS Gateway Alternatives for FlexConnect Mode

Based on the operating network environment, the mDNS gateway for a FlexConnect mode wireless network can be implemented in one of the following modes to address service discovery and distribution:
· Switch Based mDNS Gateway: In Layer 2 access, the Cisco Catalyst 9000 series Ethernet switch must be implemented as the mDNS gateway in the Service-Peer role. The following are the key benefits:
  · Replaces flood-n-learn with the new enhanced Unicast-based mDNS communication with FlexConnect mode wireless users.
  · Eliminates the mDNS flood with Unicast service-routing to the LAN distribution. The Unicast service-routing between the LAN distribution and Layer 2 access layer switches forms the Local Area Bonjour domain to enable policy and location-based service discovery and distribution. The Unicast-based service-routing over the Layer 2 trunk eliminates the mDNS flood and enables service-oriented wireless networks.
  · Eliminates the requirement to forward wired network traffic to wireless Access Points, improving wireless scale, performance, and network reliability.
· AP Based mDNS Gateway: The Cisco FlexConnect mode wireless access points can alternatively be implemented as the mDNS gateway when connected to an unsupported LAN access switch. In this method, mDNS service discovery and distribution follows the flood-n-learn mechanism over the Layer 2 wireless network. To implement the AP based mDNS gateway, see the Multicast Domain Name System chapter.

Understanding Local Area Bonjour for Wireless FlexConnect Mode
The controller supports the mDNS gateway function with various advancements for a broad range of wireless networks. As enterprise requirements expand, IT organizations introduce new network deployment models that support mobile devices and distributed zero-configuration services while demanding increased scale, granular security control and resiliency for mission critical networks. The common unified Cisco IOS-XE operating system across Cisco Catalyst 9000 series LAN switches and the Cisco Catalyst 9800 series controller enables a distributed Bonjour gateway function at the network edge. With end-to-end Wide Area Bonjour service-routing, the new solution enables service-oriented enterprise networks with an intuitive user experience.
The following figure illustrates how the controller connected to wireless access points support mDNS gateway function to wireless users in FlexConnect Local Switching mode.


Figure 65: Cisco Catalyst 9800 Series Controller Local Area Bonjour for Wireless - FlexConnect Mode

The Cisco Catalyst 9000 series switches in the Layer 2 access layer and Layer 3 distribution layer must be configured in the following mDNS gateway mode to enable Unicast-based mDNS service-routing between wired and FlexConnect Local Switching mode wireless users within the same Layer 2 network block:
· Service-Peer - The Layer 2 access switch connecting wireless access point in FlexConnect Local Switching mode must be configured with mDNS gateway in Service-Peer mode. Each Layer 2 access switch provides mDNS gateway function between locally attached wired and FlexConnect mode wireless users. The Unicast-based mDNS service discovery and distribution within same or different VLANs is supported with bi-directional mDNS policies on single Layer 2 access switch.
· SDG Agent - The mDNS flood-n-learn based method in Layer 2 network is replaced with simple Unicast based service-routing between Layer 2 access switch in Service-Peer mode and upstream distribution-layer in mDNS gateway SDG Agent mode. The Unicast based mDNS service-routing eliminates mDNS flood over Layer 2 trunk ports providing increased bandwidth, enhanced security, location-based services, and flood control management in wired and FlexConnect wireless network.

Configuring Local Area Bonjour for Wireless FlexConnect Mode
This section provides configuration guidelines to implement Cisco Catalyst 9000 series Ethernet switch as mDNS gateway and enable service-peer and SDG Agent mode to enable service-routing with upstream distribution-layer Cisco Catalyst 9000 series switch in SDG Agent mode to build Local Area Bonjour.

Configuring mDNS Gateway Mode (CLI)
To enable mDNS gateway and Service-Peer mode on Layer 2 access switch and SDG Agent mode on Layer 3 distribution layer switch, perform the following:

Procedure

Step 1
Command or Action: enable
Example:
Device# enable
Purpose: Enables privileged EXEC mode. Enter your password, if prompted.

Step 2
Command or Action: configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 3
Command or Action: mdns-sd gateway
Example:
Device(config)# mdns-sd gateway
Purpose: Enables mDNS on the Layer 2 Catalyst switch and enters the mDNS gateway configuration mode. (Optional) You can configure the following additional parameters:
· air-print-helper: Enables communication between Apple iOS devices like iPhone or iPad to discover and use older printers that do not support the driverless AirPrint function.
· cache-memory-max: Configures the percentage memory for cache.
· ingress-client: Configures Ingress client packet tuners.
· rate-limit: Enables rate limiting of incoming mDNS packets.
· service-announcement-count: Configures maximum advertisements.

Cisco Catalyst 9800 Series Wireless Controller Software Configuration Guide, Cisco IOS XE Bengaluru 17.5.x 1880

Cisco DNA Service for Bonjour

Configuring mDNS Service Policy (CLI)

Step 4 Step 5

Command or Action

Purpose · service-announcement-timer: Configures advertisements announcement timer periodicity.
· service-query-count: Configures maximum queries.
· service-query-timer: Configures query forward timer periodicity.

Note

For cache-memory-max,

ingress-client, rate-limit,

service-announcement-count,

service-announcement-timer,

service-query-count,

service-query-timer commands,

you can retain the default value of

the respective parameter for

general deployments. Configure

a different value, if required, for

a specific deployment.

mode {service-peer | sdg-agent}

Configure mDNS gateway in one of the

Example:

following modes based on the system settings:

Device(config-mdns-sd)# mode service-peer Device(config-mdns-sd)# mode sdg-agent

· service-peer­ Enables Layer 2 Catalyst access switch in mDNS Service-Peer mode.

· sdg-agent­ Default. Enables Layer 3 distribution layer Catalyst switch in SDG Agent mode to peer with central Cisco DNA Center controller for Wide Area Bonjour service routing.

exit Example:
Device(config-mdns-sd)# exit

Exits mDNS gateway configuration mode.

Configuring mDNS Service Policy (CLI)
You need to perform the following to configure an mDNS service policy:
1. Create a service-list to permit built-in or user-defined custom service types.
2. Associate the service-list to a service-policy to enforce the ingress or egress direction.
3. Apply the service-policy in the new VLAN configuration mode.

Note: You will need this configuration in Service-Peer mode for the Layer 2 Catalyst switch and in SDG Agent mode for the Layer 3 Catalyst switch.
The following figure shows how to configure mDNS policies on a Catalyst switch in Service-Peer and SDG Agent modes.
Figure 66: mDNS Service Policy Configuration on Catalyst Switch in Service-Peer and SDG Agent Modes

This procedure builds and applies service-policies on the target VLAN in Service-Peer and SDG Agent modes.

Procedure

Step 1
enable
Example:
Device# enable
Purpose: Enables privileged EXEC mode. Enter your password, if prompted.

Step 2
configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 3
mdns-sd service-list service-list-name {in | out}
Example:
Device(config)# mdns-sd service-list VLAN100-LIST-IN in
Device(config)# mdns-sd service-list VLAN100-LIST-OUT out
Purpose: Configures an mDNS service-list to classify one or more service types. A unique service-list is required to process incoming mDNS messages and the outbound responses to requests from locally connected wired or FlexConnect wireless endpoints.

Step 4
match service-definition-name [message-type {any | announcement | query}]
Example:
Device(config)# mdns-sd service-list VLAN100-LIST-IN in
Device(config-mdns-sl-in)# match APPLE-TV
Device(config-mdns-sl-in)# match PRINTER-IPPS message-type announcement
Purpose: Matches the inbound service-list. The Catalyst switch validates whether to accept or drop an incoming mDNS service-type (such as Apple TV) advertisement or query matching the message type from locally connected wired or FlexConnect wireless endpoints. The service-list contains an implicit deny at the end. The default message-type is any.

Step 5
match service-definition-name [message-type {any | announcement | query}]
Example:
Device(config)# mdns-sd service-list VLAN100-LIST-OUT out
Device(config-mdns-sl-out)# match APPLE-TV
Device(config-mdns-sl-out)# match PRINTER-IPPS
Purpose: Matches the outbound service-list. The Catalyst switch provides the local service proxy function by responding with the matching service-type to the requesting endpoint(s). For example, the Apple-TV and Printer learnt from VLAN 100 will be distributed to FlexConnect wireless receivers in the same VLAN 100. The service-list contains an implicit deny at the end. The message-type for the outbound service-list is not required.

Step 6
mdns-sd service-policy service-policy-name
Example:
Device(config)# mdns-sd service-policy VLAN100-POLICY
Purpose: Creates a unique mDNS service-policy in global configuration mode.

Step 7
service-list service-list-name {in | out}
Example:
Device(config)# mdns-sd service-policy VLAN100-POLICY
Device(config-mdns-ser-policy)# service-list VLAN100-LIST-IN in
Device(config-mdns-ser-policy)# service-list VLAN100-LIST-OUT out
Purpose: Configures the mDNS service-policy to associate a service-list for each direction.

Step 8
vlan configuration ID
Example:
Device(config)# vlan configuration 100
Purpose: Enables wired or wireless FlexConnect user VLAN configuration for advanced service parameters. One or more VLANs can be created for the same settings. Here, ID refers to the VLAN configuration ID. A range such as 101-110, 200 allows you to configure consecutive and non-consecutive VLAN ID(s).

Step 9
mdns-sd gateway
Example:
Device(config-vlan)# mdns-sd gateway
Purpose: Enables mDNS gateway on the configured wired or FlexConnect wireless user VLAN ID(s).

Step 10
service-policy service-policy-name
Example:
Device(config-vlan-mdns)# service-policy VLAN100-POLICY
Purpose: Associates the mDNS service-policy to the configured wired or FlexConnect wireless user VLAN ID(s).

Step 11
exit
Example:
Device(config-vlan-mdns)# exit
Purpose: Exits mDNS gateway configuration mode.

Configuring mDNS Location-Filter (CLI)
Optionally, you can configure an mDNS location-filter to allow service discovery and distribution between locally configured VLAN IDs associated with FlexConnect wireless user networks.
The following figure illustrates a location-filter policy on a Catalyst switch in Service-Peer mode that permits discovering and distributing mDNS services between wired and FlexConnect wireless user VLANs.
Figure 67: Catalyst Service-Peer mDNS Location-Filter Configuration

To enable local service proxy on a Cisco Catalyst switch in Service-Peer mode and discover mDNS services between local wired and wireless FlexConnect user VLANs, perform the following:

Procedure

Step 1
enable
Example:
Device# enable
Purpose: Enables privileged EXEC mode. Enter your password, if prompted.

Step 2
configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 3
mdns-sd location-filter location-filter-name
Example:
Device(config)# mdns-sd location-filter LOCAL-PROXY
Purpose: Configures a unique location-filter in global configuration mode.

Step 4
match location-group {all | default | ID} vlan [ID]
Example:
Device(config-mdns-loc-filter)# match location-group default vlan 100
Device(config-mdns-loc-filter)# match location-group default vlan 101
Purpose: Configures the match criteria to mutually distribute the permitted services between the grouped VLANs. For example, mDNS services can be discovered and distributed using Unicast mode between wireless FlexConnect user VLAN ID 100 and wired user VLAN ID 101.

Step 5
mdns-sd service-list service-list-name {in | out}
Example:
Device(config)# mdns-sd service-list VLAN100-LIST-OUT out
Purpose: Configures the mDNS service-list to classify one or more service types. The service-list configuration is required to process any incoming or outgoing mDNS messages.

Step 6
match service-definition-name [message-type {any | announcement | query}]
Example:
Device(config)# mdns-sd service-list VLAN100-LIST-OUT out
Device(config-mdns-sl-out)# match APPLE-TV location-filter LOCAL-PROXY
Purpose: Associates the location-filter with one or more service types to enable local proxy between the local VLANs. For example, the Apple-TV learnt from VLAN 100 and VLAN 101 will be distributed to receivers in VLAN 100.
Note: You do not require a message-type for the outbound service-list.

Step 7
mdns-sd service-policy service-policy-name
Example:
Device(config)# mdns-sd service-policy VLAN100-POLICY
Purpose: Creates a unique mDNS service-policy in global configuration mode.

Step 8
service-list service-list-name {in | out}
Example:
Device(config)# mdns-sd service-policy VLAN100-POLICY
Device(config-mdns-ser-policy)# service-list VLAN100-LIST-OUT out
Purpose: Configures the mDNS service-policy to associate a service-list for each direction.

Step 9
vlan configuration ID
Example:
Device(config)# vlan configuration 100
Purpose: Enables VLAN configuration for advanced service parameters. You can create one or more VLANs with the same settings. Here, ID refers to the VLAN configuration ID. A range such as 101-110, 200 allows you to configure consecutive and non-consecutive VLAN ID(s).

Step 10
mdns-sd gateway
Example:
Device(config-vlan-config)# mdns-sd gateway
Purpose: Enables mDNS gateway on the configured VLAN ID(s).

Step 11
service-policy service-policy-name
Example:
Device(config-vlan-mdns-sd)# service-policy VLAN100-POLICY
Purpose: Associates the mDNS service-policy to the configured VLAN ID(s).

Step 12
exit
Example:
Device(config-vlan-mdns-sd)# exit
Purpose: Exits mDNS gateway configuration mode.

Configuring Custom Service Definition (CLI)
Cisco IOS XE supports mapping various built-in well-known mDNS service-definition types to key mDNS PTR records and user-friendly names. For example, the built-in Apple-TV service-type is associated with the _airplay._tcp.local and _raop._tcp.local PTR records to successfully enable the service in the network. Network administrators create a custom service-definition with the matching mDNS PTR records to enable end-to-end mDNS service-routing in the network.
The custom service-definition can be associated to the service-list as described in the following steps:

Procedure

Step 1
enable
Example:
Device# enable
Purpose: Enables privileged EXEC mode. Enter your password, if prompted.

Step 2
configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 3
mdns-sd service-definition service-definition-name
Example:
Device(config)# mdns-sd service-definition APPLE-CLASSROOM
Purpose: Creates a unique service-definition name for custom service-types.

Step 4
service-type custom-mDNS-PTR
Example:
Device(config-mdns-ser-def)# service-type _classroom._tcp.local
Purpose: Configures a regular-expression string for the custom mDNS PoinTeR (PTR) record.

Step 5
exit
Example:
Device(config-mdns-ser-def)# exit
Purpose: Exits mDNS gateway configuration mode.


Configuring Service-Routing on Service-Peer (CLI)
The Layer 2 Cisco Catalyst switch in Service-Peer mode builds service-routing with an upstream distribution-layer switch in SDG Agent mode. To build service-routing, the Layer 2 Cisco Catalyst switch requires at least one interface with a valid IP address to reach the upstream SDG Agent Catalyst switch. The switch management port is unsupported.
The following figure illustrates the topology to enable unicast-based service-routing over a Layer 2 trunk between the access-layer Catalyst switch in Service-Peer mode and the distribution-layer Catalyst switch in SDG Agent mode.
Figure 68: Catalyst Service-Peer Service-Routing Configuration

To enable service-routing on a Cisco Catalyst switch in Service-Peer mode and set up the mDNS trust interface settings, follow the procedure given below:

Procedure

Step 1
enable
Example:
Device# enable
Purpose: Enables privileged EXEC mode. Enter your password, if prompted.

Step 2
configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 3
vlan configuration ID
Example:
Device(config)# vlan configuration 100
Purpose: Enables wired and FlexConnect user VLAN configuration for advanced service parameters. One or more VLANs can be created for the same settings. Here, ID refers to the VLAN configuration ID. For example, vlan configuration 101-110, 200 allows you to configure consecutive and non-consecutive VLAN ID(s).

Step 4
mdns-sd gateway
Example:
Device(config-vlan-config)# mdns-sd gateway
Purpose: Enables mDNS gateway on the configured VLAN ID(s). To enable the respective functionalities, enter the following commands in mDNS gateway configuration mode:
· active-query timer [sec]: Refreshes discovered services and their records with a periodic mDNS Query message for the permitted service types. The valid range is from 60 to 3600 seconds. The recommended value is 3600 seconds.
· service-mdns-query {ptr | srv | txt}: Permits processing of the specified query type. The default query type is PTR.
· transport {ipv4 | ipv6 | both}: Permits processing for IPv4, IPv6, or both. It is recommended to use one network type, to avoid redundant processing and responding with the same information over two network types. The default network type is IPv4.

Step 5
source-interface ID
Example:
Device(config-vlan-mdns-sd)# source-interface vlan 4094
Purpose: Selects the interface with a valid IP address to source the service-routing session with the upstream Cisco Catalyst SDG Agent switch. Typically, the management VLAN interface can be used.

Step 6
sdg-agent [IPv4_address]
Example:
Device(config-vlan-mdns-sd)# sdg-agent 10.0.0.254
Purpose: Configures the SDG Agent IPv4 address, typically the management VLAN gateway address. In FHRP mode, use the FHRP virtual IP address of the management VLAN.

Step 7
exit
Example:
Device(config-vlan-mdns-sd)# exit
Purpose: Exits the mDNS gateway configuration mode.
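The following consolidated configuration is added here as an example; it is not taken from the guide. It combines the gateway-mode, service-policy, location-filter, custom service-definition and service-routing procedures above on one Layer 2 access switch in Service-Peer mode, assuming FlexConnect wireless user VLAN 100, wired user VLAN 101, a management VLAN 4094 with an IP address and an SDG Agent at 10.0.0.254 (the values and names used in the procedures).

```ios
! Added example (not from the guide): Layer 2 access switch in Service-Peer mode.
! Assumptions: wireless FlexConnect VLAN 100, wired VLAN 101, management
! VLAN 4094 carrying a valid IP address, upstream SDG Agent at 10.0.0.254.
!
! Gateway role: a Service-Peer sends unicast service-routing to the SDG Agent
! instead of flooding mDNS over the Layer 2 trunk.
mdns-sd gateway
 mode service-peer
!
! Custom service-definition for a PTR record the built-in list does not cover.
mdns-sd service-definition APPLE-CLASSROOM
 service-type _classroom._tcp.local
!
! Location-filter: VLAN 100 (wireless) and VLAN 101 (wired) may discover
! each other's services through the local proxy.
mdns-sd location-filter LOCAL-PROXY
 match location-group default vlan 100
 match location-group default vlan 101
!
! Inbound list: only these service types are accepted from local endpoints;
! printers may only announce, not query; anything else hits the implicit deny.
mdns-sd service-list VLAN100-LIST-IN in
 match APPLE-TV
 match PRINTER-IPPS message-type announcement
 match APPLE-CLASSROOM
!
! Outbound list: what the local proxy may answer with; the location-filter
! widens the answer set to the grouped VLANs. No message-type is needed.
mdns-sd service-list VLAN100-LIST-OUT out
 match APPLE-TV location-filter LOCAL-PROXY
 match PRINTER-IPPS location-filter LOCAL-PROXY
 match APPLE-CLASSROOM location-filter LOCAL-PROXY
!
! Bind both directions into one policy.
mdns-sd service-policy VLAN100-POLICY
 service-list VLAN100-LIST-IN in
 service-list VLAN100-LIST-OUT out
!
! Apply on the user VLANs and build the unicast session to the SDG Agent.
! source-interface and sdg-agent sit here because the procedure above
! enters them in the VLAN mDNS gateway mode.
vlan configuration 100-101
 mdns-sd gateway
  service-policy VLAN100-POLICY
  active-query timer 3600
  source-interface vlan 4094
  sdg-agent 10.0.0.254
!
```

The show mdns-sd summary and show mdns-sd cache commands from the verification tables in this chapter confirm that the gateway is active on both VLANs and that only the permitted service types are cached.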


Configuring Location-Based mDNS
By default, the Layer 2 Catalyst switch in Service-Peer mode enables per-switch mDNS discovery and distribution for FlexConnect wireless users attached locally to the switch. This default per-switch location-based mDNS is supported even when the FlexConnect user VLANs are extended between multiple Layer 2 Catalyst switches for user mobility purposes. The mDNS service-policy configuration on the SDG Agent is required to accept policy-based mDNS service provider and receiver information from the downstream Service-Peer access-layer switch.
Figure 69: Per-Switch Location-Based FlexConnect Configuration

Note Configure the mDNS service policy on the distribution layer SDG Agent switch before proceeding to the next configuration step. For more information, see the Configuring mDNS Service Policy (CLI) section.
Configuring Service-Routing on SDG Agent (CLI)
Cisco Catalyst 9000 series switches support SDG Agent mode automatically at the distribution layer and enable Unicast mode Bonjour service-routing with the downstream Layer 2 access-layer Ethernet switches connected to the FlexConnect wireless users. The SDG Agent must be configured with an mDNS service-policy on the wireless FlexConnect user VLAN to accept the mDNS service cache from downstream Service-Peer switches. This section provides step-by-step configuration guidelines to enable policy-based service discovery and distribution between locally paired Layer 2 access network switches in Service-Peer mode.

The following figure illustrates unicast service-routing on SDG Agent and downstream Layer 2 access network switches in the Service-Peer mode.
Figure 70: Catalyst SDG Agent Service-Routing Configuration

Note Configure the mDNS service policy on the distribution layer SDG Agent switch before proceeding to the next configuration step. For more information, see the Configuring mDNS Service Policy (CLI) section.

To enable the mDNS service policy and peer-group on SDG Agent switch, and enable Unicast mode service-routing with Layer 2 access network switches in Service-Peer mode, perform the following:

Procedure

Step 1
enable
Example:
Device# enable
Purpose: Enables privileged EXEC mode. Enter your password, if prompted.

Step 2
configure terminal
Example:
Device# configure terminal
Purpose: Enters global configuration mode.

Step 3
mdns-sd service-peer group service-peer-group-name
Example:
Device(config)# mdns-sd service-peer group group_1
Purpose: Configures a unique Service-Peer group.

Step 4
peer-group [ID]
Example:
Device(config-mdns-svc-peer)# peer-group 1
Purpose: Assigns a unique peer-group ID to the Service-Peers pair, permitting mDNS service discovery and distribution within the assigned group list. The valid peer-group range is from 1 to 1000 for each SDG Agent switch.

Step 5
service-policy service-policy-name
Example:
Device(config-mdns-svc-peer-grp)# service-policy VLAN100-POLICY
Purpose: Associates an mDNS service-policy to accept service advertisements and queries from the paired Service-Peers.

Step 6
service-peer [IPv4_address] location-group {all | default | id}
Example:
Device(config-mdns-svc-peer-grp)# service-peer 10.0.0.1 location-group default
Device(config-mdns-svc-peer-grp)# service-peer 10.0.0.2 location-group default
Purpose: Configures at least one Service-Peer to accept the mDNS service advertisement or query message. When a group has more than one Service-Peer, the SDG Agent provides Layer 2 Unicast mode routing between the configured peers.
For example, the SDG Agent provides the Unicast-based service gateway function between three (10.0.0.1 and 10.0.0.2) Layer 2 Service-Peer switches matching the associated service-policy.
The mDNS service information from the unpaired Layer 2 Service-Peer (10.0.0.3) can neither be announced to nor received from the other grouped Service-Peers (10.0.0.1 and 10.0.0.2).

Step 7
exit
Example:
Device(config-mdns-svc-peer-grp)# exit
Purpose: Exits mDNS gateway configuration mode.
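The matching configuration on the distribution-layer switch, added here as an example (not the guide's own configuration) for the Location-Based mDNS and Service-Routing on SDG Agent procedures above. It assumes the VLAN 100 list and policy names from the earlier procedures and the two paired Service-Peers 10.0.0.1 and 10.0.0.2; 10.0.0.3 is deliberately left out of the group to show the isolation the procedure describes.

```ios
! Added example (not from the guide): distribution-layer switch in SDG Agent mode.
! Assumptions: Service-Peers at 10.0.0.1 and 10.0.0.2 in peer-group 1,
! wireless FlexConnect user VLAN 100, list/policy names as in the procedures.
!
! sdg-agent is the default mode; it is set explicitly here for clarity.
mdns-sd gateway
 mode sdg-agent
!
! The agent needs its own service-lists and policy: it accepts only the
! advertisements and queries from peers that match this policy.
mdns-sd service-list VLAN100-LIST-IN in
 match APPLE-TV
 match PRINTER-IPPS message-type announcement
!
mdns-sd service-list VLAN100-LIST-OUT out
 match APPLE-TV
 match PRINTER-IPPS
!
mdns-sd service-policy VLAN100-POLICY
 service-list VLAN100-LIST-IN in
 service-list VLAN100-LIST-OUT out
!
! The policy must also be attached to the FlexConnect user VLAN so that the
! agent accepts the service cache pushed up by the Service-Peers.
vlan configuration 100
 mdns-sd gateway
  service-policy VLAN100-POLICY
!
! Peer-group 1: the agent relays services between 10.0.0.1 and 10.0.0.2 in
! unicast, with no Layer 2 flood. A Service-Peer that is not listed here,
! such as 10.0.0.3, can neither announce to nor learn from this group.
mdns-sd service-peer group group_1
 peer-group 1
  service-policy VLAN100-POLICY
  service-peer 10.0.0.1 location-group default
  service-peer 10.0.0.2 location-group default
!
```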

Verifying Local Area Bonjour in Service-Peer Mode
This section provides guidelines to verify various Local Area Bonjour domain mDNS service configuration parameters, cache records, statistics and more on the controller in Service-Peer mode.

Table 94:

show mdns-sd cache {all | interface | mac | name | service-peer | static | type | vlan}
Purpose: Displays the available mDNS cache records, supporting multiple variables that provide granular source details received from wired or wireless FlexConnect user VLANs. The variables are as follows:
· all - Displays all available cache records discovered from multiple source connections of a system.
· interface - Displays available cache records discovered from the specified Layer 3 interface.
· mac - Displays available cache records discovered from the specified MAC address.
· name - Displays available cache records based on the service provider announced name.
· service-peer - Displays available cache records discovered from the specified Layer 2 Service-Peer.
· static - Displays locally configured static mDNS cache entries.
· type - Displays available cache records based on the specific mDNS record type, such as PTR, SRV, TXT, A or AAAA.
· vlan - Displays available cache records discovered from the specified Layer 2 VLAN ID in Unicast mode.

show mdns-sd service-definition {name | type}
Purpose: Displays built-in and user-defined custom service-definitions that map a service name to the mDNS PTR records. The service-definition can be filtered by name or type.

show mdns-sd service-list {direction | name}
Purpose: Displays the inbound or outbound direction list of configured service-lists that classify matching service-types for a service-policy. The list can be filtered by name or specific direction.

show mdns-sd service-policy {interface | name}
Purpose: Displays the list of mDNS service-policies mapped with inbound or outbound service-lists. The service-policy list can be filtered by an associated interface or name.

show mdns-sd statistics {all | cache | debug | interface | service-list | service-policy | services | vlan}
Purpose: Displays detailed mDNS statistics processed bi-directionally by the system on each mDNS gateway-enabled VLAN configured for mDNS in Unicast mode. The expanded keywords for mDNS statistics can provide a detailed view on interface, policy, service-list, and services.
Note: This command displays all mDNS packets received from directly connected (Local Mode) or Flex clients in the WLAN.

show mdns-sd summary {interface | vlan}
Purpose: Displays brief information about the mDNS gateway and key configuration status on all wired and wireless FlexConnect user VLANs and interfaces of the system.

Verifying Local Area Bonjour in SDG Agent Mode
This section provides guidelines to verify various Local Area Bonjour domain mDNS service configuration parameters, cache records, statistics and more on the controller in SDG Agent mode.

Table 95:

show mdns-sd cache {all | interface | mac | name | service-peer | static | type | vlan | vrf}
Purpose: Displays the available mDNS cache records, supporting multiple variables that provide granular source details. The variables are as follows:
· all - Displays all available cache records discovered from multiple source connections of a system.
· interface - Displays available cache records discovered from the specified Layer 3 interface.
· mac - Displays available cache records discovered from the specified MAC address.
· name - Displays available cache records based on the service provider announced name.
· service-peer - Displays available cache records discovered from the specified Layer 2 Service-Peer.
· static - Displays locally configured static mDNS cache entries.
· type - Displays available cache records based on the specific mDNS record type, such as PTR, SRV, TXT, A or AAAA.
· vlan - Displays available cache records discovered from the specified Layer 2 VLAN ID in Unicast mode.
· vrf - Displays per-VRF available cache records based on the specific mDNS record type, i.e., PTR, SRV, TXT, A or AAAA.

show mdns-sd service-definition {name | type}
Purpose: Displays built-in and user-defined custom service-definitions that map a service name to the mDNS PTR records. The service-definition can be filtered by name or type.

show mdns-sd service-list {direction | name}
Purpose: Displays the inbound or outbound direction list of the configured service-lists that classify matching service-types for a service-policy. The list can be filtered by name or specific direction.

show mdns-sd service-policy {interface | name}
Purpose: Displays the list of mDNS service-policies mapped with inbound or outbound service-lists. The service-policy list can be filtered by an associated interface or name.

show mdns-sd statistics {all | cache | debug | interface | service-list | service-policy | services | vlan}
Purpose: Displays detailed mDNS statistics processed bi-directionally by the system on each mDNS gateway-enabled VLAN configured for mDNS in Unicast mode. The expanded keywords for mDNS statistics can provide a detailed view on interface, policy, service-list, and services.

show mdns-sd summary {interface | vlan}
Purpose: Displays brief information about the mDNS gateway and key configuration status on all VLANs and interfaces of the system.

Reference

Table 96:

Related Topic: DNA Service for Bonjour Deployment on Cisco Catalyst 9600 Switch
Document Title: Cisco Catalyst 9600 Series Switch Software Configuration Guide, Release 17.5.X

Related Topic: DNA Service for Bonjour Deployment on Cisco Catalyst 9500 Switch
Document Title: Cisco Catalyst 9500 Series Switch Software Configuration Guide, Release 17.5.X

Related Topic: DNA Service for Bonjour Deployment on Cisco Catalyst 9400 Switch
Document Title: Cisco Catalyst 9400 Series Switch Software Configuration Guide, Release 17.5.X

Related Topic: DNA Service for Bonjour Deployment on Cisco Catalyst 9300 Switch
Document Title: Cisco Catalyst 9300 Series Switch Software Configuration Guide, Release 17.5.X

Related Topic: Cisco Wide Area Bonjour Application on Cisco DNA Center User Guide
Document Title: Cisco Wide Area Bonjour Application on Cisco DNA Center User Guide, Release 2.2.2

CHAPTER 188
Configuration Example for Local Mode - Wireless and Wired
· Overview, on page 1897
· Configuring Wireless AP Multicast Mode, on page 1898
· Configuration Example for Customized Service List and Policy in Wide Area Bonjour Between Multilayer Wired and Wireless Endpoints, on page 1899
· Cisco DNA Center Traditional Multilayer Wired and Wireless Configuration, on page 1902
· Verifying Wide Area Bonjour Between Multilayer Wired and Wireless Local Mode, on page 1904
· Reference, on page 1911
Overview
This chapter provides configuration guidelines to implement Wide Area Bonjour, enabling end-to-end policy-based mDNS service discovery and distribution across multilayer wired and wireless local mode. The first-hop mDNS gateway at the Layer 2 access switch and the controller must be implemented in service peer mode and paired with the LAN and wireless distribution-layer switch in the SDG agent role. The network-wide distributed SDG agents must be paired with Cisco DNA Center to enable mDNS service-routing across the IP core network based on multiple services and network attributes. The following figure illustrates a Unicast mode Bonjour network environment with an AirPrint-capable printer and user computers (macOS, Microsoft Windows, etc.) connected to the same Ethernet switch. The computers and mobile devices of the wireless users are associated with a wireless AP in local mode, across a multi-hop IP boundary from the printers.
Figure 71: Wide Area Bonjour Service-Routing Multilayer Wired and Wireless Local Mode

Configuring Wireless AP Multicast Mode

This procedure configures wireless AP multicast on the controller for local mode APs and the IP network.
The controller must be configured with a unique IP multicast address for wireless APs in local mode to permit mDNS communication across wired and wireless networks.

Controller Service Peer Configuration

Step-1: Enable global IP Multicast on the Cisco Catalyst 9800 series controller.
!
wireless multicast
!

Step-2: Configure the wireless AP mode to Multicast with a unique IP Multicast address.
!
wireless multicast 239.254.254.1
!
The following table provides step-by-step IP multicast configuration guidelines on SDG agent (SDG-1 and SDG-2) at the distribution layer network.


Step-1: Enable IP multicast-routing on distribution layer switches connecting the Cisco Wireless Local Mode Access Point and the Cisco Wireless LAN Controller.
Switch SDG Agent Configuration:
!
ip multicast-routing
!
WLC SDG Agent Configuration:
!
ip multicast-routing
!

Step-2: Configure the IP PIM Rendezvous-Point (RP) on distribution layer switches.
Switch SDG Agent Configuration:
!
ip pim rp-address 10.150.255.1
!
WLC SDG Agent Configuration:
!
ip pim rp-address 10.150.255.1
!

Step-3: Enable IP PIM on the SVI interface of distribution layer switches connected to the Cisco Wireless Local Mode Access Point and the Cisco WLC Management VLAN.
Switch SDG Agent Configuration:
!
interface Vlan 101
 description CONNECTED TO WIRELESS AP - LOCAL MODE
 ip pim sparse-mode
!
WLC SDG Agent Configuration:
!
interface Vlan 4094
 description CONNECTED TO WIRELESS MGMT - WLC
 ip pim sparse-mode
!

Step-4: Enable IP PIM on the Layer 3 uplink interface of distribution layer switches connected to the Cisco Wireless Local Mode Access Point and the Cisco WLC Management VLAN.
Switch SDG Agent Configuration:
!
interface range FortyGigabitEthernet 1/1/1 - 2
 description CONNECTED TO IP CORE NETWORK
 ip pim sparse-mode
!
WLC SDG Agent Configuration:
!
interface range FortyGigabitEthernet 1/1/1 - 2
 description CONNECTED TO IP CORE NETWORK
 ip pim sparse-mode
!

Note IP Multicast must be enabled in the Layer 3 core network to allow Cisco wireless APs in local mode to successfully join the WLC announced multicast group. For more information, refer to the Cisco online documentation to implement IP multicast networks.
Configuration Example for Customized Service List and Policy in Wide Area Bonjour Between Multilayer Wired and Wireless Endpoints
This section provides guidance on configuring the Service-Peer, the SDG Agent and Cisco DNA Center, allowing wired and wireless endpoints to dynamically discover printers using Layer 2 unicast and policy.
Example: Wired and Wireless Access Layer Service Peer Configuration
The following table provides a sample configuration of wired and wireless controller access layer service peer.


Table 97: Configuring Wired and Wireless Access Layer Service Peer

Step-1: Enable mDNS gateway and set the gateway mode.
Note: In the wireless controller, service peer mode is enabled by default with the mDNS gateway configuration.
Sample Configuration: Switch Service Peer
!
mdns-sd gateway
 mode service-peer
!
Sample Configuration: Wireless Controller Service Peer
!
mdns-sd gateway
!

Step-2: Create a unique mDNS inbound policy to permit the ingress AirPrint service announcement on the Catalyst switch and wireless controller in service peer mode.
Sample Configuration: Switch Service Peer
!
mdns-sd service-list LOCAL-AREA-SERVICES-IN in
 match printer-ipp
!
Sample Configuration: Wireless Controller Service Peer
!
mdns-sd service-list LOCAL-AREA-SERVICES-IN in
 match printer-ipp
!

Step-3: Create a unique mDNS outbound policy to permit the egress AirPrint service response on the Catalyst switch and wireless controller in service peer mode.
Sample Configuration: Switch Service Peer
!
mdns-sd service-list LOCAL-AREA-SERVICES-OUT out
 match printer-ipp
!
Sample Configuration: Wireless Controller Service Peer
!
mdns-sd service-list LOCAL-AREA-SERVICES-OUT out
 match printer-ipp
!

Step-4: Associate the inbound and outbound service lists to a unique service policy.
Sample Configuration: Switch Service Peer
!
mdns-sd service-policy LOCAL-AREA-POLICY
 service-list LOCAL-AREA-SERVICES-IN in
 service-list LOCAL-AREA-SERVICES-OUT out
!
Sample Configuration: Wireless Controller Service Peer
!
mdns-sd service-policy LOCAL-AREA-POLICY
 service-list LOCAL-AREA-SERVICES-IN in
 service-list LOCAL-AREA-SERVICES-OUT out
!

Step-5: Activate the unicast mDNS gateway and attach the service policy on the wired VLAN and WLAN.
· Switch: Activate mDNS gateway per VLAN.
!
vlan configuration 10, 20
 mdns-sd gateway
  service-policy LOCAL-AREA-POLICY
  active-query timer 3600
!
· Controller: Activate mDNS gateway per WLAN policy profile and SSID.
!
wireless profile policy WLAN-PROFILE
 shutdown
 mdns-sd service-policy LOCAL-AREA-POLICY
 no shutdown
!
wlan WLAN-PROFILE 1 blizzard
 shutdown
 mdns-sd-interface gateway
 no shutdown
!

Cisco Catalyst 9800 Series Wireless Controller Software Configuration Guide, Cisco IOS XE Bengaluru 17.5.x 1900

Cisco DNA Service for Bonjour

Example: Wired and Wireless Distribution Layer SDG Agent Configuration

Configuration Step

Sample Configuration: Switch Service Peer

Sample Configuration: Wireless Controller Service Peer

Step-6: (Optional) Enable service routing on wired service peer mDNS between local VLANs. Also, enable location-based

!

!

mdns-sd location-filter

mdns-sd service-policy

LOCAL-PROXY

LOCAL-AREA-POLICY

match location-group default location ap-location

vlan 10

!

wireless service on the controller. match location-group default
vlan 20
· Switch: Configure location !

filter group to discover and mdns-sd service-list

distribute between paired local

LOCAL-AREA-SERVICES-OUT match printer-ipps

OUT

VLAN.

location-filter LOCAL-PROXY

!
· Controller: Configure

wireless location-based

services.

Step-7: Enable unicast service

!

routing between wired and wireless vlan configuration 10, 20

mdns-sd gateway

mdns-sd gateways

source-interface vlan 4094

service peer and SDG agent.

source-interface vlan 4094 sdg-agent 10.2.1.254

· Switch: Configure SDG agent ! sdg-agent 10.1.1.254

!

IP and wired management

source VLAN ID and IP

address.

· Controller: Configure SDG Agent IP and wireless management source VLAN ID and IP address.

Example: Wired and Wireless Distribution Layer SDG Agent Configuration
The following table provides a sample configuration of distribution layer SDG agent.
Table 98: Configuring Distribution Layer SDG Agent

Configuration Step / Sample Configuration: Wired SDG Agent / Sample Configuration: Wireless SDG Agent

Step-1: Enable mDNS gateway and set the gateway mode.

  Wired SDG Agent and Wireless SDG Agent (same configuration):
    !
    mdns-sd gateway
    !

Step-2: Activate the unicast mDNS gateway on the wired VLANs and on the wireless user VLAN of the respective SDG agents.

  Wired SDG Agent:
    !
    vlan configuration 10, 20
     mdns-sd gateway
    !

  Wireless SDG Agent:
    !
    vlan configuration 30
     mdns-sd gateway
    !

Step-3: Create a unique controller-bound mDNS policy to permit egress AirPrint service discovery and distribution from the Catalyst switch in SDG agent mode. An inbound policy towards the controller is not required.

  Wired SDG Agent and Wireless SDG Agent (same configuration):
    !
    mdns-sd service-list WIDE-AREA-SERVICES-OUT out
     match printer-ipp
    !

Step-4: Associate the outbound service-list to a unique service-policy.

  Wired SDG Agent and Wireless SDG Agent (same configuration):
    !
    mdns-sd service-policy WIDE-AREA-POLICY
     service-list WIDE-AREA-SERVICES-OUT
    !

Step-5: Enable Wide Area Bonjour service-routing. The service export configuration associates the controller IP address, the source interface for the stateful connection, and the mandatory egress policy for Wide Area service-routing.

  Wired SDG Agent and Wireless SDG Agent (same configuration):
    !
    service-export mdns-sd controller DNAC-CONTROLLER-POLICY
     controller-address 100.0.0.1
     controller-source-interface LOOPBACK 0
     controller-service-policy WIDE-AREA-POLICY
    !

Cisco DNA Center Traditional Multilayer Wired and Wireless Configuration

Configuring Service Filters for Traditional Multilayer Wired and Wireless Local Mode (GUI)
This procedure implements global service filters, which permit the Cisco Wide Area Bonjour application to dynamically discover and distribute service information between trusted Cisco Catalyst SDG agent switches across the IP network.
Procedure

Step 1   Navigate to the Configuration tab in the Wide Area Bonjour application.
Step 2   From the sidebar, select the subdomain for which you want to create the service filter.
Step 3   Check the Service Filter box.
Step 4   Click the Service Filter icon in the topology to view a list of the service filters for the selected domain. You can also manually edit existing service filters from this list.
Step 5   Click Create Service Filter.
Step 6   From the Network Mode drop-down list, choose Traditional (the default mode).
Step 7   Enter a unique name for the service filter.
Step 8   (Optional) Enter a description for the service filter.
Step 9   Select one or more service types to permit announcements and queries.
Step 10  Enable or disable service filters after creating them. By default, service filters are enabled.

Configuring Source SDG Agents in Traditional Multilayer Wired and Wireless - Local Mode (GUI)
This procedure configures discovery of wired printer sources from the LAN distribution switches paired with Layer 2 Catalyst Switches in a service peer role. The wireless distribution switches paired with a controller in a service peer role receive query responses for wired printers and distribute the responses to querying devices over the wireless local mode network.
Procedure

Step 1   Click Add in the upper-right portion of the DNA-Center Policy screen.
Step 2   Click the Source radio button to select a source SDG agent. By default, this radio button is selected.
Step 3   From the SDG Agent/IP drop-down list, select the SDG agent (100.0.0.101) that announces the services, for example, Printer.
Step 4   Select Peer from the Service Layer drop-down list.
Step 5   Uncheck the Any box. By default, this is enabled.
Step 6   Select the query VLAN (Vlan-10) to distribute services (Printer) from a specific network.
Step 7   Enable or disable services from the selected query IPv4 subnet. By default, this is enabled.
Step 8   Enable or disable services from the selected query IPv6 subnet. By default, this is enabled.
Step 9   Enter the service peer IPv4 address (10.1.1.1).
Step 10  Click the + icon to add more service peers, if any. Select Any to accept services from any peer on the selected VLAN.
Step 11  (Optional) Click Add Next to add more source SDG agents. (Repeat the preceding steps.)
Step 12  Click DONE.
Step 13  Click CREATE.

Configuring Query SDG Agents in Traditional Multilayer Wired and Wireless - Local Mode (GUI)
This procedure configures distributed services to query SDG agents connected to a controller in service peer mode, based on a policy.

Procedure

Step 1   Click Add in the upper-right portion of the DNA-Center Policy screen.
Step 2   Select the Query SDG agent radio button. By default, the Source radio button is selected.
Step 3   From the SDG Agent/IP drop-down list, select the SDG agent (100.0.0.102) that receives queries for the services (Printer).
Step 4   Select Peer from the Service Layer drop-down list.
Step 5   Uncheck the Any box. By default, this is enabled.
Step 6   Select the query VLAN (Vlan-30) to distribute services (Printer) to a specific network.
Step 7   Enable or disable services from the selected query IPv4 subnet. By default, this is enabled.
Step 8   Enable or disable services from the selected query IPv6 subnet. By default, this is enabled.
Step 9   Enter the service peer IPv4 address (10.2.1.254).
Step 10  Click the + icon to add more service peers, if any. Select Any to accept services from any peer on the selected VLAN.
Step 11  (Optional) Click Add Next to add more query agents. (Repeat the preceding steps.)
Step 12  Click DONE.
Step 13  Click CREATE.

Verifying Wide Area Bonjour Between Multilayer Wired and Wireless Local Mode
This section shows the mDNS configuration and the service discovery and distribution status, based on the applied policy, on the wired Layer 2 access switch in service peer mode and on the distribution switch in SDG agent mode.
Verifying Wired Service-Peer Configuration
Use the following commands on the Cisco Catalyst switch in service peer (SP-1) mode to determine the operational status after applying configuration and discovering the AirPrint service from the local network.
Device# show mdns-sd summary vlan 10

  VLAN: 10
  ==========================================
  mDNS Gateway            : Enabled
  mDNS Service Policy     : LOCAL-AREA-POLICY
  Active Query            : Enabled
                          : Periodicity 3600 Seconds
  Transport Type          : IPv4
  Service Instance Suffix : Not Configured
  mDNS Query Type         : ALL
  SDG Agent IP            : 10.1.1.254
  Source Interface        : Vlan4094

Device# show mdns-sd service-policy name LOCAL-AREA-POLICY

  Service Policy Name      Service List IN Name        Service List Out Name
  ===============================================================================
  LOCAL-AREA-POLICY        LOCAL-AREA-SERVICES-IN      LOCAL-AREA-SERVICES-OUT

Device# show mdns-sd cache vlan 10

  Name                              Type  TTL/Remaining  Vlan-Id/Interface-name  MAC Address     RR Record Data
  ================================================================================================================
  _universal._sub._ipp._tcp.local   PTR   4500/4486      Vl10                    ac18.2651.03fe  Bldg-1-FL1-PRN._ipp._tcp.local
  _ipp._tcp.local                   PTR   4500/4486      Vl10                    ac18.2651.03fe  Bldg-1-FL1-PRN._ipp._tcp.local
  Bldg-1-FL1-PRN._ipp._tcp.local    SRV   4500/4486      Vl10                    ac18.2651.03fe  0 0 631 Bldg-1-FL1-PRN.local
  Bldg-1-FL1-PRN.local              A     4500/4486      Vl10                    ac18.2651.03fe  10.153.1.1
  Bldg-1-FL1-PRN.local              AAAA  4500/4486      Vl10                    ac18.2651.03fe  2001:10:153:1:79:A40C:6BEE:AEEC
  Bldg-1-FL1-PRN._ipp._tcp.local    TXT   4500/4486      Vl10                    ac18.2651.03fe  (451)'txtvers=1''priority=30''ty=EPSON WF-3620 Series''usb_MFG=EPSON''usb_MDL=W~'

Device# show mdns-sd statistics vlan 10

  mDNS Statistics
  Vl10:
    mDNS packets sent                : 612
      IPv4 sent                      : 612
        IPv4 advertisements sent     : 0
        IPv4 queries sent            : 612
      IPv6 sent                      : 0
        IPv6 advertisements sent     : 0
        IPv6 queries sent            : 0
      Unicast sent                   : 0
    mDNS packets rate limited        : 0
    mDNS packets received            : 42
      advertisements received        : 28
      queries received               : 14
      IPv4 received                  : 42
        IPv4 advertisements received : 28
        IPv4 queries received        : 14
      IPv6 received                  : 0
        IPv6 advertisements received : 0
        IPv6 queries received        : 0
    mDNS packets dropped             : 0
  =========================================
  Query Type                         : Count
  =========================================
    PTR                              : 12
    SRV                              : 0
    A                                : 0
    AAAA                             : 0
    TXT                              : 0
    ANY                              : 3
  =================================================
  PTR Name                      Advertisement   Query
  =================================================
  _ipp._tcp.local               9               4
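The cache output above lists the AirPrint printer as six separate resource records; what an operator actually wants to know is whether they describe one consistent service instance. The following Python example, added here and not part of the Cisco guide, parses a constructed copy of the `show mdns-sd cache` layout shown above, joins the PTR, SRV, A/AAAA and TXT rows back into one instance, and flags an instance whose records arrive from more than one MAC address or whose SRV records disagree on the target host. A second SRV row from another MAC under the same instance name is constructed for that purpose; the column order and the regex are assumptions drawn from the output on this page.

```python
"""Rebuild service instances from 'show mdns-sd cache' records and flag spoofing.

Added example, not Cisco code. CACHE_VLAN10 is a constructed sample in the
record layout shown on this page; the last SRV line (second MAC, same instance
name) is an assumption added to exercise the spoofing check.
"""
import re
from collections import defaultdict

CACHE_VLAN10 = """\
Name                              Type  TTL/Remaining  Vlan-Id/Interface-name  MAC Address     RR Record Data
==============================================================================================================
_universal._sub._ipp._tcp.local   PTR   4500/4486      Vl10   ac18.2651.03fe   Bldg-1-FL1-PRN._ipp._tcp.local
_ipp._tcp.local                   PTR   4500/4486      Vl10   ac18.2651.03fe   Bldg-1-FL1-PRN._ipp._tcp.local
Bldg-1-FL1-PRN._ipp._tcp.local    SRV   4500/4486      Vl10   ac18.2651.03fe   0 0 631 Bldg-1-FL1-PRN.local
Bldg-1-FL1-PRN.local              A     4500/4486      Vl10   ac18.2651.03fe   10.153.1.1
Bldg-1-FL1-PRN.local              AAAA  4500/4486      Vl10   ac18.2651.03fe   2001:10:153:1:79:A40C:6BEE:AEEC
Bldg-1-FL1-PRN._ipp._tcp.local    TXT   4500/4486      Vl10   ac18.2651.03fe   (451)'txtvers=1''priority=30''ty=EPSON WF-3620 Series''usb_MFG=EPSON'
Bldg-1-FL1-PRN._ipp._tcp.local    SRV   4500/4500      Vl10   0011.2233.4455   0 0 631 unknown-host.local
"""

# Name, Type, TTL/Remaining, VLAN, MAC, then the record data (which may contain spaces).
RECORD_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<type>PTR|SRV|AAAA|A|TXT)\s+(?P<ttl>\d+)/(?P<remaining>\d+)\s+"
    r"(?P<vlan>\S+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(?P<data>.*)$")


def parse_cache(text: str) -> list:
    """One dict per resource record; the header and separator lines do not match the regex."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ttl"], rec["remaining"] = int(rec["ttl"]), int(rec["remaining"])
            rec["data"] = rec["data"].strip()
            records.append(rec)
    return records


def parse_txt(data: str) -> dict:
    """(451)'txtvers=1''priority=30'... -> {'txtvers': '1', 'priority': '30', ...}; (451) is the record length."""
    return dict(kv.split("=", 1) for kv in re.findall(r"'([^']*=[^']*)'", data))


def build_instances(records: list) -> dict:
    """Follow PTR -> SRV -> A/AAAA/TXT so each instance carries its targets, addresses, TXT and source MACs."""
    by_name = defaultdict(list)
    for r in records:
        by_name[r["name"]].append(r)
    instances = {}
    for r in records:
        if r["type"] != "PTR" or r["data"] in instances:
            continue
        inst = {"ptr": [], "targets": [], "addresses": [], "txt": {}, "macs": set()}
        for rr in by_name[r["data"]]:
            inst["macs"].add(rr["mac"])
            if rr["type"] == "SRV":
                _prio, _weight, port, host = rr["data"].split()
                inst["targets"].append((host, int(port)))
                for ar in by_name[host]:
                    if ar["type"] in ("A", "AAAA"):
                        inst["addresses"].append(ar["data"])
                        inst["macs"].add(ar["mac"])
            elif rr["type"] == "TXT":
                inst["txt"] = parse_txt(rr["data"])
        instances[r["data"]] = inst
    for r in records:
        if r["type"] == "PTR":
            instances[r["data"]]["ptr"].append(r["name"])
    return instances


def find_spoofing(instances: dict) -> list:
    """Records for one instance from several MACs, or SRV rows naming several hosts, are suspect."""
    findings = []
    for name, inst in instances.items():
        if len(inst["macs"]) > 1:
            findings.append(f"{name}: records from several MACs {sorted(inst['macs'])}")
        if len({host for host, _ in inst["targets"]}) > 1:
            findings.append(f"{name}: SRV targets disagree {sorted(inst['targets'])}")
    return findings
```

Run `find_spoofing(build_instances(parse_cache(CACHE_VLAN10)))` against the sample and both checks fire for Bldg-1-FL1-PRN; against the real output above (one MAC, one SRV) the list is empty. The same join is what lets you verify that the A/AAAA addresses of an advertised printer fall in the subnet the VLAN is supposed to carry.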

Verifying Wired SDG Agent Configuration and Service-Routing Status

This section provides information on mDNS configuration and service-routing on Wired SDG Agent (SDG-1) with locally attached Layer 2 access switches in Service-Peer (SP-1) mode and with centrally paired Cisco DNA-Center for Wide Area Bonjour service-routing.
Device# show mdns-sd summary vlan 10

  VLAN: 10
  ==========================================
  mDNS Gateway            : Enabled
  mDNS Service Policy     : LOCAL-AREA-POLICY
  Active Query            : Disabled
  Transport Type          : IPv4
  Service Instance Suffix : Not-Configured
  mDNS Query Type         : ALL
  SDG Agent IP            : Not-Configured
  Source Interface        : Not-Configured

Device# show mdns-sd cache vlan 10

  Name                              Type  TTL/Remaining  Vlan-Id/Interface-name  MAC Address     RR Record Data
  ================================================================================================================
  _universal._sub._ipp._tcp.local   PTR   4500/4500      Vl10                    ac18.2651.03fe  Bldg-1-FL1-PRN._ipp._tcp.local
  _ipp._tcp.local                   PTR   4500/4500      Vl10                    ac18.2651.03fe  Bldg-1-FL1-PRN._ipp._tcp.local
  Bldg-1-FL1-PRN._ipp._tcp.local    SRV   4500/4500      Vl10                    ac18.2651.03fe  0 0 631 Bldg-1-FL1-PRN.local
  Bldg-1-FL1-PRN.local              A     4500/4500      Vl10                    ac18.2651.03fe  10.153.1.1
  Bldg-1-FL1-PRN.local              AAAA  4500/4500      Vl10                    ac18.2651.03fe  2001:10:153:1:79:A40C:6BEE:AEEC
  Bldg-1-FL1-PRN._ipp._tcp.local    TXT   4500/4500      Vl10                    ac18.2651.03fe  (451)'txtvers=1''priority=30''ty=EPSON WF-3620 Series''usb_MFG=EPSON''usb_MDL=W~'

Device# show mdns-sd sp-sdg statistics

                                    One min, 5 mins, 1 hour
  Average Input rate (pps)        : 0, 0, 0
  Average Output rate (pps)       : 0, 0, 0
  Messages received:
    Query                         : 15796
    ANY query                     : 0
    Advertisements                : 28
    Advertisement Withdraw        : 0
    Interface down                : 0
    Vlan down                     : 0
    Service-peer ID change        : 0
    Service-peer cache clear      : 12
    Resync response               : 6
  Messages sent:
    Query response                : 5975
    ANY Query response            : 0
    Cache-sync                    : 61
    Get service-instance          : 0

Device# show mdns-sd controller detail

  Controller: DNAC-Policy
   IP: 100.0.0.1, Dest Port : 9991, Src Port : 42446, State : UP
   Source Interface : Loopback0, MD5 Disabled
   Hello Timer 30 sec, Dead Timer 120 sec, Next Hello 00:00:24
   Uptime 2d05h (17:02:37 UTC Jan 15 2021)
   Service Buffer: Enabled

  Service Announcement:
   Filter: DNAC-CONTROLLER-POLICY
   Count 50, Delay Timer 30 sec, Pending Announcement 0, Pending Withdraw 0
   Total Export Count 56, Next Export in 00:00:24

  Service Query:
   Query Suppression Enabled
   Query Count 50, Query Delay Timer 15 sec, Pending 0
   Total Query Count 15791, Next Query in 00:00:09

Verifying Wireless Service-Peer Configuration and Service Status

The following commands on the wireless controller in service peer (SP-2) mode show the operational status after applying the configuration and discovering the AirPrint service from the remote network.
Device# show mdns-sd summary

  mDNS Gateway                                  : Enabled
  Mode                                          : Service Peer
  Service Announcement Periodicity (in seconds) : 30
  Service Announcement Count                    : 50
  Service Query Periodicity (in seconds)        : 15
  Service Query Count                           : 50
  Active Response Timer (in seconds)            : Disabled
  ANY Query Forward                             : Disabled
  SDG Agent IP                                  : 10.2.1.254
  Source Interface                              : Vlan4094
  Active Query Periodicity (in minutes)         : 15
  Transport Type                                : IPv4
  mDNS AP service policy                        : default-mdns-service-policy

Device# show wireless profile policy detailed WLAN-PROFILE | sec mDNS

  mDNS Gateway
    mDNS Service Policy name : LOCAL-AREA-POLICY

Device# show mdns-sd statistics wlan-id 1

  mDNS Packet Statistics
  -------------------------------------------------
  mDNS stats last reset time: 01/10/21 21:38:19
  mDNS packets sent: 4592
    IPv4 sent: 4592
      IPv4 advertisements sent: 4592
      IPv4 queries sent: 0
    IPv6 sent: 0
      IPv6 advertisements sent: 0
      IPv6 queries sent: 0
    Multicast sent: 0
      IPv4 sent: 0
      IPv6 sent: 0
  mDNS packets received: 297
    advertisements received: 80
    queries received: 217
    IPv4 received: 297
      IPv4 advertisements received: 80
      IPv4 queries received: 217
    IPv6 received: 0
      IPv6 advertisements received: 0
      IPv6 queries received: 0
  mDNS packets dropped: 297
  Query Type Statistics
    PTR queries received: 1720
    SRV queries received: 8
    A query received: 8
    AAAA queries received: 8
    TXT queries received: 97
    ANY queries received: 153
    OTHER queries received: 0

Device# show mdns-sd sp-sdg statistics

  mDNS SP Statistics last reset time: 01/10/21 21:37:36
  Messages sent:
    Query                         : 12675
    ANY query                     : 0
    Advertisements                : 24
    Advertisement Withdraw        : 0
    Service-peer ID change        : 0
    Service-peer cache clear      : 7
    Resync response               : 5
  Messages received:
    Query response                : 4619
    ANY Query response            : 0
    Cache-sync                    : 48
    Get service-instance          : 0

Device# show mdns-sd query-db

  MDNS QUERY DB
  Client MAC        : 4c32.7593.e3af
  Vlan ID           : 30
  Wlan ID           : 1
  Location Group ID : 0
  PTR Name(s)       : _ipp._tcp.local

Verifying Wireless SDG Agent Configuration and Service-Routing Status

This section provides information on the mDNS configuration and service-routing on the wireless SDG agent (SDG-2) with its locally attached controller in service peer (SP-2) mode and with the centrally paired Cisco DNA Center for Wide Area Bonjour service-routing.
Device# show mdns-sd summary vlan 30

  VLAN: 30
  ==========================================
  mDNS Gateway            : Enabled
  mDNS Service Policy     : LOCAL-AREA-POLICY
  Active Query            : Disabled
  Transport Type          : IPv4
  Service Instance Suffix : Not Configured
  mDNS Query Type         : ALL
  SDG Agent IP            : Not Configured
  Source Interface        : Not Configured

Device# show mdns-sd sp-sdg statistics

                                    One min, 5 mins, 1 hour
  Average Input rate (pps)        : 0, 0, 0
  Average Output rate (pps)       : 0, 0, 0
  Messages received:
    Query                         : 12191
    ANY query                     : 0
    Advertisements                : 0
    Advertisement Withdraw        : 0
    Interface down                : 0
    Vlan down                     : 0
    Service-peer ID change        : 0
    Service-peer cache clear      : 18
    Resync response               : 10
  Messages sent:
    Query response                : 1975
    ANY Query response            : 0
    Cache-sync                    : 19
    Get service-instance          : 0

Device# show mdns-sd controller detail

  Controller: DNAC-Policy
   IP: 100.0.0.1, Dest Port : 9991, Src Port : 42931, State : UP
   Source Interface: Loopback0, MD5 Disabled
   Hello Timer 30 sec, Dead Timer 120 sec, Next Hello 00:00:19
   Uptime 2d05h (17:10:18 UTC Jan 15 2021)
   Service Buffer: Enabled

  Service Announcement:
   Filter: DNAC-CONTROLLER-POLICY
   Count 50, Delay Timer 30 sec, Pending Announcement 0, Pending Withdraw 0
   Total Export Count 0, Next Export in 00:00:19

  Service Query:
   Query Suppression Enabled
   Query Count 50, Query Delay Timer 15 sec, Pending 0
   Total Query Count 17093, Next Query in 00:00:19
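The summary, statistics and controller detail outputs in this verification section are the evidence that the policy chain is actually in effect, and the same three formats are what an operator ends up checking across every service peer and SDG agent. The following Python example, added here and not part of the Cisco guide, parses constructed copies of those formats and applies the checks worth scripting: the VLAN is gateway-enabled with the expected policy and SDG agent, the rate-limited and dropped counters are zero, and the Wide Area Bonjour session is UP, points at the expected controller address and export filter, and is authenticated. Like the sample on this page, the constructed controller output reports MD5 Disabled, so the last check fires; the non-zero counters, the field regexes and the expected values passed to the checks are assumptions.

```python
"""Health checks over 'show mdns-sd' output from a service peer and an SDG agent.

Added example, not Cisco code. The three outputs are constructed samples in the
formats shown on this page; the non-zero rate-limited and dropped counters are
an assumption added to exercise the statistics check.
"""
import re

SUMMARY_VLAN10 = """\
VLAN: 10
==========================================
mDNS Gateway            : Enabled
mDNS Service Policy     : LOCAL-AREA-POLICY
Active Query            : Enabled
                        : Periodicity 3600 Seconds
Transport Type          : IPv4
mDNS Query Type         : ALL
SDG Agent IP            : 10.1.1.254
Source Interface        : Vlan4094
"""

STATS_VLAN10 = """\
mDNS Statistics
Vl10:
  mDNS packets sent          : 612
  mDNS packets rate limited  : 37
  mDNS packets received      : 42
  mDNS packets dropped       : 5
"""

CONTROLLER_DETAIL = """\
Controller: DNAC-Policy
 IP: 100.0.0.1, Dest Port : 9991, Src Port : 42446, State : UP
 Source Interface : Loopback0, MD5 Disabled
Service Announcement:
 Filter: DNAC-CONTROLLER-POLICY
"""


def parse_kv(text: str) -> dict:
    """'Key : Value' lines -> dict, numeric values as int. A line with an empty
    key (': Periodicity 3600 Seconds') is a continuation and is skipped."""
    out = {}
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        key, val = key.strip(), val.strip()
        if sep and key:
            out[key] = int(val) if val.isdigit() else val
    return out


def parse_controller_detail(text: str) -> dict:
    """Pull the fields that matter out of the comma-joined controller detail lines."""
    def grab(pattern):
        m = re.search(pattern, text)
        return m.group(1) if m else None
    return {"ip": grab(r"IP:\s*([0-9.]+)"), "state": grab(r"State\s*:\s*(\S+)"),
            "md5": grab(r"MD5\s+(Enabled|Disabled)"), "filter": grab(r"Filter:\s*(\S+)")}


def check_summary(summary: dict, policy: str, sdg_agent: str) -> list:
    """A service-peer VLAN must be gateway-enabled, carry the intended policy and point at its SDG agent."""
    expected = {"mDNS Gateway": "Enabled", "mDNS Service Policy": policy, "SDG Agent IP": sdg_agent}
    return [f"{k} is {summary.get(k)!r}, expected {v!r}" for k, v in expected.items() if summary.get(k) != v]


def check_statistics(stats: dict) -> list:
    """Non-zero rate-limit or drop counters are traffic the gateway refused: a flood, or a policy mismatch."""
    return [f"{k} = {stats[k]}; compare against the service-list and look for an mDNS flood"
            for k in ("mDNS packets rate limited", "mDNS packets dropped")
            if isinstance(stats.get(k), int) and stats[k] > 0]


def check_controller(detail: dict, controller_ip: str, policy: str) -> list:
    """The Wide Area Bonjour session must be up, aimed at the right controller and filter, and authenticated."""
    findings = [f"{k} is {detail[k]!r}, expected {v!r}" for k, v in
                {"state": "UP", "ip": controller_ip, "filter": policy}.items() if detail[k] != v]
    if detail["md5"] != "Enabled":
        findings.append("MD5 authentication is disabled on the controller session; confirm this is intended")
    return findings


def audit_all() -> list:
    """Run every check over the sample outputs; an empty list would mean all clear."""
    return (check_summary(parse_kv(SUMMARY_VLAN10), "LOCAL-AREA-POLICY", "10.1.1.254")
            + check_statistics(parse_kv(STATS_VLAN10))
            + check_controller(parse_controller_detail(CONTROLLER_DETAIL), "100.0.0.1", "DNAC-CONTROLLER-POLICY"))
```

`audit_all()` returns three findings for the samples: the two non-zero counters and the unauthenticated controller session. Feed it the real output captured from each device (for example through the CLI or a NETCONF exec) and the same functions turn the verification section above into a repeatable check.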

Verifying Cisco DNA-Center Configuration and Service-Routing Status
The Cisco Wide Area Bonjour application provides assurance capabilities to manage service-routing with the network-wide distributed Cisco Catalyst switches in the SDG agent role and the mDNS services discovered across the Wide Area Bonjour domain. These capabilities show the service-routing state, the mDNS service state and related information at several levels for day-2 operation, analysis and troubleshooting. Each monitoring category serves a distinct function.
This sub-section gives a brief overview of each category of monitor function:
· Dashboard: The landing page of the Cisco Wide Area Bonjour application shows key statistics in several formats so that service-routing health across the network can be judged quickly. The network administrator can monitor the operational status of service-routing with the SDG agent devices, a historical chart of service discovery requests, processing and drops from the network-wide distributed devices, and the top five talkers across the network.
· Sub-Domain 360°: The network administrator can collect statistics and status counts in a 360° view. The left panel with monitoring and configuration options opens automatically when a sub-domain is selected, to verify the configured policies and the discovered service instances per sub-domain in the configuration section.
· Monitor: A three-tier monitoring and troubleshooting function for day-2 operations. The detail views of SDG agents and service instances and the advanced troubleshooting capabilities let the network administrator manage and troubleshoot the Wide Area Bonjour domain from a single pane of glass on Cisco DNA Center.


For more information, see the Cisco Wide Area Bonjour on Cisco DNA Center User Guide, Release 2.1.2. The assurance capabilities and operational details are explained in its Monitor the Cisco Wide Area Bonjour Application chapter.

Reference

Table 99:

Related Topic                                                         Document Title
DNA Service for Bonjour Deployment on Cisco Catalyst 9600 Switch      Cisco Catalyst 9600 Series Switch Software Configuration Guide, Release 17.5.X
DNA Service for Bonjour Deployment on Cisco Catalyst 9500 Switch      Cisco Catalyst 9500 Series Switch Software Configuration Guide, Release 17.5.X
DNA Service for Bonjour Deployment on Cisco Catalyst 9400 Switch      Cisco Catalyst 9400 Series Switch Software Configuration Guide, Release 17.5.X
DNA Service for Bonjour Deployment on Cisco Catalyst 9300 Switch      Cisco Catalyst 9300 Series Switch Software Configuration Guide, Release 17.5.X
Cisco Wide Area Bonjour Application on Cisco DNA Center User Guide    Cisco Wide Area Bonjour Application on Cisco DNA Center User Guide, Release 2.2.2

Chapter 189
Configuration Example for FlexConnect Mode Wireless and Wired
· Overview, on page 1913
· Configuration Example for Customized Service List and Policy in FlexConnect Mode - Wireless and Wired, on page 1914
· Verifying Configuration Example for FlexConnect Mode - Wireless and Wired, on page 1919
· Reference, on page 1923
Overview
This chapter provides configuration guidelines to implement Local Area Bonjour, enabling end-to-end policy-based mDNS service discovery and distribution across a multilayer wired and wireless FlexConnect local-switching network. The first-hop mDNS gateway at the Layer 2 access switch must be implemented in service peer mode and paired with the common distribution-layer switch in the SDG agent role, which provides the IP gateway function to wired and wireless clients. The network-wide distributed SDG agents can alternatively be paired with Cisco DNA Center to enable mDNS service-routing across the IP core network, providing mDNS service assurance, monitoring and troubleshooting.
The following figure illustrates a unicast-mode Bonjour network with an AirPrint-capable printer and a wireless user computer (macOS, Microsoft Windows, and so on) connected to the same Ethernet switch. The network administrator implements a policy that permits additional endpoints associated with a nearby Ethernet switch to discover and use the remote AirPrint-capable printer without flooding mDNS over the wired and wireless networks.
Figure 72: Local Area Bonjour Service-Routing Multilayer Wired and Wireless FlexConnect Local-Switching Mode

Configuration Example for Customized Service List and Policy in FlexConnect Mode - Wireless and Wired
This section provides guidance on configuring the Service Peer, the SDG Agent, and Cisco DNA Center so that wired and wireless endpoints can dynamically discover a printer using Layer 2 unicast mDNS and policy.
Example: Wired and Wireless Access Layer Service Peer Configuration
The following table provides a sample configuration of wired and wireless controller access layer service peer.
Table 100: Configuring Wired and Wireless Access Layer Service Peer

Configuration Step / Sample Configuration: SP-1 Service-Peer Configuration / Sample Configuration: SP-2 Service-Peer Configuration

Step-1: Enable mDNS gateway and set the gateway mode.

  SP-1 and SP-2 (same configuration):
    !
    mdns-sd gateway
     mode service-peer
    !

Step-2: Create a unique mDNS inbound policy to permit the ingress AirPrint service announcement and query on the Catalyst switch in service peer mode.

  SP-1 and SP-2 (same configuration):
    !
    mdns-sd service-list LOCAL-AREA-SERVICES-IN in
     match printer-ipp
    !

Step-3: Create a unique mDNS outbound policy to permit the egress AirPrint service response on the Catalyst switch in service peer mode.

  SP-1 and SP-2 (same configuration):
    !
    mdns-sd service-list LOCAL-AREA-SERVICES-OUT out
     match printer-ipp
    !

Step-4: Associate the inbound and outbound service lists to a unique service policy.

  SP-1 and SP-2 (same configuration):
    !
    mdns-sd service-policy LOCAL-AREA-POLICY
     service-list LOCAL-AREA-SERVICES-IN
     service-list LOCAL-AREA-SERVICES-OUT
    !

Step-5: Activate the unicast mDNS gateway and attach the service policy on the wired VLAN and the wireless FlexConnect user VLAN of the SP-1 and SP-2 Layer 2 access switches.

  SP-1:
    !
    vlan configuration 10, 30
     mdns-sd gateway
      service-policy LOCAL-AREA-POLICY
      active-query timer 3600
    !

  SP-2:
    !
    vlan configuration 20, 30
     mdns-sd gateway
      service-policy LOCAL-AREA-POLICY
      active-query timer 3600
    !

Step-6: Enable mDNS service routing on the wired service peer between the mDNS source and receiver local VLANs.

  Note: This step is optional for the SP-2 switch, as it has no local mDNS service provider endpoints or VLANs.

  SP-1:
    !
    mdns-sd location-filter LOCAL-PROXY
     match location-group default vlan 10
     match location-group default vlan 30
    !
    mdns-sd service-list LOCAL-AREA-SERVICES-OUT OUT
     match printer-ipps location-filter LOCAL-PROXY
    !

  SP-2: optional, not configured in this example.

Step-7: Enable unicast service routing between the wired and wireless service peers and the SDG agent, using the wired management source VLAN ID and IP address.

  SP-1:
    !
    vlan configuration 10, 30
     mdns-sd gateway
      source-interface vlan 4094
      sdg-agent 10.1.1.254
    !

  SP-2:
    !
    vlan configuration 20, 30
     mdns-sd gateway
      source-interface vlan 4094
      sdg-agent 10.1.1.254
    !


Example: Wired and Wireless Distribution Layer SDG Agent Configuration
The following table provides a sample configuration of distribution layer SDG agent.
Table 101: Configuring Wired and Wireless Distribution Layer SDG Agent

Configuration Step / Sample Configuration: SDG-1 SDG Agent

Step-1: Enable mDNS gateway and set the gateway mode. The default mode is sdg-agent.
    !
    mdns-sd gateway
    !

Step-2: Create a unique mDNS inbound policy to permit the ingress AirPrint service announcement and query from the Catalyst switch in service peer mode.
    !
    mdns-sd service-list LOCAL-AREA-SERVICES-IN in
     match printer-ipp
    !

Step-3: Create a unique mDNS outbound policy to permit the egress AirPrint service response to the Catalyst switch in service peer mode.
    !
    mdns-sd service-list LOCAL-AREA-SERVICES-OUT out
     match printer-ipp
    !

Step-4: Associate the inbound and outbound service-lists to a unique service-policy.
    !
    mdns-sd service-policy LOCAL-AREA-POLICY
     service-list LOCAL-AREA-SERVICES-IN
     service-list LOCAL-AREA-SERVICES-OUT
    !

Step-5: Activate the unicast mDNS gateway on the wired VLANs and the wireless user VLAN on the SDG agent.
    !
    vlan configuration 10, 20, 30
     mdns-sd gateway
    !

Step-6: Configure the service peer group, attach the service-policy on the SDG agent distribution switch, and enable service-routing between the service peer switches assigned to the group.
    !
    mdns-sd service-peer group
     peer-group 1
      service-policy LOCAL-AREA-POLICY
      service-peer 10.1.1.1 location-group default
      service-peer 10.1.1.2 location-group default
    !

Step-7: Create a unique controller-bound mDNS policy to permit egress AirPrint service discovery and distribution from the Catalyst switch in SDG agent mode. An inbound policy towards the controller is not required.
    !
    mdns-sd service-list WIDE-AREA-SERVICES-OUT out
     match printer-ipp
    !

Step-8: Associate the outbound service-list to a unique service-policy.
    !
    mdns-sd service-policy WIDE-AREA-POLICY
     service-list WIDE-AREA-SERVICES-OUT
    !

Step-9: Enable Wide Area Bonjour service-routing. The service export configuration associates the controller IP address, the source interface for the stateful connection, and the mandatory egress policy for Wide Area service-routing.
    !
    service-export mdns-sd controller DNAC-CONTROLLER-POLICY
     controller-address 100.0.0.1
     controller-source-interface LOOPBACK 0
     controller-service-policy WIDE-AREA-POLICY
    !
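The service-peer and SDG-agent tables in this chapter (Tables 100 and 101) and in the previous chapter (Tables 97 and 98) all build the same chain: a service-list allowlists service types, a service-policy bundles the lists, and the policy is attached to a VLAN, a service-peer group or the controller export. A broken link in that chain fails silently (nothing is forwarded), and an over-broad service-list leaks services across VLAN and site boundaries. The following Python example, added here and not Cisco code, parses a constructed IOS XE config modelled on those tables and checks that every referenced list and policy exists, that the Wide Area export carries its mandatory egress policy, and that every service-list stays inside an explicit allowlist. The allowlist, the GUEST-ALL-OUT list, the MISSING-POLICY reference and the omitted controller-service-policy are assumptions introduced to make the checks fire.

```python
"""Audit the mDNS gateway policy chain in an IOS XE running-config.

Added example, not Cisco code. SAMPLE_CONFIG is a constructed config built from
the service-peer, SDG-agent and service-export stanzas in the tables on this
page; ALLOWED_SERVICES, GUEST-ALL-OUT and MISSING-POLICY are assumptions added
to exercise the checks.
"""
import re
from dataclasses import dataclass, field

SAMPLE_CONFIG = """\
mdns-sd service-list LOCAL-AREA-SERVICES-IN in
 match printer-ipp
!
mdns-sd service-list LOCAL-AREA-SERVICES-OUT OUT
 match printer-ipps location-filter LOCAL-PROXY
!
mdns-sd service-list GUEST-ALL-OUT out
 match airplay
!
mdns-sd service-policy LOCAL-AREA-POLICY
 service-list LOCAL-AREA-SERVICES-IN
 service-list LOCAL-AREA-SERVICES-OUT
!
mdns-sd service-peer group
 peer-group 1
  service-policy LOCAL-AREA-POLICY
  service-peer 10.1.1.1 location-group default
!
vlan configuration 10, 20
 mdns-sd gateway
  service-policy LOCAL-AREA-POLICY
  source-interface vlan 4094
  sdg-agent 10.1.1.254
!
vlan configuration 30
 mdns-sd gateway
  service-policy MISSING-POLICY
!
service-export mdns-sd controller DNAC-CONTROLLER-POLICY
 controller-address 100.0.0.1
 controller-source-interface LOOPBACK 0
!
"""

# Assumption: only AirPrint may cross VLAN, service-peer and controller boundaries.
ALLOWED_SERVICES = {"printer-ipp", "printer-ipps"}


@dataclass
class Stanza:
    header: str
    lines: list = field(default_factory=list)


def parse_stanzas(config: str) -> list:
    """Split the config into top-level stanzas; indented lines belong to the last header."""
    stanzas = []
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0] != " ":
            stanzas.append(Stanza(raw.strip()))
        elif stanzas:
            stanzas[-1].lines.append(raw.strip())
    return stanzas


def _args(stanza: Stanza, keyword: str) -> list:
    """First argument of every child line that starts with keyword."""
    return [ln.split()[1] for ln in stanza.lines if ln.startswith(keyword + " ")]


def audit_mdns_config(config: str, allowed=ALLOWED_SERVICES) -> list:
    """Return findings; an empty list means every policy link resolves and lists stay in the allowlist."""
    stanzas = parse_stanzas(config)
    service_lists = {}   # name -> matched service types
    policies = {}        # name -> referenced service-list names
    for s in stanzas:
        if re.match(r"mdns-sd service-list \S+ (in|out)$", s.header, re.IGNORECASE):
            service_lists[s.header.split()[2]] = _args(s, "match")
        elif re.match(r"mdns-sd service-policy \S+$", s.header):
            policies[s.header.split()[2]] = _args(s, "service-list")

    findings = []
    # 1. A service-list is an allowlist: it must name something, and only the intended types.
    for name, types in service_lists.items():
        if not types:
            findings.append(f"service-list {name}: no match entries")
        findings += [f"service-list {name}: '{t}' is not in the allowlist" for t in types if t not in allowed]
    # 2. A policy may only reference service-lists that exist.
    for pname, lists in policies.items():
        findings += [f"service-policy {pname}: undefined service-list {l}" for l in lists if l not in service_lists]
    # 3. VLANs, peer groups and the controller export may only attach policies that exist,
    #    and the Wide Area export needs its mandatory egress policy.
    for s in stanzas:
        if s.header.startswith(("vlan configuration", "mdns-sd service-peer group")):
            findings += [f"{s.header}: undefined service-policy {p}" for p in _args(s, "service-policy") if p not in policies]
            if _args(s, "sdg-agent") and not _args(s, "source-interface"):
                findings.append(f"{s.header}: sdg-agent set without a source-interface")
        elif s.header.startswith("service-export mdns-sd controller"):
            for req in ("controller-address", "controller-source-interface", "controller-service-policy"):
                if not _args(s, req):
                    findings.append(f"{s.header}: missing {req}")
            findings += [f"{s.header}: undefined service-policy {p}" for p in _args(s, "controller-service-policy") if p not in policies]
    return findings
```

`audit_mdns_config(SAMPLE_CONFIG)` reports three findings: the `airplay` entry outside the allowlist, the undefined MISSING-POLICY attached to VLAN 30, and the export without `controller-service-policy`. Point it at a `show running-config | section mdns-sd|vlan configuration|service-export` capture from each switch and controller to confirm the chain is intact before touching the DNA Center policy.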

Cisco DNA Center Traditional Multilayer Wired and Wireless Configuration
Configuring Service Filters for Traditional Multilayer Wired and Wireless FlexConnect Local-Switching Mode (GUI)
This procedure implements global service filters, which permit the Cisco Wide Area Bonjour application to dynamically discover and distribute service information between trusted Cisco Catalyst SDG agent switches across the IP network.
Procedure

Step 1   Navigate to the Configuration tab in the Wide Area Bonjour application.
Step 2   From the sidebar, select the sub-domain for which you want to create the service filter.
Step 3   Check the Service Filter box.
Step 4   Click the Service Filter icon in the topology to view a list of the service filters for the selected domain. You can also manually edit existing service filters from this list.
Step 5   Click Create Service Filter.
Step 6   From the Network Mode drop-down list, choose Traditional (the default mode).
Step 7   Enter a unique name for the service filter.
Step 8   (Optional) Enter a description for the service filter.
Step 9   Select one or more service types to permit announcements and queries.
Step 10  Enable or disable service filters after creating them. By default, service filters are enabled.

Configuring Source SDG Agents in Traditional Multilayer Wired and Wireless FlexConnect Local-Switching Mode (GUI)
This procedure configures discovery of wired printer sources from the LAN distribution switches paired with Layer 2 Catalyst Switches in a service peer role. The wireless distribution switches paired with a controller in a service peer role receive query responses for wired printers and distribute the responses to querying devices over the wireless FlexConnect local switching mode network.
Procedure

Step 1  Click Add on the upper-right of DNAC.
Step 2  Click the Source radio button to select a source SDG agent. By default, this radio button is selected.
Step 3  From the SDG Agent/IP drop-down list, select an SDG agent (100.0.0.101) which announces the services, for example, Printer.
Step 4  Select Peer from the Service Layer drop-down list.
Step 5  Uncheck the box Any. By default, this is unchecked.
Step 6  Select the query VLAN (Vlan-10) to distribute services (Printer) from a specific network.
Step 7  Enable or disable services from the selected query IPv4 subnet. By default, this is enabled.
Step 8  Enable or disable services from the selected query IPv6 subnet. By default, this is enabled.
Step 9  Enter the service peer IPv4 address (10.1.1.1).

Note  Select Any to accept services from any peer on a selected VLAN.

Step 10 (Optional) Click Add Next to add more source SDG agents. (Repeat the preceding steps.)
Step 11 Click DONE.
Step 12 Click CREATE.

Configuring Query SDG Agents in Traditional Multilayer Wired and Wireless FlexConnect Local-Switching Mode (GUI)
This procedure configures distributed services to query SDG agents connected to a controller in service peer mode, based on a policy. If the network environment is different, see the Cisco Wide Area Bonjour on Cisco DNA Center User Guide, Release 2.1.2.
Procedure

Step 1  Click Add on the upper-right of DNAC.
Step 2  Select the Query SDG agent radio button. By default, the Source radio button is selected.
Step 3  From the SDG Agent/IP drop-down list, select an SDG agent (100.0.0.102) that receives queries for the services (Printer).
Step 4  Select Peer from the Service Layer drop-down list.
Step 5  Uncheck the box Any. By default, this is enabled.
Step 6  Select the query VLAN (Vlan-30) to distribute services (Printer) to a specific network.
Step 7  Enable or disable services from the selected query IPv4 subnet. By default, this is enabled.
Step 8  Enable or disable services from the selected query IPv6 subnet. By default, this is enabled.
Step 9  Enter the service peer IPv4 address (10.2.1.254).
Step 10 Click the + icon to add more service-peers, if any. Select Any to accept services from any peer on a selected VLAN.
Step 11 (Optional) Click Add Next to add more query agents. (Repeat the preceding steps.)
Step 12 Click DONE.
Step 13 Click CREATE.

Verifying Configuration Example for FlexConnect Mode - Wireless and Wired
This section shows the mDNS configuration and the service discovery and distribution status, based on the applied policy, on a Wired Layer 2 access switch in service peer mode and on the SDG agent.

Verifying Wired Service-Peer Configuration

Use the following commands on the Cisco Catalyst switch in service peer (SP-1 and SP-2) mode to determine the operational status after applying configuration and discovering the AirPrint service from the local network.
Device# show mdns-sd summary vlan 10

VLAN: 10
==========================================
mDNS Gateway              : Enabled
mDNS Service Policy       : LOCAL-AREA-POLICY
Active Query              : Enabled
                          : Periodicity 3600 Seconds
Transport Type            : IPv4
Service Instance Suffix   : Not Configured
mDNS Query Type           : ALL
SDG Agent IP              : 10.1.1.254
Source Interface          : Vlan4094

Device# show mdns-sd service-policy name LOCAL-AREA-POLICY

Service Policy Name     Service List IN Name       Service List Out Name
===============================================================================
LOCAL-AREA-POLICY       LOCAL-AREA-SERVICES-IN     LOCAL-AREA-SERVICES-OUT

Device# show mdns-sd cache vlan 10

Name                               Type  TTL/       Vlan-Id/        MAC Address     RR Record Data
                                         Remaining  Interface-name
_universal._sub._ipp._tcp.local    PTR   4500/4486  Vl10            ac18.2651.03fe  Bldg-1-FL1-PRN._ip
_ipp._tcp.local                    PTR   4500/4486  Vl10            ac18.2651.03fe  Bldg-1-FL1-PRN._ip
Bldg-1-FL1-PRN._ipp._tcp.local     SRV   4500/4486  Vl10            ac18.2651.03fe  0 0 631 Bldg-1-FL1-P
Bldg-1-FL1-PRN.local               A     4500/4486  Vl10            ac18.2651.03fe  10.153.1.1
Bldg-1-FL1-PRN.local               AAAA  4500/4486  Vl10            ac18.2651.03fe  2001:10:153:1:79:A4
Bldg-1-FL1-PRN._ipp._tcp.local     TXT   4500/4486  Vl10            ac18.2651.03fe  (451)'txtvers=1''priority=3 ty=EPSON WF-3620 Ser usb_MFG=EPSON'' usb_MDL=W~'~

Device# show mdns-sd statistics vlan 10

mDNS Statistics

Vl10:
  mDNS packets sent                : 612
    IPv4 sent                      : 612
      IPv4 advertisements sent     : 0
      IPv4 queries sent            : 612
    IPv6 sent                      : 0
      IPv6 advertisements sent     : 0
      IPv6 queries sent            : 0
    Unicast sent                   : 0
  mDNS packets rate limited        : 0
  mDNS packets received            : 42
    advertisements received        : 28
    queries received               : 14
    IPv4 received                  : 42
      IPv4 advertisements received : 28
      IPv4 queries received        : 14
    IPv6 received                  : 0
      IPv6 advertisements received : 0
      IPv6 queries received        : 0
  mDNS packets dropped             : 0
=========================================
Query Type                         : Count
=========================================
PTR                                : 12
SRV                                : 0
A                                  : 0
AAAA                               : 0
TXT                                : 0
ANY                                : 3
=================================================
PTR Name                     Advertisement   Query
=================================================
_ipp._tcp.local              9               4

Verifying Wired SDG Agent Configuration and Service-Routing Status

This section provides information on the mDNS configuration and service-routing on the Wired and Wireless SDG Agent (SDG-1), with locally attached Layer 2 access switches in Service-Peer (SP-1 and SP-2) mode and with a centrally paired Cisco DNA Center for Wide Area Bonjour service-routing.
Device# show mdns-sd summary vlan 10

VLAN: 10
==========================================
mDNS Gateway              : Enabled
mDNS Service Policy       : LOCAL-AREA-POLICY
Active Query              : Disabled
Transport Type            : IPv4
Service Instance Suffix   : Not Configured
mDNS Query Type           : ALL
SDG Agent IP              : Not-Configured
Source Interface          : Not-Configured

Device# show mdns-sd cache vlan 10

Name                               Type  TTL/       Vlan-Id/        MAC Address     RR Record Data
                                         Remaining  Interface-name
_universal._sub._ipp._tcp.local    PTR   4500/4500  Vl10            ac18.2651.03fe  Bldg-1-FL1-PRN._ipp._tcp.local
_ipp._tcp.local                    PTR   4500/4500  Vl10            ac18.2651.03fe  Bldg-1-FL1-PRN._ipp._tcp.local
Bldg-1-FL1-PRN._ipp._tcp.local     SRV   4500/4500  Vl10            ac18.2651.03fe  0 0 631 Bldg-1-FL1-PRN.local
Bldg-1-FL1-PRN.local               A     4500/4500  Vl10            ac18.2651.03fe  10.153.1.1
Bldg-1-FL1-PRN.local               AAAA  4500/4500  Vl10            ac18.2651.03fe  2001:10:153:1:79:A40C:6BEE:AEEC
Bldg-1-FL1-PRN._ipp._tcp.local     TXT   4500/4500  Vl10            ac18.2651.03fe  (451)'txtvers=1''priority=30''ty=EPSON WF-3620 Series''usb_MFG=EPSON''usb_MDL=W~'

Device# show mdns-sd sp-sdg statistics

                                     One min, 5 mins, 1 hour
Average Input rate (pps)           : 0,       0,      0
Average Output rate (pps)          : 0,       0,      0
Messages received:
  Query                            : 15796
  ANY query                        : 0
  Advertisements                   : 28
  Advertisement Withdraw           : 0
  Interface down                   : 0
  Vlan down                        : 0
  Service-peer ID change           : 0
  Service-peer cache clear         : 12
  Resync response                  : 6
Messages sent:
  Query response                   : 5975
  ANY Query response               : 0
  Cache-sync                       : 61
  Get service-instance             : 0

Device# show mdns-sd controller detail

Controller: DNAC-Policy
 IP: 100.0.0.1, Dest Port : 9991, Src Port : 42446, State : UP
 Source Interface: Loopback0, MD5 Disabled
 Hello Timer 30 sec, Dead Timer 120 sec, Next Hello 00:00:24
 Uptime 2d05h (17:02:37 UTC Jan 15 2021)
 Service Buffer: Enabled

Service Announcement:
 Filter: DNAC-CONTROLLER-POLICY
 Count 50, Delay Timer 30 sec, Pending Announcement 0, Pending Withdraw 0
 Total Export Count 56, Next Export in 00:00:24

Service Query:
 Query Suppression Enabled
 Query Count 50, Query Delay Timer 15 sec, Pending 0
 Total Query Count 15791, Next Query in 00:00:09

Verifying Cisco DNA Center Configuration and Service Routing Status
The Cisco Wide Area Bonjour application supports comprehensive assurance capabilities to manage service routing with the network-wide distributed Cisco Catalyst switches in the SDG Agent role and the mDNS services discovered over the Wide Area Bonjour domain. The assurance capabilities in Cisco Wide Area Bonjour provide the ability to determine the service routing state, the mDNS service state, and much more information at various levels for day-2 operations, analysis, and troubleshooting. Each category serves a unique function to manage and troubleshoot Wide Area Bonjour service routing for day-2 operation.
This sub-section provides a brief overview of each category of monitor function:
· Dashboard: The landing page of the Cisco Wide Area Bonjour application provides key statistics in various formats to quickly determine service routing health across the network. The network administrator can monitor the operational status of service routing with SDG Agent devices, a historical chart of service discovery requests, processing, and drops from the network-wide distributed devices, and the top five talkers across the network.
· Sub-Domain 360°: The network administrator can briefly collect statistics and status counts in a 360° view. The left-panel monitoring and configuration bar opens automatically upon clicking the selected sub-domain, to verify configured policies and discovered service instances on a per-sub-domain basis in the configuration section.
· Monitor: A comprehensive three-tier monitoring and troubleshooting function of the Cisco Wide Area Bonjour application for various day-2 operations. The detailed view of SDG Agents and Service Instances, and the advanced Troubleshooting capabilities, allow the network administrator to manage and troubleshoot the Wide Area Bonjour domain from a single pane of glass on Cisco DNA Center.
For more information, see the Cisco Wide Area Bonjour on Cisco DNA Center User Guide, Release 2.1.2. The assurance capabilities and operation details are explained in the Monitor the Cisco Wide Area Bonjour Application chapter, which covers managing the Cisco Wide Area Bonjour application with the various supporting service routing assurance functions.

Reference

Table 102:

Related Topic: DNA Service for Bonjour Deployment on Cisco Catalyst 9600 Switch
Document Title: Cisco Catalyst 9600 Series Switch Software Configuration Guide, Release 17.5.X

Related Topic: DNA Service for Bonjour Deployment on Cisco Catalyst 9500 Switch
Document Title: Cisco Catalyst 9500 Series Switch Software Configuration Guide, Release 17.5.X

Related Topic: DNA Service for Bonjour Deployment on Cisco Catalyst 9400 Switch
Document Title: Cisco Catalyst 9400 Series Switch Software Configuration Guide, Release 17.5.X

Related Topic: DNA Service for Bonjour Deployment on Cisco Catalyst 9300 Switch
Document Title: Cisco Catalyst 9300 Series Switch Software Configuration Guide, Release 17.5.X

Related Topic: Cisco Wide Area Bonjour Application on Cisco DNA Center User Guide
Document Title: Cisco Wide Area Bonjour Application on Cisco DNA Center User Guide, Release 2.2.2

PART XIX
Multicast Domain Name System
· Multicast Domain Name System, on page 1927

CHAPTER 190
Multicast Domain Name System
· Introduction to mDNS Gateway, on page 1928
· Guidelines and Restrictions for Configuring mDNS AP, on page 1928
· Enabling mDNS Gateway (GUI), on page 1930
· Enabling or Disabling mDNS Gateway (GUI), on page 1930
· Enabling or Disabling mDNS Gateway (CLI), on page 1930
· Creating Default Service Policy, on page 1932
· Creating Custom Service Definition (GUI), on page 1932
· Creating Custom Service Definition, on page 1932
· Creating Service List (GUI), on page 1933
· Creating Service List, on page 1934
· Creating Service Policy (GUI), on page 1935
· Creating Service Policy, on page 1935
· Configuring a Local or Native Profile for an mDNS Policy, on page 1937
· Configuring an mDNS Flex Profile (GUI), on page 1937
· Configuring an mDNS Flex Profile (CLI), on page 1938
· Applying an mDNS Flex Profile to a Wireless Flex Connect Profile (GUI), on page 1939
· Applying an mDNS Flex Profile to a Wireless Flex Connect Profile (CLI), on page 1939
· Enabling the mDNS Gateway on the VLAN Interface, on page 1939
· Location-Based Service Filtering, on page 1940
· Configuring mDNS AP, on page 1943
· Enabling mDNS Gateway on the RLAN Interface, on page 1944
· Enabling mDNS Gateway on Guest LAN Interface, on page 1947
· Associating mDNS Service Policy with Wireless Profile Policy (GUI), on page 1948
· Associating mDNS Service Policy with Wireless Profile Policy, on page 1948
· Enabling or Disabling mDNS Gateway for WLAN (GUI), on page 1950
· Enabling or Disabling mDNS Gateway for WLAN, on page 1950
· mDNS Gateway with Guest Anchor Support and mDNS Bridging, on page 1951
· Configuring mDNS Gateway on Guest Anchor, on page 1952
· Configuring mDNS Gateway on Guest Foreign (Guest LAN), on page 1952
· Configuring mDNS Gateway on Guest Anchor, on page 1953
· Configuring mDNS Gateway on Guest Foreign (Guest WLAN), on page 1953
· Verifying mDNS Gateway Configurations, on page 1954

Introduction to mDNS Gateway
Multicast Domain Name System (mDNS) is an Apple service discovery protocol that locates devices and services on a local network using mDNS service records.
The Bonjour protocol operates on service announcements and queries. Each query or advertisement is sent to the Bonjour multicast address, IPv4 224.0.0.251 (IPv6 FF02::FB). The protocol uses mDNS on UDP port 5353.
The address used by the Bonjour protocol is a link-local multicast address and is therefore only forwarded within the local L2 network. Because multicast DNS is limited to an L2 domain, a client has to be in the same L2 domain as a service in order to discover it. This is not always possible in a large-scale or enterprise deployment.
To address this issue, the Cisco Catalyst 9800 Series Wireless Controller acts as a Bonjour Gateway. The controller listens for Bonjour services and caches the Bonjour advertisements (AirPlay, AirPrint, and so on) from the source or host, for example an Apple TV, and responds to Bonjour clients when they ask for a service. This way, sources and clients can be in different subnets.
By default, the mDNS gateway is disabled on the controller. To enable mDNS gateway functionality, you must explicitly configure the mDNS gateway using the CLI or the Web UI.
Prerequisite
Because the Cisco Catalyst 9800 Series Wireless Controller responds and advertises on behalf of the cached services when acting as a Bonjour Gateway, it must have an SVI interface with a valid IP address on every VLAN where mDNS is allowed or used. That address is the source IP address of the mDNS packets sent by the controller acting as the mDNS Gateway.
Guidelines and Restrictions for Configuring mDNS AP
· Cisco recommends deploying scalable Wide Area Bonjour to route mDNS services between Wired and Wireless networks. The Cisco Catalyst 9800 Series Wireless LAN Controller (WLC) introduces a new mDNS gateway mode called Service-Peer mode, which replaces the classic mDNS flood-and-learn with Enterprise-grade, scalable, stateful, and reliable unicast-based mDNS service-routing together with upstream gateway Cisco Catalyst 9000 Series Switches. For more information, see Cisco DNA Service for Bonjour.
· The mDNS AP (classic flood-and-learn based feature) is enhanced with complete unicast-based service-routing using Cisco Wide Area Bonjour, supporting flood-free Wired and Wireless networks to overcome several operational, scalability, and service resiliency challenges.
· The mDNS AP extends the mDNS flood from Wired VLANs to the AP and further over the CAPWAP tunnel to the WLC for central processing across the Core network. Cisco recommends that the mDNS AP be considered only for small network environments.
· The mDNS AP is supported only in Local and Monitor modes. Cisco Wireless APs in FlexConnect mode and in Fabric mode do not support the mDNS AP feature. For more information on how to enable mDNS service-routing for the various distributed Wireless modes, see Cisco DNA Service for Bonjour.
· Wireless users connected to an mDNS AP may not be able to browse the Wired mDNS services across the Wired VLAN flooded to the mDNS AP.
· The Wired mDNS service-provider VLANs must be extended to flood the mDNS traffic up to the mDNS AP Ethernet port, in trunk mode. The Wired VLAN extension to the mDNS AP may include other Wired flood traffic, such as Broadcast, Unknown Unicast, and Layer 2 Multicast, which impacts the mDNS AP scale and performance.
· It is recommended to have at least one mDNS AP for each Layer 3 Access switch. If a single mDNS AP is shared between multiple Layer 3 Access switches, all Wired mDNS traffic is flooded using alternate L2 methods.
· The maximum mDNS AP scale limit for each Cisco Catalyst 9800 Series Wireless LAN Controller (WLC) is limited.
· The maximum mDNS Wired VLAN count for each WLC is limited.
· An old Wired mDNS service entry continues to be advertised to all Wireless users for up to 4500 seconds, based on the mDNS cache timers on the WLC. Stale entries require manual clearing from the local cache on the WLC.
· The mDNS AP does not support mDNS Query packet suppression or rate limiting in the AP. The Wired mDNS flood from all Wired VLANs is extended to the WLC for central processing of policy enforcement.
· The maximum number of flooded packets per second processed from Wired VLANs to the mDNS AP is limited. The mDNS AP performance and reliability may be compromised in large network environments.
· A maximum of 10 Wired VLANs' mDNS flood can be extended to an mDNS AP. A combined large Wired VLAN and mDNS AP scale may impact scale and performance on the AP and WLC.
· Only one mDNS AP is supported for each Wired VLAN. Multiple mDNS APs cannot be configured to map the same Wired VLAN ID, as this causes service instability and duplicate processing.
· High Availability is not supported across multiple mDNS APs. The mDNS services across the Wired and Wireless network are disrupted when connectivity to the mDNS AP is lost due to any kind of failure.
· Only one Wired mDNS service-policy is supported for all network-wide mDNS APs.
· All WLAN users can discover all flooded Wired mDNS services, without granular Location-Based service. An mDNS AP in a large, flooded network impacts the user experience on mobile devices.
· The mDNS AP does not support IPv6 for Wired mDNS service-providers or service-receivers. Only IPv4 is supported.
· The mDNS AP does not support role-based mDNS service filtering between Wired and Wireless networks.
· The mDNS AP does not detect and auto-resolve duplicate mDNS service-instance names across Wired VLANs. The Cisco Catalyst 9800 Series Wireless LAN Controller (WLC) discovers and records the first service instance with a unique name in its local cache database. If a duplicate service-instance name is discovered, the WLC rejects the duplicate name and does not distribute it to the Wireless clients.

Enabling mDNS Gateway (GUI)
Procedure

Step 1  Choose Configuration > Services > mDNS.
Step 2  In the Global section, toggle the slider to enable or disable the mDNS Gateway.
Step 3  From the Transport drop-down list, choose one of the following types:
        · ipv4
        · ipv6
        · both
Step 4  Enter an appropriate timer value in Active-Query Timer. The valid range is from 15 to 120 minutes. The default is 30 minutes.
Step 5  From the mDNS-AP Service Policy drop-down list, choose an mDNS service policy.

Note  Service policy is optional only if mDNS-AP is configured. If mDNS-AP is not configured, the system uses default-service-policy.

Step 6  Click Apply.

Enabling or Disabling mDNS Gateway (GUI)
Procedure

Step 1  Choose Configuration > Services > mDNS > Global.
Step 2  Enable or disable the mDNS Gateway toggle button.
Step 3  Choose ipv4 or ipv6 or both from the Transport drop-down list.
Step 4  Enter the Active-Query Timer.
Step 5  Click Apply.

Enabling or Disabling mDNS Gateway (CLI)

Note

· mDNS gateway is disabled by default globally on the controller.

· You need both global and WLAN configurations to enable mDNS gateway.

Procedure

Step 1
  Command or Action: enable
  Example: Device> enable
  Purpose: Enables privileged EXEC mode. Enter your password, if prompted.

Step 2
  Command or Action: configure terminal
  Example: Device# configure terminal
  Purpose: Enters global configuration mode.

Step 3
  Command or Action: mdns-sd gateway
  Example: Device(config)# mdns-sd gateway
  Purpose: Enables the mDNS gateway.

Step 4
  Command or Action: transport {ipv4 | ipv6 | both}
  Example: Device(config-mdns-sd)# transport ipv4
  Purpose: Processes mDNS messages on a specific transport. Here,
    ipv4 signifies that IPv4 mDNS message processing is enabled. This is the default value.
    ipv6 signifies that IPv6 mDNS message processing is enabled.
    both signifies that both IPv4 and IPv6 mDNS message processing is enabled.

Step 5
  Command or Action: active-query timer active-query-periodicity
  Example: Device(config-mdns-sd)# active-query timer 15
  Purpose: Changes the periodicity of the mDNS multicast active query. Here, active-query-periodicity refers to the active query periodicity in minutes. The valid range is from 15 to 120 minutes. The active query runs with a default periodicity of 30 minutes.
  Note: An active query is a periodic mDNS query to refresh the dynamic cache.

Step 6
  Command or Action: exit
  Example: Device(config-mdns-sd)# exit
  Purpose: Returns to global configuration mode.

Creating Default Service Policy
When the mDNS gateway is enabled on any WLAN, the mdns-default-service-policy is associated with it by default. The default service policy consists of the default-service-list; the details are explained in this section. You can override the default service policy with a custom service policy.
Procedure

Step 1  Create a service-definition if the service is not listed in the preconfigured services.
Step 2  Create a service list for IN and OUT by using the service-definitions.
Step 3  Use the service lists to create a new service policy. For more information, refer to the Creating Service Policy section.
Step 4  Attach the mdns-service-policy to the profile or VLAN where it needs to be enforced.
Step 5  To check the default mDNS service list, use the following command: show mdns-sd default-service-list

Creating Custom Service Definition (GUI)
Procedure

Step 1  Choose Configuration > Services > mDNS.
Step 2  In the Service Definition section, click Add.
Step 3  In the Quick Setup: Service Definition page that is displayed, enter a name and description for the service definition.
Step 4  Enter a service type and click + to add the service type.
Step 5  Click Apply to Device.

Creating Custom Service Definition
A service definition is a construct that provides an administrator-friendly name for one or more mDNS service types or pointer (PTR) resource record names. A few built-in service definitions are predefined and available for the administrator to use. In addition to the built-in service definitions, the administrator can also define custom service definitions. Use the following command to view the list of all service definitions (built-in and custom):
Device# show mdns-sd master-service-list

Procedure

Step 1
  Command or Action: enable
  Example: Device> enable
  Purpose: Enables privileged EXEC mode. Enter your password, if prompted.

Step 2
  Command or Action: configure terminal
  Example: Device# configure terminal
  Purpose: Enters global configuration mode.

Step 3
  Command or Action: mdns-sd service-definition service-definition-name
  Example: Device(config)# mdns-sd service-definition CUSTOM1
  Purpose: Configures an mDNS service definition.
  Note:
    · All the created custom service definitions are added to the primary service list.
    · The primary service list comprises a list of custom and built-in service definitions.

Step 4
  Command or Action: service-type string
  Example: Device(config-mdns-ser-def)# service-type _custom1._tcp.local
  Purpose: Configures the mDNS service type.

Step 5
  Command or Action: exit
  Example: Device(config-mdns-ser-def)# exit
  Purpose: Returns to global configuration mode.

Creating Service List (GUI)
Procedure

Step 1  Choose Configuration > Services > mDNS.
Step 2  In the Service List section, click Add.
Step 3  In the Quick Setup: Service List page that is displayed, enter a name for the service list.
Step 4  From the Direction drop-down list, choose IN for inbound filtering or OUT for outbound filtering.
Step 5  From the Available Services drop-down list, choose a service type to match the service list.

Note  To allow all services, choose the all option.

Step 6  Click Add Services.
Step 7  From the Message Type drop-down list, choose the message type to match from the following options:
        · any: To allow all messages.
        · announcement: To allow only service advertisements or announcements for the device.
        · query: To allow only a query from the client for a service in the network.
Step 8  Click Save to add services.
Step 9  Click Apply to Device.

Creating Service List
An mDNS service list is a collection of service definitions.

Procedure

Step 1
  Command or Action: enable
  Example: Device> enable
  Purpose: Enables privileged EXEC mode. Enter your password, if prompted.

Step 2
  Command or Action: configure terminal
  Example: Device# configure terminal
  Purpose: Enters global configuration mode.

Step 3
  Command or Action: mdns-sd service-list service-list-name {IN | OUT}
  Example:
    Device(config)# mdns-sd service-list Basic-In IN
    Device(config)# mdns-sd service-list Basic-Out OUT
  Purpose: Configures an mDNS service list.
    · IN: Provides inbound filtering.
    · OUT: Provides outbound filtering.

Step 4
  Command or Action: match service-definition-name message-type {announcement | any | query}
  Example: Device(config-mdns-sl-in)# match CUSTOM1 message-type query
  Purpose: Matches the service to the message type. Here, service-definition-name refers to the names of services, such as airplay, airserver, airtunes, and so on.
  Note: To add a service, the service name must be part of the primary service list.
    If the mDNS service list is set to IN, the following command is available: match service-definition-name message-type {announcement | any | query}.
    If the mDNS service list is set to OUT, the following command is available: match service-definition-name.

Step 5
  Command or Action: show mdns-sd service-list {direction | name}
  Purpose: Displays the inbound or outbound direction list of the configured service list, used to classify matching service types for the service policy. The list can be filtered by name or by a specific direction.

Step 6
  Command or Action: exit
  Example: Device(config-mdns-sl-in)# exit
  Purpose: Returns to global configuration mode.

Creating Service Policy (GUI)
Procedure

Step 1  Choose Configuration > Services > mDNS.
Step 2  In the Service Policy section, click Add.
Step 3  In the Quick Setup: Service Policy page that is displayed, enter a name for the service policy.
Step 4  From the Service List Input drop-down list, choose one of the types.
Step 5  From the Service List Output drop-down list, choose one of the types.
Step 6  From the Location drop-down list, choose the location you want to associate with the service list.
Step 7  Click Apply to Device.

Creating Service Policy
An mDNS service policy is used for service filtering while learning services or responding to queries.

Procedure

Step 1
  Command or Action: enable
  Example: Device> enable
  Purpose: Enables privileged EXEC mode. Enter your password, if prompted.

Step 2
  Command or Action: configure terminal
  Example: Device# configure terminal
  Purpose: Enters global configuration mode.

Step 3
  Command or Action: mdns-sd service-policy service-policy-name
  Example: Device(config)# mdns-sd service-policy mdns-policy1
  Purpose: Enables an mDNS service policy.

Step 4
  Command or Action: location {lss | site-tag}
  Example: Device(config-mdns-ser-pol)# location lss
  Purpose: Filters mDNS service types based on LSS or site tag.
  Note: In Location Specific Services (LSS) based filtering, the mDNS gateway responds with the service instances learnt from the neighboring APs of the querying client's AP. Other service instances, from the rest of the APs, are filtered.
    In site-tag based filtering, the mDNS gateway responds with the service instances that belong to the same site tag as the querying client.
    The mDNS gateway responds with wired services even if location-based filtering is configured.

Step 5
  Command or Action: service-list service-list-name {IN | OUT}
  Example: Device(config-mdns-ser-pol)# service-list VLAN100-list IN
  Purpose: Configures the service-list names for the IN and OUT directions.
  Note: If an administrator decides to create or use a custom service policy, the custom service policy must be configured with service-lists for both directions (IN and OUT); otherwise, the mDNS Gateway will not work (it will not learn services if there is no IN service-list, or will not reply or announce learned services if there is no OUT service-list).

Step 6
  Command or Action: exit
  Example: Device(config-mdns-ser-pol)# exit
  Purpose: Returns to global configuration mode.
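The following configuration, added here as an example and not taken from the guide, chains the three constructs from the Creating Custom Service Definition, Creating Service List and Creating Service Policy procedures, and shows an IN-only policy next to the corrected IN+OUT policy. CUSTOM1, Basic-In, Basic-Out, mdns-policy1 and airplay come from the procedures; Vlan100, PROFILE-1 and the commands that attach the policy under the VLAN interface and the wireless profile policy are assumptions about the later sections of this chapter.

```cisco
! Added example (not from the guide): service definition -> service lists
! -> service policy -> attachment. Names marked "assumed" are not on this page.
!
! 1. Global mDNS gateway, IPv4 transport, 15-minute active query
mdns-sd gateway
 transport ipv4
 active-query timer 15
!
! 2. Custom service definition for a service type that is not built in
mdns-sd service-definition CUSTOM1
 service-type _custom1._tcp.local
!
! 3. Inbound list: learn only CUSTOM1 and airplay announcements
!    (IN lists take a message-type: announcement, query or any)
mdns-sd service-list Basic-In IN
 match CUSTOM1 message-type announcement
 match airplay message-type announcement
!
! 4. Outbound list: answer queries for the same two services
!    (OUT lists take only the service-definition name)
mdns-sd service-list Basic-Out OUT
 match CUSTOM1
 match airplay
!
! 5. WEAK: IN list only. The gateway learns services but never replies to or
!    announces them, because the policy has no OUT service-list.
mdns-sd service-policy mdns-policy-in-only
 service-list Basic-In IN
!
! 6. CORRECTED: both directions, plus site-tag based location filtering
mdns-sd service-policy mdns-policy1
 service-list Basic-In IN
 service-list Basic-Out OUT
 location site-tag
!
! 7. Attach the policy (assumed syntax; Vlan100 and PROFILE-1 are constructed)
interface Vlan100
 mdns-sd gateway
  service-policy mdns-policy1
!
wireless profile policy PROFILE-1
 mdns-sd service-policy mdns-policy1
!
! Verification (commands shown earlier on this page):
!   show mdns-sd master-service-list           -> CUSTOM1 listed with airplay
!   show mdns-sd service-list direction IN     -> Basic-In with two matches
!   show mdns-sd service-policy name mdns-policy1
!     -> both an IN and an OUT service list must appear on the policy row
```

If the policy row shows only an IN list, clients on that VLAN or WLAN will see no services even though the cache fills, which is the failure the Note in Step 5 describes.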

Configuring a Local or Native Profile for an mDNS Policy
When an administrator configures local authentication and authorization and does not expect to receive an mDNS policy from the AAA server, the administrator can configure a local or native profile to select an mDNS policy based on user, role, or device type. When this local or native profile is mapped to the wireless profile policy, the mDNS service policy is applied to the mDNS packets processed on that WLAN.

Procedure

Step 1
Command or Action: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: service-template template-name
Example: Device(config)# service-template mdns
Purpose: Configures the service template (identity policy).

Step 3
Command or Action: mdns-service-policy mdns-policy-name
Example: Device(config-service-template)# mdns-service-policy mdnsTV
Purpose: Configures the mDNS policy.

Step 4
Command or Action: exit
Example: Device(config-service-template)# exit
Purpose: Returns to global configuration mode.

Configuring an mDNS Flex Profile (GUI)
Procedure

Step 1 Choose Configuration > Services > mDNS.
Step 2 In the mDNS Flex Profile section, click Add. The Add mDNS Flex Profile window is displayed.
Step 3 In the Profile Name field, enter the flex mDNS profile name.
Step 4 In the Service Cache Update Timer field, specify the service cache update time. The default value is 1 minute. The valid range is from 1 to 100 minutes.
Step 5 In the Statistics Update Timer field, specify the statistics update timer. The default value is 1 minute. The valid range is from 1 to 100 minutes.
Step 6 In the VLANs field, specify the VLAN ID. You can enter multiple VLAN IDs separated by commas, or enter a range of VLAN IDs. The maximum number of VLANs allowed is 16.
Step 7 Click Apply to Device.

Configuring an mDNS Flex Profile (CLI)

Procedure

Step 1
Command or Action: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: mdns-sd flex-profile mdns-flex-profile-name
Example: Device(config)# mdns-sd flex-profile mdns-flex-profile-name
Purpose: Creates the mDNS flex profile and enters mDNS flex profile configuration mode.

Step 3
Command or Action: update-timer service-cache timer-value
Example: Device(config-mdns-flex-profile)# update-timer service-cache 60
Purpose: Configures the mDNS service cache update timer for the flex profile. The default value is 1 minute. The valid range is from 1 to 100 minutes.

Step 4
Command or Action: update-timer statistics timer-value
Example: Device(config-mdns-flex-profile)# update-timer statistics 65
Purpose: Configures the mDNS statistics update timer for the flex profile. The default value is 1 minute. The valid range is from 1 to 100 minutes.

Step 5
Command or Action: wired-vlan-range vlan-range
Example: Device(config-mdns-flex-profile)# wired-vlan-range 10 - 20
Purpose: Configures the mDNS wired VLAN range for the flex profile. You can specify individual VLAN IDs or a range of VLAN IDs; the maximum number of VLANs allowed is 16.


Applying an mDNS Flex Profile to a Wireless Flex Connect Profile (GUI)
Procedure

Step 1 Choose Configuration > Tags & Profiles > Flex.
Step 2 Click Add. The Add Flex Profile window is displayed.
Step 3 Under the General tab, from the mDNS Flex Profile drop-down list, choose a flex profile name.
Step 4 Click Apply to Device.

Applying an mDNS Flex Profile to a Wireless Flex Connect Profile (CLI)

Procedure

Step 1
Command or Action: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wireless profile flex wireless-flex-profile-name
Example: Device(config)# wireless profile flex wireless-flex-profile-name
Purpose: Enters wireless flex profile configuration mode.

Step 3
Command or Action: mdns-sd mdns-flex-profile-name
Example: Device(config-wireless-flex-profile)# mdns-sd mdns-flex-profile-name
Purpose: Applies the mDNS flex profile, which enables the mDNS features for all the APs that use this wireless flex profile.

Enabling the mDNS Gateway on the VLAN Interface
This procedure configures the mDNS service policy for a specific VLAN. It lets the administrator apply different settings to mDNS packets on a per-VLAN-interface basis rather than per WLAN.


Procedure

Step 1
Command or Action: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: interface vlan vlan-interface-number
Example: Device(config)# interface vlan 200
Purpose: Configures a VLAN ID and enters interface configuration mode.

Step 3
Command or Action: ip address ip-address subnet-mask
Example: Device(config-if)# ip address 111.1.1.1 255.255.255.0
Purpose: Configures the IP address for the interface.

Step 4
Command or Action: mdns-sd gateway
Example: Device(config-if)# mdns-sd gateway
Purpose: Enables mDNS configuration on the VLAN interface.

Step 5
Command or Action: service-policy service-policy-name
Example: Device(config-if-mdns-sd)# service-policy test-mDNS-service-policy
Purpose: Configures the service policy.
Note: If no service-policy-name is specified, the VLAN uses the default-mdns-service-policy. The default-mdns-service-policy is created in the system by default and uses the default-mdns-service-list configuration for filtering mDNS service announcements and queries.

Step 6
Command or Action: end
Example: Device(config-if-mdns-sd)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Location-Based Service Filtering
Prerequisite for Location-Based Service Filtering
You need to create the Service Definition and Service Policy. For more information, see Creating Custom Service Definition section and Creating Service Policy section.


Configuring mDNS Location-Based Filtering Using SSID
When a service policy is configured with the SSID as the location name, the response to the query will be the services that were learnt on that SSID.

Procedure

Step 1
Command or Action: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: mdns-sd service-policy service-policy-name
Example: Device(config)# mdns-sd service-policy mdns-policy1
Purpose: Configures the service policy.

Step 3
Command or Action: location ssid
Example: Device(config-mdns-ser-pol)# location ssid
Purpose: Configures location-based filtering using the SSID.

Step 4
Command or Action: end
Example: Device(config-mdns-ser-pol)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Configuring mDNS Location-Based Filtering Using AP Name
When a service policy is configured with the AP name as the location, the response to the query will be the services that were learnt on that AP.

Procedure

Step 1
Command or Action: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: mdns-sd service-policy service-policy-name
Example: Device(config)# mdns-sd service-policy mdns-policy1
Purpose: Configures the service policy.

Step 3
Command or Action: location ap-name
Example: Device(config-mdns-ser-pol)# location ap-name
Purpose: Configures location-based filtering using the AP name.

Step 4
Command or Action: end
Example: Device(config-mdns-ser-pol)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Configuring mDNS Location-Based Filtering Using AP Location
When a service policy is configured with location as the AP-location, the response to the query will be the services that were learnt on all the APs using the same AP "location" name (not to be confused with "site-tag").

Procedure

Step 1
Command or Action: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: mdns-sd service-policy service-policy-name
Example: Device(config)# mdns-sd service-policy mdns-policy1
Purpose: Configures the service policy.

Step 3
Command or Action: location ap-location
Example: Device(config-mdns-ser-pol)# location ap-location
Purpose: Configures location-based filtering using the AP location.

Step 4
Command or Action: end
Example: Device(config-mdns-ser-pol)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Configuring mDNS Location-Based Filtering Using Regular Expression
· When a service policy is configured with the location as a regular expression that matches the corresponding AP name, the response to the query will be the services that were learnt on a group of APs based on the AP name.
· When a service policy is configured with the location as a regular expression that matches the corresponding AP location, the response to the query will be the services that were learnt on a group of APs based on the AP location.


Procedure

Step 1
Command or Action: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: mdns-sd service-policy service-policy-name
Example: Device(config)# mdns-sd service-policy mdns-policy1
Purpose: Configures the service policy.

Step 3
Command or Action: location regex {ap-location regular-expression | ap-name regular-expression}
Example:
Device(config-mdns-ser-pol)# location regex ap-location dns_location
Device(config-mdns-ser-pol)# location regex ap-name dns_name
Purpose: Configures location-based filtering using a regular expression.

Step 4
Command or Action: end
Example: Device(config-mdns-ser-pol)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Note: To filter services learnt from the set of APs whose names contain a specific keyword (for example, AP-2FLR-SJC-123), use AP-2FLR- as the ap-name regular expression; the response then contains only the services learnt from those access points.
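The following Python model illustrates which cached service instances the gateway returns under each location mode described in the sections above (ssid, ap-name, ap-location, site-tag, lss, and regex). It is an added example written for this page, not Cisco's implementation. The cache entries, AP names, AP locations, site tags and RRM neighbor relations are constructed for the demo. It assumes that the regular expression is applied unanchored (so AP-2FLR- matches AP-2FLR-SJC-123, as in the note above) and that an AP's LSS neighbor set includes the AP itself; wired-learnt services are always returned, as the guide states for location-based filtering.

```python
"""
Model of mDNS gateway location-based answer filtering (added example, not Cisco code).
Cache contents, AP names, locations and neighbor relations below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Service:
    instance: str                      # e.g. "Lobby-Printer._ipp._tcp.local"
    service_type: str                  # e.g. "_ipp._tcp.local"
    wired: bool = False                # learnt from the wired side
    ssid: Optional[str] = None         # where the wireless service was learnt
    ap_name: Optional[str] = None
    ap_location: Optional[str] = None
    site_tag: Optional[str] = None


@dataclass(frozen=True)
class Client:
    ssid: str
    ap_name: str
    ap_location: str
    site_tag: str


# Constructed RRM neighbor relations used by LSS (symmetric by construction).
NEIGHBORS: Dict[str, Set[str]] = {
    "AP-2FLR-SJC-123": {"AP-2FLR-SJC-124"},
    "AP-2FLR-SJC-124": {"AP-2FLR-SJC-123", "AP-3FLR-SJC-201"},
    "AP-3FLR-SJC-201": {"AP-2FLR-SJC-124"},
}


def lss_neighbors(ap_name: str) -> Set[str]:
    """APs whose services an LSS policy returns to a client on ap_name (assumed to include itself)."""
    return {ap_name} | NEIGHBORS.get(ap_name, set())


def passes_location_filter(svc: Service, client: Client, mode: str) -> bool:
    """Apply one `location` mode of a service policy to a wireless-learnt service."""
    if mode == "none":
        return True
    if mode == "ssid":
        return svc.ssid == client.ssid
    if mode == "ap-name":
        return svc.ap_name == client.ap_name
    if mode == "ap-location":
        return svc.ap_location == client.ap_location
    if mode == "site-tag":
        return svc.site_tag == client.site_tag
    if mode == "lss":
        return svc.ap_name in lss_neighbors(client.ap_name)
    m = re.fullmatch(r"regex (ap-name|ap-location) (.+)", mode)
    if m:
        # Regex modes group APs by name or location; only where the service
        # was learnt matters, not where the querying client is.
        field = svc.ap_name if m.group(1) == "ap-name" else svc.ap_location
        return field is not None and re.search(m.group(2), field) is not None
    raise ValueError(f"unknown location mode: {mode}")


def answer_query(cache: List[Service], service_type: str,
                 client: Client, mode: str) -> List[str]:
    """Instances returned for a PTR query of service_type under the policy's location mode."""
    answers = [svc.instance for svc in cache
               if svc.service_type == service_type
               and (svc.wired or passes_location_filter(svc, client, mode))]
    return sorted(answers)


# Constructed cache: what the gateway learnt from several APs and the wired side.
CACHE = [
    Service("Lobby-Printer._ipp._tcp.local", "_ipp._tcp.local", ssid="corp", ap_name="AP-2FLR-SJC-123", ap_location="SJC-Floor2", site_tag="SJC"),
    Service("Guest-Printer._ipp._tcp.local", "_ipp._tcp.local", ssid="guest", ap_name="AP-2FLR-SJC-124", ap_location="SJC-Floor2", site_tag="SJC"),
    Service("Lab-Printer._ipp._tcp.local", "_ipp._tcp.local", ssid="corp", ap_name="AP-3FLR-SJC-201", ap_location="SJC-Floor3", site_tag="SJC"),
    Service("RTP-Printer._ipp._tcp.local", "_ipp._tcp.local", ssid="corp", ap_name="AP-1FLR-RTP-010", ap_location="RTP-Floor1", site_tag="RTP"),
    Service("Wired-Printer._ipp._tcp.local", "_ipp._tcp.local", wired=True),
    Service("Lobby-TV._airplay._tcp.local", "_airplay._tcp.local", ssid="corp", ap_name="AP-2FLR-SJC-123", ap_location="SJC-Floor2", site_tag="SJC"),
]
CLIENT = Client(ssid="corp", ap_name="AP-2FLR-SJC-123", ap_location="SJC-Floor2", site_tag="SJC")

if __name__ == "__main__":
    for mode in ("none", "ssid", "ap-name", "ap-location", "site-tag", "lss",
                 "regex ap-name AP-2FLR-", "regex ap-location ^SJC-"):
        print(f"{mode:26} -> {answer_query(CACHE, '_ipp._tcp.local', CLIENT, mode)}")
```

Running the block prints, for one client on AP-2FLR-SJC-123, the printer instances each mode would return; the wired printer appears in every answer, and the regex modes return the same set regardless of the client's own AP.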

Configuring mDNS AP
In most deployments, services are available in VLANs that the AP can hear on its wired side (the VLANs allowed on the switchport to which the AP is directly connected: its own VLAN, or more VLANs if the switchport is a trunk). The mDNS AP feature lets the controller learn the services advertised in those wired VLANs through the AP.
The following procedure shows how to configure mDNS AP:

Procedure

Step 1
Command or Action: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: mdns-sd gateway
Example: Device(config)# mdns-sd gateway
Purpose: Configures the mDNS gateway globally.

Step 3
Command or Action: ap name ap-name mdns-ap enable vlan vlan-id
Example: Device# ap name ap1 mdns-ap enable vlan 22
Purpose: Enables mDNS on the AP and configures a VLAN for the mDNS AP. The ap name commands are privileged EXEC commands (note the Device# prompt); they are not entered in global configuration mode.

Step 4
Command or Action: ap name ap-name mdns-ap vlan add vlan-id
Example: Device# ap name ap1 mdns-ap vlan add 200
Purpose: Adds a VLAN to the mDNS AP. vlan-id ranges from 1 to 4096.

Step 5
Command or Action: ap name ap-name mdns-ap vlan del vlan-id
Example: Device# ap name ap1 mdns-ap vlan del 2
Purpose: Deletes a VLAN from the mDNS AP.

Step 6
Command or Action: ap name ap-name mdns-ap disable
Example: Device# ap name ap1 mdns-ap disable
Purpose: (Optional) Disables the mDNS AP.

Step 7
Command or Action: end
Example: Device# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Note: You can configure a maximum of 10 VLANs per AP.

Enabling mDNS Gateway on the RLAN Interface
By configuring the mDNS gateway mode on the RLAN interface, you can configure the mDNS service policy for a specific RLAN.

Procedure

Step 1
Command or Action: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: ap remote-lan profile-name remote-lan-profile-name rlan-id
Example: Device(config)# ap remote-lan profile-name rlan_test_1 1
Purpose: Configures a remote LAN profile.
· remote-lan-profile-name: Remote LAN profile name. Range is from 1 to 32 alphanumeric characters.
· rlan-id: Remote LAN identifier. Range is from 1 to 128.
Note: You can create a maximum of 128 RLANs. Also, you cannot use the rlan-id of an existing RLAN while creating another RLAN.

Step 3
Command or Action: mdns-sd-interface {gateway | drop}
Example: Device(config-remote-lan)# mdns-sd-interface gateway
Purpose: Enables mDNS configuration on the RLAN interface.

Step 4
Command or Action: no shutdown
Example: Device(config-remote-lan)# no shutdown
Purpose: Restarts the RLAN profile.

Step 5
Command or Action: exit
Example: Device(config-remote-lan)# exit
Purpose: Exits remote LAN configuration mode.

Step 6
Command or Action: ap remote-lan-policy policy-name profile-name
Example: Device(config)# ap remote-lan-policy policy-name rlan_named_pp1
Purpose: Configures the RLAN policy profile and enters wireless policy configuration mode.

Step 7
Command or Action: mdns-sd service-policy service-policy-name
Example: Device(config-remote-lan-policy)# mdns-sd service-policy mdnsTV6
Purpose: Enables an mDNS service policy.

Step 8
Command or Action: central switching
Example: Device(config-remote-lan-policy)# central switching
Purpose: Configures the RLAN for central switching.

Step 9
Command or Action: central dhcp
Example: Device(config-remote-lan-policy)# central dhcp
Purpose: Configures central DHCP for centrally switched clients.

Step 10
Command or Action: vlan vlan-id
Example: Device(config-remote-lan-policy)# vlan 141
Purpose: Assigns the policy profile to a VLAN.

Step 11
Command or Action: no shutdown
Example: Device(config-remote-lan-policy)# no shutdown
Purpose: Restarts the RLAN policy profile.

Step 12
Command or Action: wireless tag policy policy-tag-name
Example: Device(config)# wireless tag policy rlan_pt_1
Purpose: Configures a policy tag. Exit the RLAN policy profile (exit) before entering this command.

Step 13
Command or Action: remote-lan remote-lan-profile-name policy rlan-policy-profile-name port-id port-id
Example:
Device(config-policy-tag)# remote-lan rlan_test_1 policy rlan_named_pp1 port-id 1
Device(config-policy-tag)# remote-lan rlan_test_1 policy rlan_named_pp1 port-id 2
Device(config-policy-tag)# remote-lan rlan_test_1 policy rlan_named_pp1 port-id 3
Device(config-policy-tag)# remote-lan rlan_test_1 policy rlan_named_pp1 port-id 4
Purpose: Maps the RLAN policy profile to the RLAN profile.
· remote-lan-profile-name: Name of the RLAN profile.
· rlan-policy-profile-name: Name of the policy profile.
· port-id: LAN port number on the access point. Range is from 1 to 4.

Step 14
Command or Action: exit
Example: Device(config-policy-tag)# exit
Purpose: Returns to global configuration mode.

Step 15
Command or Action: ap mac-address
Example: Device(config)# ap 0042.5AB6.0EF0
Purpose: Configures the AP and enters AP tag configuration mode.
Note: Use the Ethernet MAC address of the AP.

Step 16
Command or Action: policy-tag policy-tag-name
Example: Device(config-ap-tag)# policy-tag rlan_pt_1
Purpose: Maps the policy tag to the AP.

Step 17
Command or Action: end
Example: Device(config-ap-tag)# end
Purpose: Returns to privileged EXEC mode.


Enabling mDNS Gateway on Guest LAN Interface
By configuring the mDNS gateway mode on a Guest LAN interface, you can configure the mDNS service policy for a specific Guest LAN interface.

Procedure

Step 1
Command or Action: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: guest-lan profile-name guest_lan_profile_name num wired-vlan wired_vlan_num
Example: Device(config)# guest-lan profile-name open 1 wired-vlan 666
Purpose: Configures the guest LAN profile with a wired VLAN.
· num: Guest LAN identifier. The valid range is from 1 to 5.
· wired_vlan_num: Wired VLAN number. The valid range is from 1 to 4094.
Note: Configure the wired VLAN only on the Guest Foreign controller.

Step 3
Command or Action: guest-lan profile-name guest_lan_profile_name num
Example: Device(config)# guest-lan profile-name open 1
Purpose: Configures the guest LAN profile without a VLAN, for the Guest Anchor controller.

Step 4
Command or Action: mdns-sd-interface {gateway | drop}
Example: Device(config-guest-lan)# mdns-sd-interface gateway
Purpose: Configures the mDNS gateway for the Guest LAN.
Note: You need to enable the mDNS gateway globally for the Guest LAN to work.

Step 5
Command or Action: end
Example: Device(config-guest-lan)# end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.


Associating mDNS Service Policy with Wireless Profile Policy (GUI)
Procedure

Step 1 Choose Configuration > Tags & Profiles > Policy.
Step 2 Click the policy profile name.
Step 3 In the Advanced tab, choose the mDNS service policy from the mDNS Service Policy drop-down list.
Step 4 Click Update & Apply to Device.

Associating mDNS Service Policy with Wireless Profile Policy

Note: You must globally configure the mDNS service policy before associating it with the wireless profile policy.
A default mDNS service policy is attached automatically when the wireless profile policy is created. Use the following commands to override the default mDNS service policy with a service policy of your own:

Procedure

Step 1
Command or Action: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wireless profile policy profile-policy
Example: Device(config)# wireless profile policy default-policy-profile
Purpose: Configures the wireless profile policy. Here, profile-policy is the name of the WLAN policy profile.

Step 3
Command or Action: mdns-sd service-policy custom-mdns-service-policy
Example: Device(config-wireless-policy)# mdns-sd service-policy custom-mdns-service-policy
Purpose: Associates an mDNS service policy with the wireless profile policy. The default mDNS service policy name is default-mdns-service-policy.


Note: The default-mdns-service-policy uses the default-mdns-service-list configuration for filtering mDNS service announcements and queries.
In a wireless network, mDNS packets are consumed by the mDNS gateway, so clients and devices would otherwise be unable to learn these services. To share services with devices and to simplify configuration for the administrator, a small list of standard service types is shared by default on the wireless network. This list of standard service types is termed the default service policy, which comprises a set of service types.
The table shows a sample of the service list in the default service policy.

Table 103: Default Name and mDNS Service Type

Default Name        mDNS Service Type
Apple HomeSharing   _home-sharing._tcp.local
Printer-IPPS        _ipps._tcp.local
Google-chromecast   _googlecast._tcp.local

Note:
· Location is disabled in the mDNS default service policy.
· You cannot change the contents of the mDNS default service policy. However, you can create separate mDNS service policies and associate them under the wireless policy profile.


Step 4
Command or Action: exit
Example: Device(config-wireless-policy)# exit
Purpose: Returns to global configuration mode.

Enabling or Disabling mDNS Gateway for WLAN (GUI)
Procedure

Step 1 Choose Configuration > Tags & Profiles > WLANs.
Step 2 Click the WLAN.
Step 3 In the Advanced tab, choose the mode from the mDNS Mode drop-down list.
Step 4 Click Update & Apply to Device.

Enabling or Disabling mDNS Gateway for WLAN

Note: Bridging is the default behaviour. If neither gateway nor drop is configured on the WLAN, mDNS packets are bridged.

Procedure

Step 1
Command or Action: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: wlan profile-name wlan-id ssid-name
Example: Device(config)# wlan test 24 ssid1
Purpose: Specifies the WLAN name and ID.
· profile-name: the WLAN name, which can contain up to 32 alphanumeric characters.
· wlan-id: the wireless LAN identifier. The valid range is from 1 to 512.
· ssid-name: the SSID, which can contain up to 32 alphanumeric characters.
Note: The global mDNS gateway configuration must be in place for the mDNS gateway to work on the WLAN.

Step 3
Command or Action: mdns-sd-interface {gateway | drop}
Example:
Device(config-wlan)# mdns-sd-interface gateway
Device(config-wlan)# mdns-sd-interface drop
Purpose: Enables or disables the mDNS gateway and bridge functions on the WLAN: gateway enables the mDNS gateway on the WLAN; drop disables both gateway and bridging so that mDNS packets on the WLAN are dropped.

Step 4
Command or Action: exit
Example: Device(config-wlan)# exit
Purpose: Returns to global configuration mode.

Step 5
Command or Action: show wlan name wlan-name or show wlan all
Example:
Device# show wlan name test
Device# show wlan all
Purpose: Verifies the status of mDNS on the WLAN.

Step 6
Command or Action: show wireless profile policy
Example: Device# show wireless profile policy
Purpose: Verifies the service policy configured for the WLAN.
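Three notes in this chapter describe configurations that silently fail: a custom service policy without both an IN and an OUT service-list (Creating Service Policy), a wireless profile policy that references a service policy that has not been created globally (Associating mDNS Service Policy with Wireless Profile Policy), and a WLAN, RLAN or guest LAN in gateway mode while the global mdns-sd gateway command is absent (this procedure). The following Python script is an added example, not Cisco's code, that reads an IOS XE configuration snippet and reports those three mistakes before the configuration is pushed. The sample configuration is constructed for the demo; only the command names and the default-mdns-service-policy name come from the guide, and the active-query timer line is included only as a child of the global stanza.

```python
"""
Static checks for an mDNS gateway configuration (added example, not Cisco code).
SAMPLE_CONFIG is constructed for the demo.
"""
from typing import Dict, List, Set, Tuple

Stanza = Tuple[str, List[str]]  # (top-level line, its indented child lines)

SAMPLE_CONFIG = """\
mdns-sd gateway
 active-query timer 30
!
mdns-sd service-policy mdns-policy1
 location lss
 service-list VLAN100-list IN
 service-list VLAN100-list-out OUT
!
mdns-sd service-policy mdns-policy2
 service-list VLAN200-list IN
!
wireless profile policy default-policy-profile
 mdns-sd service-policy mdns-policy1
!
wireless profile policy guest-policy-profile
 mdns-sd service-policy mdnsTV
!
wlan test 24 ssid1
 mdns-sd-interface gateway
!
"""


def parse_stanzas(config: str) -> List[Stanza]:
    """Split IOS-style configuration into top-level lines and their indented children."""
    stanzas: List[Stanza] = []
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):   # '!' terminates a block
            current = None
            continue
        if line.startswith(" "):               # indented: belongs to the current block
            if current is not None:
                current[1].append(line.strip())
            continue
        current = (line, [])
        stanzas.append(current)
    return stanzas


def audit_mdns_config(config: str) -> List[str]:
    """Return sorted findings for the three misconfigurations the guide warns about."""
    stanzas = parse_stanzas(config)
    findings: List[str] = []
    global_gateway = any(header == "mdns-sd gateway" for header, _ in stanzas)

    # 1. Every custom service policy needs both an IN and an OUT service-list.
    policies: Dict[str, Set[str]] = {}
    for header, body in stanzas:
        words = header.split()
        if words[:2] == ["mdns-sd", "service-policy"] and len(words) == 3:
            policies[words[2]] = {
                child.split()[2].upper()
                for child in body
                if child.startswith("service-list ") and len(child.split()) == 3
            }
    for name, directions in policies.items():
        for direction in ("IN", "OUT"):
            if direction not in directions:
                findings.append(f"service-policy {name}: missing {direction} service-list")

    for header, body in stanzas:
        words = header.split()
        # 2. A policy profile may only reference a service policy that exists
        #    globally (the built-in default-mdns-service-policy always exists).
        if words[:3] == ["wireless", "profile", "policy"] and len(words) == 4:
            for child in body:
                cw = child.split()
                if cw[:2] == ["mdns-sd", "service-policy"] and len(cw) == 3:
                    ref = cw[2]
                    if ref != "default-mdns-service-policy" and ref not in policies:
                        findings.append(
                            f"policy profile {words[3]}: references undefined service-policy {ref}")
        # 3. Gateway mode on a WLAN, RLAN or guest LAN needs the global gateway.
        elif words[0] in ("wlan", "guest-lan") or words[:2] == ["ap", "remote-lan"]:
            wants_gateway = any(child in ("mdns-sd-interface gateway", "mdns-sd gateway")
                                for child in body)
            if wants_gateway and not global_gateway:
                findings.append(
                    f"{header}: gateway mode set but global 'mdns-sd gateway' is not enabled")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_mdns_config(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against output of show running-config (or a candidate configuration) before applying it; on the sample it reports mdns-policy2 lacking an OUT list and guest-policy-profile referencing the undefined mdnsTV, and removing the global mdns-sd gateway line adds a finding for the WLAN.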

mDNS Gateway with Guest Anchor Support and mDNS Bridging
When the mDNS gateway is enabled on both the Anchor and the Foreign controller, the mDNS gateway functionality is supported in guest anchor deployments: clients on a guest LAN or WLAN with guest anchoring enabled are answered with services from the cache of the export foreign controller itself. All advertisements received on the guest LAN or WLAN on the export foreign are learnt on the export foreign itself, and all queries received on the guest LAN or WLAN are answered by the export foreign itself.
When the mDNS gateway is enabled on the Anchor and disabled on the Foreign controller (bridging mode), the mDNS gateway functionality is supported in guest anchor deployments: clients on a guest LAN or WLAN with guest anchoring enabled are answered with services from the cache of the export Anchor, even though the clients are connected on the Foreign. All advertisements received on the guest LAN or WLAN on the export foreign are forwarded to the Anchor and cached on the Anchor itself, and all queries received on the guest LAN or WLAN are answered by the export Anchor itself.

Note:
· You must configure the guest LAN in a wireless profile policy that is configured with the required mDNS service-policy.
· To configure a non-guest LAN mDNS gateway, see the Introduction to mDNS Gateway chapter.


Configuring mDNS Gateway on Guest Anchor

Procedure

Step 1
Command or Action: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: guest-lan profile-name guest-lan-profile-name guest-lan-id
Example: Device(config)# guest-lan profile-name g-lanpro 2
Purpose: Configures the guest LAN profile on the Guest Anchor controller. No wired VLAN is configured on the anchor.

Step 3
Command or Action: mdns-sd gateway
Example: Device(config-guest-lan)# mdns-sd gateway
Purpose: Enables the mDNS gateway on the guest LAN.

Configuring mDNS Gateway on Guest Foreign (Guest LAN)

Procedure

Step 1
Command or Action: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: guest-lan profile-name guest-lan-profile-name guest-lan-id wired-vlan vlan-id
Example: Device(config)# guest-lan profile-name g-lanpro 2 wired-vlan 230
Purpose: Configures the guest LAN profile with a wired VLAN.
Note: Configure the wired VLAN only on the Guest Foreign controller.

Step 3
Command or Action: mdns-sd gateway
Example: Device(config-guest-lan)# mdns-sd gateway
Purpose: Enables the mDNS gateway on the guest LAN.

Step 4
Command or Action: exit
Example: Device(config-guest-lan)# exit
Purpose: Returns to global configuration mode.


Configuring mDNS Gateway on Guest Anchor (Guest WLAN)

Procedure

Step 1
Command or Action: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: guest-wlan profile-name guest-lan-profile-name guest-wlan-id
Example: Device(config)# guest-wlan profile-name g-lanpro 2
Purpose: Configures the guest WLAN profile on the Guest Anchor controller. No wired VLAN is configured on the anchor.

Step 3
Command or Action: mdns-sd gateway
Example: Device(config-guest-wlan)# mdns-sd gateway
Purpose: Enables the mDNS gateway on the guest WLAN.

Configuring mDNS Gateway on Guest Foreign (Guest WLAN)

Procedure

Step 1
Command or Action: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: guest-wlan profile-name guest-lan-profile-name guest-wlan-id wired-vlan vlan-id
Example: Device(config)# guest-wlan profile-name g-lanpro 2 wired-vlan 230
Purpose: Configures the guest WLAN profile with a wired VLAN.
Note: Configure the wired VLAN only on the Guest Foreign controller.

Step 3
Command or Action: mdns-sd gateway
Example: Device(config-guest-wlan)# mdns-sd gateway
Purpose: Enables the mDNS gateway on the guest WLAN.

Step 4
Command or Action: exit
Example: Device(config-guest-wlan)# exit
Purpose: Returns to global configuration mode.

Verifying mDNS Gateway Configurations
To verify the mDNS summary, use the following command:

Device# show mdns-sd summary
mDNS Gateway: Enabled
Active Query: Enabled
  Periodicity (in minutes): 30
Transport Type: IPv4

To verify the mDNS cache, use the following command:

Device# show mdns-sd cache

----------------------------------------------------------- PTR Records ---------------------------------------
RECORD-NAME               TTL    WLAN   CLIENT-MAC        RR-RECORD-DATA
---------------------------------------------------------------------------------------------------------------
_airplay._tcp.local       4500   30     07c5.a4f2.dc01    CUST1._airplay._tcp.local
_ipp._tcp.local           4500   30     04c5.a4f2.dc01    CUST3._ipp._tcp.local2
_ipp._tcp.local           4500   15     04c5.a4f2.dc01    CUST3._ipp._tcp.local4
_ipp._tcp.local           4500   10     04c5.a4f2.dc01    CUST3._ipp._tcp.local6
_veer_custom._tcp.local   4500   10     05c5.a4f2.dc01    CUST2._veer_custom._tcp.local8

To verify the mDNS cache learnt from wired service providers, use the following command:

Device# show mdns-sd cache wired

----------------------------------------------------------- PTR Records ---------------------------------------
RECORD-NAME                                TTL    VLAN   CLIENT-MAC        RR-RECORD-DATA
---------------------------------------------------------------------------------------------------------------
_airplay._tcp.local                        4500   16     0866.98ec.97af    wiredapple._airplay._tcp.local
_raop._tcp.local                           4500   16     0866.98ec.97af    086698EC97AF@wiredapple._raop._tcp.local

----------------------------------------------------------- SRV Records ---------------------------------------
RECORD-NAME                                TTL    VLAN   CLIENT-MAC        RR-RECORD-DATA
---------------------------------------------------------------------------------------------------------------
wiredapple._airplay._tcp.local             4500   16     0866.98ec.97af    0 0 7000 wiredapple.local
086698EC97AF@wiredapple._raop._tcp.local   4500   16     0866.98ec.97af    0 0 7000 wiredapple.local

----------------------------------------------------------- A/AAAA Records ------------------------------------
RECORD-NAME                                TTL    VLAN   CLIENT-MAC        RR-RECORD-DATA
---------------------------------------------------------------------------------------------------------------
wiredapple.local                           4500   16     0866.98ec.97af    2001:8:16:16:e5:c446:3218:7437

----------------------------------------------------------- TXT Records ---------------------------------------
RECORD-NAME                                TTL    VLAN   CLIENT-MAC        RR-RECORD-DATA
---------------------------------------------------------------------------------------------------------------
wiredapple._airplay._tcp.local             4500   16     0866.98ec.97af    [343]'acl=0''deviceid=08:66:98:EC:97:AF''features=
086698EC97AF@wiredapple._raop._tcp.local   4500   16     0866.98ec.97af    [193]'cn=0,1,2,3''da=true''et=0,3,5''ft=0x5A7FFFF7

To verify the mDNS cache for a specific record type (the output below is for type PTR), use the following command:

Device# show mdns-sd cache type {PTR | SRV | A-AAA | TXT}

RECORD-NAME               TTL    WLAN   CLIENT-MAC        RR-Record-Data
---------------------------------------------------------------------------------------------------------------
_custom1._tcp.local       4500   2      c869.cda8.77d6    service_t1._custom1._tcp.local
_custom1._tcp.local       4500   2      c869.cda8.77d6    vk11._custom1._tcp.local
_ipp._tcp.local           4500   2      c869.cda8.77d6    service-4._ipp._tcp.local

To verify the mDNS cache for a specific AP, client MAC, guest LAN, mDNS AP, RLAN, WLAN, or the wired side, use the following command (the output below is filtered by client MAC):

Device# show mdns-sd cache {ap-mac ap-mac | client-mac client-mac | glan-id glan-id | mdns-ap mac-address | rlan-id rlan-id | wlan-id wlan-id | wired}

----------------------------------------------------------- PTR Records ---------------------------------------
RECORD-NAME                      TTL    WLAN   CLIENT-MAC        RR-Record-Data
---------------------------------------------------------------------------------------------------------------
_custom1._tcp.local              4500   2      c869.cda8.77d6    service_t1._custom1._tcp.local
_custom1._tcp.local              4500   2      c869.cda8.77d6    vk11._custom1._tcp.local
_ipp._tcp.local                  4500   2      c869.cda8.77d6    service-4._ipp._tcp.local

----------------------------------------------------------- SRV Records ---------------------------------------
RECORD-NAME                      TTL    WLAN   CLIENT-MAC        RR-Record-Data
---------------------------------------------------------------------------------------------------------------
service-4._ipp._tcp.local        4500   2      c869.cda8.77d6    0 0 1212 mDNS-Client1s-275.local
vk11._custom1._tcp.local         4500   2      c869.cda8.77d6    0 0 987 mDNS-Client1s-275.local
service_t1._custom1._tcp.local   4500   2      c869.cda8.77d6    0 0 197 mDNS-Client1s-275.local

----------------------------------------------------------- A/AAAA Records ------------------------------------
RECORD-NAME                      TTL    WLAN   CLIENT-MAC        RR-Record-Data
---------------------------------------------------------------------------------------------------------------
mDNS-Client1s-275.local          4500   2      c869.cda8.77d6    120.1.1.33

----------------------------------------------------------- TXT Records ---------------------------------------
RECORD-NAME                      TTL    WLAN   CLIENT-MAC        RR-Record-Data
---------------------------------------------------------------------------------------------------------------
service-4._ipp._tcp.local        4500   2      c869.cda8.77d6    'CLient1'
vk11._custom1._tcp.local         4500   2      c869.cda8.77d6    'txtvers=11'
service_t1._custom1._tcp.local   4500   2      c869.cda8.77d6    'txtvers=12'
To verify the mdns-sd cache with respect to the RLAN ID, use the following command:

Device# show mdns-sd cache rlan-id 1 detail

Name: _printer._tcp.local
  Type: PTR
  TTL: 4500
  RLAN: 1
  RLAN Name: rlan_test_1
  VLAN: 141
  Client MAC: 000e.c688.3942
  AP Ethernet MAC: 0042.5ab6.0ef0
  Remaining-Time: 4485
  Site-Tag: default-site-tag
  mDNS Service Policy: mdnsTV6
  Overriding mDNS Service Policy: NO
  UPN-Status: Disabled
  Rdata: printer._printer._tcp.local

Name: lab-47-187.local
  Type: A/AAAA
  TTL: 4500
  RLAN: 1
  RLAN Name: rlan_test_1
  VLAN: 141
  Client MAC: 000e.c688.3942
  AP Ethernet MAC: 0042.5ab6.0ef0
  Remaining-Time: 4485
  Site-Tag: default-site-tag
  mDNS Service Policy: mdnsTV6
  Overriding mDNS Service Policy: NO
  UPN-Status: Disabled
  Rdata: 10.15.141.124

To verify the mdns-sd cache with respect to mDNS-AP, use the following command:
Device# show mdns-sd cache mdns-ap 706b.b97d.b060 detail

Name: _printer._tcp.local
  Type: PTR
  TTL: 4500
  VLAN: 145
  Client MAC: 0050.b626.5bfa
  mDNS AP Radio MAC: 706b.b97d.b060
  mDNS AP Ethernet MAC: 706b.b97c.5208
  Remaining-Time: 4480
  mDNS Service Policy: mdnsTV
  Rdata: printer._printer._tcp.local

Name: Client-46-153.local
  Type: A/AAAA
  TTL: 4500
  VLAN: 145
  Client MAC: 0050.b626.5bfa
  mDNS AP Radio MAC: 706b.b97d.b060
  mDNS AP Ethernet MAC: 706b.b97c.5208
  Remaining-Time: 4480
  mDNS Service Policy: mdnsTV
  Rdata: 10.15.145.103

To verify the mdns-sd cache in detail, use the following command:

Device# show mdns-sd cache detail

Name: _custom1._tcp.local
  Type: PTR
  TTL: 4500
  WLAN: 2
  WLAN Name: mdns120
  VLAN: 120
  Client MAC: c869.cda8.77d6
  AP Ethernet MAC: 7069.5ab8.33d0
  Expiry-Time: 09/09/18 21:50:47
  Site-Tag: default-site-tag
  Rdata: service_t1._custom1._tcp.local
To verify the mdns-sd cache statistics, use the following command:
Device# show mdns-sd cache statistics
mDNS Cache Stats
Total number of Services: 4191

To verify the mdns-sd statistics, use the following command:

Device# show mdns-sd statistics

-----------------------------------------------------
Consolidated mDNS Packet Statistics
-----------------------------------------------------
mDNS stats last reset time: 03/11/19 04:17:35
mDNS packets sent: 61045
  IPv4 sent: 30790
    IPv4 advertisements sent: 234
    IPv4 queries sent: 30556
  IPv6 sent: 30255
    IPv6 advertisements sent: 17
    IPv6 queries sent: 30238
  Multicast sent: 57558
    IPv4 sent: 28938
    IPv6 sent: 28620
mDNS packets received: 72796
  advertisements received: 13604
  queries received: 59192
  IPv4 received: 40600
    IPv4 advertisements received: 6542
    IPv4 queries received: 34058
  IPv6 received: 32196
    IPv6 advertisements received: 7062
    IPv6 queries received: 25134
mDNS packets dropped: 87

-----------------------------------------------------
Wired mDNS Packet Statistics
-----------------------------------------------------
mDNS stats last reset time: 03/11/19 04:17:35
mDNS packets sent: 61033
  IPv4 sent: 30778
    IPv4 advertisements sent: 222
    IPv4 queries sent: 30556
  IPv6 sent: 30255
    IPv6 advertisements sent: 17
    IPv6 queries sent: 30238
  Multicast sent: 57558
    IPv4 sent: 28938
    IPv6 sent: 28620
mDNS packets received: 52623
  advertisements received: 1247
  queries received: 51376
  IPv4 received: 32276
    IPv4 advertisements received: 727
    IPv4 queries received: 31549
  IPv6 received: 20347
    IPv6 advertisements received: 520
    IPv6 queries received: 19827
mDNS packets dropped: 63

-----------------------------------------------------
mDNS Packet Statistics, for WLAN: 2
-----------------------------------------------------
mDNS stats last reset time: 03/11/19 04:17:35
mDNS packets sent: 12
  IPv4 sent: 12
    IPv4 advertisements sent: 12
    IPv4 queries sent: 0
  IPv6 sent: 0
    IPv6 advertisements sent: 0
    IPv6 queries sent: 0
  Multicast sent: 0
    IPv4 sent: 0
    IPv6 sent: 0
mDNS packets received: 20173
  advertisements received: 12357
  queries received: 7816
  IPv4 received: 8324
    IPv4 advertisements received: 5815
    IPv4 queries received: 2509
  IPv6 received: 11849
    IPv6 advertisements received: 6542
    IPv6 queries received: 5307
mDNS packets dropped: 24
To verify the default service list details, use the following command:
Device# show mdns-sd default-service-list
-------------------------------------------
mDNS Default Service List
--------------------------------------------
Service Definition: airplay
Service Names: _airplay._tcp.local

Service Definition: airtunes
Service Names: _raop._tcp.local

Service Definition: homesharing
Service Names: _home-sharing._tcp.local

Service Definition: printer-ipp
Service Names: _ipp._tcp.local

Service Definition: printer-lpd
Service Names: _printer._tcp.local

Service Definition: printer-ipps
Service Names: _ipps._tcp.local

Service Definition: printer-socket
Service Names: _pdl-datastream._tcp.local

Service Definition: google-chromecast
Service Names: _googlecast._tcp.local

Service Definition: itune-wireless-devicesharing2
Service Names: _apple-mobdev2._tcp.local
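The cache detail records and the service list output above are both line-oriented, so they can be cross-checked offline. The following Python script is an added example (not code from the Cisco guide): it parses `show mdns-sd cache ... detail` records and a `show mdns-sd default-service-list` (or `master-service-list`) listing, and reports every cached service type, with the client MACs advertising it, that is not in the listed service definitions. A service type learned from a WLAN or RLAN but absent from the list you expect the policy to permit points at a service policy admitting more than intended. The sample inputs are constructed from the records on this page plus one `_ssh._tcp.local` record added for illustration; the function names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample of `show mdns-sd cache ... detail` output: three records
# taken from this section plus one _ssh SRV record added for illustration.
CACHE_DETAIL = """\
Name: _custom1._tcp.local
  Type: PTR
  TTL: 4500
  WLAN: 2
  VLAN: 120
  Client MAC: c869.cda8.77d6
  Rdata: service_t1._custom1._tcp.local

Name: _printer._tcp.local
  Type: PTR
  TTL: 4500
  RLAN: 1
  VLAN: 141
  Client MAC: 000e.c688.3942
  Rdata: printer._printer._tcp.local

Name: lab-47-187.local
  Type: A/AAAA
  TTL: 4500
  Client MAC: 000e.c688.3942
  Rdata: 10.15.141.124

Name: host1._ssh._tcp.local
  Type: SRV
  TTL: 4500
  WLAN: 2
  Client MAC: c869.cda8.77d6
  Rdata: 0 0 22 host1.local
"""

# Constructed excerpt of `show mdns-sd default-service-list` output.
DEFAULT_SERVICE_LIST = """\
-------------------------------------------
mDNS Default Service List
--------------------------------------------
Service Definition: airplay
Service Names: _airplay._tcp.local
Service Definition: printer-ipp
Service Names: _ipp._tcp.local
Service Definition: printer-lpd
Service Names: _printer._tcp.local
"""

# The service type is the trailing "_<svc>._tcp.local" / "_<svc>._udp.local" part
# of a record name. PTR names are the type itself, SRV/TXT instance names such as
# "vk11._custom1._tcp.local" carry it as a suffix, host (A/AAAA) names have none.
SERVICE_TYPE_RE = re.compile(r"(_[^.]+\._(?:tcp|udp)\.local)$")


def service_type(record_name):
    """Return the service type of an mDNS record name, or None for host names."""
    match = SERVICE_TYPE_RE.search(record_name)
    return match.group(1) if match else None


def parse_cache_detail(text):
    """Split detail output into one dict per record (records separated by blank lines).

    Only the first ':' splits a line, so timestamp values such as Expiry-Time survive.
    """
    records, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def parse_service_list(text):
    """Map each service name to its definition. A definition may list several names,
    on the "Service Names:" line or on following lines (as airserver does above)."""
    allowed, definition = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Service Definition:"):
            definition = line.split(":", 1)[1].strip()
        elif line.startswith("Service Names:"):
            for name in line.split(":", 1)[1].split():
                allowed[name] = definition
        elif line.startswith("_") and definition:
            for name in line.split():
                allowed[name] = definition
    return allowed


def audit_cache(cache_text, service_list_text):
    """Return {service_type: [client MACs]} for cached services outside the list."""
    allowed = parse_service_list(service_list_text)
    findings = defaultdict(set)
    for rec in parse_cache_detail(cache_text):
        stype = service_type(rec.get("Name", ""))
        if stype is not None and stype not in allowed:
            findings[stype].add(rec.get("Client MAC", "unknown"))
    return {stype: sorted(macs) for stype, macs in sorted(findings.items())}


if __name__ == "__main__":
    for stype, macs in audit_cache(CACHE_DETAIL, DEFAULT_SERVICE_LIST).items():
        print(f"{stype:<32} advertised by {', '.join(macs)}")
```

Feed it the real `show mdns-sd cache detail` output saved from the controller and the service list actually bound to the service policy in use (the master list, or a custom list, rather than the default list) to get a meaningful result; against the constructed sample it flags `_custom1._tcp.local` and `_ssh._tcp.local` from client c869.cda8.77d6 and leaves the `_printer._tcp.local` and A/AAAA records alone.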
To verify the primary service list details, use the following command:
Device# show mdns-sd master-service-list

-------------------------------------------
mDNS Master Service List
--------------------------------------------
Service Definition: fax
Service Names: _fax-ipp._tcp.local

Service Definition: roku
Service Names: _rsp._tcp.local

Service Definition: airplay
Service Names: _airplay._tcp.local

Service Definition: scanner
Service Names: _scanner._tcp.local

Service Definition: spotify
Service Names: _spotify-connect._tcp.local

Service Definition: airtunes
Service Names: _raop._tcp.local

Service Definition: airserver
Service Names: _airplay._tcp.local
               _airserver._tcp.local

. . .

Service Definition: itune-wireless-devicesharing2
Service Names: _apple-mobdev2._tcp.local
To verify the mdns-sd service statistics on the controller, use the following command:
Device# show mdns-sd service statistics

Service Name                        Service Count
-----------------------------------------------------------------------------
_atc._tcp.local                     137
_hap._tcp.local                     149
_ipp._tcp.local                     149
_rfb._tcp.local                     141
_smb._tcp.local                     133
_ssh._tcp.local                     142
_daap._tcp.local                    149
_dpap._tcp.local                    149
_eppc._tcp.local                    138
_adisk._tcp.local                   149


To verify the mDNS-AP configured on the controller and VLAN(s) associated with it, use the following command:
Device# show mdns-sd ap

Number of mDNS APs.................................. 1

AP Name          Ethernet MAC      Number of Vlans   Vlanidentifiers
----------------------------------------------------------------------------------------------------
AP3600-1         7069.5ab8.33d0    1                 300

Further Debug

To debug mDNS further, use the following procedure:

1. Run this command at the controller:

   set platform software trace wncd <0-7> chassis active R0 mdns debug

2. Reproduce the issue.

3. Run this command to gather the traces enabled:

   show wireless loadbalance ap affinity wncd 0

AP MAC           Discovery Timestamp    Join Timestamp         Tag
---------------------------------------------------------------------------------------
0cd0.f894.0600   06/30/21 12:39:48      06/30/21 12:40:02      default-site-tag

The trace level is set per wncd instance (0-7), and each AP is served by exactly one wncd instance. The affinity output lists the APs handled by the instance named in the command, so confirm that the AP serving the clients under investigation appears in the output for the instance on which the trace was enabled; the affinity output itself does not contain the mDNS trace, which is read with the controller's trace-viewing commands (for example show logging process wncd internal, not shown on this page). Restore the default trace level when finished, as debug-level tracing adds load on a busy controller.
