Configure Dynamic Channel Assignment

In this post we will learn about DCA, which is a really useful feature of RRM.

DCA is managed by the RF Group Leader (how to define the RF leader was covered in one of my earlier posts).

DCA is used to determine the optimal AP channel based on these parameters:

Load: Percentage of time spent transmitting 802.11 frames

Noise: Measurement of non-802.11 signals on every serviced channel

Interference: Percentage of radio time used by neighbor 802.11 transmissions

Signal strength: Received signal strength indication (RSSI) measurement of the received neighbor messages

These values are then used by the Group Leader to determine whether another channel scheme would improve the worst-performing AP by at least 5 dB (SNR). In other words, based on these metrics, if the worst-performing AP would benefit by 5 dB or more, a channel change takes place. The decision to change an AP’s channel is also weighted to prevent a mass change within the RF group: we would not want a single AP changing channel to result in 20 other APs having to change theirs. The controller also takes into account how heavily an AP is used. A less-utilized AP is more likely to change channel than a heavily used neighbor (isn’t it an interesting feature?). This helps mitigate client disassociations during a DCA event, because a radio channel change disconnects all associated clients.

***Note: When an AP first boots up out of the box, it transmits on channel 1 on the 802.11b/g radio and channel 36 on the 802.11a radio. The channels then change according to any DCA adjustments, if necessary. If a reboot occurs, the APs remain on the same channel they were using before the reboot until a DCA event occurs. If an AP is on channel 152 and reboots, it will continue to use channel 152 when it comes back up.

***Note: Radios using 40-MHz channels in the 2.4-GHz band or 80-MHz channels are not supported by DCA.

The RRM startup mode is invoked in the following conditions:

  • In a single-controller environment, the RRM startup mode is invoked after the controller is rebooted.
  • In a multiple-controller environment, the RRM startup mode is invoked after an RF Group leader is elected.

Configure DCA:

***We must disable the 802.11a and 802.11b networks before changing the DCA configuration and enable them again afterwards. The simplest way to enable/disable a radio network is via the CLI:

(WLAN1) >config 802.11a disable network
(WLAN1) >config 802.11a enable network

Go to Wireless > 802.11a/n or 802.11b/g/n > RRM > DCA

DCA1

DCA2

There are three Channel Assignment Methods.

Channel Assignment Mode:

  • Automatic: This mode causes the controller to periodically evaluate and, if necessary, update the channel assignment for all joined access points.
  • Freeze: Causes the controller to evaluate and update the channel assignment for all joined access points, but only when we click Invoke Channel Update Once.
  • OFF: Turns off DCA and sets all access point radios to the first channel of the band.

Avoid Foreign AP Interference: Detects foreign APs and takes them into consideration when changing channels.

Avoid Cisco AP Load: When enabled, the AP load is taken into account when deciding which AP will change channel (the least-loaded AP changes channel first).

Avoid Non-802.11a (802.11b) Noise: Causes the controller’s RRM algorithms to consider noise (non-802.11 traffic) in the channel when assigning channels to lightweight access points.

Avoid Persistent Non-Wi-Fi Interference: Enables the controller to ignore or avoid persistent non-Wi-Fi interference.

Channel Assignment Leader: The IP address of the RF group leader, which is fully responsible for channel assignment.

Last Auto Channel Assignment: The last time RRM evaluated the current channel assignments.

DCA Channel Sensitivity: We have 3 levels (Low, Medium and High).

Channel Width: Depends on the radio. For 802.11a (5 GHz) we can select 40 MHz; for 802.11b/g (2.4 GHz) it is 20 MHz.

Avoid check for non-DFS channel: When enabled, the controller avoids checks for non-DFS channels (applies only to outdoor APs).

DCA Channel List: This option shows the channels selected for this radio.

Don’t forget to enable both radios again after changing the parameters in this section, using the commands shown above 🙂

RRM (Radio Resource Management) Overview

The RRM feature, also known as Auto-RF, acts as a built-in RF engineer in the controller: it uses the RF information gathered by the APs to make decisions on whether channel assignment or power levels need to be adjusted.

Note that just because the RF environment has changed does not necessarily mean that the controller will change anything.

Before covering the intricacies of the RRM algorithm and RF grouping, the following is a high-level overview of the basic workflow involved:

Step 1: The controllers and their APs use the configured RF group name to determine if other APs they hear are part of their RF group.

Step 2: The APs use neighbor messages (sent every 60 seconds) that are authenticated by other APs that hear them. The neighbor messages include information about the AP, the controller, and the configured RF group name.

Step 3: The APs that hear the neighbor message of another AP authenticate that message using the RF group name and pass it to their respective controller.

Step 4: The controllers use this information to determine what other controllers should be in their RF group, and then form logical groups to share the RF information from their respective APs, and elect an RF group leader.

Step 5: The RF group leader runs the RRM algorithm against the RF information from all the APs in the RF group. Depending on the outcome, a power level or channel change for an AP or group of APs might take place.

To know more details about RRM, check this previous post:

https://rscciew.wordpress.com/2013/12/04/radio-resource-management/

Also don’t forget to see these YouTube videos by Jerome Henry:

  1. http://www.youtube.com/watch?v=gwCxVwmHnRw – describes RRM principles
  2. http://www.youtube.com/watch?v=XhmnXeeLQBc – goes deeper into RRM and provides useful information if you are to take a Cisco exam on Wireless related topics! 🙂
  3. http://www.youtube.com/watch?v=3EnvhxjzEWU – details how RRM controls the AP channel assignment with DCA (Dynamic Channel Assignment).
  4. http://www.youtube.com/watch?v=32YWzuXTg5M – explains how RRM dynamically reduces AP power with TPC (Transmit Power Control)
  5. http://www.youtube.com/watch?v=yot63RsKOCg – explains how the Radio Coverage Detection Algorithm works.

The RRM feature enables controllers to continually monitor their associated LAPs for the following information:

  • Traffic load: The total bandwidth used for transmitting and receiving traffic. It enables wireless LAN managers to track and plan network growth ahead of client demand.
  • Interference: The amount of traffic coming from other 802.11 sources.
  • Noise: The amount of non-802.11 traffic that is interfering with the currently assigned channel.
  • Coverage: The received signal strength (RSSI) and signal-to-noise ratio (SNR) for all connected clients.
  • Other: The number of nearby access points.

RRM performs these functions:

  • Radio resource monitoring
  • Transmit power control
  • Dynamic channel assignment
  • Coverage hole detection and correction

In this post we will see the configuration guide of RRM on WLC.

Configure an RF Group Name

Via GUI:

The first step to configure RRM is to ensure the WLC has an RF Group Name configured. This can be done through the controller web interface. Go to Controller > General and type an RF Group Name value.

RRM1

Via CLI:

Create an RF group by entering the config network rf-network-name name command:

(WLAN1) >config network rf-network-name mywlc

Configuring the RF Group Mode:

Via GUI

Go to Wireless > 802.11a/n or 802.11b/g/n > RRM > RF Grouping

RRM2

Via CLI:

config advanced {802.11a | 802.11b} group-mode {auto | leader| off | restart}

(WLAN1) >config advanced 802.11a group-mode ?
 auto           Sets the 802.11a RF group selection to automatic update mode.
 leader         Sets the 802.11a RF group selection to static mode, and sets this controller as the group leader.
 off            Sets the 802.11a RF group selection off.
 restart        Restarts the 802.11a RF group selection.
(WLAN1) >config advanced 802.11a group-mode auto

On this screen we can see the details of the RF group:

Group Mode: Auto (it can also be set to static, or disabled)

Group Role: Auto Leader or Static Leader

Group Update Interval: The group update interval value indicates how often the RF Grouping algorithm is run and it cannot be modified.

Group Leader: This field displays the IP Address of the WLC that is currently the RF Group Leader.

Last Group Update: The RF Grouping algorithm runs every 600 seconds (10 minutes). This field indicates the time (in seconds) since the algorithm last ran.

RRM3

*** A configured static leader cannot become a member of another controller until its mode is set to “auto”.

Now we will change the Group Mode on controller “WLAN1” to leader.

RRM4

Add a controller as member:

RRM5

Via CLI:

Add a controller as a static member of the RF group (if the mode is set to “leader”) by entering this command:

config advanced {802.11a | 802.11b} group-mode {auto | leader| off | restart}

(WLAN1) >config advanced 802.11a group-mode leader

config advanced {802.11a | 802.11b} group-member add controller_name controller_ip_address

(WLAN1) >config advanced 802.11a group-member add WLAN2 10.35.80.3

To see the RF grouping status:

(WLAN1) >show advanced 802.11a group
 Radio RF Grouping
 802.11a Group Mode............................. STATIC
 802.11a Group Update Interval.................. 600 seconds
 802.11a Group Leader........................... WLAN1 (10.35.80.1)
 802.11a Group Member......................... WLAN1 (10.35.80.1)
 802.11a Group Member......................... WLAN2 (10.35.80.3)
 802.11a Last Run............................... 17 seconds ago
 * indicates member has not joined the group.
 (WLAN1) >

*** The same procedure applies to the 802.11b network.

***Info:

There are a few things we must take care of before forcing a WLC to be an RF leader:

  1. All WLC members must have the same mobility and RF group name.
  2. All the WLCs’ APs must be within range of each other.

In next post we will learn TPC, DCA and CHD.

ACLs on WLC

In this post we will learn how to use ACLs on the WLC.
As we all know, we use ACLs to prohibit/restrict access from specific clients.

Mostly we use these types of ACL:

  1. CPU (Be careful before assigning)
  2. WLAN/Interface Based ACL
  3. Pre-Authentication ACL

Basic Info:

Limitations:

  • We can configure a maximum of 64 ACLs (filters), each with up to 64 rules.
  • ACLs can impact the performance of the controller.
  • ACLs can’t block access to the virtual IP address (1.1.1.1) of the WLC. Therefore, DHCP cannot be blocked for wireless clients.
  • ACLs do not affect the service port of the WLC.
  • We can only block IP traffic.

Parameter used in ACL:

Sequence: The order in which ACL lines are processed against the packet. Even after creating a line with sequence number 1, we can give it a new sequence number, which means we can insert ACL lines anywhere in the ACL even after the ACL is created.

Source IP & Destination IP: Here we enter the host or subnet IP address and mask (from and to). The masks in WLC ACLs are normal subnet masks, not wildcard masks.

Protocol: The protocol number to match in the IP packet header.

Here is the list of the options we can use: Any (all protocol numbers are matched), TCP (6), UDP (17), ICMP (1), ESP (50), AH (51), GRE (47), IP (4), Eth Over IP (97), OSPF (89), Other (specify the number).

Source & Destination Port: Can only be specified for TCP or UDP.

DSCP: Differentiated Services Code Point allows us to specify a DSCP value to match in the IP packet header (only 2 options available: Specific & Any).

Direction: Which direction to enforce: Inbound, Outbound or Any.

Inbound: Packets sourced from the wireless client (Client -> WLC).

Outbound: Packets destined to the wireless client (WLC -> Client).

Any: Both packets sourced from the wireless client and packets destined to the wireless client are inspected to see if they match the ACL line; the line applies in both the Inbound and Outbound directions.

Action: Either Permit or Deny

Rules:

  • We can only specify protocol numbers from the IP header (UDP, TCP, etc.) in ACL lines, because ACLs are restricted to IP packets only.
  • If the source AND the destination are any, then the direction is also ANY.
  • If the source or the destination is NOT any, then the direction must be specified.
  • The direction is seen FROM the controller.
  • Inbound: Wireless client to WLC
  • Outbound: WLC to wireless client
  • Remember that there is an implicit deny at the end of every ACL.

Let’s start with the configuration.

First we will create an ACL and apply it to either a WLAN or an interface.

Log in to the WLC, go to Security > Access Control Lists > Access Control Lists and click New.

Also check Enable Counters to see the hit statistics.

ACwlc1

CPU Access list

In my example:

  1. Block Telnet from a specific workstation on the management interface

Workstation: 192.168.128.8
WLC2: 192.168.10.3

Create Access List and Apply it.

*** To remove this ACL, either uncheck the “Enable CPU ACL” box or, via the CLI, use the command “config acl cpu none”. Remember this command: if we get stuck in a situation where we can no longer access the WLC, run it from the console to get access back.

*** LWAPP/CAPWAP control traffic is not affected by CPU ACLs.

***By default Telnet is disabled on the WLC; we must enable it for testing (Management > Telnet-SSH).

Here is my access list; we can see the hit counters.

ACwlc2

Apply it: Security > Access Control List > CPU Access List

ACwlc3

How it looks in the CLI:

(WLC2) >show acl cpu
 CPU Acl Name................................ TestACL
 Wireless Traffic............................ Enabled
 Wired Traffic............................... Enabled
(WLC2) >show acl summary
 ACL Counter Status               Enabled
 ----------------------------------------
 IPv4 ACL Name                    Applied
 -------------------------------- -------
 TestACL                          Yes
 ----------------------------------------
 IPv6 ACL Name                    Applied
 -------------------------------- -------
(WLC2) >show acl detailed TestACL
 Source                         Destination                 Source Port  Dest Port
 Index  Dir       IP Address/Netmask               IP Address/Netmask       Prot    Range       Range    DSCP  Action      Counter
 ------ --- ------------------------------- ------------------------------- ---- ----------- ----------- ----- ------- -----------
 1  In      192.168.128.8/255.255.255.255      192.168.10.3/255.255.255.255    6     0-65535    23-23     Any   Deny           3
 2 Any         0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0          Any     0-65535     0-65535  Any Permit          14
 DenyCounter : 0
 URLs configured in this ACL
 ---------------------------
(WLC2) >
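To make the rules above concrete, here is an added example (not from the original post) that models how the WLC walks an ACL: TestACL from the output above is built with normal subnet masks, the direction is seen from the controller (In = from the client, Out = to the client, Any = both), port ranges only apply to TCP/UDP, the first match wins and the hit counter is incremented, and anything that matches no line hits the implicit deny. The Rule and Packet classes and the evaluate() function are this example’s own, not WLC syntax.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

TCP, UDP = 6, 17  # protocol numbers as entered in the ACL line


@dataclass
class Rule:
    seq: int                      # 'Index' column: lines are processed in this order
    direction: str                # "In", "Out" or "Any", seen from the controller
    src: IPv4Network              # built from address + normal mask (not a wildcard)
    dst: IPv4Network
    proto: Optional[int] = None   # None = Any protocol number
    sport: Tuple[int, int] = (0, 65535)
    dport: Tuple[int, int] = (0, 65535)
    action: str = "Permit"
    hits: int = 0                 # models the 'Counter' column of 'show acl detailed'


@dataclass
class Packet:
    direction: str                # "In" (client -> WLC) or "Out" (WLC -> client)
    src: str
    dst: str
    proto: int
    sport: int = 0
    dport: int = 0


def net(addr: str, mask: str) -> IPv4Network:
    """WLC ACL masks are normal subnet masks, e.g. 255.255.255.255 for a host."""
    return IPv4Network(f"{addr}/{mask}", strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    """One ACL line against one packet."""
    if rule.direction != "Any" and rule.direction != pkt.direction:
        return False
    if IPv4Address(pkt.src) not in rule.src or IPv4Address(pkt.dst) not in rule.dst:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    # Port ranges only mean something for TCP and UDP lines.
    if rule.proto in (TCP, UDP):
        if not (rule.sport[0] <= pkt.sport <= rule.sport[1]):
            return False
        if not (rule.dport[0] <= pkt.dport <= rule.dport[1]):
            return False
    return True


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Walk the ACL in sequence order; the first matching line decides and its
    counter is incremented. No match falls through to the implicit deny (seq None)."""
    for rule in sorted(acl, key=lambda r: r.seq):
        if matches(rule, pkt):
            rule.hits += 1
            return rule.action, rule.seq
    return "Deny", None


def test_acl() -> List[Rule]:
    """TestACL exactly as listed by 'show acl detailed TestACL' above."""
    return [
        Rule(1, "In", net("192.168.128.8", "255.255.255.255"),
             net("192.168.10.3", "255.255.255.255"), TCP, (0, 65535), (23, 23), "Deny"),
        Rule(2, "Any", net("0.0.0.0", "0.0.0.0"), net("0.0.0.0", "0.0.0.0"),
             None, (0, 65535), (0, 65535), "Permit"),
    ]


if __name__ == "__main__":
    acl = test_acl()
    telnet = Packet("In", "192.168.128.8", "192.168.10.3", TCP, 51000, 23)
    ssh = Packet("In", "192.168.128.8", "192.168.10.3", TCP, 51001, 22)
    print(evaluate(acl, telnet))   # ('Deny', 1)
    print(evaluate(acl, ssh))      # ('Permit', 2)
    # Without line 2 everything else, including DNS/DHCP, hits the implicit deny.
    print(evaluate(acl[:1], ssh))  # ('Deny', None)
```

The last call is the case the “config acl cpu none” note above is about: a CPU ACL without an explicit permit line locks out all management traffic.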

WLAN / Interface ACL

ACwlc4

Where to Apply:

  1. Under WLAN

ACwlc5

  2. Under Dynamic interface

ACwlc6

Preauthentication ACL

As its name suggests, this kind of ACL is applied before any authentication.

We usually create this type of pre-authentication ACL for web authentication. Such an ACL can be used to allow certain types of traffic before authentication is complete.

Creating the ACL is the same as in the section above, so I will not repeat those steps here.

Where we can apply this ACL:

  • Go to WLANs > WLANs
  • Click the ID number of the WLAN to open the WLANs > Edit
  • Choose the Security and Layer 3 tabs to open the WLANs > Edit (Security > Layer 3) page
  • From the Preauthentication ACL drop-down box, choose the desired ACL and click Apply

ACwlc7

That’s all  🙂

AAA Override

In this post we will learn about the AAA Override feature, which is used together with ACS (a RADIUS server).

The AAA Override function is used for identity networking. It allows us to configure VLAN tagging, QoS and ACLs for specific clients.

Basic Info:

By using this feature we can reduce the number of WLANs while still segregating users into network segments.

In this post we take dynamic VLAN assignment as the example. This feature allows a single SSID to serve multiple users according to their roles (i.e. their VLANs).

How it works:

  1. The wireless client associates to the AP on a specific WLAN.
  2. The wireless client starts the RADIUS authentication process.
  3. When the wireless client authenticates successfully, the RADIUS server assigns this client to a specific VLAN (as configured on the RADIUS server), regardless of the VLAN assigned to the SSID the client is using on the AP. If the RADIUS server does not return any VLAN attribute for the wireless client, the client is assigned to the VLAN specified by the SSID mapped locally on the AP.

Limitations:

  • To apply an ACL we must disable and then enable the WLAN so that the clients re-authenticate; otherwise the ACL does not take effect.
  • If the ACL does not exist on the WLC, or we put the wrong name, then the clients are not allowed to authenticate.
  • In HREAP/FlexConnect local switching, multicast is forwarded only for the VLAN that the SSID is mapped to and not to any overridden VLANs.
  • When an interface group is mapped to a WLAN and clients connect to the WLAN, the clients do not get IP addresses in a round-robin fashion. AAA override with an interface group is supported.
  • The AAA override itself is done at the RADIUS server.
  • On the WLC, enable the AAA Override parameter using the GUI or CLI. Enabling this parameter allows the controller to accept the attributes returned by the RADIUS server. The controller then applies these attributes to its clients.
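The decision the controller makes in step 3, together with the two limitations about the override switch and the missing ACL, as an added example (not the post’s or Cisco’s code). The VLAN is carried in the standard RFC 2868/RFC 3580 tunnel attributes (Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE 802, Tunnel-Private-Group-ID = VLAN id); the ACL attribute name “Airespace-ACL-Name”, the Wlan/Decision classes and decide_policy() are this example’s own naming.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set

TUNNEL_TYPE_VLAN = 13    # RFC 2868 Tunnel-Type value for VLAN
TUNNEL_MEDIUM_802 = 6    # RFC 2868 Tunnel-Medium-Type value for IEEE 802


@dataclass
class Wlan:
    ssid: str
    default_vlan: int      # VLAN of the interface the SSID is mapped to
    aaa_override: bool     # state of 'config wlan aaa-override enable <wlan-id>'


@dataclass
class Decision:
    authenticated: bool
    vlan: Optional[int] = None
    acl: Optional[str] = None
    reason: str = ""


def vlan_from_radius(attrs: Dict[str, str]) -> Optional[int]:
    """Return the VLAN id only when all three tunnel attributes agree (RFC 3580).
    A bare Tunnel-Private-Group-ID without the other two is ignored."""
    if attrs.get("Tunnel-Type") != str(TUNNEL_TYPE_VLAN):
        return None
    if attrs.get("Tunnel-Medium-Type") != str(TUNNEL_MEDIUM_802):
        return None
    group = attrs.get("Tunnel-Private-Group-ID", "")
    return int(group) if group.isdigit() else None


def decide_policy(wlan: Wlan, accept_attrs: Dict[str, str], wlc_acls: Set[str]) -> Decision:
    """Apply the Access-Accept attributes to a client that just authenticated.

    wlc_acls is the set of ACL names configured on the controller; the
    'Airespace-ACL-Name' key is an assumed attribute name for this example."""
    if not wlan.aaa_override:
        # Override disabled: whatever RADIUS returned is ignored, SSID VLAN is used.
        return Decision(True, wlan.default_vlan, None, "aaa-override disabled; SSID VLAN used")

    acl = accept_attrs.get("Airespace-ACL-Name")
    if acl is not None and acl not in wlc_acls:
        # Limitation from the post: an ACL the WLC does not know rejects the client.
        return Decision(False, None, None, f"ACL '{acl}' not configured on WLC")

    vlan = vlan_from_radius(accept_attrs)
    if vlan is None:
        # No (complete) VLAN attribute: fall back to the VLAN of the SSID's interface.
        return Decision(True, wlan.default_vlan, acl, "no VLAN attribute; SSID VLAN used")
    return Decision(True, vlan, acl, "VLAN overridden by RADIUS")


if __name__ == "__main__":
    corp = Wlan("RSCCIEW", default_vlan=10, aaa_override=True)
    # Constructed Access-Accept for a user whose role maps to VLAN 82.
    accept = {"Tunnel-Type": "13", "Tunnel-Medium-Type": "6", "Tunnel-Private-Group-ID": "82"}
    print(decide_policy(corp, accept, {"TestACL"}))
    print(decide_policy(corp, {"Airespace-ACL-Name": "NoSuchACL"}, {"TestACL"}))
```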

Enable this feature on WLAN:

Via GUI:

AAAoverride2

Via CLI:

(WLC) >config wlan aaa-override enable <wlan-id>

In next post we will see how this function can be used with an example.

Foreign Mapping/ Auto Anchor Mobility

In this post we will learn how to configure foreign mapping between 2 controllers.

Auto-Anchor mobility, also known as Foreign Mapping, allows us to configure users that are on different foreign controllers in different physical locations to obtain IP addresses from a subnet or group of subnets based on their physical location.

  1. First of all, both controllers must have added each other to their mobility lists.
  2. Auto anchoring must be configured.

How to Configure Mobility

How to Configure Auto Anchoring

Steps to configure Foreign Mapping on the Anchor Controller:

***Make sure that it is only configured on the Anchor Controller, i.e. the controller where we want the client to terminate and get its IP address.

Step1: Select the WLANs tab.

Step2: Click the blue drop-down arrow for the WLAN (in my case RSCCIEW) and choose Foreign-Maps.

Step3: The foreign mappings page appears. This page lists the MAC addresses of the foreign controllers that are in the mobility group and the interfaces that are created on the Anchor WLC.

Step4: Select the desired foreign controller MAC (WLC2 in my case) and the interface (rscciew) to which it must be mapped, and click Add Mapping.

Anchor WLC configuration:

Foreignmap1

Foreignmap2

Foreignmap3

Foreignmap4

Verification:

Anchor WLC:

(WLC1) >show client  summary
 Number of Clients................................ 2
 GLAN/
 RLAN/
 MAC Address       AP Name           Slot Status        WLAN  Auth Protocol         Port Wired PMIPV6  Role
 ----------------- ----------------- ---- ------------- ----- ---- ---------------- ---- ----- ------- ----------------
 48:43:7c:8b:c3:92 192.168.10.3         N/A Associated     3    Yes  Mobile           13   No    No      Export Anchor
(WLC1) >show client detail 48:43:7c:8b:c3:92
 Client MAC Address............................... 48:43:7c:8b:c3:92
 Client Username ................................. N/A
 AP MAC Address................................... 00:00:00:00:00:00
 AP Name.......................................... N/A
 AP radio slot Id................................. N/A
 Client State..................................... Associated
 Client User Group................................
 Client NAC OOB State............................. Access
 Wireless LAN Id.................................. 3
 Wireless LAN Network Name (SSID)................. RSCCIEW
 Wireless LAN Profile Name........................ RSCCIEW
 Hotspot (802.11u)................................ Not Supported
 BSSID............................................ 00:00:00:00:00:ff
 Connected For ................................... 133 secs
 Channel.......................................... N/A
 IP Address....................................... 192.168.82.11
 Gateway Address.................................. 192.168.82.254
 Netmask.......................................... 255.255.255.0
 IPv6 Address..................................... fe80::
 Association Id................................... 0
 Authentication Algorithm......................... Open System
 Reason Code...................................... 1
 Status Code...................................... 0
 Session Timeout.................................. 0
 Client CCX version............................... No CCX support
 QoS Level........................................ Silver
 Avg data Rate.................................... 0
 Burst data Rate.................................. 0
 Avg Real time data Rate.......................... 0
 Burst Real Time data Rate........................ 0
 802.1P Priority Tag.............................. disabled
 CTS Security Group Tag........................... Not Applicable
 KTS CAC Capability............................... No
 WMM Support...................................... Disabled
 Supported Rates..................................
 Mobility State................................... Export Anchor
 Mobility Foreign IP Address...................... 192.168.10.3
 Mobility Move Count.............................. 1
 Security Policy Completed........................ Yes
 Policy Manager State............................. RUN
 Policy Manager Rule Created...................... Yes
 Audit Session ID................................. 0a63500100000085546f33bd
 AAA Role Type.................................... none
 Local Policy Applied............................. none
 IPv4 ACL Name.................................... none
 FlexConnect ACL Applied Status................... Unavailable
 IPv4 ACL Applied Status.......................... Unavailable
 IPv6 ACL Name.................................... none
 IPv6 ACL Applied Status.......................... Unavailable
 Layer2 ACL Name.................................. none
 Layer2 ACL Applied Status........................ Unavailable
 mDNS Status...................................... Enabled
 mDNS Profile Name................................ default-mdns-profile
 No. of mDNS Services Advertised.................. 0
 Policy Type...................................... N/A
 Encryption Cipher................................ None
 Protected Management Frame ...................... No
 Management Frame Protection...................... No
 EAP Type......................................... Unknown
 Interface........................................ rscciew
 VLAN............................................. 82
 Quarantine VLAN.................................. 0
 Access VLAN...................................... 82
 Local Bridging VLAN.............................. 10
 .
 .
 (WLC1) >

Foreign WLC:

(WLC2) >show client summary
 Number of Clients................................ 1
 RLAN/
 MAC Address       AP Name           Slot Status        WLAN  Auth Protocol         Port Wired PMIPV6 Role
 ----------------- ----------------- ---- ------------- ----- ---- ---------------- ---- ----- ------ ----------------
 48:43:7c:8b:c3:92 AP002             1   Associated     5    Yes  802.11n(5 GHz)   1    N/A   No     Export foreign
(WLC2) >show client detail 48:43:7c:8b:c3:92
 Client MAC Address............................... 48:43:7c:8b:c3:92
 Client Username ................................. N/A
 AP MAC Address................................... 84:80:2d:c3:6c:d0
 AP Name.......................................... AP002
 AP radio slot Id................................. 1
 Client State..................................... Associated
 Client NAC OOB State............................. Access
 Wireless LAN Id.................................. 5
 Hotspot (802.11u)................................ Not Supported
 BSSID............................................ 84:80:2d:c3:6c:db
 Connected For ................................... 123 secs
 Channel.......................................... 64
 IP Address....................................... 192.168.82.11
 Gateway Address.................................. Unknown
 Netmask.......................................... Unknown
 IPv6 Address..................................... fe80::
 Association Id................................... 2
 Authentication Algorithm......................... Open System
 Reason Code...................................... 1
 Status Code...................................... 0
 Session Timeout.................................. 0
 Client CCX version............................... No CCX support
 QoS Level........................................ Silver
 Avg data Rate.................................... 0
 Burst data Rate.................................. 0
 Avg Real time data Rate.......................... 0
 Burst Real Time data Rate........................ 0
 802.1P Priority Tag.............................. disabled
 CTS Security Group Tag........................... Not Applicable
 KTS CAC Capability............................... No
 WMM Support...................................... Enabled
 APSD ACs.......................................  BK  BE  VI  VO
 Power Save....................................... ON
 Current Rate..................................... m7
 Supported Rates.................................. 6.0,9.0,12.0,18.0,24.0,36.0,
 ............................................. 48.0,54.0
 Mobility State................................... Export Foreign
 Mobility Anchor IP Address....................... 192.168.10.1
 Mobility Move Count.............................. 0
 Security Policy Completed........................ Yes
 Policy Manager State............................. RUN
 Policy Manager Rule Created...................... Yes
 Audit Session ID................................. 0a63500300000073546f33bd
 AAA Role Type.................................... none
 Local Policy Applied............................. none
 IPv4 ACL Name.................................... none
 FlexConnect ACL Applied Status................... Unavailable
 IPv4 ACL Applied Status.......................... Unavailable
 IPv6 ACL Name.................................... none
 IPv6 ACL Applied Status.......................... Unavailable
 Layer2 ACL Name.................................. none
 Layer2 ACL Applied Status........................ Unavailable
 mDNS Status...................................... Enabled
 mDNS Profile Name................................ default-mdns-profile
 No. of mDNS Services Advertised.................. 0
 Policy Type...................................... WPA2
 Authentication Key Management.................... PSK
 Encryption Cipher................................ CCMP (AES)
 Protected Management Frame ...................... No
 Management Frame Protection...................... No
 EAP Type......................................... Unknown
 Interface........................................ management
 VLAN............................................. 10
 Quarantine VLAN.................................. 0
 Access VLAN...................................... 10
 .
 .
 (WLC2) >
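The two “show client detail” outputs above can be checked against each other mechanically. This added example (not from the original post) parses the dotted “Key..... value” lines and verifies that the same client is Export Anchor on WLC1 pointing at the foreign WLC, Export Foreign on WLC2 pointing back at the anchor, and placed on the mapped interface by the anchor. The two excerpts are trimmed copies of the page’s own output; parse_detail() and check_mapping() are this example’s own helpers, not WLC commands.

```python
import re
from typing import Dict, List

# Trimmed copies of the 'show client detail 48:43:7c:8b:c3:92' output from both controllers.
ANCHOR_DETAIL = """\
 Client MAC Address............................... 48:43:7c:8b:c3:92
 Client State..................................... Associated
 Wireless LAN Network Name (SSID)................. RSCCIEW
 IP Address....................................... 192.168.82.11
 Mobility State................................... Export Anchor
 Mobility Foreign IP Address...................... 192.168.10.3
 Mobility Move Count.............................. 1
 Interface........................................ rscciew
 VLAN............................................. 82
 Access VLAN...................................... 82
"""

FOREIGN_DETAIL = """\
 Client MAC Address............................... 48:43:7c:8b:c3:92
 AP Name.......................................... AP002
 Channel.......................................... 64
 IP Address....................................... 192.168.82.11
 Gateway Address.................................. Unknown
 Mobility State................................... Export Foreign
 Mobility Anchor IP Address....................... 192.168.10.1
 Mobility Move Count.............................. 0
 Interface........................................ management
 VLAN............................................. 10
"""

# key, a run of at least two dots, then the value (possibly empty)
FIELD_RE = re.compile(r"^\s*(.+?)\s*\.{2,}\s*(.*?)\s*$")


def parse_detail(text: str) -> Dict[str, str]:
    """Turn 'Key......... value' lines into a dict. Lines without a dotted leader
    (prompts, table rows) and dots-only continuation lines are skipped."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key = m.group(1).strip(". ")
        if key:
            fields[key] = m.group(2)
    return fields


def check_mapping(anchor: Dict[str, str], foreign: Dict[str, str],
                  anchor_ip: str, foreign_ip: str, interface: str) -> List[str]:
    """Return the list of inconsistencies between the two controllers' views;
    an empty list means the foreign mapping looks correct from both sides."""
    problems: List[str] = []
    if anchor.get("Client MAC Address") != foreign.get("Client MAC Address"):
        problems.append("client MAC differs between controllers")
    if anchor.get("Mobility State") != "Export Anchor":
        problems.append(f"anchor reports mobility state {anchor.get('Mobility State')!r}")
    if foreign.get("Mobility State") != "Export Foreign":
        problems.append(f"foreign reports mobility state {foreign.get('Mobility State')!r}")
    if anchor.get("Mobility Foreign IP Address") != foreign_ip:
        problems.append("anchor does not point at the expected foreign WLC")
    if foreign.get("Mobility Anchor IP Address") != anchor_ip:
        problems.append("foreign does not point at the expected anchor WLC")
    if anchor.get("IP Address") != foreign.get("IP Address"):
        problems.append("client IP address differs between controllers")
    if anchor.get("Interface") != interface:
        problems.append(f"anchor placed client on {anchor.get('Interface')!r}, expected {interface!r}")
    return problems


if __name__ == "__main__":
    issues = check_mapping(parse_detail(ANCHOR_DETAIL), parse_detail(FOREIGN_DETAIL),
                           anchor_ip="192.168.10.1", foreign_ip="192.168.10.3",
                           interface="rscciew")
    print("foreign mapping OK" if not issues else "\n".join(issues))
```

Note how the foreign WLC shows the client on its own management interface (VLAN 10) while the anchor puts it on rscciew (VLAN 82): that difference is exactly what the mapping is for.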

That’s all about Foreign Mapping 🙂

Office Extend AP

In this post we will learn how to set up an OfficeExtend AP. In my example I am using a normal AP (2600 series).

Basic Info:

As its name indicates, it “extends” our wireless network to a remote home office. It provides remote home workers with the same type of enterprise access they’d get within the corporate office.

Cisco has a specific AP for this use, the OEAP600:

The Aironet 600 is a simultaneous dual-band access point providing both 2.4 and 5 GHz radios. Hooks noted that by having simultaneous radios, one can be used for personal use while the other can be dedicated to corporate access, using separate SSIDs.

The OEAP 600 series APs have 4 LAN ports: one port is for the Remote-LAN, the other 3 are for local LAN connectivity. A maximum of 3 corporate WLANs can be extended and a maximum of 15 clients can join. Configuration-wise, the OEAP only requires the WLC IP address to be pre-configured.

The OEAP tunnels back to a Cisco WLC with an IPsec VPN tunnel. Another interesting point is that it keeps enterprise access and authentication extended across the VPN without the need for any additional configuration. The OfficeExtend AP requires an internal Cisco Wireless LAN Controller.

As per Cisco best practices, for proper security we need 2 WLCs (DMZ and internal). The second WLC is normally placed in the DMZ and must have a NAT address assigned to it, with UDP ports 5246 and 5247 open to it.

We just need to prime the AP with the public address set on the WLC and connect it to our Fritz!Box or DSL router. Once the AP comes up we can use our corporate networks with all of their security requirements, without any VPN connection.

Points to remember:

  1. Before connecting it to the Fritz!Box or DSL router, the AP must be primed with the WLC IP address.
  2. Then connect the AP to the Fritz!Box / DSL router; it gets an IP address, joins the primed controller and creates an encrypted DTLS tunnel. After that we can use all the SSIDs we normally use in our office.
  3. We must enable NAT on our WLC with the correct IP address by using this command:
config network ap-discovery nat-ip-only enable

OEAP1

Configuration Guide:

I am using the 2600 series AP (at the moment the CCIE lab doesn’t have the OEAP600 series).

In my case I first joined the AP to the WLC in local mode. Once it is connected, we have to change it to FlexConnect/HREAP mode.

Go to Wireless > All APs, select the specific AP we want to convert, then under the General tab select FlexConnect mode and click Apply. After that the AP will reboot.

OEAP2

Once it comes up in FlexConnect mode, we can see that there is one more tab, “FlexConnect”.

Now, to convert it to OEAP mode, we must check the Enable OfficeExtend AP box.

OEAP3

Just after checking the box we can see two prompts:

  1. Do you want to enable encryption –> Select OK
  2. Do you want to disable Rogue Detection –> Select OK

***If we choose to enable encryption, then all traffic will be encrypted (DTLS).

In my case I don’t have the right license for DTLS, so I can’t encrypt this tunnel.

Then click on Apply.

Now try to reach OEAP over web access: https://<ip address of AP>

It will ask for the username and password. After successful authentication of the user, this page will appear:

OEAP4

Click on Enter

OEAP5

We can also create a Personal SSID. Traffic from this SSID will not go through the DTLS tunnel.

Configuration > Check the Personal SSID box, enter the details and click Apply.

OEAP6

If we want, we can also broadcast specific WLANs from HQ to this AP by creating AP groups; otherwise, by default, it will be in default-group.

Other Info:

By default, the WLC will only respond with the NAT IP address during AP Discovery when NAT is enabled. If APs exist on the inside and outside of the NAT gateway, issue this command in order to set the WLC to respond with both the NAT IP address and Non-NAT (inside) Management IP address:

config network ap-discovery nat-ip-only disable

For more info please visit: OEAP Config Guide

Wired Guest Access with two WLC

In this post we will learn how to implement wired guest access with only two WLCs.

DMZ and Internal WLC Scenario:

Here is my Topology:

WiredGuest2wlc1

Foreign WLC Configuration:

  1. Configure a dynamic interface (in my case: wiredguestin) for wired guest user access on the foreign WLC.
  2. Create a WLAN and assign the Ingress interface to wiredguestin (created in the last step) and the Egress interface to management.
  3. Assign a Mobility anchor to the WLAN.

Foreign WLC:

Step1: Create a wired interface on WLC2:

WiredGuest2wlc2

Step2: WLAN creation on WLC2:

WiredGuest2wlc3

Step3: Assign the mobility anchor for the right WLAN:

WiredGuest2wlc4

Anchor WLC Configuration:

  1. Configure a normal dynamic interface (in my case it is guest) in which we want the guest clients to get their IP addresses (already created).
  2. Create a wired LAN for guest user access.
  3. Assign the mobility anchor to self (meaning local).
  4. Create test users locally on the WLC.
  5. Verification

Anchor WLC (WLC1):

I have already created a guest interface on my WLC to have internet access.

Step1: Skip

Step2: Create a WLAN (same as we did on WLC2, the foreign WLC). Make sure that here we assign the interface in which we want to put the clients (in my case it is guest).

Assign the Ingress interface as None and the Egress interface as guest.

WiredGuest2wlc5

Step3: Assign the mobility anchor to self (meaning local) 🙂

WiredGuest2wlc6

Step4: Local guest user creation

WiredGuest2wlc7

Verification:

Foreign WLC (WLC2):

WiredGuest2wlc8

Anchor WLC (WLC1):

WiredGuest2wlc9

WiredGuest2wlc10