Channel: mrn-cciew

Per User Rate Limit in WLAN


In this post we will look at how to control per-user bandwidth in a wireless environment. This is based on 7.0.116.0 WLC code (which is in the CCIEW v2.0 lab); in later software codes Cisco has enhanced this feature.

Here is the test setup: a wireless client (Laptop) is on a WLAN (named WGB-CAPWAP) & a PC is attached to a switch. We will test the bandwidth usage of the wireless client by copying a file between these two hosts.

QoS-Ratelimit-00

Here are the QoS profile configuration settings for Silver, which my WLAN is configured for (by default, every WLAN created is associated with the Silver QoS profile). As you can see, per-user bandwidth is set in kbps. “Average Data Rate” & “Burst Data Rate” apply to TCP traffic and correspond to the average & peak values. “Average Real-Time Rate” & “Burst Real-Time Rate” refer to UDP traffic.

QoS-Ratelimit-06

Here is how I applied this profile to my “WGB-CAPWAP” WLAN (by the way, this is the default configuration & you can change it as needed).

QoS-Ratelimit-07

First we will check the wireless user's bandwidth usage with this setting. Here is the wireless client bandwidth usage for a file copy from Laptop to PC (in other words, upstream traffic from the wireless client). As you can see, it is around 54 Mbps (144 Mbps * 37%).

QoS-Ratelimit-01

Then I copied the file from PC to Laptop, which reflects downstream traffic to the wireless client. Again it is around the 50 Mbps mark (144 Mbps * 36%).

QoS-Ratelimit-02

Now we have a baseline to test against. So we will change the QoS profile settings to limit user traffic to 20 Mbps. I have set the Burst Data Rate to 21 Mbps (the peak value should always be greater than the average value). Also note that my traffic is TCP (file transfer), so I have only set those specific settings.

QoS-Ratelimit-05

Now let’s do the test again. Here is the same file transfer from Laptop to PC (wireless upstream traffic). As you see here, it is almost the same bandwidth consumption, around ~54 Mbps. Our restriction has no effect.

QoS-Ratelimit-04

Let’s see the other way around, from PC to Laptop (wireless downstream). Here we go… you can see bandwidth is restricted to ~20 Mbps (144 Mbps * 15%) and our configuration works. But only in the downstream direction.

QoS-Ratelimit-03

This is the behavior of software code 7.0.x: it will only limit per-user bandwidth in the downstream direction. Again, there is no option to apply this to a selected WLAN; it applies to all WLANs configured with that QoS profile.

I think there is some wrong information in the WLC 7.0.116.0 configuration guide (page 4-65 to page 4-68), where the screen captures shown are not from 7.0.116.0 code. Max RF-Usage per AP & Queue Depth are not available to configure in 7.0.116.0 (I think these captures were taken from previous codes). So be careful when reading those config guides as there may be some wrong info.

From 7.2 onwards Cisco introduced upstream & downstream user bandwidth restrictions, & you can apply them per WLAN as well. Here is what the configuration page looks like in a later code (this is from 7.4.0.100).

QoS-Ratelimit-08

You can read the following Cisco deployment guide to understand how to configure this on these later codes.

Bi Directional Rate Limit – Deployment Guide (Doc ID 113682)



Wireless QoS Tech Note


I found that this “Cisco Unified Wireless Tech Note-DOC-116056” document published by Cisco nicely summarizes the topic. Here is the URL for the same.

Here are the key points I extracted.

1. The WLC management interface MUST have a VLAN tag in order to have proper wireless QoS (in other words, the WLC management IP should not be on the same VLAN that you configure as the native VLAN on the WLC-SW trunks. The native VLAN & the WLC management VLAN should be two different VLANs.)

2. If you are deploying voice, video and data services through a single WLAN, “WMM-Required” is the option you have to select. (If you select “WMM-Allowed” and that WLAN is configured for Platinum QoS, then all non-WMM traffic will be tagged with voice priority.)

3. The WLC can only do CoS-based tagging, so you have to trust CoS (i.e. “mls qos trust cos”) on the switch ports connected to the WLC.


Event Driven RRM


Event Driven RRM (ED-RRM) is a feature that allows an AP in distress to bypass normal RRM intervals and immediately change channels.

A CleanAir AP is always monitoring AQ and reports on it in 15-second intervals. Air Quality is a better metric than relying on normal Wi-Fi chip noise measurements because Air Quality only reports on classified interference devices. This makes Air Quality a reliable metric, because it is known that what is reported is not due to Wi-Fi energy (and hence is not a transient normal spike).

Before configuring ED-RRM you have to enable CleanAir functionality on the WLC. You can do this under the “Wireless -> 802.11a/n or 802.11b/g/n -> CleanAir” section as shown below. You can customize sources of interference, the AQI trap threshold, enable interference traps, etc.

EDRRM-00

If you want to enable this feature on a specific AP, you can do that as well. You can do this via the “Wireless -> Access Points -> Radio -> 802.11a/n or 802.11b/g/n” section by selecting the required AP. This setting will override the global band settings.

EDRRM-04

For ED-RRM a channel change only occurs if the Air Quality is sufficiently impacted. Because Air Quality can only be affected by a non-Wi-Fi source of interference that CleanAir has classified (or an adjacent overlapping Wi-Fi channel), the impact is understood to be:

1. Not a Wi-Fi anomaly
2. A crisis condition at this AP

Crisis means that CCA is blocked: neither clients nor the AP can use the current channel. Under these conditions RRM would change the channel on the next DCA pass. However, that could be a few minutes away (up to ten minutes depending on when the last run was performed), or the user could have changed the default interval and it could be longer (selected an anchor time and interval for longer DCA operation). ED-RRM reacts very quickly (30 seconds), so the users that change channel with the AP are likely unaware of the crisis that was close; 30-50 seconds is not long enough to call a help desk. The users that do not are in no worse shape than they would have been in the first place.

In all cases the interference source is identified, the AP change reason logs that source, and the users that experience poor roaming receive an answer as to why this change was made. The channel change is not random; it is picked based on device contention, thus it is an intelligent alternate choice.

Once the channel is changed there is protection against triggering ED-RRM again in the form of a hold-down timer (60 seconds). The event channel is also marked in RRM DCA for the affected AP to prevent a return to the event channel (for 3 hours) in case the interferer is intermittent and DCA does not see it immediately. In all cases the impact of the channel change is isolated to the affected AP.

Suppose a hacker or someone of ill intent fires up a 2.4 GHz jammer and all channels are blocked. First off, all the users within the radius are out of business anyway. However, suppose ED-RRM triggers on all the APs that can see it. All APs change channels once, then hold for 60 seconds. The condition would be met again, so another change would fire with the condition still being met after 60 seconds. Eventually there would be no channels left to change to and ED-RRM activity would stop. A security alert would fire on the jammer (default action) and you would be given a location (if with MSE) or the nearest detecting AP. ED-RRM would log a major AQ event for all affected channels, with the reason given as RF jammer. The event would be contained within the affected RF domain and well alerted.

You can enable ED-RRM under the “Wireless -> {802.11a/n|802.11b/n} -> RRM -> DCA” section as shown below. There are 3 sensitivity levels of Air Quality threshold that can trigger ED-RRM. By default it is set to Medium (which is an AQ of 50). You can set it to either High sensitivity (AQ of 60) or Low sensitivity (AQ of 35).

EDRRM-01
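To make the trigger rules described above concrete, here is an added model of them in Python (an illustration written for this page, not Cisco's implementation): one AQ report every 15 seconds, the three sensitivity thresholds, an immediate channel change when AQ drops to the threshold, a 60-second hold-down, and a 3-hour exclusion of the event channel. Assumptions labelled as such: the trigger comparison is "AQ <= threshold", the replacement channel is the non-excluded candidate with the best AQ, and all AQ values are constructed.

```python
"""Illustrative model of ED-RRM trigger, hold-down and event-channel rules.

Not Cisco code. Thresholds, timers and the AQ report interval are the values
quoted in the post; the trigger comparison (AQ <= threshold) and the choice
of the replacement channel (best AQ among non-excluded candidates) are
assumptions made for this example.
"""
from dataclasses import dataclass, field

# Sensitivity thresholds from the post: Low = 35, Medium = 50 (default), High = 60
ED_RRM_THRESHOLDS = {"low": 35, "medium": 50, "high": 60}
HOLD_DOWN_SECONDS = 60                    # no second trigger inside this window
EVENT_CHANNEL_EXCLUDE_SECONDS = 3 * 3600  # DCA will not return to the event channel
AQ_REPORT_INTERVAL = 15                   # CleanAir AP reports AQ every 15 s


@dataclass
class Radio:
    channel: int
    sensitivity: str = "medium"
    hold_down_until: int = -1                          # time (s) until which triggers are ignored
    event_channels: dict = field(default_factory=dict)  # channel -> excluded-until time (s)
    history: list = field(default_factory=list)        # (time, old_channel, new_channel, reason)

    def threshold(self):
        return ED_RRM_THRESHOLDS[self.sensitivity]

    def usable_channels(self, now, candidates):
        """Drop channels still inside their 3-hour event exclusion and the current one."""
        self.event_channels = {c: t for c, t in self.event_channels.items() if t > now}
        return [c for c in candidates if c not in self.event_channels and c != self.channel]

    def report_aq(self, now, aq, candidate_aq, reason="interferer"):
        """Process one AQ report for the current channel. Returns True if ED-RRM fired."""
        if aq > self.threshold():
            return False            # air quality acceptable: nothing to do
        if now < self.hold_down_until:
            return False            # crisis persists, but the hold-down timer is running
        choices = self.usable_channels(now, list(candidate_aq))
        if not choices:
            return False            # jammer case from the post: nowhere left to go, ED-RRM stops
        new = max(choices, key=lambda c: candidate_aq[c])   # assumption: pick best-AQ channel
        self.event_channels[self.channel] = now + EVENT_CHANNEL_EXCLUDE_SECONDS
        self.history.append((now, self.channel, new, reason))
        self.channel = new
        self.hold_down_until = now + HOLD_DOWN_SECONDS
        return True


def simulate(radio, aq_snapshots):
    """aq_snapshots: list of {channel: AQ} dicts, one per 15-second report.
    Returns the list of channel changes the radio made."""
    for i, snapshot in enumerate(aq_snapshots):
        now = i * AQ_REPORT_INTERVAL
        radio.report_aq(now, snapshot[radio.channel], snapshot)
    return radio.history


# Constructed scenario: a 2.4 GHz interferer first hits channel 6, then follows
# the AP to channel 1, then blankets channel 11 as well (the "jammer" case).
JAMMER_SCENARIO = (
    [{1: 90, 6: 30, 11: 85}]        # t=0: channel 6 in crisis, 1 is the best alternative
    + [{1: 20, 6: 30, 11: 85}] * 4  # t=15..60: channel 1 now in crisis; hold-down until t=60
    + [{1: 20, 6: 30, 11: 10}] * 5  # t=75..135: channel 11 in crisis; no channel left at t=120
)

if __name__ == "__main__":
    for change in simulate(Radio(channel=6), JAMMER_SCENARIO):
        print("t=%4ds: channel %2d -> %2d (%s)" % change)
```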

Persistent Device Avoidance is another mitigation feature that is only possible with CleanAir APs. A device that operates periodically, such as a microwave oven, can introduce destructive levels of interference while it is operating. However, once it is no longer in use the air goes quiet again. Devices such as video cameras, outdoor bridge equipment, and microwave ovens are all examples of a type of device called persistent.

These devices can operate continuously or periodically, but what they all have in common is that they do not move frequently. RRM of course sees levels of RF noise on a given channel. If the device is operating long enough RRM even moves an active AP off the channel that has interference. However, once the device goes quiet, it is likely that the original channel presents as the better choice once again. Because each CleanAir AP is a spectrum sensor the center of the interference source can be evaluated and located. Also, you can understand which APs are affected by a device that you know is there, and potentially operates and disrupts the network when it does. Persistent Device Avoidance allows us to log the existence of such interference and remember that it is there so you do not place an AP back on the same channel. Once a Persistent Device has been identified it is “remembered” for seven days. If it is not seen again then it is cleared from the system. Each time you see it, the clock starts over.

You can configure this setting in the same “Wireless -> 802.11 -> RRM -> DCA” section as shown below.

EDRRM-02

You can monitor CleanAir in the “Monitor -> Cisco CleanAir” section for each band. Normally you would see 802.11b/g/n with a lower AQI due to the large number of devices operating in that band, which is always congested.

EDRRM-05

Here is the Cisco CleanAir Design Guide (Doc ID 112139) used as the reference for this. You can read it for a complete understanding of this feature & how to configure WCS/MSE for reporting on your wireless network.


WLC Discovery via Broadcast


As outlined in one of my previous posts (AP Registration), there are multiple methods (broadcast, static configuration, DHCP option 43, DNS) available for a Lightweight Access Point (LAP) to discover a WLC. In this post we will see how the broadcast mechanism can be used for this.

After the LAP gets an IP address from the DHCP server, the LAP broadcasts a Layer 3 CAPWAP discovery message onto its local subnet. Normally these broadcasts are limited to the local subnet, as they will not cross Layer 3 boundaries. If you want to forward them to a particular WLC, you have to configure the WLC IP address as an “ip helper-address” on the Layer 3 interface the LAP is associated with. The L3 device then forwards these broadcasts to the IP addresses configured with the ip helper-address command on the interface on which the broadcast is heard.

When you use the ip helper-address command, directed broadcasts (as well as unicasts) for eight different UDP ports are forwarded automatically. Those ports are:

1. Trivial File Transfer (TFTP) (Port 69)
2. Domain Name System (Port 53)
3. Time Service (Port 37)
4. NetBIOS Name Server (Port 137)
5. NetBIOS Datagram Server (Port 138)
6. Boot Protocol (BOOTP) Client (Port 67)
7. Boot Protocol (BOOTP) Server (Port 68)
8. TACACS service (Port 49).

Since the CAPWAP broadcast uses UDP port 5246, it must be explicitly forwarded on the router. You have to use the “ip forward-protocol udp <port-no>” CLI command for this. Here is our test setup.

WLC-Discovery-Broadcast-00

CAT2 & CAT4 have a Layer 3 link between them. The LAP connected to CAT4 is configured to obtain its IP address from a Microsoft DHCP server. The only options provided are IP address & default gateway (no DNS or Option 43). We will use the broadcast forwarding method to register this AP to WLC1, which is connected to CAT2.

Here is the basic config of CAT2 with respect to VLAN 121, where the AP is connected.

interface Vlan121
 description MOLWAP1
 ip address 10.10.121.193 255.255.255.192
 ip helper-address 192.168.200.1
!
interface FastEthernet1/0/3
 description TEMP-LWAP-03
 switchport access vlan 121
 switchport mode access
 spanning-tree portfast

Here is the AP console output. You can see the AP got an IP from the DHCP server but could not find a WLC to join.

*Mar  1 00:13:22.248: %DHCP-6-ADDRESS_ASSIGN: Interface GigabitEthernet0 assigned DHCP address 10.10.121.201, mask 255.255.255.192, hostname APccef.488c.fd41
*Mar  1 00:13:32.927:  status of voice_diag_test from WLC is false
*Mar  1 00:13:32.987: Logging LWAPP message to 255.255.255.255.
*Mar  1 00:13:35.705: %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source
*Mar  1 00:13:35.796: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up
*Mar  1 00:13:35.891: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*Mar  1 00:13:36.715: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
*Mar  1 00:13:36.715: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 255.255.255.255 started - CLI initiated
*Mar  1 00:13:36.809: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
Translating "CISCO-CAPWAP-CONTROLLER.mrn.com"...domain server (192.168.20.7)
*Mar  1 00:14:43.008: %CAPWAP-3-DHCP_RENEW: Could not discover WLC using DHCP IP. Renewing DHCP IP.
Not in Bound state.
*Mar  1 00:14:51.523: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 2 combination.
*Mar  1 00:14:51.533: %DHCP-6-ADDRESS_ASSIGN: Interface GigabitEthernet0 assigned DHCP address 10.10.121.201, mask 255.255.255.192, hostname APccef.488c.fd41

If you do “debug ip udp” on CAT4 you will see the UDP traffic on the switch. Since CAPWAP control uses UDP port 5246, you should see traffic coming for that port. (Be careful enabling this debug in a production network, as the flood of debug messages could impact device performance.) In my test lab, no problem at all :)

As you can see below, CAT4 receives UDP broadcast (destination port 5246 which is CAPWAP control).

CAT4#debug ip udp 
UDP packet debugging is on
CAT4#
.May  3 06:21:07.421: UDP: rcvd src=10.10.121.201(53205), dst=255.255.255.255(5246), length=131
.May  3 06:21:17.361: UDP: rcvd src=10.10.121.201(53205), dst=255.255.255.255(5246), length=131
.May  3 06:21:27.302: UDP: rcvd src=10.10.121.201(53205), dst=255.255.255.255(5246), length=131
.May  3 06:21:31.672: UDP: rcvd src=10.10.10.3(123), dst=10.10.20.1(123), length=76
.May  3 06:21:38.232: UDP: rcvd src=10.10.121.201(50047), dst=255.255.255.255(514), length=133
.May  3 06:21:42.712: UDP: rcvd src=0.0.0.0(68), dst=255.255.255.255(67), length=310
.May  3 06:21:42.712: UDP: sent src=10.10.121.193(67), dst=192.168.200.1(67), length=310
.May  3 06:21:42.712: UDP: rcvd src=192.168.200.1(67), dst=10.10.121.193(67), length=308
.May  3 06:21:42.712: UDP: sent src=0.0.0.0(67), dst=255.255.255.255(68), length=308
.May  3 06:21:42.712: UDP: rcvd src=0.0.0.0(68), dst=255.255.255.255(67), length=328
.May  3 06:21:42.712: UDP: sent src=10.10.121.193(67), dst=192.168.200.1(67), length=328
.May  3 06:21:42.729: UDP: rcvd src=192.168.200.1(67), dst=10.10.121.193(67), length=308
.May  3 06:21:42.729: UDP: sent src=0.0.0.0(67), dst=255.255.255.255(68), length=308
.May  3 06:21:45.833: UDP: rcvd src=10.10.121.201(50047), dst=255.255.255.255(514), length=115

Normally broadcast packets are not forwarded to other interfaces (except the 8 types of packets described earlier). Since the CAPWAP broadcast does not belong to those, you have to configure the switch to forward UDP 5246 traffic. You can use “ip forward-protocol udp 5246” for this. Here are the configuration options available with that command.

CAT4(config)#ip forward-protocol udp ?
  <0-65535>      Port number
  biff           Biff (mail notification, comsat, 512)
  bootpc         Bootstrap Protocol (BOOTP) client (68)
  bootps         Bootstrap Protocol (BOOTP) server (67)
  discard        Discard (9)
  dnsix          DNSIX security protocol auditing (195)
  domain         Domain Name Service (DNS, 53)
  echo           Echo (7)
  isakmp         Internet Security Association and Key Management Protocol
                 (500)
  mobile-ip      Mobile IP registration (434)
  nameserver     IEN116 name service (obsolete, 42)
  netbios-dgm    NetBios datagram service (138)
  netbios-ns     NetBios name service (137)
  netbios-ss     NetBios session service (139)
  non500-isakmp  Internet Security Association and Key Management Protocol
                 (4500)
  ntp            Network Time Protocol (123)
  pim-auto-rp    PIM Auto-RP (496)
  rip            Routing Information Protocol (router, in.routed, 520)
  snmp           Simple Network Management Protocol (161)
  snmptrap       SNMP Traps (162)
  sunrpc         Sun Remote Procedure Call (111)
  syslog         System Logger (514)
  tacacs         TAC Access Control System (49)
  talk           Talk (517)
  tftp           Trivial File Transfer Protocol (69)
  time           Time (37)
  who            Who service (rwho, 513)
  xdmcp          X Display Manager Control Protocol (177)

CAT4(config)#ip forward-protocol udp 5246

Here is the debug output once we configure this command on CAT4. (I had two L3 links from CAT4 to CAT2, & that’s why you see these broadcasts forwarded on two different interfaces.)

.May  3 06:29:18.420: UDP: sent src=0.0.0.0(67), dst=255.255.255.255(68), length=308
.May  3 06:29:21.406: UDP: rcvd src=10.10.121.201(50047), dst=255.255.255.255(514), length=115
.May  3 06:29:38.284: UDP: rcvd src=10.10.121.201(53205), dst=255.255.255.255(5246), length=131
.May  3 06:29:38.284: UDP: forwarded broadcast 5246 from 10.10.121.201 to 192.168.200.1 on FastEthernet1/0/23
.May  3 06:29:48.225: UDP: rcvd src=10.10.121.201(53205), dst=255.255.255.255(5246), length=131
.May  3 06:29:48.225: UDP: forwarded broadcast 5246 from 10.10.121.201 to 192.168.200.1 on FastEthernet1/0/22
.May  3 06:29:58.165: UDP: rcvd src=10.10.121.201(53205), dst=255.255.255.255(5246), length=131
.May  3 06:29:58.165: UDP: forwarded broadcast 5246 from 10.10.121.201 to 192.168.200.1 on FastEthernet1/0/23
.May  3 06:30:03.677: UDP: rcvd src=10.10.10.3(123), dst=10.10.20.1(123), length=76
.May  3 06:30:08.097: UDP: rcvd src=10.10.121.201(53205), dst=255.255.255.255(5246), length=131
.May  3 06:30:08.097: UDP: forwarded broadcast 5246 from 10.10.121.201 to 192.168.200.1 on FastEthernet1/0/22

As you can see above, UDP 5246 broadcast packets are now forwarded to 192.168.200.1. Why is this? It is because you have configured “ip helper-address 192.168.200.1” on the VLAN 121 interface so that the AP can get an IP address from the Microsoft DHCP server. In order to forward these UDP 5246 packets to the WLC, you have to configure the “ip helper-address” command with the WLC management IP as well. At the same time we will enable “debug capwap packet enable” on the WLC to see the registration information. (Again, this debug will generate lots of output & you risk crashing/hanging the WLC.)

CAT4(config)#interface Vlan121
CAT4(config-if)# ip helper-address 10.10.111.10

CAT4(config-if)#do sh logg | in 5246
.May  3 06:38:19.080: UDP: rcvd src=10.10.121.201(53205), dst=255.255.255.255(5246), length=131
.May  3 06:38:19.080: UDP: forwarded broadcast 5246 from 10.10.121.201 to 192.168.200.1 on FastEthernet1/0/23
.May  3 06:38:19.080: UDP: forwarded broadcast 5246 from 10.10.121.201 to 10.10.111.10 on FastEthernet1/0/22
.May  3 06:40:28.710: UDP: rcvd src=10.10.121.201(53205), dst=255.255.255.255(5246), length=131
.May  3 06:40:28.710: UDP: forwarded broadcast 5246 from 10.10.121.201 to 192.168.200.1 on FastEthernet1/0/23
.May  3 06:40:28.718: UDP: forwarded broadcast 5246 from 10.10.121.201 to 10.10.111.10 on FastEthernet1/0/22
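The three stages of debug output above (no forwarding, forwarding only to the DHCP helper, forwarding to the WLC too) can be checked mechanically. Here is an added example (not from the original post) that parses “debug ip udp” lines and reports, per AP source, whether its UDP 5246 broadcast reached the WLC management address; the sample lines are constructed in the format of the post's output, and the WLC management IP 10.10.111.10 and DHCP server 192.168.200.1 are the post's values.

```python
"""Check Cisco IOS ``debug ip udp`` output for CAPWAP discovery forwarding.

Added example, not part of the original post. The sample lines are constructed
in the format of the post's debug output; 10.10.111.10 (WLC management IP) and
192.168.200.1 (DHCP server) are the addresses used in the post.
"""
import re
from collections import defaultdict

CAPWAP_CONTROL_PORT = 5246

# e.g. "UDP: rcvd src=10.10.121.201(53205), dst=255.255.255.255(5246), length=131"
RCVD_RE = re.compile(
    r"UDP: rcvd src=(?P<src>[\d.]+)\((?P<sport>\d+)\), "
    r"dst=(?P<dst>[\d.]+)\((?P<dport>\d+)\), length=(?P<len>\d+)"
)
# e.g. "UDP: forwarded broadcast 5246 from 10.10.121.201 to 10.10.111.10 on FastEthernet1/0/22"
FWD_RE = re.compile(
    r"UDP: forwarded broadcast (?P<dport>\d+) from (?P<src>[\d.]+) "
    r"to (?P<helper>[\d.]+) on (?P<intf>\S+)"
)


def summarize_capwap_broadcasts(lines, port=CAPWAP_CONTROL_PORT):
    """Return (received, forwarded): received counts limited broadcasts to `port`
    per source AP; forwarded maps source AP -> sorted list of helper addresses
    the switch actually relayed that broadcast to."""
    received = defaultdict(int)
    forwarded = defaultdict(set)
    for line in lines:
        m = RCVD_RE.search(line)
        if m and int(m["dport"]) == port and m["dst"] == "255.255.255.255":
            received[m["src"]] += 1
            continue
        m = FWD_RE.search(line)
        if m and int(m["dport"]) == port:
            forwarded[m["src"]].add(m["helper"])
    return dict(received), {ap: sorted(h) for ap, h in forwarded.items()}


def check_wlc_reachability(lines, wlc_mgmt_ip, port=CAPWAP_CONTROL_PORT):
    """Classify each AP whose CAPWAP broadcast the switch received:
    'not-forwarded' : received but never relayed ("ip forward-protocol udp 5246" missing)
    'wrong-helper'  : relayed, but only to helpers other than the WLC (DHCP-only helper)
    'ok'            : relayed to the WLC management address."""
    received, forwarded = summarize_capwap_broadcasts(lines, port)
    verdict = {}
    for ap in received:
        helpers = forwarded.get(ap, [])
        if not helpers:
            verdict[ap] = "not-forwarded"
        elif wlc_mgmt_ip not in helpers:
            verdict[ap] = "wrong-helper"
        else:
            verdict[ap] = "ok"
    return verdict


# Constructed samples mirroring the post's three stages.
BEFORE_FORWARD_PROTOCOL = [
    ".May  3 06:21:07.421: UDP: rcvd src=10.10.121.201(53205), dst=255.255.255.255(5246), length=131",
    ".May  3 06:21:31.672: UDP: rcvd src=10.10.10.3(123), dst=10.10.20.1(123), length=76",
]
DHCP_HELPER_ONLY = [
    ".May  3 06:29:38.284: UDP: rcvd src=10.10.121.201(53205), dst=255.255.255.255(5246), length=131",
    ".May  3 06:29:38.284: UDP: forwarded broadcast 5246 from 10.10.121.201 to 192.168.200.1 on FastEthernet1/0/23",
]
WITH_WLC_HELPER = DHCP_HELPER_ONLY + [
    ".May  3 06:38:19.080: UDP: forwarded broadcast 5246 from 10.10.121.201 to 10.10.111.10 on FastEthernet1/0/22",
]

if __name__ == "__main__":
    for name, sample in [("before forward-protocol", BEFORE_FORWARD_PROTOCOL),
                         ("dhcp helper only", DHCP_HELPER_ONLY),
                         ("wlc helper added", WITH_WLC_HELPER)]:
        print(name, check_wlc_reachability(sample, "10.10.111.10"))
```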

Here is the AP console output showing successful registration to WLC1.

APccef.488c.fd41#renew dhcp g0
 wmmAC status is FALSE
*May  3 06:38:19.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.10.111.11 peer_port: 5246
*May  3 06:38:19.000: %CAPWAP-5-CHANGED: CAPWAP changed state to  
*May  3 06:38:19.430: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.10.111.11 peer_port: 5246
*May  3 06:38:19.434: %CAPWAP-5-SENDJOIN: sending Join Request to 10.10.111.11
*May  3 06:38:19.434: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
*May  3 06:38:19.594: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
*May  3 06:38:19.717: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to down
*May  3 06:38:19.726: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*May  3 06:38:19.726: %CAPWAP-5-CHANGED: CAPWAP changed state to UP
*May  3 06:38:19.776: %CAPWAP-5-JOINEDCONTROLLER: AP has joined controller WLC1
*May  3 06:38:19.821: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up

If you take a Wireshark packet capture of the WAN link during this process, you should be able to see the WLC discovery request going to WLC1. Here is that output, where you can see “Discovery type is 0”, which indicates the broadcast method is in use.

WLC-Discovery-Broadcast-01

You can find details of all discovery methods in this Cisco document (Cisco Doc 70333):

Lightweight AP (LAP) Registration to a WLC

This document may also help you troubleshoot LAP registration issues to a WLC (Cisco Doc 99948):

Troubleshoot a Lightweight Access Point Not Joining a WLC



7925G – Power Management


When the access point supports the Cisco Client Extensions (CCX) proxy ARP information element, idle battery life is optimized. Proxy ARP (it is enabled by default & cannot be disabled) allows the Cisco Unified Wireless IP Phone 7925G, 7925G-EX, and 7926G to remain in sleep mode longer, instead of waking up at each Delivery Traffic Indicator Message (DTIM) period to check for incoming broadcasts.

To optimize battery life, the Cisco Unified Wireless IP Phone 7925G, 7925G-EX, and 7926G will utilize either U-APSD or PSPOLL power save methods depending on whether Wi-Fi MultiMedia (WMM) is enabled in the Access Point configuration or not.

U-APSD will be utilized when WMM is enabled on the Access Point. When on a call, U-APSD, PS-POLL, or active mode will be utilized depending on the Cisco Unified Wireless IP Phone 7925G, 7925G-EX, and 7926G call power save mode configuration and the access point configuration. When idle (no active call), the Cisco Unified Wireless IP Phone 7925G, 7925G-EX, and 7926G will utilize U-APSD or PS-POLL depending on the Access Point configuration.

Unscheduled Auto Power Save Delivery (U-APSD):
The Cisco Unified Wireless IP Phone 7925G, 7925G-EX, and 7926G will utilize U-APSD (Unscheduled Auto Power Save Delivery) for power management as long as Wi-Fi MultiMedia (WMM) is enabled in the access point configuration and the call power save mode on the Cisco Unified Wireless IP Phone 7925G, 7925G-EX, and 7926G is set to U-APSD/PS-POLL. U-APSD helps optimize battery life and reduces management overhead.

Below is a sample packet sequence when using U-APSD.

7925-Power-01

Power Save Poll (PS-POLL):
If WMM is disabled (disabling U-APSD support) or U-APSD support is not available on the access point, then the Cisco Unified Wireless IP Phone 7925G, 7925G-EX, and 7926G will utilize PS-POLL for power management when the call power save mode on the Cisco Unified Wireless IP Phone 7925G, 7925G-EX, and 7926G is set to U-APSD/ PS-POLL.
Below is a sample packet sequence when using PS-POLL.

7925-Power-02

Delivery Traffic Indicator Message (DTIM):
The Cisco Unified Wireless IP Phone 7925G, 7925G-EX, and 7926G can use the DTIM period to schedule wakeup periods to check for broadcast and multicast packets as well as any unicast packets. If proxy ARP is enabled, then the Cisco Unified Wireless IP Phone 7925G, 7925G-EX, and 7926G do not have to wake up at DTIM. For optimal battery life and performance, we recommend setting the DTIM period to 2 with a beacon period of 100 ms.

The DTIM period is a tradeoff between battery life and multicast performance.
Broadcast and multicast traffic will be queued until the DTIM period when there are power save enabled clients associated to the access point, so DTIM will determine how quickly these packets can be delivered to the client. If using multicast applications, a shorter DTIM period can be used. If multiple multicast streams exist on the wireless LAN frequently, then it is recommended to set the DTIM period to 1.

Scan Modes:
There are three different scan modes (Auto, Continuous, Single AP), which can be configured for the Cisco Unified Wireless IP Phone 7925G, 7925G-EX, and 7926G in the Cisco Unified Communications Manager.

When using multiple access points where seamless roaming is required, Auto (default) or Continuous scan mode should be enabled (Single AP scan mode should not be used if multiple access points exist). Auto scan mode is the default scan mode, which optimizes idle battery life as well as offering seamless roaming.

When on an active call with Auto scan mode enabled, the Cisco Unified Wireless IP Phone 7925G, 7925G-EX, and 7926G will continuously be scanning. If in idle (not on an active call) and Auto scan mode is enabled, then the Cisco Unified Wireless IP Phone 7925G, 7925G-EX, and 7926G will only start to scan once the scan threshold is met for the currently connected access point.

Continuous scan mode is recommended for environments where frequent roams occur or where smaller cells (pico cells) exist. Continuous scan mode can also help with location tracking. With Continuous scan mode, scans occur regardless of the current call state (idle or on call) or the current access point signal level (RSSI). There will be a slight decrease in idle battery life when using Continuous scan mode in comparison to Auto scan mode.

If using only one access point, select Single AP mode on the Cisco Unified Wireless IP Phone 7925G, 7925G-EX, and 7926G to reduce scanning and optimize battery life.

Ref: Cisco 7925G Deployment Guide (page 25-28)



7925 Deployment Guidelines Summary


As per the 7925 Deployment Guide, these are the guidelines for a Unified Wireless deployment for voice.

• Ensure CCKM is Enabled if utilizing 802.1x authentication
• Set Quality of Service (QoS) to Platinum
• Set the WMM Policy to Required
• Ensure Session Timeout is enabled and configured correctly
• Ensure Aironet IE is Enabled
• Set DTPC Support to Enabled
• Disable P2P (Peer to Peer) Blocking Action / Public Secure Packet Forwarding (PSPF)
• Ensure Client Exclusion is configured correctly
• Disable DHCP Address Assignment Required
• Set MFP Client Protection to Optional or Disabled
• Set the DTIM Period to 2
• Set Client Load Balancing to Disabled
• Set Client Band Select to Disabled
• Set IGMP Snooping to Enabled
• Enable Symmetric Mobile Tunneling Mode if Layer 3 mobility is utilized
• Enable Short Preamble if using 2.4 GHz
• Enable ClientLink if utilizing Cisco 802.11n capable access points
• Configure the Data Rates as necessary
• Enable CCX Location Measurement
• Configure Auto RF as necessary
• Set Admission Control Mandatory to Enabled for Voice
• Set Load Based CAC to Enabled for Voice
• Enable Traffic Stream Metrics for Voice
• Set Admission Control Mandatory to Disabled for Video
• Set EDCA Profile to Voice Optimized or Voice and Video Optimized
• Set Enable Low Latency MAC to Disabled
• Ensure that Power Constraint is Disabled
• Enable Channel Announcement and Channel Quiet Mode
• Enable CleanAir if utilizing Cisco access points with CleanAir technology
• Configure Multicast Direct Feature as necessary
• Set the 802.1p tag to 6 for the Platinum QoS profile



WLC Config for VoWLAN


Here are some important VoWLAN-specific configurations as per the 7925 Deployment Guide. This is not the complete list (you should read the full Deployment Guide end to end).

WLAN Advanced Settings

* Configure Enable Session Timeout as necessary per your requirements. It is recommended to either disable the session timeout or extend the timeout (e.g. 24 hours / 86400 seconds) to avoid possible interruptions during audio or video calls. If disabled it will avoid any potential interruptions altogether, but enabling session timeout can help to re-validate client credentials periodically to ensure that the client is using valid credentials.
* Enable Aironet Extensions (Aironet IE).
* Peer to Peer (P2P) Blocking Action should be disabled.
* Configure Client Exclusion as necessary.
* Off Channel Scanning Defer can be tuned to defer scanning for certain queues as well as the scan defer time. If using best effort applications frequently (e.g. web browsing, VPN, etc.) or if DSCP values for priority applications (e.g. voice, video, call control) are not preserved to the access point, then it is recommended to enable the lower priority queues (0-3) along with the higher priority queues (4-6) to defer off channel scanning, as well as potentially increasing the scan defer time.
* The Maximum Allowed Clients Per AP Radio can be configured as necessary.
* DHCP Address Assignment Required should be disabled.

VoWLAN-Advanced-01

802.11 Network Settings

* If using 5 GHz, ensure the 802.11a network status is Enabled.
* Set the Beacon Period to 100 ms.
* Ensure DTPC Support is enabled.
* If using 802.11n capable access points, ensure ClientLink is enabled.
* With the current releases, Maximum Allowed Clients can be configured.
* Configure 12 Mbps as the mandatory (basic) rate and 18 – 24 or 54 Mbps as supported (optional) rates. 36-54 Mbps can optionally be disabled, if there are not any applications that can benefit from those rates (e.g. video).
* Enable CCX Location Measurement.

VoWLAN-Advanced-02

* If using 2.4 GHz, ensure the 802.11b/g network status and 802.11g are enabled.
* Set the Beacon Period to 100 ms.
* Short Preamble should be Enabled in the 2.4 GHz radio configuration setting on the access point when no legacy clients that require a long preamble are present in the wireless LAN. By using the short preamble instead of long preamble, the wireless network performance is improved.
* Ensure DTPC Support is enabled.
* If using 802.11n capable access points, ensure ClientLink is enabled. With the current releases, Maximum Allowed Clients can be configured.
* Configure 12 Mbps as the mandatory (basic) rate and 18 – 24 or 54 Mbps as supported (optional) rates assuming that there will not be any 802.11b only clients that will connect to the wireless LAN. If 802.11b clients exist, then 11 Mbps should be set as the mandatory (basic) rate and 12-24 or 54 Mbps as supported (optional). 36-54 Mbps can optionally be disabled, if there are not any applications that can benefit from those rates (e.g. video).
* Enable CCX Location Measurement.

VoWLAN-Advanced-03

Call Admission Control

* It is recommended to enable Admission Control Mandatory for Voice and configure the maximum bandwidth and reserved roaming bandwidth percentages for either 5 or 2.4 GHz depending on which frequency band is to be utilized. The maximum bandwidth default setting for voice is 75% where 6% of that bandwidth is reserved for roaming clients. Roaming clients are not limited to using the reserved roaming bandwidth, but roaming bandwidth is to reserve some bandwidth for roaming clients in case all other bandwidth is utilized.
* If CAC is to be enabled, you will want to ensure Load-based CAC is enabled, which is available on the Cisco Unified Wireless LAN Controller but not currently available on the Cisco Autonomous access point platform. Load-based CAC will account for non-TSPEC clients as well as other energy on the channel.
* Enable Traffic Stream Metrics (TSM).

VoWLAN-Advanced-04

In the Media settings, Unicast Video Redirect and Multicast Direct Enable should be enabled.

VoWLAN-Advanced-05

DFS (802.11h)

* In the DFS (802.11h) configuration, channel announcement and quiet mode should be enabled.
* Power Constraint should be left un-configured or set to 0 dBm as DTPC will be used by the Cisco Unified Wireless IP Phone 7925G, 7925G-EX, and 7926 to control the transmission power. In later versions of the Cisco Unified Wireless LAN Controller it does not allow both TPC (Power Constraint) and DTPC (Dynamic Transmit Power Control) to be enabled simultaneously.
* Channel Announcement and Channel Quiet Mode should be enabled.

VoWLAN-Advanced-06

CCKM Timestamp Tolerance

* As of the 7.0.98.218 release, the CCKM timestamp tolerance is configurable. In previous releases, the CCKM timestamp tolerance was set to 1000 ms and non-configurable. The default CCKM timestamp tolerance is still set to 1000 ms in the later releases.
* It is recommended to adjust the CCKM timestamp tolerance to 5000 ms to optimize the Cisco Unified Wireless IP Phone 7925G, 7925G-EX, and 7926G roaming experience.

(WLC) >config wlan security wpa akm cckm timestamp-tolerance <tolerance>

Allow CCKM IE time-stamp tolerance <1000 to 5000> milliseconds; Default tolerance 1000 msecs
Use the following command to configure the CCKM timestamp tolerance per Cisco recommendations.
(WLC) > config wlan security wpa akm cckm timestamp-tolerance 5000 <WLAN id >

To confirm the change, enter “show wlan <WLAN id>”, where the following will be displayed.
CCKM tsf Tolerance…………………………. 5000

Auto-Immune

The Auto-Immune feature can optionally be enabled for protection against denial of service (DoS) attacks. However, when this feature is enabled it can introduce interruptions to voice over wireless LAN, so it is recommended to disable the Auto-Immune feature on the Cisco Unified Wireless LAN Controller. The Auto-Immune feature was introduced in the 4.2.176.0 release, where it was enabled by default and non-configurable. As of the 4.2.207.0, 5.2.193.0 and 6.0.182.0 releases this feature is disabled by default but can be enabled optionally.
To view the Auto-Immune configuration on the Cisco Unified Wireless LAN Controller, telnet or SSH to the controller and enter the following command.
(WLC) >show wps summary
Auto-Immune
Auto-Immune……………………………… Disabled

WLAN Controller Advanced EAP Settings

You need to ensure that the advanced EAP settings in the Cisco Unified Wireless LAN Controller are configured per the information below. To view the EAP configuration on the Cisco Unified Wireless LAN Controller, telnet or SSH to the controller and enter the following command.

(Cisco Controller) >show advanced eap
EAP-Identity-Request Timeout (seconds)……….. 30
EAP-Identity-Request Max Retries…………….. 2
EAP Key-Index for Dynamic WEP……………….. 0
EAP Max-Login Ignore Identity Response……….. enable
EAP-Request Timeout (seconds)……………….. 30
EAP-Request Max Retries…………………….. 2
EAPOL-Key Timeout (milliseconds)…………………. 400
EAPOL-Key Max Retries………………………. 4

If using 802.1x or WPA/WPA2, the EAP-Request Timeout on the Cisco Unified Wireless LAN Controller should be set to at least 20 seconds. In later versions of Cisco Unified Wireless LAN Controller software, the default EAP-Request Timeout was changed from 2 to 30 seconds. The default timeout on the Cisco ACS server is 20 seconds. To change the EAP-Request Timeout on the Cisco Unified Wireless LAN Controller, telnet or SSH to the controller and enter the following command.
(Cisco Controller) >config advanced eap request-timeout 30

* If using WPA/WPA2 PSK then it is recommended to reduce the EAPOL-Key Timeout to 400 milliseconds from the default of 1000 milliseconds with EAPOL-Key Max Retries set to 4 from the default of 2.
* If using WPA/WPA2, then using the default values where the EAPOL-Key Timeout is set to 1000 milliseconds and EAPOL-Key Max Retries are set to 2 should work fine, but it is still recommended to set those values to 400 and 4 respectively.

* The EAPOL-Key Timeout should not exceed 1 second (1000 milliseconds). To change the EAPOL-Key Timeout on the Cisco Unified Wireless LAN Controller, telnet or SSH to the controller and enter the following command.
(Cisco Controller) >config advanced eap eapol-key-timeout 400

* To change the EAPOL-Key Max Retries Timeout on the Cisco Unified Wireless LAN Controller, telnet or SSH to the controller and enter the following command.
(Cisco Controller) >config advanced eap eapol-key-retries 4
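The EAP settings above are easy to check by hand on one controller, but across many it helps to parse the "show advanced eap" output and compare it with the recommendations in this section. The following Python is an added example, not Cisco's code: it parses the dotted-leader output format shown above (the sample output below is constructed to look like it, with the pre-change defaults of 1000 ms and 2 retries), flags values outside the recommended settings, and maps each finding to the "config advanced eap" command from the text.

```python
"""Added example: check Cisco WLC 'show advanced eap' output against the
recommendations in the text (EAP-Request Timeout of at least 20 s, EAPOL-Key
Timeout of 400 ms and never above 1000 ms, EAPOL-Key Max Retries of 4).
This is not the controller's own code; the sample output is constructed."""
import re

# Constructed sample, modelled on the 'show advanced eap' output in the text,
# but with the EAPOL-Key values still at their defaults (1000 ms, 2 retries).
SAMPLE_SHOW_ADVANCED_EAP = """\
EAP-Identity-Request Timeout (seconds)........... 30
EAP-Identity-Request Max Retries................. 2
EAP Key-Index for Dynamic WEP.................... 0
EAP Max-Login Ignore Identity Response........... enable
EAP-Request Timeout (seconds).................... 30
EAP-Request Max Retries.......................... 2
EAPOL-Key Timeout (milliseconds)................. 1000
EAPOL-Key Max Retries............................ 2
"""

# "name........ value"; the leader is ASCII dots on the controller, but text
# pasted from a browser often turns it into ellipsis characters, so accept both.
_LINE_RE = re.compile(r"^(?P<name>.*?)[.\u2026]{2,}\s*(?P<value>\S+)\s*$")

# Setting name -> remediation command, as given in the text.
REMEDIATION = {
    "EAP-Request Timeout (seconds)": "config advanced eap request-timeout 30",
    "EAPOL-Key Timeout (milliseconds)": "config advanced eap eapol-key-timeout 400",
    "EAPOL-Key Max Retries": "config advanced eap eapol-key-retries 4",
}


def parse_show_advanced_eap(text):
    """Return {setting name: value}; purely numeric values become int."""
    settings = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if not m:
            continue  # blank or unrelated line
        value = m.group("value")
        settings[m.group("name").strip()] = int(value) if value.isdigit() else value
    return settings


def check_eap_settings(settings):
    """Return (setting, current value, recommended) tuples for every value that
    departs from the recommendations; an empty list means compliant."""
    findings = []
    req_timeout = settings.get("EAP-Request Timeout (seconds)")
    if req_timeout is None or req_timeout < 20:
        findings.append(("EAP-Request Timeout (seconds)", req_timeout, ">= 20"))
    key_timeout = settings.get("EAPOL-Key Timeout (milliseconds)")
    if key_timeout is None or key_timeout > 1000:
        findings.append(("EAPOL-Key Timeout (milliseconds)", key_timeout,
                         "<= 1000, recommended 400"))
    elif key_timeout != 400:
        findings.append(("EAPOL-Key Timeout (milliseconds)", key_timeout, "400"))
    retries = settings.get("EAPOL-Key Max Retries")
    if retries != 4:
        findings.append(("EAPOL-Key Max Retries", retries, "4"))
    return findings


def remediation_commands(findings):
    """Translate findings into the controller commands listed in the text."""
    return [REMEDIATION[name] for name, _current, _wanted in findings]


if __name__ == "__main__":
    parsed = parse_show_advanced_eap(SAMPLE_SHOW_ADVANCED_EAP)
    for name, current, wanted in check_eap_settings(parsed):
        print(f"{name}: {current} (recommended {wanted})")
    for cmd in remediation_commands(check_eap_settings(parsed)):
        print("  ->", cmd)
```

On the constructed sample the checker reports only the two EAPOL-Key values, since the EAP-Request Timeout is already 30 seconds; the same parser works on pasted output because the leader regex accepts ellipsis characters as well as dots.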

Related Posts

1. 7925G – Power Management
2. 7925 Deployment Guidelines Summary
3. 7 Guidelines for Better VoWLAN


7 Guidelines for Better VoWLAN


I found this Cisco document very useful for making 7925 deployments better in the 802.11a band. I hope the information is fairly up to date (as I did not check each individual bug status as at now, May 2013) since it was documented late last year (Oct 2012). Here is the content of it without the comments (you should read those as well).

1. Have solid coverage in 5GHz – and lock your phones to 802.11a

Your network’s ability to perform is fundamentally dependent on a solid physical layer.  VoWLAN uses both the 2.4GHz and 5GHz bands.  Of these, the 2.4GHz band’s lower frequency signals carry further – however, the constrained bandwidth (only three non-overlapping channels) and ever increasing interference, render 2.4GHz, in most cases, unsuitable for reliable voice.  Network providers who want to deliver a reliable VoWLAN service will ensure that their design adheres to the following standard:

Every spot in the coverage area is serviced by at least two viable 5GHz access points, at -67dBm or stronger. You can easily validate the necessary coverage by setting your phone into site survey mode, and walking throughout your coverage area.

Additionally, AP placement, antenna selection, building construction, etc. must be such that multipath distortion is kept to a minimum.  To ensure gap-free roaming, a moving phone must be able to hear each roamed-to AP at least 5 seconds before it needs to roam to it – so place all APs in the middle of halls, at corridor junctions, etc., rather than in blind spots.

2. Run 1.4.3 or above – nothing earlier

The 1.4.2 firmware introduced a greatly improved scanning and roaming algorithm in the 792x phones.  1.4.3 introduces other critical fixes.  If you are experiencing audio problems with your phones – never, ever run any firmware prior to 1.4.3.

Be aware that, for newer hardware revisions of the 792x phones, it is not possible to run any firmware prior to 1.4(3)SR1 – see the release notes.  Therefore, for new or RMAd phones, you can’t run the bad old firmware, even if you want to.

3. Access points in local mode, not Flexconnect (H-REAP) local switching

Flexconnect (H-REAP) local switching suffers from the following severe bug: CSCtz31572 HREAP local switching – ARP , broadcast key on standalone transition

This bug causes one-way audio, and affects all 7.0 and 7.2 CUWN releases.  Until this bug is fixed, be sure always to use local mode APs, never Flexconnect local switching, for your VoWLAN clients.  If your WAN link between the APs and the WLC is high latency or low bandwidth, then install a WLC at the site where the phones are.

4. Use WPA2/AES EAP/CCKM or static WEP – never PSK

WPA2/AES Enterprise with CCKM is the recommended security scheme for 792x phones – you should never use any other security method.  You may use Local Authentication on the WLC, if you do not want to use an external RADIUS server.  (When using CCKM, use the WLC command "config wlan security wpa akm cckm timestamp-tolerance 5000" to increase the likelihood of performing a fast roam.)  (Also see the CCKM Client Disconnect Bugs in 7.0/7.2 tip.)

If security is not a concern, then static WEP will work well.

Do not use WPA/WPA2 Preshared Key (PSK.)  This is because the 792x phones suffer from the following unresolved bug, which prevents WPA key exchanges from completing:

CSCtt38270 7925 sometimes takes 1+ second to respond to WPA M1 key message

Until this bug is resolved, WPA PSK deployments will experience audio gaps of up to several seconds intermittently at roam time.
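Both the CCKM timestamp tolerance recommendation and the "never PSK" rule above are things you can audit from a controller configuration backup, which on a WLC is a list of "config wlan ..." lines. The Python below is an added example, not Cisco's or the blog's code. It assumes a backup made of lines in the forms used in this post ("config wlan create <id> <profile> <ssid>", "config wlan security wpa akm cckm timestamp-tolerance <ms> <id>") plus "config wlan security wpa akm {psk|cckm|802.1x} {enable|disable} <id>" for the AKM selection; the backup text itself is constructed for the example, and the default tolerance of 1000 ms is taken from the text.

```python
"""Added example: audit 'config wlan' lines from a Cisco WLC configuration
backup against two guidelines from the text: no WPA/WPA2 PSK on the voice
WLAN, and CCKM with a 5000 ms timestamp tolerance (default 1000 ms).
Not Cisco's code; the sample backup below is constructed."""
import re

DEFAULT_TOLERANCE_MS = 1000      # controller default, per the text
RECOMMENDED_TOLERANCE_MS = 5000  # recommendation for the 792x phones

# Constructed sample: WLAN 15 uses PSK, WLAN 17 uses CCKM at the default
# tolerance, WLAN 18 uses CCKM with the recommended tolerance.
SAMPLE_BACKUP = """\
config wlan create 15 Test-15 Test-15
config wlan security wpa enable 15
config wlan security wpa akm psk enable 15
config wlan create 17 Voice-17 Voice-17
config wlan security wpa enable 17
config wlan security wpa akm 802.1x disable 17
config wlan security wpa akm cckm enable 17
config wlan create 18 Voice-18 Voice-18
config wlan security wpa enable 18
config wlan security wpa akm cckm enable 18
config wlan security wpa akm cckm timestamp-tolerance 5000 18
config wlan wmm require 18
"""

_CREATE_RE = re.compile(r"^config wlan create (\d+) (\S+) (\S+)$")
_AKM_RE = re.compile(r"^config wlan security wpa akm (psk|cckm|802\.1x) (enable|disable) (\d+)$")
_TOLERANCE_RE = re.compile(r"^config wlan security wpa akm cckm timestamp-tolerance (\d+) (\d+)$")


def _entry(wlans, wlan_id):
    """Get or create the record for a WLAN id (lines may arrive in any order)."""
    return wlans.setdefault(wlan_id, {"profile": None, "ssid": None, "akm": set(),
                                      "cckm_tolerance_ms": DEFAULT_TOLERANCE_MS})


def parse_wlans(backup_text):
    """Return {wlan_id: {profile, ssid, akm (set of explicitly enabled AKMs),
    cckm_tolerance_ms}}. Lines the audit does not need are ignored."""
    wlans = {}
    for raw in backup_text.splitlines():
        line = raw.strip()
        m = _CREATE_RE.match(line)
        if m:
            entry = _entry(wlans, int(m.group(1)))
            entry["profile"], entry["ssid"] = m.group(2), m.group(3)
            continue
        m = _AKM_RE.match(line)
        if m:
            entry = _entry(wlans, int(m.group(3)))
            if m.group(2) == "enable":
                entry["akm"].add(m.group(1))
            else:
                entry["akm"].discard(m.group(1))
            continue
        m = _TOLERANCE_RE.match(line)
        if m:
            _entry(wlans, int(m.group(2)))["cckm_tolerance_ms"] = int(m.group(1))
    return wlans


def audit_voice_wlans(wlans):
    """Return (wlan_id, message) findings for the two guidelines in the text."""
    findings = []
    for wlan_id in sorted(wlans):
        w = wlans[wlan_id]
        if "psk" in w["akm"]:
            findings.append((wlan_id, "WPA/WPA2 PSK enabled; use WPA2/AES EAP with CCKM instead"))
        if "cckm" in w["akm"] and w["cckm_tolerance_ms"] != RECOMMENDED_TOLERANCE_MS:
            findings.append((wlan_id, f"CCKM timestamp tolerance is {w['cckm_tolerance_ms']} ms; "
                             f"fix: config wlan security wpa akm cckm timestamp-tolerance "
                             f"{RECOMMENDED_TOLERANCE_MS} {wlan_id}"))
    return findings


if __name__ == "__main__":
    for wlan_id, message in audit_voice_wlans(parse_wlans(SAMPLE_BACKUP)):
        print(f"WLAN {wlan_id}: {message}")
```

Only AKMs that appear explicitly in the backup are tracked, so a WLAN that relies on the controller's default AKM shows an empty set; the audit therefore reports what the backup proves rather than guessing.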

5. Optimize channels, power, and data rates

  • channels:
    • use at least 8 channels, at most 12
    • use channels from UNII-1 (36-48), UNII-2 (52-64), UNII-2 Extended (100-140), and/or UNII-3 (149-161 but not 165)
    • if coverage is weak, avoid channels with lower power limits
    • if radar detection is frequent, avoid the DFS channels (UNII-2, UNII-2 extended)
  • power:
    • in 5GHz, use a minimum power level of at least 11dBm
    • in all 5GHz deployments but the very densest ones, you can simply set a power level of 1 (maximum)
  • data rates:
    • set 6Mbps as the lowest mandatory rate, be sure that 12 and 24Mbps are enabled
  • remember to make any changes on all WLCs in the RF group

6. Enable continuous scan mode (in CUCM)

If continuous scan mode is not enabled, then the phone will not scan vigorously unless in call.  This means that it may drop incoming calls and pages.

7. Configure all QoS, and everything else, exactly as documented in the 7925 DG

Go through the entire 7925G Deployment Guide, and configure the phones and the wireless network exactly as per its recommendations (with the exception of any of the guidance above.)  In particular, make sure that all QoS configurations are set as per best practice, throughout your wireless and wired network.

Conclusion

With strict adherence to every single one of the above guidelines, there is a high probability that your VoWLAN service will meet your clients’ performance expectations.

Related Posts

1. 7925G – Power Management
2. 7925 Deployment Guidelines Summary
3. WLC Config for VoWLAN



What Did I learn from my 1st Attempt


I did my CCIE wireless lab attempt yesterday (7th May) & was not able to get over the line. Here is my experience & I have to be better prepared for the next time.

1. Approach
I had a basic plan of reading the questions within 30 min & doing initial troubleshooting to fix the L2/L3 infrastructure section within the next hour. I felt I was too slow on this and it took me nearly 1 hr to go through the questions & note down what they had asked us to do. Troubleshooting is another time killer & you have to do it so fast. I knew what I had to do (verifying IP address, subnet mask, gateway, DHCP options, ping, debugs, PIM, STP, NTP, routing etc), but it took more time than I thought. So you have to practice these many times & that's the only way you can speed this up (Lesson 1 - learned)

2. GUI vs CLI
There will be around 20 separate desktop icons for lab device connectivity (Telnet & RDP) which you need to open as separate windows (no tab option in SecureCRT). To manage these in order & go back to them without wasting time, you need to be well organized. On top of that, I felt the GUI was too slow (you have to wait 3-5 seconds each time you click a button in the WLC GUI for it to take effect. Most of the time, if it complains about some mistake, I have to re-tick everything and the time wasted is doubled). Not sure whether this was the behavior at other lab locations. Definitely, if you sit for the exam at the Sydney lab you will feel it. This impacted most of my unified deployment section & I tried to manage it via CLI as much as I could, but I had never prepared to do this purely on the CLI. Next time I will (Lesson 2 - learned)

3. How much do you know ACS 5.2
I knew this was one of my weak areas and during the exam it proved so again. Unless you know in and out how to configure advanced policies and troubleshoot, you will get trapped somewhere. If you are new to this like me, never mind, learn it well. Be comfortable with its configuration (Lesson 3 - learned)

4. Autonomous – Advance Config
This is another area that let me down during the exam. To be honest I hadn't gone through all the advanced radio configurations given in the configuration guide. So it bit me trying to find solutions for what they asked for. Also they had given us half-done configurations, so you need to know troubleshooting commands to find out what's missing (not like you configure everything from fresh). You have to know all of these well if you want to get 100% marks on this section (Lesson 4 - learned)

5. Too many sub items in a given question.
This is one thing I feel really uncomfortable about. There are so many items to be completed to claim the point in a question. Sometimes this makes it very hard to claim the point as you may easily miss a piece. You will notice this difference in the wireless specific tasks (unified, autonomous) compared to the L2/L3 & Infrastructure services questions. I could not get my head around summarizing what they had asked for on those sorts of questions. I think that makes this CCIE wireless too tough & I do not see a way around it unless we face it and absorb as much as we can. (Accept this & keep your mind ready)

6. Technical issues
Before starting the exam, the proctor mentioned there may be some issues with the lab. Especially, if you cannot see the SSID you created on the remote PC, let him know straight away. I had that issue during the exam (since I was slow, I was only able to test this in the later part of the exam) & the proctor had to reboot the remote PC to fix it. Not sure what the other known technical issues on this wireless lab are; I did not encounter them this time (maybe next time :shock: )

7. Practice, Practice & Practice
This is the most important thing you should have. Even though I knew what I had to do, I could not do it within 8 hrs considering all the challenges I came across (items 1 to 5 above). During the last 2 weeks I managed to get some time off from my work & dedicated it to studies. I booked some rack time with IPExpert & Fastlane to practice. Only last week was I able to practice the IPX-Volume 2 labs, as their racks/workbook were not ready until then. But that 5-6 days of practice on full scale labs was not sufficient. You have to practice each of those 5 labs at least 2-3 times (there are no other mock labs to practice)

So what's next?
The next available lab dates in Sydney are in August (3 months' time). So I have booked 20th Aug as my next lab date. Now I have to close my skill gaps & be prepared for the next round.


WLAN Config via CLI – Part 1


In this post we will see how to learn the CLI commands to configure a WLAN. I have created a WLAN called "Test-15" with wlan-id 15. Here are the default settings once you create a WLAN.

WLAN-CLI-01

WLAN-CLI-02

WLAN-CLI-05

WLAN-CLI-06

Here are the CLI commands generated by this basic WLAN creation. Once you take a backup of the WLC configuration you can derive this.

config wlan create 15 Test-15 Test-15
config wlan interface 15 management
config wlan broadcast-ssid enable 15
config wlan security wpa enable 15

config wlan wmm allow 15

config wlan session-timeout 15 1800
config wlan exclusionlist 15 60
config wlan mfp client enable 15

As you can see, all the CLI commands start with "config wlan", & as long as you master the "config wlan" CLI commands you should be able to configure any WLAN specific feature via CLI. Here is the full list.

(WLC2) >config wlan ?

7920-support   Configures support for phones.
IPv6Support    Configures IPv6 support on a WLAN.
aaa-override   Configures user policy override via AAA on a WLAN.
acl            Specify a per-WLAN ACL
apgroup        Manage AP Groups VLAN feature.
band-select    Allow|Disallow Band Select on a WLAN.
broadcast-ssid Configures SSID Broadcast on a WLAN.
call-snoop     Configures Call Snooping.
ccx            Configure Cisco Client Extension options.
channel-scan   Configures off channel scanning deferral parameters. 
chd            Enable/Disable CHD per WLAN
create         Creates a WLAN.
custom-web     Configures the Web Authentication Page per Profile.
delete         Deletes a WLAN.
dhcp_server    Configures the WLAN's DHCP Server.
diag-channel   Configures Diagnostics Channel Capability on a WLAN.
disable        Disables a WLAN.
dtim           Configures the DTIM Period for a WLAN
enable         Enables a WLAN.
exclusionlist  Configures Exclusion-list timeout.
h-reap         Configures H-REAP options for wlan.
interface      Configures the WLAN's interface.
ldap           Configures the WLAN's LDAP servers.
load-balance   Allow|Disallow Load Balance on a WLAN.
local-auth     Configures Local EAP Authentication.
mac-filtering  Configures MAC filtering on a WLAN.
max-associated-clients Configures maximum no. of client connections on wlan/guest-lan/remote-lan. 
media-stream   Configures Media Stream.
mfp            Configures Management Frame Protection.
mobility       Configures the Inter-Switch Mobility Manager
multicast      Configures the WLAN's multicast parameters.
nac            Configures NAC on wlan/guest-lan/remote-lan.
peer-blocking  Configure peer-to-peer blocking on a WLAN.
qos            Configures Quality of Service policy.
radio          Configures the Radio Policy.
radius_server  Configures the WLAN's RADIUS Servers.
roamed-voice-client Configure Voice Client Re-Anchor policy
security       Configures the security policy for a WLAN.
session-timeout Configures client timeout.
sip-cac        Configure SIP CAC Failure policy.
static-ip      Configures static IP client tunneling support on a WLAN.
uapsd          Configures UAPSD.
webauth-exclude Enable/Disable WebAuth Exclusion
wmm            Configures WMM (WME).

There are 44 commands… How do you remember them all? Let's break them down into the sections corresponding to the GUI.

WLAN-CLI-01

Here is the corresponding CLI for this section.

(WLC2) >config wlan ?

create         Creates a WLAN.
broadcast-ssid Configures SSID Broadcast on a WLAN.
interface      Configures the WLAN's interface.
disable        Disables a WLAN.
enable         Enables a WLAN.
delete         Deletes a WLAN.
radio          Configures the Radio Policy.
multicast      Configures the WLAN's multicast parameters.

Here are the security section related configs.

WLAN-CLI-02WLAN-CLI-03WLAN-CLI-04

security       Configures the security policy for a WLAN.

webauth-exclude Enable/Disable WebAuth Exclusion
custom-web     Configures the Web Authentication Page per Profile.

radius_server  Configures the WLAN's RADIUS Servers.
ldap           Configures the WLAN's LDAP servers.
local-auth     Configures Local EAP Authentication.
mac-filtering  Configures MAC filtering on a WLAN.

Here are the QoS related configurations.

WLAN-CLI-05

(WLC2) > config wlan ?

qos            Configures Quality of Service policy.
wmm            Configures WMM (WME).
7920-support   Configures support for phones.
media-stream   Configures Media Stream.
uapsd          Configures UAPSD.

Next Advanced Configuration Settings of a WLAN

WLAN-CLI-06

Here are the CLI commands relevant to this section.

(WLC2) > config wlan ?

aaa-override   Configures user policy override via AAA on a WLAN.
chd            Enable/Disable CHD per WLAN
session-timeout Configures client timeout.
ccx            Configure Cisco Client Extension options.
diag-channel   Configures Diagnostics Channel Capability on a WLAN.
IPv6Support    Configures IPv6 support on a WLAN.
acl            Specify a per-WLAN ACL
peer-blocking  Configure peer-to-peer blocking on a WLAN.
exclusionlist  Configures Exclusion-list timeout.
channel-scan   Configures off channel scanning deferral parameters.
h-reap         Configures H-REAP options for wlan.
dhcp_server    Configures the WLAN's DHCP Server.
static-ip      Configures static IP client tunneling support on a WLAN.
mfp            Configures Management Frame Protection.
dtim           Configures the DTIM Period for a WLAN
nac            Configures NAC on wlan/guest-lan/remote-lan.
load-balance   Allow|Disallow Load Balance on a WLAN.
band-select    Allow|Disallow Band Select on a WLAN.
call-snoop     Configures Call Snooping.
sip-cac        Configure SIP CAC Failure policy.
roamed-voice-client Configure Voice Client Re-Anchor policy

There are two other places where we configure WLAN features. If you want to configure "Auto Anchor" or "AP Group" you have to use the following CLI commands.

mobility       Configures the Inter-Switch Mobility Manager
apgroup        Manage AP Groups VLAN feature.

While going through the list I found this command for which I cannot find any GUI reference. It looks like a CLI-only command.

max-associated-clients Configures maximum no. of client connections on wlan/guest-lan/remote-lan.

In the next post we will drill into more detail on each section.

Related Posts

1. Configuring WLAN via CLI – Part 2
2. Configuring WLAN via CLI – Part 3
3. Configuring WLAN via CLI – Part 4
4. Configuring WLAN via CLI – Part 5


WLAN Config via CLI – Part 2


In this post we will look at the General WLAN configuration CLI commands in detail. Here are the default settings of the General tab once you create a WLAN.

WLAN-CLI-01

Here are the CLI commands related to this.

(WLC2) >config wlan ?

create         Creates a WLAN.
broadcast-ssid Configures SSID Broadcast on a WLAN.
interface      Configures the WLAN's interface.
disable        Disables a WLAN.
enable         Enables a WLAN.
delete         Deletes a WLAN.
radio          Configures the Radio Policy.
multicast      Configures the WLAN's multicast parameters.

Let's create a new WLAN with ID 17 & SSID "Test-17" by using CLI commands. Here is how you create a new WLAN using the CLI.

(WLC2) >config wlan create ?                            
foreignAp      Third Party Access Points.
<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan create 17 ?              
<name>         Enter Profile Name up to 32 alphanumeric characters.              

(WLC2) >config wlan create 17 Test-17 ?
<ssid>         Enter SSID (Network Name) up to 32 alphanumeric characters.

(WLC2) >config wlan create 17 Test-17 Test-17

If you want to broadcast this SSID (as opposed to keeping it hidden) you can enable "broadcast ssid" on this WLAN.

(WLC2) >config wlan broadcast-ssid ?               
disable        Disables Broadcast SSID on a WLAN.
enable         Enables Broadcast SSID on a WLAN.

(WLC2) >config wlan broadcast-ssid enable ?               
<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan broadcast-ssid enable 17

You can map this WLAN to an interface or interface group you created on your WLC. Here is the CLI for that. I have simply used the management interface.

(WLC2) >config wlan interface ?             
<WLAN id>      Enter WLAN Identifier between 1 and 512.
foreignAp      Third Party Access Points.

(WLC2) >config wlan interface 17 ?            
<interface-name> Enter the interface name upper case not supported.

(WLC2) >config wlan interface 17 management

Let's create an interface group called "int-group-1" & map interfaces "vlan11" & "vlan12" to it (these were created prior to this & their configuration is not shown in this post). Here is the CLI config for interface group creation & mapping interfaces onto it.

(WLC2) >config interface group create int-group-1 "Interface Group 1" 
(WLC2) >config interface group interface add int-group-1 vlan11
(WLC2) >config interface group interface add int-group-1 vlan12

Now let's map the Test-17 WLAN to this interface group. You simply use the interface group name instead of the interface name.

(WLC2) >config wlan interface 17 int-group-1

Now let's set the radio policy for this WLAN. Here are the options available. If, without impacting other WLANs, you only want certain types of clients to be able to join this network, you have to configure this setting correctly. Let's say no clients in 2.4 GHz should associate to this WLAN at less than 11 Mbps data rates (in other words 802.11b clients should not associate). Then you have to select 802.11g-only. In this example we will allow 802.11a & 802.11g clients to join this WLAN.

(WLC2) >config wlan radio 17 ?

802.11a-only   Configures the WLAN on 802.11a only.
802.11ag       Configures the WLAN on 802.11a and 802.11g only.
802.11bg       Configures the WLAN on 802.11b/g only (802.11b only, if 802.11g is disabled).
802.11g-only   Configures the WLAN on 802.11g only.
all            Configures the WLAN on all Radio bands.

(WLC2) >config wlan radio 17 802.11ag

Since we mapped this WLAN onto an interface group, clients of the same WLAN get IP addresses from multiple interfaces (VLANs). Therefore, to optimize multicast with this configuration you need to enable the "multicast vlan select" feature. This nominates one VLAN for multicast communication for the entire interface group, instead of each individual VLAN sending IGMP queries for its clients.

(WLC2) >config wlan multicast ?     
interface      Configures the WLAN's multicast interface.

(WLC2) >config wlan multicast interface ?              
<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan multicast interface 17 ?               
enable         Enables the multicast-interface feature for a WLAN.
disable        Disables the multicast-interface feature for a WLAN.

(WLC2) >config wlan multicast interface 17 enable ?               
<interface-name> Enter the interface name upper case not supported.

(WLC2) >config wlan multicast interface 17 enable vlan11

You can enable this WLAN with the following CLI command.

(WLC2) >config wlan enable 17

Now if you look at the GUI WLAN general tab you would see something like this.

WLAN-GEN-CLI-01

Now if you try to join this SSID, even though you enabled broadcast SSID, you cannot see it. Why is this? You have to remember that only WLAN IDs 1-16 are broadcast by default. If you create any WLAN with an ID greater than 16, then you have to create an AP Group to broadcast it. Therefore let's create an AP Group called "mrn-apgroup" and put my AP into this group.

(WLC2) >config wlan apgroup ?              
add            Creates a new AP Group.
delete         Deletes a existing ap group.
description    Configures a description for an AP group.
interface-mapping Adds or deletes a new apgroup/WLAN/interface mapping.
nac-snmp       Configures NAC SNMP functionality on given AP-Group. 
radio-policy   Configures Radio Policy on given AP-Group. 

(WLC2) >config wlan apgroup add ?              
<apgroup name> Specify the name of the apgroup to configure.

(WLC2) >config wlan apgroup add mrn-apgroup ?              
<description>  (optional) Specify the description for the AP group.

(WLC2) >config wlan apgroup add mrn-apgroup 

(WLC2) >config wlan apgroup interface-mapping ?              
add            Adds a new apgroup/WLAN/interface mapping.
delete         Adds a new apgroup/WLAN/interface mapping.

(WLC2) >config wlan apgroup interface-mapping add ?              
<apgroup name> Specify the name of the apgroup to configure.

(WLC2) >config wlan apgroup interface-mapping add mrn-apgroup ?              
<WLAN or Remote LAN Id> Enter WLAN or Remote LAN Identifier between 1 and 512.

(WLC2) >config wlan apgroup interface-mapping add mrn-apgroup 17 ?               
<Interface Name> Specify the interface name.

(WLC2) >config wlan apgroup interface-mapping add mrn-apgroup 17 int-group-1

Now let's add the AP into the AP Group created. Remember that the AP will reboot & impact the clients if you are doing this on a production AP.

(WLC2) >show  ap summary 
Number of APs.................................... 1
Global AP User Name.............................. Not Configured
Global AP Dot1x User Name........................ Not Configured

AP Name             Slots  AP Model              Ethernet MAC       Location          Port  Country  Priority
------------------  -----  --------------------  -----------------  ----------------  ----  -------  ------
LAP2                 2     AIR-CAP3502I-N-K9     70:81:05:03:7c:ef        CAT2-Fa102  LAG      AU       1

(WLC2) >config ap group-name ?   
<groupname>    Enter the group name of Cisco APs as String

(WLC2) >config ap group-name mrn-apgroup ?        
<Cisco AP>     Enter the name of the Cisco AP.

(WLC2) >config ap group-name mrn-apgroup  LAP2

In the GUI you will see this.

WLAN-GEN-CLI-02

Once you do this you will see the "Test-17" SSID is visible to clients.

In the next post we will look at how to do the QoS specific configuration of a WLAN via CLI.

Related Posts

1. Configuring WLAN via CLI – Part 1
2. Configuring WLAN via CLI – Part 3
3. Configuring WLAN via CLI – Part 4
4. Configuring WLAN via CLI – Part 5


WLAN Config via CLI – Part 3


In this post we will see the QoS configuration of a WLAN via CLI. As you saw previously, here are the default settings.

WLAN-QoS-CLI-01

(WLC2) > config wlan ?

qos            Configures Quality of Service policy.
wmm            Configures WMM (WME).
7920-support   Configures support for phones.
media-stream   Configures Media Stream.
uapsd          Configures UAPSD.

Prior to changing the QoS profile you need to make sure the correct 802.1p value is configured for each profile. By default no 802.1p value is set in any profile (Platinum, Gold, Silver & Bronze) and therefore no QoS tags are passed onto the wired network from the controller. You are required to disable the 802.11a/b networks before configuring the QoS profile values. Here are the CLI commands to configure these. You have to map 802.1p values of 6, 5, 3 and 1 for Platinum, Gold, Silver & Bronze respectively.

(WLC2) >config 802.11b disable network
(WLC2) >config 802.11a disable network

(WLC2) >config qos  ?

average-data-rate     Configure QoS Average Data Rate
average-realtime-rate Configure QoS Realtime Average Data Rate
burst-data-rate       Configure QoS Burst Data Rate
burst-realtime-rate   Configure QoS Realtime Burst Data Rate
description           Configure QoS Description
dot1p-tag             Configure QoS 802.1P Tag
protocol-type         Configure QoS Protocol Type

(WLC2) >config qos protocol-type platinum ?               
dot1p          QoS Protocol Type 'dot1p'
none           QoS Protocol Type 'none'

(WLC2) >config qos protocol-type platinum dot1p

(WLC2) >config qos  dot1p-tag ?             
bronze         [bronze profile]
gold           [gold profile]
platinum       [platinum profile]
silver         [silver profile]

(WLC2) >config qos  dot1p-tag platinum               
<dot1p>        802.1p Tag (0 ~ 7)

(WLC2) >config qos  dot1p-tag platinum 6

*** Here are the other QoS profile configurations ***

(WLC2) >config qos protocol-type gold dot1p
(WLC2) >config qos  dot1p-tag gold 5
(WLC2) >config qos protocol-type silver dot1p
(WLC2) >config qos dot1p-tag silver 3
(WLC2) >config qos protocol-type bronze dot1p
(WLC2) >config qos dot1p-tag bronze 1

(WLC2) >config 802.11b enable network
(WLC2) >config 802.11a enable network

Now you can assign the QoS profile to the WLAN you created.

(WLC2) >config wlan qos ?               
<WLAN id>      Enter WLAN Identifier between 1 and 512.
foreignAp      Third Party Access Points.

(WLC2) >config wlan qos 17 ?             
bronze         Bronze QoS policy
gold           Gold QoS policy
platinum       Platinum QoS policy
silver         Silver QoS policy

(WLC2) >config wlan qos 17 platinum

You can configure the WMM setting as below. If you select the "Require" option then non-WMM clients cannot associate with this WLAN. The default option is "Allow", which permits both WMM & non-WMM clients to join. But all non-WMM clients will get the QoS setting configured under the WLAN. In my case, if I choose WMM-Allow, all traffic coming from non-WMM clients will be marked with 802.1p 6, which is equivalent to DSCP EF on the wired side of the network.

(WLC2) >config wlan wmm ?               
allow          Allows WMM on the WLAN.
disable        Disables WMM on the WLAN.
require        Requires WMM enabled clients on the WLAN.

(WLC2) >config wlan wmm require ?          
<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan wmm require 17

If you are not using WMM & you have old 7920 phones (which are not compatible with WMM anyway) you can enable 7920 specific QoS as below. Since client-cac uses the draft 802.11e QBSS IE, you cannot configure WMM & this feature together. They are mutually exclusive.

(WLC2) >config wlan 7920-support ?               
ap-cac-limit   Supports phones that expect the Cisco Vendor-Specific IE.
client-cac-limit Supports phones that expect the IEEE 802.11e Draft 6 QBSS-Load IE.

(WLC2) >config wlan 7920-support ap-cac-limit ?              
enable         Supports phones that expect the Cisco Vendor-Specific IE.
disable        Supports phones that expect the Cisco Vendor-Specific IE 

(WLC2) >config wlan 7920-support client-cac-limit        
enable         Supports phones that expect the IEEE 802.11e Draft 6 QBSS-Load IE.
disable        Supports phones that expect the IEEE 802.11e Draft 6 QBSS-Load IE.

If you need to enable U-APSD (Unscheduled Auto Power Save Delivery) support along with WMM, you have to configure it as below.

(WLC2) >config wlan uapsd ?           
compliant-client Configures UAPSD Compliant Client support.

(WLC2) >config wlan uapsd compliant-client ?             
disable        Disables UAPSD Compliant Client support on the WLAN.
enable         Enables UAPSD Compliant Client support on the WLAN.

(WLC2) >config wlan uapsd compliant-client enable ?             
<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan uapsd compliant-client enable 17

If you have configured the video stream feature on the controller and you need to enable it on this WLAN, you can use the “config wlan media-stream” CLI command as shown below. If you haven’t configured a video stream, this command will not be accepted.

(WLC2) >config wlan media-stream ?                           
multicast-direct Configures Multicast-direct for WLAN

(WLC2) >config wlan media-stream multicast-direct ?             
<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan media-stream multicast-direct 17 ?            
enable         Enables Multicast-direct on the WLAN
disable        Disables Multicast-direct on the WLAN.

(WLC2) >config wlan media-stream multicast-direct 17 enable

So, finally, here is how your WLAN QoS section looks in the GUI.

WLAN-QoS-CLI-02

Here are the corresponding CLI commands to achieve the above:

config wlan qos 17 platinum 
config wlan wmm require 17 
config wlan uapsd compliant-client enable 17 
config wlan media-stream multicast-direct 17 enable 

You can verify your configuration using the “show wlan 17” CLI command.

(4402-c) >show wlan 17
WLAN Identifier.................................. 17
Profile Name..................................... Test-17
Network Name (SSID).............................. Test-17
Status........................................... Disabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control
  Radius-NAC State............................... Disabled
  SNMP-NAC State................................. Disabled
  Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Number of Active Clients......................... 0
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 1800 seconds
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ management
Multicast Interface.............................. Not Configured
WLAN ACL......................................... unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
Quality of Service............................... Platinum (voice)
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Required
WMM UAPSD Compliant Client Support............... Enabled
Media Stream Multicast-direct.................... Enabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... 802.1P (Tag=6)
IPv6 Support..................................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
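As an added example (not part of the original post, and not Cisco's code), here is a small Python parser for the dotted-leader “show wlan” format above, with a check of the QoS/WMM values this post set on WLAN 17. The excerpt of the output is constructed from the lines shown above.

```python
import re

# Constructed excerpt of the 'show wlan 17' output shown above.
SHOW_WLAN_17 = """\
WLAN Identifier.................................. 17
Profile Name..................................... Test-17
Status........................................... Disabled
Network Admission Control
  Radius-NAC State............................... Disabled
  SNMP-NAC State................................. Disabled
  Quarantine VLAN................................ 0
Session Timeout.................................. 1800 seconds
Quality of Service............................... Platinum (voice)
WMM.............................................. Required
WMM UAPSD Compliant Client Support............... Enabled
Media Stream Multicast-direct.................... Enabled
Wired Protocol................................... 802.1P (Tag=6)
Radius Servers
"""

# One 'Field..... value' line: optional indent, field name, dotted leader, value.
_FIELD = re.compile(r"^(\s*)(.+?)\.{2,}\s*(.*)$")


def parse_show_wlan(text: str) -> dict:
    """Return {field: value}; indented fields are nested under the preceding
    un-dotted header line (e.g. 'Network Admission Control')."""
    result, section = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        match = _FIELD.match(raw)
        if match is None:                 # header line without a dotted leader
            section = raw.strip()
            result[section] = {}
            continue
        indent, key, value = match.groups()
        if indent and section is not None:
            result[section][key] = value  # child of the current header
        else:
            section = None
            result[key] = value
    return result


def check_qos(wlan: dict) -> list:
    """Compare a parsed WLAN against what this post configured on WLAN 17."""
    expected = {
        "Quality of Service": "Platinum (voice)",
        "WMM": "Required",
        "WMM UAPSD Compliant Client Support": "Enabled",
        "Media Stream Multicast-direct": "Enabled",
        "Wired Protocol": "802.1P (Tag=6)",
    }
    findings = [f"{key}: expected {want!r}, got {wlan.get(key)!r}"
                for key, want in expected.items() if wlan.get(key) != want]
    # With WMM merely 'Allowed', non-WMM clients are admitted and all of their
    # traffic carries the WLAN's 802.1p tag (6 = EF on the wire), as described above.
    if wlan.get("WMM") == "Allowed" and "Tag=6" in wlan.get("Wired Protocol", ""):
        findings.append("non-WMM clients admitted; all their traffic is tagged 802.1p 6 (EF)")
    return findings
```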

In next post we will see how to configure Security Specific settings via CLI.

Related Posts.

1. Configuring WLAN via CLI – Part 1
2. Configuring WLAN via CLI – Part 2
3. Configuring WLAN via CLI – Part 4
4. Configuring WLAN via CLI – Part 5


WLAN Config via CLI – Part 4


In this post we will see how to configure WLAN security settings via CLI. Here are the security-related options of the “config wlan” CLI command.

security       Configures the security policy for a WLAN.

webauth-exclude Enable/Disable WebAuth Exclusion
custom-web     Configures the Web Authentication Page per Profile.

radius_server  Configures the WLAN's RADIUS Servers.
ldap           Configures the WLAN's LDAP servers.
local-auth     Configures Local EAP Authentication.
mac-filtering  Configures MAC filtering on a WLAN.

If you want to configure layer2 security settings you can use the following CLI options. Let’s say you want to enable WPA2/AES with Pre-Shared Key.

(4402-c) >config wlan security ?              
802.1X         Configures 802.1X.
cond-web-redir Configured Conditional Web Redirect.
passthru       Configures IPSec passthru.
splash-page-web-redir Configured Splash-Page Web Redirect.
static-wep-key Configures static WEP keys on a WLAN.
web-auth       Configures Web authentication.
web-passthrough Configures Web Captive Portal with no authentication required.
wpa            Configures WPA/WPA2 Support for a WLAN             
ckip           Configures CKIP Security on WLAN.            
tkip           Configures TKIP MIC countermeasures hold-down timer (0-60 seconds)

(4402-c) >config wlan security wpa ?             
akm            Configures Auth Key Management
disable        Disables WPA/WPA2 Support for a WLAN
enable         Enables WPA/WPA2 Support for a WLAN
wpa1           Configures WPA support
wpa2           Configures WPA2 support

(4402-c) >config wlan security wpa wpa2                
ciphers        Configures WPA2 ciphers
disable        Disables WPA2 support
enable         Enables WPA2 support

(4402-c) >config wlan security wpa wpa2 ciphers ?           
aes            Configures WPA2/AES support
tkip           Configures WPA2/TKIP support

(4402-c) >config wlan security wpa wpa2 ciphers aes               
disable        Disables WPA2/AES support
enable         Enables WPA2/AES support

(4402-c) >config wlan security wpa wpa2 ciphers aes enable 17

(4402-c) >config wlan security wpa akm ?              
802.1x         Configures 802.1x support
cckm           Configures CCKM support
ft             Configures 802.11r fast transition 802.1x support
psk            Configures PSK support

(4402-c) >config wlan security wpa akm psk ?               
disable        Disables PSK support
enable         Enables PSK support
set-key        Configures the pre-shared-key

(4402-c) >config wlan security wpa akm psk set-key ?               
<ascii/hex>    Specificies for key format (ascii or hex)

(4402-c) >config wlan security wpa akm psk set-key ascii ?               
<psk>          Enter the pre-shared-key (PSK)

(4402-c) >config wlan security wpa akm psk set-key ascii Cisco123 ?               
<WLAN id>      Enter WLAN Identifier between 1 and 512.

(4402-c) >config wlan security wpa akm psk set-key ascii Cisco123 17

The above settings are identical to what you see in the screen below.

WLAN-SEC-CLI-02

Now let’s say you want to create a WLAN with no layer 2 security and only layer 3 web auth. Let’s create a WLAN called guest with WLAN ID 18 and assign it to the AP group (mrn-apgroup) created earlier. You can practice this via CLI; enter the following commands to do this.

(WLC2) >config wlan create 18 guest guest
(WLC2) >config wlan radio 18 802.11a-only
(WLC2) >config wlan interface 18 vlan12
(WLC2) >config wlan qos 18 bronze
(WLC2) >config wlan apgroup interface-mapping add mrn-apgroup 18 vlan12

Now let’s change security settings of this WLAN. We will use the Web Passthrough with Email Input as web auth method.

(WLC2) >config wlan security wpa ?              
akm            Configures Auth Key Management
disable        Disables WPA/WPA2 Support for a WLAN
enable         Enables WPA/WPA2 Support for a WLAN
wpa1           Configures WPA support
wpa2           Configures WPA2 support

(WLC2) >config wlan security wpa disable ?              
<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan security wpa disable 18 

(WLC2) >config wlan security ?
802.1X         Configures 802.1X.
cond-web-redir Configured Conditional Web Redirect.
passthru       Configures IPSec passthru.
splash-page-web-redir Configured Splash-Page Web Redirect.
static-wep-key Configures static WEP keys on a WLAN.
web-auth       Configures Web authentication.
web-passthrough Configures Web Captive Portal with no authentication required.
wpa            Configures WPA/WPA2 Support for a WLAN              
ckip           Configures CKIP Security on WLAN.                
tkip           Configures TKIP MIC countermeasures hold-down timer (0-60 seconds)              

(WLC2) >config wlan security web-passthrough ?               
acl            Configures Access Control List.
disable        Disables Web Captive Portal with no authentication required.
email-input    Configures Web Captive Portal using email address.
enable         Enables Web Captive Portal with no authentication required.

(WLC2) >config wlan security web-passthrough enable 18

(WLC2) >config wlan security web-passthrough email-input ?             
enable         Enables Web Captive Portal using email address.
disable        Disables Web Captive Portal using email address.

(WLC2) >config wlan security web-passthrough email-input enable  18

Now your Guest WLAN is ready from the security perspective. If you look at the WLC configuration you will see the following lines. The two lines that disable WPA2 and the 802.1X AKM were added automatically once you disabled WPA, as those settings are enabled by default when you create a WLAN.

config wlan security wpa disable 18
config wlan security wpa wpa2 disable 18 
config wlan security wpa akm 802.1x disable 18 
config wlan security web-passthrough enable 18
config wlan security web-passthrough email-input enable 18

This is the identical GUI setting for the above scenario.

WLAN-SEC-CLI-03

If you want to configure this Guest WLAN for Web Authentication instead of Web Passthrough, you can do it as follows. First you have to disable the web passthrough you enabled in the previous task. You also have to configure RADIUS authentication on the WLAN if user credentials are verified via RADIUS.

(WLC2) >config wlan security web-passthrough disable 18
(WLC2) >config wlan security web-passthrough email-input disable 18

(WLC2) >config wlan security web-auth ?              
acl            Configures Access Control List.
disable        Disables Web authentication.
enable         Enables Web authentication.
on-macfilter-failure  Enables Web authentication on MAC filter failure.
server-precedence Configures the authentication server precedence order for Web-Auth users.

(WLC2) >config wlan security web-auth enable 18

(WLC2) >config wlan radius_server auth ?               
add            Adds a link to a configured RADIUS Server.
delete         Deletes a link to a configured RADIUS Server.
disable        Disable RADIUS authentication for this WLAN
enable         Enable RADIUS authentication for this WLAN

(WLC2) >config wlan radius_server auth enable ?               
<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan radius_server auth enable 18

(WLC2) >config wlan radius_server auth add ?                   
<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan radius_server auth add 18 ?              
<Server id>    Enter the RADIUS Server Index.

(WLC2) >config wlan radius_server auth add 18 1

In the GUI you will see something like this once you have configured the above via CLI.

WLAN-SEC-CLI-04

WLAN-SEC-CLI-05

In the next post we will see how to configure WLAN advanced settings via CLI.

Related Posts

1. Configuring WLAN via CLI – Part 1
2. Configuring WLAN via CLI – Part 2
3. Configuring WLAN via CLI – Part 3
4. Configuring WLAN via CLI – Part 5


WLAN Config via CLI – Part 5


In this post we will look at WLAN advanced tab configurations via CLI. Here is the full list of features. I know this will be the longest post in my blog :shock: as I have to cover all these features.

(WLC2) > config wlan ?
aaa-override   Configures user policy override via AAA on a WLAN.
chd            Enable/Disable CHD per WLAN
session-timeout Configures client timeout.
ccx            Configure Cisco Client Extension options.
diag-channel   Configures Diagnostics Channel Capability on a WLAN.
IPv6Support    Configures IPv6 support on a WLAN.
acl            Specify a per-WLAN ACL
peer-blocking  Configure peer-to-peer blocking on a WLAN.
exclusionlist  Configures Exclusion-list timeout.
channel-scan   Configures off channel scanning deferral parameters.
h-reap         Configures H-REAP options for wlan.
dhcp_server    Configures the WLAN's DHCP Server.
static-ip      Configures static IP client tunneling support on a WLAN.
mfp            Configures Management Frame Protection.
dtim           Configures the DTIM Period for a WLAN
nac            Configures NAC on wlan/guest-lan/remote-lan.
load-balance   Allow|Disallow Load Balance on a WLAN.
band-select    Allow|Disallow Band Select on a WLAN.
call-snoop     Configures Call Snooping.
sip-cac        Configure SIP CAC Failure policy.
roamed-voice-client Configure Voice Client Re-Anchor policy

We will create a new WLAN called “Test-19” with WLAN ID 19 and the following basic settings:

- 802.11a only clients
- Gold QoS profile
- WPA2/AES (to support 802.11n data rates)
- Multicast direct feature
- PSK
- UAPSD support

So the basic CLI commands you require are as follows.

(WLC2) >config wlan create 19 Test-19 Test-19  
(WLC2) >config wlan radio 19 802.11a-only
(WLC2) >config wlan interface 19 vlan11
(WLC2) >config wlan multicast interface 19 enable vlan11             
(WLC2) >config wlan security wpa wpa2 ciphers aes enable 19
(WLC2) >config wlan qos 19 gold 
(WLC2) >config wlan wmm require 19
(WLC2) >config wlan uapsd compliant-client enable 19
(WLC2) >config wlan security wpa akm psk set-key ascii Cisco123 19

Before going into the advanced tab configuration, take a backup of the WLC config and verify the above and any additional configuration related to your WLAN.

config wlan security wpa akm psk enable 19 
config wlan security wpa akm 802.1x disable 19 
config wlan security wpa enable 19 
config wlan wmm require 19 
config wlan exclusionlist 19 60 
config wlan broadcast-ssid enable 19 
config wlan interface 19 vlan11 
config wlan create 19 Test-19 Test-19 
config wlan qos 19 gold 
config wlan radio 19 802.11a-only 
config wlan radio 19 802.11a 
config wlan session-timeout 19 0

Advanced config page of the WLAN looks like this.

WLAN-ADV-CLI-01

Now we will look at each individual feature configuration via CLI. It is a long list, but we will cover them all.

1. AAA Override
This allows ACS to override the client attributes (VLAN, ACL, QoS, etc.).

(WLC2) >config wlan aaa-override ?             
disable        Disables policy override.
enable         Enables policy override.

(WLC2) >config wlan aaa-override enable ?             
<WLAN id>      Enter WLAN Identifier between 1 and 512.
foreignAp      Third Party Access Points.

(WLC2) >config wlan aaa-override enable 19

2. Coverage Hole Detection(CHD)
This is enabled by default, and clients can trigger power changes on the AP. Let’s disable it.

(WLC2) >config wlan chd ?              
<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan chd 19 ?               
enable         enable CHD per WLAN
disable        disable CHD per WLAN

(WLC2) >config wlan chd 19 disable 

3. Session Timeout
The session timeout is the maximum time for a client session to remain active before requiring reauthorization. This is enabled by default and set to 1800s (30 min). You can change this value or disable it. It is important to know that different security methods have different maximum values. When I tried to set 1 day for my WPA2-PSK WLAN it was rejected, so I will set it to 4 hours (14400s).

(WLC2) >config wlan session-timeout ?
<WLAN id>      Enter WLAN Identifier between 1 and 512.
foreignAp      Third Party Access Points.

(WLC2) >config wlan session-timeout 19 ?
<seconds>      The duration of session in seconds (0 = infinity is true only for open system).

(WLC2) >config wlan session-timeout 19 86400 
Invalid parameter specified.
System Type              Timeout Range

Open system              0-65535   (sec)
802.1x                   300-86400 (sec)
static wep               0-65535   (sec)
cranite                  0-65535   (sec)
fortress                 0-65535   (sec)
CKIP                     0-65535   (sec)
open+web auth            0-65535   (sec)
web pass-thru            0-65535   (sec)
wpa-psk                  0-65535   (sec) 
disable                  To disable reauth/session-timeout timers.
                         Reauth is valid for non-psk and non-static cases. Session-timeout
                         is valid for all other cases.

(WLC2) >config wlan session-timeout 19 14400 

4. Aironet IE (CCX)
The Cisco Client Extensions (CCX) software is licensed to manufacturers and vendors of third-party client devices. The CCX code resident on these clients enables them to communicate wirelessly with Cisco access points and to support Cisco features that other client devices do not, including those features that are related to increased security, enhanced performance, fast roaming, and power management.

This is enabled by default. CCX support is enabled automatically for every WLAN on the controller and cannot be disabled. However, you can configure Aironet information elements (IEs).

If Aironet IE support is enabled, the access point sends an Aironet IE 0x85 (which contains the access point name, load, number of associated clients, and so on) in the beacon and probe responses of this WLAN, and the controller sends Aironet IEs 0x85 and 0x95 (which contain the management IP address of the controller and the IP address of the access point) in the reassociation response if it receives Aironet IE 0x85 in the reassociation request.

(WLC2) >config wlan ccx ?        
AironetIeSupport Configure the support of Aironet IE.

(WLC2) >config wlan ccx aironetIeSupport ?              
enable         Enable the support of Aironet IE.
disable        Disable the support of Aironet IE.

(WLC2) >config wlan ccx aironetIeSupport enable ?               
<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan ccx aironetIeSupport enable 19 ?

(WLC2) >config wlan ccx aironetIeSupport enable 19 
CCX Aironet IE Support already in the requested state.

5. Diagnostic Channel
The diagnostic channel feature enables you to troubleshoot problems in regard to client communication with a WLAN. The client and access points can be put through a defined set of tests to identify the cause of communication difficulties that the client experiences, and then allow corrective measures to be taken to make the client operational on the network. Since this is only used for troubleshooting and we cannot change any settings of the diagnostic WLAN, we will leave it disabled.

(WLC2) >config wlan diag-channel ?              
disable        Disables Diagnostics Channel Capability on a WLAN.
enable         Enables Diagnostics Channel Capability on a WLAN.

(WLC2) >config wlan diag-channel disable ?              
<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan diag-channel disable 19

6. IPv6 Support
This is trivial: it enables IPv6 support on the WLAN.

(WLC2) >config wlan ipv6Support ?               
enable         Enable IPv6 support on a WLAN.
disable        Disable IPv6 support on a WLAN.

(WLC2) >config wlan ipv6Support enable ?              
<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan ipv6Support enable 19

7. ACL override
If you want to override the interface ACL for this specific WLAN, you can configure an ACL and apply it to the WLAN.

(WLC2) >config wlan acl ?             
<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan acl 19 ?               
<ACL Name>     Enter the ACL Name ('none' will clear the ACL)

(WLC2) >config wlan acl 19 none

8. Peer to Peer Blocking
This allows you to control direct client-to-client communication. In a voice WLAN you need to ensure P2P blocking is disabled (otherwise voice conversations between two endpoints will be impacted). For this example we will enable it on this WLAN.

(WLC2) >config wlan peer-blocking ?               
disable        Disable peer-to-peer blocking on a WLAN.
drop           Enable peer-to-peer blocking and set the action to 'Drop'.
forward-upstream Enable peer-to-peer blocking and set the action to 'Forward-Upstream'.

(WLC2) >config wlan peer-blocking drop 19

9. Client Exclusion
This excludes a client for a certain number of seconds after it violates the client exclusion policy settings. By default this is enabled and a client will be excluded for 60s if it violates the configured policy. In this example we will extend that time to 300s.

(WLC2) >config wlan exclusionlist ?
<WLAN id>      Enter WLAN Identifier between 1 and 512.
foreignAp      Third Party Access Points.

(WLC2) >config wlan exclusionlist 19 ?               
<seconds>      Exclusion-list timeout (in seconds). zero (0) requires admin override.
disabled       Disables exclusion-listing.
enabled        Enables exclusion-listing.

(WLC2) >config wlan exclusionlist 19 enabled
(WLC2) >config wlan exclusionlist 19 300

10. Maximum allowed clients
This sets the maximum number of clients that can associate to this WLAN. In this example we will set it to 1000.

(WLC2) >config wlan max-associated-clients ?              
<max no. of clients> Maximum no. of client connections to be accepted

(WLC2) >config wlan max-associated-clients 1000 ?              
<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan max-associated-clients 1000 19

11. Static IP tunneling
Normally roaming of static IP wireless clients won’t work unless you enable this feature. If you want static IP wireless users in the WLAN to roam between different controllers, you have to enable it. This feature and IPv6 support cannot co-exist, so I have disabled IPv6 support on this WLAN.

(WLC2) >config wlan static-ip ?               
tunneling      Configures static IP client tunneling support on a WLAN.

(WLC2) >config wlan static-ip tunneling ?               
enable         Enable static IP client tunneling support on a WLAN.
disable        Disable static IP client tuneling support on a WLAN.

(WLC2) >config wlan static-ip tunneling enable ?              
<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan static-ip tunneling enable 19 
Static IP tunneling cannot be configured since IPv6 is enabled for wlan.

(WLC2) >config wlan ipv6Support disable 19
(WLC2) >config wlan static-ip tunneling enable 19

12. Off Channel Scanning
In deployments with certain power-save clients, you sometimes need to defer the Radio Resource Management’s (RRM) normal off-channel scanning to avoid missing critical information from low-volume clients (for example, medical devices that use power-save mode and periodically send telemetry information). This feature improves the way that Quality of Service (QoS) interacts with the RRM scan defer feature.

You can use a client’s Wi-Fi Multimedia (WMM) UP marking to configure the access point to defer off-channel scanning for a configurable period of time if it receives a packet marked UP.

You can assign a QoS policy (bronze, silver, gold, and platinum) to a WLAN to affect how packets are marked on the downlink connection from the access point regardless of how they were received on the uplink from the client. UP=1,2 is the lowest priority, and UP=0,3 is the next higher priority. The marking results of each QoS policy are as follows:

Bronze marks all downlink traffic to UP= 1.
Silver marks all downlink traffic to UP= 0.
Gold marks all downlink traffic to UP=4.
Platinum marks all downlink traffic to UP=6.

By default this feature is enabled for packets with UP 4, 5 and 6 and will defer the RRM off-channel scan for 100ms. We will enable it for UP 3 as well and increase the defer time to 200ms for all of those.

(WLC2) >config wlan channel-scan ?              
defer-priority Configures priority markings for packets that can defer off channel scan. 
defer-time     Configures minimum allowable elapsed time since a defer-priority pkt is seen.                

(WLC2) >config wlan channel-scan defer-priority ?              
<priority>     User priority value, 0-7 

(WLC2) >config wlan channel-scan defer-priority 3 ?               
disable        Disable packet at given priority to defer off channel scanning. 
enable         Enable packet at given priority to defer off channel scanning. 

(WLC2) >config wlan channel-scan defer-priority 3 enable ?               
<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan channel-scan defer-priority 3 enable 19

(WLC2) >config wlan channel-scan defer-time ?               
<msecs>        Deferral time in msecs <0-60000> 

(WLC2) >config wlan channel-scan defer-time 200 ?               
<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan channel-scan defer-time 200 19

13. H-REAP
This is to enable the H-REAP local switching and local authentication features on this WLAN; we will enable both here. There are certain limitations, for example you cannot configure this when static IP tunneling is enabled. You should be familiar with these from the H-REAP configuration.

(WLC2) >config wlan h-reap ?               
ap-auth        Configures ap authentication (WLAN must be locally switched).              
learn-ipaddr   Configures IP address learning (WLAN must be locally switched).               
local-switching Configures local switching of client data associated to H-REAP.

(WLC2) >config wlan h-reap ap-auth ?              
<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan h-reap ap-auth 19 ?               
enable         Enables ap authentication.               
disable        Disables ap authentication.

(WLC2) >config wlan h-reap local-switching 19 enable
(WLC2) >config wlan h-reap ap-auth 19 enable

14. DHCP
You can override the DHCP server configured on the interface with this setting. Also, for certain types of WLAN (like guest) you can make DHCP IP assignment mandatory. Since I configured static IP tunneling support earlier, I will leave this as it is. Also worth noting is that this is only applicable to the default AP group, so if your WLAN ID is greater than 16 you cannot override the interface DHCP server configuration.

(WLC2) >config wlan dhcp_server ?               
<WLAN id>      Enter the WLAN ID.
foreignAp      Third Party Access Points.

(WLC2) >config wlan dhcp_server 19 ?              
<IP addr>      Enter the override DHCP server's IP Address (0.0.0.0 = default interface value).

(WLC2) >config wlan dhcp_server 19 192.168.200.1 ?               
required       Optionally specify whether DHCP address assignment is required.

(WLC2) >config wlan dhcp_server 19 192.168.200.1 required 
Cannot mandate dhcp required when Static IP tunneling is enabled.
DHCP server override is applicable only to the default AP group.

15. Management Frame Protection(MFP)
This provides protection for management frames between client and AP. You need to remember this is Cisco’s implementation of MFP and not the IEEE standard version (802.11w), so if your client supports proper IEEE 802.11w it may not work with Cisco MFP. So it is better to disable this as a best practice in today’s world. By default it is set to optional.

(WLC2) >config wlan mfp ?               
client         Configures Client MFP.

(WLC2) >config wlan mfp client ?              
disable        Disables MFP protection on a WLAN.
enable         Enables MFP protection on a WLAN.

(WLC2) >config wlan mfp client enable ?               
<WLAN id>      Enter a WLAN Identifier between 1 and 512.

(WLC2) >config wlan mfp client enable 19 ?               
required       Clients must negotiate MFP

(WLC2) >config wlan mfp client enable 19 required
(WLC2) >config wlan mfp client disable 19

16. DTIM
In 802.11a/n and 802.11b/g/n networks, lightweight access points broadcast a beacon at regular intervals, which coincides with the Delivery Traffic Indication Map (DTIM). After the access point broadcasts the beacon, it transmits any buffered broadcast and multicast frames based on the value set for the DTIM period. This feature allows power-saving clients to wake up at the appropriate time if they are expecting broadcast or multicast data.

Typically, the DTIM value is set to 1 (to transmit broadcast and multicast frames after every beacon) or 2 (to transmit after every other beacon). For instance, if the beacon period of the 802.11a/n or 802.11b/g/n network is 100 ms and the DTIM value is set to 1, the access point transmits buffered broadcast and multicast frames 10 times per second. If the beacon period is 100 ms and the DTIM value is set to 2, the access point transmits buffered broadcast and multicast frames 5 times per second. Either of these settings are suitable for applications, including Voice Over IP (VoIP), that expect frequent broadcast and multicast frames.

However, the DTIM value can be set as high as 255 (to transmit broadcast and multicast frames after every 255th beacon) if all 802.11a/n or 802.11b/g/n clients have power save enabled. Because the clients have to listen only when the DTIM period is reached, they can be set to listen for broadcasts and multicasts less frequently which results in a longer battery life. For example, if the beacon period is 100 ms and you set the DTIM value to 100, the access point transmits buffered broadcast and multicast frames once every 10 seconds. This rate allows the power-saving clients to sleep longer before they have to wake up and listen for broadcasts and multicasts, which results in a longer battery life.

A beacon period, which is specified in milliseconds on the controller, is converted internally by the software to 802.11 Time Units (TUs), where 1 TU = 1.024 milliseconds. On Cisco’s 802.11n access points, this value is rounded to the nearest multiple of 17 TUs. For example, a configured beacon period of 100 ms results in an actual beacon period of 104 ms.

(WLC2) >config wlan dtim ?               
802.11a        Configure the DTIM Period for 802.11a radio for a WLAN
802.11b        Configure the DTIM Period for 802.11b/g radio for a WLAN

(WLC2) >config wlan dtim 802.11a ?               
<value>        Enter the DTIM period, valid values 1 to 255

(WLC2) >config wlan dtim 802.11a 200 ?               
<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan dtim 802.11a 200 19
(WLC2) >config wlan dtim 802.11b 150 19

17. NAC
Not sure about this at the time of this writing.

(WLC2) >config wlan nac ?              
snmp           Configures SNMP NAC support(Legacy OOB).
radius         Configures Radius NAC support(Identity Service Engine).

(WLC2) >config wlan nac radius ?               
enable         Enable Radius NAC for this WLAN
disable        Disable Radius NAC for this WLAN

(WLC2) >config wlan nac radius enable ?               
<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan nac radius enable 19 
Request failed - Radius NAC is available only for WLANs that are configured for 802.1X/WPA/WPA2 Layer 2 security.

18. Client Load Balance
This allows client associations to be load balanced between APs. As the warning message displayed when you configure it indicates, this is not good for voice services, so you should disable it on voice WLANs.

(WLC2) >config wlan load-balance ?               
allow          Allow|Disallow Load Balance on a WLAN.

(WLC2) >config wlan load-balance allow ?               
enable         Allow Load Balance on a WLAN.
disable        Disallow Load Balance on a WLAN.

(WLC2) >config wlan load-balance allow enable ?               
<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan load-balance allow enable 19 
 WARNING: Allowing load balance on this WLAN may impact time sensitive application like VOICE. Continue? (y/N)y

19. Band Select
Band selection enables client radios that are capable of dual-band (2.4- and 5-GHz) operation to move to a less congested 5-GHz access point. The 2.4-GHz band is often congested. Clients on this band typically experience interference from Bluetooth devices, microwave ovens, and cordless phones as well as co-channel interference from other access points because of the 802.11b/g limit of three nonoverlapping channels. To prevent these sources of interference and improve overall network performance, you can configure band selection on the controller.

Band selection works by regulating probe responses to clients. It makes 5-GHz channels more attractive to clients by delaying probe responses to clients on 2.4-GHz channels.

On a side note, this only takes effect if the radio policy of the WLAN is set to "All"; otherwise it has no effect even though it is configured. In that case the GUI shows it as "unticked" even though the CLI config shows it is enabled. Band select can also introduce additional delay for voice clients, so it is recommended to turn it off on WLANs that service voice.

(WLC2) >config wlan band-select ?               
allow          Allow|Disallow Band Select on a WLAN.

(WLC2) >config wlan band-select allow ?               
enable         Allow Band Select on a WLAN.
disable        Disallow Band Select on a WLAN.

(WLC2) >config wlan band-select allow enable ?               
<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan band-select allow enable 19 
 WARNING: Allow Band Select on this WLAN may impact time sensitive application like VOICE. Continue? (y/N)y

20. Voice- SIP
This allows you to configure SIP-specific settings for a voice WLAN. The WLAN must use the Platinum QoS profile in order to support this feature.

(WLC2) >config wlan call-snoop ?               
enable         Enables Call Snooping on the WLAN.
disable        Disables call Snooping on the WLAN.               

(WLC2) >config wlan call-snoop enable ?               
<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan call-snoop enable 19 
Request failed. Please set WLAN QoS to Platinum to enable call-snooping

(WLC2) >config wlan roamed-voice-client ?               
re-anchor      Roamed client Re-Anchor policy

(WLC2) >config wlan roamed-voice-client re-anchor ?               
disable        Disable Roamed Client Re-Anchor policy
enable         Enable Roamed Client Re-Anchor policy

(WLC2) >config wlan roamed-voice-client re-anchor enable ?               
<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan roamed-voice-client re-anchor enable 19 

(WLC2) >config wlan sip-cac ?                  
send-486busy   Configure SIP 486 Busy on CAC Failure.
disassoc-client Configure Client Dis-Assoc on SIP CAC Failure.

(WLC2) >config wlan sip-cac send-486busy ?               
disable        Disable sending SIP 486 Busy on SIP CAC Failure.
enable         Enable sending SIP 486 Busy on SIP CAC Failure.

(WLC2) >config wlan sip-cac send-486busy enable ?               
<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan sip-cac send-486busy enable 19 
Configuration is already in the requested state

(WLC2) >config wlan sip-cac disassoc-client ?               
disable        Disable Client Dis-Assoc on SIP CAC Failure.
enable         Enable Client Dis-Assoc on SIP CAC Failure.

(WLC2) >config wlan sip-cac disassoc-client enable ?              
<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan sip-cac disassoc-client enable 19 
Warning! Enabling this functionality will Dis-Associate the Client in case of SIP CAC Failure

That covers all the advanced features of a WLAN via CLI configuration. My WLAN configuration now looks like this in the GUI.

WLAN-ADV-CLI-02

In the next post we will look at a few example CLI configurations of different WLANs.

Related Posts

1. Configuring WLAN via CLI – Part 1
2. Configuring WLAN via CLI – Part 2
3. Configuring WLAN via CLI – Part 3
4. Configuring WLAN via CLI – Part 4
5. Configuring WLAN via CLI – Part 6


Understanding DHCP Option 82


In this post we will see how DHCP option 82 works. The DHCP Information option (Option 82) is commonly used in large enterprise deployments to provide additional information on “physical attachment” of the client. Option 82 is supposed to be used in distributed DHCP server/relay environment, where relays insert additional information to identify the client’s point of attachment. Here is the topology for this post.

DHCP82-00

In my example CAT4 is acting as DHCP relay & CAT2 is acting as DHCP server. First we will look at this from the wired network perspective & then see how it is configured in a wireless environment. Here is the basic configuration of CAT2 & CAT4.

CAT2
ip dhcp excluded-address 192.168.50.1 192.168.50.100
ip dhcp pool VLAN50
   network 192.168.50.0 255.255.255.0
   default-router 192.168.50.1

CAT4
interface Vlan50
 ip address 192.168.50.1 255.255.255.0
 ip helper-address 10.10.10.3
!
interface FastEthernet1/0/5
 switchport access vlan 50
 switchport mode access
 spanning-tree portfast

As you can see below, the DHCP Discover message relayed by CAT4 does not carry any DHCP option 82 information elements.

DHCP82-01

If you want the DHCP relay to add option 82 information, you have to configure it on the relay. I have given a subscriber identification of "MRN-DHCP82".

CAT4
interface Vlan50
 ip dhcp relay information option subscriber-id MRN-DHCP82
 ip dhcp relay information option-insert

Now if you run "debug ip dhcp server packet detail" on CAT2 you will see output similar to the one below.

*Mar 12 13:24:14.294: DHCPD: DHCPDISCOVER received from client 0100.1cc0.1a68.1c on interface Vlan50.
*Mar 12 13:24:14.294: DHCPD: using received relay info.
*Mar 12 13:24:14.294: DHCPD: Looking up binding using address 192.168.50.1
*Mar 12 13:24:14.294: DHCPD: setting giaddr to 192.168.50.1.
*Mar 12 13:24:14.294: DHCPD: adding relay information option.
*Mar 12 13:24:14.294: DHCPD: relay information option content (add/replace):
*Mar 12 13:24:14.294:  DHCPD: 521a020c020a0000c0a832010a000000060a4d524e2d444843503832
*Mar 12 13:24:14.294: DHCPD: BOOTREQUEST from 0100.1cc0.1a68.1c forwarded to 10.10.10.3.
*Mar 12 13:24:14.302: DHCPD: Reload workspace interface FastEthernet1/0/23 tableid 0.
*Mar 12 13:24:14.302: DHCPD: tableid for 172.16.99.10 on FastEthernet1/0/23 is 0

Here is the Wireshark output for this DHCP Discover message relayed by CAT4.

DHCP82-02

The DHCP option 82 message format is <option><length><option content>. 52 in hex is 82 in decimal, which indicates that it is option 82 information; the option content that follows is what the relay agent inserted (in this case including the subscriber identification). Now on the DHCP server you need to define a DHCP class that matches the subscriber identification in order to issue an IP to this client, so the server has to know the exact relay information it should expect. If it matches, the server issues an IP to the client; otherwise the DHCP packets are dropped by the DHCP server. So here is the CAT2 configuration.

ip dhcp class MRN-DHCP82
   relay agent information
      relay-information hex 020c020a0000c0a832010a000000060a4d524e2d444843503832
!
ip dhcp pool VLAN50
   network 192.168.50.0 255.255.255.0
   default-router 192.168.50.1 
   class MRN-DHCP82
      address range 192.168.50.200 192.168.50.210

If you run "debug ip dhcp server packet detail" on CAT2 you will see something like this.

*Mar 13 00:22:44.899 AEDT: DHCPD: Reload workspace interface FastEthernet1/0/4 tableid 0.
*Mar 13 00:22:44.899 AEDT: DHCPD: tableid for 172.16.99.6 on FastEthernet1/0/4 is 0
*Mar 13 00:22:44.899 AEDT: DHCPD: client's VPN is .
*Mar 13 00:22:44.899 AEDT: DHCPD: using received relay info.
*Mar 13 00:22:44.899 AEDT: DHCPD: DHCPDISCOVER received from client 0100.1cc0.1a68.1c through relay 192.168.51.1.
*Mar 13 00:22:44.899 AEDT: DHCPD: using received relay info.
*Mar 13 00:22:44.899 AEDT: DHCPD: Class 'MRN-DHCP82' matched by default
*Mar 13 00:22:44.899 AEDT: DHCPD: Searching for a match to 'relay-information 020c020a0000c0a833010b000000060a4d524e2d444843503832' 
*Mar 13 00:24:12.839 AEDT: DHCPD: DHCPDISCOVER received from client 0100.1cc0.1a68.1c through relay 192.168.50.1.
*Mar 13 00:24:12.839 AEDT: DHCPD: using received relay info.
*Mar 13 00:24:12.839 AEDT: DHCPD: Sending DHCPOFFER to client 0100.1cc0.1a68.1c (192.168.50.200).
*Mar 13 00:24:12.839 AEDT: DHCPD: no option 125
*Mar 13 00:24:12.839 AEDT: DHCPD: unicasting BOOTREPLY for client 001c.c01a.681c to relay 192.168.50.1.
*Mar 13 00:24:12.856 AEDT: DHCPD: Reload workspace interface FastEthernet1/0/4 tableid 0.
*Mar 13 00:24:12.856 AEDT: DHCPD: tableid for 172.16.99.6 on FastEthernet1/0/4 is 0
*Mar 13 00:24:12.856 AEDT: DHCPD: client's VPN is .
*Mar 13 00:24:12.856 AEDT: DHCPD: DHCPREQUEST received from client 0100.1cc0.1a68.1c.
*Mar 13 00:24:12.856 AEDT: DHCPD: Sending DHCPACK to client 0100.1cc0.1a68.1c (192.168.50.200)

Now we will see how this works in a wireless environment. As you know, for a wireless client the WLC acts as DHCP relay and passes the DHCP Discover & Request messages to the DHCP server. We will create a WLAN with open authentication & assign it to the vlan50 interface created on the controller. If you are familiar with WLC CLI commands you can do this with the following commands.

(WLC3) >config interface create vlan50 50
(WLC3) >config interface address dynamic-interface vlan50 192.168.50.20 255.255.255.0 192.168.50.1
(WLC3) >config interface dhcp dynamic-interface vlan50 primary 10.10.10.3
(WLC3) >config interface port vlan50 1
(WLC3) >config wlan create 15 dhcp-82 dhcp-82
(WLC3) >config wlan security wpa disable 15
(WLC3) >config wlan enable 15

Now if you try to associate to this WLAN, you will not get an IP from the DHCP server. If you check the CAT2 "debug ip dhcp packet detail" output you will see something similar to this. The server complains that DHCP option 82 information is not present in the messages coming from the DHCP relay (WLC3).

*Mar 13 01:28:25.637 AEDT: DHCPD: Reload workspace interface FastEthernet1/0/4 tableid 0.
*Mar 13 01:28:25.637 AEDT: DHCPD: tableid for 172.16.99.6 on FastEthernet1/0/4 is 0
*Mar 13 01:28:25.637 AEDT: DHCPD: client's VPN is .
*Mar 13 01:28:25.637 AEDT: DHCPD: using received relay info.
*Mar 13 01:28:25.637 AEDT: DHCPD: DHCPDISCOVER received from client 0104.f7e4.ea5b.66 through relay 192.168.50.20.
*Mar 13 01:28:25.637 AEDT: DHCPD: using received relay info.
*Mar 13 01:28:25.637 AEDT: DHCPD: input does not contain option 82

This is the default behaviour of a WLC (I am on 7.0.116.0 code) & you have to configure it to add DHCP option 82. You can verify this with the "show interface detailed vlan50" command output as well.

(WLC3) >show interface detailed vlan50
Interface Name................................... vlan50
MAC Address...................................... 00:1b:d5:cf:e6:00
IP Address....................................... 192.168.50.20
IP Netmask....................................... 255.255.255.0
IP Gateway....................................... 192.168.50.1
External NAT IP State............................ Disabled
External NAT IP Address.......................... 0.0.0.0
VLAN............................................. 50        
Quarantine-vlan.................................. 0
Physical Port.................................... 1         
Primary DHCP Server.............................. 10.10.10.3
Secondary DHCP Server............................ Unconfigured
DHCP Option 82................................... Disabled
ACL.............................................. Unconfigured
AP Manager....................................... No
Guest Interface.................................. No
L2 Multicast..................................... Enabled

You can enable it on an interface using the following CLI command.

(WLC3) >config interface dhcp dynamic-interface vlan50 ?               
primary        Primary DHCP Server.
option-82      Configures the DHCP option 82 on the interface

(WLC3) >config interface dhcp dynamic-interface vlan50 option-82 ?               
enable         Enables the DHCP option 82 on the interface               
disable        Disables the DHCP option 82 on the interface

(WLC3) >config interface dhcp dynamic-interface vlan50 option-82 enable 

Now if you check the CAT2 debug output you should see that the DHCP relay has provided option 82 information, as below.

*Mar 13 01:37:10.682 AEDT: DHCPD: using received relay info.
*Mar 13 01:37:10.682 AEDT: DHCPD: DHCPDISCOVER received from client 0104.f7e4.ea5b.66 through relay 192.168.50.20.
*Mar 13 01:37:10.682 AEDT: DHCPD: using received relay info.
*Mar 13 01:37:10.682 AEDT: DHCPD: Class 'MRN-DHCP82' matched by default
*Mar 13 01:37:10.682 AEDT: DHCPD: Searching for a match to 'relay-information 0104000000000206a0cf5b9ee820' in class MRN-DHCP82

We will define a new DHCP class & allocate a different IP address range for wireless clients.

ip dhcp class L3500
   relay agent information
      relay-information hex 0104000000000206a0cf5b9ee820
!
ip dhcp pool VLAN50
   network 192.168.50.0 255.255.255.0
   default-router 192.168.50.1 
   class MRN-DHCP82
      address range 192.168.50.200 192.168.50.210
   class L3500
      address range 192.168.50.222 192.168.50.230

Once you configure this you should see your wireless client get an IP from the range you specified. It should be within 192.168.50.222-230 in my example.

*Mar 13 01:41:44.601 AEDT: DHCPD: using received relay info.
*Mar 13 01:41:44.601 AEDT: DHCPD: DHCPDISCOVER received from client 0104.f7e4.ea5b.66 through relay 192.168.50.20.
*Mar 13 01:41:44.601 AEDT: DHCPD: using received relay info.
*Mar 13 01:41:44.601 AEDT: DHCPD: Sending DHCPOFFER to client 0104.f7e4.ea5b.66 (192.168.50.222).
*Mar 13 01:41:44.601 AEDT: DHCPD: no option 125
*Mar 13 01:41:44.601 AEDT: DHCPD: unicasting BOOTREPLY for client 04f7.e4ea.5b66 to relay 192.168.50.20.
*Mar 13 01:41:45.658 AEDT: DHCPD: Reload workspace interface FastEthernet1/0/4 tableid 0.
*Mar 13 01:41:45.658 AEDT: DHCPD: tableid for 172.16.99.6 on FastEthernet1/0/4 is 0
*Mar 13 01:41:45.658 AEDT: DHCPD: client's VPN is .
*Mar 13 01:41:45.658 AEDT: DHCPD: DHCPREQUEST received from client 0104.f7e4.ea5b.66.
*Mar 13 01:41:45.658 AEDT: DHCPD: Sending DHCPACK to client 0104.f7e4.ea5b.66 (192.168.50.222).

Here is the Wireshark packet capture of the DHCP Discover message relayed by the WLC.

DHCP82-03

If you look at the DHCP option 82 information more closely you will see the Agent Remote ID is the AP radio MAC address (a0cf5b9ee820). This is because by default the WLC uses the AP radio MAC address. You can verify this via the controller GUI (Controller -> Advanced -> DHCP) or the "show dhcp opt-82" CLI command.

DHCP82-04

(WLC3) >show dhcp opt-82 
DHCP Opt-82 RID Format: <AP radio MAC address>

(WLC3) >config dhcp opt-82 ?
remote-id      Set Format for RemoteId field in DHCP option 82

(WLC3) >config dhcp opt-82 remote-id ?
ap-mac         Set RemoteID format as <AP radio MAC address>
apmac:ssid     Set RemoteID format as <AP radio MAC address>:<SSID>
ap-ethmac      Set RemoteID format as <AP Ethernet MAC address>

As you can see, the other options are the AP Ethernet MAC address or the AP radio MAC & SSID. Let’s change this to AP Ethernet MAC & see the debug output. Before that we will check the LAP2 MAC addresses.

DHCP82-05

Once we change the option 82 Remote-ID to the AP Ethernet MAC address (708105037cef), we should see the option 82 information contain that instead of the AP radio MAC address. You can change it via GUI or CLI. Below is the CLI command.

(WLC3) >config dhcp opt-82 remote-id ap-ethmac

CAT2
*Mar 13 02:40:12.687 AEDT: DHCPD: using received relay info.
*Mar 13 02:40:12.687 AEDT: DHCPD: DHCPDISCOVER received from client 0100.22fa.9468.58 through relay 192.168.50.20.
*Mar 13 02:40:12.687 AEDT: DHCPD: using received relay info.
*Mar 13 02:40:12.687 AEDT: DHCPD: Class 'MRN-DHCP82' matched by default
*Mar 13 02:40:12.687 AEDT: DHCPD: Searching for a match to 'relay-information 0104000000000206708105037cef' in class MRN-DHCP82
*Mar 13 02:40:12.687 AEDT: DHCPD: Class 'L3500' matched by default
*Mar 13 02:40:12.687 AEDT: DHCPD: Searching for a match to 'relay-information 0104000000000206708105037cef' in class L3500

As you can see, the relay information now includes the AP Ethernet MAC address & we have to change the relay information on the DHCP server (CAT2) in order to accept these messages coming from the WLC & allocate an IP address to the client.

ip dhcp class L3500
   relay agent information
      relay-information hex 0104000000000206708105037cef
      relay-information hex 0104000000000206a0cf5b9ee820

Now you can see the client get an IP & the packet capture verifies that the option 82 Remote ID is the AP Ethernet MAC address as well.

DHCP82-06

Finally we change the option 82 Remote ID to the AP radio MAC address & SSID option. This time you can see the DHCP option 82 information is different from the previous two.

*Mar 13 03:08:30.441 AEDT: DHCPD: using received relay info.
*Mar 13 03:08:30.441 AEDT: DHCPD: DHCPDISCOVER received from client 0120.02af.12e4.f7 through relay 192.168.50.20.
*Mar 13 03:08:30.441 AEDT: DHCPD: using received relay info.
*Mar 13 03:08:30.441 AEDT: DHCPD: Class 'MRN-DHCP82' matched by default
*Mar 13 03:08:30.441 AEDT: DHCPD: Searching for a match to 'relay-information 0104000000000227a0cf5b9ee8203a646863702d383200000000000000000000000000000000000000000000000000' in class MRN-DHCP82

Once you add this information to the DHCP class relay information on CAT2 you will see the client get an IP.

ip dhcp class L3500
   relay agent information
      relay-information hex 0104000000000206708105037cef
      relay-information hex 0104000000000206a0cf5b9ee820
      relay-information hex 0104000000000227a0cf5b9ee8203a646863702d383200000000000000000000000000000000000000000000000000

Here is the wireshark capture of this time.

DHCP82-07
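To make the hex strings in the debug lines above easier to read, here is an added Python decoder. It is not part of the original post and not Cisco code. It walks the <sub-option><length><value> TLVs inside the option 82 content (Circuit-ID and Remote-ID from RFC 3046, Subscriber-ID from RFC 3993), renders the Remote-ID in the three WLC formats shown in this post (ap-mac, ap-ethmac, apmac:ssid), and checks received content against DHCP-class patterns with an exact byte comparison, which is the simplest reading of what the CAT2 debug output shows. The sample hex strings are copied from the debug output in this post; the class names mirror the CAT2 configuration, and the truncated test input is constructed for the example.

```python
"""Decode DHCP option 82 content and check it against DHCP-class patterns.

Added example for this post (not Cisco code). Sample hex strings are copied
from the debug output shown in the post; class names mirror the CAT2 config.
"""
from __future__ import annotations

# Sub-option codes: Circuit-ID and Remote-ID (RFC 3046), Subscriber-ID (RFC 3993)
SUBOPT_NAMES = {1: "Circuit-ID", 2: "Remote-ID", 6: "Subscriber-ID"}

# Copied from the post: the wired relay (CAT4) content as IOS prints it, with the
# leading 0x52 (= 82) option code and the length byte still attached ...
WIRED_WITH_HEADER = "521a020c020a0000c0a832010a000000060a4d524e2d444843503832"
# ... and the three WLC formats (ap-mac, ap-ethmac, apmac:ssid) without that header
WLC_APMAC = "0104000000000206a0cf5b9ee820"
WLC_ETHMAC = "0104000000000206708105037cef"
WLC_APMAC_SSID = ("0104000000000227a0cf5b9ee8203a646863702d3832"
                  "00000000000000000000000000000000000000000000000000")


def strip_option_header(hex_with_header: str) -> str:
    """Drop the '52 <len>' bytes and check that <len> covers the rest."""
    data = bytes.fromhex(hex_with_header)
    if len(data) < 2 or data[0] != 82 or data[1] != len(data) - 2:
        raise ValueError("not a well-formed option 82 TLV")
    return data[2:].hex()


def parse_option82(hex_content: str) -> list[tuple[int, bytes]]:
    """Walk the <sub-option><length><value> TLVs inside the option content.

    Raises ValueError on a truncated TLV instead of reading past the buffer,
    which is the check every relay-agent parser needs.
    """
    data = bytes.fromhex(hex_content)
    subopts, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated sub-option header")
        code, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"sub-option {code} truncated")
        subopts.append((code, value))
        i += 2 + length
    return subopts


def is_well_formed(hex_content: str) -> bool:
    try:
        parse_option82(hex_content)
        return True
    except ValueError:
        return False


def describe(hex_content: str) -> dict[str, str]:
    """Render each sub-option: MACs as colon-hex, text fields as ASCII."""
    out = {}
    for code, value in parse_option82(hex_content):
        name = SUBOPT_NAMES.get(code, f"sub-option-{code}")
        if code == 2 and len(value) == 6:
            # WLC ap-mac / ap-ethmac: a bare 6-byte MAC address
            out[name] = ":".join(f"{b:02x}" for b in value)
        elif code == 2 and len(value) > 7 and value[6] == ord(":"):
            # WLC apmac:ssid: 6-byte MAC, ':', SSID text, NUL padding to a fixed width
            mac = ":".join(f"{b:02x}" for b in value[:6])
            ssid = value[7:].rstrip(b"\x00").decode("ascii", "replace")
            out[name] = f"{mac}:{ssid}"
        elif code == 6:
            out[name] = value.decode("ascii", "replace")
        else:
            out[name] = value.hex()
    return out


def match_dhcp_class(hex_content: str, classes: dict[str, list[str]]) -> str | None:
    """Return the first class whose relay-information pattern equals the received
    content byte-for-byte, or None (the server then has no address range to offer)."""
    received = bytes.fromhex(hex_content)
    for name, patterns in classes.items():
        if any(bytes.fromhex(p) == received for p in patterns):
            return name
    return None


# Mirrors the CAT2 'ip dhcp class' configuration built up in the post
CAT2_CLASSES = {
    "MRN-DHCP82": [strip_option_header(WIRED_WITH_HEADER)],
    "L3500": [WLC_ETHMAC, WLC_APMAC, WLC_APMAC_SSID],
}

if __name__ == "__main__":
    for label, content in [("CAT4 relay", strip_option_header(WIRED_WITH_HEADER)),
                           ("WLC ap-mac", WLC_APMAC), ("WLC ap-ethmac", WLC_ETHMAC),
                           ("WLC apmac:ssid", WLC_APMAC_SSID)]:
        print(label, describe(content), "->", match_dhcp_class(content, CAT2_CLASSES))
```

Running the script prints the decoded sub-options of each sample and the class it lands in; the relay-information string from the earlier debug line that carried relay 192.168.51.1 decodes fine but matches no class, which is exactly the situation in which the server has nothing to offer.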

That covers DHCP option 82. You can refer to the following YouTube video from Jerome Henry for further information.

CCIE Wireless DHCP Option 82

Related Posts

1. Understanding DHCP
2. Understanding DHCP Snooping
3. Understanding DHCP Option 43



Mobility Config via CLI


In this post we will see how to configure WLC mobility via CLI. If you prefer the GUI you can refer to one of my previous posts (Configuring Mobility on WLC).

Here is the basic setup. Head Quarters (Mobility Group: HQ) has two wireless controllers, WLC1 & WLC2. WLC1 is used for guest traffic termination & will be put in a different mobility group called DMZ. There is a branch office with WLC3, which is in the mobility group named MO.

Mobility-CLI-01

Initially we will configure mobility without using multicast & then will use multicast for mobility communication. The diagram shows multiple controllers in each mobility group, but in my test lab I do not have that many controllers, so I have to go with 3 controllers. The real advantage of multicast comes when you have multiple controllers in the same mobility group.

Configuration-wise you have to configure a mobility group name & then add mobility group members (local & non-local) to the mobility list (sometimes referred to as the mobility domain). Local group members have the same group name as the WLC you are configuring. Non-local group members have a different group name from the group name of the WLC you are configuring.

You need the MAC address & IP address of each WLC for the mobility configuration, so it is better to have this ready prior to your configuration. "show sysinfo" should give you the required output. Here is the info in my example.

(WLC1) >show sysinfo 
System Name...................................... WLC1
IP Address....................................... 10.10.111.10
Burned-in MAC Address............................ 00:0B:85:43:D8:60
!
(WLC2) >show sysinfo
System Name...................................... WLC2
IP Address....................................... 10.10.112.10
Burned-in MAC Address............................ 00:0B:85:40:A1:C0
!
(WLC3) >show sysinfo 
System Name...................................... WLC3
IP Address....................................... 10.10.120.140
Burned-in MAC Address............................ 00:1B:D5:CF:E6:00

"config mobility ?" is the CLI command you need to use for the configuration. Here is how I configure the mobility group name for a WLC & add members to the mobility list.

(WLC1) >config mobility ?              
dscp           Configures the Mobility inter controller DSCP value.
group          Configures the Mobility group parameters.
multicast-mode Configures the Multicast Mode for mobility messages
statistics     Resets the mobility statistics.

(WLC1) >config mobility group ?                     
anchor         Configures the Mobility WLAN anchor list.
domain         Configures the Mobility domain name.
keepalive      Keepalive ping parameters to be configured
member         Configures the Mobility group members list.
multicast-address Configures the Multicast IP Address for a mobility group

(WLC1) >config mobility group domain DMZ

(WLC1) >config mobility group member add ?               
<MAC addr>     Member switch MAC address

(WLC1) >config mobility group member add 00:0B:85:40:A1:C0 ?              
<IP addr>      Member switch IP address

(WLC1) >config mobility group member add 00:0B:85:40:A1:C0 10.10.112.10 ?              
<group name>   Optional member switch group name (if different from default group name)

(WLC1) >config mobility group member add 00:0B:85:40:A1:C0 10.10.112.10 HQ              
(WLC1) >config mobility group member add 00:1B:D5:CF:E6:00 10.10.120.140 BR

On WLC2 & WLC3 you can work out that these are the CLI commands required.

(WLC2) >config mobility group domain HQ
(WLC2) >config mobility group member add 00:0B:85:43:D8:60 10.10.111.10 DMZ
!
(WLC3) >config mobility group domain BR
(WLC3) >config mobility group member add 00:0B:85:43:D8:60 10.10.111.10 DMZ

Now the basic mobility configuration has been done. "show mobility summary" should show you the status of your configuration.

(WLC1) >show mobility summary 
Symmetric Mobility Tunneling (current) .......... Enabled
Symmetric Mobility Tunneling (after reboot) ..... Enabled
Mobility Protocol Port........................... 16666
Default Mobility Domain.......................... DMZ
Multicast Mode .................................. Disabled
Mobility Domain ID for 802.11r................... 0x43cd
Mobility Keepalive Interval...................... 10
Mobility Keepalive Count......................... 3
Mobility Group Members Configured................ 3
Mobility Control Message DSCP Value.............. 0

Controllers configured in the Mobility Group
 MAC Address        IP Address       Group Name                        Multicast IP     Status
 00:0b:85:40:a1:c0  10.10.112.10     HQ                                0.0.0.0          Up
 00:0b:85:43:d8:60  10.10.111.10     DMZ                               0.0.0.0          Up
 00:1b:d5:cf:e6:00  10.10.120.140    BR                                0.0.0.0          Up

On WLC2 you should see an output like this.

(WLC2) >show mobility summary 
Symmetric Mobility Tunneling (current) .......... Enabled
Symmetric Mobility Tunneling (after reboot) ..... Enabled
Mobility Protocol Port........................... 16666
Default Mobility Domain.......................... HQ
Multicast Mode .................................. Disabled
Mobility Domain ID for 802.11r................... 0x6b2f
Mobility Keepalive Interval...................... 10
Mobility Keepalive Count......................... 3
Mobility Group Members Configured................ 2
Mobility Control Message DSCP Value.............. 0

Controllers configured in the Mobility Group
 MAC Address        IP Address       Group Name                        Multicast IP     Status
 00:0b:85:40:a1:c0  10.10.112.10     HQ                                0.0.0.0          Up
 00:0b:85:43:d8:60  10.10.111.10     DMZ                               0.0.0.0          Up

On WLC3 the "show mobility summary" output should look like this.

(WLC3) >show mobility summary 
Symmetric Mobility Tunneling (current) .......... Enabled
Symmetric Mobility Tunneling (after reboot) ..... Enabled
Mobility Protocol Port........................... 16666
Default Mobility Domain.......................... BR
Multicast Mode .................................. Disabled
Mobility Domain ID for 802.11r................... 0xad23
Mobility Keepalive Interval...................... 10
Mobility Keepalive Count......................... 3
Mobility Group Members Configured................ 2
Mobility Control Message DSCP Value.............. 0

Controllers configured in the Mobility Group
 MAC Address        IP Address       Group Name                        Multicast IP     Status
 00:0b:85:43:d8:60  10.10.111.10     DMZ                               0.0.0.0          Up
 00:1b:d5:cf:e6:00  10.10.120.140    BR                                0.0.0.0          Up

You can change the keepalive count, interval & DSCP value of mobility packets as follows. I leave them at the default values shown in the above output.

(WLC3) >config mobility group keepalive ?              
count          No of keep alive retries before a member status is termed DOWN              
interval       Interval between two keep alives sent to a mobility member

(WLC3) >config mobility group keepalive count ?            
<number>       Number in range of 3-20

(WLC3) >config mobility group keepalive interval ?               
<number>       Number in range of <1 - 30 seconds>, interval between two ping tries 
!
(WLC3) >config mobility dscp ?               
<dscp_value>   <0-63>

In the above method, each WLC uses unicast messages to communicate with each local group member & each configured non-local group member. Since this mobility information needs to be updated very frequently, this becomes processor intensive as each controller has to send multiple copies of the same message to the different controllers configured in its mobility list.

Multicast communication helps in this regard as a given controller sends only one copy of a mobility message to the configured multicast group address and all the controllers in the same mobility group receive that message. You can configure a multicast address for non-local group members as well. In my example WLC1 has two non-local group members & you can configure another multicast group address for this communication.

As per the diagram we will configure 239.11.11.11 for DMZ local group member communication on WLC1. We will use 239.12.12.12 for DMZ & HQ inter-group mobility communication. Similarly we will use 239.22.22.22 for WLC2 local-group mobility communication (i.e. members in the HQ mobility group) & 239.33.33.33 for WLC3 local-group mobility communication (i.e. members in mobility group MO). Also 239.13.13.13 for mobility group MO & DMZ communication. Here is how you configure this via CLI.

You can configure local group multicast communication using the "config mobility multicast-mode {enable|disable} <local-multicast-address>" CLI command.

(WLC3) >config mobility multicast-mode enable ?               
<local-multicast-address> Configures the Multicast IP Address for the local group.

(WLC3) >config mobility multicast-mode enable 239.33.33.33
(WLC2) >config mobility multicast-mode enable 239.22.22.22
(WLC1) >config mobility multicast-mode enable 239.11.11.11

You can configure the multicast group for non-local member communication as follows.

(WLC1) >config mobility group multicast-address ?              
<group_name>   Specify the Mobility Group whose Multicast IP Address is to be set

(WLC1) >config mobility group multicast-address HQ ?              
<ip_address>   Configures the Multicast IP Address for a mobility group

(WLC1) >config mobility group multicast-address HQ 239.12.12.12
(WLC1) >config mobility group multicast-address BR 239.13.13.13

(WLC2) >config mobility group multicast-address DMZ 239.12.12.12

(WLC3) >config mobility group multicast-address DMZ 239.13.13.13

It is important to remember that for multicast mode to work you have to properly configure your L3 infrastructure to support multicast. Once you check "show mobility summary" you should see something like this.

(WLC1) >show mobility summary 

Symmetric Mobility Tunneling (current) .......... Enabled
Symmetric Mobility Tunneling (after reboot) ..... Enabled
Mobility Protocol Port........................... 16666
Default Mobility Domain.......................... DMZ
Multicast Mode .................................. Enabled
Mobility Domain ID for 802.11r................... 0x43cd
Mobility Keepalive Interval...................... 10
Mobility Keepalive Count......................... 3
Mobility Group Members Configured................ 3
Mobility Control Message DSCP Value.............. 0

Controllers configured in the Mobility Group
 MAC Address        IP Address       Group Name                        Multicast IP     Status
 00:0b:85:40:a1:c0  10.10.112.10     HQ                                239.12.12.12     Up
 00:0b:85:43:d8:60  10.10.111.10     DMZ                               239.11.11.11     Up
 00:1b:d5:cf:e6:00  10.10.120.140    BR                                239.13.13.13     Up

If you need to configure Auto Anchoring (for wired or wireless guest traffic) you can do this via the "config mobility group anchor add {wlan|guest-lan} {wlan-id|guest-lan-id} {anchor-wlc-ip}" CLI command.

(WLC1) >config mobility group anchor add wlan ?              
<WLAN Id>      WLAN identifier between 1 and 512.

(WLC1) >config mobility group anchor add wlan 17 ?               
<IP addr>      Member switch IP address to anchor WLAN

(WLC1) >config mobility group anchor add guest-lan ?          
<Guest LAN Id> Guest LAN identifier between 1 and 5

(WLC1) >config mobility group anchor add guest-lan 1 ?              
<IP addr>      Member switch IP address to anchor WLAN

See “WLAN config via CLI- Part6” for Wireless Guest WLAN configuration via CLI.

You can refer to the complete list of 7.0.116.0 CLI commands via the link below.
Configure Mobility Commands

Related Posts

1. Configuring Mobility on WLC
2. Auto Anchor Mobility
3. WLAN config via CLI – Part6


WLAN Config via CLI – Part 6


In this post we will look at a configuration example of a WLAN using the CLI only. To make it comprehensive I will illustrate a Guest WLAN configuration with the Auto Anchoring feature as well. Here is the basic topology.

WLAN-CLI6-01

Here are the conditions for this Guest WLAN.
- All guest users will get a 192.168.9.0/24 IP from WLC1
- Users are able to join the network with an email address as the credential
- Guest user traffic should get the lowest QoS priority
- WMM is to be disabled
- Clients with a static IP should not be allowed to join
- Guest users are only able to use 802.11a & 802.11g data rates
- Users should not trigger power changes on the AP

Before configuring this you need to identify the tasks you have to do

1. QoS profile configuration with the required 802.1p values
2. Configure the interface for vlan9 on WLC1 & map it onto the “guest-9″ WLAN.
3. Define the “guest-9″ WLAN on WLC2 & WLC3 & assign the management interface (no dynamic interfaces)
4. Configure Mobility Anchor for the “guest-9″ WLAN.

Here is the CLI configuration for each task. For the QoS profile configuration you have to disable the 802.11 radios (both 2.4GHz & 5GHz) first. It is advisable to configure all 4 QoS profiles even though this task only requires the Bronze profile.

(WLC3) >config 802.11b disable network
(WLC3) >config 802.11a disable network
Disabling the 802.11a network may strand mesh APs. Are you sure you want to continue? (y/n)y
(WLC3) >config qos protocol-type platinum dot1p 
(WLC3) >config qos dot1p-tag platinum 6
(WLC3) >config qos protocol-type gold dot1p 
(WLC3) >config qos dot1p-tag gold 5
(WLC3) >config qos protocol-type silver dot1p 
(WLC3) >config qos dot1p-tag silver 3
(WLC3) >config qos protocol-type bronze dot1p 
(WLC3) >config qos dot1p-tag bronze 1
(WLC3) >config 802.11a enable network
(WLC3) >config 802.11b enable network

You need to copy these lines onto WLC1 & WLC2 as well. Now we will configure the WLC1 dynamic interface for the guest-9 WLAN. Here is the CLI config for this

(WLC1) >config interface create vlan9 9
(WLC1) >config interface address dynamic-interface vlan9 192.168.9.10 255.255.255.0 192.168.9.1
(WLC1) >config interface dhcp dynamic-interface vlan9 primary 192.168.9.1
(WLC1) >config interface port vlan9 1

You need to ensure CAT2 is configured to provide DHCP addresses & act as the gateway for wireless guest users. Also make sure vlan9 is trunked to WLC1. Note that the trunk below uses a non-default native VLAN (999) and an explicit allowed-VLAN list, which is the right way to carry a guest VLAN alongside internal ones.

ip dhcp excluded-address 192.168.9.1 192.168.9.99
ip dhcp pool VLAN9
   network 192.168.9.0 255.255.255.0
   default-router 192.168.9.1 
interface Vlan9
 ip address 192.168.9.1 255.255.255.0
!
interface GigabitEthernet1/0/1
 description WLC1 Po1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 9-18,23,111,113
 switchport mode trunk
 switchport nonegotiate
 mls qos trust cos
 spanning-tree portfast trunk

Now you can define the “guest-9″ WLAN & map the vlan9 interface onto it. Even though we are not using the GUI, you need to remember the General, Security, QoS & Advanced parameters to be modified as per the requirement; the CLI commands below follow that order. Note that since we do not want to override the interface’s DHCP server, we use 0.0.0.0 as the DHCP server address & only set “DHCP address assignment required”. With that flag the WLC learns the client IP from the DHCP exchange and will not forward traffic for a client that configured its address statically, which is what keeps static-IP clients off the guest WLAN.

(WLC1) >config wlan create 9 guest-9 guest-9
(WLC1) >config wlan radio 9 802.11ag
(WLC1) >config wlan interface 9 vlan9 
(WLC1) >config wlan security wpa disable 9
(WLC1) >config wlan security web-passthrough enable 9
(WLC1) >config wlan security web-passthrough email-input enable 9
(WLC1) >config wlan qos 9 bronze
(WLC1) >config wlan wmm disable 9
(WLC1) >config wlan chd 9 disable
(WLC1) >config wlan dhcp_server 9 0.0.0.0 required
(WLC1) >config wlan enable 9

Now you can copy this configuration to WLC2 & WLC3 without the line “config wlan interface 9 vlan9″. By default a newly created WLAN maps to the management interface. Here is the config on WLC3 for example. Do the same on WLC2 as well.

(WLC3) >config wlan create 9 guest-9 guest-9
(WLC3) >config wlan radio 9 802.11ag
(WLC3) >config wlan security wpa disable 9
(WLC3) >config wlan security web-passthrough enable 9
(WLC3) >config wlan security web-passthrough email-input enable 9
(WLC3) >config wlan qos 9 bronze
(WLC3) >config wlan wmm disable 9
(WLC3) >config wlan chd 9 disable
(WLC3) >config wlan dhcp_server 9 0.0.0.0 required
DHCP server override is applicable only to the default AP group.
(WLC3) >config wlan enable 9

The final step of the configuration is creating the Auto Anchor Mobility tunnels. First you have to configure the mobility group name on each controller & then add members to the mobility list. In this example I have used DMZ, HQ & BR as the mobility group names of WLC1, WLC2 & WLC3. Multicast group addresses 239.11.11.11, 239.22.22.22 & 239.33.33.33 are used for local-group mobility communication on WLC1, WLC2 & WLC3, with 239.12.12.12 for WLC1-WLC2 & 239.13.13.13 for WLC1-WLC3 mobility communication. Note that WLC2 & WLC3 each list only WLC1: a controller exchanges mobility messages only with peers in its own list, so the anchor needs every foreign controller in its list and each foreign needs the anchor, but the two foreign controllers do not need each other.

WLC1
config mobility group domain DMZ
config mobility multicast-mode enable 239.11.11.11
config mobility group multicast-address DMZ 239.11.11.11 
config mobility group multicast-address HQ 239.12.12.12 
config mobility group multicast-address BR 239.13.13.13  
config mobility group member add 00:0b:85:40:a1:c0 10.10.112.10 HQ 
config mobility group member add 00:1b:d5:cf:e6:00 10.10.120.140 BR 

WLC2
config mobility group domain HQ
config mobility multicast-mode enable 239.22.22.22 
config mobility group multicast-address HQ 239.22.22.22 
config mobility group multicast-address DMZ 239.12.12.12 
config mobility group member add 00:0b:85:43:d8:60 10.10.111.10 DMZ

WLC3 
config mobility group domain BR 
config mobility multicast-mode enable 239.33.33.33 
config mobility group multicast-address BR 239.33.33.33 
config mobility group multicast-address DMZ 239.13.13.13
config mobility group member add 00:0b:85:43:d8:60 10.10.111.10 DMZ 

Once you configure mobility as above you should see the mobility status Up between each controller. Here is the output of WLC1.

(WLC1) >show mobility summary 
Symmetric Mobility Tunneling (current) .......... Enabled
Symmetric Mobility Tunneling (after reboot) ..... Enabled
Mobility Protocol Port........................... 16666
Default Mobility Domain.......................... DMZ
Multicast Mode .................................. Enabled
Mobility Domain ID for 802.11r................... 0x43cd
Mobility Keepalive Interval...................... 10
Mobility Keepalive Count......................... 3
Mobility Group Members Configured................ 3
Mobility Control Message DSCP Value.............. 0

Controllers configured in the Mobility Group
 MAC Address        IP Address       Group Name                        Multicast IP     Status
 00:0b:85:40:a1:c0  10.10.112.10     HQ                                239.12.12.12     Up
 00:0b:85:43:d8:60  10.10.111.10     DMZ                               239.11.11.11     Up
 00:1b:d5:cf:e6:00  10.10.120.140    BR                                239.13.13.13     Up

Now you can configure “Auto Anchor mobility” for the guest-9 WLAN as follows. You have to disable the WLAN prior to configuring the mobility anchor feature. On the anchor controller (WLC1) you anchor it to itself & on WLC2 & WLC3 it has to be anchored to WLC1’s IP.

(WLC1) >config wlan disable 9
(WLC1) >config wlan mobility anchor ?                 
add            Add/Change a Mobility anchor to a WLAN.
delete         Delete a Mobility anchor from a WLAN.

(WLC1) >config wlan mobility anchor add ?              
<WLAN Id>      WLAN identifier between 1 and 512.

(WLC1) >config wlan mobility anchor add 9 ?               
<IP addr>      Member switch IP address to anchor WLAN

(WLC1) >config wlan mobility anchor add 9 10.10.111.10
(WLC1) >config wlan enable 9

(WLC2) >config wlan disable 9
(WLC2) >config wlan mobility anchor add 9 10.10.111.10
(WLC2) >config wlan enable 9

(WLC3) >config wlan disable 9
(WLC3) >config wlan mobility anchor add 9 10.10.111.10
(WLC3) >config wlan enable 9
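As an added example (not part of the original post and not a Cisco tool), the following Python script re-reads the three mobility blocks and the anchor commands above and audits them the way you would before chasing a tunnel that shows Down. The controller names, MACs and IPs are the ones in the “show mobility summary” table; the rule that the anchor controller must anchor the WLAN to its own IP is the one applied in the commands above.

```python
"""Audit AireOS mobility lists for auto-anchoring (added example, not a Cisco tool).

Input is the post's 'config mobility ...' and 'config wlan mobility anchor add'
lines, embedded as constructed text, plus each controller's management IP and
MAC from the 'show mobility summary' table. A WLC only talks mobility to peers
in its own list and matches them on IP and MAC, so the checks flag what leaves
a tunnel Down or an export refused: one-sided member entries, a wrong peer MAC
or group name, and a WLAN anchored to an IP missing from the foreign's list.
"""
import re
from dataclasses import dataclass, field

DOMAIN_RE = re.compile(r"config mobility group domain (\S+)")
MEMBER_RE = re.compile(r"config mobility group member add (\S+) (\S+) (\S+)")
ANCHOR_RE = re.compile(r"config wlan mobility anchor add (\d+) (\S+)")

# Constructed from the post: WLC1 (DMZ, anchor), WLC2 (HQ), WLC3 (BR).
CONTROLLERS = {
    "WLC1": ("00:0b:85:43:d8:60", "10.10.111.10"),
    "WLC2": ("00:0b:85:40:a1:c0", "10.10.112.10"),
    "WLC3": ("00:1b:d5:cf:e6:00", "10.10.120.140"),
}
CLI = {
    "WLC1": """
config mobility group domain DMZ
config mobility group member add 00:0b:85:40:a1:c0 10.10.112.10 HQ
config mobility group member add 00:1b:d5:cf:e6:00 10.10.120.140 BR
config wlan mobility anchor add 9 10.10.111.10
""",
    "WLC2": """
config mobility group domain HQ
config mobility group member add 00:0b:85:43:d8:60 10.10.111.10 DMZ
config wlan mobility anchor add 9 10.10.111.10
""",
    "WLC3": """
config mobility group domain BR
config mobility group member add 00:0b:85:43:d8:60 10.10.111.10 DMZ
config wlan mobility anchor add 9 10.10.111.10
""",
}


@dataclass
class Wlc:
    name: str
    mac: str
    ip: str
    group: str = ""
    members: dict = field(default_factory=dict)  # peer IP -> (MAC, group) as configured here
    anchors: dict = field(default_factory=dict)  # WLAN id -> anchor IP

    @classmethod
    def from_cli(cls, name, mac, ip, cli_text):
        w = cls(name, mac.lower(), ip)
        for line in cli_text.splitlines():
            line = line.split(">", 1)[-1].strip()  # tolerate pasted "(WLC1) >" prompts
            if m := DOMAIN_RE.search(line):
                w.group = m.group(1)
            elif m := MEMBER_RE.search(line):
                w.members[m.group(2)] = (m.group(1).lower(), m.group(3))
            elif m := ANCHOR_RE.search(line):
                w.anchors[int(m.group(1))] = m.group(2)
        return w


def audit(wlcs):
    """Return human-readable findings; an empty list means the lists are consistent."""
    by_ip = {w.ip: w for w in wlcs}
    findings = []
    for w in wlcs:
        for peer_ip, (mac, group) in w.members.items():
            peer = by_ip.get(peer_ip)
            if peer is None:
                findings.append(f"{w.name}: member {peer_ip} is not a controller we know about")
                continue
            if mac != peer.mac:
                findings.append(f"{w.name}: member {peer.name} configured with MAC {mac}, real MAC is {peer.mac}")
            if group != peer.group:
                findings.append(f"{w.name}: member {peer.name} recorded in group {group}, its domain is {peer.group}")
            if w.ip not in peer.members:
                findings.append(f"{peer.name} does not list {w.name} back; the tunnel will stay Down")
        for wlan, anchor_ip in w.anchors.items():
            if anchor_ip == w.ip:
                continue  # the anchor controller anchors the WLAN to itself
            if anchor_ip not in w.members:
                findings.append(f"{w.name}: WLAN {wlan} anchored to {anchor_ip}, which is not in its mobility list")
                continue
            anchor = by_ip.get(anchor_ip)
            if anchor is not None and anchor.anchors.get(wlan) != anchor_ip:
                findings.append(f"{anchor.name}: WLAN {wlan} must be anchored to itself to accept exports from {w.name}")
    return findings


def build_post_topology():
    return [Wlc.from_cli(n, mac, ip, CLI[n]) for n, (mac, ip) in CONTROLLERS.items()]


if __name__ == "__main__":
    for f in audit(build_post_topology()) or ["mobility configuration is consistent"]:
        print(f)
```

Run as-is it reports the post’s configuration consistent; feed it a copy of the CLI with a mistyped MAC or a missing “member add” and it names the controller that needs fixing. Because the mobility list is what gates which peers a controller accepts mobility messages from, treat it as an allow list and remove retired controllers rather than leaving stale entries.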

You can test the wireless guest service from each controller. Let’s check the branch end first. Either disable the guest-9 wlan on WLC2 or shut down the switchport LAP2 is connected to, and ensure LAP1 is registered to WLC3.

(WLC3) >show ap summary 
Number of APs.................................... 1
Global AP User Name.............................. Not Configured
Global AP Dot1x User Name........................ Not Configured

AP Name             Slots  AP Model              Ethernet MAC       Location          Port  Country  Priority
------------------  -----  --------------------  -----------------  ----------------  ----  -------  ------
LAP1                 2     AIR-CAP3502I-N-K9     cc:ef:48:8c:fd:41          CAT4-F03  1        AU       1

Once you connect to this WLAN & open a browser page, it should prompt you to enter your email address. Web passthrough does not validate this value; it is only recorded as the client username, so it gives you a record of who claimed to connect, not authentication. Once the page is accepted you should be able to see the client detail on your anchor controller (WLC1).

(WLC1) >show client summary 
Number of Clients................................ 1
MAC Address       AP Name           Status        WLAN/GLAN      Auth Protocol         Port Wired
----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
04:f7:e4:ea:5b:66 10.10.120.140     Associated    9              Yes  Mobile           1    No

(WLC1) >show client detail 04:f7:e4:ea:5b:66
Client MAC Address............................... 04:f7:e4:ea:5b:66
Client Username ................................. mrncciew@gmail.com
AP MAC Address................................... 00:00:00:00:00:00
AP Name.......................................... N/A               
Client State..................................... Associated     
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 9  
BSSID............................................ 00:00:00:00:00:ff  
Connected For ................................... 102 secs
Channel.......................................... N/A
IP Address....................................... 192.168.9.103
Association Id................................... 0  
Authentication Algorithm......................... Open System
Reason Code...................................... 1  
Status Code...................................... 0  
Session Timeout.................................. 0  
Client CCX version............................... No CCX support
Mirroring........................................ Disabled
QoS Level........................................ Bronze
802.1P Priority Tag.............................. 1
WMM Support...................................... Disabled
Supported Rates.................................. 
Mobility State................................... Export Anchor
Mobility Foreign IP Address...................... 10.10.120.140
Mobility Move Count.............................. 1
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
ACL Name......................................... none
ACL Applied Status............................... Unavailable
NPU Fast Fast Notified........................... Yes
Policy Type...................................... N/A
Encryption Cipher................................ None
Management Frame Protection...................... No
EAP Type......................................... Unknown
Interface........................................ vlan9
VLAN............................................. 9

Once you enable LAP2 (& disable guest-9 on WLC3) you should be able to check it from the HQ end.

(WLC3) >config wlan disable 9
!
(WLC2) >show ap summary 
Number of APs.................................... 1
Global AP User Name.............................. Not Configured
Global AP Dot1x User Name........................ Not Configured
AP Name             Slots  AP Model              Ethernet MAC       Location          Port  Country  Priority
------------------  -----  --------------------  -----------------  ----------------  ----  -------  ------
LAP2                 2     AIR-CAP3502I-N-K9     70:81:05:03:7c:ef        CAT2-Fa102  LAG      AU       1
!
(WLC1) >show client summary 
Number of Clients................................ 1
MAC Address       AP Name           Status        WLAN/GLAN      Auth Protocol         Port Wired
----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
04:f7:e4:ea:5b:66 10.10.112.10      Associated    9              Yes  Mobile           1    No

(WLC1) >show client detail 04:f7:e4:ea:5b:66
Client MAC Address............................... 04:f7:e4:ea:5b:66
Client Username ................................. rasika.nayanajith@yahoo.com
AP MAC Address................................... 00:00:00:00:00:00
AP Name.......................................... N/A               
Client State..................................... Associated     
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 9  
BSSID............................................ 00:00:00:00:00:ff  
Connected For ................................... 62 secs
Channel.......................................... N/A
IP Address....................................... 192.168.9.103
Association Id................................... 0  
Authentication Algorithm......................... Open System
Reason Code...................................... 1  
Status Code...................................... 0  
Session Timeout.................................. 0  
Client CCX version............................... No CCX support
Mirroring........................................ Disabled
QoS Level........................................ Bronze
802.1P Priority Tag.............................. 1
WMM Support...................................... Disabled
Supported Rates.................................. 
Mobility State................................... Export Anchor
Mobility Foreign IP Address...................... 10.10.112.10
Mobility Move Count.............................. 1
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
ACL Name......................................... none
ACL Applied Status............................... Unavailable
NPU Fast Fast Notified........................... Yes
Policy Type...................................... N/A
Encryption Cipher................................ None
Management Frame Protection...................... No
EAP Type......................................... Unknown
Interface........................................ vlan9
VLAN............................................. 9
Quarantine VLAN.................................. 0
Access VLAN...................................... 9

If you do “debug mobility handoff enable” on WLC1 you can verify the client state changes & the mobility communication between the foreign & anchor controllers. Note the sequence below: a MobileAnnounce from the foreign (ignored, as the anchor has no record of the client yet), then a MobileAnchorExport, answered by the anchor with a MobileAnchorExportAck, after which the client walks START → DHCP_REQD → WEBAUTH_REQD → RUN on the anchor with the duplex tunnel plumbed to the foreign controller.

(WLC1) >debug mobility handoff enable 
(WLC1) >*mmListen: May 19 09:27:07.097: 00:22:fa:94:68:58 Mobility packet received from:
*mmListen: May 19 09:27:07.097: 00:22:fa:94:68:58   10.10.120.140, port 16666
*mmListen: May 19 09:27:07.097: 00:22:fa:94:68:58   type: 3(MobileAnnounce)  subtype: 0  version: 1  xid: 20  seq: 2167  len 116 flags 0
*mmListen: May 19 09:27:07.097: 00:22:fa:94:68:58   group id: d8475d5f c64367e3 4d21c8d6 ef580f61
*mmListen: May 19 09:27:07.097: 00:22:fa:94:68:58   mobile MAC: 00:22:fa:94:68:58, IP: 0.0.0.0, instance: 0
*mmListen: May 19 09:27:07.097: 00:22:fa:94:68:58   VLAN IP: 10.10.120.140, netmask: 255.255.255.192
*mmListen: May 19 09:27:07.097: Switch IP: 10.10.120.140 
*mmListen: May 19 09:27:07.098: Vlan List payload not found, ignoring ...
*mmListen: May 19 09:27:07.098: IP Address don't compare for client 00:22:fa:94:68:58 is 0
*mmListen: May 19 09:27:07.098: 00:22:fa:94:68:58 Ignoring Announce, client record for not found
*mmListen: May 19 09:27:08.097: 00:22:fa:94:68:58 Mobility packet received from:
*mmListen: May 19 09:27:08.097: 00:22:fa:94:68:58   10.10.120.140, port 16666
*mmListen: May 19 09:27:08.097: 00:22:fa:94:68:58   type: 16(MobileAnchorExport)  subtype: 0  version: 1  xid: 21  seq: 2168  len 241 flags 0
*mmListen: May 19 09:27:08.097: 00:22:fa:94:68:58   group id: d8475d5f c64367e3 4d21c8d6 ef580f61
*mmListen: May 19 09:27:08.097: 00:22:fa:94:68:58   mobile MAC: 00:22:fa:94:68:58, IP: 0.0.0.0, instance: 0
*mmListen: May 19 09:27:08.097: 00:22:fa:94:68:58   VLAN IP: 10.10.120.140, netmask: 255.255.255.192
*mmListen: May 19 09:27:08.097: Switch IP: 10.10.120.140 
*mmListen: May 19 09:27:08.097: 00:22:fa:94:68:58 Received Anchor Export request: from Switch IP: 10.10.120.140
*mmListen: May 19 09:27:08.097: 00:22:fa:94:68:58 mmAnchorExportRcv:, Mobility role is Unassoc
*mmListen: May 19 09:27:08.097: 00:22:fa:94:68:58 mmAnchorExportRcv  Ssid=guest-9 Security Policy=0x3040
*mmListen: May 19 09:27:08.097: 00:22:fa:94:68:58 mmAnchorExportRcv  vapId= 9, Ssid=guest-9 AnchorLocal=0x0
*mmListen: May 19 09:27:08.097: 00:22:fa:94:68:58 0.0.0.0 START (0) mobility role update request from Unassociated to Export Anchor
  Peer = 0.0.0.0, Old Anchor = 0.0.0.0, New Anchor = 10.10.111.10
*mmListen: May 19 09:27:08.098: 00:22:fa:94:68:58 Received Anchor Export policy update, valid mask 0x0:
  Qos Level: 3, DSCP: 0, dot1p: 1  Interface Name: , ACL Name: 
*mmListen: May 19 09:27:08.098: Anchor Mac : 00.0b.85.43.d8.60
*mmListen: May 19 09:27:08.098: 00:22:fa:94:68:58 Mobility packet sent to:
*mmListen: May 19 09:27:08.098: 00:22:fa:94:68:58   10.10.120.140, port 16666
*mmListen: May 19 09:27:08.098: 00:22:fa:94:68:58   type: 17(MobileAnchorExportAck)  subtype: 0  version: 1  xid: 21  seq: 571  len 275 flags 0
*mmListen: May 19 09:27:08.098: 00:22:fa:94:68:58   group id: fe2f34f3 9b7a7cea 68f48181 316db999
*mmListen: May 19 09:27:08.098: 00:22:fa:94:68:58   mobile MAC: 00:22:fa:94:68:58, IP: 0.0.0.0, instance: 1
*mmListen: May 19 09:27:08.098: 00:22:fa:94:68:58   VLAN IP: 192.168.9.10, netmask: 255.255.255.0
*mmListen: May 19 09:27:08.098: 00:22:fa:94:68:58 0.0.0.0 DHCP_REQD (7) Plumbing duplex mobility tunnel to 10.10.120.140
    as Export Anchor (VLAN 9)
*DHCP Proxy DTL Recv Task: May 19 09:27:16.084: 00:22:fa:94:68:58 192.168.9.100 WEBAUTH_REQD (8) Plumbing duplex mobility tunnel to 10.10.120.140
    as Export Anchor (VLAN 9)
*emWeb: May 19 09:27:39.269: 00:22:fa:94:68:58 192.168.9.100 RUN (20) Plumbing duplex mobility tunnel to 10.10.120.140
    as Export Anchor (VLAN 9)
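Added example, not from the original post: a Python parser for the debug output above (embedded as a trimmed sample) that reduces it to the mobility message exchange, the anchor chosen and the client’s policy-manager state sequence, then checks three things worth confirming on an auto-anchored web-passthrough WLAN: the export came from a controller you expect to be in the anchor’s mobility list, the client was anchored to this controller’s management IP, and it did not reach RUN without passing WEBAUTH_REQD. The member set passed to check() is the list from the configuration above; the regular expressions are written against this release’s message format.

```python
"""Summarise a 'debug mobility handoff enable' capture from the anchor WLC.

Added example, not part of the original post. SAMPLE is a trimmed excerpt of
the debug output shown above (constructed sample). parse() extracts the
mobility messages exchanged with the foreign controller, the anchor the client
was bound to and the policy manager state transitions; check() applies the
operator checks described in the lead-in.
"""
import re

SAMPLE = """\
*mmListen: May 19 09:27:07.097: 00:22:fa:94:68:58 Mobility packet received from:
*mmListen: May 19 09:27:07.097: 00:22:fa:94:68:58   10.10.120.140, port 16666
*mmListen: May 19 09:27:07.097: 00:22:fa:94:68:58   type: 3(MobileAnnounce)  subtype: 0  version: 1  xid: 20  seq: 2167  len 116 flags 0
*mmListen: May 19 09:27:07.098: 00:22:fa:94:68:58 Ignoring Announce, client record for not found
*mmListen: May 19 09:27:08.097: 00:22:fa:94:68:58 Mobility packet received from:
*mmListen: May 19 09:27:08.097: 00:22:fa:94:68:58   10.10.120.140, port 16666
*mmListen: May 19 09:27:08.097: 00:22:fa:94:68:58   type: 16(MobileAnchorExport)  subtype: 0  version: 1  xid: 21  seq: 2168  len 241 flags 0
*mmListen: May 19 09:27:08.097: 00:22:fa:94:68:58 0.0.0.0 START (0) mobility role update request from Unassociated to Export Anchor
  Peer = 0.0.0.0, Old Anchor = 0.0.0.0, New Anchor = 10.10.111.10
*mmListen: May 19 09:27:08.098: 00:22:fa:94:68:58 Mobility packet sent to:
*mmListen: May 19 09:27:08.098: 00:22:fa:94:68:58   10.10.120.140, port 16666
*mmListen: May 19 09:27:08.098: 00:22:fa:94:68:58   type: 17(MobileAnchorExportAck)  subtype: 0  version: 1  xid: 21  seq: 571  len 275 flags 0
*mmListen: May 19 09:27:08.098: 00:22:fa:94:68:58 0.0.0.0 DHCP_REQD (7) Plumbing duplex mobility tunnel to 10.10.120.140
*DHCP Proxy DTL Recv Task: May 19 09:27:16.084: 00:22:fa:94:68:58 192.168.9.100 WEBAUTH_REQD (8) Plumbing duplex mobility tunnel to 10.10.120.140
*emWeb: May 19 09:27:39.269: 00:22:fa:94:68:58 192.168.9.100 RUN (20) Plumbing duplex mobility tunnel to 10.10.120.140
"""

DIR_RE = re.compile(r"Mobility packet (received from|sent to):")
PEER_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+), port (\d+)")
TYPE_RE = re.compile(r"type: \d+\((\w+)\)")
STATE_RE = re.compile(r"\d+\.\d+\.\d+\.\d+ ([A-Z0-9_]+) \(\d+\)")   # "<client ip> STATE (n)"
ANCHOR_RE = re.compile(r"New Anchor = (\d+\.\d+\.\d+\.\d+)")
MAC_RE = re.compile(r"([0-9a-f]{2}(?::[0-9a-f]{2}){5})")


def parse(debug_text: str) -> dict:
    summary = {"client": None, "messages": [], "states": [], "new_anchor": None}
    pending = None  # [direction, peer ip] of a packet header we are still reading
    for line in debug_text.splitlines():
        if m := DIR_RE.search(line):
            pending = ["rx" if m.group(1).startswith("received") else "tx", None]
        elif pending and (m := PEER_RE.search(line)):
            pending[1] = m.group(1)
        elif pending and (m := TYPE_RE.search(line)):
            summary["messages"].append((pending[0], pending[1], m.group(1)))
            pending = None
        elif m := STATE_RE.search(line):
            if summary["client"] is None and (mm := MAC_RE.search(line)):
                summary["client"] = mm.group(1)
            if not summary["states"] or summary["states"][-1] != m.group(1):
                summary["states"].append(m.group(1))
        elif m := ANCHOR_RE.search(line):
            summary["new_anchor"] = m.group(1)
    return summary


def check(summary: dict, my_mgmt_ip: str, mobility_members: set) -> list:
    """Findings for an anchor controller; empty list means the handoff looks right."""
    findings = []
    exporters = {peer for d, peer, t in summary["messages"] if d == "rx" and t == "MobileAnchorExport"}
    for peer in sorted(exporters - mobility_members):
        findings.append(f"anchor export from {peer}, which is not in the expected mobility list")
    if summary["new_anchor"] and summary["new_anchor"] != my_mgmt_ip:
        findings.append(f"client anchored to {summary['new_anchor']} instead of this controller ({my_mgmt_ip})")
    st = summary["states"]
    if "RUN" in st and "WEBAUTH_REQD" not in st[:st.index("RUN")]:
        findings.append("client reached RUN without passing WEBAUTH_REQD; web passthrough was not enforced")
    if not any(d == "tx" and t == "MobileAnchorExportAck" for d, _, t in summary["messages"]):
        findings.append("no MobileAnchorExportAck sent; the foreign controller will not build the tunnel")
    return findings


if __name__ == "__main__":
    s = parse(SAMPLE)
    print(s["client"], s["messages"], s["states"], s["new_anchor"])
    print(check(s, "10.10.111.10", {"10.10.112.10", "10.10.120.140"}) or ["handoff looks right"])
```

On the post’s capture the parser yields the three-message exchange with 10.10.120.140, anchor 10.10.111.10 and the state list START, DHCP_REQD, WEBAUTH_REQD, RUN, and check() returns nothing. Remove the WEBAUTH_REQD line from the sample and it reports the missing web-auth step; pass a member set that lacks the branch controller and it reports the unexpected exporter.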

Finally you can configure foreign mapping for this WLAN, so that guests get a 192.168.8.x/24 address when connecting via the Branch (WLC3) & stay on 192.168.9.x/24 when connecting via Head Quarters (WLC2).

So we will create the vlan8 interface on WLC1 & add vlan 8 to the CAT2 g1/0/1 trunk where WLC1 is connected.

(WLC1) >config interface create vlan8 8
(WLC1) >config interface address dynamic-interface vlan8 192.168.8.10 255.255.255.0 192.168.8.1
(WLC1) >config interface dhcp dynamic-interface vlan8 primary 192.168.8.1
(WLC1) >config interface port vlan8 1
!
CAT2(config)#vlan 8
CAT2(config-vlan)#exit
CAT2(config)#int vlan 8
CAT2(config-if)#ip add 192.168.8.1 255.255.255.0
CAT2(config-if)#int g1/0/1
CAT2(config-if)#sw tr al vl add 8
CAT2(config)#ip dhcp excluded-address 192.168.8.1 192.168.8.100
CAT2(config)#ip dhcp pool VLAN8
CAT2(dhcp-config)#default-router 192.168.8.1
CAT2(dhcp-config)#netw 192.168.8.0 /24
CAT2(dhcp-config)# domain-name mrn.com
CAT2(dhcp-config)# dns-server 192.168.200.1

Now on WLC1 you can configure foreign mapping for the guest-9 WLAN using the foreign controller MAC address as shown below. Guest traffic arriving via WLC3 (00:1b:d5:cf:e6:00) will get a 192.168.8.0/24 IP & via WLC2 (00:0b:85:40:a1:c0) a 192.168.9.0/24 IP.

(WLC1) >config wlan disable 9
(WLC1) >config wlan mobility foreign-map add 9 00:1b:d5:cf:e6:00 vlan8
(WLC1) >config wlan mobility foreign-map add 9 00:0b:85:40:a1:c0 vlan9
(WLC1) >config wlan enable 9

Here is the verification when the guest user connects via WLC2.

(WLC1) >show client detail 04:f7:e4:ea:5b:66
Client MAC Address............................... 04:f7:e4:ea:5b:66
Client Username ................................. mrncciew@gmail.com
AP MAC Address................................... 00:00:00:00:00:00
AP Name.......................................... N/A               
Client State..................................... Associated     
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 9  
BSSID............................................ 00:00:00:00:00:ff  
Connected For ................................... 56 secs
Channel.......................................... N/A
IP Address....................................... 192.168.9.103
Association Id................................... 0  
Authentication Algorithm......................... Open System
Reason Code...................................... 1  
Status Code...................................... 0  
Session Timeout.................................. 0  
Client CCX version............................... No CCX support
Mirroring........................................ Disabled
QoS Level........................................ Bronze
802.1P Priority Tag.............................. 1
WMM Support...................................... Disabled
Supported Rates.................................. 
Mobility State................................... Export Anchor
Mobility Foreign IP Address...................... 10.10.112.10

Here is the same output when the guest user connects via WLC3. You can see the client gets a 192.168.8.x/24 IP this time.

(WLC1) >show client detail 04:f7:e4:ea:5b:66
Client MAC Address............................... 04:f7:e4:ea:5b:66
Client Username ................................. mrncciew@gmail.com
AP MAC Address................................... 00:00:00:00:00:00
AP Name.......................................... N/A               
Client State..................................... Associated     
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 9  
BSSID............................................ 00:00:00:00:00:ff  
Connected For ................................... 40 secs
Channel.......................................... N/A
IP Address....................................... 192.168.8.101
Association Id................................... 0  
Authentication Algorithm......................... Open System
Reason Code...................................... 1  
Status Code...................................... 0  
Session Timeout.................................. 0  
Client CCX version............................... No CCX support
Mirroring........................................ Disabled
QoS Level........................................ Bronze
802.1P Priority Tag.............................. 1
WMM Support...................................... Disabled
Supported Rates.................................. 
Mobility State................................... Export Anchor
Mobility Foreign IP Address...................... 10.10.120.140
Mobility Move Count.............................. 1
Security Policy Completed........................ Yes
Policy Manager State............................. RUN

That’s all for the wireless guest WLAN configuration tasks via CLI. If you understand & remember the steps then you are pretty safe even if your WLC GUI is very slow during the exam.

We will see a wired guest wlan configuration via CLI in a future post.

Related Posts

1. Configuring WLAN via CLI – Part 1
2. Configuring WLAN via CLI – Part 2
3. Configuring WLAN via CLI – Part 3
4. Configuring WLAN via CLI – Part 4
5. Configuring WLAN via CLI – Part 5
6. Mobility Config via CLI

 


AAA Override in ACS5.2


In this post we will see how to use the “AAA override” feature of a WLAN, combined with RADIUS server configuration, to override settings assigned by the WLAN. You can change the VLAN, QoS profile with 802.1p, ACL, etc. using this. Because the controller then applies whatever the RADIUS server returns, the authorization rules on the server should be scoped to the users and SSIDs they are meant for, which is what the Called-Station-Id condition later in this post does.

AAA-Over-01

We will create a WLAN called “data-7″ on WLC2 with WPA2/AES & 802.1X authentication & map it onto the management interface. Once a user is authenticated via ACS, AAA override should move this user to vlan7 (192.168.7.x/24) and the QoS profile to Gold with an 802.1p value of 5.

I have used the CLI to define the WLAN & if you prefer the GUI you can follow that method as well. First you need to create the interface on WLC2 & trunk vlan7 across the switch port connected to WLC2.

(WLC2) >config interface create vlan7 7
(WLC2) >config interface address dynamic-interface vlan7 192.168.7.15 255.255.255.0 192.168.7.1
(WLC2) >config interface dhcp dynamic-interface vlan7 primary 192.168.7.1
!
CAT3
interface Port-channel1
 switchport trunk native vlan 999
 switchport trunk allowed vlan 7-18,112
 switchport mode trunk
 switchport nonegotiate
!
CAT2
interface Vlan7
 ip address 192.168.7.1 255.255.255.0
ip dhcp excluded-address 192.168.7.1 192.168.7.100
ip dhcp pool VLAN7
   network 192.168.7.0 255.255.255.0
   default-router 192.168.7.1 
   domain-name mrn.com
   dns-server 192.168.200.1

Then you can define the WLAN on WLC2 with the AAA override feature enabled. Keep in mind that by default the layer 2 security of a new WLAN is WPA2/AES with 802.1X key management, hence you do not need to configure any additional security settings. The RADIUS server is selected under the WLAN Security -> AAA Servers section; the index 1 below refers to the server already defined globally on the controller.

(WLC2) >config wlan create 7 data-7 data-7
(WLC2) >config wlan aaa-override enable 7
(WLC2) >config wlan radius_server auth add 7 1
(WLC2) >config wlan enable 7

Now we can configure ACS for AAA override. I will not show how to configure the WLC for RADIUS & assume ACS is already configured as an AAA client for the WLC. If you are not sure see one of my previous posts, “Configuring WLC for RADIUS“.

Once you do that you will see WLC2 in ACS as below.
AAA-Over-03

I have configured user called “user1″ with password “user1″ on ACS.
AAA-Over-02

Then under “Policy Elements -> Authorization and Permissions -> Network Access” you have to configure an “Authorization Profile” specifying the VLAN you want assigned to the user. You can use the VLAN setting on the Common Tasks tab to configure this without going through the RADIUS attributes one by one.

AAA-Over-04

Once you configure it you can verify the RADIUS attributes selected for the VLAN assignment (Tunnel-Type = VLAN, Tunnel-Medium-Type = 802, Tunnel-Private-Group-ID = 7). You should see output similar to below.

AAA-Over-05

Then under “Access Policies” you should have the correct identity policy & authorization policy for this.

AAA-Over-06

Here is my basic Authorization Policy, which results in the “guest-8″ authorization profile we created earlier.

AAA-Over-07

Now it is ready to test client connectivity. Once the client associates & authenticates you should see the client’s IP is 192.168.7.x even though the WLAN is mapped to the management interface (10.10.112.x).

(WLC2) >show client summary  
Number of Clients................................ 1
MAC Address       AP Name           Status        WLAN/GLAN      Auth Protocol         Port Wired
----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
04:f7:e4:ea:5b:66 LAP2              Associated    7              Yes  802.11n(5 GHz)   29   No

(WLC2) >show client detail 04:f7:e4:ea:5b:66
Client MAC Address............................... 04:f7:e4:ea:5b:66
Client Username ................................. user1
AP MAC Address................................... a0:cf:5b:9e:e8:20
AP Name.......................................... LAP2              
Client State..................................... Associated     
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 7  
BSSID............................................ a0:cf:5b:9e:e8:29  
Connected For ................................... 27 secs
Channel.......................................... 149
IP Address....................................... 192.168.7.101
Association Id................................... 1  
Authentication Algorithm......................... Open System
Reason Code...................................... 1  
Status Code...................................... 0  
Client CCX version............................... No CCX support
Re-Authentication Timeout........................ 1789
Mirroring........................................ Disabled
QoS Level........................................ Silver
802.1P Priority Tag.............................. 3
WMM Support...................................... Enabled
Power Save....................................... OFF
Supported Rates.................................. 24.0,36.0,48.0,54.0
Mobility State................................... Local
Mobility Move Count.............................. 0
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
ACL Name......................................... none
ACL Applied Status............................... Unavailable
NPU Fast Fast Notified........................... Yes
Policy Type...................................... WPA2
Authentication Key Management.................... 802.1x
Encryption Cipher................................ CCMP (AES)
Management Frame Protection...................... No
EAP Type......................................... PEAP
Interface........................................ vlan7
VLAN............................................. 7
Quarantine VLAN.................................. 0
Access VLAN...................................... 7

In ACS, under “Monitoring & Reports -> Monitoring & Report Viewer -> AAA Protocol -> RADIUS Authentication” you can verify the successful authentication as shown below.

AAA-Over-08

If you click the magnifying glass icon you can see the complete details of the attributes used. These attributes (for example Called-Station-Id, which carries the AP MAC followed by the SSID) can be used to build custom policy conditions on your ACS.

AAA-Over-09

Now we will see how to override the QoS profile using AAA override. For this you create another Authorization Profile under “Policy Elements”. This time go to RADIUS Attributes, select the “RADIUS-Cisco Airespace” dictionary type & add the QoS level & 802.1p tag attributes.

AAA-Over-10

Once you configure these attributes it should look like this.

AAA-Over-11

Now you can choose this profile (AAA-QoS-Gold) in addition to AAA-VL7 as shown below. Based on the attributes seen in the detail page I have added a compound condition that requires “data-7″ in the Called-Station-Id, so that this AAA override behaviour applies only to the “data-7″ SSID. Without such a condition the same user would receive the VLAN & QoS override on any WLAN of this controller that authenticates against ACS.

AAA-Over-12

This time when you authenticate you should see the QoS profile is Gold & the 802.1p value is 5, even though the WLAN is configured for the Silver profile with an 802.1p value of 3.

(WLC2) >show client detail 04:f7:e4:ea:5b:66
Client MAC Address............................... 04:f7:e4:ea:5b:66
Client Username ................................. user1
AP MAC Address................................... a0:cf:5b:9e:e8:20
AP Name.......................................... LAP2              
Client State..................................... Associated     
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 7  
BSSID............................................ a0:cf:5b:9e:e8:29  
Connected For ................................... 7 secs
Channel.......................................... 149
IP Address....................................... 192.168.7.101
Association Id................................... 1  
Authentication Algorithm......................... Open System
Reason Code...................................... 1  
Status Code...................................... 0  
Client CCX version............................... No CCX support
Re-Authentication Timeout........................ 1771
Mirroring........................................ Disabled
QoS Level........................................ Gold
802.1P Priority Tag.............................. 5
WMM Support...................................... Enabled
Power Save....................................... ON
Current Rate..................................... m7
Supported Rates.................................. 24.0,36.0,48.0,54.0
Mobility State................................... Local
Mobility Move Count.............................. 0
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
ACL Name......................................... none
ACL Applied Status............................... Unavailable
NPU Fast Fast Notified........................... Yes
Policy Type...................................... WPA2
Authentication Key Management.................... 802.1x
Encryption Cipher................................ CCMP (AES)
Management Frame Protection...................... No
EAP Type......................................... PEAP
Interface........................................ vlan7
VLAN............................................. 7
Quarantine VLAN.................................. 0
Access VLAN...................................... 7

This is how you can use the “AAA Override” feature to dynamically assign the VLAN & QoS profile according to your custom requirements.


Wired Guest Config via CLI


In this post we will see how to do a wired guest configuration via CLI. Here is the topology for this post.

WiredGuest-CLI-01

These are the steps you need to do:

1. Configure a wired guest vlan on 3750-d (vlan 49) & trunk it to 4402-d (foreign controller).
2. Configure a guest WLAN on 4402-d with the egress interface as Mgmt & the ingress interface as the guest vlan (vlan 49). This WLAN should use Web Auth or Web Passthrough like a normal wireless guest WLAN.
3. Configure the basic Mobility configuration on the Anchor & foreign controllers (i.e. Mobility group name & add members to the required group).
4. Configure Auto Anchor for the guest-lan on the foreign controller.
5. Configure the dynamic interface (vlan19) on the Anchor controller for wired guests. Ensure the DHCP config is done on the L3 switch.
6. Configure the guest-lan on the Anchor controller. The ingress interface should be “none” & the egress interface should be vlan 19.
7. Configure Auto Anchor for the guest-lan on the Anchor controller.
8. Test the wired guest connectivity.

First on 3750-d we will configure just layer2 vlan49 & trunk it to PortChannel 40 used for 4402-d.

3750-d(config)#vlan 49
3750-d(config-vlan)#exit
3750-d(config)
!
3750-d(config)#int po40
3750-d(config-if)#sw tr al vl ad 49

Now on 4402-d we will define the interface & the guest WLAN. The configuration options for a guest-lan are set in a similar way to a normal WLAN; in this case you have to use the “config guest-lan x” CLI commands instead of “config wlan x”. On a guest-lan you can only configure webauth or web-passthrough. In this example I will use the web-passthrough option.

(4402-d) >config interface create vlan49 49
(4402-d) >config interface guest-lan ?               
<interface-name> Enter interface name.

(4402-d) >config interface guest-lan vlan49 ?               
enable         Enable Guest LAN vlan
disable        Disable Guest LAN vlan
(4402-d) >config interface guest-lan vlan49 enable

(4402-d) >config guest-lan ?                     
aaa-override   Configures user policy override via AAA on a Guest LAN.
acl            Specify a per-Guest-LAN ACL
create         Creates a WLAN.
custom-web     Configures the Web Authentication Page per Profile.
delete         Deletes a Guest LAN.
dhcp_server    Configures the Guest Lan's DHCP Server.
disable        Disables a Guest LAN.
enable         Enables a Guest LAN.
exclusion-timeout Configures Exclusion-list timeout.
exclusionlist  Configures Exclusion-list timeout.
ingress-interface Configures the Guest LAN's ingress interface.
interface      Configures the Guest LAN's interface.
ldap           Configures the Guest LAN's LDAP servers.
max-associated-clients Configures maximum no. of client connections on wlan/guest-lan/remote-lan. 
mobility       Configures the Inter-Switch Mobility Manager
nac            Configures NAC on wlan/guest-lan/remote-lan.
qos            Configures Quality of Service policy.
radius_server  Configures the Guest LAN's RADIUS Servers.
roamed-voice-client Configure Voice Client Re-Anchor policy
security       Configures the security policy for a Guest LAN.
session-timeout Configures client timeout.
sip-cac        Configure SIP CAC Failure policy.
uapsd          Configures UAPSD.
webauth-exclude Enable/Disable WebAuth DHCP Server Exclusion
!
(4402-d) >config guest-lan create ?              
<guest-lan-id> Enter Guest LAN Identifier between 1 and 5.

(4402-d) >config guest-lan create 1 ?              
<name>         Enter Profile Name up to 32 alphanumeric characters.

(4402-d) >config guest-lan create 1 wired-guest 

(4402-d) >config guest-lan ingress-interface ?               
<guest-lan-id> Enter Guest LAN Identifier between 1 and 5.

(4402-d) >config guest-lan ingress-interface 1 ?              
<interface-name/none> Enter the interface name upper case not supported.

(4402-d) >config guest-lan ingress-interface 1 vlan49

(4402-d) >config guest-lan security ?               
web-auth       Configures Web authentication.
web-passthrough Configures Web Captive Portal with no authentication required.

(4402-d) >config guest-lan security web-auth disable 1
WebAuth Successfully Disabled.

(4402-d) >config guest-lan security web-passthrough ?               
acl            Configures Access Control List.
disable        Disables Web Captive Portal with no authentication required.
email-input    Configures Web Captive Portal using email address.
enable         Enables Web Captive Portal with no authentication required.

(4402-d) >config guest-lan security web-passthrough enable 1                 

(4402-d) >config guest-lan security web-passthrough email-input ?               
enable         Enables Web Captive Portal using email address.
disable        Disables Web Captive Portal using email address.

(4402-d) >config guest-lan security web-passthrough email-input enable ?               
<guest-lan-id> Enter Guest LAN Identifier between 1 and 5.

(4402-d) >config guest-lan security web-passthrough email-input enable 1

Here are the advanced settings you can change for the “guest-lan” type.

WiredGuest-CLI-02

If you check the WLC configuration you will see the following lines in the config. Some of these are default configuration lines that the WLC adds by itself (they were highlighted in purple in the original post).

config interface create vlan49 49
config interface guest-lan vlan49 enable 
config interface vlan vlan49 49 

config guest-lan create 1 wired-guest
config guest-lan ingress-interface 1 vlan49 
config guest-lan interface 1 management 
config guest-lan security web-auth disable 1 
config guest-lan security web-passthrough email-input enable 1 
config guest-lan security web-passthrough enable 1 
config guest-lan exclusion-timeout 1 60
config guest-lan enable 1

Now we have to configure the Mobility config on those two controllers. We will add 4402-d into the “MO” mobility group & 4402-c into the “DMZ” mobility group. We will use the unicast method for simplicity.

(4402-d) >config mobility group domain MO
(4402-d) >config mobility group member add 00:22:55:90:c9:60 192.168.10.33 DMZ

(4402-c) >config mobility group domain DMZ
(4402-c) >config mobility group member add 00:21:55:07:38:e0 192.168.40.44 MO

You can verify the mobility status with the “show mobility summary” command. The output should be similar to this.

(4402-d) >show mobility summary 
Symmetric Mobility Tunneling (current) .......... Enabled
Symmetric Mobility Tunneling (after reboot) ..... Enabled
Mobility Protocol Port........................... 16666
Default Mobility Domain.......................... MO
Multicast Mode .................................. Disabled
Mobility Domain ID for 802.11r................... 0xe0a3
Mobility Keepalive Interval...................... 10
Mobility Keepalive Count......................... 3
Mobility Group Members Configured................ 2
Mobility Control Message DSCP Value.............. 0

Controllers configured in the Mobility Group
 MAC Address        IP Address       Group Name                        Multicast IP     Status
 00:21:55:07:38:e0  192.168.40.44    MO                                0.0.0.0          Up
 00:22:55:90:c9:60  192.168.10.33    DMZ                               0.0.0.0          Up

Then you can configure 4402-c as the Mobility Anchor for this wired-guest LAN. The guest-lan has to be disabled while the anchor is added.

(4402-d) >config guest-lan disable 1
(4402-d) >config guest-lan mobility anchor add 1 192.168.10.33 
(4402-d) >config guest-lan enable 1

Now we will configure 4402-c. First you have to create an interface where wired guests can get an IP. We will use vlan19 for this, with DHCP defined on 3750-b. Here is the switch configuration followed by the interface configuration on the WLC.

3750-b
interface Vlan19
 ip address 192.168.19.1 255.255.255.0
!
ip dhcp excluded-address 192.168.19.1 192.168.19.100
!
ip dhcp pool VLAN19
   network 192.168.19.0 255.255.255.0
   default-router 192.168.19.1 
   domain-name mrn.com
!
interface Port-channel10
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10-20,100,200
 switchport mode trunk

(4402-c) >config interface create vlan19 19
(4402-c) >config interface address dynamic-interface vlan19 192.168.19.30 255.255.255.0 192.168.19.1
(4402-c) >config interface dhcp dynamic-interface vlan19 primary 192.168.19.1

Now you can define the guest-lan with the same settings you used on 4402-d. This time the egress interface should be vlan19 & the ingress interface should be none. Remember that until you configure the Mobility anchor you cannot enable this guest-lan. You can copy & paste the previous configs done on 4402-d with the ingress interface & egress interface modified.

config guest-lan create 1 wired-guest
config guest-lan interface 1 vlan19 
config guest-lan ingress-interface 1 none
config guest-lan security web-auth disable 1 
config guest-lan security web-passthrough email-input enable 1 
config guest-lan security web-passthrough enable 1

Now before enabling this guest-lan you have to configure the mobility anchor.

(4402-c) >config guest-lan mobility anchor add 1 192.168.10.33
(4402-c) >config guest-lan enable 1

Now you are ready to test. Connect a wired PC to a vlan49 port on 3750-d & you should see that the device gets an IP from the range 192.168.19.101-192.168.19.254.

Here is the “show client summary” & “show client detail <mac-add>” command output on 4402-c, where the wired guest terminates. This is the output before the user enters an email address in the browser.

(4402-c) >show client summary 
Number of Clients................................ 1
MAC Address       AP Name           Status        WLAN/GLAN      Auth Protocol         Port Wired
----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
00:26:b9:9f:c9:0b 192.168.40.44     Associated    1              No   802.3            29   Yes

(4402-c) >show  client detail 00:26:b9:9f:c9:0b
Client MAC Address............................... 00:26:b9:9f:c9:0b
Client Username ................................. N/A
Client State..................................... Associated     
Client NAC OOB State............................. Access
guest-lan........................................ 1  
IP Address....................................... 192.168.19.101
Session Timeout.................................. 0  
QoS Level........................................ Silver
Supported Rates.................................. 
Mobility State................................... Export Anchor
Mobility Foreign IP Address...................... 192.168.40.44
Security Policy Completed........................ No
Policy Manager State............................. WEBAUTH_REQD
Policy Manager Rule Created...................... Yes
ACL Name......................................... none
ACL Applied Status............................... Unavailable
NPU Fast Fast Notified........................... Yes
Interface........................................ vlan19
VLAN............................................. 19
Quarantine VLAN.................................. 0
Access VLAN...................................... 19

This is the output once the user has entered the email address.

(4402-c) >show client summary 
Number of Clients................................ 1
MAC Address       AP Name           Status        WLAN/GLAN      Auth Protocol         Port Wired
----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
00:26:b9:9f:c9:0b 192.168.40.44     Associated    1              Yes  802.3            29   Yes

(4402-c) >show  client detail 00:26:b9:9f:c9:0b
Client MAC Address............................... 00:26:b9:9f:c9:0b
Client Username ................................. mrncciew@gmail.com
Client State..................................... Associated     
Client NAC OOB State............................. Access
guest-lan........................................ 1  
IP Address....................................... 192.168.19.101
Session Timeout.................................. 0  
QoS Level........................................ Silver
Supported Rates.................................. 
Mobility State................................... Export Anchor
Mobility Foreign IP Address...................... 192.168.40.44
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
ACL Name......................................... none
ACL Applied Status............................... Unavailable
NPU Fast Fast Notified........................... Yes
Interface........................................ vlan19
VLAN............................................. 19
Quarantine VLAN.................................. 0
Access VLAN...................................... 19

You can see the client is successfully authenticated & in the “RUN” state. Here is the 4402-d (Export Foreign controller) output.

(4402-d) >show client summary 
Number of Clients................................ 1
MAC Address       AP Name           Status        WLAN/GLAN      Auth Protocol         Port Wired
----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
00:26:b9:9f:c9:0b N/A               Associated    1              Yes  802.3            29   Yes

(4402-d) >show client detail 00:26:b9:9f:c9:0b
Client MAC Address............................... 00:26:b9:9f:c9:0b
Client Username ................................. N/A
Client State..................................... Associated     
Client NAC OOB State............................. Access
guest-lan........................................ 1  
IP Address....................................... Unknown
Session Timeout.................................. 0  
QoS Level........................................ Silver
Supported Rates.................................. 
Mobility State................................... Export Foreign
Mobility Anchor IP Address....................... 192.168.10.33
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
ACL Name......................................... none
ACL Applied Status............................... Unavailable
NPU Fast Fast Notified........................... Yes
Interface........................................ management
VLAN............................................. 40
Quarantine VLAN.................................. 0
Access VLAN...................................... 40
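The two “show client detail” outputs above are what you check by eye in the lab; on a real guest deployment it is worth automating the same check, because a guest that ends up on the management interface or never leaves WEBAUTH_REQD is the kind of thing that goes unnoticed. The following script is an added example for this post (not a Cisco tool and not from the original post): it parses the dotted “field.... value” lines of `show client detail` and compares the anchor-side and foreign-side views of one wired-guest client. The sample outputs inside it are constructed to mirror the 4402-c and 4402-d output shown above; they are not live captures.

```python
"""Parse Cisco WLC 'show client detail' output and check that a wired-guest
client is anchored and authenticated the way the post expects.

Added example for this post, not a Cisco tool. The sample outputs below are
constructed to mirror the 4402-c (anchor) and 4402-d (foreign) output above;
they are not live captures.
"""
import re

# Output lines look like "Field Name..................... value"; the run of
# dots is padding between the field name and its value.
_FIELD_RE = re.compile(r"^\s*(?P<key>[^.]+?)\s*\.{2,}\s*(?P<value>.*?)\s*$")


def parse_show_client_detail(text):
    """Return {field: value} for every 'name.... value' line in the output.
    Blank values (e.g. Supported Rates on a wired client) are kept as ''."""
    fields = {}
    for line in text.splitlines():
        m = _FIELD_RE.match(line)
        if m:
            fields[m.group("key")] = m.group("value")
    return fields


def check_wired_guest(anchor, foreign, anchor_ip, foreign_ip):
    """Compare the anchor-side and foreign-side views of one wired-guest client.

    anchor_ip / foreign_ip are the management addresses of the two controllers.
    Returns a list of problems; an empty list means the client is a fully
    authenticated wired guest terminated on the anchor's guest interface."""
    problems = []
    if anchor.get("Client MAC Address") != foreign.get("Client MAC Address"):
        problems.append("MAC address differs between the anchor and foreign views")
    if anchor.get("guest-lan") != foreign.get("guest-lan"):
        problems.append("guest-lan id differs between the anchor and foreign views")
    # Both controllers must hold the client in the expected mobility role and
    # point their mobility tunnel at each other.
    if anchor.get("Mobility State") != "Export Anchor":
        problems.append(f"anchor mobility state is {anchor.get('Mobility State')!r}, expected 'Export Anchor'")
    if foreign.get("Mobility State") != "Export Foreign":
        problems.append(f"foreign mobility state is {foreign.get('Mobility State')!r}, expected 'Export Foreign'")
    if anchor.get("Mobility Foreign IP Address") != foreign_ip:
        problems.append("anchor does not list the foreign controller as the client's foreign IP")
    if foreign.get("Mobility Anchor IP Address") != anchor_ip:
        problems.append("foreign does not list the anchor controller as the client's anchor IP")
    # Web passthrough is enforced on the anchor: a client that has not yet
    # submitted the portal form sits in WEBAUTH_REQD with the policy incomplete.
    if anchor.get("Policy Manager State") != "RUN":
        problems.append(f"anchor policy manager state is {anchor.get('Policy Manager State')!r}, client has not passed the web portal")
    if anchor.get("Security Policy Completed") != "Yes":
        problems.append("anchor reports the security policy as not completed")
    # The guest must land on the dedicated guest interface, never on management.
    if anchor.get("Interface") in (None, "", "management"):
        problems.append(f"anchor terminates the guest on interface {anchor.get('Interface')!r}")
    if anchor.get("IP Address") in (None, "", "Unknown"):
        problems.append("anchor has no IP address for the client")
    return problems


# Constructed sample: anchor (4402-c) view before the user submits the portal form.
ANCHOR_PRE_AUTH = """\
(4402-c) >show client detail 00:26:b9:9f:c9:0b
Client MAC Address............................... 00:26:b9:9f:c9:0b
Client Username ................................. N/A
guest-lan........................................ 1
IP Address....................................... 192.168.19.101
Supported Rates..................................
Mobility State................................... Export Anchor
Mobility Foreign IP Address...................... 192.168.40.44
Security Policy Completed........................ No
Policy Manager State............................. WEBAUTH_REQD
Interface........................................ vlan19
"""

# Constructed sample: the same anchor view after the e-mail address was entered.
ANCHOR_RUN = (ANCHOR_PRE_AUTH.replace("N/A", "mrncciew@gmail.com")
              .replace("Security Policy Completed........................ No",
                       "Security Policy Completed........................ Yes")
              .replace("WEBAUTH_REQD", "RUN"))

# Constructed sample: foreign (4402-d) view of the same client.
FOREIGN_RUN = """\
(4402-d) >show client detail 00:26:b9:9f:c9:0b
Client MAC Address............................... 00:26:b9:9f:c9:0b
Client Username ................................. N/A
guest-lan........................................ 1
IP Address....................................... Unknown
Mobility State................................... Export Foreign
Mobility Anchor IP Address....................... 192.168.10.33
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Interface........................................ management
"""

if __name__ == "__main__":
    foreign = parse_show_client_detail(FOREIGN_RUN)
    for label, raw in (("before portal", ANCHOR_PRE_AUTH), ("after portal", ANCHOR_RUN)):
        found = check_wired_guest(parse_show_client_detail(raw), foreign,
                                  "192.168.10.33", "192.168.40.44")
        print(label, "->", "OK" if not found else found)
```

Run it against the two anchor snapshots and the pre-portal one reports the WEBAUTH_REQD state and the incomplete security policy, while the post-portal one is clean; feeding it the outputs swapped flags the wrong mobility roles, which is the quickest way to spot a foreign/anchor mix-up after a copy-paste of the guest-lan config.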

Related Posts

1. Wired Guest Access (via GUI)
2. Mobility Config via CLI
3. Wireless Guest Config via CLI


Media Stream Config via CLI


In this post we will see the Media Stream configuration via CLI. If you want to configure this across multiple controllers it is a good idea to learn the CLI commands in order to save some time during your lab exam.

Here are the steps of configuring this feature.

1. Enable Multicast direct globally & set the General settings.
2. Define Media stream with RRC parameters.
3. Configure CAC for voice/video (Media) under each radio band.
4. Ensure the WLC is configured for Multicast & IGMP.
5. Test/Verify the configuration.

First of all you need to enable this feature globally & define the general settings and stream-specific information. Here are the two GUI screens if you are familiar with them.

VideoStream-CLI-01

Here is the CLI config for this.

(WLC3) >config media-stream ?
add            Configure New Media Stream by template or individual parameters
admit          Allow traffic for the media stream
delete         Remove Media Stream Configuration
deny           Block traffic for the media stream
multicast-direct Configure Media Stream Multicast-direct
message        Configure Session Announcement Message

(WLC3) >config media-stream multicast-direct ?               
enable         Enable Global Multicast to Unicast Conversion
disable        Disable Global Multicast to Unicast Conversion

(WLC3) >config media-stream multicast-direct enable 
WARNING: Media Stream Multicast-direct requires Load Based CAC to run,
Voice deployment employing Static CAC needs to convert to Load Based CAC.

(WLC3) >config media-stream message ?               
url            Configure Session Announcement URL
email          Configure Session Announcement e-mail
phone          Configure Session Announcement phone number
note           Configure Session Announcement notes 
state          Configure Session Announcement Message State 

(WLC3) >config media-stream message state ?               
enable         Configure Session Announcement Message State Enable 
disable        Configure Session Announcement Message State Disable

(WLC3) >config media-stream message state enable

(WLC3) >config media-stream message note ?              
denial         Configure Session Announcement notes denial

(WLC3) >config media-stream message note denial CIO-IS-SPEAKING

VideoStream-CLI-02

Here is the CLI config for this.

(WLC3) >config media-stream add ?               
multicast-direct Add Media Stream for Multicast-direct

(WLC3) >config media-stream add multicast-direct ?               
<Media Stream Name> Media Stream Name

(WLC3) >config media-stream add multicast-direct MRN-TV ?               
<Start IP Address> IP Multicast Destination Start Address

(WLC3) >config media-stream add multicast-direct MRN-TV 239.239.239.1 ?               
<End IP Address> IP Multicast Destination End Address

(WLC3) >config media-stream add multicast-direct MRN-TV 239.239.239.1 239.239.239.1 ?
detail         Configure Media Stream with Specific Parameters
template       Configure Media Stream from Templates

(WLC3) >config media-stream add multicast-direct MRN-TV 239.239.239.1 239.239.239.1 template ?               
very-coarse    Apply very-coarse template (< 300 Kbps Bandwidth)
coarse         Apply Coarse template (< 500 Kbps Bandwidth)
ordinary       Apply Ordinary template (< 750 Kbps Bandwidth)
low-resolution Apply Low-Resolution template (< 1 Mbps Bandwidth)
med-resolution Apply Medium-Resolution template (< 3 Mbps Bandwidth)
high-resolution Apply High-Resolution template (< 5 Mbps Bandwidth)

(WLC3) >config media-stream add multicast-direct MRN-TV 239.239.239.1 239.239.239.1 template high-resolution

Even though you entered the line above, if you check your WLC configuration you will see something like this. It shows that the High Resolution template means a bandwidth of 5000 Kbps, a packet size of 1200 bytes, periodic re-evaluation enabled, RRC priority 3 and drop as the traffic violation policy.

config media-stream add multicast-direct MRN-TV 239.239.239.1 239.239.239.1 detail 5000 1200 periodic video 3 drop

If the required task is not fulfilled by these default values you have to configure it with the detail method, using the specific settings you require. Let’s say the scenario is like this: “MRN TV streaming channel uses 239.239.239.1. Streaming video feeds are high quality, but still less than 5Mbps. Ensure the flow will get the highest priority and any denied flow will get a message saying “CIO-IS-SPEAKING”.”

So we will first delete the media stream we created & re-configure it with these new settings.

(WLC3) >config media-stream delete MRN-TV
IGMP snooping will be disabled and enabled again. All clients will observe a glitch on Multicast traffic.
Are you sure you want to continue? (y/n)
media-stream is deleted

(WLC3) >config media-stream add multicast-direct MRN-TV 239.239.239.1 239.239.239.1 ?                                       
detail         Configure Media Stream with Specific Parameters
template       Configure Media Stream from Templates

(WLC3) >config media-stream add multicast-direct MRN-TV 239.239.239.1 239.239.239.1 detail ?               
<Max Bandwidth> Maximum Expected Stream Bandwidth, <1-35000> Kbps

(WLC3) >config media-stream add multicast-direct MRN-TV 239.239.239.1 239.239.239.1 detail 5000 ?               
<Average Packet Size> Average Packet Size, <100-1500>

(WLC3) >config media-stream add multicast-direct MRN-TV 239.239.239.1 239.239.239.1 detail 5000 1200 ?               
periodic       Periodic admission evaluation
initial        Initial admission evaluation

(WLC3) >config media-stream add multicast-direct MRN-TV 239.239.239.1 239.239.239.1 detail 5000 1200 periodic ?               
<Qos>          Over the AIR QoS class, <'video'> ONLY

(WLC3) >config media-stream add multicast-direct MRN-TV 239.239.239.1 239.239.239.1 detail 5000 1200 periodic video ?               
<Usage Priority> Media Stream Priotity, <1:Lowest - 8:Highest>

(WLC3) >config media-stream add multicast-direct MRN-TV 239.239.239.1 239.239.239.1 detail 5000 1200 periodic video 8 ?               
drop           Stream will be dropped on periodic re-evaluation
fallback       Stream demoted to BestEffort class on periodic re-evaluation

(WLC3) >config media-stream add multicast-direct MRN-TV 239.239.239.1 239.239.239.1 detail 5000 1200 periodic video 8 fallback

Then you need to configure the required admission control (CAC) on the 802.11a/n or 802.11b/g/n band as required. In my example I will only configure 802.11b/g/n. In the GUI this is under the “Wireless > 802.11b/g/n > Media” section & the default settings are shown in the screenshot.

VideoStream-CLI-03

Here are the CLI commands to change these settings. You have to make sure the radio interface is disabled prior to this configuration & enable it once you finish the config. We will customize this to allow a maximum of 3 stream sessions per client.

(WLC3) >config 802.11b disable network
(WLC3) >config 802.11b media-stream multicast-direct enable 
(WLC3) >config 802.11b media-stream multicast-direct radio-maximum ?               
<value>        From 1 to 20 streams               
no-limit       Maximum number of allowed streams on 2.4/5 GHz band

(WLC3) >config 802.11b media-stream multicast-direct radio-maximum no-limit

(WLC3) >config 802.11b media-stream multicast-direct admission-besteffort ?               
enable         Enable/Disable media stream BestEffort queue admission               
disable        Enable/Disable media stream BestEffort queue admission

(WLC3) >config 802.11b media-stream multicast-direct admission-besteffort disable 

(WLC3) >config 802.11b media-stream multicast-direct client-maximum ?                            
<value>        From 1 to 20 streams               
no-limit       Maximum number of allowed streams on individual client

(WLC3) >config 802.11b media-stream multicast-direct client-maximum 3

(WLC3) >config 802.11b cac ?               
defaults       Set Default CAC parameters for 802.11b radio.
media-stream   Configure CAC parameters for media stream access category
multimedia     Configure CAC parameters for media access category, used for voice and video.
video          Configure CAC parameters for video access category, used for voice signalling.
voice          Configure CAC parameters for voice access category.

(WLC3) >config 802.11b cac media-stream ?               
multicast-direct Configure CAC parameters for multicast-direct streams

(WLC3) >config 802.11b cac media-stream multicast-direct ?               
max-retry-percent Configure CAC parameter maximum retry percent for multicast-direct streams
min-client-rate Configure CAC parameter minimun physical rate for multicast-direct streams

(WLC3) >config 802.11b cac media-stream multicast-direct min-client-rate ?               
<dot11-rate>   Kbps: 1000, 2000, 5500, 6000, 9000, 11000, 12000, 18000, 24000, 36000, 48000, 54000 or 11n rates

(WLC3) >config 802.11b cac media-stream multicast-direct max-retry-percent ?               
<retry-percentage> 0 to 100 maximum retry percent for multicast-direct streams

(WLC3) >config 802.11b cac media-stream multicast-direct max-retry-percent 80

(WLC3) >config 802.11b cac multimedia ?               
max-bandwidth  Configure the max bandwidth allocated to WMM clients for media in % (5-85).

(WLC3) >config 802.11b cac multimedia max-bandwidth ?               
<bandwidth>    Configure the max bandwidth allocated to WMM clients for media in % (5-85).

(WLC3) >config 802.11b cac multimedia max-bandwidth 80

When you check the WLC configuration you will not see the config lines that only restate default settings (those lines were highlighted in purple in the original post).

config 802.11b media-stream multicast-direct client-maximum 3
config 802.11b media-stream multicast-direct radio-maximum no-limit
config 802.11b media-stream multicast-direct enable
config 802.11b media-stream multicast-direct admission-besteffort disable
config 802.11b cac media-stream multicast-direct min-client-rate 6000
config 802.11b cac media-stream multicast-direct max-retry-percent 80
config 802.11b cac multimedia max-bandwidth 80

Since the Media bandwidth setting covers both voice & video, you need to ensure that the voice and video bandwidth reservations together do not exceed the 80% configured under the Media tab. Also remember that Voice CAC should be “load-based” when you enable the Video Stream feature. In this example we will allocate a max RF bandwidth of 50% for Video & 30% for voice. Here is the default setting GUI screenshot.

VideoStream-CLI-04

You can use the “config 802.11b cac {voice|video} x” CLI commands to make the necessary modifications.

(WLC3) >config 802.11b cac ?                       
defaults       Set Default CAC parameters for 802.11b radio.
media-stream   Configure CAC parameters for media stream access category
multimedia     Configure CAC parameters for media access category, used for voice and video.
video          Configure CAC parameters for video access category, used for voice signalling.
voice          Configure CAC parameters for voice access category.

(WLC3) >config 802.11b cac video ?               
acm            Enable/disable admission control on video access category.
max-bandwidth  Configure the max RF bandwidth allocated to WMM clients for video.
tspec-inactivity-timeout Configure TSPEC inactivity timeout processing mode.

(WLC3) >config 802.11b cac video acm ?               
disable        Disable admission control on video AC.
enable         Enable admission control on video AC.

(WLC3) >config 802.11b cac video acm enable 

(WLC3) >config 802.11b cac video ?               
acm            Enable/disable admission control on video access category.
max-bandwidth  Configure the max RF bandwidth allocated to WMM clients for video.
tspec-inactivity-timeout Configure TSPEC inactivity timeout processing mode.

(WLC3) >config 802.11b cac video max-bandwidth ?               
<bandwidth>    Enter the max RF bandwith for Video in % (5-85).

(WLC3) >config 802.11b cac video max-bandwidth 50

Here are the voice-specific settings.

(WLC3) >config 802.11b cac voice ?               
acm            Enable/disable admission control on voice access category.
cac-method     Configure CAC method(static or dynamic) on voice access category.
max-bandwidth  Configure the max RF bandwidth allocated to WMM clients for voice.
roam-bandwidth Configure the % of max RF bandwidth reserved for roaming clients for voice (0-25).
sip            Configure CAC parameters for SIP based Calls.
stream-size    Max data rate of the stream acceptable
tspec-inactivity-timeout Configure TSPEC inactivity timeout processing mode.

(WLC3) >config 802.11b cac voice max-bandwidth ?               
<bandwidth>    Enter the max RF bandwith for Voice in % (5-85).

(WLC3) >config 802.11b cac voice max-bandwidth 30
(WLC3) >config 802.11b cac voice acm enable 

You can configure EDCA parameters to optimize both Voice & Video.

(WLC3) >config advanced 802.11b edca-parameters ?              
custom-voice   Enable Custom Voice EDCA parameters for 802.11b.
optimized-video-voice Enable combined video-voice-optimized parameters for 802.11b.
optimized-voice Enable non-spectralink voice-optimized parameters for 802.11b.
svp-voice      Enable SpectraLink Voice Priority (SVP) parameters for 802.11b.
wmm-default    Enable WMM default parameters for 802.11b. 

(WLC3) >config advanced 802.11b edca-parameters optimized-video-voice 

Once you have configured the above you can enable the radio band. It is a good idea to enable 802.11n support with this feature.

(WLC3) >config 802.11b 11nSupport ?               
a-mpdu         Configure 802.11n-2.4Ghz A-MPDU mode
a-msdu         Configure 802.11n-2.4Ghz A-MSDU mode
antenna        Configure 802.11n - 2.4 GHz antenna selection
disable        Disable 802.11n-2.4Ghz support
enable         Enable 802.11n-2.4Ghz support
guard_interval Configure 802.11n-2.4Ghz guard interval
mcs            Configure 802.11n-2.4Ghz MCS rates
rifs           Configure 802.11n-2.4Ghz rifs

(WLC3) >config 802.11b 11nSupport enable                
(WLC3) >config 802.11b enable network

You can enable it on a WLAN as below.

(WLC3) >config wlan media-stream multicast-direct 17 ?               
enable         Enables Multicast-direct on the WLAN
disable        Disables Multicast-direct on the WLAN.

(WLC3) >config wlan media-stream multicast-direct 17 enable 

In summary, here is the CLI config required in my example. So if you want to configure this feature on any other WLC, you can simply paste the config below onto it.

config media-stream multicast-direct enable 
config media-stream message state enable
config media-stream message note denial CIO-IS-SPEAKING
config media-stream add multicast-direct MRN-TV 239.239.239.1 239.239.239.1 detail 5000 1200 periodic video 8 fallback

config 802.11b disable network
config 802.11b media-stream multicast-direct enable 
config 802.11b media-stream multicast-direct client-maximum 3
config 802.11b cac multimedia max-bandwidth 80
config 802.11b cac video acm enable
config 802.11b cac video max-bandwidth 50
config 802.11b cac voice max-bandwidth 30
config 802.11b cac voice acm enable 
config advanced 802.11b edca-parameters optimized-video-voice
config 802.11b 11nSupport enable                
config 802.11b enable network
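Two things in this post are easy to get wrong when pasting the summary config onto another WLC: the value ranges the CLI help prints for the “detail” form of the media stream (1-35000 Kbps, 100-1500 bytes, priority 1-8, drop/fallback), and the rule that the voice and video CAC reservations must fit inside the media (multimedia) budget. The script below is an added example for this post, not a Cisco tool and not the author’s code: it validates those parameters, picks the built-in template that would cover a given bandwidth (treating the “< 5 Mbps” style ceilings as inclusive, which is an assumption of this example), and emits the CLI lines in the same order as the summary above, refusing to produce a config the WLC would reject.

```python
"""Validate Media Stream (multicast-direct) and CAC settings before pasting
them onto a WLC, and emit the matching CLI lines.

Added example for this post, not a Cisco tool. The value ranges are the ones
the CLI help text prints; the template ceilings are the bandwidths the
'template' keyword lists (treated as inclusive here, an assumption). The rule
that voice + video must fit inside the media budget is taken from the post.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

# Bandwidth ceiling (Kbps) of each built-in template, from the CLI help.
TEMPLATE_MAX_KBPS = {
    "very-coarse": 300, "coarse": 500, "ordinary": 750,
    "low-resolution": 1000, "med-resolution": 3000, "high-resolution": 5000,
}


@dataclass
class MediaStream:
    name: str
    start_ip: str
    end_ip: str
    max_kbps: int       # <1-35000>
    avg_packet: int     # <100-1500> bytes
    reevaluation: str   # "periodic" or "initial"
    priority: int       # 1 (lowest) .. 8 (highest)
    violation: str      # "drop" or "fallback"


@dataclass
class RadioCac:
    band: str                    # "802.11a" or "802.11b"
    media_pct: int               # cac multimedia max-bandwidth, 5-85
    video_pct: int               # cac video max-bandwidth, 5-85
    voice_pct: int               # cac voice max-bandwidth, 5-85
    client_max: Union[int, str]  # media-stream client-maximum: 1-20 or "no-limit"
    max_retry_pct: int = 80      # cac media-stream max-retry-percent, 0-100


def suggest_template(max_kbps: int) -> Optional[str]:
    """Smallest built-in template that covers max_kbps, or None when the
    stream is above 5 Mbps and must be configured with the 'detail' form."""
    for name, ceiling in TEMPLATE_MAX_KBPS.items():
        if max_kbps <= ceiling:
            return name
    return None


def validate_stream(s: MediaStream) -> List[str]:
    """Return parameter problems for the 'add ... detail' form; empty means valid."""
    errors = []
    try:
        start, end = ipaddress.ip_address(s.start_ip), ipaddress.ip_address(s.end_ip)
    except ValueError as exc:
        return [f"bad IP address: {exc}"]
    if not all(a.version == 4 and a.is_multicast for a in (start, end)):
        errors.append("start/end must be IPv4 multicast addresses (224.0.0.0/4)")
    elif start > end:
        errors.append("start address must not be above end address")
    if not 1 <= s.max_kbps <= 35000:
        errors.append(f"max bandwidth {s.max_kbps} Kbps outside 1-35000")
    if not 100 <= s.avg_packet <= 1500:
        errors.append(f"average packet size {s.avg_packet} outside 100-1500")
    if s.reevaluation not in ("periodic", "initial"):
        errors.append("re-evaluation must be 'periodic' or 'initial'")
    if not 1 <= s.priority <= 8:
        errors.append(f"usage priority {s.priority} outside 1-8")
    if s.violation not in ("drop", "fallback"):
        errors.append("violation policy must be 'drop' or 'fallback'")
    return errors


def validate_cac(c: RadioCac) -> List[str]:
    """Return CAC problems for one radio band; empty means valid."""
    errors = []
    for label, pct in (("multimedia", c.media_pct), ("video", c.video_pct), ("voice", c.voice_pct)):
        if not 5 <= pct <= 85:
            errors.append(f"{label} max-bandwidth {pct}% outside 5-85")
    # Voice and video are carved out of the media budget, so together they
    # must not exceed it.
    if c.voice_pct + c.video_pct > c.media_pct:
        errors.append(f"voice {c.voice_pct}% + video {c.video_pct}% exceeds media budget {c.media_pct}%")
    if c.client_max != "no-limit" and not (isinstance(c.client_max, int) and 1 <= c.client_max <= 20):
        errors.append("client-maximum must be 1-20 or 'no-limit'")
    if not 0 <= c.max_retry_pct <= 100:
        errors.append(f"max-retry-percent {c.max_retry_pct} outside 0-100")
    return errors


def render_cli(s: MediaStream, c: RadioCac, denial_note: Optional[str] = None) -> List[str]:
    """Emit the CLI lines in the same order as the post's summary block.
    Raises ValueError rather than producing a config the WLC would reject."""
    problems = validate_stream(s) + validate_cac(c)
    if problems:
        raise ValueError("; ".join(problems))
    lines = ["config media-stream multicast-direct enable"]
    if denial_note:  # message shown to clients whose stream is denied
        lines += ["config media-stream message state enable",
                  f"config media-stream message note denial {denial_note}"]
    lines.append(f"config media-stream add multicast-direct {s.name} {s.start_ip} {s.end_ip} "
                 f"detail {s.max_kbps} {s.avg_packet} {s.reevaluation} video {s.priority} {s.violation}")
    b = c.band
    lines += [
        f"config {b} disable network",  # radio must be down while CAC changes
        f"config {b} media-stream multicast-direct enable",
        f"config {b} media-stream multicast-direct client-maximum {c.client_max}",
        f"config {b} cac media-stream multicast-direct max-retry-percent {c.max_retry_pct}",
        f"config {b} cac multimedia max-bandwidth {c.media_pct}",
        f"config {b} cac video acm enable",
        f"config {b} cac video max-bandwidth {c.video_pct}",
        f"config {b} cac voice max-bandwidth {c.voice_pct}",
        f"config {b} cac voice acm enable",
        f"config advanced {b} edca-parameters optimized-video-voice",
        f"config {b} 11nSupport enable",
        f"config {b} enable network",
    ]
    return lines


if __name__ == "__main__":
    mrn_tv = MediaStream("MRN-TV", "239.239.239.1", "239.239.239.1", 5000, 1200, "periodic", 8, "fallback")
    bg = RadioCac("802.11b", media_pct=80, video_pct=50, voice_pct=30, client_max=3)
    print("\n".join(render_cli(mrn_tv, bg, "CIO-IS-SPEAKING")))
```

With the post’s values (5000 Kbps, 1200 bytes, periodic, priority 8, fallback; media 80%, video 50%, voice 30%, 3 streams per client) the output is the summary block above. Bumping video to 60% makes `render_cli` raise with “voice 30% + video 60% exceeds media budget 80%” instead of handing you a config that silently over-commits the band.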

You can use the following CLI verification commands to verify your settings.

(4402-a) >show media-stream group summary 
Stream Name   Start IP       End IP         Operation Status
------------- -------------- -------------- ----------------
MRN-TV        239.239.239.1  239.239.239.1  Multicast-direct 

(4402-a) >show media-stream group detail MRN-TV
Media Stream Name................................ MRN-TV
Start IP Address................................. 239.239.239.1
End IP Address................................... 239.239.239.1
 RRC Parmmeters
 Avg Packet Size(Bytes).......................... 1200
 Expected Bandwidth(Kbps)........................ 5000
 Policy.......................................... Admit
 RRC re-evaluation............................... periodic
 QoS............................................. Video
 Status.......................................... Multicast-direct
 Usage Priority.................................. 8
 Violation....................................... fallback

(4402-a) >show 802.11b media-stream rrc   
Multicast-direct................................. Enabled
Best Effort...................................... Disabled
Video Re-Direct.................................. Enabled
Max Allowed Streams Per Radio.................... Auto
Max Allowed Streams Per Client................... 3
Max Video Bandwidth.............................. 50
Max Voice Bandwidth.............................. 30
Max Media Bandwidth.............................. 80
Min PHY Rate..................................... 6000
Max Retry Percentage............................. 80

(4402-a) >show media-stream message details 
URL.............................................. 
E-mail........................................... 
Phone............................................ 
Note............................................. CIO-IS-SPEAKING
State............................................ enable

It is important to note that your infrastructure network should be configured to support Multicast, & WLC multicast/IGMP needs to be enabled, to get this feature working. Even in the exam, if you are asked to configure this feature, you need to verify that L3 multicast & WLC multicast are properly enabled with IGMP support.

Related Posts

1. Understanding Video Stream Feature
2. Wireless Multicast Not working-Why ?
3. Configuring Multicast on WLC

