
Wireshark Captures in 3850


On the new 3850 switch model you can take packet captures within the switch itself (you no longer need to SPAN a port to a PC running Wireshark). This switch model comes with an embedded Wireshark feature.

You need IOS-XE 3.3.0 or later images for this feature. Here are a few things to remember when taking wireless packet captures:

* The only form of wireless capture is a CAPWAP tunnel capture.
* When capturing CAPWAP tunnels, no other interface types can be used as attachment points on the same capture point.
* Capturing multiple CAPWAP tunnels is supported.
* Core filters are not applied and should be omitted when capturing a CAPWAP tunnel.
* To capture a CAPWAP data tunnel, each CAPWAP tunnel is mapped to a physical port and an appropriate ACL is applied to filter the traffic.
* To capture a CAPWAP non-data tunnel, the switch is set to capture traffic on all ports and applies an appropriate ACL to filter the traffic.

Here is how you can get a packet capture from it.

I have one AP connected to my 3850 & it uses the “Ca0” interface to terminate its CAPWAP tunnel. So we will capture the packets going in/out from this interface. There were two active clients connected to this AP while taking the packet capture.

3850-1#sh capwap summary 

CAPWAP Tunnels General Statistics:
  Number of Capwap Data Tunnels       = 1  
  Number of Capwap Mobility Tunnels   = 0  
  Number of Capwap Multicast Tunnels  = 0  

Name   APName                           Type PhyPortIf Mode      McastIf
------ -------------------------------- ---- --------- --------- -------
Ca0    L3502-1                          data Gi1/0/1   unicast   -      

Name   SrcIP           SrcPort DestIP          DstPort DtlsEn MTU   Xact
------ --------------- ------- --------------- ------- ------ ----- ----
Ca0    10.15.4.255     5247    10.15.5.253     48645   No     1449  0    

3850-1#show wireless client summary 
Number of Local Clients : 2

MAC Address    AP Name                          WLAN State              Protocol 
--------------------------------------------------------------------------------
04f7.e4ea.5b66 L3502-1                          17   UP                 11n(5)   
2c54.2dea.f4ea L3502-1                          17   UP                 11a

There are 3 basic steps involved in the capturing process.

1. Define your source interface (Ca0 interface in this example)

3850-1#monitor capture ?
  WORD  Name of the Capture 

3850-1#monitor capture MY_CAP ?
  access-list    access-list to be attached 
  buffer         Buffer options
  class-map      class name to attached 
  clear          Clear Buffer
  control-plane  Control Plane 
  export         Export Buffer
  file           Associated file attributes
  interface      Interface
  limit          Limit Packets Captured
  match          Describe filters inline
  start          Enable Capture
  stop           Disable Capture 
  vlan           Vlan

3850-1#monitor capture MY_CAP interface ?
  GigabitEthernet     GigabitEthernet IEEE 802.3z
  TenGigabitEthernet  Ten Gigabit Ethernet
  Vlan                Catalyst Vlans
  capwap              Capwap-Tunnel
  range               interface range command

3850-1#monitor capture MY_CAP interface capwap ?
  WORD  Capwap ID List Eg. 0-10, 15

3850-1#monitor capture MY_CAP interface capwap 0 ?
  both  Inbound and outbound packets
  in    Inbound packets
  out   Outbound packets

3850-1#monitor capture MY_CAP interface capwap 0 both

2. Set your filter for the capture (for CAPWAP interfaces no filtering option is supported). For filtering you can use an ACL or “match” statements as shown below. Note that I have not used it for this example.

3850-1#monitor capture MY_CAP match ?
  any   all packets
  ipv4  IPv4 packets only
  ipv6  IPv6 packets only
  mac   MAC filter configuration

3850-1#monitor capture MY_CAP match ipv4 ?
  A.B.C.D/nn  IPv4 source Prefix <network>/<length>, e.g., 192.168.0.0/16
  any         Any source prefix
  host        A single source host
  protocol    Protocols

3850-1#monitor capture MY_CAP match ipv4 any ?
  A.B.C.D/nn  IPv4 destination Prefix <network>/<length>, e.g., 192.168.0.0/16
  any         Any destination prefix
  host        A single destination host

3850-1#monitor capture MY_CAP match ipv4 any any

3850-1#monitor capture MY_CAP access-list ?
  WORD  access-list name

3850-1#monitor capture MY_CAP access-list ACL ?
  buffer         Buffer options
  control-plane  Control Plane 
  file           Associated file attributes
  interface      Interface
  limit          Limit Packets Captured
  vlan           Vlan
  <cr>

3. Define your destination (you can use internal flash or USB flash as the file destination)

3850-1#monitor capture MY_CAP file location ?
  crashinfo-1:     Location of the pcap file
  crashinfo:       Location of the pcap file
  flash-1:         Location of the pcap file
  flash:           Location of the pcap file
  stby-usbflash0:  Location of the pcap file
  usbflash0-1:     Location of the pcap file
  usbflash0-2:     Location of the pcap file
  usbflash0:       Location of the pcap file

3850-1#monitor capture MY_CAP file location flash:MY_CAP.pcap ?
  access-list    access-list to be attached 
  buffer-size    Size of temporary buffer (to reduce packet loss)
  class-map      class name to attached 
  control-plane  Control Plane 
  interface      Interface
  limit          Limit Packets Captured
  match          Describe filters inline
  ring           Store the contents in a circular file chain
  size           Size of the file(s)
  vlan           Vlan
  <cr>

3850-1#monitor capture MY_CAP file location flash:MY_CAP.pcap buffer-size ?
  <1-100>  Buffer size in MB  : Min 1 : Max 100

3850-1#monitor capture MY_CAP file location flash:MY_CAP.pcap buffer-size 10 ?
  access-list    access-list to be attached 
  class-map      class name to attached 
  control-plane  Control Plane 
  interface      Interface
  limit          Limit Packets Captured
  match          Describe filters inline
  ring           Store the contents in a circular file chain
  size           Size of the file(s)
  vlan           Vlan
  <cr>

3850-1#monitor capture MY_CAP file location flash:MY_CAP.pcap buffer-size 10 

4. You can activate/de-activate the packet capture as shown below. I left it running for 30s-60s & then stopped it.

3850-1#monitor capture MY_CAP start
.
.
.
3850-1#monitor capture MY_CAP stop 

As you can see, the file is available in the 3850’s flash.

3850-1#dir
Directory of flash:/
85193  -rwx     2097152  Oct 29 2013 09:18:33 +11:00  nvram_config
85186  -rw-   257016048  Oct 15 2013 10:46:31 +11:00  cat3k_caa-universalk9.SPA.03.03.00.SE.150-1.EZ.bin
85188  -rw-        1214   Oct 8 2013 09:16:25 +11:00  packages.conf.00-
61955  -rw-        5430  Nov 12 2013 13:28:00 +11:00  MY_CAP.pcap

You can open it using the Wireshark application or view it from the switch itself (it is always better to analyze it in the Wireshark application, since doing it on the switch can consume switch resources like CPU/memory). Here is how you can view it on the switch itself.

3850-1#show monitor capture file flash:MY_CAP.pcap
  1   0.000000 x.y.104.252 -> 224.0.0.2    HSRP Hello (state Standby)
  2   0.288031 x.y.104.251 -> 224.0.0.2    HSRP Hello (state Active)
  3   1.899999  10.15.4.255 -> 10.15.5.253  CAPWAP CAPWAP-Control - Primary Discovery Response
  4   1.899999  10.15.4.255 -> 10.15.5.253  CAPWAP CAPWAP-Control - Primary Discovery Response
  5   2.656008 x.y.104.252 -> 224.0.0.2    HSRP Hello (state Standby)
  6   2.961992  10.15.5.253 -> 10.15.4.255  DTLSv1.0 Application Data
  7   2.961992  10.15.5.253 -> 10.15.4.255  DTLSv1.0 Application Data
  8   2.961992  10.15.5.253 -> 10.15.4.255  DTLSv1.0 Application Data
  9   2.967988  10.15.5.253 -> 10.15.4.255  DTLSv1.0 Application Data
 10   2.967988  10.15.5.253 -> 10.15.4.255  DTLSv1.0 Application Data
 11   2.967988  10.15.5.253 -> 10.15.4.255  DTLSv1.0 Application Data
 12   2.972993  10.15.5.253 -> 10.15.4.255  DTLSv1.0 Application Data
 13   3.099985 x.y.104.251 -> 224.0.0.2    HSRP Hello (state Active)
 14   4.455015 2c:3f:38:2b:57:00 -> 2c:3f:38:2b:57:00 WLCCP U, func=UI; SNAP, OUI 0x004096 (Cisco Wireless (Aironet) L2), PID 0x0000
 15   4.456022 2c:3f:38:2b:57:00 -> 2c:3f:38:2b:57:00 WLCCP U, func=UI; SNAP, OUI 0x004096 (Cisco Wireless (Aironet) L2), PID 0x0000
 16   5.071987 x.y.104.252 -> 224.0.0.2    HSRP Advertise (state Passive)
 17   5.278037 x.y.104.252 -> 224.0.0.2    HSRP Hello (state Standby)
 18   5.911992 x.y.104.251 -> 224.0.0.2    HSRP Hello (state Active)
 19   7.406021  10.15.5.253 -> 10.15.4.255  DTLSv1.0 Application Data
 20   7.411026  10.15.5.253 -> 10.15.4.255  DTLSv1.0 Application Data
 21   7.411026  10.15.5.253 -> 10.15.4.255  DTLSv1.0 Application Data
 22   7.417022  10.15.5.253 -> 10.15.4.255  DTLSv1.0 Application Data
 23   7.422027  10.15.5.253 -> 10.15.4.255  DTLSv1.0 Application Data
 24   7.428023  10.15.5.253 -> 10.15.4.255  DTLSv1.0 Application Data
 25   8.266029 x.y.104.252 -> 224.0.0.2    HSRP Hello (state Standby)
 26   8.684007 x.y.104.251 -> 224.0.0.2    HSRP Hello (state Active)
 27  10.191976 2c:3f:38:2b:57:00 -> 2c:3f:38:2b:57:00 WLCCP U, func=UI; SNAP, OUI 0x004096 (Cisco Wireless (Aironet) L2), PID 0x0000
 28  11.266029 x.y.104.252 -> 224.0.0.2    HSRP Hello (state Standby)
 29  11.360033 x.y.104.251 -> 224.0.0.2    HSRP Hello (state Active)
 30  12.763013 10.11.255.40 -> x.y.104.190 SKINNY CallStateMessage 
 31  12.763013 10.11.255.40 -> x.y.104.190 SKINNY SelectSoftKeysMessage 
 32  12.769009 x.y.104.190 -> 10.11.255.40 TCP 1036 > 2000 [ACK] Seq=1 Ack=37 Win=15840 Len=0 TSV=243324138 TSER=1861909984
 33  12.769009 10.11.255.40 -> x.y.104.190 SKINNY 0x00000145 (Unknown) 0x00000144 (Unknown) 0x0000014A (Unknown) SetLampMessage SetRingerMessage 
 34  12.771008 x.y.104.190 -> 10.11.255.40 TCP 1036 > 2000 [ACK] Seq=1 Ack=65 Win=15840 Len=0 TSV=243324138 TSER=1861909984
 35  12.777004 x.y.104.190 -> 10.11.255.40 TCP 1036 > 2000 [ACK] Seq=1 Ack=289 Win=15840 Len=0 TSV=243324139 TSER=1861909988
 36  13.717010 x.y.104.252 -> 224.0.0.2    HSRP Hello (state Standby)
 37  13.836007 x.y.104.251 -> 224.0.0.2    HSRP Hello (state Active)
 38  14.177984 00:00:00:00:00:00 -> 2c:3f:38:2b:57:00 IEEE 802.11 Probe Request, SN=0, FN=0, Flags=........
 39  15.023985 x.y.104.190 -> 10.11.255.40 SKINNY KeepAliveMessage 
 40  15.023985 10.11.255.40 -> x.y.104.190 SKINNY KeepAliveAckMessage 
 41  15.026991 x.y.104.190 -> 10.11.255.40 TCP 1036 > 2000 [ACK] Seq=13 Ack=301 Win=15840 Len=0 TSV=243324364 TSER=1861912240
 42  15.171988 00:00:00:00:00:00 -> 2c:3f:38:2b:57:00 IEEE 802.11 Probe Request, SN=0, FN=0, Flags=........
 43  16.166983 00:00:00:00:00:00 -> 2c:3f:38:2b:57:00 IEEE 802.11 Probe Request, SN=0, FN=0, Flags=........
 44  16.392029 x.y.104.252 -> 224.0.0.2    HSRP Hello (state Standby)
 45  16.667009 x.y.104.251 -> 224.0.0.2    HSRP Hello (state Active)
 46  16.926990  10.15.5.253 -> 10.15.4.255  DTLSv1.0 Application Data
 47  17.159980 00:00:00:00:00:00 -> 2c:3f:38:2b:57:00 IEEE 802.11 Probe Request, SN=0, FN=0, Flags=........
 48  17.573020 x.y.104.190 -> 10.11.255.40 SKINNY SoftKeyEventMessage 
 49  17.573020 10.11.255.40 -> x.y.104.190 SKINNY SetRingerMessage 
 50  17.573020 10.11.255.40 -> x.y.104.190 SKINNY SetSpeakerModeMessage 
 51  17.573020 10.11.255.40 -> x.y.104.190 SKINNY SetLampMessage 
 52  17.577017 x.y.104.190 -> 10.11.255.40 TCP 1036 > 2000 [ACK] Seq=37 Ack=329 Win=15840 Len=0 TSV=243324619 TSER=1861914780

If you want to see a specific frame in detail (e.g. Frame 38) you can do that as well.

3850-1#show monitor capture file flash:MY_CAP.pcap detailed | beg Frame 38
Frame 38: 122 bytes on wire (976 bits), 122 bytes captured (976 bits)
    Arrival Time: Nov 12, 2013 03:04:08.970942000 UTC
    Epoch Time: 1384225448.970942000 seconds
    [Time delta from previous captured frame: 0.341977000 seconds]
    [Time delta from previous displayed frame: 0.341977000 seconds]
    [Time since reference or first frame: 14.177984000 seconds]
    Frame Number: 38
    Frame Length: 122 bytes (976 bits)
    Capture Length: 122 bytes (976 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ip:udp:capwap:wlan]
Ethernet II, Src: cc:ef:48:9b:e0:45 (cc:ef:48:9b:e0:45), Dst: 58:bf:ea:b6:56:c3 (58:bf:ea:b6:56:c3)
    Destination: 58:bf:ea:b6:56:c3 (58:bf:ea:b6:56:c3)
        Address: 58:bf:ea:b6:56:c3 (58:bf:ea:b6:56:c3)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: cc:ef:48:9b:e0:45 (cc:ef:48:9b:e0:45)
        Address: cc:ef:48:9b:e0:45 (cc:ef:48:9b:e0:45)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
Internet Protocol, Src: 10.15.5.253 (10.15.5.253), Dst: 10.15.4.255 (10.15.4.255)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0xc0 (DSCP 0x30: Class Selector 6; ECN: 0x00)
        1100 00.. = Differentiated Services Codepoint: Class Selector 6 (0x30)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 108
    Identification: 0xa865 (43109)
    Flags: 0x02 (Don't Fragment)
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 255
    Protocol: UDP (17)
    Header checksum: 0xb341 [correct]
        [Good: True]
        [Bad: False]
    Source: 10.15.5.253 (10.15.5.253)
    Destination: 10.15.4.255 (10.15.4.255)
User Datagram Protocol, Src Port: 48645 (48645), Dst Port: 5247 (5247)
    Source port: 48645 (48645)
    Destination port: 5247 (5247)
    Length: 88
    Checksum: 0x0000 (none)
        [Good Checksum: False]
        [Bad Checksum: False]
Control And Provisioning of Wireless Access Points
    Preamble
        Version: 0
        Type: CAPWAP Header (0)
    Header
        Header Length: 4
        Radio ID: 0
        Wireless Binding ID: IEEE 802.11 (1)
        Header flags
            1... .... . = Payload Type: Native frame format (see Wireless Binding ID field)
            .0.. .... . = Fragment: Don't Fragment
            ..0. .... . = Last Fragment: More fragments follow
            ...1 .... . = Wireless header: Wireless Specific Information is present
            .... 0... . = Radio MAC header: No Radio MAC Address
            .... .0.. . = Keep-Alive: No Keep-Alive
            .... ..00 0 = Reserved: Not set
        Fragment ID: 0
        Fragment Offset: 0
        Reserved: 0
        Wireless length: 4
        Wireless data: 00000000
        Wireless data ieee80211 Frame Info: 00000000
            Wireless data ieee80211 RSSI (dBm): 0
            Wireless data ieee80211 SNR (dB): 0
            Wireless data ieee80211 Data Rate (Mbps): 0
        Padding for 4 Byte Alignement: 000000
IEEE 802.11 Probe Request, Flags: ........
    Type/Subtype: Probe Request (0x04)
    Frame Control: 0x0040 (Swapped)
        Version: 0
        Type: Management frame (0)
        Subtype: 4
        Flags: 0x0
            .... ..00 = DS status: Not leaving DS or network is operating in AD-HOC mode (To DS: 0 From DS: 0) (0x00)
            .... .0.. = More Fragments: This is the last fragment
            .... 0... = Retry: Frame is not being retransmitted
            ...0 .... = PWR MGT: STA will stay up
            ..0. .... = More Data: No data buffered
            .0.. .... = Protected flag: Data is not protected
            0... .... = Order flag: Not strictly ordered
    Duration: 0
    Destination address: 2c:3f:38:2b:57:00 (2c:3f:38:2b:57:00)
    Source address: 00:00:00:00:00:00 (00:00:00:00:00:00)
    BSS Id: 2c:3f:38:2b:57:00 (2c:3f:38:2b:57:00)
    Fragment number: 0
    Sequence number: 0
IEEE 802.11 wireless LAN management frame
    Tagged parameters (40 bytes)
        Vendor Specific: 00:40:96: Aironet Unknown
            Tag Number: 221 (Vendor Specific)
            Tag length: 9
            Vendor: 00:40:96
            Aironet IE type: Unknown (37)
            Aironet IE data: 017ae93ff1
        Vendor Specific: 00:40:96: Aironet Unknown
            Tag Number: 221 (Vendor Specific)
            Tag length: 27
            Vendor: 00:40:96
            Aironet IE type: Unknown (37)
            Aironet IE data: 00012c542deaf4ea0101270095007ae5c1abf09002c5c9
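As an added example (not part of the original post), the Python below rebuilds the CAPWAP payload of Frame 38 from the field values in the dissection above and decodes it the way Wireshark does, following the RFC 5415 header layout; the bytes are constructed from the dissected values rather than copied from the switch, and the parser also handles the Radio MAC and fragment fields that Frame 38 does not use.

```python
import struct

# CAPWAP header of Frame 38, reconstructed from the dissected values above (constructed
# bytes, not copied from the switch): preamble 0x00 (version 0, type 0 = clear-text
# CAPWAP header), HLEN=4 words, RID=0, WBID=1 (IEEE 802.11), flags T=1 W=1, Fragment
# ID/Offset 0, then Wireless Specific Information: length 4, data 00000000, 3 pad bytes.
CAPWAP_HDR = bytes.fromhex("00 20 03 20 00 00 00 00 04 00 00 00 00 00 00 00")
# The native 802.11 probe request that follows: FC 0x0040, duration 0, DA/BSSID
# 2c:3f:38:2b:57:00, SA 00:00:00:00:00:00, sequence 0, then both Aironet vendor IEs.
DOT11_PROBE_REQ = bytes.fromhex(
    "40 00 00 00 2c 3f 38 2b 57 00 00 00 00 00 00 00 2c 3f 38 2b 57 00 00 00"
    "dd 09 00 40 96 25 01 7a e9 3f f1"
    "dd 1b 00 40 96 25 00 01 2c 54 2d ea f4 ea 01 01 27 00 95 00 7a e5 c1 ab f0 90 02 c5 c9"
)
FRAME38_PAYLOAD = CAPWAP_HDR + DOT11_PROBE_REQ   # 80 bytes: UDP length 88 minus 8
AIRONET_OUI = bytes.fromhex("004096")


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_capwap(pkt: bytes) -> dict:
    """Decode a CAPWAP transport header (RFC 5415 section 4.3) and split off the
    encapsulated wireless payload."""
    if len(pkt) < 8:
        raise ValueError("truncated CAPWAP header")
    version, ptype = pkt[0] >> 4, pkt[0] & 0x0F
    if ptype != 0:
        # Preamble type 1 means a DTLS record follows (the DTLSv1.0 control-channel
        # packets in the capture): nothing past the preamble is readable in the clear.
        raise ValueError("DTLS-protected CAPWAP packet")
    word = int.from_bytes(pkt[1:4], "big")  # HLEN(5) RID(5) WBID(5) T F L W M K Flags(3)
    hdr = {
        "version": version,
        "hlen_bytes": (word >> 19) * 4,       # HLEN counts 4-byte words
        "rid": (word >> 14) & 0x1F,
        "wbid": (word >> 9) & 0x1F,           # 1 = IEEE 802.11
        "native_frame": bool(word & 0x100),   # T: payload is a native 802.11 frame
        "fragment": bool(word & 0x80),        # F
        "last_fragment": bool(word & 0x40),   # L
        "has_wsi": bool(word & 0x20),         # W: Wireless Specific Information present
        "has_radio_mac": bool(word & 0x10),   # M
        "keepalive": bool(word & 0x08),       # K
    }
    frag_id, frag_word = struct.unpack("!HH", pkt[4:8])
    hdr["fragment_id"], hdr["fragment_offset"] = frag_id, frag_word >> 3
    pos = 8
    if hdr["has_radio_mac"]:                  # optional, length-prefixed, 4-byte padded
        n = pkt[pos]
        hdr["radio_mac"] = mac_str(pkt[pos + 1:pos + 1 + n])
        pos += 1 + n
        pos += (-pos) % 4
    if hdr["has_wsi"]:
        n = pkt[pos]
        hdr["wsi"] = pkt[pos + 1:pos + 1 + n]  # Frame 38: 4 zero bytes (RSSI/SNR/rate 0)
        pos += 1 + n
        pos += (-pos) % 4                      # "Padding for 4 Byte Alignement" in Wireshark
    if pos != hdr["hlen_bytes"]:
        raise ValueError(f"HLEN says {hdr['hlen_bytes']} bytes, parsed {pos}")
    hdr["payload"] = pkt[hdr["hlen_bytes"]:]
    return hdr


def parse_dot11_mgmt(frame: bytes) -> dict:
    """Decode the fixed 802.11 management header and its tagged parameters."""
    if len(frame) < 24:
        raise ValueError("truncated 802.11 header")
    fc = int.from_bytes(frame[0:2], "little")  # Frame Control is little-endian on the wire
    info = {
        "type": (fc >> 2) & 0x3,               # 0 = management
        "subtype": (fc >> 4) & 0xF,            # 4 = Probe Request
        "flags": fc >> 8,
        "da": mac_str(frame[4:10]),
        "sa": mac_str(frame[10:16]),
        "bssid": mac_str(frame[16:22]),
        "seq": int.from_bytes(frame[22:24], "little") >> 4,
        "ies": [],
    }
    pos = 24
    while pos + 2 <= len(frame):
        tag, n = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + n]
        if len(value) != n:
            raise ValueError("truncated information element")
        ie = {"tag": tag, "len": n, "data": value}
        if tag == 221 and value[:3] == AIRONET_OUI:   # Cisco Aironet vendor-specific IE
            ie.update(vendor="Aironet", aironet_type=value[3], data=value[4:])
        info["ies"].append(ie)
        pos += 2 + n
    return info


def decode_frame38() -> tuple:
    """The two layers Wireshark shows for Frame 38 after the UDP header."""
    capwap = parse_capwap(FRAME38_PAYLOAD)
    return capwap, parse_dot11_mgmt(capwap["payload"])
```

The second Aironet IE carries the bytes 2c542deaf4ea, which is one of the client MACs in the show wireless client summary output above.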

You can copy this file from the switch flash to wherever you want. Here are a few screenshots of this Wireshark capture.

3850-1#copy flash tftp:                           
Source filename [MY_CAP.pcap]? 
Address or name of remote host []? x.y.13.2                               
Destination filename [MY_CAP.pcap]? 
!!!!!!!!!!!!!!!!!
3908147 bytes copied in 21.010 secs (186014 bytes/sec)


Here is a good reference for wired interface packet capturing using the same feature.

Refer to this config guide section (for IOS-XE 3.3.0) for the Wireshark configuration of this version.

Hope you will enjoy this new feature available for easy troubleshooting.



Autonomous AP with External RADIUS


In this post we will see how to configure an Autonomous AP to authenticate users with an external RADIUS server. I have used ACS v5.2 as my RADIUS server. A 1142N access point with IOS image c1140-k9w7-mx.124-25d.JA was used for this exercise. Here is the basic topology for the post.

Here is the basic configuration of the AP with open authentication & the switch. You need to make sure this configuration is working before proceeding to the RADIUS configuration. I used only Radio 1 (5GHz) for simplicity.

hostname C3750-1 <= Switch Configuration 
!
ip dhcp excluded-address 192.168.143.1 192.168.143.50
ip dhcp pool VLAN143
 network 192.168.143.0 255.255.255.0
 default-router 192.168.143.1 
 option 150 ip 10.10.205.20 
 domain-name mrn.com
 dns-server 192.168.200.1 
!
interface GigabitEthernet1/0/11
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 143,999
 switchport mode trunk
!
interface Vlan100
 ip address 192.168.100.1 255.255.255.0
!
interface Vlan143
 ip address 192.168.143.1 255.255.255.0
!
interface Vlan999
 ip address 192.168.99.1 255.255.255.0

hostname A1142-1 <= AP Configuration
!
dot11 ssid TEST
   vlan 143
   authentication open
   guest-mode
!
interface Dot11Radio1
 ssid TEST
!
interface Dot11Radio1.143
 encapsulation dot1Q 143
 bridge-group 143
!
interface Dot11Radio1.999
 encapsulation dot1Q 999 native
 bridge-group 1
!
interface GigabitEthernet0.143
 encapsulation dot1Q 143
 bridge-group 143
!
interface GigabitEthernet0.999
 encapsulation dot1Q 999 native
 bridge-group 1
!
interface BVI1
 ip address 192.168.99.99 255.255.255.0
ip default-gateway 192.168.99.1

When configuring RADIUS on any IOS device, here are the 3 steps you need to follow.

1. Define the RADIUS server or servers.
2. Create a RADIUS server group (listing the defined servers).
3. Create a method list that points to the RADIUS group created.

When working with RADIUS, you can easily lock yourself out unless you get the required configuration 100% correct. Therefore it is always good practice to have a safe way of accessing the IOS device, even if you make a mistake. So before starting the rest of the configuration we will configure the console line not to do any authentication.

line con 0
no login authentication

The first command to enter is “aaa new-model”. Then you can define the RADIUS server configuration as shown below. I have used “Cisco123” as the shared key & a timeout value of 10s (by default 5s).

A1142-1(config)#radius-server ?
  accounting          Accounting information configuration
  attribute           Customize selected radius attributes
  authorization       Authorization processing information
  backoff             Retry backoff pattern(Default is retransmits with
                      constant delay)
  cache               AAA auth cache default server group
  challenge-noecho    Data echoing to screen is disabled during
                      Access-Challenge
  configure-nas       Attempt to upload static routes and IP pools at startup
  dead-criteria       Set the criteria used to decide when a radius server is
                      marked dead
  deadtime            Time to stop using a server that doesn't respond
  directed-request    Allow user to specify radius server to use with `@server'
  domain-stripping    Strip the domain from the username
  host                Specify a RADIUS server
  key                 encryption key shared with the radius servers
  local               Configure local RADIUS server
  optional-passwords  The first RADIUS request can be made without requesting a
                      password
  retransmit          Specify the number of retries to active server
  retry               Specify how the next packet is sent after timeout.
  source-ports        source ports used for sending out RADIUS requests
  timeout             Time to wait for a RADIUS server to reply
  transaction         Specify per-transaction parameters
  unique-ident        Higher order bits of Acct-Session-Id
  vsa                 Vendor specific attribute configuration

radius-server host 192.168.100.2 auth-port 1812 acct-port 1813 key Cisco123
radius-server timeout 10

As the 2nd step, you can define the RADIUS server group & then list the server you defined. I have used “RAD_GRP” as my RADIUS group name.

A1142-1(config)#aaa group server radius RAD_GRP
A1142-1(config-sg-radius)#?
RADIUS Server-group commands:
  accounting      Specify a RADIUS attribute filter for accounting
  attribute       Customize selected radius attributes
  authorization   Specify a RADIUS attribute filter for authorization
  backoff         Retry backoff pattern (Default is retransmits with constant
                  delay)
  cache           cached DB profile configuration
  deadtime        Specify time in minutes to ignore an unresponsive server
  default         Set a command to its defaults
  exit            Exit from RADIUS server-group configuration mode
  ip              Internet Protocol config commands
  no              Negate a command or set its defaults
  server          Specify a RADIUS server
  server-private  Define a private RADIUS server (per group)

A1142-1(config-sg-radius)#server 192.168.100.2 auth-port 1812 acct-port 1813

As the final step, you define a method list pointing to the RADIUS group you defined & apply it to the WLAN (or SSID) you created. The method list name “EAP_MTD” is used in my example. Additionally I have configured WPA2/AES for added security.

A1142-1(config)#aaa authentication login EAP_MTD group RAD_GRP
!
A1142-1(config)#dot11 ssid TEST
A1142-1(config-ssid)#   authentication open eap EAP_MTD
A1142-1(config-ssid)#   authentication network-eap EAP_MTD
A1142-1(config-ssid)#   authentication key-management wpa version 2
!
A1142-1(config)#interface Dot11Radio1
A1142-1(config-if)# encryption vlan 143 mode ciphers aes-ccm

That’s pretty much the configuration on the AP itself. Next you have to configure ACS 5.2. In ACS you have to configure the shared secret for this AP. Either you can individually configure each NAS device or you can configure a Default Network Device which will be applicable to any device connecting to ACS. I have used the default device method.

Then make sure you have created a username/password for testing. In my example I have used a local user (test/test123) within ACS. Also, if you want to do EAP-TLS, make sure you have installed the necessary certificates on ACS & the test client (not explained in this post) & that they are correctly listed in the Certificate Authority section.

For TLS to work you need to have certificates installed & the TLS request pointing to the Identity Store created for TLS.

I have defined an Identity Store for all EAP-TLS requests.

Then I have defined a custom attribute named NAS-IP that calls the “NAS-IP-Address” attribute in the RADIUS-IETF dictionary. For a simple scenario like our case, we can use the default permit rule without any custom policy, but if you want to do some filtering based on the RADIUS request coming from this NAS IP, then this method is very useful.

Next, make sure all required protocols are permitted through ACS (Access Policies -> Default Network Access -> Allowed Protocols).

In the Access Policies -> Default Network Access -> Identity section, you have to specify that if the request is EAP-TLS, the Identity Store defined for TLS is used. By default all requests go to the Internal Users Identity Store. So I have created a rule-based selection pointing all TLS requests to the “CCIE-TLS-Internal” identity store created in the previous step.


Then you can create a policy by adding the custom attribute created (NAS-IP) into the Custom Conditions. You can do this by hitting the “Customize” button under the Access Policies -> Default Network Access -> Authorization section. (Some other attributes are also shown, but are not relevant to this example.)

Here is what the policy looks like. Simply give “Permit Access” to any RADIUS request coming from NAS-IP 192.168.99.99 (our access point IP).
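As an added example (not from the post, Cisco or ACS), the Python below builds the EAP Access-Request the AP would send with the shared key Cisco123 and NAS-IP-Address 192.168.99.99, verifies its Message-Authenticator the way the RADIUS server must, and models the NAS-IP permit rule above; every packet is constructed locally, and `acs_decide` is a stand-in for the ACS policy rather than ACS code.

```python
import hashlib
import hmac
import os
import socket
import struct

# Values from the post's configuration; every packet below is constructed locally.
SHARED_SECRET = b"Cisco123"     # radius-server host ... key Cisco123
NAS_IP = "192.168.99.99"        # BVI1 address of A1142-1, matched by the ACS NAS-IP rule

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, NAS_IP_ADDRESS, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 4, 79, 80
HEADER_LEN = 20                 # Code(1) Identifier(1) Length(2) Authenticator(16)


def attr(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (TLV total), Value (RFC 2865 section 5)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(body: bytes) -> dict:
    attrs, pos = {}, 0
    while pos < len(body):
        if pos + 2 > len(body) or body[pos + 1] < 2 or pos + body[pos + 1] > len(body):
            raise ValueError("malformed attribute")
        attr_type, length = body[pos], body[pos + 1]
        attrs.setdefault(attr_type, []).append(body[pos + 2:pos + length])
        pos += length
    return attrs


def build_access_request(ident: int, user: str, nas_ip: str, eap: bytes,
                         request_auth: bytes, secret: bytes = SHARED_SECRET) -> bytes:
    """Access-Request as the AP sends it for an EAP client. RFC 3579 requires
    Message-Authenticator (HMAC-MD5 keyed with the shared secret over the packet with
    attribute 80 zeroed); with EAP it is the only proof that the NAS knows the key."""
    attrs = (attr(USER_NAME, user.encode()) + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attr(EAP_MESSAGE, eap))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(attrs) + 18) + request_auth
    mac = hmac.new(secret, header + attrs + attr(MESSAGE_AUTHENTICATOR, bytes(16)), hashlib.md5).digest()
    return header + attrs + attr(MESSAGE_AUTHENTICATOR, mac)


def message_authenticator_ok(packet: bytes, secret: bytes) -> bool:
    """Server-side check: rebuild the packet with attribute 80 zeroed and recompute the HMAC."""
    zeroed, received, pos = bytearray(packet[:HEADER_LEN]), None, HEADER_LEN
    while pos < len(packet):
        length = packet[pos + 1]
        chunk = packet[pos:pos + length]
        if packet[pos] == MESSAGE_AUTHENTICATOR:
            received, chunk = chunk[2:], attr(MESSAGE_AUTHENTICATOR, bytes(16))
        zeroed += chunk
        pos += length
    if received is None or len(received) != 16:
        return False
    return hmac.compare_digest(hmac.new(secret, bytes(zeroed), hashlib.md5).digest(), received)


def build_response(code: int, request: bytes, attrs: bytes = b"", secret: bytes = SHARED_SECRET) -> bytes:
    """Access-Accept/Reject with Response Authenticator =
    MD5(Code | ID | Length | RequestAuthenticator | Attributes | Secret) (RFC 2865 section 3)."""
    head = struct.pack("!BBH", code, request[1], HEADER_LEN + len(attrs))
    return head + hashlib.md5(head + request[4:HEADER_LEN] + attrs + secret).digest() + attrs


def response_ok(response: bytes, request: bytes, secret: bytes) -> bool:
    """NAS-side check; a reply that fails this is dropped (wrong key or a spoofed server)."""
    expected = hashlib.md5(response[:4] + request[4:HEADER_LEN] + response[HEADER_LEN:] + secret).digest()
    return response[1] == request[1] and hmac.compare_digest(expected, response[4:HEADER_LEN])


def acs_decide(request: bytes, secret: bytes = SHARED_SECRET):
    """Stand-in for the post's ACS policy (not ACS code). A bad Message-Authenticator is
    silently discarded (None, as a real server sends nothing); otherwise the rule
    NAS-IP-Address == 192.168.99.99 -> Permit Access decides the response."""
    if request[0] != ACCESS_REQUEST or not message_authenticator_ok(request, secret):
        return None
    attrs = parse_attrs(request[HEADER_LEN:])
    nas = attrs.get(NAS_IP_ADDRESS, [bytes(4)])[0]
    code = ACCESS_ACCEPT if socket.inet_ntoa(nas) == NAS_IP else ACCESS_REJECT
    return build_response(code, request, secret=secret)


def eap_identity(ident: int, identity: str) -> bytes:
    """EAP-Response/Identity (code 2, type 1): the first EAP message the AP relays."""
    body = b"\x01" + identity.encode()
    return struct.pack("!BBH", 2, ident, 4 + len(body)) + body


def demo() -> dict:
    """Three constructed requests: from the AP, from another NAS IP, and with a wrong key."""
    req = build_access_request(7, "test", NAS_IP, eap_identity(1, "test"), os.urandom(16))
    resp = acs_decide(req)
    other = build_access_request(8, "test", "192.168.99.98", eap_identity(1, "test"), os.urandom(16))
    bad_key = build_access_request(9, "test", NAS_IP, eap_identity(1, "test"), os.urandom(16), b"Cisco124")
    return {
        "accepted": resp is not None and resp[0] == ACCESS_ACCEPT and response_ok(resp, req, SHARED_SECRET),
        "other_nas_rejected": acs_decide(other)[0] == ACCESS_REJECT,
        "wrong_key_discarded": acs_decide(bad_key) is None,
    }
```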

Once you save the configuration, it is all ready for testing. I have used a laptop as the EAP-TLS client & an iPhone5 as the PEAP client. You can see the client associations on the AP CLI.

A1142-1#show dot11 associations 
802.11 Client Stations on Dot11Radio1: 
SSID [TEST] : 
MAC Address    IP address      Device        Name            Parent         State     
0022.fa94.6858 192.168.143.55  ccx-client    A1142-1         self           EAP-Assoc
04f7.e4ea.5b66 192.168.143.54  unknown       -               self           EAP-Assoc

A1142-1#show dot11 associations 0022.fa94.6858
Address           : 0022.fa94.6858     Name             : A1142-1
IP Address        : 192.168.143.55     Interface        : Dot11Radio 1
Device            : ccx-client         Software Version : NONE 
CCX Version       : 4                  Client MFP       : Off

State             : EAP-Assoc          Parent           : self               
SSID              : TEST                            
VLAN              : 143
Hops to Infra     : 1                  Association Id   : 2
Clients Associated: 0                  Repeaters associated: 0
Tunnel Address    : 0.0.0.0
Key Mgmt type     : WPAv2              Encryption       : AES-CCMP
Current Rate      : 54.0               Capability       : WMM 11h
Supported Rates   : 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
Voice Rates       : disabled           Bandwidth        : 20 MHz 
Signal Strength   : -49  dBm           Connected for    : 90 seconds
Signal to Noise   : 48  dB            Activity Timeout : 20 seconds
Power-save        : On                 Last Activity    : 0 seconds ago
Apsd DE AC(s)     : NONE

Packets Input     : 649                Packets Output   : 179       
Bytes Input       : 129364             Bytes Output     : 35033     
Duplicates Rcvd   : 1                  Data Retries     : 3         
Decrypt Failed    : 0                  RTS Retries      : 0         
MIC Failed        : 0                  MIC Missing      : 0         
Packets Redirected: 0                  Redirect Filtered: 0         
Session timeout   : 0 seconds
Reauthenticate in : never

A1142-1#show dot11 associations 04f7.e4ea.5b66
Address           : 04f7.e4ea.5b66     Name             : NONE
IP Address        : 192.168.143.54     Interface        : Dot11Radio 1
Device            : unknown            Software Version : NONE 
CCX Version       : NONE               Client MFP       : Off

State             : EAP-Assoc          Parent           : self               
SSID              : TEST                            
VLAN              : 143
Hops to Infra     : 1                  Association Id   : 1
Clients Associated: 0                  Repeaters associated: 0
Tunnel Address    : 0.0.0.0
Key Mgmt type     : WPAv2              Encryption       : AES-CCMP
Current Rate      : m7.-               Capability       : WMM 11h
Supported Rates   : 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7.
Voice Rates       : disabled           Bandwidth        : 20 MHz 
Signal Strength   : -44  dBm           Connected for    : 2952 seconds
Signal to Noise   : 53  dB            Activity Timeout : 57 seconds
Power-save        : On                 Last Activity    : 1 seconds ago
Apsd DE AC(s)     : NONE

Packets Input     : 469                Packets Output   : 97        
Bytes Input       : 26761              Bytes Output     : 9326      
Duplicates Rcvd   : 0                  Data Retries     : 1         
Decrypt Failed    : 0                  RTS Retries      : 0         
MIC Failed        : 0                  MIC Missing      : 0         
Packets Redirected: 0                  Redirect Filtered: 0         
Session timeout   : 0 seconds
Reauthenticate in : never

In ACS as well you can monitor the successful authentications of these clients. Here are the “Monitoring & Reports -> Launching Monitoring & Report Viewer -> RADIUS Authentication” results.

If you want to look at the details you can click the “Magnify Glass” icon. This is the best way of troubleshooting if a client connection is not successful. It will give the failure reason & you will be pointed in the right direction for troubleshooting. Here is part of a PEAP authentication that came from my iPhone5 client.

Hope this is useful for anyone who wants to play with an Autonomous AP & external RADIUS for authentication.


WLAN Config with 3850 – Part 1


In this post we will see how to configure a WLAN on 3850 switches. In the topology below a single 3850 switch stack is acting as MC/MA (WLC functionality).

I have mainly used the CLI method for the configuration; if you prefer the GUI over the CLI you can use that as well. Before starting the WLAN configuration make sure your 3850 is configured as MC in order to provide the WLC functionality. You need to have the “wireless mobility controller” command on your switch to make it MC (by default it is MA). Also note that the AP & wireless management should be on the same VLAN (999 in my case).

Since this 3850 acts as MC (Mobility Controller), you have to define a dynamic interface that users will be mapped into. I have used vlan1410 (10.141.96.0/21) for this.

3850-1#sh vlan brief
999  SW-MGMT                          active 
1410 WLN-STD-6                        active    
1420 WLN-STF-1                        active  
!
interface GigabitEthernet1/0/2
 switchport access vlan 999
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/48
 switchport trunk native vlan 800
 switchport trunk allowed vlan 999,1410,1420
 switchport mode trunk
!
wireless mobility controller
wireless management interface Vlan999
wireless mobility group name LTU-CA
wireless rf-network LTU-CA
!
interface Vlan999
 ip address 10.15.4.255 255.255.254.0
!
interface Vlan1410
 ip address 10.141.103.253 255.255.248.0
!
ip default-gateway 10.15.5.250

In addition to the above, the 6500 switch is configured as the gateway for all the VLANs.

interface Vlan999
 description SW-MGMT
 ip address 10.15.5.250 255.255.254.0
 ip pim sparse-mode
!
interface Vlan1410
 ip address 10.141.103.250 255.255.248.0
 ip helper-address x.x.26.100
 ip pim sparse-mode

Now we can start configuring WLAN.

3850-1(config)#wlan ?
  WORD      Enter Profile Name up to 32 alphanumeric characters
  shutdown  Enable/disable all WLANs

3850-1(config)#wlan OPEN ?
  <1-64>  Create WLAN Identifier
  <cr>

3850-1(config)#wlan OPEN 19 ?
  WORD  Enter SSID (Network Name) up to 32 alphanumeric characters
  <cr>

3850-1(config)#wlan OPEN 19 OPEN

Now if you look at the running configuration you will see the following

3850-1#sh run | sec wlan
wlan OPEN 19 OPEN
 shutdown

Not much is shown here, so what about all the default settings of this WLAN? To see them you need to issue the “sh running-config all” command. Here it is with all the default settings.

3850-1#sh running-config all | sec wlan OPEN
wlan OPEN 19 OPEN
 accounting-list 
 assisted-roaming dual-list
 assisted-roaming neighbor-list
 broadcast-ssid
 ccx aironet-iesupport
 channel-scan defer-priority 4
 channel-scan defer-priority 5
 channel-scan defer-priority 6
 channel-scan defer-time 100
 chd
 client association limit ap 0
 client association limit radio 0
 client association limit 0
 client vlan default
 dtim dot11 24ghz 1
 dtim dot11 5ghz 1
 exclusionlist
 exclusionlist timeout 60
 ip access-group web 
 ip access-group 
 ip dhcp server 0.0.0.0
 ipv6 traffic-filter web none
 ipv6 traffic-filter none
 mac-filtering 
 mfp client
 mfp infrastructure-protection
 mobility anchor sticky
 radio all
 security wpa
 security wpa akm dot1x
 security wpa wpa2
 security wpa wpa2 ciphers aes
 security dot1x authentication-list 
 security dot1x encryption 104
 security ft over-the-ds
 security ft reassociation-timeout 20
 security pmf association-comeback 1
 security pmf saquery-retry-time 200
 security static-wep-key authentication open
 security tkip hold-down 60
 security web-auth authentication-list 
 security web-auth parameter-map 
 service-policy client input unknown
 service-policy client output unknown
 service-policy input unknown
 service-policy output unknown
 session-timeout 1800
 wmm allowed
 shutdown

So by default security is set to WPA2/AES, the interface is mapped to vlan 1 (default), the SSID is broadcast, etc. In this first example we will change it to open authentication: we map it to client vlan 1410 (WLN-STD-6) & remove WPA security.

3850-1(config)#wlan OPEN 19 OPEN 
3850-1(config-wlan)#no security wpa 
3850-1(config-wlan)#client vlan vlan1410
3850-1(config-wlan)#no shut

3850-1(config-wlan)#do sh run | sec wlan OPEN
wlan OPEN 19 OPEN
 client vlan WLN-STD-6
 no security wpa
 no security wpa akm dot1x
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 no shutdown

Since I am using a WLAN ID higher than 16, I have to use an AP Group to advertise this SSID. So I have created an AP Group called “3850” & mapped this WLAN onto it with interface vlan 1410. You can assign an AP to an AP Group using the “ap name <AP-NAME> ap-group <Group-Name>” CLI command.

3850-1(config)#ap group 3850
3850-1(config-apgroup)#?
  default      Set a command to its defaults
  description  Specify the description for the AP group
  exit         Exit sub-mode
  no           Negate a command or set its defaults
  wlan         Add WLAN to ap group

3850-1(config-apgroup)#wlan ?
  WORD  Enter WLAN name

3850-1(config-apgroup)#wlan OPEN 
3850-1(config-wlan-apgroup)#?
  default       Set a command to its defaults
  exit          Exit sub-mode
  no            Negate a command or set its defaults
  radio-policy  Configures Radio Policy on given AP-Group
  vlan          Configures the WLANs vlan

3850-1(config-wlan-apgroup)#vlan ?
  WORD  Specify the vlan name or vlan id

3850-1(config-wlan-apgroup)#vlan WLN-STD-6

3850-1#ap name L3502-1 ap-groupname 3850
Changing the AP's group name will cause the AP to reboot.
Are you sure you want to continue? (y/n)[y]: y

Once you do this you should be able to connect to this SSID.

3850-WLAN-P1-1

Here are the client details.

3850-1#show wireless client mac-address a088.b435.c2f0 detail 

Client MAC Address : a088.b435.c2f0
Client Username: N/A
AP MAC Address : 2c3f.382b.5700
AP Name: L3502-1
AP slot : 1
Client State : Associated
Wireless LAN Id : 19
Wireless LAN Name: OPEN
BSSID : 2c3f.382b.570d
Connected For : 95 secs 
Protocol : 802.11n - 5 GHz
Channel : 64
Client IIF-ID : 0xc3ab4000000088
ASIC : 0
IPv4 Address : 10.141.99.247
IPv6 Address : Unknown
Association Id : 2
Authentication Algorithm : Open System
Status Code : 0
Session Timeout : 0
Client CCX version : 4
Client E2E version : 1
Input Policy Name  : unknown
Input Policy State : None
Output Policy Name  : unknown
Output Policy State : None
802.1P Priority Tag : Not supported
WMM Support : Enabled
U-APSD Support : Disabled
Power Save : OFF
Current Rate : m15
Supported Rates : 6.0,9.0,12.0,18.0,24.0,36.0,48.0,54.0,6.0,9.0,12.0,18.0,24.0,36.0,48.0,54.0
Mobility State : Local
Mobility Move Count : 0
Security Policy Completed : Yes
Policy Manager State : RUN
Policy Manager Rule Created : Yes
NPU Fast Fast Notified : Yes
Last Policy Manager State : DHCP_REQD
Client Entry Create Time : 1293325 seconds
Policy Type : N/A
Encryption Cipher : None
Management Frame Protection : No
Protected Management Frame - 802.11w : No
EAP Type : Not Applicable
Interface : WLN-STD-6
VLAN : 1410
Quarantine VLAN : 0
Access VLAN : 1410
WFD capable : No
Manged WFD capable : No
Cross Connection capable : No
Support Concurrent Operation : No
Client Capabilities
  CF Pollable : Not implemented
  CF Poll Request : Not implemented
  Short Preamble : Not implemented
  PBCC : Not implemented
  Channel Agility : Not implemented
  Listen Interval : 90
  Fast BSS Transition : Not implemented
Fast BSS Transition Details :
Client Statistics:
  Number of Bytes Received : 196611
  Number of Bytes Sent : 8767
  Number of Packets Received : 1477
  Number of Packets Sent : 166
  Number of EAP Id Request Msg Timeouts : 0
  Number of EAP Request Msg Timeouts : 0
  Number of EAP Key Msg Timeouts : 0
  Number of Data Retries : 4
  Number of RTS Retries : 0
  Number of Duplicate Received Packets : 0
  Number of Decrypt Failed Packets : 0
  Number of Mic Failured Packets : 0
  Number of Mic Missing Packets : 0
  Number of Policy Errors : 0
  Radio Signal Strength Indicator : -49 dBm
  Signal to Noise Ratio : 44 dB
Assisted-Roaming  Prediction List:
Nearby AP Statistics:
  L3502-1(slot1)
    antenna0: 58 seconds ago -61 dBm
    antenna1: 58 seconds ago -51 dBm

Now if you want to configure this as WPA2/AES with PSK you can add the configuration below. Since we disabled WPA earlier, you first need to enable it again before configuring WPA2. Also, before configuring PSK you need to disable dot1x.

3850-1(config-wlan)#security wpa                           
3850-1(config-wlan)#security wpa wpa2 ciphers aes 
3850-1(config-wlan)#no security wpa akm dot1x 
3850-1(config-wlan)#security wpa akm psk set-key ascii 0 Cisco123

This time you have to use the defined PSK to connect to this WLAN.

3850-WLAN-P1-2

Here are the client statistics.

3850-1#sh wireless client mac-address a088.b435.c2f0 detail 

Client MAC Address : a088.b435.c2f0
Client Username: N/A
AP MAC Address : 2c3f.382b.5700
AP Name: L3502-1
AP slot : 1
Client State : Associated
Wireless LAN Id : 19
Wireless LAN Name: OPEN
BSSID : 2c3f.382b.570d
Connected For : 189 secs 
Protocol : 802.11n - 5 GHz
Channel : 64
Client IIF-ID : 0xcc9bc000000097
ASIC : 0
IPv4 Address : 10.141.99.247
IPv6 Address : Unknown
Association Id : 2
Authentication Algorithm : Open System
Status Code : 0
Session Timeout : 0
Client CCX version : 4
Client E2E version : 1
Input Policy Name  : unknown
Input Policy State : None
Output Policy Name  : unknown
Output Policy State : None
802.1P Priority Tag : Not supported
WMM Support : Enabled
U-APSD Support : Disabled
Power Save : OFF
Current Rate : m15
Supported Rates : 6.0,9.0,12.0,18.0,24.0,36.0,48.0,54.0,6.0,9.0,12.0,18.0,24.0,36.0,48.0,54.0
Mobility State : Local
Mobility Move Count : 0
Security Policy Completed : Yes
Policy Manager State : RUN
Policy Manager Rule Created : Yes
NPU Fast Fast Notified : Yes
Last Policy Manager State : DHCP_REQD
Client Entry Create Time : 1296794 seconds
Policy Type : WPA2
Authentication Key Management : PSK
Encryption Cipher : CCMP (AES)
Management Frame Protection : No
Protected Management Frame - 802.11w : No
EAP Type : Not Applicable
Interface : WLN-STD-6
VLAN : 1410
Quarantine VLAN : 0
Access VLAN : 1410
WFD capable : No
Manged WFD capable : No
Cross Connection capable : No
Support Concurrent Operation : No
Client Capabilities

In the GUI (https://10.15.4.255/wireless), you have to go to “Configuration -> Wireless -> WLAN” & then set any features under the General, Security, QoS, AVC & Advanced tabs (see below).

3850-WLAN-P1-3

In the next post we will see how to configure a dot1x WLAN with ACS/ISE.

Related Posts

1. Getting Started with 3850
2. WLAN configs with 3850 – Part 2
3. 3850 Password Recovery
4. Converged Access Mobility
5. 3850- Flexible Netflow
6. Wireshark Capture in 3850


Are You Ready for Wireless Growth ?


Here is a snapshot of the peak hour (1:00-2:00PM) wireless client distribution in my campus network over the past 2 years. That is almost ~150% growth in the number of devices connected to the network over wireless.

I would like to see another color (802.11ac) into this graph from Q1-2014 onwards.

LTU-Wireless-Growth

Here is the number of devices per user on a random day: an average of 1.4 devices per user.

LTU-Wireless-Growth2

Here is the client distribution per protocol on this day. More than 85% of users have devices supporting 802.11n.

LTU-Wireless-Growth3

Is your wireless network ready to meet this sort of demand?



WLAN Config with 3850 – Part 2


In this post we will see how to configure an 802.1x WLAN with 3850. I have used ISE v1.2 as my RADIUS server. Here is the topology for the post.

3850-WLAN-P2-1

Configuring RADIUS on an IOS device is a 3-step process:

1. Define RADIUS server or servers.
2. Define a RADIUS group or groups (listing the RADIUS servers within each).
3. Define a method list that points to one of the groups defined.

Let’s define the RADIUS server first. You need to enter the “aaa new-model” command prior to any RADIUS configs. As you can see below, it automatically adds the “aaa session-id common” command as well.

3850-1(config)#aaa new-model 
3850-1#sh archive config differences nvram:startup-config system:running-config 
!Contextual Config Diffs:
+aaa new-model
+aaa session-id common

Here is how you can define a RADIUS server.

3850-1(config)#radius server ?
  WORD  Name for the radius server configuration

3850-1(config)#radius server ISE-DEV ?
  <cr>

3850-1(config)#radius server ISE-DEV 
3850-1(config-radius-server)#?
RADIUS server sub-mode commands:
  address          Specify the radius server address
  automate-tester  Configure server automated testing.
  backoff          Retry backoff pattern(Default is retransmits with constant delay)
  exit             Exit from RADIUS server configuration mode
  key              Per-server encryption key
  no               Negate a command or set its defaults
  non-standard     Attributes to be parsed that violate RADIUS standard
  pac              Protected Access Credential key
  retransmit       Number of retries to active server (overrides default)
  timeout          Time to wait (in seconds) for this radius server to reply (overrides default)
3850-1(config-radius-server)#address ?
  ipv4  IPv4 Address
  ipv6  IPv6 Address

3850-1(config-radius-server)#address ipv4 ?
  Hostname or A.B.C.D  IPv4 Address of radius server

3850-1(config-radius-server)#address ipv4 10.129.0.5 ?
  acct-port  UDP port for RADIUS accounting server (default is 1646)
  alias      1-8 aliases for this server (max. 8)
  auth-port  UDP port for RADIUS authentication server (default is 1645)
  <cr>

3850-1(config-radius-server)#address ipv4 10.129.0.5 auth-port 1812 acct-port 1813 ?
  <cr>

3850-1(config-radius-server)#address ipv4 10.129.0.5 auth-port 1812 acct-port 1813 
3850-1(config-radius-server)#key Cisco123
3850-1(config-radius-server)#exit

Next we will define a group called “RAD-GRP”

3850-1(config)#aaa group server ?
  ldap     Ldap server-group definition
  radius   Radius server-group definition
  tacacs+  Tacacs+ server-group definition

3850-1(config)#aaa group server radius ?
  WORD  Server-group name

3850-1(config)#aaa group server radius RAD-GRP
3850-1(config-sg-radius)#?
RADIUS Server-group commands:
  accounting        Specify a RADIUS attribute filter for accounting
  attribute         Customize selected radius attributes
  authorization     Specify a RADIUS attribute filter for authorization
  backoff           Retry backoff pattern (Default is retransmits with constant delay)
  cache             cached DB profile configuration
  deadtime          Specify time in minutes to ignore an unresponsive server
  default           Set a command to its defaults
  domain-stripping  Strip the domain from the username
  exit              Exit from RADIUS server-group configuration mode
  ip                Internet Protocol config commands
  ipv6              IPv6 config commands
  key-wrap          Configure RADIUS key-wrap feature
  load-balance      Server group load-balancing options.
  mac-delimiter     MAC Delimiter for Radius Compatibility Mode
  no                Negate a command or set its defaults
  server            Specify a RADIUS server
  server-private    Define a private RADIUS server (per group)
  subscriber        Configures MAC Filtering RADIUS Compatibility mode
  throttle          Throttle requests to radius server

3850-1(config-sg-radius)#server ?
  Hostname or A.B.C.D  IP address of RADIUS server
  name                 Name of radius server

3850-1(config-sg-radius)#server name ISE-DEV ?
  <cr>

3850-1(config-sg-radius)#server name ISE-DEV 
3850-1(config-sg-radius)#exit
3850-1(config)#

Next step is to define method lists.

3850-1(config)#aaa ?
  accounting       Accounting configurations parameters.
  attribute        AAA attribute definitions
  authentication   Authentication configurations parameters.
  authorization    Authorization configurations parameters.
  cache            AAA cache definitions
  common-criteria  AAA Common Criteria
  configuration    Authorization configuration parameters.
  dnis             Associate certain AAA parameters to a specific DNIS number
  group            AAA group definitions
  local            AAA Local method options
  max-sessions     Adjust initial hash size for estimated max sessions
  memory           AAA memory parameters
  nas              NAS specific configuration
  new-model        Enable NEW access control commands and functions.(Disables OLD commands.)
  password         Configure password/secret related settings
  pod              POD processing
  policy           AAA policy parameters
  server           Local AAA server
  service-profile  Service-Profile parameters
  session-id       AAA Session ID
  traceback        Traceback recording
  user             AAA user definitions

3850-1(config)#aaa authentication ?
  arap             Set authentication lists for arap.
  attempts         Set the maximum number of authentication attempts
  banner           Message to use when starting login/authentication.
  dot1x            Set authentication lists for IEEE 802.1x.
  enable           Set authentication list for enable.
  eou              Set authentication lists for EAPoUDP
  fail-message     Message to use for failed login/authentication.
  login            Set authentication lists for logins.
  onep             Set authentication lists for ONEP
  password-prompt  Text to use when prompting for a password
  ppp              Set authentication lists for ppp.
  sgbp             Set authentication lists for sgbp.
  suppress         Do not send access request for a specific type of user.
  username-prompt  Text to use when prompting for a username

3850-1(config)#aaa authentication dot1x ?
  WORD     Named authentication list (max 31 characters, longer will be rejected).
  default  The default authentication list.

3850-1(config)#aaa authentication dot1x LTU-DOT1X group RAD-GRP

Since you are using Authentication, Authorization & Accounting, you can define method lists for authorization and accounting as well.

3850-1(config)#aaa authorization ?
  auth-proxy           For Authentication Proxy Services
  cache                For AAA cache configuration
  commands             For exec (shell) commands.
  config-commands      For configuration mode commands.
  configuration        For downloading configurations from AAA server
  console              For enabling console authorization
  credential-download  For downloading EAP credential from Local/RADIUS/LDAP
  exec                 For starting an exec (shell).
  multicast            For downloading Multicast configurations from an AAA server
  network              For network services. (PPP, SLIP, ARAP)
  onep                 For ONEP authorization service
  policy-if            For diameter policy interface application.
  prepaid              For diameter prepaid services.
  radius-proxy         For proxying radius packets
  reverse-access       For reverse access connections
  subscriber-service   For iEdge subscriber services (VPDN etc)
  template             Enable template authorization

3850-1(config)#aaa authorization network LTU-AUTH group RAD-GRP
3850-1(config)#aaa accounting network LTU-DOT1X start-stop group RAD-GRP

If you want the RADIUS server to override authorization values, you have to enable it in the global config. In this post we will not use this AAA override feature.

3850-1(config)#aaa server radius ?
  dynamic-author  Local server profile for RFC 3576 support
  policy-device   Local server profile for RADIUS External Policy Delegation client
  proxy           Local server profile for RADIUS proxy clients
  sesm            Local server profile for a SESM client

3850-1(config)#aaa server radius dynamic-author 
3850-1(config-locsvr-da-radius)#?
RADIUS Application commands:
  auth-type   Specify the server authorization type
  client      Specify a RADIUS client
  default     Set a command to its defaults
  domain      Username domain options
  exit        Exit from RADIUS application configuration mode
  ignore      Override behaviour to ignore certain parameters
  no          Negate a command or set its defaults
  port        Specify port on which local radius server listens
  server-key  Encryption key shared with the radius clients

3850-1(config-locsvr-da-radius)#client 10.129.0.5 ?
  server-key  Specify a RADIUS client server-key
  vrf         Virtual Routing/Forwarding parameters
  <cr>

3850-1(config-locsvr-da-radius)#client 10.129.0.5 server-key Cisco123
3850-1(config-locsvr-da-radius)#auth-type ?
  all          Matches when all attributes match
  any          Matches when all sent attributes match
  session-key  Matches with session key attribute only

3850-1(config-locsvr-da-radius)#auth-type any 
3850-1(config-locsvr-da-radius)#exit

Before you move on, you need to make sure 802.1x is globally enabled on your 3850. The “dot1x system-auth-control” command will do this for you.

3850-1(config)#dot1x system-auth-control 

In summary here are the config lines we have added so far.

3850-1#sh archive config differences nvram:startup-config system:running-config 
!Contextual Config Diffs:
+aaa new-model
+dot1x system-auth-control
+aaa group server radius RAD-GRP
 +server name ISE-DEV
+aaa authentication dot1x LTU-DOT1X group RAD-GRP
+aaa authorization network LTU-AUTH group RAD-GRP
+aaa accounting network LTU-DOT1X start-stop group RAD-GRP
+aaa server radius dynamic-author
 +client 10.129.0.5 server-key Cisco123
 +auth-type any
+aaa session-id common
+radius server ISE-DEV
 +address ipv4 10.129.0.5 auth-port 1812 acct-port 1813
 +key Cisco123

Now we will configure ISE to add this 3850 as a client of that RADIUS server. You can add individual devices by navigating to “Administration > Network Resources > Network Devices”. In this example I have used “Default Device” so I do not need to add these devices individually. I have used “Cisco123”, which is the shared key used in the 3850 configuration.

3850-WLAN-P2-2

Also, for testing, I have configured a local user called “user1” with password “Cisco123” by navigating to “Administration > Identity Management > Identities > User” as shown below.

3850-WLAN-P2-3

By default most of the EAP protocols are allowed by ISE. You can verify the allowed protocol list by navigating to “Policy > Policy Elements > Results > Authentication > Allowed Protocols > Default Network Access”.

3850-WLAN-P2-4

Then you can define the authentication method for WLAN users. I have defined a new rule for dot1x called “LTU-DOT1x”.

3850-WLAN-P2-5

You should select the allowed protocol as “Default Network Access” & save the policy.

3850-WLAN-P2-6

Let’s configure the SSID called “3850” for dot1x authentication. Remember that once you create a new SSID it is automatically configured with WPA2/AES with dot1x. We will point it to the “LTU-DOT1X” authentication method list we created.

wlan 3850 17 3850
 client vlan WLN-STD-6
 security dot1x authentication-list LTU-DOT1X
 no shutdown
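The WLAN security states walked through in Part 1 (open, then WPA2-PSK) and the dot1x WLAN with its AAA chain configured above can be checked from a saved running-config. The Python script below is an added example, not code from the original post or from Cisco: it parses the indentation-based IOS config blocks shown in these posts, classifies each WLAN as open / WPA2-PSK / WPA2-802.1x, and follows a dot1x WLAN's authentication-list through the server group to the RADIUS server definition. The sample config is constructed from the lines in these posts; the GUEST-PSK WLAN is invented for illustration.

```python
"""Audit WLAN security posture from a 3850/5760 IOS-XE running-config (added example)."""

# Constructed sample: the OPEN WLAN of Part 1, the dot1x WLAN and AAA lines of
# Part 2, plus an invented PSK WLAN (GUEST-PSK). Not output copied from a device.
SAMPLE_CONFIG = """\
dot1x system-auth-control
aaa group server radius RAD-GRP
 server name ISE-DEV
aaa authentication dot1x LTU-DOT1X group RAD-GRP
radius server ISE-DEV
 address ipv4 10.129.0.5 auth-port 1812 acct-port 1813
 key Cisco123
wlan OPEN 19 OPEN
 client vlan WLN-STD-6
 no security wpa
 no shutdown
wlan 3850 17 3850
 client vlan WLN-STD-6
 security dot1x authentication-list LTU-DOT1X
 no shutdown
wlan GUEST-PSK 20 GUEST
 no security wpa akm dot1x
 security wpa akm psk set-key ascii 0 Cisco123
"""


def parse_blocks(config):
    """Split IOS-style config into (top-level line, [indented child lines])."""
    blocks = []
    for raw in config.splitlines():
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        elif raw.strip() and not raw.startswith(("!", " ")):
            blocks.append((raw.strip(), []))
    return blocks


def classify_wlan(header, children):
    """Effective security of one wlan block. Only deviations from the defaults appear
    in 'sh run'; the defaults ('sh running-config all' in the post) are WPA on,
    WPA2/AES, AKM dot1x, client vlan default and shutdown."""
    _, profile, wlan_id, ssid = header.split()[:4]
    lines = set(children)
    wpa = "no security wpa" not in lines
    akm_dot1x = wpa and "no security wpa akm dot1x" not in lines
    akm_psk = wpa and any(c.startswith("security wpa akm psk") for c in children)
    vlan = next((c.split()[2] for c in children if c.startswith("client vlan ")), "default")
    auth_list = next((c.split()[3] for c in children
                      if c.startswith("security dot1x authentication-list ")), "")
    by_akm = {(True, False): "wpa2-dot1x", (False, True): "wpa2-psk"}  # else both/neither
    security = "open" if not wpa else by_akm.get((akm_dot1x, akm_psk), "wpa2-other-akm")
    return {"profile": profile, "id": int(wlan_id), "ssid": ssid, "vlan": vlan,
            "enabled": "no shutdown" in lines, "security": security,
            "auth_list": auth_list, "findings": []}


def check_dot1x_chain(auth_list, dot1x_lists, groups, servers, global_dot1x):
    """Follow authentication-list -> server group -> radius server; report broken links."""
    findings = [] if global_dot1x else ["'dot1x system-auth-control' is not enabled globally"]
    grps = dot1x_lists.get(auth_list)
    if not grps:
        return findings + [f"authentication-list '{auth_list}' is undefined or has no RADIUS group"]
    for grp in grps:
        if not groups.get(grp):
            findings.append(f"RADIUS group {grp} is missing or has no servers")
        for srv in groups.get(grp, []):
            if not any(c.startswith("key ") for c in servers.get(srv, [])):
                findings.append(f"RADIUS server {srv} is undefined or has no shared key")
    return findings


def audit(config):
    """Return {profile: posture dict} with findings for weak or dangling settings."""
    blocks = parse_blocks(config)
    global_dot1x = any(h == "dot1x system-auth-control" for h, _ in blocks)
    dot1x_lists, groups, servers = {}, {}, {}
    for header, children in blocks:
        w = header.split()
        if w[:3] == ["aaa", "authentication", "dot1x"]:
            # method tokens follow the list name, e.g. "group RAD-GRP local"; keep the groups
            dot1x_lists[w[3]] = [w[i + 1] for i in range(4, len(w) - 1) if w[i] == "group"]
        elif w[:4] == ["aaa", "group", "server", "radius"]:
            groups[w[4]] = [c.split()[2] for c in children if c.startswith("server name ")]
        elif w[:2] == ["radius", "server"]:
            servers[w[2]] = children
    results = {}
    for header, children in blocks:
        if header.startswith("wlan "):
            p = classify_wlan(header, children)
            if p["security"] == "open":
                p["findings"].append("open WLAN: no encryption and no client authentication")
            elif p["security"] == "wpa2-dot1x":
                p["findings"] += check_dot1x_chain(p["auth_list"], dot1x_lists,
                                                   groups, servers, global_dot1x)
            results[p["profile"]] = p
    return results
```

Feed `audit()` the text of `show running-config`; a WLAN's findings list is empty only when it is WPA2 and, for dot1x, its list, group and RADIUS server (with a key) all exist and 802.1x is enabled globally.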

Since we created a WLAN ID greater than 16, we will create the AP group and map the SSID to the required vlan interface. Finally, add the AP to the AP group as shown below.

3850-1(config)#ap group 3850
3850-1(config-apgroup)#wlan 3850
3850-1(config-wlan-apgroup)#vlan WLN-STD-6
!
3850-1#ap name L3502-1 ap-groupname 3850
Changing the AP's group name will cause the AP to reboot.
Are you sure you want to continue? (y/n)[y]: y

Now if you connect to the SSID with the credentials we created on ISE, you should be able to join the network.

3850-WLAN-P2-7

You can monitor the client connection details via ISE or the 3850 CLI.

3850-1#sh wireless client summary 
Number of Local Clients : 3
MAC Address    AP Name                          WLAN State              Protocol 
--------------------------------------------------------------------------------
04f7.e4ea.5b66 L3502-1                          17   UP                 11n(5)   
2c54.2dea.f4ea L3502-1                          17   AUTHENTICATING     11a      
a088.b435.c2f0 L3502-1                          17   UP                 11n(5)

3850-1#show wireless client mac-address a088.b435.c2f0 detail 

Client MAC Address : a088.b435.c2f0
Client Username : user1
AP MAC Address : 2c3f.382b.5700
AP Name: L3502-1
AP slot : 1
Client State : Associated
Wireless LAN Id : 17
Wireless LAN Name: 3850
BSSID : 2c3f.382b.570f
Connected For : 1512 secs 
Protocol : 802.11n - 5 GHz
Channel : 64
Client IIF-ID : 0xc9c900000000a6
ASIC : 0
IPv4 Address : 10.141.99.247
IPv6 Address : Unknown
Association Id : 2
Authentication Algorithm : Open System
Status Code : 0
Client CCX version : 4
Client E2E version : 1
Re-authentication Timeout : 297 (1801)
Input Policy Name  : unknown
Input Policy State : None
Output Policy Name  : unknown
Output Policy State : None
802.1P Priority Tag : Not supported
WMM Support : Enabled
U-APSD Support : Disabled
Power Save : ON
Current Rate : m15
Supported Rates : 6.0,9.0,12.0,18.0,24.0,36.0,48.0,54.0,6.0,9.0,12.0,18.0,24.0,36.0,48.0,54.0
Mobility State : Local
Mobility Move Count : 0
Security Policy Completed : Yes
Policy Manager State : RUN
Policy Manager Rule Created : Yes
NPU Fast Fast Notified : Yes
Last Policy Manager State : L2AUTHCOMPLETE
Client Entry Create Time : 1461570 seconds
Policy Type : WPA2
Authentication Key Management : 802.1x
Encryption Cipher : CCMP (AES)
Management Frame Protection : No
Protected Management Frame - 802.11w : No
EAP Type : PEAP
Interface : WLN-STD-6
VLAN : 1410
Quarantine VLAN : 0
Access VLAN : 1410
WFD capable : No
Manged WFD capable : No
Cross Connection capable : No
Support Concurrent Operation : No
Client Capabilities
  CF Pollable : Not implemented
  CF Poll Request : Not implemented
  Short Preamble : Not implemented
  PBCC : Not implemented
  Channel Agility : Not implemented
  Listen Interval : 90
  Fast BSS Transition : Not implemented
Fast BSS Transition Details :
Client Statistics:
  Number of Bytes Received : 459653
  Number of Bytes Sent : 17967
  Number of Packets Received : 4204
  Number of Packets Sent : 336
  Number of EAP Id Request Msg Timeouts : 0
  Number of EAP Request Msg Timeouts : 0
  Number of EAP Key Msg Timeouts : 0
  Number of Data Retries : 4
  Number of RTS Retries : 0
  Number of Duplicate Received Packets : 2
  Number of Decrypt Failed Packets : 0
  Number of Mic Failured Packets : 0
  Number of Mic Missing Packets : 0
  Number of Policy Errors : 0
  Radio Signal Strength Indicator : -49 dBm
  Signal to Noise Ratio : 46 dB
Assisted-Roaming  Prediction List:
Nearby AP Statistics:
  L3502-1(slot1)
    antenna0: 7 seconds ago -59 dBm
    antenna1: 7 seconds ago -52 dBm

3850-WLAN-P2-8

The reference document below guides you if you want to do the same thing via the GUI:
Cisco Doc ID 116600

Related Posts

1. Getting Started with 3850
2. WLAN configs with 3850 – Part 1
3. 3850 Password Recovery
4. Converged Access Mobility
5. 3850- Flexible Netflow
6. Wireshark Capture in 3850


Getting Started with 5760


In previous posts we looked at the 3850 acting as MC/MA without a centralized controller for the MC functionality. But if your environment is large, then from a scalability point of view it is advisable to have a centralized controller as MC, with all your 3850/3650 switches acting as MA.

Here is the complete test setup I will be using for future posts, but in this post we will see how to get started with the 5760 basic configuration.

5760-GS-01

Here is what this product physically looks like.

5760-GS-02

Since this pretty much works as an L3 switch, it is best practice to connect it to the network as a VTP transparent switch. Also note that it can handle up to 128 vlans.

5760-1#sh vtp status
VTP Version capable             : 1 to 3
VTP version running             : 2
VTP Domain Name                 : LTU-CA
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : 44ad.d903.9d00
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00

Feature VLAN:
--------------
VTP Operating Mode                : Transparent
Maximum VLANs supported locally   : 1005
Number of existing VLANs          : 6
Configuration Revision            : 0
MD5 digest                        : 0x36 0xFF 0xF8 0xDF 0x53 0x18 0xF6 0x52 
                                    0xE5 0x36 0xC0 0xF9 0xDF 0xA1 0xE6 0x83

If you do not set it to transparent mode & connect it to a network with a larger number of vlans, you may see messages like the ones below.

5760-1(config-if)#
*Mar 31 23:59:34.583: %NGWC_PLATFORM_FEP-1-FRU_PS_ACCESS: Switch 1: power supply A is not responding
*Apr 1 00:02:23.112: *simSvcRcvTask: 1 wcm: %SIM-3-ADD_SIM_L2INTF_FAILED: Adding of the vlan failed: tree insertion failure. 
*Apr 1 00:02:23.115: *simSvcRcvTask: 1 wcm: %LOG-3-Q_IND: Adding of the vlan failed: tree insertion failure
*Apr  1 00:02:23.131: %SPANTREE_VLAN_SW-2-MAX_INSTANCE: Platform limit of 128 STP instances exceeded. No instance created for VLAN99

The management port of the 5760 has to be configured as a host port. It is by default in a VRF called “Mgmt-vrf”, so you have to configure a default gateway for this VRF to reach the rest of your network.

If the service port is in use, the management interface must be on a different supernet from the service-port interface.

interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 ip address 10.13.5.254 255.255.254.0
 no ip route-cache
 negotiation auto
!
ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 10.13.5.250

I have connected this Mgmt port to G6/1 of my 6506-E. The Mgmt port of the 5760 should be connected to a switchport configured as an access port.

interface GigabitEthernet6/1
 description 5760-MGMT-VL999
 switchport
 switchport access vlan 999
!
interface Vlan999
 description SW-MGMT
 ip address 10.13.5.252 255.255.254.0
 no ip redirects
 no ip unreachables
 ip pim sparse-mode
 standby 99 ip 10.13.5.250

Once you do this port configuration you can access it from your network. If you want to use this port for TFTP/FTP file transfers, you can configure it like below.

5760-1(config)#ip ftp ?
  passive           Connect using passive mode
  password          Specify password for FTP connections
  source-interface  Specify interface for source address in FTP connections
  username          Specify username for FTP connections
!
5760-1(config)#ip ftp username networks
5760-1(config)#ip ftp password xxxxxx
5760-1(config)#ip ftp source-interface g0/0

5760-1(config)#ip tftp ?
  blocksize         Specify TFTP client blocksize
  boot-interface    Force interface to use for TFTP booting
  min-timeout       Set minimum timeout period for retransmission
  source-interface  Specify interface for source address in TFTP connections

5760-1(config)#ip tftp source-interface g0/0

Then you have to define a wireless management interface. I have used vlan 1600 as the management interface and created two additional vlans for WLAN testing in future. You need to configure a default route to the gateway address of your management interface, and ensure vlan 1600 is set as the wireless management interface.

interface Vlan1600
 ip address 10.160.49.1 255.255.254.0
!
wireless management interface vlan 1600
!
ip route 0.0.0.0 0.0.0.0 10.160.49.250

5760-1#sh vlan brief 
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Te1/0/1, Te1/0/2, Te1/0/3, Te1/0/4
1410 WLN-STD-6                        active    
1420 WLN-STF-1                        active    
1600 NET-MGT-1                        active

Then you can configure the 10G interfaces, depending on how many you want to activate. I have used 2x 10G as a single Port Channel for this. You can bundle all 6 ports to get 60Gbps throughput. Since this is an IOS based controller it supports LACP, PAgP or Manual (“ON” mode). I have used mode on for simplicity.

**** HERE IS 5760 CONFIGURATION *****

interface TenGigabitEthernet1/0/5
 switchport trunk native vlan 800
 switchport trunk allowed vlan 1410,1420,1600
 switchport mode trunk
 channel-group 16 mode on
!
interface TenGigabitEthernet1/0/6
 switchport trunk native vlan 800
 switchport trunk allowed vlan 1410,1420,1600
 switchport mode trunk
 channel-group 16 mode on
!
interface Port-channel16
 switchport trunk native vlan 800
 switchport trunk allowed vlan 1410,1420,1600
 switchport mode trunk

****** HERE IS THE CONFIG ON 6506-E ******

interface TenGigabitEthernet4/15
 description 5760WLC-20G ETH-CH
 switchport
 switchport trunk native vlan 800
 switchport trunk allowed vlan 1410,1420,1600
 switchport mode trunk
 channel-group 16 mode on
!
interface TenGigabitEthernet4/16
 description 5760WLC-20G ETH-CH
 switchport
 switchport trunk native vlan 800
 switchport trunk allowed vlan 1410,1420,1600
 switchport mode trunk
 channel-group 16 mode on
!
interface Port-channel16
 description WLC5760-20G
 switchport
 switchport trunk native vlan 800
 switchport trunk allowed vlan 1410,1420,1600
 switchport mode trunk

You can configure Port-Channel load balancing as “src-dst-ip” instead of the default “src-mac” method. The 6506-E does “src-dst-ip” load balancing by default.

5760-1(config)#port-channel load-balance ?
  dst-ip                 Dst IP Addr
  dst-mac                Dst Mac Addr
  dst-mixed-ip-port      Dst IP Addr and TCP/UDP Port
  dst-port               Dst TCP/UDP Port
  extended               Extended Load Balance Methods
  src-dst-ip             Src XOR Dst IP Addr
  src-dst-mac            Src XOR Dst Mac Addr
  src-dst-mixed-ip-port  Src XOR Dst IP Addr and TCP/UDP Port
  src-dst-port           Src XOR Dst TCP/UDP Port
  src-ip                 Src IP Addr
  src-mac                Src Mac Addr
  src-mixed-ip-port      Src IP Addr and TCP/UDP Port
  src-port               Src TCP/UDP Port

5760-1(config)#port-channel load-balance src-dst-ip 

5760-1#show etherchannel load-balance 
EtherChannel Load-Balancing Configuration:
        src-dst-ip

EtherChannel Load-Balancing Addresses Used Per-Protocol:
Non-IP: Source XOR Destination MAC address
  IPv4: Source XOR Destination IP address
  IPv6: Source XOR Destination IP address

5760-1#sh etherchannel summary 
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
16     Po16(SU)         -        Te1/0/5(P)  Te1/0/6(P)  

Make sure you configure NTP & that your 5760 is synchronized with it. Also configure a username/password so you can access the 5760 via the GUI.

5760-1(config)#username admin privilege 15 password 0 Cisco123
5760-1#sh run | in ntp
ntp server x.x.4.104
ntp server x.x.4.103

5760-1#sh run | in clock
clock timezone AEST 10 0
clock summer-time AEDT recurring 1 Sun Oct 2:00 1 Sun Apr 3:00

5760-1#show ntp associations 
  address         ref clock       st   when   poll reach  delay  offset   disp
*~x.x.4.104   x.x.131.118    2     84    128   377  0.952   3.035  4.226
+~x.x.4.103   x.x.192.50     2     92    128   377  0.963   2.782  3.103
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

5760-1#sh clock 
16:43:51.564 AEDT Thu Dec 12 2013

That’s pretty much the basic configuration & you should be able to access the 5760 GUI via its management IP (https://10.160.49.1/wireless) using the admin/Cisco123 credentials.

You can check the license level as below. If you do not have a permanent license, you can activate an evaluation license for 90 days using the “license right-to-use activate apcount evaluation acceptEULA” CLI command. If you have permanent licenses, you can activate them using “license right-to-use activate apcount <No of AP> slot {1 |2} acceptEULA”.

5760-1#show license right-to-use summary 
  License Name    Type     Count   Period left
-----------------------------------------------
  apcount      base        0        Lifetime
  apcount      adder       1000     Lifetime

--------------------------------------------
 Evaluation AP-Count: Disabled
Total AP Count Licenses: 1000
AP Count Licenses In-use: 0
AP Count Licenses Remaining: 1000

You may have to upgrade the software image, depending on the IOS-XE image that came with your 5760. In my case I have already upgraded it to 3.9.6 (you can follow the Getting Started with 3850 post for details) since I am doing a beta trial with 3700 series APs.

5760-1#sh ver
.
.
.
License Level: Ipservices
License Type: Permanent
Next reload license Level: Ipservices

cisco AIR-CT5760 (i686) processor with 10485760K bytes of physical memory.
Processor board ID FOC1727V0MT
2 Virtual Ethernet interfaces
6 Ten Gigabit Ethernet interfaces
2048K bytes of non-volatile configuration memory.
10485760K bytes of physical memory.
255000K bytes of Crash Files at crashinfo:.
3612840K bytes of Flash at flash:.
0K bytes of Dummy USB Flash at usbflash0:.
0K bytes of  at webui:.

Base Ethernet MAC Address          : 44:ad:d9:03:9d:00
Motherboard Assembly Number        : 73-14448-04
Motherboard Serial Number          : FOC172568FD
Model Revision Number              : A0
Model Number                       : AIR-CT5760
System Serial Number               : FOC1727V0MT

Switch Ports Model              SW Version        SW Image              Mode   
------ ----- -----              ----------        ----------            ----   
*    1 6     AIR-CT5760         03.09.06.MZP      ct5760-ipservicesk9   INSTALL

Configuration register is 0x201 (will be 0x102 at next reload)

Here is the consolidated configuration guide (for IOS-XE 3.3, which is the latest at the time of this write-up) that you should refer to. Yes, it is an 1818-page guide & takes time to absorb. :)

Consolidated Platform Configuration Guide, Cisco IOS XE Release3.3SE (Cisco WLC 5700 Series)

In the next post, we will see how we can use this controller together with a 3850 (MA) to register an AP.

Related Posts

1. Getting Started with 3850
2. WLAN configs with 3850 – Part 1
3. WLAN configs with 3850 – Part 2
4. 3850 Password Recovery
5. Converged Access Mobility
6. 3850- Flexible Netflow
7. Wireshark Capture in 3850
8. 3850(MA) with 5760(MC)


AP Conversion using MODE Button


If you have already read one of my previous posts (Lightweight to Autonomous (vice versa) Conversion…), you may know one way of doing this AP conversion.

In this post we will see how to do the same task using the Mode/Reset button of the Access Point. Number 1 in the diagram below shows this Reset button on the given AP.

You can use this mode/reset button when you do not know the password, your AP firmware is corrupted, etc. In our case the firmware is not corrupted, but we can still use this button to load an image from a TFTP server. In this scenario the AP looks for a specifically named image file to load, so if you keep an Autonomous image file with the correct file name on the TFTP server, the AP will load that image once we do this.

Before starting, we will look at the Autonomous & Lightweight recovery images for some AP models. As you can see below, certain AP models share common images (like 2600/3600, 1040/1140 or 1260/3500) for this purpose.

In this example I am using a 3500 series AP & therefore I have downloaded the ap3g1-k9w7-tar.152-4.JA1.tar & ap3g1-rcvk9w8-tar.152-4.JA1.tar files onto my TFTP server. Now you need to rename these so the AP loads them when it is reset using the mode button. Below shows how they should be renamed. Since the AP always expects the same default filename, you have to make sure the correct file is renamed depending on whether you are doing a LAP->AAP or AAP->LAP conversion.

Since the AP is reset to factory defaults, it will always take the 10.0.0.1 IP. So your TFTP server should be on the same subnet (most of the time your PC acts as the TFTP server, directly connected to the AP Ethernet port). Here are my TFTP/PC IP settings.

Now everything is ready for the conversion. First we will take a Lightweight AP & convert it to Autonomous. Ensure you have renamed the “ap3g1-k9w7-tar.152-4.JA1.tar” file to “ap3g1-k9w7-tar.default” & that it is available on your TFTP server.

To do this you need to hold the mode/reset button for 20s (until the LED becomes solid RED) while powering on the AP. You can watch the console output to see what’s happening in the background.

using MCNG ddr static values from serial eeprom
ddr init done

IOS Bootloader - Starting system.
FLASH CHIP:  Numonyx P33
Checking for Over Erased blocks
......................................................................................................................................................................................................................................................
Xmodem file system is available.

DDR values used from system serial eeprom.
WRDTR,CLKTR: 0x8200083f, 0x40000000
RQDC, RFDC : 0x80000033, 0x00000218

PCIE0: link is up.
PCIE0: VC0 is active
PCIE1: link is up.
PCIE1: VC0 is active
64bit PCIE devices
PCIEx: initialization done
flashfs[0]: 41 files, 9 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 31739904
flashfs[0]: Bytes used: 14926336
flashfs[0]: Bytes available: 16813568
flashfs[0]: flashfs fsck took 10 seconds.
Reading cookie from system serial eeprom...Done
Base Ethernet MAC address: cc:ef:48:72:0f:b5
Ethernet speed is 1000 Mb - FULL duplex
button is pressed, wait for button to be released...
button pressed for 23 seconds
process_config_recovery: set IP address and config to default 10.0.0.1
process_config_recovery: image recovery
image_recovery: Download default IOS tar image tftp://255.255.255.255/ap3g1-k9w7-tar.default

examining image...
extracting info (283 bytes)
Image info:
    Version Suffix: k9w7-.152-2.JB
    Image Name: ap3g1-k9w7-mx.152-2.JB
    Version Directory: ap3g1-k9w7-mx.152-2.JB
    Ios Image Size: 1126912
    Total Image Size: 12257792
    Image Feature: WIRELESS LAN|LWAPP
    Image Family: AP3G1
    Wireless Switch Management Version: 7.4.1.37
Extracting files...
.
.
.
.
extracting ap3g1-k9w7-mx.152-2.JB/info (283 bytes)
extracting info.ver (283 bytes)
Deleting current version: flash:/ap3g1-k9w8-mx.v152_2_jb.201310220755...done.
New software image installed in flash:/ap3g1-k9w7-mx.152-2.JB
Configuring system to use new image...done.
Requested system reload in progress...download took about 731 seconds
Loading "flash:/ap3g1-k9w7-mx.152-2.JB/ap3g1-k9w7-mx.152-2.JB"...################

File "flash:/ap3g1-k9w7-mx.152-2.JB/ap3g1-k9w7-mx.152-2.JB" uncompressed and installed, entry point: 0x4000
executing...

You will see the AP downloading the “.default” image from your TFTP server.

Once the image is fully loaded, the AP will reboot & come up as an Autonomous AP. Notice that the “ap>” prompt indicates it is an Autonomous AP on its default settings.

ap>en
Password: Cisco
ap#sh ver
Cisco IOS Software, C3500 Software (AP3G1-K9W7-M), Version 15.2(2)JB, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Mon 10-Dec-12 23:42 by prod_rel_team

ROM: Bootstrap program is C3500 boot loader
BOOTLDR: C3500 Boot Loader (AP3G1-BOOT-M), Version 12.4 [mpleso-ap_jmr3_esc_0514 125]

ap uptime is 2 minutes
System returned to ROM by power-on
System image file is "flash:/ap3g1-k9w7-mx.152-2.JB/ap3g1-k9w7-xx.152-2.JB"
Last reload reason:

Now you can follow the same process if you want to convert it back to Lightweight. Make sure the “ap3g1-rcvk9w8-tar.152-4.JA1.tar” file is renamed to “ap3g1-k9w7-tar.default” & is available on your TFTP server (you may have to remove or rename the .default file previously used for the LAP->AAP conversion).
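Because the reset AP pulls whatever file answers to the fixed “.default” name over broadcast TFTP, it is worth confirming that the staged tar really is the image you meant before pressing the button. The following Python is an added example covering both conversion directions above, not a script from this post; it assumes the tar carries a root `info` member with the `Key: value` lines seen in the console output (the sample contents are constructed from those lines, abridged), and `tftp_root` is whatever directory your TFTP server serves.

```python
import hashlib
import io
import os
import shutil
import tarfile
import tempfile

# Constructed 'info' contents, abridged from the two console outputs on the page.
SAMPLE_AUTONOMOUS_INFO = """\
Version Suffix: k9w7-.152-2.JB
Image Name: ap3g1-k9w7-mx.152-2.JB
Version Directory: ap3g1-k9w7-mx.152-2.JB
Image Feature: WIRELESS LAN|LWAPP
Image Family: AP3G1
"""
SAMPLE_RECOVERY_INFO = """\
Version Suffix: rcvk9w8-
Image Name: ap3g1-rcvk9w8-mx
Version Directory: ap3g1-rcvk9w8-mx
Image Feature: WIRELESS LAN|LWAPP
Image Family: AP3G1
"""

def parse_info(text):
    """Turn the 'Key: value' lines of an AP image 'info' member into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def image_kind(info):
    """'autonomous' for k9w7 images, 'lightweight-recovery' for rcvk9w8 ones."""
    suffix = info.get("Version Suffix", "")
    if suffix.startswith("rcvk9w8"):
        return "lightweight-recovery"
    if suffix.startswith("k9w7"):
        return "autonomous"
    return "unknown"

def default_filename(info):
    """Name the bootloader requests (ap3g1-k9w7-tar.default for family AP3G1).
    It is the k9w7 name in both directions, even when staging the recovery image."""
    return info["Image Family"].lower() + "-k9w7-tar.default"

def read_info_from_tar(tar_path):
    """Read and parse the root 'info' member without extracting anything to disk."""
    with tarfile.open(tar_path, "r") as tar:
        return parse_info(tar.extractfile(tar.getmember("info")).read().decode("ascii"))

def stage_image(tar_path, tftp_root, expected_family, expected_kind):
    """Validate the tar, then copy it into the TFTP root under the .default name.

    Refuses an image built for another AP family or for the other conversion
    direction, so the reset AP cannot pull the wrong file. Returns (destination
    path, sha256) so the digest can be compared with the one Cisco publishes.
    """
    info = read_info_from_tar(tar_path)
    if info.get("Image Family") != expected_family:
        raise ValueError("family %s, expected %s" % (info.get("Image Family"), expected_family))
    if image_kind(info) != expected_kind:
        raise ValueError("image is %s, expected %s" % (image_kind(info), expected_kind))
    dest = os.path.join(tftp_root, default_filename(info))
    if os.path.exists(dest):
        os.remove(dest)  # stale .default left over from the previous conversion direction
    shutil.copyfile(tar_path, dest)
    with open(dest, "rb") as fh:
        return dest, hashlib.sha256(fh.read()).hexdigest()

def build_sample_tar(path, info_text):
    """Write a minimal tar holding only an 'info' member (constructed test data)."""
    data = info_text.encode("ascii")
    with tarfile.open(path, "w") as tar:
        member = tarfile.TarInfo("info")
        member.size = len(data)
        tar.addfile(member, io.BytesIO(data))

def demo():
    """Stage both conversion directions in a temporary TFTP root and report the result."""
    root, results = tempfile.mkdtemp(), {}
    aap = os.path.join(root, "ap3g1-k9w7-tar.152-4.JA1.tar")
    build_sample_tar(aap, SAMPLE_AUTONOMOUS_INFO)
    results["lap_to_aap"] = os.path.basename(stage_image(aap, root, "AP3G1", "autonomous")[0])
    rcv = os.path.join(root, "ap3g1-rcvk9w8-tar.152-4.JA1.tar")
    build_sample_tar(rcv, SAMPLE_RECOVERY_INFO)
    results["aap_to_lap"] = os.path.basename(stage_image(rcv, root, "AP3G1", "lightweight-recovery")[0])
    try:  # asking for an autonomous image but pointing at the recovery tar must be refused
        stage_image(rcv, root, "AP3G1", "autonomous")
        results["wrong_kind_refused"] = False
    except ValueError:
        results["wrong_kind_refused"] = True
    shutil.rmtree(root)
    return results

if __name__ == "__main__":
    print(demo())
```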

LAP-AAP-06

IOS Bootloader - Starting system.
FLASH CHIP:  Numonyx P33
Checking for Over Erased blocks
......................................................................................................................................................................................................................................................
Xmodem file system is available.

DDR values used from system serial eeprom.
WRDTR,CLKTR: 0x8200083f, 0x40000000
RQDC, RFDC : 0x80000033, 0x00000218

PCIE0: link is up.
PCIE0: VC0 is active
PCIE1: link is up.
PCIE1: VC0 is active
64bit PCIE devices
PCIEx: initialization done
flashfs[0]: 198 files, 9 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 31739904
flashfs[0]: Bytes used: 15564800
flashfs[0]: Bytes available: 16175104
flashfs[0]: flashfs fsck took 10 seconds.
Reading cookie from system serial eeprom...Done
Base Ethernet MAC address: cc:ef:48:72:0f:b5
Ethernet speed is 1000 Mb - FULL duplex
button is pressed, wait for button to be released...
button pressed for 21 seconds
process_config_recovery: set IP address and config to default 10.0.0.1
process_config_recovery: image recovery
image_recovery: Download default IOS tar image tftp://255.255.255.255/ap3g1-k9w7-tar.default

examining image...
extracting info (263 bytes)
Image info:
    Version Suffix: rcvk9w8-
    Image Name: ap3g1-rcvk9w8-mx
    Version Directory: ap3g1-rcvk9w8-mx
    Ios Image Size: 123392
    Total Image Size: 7598592
    Image Feature: WIRELESS LAN|LWAPP
    Image Family: AP3G1
    Wireless Switch Management Version: 7.4.1.37
Extracting files...
ap3g1-rcvk9w8-mx/ (directory) 0 (bytes)
extracting ap3g1-rcvk9w8-mx/ap3g1-rcvk9w8-mx (113080 bytes)........................
extracting ap3g1-rcvk9w8-mx/ap3g1-boot-m_upg (393216 bytes).....................................................................................
extracting ap3g1-rcvk9w8-mx/u-boot.bin (393216 bytes).....................................................................................
extracting ap3g1-rcvk9w8-mx/ap3g1-rcvk9w8-xx (6686892 bytes)...

Now your AP is back in Lightweight mode & it is ready to register with a WLC.

APccef.4872.0fb5#sh ver
Cisco IOS Software, C3500 Software (AP3G1-RCVK9W8-M), Version 15.2(2)JB, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Mon 10-Dec-12 23:48 by prod_rel_team

ROM: Bootstrap program is C3500 boot loader
BOOTLDR: C3500 Boot Loader (AP3G1-BOOT-M), Version 12.4 [mpleso-ap_jmr3_esc_0514 125]

Networks-ISE-Test uptime is 0 minutes
System returned to ROM by reload
System image file is "flash:/ap3g1-rcvk9w8-mx/ap3g1-rcvk9w8-xx"
Last reload reason:

Here are some reference documents you should read.

1. http://www.cisco.com/en/US/docs/wireless/access_point/12.4.25d.JA/Configuration/guide/scg12.4.25d.JA-chap22-trouble.html
2.

Related Posts

1. Lightweight to Autonomous (vice versa) Conversion


3850(MA) with 5760(MC)


In this post we will use a 3850 (acting as MA) to communicate with a centralized 5760 (acting as MC). The diagram below summarizes the overall mobility concept in a Converged Access (CA) deployment.

A Mobility Domain (MD) is the entire domain across which client roaming is supported. It is a collection of mobility groups. For example, a campus network can be considered a mobility domain.
A Mobility Group (MG) is a collection of mobility subdomains across which fast roaming is supported. The mobility group can be one or more buildings within a campus across which frequent roaming is supported.
A Mobility Subdomain (MSD) is an autonomous portion of the mobility domain network. Each mobility subdomain contains one mobility controller (MC) and a collection of SPGs. A subdomain is equivalent to an 802.11r key domain.
A Switch Peer Group (SPG) is a collection of mobility agents.
The Mobility Oracle (MO) acts as the point of contact for mobility events that occur across mobility subdomains. The mobility oracle also maintains a local database of each client in the entire mobility domain, with their home and current subdomain. There is only one MO for an entire mobility domain. The Cisco WLC 5700 Series Controllers or a CUWN controller can act as MO.
The Mobility Controller (MC) provides mobility management services for inter-SPG roaming events. The MC sends configuration such as the SPG name and SPG peer member list to all of the mobility agents under its subdomain. The WLC 5700, 3850 Switch, or a CUWN controller can act as MC. The MC has both MC functionality and MA functionality running internally.
The Mobility Agent (MA) is the component that maintains the client mobility state machine for a mobile client. All APs are connected to a mobility agent.

In Converged Access, fast roaming is available within a Mobility Group (not between mobility groups, as in Unified Wireless). For inter-mobility-group roaming the client has to fully re-authenticate. Within a mobility group you can have multiple sub-domains. Each sub-domain should have its own MC, which keeps the client database for that sub-domain. Within a sub-domain you can create SPGs (Switch Peer Groups) to optimize roaming by constraining roaming traffic to a small area (e.g. a building). The diagram below represents this concept.

The next question is: what is the maximum number of SPGs in a sub-domain? The maximum number of mobility sub-domains (MSD) per MG? The maximum number of MCs in a mobility domain (MD)? The table below summarizes these; keep them in mind when designing CA solutions.

So here is my test topology. Effectively it is within a single mobility sub-domain, where the 5760 acts as MC & there are two SPGs.

Let’s configure 3850-2 (MA) to communicate with the 5760 (MC) to register the L3602-1 AP. Here is the basic configuration on the 3850.

3850-2#sh archive config differences nvram:startup-config system:running-config
interface GigabitEthernet1/0/1
 +description L3602-1
 +switchport access vlan 1610
 +switchport mode access
 +spanning-tree portfast

+interface Vlan1610
 +ip address 10.161.33.22 255.255.254.0
+wireless management interface Vlan1610

Then you need to tell the 3850 about its Mobility Controller (MC) as below. If there are firewall or NAT devices sitting between MA & MC then you need to use the “public-ip” option as well. In my configuration it is not required.

3850-2(config)#wireless mobility controller ?
  ip          no description
  peer-group  Configures mobility peer groups  
  <cr>

3850-2(config)#wireless mobility controller ip ?
  A.B.C.D  IP address of mobility controller

3850-2(config)#wireless mobility controller ip 10.160.49.1 ?
  public-ip  no description
  <cr>

3850-2(config)#wireless mobility controller ip 10.160.49.1

You can verify the 3850 mobility configuration using the “show wireless mobility summary” CLI command. As expected, mobility is down since we haven’t configured the MC yet. Also the SPG name is blank; the MA will learn its SPG name from the MC.

3850-2#show wireless mobility summary 
Mobility Agent Summary:
Mobility Role                                   : Mobility Agent
Mobility Protocol Port                          : 16666
Mobility Switch Peer Group Name                 : 
Multicast IP Address                            : 0.0.0.0
DTLS Mode                                       : Enabled
Mobility Domain ID for 802.11r                  : 0xac34
Mobility Keepalive Interval                     : 10
Mobility Keepalive Count                        : 3
Mobility Control Message DSCP Value             : 0
Switch Peer Group Members Configured            : 0

Link Status is Control Link Status : Data Link Status
The status of Mobility Controller: 
IP              Public IP            Link Status
------------------------------------------------
10.160.49.1     10.160.49.1          DOWN : DOWN 

Let’s move on to the 5760 (MC) & start configuring it. We will give “BUN-1” as the group name & then create an SPG called “SPG1” and add 3850-2 as a member of that SPG.

5760-1(config)#wireless mobility group ?
  keepalive          Keepalive ping parameters to be configured
  member             Add/Change a Mobility group member to the list
  multicast-address  Configures the Multicast IP Address for a non-local mobility group
  name               Configures the Mobility domain name

5760-1(config)#wireless mobility group name ?
  WORD  Enter ASCII String up to 31 characters, case sensitive

5760-1(config)#wireless mobility group name BUN-1

5760-1(config)#wireless mobility ?
  controller  Configures mobility controller settings
  dscp        Configures the Mobility inter controller DSCP value
  group       Configures the Mobility group parameters
  multicast   Configures the Multicast Mode for mobility messages
  oracle      Configures mobility oracle settings

5760-1(config)#wireless mobility controller ?
  peer-group  Configures mobility peer groups  

5760-1(config)#wireless mobility controller peer-group ?
  WORD  Add or delete a peer group

5760-1(config)#wireless mobility controller peer-group SPG1 ?
  bridge-domain-id  Configure bridge domain Id
  member            Add or delete a peer group member
  multicast         Configures multicast settings of a peer group
  <cr>

5760-1(config)#wireless mobility controller peer-group SPG1 

5760-1(config)#wireless mobility controller peer-group SPG1 member ?
  ip  IP address of a peer group member

5760-1(config)#wireless mobility controller peer-group SPG1 member ip ?
  A.B.C.D  IP address of a peer group member

5760-1(config)#wireless mobility controller peer-group SPG1 member ip 10.161.33.22 ?
  public-ip  Public IP address of a peer group member
  <cr>

5760-1(config)#wireless mobility controller peer-group SPG1 member ip 10.161.33.22

Once you do this, you can see the mobility paths (control & data) are up.

5760-1#show  wireless mobility summary 
Mobility Controller Summary:
Mobility Role                                   : Mobility Controller
Mobility Protocol Port                          : 16666
Mobility Group Name                             : BUN-1
Mobility Oracle                                 : Disabled
Mobility Oracle IP Address                      : 0.0.0.0
DTLS Mode                                       : Enabled
Mobility Domain ID for 802.11r                  : 0xac34
Mobility Keepalive Interval                     : 10
Mobility Keepalive Count                        : 3
Mobility Control Message DSCP Value             : 48
Mobility Domain Member Count                    : 1

Link Status is Control Link Status : Data Link Status
Controllers configured in the Mobility Domain:
IP               Public IP        Group Name       Multicast IP     Link Status
-------------------------------------------------------------------------------
10.160.49.1      -                BUN-1          0.0.0.0          UP   : UP 

Switch Peer Group Name            : SPG1
Switch Peer Group Member Count    : 1
Bridge Domain ID                  : 0
Multicast IP Address              : 0.0.0.0
IP               Public IP             Link Status
--------------------------------------------------
10.161.33.22     10.161.33.22          UP   : UP  

Now if you go to 3850-2 & check the mobility summary, you should see the paths are UP & it has learnt its SPG name as well.

3850-2#show wireless mobility summary 
Mobility Agent Summary:
Mobility Role                                   : Mobility Agent
Mobility Protocol Port                          : 16666
Mobility Switch Peer Group Name                 : SPG1
Multicast IP Address                            : 0.0.0.0
DTLS Mode                                       : Enabled
Mobility Domain ID for 802.11r                  : 0xac34
Mobility Keepalive Interval                     : 10
Mobility Keepalive Count                        : 3
Mobility Control Message DSCP Value             : 48
Switch Peer Group Members Configured            : 1

Link Status is Control Link Status : Data Link Status
The status of Mobility Controller: 
IP              Public IP            Link Status
------------------------------------------------
10.160.49.1     10.160.49.1          UP   : UP                      

Switch Peer Group members:
IP              Public IP            Data Link Status
-----------------------------------------------------
10.161.33.22    10.161.33.22         UP
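The MA and MC summaries above have to agree on several values before the tunnels come up. This added Python (not from the post) parses both forms of “show wireless mobility summary” output, using constructed, abridged copies of the outputs shown above, and reports the mismatches a practitioner would check first; the IPs passed to `check_pair` are the MA and MC addresses from this post.

```python
import re

# Constructed from the 'show wireless mobility summary' outputs above, abridged
# to the lines the checks use. MA before the MC was configured:
MA_BEFORE = """\
Mobility Role                                   : Mobility Agent
Mobility Switch Peer Group Name                 :
DTLS Mode                                       : Enabled
Mobility Domain ID for 802.11r                  : 0xac34
Mobility Keepalive Interval                     : 10
Mobility Keepalive Count                        : 3
IP              Public IP            Link Status
------------------------------------------------
10.160.49.1     10.160.49.1          DOWN : DOWN
"""
# The same MA after the 5760 learnt it as an SPG1 member:
MA_AFTER = """\
Mobility Role                                   : Mobility Agent
Mobility Switch Peer Group Name                 : SPG1
DTLS Mode                                       : Enabled
Mobility Domain ID for 802.11r                  : 0xac34
Mobility Keepalive Interval                     : 10
Mobility Keepalive Count                        : 3
IP              Public IP            Link Status
------------------------------------------------
10.160.49.1     10.160.49.1          UP   : UP
"""
MC_SUMMARY = """\
Mobility Role                                   : Mobility Controller
Mobility Group Name                             : BUN-1
DTLS Mode                                       : Enabled
Mobility Domain ID for 802.11r                  : 0xac34
Mobility Keepalive Interval                     : 10
Mobility Keepalive Count                        : 3
IP               Public IP        Group Name       Multicast IP     Link Status
10.160.49.1      -                BUN-1          0.0.0.0          UP   : UP
Switch Peer Group Name            : SPG1
Switch Peer Group Member Count    : 1
IP               Public IP             Link Status
10.161.33.22     10.161.33.22          UP   : UP
"""

IPV4 = re.compile(r"\d+\.\d+\.\d+\.\d+$")
FIELD = re.compile(r"^(.*?)\s*:\s*(.*?)\s*$")

def parse_summary(text):
    """Return ({field: value}, {ip: (control_status, data_status)}).

    Table rows are recognised by a leading IPv4 address and a trailing
    'UP : UP' / 'DOWN : DOWN' pair; any other line with a colon is a field.
    With several SPGs only the last 'Switch Peer Group Name' survives.
    """
    fields, links = {}, {}
    for line in text.splitlines():
        tokens = line.split()
        if tokens and IPV4.match(tokens[0]):
            if len(tokens) >= 5 and tokens[-2] == ":":
                links[tokens[0]] = (tokens[-3], tokens[-1])
            continue
        m = FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields, links

def check_pair(ma_text, mc_text, ma_ip, mc_ip):
    """List what stops the MA at ma_ip and the MC at mc_ip from working together."""
    ma, ma_links = parse_summary(ma_text)
    mc, mc_links = parse_summary(mc_text)
    findings = []
    # These must match for 802.11r fast roaming and for the mobility tunnels themselves.
    for key in ("Mobility Domain ID for 802.11r", "DTLS Mode",
                "Mobility Keepalive Interval", "Mobility Keepalive Count"):
        if ma.get(key) != mc.get(key):
            findings.append("%s differs: MA=%r MC=%r" % (key, ma.get(key), mc.get(key)))
    spg = ma.get("Mobility Switch Peer Group Name")
    if not spg:
        findings.append("MA has not learnt an SPG name from the MC")
    elif spg != mc.get("Switch Peer Group Name"):
        findings.append("SPG name differs: MA=%r MC=%r" % (spg, mc.get("Switch Peer Group Name")))
    if ma_links.get(mc_ip) != ("UP", "UP"):
        findings.append("MA -> MC %s control:data link is %s" % (mc_ip, ma_links.get(mc_ip)))
    if mc_links.get(ma_ip) != ("UP", "UP"):
        findings.append("MC has no UP:UP peer-group row for MA %s" % ma_ip)
    return findings

if __name__ == "__main__":
    for label, text in (("before", MA_BEFORE), ("after", MA_AFTER)):
        print(label, check_pair(text, MC_SUMMARY, "10.161.33.22", "10.160.49.1") or "OK")
```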

Now let’s try to register the AP. Prior to that, make sure your 5760/3850 is configured for the correct regulatory domain/country code. Keep in mind you need to disable the radio bands before changing the country code.

5760-1#show wireless country configured 
 Configured Country.............................: US  - United States
 Configured Country Codes 
        US  - United States : 802.11a Indoor,Outdoor/ 802.11b / 802.11g

5760-1(config)#ap dot11 5ghz shutdown
5760-1(config)#ap dot11 24ghz shutdown 
5760-1(config)#ap country AU                                                       
Changing country code could reset channel and RRM grouping configuration. If running in RRM One-Time mode, reassign channels after this command. Check customized APs for valid channel values after this command. 
Are you sure you want to continue? (y/n)[y]: y
5760-1(config)#no ap dot11 5ghz shutdown 
5760-1(config)#no ap dot11 24ghz shutdown 

5760-1# show wireless country configured 
 Configured Country.............................: AU  - Australia
 Configured Country Codes 
        AU  - Australia : 802.11a Indoor,Outdoor/ 802.11b / 802.11g

Make sure you have the same configured on your MA as well.

3850-2#show wireless country configured 
Configured Country.............................: US  - United States
 Configured Country Codes 
        US  - United States : 802.11a Indoor,Outdoor/ 802.11b / 802.11g

3850-2(config)#ap dot11 5ghz shutdown 
3850-2(config)#ap dot11 24ghz shutdown 
3850-2(config)#ap country AU
Changing country code could reset channel and RRM grouping configuration. If running in RRM One-Time mode, reassign channels after this command. Check customized APs for valid channel values after this command. 
Are you sure you want to continue? (y/n)[y]: y
3850-2(config)#no ap dot11 5ghz shutdown 
3850-2(config)#no ap dot11 24ghz shutdown 

3850-2(config)#do show wireless country configured 
 Configured Country.............................: AU  - Australia
 Configured Country Codes 
        AU  - Australia : 802.11a Indoor,Outdoor/ 802.11b / 802.11g

Here is the AP console output of successful registration.

*Mar  1 00:00:28.563: %SSH-5-ENABLED: SSH 2.0 has been enabled
*Mar  1 00:00:29.039: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI1, changed state to up
*Mar  1 00:00:31.951: %SOAP_FIPS-2-SELF_TEST_HW_SUCCESS: HW crypto FIPS self test passed
*Mar  1 00:00:31.951: DPAA Initialization Complete
*Mar  1 00:00:31.951: %SYS-3-HARIKARI: Process DPAA INIT top-level routine exited
*Mar  1 00:00:32.951: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to up%Default route without gateway, if not a point-to-point interface, may impact performance
*Mar  1 00:00:56.927: Logging LWAPP message to 255.255.255.255.
*Mar  1 00:01:01.667: %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source
*Mar  1 00:01:02.755: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Mar  1 00:01:03.047: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address 10.161.33.241, mask 255.255.254.0, hostname L3602-1
*Mar  1 00:01:03.755: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Mar  1 00:01:03.847: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Mar  1 00:01:04.847: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
Translating "CISCO-CAPWAP-CONTROLLER.ltu.edu.au"...domain server (131.172.2.2)
*Mar  1 00:01:12.967: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.
*Mar  1 00:01:12.967: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER.ltu.edu.au
*Mar  1 00:01:22.967: %CAPWAP-3-ERRORLOG: Go join a capwap controller 
*Dec 12 22:15:38.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.161.33.22 peer_port: 5246
*Dec 12 22:15:40.223: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.161.33.22 peer_port: 5246
*Dec 12 22:15:40.223: %CAPWAP-5-SENDJOIN: sending Join Request to 10.161.33.22
*Dec 12 22:15:40.559: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
*Dec 12 22:15:40.567: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Dec 12 22:15:40.571: %CAPWAP-5-JOINEDCONTROLLER: AP has joined controller 3850-2
*Dec 12 22:15:40.631: ac_first_hop_mac - IP:10.161.33.22 Hop IP:10.161.33.22 IDB:BVI1
*Dec 12 22:15:40.635: Setting AC first hop MAC: 7c95.f380.27e7

If you look at the MA, you should see that L3602-1 is registered to it. If you look at the license, the MA does not have any AP-count licenses; they always come from the MC.

3850-2#show ap summary 
Number of APs: 1
Global AP User Name: Not configured
Global AP Dot1x User Name: Not configured
AP Name                           AP Model  Ethernet MAC    Radio MAC       State         
----------------------------------------------------------------------------------------
L3602-1                           3602I     4c00.82df.a4c1  f84f.57e3.1460  Registered  

3850-2#sh license right-to-use summary 
  License Name    Type     Count   Period left
-----------------------------------------------
  ipbase       permanent   N/A      Lifetime
  apcount      base        0        Lifetime
  apcount      adder       0        Lifetime
--------------------------------------------
License Level In Use: ipbase
License Level on Reboot: ipbase
Evaluation AP-Count: Disabled
Total AP Count Licenses: 0
AP Count Licenses In-use: 0
AP Count Licenses Remaining: 0

On my 5760, I can see this AP.

5760-1#show wireless mobility ap-list 
Number of AP entries in the mobility group : 2
Number of AP entries in the sub-domain     : 2

AP name                           AP radio MAC      Controller IP     Learnt from       
--------------------------------------------------------------------------------------
APccef.4872.0fc3                  2c3f.382b.5260    10.160.49.1       Self              
L3602-1                           f84f.57e3.1460    10.161.33.22      Mobility Agent    

Controller IP     AP Count    
----------------------------
10.160.49.1       1           
10.161.33.22      1

Here is a CSC forum post listing all the useful CA reference materials. Please read all of those if you are interested in learning more.
https://supportforums.cisco.com/thread/2249117

Related Posts

1. Getting Started with 3850
2. Getting Started with 5760



5760 in CA & CUWN Hybrid Solution


In most practical scenarios, you have to place a 5760 controller in an existing CUWN (Cisco Unified Wireless Network) environment. In this post we will see how to configure a WLAN on the 5760 to support that CUWN setup.

As shown in the above diagram, we will use the L3502-2 AP and register it to the 5760-1 controller. In this case CAPWAP will be terminated on the 5760 itself, as the AP is connected to a 3750X series switch, which does not have integrated WLC functionality. Make sure your 5760 has the basic configuration (refer to Getting Started with 5760 for details).

Here is the AP configuration. Let’s erase its NVRAM so it forgets about previously known WLCs (this way it will not try to register to them). Once it boots up, it will get a DHCP IP & try to find a WLC. In this example we will configure the WLC IP statically on the AP.

LAP#debug capwap  console cli
This command is meant only for debugging/troubleshooting 
Any configuration change may result in different
behavior from centralized configuration. 

CAPWAP console CLI allow/disallow debugging is on
LAP#erase /all nvram: 
Erasing the nvram filesystem will remove all files! Continue? [confirm]
[OK]
Erase of nvram: complete
L3502-2#reload
*Dec 16 01:58:14.647: %SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram
Proceed with reload? [confirm]
Writing out the event log to flash:/event.log .
.
.
*Dec 16 01:58:50.640: %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source
*Dec 16 01:58:51.474: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address 10.161.32.11, mask 255.255.254.0, hostname APccef.4872.0fc3
*Dec 16 01:58:51.735: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Dec 16 01:58:52.735: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Dec 16 01:58:52.829: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Dec 16 01:58:53.830: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
Translating "CISCO-CAPWAP-CONTROLLER.ltu.edu.au"...domain server (x.x.2.2)
*Dec 16 01:59:01.461: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.
*Dec 16 01:59:01.464: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER.ltu.edu.au

Once you configure the 5760 as the primary controller for this AP, it will successfully register to it.

APccef.4872.0fc3#capwap ap primary-base 5760-1 10.160 

*Dec 16 02:04:08.490: %CAPWAP-3-ERRORLOG: Selected MWAR '5760-1'(index 0).
*Dec 16 02:04:08.490: %CAPWAP-3-ERRORLOG: Go join a capwap controller 
*Dec 16 02:01:55.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.160.49.1 peer_port: 5246
*Dec 16 02:01:55.223: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.160.49.1 peer_port: 5246
*Dec 16 02:01:55.223: %CAPWAP-5-SENDJOIN: sending Join Request to 10.160.49.1
*Dec 16 02:01:55.440: capwap-config-view: Not present
*Dec 16 02:01:55.522: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
*Dec 16 02:01:55.528: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Dec 16 02:01:55.537: %CAPWAP-5-JOINEDCONTROLLER: AP has joined controller 5760-1
*Dec 16 02:01:55.588: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Dec 16 02:01:56.522: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Dec 16 02:01:56.553: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to down
*Dec 16 02:01:56.560: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*Dec 16 02:01:56.588: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
*Dec 16 02:01:57.548: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Dec 16 02:01:57.579: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Dec 16 02:01:57.585: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
*Dec 16 02:01:57.592: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Dec 16 02:01:58.579: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
*Dec 16 02:01:58.586: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Dec 16 02:01:58.611: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Dec 16 02:01:59.073: %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source
*Dec 16 02:01:59.611: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up

Now if you look at the 5760 end, you can see the successful AP registration. We will change the AP name to L3502-2 using the “ap name <old_name> name <new_name>” CLI command.

5760-1#show ap summary 
Number of APs: 1
Global AP User Name: Not configured
Global AP Dot1x User Name: Not configured
AP Name                           AP Model  Ethernet MAC    Radio MAC       State         
----------------------------------------------------------------------------------------
APccef.4872.0fc3                  3502I     ccef.4872.0fc3  2c3f.382b.5260  Registered 

5760-1#ap name APccef.4872.0fc3 name L3502-2
5760-1#show ap summary 
Number of APs: 1
Global AP User Name: Not configured
Global AP Dot1x User Name: Not configured
AP Name                           AP Model  Ethernet MAC    Radio MAC       State         
----------------------------------------------------------------------------------------
L3502-2                           3502I     ccef.4872.0fc3  2c3f.382b.5260  Registered

Let’s create a WLAN called “LTUWireless” with open authentication (in a later post we will change it to dot1x with AAA override). Since I am creating it as open, I do not want too many users connecting to it, so I disabled the “broadcast SSID” feature. Keep in mind that hiding the SSID only reduces casual discovery; it is not an access control.

5760-1(config)#wlan LTUWireless 21 LTUWireless 
5760-1(config-wlan)#no broadcast-ssid 
5760-1(config-wlan)#client vlan 1420
5760-1(config-wlan)#no security wpa 

Let’s create the dynamic interface for clients on VLAN 1420.

5760-1(config-if)#do sh vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
.
.
1410 WLN-STD-6                        active    
1420 WLN-STF-1                        active    
1600 NET-MGT-1                        active 

5760-1(config)#interface vlan 1420
5760-1(config-if)#ip address 10.142.39.253 255.255.248.0
5760-1(config-if)#ip helper-address x.x.x.100 
5760-1(config-if)#ip helper-address x.x.x.200

Now let’s create an AP group called “LTU-CUWN” & put this WLAN into it. Then add the L3502-2 AP to the group we created. (Note that the AP will reboot & register again to the 5760.)

5760-1(config)#ap group LTU-CUWN 
5760-1(config-apgroup)#wlan LTUWireless
5760-1(config-wlan-apgroup)#?
  default       Set a command to its defaults
  exit          Exit sub-mode
  no            Negate a command or set its defaults
  radio-policy  Configures Radio Policy on given AP-Group
  vlan          Configures the WLANs vlan
5760-1(config-wlan-apgroup)#vlan ?   
  WORD  Specify the vlan name or vlan id
5760-1(config-wlan-apgroup)#vlan 1420

5760-1#ap name L3502-2 ap-groupname LTU-CUWN 
Changing the AP's group name will cause the AP to reboot.
Are you sure you want to continue? (y/n)[y]: y

Here is the WLAN summary information.

5760-1#show wlan summary 
Number of WLANs: 1
WLAN Profile Name                     SSID                           VLAN Status 
--------------------------------------------------------------------------------
21   LTUWireless                      LTUWireless                    1420 UP

5760-1#show wlan id 21
WLAN Profile Name     : LTUWireless
================================================
Identifier                                     : 21
Network Name (SSID)                            : LTUWireless
Status                                         : Enabled
Broadcast SSID                                 : Disabled
Max Associated Clients per WLAN                : 0
Max Associated Clients per AP per WLAN         : 0
Max Associated Clients per AP Radio per WLAN   : 0
AAA Policy Override                            : Disabled
Network Admission Control
  NAC-State                                    : Disabled
Number of Active Clients                       : 1
Exclusionlist Timeout                          : 60
Session Timeout                                : Infinity
CHD per WLAN                                   : Enabled
Webauth DHCP exclusion                         : Disabled
Interface                                      : 1420
Interface Status                               : Up
Multicast Interface                            : Unconfigured
WLAN IPv4 ACL                                  : 
WLAN IPv6 ACL                                  : unconfigured
DHCP Server                                    : Default
DHCP Address Assignment Required               : Disabled
DHCP Option 82                                 : Disabled
DHCP Option 82 Format                          : ap-mac
DHCP Option 82 Ascii Mode                      : Disabled
DHCP Option 82 Rid Mode                        : Disabled
QoS Service Policy - Input
  Policy Name                                  : unknown
  Policy State                                 : None
QoS Service Policy - Output
  Policy Name                                  : unknown
  Policy State                                 : None
QoS Client Service Policy
  Input  Policy Name                           : unknown
  Output Policy Name                           : unknown
WMM                                            : Allowed
WifiDirect                                     : Disabled
Channel Scan Defer Priority:
  Priority (default)                           : 4
  Priority (default)                           : 5
  Priority (default)                           : 6
Scan Defer Time (msecs)                        : 100
Media Stream Multicast-direct                  : Disabled
CCX - AironetIe Support                        : Enabled
CCX - Gratuitous ProbeResponse (GPR)           : Disabled
CCX - Diagnostics Channel Capability           : Disabled
Dot11-Phone Mode (7920)                        : Invalid
Wired Protocol                                 : None
Peer-to-Peer Blocking Action                   : Disabled
Radio Policy                                   : All
DTIM period for 802.11a radio                  : 1
DTIM period for 802.11b radio                  : 1
Local EAP Authentication                       : Disabled
Mac Filter Authorization list name             : Disabled
Accounting list name                           : Disabled
802.1x authentication list name                : Disabled
Security
    802.11 Authentication                      : Open System
    Static WEP Keys                            : Disabled
    802.1X                                     : Disabled
    Wi-Fi Protected Access (WPA/WPA2)          : Disabled
    FT Support                                 : Disabled
        FT Reassociation Timeout               : 20
        FT Over-The-DS mode                    : Enabled
    PMF Support                                : Disabled
        PMF Association Comeback Timeout       : 1
        PMF SA Query Time                      : 200
    CKIP                                       : Disabled
    IP Security                                : Disabled
    L2TP                                       : Disabled
    Web Based Authentication                   : Disabled
    Conditional Web Redirect                   : Disabled
    Splash-Page Web Redirect                   : Disabled
    Auto Anchor                                : Disabled
    Sticky Anchoring                           : Enabled
    Cranite Passthru                           : Disabled
    Fortress Passthru                          : Disabled
    PPTP                                       : Disabled
    Infrastructure MFP protection              : Enabled
    Client MFP                                 : Optional but inactive (WPA2 not configured)
    Webauth On-mac-filter Failure              : Disabled
    Webauth Authentication List Name           : Disabled
    Webauth Parameter Map                      : Disabled
    Tkip MIC Countermeasure Hold-down Timer    : 60
Call Snooping                                  : Disabled
Passive Client                                 : Disabled
Non Cisco WGB                                  : Disabled
Band Select                                    : Disabled
Load Balancing                                 : Disabled
IP Source Guard                                : Disabled
Assisted-Roaming
    Neighbor List                              : Enabled
    Prediction List                            : Disabled
    Dual Band Support                          : Enabled
AVC Visibility                                : Disabled

Now you can test your client connectivity. As you can see, my AnyConnect client connected to this SSID.

[Figure: 5760-CUWN-2]

You can verify the client details on the 5760 CLI as well.

5760-1#sh wireless client summary 
Number of Local Clients : 1
MAC Address    AP Name                          WLAN State              Protocol 
--------------------------------------------------------------------------------
a088.b435.c2f0 L3502-2                          21   UP                 11n(5)  

5760-1#show wireless client mac-address a088.b435.c2f0 detail 
Client MAC Address : a088.b435.c2f0
Client Username: N/A
AP MAC Address : 2c3f.382b.5260
AP Name: L3502-2
AP slot : 1
Client State : Associated
Wireless LAN Id : 21
Wireless LAN Name: LTUWireless
BSSID : 2c3f.382b.526f
Connected For : 536 secs 
Protocol : 802.11n - 5 GHz
Channel : 161
Client IIF-ID : 0x5b3c8000000013
ASIC : 0
IPv4 Address : 10.142.35.243
IPv6 Address : Unknown
Association Id : 1
Authentication Algorithm : Open System
Status Code : 0
Session Timeout : 0
Client CCX version : 4
Client E2E version : 1
Input Policy Name  : unknown
Input Policy State : None
Output Policy Name  : unknown
Output Policy State : None
802.1P Priority Tag : 0
WMM Support : Enabled
U-APSD Support : Disabled
Power Save : OFF
Current Rate : m15
Supported Rates : 6.0,9.0,12.0,18.0,24.0,36.0,48.0,54.0,6.0,9.0,12.0,18.0,24.0,36.0,48.0,54.0
Mobility State : Local
Mobility Move Count : 0
Security Policy Completed : Yes
Policy Manager State : RUN
Policy Manager Rule Created : Yes
NPU Fast Fast Notified : Yes
Last Policy Manager State : DHCP_REQD
Client Entry Create Time : 430790 seconds
Policy Type : N/A
Encryption Cipher : None
Management Frame Protection : No
Protected Management Frame - 802.11w : No
EAP Type : Not Applicable
Interface : WLN-STF-1
VLAN : 1420
Quarantine VLAN : 0
Access VLAN : 1420
WFD capable : No
Manged WFD capable : No
Cross Connection capable : No
Support Concurrent Operation : No
Client Capabilities
  CF Pollable : Not implemented
  CF Poll Request : Not implemented
  Short Preamble : Not implemented
  PBCC : Not implemented
  Channel Agility : Not implemented
  Listen Interval : 90
  Fast BSS Transition : Not implemented
Fast BSS Transition Details :
Client Statistics:
  Number of Bytes Received : 152628
  Number of Bytes Sent : 13707
  Number of Packets Received : 1158
  Number of Packets Sent : 182
  Number of EAP Id Request Msg Timeouts : 0
  Number of EAP Request Msg Timeouts : 0
  Number of EAP Key Msg Timeouts : 0
  Number of Data Retries : 0
  Number of RTS Retries : 0
  Number of Duplicate Received Packets : 1
  Number of Decrypt Failed Packets : 0
  Number of Mic Failured Packets : 0
  Number of Mic Missing Packets : 0
  Number of Policy Errors : 0
  Radio Signal Strength Indicator : -52 dBm
  Signal to Noise Ratio : 41 dB
Assisted-Roaming  Prediction List:
Nearby AP Statistics:
  L3502-2(slot1)
    antenna0: 29 seconds ago -53 dBm
    antenna1: 29 seconds ago -50 dBm
  L3502-2(slot0)
    antenna0: 29 seconds ago -50 dBm
    antenna1: 29 seconds ago -43 dB

In the next post we will see how to configure RADIUS on the 5760 & make the WLAN dot1x.

Related Posts

1. Getting Started with 3850
2. Getting Started with 5760
3. WLAN configs with 3850 – Part 1
4. WLAN configs with 3850 – Part 2
5. 3850(MA) with 5760(MC)
6. 5760 with 802.1x WLAN
7. 5760 AVC Configuration


Configuring RADIUS on 5760


In this post we will see how to configure a RADIUS server & then use it to change the previously created “LTUWireless” WLAN authentication from “Open” to “802.1x”. Since we used the CLI method for a similar config on the 3850, this time we will use the GUI method & then derive the equivalent CLI config at the end.

We will use the same topology as in the previous post.

[Figure: 5760-CUWN-1]

As you may remember, these are the three basic steps for configuring RADIUS on an IOS device.

1. Define the RADIUS server or servers.
2. Define a RADIUS group or groups (listing the RADIUS servers that belong to each).
3. Define a method list that points to one of the groups defined.

If you go to the 5760 GUI (Configuration -> Wireless -> Security -> AAA) you should be able to configure those three things.

[Figure: 5760-RADIUS-1]

Here are the server details I entered.

[Figure: 5760-RADIUS-2]

Next we will configure the RADIUS server group. Go to the Server Groups -> RADIUS section under AAA. Here are the default settings.

[Figure: 5760-RADIUS-3]

Here it is once the RADIUS server group is configured.

[Figure: 5760-RADIUS-4]

Then you can configure a method list to be used with the defined RADIUS server group. Here you also have to enable 802.1x sys-auth under the General section. Here is what the default settings look like.

[Figure: 5760-RADIUS-5]

Here are the settings once I configured them.

[Figure: 5760-RADIUS-6]

Now if you look at the configuration in the CLI & compare it with the prior configuration, you can derive the config differences.

5760-1#sh archive config differences nvram:startup-config system:running-config
!Contextual Config Diffs:
+aaa new-model
+aaa group server radius RAD-GRP
 +server name ISE-DEV
 +deadtime 1
 +mac-delimiter colon
+aaa authentication dot1x LTU-DOT1X group RAD-GRP local
+aaa accounting dot1x LTU-DOT1X start-stop group RAD-GRP
+aaa server radius dynamic-author
 +client 10.129.0.5 server-key Cisco123
 +auth-type any
+aaa session-id common
+dot1x system-auth-control
+radius server ISE-DEV
 +address ipv4 10.129.0.5 auth-port 1812 acct-port 1813
 +key Cisco123
-no aaa new-model
line vty 0 4
 -no login
line vty 5 15
 -no login

As shown below, when we configured the 3850 with an 802.1x WLAN we already configured an ISE Default Device entry, so the 5760 does not need to be added separately.

[Figure: 3850-WLAN-P2-2]

We also had a simple policy with a permit-access rule for 802.1x wireless connection requests, & we created a user on ISE (user1/Cisco123) for testing. If you need more detail on how that was configured, see the WLAN configs with 3850 – Part 2 post.

[Figure: 5760-RADIUS-7]

Now we change the SSID authentication from Open to dot1x. You can do this via the GUI in the Configure -> Wireless -> WLAN -> Security section. Here are the settings with “Open Authentication”.

[Figure: 5760-RADIUS-8]

Now we change it to dot1x & use the RADIUS server configured above. Since I am planning to use this WLAN to test a 7925G as well, I have configured it as dot1x+CCKM.

[Figure: 5760-RADIUS-9]

Here are the CLI config differences caused by the above WLAN modifications. Lines marked with + are additions & lines marked with – were removed from the previously saved configuration.

5760-1#sh archive config differences nvram:startup-config system:running-config
wlan LTUWireless 21 LTUWireless
 +accounting-list LTU-DOT1X
 +security wpa akm cckm
 +security dot1x authentication-list LTU-DOT1X
 +session-timeout 1800

wlan LTUWireless 21 LTUWireless
 -no security wpa
 -no security wpa akm dot1x
 -no security wpa wpa2
 -no security wpa wpa2 ciphers aes
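
The two diffs above build a chain of references (wlan -> method list -> server group -> radius server), and a misspelled list or group name anywhere in that chain leaves the WLAN without working 802.1x while the config still saves cleanly. The Python below is an added example, not code from the original post: it parses the added config lines (constructed from the diffs, with the shared secret replaced by a placeholder) and checks that every reference resolves, reporting the `local` fallback in the authentication list as informational.

```python
"""Cross-check the AAA and WLAN lines added by the two config diffs above."""
import re
from typing import Dict, List, Tuple

# Constructed sample: the '+' lines of both diffs with the '+' stripped; the
# shared secret is replaced by a placeholder.
SAMPLE_CONFIG = """\
aaa new-model
aaa group server radius RAD-GRP
 server name ISE-DEV
 deadtime 1
 mac-delimiter colon
aaa authentication dot1x LTU-DOT1X group RAD-GRP local
aaa accounting dot1x LTU-DOT1X start-stop group RAD-GRP
dot1x system-auth-control
radius server ISE-DEV
 address ipv4 10.129.0.5 auth-port 1812 acct-port 1813
 key RADIUS-SECRET-PLACEHOLDER
wlan LTUWireless 21 LTUWireless
 accounting-list LTU-DOT1X
 security wpa akm cckm
 security dot1x authentication-list LTU-DOT1X
 session-timeout 1800
"""

Finding = Tuple[str, str]  # (severity, message)


def parse_blocks(config: str) -> Dict[str, List[str]]:
    """Group indented sub-mode lines under their top-level parent line."""
    blocks: Dict[str, List[str]] = {}
    parent = None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace():
            if parent is not None:
                blocks[parent].append(raw.strip())
        else:
            parent = raw.strip()
            blocks.setdefault(parent, [])
    return blocks


def method_groups(methods: List[str]) -> List[str]:
    """Server-group names in a method list such as ['group', 'RAD-GRP', 'local']."""
    return [methods[i + 1] for i, tok in enumerate(methods[:-1]) if tok == "group"]


def audit(config: str) -> List[Finding]:
    """Resolve wlan -> method list -> server group -> radius server references."""
    blocks = parse_blocks(config)
    findings: List[Finding] = []
    servers = {t.split()[2]: v for t, v in blocks.items() if t.startswith("radius server ")}
    groups = {t.split()[4]: v for t, v in blocks.items() if t.startswith("aaa group server radius ")}
    auth_lists: Dict[str, List[str]] = {}
    acct_lists: Dict[str, List[str]] = {}
    for top in blocks:
        m = re.match(r"aaa authentication dot1x (\S+) (.+)", top)
        if m:
            auth_lists[m.group(1)] = m.group(2).split()
        m = re.match(r"aaa accounting dot1x (\S+) (?:start-stop|stop-only) (.+)", top)
        if m:
            acct_lists[m.group(1)] = m.group(2).split()
    if "aaa new-model" not in blocks:
        findings.append(("ERROR", "aaa new-model missing: named method lists are not used"))
    if "dot1x system-auth-control" not in blocks:
        findings.append(("ERROR", "dot1x system-auth-control missing: 802.1X not enabled globally"))
    for name, lines in servers.items():  # a server with no key cannot authenticate anyone
        if not any(l.startswith("key ") for l in lines):
            findings.append(("ERROR", f"radius server {name}: no shared key"))
    for grp, lines in groups.items():
        for srv in (l.split()[2] for l in lines if l.startswith("server name ")):
            if srv not in servers:
                findings.append(("ERROR", f"aaa group {grp}: server {srv} is not defined"))
    for kind, lists in (("authentication", auth_lists), ("accounting", acct_lists)):
        for name, methods in lists.items():
            for grp in method_groups(methods):
                if grp != "radius" and grp not in groups:  # 'radius' is the built-in group
                    findings.append(("ERROR", f"aaa {kind} {name}: group {grp} is not defined"))
            if kind == "authentication" and "local" in methods:
                findings.append(("INFO", f"aaa authentication {name}: falls back to local "
                                         "users when the RADIUS group is unreachable"))
    for top, lines in blocks.items():
        if not top.startswith("wlan "):
            continue
        wlan = top.split()[1]
        for l in lines:
            m = re.match(r"security dot1x authentication-list (\S+)", l)
            if m and m.group(1) not in auth_lists:
                findings.append(("ERROR", f"wlan {wlan}: authentication-list {m.group(1)} undefined"))
            m = re.match(r"accounting-list (\S+)", l)
            if m and m.group(1) not in acct_lists:
                findings.append(("ERROR", f"wlan {wlan}: accounting-list {m.group(1)} undefined"))
    return findings
```

Run `audit()` against the output of `show running-config` (or the `+` lines of `show archive config differences`) before saving; the sample above yields no errors and one INFO finding for the `local` fallback.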

Now we can try with the AnyConnect client. As you can see, the client connected successfully using PEAP authentication.

[Figure: 5760-RADIUS-10]

You can view the client details on the WLC as well. You can see that the 7925G phone also associated to this WLAN using EAP-FAST.

5760-1#show wireless client summary 
Number of Local Clients : 2
MAC Address    AP Name                          WLAN State              Protocol 
--------------------------------------------------------------------------------
2c54.2dea.f4ea L3502-2                          21   UP                 11a      
a088.b435.c2f0 L3502-2                          21   UP                 11n(5)   

5760-1#show wireless client mac-address 2c54.2dea.f4ea detail 
Client MAC Address : 2c54.2dea.f4ea
Client Username : user1
AP MAC Address : 2c3f.382b.5260
AP Name: L3502-2
AP slot : 1
Client State : Associated
Wireless LAN Id : 21
Wireless LAN Name: LTUWireless
BSSID : 2c3f.382b.526f
Connected For : 81 secs 
Protocol : 802.11a
Channel : 161
Client IIF-ID : 0x42e80000000016
ASIC : 1
IPv4 Address : 10.142.39.229
IPv6 Address : Unknown
Association Id : 2
Authentication Algorithm : Open System
Status Code : 0
Client CCX version : 4
Client E2E version : No E2E support
Re-authentication Timeout : 1720 (1801)
Input Policy Name  : unknown
Input Policy State : None
Output Policy Name  : unknown
Output Policy State : None
802.1P Priority Tag : 0
WMM Support : Disabled
Power Save : OFF
Current Rate : 54.0
Supported Rates : 6.0,9.0,12.0,18.0,24.0,36.0,48.0,54.0,6.0,9.0,12.0,18.0,24.0,36.0,48.0,54.0
Mobility State : Local
Mobility Move Count : 0
Security Policy Completed : Yes
Policy Manager State : RUN
Policy Manager Rule Created : Yes
NPU Fast Fast Notified : Yes
Last Policy Manager State : L2AUTHCOMPLETE
Client Entry Create Time : 441535 seconds
Policy Type : WPA2
Authentication Key Management : CCKM
Encryption Cipher : CCMP (AES)
Management Frame Protection : No
Protected Management Frame - 802.11w : No
EAP Type : EAP-FAST
Interface : WLN-STF-1
VLAN : 1420
Quarantine VLAN : 0
Access VLAN : 1420
WFD capable : No
Manged WFD capable : No
Cross Connection capable : No
Support Concurrent Operation : No
Client Capabilities
  CF Pollable : Not implemented
  CF Poll Request : Not implemented
  Short Preamble : Implemented
  PBCC : Not implemented
  Channel Agility : Not implemented
  Listen Interval : 3
  Fast BSS Transition : Not implemented
Fast BSS Transition Details :
Client Statistics:
  Number of Bytes Received : 15213
  Number of Bytes Sent : 16522
  Number of Packets Received : 139
  Number of Packets Sent : 111
  Number of EAP Id Request Msg Timeouts : 0
  Number of EAP Request Msg Timeouts : 0
  Number of EAP Key Msg Timeouts : 0
  Number of Data Retries : 1
  Number of RTS Retries : 0
  Number of Duplicate Received Packets : 3
  Number of Decrypt Failed Packets : 0
  Number of Mic Failured Packets : 0
  Number of Mic Missing Packets : 0
  Number of Policy Errors : 0
  Radio Signal Strength Indicator : -48 dBm
  Signal to Noise Ratio : 43 dB
Assisted-Roaming  Prediction List:
Nearby AP Statistics:
  L3502-2(slot1)
    antenna0: 49 seconds ago -43 dBm
    antenna1: 49 seconds ago -42 dBm
  L3502-2(slot0)
    antenna0: 111 seconds ago -44 dBm
    antenna1: 111 seconds ago -42 dBm

In the next post we will see how to configure AVC on this WLAN & get visibility into its traffic.

Related Posts

1. Getting Started with 3850
2. Getting Started with 5760
3. WLAN configs with 3850 – Part 1
4. WLAN configs with 3850 – Part 2
5. 3850(MA) with 5760(MC)
6. 5760 in CA & CUWN
7. 5760 AVC Configuration


Configuring AV(C) on a 5760


In a previous post we saw how to configure Flexible NetFlow on a 3850 stack acting as MC/MA. In this post we will see how to configure the same feature (also known as Application Visibility) on a 5760.

If you are already familiar with AVC on Aironet WLCs (5508, 2504, WiSM-2, etc.), you know it can also control traffic (re-marking, dropping) at the WLC in both the upstream & downstream directions. In the current IOS-XE 3.3.0 release this control part is not available & only Application Visibility can be implemented. (The control feature is expected in a future release.)

Here are the features supported in IOS-XE 3.3.0. Note that only Gen2 APs (1600, 2600, 3600, 3700) are supported.

• Application Visibility – No Control
• Supported on IOS XE 3.3 platforms: 5760/3850/3650
• Use NBAR2 Protocol pack 5.1
• Seamless roaming
• More than 1000 applications
• Gen2 APs (AP1600, 2600, 3600, and 3700)
• Wireless clients only
• Centralized and Converged Access
• Flexible Netflow v9 Export to PI (PAM) and external collectors (Plixer and ActionPacked)
• Multicast/IPv6 classification is not supported.

Let’s see how to configure this using the standard topology from the CA post, shown below.

[Figure: 5760-CUWN-1]

We will configure this using the GUI & then derive the equivalent CLI commands. Here are the default AVC settings under the WLAN -> AVC section.

[Figure: 5760-AVC-1]

You can enable the feature & select the default profiles configured on the 5760.

[Figure: 5760-AVC-2]

If you look at the CLI config differences, you will see the config lines added by the above modification.

5760-1#sh archive config differences nvram:startup-config system:running-config
+flow monitor wireless-avc-basic
 +record wireless avc basic
wlan LTUWireless 21 LTUWireless
 +ip flow monitor wireless-avc-basic input
 +ip flow monitor wireless-avc-basic output

Now if you go to Monitor -> Controller -> AVC -> WLAN (& select the WLAN configured for AVC) you should be able to see the traffic statistics. But why is it blank?

[Figure: 5760-AVC-3]

This is because I am using a 3502 AP model, which is not supported for AVC in this CA deployment. The “show avc x” commands return no output either.

5760-1#sh wireless client summary 
Number of Local Clients : 2
MAC Address    AP Name                          WLAN State              Protocol 
--------------------------------------------------------------------------------
2c54.2dea.f4ea L3502-2                          21   UP                 11a      
a088.b435.c2f0 L3502-2                          21   UP                 11n(5) 

5760-1#show avc ?
  client  avc client
  wlan    wlan

5760-1#show avc wlan ?
  WORD  Enter wlan name

5760-1#show avc wlan LTUWireless ?
  top  top 

5760-1#show avc wlan LTUWireless top ?
  <1-30>  Enter a number

5760-1#show avc wlan LTUWireless top 5 ?
  application  Display top applications

5760-1#show avc wlan LTUWireless top 5 application ?
  aggregate   Display aggregate stats for top n applications
  downstream  Display downstream stats for top n applications
  upstream    Display upstream stats for top n applications

5760-1#show avc wlan LTUWireless top 5 application aggregate  
**** NO OUTPUT ******
5760-1#show avc client 2c54.2dea.f4ea top 5 application aggregate 
***** NO OUTPUT ******

Let’s get the L3602-1 AP registered to this 5760 & assign it to the LTU-CUWN AP group created in a previous post. Then disable the L3502-2 AP so that the clients move to the 3602. As you can see, the clients moved to the L3602-1 AP.

5760-1#show ap summary 
Number of APs: 2
Global AP User Name: Not configured
Global AP Dot1x User Name: Not configured
AP Name                           AP Model  Ethernet MAC    Radio MAC       State         
----------------------------------------------------------------------------------------
L3502-2                           3502I     ccef.4872.0fc3  2c3f.382b.5260  Registered    
L3602-1                           3602I     4c00.82df.a4c1  f84f.57e3.1460  Registered    

5760-1#ap name L3602-1 ap-groupname LTU-CUWN 
Changing the AP's group name will cause the AP to reboot.
Are you sure you want to continue? (y/n)[y]: y

5760-1#ap name L3502-2 shutdown

5760-1#show wireless client summary 
Number of Local Clients : 2
MAC Address    AP Name                          WLAN State              Protocol 
--------------------------------------------------------------------------------
2c54.2dea.f4ea L3602-1                          21   UP                 11a      
a088.b435.c2f0 L3602-1                          21   UP                 11n(5)

Now you can see the AVC statistics for the WLAN (Monitor -> Controller -> AVC -> WLAN) or for a specific client (Monitor -> Client -> MAC address -> AVC statistics), as shown in the two snapshots below. You can view them as “Aggregate”, “Upstream” or “Downstream”.

WLAN AVC statistics

[Figure: 5760-AVC-4]

Client (laptop) AVC statistics

[Figure: 5760-AVC-5]

This is real-time data. What if you want to monitor it over a period of time, & sometimes combine the AVC stats of multiple controllers? That is where Prime Infrastructure comes into play. You need Prime Assurance to get these NetFlow stats into Prime. In my case I do not have Prime Assurance, but I do have a third-party NetFlow collector.

Let’s configure a flow exporter & use it within the default flow monitor (wireless-avc-basic). If you need to, you can create your own flow record, flow exporter & flow monitor as well (refer to the 3850 Flexible NetFlow post for more detail).

5760-1(config-flow-record)#flow exporter FLK-1
5760-1(config-flow-exporter)# destination x.x.8.216
5760-1(config-flow-exporter)# source Vlan1600
5760-1(config-flow-exporter)# transport udp 9995
5760-1(config)#flow monitor wireless-avc-basic
5760-1(config-flow-monitor)#exporter ?
  FLK-1  User defined
5760-1(config-flow-monitor)#exporter FLK-1

Now if you look at your NetFlow collector you should be able to see the traffic. Here are some screenshots of my NetFlow collector statistics for this traffic.

[Figure: 5760-AVC-6]
[Figure: 5760-AVC-7]
[Figure: 5760-AVC-8]

You can monitor real-time stats via the 5760 CLI as well.

5760-1#show avc wlan LTUWireless top 10 application upstream 
Cumulative Stats:
No.  AppName                           Packet-Count          Byte-Count            AvgPkt-Size  usage%  
------------------------------------------------------------------------------------------------------
1    cisco-phone                       41554                 8310800               200          86      
2    unknown                           6191                  597761                96           6       
3    netbios-ns                        1883                  147738                78           2       
4    dns                               1321                  84277                 63           1       
5    http                              1313                  105422                80           1       
6    ssl                               1135                  209462                184          2       
7    exchange                          615                   150475                244          2       
8    skinny                            508                   31837                 62           0       
9    rtcp                              170                   19480                 114          0       
10   icmp                              108                   24752                 229          0       

Last Interval(90 seconds) Stats:
No.  AppName                           Packet-Count          Byte-Count            AvgPkt-Size  usage%  
------------------------------------------------------------------------------------------------------
1    cisco-phone                       4179                  835800                200          99      
2    unknown                           88                    9164                  104          1       
3    rtcp                              17                    1972                  116          0       
4    skinny                            5                     296                   59           0       

5760-1#show avc wlan LTUWireless top 10 application downstream 
Cumulative Stats:
No.  AppName                           Packet-Count          Byte-Count            AvgPkt-Size  usage%  
------------------------------------------------------------------------------------------------------
1    cisco-phone                       46427                 9285400               200          68      
2    http                              2392                  3242288               1355         23      
3    ssl                               1327                  1077406               811          8       
4    unknown                           602                   205696                341          1       
5    exchange                          584                   50010                 85           0       
6    skinny                            342                   29308                 85           0       
7    dns                               195                   37018                 189          0       
8    ping                              63                    3746                  59           0       
9    twitter                           41                    9206                  224          0       
10   ms-sms                            40                    27476                 686          0       

Last Interval(90 seconds) Stats:
No.  AppName                           Packet-Count          Byte-Count            AvgPkt-Size  usage%  
------------------------------------------------------------------------------------------------------
1    cisco-phone                       4178                  835600                200          100     
2    skinny                            3                     180                   60           0       

5760-1#show avc client 2c54.2dea.f4ea top 10 application aggregate 
Cumulative Stats:
No.  AppName                           Packet-Count          Byte-Count            AvgPkt-Size  usage%  
------------------------------------------------------------------------------------------------------
1    cisco-phone                       47544                 9508800               200          100     
2    skinny                            157                   13104                 83           0       
3    icmp                              107                   24396                 228          0       
4    rtcp                              85                    9860                  116          0       
5    unknown                           19                    1052                  55           0       
6    dhcp                              9                     3448                  383          0       
7    ping                              1                     48                    48           0       

Last Interval(90 seconds) Stats:
No.  AppName                           Packet-Count          Byte-Count            AvgPkt-Size  usage%  
------------------------------------------------------------------------------------------------------
1    cisco-phone                       9000                  1800000               200          100     
2    rtcp                              17                    1972                  116          0       
3    skinny                            13                    772                   59           0
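
The `show avc ... top N application` tables above are the raw material for monitoring, and they are easier to act on once parsed. The Python below is an added example, not code from the original post: it parses the upstream output (constructed from the table shown above) into rows, recomputes AvgPkt-Size and usage% to confirm how the controller derives them (bytes divided by packets, and the rounded byte share among the listed rows), and flags when the NBAR2 `unknown` bucket exceeds a threshold, since traffic the classifier cannot name is what a visibility deployment should look at first.

```python
"""Parse and sanity-check 'show avc wlan <name> top N application <dir>' output."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the upstream output shown above (two tables, trailing spaces trimmed).
SAMPLE_OUTPUT = """\
5760-1#show avc wlan LTUWireless top 10 application upstream
Cumulative Stats:
No.  AppName                           Packet-Count          Byte-Count            AvgPkt-Size  usage%
------------------------------------------------------------------------------------------------------
1    cisco-phone                       41554                 8310800               200          86
2    unknown                           6191                  597761                96           6
3    netbios-ns                        1883                  147738                78           2
4    dns                               1321                  84277                 63           1
5    http                              1313                  105422                80           1
6    ssl                               1135                  209462                184          2
7    exchange                          615                   150475                244          2
8    skinny                            508                   31837                 62           0
9    rtcp                              170                   19480                 114          0
10   icmp                              108                   24752                 229          0

Last Interval(90 seconds) Stats:
No.  AppName                           Packet-Count          Byte-Count            AvgPkt-Size  usage%
------------------------------------------------------------------------------------------------------
1    cisco-phone                       4179                  835800                200          99
2    unknown                           88                    9164                  104          1
3    rtcp                              17                    1972                  116          0
4    skinny                            5                     296                   59           0
"""


@dataclass
class AppRow:
    rank: int
    app: str
    pkt_count: int
    byte_count: int
    avg_pkt: int
    usage_pct: int


# rank, application name, packets, bytes, average packet size, usage percent
ROW_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_avc_top(text: str) -> Dict[str, List[AppRow]]:
    """Return {'Cumulative': [...], 'Last Interval(90 seconds)': [...]} from the CLI text."""
    sections: Dict[str, List[AppRow]] = {}
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.endswith(" Stats:"):       # table header, e.g. "Cumulative Stats:"
            current = stripped[: -len(" Stats:")]
            sections[current] = []
            continue
        m = ROW_RE.match(line)                 # prompt, header and ruler lines do not match
        if m and current is not None:
            rank, app, *nums = m.groups()
            sections[current].append(AppRow(int(rank), app, *map(int, nums)))
    return sections


def total_bytes(rows: List[AppRow]) -> int:
    return sum(r.byte_count for r in rows)


def app_share(rows: List[AppRow], app: str) -> float:
    """Byte share (percent) of one application among the listed top-N rows."""
    total = total_bytes(rows)
    return 100.0 * sum(r.byte_count for r in rows if r.app == app) / total if total else 0.0


def check_consistency(rows: List[AppRow]) -> List[str]:
    """Recompute AvgPkt-Size (bytes // packets) and usage% (rounded byte share among the
    listed rows) and describe every row where the printed value differs."""
    problems = []
    total = total_bytes(rows)
    for r in rows:
        if r.pkt_count and r.byte_count // r.pkt_count != r.avg_pkt:
            problems.append(f"{r.app}: avg {r.avg_pkt} != {r.byte_count // r.pkt_count}")
        if total and round(100 * r.byte_count / total) != r.usage_pct:
            problems.append(f"{r.app}: usage {r.usage_pct}% != {round(100 * r.byte_count / total)}%")
    return problems


def unclassified_alert(rows: List[AppRow], threshold_pct: float = 5.0) -> bool:
    """True when more than threshold_pct of the bytes sit in NBAR2's 'unknown' bucket."""
    return app_share(rows, "unknown") > threshold_pct
```

Because the command only lists the top N applications, the share and usage% recomputed here are relative to the listed rows; widen N if the bottom of the table still carries significant traffic.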

Here is the AVC deployment guide for IOS-XE 3.3 for your reference.

Related Posts

1. Getting Started with 3850
2. Getting Started with 5760
3. 3850(MA) with 5760(MC)
4. 5760 with 802.1x WLAN
5. 5760 in CA & CUWN solution
6. 3850- Flexible Netflow


3850 QoS – Part 1 (QoS Touch Points)


This is the first post about Converged Access (applicable to 3850/3650/5760) QoS in detail. The primary difference is that these new platforms use MQC (Modular QoS CLI) for provisioning, as opposed to MLS (Multi Layer Switching) QoS in legacy switch platforms (3750X, 3560, 2960, etc.). So QoS on the new CA platforms is aligned with the 4500/6500 QoS configuration mechanism.

In addition to this difference, the 3850 has 8 queues for wired & 4 queues for wireless traffic (legacy systems had 4 queues & no way to inspect wireless traffic, as CAPWAP tunnels did not terminate on the access switch).

Due to inherent differences between wireless and wired technology, different touch points have been defined within the QoS architecture.

1. Wired to Wireless
2. Wireless to Wired

Below diagram shows the Wired to Wireless QoS touch points.

(Image: 3850-QoS-P1-01)

As traffic travels out of the wireless port (any port directly attached to an AP), there are several QoS touch points to consider.
1. Client Level – Classified on egress using class maps, providing two strict priority queues for voice & video.
2. SSID Level – Classified on egress using class maps. In addition to classifying & marking, there is a shape command to limit the rate of traffic at the SSID per radio (BSSID). A bandwidth for the SSID can also be configured to provide a ratio limit between the SSIDs sharing the same radio.

3. Radio Level – Traffic is subject to 4 egress queues, two of which are strict priority (for Voice & Video). The non-real-time queue is effectively the default class, and the multicast non-real-time queue is used for all non-real-time multicast traffic. This is non-configurable and is generated based on the radio level shaper negotiation. The queuing scheduler is Class Based Weighted Fair Queue (CBWFQ) and bandwidth management is based on the Approximate Fair Drop (AFD) algorithm, which provides fairness between users.

Below diagram illustrates the Wireless to Wired QoS touch points.

(Image: 3850-QoS-P1-02)

Marking or policing policies can be applied to individual clients or at the SSID as an aggregate. If you do the classification or marking at the SSID level, it takes precedence over client level classification & marking.

As traffic leaves the wired port, classification is again done by class maps, and policing policies can be configured on the physical port or on an SVI. The queuing mechanism is CBWFQ with dual Low Latency Queues (LLQ), and the dropping algorithm is Weighted Tail Drop (WTD).

Now let's see how the default QoS configuration on these platforms works. In MQC based products QoS is enabled by default, and any QoS markings sent through the platform are left untouched. The one exception is traffic passing from a wireless to a wired port or vice versa: in that case the QoS values are re-marked to default (0).

(Image: 3850-QoS-P1-03)

This is not the case for wired-to-wired traffic. The restriction can be lifted by disabling the default untrust command in 3850 global config as shown below.

3850-2#sh run | in qos  
qos wireless-default-untrust
3850-2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
3850-2(config)#no qos wireless-default-untrust

Also as described above, the radio level policy is non-configurable and hence is present in the default config. You can verify it using the "show policy-map interface wireless x" command. You need a registered AP to check these.

3850-2#show ap summary 
Number of APs: 1
Global AP User Name: Not configured
Global AP Dot1x User Name: Not configured
AP Name                           AP Model  Ethernet MAC    Radio MAC       State         
----------------------------------------------------------------------------------------
AP3702I-1                         3702I     7cad.74ff.2bc6  08cc.68b4.0370  Registered 

3850-2#show policy-map interface wireless ?
  ap      Wireless AP
  client  Wireless Client
  radio   Wireless Radio
  ssid    Wireless SSID

3850-2#show policy-map interface wireless ap ?
  iifid  Wireless target iifid
  name   Wireless target identifier name
  |      Output modifiers
  <cr>

3850-2#show policy-map interface wireless ap 
AP AP3702I-1 iifid: 0x010605C000000008
  Service-policy output: defportac
    Class-map: class-default (match-any)
      Match: any 
        0 packets, 0 bytes
        30 second rate 0 bps
      Queueing  
      (total drops) 0
      (bytes output) 18512197
      shape (average) cir 1000000000, bc 4000000, be 4000000
      target shape rate 1000000000

      Service-policy : port_child_policy
        Class-map: non-client-nrt-class (match-any)
          Match: non-client-nrt 
            0 packets, 0 bytes
            30 second rate 0 bps
          Queueing  
          (total drops) 0
          (bytes output) 18512197
          bandwidth remaining ratio 10 

        Class-map: class-default (match-any)
          Match: any 
            0 packets, 0 bytes
            30 second rate 0 bps         
          (total drops) 0
          (bytes output) 0

3850-2#show policy-map interface wireless radio 
Radio dot11b iifid: 0x010605C000000008.0x00CC838000000004
  Service-policy output: def-11gn
    Class-map: class-default (match-any)
      Match: any 
        0 packets, 0 bytes
        30 second rate 0 bps
      shape (average) cir 200000000, bc 800000, be 800000
      target shape rate 200000000

Radio dot11a iifid: 0x010605C000000008.0x00CCB74000000005
  Service-policy output: def-11ac
    Class-map: class-default (match-any)
      Match: any 
        0 packets, 0 bytes
        30 second rate 0 bps
      shape (average) cir 1000000000, bc 4000000, be 4000000
      target shape rate 1000000000

As you can see, client- and SSID-level QoS is user defined, so nothing is there by default.

3850-2#show policy-map interface wireless ssid ?
  iifid  Wireless target iifid
  name   Wireless SSID name
  |      Output modifiers
  <cr>

3850-2#show policy-map interface wireless ssid 
***** NO OUTPUT ******

3850-2#show policy-map interface wireless client ?
  iifid  Wireless target iifid
  mac    Wireless target identifier name
  |      Output modifiers
  <cr>

3850-2#show policy-map interface wireless client 
**** NO OUTPUT *****

Below diagram illustrates the port specific QoS roles of a converged access campus access switch like the 3850/3650.

(Image: 3850-QoS-P1-04)

In the next post we will see how to configure QoS depending on the role the switchport plays, as shown above.

References
1. End to End QoS Design- Quality of Service for Rich-Media & Cloud Networks (2nd Edition)
2. BRKCRS-2890 Converged Access QoS
3. BRKCRS-2501: Campus QoS Design—Simplified

Related Posts

1. 3850 QoS – Part 2
2. 3850 QoS – Part 3
3. 3850 QoS – Part 4
4. 3850 QoS – Part 5


3850 QoS – Part 2 (Queuing Models)


In this post we will look at the queuing models available on the 3850 switch platform. Due to the nature of Converged Access, there are separate queuing models for wired and wireless ports (any port directly attached to an AP).

A wireless port provides 4 independent queues, whereas a wired port provides up to 8 queues. The 8 queue model closely aligns with the 4500/6500 queuing architecture and is therefore much easier to align with existing QoS policies.

The basic architecture of this platform provides 24x1G access ports and 2x10G uplinks per ASIC (Application Specific Integrated Circuit), with a 120G stack connection (a 48 port switch has 2 ASICs). It also provides two separate internal queues over the stack ring, one for priority traffic and one for non-priority traffic. Ingress queuing is not configurable. Below diagram shows the basic stack architecture of this platform.

(Image: 3850-QoS-P2-01)

Egress queuing is discussed separately for wired and wireless ports, as the queuing model differs in each case.

1. Wired Queuing
Egress wired queuing on the 3850 can be configured as 8Q3T, 1P7Q3T or 2P6Q3T. Since the first one has no priority queue it is not recommended. If your core/distribution uses 4500/6500 platforms, they share the 1P7Q3T model, so with a 3850 you can easily align policies with your core/distribution.

  • 1P7Q3T : Below diagram illustrates the 1P7Q3T egress queue mappings for a 3850 using the 8-class model. The recommended buffer allocations for wired interface queues 7 through 1 are 10%, 10%, 10%, 10%, 10%, 10%, 25%. You can configure this with the "queue-buffers ratio" command.

(Image: 3850-QoS-P2-02)

Below is the corresponding configuration for 8-class 1P7Q3T egress queuing on a 3850.

C3850(config-pmap-c)# policy-map 1P7Q3T
C3850(config-pmap)# class VOICE
C3850(config-pmap-c)# priority level 1
C3850(config-pmap-c)# police rate percent 10
!
C3850(config-pmap-c-police)# class NW-CONTROL
C3850(config-pmap-c)# bandwidth remaining percent 5
C3850(config-pmap-c)# queue-buffers ratio 10
!
C3850(config-pmap-c)# class INT-VIDEO
C3850(config-pmap-c)# bandwidth remaining percent 23
C3850(config-pmap-c)# queue-buffers ratio 10
C3850(config-pmap-c)# queue-limit dscp af43 percent 80
C3850(config-pmap-c)# queue-limit dscp af42 percent 90
C3850(config-pmap-c)# queue-limit dscp af41 percent 100
!
C3850(config-pmap)# class SIGNALING
C3850(config-pmap-c)# bandwidth remaining percent 2
!
C3850(config-pmap-c)# class STREAMING-VIDEO
C3850(config-pmap-c)# bandwidth remaining percent 10
C3850(config-pmap-c)# queue-buffers ratio 10
C3850(config-pmap-c)# queue-limit dscp af33 percent 80
C3850(config-pmap-c)# queue-limit dscp af32 percent 90
C3850(config-pmap-c)# queue-limit dscp af31 percent 100
!
C3850(config-pmap-c)# class CRITICAL-DATA
C3850(config-pmap-c)# bandwidth remaining percent 24
C3850(config-pmap-c)# queue-buffers ratio 10
C3850(config-pmap-c)# queue-limit dscp af23 percent 80
C3850(config-pmap-c)# queue-limit dscp af22 percent 90
C3850(config-pmap-c)# queue-limit dscp af21 percent 100
!
C3850(config-pmap-c)# class SCAVENGER
C3850(config-pmap-c)# bandwidth remaining percent 1
C3850(config-pmap-c)# queue-buffers ratio 10
!
C3850(config-pmap-c)# class class-default
C3850(config-pmap-c)# bandwidth remaining percent 25
C3850(config-pmap-c)# queue-buffers ratio 25
!
C3850(config)# interface gigabitethernet 1/0/x
C3850(config-if)# service-policy out 1P7Q3T

  • 2P6Q3T : This model differs only slightly from the previous one: it has been extended to cover the 12-class model and adds a second priority queue to separate voice and video. Below diagram shows the 2P6Q3T egress queue mapping for the Catalyst 3850.

(Image: 3850-QoS-P2-03)

Below is the corresponding configuration for 12-class 2P6Q3T egress queuing on a 3850.

C3850(config-pmap-c)# policy-map 2P6Q3T
C3850(config-pmap)# class VOICE
C3850(config-pmap-c)# priority level 1
C3850(config-pmap-c)# police rate percent 10
!
C3850(config-pmap-c)# class RT-VIDEO
C3850(config-pmap-c)# priority level 2
C3850(config-pmap-c)# police rate percent 20
!
C3850(config-pmap-c-police)# class MGT-CONTROL
C3850(config-pmap-c)# bandwidth remaining percent 10
C3850(config-pmap-c)# queue-buffers ratio 10
!
C3850(config-pmap-c)# class MULTIMEDIA-CONFERENCE
C3850(config-pmap-c)# bandwidth remaining percent 10
C3850(config-pmap-c)# queue-buffers ratio 10
C3850(config-pmap-c)# queue-limit dscp af43 percent 80
C3850(config-pmap-c)# queue-limit dscp af42 percent 90
C3850(config-pmap-c)# queue-limit dscp af41 percent 100
!
C3850(config-pmap-c)# class MULTIMEDIA-STREAMING
C3850(config-pmap-c)# bandwidth remaining percent 10
C3850(config-pmap-c)# queue-buffers ratio 10
C3850(config-pmap-c)# queue-limit dscp af33 percent 80
C3850(config-pmap-c)# queue-limit dscp af32 percent 90
C3850(config-pmap-c)# queue-limit dscp af31 percent 100
!
C3850(config-pmap-c)# class TRANSACTIONAL-DATA
C3850(config-pmap-c)# bandwidth remaining percent 10
C3850(config-pmap-c)# queue-buffers ratio 10
C3850(config-pmap-c)# queue-limit dscp af23 percent 80
C3850(config-pmap-c)# queue-limit dscp af22 percent 90
C3850(config-pmap-c)# queue-limit dscp af21 percent 100
!
C3850(config-pmap-c)# class BULK-SCAVENGER
C3850(config-pmap-c)# bandwidth remaining percent 5
C3850(config-pmap-c)# queue-buffers ratio 10
C3850(config-pmap-c)# queue-limit dscp af13 percent 80
C3850(config-pmap-c)# queue-limit dscp af12 percent 90
C3850(config-pmap-c)# queue-limit dscp af11 percent 100
!
C3850(config-pmap-c)# class class-default
C3850(config-pmap-c)# bandwidth remaining percent 25
C3850(config-pmap-c)# queue-buffers ratio 25
!
C3850(config)# interface gigabitethernet 1/0/x
C3850(config-if)# service-policy out 2P6Q3T
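
Policy-maps like the two above are usually typed or pasted by hand, and the mistakes that matter (a strict-priority class left without a policer, which lets that queue starve all the others; WTD thresholds in the wrong order; allocations that add up to more than 100%) are silent on the CLI. The script below is an added example, my own code rather than anything from the post or from Cisco: it parses a config-mode transcript in the form shown above and reports those problems. The SAMPLE transcript is a constructed, abbreviated copy of the 2P6Q3T policy; the class names are the post's, the hostname in the prompt is arbitrary.

```python
"""Sanity checks on a Catalyst 3850 MQC egress queuing policy-map.

Added example (not Cisco's or the post's code): parses a config-mode
transcript like the ones pasted above and flags hand-editing mistakes.
SAMPLE is a constructed, abbreviated copy of the 2P6Q3T policy above.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# strips a "C3850(config-pmap-c)# " style prompt; the hostname is arbitrary
PROMPT = re.compile(r"^\S+\(config[^)]*\)#\s*")

SAMPLE = """\
C3850(config)# policy-map 2P6Q3T
C3850(config-pmap)# class VOICE
C3850(config-pmap-c)# priority level 1
C3850(config-pmap-c)# police rate percent 10
C3850(config-pmap-c-police)# class RT-VIDEO
C3850(config-pmap-c)# priority level 2
C3850(config-pmap-c)# police rate percent 20
C3850(config-pmap-c)# class MULTIMEDIA-CONFERENCE
C3850(config-pmap-c)# bandwidth remaining percent 10
C3850(config-pmap-c)# queue-buffers ratio 10
C3850(config-pmap-c)# queue-limit dscp af43 percent 80
C3850(config-pmap-c)# queue-limit dscp af42 percent 90
C3850(config-pmap-c)# queue-limit dscp af41 percent 100
C3850(config-pmap-c)# class class-default
C3850(config-pmap-c)# bandwidth remaining percent 25
C3850(config-pmap-c)# queue-buffers ratio 25
C3850(config)# interface gigabitethernet 1/0/x
C3850(config-if)# service-policy out 2P6Q3T
"""


@dataclass
class ClassCfg:
    name: str
    priority_level: Optional[int] = None
    police_percent: Optional[int] = None
    bw_remaining: Optional[int] = None
    queue_buffers: Optional[int] = None
    queue_limits: Dict[str, int] = field(default_factory=dict)  # dscp -> %


def parse_policy_map(transcript: str) -> Tuple[str, List[ClassCfg]]:
    """Return (policy-map name, classes in CLI order) from a transcript."""
    name, classes, cur = "", [], None
    for raw in transcript.splitlines():
        tok = PROMPT.sub("", raw.strip()).split()
        if not tok or tok[0] == "!":
            continue
        if tok[0] == "policy-map":
            name = tok[1]
        elif tok[0] == "class":
            cur = ClassCfg(tok[1])
            classes.append(cur)
        elif cur is None:          # nothing to attach the statement to
            continue
        elif tok[:2] == ["priority", "level"]:
            cur.priority_level = int(tok[2])
        elif tok[:3] == ["police", "rate", "percent"]:
            cur.police_percent = int(tok[3])
        elif tok[:3] == ["bandwidth", "remaining", "percent"]:
            cur.bw_remaining = int(tok[3])
        elif tok[:2] == ["queue-buffers", "ratio"]:
            cur.queue_buffers = int(tok[2])
        elif tok[:2] == ["queue-limit", "dscp"] and tok[3:4] == ["percent"]:
            cur.queue_limits[tok[2]] = int(tok[4])
    return name, classes


def totals(classes: List[ClassCfg]) -> Tuple[int, int]:
    """(sum of bandwidth remaining percent, sum of queue-buffers ratio)."""
    return (sum(c.bw_remaining or 0 for c in classes),
            sum(c.queue_buffers or 0 for c in classes))


def check_policy_map(classes: List[ClassCfg]) -> List[str]:
    """Findings in plain text; an empty list means nothing looked wrong."""
    findings = []
    for c in classes:
        if c.priority_level is not None:
            if c.police_percent is None:   # unpoliced LLQ can starve the rest
                findings.append(f"{c.name}: priority level {c.priority_level} has no policer")
            if c.bw_remaining is not None:
                findings.append(f"{c.name}: priority class also has a bandwidth share")
        # WTD: afX3 must be dropped first, so its threshold may not exceed afX2's, etc.
        for af in ("af1", "af2", "af3", "af4"):
            t = [c.queue_limits.get(f"{af}{dp}") for dp in (3, 2, 1)]
            if None not in t and t != sorted(t):
                findings.append(f"{c.name}: WTD thresholds for {af}x are not ordered")
    levels = [c.priority_level for c in classes if c.priority_level is not None]
    if len(levels) != len(set(levels)):
        findings.append("duplicate priority levels")
    bw, buf = totals(classes)
    if bw > 100:
        findings.append(f"bandwidth remaining percent totals {bw}")
    if buf > 100:
        findings.append(f"queue-buffers ratios total {buf}")
    return findings
```

Run `check_policy_map(parse_policy_map(SAMPLE)[1])` on the sample and it returns an empty list; delete the `police rate percent 10` line under VOICE, or swap the af43/af41 thresholds, and the corresponding finding appears. The checker only knows the statements used in the two policies above, so anything else (for example `shape` or `set`) is ignored rather than rejected.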

2. Wireless Queuing

  • 2P2Q : The wireless queuing model is a 4 queue structure, of which two are strict priority queues used for Voice & Video. The other queues are "class-default" or NRT (Non-Real-Time) and the Multicast queue (non-client-nrt-class). If your multicast traffic is marked CS5 it will go to the priority queue, so only multicast traffic marked as non-real-time goes into this queue.

When scheduling, strict priority queues are fully serviced ahead of all other queues. When more than one priority queue is configured, the scheduler moves on to the 2nd priority queue only once the first priority queue has been fully serviced. A strict priority queue is enabled with the "priority level x" command in policy-map class configuration.

For the other two queues (class-default & non-client-nrt-class) scheduling is based on CBWFQ (Class Based Weighted Fair Queue). Below diagram illustrates this.

(Image: 3850-QoS-P2-04)

Approximate Fair Drop (AFD) is the bandwidth control algorithm used to control bandwidth allocation among classes that share the class-default queue of a wireless interface. AFD provides fairness between clients by calculating virtual queue lengths at the radio, SSID & client levels. These virtual queue lengths trigger probabilistic drops at the client level for clients that are consuming more than their fair share of bandwidth. Below diagram illustrates the AFD concept.

(Image: 3850-QoS-P2-05)

Below diagram shows the 2P2Q wireless egress queuing model.

(Image: 3850-QoS-P2-06)

You can verify the policy-map configurations available on your 3850 switch using the "show policy-map" command. As you can see the "port_child_policy" policy-map is there, with a bandwidth remaining ratio of 10 for the "non-client-nrt-class" class.

3850-2#show policy-map
  Policy Map port_child_policy
    Class non-client-nrt-class
      bandwidth remaining ratio 10

Let's define two class maps named "VOICE" & "VIDEO" which match DSCP "ef" & "af41" respectively. Then we will allocate 10% & 20% for that traffic and send it via the priority queues as shown in the 2P2Q model above. Also allocate 60% of the bandwidth to the "class-default" class.

3850-2(config)#class-map VOICE
3850-2(config-cmap)#match dscp ef
!
3850-2(config-pmap)#class-map VIDEO
3850-2(config-cmap)#match dscp af41
!
3850-2(config-cmap)#policy-map port_child_policy 
3850-2(config-pmap)#class VOICE                  
3850-2(config-pmap-c)#?
Policy-map class configuration commands:
  admit            Admit the request for 
  bandwidth        Bandwidth
  exit             Exit from QoS class action configuration mode
  netflow-sampler  NetFlow action
  no               Negate or set default values of a command
  police           Police
  priority         Strict Scheduling Priority for this Class
  queue-buffers    queue buffer
  queue-limit      Queue Max Threshold for Tail Drop
  service-policy   Configure QoS Service Policy
  set              Set QoS values
  shape            Traffic Shaping
  <cr>

3850-2(config-pmap-c)#priority ? 
  <8-10000000>  Kilo Bits per second
  level         Multi-Level Priority Queue
  percent       % of total bandwidth
  <cr>

3850-2(config-pmap-c)#priority level 1

3850-2(config-pmap-c)#police ?
  <8000-10000000000>  Target Bit Rate (bits per second) (postfix k, m, g optional; decimal point allo
  cir                 Committed information rate
  rate                Specify police rate, PCR for hierarchical policies or SCR for single-level ATM 4.0 policer policies

3850-2(config-pmap-c)#police rate percent 10 conform-action transmit exceed-action drop 

3850-2(config-pmap)#class VIDEO                     
3850-2(config-pmap-c)#priority level 2
3850-2(config-pmap-c)#police rate percent 20 conform-action transmit exceed-action drop 

3850-2(config-pmap)#class class-default
3850-2(config-pmap-c)#bandwidth remaining ratio ?
  <1-100>  Ratio
3850-2(config-pmap-c)#bandwidth remaining ratio 60

This policy map is applied automatically by the WCM (Wireless Control Module) to all wireless ports (a port where an AP is directly attached). You can verify the policy configuration using the "show policy-map" command.

3850-2#sh policy-map  port_child_policy
  Policy Map port_child_policy
    Class non-client-nrt-class
      bandwidth remaining ratio 10
    Class VOICE
      priority level 1
     police rate percent 10
       conform-action transmit 
       exceed-action drop 
    Class VIDEO
      priority level 2
     police rate percent 20
       conform-action transmit 
       exceed-action drop 
    Class class-default
      bandwidth remaining ratio 60

You can verify that this policy is applied to wireless ports automatically. In my case I have two APs connected to G1/0/1 & G1/0/2 (so those are wireless ports). You can see the Radio & AP level QoS as shown below (since they are applied automatically).

3850-2#sh ap summary 
Number of APs: 2
Global AP User Name: Not configured
Global AP Dot1x User Name: Not configured
AP Name                           AP Model  Ethernet MAC    Radio MAC       State         
----------------------------------------------------------------------------------------
L3702-1                           3702I     7cad.74ff.2bc6  08cc.68b4.0370  Registered    
L3602-1                           3602I     4c00.82df.a4c1  f84f.57e3.1460  Registered    

3850-2#sh cdp nei
Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
L3602-1          Gig 1/0/2         125              R T   AIR-CAP36 Gig 0.1
L3702-1          Gig 1/0/1         142              R T   AIR-CAP37 Gig 0.1

3850-2#show policy-map interface wireless ap name L3602-1
AP L3602-1 iifid: 0x0105EE400000000A
  Service-policy output: defportangn
    Class-map: class-default (match-any)
      Match: any 
        0 packets, 0 bytes
        30 second rate 0 bps
      Queueing
      (total drops) 0
      (bytes output) 4165972
      shape (average) cir 600000000, bc 2400000, be 2400000
      target shape rate 600000000

      Service-policy : port_child_policy
        queue stats for all priority classes:
          Queueing
          priority level 1
          (total drops) 0
          (bytes output) 1376223

        queue stats for all priority classes:
          Queueing
          priority level 2
          (total drops) 0
          (bytes output) 4078

        Class-map: non-client-nrt-class (match-any)
          Match: non-client-nrt 
            0 packets, 0 bytes
            30 second rate 0 bps
          Queueing
          (total drops) 0
          (bytes output) 2845227
          bandwidth remaining ratio 10 

        Class-map: VOICE (match-any)
          Match:  dscp ef (46)
            0 packets, 0 bytes
            30 second rate 0 bps
          Priority: Strict, 
          Priority Level: 1 
          police:
             rate 10 %
             rate 60000000 bps, burst 1875000 bytes
              conformed 188116 bytes; actions:
                transmit 
              exceeded 0 bytes; actions:
                drop 
              conformed 0 bps, exceeded 0 bps

        Class-map: VIDEO (match-any)
          Match:  dscp af41 (34)
            0 packets, 0 bytes
            30 second rate 0 bps
          Priority: Strict, 
          Priority Level: 2 
          police:
             rate 20 %
             rate 120000000 bps, burst 3750000 bytes
              conformed 0 bytes; actions:
                transmit 
              exceeded 0 bytes; actions:
                drop 
              conformed 0 bps, exceeded 0 bps

        Class-map: class-default (match-any)
          Match: any 
            0 packets, 0 bytes
            30 second rate 0 bps
          Queueing
          (total drops) 0
          (bytes output) 128304
          bandwidth remaining ratio 60 

3850-2#show policy-map interface wireless radio 
Radio dot11b iifid: 0x0105EE400000000A.0x00D003000000000B
  Service-policy output: def-11gn
    Class-map: class-default (match-any)
      Match: any 
        0 packets, 0 bytes
        30 second rate 0 bps
      shape (average) cir 200000000, bc 800000, be 800000
      target shape rate 200000000

Radio dot11a iifid: 0x0105EE400000000A.0x00CD6AC00000000C
  Service-policy output: def-11an
    Class-map: class-default (match-any)
      Match: any 
        0 packets, 0 bytes
        30 second rate 0 bps
      shape (average) cir 400000000, bc 1600000, be 1600000
      target shape rate 400000000

Radio dot11b iifid: 0x010605C000000008.0x00CC838000000004
  Service-policy output: def-11gn
    Class-map: class-default (match-any)
      Match: any 
        0 packets, 0 bytes
        30 second rate 0 bps
      shape (average) cir 200000000, bc 800000, be 800000
      target shape rate 200000000

Radio dot11a iifid: 0x010605C000000008.0x00CCB74000000005
  Service-policy output: def-11ac
    Class-map: class-default (match-any)
      Match: any 
        0 packets, 0 bytes
        30 second rate 0 bps
      shape (average) cir 1000000000, bc 4000000, be 4000000
      target shape rate 1000000000

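The AP-level output above (and the default one in the QoS Touch Points post) is what you would check after pushing a port_child_policy change, but reading policer numbers off it by eye is error prone. The script below is an added example of my own, not code from the post or from Cisco: it parses "show policy-map interface wireless ap" output, takes the parent shaper rate, and checks that every strict-priority class is policed at the configured percentage of that rate, that the per-class drop counters are zero, and what share of the non-priority bandwidth each CBWFQ class gets from its ratio. SAMPLE is a trimmed, constructed copy of the L3602-1 output above. The 250 ms burst interval is my assumption, inferred from the numbers in that output (1875000 bytes is 60000000 bps for a quarter second), not a documented Cisco constant.

```python
"""Verify the wireless port policy a 3850 actually applied, from show output.

Added example (my code, not the post's or Cisco's). SAMPLE is a trimmed,
constructed copy of the "show policy-map interface wireless ap" output above.
The 250 ms policer burst is an assumption inferred from that output.
"""
import re
from typing import Dict, List, Tuple

SAMPLE = """\
AP L3602-1 iifid: 0x0105EE400000000A
  Service-policy output: defportangn
    Class-map: class-default (match-any)
      shape (average) cir 600000000, bc 2400000, be 2400000
      target shape rate 600000000
      Service-policy : port_child_policy
        Class-map: non-client-nrt-class (match-any)
          (total drops) 0
          bandwidth remaining ratio 10
        Class-map: VOICE (match-any)
          Priority Level: 1
          police:
             rate 10 %
             rate 60000000 bps, burst 1875000 bytes
        Class-map: VIDEO (match-any)
          Priority Level: 2
          police:
             rate 20 %
             rate 120000000 bps, burst 3750000 bytes
        Class-map: class-default (match-any)
          (total drops) 0
          bandwidth remaining ratio 60
"""

RE_SHAPE = re.compile(r"target shape rate (\d+)")
RE_CLASS = re.compile(r"Class-map: (\S+) \(")
RE_LEVEL = re.compile(r"Priority Level: (\d+)")
RE_PCT = re.compile(r"rate (\d+) %")
RE_BPS = re.compile(r"rate (\d+) bps, burst (\d+) bytes")
RE_RATIO = re.compile(r"bandwidth remaining ratio (\d+)")
RE_DROPS = re.compile(r"\(total drops\) (\d+)")


def expected_police(shape_bps: int, percent: int, burst_ms: int = 250) -> Tuple[int, int]:
    """(rate bps, burst bytes) a percent-based policer should show under the shaper."""
    rate = shape_bps * percent // 100
    return rate, rate // 8 * burst_ms // 1000


def parse_ap_policy(text: str) -> Dict:
    """{'shape_bps': parent shaper, 'classes': [...]} for the child policy's classes."""
    result = {"shape_bps": None, "classes": []}
    in_child, cur = False, None
    for line in text.splitlines():
        if (m := RE_SHAPE.search(line)) and result["shape_bps"] is None:
            result["shape_bps"] = int(m.group(1))
        elif "Service-policy :" in line:
            in_child = True           # classes from here on belong to port_child_policy
        elif m := RE_CLASS.search(line):
            cur = {"name": m.group(1), "level": None, "percent": None,
                   "bps": None, "burst": None, "ratio": None, "drops": 0}
            if in_child:
                result["classes"].append(cur)
        elif cur is None:
            continue
        elif m := RE_LEVEL.search(line):
            cur["level"] = int(m.group(1))
        elif m := RE_PCT.search(line):
            cur["percent"] = int(m.group(1))
        elif m := RE_BPS.search(line):
            cur["bps"], cur["burst"] = int(m.group(1)), int(m.group(2))
        elif m := RE_RATIO.search(line):
            cur["ratio"] = int(m.group(1))
        elif m := RE_DROPS.search(line):
            cur["drops"] = int(m.group(1))
    return result


def verify_ap_policy(parsed: Dict) -> List[str]:
    """Findings; an empty list means the applied policy matches what was configured."""
    shape, findings = parsed["shape_bps"], []
    for c in parsed["classes"]:
        if c["level"] is not None:
            if c["percent"] is None:
                findings.append(f"{c['name']}: strict priority without a policer")
            elif (c["bps"], c["burst"]) != expected_police(shape, c["percent"]):
                findings.append(f"{c['name']}: policer {c['bps']} bps / {c['burst']} bytes "
                                f"does not match {c['percent']}% of {shape}")
        if c["drops"]:
            findings.append(f"{c['name']}: {c['drops']} drops")
    return findings


def nrt_shares(parsed: Dict) -> Dict[str, float]:
    """Fraction of the non-priority bandwidth each CBWFQ class can claim."""
    ratios = {c["name"]: c["ratio"] for c in parsed["classes"] if c["ratio"]}
    total = sum(ratios.values())
    return {name: r / total for name, r in ratios.items()}
```

With the sample, `verify_ap_policy(parse_ap_policy(SAMPLE))` is empty, and `nrt_shares` shows class-default getting 60/70 of whatever the two priority queues leave over. The same parser works on the default output from the QoS Touch Points post, where the child policy has no priority classes at all, which is exactly the condition the verifier would report if the custom port_child_policy had not taken effect.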
In the next post we will see how to configure QoS on switchports playing different roles and how to verify that configuration.

References
1. End to End QoS Design- Quality of Service for Rich-Media & Cloud Networks (2nd Edition)
2. BRKCRS-2890 Converged Access QoS
3. BRKCRS-2501: Campus QoS Design—Simplified

Related Posts

1. 3850 QoS – Part 1 (QoS Touch Points)
2. 3850 QoS – Part 3
3. 3850 QoS – Part 4
4. 3850 QoS – Part 5


My Study Plans for 2014 …


The time has come to decide what to do in 2014. After clearing my CCIE Wireless lab exam in Aug 2013, I was wondering what's next for me. I know I will be busy with migrating my campus network to Converged Access (from CUWN), and enabling 802.11ac (deployment of the 3700) will be the other key task in the wireless space.

From a study perspective, I have decided to go for the CWNE (Certified Wireless Network Expert) certification within 2014.

I have already purchased the official study guides for this, and they all arrived today. (Thanks Tuhin for posting these to me and becoming my study partner on this journey.)

(Image: CWNE-1)
(Image: CWNE-2)

Happy Holidays everyone & merry X'mas


Wireless & Wired Clients behind WGB


Is it possible to have wireless & wired clients behind a WGB? This query was posted in the CSC forum, given below.

https://supportforums.cisco.com/message/4128630#4128630

Even I thought this was not possible, but when I tried it as shown below it proved my assumption wrong.

So here is the testing topology, where the WGB (3502-BR2) connects to the root AP using the 5GHz band. Wired clients connect to the R3750 switch, which is connected to G0 of the WGB, whereas wireless clients connect to the 2.4GHz radio of the WGB (MRN-DATA SSID).

(Image: Wired-Wireless-WGB-01)

Here is the config of the C3750 where the SVI for vlan 143 is defined.

hostname C3750-1
!
ip dhcp excluded-address 192.168.143.1 192.168.143.50
ip dhcp pool VLAN143
 network 192.168.143.0 255.255.255.0
 default-router 192.168.143.1 
 dns-server 192.231.203.132 192.231.203.3 
 domain-name mrn.com
!
interface Vlan143
 ip address 192.168.143.1 255.255.255.0
!
interface GigabitEthernet1/0/11
 description 1142-BR1
 switchport access vlan 143
 switchport mode access
end

Here is the 1142-BR1 config where the MRN-WGB SSID is defined for the WGB to associate to.

hostname 1140-BR1
!
dot11 ssid MRN-WGB
   authentication open 
   authentication key-management wpa version 2
   wpa-psk ascii Cisco123
!
interface Dot11Radio1
 encryption mode ciphers aes-ccm 
 ssid MRN-WGB
 station-role root
 infrastructure-client
 bridge-group 1
!
interface BVI1
 ip address 192.168.143.10 255.255.255.0
 !
ip default-gateway 192.168.143.1

Here is the WGB (3502-BR2) configuration, where I have defined two SSIDs: one with the same name as the Root AP's, to associate to it on 5GHz, and MRN-DATA for user association on 2.4GHz.

hostname 3502-BR2
!
dot11 ssid MRN-DATA
   authentication open 
   authentication key-management wpa version 2
   guest-mode
   wpa-psk ascii Cisco12345
!
dot11 ssid MRN-WGB
   authentication open 
   authentication key-management wpa version 2
   wpa-psk ascii Cisco123
!
interface Dot11Radio0
 encryption mode ciphers aes-ccm 
 ssid MRN-DATA
 station-role root
 bridge-group 1
!
interface Dot11Radio1
 encryption mode ciphers aes-ccm 
 ssid MRN-WGB
 station-role workgroup-bridge
 bridge-group 1
!
interface BVI1
 ip address dhcp

Here is the R3750 switch configuration.

hostname R3750
!
interface FastEthernet1/0/10
 description PC1
 switchport access vlan 143
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet1/0/11
 description 3502-BR2
 switchport access vlan 143
 switchport mode access
 spanning-tree portfast

Once you do this configuration and connect a wired PC to the R3750 switch on a vlan 143 switchport, you should see clients getting DHCP from the C3750. You should also see that the MRN-DATA wireless SSID is visible and that you can connect a client using the pre-shared key defined.

Here are the client association details on the WGB, where my iPhone is connected to the MRN-DATA SSID. You can see the WGB itself has taken an IP from DHCP on vlan 143.

3502-BR2#sh ip int bri | ex un
Interface                  IP-Address      OK? Method Status                Protocol
BVI1                       192.168.143.54  YES DHCP   up                    up     
!
3502-BR2#sho dot11 associations 
802.11 Client Stations on Dot11Radio1: 
SSID [MRN-WGB] : 
MAC Address    IP address      Device        Name            Parent         State     
a40c.c31a.ee60 192.168.143.10  ap1140-Parent 1140-BR1        -              Assoc    

802.11 Client Stations on Dot11Radio0: 
SSID [MRN-DATA] : 
MAC Address    IP address      Device        Name            Parent         State     
04f7.e4ea.5b66 192.168.143.56  unknown       -               self           Assoc

On the Root AP (1142-BR1) you can see all clients behind the WGB.

1140-BR1#sh dot11 associations 
802.11 Client Stations on Dot11Radio1: 
SSID [MRN-WGB] : 
MAC Address    IP address      Device        Name            Parent         State     
001f.1618.dfec 192.168.143.57  WGB-client    -               44d3.caaf.4343 Assoc    
04f7.e4ea.5b66 192.168.143.56  WGB-client    -               44d3.caaf.4343 Assoc    
44d3.caaf.4343 192.168.143.54  WGB           3502-BR2        self           Assoc 

Here is the C3750 client information on vlan 143.

C3750-1#sh arp | in Vlan143
Internet  192.168.143.1           -   0000.0c07.ac0a  ARPA   Vlan143 <- Gateway
Internet  192.168.143.10         62   5475.d0f5.2ee7  ARPA   Vlan143 <- 1142-BR1
Internet  192.168.143.54         60   44d3.caaf.4343  ARPA   Vlan143 <- 3502-BVI1
Internet  192.168.143.56          0   04f7.e4ea.5b66  ARPA   Vlan143 <- iPhone5
Internet  192.168.143.57          3   001f.1618.dfec  ARPA   Vlan143 <- Wired PC
!
C3750-1#ping 192.168.143.57
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.143.57, timeout is 2 seconds:
!!!!!

You can verify wired device connectivity on the R3750 as below.

R3750#sh mac address-table interface f1/0/11
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 143    0000.0c07.ac0a    DYNAMIC     Fa1/0/11
 143    001f.6d21.37cc    DYNAMIC     Fa1/0/11
 143    04f7.e4ea.5b66    DYNAMIC     Fa1/0/11
 143    44d3.caaf.4343    DYNAMIC     Fa1/0/11
Total Mac Addresses for this criterion: 4

R3750#sh mac address-table interface f1/0/10
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 143    001f.1618.dfec    DYNAMIC     Fa1/0/10 <-Wired PC

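A WGB bridges a whole wired segment onto the WLAN, and the root AP's association table is the only WLAN-side record of which wired MAC addresses sit behind it, so it is worth reconciling that table with the L3 switch's ARP cache rather than eyeballing both, as was done above. The script below is an added example of my own, not code from the post or from Cisco: it parses the root AP's "show dot11 associations" and the C3750's "show arp" output, lists the stations bridged by the WGB, and reports any station whose parent is not the WGB or whose IP the two devices disagree on. Both samples are constructed from the outputs shown above, trailing "<- ..." annotations included; the WGB MAC is the one the post shows.

```python
"""Reconcile the stations a WGB bridges with the upstream switch's ARP table.

Added example (my code, not the post's or Cisco's). ROOT_AP_ASSOC and
C3750_ARP are constructed copies of the outputs shown above.
"""
import re
from typing import Dict, List, Tuple

ROOT_AP_ASSOC = """\
802.11 Client Stations on Dot11Radio1:
SSID [MRN-WGB] :
MAC Address    IP address      Device        Name            Parent         State
001f.1618.dfec 192.168.143.57  WGB-client    -               44d3.caaf.4343 Assoc
04f7.e4ea.5b66 192.168.143.56  WGB-client    -               44d3.caaf.4343 Assoc
44d3.caaf.4343 192.168.143.54  WGB           3502-BR2        self           Assoc
"""

C3750_ARP = """\
Internet  192.168.143.1           -   0000.0c07.ac0a  ARPA   Vlan143 <- Gateway
Internet  192.168.143.10         62   5475.d0f5.2ee7  ARPA   Vlan143 <- 1142-BR1
Internet  192.168.143.54         60   44d3.caaf.4343  ARPA   Vlan143 <- 3502-BVI1
Internet  192.168.143.56          0   04f7.e4ea.5b66  ARPA   Vlan143 <- iPhone5
Internet  192.168.143.57          3   001f.1618.dfec  ARPA   Vlan143 <- Wired PC
"""

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
# columns of "show dot11 associations": MAC, IP, Device, Name, Parent, State
RE_ASSOC = re.compile(rf"^({MAC})\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)", re.M)
# "show arp": Internet <ip> <age> <mac> ARPA <interface> [annotation ignored]
RE_ARP = re.compile(rf"^Internet\s+(\S+)\s+\S+\s+({MAC})\s+ARPA\s+(\S+)", re.M)


def parse_associations(text: str) -> Dict[str, Dict[str, str]]:
    """MAC -> {ip, device, parent, state} from 'show dot11 associations'."""
    return {m.group(1): {"ip": m.group(2), "device": m.group(3),
                         "parent": m.group(5), "state": m.group(6)}
            for m in RE_ASSOC.finditer(text)}


def parse_arp(text: str) -> Dict[str, str]:
    """MAC -> IP from 'show arp'; trailing annotations are ignored."""
    return {m.group(2): m.group(1) for m in RE_ARP.finditer(text)}


def clients_behind_wgb(assoc: Dict[str, Dict[str, str]], wgb_mac: str) -> List[Tuple[str, str]]:
    """Sorted (mac, ip) of stations the root AP reports as bridged by this WGB."""
    return sorted((mac, a["ip"]) for mac, a in assoc.items()
                  if a["device"] == "WGB-client" and a["parent"] == wgb_mac)


def reconcile(assoc: Dict[str, Dict[str, str]], arp: Dict[str, str], wgb_mac: str) -> List[str]:
    """Findings for WGB-bridged stations; an empty list means both views agree."""
    findings = []
    if wgb_mac not in assoc or assoc[wgb_mac]["device"] != "WGB":
        findings.append(f"{wgb_mac}: not associated as a WGB")
    for mac, a in assoc.items():
        if a["device"] != "WGB-client":
            continue
        if a["parent"] != wgb_mac:
            findings.append(f"{mac}: parent {a['parent']} is not the WGB")
        if mac not in arp:
            findings.append(f"{mac}: no ARP entry on the switch")
        elif arp[mac] != a["ip"]:
            findings.append(f"{mac}: AP reports {a['ip']}, ARP has {arp[mac]}")
    return findings
```

Feed it the two outputs and `reconcile(...)` comes back empty, which is the state the post's screenshots show; a stale or conflicting ARP entry, or a client that has re-associated to a different parent, shows up as a one-line finding per MAC. The parser stops at the columns the post's output has, so the Name column is read but not used.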
I have not tried configuring multiple vlans to see whether it works. You can try it yourself and see.

Related Posts

1. WGB-CAPWAP with Multiple VLAN
2. WGB-IOS AP with Multiple VLAN
3. WGB Config Example



3850 QoS – Part 4 (Wireless QoS Mapping)


In this post we will see how QoS mapping works on the Converged Access switch platform (3850/3650). I have used the IOS-XE 3.3.01SE image for this post (this is important, since the behaviour keeps evolving in this CA software product suite).

Switch Ports Model              SW Version        SW Image              Mode   
------ ----- -----              ----------        ----------            ----   
*    1 56    WS-C3850-48P       03.03.01SE        cat3k_caa-universalk9 INSTALL

To test this out we will use the below topology, where the 3850-1 switch stack acts as MC/MA (WLC integrated switch).

(Image: 3850-QoS-P4-03)

Here is the basic config of 3850-1, where it acts as MC/MA.

vlan 1410
 name WLN-STD-6
!
vlan 1610
 name NET-WAP-1
!
interface Vlan1410
 ip address 10.141.103.241 255.255.248.0
!
interface Vlan1610
 ip address 10.161.33.21 255.255.254.0
!
wireless mobility controller
wireless management interface Vlan1610
!
interface GigabitEthernet1/0/2
 description L1142-1
 switchport access vlan 1610
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/11
 description VOIP-1
 switchport access vlan 13
 switchport mode access
 switchport voice vlan 989
 spanning-tree portfast
!
wlan 3850 17 3850
 no broadcast-ssid
 client vlan WLN-STD-6
 radio dot11a
 no security wpa
 no shutdown
!
ap group 3850
  wlan 3850
  vlan WLN-STD-6

Here is a wireless sniff capturing signaling & RTP media traffic coming from the 7925G. As expected, signalling traffic has CS3 as DSCP with priority 4 as WMM-UP (or 802.11e), and RTP media traffic has EF as DSCP with priority 6 as UP.

(Image: 3850-QoS-P4-04)
(Image: 3850-QoS-P4-05)

Now let's see a packet capture at G1/0/2 (the wireless port connected to L1142-1). Here is an RTP packet coming from the phone. As you can see, the AP has encapsulated the original packet in CAPWAP with src the AP IP and dst the 3850 wireless management IP. Interestingly, the outer DSCP is set to default (0x00). Even the signalling packet's outer DSCP is set to default (capture not shown here).

(Image: 3850-QoS-P4-06)

Why are these set to default? If you remember the QoS Touch Points post, when traffic goes from wireless to wired the default behavior is UNTRUST. So you have to remove that from your switch config as shown below.

3850-1#sh run | in qos
qos wireless-default-untrust

3850-1#conf  t
Enter configuration commands, one per line.  End with CNTL/Z.
3850-1(config)#no qos wireless-default-untrust

Once you remove this default behavior you can see the outer CAPWAP DSCP is the same as the original packet's DSCP (EF for the RTP packet). Here is the packet capture, this time on G1/0/2.

(Image: 3850-QoS-P4-07)

Now let's get a capture at G1/0/11, where the VoIP phone is connected, to see what QoS values arrive there. You can see the outer CAPWAP DSCP's equivalent CoS (ie 5) in the 802.1q header (as the phone switchport is configured for both voice & data vlans).

(Image: 3850-QoS-P4-08)

Below diagram summarizes these QoS mapping changes when traffic goes from a wireless port to a wired port. When mapping the wireless frame to the outer CAPWAP header, the DSCP value is derived from the wireless frame's UP (802.11e) value. The diagram below does not reflect that accurately.

(Image: 3850-QoS-P4-01)

In the reverse direction (wired phone to wireless phone) you can see the QoS is preserved, as long as you have removed this default UNTRUST behavior between wireless and wired. (Between wired and wired it is TRUSTED by default.) Here is the VoIP-1 to 7925G RTP traffic at G1/0/11 (wired port).

(Image: 3850-QoS-P4-09)

Here is the capture at G1/0/2 (wireless port).

(Image: 3850-QoS-P4-10)

Here is the downstream wireless traffic to the 7925G. You can see the outer CAPWAP DSCP is mapped to the WMM-UP value (priority 6).

(Image: 3850-QoS-P4-11)

Below diagram summarizes these QoS mappings when traffic goes from a wired port to a wireless port.

(Image: 3850-QoS-P4-02)

References
1. BRKCRS-2890 – Converged Access Quality of Service

Related Posts

1. 3850 QoS – Part 1 (QoS Touch Points)
2. 3850 QoS – Part 2 (Queuing Models)
3. 3850 QoS – Part 3 (Port specific QoS Roles)
4. 3850 QoS – Part 5


3850 QoS – Part 3 (Port Specific QoS Role)


In this post we will see how to configure QoS for wired & wireless ports based on their role. I have taken two examples: a VoIP phone connected switchport (wired port) and an AP connected switchport (wireless port).

Here is our CA topology; I will focus on the 3850-2 switch for this QoS configuration. IOS-XE 3.3.1 is used for this post, and the behavior may differ if you are using an earlier software version.

(Image: 3850-QoS-P3-01)

I have configured two switchports (G1/0/11 & 12) on the 3850-2 switch for VoIP phones as shown below.

interface GigabitEthernet1/0/11
 description VOIP-1
 switchport access vlan 13
 switchport mode access
 switchport voice vlan 989
 spanning-tree portfast
!
interface GigabitEthernet1/0/12
 description VOIP-2
 switchport access vlan 13
 switchport mode access
 switchport voice vlan 989
 spanning-tree portfast

Now let's make a call between these two phones & see how the QoS parameters change. I have configured the SPAN session below; my monitoring PC (BackTrack) is connected to G1/0/27 of this switch.

3850-2#sh run | in session
monitor session 1 source interface Gi1/0/11
monitor session 1 destination interface Gi1/0/47 encapsulation replicate
!
3850-2#sh run int g1/0/47
interface GigabitEthernet1/0/47
end

Here are the packet captures of the signaling & RTP media packets coming from the VoIP-1 phone connected to G1/0/11. Similarly, packets coming from VoIP-2 should have the same classification when they arrive at G1/0/12.

Now let's look at the packets going to VoIP-1 (only RTP traffic, since signalling goes back to CUCM). As you can see, traffic going to VoIP-1 has EF (or Priority 5 in the dot1q header), which is the same as the incoming values from VoIP-2. This is a very important thing to remember on the 3850 platform: by default, QoS values (DSCP or CoS) received on a wired switchport are trusted & passed through to another wired switchport without change.

Now let's see how this works when we make a call between a wireless phone and a wired phone. To do this we will create an open authentication WLAN called "3850" & map it to VLAN 1410 under the AP group that L3602-1 is configured for. (I used no broadcast-ssid since I am doing this in an office environment & do not want it visible to normal users.) I will also use an iPhone5 to illustrate the QoS mapping changes.

3850-2(config)#wlan 3850 17 3850
3850-2(config-wlan)# no broadcast-ssid
3850-2(config-wlan)# client vlan WLN-STD-6
3850-2(config-wlan)# radio dot11a
3850-2(config-wlan)# no security wpa
3850-2(config-wlan)# no shutdown

3850-2#show ap groups 
Site Name: default-group
Site Description: 
WLAN ID   WLAN Name                        Interface
----------------------------------------------------
AP Name                         Ethernet MAC      Location
-----------------------------------------------------------
Site Name: SPG1-PW00
Site Description: 
WLAN ID   WLAN Name                        Interface
-----------------------------------------------------
21        LTUWireless                      WLN-STD-6               

AP Name                         Ethernet MAC      Location
-----------------------------------------------------------
L3702-1                          7cad.74ff.2bc6 default location
L3602-1                          4c00.82df.a4c1 default location

3850-2(config)#ap group SPG1-PW00
3850-2(config-apgroup)#wlan 3850
3850-2(config-wlan-apgroup)#vlan 1410

You can verify the wireless client connectivity details as below. The iPhone5 details are highlighted in purple.

3850-2#show wireless client summary 
Number of Local Clients : 1
MAC Address    AP Name                          WLAN State              Protocol 
--------------------------------------------------------------------------------
04f7.e4ea.5b66 L3602-1                          17   UP                 11n(5)   
2c54.2dea.f4ea L3602-1                          17   UP                 11a        

3850-2#show wireless client mac-address 04f7.e4ea.5b66 detail 
Client MAC Address : 04f7.e4ea.5b66
Client Username: N/A
AP MAC Address : f84f.57e3.1460
AP Name: L3602-1
AP slot : 1
Client State : Associated
Wireless LAN Id : 17
Wireless LAN Name: 3850
BSSID : f84f.57e3.146e
Connected For : 2851 secs 
Protocol : 802.11n - 5 GHz
Channel : 36
Client IIF-ID : 0xf2a50000000025
ASIC : 0
IPv4 Address : 10.141.96.9
IPv6 Address : Unknown
Association Id : 2
Authentication Algorithm : Open System
Status Code : 0
Session Timeout : 0
Client CCX version : No CCX support
Input Policy Name  : unknown
Input Policy State : None
Output Policy Name  : unknown
Output Policy State : None
802.1P Priority Tag : Not supported
WMM Support : Enabled
U-APSD Support : Disabled
Power Save : ON
Current Rate : m7

If you do a wireless packet capture you will see the wireless frames coming from this iPhone5. I am using Jabber Voice (v9.1.6.21640) as the voice client. Here is an RTP packet coming from the iPhone5. As you can see, the WMM UP value is 5 even though the actual IP packet DSCP is EF. In fact this should be marked as priority 6 as per the 802.11e standard, but most of these devices do not mark the UP value correctly (a 7925G marks UP as 6 :))

Now let's take a look at the packet capture at the G1/0/2 wireless port while making a call between the iPhone5 and VoIP-2.

interface GigabitEthernet1/0/2
 description L3602-1
 switchport access vlan 1610
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/47
end
!
monitor session 1 source interface Gi1/0/2
monitor session 1 destination interface Gi1/0/47

Here is the capture output of a signalling packet & RTP media traffic coming from the iPhone5 to the 7965 wired phone. As you can see, the outer CAPWAP DSCP value is AF41 (which corresponds to a WMM UP value of 5). Note that the original packet DSCP is still EF.

Also note that I have removed the default "untrust" behavior of this switch platform for traffic traversing from wireless to wired or vice versa. If you do not do this, the outer CAPWAP DSCP will be re-written to BE (0x00) at this point.

3850-2(config)#no qos wireless-default-untrust

Now if you look at the G1/0/12 packet capture you will see what QoS values the VoIP phone receives. As you can see, based on the outer CAPWAP header DSCP value, the switch has re-written the 802.1q header CoS value & the original packet DSCP. So the VoIP phone gets the packet with DSCP AF41 (instead of EF).

So it is important to classify your traffic based on a corporate QoS policy, rather than trusting DSCP (or the WMM UP value for wireless frames), since there is no consistency across these different clients.

In a future post we will see how to classify traffic in order to get same treatment for wired & wireless traffic across the network.

Related Posts

1. 3850 QoS – Part 1 (QoS Touch Points)
2. 3850 QoS – Part 2 (Queuing Models)
3. 3850 QoS – Part 4 (Wireless QoS Mapping)
4. 3850 QoS – Part 5


AVC Protocol Pack Update


Starting from the WLC 7.5.x release, you can update the NBAR2 protocol packs independently of the controller software. Protocol packs are software packages that allow signature support to be updated without replacing the image on the controller. You have the option to load protocol packs dynamically when new protocol support is added. There are two kinds of protocol packs, Major and Minor:

• Major protocol packs include support for new protocols, updates and bug fixes.
• Minor protocol packs typically do not include support for new protocols.
• Protocol packs are targeted to specific platform types, software versions and releases separately.

Protocol packs can be downloaded from CCO using the software type "NBAR2 Protocol Pack".

The link below provides information about the available NBAR2 protocol packs for supported platforms.
http://www.cisco.com/en/US/docs/ios-xml/ios/qos_nbar/prot_lib/config_library/nbar-prot-pack-library.html

This link provides the protocol pack 4.1.1 specific information.
http://www.cisco.com/en/US/docs/wireless/controller/nbar2_prot_pack/4.1.1/b_nbar2_prot_pack_411_chapter_01.html

NBAR2 Protocol Pack 4.1.1 is supported on the following Cisco Wireless LAN Controller platforms:
1. Cisco 5508 Wireless Controller
2. Cisco Flex 7500 Series Wireless Controllers
3. Cisco 8510 Wireless Controller
4. Cisco Wireless Services Module 2 (WiSM2)

**** The Cisco 2504 Wireless Controller supports Application Visibility and Control, but does not support protocol packs ****

Protocol packs are released for specific NBAR engine versions. For example, WLC 7.5 has NBAR engine 13. The protocol pack file "pp-AIR-7.5-13-4.1.1.pack" (format: pp-AIR-{release}-{engine version}-M.m.r.pack) is located in the same location as the controller code version 7.5.

You can verify the AVC engine version & the protocol pack version of your controller as shown below.

(BUN-PW00-WC01) >show avc engine version 
 AVC Engine Version: 13

(BUN-PW00-WC01) >show avc ?
profile        protocol-pack  

(BUN-PW00-WC01) >show avc protocol-pack ?            
version        Display AVC Protocol-Pack Version information.

(BUN-PW00-WC01) >show avc protocol-pack version 
 AVC Protocol Pack Name: Advanced Protocol Pack
 AVC Protocol Pack Version: 1.0

You can download a protocol pack to the WLC like any normal file transfer via FTP or TFTP. I have used the TFTP method here. The datatype should be selected as "avc-protocol-pack" as shown below.

(BUN-PW00-WC01) >transfer download mode tftp   
(BUN-PW00-WC01) >transfer download datatype avc-protocol-pack 
(BUN-PW00-WC01) >transfer download path .
(BUN-PW00-WC01) >transfer download serverip x.x.13.2
(BUN-PW00-WC01) >transfer download filename pp-AIR-7.5-13-4.1.1.pack
(BUN-PW00-WC01) >transfer download start 

Mode............................................. TFTP  
Data Type........................................ AVC Protocol Pack
TFTP Server IP................................... 131.172.13.2
TFTP Packet Timeout.............................. 6
TFTP Max Retries................................. 10
TFTP Path........................................ ./
TFTP Filename.................................... pp-AIR-7.5-13-4.1.1.pack

Starting tranfer of AVC Protocol Pack
This may take some time.
Are you sure you want to start? (y/N) y
TFTP AVC Protocol Pack transfer starting.
TFTP receive complete... Loading Protocol Pack.
AVC Protocol Pack installed.

Once the installation completes, you can verify the AVC protocol pack status using the same two commands as shown below.

(BUN-PW00-WC01) >show avc protocol-pack version 
 AVC Protocol Pack Name: Advanced Protocol Pack
 AVC Protocol Pack Version: 4.10001

(BUN-PW00-WC01) >show avc engine version 
 AVC Engine Version: 13

**** If you are using WLC 7.6.x code, then the latest AVC protocol pack is "pp-AIR-7.6-13-6.3.0.pack". You need to use this if your WLC is running the 7.6.x software release ****

When configuring AVC (specifically to re-classify traffic), it is important to understand the interaction with QoS for the given WLAN. The NBAR2 functionality is based on the DSCP setting. The following happens to packets in the upstream and downstream directions if AVC and QoS are configured on the same WLAN:

Upstream
1. Packet comes with or without inner DSCP from the wireless side (wireless client).
2. AP adds the DSCP configured on the WLAN (QoS based config) to the CAPWAP header.
3. WLC removes the CAPWAP header.
4. AVC module on the controller overwrites the DSCP with the marked value configured in the AVC profile and sends it out.

Downstream
1. Packet comes from the switch (wired side) with or without an inner DSCP value.
2. AVC module overwrites the inner DSCP value.
3. Controller compares the WLAN QoS configuration (as per the 802.1p value, which is actually 802.11e) with the inner DSCP value that NBAR has overwritten. The WLC chooses the lesser value and puts it into the CAPWAP header as DSCP.
4. WLC sends the packet to the AP with the QoS WLAN setting on the outer CAPWAP header and the AVC setting on the inner DSCP.
5. AP strips the CAPWAP header and sends the packet on air with the AVC DSCP setting; if AVC was not applied to an application, that application adopts the QoS setting of the WLAN.

Here is the link to the protocol list supported by NBAR2, for your reference:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6558/ps6616/product_bulletin_c25-627831.html


Reference
1. AVC Feature Deployment Guide (Phase-2), Software Release 7.5
2. BRKNMS-1040 : Managing AVC with Cisco Prime Infrastructure 2.0

Related Posts

1. Configuring AVC on WLC 7.4


3850 QoS – Part 5 (Traffic Classification)


In this post we will see how to classify traffic on this switch platform. The real advantage of the 3850 (or any other CA switch platform) is that you can classify both wired & wireless traffic using the same classification rules at your access layer. In CUWN you cannot do this, as all wireless traffic is CAPWAP tunneled back to your WLC.

Here is our CA topology, where two PCs (PC-1 & PC-2) with Jabber clients are connected to two VoIP phones. An iPhone5 with a Jabber client (v9.5.0.153580) is used as the wireless client for testing. We will see how we can use a classification policy to mark this traffic consistently whether it comes via wired or wireless.

Jabber uses SIP (Session Initiation Protocol) on TCP/UDP 5060 & 5061 for voice signalling & RTP (Real-time Transport Protocol) on UDP 16384-32767 as the destination port range. There may be additional TCP ports used for directory services and file transfers between CUCM & Jabber clients, but those protocols may not require any specific prioritization.

If you sniff the wireless packets when the iPhone5 is making a Jabber video call, you can see the QoS settings of these frames. Here are two wireless frames, one for SIP signalling & one for RTP media.

When these wireless frames hit the AP, it maps the original packet DSCP to the outer CAPWAP header DSCP (unless you do WMM UP to DSCP mapping). So the signaling packet goes as CS3 & the media packet goes as AF41. Here is the packet capture at G1/0/2 proving the inner DSCP value is copied across to the outer CAPWAP DSCP.

If you are using a Windows 7 laptop as a wireless client with Jabber (v9.2.2 Build 3271), you will see a DSCP value of 0 (or BE) for both signalling & media traffic (unless you classify at group policy level). So when it goes to the wired network, both video & signalling traffic go as Best Effort in this scenario.

Let's create a service policy to classify this traffic. Here is our interesting-traffic classification for this scenario. This is a fairly generic classification ACL; if you want, you can be more restrictive instead of using the any keyword.

3850-2(config)#ip access-list extended VOIP
3850-2(config-ext-nacl)#permit udp any any range 16384 32767

3850-2(config)#ip access-list extended SIP
3850-2(config-ext-nacl)#permit udp any any range 5060 5061       
3850-2(config-ext-nacl)#permit tcp any any range 5060 5061

Now let's define a class-map for each type of traffic. I have used the "match-any" keyword, so you can add multiple classification ACLs later while still using the same class-map.

3850-2(config)#class-map match-any VOIP-TRAFFIC
3850-2(config-cmap)#match access-group name VOIP

3850-2(config-cmap)#class-map match-any SIGNALLING  
3850-2(config-cmap)#match access-group name SIP 

Finally, define a policy-map to re-classify the traffic.

3850-2(config)#policy-map LTU-INGRESS-POLICY
3850-2(config-pmap)#class VOIP-TRAFFIC
3850-2(config-pmap-c)#set dscp ef
3850-2(config-pmap-c)#class SIGNALLING
3850-2(config-pmap-c)#set dscp CS3

Now you can apply this policy to your WLAN as shown below. I have used the "client" keyword, so the policy is applied to each wireless client authorized on the SSID and is applied independently to each client. When using a service policy without the client keyword, the policy applies to the SSID and treats all clients as an aggregate (this is important to remember, especially if your ingress service policy includes a policing element). Also note that the WLAN has to be disabled prior to applying the service policy via the CLI.

3850-2(config-wlan)#service-policy ?
  client  Assign policy-map to all clients in WLAN
  input   Assign policy-map to WLAN input
  output  Assign policy-map to WLAN output

3850-2(config-wlan)#service-policy client ?
  input   Assign policy-map to all clients in WLAN
  output  Assign policy-map to all clients in WLAN

3850-2(config-wlan)#service-policy client input ?
  WORD  policy-map name

3850-2(config-wlan)#service-policy client input LTU-INGRESS-POLICY
% switch-1:wcm:Please disable WLAN before config client policies
3850-2(config-wlan)#shut
3850-2(config-wlan)#service-policy client input LTU-INGRESS-POLICY
3850-2(config-wlan)#no shut

You can verify your policy-map configuration using the "show policy-map <NAME>" command. Here is how our policy-map config looks.

3850-2#show policy-map LTU-INGRESS-POLICY
  Policy Map LTU-INGRESS-POLICY
    Class VOIP-TRAFFIC
      set dscp ef
    Class SIGNALLING
      set dscp cs3

3850-2#sh run | sec wlan 3850
wlan 3850 17 3850
 no broadcast-ssid
 client vlan WLN-STD-6
 radio dot11a
 no security wpa
 service-policy client input LTU-INGRESS-POLICY
 no shutdown

Now here is the traffic going out of the trunk port (G1/0/48) of the 3850-2 switch. As you can see, the traffic is now classified according to your policy, where signalling is marked as DSCP CS3 & VoIP as EF.

Now if you look at the wired port traffic on G1/0/11 when you make a Jabber call between PC-1 & VoIP-2, you will see a DSCP value of 0 for both media & signalling as shown below.

You can apply the same classification policy-map you created to these wired ports as well.

3850-2(config)#int range g1/0/11-12
3850-2(config-if-range)#service-policy input LTU-INGRESS-POLICY

Now if you look at G1/0/12 (traffic going to VoIP-2), this time you will see the media traffic go as EF. (If you take a packet capture on G1/0/48 you will see the signalling traffic going as CS3 as well.)

This is the real beauty of Converged Access: you can apply the same classification, marking and policing rules at your access layer to both wireless & wired traffic without any inconsistency. In CUWN you cannot do this, as the access layer switch does not have visibility of the inner IP packet (it only sees the CAPWAP traffic from AP to WLC).
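To tie together the observations from Part 3 (the outer CAPWAP DSCP rewriting the phone's DSCP, and the default untrust dropping everything to BE) with this post's classification policy, here is an added Python model of the marking steps these posts describe. It is an illustration written for this page, not Cisco code; the Pkt fields, function names and the full UP-to-DSCP table are assumptions of the model, while the ACL ranges and the DSCP results are the ones given in the posts.

```python
"""Model of the 3850 marking steps described in these posts (added
illustration, not Cisco code).  Behaviour modelled, as the captures show it:
  - the AP fills the outer CAPWAP DSCP either by copying the inner DSCP or by
    mapping the frame's 802.11e UP (UP 5 -> AF41, UP 6 -> EF);
  - with the default 'qos wireless-default-untrust' the outer DSCP is rewritten
    to BE as traffic crosses from the wireless port to a wired port;
  - on wired egress the 802.1Q CoS and inner DSCP are rewritten from the outer
    CAPWAP DSCP, which is why a phone can receive AF41 instead of EF;
  - 'service-policy client input LTU-INGRESS-POLICY' re-marks on the ACL match
    (UDP 16384-32767 -> EF, TCP/UDP 5060-5061 -> CS3) whatever the client sent.
"""
from dataclasses import dataclass, replace
from typing import Optional

BE, CS3, AF41, EF = 0, 24, 34, 46
# Cisco WMM UP -> DSCP table (assumed here); UP 5 -> AF41 and UP 6 -> EF match
# the captures in Parts 3 and 4.
UP_TO_DSCP = {0: BE, 1: 8, 2: 16, 3: CS3, 4: 32, 5: AF41, 6: EF, 7: 56}


@dataclass(frozen=True)
class Pkt:
    proto: str                         # "udp" or "tcp"
    dport: int                         # destination port
    dscp: int                          # inner IP DSCP as marked by the client
    up: Optional[int] = None           # 802.11e UP of the wireless frame
    outer_dscp: Optional[int] = None   # CAPWAP header DSCP (AP <-> switch)
    cos: Optional[int] = None          # 802.1Q CoS on the wired egress port


def classify(p: Pkt) -> Optional[int]:
    """LTU-INGRESS-POLICY: VOIP ACL -> EF, SIP ACL -> CS3, otherwise no re-mark."""
    if p.proto == "udp" and 16384 <= p.dport <= 32767:
        return EF
    if p.proto in ("udp", "tcp") and 5060 <= p.dport <= 5061:
        return CS3
    return None


def ap_encapsulate(p: Pkt, up_mapping: bool = False) -> Pkt:
    """AP wraps the client's packet in CAPWAP and sets the outer DSCP."""
    outer = UP_TO_DSCP[p.up] if up_mapping else p.dscp
    return replace(p, outer_dscp=outer)


def switch_to_wired(p: Pkt, untrust: bool = True, policy: bool = False) -> Pkt:
    """3850: CAPWAP in on the AP port, tagged 802.1Q frame out on a phone port."""
    outer = BE if untrust else p.outer_dscp    # default untrust -> BE
    marked = classify(p) if policy else None   # attached policy sets the mark
    final = marked if marked is not None else outer   # else outer overwrites inner
    # Default DSCP-to-CoS map uses the three high bits: EF -> 5, AF41 -> 4.
    return replace(p, dscp=final, cos=final >> 3, outer_dscp=None)


def demo() -> dict:
    """Reproduce the three results seen in the posts for the iPhone5 RTP stream."""
    rtp = Pkt("udp", 20000, EF, up=5)               # Jabber on iPhone5: EF, but UP 5
    capwap = ap_encapsulate(rtp, up_mapping=True)   # outer DSCP becomes AF41
    return {
        "default_untrust": switch_to_wired(capwap).dscp,                          # BE
        "untrust_removed": switch_to_wired(capwap, untrust=False).dscp,           # AF41
        "with_policy": switch_to_wired(capwap, untrust=False, policy=True).dscp,  # EF
    }


if __name__ == "__main__":
    print(demo())
```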

In this example we have only used two traffic classes to illustrate the concept, but in the real world you can use an 8-class model to fit all other types of traffic as well. In a future post we will see how to define a comprehensive service policy, including policing.

Related Posts

1. 3850 QoS – Part 1 (QoS Touch Points)
2. 3850 QoS – Part 2 (Queuing Models)
3. 3850 QoS – Part 3 (Port specific QoS Roles)
4. 3850 QoS – Part 4 (Wireless QoS Mapping)


802.11ac with Cisco 3700 AP


Cisco has released the WLC 7.6.100.0 code (on 18th Dec 2013) to support the new 3700 series AP, which supports 802.11ac. The Cisco 3700 AP supports a 1.3Gbps data rate (wave 1 of 802.11ac) with 4×4 MIMO & 3SS (spatial streams). Even though the AP supports 1.3 Gbps, the limiting factor would be the 1G Ethernet port (at the switch end & AP end).

To get first-hand experience, we decided to upgrade one of our 5508 WLCs to the 7.6.100.0 release & swap a couple of existing 3600 APs with 3700s. Like any other software release, this code comes with loads of unresolved bugs, so carefully review the full release notes prior to upgrading your controller to it.

Below is the simple testing scenario we used to measure the performance of 802.11ac capable clients. We had 3 different products which support 802.11ac: Google Nexus 5 (1SS), Samsung Galaxy S4 (1SS) & MacBook Air (2SS). I have used an iPhone5 (802.11n only) for comparison.

802.11ac is only supported in 5GHz & you have to set an 80MHz channel width, as 802.11ac bonds 4 channels together to give higher throughput. So here are my WLC 802.11a/n/ac band DCA settings.

I have let RRM determine the channel allocation & power levels based on the environment. Here is what my 3702 AP settled on.

Here is what I see a few minutes later in the client associations on this AP. As you can see there are 3 clients connected in 802.11ac mode & others with 802.11n in the 5GHz band. (Note that I have disabled the 2.4GHz band on this AP.)

Then, to measure the throughput, we measured the upload & download speed with the iperf application. I have measured data at 1s intervals for a 5min duration.

Here is the result with the MacBook Air. Once you connect to the SSID, you will see the data rate as 867Mbps (this is the max data rate this client supports & not the actual throughput).

Here is the actual download throughput of the MBA over a 5 min period. We got around 236Mbps on average.

Here is the actual upload throughput of the MBA over a 5 min period. Average upload throughput is 290Mbps.

If you connect 1SS devices like the Nexus 5 or Samsung S4, you will see the data rate as 433Mbps. Again this is not the real throughput & here are the throughput results we got for the Nexus 5.

Here is what we got for the Samsung S4.

For comparison I have taken the iPhone5 download throughput. We got around 88Mbps on average.

As you can see, the overall performance is very good & clients are getting very high throughput. But I still feel 802.11ac performance fluctuates drastically compared to the 802.11n result.

We have to wait & see as more & more devices come with 802.11ac to benchmark 802.11ac performance.

