rms.koenig-solutions.com/.../QMS/824-2019108374-802.1… · Web view

Post on 03-Jul-2020

0 views

Category:

Documents


0 download

TRANSCRIPT


802.11 Association process explained


Access points are bridges: they bridge traffic between mobile stations and the other devices on the network. Before a mobile station can send traffic through an AP, it must be in the appropriate connection state. The three 802.11 connection states are:

1. Not authenticated and not associated.
2. Authenticated but not yet associated.
3. Authenticated and associated.

A mobile station must be authenticated and associated before the AP will bridge its traffic. The mobile station and the AP exchange a series of 802.11 management frames to reach the authenticated and associated state.

 


A mobile station starts out as not authenticated and not associated.

1. The mobile station sends probe requests to discover 802.11 networks within its proximity. Probe requests advertise the mobile station's supported data rates and 802.11 capabilities such as 802.11n. Because the probe request is sent to the broadcast destination address and BSSID ff:ff:ff:ff:ff:ff, every AP that receives it will respond.

2. APs receiving the probe request check whether the mobile station shares at least one supported data rate with them. If the data rates are compatible, a probe response is sent advertising the SSID (wireless network name), supported data rates, encryption types if required, and the other 802.11 capabilities of the AP.

The mobile station chooses compatible networks from the probe responses it receives. Compatibility may be decided on encryption type, for example. Once compatible networks are discovered, the mobile station attempts low-level 802.11 authentication with the compatible APs. Keep in mind that 802.11 authentication is not the same as the WPA2 or 802.1X authentication mechanisms, which occur after a mobile station is authenticated and associated. Originally the 802.11 authentication frames were designed for WEP shared-key authentication; that scheme has been shown to be insecure and is deprecated. As a result, 802.11 authentication frames are Open System and almost always succeed. (One caveat: WPA3's SAE exchange also rides in 802.11 authentication frames, so on a WPA3 network this step is no longer a formality.)

3. The mobile station sends a low-level 802.11 authentication frame to an AP with the authentication algorithm set to Open and the sequence number set to 0x0001.

4. The AP receives the authentication frame and responds to the mobile station with an authentication frame, algorithm Open, sequence number 0x0002.

If an AP receives any frame other than an authentication or probe request from a mobile station that is not authenticated, it responds with a deauthentication frame, placing the station in the unauthenticated and unassociated state. The station then has to restart the process from the low-level authentication step.

At this point the mobile station is authenticated but not yet associated. Some 802.11 capabilities allow a mobile station to low-level authenticate to multiple APs, which speeds up the association process when moving between APs. A mobile station can be 802.11-authenticated to multiple APs, but it can only be associated with, and transferring data through, a single AP at a time.

5. Once the mobile station has determined which AP it wants to associate with, it sends an association request to that AP. The association request contains the chosen encryption types, if required, and the other compatible 802.11 capabilities.

If an AP receives a frame that requires association (a data frame, for example) from a mobile station that is authenticated but not yet associated, it responds with a disassociation frame, leaving the station in the authenticated but unassociated state.

6. If the elements in the association request match the capabilities of the AP, the AP creates an Association ID (AID) for the mobile station and responds with an association response carrying a success status, granting the station network access.

7. The mobile station is now associated with the AP and data transfer can begin.


Note: If WPA/WPA2 or 802.1X authentication is required on the wireless network, the mobile station will not be able to send data until dynamic keying and authentication have taken place after the 802.11 Association is com
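The state rules in steps 1 to 7, as an added example (this is not code from the original article): a small AP-side model in Python that tracks each station through the three connection states and answers out-of-state frames the way the text describes, with a deauthentication for a frame from an unauthenticated station and a disassociation for a data frame from a station that is authenticated but not yet associated. The Frame fields and the example_session() walk-through are constructed for this illustration; the subtype, status and reason codes are the IEEE 802.11 values.

```python
from dataclasses import dataclass, field
from enum import Enum

# Management frame subtypes (802.11 frame control "subtype" field)
ASSOC_REQ, ASSOC_RESP, PROBE_REQ, PROBE_RESP = 0x0, 0x1, 0x4, 0x5
DISASSOC, AUTH, DEAUTH = 0xA, 0xB, 0xC
DATA = "data"  # marker for a class-3 data frame; not a management subtype

AUTH_OPEN_SYSTEM = 0
STATUS_SUCCESS, STATUS_BAD_AUTH_ALG, STATUS_BAD_AUTH_SEQ, STATUS_BAD_RATES = 0, 13, 14, 18
REASON_CLASS2_FROM_NONAUTH = 6   # class 2 frame received from a non-authenticated STA
REASON_CLASS3_FROM_NONASSOC = 7  # class 3 frame received from a non-associated STA


class State(Enum):
    UNAUTH_UNASSOC = 1
    AUTH_UNASSOC = 2
    AUTH_ASSOC = 3


@dataclass
class Frame:
    subtype: object
    src: str
    rates: frozenset = frozenset()  # supported rates in Mb/s
    auth_alg: int = AUTH_OPEN_SYSTEM
    auth_seq: int = 0
    status: int = STATUS_SUCCESS
    reason: int = 0
    aid: int = 0


@dataclass
class AccessPoint:
    bssid: str
    basic_rates: frozenset  # rates every station must support to associate
    states: dict = field(default_factory=dict)
    aids: dict = field(default_factory=dict)
    bridged: list = field(default_factory=list)

    def state_of(self, mac):
        return self.states.get(mac, State.UNAUTH_UNASSOC)

    def _next_aid(self):
        used = set(self.aids.values())  # AIDs run 1..2007
        return next(a for a in range(1, 2008) if a not in used)

    def handle(self, f):
        """Process one received frame; return the frames the AP sends in reply."""
        st = self.state_of(f.src)
        if f.subtype == PROBE_REQ:  # class 1: allowed in any state (steps 1-2)
            return [Frame(PROBE_RESP, self.bssid, self.basic_rates)] if f.rates & self.basic_rates else []
        if f.subtype == AUTH:  # class 1: open system, seq 1 in, seq 2 out (steps 3-4)
            if f.auth_alg != AUTH_OPEN_SYSTEM:
                return [Frame(AUTH, self.bssid, auth_seq=2, status=STATUS_BAD_AUTH_ALG)]
            if f.auth_seq != 1:
                return [Frame(AUTH, self.bssid, auth_seq=2, status=STATUS_BAD_AUTH_SEQ)]
            if st == State.UNAUTH_UNASSOC:
                self.states[f.src] = State.AUTH_UNASSOC
            return [Frame(AUTH, self.bssid, auth_seq=2, status=STATUS_SUCCESS)]
        if f.subtype == DEAUTH:  # station leaves: back to state 1
            self.states.pop(f.src, None)
            self.aids.pop(f.src, None)
            return []
        if st == State.UNAUTH_UNASSOC:  # any class 2/3 frame before authentication
            return [Frame(DEAUTH, self.bssid, reason=REASON_CLASS2_FROM_NONAUTH)]
        if f.subtype == ASSOC_REQ:  # class 2 (steps 5-6)
            if not self.basic_rates <= f.rates:
                return [Frame(ASSOC_RESP, self.bssid, status=STATUS_BAD_RATES)]
            aid = self.aids.get(f.src) or self._next_aid()
            self.aids[f.src] = aid
            self.states[f.src] = State.AUTH_ASSOC
            return [Frame(ASSOC_RESP, self.bssid, status=STATUS_SUCCESS, aid=aid)]
        if f.subtype == DISASSOC:  # back to state 2; authentication is kept
            self.aids.pop(f.src, None)
            self.states[f.src] = State.AUTH_UNASSOC
            return []
        if st == State.AUTH_UNASSOC:  # class 3 (data) before association
            return [Frame(DISASSOC, self.bssid, reason=REASON_CLASS3_FROM_NONASSOC)]
        self.bridged.append(f)  # state 3: the frame is bridged (step 7)
        return []


def example_session():
    """Constructed walk-through of one station joining; returns the AP and a trace."""
    ap = AccessPoint("00:11:22:33:44:55", frozenset({6, 12, 24}))
    sta, rates, trace = "02:00:00:00:00:01", frozenset({6, 12, 24, 36}), []
    for name, frame in [("probe", Frame(PROBE_REQ, sta, rates)),
                        ("data-before-auth", Frame(DATA, sta)),
                        ("auth", Frame(AUTH, sta, auth_seq=1)),
                        ("data-before-assoc", Frame(DATA, sta)),
                        ("assoc", Frame(ASSOC_REQ, sta, rates)),
                        ("data", Frame(DATA, sta))]:
        replies = ap.handle(frame)
        trace.append((name, ap.state_of(sta), [r.subtype for r in replies]))
    return ap, trace


if __name__ == "__main__":
    for name, state, replies in example_session()[1]:
        print(f"{name:18} -> {state.name:15} replies={replies}")
```

The walk-through sends a data frame at each stage on purpose: before authentication it draws a deauthentication (reason 6), after authentication but before association it draws a disassociation (reason 7), and only after the association response with AID 1 does the AP bridge it. Note that nothing in this model stops a station that merely spoofs the source address of an associated client, which is exactly why the real protection for the data path is the WPA2/802.1X keying that the note above says must follow association.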

AP Registration

Sunday 17 MAR 2013

POSTED BY NAYARASI IN AP REGISTRATION

Tags: Cisco AP Registration

AP registration to a WLC has two parts: the discovery phase and the join phase.

Usually discovery requests are handled by the management interface of a WLC and join requests by the AP-manager interface. On the 5508 only the management interface exists, and it acts as the AP-manager interface for join requests. These are the steps an AP goes through to register with a WLC.

Step 1. The AP begins the WLC discovery and join phase by sending CAPWAP discovery request messages to the WLC.

Step 2. Any WLC receiving the CAPWAP discovery request responds with a CAPWAP discovery response message.

Step 3. From the CAPWAP responses received from WLCs, the AP selects a WLC to join.

Step 4. The AP sends a CAPWAP join request to that WLC and expects a CAPWAP join response.

Step 5. The WLC validates the AP and then sends a CAPWAP join response to the AP. The AP validates the WLC to complete the discovery and join process. The validation on both the AP and the WLC is a mutual authentication mechanism (certificate-based, carried inside the DTLS handshake). An encryption key derivation process follows, which ensures that subsequent CAPWAP control messages are encrypted.

The first challenge is to find where to send the CAPWAP discovery messages. The AP goes through a hunt process to find a WLC. Here are the different methods an AP can use; the order is not important.

1. The AP issues a DHCP discover request to get an IP address, unless it has a previously configured static IP.
2. The AP sends a Layer 3 local broadcast (255.255.255.255) message to find a WLC.
3. DHCP Option 43 in the DHCP offer message.
4. DNS: the AP tries to resolve CISCO-CAPWAP-CONTROLLER.local-domain or CISCO-LWAPP-CONTROLLER.local-domain to find the IP of a WLC.
5. Previously known WLC IPs: the AP remembers up to 24 previously learned WLC IP addresses and sends discovery requests to them.
6. Statically configured from the WLC.
7. Statically configured from the AP CLI.

Note that broadcast, DNS and DHCP discovery all trust whatever answers on the network; it is the certificate check in the join phase that keeps an AP from joining a controller it should not, so that check must stay enabled.

To see the AP registration process in detail, we remove the CAPWAP AP configuration so that any previously known WLC IP is forgotten. You can do this as follows via the AP CLI.

LWAP-02#debug capwap console cli
This command is meant only for debugging/troubleshooting
Any configuration change may result in different
behavior from centralized configuration.
CAPWAP console CLI allow/disallow debugging is on

LWAP-02#erase /all nvram:
Erasing the nvram filesystem will remove all files! Continue? [confirm]
[OK]
Erase of nvram: complete
LWAP-02#reload
Proceed with reload? [confirm]
Writing out the event log to nvram..

Once rebooted it complains about having no IP address; without an IP the AP cannot do anything to register with a WLC.

AP5475.d0dd.a488>

Page 5: rms.koenig-solutions.comrms.koenig-solutions.com/.../QMS/824-2019108374-802.1…  · Web view802.11 Association process explained. Table of contents. No headers. Access points are

*Mar  1 00:00:32.955: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up

*Mar  1 00:00:32.983: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up

*Mar  1 00:00:33.935: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up

*Mar  1 00:00:33.935: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 255.255.255.255 started - CLI initiated

*Mar  1 00:00:33.963: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up

*Mar  1 00:00:38.719: %CAPWAP-3-ERRORLOG: Not sending discovery request AP does not have an Ip !!
*Mar  1 00:00:48.719: %CAPWAP-3-ERRORLOG: Not sending discovery request AP does not have an Ip !!

Let's configure a static IP and look at the console output (remember that I have not configured the switch port for any access VLAN yet). Since these APs run the lightweight image, they cannot be configured like a normal IOS AP; the commands are:

capwap ap ip address 10.10.113.5 255.255.255.0
capwap ap ip default-gateway 10.10.113.1
capwap ap controller ip address 10.10.111.10

Since I have not configured the switch port for VLAN 113, the AP still cannot reach its gateway. It then gives up on the static address, falls back to DHCP and reboots to learn an IP again.

AP5475.d0dd.a488#

*Mar  1 00:11:09.499: %CAPWAP-3-STATIC_TO_DHCP_IP: Could not discover WLC using static IP. Forcing AP to use DHCP.

Now we configure the switch port (fa1/0/12) as an access port in VLAN 113. This time you can see that the AP completes the discovery and join process, because it can reach the WLC. Note that since I have a 4402 WLC, it has an AP-manager interface with its own IP (10.10.111.11), which responds to the join request (see below).

Press RETURN to get started!

Translating "CISCO-CAPWAP-CONTROLLER"...domain server (255.255.255.255)

*Mar  1 00:00:31.107: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*Mar  1 00:00:32.923:  status of voice_diag_test from WLC is false
*Mar  1 00:00:32.951: %SSH-5-ENABLED: SSH 2.0 has been enabled
*Mar  1 00:00:32.971: Logging LWAPP message to 255.255.255.255.
*Mar  1 00:00:34.747: %CDP_PD-4-POWER_OK: 15.4 W power - NEGOTIATED inline power source
*Mar  1 00:00:34.775: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up
*Mar  1 00:00:34.803: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up

Page 6: rms.koenig-solutions.comrms.koenig-solutions.com/.../QMS/824-2019108374-802.1…  · Web view802.11 Association process explained. Table of contents. No headers. Access points are

*Mar  1 00:00:35.755: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
*Mar  1 00:00:35.755: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 255.255.255.255 started - CLI initiated
*Mar  1 00:00:35.783: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
Translating "CISCO-LWAPP-CONTROLLER"...domain server (255.255.255.255)
Translating "CISCO-CAPWAP-CONTROLLER"...domain server (255.255.255.255)
*Mar 17 08:50:18.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.10.111.11 peer_port: 5246
*Mar 17 08:50:18.000: %CAPWAP-5-CHANGED: CAPWAP changed state to
*Mar 17 08:50:18.567: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.10.111.11 peer_port: 5246
*Mar 17 08:50:18.567: %CAPWAP-5-SENDJOIN: sending Join Request to 10.10.111.11
*Mar 17 08:50:18.567: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
*Mar 17 08:50:18.707: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
*Mar 17 08:50:18.835: %LWAPP-3-CLIENTERRORLOG: Operator changed mode for 802.11g. Rebooting.
*Mar 17 08:50:18.887: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
*Mar 17 08:50:18.895: %SYS-5-RELOAD: Reload requested by CAPWAP CLIENT. Reload Reason: Operator changed mode for 802.11g.
*Mar 17 08:50:19.887: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
IOS Bootloader - Starting system.

If you take a Wireshark packet capture on the switch port connected to the WLC, you can see the details of each of these packet types. The capture showed the different packet types of the discovery process.

Here are the discovery request packet details. Note that the discovery request is sent to the WLC management IP with destination port UDP 5246 (capwap-control). Also note the Discovery Type message element value of 1, which indicates static configuration. The different values indicate the discovery method used; we will see the other options (DHCP, DNS, broadcast) in another post.

0 - Broadcast
1 - Configured
2 - OTAP
3 - DHCP Server
4 - DNS

Page 7: rms.koenig-solutions.comrms.koenig-solutions.com/.../QMS/824-2019108374-802.1…  · Web view802.11 Association process explained. Table of contents. No headers. Access points are

Here is the discovery response packet. As you can see, the WLC provides all the information the AP needs (including the WLC IP, the AP-manager IP, the WLC name, and so on).

Page 8: rms.koenig-solutions.comrms.koenig-solutions.com/.../QMS/824-2019108374-802.1…  · Web view802.11 Association process explained. Table of contents. No headers. Access points are

Then the AP sends the join request and expects a join response from the WLC. The first step is to establish a secure CAPWAP connection with a complete DTLS handshake, as shown in the packet capture: ClientHello, HelloVerifyRequest / ClientHello (with cookie), ServerHello / Certificate, ClientKeyExchange / ChangeCipherSpec, and the server's ChangeCipherSpec.

Subsequent traffic is DTLS encrypted and cannot be decoded to see what is inside. You can disable encryption for CAPWAP control with "test capwap encr <ap-name> disable" on the WLC CLI, or "test capwap dtls ctrl disable" on the AP CLI. Only do this in a lab: without DTLS the control channel, which carries the AP's configuration from the WLC, travels in the clear.

AP5475.d0dd.a488#test capwap dtls ctrl disable
*Mar 17 09:54:15.891: Capwap Control packets will not be encrypted

But once I disabled it, the AP could not join the WLC, so I could not verify the complete process without DTLS encryption. In HREAP mode you can do this and see the complete process unencrypted (refer to How Does OEAP Works for more detail).
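As an added example (not code from this post), here is a Python decoder for the packet fields discussed above: it tells a plaintext CAPWAP control packet from a DTLS-wrapped one by the preamble, reads the RFC 5415 base header and control header, and pulls out the Discovery Type and WTP MAC Type message elements. The same decoder applies to the broadcast discovery request captured in the WLC Discovery via Broadcast post below. The two sample packets are constructed by hand for this example. The Discovery Type labels follow the table in this post (Cisco controllers); RFC 5415 gives the same numbers different names (0 Unknown, 1 Static, 2 DHCP, 3 DNS, 4 AC Referral), so check the mapping against your own captures.

```python
import struct

CAPWAP_CONTROL_PORT = 5246  # capwap-control; 5247 is capwap-data

# Control message types (RFC 5415 section 4.5.1.1)
MSG_TYPES = {1: "Discovery Request", 2: "Discovery Response",
             3: "Join Request", 4: "Join Response"}
# Message element types (RFC 5415 section 4.6)
ELEM_DISCOVERY_TYPE = 20
ELEM_WTP_MAC_TYPE = 44
# Discovery Type values as this post lists them for Cisco controllers
# (RFC 5415 names them 0 Unknown, 1 Static, 2 DHCP, 3 DNS, 4 AC Referral)
DISCOVERY_TYPES_CISCO = {0: "Broadcast", 1: "Configured", 2: "OTAP",
                         3: "DHCP Server", 4: "DNS"}
MAC_TYPES = {0: "Local MAC", 1: "Split MAC", 2: "Both"}


def build_control(msg_type, seq, elements, wbid=1):
    """Encode a plaintext CAPWAP control packet: 8-byte header, control header, elements."""
    body = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in elements)
    hlen = 2  # header length in 4-byte words; no radio MAC or wireless-specific info
    word = (hlen << 19) | (wbid << 9)  # preamble 0 (version 0, CAPWAP), RID 0, flags 0
    header = struct.pack("!IHH", word, 0, 0)  # fragment id 0, fragment offset 0
    ctrl = struct.pack("!IBHB", msg_type, seq, 3 + len(body), 0)
    return header + ctrl + body


def parse_control(payload):
    """Decode one UDP/5246 payload; raises ValueError on malformed input."""
    if len(payload) < 8:
        raise ValueError("too short for a CAPWAP header")
    word = int.from_bytes(payload[:4], "big")
    version, ptype = payload[0] >> 4, payload[0] & 0x0F
    if version != 0:
        raise ValueError("unsupported CAPWAP version %d" % version)
    if ptype == 1:
        # Preamble type 1: what follows is a DTLS record. The control
        # channel is encrypted and none of the fields below are visible.
        return {"dtls": True}
    if ptype != 0:
        raise ValueError("unknown preamble type %d" % ptype)
    hlen = ((word >> 19) & 0x1F) * 4  # HLEN sits right after the 8-bit preamble
    if (word >> 7) & 1:  # F bit: this is one fragment of a larger message
        raise ValueError("fragmented control message; reassemble first")
    if len(payload) < hlen + 8:
        raise ValueError("truncated control header")
    msg_type, seq, elem_len, _flags = struct.unpack_from("!IBHB", payload, hlen)
    vendor, mtype = msg_type >> 8, msg_type & 0xFF  # enterprise number, message type
    end = hlen + 5 + elem_len  # the length counts bytes after the sequence number
    if end > len(payload):
        raise ValueError("message element length exceeds payload")
    elements, pos = [], hlen + 8
    while pos < end:
        etype, elen = struct.unpack_from("!HH", payload, pos)
        value = payload[pos + 4:pos + 4 + elen]
        if len(value) != elen:
            raise ValueError("truncated message element %d" % etype)
        elements.append((etype, value))
        pos += 4 + elen
    info = {"dtls": False, "wbid": (word >> 9) & 0x1F, "vendor": vendor,
            "msg_type": mtype, "msg_name": MSG_TYPES.get(mtype, "other"),
            "seq": seq, "elements": elements}
    for etype, value in elements:
        if etype == ELEM_DISCOVERY_TYPE and len(value) == 1:
            info["discovery_type"] = DISCOVERY_TYPES_CISCO.get(value[0], value[0])
        elif etype == ELEM_WTP_MAC_TYPE and len(value) == 1:
            info["mac_type"] = MAC_TYPES.get(value[0], value[0])
    return info


# Constructed sample: a Discovery Request, discovery type 0 (broadcast), split-MAC AP
SAMPLE_DISCOVERY = build_control(1, 0, [(ELEM_DISCOVERY_TYPE, b"\x00"),
                                        (ELEM_WTP_MAC_TYPE, b"\x01")])
# Constructed sample: preamble 0x01 = CAPWAP DTLS header, then an opaque DTLS record
SAMPLE_DTLS = b"\x01\x00\x00\x00" + b"\x16\xfe\xfd" + b"\x00" * 10

if __name__ == "__main__":
    print(parse_control(SAMPLE_DISCOVERY))
    print(parse_control(SAMPLE_DTLS))
```

Discovery requests and responses are always plaintext (DTLS is only set up before the join request), so the decoder sees the full element list for them; for everything after the handshake it returns only the fact that the packet is DTLS, which is what you want a monitoring rule to check: a Join Request or Configuration Status seen with preamble type 0 means someone has turned control-plane encryption off.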

Page 9: rms.koenig-solutions.comrms.koenig-solutions.com/.../QMS/824-2019108374-802.1…  · Web view802.11 Association process explained. Table of contents. No headers. Access points are

Split MAC vs Local MAC Architecture

Monday 04 MAR 2013

POSTED BY NAYARASI IN WLC

Tags: CAPWAP state machine, Local MAC, Split MAC

With Split MAC, the 802.11 protocol functionality is divided between the AP and the WLC, each with its own responsibilities. The general rule is that all real-time tasks are handled by the AP (such as probe responses, packet buffering, fragmentation and queuing) and non-real-time tasks by the WLC (such as association/disassociation, classification, 802.1X/EAP authentication, and so on).

In Local MAC mode the AP performs all of these functions, including the ones the WLC performs in the Split MAC architecture.

Page 10: rms.koenig-solutions.comrms.koenig-solutions.com/.../QMS/824-2019108374-802.1…  · Web view802.11 Association process explained. Table of contents. No headers. Access points are

The CAPWAP state machine is what you need to understand in order to decide where to start troubleshooting when something is not working.

The following are the key states of this process; we will see some of them in detail in future posts.

Page 11: rms.koenig-solutions.comrms.koenig-solutions.com/.../QMS/824-2019108374-802.1…  · Web view802.11 Association process explained. Table of contents. No headers. Access points are

1. Discovery Process (L2 broadcast, L3 broadcast, DHCP Option 43, DNS, priming, static, OTAP)
2. Join Process (primary/secondary/tertiary/global backup WLC, master controller flag, least-loaded WLC)
3. Image Process
4. Config State

WLC Discovery via Broadcast

Saturday 04 MAY 2013

POSTED BY NAYARASI IN AP REGISTRATION

Tags: UDP port forwarding

As outlined in one of my previous posts (AP Registration), there are multiple methods (broadcast, static configuration, DHCP Option 43, DNS) available for a Lightweight Access Point (LAP) to discover a WLC. In this post we will see how the broadcast mechanism can be used for this.

After the LAP gets an IP address from the DHCP server, it broadcasts a Layer 3 CAPWAP discovery message onto its local subnet. Normally these broadcasts are limited to the local subnet, as they do not cross Layer 3 boundaries. If you want to forward them to a particular WLC, you have to configure the WLC IP address with "ip helper-address" on the Layer 3 interface the LAP is connected to. The L3 device then forwards these broadcasts, as unicasts, to the IP addresses configured with the ip helper-address command on the interface on which the broadcast is heard.

When you use the ip helper-address command, eight UDP ports are forwarded automatically (for directed as well as local broadcasts):

1. Trivial File Transfer (TFTP) (port 69)
2. Domain Name System (port 53)
3. Time Service (port 37)
4. NetBIOS Name Server (port 137)
5. NetBIOS Datagram Server (port 138)
6. Boot Protocol (BOOTP) client (port 68)
7. Boot Protocol (BOOTP) server (port 67)
8. TACACS service (port 49)

Since the CAPWAP broadcast uses UDP port 5246, it must be explicitly added to the forwarded ports on the router with the "ip forward-protocol udp <port-no>" command. Here is our test setup.

CAT2 and CAT4 have a Layer 3 link between them. The LAP connected to CAT4 is configured to obtain an IP address from a Microsoft DHCP server. The only options provided are the IP address and default gateway (no DNS or Option 43). We will use the broadcast forwarding method to register this AP with WLC1, connected to CAT4.

Here is the basic config of CAT4 for VLAN 121, where the AP is connected.

interface Vlan121
 description MOLWAP1
 ip address 10.10.121.193 255.255.255.192
 ip helper-address 192.168.200.1
!
interface FastEthernet1/0/3
 description TEMP-LWAP-03
 switchport access vlan 121
 switchport mode access
 spanning-tree portfast

Here is the AP console output. You can see that the AP got an IP address from the DHCP server but could not find a WLC to join.

*Mar  1 00:13:22.248: %DHCP-6-ADDRESS_ASSIGN: Interface GigabitEthernet0 assigned DHCP address 10.10.121.201, mask 255.255.255.192, hostname APccef.488c.fd41
*Mar  1 00:13:32.927:  status of voice_diag_test from WLC is false
*Mar  1 00:13:32.987: Logging LWAPP message to 255.255.255.255.
*Mar  1 00:13:35.705: %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source
*Mar  1 00:13:35.796: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up
*Mar  1 00:13:35.891: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*Mar  1 00:13:36.715: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
*Mar  1 00:13:36.715: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 255.255.255.255 started - CLI initiated
*Mar  1 00:13:36.809: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
Translating "CISCO-CAPWAP-CONTROLLER.mrn.com"...domain server (192.168.20.7)
*Mar  1 00:14:43.008: %CAPWAP-3-DHCP_RENEW: Could not discover WLC using DHCP IP. Renewing DHCP IP.
Not in Bound state.
*Mar  1 00:14:51.523: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 2 combination.
*Mar  1 00:14:51.533: %DHCP-6-ADDRESS_ASSIGN: Interface GigabitEthernet0 assigned DHCP address 10.10.121.201, mask 255.255.255.192, hostname APccef.488c.fd41

If you run "debug ip udp" on CAT4 you will see the UDP traffic on the switch. Since CAPWAP control uses UDP port 5246, you should see traffic for that port. (Be careful enabling this debug in a production network: the flood of debug messages can impact device performance. In my test lab it was no problem at all.) As you can see below, CAT4 receives the UDP broadcast with destination port 5246 (CAPWAP control).

CAT4#debug ip udp
UDP packet debugging is on
CAT4#
.May  3 06:21:07.421: UDP: rcvd src=10.10.121.201(53205), dst=255.255.255.255(5246), length=131
.May  3 06:21:17.361: UDP: rcvd src=10.10.121.201(53205), dst=255.255.255.255(5246), length=131
.May  3 06:21:27.302: UDP: rcvd src=10.10.121.201(53205), dst=255.255.255.255(5246), length=131
.May  3 06:21:31.672: UDP: rcvd src=10.10.10.3(123), dst=10.10.20.1(123), length=76
.May  3 06:21:38.232: UDP: rcvd src=10.10.121.201(50047), dst=255.255.255.255(514), length=133
.May  3 06:21:42.712: UDP: rcvd src=0.0.0.0(68), dst=255.255.255.255(67), length=310
.May  3 06:21:42.712: UDP: sent src=10.10.121.193(67), dst=192.168.200.1(67), length=310
.May  3 06:21:42.712: UDP: rcvd src=192.168.200.1(67), dst=10.10.121.193(67), length=308
.May  3 06:21:42.712: UDP: sent src=0.0.0.0(67), dst=255.255.255.255(68), length=308
.May  3 06:21:42.712: UDP: rcvd src=0.0.0.0(68), dst=255.255.255.255(67), length=328

Page 14: rms.koenig-solutions.comrms.koenig-solutions.com/.../QMS/824-2019108374-802.1…  · Web view802.11 Association process explained. Table of contents. No headers. Access points are

.May  3 06:21:42.712: UDP: sent src=10.10.121.193(67), dst=192.168.200.1(67), length=328
.May  3 06:21:42.729: UDP: rcvd src=192.168.200.1(67), dst=10.10.121.193(67), length=308
.May  3 06:21:42.729: UDP: sent src=0.0.0.0(67), dst=255.255.255.255(68), length=308
.May  3 06:21:45.833: UDP: rcvd src=10.10.121.201(50047), dst=255.255.255.255(514), length=115

Normally broadcast packets are not forwarded to other interfaces (except for the eight UDP port types described earlier). Since the CAPWAP broadcast is not among them, you have to configure the switch to forward UDP 5246 traffic with "ip forward-protocol udp 5246". Here are the options available with that command.

CAT4(config)#ip forward-protocol udp ?

  <0-65535>      Port number

  biff           Biff (mail notification, comsat, 512)

  bootpc         Bootstrap Protocol (BOOTP) client (68)

  bootps         Bootstrap Protocol (BOOTP) server (67)

  discard        Discard (9)

  dnsix          DNSIX security protocol auditing (195)

  domain         Domain Name Service (DNS, 53)

  echo           Echo (7)

  isakmp         Internet Security Association and Key Management Protocol (500)

  mobile-ip      Mobile IP registration (434)

  nameserver     IEN116 name service (obsolete, 42)

  netbios-dgm    NetBios datagram service (138)

  netbios-ns     NetBios name service (137)

  netbios-ss     NetBios session service (139)

  non500-isakmp  Internet Security Association and Key Management Protocol (4500)

  ntp            Network Time Protocol (123)

Page 15: rms.koenig-solutions.comrms.koenig-solutions.com/.../QMS/824-2019108374-802.1…  · Web view802.11 Association process explained. Table of contents. No headers. Access points are

  pim-auto-rp    PIM Auto-RP (496)

  rip            Routing Information Protocol (router, in.routed, 520)

  snmp           Simple Network Management Protocol (161)

  snmptrap       SNMP Traps (162)

  sunrpc         Sun Remote Procedure Call (111)

  syslog         System Logger (514)

  tacacs         TAC Access Control System (49)

  talk           Talk (517)

  tftp           Trivial File Transfer Protocol (69)

  time           Time (37)

  who            Who service (rwho, 513)

  xdmcp          X Display Manager Control Protocol (177)

CAT4(config)#ip forward-protocol udp 5246

Here is the debug output once we configure this command on CAT4. (I had two L3 links from CAT4 to CAT2, which is why you see these broadcasts forwarded on two different interfaces.)

.May  3 06:29:18.420: UDP: sent src=0.0.0.0(67), dst=255.255.255.255(68), length=308

.May  3 06:29:21.406: UDP: rcvd src=10.10.121.201(50047), dst=255.255.255.255(514), length=115

.May  3 06:29:38.284: UDP: rcvd src=10.10.121.201(53205), dst=255.255.255.255(5246), length=131

.May  3 06:29:38.284: UDP: forwarded broadcast 5246 from 10.10.121.201 to 192.168.200.1 on FastEthernet1/0/23
.May  3 06:29:48.225: UDP: rcvd src=10.10.121.201(53205), dst=255.255.255.255(5246), length=131
.May  3 06:29:48.225: UDP: forwarded broadcast 5246 from 10.10.121.201 to 192.168.200.1 on FastEthernet1/0/22
.May  3 06:29:58.165: UDP: rcvd src=10.10.121.201(53205), dst=255.255.255.255(5246), length=131
.May  3 06:29:58.165: UDP: forwarded broadcast 5246 from 10.10.121.201 to 192.168.200.1 on FastEthernet1/0/23
.May  3 06:30:03.677: UDP: rcvd src=10.10.10.3(123), dst=10.10.20.1(123), length=76

Page 16: rms.koenig-solutions.comrms.koenig-solutions.com/.../QMS/824-2019108374-802.1…  · Web view802.11 Association process explained. Table of contents. No headers. Access points are

.May  3 06:30:08.097: UDP: rcvd src=10.10.121.201(53205), dst=255.255.255.255(5246), length=131
.May  3 06:30:08.097: UDP: forwarded broadcast 5246 from 10.10.121.201 to 192.168.200.1 on FastEthernet1/0/22

As you can see above, UDP 5246 broadcast packets are now forwarded to 192.168.200.1. Why? Because "ip helper-address 192.168.200.1" is configured on the VLAN 121 interface so that the AP can get an IP address from the Microsoft DHCP server, and ip forward-protocol is a global setting: every forwarded port is relayed to every helper address on the interface. To get these UDP 5246 packets to the WLC, you have to add a second "ip helper-address" with the WLC management IP. At the same time we enable "debug capwap packet enable" on the WLC to see the registration information. (Again, this debug generates a lot of output and you risk hanging or crashing the WLC.)

CAT4(config)#interface Vlan121

CAT4(config-if)# ip helper-address 10.10.111.10

CAT4(config-if)#do sh logg | in 5246
.May  3 06:38:19.080: UDP: rcvd src=10.10.121.201(53205), dst=255.255.255.255(5246), length=131
.May  3 06:38:19.080: UDP: forwarded broadcast 5246 from 10.10.121.201 to 192.168.200.1 on FastEthernet1/0/23
.May  3 06:38:19.080: UDP: forwarded broadcast 5246 from 10.10.121.201 to 10.10.111.10 on FastEthernet1/0/22
.May  3 06:40:28.710: UDP: rcvd src=10.10.121.201(53205), dst=255.255.255.255(5246), length=131
.May  3 06:40:28.710: UDP: forwarded broadcast 5246 from 10.10.121.201 to 192.168.200.1 on FastEthernet1/0/23
.May  3 06:40:28.718: UDP: forwarded broadcast 5246 from 10.10.121.201 to 10.10.111.10 on FastEthernet1/0/22

Here is the AP console output showing successful registration to WLC1.

APccef.488c.fd41#renew dhcp g0
wmmAC status is FALSE
*May  3 06:38:19.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.10.111.11 peer_port: 5246
*May  3 06:38:19.000: %CAPWAP-5-CHANGED: CAPWAP changed state to
*May  3 06:38:19.430: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.10.111.11 peer_port: 5246
*May  3 06:38:19.434: %CAPWAP-5-SENDJOIN: sending Join Request to 10.10.111.11
*May  3 06:38:19.434: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
*May  3 06:38:19.594: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
*May  3 06:38:19.717: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to down
*May  3 06:38:19.726: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*May  3 06:38:19.726: %CAPWAP-5-CHANGED: CAPWAP changed state to UP
*May  3 06:38:19.776: %CAPWAP-5-JOINEDCONTROLLER: AP has joined controller WLC1
*May  3 06:38:19.821: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up

If you take a Wireshark packet capture on the WAN link during this process, you should be able to see the WLC discovery request go to WLC1. In that capture the Discovery Type is 0, which indicates that the broadcast method is in use. Any other value (1 - static, 2 - OTAP, 3 - DHCP Option 43, 4 - DNS) indicates through which method the AP learned about the WLC.

You can find details of all discovery methods from this Cisco document (Cisco Doc 70333)

Add the Option 43 line using the following syntax:

option 43 hex <hex string>

The hex string is assembled by concatenating the TLV values shown below:

Type + Length + Value

Type is always f1 (hex). Length is the number of controller management IP addresses times 4, in hex. Value is the IP addresses of the controllers, listed sequentially, in hex.

For example, suppose that there are two controllers with management interface IP addresses 10.126.126.2 and 10.127.127.2. The type is f1 (hex). The length is 2 * 4 = 8 = 08 (hex). The IP addresses translate to 0a7e7e02 and 0a7f7f02. Assembling the string then yields f1080a7e7e020a7f7f02. The resulting Cisco IOS command added to the DHCP scope is:

option 43 hex f1080a7e7e020a7f7f02
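The assembly rule above, as an added example that is not part of the Cisco document or of the post: a Python encoder that builds the type/length/value string from a list of controller management addresses, a decoder that checks an existing string before it is pushed to a scope, and renderers for the IOS DHCP line shown above and for the equivalent ISC dhcpd line (the ISC syntax is assumed from that server's colon-separated hex form, not taken from the page).

```python
from ipaddress import IPv4Address

CISCO_WLC_SUBOPTION = 0xF1  # vendor sub-option 241: controller IP list for lightweight APs


def encode_option43(controllers):
    """Return the hex string for an IOS 'option 43 hex ...' line (type f1, length, IPv4s)."""
    if not controllers:
        raise ValueError("at least one controller address is required")
    if len(controllers) * 4 > 255:
        raise ValueError("sub-option length must fit in one byte")
    value = b"".join(IPv4Address(c).packed for c in controllers)  # rejects non-IPv4 input
    return bytes([CISCO_WLC_SUBOPTION, len(value)]).hex() + value.hex()


def decode_option43(hexstring):
    """Parse a sub-option string back to dotted IPv4 controller addresses; validates framing."""
    data = bytes.fromhex(hexstring)
    if len(data) < 2 or data[0] != CISCO_WLC_SUBOPTION:
        raise ValueError("not a Cisco WLC sub-option (type 0xf1)")
    length = data[1]
    if length != len(data) - 2 or length % 4 or length == 0:
        raise ValueError("length byte does not match a whole number of IPv4 addresses")
    return [str(IPv4Address(data[i:i + 4])) for i in range(2, 2 + length, 4)]


def ios_line(controllers):
    """Cisco IOS DHCP pool syntax, as quoted on the page."""
    return "option 43 hex " + encode_option43(controllers)


def isc_dhcpd_line(controllers):
    """ISC dhcpd rendering of the same bytes (assumed colon-separated hex syntax)."""
    return "option vendor-encapsulated-options " + bytes.fromhex(encode_option43(controllers)).hex(":") + ";"


if __name__ == "__main__":
    # The worked example from the Cisco document: two controllers
    print(ios_line(["10.126.126.2", "10.127.127.2"]))
    print(decode_option43("f1080a7e7e020a7f7f02"))
```

Run the decoder against what is actually configured in the scope: a length byte that does not match the number of addresses is the usual cause of APs that ignore the option, and the check catches it before the scope goes live. If your DHCP server supports vendor classes, scope the option on the AP's vendor class identifier (option 60) so that ordinary clients on the same subnet are not handed the controller list.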

Lightweight to Autonomous (vice versa) Conversion…

Saturday 20 OCT 2012

POSTED BY NAYARASI IN AUTONOMOUS AP CONFIG

Tags: Autonomous AP, k9w7, LWAP to AAP conversion

Before converting an LWAP to autonomous you need to understand the type of OS image running on these platforms. I found the following blog post very useful for summarizing the IOS image types and their naming convention.

http://www.my80211.com/cisco-auton-labs/2011/11/19/understanding-cisco-access-point-ios-images.html

The following three types of IOS are available; you need to download the correct type before starting the conversion process.

k9w7 - autonomous IOS
k9w8 - full lightweight IOS (this is what is bundled in the WLC .aes image, and is factory installed on "mesh" APs)
rcvk9w8 - lightweight recovery image; this is factory installed on lightweight APs unless a "mesh" image is specified; it lacks radio firmware

In our case we require k9w7 for the autonomous conversion, more specifically c1140-k9w7-tar.124-25d.JA.tar, as my AP is an 1142. Download the image from Cisco and check its published hash before staging it on the TFTP server: TFTP itself offers no integrity or authenticity protection for the transfer.

To convert a lightweight AP to an autonomous AP, you need a PC directly connected to the AP's Ethernet port. If you are powering the AP from the switch (i.e. using PoE), then the PC and the AP need to be on two switch ports in the same VLAN. In my example the PC is 10.10.10.1/24 and the AP is 10.10.10.102/24.

Console into the access point & do the following configurations.

AP5475.d0f5.2ee7#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
Dot11Radio0                unassigned      NO  unset  up                    up
Dot11Radio1                unassigned      NO  unset  up                    up
GigabitEthernet0           unassigned      YES DHCP   up                    up
AP5475.d0f5.2ee7#debug capwap console cli   <- without this line the LWAP does not accept "conf t"
AP5475.d0f5.2ee7#conf t
AP5475.d0f5.2ee7(config)#ip default-gateway 10.10.10.1

Page 19: rms.koenig-solutions.comrms.koenig-solutions.com/.../QMS/824-2019108374-802.1…  · Web view802.11 Association process explained. Table of contents. No headers. Access points are

AP5475.d0f5.2ee7(config)#int g0
AP5475.d0f5.2ee7(config-if)#ip address 10.10.10.102 255.255.255.0
AP5475.d0f5.2ee7(config-if)#no sh
AP5475.d0f5.2ee7#ping 10.10.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
!!!!!

AP5475.d0f5.2ee7#archive download-sw /force-reload /overwrite tftp://10.10.10.1/c1140-k9w7-tar.124-25d.JA.tar
examining image...
Loading c1140-k9w7-tar.124-25d.JA.tar from 10.10.10.1 (via GigabitEthernet0): !
extracting info (283 bytes)
Image info:
    Version Suffix: k9w7-.124-25d.JA
....................

Once the conversion process is over, you can verify that the right image is on your access point.

ap>en
Password:  <-- default password is Cisco
ap#
ap#sh version
Cisco IOS Software, C1140 Software (C1140-K9W7-M), Version 12.4(25d)JA, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Thu 09-Dec-10 15:24 by prod_rel_team
ROM: Bootstrap program is C1140 boot loader
BOOTLDR: C1140 Boot Loader (C1140-BOOT-M) Version 12.4(18a)JA3, RELEASE SOFTWARE (fc1)
ap uptime is 0 minutes
System returned to ROM by reload
System image file is "flash:/c1140-k9w7-mx.124-25d.JA/c1140-k9w7-mx.124-25d.JA"
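As an added example (not from the original post), the Python below parses Cisco AP image filenames of the form used above and checks a “show version” banner against the image that was requested, so the verification step can be done mechanically for both the autonomous and the recovery image. The sample banners are constructed from the outputs quoted in the post, and the IMAGE_KINDS labels follow the post’s own description of k9w7, k9w8 and rcvk9w8.

```python
import re

# Feature-set token in a Cisco IOS AP image name and what the post says it is.
IMAGE_KINDS = {
    "k9w7": "autonomous IOS",
    "k9w8": "full lightweight IOS",
    "rcvk9w8": "lightweight recovery image (no radio firmware)",
}

# e.g. c1140-k9w7-tar.124-25d.JA.tar or ap3g1-rcvk9w8-tar.152-4.JA1.tar
_IMAGE_RE = re.compile(
    r"^(?P<family>[a-z0-9]+)-(?P<feature>rcvk9w8|k9w8|k9w7)-tar\."
    r"(?P<train>\d{3})-(?P<rebuild>[0-9a-z]+)\.(?P<suffix>[A-Za-z0-9]+)\.tar$"
)

# The banner line printed by 'show version', e.g.
# Cisco IOS Software, C1140 Software (C1140-K9W7-M), Version 12.4(25d)JA, RELEASE SOFTWARE (fc1)
_SHVER_RE = re.compile(
    r"Cisco IOS Software, \S+ Software \((?P<family>[A-Z0-9]+)-(?P<feature>[A-Z0-9]+)-M\), "
    r"Version (?P<version>[0-9A-Za-z.()]+),"
)


def parse_image_name(filename):
    """Split an AP tar image name into family, feature set and IOS version.

    The filename writes the release as '124-25d.JA'; 'show version' prints the
    same release as '12.4(25d)JA', so the version is normalised to that form.
    """
    m = _IMAGE_RE.match(filename)
    if not m:
        raise ValueError(f"not a Cisco AP tar image name: {filename}")
    train = m.group("train")  # '124' -> 12.4, '153' -> 15.3
    return {
        "family": m.group("family"),
        "feature": m.group("feature"),
        "kind": IMAGE_KINDS[m.group("feature")],
        "version": f"{train[:2]}.{train[2]}({m.group('rebuild')}){m.group('suffix')}",
    }


def parse_show_version(text):
    """Pull family, feature set and version out of 'show version' output."""
    m = _SHVER_RE.search(text)
    if not m:
        raise ValueError("no 'Cisco IOS Software' banner in show version output")
    return {
        "family": m.group("family").lower(),
        "feature": m.group("feature").lower(),
        "version": m.group("version"),
    }


def running_image_matches(show_version_text, requested_image):
    """Compare the booted image with the tar image that was requested.

    Returns (ok, mismatched_fields); an empty list means the AP runs exactly the
    family, feature set (autonomous vs lightweight) and release that was asked for.
    """
    want = parse_image_name(requested_image)
    have = parse_show_version(show_version_text)
    mismatched = [k for k in ("family", "feature", "version") if want[k] != have[k]]
    return (not mismatched, mismatched)


# Constructed 'show version' excerpts, following the outputs shown in the post.
SHOW_VERSION_1142 = (
    "Cisco IOS Software, C1140 Software (C1140-K9W7-M), Version 12.4(25d)JA, "
    "RELEASE SOFTWARE (fc1)\nTechnical Support: http://www.cisco.com/techsupport\n"
)
SHOW_VERSION_3500_RECOVERY = (
    "Cisco IOS Software, C3500 Software (AP3G1-RCVK9W8-M), Version 15.2(2)JB, "
    "RELEASE SOFTWARE (fc1)\n"
)

if __name__ == "__main__":
    for name in ("c1140-k9w7-tar.124-25d.JA.tar", "ap3g1-rcvk9w8-tar.152-4.JA1.tar",
                 "ap3g2-k9w7-tar.153-3.JE.tar"):
        print(name, "->", parse_image_name(name))
    # The 1142 booted the autonomous image it was asked to load.
    print(running_image_matches(SHOW_VERSION_1142, "c1140-k9w7-tar.124-25d.JA.tar"))
    # A 3500 still on its recovery image does not match the autonomous image.
    print(running_image_matches(SHOW_VERSION_3500_RECOVERY, "ap3g1-k9w7-tar.152-4.JA1.tar"))
```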

For the LWAP conversion, use the recovery image (e.g. c1140-rcvk9w8-tar.124-25d.JAL.tar). We can use the same command in the autonomous AP privileged mode.

AP5475.d0f5.2ee7#archive download-sw /force-reload /overwrite tftp://10.10.10.1/c1140-rcvk9w8-tar.124-25d.JA.tar

The following Cisco Support Community forum video demonstrates the above process.

https://supportforums.cisco.com/videos/

If you have a WLC-managed AP (currently registered to a WLC), then you can use a WLC CLI command to convert it to Autonomous. In the below example I have an IW3702 AP on my WLC.

(8540-TEST) >show ap summary

AP Name  Slots  AP Model         Ethernet MAC       Location          Country  IP Address
IW3702   2      IW3702-2E-Z-K9   2c:d0:2d:81:a6:5c  default location  AU       10.15.6.90

(WLC) >config ap tftp-downgrade ?

<TFTP Server IP addr> Enter the TFTP server's IP address

(WLC) >config ap tftp-downgrade x.x.x.x ?

<filename> Image file name on the TFTP server

(WLC) >config ap tftp-downgrade x.x.x.x ap3g2-k9w7-tar.153-3.JE.tar ?

<Cisco AP> Enter the name of the Cisco AP.

(WLC) >config ap tftp-downgrade x.x.x.x ap3g2-k9w7-tar.153-3.JE.tar IW3702

Once you issue that command, the given AP should download the new image from your TFTP server.

AP Conversion using MODE Button

13 Friday DEC 2013

POSTED BY NAYARASI  IN AUTONOMOUS AP CONFIG ≈ 95 COMMENTS

Tags: AP Conversion, LWAP to AAP conversion, Mode Button

If you have already read one of my previous posts (Lightweight to Autonomous (vice versa) Conversion…) you may know one way of doing this AP conversion. In this post we will see how to do the same task using the Mode/Reset button of the access point. Number 1 in the below diagram shows this Reset button of the given AP.

You can use this mode/reset button when you do not know the password, your AP firmware is corrupted, etc. In our case, even though the firmware is not corrupted, we can use this button to load an image from a TFTP server. In this scenario the AP looks for a specifically named image file to load, so if you keep an Autonomous image file with the correct name syntax, the AP will load that image once we do this. Before starting we will look at some of the AP model Autonomous & Lightweight recovery images. As you can see below, certain AP models have common images (like 2600/3600, 1040/1140 or 1260/3500) for this purpose.

In this example I am using a 3500 series AP & therefore I have downloaded the ap3g1-k9w7-tar.152-4.JA1.tar & ap3g1-rcvk9w8-tar.152-4.JA1.tar files onto my TFTP server. Now you need to rename these in order to load them onto the AP when it is reset using the mode button. Below shows how they should be renamed. Since the AP expects the same default filename, you have to make sure the correct file is renamed depending on whether you are doing a LAP->AAP or an AAP->LAP conversion.

Since the AP is resetting to factory default, it will always take the 10.0.0.1 IP. So your TFTP server should be on the same subnet (most of the time your PC acts as the TFTP server, directly connected to the AP Ethernet port). Here are my TFTP/PC IP settings.

Now everything is ready for the conversion. First we will take a Lightweight AP & convert it to Autonomous. Ensure you have renamed the “ap3g1-k9w7-tar.152-4.JA1.tar” file to “ap3g1-k9w7-tar.default” & made it available on your TFTP server. To do this you need to hold the mode/reset button for 20s (until the LED becomes solid RED) while powering on the AP. You can watch the console output to see what’s happening in the background.

using MCNG ddr static values from serial eeprom

ddr init done

IOS Bootloader - Starting system.

FLASH CHIP:  Numonyx P33

Checking for Over Erased blocks

......................................................................................

......................................................................................

..........................................................................

Xmodem file system is available.

DDR values used from system serial eeprom.

WRDTR,CLKTR: 0x8200083f, 0x40000000

RQDC, RFDC : 0x80000033, 0x00000218

PCIE0: link is up.

PCIE0: VC0 is active

PCIE1: link is up.

PCIE1: VC0 is active

64bit PCIE devices

PCIEx: initialization done

flashfs[0]: 41 files, 9 directories

flashfs[0]: 0 orphaned files, 0 orphaned directories

flashfs[0]: Total bytes: 31739904

flashfs[0]: Bytes used: 14926336

flashfs[0]: Bytes available: 16813568

flashfs[0]: flashfs fsck took 10 seconds.

Reading cookie from system serial eeprom...Done

Base Ethernet MAC address: cc:ef:48:72:0f:b5

Ethernet speed is 1000 Mb - FULL duplex

button is pressed, wait for button to be released...
button pressed for 23 seconds
process_config_recovery: set IP address and config to default 10.0.0.1
process_config_recovery: image recovery
image_recovery: Download default IOS tar image tftp://255.255.255.255/ap3g1-k9w7-tar.default

examining image...
extracting info (283 bytes)
Image info:
    Version Suffix: k9w7-.152-2.JB
    Image Name: ap3g1-k9w7-mx.152-2.JB
    Version Directory: ap3g1-k9w7-mx.152-2.JB
    Ios Image Size: 1126912
    Total Image Size: 12257792
    Image Feature: WIRELESS LAN|LWAPP
    Image Family: AP3G1
    Wireless Switch Management Version: 7.4.1.37
Extracting files...
....extracting ap3g1-k9w7-mx.152-2.JB/info (283 bytes)
extracting info.ver (283 bytes)
Deleting current version: flash:/ap3g1-k9w8-mx.v152_2_jb.201310220755...done.
New software image installed in flash:/ap3g1-k9w7-mx.152-2.JB
Configuring system to use new image...done.
Requested system reload in progress...
download took about 731 seconds
Loading "flash:/ap3g1-k9w7-mx.152-2.JB/ap3g1-k9w7-mx.152-2.JB"...################

File "flash:/ap3g1-k9w7-mx.152-2.JB/ap3g1-k9w7-mx.152-2.JB" uncompressed and installed, entry point: 0x4000
executing...

You will see the AP downloading the “.default” image from your TFTP server.

Once the image is fully loaded, the AP will reboot & come up as an Autonomous AP. Notice that the “ap>” prompt indicates it is an Autonomous AP on its default settings.

ap>en
Password: Cisco
ap#sh ver
Cisco IOS Software, C3500 Software (AP3G1-K9W7-M), Version 15.2(2)JB, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Mon 10-Dec-12 23:42 by prod_rel_team

ROM: Bootstrap program is C3500 boot loader
BOOTLDR: C3500 Boot Loader (AP3G1-BOOT-M), Version 12.4 [mpleso-ap_jmr3_esc_0514 125]

ap uptime is 2 minutes
System returned to ROM by power-on
System image file is "flash:/ap3g1-k9w7-mx.152-2.JB/ap3g1-k9w7-xx.152-2.JB"
Last reload reason:

Now you can follow the same process if you want to convert it back to Lightweight. Make sure the “ap3g1-rcvk9w8-tar.152-4.JA1.tar” file is renamed to “ap3g1-k9w7-tar.default” & is available on your TFTP server (you may have to remove or rename the .default file previously used for the LAP->AAP conversion).

IOS Bootloader - Starting system.

FLASH CHIP:  Numonyx P33

Checking for Over Erased blocks

......................................................................................

......................................................................................

..........................................................................

Xmodem file system is available.

DDR values used from system serial eeprom.

WRDTR,CLKTR: 0x8200083f, 0x40000000

RQDC, RFDC : 0x80000033, 0x00000218

PCIE0: link is up.

PCIE0: VC0 is active

PCIE1: link is up.

PCIE1: VC0 is active

64bit PCIE devices

PCIEx: initialization done

flashfs[0]: 198 files, 9 directories

flashfs[0]: 0 orphaned files, 0 orphaned directories

flashfs[0]: Total bytes: 31739904

flashfs[0]: Bytes used: 15564800

flashfs[0]: Bytes available: 16175104

flashfs[0]: flashfs fsck took 10 seconds.

Reading cookie from system serial eeprom...Done

Base Ethernet MAC address: cc:ef:48:72:0f:b5

Ethernet speed is 1000 Mb - FULL duplex

button is pressed, wait for button to be released...
button pressed for 21 seconds
process_config_recovery: set IP address and config to default 10.0.0.1
process_config_recovery: image recovery
image_recovery: Download default IOS tar image tftp://255.255.255.255/ap3g1-k9w7-tar.default

examining image...
extracting info (263 bytes)
Image info:
    Version Suffix: rcvk9w8-
    Image Name: ap3g1-rcvk9w8-mx
    Version Directory: ap3g1-rcvk9w8-mx
    Ios Image Size: 123392
    Total Image Size: 7598592
    Image Feature: WIRELESS LAN|LWAPP
    Image Family: AP3G1
    Wireless Switch Management Version: 7.4.1.37
Extracting files...
ap3g1-rcvk9w8-mx/ (directory) 0 (bytes)
extracting ap3g1-rcvk9w8-mx/ap3g1-rcvk9w8-mx (113080 bytes)........................
extracting ap3g1-rcvk9w8-mx/ap3g1-boot-m_upg (393216 bytes)......................
extracting ap3g1-rcvk9w8-mx/u-boot.bin (393216 bytes)......................
extracting ap3g1-rcvk9w8-mx/ap3g1-rcvk9w8-xx (6686892 bytes)...

Now your AP is back in Lightweight mode & it is ready to register to a WLC.

APccef.4872.0fb5#sh ver

Cisco IOS Software, C3500 Software (AP3G1-RCVK9W8-M), Version 15.2(2)JB, RELEASE SOFTWARE (fc1)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 1986-2012 by Cisco Systems, Inc.

Compiled Mon 10-Dec-12 23:48 by prod_rel_team

ROM: Bootstrap program is C3500 boot loader

BOOTLDR: C3500 Boot Loader (AP3G1-BOOT-M), Version 12.4 [mpleso-ap_jmr3_esc_0514 125]

Networks-ISE-Test uptime is 0 minutes

System returned to ROM by reload

System image file is "flash:/ap3g1-rcvk9w8-mx/ap3g1-rcvk9w8-xx"

Last reload reason:

Here are some reference documents you should read.

Multiple SSID Config on Autonomous AP

24 Wednesday OCT 2012

POSTED BY NAYARASI  IN AUTONOMOUS AP CONFIG ≈ 12 COMMENTS

Tags: Autonomous AP, mbssid, Multiple SSID config

To remember the steps required to define multiple SSIDs in an Autonomous AP, I have used the following comparison between logical segmentation (VLANs) in a wired environment & SSID config in an Autonomous AP.

Step 1
Layer 2 Switch: Define VLANs (3 VLANs defined: VLAN 110 for Management, 12 & 13 for user data).
Autonomous AP: Define SSIDs with the associated VLAN numbers.

Layer 2 Switch:
vlan 12
 name HQData1
!
vlan 13
 name HQData2
!
vlan 110
 name Management
!
int x/x   <—- where x/x is the trunk to the uplink switch.
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport mode trunk

Autonomous AP:
dot11 ssid HQData1   <- VLAN name used as the SSID for simplicity.
 vlan 12
 authentication open
 mbssid guest-mode   <– Only required for multiple SSIDs to be broadcast. If it is only a single SSID this needs to be “ssid guest-mode”.
!
dot11 ssid HQData2
 vlan 13
 authentication open
 authentication key-management wpa version 2
 mbssid guest-mode
 wpa-psk ascii Cisco123

Step 2
Layer 2 Switch: Configure the switch management interface.
Autonomous AP: Configure the BVI interface.

Layer 2 Switch:
int vlan 100
 ip add 10.10.110.100 255.255.255.0

Autonomous AP:
interface BVI1
 ip address 10.10.110.100 255.255.255.0
!
interface GigabitEthernet0.110
 encapsulation dot1Q 110
 bridge-group 1   <—– BVI does not support bridge-group, so it should be bridge-group 1 here.

Step 3
Layer 2 Switch: Define the default gateway.
Autonomous AP: Define the default gateway.

Layer 2 Switch:
ip default-gateway 10.10.110.1

Autonomous AP:
ip default-gateway 10.10.110.1

Step 4
Autonomous AP: Create Ethernet & Radio sub-interfaces.

interface GigabitEthernet0.12
 encapsulation dot1Q 12
 bridge-group 12   <—— Bridge group number is a value between [1-255]
!
interface GigabitEthernet0.13
 encapsulation dot1Q 13
 bridge-group 13
!
interface Dot11Radio1.12   <— Dot11Radio1 for 5GHz & Dot11Radio0 for the 2.4GHz band. In this example only 5GHz is configured.
 encapsulation dot1Q 12
 bridge-group 12
!
interface Dot11Radio1.13
 encapsulation dot1Q 13
 bridge-group 13

Step 5
Autonomous AP: Assign SSIDs to the Radio interface.

interface Dot11Radio1   <- Only the 5GHz band is used for this example
 encryption vlan 13 mode ciphers aes-ccm
 ssid HQData1
 ssid HQData2
 mbssid
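An added example, not from the original post: a small Python lint that parses the autonomous-AP side of the table above and checks that every SSID’s VLAN has matching GigabitEthernet0 and Dot11Radio sub-interfaces in one bridge group, and that an SSID using WPA key-management has an encryption line for its VLAN on the radio. The config text is constructed from the table, and the parser only understands the commands the table uses.

```python
# Constructed from the AP column of the table above; IOS indents sub-commands by one space.
AP_CONFIG = """\
dot11 ssid HQData1
 vlan 12
 authentication open
 mbssid guest-mode
dot11 ssid HQData2
 vlan 13
 authentication open
 authentication key-management wpa version 2
 mbssid guest-mode
 wpa-psk ascii Cisco123
interface Dot11Radio1
 encryption vlan 13 mode ciphers aes-ccm
 ssid HQData1
 ssid HQData2
 mbssid
interface Dot11Radio1.12
 encapsulation dot1Q 12
 bridge-group 12
interface Dot11Radio1.13
 encapsulation dot1Q 13
 bridge-group 13
interface GigabitEthernet0.12
 encapsulation dot1Q 12
 bridge-group 12
interface GigabitEthernet0.13
 encapsulation dot1Q 13
 bridge-group 13
"""

# Same config with two plumbing mistakes: the WPA SSID's VLAN has no cipher on
# the radio, and its radio sub-interface sits in the wrong bridge group.
BROKEN_CONFIG = AP_CONFIG.replace(" encryption vlan 13 mode ciphers aes-ccm\n", "").replace(
    "interface Dot11Radio1.13\n encapsulation dot1Q 13\n bridge-group 13",
    "interface Dot11Radio1.13\n encapsulation dot1Q 13\n bridge-group 12")


def parse_ap_config(text):
    """Collect 'dot11 ssid' and 'interface' blocks; only the commands used in the table are understood."""
    ssids, ifaces, kind, cur = {}, {}, None, None
    for raw in text.splitlines():
        words = raw.split("<", 1)[0].split()        # drop "<- ..." annotations
        if not words or words[0] == "!":
            continue
        if not raw.startswith(" "):                  # a new top-level block
            if words[:2] == ["dot11", "ssid"]:
                kind, cur = "ssid", ssids.setdefault(words[2], {"vlan": None, "wpa": False})
            elif words[0] == "interface":
                kind, cur = "iface", ifaces.setdefault(words[1], {
                    "encap": None, "bridge_group": None, "encrypt_vlans": set(), "ssids": []})
            else:
                kind = cur = None
        elif kind == "ssid":
            if words[0] == "vlan":
                cur["vlan"] = int(words[1])
            elif words[:2] == ["authentication", "key-management"]:
                cur["wpa"] = True
        elif kind == "iface":
            if words[0] == "encapsulation" and words[1].lower() == "dot1q":
                cur["encap"] = int(words[2])
            elif words[0] == "bridge-group":
                cur["bridge_group"] = int(words[1])
            elif words[:2] == ["encryption", "vlan"]:
                cur["encrypt_vlans"].add(int(words[2]))
            elif words[0] == "ssid":
                cur["ssids"].append(words[1])
    return ssids, ifaces


def lint_ap_config(text):
    """Return findings for the SSID -> VLAN -> sub-interface -> bridge-group -> cipher chain."""
    ssids, ifaces = parse_ap_config(text)
    radios = [i for n, i in ifaces.items() if n.startswith("Dot11Radio") and "." not in n]
    bound = {s for r in radios for s in r["ssids"]}
    findings = []
    for name, s in ssids.items():
        v = s["vlan"]
        if v is None:
            findings.append(f"SSID {name}: no vlan assigned")
            continue
        if name not in bound:
            findings.append(f"SSID {name}: not bound to any radio interface")
        eth = [i for n, i in ifaces.items() if n.startswith("GigabitEthernet") and i["encap"] == v]
        rad = [i for n, i in ifaces.items() if n.startswith("Dot11Radio") and i["encap"] == v]
        for side, subs in (("GigabitEthernet", eth), ("Dot11Radio", rad)):
            if not subs:
                findings.append(f"vlan {v} (SSID {name}): no {side} sub-interface with encapsulation dot1Q {v}")
        groups = {i["bridge_group"] for i in eth + rad}
        if eth and rad and len(groups) != 1:
            findings.append(f"vlan {v} (SSID {name}): bridge-group mismatch between sub-interfaces: "
                            f"{sorted(map(str, groups))}")
        if s["wpa"] and not any(v in r["encrypt_vlans"] for r in radios):
            findings.append(f"SSID {name}: WPA key-management set but no 'encryption vlan {v} mode ciphers' on the radio")
    return findings


if __name__ == "__main__":
    print("table config:", lint_ap_config(AP_CONFIG) or "no findings")
    print("broken config:", *lint_ap_config(BROKEN_CONFIG), sep="\n  ")
```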

Backup & Restore WLC configs

25 Friday JAN 2013

POSTED BY NAYARASI  IN WLC MANAGEMENT ≈ 96 COMMENTS

Tags: WLC backup, WLC Config restore

In a Cisco switch or router (running IOS), taking a configuration backup & restoring it is a very easy task. You can simply back up your router/switch configuration to the flash disk with the “copy run flash” CLI command. Below shows the CLI command to back up a device config to a file named “backup-2013-01-25” & store it on the flash disk.

#copy running-config flash:backup-2013-01-25

In a situation where you have corrupted configs, or for any other reason you want to restore a backup config, you can do it very easily. Once you console into the device you can erase the startup config with the “erase startup-config” CLI command & then reload the device. Once it boots up with zero config you can simply upload the backup config with “copy flash:backup-2013-01-25 running-config” & then save the config.

For my CCIEW lab studies I have to load the initial configuration into the WLC very frequently. In a WLC you have to use the TFTP or FTP method to upload or download a configuration file “from” or “to” the WLC. Even though it is not as simple as in IOS devices, the process is not that complex either. But you have to practice it multiple times to remember the CLI commands involved (you can do this via the WLC GUI as well).

Let’s say you have to replace your WLC with a new one (same hardware model) due to some issue. First you need to upload the existing WLC configuration to a TFTP/FTP server running on your laptop. To do this you can simply connect your PC to the WLC’s service port & assign an IP to your PC in the same subnet as the WLC’s service port. Below shows the 5508 controller ports & number 2 is the service port where you need to connect your PC.

If the WLC’s service port is not configured, then you can simply assign an IP to that port via the console CLI (I prefer the CLI method as it is much faster than loading the GUI). You can do this with the following CLI command, assuming your PC has a 192.168.1.x/24 address.

<WLC> config interface address service-port 192.168.1.200 255.255.255.0

Then open up your TFTP or FTP application on your PC. I have used the TFTP method in this example, as shown in the below screenshot.

Now you are ready to upload the WLC config to your TFTP server from the WLC CLI console. Follow the below screenshot & you can see the CLI commands required.

(WLC1) >transfer upload mode tftp
(WLC1) >transfer upload datatype config
(WLC1) >transfer upload filename wlc-backup-2013-01-25
(WLC1) >transfer upload path .
(WLC1) >transfer upload serverip 192.168.1.3
(WLC1) >transfer upload start

Mode............................................. TFTP
TFTP Server IP................................... 192.168.1.3
TFTP Path........................................ ./
TFTP Filename.................................... wlc-backup-2013-01-25
Data Type........................................ Config File
Encryption....................................... Disabled
*****************************************************
  WARNING: Config File Encryption Disabled
*****************************************************
Are you sure you want to start? (y/N) y
TFTP Config transfer starting.
########
File transfer operation completed successfully.

The transfer upload datatype can be any of the following, but for the configuration backup you need to select the “config” option. A transfer upload path of “.” means the path is the root folder you selected in your TFTP server application.

(WLC1) >transfer upload datatype ?

ap-crash-data  Upload the ap-crash files.

config         Upload the system's configuration file.
crashfile      Upload the system's crash file.
debug-file     Upload the system's debug log file.
errorlog       Upload the system's error log.
invalid-config Upload the system's invalid-config file.
pac            Upload a PAC (Protected Access Credential).
panic-crash-file Upload the Kernel Panic Information file.
radio-core-dump Upload the ap-radio core dump files.
signature      Upload the system's signature files.
systemtrace    Upload the system's trace file.
traplog        Upload the system's trap log.
watchdog-crash-file Upload the Watchdog Information file.

Now you have to download this config onto your new controller, which has zero config. Through the configuration wizard you can configure the initial parameters required. Remember to configure the service port in the same subnet as your TFTP/FTP PC.

Would you like to terminate autoinstall? [yes]: yes

System Name [Cisco_43:d8:63] (31 characters max): WLC1

Enter Administrative User Name (24 characters max): admin

Enter Administrative Password (3 to 24 characters): ***********

Re-enter Administrative Password                 : ***********

Service Interface IP Address Configuration [static][DHCP]: static

Service Interface IP Address: 192.168.1.200
Service Interface Netmask: 255.255.255.0
Enable Link Aggregation (LAG) [yes][NO]: no
Management Interface IP Address: 10.10.111.10
Management Interface Netmask: 255.255.255.0
Management Interface Default Router: 10.10.111.1
Management Interface VLAN Identifier (0 = untagged): 111
Management Interface Port Num [1 to 2]: 1
Management Interface DHCP Server IP Address: 192.168.200.1
AP Manager Interface IP Address: 10.10.111.11
AP-Manager is on Management subnet, using same values
AP Manager Interface DHCP Server (192.168.200.1):
Virtual Gateway IP Address: 1.1.1.1
Mobility/RF Group Name: mrn-cciew
Network Name (SSID): MRN-VOIP
Configure DHCP Bridging Mode [yes][NO]: no
Allow Static IP Addresses [YES][no]: no
Configure a RADIUS Server now? [YES][no]: no
Enter Country Code list (enter 'help' for a list of countries) [US]: AU
Enable 802.11b Network [YES][no]: no
Enable 802.11a Network [YES][no]: no
Enable Auto-RF [YES][no]: yes
Configure a NTP server now? [YES][no]: no
Configure the system time now? [YES][no]: no

Configuration correct? If yes, system will save it and reset. [yes][NO]:

Once the controller boots up with the basic config, you can download your original controller backup configuration via the TFTP server. See the below screenshot.

(Cisco Controller) >transfer download mode tftp
(Cisco Controller) >transfer download datatype config
(Cisco Controller) >transfer download filename wlc-backup-2013-01-25
(Cisco Controller) >transfer download path .
(Cisco Controller) >transfer download serverip 192.168.1.3
(Cisco Controller) >transfer download start

Mode............................................. TFTP
Data Type........................................ Config
TFTP Server IP................................... 192.168.1.3
TFTP Packet Timeout.............................. 6
TFTP Max Retries................................. 10
TFTP Path........................................ ./
TFTP Filename.................................... backup-2013-01-25
Encrypt/Decrypt Flag............................. Disabled

Warning: Downloading configuration will cause the controller to reset...

This may take some time.
Are you sure you want to start? (y/N) y

TFTP Config transfer starting.
TFTP receive complete... updating configuration.
Warning! No AP will come up unless the time is set. Please see documentation for more details.

TFTP receive complete... storing in flash.
System being reset.
Resetting system ...

In the download scenario the following options are available, & we selected the “config” option as we are downloading a configuration file onto the WLC. If it is a controller software upgrade you need to select the “code” keyword.

(WLC1) >transfer download datatype ?

code           Download an executable image to the system.

config         Download Configuration File.
eapcacert      Download a eap ca certificate to the system.
eapdevcert     Download a eap dev certificate to the system.
icon           Download an executable image to the system.
image          Download a web page logo to the system.
login-banner   Download controller login banner. (Only Text file supported: Max 1500 bytes & 18 lines, Non printable characters not supported)
signature      Download a signature file to the system.
webadmincert   Download a certificate for web administration to the system.
webauthbundle  Download a custom webauth bundle to the system.
webauthcert    Download a web certificate for web portal to the system.

The WLC configuration guide, “Chapter 10 – Managing Controller Software & Configurations”, explains this topic in detail. Please refer to it for more detail.

Update @ 4 Dec 2013:
Chris: I am running v3.35 of Tftpd32 & please check your settings against the below.

Tags: WLC backup automation, WLC config backup

In this post we will see how to take configuration backups of WLCs using Prime Infrastructure. If you have multiple controllers, then Prime Infrastructure would be the easiest way to automate the WLC configuration backup at a regular interval. I have used Prime Infrastructure Release 1.4.1 to illustrate this.

You can use the FTP/TFTP/SFTP method to take the configuration backup. First we will see how to back up the WLC configuration to the local FTP server of PI. You can enable this (by default it is disabled) under the “Administration -> Background Tasks -> Controller Configuration Backup” section as shown below.

Once you schedule the backup, you will see the WLC configuration backed up in the default FTP folder of your Prime Infrastructure (disk:/ftp).

primedev/admin# dir disk:/ftp
Directory of disk:/ftp
       9767 Jan 12 2014 15:00:06  10_129_0_7_140112_1500.cfg
   17367740 Nov 26 2013 15:40:01  PI_1.4_0_45_Update_1-16.tar.gz
   52501585 Jan 12 2014 12:06:33  PI_1.4_0_45_Update_1-39.gz

           Usage for disk: filesystem
                  1098838016 bytes total used
                 27784806400 bytes free
                 30455668736 bytes available

Now you can use any FTP client software to export it wherever you like. I have used the FileZilla FTP client to export it to my PC.

If you need to see the WLC configuration, then you can open it in a text editor & review the configuration.

Now let’s see how you can back up directly to an external FTP server. To do this you need to first add the external FTP server to your Prime. You can do this under the “Configure -> FTP/TFTP/SFTP” section as shown below.

Now if you go to the “Administration -> Background Tasks -> Controller Configuration Backup” section you can modify the settings to point to the newly created FTP server. You need to update the FTP username/password according to your FTP server settings.

Now you can see the controller backup is saved on your external FTP server.

Here is my external FTP server root folder where the configuration backup is saved.

If you would like, you can use TFTP as well. Below shows the configuration backup saved to a TFTP server on my PC.

Now you can modify the Controller Configuration Backup settings under Background Tasks to point to your TFTP server.

Now you can see your WLC configuration backed up to the specified location on your TFTP server & verify the successful backup entry on Prime itself.

This is really useful if you have multiple controllers which need to be backed up regularly. It is always better to keep the configuration backup external to Prime itself, in case of an issue with the Prime Infrastructure.

802.11 Mgmt : Beacon Frame

08 Wednesday OCT 2014

POSTED BY NAYARASI  IN CWAP ≈ 28 COMMENTS

Tags: Beacon Frame, CWAP

Beacon frames are used by access points (and stations in an IBSS) to communicate throughout the serviced area the characteristics of the connection offered to the cell members. This information is used by clients trying to connect to the network as well as clients already associated to the BSS.

Beacons are sent periodically at a time called the Target Beacon Transmission Time (TBTT).
1 TU = 1024 microseconds
Beacon interval = 100 TU (100 x 1024 microseconds, or 102.4 milliseconds)

Here is the frame format of a Beacon frame.

Below shows a beacon frame capture. In the frame body section there are a few mandatory fields & a few optional fields. Here are the mandatory fields in a Beacon frame.
1. Timestamp (8 byte)
2. Beacon Interval (2 byte)
3. Capability info (2 byte)
4. SSID (variable size)
5. Supported Rates (variable size)

Here is a brief description of each field of a Beacon Frame. If the size of the IE is specified within brackets, those elements are fixed length. Other elements are variable in size.

1. Timestamp (8 byte)
A value representing the time on the access point, which is the number of microseconds the AP has been active. When the timestamp reaches its max (2^64 microseconds or ~580,000 years) it will reset to 0. This field is contained in Beacon Frames & Probe Response frames.

2. Beacon Interval (2 byte)
The Beacon Interval field represents the number of time units (TU) between target beacon transmission times (TBTT). The default value is 100 TU (102.4 milliseconds).

3. Capability Information (2 byte)
This field contains a number of subfields that are used to indicate requested or advertised optional capabilities.

4. SSID
Present in all Beacons, Probe Requests, Probe Responses, Association Requests & Reassociation Requests. The Element ID is 0 for the SSID IE. An SSID can have a maximum of 32 characters.

5. Supported Rates
This is present in Beacons, Probe Req, Probe Res, Association Req, Association Res, Reassociation Req and Reassociation Response. It is an 8-octet field where each octet describes a single supported rate. The last bit (7th) of each octet indicates whether the data rate is a “basic rate or mandatory” rate or a “supported rate”. If the 7th bit value is 1 it indicates a basic rate, whereas a value of 0 indicates a supported rate. The next 7 bits (0-6) specify the data rate value in units of 500 kbps.

Eg. 6 Mbps (12 x 500 kbps units) as a Basic Rate is represented as 10001100
7th bit = 1 (to indicate a basic rate)
bits 0-6 = 0001100 (value 12, to indicate 6 Mbps)

Here is an expansion of a “Supported Rate” field of a Beacon. It has Element ID, Length & Supported Rates fields. At least one mandatory rate must be set by the AP & any station wanting to join the cell must support all basic rates. The given example shows the default setting of an 802.11a radio where 6 Mbps, 12 Mbps & 24 Mbps are set as “Basic Rates” to ensure the joining station understands all modulation techniques (i.e. BPSK: 6, 9 Mbps; QPSK: 12, 18 Mbps; QAM: 24 Mbps & higher).

6. FH Parameter Set
Used by legacy Frequency Hopping (FH) stations.

7. DS Parameter (2 byte)
Present in beacon frames generated by stations using a Clause 15, 18 or 19 PHY, or if the beacon is sent using one of the rates defined by one of those clauses.

8. CF Parameter (8 byte)
Used with PCF; unused in real networks.

9. IBSS Parameter (4 byte)
Present only within beacon frames generated by stations in an IBSS (or Ad-Hoc network).

10. TIM (Traffic Indication Map)
Present only within beacon frames generated by APs. The TIM element contains information useful for stations in low-power mode. The AP uses the Delivery Traffic Indication Map (DTIM) to inform the cell if it has broadcast or multicast frames buffered. A DTIM is not present in all beacons (not every TIM is a DTIM). As you can see below it has the following fields:
a. Element ID (1 byte)
b. Length (4 byte)
c. DTIM Count (1 byte) – how many beacon frames (including the current one) appear before the next DTIM. A value of 0 indicates the current TIM is a DTIM.
d. DTIM Period (1 byte) – number of beacon intervals between successive DTIMs.
e. Bitmap Control (1 byte) – if the 1st bit = 1, there is buffered multicast/broadcast data at the AP; if the 1st bit = 0, there is no multicast/broadcast data at the AP.
f. Partial Virtual Bitmap (1-251 byte) – represents the stations in low-power mode for which the AP has traffic buffered.

11. Country
Each country has regulatory bodies that limit the channels and power levels allowed in its regulatory domain. The Country element identifies the country of operation together with the allowed channels and the maximum transmit power. It is not a mandatory element in a beacon.

12-13. FH Parameters & FH Pattern Table (used by legacy FH stations)
14. Power Constraint (3 bytes)
This element is part of 802.11h. It applies to UNII-2 and UNII-2 Extended (CH52, 56, 60, 64 and CH100-140), where the spectrum is shared with other users such as civilian airport radar and weather radar. To avoid interfering with those systems, stations must operate below the regulatory maximum advertised in the Country element by the number of dB given in this element.

15. Channel Switch Announcement (6 bytes)
Also part of 802.11h. When radar is detected, all stations must leave the affected channel. The AP uses this element to announce to the cell which channel it will move to and, via the Channel Switch Count, how many beacons remain before the switch. Because beacons are not authenticated, a forged Channel Switch Announcement can steer clients off the AP's channel; it is a well-known way to detach clients without sending a single deauthentication frame.

16. Quiet (8 bytes)
Another 802.11h element: an AP can request a quiet period during which no station should transmit, so that the channel can be tested for the presence of radar.
17. IBSS DFS
Used with 802.11h in an IBSS.
18. TPC Report (4 bytes)
Also an 802.11h element. The TPC Report contains Transmit Power and Link Margin information and is usually sent in response to a TPC Request element. Below is the TPC Report element of a beacon frame.

19. ERP Information (3 bytes)
The ERP element is present only on 2.4 GHz networks supporting 802.11g, in beacons and probe responses. The NonERP_Present bit is set to 1 under the following conditions:
a. A non-ERP station (legacy 802.11 or 802.11b) associates to the cell.
b. A neighbouring cell is detected that allows only non-ERP data rates.
c. Any other management frame (except a probe request) is received from a neighbouring cell supporting only non-ERP data rates.
20. Extended Supported Rates
The Extended Supported Rates element carries the supported rates that do not fit in the Supported Rates element. It is only required when there are more than 8 supported rates.
21. RSN (Robust Security Network)
The RSN information element advertises the authentication and key management (AKM) suites, the pairwise and group cipher suites, and other RSN capabilities of the station. In the RSN IE below, the AP supports 802.1X and 802.11r FT (FT over 802.1X) as AKM suites and uses CCMP (AES) as both the pairwise cipher (for unicast traffic) and the group cipher (for broadcast/multicast). The RSN Capabilities field also carries the Management Frame Protection bits (MFPC, MFPR). Keep in mind that the RSN IE in beacons and probe responses is not authenticated: the client only learns it saw the genuine one when the AP echoes its RSN IE inside message 3 of the 4-way handshake, which is what detects a downgrade attempt.
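As an added example (written for this page, not code from the post), the Python below decodes an RSN IE into its suites and capability bits and flags the settings a pentester looks for first. Both sample elements are constructed: one matches the capture described above (802.1X and FT-802.1X with CCMP), the other is a deliberately weak WPA2 mixed-mode PSK network that still offers TKIP.

```python
"""Decode the 802.11 RSN element (Element ID 48) and flag weak settings.

Added example; the two sample elements are constructed, not captured.
"""
import struct

RSN_ID = 48
RSN_OUI = b"\x00\x0f\xac"

CIPHER_SUITES = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104",
                 8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
AKM_SUITES = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK",
              5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE",
              11: "802.1X-SuiteB", 12: "802.1X-SuiteB-192", 18: "OWE"}
LEGACY_CIPHERS = {"WEP-40", "WEP-104", "TKIP"}


def _suite_name(body, pos, table):
    """Name one 4-byte suite selector (3-byte OUI + 1-byte selector)."""
    suite = body[pos:pos + 4]
    if len(suite) != 4:
        raise ValueError("truncated suite selector")
    oui, selector = suite[:3], suite[3]
    if oui != RSN_OUI:
        return "vendor-%s:%d" % (oui.hex(), selector)
    return table.get(selector, "reserved-%d" % selector)


def _suite_list(body, pos, table):
    """Parse a little-endian count followed by that many suite selectors."""
    if pos + 2 > len(body):
        raise ValueError("truncated suite count")
    (count,) = struct.unpack_from("<H", body, pos)
    pos += 2
    names = []
    for _ in range(count):
        names.append(_suite_name(body, pos, table))
        pos += 4
    return names, pos


def decode_rsn(ie):
    """Return version, group/pairwise ciphers, AKMs and capability bits of an RSN IE."""
    if len(ie) < 2 or ie[0] != RSN_ID:
        raise ValueError("not an RSN element")
    body = ie[2:2 + ie[1]]
    if len(body) != ie[1] or len(body) < 2:
        raise ValueError("truncated RSN element")
    (version,) = struct.unpack_from("<H", body, 0)
    if version != 1:
        raise ValueError("unsupported RSN version %d" % version)
    group = _suite_name(body, 2, CIPHER_SUITES)
    pairwise, pos = _suite_list(body, 6, CIPHER_SUITES)
    akm, pos = _suite_list(body, pos, AKM_SUITES)
    caps = struct.unpack_from("<H", body, pos)[0] if pos + 2 <= len(body) else 0
    return {"version": version, "group": group, "pairwise": pairwise, "akm": akm,
            "preauth": bool(caps & 0x0001),
            "mfpr": bool(caps & 0x0040),   # Management Frame Protection Required
            "mfpc": bool(caps & 0x0080)}   # Management Frame Protection Capable


def rsn_weaknesses(info):
    """Findings a practitioner would raise from the advertised RSN settings."""
    issues = []
    if LEGACY_CIPHERS & set([info["group"]] + info["pairwise"]):
        issues.append("legacy cipher (WEP/TKIP) offered")
    if not info["mfpc"]:
        issues.append("MFP not supported: deauth/disassoc frames can be forged")
    elif not info["mfpr"]:
        issues.append("MFP capable but not required: clients may connect unprotected")
    return issues


# Constructed: version 1, group CCMP, pairwise CCMP, AKM 802.1X + FT-802.1X, caps 0
SAMPLE_FT_RSN = bytes.fromhex(
    "3018" "0100" "000fac04" "0100" "000fac04" "0200" "000fac01" "000fac03" "0000")
# Constructed: WPA2 mixed mode, group TKIP, pairwise CCMP + TKIP, AKM PSK, caps 0
SAMPLE_MIXED_RSN = bytes.fromhex(
    "3018" "0100" "000fac02" "0200" "000fac04" "000fac02" "0100" "000fac02" "0000")

if __name__ == "__main__":
    for label, ie in (("FT/802.1X", SAMPLE_FT_RSN), ("mixed PSK", SAMPLE_MIXED_RSN)):
        info = decode_rsn(ie)
        print(label, info["akm"], info["pairwise"], info["group"], rsn_weaknesses(info))
```

The same decoder applies to the RSN IE carried in Association Requests and in EAPOL message 2/3, which is where the handshake comparison happens; running it over both the beacon's IE and the handshake copy is a quick way to spot a downgrade in a capture.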

22. BSS Load
This element is used only when QoS is supported and is often called the QBSS Load element. It provides information on the cell load from the AP's point of view. It has the following subfields:
a. Station Count – how many stations are currently associated.
b. Channel Utilization – the percentage of time the AP sensed the medium as busy, scaled to 0-255.
c. Available Admission Capacity –

23. EDCA Parameter Set
Also used only when QoS is supported. In most QoS-enabled networks this element is not used; the same information is carried in the WMM/WME vendor-specific element instead.
24. QoS Capability
Used only when QoS is supported. It replaces the EDCA Parameter Set when that element is absent.
25-32, 34-36. Vendor Specific
33. Mobility Domain
An AP that supports 802.11r (Fast BSS Transition) uses the Mobility Domain IE to advertise it. Shown below is the MDIE of a beacon that supports FT over the DS.

39. 20/40 BSS Coexistence
40. Overlapping BSS Scan Parameters
41. Extended Capabilities
42. VHT Capabilities
Used with 802.11ac.
43. VHT Operation
Used with 802.11ac.
44. VHT Transmit Power Envelope
Used with 802.11ac.

References

CWAP – 802.11 Mgmt Frame Types

29 Monday SEP 2014

POSTED BY NAYARASI IN CWAP

Tags: 802.11 Management Frames, CWAP

802.11 management frames have a MAC header with three address fields. For 802.11a/b/g the MAC header is 24 bytes, whereas an 802.11n management frame can carry an additional 4-byte HT Control field (present when the Order bit of the Frame Control field is set), giving a 28-byte header, as shown below (page 124-125, CWAP Official Study Guide).

There are 12 management frame subtypes defined by the 802.11-2007 standard, shown below (page 125, CWAP study guide). Action No Ack, the 13th in the list that follows, was added by 802.11n.

In Wireshark you can use the subtype to filter management traffic. Below are the filters and a sample management frame for each subtype. Note that wlan.fc.type_subtype already encodes the frame type, so the wlan.fc.type == 0 clause is redundant but harmless.

1. Association Request
(wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x00)

2. Association Response
(wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x01)

3. Reassociation Request
(wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x02)

4. Reassociation Response
(wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x03)

5. Probe Request
(wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x04)

6. Probe Response
(wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x05)

7. Beacon
(wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x08)

8. Announcement Traffic Indication Message – ATIM
(wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x09)

9. Disassociation
(wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x0a)

10. Authentication
(wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x0b)

11. Deauthentication
(wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x0c)

12. Action
(wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x0d)

13. Action No Ack
(wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x0e)
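The Wireshark filters above are the same type/subtype bits in the first byte of the Frame Control field. As an added example (written for this page, not code from the post), the Python below parses the three-address management header described earlier, reports the matching Wireshark filter, and counts deauthentication frames per transmitter, the classic deauth-flood signature. All frames and MAC addresses are constructed (locally administered 02:xx dummies), not captured traffic.

```python
"""Parse the 802.11 management-frame MAC header and count deauthentication floods.

Added example; frames are constructed with dummy addresses, not captured.
"""
import struct
from collections import Counter

MGMT_SUBTYPES = {
    0x0: "Association Request", 0x1: "Association Response",
    0x2: "Reassociation Request", 0x3: "Reassociation Response",
    0x4: "Probe Request", 0x5: "Probe Response", 0x8: "Beacon", 0x9: "ATIM",
    0xA: "Disassociation", 0xB: "Authentication", 0xC: "Deauthentication",
    0xD: "Action", 0xE: "Action No Ack",
}
FLAG_ORDER = 0x80  # Frame Control flags bit 7: an HT Control field follows the 24-byte header


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def parse_mgmt_frame(frame):
    """Return the header fields of a management frame (type 0) as a dict."""
    if len(frame) < 24:
        raise ValueError("shorter than a 3-address MAC header")
    fc0, flags = frame[0], frame[1]
    version, ftype, subtype = fc0 & 0x3, (fc0 >> 2) & 0x3, fc0 >> 4
    if version != 0 or ftype != 0:
        raise ValueError("not a management frame")
    header_len = 28 if flags & FLAG_ORDER else 24   # 802.11n HT Control adds 4 bytes
    if len(frame) < header_len:
        raise ValueError("HT Control field truncated")
    (seq_ctrl,) = struct.unpack_from("<H", frame, 22)
    info = {
        "subtype": subtype,
        "name": MGMT_SUBTYPES.get(subtype, "Reserved"),
        "da": mac_str(frame[4:10]),      # Address 1
        "sa": mac_str(frame[10:16]),     # Address 2
        "bssid": mac_str(frame[16:22]),  # Address 3
        "seq": seq_ctrl >> 4,
        "frag": seq_ctrl & 0xF,
        "header_len": header_len,
        "wireshark": "wlan.fc.type_subtype == 0x%02x" % subtype,
    }
    body = frame[header_len:]
    if subtype in (0xA, 0xC) and len(body) >= 2:   # Disassociation / Deauthentication
        info["reason_code"] = struct.unpack_from("<H", body, 0)[0]
    return info


def build_mgmt_frame(subtype, da, sa, bssid, seq, body=b""):
    """Build a minimal management frame: FC, Duration, 3 addresses, Sequence Control, body."""
    fc = bytes([subtype << 4, 0x00])   # type 0 (management), protocol version 0, no flags
    return fc + b"\x00\x00" + da + sa + bssid + struct.pack("<H", seq << 4) + body


def deauth_flood_sources(frames, threshold):
    """Return {transmitter: count} for addresses sending at least `threshold` deauths."""
    counts = Counter()
    for frame in frames:
        try:
            info = parse_mgmt_frame(frame)
        except ValueError:
            continue
        if info["subtype"] == 0xC:
            counts[info["sa"]] += 1
    return {sa: n for sa, n in counts.items() if n >= threshold}


# Constructed sample addresses and frames
AP = bytes.fromhex("020000000001")
CLIENT = bytes.fromhex("020000000002")
BROADCAST = b"\xff" * 6
REASON_CLASS3_NOT_ASSOC = 7   # "Class 3 frame received from nonassociated STA"

SAMPLE_DEAUTH = build_mgmt_frame(0xC, CLIENT, AP, AP, 17,
                                 struct.pack("<H", REASON_CLASS3_NOT_ASSOC))
SAMPLE_BEACON = build_mgmt_frame(0x8, BROADCAST, AP, AP, 1, b"\x00" * 12)
# One beacon plus 50 broadcast deauths "from" the AP: the signature of a deauth flood
SAMPLE_CAPTURE = [SAMPLE_BEACON] + [
    build_mgmt_frame(0xC, BROADCAST, AP, AP, s, struct.pack("<H", REASON_CLASS3_NOT_ASSOC))
    for s in range(50)]

if __name__ == "__main__":
    print(parse_mgmt_frame(SAMPLE_DEAUTH))
    print("flood sources:", deauth_flood_sources(SAMPLE_CAPTURE, 10))
```

Without management frame protection the AP cannot tell its own deauthentication frames from forged ones, so the per-transmitter rate is the only signal a WIDS has; a real capture also needs to account for retransmissions (Frame Control Retry bit) and the fact that an attacker can spoof the AP's address, as the sample flood does.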

L2 – Inter Controller Roaming

17 Sunday MAR 2013

POSTED BY NAYARASI IN MOBILITY

Tags: L2 Roaming

In this post we will see how L2 inter-controller roaming works. I am using the following topology, which was previously configured for mobility (see the Configuring WLC Mobility post before this).

Since this is a lab environment, I will forcefully disconnect the client from the AP it is associated with so that it moves to another AP. This is how I simulate client roaming. I will have an active voice call while this roaming event occurs and observe whether the call session gets dropped.

First we will check the client associations in WLC1.

(WLC1) >show client summary
Number of Clients................................ 1

MAC Address       AP Name           Status        WLAN/GLAN      Auth Protocol         Port Wired
----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
00:1b:d4:58:e6:1a LWAP-02           Associated    4              Yes  802.11a          1    No

(WLC1) >show client detail 00:1b:d4:58:e6:1a
Client MAC Address............................... 00:1b:d4:58:e6:1a
Client Username ................................. user2
AP MAC Address................................... 54:75:d0:3e:80:b0
AP Name.......................................... LWAP-02
Client State..................................... Associated
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 4
BSSID............................................ 54:75:d0:3e:80:bc
Connected For ................................... 199 secs
Channel.......................................... 161
IP Address....................................... 10.10.14.54
Association Id................................... 1
Authentication Algorithm......................... Open System
Reason Code...................................... 1
Status Code...................................... 0
Client CCX version............................... 5
Client E2E version............................... No E2E support
Diagnostics Capability........................... Not Supported
S69 Capability................................... Not Supported
Re-Authentication Timeout........................ 1378
Mirroring........................................ Disabled
QoS Level........................................ Platinum
802.1P Priority Tag.............................. 6
WMM Support...................................... Enabled
APSD ACs.......................................  BK(T/D)  BE(T/D)  VI(T/D)  VO(T/D)
Power Save....................................... ON
Current Rate..................................... 54.0
Supported Rates.................................. 24.0,36.0,48.0,54.0
Mobility State................................... Local
Mobility Move Count.............................. 1
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
ACL Name......................................... none
ACL Applied Status............................... Unavailable
NPU Fast Fast Notified........................... Yes

Policy Type...................................... WPA2
Authentication Key Management.................... CCKM
Encryption Cipher................................ CCMP (AES)
Management Frame Protection...................... No
EAP Type......................................... 0
Interface........................................ vlan14
VLAN............................................. 14

Now we will forcefully remove this client from WLC1. See the screen below for how to do this.

I did not notice the call drop during this roaming event. You can see the client entry moved to WLC2, which is normal in L2 roaming.

(WLC2) >show client detail 00:1b:d4:58:e6:1a

Client MAC Address............................... 00:1b:d4:58:e6:1a

Client Username ................................. user2

AP MAC Address................................... 64:a0:e7:af:47:40

AP Name.......................................... LWAP-03
Client State..................................... Associated
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 4
BSSID............................................ 64:a0:e7:af:47:4c
Connected For ................................... 31 secs
Channel.......................................... 40
IP Address....................................... 10.10.14.54
Association Id................................... 1
Authentication Algorithm......................... Open System
Reason Code...................................... 1
Status Code...................................... 0
Client CCX version............................... 5
Client E2E version............................... No E2E support
Diagnostics Capability........................... Not Supported
S69 Capability................................... Not Supported
Re-Authentication Timeout........................ 1743
Mirroring........................................ Disabled
QoS Level........................................ Platinum
802.1P Priority Tag.............................. 6
WMM Support...................................... Enabled
APSD ACs.......................................  BK(T/D)  BE(T/D)  VI(T/D)  VO(T/D)
Power Save....................................... OFF
Supported Rates.................................. 24.0,36.0,48.0,54.0

Mobility State................................... Local
Mobility Move Count.............................. 0
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
ACL Name......................................... none
ACL Applied Status............................... Unavailable
NPU Fast Fast Notified........................... Yes
Policy Type...................................... WPA2
Authentication Key Management.................... CCKM
Encryption Cipher................................ CCMP (AES)
Management Frame Protection...................... No
EAP Type......................................... PEAP
Interface........................................ vlan14
VLAN............................................. 14
Quarantine VLAN.................................. 0
Access VLAN...................................... 14

If you take a Wireshark packet capture on the trunk port connected to the WLC while roaming occurs, you can verify the sequence of events (see below).

In the next post we will see how L3 roaming occurs.

Configuring Country Codes on WLC

07 Sunday APR 2013

POSTED BY NAYARASI IN WLC FEATURES

Tags: Multiple Country Code on WLC, WLC country codes

Controllers (WLC) & Access Points(AP) are designed for use in many countries with varying regulatory requirements. The radios within APs are assigned to a specific regulatory domain at the factory level. Configuring a country code ensures that each radio’s broadcast frequency bands, interfaces, channels and transmit power levels are compliant with country-specific regulations.

Generally you configure one country code per controller; however, WLC code 4.1 onwards allows up to 20 country codes per controller, so you can manage APs in various countries from a single controller. For a given AP, all radios must be in the same regulatory domain. The exception is mesh APs, which require a single country code on the WLC in order to register.

Here is an example of the regulatory domains for different AP models (controller based). The complete document is the WLAN Compliance Status.

Here are the guidelines when configuring multiple country codes on a controller.

1. When the multiple country feature is being used, all controllers that are going to join the same RF group must be configured with the same set of countries, configured in the same order.
2. When multiple countries are configured and the radio resource management (RRM) auto-RF feature is enabled, the common channel set is derived by taking the union (superset) of the allowed channels of the configured countries.
3. An AP can only operate on the channels of the countries it is designed for.
4. The country list configured on the RF group leader determines which channels the members operate on. This list is independent of the countries configured on the RF group members.

You can configure country codes through the GUI or CLI of a controller. You have to disable the 802.11a/n and 802.11b/g/n networks before configuring country codes. Through the GUI, go to "Wireless -> Country" as shown below (not all selected countries are shown under the tick boxes).

Then you can go to each individual AP and change its country code to the country it is in (if your APs are in multiple countries). The AP must be set to the correct regulatory domain at the factory. Since I do not have APs from different regulatory domains, I have simply configured one of my APs with country NZ, which is part of the same regulatory domain as AU.

Using the CLI you can configure this as follows. The "show country" and "show ap summary" commands can be used to verify the settings.

(4402-a) >config 802.11a disable network
(4402-a) >config 802.11b disable network
(4402-a) >config country AU,LK,NZ
Changing country code could reset channel & RRM grouping configuration.
If running in RRM One-Time mode, reassign channels after this command.
Check customized APs for valid channel values after this command.
Are you sure you want to continue? (y/n) y

Configured Country............................. Multiple Countries:AU,LK,NZ
      KEY: * = Channel is legal in this country and may be configured manually.
           A = Channel is the Auto-RF default in this country.
           . = Channel is not legal in this country.
           C = Channel has been configured for use by Auto-RF.
           x = Channel is available to be configured for use by Auto-RF.
         (-,-) = (indoor, outdoor) regulatory doamin allowed by this country.
-----------------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-
    802.11bg     :
    Channels     :                   1 1 1 1 1
                 : 1 2 3 4 5 6 7 8 9 0 1 2 3 4
-----------------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-
 AU (-A   ,-NA  ): A * * * * A * * * * A . . .
 LK (-E   ,     ): A * * * * A * * * * A * * .
 NZ (-A   ,-NA  ): A * * * * A * * * * A . . .
 Auto-RF         : C x x x x C x x x x C x x .
-----------------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
    802.11a      :                         1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
    Channels     : 3 3 3 4 4 4 4 4 5 5 6 6 0 0 0 1 1 2 2 2 3 3 4 4 5 5 6 6
                 : 4 6 8 0 2 4 6 8 2 6 0 4 0 4 8 2 6 0 4 8 2 6 0 9 3 7 1 5
-----------------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
 AU (-N   ,-N   ): . A . A . A . A A A A A . . . . . . . . . . . A A A A *
 LK (-E   ,     ): . A . A . A . A A A A A * * * * * * * * * * * . . . . .
 NZ (-N   ,-N   ): . A . A . A . A A A A A . . . . . . . . . . . A A A A *
 Auto-RF         : . C . C . C . C C C C C x x x x x x x x x x x C C C C x

(4402-a) >config 802.11a enable network
(4402-a) >config 802.11b enable network

(4402-a) >config ap disable 1252-c
(4402-a) >config ap country NZ 1252-c
To change country code: first disable target AP(s) (or disable all networks).
Changing the country may reset any customized channel assignments.
Changing the country may reboot disabled target AP(s).
Are you sure you want to continue? (y/n) y
1252-c              NZ       changed     (New country configured)
(4402-a) >config ap enable 1252-c

(4402-a) >show ap summary
Number of APs.................................... 2
Global AP User Name.............................. Not Configured
Global AP Dot1x User Name........................ Not Configured

AP Name             Slots  AP Model              Ethernet MAC       Location          Port  Country  Priority
------------------  -----  --------------------  -----------------  ----------------  ----  -------  ------
3502-d               2     AIR-CAP3502I-N-K9     44:d3:ca:af:43:43      3750-A Port4  1        AU       1
1252-c               2     AIR-LAP1252AG-N-K9    c8:4c:75:2c:95:c0      3750-a-PORT3  1        NZ       1

(4402-a) >show country
Configured Country............................. Multiple Countries:AU,LK,NZ
Configured Country Codes
        AU  - Australia................................. 802.11a Indoor,Outdoor / 802.11b / 802.11g
        LK  - Sri Lanka................................. 802.11a Indoor,Outdoor / 802.11b / 802.11g
        NZ  - New Zealand............................... 802.11a In

WLAN Config via CLI – Part 1

16 Thursday MAY 2013

POSTED BY NAYARASI IN CLI, WLC

Tags: WLC CLI

In this post we will see how to learn the CLI commands to configure a WLAN. I have created a WLAN called "Test-15" with WLAN ID 15. Here are the default settings once you create a WLAN.

Here are the CLI commands generated by this basic WLAN creation. You can derive them by taking a backup of the WLC configuration.

config wlan create 15 Test-15 Test-15

config wlan interface 15 management

config wlan broadcast-ssid enable 15

config wlan security wpa enable 15

config wlan wmm allow 15

config wlan session-timeout 15 1800

config wlan exclusionlist 15 60

config wlan mfp client enable 15

As you can see, all the CLI commands start with "config wlan", and as long as you master the "config wlan" commands you should be able to configure any WLAN-specific feature via the CLI. Here is the full list.

(WLC2) >config wlan ?

7920-support   Configures support for phones.

IPv6Support    Configures IPv6 support on a WLAN.

aaa-override   Configures user policy override via AAA on a WLAN.

acl            Specify a per-WLAN ACL

apgroup        Manage AP Groups VLAN feature.

band-select    Allow|Disallow Band Select on a WLAN.

broadcast-ssid Configures SSID Broadcast on a WLAN.

call-snoop     Configures Call Snooping.

ccx            Configure Cisco Client Extension options.

channel-scan   Configures off channel scanning deferral parameters.

chd            Enable/Disable CHD per WLAN

create         Creates a WLAN.

custom-web     Configures the Web Authentication Page per Profile.

delete         Deletes a WLAN.

dhcp_server    Configures the WLAN's DHCP Server.

diag-channel   Configures Diagnostics Channel Capability on a WLAN.

disable        Disables a WLAN.

dtim           Configures the DTIM Period for a WLAN

enable         Enables a WLAN.

exclusionlist  Configures Exclusion-list timeout.

h-reap         Configures H-REAP options for wlan.

interface      Configures the WLAN's interface.

ldap           Configures the WLAN's LDAP servers.

load-balance   Allow|Disallow Load Balance on a WLAN.

local-auth     Configures Local EAP Authentication.

mac-filtering  Configures MAC filtering on a WLAN.

max-associated-clients Configures maximum no. of client connections on wlan/guest-lan/remote-lan.

media-stream   Configures Media Stream.

mfp            Configures Management Frame Protection.

mobility       Configures the Inter-Switch Mobility Manager

multicast      Configures the WLAN's multicast parameters.

nac            Configures NAC on wlan/guest-lan/remote-lan.

peer-blocking  Configure peer-to-peer blocking on a WLAN.

qos            Configures Quality of Service policy.

radio          Configures the Radio Policy.

radius_server  Configures the WLAN's RADIUS Servers.

roamed-voice-client Configure Voice Client Re-Anchor policy

security       Configures the security policy for a WLAN.

session-timeout Configures client timeout.

sip-cac        Configure SIP CAC Failure policy.

static-ip      Configures static IP client tunneling support on a WLAN.

uapsd          Configures UAPSD.

webauth-exclude Enable/Disable WebAuth Exclusion

wmm            Configures WMM (WME).

There are 44 commands… How do you remember them? Let's break them down into the sections that correspond to the GUI.

Here is the corresponding CLI for this section.

(WLC2) >config wlan ?

create         Creates a WLAN.

broadcast-ssid Configures SSID Broadcast on a WLAN.

interface      Configures the WLAN's interface.

disable        Disables a WLAN.

enable         Enables a WLAN.

delete         Deletes a WLAN.

radio          Configures the Radio Policy.

multicast      Configures the WLAN's multicast parameters.

Here are the security section related configs.

Here are the QoS related configurations.

(WLC2) > config wlan ?

qos            Configures Quality of Service policy.

wmm            Configures WMM (WME).

7920-support   Configures support for phones.

media-stream   Configures Media Stream.

uapsd          Configures UAPSD.

Next, the Advanced configuration settings of a WLAN.

Here are the CLI commands relevant to this section.

(WLC2) > config wlan ?

aaa-override   Configures user policy override via AAA on a WLAN.

chd            Enable/Disable CHD per WLAN

session-timeout Configures client timeout.

ccx            Configure Cisco Client Extension options.

diag-channel   Configures Diagnostics Channel Capability on a WLAN.

IPv6Support    Configures IPv6 support on a WLAN.

acl            Specify a per-WLAN ACL

peer-blocking  Configure peer-to-peer blocking on a WLAN.

exclusionlist  Configures Exclusion-list timeout.

max-associated-clients Configures maximum no. of client connections on wlan/guest-lan/remote-lan.

channel-scan   Configures off channel scanning deferral parameters.

h-reap         Configures H-REAP options for wlan.

dhcp_server    Configures the WLAN's DHCP Server.

static-ip      Configures static IP client tunneling support on a WLAN.

mfp            Configures Management Frame Protection.

dtim           Configures the DTIM Period for a WLAN

nac            Configures NAC on wlan/guest-lan/remote-lan.

load-balance   Allow|Disallow Load Balance on a WLAN.

band-select    Allow|Disallow Band Select on a WLAN.

call-snoop     Configures Call Snooping.

sip-cac        Configure SIP CAC Failure policy.

roamed-voice-client Configure Voice Client Re-Anchor policy

There are two other places where we configure WLAN features. If you want to configure "Auto Anchor" or "AP Group" you have to use the following CLI commands.

mobility       Configures the Inter-Switch Mobility Manager

apgroup        Manage AP Groups VLAN feature.

In the next post we will drill into more detail on each section.

WLAN Config via CLI – Part 2

16 Thursday MAY 2013

POSTED BY NAYARASI IN CLI, WLC

Tags: WLC CLI

In this post we will look at the General WLAN configuration CLI commands in detail. Here are the default settings of the General tab once you create a WLAN.

Here are the CLI commands related to this.

(WLC2) >config wlan ?

create         Creates a WLAN.

broadcast-ssid Configures SSID Broadcast on a WLAN.

interface      Configures the WLAN's interface.

disable        Disables a WLAN.

enable         Enables a WLAN.

delete         Deletes a WLAN.

radio          Configures the Radio Policy.

multicast      Configures the WLAN's multicast parameters.

Let's create a new WLAN with ID 17 and an SSID called "Test-17" using CLI commands. Here is how you create a new WLAN using the CLI.

(WLC2) >config wlan create ?                            

foreignAp      Third Party Access Points.

<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan create 17 ?              

<name>         Enter Profile Name up to 32 alphanumeric characters.              

(WLC2) >config wlan create 17 Test-17 ?

<ssid>         Enter SSID (Network Name) up to 32 alphanumeric characters.

(WLC2) >config wlan create 17 Test-17 Test-17

By default the following settings will be enabled on this WLAN, and you can see the CLI commands below added to the configuration once you create the SSID.

config wlan mfp client enable 17

config wlan security wpa enable 17

config wlan wmm allow 17

config wlan exclusionlist 17 60

config wlan broadcast-ssid enable 17

config wlan interface 17 management

config wlan session-timeout 17 1800
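Because a configuration backup is just these "config wlan" lines, it is easy to audit every WLAN on a controller against a security baseline. The Python below is an added example (not from the post or Cisco): it parses the subset of commands shown above out of a backup and reports WLANs that lack WPA, client MFP, an exclusion-list timeout or a session timeout. SAMPLE_BACKUP is constructed in the syntax the post shows; a real backup contains many more commands, which this parser ignores, and it assumes the "config wlan create" line precedes the other lines for that WLAN, as it does in a backup.

```python
"""Audit per-WLAN security settings in a WLC "config wlan" backup.

Added example. SAMPLE_BACKUP is constructed in the command syntax the post
shows; a real backup contains many more commands that this parser ignores.
"""
import re

SAMPLE_BACKUP = """\
config wlan create 15 Test-15 Test-15
config wlan interface 15 management
config wlan broadcast-ssid enable 15
config wlan security wpa enable 15
config wlan wmm allow 15
config wlan session-timeout 15 1800
config wlan exclusionlist 15 60
config wlan mfp client enable 15
config wlan create 17 Test-17 Test-17
config wlan interface 17 management
config wlan broadcast-ssid enable 17
config wlan security wpa disable 17
config wlan mfp client disable 17
config wlan session-timeout 17 1800
"""

CREATE_RE = re.compile(r"^config wlan create (\d+) (\S+) (\S+)$")
TOGGLE_RES = {   # setting name -> "config wlan ... (enable|disable) <id>" pattern
    "wpa": re.compile(r"^config wlan security wpa (enable|disable) (\d+)$"),
    "mfp_client": re.compile(r"^config wlan mfp client (enable|disable) (\d+)$"),
    "broadcast_ssid": re.compile(r"^config wlan broadcast-ssid (enable|disable) (\d+)$"),
}
VALUE_RES = {    # setting name -> "config wlan ... <id> <value>" pattern
    "exclusionlist": re.compile(r"^config wlan exclusionlist (\d+) (\d+)$"),
    "session_timeout": re.compile(r"^config wlan session-timeout (\d+) (\d+)$"),
}


def parse_wlans(text):
    """Return {wlan_id: settings} from the "config wlan" lines of a backup."""
    wlans = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = CREATE_RE.match(line)
        if m:   # the create line must come first; later lines reference the id
            wlans[int(m.group(1))] = {
                "profile": m.group(2), "ssid": m.group(3), "wpa": None,
                "mfp_client": None, "broadcast_ssid": None,
                "exclusionlist": None, "session_timeout": None}
            continue
        for key, rx in TOGGLE_RES.items():
            m = rx.match(line)
            if m and int(m.group(2)) in wlans:
                wlans[int(m.group(2))][key] = (m.group(1) == "enable")
        for key, rx in VALUE_RES.items():
            m = rx.match(line)
            if m and int(m.group(1)) in wlans:
                wlans[int(m.group(1))][key] = int(m.group(2))
    return wlans


def audit_wlans(wlans):
    """Return {wlan_id: [issue, ...]} for WLANs that miss a baseline setting."""
    findings = {}
    for wid, w in sorted(wlans.items()):
        issues = []
        if w["wpa"] is not True:
            issues.append("WPA/WPA2 not enabled")
        if w["mfp_client"] is not True:
            issues.append("client MFP not enabled")
        if w["exclusionlist"] is None:
            issues.append("no exclusion-list timeout")
        if w["session_timeout"] is None:
            issues.append("no session timeout")
        if issues:
            findings[wid] = issues
    return findings


if __name__ == "__main__":
    for wid, issues in audit_wlans(parse_wlans(SAMPLE_BACKUP)).items():
        print("WLAN %d: %s" % (wid, "; ".join(issues)))
```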

If you want to enable or disable broadcasting of this SSID, you can do it on this WLAN as follows.

(WLC2) >config wlan broadcast-ssid ?               

disable        Disables Broadcast SSID on a WLAN.

enable         Enables Broadcast SSID on a WLAN.

(WLC2) >config wlan broadcast-ssid disable ?               

<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan broadcast-ssid {enable|disable} 17

You can map this WLAN to an interface or an interface group you created on your WLC. Here is the CLI for that. I have simply used the management interface.

(WLC2) >config wlan interface ?             

<WLAN id>      Enter WLAN Identifier between 1 and 512.

foreignAp      Third Party Access Points.

(WLC2) >config wlan interface 17 ?            

<interface-name> Enter the interface name upper case not supported.

(WLC2) >config wlan interface 17 management

Let’s create an interface group called “int-group-1” and map the interfaces “vlan11” and “vlan12” onto it (these were created prior to this; their configuration is not shown in this post). Here is the CLI config for creating the interface group and mapping interfaces onto it.

(WLC2) >config interface group create int-group-1 "Interface Group 1"

(WLC2) >config interface group interface add int-group-1 vlan11

(WLC2) >config interface group interface add int-group-1 vlan12

Now let’s map the Test-17 WLAN to this interface group. You simply use the interface group name instead of the interface name.

(WLC2) >config wlan interface 17 int-group-1

Now let’s set the radio policy for this WLAN. Here are the options available. If you want only certain types of clients to be able to join this network, without impacting other WLANs, you have to configure this setting correctly. Let’s say no client in 2.4 GHz should associate to this WLAN at data rates below 11 Mbps (in other words, 802.11b clients should not associate); then you have to select 802.11g-only. In this example we will allow 802.11a and 802.11g clients to join this WLAN.

(WLC2) >config wlan radio 17 ?

802.11a-only   Configures the WLAN on 802.11a only.

802.11ag       Configures the WLAN on 802.11a and 802.11g only.

802.11bg       Configures the WLAN on 802.11b/g only (802.11b only, if 802.11g is disabled).

802.11g-only   Configures the WLAN on 802.11g only.

all            Configures the WLAN on all Radio bands.

(WLC2) >config wlan radio 17 802.11ag

Since we mapped this WLAN onto an interface group, clients of the same WLAN get IP addresses from multiple interfaces. Therefore, to optimize multicast with this configuration you need to enable the “multicast VLAN select” feature. This nominates one VLAN for multicast communication for the entire interface group, instead of each individual VLAN sending IGMP queries to its clients.

(WLC2) >config wlan multicast ?     

interface      Configures the WLAN's multicast interface.

(WLC2) >config wlan multicast interface ?              

<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan multicast interface 17 ?               

enable         Enables the multicast-interface feature for a WLAN.

disable        Disables the multicast-interface feature for a WLAN.

(WLC2) >config wlan multicast interface 17 enable ?               

<interface-name> Enter the interface name upper case not supported.

(WLC2) >config wlan multicast interface 17 enable vlan11

You can enable this WLAN with the following CLI command.

(WLC2) >config wlan enable 17

Now if you look at the GUI WLAN general tab you would see something like this.

Now if you try to join this SSID, you cannot see it, even though you enabled broadcast SSID. Why is this? You have to remember that only WLAN IDs 1-16 are broadcast by default. If you create any WLAN with an ID greater than 16, you have to create an AP group to broadcast it. Therefore let’s create an AP group called “mrn-apgroup” and put my AP into this group.

(WLC2) >config wlan apgroup ?              

add            Creates a new AP Group.

delete         Deletes a existing ap group.

description    Configures a description for an AP group.

interface-mapping Adds or deletes a new apgroup/WLAN/interface mapping.

nac-snmp       Configures NAC SNMP functionality on given AP-Group.

radio-policy   Configures Radio Policy on given AP-Group.

(WLC2) >config wlan apgroup add ?              

<apgroup name> Specify the name of the apgroup to configure.

(WLC2) >config wlan apgroup add mrn-apgroup ?              

<description>  (optional) Specify the description for the AP group.

(WLC2) >config wlan apgroup add mrn-apgroup

(WLC2) >config wlan apgroup interface-mapping ?

add            Adds a new apgroup/WLAN/interface mapping.

delete         Adds a new apgroup/WLAN/interface mapping.

(WLC2) >config wlan apgroup interface-mapping add ?

<apgroup name> Specify the name of the apgroup to configure.

(WLC2) >config wlan apgroup interface-mapping add mrn-apgroup ?

<WLAN or Remote LAN Id> Enter WLAN or Remote LAN Identifier between 1 and 512.

(WLC2) >config wlan apgroup interface-mapping add mrn-apgroup 17 ?

<Interface Name> Specify the interface name.

(WLC2) >config wlan apgroup interface-mapping add mrn-apgroup 17 int-group-1

Now let’s add the AP into the AP group we created. Remember that the AP will reboot and impact clients if you do this on a production AP.

(WLC2) >show  ap summary

Number of APs.................................... 1

Global AP User Name.............................. Not Configured

Global AP Dot1x User Name........................ Not Configured

AP Name             Slots  AP Model              Ethernet MAC       Location          Port  Country  Priority

------------------  -----  --------------------  -----------------  ----------------  ----  -------  ------

LAP2                 2     AIR-CAP3502I-N-K9     70:81:05:03:7c:ef        CAT2-Fa102  LAG      AU       1

(WLC2) >config ap group-name ?   

<groupname>    Enter the group name of Cisco APs as String

(WLC2) >config ap group-name mrn-apgroup ?        

<Cisco AP>     Enter the name of the Cisco AP.

(WLC2) >config ap group-name mrn-apgroup  LAP2

In the GUI you will see it like this.

Once you do this you will see that the “Test-17” SSID is visible to clients.

In the next post we will look at how to do the QoS specific configuration of a WLAN via CLI.

WLAN Config via CLI – Part 3

16 Thursday MAY 2013

POSTED BY NAYARASI  IN CLI , WLC ≈ 1 COMMENT

Tags: WLC CLI

In this post we will see the QoS configuration of a WLAN via CLI. As you saw previously, here are the default settings.

(WLC2) > config wlan ?

qos            Configures Quality of Service policy.

wmm            Configures WMM (WME).

7920-support   Configures support for phones.

media-stream   Configures Media Stream.

uapsd          Configures UAPSD.

Prior to changing the QoS profile you need to make sure the correct 802.1p value is configured for each profile. By default no 802.1p value is set in any profile (Platinum, Gold, Silver and Bronze), and therefore no QoS tags are passed onto the wired network from the controller. You are required to disable the 802.11a/b networks before configuring QoS profile values. Here are the CLI commands to configure these. You have to map 802.1p values of 6, 5, 3 and 1 to Platinum, Gold, Silver and Bronze respectively.

(WLC2) >config 802.11b disable network

(WLC2) >config 802.11a disable network

(WLC2) >config qos  ?

average-data-rate     Configure QoS Average Data Rate

average-realtime-rate Configure QoS Realtime Average Data Rate

burst-data-rate       Configure QoS Burst Data Rate

burst-realtime-rate   Configure QoS Realtime Burst Data Rate

description           Configure QoS Description

dot1p-tag             Configure QoS 802.1P Tag

protocol-type         Configure QoS Protocol Type

(WLC2) >config qos protocol-type platinum ?

dot1p          QoS Protocol Type 'dot1p'

none           QoS Protocol Type 'none'

(WLC2) >config qos protocol-type platinum dot1p

(WLC2) >config qos  dot1p-tag ?

bronze         [bronze profile]

gold           [gold profile]

platinum       [platinum profile]

silver         [silver profile]

(WLC2) >config qos  dot1p-tag platinum

<dot1p>        802.1p Tag (0 ~ 7)

(WLC2) >config qos  dot1p-tag platinum 6

*** Here are the other QoS profile configurations ***

(WLC2) >config qos protocol-type gold dot1p

(WLC2) >config qos  dot1p-tag gold 5

(WLC2) >config qos protocol-type silver dot1p

(WLC2) >config qos dot1p-tag silver 3

(WLC2) >config qos protocol-type bronze dot1p

(WLC2) >config qos dot1p-tag bronze 1

(WLC2) >config 802.11b enable network

(WLC2) >config 802.11a enable network

Now you can assign the QoS profile to the WLAN you created.

(WLC2) >config wlan qos ?

<WLAN id> Enter WLAN Identifier between 1 and 512.

foreignAp Third Party Access Points.

(WLC2) >config wlan qos 17 ?

bronze Bronze QoS policy

gold Gold QoS policy

platinum Platinum QoS policy

silver Silver QoS policy

(WLC2) >config wlan qos 17 platinum

You can configure the WMM setting as below. If you select the “Require” option then non-WMM clients cannot associate with this WLAN. The default option is “Allow”, which permits both WMM and non-WMM clients to join, but all non-WMM clients get the QoS setting configured under the WLAN. In my case, if I choose WMM-Allow, all traffic coming from non-WMM clients will be marked with 802.1p value 6, which is equivalent to DSCP EF on the wired side of the network.

(WLC2) >config wlan wmm ?

allow Allows WMM on the WLAN.

disable Disables WMM on the WLAN.

require Requires WMM enabled clients on the WLAN.

(WLC2) >config wlan wmm require ?

<WLAN id> Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan wmm require 17

If you are not using WMM and you have old 7920 phones (which are not compatible with WMM anyway), you can enable 7920-specific QoS as below. Since client-cac uses the draft 802.11e QBSS IE, you cannot configure WMM and this feature together; they are mutually exclusive.

(WLC2) >config wlan 7920-support ?

ap-cac-limit Supports phones that expect the Cisco Vendor-Specific IE.

client-cac-limit Supports phones that expect the IEEE 802.11e Draft 6 QBSS-Load IE.

(WLC2) >config wlan 7920-support ap-cac-limit ?

enable Supports phones that expect the Cisco Vendor-Specific IE.

disable Supports phones that expect the Cisco Vendor-Specific IE

(WLC2) >config wlan 7920-support client-cac-limit

enable Supports phones that expect the IEEE 802.11e Draft 6 QBSS-Load IE.

disable Supports phones that expect the IEEE 802.11e Draft 6 QBSS-Load IE.

If you need to enable U-APSD (Unscheduled Automatic Power Save Delivery) support when you enable WMM, you have to configure it as below.

(WLC2) >config wlan uapsd ?           

compliant-client Configures UAPSD Compliant Client support.

(WLC2) >config wlan uapsd compliant-client ?             

disable        Disables UAPSD Compliant Client support on the WLAN.

enable         Enables UAPSD Compliant Client support on the WLAN.

(WLC2) >config wlan uapsd compliant-client enable ?             

<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan uapsd compliant-client enable 17

If you have configured the video stream feature on the controller and you need to enable it on this WLAN, you can use the “config wlan media-stream” CLI command as shown below. If you haven’t configured a video stream, this command will not be accepted.

(WLC2) >config wlan media-stream ?

multicast-direct Configures Multicast-direct for WLAN

(WLC2) >config wlan media-stream multicast-direct ?

<WLAN id> Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan media-stream multicast-direct 17 ?

enable Enables Multicast-direct on the WLAN

disable Disables Multicast-direct on the WLAN.

(WLC2) >config wlan media-stream multicast-direct 17 enable

So here is how your WLAN QoS section finally looks in the GUI.

Here are the corresponding CLI commands to achieve the above.

config wlan qos 17 platinum

config wlan wmm require 17

config wlan uapsd compliant-client enable 17

config wlan media-stream multicast-direct 17 enable

You can verify your configuration using the “show wlan 17” CLI command.

(4402-c) >show wlan 17

WLAN Identifier.................................. 17
Profile Name..................................... Test-17
Network Name (SSID).............................. Test-17
Status........................................... Disabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control
  Radius-NAC State............................... Disabled
  SNMP-NAC State................................. Disabled
  Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Number of Active Clients......................... 0
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 1800 seconds
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ management
Multicast Interface.............................. Not Configured
WLAN ACL......................................... unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
Quality of Service............................... Platinum (voice)
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Required
WMM UAPSD Compliant Client Support............... Enabled
Media Stream Multicast-direct.................... Enabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... 802.1P (Tag=6)
IPv6 Support..................................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
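The dotted-leader layout of “show wlan” is easy to parse, which makes it practical to audit many WLANs instead of reading each one by hand. The Python below is an added example written for this page, not the blog’s or Cisco’s code. It parses a constructed sample modelled on the “show wlan 17” output (retyped here, not captured from a controller), handles the indented sub-fields under “Network Admission Control”, and checks the QoS points this post makes: that the WLAN’s profile carries the 802.1p tag assigned earlier (6 for Platinum, 5 for Gold, 3 for Silver, 1 for Bronze) so marking actually reaches the wired side, that WMM “Allow” means non-WMM clients are marked with that tag, and that U-APSD is not left enabled while WMM is disabled. The sample text, the function names and the wording of the findings are assumptions of this example.

```python
import re
from typing import Dict, List

# Constructed sample: a subset of the "show wlan 17" output quoted in the post,
# retyped for this example rather than captured from a controller.
SAMPLE_SHOW_WLAN = """\
WLAN Identifier.................................. 17
Profile Name..................................... Test-17
Network Name (SSID).............................. Test-17
Status........................................... Disabled
Broadcast SSID................................... Enabled
Network Admission Control
  Radius-NAC State............................... Disabled
  SNMP-NAC State................................. Disabled
  Quarantine VLAN................................ 0
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 1800 seconds
Quality of Service............................... Platinum (voice)
WMM.............................................. Required
WMM UAPSD Compliant Client Support............... Enabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... 802.1P (Tag=6)
Radio Policy..................................... All
"""

# "<key>........ <value>": the key is everything before the dotted leader.
FIELD_RE = re.compile(r"^(?P<indent>\s*)(?P<key>.+?)\.{2,}\s*(?P<value>.*)$")

# 802.1p tag the post assigns to each QoS profile.
EXPECTED_DOT1P = {"Platinum": 6, "Gold": 5, "Silver": 3, "Bronze": 1}


def parse_show_wlan(text: str) -> Dict[str, str]:
    """Parse dotted-leader 'show wlan' output into a flat dict.

    A line without a dotted leader (e.g. 'Network Admission Control') is a
    section header; the indented fields under it are stored as
    'Section/Field' so they cannot collide with top-level field names.
    """
    fields: Dict[str, str] = {}
    section = ""
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = FIELD_RE.match(raw)
        if m is None:
            section = raw.strip()  # header line, no value
            continue
        key = m.group("key").strip()
        if m.group("indent") and section:
            key = f"{section}/{key}"
        else:
            section = ""  # back at top level
        fields[key] = m.group("value").strip()
    return fields


def session_timeout_seconds(fields: Dict[str, str]) -> int:
    """'1800 seconds' -> 1800."""
    return int(fields["Session Timeout"].split()[0])


def check_qos(fields: Dict[str, str]) -> List[str]:
    """Return findings where the QoS settings contradict the post's expectations."""
    findings: List[str] = []
    profile = fields.get("Quality of Service", "").split(" ")[0]
    wmm = fields.get("WMM", "")
    tag = re.search(r"Tag=(\d)", fields.get("Wired Protocol", ""))
    if profile in EXPECTED_DOT1P:
        want = EXPECTED_DOT1P[profile]
        if tag is None:
            findings.append(f"{profile} profile has no 802.1p tag; markings never reach the wired side")
        elif int(tag.group(1)) != want:
            findings.append(f"{profile} profile is tagged 802.1p {tag.group(1)}, expected {want}")
        if wmm == "Allow":
            findings.append(f"WMM Allow: traffic from non-WMM clients will be marked 802.1p {want}")
    if wmm == "Disabled" and fields.get("WMM UAPSD Compliant Client Support") == "Enabled":
        findings.append("U-APSD is enabled but WMM is disabled; U-APSD only applies to WMM clients")
    return findings


if __name__ == "__main__":
    parsed = parse_show_wlan(SAMPLE_SHOW_WLAN)
    print(f"WLAN {parsed['WLAN Identifier']} session timeout: {session_timeout_seconds(parsed)} s")
    for line in check_qos(parsed) or ["QoS settings are consistent"]:
        print(line)
```

Feeding the real “show wlan <id>” output of each WLAN through parse_show_wlan gives one dict per WLAN, so the same check_qos can run across a whole controller; the section-prefix handling matters because the NAC and RADIUS sub-fields reuse generic names such as “State”.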

In the next post we will see how to configure security-specific settings via CLI.

WLAN Config via CLI – Part 4

17 Friday MAY 2013

POSTED BY NAYARASI  IN CLI , WLC ≈ 9 COMMENTS

Tags: WLC CLI

In this post we will see how to configure WLAN security settings via CLI. Here are the security-related config options of the “config wlan” CLI command.

security       Configures the security policy for a WLAN.

webauth-exclude Enable/Disable WebAuth Exclusion

custom-web     Configures the Web Authentication Page per Profile.

radius_server  Configures the WLAN's RADIUS Servers.

ldap           Configures the WLAN's LDAP servers.

local-auth     Configures Local EAP Authentication.

mac-filtering  Configures MAC filtering on a WLAN.

If you want to configure layer 2 security settings you can use the following CLI options. Let’s say you want to enable WPA2/AES with a pre-shared key.

(4402-c) >config wlan security ?              

802.1X         Configures 802.1X.

cond-web-redir Configured Conditional Web Redirect.

passthru       Configures IPSec passthru.

splash-page-web-redir Configured Splash-Page Web Redirect.

static-wep-key Configures static WEP keys on a WLAN.

web-auth       Configures Web authentication.

web-passthrough Configures Web Captive Portal with no authentication required.

wpa            Configures WPA/WPA2 Support for a WLAN

ckip           Configures CKIP Security on WLAN.

tkip           Configures TKIP MIC countermeasures hold-down timer (0-60 seconds)

(4402-c) >config wlan security wpa ?

akm            Configures Auth Key Management

disable        Disables WPA/WPA2 Support for a WLAN

enable         Enables WPA/WPA2 Support for a WLAN

wpa1           Configures WPA support

wpa2           Configures WPA2 support

(4402-c) >config wlan security wpa wpa2

ciphers        Configures WPA2 ciphers

disable        Disables WPA2 support

enable         Enables WPA2 support

(4402-c) >config wlan security wpa wpa2 ciphers ?

aes            Configures WPA2/AES support

tkip           Configures WPA2/TKIP support

(4402-c) >config wlan security wpa wpa2 ciphers aes

disable        Disables WPA2/AES support

enable         Enables WPA2/AES support

(4402-c) >config wlan security wpa wpa2 ciphers aes enable 17

(4402-c) >config wlan security wpa akm ?

802.1x         Configures 802.1x support

cckm           Configures CCKM support

ft             Configures 802.11r fast transition 802.1x support

psk            Configures PSK support

(4402-c) >config wlan security wpa akm psk ?

disable        Disables PSK support

enable         Enables PSK support

set-key        Configures the pre-shared-key

(4402-c) >config wlan security wpa akm psk set-key ?

<ascii/hex>    Specificies for key format (ascii or hex)

(4402-c) >config wlan security wpa akm psk set-key ascii ?

<psk>          Enter the pre-shared-key (PSK)

(4402-c) >config wlan security wpa akm psk set-key ascii Cisco123 ?

<WLAN id>      Enter WLAN Identifier between 1 and 512.

(4402-c) >config wlan security wpa akm psk set-key ascii Cisco123 17

The above settings are identical to what you see in the screen below.

Now let’s say you want to create a WLAN with no layer 2 security and only layer 3 web auth. Let’s create a WLAN called “guest” with WLAN ID 18 and assign it to the AP group (mrn-apgroup) created earlier. You can practice this via CLI; you should enter the following CLI commands to do this.

(WLC2) >config wlan create 18 guest guest

(WLC2) >config wlan radio 18 802.11a-only

(WLC2) >config wlan interface 18 vlan12

(WLC2) >config wlan qos 18 bronze

(WLC2) >config wlan apgroup interface-mapping add mrn-apgroup 18 vlan12

Now let’s change the security settings of this WLAN. We will use Web Passthrough with Email Input as the web auth method.

(WLC2) >config wlan security wpa ?              

akm            Configures Auth Key Management

disable        Disables WPA/WPA2 Support for a WLAN

enable         Enables WPA/WPA2 Support for a WLAN

wpa1           Configures WPA support

wpa2           Configures WPA2 support

(WLC2) >config wlan security wpa disable ?              

<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan security wpa disable 18

(WLC2) >config wlan security ?

802.1X         Configures 802.1X.

cond-web-redir Configured Conditional Web Redirect.

passthru       Configures IPSec passthru.

splash-page-web-redir Configured Splash-Page Web Redirect.

static-wep-key Configures static WEP keys on a WLAN.

web-auth       Configures Web authentication.

web-passthrough Configures Web Captive Portal with no authentication required.

wpa            Configures WPA/WPA2 Support for a WLAN

ckip           Configures CKIP Security on WLAN.

tkip           Configures TKIP MIC countermeasures hold-down timer (0-60 seconds)

(WLC2) >config wlan security web-passthrough ?

acl            Configures Access Control List.

disable        Disables Web Captive Portal with no authentication required.

email-input    Configures Web Captive Portal using email address.

enable         Enables Web Captive Portal with no authentication required.

(WLC2) >config wlan security web-passthrough enable 18

(WLC2) >config wlan security web-passthrough email-input ?

enable         Enables Web Captive Portal using email address.

disable        Disables Web Captive Portal using email address.

(WLC2) >config wlan security web-passthrough email-input enable  18

Now your guest WLAN is ready from the security perspective. If you look at the WLC configuration you will see the following. The two lines that disable wpa2 and akm 802.1x are added automatically once you disable WPA, because those settings are enabled by default when you create a WLAN.

config wlan security wpa disable 18

config wlan security wpa wpa2 disable 18

config wlan security wpa akm 802.1x disable 18

config wlan security web-passthrough enable 18

config wlan security web-passthrough email-input enable 18

These are the identical GUI settings for the above scenario.

If you want to configure this guest WLAN for Web Authentication instead of Web Passthrough, you can do it as follows. First you have to disable the web passthrough you enabled in the previous task. You also have to configure RADIUS authentication on the WLAN if your user credentials are verified via RADIUS.

(WLC2) >config wlan security web-passthrough disable 18

(WLC2) >config wlan security web-passthrough email-input disable 18

(WLC2) >config wlan security web-auth ?

acl            Configures Access Control List.

disable        Disables Web authentication.

enable         Enables Web authentication.

on-macfilter-failure  Enables Web authentication on MAC filter failure.

server-precedence Configures the authentication server precedence order for Web-Auth users.

(WLC2) >config wlan security web-auth enable 18

(WLC2) >config wlan radius_server auth ?

add            Adds a link to a configured RADIUS Server.

delete         Deletes a link to a configured RADIUS Server.

disable        Disable RADIUS authentication for this WLAN

enable         Enable RADIUS authentication for this WLAN

(WLC2) >config wlan radius_server auth enable ?

<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan radius_server auth enable 18

(WLC2) >config wlan radius_server auth add ?

<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan radius_server auth add 18 ?

<Server id>    Enter the RADIUS Server Index.

(WLC2) >config wlan radius_server auth add 18 1

In the GUI you will see something like this once you have configured the above on the CLI.

In the next post we will see how to configure WLAN advanced settings via CLI.

WLAN Config via CLI – Part 5

17 Friday MAY 2013

POSTED BY NAYARASI  IN CLI , WLC ≈ 6 COMMENTS

Tags: WLC CLI

In this post we will look at the WLAN Advanced tab configurations via CLI. Here is the full list of features. I know this will be the longest post in my blog, as I have to cover all these features.

(WLC2) > config wlan ?

aaa-override   Configures user policy override via AAA on a WLAN.

chd            Enable/Disable CHD per WLAN

session-timeout Configures client timeout.

ccx            Configure Cisco Client Extension options.

diag-channel   Configures Diagnostics Channel Capability on a WLAN.

IPv6Support    Configures IPv6 support on a WLAN.

acl            Specify a per-WLAN ACL

peer-blocking  Configure peer-to-peer blocking on a WLAN.

exclusionlist  Configures Exclusion-list timeout.

channel-scan   Configures off channel scanning deferral parameters.

h-reap         Configures H-REAP options for wlan.

dhcp_server    Configures the WLAN's DHCP Server.

static-ip      Configures static IP client tunneling support on a WLAN.

mfp            Configures Management Frame Protection.

dtim           Configures the DTIM Period for a WLAN

nac            Configures NAC on wlan/guest-lan/remote-lan.

load-balance   Allow|Disallow Load Balance on a WLAN.

band-select    Allow|Disallow Band Select on a WLAN.

call-snoop     Configures Call Snooping.

sip-cac        Configure SIP CAC Failure policy.

roamed-voice-client Configure Voice Client Re-Anchor policy

We will create a new WLAN called “Test-19” with WLAN ID 19 and the following basic settings:

– 802.11a only clients

– Gold QoS profile

– WPA2/AES (to support 802.11n data rates)

– Multicast direct feature

– PSK

– UAPSD support

So the basic CLI commands you require are as follows.

(WLC2) >config wlan create 19 Test-19 Test-19  

(WLC2) >config wlan radio 19 802.11a-only

(WLC2) >config wlan interface 19 vlan11

(WLC2) >config wlan multicast interface 19 enable vlan11             

(WLC2) >config wlan security wpa wpa2 ciphers aes enable 19

(WLC2) >config wlan qos 19 gold

(WLC2) >config wlan wmm require 19

(WLC2) >config wlan uapsd compliant-client enable 19

(WLC2) >config wlan security wpa akm psk set-key ascii Cisco123 19

Before going into the Advanced tab configuration you can take a backup of the WLC config and verify the above and any additional configs related to your WLAN.

config wlan security wpa akm psk enable 19

config wlan security wpa akm 802.1x disable 19

config wlan security wpa enable 19

config wlan wmm require 19

config wlan exclusionlist 19 60

config wlan broadcast-ssid enable 19

config wlan interface 19 vlan11

config wlan create 19 Test-19 Test-19

config wlan qos 19 gold

config wlan radio 19 802.11a-only

config wlan radio 19 802.11a

config wlan session-timeout 19 0

The Advanced config page of the WLAN looks like this.

Now we will look at each individual feature configuration via CLI. It is a long list, but we will cover them all.

1. AAA Override

This allows ACS to override the client attributes (VLAN, ACL, QoS, etc.).

(WLC2) >config wlan aaa-override ?

disable        Disables policy override.

enable         Enables policy override.

(WLC2) >config wlan aaa-override enable ?             

<WLAN id>      Enter WLAN Identifier between 1 and 512.

foreignAp      Third Party Access Points.

(WLC2) >config wlan aaa-override enable 19

2. Coverage Hole Detection (CHD)

This is enabled by default, and clients can trigger power changes on the AP. Let’s disable it.

(WLC2) >config wlan chd ?

<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan chd 19 ?               

enable         enable CHD per WLAN

disable        disable CHD per WLAN

(WLC2) >config wlan chd 19 disable

3. Session Timeout

The session timeout is the maximum time for a client session to remain active before requiring reauthorization. This is enabled by default and set to 1800 s (30 min). You can change this value or disable it. It is important to know that different types of security method have different maximum values. When I tried to set 1 day for my WPA2-PSK WLAN it was rejected, so I will set it to 4 hours (14400 s).

(WLC2) >config wlan session-timeout ?

<WLAN id>      Enter WLAN Identifier between 1 and 512.

foreignAp      Third Party Access Points.

(WLC2) >config wlan session-timeout 19 ?

<seconds>      The duration of session in seconds (0 = infinity is true only for open system).

(WLC2) >config wlan session-timeout 19 86400

Invalid parameter specified.

System Type              Timeout Range

Open system              0-65535   (sec)
802.1x                   300-86400 (sec)
static wep               0-65535   (sec)
cranite                  0-65535   (sec)
fortress                 0-65535   (sec)
CKIP                     0-65535   (sec)
open+web auth            0-65535   (sec)
web pass-thru            0-65535   (sec)
wpa-psk                  0-65535   (sec)
disable                  To disable reauth/session-timeout timers.
                         Reauth is valid for non-psk and non-static cases. Session-timeout
                         is valid for all other cases.

(WLC2) >config wlan session-timeout 19 14400
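The timeout table the controller prints above, together with the rule from Part 2 that WLAN IDs above 16 are only broadcast through an AP group, can both be checked offline from the saved “config wlan …” lines. The Python below is an added example for this page, not the blog’s or Cisco’s code. It builds a per-WLAN model from a constructed sample configuration (the IDs, names and defaults of WPA enabled, 802.1X AKM and an 1800 s session timeout follow what the posts show), classifies each WLAN into the controller’s “System Type” names, and flags a session timeout outside the printed range or an ID above 16 that has no AP group interface-mapping. The cranite, fortress and CKIP rows are left out of the table because the classifier never produces them; the sample text, class and function names are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Session-timeout range per "System Type", copied from the controller's
# rejection message quoted above (cranite/fortress/CKIP rows omitted).
TIMEOUT_RANGE = {
    "Open system": (0, 65535),
    "802.1x": (300, 86400),
    "static wep": (0, 65535),
    "open+web auth": (0, 65535),
    "web pass-thru": (0, 65535),
    "wpa-psk": (0, 65535),
}

# Constructed sample in the style of the "config wlan ..." lines the posts
# quote from the WLC configuration; IDs and names follow the posts.
SAMPLE_CONFIG = """\
config wlan create 17 Test-17 Test-17
config wlan security wpa enable 17
config wlan security wpa akm psk enable 17
config wlan security wpa akm psk set-key ascii Cisco123 17
config wlan session-timeout 17 1800
config wlan apgroup interface-mapping add mrn-apgroup 17 int-group-1
config wlan create 18 guest guest
config wlan security wpa disable 18
config wlan security wpa wpa2 disable 18
config wlan security wpa akm 802.1x disable 18
config wlan security web-passthrough enable 18
config wlan security web-passthrough email-input enable 18
config wlan apgroup interface-mapping add mrn-apgroup 18 vlan12
config wlan create 19 Test-19 Test-19
config wlan security wpa enable 19
config wlan security wpa akm psk enable 19
config wlan session-timeout 19 86400
"""


@dataclass
class Wlan:
    wlan_id: int
    wpa: bool = True            # WPA/WPA2 is enabled by default on a new WLAN
    akm_psk: bool = False       # default AKM is 802.1X
    static_wep: bool = False
    web_auth: bool = False
    web_passthrough: bool = False
    session_timeout: Optional[int] = 1800   # None means "disable"
    apgroup_mapped: bool = False


def parse_config(text: str) -> Dict[int, Wlan]:
    """Build one Wlan per ID from 'config wlan ...' lines; other lines are ignored."""
    wlans: Dict[int, Wlan] = {}

    def get(wid: str) -> Wlan:
        return wlans.setdefault(int(wid), Wlan(int(wid)))

    for line in text.splitlines():
        p = line.split()
        if len(p) < 4 or p[:2] != ["config", "wlan"]:
            continue
        if p[2] == "create":
            get(p[3])
        elif p[2] == "session-timeout":
            get(p[3]).session_timeout = None if p[4] == "disable" else int(p[4])
        elif p[2] == "apgroup" and p[3:5] == ["interface-mapping", "add"]:
            get(p[6]).apgroup_mapped = True
        elif p[2] == "security" and p[-2] in ("enable", "disable"):
            # "... <feature> enable|disable <id>"; set-key lines never match
            w, on = get(p[-1]), p[-2] == "enable"
            toggle = p[4] in ("enable", "disable")   # feature-level switch
            if p[3] == "wpa" and toggle:
                w.wpa = on
            elif p[3:6] == ["wpa", "akm", "psk"]:
                w.akm_psk = on
            elif p[3] == "static-wep-key" and toggle:
                w.static_wep = on
            elif p[3] == "web-auth" and toggle:
                w.web_auth = on
            elif p[3] == "web-passthrough" and toggle:
                w.web_passthrough = on
    return wlans


def system_type(w: Wlan) -> str:
    """Map a WLAN's security settings onto the controller's 'System Type' names."""
    if w.wpa:
        return "wpa-psk" if w.akm_psk else "802.1x"
    if w.static_wep:
        return "static wep"
    if w.web_auth:
        return "open+web auth"
    if w.web_passthrough:
        return "web pass-thru"
    return "Open system"


def audit(wlans: Dict[int, Wlan]) -> List[str]:
    """Findings: timeout outside the allowed range, or ID > 16 with no AP group mapping."""
    findings: List[str] = []
    for wid, w in sorted(wlans.items()):
        stype = system_type(w)
        low, high = TIMEOUT_RANGE[stype]
        if w.session_timeout is not None and not low <= w.session_timeout <= high:
            findings.append(f"WLAN {wid}: session-timeout {w.session_timeout} s is outside {low}-{high} s for {stype}")
        if wid > 16 and not w.apgroup_mapped:
            findings.append(f"WLAN {wid}: ID above 16 with no AP group interface-mapping, so no AP broadcasts it")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)):
        print(finding)
```

On the sample, WLAN 19 is reported twice: its 86400 s timeout exceeds the 65535 s limit for wpa-psk, which is exactly the rejection shown above, and it has no AP group mapping yet. WLAN 18 is classified as “web pass-thru” only because its “config wlan security wpa disable 18” line is present; parse order does not matter, since every line keys on the trailing WLAN ID.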

4. Aironet IE (CCX)

The Cisco Client Extensions (CCX) software is licensed to manufacturers and vendors of third-party client devices. The CCX code resident on these clients enables them to communicate wirelessly with Cisco access points and to support Cisco features that other client devices do not, including features related to increased security, enhanced performance, fast roaming, and power management. This is enabled by default. CCX support is enabled automatically for every WLAN on the controller and cannot be disabled. However, you can configure Aironet information elements (IEs). If Aironet IE support is enabled, the access point sends an Aironet IE 0x85 (which contains the access point name, load, number of associated clients, and so on) in the beacon and probe responses of this WLAN, and the controller sends Aironet IEs 0x85 and 0x95 (which contain the management IP address of the controller and the IP address of the access point) in the reassociation response if it receives Aironet IE 0x85 in the reassociation request.

(WLC2) >config wlan ccx ?        

AironetIeSupport Configure the support of Aironet IE.


(WLC2) >config wlan ccx aironetIeSupport ?              

enable         Enable the support of Aironet IE.

disable        Disable the support of Aironet IE.

(WLC2) >config wlan ccx aironetIeSupport enable ?               

<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan ccx aironetIeSupport enable 19 ?

(WLC2) >config wlan ccx aironetIeSupport enable 19
CCX Aironet IE Support already in the requested state.

5. Diagnostic Channel

The diagnostic channel feature enables you to troubleshoot problems with client communication on a WLAN. The client and access points can be put through a defined set of tests to identify the cause of the communication difficulties that the client experiences, and then corrective measures can be taken to make the client operational on the network. Since this is only used for troubleshooting and we cannot change any settings of the diagnostic WLAN, we will leave it disabled.

(WLC2) >config wlan diag-channel ?

disable        Disables Diagnostics Channel Capability on a WLAN.

enable         Enables Diagnostics Channel Capability on a WLAN.

(WLC2) >config wlan diag-channel disable ?              

<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan diag-channel disable 19

6. IPv6 Support

This is trivial: it allows the WLAN to support IPv6.

(WLC2) >config wlan ipv6Support ?


enable         Enable IPv6 support on a WLAN.

disable        Disable IPv6 support on a WLAN.

(WLC2) >config wlan ipv6Support enable ?              

<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan ipv6Support enable 19

7. ACL override

If you want to override the interface ACL for this specific WLAN, you can configure an ACL and apply it to the WLAN.

(WLC2) >config wlan acl ?

<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan acl 19 ?               

<ACL Name>     Enter the ACL Name ('none' will clear the ACL)

(WLC2) >config wlan acl 19 none

8. Peer to Peer Blocking

This allows you to control direct client-to-client communication. On a voice WLAN you need to ensure P2P blocking is disabled (otherwise voice conversations between two endpoints will be impacted). For this example we will enable it on this WLAN.

(WLC2) >config wlan peer-blocking ?

disable        Disable peer-to-peer blocking on a WLAN.

drop           Enable peer-to-peer blocking and set the action to 'Drop'.

forward-upstream Enable peer-to-peer blocking and set the action to 'Forward-Upstream'.

(WLC2) >config wlan peer-blocking drop 19

9. Client Exclusion

This excludes a client for a certain number of seconds after it violates the client exclusion policy settings. By default this is enabled and a client will be excluded for 60s if it violates the configured policy. In this example we will extend that time to 300s.

(WLC2) >config wlan exclusionlist ?

<WLAN id>      Enter WLAN Identifier between 1 and 512.

foreignAp      Third Party Access Points.

(WLC2) >config wlan exclusionlist 19 ?               

<seconds>      Exclusion-list timeout (in seconds). zero (0) requires admin override.

disabled       Disables exclusion-listing.

enabled        Enables exclusion-listing.

(WLC2) >config wlan exclusionlist 19 enabled

(WLC2) >config wlan exclusionlist 19 300

10. Maximum allowed clients

This sets the maximum number of clients that can be associated to this WLAN. In this example we will set it to 1000.

(WLC2) >config wlan max-associated-clients ?              

<max no. of clients> Maximum no. of client connections to be accepted

(WLC2) >config wlan max-associated-clients 1000 ?              

<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan max-associated-clients 1000 19

11. Static IP tunneling

Normally roaming for static IP wireless clients won't work unless you enable this feature. If you want to support static IP wireless users on the WLAN roaming between different controllers, you have to enable this feature. This feature and IPv6 support cannot co-exist, so I have disabled IPv6 support on this WLAN.


(WLC2) >config wlan static-ip ?               

tunneling      Configures static IP client tunneling support on a WLAN.

(WLC2) >config wlan static-ip tunneling ?               

enable         Enable static IP client tunneling support on a WLAN.

disable        Disable static IP client tuneling support on a WLAN.

(WLC2) >config wlan static-ip tunneling enable ?              

<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan static-ip tunneling enable 19

Static IP tunneling cannot be configured since IPv6 is enabled for wlan.

(WLC2) >config wlan ipv6Support disable 19

(WLC2) >config wlan static-ip tunneling enable 19

12. Off Channel Scanning

In deployments with certain power-save clients, you sometimes need to defer the Radio Resource Management's (RRM) normal off-channel scanning to avoid missing critical information from low-volume clients (for example, medical devices that use power-save mode and periodically send telemetry information). This feature improves the way that Quality of Service (QoS) interacts with the RRM scan defer feature. You can use a client's Wi-Fi Multimedia (WMM) UP marking to configure the access point to defer off-channel scanning for a configurable period of time if it receives a packet marked UP.

You can assign a QoS policy (bronze, silver, gold, and platinum) to a WLAN to affect how packets are marked on the downlink connection from the access point regardless of how they were received on the uplink from the client. UP=1,2 is the lowest priority, and UP=0,3 is the next higher priority. The marking results of each QoS policy are as follows:

Bronze marks all downlink traffic to UP=1.
Silver marks all downlink traffic to UP=0.
Gold marks all downlink traffic to UP=4.
Platinum marks all downlink traffic to UP=6.

By default this feature is enabled for packets with UP 4, 5 and 6, and it will defer the RRM off-channel scan for 100ms. We will enable it for UP 3 as well and increase the defer-time to 200ms for all of those.

(WLC2) >config wlan channel-scan ?              

defer-priority Configures priority markings for packets that can defer off channel scan.

defer-time     Configures minimum allowable elapsed time since a defer-priority pkt is seen.                

(WLC2) >config wlan channel-scan defer-priority ?              

<priority>     User priority value, 0-7

(WLC2) >config wlan channel-scan defer-priority 3 ?               

disable        Disable packet at given priority to defer off channel scanning.

enable         Enable packet at given priority to defer off channel scanning.

(WLC2) >config wlan channel-scan defer-priority 3 enable ?               

<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan channel-scan defer-priority 3 enable 19

(WLC2) >config wlan channel-scan defer-time ?

<msecs>        Deferral time in msecs <0-60000>

(WLC2) >config wlan channel-scan defer-time 200 ?

<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan channel-scan defer-time 200 19


13. H-REAP

This enables the H-REAP local switching and local authentication features on this WLAN. We will enable those features on this WLAN. There is a limitation: you cannot configure this when static IP tunneling is enabled. You should be familiar with this from the H-REAP configuration.

(WLC2) >config wlan h-reap ?

ap-auth        Configures ap authentication (WLAN must be locally switched).

learn-ipaddr   Configures IP address learning (WLAN must be locally switched).

local-switching Configures local switching of client data associated to H-REAP.

(WLC2) >config wlan h-reap ap-auth ?              

<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan h-reap ap-auth 19 ?               

enable         Enables ap authentication.               

disable        Disables ap authentication.

(WLC2) >config wlan h-reap local-switching 19 enable

(WLC2) >config wlan h-reap ap-auth 19 enable

14. DHCP

You can override the DHCP server configured on the interface with this setting. Also, for certain types of WLAN (like guest) you can make DHCP IP assignment mandatory. Since I have configured static IP tunnel support earlier, I will leave this as it is. Also worth noting is that this is only applicable to the default AP group, so if your WLAN ID is greater than 16 you cannot override the interface DHCP server configuration.

(WLC2) >config wlan dhcp_server ?

<WLAN id>      Enter the WLAN ID.

foreignAp      Third Party Access Points.

(WLC2) >config wlan dhcp_server 19 ?              


<IP addr>      Enter the override DHCP server's IP Address (0.0.0.0 = default interface value).

(WLC2) >config wlan dhcp_server 19 192.168.200.1 ?

required       Optionally specify whether DHCP address assignment is required.

(WLC2) >config wlan dhcp_server 19 192.168.200.1 required
Cannot mandate dhcp required when Static IP tunneling is enabled.
DHCP server override is applicable only to the default AP group.

15. Management Frame Protection (MFP)

This provides protection for management frames between client and AP. You need to remember that this is Cisco's implementation of MFP and not the IEEE standard version (802.11w). So if your client supports proper IEEE 802.11w, it may not work with Cisco MFP. So it is better to disable this as a best practice in today's world. By default it is set to optional.

(WLC2) >config wlan mfp ?

client         Configures Client MFP.

(WLC2) >config wlan mfp client ?              

disable        Disables MFP protection on a WLAN.

enable         Enables MFP protection on a WLAN.

(WLC2) >config wlan mfp client enable ?               

<WLAN id>      Enter a WLAN Identifier between 1 and 512.

(WLC2) >config wlan mfp client enable 19 ?               

required       Clients must negotiate MFP

(WLC2) >config wlan mfp client enable 19 required

(WLC2) >config wlan mfp client disable 19

16. DTIM

In 802.11a/n and 802.11b/g/n networks, lightweight access points broadcast a beacon at regular intervals, which coincides with the Delivery Traffic Indication Map (DTIM). After the access point broadcasts the beacon, it transmits any buffered broadcast and multicast frames based on the value set for the DTIM period. This feature allows power-saving clients to wake up at the appropriate time if they are expecting broadcast or multicast data. Typically, the DTIM value is set to 1 (to transmit broadcast and multicast frames after every beacon) or 2 (to transmit after every other beacon). For instance, if the beacon period of the 802.11a/n or 802.11b/g/n network is 100 ms and the DTIM value is set to 1, the access point transmits buffered broadcast and multicast frames 10 times per second. If the beacon period is 100 ms and the DTIM value is set to 2, the access point transmits buffered broadcast and multicast frames 5 times per second. Either of these settings is suitable for applications, including Voice Over IP (VoIP), that expect frequent broadcast and multicast frames.

However, the DTIM value can be set as high as 255 (to transmit broadcast and multicast frames after every 255th beacon) if all 802.11a/n or 802.11b/g/n clients have power save enabled. Because the clients have to listen only when the DTIM period is reached, they can be set to listen for broadcasts and multicasts less frequently which results in a longer battery life. For example, if the beacon period is 100 ms and you set the DTIM value to 100, the access point transmits buffered broadcast and multicast frames once every 10 seconds. This rate allows the power-saving clients to sleep longer before they have to wake up and listen for broadcasts and multicasts, which results in a longer battery life.

A beacon period, which is specified in milliseconds on the controller, is converted internally by the software to 802.11 Time Units (TUs), where 1 TU = 1.024 milliseconds. On Cisco's 802.11n access points, this value is rounded to the nearest multiple of 17 TUs. For example, a configured beacon period of 100 ms results in an actual beacon period of 104 ms.

(WLC2) >config wlan dtim ?

802.11a        Configure the DTIM Period for 802.11a radio for a WLAN

802.11b        Configure the DTIM Period for 802.11b/g radio for a WLAN

(WLC2) >config wlan dtim 802.11a ?               

<value>        Enter the DTIM period, valid values 1 to 255

(WLC2) >config wlan dtim 802.11a 200 ?               

<WLAN id>      Enter WLAN Identifier between 1 and 512.


(WLC2) >config wlan dtim 802.11a 200 19

(WLC2) >config wlan dtim 802.11b 150 19
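To make the DTIM arithmetic above concrete, here is an added Python example (not code from the original post and not a Cisco tool). It converts a configured beacon period to TUs the way the text describes for Cisco 802.11n APs, validates the 1 to 255 DTIM range the CLI help shows, and works out how often buffered broadcast and multicast frames go out both for the post's worked figures and for the values configured on this WLAN (DTIM 200 on 802.11a, 150 on 802.11b). The function names are this example's own.

```python
"""DTIM / beacon-period arithmetic for a WLC WLAN (added example, not the post's code).

Constants come from the post: 1 TU = 1.024 ms, Cisco 802.11n APs round the
beacon period to the nearest multiple of 17 TU, and a DTIM period is 1..255.
Function names are this example's own.
"""

TU_MS = 1.024          # one 802.11 Time Unit in milliseconds
N_AP_TU_STEP = 17      # 802.11n APs round the beacon period to a multiple of 17 TU
DTIM_MIN, DTIM_MAX = 1, 255


def dtim_is_valid(dtim) -> bool:
    """True if dtim is an integer within the controller's accepted 1..255 range."""
    return isinstance(dtim, int) and DTIM_MIN <= dtim <= DTIM_MAX


def beacon_period_tu(beacon_ms: float, n_ap: bool = True) -> int:
    """Beacon period in TUs as the AP will actually use it.

    The controller converts the configured millisecond value to TUs; on an
    802.11n AP the result is then rounded to the nearest multiple of 17 TU.
    """
    tu = beacon_ms / TU_MS
    if n_ap:
        return round(tu / N_AP_TU_STEP) * N_AP_TU_STEP
    return round(tu)


def actual_beacon_period_ms(beacon_ms: float, n_ap: bool = True) -> float:
    """Configured beacon period (ms) -> the period the AP really beacons at (ms)."""
    return beacon_period_tu(beacon_ms, n_ap) * TU_MS


def multicast_interval_s(beacon_ms: float, dtim: int) -> float:
    """Seconds between deliveries of buffered broadcast/multicast frames.

    Uses the nominal beacon period, as the post's 10-per-second and
    5-per-second figures do. Raises on an out-of-range DTIM rather than
    silently clamping, so a bad value is caught before it is pushed.
    """
    if not dtim_is_valid(dtim):
        raise ValueError(f"DTIM period must be {DTIM_MIN}..{DTIM_MAX}, got {dtim!r}")
    return beacon_ms * dtim / 1000.0


def multicast_per_second(beacon_ms: float, dtim: int) -> float:
    """Buffered broadcast/multicast deliveries per second."""
    return 1.0 / multicast_interval_s(beacon_ms, dtim)


def dtim_report(beacon_ms: float, dtim: int, n_ap: bool = True) -> dict:
    """Summarise what a beacon period / DTIM pair means for sleeping clients."""
    return {
        "configured_beacon_ms": beacon_ms,
        "actual_beacon_ms": round(actual_beacon_period_ms(beacon_ms, n_ap), 3),
        "dtim": dtim,
        "multicast_interval_s": multicast_interval_s(beacon_ms, dtim),
        "multicast_per_second": multicast_per_second(beacon_ms, dtim),
    }


if __name__ == "__main__":
    # The post's worked figures (DTIM 1, 2, 100), then the values set on WLAN 19.
    for beacon, dtim in [(100, 1), (100, 2), (100, 100), (100, 200), (100, 150)]:
        print(dtim_report(beacon, dtim))
```

With the post's 100 ms beacon, DTIM 200 means a sleeping client only sees buffered broadcast and multicast traffic every 20 seconds (15 seconds on the 802.11b/g radio at DTIM 150), which is the trade-off to keep in mind for anything that relies on broadcast discovery.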

17. NAC

Not sure about this at the time of this writing.

(WLC2) >config wlan nac ?              

snmp           Configures SNMP NAC support(Legacy OOB).

radius         Configures Radius NAC support(Identity Service Engine).

(WLC2) >config wlan nac radius ?               

enable         Enable Radius NAC for this WLAN

disable        Disable Radius NAC for this WLAN

(WLC2) >config wlan nac radius enable ?               

<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan nac radius enable 19
Request failed - Radius NAC is available only for WLANs that are configured for 802.1X/WPA/WPA2 Layer 2 security.

18. Client Load Balance

This allows load balancing of client associations between APs. As the warning message indicates when you configure it, this is not good for voice services and you should disable it on voice WLANs.

(WLC2) >config wlan load-balance ?

allow          Allow|Disallow Load Balance on a WLAN.

(WLC2) >config wlan load-balance allow ?               

enable         Allow Load Balance on a WLAN.

disable        Disallow Load Balance on a WLAN.


(WLC2) >config wlan load-balance allow enable ?               

<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan load-balance allow enable 19
WARNING: Allowing load balance on this WLAN may impact time sensitive application like VOICE. Continue? (y/N)y

19. Band Select

Band selection enables client radios that are capable of dual-band (2.4- and 5-GHz) operation to move to a less congested 5-GHz access point. The 2.4-GHz band is often congested. Clients on this band typically experience interference from Bluetooth devices, microwave ovens, and cordless phones as well as co-channel interference from other access points because of the 802.11b/g limit of three nonoverlapping channels. To prevent these sources of interference and improve overall network performance, you can configure band selection on the controller. Band selection works by regulating probe responses to clients. It makes 5-GHz channels more attractive to clients by delaying probe responses to clients on 2.4-GHz channels. On a side note, this will only take effect if you configure the radio policy to "all" for a given WLAN. Otherwise it will have no effect even though you configured it. The GUI shows it as "unticked" even though the CLI config shows it is enabled. Also, for voice clients this could introduce some additional delay, and it is recommended to turn it off if you are servicing voice.

(WLC2) >config wlan band-select ?               

allow          Allow|Disallow Band Select on a WLAN.

(WLC2) >config wlan band-select allow ?               

enable         Allow Band Select on a WLAN.

disable        Disallow Band Select on a WLAN.

(WLC2) >config wlan band-select allow enable ?               

<WLAN id>      Enter WLAN Identifier between 1 and 512.


(WLC2) >config wlan band-select allow enable 19
WARNING: Allow Band Select on this WLAN may impact time sensitive application like VOICE. Continue? (y/N)y

20. Voice - SIP

This allows you to configure SIP-specific settings for a voice WLAN. You need to have the Platinum QoS profile in order to support this feature.

(WLC2) >config wlan call-snoop ?

enable         Enables Call Snooping on the WLAN.

disable        Disables call Snooping on the WLAN.               

(WLC2) >config wlan call-snoop enable ?               

<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan call-snoop enable 19
Request failed. Please set WLAN QoS to Platinum to enable call-snooping

(WLC2) >config wlan roamed-voice-client ?

re-anchor      Roamed client Re-Anchor policy

(WLC2) >config wlan roamed-voice-client re-anchor ?

disable        Disable Roamed Client Re-Anchor policy

enable         Enable Roamed Client Re-Anchor policy

(WLC2) >config wlan roamed-voice-client re-anchor enable ?

<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan roamed-voice-client re-anchor enable 19

(WLC2) >config wlan sip-cac ?

send-486busy   Configure SIP 486 Busy on CAC Failure.

disassoc-client Configure Client Dis-Assoc on SIP CAC Failure.

(WLC2) >config wlan sip-cac send-486busy ?

disable        Disable sending SIP 486 Busy on SIP CAC Failure.

enable         Enable sending SIP 486 Busy on SIP CAC Failure.

(WLC2) >config wlan sip-cac send-486busy enable ?

<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan sip-cac send-486busy enable 19
Configuration is already in the requested state

(WLC2) >config wlan sip-cac disassoc-client ?

disable        Disable Client Dis-Assoc on SIP CAC Failure.

enable         Enable Client Dis-Assoc on SIP CAC Failure.

(WLC2) >config wlan sip-cac disassoc-client enable ?

<WLAN id>      Enter WLAN Identifier between 1 and 512.

(WLC2) >config wlan sip-cac disassoc-client enable 19
Warning! Enabling this functionality will Dis-Associate the Client in case of SIP CAC Failure

That covers all the advanced features of a WLAN via CLI configuration. My WLAN configuration looks like this on the GUI.

In the next post we will look at a few example CLI configurations of different WLANs.

WLAN Config via CLI – Part 6

20 Monday MAY 2013

POSTED BY NAYARASI  IN CLI , GUEST WIRELESS , WLC


Tags: Guest WLAN config

In this post we will look at a configuration example of a WLAN using the CLI only. To make it comprehensive I will illustrate a Guest WLAN configuration with the Auto Anchoring feature as well. Here is the basic topology.

Here are the conditions for this Guest WLAN.
– All Guest users will get a 192.168.9.0/24 IP from WLC1
– Users are able to join the network with an email address as credential
– Guest user traffic should get the lowest QoS priority.
– WMM to be disabled.
– Clients with a static IP should not be allowed to join
– Guest users are only able to get 802.11a & 802.11g data rates.
– Users should not trigger power changes of the AP

Before configuring this you need to identify the tasks you have to do:

1. QoS profile configuration with the required 802.1p values
2. Configure the interface for vlan9 on WLC1 & map it onto the "guest-9" WLAN.
3. Define the "guest-09" WLAN on WLC2 & WLC3 & assign the management interface (no dynamic interfaces)
4. Configure Mobility Anchor for the "guest-9" WLAN.
5.

Here is the CLI configuration of each task. For the QoS profile configuration you have to disable the 802.11 radios (both 2.4GHz & 5GHz). It is advisable to configure all 4 QoS profiles even though this only requires the Bronze profile to be configured.

(WLC3) >config 802.11b disable network
(WLC3) >config 802.11a disable network
Disabling the 802.11a network may strand mesh APs. Are you sure you want to continue? (y/n)y
(WLC3) >config qos protocol-type platinum dot1p
(WLC3) >config qos dot1p-tag platinum 6
(WLC3) >config qos protocol-type gold dot1p
(WLC3) >config qos dot1p-tag gold 5
(WLC3) >config qos protocol-type silver dot1p
(WLC3) >config qos dot1p-tag silver 3
(WLC3) >config qos protocol-type bronze dot1p
(WLC3) >config qos dot1p-tag bronze 1
(WLC3) >config 802.11a enable network
(WLC3) >config 802.11b enable network

You need to copy these lines onto WLC1 & WLC2 as well. Now we will configure the WLC1 dynamic interface for the guest-9 WLAN. Here is the CLI config for this:

(WLC1) >config interface create vlan9 9
(WLC1) >config interface address dynamic-interface vlan9 192.168.9.10 255.255.255.0 192.168.9.1
(WLC1) >config interface dhcp dynamic-interface vlan9 primary 192.168.9.1
(WLC1) >config interface port vlan9 1

You need to ensure CAT2 is configured to provide DHCP addresses and act as the gateway for wireless guest users. Also make sure vlan9 is trunked to WLC1 as well.

ip dhcp excluded-address 192.168.9.1 192.168.9.99
ip dhcp pool VLAN9
 network 192.168.9.0 255.255.255.0
 default-router 192.168.9.1
!
interface Vlan9
 ip address 192.168.9.1 255.255.255.0
!
interface GigabitEthernet1/0/1
 description WLC1 Po1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 9-18,23,111,113
 switchport mode trunk
 switchport nonegotiate
 mls qos trust cos
 spanning-tree portfast trunk


Now you can define the "guest-9" WLAN and map the vlan9 interface onto it. Even though we are not using the GUI, you need to remember that the General, Security, QoS and Advanced parameters are to be modified as per the requirement; the CLI command flow is in that order. Note that since we do not want to override the interface DHCP server, we will use 0.0.0.0 as the DHCP server address and only make a DHCP address required when configuring that feature.

(WLC1) >config wlan create 9 guest-9 guest-9
(WLC1) >config wlan radio 9 802.11ag
(WLC1) >config wlan interface 9 vlan9
(WLC1) >config wlan security wpa disable 9
(WLC1) >config wlan security web-passthrough enable 9
(WLC1) >config wlan security web-passthrough email-input enable 9
(WLC1) >config wlan qos 9 bronze
(WLC1) >config wlan wmm disable 9
(WLC1) >config wlan chd 9 disable
(WLC1) >config wlan dhcp_server 9 0.0.0.0 required
(WLC1) >config wlan enable 9

Now you can copy this configuration to WLC2 & WLC3 without the line "config wlan interface 9 vlan9". By default a newly created WLAN will map to the management interface. Here are the configs on WLC3 for example. Do the same on WLC2 as well.

(WLC3) >config wlan create 9 guest-9 guest-9

(WLC3) >config wlan radio 9 802.11ag

(WLC3) >config wlan security wpa disable 9

(WLC3) >config wlan security web-passthrough enable 9

(WLC3) >config wlan security web-passthrough email-input enable 9

(WLC3) >config wlan qos 9 bronze

(WLC3) >config wlan wmm disable 9

(WLC3) >config wlan chd 9 disable

(WLC3) >config wlan dhcp_server 9 0.0.0.0 required

DHCP server override is applicable only to the default AP group.

(WLC3) >config wlan enable 9

The final step of the configuration is creating the Auto Anchor Mobility tunnels. First of all you have to configure the mobility group name in each controller and then add members to the mobility list. In this example I have used DMZ, HQ & MO for the mobility group names of WLC1, WLC2 & WLC3. Also multicast group addresses 239.11.11.11, 239.22.22.22 & 239.33.33.33 are used for local-group member mobility communication in WLC1, WLC2 & WLC3. Also I used multicast group address 239.12.12.12 for WLC1-WLC2 mobility communication & 239.13.13.13 for WLC1-WLC3 mobility communication.

WLC1
config mobility group domain DMZ
config mobility multicast-mode enable 239.11.11.11
config mobility group multicast-address DMZ 239.11.11.11
config mobility group multicast-address HQ 239.12.12.12
config mobility group multicast-address BR 239.13.13.13
config mobility group member add 00:0b:85:40:a1:c0 10.10.112.10 HQ
config mobility group member add 00:1b:d5:cf:e6:00 10.10.120.140 BR

WLC2
config mobility group domain HQ
config mobility multicast-mode enable 239.22.22.22
config mobility group multicast-address HQ 239.22.22.22
config mobility group multicast-address DMZ 239.12.12.12
config mobility group member add 00:0b:85:43:d8:60 10.10.111.10 DMZ

WLC3
config mobility group domain BR
config mobility multicast-mode enable 239.33.33.33
config mobility group multicast-address BR 239.33.33.33
config mobility group multicast-address DMZ 239.13.13.13
config mobility group member add 00:0b:85:43:d8:60 10.10.111.10 DMZ

Once you configure the mobility config as above you should see the mobility status up between each other. Here is the output of WLC1.

(WLC1) >show mobility summary
Symmetric Mobility Tunneling (current) .......... Enabled
Symmetric Mobility Tunneling (after reboot) ..... Enabled
Mobility Protocol Port........................... 16666
Default Mobility Domain.......................... DMZ
Multicast Mode .................................. Enabled
Mobility Domain ID for 802.11r................... 0x43cd
Mobility Keepalive Interval...................... 10
Mobility Keepalive Count......................... 3
Mobility Group Members Configured................ 3
Mobility Control Message DSCP Value.............. 0

Controllers configured in the Mobility Group
MAC Address        IP Address       Group Name                        Multicast IP     Status
00:0b:85:40:a1:c0  10.10.112.10     HQ                                239.12.12.12     Up
00:0b:85:43:d8:60  10.10.111.10     DMZ                               239.11.11.11     Up
00:1b:d5:cf:e6:00  10.10.120.140    BR                                239.13.13.13     Up
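The mobility lists above only come "Up" when every controller lists each peer by the right MAC, management IP and group name, and when both sides of a pair agree on the multicast address used between them. Here is an added Python example (not the post's code and not a Cisco tool) that generates the three controllers' mobility commands from one topology table and then cross-checks a set of pasted configs for exactly those consistency problems. The controller names, MACs, IPs, group names and multicast addresses are the ones used in the post; the function names and the checks are this example's own.

```python
"""Generate and cross-check WLC mobility-group configuration (added example).

Not the post's code and not a Cisco tool. The controller names, MAC and IP
addresses, group names and multicast addresses are the ones used in the
post's topology; everything else (function names, the checks) is this
example's own.
"""
import re
from typing import Dict, List

# Topology table constructed from the post's WLC1/WLC2/WLC3 mobility configs.
CONTROLLERS = {
    "WLC1": {"group": "DMZ", "mac": "00:0b:85:43:d8:60", "ip": "10.10.111.10",  "mcast": "239.11.11.11"},
    "WLC2": {"group": "HQ",  "mac": "00:0b:85:40:a1:c0", "ip": "10.10.112.10",  "mcast": "239.22.22.22"},
    "WLC3": {"group": "BR",  "mac": "00:1b:d5:cf:e6:00", "ip": "10.10.120.140", "mcast": "239.33.33.33"},
}
# One multicast address per controller pair that exchanges mobility messages
# (WLC2 and WLC3 do not peer with each other in the post).
PAIR_MCAST = {
    frozenset({"WLC1", "WLC2"}): "239.12.12.12",
    frozenset({"WLC1", "WLC3"}): "239.13.13.13",
}


def mobility_commands(name: str) -> List[str]:
    """Emit the post's 'config mobility ...' lines for one controller."""
    me = CONTROLLERS[name]
    peers = sorted(p for pair in PAIR_MCAST if name in pair for p in pair if p != name)
    lines = [
        f"config mobility group domain {me['group']}",
        f"config mobility multicast-mode enable {me['mcast']}",
        f"config mobility group multicast-address {me['group']} {me['mcast']}",
    ]
    for p in peers:  # multicast address used towards each peer's group
        lines.append(f"config mobility group multicast-address "
                     f"{CONTROLLERS[p]['group']} {PAIR_MCAST[frozenset({name, p})]}")
    for p in peers:  # and the peer itself: MAC, management IP, group name
        peer = CONTROLLERS[p]
        lines.append(f"config mobility group member add {peer['mac']} {peer['ip']} {peer['group']}")
    return lines


DOMAIN_RE = re.compile(r"config mobility group domain (\S+)")
MCAST_RE = re.compile(r"config mobility group multicast-address (\S+) (\S+)")
MEMBER_RE = re.compile(r"config mobility group member add (\S+) (\S+) (\S+)")


def parse_mobility(text: str) -> dict:
    """Pull domain, per-group multicast addresses and members out of config text."""
    cfg = {"domain": None, "mcast": {}, "members": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if m := DOMAIN_RE.fullmatch(line):
            cfg["domain"] = m.group(1)
        elif m := MCAST_RE.fullmatch(line):
            cfg["mcast"][m.group(1)] = m.group(2)
        elif m := MEMBER_RE.fullmatch(line):
            cfg["members"][m.group(2)] = (m.group(1).lower(), m.group(3))  # ip -> (mac, group)
    return cfg


def mobility_mismatches(configs: Dict[str, str], identities: Dict[str, dict]) -> List[str]:
    """Cross-check every controller's mobility list against the others.

    configs maps controller name -> its config text; identities maps name ->
    {"mac": ..., "ip": ...} (the management MAC/IP a peer must list it by).
    Returns human-readable problems; an empty list means every member entry is
    reciprocated with a consistent MAC, group name and pairwise multicast address.
    """
    parsed = {n: parse_mobility(t) for n, t in configs.items()}
    by_ip = {identities[n]["ip"]: n for n in configs}
    problems = []
    for a, cfg in parsed.items():
        for ip, (mac, group) in cfg["members"].items():
            b = by_ip.get(ip)
            if b is None:
                problems.append(f"{a}: member {ip} is not a known controller")
                continue
            if mac != identities[b]["mac"].lower():
                problems.append(f"{a}: MAC for {b} is {mac}, expected {identities[b]['mac']}")
            if group != parsed[b]["domain"]:
                problems.append(f"{a}: lists {b} in group {group}, but {b} is in {parsed[b]['domain']}")
            if identities[a]["ip"] not in parsed[b]["members"]:
                problems.append(f"{b}: does not list {a} ({identities[a]['ip']}) as a member")
            if cfg["mcast"].get(parsed[b]["domain"]) != parsed[b]["mcast"].get(cfg["domain"]):
                problems.append(f"{a}<->{b}: pairwise multicast addresses differ")
    return problems


if __name__ == "__main__":
    configs = {n: "\n".join(mobility_commands(n)) for n in CONTROLLERS}
    for n, text in configs.items():
        print(f"{n}\n{text}\n")
    print("mismatches:", mobility_mismatches(configs, CONTROLLERS))
```

Running it prints the same three command sets the post shows and an empty mismatch list; feed `mobility_mismatches` the text of `show run-config` excerpts from real controllers and a one-sided member entry or a group-name typo shows up before you start chasing a tunnel that never comes up.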


Now you can configure "Auto Anchor mobility" for the guest-09 WLAN. You can do it as follows. You have to disable the WLAN prior to configuring the mobility anchor feature. On the anchor controller (WLC1) you have to anchor it to itself, and on WLC2 & WLC3 it has to be anchored to the WLC1 IP.

(WLC1) >config wlan disable 9

(WLC1) >config wlan mobility anchor ?                 

add            Add/Change a Mobility anchor to a WLAN.

delete         Delete a Mobility anchor from a WLAN.

(WLC1) >config wlan mobility anchor add ?              

<WLAN Id>      WLAN identifier between 1 and 512.

(WLC1) >config wlan mobility anchor add 9 ?               

<IP addr>      Member switch IP address to anchor WLAN

(WLC1) >config wlan mobility anchor add 9 10.10.111.10
(WLC1) >config wlan enable 9

(WLC2) >config wlan disable 9
(WLC2) >config wlan mobility anchor add 9 10.10.111.10
(WLC2) >config wlan enable 9

(WLC3) >config wlan disable 9
(WLC3) >config wlan mobility anchor add 9 10.10.111.10
(WLC3) >config wlan enable 9

You can test the wireless guest service from each controller. Let's check the branch end first. You can either disable the guest-09 WLAN on WLC2 or shut down the switchport LAP2 is connected to. Ensure LAP1 is registered to WLC3.

(WLC3) >show ap summary

Number of APs.................................... 1

Global AP User Name.............................. Not Configured


Global AP Dot1x User Name........................ Not Configured

AP Name             Slots  AP Model              Ethernet MAC       Location          Port  Country  Priority

------------------  -----  --------------------  -----------------  ----------------  ----  -------  ------

LAP1                 2     AIR-CAP3502I-N-K9     cc:ef:48:8c:fd:41          CAT4-F03  1        AU       1

Once you connect to this WLAN & open up a browser page, it should prompt you to enter your email address. Once login is successful you should able to see the client detail on your anchor controller(WLC1).

(WLC1) >show client summary
Number of Clients................................ 1

MAC Address       AP Name           Status        WLAN/GLAN      Auth Protocol         Port Wired
----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
04:f7:e4:ea:5b:66 10.10.120.140     Associated    9              Yes  Mobile           1    No

(WLC1) >show client detail 04:f7:e4:ea:5b:66
Client MAC Address............................... 04:f7:e4:ea:5b:66
Client Username ................................. [email protected]
AP MAC Address................................... 00:00:00:00:00:00
AP Name.......................................... N/A
Client State..................................... Associated
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 9
BSSID............................................ 00:00:00:00:00:ff
Connected For ................................... 102 secs
Channel.......................................... N/A
IP Address....................................... 192.168.9.103
Association Id................................... 0
Authentication Algorithm......................... Open System
Reason Code...................................... 1
Status Code...................................... 0
Session Timeout.................................. 0
Client CCX version............................... No CCX support
Mirroring........................................ Disabled
QoS Level........................................ Bronze
802.1P Priority Tag.............................. 1
WMM Support...................................... Disabled
Supported Rates..................................
Mobility State................................... Export Anchor
Mobility Foreign IP Address...................... 10.10.120.140
Mobility Move Count.............................. 1
Security Policy Completed........................ Yes


Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
ACL Name......................................... none
ACL Applied Status............................... Unavailable
NPU Fast Fast Notified........................... Yes
Policy Type...................................... N/A
Encryption Cipher................................ None
Management Frame Protection...................... No
EAP Type......................................... Unknown
Interface........................................ vlan9
VLAN............................................. 9

Once you enable LAP2 (and disable guest-9 on WLC3) you should be able to check it at the HQ end.

(WLC3) >config wlan disable 9

!

(WLC2) >show ap summary

Number of APs.................................... 1

Global AP User Name.............................. Not Configured

Global AP Dot1x User Name........................ Not Configured

AP Name             Slots  AP Model              Ethernet MAC       Location          Port  Country  Priority

------------------  -----  --------------------  -----------------  ----------------  ----  -------  ------

LAP2                 2     AIR-CAP3502I-N-K9     70:81:05:03:7c:ef        CAT2-Fa102  LAG      AU       1

!

(WLC1) >show client summary
Number of Clients................................ 1
MAC Address       AP Name           Status        WLAN/GLAN      Auth Protocol         Port Wired
----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
04:f7:e4:ea:5b:66 10.10.112.10      Associated    9              Yes  Mobile           1    No

(WLC1) >show client detail 04:f7:e4:ea:5b:66
Client MAC Address............................... 04:f7:e4:ea:5b:66
Client Username ................................. [email protected]
AP MAC Address................................... 00:00:00:00:00:00
AP Name.......................................... N/A
Client State..................................... Associated
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 9


BSSID............................................ 00:00:00:00:00:ff
Connected For ................................... 62 secs
Channel.......................................... N/A
IP Address....................................... 192.168.9.103
Association Id................................... 0
Authentication Algorithm......................... Open System
Reason Code...................................... 1
Status Code...................................... 0
Session Timeout.................................. 0
Client CCX version............................... No CCX support
Mirroring........................................ Disabled
QoS Level........................................ Bronze
802.1P Priority Tag.............................. 1
WMM Support...................................... Disabled
Supported Rates..................................
Mobility State................................... Export Anchor
Mobility Foreign IP Address...................... 10.10.112.10
Mobility Move Count.............................. 1
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
ACL Name......................................... none
ACL Applied Status............................... Unavailable
NPU Fast Fast Notified........................... Yes
Policy Type...................................... N/A
Encryption Cipher................................ None
Management Frame Protection...................... No
EAP Type......................................... Unknown
Interface........................................ vlan9
VLAN............................................. 9
Quarantine VLAN.................................. 0
Access VLAN...................................... 9

If you run "debug mobility handoff enable" on WLC1 you can verify the client state changes & the mobility communication between the foreign & anchor controllers.

(WLC1) >debug mobility handoff enable
(WLC1) >*mmListen: May 19 09:27:07.097: 00:22:fa:94:68:58 Mobility packet received from:
*mmListen: May 19 09:27:07.097: 00:22:fa:94:68:58 10.10.120.140, port 16666
*mmListen: May 19 09:27:07.097: 00:22:fa:94:68:58 type: 3(MobileAnnounce) subtype: 0 version: 1 xid: 20 seq: 2167 len 116 flags 0
*mmListen: May 19 09:27:07.097: 00:22:fa:94:68:58 group id: d8475d5f c64367e3 4d21c8d6 ef580f61
*mmListen: May 19 09:27:07.097: 00:22:fa:94:68:58 mobile MAC: 00:22:fa:94:68:58, IP: 0.0.0.0, instance: 0
*mmListen: May 19 09:27:07.097: 00:22:fa:94:68:58 VLAN IP: 10.10.120.140, netmask: 255.255.255.192
*mmListen: May 19 09:27:07.097: Switch IP: 10.10.120.140
*mmListen: May 19 09:27:07.098: Vlan List payload not found, ignoring ...
*mmListen: May 19 09:27:07.098: IP Address don't compare for client 00:22:fa:94:68:58 is 0
*mmListen: May 19 09:27:07.098: 00:22:fa:94:68:58 Ignoring Announce, client record for not found
*mmListen: May 19 09:27:08.097: 00:22:fa:94:68:58 Mobility packet received from:
*mmListen: May 19 09:27:08.097: 00:22:fa:94:68:58 10.10.120.140, port 16666
*mmListen: May 19 09:27:08.097: 00:22:fa:94:68:58 type: 16(MobileAnchorExport) subtype: 0 version: 1 xid: 21 seq: 2168 len 241 flags 0


*mmListen: May 19 09:27:08.097: 00:22:fa:94:68:58 group id: d8475d5f c64367e3 4d21c8d6 ef580f61
*mmListen: May 19 09:27:08.097: 00:22:fa:94:68:58 mobile MAC: 00:22:fa:94:68:58, IP: 0.0.0.0, instance: 0
*mmListen: May 19 09:27:08.097: 00:22:fa:94:68:58 VLAN IP: 10.10.120.140, netmask: 255.255.255.192
*mmListen: May 19 09:27:08.097: Switch IP: 10.10.120.140
*mmListen: May 19 09:27:08.097: 00:22:fa:94:68:58 Received Anchor Export request: from Switch IP: 10.10.120.140
*mmListen: May 19 09:27:08.097: 00:22:fa:94:68:58 mmAnchorExportRcv:, Mobility role is Unassoc
*mmListen: May 19 09:27:08.097: 00:22:fa:94:68:58 mmAnchorExportRcv Ssid=guest-9 Security Policy=0x3040
*mmListen: May 19 09:27:08.097: 00:22:fa:94:68:58 mmAnchorExportRcv vapId= 9, Ssid=guest-9 AnchorLocal=0x0
*mmListen: May 19 09:27:08.097: 00:22:fa:94:68:58 0.0.0.0 START (0) mobility role update request from Unassociated to Export Anchor Peer = 0.0.0.0, Old Anchor = 0.0.0.0, New Anchor = 10.10.111.10
*mmListen: May 19 09:27:08.098: 00:22:fa:94:68:58 Received Anchor Export policy update, valid mask 0x0: Qos Level: 3, DSCP: 0, dot1p: 1 Interface Name: , ACL Name:
*mmListen: May 19 09:27:08.098: Anchor Mac : 00.0b.85.43.d8.60
*mmListen: May 19 09:27:08.098: 00:22:fa:94:68:58 Mobility packet sent to:
*mmListen: May 19 09:27:08.098: 00:22:fa:94:68:58 10.10.120.140, port 16666
*mmListen: May 19 09:27:08.098: 00:22:fa:94:68:58 type: 17(MobileAnchorExportAck) subtype: 0 version: 1 xid: 21 seq: 571 len 275 flags 0
*mmListen: May 19 09:27:08.098: 00:22:fa:94:68:58 group id: fe2f34f3 9b7a7cea 68f48181 316db999
*mmListen: May 19 09:27:08.098: 00:22:fa:94:68:58 mobile MAC: 00:22:fa:94:68:58, IP: 0.0.0.0, instance: 1
*mmListen: May 19 09:27:08.098: 00:22:fa:94:68:58 VLAN IP: 192.168.9.10, netmask: 255.255.255.0
*mmListen: May 19 09:27:08.098: 00:22:fa:94:68:58 0.0.0.0 DHCP_REQD (7) Plumbing duplex mobility tunnel to 10.10.120.140 as Export Anchor (VLAN 9)
*DHCP Proxy DTL Recv Task: May 19 09:27:16.084: 00:22:fa:94:68:58 192.168.9.100 WEBAUTH_REQD (8) Plumbing duplex mobility tunnel to 10.10.120.140 as Export Anchor (VLAN 9)
*emWeb: May 19 09:27:39.269: 00:22:fa:94:68:58 192.168.9.100 RUN (20) Plumbing duplex mobility tunnel to 10.10.120.140 as Export Anchor (VLAN 9)
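As an added example (not part of the original post), here is a small Python parser for lines in the shape of the debug output above: it groups the lines per client MAC, reconstructs the mobility message sequence (MobileAnnounce, MobileAnchorExport, MobileAnchorExportAck, with direction and peer) and the policy-manager state path (START, DHCP_REQD, WEBAUTH_REQD, RUN), and reports whether the anchor export completed. The sample lines are constructed from the output above; the field layout of the debug lines is assumed from that output.

```python
import re

# Constructed sample in the shape of the "debug mobility handoff" output above
# (same message types and client states; group-id and VLAN chatter lines omitted).
SAMPLE_DEBUG = """\
*mmListen: May 19 09:27:07.097: 00:22:fa:94:68:58 Mobility packet received from:
*mmListen: May 19 09:27:07.097: 00:22:fa:94:68:58 10.10.120.140, port 16666
*mmListen: May 19 09:27:07.097: 00:22:fa:94:68:58 type: 3(MobileAnnounce) subtype: 0 version: 1 xid: 20 seq: 2167 len 116 flags 0
*mmListen: May 19 09:27:07.097: Switch IP: 10.10.120.140
*mmListen: May 19 09:27:07.098: 00:22:fa:94:68:58 Ignoring Announce, client record for not found
*mmListen: May 19 09:27:08.097: 00:22:fa:94:68:58 Mobility packet received from:
*mmListen: May 19 09:27:08.097: 00:22:fa:94:68:58 10.10.120.140, port 16666
*mmListen: May 19 09:27:08.097: 00:22:fa:94:68:58 type: 16(MobileAnchorExport) subtype: 0 version: 1 xid: 21 seq: 2168 len 241 flags 0
*mmListen: May 19 09:27:08.097: 00:22:fa:94:68:58 0.0.0.0 START (0) mobility role update request from Unassociated to Export Anchor Peer = 0.0.0.0, Old Anchor = 0.0.0.0, New Anchor = 10.10.111.10
*mmListen: May 19 09:27:08.098: 00:22:fa:94:68:58 Mobility packet sent to:
*mmListen: May 19 09:27:08.098: 00:22:fa:94:68:58 10.10.120.140, port 16666
*mmListen: May 19 09:27:08.098: 00:22:fa:94:68:58 type: 17(MobileAnchorExportAck) subtype: 0 version: 1 xid: 21 seq: 571 len 275 flags 0
*mmListen: May 19 09:27:08.098: 00:22:fa:94:68:58 0.0.0.0 DHCP_REQD (7) Plumbing duplex mobility tunnel to 10.10.120.140 as Export Anchor (VLAN 9)
*DHCP Proxy DTL Recv Task: May 19 09:27:16.084: 00:22:fa:94:68:58 192.168.9.100 WEBAUTH_REQD (8) Plumbing duplex mobility tunnel to 10.10.120.140 as Export Anchor (VLAN 9)
*emWeb: May 19 09:27:39.269: 00:22:fa:94:68:58 192.168.9.100 RUN (20) Plumbing duplex mobility tunnel to 10.10.120.140 as Export Anchor (VLAN 9)
"""

# One debug line: optional CLI prompt, task name, timestamp, client MAC, then the message text.
LINE_RE = re.compile(
    r"^(?:\(\w+\) >)?\*(?P<task>[^:]+): (?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<rest>.*)$")
PEER_RE = re.compile(r"^(?P<ip>\d+(?:\.\d+){3}), port (?P<port>\d+)$")
TYPE_RE = re.compile(r"^type: (?P<num>\d+)\((?P<name>\w+)\)")
STATE_RE = re.compile(
    r"^(?P<ip>\d+(?:\.\d+){3}) (?P<state>[A-Z_]+) \((?P<code>\d+)\) (?P<detail>.*)$")
ROLE_RE = re.compile(r"mobility role update request from (?P<old>.+?) to (?P<new>.+?) Peer")


def parse_mobility_debug(text):
    """Group debug lines per client MAC into mobility messages and policy-manager states."""
    clients, pending = {}, {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines without a client MAC (Switch IP, Vlan List ...) carry nothing we track
        mac, rest = m["mac"], m["rest"]
        rec = clients.setdefault(mac, {"messages": [], "states": [], "roles": []})
        peer, typ, state = PEER_RE.match(rest), TYPE_RE.match(rest), STATE_RE.match(rest)
        if rest == "Mobility packet received from:":
            pending[mac] = {"direction": "rx", "ts": m["ts"]}
        elif rest == "Mobility packet sent to:":
            pending[mac] = {"direction": "tx", "ts": m["ts"]}
        elif peer and mac in pending:
            pending[mac].update(peer=peer["ip"], port=int(peer["port"]))
        elif typ and mac in pending:
            # The "type:" line closes the packet header started by received-from / sent-to.
            msg = pending.pop(mac)
            msg.update(type=typ["name"], type_num=int(typ["num"]))
            rec["messages"].append(msg)
        elif state:
            rec["states"].append((state["state"], int(state["code"]), state["ip"]))
            role = ROLE_RE.search(state["detail"])
            if role:
                rec["roles"].append((role["old"], role["new"]))
    return clients


def anchor_export_summary(rec):
    """Did this controller receive the MobileAnchorExport, ack it, and walk the client to RUN?"""
    rx = {m["type"] for m in rec["messages"] if m["direction"] == "rx"}
    tx = {m["type"] for m in rec["messages"] if m["direction"] == "tx"}
    path = [s[0] for s in rec["states"]]
    complete = ("MobileAnchorExport" in rx and "MobileAnchorExportAck" in tx
                and bool(path) and path[-1] == "RUN")
    return {
        "export_received": "MobileAnchorExport" in rx,
        "export_acked": "MobileAnchorExportAck" in tx,
        "state_path": path,
        "final_ip": rec["states"][-1][2] if rec["states"] else None,
        "roles": rec["roles"],
        "peers": sorted({m["peer"] for m in rec["messages"] if "peer" in m}),
        "complete": complete,
    }


if __name__ == "__main__":
    for mac, rec in parse_mobility_debug(SAMPLE_DEBUG).items():
        print(mac, anchor_export_summary(rec))
```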

Finally you can configure a foreign mapping for this, allocating 192.168.9.x/24 when connecting from the branch & 192.168.8.x/24 when connecting via Head Quarters.

So we will create a vlan8 interface on WLC1 & allow this VLAN on the CAT2 g1/0/1 trunk to which WLC1 is connected.

(WLC1) >config interface create vlan8 8
(WLC1) >config interface address dynamic-interface vlan8 192.168.8.10 255.255.255.0 192.168.8.1
(WLC1) >config interface dhcp dynamic-interface vlan8 primary 192.168.8.1
(WLC1) >config interface port vlan8 1


!
CAT2(config)#vlan 8
CAT2(config-vlan)#exit
CAT2(config)#int vlan 8
CAT2(config-if)#ip add 192.168.8.1 255.255.255.0
CAT2(config-if)#int g1/0/1
CAT2(config-if)#sw tr al vl add 8
CAT2(config)#ip dhcp excluded-address 192.168.8.1 192.168.8.100
CAT2(config)#ip dhcp pool VLAN8
CAT2(dhcp-config)#default-router 192.168.8.1
CAT2(dhcp-config)#netw 192.168.8.0 /24
CAT2(dhcp-config)# domain-name mrn.com
CAT2(dhcp-config)# dns-server 192.168.200.1

Now on WLC1 you can configure the foreign mapping for the guest-9 WLAN using the foreign controller MAC address as shown below. Guest traffic arriving via WLC3 (00:1b:d5:cf:e6:00) will get an IP from 192.168.8.0/24, & traffic via WLC2 (00:0b:85:40:a1:c0) will get one from the 192.168.9.0/24 range.

(WLC1) >config wlan disable 9

(WLC1) >config wlan mobility foreign-map add 9 00:1b:d5:cf:e6:00 vlan8
(WLC1) >config wlan mobility foreign-map add 9 00:0b:85:40:a1:c0 vlan9
(WLC1) >config wlan enable 9

Here is the verification when a guest user connects via WLC2.

(WLC1) >show client detail 04:f7:e4:ea:5b:66
Client MAC Address............................... 04:f7:e4:ea:5b:66
Client Username ................................. [email protected]
AP MAC Address................................... 00:00:00:00:00:00
AP Name.......................................... N/A
Client State..................................... Associated
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 9
BSSID............................................ 00:00:00:00:00:ff
Connected For ................................... 56 secs
Channel.......................................... N/A
IP Address....................................... 192.168.9.103
Association Id................................... 0
Authentication Algorithm......................... Open System
Reason Code...................................... 1
Status Code...................................... 0
Session Timeout.................................. 0
Client CCX version............................... No CCX support
Mirroring........................................ Disabled
QoS Level........................................ Bronze
802.1P Priority Tag.............................. 1
WMM Support...................................... Disabled
Supported Rates..................................
Mobility State................................... Export Anchor
Mobility Foreign IP Address...................... 10.10.112.10

Here is the same output when the guest user connects via WLC3. You can see the client gets a 192.168.8.x/24 IP this time.


(WLC1) >show client detail 04:f7:e4:ea:5b:66

Client MAC Address............................... 04:f7:e4:ea:5b:66

Client Username ................................. [email protected]

AP MAC Address................................... 00:00:00:00:00:00

AP Name.......................................... N/A               

Client State..................................... Associated     

Client NAC OOB State............................. Access

Wireless LAN Id.................................. 9  

BSSID............................................ 00:00:00:00:00:ff  

Connected For ................................... 40 secs

Channel.......................................... N/A

IP Address....................................... 192.168.8.101
Association Id................................... 0
Authentication Algorithm......................... Open System
Reason Code...................................... 1
Status Code...................................... 0
Session Timeout.................................. 0
Client CCX version............................... No CCX support
Mirroring........................................ Disabled
QoS Level........................................ Bronze
802.1P Priority Tag.............................. 1
WMM Support...................................... Disabled
Supported Rates..................................
Mobility State................................... Export Anchor
Mobility Foreign IP Address...................... 10.10.120.140
Mobility Move Count.............................. 1
Security Policy Completed........................ Yes
Policy Manager State............................. RUN

That's all for the wireless guest WLAN configuration tasks via CLI. If you understand & remember the steps, you are pretty safe even if your WLC GUI is very slow during the exam.

We will see wired guest WLAN configuration via CLI in a future post.

Mobility Config via CLI


20 Monday MAY 2013

POSTED BY NAYARASI IN CLI, MOBILITY

In this post we will see how to configure WLC mobility via CLI. If you prefer the GUI you can refer to one of my previous posts (Configuring Mobility on WLC). Here is the basic setup. Head Quarters (Mobility Group: HQ) has two wireless controllers, WLC1 & WLC2. WLC1 is used for guest traffic termination & will be put in a different mobility group called DMZ. There is a branch office where you have WLC3, which is in the Mobility Group named MO.

Initially we will configure mobility without using multicast & then use multicast for mobility communication. The diagram shows multiple controllers in each mobility group, but in my test lab I do not have that many controllers, so I had to go with 3 controllers. The real advantage of multicast comes when you have multiple controllers in the same mobility group.

Configuration-wise, you have to configure a mobility group name & then add mobility group members (local & non-local) to the mobility list (sometimes referred to as the domain). Local group members have the same group name as the WLC you are configuring. Non-local group members have a different group name from that of the WLC you are configuring.

You need the WLCs' MAC address & IP address information for the mobility configuration, so it is better to have this ready prior to your configuration. "show sysinfo" should give you the required output. Here is the info in my example:

(WLC1) >show sysinfo

System Name...................................... WLC1

IP Address....................................... 10.10.111.10

Burned-in MAC Address............................ 00:0B:85:43:D8:60

!

(WLC2) >show sysinfo

System Name...................................... WLC2

IP Address....................................... 10.10.112.10

Burned-in MAC Address............................ 00:0B:85:40:A1:C0

!

(WLC3) >show sysinfo

System Name...................................... WLC3

IP Address....................................... 10.10.120.140

Burned-in MAC Address............................ 00:1B:D5:CF:E6:00

"config mobility ?" is the CLI command you need to use for the configuration. Here is how I configure the mobility group name for a WLC & add members to the mobility list.

(WLC1) >config mobility ?

dscp           Configures the Mobility inter controller DSCP value.

group          Configures the Mobility group parameters.

multicast-mode Configures the Multicast Mode for mobility messages

statistics     Resets the mobility statistics.


(WLC1) >config mobility group ?                     

anchor         Configures the Mobility WLAN anchor list.

domain         Configures the Mobility domain name.

keepalive      Keepalive ping parameters to be configured

member         Configures the Mobility group members list.

multicast-address Configures the Multicast IP Address for a mobility group

(WLC1) >config mobility group domain DMZ

(WLC1) >config mobility group member add ?
<MAC addr>     Member switch MAC address

(WLC1) >config mobility group member add 00:0B:85:40:A1:C0 ?
<IP addr>      Member switch IP address

(WLC1) >config mobility group member add 00:0B:85:40:A1:C0 10.10.112.10 ?
<group name>   Optional member switch group name (if different from default group name)

(WLC1) >config mobility group member add 00:0B:85:40:A1:C0 10.10.112.10 HQ
(WLC1) >config mobility group member add 00:1B:D5:CF:E6:00 10.10.120.140 BR

On WLC2 & WLC3 you can work out that these are the CLI commands required.

(WLC2) >config mobility group domain HQ
(WLC2) >config mobility group member add 00:0B:85:43:D8:60 10.10.111.10 DMZ
!
(WLC3) >config mobility group domain BR
(WLC3) >config mobility group member add 00:0B:85:43:D8:60 10.10.111.10 DMZ

Now the basic mobility configuration is done. Once you run "show mobility summary" you should be able to see the status of your configuration.

(WLC1) >show mobility summary

Symmetric Mobility Tunneling (current) .......... Enabled

Symmetric Mobility Tunneling (after reboot) ..... Enabled

Mobility Protocol Port........................... 16666

Default Mobility Domain.......................... DMZ

Multicast Mode .................................. Disabled


Mobility Domain ID for 802.11r................... 0x43cd

Mobility Keepalive Interval...................... 10

Mobility Keepalive Count......................... 3

Mobility Group Members Configured................ 3

Mobility Control Message DSCP Value.............. 0

Controllers configured in the Mobility Group

 MAC Address        IP Address       Group Name                        Multicast IP     Status

 00:0b:85:40:a1:c0  10.10.112.10     HQ                                0.0.0.0          Up

 00:0b:85:43:d8:60  10.10.111.10     DMZ                               0.0.0.0          Up

 00:1b:d5:cf:e6:00  10.10.120.140    BR                                0.0.0.0          Up

On WLC2 you should see an output like this.

(WLC2) >show mobility summary

Symmetric Mobility Tunneling (current) .......... Enabled

Symmetric Mobility Tunneling (after reboot) ..... Enabled

Mobility Protocol Port........................... 16666

Default Mobility Domain.......................... HQ

Multicast Mode .................................. Disabled

Mobility Domain ID for 802.11r................... 0x6b2f

Mobility Keepalive Interval...................... 10

Mobility Keepalive Count......................... 3

Mobility Group Members Configured................ 2

Mobility Control Message DSCP Value.............. 0


Controllers configured in the Mobility Group

 MAC Address        IP Address       Group Name                        Multicast IP     Status

 00:0b:85:40:a1:c0  10.10.112.10     HQ                                0.0.0.0          Up

 00:0b:85:43:d8:60  10.10.111.10     DMZ                               0.0.0.0          Up

On WLC3 the "show mobility summary" output should look like this.

(WLC3) >show mobility summary

Symmetric Mobility Tunneling (current) .......... Enabled

Symmetric Mobility Tunneling (after reboot) ..... Enabled

Mobility Protocol Port........................... 16666

Default Mobility Domain.......................... BR

Multicast Mode .................................. Disabled

Mobility Domain ID for 802.11r................... 0xad23

Mobility Keepalive Interval...................... 10

Mobility Keepalive Count......................... 3

Mobility Group Members Configured................ 2

Mobility Control Message DSCP Value.............. 0

Controllers configured in the Mobility Group

 MAC Address        IP Address       Group Name                        Multicast IP     Status

 00:0b:85:43:d8:60  10.10.111.10     DMZ                               0.0.0.0          Up

 00:1b:d5:cf:e6:00  10.10.120.140    BR                                0.0.0.0          Up


You can change the keepalive count, interval & DSCP value of mobility packets as follows. I leave them at the default values shown in the above output.

(WLC3) >config mobility group keepalive ?              

count          No of keep alive retries before a member status is termed DOWN              

interval       Interval between two keep alives sent to a mobility member

(WLC3) >config mobility group keepalive count ?
<number>       Number in range of 3-20

(WLC3) >config mobility group keepalive interval ?
<number>       Number in range of <1 - 30 seconds>, interval between two ping tries
!
(WLC3) >config mobility dscp ?
<dscp_value>   <0-63>

In the above method, each WLC uses unicast messages to communicate with each local group member & each configured non-local group member. Since this mobility information needs to be updated very frequently, this becomes processor intensive, as each controller has to send multiple copies of the same message to the different controllers configured in its mobility list.

Multicast communication helps in this regard, as a given controller sends only one copy of each mobility message to the configured multicast group address and all controllers in the same mobility group receive it. You can configure a multicast address for non-local group members as well. In my example WLC1 has two non-local group members & you can configure another multicast group address for this communication.

As per the diagram we will configure 239.11.11.11 for DMZ local group member communication on WLC1. We will use 239.12.12.12 for DMZ & HQ inter-group mobility communication. Similarly we will use 239.22.22.22 for WLC2 local-group mobility communication (ie members in the HQ mobility group) & 239.33.33.33 for WLC3 local-group mobility communication (ie members in mobility group MO), and 239.13.13.13 for mobility group MO & DMZ communication. Here is how you configure this via CLI. You can configure local group multicast communication using the "config mobility multicast-mode {enable|disable} <local-multicast-address>" CLI command.

(WLC3) >config mobility multicast-mode enable ?

<local-multicast-address> Configures the Multicast IP Address for the local group.


(WLC3) >config mobility multicast-mode enable 239.33.33.33
(WLC2) >config mobility multicast-mode enable 239.22.22.22
(WLC1) >config mobility multicast-mode enable 239.11.11.11

You can configure the multicast group for non-local member communication as follows.

(WLC1) >config mobility group multicast-address ?              

<group_name>   Specify the Mobility Group whose Multicast IP Address is to be set

(WLC1) >config mobility group multicast-address HQ ?              

<ip_address>   Configures the Multicast IP Address for a mobility group

(WLC1) >config mobility group multicast-address HQ 239.12.12.12
(WLC1) >config mobility group multicast-address BR 239.13.13.13

(WLC2) >config mobility group multicast-address DMZ 239.12.12.12

(WLC3) >config mobility group multicast-address DMZ 239.13.13.13

It is important to remember that for multicast mode to work you have to properly configure your L3 infrastructure to support multicast. Once you check "show mobility summary" you should see something like this.

(WLC1) >show mobility summary

Symmetric Mobility Tunneling (current) .......... Enabled

Symmetric Mobility Tunneling (after reboot) ..... Enabled

Mobility Protocol Port........................... 16666

Default Mobility Domain.......................... DMZ

Multicast Mode .................................. Enabled
Mobility Domain ID for 802.11r................... 0x43cd
Mobility Keepalive Interval...................... 10
Mobility Keepalive Count......................... 3
Mobility Group Members Configured................ 3
Mobility Control Message DSCP Value.............. 0

Controllers configured in the Mobility Group


 MAC Address        IP Address       Group Name                        Multicast IP     Status
 00:0b:85:40:a1:c0  10.10.112.10     HQ                                239.12.12.12     Up
 00:0b:85:43:d8:60  10.10.111.10     DMZ                               239.11.11.11     Up
 00:1b:d5:cf:e6:00  10.10.120.140    BR                                239.13.13.13     Up
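As an added example (not the post's own code), here is a Python checker that parses "show mobility summary" from each controller and cross-checks the lists: every member must be Up, each controller must be listed back by its peers under its real group name and IP, and with multicast mode enabled the inter-group address configured on both sides of a pair must agree (the convention used above: 239.12.12.12 for DMZ and HQ, 239.13.13.13 for DMZ and BR) while members of the same group must share one local address. The WLC1 output is the one shown above; the WLC2 and WLC3 outputs are constructed from the post's configuration, and each controller's own MAC is taken from its "show sysinfo".

```python
import re

# Constructed sample "show mobility summary" outputs (only the lines the checker reads).
# WLC1 is the multicast-enabled output shown above; WLC2 and WLC3 follow the post's config.
SUMMARIES = {
    "WLC1": ("00:0B:85:43:D8:60", """\
Default Mobility Domain.......................... DMZ
Multicast Mode .................................. Enabled
Mobility Group Members Configured................ 3
 MAC Address        IP Address       Group Name                        Multicast IP     Status
 00:0b:85:40:a1:c0  10.10.112.10     HQ                                239.12.12.12     Up
 00:0b:85:43:d8:60  10.10.111.10     DMZ                               239.11.11.11     Up
 00:1b:d5:cf:e6:00  10.10.120.140    BR                                239.13.13.13     Up
"""),
    "WLC2": ("00:0B:85:40:A1:C0", """\
Default Mobility Domain.......................... HQ
Multicast Mode .................................. Enabled
Mobility Group Members Configured................ 2
 00:0b:85:40:a1:c0  10.10.112.10     HQ                                239.22.22.22     Up
 00:0b:85:43:d8:60  10.10.111.10     DMZ                               239.12.12.12     Up
"""),
    "WLC3": ("00:1B:D5:CF:E6:00", """\
Default Mobility Domain.......................... BR
Multicast Mode .................................. Enabled
Mobility Group Members Configured................ 2
 00:0b:85:43:d8:60  10.10.111.10     DMZ                               239.13.13.13     Up
 00:1b:d5:cf:e6:00  10.10.120.140    BR                                239.33.33.33     Up
"""),
}

FIELD_RE = re.compile(r"^(?P<key>.+?)\s*\.{3,}\s*(?P<val>.*)$")   # "Name........ value"
ROW_RE = re.compile(
    r"^\s*(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<ip>\d+(?:\.\d+){3})\s+"
    r"(?P<group>\S+)\s+(?P<mcast>\d+(?:\.\d+){3})\s+(?P<status>\S+)\s*$", re.IGNORECASE)


def parse_mobility_summary(name, own_mac, text):
    """Parse one controller's output; own_mac comes from its 'show sysinfo'."""
    ctl = {"name": name, "mac": own_mac.lower(), "fields": {}, "members": {}}
    for line in text.splitlines():
        row = ROW_RE.match(line)
        if row:
            ctl["members"][row["mac"].lower()] = {k: row[k] for k in ("ip", "group", "mcast", "status")}
            continue
        field = FIELD_RE.match(line)
        if field:
            ctl["fields"][field["key"].strip()] = field["val"].strip()
    ctl["domain"] = ctl["fields"].get("Default Mobility Domain")
    ctl["multicast"] = ctl["fields"].get("Multicast Mode") == "Enabled"
    return ctl


def check_mobility_consistency(controllers):
    """Cross-check every controller's list against the others; an empty list means all agree."""
    by_mac = {c["mac"]: c for c in controllers}
    findings = []
    for a in controllers:
        me = a["members"].get(a["mac"])
        if me is None:
            findings.append(f"{a['name']}: own MAC {a['mac']} is not in its mobility list")
            continue
        if me["group"] != a["domain"]:
            findings.append(f"{a['name']}: own row is in group {me['group']} but Default Mobility Domain is {a['domain']}")
        configured = a["fields"].get("Mobility Group Members Configured")
        if configured is not None and int(configured) != len(a["members"]):
            findings.append(f"{a['name']}: {configured} members configured but {len(a['members'])} rows listed")
        for mac, row in a["members"].items():
            if row["status"] != "Up":
                findings.append(f"{a['name']}: member {mac} ({row['ip']}) is {row['status']}")
            if mac == a["mac"]:
                continue
            b = by_mac.get(mac)
            if b is None:
                findings.append(f"{a['name']}: lists {mac}, for which we have no output")
                continue
            back = b["members"].get(a["mac"])
            if back is None:
                findings.append(f"{a['name']} lists {b['name']} but {b['name']} does not list {a['name']}")
                continue
            if row["group"] != b["domain"]:
                findings.append(f"{a['name']} puts {b['name']} in group {row['group']} but its domain is {b['domain']}")
            b_own = b["members"][b["mac"]]
            if row["ip"] != b_own["ip"]:
                findings.append(f"{a['name']} has {b['name']} at {row['ip']} but {b['name']} reports {b_own['ip']}")
            # Multicast checks are symmetric, so evaluate each pair once (lower MAC first).
            if a["multicast"] and b["multicast"] and a["mac"] < mac:
                if row["group"] == a["domain"]:
                    if row["mcast"] != me["mcast"] or me["mcast"] != b_own["mcast"]:
                        findings.append(f"{a['name']} and {b['name']} share group {a['domain']} but local multicast differs ({me['mcast']} vs {b_own['mcast']})")
                elif row["mcast"] != back["mcast"]:
                    findings.append(f"{a['name']}->{b['name']} inter-group multicast {row['mcast']} differs from {b['name']}->{a['name']} {back['mcast']}")
    return findings


if __name__ == "__main__":
    ctls = [parse_mobility_summary(n, mac, txt) for n, (mac, txt) in SUMMARIES.items()]
    print(check_mobility_consistency(ctls) or "mobility lists are consistent")
```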

If you need to configure Auto Anchoring (for wired or wireless guest traffic) you can do this via the "config mobility group anchor {wlan|guest-lan} {wlan-id|guest-lan-id} {anchor-wlc-ip}" CLI command.

(WLC1) >config mobility group anchor add wlan ?

<WLAN Id>      WLAN identifier between 1 and 512.

(WLC1) >config mobility group anchor add wlan 17 ?               

<IP addr>      Member switch IP address to anchor WLAN

(WLC1) >config mobility group anchor add guest-lan ?          

<Guest LAN Id> Guest LAN identifier between 1 and 5

(WLC1) >config mobility group anchor add guest-lan 1 ?              

<IP addr>      Member switch IP address to anchor WLAN

See "WLAN config via CLI - Part 6" for wireless guest WLAN configuration via CLI.

Configuring Mobility on WLC

16 Saturday MAR 2013


POSTED BY NAYARASI IN MOBILITY

Tags: WLC mobility

In this post we will see how to configure mobility in a Cisco WLC environment. Here is the topology, where we have two WLCs. LWAP-02 registers to WLC1 & LWAP-03 registers to WLC2. First of all you have to configure the "Mobility Group" on the WLC. During the initial configuration you have to provide a mobility group name, & you can change it later. Go to the "Controller -> Mobility Management -> Mobility Groups" section. By clicking "Edit All" you can add members to this mobility group. If you want you can create a new group as well.

Before adding WLC2 into the WLC1 mobility group you can get the MAC address & IP information from WLC2. See the WLC2 mobility information below. By copying this & pasting it into the WLC1 mobility group section you can add WLC2 into the WLC1 mobility group.


Here is the WLC1 mobility information section once you paste the WLC2 info.

Once you hit the "Apply" button you will see something like this. The mobility tunnel will not come up immediately.

If you allow a short time, the mobility tunnel comes up nicely.


You have to do the same thing on WLC2 to add WLC1 as a mobility member. Now if you take a packet capture on any trunk port going to a WLC you will see the mobility communication between these two controllers. As you can see below, mobility messages are exchanged (UDP src 16666 dst 16666) every 30s. These are unicast packets sourced from the WLC's management interface & destined to the other WLC's mgmt IP address.

This unicast mobility messaging is not efficient if you have multiple controllers in the same mobility group. You can allocate a multicast group address for inter-controller mobility messages. The following screen capture shows how to do this.

Once you configure this group address on all controllers of your mobility group they should be able to communicate via this multicast address. Make sure you configure multicast on your WLC first. This time you will see mobility messages destined to the multicast group address (239.239.239.239 in my example) when taking a packet capture.


In the WLC CLI you can use the following commands to configure the mobility group.

config mobility group domain mrn-cciew

config mobility group member add 00:0b:85:40:a1:c0 10.10.112.10 mrn-cciew

config mobility multicast-mode enable 239.239.239.239

config mobility group multicast-address mrn-cciew 239.239.239.239

“show mobility summary” can be used to verify.

(WLC2) >show mobility summary

Symmetric Mobility Tunneling (current) .......... Enabled

Symmetric Mobility Tunneling (after reboot) ..... Enabled

Mobility Protocol Port........................... 16666

Default Mobility Domain.......................... mrn-cciew

Multicast Mode .................................. Enabled

Mobility Domain ID for 802.11r................... 0x4ccd

Mobility Keepalive Interval...................... 10

Mobility Keepalive Count......................... 3

Mobility Group Members Configured................ 2

Mobility Control Message DSCP Value.............. 0


Controllers configured in the Mobility Group

 MAC Address        IP Address       Group Name                        Multicast IP     Status

 00:0b:85:40:a1:c0  10.10.112.10     mrn-cciew                         239.239.239.239  Up

 00:0b:85:43:d8:60  10.10.111.10     mrn-cciew                         239.239.239.239  Up

In the next post we will see how to configure Auto Anchor.

Wireless Mobility Basics

16 Saturday MAR 2013

POSTED BY NAYARASI IN MOBILITY

Tags: Auto-Anchor, L2 Roaming, L3 Roaming

A mobility event occurs when a client roams between access points. As wireless clients move between APs on the same controller and APs joined to different controllers within the network, four different types of roaming events can take place.

1. Intra Controller
2. Inter Controller
3. Inter Controller – Layer 3
4. Auto – Anchor Mobility

Intra Controller Roaming: If a client roams between APs on the same controller, it is called an intra-controller mobility event. This is the simplest roaming event, where the WLC simply updates its database with the client state & security context as the client roams from AP1 to AP2. See below.

Inter Controller-L2 Roaming: Inter-controller (normally layer 2) roaming occurs when a client roams between two APs registered to two different controllers, where each controller has an interface in the client subnet.

In this instance the controllers exchange mobility control messages (over UDP port 16666) and the client database entry is moved from the original controller to the new controller.

Inter Controller – L3 Roaming: If the client roams between APs registered to different controllers and the client WLAN on the two controllers is on different subnets, it is called an inter-controller L3 roam.

In this situation the controllers also exchange mobility messages, but the change to the client database entry is completely different from an L2 roam: instead of being moved, the entry is copied. The original controller marks its client entry as “Anchor” whereas the new controller marks its entry as “Foreign”; the two controllers are now referred to as the “Anchor controller” and the “Foreign controller” respectively. The client keeps its original IP address, and that is the real advantage.

If your clients are configured with static IP addresses, then when such a client moves and associates to another WLC that does not support the same subnet as its static IP, the client fails to connect to the network. You can now enable dynamic tunneling of clients with static IP addresses. The following sequence of steps occurs when a client with a static IP address tries to associate with a controller:

* When a client associates with a controller, for example WLC-1, it performs a mobility announcement. If a controller in the mobility group responds (for example WLC-2), the client traffic is tunneled to that controller, WLC-2 (the Anchor).

* If none of the controllers respond, the client is treated as a local client and authentication is performed. If the client’s IP subnet is not supported on the controller (WLC-1), WLC-1 sends another static IP mobile announce, and if a controller which supports the client’s subnet (for example WLC-3) responds to that announce, the client traffic is tunneled to that controller, WLC-3. As a result, WLC-1 becomes the export foreign controller and WLC-3 becomes the export anchor controller.

* Once the acknowledgement is received, the client traffic is tunneled between the anchor and the controller (WLC-1).

Auto-Anchor Mobility: Auto-anchoring is when you anchor a WLAN to a particular controller in the mobility domain. The most common use of auto-anchor is a wireless guest service, where all guest traffic is tunneled back to a DMZ controller irrespective of where the guests associate to the network (see below).

Mobility has two categories, Mobility Domains and Mobility Groups. If WLCs are in the same mobility domain they communicate with each other. A Mobility Group constrains the distribution of a client’s security context. It also constrains AP fail-over between controllers.

A WLC supports 3 mobility groups with up to 24 controllers in a single group, for a total of 72 controllers in the mobility domain (or mobility list). WLC 5.1 or later allows seamless roaming across multiple mobility groups in the mobility list of the controller.

Any device on an IP network has an IP point of presence (PoP); usually it is the record of the client’s IP address and MAC address. If the client moves to another AP associated to another controller, the point of association or attachment (PoA) changes to the foreign controller, whereas the PoP remains on the anchor controller. In roaming situations the role of a WLC can change to any of the below.

Local: The controller provides both PoP and PoA.
Anchor: The controller provides PoP only and is always paired with a foreign controller (PoA).
Foreign: The controller provides PoA only and is always paired with an anchor controller (PoP).
Export Anchor: The controller provides PoP only and is always paired with an export foreign controller.
Export Foreign: The controller provides PoA only and is always paired with an export anchor controller.

Mobility packets use UDP port 16666. Because UDP is an unreliable delivery mechanism, any packet that requires a response is retried up to 4 times at one-second intervals. All packets have a mobility packet header, followed by one or more TLV (Type, Length, Value) payloads carrying specific client or session data.
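The four roaming cases and the Local/Anchor/Foreign roles above, as an added example that is not part of the original post: a small Python model of the client database on each controller, driven by the rules the post states (an L2 roam moves the entry, an L3 roam copies it and marks Anchor/Foreign, auto-anchor pins the PoP to a chosen WLC). The class and field names, and the lab() topology built from the WLC1/WLC2 addresses and LWAP-02/LWAP-03 APs used later on this page, are mine. The handling of a Foreign client roaming a second time (to a third controller, or back to its anchor) goes beyond what the post spells out and is standard behaviour, marked as such in the comments.

```python
"""Model of the roaming events and controller roles described above: where
the client database entry lives (moved vs. copied) and which WLC holds the
PoP and the PoA.  Added example for this page, not the post's or Cisco's
code; names and data layout are mine, only the rules come from the post."""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass
class Controller:
    name: str
    mgmt_ip: str
    wlan_subnet: dict[int, IPv4Network]              # WLAN id -> client subnet on this WLC
    clients: dict[str, dict] = field(default_factory=dict)  # MAC -> role/ip/peer entry


@dataclass
class MobilityGroup:
    controllers: dict[str, Controller]
    ap_home: dict[str, str]                           # AP name -> controller it joined
    auto_anchor: dict[int, str] = field(default_factory=dict)  # WLAN id -> anchor WLC

    def join(self, mac: str, ip: str, ap: str, wlan: int) -> str:
        """Initial association: Local, unless the WLAN is auto-anchored."""
        wlc = self.controllers[self.ap_home[ap]]
        anchor = self.auto_anchor.get(wlan)
        if anchor and anchor != wlc.name:
            # Auto-anchor (guest): PoA stays on wlc, PoP is on the anchor WLC.
            wlc.clients[mac] = {"role": "Foreign", "ip": ip, "peer": anchor}
            self.controllers[anchor].clients[mac] = {"role": "Anchor", "ip": ip, "peer": wlc.name}
            return "Auto-Anchor"
        wlc.clients[mac] = {"role": "Local", "ip": ip, "peer": None}
        return "Local"

    def roam(self, mac: str, from_ap: str, to_ap: str, wlan: int) -> str:
        old = self.controllers[self.ap_home[from_ap]]
        new = self.controllers[self.ap_home[to_ap]]
        entry = old.clients[mac]
        if old is new:
            # Intra-controller: the WLC just updates the AP in the existing entry.
            return "Intra-Controller"
        if entry["role"] == "Foreign":
            # Client already anchored elsewhere (auto-anchor or an earlier L3 roam).
            # Not spelled out in the post; standard behaviour: the PoA moves and the
            # anchor keeps the PoP, or the entry collapses to Local if we return to it.
            anchor = self.controllers[entry["peer"]]
            del old.clients[mac]
            if new is anchor:
                anchor.clients[mac] = {"role": "Local", "ip": entry["ip"], "peer": None}
                return "Inter-Controller (return to anchor)"
            new.clients[mac] = {"role": "Foreign", "ip": entry["ip"], "peer": anchor.name}
            anchor.clients[mac]["peer"] = new.name
            return "Inter-Controller-L3 (anchor retained)"
        if ip_address(entry["ip"]) in new.wlan_subnet[wlan]:
            # L2: the new WLC has an interface in the client's subnet -> the entry
            # MOVES, the client stays Local and the old WLC forgets it.
            del old.clients[mac]
            new.clients[mac] = {"role": "Local", "ip": entry["ip"], "peer": None}
            return "Inter-Controller-L2"
        # L3: the entry is COPIED.  The old WLC keeps the PoP as Anchor, the new WLC
        # gets the PoA as Foreign; the client keeps its IP and traffic goes
        # Foreign -> Anchor -> wired network.
        old.clients[mac] = {"role": "Anchor", "ip": entry["ip"], "peer": new.name}
        new.clients[mac] = {"role": "Foreign", "ip": entry["ip"], "peer": old.name}
        return "Inter-Controller-L3"


def lab(l3_topology: bool) -> MobilityGroup:
    """The post's two-WLC lab: WLAN 4 ("guest") maps to vlan14 on both WLCs in
    the L2 post, and to vlan12 on WLC2 in the L3 post."""
    wlc1 = Controller("WLC1", "10.10.111.10", {4: ip_network("10.10.14.0/24")})
    wlc2 = Controller("WLC2", "10.10.112.10",
                      {4: ip_network("10.10.12.0/24" if l3_topology else "10.10.14.0/24")})
    return MobilityGroup({"WLC1": wlc1, "WLC2": wlc2},
                         {"LWAP-02": "WLC1", "LWAP-03": "WLC2"})
```

Run lab(False) and roam the client from LWAP-02 to LWAP-03 to see the entry move; run lab(True) with the same roam to see it copied with one Anchor and one Foreign entry that point at each other, which is exactly what the two show client detail outputs in the L3 post below display.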

L2 – Inter Controller Roaming

17 Sunday MAR 2013

POSTED BY NAYARASI  IN MOBILITY ≈ LEAVE A COMMENT

Tags: L2 Roaming

In this post we will see how L2 Inter Controller Roaming works. I am using the following topology, which was previously configured for Mobility (see the Configuring WLC Mobility post before this).

Since this is a LAB environment, I will forcefully disconnect the client from its previously associated AP in order to make the client go to the other AP. This is how I simulate client roaming. I will have an active voice call while this roaming event occurs and observe whether that call session gets dropped while the roaming occurs.

First we will check the client associations in WLC1.

(WLC1) >show client summary

Number of Clients................................ 1

MAC Address       AP Name           Status        WLAN/GLAN      Auth Protocol         Port Wired
----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
00:1b:d4:58:e6:1a LWAP-02           Associated    4              Yes  802.11a          1    No

(WLC1) >show client detail 00:1b:d4:58:e6:1a
Client MAC Address............................... 00:1b:d4:58:e6:1a
Client Username ................................. user2
AP MAC Address................................... 54:75:d0:3e:80:b0
AP Name.......................................... LWAP-02
Client State..................................... Associated
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 4
BSSID............................................ 54:75:d0:3e:80:bc
Connected For ................................... 199 secs
Channel.......................................... 161
IP Address....................................... 10.10.14.54
Association Id................................... 1
Authentication Algorithm......................... Open System
Reason Code...................................... 1
Status Code...................................... 0
Client CCX version............................... 5
Client E2E version............................... No E2E support
Diagnostics Capability........................... Not Supported
S69 Capability................................... Not Supported
Re-Authentication Timeout........................ 1378
Mirroring........................................ Disabled
QoS Level........................................ Platinum
802.1P Priority Tag.............................. 6
WMM Support...................................... Enabled
APSD ACs.......................................  BK(T/D)  BE(T/D)  VI(T/D)  VO(T/D)
Power Save....................................... ON
Current Rate..................................... 54.0
Supported Rates.................................. 24.0,36.0,48.0,54.0
Mobility State................................... Local
Mobility Move Count.............................. 1
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
ACL Name......................................... none
ACL Applied Status............................... Unavailable
NPU Fast Fast Notified........................... Yes
Policy Type...................................... WPA2
Authentication Key Management.................... CCKM
Encryption Cipher................................ CCMP (AES)
Management Frame Protection...................... No
EAP Type......................................... 0
Interface........................................ vlan14
VLAN............................................. 14

Now we will forcefully remove this client from WLC1. See the screen below for how to do this.

I did not notice the call drop during this roaming event. You can see the client entry moved to WLC2, which is normal in L2 roaming.

(WLC2) >show client detail 00:1b:d4:58:e6:1a
Client MAC Address............................... 00:1b:d4:58:e6:1a
Client Username ................................. user2
AP MAC Address................................... 64:a0:e7:af:47:40
AP Name.......................................... LWAP-03
Client State..................................... Associated
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 4
BSSID............................................ 64:a0:e7:af:47:4c
Connected For ................................... 31 secs
Channel.......................................... 40
IP Address....................................... 10.10.14.54
Association Id................................... 1
Authentication Algorithm......................... Open System
Reason Code...................................... 1
Status Code...................................... 0
Client CCX version............................... 5
Client E2E version............................... No E2E support
Diagnostics Capability........................... Not Supported
S69 Capability................................... Not Supported
Re-Authentication Timeout........................ 1743
Mirroring........................................ Disabled
QoS Level........................................ Platinum
802.1P Priority Tag.............................. 6
WMM Support...................................... Enabled
APSD ACs.......................................  BK(T/D)  BE(T/D)  VI(T/D)  VO(T/D)
Power Save....................................... OFF
Supported Rates.................................. 24.0,36.0,48.0,54.0
Mobility State................................... Local
Mobility Move Count.............................. 0
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
ACL Name......................................... none
ACL Applied Status............................... Unavailable
NPU Fast Fast Notified........................... Yes
Policy Type...................................... WPA2
Authentication Key Management.................... CCKM
Encryption Cipher................................ CCMP (AES)
Management Frame Protection...................... No
EAP Type......................................... PEAP
Interface........................................ vlan14
VLAN............................................. 14
Quarantine VLAN.................................. 0
Access VLAN...................................... 14

If you take a Wireshark packet capture on the trunk port connected to the WLC while the roaming occurs, you can verify the sequence of events (see below).

In the next post we will see how L3 roaming occurs.

L3 – Inter Controller Roaming

17 Sunday MAR 2013

POSTED BY NAYARASI  IN MOBILITY ≈ 5 COMMENTS

Tags: L3 Roaming

In this post we will see how L3 – Inter Controller Mobility works. I have slightly changed my topology to test that. Notice that I have assigned different interfaces (Vlan 12 and Vlan 14) to the “guest” WLAN on the two different controllers. Therefore, in this instance, when the client moves from LWAP-02 to LWAP-03 an Anchor-Foreign mobility relationship has to be maintained to keep the original IP of the client.

First I will ensure my C7925 client is on WLC1 with a vlan 14 IP. You can check the client details as shown here. The complete output is not shown; it is filtered for the required information.

(WLC1) >show client summary

Number of Clients................................ 2

MAC Address       AP Name           Status        WLAN/GLAN      Auth Protocol         Port Wired

----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----

00:1b:d4:58:e6:1a LWAP-02           Associated    4              Yes  802.11a          1    No
04:f7:e4:ea:5b:66 LWAP-02           Associated    4              Yes  802.11n(5 GHz)   1    No

(WLC1) >show client detail 00:1b:d4:58:e6:1a
Client MAC Address............................... 00:1b:d4:58:e6:1a
Client Username ................................. user2
AP MAC Address................................... 54:75:d0:3e:80:b0
AP Name.......................................... LWAP-02
Client State..................................... Associated
Wireless LAN Id.................................. 4
.
IP Address....................................... 10.10.14.54
Association Id................................... 3
.
QoS Level........................................ Platinum
802.1P Priority Tag.............................. 6
WMM Support...................................... Enabled
APSD ACs.......................................  BK(T/D)  BE(T/D)  VI(T/D)  VO(T/D)
Power Save....................................... ON
Current Rate..................................... 54.0
Supported Rates.................................. 24.0,36.0,48.0,54.0
Mobility State................................... Local
Mobility Move Count.............................. 0
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
.
Policy Type...................................... WPA2
Authentication Key Management.................... CCKM
Encryption Cipher................................ CCMP (AES)
Management Frame Protection...................... No
EAP Type......................................... PEAP
Interface........................................ vlan14
VLAN............................................. 14
Quarantine VLAN.................................. 0
Access VLAN...................................... 14

Now I will remove this client from WLC1. In this case the client will de-authenticate from LWAP-02 and associate to LWAP-03, but because the “guest” WLAN is on a different subnet (Vlan 12) on WLC2, the WLCs have to set up an Anchor-Foreign relationship. WLC1 sends a copy of the client database entry to WLC2; WLC1 marks its entry as “Anchor” and WLC2 marks its entry as “Foreign”.

Once the client has moved, you still see the entry on WLC1, marked as “Anchor”:

(WLC1) >show client summary

Number of Clients................................ 2

MAC Address       AP Name           Status        WLAN/GLAN      Auth Protocol         Port Wired

----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----

00:1b:d4:58:e6:1a 10.10.112.10      Associated    4              Yes  Mobile           1    No

04:f7:e4:ea:5b:66 10.10.112.10      Associated    4              Yes  Mobile           1    No

(WLC1) >show client detail 00:1b:d4:58:e6:1a
Client MAC Address............................... 00:1b:d4:58:e6:1a
Client Username ................................. user2
AP MAC Address................................... 00:00:00:00:00:00
AP Name.......................................... N/A
Client State..................................... Associated
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 4
BSSID............................................ 00:00:00:00:00:03
Connected For ................................... 315 secs
Channel.......................................... N/A
IP Address....................................... 10.10.14.54
Association Id................................... 0
Authentication Algorithm......................... Open System
Reason Code...................................... 1
Status Code...................................... 0
Client CCX version............................... 5
Client E2E version............................... No E2E support
Diagnostics Capability........................... Not Supported
S69 Capability................................... Not Supported
Re-Authentication Timeout........................ 86114
Mirroring........................................ Disabled
QoS Level........................................ Platinum
802.1P Priority Tag.............................. 6
WMM Support...................................... Enabled
APSD ACs.......................................  BK(T/D)  BE(T/D)  VI(T/D)  VO(T/D)
Power Save....................................... ON
Current Rate..................................... 54.0
Supported Rates.................................. 24.0,36.0,48.0,54.0
Mobility State................................... Anchor
Mobility Foreign IP Address...................... 10.10.112.10
Mobility Move Count.............................. 0
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
ACL Name......................................... none
ACL Applied Status............................... Unavailable
NPU Fast Fast Notified........................... Yes
Policy Type...................................... WPA2
Authentication Key Management.................... CCKM
Encryption Cipher................................ CCMP (AES)
Management Frame Protection...................... No
EAP Type......................................... PEAP
Interface........................................ vlan14
VLAN............................................. 14

If you go to WLC2 you can see the client entry marked as “Foreign”:

(WLC2) >show client summary

Number of Clients................................ 2

MAC Address       AP Name           Status        WLAN/GLAN      Auth Protocol         Port Wired

----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----

00:1b:d4:58:e6:1a LWAP-03           Associated    4              Yes  802.11a          29   No
04:f7:e4:ea:5b:66 LWAP-03           Associated    4              Yes  802.11n(5 GHz)   29   No

(WLC2) >show client detail 00:1b:d4:58:e6:1a
Client MAC Address............................... 00:1b:d4:58:e6:1a
Client Username ................................. user2
AP MAC Address................................... 64:a0:e7:af:47:40
AP Name.......................................... LWAP-03
Client State..................................... Associated
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 4
BSSID............................................ 64:a0:e7:af:47:4c
Connected For ................................... 59 secs
Channel.......................................... 40
IP Address....................................... 10.10.14.54
Association Id................................... 1
Authentication Algorithm......................... Open System
Reason Code...................................... 1
Status Code...................................... 0
Client CCX version............................... 5
Client E2E version............................... No E2E support
Diagnostics Capability........................... Not Supported
S69 Capability................................... Not Supported
Re-Authentication Timeout........................ 86070
Mirroring........................................ Disabled
QoS Level........................................ Platinum
802.1P Priority Tag.............................. 6
WMM Support...................................... Enabled
APSD ACs.......................................  BK(T/D)  BE(T/D)  VI(T/D)  VO(T/D)
Power Save....................................... ON
Current Rate..................................... 54.0
Supported Rates.................................. 24.0,36.0,48.0,54.0
Mobility State................................... Foreign
Mobility Anchor IP Address....................... 10.10.111.10
Mobility Move Count.............................. 1
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
ACL Name......................................... none
ACL Applied Status............................... Unavailable
NPU Fast Fast Notified........................... Yes
Policy Type...................................... WPA2
Authentication Key Management.................... CCKM
Encryption Cipher................................ CCMP (AES)
Management Frame Protection...................... No
EAP Type......................................... 0
Interface........................................ vlan12
VLAN............................................. 12

Note that even though the client on WLC2 is on vlan 12, it still keeps its previous IP from vlan 14. Also note the difference in the client’s Protocol column on the two controllers: on the Anchor it is shown as “Mobile”, whereas on the Foreign it shows “802.11a” for my client. In this roaming scenario the PoA (Point of Association) moved to WLC2 (Foreign), whereas the PoP (Point of Presence) is still on WLC1 (Anchor). Therefore client traffic will go Foreign -> Anchor -> Wired Network.

If you want to understand this in great detail you can run debug commands to verify the exact process of an L3 client roam. Here is the debug output on WLC2 (when the client roams from WLC2 to WLC1). I do not think I have time to go into that level of detail, as my objective is to pass the CCIE lab.

(WLC2) >debug client 00:1b:d4:58:e6:1a
(WLC2) >debug mobility handoff enable

(WLC2) >
*mmListen: Mar 17 00:05:53.182: Mobility packet received from:
*mmListen: Mar 17 00:05:53.183:   10.10.111.10, port 16666
*mmListen: Mar 17 00:05:53.183:   type: 12(PMK-Update)  subtype: 0  version: 1  xid: 53  seq: 884  len 461 flags 0
*mmListen: Mar 17 00:05:53.183:   group id: fe2f34f3 9b7a7cea 68f48181 316db999
*mmListen: Mar 17 00:05:53.183: Switch IP: 10.10.111.10
*mmListen: Mar 17 00:05:53.183: 00:1b:d4:58:e6:1a Received PMK-update from 10.10.111.10 for station
*mmListen: Mar 17 00:05:53.183: CCKM: Creating CCKM cache entry(version 2) on receiving message from mobility
*mmListen: Mar 17 00:05:53.183: 00:1b:d4:58:e6:1a Updating userName from 10.10.111.10
*mmListen: Mar 17 00:05:53.183: 00:1b:d4:58:e6:1a Updating CCKM Cache  from 10.10.111.10
*mmListen: Mar 17 00:05:53.183: 00:1b:d4:58:e6:1a CCKM: Sending cache add
*mmListen: Mar 17 00:05:53.194: 00:1b:d4:58:e6:1a Mobility packet received from:
*mmListen: Mar 17 00:05:53.194: 00:1b:d4:58:e6:1a   10.10.111.10, port 16666
*mmListen: Mar 17 00:05:53.194: 00:1b:d4:58:e6:1a   type: 3(MobileAnnounce)  subtype: 0  version: 1  xid: 54  seq: 885  len 116 flags 0
*mmListen: Mar 17 00:05:53.194: 00:1b:d4:58:e6:1a   group id: fe2f34f3 9b7a7cea 68f48181 316db999
*mmListen: Mar 17 00:05:53.194: 00:1b:d4:58:e6:1a   mobile MAC: 00:1b:d4:58:e6:1a, IP: 10.10.14.54, instance: 0
*mmListen: Mar 17 00:05:53.194: 00:1b:d4:58:e6:1a   VLAN IP: 10.10.14.10, netmask: 255.255.255.0
*mmListen: Mar 17 00:05:53.194: Switch IP: 10.10.111.10
*mmListen: Mar 17 00:05:53.194: Vlan List payload not found, ignoring ...
*mmListen: Mar 17 00:05:53.194: IP Address don't compare for client 00:1b:d4:58:e6:1a is 0
*mmListen: Mar 17 00:05:53.194: 00:1b:d4:58:e6:1a Anchored to Local Handoff as Foreign(3), Client IP: 10.10.14.54 Anchor IP: 0.0.0.0
*mmListen: Mar 17 00:05:53.194: Anchor Mac : 00.00.00.00.00.00
*mmListen: Mar 17 00:05:53.194: 00:1b:d4:58:e6:1a Mobility packet sent to:
*mmListen: Mar 17 00:05:53.194: 00:1b:d4:58:e6:1a   10.10.111.10, port 16666
*mmListen: Mar 17 00:05:53.194: 00:1b:d4:58:e6:1a   type: 5(MobileHandoff)  subtype: 0  version: 1  xid: 54  seq: 97  len 618 flags 0
*mmListen: Mar 17 00:05:53.194: 00:1b:d4:58:e6:1a   group id: fe2f34f3 9b7a7cea 68f48181 316db999
*mmListen: Mar 17 00:05:53.194: 00:1b:d4:58:e6:1a   mobile MAC: 00:1b:d4:58:e6:1a, IP: 10.10.14.54, instance: 1
*mmListen: Mar 17 00:05:53.194: 00:1b:d4:58:e6:1a   VLAN IP: 10.10.12.15, netmask: 255.255.255.0
*apfReceiveTask: Mar 17 00:05:53.195: 00:1b:d4:58:e6:1a 10.10.14.54 RUN (20) State Update from Mobility-Complete to Mobility-Incomplete
*apfReceiveTask: Mar 17 00:05:53.195: 00:1b:d4:58:e6:1a Mobile 00:1b:d4:58:e6:1a associated with another AP elsewhere, delete mobile
*apfReceiveTask: Mar 17 00:05:53.195: 00:1b:d4:58:e6:1a 10.10.14.54 RUN (20) mobility role update request from Foreign to Handoff  Peer = 10.10.111.10, Old Anchor = 10.10.111.10, New Anchor = 0.0.0.0
*apfReceiveTask: Mar 17 00:05:53.195: 00:1b:d4:58:e6:1a Clearing Address 10.10.14.54 on mobile
*apfReceiveTask: Mar 17 00:05:53.195: 00:1b:d4:58:e6:1a apfMsRunStateDec
*apfReceiveTask: Mar 17 00:05:53.195: 00:1b:d4:58:e6:1a 10.10.14.54 RUN (20) Change state to DHCP_REQD (7) last state RUN (20)
*apfReceiveTask: Mar 17 00:05:53.195: 00:1b:d4:58:e6:1a apfMmProcessDeleteMobile (apf_mm.c:548) Expiring Mobile!
*apfReceiveTask: Mar 17 00:05:53.195: 00:1b:d4:58:e6:1a Mobility Response: IP 0.0.0.0 code Handoff Indication (2), reason Client handoff successful - anchor retained (0), PEM State DHCP_REQD, Role Handoff(6)
*apfReceiveTask: Mar 17 00:05:53.195: 00:1b:d4:58:e6:1a apfMsExpireMobileStation (apf_ms.c:5009) Changing state for mobile 00:1b:d4:58:e6:1a on AP 64:a0:e7:af:47:40 from Associated to Disassociated
*apfReceiveTask: Mar 17 00:05:53.195: 00:1b:d4:58:e6:1a apfMsAssoStateDec
*apfReceiveTask: Mar 17 00:05:53.195: 00:1b:d4:58:e6:1a apfMsExpireMobileStation (apf_ms.c:5132) Changing state for mobile 00:1b:d4:58:e6:1a on AP 64:a0:e7:af:47:40 from Disassociated to Idle
*apfReceiveTask: Mar 17 00:05:53.196: 00:1b:d4:58:e6:1a 0.0.0.0 DHCP_REQD (7) Deleted mobile LWAPP rule on AP [64:a0:e7:af:47:40]
*apfReceiveTask: Mar 17 00:05:53.196: 00:1b:d4:58:e6:1a Username entry deleted for mobile
*apfReceiveTask: Mar 17 00:05:53.196: 00:1b:d4:58:e6:1a apfMs1xStateDec
*apfReceiveTask: Mar 17 00:05:53.196: 00:1b:d4:58:e6:1a Deleting mobile on AP 64:a0:e7:af:47:40(1)
*pemReceiveTask: Mar 17 00:05:53.203: 00:1b:d4:58:e6:1a 0.0.0.0 Removed NPU entry.
*mmListen: Mar 17 00:05:53.681: Switch IP: 10.10.111.10
*mmListen: Mar 17 00:05:53.681: Vlan List payload not found, ignoring ...
*mmListen: Mar 17 00:05:53.681: IP Address don't compare for client 04:f7:e4:ea:5b:66 is 0
*mmListen: Mar 17 00:05:53.681: Anchor Mac : 00.00.00.00.00.00
*spamReceiveTask: Mar 17 00:06:11.148: Mobility packet sent to:
*spamReceiveTask: Mar 17 00:06:11.148:   10.10.111.10, port 16666
*spamReceiveTask: Mar 17 00:06:11.148:   type: 19(ApListUpdate)  subtype: 0  version: 1  xid: 96  seq: 100  len 52 flags 0
*spamReceiveTask: Mar 17 00:06:11.148:   group id: fe2f34f3 9b7a7cea 68f48181 316db999
*spamReceiveTask: Mar 17 00:06:11.149: 1 ap-list-update groupcast messages sent
*spamReceiveTask: Mar 17 00:08:03.478: Mobility packet sent to:
*spamReceiveTask: Mar 17 00:08:03.478:   10.10.111.10, port 16666
*spamReceiveTask: Mar 17 00:08:03.478:   type: 19(ApListUpdate)  subtype: 0  version: 1  xid: 101  seq: 105  len 52 flags 0
*spamReceiveTask: Mar 17 00:08:03.478:   group id: fe2f34f3 9b7a7cea 68f48181 316db999
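The debug output above is the handoff as seen from WLC2: it receives the PMK-Update and the MobileAnnounce from 10.10.111.10 and answers with a MobileHandoff carrying the same xid (54), while the seq numbers (885 and 97) are per-sender and do not match. As an added example, not code from the post or from Cisco, here is a Python parser for these multi-line records that pairs announce and handoff by peer and xid, infers L2 versus L3 from the two VLAN IP lines (my inference from this output, not a documented field meaning), and flags mobility traffic to or from addresses that are not in the mobility group list from show mobility summary. The sample input is trimmed from the WLC2 output above; the parser understands only this text format.

```python
"""Parse the 'Mobility packet sent to / received from' records in Cisco WLC
'debug mobility handoff' output and pair them into handoff transactions.
Added example for this page, not the post's or Cisco's code."""
import re
from dataclasses import dataclass
from ipaddress import ip_interface
from typing import Optional

# Excerpt of the WLC2 debug output quoted above, trimmed to the packet records.
SAMPLE_DEBUG = """\
*mmListen: Mar 17 00:05:53.182: Mobility packet received from:
*mmListen: Mar 17 00:05:53.183:   10.10.111.10, port 16666
*mmListen: Mar 17 00:05:53.183:   type: 12(PMK-Update)  subtype: 0  version: 1  xid: 53  seq: 884  len 461 flags 0
*mmListen: Mar 17 00:05:53.183:   group id: fe2f34f3 9b7a7cea 68f48181 316db999
*mmListen: Mar 17 00:05:53.194: 00:1b:d4:58:e6:1a Mobility packet received from:
*mmListen: Mar 17 00:05:53.194: 00:1b:d4:58:e6:1a   10.10.111.10, port 16666
*mmListen: Mar 17 00:05:53.194: 00:1b:d4:58:e6:1a   type: 3(MobileAnnounce)  subtype: 0  version: 1  xid: 54  seq: 885  len 116 flags 0
*mmListen: Mar 17 00:05:53.194: 00:1b:d4:58:e6:1a   mobile MAC: 00:1b:d4:58:e6:1a, IP: 10.10.14.54, instance: 0
*mmListen: Mar 17 00:05:53.194: 00:1b:d4:58:e6:1a   VLAN IP: 10.10.14.10, netmask: 255.255.255.0
*mmListen: Mar 17 00:05:53.194: 00:1b:d4:58:e6:1a Mobility packet sent to:
*mmListen: Mar 17 00:05:53.194: 00:1b:d4:58:e6:1a   10.10.111.10, port 16666
*mmListen: Mar 17 00:05:53.194: 00:1b:d4:58:e6:1a   type: 5(MobileHandoff)  subtype: 0  version: 1  xid: 54  seq: 97  len 618 flags 0
*mmListen: Mar 17 00:05:53.194: 00:1b:d4:58:e6:1a   mobile MAC: 00:1b:d4:58:e6:1a, IP: 10.10.14.54, instance: 1
*mmListen: Mar 17 00:05:53.194: 00:1b:d4:58:e6:1a   VLAN IP: 10.10.12.15, netmask: 255.255.255.0
"""

# "*task: Mon DD HH:MM:SS.mmm: [client MAC] rest" is the prefix on every debug line.
PREFIX = re.compile(r"^\*\S+: (?P<ts>\w{3} \d+ \d\d:\d\d:\d\d\.\d+): "
                    r"(?:[0-9a-f]{2}(?::[0-9a-f]{2}){5} )?(?P<body>.*)$")
PEER = re.compile(r"^\s*(?P<ip>\d+\.\d+\.\d+\.\d+), port (?P<port>\d+)$")
HEADER = re.compile(r"^\s*type: \d+\((?P<name>[\w-]+)\)\s+subtype: \d+\s+version: \d+"
                    r"\s+xid: (?P<xid>\d+)\s+seq: (?P<seq>\d+)")
MOBILE = re.compile(r"^\s*mobile MAC: (?P<mac>[0-9a-f:]{17}), IP: (?P<ip>[\d.]+)")
VLAN = re.compile(r"^\s*VLAN IP: (?P<ip>[\d.]+), netmask: (?P<mask>[\d.]+)")


@dataclass
class MobilityPacket:
    ts: str
    direction: str                 # "sent" or "received"
    peer: str = ""
    port: int = 0
    type_name: str = ""
    xid: int = -1                  # transaction id: ties a request to its reply
    seq: int = -1                  # per-sender sequence number, not shared
    client_mac: Optional[str] = None
    client_ip: Optional[str] = None
    vlan_if: Optional[str] = None  # "ip/mask" of the sender's client-VLAN interface


def parse_debug(text: str) -> list[MobilityPacket]:
    packets: list[MobilityPacket] = []
    cur: Optional[MobilityPacket] = None
    for raw in text.splitlines():
        m = PREFIX.match(raw)
        if not m:
            continue
        body = m.group("body")
        if body.startswith("Mobility packet "):
            cur = MobilityPacket(m.group("ts"), "sent" if "sent to" in body else "received")
            packets.append(cur)
        elif cur is None:
            continue                       # debug noise before the first record
        elif (p := PEER.match(body)):
            cur.peer, cur.port = p.group("ip"), int(p.group("port"))
        elif (h := HEADER.match(body)):
            cur.type_name = h.group("name")
            cur.xid, cur.seq = int(h.group("xid")), int(h.group("seq"))
        elif (c := MOBILE.match(body)):
            cur.client_mac, cur.client_ip = c.group("mac"), c.group("ip")
        elif (v := VLAN.match(body)):
            cur.vlan_if = f"{v.group('ip')}/{v.group('mask')}"
    return packets


def pair_handoffs(packets):
    """Match each MobileAnnounce with the MobileHandoff that answered it: same peer,
    same xid, opposite direction (works from either controller's debug)."""
    announces = {(p.peer, p.xid, p.direction): p
                 for p in packets if p.type_name == "MobileAnnounce"}
    pairs = []
    for p in packets:
        if p.type_name == "MobileHandoff":
            other = "received" if p.direction == "sent" else "sent"
            req = announces.get((p.peer, p.xid, other))
            if req is not None:
                pairs.append((req, p))
    return pairs


def roam_kind(announce, handoff):
    """L2 if both controllers' client-VLAN interfaces share a subnet (entry moved),
    L3 if they differ (entry copied, Anchor/Foreign).  My inference, see lead-in."""
    a = ip_interface(announce.vlan_if).network
    h = ip_interface(handoff.vlan_if).network
    return "L2" if a == h else "L3"


def unexpected_peers(packets, group_members, port=16666):
    """Peers not in 'show mobility summary' or not on the mobility port.  Worth
    alerting on: PMK-Update hands the client's CCKM/PMK cache to the peer."""
    return sorted({p.peer for p in packets
                   if p.peer not in group_members or p.port != port})
```

Feed it the WLC1 output below and the same pair comes out with the directions reversed. The member list passed to unexpected_peers() is the one from show mobility summary at the top of this page (10.10.111.10 and 10.10.112.10); the PMK-Update record is what makes that list an access-control decision, since every member receives the client's key cache.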

Here is the debug output from WLC1, where the client moved to.

(WLC1) >debug client 00:1b:d4:58:e6:1a
(WLC1) >debug mobility handoff enable

*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.252: 00:1b:d4:58:e6:1a Starting key exchange to mobile 00:1b:d4:58:e6:1a, data packets will be dropped
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.252: 00:1b:d4:58:e6:1a Sending EAPOL-Key Message to mobile 00:1b:d4:58:e6:1a   state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.252: 00:1b:d4:58:e6:1a Entering Backend Auth Success state (id=171) for mobile 00:1b:d4:58:e6:1a
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.252: 00:1b:d4:58:e6:1a Received Auth Success while in Authenticating state for mobile 00:1b:d4:58:e6:1a
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.252: 00:1b:d4:58:e6:1a dot1x - moving mobile 00:1b:d4:58:e6:1a into Authenticated state
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.268: 00:1b:d4:58:e6:1a Received EAPOL-Key from mobile 00:1b:d4:58:e6:1a
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.268: 00:1b:d4:58:e6:1a Received EAPOL-key in PTK_START state (message 2) from mobile 00:1b:d4:58:e6:1a
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.268: 00:1b:d4:58:e6:1a CCKM: Sending cache add
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.268: CCKM: Sending CCKM PMK (Version_1) information to mobility group
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.268: 00:1b:d4:58:e6:1a 0 PMK-update groupcast messages sent
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.268: CCKM: Sending CCKM PMK (Version_2) information to mobility group
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.268: Mobility packet sent to:
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.269:   10.10.112.10, port 16666
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.269:   type: 12(PMK-Update)  subtype: 0  version: 1  xid: 53  seq: 884  len 461 flags 0
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.269:   group id: fe2f34f3 9b7a7cea 68f48181 316db999
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.269: 00:1b:d4:58:e6:1a 1 PMK-update groupcast messages sent
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.269: 00:1b:d4:58:e6:1a Stopping retransmission timer for mobile 00:1b:d4:58:e6:1a
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.269: 00:1b:d4:58:e6:1a Sending EAPOL-Key Message to mobile 00:1b:d4:58:e6:1a   state PTKINITNEGOTIATING (message 3), replay counter 00.00.00.00.00.00.00.01
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.280: 00:1b:d4:58:e6:1a Received EAPOL-Key from mobile 00:1b:d4:58:e6:1a
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.280: 00:1b:d4:58:e6:1a Received EAPOL-key in PTKINITNEGOTIATING state (message 4) from mobile 00:1b:d4:58:e6:1a
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.280: 00:1b:d4:58:e6:1a apfMs1xStateInc
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.280: 00:1b:d4:58:e6:1a 10.10.14.54 8021X_REQD (3) Change state to L2AUTHCOMPLETE (4) last state RUN (20)
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.280: 00:1b:d4:58:e6:1a Mobility query, PEM State: L2AUTHCOMPLETE
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.280: 00:1b:d4:58:e6:1a 10.10.14.54 L2AUTHCOMPLETE (4) State Update from Mobility-Complete to Mobility-Incomplete
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.280: Unicast MWAR IP: 10.10.112.10: intra-group
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.280: 00:1b:d4:58:e6:1a Mobility packet sent to:
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.280: 00:1b:d4:58:e6:1a   10.10.112.10, port 16666
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.280: 00:1b:d4:58:e6:1a   type: 3(MobileAnnounce)  subtype: 0  version: 1  xid: 54  seq: 885  len 116 flags 0
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.280: 00:1b:d4:58:e6:1a   group id: fe2f34f3 9b7a7cea 68f48181 316db999
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.280: 00:1b:d4:58:e6:1a   mobile MAC: 00:1b:d4:58:e6:1a, IP: 10.10.14.54, instance: 0
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.280: 00:1b:d4:58:e6:1a   VLAN IP: 10.10.14.10, netmask: 255.255.255.0
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.280: 00:1b:d4:58:e6:1a 10.10.14.54 L2AUTHCOMPLETE (4) DHCP required on AP 54:75:d0:3e:80:b0 vapId 4 apVapId 4for this client
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.280: 00:1b:d4:58:e6:1a Not Using WMM Compliance code qosCap 0f
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.281: 00:1b:d4:58:e6:1a 10.10.14.54 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 54:75:d0:3e:80:b0 vapId 4 apVapId 4
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.281: 00:1b:d4:58:e6:1a apfMsRunStateInc
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.281: 00:1b:d4:58:e6:1a 10.10.14.54 L2AUTHCOMPLETE (4) Change state to RUN (20) last state RUN (20)
*mmListen: Mar 17 11:03:18.281: 00:1b:d4:58:e6:1a Mobility packet received from:
*mmListen: M
ar 17 11:03:18.281: 00:1b:d4:58:e6:1a   10.10.112.10, port 16666
*mmListen: Mar 17 11:03:18.281: 00:1b:d4:58:e6:1a   type: 5(MobileHandoff)  subtype: 0  version: 1  xid: 54  seq: 97  len 618 flags 0
*mmListen: Mar 17 11:03:18.281: 00:1b:d4:58:e6:1a   group id: fe2f34f3 9b7a7cea 68f48181 316db999
*mmListen: Mar 17 11:03:18.281: 00:1b:d4:58:e6:1a   mobile MAC: 00:1b:d4:58:e6:1a, IP: 10.10.14.54, instance: 1
*mmListen: Mar 17 11:03:18.281: 00:1b:d4:58:e6:1a   VLAN IP: 10.10.12.15, netmask: 255.255.255.0
*mmListen: Mar 17 11:03:18.281: Switch IP: 10.10.112.10
*mmListen: Mar 17 11:03:18.281: Mobility handoff, NAC State Payload [ Client's NAC OOB State : Access, Quarantine VLAN :0, Access VLAN : 14 ]
*mmListen: Mar 17 11:03:18.281: 00:1b:d4:58:e6:1a Mobility handoff for client:  Ip: 10.10.14.54  Anchor IP: 0.0.0.0, Peer IP: 10.10.112.10
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.282: 00:1b:d4:58:e6:1a 10.10.14.54 RUN (20) Reached PLUMBFASTPATH: from line 4864
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.282: 00:1b:d4:58:e6:1a 10.10.14.54 RUN (20) Change state to 
RUN (20) last state RUN (20)*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.282: 00:1b:d4:58:e6:1a Stopping retransmission timer for mobile 00:1b:d4:58:e6:1a*apfReceiveTask: Mar 17 11:03:18.282: 00:1b:d4:58:e6:1a Handoff confirm: Pre Handoff PEM State: RUN*apfReceiveTask: Mar 17 11:03:18.282: 00:1b:d4:58:e6:1a   Pem State update: RUN(20), VAP Security mask 4000,    IPsec len: 0, ACL Name: ''*apfReceiveTask: Mar 17 11:03:18.282: 00:1b:d4:58:e6:1a Applying post-handoff policy for station 00:1b:d4:58:e6:1a - valid mask 0x0*apfReceiveTask: Mar 17 11:03:18.282: 00:1b:d4:58:e6:1a     QOS Level: -1, DSCP: -1, dot1p: -1,    Data Avg: -1, realtime Avg: -1, Data Burst -1, Realtime Burst -1*apfReceiveTask: Mar 17 11:03:18.282: 00:1b:d4:58:e6:1a     Session: -1, User session: -1, User elapsed -1    Interface: N/A ACL: N/A*apfReceiveTask: Mar 17 11:03:18.282: 00:1b:d4:58:e6:1a 10.10.14.54 RUN (20) Change state to RUN (20) last state RUN (20)*apfReceiveTask: Mar 17 11:03:18.282: 00:1b:d4:58:e6:1a Stopping deletion of Mobile Station: (callerId: 55)*apfReceiveTask: Mar 17 11:03:18.282: 00:1b:d4:58:e6:1a  Delete the client from prev. foreign : 10.10.112.10*apfReceiveTask: Mar 17 11:03:18.282: 00:1b:d4:58:e6:1a 10.10.14.54 RUN (20) mobility role update request from Anchor to Local  Peer = 10.10.112.10, Old Anchor = 10.10.111.10, New Anchor = 10.10.111.10

Page 161: rms.koenig-solutions.comrms.koenig-solutions.com/.../QMS/824-2019108374-802.1…  · Web view802.11 Association process explained. Table of contents. No headers. Access points are

*apfReceiveTask: Mar 17 11:03:18.282: 00:1b:d4:58:e6:1a 10.10.14.54 RUN (20) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=Local, client state=APF_MS_STATE_ASSOCIATED*apfReceiveTask: Mar 17 11:03:18.282: 00:1b:d4:58:e6:1a 10.10.14.54 RUN (20) Reached PLUMBFASTPATH: from line 4495*apfReceiveTask: Mar 17 11:03:18.282: 00:1b:d4:58:e6:1a 10.10.14.54 RUN (20) Replacing Fast Path rule  type = Airespace AP Client  on AP 54:75:d0:3e:80:b0, slot 1, interface = 1, QOS = 2  ACL Id = 255, Jumbo Frames = NO*apfReceiveTask: Mar 17 11:03:18.282: 00:1b:d4:58:e6:1a 10.10.14.54 RUN (20) Fast Path rule (contd...) 802.1P = 6, DSCP = 0, TokenID = 5006  IPv6 Vlan = 14, IPv6 intf id = 11*apfReceiveTask: Mar 17 11:03:18.282: 00:1b:d4:58:e6:1a 10.10.14.54 RUN (20) Successfully plumbed mobile rule (ACL ID 255)*apfReceiveTask: Mar 17 11:03:18.282: 00:1b:d4:58:e6:1a Configured Anchor for mobile 00:1b:d4:58:e6:1a. Sending Igmp query*apfReceiveTask: Mar 17 11:03:18.283: 00:1b:d4:58:e6:1a Mobility Response: IP 10.10.14.54 code Handoff (1), reason Anchor is local (2), PEM State RUN, Role Local(1)*bcastReceiveTask: Mar 17 11:03:18.283: Sending IGMP query First Time to 54:75:d0:3e:80:b0 ap for mgid 11 *bcastReceiveTask: Mar 17 11:03:18.283: Entry for ap  54:75:d0:3e:80:b0, IGMP query packet not queued for mgid 11... Enquing the Query packet... 
*pemReceiveTask: Mar 17 11:03:18.287: 00:1b:d4:58:e6:1a 10.10.14.54 Added NPU entry of type 1, dtlFlags 0x0*pemReceiveTask: Mar 17 11:03:18.289: 00:1b:d4:58:e6:1a Sending a gratuitous ARP for 10.10.14.54, VLAN Id 53262*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.767: Unicast MWAR IP: 10.10.112.10: intra-group*mmListen: Mar 17 11:03:18.768: Switch IP: 10.10.112.10 *mmListen: Mar 17 11:03:18.768: Mobility handoff, NAC State Payload [ Client's NAC OOB State : Access, Quarantine VLAN :0, Access VLAN : 14 ]*bcastReceiveTask: Mar 17 11:03:18.775: Sending IGMP query First Time to 54:75:d0:3e:80:b0 ap for mgid 11 *bcastReceiveTask: Mar 17 11:03:18.775: Entry for ap  54:75:d0:3e:80:b0, mgid 11 already exists *bcastReceiveTask: Mar 17 11:03:19.272: Sending IGMP query to 54:75:d0:3e:80:b0 ap for mgid 11, Query count: 2 *bcastReceiveTask: Mar 17 11:03:20.272: Sending IGMP query to 54:75:d0:3e:80:b0 ap for mgid 11, Query count: 1 *bcastReceiveTask: Mar 17 11:03:20.272: All Queries sent ... Removing entry  for 54:75:d0:3e:80:b0 ap for mgid 11  from queue *mmListen: Mar 17 11:03:36.236: Mobility packet received from:*mmListen: Mar 17 11:03:36.236:   10.10.112.10, port 16666*mmListen: Mar 17 11:03:36.236:   type: 19(ApListUpdate)  subtype: 0  version: 1  xid: 96  seq: 100  len 52 flags 0*mmListen: Mar 17 11:03:36.236:   group id: fe2f34f3 9b7a7cea 68f48181 316db999*mmListen: Mar 17 11:03:36.236: Switch IP: 10.10.112.10

Again, these debugs are used to troubleshoot client roaming issues, and if you understand the roaming process you can understand these debug outputs (I think I am not at that level yet and show these debugs as an example).

You can read “Deploying & Troubleshooting Cisco Wireless LAN Controllers” by Mark Gress and Lee Johnson to go in depth about mobility.

WLC – Web Authentication

21 Thursday MAR 2013

POSTED BY NAYARASI  IN GUEST WIRELESS ≈ 15 COMMENTS

Tags: Web Auth

Web Authentication, or Web Auth, is a layer 3 security method that allows a client to pass only DHCP and DNS traffic until it has passed some form of authentication. It is widely used for wireless guest access, where no client-side configuration is required.

WLC has four authentication policies:

1. Authentication
2. Passthrough
3. Conditional Web Redirect
4. Splash Page Web Redirect

Below are the authentication policies shown on the Layer 3 security tab of a given WLAN on a WLC running 7.0.116.0 code.

When you enable the Authentication option (as shown in the above screen capture), a guest client has to enter a username and password to gain access to the guest network. Once the user gets an IP address and tries to access a URL, the authentication screen appears like this.

With the VPN Web Passthrough option, the guest client simply has to accept the agreement before gaining access (no username verification). The WLC can be configured to ask the user to enter an email address as a way of identifying the guest user. Once you do that, when a guest user accesses the network a screen like this is shown, and the user gets access by entering his/her email address.

Conditional Web Redirect is commonly used by businesses that sell network access to users (such as hotels). For this to work, the guest WLAN must have some form of layer 2 security (802.1X or WPA) configured. When a user logs on to the wireless network from the splash page, a RADIUS server verifies the user's credentials. Should certain conditions be met that necessitate another redirect, the client is redirected to a new page (for example, to pay for the service).

With Splash Page Web Redirect, the user is redirected to a particular web page after successfully completing 802.1X authentication. Once the redirect is complete, the user has full access to the network. This method requires 802.1X or WPA+WPA2 layer 2 security.

There are three ways of presenting the login page (Internal, Custom and External). In the first two methods the internal web server of the WLC is used, and you can access it via “SECURITY -> Web Auth -> Web Login Page” as shown below.
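To make the pre-authentication behaviour described above concrete, here is an added example (Python, not WLC code and not from the original post) that models the layer 3 policy the controller applies to a guest client: while the client is in WEBAUTH_REQD only DHCP and DNS pass, an HTTP request is answered with a redirect to the login page on the controller's virtual interface, traffic to that virtual address itself is allowed (otherwise the login page could never load), and everything else is dropped; once the client reaches RUN all traffic is forwarded. The virtual IP 1.1.1.1, the redirect URL layout, the credential store and the packet sequence are assumptions constructed for the example.

```python
"""Model of the Web Auth layer 3 pre-authentication policy on a WLC.
Added example, not controller code: virtual IP, redirect URL layout,
credential store and the packet walk-through are all constructed."""
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple

VIRTUAL_IP = "1.1.1.1"  # assumed virtual interface address of the WLC


class State(Enum):
    WEBAUTH_REQD = 8   # client has an IP but has not logged in yet
    RUN = 20           # fully authenticated, traffic is bridged


class Action(Enum):
    FORWARD = "forward"
    REDIRECT = "redirect"
    DROP = "drop"


@dataclass(frozen=True)
class Packet:
    proto: str       # "udp" or "tcp"
    dst_ip: str
    dst_port: int
    host: str = ""   # HTTP Host header, used to build the redirect target


def webauth_policy(state: State, pkt: Packet,
                   virtual_ip: str = VIRTUAL_IP) -> Tuple[Action, Optional[str]]:
    """Decide what happens to one packet; for a redirect also return the URL."""
    if state is State.RUN:
        return Action.FORWARD, None
    if pkt.dst_ip == virtual_ip:
        return Action.FORWARD, None      # the login page itself must stay reachable
    if pkt.proto == "udp" and pkt.dst_port in (53, 67):
        return Action.FORWARD, None      # DNS and DHCP are the only pre-auth traffic
    if pkt.proto == "tcp" and pkt.dst_port == 80:
        target = f"https://{virtual_ip}/login.html?redirect={pkt.host}"
        return Action.REDIRECT, target   # intercepted GET, browser is sent to login
    return Action.DROP, None             # anything else, including HTTPS elsewhere


class GuestSession:
    """A client's state on the controller plus the credential check that moves
    it from WEBAUTH_REQD to RUN. `users` is a constructed credential store."""

    def __init__(self, users: Dict[str, str]):
        self.state = State.WEBAUTH_REQD
        self.users = users

    def login(self, username: str, password: str) -> bool:
        expected = self.users.get(username, "")
        if expected and hmac.compare_digest(expected.encode(), password.encode()):
            self.state = State.RUN
        return self.state is State.RUN

    def handle(self, pkt: Packet) -> Action:
        return webauth_policy(self.state, pkt)[0]


def walkthrough() -> List[Action]:
    """Constructed packet sequence following steps 3 to 10 of the post."""
    s = GuestSession({"guest1": "welcome"})
    actions = [
        s.handle(Packet("udp", "255.255.255.255", 67)),               # DHCP discover
        s.handle(Packet("udp", "198.51.100.53", 53)),                 # DNS query
        s.handle(Packet("tcp", "198.51.100.7", 80, "example.com")),   # HTTP GET -> redirect
        s.handle(Packet("tcp", "198.51.100.7", 443)),                 # HTTPS elsewhere -> drop
        s.handle(Packet("tcp", VIRTUAL_IP, 443)),                     # login page -> forward
    ]
    s.login("guest1", "wrong")      # rejected, client stays in WEBAUTH_REQD
    s.login("guest1", "welcome")    # accepted, client moves to RUN
    actions.append(s.handle(Packet("tcp", "198.51.100.7", 80, "example.com")))
    return actions


if __name__ == "__main__":
    for a in walkthrough():
        print(a.value)
```

The redirect is only possible for plain HTTP: the controller cannot inject a redirect into a TLS session, which is why the model drops HTTPS to other hosts before login and why a captive-portal client needs to open an HTTP URL first.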

Here are the steps in the Web Authentication process:

Step 1. The client enters the START state by completing any layer 2 security, if necessary.
Step 2. After layer 2 authentication is complete, the client moves to the DHCP_REQD state.
Step 3. The client receives an IP address and DNS server from the DHCP server. The client opens a web browser and the PC sends a DNS query.
Step 4. The WLC forwards the DNS query.
Step 5. The DNS server resolves the URL name to an IP address.
Step 6. The controller (WLC) forwards the DNS reply.

Step 7. The client sends an HTTP GET to the web server.
Step 8. The controller intercepts the returned web page from the destination web server and sends a redirect to its own internal web server address (the virtual interface IP of the WLC).
Step 9. The client goes to the login page, passes web authentication and enters the RUN state on the controller.
Step 10. The WLC forwards the client browser to the original web page requested.

Here is the debug client output on the WLC with the VPN Passthrough configuration. You can see the client state changes during the process { START (0) -> AUTHCHECK (2) -> L2AUTHCOMPLETE (4) -> DHCP_REQD (7) -> WEBAUTH_REQD (8) -> WEBAUTH_NOL3SEC (14) -> RUN (20) }. A few other key elements in this debug output (DHCP DORA, guest email, etc.) are also highlighted; you need to be familiar with them in order to troubleshoot client issues with respect to Web Auth.

(WLC1) >debug client 64:20:0c:e0:23:75

(WLC1) >
*apfMsConnTask_0: Mar 21 07:10:14.812: 64:20:0c:e0:23:75 Adding mobile on LWAPP AP 54:75:d0:3e:80:b0(1)
*apfMsConnTask_0: Mar 21 07:10:14.812: 64:20:0c:e0:23:75 Association received from mobile on AP 54:75:d0:3e:80:b0
*apfMsConnTask_0: Mar 21 07:10:14.812: 64:20:0c:e0:23:75 0.0.0.0 START (0) Changing ACL 'WLC-ACL' (ACL ID 0) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1621)
*apfMsConnTask_0: Mar 21 07:10:14.812: 64:20:0c:e0:23:75 Applying site-specific IPv6 override for station 64:20:0c:e0:23:75 - vapId 4, site 'default-group', interface 'vlan14'
*apfMsConnTask_0: Mar 21 07:10:14.812: 64:20:0c:e0:23:75 Applying IPv6 Interface Policy for station 64:20:0c:e0:23:75 - vlan 14, interface id 11, interface 'vlan14'
*apfMsConnTask_0: Mar 21 07:10:14.812: 64:20:0c:e0:23:75 STA - rates (4): 176 72 96 108 0 0 0 0 0 0 0 0 0 0 0 0
*apfMsConnTask_0: Mar 21 07:10:14.813: 64:20:0c:e0:23:75 0.0.0.0 START (0) Initializing policy
*apfMsConnTask_0: Mar 21 07:10:14.813: 64:20:0c:e0:23:75 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)
*apfMsConnTask_0: Mar 21 07:10:14.813: 64:20:0c:e0:23:75 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state L2AUTHCOMPLETE (4)
*apfMsConnTask_0: Mar 21 07:10:14.813: 64:20:0c:e0:23:75 0.0.0.0 L2AUTHCOMPLETE (4) DHCP Not required on AP 54:75:d0:3e:80:b0 vapId 4 apVapId 4for this client
*apfMsConnTask_0: Mar 21 07:10:14.813: 64:20:0c:e0:23:75 Not Using WMM Compliance code qosCap 00
*apfMsConnTask_0: Mar 21 07:10:14.813: 64:20:0c:e0:23:75 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 54:75:d0:3e:80:b0 vapId 4 apVapId 4
*apfMsConnTask_0: Mar 21 07:10:14.813: 64:20:0c:e0:23:75 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
*apfMsConnTask_0: Mar 21 07:10:14.813: 64:20:0c:e0:23:75 apfMsAssoStateInc
*apfMsConnTask_0: Mar 21 07:10:14.813: 64:20:0c:e0:23:75 apfPemAddUser2 (apf_policy.c:223) Changing state for mobile 64:20:0c:e0:23:75 on AP 54:75:d0:3e:80:b0 from Idle to Associated
*apfMsConnTask_0: Mar 21 07:10:14.813: 64:20:0c:e0:23:75 Stopping deletion of Mobile Station: (callerId: 48)
*apfMsConnTask_0: Mar 21 07:10:14.813: 64:20:0c:e0:23:75 Sending Assoc Response to station on BSSID 54:75:d0:3e:80:b0 (status 0) ApVapId 4 Slot 1

*apfMsConnTask_0: Mar 21 07:10:14.813: 64:20:0c:e0:23:75 apfProcessAssocReq (apf_80211.c:5241) Changing state for mobile 64:20:0c:e0:23:75 on AP 54:75:d0:3e:80:b0 from Associated to Associated
*apfReceiveTask: Mar 21 07:10:14.833: 64:20:0c:e0:23:75 Orphan Packet from 192.168.1.12 on mobile
*apfReceiveTask: Mar 21 07:10:14.834: 64:20:0c:e0:23:75 Orphan Packet from 10.10.14.52 on mobile
*apfReceiveTask: Mar 21 07:10:14.834: 64:20:0c:e0:23:75 Orphan Packet from 149.144.156.3 on mobile
*DHCP Proxy DTL Recv Task: Mar 21 07:10:14.835: 64:20:0c:e0:23:75 DHCP received op BOOTREQUEST (1) (len 308,vlan 0, port 1, encap 0xec03)
*DHCP Proxy DTL Recv Task: Mar 21 07:10:14.836: 64:20:0c:e0:23:75 DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0,  mobility state = 'apfMsMmQueryRequested'
*apfReceiveTask: Mar 21 07:10:14.856: 64:20:0c:e0:23:75 Orphan Packet from 192.168.1.12 on mobile
*apfReceiveTask: Mar 21 07:10:14.857: 64:20:0c:e0:23:75 Orphan Packet from 10.10.14.52 on mobile
*apfReceiveTask: Mar 21 07:10:14.857: 64:20:0c:e0:23:75 Orphan Packet from 149.144.156.3 on mobile
*DHCP Proxy DTL Recv Task: Mar 21 07:10:14.858: 64:20:0c:e0:23:75 DHCP received op BOOTREQUEST (1) (len 308,vlan 0, port 1, encap 0xec03)
*DHCP Proxy DTL Recv Task: Mar 21 07:10:14.858: 64:20:0c:e0:23:75 DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0,  mobility state = 'apfMsMmQueryRequested'
*DHCP Proxy DTL Recv Task: Mar 21 07:10:16.253: 64:20:0c:e0:23:75 DHCP received op BOOTREQUEST (1) (len 308,vlan 0, port 1, encap 0xec03)
*DHCP Proxy DTL Recv Task: Mar 21 07:10:16.253: 64:20:0c:e0:23:75 DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0,  mobility state = 'apfMsMmQueryRequested'
*apfReceiveTask: Mar 21 07:10:16.804: 64:20:0c:e0:23:75 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=Local, client state=APF_MS_STATE_ASSOCIATED
*DHCP Proxy DTL Recv Task: Mar 21 07:10:23.453: 64:20:0c:e0:23:75 DHCP selected relay 1 - 10.10.14.1 (local address 10.10.14.10, gateway 10.10.14.1, VLAN 14, port 1)
*DHCP Proxy DTL Recv Task: Mar 21 07:10:23.454: 64:20:0c:e0:23:75 DHCP transmitting DHCP DISCOVER (1)
*DHCP Proxy DTL Recv Task: Mar 21 07:10:23.454: 64:20:0c:e0:23:75 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 1
*DHCP Proxy DTL Recv Task: Mar 21 07:10:23.454: 64:20:0c:e0:23:75 DHCP   xid: 0x4a8c7dc9 (1250721225), secs: 9, flags: 0
*DHCP Proxy DTL Recv Task: Mar 21 07:10:23.454: 64:20:0c:e0:23:75 DHCP   chaddr: 64:20:0c:e0:23:75
*DHCP Proxy DTL Recv Task: Mar 21 07:10:23.454: 64:20:0c:e0:23:75 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
*DHCP Proxy DTL Recv Task: Mar 21 07:10:23.454: 64:20:0c:e0:23:75 DHCP   siaddr: 0.0.0.0,  giaddr: 10.10.14.10
*DHCP Proxy DTL Recv Task: Mar 21 07:10:23.454: 64:20:0c:e0:23:75 DHCP sending REQUEST to 10.10.14.1 (len 350, port 1, vlan 14)
*DHCP Proxy DTL Recv Task: Mar 21 07:10:23.454: 64:20:0c:e0:23:75 DHCP selecting relay 2 - control block settings:
                        dhcpServer: 0.0.0.0, dhcpNetmask: 0.0.0.0,
                        dhcpGateway: 0.0.0.0, dhcpRelay: 10.10.14.10  VLAN: 14
*DHCP Proxy DTL Recv Task: Mar 21 07:10:23.454: 64:20:0c:e0:23:75 DHCP selected relay 2 - NONE
*DHCP Proxy DTL Recv Task: Mar 21 07:10:23.457: 64:20:0c:e0:23:75 DHCP received op BOOTREPLY (2) (len 308,vlan 14, port 1, encap 0xec00)

*DHCP Proxy DTL Recv Task: Mar 21 07:10:23.457: 64:20:0c:e0:23:75 DHCP setting server from OFFER (server 192.168.200.1, yiaddr 10.10.14.52)
*DHCP Proxy DTL Recv Task: Mar 21 07:10:23.457: 64:20:0c:e0:23:75 DHCP sending REPLY to STA (len 418, port 1, vlan 111)
*DHCP Proxy DTL Recv Task: Mar 21 07:10:23.457: 64:20:0c:e0:23:75 DHCP transmitting DHCP OFFER (2)
*DHCP Proxy DTL Recv Task: Mar 21 07:10:23.457: 64:20:0c:e0:23:75 DHCP   op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
*DHCP Proxy DTL Recv Task: Mar 21 07:10:23.457: 64:20:0c:e0:23:75 DHCP   xid: 0x4a8c7dc9 (1250721225), secs: 0, flags: 0
*DHCP Proxy DTL Recv Task: Mar 21 07:10:23.458: 64:20:0c:e0:23:75 DHCP   chaddr: 64:20:0c:e0:23:75
*DHCP Proxy DTL Recv Task: Mar 21 07:10:23.458: 64:20:0c:e0:23:75 DHCP   ciaddr: 0.0.0.0,  yiaddr: 10.10.14.52
*DHCP Proxy DTL Recv Task: Mar 21 07:10:23.458: 64:20:0c:e0:23:75 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
*DHCP Proxy DTL Recv Task: Mar 21 07:10:23.458: 64:20:0c:e0:23:75 DHCP   server id: 1.1.1.1  rcvd server id: 192.168.200.1
*DHCP Proxy DTL Recv Task: Mar 21 07:10:24.479: 64:20:0c:e0:23:75 DHCP received op BOOTREQUEST (1) (len 308,vlan 0, port 1, encap 0xec03)
*DHCP Proxy DTL Recv Task: Mar 21 07:10:24.480: 64:20:0c:e0:23:75 DHCP selecting relay 1 - control block settings:
                        dhcpServer: 192.168.200.1, dhcpNetmask: 0.0.0.0,
                        dhcpGateway: 0.0.0.0, dhcpRelay: 10.10.14.10  VLAN: 14
*DHCP Proxy DTL Recv Task: Mar 21 07:10:24.480: 64:20:0c:e0:23:75 DHCP selected relay 1 - 192.168.200.1 (local address 10.10.14.10, gateway 10.10.14.1, VLAN 14, port 1)
*DHCP Proxy DTL Recv Task: Mar 21 07:10:24.480: 64:20:0c:e0:23:75 DHCP transmitting DHCP REQUEST (3)
*DHCP Proxy DTL Recv Task: Mar 21 07:10:24.480: 64:20:0c:e0:23:75 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 1
*DHCP Proxy DTL Recv Task: Mar 21 07:10:24.480: 64:20:0c:e0:23:75 DHCP   xid: 0x4a8c7dc9 (1250721225), secs: 10, flags: 0
*DHCP Proxy DTL Recv Task: Mar 21 07:10:24.480: 64:20:0c:e0:23:75 DHCP   chaddr: 64:20:0c:e0:23:75
*DHCP Proxy DTL Recv Task: Mar 21 07:10:24.480: 64:20:0c:e0:23:75 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
*DHCP Proxy DTL Recv Task: Mar 21 07:10:24.480: 64:20:0c:e0:23:75 DHCP   siaddr: 0.0.0.0,  giaddr: 10.10.14.10
*DHCP Proxy DTL Recv Task: Mar 21 07:10:24.480: 64:20:0c:e0:23:75 DHCP   requested ip: 10.10.14.52
*DHCP Proxy DTL Recv Task: Mar 21 07:10:24.480: 64:20:0c:e0:23:75 DHCP   server id: 192.168.200.1  rcvd server id: 1.1.1.1
*DHCP Proxy DTL Recv Task: Mar 21 07:10:24.480: 64:20:0c:e0:23:75 DHCP sending REQUEST to 10.10.14.1 (len 350, port 1, vlan 14)
*DHCP Proxy DTL Recv Task: Mar 21 07:10:24.480: 64:20:0c:e0:23:75 DHCP selecting relay 2 - control block settings:
                        dhcpServer: 192.168.200.1, dhcpNetmask: 0.0.0.0,
                        dhcpGateway: 0.0.0.0, dhcpRelay: 10.10.14.10  VLAN: 14
*DHCP Proxy DTL Recv Task: Mar 21 07:10:24.485: 64:20:0c:e0:23:75 Adding Web RuleID 15 for mobile 64:20:0c:e0:23:75
*DHCP Proxy DTL Recv Task: Mar 21 07:10:24.485: 64:20:0c:e0:23:75 10.10.14.52 DHCP_REQD (7) Change state to WEBAUTH_REQD (8) last state WEBAUTH_REQD (8)
*DHCP Proxy DTL Recv Task: Mar 21 07:10:24.485: 64:20:0c:e0:23:75 10.10.14.52 WEBAUTH_REQD (8) pemAdvanceState2 5170, Adding TMP rule
*DHCP P: Mar 21 07:10:24.485: 64:20:0c:e0:23:75 10.10.14.52 WEBAUTH_REQD (8) Replacing Fast Path rule  type = Airespace AP Client - ACL passthru  on AP 54:75:d0:3e:80:b0, slot 1, interface = 1, QOS = 2  ACL Id =
*DHCP Proxy DTL Recv Task: Mar 21 07:10:24.485: 64:20:0c:e0:23:75 10.10.14.52 WEBAUTH_REQD (8) Fast Path rule (contd...) 802.1P = 6, DSCP = 0, TokenID = 5006  IPv6 Vlan = 14, IPv6 intf id = 11
*DHCP Proxy DTL Recv Task: Mar 21 07:10:24.485: 64:20:0c:e0:23:75 10.10.14.52 WEBAUTH_REQD (8) Successfully plumbed mobile rule (ACL ID 255)
*DHCP Proxy DTL Recv Task: Mar 21 07:10:24.485: 64:20:0c:e0:23:75 Plumbing web-auth redirect rule due to user logout
*DHCP Proxy DTL Recv Task: Mar 21 07:10:24.485: 64:20:0c:e0:23:75 Assigning Address 10.10.14.52 to mobile
*DHCP Proxy DTL Recv Task: Mar 21 07:10:24.485: 64:20:0c:e0:23:75 DHCP success event for client. Clearing dhcp failure count for interface vlan14.
*DHCP Proxy DTL Recv Task: Mar 21 07:10:24.486: 64:20:0c:e0:23:75 DHCP sending REPLY to STA (len 418, port 1, vlan 111)
*DHCP Proxy DTL Recv Task: Mar 21 07:10:24.486: 64:20:0c:e0:23:75 DHCP transmitting DHCP ACK (5)
*DHCP Proxy DTL Recv Task: Mar 21 07:10:24.486: 64:20:0c:e0:23:75 DHCP   op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
*DHCP Proxy DTL Recv Task: Mar 21 07:10:24.486: 64:20:0c:e0:23:75 DHCP   xid: 0x4a8c7dc9 (1250721225), secs: 0, flags: 0
*DHCP Proxy DTL Recv Task: Mar 21 07:10:24.486: 64:20:0c:e0:23:75 DHCP   chaddr: 64:20:0c:e0:23:75
*DHCP Proxy DTL Recv Task: Mar 21 07:10:24.486: 64:20:0c:e0:23:75 DHCP   ciaddr: 0.0.0.0,  yiaddr: 10.10.14.52
*DHCP Proxy DTL Recv Task: Mar 21 07:10:24.486: 64:20:0c:e0:23:75 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
*DHCP Proxy DTL Recv Task: Mar 21 07:10:24.486: 64:20:0c:e0:23:75 DHCP   server id: 1.1.1.1  rcvd server id: 192.168.200.1
*pemReceiveTask: Mar 21 07:10:24.494: 64:20:0c:e0:23:75 149.144.156.3 Added NPU entry of type 2, dtlFlags 0x0
*pemReceiveTask: Mar 21 07:10:24.496: 64:20:0c:e0:23:75 Sent an XID frame
*pemReceiveTask: Mar 21 07:10:24.499: 64:20:0c:e0:23:75 149.144.156.3 Added NPU entry of type 9, dtlFlags 0x0
*pemReceiveTask: Mar 21 07:10:24.504: 64:20:0c:e0:23:75 10.10.14.52 Added NPU entry of type 2, dtlFlags 0x0
*pemReceiveTask: Mar 21 07:10:24.507: 64:20:0c:e0:23:75 Sent an XID frame
*apfReceiveTask: Mar 21 07:11:07.556: 64:20:0c:e0:23:75 Orphan Packet from 10.10.14.52 on mobile
*apfReceiveTask: Mar 21 07:11:07.559: 64:20:0c:e0:23:75 Orphan Packet from 10.10.14.52 on mobile
*emWeb: Mar 21 07:11:43.425: 64:20:0c:e0:23:75 Username entry ([email protected]) created for mobile
*emWeb: Mar 21 07:11:43.425: 64:20:0c:e0:23:75 10.10.14.52 WEBAUTH_REQD (8) Change state to WEBAUTH_NOL3SEC (14) last state WEBAUTH_NOL3SEC (14)
*emWeb: Mar 21 07:11:43.429: 64:20:0c:e0:23:75 apfMsRunStateInc
*emWeb: Mar 21 07:11:43.430: 64:20:0c:e0:23:75 10.10.14.52 WEBAUTH_NOL3SEC (14) Change state to RUN (20) last state RUN (20)
*emWeb: Mar 21 07:11:43.430: 64:20:0c:e0:23:75 Session Timeout is 0 - not starting session timer for the mobile
*emWeb: Mar 21 07:11:43.430: 64:20:0c:e0:23:75 10.10.14.52 RUN (20) Reached PLUMBFASTPATH: from line 5063
*emWeb: Mar 21 07:11:43.430: 64:20:0c:e0:23:75 10.10.14.52 RUN (20) Replacing Fast Path rule  type = Airespace AP Client  on AP 54:75:d0:3e:80:b0, slot 1, interface = 1, QOS = 2  ACL Id = 255, Jumbo Frames = NO

*emWeb: Mar 21 07:11:43.430: 64:20:0c:e0:23:75 10.10.14.52 RUN (20) Fast Path rule (contd...) 802.1P = 6, DSCP = 0, TokenID = 5006  IPv6 Vlan = 14, IPv6 intf id = 11
*emWeb: Mar 21 07:11:43.430: 64:20:0c:e0:23:75 10.10.14.52 RUN (20) Successfully plumbed mobile rule (ACL ID 255)
*pemReceiveTask: Mar 21 07:11:43.438: 64:20:0c:e0:23:75 10.10.14.52 Added NPU entry of type 1, dtlFlags 0x0
*pemReceiveTask: Mar 21 07:11:43.441: 64:20:0c:e0:23:75 Sending a gratuitous ARP for 10.10.14.52, VLAN Id 53262

Here is the link to Cisco Doc ID 115951, which describes Web Authentication on the WLC. Please read it for more inner details.
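The debug client output above, like the roaming debug earlier in this section, is pasted with every record run together on one line. As an added example that is not part of the original posts, here is a small Python parser that splits such output back into records and extracts what the posts point at: the PEM state path, the DHCP DORA steps, the EAPOL-Key message numbers of the 4-way handshake, the mobility packet types and the web-auth username. The two samples embedded in it are constructed after the format of the posts' output (MAC addresses and timestamps reused from the page, the username guest1 made up) and are not real captures.

```python
"""Split run-together Cisco WLC `debug client` output into records and pull
out the PEM state path, DHCP DORA steps, EAPOL-Key 4-way handshake messages,
mobility packet types and web-auth username. Added example, not WLC code;
both samples are constructed after the posts' output, not real captures."""
import re
from dataclasses import dataclass
from typing import List, Sequence

# Every record starts "*<task>: Mon DD HH:MM:SS.mmm: <body>". The pasted output
# has no newline between records, so we split wherever such a header begins.
HEADER = r"\*[A-Za-z0-9_ ]+: [A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}: "
SPLIT_RE = re.compile("(?=" + HEADER + ")")
HEADER_RE = re.compile(
    r"\*(?P<task>[A-Za-z0-9_ ]+): "
    r"(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): ?(?P<body>.*)", re.S)

STATE_RE = re.compile(r"\b([A-Z0-9_]+) \(\d+\) Change state to ([A-Z0-9_]+) \(\d+\)")
DHCP_RE = re.compile(r"DHCP transmitting DHCP (DISCOVER|OFFER|REQUEST|ACK|NAK) \(\d\)")
EAPOL_RE = re.compile(r"EAPOL-[Kk]ey .*?\(message (\d)\)")
MOBILITY_RE = re.compile(r"type: \d+\(([A-Za-z-]+)\)")
USER_RE = re.compile(r"Username entry \((.+?)\) created")


@dataclass
class Record:
    task: str
    ts: str
    body: str


def split_records(text: str) -> List[Record]:
    """Cut the blob at record headers; text before the first record (the CLI
    prompt and the debug command itself) is discarded."""
    out: List[Record] = []
    for chunk in SPLIT_RE.split(text):
        m = HEADER_RE.match(chunk.strip())
        if m:
            out.append(Record(m["task"], m["ts"], m["body"].strip()))
    return out


def _collect(records: Sequence[Record], pattern: re.Pattern) -> List[str]:
    return [m.group(1) for m in (pattern.search(r.body) for r in records) if m]


def state_path(records: Sequence[Record]) -> List[str]:
    """PEM states in order, collapsing self-transitions such as RUN -> RUN."""
    path: List[str] = []
    for r in records:
        m = STATE_RE.search(r.body)
        if m:
            for state in m.groups():
                if not path or path[-1] != state:
                    path.append(state)
    return path


def dhcp_steps(records: Sequence[Record]) -> List[str]:
    return _collect(records, DHCP_RE)          # the DORA sequence as transmitted


def eapol_messages(records: Sequence[Record]) -> List[int]:
    return [int(n) for n in _collect(records, EAPOL_RE)]


def handshake_complete(records: Sequence[Record]) -> bool:
    return eapol_messages(records) == [1, 2, 3, 4]   # all four EAPOL-Key messages seen


def mobility_packets(records: Sequence[Record]) -> List[str]:
    return _collect(records, MOBILITY_RE)


def webauth_users(records: Sequence[Record]) -> List[str]:
    return _collect(records, USER_RE)


def follows(expected: Sequence[str], path: Sequence[str]) -> bool:
    """True when `expected` occurs in `path` in order, other states allowed in
    between (the anchor WLC only shows the WEBAUTH tail of the path)."""
    it = iter(path)
    return all(any(p == want for p in it) for want in expected)


# Constructed sample: a web-auth client on WLC1, modelled on the post's output.
WEBAUTH_SAMPLE = (
    "(WLC1) >*apfMsConnTask_0: Mar 21 07:10:14.813: 64:20:0c:e0:23:75 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)"
    "*apfMsConnTask_0: Mar 21 07:10:14.813: 64:20:0c:e0:23:75 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state L2AUTHCOMPLETE (4)"
    "*apfMsConnTask_0: Mar 21 07:10:14.813: 64:20:0c:e0:23:75 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)"
    "*DHCP Proxy DTL Recv Task: Mar 21 07:10:23.454: 64:20:0c:e0:23:75 DHCP transmitting DHCP DISCOVER (1)"
    "*DHCP Proxy DTL Recv Task: Mar 21 07:10:23.457: 64:20:0c:e0:23:75 DHCP transmitting DHCP OFFER (2)"
    "*DHCP Proxy DTL Recv Task: Mar 21 07:10:24.480: 64:20:0c:e0:23:75 DHCP transmitting DHCP REQUEST (3)"
    "*DHCP Proxy DTL Recv Task: Mar 21 07:10:24.485: 64:20:0c:e0:23:75 10.10.14.52 DHCP_REQD (7) Change state to WEBAUTH_REQD (8) last state WEBAUTH_REQD (8)"
    "*DHCP Proxy DTL Recv Task: Mar 21 07:10:24.486: 64:20:0c:e0:23:75 DHCP transmitting DHCP ACK (5)"
    "*emWeb: Mar 21 07:11:43.425: 64:20:0c:e0:23:75 Username entry (guest1) created for mobile "
    "*emWeb: Mar 21 07:11:43.425: 64:20:0c:e0:23:75 10.10.14.52 WEBAUTH_REQD (8) Change state to WEBAUTH_NOL3SEC (14) last state WEBAUTH_NOL3SEC (14)"
    "*emWeb: Mar 21 07:11:43.430: 64:20:0c:e0:23:75 10.10.14.52 WEBAUTH_NOL3SEC (14) Change state to RUN (20) last state RUN (20)"
    "*emWeb: Mar 21 07:11:43.430: 64:20:0c:e0:23:75 10.10.14.52 RUN (20) Change state to RUN (20) last state RUN (20)"
)
# Constructed sample: the 802.1X roam from the earlier section, same format.
ROAM_SAMPLE = (
    "*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.252: 00:1b:d4:58:e6:1a Sending EAPOL-Key Message to mobile 00:1b:d4:58:e6:1a   state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00"
    "*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.268: 00:1b:d4:58:e6:1a Received EAPOL-key in PTK_START state (message 2) from mobile 00:1b:d4:58:e6:1a"
    "*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.269:   type: 12(PMK-Update)  subtype: 0  version: 1  xid: 53  seq: 884  len 461 flags 0"
    "*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.269: 00:1b:d4:58:e6:1a Sending EAPOL-Key Message to mobile 00:1b:d4:58:e6:1a   state PTKINITNEGOTIATING (message 3), replay counter 00.00.00.00.00.00.00.01"
    "*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.280: 00:1b:d4:58:e6:1a Received EAPOL-key in PTKINITNEGOTIATING state (message 4) from mobile 00:1b:d4:58:e6:1a"
    "*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.280: 00:1b:d4:58:e6:1a 10.10.14.54 8021X_REQD (3) Change state to L2AUTHCOMPLETE (4) last state RUN (20)"
    "*mmListen: Mar 17 11:03:18.281: 00:1b:d4:58:e6:1a   type: 5(MobileHandoff)  subtype: 0  version: 1  xid: 54  seq: 97  len 618 flags 0"
)

if __name__ == "__main__":
    for label, blob in (("web-auth", WEBAUTH_SAMPLE), ("roam", ROAM_SAMPLE)):
        recs = split_records(blob)
        print(label, state_path(recs), dhcp_steps(recs), eapol_messages(recs),
              mobility_packets(recs), webauth_users(recs))
```

Feeding the whole pasted output of a `debug client` session to split_records and then comparing state_path against the expected sequence quoted in the post is a quick way to see where a client stalls (for example a path that never leaves WEBAUTH_REQD, or a handshake that stops after message 2).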

Auto-Anchor Mobility

22 Friday MAR 2013

POSTED BY NAYARASI  IN GUEST WIRELESS , MOBILITY ≈ 22 COMMENTS

Tags: Auto-Anchor, Guest Tunneling

In auto-anchor mobility mode, a subset of a mobility group is specified as the anchor controllers for a WLAN. You can use this feature to restrict a WLAN to a single subnet regardless of a client's entry point into the network. Usually this is used to serve guests in a corporate network. In this way all guests (irrespective of the location where they connect to the wireless network) get an IP address from the same subnet, usually via a WLC in a DMZ, and can only reach the internet, while internal network access is restricted.

When a client first associates to a WLC of a mobility group that has been pre-configured as a mobility anchor for a WLAN, the client associates to that controller locally. Clients can be anchored only to pre-configured anchor controllers of the WLAN (for guest service, usually the DMZ WLC). The controller the client associated to announces this to the rest of the controllers in the mobility list. If the announcement is not answered, the controller contacts one of the anchor controllers configured for the WLAN and creates a foreign session for the client on the local switch. Packets from the client are encapsulated in a mobility tunnel using EoIP (IP protocol 97) and sent to the anchor controller. Here is the typical use case for an Auto-Anchor deployment.

Below is my topology for testing this Auto-Anchor scenario. The objective is to assign IP addresses from the same subnet to guest users irrespective of the location where they connect to the network, and also to provide better security by isolating guest traffic from the rest of the network. In this example the guest user connects to wireless at the Branch Office, and that traffic is tunnelled back to the DMZ controller in the Head Office.

In the general settings on the “Mobility Anchor Config” page you can change the keepalive interval and failure count used to determine that an anchor controller is down. Keepalive count [3-20] specifies the number of times a ping request is sent to a mobility list member before the member is considered unreachable. Keepalive interval [1-30] specifies the amount of time (in seconds) between each ping request sent to a mobility list member. You can also change the DSCP value of these packets. Here are the default settings of these parameters.

Using the CLI you can configure the above as follows:

config mobility group keepalive count [3-20]
config mobility group keepalive interval [1-30]

For the WLAN configuration, first you need to create the “guest” WLAN on the branch controller (WLC3). Remember to map the management interface to this WLAN on all controllers other than the DMZ WLC (see below). Only on the DMZ controller do you map it to a dynamic interface.

Since this SSID is for guest services, you need to enable WebAuth on it (depending on your guest access policy). In my example I have used basic web authentication, where the guest user is required to have a username/password to access the network.

** It is very important to remember that the WLAN configuration settings should be identical on all controllers, except that only the DMZ controller has a dynamic interface assigned to the WLAN while all others have the management interface assigned to it. If you do not follow this rule, your auto-anchor will not work. **

Prior to configuring the Mobility Anchor you need to verify that both controllers are configured for their respective mobility groups and that the mobility list is updated with each other controller's details. I have configured mobility group “mrn-ccie” at Branch WLC3 and the “mrn-cciew” group at Head Office WLC1. Then you have to configure the Mobility Anchor for this WLAN. You can go to the Mobility Anchor configuration page as shown below.

Now select the WLC1 IP address as the Mobility Anchor and click the “Mobility Anchor Create” button. Once you do that you can verify that the Mobility Anchor has been created. See the two screen captures below.

In the Mobility Anchor configuration of the anchor controller, anchor the WLAN to itself; do not anchor it back to WLC3.
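The rules from the last few paragraphs (WLAN settings identical on every controller, only the DMZ anchor mapping a dynamic interface while the others map management, foreign controllers anchored to the DMZ WLC and the anchor anchored to itself, plus the keepalive ranges from the Mobility Anchor Config page) are easy to get wrong by hand. As an added example that is not a WLC feature or the post's own code, here is a Python pre-flight check that applies them to a per-controller view of the WLAN. The controller names, the IP addresses (10.10.111.10 reused from the page for WLC1, 10.10.130.10 made up for WLC3), and the dict layout are constructed for the example; a real deployment would fill the dicts from `show wlan` and `show mobility anchor` output.

```python
"""Pre-flight check for an auto-anchor guest WLAN across the controllers of a
mobility list. Added example, not a WLC feature: it applies the rules given
in the post. Controller names, IPs and the dict layout are constructed."""
from typing import Dict, List

PER_CONTROLLER = {"interface", "mobility_anchors"}   # the only keys allowed to differ


def audit_auto_anchor(wlans: Dict[str, dict], anchor: str,
                      controller_ip: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the WLAN is consistent."""
    findings: List[str] = []
    ref = wlans[anchor]
    anchor_ip = controller_ip[anchor]
    # The DMZ anchor is the one place the WLAN sits on a dynamic (guest) interface
    # and it must be anchored to itself, never back to a foreign controller.
    if ref["interface"] == "management":
        findings.append(f"{anchor}: anchor must map the WLAN to a dynamic interface, not management")
    if ref["mobility_anchors"] != [anchor_ip]:
        findings.append(f"{anchor}: anchor must be anchored to itself only ({anchor_ip})")
    for name, cfg in wlans.items():
        if name == anchor:
            continue
        # Everything except the per-controller keys has to match the anchor exactly.
        for key in sorted(set(ref) | set(cfg)):
            if key not in PER_CONTROLLER and ref.get(key) != cfg.get(key):
                findings.append(f"{name}: {key}={cfg.get(key)!r} differs from anchor ({ref.get(key)!r})")
        if cfg["interface"] != "management":
            findings.append(f"{name}: foreign controller must map the WLAN to the management interface")
        if cfg["mobility_anchors"] != [anchor_ip]:
            findings.append(f"{name}: mobility anchor must be {anchor_ip}, found {cfg['mobility_anchors']}")
    return findings


def check_keepalive(count: int, interval: int) -> List[str]:
    """Validate against the ranges the config page accepts: count 3-20, interval 1-30 s."""
    out: List[str] = []
    if not 3 <= count <= 20:
        out.append(f"keepalive count {count} outside 3-20")
    if not 1 <= interval <= 30:
        out.append(f"keepalive interval {interval} outside 1-30")
    return out


# Constructed configs. WLC1 is the DMZ anchor, WLC3 the branch (foreign) controller.
CONTROLLER_IP = {"WLC1": "10.10.111.10", "WLC3": "10.10.130.10"}
GOOD = {
    "WLC1": {"ssid": "guest", "profile": "guest", "l2_security": "None",
             "l3_security": "Web Authentication", "webauth_type": "Internal",
             "interface": "guest-dmz", "mobility_anchors": ["10.10.111.10"]},
    "WLC3": {"ssid": "guest", "profile": "guest", "l2_security": "None",
             "l3_security": "Web Authentication", "webauth_type": "Internal",
             "interface": "management", "mobility_anchors": ["10.10.111.10"]},
}
# Same WLAN with three classic mistakes on the branch controller: web auth
# switched off, a dynamic interface mapped, and the WLAN anchored to itself.
BAD = {name: dict(cfg) for name, cfg in GOOD.items()}
BAD["WLC3"].update(l3_security="None", interface="vlan14",
                   mobility_anchors=["10.10.130.10"])

if __name__ == "__main__":
    for label, cfg in (("good", GOOD), ("bad", BAD)):
        print(label, audit_auto_anchor(cfg, "WLC1", CONTROLLER_IP) or "OK")
    print(check_keepalive(3, 10) or "keepalive OK")
```

Running the check before the first client test catches the silent failure mode the post warns about: a mismatched WLAN profile, or a foreign controller left on a dynamic interface, produces no error in the GUI but the client is never handed off to the anchor.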

Now you can check the guest access service by connecting to your branch wireless network using the “guest” SSID. Here is the monitor client information once you have successfully logged in to the guest WLAN.

If you are interested in the “debug client <mac-address>” output of a successful guest user connection, here it is. As mentioned in an earlier post, the client state changes from START (0) -> AUTHCHECK (2) -> L2AUTHCOMPLETE (4) -> DHCP_REQD (7) -> RUN (20) on the non-anchor controller. On the anchor controller you would see the WEBAUTH_REQD -> WEBAUTH_NOL3SEC (14) -> RUN (20) states, where web authentication takes place.

(WLC1) >debug client 04:f7:e4:ea:5b:66
# output omitted
*emWeb: Mar 22 20:48:02.621: 04:f7:e4:ea:5b:66 Username entry deleted for mobile
*emWeb: Mar 22 20:48:02.622: 04:f7:e4:ea:5b:66 Username entry (user1) created for mobile
*emWeb: Mar 22 20:48:02.629: 04:f7:e4:ea:5b:66 10.10.14.53 WEBAUTH_REQD (8) Change state to WEBAUTH_NOL3SEC (14) last state RUN (20)
*emWeb: Mar 22 20:48:02.633: 04:f7:e4:ea:5b:66 apfMsRunStateInc
*emWeb: Mar 22 20:48:02.633: 04:f7:e4:ea:5b:66 10.10.14.53 WEBAUTH_NOL3SEC (14) Change state to RUN (20) last state RUN (20)

*emWeb: Mar 22 20:48:02.633: 04:f7:e4:ea:5b:66 Session Timeout is 0 - not starting session timer for the mobile
*emWeb: Mar 22 20:48:02.634: 04:f7:e4:ea:5b:66 10.10.14.53 RUN (20) Reached PLUMBFASTPATH: from line 5063
*emWeb: Mar 22 20:48:02.634: 04:f7:e4:ea:5b:66 10.10.14.53 RUN (20) Replacing Fast Path rule  type = Airespace AP Client  on AP 00:00:00:00:00:00, slot 0, interface = 1, QOS = 0  ACL Id = 255, Jumbo Frames = NO
*emWeb: Mar 22 20:48:02.634: 04:f7:e4:ea:5b:66 10.10.14.53 RUN (20) Fast Path rule (contd...) 802.1P = 3, DSCP = 0, TokenID = 5006  IPv6 Vlan = 14, IPv6 intf id = 11
*emWeb: Mar 22 20:48:02.634: 04:f7:e4:ea:5b:66 10.10.14.53 RUN (20) Successfully plumbed mobile rule (ACL ID 255)
*pemReceiveTask: Mar 22 20:48:02.638: 04:f7:e4:ea:5b:66 Set bi-dir guest tunnel for 04:f7:e4:ea:5b:66 as in Export Anchor role
*pemReceiveTask: Mar 22 20:48:02.643: 04:f7:e4:ea:5b:66 10.10.14.53 Added NPU entry of type 1, dtlFlags 0x4

(WLC3) >debug client 04:f7:e4:ea:5b:66

(WLC3) >
*apfMsConnTask_0: Mar 22 20:35:45.706: 04:f7:e4:ea:5b:66 Adding mobile on LWAPP AP a0:cf:5b:9e:e8:20(1)
*apfMsConnTask_0: Mar 22 20:35:45.706: 04:f7:e4:ea:5b:66 Association received from mobile on AP a0:cf:5b:9e:e8:20
*apfMsConnTask_0: Mar 22 20:35:45.707: 04:f7:e4:ea:5b:66 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 0) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1621)
*apfMsConnTask_0: Mar 22 20:35:45.707: 04:f7:e4:ea:5b:66 Applying site-specific IPv6 override for station 04:f7:e4:ea:5b:66 - vapId 4, site 'default-group', interface 'management'
*apfMsConnTask_0: Mar 22 20:35:45.707: 04:f7:e4:ea:5b:66 Applying IPv6 Interface Policy for station 04:f7:e4:ea:5b:66 - vlan 120, interface id 0, interface 'management'
*apfMsConnTask_0: Mar 22 20:35:45.707: 04:f7:e4:ea:5b:66 STA - rates (6): 152 36 176 72 96 108 0 0 0 0 0 0 0 0 0 0
*apfMsConnTask_0: Mar 22 20:35:45.707: 04:f7:e4:ea:5b:66 0.0.0.0 START (0) Initializing policy
*apfMsConnTask_0: Mar 22 20:35:45.707: 04:f7:e4:ea:5b:66 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)
*apfMsConnTask_0: Mar 22 20:35:45.707: 04:f7:e4:ea:5b:66 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state L2AUTHCOMPLETE (4)
*apfMsConnTask_0: Mar 22 20:35:45.707: 04:f7:e4:ea:5b:66 0.0.0.0 L2AUTHCOMPLETE (4) DHCP Not required on AP a0:cf:5b:9e:e8:20 vapId 4 apVapId 4for this client
*apfMsConnTask_0: Mar 22 20:35:45.707: 04:f7:e4:ea:5b:66 Not Using WMM Compliance code qosCap 00
*apfMsConnTask_0: Mar 22 20:35:45.707: 04:f7:e4:ea:5b:66 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP a0:cf:5b:9e:e8:20 vapId 4 apVapId 4
*apfMsConnTask_0: Mar 22 20:35:45.707: 04:f7:e4:ea:5b:66 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
*apfMsConnTask_0: Mar 22 20:35:45.707: 04:f7:e4:ea:5b:66 apfMsAssoStateInc
*apfMsConnTask_0: Mar 22 20:35:45.707: 04:f7:e4:ea:5b:66 apfPemAddUser2 (apf_policy.c:223) Changing state for mobile 04:f7:e4:ea:5b:66 on AP a0:cf:5b:9e:e8:20 from Idle to Associated
*apfMsConnTask_0: Mar 22 20:35:45.707: 04:f7:e4:ea:5b:66 Stopping deletion of Mobile Station: (callerId: 48)
*apfMsConnTask_0: Mar 22 20:35:45.707: 04:f7:e4:ea:5b:66 Sending Assoc Response to station on BSSID a0:cf:5b:9e:e8:20 (status 0) ApVapId 4 Slot 1


*apfMsConnTask_0: Mar 22 20:35:45.708: 04:f7:e4:ea:5b:66 apfProcessAssocReq (apf_80211.c:5241) Changing state for mobile 04:f7:e4:ea:5b:66 on AP a0:cf:5b:9e:e8:20 from Associated to Associated
*DHCP Socket Task: Mar 22 20:35:45.730: 04:f7:e4:ea:5b:66 DHCP received op BOOTREQUEST (1) (len 308,vlan 120, port 1, encap 0xec03)
*DHCP Socket Task: Mar 22 20:35:45.730: 04:f7:e4:ea:5b:66 DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0,  mobility state = 'apfMsMmQueryRequested'
*apfReceiveTask: Mar 22 20:35:47.683: 04:f7:e4:ea:5b:66 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=ExpForeign, client state=APF_MS_STATE_ASSOCIATED
*apfReceiveTask: Mar 22 20:35:47.683: 04:f7:e4:ea:5b:66 apfMsRunStateInc
*apfReceiveTask: Mar 22 20:35:47.683: 04:f7:e4:ea:5b:66 0.0.0.0 DHCP_REQD (7) Change state to RUN (20) last state RUN (20)
*apfReceiveTask: Mar 22 20:35:47.685: 04:f7:e4:ea:5b:66 0.0.0.0 RUN (20) Reached PLUMBFASTPATH: from line 4495
*apfReceiveTask: Mar 22 20:35:47.685: 04:f7:e4:ea:5b:66 0.0.0.0 RUN (20) Adding Fast Path rule  type = Airespace AP Client  on AP a0:cf:5b:9e:e8:20, slot 1, interface = 1, QOS = 0  ACL Id = 255, Jumbo Frames = NO
*apfReceiveTask: Mar 22 20:35:47.685: 04:f7:e4:ea:5b:66 0.0.0.0 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 1506  IPv6 Vlan = 120, IPv6 intf id = 0
*apfReceiveTask: Mar 22 20:35:47.685: 04:f7:e4:ea:5b:66 0.0.0.0 RUN (20) Successfully plumbed mobile rule (ACL ID 255)
*pemReceiveTask: Mar 22 20:35:47.686: 04:f7:e4:ea:5b:66 Set bi-dir guest tunnel for 04:f7:e4:ea:5b:66 as in Export Foreign role
*pemReceiveTask: Mar 22 20:35:47.699: 04:f7:e4:ea:5b:66 0.0.0.0 Added NPU entry of type 1, dtlFlags 0x4
*DHCP Socket Task: Mar 22 20:35:47.764: 04:f7:e4:ea:5b:66 DHCP received op BOOTREQUEST (1) (len 308,vlan 120, port 1, encap 0xec03)
*DHCP Socket Task: Mar 22 20:35:47.764: 04:f7:e4:ea:5b:66 DHCP processing DHCP REQUEST (3)
*DHCP Socket Task: Mar 22 20:35:47.764: 04:f7:e4:ea:5b:66 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: Mar 22 20:35:47.764: 04:f7:e4:ea:5b:66 DHCP   xid: 0x75162e82 (1964387970), secs: 512, flags: 0
*DHCP Socket Task: Mar 22 20:35:47.764: 04:f7:e4:ea:5b:66 DHCP   chaddr: 04:f7:e4:ea:5b:66
*DHCP Socket Task: Mar 22 20:35:47.764: 04:f7:e4:ea:5b:66 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
*DHCP Socket Task: Mar 22 20:35:47.765: 04:f7:e4:ea:5b:66 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
*DHCP Socket Task: Mar 22 20:35:47.765: 04:f7:e4:ea:5b:66 DHCP   requested ip: 149.144.136.4
*DHCP Socket Task: Mar 22 20:35:47.765: 04:f7:e4:ea:5b:66 DHCP successfully bridged packet to EoIP tunnel
*DHCP Socket Task: Mar 22 20:35:49.466: 04:f7:e4:ea:5b:66 DHCP received op BOOTREQUEST (1) (len 308,vlan 120, port 1, encap 0xec03)
*DHCP Socket Task: Mar 22 20:35:49.466: 04:f7:e4:ea:5b:66 DHCP processing DHCP REQUEST (3)
*DHCP Socket Task: Mar 22 20:35:49.466: 04:f7:e4:ea:5b:66 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: Mar 22 20:35:49.466: 04:f7:e4:ea:5b:66 DHCP   xid: 0x75162e82 (1964387970), secs: 1024, flags: 0


*DHCP Socket Task: Mar 22 20:35:49.466: 04:f7:e4:ea:5b:66 DHCP   chaddr: 04:f7:e4:ea:5b:66
*DHCP Socket Task: Mar 22 20:35:49.467: 04:f7:e4:ea:5b:66 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
*DHCP Socket Task: Mar 22 20:35:49.467: 04:f7:e4:ea:5b:66 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
*DHCP Socket Task: Mar 22 20:35:49.467: 04:f7:e4:ea:5b:66 DHCP   requested ip: 149.144.136.4
*DHCP Socket Task: Mar 22 20:35:49.467: 04:f7:e4:ea:5b:66 DHCP successfully bridged packet to EoIP tunnel
*DHCP Socket Task: Mar 22 20:35:49.475: 04:f7:e4:ea:5b:66 DHCP received op BOOTREPLY (2) (len 312,vlan 120, port 1, encap 0xec05)
*DHCP Socket Task: Mar 22 20:35:49.476: 04:f7:e4:ea:5b:66 DHCP processing DHCP NAK (6)
*DHCP Socket Task: Mar 22 20:35:49.476: 04:f7:e4:ea:5b:66 DHCP   op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: Mar 22 20:35:49.476: 04:f7:e4:ea:5b:66 DHCP   xid: 0x75162e82 (1964387970), secs: 0, flags: 80
*DHCP Socket Task: Mar 22 20:35:49.476: 04:f7:e4:ea:5b:66 DHCP   chaddr: 04:f7:e4:ea:5b:66
*DHCP Socket Task: Mar 22 20:35:49.476: 04:f7:e4:ea:5b:66 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
*DHCP Socket Task: Mar 22 20:35:49.476: 04:f7:e4:ea:5b:66 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
*DHCP Socket Task: Mar 22 20:35:49.476: 04:f7:e4:ea:5b:66 DHCP   server id: 1.1.1.1  rcvd server id: 1.1.1.1
*DHCP Socket Task: Mar 22 20:35:49.477: 04:f7:e4:ea:5b:66 DHCP successfully bridged packet to STA
*DHCP Socket Task: Mar 22 20:35:49.628: 04:f7:e4:ea:5b:66 DHCP received op BOOTREQUEST (1) (len 308,vlan 120, port 1, encap 0xec03)
*DHCP Socket Task: Mar 22 20:35:49.629: 04:f7:e4:ea:5b:66 DHCP processing DHCP DISCOVER (1)
*DHCP Socket Task: Mar 22 20:35:49.629: 04:f7:e4:ea:5b:66 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: Mar 22 20:35:49.629: 04:f7:e4:ea:5b:66 DHCP   xid: 0x75162e83 (1964387971), secs: 0, flags: 0
*DHCP Socket Task: Mar 22 20:35:49.629: 04:f7:e4:ea:5b:66 DHCP   chaddr: 04:f7:e4:ea:5b:66
*DHCP Socket Task: Mar 22 20:35:49.629: 04:f7:e4:ea:5b:66 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
*DHCP Socket Task: Mar 22 20:35:49.629: 04:f7:e4:ea:5b:66 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
*DHCP Socket Task: Mar 22 20:35:49.630: 04:f7:e4:ea:5b:66 DHCP successfully bridged packet to EoIP tunnel
*DHCP Socket Task: Mar 22 20:35:49.633: 04:f7:e4:ea:5b:66 DHCP received op BOOTREPLY (2) (len 312,vlan 120, port 1, encap 0xec05)
*DHCP Socket Task: Mar 22 20:35:49.633: 04:f7:e4:ea:5b:66 DHCP processing DHCP OFFER (2)
*DHCP Socket Task: Mar 22 20:35:49.633: 04:f7:e4:ea:5b:66 DHCP   op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: Mar 22 20:35:49.633: 04:f7:e4:ea:5b:66 DHCP   xid: 0x75162e83 (1964387971), secs: 0, flags: 0
*DHCP Socket Task: Mar 22 20:35:49.633: 04:f7:e4:ea:5b:66 DHCP   chaddr: 04:f7:e4:ea:5b:66
*DHCP Socket Task: Mar 22 20:35:49.633: 04:f7:e4:ea:5b:66 DHCP   ciaddr: 0.0.0.0,  yiaddr: 10.10.14.53
*DHCP Socket Task: Mar 22 20:35:49.633: 04:f7:e4:ea:5b:66 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0


*DHCP Socket Task: Mar 22 20:35:49.633: 04:f7:e4:ea:5b:66 DHCP   server id: 1.1.1.1  rcvd server id: 1.1.1.1
*DHCP Socket Task: Mar 22 20:35:49.633: 04:f7:e4:ea:5b:66 DHCP successfully bridged packet to STA
*DHCP Socket Task: Mar 22 20:35:50.863: 04:f7:e4:ea:5b:66 DHCP received op BOOTREQUEST (1) (len 308,vlan 120, port 1, encap 0xec03)
*DHCP Socket Task: Mar 22 20:35:50.863: 04:f7:e4:ea:5b:66 DHCP processing DHCP DISCOVER (1)
*DHCP Socket Task: Mar 22 20:35:50.863: 04:f7:e4:ea:5b:66 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: Mar 22 20:35:50.863: 04:f7:e4:ea:5b:66 DHCP   xid: 0x75162e83 (1964387971), secs: 256, flags: 0
*DHCP Socket Task: Mar 22 20:35:50.863: 04:f7:e4:ea:5b:66 DHCP   chaddr: 04:f7:e4:ea:5b:66
*DHCP Socket Task: Mar 22 20:35:50.863: 04:f7:e4:ea:5b:66 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
*DHCP Socket Task: Mar 22 20:35:50.863: 04:f7:e4:ea:5b:66 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
*DHCP Socket Task: Mar 22 20:35:50.863: 04:f7:e4:ea:5b:66 DHCP successfully bridged packet to EoIP tunnel
*DHCP Socket Task: Mar 22 20:35:50.865: 04:f7:e4:ea:5b:66 DHCP received op BOOTREPLY (2) (len 312,vlan 120, port 1, encap 0xec05)
*DHCP Socket Task: Mar 22 20:35:50.865: 04:f7:e4:ea:5b:66 DHCP processing DHCP OFFER (2)
*DHCP Socket Task: Mar 22 20:35:50.865: 04:f7:e4:ea:5b:66 DHCP   op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: Mar 22 20:35:50.865: 04:f7:e4:ea:5b:66 DHCP   xid: 0x75162e83 (1964387971), secs: 0, flags: 0
*DHCP Socket Task: Mar 22 20:35:50.865: 04:f7:e4:ea:5b:66 DHCP   chaddr: 04:f7:e4:ea:5b:66
*DHCP Socket Task: Mar 22 20:35:50.865: 04:f7:e4:ea:5b:66 DHCP   ciaddr: 0.0.0.0,  yiaddr: 10.10.14.53
*DHCP Socket Task: Mar 22 20:35:50.865: 04:f7:e4:ea:5b:66 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
*DHCP Socket Task: Mar 22 20:35:50.865: 04:f7:e4:ea:5b:66 DHCP   server id: 1.1.1.1  rcvd server id: 1.1.1.1
*DHCP Socket Task: Mar 22 20:35:50.865: 04:f7:e4:ea:5b:66 DHCP successfully bridged packet to STA
*DHCP Socket Task: Mar 22 20:35:52.002: 04:f7:e4:ea:5b:66 DHCP received op BOOTREQUEST (1) (len 308,vlan 120, port 1, encap 0xec03)
*DHCP Socket Task: Mar 22 20:35:52.002: 04:f7:e4:ea:5b:66 DHCP processing DHCP REQUEST (3)
*DHCP Socket Task: Mar 22 20:35:52.002: 04:f7:e4:ea:5b:66 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: Mar 22 20:35:52.002: 04:f7:e4:ea:5b:66 DHCP   xid: 0x75162e83 (1964387971), secs: 512, flags: 0
*DHCP Socket Task: Mar 22 20:35:52.002: 04:f7:e4:ea:5b:66 DHCP   chaddr: 04:f7:e4:ea:5b:66
*DHCP Socket Task: Mar 22 20:35:52.002: 04:f7:e4:ea:5b:66 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
*DHCP Socket Task: Mar 22 20:35:52.002: 04:f7:e4:ea:5b:66 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
*DHCP Socket Task: Mar 22 20:35:52.002: 04:f7:e4:ea:5b:66 DHCP   requested ip: 10.10.14.53
*DHCP Socket Task: Mar 22 20:35:52.002: 04:f7:e4:ea:5b:66 DHCP   server id: 1.1.1.1  rcvd server id: 1.1.1.1


*DHCP Socket Task: Mar 22 20:35:52.002: 04:f7:e4:ea:5b:66 DHCP successfully bridged packet to EoIP tunnel
*DHCP Socket Task: Mar 22 20:35:52.004: 04:f7:e4:ea:5b:66 DHCP received op BOOTREPLY (2) (len 312,vlan 120, port 1, encap 0xec05)
*DHCP Socket Task: Mar 22 20:35:52.004: 04:f7:e4:ea:5b:66 DHCP processing DHCP ACK (5)
*DHCP Socket Task: Mar 22 20:35:52.005: 04:f7:e4:ea:5b:66 DHCP   op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: Mar 22 20:35:52.005: 04:f7:e4:ea:5b:66 DHCP   xid: 0x75162e83 (1964387971), secs: 0, flags: 0
*DHCP Socket Task: Mar 22 20:35:52.005: 04:f7:e4:ea:5b:66 DHCP   chaddr: 04:f7:e4:ea:5b:66
*DHCP Socket Task: Mar 22 20:35:52.005: 04:f7:e4:ea:5b:66 DHCP   ciaddr: 0.0.0.0,  yiaddr: 10.10.14.53
*DHCP Socket Task: Mar 22 20:35:52.005: 04:f7:e4:ea:5b:66 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
*DHCP Socket Task: Mar 22 20:35:52.005: 04:f7:e4:ea:5b:66 DHCP   server id: 1.1.1.1  rcvd server id: 1.1.1.1
*DHCP Socket Task: Mar 22 20:35:52.005: 04:f7:e4:ea:5b:66 10.10.14.53 RUN (20) DHCP Address Re-established
*DHCP Socket Task: Mar 22 20:35:52.005: 04:f7:e4:ea:5b:66 Assigning Address 10.10.14.53 to mobile
*DHCP Socket Task: Mar 22 20:35:52.005: 04:f7:e4:ea:5b:66 DHCP success event for client. Clearing dhcp failure count for interface management.
*DHCP Socket Task: Mar 22 20:35:52.005: 04:f7:e4:ea:5b:66 DHCP successfully bridged packet to STA
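The three things a troubleshooter reads out of the capture above (the policy-manager state path, the mobility handshake completing, and the DHCP exchange including the NAK for the stale address) can be extracted mechanically. The Python below is an added example, not part of the original post and not a Cisco tool; it parses the line format shown above (task, timestamp, client MAC, message), copes with the run-together rendering on this page, and works on a constructed sample condensed from the WLC3 capture.

```python
import re
from dataclasses import dataclass

# Constructed sample in the style of the WLC3 "debug client" capture above:
# same client MAC and values as the page, condensed to the lines that matter,
# and joined without newlines the way the capture is rendered on this page.
LINES = [
    "(WLC3) >*apfMsConnTask_0: Mar 22 20:35:45.706: 04:f7:e4:ea:5b:66 Association received from mobile on AP a0:cf:5b:9e:e8:20",
    "*apfMsConnTask_0: Mar 22 20:35:45.707: 04:f7:e4:ea:5b:66 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)",
    "*apfMsConnTask_0: Mar 22 20:35:45.707: 04:f7:e4:ea:5b:66 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state L2AUTHCOMPLETE (4)",
    "*apfMsConnTask_0: Mar 22 20:35:45.707: 04:f7:e4:ea:5b:66 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)",
    "*DHCP Socket Task: Mar 22 20:35:45.730: 04:f7:e4:ea:5b:66 DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0,  mobility state = 'apfMsMmQueryRequested'",
    "*apfReceiveTask: Mar 22 20:35:47.683: 04:f7:e4:ea:5b:66 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=ExpForeign, client state=APF_MS_STATE_ASSOCIATED",
    "*apfReceiveTask: Mar 22 20:35:47.683: 04:f7:e4:ea:5b:66 0.0.0.0 DHCP_REQD (7) Change state to RUN (20) last state RUN (20)",
    "*DHCP Socket Task: Mar 22 20:35:47.764: 04:f7:e4:ea:5b:66 DHCP processing DHCP REQUEST (3)",
    "*DHCP Socket Task: Mar 22 20:35:49.476: 04:f7:e4:ea:5b:66 DHCP processing DHCP NAK (6)",
    "*DHCP Socket Task: Mar 22 20:35:49.629: 04:f7:e4:ea:5b:66 DHCP processing DHCP DISCOVER (1)",
    "*DHCP Socket Task: Mar 22 20:35:49.633: 04:f7:e4:ea:5b:66 DHCP processing DHCP OFFER (2)",
    "*DHCP Socket Task: Mar 22 20:35:52.002: 04:f7:e4:ea:5b:66 DHCP processing DHCP REQUEST (3)",
    "*DHCP Socket Task: Mar 22 20:35:52.004: 04:f7:e4:ea:5b:66 DHCP processing DHCP ACK (5)",
    "*DHCP Socket Task: Mar 22 20:35:52.005: 04:f7:e4:ea:5b:66 Assigning Address 10.10.14.53 to mobile ",
]
SAMPLE = "".join(LINES)        # run together, as on the page
STUCK = "\n".join(LINES[:5])   # constructed failure: handshake never completes

# One debug record: "*<task>: <Mon DD HH:MM:SS.mmm>: <client mac> <message>"
LINE_RE = re.compile(
    r"^\*(?P<task>[A-Za-z][\w ]*): "
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) ?(?P<msg>.*)$",
    re.S,
)
# Records may be glued together on one line; split wherever a new "*task: Mon D" starts.
SPLIT_RE = re.compile(r"(?=\*[A-Za-z][\w ]*: [A-Z][a-z]{2} +\d)")
STATE_RE = re.compile(r"\b([A-Z0-9_]+) \(\d+\) Change state to ([A-Z0-9_]+) \(\d+\)")
DHCP_RE = re.compile(r"DHCP processing DHCP ([A-Z]+) \(\d+\)")
ROLE_RE = re.compile(r"mobility role=(\w+)")
ADDR_RE = re.compile(r"Assigning Address (\d+(?:\.\d+){3}) to mobile")


@dataclass
class Event:
    task: str
    ts: str
    mac: str
    msg: str


def parse_debug(text):
    """Split a debug client dump (newline-separated or glued) into Event records."""
    events = []
    for chunk in SPLIT_RE.split(text):
        m = LINE_RE.match(chunk.strip())
        if m:                      # prompts such as "(WLC3) >" are skipped
            events.append(Event(**m.groupdict()))
    return events


def state_path(events):
    """Policy-manager states in order, e.g. START -> AUTHCHECK -> ... -> RUN."""
    path = []
    for e in events:
        m = STATE_RE.search(e.msg)
        if not m:
            continue
        src, dst = m.groups()
        if not path:
            path.append(src)
        if dst != path[-1]:        # the WLC also logs X -> X self-transitions; drop them
            path.append(dst)
    return path


def dhcp_flow(events):
    """DHCP message types in the order the controller processed them."""
    return [m.group(1) for e in events for m in [DHCP_RE.search(e.msg)] if m]


def mobility_role(events):
    """Role reported in the Mobility-Complete update (ExpForeign / ExpAnchor), or None."""
    roles = [m.group(1) for e in events for m in [ROLE_RE.search(e.msg)] if m]
    return roles[-1] if roles else None


def assigned_address(events):
    addrs = [m.group(1) for e in events for m in [ADDR_RE.search(e.msg)] if m]
    return addrs[-1] if addrs else None


def diagnose(events):
    """Plain-language findings a troubleshooter would look for in this output."""
    findings = []
    path = state_path(events)
    if not path or path[-1] != "RUN":
        findings.append("client never reached RUN (last state %s)" % (path[-1] if path else "none"))
    if mobility_role(events) is None:
        findings.append("no Mobility-Complete update: the anchor/foreign handshake did not finish, "
                        "and the WLC drops DHCP until it does")
    flow = dhcp_flow(events)
    if "NAK" in flow:
        retried = "DISCOVER" in flow[flow.index("NAK"):]
        findings.append("DHCP NAK seen: the client requested a stale address"
                        + (" and restarted with DISCOVER" if retried else " and did not retry with DISCOVER"))
    if "ACK" not in flow:
        findings.append("no DHCP ACK: the client has not obtained an address")
    return findings


if __name__ == "__main__":
    for label, text in (("complete", SAMPLE), ("stuck", STUCK)):
        ev = parse_debug(text)
        print(label, state_path(ev), mobility_role(ev), dhcp_flow(ev), assigned_address(ev))
        for f in diagnose(ev):
            print("  -", f)
```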

Here are some other blog posts which I think are really useful for understanding this topic.

Auto-Anchor Foreign Mapping

24 Sunday MAR 2013

POSTED BY NAYARASI  IN GUEST WIRELESS , MOBILITY ≈ 9 COMMENTS

Tags: Auto-Anchor, Foreign Mapping

In the Auto-Anchor mobility solution, one objective is to assign guest users to a single IP subnet irrespective of their entry point to the network.


But if you have a large corporate environment with multiple locations and you want to allocate guest users to different IP subnets (for management and reporting purposes) within this Auto-Anchor deployment model, how do you do it?

On the Anchor Controller you can configure a feature called “Foreign Mapping” under the WLAN to facilitate this. This feature was introduced in WLC software release 7.0.116.0.

Here is my topology to test this. We will map two different foreign controllers (WLC2 & WLC3) to different interfaces on the Anchor Controller (WLC1) for guest users.

Before mapping foreign controller MACs to interfaces, you should get a list of all controllers in your mobility list; the “show mobility summary” command gives the required output. Ensure both WLC2 & WLC3 are configured for auto-anchor mobility (please refer to the Auto-Anchor Mobility post) before starting to configure this feature.

(WLC1) >show mobility summary

Symmetric Mobility Tunneling (current) .......... Enabled
Symmetric Mobility Tunneling (after reboot) ..... Enabled


Mobility Protocol Port........................... 16666
Default Mobility Domain.......................... mrn-cciew
Multicast Mode .................................. Enabled
Mobility Domain ID for 802.11r................... 0x4ccd
Mobility Keepalive Interval...................... 10
Mobility Keepalive Count......................... 3
Mobility Group Members Configured................ 3
Mobility Control Message DSCP Value.............. 0

Controllers configured in the Mobility Group
 MAC Address        IP Address       Group Name                        Multicast IP     Status
 00:0b:85:40:a1:c0  10.10.112.10     mrn-cciew                         239.239.239.239  Up
 00:0b:85:43:d8:60  10.10.111.10     mrn-cciew                         239.239.239.239  Up
 00:1b:d5:cf:e6:00  10.10.120.140    mrn-ccie                          0.0.0.0          Up

Now if you click Foreign Mapping on the guest WLAN on WLC1, you would see a page like this.

Now map the WLC2 MAC address to the vlan12 interface and the WLC3 MAC address to the vlan13 interface by selecting the required foreign WLC MAC and interface name and clicking “Add Mapping”. See the screen capture below.


You can do this via the CLI as well. Here are the CLI commands required:

config wlan mobility foreign-map add 4 00:0b:85:40:a1:c0 vlan12
config wlan mobility foreign-map add 4 00:1b:d5:cf:e6:00 vlan13

Now you can verify that guest users at these two locations get IP addresses from the two different subnets. I have two connections to the guest wireless network, one at each location.

(WLC1) >show client summary
Number of Clients................................ 2
MAC Address       AP Name           Status        WLAN/GLAN      Auth Protocol         Port Wired
----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
00:22:fa:94:68:58 10.10.120.140     Associated    4              Yes  Mobile           1    No
04:f7:e4:ea:5b:66 10.10.112.10      Associated    4              Yes  Mobile           1    No

You can check individual client details with the “show client detail <client_mac_address>” command. Here is the output for the above two clients. First, the WLC2 (in Head Office) associated client detail.

(WLC1) >show client detail 00:22:fa:94:68:58
Client MAC Address............................... 00:22:fa:94:68:58
Client Username ................................. user1
AP MAC Address................................... 00:00:00:00:00:00
AP Name.......................................... N/A
Client State..................................... Associated
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 4


BSSID............................................ 00:00:00:00:00:ff
Connected For ................................... 410 secs
Channel.......................................... N/A
IP Address....................................... 10.10.13.12
Association Id................................... 0
Authentication Algorithm......................... Open System
Reason Code...................................... 1
Status Code...................................... 0
Session Timeout.................................. 0
Client CCX version............................... No CCX support
Mirroring........................................ Disabled
QoS Level........................................ Silver
802.1P Priority Tag.............................. 3
WMM Support...................................... Disabled
Supported Rates..................................
Mobility State................................... Export Anchor
Mobility Foreign IP Address...................... 10.10.120.140
Mobility Move Count.............................. 1
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
ACL Name......................................... none
ACL Applied Status............................... Unavailable
NPU Fast Fast Notified........................... Yes
Policy Type...................................... N/A
Encryption Cipher................................ None
Management Frame Protection...................... No
EAP Type......................................... Unknown
Interface........................................ vlan13
VLAN............................................. 13

Here is the WLC3 (in Branch) associated client detail.

(WLC1) >show client detail 04:f7:e4:ea:5b:66

Client MAC Address............................... 04:f7:e4:ea:5b:66
Client Username ................................. user1
AP MAC Address................................... 00:00:00:00:00:00
AP Name.......................................... N/A
Client State..................................... Associated
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 4
BSSID............................................ 00:00:00:00:00:ff
Connected For ................................... 2456 secs
Channel.......................................... N/A
IP Address....................................... 10.10.12.51
Association Id................................... 0
Authentication Algorithm......................... Open System
Reason Code...................................... 1
Status Code...................................... 0
Session Timeout.................................. 0
Client CCX version............................... No CCX support
Mirroring........................................ Disabled
QoS Level........................................ Silver
802.1P Priority Tag.............................. 3
WMM Support...................................... Disabled
Supported Rates..................................


Mobility State................................... Export Anchor
Mobility Foreign IP Address...................... 10.10.112.10
Mobility Move Count.............................. 1
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
ACL Name......................................... none
ACL Applied Status............................... Unavailable
NPU Fast Fast Notified........................... Yes
Policy Type...................................... N/A
Encryption Cipher................................ None
Management Frame Protection...................... No
EAP Type......................................... Unknown
Interface........................................ vlan12
VLAN............................................. 12
Quarantine VLAN.................................. 0
Access VLAN...................................... 12
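The verification above is done by eye: read the client's Mobility Foreign IP Address, find that controller in the mobility group, and confirm the client's Interface is the one the foreign-map entry names. The Python below does that cross-check over the three outputs (show mobility summary, the foreign-map commands, show client detail). It is an added example, not the post's or Cisco's code; its samples are constructed from the values on this page, plus one constructed extra mobility member and an unmapped client so the failure case is exercised.

```python
import re

# Constructed samples modelled on the outputs shown above (same controller MACs,
# IPs, interfaces and client MACs as on the page, trimmed to the relevant lines).
# The last mobility member (00:00:5e:00:53:aa / 10.10.130.10) is constructed and
# deliberately has no foreign-map entry.
MOBILITY_SUMMARY = """\
Controllers configured in the Mobility Group
 MAC Address        IP Address       Group Name    Multicast IP     Status
 00:0b:85:40:a1:c0  10.10.112.10     mrn-cciew     239.239.239.239  Up
 00:0b:85:43:d8:60  10.10.111.10     mrn-cciew     239.239.239.239  Up
 00:1b:d5:cf:e6:00  10.10.120.140    mrn-ccie      0.0.0.0          Up
 00:00:5e:00:53:aa  10.10.130.10     mrn-cciew     0.0.0.0          Up
"""

FOREIGN_MAP = """\
config wlan mobility foreign-map add 4 00:0b:85:40:a1:c0 vlan12
config wlan mobility foreign-map add 4 00:1b:d5:cf:e6:00 vlan13
"""

CLIENT_A = """\
Client MAC Address............................... 00:22:fa:94:68:58
Wireless LAN Id.................................. 4
IP Address....................................... 10.10.13.12
Mobility State................................... Export Anchor
Mobility Foreign IP Address...................... 10.10.120.140
Interface........................................ vlan13
VLAN............................................. 13
"""

CLIENT_B = """\
Client MAC Address............................... 04:f7:e4:ea:5b:66
Wireless LAN Id.................................. 4
IP Address....................................... 10.10.12.51
Mobility State................................... Export Anchor
Mobility Foreign IP Address...................... 10.10.112.10
Interface........................................ vlan12
VLAN............................................. 12
"""

# Constructed failure case: a client arriving from the unmapped controller,
# which therefore lands on the WLAN's default interface.
CLIENT_UNMAPPED = """\
Client MAC Address............................... 00:00:5e:00:53:01
Wireless LAN Id.................................. 4
IP Address....................................... 10.10.11.77
Mobility State................................... Export Anchor
Mobility Foreign IP Address...................... 10.10.130.10
Interface........................................ management
VLAN............................................. 111
"""

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
MEMBER_RE = re.compile(rf"^\s*({MAC})\s+(\S+)\s+\S+\s+\S+\s+(\S+)\s*$", re.M)
FMAP_RE = re.compile(rf"^config wlan mobility foreign-map add (\d+) ({MAC}) (\S+)", re.M)
DETAIL_RE = re.compile(r"^(.*?)\s*\.{2,}\s*(.*?)\s*$", re.M)   # "Key....... value"


def parse_mobility_members(text):
    """MAC -> (IP address, status) for every controller row in show mobility summary."""
    return {mac: (ip, status) for mac, ip, status in MEMBER_RE.findall(text)}


def parse_foreign_map(text):
    """(WLAN id, foreign controller MAC) -> interface on the anchor."""
    return {(wlan, mac): intf for wlan, mac, intf in FMAP_RE.findall(text)}


def parse_client_detail(text):
    """Dotted-leader key/value lines of show client detail into a dict."""
    return dict(DETAIL_RE.findall(text))


def check_foreign_mapping(members, fmap, client):
    """Problems found for one anchored client; an empty list means it matches the mapping."""
    problems = []
    if client.get("Mobility State") != "Export Anchor":
        return ["client is not anchored here (Mobility State %s)" % client.get("Mobility State")]
    foreign_ip = client.get("Mobility Foreign IP Address")
    by_ip = {ip: (mac, status) for mac, (ip, status) in members.items()}
    if foreign_ip not in by_ip:
        return ["foreign controller %s is not in the mobility group" % foreign_ip]
    foreign_mac, status = by_ip[foreign_ip]
    if status != "Up":
        problems.append("foreign controller %s is %s" % (foreign_ip, status))
    wlan = client["Wireless LAN Id"]
    expected = fmap.get((wlan, foreign_mac))
    if expected is None:
        problems.append("no foreign-map entry for %s (%s) on WLAN %s; client is on %s"
                        % (foreign_mac, foreign_ip, wlan, client.get("Interface")))
    elif expected != client.get("Interface"):
        problems.append("client is on %s but foreign-map says %s" % (client.get("Interface"), expected))
    return problems


if __name__ == "__main__":
    members = parse_mobility_members(MOBILITY_SUMMARY)
    fmap = parse_foreign_map(FOREIGN_MAP)
    for raw in (CLIENT_A, CLIENT_B, CLIENT_UNMAPPED):
        c = parse_client_detail(raw)
        print(c["Client MAC Address"], c["IP Address"], c["Interface"],
              check_foreign_mapping(members, fmap, c) or "OK")
```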

If you look at the same client's detail on the foreign controller you would see output like this. Note that the client IP and user information are not available to this WLC, as client traffic is tunnelled back to the anchor controller.

(WLC2) >show client detail 04:f7:e4:ea:5b:66
Client MAC Address............................... 04:f7:e4:ea:5b:66
Client Username ................................. N/A
AP MAC Address................................... 64:a0:e7:af:47:40
AP Name.......................................... LWAP-03
Client State..................................... Associated
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 4
BSSID............................................ 64:a0:e7:af:47:4c
Connected For ................................... 1251 secs
Channel.......................................... 40
IP Address....................................... Unknown
Association Id................................... 1
Authentication Algorithm......................... Open System
Reason Code...................................... 1
Status Code...................................... 0
Session Timeout.................................. 0
Client CCX version............................... No CCX support
Mirroring........................................ Disabled
QoS Level........................................ Silver
802.1P Priority Tag.............................. disabled
WMM Support...................................... Enabled
Power Save....................................... ON
Current Rate..................................... m7
Supported Rates.................................. 24.0,36.0,48.0,54.0
Mobility State................................... Export Foreign
Mobility Anchor IP Address....................... 10.10.111.10
Mobility Move Count.............................. 0
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
ACL Name......................................... none
ACL Applied Status............................... Unavailable
NPU Fast Fast Notified........................... Yes


Policy Type...................................... N/A
Encryption Cipher................................ None
Management Frame Protection...................... No
EAP Type......................................... Unknown
Interface........................................ management
VLAN............................................. 112
Quarantine VLAN.................................. 0
Access VLAN...................................... 112

As you can see, this feature is very useful to have in your guest wireless environment. If needed, you can pool multiple subnets using the interface group (or VLAN select) feature in order to support a large guest user population at a single location. In that case you map the interface group at the anchor controller to the foreign controller.

Wired Guest Access

26 Tuesday MAR 2013

POSTED BY NAYARASI  IN GUEST WIRELESS , MOBILITY ≈ 2 COMMENTS

Tags: wired guest

Just as we configured the guest access service for wireless users, the same feature can be extended to wired guest users through WLC configuration. In this post we will see how to configure this Wired Guest Access service.

Two separate solutions are available for this:

1. A single WLAN controller (VLAN Translation mode) – the access switch trunks the wired guest traffic in the guest VLAN to the WLC that provides the wired guest access solution. This controller carries out the VLAN translation from the ingress wired guest VLAN to the egress VLAN.

2. Two WLAN controllers (Auto Anchor mode) – the access switch trunks the wired guest traffic to a local WLC (the controller nearest to the access switch). This local WLC anchors the client onto a DMZ Anchor WLC that is configured for wired and wireless guest access. After a successful handoff of the client to the DMZ anchor controller, the DHCP IP address assignment, authentication of the client, etc. are handled in the DMZ WLC. After it completes the authentication, the client is allowed to send/receive.

Ideally your Mobility Anchor WLC will be in the DMZ and the foreign WLCs inside your network, so the VLANs defined on your inside network do not span into the DMZ.

To test this (scenario 2), I used the topology below. To simulate VLAN isolation between the Anchor and foreign WLCs, I created an isolated layer 2 VLAN (vlan 18, named WIRED-GUEST) on CAT3 which is not allowed to CAT2 via the trunk link. The layer 3 interface for it is defined on CAT2, but there is no layer 2 connectivity for this VLAN between CAT2 and CAT3. (In a practical deployment you do not require this.)


The CAT3 switch configuration should look like this.

vlan 18
 name WIRED-GUEST
!
interface Port-channel1
 switchport trunk allowed vlan 10-18,112
!
interface FastEthernet0/1
 description WIRED-GUEST
 switchport access vlan 18
 switchport mode access
 switchport nonegotiate
!
interface FastEthernet0/20
 description Cat2
 switchport trunk native vlan 999
 switchport trunk allowed vlan 1-17,19-4094
 switchport mode trunk

On CAT2:


interface Vlan18
 description WIRED-GUEST-SVI
 ip address 10.10.18.1 255.255.255.0
 ip helper-address 192.168.200.1
!
interface GigabitEthernet1/0/1
 description WLC1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10-18,23,111,113
 switchport mode trunk

Now on WLC2, first define a “wired-guest” interface. Ensure you tick the “Guest LAN” option as shown below.


Then you need to create a WLAN to support these wired guest users. The type should be “Guest LAN” in this scenario. You can define 5 different Guest LANs on your controller, so the ID number should be between 1 and 5.

In the WLAN edit page you have to select the “wired-guest” interface you created as the ingress interface and any other interface as the egress (usually keep management as the egress interface). L3 Authentication can be Web-Auth, Pass-through or None. In my example I kept it as WebAuth. Since I have configured my users on ACS, I added it as the AAA server.


Then ensure the Anchor Controller is added to the mobility list.

Then configure the mobility anchor for the “wired-guest” WLAN as shown below.

Now you have to configure the Anchor Controller (WLC1). On WLC1 you have to create the same Guest LAN (wired-guest) and map it to a dynamic interface where clients can obtain IP addresses from a DHCP server. So the first step is to create the dynamic interface on WLC1.


Once you create the interface, you can define a WLAN for it (Guest LAN type) as shown below. This WLAN should have identical settings to the WLAN defined on the foreign WLC (WLC2 in my example), other than the dynamic interface mapped to it.

Map the interface you created as the “egress interface” and keep the ingress interface as none. Ensure the same layer 3 security and other settings are configured as on the WLAN you created on WLC2.


Until you configure the Mobility Anchor for this WLAN you cannot enable it; the controller gives an error stating “ingress interface cannot be none”. Therefore you have to configure the Mobility Anchor before enabling this WLAN. Since this is the anchor WLC, we anchor this WLAN to its own IP.

Then you can enable this WLAN on your anchor controller as shown below.


Now it is ready to test. As in Wireless Guest Access, once you get an IP and try to browse the internet you will be redirected to a portal where you can enter the username and password. Once that succeeds, you can browse the internet.

If you look at the client association on WLC1 you would see something like this. Note that the protocol shown as 802.3 (Mobile) indicates it is a wired anchored client.

Here is the client connectivity detail. Note that the user details and IP information are available on the Export Anchor WLC (WLC1).

Here is the information available on the Export Foreign WLC. Note that no IP information or user detail is available to WLC2.

Here is the “debug client <mac_address>” command output on WLC1 (Export Anchor).

(WLC1) >debug client 00:1f:16:18:df:ec

(WLC1) >
*mmListen: Mar 26 18:25:42.720: 00:1f:16:18:df:ec Adding mobile on Remote AP 00:00:00:00:00:00(0)
*mmListen: Mar 26 18:25:42.720: 00:1f:16:18:df:ec 0.0.0.0 START (0) Changing ACL 'WLC-ACL' (ACL ID 0) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1621)
*mmListen: Mar 26 18:25:42.720: 00:1f:16:18:df:ec 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1621)
*mmListen: Mar 26 18:25:42.720: 00:1f:16:18:df:ec 0.0.0.0 START (0) Initializing policy
*mmListen: Mar 26 18:25:42.720: 00:1f:16:18:df:ec 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)
*mmListen: Mar 26 18:25:42.720: 00:1f:16:18:df:ec 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state L2AUTHCOMPLETE (4)
*mmListen: Mar 26 18:25:42.720: 00:1f:16:18:df:ec 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
*mmListen: Mar 26 18:25:42.720: 00:1f:16:18:df:ec Resetting web acl from 255 to 255
*mmListen: Mar 26 18:25:42.721: 00:1f:16:18:df:ec Stopping deletion of Mobile Station: (callerId: 53)
*mmListen: Mar 26 18:25:42.721: 00:1f:16:18:df:ec 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=ExpAnchor, client state=APF_MS_STATE_ASSOCIATED
*mmListen: Mar 26 18:25:42.721: 00:1f:16:18:df:ec 0.0.0.0 DHCP_REQD (7) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
*mmListen: Mar 26 18:25:42.721: 00:1f:16:18:df:ec 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 4431, Adding TMP rule
*mmListen: Jan 24 07:52:06.721: 00:1f:16:18:df:ec 0.0.0.0 DHCP_REQD (7) Adding Fast Path rule  type = Airespace AP - Learn IP address  on AP 00:00:00:00:00:00, slot 0, interface = 1, QOS = 0  ACL Id = 255, Jumbo Fr
*mmListen: Mar 26 18:25:42.722: 00:1f:16:18:df:ec 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 3, DSCP = 0, TokenID = 5006  IPv6 Vlan = 18, IPv6 intf id = 16
*mmListen: Mar 26 18:25:42.722: 00:1f:16:18:df:ec 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (ACL ID 255)
*pemReceiveTask: Mar 26 18:25:42.723: 00:1f:16:18:df:ec Set bi-dir guest tunnel for 00:1f:16:18:df:ec as in Export Anchor role
*pemReceiveTask: Mar 26 18:25:42.726: 00:1f:16:18:df:ec 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x4
*pemReceiveTask: Mar 26 18:25:42.726: 00:1f:16:18:df:ec Sent an XID frame
*apfReceiveTask: Mar 26 18:25:45.312: 00:1f:16:18:df:ec apfMmProcessCloseResponse (apf_mm.c:485) Expiring Mobile!
*apfReceiveTask: Mar 26 18:25:45.313: 00:1f:16:18:df:ec 0.0.0.0 DHCP_REQD (7) Deleted mobile LWAPP rule on AP [00:00:00:00:00:00]
*apfReceiveTask: Mar 26 18:25:45.313: 00:1f:16:18:df:ec apfMsAssoStateDec
*apfReceiveTask: Mar 26 18:25:45.313: 00:1f:16:18:df:ec Deleting mobile on AP 00:00:00:00:00:00(0)
*pemReceiveTask: Mar 26 18:25:45.315: 00:1f:16:18:df:ec 0.0.0.0 Removed NPU entry.
*mmListen: Mar 26 18:25:47.719: 00:1f:16:18:df:ec Adding mobile on Remote AP 00:00:00:00:00:00(0)
*mmListen: Mar 26 18:25:47.719: 00:1f:16:18:df:ec 0.0.0.0 START (0) Changing ACL 'WLC-ACL' (ACL ID 0) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1621)
*mmListen: Mar 26 18:25:47.719: 00:1f:16:18:df:ec 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1621)
*mmListen: Mar 26 18:25:47.719: 00:1f:16:18:df:ec 0.0.0.0 START (0) Initializing policy
*mmListen: Mar 26 18:25:47.719: 00:1f:16:18:df:ec 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)

*mmListen: Mar 26 18:25:47.719: 00:1f:16:18:df:ec 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state L2AUTHCOMPLETE (4)
*mmListen: Mar 26 18:25:47.719: 00:1f:16:18:df:ec 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
*mmListen: Mar 26 18:25:47.719: 00:1f:16:18:df:ec Resetting web acl from 255 to 255
*mmListen: Mar 26 18:25:47.719: 00:1f:16:18:df:ec Stopping deletion of Mobile Station: (callerId: 53)
*mmListen: Mar 26 18:25:47.719: 00:1f:16:18:df:ec 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=ExpAnchor, client state=APF_MS_STATE_ASSOCIATED
*mmListen: Mar 26 18:25:47.719: 00:1f:16:18:df:ec 0.0.0.0 DHCP_REQD (7) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
*mmListen: Mar 26 18:25:47.719: 00:1f:16:18:df:ec 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 4431, Adding TMP rule
*mmListen: Jan 24 07:52:11.719: 00:1f:16:18:df:ec 0.0.0.0 DHCP_REQD (7) Adding Fast Path rule  type = Airespace AP - Learn IP address  on AP 00:00:00:00:00:00, slot 0, interface = 1, QOS = 0  ACL Id = 255, Jumbo Fr
*mmListen: Mar 26 18:25:47.719: 00:1f:16:18:df:ec 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 3, DSCP = 0, TokenID = 5006  IPv6 Vlan = 18, IPv6 intf id = 16
*mmListen: Mar 26 18:25:47.720: 00:1f:16:18:df:ec 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (ACL ID 255)
*pemReceiveTask: Mar 26 18:25:47.720: 00:1f:16:18:df:ec Set bi-dir guest tunnel for 00:1f:16:18:df:ec as in Export Anchor role
*pemReceiveTask: Mar 26 18:25:47.724: 00:1f:16:18:df:ec 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x4
*pemReceiveTask: Mar 26 18:25:47.724: 00:1f:16:18:df:ec Sent an XID frame
*DHCP Proxy DTL Recv Task: Mar 26 18:25:54.785: 00:1f:16:18:df:ec DHCP received op BOOTREQUEST (1) (len 308,vlan 111, port 1, encap 0xec05)
*DHCP Proxy DTL Recv Task: Mar 26 18:25:54.785: 00:1f:16:18:df:ec DHCP selecting relay 1 - control block settings:  dhcpServer: 0.0.0.0, dhcpNetmask: 0.0.0.0,  dhcpGateway: 0.0.0.0, dhcpRelay: 0.0.0.0  VLAN: 0
*DHCP Proxy DTL Recv Task: Mar 26 18:25:54.785: 00:1f:16:18:df:ec DHCP selected relay 1 - 192.168.200.1 (local address 10.10.18.10, gateway 10.10.18.1, VLAN 18, port 1)
*DHCP Proxy DTL Recv Task: Mar 26 18:25:54.786: 00:1f:16:18:df:ec DHCP transmitting DHCP DISCOVER (1)
*DHCP Proxy DTL Recv Task: Mar 26 18:25:54.786: 00:1f:16:18:df:ec DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 1
*DHCP Proxy DTL Recv Task: Mar 26 18:25:54.786: 00:1f:16:18:df:ec DHCP   xid: 0xde1705dd (3726050781), secs: 3584, flags: 0
*DHCP Proxy DTL Recv Task: Mar 26 18:25:54.786: 00:1f:16:18:df:ec DHCP   chaddr: 00:1f:16:18:df:ec
*DHCP Proxy DTL Recv Task: Mar 26 18:25:54.786: 00:1f:16:18:df:ec DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
*DHCP Proxy DTL Recv Task: Mar 26 18:25:54.786: 00:1f:16:18:df:ec DHCP   siaddr: 0.0.0.0,  giaddr: 10.10.18.10
*DHCP Proxy DTL Recv Task: Mar 26 18:25:54.786: 00:1f:16:18:df:ec DHCP ARPing for 10.10.18.1 (SPA 10.10.18.10, vlanId 18)
*DHCP Proxy DTL Recv Task: Mar 26 18:25:54.786: 00:1f:16:18:df:ec DHCP selecting relay 2 - control block settings:  dhcpServer: 0.0.0.0, dhcpNetmask: 0.0.0.0,  dhcpGateway: 0.0.0.0, dhcpRelay: 10.10.18.10  VLAN: 18
*DHCP Proxy DTL Recv Task: Mar 26 18:25:54.787: 00:1f:16:18:df:ec DHCP selected relay 2 - NONE

*DHCP Proxy DTL Recv Task: Mar 26 18:26:10.791: 00:1f:16:18:df:ec DHCP received op BOOTREQUEST (1) (len 308,vlan 111, port 1, encap 0xec05)
*DHCP Proxy DTL Recv Task: Mar 26 18:26:10.791: 00:1f:16:18:df:ec DHCP selecting relay 1 - control block settings:  dhcpServer: 0.0.0.0, dhcpNetmask: 0.0.0.0,  dhcpGateway: 0.0.0.0, dhcpRelay: 10.10.18.10  VLAN: 18
*DHCP Proxy DTL Recv Task: Mar 26 18:26:10.791: 00:1f:16:18:df:ec DHCP selected relay 1 - 192.168.200.1 (local address 10.10.18.10, gateway 10.10.18.1, VLAN 18, port 1)
*DHCP Proxy DTL Recv Task: Mar 26 18:26:10.792: 00:1f:16:18:df:ec DHCP transmitting DHCP DISCOVER (1)
*DHCP Proxy DTL Recv Task: Mar 26 18:26:10.792: 00:1f:16:18:df:ec DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 1
*DHCP Proxy DTL Recv Task: Mar 26 18:26:10.792: 00:1f:16:18:df:ec DHCP   xid: 0xde1705dd (3726050781), secs: 7680, flags: 0
*DHCP Proxy DTL Recv Task: Mar 26 18:26:10.792: 00:1f:16:18:df:ec DHCP   chaddr: 00:1f:16:18:df:ec
*DHCP Proxy DTL Recv Task: Mar 26 18:26:10.792: 00:1f:16:18:df:ec DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
*DHCP Proxy DTL Recv Task: Mar 26 18:26:10.792: 00:1f:16:18:df:ec DHCP   siaddr: 0.0.0.0,  giaddr: 10.10.18.10
*DHCP Proxy DTL Recv Task: Mar 26 18:26:10.792: 00:1f:16:18:df:ec DHCP sending REQUEST to 10.10.18.1 (len 350, port 1, vlan 18)
*DHCP Proxy DTL Recv Task: Mar 26 18:26:10.792: 00:1f:16:18:df:ec DHCP selecting relay 2 - control block settings:  dhcpServer: 0.0.0.0, dhcpNetmask: 0.0.0.0,  dhcpGateway: 0.0.0.0, dhcpRelay: 10.10.18.10  VLAN: 18
*DHCP Proxy DTL Recv Task: Mar 26 18:26:10.792: 00:1f:16:18:df:ec DHCP selected relay 2 - NONE
*DHCP Proxy DTL Recv Task: Mar 26 18:26:10.794: 00:1f:16:18:df:ec DHCP received op BOOTREPLY (2) (len 308,vlan 18, port 1, encap 0xec00)
*DHCP Proxy DTL Recv Task: Mar 26 18:26:10.794: 00:1f:16:18:df:ec DHCP setting server from OFFER (server 192.168.200.1, yiaddr 10.10.18.100)
*DHCP Proxy DTL Recv Task: Mar 26 18:26:10.795: 00:1f:16:18:df:ec DHCP sending packet in EoIP tunnel to foreign 10.10.112.10 (len 346)
*DHCP Proxy DTL Recv Task: Mar 26 18:26:10.795: 00:1f:16:18:df:ec DHCP transmitting DHCP OFFER (2)
*DHCP Proxy DTL Recv Task: Mar 26 18:26:10.795: 00:1f:16:18:df:ec DHCP   op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
*DHCP Proxy DTL Recv Task: Mar 26 18:26:10.795: 00:1f:16:18:df:ec DHCP   xid: 0xde1705dd (3726050781), secs: 0, flags: 0
*DHCP Proxy DTL Recv Task: Mar 26 18:26:10.795: 00:1f:16:18:df:ec DHCP   chaddr: 00:1f:16:18:df:ec
*DHCP Proxy DTL Recv Task: Mar 26 18:26:10.795: 00:1f:16:18:df:ec DHCP   ciaddr: 0.0.0.0,  yiaddr: 10.10.18.100
*DHCP Proxy DTL Recv Task: Mar 26 18:26:10.795: 00:1f:16:18:df:ec DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
*DHCP Proxy DTL Recv Task: Mar 26 18:26:10.795: 00:1f:16:18:df:ec DHCP   server id: 1.1.1.1  rcvd server id: 192.168.200.1
*DHCP Proxy DTL Recv Task: Mar 26 18:26:10.796: 00:1f:16:18:df:ec DHCP received op BOOTREQUEST (1) (len 318,vlan 111, port 1, encap 0xec05)
*DHCP Proxy DTL Recv Task: Mar 26 18:26:10.796: 00:1f:16:18:df:ec DHCP selecting relay 1 - control block settings:  dhcpServer: 192.168.200.1, dhcpNetmask: 0.0.0.0,  dhcpGateway: 0.0.0.0, dhcpRelay: 10.10.18.10  VLAN: 18
*DHCP Proxy DTL Recv Task: Mar 26 18:26:10.796: 00:1f:16:18:df:ec DHCP selected relay 1 - 192.168.200.1 (local address 10.10.18.10, gateway 10.10.18.1, VLAN 18, port 1)

*DHCP Proxy DTL Recv Task: Mar 26 18:26:10.797: 00:1f:16:18:df:ec DHCP transmitting DHCP REQUEST (3)
*DHCP Proxy DTL Recv Task: Mar 26 18:26:10.797: 00:1f:16:18:df:ec DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 1
*DHCP Proxy DTL Recv Task: Mar 26 18:26:10.797: 00:1f:16:18:df:ec DHCP   xid: 0xde1705dd (3726050781), secs: 7680, flags: 0
*DHCP Proxy DTL Recv Task: Mar 26 18:26:10.797: 00:1f:16:18:df:ec DHCP   chaddr: 00:1f:16:18:df:ec
*DHCP Proxy DTL Recv Task: Mar 26 18:26:10.797: 00:1f:16:18:df:ec DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
*DHCP Proxy DTL Recv Task: Mar 26 18:26:10.797: 00:1f:16:18:df:ec DHCP   siaddr: 0.0.0.0,  giaddr: 10.10.18.10
*DHCP Proxy DTL Recv Task: Mar 26 18:26:10.797: 00:1f:16:18:df:ec DHCP   requested ip: 10.10.18.100
*DHCP Proxy DTL Recv Task: Mar 26 18:26:10.797: 00:1f:16:18:df:ec DHCP   server id: 192.168.200.1  rcvd server id: 1.1.1.1
*DHCP Proxy DTL Recv Task: Mar 26 18:26:10.797: 00:1f:16:18:df:ec DHCP sending REQUEST to 10.10.18.1 (len 358, port 1, vlan 18)
*DHCP Proxy DTL Recv Task: Mar 26 18:26:10.797: 00:1f:16:18:df:ec DHCP selecting relay 2 - control block settings:  dhcpServer: 192.168.200.1, dhcpNetmask: 0.0.0.0,  dhcpGateway: 0.0.0.0, dhcpRelay: 10.10.18.10  VLAN: 18
*DHCP Proxy DTL Recv Task: Mar 26 18:26:10.797: 00:1f:16:18:df:ec DHCP selected relay 2 - NONE
*DHCP Proxy DTL Recv Task: Mar 26 18:26:10.798: 00:1f:16:18:df:ec DHCP received op BOOTREPLY (2) (len 308,vlan 18, port 1, encap 0xec00)
*DHCP Proxy DTL Recv Task: Mar 26 18:26:10.798: 00:1f:16:18:df:ec Static IP client associated to interface wired-guest which can support client subnet.
*DHCP Proxy DTL Recv Task: Mar 26 18:26:10.805: 00:1f:16:18:df:ec Adding Web RuleID 5 for mobile 00:1f:16:18:df:ec
*DHCP Proxy DTL Recv Task: Mar 26 18:26:10.805: 00:1f:16:18:df:ec 10.10.18.100 DHCP_REQD (7) Change state to WEBAUTH_REQD (8) last state WEBAUTH_REQD (8)
*DHCP Proxy DTL Recv Task: Mar 26 18:26:10.805: 00:1f:16:18:df:ec 10.10.18.100 WEBAUTH_REQD (8) pemAdvanceState2 5170, Adding TMP rule
*DHCP Pr: Mar 26 18:26:10.805: 00:1f:16:18:df:ec 10.10.18.100 WEBAUTH_REQD (8) Replacing Fast Path rule  type = Airespace AP Client - ACL passthru  on AP 00:00:00:00:00:00, slot 0, interface = 1, QOS = 0  ACL Id =
*DHCP Proxy DTL Recv Task: Mar 26 18:26:10.805: 00:1f:16:18:df:ec 10.10.18.100 WEBAUTH_REQD (8) Fast Path rule (contd...) 802.1P = 3, DSCP = 0, TokenID = 5006  IPv6 Vlan = 18, IPv6 intf id = 16
*DHCP Proxy DTL Recv Task: Mar 26 18:26:10.805: 00:1f:16:18:df:ec 10.10.18.100 WEBAUTH_REQD (8) Successfully plumbed mobile rule (ACL ID 255)
*DHCP Proxy DTL Recv Task: Mar 26 18:26:10.805: 00:1f:16:18:df:ec Plumbing web-auth redirect rule due to user logout
*DHCP Proxy DTL Recv Task: Mar 26 18:26:10.805: 00:1f:16:18:df:ec Assigning Address 10.10.18.100 to mobile
*DHCP Proxy DTL Recv Task: Mar 26 18:26:10.805: 00:1f:16:18:df:ec DHCP success event for client. Clearing dhcp failure count for interface wired-guest.
*DHCP Proxy DTL Recv Task: Mar 26 18:26:10.806: 00:1f:16:18:df:ec DHCP sending packet in EoIP tunnel to foreign 10.10.112.10 (len 346)
*DHCP Proxy DTL Recv Task: Mar 26 18:26:10.806: 00:1f:16:18:df:ec DHCP transmitting DHCP ACK (5)
*DHCP Proxy DTL Recv Task: Mar 26 18:26:10.806: 00:1f:16:18:df:ec DHCP   op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0

*DHCP Proxy DTL Recv Task: Mar 26 18:26:10.806: 00:1f:16:18:df:ec DHCP   xid: 0xde1705dd (3726050781), secs: 0, flags: 0
*DHCP Proxy DTL Recv Task: Mar 26 18:26:10.806: 00:1f:16:18:df:ec DHCP   chaddr: 00:1f:16:18:df:ec
*DHCP Proxy DTL Recv Task: Mar 26 18:26:10.806: 00:1f:16:18:df:ec DHCP   ciaddr: 0.0.0.0,  yiaddr: 10.10.18.100
*DHCP Proxy DTL Recv Task: Mar 26 18:26:10.806: 00:1f:16:18:df:ec DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
*DHCP Proxy DTL Recv Task: Mar 26 18:26:10.806: 00:1f:16:18:df:ec DHCP   server id: 1.1.1.1  rcvd server id: 192.168.200.1
*pemReceiveTask: Mar 26 18:26:10.806: 00:1f:16:18:df:ec Set bi-dir guest tunnel for 00:1f:16:18:df:ec as in Export Anchor role
*pemReceiveTask: Mar 26 18:26:10.809: 00:1f:16:18:df:ec 10.10.18.100 Added NPU entry of type 2, dtlFlags 0x4
*pemReceiveTask: Mar 26 18:26:10.812: 00:1f:16:18:df:ec Sent an XID frame
*apfReceiveTask: Mar 26 18:26:10.891: 00:1f:16:18:df:ec Orphan Packet from 10.10.18.100
*apfReceiveTask: Mar 26 18:26:10.895: 00:1f:16:18:df:ec Orphan Packet from 10.10.18.100
*apfReceiveTask: Mar 26 18:26:10.895: 00:1f:16:18:df:ec Orphan Packet from 10.10.18.100
*apfReceiveTask: Mar 26 18:26:10.896: 00:1f:16:18:df:ec Orphan Packet from 10.10.18.100
*apfReceiveTask: Mar 26 18:26:10.905: 00:1f:16:18:df:ec Orphan Packet from 10.10.18.100
*DHCP Proxy DTL Recv Task: Mar 26 18:26:14.601: 00:1f:16:18:df:ec DHCP received op BOOTREQUEST (1) (len 308,vlan 111, port 1, encap 0xec05)
*DHCP Proxy DTL Recv Task: Mar 26 18:26:14.601: 00:1f:16:18:df:ec DHCP selecting relay 1 - control block settings:  dhcpServer: 192.168.200.1, dhcpNetmask: 255.255.255.0,  dhcpGateway: 10.10.18.1, dhcpRelay: 10.10.18.10  VLAN: 18
*DHCP Proxy DTL Recv Task: Mar 26 18:26:14.601: 00:1f:16:18:df:ec DHCP selected relay 1 - 192.168.200.1 (local address 10.10.18.10, gateway 10.10.18.1, VLAN 18, port 1)
*DHCP Proxy DTL Recv Task: Mar 26 18:26:14.601: 00:1f:16:18:df:ec DHCP transmitting DHCP INFORM (8)
*DHCP Proxy DTL Recv Task: Mar 26 18:26:14.601: 00:1f:16:18:df:ec DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 1
*DHCP Proxy DTL Recv Task: Mar 26 18:26:14.601: 00:1f:16:18:df:ec DHCP   xid: 0x1f167da1 (521567649), secs: 0, flags: 0
*DHCP Proxy DTL Recv Task: Mar 26 18:26:14.601: 00:1f:16:18:df:ec DHCP   chaddr: 00:1f:16:18:df:ec
*DHCP Proxy DTL Recv Task: Mar 26 18:26:14.601: 00:1f:16:18:df:ec DHCP   ciaddr: 10.10.18.100,  yiaddr: 0.0.0.0
*DHCP Proxy DTL Recv Task: Mar 26 18:26:14.601: 00:1f:16:18:df:ec DHCP   siaddr: 0.0.0.0,  giaddr: 10.10.18.10
*DHCP Proxy DTL Recv Task: Mar 26 18:26:14.601: 00:1f:16:18:df:ec DHCP sending REQUEST to 10.10.18.1 (len 350, port 1, vlan 18)
*DHCP Proxy DTL Recv Task: Mar 26 18:26:14.601: 00:1f:16:18:df:ec DHCP selecting relay 2 - control block settings:  dhcpServer: 192.168.200.1, dhcpNetmask: 255.255.255.0,  dhcpGateway: 10.10.18.1, dhcpRelay: 10.10.18.10  VLAN: 18
*DHCP Proxy DTL Recv Task: Mar 26 18:26:14.602: 00:1f:16:18:df:ec DHCP selected relay 2 - NONE
*DHCP Proxy DTL Recv Task: Mar 26 18:26:14.602: 00:1f:16:18:df:ec DHCP received op BOOTREPLY (2) (len 308,vlan 18, port 1, encap 0xec00)
*DHCP Proxy DTL Recv Task: Mar 26 18:26:14.602: 00:1f:16:18:df:ec DHCP sending packet in EoIP tunnel to foreign 10.10.112.10 (len 346)

*DHCP Proxy DTL Recv Task: Mar 26 18:26:14.602: 00:1f:16:18:df:ec DHCP transmitting DHCP ACK (5)
*DHCP Proxy DTL Recv Task: Mar 26 18:26:14.602: 00:1f:16:18:df:ec DHCP   op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
*DHCP Proxy DTL Recv Task: Mar 26 18:26:14.602: 00:1f:16:18:df:ec DHCP   xid: 0x1f167da1 (521567649), secs: 0, flags: 0
*DHCP Proxy DTL Recv Task: Mar 26 18:26:14.602: 00:1f:16:18:df:ec DHCP   chaddr: 00:1f:16:18:df:ec
*DHCP Proxy DTL Recv Task: Mar 26 18:26:14.602: 00:1f:16:18:df:ec DHCP   ciaddr: 10.10.18.100,  yiaddr: 0.0.0.0
*DHCP Proxy DTL Recv Task: Mar 26 18:26:14.602: 00:1f:16:18:df:ec DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
*DHCP Proxy DTL Recv Task: Mar 26 18:26:14.602: 00:1f:16:18:df:ec DHCP   server id: 192.168.200.1  rcvd server id: 192.168.200.1
*apfReceiveTask: Mar 26 18:26:20.911: 00:1f:16:18:df:ec Orphan Packet from 10.10.18.100
*apfReceiveTask: Mar 26 18:26:20.913: 00:1f:16:18:df:ec Orphan Packet from 10.10.18.100
*apfReceiveTask: Mar 26 18:26:20.913: 00:1f:16:18:df:ec Orphan Packet from 10.10.18.100.
*apfReceiveTask: Mar 26 18:28:01.164: 00:1f:16:18:df:ec Orphan Packet from 10.10.18.100
*apfReceiveTask: Mar 26 18:28:01.164: 00:1f:16:18:df:ec Orphan Packet from 10.10.18.100
*emWeb: Mar 26 18:28:07.630: 00:1f:16:18:df:ec Username entry (user2) created for mobile
*emWeb: Mar 26 18:28:07.639: 00:1f:16:18:df:ec 10.10.18.100 WEBAUTH_REQD (8) Change state to WEBAUTH_NOL3SEC (14) last state WEBAUTH_NOL3SEC (14)
*emWeb: Mar 26 18:28:07.644: 00:1f:16:18:df:ec apfMsRunStateInc
*emWeb: Mar 26 18:28:07.644: 00:1f:16:18:df:ec 10.10.18.100 WEBAUTH_NOL3SEC (14) Change state to RUN (20) last state RUN (20)
*emWeb: Mar 26 18:28:07.644: 00:1f:16:18:df:ec Session Timeout is 0 - not starting session timer for the mobile
*emWeb: Mar 26 18:28:07.644: 00:1f:16:18:df:ec 10.10.18.100 RUN (20) Reached PLUMBFASTPATH: from line 5063
*emWeb: Mar 26 18:28:07.644: 00:1f:16:18:df:ec 10.10.18.100 RUN (20) Replacing Fast Path rule  type = Airespace AP Client  on AP 00:00:00:00:00:00, slot 0, interface = 1, QOS = 0  ACL Id = 255, Jumbo Frames = NO
*emWeb: Mar 26 18:28:07.644: 00:1f:16:18:df:ec 10.10.18.100 RUN (20) Fast Path rule (contd...) 802.1P = 3, DSCP = 0, TokenID = 5006  IPv6 Vlan = 18, IPv6 intf id = 16
*emWeb: Mar 26 18:28:07.645: 00:1f:16:18:df:ec 10.10.18.100 RUN (20) Successfully plumbed mobile rule (ACL ID 255)
*pemReceiveTask: Mar 26 18:28:07.652: 00:1f:16:18:df:ec Set bi-dir guest tunnel for 00:1f:16:18:df:ec as in Export Anchor role
*pemReceiveTask: Mar 26 18:28:07.656: 00:1f:16:18:df:ec 10.10.18.100 Added NPU entry of type 1, dtlFlags 0x4
*pemReceiveTask: Mar 26 18:28:07.659: 00:1f:16:18:df:ec Sending a gratuitous ARP for 10.10.18.100, VLAN Id 28690
*DHCP Proxy DTL Recv Task: Mar 26 18:31:26.453: 00:1f:16:18:df:ec DHCP received op BOOTREQUEST (1) (len 308,vlan 111, port 1, encap 0xec05)
*DHCP Proxy DTL Recv Task: Mar 26 18:31:26.453: 00:1f:16:18:df:ec DHCP selecting relay 1 - control block settings:  dhcpServer: 192.168.200.1, dhcpNetmask: 255.255.255.0,  dhcpGateway: 10.10.18.1, dhcpRelay: 10.10.18.10  VLAN: 18

*DHCP Proxy DTL Recv Task: Mar 26 18:31:26.453: 00:1f:16:18:df:ec DHCP selected relay 1 - 192.168.200.1 (local address 10.10.18.10, gateway 10.10.18.1, VLAN 18, port 1)
*DHCP Proxy DTL Recv Task: Mar 26 18:31:26.453: 00:1f:16:18:df:ec DHCP transmitting DHCP INFORM (8)
*DHCP Proxy DTL Recv Task: Mar 26 18:31:26.454: 00:1f:16:18:df:ec DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 1
*DHCP Proxy DTL Recv Task: Mar 26 18:31:26.454: 00:1f:16:18:df:ec DHCP   xid: 0x3a553a74 (978664052), secs: 0, flags: 0
*DHCP Proxy DTL Recv Task: Mar 26 18:31:26.454: 00:1f:16:18:df:ec DHCP   chaddr: 00:1f:16:18:df:ec
*DHCP Proxy DTL Recv Task: Mar 26 18:31:26.454: 00:1f:16:18:df:ec DHCP   ciaddr: 10.10.18.100,  yiaddr: 0.0.0.0
*DHCP Proxy DTL Recv Task: Mar 26 18:31:26.454: 00:1f:16:18:df:ec DHCP   siaddr: 0.0.0.0,  giaddr: 10.10.18.10
*DHCP Proxy DTL Recv Task: Mar 26 18:31:26.454: 00:1f:16:18:df:ec DHCP sending REQUEST to 10.10.18.1 (len 350, port 1, vlan 18)
*DHCP Proxy DTL Recv Task: Mar 26 18:31:26.454: 00:1f:16:18:df:ec DHCP selecting relay 2 - control block settings:  dhcpServer: 192.168.200.1, dhcpNetmask: 255.255.255.0,  dhcpGateway: 10.10.18.1, dhcpRelay: 10.10.18.10  VLAN: 18
*DHCP Proxy DTL Recv Task: Mar 26 18:31:26.454: 00:1f:16:18:df:ec DHCP selected relay 2 - NONE
*DHCP Proxy DTL Recv Task: Mar 26 18:31:26.455: 00:1f:16:18:df:ec DHCP received op BOOTREPLY (2) (len 308,vlan 18, port 1, encap 0xec00)
*DHCP Proxy DTL Recv Task: Mar 26 18:31:26.455: 00:1f:16:18:df:ec DHCP sending packet in EoIP tunnel to foreign 10.10.112.10 (len 346)
*DHCP Proxy DTL Recv Task: Mar 26 18:31:26.455: 00:1f:16:18:df:ec DHCP transmitting DHCP ACK (5)
*DHCP Proxy DTL Recv Task: Mar 26 18:31:26.455: 00:1f:16:18:df:ec DHCP   op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
*DHCP Proxy DTL Recv Task: Mar 26 18:31:26.455: 00:1f:16:18:df:ec DHCP   xid: 0x3a553a74 (978664052), secs: 0, flags: 0
*DHCP Proxy DTL Recv Task: Mar 26 18:31:26.456: 00:1f:16:18:df:ec DHCP   chaddr: 00:1f:16:18:df:ec
*DHCP Proxy DTL Recv Task: Mar 26 18:31:26.456: 00:1f:16:18:df:ec DHCP   ciaddr: 10.10.18.100,  yiaddr: 0.0.0.0
*DHCP Proxy DTL Recv Task: Mar 26 18:31:26.456: 00:1f:16:18:df:ec DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
*DHCP Proxy DTL Recv Task: Mar 26 18:31:26.456: 00:1f:16:18:df:ec DHCP   server id: 192.168.200.1  rcvd server id: 192.168.200.1

Here is the “debug client <mac_address>” command output on WLC2 (Export Foreign).

(WLC2) >debug client 00:1f:16:18:df:ec

(WLC2) >
*apfReceiveTask: Mar 26 07:28:28.417: 00:1f:16:18:df:ec 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 0) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1621)
*apfReceiveTask: Mar 26 07:28:28.417: 00:1f:16:18:df:ec Adding mobile on Wired Guest 00:00:00:00:00:00(0)
*apfReceiveTask: Mar 26 07:28:28.417: 00:1f:16:18:df:ec apfMsAssoStateInc
*apfReceiveTask: Mar 26 07:28:28.418: 00:1f:16:18:df:ec apfHandleWiredGuestMobileStation (apf_wired_guest.c:131) Changing state for mobile 00:1f:16:18:df:ec on AP 00:00:00:00:00:00 from Idle to Associated

*apfReceiveTask: Mar 26 07:28:28.418: 00:1f:16:18:df:ec 0.0.0.0 START (0) Initializing policy
*apfReceiveTask: Mar 26 07:28:28.418: 00:1f:16:18:df:ec 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)
*apfReceiveTask: Mar 26 07:28:28.418: 00:1f:16:18:df:ec 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state L2AUTHCOMPLETE (4)
*apfReceiveTask: Mar 26 07:28:28.418: 00:1f:16:18:df:ec 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
*apfReceiveTask: Mar 26 07:28:28.418: 00:1f:16:18:df:ec apfPemAddUser2 (apf_policy.c:223) Changing state for mobile 00:1f:16:18:df:ec on AP 00:00:00:00:00:00 from Associated to Associated
*apfReceiveTask: Mar 26 07:28:28.418: 00:1f:16:18:df:ec Stopping deletion of Mobile Station: (callerId: 48)
*apfReceiveTask: Mar 26 07:28:28.418: 00:1f:16:18:df:ec  Wired Guest packet from 0.0.0.0 on mobile
*apfReceiveTask: Mar 26 07:28:28.419: 00:1f:16:18:df:ec Orphan Packet from 0.0.0.0
*apfReceiveTask: Mar 26 07:28:30.362: 00:1f:16:18:df:ec 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=ExpForeign, client state=APF_MS_STATE_ASSOCIATED
*apfReceiveTask: Mar 26 07:28:30.362: 00:1f:16:18:df:ec Stopping deletion of Mobile Station: (callerId: 75)
*apfReceiveTask: Mar 26 07:28:30.362: 00:1f:16:18:df:ec apfMsRunStateInc
*apfReceiveTask: Mar 26 07:28:30.362: 00:1f:16:18:df:ec 0.0.0.0 DHCP_REQD (7) Change state to RUN (20) last state RUN (20)
*apfReceiveTask: Mar 26 07:28:30.363: 00:1f:16:18:df:ec 0.0.0.0 RUN (20) Reached PLUMBFASTPATH: from line 4495
*apfReceiveTask: Mar 26 07:28:30.363: 00:1f:16:18:df:ec 0.0.0.0 RUN (20) Adding Fast Path rule  type = Airespace AP Client  on AP 00:00:00:00:00:00, slot 0, interface = 29, QOS = 0  ACL Id = 255, Jumbo Frames = NO
*apfReceiveTask: Mar 26 07:28:30.364: 00:1f:16:18:df:ec 0.0.0.0 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 5006  IPv6 Vlan = 112, IPv6 intf id = 0
*apfReceiveTask: Mar 26 07:28:30.364: 00:1f:16:18:df:ec 0.0.0.0 RUN (20) Successfully plumbed mobile rule (ACL ID 255)
*pemReceiveTask: Mar 26 07:28:30.365: 00:1f:16:18:df:ec Set bi-dir guest tunnel for 00:1f:16:18:df:ec as in Export Foreign role
*pemReceiveTask: Mar 26 07:28:30.371: 00:1f:16:18:df:ec 0.0.0.0 Added NPU entry of type 1, dtlFlags 0x4
*apfReceiveTask: Mar 26 07:28:32.952: 00:1f:16:18:df:ec 0.0.0.0 RUN (20) Deleted mobile LWAPP rule on AP [00:00:00:00:00:00]
*apfReceiveTask: Mar 26 07:28:32.952: 00:1f:16:18:df:ec apfMsRunStateDec
*apfReceiveTask: Mar 26 07:28:32.952: 00:1f:16:18:df:ec apfMsAssoStateDec
*apfReceiveTask: Mar 26 07:28:32.952: 00:1f:16:18:df:ec Deleting mobile on AP 00:00:00:00:00:00(0)
*pemReceiveTask: Mar 26 07:28:32.969: 00:1f:16:18:df:ec 0.0.0.0 Removed NPU entry.
*apfReceiveTask: Mar 26 07:28:33.423: 00:1f:16:18:df:ec 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 0) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1621)
*apfReceiveTask: Mar 26 07:28:33.424: 00:1f:16:18:df:ec Adding mobile on Wired Guest 00:00:00:00:00:00(0)
*apfReceiveTask: Mar 26 07:28:33.424: 00:1f:16:18:df:ec apfMsAssoStateInc
*apfReceiveTask: Mar 26 07:28:33.424: 00:1f:16:18:df:ec apfHandleWiredGuestMobileStation (apf_wired_guest.c:131) Changing state for mobile 00:1f:16:18:df:ec on AP 00:00:00:00:00:00 from Idle to Associated
*apfReceiveTask: Mar 26 07:28:33.424: 00:1f:16:18:df:ec 0.0.0.0 START (0) Initializing policy

*apfReceiveTask: Mar 26 07:28:33.424: 00:1f:16:18:df:ec 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)
*apfReceiveTask: Mar 26 07:28:33.424: 00:1f:16:18:df:ec 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state L2AUTHCOMPLETE (4)
*apfReceiveTask: Mar 26 07:28:33.424: 00:1f:16:18:df:ec 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
*apfReceiveTask: Mar 26 07:28:33.424: 00:1f:16:18:df:ec apfPemAddUser2 (apf_policy.c:223) Changing state for mobile 00:1f:16:18:df:ec on AP 00:00:00:00:00:00 from Associated to Associated
*apfReceiveTask: Mar 26 07:28:33.424: 00:1f:16:18:df:ec Stopping deletion of Mobile Station: (callerId: 48)
*apfReceiveTask: Mar 26 07:28:33.424: 00:1f:16:18:df:ec  Wired Guest packet from 0.0.0.0 on mobile
*apfReceiveTask: Mar 26 07:28:33.424: 00:1f:16:18:df:ec Orphan Packet from 0.0.0.0
*apfReceiveTask: Mar 26 07:28:35.360: 00:1f:16:18:df:ec 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=ExpForeign, client state=APF_MS_STATE_ASSOCIATED
*apfReceiveTask: Mar 26 07:28:35.360: 00:1f:16:18:df:ec Stopping deletion of Mobile Station: (callerId: 75)
*apfReceiveTask: Mar 26 07:28:35.360: 00:1f:16:18:df:ec apfMsRunStateInc
*apfReceiveTask: Mar 26 07:28:35.360: 00:1f:16:18:df:ec 0.0.0.0 DHCP_REQD (7) Change state to RUN (20) last state RUN (20)
*apfReceiveTask: Mar 26 07:28:35.361: 00:1f:16:18:df:ec 0.0.0.0 RUN (20) Reached PLUMBFASTPATH: from line 4495
*apfReceiveTask: Mar 26 07:28:35.361: 00:1f:16:18:df:ec 0.0.0.0 RUN (20) Adding Fast Path rule  type = Airespace AP Client  on AP 00:00:00:00:00:00, slot 0, interface = 29, QOS = 0  ACL Id = 255, Jumbo Frames = NO
*apfReceiveTask: Mar 26 07:28:35.361: 00:1f:16:18:df:ec 0.0.0.0 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 5006  IPv6 Vlan = 112, IPv6 intf id = 0
*apfReceiveTask: Mar 26 07:28:35.361: 00:1f:16:18:df:ec 0.0.0.0 RUN (20) Successfully plumbed mobile rule (ACL ID 255)
*pemReceiveTask: Mar 26 07:28:35.362: 00:1f:16:18:df:ec Set bi-dir guest tunnel for 00:1f:16:18:df:ec as in Export Foreign role
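Both debug outputs above were pasted as one run-together block per page, which makes the state machine hard to follow by eye. Here is a small parser, added as an example and not code from the original post, that splits such a paste back into entries and reduces it to what you actually check on a wired guest client: the policy-manager state sequence (START -> AUTHCHECK -> L2AUTHCOMPLETE -> DHCP_REQD -> WEBAUTH_REQD -> WEBAUTH_NOL3SEC -> RUN on the anchor; DHCP_REQD -> RUN with 0.0.0.0 on the foreign), the mobility role, which DHCP messages the proxy transmitted and which foreign WLC it reached over the EoIP tunnel, the assigned address and the web-auth username. The embedded samples are abridged excerpts of the WLC1 and WLC2 output above; the regular expressions assume the entry shape seen there and nothing more.

```python
"""Summarise Cisco WLC "debug client <mac>" output.

Added example, not code from the original post. It assumes only the entry shape
visible above: "*<task>: <Mon DD HH:MM:SS.mmm>: <mac> <message>", with the paste
running entries together, so the first step is to split on the "*" that opens each.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One entry, after the leading "*" has been consumed by the split.
ENTRY_RE = re.compile(
    r"(?P<task>[^:]+): (?P<ts>[A-Z][a-z]{2} \d{1,2} \d\d:\d\d:\d\d\.\d{3}): "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<msg>.*)", re.S)
STATE_RE = re.compile(r"Change state to (\w+) \(\d+\) last state")
DHCP_RE = re.compile(r"DHCP transmitting DHCP (\w+) \(\d\)")
ORPHAN_RE = re.compile(r"Orphan Packet from")
# Single-valued facts: (pattern, ClientSummary attribute it fills)
SCALARS = [
    (re.compile(r"mobility role=(\w+)"), "role"),
    (re.compile(r"Assigning Address (\S+) to mobile"), "ip"),
    (re.compile(r"EoIP tunnel to foreign (\S+) "), "foreign"),
    (re.compile(r"Username entry \((\S+)\) created"), "username"),
]


@dataclass
class ClientSummary:
    mac: str
    states: List[str] = field(default_factory=list)  # policy-manager states, in order
    dhcp: List[str] = field(default_factory=list)    # DHCP messages the proxy transmitted
    role: Optional[str] = None       # ExpAnchor / ExpForeign
    ip: Optional[str] = None         # address the anchor assigned
    foreign: Optional[str] = None    # foreign WLC reached through the EoIP tunnel
    username: Optional[str] = None   # web-auth login, if one happened
    orphans: int = 0                 # packets seen before the client was fully plumbed


def parse_entries(text: str) -> List[dict]:
    """Split a pasted blob into entries; prompt fragments such as "(WLC1) >" are dropped."""
    entries = []
    for chunk in text.split("*"):
        m = ENTRY_RE.match(chunk.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def summarize(text: str) -> ClientSummary:
    entries = parse_entries(text)
    if not entries:
        raise ValueError("no debug client entries found")
    s = ClientSummary(mac=entries[0]["mac"])
    for e in entries:
        msg = e["msg"]
        m = STATE_RE.search(msg)
        if m and (not s.states or s.states[-1] != m.group(1)):
            s.states.append(m.group(1))   # collapse "DHCP_REQD -> DHCP_REQD" repeats
        m = DHCP_RE.search(msg)
        if m:
            s.dhcp.append(m.group(1))
        for rx, attr in SCALARS:
            m = rx.search(msg)
            if m:
                setattr(s, attr, m.group(1))
        if ORPHAN_RE.search(msg):
            s.orphans += 1
    return s


def findings(s: ClientSummary) -> List[str]:
    """Conditions worth a second look; an empty list means the client reached RUN cleanly."""
    out = []
    if s.role == "ExpAnchor" and s.ip is None:
        out.append("anchor learned no client IP (DHCP did not complete)")
    if "WEBAUTH_REQD" in s.states and s.username is None:
        out.append("client stopped at web-auth redirect (no portal login seen)")
    if "RUN" not in s.states:
        out.append("client never reached RUN")
    return out


# Abridged excerpts of the WLC1 (anchor) and WLC2 (foreign) output shown above,
# kept in the run-together form in which they were pasted.
SAMPLE_WLC1 = (
    "(WLC1) >*mmListen: Mar 26 18:25:47.719: 00:1f:16:18:df:ec 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)"
    "*mmListen: Mar 26 18:25:47.719: 00:1f:16:18:df:ec 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)"
    "*mmListen: Mar 26 18:25:47.719: 00:1f:16:18:df:ec 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=ExpAnchor, client state=APF_MS_STATE_ASSOCIATED"
    "*DHCP Proxy DTL Recv Task: Mar 26 18:26:10.792: 00:1f:16:18:df:ec DHCP transmitting DHCP DISCOVER (1)"
    "*DHCP Proxy DTL Recv Task: Mar 26 18:26:10.795: 00:1f:16:18:df:ec DHCP sending packet in EoIP tunnel to foreign 10.10.112.10 (len 346)"
    "*DHCP Proxy DTL Recv Task: Mar 26 18:26:10.795: 00:1f:16:18:df:ec DHCP transmitting DHCP OFFER (2)"
    "*DHCP Proxy DTL Recv Task: Mar 26 18:26:10.805: 00:1f:16:18:df:ec 10.10.18.100 DHCP_REQD (7) Change state to WEBAUTH_REQD (8) last state WEBAUTH_REQD (8)"
    "*DHCP Proxy DTL Recv Task: Mar 26 18:26:10.805: 00:1f:16:18:df:ec Assigning Address 10.10.18.100 to mobile "
    "*DHCP Proxy DTL Recv Task: Mar 26 18:26:10.806: 00:1f:16:18:df:ec DHCP transmitting DHCP ACK (5)"
    "*emWeb: Mar 26 18:28:07.630: 00:1f:16:18:df:ec Username entry (user2) created for mobile "
    "*emWeb: Mar 26 18:28:07.639: 00:1f:16:18:df:ec 10.10.18.100 WEBAUTH_REQD (8) Change state to WEBAUTH_NOL3SEC (14) last state WEBAUTH_NOL3SEC (14)"
    "*emWeb: Mar 26 18:28:07.644: 00:1f:16:18:df:ec 10.10.18.100 WEBAUTH_NOL3SEC (14) Change state to RUN (20) last state RUN (20)"
)
SAMPLE_WLC2 = (
    "(WLC2) >*apfReceiveTask: Mar 26 07:28:28.418: 00:1f:16:18:df:ec 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)"
    "*apfReceiveTask: Mar 26 07:28:28.418: 00:1f:16:18:df:ec 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)"
    "*apfReceiveTask: Mar 26 07:28:28.419: 00:1f:16:18:df:ec Orphan Packet from 0.0.0.0"
    "*apfReceiveTask: Mar 26 07:28:30.362: 00:1f:16:18:df:ec 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=ExpForeign, client state=APF_MS_STATE_ASSOCIATED"
    "*apfReceiveTask: Mar 26 07:28:30.362: 00:1f:16:18:df:ec 0.0.0.0 DHCP_REQD (7) Change state to RUN (20) last state RUN (20)"
)
```

summarize(SAMPLE_WLC1) gives the anchor's view (role ExpAnchor, address 10.10.18.100 assigned, OFFER and ACK relayed to the foreign at 10.10.112.10, login user2), while summarize(SAMPLE_WLC2) gives the foreign's view, where the client reaches RUN with no address at all because layer 3 lives on the anchor. findings() flags the two situations that matter operationally: an anchor that never learned an IP (DHCP not completing through the tunnel), and a client parked at WEBAUTH_REQD with no username entry, which is what you see while the redirect rule is in place and the guest has not yet logged in. Feed it the raw text of your own paste.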

Important Points for Wired Guest Deployment

1. Currently, five Guest LANs for wired guest access are supported. In total, 16 WLANs for wireless users and 5 WLANs for wired guest access can be configured on the Anchor WLC. No separate tunnels exist for WLANs. All the guest WLANs, which include the WLANs for wired guest access, use the same EoIP tunnels to the Anchor WLC.
2. Administrators need to create dynamic interfaces in the WLAN controller, mark them as “Guest LAN,” and associate them to WLANs created as Guest LANs.
3. Make sure that WLAN configurations, including authentication, are identical on both the Anchor and Remote controllers to pass the client traffic.
4. WLCs should have compatible software versions. Ensure that they run the same major version.
5. Web-authentication is the default security mechanism available on a wired guest LAN. The current options available are these: Open, Web Auth, and Web Passthrough.
6. In case of failure of the EoIP tunnel between the remote and anchor WLC, the client database is cleaned up from the Anchor WLC. The client needs to re-associate and re-authenticate.
7. No layer 2 security is supported.
8. Multicast/Broadcast traffic on the wired guest LANs is dropped.
9. DHCP Proxy settings must be identical on both the Anchor and Remote controllers.

Static IP Clients Mobility

25 Monday MAR 2013
Posted by Nayarasi in Mobility
Tags: Static IP client, Mobility

At times you may want to configure static IP addresses for wireless clients. When these clients move around the network, they may associate with other controllers. If a client associates with a controller that has no interface in the subnet of its static IP address, the client fails to connect to the network. Starting with WLC 7.0.116.0 you can enable dynamic tunneling of clients with static IP addresses, so that such a client's traffic is tunneled back to a controller that does support its subnet.

Here is my topology for testing this. The static IP client roams towards LWAP2, which is joined to WLC3; WLC3 does not have a dynamic interface on the same subnet as the client's static address. Under normal circumstances this roam would fail.

You can configure the "Static IP Tunneling" feature under the Advanced settings of the WLAN, as shown below.

You can configure the same from the CLI with the command "config wlan static-ip-tunneling {enable|disable} <wlan_id>". The show wlan command can be used to verify whether this feature is enabled or disabled.

(WLC3) >show wlan 5
WLAN Identifier.................................. 5
Profile Name..................................... data1
Network Name (SSID).............................. data1
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control
  Radius-NAC State............................... Disabled
  SNMP-NAC State................................. Disabled
  Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Number of Active Clients......................... 1
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 1800 seconds
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ data1
Multicast Interface.............................. Not Configured
WLAN ACL......................................... unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Enabled

Once the static IP client associates to LWAP2, you can check the client association details on both controllers. Here are the details as shown on WLC3. A few key points to note: WLC3's mobility state is "Export Foreign", whereas in a normal layer 3 roam WLC3's state would be "Foreign".

(WLC3) >show client summary

Number of Clients................................ 1
MAC Address       AP Name           Status        WLAN           Auth Protocol         Port Wired
----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
00:22:fa:94:68:58 LWAP-02           Associated    5              Yes  802.11a          1    N/A

(WLC3) >show client detail 00:22:fa:94:68:58
Client MAC Address............................... 00:22:fa:94:68:58
Client Username ................................. user1
AP MAC Address................................... a0:cf:5b:9e:e8:20
AP Name.......................................... LWAP-02
Client State..................................... Associated
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 5
BSSID............................................ a0:cf:5b:9e:e8:2b
Connected For ................................... 168 secs
Channel.......................................... 149
IP Address....................................... 10.10.14.60
Association Id................................... 1
Authentication Algorithm......................... Open System
Reason Code...................................... 1
Status Code...................................... 0
Client CCX version............................... 4
Client E2E version............................... 1
Re-Authentication Timeout........................ 1631
QoS Level........................................ Platinum
802.1P Priority Tag.............................. disabled
WMM Support...................................... Enabled
Power Save....................................... ON
Current Rate..................................... 54.0
Supported Rates.................................. 12.0,18.0,24.0,36.0,48.0,
    ............................................. 54.0
Mobility State................................... Export Foreign
Mobility Anchor IP Address....................... 10.10.112.10
Mobility Move Count.............................. 0
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
ACL Name......................................... none
ACL Applied Status............................... Unavailable
Policy Type...................................... WPA2
Authentication Key Management.................... 802.1x
Encryption Cipher................................ CCMP (AES)
Management Frame Protection...................... No
EAP Type......................................... EAP-FAST
Interface........................................ data1
VLAN............................................. 22
Quarantine VLAN.................................. 0
Access VLAN...................................... 22

Here are the details as shown on WLC2. Here too the mobility state differs from a normal layer 3 roam: WLC2 shows "Export Anchor", whereas in a normal layer 3 roam its mobility state would be "Anchor".

(WLC2) >show client summary

Number of Clients................................ 1
MAC Address       AP Name           Status        WLAN/GLAN      Auth Protocol         Port Wired
----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
00:22:fa:94:68:58 10.10.120.140     Associated    5              Yes  Mobile           29   No

(WLC2) >show client detail 00:22:fa:94:68:58
Client MAC Address............................... 00:22:fa:94:68:58
Client Username ................................. N/A
AP MAC Address................................... 00:00:00:00:00:00
AP Name.......................................... N/A
Client State..................................... Associated
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 5
BSSID............................................ 00:00:00:00:00:ff
Connected For ................................... 207 secs
Channel.......................................... N/A
IP Address....................................... 10.10.14.60
Association Id................................... 0
Authentication Algorithm......................... Open System
Reason Code...................................... 1
Status Code...................................... 0
Client CCX version............................... No CCX support
Mirroring........................................ Disabled
QoS Level........................................ Platinum
802.1P Priority Tag.............................. 6
WMM Support...................................... Disabled
Supported Rates..................................
Mobility State................................... Export Anchor
Mobility Foreign IP Address...................... 10.10.120.140
Mobility Move Count.............................. 1
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
ACL Name......................................... none
ACL Applied Status............................... Unavailable
NPU Fast Fast Notified........................... Yes
Policy Type...................................... N/A
Encryption Cipher................................ None
Management Frame Protection...................... No
EAP Type......................................... 0
Interface........................................ data1
VLAN............................................. 14
Quarantine VLAN.................................. 0
Access VLAN...................................... 14

Here is the exact process of static IP client roaming:

1. When the client moves to AP2, its IP address is learned by WLC3 either through orphan packet handling or through ARP request processing.
2. Since the client's IP subnet is not supported on WLC3, WLC3 sends a static IP mobile announcement to the rest of the controllers in its mobility list.
3. Since WLC2 supports this client subnet, it responds to WLC3's announcement.
4. As a result WLC3 becomes the "Export Foreign" controller, whereas WLC2 becomes the "Export Anchor" controller.
5. Once WLC2 sends its acknowledgment, client traffic is tunneled to WLC2.

A few restrictions apply when configuring static IP tunneling together with other features on the same WLAN.

1. Auto-Anchor Mobility (Guest Tunneling) cannot be configured for the same WLAN.
2. H-REAP local authentication cannot be configured for the same WLAN.
3. The DHCP Required option cannot be configured for the same WLAN.

If you enable "debug mobility handoff" you can see these WLC state changes during client association. Here is the debug output of WLC3 (Export Foreign).

(WLC3) >debug mobility handoff enable

(WLC3) >
*Dot1x_NW_MsgTask_0: Mar 25 06:34:53.993: 00:22:fa:94:68:58 Zeroize AAA Overrides from local for station
*Dot1x_NW_MsgTask_0: Mar 25 06:34:53.993: Sending 802.11i PMK (Version_1) information to mobility group
*Dot1x_NW_MsgTask_0: Mar 25 06:34:53.993: 00:22:fa:94:68:58 0 PMK-update groupcast messages sent
*Dot1x_NW_MsgTask_0: Mar 25 06:34:53.993: Sending 802.11i PMK (Version_2) information to mobility group
*Dot1x_NW_MsgTask_0: Mar 25 06:34:53.993: 00:22:fa:94:68:58 0 PMK-update groupcast messages sent
*Dot1x_NW_MsgTask_0: Mar 25 06:34:53.998: 00:22:fa:94:68:58 Mobility query, PEM State: L2AUTHCOMPLETE
*Dot1x_NW_MsgTask_0: Mar 25 06:34:53.999: 00:22:fa:94:68:58 Anchor Export:     Client IP: 10.10.14.60, Anchor IP: 10.10.112.10
*Dot1x_NW_MsgTask_0: Mar 25 06:34:53.999: 00:22:fa:94:68:58 Mobility packet sent to:
*Dot1x_NW_MsgTask_0: Mar 25 06:34:53.999: 00:22:fa:94:68:58   10.10.112.10, port 16666
*Dot1x_NW_MsgTask_0: Mar 25 06:34:53.999: 00:22:fa:94:68:58   type: 16(MobileAnchorExport)  subtype: 0  version: 1  xid: 16  seq: 139  len 250 flags 0
*Dot1x_NW_MsgTask_0: Mar 25 06:34:53.999: 00:22:fa:94:68:58   group id: d8475d5f c64367e3 4d21c8d6 ef580f61
*Dot1x_NW_MsgTask_0: Mar 25 06:34:53.999: 00:22:fa:94:68:58   mobile MAC: 00:22:fa:94:68:58, IP: 10.10.14.60, instance: 0
*Dot1x_NW_MsgTask_0: Mar 25 06:34:54.000: 00:22:fa:94:68:58   VLAN IP: 10.10.22.130, netmask: 255.255.255.128
*Dot1x_NW_MsgTask_0: Mar 25 06:34:54.000: 00:22:fa:94:68:58 10.10.14.60 DHCP_REQD (7) Warning!: export foreign state set on client of non-export anchor wlan   anchor switch: 10.10.112.10
*Dot1x_NW_MsgTask_0: Mar 25 06:34:54.001: 00:22:fa:94:68:58 10.10.14.60 DHCP_REQD (7) Plumbing duplex mobility tunnel to 10.10.112.10    as Export Foreign (VLAN 22)
*mmListen: Mar 25 06:34:54.001: 00:22:fa:94:68:58 Mobility packet received from:
*mmListen: Mar 25 06:34:54.001: 00:22:fa:94:68:58   10.10.112.10, port 16666
*mmListen: Mar 25 06:34:54.001: 00:22:fa:94:68:58   type: 17(MobileAnchorExportAck)  subtype: 0  version: 1  xid: 16  seq: 265  len 275 flags 0
*mmListen: Mar 25 06:34:54.002: 00:22:fa:94:68:58   group id: fe2f34f3 9b7a7cea 68f48181 316db999
*mmListen: Mar 25 06:34:54.002: 00:22:fa:94:68:58   mobile MAC: 00:22:fa:94:68:58, IP: 10.10.14.60, instance: 1
*mmListen: Mar 25 06:34:54.002: 00:22:fa:94:68:58   VLAN IP: 10.10.14.10, netmask: 255.255.255.0
*mmListen: Mar 25 06:34:54.002: Switch IP: 10.10.112.10
*mmListen: Mar 25 06:34:54.002: 00:22:fa:94:68:58 Received Anchor Export Ack for client from Switch IP: 10.10.112.10
*mmListen: Mar 25 06:34:54.002: 00:22:fa:94:68:58 Anchor Mac: 00:0b:85:40:a1:c0, Old Foreign Mac: 00:1b:d5:cf:e6:00 New Foreign Mac: 00:1b:d5:cf:e6:00
*apfReceiveTask: Mar 25 06:34:54.003: 00:22:fa:94:68:58 10.10.14.60 DHCP_REQD (7) mobility role update request from Export Foreign to Export Foreign  Peer = 10.10.112.10, Old Anchor = 10.10.112.10, New Anchor = 10.10.112.10
*apfReceiveTask: Mar 25 06:34:54.005: 00:22:fa:94:68:58 10.10.14.60 RUN (20) Warning!: export foreign state set on client of non-export anchor wlan   anchor switch: 10.10.112.10
*apfReceiveTask: Mar 25 06:34:54.005: 00:22:fa:94:68:58 10.10.14.60 RUN (20) Plumbing duplex mobility tunnel to 10.10.112.10    as Export Foreign (VLAN 22)
*apfReceiveTask: Mar 25 06:34:54.005: 00:22:fa:94:68:58 Mobility Response: IP 10.10.14.60 code Anchor Grant (4), reason Anchor exported (4), PEM State RUN, Role Export Foreign(5)

Here is the debug output of WLC2 (Export Anchor).

(WLC2) >debug mobility handoff enable       

(WLC2) >
*mmListen: Mar 24 19:37:39.966: 00:22:fa:94:68:58 Mobility packet received from:
*mmListen: Mar 24 19:37:39.966: 00:22:fa:94:68:58   10.10.120.140, port 16666
*mmListen: Mar 24 19:37:39.966: 00:22:fa:94:68:58   type: 16(MobileAnchorExport)  subtype: 0  version: 1  xid: 16  seq: 139  len 250 flags 0
*mmListen: Mar 24 19:37:39.966: 00:22:fa:94:68:58   group id: d8475d5f c64367e3 4d21c8d6 ef580f61
*mmListen: Mar 24 19:37:39.966: 00:22:fa:94:68:58   mobile MAC: 00:22:fa:94:68:58, IP: 10.10.14.60, instance: 0
*mmListen: Mar 24 19:37:39.966: 00:22:fa:94:68:58   VLAN IP: 10.10.22.130, netmask: 255.255.255.128
*mmListen: Mar 24 19:37:39.966: Switch IP: 10.10.120.140
*mmListen: Mar 24 19:37:39.966: 00:22:fa:94:68:58 Received Anchor Export request: from Switch IP: 10.10.120.140
*mmListen: Mar 24 19:37:39.966: 00:22:fa:94:68:58 Anchor request for static IP client tunneling.
*mmListen: Mar 24 19:37:39.966: 00:22:fa:94:68:58 mmAnchorExportRcv:, Mobility role is ExpAnchor.
*mmListen: Mar 24 19:37:39.966: 00:22:fa:94:68:58 Received Anchor Export policy update, valid mask 0x0:  Qos Level: 2, DSCP: 0, dot1p: 0  Interface Name: , ACL Name:
*mmListen: Mar 24 19:37:39.966: Anchor Mac : 00.0b.85.40.a1.c0
*mmListen: Mar 24 19:37:39.966: 00:22:fa:94:68:58 Mobility packet sent to:
*mmListen: Mar 24 19:37:39.966: 00:22:fa:94:68:58   10.10.120.140, port 16666
*mmListen: Mar 24 19:37:39.966: 00:22:fa:94:68:58   type: 17(MobileAnchorExportAck)  subtype: 0  version: 1  xid: 16  seq: 265  len 275 flags 0
*mmListen: Mar 24 19:37:39.966: 00:22:fa:94:68:58   group id: fe2f34f3 9b7a7cea 68f48181 316db999
*mmListen: Mar 24 19:37:39.966: 00:22:fa:94:68:58   mobile MAC: 00:22:fa:94:68:58, IP: 10.10.14.60, instance: 1
*mmListen: Mar 24 19:37:39.966: 00:22:fa:94:68:58   VLAN IP: 10.10.14.10, netmask: 255.255.255.0
*mmListen: Mar 24 19:37:39.966: 00:22:fa:94:68:58 10.10.14.60 RUN (20) Warning!: export anchor state set on client of non-export anchor wlan   foreign switch: 10.10.120.140
*mmListen: Mar 24 19:37:39.966: 00:22:fa:94:68:58 10.10.14.60 RUN (20) Plumbing duplex mobility tunnel to 10.10.120.140    as Export Anchor (VLAN 14)
*spamReceiveTask: Mar 24 19:37:48.685: Mobility packet sent to:
*spamReceiveTask: Mar 24 19:37:48.685:   10.10.111.10, port 16666
*spamReceiveTask: Mar 24 19:37:48.685:   type: 19(ApListUpdate)  subtype: 0  version: 1  xid: 261  seq: 266  len 52 flags 0
*spamReceiveTask: Mar 24 19:37:48.685:   group id: fe2f34f3 9b7a7cea 68f48181 316db999
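As an added example (not code from the page, from Nayarasi or from Cisco), here is a small parser that turns captures like the two above, and the wired guest "debug client" capture earlier on this page, into a per-client timeline: the PEM state path (START, AUTHCHECK, L2AUTHCOMPLETE, DHCP_REQD, RUN), the mobility messages each controller logged as sent and received, and the client's final mobility role. It also joins the foreign and anchor captures by transaction id, because the two controllers' clocks differ by hours in these captures and the xid (16 here) is the only reliable key for confirming that the MobileAnchorExport was actually answered. The code assumes only the line shape visible in the captures; the regexes, function names and the trimmed samples (copied from the page's own output) are this example's own.

```python
"""Timeline parser for AireOS WLC 'debug client' / 'debug mobility handoff' output.
Assumed line shape (taken from the captures on this page, nothing else):
    *<task>: <Mon DD HH:MM:SS.mmm>: [<client MAC>] <message>
Regexes, function names and samples are this example's own, not Cisco's."""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^\*(?P<task>\w+):\s+(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}):\s+"
    r"(?:(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+)?(?P<msg>.*)$")
# "START (0) Change state to AUTHCHECK (2) ..."  -> PEM state transition
STATE_RE = re.compile(r"(?P<frm>[A-Z0-9_]+) \(\d+\) Change state to (?P<to>[A-Z0-9_]+) \(\d+\)")
# "type: 16(MobileAnchorExport)  subtype: 0  version: 1  xid: 16 ..." -> message + xid
MSG_RE = re.compile(r"type: \d+\((?P<name>[A-Za-z]+)\).*?xid: (?P<xid>\d+)")
# "Mobility Response: ... Role Export Foreign(5)" -> final mobility role
ROLE_RE = re.compile(r"Role (?P<role>[A-Za-z ]+?)\s*\(\d+\)")


def parse_debug(text):
    """{mac: [(ts, kind, detail)]} with kind in {'state', 'sent', 'received', 'role'}."""
    events, pending = defaultdict(list), {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or not m.group("mac"):
            continue                          # no client MAC: not a per-client event
        mac, ts, msg = m.group("mac"), m.group("ts"), m.group("msg")
        if (s := STATE_RE.search(msg)):
            events[mac].append((ts, "state", (s.group("frm"), s.group("to"))))
        elif msg.startswith("Mobility packet sent to:"):
            pending[mac] = "sent"             # direction applies to the next 'type:' line
        elif msg.startswith("Mobility packet received from:"):
            pending[mac] = "received"
        elif (t := MSG_RE.search(msg)) and mac in pending:
            events[mac].append((ts, pending.pop(mac), (t.group("name"), int(t.group("xid")))))
        elif msg.startswith("Mobility Response:") and (r := ROLE_RE.search(msg)):
            events[mac].append((ts, "role", r.group("role")))
    return dict(events)


def pem_path(events):
    """PEM states in order: the first transition's source, then every destination."""
    trans = [d for _, k, d in events if k == "state"]
    return [trans[0][0]] + [to for _, to in trans] if trans else []


def mobility_exchange(events):
    """[(direction, message, xid)] for one client's mobility control messages."""
    return [(k, d[0], d[1]) for _, k, d in events if k in ("sent", "received")]


def final_role(events):
    roles = [d for _, k, d in events if k == "role"]
    return roles[-1] if roles else None


def cross_check(*event_lists):
    """Join 'sent' and 'received' records from any number of controllers by (message, xid).
    Returns (delivered, unacknowledged): a message counts as delivered only when some
    capture shows it received, so a capture from one side alone reports it as open."""
    sent = {(n, x) for ev in event_lists for k, n, x in mobility_exchange(ev) if k == "sent"}
    recv = {(n, x) for ev in event_lists for k, n, x in mobility_exchange(ev) if k == "received"}
    return sorted(sent & recv), sorted(sent - recv)


# Sample input: lines copied and trimmed from the captures on this page.
GUEST_DEBUG = """\
*apfReceiveTask: Mar 26 07:28:33.424: 00:1f:16:18:df:ec 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)
*apfReceiveTask: Mar 26 07:28:33.424: 00:1f:16:18:df:ec 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state L2AUTHCOMPLETE (4)
*apfReceiveTask: Mar 26 07:28:33.424: 00:1f:16:18:df:ec 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
*apfReceiveTask: Mar 26 07:28:35.360: 00:1f:16:18:df:ec 0.0.0.0 DHCP_REQD (7) Change state to RUN (20) last state RUN (20)
"""
WLC3_DEBUG = """\
*Dot1x_NW_MsgTask_0: Mar 25 06:34:53.999: 00:22:fa:94:68:58 Mobility packet sent to:
*Dot1x_NW_MsgTask_0: Mar 25 06:34:53.999: 00:22:fa:94:68:58   10.10.112.10, port 16666
*Dot1x_NW_MsgTask_0: Mar 25 06:34:53.999: 00:22:fa:94:68:58   type: 16(MobileAnchorExport)  subtype: 0  version: 1  xid: 16  seq: 139  len 250 flags 0
*mmListen: Mar 25 06:34:54.001: 00:22:fa:94:68:58 Mobility packet received from:
*mmListen: Mar 25 06:34:54.001: 00:22:fa:94:68:58   10.10.112.10, port 16666
*mmListen: Mar 25 06:34:54.001: 00:22:fa:94:68:58   type: 17(MobileAnchorExportAck)  subtype: 0  version: 1  xid: 16  seq: 265  len 275 flags 0
*mmListen: Mar 25 06:34:54.002: Switch IP: 10.10.112.10
*apfReceiveTask: Mar 25 06:34:54.005: 00:22:fa:94:68:58 Mobility Response: IP 10.10.14.60 code Anchor Grant (4), reason Anchor exported (4), PEM State RUN, Role Export Foreign(5)
"""
WLC2_DEBUG = """\
*mmListen: Mar 24 19:37:39.966: 00:22:fa:94:68:58 Mobility packet received from:
*mmListen: Mar 24 19:37:39.966: 00:22:fa:94:68:58   10.10.120.140, port 16666
*mmListen: Mar 24 19:37:39.966: 00:22:fa:94:68:58   type: 16(MobileAnchorExport)  subtype: 0  version: 1  xid: 16  seq: 139  len 250 flags 0
*mmListen: Mar 24 19:37:39.966: 00:22:fa:94:68:58 Mobility packet sent to:
*mmListen: Mar 24 19:37:39.966: 00:22:fa:94:68:58   10.10.120.140, port 16666
*mmListen: Mar 24 19:37:39.966: 00:22:fa:94:68:58   type: 17(MobileAnchorExportAck)  subtype: 0  version: 1  xid: 16  seq: 265  len 275 flags 0
*spamReceiveTask: Mar 24 19:37:48.685:   type: 19(ApListUpdate)  subtype: 0  version: 1  xid: 261  seq: 266  len 52 flags 0
"""

if __name__ == "__main__":
    foreign = parse_debug(WLC3_DEBUG)["00:22:fa:94:68:58"]
    anchor = parse_debug(WLC2_DEBUG)["00:22:fa:94:68:58"]
    print("PEM path:", pem_path(parse_debug(GUEST_DEBUG)["00:1f:16:18:df:ec"]))
    print("WLC3:", mobility_exchange(foreign), final_role(foreign))
    print("delivered / open:", cross_check(foreign, anchor))
```

Feed it the full text of the two "debug mobility handoff" captures (one file per controller) and the "open" list in the cross_check result is the set of mobility messages one side sent that the other never logged, which is exactly the symptom of a UDP 16666 path blocked in one direction.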

Refer to the WLC 7.0.116.0 configuration guide (pages 14-30) for more details.

Mobility Ping Tests

24 Sunday MAR 2013
Posted by Nayarasi in Mobility, Wireless Troubleshooting
Tags: eping, mping

Controllers in a mobility list communicate with each other by exchanging control information over UDP port 16666 (source and destination port are both 16666) and by carrying client data traffic through an EoIP tunnel (IP protocol 97). Because neither UDP nor EoIP is a reliable transport, there is no guarantee that a mobility control packet or data packet will be delivered to a mobility peer.

You can test the mobility communication environment by performing mobility ping tests. Two ping tests are available.

1. Mobility ping over UDP: this test runs over mobility UDP port 16666. It tests whether mobility control packets can reach the peer over the management interface.
2. Mobility ping over EoIP: this test runs over EoIP (IP protocol 97). It tests whether mobility data traffic can reach the peer over the management interface.

These ping tests are not ICMP based; the term "ping" is used only to indicate an echo request and echo reply message.

Here is how these tests are run from the WLC CLI. First, list the controllers in your mobility list.

(WLC1) >show mobility summary

Symmetric Mobility Tunneling (current) .......... Enabled
Symmetric Mobility Tunneling (after reboot) ..... Enabled
Mobility Protocol Port........................... 16666
Default Mobility Domain.......................... mrn-cciew
Multicast Mode .................................. Enabled
Mobility Domain ID for 802.11r................... 0x4ccd
Mobility Keepalive Interval...................... 10
Mobility Keepalive Count......................... 3
Mobility Group Members Configured................ 3
Mobility Control Message DSCP Value.............. 0

Controllers configured in the Mobility Group
 MAC Address        IP Address       Group Name                        Multicast IP     Status
 00:0b:85:40:a1:c0  10.10.112.10     mrn-cciew                         239.239.239.239  Control and Data Path Down
 00:0b:85:43:d8:60  10.10.111.10     mrn-cciew                         239.239.239.239  Up
 00:1b:d5:cf:e6:00  10.10.120.140    mrn-ccie                          0.0.0.0          Up

"mping <mobility_peer_IP>" and "eping <mobility_peer_IP>" are the CLI commands to run.

(WLC1) >mping 10.10.120.140

Send count=3, Receive count=3 from 10.10.120.140

(WLC1) >eping 10.10.120.140

Send count=3, Receive count=3 from 10.10.120.140

Auto-Anchor Mobility Fundamentals

Having a fully redundant guest network architecture can be beneficial for service availability. Depending on business and operational requirements, many organizations use the guest architecture for purposes where traffic needs to be tunneled to a single point in the network, not necessarily just "guest" traffic in the traditional sense.

In a Cisco Unified wireless network deployment, this is accomplished with Auto-Anchor Mobility Tunneling by establishing Mobility peer relationships between internal production controllers and isolated controllers (typically in a bastion host or DMZ segment firewalled from the internal network). When using the auto-anchor mobility feature, these controllers do not need to have the same mobility group name because no layer 2 fast roaming or session state synchronization needs to occur between the controllers (layer 3 roaming is still performed to allow the IP address to be maintained by the client).

Typically, the DMZ anchor controllers are simply termination points within the isolated network segment and do not directly control any lightweight access points. This allows the DMZ anchor controllers to be smaller scale controllers, sized for bandwidth and throughput rather than AP licensing. Typically 4402-25 or 5508-25 controllers are used. Also, layer 2 roaming between APs on the controllers does not come into play.

Also, note that each production internal controller should have a mobility peer relationship with every DMZ anchor controller to which it will send traffic. However, each DMZ anchor controller only needs mobility peers with each production internal controller, not with the other DMZ anchor controllers.

Mobility communication between controllers occurs using their management interfaces, and uses the following protocols:

UDP 16,666 is used for Mobility control traffic between peers (Control Path)
IP Protocol 97 is used for Ethernet-in-IP traffic tunneling of client traffic (Data Path)

To set up the mobility peer relationship, navigate to the Controller > Mobility Management > Mobility Groups section. Add a new mobility group member by specifying the peer's management interface MAC address, IP address, and its mobility group name (the peer's, not the local one).

The status will initially show both the Control and Data paths down. Once communication is established, the status will show as "Up". Mobility peer connection establishment and keep-alive is performed at a periodic interval which defaults to every 10 seconds.

Note - The control and data paths may individually be shown as down if communication can be established using one protocol but not another. Check network ACLs or firewalls for traffic restrictions if this is the case.

To verify connectivity and peer keep-alive timers at any time, the following CLI commands may be useful:

mping peer-ip-address - used to test the Control Path between mobility peers
eping peer-ip-address - used to test the Data Path between mobility peers
show mobility summary - used to view mobility configuration and timers
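As an added example (not from the page, from its authors or from Cisco), the following script turns "show mobility summary" output such as the one shown earlier into the concrete next step for each peer: which path is down, which protocol an ACL or firewall between the management interfaces must permit, and which ping command to run against that peer. The partial status strings "Control Path Down" and "Data Path Down" are an assumption; the page only shows "Up" and "Control and Data Path Down", so any other wording is treated as both paths down. The sample output is copied and trimmed from the page's own show mobility summary.

```python
"""Next-step diagnosis from AireOS 'show mobility summary' output.
Assumptions (not from the page): the partial status strings 'Control Path Down' and
'Data Path Down'; anything not recognised is treated as both paths down."""
import re

ROW_RE = re.compile(
    r"^\s*(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<group>\S+)\s+(?P<mcast>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<status>.+?)\s*$")
DOMAIN_RE = re.compile(r"^Default Mobility Domain\.+\s*(?P<name>\S+)\s*$", re.M)

# path -> (what must be open between the management interfaces, the WLC probe command)
PATHS = {"control": ("UDP 16666 in both directions, src and dst port 16666", "mping"),
         "data": ("IP protocol 97 (EoIP) in both directions", "eping")}


def parse_mobility_summary(text):
    """(local default mobility group, [peer dicts with mac/ip/group/mcast/status])."""
    d = DOMAIN_RE.search(text)
    peers = [m.groupdict() for m in map(ROW_RE.match, text.splitlines()) if m]
    return (d.group("name") if d else None), peers


def paths_down(status):
    """Which of the two mobility paths a Status column value says is down."""
    s = status.strip().lower()
    if s == "up":
        return []
    down = [p for p in ("control", "data") if p in s]
    return down or ["control", "data"]       # unknown wording: probe both paths


def diagnose(text):
    """One finding per broken path per peer, plus a note for mobility-group name mismatches."""
    local_group, peers = parse_mobility_summary(text)
    findings = []
    for p in peers:
        for path in paths_down(p["status"]):
            what, cmd = PATHS[path]
            findings.append({"peer": p["ip"], "issue": f"{path} path down",
                             "check": f"ACL/firewall must permit {what}",
                             "next": f"{cmd} {p['ip']}"})
        if local_group and p["group"] != local_group:
            # Legitimate for an auto-anchor peer; it only rules out L2 fast roaming
            # and session state synchronization with that peer.
            findings.append({"peer": p["ip"], "issue": "different mobility group",
                             "check": f"peer is in '{p['group']}', local group is '{local_group}': "
                                      "fine for an auto-anchor peer, but no layer 2 fast roaming "
                                      "or session state synchronization with it",
                             "next": None})
    return findings


# Sample input: copied and trimmed from the page's 'show mobility summary' output.
SAMPLE_SUMMARY = """\
Symmetric Mobility Tunneling (current) .......... Enabled
Mobility Protocol Port........................... 16666
Default Mobility Domain.......................... mrn-cciew
Mobility Keepalive Interval...................... 10
Mobility Keepalive Count......................... 3
Mobility Group Members Configured................ 3

Controllers configured in the Mobility Group
 MAC Address        IP Address       Group Name                        Multicast IP     Status
 00:0b:85:40:a1:c0  10.10.112.10     mrn-cciew                         239.239.239.239  Control and Data Path Down
 00:0b:85:43:d8:60  10.10.111.10     mrn-cciew                         239.239.239.239  Up
 00:1b:d5:cf:e6:00  10.10.120.140    mrn-ccie                          0.0.0.0          Up
"""

if __name__ == "__main__":
    for f in diagnose(SAMPLE_SUMMARY):
        print(f["peer"], "|", f["issue"], "|", f["check"], "|", f["next"] or "")
```

Run it on the pasted output of each controller in turn; a peer that is down only in one direction shows up as a finding on one controller and not the other, which is itself the pointer to a one-way ACL.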

Next, anchor the guest WLAN to multiple anchor controllers in the DMZ for round-robin client load balancing and redundancy. All mobility anchor controllers are used (active/active operation). This is accomplished from WLANs > WLAN Name Blue Arrow Drop-Down Button > Mobility Anchors.

On the production internal controller - specify one or more DMZ anchor controllers as the mobility anchors for the WLAN.

On the DMZ anchor controllers - specify its own IP address (local) as the mobility anchor for the WLAN since it will be the termination point for the client traffic.

It is also important that the WLAN configuration on the production internal and DMZ anchor controllers be identical, with only one exception:

Interface - the production internal controllers should have the "management" interface assigned to the WLAN to allow the client traffic to be tunneled to the DMZ anchor controllers. The DMZ anchor controllers should have a dynamic interface assigned to the WLAN to forward client traffic out to the network (this is where clients will obtain IP addresses).
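Both the wired guest points earlier on this page (items 3 and 9: authentication and DHCP proxy settings identical on the Anchor and Remote controllers) and the auto-anchor rule just stated (everything identical except Interface) are easy to violate silently, and the failure mode is a client that anchors but never passes traffic. As an added example that is not the page's or Cisco's code, here is a comparison of two "show wlan <id>" outputs: it parses the dotted "Key...... Value" layout the page's own "show wlan 5" output uses and reports every difference other than the one permitted Interface difference. The two trimmed sample outputs are constructed for this example.

```python
"""Compare 'show wlan <id>' output from an anchor and a foreign/remote controller.
The dotted key/value layout is the one shown in this page's 'show wlan 5' output;
the permitted-difference set and the sample outputs are this example's own."""
import re

KV_RE = re.compile(r"^(?P<indent>\s*)(?P<key>[^.\s][^.]*?)\s*\.{2,}\s*(?P<val>.*?)\s*$")


def parse_show_wlan(text):
    """Flatten the dotted output into a dict. Indented rows are prefixed with the
    un-dotted section header above them, e.g. 'Network Admission Control/Radius-NAC State'."""
    cfg, section = {}, None
    for line in text.splitlines():
        m = KV_RE.match(line)
        if not m:
            if line.strip() and not line[0].isspace():
                section = line.strip()            # header row without dots
            continue
        key = m.group("key").strip()
        if m.group("indent") and section:
            key = f"{section}/{key}"
        else:
            section = None
        cfg[key] = m.group("val")
    return cfg


def compare_wlan(anchor_text, remote_text,
                 allowed=frozenset({"Interface"}),                  # management vs dynamic interface
                 ignore=frozenset({"Number of Active Clients"})):   # runtime counter, not config
    """{'allowed': {...}, 'unexpected': {...}}, each mapping key -> (anchor value, remote value)."""
    a, r = parse_show_wlan(anchor_text), parse_show_wlan(remote_text)
    out = {"allowed": {}, "unexpected": {}}
    for key in sorted((set(a) | set(r)) - ignore):
        if a.get(key) != r.get(key):
            out["allowed" if key in allowed else "unexpected"][key] = (a.get(key), r.get(key))
    return out


def wlan_consistent(anchor_text, remote_text):
    return not compare_wlan(anchor_text, remote_text)["unexpected"]


# Constructed sample outputs (trimmed to the rows that matter for the comparison).
ANCHOR_WLAN = """\
WLAN Identifier.................................. 5
Profile Name..................................... guest
Network Name (SSID).............................. guest
Status........................................... Enabled
MAC Filtering.................................... Disabled
Network Admission Control
  Radius-NAC State............................... Disabled
Number of Active Clients......................... 7
Session Timeout.................................. 1800 seconds
Interface........................................ guest-dmz
DHCP Server...................................... Default
DHCP Address Assignment Required................. Enabled
"""
REMOTE_WLAN = """\
WLAN Identifier.................................. 5
Profile Name..................................... guest
Network Name (SSID).............................. guest
Status........................................... Enabled
MAC Filtering.................................... Disabled
Network Admission Control
  Radius-NAC State............................... Disabled
Number of Active Clients......................... 0
Session Timeout.................................. 1800 seconds
Interface........................................ management
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
"""

if __name__ == "__main__":
    result = compare_wlan(ANCHOR_WLAN, REMOTE_WLAN)
    for kind, diffs in result.items():
        for key, (av, rv) in diffs.items():
            print(f"{kind:10} {key}: anchor={av!r} remote={rv!r}")
```

In the sample the Interface difference is reported as allowed while the DHCP "Address Assignment Required" mismatch is flagged, which is the kind of silent divergence item 9 of the wired guest list warns about.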

In a failover scenario, once the production internal controller recognizes that the anchor controller is no longer reachable (during the next keep-alive interval), it marks the anchor as Down, de-authenticates clients, forces client re-authentication, and anchors them to one of the remaining Up anchor controllers. Failover could occur because of a controller failure, or even failure of a single port link if not using link aggregation (LAG). In the event of a single port failure, the anchor controller migrates the affected logical interface to the backup port assigned to the interface. Production controller failover to other active DMZ anchor controllers does occur, but re-establishment of the mobility relationship occurs within 10 seconds once the backup port becomes active and new clients are allowed to terminate on the anchor again.

Note - this may result in clients obtaining a new IP address if the anchor controllers are not attached to the same client subnets (perhaps they are in different data centers for instance).

In my testing, failover occurs within 6-10 seconds of taking the anchor controller offline.

There are a ton of related features, requirements, and design considerations for auto-anchor mobility, but this should provide a basic overview.