Cisco Wireless

Complete Guide: How to Download & Deploy The Cisco 9800-CL Virtual Wireless Controller on VMware ESXi

2024-08-02T15:52:03+10:00

This article covers the deployment of the Cisco WLC 9800-CL cloud-based controller on the VMware ESXi platform. We explain the CPU, RAM and storage requirements, provide URLs to easily download and install the WLC controller using the OVA template, select the appropriate WLC 9800 deployment size (small, medium, large) and help you understand and configure the different WLC VM network interfaces.

Key Topics:

Introduction to the Cisco 9800 WLC Virtual Controller

Cisco released their next-generation 9800 series Wireless Controllers back in 2018, also offering a cloud-based version that supports VMware ESXi, Microsoft Hyper-V, Amazon AWS, Microsoft Azure, Google Cloud Platform (GCP), Ubuntu/Red Hat Enterprise Linux using KVM, and Cisco NFVIS environments.

The virtualized version of the WLC controller offers great flexibility for organizations while at the same time provides considerable savings thanks to its zero-price tag. Customers are able to freely download and deploy the appliance, with the only restriction being the AP licenses that need to be purchased as an ongoing subscription.

Virtualization offers additional benefits which include:

Hardware independence. Not hardware involved. Lead times for the hardware-based controllers can sometimes exceed 6-9 months depending on the market demand and other circumstances.
Decreased cost. The VM option means organizations are saving 6-figure amounts for every 9800-40 or greater model they require. If you’re considering introducing High-Availability (HA), then the Cloud-based controller becomes a much cheaper architecture. Additional savings are added since Smartnet contracts for the hardware are not required.
Better utilization of virtualization infrastructure. Utilizing the existing virtualization platform increases its ROI.
Greater Deployment Flexibility. VMs allow you to easily move them from one physical server to another, even between different datacenters or physical locations.
Increased Redundancy & Backups. Backing up a VM is an easy and simple process. You can even use specialized free VM Backup tools for this process.

Cisco 9800 WLC Virtual Controller VMware ESXi Requirements

Deploying the WLC 9800-CL in an ESXi environment is, as you’ll discover, a simple process. Cisco provides a single OVA file package, roughly around 1.25GB in size:

Easily Convert Cisco Autonomous - Standalone AP to Lightweight Mode & Register it to a Cisco WLC Controller

2018-10-12T20:07:52+11:00

This article explains how to convert a local or remote Autonomous / Standalone Cisco Aironet Access Point to Lightweight and register it to a Cisco WLC Controller. Included are detailed steps, commands, full text logs of the conversion process and screenshots to ensure an easy and successful upgrade - WLC registration.

Key Topics:

Restrictions & Considerations when Converting Autonomous APs to Lightweight Mode

Converting an Autonomous AP to Lightweight Mode is a straight forward process however it is important to keep a few things in mind before performing the conversion procedure as there are some restrictions users should be aware of.

Depending on the level of experience some of these notes/restrictions might be considered basic or redundant knowledge. For sake of simplicity we are presenting them in bullet format:

All Cisco lightweight access points are capable of supporting up to 16 BSSIDs per radio and a total of 16 WLANs per access point.
Access points converted to lightweight mode require a DHCP server to obtain an IP address and discover the WLC via DNS or IP broadcast.
Lightweight access points do not support Wireless Domain Services (WDS). All lightweight APs communicate with the WLC.
Lightweight AP console port provides read-only access to the AP.

The Different Type of Access Point Image Files (k9w8 & rcvk9w8)

Before we begin the conversion process it is necessary to download the CAPWAP software file that matches the Access Point to be converted. These files can be downloaded from Cisco’s website and usually require an active Smartnet contract. Alternatively, a search on the web might reveal other sources from which they can be downloaded.

There are two type of AP CAPWAP software files we can download and install:

Fully functional CAPWAP Image file (full image) – Identified by the k9w8 string in their filename and are usually large in size (10-20Mb). Once loaded, the AP is able to join the WLC and download its configuration. Example file name: ap3g1-k9w8-tar.152-4.JB6.tar

Recovery mode CAPWAP Image file – Identified by the rcvk9w8 string in their filename. These are smaller in size (5-8Mb) and used to help the AP boot and join the controller so it can then download the full image from the WLC. Example filename: ap3g1-rcvk9w8-tar.152-4.JB6.tar

Regardless of the type of image loaded during the conversion process, the AP will always download the full image from the WLC as soon as it joins. The only exception to this rule is when the fully functional CAPWAP image file loaded on the AP is the same version as the one contained in the WLC.

Cisco AP Autonomous to Lightweight Conversion Process

First download a fully functional or recovery mode CAPWAP file suitable for the AP model. In our example we will be converting a Cisco 3502 AP and decided to download the appropriate recovery mode file: ap3g1-rcvk9w8-tar.152-4.JB6.tar.

Since the AP will automatically download the full image from the WLC once it joins, using the recovery mode file will speed up the conversion process.

We’ll need to have a FTP server running so we can configure the AP to download the file from it.

STEP 1: Power up the Autonomous AP & Configure a FTP server form where the AP will download the image

STEP 2: Connect the Autonomous AP to a network switch or directly to the workstation serving the AP image via a FTP server.

STEP 3: Configure the AP with an IP address appropriate for the network or set it to DHCP

In our example we configure the AP to obtain its IP address from a DHCP server:

ap(config)# interface bvi1

ap(config-if)# ip address dhcp

*Mar 1 00:27:53.248: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address 192.168.2.83, mask 255.255.255.0, hostname ap

The AP confirms once it has successfully obtained an IP address from the DHCP server.

Note: BVI interface indicates that the Radio interface (e.g Dot11Radio0) and Ethernet interface (e.g GigabitEthernet0) are bridged (bridge-group x). If this is not your case, apply the configuration to the AP’s Ethernet interface.

STEP 4: Configure the AP with the FTP user account credentials as configured on the FTP server. This will allow the AP to access and download the image file. Once configured, begin the software download procedure using the archive download-sw command.

Here is the complete text log of the procedure:

ap# configure terminal

ap(config)# ip ftp username admin

ap(config)# ip ftp password cisco1234

ap(config)# exit

ap# archive download-sw /force-reload /overwrite ftp://192.168.2.61/ap3g1-rcvk9w8-tar.152-4.JB6.tar

Mar 1 00:30:46.348: %SYS-5-CONFIG_I: Configured from console

Mar 1 00:30:50.563: Loading ap3g1-rcvk9w8-tar.152-4.JB6.tar

extracting info (264 bytes)!

Image info:

Version Suffix: rcvk9w8-

Image Name: ap3g1-rcvk9w8-mx

Version Directory: ap3g1-rcvk9w8-mx

Ios Image Size: 123392

Total Image Size: 7936512

Image Feature: WIRELESS LAN|LWAPP

Image Family: AP3G1

Wireless Switch Management Version: 7.6.100.0

MwarVersion:07066400.First AP Supported Version:07000000.

Image version check passed

*Mar 1 00:30:46.348: Loading ap3g1-rcvk9w8-tar.152-4.JB6.tar

Extracting files...

ap3g1-rcvk9w8-mx/ (directory) 0 (bytes)

extracting ap3g1-rcvk9w8-mx/ap3g1-rcvk9w8-mx (121199 bytes)

extracting ap3g1-rcvk9w8-mx/ap3g1-boot-m_upg (393216 bytes)!!

extracting ap3g1-rcvk9w8-mx/u-boot.bin (393216 bytes)!

extracting ap3g1-rcvk9w8-mx/ap3g1-rcvk9w8-xx (7016987 bytes)!!!!!!!!!!!!!!!!!!!!!!!!!!!

extracting ap3g1-rcvk9w8-mx/info (264 bytes)

extracting ap3g1-rcvk9w8-mx/file_hashes (712 bytes)

extracting ap3g1-rcvk9w8-mx/final_hash (141 bytes)

extracting ap3g1-rcvk9w8-mx/img_sign_rel.cert (1375 bytes)

extracting ap3g1-rcvk9w8-mx/img_sign_rel_sha2.cert (1371 bytes)!

extracting info.ver (264 bytes)

[OK - 7946240/4096 bytes]

Deleting target version: flash:/ap3g1-rcvk9w8-mx...done.

Deleting current version: flash:/ap3g1-k9w7-mx.153-3.JF5...

Set booting path to recovery image: ''...done.

New software image installed in

Writing out the event log to flash:/event.log ...

flash:/ap3g1-rcvk9w8-mx

Configuring system to use new image...done.

Requested system reload in progress...

archive download: takes 221 seconds

*Mar 1 00:34:31.088: %DOT11-5-EXPECTED_RADIO_RESET: Restarting Radio interface Dot11Radio0 due to IOS reload

*Mar 1 00:34:31.088: %DOT11-5-EXPECTED_RADIO_RESET: Restarting Radio interface Dot11Radio1 due to IOS reload

*Mar 1 00:34:31.094: %SYS-5-RELOAD: Reload requested by Exec. Reload Reason: Reason unspecified.

The /force-reload parameter will automatically reload the AP as soon as the new software image is installed while the /overwrite parameter is required to replace the autonomous image with the CAPWAP image.

Console cable can be used for the conversion process of local APs. Alternatively SSH/Telnet can be used for the conversion of both local and remote APs.

Registering Cisco Lightweight AP to WLC Controller

Once the CAPWAP image has been successfully loaded on the AP it reload and begin searching to register with a WLC Controller. As soon as the AP successfully registers with the WLC it will compare its image with that of the controller and if found different begin to download and install it.

It is important to ensure there is an active DHCP server on the same VLAN/network as the AP to provide it with an IP address, subnetmask, gateway and DNS parameters. DNS parameters are not mandatory but will speed up the WLC discovery processes if the DNS server contains an “A Type” resource record of “CISCO-CAPWAP-CONTROLLER” pointing to the WLC’s IP address.

In the logs below we can see our AP searching for the WLC (Translating "CISCO-CAPWAP-CONTROLLER"...domain server) after its initial reload (we’ve just installed recovery mode image). It then discovers the WLC (both WLC and AP are on the same VLAN), registers and downloads the WLC full CAPWAP image:

Click to enlarge

Mar 1 00:00:41.806: %CDP_PD-2-POWER_LOW: All radios disabled - NEGOTIATED WS-C3560CX-12PC-S (0076.8697.b603)

*Mar 1 00:00:46.122: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address 192.168.50.12, mask 255.255.255.0, hostname APe05f.b9a7.e290

Translating "CISCO-CAPWAP-CONTROLLER"...domain server (8.8.8.8)

*Mar 1 00:00:57.113: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP. (8.8.4.4)

*Mar 1 00:01:15.119: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER

*Mar 1 00:01:25.120: %CAPWAP-3-ERRORLOG: Go join a capwap controller

*Sep 6 09:54:05.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.50.5 peer_port: 5246

examining image...

extracting info (287 bytes)

Image info:

Version Suffix: k9w8-.153-3.JD4

Image Name: ap3g1-k9w8-mx.153-3.JD4

Version Directory: ap3g1-k9w8-mx.153-3.JD4

Ios Image Size: 9042432

Total Image Size: 10138112

Image Feature: WIRELESS LAN|LWAPP

Image Family: AP3G1

Wireless Switch Management Version: 8.3.112.0

Extracting files...

ap3g1-k9w8-mx.153-3.JD4/ (directory) 0 (bytes)

extracting ap3g1-k9w8-mx.153-3.JD4/u-boot.bin (393216 bytes)

*Sep 6 09:54:07.258: %CAPWAP-5-DTLSREQSUCC: DTLS connection created successfully peer_ip: 192.168.50.5 peer_port: 5246

The following screenshot was taken after the AP joined the WLC and begun automatically downloading the new image:

As soon as the AP downloads and installs the new image, it will automatically reload and register with the WLC again. At this point the AP is ready to be configured and used as required.

Finally notice the date/time correction (*Sep 6 09:54:05.000) as soon as the AP registers with the WLC controller. This is the first indication its registered correctly with the WLC at IP address 192.168.50.5

Summary

This article showed how to convert an Autonomous or Standalone Cisco Access Point to Lightweight mode and join it to a Cisco WLC Controller. We covered the different restrictions and considerations during the AP conversion process, explained the difference between the fully functional CAPWAP (k9w8) and recovery mode CAPWAP (rcvk9w8) image files. Finally we provided the necessary commands & tips to configure the AP, transfer the image and register it with the WLC.

Configuring Cisco WLC Link Aggregation (LAG) with Port-Channel EtherChannel. LAG Restrictions for WLC Models

2018-09-21T19:44:30+10:00

Cisco Wireless Controllers (WLC) support the configuration of Link Aggregation (IEEE 802.3ad - LAG) which bundles the controller ports into a single port channel. This helps simplify the configuration of the WLC interface ports, increase available bandwidth between the wireless and wired network, provide load-balancing capabilities between physical WLC ports and increase port redundancy.

To learn more about WLC interfaces refer to our article Cisco WLC Interfaces, Ports & Their Functionality article

The diagram below shows an example of a WLC 2504 with ports P1 and P2 in a LAG configuration connecting to a Cisco Catalyst or Nexus switch. In the configuration below WLC ports P1 and P2 are aggregated to provide a total of 2Gbps bandwidth:

Key Topics:

Link Aggregation Restrictions - Considerations

While LAG is the preferred method of connecting the WLC to the network there however a number of restrictions we need to be aware of to ensure we don’t stumble into any unpleasant surprises.

On 2504 and 3504 WLCs you can bundle all 4 ports into a single link.
On 5508 WLC you can bundle up to 8 ports into a single link.
Link Aggregation Control Protocol (LACP) or Cisco proprietary Port Aggregation Protocol (PAgP) are not supported by the WLC. Port-Channel members must be set unconditionally to LAG (shown in the configuration below).
Only one LAG Group is supported per WLC, you can therefore connect a WLC only to one switch unless using VSS (Catalyst) or vPC (Nexus) technologies.
When LAG is enabled, if a single link fails, traffic is automatically switched to the other links.
After enabling LAG the WLC must be rebooted.
When enabling LAG, all dynamic AP manager interfaces and untagged interfaces will be deleted. (See related article WLC Interfaces – Logical Interfaces)
After enabling LAG, all Virtual Interfaces use the LAG interface. No backup port (under the Virtual Interface settings) is configurable:

Click to enlarge

Wireless Controller LAG Configuration – Enabling LAG

First step is to enable LAG. Log into the WLC and click on the Advanced menu option (firmware v8 and above only). Next, select the Controller menu option and set the LAG Mode on next reboot option to Enabled and click on the Apply button:

At this point the WLC will pop up a warning window explaining the changes that are about to take place. As mentioned previously, all dynamic AP manager interfaces and untagged interfaces will be deleted. (See related article WLC Interfaces – Logical Interfaces to understand the implications):

Once we click on OK the WLC will proceed to enable LAG mode and present us with another notification requesting that we save the configuration and reboot the controller:

Note: Ignore the DNS Server IP that was presented in our Lab environment.

Next, click on the Save Configuration button on the top right corner. To reboot the controller, click on Commands menu, select Reboot from the right menu column and finally click on the Reboot button on the right:

Click on OK in the popup message to confirm the reboot.

At this point the WLC will reboot and we won’t be able to ping or access the WLC web interface until we configure the switch. All access points and wireless networks will also be unavailable.

Configuring Switch Port-Channel to Support Link Aggregation

The Port-channel configuration is a straight forward process. It’s best to ensure all interfaces participating in the Port-channel are set to their default configuration. This will remove any existing configuration, minimizing errors during the switchport configuration process.

First remove existing configuration from the interfaces participating in the Port-channel (Gigabitethernet 0/6 & 0/7), then make them members of Port-channel 1. If the Port-channel doesn’t exist, it will be automatically created:

3560cx-HQ(config)# default interface range Gigabitethernet 0/6-7
3560cx-HQ(config)# interface range GigabitEthernet 0/6-7
3560cx-HQ(config-if-range)# channel-group 1 mode on

Creating a port-channel interface Port-channel 1
3560cx-HQ(config-if-range)# description WLC2504
3560cx-HQ(config-if-range)# switchport mode trunk
3560cx-HQ(config-if-range)# switchport trunk allowed vlan 2,15,16,22,26
3560cx-HQ(config-if-range)# no shutdown

Below is the complete Port-channel and interface configuration:

!
interface Port-channel1
description WLC2504
switchport trunk allowed vlan 2,15,16,22,26
switchport mode trunk
!
interface GigabitEthernet0/6
switchport trunk allowed vlan 2,15,16,22,26
switchport mode trunk
channel-group 1 mode on
!
interface GigabitEthernet0/7
switchport trunk allowed vlan 2,15,16,22,26
switchport mode trunk
channel-group 1 mode on
!

Notice that the channel-group mode is set to on which enables Etherchannel without any LACP or PAgP support. This is because the WLC doesn’t support LACP or PAgP and requires a plain vanilla Etherchannel.

When connecting the WLC to a modular Catalyst or Nexus switch its always advisable to use ports on different modules as this will increase redundancy in the event of a module failure.

Finally during the Port-channel configuration process, ensure to allow all necessary VLANs used by the WLC controller and wireless network.

Once the configuration is complete, we’ll should be able to ping and access the WLC again.

A simple show interface port-channel 1 will also confirm both configured links are up and we have a total bandwidth of 2Gbps:

3560cx-HQ# show interface port-channel 1

Port-channel1 is up, line protocol is up (connected)
Hardware is EtherChannel, address is 0076.8697.b607 (bia 0076.8697.b607)
Description: WLC2504
MTU 1500 bytes, BW 2000000 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 1000Mb/s, link type is auto, media type is unknown
input flow-control is off, output flow-control is unsupported
Members in this channel: Gi0/6 Gi0/7
ARP type: ARPA, ARP Timeout 04:00:00

Additional useful commands that can be used to obtain more information on the Etherchannel are:

Show etherchannel 1 summary
Show etherchannel 1 status
Show etherchannel 1 port-channel
Show etherchannel 1 protocol

Summary

This article explained the advantages and showed how to configure Link Aggregation (LAG) on your Cisco WLC. We included a number of important LAG restrictions for WLCs while noting restrictions for specific WLC models (2504, 5508 etc). Cisco switch port configuration using Port-channel interfaces was also included along side with an explanation on why Etherchannel must be used as WLC LAG does not support LACP or PAgP. Finally we included a number of useful commands to verify and troubleshoot Link Aggregation or Port-channel interfaces.

Cisco WLC Interfaces, Ports & Their Functionality. Understand How WLCs Work, Connect to the Network Infrastructure & Wi-Fi SSID/VLAN mappings

2015-03-16T08:26:21+11:00

Our previous article introduced Cisco’s popular Wireless ControllerCisco’s popular Wireless Controller (WLC) devices and examined their benefits to enterprise networks, different models offered and finally took a look at their friendly GUI interfaces. This article continues by explaining the purpose and functionality of each WLC interface (Management interface, Virtual interface, AP-Manager interface, Dynamic interfaces etc), WLC Port (Service port, Redundant port, Distribution ports etc), how WLCs connect to the network infrastructure, VLAN requirements and mapping to SSIDs.

Users can freely download Cisco's WLC product portfolio in our Cisco's Wireless Controller Datasheets download section. The datasheets contain all currently available WLC models, brief specification overview/comparison and much more.

WLC Interface Concepts – Understanding Ports & Logical Interfaces

Every WLC is fitted with a number of ports (physical interfaces) and logical interfaces, all critical for the device’s proper operation and integration with the network infrastructure. It is important that engineers working with WLCs, understand the purpose of each interface and how it should be used. This will help maximize the stability and scalability of any WLC deployment by correctly configuring all necessary interfaces and attached devices.

WLC Ports (Physical Interfaces)

We will now take a look at the different ports that can be found on WLCs and explain their purpose. Depending on the WLC model, some ports might or might not be present. The Console Port and Distribution System Ports are found on all WLCs.

Figure 1. Available Ports on a Cisco WLC 5500

Redundancy Port

This port is used for High-Availability (HA) deployment designs when there are two WLCs available. In this setup, both WLCs are physically connected with each other through the Redundant Port using an Ethernet cable. The redundancy port is used for configuration, operational data synchronization and role negotiation between the primary and secondary controllers.

The redundancy port checks for peer reachability by sending UDP keepalive messages every 100 milliseconds from the standby-hot WLC to the active WLC. Finally, the first two octets of the redundancy port’s IP address is always 169.254.xxx.xxx.

Service Port

The service port is used for out-of-band management of the controller and system recovery and maintenance in the event of a network failure. It is important to note that the service port does not support VLAN trunking or VLAN tagging and is therefore required to connect to an access port on the switch.

It is also recommended not to connect the service port to the same VLAN as the wired clients network because by doing so, administrators will not be able to access the management interface (analysed later) of the controller.

SFP/Ethernet Distribution System Ports

The distribution system ports are the most important ports on the WLC as they connect the internal logical interfaces (analysed below) and wireless client traffic to the rest of our network. High-end WLCs as the WLC 5500 series above, have multiple SFP-based distribution system ports allowing engineers to connect the WLC with the network backbone using different configurations. The SFP Ports are able to accept fiber optic or Ethernet copper interfaces, with the use of the appropriate SFPs.

Figure 2. Picture of Fiber & Ethernet Copper SFPs

Lower-end WLCs such as the WLC2504 or the older WLC2100 series provide Ethernet interfaces only, because of the limited number of access points supported. For example, the WLC2504 provides up to 4 Gigabit Ethernet ports and can support up to 75 access points, while the WLC2125 provides up to 8 FastEthernet ports and supports up to 25 access points.

Figure 3. Pictures of WLC2504 & WLC2124

WLC Interfaces (logical Interfaces)

In this section, we will examine the logical interfaces that can be found on all WLCs. Understanding the functionality of each logical interface is crucial for the correct setup and deployment of any Cisco WLC-based wireless network.

The WLC’s logical interfaces are used to help manage the Wireless SSIDs broadcasted by the access points, manage the controller, access point and user data, plus more.

The diagram below provides and visual layout of the logical interfaces and how they connect to the physical ports of a WLC:

Figure 4. Cisco Wireless Controller Interfaces & Ports (click to enlarge)

The above layout shows how each Wireless SSID (WLAN 1, WLAN 2 etc), maps to a Dynamic interface. In turn, each Dynamic interface maps to a specific VLAN. The number of WLANs & Dynamic interfaces depend on the WLC model. The bigger the WLC model, the more SSIDs (Wireless Networks)/Dynamic interfaces it supports.

All Dynamic interfaces and AP-Manager/Manager interfaces connect to the network infrastructure via the Distribution ports which depending on the WLC model are SFP or Ethernet (10/100 or Gigabit) interfaces.

Because all WLCs have multiple physical Distribution ports, it is possible to assign all Dynamic interfaces and AP-Manager/Manager interfaces to one physical Distribution port, as shown in the above diagram. In this case, the Distribution port is configured as an 802.1q Trunk port. Alternatively, Dynamic interfaces can also be assigned to separate physical Distribution ports, so that a specific WLAN/Dynamic interface can tunnel its traffic through a single Distribution port.

The dedicated Service-Port seen in the above diagram can be found only on the WLC 5500 series and 7500/8500 series which connects directly to the network.

Let’s take a closer look at each logical interface and explain its purpose:

Management Interface

The management interface is the default interface used to access and manage the WLC. The management interface is also used by the access points to communicate with the WLC. The management interface IP address is the only ping-able IP address and is used by administrators to manage the WLC.

Administrators can log into the WLC’s configuration GUI by entering the management interface IP address in a web browser and logging into the system.

AP-Manager Interface

A controller can have one of more AP-Manager interfaces which are used for all Layer 3 communications between the controller and lightweight access points after they have joined the controller. The AP-Manager IP address is used as the tunnel source for CAPWAP/LWAPP packets from the controller to the access points, and as the destination IP address for CAPWAP/ LWAPP packets from the access points to the controller.

While the configuration and usage of the AP-Manager interfaces is optional, models such as the WLC2504 and WLC5508, do not have a dedicated AP-Manager interface. For these models, under the Management interface settings, there is an option labeled Enable Dynamic AP Management, that allows the Management interface to work as an AP-Manager interface at the same time:

Figure 5. Cisco WL2504 - Management interface, Dynamic AP Management option (click to enlarge)

According to Cisco's documentation, each AP-Manager interface can handle up to 48 access points, however we belieive with the latest firmware updates that this limit has been increased to 75, because the smaller WLC model (2504) can now handle up to 75 access points with its dual-purpose management/AP-Manager interface. If more access points are installed, then multiple AP-Manager interfaces are required to be configured.

Virtual Interface

The virtual interface is used to manage and support wireless clients by providing DHCP relay functionality, guest web authentication, VPN termination and other services. The virtual interface plays the following two primary roles:

Acts as the DHCP server placeholder for wireless clients that obtain their IP address from a DHCP server.
Serves as the redirect address for the web authentication login page (if configured).

The virtual interface IP address is only used for communications between the controller and wireless clients. It never appears as the source or destination address of a packet that goes out through the distribution ports and on to the local network.

Finally, the IP address of the virtual interface must be unique on the network. For this reason, a common IP address used for the virtual interface is 1.1.1.1. All controllers within a mobility group must be configured with the same virtual interface IP address to ensure inter-controller roaming works correctly without connectivity loss.

Service-Port Interface

The service-port interface is used for out-of-band management of the controller. If the management workstation is in a remote subnet, it may be necessary to add a IPv4 route on the controller in order to manage the controller from the remote workstation.

It is important to note that the service-port IP address must not reside on the same subnet as the Manager/AP-Manager interface.

Smaller WLC models such as the WLC2124, WLC2504 do not have a service-port interface.

Dynamic Interface

The easiest way to explain dynamic interfaces is to think of them as VLAN interfaces for your wireless networks (SSIDs). One dynamic interface is created per wireless network/SSID. The wireless network or SSID is mapped to a dynamic interface, which is then mapped to a specific VLAN network.

As mentioned earlier, dynamic interfaces can be assigned to separate physical distribution ports, so that traffic from specific WLANs, pass to the wired network via specific distribution ports. In this scenario, each distribution port is a single access-link carrying one VLAN only.

Alternatively, all dynamic interfaces can be mapped to one distribution port, in which case will be a trunk port so that it can carry all WLANs/VLANs. This is a common setup method for smaller networks.

Finally, each dynamic interface must be on a different VLAN or IP subnet from all other interfaces.

Since the WLC2504 controller can handle up to 16 SSIDs, it can have a maximum of 16 dynamic interfaces, and support a maximum of 16 VLANs.

Distribution Port - Link Aggregation

All WLCs support the aggregation of multiple distribution ports into a single port using the 802.3ad port standard. This allows an administrator to create one large link between the WLC and the local switch.

For example, the WLC2504 provides 4 Gigabit Ethernet ports, allowing us to aggregate all 4 ports with the neighbour switch and create a 4 Gigabit Ethernet link with the wired network. EtherChannel will have to be configured on the local switch for the link aggregation to work.

WLCs do not support Link Aggregation Control Protocol (LACP) or Cisco’s proprietary Port Aggregation Protocol (PAgP), and therefore the switch must be set unconditionally to LAG. Only one LAG group is supported per controller.

Conclusion

This article introduced the Cisco Wireless LAN Controller interfaces. We covered the interfaces and ports found on WLCs, and analysed each interface's purpose, including Ethernet distribution ports, service port, redundancy port, interfaces such as the management interface, ap-manager interface, virtual interface and dynamic interfaces.

Introduction To Cisco Wireless Controllers (WLC) - Basic Concepts – WLC Models, Benefits & Their Friendly GUI Interface

2015-03-11T06:11:36+11:00

The Cisco Wireless Controller (WLC) series devices provide a single solution to configure, manage and support corporate wireless networks, regardless of their size and locations. Cisco WLCs have become very popular during the last decade as companies move from standalone Access Point (AP) deployment designs to a centralized controller-based design, reaping the enhanced functionality and redundancy benefits that come with controller-based designs.

Cisco currently offers a number of different WLC models, each targeted for different sized networks. As expected, the larger models (WLC 8500, 7500, 5760 etc) offer more high-speed gigabit network interfaces, high availability and some advanced features required in large & complex networks, for example supporting more VLANs and WiFi networks, thousands of AP & Clients per WLC device and more.

Recently, Cisco has begun offering WLC services in higher-end Catalyst switches by embedding the WLC inside Catalyst switches e.g Catalyst 3850, but also as a virtual image 'Virtual WLC' that runs under VMware ESX/ESXi 4.x/5.x. Finally Cisco ISR G2 routers 2900 & 3900 series can accept Cisco UCS–E server modules, adding WLC functionality and supporting up to 200 access points and 3000 clients.

Figure 1. A few of the larger Cisco WLC models and Catalyst 3850

More detailed information on the current available models and their specifications can be obtained from our Cisco Wireless Controller Product and Datasheet section and freely download WLC datasheets containing each model’s features, deployment modes, supported VLANs, maximum access points & clients, encryption features, wireless standards support (802.11xx) and many more.

Learn about WLC interfaces, their physical and logical ports, how they connect to the network and how Wireless SSIDs are mapped to VLAN interfaces, plus much more, in our Cisco WLC Interfaces, Ports & Their Functionality. Understand How WLCs Work, Connect to the Network Infrastructure & Wi-Fi SSID/VLAN mappings article.

Working With The Cisco WLC

While all WLC models support GUI and CLI based configuration, in contrast with Cisco routers and switches which are usually configured via CLI, WLCs are most often configured via their nicely designed web GUI. The CLI is mandatory only during the initial configuration, where the engineer is required to assign an IP address to the WLC device, along with a few other important parameters.

Working with any WLC model gives the engineer a great advantage as the interface is identical across all WLC models, making it easy to manage and configure, regardless of the WLC model:

Figure 2. Cisco WLC 8500 (left) and Cisco WLC 2500 (right) web interface

Unlike other Cisco products, the WLC’s GUI interface is extremely well designed with a logical layout.

When logging into the WLC GUI, the administrator is presented with a healthy amount of information, including a front view of the controller from where he can see the status of each physical port and more details which we’ll be looking into right now.

Below is a screenshot of the WLC2504 homepage web interface:

Figure 3. Cisco 2504 WLC – Click to enlarge

The great part is that the homepage provides all necessary information an administrator would want to see during a routine check and that includes:

Visual state of the controller’s physical ports
Status of the controller's hardware (up time, IP address, CPU/Memory usage, temperature, firmware version etc)
Summary of Access Points connected and up/down radio interfaces
Current connected clients (on all wireless networks)
Top wireless networks and number of clients connected to each
Rogue Access Points and Clients detected
Recent traps generated by the controller

Obtaining more information on any section can be easily done by clicking on the Detail link next to it.

The following screenshot shows the information presented by the controller when clicking on the Detail link under the Access Point Summary > All Access Points section:

Figure 4. Browsing through All APs currently registered – Click to enlarge

The information shown is extremely useful as it contains each access point's name, model, MAC address, Up time (extremely useful when troubleshooting client connection issues), access point admin state (enabled/disabled), firmware version and many more.

Equally useful information is provided when clicking on the Detail link of the Client Summary > Current Clients section:

Figure 5. Viewing currently connected clients – Click to enlarge

In this screen, the controller shows each client’s MAC address, the AP to which its connected, WLAN Profile used, WLAN SSID the client is connected to, protocol used (802.11a/b/g/n), status and much more. We would however like to have the option to also show the IP address of the wireless client on this page – for this information you currently need to click on its MAC address, after which a page loads the IP address of the client alongside with other information.

When necessary, the administrator can dive further and obtain more information on almost any aspect of the Wireless network, SSIDs, clients connected, client speeds etc – the list is endless!

Summary

This article introduced the Cisco Wireless LAN Controller (WLC). We explained the basic concepts behind the product, and talked about the different models available and their main features. We took a look at the intuitive GUI interface used to setup and monitor the controller and the whole wireless infrastructure. More information on Cisco Wireless Controllers and wireless technology can be found in our Cisco Wireless Section. Users can also read about WLC interfaces-ports and their purpose, VLAN/SSID mappings and much more, in our next article: Cisco WLC Interfaces, Ports & Their Functionality. Understand How WLCs Work, Connect to the Network Infrastructure & Wi-Fi SSID/VLAN mappings.

Cisco Wireless Controllers (WLC) Datasheets Available for Download

2015-03-11T05:24:54+11:00

We would like to inform our readers that Firewall.cx has just made available as a free download all of Cisco's Wireless Controller Datasheets.

The datasheets provide valuable infomation for all currently available Cisco Wireless Controllers including:

Scalability,
Performance speed
RF Management
QoS features
Supported Access Points models
Maximum Access Points & SSIDs
Supported Wireless Standard (802.11xx)
Physical interfaces
Redundancy options
Security standards
RFC compliance and support
Supported encryption methods
Authentication - Authorization & Accounting (AAA) support
Ordering information (product-id)
Optional accessories
License upgrade options their product-id

Read our article on Cisco Wireless Controllers - Basic concepts, models and benefits they provide to companies.

Readers can head directly to our Cisco Product Datasheets & Guides where they can find the Cisco Wireless Controllers (WLC) Datasheet section amongst other Cisco products.

Cisco Aironet 1100 & 1200 Series (1110, 1121, 1142, 1230, 1240, 1242AG) Factory Reset & Configuration Password Reset Procedure via CLI and Web GUI

2012-12-27T05:29:52+11:00

Resetting a Cisco Aironet access point can be required if you’ve lost your password or need to wipe out the configuration of a previously configured access point. Cisco provides two main methods to perform a factory reset on the Aironet 1100 and 1200 series access points and these are: 1) Via the Mode Button 2) Via Web Interface.

The first method (Mode Button) does not require any user credentials or passwords as the reset procedure is performed during the boot up process and does not involve logging into the access point.

The second method (Web Interface) requires username and password with privileged access 15 (administrator privileges) in order to perform the reset procedure.

Both reset procedures described below will reset all configuration settings to factory defaults. This means it will erase all passwords, SSIDs, WEP/WPA keys, IP address and anything else configured on the access point.

When the Cisco Aironet access point factory-reset procedure is complete, the default credentials will need to be used to access it. Both username and passwords are Cisco with a capital “C” (case-sensitive). In addition, the factory default IP address for the access point will be 10.0.0.1.

Factory Reset via MODE Button

This is the most common reset method engineers look for, and we’ve got it covered in four easy-to-follow steps!

Step 1
Disconnect power (the power jack for external power or the Ethernet cable for in-line power) from the access point.

Step 2
Press and hold the MODE button while you reconnect power to the access point.

Step 3
Hold the MODE button until the Status LED turns amber (approximately 1 to 2 seconds), and release the button.

Step 4
Reboot the access point by performing a power-cycle (switch off and then on) After the access point reboots, you must reconfigure the access point by using the Web-browser interface or the CLI.

CLI Output During Factory Reset via MODE Button

Below is the CLI output during the Mode button reset method. It is clear that once the access point sees the MODE button pressed for 20 seconds (the time it takes until the status LED turns amber), it initiates the recovery process:

flashfs[0]: 147 files, 7 directories

flashfs[0]: 0 orphaned files, 0 orphaned directories

flashfs[0]: Total bytes: 32385024

flashfs[0]: Bytes used: 5549056

flashfs[0]: Bytes available: 26835968

flashfs[0]: flashfs fsck took 20 seconds.

Reading cookie from system serial eeprom...Done

Base Ethernet MAC address: 1c:de:0f:94:b7:b8

Ethernet speed is 100 Mb - FULL duplex

button pressed for 20 seconds

process_config_recovery: set IP address and config to default 10.0.0.1

process_config_recovery: image recovery

image_recovery: Download default IOS tar image tftp://255.255.255.255/c1140-k9w7-tar.default

examining image...

Factory Reset via Web Interface (Recommended Option for Remote Reset)

Resetting your Cisco access point via its web interface is an easy process. Following are the steps required:

Step 1
Open a web browser and enter the IP address of your Cisco access point

Step 2
Enter the necessary credentials (username & password)

Step 3
Once successfully logged in, you’ll be presented with Summary Status page:

Step 4
From the main menu, select System Software and then System Configuration sub-menu. The access point will present a number of different management options.

Here we can select the Reset to Defaults to initiate the factory reset or alternatively the Reset to Defaults (Except IP) if we wish to reset to factory defaults but keep the current IP address. The second option is especially handy in case you are required to perform this procedure remotely.

This completes the Factory Reset procedure for all Cisco Aironet 1100 & 1200 series access points.

Understanding, Configuring & Tweaking Web-based Cisco Aironet Access Point. Network Interface Radio0 802.11a/b/g Settings

2012-01-13T09:09:51+11:00

Cisco Aironet Access Points, just like most Cisco devices, provide a web interface from which we are able to configure the device. It is often we are presented with a number of options and settings, which we really are not sure why they exist, what they do, and how they can affect the performance of our wireless access point. This is all about to change!

This article aims to help cover this gap by explaining the various configuration options and settings found in Cisco's Aironet series Web-Based configuration page. While the web-based interface allows the configuration of many functions within the Aironet device, we will be focusing on the 'Network Interfaces: Radio0-802.11a/b/g' Settings, which is perhaps the most important section for the device's proper wireless operation.

Understanding and configuring correctly your Cisco Aironet Access Points can really make a difference in your clients wireless performance and connectivity range. You'd be suprised on the performance difference of your wireless network, when tweaking your Cisco Aironet Access Points to adapt to the working environment.

This article explains all the network options found under the Cisco Aironet web-interface setup, in a step-by-step manner. To help make it easier to track, we have broken the page into three sections, each containing a screenshot of the covered options.

Please note that some features and settings will not appear on your Cisco Aironet Access Point as they are supported only on specific models:

Cisco Aironet Network Interfaces: Radio0-802.11a/b/g Settings

Enable Radio

If enabled, the access point sends packets through its 802.11a/b/g radio interface and monitors when other devices use the 802.11a/b/g radio interface to send packets. To change the administrative state of the radio from up to down, choose Disable. To change the administrative state of the radio from down to up, choose Enable.

Current Status (Software/Hardware)

Software - Indicates whether the interface has been enabled or disabled by the user.
Hardware - Indicates whether the line protocol for the interface is up or down.

Role in Radio Network

Select the role of the access point on your network. Choose one of the three access point (root) settings if the access point is connected to the wired LAN.

Access Point Root (Fallback to Radio Island): This default setting enables wireless clients to continue to associate even when there is no connection to the wired LAN.

Access Point Root (Fallback to Radio Shutdown): When the wired connection is lost, the radio shuts down. This fallback forces the clients to associate to another access point if one is available.

Access Point Root (Fallback to Repeater): When the wired connection is lost, the radio becomes a repeater. The repeater parent should be configured to allow data to be wirelessly transferred to another access point.

Repeater Non-Root: Choose this setting if the access point is not connected to the wired LAN. Client data is transferred to the access point selected as the repeater parent. The repeater parent may be configured as an access point or another repeater.

Fallback Mode Upon Loss of Ethernet Connection: Access points operate as root access points by default. When set to defaults, Cisco Aironet 1400 Series Wireless Bridges start up in install mode and adopt the root role if they do not associate to another bridge. If a 1400 series bridge associates to another bridge at start-up, it automatically adopts the non-root role. Cisco Aironet 1300 Series Wireless Bridges operate as root bridges by default.

Repeater: Specifies that the access point is configured for repeater operation. Repeater operation indicates the access point is not connected to a wired LAN and must associate to a root access point that is connected to the wired LAN.

Root: On access points, specifies that the access point is configured for root mode operation and connected to a wired LAN. This parameter also specifies that the access point should attempt to continue access point operation when the primary Ethernet interface is not functional.

Root Bridge: On 1300 series bridges, specifies that the bridge functions as a root access point. If the Ethernet interface is not functional, the unit attempts to continue access point operation. However, you can specify a fallback mode for the radio. This option is supported only on 1300 series bridges.

Non-root Bridge: On 1400 series bridges, specifies that the bridge operates as a non-root bridge and must associate to a root bridge. This option is supported only on 1400 series bridges.

Fallback Shutdown (Optional): Specifies that the access point should shutdown when the primary Ethernet interface is not functional. This option is supported only on access points and on 1300 series bridges in access point mode.

Fallback Repeater (Optional): Specifies that the access point should operate in repeater mode when the primary Ethernet interface is not functional. This option is supported only on access points and on 1300 series bridges in access point mode.

Install: On 1400 series bridges, configures the bridge for installation mode. In installation mode, the bridge flashes its LEDs to indicate received signal strength (RSSI) to assist in antenna alignment. This option is supported only on 1400 series bridges.

Workgroup-Bridge: On 1300 series bridges, specifies that the bridge operates in workgroup bridge mode. As a workgroup bridge, the device associates to an access point or bridge as a client and provides a wireless LAN connection for devices connected to its Ethernet port. This option is supported only on 1300 series bridges.

Universal Workgroup Bridge Mode: When configuring the universal workgroup bridge roll, you must include the client's MAC address. The workgroup bridge will associate with this MAC address only if it is present in the bridge table and is not a static entry. If validation fails, the workgroup bridge associates with its BVI's MAC address. In universal workgroup bridge mode, the workgroup bridge uses the Ethernet client's MAC address to associate with Cisco or non-Cisco root devices. The universal workgroup bridge is transparent and is not managed.

Scanner: This option is supported only when used with a WLSE device on your network. It specifies that the access point operates as a radio scanner only and does not accept associations from client devices. As a scanner, the access point collects radio data and sends it to the WDS access point on your network. This option is supported only on access points.

Data Rates

Use the data rates setting to choose the data transmission rates. The rates are expressed in megabits per second. The device always attempts to transmit at the highest rate selected. If there are obstacles or interference, the device steps down to the highest rate that enables data transmission.

Click the Best Range button to optimize access point range or the Best Throughput button to optimize throughput.

Note: When you configure the 802.11g access point radio for best throughput, the access point sets all 802.11g data rates to basic (required). This setting blocks association from 802.11b client devices.

For each of the rates, choose Require, Enable, or Disable.

Require - Enables transmission at this rate for all packets, both unicast and multicast. At least one data rate must be set to Require. A client must support a required rate before it can associate.
Enable - Enables transmission at this rate for unicast packets only.
Disable - Does not allow transmission at this rate.

Note: The client must support the basic rate you select or it cannot associate with the access point.

Transmit Power: This setting determines the power level of the radio transmission. The default power setting is the highest transmit power allowed in your regulatory domain.

Note: Government regulations define the highest allowable power level for radio devices. This setting must conform to established standards for the country in which you use the device.

To reduce interference, limit the range of your access point, or to conserve power, select a lower power setting.

For an 802.11g radio, Transmit Power is divided into CCK Transmit Power and OFDM Transmit power. CCK is the modulation used in 802.11g for the lower frequency rates, and OFDM is the modulation used in 802.11g for higher data rates (above 20 Mbps).

Note: The 100 mW (20dBM) value is not available for rates greater than 12 Mbps.

Power Translation Table (mW/dBm)

The power settings may be in mW or in dBm depending on the particular radio that is being configured. This table translates between mW and dBm.

Limit Client Power (mw): Determine the maximum power level allowed on client devices that associate to the access point. When a client device associates to the access point, the access point sends the maximum power level setting to the client.

Note: The 100 mW value is not available for rates greater than 12 Mbps.

Default Radio Channel: The available selection of radio channels is determined by your regulatory domain. The default setting is the least-congested frequency. With this setting, the device scans for the radio channel that is least busy and selects that channel for use. The device scans at power-up and when the radio settings are changed. You can also select specific channel settings from the Default Radio Channel drop-down menu.

Short Slot Time (for 802.11g radios only): Determine if you want to enable support for the Extended-Rate-PHY short slot time. Enabling this setting reduces the slot time from the standard 20 microseconds to 9 microseconds to increase throughput.

Least Congested Channel Search: This selection list is available only when Default Radio Channel is set to Least Congested Frequency. You can search for least congested channels but exclude some channel(s) which are known to be problematic or already in use by other applications. By default, all channels are selected and searched. To select more than one channel, hold down the Ctrl or Shift keys to highlight multiple channels.

World Mode Multi-Domain Operation (for 802.11b and 802.11g only): World mode operation is disabled by default. If you uncheck Disable, the device adds channel carrier set information to its beacon. Client devices with world-mode enabled receive the carrier set information and adjust their settings automatically. If you select the dot11d option, you must enter an ISO country code. If you select the legacy option, you enable Cisco legacy world mode.

With world mode enabled, the access point advertises the local settings, such as allowed frequencies and transmitter power levels. Clients with this capability then passively detect and adopt the advertised world settings, and then actively scan for the best access point.

Country Code (required only for dot11d option): A country code can be selected only if the dot11d option was chosen in the World Mode option above. Use the drop-down menu to select the appropriate country. After the country code, you must enter indoor or outdoor to indicate the placement of the access point.

Radio Preamble (802.11b and 802.11g only): The radio preamble is a section of data at the head of a packet that contains information the access point and the client devices need when sending and receiving packets. Keep the setting on short unless you want to test with long preambles. If you have the radio preamble set to short and a client associates that does not support short preamble associates, the access point will send only long preamble packets to this client.

Short - A short preamble improves throughput performance. Cisco Aironet's Wireless LAN Adapter supports short preambles. The access point and client negotiate the use of the short preamble. Early models of Cisco Aironet's Wireless LAN Adapter require long preambles.
Long - A long preamble ensures compatibility between the access point and all early models of Cisco Aironet Wireless LAN Adapters.

Receive Antenna and Transmit Antenna:

Diversity - This default setting tells the device to use the antenna that receives the best signal. If your device has two fixed (non-removable) antennas, you should use this setting for both receive and transmit.
Left (secondary)- If your device has removable antennas and you install a high-gain antenna on the left connector, you should use this setting for both receive and transmit. When you look at the back panel, the left antenna is on the left.
Right (primary)- If your device has removable antennas and you install a high-gain antenna on the right connector, you should use this setting for both receive and transmit. When you look at the back panel, the right antenna is on the right.

Note: The device receives and transmits using only one antenna at a time, so you cannot increase range by installing high-gain antennas on both connectors and pointing one north and one south. When the device uses the north-pointing antenna, client devices to the south should be ignored by the access point.

External Antenna Configuration: This feature is currently not operational, but it may be supported in future releases.

Antenna Gain(dB): The gain of an antenna is a measure of the antenna's ability to direct or focus radio energy over a region of space. High-gain antennas have a more focused radiation pattern in a specific direction. This setting is disabled on the bridge.

Aironet Extensions: Select Enable to use Cisco Aironet 802.11 extensions. This setting must be set to Enable so that you can use load balancing, MIC, and TKIP.

Ethernet Encapsulation Transform: Choose 802.1h or RFC1042to set Ethernet encapsulation type. Data packets that are not 802.2 packets must be formatted to 802.2 with 802.1h or RFC1042. Cisco Aironet equipment defaults to RFC1042 because it provides optimum interoperability.

802.1h - This setting provides optimum performance for Cisco Aironet wireless products.
RFC1042 - Use this setting to ensure interoperability with non-Cisco Aironet wireless equipment. RFC1042 does not provide the interoperability advantages of 802.1h but is used by other manufacturers of wireless equipment.

Reliable Multicast to WGB: Normally, an access point treats a workgroup bridge as an infrastructure device and not as a client. The access point uses the reliable multicast protocol to ensure delivery of all multicast packets. The extra traffic caused by reliable delivery limits the number of workgroup bridges that can be associated. Select Disableto allow the workgroup bridge to be treated as a non-infrastructure device and thus allow the maximum number of workgroup bridges to be associated.

Public Secure Packet Forwarding: Public Secure Packet Forwarding (PSPF) prevents client devices associated to an access point from inadvertently sharing files or communicating with other client devices associated to the access point. It provides Internet access to client devices without providing other capabilities of a LAN.

No exchange of unicast, broadcast, or multicast traffic occurs between protected ports. Choose Enable so that the protected port can be used for secure mode configuration.

PSPF must be set per VLAN.

Note: To prevent communication between clients associated to different access points on your wireless LAN, you must set up protected ports on the switch to which your access points are connected.

Short Slot Time: You can increase throughput on the 802.11g radio by enabling short slot time. Reducing the slot time from the standard 20 microseconds to the 9-microsecond short slot time decreases the overall backoff time, which increases throughput. Backoff time, which is a multiple of the slot time, is the random length of time that a station waits before sending a packet on the LAN.

When you enable short slot time, the access point/bridge uses the short slot time only when all clients associated to the 802.11g radio support short slot time. Short slot time is disabled by default.

Beacon Privacy Guest-Mode: This command must be configured if you wish the beacon frames to use the privacy settings of the guest-mode SSID. If there is no guest-mode SSID configured, the command has no effect. If there is a guest-mode SSID and the command is configured, the privacy bit present in the beacon frames are set to ON/OFF according to how the security (encryption) settings of the guest-mode SSID are configured.

The command has no effect in MBSSID mode.

Beacon Period: The beacon period is the amount of time between access point/bridge beacons in kilomicroseconds. One Kusec equals 1,024 microseconds. The default beacon period is 100

Data Beacon Rate (DTIM): This setting, always a multiple of the beacon period, determines how often the beacon contains a delivery traffic indication message (DTIM). A traffic indication map is present in every beacon. The DTIM notifies power-save client devices that a packet is waiting for them. If power save clients are active, the access point buffers any multicast traffics and delivers them immediately after the DTIM beacon. Power save nodes always wake for the DTIM beacons. The longer the time, the more buffering the access point does, and the longer the multicasts are delayed.

If the beacon period is set at 100 (its default setting), and the data beacon rate is set at 2 (its default setting), then the device sends a beacon containing a DTIM every 200 Kusec. One Kusec equals 1,024 microseconds.

Max. Data Retries: The maximum number of attempts the device makes to send a packet before giving up, dropping the packet, and disassociating the client.

RTS Max. Retries: The maximum number of times the device issues an RTS before stopping the attempt to send the packet through the radio. Enter a value from 1 to 128.

Fragmentation Threshold: This setting determines the size at which packets are fragmented (sent as several pieces instead of as one block). Use a low setting in areas where communication is poor or where there is a great deal of radio interference.

RTS Threshold: This setting determines the packet size at which the device issues a request to send (RTS) before sending the packet. A low RTS Threshold setting can be useful in areas where many client devices are associating with the access point or in areas where the clients are far apart and can detect only the access point and not each other.

Repeater Parent AP Timeout: If this timeout is enabled, the access point in repeater mode looks only for the parent access point specified in the following Repeater Parent AP MAC definition for this given amount of time. If the timeout expires, the list is ignored, and the unit associates to an access point that matches its requirements, regardless of its MAC address. If the timeout is disabled, the repeater associates only to parents in the list and continues the search.

Repeater Parent AP MAC 1-4: Normally, a repeater access point (without a wired LAN connection) associates much like a normal client, choosing the best access point it can find. Enter MAC addresses in this list if you want to control the parent access point to which a repeater may associate. If MAC addresses are entered in this list, a repeater associates only to a parent whose MAC address matches an entry in the list. If the first MAC address is not available, the access point continues through the list and waits the amount of time specified in Repeater Parent AP Timeout field before trying the next.

Wireless (Wifi) WEP WPA WPA2 Key Generator

2011-11-27T09:43:40+11:00

The Firewall.cx Wireless LAN Key Generator will allow the generation of a WEP or WPA ASCII based encryption key and will provide the equivalent HEX or ASCII string so it can be inserted directly into a Cisco Access Point configuration.

As many engineers know, it is a common problem that when configuring a WEP encryption key in a Cisco Access Point, the IOS will not allow the input of the actual ASCII key, but instead requires the HEX equivalent. With our WLAN Key generator, simply insert your desired pass phrase and it will generate the necessary HEX value encryption key that needs to be used in the CLI or Web-Based configuration of the Cisco Access Point.

The Wireless LAN Key Generator allows for quick and valid WEP/WPA key generation.

You can use the Random WEP/WPA Key Generator to generate a random WEP or WPA key. Simply choose the desired key length using the drop-down menu, and one will be generated for you.

The WEP/WPA Key Generator supports 64bit, 128bit, 152bit & 256bit WEP keys, and 160bit, 504bit WPA/WPA2 keys for maximum security.

Alternatively, if you require to generate a key based on a custom passphrase (most cases), you can use the Custom WEP/WPA Key Generator. Just enter your password phrase into the Custom WEP/WPA Key Generator - ASCII text fields, and its HEX equivalent will be generated automatically. You can also insert the HEX Value and the system will reveal the actual ASCII value - handy if you want to discover what password phrase has been used for the encryption.

WEP/WPA Key Generator
Random WEP/WPA Key Generator
Key Length:
ASCII :
HEX :

Custom WEP/WPA Key Generator Note: use 5/13/16/29 characters for 64/128/152/256-bit WEP Encryption
ASCII :	#
HEX :

Calculate Key Now! Clear Form

Notes: WEP encryption uses 24 bit "Initilization Vector" in addition to the "secret key". Therefore, 40 bit WEP can be refered to as 64 bit WEP, and 104 bit can be refered to as 128 bit, depending on whether the "initialization vector" is counted or not.

Cisco Aironet 1242AG /1240 - Multiple SSID & 802.1q Trunk VLAN Link Configuration

2011-10-19T09:17:23+11:00

This article explains how the Cisco 1240 series access point can be setup to provide support for multiple SSID, each SSID assigned to a separate VLAN. This type of configuration is ideal for supporting different wireless networks, each one with its own characteristics.

Frequently used setup of Cisco access points involve at least one wireless network (SSID) for accessing the local network (VLAN1) and another SSID for Internet access (Guest VLAN).

It is important to note that this guide is also valid for the following Cisco Access Points: Cisco Aironet 1240 Series, Cisco Aironet 1040 series, Cisco Aironet 1130 AG Series, Cisco Aironet 1140 Series, Cisco Aironet 1200 Series, Cisco Aironet 1250 Series and Cisco Aironet 1260 Series. Configuration of multiple SSIDs with Trunk links is almost identical, with minor differences in the interfaces (where we have more than one radio) and channels, depending if there is support for 802.11a/b/g/n.

Cisco Access Point Multiple SSID Configuration

Configuring multiple SSIDs on a Cisco access point is a straight-forward process, however it does contain a few details we will analyse as we progress.

We need to now create the two SSIDs by defining their name, which will be broadcasted so users can find them, encryption method plus keys and VLAN assignment.

AP (config)# dot11 ssid Company
AP (config-ssid)# vlan 1
AP (config-ssid)# authentication open
AP (config-ssid)# authentication key-management wpa
AP (config-ssid)# guest-mode
AP (config-ssid)# mbssid guest-mode
AP (config-ssid)# infrastructure-ssid optional
AP (config-ssid)# wpa-psk ascii 0 firewall.cx
AP (config-ssid)# exit
AP (config)# dot11 ssid Hotspot
AP (config-ssid)# vlan 2
AP (config-ssid)# authentication open
AP (config-ssid)# authentication key-management wpa
AP (config-ssid)# mbssid guest-mode
AP (config-ssid)# wpa-psk ascii 0 free-access
AP (config-ssid)# exit
AP (config)# dot11 vlan-name vlan1 vlan1
AP (config)# dot11 vlan-name vlan2 vlan2

The above configuration is quite different from setups with one SSID. Reason being the multiple SSID and VLAN configuration required to ensure each SSID is assigned to the correct vlan. The 'Company' wireless network is assigned to VLAN 1 and the 'Hotspot' wireless network to VLAN 2.

Notice that when using multiple SSIDs on a Cisco aironet access point, it is imperative to use the mbssid guest-mode command otherwise the SSID name of the wireless network will not be broadcasted correctly.

The 'dot11 <vlan-name>' command ensures the correct mapping of vlans and their respective VLAN names. In our example, the VLAN names follow the actual VLANs. So, VLAN 1 has been named 'vlan1'. This helps keep track of them.

Next, we must ensure the integrated routing and bridging (IRB) feature is enabled to allow the routing of our protocols (IP) between routed interfaces and bridge groups. This command is most likely already present in the configuration, but let's play safe and enter it:

AP (config)# bridge irb

Configuring The Dot11Radio0 Interface

Configuring the Dot11Radio0 interface is our next step. Dot11Radio0 is the actual radio interface of the integrated Cisco access point. We will need to assign the SSIDs configured previously to this interface, along with the encryption methods and a few more parameters.

AP (config)# interface Dot11Radio0
AP (config-if)# encryption vlan1 mode ciphers tkip
AP (config-if)# encryption vlan2 mode ciphers tkip
AP (config-if)# ssid Company
AP (config-if)# ssid Hotspot
AP (config-if)# mbssid
AP (config-if)# station-role root
AP (config-if)# speed basic-1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
AP (config-if)# channel 2462

Most commands are self-explanatory. We will however explain the basic and important ones:

The Encryption VLAN commands set the encryption mode for each VLAN and, therefore, each SSID.

The SSID command assigns the SSIDs to this interface.

The mbssid command ensures both SSIDs are broadcast and are viewable to our wireless clients.

The station-role root is a default command and makes the access point act as a root station, in other words as an autonomous access point.

Note the speed basic command. This as well is a default command that sets the supported speeds. The first portion, 1.0 to 54.0 refers to the 802.11 b/g protocol. If you have a dual radio on your access point you can configure the Dot11Radio1 (Second radio) interface accordingly.

Configuring The Dot11Radio0 Sub-interfaces

At this point we are required to configure sub-interfaces on Dot11Radio0, assigning each sub-interface to a VLAN.

AP (config)# interface Dot11Radio0.1
AP (config-subif)# encapsulation dot1Q 1 native
AP (config-subif)# no ip route-cache
AP (config-subif)# bridge-group 1
AP (config-subif)# bridge-group 1 subscriber-loop-control
AP (config-subif)# bridge-group 1 block-unknown-source
AP (config-subif)# no bridge-group 1 source-learning
AP (config-subif)# no bridge-group 1 unicast-flooding
AP (config-subif)# bridge-group 1 spanning-disabled
AP (config)# exit
AP (config)# interface Dot11Radio0.2
AP (config-subif)# encapsulation dot1Q 2
AP (config-subif)# no ip route-cache
AP (config-subif)# bridge-group 2
AP (config-subif)# bridge-group 2 block-unknown-source
AP (config-subif)# no bridge-group 2 source-learning
AP (config-subif)# no bridge-group 2 unicast-flooding
AP (config-subif)# bridge-group 2 spanning-disabled

When creating the subinterfaces, we always use easy-to-identify methods of mapping. Thus, interface Dot11Radio0.1 means this interface will be mapped to VLAN 1, while interface Dot11Radio0.2 will map to VLAN 2.

The encapsulation dot1Q 1 native command surves two purposes. It maps VLAN 1 to sub-interface Dot11Radio0.1 and tells the ap that this VLAN (1) is the native vlan. This means that untagged VLAN traffic belongs to VLAN 1. More information on VLAN is available in our VLAN Section - be sure to visit it.

Similarly, under interface Dot11Radio0.2, the encapsulation dotQ 2 command maps VLAN 2 traffic to this sub-interface.

The bridge-group command assigns each sub-interface to a bridge group. Each sub-interface is assigned to its own bridge-group. The bridge group essentially connects the wireless sub-interfaces with the Fast Ethernet interface this access point has. This is analysed below.

Configuring Cisco 1242AG / 1240 Access Point Fast Ethernet0, Sub-Interfaces & BVI interface

As with all Cisco Aironet access points, you'll find a Fast Ethernet0 interface that is used to connect the access point to our LAN switch. On Cisco Aironet models that support 802.11n technology e.g Cisco Aironet 1140, this interface is replaced with a Gigabit Ethernet interace, desinged to handle the increased capacity and throughput of the access point.

Following is the configuration required to create the necessary GigabitEthernet sub-interfaces and map the Dot11Radio0.X interfaces previously created, with them:

AP (config)# interface FastEthernet0
AP (config-if)# no ip address
AP (config-if)# no ip route-cache
AP (config-if)# exit

AP (config)# interface FastEthernet0.1
AP (config-if)# encapsulation dot1Q 1 native
AP (config-if)# no ip route-cache
AP (config-if)# bridge-group 1
AP (config-if)# no bridge-group 1 source-learning
AP (config-if)# bridge-group 1 spanning-disabled
AP (config-if)# exit

AP (config)# interface FastEthernet0.2
AP (config-if)# encapsulation dot1Q 2
AP (config-if)# no ip route-cache
AP (config-if)# bridge-group 2
AP (config-if)# no bridge-group 2 source-learning
AP (config-if)# bridge-group 2 spanning-disabled
AP (config-if)# exit

AP (config)# interface BVI1
AP (config-if)# ip address 192.168.30.5 255.255.255.0
AP (config-if)# no ip route-cache

The FastEthernet interface and sub-interface configuration follows the same logic as the Dot11Radio0 interface. Notice that each FastEthernet sub-interface is mapped to the same VLAN and bridge-group as the Dot11Radio0 sub-interfaces.

Next, we create the one and only BVI1 interface and assign it an IP Address. This is basically the IP Address of our access point and is reachable from our LAN network, so it's best to assign it an IP Address from your LAN network (VLAN 1).

It is important to note that only one bridge-interface (BVI Interface) is configured with an IP Address. The rest of the bridge groups are not required to have a BVI interface as all traffic is trunked through the BVI1 Interface. This is per Cisco design.

Finally, we must enable ip routing for bridge 1:

AP (config)# bridge 1 protocol ieee
AP (config)# bridge 1 route ip

Configuring DHCP Service For Both VLAN Interfaces

First step is to define the DHCP service and ip address pools for our two Vlans, and therefore SSID's.

If you prefer to configure the DHCP service on your Cisco router, detailed instructionscan be found at our Cisco Router DHCP Server Configuration article.

To help make it easy, we are providing the necessary commands for our example:

AP(config)# ip dhcp excluded-address 192.168.30.1 192.168.30.20
AP(config)# ip dhcp excluded-address 192.168.40.1 192.168.40.20

AP(config)# ip dhcp pool Company
AP(dhcp-config)# network 192.168.30.0 255.255.255.0
AP(dhcp-config)# dns-server 192.168.30.1
AP(dhcp-config)# default-router 192.168.30.1

AP(config)# ip dhcp pool Hotspot
AP(dhcp-config)# network 192.168.40.0 255.255.255.0
AP(dhcp-config)# default-router 192.168.40.1
AP(dhcp-config)# dns-server 192.168.40.1

This configuration assumes that your router has two VLAN interfaces configured with the appropriate Internet access and Firewall configuration.

On another note, NAT Overload is required in most cases to ensure both VLAN networks have Internet access.. This is covered extensively in our Cisco Router NAT Overload article.

Summary

This article provided an in-depth coverage on how to configure a Cisco Aironet 1242AG / 1240 series access point to support multiple SSID wireless networks and connect via 802.1q Trunk link to a local switch. The information provided not only covers the basic commands, but also analyses the background theory and logic, to ensure the reader fully understands why this configuration method is used.

Cisco Wireless

Complete Guide: How to Download & Deploy The Cisco 9800-CL Virtual Wireless Controller on VMware ESXi

Easily Convert Cisco Autonomous - Standalone AP to Lightweight Mode & Register it to a Cisco WLC Controller

Related Articles

STEP 1: Power up the Autonomous AP & Configure a FTP server form where the AP will download the image

STEP 2: Connect the Autonomous AP to a network switch or directly to the workstation serving the AP image via a FTP server.

STEP 3: Configure the AP with an IP address appropriate for the network or set it to DHCP

STEP 4: Configure the AP with the FTP user account credentials as configured on the FTP server. This will allow the AP to access and download the image file. Once configured, begin the software download procedure using the archive download-sw command.

Configuring Cisco WLC Link Aggregation (LAG) with Port-Channel EtherChannel. LAG Restrictions for WLC Models

Related Articles

Cisco WLC Interfaces, Ports & Their Functionality. Understand How WLCs Work, Connect to the Network Infrastructure & Wi-Fi SSID/VLAN mappings

WLC Interface Concepts – Understanding Ports & Logical Interfaces

WLC Ports (Physical Interfaces)

Redundancy Port

Service Port

SFP/Ethernet Distribution System Ports

WLC Interfaces (logical Interfaces)

Management Interface

AP-Manager Interface

Virtual Interface

Service-Port Interface

Dynamic Interface

Distribution Port - Link Aggregation

Conclusion

Introduction To Cisco Wireless Controllers (WLC) - Basic Concepts – WLC Models, Benefits & Their Friendly GUI Interface

Working With The Cisco WLC

Summary

Cisco Wireless Controllers (WLC) Datasheets Available for Download

Cisco Aironet 1100 & 1200 Series (1110, 1121, 1142, 1230, 1240, 1242AG) Factory Reset & Configuration Password Reset Procedure via CLI and Web GUI

Factory Reset via MODE Button

CLI Output During Factory Reset via MODE Button

Factory Reset via Web Interface (Recommended Option for Remote Reset)

Understanding, Configuring & Tweaking Web-based Cisco Aironet Access Point. Network Interface Radio0 802.11a/b/g Settings

Cisco Aironet Network Interfaces: Radio0-802.11a/b/g Settings

Enable Radio

Current Status (Software/Hardware)

Role in Radio Network

Data Rates

Wireless (Wifi) WEP WPA WPA2 Key Generator

Cisco Aironet 1242AG /1240 - Multiple SSID & 802.1q Trunk VLAN Link Configuration

Cisco Access Point Multiple SSID Configuration

Configuring The Dot11Radio0 Interface

Configuring The Dot11Radio0 Sub-interfaces

Configuring Cisco 1242AG / 1240 Access Point Fast Ethernet0, Sub-Interfaces & BVI interface

Configuring DHCP Service For Both VLAN Interfaces

Summary