In this post we will see how to configure a Cisco 3850 switch for basic wireless connectivity. This is part of the Converged Access product platform & you should have some familiarity with the new architecture (which will not be discussed in this post). Here are a few key points you need to remember when using a 3850 as WLC.
1. You have to attach your access points directly to your 3850 switches (yes, every wiring closet should have one so that all building APs can connect to this new environment).
2. Wireless management vlan & AP management vlan should be identical. If you configure vlan 21 as wireless management on the 3850 switch, all your APs connected to this switch should be on access vlan 21.
3. You have to enable Mobility Controller (MC) functionality to terminate CAPWAP (MC functionality can be in the same 3850 switch, another 3850 switch or a 5508/5760 centralized controller). By default, when you enable wireless management, the switch will act as a Mobility Agent (MA) & will not be able to terminate CAPWAP.
4. The “ipbase” or “ipservices” feature set has to be there for MC functionality. “lanbase” cannot be used on a switch stack that provides MC functionality.
5. A given 3850 switch stack can support a maximum of 50 APs.
In my lab setup I have two 3850 switches stacked together. Before getting started, we will make sure we have the latest software code on this switch. At the time of this write-up, IOS-XE 3.2.3SE is the latest code available for the 3850 platform. You can refer to the 3850 IOS-XE 3.2.x SE release notes for more details of the features, restrictions, etc.
Let’s copy this new image to flash of our 3850.
3850-1#copy tftp://192.168.20.51/firmware/cat3k_caa-universalk9.SPA.03.02.03.SE.150-1.EX3.bin flash:
Destination filename [cat3k_caa-universalk9.SPA.03.02.03.SE.150-1.EX3.bin]?
Accessing tftp://192.168.20.51/firmware/cat3k_caa-universalk9.SPA.03.02.03.SE.150-1.EX3.bin...
Loading firmware/cat3k_caa-universalk9.SPA.03.02.03.SE.150-1.EX3.bin from 192.168.20.51 (via Vlan999):
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!
[OK - 223743040 bytes]
There are two modes, “INSTALL” & “BUNDLE”, available in these new switches. If you want to boot in “INSTALL” mode you have to copy the image onto flash first. In “BUNDLE” mode, you can still keep the image on TFTP & boot from there if required. But in BUNDLE mode the switch requires more memory to do this, & the preferred method is “INSTALL” mode.
You can use the “software install file <file_location>” command to install new software onto your switch. At the end it will prompt you to reload the switch, as shown below.
3850-1#software install file flash:cat3k_caa-universalk9.SPA.03.02.03.SE.150-1.EX3.bin
Preparing install operation ...
[1]: Copying software from active switch 1 to switch 2
[1]: Finished copying software to switch 2
[1 2]: Starting install operation
[1 2]: Expanding bundle flash:cat3k_caa-universalk9.SPA.03.02.03.SE.150-1.EX3.bin
[1 2]: Copying package files
[1 2]: Package files copied
[1 2]: Finished expanding bundle flash:cat3k_caa-universalk9.SPA.03.02.03.SE.150-1.EX3.bin
[1 2]: Verifying and copying expanded package files to flash:
[1 2]: Verified and copied expanded package files to flash:
[1 2]: Starting compatibility checks
[1 2]: Finished compatibility checks
[1 2]: Starting application pre-installation processing
[1 2]: Finished application pre-installation processing
[1]: Old files list:
Removed cat3k_caa-base.SPA.03.02.02.SE.pkg
Removed cat3k_caa-drivers.SPA.03.02.02.SE.pkg
Removed cat3k_caa-infra.SPA.03.02.02.SE.pkg
Removed cat3k_caa-iosd-universalk9.SPA.150-1.EX2.pkg
Removed cat3k_caa-platform.SPA.03.02.02.SE.pkg
Removed cat3k_caa-wcm.SPA.10.0.111.0.pkg
[2]: Old files list:
Removed cat3k_caa-base.SPA.03.02.02.SE.pkg
Removed cat3k_caa-drivers.SPA.03.02.02.SE.pkg
Removed cat3k_caa-infra.SPA.03.02.02.SE.pkg
Removed cat3k_caa-iosd-universalk9.SPA.150-1.EX2.pkg
Removed cat3k_caa-platform.SPA.03.02.02.SE.pkg
Removed cat3k_caa-wcm.SPA.10.0.111.0.pkg
[1]: New files list:
Added cat3k_caa-base.SPA.03.02.03.SE.pkg
Added cat3k_caa-drivers.SPA.03.02.03.SE.pkg
Added cat3k_caa-infra.SPA.03.02.03.SE.pkg
Added cat3k_caa-iosd-universalk9.SPA.150-1.EX3.pkg
Added cat3k_caa-platform.SPA.03.02.03.SE.pkg
Added cat3k_caa-wcm.SPA.10.0.120.0.pkg
[2]: New files list:
Added cat3k_caa-base.SPA.03.02.03.SE.pkg
Added cat3k_caa-drivers.SPA.03.02.03.SE.pkg
Added cat3k_caa-infra.SPA.03.02.03.SE.pkg
Added cat3k_caa-iosd-universalk9.SPA.150-1.EX3.pkg
Added cat3k_caa-platform.SPA.03.02.03.SE.pkg
Added cat3k_caa-wcm.SPA.10.0.120.0.pkg
[1 2]: Creating pending provisioning file
[1 2]: Finished installing software. New software will load on reboot.
[1 2]: Committing provisioning file
[1 2]: Do you want to proceed with reload? [yes/no]: yes
[2]: Reloading
[1]: Pausing before reload
Now if you look at the contents of your flash directory you will see multiple .pkg files & .conf files. Depending on the image that came with your switch & how many times you upgraded the switch, there could be multiple versions of the .conf files & .pkg files. You can clean this directory using the “software clean” command, which deletes all unwanted files from the directory. In this way you will keep only the 3.2.3SE related files on your flash.
3850-1#dir
Directory of flash:/
85193 -rw- 2097152 Sep 28 2013 14:28:26 +10:00 nvram_config
85187 -rw- 74410468 Jan 1 1970 11:01:11 +11:00 cat3k_caa-base.SPA.03.02.00SE.pkg
85188 -rw- 2773680 Jan 1 1970 11:01:12 +11:00 cat3k_caa-drivers.SPA.03.02.00.SE.pkg
85189 -rw- 32478044 Jan 1 1970 11:01:12 +11:00 cat3k_caa-infra.SPA.03.02.00SE.pkg
85190 -rw- 30393116 Jan 1 1970 11:01:12 +11:00 cat3k_caa-iosd-universalk9.SPA.150-1.EX.pkg
85191 -rw- 18313952 Jan 1 1970 11:01:12 +11:00 cat3k_caa-platform.SPA.03.02.00.SE.pkg
85192 -rw- 63402700 Jan 1 1970 11:01:12 +11:00 cat3k_caa-wcm.SPA.10.0.100.0.pkg
85199 -rw- 1224 Sep 28 2013 14:19:19 +10:00 packages.conf
85196 -rw- 8916 Sep 26 2013 15:59:58 +10:00 vlan.dat
85195 -rw- 114 Jun 6 2013 08:31:45 +10:00 express_setup.debug
85194 -rw- 1224 Sep 25 2013 02:20:20 +10:00 packages.conf.00-
7750 -rw- 74369252 Sep 25 2013 02:20:16 +10:00 cat3k_caa-base.SPA.03.02.02.SE.pkg
7751 -rw- 5808828 Sep 25 2013 02:20:16 +10:00 cat3k_caa-drivers.SPA.03.02.02.SE.pkg
7752 -rw- 32488292 Sep 25 2013 02:20:16 +10:00 cat3k_caa-infra.SPA.03.02.02.SE.pkg
7753 -rw- 30403764 Sep 25 2013 02:20:16 +10:00 cat3k_caa-iosd-universalk9.SPA.150-1.EX2.pkg
7754 -rw- 16079584 Sep 25 2013 02:20:16 +10:00 cat3k_caa-platform.SPA.03.02.02.SE.pkg
7755 -rw- 64580300 Sep 25 2013 02:20:17 +10:00 cat3k_caa-wcm.SPA.10.0.111.0.pkg
85186 -rw- 223743040 Sep 28 2013 13:30:24 +10:00 cat3k_caa-universalk9.SPA.03.02.03.SE.150-1.EX3.bin
85198 -rw- 1218 Jan 1 1970 11:01:22 +11:00 packages.conf.01-
30979 -rw- 74369716 Sep 28 2013 14:19:15 +10:00 cat3k_caa-base.SPA.03.02.03.SE.pkg
30980 -rw- 5808828 Sep 28 2013 14:19:15 +10:00 cat3k_caa-drivers.SPA.03.02.03.SE.pkg
30981 -rw- 32496484 Sep 28 2013 14:19:15 +10:00 cat3k_caa-infra.SPA.03.02.03.SE.pkg
30982 -rw- 30418104 Sep 28 2013 14:19:15 +10:00 cat3k_caa-iosd-universalk9.SPA.150-1.EX3.pkg
30983 -rw- 16059104 Sep 28 2013 14:19:15 +10:00 cat3k_caa-platform.SPA.03.02.03.SE.pkg
30984 -rw- 64586444 Sep 28 2013 14:19:15 +10:00 cat3k_caa-wcm.SPA.10.0.120.0.pkg
1621966848 bytes total (723390464 bytes free)
3850-1#software clean
Preparing clean operation ...
[1 2]: Cleaning up unnecessary package files
[1 2]: No path specified, will use booted path flash:packages.conf
[1 2]: Cleaning flash:
[1]: Preparing packages list to delete ...
cat3k_caa-base.SPA.03.02.03.SE.pkg File is in use, will not delete.
cat3k_caa-drivers.SPA.03.02.03.SE.pkg File is in use, will not delete.
cat3k_caa-infra.SPA.03.02.03.SE.pkg File is in use, will not delete.
cat3k_caa-iosd-universalk9.SPA.150-1.EX3.pkg File is in use, will not delete.
cat3k_caa-platform.SPA.03.02.03.SE.pkg File is in use, will not delete.
cat3k_caa-wcm.SPA.10.0.120.0.pkg File is in use, will not delete.
packages.conf File is in use, will not delete.
[2]: Preparing packages list to delete ...
cat3k_caa-base.SPA.03.02.03.SE.pkg File is in use, will not delete.
cat3k_caa-drivers.SPA.03.02.03.SE.pkg File is in use, will not delete.
cat3k_caa-infra.SPA.03.02.03.SE.pkg File is in use, will not delete.
cat3k_caa-iosd-universalk9.SPA.150-1.EX3.pkg File is in use, will not delete.
cat3k_caa-platform.SPA.03.02.03.SE.pkg File is in use, will not delete.
cat3k_caa-wcm.SPA.10.0.120.0.pkg File is in use, will not delete.
packages.conf File is in use, will not delete.
[1]: Files that will be deleted:
cat3k_caa-base.SPA.03.02.00SE.pkg
cat3k_caa-base.SPA.03.02.02.SE.pkg
cat3k_caa-drivers.SPA.03.02.00.SE.pkg
cat3k_caa-drivers.SPA.03.02.02.SE.pkg
cat3k_caa-infra.SPA.03.02.00SE.pkg
cat3k_caa-infra.SPA.03.02.02.SE.pkg
cat3k_caa-iosd-universalk9.SPA.150-1.EX.pkg
cat3k_caa-iosd-universalk9.SPA.150-1.EX2.pkg
cat3k_caa-platform.SPA.03.02.00.SE.pkg
cat3k_caa-platform.SPA.03.02.02.SE.pkg
cat3k_caa-universalk9.SPA.03.02.03.SE.150-1.EX3.bin
cat3k_caa-wcm.SPA.10.0.100.0.pkg
cat3k_caa-wcm.SPA.10.0.111.0.pkg
packages.conf.00-
packages.conf.01-
[2]: Files that will be deleted:
cat3k_caa-base.SPA.03.02.00SE.pkg
cat3k_caa-base.SPA.03.02.02.SE.pkg
cat3k_caa-drivers.SPA.03.02.00.SE.pkg
cat3k_caa-drivers.SPA.03.02.02.SE.pkg
cat3k_caa-infra.SPA.03.02.00SE.pkg
cat3k_caa-infra.SPA.03.02.02.SE.pkg
cat3k_caa-iosd-universalk9.SPA.150-1.EX.pkg
cat3k_caa-iosd-universalk9.SPA.150-1.EX2.pkg
cat3k_caa-platform.SPA.03.02.00.SE.pkg
cat3k_caa-platform.SPA.03.02.02.SE.pkg
cat3k_caa-universalk9.SPA.03.02.03.SE.150-1.EX3.bin
cat3k_caa-wcm.SPA.10.0.100.0.pkg
cat3k_caa-wcm.SPA.10.0.111.0.pkg
packages.conf.00-
packages.conf.01-
[1 2]: Do you want to proceed with the deletion? [yes/no]: yes
[1 2]: Clean up completed
3850-1#dir
Directory of flash:/
85193 -rw- 2097152 Sep 28 2013 14:28:26 +10:00 nvram_config
85199 -rw- 1224 Sep 28 2013 14:19:19 +10:00 packages.conf
85196 -rw- 8916 Sep 26 2013 15:59:58 +10:00 vlan.dat
85195 -rw- 114 Jun 6 2013 08:31:45 +10:00 express_setup.debug
30979 -rw- 74369716 Sep 28 2013 14:19:15 +10:00 cat3k_caa-base.SPA.03.02.03.SE.pkg
30980 -rw- 5808828 Sep 28 2013 14:19:15 +10:00 cat3k_caa-drivers.SPA.03.02.03.SE.pkg
30981 -rw- 32496484 Sep 28 2013 14:19:15 +10:00 cat3k_caa-infra.SPA.03.02.03.SE.pkg
30982 -rw- 30418104 Sep 28 2013 14:19:15 +10:00 cat3k_caa-iosd-universalk9.SPA.150-1.EX3.pkg
30983 -rw- 16059104 Sep 28 2013 14:19:15 +10:00 cat3k_caa-platform.SPA.03.02.03.SE.pkg
30984 -rw- 64586444 Sep 28 2013 14:19:15 +10:00 cat3k_caa-wcm.SPA.10.0.120.0.pkg
1621966848 bytes total (1393401856 bytes free)
You can verify that each member of the switch stack is running the upgraded image.
3850-1#sh ver | be SW
Switch Ports Model        SW Version  SW Image              Mode
------ ----- -----        ----------  ----------            ----
1      56    WS-C3850-48P 03.02.03.SE cat3k_caa-universalk9 INSTALL
2      56    WS-C3850-48P 03.02.03.SE cat3k_caa-universalk9 INSTALL
You can verify the boot configuration of your switch using the “show boot” CLI command. As you can see, the “packages.conf” file is the boot loading file used in the booting process. If this file does not exist or is corrupted, the switch will go into ROMMON mode.
3850-1#sh boot
---------------------------
Switch 1
---------------------------
Current Boot Variables:
BOOT variable = flash:packages.conf;
Boot Variables on next reload:
BOOT variable = flash:packages.conf;
Manual Boot = no
Enable Break = no
You can access the wireless controller GUI using the https://<switch-ipaddress>/wireless URL.
It has a different look & feel compared to CUWN controllers (5508, 2504, etc.). Let’s see how we can configure the wireless controller config on this switch. First of all you need to ensure you have the correct license to start with.
3850-1#show license right-to-use ?
default Displays the default license information.
detail Displays details of all the licenses in the stack.
eula Displays the EULA text.
mismatch Displays mismatch license information.
slot Specify switch number
summary Displays consolidated stack wide license information.
usage Displays the usage details of all licenses.
| Output modifiers
<cr>
3850-1#show license right-to-use summary
License Name  Type       Count  Period left
-----------------------------------------------
lanbase       permanent  N/A    Lifetime
apcount       base       0      Lifetime
apcount       adder      0      Lifetime
--------------------------------------------
License Level In Use: ipbase
License Level on Reboot: ipbase
Evaluation AP-Count: Disabled
Total AP Count Licenses: 0
AP Count Licenses In-use: 0
AP Count Licenses Remaining: 0
In the Converged Access architecture, a 3850 can act as a Mobility Agent (MA) or a Mobility Controller (MC). By default it is an MA. Normally the AP licence should be on an MC, where the CAPWAP tunnels from the APs get terminated. In this case we have only the 3850 switch for everything (MC & MA), so you have to install the AP licence onto this switch. Remember that a maximum of 50 APs can be supported by a 3850 switch stack. In our case we will configure 25 licences each for the first two members of the stack, with all APs terminated on these two switches (max 25 on each member).
3850-1#license right-to-use ?
activate activate particular license level
deactivate deactivate particular license level
3850-1#license right-to-use activate ?
apcount configure the AP-count licenses on the switch
ipbase activate ipbase license on the switch
ipservices activate Ipservices license on the switch
lanbase activate lanbase license on the switch
3850-1#license right-to-use activate apcount ?
<1-50> configure the number of adder licenses
evaluation activate evaluation license
3850-1#license right-to-use activate apcount 50 ?
slot Specify switch number
3850-1#license right-to-use activate apcount 50 slot ?
<1-9> Specify switch number
3850-1#license right-to-use activate apcount 50 slot 1 ?
acceptEULA automatically accept the EULA for the given license
<cr>
3850-1#license right-to-use activate apcount 50 slot 1 acceptEULA
3850-1#license right-to-use activate apcount 50 slot 2 acceptEULA
% switch-2:stack-mgr:ACTIVATION FAIL : Total AP Count Licenses exceed maximum limit
!
3850-1#license right-to-use deactivate apcount 25 slot 1
3850-1#license right-to-use activate apcount 25 slot 2 acceptEULA
You have to enable the MC functionality of 3850 by using the “wireless mobility controller” CLI command as shown below.
3850-1(config)#wireless mobility ?
controller Configures mobility controller settings
dscp Configures the Mobility inter controller DSCP value
group Configures the Mobility group parameters
load-balance Configure mobility load-balance status
multicast Configures the Multicast Mode for mobility messages
oracle Configures mobility oracle settings
3850-1(config)#wireless mobility controller ?
ip no description
peer-group Configures mobility peer groups
<cr>
3850-1(config)#wireless mobility controller
Now we are one step away from registering our AP. To register an AP you should nominate an interface as the wireless management interface. Remember that the switch port of every AP must be an access port in the same vlan you configured for wireless management, otherwise the AP won’t join. In our case we will use vlan 21 as the wireless management interface & configure the switch port connected to the AP in vlan 21.
interface Vlan21
 ip address 192.168.21.1 255.255.255.0
!
wireless management interface Vlan21
!
interface GigabitEthernet1/0/1
 switchport access vlan 21
 switchport mode access
 spanning-tree portfast
Now if you type “show ap summary” you should see your AP registered to your 3850 WLC.
3850-1#show ap summary
Number of APs: 1
Global AP User Name: Not configured
Global AP Dot1x User Name: Not configured
AP Name AP Model Ethernet MAC Radio MAC State
----------------------------------------------------------------------------------------
bc16.6516.790e 3602I bc16.6516.790e f41f.c298.c2a0 Registered
You can change any AP-specific configuration by using the “ap name <AP-NAME> x” CLI commands. The following are all the options available. We will change the name as an example.
5508-1#ap name bc16.6516.790e ?
ap-groupname Set groupname
bhrate Bridge Backhaul Tx Rate
bridgegroupname Set bridgegroupname
bridging Enable Ethernet-to-Ethernet bridging
capwap AP Capwap parameters
command Remote execute a command on Cisco AP
console-redirect Enable redirecting remote debug output of Cisco AP to console
core-dump Enable memory core dump on Cisco AP
country Configure the country of operation
crash-file Manage crash data and radio core files for Cisco AP
dot11 Configures 802.11 parameters
dot1x-user Enable the 802.1X credential for the current AP
ethernet Configure Ethernet Port of the AP
image Configure image
led Enable LED-state for Cisco AP
link-encryption Enable link encryption state on Cisco AP
link-latency Enable Link Latency on Cisco AP
location Configure AP location
mfp Enable Management Frame Protection
mgmtuser Configures user name, password and secret for AP management
mode Select AP mode of operation
monitor-mode Monitor-mode channel optimization
name Configure AP name
no Negate a command or set its defaults
power Configure Cisco Power over Ethernet (PoE) feature for AP
reset Reset AP
reset-button Disable or enable reset button on AP
shutdown Disable AP
slot Set slot number
sniff Enable sniffing on dot11a/b radio
ssh Enable SSH
static-ip Set Cisco AP static IP address configuration
stats-timer Set the frequency at which statistics are sent from AP
syslog Set the system logging settings for Cisco AP
tcp-adjust-mss TCP MSS configuration for an AP
telnet Enable telnet for Cisco AP
tftp-downgrade Initiate AP image downgrade from a TFTP server
5508-1#ap name bc16.6516.790e name L3600-1
5508-1#show ap summary
Number of APs: 1
Global AP User Name: Not configured
Global AP Dot1x User Name: Not configured
AP Name AP Model Ethernet MAC Radio MAC State
----------------------------------------------------------------------------------------
L3600-1 3602I bc16.6516.790e f41f.c298.c2a0 Registered
You can use “show ap name <AP_NAME> x” CLI commands to view specific AP configurations.
5508-1#show ap name L3600-1 ?
auto-rf Auto-RF information for a Cisco AP
bhmode Show Cisco Bridge Backhaul Mode
bhrate Show Cisco Bridge Backhaul Rate
cac Display Call Admission Control details
capwap AP Capwap parameters
ccx Shows ccx related information
cdp Shows Cisco AP cdp information
channel Shows the channel information of an Cisco AP
config Shows the configuration of an Cisco AP
core-dump Shows the AP memory core dump setting for an Cisco AP
data-plane Show data plane status
dot11 Show 802.11 parameters
ethernet Shows ethernet information
eventlog Downloads and displays the event log of a Cisco AP
image Shows the images present on a Cisco AP
inventory Displays the inventory of a Cisco AP
link-encryption Show link encryption status
service-policy Show service policy information
tcp-adjust-mss Show tcp-adjust-mss for an AP
wlan Show BSSIDs for each AP
5508-1#show ap name L3600-1 config general
Cisco AP Name : L3600-1
Cisco AP Identifier : 3
Country Code : AU - Australia
Regulatory Domain Allowed by Country : 802.11bg:-A 802.11a:-N
AP Country Code : AU - Australia
AP Regulatory Domain : Unconfigured
Switch Port Number : Gi1/0/1
MAC Address : bc16.6516.790e
IP Address Configuration : DHCP
IP Address : 192.168.21.53
IP Netmask : 255.255.255.0
Gateway IP Address : 192.168.21.254
CAPWAP Path MTU : 1500
Telnet State : Disabled
SSH State : Disabled
Cisco AP Location : default location
Cisco AP Group Name : default-group
Administrative State : Enabled
Operation State : Registered
AP Mode : Local
AP Submode : Not Configured
Remote AP Debug : Disabled
Logging Trap Severity Level : informational
Software Version : 10.0.101.0
Boot Version : 15.2.2.4
Stats Reporting Period : 180
LED State : Enabled
PoE Pre-Standard Switch : Disabled
PoE Power Injector MAC Address : Disabled
Power Type/Mode : Power Injector/Normal Mode
Number of Slots : 2
AP Model : 3602I
AP Image : C3600-K9W8-M
IOS Version : 15.2(2)JN$
Reset Button : Enabled
AP Serial Number : FGL1721X3K5
AP Certificate Type : Manufacture Installed
Management Frame Protection Validation : Disabled
AP User Mode : Automatic
AP User Name : Not Configured
AP 802.1X User Mode : Not Configured
AP 802.1X User Name : Not Configured
Cisco AP System Logging Host : 255.255.255.255
AP Up Time : 3 days 20 hours 14 minutes 26 seconds
AP CAPWAP Up Time : 3 days 20 hours 12 minutes 57 seconds
Join Date and Time : 09/24/2013 19:01:11
If you want to configure global settings for all APs, you have to go into configuration mode & then use the “ap x” CLI command as shown below. We will change the country code as an example. You can add up to 20 country codes if you have APs in multiple countries.
3850-1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
3850-1(config)#ap ?
auth-list Configure Access Point authorization list
bridging Enable/Disable Ethernet-to-Ethernet bridging on all Cisco APs
capwap ap capwap parameters
cdp Enable/Disable CDP for all Cisco APs
core-dump Enable/Disable memory core dump on all Cisco APs
country Configure the country of operation
dot11 Configures 802.11 parameters
dot1x Configure the 802.1X credential for all APs
ethernet Configure Ethernet Port on all Cisco APs
group Manage AP Groups VLAN feature
led Enable/Disable LED-state for all Cisco APs
link-encryption Enable link encryption state on all Cisco AP's
link-latency Enable Link Latency on all Cisco AP's
mgmtuser Configure the user for AP management
power Configure Cisco Power over Ethernet (PoE) feature for all AP's
reporting-period Configure AP rogue/error reporting period
reset-button Enable/Disable reset button for all Cisco APs
static-ip Set Cisco AP static IP address configuration
syslog Configure the system logging settings for Cisco AP
tcp-adjust-mss Enable/Disable TCP MSS configuration for all Cisco APs
tftp-downgrade Initiate AP image downgrade from a TFTP server for all Cisco APs
3850-1(config)#ap country ?
WORD Enter the country code (e.g. US,MX,IN) upto a maximum of 20 countries
3850-1(config)#ap country AU
Changing country code could reset channel and RRM grouping configuration.
If running in RRM One-Time mode, reassign channels after this command.
Check customized APs for valid channel values after this command.
Are you sure you want to continue? (y/n)[y]: y
3850-1(config)#
Next we will configure a WLAN.
5508-1(config)#wlan ?
WORD Enter Profile Name up to 32 alphanumeric characters
shutdown Enable/disable all WLANs
5508-1(config)#wlan MRN-CCIEW ?
<1-64> Create WLAN Identifier
<cr>
5508-1(config)#wlan MRN-CCIEW 1 ?
WORD Enter SSID (Network Name) up to 32 alphanumeric characters
<cr>
5508-1(config)#wlan MRN-CCIEW 1 MRN-CCIEW
5508-1(config-wlan)#no shutdown
You can verify the WLAN configuration in your “show running-config all” output.
5508-1#show running-config all | section wlan
wlan MRN-CCIEW 1 MRN-CCIEW
 accounting-list
 channel-scan defer-time 100
 client association limit 0
 client vlan default
 dtim dot11 24ghz 1
 dtim dot11 5ghz 1
 exclusionlist timeout 60
 ip access-group web none
 ip access-group none
 ip dhcp server 0.0.0.0
 ipv6 traffic-filter web none
 ipv6 traffic-filter none
 mac-filtering
 radio all
 security dot1x authentication-list
 security dot1x encryption 104
 security static-wep-key authentication open
 security tkip hold-down 60
 security web-auth authentication-list
 security web-auth parameter-map
 service-policy client input unknown
 service-policy client output unknown
 service-policy input unknown
 service-policy output unknown
 session-timeout 1800
 no shutdown
You can configure any WLAN-specific settings as shown below. You have to shut down the WLAN before making any changes.
5508-1(config)#wlan MRN-CCIEW 1 MRN-CCIEW
5508-1(config-wlan)#?
aaa-override AAA policy override
accounting-list Set the accounting list for IEEE 802.1x
band-select Allow|Disallow Band Select on a WLAN.
broadcast-ssid Set broadcast SSID on a WLAN
call-snoop Call Snooping support
ccx Configure Cisco Client Extension options
channel-scan Configures off channel scanning deferral parameters
chd Set CHD per WLAN
client WLAN configuration for clients
datalink WLAN Datalink commands
default Set a command to its defaults
diag-channel Set Diagnostics Channel Capability on a WLAN
dtim Set the DTIM period for the WLAN
exclusionlist Set exclusion-listing on WLAN
exit Exit sub-mode
ip WLAN IP configuration commands
ipv6 IPv6 WLAN subcommands
load-balance Allow|Disallow Load Balance on a WLAN.
local-auth Set the EAP Profile on a WLAN
mac-filtering Set MAC filtering support on WLAN
media-stream Configures media stream
mfp Configures Management Frame Protection
mobility Configure mobility
nac Configures Radius NAC support(Identity Service Engine).
no Negate a command or set its defaults
passive-client Configures passive client feature
peer-blocking Configure peer-to-peer blocking on a WLAN
radio Configures the Radio Policy
roamed-voice-client Configure Roaming Attrbutes for Voice Clients
security Configures the security policy for a WLAN
service-policy Configure WLAN QOS Service Policy
session-timeout Configures client timeout
shutdown Disable WLAN
sip-cac Configure Wlan Sip-Cac attributes
static-ip Configures static IP client tunneling support on a WLAN.
uapsd Configure WMM UAPSD attributes for Wlan
wgb Configures WGB support on the WLAN
wmm Configures WMM (WME)
5508-1(config-wlan)#client vlan 51
% switch-1:wcm:Request failed - WLAN in the enabled state.
5508-1(config-wlan)#shut
5508-1(config-wlan)#client vlan 51
5508-1(config-wlan)#radio ?
all Enable all available radios
dot11a Enable 802.11a radio only
dot11ag Enable 802.11 a and g radios
dot11bg Enable 802.11b and g radios
dot11g Enable 802.11g radio only
5508-1(config-wlan)#radio dot11a
5508-1(config-wlan)#wmm ?
allowed Allows WMM on the WLAN
require Requires WMM enabled clients on the WLAN
5508-1(config-wlan)#wmm require
5508-1(config-wlan)#ip ?
access-group Specify WLAN ACL
dhcp Configure DHCP parameters for WLAN
flow Flexible Netflow commands
multicast Configure multicast
verify verify
5508-1(config-wlan)#ip dhcp ?
opt82 Set DHCP option 82 for wireless clients on this WLAN
required Specify whether DHCP address assignment is required
server Configures the WLAN's IPv4 DHCP Server
5508-1(config-wlan)#ip dhcp server 192.168.51.1
5508-1(config-wlan)#no shut
You can verify the WLAN settings using the “show wlan id <WLAN_ID>” CLI command as shown below.
5508-1#show wlan id 1
WLAN Profile Name : MRN-CCIEW
================================================
Identifier : 1
Network Name (SSID) : MRN-CCIEW
Status : Enabled
Broadcast SSID : Enabled
Maximum number of Associated Clients : 0
AAA Policy Override : Disabled
Network Admission Control
NAC-State : Disabled
Number of Active Clients : 0
Exclusionlist Timeout : 60
Session Timeout : 1800 seconds
CHD per WLAN : Enabled
Webauth DHCP exclusion : Disabled
Interface : 51
Interface Status : Unconfigured
Multicast Interface : Unconfigured
WLAN IPv4 ACL : unconfigured
WLAN IPv6 ACL : unconfigured
DHCP Server : 192.168.51.1
DHCP Address Assignment Required : Disabled
DHCP Option 82 : Disabled
DHCP Option 82 Format : ap-mac
DHCP Option 82 Ascii Mode : Disabled
DHCP Option 82 Rid Mode : Disabled
QoS Service Policy - Input
Policy Name : unknown
Policy State : None
QoS Service Policy - Output
Policy Name : unknown
Policy State : None
QoS Client Service Policy
Input Policy Name : unknown
Output Policy Name : unknown
WMM : Required
Channel Scan Defer Priority:
Priority (default) : 4
Priority (default) : 5
Priority (default) : 6
Scan Defer Time (msecs) : 100
Media Stream Multicast-direct : Disabled
CCX - AironetIe Support : Enabled
CCX - Gratuitous ProbeResponse (GPR) : Disabled
CCX - Diagnostics Channel Capability : Disabled
Dot11-Phone Mode (7920) : Invalid
Wired Protocol : None
Peer-to-Peer Blocking Action : Disabled
Radio Policy : 802.11a only
DTIM period for 802.11a radio : 1
DTIM period for 802.11b radio : 1
Local EAP Authentication : Disabled
Mac Filter Authorization list name : Disabled
Accounting list name : Disabled
802.1x authentication list name : Disabled
Security
802.11 Authentication : Open System
Static WEP Keys : Disabled
802.1X : Disabled
Wi-Fi Protected Access (WPA/WPA2) : Enabled
WPA (SSN IE) : Disabled
WPA2 (RSN IE) : Enabled
TKIP Cipher : Disabled
AES Cipher : Enabled
Auth Key Management
802.1x : Enabled
PSK : Disabled
CCKM : Disabled
CKIP : Disabled
IP Security : Disabled
IP Security Passthru : Disabled
L2TP : Disabled
Web Based Authentication : Disabled
Conditional Web Redirect : Disabled
Splash-Page Web Redirect : Disabled
Auto Anchor : Disabled
Sticky Anchoring : Enabled
Cranite Passthru : Disabled
Fortress Passthru : Disabled
PPTP : Disabled
Infrastructure MFP protection : Enabled
Client MFP : Optional
Webauth On-mac-filter Failure : Disabled
Webauth Authentication List Name : Disabled
Webauth Parameter Map : Disabled
Tkip MIC Countermeasure Hold-down Timer : 60
Call Snooping : Disabled
Passive Client : Disabled
Non Cisco WGB : Disabled
Band Select : Disabled
Load Balancing : Disabled
IP Source Guard : Disabled
By default, the WLAN is configured with WPA2/AES. So if you want to check basic client connectivity, you can disable it. Then you should be able to connect your wireless client to this new SSID.
In a separate post we will see how to configure different security methods for a given SSID.
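A check for the connectivity test described above, as an added example (not code from the original post): a Python parser for “show wlan id” output that flags a WLAN left open after WPA2 was disabled, and the default WLAN whose 802.1x key management has no authentication list. Both sample outputs are constructed from the fields shown in this post, the shape of the output with WPA disabled is an assumption, and the function names are hypothetical.

```python
import re

# A "Key : Value" line of "show wlan id"; any other line containing letters is a section header.
FIELD = re.compile(r"^\s*(?P<key>\S.*?)\s+:\s+(?P<value>\S.*?)\s*$")
AKM = "Auth Key Management"

def parse_show_wlan(text):
    """Return (section, key, value) tuples in output order."""
    rows, section = [], ""
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            rows.append((section, m.group("key"), m.group("value")))
        elif re.search(r"[A-Za-z]", line):
            section = line.strip().rstrip(":")
    return rows

def get(rows, key, section=None):
    """First value for key (case-sensitive), optionally restricted to one section."""
    for sec, k, v in rows:
        if k == key and section in (None, sec):
            return v
    return None

def audit_wlan(text):
    """Return (ssid, [(severity, message), ...]) for one WLAN."""
    rows = parse_show_wlan(text)

    def on(key, section=None):
        return get(rows, key, section) == "Enabled"

    findings = []
    if on("Static WEP Keys"):
        findings.append(("HIGH", "static WEP keys are enabled"))
    if not on("Wi-Fi Protected Access (WPA/WPA2)"):
        # Without WPA/WPA2 only legacy 802.1X (dynamic WEP) or static WEP protect the air link.
        if not (on("802.1X") or on("Static WEP Keys")):
            state = "and enabled" if get(rows, "Status") == "Enabled" else "but shut down"
            findings.append(("HIGH", "open WLAN, no layer-2 encryption, " + state))
    else:
        if on("WPA (SSN IE)") or on("TKIP Cipher"):
            findings.append(("MEDIUM", "WPA1 or TKIP is still allowed"))
        if not on("AES Cipher"):
            findings.append(("MEDIUM", "AES cipher is not enabled"))
        no_list = get(rows, "802.1x authentication list name") == "Disabled"
        if on("802.1x", AKM) and no_list and not on("Local EAP Authentication"):
            findings.append(("INFO", "802.1x key management without an authentication list"))
        if not (on("802.1x", AKM) or on("PSK", AKM) or on("CCKM", AKM)):
            findings.append(("HIGH", "WPA enabled but no key management method"))
    return get(rows, "Network Name (SSID)"), findings

# Constructed sample: the security-related lines of the post's "show wlan id 1" output.
DEFAULT_WLAN = """\
WLAN Profile Name : MRN-CCIEW
Network Name (SSID) : MRN-CCIEW
Status : Enabled
Local EAP Authentication : Disabled
802.1x authentication list name : Disabled
Security
802.11 Authentication : Open System
Static WEP Keys : Disabled
802.1X : Disabled
Wi-Fi Protected Access (WPA/WPA2) : Enabled
WPA (SSN IE) : Disabled
WPA2 (RSN IE) : Enabled
TKIP Cipher : Disabled
AES Cipher : Enabled
Auth Key Management
802.1x : Enabled
PSK : Disabled
CCKM : Disabled
Web Based Authentication : Disabled
"""

# Constructed sample (assumed output shape): the same WLAN after WPA2 was turned off for a test.
OPEN_WLAN = """\
Network Name (SSID) : MRN-CCIEW
Status : Enabled
Security
802.11 Authentication : Open System
Static WEP Keys : Disabled
802.1X : Disabled
Wi-Fi Protected Access (WPA/WPA2) : Disabled
Web Based Authentication : Disabled
"""

if __name__ == "__main__":
    for sample in (DEFAULT_WLAN, OPEN_WLAN):
        ssid, findings = audit_wlan(sample)
        print(ssid, findings or "no findings")
```

Run it over saved “show wlan id” output for each WLAN after lab testing, so a test SSID left without encryption is caught before APs in production vlans broadcast it.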
