
WLC ACL via CLI


In this post we will see how to configure an ACL on a WLC via the CLI. Let’s assume you want to create the following ACL (shown in IOS syntax) on a WLC and apply it to a guest WLAN.

 permit udp any any eq 53
 permit udp any eq 53 any
 permit ip any host 10.11.6.244
 permit ip host 10.11.6.244 any
 deny ip any any

On a WLC you first create the ACL and then add rules to it.

(4402-a) >config acl ?               
apply          Applies the ACL to the data path.
counter        Start/Stop the ACL Counters.
cpu            Configure the CPU Acl Information
create         Create a new ACL.
delete         Delete an ACL.
rule           Configure rules in the ACL.

(4402-a) >config acl create ?               
<name>         Enter ACL name up to 32 alphanumeric characters.

(4402-a) >config acl create acl-guest

When adding rules, it is not a single entry as in IOS. You have to configure the source port, destination port, action and so on as individual lines. For rule 1 you need to specify:


Action : permit
Protocol : 17 (UDP)
Source Address : defaults to any (no explicit config required)
Source port range : 0 65535 (any)
Destination Address : not required, defaults to any
Destination Port range : 53 53 (DNS)
Direction : any (no explicit config required)

Here is how you do this.

(4402-a) >config acl rule ?               
action         Configure a rule's action.
add            Add a new rule.
change         Change a rule's index.
delete         Delete a rule.
destination    Configure a rule's destination IP address, netmask and port range.
direction      Configure a rule's direction.
dscp           Configure a rule's DSCP.
protocol       Configure a rule's IP Protocol.
source         Configure a rule's source IP address, netmask and port range.
swap           Swap two rules' indices.

(4402-a) >config acl rule add ?              
<name>         Enter ACL name up to 32 alphanumeric characters.

(4402-a) >config acl rule add acl-guest ?              
<index>        Enter rule index between 1 and 64.

(4402-a) >config acl rule add acl-guest 1 

(4402-a) >config acl rule protocol ?               
<name>         Enter ACL name up to 32 alphanumeric characters.

(4402-a) >config acl rule protocol acl-guest ?               
<index>        Enter rule index between 1 and 64.

(4402-a) >config acl rule protocol acl-guest 1 ?               
<protocol>     Enter a number between 0 and 255, or 'any'.

(4402-a) >config acl rule protocol acl-guest 1 17

(4402-a) >config acl rule action ?               
<name>         Enter ACL name up to 32 alphanumeric characters.

(4402-a) >config acl rule action acl-guest ?               
<index>        Enter rule index between 1 and 64.

(4402-a) >config acl rule action acl-guest 1 ?               
<action permit/deny>Enter action: permit/deny.               

(4402-a) >config acl rule action acl-guest 1 permit

(4402-a) >config acl rule source port ?               
range          Configure a rule's source port range.

(4402-a) >config acl rule source port range ?               
<name>         Enter ACL name up to 32 alphanumeric characters.

(4402-a) >config acl rule source port range acl-guest ?               
<index>        Enter rule index between 1 and 64.

(4402-a) >config acl rule source port range acl-guest 1 ?               
<start port>   Enter port number between 0 and 65535.

(4402-a) >config acl rule source port range acl-guest 1 0 ?               
<end port>     Enter port number between 0 and 65535.

(4402-a) >config acl rule source port range acl-guest 1 0 65535

(4402-a) >config acl rule destination port range acl-guest 1 ?               
<start port>   Enter port number between 0 and 65535.

(4402-a) >config acl rule destination port range acl-guest 1 53 ?               
<end port>     Enter port number between 0 and 65535.

(4402-a) >config acl rule destination port range acl-guest 1 53 53

In summary, here are the configuration lines for rule 1.

config acl rule add acl-guest 1
config acl rule action acl-guest 1 permit
config acl rule protocol acl-guest 1 17
config acl rule source port range acl-guest 1 0 65535
config acl rule destination port range acl-guest 1 53 53

If you copy this to Notepad and then modify the rule index, protocol, source, destination and action details, you can derive the other rules. Here are the other rules derived in that way.

config acl rule add acl-guest 2
config acl rule action acl-guest 2 permit
config acl rule protocol acl-guest 2 17
config acl rule source port range acl-guest 2 53 53
config acl rule destination port range acl-guest 2 0 65535

config acl rule add acl-guest 3
config acl rule action acl-guest 3 permit
config acl rule protocol acl-guest 3 any
config acl rule source port range acl-guest 3 0 65535
config acl rule destination address acl-guest 3 10.11.6.244 255.255.255.255
config acl rule destination port range acl-guest 3 0 65535

config acl rule add acl-guest 4
config acl rule action acl-guest 4 permit
config acl rule protocol acl-guest 4 any
config acl rule source address acl-guest 4 10.11.6.244 255.255.255.255
config acl rule source port range acl-guest 4 0 65535
config acl rule destination port range acl-guest 4 0 65535

config acl rule add acl-guest 5
config acl rule action acl-guest 5 deny
config acl rule protocol acl-guest 5 any
config acl rule source port range acl-guest 5 0 65535
config acl rule destination port range acl-guest 5 0 65535
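The manual derivation above lends itself to a small generator. The Python script below is an added example, not code from the original post: it parses an IOS-syntax ACL (only the subset used in this post: permit/deny, ip/tcp/udp/icmp, any or host addresses, optional eq port) and emits the WLC config acl lines, leaving out fields that stay at the WLC default of any, expanding host into a 255.255.255.255 netmask, and dropping a trailing deny ip any any because the WLC supplies an implicit deny at index 65. The IOS_ACL list is the ACL from the top of the post; the function names are this script's own.

```python
"""Translate simple IOS-style ACL entries into Cisco WLC 'config acl' commands.

Added example, not code from the original post.  Supported IOS subset:
    <permit|deny> <ip|tcp|udp|icmp> <src> [eq <port>] <dst> [eq <port>]
where <src>/<dst> is 'any' or 'host A.B.C.D'.
"""

PROTO_NUMBERS = {"ip": "any", "icmp": "1", "tcp": "6", "udp": "17"}
MAX_RULES = 64            # WLC rule index range is 1..64; 65 is the implicit deny
ANY_PORTS = (0, 65535)    # WLC default port range, i.e. "any"

# The ACL from the post (constructed input for the demo at the bottom).
IOS_ACL = [
    "permit udp any any eq 53",
    "permit udp any eq 53 any",
    "permit ip any host 10.11.6.244",
    "permit ip host 10.11.6.244 any",
    "deny ip any any",
]


def parse_ios_ace(line):
    """Parse one IOS access-list entry into its action, protocol and endpoints."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACE: {line!r}")
    action, proto = tokens[0], tokens[1].lower()
    if proto not in PROTO_NUMBERS:
        raise ValueError(f"unsupported protocol {proto!r} in {line!r}")
    rest = tokens[2:]

    def take_endpoint():
        # Consume 'any' or 'host A.B.C.D', then an optional 'eq <port>'.
        nonlocal rest
        if rest and rest[0] == "any":
            addr, rest = None, rest[1:]
        elif len(rest) >= 2 and rest[0] == "host":
            addr, rest = rest[1], rest[2:]
        else:
            raise ValueError(f"unsupported endpoint in {line!r}")
        ports = ANY_PORTS
        if len(rest) >= 2 and rest[0] == "eq":
            port = int(rest[1])
            if not 0 <= port <= 65535:
                raise ValueError(f"port out of range in {line!r}")
            ports, rest = (port, port), rest[2:]
        return addr, ports

    src, src_ports = take_endpoint()
    dst, dst_ports = take_endpoint()
    if rest:
        raise ValueError(f"trailing tokens {rest} in {line!r}")
    if proto not in ("tcp", "udp") and (src_ports, dst_ports) != (ANY_PORTS, ANY_PORTS):
        raise ValueError(f"port match is only valid for tcp/udp: {line!r}")
    return {"action": action, "proto": PROTO_NUMBERS[proto],
            "src": src, "src_ports": src_ports,
            "dst": dst, "dst_ports": dst_ports}


def ace_to_wlc(acl, index, ace):
    """WLC command lines for one rule; fields that stay at 'any' are omitted."""
    base = "config acl rule"
    lines = [f"{base} add {acl} {index}",
             f"{base} action {acl} {index} {ace['action']}"]
    if ace["proto"] != "any":
        lines.append(f"{base} protocol {acl} {index} {ace['proto']}")
    for side, key in (("source", "src"), ("destination", "dst")):
        if ace[key]:
            # 'host A.B.C.D' in IOS is address plus a host netmask on the WLC
            lines.append(f"{base} {side} address {acl} {index} {ace[key]} 255.255.255.255")
        lo, hi = ace[key + "_ports"]
        if (lo, hi) != ANY_PORTS:
            lines.append(f"{base} {side} port range {acl} {index} {lo} {hi}")
    return lines


def ios_acl_to_wlc(acl, ios_lines, drop_trailing_deny=True):
    """Return the full WLC command list for an IOS-style ACL."""
    if not 1 <= len(acl) <= 32:
        raise ValueError("WLC ACL names are 1 to 32 characters")
    aces = [parse_ios_ace(l) for l in ios_lines if l.strip()]
    last = aces[-1] if aces else None
    if (drop_trailing_deny and last and last["action"] == "deny"
            and last["proto"] == "any" and not last["src"] and not last["dst"]
            and (last["src_ports"], last["dst_ports"]) == (ANY_PORTS, ANY_PORTS)):
        aces.pop()    # redundant: the WLC's implicit deny at index 65 covers it
    if len(aces) > MAX_RULES:
        raise ValueError(f"{len(aces)} rules exceed the WLC limit of {MAX_RULES}")
    cmds = [f"config acl create {acl}"]
    for index, ace in enumerate(aces, start=1):
        cmds.extend(ace_to_wlc(acl, index, ace))
    return cmds


if __name__ == "__main__":
    print("\n".join(ios_acl_to_wlc("acl-guest", IOS_ACL)))
```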

If you look at the ACL section of the WLC configuration afterwards, it looks like this. As you can see, protocol, source/destination address and ports default to “any”, so you do not need to configure them when “any” is what you want.

Also, like a normal IOS ACL, there is an implied deny rule (index number 65), so you do not need to configure a deny any any rule explicitly. Because of this you need to ensure all required protocols are permitted if the given task does not allow a permit any any rule.

config acl create acl-guest 

config acl rule add acl-guest 1 
config acl rule destination port range acl-guest 1 53 53 
config acl rule protocol acl-guest 1 17 
config acl rule action acl-guest 1 permit

config acl rule add acl-guest 2 
config acl rule protocol acl-guest 2 17 
config acl rule action acl-guest 2 permit 
config acl rule source port range acl-guest 2 53 53 

config acl rule add acl-guest 3 
config acl rule destination address acl-guest 3 10.11.6.244 255.255.255.255 
config acl rule action acl-guest 3 permit 

config acl rule add acl-guest 4 
config acl rule action acl-guest 4 permit 
config acl rule source address acl-guest 4 10.11.6.244 255.255.255.255 

config acl rule add acl-guest 5 
config acl rule add acl-guest 65

Finally, apply the ACL to the data path. You can also enable ACL counters if you want. If you apply an ACL to a WLAN, it overrides the interface ACL.

(4402-a) >config acl counter ?               
start          Start ACL Counters.
stop           Stop ACL Counters.

(4402-a) >config acl counter start

(4402-a) >config acl apply ?               
<name>         Enter ACL name up to 32 alphanumeric characters.

(4402-a) >config acl apply acl-guest

(4402-a) >config wlan acl <wlan-id> <acl-name>

In the GUI it looks like this.


You can verify your configuration with the “show acl summary” and “show acl detailed <acl-name>” CLI commands, as shown below.

(4402-a) >show acl summary 
ACL Counter Status               Enabled
----------------------------------------
ACL Name                         Applied
-------------------------------- -------
acl-guest                        Yes  

(4402-a) >show acl detailed acl-guest
                       Source                        Destination                Source Port  Dest Port
Index  Dir       IP Address/Netmask              IP Address/Netmask        Prot    Range       Range    DSCP  Action      Counter 
------ --- ------------------------------- ------------------------------- ---- ----------- ----------- ----- ------- -----------
     1 Any         0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0           17     0-65535    53-53     Any Permit           0 
     2 Any         0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0           17    53-53        0-65535  Any Permit           0 
     3 Any         0.0.0.0/0.0.0.0             10.11.6.244/255.255.255.255  Any     0-65535     0-65535  Any Permit           0 
     4 Any     10.11.6.244/255.255.255.255         0.0.0.0/0.0.0.0          Any     0-65535     0-65535  Any Permit           0 
     5 Any         0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0          Any     0-65535     0-65535  Any   Deny           0 

 DenyCounter : 0




CCIE Wireless Remote Racks


For my study preparation I have used online racks from Fastlane and IPexpert. This is a simple comparison of these remote rack services. Here is the hardware comparison of their racks.


Rack Availability:
With IPExpert (or proctorlabs.com) you can book a remote rack for a minimum 4 hour slot (effectively 3 hr 45 min). With Fastlane racks you cannot book for a few hours; you have to book a rack for at least a day or a week (effectively 4.5 days).

Flexibility-wise, IPExpert racks are therefore much better than Fastlane, as you can book them when you want. Since you cannot do labs 24 hours a day, the per-hour cost of Fastlane racks is much higher.

Cost:
A 4 hour slot of rack time is $30 with IPExpert. You can book 1, 5, 10 or 25 slots, and you get a discount if you book slots in bulk. You can check their pricing information from here. You can buy rack time via online payment.

A Fastlane remote rack is $195 per day. Their website says they give a 10% discount for 3 consecutive days and 25% for 5 consecutive days. But what I heard was that they use the same pods for other wireless classes (like CCNP Wireless) and no dedicated pods are available for CCIE Wireless rental (so they cannot guarantee a rack is available when you need it). You cannot buy via online payment, and responses to sales inquiries were very poor.

Remote Support:
During business hours (Monday to Friday, US-EST 9:00AM to 5:00PM) IPExpert support staff are available to help you via chat. After hours it is via email, and no staff are available at the rack locations, so if you suspect a hardware issue nobody is there to check it for you.

With Fastlane there is 24×7 remote support and a person is available via Skype. So whichever timezone you are working in, you get the same level of support all the time. In that sense Fastlane is much better than IPExpert.

Initial Configuration:
IPExpert remote racks support both their Volume 1 (6 labs) and Volume 2 (5 labs). You can load the initial configuration depending on the lab you want to practice, but you have to sacrifice 15-30 minutes to fully load a rack (revert to zero config and then load your lab’s initial config). Therefore your effective lab time per slot is around 3 hours if you go with a single slot at a time.

With Fastlane there is no pre-configuration and you have to build your lab from scratch. No multiple labs are available and there is no option to pre-load a configuration. It is pretty much like a home lab.

MSE/ACS/WCS Access:
In Fastlane labs, SSH access to these devices is not available. You have to rely on remote support if you want something checked. Because of this you cannot do certain tasks that require SSH access.

In IPExpert racks you can SSH to these devices and do almost any task. In that regard IPExpert racks are much better.

CME & VoIP:
This is one area lacking in both racks. There is no way to practice voice-specific configurations using either of these racks.

In summary, I would prefer IPExpert racks over Fastlane and am planning to use them for full 8 hour lab (Volume 2 labs) practice in the coming weeks.


Configuring AP Groups


By creating AP Groups you can control which SSIDs are advertised on which APs and which dynamic interface maps to each AP group (to reduce the broadcast domain size while using the same SSID). In the latest WLC software releases you can also control RF profiles via AP Groups, so certain APs in your network can have different RF characteristics. 802.11u settings are also supported via AP Groups. The WLC code used in this post is 7.0.116.0.

You can create access point groups (AP Groups) and assign up to 16 WLANs to each group. Each access point advertises only the enabled WLANs that belong to its access point group. The access point does not advertise disabled WLANs in its access point group or WLANs that belong to another group.
You can create up to 50 access point groups for Cisco 2100 Series Controller and controller network modules; up to 300 access point groups for Cisco 4400 Series Controllers, Cisco WiSM, and 3750G wireless LAN controller switch; and up to 500 access point groups for Cisco 5500 Series Controllers.

By default there is an AP Group called “default-group” on your WLC, and all WLANs with a WLAN ID between 1 and 16 map to this group. All the access points on the WLC also map to this group. This means any WLAN (ID 1-16) is available on any AP belonging to the default group. If your WLAN ID is greater than 16, you have to create an AP group to advertise that WLAN (or SSID). Also, if you want to advertise certain WLANs only on particular APs, you have to create an AP group for that.

Here is the topology for this post. 3502-a will be in an AP group called “APG1” and 3502-d in “APG2”. Both APs have 4402-c as primary controller and 4402-d as secondary controller. APG1 maps to the vlan11 interface and APG2 to the vlan12 interface on 4402-c (primary controller). In the event of AP fail-over to 4402-d (secondary controller), APG1 maps to vlan41 and APG2 to vlan42.


First we will create the dynamic interfaces on 4402-c as shown below. Ensure that DHCP is configured on the switch so clients get dynamic IPs.

3750-b
ip dhcp excluded-address 192.168.11.1 192.168.11.100
ip dhcp excluded-address 192.168.11.150 192.168.11.254
ip dhcp excluded-address 192.168.12.1 192.168.12.100
ip dhcp excluded-address 192.168.12.150 192.168.12.254
ip dhcp pool VLAN11
   network 192.168.11.0 255.255.255.0
   default-router 192.168.11.1 
   domain-name mrn.com
ip dhcp pool VLAN12
   network 192.168.12.0 255.255.255.0
   default-router 192.168.12.1 
   domain-name mrn.com

(4402-c) >config interface create vlan11 11
(4402-c) >config interface address dynamic-interface vlan11 192.168.11.33 255.255.255.0 192.168.11.1
(4402-c) >config interface dhcp dynamic-interface vlan11 primary 192.168.11.1

(4402-c) >config interface create vlan12 12                                                         
(4402-c) >config interface address dynamic-interface vlan12 192.168.12.33 255.255.255.0 192.168.12.1
(4402-c) >config interface dhcp dynamic-interface vlan12 primary 192.168.12.1

First we will create a WLAN called “wlan<16” (with WLAN ID 6). For simplicity we will disable L2 security and make it an open SSID. Other settings are left at their defaults.

(4402-c) >config wlan create 6 wlan<16 wlan<16
(4402-c) >config wlan interface 6 vlan11
(4402-c) >config wlan security wpa disable 6
(4402-c) >config wlan enable 6

Now we will configure APG1 and APG2 and map interfaces vlan11 and vlan12 respectively to the WLAN created.

(4402-c) >config wlan apgroup ?               
add            Creates a new AP Group.
delete         Deletes a existing ap group.
description    Configures a description for an AP group.
interface-mapping Adds or deletes a new apgroup/WLAN/interface mapping.
nac-snmp       Configures NAC SNMP functionality on given AP-Group. 
radio-policy   Configures Radio Policy on given AP-Group. 

(4402-c) >config wlan apgroup add ?               
<apgroup name> Specify the name of the apgroup to configure.

(4402-c) >config wlan apgroup add APG1 ?              
<description>  (optional) Specify the description for the AP group.

(4402-c) >config wlan apgroup add APG1 "AP Group 1"
(4402-c) >config wlan apgroup add APG2 "AP Group 2"

(4402-c) >config wlan apgroup interface-mapping ?               
add            Adds a new apgroup/WLAN/interface mapping.
delete         Adds a new apgroup/WLAN/interface mapping.

(4402-c) >config wlan apgroup interface-mapping add ?               
<apgroup name> Specify the name of the apgroup to configure.

(4402-c) >config wlan apgroup interface-mapping add APG1 ?               
<WLAN or Remote LAN Id> Enter WLAN or Remote LAN Identifier between 1 and 512.

(4402-c) >config wlan apgroup interface-mapping add APG1 6 ?              
<Interface Name> Specify the interface name.

(4402-c) >config wlan apgroup interface-mapping add APG1 6 vlan11
(4402-c) >config wlan apgroup interface-mapping add APG2 6 vlan12

Then you can assign APs to the AP groups created, as shown below.

(4402-c) >show ap summary 
Number of APs.................................... 2
Global AP User Name.............................. Not Configured
Global AP Dot1x User Name........................ Not Configured

AP Name             Slots  AP Model              Ethernet MAC       Location          Port  Country  Priority
------------------  -----  --------------------  -----------------  ----------------  ----  -------  ------
3502-a               2     AIR-CAP3502I-N-K9     cc:ef:48:72:0b:bd      3750-B Port1  LAG      AU       1
3502-d               2     AIR-CAP3502I-N-K9     44:d3:ca:af:43:43      3750-A Port4  LAG      AU       3

(4402-c) >config ap group-name ?               
<groupname>    Enter the group name of Cisco APs as String

(4402-c) >config ap group-name APG1 ?               
<Cisco AP>     Enter the name of the Cisco AP.

(4402-c) >config ap group-name APG1 3502-a
Changing the AP's group name will cause the AP to reboot.
Are you sure you want to continue? (y/n) y

(4402-c) >config ap group-name APG2 3502-d
Changing the AP's group name will cause the AP to reboot.
Are you sure you want to continue? (y/n) y

You can check connectivity by enabling one AP at a time to see that the correct IP range is given to the client. First we will disable 3502-a and check the client IP once it is associated.

(4402-c) >config ap disable 3502-a
(4402-c) >show client summary 
Number of Clients................................ 1
MAC Address       AP Name           Status        WLAN/GLAN      Auth Protocol         Port Wired
----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
04:f7:e4:ea:5b:66 3502-d            Associated    6              Yes  802.11n(5 GHz)   29   No

(4402-c) >show client detail 04:f7:e4:ea:5b:66
Client MAC Address............................... 04:f7:e4:ea:5b:66
Client Username ................................. N/A
AP MAC Address................................... 64:ae:0c:91:94:20
AP Name.......................................... 3502-d            
Client State..................................... Associated     
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 6  
BSSID............................................ 64:ae:0c:91:94:2f  
Connected For ................................... 45 secs
Channel.......................................... 149
IP Address....................................... 192.168.12.101
Association Id................................... 1  
Authentication Algorithm......................... Open System
Reason Code...................................... 1  
Status Code...................................... 0  

Let’s enable 3502-a and disable 3502-d. As you can see below, since my client already had a vlan12 IP, the client moves to 3502-a without changing its IP.

(4402-c) >config ap enable 3502-a             
(4402-c) >config ap disable 3502-d
(4402-c) >show client summary 
Number of Clients................................ 1
MAC Address       AP Name           Status        WLAN/GLAN      Auth Protocol         Port Wired
----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
04:f7:e4:ea:5b:66 3502-a            Associated    6              Yes  802.11n(5 GHz)   29   No

(4402-c) >show client detail 04:f7:e4:ea:5b:66
Client MAC Address............................... 04:f7:e4:ea:5b:66
Client Username ................................. N/A
AP MAC Address................................... 2c:3f:38:2a:b1:20
AP Name.......................................... 3502-a            
Client State..................................... Associated     
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 6  
BSSID............................................ 2c:3f:38:2a:b1:2f  
Connected For ................................... 30 secs
Channel.......................................... 149
IP Address....................................... 192.168.12.101
Association Id................................... 1  
Authentication Algorithm......................... Open System
Reason Code...................................... 1  
Status Code...................................... 0  
Session Timeout.................................. 0  
Client CCX version............................... No CCX support
Mirroring........................................ Disabled
QoS Level........................................ Silver
802.1P Priority Tag.............................. 3
WMM Support...................................... Enabled
Power Save....................................... OFF
Current Rate..................................... m7
Supported Rates.................................. 6.0,9.0,12.0,18.0,24.0,36.0,
    ............................................. 48.0,54.0
Mobility State................................... Local
Mobility Move Count.............................. 0
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
ACL Name......................................... none
ACL Applied Status............................... Unavailable
NPU Fast Fast Notified........................... Yes
Policy Type...................................... N/A
Encryption Cipher................................ None
Management Frame Protection...................... No
EAP Type......................................... Unknown
Interface........................................ vlan12
VLAN............................................. 12
Quarantine VLAN.................................. 0
Access VLAN...................................... 12

But if you deauthenticate the client and force it to join again, you will see the client gets a vlan11 IP.

(4402-c) >show client summary 
Number of Clients................................ 1
MAC Address       AP Name           Status        WLAN/GLAN      Auth Protocol         Port Wired
----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
04:f7:e4:ea:5b:66 3502-a            Associated    6              Yes  802.11n(5 GHz)   29   No

(4402-c) >config client deauthenticate 04:f7:e4:ea:5b:66

(4402-c) >show client detail 04:f7:e4:ea:5b:66
Client MAC Address............................... 04:f7:e4:ea:5b:66
Client Username ................................. N/A
AP MAC Address................................... 2c:3f:38:2a:b1:20
AP Name.......................................... 3502-a            
Client State..................................... Associated     
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 6  
BSSID............................................ 2c:3f:38:2a:b1:2f  
Connected For ................................... 27 secs
Channel.......................................... 149
IP Address....................................... 192.168.11.101
Association Id................................... 1  
Authentication Algorithm......................... Open System
Reason Code...................................... 1  
Status Code...................................... 0

As you can see, with AP groups clients are put into the configured VLANs as they associate to the network. But if they move from one AP to another AP (in a different AP group), the client keeps its original IP address.

Now let’s see how this works when the APs fail over to the secondary controller (4402-d).

3750-d
interface Vlan41
 ip address 192.168.41.1 255.255.255.0
 ip helper-address 192.168.10.3
!
interface Vlan42
 ip address 192.168.42.1 255.255.255.0
 ip helper-address 192.168.10.3

(4402-d) >config interface create vlan41 41
(4402-d) >config interface address dynamic-interface vlan41 192.168.41.44 255.255.255.0 192.168.41.1
(4402-d) >config interface dhcp dynamic-interface vlan41 primary 192.168.10.3

(4402-d) >config interface create vlan42 42
(4402-d) >config interface address dynamic-interface vlan42 192.168.42.44 255.255.255.0 192.168.42.1
(4402-d) >config interface dhcp dynamic-interface vlan42 primary 192.168.10.3

(4402-d) >config wlan create 6 wlan<16 wlan<16
(4402-d) >config wlan interface 6 vlan41
(4402-d) >config wlan security wpa disable 6
(4402-d) >config wlan enable 6

Let’s configure the secondary controller for the two APs.

(4402-c) >config ap secondary-base 4402-d 3502-a 192.168.40.44
(4402-c) >config ap secondary-base 4402-d 3502-d 192.168.40.44

(4402-c) >show ap config general 3502-a
Cisco AP Identifier.............................. 4
Cisco AP Name.................................... 3502-a
Country code..................................... AU  - Australia
Regulatory Domain allowed by Country............. 802.11bg:-A     802.11a:-N
AP Country code.................................. AU  - Australia
AP Regulatory Domain............................. 802.11bg:-A    802.11a:-N 
Switch Port Number .............................. 29
MAC Address...................................... cc:ef:48:72:0b:bd
IP Address Configuration......................... DHCP
IP Address....................................... 192.168.20.61
IP NetMask....................................... 255.255.255.0
Gateway IP Addr.................................. 192.168.20.254
NAT External IP Address.......................... None
CAPWAP Path MTU.................................. 1485
Telnet State..................................... Disabled
Ssh State........................................ Disabled
Cisco AP Location................................ 3750-B Port1
Cisco AP Group Name.............................. APG1
Primary Cisco Switch Name........................ 4402-c
Primary Cisco Switch IP Address.................. 192.168.10.33
Secondary Cisco Switch Name...................... 4402-d
Secondary Cisco Switch IP Address................ 192.168.40.44
Tertiary Cisco Switch Name....................... 
Tertiary Cisco Switch IP Address................. Not Configured

Now if you disconnect 4402-c (or shut down G1/0/1-2) you will see the two APs fail over to 4402-d.

(4402-d) >show ap summary 
Number of APs.................................... 2
Global AP User Name.............................. Not Configured
Global AP Dot1x User Name........................ Not Configured
AP Name             Slots  AP Model              Ethernet MAC       Location          Port  Country  Priority
------------------  -----  --------------------  -----------------  ----------------  ----  -------  ------
3502-a               2     AIR-CAP3502I-N-K9     cc:ef:48:72:0b:bd      3750-B Port1  LAG      AU       1
3502-d               2     AIR-CAP3502I-N-K9     44:d3:ca:af:43:43      3750-A Port4  LAG      AU       3

(4402-d) >show ap config general 3502-a
Cisco AP Identifier.............................. 0
Cisco AP Name.................................... 3502-a
Country code..................................... AU  - Australia
Regulatory Domain allowed by Country............. 802.11bg:-A     802.11a:-N
AP Country code.................................. AU  - Australia
AP Regulatory Domain............................. 802.11bg:-A    802.11a:-N 
Switch Port Number .............................. 29
MAC Address...................................... cc:ef:48:72:0b:bd
IP Address Configuration......................... DHCP
IP Address....................................... 192.168.20.61
IP NetMask....................................... 255.255.255.0
Gateway IP Addr.................................. 192.168.20.254
NAT External IP Address.......................... None
CAPWAP Path MTU.................................. 1485
Telnet State..................................... Disabled
Ssh State........................................ Disabled
Cisco AP Location................................ 3750-B Port1
Cisco AP Group Name.............................. default-group
Primary Cisco Switch Name........................ 4402-c
Primary Cisco Switch IP Address.................. 192.168.10.33
Secondary Cisco Switch Name...................... 4402-d
Secondary Cisco Switch IP Address................ 192.168.40.44
Tertiary Cisco Switch Name....................... 
Tertiary Cisco Switch IP Address................. Not Configured
Administrative State ............................ ADMIN_ENABLED
Operation State ................................. REGISTERED

Since we have not created any AP groups on the secondary controller, by default both APs are put into the default group. So the client gets a vlan41 IP, as that is the interface mapped to the “wlan<16” WLAN.

(4402-d) >show client summary 
Number of Clients................................ 1
MAC Address       AP Name           Status        WLAN/GLAN      Auth Protocol         Port Wired
----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
04:f7:e4:ea:5b:66 3502-a            Associated    6              Yes  802.11n(5 GHz)   29   No

(4402-d) >show client detail 04:f7:e4:ea:5b:66
Client MAC Address............................... 04:f7:e4:ea:5b:66
Client Username ................................. N/A
AP MAC Address................................... 2c:3f:38:2a:b1:20
AP Name.......................................... 3502-a            
Client State..................................... Associated     
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 6  
BSSID............................................ 2c:3f:38:2a:b1:2a  
Connected For ................................... 80 secs
Channel.......................................... 149
IP Address....................................... 192.168.41.101
Association Id................................... 1  
Authentication Algorithm......................... Open System
Reason Code...................................... 1  
Status Code...................................... 0

Now let’s configure the two AP groups that exist on 4402-c on 4402-d as well, and see that when fail-over occurs the two APs go into the correct group, as they were on the primary controller.

(4402-d) >config wlan apgroup add APG1 "AP Group 1"
(4402-d) >config wlan apgroup add APG2 "AP Group 2"

(4402-d) >config wlan apgroup interface-mapping add APG1 6 vlan41
(4402-d) >config wlan apgroup interface-mapping add APG2 6 vlan42
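The fail-over behaviour seen above (APs landing in default-group, and clients on the wrong VLAN, because the secondary controller lacked their AP group) can be checked before an outage. The Python below is an added example, not code from the original post: it models how a controller resolves an AP's effective group and a new client's dynamic interface from the WLAN and AP group mappings in this post, and reports for each AP what a fail-over to the secondary would do. Controller names, AP names, groups and interfaces are the post's; the Controller class, failover_report() and post_setup() are this script's own, and the rules they encode come from the post's description, not from WLC code.

```python
"""Model the WLC AP-group behaviour described in this post and check a
secondary controller's AP-group configuration against the primary.

Added example, not code from the original post.  Rules encoded, as the
post states them:
  * an AP whose group exists on the controller gets that group's interface
    for a WLAN the group maps (a WLAN the group does not map is not advertised);
  * an AP whose group does not exist on the controller joins default-group;
  * in default-group, WLAN IDs 1..16 use the WLAN's own interface and
    WLAN IDs above 16 are not advertised at all.
"""

DEFAULT_GROUP = "default-group"
DEFAULT_GROUP_MAX_WLAN = 16


class Controller:
    def __init__(self, name, wlan_interfaces, ap_groups=None):
        self.name = name
        # wlan id -> interface set with 'config wlan interface <id> <if>'
        self.wlan_interfaces = dict(wlan_interfaces)
        # group -> {wlan id -> interface}, as set with
        # 'config wlan apgroup interface-mapping add <group> <id> <if>'
        self.ap_groups = {g: dict(m) for g, m in (ap_groups or {}).items()}

    def add_ap_group(self, group, mapping):
        self.ap_groups[group] = dict(mapping)

    def effective_group(self, configured_group):
        """Group an AP actually lands in when it joins this controller."""
        if configured_group in self.ap_groups:
            return configured_group
        return DEFAULT_GROUP

    def client_interface(self, configured_group, wlan_id):
        """Interface a newly associating client on this AP and WLAN is put on,
        or None if the WLAN is not advertised by that AP on this controller."""
        group = self.effective_group(configured_group)
        if group == DEFAULT_GROUP:
            if wlan_id > DEFAULT_GROUP_MAX_WLAN:
                return None
            return self.wlan_interfaces.get(wlan_id)
        return self.ap_groups[group].get(wlan_id)


def failover_report(primary, secondary, aps, wlan_id):
    """For each AP (name -> configured group), describe what a fail-over from
    `primary` to `secondary` does to new clients on `wlan_id`.  An entry is
    'ok' when the AP keeps its group and the WLAN stays advertised."""
    report = []
    for ap, group in sorted(aps.items()):
        sec_group = secondary.effective_group(group)
        sec_if = secondary.client_interface(group, wlan_id)
        report.append({
            "ap": ap,
            "primary_interface": primary.client_interface(group, wlan_id),
            "secondary_group": sec_group,
            "secondary_interface": sec_if,
            "ok": sec_group == group and sec_if is not None,
        })
    return report


def post_setup():
    """The controllers and APs of this post, before AP groups exist on 4402-d
    (constructed from the post's configuration)."""
    primary = Controller("4402-c", {6: "vlan11"},
                         {"APG1": {6: "vlan11"}, "APG2": {6: "vlan12"}})
    secondary = Controller("4402-d", {6: "vlan41"})
    aps = {"3502-a": "APG1", "3502-d": "APG2"}
    return primary, secondary, aps


if __name__ == "__main__":
    primary, secondary, aps = post_setup()
    for stage in ("before", "after"):
        if stage == "after":
            # the fix the post applies on 4402-d
            secondary.add_ap_group("APG1", {6: "vlan41"})
            secondary.add_ap_group("APG2", {6: "vlan42"})
        print(f"--- {stage} creating AP groups on {secondary.name}")
        for row in failover_report(primary, secondary, aps, 6):
            print(row)
```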

This time you can see that 3502-a goes into APG1 whereas 3502-d goes into APG2, as they were on the primary controller.

(4402-d) >show ap summary 
Number of APs.................................... 2
Global AP User Name.............................. Not Configured
Global AP Dot1x User Name........................ Not Configured

AP Name             Slots  AP Model              Ethernet MAC       Location          Port  Country  Priority
------------------  -----  --------------------  -----------------  ----------------  ----  -------  ------
3502-a               2     AIR-CAP3502I-N-K9     cc:ef:48:72:0b:bd      3750-B Port1  LAG      AU       1
3502-d               2     AIR-CAP3502I-N-K9     44:d3:ca:af:43:43      3750-A Port4  LAG      AU       3

(4402-d) >show ap config general 3502-d
Cisco AP Identifier.............................. 3
Cisco AP Name.................................... 3502-d
Country code..................................... AU  - Australia
Regulatory Domain allowed by Country............. 802.11bg:-A     802.11a:-N
AP Country code.................................. AU  - Australia
AP Regulatory Domain............................. 802.11bg:-A    802.11a:-N 
Switch Port Number .............................. 29
MAC Address...................................... 44:d3:ca:af:43:43
IP Address Configuration......................... Static IP assigned
IP Address....................................... 10.10.20.4
IP NetMask....................................... 255.255.255.0
Gateway IP Addr.................................. 10.10.20.1
Domain........................................... 
Name Server...................................... 
NAT External IP Address.......................... None
CAPWAP Path MTU.................................. 1485
Telnet State..................................... Disabled
Ssh State........................................ Disabled
Cisco AP Location................................ 3750-A Port4
Cisco AP Group Name.............................. APG2
Primary Cisco Switch Name........................ 4402-c
Primary Cisco Switch IP Address.................. 192.168.10.33
Secondary Cisco Switch Name...................... 4402-d
Secondary Cisco Switch IP Address................ 192.168.40.44
Tertiary Cisco Switch Name....................... 
Tertiary Cisco Switch IP Address................. Not Configured
Administrative State ............................ ADMIN_ENABLED
Operation State ................................. REGISTERED

(4402-d) >show ap config general 3502-a
Cisco AP Identifier.............................. 2
Cisco AP Name.................................... 3502-a
Country code..................................... AU  - Australia
Regulatory Domain allowed by Country............. 802.11bg:-A     802.11a:-N
AP Country code.................................. AU  - Australia
AP Regulatory Domain............................. 802.11bg:-A    802.11a:-N 
Switch Port Number .............................. 29
MAC Address...................................... cc:ef:48:72:0b:bd
IP Address Configuration......................... DHCP
IP Address....................................... 192.168.20.61
IP NetMask....................................... 255.255.255.0
Gateway IP Addr.................................. 192.168.20.254
NAT External IP Address.......................... None
CAPWAP Path MTU.................................. 1485
Telnet State..................................... Disabled
Ssh State........................................ Disabled
Cisco AP Location................................ 3750-B Port1
Cisco AP Group Name.............................. APG1
Primary Cisco Switch Name........................ 4402-c
Primary Cisco Switch IP Address.................. 192.168.10.33
Secondary Cisco Switch Name...................... 4402-d

You can verify that clients get a vlan42 or vlan41 IP depending on which AP they are associated to (3502-d & 3502-a respectively).

(4402-d) >config ap disable 3502-a
(4402-d) >show client summary 
Number of Clients................................ 1
MAC Address       AP Name           Status        WLAN/GLAN      Auth Protocol         Port Wired
----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
04:f7:e4:ea:5b:66 3502-d            Associated    6              Yes  802.11n(5 GHz)   29   No

(4402-d) >show client detail 04:f7:e4:ea:5b:66
Client MAC Address............................... 04:f7:e4:ea:5b:66
Client Username ................................. N/A
AP MAC Address................................... 64:ae:0c:91:94:20
AP Name.......................................... 3502-d            
Client State..................................... Associated     
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 6  
BSSID............................................ 64:ae:0c:91:94:2f  
Connected For ................................... 35 secs
Channel.......................................... 36 
IP Address....................................... 192.168.42.101
Association Id................................... 1  
Authentication Algorithm......................... Open System
Reason Code...................................... 1  
Status Code...................................... 0

Therefore it is important to configure AP groups in the same manner on all primary, secondary & tertiary controllers if you want to advertise the same set of WLANs, mapped to the required dynamic interfaces.

As an exercise you can try to use a WLAN ID greater than 16 (a “wlan>16” WLAN) & see how it works in a similar scenario.


Rogue Classification


Rogue detection is enabled by default on a Wireless LAN Controller & you can view detected Rogue APs in the “Monitor > Rogue > Unclassified APs” section. Here is a screen capture of that on one of my controllers.

Rogue-AP-01

In a typical campus environment there are lots of other APs around. Some of them pose no threat and can be classified as friendly. Most of them belong to 3rd party shops, other organizations sharing the premises, etc. Those APs you can categorize as “Friendly External”. Another category of friendly APs is “internal”, which means they belong to your organization but are not managed by your WLCs. You can categorize them as “Friendly Internal”.

Let’s create a Rogue Rule to classify APs advertising certain known SSIDs (belonging to another organization in your premises) as Friendly External. You can do this via GUI in the “Security > Wireless Protection Policies > Rogue Rules” section. You have to give a Rule Name & Rule Type as “Friendly” with State as “External”.

Rogue-AP-02

Once you create the rule, you can add conditions. In this example we will use SSID as the condition & “match any” as the match operation. If you configure “match all”, all conditions have to be met in order to classify as Friendly External. In this example we will configure APs advertising the “SuniTAFE-STUDENTS”, “SuniTAFE-STAFF” or “SuniTAFE-Guest” SSID as Friendly External.

Rogue-AP-03

Here is the complete list of conditions which can be used for Rogue Classification.

1. SSID—Requires that the rogue access point have a specific user-configured SSID. If you choose this option, enter the SSID in the User Configured SSID text box, and click Add SSID.
2. RSSI—Requires that the rogue access point have a minimum received signal strength indication (RSSI) value. For example, if the rogue access point has an RSSI that is greater than the configured value, then the access point could be classified as malicious. If you choose this option, enter the minimum RSSI value in the Minimum RSSI text box. The valid range is -95 to -50 dBm (inclusive), and the default value is 0 dBm.
3. Duration—Requires that the rogue access point be detected for a minimum period of time. If you choose this option, enter a value for the minimum detection period in the Time Duration text box. The valid range is 0 to 3600 seconds (inclusive), and the default value is 0 seconds.
4. Client Count—Requires that a minimum number of clients be associated to the rogue access point. For example, if the number of clients associated to the rogue access point is greater than or equal to the configured value, then the access point could be classified as malicious. If you choose this option, enter the minimum number of clients to be associated to the rogue access point in the Minimum Number of Rogue Clients text box. The valid range is 1 to 10 (inclusive), and the default value is 0.
5. No Encryption—Requires that the rogue access point’s advertised WLAN does not have encryption enabled. If a rogue access point has encryption disabled, it is likely that more clients will try to associate to it. No further configuration is required for this option.
6. Managed SSID—Requires that the rogue access point’s managed SSID (the SSID configured for the WLAN) be known to the controller. No further configuration is required for this option.

Note The SSID and Managed SSID conditions cannot be used with the Match All operation because these two SSID lists are mutually exclusive. If you define a rule with Match All and have these two conditions configured, the rogue access points are never classified as friendly or malicious because one of the conditions can never be met.

You can configure up to 64 rogue classification rules per controller using the controller GUI or CLI. If you look at controller configuration you will see the following CLI commands related to the rogue classification.

 config rogue rule add ap priority 1 classify friendly notify all state external SuniTAFE
 config rogue rule match any SuniTAFE
 config rogue rule condition ap set ssid SuniTAFE-GUEST SuniTAFE
 config rogue rule condition ap set ssid SuniTAFE-STAFF SuniTAFE
 config rogue rule condition ap set ssid SuniTAFE-STUDENTS SuniTAFE
 config rogue rule enable SuniTAFE

The above is the Rogue classification on one of my production WLCs, which is running the 7.4.100.6 software code.

Now we will see how to configure this on WLC 7.0.116.0, which is the version in the CCIEW v2.0 lab exam. Here is how you can create a Rogue Rule under the Security section.

Rogue-AP-04

Rogue-AP-05

As you can see, in this version you cannot set the STATE to one of “Internal, External or Alert” in the global rule setting. You can change it to either “Internal” or “External” by clicking each individual AP. By default it is set to “Internal”.

Rogue-AP-06

Now if you go to “Monitor > Rogue > Friendly AP” you would see something like this.

Rogue-AP-07

You can configure this feature via CLI as well. Here are the steps to do that via CLI.

(WLC2) >config rogue ?               
adhoc          Configures adhoc rogue (IBSS).
ap             Configures rogue access points.
auto-contain   Configures rogue auto-containment parameters.
client         Configures rogue clients.
detection      Configures APs to detect rogue devices and configure reporting interval for monitor-mode APs
rule           Configures rogue classification rules.

(WLC2) >config rogue rule ?               
add            Adds a rule with Match Any criteria. Maximum of 64 rules are allowed.
classify       Classifies a rule.
condition      Configures a condition.
delete         Deletes a rule.
disable        Disables a rule.
enable         Enables a rule.
match          Configures matching criteria for a rule.
priority       Configures rule priority.

(WLC2) >config rogue rule add ?               
ap             Configures rules for APs.

(WLC2) >config rogue rule add ap ?               
priority       Configures priority for a rule.

(WLC2) >config rogue rule add ap priority 1 ?               
classify       Classifies a rule.

(WLC2) >config rogue rule add ap priority 1 classify friendly ?             
<rule-name>    Rogue classification rule name.

(WLC2) >config rogue rule add ap priority 1 classify friendly ROGUE-1
Rule 'ROGUE-1' created successfully. Use 'config rogue rule enable ROGUE-1' to activate the rule.

(WLC2) >config rogue rule match any ROGUE-1
Rule is already set to this match operation.

(WLC2) >config rogue rule condition ?               
ap             Configures condition for the APs.

(WLC2) >config rogue rule condition ap ?               
set            Configures a condition for the rule.
delete         Deletes a condition from the rule.

(WLC2) >config rogue rule condition ap set ?              
client-count   Requires a minimum number of clients to be associated with the rogue AP.
duration       Requires that the rogue has been detected for a minimum period of time.
managed-ssid   Requires the SSID to be known to the controller.
no-encryption  Requires that the advertised WLAN does not have encryption enabled.
rssi           Requires a minimum RSSI value.
ssid           Requires a specific SSID.

(WLC2) >config rogue rule condition ap set ssid ?             
<ssid>         Enter SSID name.

(WLC2) >config rogue rule condition ap set ssid mrn-cciew ?               
<rule-name>    Rogue classification rule name.

(WLC2) >config rogue rule condition ap set ssid mrn-cciew ROGUE-1

(WLC2) >config rogue rule enable ROGUE-1

You can verify using following CLI commands.

(WLC2) >show rogue rule summary 
Priority Rule Name               State    Type          Match Hit Count
-------- ----------------------- -------- ------------- ----- ---------
1        ROGUE-1                 Enabled  Friendly      Any   1 
Priority......................................... 1
Rule Name........................................ ROGUE-1
State............................................ Enabled
Type............................................. Friendly
Match Operation.................................. Any
Hit Count........................................ 1
Total Conditions................................. 1
Condition 1
    type......................................... Ssid
    SSID Count................................... 1
    SSID 1....................................... mrn-cciew

(WLC2) >show rogue ap summary 
Rogue on wire Auto-Contain....................... Disabled
Rogue using our SSID Auto-Contain................ Disabled
Valid client on rogue AP Auto-Contain............ Disabled
Rogue AP timeout................................. 1200
Monitor Mode Report Interval..................... 10

MAC Address        Classification     # APs # Clients Last Heard             
-----------------  ------------------ ----- --------- -----------------------
00:26:99:34:20:60  Friendly           1     0         Sat Jun  1 22:48:27 2013
00:26:99:34:20:6e  Unclassified       1     0         Sat Jun  1 22:42:29 2013
00:26:99:34:20:6f  Friendly           1     0         Sat Jun  1 22:48:27 2013
9c:c7:a6:29:e1:99  Friendly           1     0         Sat Jun  1 22:48:27 2013

(WLC2) >show rogue ap detailed 9c:c7:a6:29:e1:99       
Rogue BSSID...................................... 9c:c7:a6:29:e1:99
Is Rogue on Wired Network........................ No
Classification................................... Friendly        
Manual Contained................................. No              
State............................................ External           
First Time Rogue was Reported.................... Sat Jun  1 22:29:57 2013
Last Time Rogue was Reported..................... Sat Jun  1 22:48:27 2013
Reported By
    AP 1
        MAC Address.............................. a0:cf:5b:9e:e8:20  
        Name..................................... LAP2
        Radio Type............................... 802.11n5G
        SSID..................................... mrn-cciew
        Channel.................................. (44,48)
        RSSI..................................... -25 dBm
        SNR...................................... 71 dB
        Encryption............................... Enabled
        ShortPreamble............................ Not Supported
        WPA Support.............................. Enabled
        Last reported by this AP................. Sat Jun  1 22:48:27 2013

(WLC2) >show rogue ap detailed 00:26:99:34:20:60
Rogue BSSID...................................... 00:26:99:34:20:60
Is Rogue on Wired Network........................ No
Classification................................... Friendly        
Manual Contained................................. No              
Rule Name........................................ ROGUE-1         
State............................................ Alert              
First Time Rogue was Reported.................... Sat Jun  1 22:39:30 2013
Last Time Rogue was Reported..................... Sat Jun  1 22:54:25 2013
Reported By
    AP 1
        MAC Address.............................. a0:cf:5b:9e:e8:20  
        Name..................................... LAP2
        Radio Type............................... 802.11a
        SSID..................................... mrn-cciew
        Channel.................................. 36
        RSSI..................................... -79 dBm
        SNR...................................... 18 dB
        Encryption............................... Enabled
        ShortPreamble............................ Not Supported
        WPA Support.............................. Enabled
        Last reported by this AP................. Sat Jun  1 22:54:25 2013

You can change a Rogue AP’s state as below.

(WLC2) >config rogue ap classify ?              
friendly       Configures rogue access point classification to friendly.
malicious      Configures rogue access point classification to malicious.
unclassified   Configures rogue access point classification to unclassified.

(WLC2) >config rogue ap classify friendly ?               
state          Configures rogue access points rogue state.

(WLC2) >config rogue ap classify friendly state ?               
external       Acknowledge presence of an access point.
internal       Trust a foreign access point.

(WLC2) >config rogue ap classify friendly state internal ?               
<MAC addr>     Enter the MAC address of the rogue AP (e.g. 01:01:01:01:01:01).

(WLC2) >config rogue ap classify friendly state internal 00:26:99:34:20:60
(WLC2) >config rogue ap classify friendly state internal 9c:c7:a6:29:e1:99

Now let’s say you have a few other SSIDs to add to the list as “Friendly AP”; you can do it like this. In my example I would configure APs advertising the “LTUWireless2” & “eduroam” SSIDs as friendly as well.

(WLC2) >config rogue rule condition ap set ssid LTUWireless2 ROGUE-1
(WLC2) >config rogue rule condition ap set ssid eduroam ROGUE-1

(WLC2) >show rogue rule detailed ROGUE-1                  
Priority......................................... 1
Rule Name........................................ ROGUE-1
State............................................ Disabled
Type............................................. Friendly
Match Operation.................................. Any
Hit Count........................................ 1
Total Conditions................................. 1
Condition 1
    type......................................... Ssid
    SSID Count................................... 3
    SSID 1....................................... LTUWireless2
    SSID 2....................................... eduroam
    SSID 3....................................... mrn-cciew

Now we will add another condition: only beacons of these SSIDs heard above -90dBm will be classified as Friendly Rogue. In this case you have to have 3 rules, each with match operation “all” (both SSID & RSSI). We will delete the existing condition & write the new 3 rules as below.

(WLC2) >config rogue rule condition ap delete all ROGUE-1

config rogue rule add ap priority 1 classify friendly ROGUE-1
config rogue rule match all ROGUE-1
config rogue rule condition ap set ssid mrn-cciew ROGUE-1
config rogue rule condition ap set rssi -90 ROGUE-1
config rogue rule enable ROGUE-1

config rogue rule add ap priority 2 classify friendly ROGUE-2
config rogue rule match all ROGUE-2
config rogue rule condition ap set ssid LTUWireless2 ROGUE-2
config rogue rule condition ap set rssi -90 ROGUE-2
config rogue rule enable ROGUE-2

config rogue rule add ap priority 3 classify friendly ROGUE-3
config rogue rule match all ROGUE-3
config rogue rule condition ap set ssid eduroam ROGUE-3
config rogue rule condition ap set rssi -90 ROGUE-3
config rogue rule enable ROGUE-3

(WLC2) >show rogue rule summary 
Priority Rule Name               State    Type          Match Hit Count
-------- ----------------------- -------- ------------- ----- ---------
1        ROGUE-1                 Enabled  Friendly      All   1       
2        ROGUE-2                 Enabled  Friendly      All   0       
3        ROGUE-3                 Enabled  Friendly      All   1       

(WLC2) >show rogue rule detailed ROGUE-1
Priority......................................... 1
Rule Name........................................ ROGUE-1
State............................................ Enabled
Type............................................. Friendly
Match Operation.................................. All
Hit Count........................................ 1
Total Conditions................................. 2
Condition 1
    type......................................... Rssi
    value (dBm).................................. -90
Condition 2
    type......................................... Ssid
    SSID Count................................... 1
    SSID 1....................................... mrn-cciew

(WLC2) >show rogue rule detailed ROGUE-2
Priority......................................... 2
Rule Name........................................ ROGUE-2
State............................................ Enabled
Type............................................. Friendly
Match Operation.................................. All
Hit Count........................................ 0
Total Conditions................................. 2
Condition 1
    type......................................... Rssi
    value (dBm).................................. -90
Condition 2
    type......................................... Ssid
    SSID Count................................... 1
    SSID 1....................................... LTUWireless2

(WLC2) >show rogue rule detailed ROGUE-3
Priority......................................... 3
Rule Name........................................ ROGUE-3
State............................................ Enabled
Type............................................. Friendly
Match Operation.................................. All
Hit Count........................................ 1
Total Conditions................................. 2
Condition 1
    type......................................... Rssi
    value (dBm).................................. -90
Condition 2
    type......................................... Ssid
    SSID Count................................... 1
    SSID 1....................................... eduroam

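To make the rule semantics concrete (the condition list above, Match Any versus Match All, rule priority, and the Note that an SSID condition plus a Managed SSID condition can never both be met under Match All), here is a small classification engine written for this page. It is an added example, not Cisco’s code: the comparison semantics (thresholds treated as “greater than or equal”, first matching rule in priority order wins, rules with no conditions skipped) are assumptions drawn from the condition descriptions, the per-rule state field mirrors the 7.4 “state external” option, and the detected-AP records and the managed SSID set are constructed.

```python
"""Rogue classification rule engine modelled on the WLC behaviour described
in this post. Added example for this page, not Cisco's code; the match
semantics are assumptions taken from the condition descriptions above and
the detected-AP records are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class RogueAP:
    """One detected rogue AP as the reporting AP sees it (constructed data)."""
    bssid: str
    ssid: str
    rssi: int         # dBm as reported by the detecting AP
    duration: int     # seconds since the rogue was first reported
    clients: int      # clients seen associated to the rogue
    encrypted: bool   # advertised WLAN has encryption enabled


@dataclass
class Rule:
    """One 'config rogue rule' entry: priority, type, match operation, conditions."""
    name: str
    priority: int
    classify: str                               # "friendly" or "malicious"
    match: str                                  # "any" or "all"
    state: str = "alert"                        # 7.4-style per-rule state (assumed)
    ssids: Set[str] = field(default_factory=set)   # condition: ssid
    min_rssi: Optional[int] = None              # condition: rssi (dBm)
    min_duration: Optional[int] = None          # condition: duration (seconds)
    min_clients: Optional[int] = None           # condition: client-count
    no_encryption: bool = False                 # condition: no-encryption
    managed_ssid: bool = False                  # condition: managed-ssid


def unsatisfiable(rule: Rule) -> bool:
    """The Note above: with Match All, an ssid condition and a managed-ssid
    condition can never both be true, because the user-configured SSID list
    and the controller's managed SSID list are mutually exclusive."""
    return rule.match == "all" and bool(rule.ssids) and rule.managed_ssid


def evaluate(rule: Rule, rogue: RogueAP, managed_ssids: Set[str]) -> List[bool]:
    """Return one boolean per configured condition (assumed >= for thresholds)."""
    results = []
    if rule.ssids:
        results.append(rogue.ssid in rule.ssids)
    if rule.min_rssi is not None:
        results.append(rogue.rssi >= rule.min_rssi)
    if rule.min_duration is not None:
        results.append(rogue.duration >= rule.min_duration)
    if rule.min_clients is not None:
        results.append(rogue.clients >= rule.min_clients)
    if rule.no_encryption:
        results.append(not rogue.encrypted)
    if rule.managed_ssid:
        results.append(rogue.ssid in managed_ssids)
    return results


def classify(rogue: RogueAP, rules: List[Rule],
             managed_ssids: Set[str]) -> Tuple[str, str, Optional[str]]:
    """Walk rules in priority order; the first hit classifies the rogue.
    Returns (classification, state, rule name); no hit leaves it unclassified."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if unsatisfiable(rule):
            continue                      # such a rule never fires on a WLC
        results = evaluate(rule, rogue, managed_ssids)
        if not results:
            continue                      # rule with no conditions: nothing to match
        hit = all(results) if rule.match == "all" else any(results)
        if hit:
            return rule.classify, rule.state, rule.name
    return "unclassified", "alert", None


MANAGED_SSIDS = {"data-13"}   # constructed: SSIDs this controller itself serves

# ROGUE-1..3 exactly as configured above: match all, one SSID + rssi -90 each
PAGE_RULES = [
    Rule("ROGUE-1", 1, "friendly", "all", "external", {"mrn-cciew"}, min_rssi=-90),
    Rule("ROGUE-2", 2, "friendly", "all", "external", {"LTUWireless2"}, min_rssi=-90),
    Rule("ROGUE-3", 3, "friendly", "all", "external", {"eduroam"}, min_rssi=-90),
]

# Constructed detections: a strong mrn-cciew beacon, a too-weak eduroam one,
# and an open SSID no rule knows about.
SAMPLE_ROGUES = [
    RogueAP("9c:c7:a6:29:e1:99", "mrn-cciew", -25, 1100, 0, True),
    RogueAP("00:26:99:34:20:6e", "eduroam", -93, 600, 0, True),
    RogueAP("02:00:00:00:00:01", "CoffeeShop-Free", -60, 3700, 4, False),
]


def demo() -> dict:
    """Classification result per sample BSSID."""
    return {r.bssid: classify(r, PAGE_RULES, MANAGED_SSIDS) for r in SAMPLE_ROGUES}


if __name__ == "__main__":
    for bssid, (cls, state, rule) in demo().items():
        print(f"{bssid}  {cls:<12} {state:<9} {rule or '-'}")
```

Running it shows why the post needs three Match All rules rather than one: each rule pairs one SSID with the RSSI floor, so the eduroam beacon at -93 dBm stays unclassified even though its SSID is on the list, while the same record would be friendly under the earlier single Match Any rule.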
In a future post we will look at how to manage these Rogue APs (containment).


WLC – DHCP Option 82 Configuration Example


In this post we will do a configuration example for DHCP option 82 in the WLC 7.0.116.0 release (later releases have additional options; refer to the specific config guides). As you are aware, with the DHCP option 82 feature the DHCP relay (the WLC in this case) adds some additional information onto the DHCP request payload, which the DHCP server verifies prior to issuing an IP. (Refer to the “Understanding DHCP Option 82” post for a basic understanding of this feature.)

Here is the topology for this post. When users connect to the “data-13” WLAN via LAP1 they will get IP addresses in the range 192.168.13.101-120, whereas connecting via LAP2 they will get addresses in the range 192.168.13.201-220.

DHCP82-Example-01

First of all you need to define DHCP pools in CAT2 with an option called DHCP class.

ip dhcp pool VLAN13
   network 192.168.13.0 255.255.255.0
   default-router 192.168.13.1 
   domain-name mrn.com
   dns-server 192.168.200.1 
   class LAP2
      address range 192.168.13.201 192.168.13.220
   class LAP1
      address range 192.168.13.101 192.168.13.120

Then you have to define the DHCP classes according to how you want to differentiate user IP ranges when they connect to the WLAN, based on their location (or point of attachment). DHCP class configuration has the following syntax.

ip dhcp class <class_name>
relay agent information
relay-information hex <string>

NOTE – “STRING” can be divided into the following parts: “circuit-id” + “agent_type” + “length_of_remote-id” + “remote-id”.

  • Circuit-id – 010400000000 – This is fixed for all Cisco wireless controllers.
  • Agent_Type – 02 – This is fixed for all Cisco wireless controllers.
  • Length of Remote-id – This is not fixed and varies based on the “remote-id”. If you select AP-ETHMAC or AP-MAC it would be “06” since a MAC address is 6 bytes long. For AP-MAC-SSID it will vary as the SSID name length could vary.
  • Remote-id – value of the DHCP Option-82 attribute configured on the wireless controller. In the 7.0.116 WLC code it can be AP-MAC (the default), AP-ETHMAC or AP-MAC-SSID.

In our example we will use “AP-ETHMAC” as the remote-id. Therefore the string will be in the format “0104000000000206<AP-ETHMAC>”. You can easily find the AP-ETHMAC with the “show ap summary” command.

(WLC3) >show ap summary 
Number of APs.................................... 2
Global AP User Name.............................. Not Configured
Global AP Dot1x User Name........................ Not Configured
AP Name             Slots  AP Model              Ethernet MAC       Location          Port  Country  Priority
------------------  -----  --------------------  -----------------  ----------------  ----  -------  ------
LAP2                 2     AIR-LAP1131AG-N-K9    00:1e:7a:be:e0:fe       CAT2-FA1011  1        AU       1
LAP1                 2     AIR-CAP3502I-N-K9     cc:ef:48:8c:fd:41          CAT4-F03  1        AU       1

Based on this you can add DHCP Class configuration on to CAT2.

ip dhcp class LAP2
   relay agent information
      relay-information hex 0104000000000206001e7abee0fe
ip dhcp class LAP1
   relay agent information
      relay-information hex 0104000000000206ccef488cfd41
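The string in those two classes is just two option 82 sub-options (TLVs) laid end to end, which is why its length changes with the remote-id format. The following helper, an added example written for this page and not part of the post or of Cisco’s software, builds the “relay-information hex” value from the parts described in the NOTE, parses one back into its sub-options (rejecting a truncated TLV), and matches it against the CAT2 classes. The ap-mac and ap-ethmac layouts reproduce the strings above; the exact byte layout of the apmac:ssid format (MAC bytes, an ASCII colon, then the SSID) is an assumption, as is the trailing “*” prefix wildcard in the class matcher.

```python
"""Build and decode the DHCP option 82 'relay-information hex' string the
WLC sends and the IOS DHCP class matches on. Added example for this page,
not Cisco code. Sub-option 1 is the circuit-id (4 zero bytes from a WLC),
sub-option 2 the remote-id; the apmac:ssid byte layout is an assumption."""
from typing import Dict, Optional

CIRCUIT_ID = 0x01            # option 82 sub-option: agent circuit id
REMOTE_ID = 0x02             # option 82 sub-option: agent remote id
WLC_CIRCUIT_ID = bytes(4)    # the fixed "00000000" circuit-id seen in the debug


def mac_to_bytes(mac: str) -> bytes:
    """Accept 'cc:ef:48:8c:fd:41', 'ccef.488c.fd41' or 'ccef488cfd41'."""
    raw = bytes.fromhex(mac.replace(":", "").replace(".", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    return raw


def remote_id(fmt: str, *, radio_mac: Optional[str] = None,
              eth_mac: Optional[str] = None, ssid: Optional[str] = None) -> bytes:
    """Remote-id value for each 'config dhcp opt-82 remote-id' format."""
    if fmt == "ap-mac":
        return mac_to_bytes(radio_mac)
    if fmt == "ap-ethmac":
        return mac_to_bytes(eth_mac)
    if fmt == "apmac:ssid":
        if ssid is None:
            raise ValueError("apmac:ssid format needs the SSID")
        return mac_to_bytes(radio_mac) + b":" + ssid.encode()   # assumed layout
    raise ValueError(f"unknown remote-id format {fmt}")


def relay_information_hex(rid: bytes, cid: bytes = WLC_CIRCUIT_ID) -> str:
    """Concatenate the two TLV sub-options exactly as IOS prints them."""
    tlv = bytes([CIRCUIT_ID, len(cid)]) + cid + bytes([REMOTE_ID, len(rid)]) + rid
    return tlv.hex()


def parse_relay_information(hexstr: str) -> Dict[int, bytes]:
    """Split a relay-information string into {sub-option: value}, refusing
    a length byte that overruns the data instead of silently truncating."""
    data = bytes.fromhex(hexstr)
    subopts: Dict[int, bytes] = {}
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated sub-option header")
        kind, length = data[pos], data[pos + 1]
        value = data[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError(f"sub-option {kind} length {length} overruns data")
        subopts[kind] = value
        pos += 2 + length
    return subopts


def match_dhcp_class(hexstr: str, classes: Dict[str, str]) -> Optional[str]:
    """Return the class whose pattern matches the relay information. A pattern
    ending in '*' is treated as a prefix match (assumed IOS wildcard); any
    other pattern must match exactly, as the CAT2 classes above do."""
    needle = hexstr.lower()
    for name, pattern in classes.items():
        pat = pattern.lower()
        if pat.endswith("*"):
            if needle.startswith(pat[:-1]):
                return name
        elif needle == pat:
            return name
    return None


# Ethernet MACs from 'show ap summary' and the classes configured on CAT2.
AP_ETH_MAC = {"LAP2": "00:1e:7a:be:e0:fe", "LAP1": "cc:ef:48:8c:fd:41"}
CAT2_CLASSES = {
    "LAP2": "0104000000000206001e7abee0fe",
    "LAP1": "0104000000000206ccef488cfd41",
}


def class_for_ap(ap_name: str) -> Optional[str]:
    """Rebuild the string WLC3 sends for clients on this AP and match it on CAT2."""
    rid = remote_id("ap-ethmac", eth_mac=AP_ETH_MAC[ap_name])
    return match_dhcp_class(relay_information_hex(rid), CAT2_CLASSES)


if __name__ == "__main__":
    for ap in AP_ETH_MAC:
        rid = remote_id("ap-ethmac", eth_mac=AP_ETH_MAC[ap])
        print(ap, relay_information_hex(rid), "->", class_for_ap(ap))
```

The parser is also a handy check when a class refuses to match: feeding it the string from the “debug ip dhcp server class” output tells you at once whether the remote-id is the radio MAC or the ethernet MAC, which is the mistake the rest of this post walks into.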

Now you can go to CAT4 & define the SVI for the “data-13” WLAN. Remember to configure the “ip helper-address” command to specify the DHCP server address.

interface Vlan13
 ip address 192.168.13.1 255.255.255.0
 ip helper-address 10.10.10.3

Next you can configure  dynamic interface & WLAN on WLC3 as shown below. I have used “open” authentication for simplicity.

config interface create vlan13 13
config interface address dynamic-interface vlan13 192.168.13.30 255.255.255.0 192.168.13.1
config interface dhcp dynamic-interface vlan13 primary 10.10.10.3
config interface port vlan13 1
config wlan create 13 data-13 data-13
config wlan interface 13 vlan13
config wlan security wpa disable 13
config wlan enable 13

Once configured you can check the “DHCP Option 82” setting of the vlan13 interface with the “show interface detailed vlan13” CLI command.

(WLC3) >show interface detailed vlan13

Interface Name................................... vlan13
MAC Address...................................... 00:1b:d5:cf:e6:00
IP Address....................................... 192.168.13.30
IP Netmask....................................... 255.255.255.0
IP Gateway....................................... 192.168.13.1
External NAT IP State............................ Disabled
External NAT IP Address.......................... 0.0.0.0
VLAN............................................. 13        
Quarantine-vlan.................................. 0
Physical Port.................................... 1         
Primary DHCP Server.............................. 10.10.10.3
Secondary DHCP Server............................ Unconfigured
DHCP Option 82................................... Disabled
ACL.............................................. Unconfigured
AP Manager....................................... No
Guest Interface.................................. No
L2 Multicast..................................... Enabled

You can enable this on the vlan13 interface via the following CLI config. In 7.0.116.0 this cannot be done via GUI (in later releases you can do this via GUI).

config interface dhcp dynamic-interface vlan13 option-82 enable

Now you can verify the Remote-ID option set by the WLC using the “show dhcp opt-82” CLI command. As you can see it is set to “AP Radio MAC address”, which is not what we want. Since we have configured our DHCP classes on the server to check the “AP Ethernet MAC Address”, we have to change this default behavior as follows.

(WLC3) >show dhcp opt-82 
DHCP Opt-82 RID Format: <AP radio MAC address>

(WLC3) >config dhcp opt-82 ?
remote-id      Set Format for RemoteId field in DHCP option 82               

(WLC3) >config dhcp opt-82 remote-id ?
ap-mac         Set RemoteID format as <AP radio MAC address>
apmac:ssid     Set RemoteID format as <AP radio MAC address>:<SSID>
ap-ethmac      Set RemoteID format as <AP Ethernet MAC address>

(WLC3) >config dhcp opt-82 remote-id ap-ethmac

This can be done via GUI as well, in the “Controller > Advanced > DHCP” section as shown below. It is worth noting that the “DHCP Proxy” feature needs to be enabled (which is the default behavior) in order for Option-82 to work. Otherwise all DHCP requests from clients pass transparently to the DHCP server & the WLC will not do any modification.

DHCP82-Example-02

Now it is ready to test. You can verify the Option-82 information with “debug ip dhcp server class” on CAT2 (which is the DHCP server). First we will disable LAP2 & let the client associate to LAP1. You would see DHCP debug output similar to the following, stating that the input relay information matches class LAP1.

CAT2#debug ip dhcp server class 
DHCP server class debugging is on.
*Mar  7 02:08:21.542 AEDT: DHCPD: Class 'LAP2' matched by default
*Mar  7 02:08:21.542 AEDT: DHCPD: Searching for a match to 'relay-information 0104000000000206ccef488cfd41' in class LAP2
*Mar  7 02:08:21.542 AEDT: DHCPD: Class 'LAP1' matched by default
*Mar  7 02:08:21.542 AEDT: DHCPD: Searching for a match to 'relay-information 0104000000000206ccef488cfd41' in class LAP1
*Mar  7 02:08:21.542 AEDT: DHCPD: input pattern 'relay-information 0104000000000206ccef488cfd41' matches class LAP1
*Mar  7 02:08:21.542 AEDT: DHCPD: input matches class LAP1

You can verify the client has got an IP from the correct range (192.168.13.101-120).

CAT2#sho ip dhcp binding 
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
192.168.13.101      0104.f7e4.ea5b.66       Mar 08 1993 02:08 AM    Automatic

You can verify the same using the “debug ip dhcp server events” command as well. See below.

CAT2#debug ip dhcp server events 
DHCP server event debugging is on.
*Mar  9 05:18:42.314 AEDT: DHCPD: Sending notification of DISCOVER:
*Mar  9 05:18:42.314 AEDT:   DHCPD: htype 1 chaddr 0022.fa94.6858
*Mar  9 05:18:42.314 AEDT:   DHCPD: remote id ccef488cfd41
*Mar  9 05:18:42.314 AEDT:   DHCPD: circuit id 00000000
*Mar  9 05:18:42.314 AEDT:   DHCPD: giaddr = 192.168.13.30
*Mar  9 05:18:42.314 AEDT:   DHCPD: interface = FastEthernet1/0/4
*Mar  9 05:18:42.314 AEDT:   DHCPD: class id 4d53465420352e30
*Mar  9 05:18:42.322 AEDT:   DHCPD: out_vlan_id 0
*Mar  9 05:18:44.335 AEDT: DHCPD: Adding binding to radix tree (192.168.13.101)
*Mar  9 05:18:44.335 AEDT: DHCPD: Adding binding to hash tree
*Mar  9 05:18:44.335 AEDT: DHCPD: assigned IP address 192.168.13.101 to client 0100.22fa.9468.58. (1022 0)
*Mar  9 05:18:44.335 AEDT: DHCPD: Sending notification of DISCOVER:
*Mar  9 05:18:44.335 AEDT:   DHCPD: htype 1 chaddr 0022.fa94.6858
*Mar  9 05:18:44.335 AEDT:   DHCPD: remote id ccef488cfd41
*Mar  9 05:18:44.335 AEDT:   DHCPD: circuit id 00000000
*Mar  9 05:18:44.335 AEDT:   DHCPD: giaddr = 192.168.13.30
*Mar  9 05:18:44.335 AEDT:   DHCPD: interface = FastEthernet1/0/4
*Mar  9 05:18:44.335 AEDT:   DHCPD: class id 4d53465420352e30
*Mar  9 05:18:44.335 AEDT:   DHCPD: out_vlan_id 0
*Mar  9 05:18:44.335 AEDT: DHCPD: Sending notification of DISCOVER:
*Mar  9 05:18:44.335 AEDT:   DHCPD: htype 1 chaddr 0022.fa94.6858
*Mar  9 05:18:44.335 AEDT:   DHCPD: remote id ccef488cfd41
*Mar  9 05:18:44.335 AEDT:   DHCPD: circuit id 00000000
*Mar  9 05:18:44.335 AEDT:   DHCPD: giaddr = 192.168.13.30
*Mar  9 05:18:44.335 AEDT:   DHCPD: interface = FastEthernet1/0/4
*Mar  9 05:18:44.335 AEDT:   DHCPD: class id 4d53465420352e30
*Mar  9 05:18:44.335 AEDT:   DHCPD: out_vlan_id 0
*Mar  9 05:18:44.335 AEDT: DHCPD: Sending notification of ASSIGNMENT:
*Mar  9 05:18:44.335 AEDT:  DHCPD: address 192.168.13.101 mask 255.255.255.0
*Mar  9 05:18:44.335 AEDT:   DHCPD: htype 1 chaddr 0022.fa94.6858
*Mar  9 05:18:44.344 AEDT:   DHCPD: lease time remaining (secs) = 86400
*Mar  9 05:18:44.344 AEDT:   DHCPD: interface = FastEthernet1/0/4
*Mar  9 05:18:44.344 AEDT:   DHCPD: out_vlan_id 0

Now you can try to associate the same client via LAP2. You have to clear the IP DHCP binding, disable LAP1 & enable LAP2 as shown below.

CAT2#clear ip dhcp binding 192.168.13.101

(WLC3) >config ap disable LAP1
(WLC3) >config ap enable LAP2

This time you would see output similar to the following in CAT2’s “debug ip dhcp server class”. Notice that this time the DHCP relay information matches the class defined for LAP2, which includes LAP2’s Ethernet MAC address as part of the string.

CAT2#
*Mar  7 03:30:34.067 AEDT: DHCPD: Class 'LAP1' matched by default
*Mar  7 03:30:34.067 AEDT: DHCPD: Searching for a match to 'relay-information 0104000000000206001e7abee0fe' in class LAP1
*Mar  7 03:30:36.148 AEDT: DHCPD: Class 'LAP2' matched by default
*Mar  7 03:30:36.148 AEDT: DHCPD: Searching for a match to 'relay-information 0104000000000206001e7abee0fe' in class LAP2
*Mar  7 03:30:36.148 AEDT: DHCPD: input pattern 'relay-information 0104000000000206001e7abee0fe' matches class LAP2
*Mar  7 03:30:36.148 AEDT: DHCPD: input matches class LAP2

This time you would see the same client get an IP from the 192.168.13.201-220 range, as it is connected to LAP2.

CAT2#show ip dhcp binding 
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
192.168.13.201      0104.f7e4.ea5b.66       Mar 08 1993 03:30 AM    Automatic

You can experiment with additional tweaks once you have the basic configuration working as above.

You can refer to the following Cisco document (DOC-28639) for additional information on this feature.

DHCP Option 82 – Service Provider Wi-Fi

Related Posts

1. Understanding DHCP
2. Understanding DHCP Snooping
3. Understanding DHCP Option 43
4. Understanding DHCP Option 82
5. Hex to String Conversion


Hex to String Conversion


While playing with the DHCP option-82 feature on the WLC, I came across an option to set “AP-MAC:SSID” as the remote ID. Rather than relying on the debug output, I wondered whether I could derive the hex value of that remote ID myself. If you are comfortable with string-to-hex conversion, you can.

For example, if your WLAN name is “data-13”, the equivalent hex string for that SSID name is “64 61 74 61 2d 31 33”. You can do the conversion using the following conversion table (refer to an ASCII-DEC-HEX conversion table for the full list).

Therefore, if your AP radio MAC address is “64a0e7af4740”, the DHCP option 82 remote ID string would be “64a0e7af47403a646174612d3133”, in the format <ap-radio-mac>:<ssid> (3a is the hex value of the colon).

(Images: Hex-String-01, Hex-String-02: ASCII-DEC-HEX conversion table)

If you look at “debug ip dhcp server class” you can confirm the above. As you are aware, the DHCP relay information is in the format <circuit-id><agent-type><remote-id-length><remote-id>. In the output below the DHCP relay information is 010400000000022764a0e7af47403a646174612d313300000000000000000000000000000000000000000000000000.
As the remote-id length is 39 bytes (27 in hex), the remainder of the field is padded with additional zeros.

Here is the output of “debug ip dhcp server class” when the DHCP class is configured properly with relay-information consisting of <ap-mac>:<ssid>.

*Mar  1 16:21:07.793: DHCPD: Class 'LAP1' matched by default
*Mar  1 16:21:07.793: DHCPD: Searching for a match to 'relay-information 010400000000022764a0e7af47403a646174612d313300000000000000000000000000000000000000000000000000' in class LAP1
*Mar  1 16:21:12.206: DHCPD: Class 'LAP2' matched by default
*Mar  1 16:21:12.206: DHCPD: Searching for a match to 'relay-information 010400000000022764a0e7af47403a646174612d313300000000000000000000000000000000000000000000000000' in class LAP2
*Mar  1 16:21:12.206: DHCPD: input pattern 'relay-information 010400000000022764a0e7af47403a646174612d313300000000000000000000000000000000000000000000000000' matches class LAP2
*Mar  1 16:21:12.206: DHCPD: input matches class LAP2

Let’s do another conversion. If you define your SSID as “mrn-cciew”, the equivalent hex conversion of that SSID is “6d726e2d6363696577”. If you configure this WLAN on the same WLC that LAP2 (with radio MAC 64a0e7af4740) is joined to, your remote ID option should start with “64a0e7af47403a6d726e2d6363696577”, padded with additional zeros to fill the 39-byte field.

(WLC3) >config interface create vlan19 19
(WLC3) >config interface address dynamic-interface vlan19 192.168.19.30 255.255.255.0 192.168.19.1
(WLC3) >config interface dhcp dynamic-interface vlan19 primary 192.168.19.1
(WLC3) >config interface port vlan19 1
(WLC3) >config interface dhcp dynamic-interface vlan19 option-82 enable
(WLC3) >config wlan create 12 mrn-cciew mrn-cciew
(WLC3) >config wlan interface 12 vlan19
(WLC3) >config wlan security wpa disable 12
(WLC3) >config wlan enable 12  

(WLC3) >config dhcp opt-82 remote-id apmac:ssid


CAT4#
*Mar  1 17:30:37.320: DHCPD: Class 'LAP2' matched by default
*Mar  1 17:30:37.320: DHCPD: Searching for a match to 'relay-information 010400000000022764a0e7af47403a6d726e2d63636965770000000000000000000000000000000000000000000000' in class LAP2
*Mar  1 17:30:37.320: DHCPD: Class 'LAP1' matched by default
*Mar  1 17:30:37.320: DHCPD: Searching for a match to 'relay-information 010400000000022764a0e7af47403a6d726e2d63636965770000000000000000000000000000000000000000000000' in class LAP1
*Mar  1 17:30:39.568: DHCPD: Class 'LAP2' matched by default
*Mar  1 17:30:39.568: DHCPD: Searching for a match to 'relay-information 010400000000022764a0e7af47403a6d726e2d63636965770000000000000000000000000000000000000000000000' in class LAP2

Once you configure this string in your DHCP class, you would see the IP address allocated to the client properly.

ip dhcp pool VLAN19
   network 192.168.19.0 255.255.255.0
   default-router 192.168.19.1 
   domain-name mrn.com
   dns-server 192.168.200.1 
   class LAP2
      address range 192.168.19.221 192.168.19.240
   class LAP1
      address range 192.168.19.121 192.168.19.140

ip dhcp class LAP2
   relay agent information
      relay-information hex 010400000000022764a0e7af47403a646174612d313300000000000000000000000000000000000000000000000000
      relay-information hex 010400000000022764a0e7af47403a6d726e2d63636965770000000000000000000000000000000000000000000000
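The derivation in this post (the 6-byte AP radio MAC as raw bytes, a 0x3a colon, the ASCII SSID, zero-padded to the 39-byte remote-id field, preceded by the 4-byte all-zero circuit-id) can be automated instead of done by hand, and the resulting string checked against what the DHCP server logs. The following Python is an added example; it is not part of the original post and not a Cisco tool. It builds the relay-information hex string that the ip dhcp class matches on, for both remote-id formats seen on this page (apmac only, as in the LAP1/LAP2 classes of the previous post, and apmac:ssid), and decodes such a string back into its parts. The 39-byte field width and the four-zero-byte circuit-id are taken from the page’s debug output; that 39 equals a 6-byte MAC plus a colon plus a 32-character SSID is my inference, not something the page states.

```python
"""Build and decode DHCP option 82 relay-information strings for IOS 'ip dhcp class'.

Added example (not the page's or Cisco's code). The layout follows the page's
debug output: sub-option 1 (circuit-id, four zero bytes here), then sub-option 2
(remote-id): a raw 6-byte AP MAC, optionally ':' + ASCII SSID, zero-padded to 39 bytes.
"""
from typing import Dict, Optional

# 0x27 = 39 bytes: the remote-id width seen in the page's debug output for the
# apmac:ssid format. Inference, not stated on the page: 6-byte MAC + ':' + 32-char SSID.
REMOTE_ID_WIDTH = 39
# Circuit-id value shown on the page: sub-option 1 carrying four zero bytes.
DEFAULT_CIRCUIT_ID = b"\x00\x00\x00\x00"


def mac_to_bytes(mac: str) -> bytes:
    """Accept 64a0e7af4740, 64a0.e7af.4740 or 64:a0:e7:af:47:40 and return 6 raw bytes."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def build_remote_id(ap_mac: str, ssid: Optional[str] = None) -> bytes:
    """remote-id payload: 'apmac' format is the bare MAC; 'apmac:ssid' is padded to 39 bytes."""
    mac = mac_to_bytes(ap_mac)
    if ssid is None:
        return mac
    body = mac + b":" + ssid.encode("ascii")
    if len(body) > REMOTE_ID_WIDTH:
        raise ValueError("SSID too long for the 39-byte remote-id field")
    return body.ljust(REMOTE_ID_WIDTH, b"\x00")  # zero padding, as in the debug output


def build_relay_information(ap_mac: str, ssid: Optional[str] = None,
                            circuit_id: bytes = DEFAULT_CIRCUIT_ID) -> str:
    """Hex string to put after 'relay-information hex' under 'ip dhcp class'."""
    remote_id = build_remote_id(ap_mac, ssid)
    sub1 = bytes([1, len(circuit_id)]) + circuit_id   # type 1, length, value
    sub2 = bytes([2, len(remote_id)]) + remote_id     # type 2, length, value
    return (sub1 + sub2).hex()


def parse_relay_information(hexstr: str) -> Dict[str, object]:
    """Walk the type/length/value sub-options and recover circuit-id, AP MAC and SSID."""
    data = bytes.fromhex(hexstr)
    out: Dict[str, object] = {}
    i = 0
    while i + 2 <= len(data):
        code, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        i += 2 + length
        if code == 1:
            out["circuit_id"] = value.hex()
        elif code == 2:
            out["remote_id_len"] = length
            out["ap_mac"] = value[:6].hex()
            tail = value[6:].rstrip(b"\x00")          # strip the zero padding
            if tail.startswith(b":"):
                out["ssid"] = tail[1:].decode("ascii", errors="replace")
    return out


if __name__ == "__main__":
    # Values from the page: LAP2 radio MAC 64a0e7af4740 with SSIDs data-13 and
    # mrn-cciew, and the apmac-only remote-id 001e7abee0fe of the earlier post.
    for args in (("001e.7abe.e0fe",), ("64a0e7af4740", "data-13"), ("64a0e7af4740", "mrn-cciew")):
        s = build_relay_information(*args)
        print(s, parse_relay_information(s))
```

Running the demo reproduces the three strings that appear on this page, so the parser is also a quick way to read back which AP and SSID a “Searching for a match to 'relay-information …'” debug line actually refers to before committing a class that does not match anything.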

Once you configure the correct string, you would see debug output like this & the client gets its IP.

*Mar  1 17:38:44.426: DHCPD: Class 'LAP1' matched by default
*Mar  1 17:38:44.426: DHCPD: Searching for a match to 'relay-information 010400000000022764a0e7af47403a6d726e2d63636965770000000000000000000000000000000000000000000000' in class LAP1
*Mar  1 17:38:48.881: DHCPD: Class 'LAP2' matched by default
*Mar  1 17:38:48.881: DHCPD: Searching for a match to 'relay-information 010400000000022764a0e7af47403a6d726e2d63636965770000000000000000000000000000000000000000000000' in class LAP2
*Mar  1 17:38:48.889: DHCPD: input pattern 'relay-information 010400000000022764a0e7af47403a6d726e2d63636965770000000000000000000000000000000000000000000000' matches class LAP2
*Mar  1 17:38:48.889: DHCPD: input matches class LAP2

CAT4#sh ip dhcp binding 
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
192.168.19.222      0104.f7e4.ea5b.66       Mar 03 1993 04:39 AM    Automatic

In this way you can allocate a different range of IPs (in the same subnet) based on where the client attaches to the network.

Related Posts

1. Understanding DHCP Option 82
2. WLC – DHCP Option 82 Configuration Example


IOS DHCP Add. Reservation


IP address reservation is a commonly used feature in any DHCP deployment. You may want fixed IPs for certain hosts (such as printers or BMS devices) without configuring static IPs on them. All other hosts get a dynamically assigned IP, with no requirement to keep the same IP all the time.

In this post we will see how to do this on an IOS DHCP server. There are primarily two ways of doing it.

1. Address reservation under the same DHCP pool configuration.
2. Defining a separate host pool for each static host.

There are two terms used in DHCP configuration to identify a client.

1. Hardware Address (chaddr)
2. Client Identifier

Hardware Address: This is the MAC address of the client device that is requesting a DHCP IP. It is the value of the CHADDR (Client Hardware Address) field of the BootP message.

Client Identifier: This is used by a DHCP client to identify itself to the DHCP server instead of using the CHADDR (hardware address). Usually it is derived from the hardware address. In most deployments you can derive the client identifier by adding a “01” prefix to the hardware address. For example, if your client MAC address is “001f.1618.dfec” then the client identifier would be “0100.1f16.18df.ec”.

Why is this important in IOS DHCP configurations? A DHCP server needs to use some unique identifier to associate a client with its lease. The client MAY choose to explicitly provide the identifier through the ‘client identifier’ option. If the client supplies a ‘client identifier’, the client MUST use the same ‘client identifier’ in all subsequent messages, and the server MUST use that identifier to identify the client. If the client does not provide a ‘client identifier’ option, the server MUST use the contents of the ‘chaddr’ field to identify the client.

This means the DHCP server always prefers the “Client Identifier” over the “Hardware Address” when allocating IP addresses to clients. Therefore you have to use the “client-id” option when reserving IPs for a client, instead of “hardware-address”.

You can configure the IOS DHCP server to ignore BOOTP requests (it will then respond only to DHCP discover or request messages coming from clients). Use the following CLI command to do this.

ip dhcp bootp ignore

Now let’s configure an IP address reservation using a single DHCP pool. The command to use is “address <ip-address> {hardware-address|client-id} <mac-add|client-id>”. For the reason mentioned above, you should always use the client-id option when configuring this.

CAT2(config)#ip dhcp pool VLAN9
CAT2(dhcp-config)#address ?
  A.B.C.D  IP address in dotted-decimal notation

CAT2(dhcp-config)#address 192.168.9.199 ?
  client-id         Client identified by Client-ID option
  hardware-address  Client identified by MAC address

CAT2(dhcp-config)#address 192.168.9.199 cl
CAT2(dhcp-config)#address 192.168.9.199 client-id ?
  WORD  Client MAC or Client-ID value

Here is the full DHCP pool configuration for an address reservation for a device with MAC address 001f.1618.dfec (client ID 0100.1f16.18df.ec).

ip dhcp pool VLAN9
   network 192.168.9.0 255.255.255.0
   default-router 192.168.9.1 
   domain-name mrn.com
   dns-server 192.168.200.1 
   address 192.168.9.199 client-id 0100.1f16.18df.ec
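Deriving the client identifier by hand is error-prone: the 01 hardware-type prefix shifts every dotted group by two hex digits, so the MAC 001f.1618.dfec becomes 0100.1f16.18df.ec rather than something that still looks like the MAC. The following Python is an added example, not part of the original post. It derives the client-id from a MAC written in any common notation, renders the “address … client-id …” lines for a pool, recovers the MAC from a client-id as printed by “show ip dhcp binding”, and audits a binding table against the intended reservations so that a reserved address leased to some other client stands out. Pool name and MACs are taken from this page; the binding table in the demo is constructed in the page’s output format. One caveat worth keeping in mind when reading the audit: the client identifier is whatever the client sends, so a reservation keyed on it is an addressing convenience, not a proof of which device holds the lease.

```python
"""IOS DHCP client-id helpers: derive 01+MAC client identifiers, render reservation
lines and audit 'show ip dhcp binding' output. Added example, not the page's code."""
import re
from typing import Dict, List, Optional, Tuple

HEX = "0123456789abcdef"


def hex_digits(value: str) -> str:
    """Keep only hex digits: '00:1f:16:18:df:ec', '001f.1618.dfec', '001f1618dfec' all work."""
    return "".join(ch for ch in value.lower() if ch in HEX)


def dotted(digits: str) -> str:
    """IOS style: groups of four hex digits, last group may be shorter (0100.1f16.18df.ec)."""
    return ".".join(digits[i:i + 4] for i in range(0, len(digits), 4))


def client_id_from_mac(mac: str, htype: int = 1) -> str:
    """Client identifier = hardware type (01 = Ethernet) followed by the MAC."""
    digits = hex_digits(mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return dotted(f"{htype:02x}" + digits)


def mac_from_client_id(client_id: str) -> Optional[str]:
    """Inverse: 0100.1f16.18df.ec -> 001f.1618.dfec; None if it is not a 01+MAC identifier."""
    digits = hex_digits(client_id)
    if len(digits) != 14 or not digits.startswith("01"):
        return None
    return dotted(digits[2:])


def reservation_lines(pool: str, reservations: Dict[str, str]) -> List[str]:
    """Render 'address <ip> client-id <id>' lines for an 'ip dhcp pool' (ip -> MAC mapping)."""
    lines = [f"ip dhcp pool {pool}"]
    for ip, mac in reservations.items():
        lines.append(f"   address {ip} client-id {client_id_from_mac(mac)}")
    return lines


# One binding row: IP address, then the Client-ID column; the rest of the row is ignored.
BINDING_ROW = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f.]+)\s+")


def parse_bindings(show_output: str) -> Dict[str, str]:
    """Map IP -> client-id from 'show ip dhcp binding' text; header lines do not match."""
    bindings = {}
    for line in show_output.splitlines():
        m = BINDING_ROW.match(line.strip())
        if m:
            bindings[m.group(1)] = m.group(2)
    return bindings


def audit_reservations(show_output: str,
                       reservations: Dict[str, str]) -> List[Tuple[str, str, bool]]:
    """Per reserved IP: (ip, bound client-id or '-', True if it went to the intended MAC)."""
    bindings = parse_bindings(show_output)
    report = []
    for ip, mac in reservations.items():
        bound = bindings.get(ip, "-")
        ok = hex_digits(bound) == hex_digits(client_id_from_mac(mac))
        report.append((ip, bound, ok))
    return report


if __name__ == "__main__":
    reservations = {"192.168.9.199": "001f.1618.dfec"}   # pool and MAC from the page
    print("\n".join(reservation_lines("VLAN9", reservations)))
    # Constructed binding table in the layout 'show ip dhcp binding' prints.
    sample = """Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
192.168.9.199       0100.1f16.18df.ec       Mar 09 1993 09:17 AM    Automatic
"""
    print(audit_reservations(sample, reservations))
```

Feed it the output of “show ip dhcp binding” and your reservation list, and any tuple ending in False is either a reserved address that has not been leased yet (client-id “-”) or one that the server handed to a different identifier than you configured.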

You can verify that this client gets the 192.168.9.199 IP when it connects to the network. Use “debug ip dhcp server events” to confirm this.

CAT2#
*Mar  9 09:17:58.356 AEDT: DHCPD: Sending notification of DISCOVER:
*Mar  9 09:17:58.356 AEDT:   DHCPD: htype 1 chaddr 001f.1618.dfec
*Mar  9 09:17:58.356 AEDT:   DHCPD: interface = Vlan9
*Mar  9 09:17:58.356 AEDT:   DHCPD: class id 4d53465420352e30
*Mar  9 09:17:58.356 AEDT:   DHCPD: out_vlan_id 0
*Mar  9 09:17:58.356 AEDT: DHCPD: Sending notification of DISCOVER:
*Mar  9 09:17:58.356 AEDT:   DHCPD: htype 1 chaddr 001f.1618.dfec
*Mar  9 09:17:58.356 AEDT:   DHCPD: interface = Vlan9
*Mar  9 09:17:58.356 AEDT:   DHCPD: class id 4d53465420352e30
*Mar  9 09:17:58.356 AEDT:   DHCPD: out_vlan_id 0
*Mar  9 09:17:58.356 AEDT: DHCPD: DHCPOFFER notify setup address 192.168.9.199 mask 255.255.255.0
*Mar  9 09:17:58.356 AEDT: DHCPD: Sending notification of ASSIGNMENT:
*Mar  9 09:17:58.356 AEDT:  DHCPD: address 192.168.9.199 mask 255.255.255.0
*Mar  9 09:17:58.356 AEDT:   DHCPD: htype 1 chaddr 001f.1618.dfec
*Mar  9 09:17:58.356 AEDT:   DHCPD: lease time remaining (secs) = 4294967295
*Mar  9 09:17:58.356 AEDT:   DHCPD: interface = Vlan9
*Mar  9 09:17:58.356 AEDT:   DHCPD: out_vlan_id 0
*Mar  9 09:18:20.905 AEDT: DHCPD: checking for expired leases.

The other way of doing this is to create a host IP pool for the device. First you have to remove the previous reservation if you are using the same client.

CAT2(config)#
ip dhcp excluded-address 192.168.9.1 192.168.9.99

ip dhcp pool VLAN9
   network 192.168.9.0 255.255.255.0
   default-router 192.168.9.1 
   domain-name mrn.com
   dns-server 192.168.200.1
   no  address 192.168.9.199 client-id 0100.1f16.18df.ec

ip dhcp pool PRINTER-1
   host 192.168.9.99 255.255.255.0
   client-identifier 0100.1f16.18df.ec

You can verify that the client gets the allocated IP when connecting to the network. Here is the “debug ip dhcp server events” output.

*Mar  9 10:16:02.022 AEDT: DHCPD: Sending notification of DISCOVER:
*Mar  9 10:16:02.022 AEDT:   DHCPD: htype 1 chaddr 001f.1618.dfec
*Mar  9 10:16:02.022 AEDT:   DHCPD: interface = Vlan9
*Mar  9 10:16:02.022 AEDT:   DHCPD: class id 4d53465420352e30
*Mar  9 10:16:02.022 AEDT:   DHCPD: out_vlan_id 0
*Mar  9 10:16:02.022 AEDT: DHCPD: Sending notification of DISCOVER:
*Mar  9 10:16:02.022 AEDT:   DHCPD: htype 1 chaddr 001f.1618.dfec
*Mar  9 10:16:02.022 AEDT:   DHCPD: interface = Vlan9
*Mar  9 10:16:02.022 AEDT:   DHCPD: class id 4d53465420352e30
*Mar  9 10:16:02.022 AEDT:   DHCPD: out_vlan_id 0
*Mar  9 10:16:02.022 AEDT: DHCPD: DHCPOFFER notify setup address 192.168.9.99 mask 255.255.255.0
*Mar  9 10:16:02.022 AEDT: DHCPD: Sending notification of ASSIGNMENT:
*Mar  9 10:16:02.022 AEDT:  DHCPD: address 192.168.9.99 mask 255.255.255.0
*Mar  9 10:16:02.022 AEDT:   DHCPD: htype 1 chaddr 001f.1618.dfec
*Mar  9 10:16:02.022 AEDT:   DHCPD: lease time remaining (secs) = 4294967295
*Mar  9 10:16:02.022 AEDT:   DHCPD: interface = Vlan9
*Mar  9 10:16:02.022 AEDT:   DHCPD: out_vlan_id 0

From a CCIE Wireless lab perspective, if you want APs to stick with the same IP all the time (especially important with H-REAP), you can use these IP reservation configurations unless static IP configuration is allowed.

Here is the debug output (both “debug ip dhcp server events” & “debug ip dhcp server packet detail”) of an AP getting a reserved IP. On this switch I have not configured “ip dhcp bootp ignore”, & you can see the switch replying to both BootP messages & DHCP messages. You can see the difference: the BOOTREPLY goes to the “hardware address” & the DHCP messages go to the “client identifier”.

ip dhcp excluded-address 10.10.23.193 10.10.23.200
!
ip dhcp pool VLAN23
   network 10.10.23.192 255.255.255.192
   default-router 10.10.23.193 
   dns-server 192.168.200.1 
   domain-name mrn.com
   address 10.10.23.250 client-id 01cc.ef48.8cfd.41
   address 10.10.23.251 client-id 0100.1e7a.bee0.fe

CAT4#debug ip dhcp server packet detail 
DHCP server packet detail debugging is on.          
CAT4#debug ip dhcp server events 
DHCP server event debugging is on
*Mar  1 06:54:51.328: DHCPD: Reload workspace interface Vlan23 tableid 0.
*Mar  1 06:54:51.328: DHCPD: tableid for 10.10.23.193 on Vlan23 is 0
*Mar  1 06:54:51.328: DHCPD: client's VPN is .
*Mar  1 06:54:51.328: DHCPD: using received relay info.
*Mar  1 06:54:51.328: DHCPD: Sending notification of DISCOVER:
*Mar  1 06:54:51.328:   DHCPD: htype 1 chaddr 001e.7abe.e0fe
*Mar  1 06:54:51.328:   DHCPD: interface = Vlan23
*Mar  1 06:54:51.328:   DHCPD: class id 436973636f204150206331313330
*Mar  1 06:54:51.328:   DHCPD: out_vlan_id 0
*Mar  1 06:54:51.328: DHCPD: DHCPDISCOVER received from client 0100.1e7a.bee0.fe on interface Vlan23.
*Mar  1 06:54:51.328: DHCPD: using received relay info.
*Mar  1 06:54:51.328: DHCPD: Sending notification of DISCOVER:
*Mar  1 06:54:51.328:   DHCPD: htype 1 chaddr 001e.7abe.e0fe
*Mar  1 06:54:51.328:   DHCPD: interface = Vlan23
*Mar  1 06:54:51.328:   DHCPD: class id 436973636f204150206331313330
*Mar  1 06:54:51.328:   DHCPD: out_vlan_id 0
*Mar  1 06:54:51.328: DHCPD: DHCPOFFER notify setup address 10.10.23.251 mask 255.255.255.192
*Mar  1 06:54:51.328: DHCPD: Sending DHCPOFFER to client 0100.1e7a.bee0.fe (10.10.23.251).
*Mar  1 06:54:51.328: DHCPD: no option 125
*Mar  1 06:54:51.328: DHCPD: broadcasting BOOTREPLY to client 001e.7abe.e0fe.
*Mar  1 06:54:51.337: DHCPD: Reload workspace interface Vlan23 tableid 0.
*Mar  1 06:54:51.337: DHCPD: tableid for 10.10.23.193 on Vlan23 is 0
*Mar  1 06:54:51.337: DHCPD: client's VPN is .
*Mar  1 06:54:51.337: DHCPD: DHCPREQUEST received from client 0100.1e7a.bee0.fe.
*Mar  1 06:54:51.337: DHCPD: Sending notification of ASSIGNMENT:
*Mar  1 06:54:51.337:  DHCPD: address 10.10.23.251 mask 255.255.255.192
*Mar  1 06:54:51.337:   DHCPD: htype 1 chaddr 001e.7abe.e0fe
*Mar  1 06:54:51.337:   DHCPD: lease time remaining (secs) = 4294967295
*Mar  1 06:54:51.337:   DHCPD: interface = Vlan23
*Mar  1 06:54:51.337:   DHCPD: out_vlan_id 0
*Mar  1 06:54:51.337: DHCPD: Sending DHCPACK to client 0100.1e7a.bee0.fe (10.10.23.251).
*Mar  1 06:54:51.337: DHCPD: no option 125
*Mar  1 06:54:51.337: DHCPD: broadcasting BOOTREPLY to client 001e.7abe.e0fe.

It is important that you understand these configuration options.


WGB with PSK


A WGB is a device that associates to an AP (either lightweight or autonomous) & provides transparent bridging for its wired clients. Each wired client that the WGB learns on its Ethernet interface is reported to the WGB’s root AP via the Inter-Access Point Protocol (IAPP), which is a Cisco proprietary protocol. You can use the following CLI command under the radio interface to specify an AP’s radio as a WGB.

station-role workgroup-bridge

If you want a WGB to work with non-Cisco APs, you have to configure it as a universal WGB (uWGB). In that case only a single device can be connected behind the WGB. You can use the following CLI under the radio interface to configure it as a universal WGB.

station-role workgroup-bridge universal ?
  H.H.H  Universal Client MAC Address

There are two modes for a WGB when it connects to an autonomous AP. In the unified wireless architecture only client mode WGB is supported.

1. Infrastructure mode (supports multiple vlan behind WGB)
2. Client BSS mode (supports single vlan behind WGB)

Let’s see a basic configuration of a Root AP & WGB & how we can configure PSK (Pre-shared key security) later on.

(Diagram: WGB-PSK-01)

Here is the basic config of the AAP without any security. You can configure the SSID as an infrastructure SSID so that only infrastructure devices (such as other APs configured as WGBs, or bridges) can connect to it. The infrastructure SSID should always map to the native VLAN (20 in my example).

hostname AAP1
dot11 ssid MRN-WGB
   vlan 20
   authentication open 
   infrastructure-ssid 
!         
interface Dot11Radio1
 ssid MRN-WGB
 station-role root
interface Dot11Radio1.20
 encapsulation dot1Q 20 native
 bridge-group 1
!
interface GigabitEthernet0.20
 encapsulation dot1Q 20 native
 bridge-group 1
!
interface BVI1
 ip address 192.168.20.99 255.255.255.0
ip default-gateway 192.168.20.254
sntp server 10.10.205.20

Here is the WGB configuration.

hostname WGB
dot11 ssid MRN-WGB
   vlan 20
   authentication open 
   infrastructure-ssid 
!
interface Dot11Radio1
 ssid MRN-WGB
 station-role workgroup-bridge
interface Dot11Radio1.20
 encapsulation dot1Q 20 native
 bridge-group 1
!
interface GigabitEthernet0.20
 encapsulation dot1Q 20 native
 bridge-group 1
! 
interface BVI1
 no ip address

You can verify the WGB & its client association using the “show dot11 associations client” CLI command on the root AP (the wired client behind the WGB gets its IP from the DHCP pool defined on CAT2).

AAP1#show dot11 associations client 
802.11 Client Stations on Dot11Radio1: 
SSID [MRN-WGB] : 
MAC Address    IP address      Device        Name            Parent         State     
001f.1618.dfec 192.168.20.100  WGB-client    -               44d3.caaf.4343 Assoc    
44d3.caaf.4343 0.0.0.0         WGB           WGB             self           Assoc

On the WGB you can see its association to the parent with the “show dot11 associations” command.

WGB#show dot11 associations 
802.11 Client Stations on Dot11Radio1: 
SSID [MRN-WGB] : 
MAC Address    IP address      Device        Name            Parent         State     
a40c.c31a.ee60 192.168.20.99   ap1140-Parent AAP1            -              Assoc

By default the WGB associates to the root AP as a normal client. If you want to send broadcast/multicast traffic reliably to the clients behind the WGB, you can configure “infrastructure-client” on the radio interface of the root AP. The root AP then sends a unicast copy of each multicast packet to the WGB, which can acknowledge it. This is suitable if your WGB does not roam frequently (one serving printers, for example). Let’s configure AAP radio 1 for this.

AAP1(config)#int d1
AAP1(config-if)#infrastructure-client

Once you configure “infrastructure-client”, the WGB itself no longer appears as a client in the “show dot11 associations client” output. You have to use “show dot11 associations all-client” to see the WGB, as shown below.

AAP1#sh dot11 associations client 
802.11 Client Stations on Dot11Radio1: 
SSID [MRN-WGB] : 
MAC Address    IP address      Device        Name            Parent         State     
001f.1618.dfec 192.168.20.100  WGB-client    -               44d3.caaf.4343 Assoc 

AAP1#sh dot11 associations all-client 
Address           : 001f.1618.dfec     Name             : NONE
IP Address        : 192.168.20.100     Interface        : Dot11Radio 1
Device            : WGB-client         Software Version : NONE 
CCX Version       : NONE               Client MFP       : Off

State             : Assoc              Parent           : 44d3.caaf.4343    
SSID              : MRN-WGB                         
VLAN              : 20
Hops to Infra     : 0                  
Clients Associated: 0                  Repeaters associated: 0

Address           : 44d3.caaf.4343     Name             : WGB
IP Address        : 0.0.0.0            Interface        : Dot11Radio 1
Device            : WGB                Software Version : 15.2
CCX Version       : 5                  Client MFP       : Off

State             : Assoc              Parent           : self               
SSID              : MRN-WGB                         
VLAN              : 20
Hops to Infra     : 1                  Association Id   : 1
Clients Associated: 1                  Repeaters associated: 0
Tunnel Address    : 0.0.0.0
Key Mgmt type     : NONE               Encryption       : Off
Current Rate      : m15.               Capability       : WMM ShortHdr 11h
Supported Rates   : 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
Voice Rates       : disabled           Bandwidth        : 20 MHz 
Signal Strength   : -29  dBm           Connected for    : 356 seconds
Signal to Noise   : 67  dB            Activity Timeout : 30 seconds
Power-save        : Off                Last Activity    : 0 seconds ago
Apsd DE AC(s)     : NONE

Packets Input     : 20770              Packets Output   : 29793     
Bytes Input       : 3084148            Bytes Output     : 33230505  
Duplicates Rcvd   : 11                 Data Retries     : 1793      
Decrypt Failed    : 0                  RTS Retries      : 0         
MIC Failed        : 0                  MIC Missing      : 0         
Packets Redirected: 0                  Redirect Filtered: 0

You can use “debug dot11 dot11Radio 1 trace print uplink” to see the steps the WGB goes through.

WGB#debug dot11 dot11Radio 1 trace print uplink 
*Mar  1 01:30:12.882: %DOT11-4-UPLINK_DOWN: Interface Dot11Radio1, parent lost: Received deauthenticate (1) failure
*Mar  1 01:30:12.882: 474268BE-1 Uplink: Lost AP, Received deauthenticate (1) failure
*Mar  1 01:30:12.882: 47426948-1 Uplink: Wait for driver to stop
*Mar  1 01:30:12.882: 47426980-1 Uplink: Enabling active scan
*Mar  1 01:30:12.885: 47426986-1 Uplink: Not busy, scan all channels
*Mar  1 01:30:12.885: 4742698D-1 Uplink: Scanning
*Mar  1 01:30:13.583: 474D1B25-1 Uplink: Rcvd response from a40c.c31a.ee60 channel 157 638
*Mar  1 01:30:14.275: 4757AAB0-1 Uplink: no rsnie or ssnie chk
*Mar  1 01:30:14.275: 4757AABD-1 Uplink: ssid MRN-WGB auth open
*Mar  1 01:30:14.275: 4757AAC4-1 Uplink: try a40c.c31a.ee60, enc 0 key 0, priv 0, eap 0
*Mar  1 01:30:14.275: 4757AACD-1 Uplink: Authenticating
*Mar  1 01:30:14.275: 4757AD35-1 Uplink: Associating
*Mar  1 01:30:14.379: 47593FA1-1 Uplink: Lost AP, Received deauthenticate (1) failure
*Mar  1 01:30:14.379: 47593FB0-1 Uplink: Reject for 0 seconds
*Mar  1 01:30:14.379: 47593FB6-1 Uplink: Scanning
*Mar  1 01:30:14.392: 47597452-1 Uplink: Rcvd response from a40c.c31a.ee60 channel 157 627
*Mar  1 01:30:15.084: 476403D1-1 Uplink: no rsnie or ssnie chk
*Mar  1 01:30:15.084: 476403DE-1 Uplink: ssid MRN-WGB auth open
*Mar  1 01:30:15.084: 476403E3-1 Uplink: try a40c.c31a.ee60, enc 0 key 0, priv 0, eap 0
*Mar  1 01:30:15.084: 476403ED-1 Uplink: Authenticating
*Mar  1 01:30:15.084: 4764065F-1 Uplink: Associating
*Mar  1 01:30:15.087: %DOT11-4-UPLINK_ESTABLISHED: Interface Dot11Radio1, Associated To AP AAP1 a40c.c31a.ee60 [None]
*Mar  1 01:30:15.087: 4764102F-1 Uplink: Done

Let’s add WPA2-PSK security for this WGB.

In both AAP1 & WGB
dot11 ssid MRN-WGB
   vlan 20
   authentication open 
   authentication key-management wpa version 2
   wpa-psk ascii MRN-CCIEW
interface Dot11Radio1
 encryption vlan 20 mode ciphers aes-ccm

You should see debug messages like the following on the WGB.

*Mar  1 01:45:44.306: 7ED5007F-1 Uplink: Wait for driver to stop
*Mar  1 01:45:44.306: 7ED500FE-1 Uplink: Enabling active scan
*Mar  1 01:45:44.310: 7ED50104-1 Uplink: Not busy, scan all channels
*Mar  1 01:45:44.310: 7ED5010A-1 Uplink: Scanning
*Mar  1 01:45:44.939: 7EDEB144-1 Uplink: Rcvd response from a40c.c31a.ee60 channel 40 682
*Mar  1 01:45:45.008: 7EDFBD20-1 Uplink: dot11_uplink_scan_done: rsnie_accept returns 0x0 key_mgmt 0xFAC02 encrypt_type 0x200
*Mar  1 01:45:45.008: 7EDFBD36-1 Uplink: 
*Mar  1 01:45:45.008: 7EDFBD3D-1 Uplink: try a40c.c31a.ee60, enc 200 key 4, priv 1, eap 0
*Mar  1 01:45:45.008: 7EDFBD47-1 Uplink: Authenticating
*Mar  1 01:45:45.008: 7EDFBF9A-1 Uplink: Associating
*Mar  1 01:45:45.011: 7EDFC814-1 Uplink: EAP authenticating
*Mar  1 01:45:45.112: 7EE15737-1 Uplink: Done
*Mar  1 01:45:45.112: 7EE15751-1 Interface up
*Mar  1 01:45:45.115: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Mar  1 01:45:45.118: %DOT11-4-UPLINK_ESTABLISHED: Interface Dot11Radio1, Associated To AP AAP1 a40c.c31a.ee60 [None WPAv2 PSK]
*Mar  1 01:45:46.115: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
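The two uplink traces in this post end differently: the open one with “[None]” and the WPA2-PSK one with “[None WPAv2 PSK]”, and the “try …” line before each association reports “priv 0” versus “priv 1”. When several WGBs are deployed it is worth pulling those markers out of syslog automatically rather than reading traces by eye, because a WGB that comes up with “[None]” after PSK was supposed to be configured on both sides is exactly the misconfiguration you want to notice. The following Python is an added example, not code from the original post or from Cisco; the regular expressions are written against the message formats visible in the traces above, the sample log text is copied from those traces, and treating “priv 1” as the encrypted-uplink indicator is based only on the two “try …” lines shown here.

```python
"""Summarise WGB uplink debug/syslog lines and flag uplinks that came up without
link-layer security. Added example; regexes follow the message formats on this page."""
import re
from typing import Dict, List

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
ESTABLISHED = re.compile(
    r"%DOT11-4-UPLINK_ESTABLISHED: Interface (?P<intf>\S+), Associated To AP (?P<ap>\S+) "
    r"(?P<bssid>" + MAC + r") \[(?P<sec>[^\]]*)\]")
DOWN = re.compile(r"%DOT11-4-UPLINK_DOWN: Interface (?P<intf>\S+), parent lost: (?P<reason>.*)")
ATTEMPT = re.compile(
    r"Uplink: try (?P<bssid>" + MAC + r"), enc (?P<enc>\w+) key (?P<key>\d+), "
    r"priv (?P<priv>\d), eap (?P<eap>\d)")


def summarise_uplink(log_text: str) -> Dict[str, List[Dict[str, object]]]:
    """Collect association attempts, established uplinks and parent-lost events."""
    summary: Dict[str, List[Dict[str, object]]] = {"attempts": [], "established": [], "down": []}
    for line in log_text.splitlines():
        m = ATTEMPT.search(line)
        if m:
            summary["attempts"].append({"bssid": m["bssid"], "enc": m["enc"],
                                        "privacy": m["priv"] == "1", "eap": m["eap"] == "1"})
            continue
        m = ESTABLISHED.search(line)
        if m:
            sec = m["sec"].split()           # e.g. ['None'] or ['None', 'WPAv2', 'PSK']
            summary["established"].append({"interface": m["intf"], "ap": m["ap"],
                                           "bssid": m["bssid"], "security": sec,
                                           "open": sec == ["None"]})
            continue
        m = DOWN.search(line)
        if m:
            summary["down"].append({"interface": m["intf"], "reason": m["reason"].strip()})
    return summary


def open_uplinks(log_text: str) -> List[str]:
    """BSSIDs the WGB associated to with no key management at all."""
    return [str(e["bssid"]) for e in summarise_uplink(log_text)["established"] if e["open"]]


# Sample lines copied from the two traces on this page (open first, then WPA2-PSK).
OPEN_TRACE = """\
*Mar  1 01:30:12.882: %DOT11-4-UPLINK_DOWN: Interface Dot11Radio1, parent lost: Received deauthenticate (1) failure
*Mar  1 01:30:14.275: 4757AAC4-1 Uplink: try a40c.c31a.ee60, enc 0 key 0, priv 0, eap 0
*Mar  1 01:30:15.087: %DOT11-4-UPLINK_ESTABLISHED: Interface Dot11Radio1, Associated To AP AAP1 a40c.c31a.ee60 [None]
"""
PSK_TRACE = """\
*Mar  1 01:45:45.008: 7EDFBD3D-1 Uplink: try a40c.c31a.ee60, enc 200 key 4, priv 1, eap 0
*Mar  1 01:45:45.118: %DOT11-4-UPLINK_ESTABLISHED: Interface Dot11Radio1, Associated To AP AAP1 a40c.c31a.ee60 [None WPAv2 PSK]
"""

if __name__ == "__main__":
    for name, trace in (("open", OPEN_TRACE), ("psk", PSK_TRACE)):
        print(name, summarise_uplink(trace)["established"], "open uplinks:", open_uplinks(trace))
```

Pointing the same functions at a syslog collector’s export rather than the embedded samples gives a per-WGB list of which BSSID each one joined and with what key management, which is a cheap check to run after rolling out the PSK change described here.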

You can also verify that the WGB uses the configured security methods with the “show dot11 associations <root-ap-mac>” command.

WGB#show dot11 ass a40c.c31a.ee60
Address           : a40c.c31a.ee60     Name             : AAP1
IP Address        : 192.168.20.99      
Gateway Address   : 0.0.0.0            
Netmask Address   : 0.0.0.0            Interface        : Dot11Radio 1
Device            : ap1140-Parent      Software Version : 12.4
CCX Version       : 5                  Client MFP       : On
State             : Assoc              Parent           : -                  
SSID              : MRN-WGB                         
VLAN              : 20
Hops to Infra     : 0                  Association Id   : 1
Tunnel Address    : 0.0.0.0
Key Mgmt type     : WPAv2 PSK          Encryption       : AES-CCMP
Current Rate      : m12-               Capability       : WMM ShortHdr 11h
Supported Rates   : 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0-2 m1-2 m2-2 m3-2 m4-2 m5-2 m6-2 m7-2 m8-2 m9-2 m10-2 m11-2 m12-2 m13-2 m14-2 m15-2
Voice Rates       : disabled           Bandwidth        : 20 MHz 
Signal Strength   : -32  dBm           Connected for    : 402 seconds
Signal to Noise   : 64  dB            Activity Timeout : 14 seconds
Power-save        : Off                Last Activity    : 1 seconds ago
Apsd DE AC(s)     : NONE
Packets Input     : 4532               Packets Output   : 174       
Bytes Input       : 877308             Bytes Output     : 52789     
Duplicates Rcvd   : 0                  Data Retries     : 100       
Decrypt Failed    : 0                  RTS Retries      : 0         
MIC Failed        : 0                  MIC Missing      : 0         
Packets Redirected: 0                  Redirect Filtered: 0

If a wired client does not send traffic for an extended period of time (printers, for example), the WGB removes the client from its bridge table, even if traffic is continuously sent to that wired client. As a result the traffic flow to the wired client fails. To prevent the wired client from being removed from the bridge table, configure a larger aging-out timer on the WGB using the “bridge <bridge-group-no> aging-time <seconds>” command.

WGB#sh bridge 
Total of 300 station blocks, 293 free
Codes: P - permanent, S - self
Bridge Group 1:

    Address       Action   Interface       Age   RX count   TX count
a088.b435.c2f0   forward   Vi0.20            0       2212          7
001f.1618.dfec   forward   Gi0.20            0      21488      29759
0026.0b63.caf4   forward   Vi0.20            0        129          0
7081.0503.7cef   forward   Vi0.20            0        131          0
001a.e3a7.ff50   forward   Vi0.20            0      29905      19704
7073.cbdc.58ea   forward   Vi0.20            7         86          0
001a.e3a7.ff0f   forward   Vi0.20            0       7731          0

WGB(config)#bridge ?
  <1-255>            Bridge Group number for Bridging.
  crb                Concurrent routing and bridging
  irb                Integrated routing and bridging
  mac-address-table  MAC-address table configuration commands

WGB(config)#bridge 1 ?
  acquire                   Dynamically learn new, unconfigured stations
  address                   Block or forward a particular Ethernet address
  aging-time                Set forwarding entry aging time
  bitswap-layer3-addresses  Bitswap embedded layer 3 MAC addresses
  bridge                    Specify a protocol to be bridged in this bridge group
  circuit-group             Circuit-group
  domain                    Establish multiple bridging domains
  forward-time              Set forwarding delay time
  hello-time                Set interval between HELLOs
  lat-service-filtering     Perform LAT service filtering
  max-age                   Maximum allowed message age of received Hello BPDUs
  priority                  Set bridge priority
  protocol                  Specify spanning tree protocol
  route                     Specify a protocol to be routed in this bridge group
  subscriber-policy         Subscriber group bridging

WGB(config)#bridge 1 aging-time ?
  <10-1000000>  Seconds

WGB(config)#bridge 1 aging-time 86400

Related Posts

1. WGB Configuration
2. WGB with EAP-FAST
3. WGB with CAPWAP
4. WGB Roaming
5. WGB-IOS AP with Multiple VLAN
6. WGB-CAPWAP with Multiple VLAN



Unified AP-WGB with Multiple VLAN


In this post we will see how to configure multiple VLANs on a workgroup bridge in a Unified Wireless environment. This is useful if you want to put the wired clients behind a WGB into different VLANs. Here is the topology for this post, where we will create two different VLANs for WGB clients. The WGB will associate to a unified wireless AP (LAP2) which is joined to WLC1.

(Topology diagram: UnifiedAP-WGB-01)

WLC1 has 3 dynamic interfaces, 8, 9 & 20 (vlan20 will be the WGB native VLAN), and the MRN-WGB WLAN is configured with WPA2-PSK. First of all you have to configure the necessary DHCP pools & SVI interfaces on CAT2. The WLC should also be connected via a trunk port & LAP2 via an access port, as shown below.

ip dhcp excluded-address 192.168.8.1 192.168.8.99
ip dhcp excluded-address 192.168.9.1 192.168.9.99
ip dhcp excluded-address 192.168.20.1 192.168.20.99
!
ip dhcp pool VLAN9
   network 192.168.9.0 255.255.255.0
   default-router 192.168.9.1 
   domain-name mrn.com
   dns-server 192.168.200.1 
   address 192.168.9.100 client-id 0100.1f16.18df.ec <- PC IP reservation
!
ip dhcp pool VLAN8
   network 192.168.8.0 255.255.255.0
   default-router 192.168.8.1 
   domain-name mrn.com
   dns-server 192.168.200.1 
   address 192.168.8.100 client-id 0000.18fe.a5dc.3e <-Printer IP reservation
!
ip dhcp pool vlan20
   network 192.168.20.0 255.255.255.0
   default-router 192.168.20.254 
   dns-server 192.168.200.1  
   domain-name mrn.com
   address 192.168.20.199 client-id 0158.bfea.59f8.01 <- CAT5 IP reservation
   address 192.168.20.120 client-id 0144.d3ca.af43.43 <- WGB IP Reservation
!
interface Vlan8
 ip address 192.168.8.1 255.255.255.0
interface Vlan9
 ip address 192.168.9.1 255.255.255.0
interface Vlan20
 ip address 192.168.20.254 255.255.255.0
!
interface GigabitEthernet1/0/1
 description WLC1 Port1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 8-18,20,23,111,113
 switchport mode trunk
 switchport nonegotiate
 mls qos trust cos
 spanning-tree portfast trunk
!
interface FastEthernet1/0/11
 description TEMP LAP2
 switchport access vlan 20
 switchport mode access
 mls qos trust dscp
 spanning-tree portfast

Here is the WLC1 config related to this. Since I have used a WLAN ID greater than 16, the WLAN is not advertised by default and an AP group has to be configured to advertise this SSID. The radio policy is set to "802.11a-only" since the WGB is configured on the 5GHz band.

(WLC1) >config interface create vlan20 20
(WLC1) >config interface address dynamic-interface vlan20 192.168.20.10 255.255.255.0 192.168.20.254           
(WLC1) >config interface dhcp dynamic-interface vlan20 primary 192.168.20.254
(WLC1) >config interface port vlan20 1
(WLC1) >config interface create vlan8 8
(WLC1) >config interface address dynamic-interface vlan8 192.168.8.10 255.255.255.0 192.168.8.1           
(WLC1) >config interface dhcp dynamic-interface vlan8 primary 192.168.8.1
(WLC1) >config interface port vlan8 1
(WLC1) >config interface create vlan9 9
(WLC1) >config interface address dynamic-interface vlan9 192.168.9.10 255.255.255.0 192.168.9.1           
(WLC1) >config interface dhcp dynamic-interface vlan9 primary 192.168.9.1
(WLC1) >config interface port vlan9 1

(WLC1) >config wlan create 20 MRN-WGB MRN-WGB
(WLC1) >config wlan radio 20 802.11a-only
(WLC1) >config wlan broadcast-ssid disable 20
(WLC1) >config wlan security wpa wpa2 ciphers aes enable 20
(WLC1) >config wlan security wpa akm psk set-key ascii MRN-CCIEW 20
(WLC1) >config wlan enable 20

(WLC1) >config  wlan apgroup add mrn-wgb "WGB AP GROUP"
(WLC1) >config wlan apgroup interface-mapping add mrn-wgb 20 vlan20
(WLC1) >config ap group-name mrn-wgb LAP2

Changing the AP's group name will cause the AP to reboot.
Are you sure you want to continue? (y/n) y

In order to have multiple VLAN support you have to enable the VLAN tagging feature on the WGB. When this feature is enabled, the WGB removes the 802.1Q header while sending a packet from a VLAN client to the wireless LAN controller (WLC). In the reverse direction the WGB receives the packet for a VLAN client without an 802.1Q header, so the WGB adds the 802.1Q header while forwarding the frame to the switch behind the WGB. You can use the following CLI command on the WGB to enable this.

WGB(config)#workgroup-bridge unified-vlan-client

The WGB updates the WLC with the wired-client VLAN information in the Internet Access Point Protocol (IAPP) association message. The WLC treats the WGB client as a VLAN client and forwards the packet on the right VLAN interface based on the source MAC address.

In the upstream direction, the WGB removes the 802.1Q header from the packet while sending it to the WLC. In the downstream direction, the WLC sends the packet to the WGB without the 802.1Q tag, and the WGB adds a 4-byte 802.1Q header based on the destination MAC address before forwarding it to the switch connecting the wired client.

Also note the "bridge 8 address 0018.fea5.dc3e forward GigabitEthernet0.8" command, which prevents a passive client behind the WGB from losing its connectivity. This command adds a permanent entry for the client to the WGB bridge table (required because a passive client does not send any traffic towards the network, so a dynamically learned entry would age out), and the WGB reports it via IAPP to LAP2.

Here is the full configuration of the WGB. I have assigned a DHCP IP (in native VLAN 20) to the WGB itself in order to manage it. This also helps to sync the WGB to an NTP server.

dot11 ssid MRN-WGB
   vlan 20
   authentication open 
   authentication key-management wpa version 2
   wpa-psk ascii MRN-CCIEW
!
interface Dot11Radio1
 encryption vlan 20 mode ciphers aes-ccm 
 ssid MRN-WGB
 station-role workgroup-bridge
!
interface Dot11Radio1.8
 encapsulation dot1Q 8
 bridge-group 8
!
interface Dot11Radio1.9
 encapsulation dot1Q 9
 bridge-group 9
!
interface Dot11Radio1.20
 encapsulation dot1Q 20 native
 bridge-group 1
!
interface GigabitEthernet0.8
 encapsulation dot1Q 8
 bridge-group 8
!
interface GigabitEthernet0.9
 encapsulation dot1Q 9
 bridge-group 9
!
interface GigabitEthernet0.20
 encapsulation dot1Q 20 native
 bridge-group 1
!
interface BVI1
 ip address dhcp client-id GigabitEthernet0
workgroup-bridge unified-vlan-client
bridge 8 address 0018.fea5.dc3e forward GigabitEthernet0.8

Here is the CAT5 configuration, where I have used dynamic IP assignment in order to check WGB client connectivity. You could assign the IP statically as well.

vlan 8-9,20
!
interface GigabitEthernet0/1
 description WGB TRUNK
 switchport trunk native vlan 20
 switchport trunk allowed vlan 7-9,20
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast trunk
!
interface GigabitEthernet0/6
 description WGB-PC
 switchport access vlan 9
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/8
 description WGB-Printer
 switchport access vlan 8
 switchport mode access
 spanning-tree portfast
!
interface Vlan20
 description NetMgmt
 ip dhcp client client-id hex 0158BFEA59F801
 ip address dhcp
!
ip default-gateway 192.168.20.254

Now you can verify that the clients get IPs from their individual VLANs as expected.

WGB#sh bridge 
Total of 300 station blocks, 291 free
Codes: P - permanent, S - self

Bridge Group 1:
    Address       Action   Interface       Age   RX count   TX count
001f.caca.ea4f   forward   Vi0.20            2          0          0
001a.e3a7.ff50   forward   Vi0.20            1          0          0
001a.e3a7.ff46   forward   Vi0.20            1        319          0
58bf.ea59.f801   forward   Gi0.20            0      23748          2

Bridge Group 8:
0018.fea5.dc3e   forward   Gi0.8            P         362          0
58bf.ea59.f801   forward   Gi0.8             0      23748          0

Bridge Group 9:
001f.1618.dfec   forward   Gi0.9             0     156349          0
58bf.ea59.f801   forward   Gi0.9             0      23109          0

WGB#show dot11 associations 
802.11 Client Stations on Dot11Radio1: 
SSID [MRN-WGB] : 
MAC Address    IP address      Device        Name            Parent         State     
001f.caca.ea4f 10.10.111.10    LWAPP-Parent LAP2            -              Assoc    

WGB#show dot11 associations 001f.caca.ea4f
Address           : 001f.caca.ea4f     Name             : LAP2
IP Address        : 10.10.111.10       
Gateway Address   : 0.0.0.0            
Netmask Address   : 0.0.0.0            Interface        : Dot11Radio 1
Device            : LWAPP-Parent      Software Version : NONE 
CCX Version       : 5                  Client MFP       : On

State             : Assoc              Parent           : -                  
SSID              : MRN-WGB                         
VLAN              : 20
Hops to Infra     : 0                  Association Id   : 1
Tunnel Address    : 0.0.0.0
Key Mgmt type     : WPAv2 PSK          Encryption       : AES-CCMP
Current Rate      : 54.0               Capability       : WMM
Supported Rates   : 24.0 36.0 48.0 54.0
Voice Rates       : disabled           Bandwidth        : 20 MHz 
Signal Strength   : -23  dBm           Connected for    : 3060 seconds
Signal to Noise   : 72  dB            Activity Timeout : 15 seconds
Power-save        : Off                Last Activity    : 0 seconds ago
Apsd DE AC(s)     : NONE

Packets Input     : 35230              Packets Output   : 11730     
Bytes Input       : 5725422            Bytes Output     : 3095817   
Duplicates Rcvd   : 0                  Data Retries     : 171       
Decrypt Failed    : 1763               RTS Retries      : 0         
MIC Failed        : 0                  MIC Missing      : 0         
Packets Redirected: 0                  Redirect Filtered: 0

From the WLC you can verify the client connectivity as well.

(WLC1) >show wgb summary 
WGB Vlan Client Support.......................... Enabled
Number of WGBs................................... 1
MAC Address        IP Address      AP Name            Status    WLAN  Auth  Protocol          Clients
-----------------  --------------- -----------------  --------- ----  ----  ----------------  -------
44:d3:ca:af:43:43  192.168.20.120  LAP2               Assoc     20    Yes   802.11n(5 GHz)     4

(WLC1) >show  wgb detail 44:d3:ca:af:43:43
Number of wired client(s): 4
MAC Address        IP Address      AP Name            Mobility   WLAN Auth
-----------------  --------------- -----------------  ---------- ---- ----
58:bf:ea:59:f8:01  192.168.20.199  LAP2               Local      20   Yes
00:18:fe:a5:dc:3e  192.168.8.100   LAP2               Local      20   Yes
00:1f:16:18:df:ec  192.168.9.100   LAP2               Local      20   Yes
58:bf:ea:59:f8:41  192.168.20.199  LAP2               Local      20   Yes

(WLC1) >show client summary 
Number of Clients................................ 5
MAC Address       AP Name           Status        WLAN/GLAN      Auth Protocol         Port Wired
----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
00:18:fe:a5:dc:3e LAP2              Associated    20             Yes  N/A              1    No
00:1f:16:18:df:ec LAP2              Associated    20             Yes  N/A              1    No
44:d3:ca:af:43:43 LAP2              Associated    20             Yes  802.11n(5 GHz)   1    No
58:bf:ea:59:f8:01 LAP2              Associated    20             Yes  N/A              1    No
58:bf:ea:59:f8:41 LAP2              Associated    20             Yes  N/A              1    No

(WLC1) >show client detail 58:bf:ea:59:f8:01
Client MAC Address............................... 58:bf:ea:59:f8:01
Client Username ................................. N/A
AP MAC Address................................... 00:1f:ca:ca:ea:40
AP Name.......................................... LAP2              
Client State..................................... Associated     
Client NAC OOB State............................. Access
Workgroup Bridge Client.......................... WGB: 44:d3:ca:af:43:43
Wireless LAN Id.................................. 20 
BSSID............................................ 00:1f:ca:ca:ea:4f  
Connected For ................................... 3978 secs
Channel.......................................... 36 
IP Address....................................... 192.168.20.199
Association Id................................... 0  
Authentication Algorithm......................... Open System
Reason Code...................................... 1  
Status Code...................................... 0  
Session Timeout.................................. 0  
Client CCX version............................... No CCX support
Mirroring........................................ Disabled
QoS Level........................................ Silver
802.1P Priority Tag.............................. 3
WMM Support...................................... Disabled

(WLC1) >show client detail 44:d3:ca:af:43:43
Client MAC Address............................... 44:d3:ca:af:43:43
Client Username ................................. N/A
AP MAC Address................................... 00:1f:ca:ca:ea:40
AP Name.......................................... LAP2              
Client State..................................... Associated     
Client NAC OOB State............................. Access
Workgroup Bridge................................. 4 client(s)
Wireless LAN Id.................................. 20 
BSSID............................................ 00:1f:ca:ca:ea:4f  
Connected For ................................... 4002 secs
Channel.......................................... 36 
IP Address....................................... 192.168.20.120
Association Id................................... 1  
Authentication Algorithm......................... Open System
Reason Code...................................... 1  
Status Code...................................... 0  
Session Timeout.................................. 0  
Client CCX version............................... 5  
Client E2E version............................... No E2E support
Diagnostics Capability........................... Not Supported
S69 Capability................................... Not Supported
Mirroring........................................ Disabled

(WLC1) >show client detail 00:18:fe:a5:dc:3e
Client MAC Address............................... 00:18:fe:a5:dc:3e
Client Username ................................. N/A
AP MAC Address................................... 00:1f:ca:ca:ea:40
AP Name.......................................... LAP2              
Client State..................................... Associated     
Client NAC OOB State............................. Access
Workgroup Bridge Client.......................... WGB: 44:d3:ca:af:43:43
Wireless LAN Id.................................. 20 
BSSID............................................ 00:1f:ca:ca:ea:4f  
Connected For ................................... 4047 secs
Channel.......................................... 36 
IP Address....................................... 192.168.8.100
Association Id................................... 0  
Authentication Algorithm......................... Open System
Reason Code...................................... 1  
Status Code...................................... 0  
Session Timeout.................................. 0  
Client CCX version............................... No CCX support
Mirroring........................................ Disabled
QoS Level........................................ Silver
802.1P Priority Tag.............................. 3
WMM Support...................................... Disabled

You can access the WGB via the GUI using its assigned IP (192.168.20.120).

UnifiedAP-WGB-02

You can refer following Cisco Documents as well.

1. Mesh & WGB Multiple VLAN support config example
2. Outdoor Mesh Design Guide

In the next post we will see how to configure WGB roaming related settings.

Related Posts

1. WGB Configuration
2. WGB with EAP-FAST
3. WGB with CAPWAP
4. WGB with PSK
5. WGB Roaming
6. WGB-IOS AP with Multiple VLAN
7. Packet Retries & Max-Retries
8. WGB Config Example


IOS AP-WGB with Multiple VLAN


In this post we will see how to configure a WGB to support multiple VLANs for the wired clients behind it. Here is the topology for this post, where VLAN 7 & VLAN 8 are defined for the wired clients behind the WGB. VLAN 20 is used as the native VLAN & AAP1, the WGB & CAT5 are assigned IPs in that VLAN.

In Autonomous mode, the WGB should associate as an "infrastructure-client" in order to support multiple VLANs.

IOSAP-WGB-01

Here is the CAT2 configuration where the DHCP pools & SVIs are defined.

ip dhcp excluded-address 192.168.7.1 192.168.7.99
ip dhcp excluded-address 192.168.8.1 192.168.8.99
ip dhcp excluded-address 192.168.20.1 192.168.20.99
!
ip dhcp pool VLAN7
   network 192.168.7.0 255.255.255.0
   default-router 192.168.7.1 
   domain-name mrn.com
   dns-server 192.168.200.1 
   address 192.168.7.100 client-id 0100.1f16.18df.ec <- PC IP reservation
!
ip dhcp pool VLAN8
   network 192.168.8.0 255.255.255.0
   default-router 192.168.8.1 
   domain-name mrn.com
   dns-server 192.168.200.1 
   address 192.168.8.100 client-id 0000.18fe.a5dc.3e <- Printer IP reservation
!
ip dhcp pool vlan20
   network 192.168.20.0 255.255.255.0
   default-router 192.168.20.254 
   dns-server 192.168.200.1 192.231.203.132 192.231.203.3 
   domain-name mrn.com
   address 192.168.20.120 client-id 0144.d3ca.af43.43<- WGB IP reservation
!
interface FastEthernet1/0/13
 description TEMP-AAP1-1142
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 20
 switchport mode trunk

You can configure AAP1 as shown below. Note that the SSID is configured as an "infrastructure-ssid" so that only infrastructure devices can associate to it. Also Dot11Radio1 is configured with "infrastructure-client" to make sure the WGB associates in infrastructure-client mode. This is mandatory to support multiple VLANs behind the WGB in this IOS-AP-WGB scenario (in the Unified method a client-mode WGB still supports this feature with "workgroup-bridge unified-vlan-client" on the WGB). This also gives reliable multicast delivery for the clients behind the WGB. WLAN security is configured with WPA2-PSK.

hostname AAP1
dot11 ssid MRN-WGB
   vlan 20
   authentication open 
   authentication key-management wpa version 2
   infrastructure-ssid
   wpa-psk ascii MRN-CCIEW
!
interface Dot11Radio1
 encryption vlan 20 mode ciphers aes-ccm 
 ssid MRN-WGB
 station-role root
 infrastructure-client
!
interface Dot11Radio1.7
 encapsulation dot1Q 7
 bridge-group 7
!
interface Dot11Radio1.8
 encapsulation dot1Q 8
 bridge-group 8
!
interface Dot11Radio1.20
 encapsulation dot1Q 20 native
 bridge-group 1
!
interface GigabitEthernet0.7
 encapsulation dot1Q 7
 bridge-group 7
!
interface GigabitEthernet0.8
 encapsulation dot1Q 8
 bridge-group 8
!
interface GigabitEthernet0.20
 encapsulation dot1Q 20 native
 bridge-group 1
!
interface BVI1
 ip address 192.168.20.99 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.20.254
sntp server 10.10.205.20

The WGB can be configured as shown below. The "station-role" should be "workgroup-bridge".

hostname WGB
dot11 ssid MRN-WGB
   vlan 20
   authentication open 
   authentication key-management wpa version 2
   infrastructure-ssid
   wpa-psk ascii MRN-CCIEW
!
interface Dot11Radio1
 encryption vlan 20 mode ciphers aes-ccm 
 ssid MRN-WGB
 station-role workgroup-bridge
!
interface Dot11Radio1.7
 encapsulation dot1Q 7
 bridge-group 7
!
interface Dot11Radio1.8
 encapsulation dot1Q 8
 bridge-group 8
!
interface Dot11Radio1.20
 encapsulation dot1Q 20 native
 bridge-group 1
!
interface GigabitEthernet0.7
 encapsulation dot1Q 7
 bridge-group 7
!
interface GigabitEthernet0.8
 encapsulation dot1Q 8
 bridge-group 8
!
interface GigabitEthernet0.20
 encapsulation dot1Q 20 native
 bridge-group 1
!
interface BVI1
 ip dhcp client client-id GigabitEthernet0 <- IP for WGB Mgmt purposes
 ip address dhcp

CAT5 (Switch Behind WGB) can be configured as follows.

vlan 7-8,20
!
interface GigabitEthernet0/1
 description WGB TRUNK
 switchport trunk native vlan 20
 switchport trunk allowed vlan 7-9,20
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast trunk
!
interface GigabitEthernet0/7
 description WGB-PC
 switchport access vlan 7
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/8
 description WGB-Printer
 switchport access vlan 8
 switchport mode access
 spanning-tree portfast
!
interface Vlan20
 description SW-MGMT
 ip address 192.168.20.199 255.255.255.0
!
ip default-gateway 192.168.20.254
ntp server 10.10.205.20

Once you configure it like this, you can verify that the devices get IP addresses from each VLAN.

AAP1#sh dot11 associations client 
802.11 Client Stations on Dot11Radio1: 
SSID [MRN-WGB] : 
MAC Address    IP address      Device        Name            Parent         State     
0018.fea5.dc3e 192.168.8.100   WGB-client    -               44d3.caaf.4343 Assoc    
001f.1618.dfec 192.168.7.100   WGB-client    -               44d3.caaf.4343 Assoc    
58bf.ea59.f801 0.0.0.0         WGB-client    -               44d3.caaf.4343 Assoc    
58bf.ea59.f841 192.168.20.199  WGB-client    -               44d3.caaf.4343 Assoc

Initially you can reach all of the wired clients behind the WGB. But a few minutes later you would notice that you cannot ping the printer IP. This is because the printer is a passive client (no traffic is initiated from it), so there is nothing to keep its MAC address in the WGB bridge table and the dynamically learned entry ages out.

You can avoid this in the following ways.

1. Increase the aging-out timer
2. Add static entry in WGB for the passive client

You can configure the aging time for a bridge group as follows. Configure a larger aging time for the bridge group where the printer (or other passive client) sits. In my case I will configure this for bridge-group 8.

WGB(config)#bridge ?
  <1-255>            Bridge Group number for Bridging.
  crb                Concurrent routing and bridging
  irb                Integrated routing and bridging
  mac-address-table  MAC-address table configuration commands

WGB(config)#bridge 8 ?
  acquire                   Dynamically learn new, unconfigured stations
  address                   Block or forward a particular Ethernet address
  aging-time                Set forwarding entry aging time
  bitswap-layer3-addresses  Bitswap embedded layer 3 MAC addresses
  bridge                    Specify a protocol to be bridged in this bridge group
  circuit-group             Circuit-group
  domain                    Establish multiple bridging domains
  forward-time              Set forwarding delay time
  hello-time                Set interval between HELLOs
  lat-service-filtering     Perform LAT service filtering
  max-age                   Maximum allowed message age of received Hello BPDUs
  priority                  Set bridge priority
  protocol                  Specify spanning tree protocol
  route                     Specify a protocol to be routed in this bridge group
  subscriber-policy         Subscriber group bridging

WGB(config)#bridge 8 aging-time ?
  <10-1000000>  Seconds

WGB(config)#bridge 8 aging-time 86400

You can achieve the same by configuring a static entry in the WGB bridge table. In this way the given MAC address will not age out from the WGB table.

WGB(config)#bridge 8 address ?
  H.H.H  Ethernet mac-address

WGB(config)#bridge 8 address 0018.fea5.dc3e ?
  discard  Discard datagrams from/to this address
  forward  Forward datagrams from/to this address

WGB(config)#bridge 8 address 0018.fea5.dc3e forward ?
  Async               Async interface
  Auto-Template       Auto-Template interface
  BVI                 Bridge-Group Virtual Interface
  CDMA-Ix             CDMA Ix interface
  CTunnel             CTunnel interface
  Dialer              Dialer interface
  Dot11Radio          Dot11 interface
  GigabitEthernet     GigabitEthernet IEEE 802.3z
  LongReachEthernet   Long-Reach Ethernet interface
  Loopback            Loopback interface
  Multilink           Multilink-group interface
  Null                Null interface
  Tunnel              Tunnel interface
  Vif                 PGM Multicast Host interface
  Virtual-Dot11Radio  Virtual dot11 interface
  Virtual-PPP         Virtual PPP interface
  Virtual-Template    Virtual Template interface
  Virtual-TokenRing   Virtual TokenRing
  vmi                 Virtual Multipoint Interface

WGB(config)#bridge 8 address 0018.fea5.dc3e forward g0.8
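To make the two mechanisms above concrete (the upstream tag strip / downstream tag add described in the Unified post, and the passive-client aging problem with its aging-time and static-entry fixes described here), the following is an added example, not code from this post or from Cisco. It models the WGB bridge table and the 802.1Q handling in Python: the printer MAC and VLAN numbers are the ones used in this post, the gateway MAC and the 300 s aging default are constructed assumptions for the demo, and time is passed in explicitly so the aging is deterministic.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# 802.1Q frame layout: dst MAC(6) | src MAC(6) | TPID 0x8100(2) | TCI(2) | EtherType(2) | payload
TPID = b"\x81\x00"
IPV4 = b"\x08\x00"


def mac(dotted: str) -> bytes:
    """Cisco dotted MAC notation ('0018.fea5.dc3e') -> 6 raw bytes."""
    return bytes.fromhex(dotted.replace(".", "").replace(":", ""))


@dataclass
class Entry:
    vlan: int
    learned_at: float
    permanent: bool = False   # True for 'bridge <n> address <mac> forward <if>'


class WgbBridge:
    """Model of the WGB bridge table plus the 802.1Q strip/add behaviour
    (not Cisco code; a simplification of what the post describes)."""

    def __init__(self, native_vlan: int, aging_time: float = 300.0):
        self.native_vlan = native_vlan
        self.aging_time = aging_time        # seconds, 'bridge <n> aging-time' (assumed default 300)
        self.table: Dict[bytes, Entry] = {}

    def add_static(self, addr: bytes, vlan: int) -> None:
        """Permanent entry: never removed by age()."""
        self.table[addr] = Entry(vlan, 0.0, permanent=True)

    def age(self, now: float) -> None:
        """Drop dynamic entries that have been idle longer than aging_time."""
        self.table = {a: e for a, e in self.table.items()
                      if e.permanent or now - e.learned_at < self.aging_time}

    def upstream(self, frame: bytes, now: float) -> Tuple[int, bytes]:
        """Wired client -> WLC: learn src MAC in its VLAN, strip the 802.1Q tag."""
        src = frame[6:12]
        if frame[12:14] == TPID:
            vlan = int.from_bytes(frame[14:16], "big") & 0x0FFF
            untagged = frame[:12] + frame[16:]
        else:
            vlan, untagged = self.native_vlan, frame
        if not (src in self.table and self.table[src].permanent):
            self.table[src] = Entry(vlan, now)   # refresh timestamp on every frame
        return vlan, untagged

    def downstream(self, frame: bytes, now: float) -> Optional[bytes]:
        """WLC -> wired client: re-insert the tag chosen by destination MAC lookup."""
        self.age(now)
        entry = self.table.get(frame[:6])
        if entry is None:
            return None                      # unknown destination: no VLAN to send it to
        if entry.vlan == self.native_vlan:
            return frame                     # native VLAN leaves the trunk untagged
        tci = entry.vlan.to_bytes(2, "big")  # PCP=0, DEI=0, VID=vlan
        return frame[:12] + TPID + tci + frame[12:]


def passive_client_demo(static_entry: bool, aging_time: float = 300.0):
    """The printer (VLAN 8) sends one frame at boot, then stays silent.
    Returns (learned VLAN, EtherType after the strip, downstream frame at t=400 s)."""
    wgb = WgbBridge(native_vlan=20, aging_time=aging_time)
    printer = mac("0018.fea5.dc3e")          # printer MAC from the post
    gateway = mac("0000.0c07.ac08")          # constructed default-gateway MAC
    if static_entry:
        wgb.add_static(printer, 8)           # bridge 8 address 0018.fea5.dc3e forward g0.8
    # t=0: CAT5 delivers the printer's frame on the trunk tagged with VLAN 8
    tagged = gateway + printer + TPID + (8).to_bytes(2, "big") + IPV4 + b"dhcp"
    vlan, untagged = wgb.upstream(tagged, now=0.0)
    # t=400: a ping arrives for the printer; a dynamic entry is past the 300 s aging time
    reply = wgb.downstream(printer + gateway + IPV4 + b"ping", now=400.0)
    return vlan, untagged[12:14], reply


if __name__ == "__main__":
    for static in (False, True):
        _, _, reply = passive_client_demo(static)
        print("static entry:", static, "->", "dropped" if reply is None else reply[12:16].hex())
```

With the default aging time and no static entry the downstream frame has no table entry to pick a VLAN from, which is the connectivity loss the post describes; either a permanent entry or a long aging time (the post uses 86400 s) keeps the printer reachable.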

There are a few other timers available if you require further tuning of these values (introduced in 12.4(25d)JA and later releases). I have not changed the default timer values in this example.

WGB(config)#workgroup-bridge ?
  client-vlan          Ethernet client VLAN number
  timeouts             Fine tuning WGB time-outs config commands
  unified-vlan-client  Enable Unified VLAN client

WGB(config)#workgroup-bridge timeouts ?
  assoc-response  Association Response time-out value
  auth-response   Authentication Response time-out value
  client-add      client-add time-out value
  eap-timeout     EAP Timeout value
  iapp-refresh    IAPP Refresh time-out value

WGB(config)#workgroup-bridge timeouts assoc-response ?
  <300-5000>  Milli Seconds  <- Default 5000 ms

WGB(config)#workgroup-bridge timeouts auth-response ?
  <300-5000>  Milli Seconds <- Default 5000 ms   

WGB(config)#workgroup-bridge timeouts client-add ?
  <300-5000>  Milli Seconds <- Default 5000 ms

WGB(config)#workgroup-bridge timeouts eap-timeout ?
  <2-60>  Seconds <- Default 0

WGB(config)#workgroup-bridge timeouts iapp-refresh ?
  <100-1000>  Milli Seconds <- Default 5000 ms

In case the switch behind the WGB does not support VLANs (a hub, etc.), you can assign all wired clients to a single VLAN by using the "workgroup-bridge client-vlan <vlan-id>" command.

You can refer to the following reference guides for detailed explanations of the CLI commands.

1. IOS Command Reference – Cisco IOS Releases 15.2(2)JA, 12.4(25d)JA, and 12.3(8)JEE
2. Cisco DOC-21999 :WGB with multiple VLANs

Related Posts

1. WGB Configuration
2. WGB with EAP-FAST
3. WGB with CAPWAP
4. WGB with PSK
5. WGB Roaming
6. WGB-CAPWAP with Multiple VLAN
7. Packet Retries & Max-Retries
8. WGB Config Example


Packet Retries & Max-Retries


In an Autonomous (IOS) AP, you can configure the number of attempts the wireless device makes to send a packet before giving up & dropping it. There are two ways of configuring this: one for best-effort (user priority 0) traffic & another for non-best-effort (user priority 1-7) traffic.

1. Best-effort Traffic (packet retries command)
2. Non-Best-effort Traffic (packet max-retries command )

First we will look at how to configure this for best-effort traffic (priority 0). It is configured under the radio interface (d0 for 2.4GHz or d1 for 5GHz). You can use the "packet retries" interface configuration command to specify the maximum number of attempts to send a packet. The default number of retries is 32.

The example below configures radio interface 1 (5GHz) to attempt 16 times before giving up on sending a wireless packet. By adding the "drop-packet" keyword at the end you can enforce that the association is not dropped; instead only the packet is dropped when the maximum retries are reached. Remember that this is only applicable to best-effort (priority 0) traffic.

AAP1(config)#int d1
AAP1(config-if)#packet ?
  max-retries  maximum non-best-effort data packet retries before discard pkt
  retries      maximum best-effort data packet retries
  speed        qos user-priority(up) downlink rates for discard-enabled packets
  timeout      up packet aging/discard timeout threshold

AAP1(config-if)#packet retries ?
  <1-128>  number of packet retries before giving up

AAP1(config-if)#packet retries 16 ?
  drop-packet  Don't disassociate station, instead just drop packets when maximum retries is reached

AAP1(config-if)#packet retries 16 drop-packet

Next we will look at how to configure this parameter for non-best-effort traffic (priority 1-7). You can use the "packet max-retries" interface configuration command to specify the maximum number of attempts per non-best-effort data packet before discarding it. Here is the syntax of the CLI command.

packet max-retries <number 1> <number 2> fail-threshold <number 3> <number 4> priority <value> drop-packet

max-retries <number 1> <number 2>
Specifies the maximum number (0 to 128) of non-best-effort data packet retries before discarding the packet. number 1 retries are used while the number 3 fail-threshold has not been exceeded, and number 2 retries are used once the number 3 fail-threshold has been exceeded. number 1 defaults to 3 and number 2 defaults to 0.

fail-threshold <number 3> <number 4>
Specifies the thresholds for the maximum number of consecutive dropped packets (0 to 1000). The number 3 fail-threshold switches max-retries from number 1 to number 2 as described above. If the number 4 fail-threshold is exceeded, the client is disassociated. number 3 defaults to 100 and number 4 defaults to 500.

priority <value>
Specifies the QOS user priority (1 to 7). value does not have a default value.

drop-packet
Specifies that priority packets should not be retried and that the packets should be dropped when the maximum number of retries has been reached.

Here is a configuration example for priority 5 traffic. It does the following.

1. While fewer than 25 consecutive priority 5 packets have been dropped, each packet is retried at most 5 times before it is discarded.
2. Once more than 25 (but fewer than 100) consecutive priority 5 packets have been dropped, each packet is retried at most 2 times before it is discarded.
3. When 100 consecutive priority 5 packets have been dropped, the client is disassociated.

AAP1(config-if)#packet max-retries ?
  <0-128>  # packet retries before dropping pkt if first fail-threshold not reached

AAP1(config-if)#packet max-retries 5 ?
  <0-128>  # packet retries before dropping pkt if 2nd fail-threshold not reached

AAP1(config-if)#packet max-retries 5 2 ?
  fail-threshold  maximum # consecutive dropped packets thresholds

AAP1(config-if)#packet max-retries 5 2 fail-threshold ?
  <0-1000>  # consecutive dropped packets before switching max-retries thresholds

AAP1(config-if)#packet max-retries 5 2 fail-threshold 25 ?
  <0-1000>  number of consecutive dropped packets before disassociating client

AAP1(config-if)#packet max-retries 5 2 fail-threshold 25 100 ?
  priority  qos user-priority

AAP1(config-if)#packet max-retries 5 2 fail-threshold 25 100 priority ?
  <0-7>  qos user-priority number

AAP1(config-if)#packet max-retries 5 2 fail-threshold 25 100 priority 5 ?
  drop-packet  Don't retry pkts, just drop packets when max retries reached

AAP1(config-if)#packet max-retries 5 2 fail-threshold 25 100 priority 5 drop-packet
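The two-threshold behaviour of "packet max-retries" is easier to reason about as a small state machine. The following is an added example in Python, not code from this post or from Cisco: it models the per-client consecutive-drop counter, the switch from number 1 to number 2 retries at the number 3 threshold, and the disassociation at the number 4 threshold, using the values from the configuration above and the IOS defaults quoted in the post. The assumption that "retries" means retransmissions after the first attempt (so a packet gets 1 + retries transmissions) is the model's, not the post's, as is treating "exceeded" as strictly greater than the threshold.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class MaxRetriesPolicy:
    """'packet max-retries <n1> <n2> fail-threshold <t3> <t4> priority <up>'."""
    retries_normal: int      # <number 1>: retries while drops have not exceeded t3
    retries_degraded: int    # <number 2>: retries after drops exceed t3
    switch_threshold: int    # <number 3>: consecutive drops that switch n1 -> n2
    disassoc_threshold: int  # <number 4>: consecutive drops that disassociate the client


@dataclass
class ClientState:
    consecutive_drops: int = 0
    associated: bool = True


def transmit(policy: MaxRetriesPolicy, state: ClientState,
             attempts_needed: Optional[int]) -> Tuple[str, int]:
    """Deliver one packet of the configured priority.

    attempts_needed: transmissions the air would need before an ACK arrives
    (None = never acknowledged). Returns (outcome, transmissions used).
    Assumption: 'retries' are retransmissions after the first attempt, so the
    per-packet budget is 1 + retries."""
    if not state.associated:
        return ("disassociated", 0)
    if state.consecutive_drops > policy.switch_threshold:
        retries = policy.retries_degraded   # past <number 3>: cheaper give-up
    else:
        retries = policy.retries_normal
    budget = 1 + retries
    if attempts_needed is not None and attempts_needed <= budget:
        state.consecutive_drops = 0         # any success resets the streak
        return ("sent", attempts_needed)
    state.consecutive_drops += 1            # budget exhausted: packet discarded
    if state.consecutive_drops >= policy.disassoc_threshold:
        state.associated = False            # <number 4> reached
        return ("disassociated", budget)
    return ("dropped", budget)


def simulate(policy: MaxRetriesPolicy,
             packets: List[Optional[int]]) -> Tuple[List[Tuple[str, int]], ClientState]:
    """Run a sequence of packets (attempts needed each) against one client."""
    state = ClientState()
    results = [transmit(policy, state, a) for a in packets]
    return results, state


# The post's example: packet max-retries 5 2 fail-threshold 25 100 priority 5 drop-packet
EXAMPLE = MaxRetriesPolicy(5, 2, 25, 100)
# IOS defaults as quoted in the post: 3 retries, then 0, thresholds 100 and 500
DEFAULT = MaxRetriesPolicy(3, 0, 100, 500)

if __name__ == "__main__":
    # constructed traffic: a client that stops acknowledging entirely
    results, state = simulate(EXAMPLE, [2] * 3 + [None] * 101)
    used = sum(n for _, n in results)
    print("transmissions spent:", used, "associated:", state.associated)
```

Running the stand-alone demo shows why the second retry value matters: after the 26th consecutive drop the AP spends 3 transmissions per packet instead of 6 on a client that is not acknowledging, and at 100 consecutive drops the client is disassociated so the airtime stops being spent at all.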

There are two other configuration parameters related to the "packet max-retries" interface configuration.

1. packet speed
2. packet timeout

You can use the "packet speed" interface configuration command to specify the down-link data rates and priorities for packets which have been declared discard-eligible in the "packet max-retries" command. This command has the following syntax.

packet speed [rate1....rateN | default] priority <0-7>

802.11b default data rates (Mbps): 5.5, 11.0
802.11a default data rates (Mbps): 6.0, 12.0, 24.0
802.11g default data rates (Mbps): 5.5, 6.0, 11.0, 12.0, 24.0
Priority default is 6(voice). Currently, only priority 6 is allowed pending future releases.

Here is a configuration example.

AAP1(config-if)#packet speed ?
  12.0      Allow 12.0 Mb/s rate
  18.0      Allow 18.0 Mb/s rate
  24.0      Allow 24.0 Mb/s rate
  36.0      Allow 36.0 Mb/s rate
  48.0      Allow 48.0 Mb/s rate
  54.0      Allow 54.0 Mb/s rate
  6.0       Allow 6.0 Mb/s rate
  9.0       Allow 9.0 Mb/s rate
  default   Set default rates
  priority  qos user-priority(first enter rates, followed by priority)

AAP1(config-if)#packet speed default ?
  12.0      Allow 12.0 Mb/s rate
  18.0      Allow 18.0 Mb/s rate
  24.0      Allow 24.0 Mb/s rate
  36.0      Allow 36.0 Mb/s rate
  48.0      Allow 48.0 Mb/s rate
  54.0      Allow 54.0 Mb/s rate
  6.0       Allow 6.0 Mb/s rate
  9.0       Allow 9.0 Mb/s rate
  priority  qos user-priority(first enter rates, followed by priority)

AAP1(config-if)#packet speed default priority ?
  <6-6>  qos user-priority number, currently only support voice priority = 6

AAP1(config-if)#packet speed default priority 6

You can use the “packet timeout” interface configuration command to specify the packet timeout period for a priority. Queued packets whose age exceeds the timeout threshold are discarded if they have been declared discard-eligible by the “packet max-retries” command. The default timeout is 35 milliseconds. The command has the following syntax: “packet timeout <1-128> priority <0-7>”.

AAP1(config-if)#packet timeout ?
  <0-128>  discard up pkt in queue if exceed timeout threshold in msec 

AAP1(config-if)#packet timeout 25 ?
  priority  qos user-priority

AAP1(config-if)#packet timeout 25 p
AAP1(config-if)#packet timeout 25 priority ?
  <0-7>  qos user-priority number

AAP1(config-if)#packet timeout 25 priority 6


TECCCIE-8006 – CCIE Wireless Techtorial


There is another CCIE Wireless Techtorial happening next week at CiscoLive 2013 in Orlando. In my opinion this is the best opportunity any CCIE Wireless candidate could get to clarify their doubts (though I haven’t been to any of them, mainly because they are only available at the US CiscoLive). I have been to the past 3 CiscoLive events in Melbourne & none of them had this session.

Here are the presenters of this session; you would be lucky to meet all four of them at the same time & clarify your questions.

TECCCIE-8006

If any of you are going to this session, please share some of the valuable inputs given by these people. Here are a few general questions I have.

1. When will CCIEv3.0 be announced? (or how long do we have to do the v2.0 exam)
2. CCIE Wireless statistics (how many wireless CCIEs are there?)
3. What is the current passing mark based on the success rate of candidates? (I know the general pass mark is 80% & it is variable as well)
4. How are wireless lab tasks graded? Especially voice calls, etc.
5. How deep do we need to dig into QoS (prioritizing, queuing)?
6. Are there known technical issues in this lab for which we need to go to the proctor (SSID not seen, etc.)?
7. Why the slow GUI response at the Sydney lab location? (if anyone going from APAC did the wireless lab in Sydney)

Related Posts

1. Do you know enough about CCIEW v2.0


Wireless CCIE Count Declining ?


The worldwide wireless CCIE count was listed as 64 in one of the CCIE Service Provider breakout sessions (BRKCCIE-9163 – CCIE Service Provider) during CiscoLive US (June 2013). According to this, the stats are updated as of March 2013.

The interesting question is how the wireless CCIE count drops (93 to 64) from 2012 to 2013? I DO NOT believe this is accurate. The only possibility is that the latest figures show only active CCIEs & 29 wireless CCIEs became inactive within the last year (I seriously doubt this could happen).

CCIE-Count-2013

Here is the similar information given in 2012.

CCIE-Stats-1

Here is the statistics given in 2011 Feb

CCIE-Count-2011

Only Cisco can clarify these figures & I have asked the question in a support forum. Hopefully someone will clarify this for us.

Declining Wireless CCIE Count ?

Update @2nd July: Cisco has deleted this thread since they no longer make these certification numbers public.

Related Posts

1. How many CCIEs are in the world ?


WGB Config Example


Let’s consider the following scenario.

A WGB is connected to a root AP (AAP1) using EAP-FAST as the security method. AAP1 has management IP 192.168.20.99 (VLAN 20). A printer (passive client) connected to the WGB should get an IP from 192.168.7.0/24 (VLAN 7), which is different from the AAP management VLAN.

IOS-WGB-Example-01

Here are a few basic rules to remember when configuring a WGB:

1. The WGB will associate to the root AP using bridge-group 1 (native VLAN).
2. If the WGB is to support multiple VLANs, it should be in “infrastructure” mode (in Unified Wireless or WLC-based WGB, this is not required).
3. If the WGB itself requires an IP (for management purposes), it should be on the native VLAN (of the WGB).

Based on the above rules, here are two different valid options to fulfill this requirement.

Option 1:
Configure the WGB to support multiple VLANs & assign all clients behind the WGB to VLAN 7. In this case the WGB itself will take an IP from VLAN 20, which is the native VLAN on the WGB.

Option 2:
Make VLAN 7 native on the WGB while keeping the AAP native VLAN at 20. In this way the WGB & its clients get IPs from VLAN 7 & no multiple-VLAN support is needed on the WGB.

Since I have already written a post on how to configure EAP-FAST, I will not describe those steps here; I simply use the configuration required. Please read that post if you need more information.

Here is how you could configure Option 1 as a solution for this.
On AAP1 the “infrastructure-client” command under the dot11 radio 0 interface puts the WGB in “infrastructure” mode, which is required to support multiple VLANs on the WGB.

hostname AAP1
!
aaa new-model
aaa group server radius RAD-GROUP
 server 192.168.20.99 auth-port 1812 acct-port 1813
!
aaa authentication login EAP-METHODS group RAD-GROUP
!
radius-server local
  nas 192.168.20.99 key Cisco123
  user wgb password Cisco123
!
radius-server host 192.168.20.99 auth-port 1812 acct-port 1813 key Cisco123
!
dot11 ssid MRN-WGB
   vlan 20
   authentication open eap EAP-METHODS 
   authentication network-eap EAP-METHODS 
   authentication key-management wpa version 2
!
interface Dot11Radio0
 encryption vlan 20 mode ciphers aes-ccm 
 ssid MRN-WGB
 station-role root
 infrastructure-client
!
interface Dot11Radio0.7
 encapsulation dot1Q 7
 bridge-group 7
!
interface Dot11Radio0.20
 encapsulation dot1Q 20 native
 bridge-group 1
!
interface GigabitEthernet0.7
 encapsulation dot1Q 7
 bridge-group 7
!
interface GigabitEthernet0.20
 encapsulation dot1Q 20 native
 bridge-group 1
!
interface BVI1
 ip address 192.168.20.99 255.255.255.0     
ip default-gateway 192.168.20.254
sntp server 10.10.205.20

Here is what the WGB configuration looks like. The “workgroup-bridge client-vlan 7” command forces clients behind the WGB onto VLAN 7. “ip address dhcp” under the BVI1 interface ensures the WGB gets an IP from the native VLAN (20) to manage the WGB itself. “bridge 7 address 0018.fea5.dc3e forward GigabitEthernet0.7” ensures that a “passive client” behind the WGB (the printer in my case, MAC address 0018.fea5.dc3e) remains in the WGB bridge table without aging out.

hostname WGB
!
dot11 ssid MRN-WGB
   vlan 20
   authentication open eap EAP-METHODS 
   authentication network-eap EAP-METHODS 
   authentication key-management wpa version 2
   dot1x credentials FAST
   dot1x eap profile FAST
!
eap profile FAST
 method fast
!
dot1x credentials FAST
 username wgb
 password Cisco123
!
interface Dot11Radio0
 encryption vlan 20 mode ciphers aes-ccm 
 ssid MRN-WGB
 station-role workgroup-bridge
!
interface Dot11Radio0.7
 encapsulation dot1Q 7
 bridge-group 7
!
interface Dot11Radio0.20
 encapsulation dot1Q 20 native
 bridge-group 1
!
interface GigabitEthernet0.7
 encapsulation dot1Q 7
 bridge-group 7
!
interface GigabitEthernet0.20
 encapsulation dot1Q 20 native
 bridge-group 1
!
interface BVI1
 ip address dhcp
sntp server 10.10.205.20
!
bridge 7 address 0018.fea5.dc3e forward GigabitEthernet0.7 
workgroup-bridge client-vlan 7

If you do this you will see your printer gets an IP in the 192.168.7.x/24 range, whereas the WGB itself gets an IP in the 192.168.20.x/24 range. I have configured DHCP on CAT2 for these two VLANs. Here is the CAT2 config for this example.

interface FastEthernet1/0/13
 description TEMP-AAP1-1142
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 20
 switchport mode trunk
!
ip dhcp excluded-address 192.168.20.1 192.168.20.99
ip dhcp excluded-address 192.168.7.1 192.168.7.99
!
ip dhcp pool VLAN7
   network 192.168.7.0 255.255.255.0
   default-router 192.168.7.1 
   domain-name mrn.com
   dns-server 192.168.200.1
!
ip dhcp pool vlan20
   network 192.168.20.0 255.255.255.0
   default-router 192.168.20.254 
   dns-server 192.168.200.1  
   domain-name mrn.com

You can verify this with the “show dot11 associations” output on AAP1 & then ping these IPs from CAT2.

AAP1#sh dot11 ass
802.11 Client Stations on Dot11Radio0: 
SSID [MRN-WGB] : 
MAC Address    IP address      Device        Name            Parent         State     
0018.fea5.dc3e 192.168.7.109   WGB-client    -               44d3.caaf.4343 Assoc    
44d3.caaf.4343 192.168.20.143  WGB           WGB             self           EAP-Assoc

CAT2#ping 192.168.7.109
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.7.109, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms

CAT2#ping 192.168.20.143
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.143, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms

Now let’s see how to configure Option 2 to achieve the same outcome. In this case we make VLAN 7 the native VLAN on the WGB. In this way WGB clients (including the WGB itself) get VLAN 7 IPs. Since AAP1 has to be on VLAN 20, the native VLAN should remain 20 for AAP1.

Here is the AAP1 configuration.

hostname AAP1
!
aaa new-model
!
aaa group server radius RAD-GROUP
 server 192.168.20.99 auth-port 1812 acct-port 1813
!
aaa authentication login EAP-METHODS group RAD-GROUP
!
radius-server local
  nas 192.168.20.99 key Cisco123
  user wgb password Cisco123
!
radius-server host 192.168.20.99 auth-port 1812 acct-port 1813 key Cisco123
!
dot11 ssid MRN-WGB
   vlan 7
   authentication open eap EAP-METHODS 
   authentication network-eap EAP-METHODS 
   authentication key-management wpa version 2
!
interface Dot11Radio0
 encryption vlan 7 mode ciphers aes-ccm 
 ssid MRN-WGB
 station-role root
!
interface Dot11Radio0.7
 encapsulation dot1Q 7
 bridge-group 7
!
interface Dot11Radio0.20
 encapsulation dot1Q 20 native
 bridge-group 1
!
interface GigabitEthernet0.7
 encapsulation dot1Q 7
 bridge-group 7
!
interface GigabitEthernet0.20
 encapsulation dot1Q 20 native
 bridge-group 1
!
interface BVI1
 ip address 192.168.20.99 255.255.255.0
!
ip default-gateway 192.168.20.254
sntp server 10.10.205.20

Here is the WGB configuration.

hostname WGB
!
dot11 ssid MRN-WGB
   vlan 7 
   authentication open eap EAP-METHODS 
   authentication network-eap EAP-METHODS 
   authentication key-management wpa version 2
   dot1x credentials FAST
   dot1x eap profile FAST
!
eap profile FAST
 method fast
!
dot1x credentials FAST
 username wgb
 password Cisco123
!
interface Dot11Radio0
 encryption vlan 7 mode ciphers aes-ccm 
 ssid MRN-WGB
 station-role workgroup-bridge
!
interface Dot11Radio0.7
 encapsulation dot1Q 7 native
 bridge-group 1
!
interface GigabitEthernet0.7
 encapsulation dot1Q 7 native
 bridge-group 1
!
interface BVI1
 ip address dhcp
!
bridge 1 address 0018.fea5.dc3e forward GigabitEthernet0.7 
!
sntp server 10.10.205.20

You can verify the printer & WGB IP details & connectivity to the rest of the network as follows.

AAP1#show dot11 associations 
802.11 Client Stations on Dot11Radio0: 
SSID [MRN-WGB] : 
MAC Address    IP address      Device        Name            Parent         State     
0018.fea5.dc3e 192.168.7.109   WGB-client    -               44d3.caaf.4343 Assoc    
44d3.caaf.4343 192.168.7.112   WGB           WGB             self           EAP-Assoc

CAT2#ping 192.168.7.109 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.7.109, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms

CAT2#ping 192.168.7.112
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.7.112, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/9 ms
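To check both options without reading the association table by eye, the following added example (my code, not part of the original post) parses “show dot11 associations” output and verifies that each station landed in the expected VLAN subnet with the expected role. The sample output strings are constructed to mirror the two lab results above; the MAC addresses, IPs and subnets are the ones from this post.

```python
import ipaddress
import re

# Constructed sample, mirroring the Option 1 result above
# (printer on VLAN 7, WGB itself on VLAN 20).
SHOW_ASSOC_OPTION1 = """\
802.11 Client Stations on Dot11Radio0:
SSID [MRN-WGB] :
MAC Address    IP address      Device        Name            Parent         State
0018.fea5.dc3e 192.168.7.109   WGB-client    -               44d3.caaf.4343 Assoc
44d3.caaf.4343 192.168.20.143  WGB           WGB             self           EAP-Assoc
"""

# Constructed sample, mirroring the Option 2 result (both on VLAN 7).
SHOW_ASSOC_OPTION2 = """\
802.11 Client Stations on Dot11Radio0:
SSID [MRN-WGB] :
MAC Address    IP address      Device        Name            Parent         State
0018.fea5.dc3e 192.168.7.109   WGB-client    -               44d3.caaf.4343 Assoc
44d3.caaf.4343 192.168.7.112   WGB           WGB             self           EAP-Assoc
"""

# One station row: dotted MAC, IP (or "-" while DHCP is pending), device, name, parent, state.
ROW_RE = re.compile(
    r"^(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<ip>\d+\.\d+\.\d+\.\d+|-)\s+"
    r"(?P<device>\S+)\s+(?P<name>\S+)\s+(?P<parent>\S+)\s+(?P<state>\S+)\s*$"
)

# Association states in which a station is usable (EAP-Assoc = authenticated via 802.1X).
GOOD_STATES = {"Assoc", "EAP-Assoc"}


def parse_associations(text):
    """Return {mac: row dict} for every station row in the command output."""
    stations = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            row = m.groupdict()
            stations[row["mac"]] = row
    return stations


def check_placement(text, expected):
    """expected maps mac -> (subnet, device). Returns {mac: None | problem string}."""
    stations = parse_associations(text)
    results = {}
    for mac, (subnet, device) in expected.items():
        st = stations.get(mac)
        if st is None:
            results[mac] = "not associated"
        elif st["device"] != device:
            results[mac] = f"device {st['device']} != {device}"
        elif st["state"] not in GOOD_STATES:
            results[mac] = f"state {st['state']}"
        elif st["ip"] == "-" or ipaddress.ip_address(st["ip"]) not in ipaddress.ip_network(subnet):
            results[mac] = f"ip {st['ip']} not in {subnet}"
        else:
            results[mac] = None
    return results


PRINTER, WGB = "0018.fea5.dc3e", "44d3.caaf.4343"
EXPECT_OPTION1 = {PRINTER: ("192.168.7.0/24", "WGB-client"), WGB: ("192.168.20.0/24", "WGB")}
EXPECT_OPTION2 = {PRINTER: ("192.168.7.0/24", "WGB-client"), WGB: ("192.168.7.0/24", "WGB")}

if __name__ == "__main__":
    print(check_placement(SHOW_ASSOC_OPTION1, EXPECT_OPTION1))
    print(check_placement(SHOW_ASSOC_OPTION2, EXPECT_OPTION2))
```

Checking the Option 2 output against the Option 1 expectations is the useful negative case: the printer passes, but the WGB is flagged for holding a VLAN 7 address instead of a VLAN 20 one, which is exactly the symptom of a native-VLAN mismatch between WGB and root AP.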


Related Posts

1. WGB Configuration
2. WGB with EAP-FAST
3. WGB with CAPWAP
4. WGB with PSK
5. WGB Roaming
6. IOS AP-WGB with Multiple VLAN
7. Unified AP-WGB with Multiple VLAN
8. Packet Retries & Max-Retries


STP Root Port Selection


In this post we will see how to manipulate STP root port selection in a given topology. We will use the VLAN 10 (management VLAN) STP instance to see which port becomes the Root Port in each switch. Any given switch’s Bridge ID consists of the Bridge Priority (default 32768 + system extended ID) & its MAC address. Since we are taking VLAN 10 as the example, the default bridge priority will be 32778.

STP-Root-01

Here are the basic rules of STP:

1. The switch with the lowest Bridge ID (Priority:MAC Address) becomes the Root Bridge.
2. Each non-root bridge has ONE Root Port (RP), which is the port with the lowest path cost to the Root Bridge.
3. All ports on the Root Bridge become Designated Ports (DP).
4. Each segment has one Designated Port (DP).
5. All RPs/DPs are in FORWARDING state & all other ports are in BLOCKING state.

According to the topology, CAT1 has the lowest MAC address (hence the lowest Bridge ID) & will become the Root Bridge. But if you do not want to rely on MAC addresses, you can lower the priority of a given switch to make it the Root Bridge for all VLANs. In my case I will set the priority for all VLANs to the lowest value (which is 0) on CAT1.

CAT1(config)#spanning-tree vlan 1-4094 priority ?
  <0-61440>  bridge priority in increments of 4096

CAT1(config)#spanning-tree vlan 1-4094 priority 0
CAT1#sh spanning-tree vlan 10
VLAN0010
  Spanning tree enabled protocol ieee
  Root ID    Priority    10
             Address     0017.94ba.bc80
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    10     (priority 0 sys-id-ext 10)
             Address     0017.94ba.bc80
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Now we will look at which port becomes the Root Port in each non-root bridge (CAT2, CAT3, CAT4). Root Port selection is based on the port with the lowest cost to the Root Bridge (CAT1). For PVST (Per VLAN Spanning Tree) the path cost depends on link bandwidth; the cost values for the most commonly used links are shown below.

10Gbps -> 2
1 Gbps -> 4
100 Mbps -> 19
10 Mbps -> 100

It is also important to understand how the path cost is calculated. The Root Bridge sends BPDUs with a cost to the Root Bridge of “0”. When any other switch receives this BPDU, it adds its own receiving port cost (according to the values above). So if a BPDU is received on a Fast Ethernet port (100 Mbps), the switch calculates its path cost to the root as 19 (0+19).

For CAT3, there are 3 different options (labels b, t, p). Here the Root Port choice is obvious: only Fa0/22 (b) has the lowest path cost to the Root Bridge, so that becomes the Root Port.

CAT2 has 4 different ports (labels d, f, u, r), of which two (d & f) have the same path cost (19) to the Root Bridge. Via port “u” the path cost is 38 & via port “r” it is 57. Since we have two equal-cost paths, you need to know the tie-breaking rules in this scenario. Here they are:

1. Lowest Sending Bridge ID
2. Lowest Port Priority (of sender)
3. Lowest Interface number (of sender)

In our case both ports “d” & “f” receive BPDUs from the same bridge (CAT1), which means “lowest port priority of sender” is the next tie breaker. By default each port has a priority value of 128 (can be 0-256 in multiples of 16), so that is a tie as well. This makes “lowest interface number of sender” the tie breaker. In our case CAT1’s fa1/0/23 has the lower interface number & therefore CAT2’s fa1/0/24, which receives that BPDU, will become the root port.

CAT2#sh spanning-tree vlan 10
VLAN0010
  Spanning tree enabled protocol ieee
  Root ID    Priority    10
             Address     0017.94ba.bc80
             Cost        19
             Port        26 (FastEthernet1/0/24)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)
             Address     001a.e3a7.ff00
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  15  sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa1/0/2             Desg FWD 19        128.4    P2p 
Fa1/0/21            Desg FWD 19        128.23   P2p 
Fa1/0/23            Altn BLK 19        128.25   P2p 
Fa1/0/24            Root FWD 19        128.26   P2p

Now let’s see what happens if you change CAT1’s fa1/0/24 port priority.

CAT1(config-if)#spanning-tree vlan 10 port-priority ?
  <0-240>  port priority in increments of 16

CAT1(config-if)#spanning-tree vlan 10 port-priority 0

CAT1(config-if)#do sh span vlan 10
Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa1/0/22            Desg FWD 19        128.24   P2p 
Fa1/0/23            Desg FWD 19        128.25   P2p 
Fa1/0/24            Desg FWD 19          0.26   P2p

Now if you look at CAT2 you will see Fa1/0/23 (connected to CAT1’s fa1/0/24) becomes the root port because of the lower port priority of the sender.

CAT2#sh spanning-tree vlan 10
VLAN0010
  Spanning tree enabled protocol ieee
  Root ID    Priority    10
             Address     0017.94ba.bc80
             Cost        19
             Port        25 (FastEthernet1/0/23)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)
             Address     001a.e3a7.ff00
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  15  sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa1/0/2             Desg FWD 19        128.4    P2p 
Fa1/0/21            Desg FWD 19        128.23   P2p 
Fa1/0/23            Root FWD 19        128.25   P2p 
Fa1/0/24            Altn BLK 19        128.26   P2p

For CAT4, both ports G0/3 (“q”) & G0/2 (“s”) have an equal path cost (38) to the root bridge (CAT1). But in this case port “s” receives its BPDU from a switch with a lower bridge ID, CAT2 (32778: 001a.e3a7.ff00), compared to port “q”, which receives from CAT3 (32778: 0024.137b.5a00). So port “s” (G0/2) becomes the root port & port priority or interface ID do not come into play.

CAT4#sh span vlan 10
VLAN0010
  Spanning tree enabled protocol ieee
  Root ID    Priority    10
             Address     0017.94ba.bc80
             Cost        38
             Port        2 (GigabitEthernet0/2)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)
             Address     58bf.ea59.f800
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  15  sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/2               Root FWD 19        128.2    P2p 
Gi0/3               Altn BLK 19        128.3    P2p

But if you want to make G0/3 the root port here, you can change its port cost to a lower value, which results in a lower path cost to the root. In this example I will change it to a cost of 1, so the resulting path cost to the root via that port is 20. That port then becomes the root port.

CAT5(config-if)#spanning-tree vlan 10 cost ?
  <1-200000000>  Change an interface's per VLAN spanning tree path cost 

CAT5(config-if)#spanning-tree vlan 10 cost 1

CAT5#sh spanning-tree vlan 10
VLAN0010
  Spanning tree enabled protocol ieee
  Root ID    Priority    10
             Address     0017.94ba.bc80
             Cost        20
             Port        3 (GigabitEthernet0/3)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)
             Address     58bf.ea59.f800
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/2               Altn BLK 19        128.2    P2p 
Gi0/3               Root FWD 1         128.3    P2p

Now you know which port becomes the root port in each non-root switch. So ports “b”, “f” & “q” become root ports in this topology. If you want to identify which ports become Designated Ports (DP) you can follow the rules below.

1. All ports on the Root Bridge become Designated Ports.
2. Each segment (link) has ONE Designated Port.

If a given link does not have a Root Port, either end could be the designated port, but the port on the switch with the lower bridge ID wins (“u” on the “t-u” link & “r” on the “r-s” link become DPs). In this way all ports other than “d”, “t” & “s” become either DP or RP, hence “FORWARDING” ports, & the others (d, t, s) become “BLOCKING” ports, as shown in the diagram below.

STP-Root-02

Here is the “show spanning-tree vlan 10” output to verify the above.

CAT2#sh spanning-tree vlan 10
Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa1/0/2             Desg FWD 19        128.4    P2p 
Fa1/0/21            Desg FWD 19        128.23   P2p 
Fa1/0/23            Root FWD 19        128.25   P2p 
Fa1/0/24            Altn BLK 19        128.26   P2p <- "port d"

CAT3#sh spanning-tree vlan 10
Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/3               Desg FWD 19        128.3    P2p 
Fa0/21              Altn BLK 19        128.21   P2p <- "Port t"
Fa0/22              Root FWD 19        128.22   P2p 

CAT4#sh spanning-tree vlan 10
Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/2               Altn BLK 19        128.2    P2p <- "port S"
Gi0/3               Root FWD 1         128.3    P2p

In this way you can manipulate the Root Port selection of your network.
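The whole selection walk-through above (path cost, then sender bridge ID, then sender port priority, then sender port number) is just an ordered comparison, so here is an added example (my code, not from the post) that models it and reproduces each change made in the post. The bridge IDs, port costs and port numbers come from the show outputs above; where the post shows cost 19 on CAT4’s Gigabit ports, the model uses the same value.

```python
from dataclasses import dataclass


def mac_to_int(mac):
    """'0017.94ba.bc80', '00:17:94:ba:bc:80' or '00-17-...' -> int, for ordered comparison."""
    return int(mac.replace(".", "").replace(":", "").replace("-", ""), 16)


@dataclass(frozen=True)
class ReceivedBpdu:
    iface: str               # local interface that received the BPDU
    iface_cost: int          # cost of that local port (19 = FastEthernet, 4 = Gigabit)
    advertised_cost: int     # sender's own root path cost (0 when the sender is the root)
    sender_priority: int     # sender's bridge priority incl. sys-id-ext (10 or 32778 here)
    sender_mac: str
    sender_port_priority: int = 128
    sender_port_number: int = 0

    def root_path_cost(self):
        # A switch adds the cost of the port the BPDU arrived on.
        return self.advertised_cost + self.iface_cost


def selection_key(b):
    # Same order STP uses: root path cost, sender bridge ID (priority, MAC),
    # sender port priority, sender port number. Lowest wins.
    return (b.root_path_cost(), b.sender_priority, mac_to_int(b.sender_mac),
            b.sender_port_priority, b.sender_port_number)


def select_root_port(bpdus):
    """Return (interface, root path cost) of the port that becomes the Root Port."""
    best = min(bpdus, key=selection_key)
    return best.iface, best.root_path_cost()


# Bridge IDs for VLAN 10, as shown in the post's outputs.
CAT1 = (10, "0017.94ba.bc80")       # priority 0 + sys-id-ext 10 -> root
CAT2 = (32778, "001a.e3a7.ff00")
CAT3 = (32778, "0024.137b.5a00")
CAT4 = (32778, "58bf.ea59.f800")


def cat2_bpdus(cat1_fa24_priority=128):
    """BPDUs seen by CAT2; cat1_fa24_priority models 'spanning-tree vlan 10 port-priority' on CAT1 Fa1/0/24."""
    return [
        ReceivedBpdu("Fa1/0/24", 19, 0, *CAT1, 128, 25),                  # port "f" <- CAT1 Fa1/0/23 (128.25)
        ReceivedBpdu("Fa1/0/23", 19, 0, *CAT1, cat1_fa24_priority, 26),   # port "d" <- CAT1 Fa1/0/24 (x.26)
        ReceivedBpdu("Fa1/0/21", 19, 19, *CAT3, 128, 21),                 # port "u" <- CAT3 Fa0/21, cost 38
        ReceivedBpdu("Fa1/0/2", 19, 38, *CAT4, 128, 2),                   # port "r" <- CAT4 Gi0/2, cost 57
    ]


def cat4_bpdus(gi0_3_cost=19):
    """BPDUs seen by CAT4; gi0_3_cost models 'spanning-tree vlan 10 cost' on Gi0/3."""
    return [
        ReceivedBpdu("Gi0/2", 19, 19, *CAT2, 128, 4),           # port "s" <- CAT2 Fa1/0/2 (128.4)
        ReceivedBpdu("Gi0/3", gi0_3_cost, 19, *CAT3, 128, 3),   # port "q" <- CAT3 Fa0/3 (128.3)
    ]


if __name__ == "__main__":
    print("CAT2 default          :", select_root_port(cat2_bpdus()))
    print("CAT2, CAT1 Fa24 prio 0:", select_root_port(cat2_bpdus(cat1_fa24_priority=0)))
    print("CAT4 default          :", select_root_port(cat4_bpdus()))
    print("CAT4, Gi0/3 cost 1    :", select_root_port(cat4_bpdus(gi0_3_cost=1)))
```

The same comparison is why an unexpected superior BPDU arriving on an access port can re-shape the tree: nothing in the algorithm checks who sent it, which is the job of root guard and BPDU guard on ports that should never see one.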

References:
1. VLAN Load Balancing between Trunk link
2. Understanding Rapid Spanning Tree Protocol (802.1w)



Called & Calling Station ID


As per RFC 3580 (IEEE 802.1X RADIUS Usage Guidelines), here are the definitions of the two terms “Called Station ID” & “Calling Station ID”. As you can see, if your wireless deployment is RFC 3580 compliant, you should get the AP radio MAC & SSID as the “Called Station ID”, and the supplicant MAC address as the “Calling Station ID”. These are useful for enforcing policies on your wireless traffic based on SSID.

Called Station ID:
For IEEE 802.1X Authenticators, this attribute is used to store the
bridge or Access Point MAC address in ASCII format (upper case only),
with octet values separated by a "-".  Example: "00-10-A4-23-19-C0".
In IEEE 802.11, where the SSID is known, it SHOULD be appended to the
Access Point MAC address, separated from the MAC address with a ":".
Example "00-10-A4-23-19-C0:AP1".

Calling Station ID:
For IEEE 802.1X Authenticators, this attribute is used to store the
Supplicant MAC address in ASCII format (upper case only), with octet
values separated by a "-".  Example: "00-10-A4-23-19-C0".

We will see how this works in Cisco Local & H-REAP mode deployments. Here is the basic topology, where I have two APs, a WLC & ACS.

RFC-3580-00

Here is the L1130-1 (Local Mode) AP information.

RFC-3580-02

Here is the L1250-1 (H-REAP Mode) AP information.

RFC-3580-01

I have configured a WLAN called “RFC-3580” to test this, configured for WPA2/AES & 802.1X with RADIUS authentication. The picture below shows the few important settings (H-REAP local switching) while most others were kept at their defaults.

RFC-3580-10

First of all we will test the Local Mode AP (L1130-1) by connecting to this SSID & then going to the ACS monitoring logs. You would see something like this. As you can see, the “Called Station ID” comes as “AP Radio MAC:SSID”, which complies with RFC 3580. The Calling Station ID also appears as the supplicant MAC address separated by “-”, which complies with the standard.

RFC-3580-03

Now we will test this with H-REAP mode. In H-REAP there are two scenarios: “Connected” & “Standalone” mode. In connected mode the WLC sends the authentication request to the RADIUS server, whereas in standalone mode the AP itself sends the authentication request.

Here is the similar output when the client is associated to the H-REAP in Connected Mode. As you can see, both parameters comply with RFC 3580. Note that this time the L1250-1 radio MAC (54:75:d0:cd:05:70) is part of the Called Station ID.

RFC-3580-04

Finally we will test this in “H-REAP Standalone” mode. You can do this by shutting down the switchport connected to the WLC. You can verify the mode using “show capwap reap status” on the AP CLI.

L1250-1#show capwap reap status 
 AP Mode:         REAP, Standalone
 Radar detected on:

Here is the ACS log information this time. You can clearly see that this time both the Calling Station ID & the Called Station ID are not RFC 3580 compliant (no SSID info in the Called Station ID & the MAC is not separated by “-”). If you look carefully, the Called Station MAC address is not the radio MAC address (54:75:d0:cd:05:70) but the BSSID, which is derived from the base radio MAC address. Since my WLAN ID is 10, if you increment the base MAC by 10 you end up with 54:75:d0:cd:05:79, which is the BSSID in this case.

RFC-3580-05
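The practical consequence of the standalone-mode result is that any SSID-based policy on the RADIUS server silently stops matching. The following added example (my code, not part of the post or of any Cisco product) validates Called-Station-Id and Calling-Station-Id values against the RFC 3580 formats quoted above, normalises non-compliant spellings, and shows a policy rule that fails closed when the SSID is missing. The dotted-MAC sample for the standalone case is constructed; the BSSID helper assumes that the first WLAN uses the base radio MAC itself, which reproduces the post’s own values (…05:70 for the base, …05:79 for WLAN ID 10).

```python
import re

# RFC 3580: upper-case hex octets separated by "-", optionally ":SSID" for Called-Station-Id.
RFC3580_MAC = r"[0-9A-F]{2}(?:-[0-9A-F]{2}){5}"
CALLED_RE = re.compile(rf"^(?P<mac>{RFC3580_MAC})(?::(?P<ssid>.+))?$")
CALLING_RE = re.compile(rf"^(?P<mac>{RFC3580_MAC})$")


def normalize_mac(value):
    """Any common MAC spelling (aabb.ccdd.eeff, aa:bb:..., AA-BB-...) -> 'AA-BB-CC-DD-EE-FF'."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", value)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {value!r}")
    return "-".join(hexdigits[i:i + 2].upper() for i in range(0, 12, 2))


def parse_called_station_id(value):
    """Return {'mac', 'ssid', 'compliant'}. A non-compliant value is still normalised
    so a policy engine can at least match on the MAC, but it carries no SSID."""
    m = CALLED_RE.match(value)
    if m:
        return {"mac": m["mac"], "ssid": m["ssid"], "compliant": True}
    return {"mac": normalize_mac(value), "ssid": None, "compliant": False}


def parse_calling_station_id(value):
    """Supplicant MAC; compliant only in the dash-separated upper-case form."""
    return {"mac": normalize_mac(value), "compliant": bool(CALLING_RE.match(value))}


def bssid_for_wlan(base_radio_mac, wlan_id):
    """Derive the BSSID an AP uses for a WLAN from its base radio MAC.
    Assumption (not from RFC 3580): WLAN 1 uses the base MAC itself, so WLAN N is
    base + (N - 1); this matches the post's observed ...05:70 -> ...05:79 for WLAN ID 10."""
    base = int(re.sub(r"[^0-9A-Fa-f]", "", base_radio_mac), 16)
    hexstr = f"{base + (wlan_id - 1):012x}"
    return ":".join(hexstr[i:i + 2] for i in range(0, 12, 2))


def ssid_policy_decision(called_station_id, allowed_ssids):
    """Fail-closed SSID rule: an authenticator that dropped the SSID from
    Called-Station-Id (the standalone H-REAP case) must not slip past an SSID check."""
    parsed = parse_called_station_id(called_station_id)
    if not parsed["compliant"] or parsed["ssid"] is None:
        return "deny: no SSID in Called-Station-Id"
    return "permit" if parsed["ssid"] in allowed_ssids else "deny: SSID not allowed"


if __name__ == "__main__":
    # Constructed samples: local-mode style value, then a standalone-mode style value.
    for value in ("54-75-D0-CD-05-70:RFC-3580", "5475.d0cd.0579"):
        print(value, "->", parse_called_station_id(value), ssid_policy_decision(value, {"RFC-3580"}))
    print("WLAN 10 BSSID:", bssid_for_wlan("54:75:d0:cd:05:70", 10))
```

Logging the `compliant` flag alongside each access request gives a quick way to spot APs that have dropped into standalone mode: a burst of non-compliant station IDs from one NAS is the same symptom the ACS screenshot shows.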

Can you change this default behavior in H-REAP standalone mode? Since the AP config is controlled by the WLC, unless it is configurable from the WLC there is no permanent fix (unless Cisco changes this behavior to comply with RFC 3580). But if you really want to, you can modify the AP config locally (though it will not survive an AP reboot).

If you configure “radius-server vsa send authentication” you can send the SSID information to ACS.

L1250-1#debug capwap console cli
This command is meant only for debugging/troubleshooting 
Any configuration change may result in different
behavior from centralized configuration. 

CAPWAP console CLI allow/disallow debugging is on
L1250-1#conf t
Enter configuration commands, one per line.  End with CNTL/Z

L1250-1(config)#radius-server vsa send ?
  accounting      Send in accounting requests
  authentication  Send in access requests
  cisco-nas-port  Send cisco-nas-port VSA(2)
  <cr>

L1250-1(config)#radius-server vsa send authentication ?
  3gpp2  Send 3GPP2 VSAs in accounting requests
  <cr>

L1250-1(config)#radius-server vsa send authentication

Here is the output once this is configured on the AP locally. The SSID information comes under “Cisco-AVPair”, as you can see below.

RFC-3580-06

It looks like there are commands to change the RADIUS attributes on the AP CLI, but none of them makes the information sent RFC 3580 compliant in this scenario.

L1250-1(config)#radius-server attribute ?
  11        Filter-Id attribute configuration
  188       Num-In-Multilink attribute configuration
  218       Address-Pool attribute
  25        Class attribute
  30        DNIS attribute
  31        Calling Station ID
  32        NAS-Identifier attribute
  4         NAS IP address attribute
  44        Acct-Session-Id attribute
  55        Event-Timestamp attribute
  6         Service-Type attribute
  69        Tunnel-Password attribute
  77        Connect-Info attribute
  8         Framed IP address attribute
  list      List of Attribute Types
  nas-port  NAS-Port attribute configuration

L1250-1(config)#radius-server attribute 31 mac format 
  default      format ex: 0000.4096.3e4a
  ietf         format ex: 00-00-40-96-3E-4A
  unformatted  format ex: 000040963e4a

L1250-1(config)#radius-server attribute 31 mac format  ietf

There is a support forum question related to this. Hopefully Cisco will answer when this becomes available in WLC/H-REAP.

WLC Problem with append SSID in Called Station ID in H-REAP

Related Posts

1. EAP Overview
2. AAA Basics – Part 1
3. PEAP & EAP-FAST with ACS 5.2
4. AAA Override with ACS 5.2


QoS for H-REAP


In this post we will look at how to configure QoS for a switch port where an H-REAP is connected. In this example we are considering the H-REAP local switching scenario, & normally a switch port is configured as a trunk port to facilitate this. Here is the basic setup for this post.

H-REAP-QoS-01

Here is the switch port configuration for the H-REAP & the Wireshark PC.

R3750#
interface FastEthernet1/0/4
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 50
 switchport trunk allowed vlan 50,146
 switchport mode trunk
 spanning-tree portfast trunk
!
interface FastEthernet1/0/7
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
monitor session 1 source interface Fa1/0/4
monitor session 1 destination interface Fa1/0/7 encapsulation replicate

So what should you trust to give better QoS, CoS or DSCP? Let’s see what suits best in this scenario by looking at a packet capture from the H-REAP-connected switch port (Fa1/0/4). Let’s look at two different traffic types (management & user traffic).

Here is CAPWAP control (UDP 5246) traffic coming from the H-REAP. As you can see there is no layer 2 tag (as VLAN 50 is the native VLAN on the trunk link) & hence no QoS information in the layer 2 header of the packet coming from the H-REAP (192.168.50.52), though the original IP packet has a DSCP value of CS6.

H-REAP-QoS-02

Here is a data packet coming from a wireless phone. As you can see, that packet includes a layer 2 tag (VLAN 146) which includes the CoS (or priority) value for QoS. In this case the RTP traffic is marked with CoS value 5.

H-REAP-QoS-03

Now, if you consider trusting the CoS value on the switch port (Fa1/0/4) connected to the H-REAP, all your control traffic is marked with the default CoS 0 (as no QoS value comes in layer 2). All other tagged VLAN traffic will be trusted based on the CoS value coming in those frames.

On the other hand, if you trust DSCP on Fa1/0/4, then both management traffic & user traffic get prioritized based on the original packet’s DSCP value (ignoring the AP-imposed CoS value of tagged frames).

Therefore you have to trust DSCP if you want to provide QoS for ALL traffic coming from the H-REAP, which includes management traffic & user traffic.

R3750(config-if)#do sh run int fa1/0/4
 interface FastEthernet1/0/4
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 50
 switchport trunk allowed vlan 50,146
 switchport mode trunk
 mls qos trust dscp
 spanning-tree portfast trunk

Now we will look at packet captures with different QoS profiles (Platinum, Gold, Silver, Bronze). In the above, the RFC-3580 WLAN QoS profile was set to Platinum. Let’s change it to Silver & look at a packet capture. As expected, this time the layer 2 CoS value is capped as per the Silver profile, even though the layer 3 DSCP is EF.

H-REAP-QoS-04

Since we are trusting DSCP, the packet will get EF priority irrespective of the layer 2 CoS value. So it is very important to understand that we cannot preserve the AP-imposed QoS (based on the QoS profile) in this scenario (trust DSCP) unless you trust CoS on that switch port. If you trust CoS, there is no way of giving the required QoS to management traffic coming from the H-REAP (since it is untagged).

If you consider the H-REAP central switching scenario, you still have to trust DSCP in order to preserve the outer CAPWAP marking for H-REAP-to-WLC communication.

So in conclusion, what should you trust in an H-REAP deployment? The answer is IT DEPENDS.

1. If you want to classify ALL traffic (management & user traffic) based on the packet DSCP value, then you have to trust DSCP at the switch port.

2. If you are considering only user traffic & you want to preserve the QoS value imposed by the AP, then you have to trust CoS. In this scenario ONLY user traffic, where the 802.1Q tag comes with the frame, will be classified correctly.
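To make the “it depends” concrete, here is an added example (my code, not from the post) that models what a Catalyst 3750 port does with the three frame types discussed above under “mls qos trust cos” versus “mls qos trust dscp”. The CoS-to-DSCP table is the platform’s default map (0, 8, 16, 24, 32, 40, 48, 56); the frames are constructed to match the captures (untagged CS6 CAPWAP control, tagged EF RTP at CoS 5). The CoS value the Silver profile caps the RTP frame to is not stated in the post, so 0 is an assumption in that sample.

```python
from dataclasses import dataclass
from typing import Optional

# Default Catalyst 3750 CoS-to-DSCP map (fact): index = CoS, value = internal DSCP.
COS_TO_DSCP = [0, 8, 16, 24, 32, 40, 48, 56]
# Default DSCP-to-CoS map is the DSCP's three high-order bits (dscp // 8).
def dscp_to_cos(dscp):
    return dscp // 8


@dataclass(frozen=True)
class Frame:
    name: str
    dscp: int              # DSCP of the inner IP packet
    vlan: Optional[int]    # None = untagged (native VLAN), so there is no 802.1p field
    cos: Optional[int]     # 802.1p value; meaningful only when the frame is tagged


def internal_dscp(frame, trust):
    """Internal DSCP the switch assigns on ingress for a given trust state.
    trust cos : untagged frames carry no CoS, so the port default CoS 0 is used
                and the internal DSCP is derived from that (the packet's own DSCP is ignored).
    trust dscp: the packet's DSCP is kept; any 802.1p value is ignored."""
    if trust == "dscp":
        return frame.dscp
    if trust == "cos":
        cos = frame.cos if (frame.vlan is not None and frame.cos is not None) else 0
        return COS_TO_DSCP[cos]
    raise ValueError(f"unknown trust state {trust!r}")


def egress_cos(frame, trust):
    """802.1p value the switch writes when the frame leaves on a tagged trunk."""
    return dscp_to_cos(internal_dscp(frame, trust))


# Constructed samples mirroring the post's captures on Fa1/0/4.
SAMPLE_FRAMES = [
    Frame("CAPWAP control from H-REAP, untagged native VLAN 50", dscp=48, vlan=None, cos=None),
    Frame("RTP from phone, Platinum profile", dscp=46, vlan=146, cos=5),
    Frame("RTP from phone, Silver profile (CoS cap assumed 0)", dscp=46, vlan=146, cos=0),
]


def compare_trust(frames):
    """{frame name: {'trust cos': internal DSCP, 'trust dscp': internal DSCP}}"""
    return {f.name: {"trust cos": internal_dscp(f, "cos"), "trust dscp": internal_dscp(f, "dscp")}
            for f in frames}


if __name__ == "__main__":
    for name, result in compare_trust(SAMPLE_FRAMES).items():
        print(f"{name:55s} {result}")
```

The first row is the post’s whole argument in numbers: with trust cos the CS6 control traffic is re-marked to DSCP 0, while with trust dscp it keeps 48. The third row shows the trade-off the other way round: trust dscp ignores the Silver cap and restores EF, so the profile-based limit is lost.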

Related Posts

1. Understanding Wireless QoS – Part 1
2. Understanding Wireless QoS – Part 2
3. Understanding Wireless QoS – Part 3
4. Understanding Wireless QoS – Part 4
5. Understanding Wireless QoS – Part 5
6. 3750/3560/2960 Wired QoS
7. Who do you trust ? (DSCP or CoS)
8. BYOD with QoS


WGB – Roaming – Part 1


WGB roaming time is the time taken by a radio in WGB role to disassociate from one AP and reassociate to another AP. During this interval there is no data transfer & therefore the roaming time is significant for maintaining sessions.

Roaming involves two main processes:

1. Scanning
2. Reassociation

Scanning:
WGB supports two main modes of roaming operation:

1. Static mode (default) – Roaming is based on two main variables: “packet retransmissions” or “loss of 8 consecutive beacons”
2. Mobile Station mode – On top of the previous variables, the AP can do periodic analysis of signal level drops and data rate shifts.

When any of the above criteria is met, the WGB triggers the roaming process, scanning approximately 10-20ms per channel. You can also limit the channels to be scanned through configuration. For example, you can set only CH1, CH6 & CH11 to be scanned in a 2.4GHz radio deployment.

The scanning methodology followed is “Active Scanning”. Instead of listening to beacons from APs, the WGB actively sends out “probe request” packets and waits 20ms for a response on every channel. The AP will stop scanning after it receives the first response with a satisfying signal. So scanning time may last approximately 40ms & may be shorter depending on the radio hardware type.

There are two ways of configuring WGB roaming parameters:

1. Use the “packet retries” command: This allows a more conservative approach where the WGB will not start a roaming process until data loss is detected or 8 consecutive beacons are missed.

int d0 or d1
packet retries <1-128> {drop-packet}

2. Use the “mobile station” command: This starts a regular process on the WGB to do pre-emptive roaming, which monitors the signal levels & data rate changes and forces a new roaming before the current AP signal is too low. This scan process will trigger small gaps in radio transmission while the radio is performing the channel scan. Starting from 12.4(25d)JA, a minimum data rate can be configured to trigger a roaming event in case of a data rate change. If you want to limit the number of channels to scan you can use the “mobile station scan” command.

int d0 or d1
mobile station
mobile station period <1-1000s> threshold <1-100>
mobile station minimum-rate <min-data-rate>
mobile station scan <scanning-channels>

If the WGB starts scanning because of a loss of eight consecutive beacons, the message “Too many missed beacons” is displayed on the console. In this case, the WGB is acting as a Universal Bridge Client, much like any other wireless client in its behavior.

In some situations it is interesting to use the optional “drop” option in packet retries to preserve the association even on the failure to transmit a data packet. This is useful for challenging RF environments, where roaming can also be triggered by the mobile station command.

The mobile station algorithm evaluates two variables, data rate shift and signal strength, and responds as follows:
1. If the driver does a long-term down shift in the transmit rate for packets to the parent, the WGB initiates a scan for a new parent (no more than once every configured period).
2. If the driver detects that the RSSI from its parent is below the configured threshold, the WGB initiates a scan for a new parent (no more than once every configured period).

The data-rate shift can be displayed using this command:

debug dot11 dot11Radio 0 trace print rates
!
*Mar  1 00:33:20.371: 436472AA-0 BBF420 - Set rate: m15.-2s 144 Mbps (20F), Rssi 29 dBm
*Mar  1 00:33:44.379: 44D32696-0 BBF420 - Set rate:    m15. 130 Mbps (10F), Rssi 29 dBm
*Mar  1 00:33:47.380: 4500FD0C-0 BBF420 - Set rate: m15.-2s 144 Mbps (20F), Rssi 29 dBm
*Mar  1 00:34:04.386: 4604BC7B-0 BBF420 - Set rate:    m15. 130 Mbps (10F), Rssi 29 dBm
*Mar  1 00:34:05.386: 461403FF-0 BBF420 - Set rate: m15.-2s 144 Mbps (20F), Rssi 30 dBm

However, this does not show the actual data rate shift algorithm in action, only the changes in data rate. The algorithm determines the time period to scan depending on how much the data rate was decreased.

The mobile station period should be set depending on the application. The default is 20 seconds. This delay period prevents the WGB from constantly scanning for a better parent if, for example, the threshold is below the configured value.

Some situations may require a faster timer; for example, on high speed trains. The period should not be lower than the time that is required by the AP to complete the authentication process. For example, for 802.1x + CCKM networks, it should not be set below 2 seconds. PSK networks may use one second. The actual period will always have one second added to the timer, a product of the AP scheduler resolution for this task.

The threshold sets the level at which the algorithm is triggered to scan for a better parent. This threshold should be set to noise+20dBm but not more than -70dBm (+70 because the input for threshold is positive). The default is -70 dBm. The correct threshold will depend on the intended data rate versus the coverage level offered in the environment where the WGB will operate. Assuming proper coverage, we should set this threshold a little less than the “breaking point” for the data rate needed by the applications in use. Here are the RSSI sensitivity values for a 3502I AP (you can find the full table in the AP’s data sheet).

WGB-Roaming-01

When you enable these settings, the WGB scans for a new parent association when it encounters a poor Received Signal Strength Indicator (RSSI), excessive radio interference, or a high frame-loss percentage. Using these criteria, a WGB configured as a mobile station searches for a new parent association and roams to a new parent before it loses its current association. When the mobile station setting is disabled (the default setting) the WGB does not search for a new association until it loses its current association.
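To make the mobile station trigger concrete, here is a small model of the decision logic described above (RSSI threshold, minimum-rate, one scan per period plus the one-second scheduler add, and the ~20 ms per-channel active scan). This is an added example, not Cisco code; the samples and the (1, 6, 11) scan list are constructed, and the simplified rate check treats any sample below minimum-rate as a long-term downshift.

```python
"""Model of the WGB 'mobile station' pre-emptive roaming trigger (added example,
not Cisco code): RSSI below threshold or rate below minimum-rate starts a scan,
at most once per period, with the 1 s scheduler add described in the post."""
from typing import List, Optional, Tuple


class MobileStation:
    def __init__(self, period: int = 20, threshold: int = 70,
                 minimum_rate: Optional[float] = None,
                 scan_channels: Tuple[int, ...] = (1, 6, 11)):
        self.period = period              # mobile station period <1-1000s>, default 20
        self.threshold = threshold        # threshold <1-100>, entered positive: 70 means -70 dBm
        self.minimum_rate = minimum_rate  # mobile station minimum-rate, None = not configured
        self.scan_channels = scan_channels  # mobile station scan <channels> (constructed list)
        self.last_scan: Optional[float] = None

    def should_scan(self, t: float, rssi_dbm: int, rate_mbps: float) -> Optional[str]:
        """Return the trigger reason ('rssi' or 'rate') for a sample at time t (s), else None."""
        hold = self.period + 1   # the AP scheduler adds one second to the configured period
        if self.last_scan is not None and t - self.last_scan < hold:
            return None          # still inside the period: no new scan allowed
        reason = None
        if rssi_dbm < -self.threshold:
            reason = "rssi"
        elif self.minimum_rate is not None and rate_mbps < self.minimum_rate:
            reason = "rate"
        if reason:
            self.last_scan = t
        return reason

    def scan_time_ms(self, per_channel_ms: int = 20) -> int:
        """Worst case active-scan dwell: ~20 ms probe-request wait on each configured channel."""
        return per_channel_ms * len(self.scan_channels)


# Constructed samples (time_s, rssi_dbm, data_rate_mbps) as a WGB moves away from its parent.
SAMPLES = [(0, -55, 144), (5, -62, 130), (10, -72, 65), (12, -75, 26),
           (20, -78, 26), (31, -79, 13), (33, -80, 6.5)]


def run(samples=SAMPLES, **cfg) -> List[Tuple[float, str]]:
    """Replay samples through one MobileStation; return the (time, reason) scan triggers."""
    ms = MobileStation(**cfg)
    triggers = []
    for t, rssi, rate in samples:
        reason = ms.should_scan(t, rssi, rate)
        if reason:
            triggers.append((t, reason))
    return triggers
```

With the defaults the constructed walk-away produces two RSSI-driven scans 21 seconds apart; with a PSK-style period of 1 the WGB rescans on almost every sample, which is the trade-off the post describes for fast timers.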

There are 3 types of scans implemented for the WGB:
1. Normal Scan
2. Fast Scan
3. Very fast Scan

A normal scan begins on the associated channel & continues to cycle through the rest of the channels. For example, if the WGB is associated to CH6, then it will start its scan on CH6, CH7 … CH13, CH1 … CH5. Upon scanning all channels & receiving more than one probe response, the WGB runs a compare function that compares (RSSI, load, hops, etc.) all responding APs to the one it was previously associated with.

The WGB performs a fast scan when traffic is between 10-20 packets per second. The WGB scans and associates to the first responding AP during a fast scan.

During a very fast scan, the WGB does not scan at all and tries to associate to the best AP in the adjacent list that is built up with IAPP and CCX.

In certain situations, depending on the application, the parent list may have “directionality”. For example, a train traveling in a given direction would not get any benefit from the neighbor-list since the train is moving away from those neighbors. You can configure the following command to ignore the neighbor-list.

int d0 or d1
mobile station ignore neighbor-list

We will look at the Reassociation in the next post.

Reference
1. Outdoor Mobility Design Guide
2. https://supportforums.cisco.com/docs/DOC-14944

Related Posts

1. WGB Configuration
2. WGB with EAP-FAST
3. WGB with CAPWAP
4. WGB with PSK
5. IOS AP-WGB with Multiple VLAN
6. Unified AP-WGB with Multiple VLAN
7. Packet Retries & Max-Retries
8. WGB Roaming-Part 2


VoIP Phone – Switchport Config


Let’s see how we can configure a switchport connected to VoIP phone. Here is my setup for this post.

VoIP-CDP-00

Here is the SPAN configuration.

monitor session 1 source interface Fa1/0/7
monitor session 1 destination interface Fa1/0/9 encapsulation replicate
!
interface FastEthernet1/0/9
 description BACKTRACK

First we will configure it as a simple access vlan & see what happens.

interface FastEthernet1/0/7
 description VOIP PHONE
 switchport mode access
 switchport access vlan 130
 spanning-tree portfast

If you look at a packet capture in this scenario, you would see CDP packets sent by both the phone & the switch.

VoIP-CDP-01

Here is the CDP information sent by the switch.

VoIP-CDP-02

Here is the information sent by the phone via CDP. As you can see, the phone informs the switch of its power requirement via CDP. Therefore it is very important to have CDP enabled on switch ports where you connect VoIP phones (this applies to any Cisco PoE device like an AP, camera, etc.).

VoIP-CDP-03

Then the phone & PC get IPs via DHCP on vlan 130 & start normal communication. Here are SCCP & RTP packets coming from the 7965 phone in this scenario. Since the switchport is an access port, no vlan tag is present in those frames.

VoIP-CDP-04

VoIP-CDP-05

Here is a packet coming from the PC.

VoIP-CDP-06

In the above method both the phone & the PC would be on the same vlan. As a best practice you would like to put phones & PCs in two different vlans. By using the “switchport voice vlan x” command you can do this. In that scenario the switchport carries traffic for two different VLANs even though we have not configured it as a trunk port.

interface FastEthernet1/0/7
 description VOIP PHONE
 switchport access vlan 140
 switchport voice vlan 130
 spanning-tree portfast

As you can see below, the switch will inform the phone of the voice vlan via CDP. Also note that this time layer 2 vlan tagging is present in these frames.

VoIP-CDP-07

Here is the CDP packet coming from the phone; it is the same as the previous time.

VoIP-CDP-12

Here is the SCCP packet coming from the phone this time. Note that it comes with a layer 2 vlan tag which includes the priority.

VoIP-CDP-08

Here is the RTP traffic coming from the phone. You can see the phone sets CoS value 5 for this RTP traffic in the layer 2 header.

VoIP-CDP-09

All traffic coming from the PC will be on vlan 140 and will be un-tagged (as the phone only tags its own traffic with a layer 2 vlan).

VoIP-CDP-10

But you can see that from the switch to the phone, traffic on vlan 140 is still tagged.

VoIP-CDP-11

From a QoS perspective you want to trust the priority set by the phone for voice traffic. PC traffic is “untrusted” in the normal scenario; you do not want to trust the DSCP value of those packets. So the best option is to trust CoS at the switchport. You can make this trust relationship conditional, so that it applies only when the end device directly connected to the switchport is a phone sending frames with a layer 2 tag. In this example, as long as the switch detects a Cisco phone via CDP it will trust the CoS value set by that phone.

C3750-1(config)#int fa1/0/7
C3750-1(config-if)#mls qos trust cos

C3750-1(config-if)#mls qos trust device ?
  cisco-phone  Cisco IP Phone
  cts          Cisco-telepresence
  ip-camera    Cisco video surveillance camera
C3750-1(config-if)#mls qos trust device cisco-phone

If you want to prioritize voice traffic (EF) over all other traffic, you have to enable the priority queue on 3750/3560/2960 switch platforms, as it is not ON by default.

C3750-1(config-if)#priority-queue ?
  out  egress priority queue
C3750-1(config-if)#priority-queue out

So the final switchport configuration looks like this.

interface FastEthernet1/0/7
 description VOIP PHONE
 switchport mode access
 switchport access vlan 140
 switchport voice vlan 130
 priority-queue out 
 mls qos trust device cisco-phone
 mls qos trust cos
 spanning-tree portfast

You can verify the configured switchport features by using the “show interface x switchport” command.

C3750-1#sh interfaces fa1/0/7 switchport 
Name: Fa1/0/7
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 140 (MyHome)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: 130 (Voice)
Administrative private-vlan host-association: none 
Administrative private-vlan mapping: none 
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
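As a quick check of the final configuration above, here is an added audit script (not Cisco code, not part of the original post) that reads the running config and a trimmed copy of the “show interfaces fa1/0/7 switchport” output and flags the points the post relies on: static access mode, no trunk negotiation, a voice vlan separate from the access vlan, CoS trusted only when a Cisco phone is detected via CDP, and the egress priority queue enabled. The embedded config and show lines are constructed from the post’s own output.

```python
"""Audit of the phone switchport shown above (added example, not Cisco code)."""
import re

# Constructed from the final switchport configuration in the post
RUNNING_CONFIG = """\
interface FastEthernet1/0/7
 switchport mode access
 switchport access vlan 140
 switchport voice vlan 130
 priority-queue out
 mls qos trust device cisco-phone
 mls qos trust cos
 spanning-tree portfast
"""

# Trimmed to the lines the audit reads from 'show interfaces fa1/0/7 switchport'
SWITCHPORT = """\
Administrative Mode: static access
Negotiation of Trunking: Off
Access Mode VLAN: 140 (MyHome)
Voice VLAN: 130 (Voice)
"""


def parse_switchport(text):
    """Turn the 'Key: value' lines of the show command into a dict."""
    pairs = (line.split(":", 1) for line in text.splitlines() if ":" in line)
    return {k.strip(): v.strip() for k, v in pairs}


def audit_phone_port(config, switchport_output):
    """Return a list of findings; an empty list means the port matches the post's final config."""
    sp = parse_switchport(switchport_output)
    lines = {line.strip() for line in config.splitlines()}
    findings = []
    if sp.get("Administrative Mode") != "static access":
        findings.append("not a static access port: trunk mode still negotiable")
    if sp.get("Negotiation of Trunking") != "Off":
        findings.append("DTP trunk negotiation is on")
    access = re.match(r"\d+", sp.get("Access Mode VLAN", ""))
    voice = re.match(r"\d+", sp.get("Voice VLAN", ""))
    if not voice:
        findings.append("no voice VLAN: phone and PC share one VLAN")
    elif access and access.group() == voice.group():
        findings.append("voice VLAN equals access VLAN")
    if "mls qos trust cos" in lines and "mls qos trust device cisco-phone" not in lines:
        findings.append("CoS trusted unconditionally: PC traffic marking would be honoured too")
    if "priority-queue out" not in lines:
        findings.append("priority-queue out missing: EF voice is not expedited")
    return findings
```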

Hope this is useful for understanding the switchport configuration needed for a VoIP phone connection.

Here are a few references that talk about this voice vlan configuration.

1. Good Explanation of Voice Vlan
2. Switchport Voice Vlan – What does it do ?

Related Posts

1. 3750/3560/2960 Wired QoS
2. Who do you trust ? (DSCP or CoS)
3. QoS for H-REAP
4. Best Practice QoS Config


How to Configure CME ?


In my home lab I have used a Cisco 3725 router as my Call Manager Express (CME). Even though CME-related configuration is not expected in the wireless lab exam, it is important to have it in your lab studies to test voice over wireless deployment scenarios.

I found the “10 Steps to Configure CCME” document really helpful for this. Here is a snapshot of this document with its original URL.

CME-Config-01

