I had this problem in my home lab’s CME router where it has a faulty fan & every 30s it generates a syslog msg saying “%FAN-3-FAN_FAILED: Fans had a rotation error reported“. This will fill up my logging buffer & come to console every time while I am doing something which annoy me . Here is an sample view of my logging buffer

Jul 27 07:21:42.601: %FAN-3-FAN_FAILED: Fans had a rotation error reported.
Jul 27 07:22:12.602: %FAN-3-FAN_FAILED: Fans had a rotation error reported.
Jul 27 07:22:42.604: %FAN-3-FAN_FAILED: Fans had a rotation error reported.
Jul 27 07:23:12.605: %FAN-3-FAN_FAILED: Fans had a rotation error reported.
Jul 27 07:23:42.607: %FAN-3-FAN_FAILED: Fans had a rotation error reported.
Jul 27 07:24:12.609: %FAN-3-FAN_FAILED: Fans had a rotation error reported.
Jul 27 07:24:42.610: %FAN-3-FAN_FAILED: Fans had a rotation error reported.
Jul 27 07:25:12.612: %FAN-3-FAN_FAILED: Fans had a rotation error reported.
Jul 27 07:25:42.613: %FAN-3-FAN_FAILED: Fans had a rotation error reported.
Jul 27 07:26:12.615: %FAN-3-FAN_FAILED: Fans had a rotation error reported.
Jul 27 07:26:42.617: %FAN-3-FAN_FAILED: Fans had a rotation error reported.
Jul 27 07:27:12.618: %FAN-3-FAN_FAILED: Fans had a rotation error reported.
Jul 27 07:27:42.620: %FAN-3-FAN_FAILED: Fans had a rotation error reported.
Jul 27 07:28:12.621: %FAN-3-FAN_FAILED: Fans had a rotation error reported.
Jul 27 07:28:42.623: %FAN-3-FAN_FAILED: Fans had a rotation error reported.
Jul 27 07:29:12.625: %FAN-3-FAN_FAILED: Fans had a rotation error reported.
Jul 27 07:29:42.626: %FAN-3-FAN_FAILED: Fans had a rotation error reported.
Jul 27 07:30:12.628: %FAN-3-FAN_FAILED: Fans had a rotation error reported.
Jul 27 07:30:42.629: %FAN-3-FAN_FAILED: Fans had a rotation error reported.
Jul 27 07:31:12.631: %FAN-3-FAN_FAILED: Fans had a rotation error reported

I wanted to suppress this message appearing on my console or logging buffer (or even do not want to send it to a syslog server).

What can I do about this ?  Changing the logging severity is one option. Since current syslog message is having severity 3, if you change logging severity to 2 then you won’t see this. But that will drop everything in severity 3 & not suppressing only this message. Also since I want to do debugs (severity 7) time to time this will not be an option for me.

CME(config)#logging buffered ? 
  <0-7>              Logging severity level
  <4096-2147483647>  Logging buffer size
  alerts             Immediate action needed           (severity=1)
  critical           Critical conditions               (severity=2)
  debugging          Debugging messages                (severity=7)
  discriminator      Establish MD-Buffer association
  emergencies        System is unusable                (severity=0)
  errors             Error conditions                  (severity=3)
  filtered           Enable filtered logging
  informational      Informational messages            (severity=6)
  notifications      Normal but significant conditions (severity=5)
  warnings           Warning conditions                (severity=4)
  xml                Enable logging in XML to XML logging buffer

So I posted this question in Cisco support forum & found the answer how to do this. It is “logging discriminator” command. This command introduced to IOS 12.4(11)T software release onwards. Here is the release history of this command.

Here is the command syntax & you can find more detail from the command reference section from here.

Let’s configure a logging discriminator to get rid of this message from my CME router.

CME(config)#logging discriminator ?
  WORD  discriminator name; string; max. 8 characters

CME(config)#logging discriminator FAN-FAIL ?
  facility    Facility pattern for messsage filtering
  mnemonics   Mnemonics pattern for messsage filtering
  msg-body    Msg-body pattern for messsage filtering
  rate-limit  Rate-limit value for messsage rate control
  severity    Severity group for messsage filtering
  <cr>

CME(config)#logging discriminator FAN-FAIL severity ?
  drops     To drop messages including the specified severities
  includes  To deliver messages including the specified severities

CME(config)#logging discriminator FAN-FAIL severity drops ?
  WORD  Specify a severity group delimited by ",", example 0,1,3,6,7 

CME(config)#logging discriminator FAN-FAIL severity drops 3 ?
  facility    Facility pattern for messsage filtering
  mnemonics   Mnemonics pattern for messsage filtering
  msg-body    Msg-body pattern for messsage filtering
  rate-limit  Rate-limit value for messsage rate control
  <cr>

CME(config)#logging discriminator FAN-FAIL severity drops 3 facility ?
  drops     To drop messages including the specified regular expression string
  includes  To deliver messages including the specified regular expression
            string

CME(config)#logging discriminator FAN-FAIL severity drops 3 facility drops ?
  WORD  Specify a regular expression string for message filtering

CME(config)#$criminator FAN-FAIL severity drops 3 facility drops FAN ?       
  mnemonics   Mnemonics pattern for messsage filtering
  msg-body    Msg-body pattern for messsage filtering
  rate-limit  Rate-limit value for messsage rate control
  <cr>

CME(config)#$ FAN-FAIL severity drops 3 facility drops FAN mnemonics drops ?
  WORD  Specify a regular expression string for message filtering

CME(config)#$severity drops 3 facility drops FAN mnemonics drops FAN_FAILED ?
  msg-body    Msg-body pattern for messsage filtering
  rate-limit  Rate-limit value for messsage rate control
  <cr>

CME(config)#$severity drops 3 facility drops FAN mnemonics drops FAN_FAILED 
Specified MD by the name FAN-FAIL is not found.
Adding new MD instance with specified MD attribute values.

CME(config)#do sh logg
Syslog logging: enabled (12 messages dropped, 5 messages rate-limited,
                0 flushes, 0 overruns, xml disabled, filtering disabled)

Inactive Message Discriminator:
FAN-FAIL  severity group drops    3
          facility       drops    FAN
          mnemonics      drops    FAN_FAILED

Once you define your logging discriminator, you can apply it to different logging methods (to make it active). I have applied it to console log, buffered logs, syslog server & monitor logs as shown below.

CME(config)#logging buffered discriminator FAN-FAIL 100000  
CME(config)#logging console discriminator FAN-FAIL
CME(config)#logging monitor discriminator FAN-FAIL
CME(config)#logging host 192.168.100.10 discriminator FAN-FAIL

Now you should not see this message anymore

You can verify this

CME(config)#do sh logg
Syslog logging: enabled (12 messages dropped, 5 messages rate-limited,
                0 flushes, 0 overruns, xml disabled, filtering disabled)

Active Message Discriminator:
FAN-FAIL  severity group drops    3
          facility       drops    FAN
          mnemonics      drops    FAN_FAILED

No Inactive Message Discriminator.
    Console logging: level debugging, 2742 messages logged, xml disabled,
                     filtering disabled, discriminator(FAN-FAIL), 
                     0 messages rate-limited, 1247 messages dropped-by-MD
    Monitor logging: level debugging, 0 messages logged, xml disabled,
                     filtering disabled, discriminator(FAN-FAIL), 
                     0 messages rate-limited, 14 messages dropped-by-MD
    Buffer logging:  level debugging, 0 messages logged, xml disabled,
                     filtering disabled, discriminator(FAN-FAIL), 
                     0 messages rate-limited, 15 messages dropped-by-MD
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled
    Persistent logging: disabled

No active filter modules.
ESM: 0 messages dropped
    Trap logging: level informational, 3998 message lines logged
        Logging to 192.168.100.10  (udp port 514,  audit disabled,
              authentication disabled, encryption disabled, link up),
              5 message lines logged, 
              0 message lines rate-limited, 
              1255 message lines dropped-by-MD, 
              xml disabled, sequence number disabled
              filtering enabled, discriminator (FAN-FAIL)

Log Buffer (100000 bytes):

This is a very handy command if you want to get rid of specific syslog message flooding your syslog server or console of affected devices as long as it is not an important alert for you.

In this post, we will have a closer look at QoS in Autonomous AP. Primary focus of the QoS in autonomous AP deployment is for radio downstream (arrow B)

I have very basic  configuration in AAP1 as shown below.

hostname AAP1
!
dot11 ssid ONE
  vlan 1
  authentication open
  mbssid guest-mode
!
interface Dot11Radio0
 ssid ONE
 mbssid
 station-role root
!
interface Dot11Radio0.1
 encapsulation dot1Q 1
 bridge-group 10
!
interface Dot11Radio0.999
 encapsulation dot1Q 999 native
 bridge-group 1
!
interface GigabitEthernet0.1
 encapsulation dot1Q 1
 bridge-group 10
!
interface GigabitEthernet0.999
 encapsulation dot1Q 999 native
 bridge-group 1
!
interface BVI1
 ip address 192.168.99.99 255.255.255.0
ip default-gateway 192.168.99.1

C3750 switch port configured as below. (only shown AAP1 & wireshark PC switchport config)

interface Vlan999
 ip address 192.168.99.1 255.255.255.0
!
interface FastEthernet1/0/11
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 1,3,6,999
 switchport mode trunk
!
interface FastEthernet1/0/9
 description BACKTRACK
!
monitor session 1 source interface Fa1/0/11
monitor session 1 destination interface Fa1/0/9 encapsulation replicate

Let’s have a close look at packet captures in this case. We will  analyze traffic between  7921 wireless phone to 7965 wired phone. We will take signalling traffic(SCCP) & voice traffic(RTP) for this analysis.

Here is traffic goes from switch to AP (Ethernet Downstream – Arrow A). SCCP traffic mark with CoS=3 & RTP traffic mark with CoS=5.

Now if you look at Radio Downstream (Arrow B) you will observe the following. As shown below, you would notice AP will not do any mapping AVVID CoS value to 802.11e UP by default. They will pass CoS value as it is onto 802.11UP value.

Here is the wireless traffic coming from 7921 wireless phone to AP (radio upstream – Arrow C). As you can see SCCP traffic comes with 802.11e UP of 4 & RTP traffic comes with 802.11e UP of 6. Note that SCCP traffic coming from 7921 have DSCP of 0, still 802.11e UP of 4. This UP value is the important parameter as it get translated in to CoS value at the AP.

finally if you look at Ethernet Upstream (AP to switch – Arrow D) you will see the following. Note that by default UP value does not convert into appropriate CoS value and all traffic goes as CoS of 0 (Best Effort).

Let’s enable 802.11e to AVVID mapping on AP & see what would be the effect. This would map CoS 5 packet coming from ethernet side on to 802.11e UP of 6 prior to send it to wireless client.

AAP1(config)#dot11 priority-map ?
  avvid  Map priority 5 packets to priority 6

AAP1(config)#dot11 priority-map avvid

Here is the packet capture  (arrow B) after this configuration. You can see this time CoS values correctly map to 802.11e UP values (ie CoS 3 -> UP 4, CoS 5 -> UP 6)

Also this time 802.11e values correctly map onto CoS value before sending it ethernet upstream towards the switch.

From switch port perspective it has to trust CoS value set by AP in order to preserve the correct QoS settings. Again remember that management traffic goes to AP is untagged & do not have CoS value. Therefore switch will apply default CoS=0 for those traffic (Best Effort)

interface FastEthernet1/0/11
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 1,3,6,999
 switchport mode trunk
 priority-queue out 
 mls qos trust cos

Here is few guidelines for AAP QoS. You can refer configuration guide for more detail

The QoS implementation for wireless LANs differs from QoS implementations on other Cisco devices. With QoS enabled, access points perform the following:

• They do not classify packets; they prioritize packets based on DSCP value, client type (such as a wireless phone), or the priority value in the 802.1q or 802.1p tag.
• They do not construct internal DSCP values; they only support mapping by assigning IP DSCP, Precedence, or Protocol values to Layer 2 COS values.
• They carry out EDCF like queuing on the radio egress port only.
• They do only FIFO queueing on the Ethernet egress port.
• They support only 802.1Q/P tagged packets. Access points do not support ISL.
• They support only MQC policy-map set cos action.
• They prioritize the traffic from voice clients (such as Symbol phones) over traffic from other clients when the QoS Element for Wireless Phones feature is enabled.
• They support Spectralink phones using the class-map IP protocol clause with the protocol value set to 119.

Related Posts

1. 3750/3560/2960 Wired QoS
2. Who do you trust ? (DSCP or CoS)
3. QoS for H-REAP
4. Best Practice QoS Config
5. VoIP Phone – Switchport Config
6. Autonomous AP – QoS

In this post we will see the impact of enabling or disabling WMM (Wireless Multi Media) to QoS of wireless traffic in a given WLAN.

WMM setting is based on IEEE 802.11e standard to provide QoS to wireless network. An 802.11e (or WMM) client that obtain medium access must not utilize radio resources for a duration longer than specified limit (called  transmission opportunity or TXOP). Also WMM client will classify their traffic in to four access classes (AC_VO, AC_VI, AC_BE & AC_BK). Below diagram show the difference with legacy system & WMM capable system.

Ref: Analysis of IEEE 802.11e for QoS Support in Wireless LAN

Here is the topology for our post. Wireless Phone is connected to a WLAN configured with Platinum QoS profile. Traffic flow “D” & “E” will be looked at in detail for QoS analysis while WMM is enabled & disabled on this WLAN.

Here is the basic WLAN configuration

(4402-3) >config interface create vlan1 1
(4402-3) >config interface address dynamic-interface vlan1 192.168.2.249 255.255.255.0 192.168.2.250
(4402-3) >config interface dhcp dynamic-interface vlan1 primary 192.168.2.250
(4402-3) >config wlan create 1 ONE ONE
(4402-3) >config wlan interface 1 vlan1
(4402-3) >config wlan radio 1 802.11a-only
(4402-3) >config wlan security wpa disable 1
(4402-3) >config wlan qos 1 platinum 
(4402-3) >config wlan wmm require 1
(4402-3) >config wlan enable 1

Here is the QoS settings in GUI if you are familiar with it than CLI.

In this configuration we have restricted only WMM capable clients can join to this WLAN (by selecting WMM require option). WLAN is configured for Platinum profile where upto CoS =5 (or DSCP EF) QoS is allowed.

When 7921 phone make a call to 7965 phone here are the two different type of traffic (signalling – SCCP & media – RTP) wireless frame captures.

When AP receive these frames it will convert 802.11e priority value to CAPWAP header DSCP values. Since we have configured Platinum profile it will allow upto 802.11e priority value of 6. So in this case Voice traffic CAPWAP header DSCP would be EF & Signalling traffic CAPWAP header DSCP would be AF31 (as per the 802.11e to AVVID 802.1p mapping table). Below captures prove this.

As long as you trust DSCP on AP connected switch port(Fa1/0/4) & CoS on WLC connected switchport (G1/0/1), this traffic will go to wired network with CoS=5 for voice & CoS=3 for signalling traffic.

Now let’s disable WMM on this WLAN & see what impact it would do on the traffic QoS. You can disable it via GUI or CLI & here is the CLI way of doing that.

(4402-3) >config wlan disable 1
(4402-3) >config wlan wmm disable 1
Warning: 802.11n requires WMM to be enabled
(4402-3) >config wlan enable 1

As you see above this will impact the 802.11n functionality. If you disable WMM on a WLAN client won’t get 802.11n data rates.

Once WMM is disabled, AP is not negotiating any WMM settings and client wireless traffic comes without any WMM priority information. You can see both SCCP & RTP traffic wireless frames no WMM information available.

Since no priority values comes in wireless frames ALL traffic will get the QoS profile’s DSCP/CoS value in this time. So both traffic will get DSCP EF in CAPWAP header & translated into CoS of 5 prior to send to to wired network by WLC. So in this time all traffic coming from wireless client will mark as EF. Here is the capture of AP connected switch port.

Therefore it is important to understand this difference when you configuring QoS profile & WMM settings.

When enabling WMM there is another option called “WMM Allowed”. In this scenario it will allow both WMM capable client & non-WMM capable client to join the WLAN. But all non-WMM client traffic will mark as per the configured QoS profile.

Related Posts

1. Understanding Wireless QoS – Part 1
2. Understanding Wireless QoS – Part 2
3. Understanding Wireless QoS – Part 3
4. Understanding Wireless QoS – Part 4
5. Understanding Wireless QoS – Part 5
6. 3750/3560/2960 Wired QoS
7. Who do you trust ? (DSCP or CoS)
8. BYOD with QoS
9. QoS for H-REAP
10. VoIP Phone – Switchport Config
11. Autonomous AP – QoS
12. AAP QoS – A Closer Look

In this post we will look at a wireless bridge configuration with QoS. Here is the topology for this post.

A VoIP phone (vlan 1) and a Laptop (vlan 6) is connected to a 2960 Switch where it is connected to Non-Root Bridge AAP2 (3502). A 3750 switch connected to a Root Bridge AAP1 (1142) where a wireless bridge is setup between AAP1 & AAP2 with native vlan 999 . All SVI, DHCP pools are defined on 3750 switch. A wireless phone is connected to network via a LAP (L1130) controlled by a WLC (4402-3)

I have not used any security  for encryption/authentication (for simplicity). Also only configure 5 GHz (int d1). Here is the Root Bridge (AAP1) configuration looks like.

hostname AAP1
!
dot11 ssid MGMT
  vlan 999
  authentication open
  infrastructure-ssid
!
interface Dot11Radio1
 ssid MGMT
 station-role root bridge
!
interface Dot11Radio1.1
 encapsulation dot1Q 1
 bridge-group 10
!
interface Dot11Radio1.6
 encapsulation dot1Q 6
 bridge-group 60
!
interface Dot11Radio1.999
 encapsulation dot1Q 999 native
 bridge-group 1
!
interface GigabitEthernet0.1
 encapsulation dot1Q 1
 bridge-group 10
!
interface GigabitEthernet0.6
 encapsulation dot1Q 6
 bridge-group 60
!
interface GigabitEthernet0.999
 encapsulation dot1Q 999 native
 bridge-group 1
!
interface BVI1
 ip address 192.168.99.99 255.255.255.0
!
ip default-gateway 192.168.99.1

Here is the Non Root Bridge (AAP2) configuration

hostname AAP2
!
dot11 ssid MGMT
  vlan 999
  authentication open
  infrastructure-ssid
!
interface Dot11Radio1
 ssid MGMT
 station-role non-root bridge
!
interface Dot11Radio1.1
 encapsulation dot1Q 1
 bridge-group 10
!
interface Dot11Radio1.6
 encapsulation dot1Q 6
 bridge-group 60
!
interface Dot11Radio1.999
 encapsulation dot1Q 999 native
 bridge-group 1
!
interface g0.1
 encapsulation dot1Q 1
 bridge-group 10
!
interface g0.6
 encapsulation dot1Q 6
 bridge-group 60
!
interface g0.999
 encapsulation dot1Q 999 native
 bridge-group 1
!
interface BVI1
 ip address 192.168.99.100 255.255.255.0
!
ip default-gateway 192.168.99.1

Once  you configure like above you should see AAP2 is associate to AAP1. Your PC & 7965 phone should get IP from respective vlan via DHCP configured on 3750. You can verify AAP2 association like below.

AAP1#sh dot11 ass

802.11 Client Stations on Dot11Radio1: 

SSID [MGMT] : 

MAC Address    IP address      Device        Name            Parent         State     
64ae.0c91.9420 0.0.0.0         Br-client     -               64ae.0c93.7590 Assoc    
64ae.0c93.7590 192.168.99.100  bridge        AAP2            self           Assoc    

AAP1#show dot11 associations all-client 
Address           : 64ae.0c91.9420     Name             : NONE
IP Address        : 0.0.0.0            Interface        : Dot11Radio 1
Device            : Br-client          Software Version : NONE 
CCX Version       : NONE               Client MFP       : Off
State             : Assoc              Parent           : 64ae.0c93.7590    
SSID              : MGMT                            
VLAN              : 0
Hops to Infra     : 0                  
Clients Associated: 0                  Repeaters associated: 0

Address           : 64ae.0c93.7590     Name             : AAP2
IP Address        : 192.168.99.100     Interface        : Dot11Radio 1
Device            : bridge             Software Version : 12.4
CCX Version       : 5                  Client MFP       : Off
State             : Assoc              Parent           : self               
SSID              : MGMT                            
VLAN              : 999
Hops to Infra     : 1                  Association Id   : 1
Clients Associated: 1                  Repeaters associated: 0
Tunnel Address    : 0.0.0.0
Key Mgmt type     : NONE               Encryption       : Off
Current Rate      : 54.0               Capability       : WMM ShortHdr 11h
Supported Rates   : 54.0
Voice Rates       : disabled           Bandwidth        : 20 MHz 
Signal Strength   : -50  dBm           Connected for    : 137591 seconds
Signal to Noise   : 42  dB            Activity Timeout : 29 seconds
Power-save        : Off                Last Activity    : 1 seconds ago
Apsd DE AC(s)     : NONE

Now if you want to make sure QoS is configured end to end (VoIP phone to wireless phone) you can verify it like this. We will start from the 7965 end.

1. Since Phone is connected to switchport where voice vlan is configured, you have to trust CoS on R2960 G 0/1. You have to ensure QoS is enabled on switch & CoS to DSCP maps 5-> 46 & 3-> 26 for at least these two type of traffic (if you want any other DSCP values you can change this mapping table).

mls qos
mls qos map cos-dscp 0 10 18 26 34 46 48 56

interface GigabitEthernet0/1
 description VOIP+PC
 switchport access vlan 6
 switchport mode access
 switchport voice vlan 1
 priority-queue out 
 mls qos trust device cisco-phone
 mls qos trust cos
 spanning-tree portfast

2. Then AAP2 is connected to R2960 via a trunk port. For the traffic coming from phone already trusted at G0/1, so that configuring QoS on G0/8 won’t impact traffic initiating from 7965. But traffic coming to 7965 is going to be impacted by the QoS config on G 0/8. Since AAP2 translated wireless frame UP value on to CoS value before sending it to R2960, you have to trust CoS in G0/8.

interface GigabitEthernet0/8
 switchport trunk native vlan 999
 switchport trunk allowed vlan 1,6,999
 switchport mode trunk
 priority-queue out 
 mls qos trust cos

3. You need to make sure 802.11e to AVVID mapping happening at the AAP2. This will ensure Priority 6 value converted to CoS 5 for RTP traffic & Priority 4 value converted to CoS 3 for SCCP signalling traffic (vice versa as well). By default radio interfaces is trusting WMM UP values of wireless frames. If not you have to enable it “dot11 qos mode wmm” CLI command under radio interface.

AAP2#
dot11 priority-map avvid

Similar concept applies to AAP1 where you have to enable 802.11e to AVVID mapping.

AAP1#
dot11 priority-map avvid

4. For AAP1 connected switchport, you have to trust CoS as user traffic comes with 802.1q header which include CoS value set by AAP1.

mls qos
mls qos map cos-dscp 0 10 18 26 34 46 48 56

interface FastEthernet1/0/11
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 1,6,999
 switchport mode trunk
 priority-queue out 
 mls qos trust cos

5.  In the unified wireless section, WLC connected port, you have to trust CoS since controller is changing 802.1p value according to QoS configuration of the controller.

interface GigabitEthernet1/0/1
 description 4402-3
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 140,998
 switchport mode trunk
 switchport nonegotiate
 priority-queue out 
 mls qos trust cos
 channel-group 1 mode on
 spanning-tree portfast trunk

5. Finally for the L1130 connected switchport you have to trust DSCP as WLC to AP traffic is always CAPWAP & only DSCP value is in the IP header.

interface FastEthernet1/0/3
 switchport access vlan 20
 switchport mode access
 priority-queue out 
 mls qos trust dscp
 spanning-tree portfast

6.Since SCCP signalling traffic is going between CME & phones (7965 & 7921), you have to trust packet marking of CME on the port fa1/0/14 of 3750. Since this  is access port, only DSCP value exist on the packets coming from CME. So trust DSCP is the only choice.

interface FastEthernet1/0/14
 description CME - INTERNET
 no switchport
 ip address 192.168.128.1 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 mls qos trust dscp

Once you configure like this you could make sure end to end traffic QoS is preserved across you network.

I have taken two packet captures, one by SAPN port G0/8 of R2960 switch & the othe one by sniffing wireless packet in 5 GHz to see what’s going on the bridge.

Here is the SCCP & RTP traffic coming from the 7965 VoIP phone. You can see SCCP traffic comes with CoS of 3 &  Voice traffic comes with CoS of 5.

If you look at the traffic to 7965 VoIP phone it will looks like this. You can see RTP traffic comes with  CoS 5 & SCCP traffic comes with CoS 3. This proves end to end QoS is preserved from wireless phone to wired phone.

Now if you look at a wireless capture it will looks like this. Since AAP1 to AAP2 , it use Cisco proprietary IAPP protocol wireshark capture shows as “Encapsulated Ethernet” in the data section.

But you can verify wireless header information as below. You can verify BSSID of AAP1 & AAP2, then determine packets direction.

AAP1#sh dot11 bssid 
Interface      BSSID         Guest  SSID
Dot11Radio1   a40c.c31a.ee60  No   MGMT

AAP2#sho dot11 bssid 
Interface      BSSID         Guest  SSID
Dot11Radio1   64ae.0c93.7590  No   MGMT

Based on the above information you can see the below frame is from AAP2 to AAP1. Based on the User Priority of wireless frame we can tell it is signalling traffic (SCCP) going from 7965 to CME. Since we configured “dot11 priority-map avvid” on AAP1 these priority value translate to CoS of 3 when it goes to 3750 fa1/0/11.

Here is the return traffic coming from AAP1 to AAP2, as you can see it has the similar priority in wireless frames.

Here is the RTP traffic wireless captures where you can see traffic comes with priority value of 6 in wireless frames.

Related Posts

1. Understanding Wireless QoS – Part 1
2. Understanding Wireless QoS – Part 2
3. Understanding Wireless QoS – Part 3
4. Understanding Wireless QoS – Part 4
5. Understanding Wireless QoS – Part 5
6. 3750/3560/2960 Wired QoS
7. Who do you trust ? (DSCP or CoS)
8. BYOD with QoS
9. QoS for H-REAP
10. VoIP Phone – Switchport Config
11. Autonomous AP – QoS
12. AAP QoS – A Closer Look
13. WMM & QoS Profile

In my R&S CCIE lab exam this is one thing I used all the time. There are multiple verification commands you need to run all the time & “Alias” will help you to execute those commands without typing the full command.

Even in Wireless CCIE exam, you can use these alias configuration for the commands you have to run many times during the exam. Specially if you want to verify the initial configuration this may help you. Here are few of my favourites, you can work it out yourself any other verification requirement you have.

1. “sh archive config differences nvram:startup-config system:running-config“
This will give you the running config & startup config differences, If I configure any given task I would verify using this command to make sure all the commands added/removed is as expected.

Here how you can use “alias config” to run this command in global config mode without exiting from that prompt & without typing the full command syntax. If you want to run this command in “exec” mode, you have to use “alias exec … ” option. If it is an interface configuration you have to use “alias interface ….”

C3750-1(config)#alias ?
  SASL-profile               SASL profile configuration mode
  aaa-attr-list              AAA attribute list config mode
  aaa-user                   AAA user definition
  address-family             Address Family configuration mode
  archive                    Archive the router configuration mode
  arp-nacl                   ARP named ACL configuration mode
  cns-connect-config         CNS Connect Info Mode
  cns-connect-intf-config    CNS Connect Intf Info Mode
  cns-tmpl-connect-config    CNS Template Connect Info Mode
  config-ip-sla-http-rr      IP SLAs HTTP raw request Configuration
  configure                  Global configuration mode
  crypto-ca-cert-chain       Crypto certificate entry mode
  crypto-ca-cert-comm        Certificate query  mode
  crypto-ca-cert-map         Certificate map entry mode
  crypto-ca-profile-enroll   Certificate enrollment profile entry mode
  crypto-ca-root             Certificate authority trusted root entry mode
  crypto-ca-trustpoint       Certificate authority trustpoint entry mode
  crypto-pubkey              Crypto subsystem public key entry mode
  dhcp                       DHCP pool configuration mode
  dhcp-class                 DHCP class configuration mode
  dhcp-pool-class            Per DHCP pool class configuration mode
  dhcp-relay-info            DHCP class relay agent info configuration mode

C3750-1(config)#alias configure ?
  WORD  Alias name

C3750-1(config)#alias configure diff ?
  LINE  New alias

C3750-1(config)#alias configure diff do sh archive config differences nvram:startup-config system:running-config
C3750-1(config)#alias exec diff sh archive config differences nvram:startup-config system:running-config

Now if you issue the “diff” command in config mode it should give the same output as you issue the full “show archive ….” command in exec prompt.

R2960(config)#diff
!
!Contextual Config Diffs:
+mls qos map cos-dscp 0 10 18 26 34 46 48 56
crypto pki certificate chain TP-self-signed-3931764736
 +certificate self-signed 01
  +3082023E 308201A7 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  +31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  +69666963 6174652D 33393331 37363437 3336301E 170D3933 30333031 30303030
  +35395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  +4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 39333137
  +36343733 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  +8100DA7B 48D89795 A5E15EF8 742210BB 6BC3FDB6 4046F577 21A9A1C3 C3A2A0CB
  +7472DAFF A678D559 6493D779 178516B3 AC7252AF 7FA527B9 63DF34BB ED8EAA7D
  +3B8A137A ADC24C7C 4678053C C625E504 EFA15FF6 E70238BF 12553BB3 C4558705
  +84DB52B5 FEF3D93E 1F34FED9 724CECB5 80F15D07 E35D4D69 B22B1584 2614137A
  +2B510203 010001A3 66306430 0F060355 1D130101 FF040530 030101FF 30110603
  +551D1104 0A300882 06523239 36302E30 1F060355 1D230418 30168014 B0C052AF
  +7C068EA6 E181B1C2 F0D41C9E 7FA9601D 301D0603 551D0E04 160414B0 C052AF7C
  +068EA6E1 81B1C2F0 D41C9E7F A9601D30 0D06092A 864886F7 0D010104 05000381
  +8100AECC F11A0E9F F4CDE08C 7FC01A3B 27E87EFD 3A9EF10F 2B21C933 8259FD62
  +52500E4C 5FDD6F31 25F94933 78F9CE65 E5393E5C 0F380599 1FA5FA99 DFDA7D71
  +5A645893 BB306C04 D417956A 896BD06C D0EE7C02 BB789A00 4FC97AB6 00AD6227
  +D51B9E77 70CF9737 18DF1007 AAE25227 82564078 47846112 A3439EAC B6A7F6EF 0BDD
  +quit   
interface GigabitEthernet0/8
 +priority-queue out
 +mls qos trust cos
+alias configure diff do sh archive config differences nvram:startup-config system:running-config
-mls qos map cos-dscp 0 8 16 24 32 46 48 56
crypto pki certificate chain TP-self-signed-3931764736
 -certificate self-signed 01 nvram:IOS-Self-Sig#3636.cer

2. If you want to verify IP address configuration with subnet mask you could use this “sh run | in (interface|ip add) “. If you want to alias config for this it will look like this.

DSW1(config)#alias exec ipadd sh run | in (interface|ip add)
DSW1(config)#alias configure ipadd do sh run | in (interface|ip add)

DSW1(config)#ipadd
interface GigabitEthernet1/0/1
interface GigabitEthernet1/0/2
interface GigabitEthernet1/0/3
interface GigabitEthernet1/0/4
interface GigabitEthernet1/0/5
interface GigabitEthernet1/0/6
interface GigabitEthernet1/0/7
interface GigabitEthernet1/0/8
interface GigabitEthernet1/0/9
interface GigabitEthernet1/0/10
interface GigabitEthernet1/0/11
interface GigabitEthernet1/0/12
interface GigabitEthernet1/0/13
interface GigabitEthernet1/0/14
interface GigabitEthernet1/0/15
interface GigabitEthernet1/0/16
interface GigabitEthernet1/0/17
interface GigabitEthernet1/0/18
interface GigabitEthernet1/0/19
interface GigabitEthernet1/0/20
interface GigabitEthernet1/0/21
interface GigabitEthernet1/0/22
interface GigabitEthernet1/0/23
interface GigabitEthernet1/0/24
interface GigabitEthernet1/0/25
interface GigabitEthernet1/0/26
interface GigabitEthernet1/0/27
interface GigabitEthernet1/0/28
interface Vlan1
 no ip address
interface Vlan10
 ip address 192.168.10.11 255.255.255.0
interface Vlan20
 ip address 192.168.20.254 255.255.255.0
interface Vlan100
 ip address 192.168.100.254 255.255.255.0
interface Vlan200
 ip address 192.168.200.254 255.255.255.0
alias configure ipadd do sh run | in (interface|ip add)
alias exec ipadd sh run | in (interface|ip add)

3. If you want to verify QoS trust status & any QoS related config in each individual interface you can use “show run | in (interface|mls|queue|srr)“. You can use a alias for this if you need to use these regularly.

DSW1(config)#alias configure qos do sh run | in (inter|mls|srr|queue)
DSW1(config)#alias exec qos sh run | in (inter|mls|srr|queue)        
DSW1(config)#qos
vlan internal allocation policy ascending
interface GigabitEthernet1/0/1
 mls qos trust cos
interface GigabitEthernet1/0/2
 mls qos trust dscp
interface GigabitEthernet1/0/3
 mls qos trust dscp
interface GigabitEthernet1/0/4
 mls qos trust dscp
interface GigabitEthernet1/0/5
 mls qos trust dscp
interface GigabitEthernet1/0/6
 mls qos trust dscp
interface GigabitEthernet1/0/7
 mls qos trust dscp
interface GigabitEthernet1/0/8
 mls qos trust dscp
interface GigabitEthernet1/0/9
 mls qos trust dscp
interface GigabitEthernet1/0/10
 mls qos trust dscp
interface GigabitEthernet1/0/11
 mls qos trust dscp
interface GigabitEthernet1/0/12
 srr-queue bandwidth share 1 30 35 5
 priority-queue out 
 mls qos trust device cisco-phone
 mls qos trust cos

Finally your alias config looks like this. If you intend to use alias during your lab exam better to configure those on IOS devices (mainly switches, autonomous AP)

DSW1(config)#do sh run | in alias
alias configure ipadd do sh run | in (interface|ip add)
alias configure qos do sh run | in (inter|mls|srr|queue)
alias configure diff do sh archive config differences nvram:startup-config system:running-config
alias exec ipadd sh run | in (interface|ip add)
alias exec qos sh run | in (inter|mls|srr|queue)
alias exec diff sh archive config differences nvram:startup-config system:running-config

Once you finish using these it is better to remove it from your network devices. You can use “no alias exec” & “no alias configure” to remove those.

Related Posts

1. “show archive config differences” is your Friend

In this post we will see how multicast can be configured on WGB (workgroup bridge) solution. Here is the topology for this post. WGB (3502I) is connected to Autonomous AP (AAP2- 1131), where a wireled client (multicast receiver) is connected behind WGB. A multicast source is connected to L3 switch where all the SVI & DHCP pool defined.(VLC player is used to simulate multicast streaming & receving it at the other end)

AAP2 is connected to C3750  Fa1/0/12 which is configured as trunk port with native vlan 999.

interface FastEthernet1/0/11
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 1,6,999
 switchport mode trunk
 priority-queue out 
 mls qos trust cos

Here is the config of Root AP (AAP1)

hostname AAP2
!
dot11 ssid WGB
   vlan 999
   authentication open 
!
interface Dot11Radio1
 ssid WGB
 station-role root
!
interface Dot11Radio1.999
 encapsulation dot1Q 999 native
 bridge-group 1
!
interface FastEthernet0.999
 encapsulation dot1Q 999 native
 bridge-group 1
!
interface BVI1
 ip address 192.168.99.199 255.255.255.0
!
ip default-gateway 192.168.99.1

Here is the config of WGB.

hostname WGB
!
dot11 ssid WGB
   authentication open 
!
interface Dot11Radio1
 ssid WGB
 station-role workgroup-bridge
 bridge-group 1
!
interface GigabitEthernet0
 bridge-group 1
!
interface BVI1
 ip address 192.168.99.100 255.255.255.0

Once you configure this you should see the WGB & its client association on AAP1 like below.

AAP2#sh dot11 associations 
802.11 Client Stations on Dot11Radio1: 
SSID [WGB] : 
MAC Address    IP address      Device        Name            Parent         State     
001f.1618.dfec 192.168.99.207  WGB-client    -               44d3.caaf.4343 Assoc    
44d3.caaf.4343 192.168.99.100  WGB           WGB             self           Assoc

Now it is ready to test your multicast, I am streaming a video from PC1 to multicast group address 238.2.3.8 & then from PC2 behind the WGB, joining to this group. Now if you do a wireless packet capture you could see the traffic going to across this link. Here is a sample output of that capture.

If you look at one individual packet in detail it will looks like this

You can see in the wireless frame header there are 4 different address (Receiver, Destination, Transmitter – AAP1 & Source – PC1). But both Receiver address & Destination address is same as the multicast MAC address. In other words these multicast frames are not acknowledged by WGB, so reliability of packet delivery cannot be ensured.

You can improved the reliability of multicast packet delivery by configuring WGB as infrastructure-client instead of normal client. You have to configure “infrastructure-client” command on root AP (AAP2) radio interface.

AAP2
interface Dot11Radio1
 infrastructure-client

Let’s see the difference it makes this time.

This time you can see each multicast frame is acknowledge by WGB. Here is the inside of a multicast packet this time.

You can see this time Receiver address is WGB mac address, so it is a unicast frame where WGB will acknowledge every time. The advantage is that if you have several clients behind the WGB, you send one broadcast (or one multicast), then a second copy of that broadcast/multicast encapsulated into a unicast frame to the WGB and the ACK from the WGB confirms that the frame was received and is going to be relayed to the wired clients. This increases reliability (usually, broadcasts and multicasts are never acknowledged)..

The downside is that it also increases traffic on the radio, as packets that are usually not acknowledged are now acknowledged (and you send as many unicast copies as you have WGBs). So the limitation of this mode is that the AP will not allow more than 20 WGB clients.

Normally in this scenario WGB receive same multicast frame twice. You can configure the workgroup bridge multicast mode to either “client” or “infrastructure” mode. If you configure it as “infrastructure” it will only accept 4 different MAC address frames & drop 3 MAC address frames (where destination & receiver address identical).

WGB(config-if)#station-role workgroup-bridge ?         
  multicast  configure multicast
  universal  Universal Client
  <cr>

WGB(config-if)#station-role workgroup-bridge multicast ?
  mode  configure multicast mode

WGB(config-if)#station-role workgroup-bridge multicast mo
WGB(config-if)#station-role workgroup-bridge multicast mode ?
  client          Client-mode accepts only 3-MAC address header mulitcast
                  packets
  infrastructure  Infrastructure-mode accepts only 4-MAC address header
                  multicast
             packets

WGB(config-if)#station-role workgroup-bridge multicast mode client 
*Jul  6 19:55:34.932: %DOT11-4-UPLINK_ESTABLISHED: Interface Dot11Radio1, Associated To AP AAP2 0019.a945.fb00       
*Jul  6 19:55:35.526: %DOT11-6-MCAST_DISCARD: infrastructure mode multicast packets are discarded  in client mode  multicast mode

WGB(config-if)#station-role workgroup-bridge multicast mode infrastructure

In a future post we will see how we can do this when WGB is connected to Light Weight Access point as root.

Related Posts

1. Test Yourself- Basic Multicast
2. Configuring Multicast on WLC
3. Wireless Multicast is not working – Why ?
4. Understanding “VideoStream” feature
5. IGMP Basics
6. Multicast Address Allocation
7. Multicast Deployment Types
8. PIM-SM Static RP Configurations
9. PIM-SM Auto-RP configurations
10. PIM-BSR Bootstrap Router Configurations
11. Anycast with MSDP
12. PIM-SSM Source Specific Multicast

This was my dream blog post I have been waiting to write for last 12 months (since I passed my written exam 30th Aug 2012). After 15 hours of nervous time since finishing my lab exam finally I got my result. Now I have become a CCIE wireless. Yes my lucky day was 20th Aug 2013 .

This sort of satisfaction is hard to come by. You  have to earn it & I had to put enormous number of hours to get it. Wake up 4:00AM & study 2-3 hours before go to work & then study full time over the weekend. That was my life most of past 12 months.

I got a very good support from my company & they really support me during this tough journey. But without the support I got from my family, this was an impossible task. They made great scarification to make my journey success. So I would dedicate my CCIE wireless to my wife Rajika, daughter Dewmi  (4yr) & son Manuka (1yr) for the contribution they made on this. Also through this blog I met lot of colleagues in the same field & that help as well.

Here is some celebration I had when I came home with my exam result from work (Thaththa mean “Dad” in our language)

Time to enjoy this for now & I will write a separate post on my strategy this time.

Related Posts

1. What did I learn from my 1st Attempt ?

Prior to go for my 2nd attempt I knew what are my weaknesses through my 1st attempt in May. Here are they.

1. Slow Approach (planned for 30 min, took 1 hr & 15 min )
2. Heavily relied on GUI & GUI was very slow (couldn’t finish task on time, without knowing CLI, stuck in certain tasks)
3. Did not master ACS 5.2 configs
4. Did not know Autonomous advanced config
5. Felt questions was too long…
6. Lack of practice & felt my speed was slow.

This was my winning strategy this time.

Approach: Since it was my 2nd attempt, I was almost familiar with the topology already. Also content was very similar too. So did not have to read to word by word to get what they ask for. In the given A4-rough sheet I did the following while reading the paper in the initial 30 min.

1. Time/Point tracking table (for overall progress tracking)
2. WLAN table (for WLAN creation)
3. Device Connectivity table (for QoS)

Here is a sample rough-sheet which I did during  a practice lab at home. This helped me to measure how I progress with time & then I knew exactly whether I am ok or not during my real exam.

Also if you need to configure QoS for a given network, in this way you do not miss any devices by accident and as long as you know what trusting model you have to use in each types of devices connected interfaces then you are ready for QoS config.

WLAN table helps me to maps all the features into a table where I do not want to read the question again until the final verification done.

Planning: It was obvious I had to improve my speed & should able to finish my exam within 6 hours to give last 2 hours at the end to verification. There are 3 ways to do the same tasks

1. Use WLC GUI
2. Use WCS templates
3. Use CLI

Based on my last lab experience of slow GUI at Sydeny lab, I do not wanted to take any risk this time. So I decided option 3 as my preferred option. So learn almost every thing (include RRM, Mobility, WLAN creation, Clean Air, Video Stream, SNMP, Syslog, Radius, etc) to do via CLI between my 1st attempt & 2nd attempt. This was the biggest success factor which brings the difference for me.

I spent nearly 45 min to complete my notepad with the CLI command required to complete each tasks. Also the CLI verification commands to run each time once the configuration done.  I aggregate configuration tasks (QoS, Media, CleanAir,TPC,DCA, etc) to be done while radio bands disabled. So when configuring it I apply those commands, so every band specific tasks were configured in one go. So did not want to disable/enable radio band multiple times.Make sure you do this right for the first time & that will save time of reworking.

Used following two alias config in all IOS devices. Every time I do a configuration task I would verify it by typing “d” in either config mode or exec mode in order to configuration addition was accurate. I used the other alias to QoS config verification.(I removed those alias config within last 30 min of my lab)

alias exec q sh run | in (inter|mls|srr|wrr|queue)
alias configure q do sh run | in (inter|mls|srr|wrr|queue)

alias exec d sh archive config differences nvram:startup-config system:running-config
alias configure d do sh archive config differences nvram:startup-config system:running-config

Here are some of CLI verification commands I have regularly used.

sh clock
sh ntp association
sh ip route
sh standby brief
sh spanning-tree root
sh etherchannel summary

show ap  summary
show dhcp proxy
show dhcp opt-82
show interface detailed <int-name>
show snmpversion
show snmpcommunity
show snmpv3user
show ap config global
show logging
show ap config general <ap-name>
show radius summary 
show interface summary
show interface detailed <int-name>
show wlan summary 
show wlan <wlan-id>
show client summary 
show client detail <client-mac>
show mobility summary
show network summary
show advanced {802.11b|802.11a} group 
show dot11 ass

End of the day, I have spent 1 hr & 15 min without doing any lab configuration tasks till that point , so what is the difference between the 1st attempt & 2nd attempt ? But this time I was very confident it will take very short time to copy & paste from notepad to CLI. Last time I did not have that comfort…

Executing: This time I had very clear plan what would be the sequence of configuration I have to do. I did not have it last time & followed the flow of the question & I did RRM towards end of my exam. That may not be a very good strategy as those configuration will take ~2 hrs to take effect. So In this time below was my sequence of configuration. In this way by lunch time (I was between task 8-9) I was able to test 1 or 2 WLAN with anyconnect client. I managed to finish ACS related config within 30  mins (as long as you master that, this is easy task) & then I only used it for verification only.

1. Check NTP & reachability to NTP server from all switches & WLC. If not work fix those issues
2. Configure the Mobility groups
3. Configure the RRM requirement
4. Register all LAPs to each controller
5. Configura AP modes as requested (H-REAP & OEAP )
6. Configure the ACS policy & Rules
7. Configure SNMP & add controller to WLC
8. Create SSID
9. Check the connectivity in sequentially.
10. Configure Autonomous AP tasks
11. Add MSE & Maps
12. Configure QoS
13. Verify, Verify & Verify

Verification: 2 hours from lunch, I was able to finish everything in the lab & give 2 hours to verify. When I was configuring I have verified for first time using CLI. But in last 2 hours I was going through GUI of the WLC’s to verify configuration in  different way. This was very effective to finding mistakes you have done.

Since I got enough time, I checked WLANs in each controller (by disabling WLAN in other controllers), make sure AP failover works as expected, Guest Tunneling in each controllers, Voice phone works in different authentication methods, etc. So I was very confident at the end of the lab where I gave my best shot this time. According to my tracking table I got around 85 marks excluding points for all doubtful questions.

What about technical issues this time ? I had couple of issues.

When I created WLANs I could not see it on my anyconnect client. I had to report this issue 2-3 times to proctor during my exam & he had to restart the client PC to fix it.(I utilized that time to do some other task & NOT impacted me negatively)

I still felt WCS/WLC’s GUI were slow, There was certain tasks I had to use GUI (as some constraints of doing it via CLI). Specially it it involve screen pop-up it will take noticeable time to do those tasks. Fortunately my strategy did not involve using any of those GUI for more than  5-10% of lab tasks. Therefore I was not fuzzy about that this time even though last time I complaint about it.

In conclusion, you have to plan to do this lab exam within 6 hours (including the initial ~1 hr planning exercise). Spend last 2 hours for verification, verification & verification. If you are able to do this definitely you will pass this exam & will get this prestigious certification.

PS: I never regret failing this exam 1st time & had to encounter this slow GUI issue at Sydney lab, Unless that happen I never learn these CLI commands & get the confidence level now I am having.

Related Posts

1. 20th Aug – My Lucky Day
2. What did I learn from my 1st Attempt ?
3. How to Become a CCIE Wireless

I started my wireless CCIE journey in July 2012. Like any other CCIE track, most important task was planing the journey. For me I had an additional advantage of going through a similar process in 2008 when I did my R&S lab exam & knew what it looks like. It is not only about your sole sacrifice, but the contribution of your family, your friends & everyone else around you. Therefore first of all I got the permission from my wife to dedicate another 12 months for my wireless journey.It was not an easy task as well, since we are alone in abroad with two young kids, had to organize alternative ways of supporting my family during this time. My mother-in-law & father-in-law agreed to visit us & stay with us 6 months each.

Once environment is ready, I had to come up with a proper study plan. This was the other key element of this journey. While you are studying you should be able to track how you progress & make sure you get the confidence as time goes on. My strategy was 4 hours of study in every week day & 12 hours a day in weekends. Below is a sample of my time tracker in excel. I wanted to ensure not many red cells (actual hours is less than planned)

Your time management skills are really important for this journey. Also you have to have your goals setup with time line against each other. For me I wanted to finish this within year 2013 & I have already planned 3 attempts if needed (you have to be realistic with your targets as well).

Getting start was the hard part for me. Initially I thought doing small scale lab & getting ready for the lab exam would help me to pass written exam on my way. It was very difficult to be focused in that way & finally gave up that idea. Then I focused the written exam & developed a mini-strategy to clear that. In wireless , I did not have any formal certification like CCNA-Wireless, CCNP-Wireless & wanted to challenge myself to go for a CCIE without those. I purchased the below mentioned materials for CCIE-Wireless written exam & went through them.

1. CCNA Wireless (640-722 IUWNE) Quick Reference – by Jerome Henry
2. CCNP-Wirless (642-732 CUWSS) Quick Reference – by Jerome Henry
3. CCNP-Wirless (642-737 IAUWS) Quick Reference – by Jerome Henry
4. CCNP-Wirless (642-747 IUWMS) Quick Reference – by Jerome Henry
5. CCNP-Wirless (642-742 IUWVN) Quick Reference – by Jerome Henry
6. CCIE-Wireless Exam (350-050) Quick Reference – By Roger Nobel, Federico Ziliotto, Federico Lovison, Fabian Riesen, Erik Vangrunderbeek

Written exam is all about theoretical concepts, you are ready to go for the exam as long as you refresh your knowledge about blueprint topics. So I booked my wireless written exam on 30th Aug 2012 & cleared it first time. I started my own blog (www.mrncciew.com) to keep my notes & to stay connected with the world of similar interest. This was a very big + point for my success & it helped me to keep up my enthusiasm on right focus throughout my journey.

Immediately after that I have booked my lab exam on 7th May 2013. This is another important thing to remember in your journey, once you lock down the lab date you won’t be deviating your schedule much. I booked it on May purposely  to leave me 6 months for 2nd & 3rd attempts within 2013. Availability of the CCIE Wireless lab exam at Cisco’s Sydney was one of the crucial point for me. I wanted to sit for the exam under the similar timezone where I studied. Sometimes little things become important matters. It is not easy to adjust to completely different clock to do the exam where your body clock working in a different timezone.

First challenge was to find good study materials for the lab exam. It was the time where CCIE wireless blueprint updated to version 2.0 (done in Nov 2011) & none of the vendors (IPexpert & Fastlane)have updated their full materials. I purchased Fastlane CCIEW workbook & IPexpert Wireless Self Study Bundle since there were not many choices (only volume 1 was ready for v2.0 by that time  & it took nearly 8 months to ready their remote racks for volume 2). Therefore I had to setup my own lab to do my preparations & that was another key success of my journey. I was fortunate to find few equipments for free from my company as we did some refresh in our wireless environment. This was my home lab with 2×4402, 1×2106, 2×3750, 2×2960, 1×3725 (CME) 1×1841 (WAN) & ESX for ACS,WCS,AD,DHCP (Dell Optiplex 745)

You have to assess your strengths & weaknesses & then need to allocate time to your study. For me “L2/L3 network infrastructure” & “Infrastructure Application Services” were two of my strong topics. “Autonomous deployment” & “Unified deployment-specific to network security) were my weak areas. “WCS” &  “WLAN services” are ok, but need some improvement.

I was struggling to get hold a grip of those topics since I have very very limited experience with Autonomous deployments. There aren’t many good documentations about these deployments.So I had to spend lot of hours to get basic understanding while creating basic lab setup for each scenario (like Bridge, Repeater, WGB,etc). Then studied security & advanced configuration with that basic knowledge.

Another tough topic was wireless QoS, I spent many hours to test it by doing sniffers & finally get a proper understanding how it works in wireless environment. This is very important as QoS plays a pivotal role in wireless lab exam. Same goes with Multicast as well.

ACS was another topic of similar nature. I haven’t worked with it in daily basis & had to learn it from scratch. I had a good friend who is a CCIE-Security helped me a lot to get the basic understanding of ACS & how to configure it. Spend 2 hours in every weekend with that friend (via phone & remote sharing) to learn this topic.

I studied almost all the Configuration Examples & Technotes related to lab exam blueprint topics. I had all of them in one excel file, so I can easily refer them when needed.  Below is a part of that excel sheet with respect to 5508 related config examples.

There was a boot camp in Australia  for CCIE wireless in Feb 2013.  I was very hopeful that we can learn from Jerome Henry who was well regarded as No 1 CCIE wireless instructor in the world since it was organized by  Fastlane affiliated company. Unfortunately by the time he has left Fastlane & joined Cisco, so we did not get any positive outcome from that bootcamp. We were given Fastlane workbook again & left us alone to do it.I was disappointing about that & had to fight with them to get additional rack hours due to the poor quality of the bootcamp.

I took 3 weeks off from my work to study for my 1st attempt on 7th May. I spent most of that time with IPexpert rented racks to do some sort of full scale labs. It was difficult to use their racks effectively since racks were not ready for Volume 2 ( 5 mock labs). I wasn’t 100% confident about ACS & Autonomous related advanced topics, but I had the confidence to give a good try.

I went to Sydney on 6th May from Melbourne. A wireless lab is held once a week every Tuesday in Sydney lab. I was the only candidate on that day (normally 4-5 people doing other tracks every day), and was comfortable in the lab environment. After the proctor’s initial briefing started my lab around 8:15AM. Even though I had a plan to finish reading the paper & do the initial planning work within 30-45 min, it was almost 1hr & 15 min once I complete that task. Then started to do pre-config verification & troubleshooting to get basic connectivity working. There were few questions in Autonomous & ACS related, which I did not know the answers, but for ACS I had some workaround & went ahead with zero points. When I reached the Unified deployment section I had the biggest hurdle in my exam. WLC’s GUI was very slow & I was never comfortable with that. Tried to use WCS for some QoS template configuration & encountered some errors. Finally did certain WLAN configs via WLC GUI in one of the controller & took a back up of it via WCS. Then try to derived CLI commands to apply it for other controllers. Time went very fast & I knew I never going to make it this time.  So in last 1-2 hours try to read some of the questions many times which I do not know the answers to better prepared for next time.

Around 4:45PM finished my lab exam & straight after took a taxi back to Airport. By the time I came home around 10:30PM, an email was there in my inbox which I did not want to see. As expected Unified deployment section I have scored very low & then Autonomous section. Even I thought  I did well in L2/L3, I did not score 100%. For the WCS section I got 100% & I was very happy about that.

Without much of thinking I went ahead & booked my 2nd attempt on 20th August. I had to wait 3 months as no other lab dates available in Sydney for wireless. Then re-assessed what happened to my first attempt & below are the weaknesses I found.

1. Slow Approach (planned for 30 min, took 1 hr & 15 min )
2. Heavily rely on GUI & GUI was very slow (couldn’t finish task on time, without knowing CLI, stuck in certain tasks)
3. Did not master ACS 5.2 configs
4. Did not know Autonomous advanced config
5. Felt questions was too long…
6. Lack of practice & felt my speed was too slow.

Between the first attempt & second attempt, I spent my time to fix my weaknesses. Most importantly I did not want to take any risk of being uncomfortable with slow GUI & rely on that to do my config. So decided to learn CLI method of doing things. Initially started with WLAN config via CLI & then move to Mobility, RRM, Video Stream & 802.11 band specific configs, SNMP, Syslog, RADIUS, etc. Once I did this multiple times I felt it was not too hard, as long as you know the commands it will take very little time to configure it on multiple controllers (simple copy & paste exercise).

I revisited Autonomous Config Guide, Config examples & Technotes. Also ACS configurations to see how I can do the same task in different ways. Again I spent time with IPexpert remote racks, by this time their racks were ready to do their mock labs. Once I did few 8 hours labs, I felt my improvements. Then I simulated few exam scenarios & made sure I can do that if it comes again. Also this time I had a very clear plan of sequence of configuration task I would do. In first time I went with the question flows rather my own way of tackling it.

Again went back for the exam on 20th August. This time there were 3 other candidates (for Voice, SP & RS) to do their exam. Exam started around 8:25AM & I started reading. Initial 30 min I did my own time/point tracking table, device connectivity table & WLAN table. Content was very similar to the previous time & did not have to read word by word to get what they asked for. Then started preparing my notepad with CLI commands required to do each task with verification CLI commands as well. By that time all other candidates started hitting their key boards & made environment noisy. I was bit nervous, but I knew I have practiced this routine earlier & need to keep calm & execute my plan. It took me around 45 min to complete my notepad, so again 1 hr & 15 min gone without doing any config task . But I was very comfortable this time knowing that I have answers in my notepad.

I started doing things in following sequence & every time I did some configuration task I have verified it via CLI. I had every thing in my notepad, it was just matter of “Copy & Paste”. By lunch time I was in between step 9-10. I was very confident as I have checked couple of WLANs connectivity before lunch & all worked. I felt everything was going according to my plan this time & did not panic at all.

1. Check NTP & reachability to NTP server from all switches & WLC. If not work fix those issues
2. Configure the Mobility groups
3. Configure the RRM requirement
4. Register all LAPs to each controller
5. Configure AP modes as requested (H-REAP & OEAP )
6. Configure RADIUS in WLCs
7. Configure the ACS policy & Rules
8. Configure SNMP & add controller to WLC
9. Configure WLANs
10. Check the connectivity with Anyconnect.
11. Configure Autonomous AP tasks
12. Add MSE & Maps
13. Configure QoS
14. Verify, Verify & Verify

Within 2 hours after lunch I completely finished my exam. I spent last 2 hours to go through GUI of each controller & see whether I have made any configuration errors. This is another effective way of finding your errors(by doing it in a one way- CLI & verifying it in another way -GUI) This is very important in any CCIE track, you have to have at least 2 hours for final verification. If you get this much of time then you are very close to pass this hurdle. I had couple of doubtful questions, but when I added up my points I got around 85 marks excluding those. So I was very confident that I gave my best this time & should get through it. In CCIE, it is too early to celebrate until you get the confirmation from Cisco.

I thought, I would get my result by the time I go home as last time. This time I could not wait for this email and checked couple of times prior to board onto the flight back to Melbourne, but no emails.I went home around 10:30PM & checked my email again, but nothing was there. I didn’t have a goodnight sleep and woke up around 5:00AM & checked my email, but no mails from Cisco. Then I went to work & checked my mail again. There were no email from Cisco, then I checked my spam folder & finally saw an email from Cisco. It has arrived around 8:00AM (15 hrs from my exam). Nervously opened that email & I found out finally I have become a CCIE Wireless

In conclusion here are my advise to anyone who is willing to go for this journey.

1. Do your written exam early & just focus on that during early stages.
2. Book your lab exam immediately after you pass the written exam allocating sufficient time to study for lab exam.
3. If possible keep a blog running, this help you to connect with the rest of the world of similar interest & motivate yourself to pursuit your goal.
4. Build your home lab & start practicing technology area (not full scale labs)
5. Go through Config Examples & Technotes related to blue print topics/products of CCIE wireless lab exam.
6. If you can afford, buy training materials from a preferred supplier of your choice & practice it.
7. Towards end of your preparation, do full 8 hour labs (by using remote racks) & have your own strategy how to tackle it.
8. Learn about different ways of doing the same thing & select less riskier option better suited to you & practice it many times.
9. Go for the lab exam & try to execute your plan, if unable to succeed re-assess your strategy & go back again within 1-2 months.
10. Until you get below repeat step 9. You will get it one day

Related Posts

1. What Did I learn from my 1st Attempt
2. 20th Aug – My Lucky Day
3. My winning Strategy

WLC 7.5 introduced lots of new features  and you can see the full feature list from WLC 7.5.102.0 Release Notes. From my network environment perspective there are few key features that I would like to have,

1. 802.11ac module support for 3600 AP (if anyone need to play with 802.11ac with Cisco wireless this is the code you should have in your 5508)

2. New Mobility – CAPWAP for Inter-controller mobility instead of EoIP (All Next Gen WLC – 3850,5760 only support CAPWAP, so if you want to have mix of old gen & new gen WLCs with mobility you have to have this enabled). I have 1×5760 & around 50×3850 switches in my access layer. One day I want to use them as WLCs.

3. mDNS enhancements

Even though I like to have these, there are certain points you need to consider before this upgrade.

1. You have to upgrade Prime Infrastructure to 1.4 & MSE to 7.5 to be fully compatible with WLC 7.5.x (PI 1.4 is not a successor release to 1.3, it is an parallel track to 1.3 to support WLC 7.5 code. Next upgrade to 1.3 would be 2.0 where as 1.4 would be upgrade to 2.1 code. It is all confusing & refer this Cisco support forum post for some clarity). There is no downgrade option from 1.4 to 1.3

2. Even with Prime 1.4 you cannot manage next gen WLCs (3850,5760).

3. There are large number of un-resolved bugs (which Cisco known about) listed in the release notes. As always there may be lots of unknown bugs since this code is just released. We went ahead with 7.4.x as they released & found out few bugs which hurts us during last 6-8 months(refer this for more detail) So we do not want to go through a similar pain with 7.5.x unless benefits outweigh drawbacks.

Therefore it is too early & risky for me to go upgrade all my 5508 (x9 of them servicing ~12k concurrent devices) running 7.4.107.0 to this release. But I cannot resist it too long. There was a request from a VIP to have the capability of printing to his home printer while he is connected to corporate SSID at home. Yes it is a feature called “Split Tunneling” only supported in WLC 7.5.x onwards. This is the WLC 7.5.102.0 release note says about this

“You can configure split tunneling for the Cisco OEAP to enable or disable local printer access. You can enable or disable split tunneling on a per WLAN or per remote LAN basis, or you can enable or disable split tunneling globally on the Cisco OEAP themselves.“

Therefore I will be upgrading my DMZ (only that one for the time being) 5508 to 7.5.102.0 shortly to enable this feature for Office Extend Home users. I will not enable “New Mobility” feature, since that will break my guest tunneling without upgrading all other controllers. I hope still I can manage this via PI 1.3 (which is the current prime version) once upgraded to 7.5.102.0 (Even Cisco document says in is not compatible).

Once I read the release notes I found few other cool features as well. Here are they,

1. Output filtering using grep command
You can now use the grep command to print only the lines that match a pattern. This is especially useful when the output of certain show commands is lengthy and you have to scroll multiple times to get to the information that you need. Here are few examples

(WLC) >grep include 'Up Time' 'show sysinfo' 
Press yes to continue(y)y
System Up Time........................0 days 0 hrs 48 mins 35 secs
There are 1 lines matching the pattern Up Time 

(WLC) >grep include 'Split' 'show wlan 2'
Press yes to continue(y)y
Split Tunnel (Printers).......................... Enabled
There are 1 lines matching the pattern Split

2. Client deauthentication by username, IP Adderess instead of MAC address.
You can now deauthenticate a client by specifying the username or the IP address of the client. In the earlier releases, you could do this by specifying only the MAC address of the client. This enhancement allows multiple client sessions with the same username to be deauthenticated

config client deauthenticate {mac-addr | ipv4-addr | ipv6-addr | user-name}

3. Ping from a dynamic interface of your choice. Like source interface in extended ping command in normal IOS devices.
It is now possible to choose the interface name from which you ping:Ping from an interface of your choice by entering this command:

ping ip-addr interface-name

I will do a separate post on this Split Tunneling feature of WLC 7.5.x & how it works once I test it.

When I came to work today I got an envelop on my desk with below message inside it. It is from one of a VP in my organization & it made my day. Even small things like this goes distance in memory lane..

I like it & thanks Natalie for the appreciation.

Split Tunneling introduced to Flexconnect APs in WLC7.3.x releases. This will allow certain traffic to be locally switched & all other traffic to Centrally switch from a Flexconnect AP.

In this post we will see how this feature can be enabled & use it in  Office Extend- Home user scenario. This feature works little bit differently with OEAP 600 series AP & will look at that in a separate post. In this post I have used 3502 AP model converted into Office Extend mode.

Below diagram shows a typical home users network connectivity. There won’t be an OEAP in normal set up, I have added it here since it is the primary focus of this post.

Once you changed the AP mode to Flexconnect  & priming it  for your corporate WLC (typically in a DMZ) it is ready to give to end user to plug it into his home network. Then it will give him the corporate SSID available at his home. If you are giving end user the capability of creating their own personal SSID then you can enable “office extend” feature on the AP itself. Refer this post to see how you could do that.

Prior to 7.3.x all corporate user devices traffic go back to wireless controller in their corporate office. In other words if that user connected to corporate SSID, he cannot access his local network devices (like printer, home PC, etc). Some times user want to print to his home printer while connecting to corporate SSID. This leads to enable this “Split Tunnel” feature on WLC software.

This is how it works. Let’s say you have setup your home personal network to 192.168.x.x (private network). You have completely different network at your corporate office (let’s say 131.172.x.x/16). Therefore when you connected to your office SSID while you are at home you will get 131.172.x.x range IP. If you are trying to access 192.168.x.x, from those IP, that traffic will go back to WLC & then it will drop since those private IP cannot routable across internet.

Once you enable split tunneling feature with defining ACL to classify what traffic need to locally switched, you can reach your home network devices while you are connecting to office SSID.

Here are the steps you need to follow. My wireless controller running with version 7.5.102.0 & you may see little bit different screens in your controller if version is different.

First you have to define a FlexConnect ACL to classify your local traffic. You can do this  in GUI vial “Security  -> Access Control List -> FlexConnect ACL-> New“. I have defined a ACL called “Flex-Split-Tunnel” like below. I have specified any traffic destined to 192.168.x.x to be treated as local traffic.

Then you need to create a FlexConnect Group & map this ACL to the WLAN you suppose to advertise via OEAP. You can do this in GUI via “Wireless -> FlexConnect Groups -> ACL Mapping -> WLAN ACL-mapping -> Local Split ACL Mapping” section. In my case I have created a group called “LTU-OEAP600″ & map “Flex-Split-Tunnel” ACL to two corporate WLAN named “eduroam” & “LTUWireless2″.

This is how you want to configure it in CLI

(WLC) >config flexconnect group ?            
<groupName>    flexconnect group name

(WLC) >config flexconnect group LTU-OEAP600

(WLC) >config ap flexconnect ?             
central-dhcp   Configures central-dhcp on AP per Wlan
local-split    Configures local-split on Wlan
policy         Add/Deletes policy flexconnect ACL on AP.
radius         Config flexconnect backup Radius Server in standalone mode
vlan           Enables/Disables VLAN on the flexconnect.
web-auth       Maps Web-Auth/Web Passthrough ACL to WLAN for an AP.
wlan           Configure wlan and vlan mapping

(WLC) >config ap flexconnect local-split ?               
<Wlan-Id>      Wlan Id

(WLC) >config ap flexconnect local-split 1 ?              
<Cisco AP>     Enter the name of the Cisco AP.

(WLC) >config ap flexconnect local-split 1 OE-AP013-RasikaN ?              
enable         Enable disables local-split tunnel on WLAN              
disable        Enable disables local-split tunnel on WLAN

(WLC) >config ap flexconnect local-split 1 OE-AP013-RasikaN enable ?               
acl            ACL configurations

(WLC) >config ap flexconnect local-split 1 OE-AP013-RasikaN enable acl ?              
<acl-name>     ACL Nam

(WLC) >config ap flexconnect local-split 1 OE-AP013-RasikaN enable acl Flex-Split-Tunnel            
(WLC) >config ap flexconnect local-split 2 OE-AP013-RasikaN enable acl Flex-Split-Tunnel
 

Then you can add FlexConnect AP into this group. If you tick the “Select AP from current controller” option it will list down all the FlexConnect AP in that controller where you can choose from. In my case I have put my home OEAP in to this group.

Here is the CLI way of doing this

(WLC) >config flexconnect ?             
acl            Configures Access Control Lists.
group          Configure flexconnect group tables.
join           Enables or disables the latency base join mode for an OfficeExtend AP
office-extend  Enables or disables the  OfficeExtend AP mode for a flexconnect AP

(WLC) >config flexconnect group ?              
<groupName>    flexconnect group name

(WLC) >config flexconnect group LTU-OEAP600 ?               
add            Adds flexconnect group 
ap             Configure flexconnect group AP information.
central-dhcp   Configures central-dhcp on Flexconnect group per Wlan
delete         Deletes flexconnect group
local-split    Config local-split acl on Flexconnect Group.
multicast      Sets Multicast/Broadcast across L2 Broadcast Domain on Overridden interface for locally switched clients
policy         Config policy acl on Flexconnect Group.
predownload    Sets Efficient Upgrade for group 
radius         RADIUS server for client authentication in standalone mode
vlan           Config Vlan on Flexconnect Group.
web-auth       Config web-auth acl on Flexconnect Group.
wlan-vlan      Configure Wlan-Vlan mapping on flexconnect group.

(WLC) >config flexconnect group LTU-OEAP600 ap ?               
add            Add AP <MacAddress> to flexconnect group table.
delete         Delete AP <MacAddress> from flexconnect group table.

(WLC) >config flexconnect group LTU-OEAP600 ap add ?               
<MacAddress>   AP Mac Address.

(WLC) >config flexconnect group LTU-OEAP600 ap add 70:81:05:03:7c:ef

By using following CLI you can verify your configurations.

(WLC) >show flexconnect ?              
acl            Display system Access Control Lists.
group          Display flexconnect group information.
office-extend  Display flexconnect OfficeExtend AP information.

(WLC) >show flexconnect acl ?               
summary        Display a summary of the Access Control Lists.
detailed       Display detailed Access Control List information.

(WLC) >show flexconnect acl summary  
ACL Name                         Status
-------------------------------- -------
Flex-Split-Tunnel                Applied

(BUN-PW00-WC01) >show flexconnect acl detailed Flex-Split-Tunnel
                   Source                        Destination                Source Port  Dest Port
Index        IP Address/Netmask              IP Address/Netmask        Prot    Range       Range    DSCP  Action
------ ------------------------------- ------------------------------- ---- ----------- ----------- ----- -------
     1         0.0.0.0/0.0.0.0             192.168.0.0/255.255.0.0      Any     0-65535     0-65535  Any Permit
     2         0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0          Any     0-65535     0-65535  Any   Deny

(WLC) >show flexconnect group ?               
detail         Display detail for a specific flexconnect group.
summary        Display list of flexconnect groups.

(WLC) >show flexconnect group summary 
FlexConnect Group Summary: Count: 1
Group Name                # Aps
LTU-OEAP600                        1

(WLC) >show flexconnect group detail LTU-OEAP600 
Number of AP's in Group: 1 
70:81:05:03:7c:ef    OE-AP013-RasikaN     Joined 
Efficient AP Image Upgrade ..... Disabled

Master-AP-Mac     Master-AP-Name                    Model      Manual

Group Radius Servers Settings:
Type           Server Address    Port   
-------------  ----------------  -------
                                         Primary       Unconfigured      Unconfigured
                                                                                      Secondary     Unconfigured      Unconfigured
Group Radius AP Settings:
AP RADIUS server............ Disabled
EAP-FAST Auth............... Disabled
LEAP Auth................... Disabled
EAP-TLS Auth................ Disabled
EAP-TLS CERT Download....... Disabled
PEAP Auth................... Disabled
Server Key Auto Generated... No
Server Key..................     <hidden>    
Authority ID................ 436973636f0000000000000000000000
Authority Info.............. Cisco A_ID
PAC Timeout................. 0
Multicast on Overridden interface config: Disabled
Number of User's in Group: 0
Group-Specific FlexConnect Local-Split ACLs :
WLAN ID     SSID                            ACL 
--------   --------------------            ----- 
1          eduroam                          Flex-Split-Tunnel               
2          LTUWireless2                     Flex-Split-Tunnel               
Group-Specific FlexConnect Wlan-Vlan Mapping:
WLAN ID     Vlan ID          
--------   --------------------

WLAN ID   SSID                            Central-Dhcp  Dns-Override  Nat-Pat

Once you do this you are ready to test your feature. As you can see my client get 131.x.x.14 IP, but still I can reach my local network 192.168.20.x at home.

It is working fine, How can you see what changes it makes on the AP config once you enable this feature. “show derived config” is the CLI command you need to run on AP console to see config changes pushed by WLC to AP. Here is the relevant section of this output (not all). As you can see it will create NAT configuration with ACL defined for Split Tunneling (similar config you use in IOS device to configure split tunneling).

OE-AP013-RasikaN#show derived-config 

dot11 ssid LTUWireless2 1 <--Corporate SSID 1
dot11 ssid eduroam 2  <- Corporate SSID 2
dot11 ssid mrn-cciew 16 <- Personal SSID
!
interface Dot11Radio1
 antenna gain 0
 traffic-metrics aggregate-report
 peakdetect
 beamform ofdm
 mbssid
 speed  basic-12.0 18.0 basic-24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
 power client local
 packet retries 64 drop-packet
 no cdp enable
!
interface Dot11Radio1.1
 encapsulation dot1Q 1
 bridge-group 18
!
interface Dot11Radio1.2
 encapsulation dot1Q 2
 bridge-group 18
!
interface Dot11Radio1.17
 encapsulation dot1Q 17 native
 bridge-group 1
!
interface Dot11Radio1.18
 encapsulation dot1Q 18
 bridge-group 18
!
interface GigabitEthernet0.1
 encapsulation dot1Q 1 native
 bridge-group 1
!
interface BVI1
 ip address dhcp client-id BVI1
 ip nat outside
!
interface BVI18
 ip address 149.x.x.x 255.255.248.0 secondary <- gateway address of dyanamic interface for WLAN1
 ip address 131.x.x.x 255.255.248.0 <- gateway address of dyanamic interface for WLAN2
 ip nat inside
!
ip nat inside source list reap_local_central_acl interface BVI1 overload
!
ip access-list extended Flex-Split-Tunnel
 permit ip any 192.168.0.0 0.0.255.255
 deny   ip any any
ip access-list extended reap_local_central_acl
 permit ip 131.x.x.0 0.0.7.255 any <- WLAN1 dynamic interface subnet
 permit ip 149.x.x.0 0.0.7.255 any <- WLAN1 dynamic interface subnet
!
arp 149.x.x.18 04f7.e4ea.5b66 ARPA <- Client1 IP Address 
arp 131.x.x.14 a088.b435.c2f0 ARPA <- Client2 IP Address 

In next post we will see how this feature works in OEAP 600 series.

Reference:
1. Configuring FlexConnect – WLC 7.5 Release
2. FlexConnect Split Tunneling – Cisco DOC-27758

As described in the previous post, Split tunneling feature was available in FlexConnect AP since WLC 7.3.x onwards. Cisco introduced this feature to OEAP600 series AP model in WLC 7.5.x onwards.

In this post we will see how we can configure this for those 600 series AP. Before go into Split Tunnel Configuration you should know few important points about this 600 series AP model.

1. It has 4-LAN ports (like home grade wireless internet router)
2. Port 4 is called Remote-LAN where you can extend one of your office wired vlan.
3. Max 15 client devices can connect via wireless for Corporate SSID advertise (not include personal SSID)
4. Max 4 wired clients supported.
5. WAN port has to connect to your home internet router (or any port where public internet access is available)
6. This AP need to configure for local DHCP for the personal SSID you create or local wired clients connecting via Port 1-3.(WAN port & Local LAN ports cannot be in same network)

When you connect this to your home network connectivity looks like this.

As you can see above when you plug OEAP600 series into your home network & you are planning to use personal SSID or Local LAN ports, those devices will get an IP defined by the AP itself. It won’t be the same home network you already having.(WAN port of the OEAP will be in same network 192.168.20.x/24)

Therefore with this AP model, if you enable split tunneling you would able to reach local network -10.30.83.0 /24 (sitting on OEAP itself) while you are connecting to corporate SSID. You won’t be able to access your home network -192.168.20.024 while you are connecting to corporate SSID.

Here how you configure this feature on WLC running 7.5.102.0 onwards for OEAP600 series AP. First of all you need to enable split tunneling globally. By default it was disabled (as shown) & you have to un-ticked that check box.

Then you need to go to WLAN-Advanced settings where you can enable this feature for specific WLAN.

Now Split Tunneling is there in your OEAP600 series AP. Once you connect to corporate SSID (which is enabled with Split Tunnel) you can reach any device connect to your OEAP personal SSID or Local LAN ports.

So if you want to have print, then you have to move your printer back to OEAP local port. Then what above you other local devices in 192.168.20.x communicating back to Printer (or any device in 10.30.83.0/24 range). Since your home internet router does not know existence of a such network within your home, that won’t work.

What are the solution to get it working ?
1. You can add a static route entry in your home internet router pointing to OEAP for 10.30.83.0/24
2. Use your OEAP as home network & all wired connection behind OEAP (this works only you have 2-3 devices) as it has limited wired MAC address limit.
3. Turn off your home internet router wireless & only used OEAP personal SSID.

But if you are giving this solution to your corporate office staff to use at their home, do you want to involve their home network configuration ? most probably answer would be NO, since it will give you additional administrative overhead.

That’s why I preferred FlexConnect AP using as OEAP instead of giving OEAP600 to meet this requirement (local printing while connecting to corporate SSID). But commercial term wise OEAP would be a viable option if you planning to give this in volumes to your staff.

Ref
1. Configuring Office Extend Access Point – 7.5 Config Guide
2. 600 Series OEAP Config Guide

Related Posts

1. Split Tunneling with OEAP

I found this CiscoLive presentation (BRKCRS-2890-Converged Access QoS) is really useful to get an insight of QoS in these latest 3850 integrated controllers. Please go through it

Here are some snapshots of that presentation.

I am eager to learn this product (specially QoS in detail). I will do post about this product as I learn bit by bit

In this post we will see how to configure a Cisco3850 switch for basic wireless connectivity. This is part of Converged Access product platform & you should have some familiarity with new architecture (which will not discussed in this post). Here ae the few key points you need to remember when using 3850 as WLC.

1. You have to attach your access points directly to your 3850 switches (yes, every wiring closet you should have this in order to all building AP to be connect to this new environment)

2. Wireless management vlan & AP management vlan should be identical. If you configure vlan 21 as wireless management in 3850 switch all your APs connected to this switch should be on access vlan 21.

3. You have to enable Mobility Controller (MC) functionality to terminate CAPWAP (MC functionality can be in the same 3850 switch, another 3850 switch or 5508/5760 centralized controller). By default, when you enable wireless management, switch will act as Mobility Agent (MA) & not able to terminate CAPWAP.

4.“ipbase” or “ipservices” feature set to be there for MC functionality.”lanbase” cannot be used for MC functionality switch stack.

5. Given 3850 switch stack can support maximum 50 APs.

In my lab setup I have two 3850 switches stacked together. Before getting started, we will ensure we will have latest software code on this switch. At the time of this write up, IOS-XE 3.2.3SE is the latest code available for this 3850 platform. You can refer 3850 IOS-XE 3.2.x SE release note for more details of the features/restrictions/etc.

Let’s copy this new image to flash of our 3850.

3850-1#copy tftp://192.168.20.51/firmware/cat3k_caa-universalk9.SPA.03.02.03.SE.150-1.EX3.bin flash:
Destination filename [cat3k_caa-universalk9.SPA.03.02.03.SE.150-1.EX3.bin]? 
Accessing tftp://192.168.20.51/firmware/cat3k_caa-universalk9.SPA.03.02.03.SE.150-1.EX3.bin...
Loading firmware/cat3k_caa-universalk9.SPA.03.02.03.SE.150-1.EX3.bin from 192.168.20.51 (via Vlan999): 
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!
[OK - 223743040 bytes]

There are two modes called “INSTALL” & “BUNDLE” available in these new switches. If you want to boot in “INSTALL” mode you have to copy the image onto flash first. In “BUNDLE” mode, you can still  keep the image on TFTP & boot from there if required. But in BUNDLE mode switch require more memory to do this function & preferred method is do it via “INSTALL” mode.

You can use “software install file <file_location> ” command to install new software onto your switch. At the end it will prompt to reload the switch as shown below.

3850-1#software install file flash:cat3k_caa-universalk9.SPA.03.02.03.SE.150-1.EX3.bin
Preparing install operation ...
[1]: Copying software from active switch 1 to switch 2
[1]: Finished copying software to switch 2
[1 2]: Starting install operation
[1 2]: Expanding bundle flash:cat3k_caa-universalk9.SPA.03.02.03.SE.150-1.EX3.bin
[1 2]: Copying package files
[1 2]: Package files copied
[1 2]: Finished expanding bundle flash:cat3k_caa-universalk9.SPA.03.02.03.SE.150-1.EX3.bin
[1 2]: Verifying and copying expanded package files to flash:
[1 2]: Verified and copied expanded package files to flash:
[1 2]: Starting compatibility checks
[1 2]: Finished compatibility checks
[1 2]: Starting application pre-installation processing
[1 2]: Finished application pre-installation processing
[1]: Old files list:
 Removed cat3k_caa-base.SPA.03.02.02.SE.pkg
 Removed cat3k_caa-drivers.SPA.03.02.02.SE.pkg
 Removed cat3k_caa-infra.SPA.03.02.02.SE.pkg
 Removed cat3k_caa-iosd-universalk9.SPA.150-1.EX2.pkg
 Removed cat3k_caa-platform.SPA.03.02.02.SE.pkg
 Removed cat3k_caa-wcm.SPA.10.0.111.0.pkg
[2]: Old files list:
 Removed cat3k_caa-base.SPA.03.02.02.SE.pkg
 Removed cat3k_caa-drivers.SPA.03.02.02.SE.pkg
 Removed cat3k_caa-infra.SPA.03.02.02.SE.pkg
 Removed cat3k_caa-iosd-universalk9.SPA.150-1.EX2.pkg
 Removed cat3k_caa-platform.SPA.03.02.02.SE.pkg
 Removed cat3k_caa-wcm.SPA.10.0.111.0.pkg
[1]: New files list:
 Added cat3k_caa-base.SPA.03.02.03.SE.pkg
 Added cat3k_caa-drivers.SPA.03.02.03.SE.pkg
 Added cat3k_caa-infra.SPA.03.02.03.SE.pkg
 Added cat3k_caa-iosd-universalk9.SPA.150-1.EX3.pkg
 Added cat3k_caa-platform.SPA.03.02.03.SE.pkg
 Added cat3k_caa-wcm.SPA.10.0.120.0.pkg
[2]: New files list:
 Added cat3k_caa-base.SPA.03.02.03.SE.pkg
 Added cat3k_caa-drivers.SPA.03.02.03.SE.pkg
 Added cat3k_caa-infra.SPA.03.02.03.SE.pkg
 Added cat3k_caa-iosd-universalk9.SPA.150-1.EX3.pkg
 Added cat3k_caa-platform.SPA.03.02.03.SE.pkg
 Added cat3k_caa-wcm.SPA.10.0.120.0.pkg
[1 2]: Creating pending provisioning file
[1 2]: Finished installing software. New software will load on reboot.
[1 2]: Committing provisioning file
[1 2]: Do you want to proceed with reload? [yes/no]: yes
[2]: Reloading
[1]: Pausing before reload

Now if you look at your contents of your flash directory you will see multiple .pkg files .conf files. Depending on the image came with your switch & how many time you upgraded the switch, there could be multiple versions of the .conf files & .pkg files. You can clean this directory using “software clean” command which will result deleting all unwanted file from your directory. In this way you will only keep 3.2.3SE related files on your flash.

3850-1#dir
Directory of flash:/
85193 -rw- 2097152 Sep 28 2013 14:28:26 +10:00 nvram_config
85187 -rw- 74410468 Jan 1 1970 11:01:11 +11:00 cat3k_caa-base.SPA.03.02.00SE.pkg
85188 -rw- 2773680 Jan 1 1970 11:01:12 +11:00 cat3k_caa-drivers.SPA.03.02.00.SE.pkg
85189 -rw- 32478044 Jan 1 1970 11:01:12 +11:00 cat3k_caa-infra.SPA.03.02.00SE.pkg
85190 -rw- 30393116 Jan 1 1970 11:01:12 +11:00 cat3k_caa-iosd-universalk9.SPA.150-1.EX.pkg
85191 -rw- 18313952 Jan 1 1970 11:01:12 +11:00 cat3k_caa-platform.SPA.03.02.00.SE.pkg
85192 -rw- 63402700 Jan 1 1970 11:01:12 +11:00 cat3k_caa-wcm.SPA.10.0.100.0.pkg
85199 -rw- 1224 Sep 28 2013 14:19:19 +10:00 packages.conf
85196 -rw- 8916 Sep 26 2013 15:59:58 +10:00 vlan.dat
85195 -rw- 114 Jun 6 2013 08:31:45 +10:00 express_setup.debug
85194 -rw- 1224 Sep 25 2013 02:20:20 +10:00 packages.conf.00-
 7750 -rw- 74369252 Sep 25 2013 02:20:16 +10:00 cat3k_caa-base.SPA.03.02.02.SE.pkg
 7751 -rw- 5808828 Sep 25 2013 02:20:16 +10:00 cat3k_caa-drivers.SPA.03.02.02.SE.pkg
 7752 -rw- 32488292 Sep 25 2013 02:20:16 +10:00 cat3k_caa-infra.SPA.03.02.02.SE.pkg
 7753 -rw- 30403764 Sep 25 2013 02:20:16 +10:00 cat3k_caa-iosd-universalk9.SPA.150-1.EX2.pkg
 7754 -rw- 16079584 Sep 25 2013 02:20:16 +10:00 cat3k_caa-platform.SPA.03.02.02.SE.pkg
 7755 -rw- 64580300 Sep 25 2013 02:20:17 +10:00 cat3k_caa-wcm.SPA.10.0.111.0.pkg
85186 -rw- 223743040 Sep 28 2013 13:30:24 +10:00 cat3k_caa-universalk9.SPA.03.02.03.SE.150-1.EX3.bin
85198 -rw- 1218 Jan 1 1970 11:01:22 +11:00 packages.conf.01-
30979 -rw- 74369716 Sep 28 2013 14:19:15 +10:00 cat3k_caa-base.SPA.03.02.03.SE.pkg
30980 -rw- 5808828 Sep 28 2013 14:19:15 +10:00 cat3k_caa-drivers.SPA.03.02.03.SE.pkg
30981 -rw- 32496484 Sep 28 2013 14:19:15 +10:00 cat3k_caa-infra.SPA.03.02.03.SE.pkg
30982 -rw- 30418104 Sep 28 2013 14:19:15 +10:00 cat3k_caa-iosd-universalk9.SPA.150-1.EX3.pkg
30983 -rw- 16059104 Sep 28 2013 14:19:15 +10:00 cat3k_caa-platform.SPA.03.02.03.SE.pkg
30984 -rw- 64586444 Sep 28 2013 14:19:15 +10:00 cat3k_caa-wcm.SPA.10.0.120.0.pkg
1621966848 bytes total (723390464 bytes free)

3850-1#software clean 
Preparing clean operation ...
[1 2]: Cleaning up unnecessary package files
[1 2]: No path specified, will use booted path flash:packages.conf
[1 2]: Cleaning flash:
[1]: Preparing packages list to delete ...
 cat3k_caa-base.SPA.03.02.03.SE.pkg
 File is in use, will not delete.
 cat3k_caa-drivers.SPA.03.02.03.SE.pkg
 File is in use, will not delete.
 cat3k_caa-infra.SPA.03.02.03.SE.pkg
 File is in use, will not delete.
 cat3k_caa-iosd-universalk9.SPA.150-1.EX3.pkg
 File is in use, will not delete.
 cat3k_caa-platform.SPA.03.02.03.SE.pkg
 File is in use, will not delete.
 cat3k_caa-wcm.SPA.10.0.120.0.pkg
 File is in use, will not delete.
 packages.conf
 File is in use, will not delete.
[2]: Preparing packages list to delete ...
 cat3k_caa-base.SPA.03.02.03.SE.pkg
 File is in use, will not delete.
 cat3k_caa-drivers.SPA.03.02.03.SE.pkg
 File is in use, will not delete.
 cat3k_caa-infra.SPA.03.02.03.SE.pkg
 File is in use, will not delete.
 cat3k_caa-iosd-universalk9.SPA.150-1.EX3.pkg
 File is in use, will not delete.
 cat3k_caa-platform.SPA.03.02.03.SE.pkg
 File is in use, will not delete.
 cat3k_caa-wcm.SPA.10.0.120.0.pkg
 File is in use, will not delete.
 packages.conf
 File is in use, will not delete.
[1]: Files that will be deleted:
 cat3k_caa-base.SPA.03.02.00SE.pkg
 cat3k_caa-base.SPA.03.02.02.SE.pkg
 cat3k_caa-drivers.SPA.03.02.00.SE.pkg
 cat3k_caa-drivers.SPA.03.02.02.SE.pkg
 cat3k_caa-infra.SPA.03.02.00SE.pkg
 cat3k_caa-infra.SPA.03.02.02.SE.pkg
 cat3k_caa-iosd-universalk9.SPA.150-1.EX.pkg
 cat3k_caa-iosd-universalk9.SPA.150-1.EX2.pkg
 cat3k_caa-platform.SPA.03.02.00.SE.pkg
 cat3k_caa-platform.SPA.03.02.02.SE.pkg
 cat3k_caa-universalk9.SPA.03.02.03.SE.150-1.EX3.bin
 cat3k_caa-wcm.SPA.10.0.100.0.pkg
 cat3k_caa-wcm.SPA.10.0.111.0.pkg
 packages.conf.00-
 packages.conf.01-
[2]: Files that will be deleted:
 cat3k_caa-base.SPA.03.02.00SE.pkg
 cat3k_caa-base.SPA.03.02.02.SE.pkg
 cat3k_caa-drivers.SPA.03.02.00.SE.pkg
 cat3k_caa-drivers.SPA.03.02.02.SE.pkg
 cat3k_caa-infra.SPA.03.02.00SE.pkg
 cat3k_caa-infra.SPA.03.02.02.SE.pkg
 cat3k_caa-iosd-universalk9.SPA.150-1.EX.pkg
 cat3k_caa-iosd-universalk9.SPA.150-1.EX2.pkg
 cat3k_caa-platform.SPA.03.02.00.SE.pkg
 cat3k_caa-platform.SPA.03.02.02.SE.pkg
 cat3k_caa-universalk9.SPA.03.02.03.SE.150-1.EX3.bin
 cat3k_caa-wcm.SPA.10.0.100.0.pkg
 cat3k_caa-wcm.SPA.10.0.111.0.pkg
 packages.conf.00-
 packages.conf.01-
[1 2]: Do you want to proceed with the deletion? [yes/no]: yes
[1 2]: Clean up completed

3850-1#dir
Directory of flash:/
85193 -rw- 2097152 Sep 28 2013 14:28:26 +10:00 nvram_config
85199 -rw- 1224 Sep 28 2013 14:19:19 +10:00 packages.conf
85196 -rw- 8916 Sep 26 2013 15:59:58 +10:00 vlan.dat
85195 -rw- 114 Jun 6 2013 08:31:45 +10:00 express_setup.debug
30979 -rw- 74369716 Sep 28 2013 14:19:15 +10:00 cat3k_caa-base.SPA.03.02.03.SE.pkg
30980 -rw- 5808828 Sep 28 2013 14:19:15 +10:00 cat3k_caa-drivers.SPA.03.02.03.SE.pkg
30981 -rw- 32496484 Sep 28 2013 14:19:15 +10:00 cat3k_caa-infra.SPA.03.02.03.SE.pkg
30982 -rw- 30418104 Sep 28 2013 14:19:15 +10:00 cat3k_caa-iosd-universalk9.SPA.150-1.EX3.pkg
30983 -rw- 16059104 Sep 28 2013 14:19:15 +10:00 cat3k_caa-platform.SPA.03.02.03.SE.pkg
30984 -rw- 64586444 Sep 28 2013 14:19:15 +10:00 cat3k_caa-wcm.SPA.10.0.120.0.pkg
1621966848 bytes total (1393401856 bytes free)

You can verify switch is having upgraded image in each member of the switch stack.

3850-1#sh ver | be SW 

Switch Ports Model              SW Version        SW Image              Mode   
------ ----- -----              ----------        ----------            ----   
     1 56    WS-C3850-48P       03.02.03.SE       cat3k_caa-universalk9 INSTALL
     2 56    WS-C3850-48P       03.02.03.SE       cat3k_caa-universalk9 INSTALL

You can verify boot configuration of your switch using “show boot” CLI command. As you can see “packages.conf” file is the boot loading file used in the booting process. If this file is not exist or corrupted switch will go onto ROMMON mode.

3850-1#sh boot 
---------------------------
Switch 1
---------------------------
Current Boot Variables:
BOOT variable = flash:packages.conf;

Boot Variables on next reload:
BOOT variable = flash:packages.conf;
Manual Boot = no
Enable Break = no

You can access wireless controller GUI using https://<switch-ipaddress>/wireless URL.

It is different look & feel compare to CUWN controllers (5508,2504, etc). Let’s see how we can configure the wireless controller config on this switch. First of all you need to ensure you have the correct license to start with.

3850-1#show license right-to-use ?
 default Displays the default license information.
 detail Displays details of all the licenses in the stack.
 eula Displays the EULA text.
 mismatch Displays mismatch license information.
 slot Specify switch number
 summary Displays consolidated stack wide license information.
 usage Displays the usage details of all licenses.
 | Output modifiers
 <cr>

3850-1#show license right-to-use summary 
License Name Type Count Period left
-----------------------------------------------
 lanbase permanent N/A Lifetime
 apcount base 0 Lifetime
 apcount adder 0 Lifetime
 --------------------------------------------
 License Level In Use: ipbase
 License Level on Reboot: ipbase
 Evaluation AP-Count: Disabled
 Total AP Count Licenses: 0 
 AP Count Licenses In-use: 0
 AP Count Licenses Remaining: 0

In Converged Access architecture, 3850 can act as Mobility Agent (MA) or Mobility Controller (MC). By default it is a MA. Normally AP licence should be on a MC where CAPWAP tunnels from AP get terminated. In this case we have only 3850 switch for everything (MC & MA) so you have to install AP licence onto this switch. Remember that maximume 50 APs can be supported by a 3850 switch stack. In our case we will configure 25 licence each for the first two members of stack & all APs to be terminated in these two switches (max 25 in each member).

3850-1#license right-to-use ?
 activate activate particular license level
 deactivate deactivate particular license level

3850-1#license right-to-use activate ?
 apcount configure the AP-count licenses on the switch
 ipbase activate ipbase license on the switch
 ipservices activate Ipservices license on the switch
 lanbase activate lanbase license on the switch

3850-1#license right-to-use activate apcount ?
 <1-50> configure the number of adder licenses
 evaluation activate evaluation license

3850-1#license right-to-use activate apcount 50 ?
 slot Specify switch number

3850-1#license right-to-use activate apcount 50 slot ?
 <1-9> Specify switch number

3850-1#license right-to-use activate apcount 50 slot 1 ?
 acceptEULA automatically accept the EULA for the given license
 <cr>

3850-1#license right-to-use activate apcount 50 slot 1 acceptEULA 
3850-1#license right-to-use activate apcount 50 slot 2 acceptEULA 
% switch-2:stack-mgr:ACTIVATION FAIL : Total AP Count Licenses exceed maximum limit
!
3850-1#license right-to-use deactivate apcount 25 slot 1 
3850-1#license right-to-use activate apcount 25 slot 2 acceptEULA

You have to enable the MC functionality of 3850 by using the “wireless mobility controller” CLI command as shown below.

3850-1(config)#wireless mobility ?
 controller Configures mobility controller settings
 dscp Configures the Mobility inter controller DSCP value
 group Configures the Mobility group parameters
 load-balance Configure mobility load-balance status
 multicast Configures the Multicast Mode for mobility messages
 oracle Configures mobility oracle settings

3850-1(config)#wireless mobility controller ?
 ip no description
 peer-group Configures mobility peer groups 
 <cr>

3850-1(config)#wireless mobility controller

Now we are one step away to register our AP. To register AP you should nominate an interface as wireless management interface. You have to remember that all your AP should be configured with same vlan access port where you configured for wireless management, otherwise AP won’t join. In our case we will use vlan21 as wireless management interface & configure switch port connected to AP in vlan 21

interface Vlan21
 ip address 192.168.21.1 255.255.255.0
!
wireless management interface Vlan21
!
interface GigabitEthernet1/0/1
switchport access vlan 21
switchport mode access
spanning-tree portfast

Now if you type “show ap summary” you would see your AP get registered to your 3850 WLC

3850-1#show ap summary 
Number of APs: 1
Global AP User Name: Not configured
Global AP Dot1x User Name: Not configured

AP Name                           AP Model  Ethernet MAC    Radio MAC       State         
----------------------------------------------------------------------------------------
bc16.6516.790e                    3602I     bc16.6516.790e  f41f.c298.c2a0  Registered

You can change any AP specific configuration by using “ap name <AP-NAME> x” CLI commands. Following are the all options available. we will change the name as example.

5508-1#ap name bc16.6516.790e ?

  ap-groupname      Set groupname
  bhrate            Bridge Backhaul Tx Rate
  bridgegroupname   Set bridgegroupname
  bridging          Enable Ethernet-to-Ethernet bridging
  capwap            AP Capwap parameters
  command           Remote execute a command on Cisco AP
  console-redirect  Enable redirecting remote debug output of Cisco AP to
                    console
  core-dump         Enable memory core dump on Cisco AP
  country           Configure the country of operation
  crash-file        Manage crash data and radio core files for Cisco AP
  dot11             Configures 802.11 parameters
  dot1x-user        Enable the 802.1X credential for the current AP
  ethernet          Configure Ethernet Port of the AP
  image             Configure image
  led               Enable LED-state for Cisco AP
  link-encryption   Enable link encryption state on Cisco AP
  link-latency      Enable Link Latency on Cisco AP
  location          Configure AP location
  mfp               Enable Management Frame Protection
  mgmtuser          Configures user name, password and secret for AP management
  mode              Select AP mode of operation
  monitor-mode      Monitor-mode channel optimization
  name              Configure AP name
  no                Negate a command or set its defaults
  power             Configure Cisco Power over Ethernet (PoE) feature for AP
  reset             Reset AP
  reset-button      Disable or enable reset button on AP
  shutdown          Disable AP
  slot              Set slot number
  sniff             Enable sniffing on dot11a/b radio
  ssh               Enable SSH
  static-ip         Set Cisco AP static IP address configuration
  stats-timer       Set the frequency at which statistics are sent from AP
  syslog            Set the system logging settings for Cisco AP
  tcp-adjust-mss    TCP MSS configuration for an AP
  telnet            Enable telnet for Cisco AP
  tftp-downgrade    Initiate AP image downgrade from a TFTP server

5508-1#ap name bc16.6516.790e name L3600-1

5508-1#show ap summary 
Number of APs: 1
Global AP User Name: Not configured
Global AP Dot1x User Name: Not configured

AP Name                           AP Model  Ethernet MAC    Radio MAC       State         
----------------------------------------------------------------------------------------
L3600-1                           3602I     bc16.6516.790e  f41f.c298.c2a0  Registered

You can use “show ap name <AP_NAME> x” CLI commands to view specific AP configurations.

5508-1#show ap name L3600-1 ?                    
  auto-rf          Auto-RF information for a Cisco AP
  bhmode           Show Cisco Bridge Backhaul Mode
  bhrate           Show Cisco Bridge Backhaul Rate
  cac              Display Call Admission Control details
  capwap           AP Capwap parameters
  ccx              Shows ccx related information
  cdp              Shows Cisco AP cdp information
  channel          Shows the channel information of an Cisco AP
  config           Shows the configuration of an Cisco AP
  core-dump        Shows the AP memory core dump setting for an Cisco AP
  data-plane       Show data plane status
  dot11            Show 802.11 parameters
  ethernet         Shows ethernet information
  eventlog         Downloads and displays the event log of a Cisco AP
  image            Shows the images present on a Cisco AP
  inventory        Displays the inventory of a Cisco AP
  link-encryption  Show link encryption status
  service-policy   Show service policy information
  tcp-adjust-mss   Show tcp-adjust-mss  for an AP
  wlan             Show BSSIDs for each AP

5508-1#show ap name L3600-1 config general 
Cisco AP Name                                   : L3600-1
Cisco AP Identifier                             : 3
Country Code                                    : AU  - Australia
Regulatory Domain Allowed by Country            : 802.11bg:-A     802.11a:-N
AP Country Code                                 : AU  - Australia
AP Regulatory Domain                            : Unconfigured
Switch Port Number                              : Gi1/0/1
MAC Address                                     : bc16.6516.790e
IP Address Configuration                        : DHCP
IP Address                                      : 192.168.21.53
IP Netmask                                      : 255.255.255.0
Gateway IP Address                              : 192.168.21.254
CAPWAP Path MTU                                 : 1500
Telnet State                                    : Disabled
SSH State                                       : Disabled
Cisco AP Location                               : default location
Cisco AP Group Name                             : default-group
Administrative State                            : Enabled
Operation State                                 : Registered
AP Mode                                         : Local
AP Submode                                      : Not Configured
Remote AP Debug                                 : Disabled
Logging Trap Severity Level                     : informational
Software Version                                : 10.0.101.0
Boot Version                                    : 15.2.2.4
Stats Reporting Period                          : 180
LED State                                       : Enabled
PoE Pre-Standard Switch                         : Disabled
PoE Power Injector MAC Address                  : Disabled
Power Type/Mode                                 : Power Injector/Normal Mode
Number of Slots                                 : 2
AP Model                                        : 3602I
AP Image                                        : C3600-K9W8-M
IOS Version                                     : 15.2(2)JN$
Reset Button                                    : Enabled
AP Serial Number                                : FGL1721X3K5
AP Certificate Type                             : Manufacture Installed
Management Frame Protection Validation          : Disabled
AP User Mode                                    : Automatic
AP User Name                                    : Not Configured
AP 802.1X User Mode                             : Not Configured
AP 802.1X User Name                             : Not Configured
Cisco AP System Logging Host                    : 255.255.255.255
AP Up Time                                      : 3 days 20 hours 14 minutes 26 seconds 
AP CAPWAP Up Time                               : 3 days 20 hours 12 minutes 57 seconds 
Join Date and Time                              : 09/24/2013 19:01:11

If you want to configure global settings for all APs then you have to go for the configuration mode & then use “ap x ” CLI command as shown below. We will change Country code as example. You can add upto 20 country codes if you have AP in multiple countries.

3850-1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
3850-1(config)#ap ?
  auth-list         Configure Access Point authorization list
  bridging          Enable/Disable Ethernet-to-Ethernet bridging on all Cisco APs
  capwap            ap capwap parameters
  cdp               Enable/Disable CDP for all Cisco APs
  core-dump         Enable/Disable memory core dump on all Cisco APs
  country           Configure the country of operation
  dot11             Configures 802.11 parameters
  dot1x             Configure the 802.1X credential for all APs
  ethernet          Configure Ethernet Port on all Cisco APs
  group             Manage AP Groups VLAN feature
  led               Enable/Disable LED-state for all Cisco APs
  link-encryption   Enable link encryption state on all Cisco AP's
  link-latency      Enable Link Latency on all Cisco AP's
  mgmtuser          Configure the user for AP management
  power             Configure Cisco Power over Ethernet (PoE) feature for all AP's
  reporting-period  Configure AP rogue/error reporting period
  reset-button      Enable/Disable reset button for all Cisco APs
  static-ip         Set Cisco AP static IP address configuration
  syslog            Configure the system logging settings for Cisco AP
  tcp-adjust-mss    Enable/Disable TCP MSS configuration for all Cisco APs
  tftp-downgrade    Initiate AP image downgrade from a TFTP server for all Cisco APs

3850-1(config)#ap country ?
  WORD  Enter the country code (e.g. US,MX,IN) upto a maximum of 20 countries

3850-1(config)#ap country AU
Changing country code could reset channel and RRM grouping configuration. If running in RRM One-Time mode, reassign channels after this command. Check customized APs for valid channel values after this command. 
Are you sure you want to continue? (y/n)[y]: y
3850-1(config)#

Next we will configure a WLAN.

5508-1(config)#wlan ?
  WORD      Enter Profile Name up to 32 alphanumeric characters
  shutdown  Enable/disable all WLANs

5508-1(config)#wlan MRN-CCIEW ?
  <1-64>  Create WLAN Identifier
  <cr>

5508-1(config)#wlan MRN-CCIEW 1 ?
  WORD  Enter SSID (Network Name) up to 32 alphanumeric characters
  <cr>

5508-1(config)#wlan MRN-CCIEW 1 MRN-CCIEW 
5508-1(config-wlan)#no shutdown

you can verify WLAN configuration in your “show running-config all” output.

5508-1#show running-config all | section wlan
wlan MRN-CCIEW 1 MRN-CCIEW
 accounting-list 
 channel-scan defer-time 100
 client association limit 0
 client vlan default
 dtim dot11 24ghz 1
 dtim dot11 5ghz 1
 exclusionlist timeout 60
 ip access-group web none
 ip access-group none
 ip dhcp server 0.0.0.0
 ipv6 traffic-filter web none
 ipv6 traffic-filter none
 mac-filtering 
 radio all
 security dot1x authentication-list 
 security dot1x encryption 104
 security static-wep-key authentication open
 security tkip hold-down 60
 security web-auth authentication-list 
 security web-auth parameter-map 
 service-policy client input unknown
 service-policy client output unknown
 service-policy input unknown
 service-policy output unknown
 session-timeout 1800
 no shutdown

You can configure any WLAN specific configs as shown below. You have to shutdown the WLAN before make any changes.

5508-1(config)#wlan MRN-CCIEW 1 MRN-CCIEW 
5508-1(config-wlan)#?
  aaa-override         AAA policy override
  accounting-list      Set the accounting list for IEEE 802.1x
  band-select          Allow|Disallow Band Select on a WLAN.
  broadcast-ssid       Set broadcast SSID on a WLAN
  call-snoop           Call Snooping support
  ccx                  Configure Cisco Client Extension options
  channel-scan         Configures off channel scanning deferral parameters
  chd                  Set CHD per WLAN
  client               WLAN configuration for clients
  datalink             WLAN Datalink commands
  default              Set a command to its defaults
  diag-channel         Set Diagnostics Channel Capability on a WLAN
  dtim                 Set the DTIM period for the WLAN 
  exclusionlist        Set exclusion-listing on WLAN
  exit                 Exit sub-mode
  ip                   WLAN IP configuration commands
  ipv6                 IPv6 WLAN subcommands
  load-balance         Allow|Disallow Load Balance on a WLAN.
  local-auth           Set the EAP Profile on a WLAN
  mac-filtering        Set MAC filtering support on WLAN
  media-stream         Configures media stream
  mfp                  Configures Management Frame Protection
  mobility             Configure mobility
  nac                  Configures Radius NAC support(Identity Service Engine).
  no                   Negate a command or set its defaults
  passive-client       Configures passive client feature
  peer-blocking        Configure peer-to-peer blocking on a WLAN
  radio                Configures the Radio Policy
  roamed-voice-client  Configure Roaming Attrbutes for Voice Clients
  security             Configures the security policy for a WLAN
  service-policy       Configure WLAN QOS Service Policy
  session-timeout      Configures client timeout
  shutdown             Disable WLAN
  sip-cac              Configure Wlan Sip-Cac attributes
  static-ip            Configures static IP client tunneling support on a WLAN.
  uapsd                Configure WMM UAPSD attributes for Wlan
  wgb                  Configures WGB support on the WLAN
  wmm                  Configures WMM (WME)

5508-1(config-wlan)#client vlan 51
% switch-1:wcm:Request failed - WLAN in the enabled state.

5508-1(config-wlan)#shut
5508-1(config-wlan)#client vlan 51

5508-1(config-wlan)#radio ?
  all      Enable all available radios
  dot11a   Enable 802.11a radio only
  dot11ag  Enable 802.11 a and g radios
  dot11bg  Enable 802.11b and g radios
  dot11g   Enable 802.11g radio only

5508-1(config-wlan)#radio dot11a 

5508-1(config-wlan)#wmm ?
  allowed  Allows WMM on the WLAN
  require  Requires WMM enabled clients on the WLAN

5508-1(config-wlan)#wmm require 

5508-1(config-wlan)#ip ?
  access-group  Specify WLAN ACL
  dhcp          Configure DHCP parameters for WLAN
  flow          Flexible Netflow commands
  multicast     Configure multicast
  verify        verify

5508-1(config-wlan)#ip dhcp ?
  opt82     Set DHCP option 82 for wireless clients on this WLAN 
  required  Specify whether DHCP address assignment is required
  server    Configures the WLAN's IPv4 DHCP Server

5508-1(config-wlan)#ip dhcp server 192.168.51.1

5508-1(config-wlan)#no shut

You can verify WLAN settings “show wlan id <WLAN_ID>” CLI command as shown below.

5508-1#show wlan id 1
WLAN Profile Name     : MRN-CCIEW
================================================
Identifier                                     : 1
Network Name (SSID)                            : MRN-CCIEW
Status                                         : Enabled
Broadcast SSID                                 : Enabled
Maximum number of Associated Clients           : 0
AAA Policy Override                            : Disabled
Network Admission Control
  NAC-State                                    : Disabled
Number of Active Clients                       : 0
Exclusionlist Timeout                          : 60
Session Timeout                                : 1800 seconds
CHD per WLAN                                   : Enabled
Webauth DHCP exclusion                         : Disabled
Interface                                      : 51
Interface Status                               : Unconfigured
Multicast Interface                            : Unconfigured
WLAN IPv4 ACL                                  : unconfigured
WLAN IPv6 ACL                                  : unconfigured
DHCP Server                                    : 192.168.51.1
DHCP Address Assignment Required               : Disabled
DHCP Option 82                                 : Disabled
DHCP Option 82 Format                          : ap-mac
DHCP Option 82 Ascii Mode                      : Disabled
DHCP Option 82 Rid Mode                        : Disabled
QoS Service Policy - Input
  Policy Name                                  : unknown
  Policy State                                 : None
QoS Service Policy - Output
  Policy Name                                  : unknown
  Policy State                                 : None
QoS Client Service Policy
  Input  Policy Name                           : unknown
  Output Policy Name                           : unknown
WMM                                            : Required
Channel Scan Defer Priority:
  Priority (default)                           : 4
  Priority (default)                           : 5
  Priority (default)                           : 6
Scan Defer Time (msecs)                        : 100
Media Stream Multicast-direct                  : Disabled
CCX - AironetIe Support                        : Enabled
CCX - Gratuitous ProbeResponse (GPR)           : Disabled
CCX - Diagnostics Channel Capability           : Disabled
Dot11-Phone Mode (7920)                        : Invalid
Wired Protocol                                 : None
Peer-to-Peer Blocking Action                   : Disabled
Radio Policy                                   : 802.11a only
DTIM period for 802.11a radio                  : 1
DTIM period for 802.11b radio                  : 1
Local EAP Authentication                       : Disabled
Mac Filter Authorization list name             : Disabled
Accounting list name                           : Disabled
802.1x authentication list name                : Disabled
Security
    802.11 Authentication                      : Open System
    Static WEP Keys                            : Disabled
    802.1X                                     : Disabled
    Wi-Fi Protected Access (WPA/WPA2)          : Enabled
        WPA (SSN IE)                           : Disabled
        WPA2 (RSN IE)                          : Enabled
            TKIP Cipher                        : Disabled
            AES Cipher                         : Enabled
        Auth Key Management
            802.1x                             : Enabled
            PSK                                : Disabled
            CCKM                               : Disabled
    CKIP                                       : Disabled
    IP Security                                : Disabled
    IP Security Passthru                       : Disabled
    L2TP                                       : Disabled
    Web Based Authentication                   : Disabled
    Conditional Web Redirect                   : Disabled
    Splash-Page Web Redirect                   : Disabled
    Auto Anchor                                : Disabled
    Sticky Anchoring                           : Enabled
    Cranite Passthru                           : Disabled
    Fortress Passthru                          : Disabled
    PPTP                                       : Disabled
    Infrastructure MFP protection              : Enabled
    Client MFP                                 : Optional
    Webauth On-mac-filter Failure              : Disabled
    Webauth Authentication List Name           : Disabled
    Webauth Parameter Map                      : Disabled
    Tkip MIC Countermeasure Hold-down Timer    : 60
Call Snooping                                  : Disabled
Passive Client                                 : Disabled
Non Cisco WGB                                  : Disabled
Band Select                                    : Disabled
Load Balancing                                 : Disabled
IP Source Guard                                : Disabled

By default WLAN is configured with WPA2/AES. So if you want to check basic client connectivity you can disable it. Then you should be able to connect your wireless client to this new SSID.

In a separate post we will see how to configure different security methods for a given SSID.

References:
1. Working with IOS file system-3850 IOS-XE
2. Consolidated Platform Config Guide IOS-EX Release 3SE -3850
3. Cisco AireOS to IOS-XE Migration Guide
4. Getting Started with 5760 & 3850 -Cisco DOC#34430
5. Password Recovery on Cat3850 – Cisco DOC#35289

Related Posts

1. Getting Started with 5760
2. WLAN security configs in 3850
3. WLAN QoS Configs in 3850
4. 3850 Password Recovery
5. Converged Access Mobility

This is one feature I was waiting for long time. In previous models of controllers ( such as 5508,2504, WiSM2) with software code 7.4 onwards you can have some sort of visibility via AVC (Application Visibility & Control) & export netflow data to a collector. But you have to have particular Netflow Collector (Plixer or Cisco Prime Assurance) in order to view these exported netflow information as flow format is not exactly v9.0 compatible.

With new 3850, it is standard netflow v9.0 & nothing different in wireless traffic (since traffic terminated at the switch itself). In this post we will see how to configure netflow for a WLAN created on 3850. Here is the basic topology for the post.

I have defined a SSID called “3850″ with open authentication for simplicity. Here is the WLAN configuration looks like.

wlan 3850 17 3850
 no broadcast-ssid
 client vlan WLN-STF-1
 ip dhcp server x.x.26.100
 radio dot11a
 no security wpa
 no security wpa akm dot1x
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 no shutdown

If you want to monitor the traffic to/from this WLAN you need to configure a flow monitor & apply that either inbound or outbound direction. In Flexible NetFlow you have this advantage where you can apply different flow monitors to the same interface depend on what flow information you want to monitor. In Traditional NetFlow(TNF) you have to collect all supported parameters and it cannot be customized. Flow monitor consist of flow record (only 1 allow) & flow exporters (multiple exporter allow). Here is the summary of config steps.

Let’s define flow record named “WLAN”

3850-1(config)#flow record WLAN

3850-1(config-flow-record)#match ?
  datalink   Datalink (layer2) fields
  flow       Flow identifying fields
  interface  Interface fields
  ipv4       IPv4 fields
  ipv6       IPv6 fields
  transport  Transport layer fields

3850-1(config-flow-record)#match ipv4 ?
  destination  IPv4 destination address based fields
  protocol     IPv4 protocol
  source       IPv4 source address based fields
  tos          IPv4 type of service
  ttl          IPv4 TTL
  version      IP version from IPv4 header
3850-1(config-flow-record)#collect ?
  counter    Counter fields
  interface  Interface fields
  timestamp  Timestamp fields
  transport  Transport layer fields

3850-1(config-flow-record)#collect cou
3850-1(config-flow-record)#collect counter ?
  bytes    Total number of bytes
  packets  Total number of packets

3850-1(config-flow-record)#collect counter by
3850-1(config-flow-record)#collect counter bytes ?
  layer2  Total number of layer 2 bytes
  long    Total number of bytes (64 bit counter)

flow record WLAN
 match ipv4 version
 match ipv4 tos
 match ipv4 ttl
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 collect counter bytes long
 collect counter packets long

Here is my flow exporter named “FLK-1″ configuration. I have used Fluke Netflow Tracker as collector.

3850-1(config)#flow exporter FLK-1
3850-1(config-flow-exporter)#?
  default          Set a command to its defaults
  description      Provide a description for this Flow Exporter
  destination      Export destination configuration
  dscp             Optional DSCP
  exit             Exit from Flow Exporter configuration mode
  export-protocol  Export protocol version
  no               Negate a command or set its defaults
  option           Select an option for exporting
  source           Originating interface
  template         Flow Exporter template configuration
  transport        Transport protocol
  ttl              Optional TTL or hop limit

flow exporter FLK-1
 destination x.x.8.216
 source Vlan999
 transport udp 9995

Then you can define the flow monitor & assign flow record & flow exporter onto it. In my case I have defined two different flow monitors called V4-IN & V4-OUT, but still use the same record & exporter for simplicity. But you can use different record in different monitor (single record per monitor) & multiple exporter if you have more than 1 netflow collectors.

3850-1(config)#flow monitor V4-IN
3850-1(config-flow-monitor)#?
  cache        Configure Flow Cache parameters
  default      Set a command to its defaults
  description  Provide a description for this Flow Monitor
  exit         Exit from Flow Monitor configuration mode
  exporter     Add an Exporter to use to export records
  no           Negate a command or set its defaults
  record       Specify Flow Record to use to define Cache

flow monitor V4-IN
 exporter FLK-1
 record WLAN
!
flow monitor V4-OUT
 exporter FLK-1
 record WLAN

Now you can apply this to the WLAN you configured earlier.

3850-1(config)#wlan 3850
3850-1(config-wlan)#ip flow monitor V4-IN input
3850-1(config-wlan)#ip flow monitor V4-OUT output

Now it is time to see what’s coming in & going out in this WLAN. I am playing some youtube video on iPhone5 & tablet device while making a call between 7925G & 7965 Phones.  Here is the traffic coming from these wireless devices.

Now if you want to look at what type of DSCP values coming from 7925G we can look detail of that as below.

Now if you want to look at down stream traffic to wireless clients I can see it as below. As expected, youtube video played on iPhone5 & tablet get most of the bandwidth.

Now if you trying to look at applications (or protocol) you would see something like this. But why all categorize as TCP or UDP port 0. This is because when we defined the flow record we did not include to collect these information.

Let’s add source-port & destination-port to the flow record. You have to remove the flow record from the monitor before doing any modification.

flow record WLAN
 +match transport source-port
 +match transport destination-port

Now let’s monitor the traffic & see whether it get captured. It’s all come with Application name/port numbers since we capturing that infromation.

Before finishing off this post it is worth to note that these flow monitor command cannot be applied on SVI interfaces (or vlan interfaces).

3850-1(config)#interface vlan 1420
3850-1(config-if)#ip flow monitor V4-IN ?
  input    Apply Flow Monitor on input traffic
  output   Apply Flow Monitor on output traffic
  sampler  Optional Sampler to apply to this Flow Monitor

3850-1(config-if)#ip flow monitor V4-IN input 
% Flow Monitor: Flow Monitor 'V4-IN' flexible netflow not supported on vlan interfaces

If you want to apply this for L3 interface it has to be proper L3 physical interface. Anyway if your 3850 acting as proper L3 switch then you shoud have routed port from that switch to your core & you can apply flow monitor on that routed port. In my case we are having layer 2 access model & as long as we can monitor WLAN traffic at that level we are fine with that.

Ref: Configuring Flexible Netflow – 3850 Config Guide

Related Posts

1. Getting Started with 3850
2. Configuring Netflow on WLC 7.4

Cisco has released IOS XE 3.3.0SE on 7th October for 3850 & 5760 Platforms. What’s new in this version ? There are lots of major enhancement & new features. Support for 802.11ac , mDNS (bonjour service) & AVC are the major enhancement as far as I can see.

Here are the main highlights of this new release & you can refer to full feature list in this release note.

1. Support for 802.11ac module—The 802.11ac radio module (for 3602 AP), which is based on the IEEE 802.11ac Wave 1 standard, is available on the Cisco lightweight access points.

The 802.11ac module provides enterprise-class reliability and wired-network-like performance. The 802.11ac module supports three spatial streams and 80 MHz-wide channels for a maximum data rate of 1.3 Gbps. The 802.11ac standard is a 5-GHz-only technology, which is faster and a more scalable version of the 802.11n standard.

2. Application Visibility (AV)—Classifies applications using deep packet inspection techniques with the Network-Based Application Recognition (NBAR2) engine and provides application-level visibility into Wi-Fi networks.

3. Nine-member stacks—Up to nine switches can participate in a switch stack. All switches must be running the same feature set. Previous versions allow only upto 6 members in a swtich stack.

4. Service Discovery Gateway feature (mDNS)—Enables multicast Domain Name System (mDNS) to operate across Layer 3 boundaries by filtering, caching, and redistributing services from one Layer 3 domain to another. This feature enhances Bring Your Own Device (BYOD).

5. Wireshark—A packet analyzer program that supports multiple protocols and presents information in a text-based user interface.

There are no new addition to the AP models supported by this image and list is same as the previous version. The new 3700 series AP is not supported in this release.(you require AireOS 7.6 for with legacy controller like 5508, 2504 or WiSM2 to support 3700 AP model).

Here is the software compatibility matrix with this new software code.

It is time to upgrade my 3850 & 5760 & play with this enhanced features.

I got my CCIE (Wireless) Certification & Plaque today. It is another moment of joy in my family life. This sorts of satisfaction is never come easily, you have to earn it

Related Posts

1. 20th Aug was my Lucky Day
2. Words of Appreciation
3. How to become a CCIE Wireless

Today (2nd Nov 2013) my blog reached a milestone. Blog stats shows it has reached 100,000 hits & I am impressed with that. When I started my blog in April 2012, I never thought it would become this popular, but I was wrong   I started this blog as my study notes in preparation for my CCIE wireless exam. Within very short period, I realized it benefits lot of other people & that motivated me to keep it going. Even after I passed my lab exam on Aug 2013, I keep this blog running as it become the conduit between me & the rest of the world to communicate on wireless technology topics.

As always, starting was the difficult part & I have done few blog posts (18 in total) during initial 6 months. As my CCIE studies get serious , I have done more than 180 posts during 2013 & blog become more attractive.

My blog helped me to keep in touch with lots of other Network professionals. If my blog was not there, I may not know about these blokes. Now it is being followed by 103 users .

Here is the some of interesting statistics of my blog. This shows the monthly hit count & it is reaching 20k per month.

Here is the weekly statistics. You can see a peak around week#34 (due to my successful lab attempt on 20th Aug). Year 2013 starts with 1500 per week & now it is around 4000 hits per week.

Here is daily hit-count and 931 was the maximum so far. It was the day after I passed my CCIE wireless lab exam (21st Aug 2013).

Here is the stats where my readers are coming from. Most readers based in USA & account for more than 30% of the hits during this period. India, Australia, Germany, UK, Canada, Sweden, France, Thailand & Greece are the rest of top 10 countries in the list.

Also below gives the top blog posts based on the hit count.

As you can see most people interest to see “How many CCIEs in the world ?“. Then “Lightweigth to Autonomous AP conversion“, “Backup & Restore WLC config” post become number 2 & 3 respectively. Also QoS & Multicast related posts are dominating in the list. These two technologies are my favorites & I spent lots of time to do a good post about these. I think readers are like that.

“How to become a CCIE wireless ? ” also become a popular one which has got 1200 hits within first 3 months of its publication. I am sure next 100k hits won’t take that long based on the current trend.

I am thankful to every one of you read my blog & gave some encouragement during my study period (specially after failing my exam in 1st attempt in May 2013).

Thank you for reading my blog & good luck for your CCIE studies….

In this post we will see how to configure a wireless bridge (Root & Non-Root Bridge) with EAP-FAST security. Here is the basic topology for the post & I have used two 1310 AP with 12.4(25d)JA software version.

Here is the G1/0/6 Config of C3750-1 switch. Since wireless bridge has to carry multiple vlan traffic (in my case 20-21) it has to configure as a trunk port.

hostname C3750-1
!
ip dhcp excluded-address 192.168.21.1 192.168.21.50
ip dhcp excluded-address 192.168.21.254
ip dhcp pool VLAN21
 network 192.168.21.0 255.255.255.0
 default-router 192.168.21.254 
!
interface Vlan20
 ip address 192.168.20.254 255.255.255.0
interface Vlan21
 ip address 192.168.21.254 255.255.255.0
!
interface GigabitEthernet1/0/6
 description 1310-1 (ROOT BRIDGE)
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 20
 switchport trunk allowed vlan 20,21
 switchport mode trunk

Here is the Root Bridge configuration without any security configurations. Later on we will configure the EAP-FAST for this. Note that for native vlan (20) to be configured with bridge group 1. Also SSID configured as “infrastructure-ssid” to ensure only infrastructure device could associate to it (no normal clients)

hostname 1310-1
!
dot11 ssid BRIDGE
   vlan 20
   authentication open
   infrastructure-ssid
!
interface Dot11Radio0
 ssid BRIDGE
 station-role root bridge
!
interface Dot11Radio0.20
 encapsulation dot1Q 20 native
 bridge-group 1
interface Dot11Radio0.21
 encapsulation dot1Q 21
 bridge-group 21
!
interface FastEthernet0.20
 encapsulation dot1Q 20 native
 bridge-group 1
interface FastEthernet0.21
 encapsulation dot1Q 21 
 bridge-group 21
!
interface BVI1
 ip address 192.168.20.13 255.255.255.0
ip default-gateway 192.168.20.254

Here is the Non-Root Bridge Configuration

hostname 1310-2
!
dot11 ssid BRIDGE
   vlan 20
   authentication open
   infrastructure-ssid
!
interface Dot11Radio0
 ssid BRIDGE
 station-role non-root bridge
!
interface Dot11Radio0.20
 encapsulation dot1Q 20 native
 bridge-group 1

interface Dot11Radio0.21
 encapsulation dot1Q 21
 bridge-group 21
!
interface FastEthernet0.20
 encapsulation dot1Q 20 native
 bridge-group 1

interface FastEthernet0.21
 encapsulation dot1Q 21
 bridge-group 21
!
interface BVI1
 ip address 192.168.20.14 255.255.255.0
ip default-gateway 192.168.20.254

With this configuration, you should see your non-root bridge associating to your root bridge.

1310-2#Nov  8 20:39:46.316: %DOT11-4-UPLINK_ESTABLISHED: Interface Dot11Radio0, 
Associated To AP 1310-1 001b.2a30.48b0 [None]

1310-1#sh dot11 ass
802.11 Client Stations on Dot11Radio0: 
SSID [BRIDGE] : 
MAC Address    IP address      Device        Name            Parent         State     
001b.2a30.48c0 192.168.20.14   bridge        1310-2          self           Assoc    

1310-1#sh dot11 ass 001b.2a30.48c0
Address           : 001b.2a30.48c0     Name             : 1310-2
IP Address        : 192.168.20.14      Interface        : Dot11Radio 0
Device            : bridge             Software Version : 12.4
CCX Version       : 5                  Client MFP       : Off

State             : Assoc              Parent           : self               
SSID              : BRIDGE                          
VLAN              : 20
Hops to Infra     : 1                  Association Id   : 1
Clients Associated: 1                  Repeaters associated: 0
Tunnel Address    : 0.0.0.0
Key Mgmt type     : NONE               Encryption       : Off
Current Rate      : 54.0               Capability       : WMM ShortHdr ShortSlot
Supported Rates   : 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
Voice Rates       : disabled           Bandwidth        : 20 MHz 
Signal Strength   : -75  dBm           Connected for    : 80 seconds
Signal to Noise   : 24  dB            Activity Timeout : 30 seconds
Power-save        : Off                Last Activity    : 1 seconds ago
Apsd DE AC(s)     : NONE

Packets Input     : 3341               Packets Output   : 10247     
Bytes Input       : 378995             Bytes Output     : 1405473   
Duplicates Rcvd   : 0                  Data Retries     : 521       
Decrypt Failed    : 0                  RTS Retries      : 12        
MIC Failed        : 0                  MIC Missing      : 0         
Packets Redirected: 0                  Redirect Filtered: 0

Here is the R2960 switch configuration. I have given switch management IP from vlan 20.

hostname R2960
!
interface GigabitEthernet0/2
 switchport access vlan 21
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/8
 switchport trunk native vlan 20
 switchport trunk allowed vlan 20,21
 switchport mode trunk
!
interface Vlan20
 ip address 192.168.20.15 255.255.255.0
!
ip default-gateway 192.168.20.254

If you define a DHCP (or you can statically assign a IP for Laptop) for vlan 21, you should see Laptop will get an IP from 192.168.21.0/24 network. In my case Laptop got 192.168.21.51 IP address & I can ping it from my C3750-1 switch.

C3750-1#ping 192.168.21.51
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.21.51, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms

As long as this works you can move on to adding security for this configuration. First we will configure 1310-1(root bridge) as RADIUS server. If you using AP as radius server, you can configure either LEAP, EAP-FAST or MAC authentication methods. In this example we will disable LEAP & MAC authentications. For highest security we have used WPA2/AES.

aaa new-model
aaa group server radius RAD-GROUP
 server 192.168.20.13 auth-port 1812 acct-port 1813
aaa authentication login EAP-METHODS group RAD-GROUP
radius-server local
  no authentication leap
  no authentication mac
  nas 192.168.20.13 key 0 MRN-CCIEW
  user nonroot password nonrootpw
radius-server host 192.168.20.13 auth-port 1812 acct-port 1813 key 0 MRN-CCIEW

dot11 ssid BRIDGE
   authentication open eap EAP-METHODS
   authentication network-eap EAP-METHODS
   authentication key-management wpa version 2
interface Dot11Radio0
 encryption vlan 20 mode ciphers aes-ccm

Then we can configure the Non-Root Bridge with EAP-FAST credential which we defined on the Root Bridge.

1310-2(config)#eap profile FAST
1310-2(config-eap-profile)#method ?
  fast      EAP-FAST method allowed
  gtc       EAP-GTC method allowed
  leap      EAP-LEAP method allowed
  md5       EAP-MD5 method allowed
  mschapv2  EAP-MSCHAPV2 method allowed
  tls       EAP-TLS method allowed

1310-2(config-eap-profile)#method fast 
1310-2(config)#dot1x credentials FAST
1310-2(config-dot1x-creden)#username nonroot
1310-2(config-dot1x-creden)#password nonrootpw
!
1310-2(config)#dot11 ssid BRIDGE
1310-2(config-ssid)#authentication open eap EAP-METHODS 
1310-2(config-ssid)#authentication network-eap EAP-METHODS 
1310-2(config-ssid)#authentication key-management wpa version 2
1310-2(config-ssid)#dot1x eap profile FAST
1310-2(config-ssid)#dot1x credentials FAST
!
1310-2(config-ssid)#interface Dot11Radio0
1310-2(config-if)# encryption vlan 20 mode ciphers aes-ccm

Once you do this you should see your Non-Root Bridge associated with Root Bridge using EAP-FAST.

1310-2(config-if)#
Nov  8 21:16:51.796: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
Nov  8 21:16:52.063: %DOT11-4-UPLINK_ESTABLISHED: Interface Dot11Radio0, 
Associated To AP 1310-1 001b.2a30.48b0 [EAP-FAST WPAv2]

1310-1#
Nov  8 21:11:42.430: %DOT11-6-ASSOC: Interface Dot11Radio0, 
Station 1310-2 001b.2a30.48c0 Associated KEY_MGMT[WPAv2]

1310-1#sh dot11 associations 001b.2a30.48c0
Address           : 001b.2a30.48c0     Name             : 1310-2
IP Address        : 192.168.20.14      Interface        : Dot11Radio 0
Device            : bridge             Software Version : 12.4
CCX Version       : 5                  Client MFP       : On

State             : EAP-Assoc          Parent           : self               
SSID              : BRIDGE                          
VLAN              : 20
Hops to Infra     : 1                  Association Id   : 1
Clients Associated: 1                  Repeaters associated: 0
Tunnel Address    : 0.0.0.0
Key Mgmt type     : WPAv2              Encryption       : AES-CCMP
Current Rate      : 54.0               Capability       : WMM ShortHdr ShortSlot
Supported Rates   : 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
Voice Rates       : disabled           Bandwidth        : 20 MHz 
Signal Strength   : -75  dBm           Connected for    : 214 seconds
Signal to Noise   : 24  dB            Activity Timeout : 30 seconds
Power-save        : Off                Last Activity    : 1 seconds ago
Apsd DE AC(s)     : NONE

Packets Input     : 41                 Packets Output   : 365       
Bytes Input       : 4556               Bytes Output     : 42485     
Duplicates Rcvd   : 0                  Data Retries     : 2         
Decrypt Failed    : 0                  RTS Retries      : 0         
MIC Failed        : 0                  MIC Missing      : 0         
Packets Redirected: 0                  Redirect Filtered: 0         
Session timeout   : 0 seconds
Reauthenticate in : never

So now you wireless bridge connection is more secure. Make sure you can ping the remote client

C3750-1#ping 192.168.21.51
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.21.51, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms

Hope this is useful for you.