CT5760 Controller Deployment Guide Cisco Next Gen
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT
SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE
OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant
to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial
environment. This equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause
harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required
to correct the interference at their own expense.
The following information is for FCC compliance of Class B devices: This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant
to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates,
uses and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications.
However, there is no guarantee that interference will not occur in a particular installation. If the equipment causes interference to radio or television reception, which can be
determined by turning the equipment off and on, users are encouraged to try to correct the interference by using one or more of the following measures:
Reorient or relocate the receiving antenna.
Increase the separation between the equipment and receiver.
Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
Consult the dealer or an experienced radio/TV technician for help.
Modifications to this product not authorized by Cisco could void the FCC approval and negate your authority to operate the product.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public
domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED AS IS WITH
ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT
LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF
DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,
WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this
URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership
relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display
output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in
illustrative content is unintentional and coincidental.
Preface ix
Objectives ix
Audience ix
Organization x
Mobility Design and Configuration: WLC5760, WLC5508, and Catalyst 3850 in Hybrid Mode 5-1
Mobility Configuration on WLC5760-Mobility Controller-Mobility Agent 5-1
Mobility Configuration on WLC5760-Mobility Controller-Mobility Oracle 5-2
Mobility Configuration on WLC5508-Mobility Controller-Mobility Agent 5-2
Mobility Configuration on Catalyst 3850-Mobility Agent 1 5-2
Mobility Configuration on Catalyst 3850-Mobility Agent 2 5-2
Mobility Configuration on Catalyst 3850-Mobility Agent 3 5-2
Mobility Configuration on Catalyst 3850-Mobility Agent 4 5-3
Mobility Configuration on Catalyst 3850-Mobility Agent 5 5-3
Configuring ClientLink (Beamforming) 5-3
Objectives
This document introduces two new controllers within the Cisco Unified Access architecture and
provides general guidelines for their deployment. The purpose of this document is to:
Provide an overview of the new Cisco 5760 Next Generation Wireless LAN Controller and the Next
Generation Catalyst 3850 Wired/Wireless Switch.
Provide design recommendations and deployment considerations specific to the Centralized Access
deployment.
Audience
This publication is intended primarily for network engineers who configure and maintain Cisco wireless LAN controllers
and Catalyst switches, but who are not necessarily familiar with the tasks, the relationship between tasks, or the
commands needed to deploy the CT5760 and the Catalyst 3850. Some familiarity with IP networking and 802.11 wireless
LANs is assumed.
Organization
This section describes the contents of each chapter in this document and the conventions used throughout.
Table 1 Document Conventions
Convention             Description
boldface               Commands and keywords.
italic                 Command input that is supplied by you.
[ ]                    Keywords or arguments that appear within square brackets are optional.
{x|x|x}                A choice of keywords (represented by x) appears in braces separated by vertical bars. You must select one.
^ or Ctrl              Represents the key labeled Control. For example, when you read ^D or Ctrl-D, hold down the Control key while you press the D key.
screen font            Examples of information displayed on the screen.
boldface screen font   Examples of information that you must enter.
< >                    Nonprinting characters, such as passwords, appear in angle brackets.
[ ]                    Default responses to system prompts appear in square brackets.
The CT5760 WLC is an industry-leading platform designed for 802.11ac performance with maximum
services, scalability, and high resiliency for mission-critical wireless networks. Through an enhanced,
software-programmable ASIC, it delivers a wide range of features, highlighted in Table 2-1.
High Performance Video: Supports Cisco VideoStream technology to optimize the delivery of business-critical
multicast video applications across the WLAN; optimized video delivery via a single stream for both wired and
wireless clients.
For a complete list of features and specifications, refer to the Cisco 5760 Series Wireless Controller page
and Data Sheet.
AP Count Range                          300-6k APs  300-6k APs  12-500 APs  100-1000 APs  1-1000 APs
Maximum Interfaces per Interface Group  64          64          64          64            64
Maximum VLANs Supported                 4095        4095        512         512           4096
Maximum WLANs Supported                 512         512         512         512           512
Supported Fast Secure Roaming (FSR)     64,000      64,000      14,000      30,000        24,000
Licenses
Licenses are based on the Right-To-Use license model (per-AP license price for the Catalyst 3850 and
CT5760). AP licenses are enabled on the mobility controller, which can be a Catalyst 3850 switch (or
switches), a CT5760, a 5500, or a WiSM2. There is no separate license for mobility agent functionality
(for example, CAPWAP termination on the switch). The same AP licenses can be used as before when the
5500/WiSM2 is used as the mobility controller. AP licenses are transferable between Catalyst 3850 and
CT5760, Catalyst 3850 and Catalyst 3850, and CT5760 and CT5760.
Please refer to the Cisco Right to Use Licensing FAQ for additional information.
Supported Platforms
Controllers
Converged access mode: CT5760, CT5508, WS-SVC-WISM2, 3850
Centralized mode: CT5760, WISM2, CT5508
APs
1040, 1140, 1260, 1600, 2600, 3500, 3600
Centralized Mode
The centralized mode (also known as local mode on legacy controllers) is the same deployment model
currently used today at various points in the Cisco Unified Wireless Network (CUWN) solution set for
wireless as well as wired connectivity. The current CUWN provides centralized tunneling of user traffic
to the controller (data plane and control plane) and system-wide coordination for channel and power
assignment, rogue detection, security attacks, interference, roaming, and so on.
This deployment guide focuses on the configuration of the new CT5760 feature set with the Cisco IOS
software. For detailed information on the new Catalyst 3850 wired/wireless switch and its deployment
scenarios, refer to the Catalyst 3850 Deployment/Configuration Guides page.
Note You can use only one console port (either RJ-45 or mini USB). When you connect to one console port,
the other is disabled.
Note Cisco recommends that you assign one set of VLANs for WLANs and a different set of VLANs for
management interfaces to ensure that controllers properly route VLAN traffic.
Multiple LAGs
Multiple LAG groups can be configured to support configurations requiring connectivity to multiple
switches for redundancy. APs are load balanced across multiple LAG groups by configuring an AP
manager for each LAG group.
Note Load balancing that uses multiple AP manager interfaces is supported on the CT5760 WLAN controller
similar to the legacy controller. However, Cisco recommends using LAG for redundancy and load
balancing.
You can configure up to 5 AP-manager interfaces on the controller along with one wireless management
interface.
Network Topology
The diagram in Figure 3-1 shows the network topology with only the Unified Access CT5760 controller
in a centralized deployment.
Console Connection
Before you can configure the switch or controller for basic operations, you must connect it to a PC that
runs a VT-100 terminal emulator (such as HyperTerminal, ProComm, or PuTTY).
The controller has both an EIA/TIA-232 asynchronous (RJ-45) serial console port and a USB 2.0-compliant
5-pin mini Type B console port. The default parameters for the console ports are 9600 baud, eight data bits,
one stop bit, and no parity. The console ports do not support hardware flow control. Choose a serial baud
rate of 9600; if you have issues, try 115200. Figure 3-2 shows an example using SecureCRT on a Mac; use
the equivalent settings in PuTTY or another emulator on Windows.
Startup Wizard
Before you launch the startup wizard, have your IP address and VLAN information available. The passwords
shown in the transcripts below (Cisco123) are placeholders; choose distinct, strong values. Note that an
enable password is stored in cleartext or as a trivially reversible type 7 string, whereas the enable secret is
stored as a hash, so set the enable secret and do not reuse it as the enable password or the VTY password.
To skip the wizard, answer no to the initial configuration dialog:
% Please answer 'yes' or 'no'.
Would you like to enter the initial configuration dialog? [yes/no]: no
Would you like to terminate autoinstall? [yes]:
Controller>
Press RETURN to get started!
To run the wizard, answer yes to the initial configuration dialog:
Enable secret warning
----------------------------------
In order to access the device manager, an enable secret is required
If you enter the initial configuration dialog, you will be prompted for the enable
secret
If you choose not to enter the intial configuration dialog, or if you exit setup
without setting the enable secret,
please set an enable secret using the following CLI in configuration mode-
enable secret 0 <cleartext password>
----------------------------------
Would you like to enter the initial configuration dialog? [yes/no]: yes
At any point you may enter a question mark '?' for help. Use ctrl-c to abort configuration
dialog at any prompt. Default settings are in square brackets '[]'.
Basic management setup configures only enough connectivity for management of the system,
extended setup will ask you to configure each interface on the system
The enable secret is a password used to protect access to privileged EXEC and
configuration modes. This password, after entered, becomes encrypted in the
configuration.
Enter enable secret: Cisco123
The enable password is used when you do not specify an enable secret password, with some
older software versions, and some boot images.
Enter enable password: Cisco123
The virtual terminal password is used to protect access to the router over a network
interface. Enter virtual terminal password: Cisco123
Configure a NTP server now? [yes]: yes
Enter ntp server address : 10.10.200.1
Enter a polling interval between 16 and 131072 secs which is power of 2:16
Do you want to configure wireless network? [no]: yes
Enter mobility group name: New-Mobility
Enter the country code[US]:US
Configure SNMP Network Management? [no]: no
Any interface listed with OK? value "NO" does not have a valid configuration
Enter interface name used to connect to the management network from the above interface
summary: GigabitEthernet0/0 (service port)
Version
#show version
IOS XE 3.x (3.2.0SE at FCS) is the official version for the 3850/5760 and should be the only version number
used when referring to the 3850/5760.
#show version running
3. Using the IOS CLI, create a username and password for GUI access. You can configure a local user
with the command Controller(config)#username admin privilege 15 password Cisco123, or you can
have the credentials checked by an authentication server. Make sure the user has privilege level 15.
Prefer the secret keyword to password in this command: secret stores a hash of the credential, whereas
password stores it in cleartext (type 0) or as a trivially reversible type 7 string.
4. In order to access the GUI, you can configure the out of band management port (GigE 0/0) or use
existing reachable configured interfaces through the network.
5. Now you will be able to access the Web GUI interface. Open a browser and type your
controller/switch IP address. Example: https://10.10.10.5/ . Please refer to the configuration
examples below for additional Web GUI access information.
Note If you have an out-of-the-box or brand new 5760 or 3850, connect to the console and go through the
Startup Wizard as outlined earlier in this deployment guide.
Step 1 For GUI access, open a browser and type your controller IP address. By default https is enabled, for
example:
https://10.10.10.5
username: admin
Password: Cisco123
Note You can set up the username/password using the following CLI command: Controller(config)#username
admin privilege 15 password Cisco123. This is an example and not a default username and
password.
Step 2 Click Wireless WEB GUI, this will direct you to the home page shown below:
Note For additional GUI configuration examples, please see Cisco Unified Access CT5760 Controllers,
Catalyst 3850 Switches IOS XE Software release 3.2.2 Web GUI Deployment Guide
Basic Configuration
This section shows the configuration options from the console of the CT5760 for the following:
Network uplink to core switch
Management and client interfaces
DHCP configuration
Disable VLAN 1
interface Vlan1
 no ip address
 shutdown
 exit
Client VLAN
interface Vlan100
 description Client VLAN
 no shutdown
Network uplink to the core switch
interface TenGigabitEthernet1/0/1
 description Connection to Core Switch
 switchport trunk allowed vlan 100,200
 switchport mode trunk
 ip dhcp relay information trusted
 ip dhcp snooping trust
DHCP configuration
interface Vlan100
 description Client VLAN
 ip dhcp relay information trusted
DHCP snooping is required for the following functionality:
1. ip dhcp required is enabled for the WLAN. In this case the client will not go to the RUN state unless DHCP
snooping is enabled.
2. Dynamic ARP Inspection (the ip arp inspection CLI) requires the DHCP snooping binding database.
3. Third-party WGBs are used. In this case the destination MAC address in DHCP packets is modified.
4. To ensure that a broadcast OFFER/ACK from the server is converted to unicast. If ip dhcp snooping
wireless bootp-broadcast enable is configured, the broadcast OFFER/ACK from the server is
forwarded without modification.
5. To ensure that a broadcast OFFER/ACK uses the right VLAN in the case of an AAA override.
In general, not using DHCP snooping means that DHCP packets are forwarded in hardware, without inspection.
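The dependency in item 2 above (DAI needs the snooping binding table) and the trusted-port handling of OFFER/ACK messages, as an added example that is not part of the Cisco guide: a small Python model of the two checks, run over constructed sample traffic. The port names, MAC addresses and IP addresses are invented for the scenario and are not captured from a real switch.

```python
"""Why DAI needs the DHCP snooping binding table, as a small model.

Added example; not code from the Cisco guide. DHCP snooping drops OFFER/ACK
messages arriving on untrusted ports and records an IP/MAC/VLAN/port binding
for each ACK seen on a trusted port; Dynamic ARP Inspection then permits an ARP
packet from an untrusted port only if its sender MAC/IP pair matches a binding.
Port names, MACs and IPs below are constructed sample data, not captured traffic.
"""
from dataclasses import dataclass, field

DHCP_DISCOVER, DHCP_OFFER, DHCP_REQUEST, DHCP_ACK = 1, 2, 3, 5   # RFC 2132 option 53 values
CLIENT_MSGS, SERVER_MSGS = {DHCP_DISCOVER, DHCP_REQUEST}, {DHCP_OFFER, DHCP_ACK}


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


@dataclass
class SnoopingSwitch:
    """'ip dhcp snooping vlan', 'ip arp inspection vlan' and the set of trusted ports."""
    snooping_vlans: set
    dai_vlans: set
    trusted_ports: set
    bindings: dict = field(default_factory=dict)   # (mac, vlan) -> Binding
    pending: dict = field(default_factory=dict)    # (mac, vlan) -> client ingress port

    def on_dhcp(self, port, vlan, msg_type, client_mac, yiaddr=None):
        """Return True if the DHCP message is forwarded, False if snooping drops it."""
        if vlan not in self.snooping_vlans:
            return True                    # not snooped: forwarded in hardware, no binding learnt
        key = (client_mac.lower(), vlan)
        if msg_type in CLIENT_MSGS:
            self.pending[key] = port       # remember which access port the client is on
        elif msg_type in SERVER_MSGS:
            if port not in self.trusted_ports:
                return False               # OFFER/ACK from an access port: rogue DHCP server
            if msg_type == DHCP_ACK and key in self.pending:
                self.bindings[key] = Binding(key[0], yiaddr, vlan, self.pending.pop(key))
        return True

    def arp_inspect(self, port, vlan, sender_mac, sender_ip):
        """DAI: True if the ARP packet is permitted, False if it is dropped."""
        if vlan not in self.dai_vlans or port in self.trusted_ports:
            return True                    # DAI off for this VLAN, or trusted uplink: not inspected
        b = self.bindings.get((sender_mac.lower(), vlan))
        # With snooping disabled on the VLAN there are no bindings, so every ARP from an
        # untrusted port fails here: DAI cannot work without the snooping table.
        return b is not None and b.ip == sender_ip and b.port == port


def run_scenario():
    """Client VLAN 100 snooped and inspected; Te1/0/1 is the uplink to the core/DHCP server."""
    sw = SnoopingSwitch(snooping_vlans={100}, dai_vlans={100}, trusted_ports={"Te1/0/1"})
    client, attacker, gw_mac = "00:11:22:33:44:55", "66:77:88:99:aa:bb", "00:de:ad:be:ef:01"
    # Legitimate lease: DISCOVER/REQUEST on the access port, OFFER/ACK back over the trusted uplink.
    sw.on_dhcp("Gi1/0/10", 100, DHCP_DISCOVER, client)
    sw.on_dhcp("Te1/0/1", 100, DHCP_OFFER, client, "10.10.100.50")
    sw.on_dhcp("Gi1/0/10", 100, DHCP_REQUEST, client)
    sw.on_dhcp("Te1/0/1", 100, DHCP_ACK, client, "10.10.100.50")
    sw.on_dhcp("Gi1/0/12", 100, DHCP_DISCOVER, attacker)
    return {
        # a rogue DHCP server on access port Gi1/0/11 answers the attacker's DISCOVER
        "rogue_offer_forwarded": sw.on_dhcp("Gi1/0/11", 100, DHCP_OFFER, attacker, "10.10.100.200"),
        # the legitimate client ARPs with its own leased address
        "legit_arp": sw.arp_inspect("Gi1/0/10", 100, client, "10.10.100.50"),
        # the same client claims the default gateway's IP (ARP poisoning attempt)
        "gateway_spoof": sw.arp_inspect("Gi1/0/10", 100, client, "10.10.100.1"),
        # a host with no lease in the table (static address, or leased before snooping was enabled)
        "no_binding": sw.arp_inspect("Gi1/0/12", 100, attacker, "10.10.100.200"),
        # the real gateway's ARP arrives on the trusted uplink and bypasses inspection
        "trusted_uplink": sw.arp_inspect("Te1/0/1", 100, gw_mac, "10.10.100.1"),
    }
```

The no_binding case is the one operators hit most often: a host that obtained its lease before snooping was enabled on the VLAN, or that uses a static address, has no binding, so DAI drops all of its ARP traffic. On a real switch that is where an ARP ACL or a static ip source binding entry is needed rather than disabling inspection.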
WLAN Configuration
Configure a WLAN and assign a client VLAN. This example uses WPA with a pre-shared key, and the passkey is
cisco123. A short dictionary word is shown only as a placeholder: anyone who captures one WPA 4-way handshake
can recover such a key offline, so use a long random passphrase, or use 802.1X as described under Security
Configuration.
wlan corporate 1 corporate
 band-select
 client vlan 100
 no security wpa akm dot1x
 security wpa akm psk set-key ascii 0 cisco123
 no shutdown
AP Joins
Connect an AP to any port on the L2 switch. Wait until it joins and enter command:
show ap summary
Number of APs: 1
Global AP User Name: Not configured
Global AP Dot1x User Name: Not configured
AP Name / AP Model / Ethernet MAC / Radio MAC / State
---------------------------------------------------------------------------------
AP44d3.ca42.321a / 3602I / 44d3.ca42.321a / 64d9.8942.4090 / Registered
Connect a wireless client to the corporate SSID with the WPA key 'cisco123'. On the controller, you
should see a successful authorization for the new client association.
Use show wireless client summary on the controller to confirm the wireless clients.
Security Configuration
This section shows the configuration options from the console of the CT5760:
Enable Authentication, Authorization, and Accounting (AAA)
Configure ISE as the RADIUS server (10.10.200.60)
Shared secret: secret (a placeholder; use a long random value, since the shared secret is the only key protecting
the User-Password attribute, the Response Authenticator, and the MS-MPPE key attributes that carry the client
PMK to the controller)
From the CT5760 console (Telnet/serial), configure AAA. Note that the no_auth method list below uses the none
method, which grants access without any authentication; apply it only where that is intended and never to the
console or VTY lines.
aaa new-model
!
aaa group server radius Cisco
server 10.10.200.60
!
aaa authentication login no_auth none
aaa authentication dot1x default group radius
aaa authentication dot1x Cisco_dot1x group Cisco
aaa authorization network default group Cisco
aaa accounting network default start-stop group Cisco
dot1x system-auth-control
!
aaa server radius dynamic-author
auth-type any
!
radius-server attribute 6 on-for-login-auth
radius-server dead-criteria time 10 tries 3
radius-server deadtime 3
radius-server vsa send accounting
radius-server vsa send authentication
!
radius server Cisco
address ipv4 10.10.200.60 auth-port 1812 acct-port 1813
key secret
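The RADIUS exchange behind the configuration above, as an added example that is not code from the Cisco guide or from ISE: the controller side hides the password with the shared secret, the server side computes the Response Authenticator, and an eavesdropper who captured both packets recovers the weak shared secret "secret" from a wordlist and then unhides the user's password. The user name, password, wordlist and fixed Request Authenticator are constructed values.

```python
"""RADIUS shared-secret weakness, worked end to end (RFC 2865).

Added example; not code from the Cisco guide or from ISE. Both sides of a PAP
Access-Request/Access-Accept exchange are built with the guide's shared secret
'secret', then an eavesdropper who saw both packets recovers the secret with a
dictionary attack on the Response Authenticator and unhides the user's password.
User name, password, wordlist and the fixed Request Authenticator are constructed.
"""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _attr(atype, value):
    """Type-Length-Value attribute; Length counts the two header bytes."""
    return bytes([atype, 2 + len(value)]) + value


def _packet(code, ident, authenticator, attrs):
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: zero-pad to 16-byte blocks, XOR each block with a chained MD5 keystream."""
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16)
    out, b = b"", hashlib.md5(secret + req_auth).digest()
    for i in range(0, len(padded), 16):
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out, b = out + c, hashlib.md5(secret + c).digest()
    return out


def unhide_password(hidden, secret, req_auth):
    """Inverse of hide_password; anyone holding the secret and the request can do this."""
    out, b = b"", hashlib.md5(secret + req_auth).digest()
    for i in range(0, len(hidden), 16):
        c = hidden[i:i + 16]
        out, b = out + bytes(x ^ y for x, y in zip(c, b)), hashlib.md5(secret + c).digest()
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret, req_auth=None):
    """NAS (controller) side; the Request Authenticator is random in practice."""
    req_auth = os.urandom(16) if req_auth is None else req_auth
    attrs = _attr(ATTR_USER_NAME, username) + _attr(ATTR_USER_PASSWORD, hide_password(password, secret, req_auth))
    return _packet(ACCESS_REQUEST, ident, req_auth, attrs)


def response_authenticator(code, ident, attrs, req_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(attrs)) + req_auth + attrs + secret).digest()


def build_access_accept(request, secret, attrs=b""):
    """Server (ISE) side: the reply is bound to the request only through this MD5."""
    ident, req_auth = request[1], request[4:20]
    return _packet(ACCESS_ACCEPT, ident, response_authenticator(ACCESS_ACCEPT, ident, attrs, req_auth, secret), attrs)


def attribute_value(packet, atype):
    """Return the value of the first attribute of the given type, or None."""
    pos, length = 20, struct.unpack("!H", packet[2:4])[0]
    while pos + 2 <= length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2:
            break
        if t == atype:
            return packet[pos + 2:pos + l]
        pos += l
    return None


def recover_secret(request, response, wordlist):
    """Eavesdropper: one MD5 per guess, so a short secret falls to a wordlist offline."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    resp_auth, attrs = response[4:20], response[20:length]
    for guess in wordlist:
        if response_authenticator(code, ident, attrs, request[4:20], guess) == resp_auth:
            return guess
    return None


def demo():
    secret = b"secret"                                  # the guide's shared secret
    req = build_access_request(7, b"alice", b"Passw0rd!", secret, req_auth=bytes(range(16)))
    acc = build_access_accept(req, secret)
    found = recover_secret(req, acc, [b"cisco", b"radius", b"secret", b"Cisco123"])
    password = unhide_password(attribute_value(req, ATTR_USER_PASSWORD), found, req[4:20]) if found else None
    return found, password
```

With 802.1X the password never appears in User-Password, but the Response Authenticator and the MS-MPPE-Send-Key/Recv-Key attributes that deliver the PMK to the controller are protected by the same secret and the same MD5 construction, so the dictionary attack on the secret shown here applies to EAP deployments as well. The defence is a long random shared secret per NAS and, where supported, RADIUS over IPsec or RadSec (RADIUS/TLS).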
Note For a complete webauth configuration, please download the webauth bundle from the following URL:
http://software.cisco.com/download/release.html?mdfid=284397235&softwareid=282791507&
release=3.2.2&relind=AVAILABLE&rellifecycle=&reltype=latest .The readme file has all the GUI and
CLI configuration for webauth.
Note In case the customized page contains images, they won't be displayed unless certain requirements are
met, which are:
The filename of the images must start with web_auth_. For example: web_auth_logo.png.
The image source in the HTML file must be edited to look like: <img src="http://[wireless
management ip]/flash:[name of the file]">
SNMP Configuration
From the CT5760 console, configure the SNMP community strings. The strings below (public read-only, private
read-write) are the well-known defaults and are shown only to illustrate the syntax: a read-write community gives
full configuration access to anyone who guesses it, so use unique strings restricted by an access list, or SNMPv3
with authentication and privacy.
snmp-server community public ro
snmp-server community private rw
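The weak settings that appear in this section and in the GUI-access steps earlier (username ... password, enable password, the default community strings, the none method list, plaintext ip http server), as an added example that is not part of the Cisco guide: a Python audit that runs over a saved show running-config and decodes type 7 strings in place. SAMPLE_CONFIG is constructed from lines in this guide plus placeholder hashes; the finding texts and the n0c-r0 community are invented.

```python
"""Offline audit of a saved IOS XE running-config for the weak settings in this guide.

Added example; not code from the Cisco guide. It scans 'show running-config'
output for: 'username'/'enable password' lines stored as type 0 (cleartext) or
type 7, the well-known SNMP communities 'public' and 'private' and any RW
community without an access-list, an AAA login method list of 'none', and
plaintext 'ip http server'. Type 7 strings are decoded in place to show that
'service password-encryption' obfuscates rather than protects. SAMPLE_CONFIG is
constructed from lines in this guide plus invented hashes, not a real device.
"""
import re

# Fixed XOR key of Cisco's type 7 scheme; the first two digits of a type 7 string
# are the decimal offset into this key at which the XOR stream starts.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decode(enc):
    """'02050D480809' -> 'cisco'. Raises ValueError on malformed input."""
    offset, body = int(enc[:2]), bytes.fromhex(enc[2:])
    return bytes(c ^ _TYPE7_KEY[(offset + i) % len(_TYPE7_KEY)] for i, c in enumerate(body)).decode()


def type7_encode(plain, offset=2):
    """Produce a type 7 string, to show the scheme is a fixed-key XOR and nothing more."""
    data = plain.encode()
    return "%02d" % offset + bytes(c ^ _TYPE7_KEY[(offset + i) % len(_TYPE7_KEY)] for i, c in enumerate(data)).hex().upper()


_PASSWORD_RE = re.compile(r"^(enable|username \S+(?: privilege \d+)?) password(?: (0|7))? (\S+)$")
_SNMP_RE = re.compile(r"^snmp-server community (\S+) (ro|rw)(?: (\S+))?$", re.I)
_AAA_NONE_RE = re.compile(r"^aaa authentication login (\S+) none$")


def audit(config):
    """Return a list of (config line, finding) tuples."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        m = _PASSWORD_RE.match(line)
        if m:
            scope, ptype, value = m.groups()
            if ptype == "7":
                try:
                    detail = "decodes to %r" % type7_decode(value)
                except ValueError:
                    detail = "malformed type 7 string"
                findings.append((line, "%s uses a reversible type 7 password (%s); use 'secret' instead" % (scope, detail)))
            else:
                findings.append((line, "%s stores a type 0 cleartext password; use 'secret' instead" % scope))
            continue
        m = _SNMP_RE.match(line)
        if m:
            community, mode, acl = m.group(1), m.group(2).lower(), m.group(3)
            reasons = []
            if community.lower() in ("public", "private"):
                reasons.append("well-known default community string")
            if mode == "rw" and acl is None:
                reasons.append("read-write access with no access-list restriction")
            if reasons:
                findings.append((line, "; ".join(reasons) + "; prefer SNMPv3 with auth and priv"))
            continue
        m = _AAA_NONE_RE.match(line)
        if m:
            findings.append((line, "method list '%s' permits login with no authentication" % m.group(1)))
        elif line == "ip http server":
            findings.append((line, "plaintext HTTP management enabled alongside HTTPS"))
    return findings


# Constructed sample: the guide's own weak lines plus placeholder type 5 hashes.
SAMPLE_CONFIG = """
hostname Controller
enable secret 5 $1$abcd$PLACEHOLDERHASHxxxxxxxxxxxx
enable password 7 02050D480809
username admin privilege 15 password Cisco123
username noc privilege 15 secret 5 $1$wxyz$PLACEHOLDERHASHxxxxxxxxxxxx
aaa new-model
aaa authentication login no_auth none
aaa authentication login default local
ip http server
ip http secure-server
snmp-server community public ro
snmp-server community private rw
snmp-server community n0c-r0 RO 10
"""

if __name__ == "__main__":
    for cfg_line, finding in audit(SAMPLE_CONFIG):
        print("%-48s %s" % (cfg_line, finding))
```

Run the file directly to print the findings for SAMPLE_CONFIG, or call audit() on the text of a real show running-config. The type 7 decoder is the point of the exercise: service password-encryption protects only against someone reading over your shoulder, so the fix is username ... secret and enable secret, with any enable password line removed.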
IPv6 Configuration
IPv6 is supported on the data path, so wireless clients can obtain an IPv6 address. (FEC0::/10 site-local
addresses, as used below, were deprecated by RFC 3879; use a global or ULA prefix in production.)
interface Vlan100
 description Client VLAN
 ip address 10.10.100.5 255.255.255.0
 ip helper-address 10.10.100.1
 ipv6 address 2001:DB8:0:10::1/64
 ipv6 address FEC0:20:21::1/64
 ipv6 enable
Mobility Agent
A mobility agent manages AP connectivity and CAPWAP tunnel termination from APs, and builds a
database of client stations (endpoints) that are served locally as well as those roamed from an anchor WLC.
The mobility agent can be either a Catalyst 3850 or a CT5760 mobility controller with an internal mobility
agent running on it.
Mobility Controller
A mobility controller provides mobility management tasks including inter-SPG roaming, RRM, and
guest access. Mobility roaming, where a wireless client moves from one physical location to another
without losing connectivity and services at any time, can be managed by a single mobility controller if
roaming is limited to a mobility sub-domain. Roaming beyond a mobility sub-domain can be managed
by multiple mobility controllers in a mobility group. The mobility controller is responsible for caching
the Pairwise Master Key (PMK) of all clients on all the mobility controllers, enabling fast roaming of
the clients within its sub-domain and mobility group. All the mobility agents in the sub-domain form
CAPWAP mobility tunnels to the mobility controller and report local and roamed client states to the
mobility controller. The mobility controller builds a database of client stations across all the mobility
agents.
Mobility Oracle
The mobility oracle further enhances mobility scalability and performance by coordinating roaming
activities among multiple mobility groups, which removes the need for N-squared (full-mesh) communication
between mobility controllers in different mobility groups.
Mobility Group
The mobility group is a logical group of mobility controllers to enable fast roaming of clients within the
mobility controllers of a mobility group. In addition, the mobility group also provides centralized RRM
that is performed by a mobility controller leader that is either elected or statically chosen.
Mobility Sub-domain
Multiple SPGs can be grouped together and collectively managed as a mobility sub-domain. One
mobility controller is required for each mobility sub-domain.
Note Roams within an SPG are local to the SPG, and need not involve the mobility controller. Roams across
a SPG require traffic to traverse the mobility controller.
These commands enable ClientLink globally and then disable ClientLink on a specific AP radio:
ap dot11 5ghz shutdown
ap dot11 5ghz beamforming
no ap dot11 5ghz shutdown
ap name 3602a dot11 5ghz shutdown
ap name 3602a no dot11 5ghz beamforming
ap name 3602a no dot11 5ghz shutdown
Show commands:
show ap dot11 5ghz network | include Beamforming
Legacy Tx Beamforming setting : Disabled
show ap name 3602a config dot11 5ghz | include Beamforming
Legacy Tx Beamforming Setting: Enabled
This section discusses the secure self-service addition of personal devices. An employee registers a
new device, and a certificate is automatically provisioned for that user and device. The certificate is
installed along with a supplicant profile that is pre-configured to use that certificate and on-board the
device onto the corporate network. Two BYOD use cases are supported for the wireless supplicant:
Single-SSID BYOD authentication for Apple devices
Dual-SSID BYOD authentication for Apple devices
3. Authenticator authenticates the associate user as an employee and directs the user to the
employee device registration guest portal.
4. Mac address is pre-populated in the device registration page, and user enters a description and
registers their device.
5. User's supplicant is provisioned and certificate is installed.
6. User disconnects from guest SSID.
7. User connects to corporate SSID and is authenticated/authorized to use the new profile.
Topology
Components
HTTP Configuration
!
ip http server
ip http authentication local
ip http secure-server
ip http secure-client-auth
WLAN Configuration
wireless mobility controller
wireless management interface 200
wireless client user-timeout 600
wlan BYOD-Dot1x 1 BYOD-Dot1x <- Secure Corporate SSID
aaa-override
accounting-list Cisco
client vlan 100
ip access-group NSP-ACL
nac
security dot1x authentication-list Cisco
session-timeout 600
no shutdown
wlan BYOD-Open 2 BYOD-Open <- Guest SSID
aaa-override
client vlan 100
ip access-group NSP-ACL
nac
no security wpa
no security wpa akm dot1x
no security wpa wpa2
no security wpa wpa2 ciphers aes
security dot1x authentication-list Cisco
no shutdown
Deauthenticate Client
Controller-MC#wireless client mac-address 6420.0c37.5108 deauthenticate
Controller-MC#show wireless client summary
Pre-Requisites
Check the AP 3600 data sheet for detailed information about the AP:
http://www.cisco.com/en/US/prod/collateral/modules/ps12859/ps13128/data_sheet_c78-727794.html
Check the AP 3700 data sheet for detailed information about the AP:
http://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps13367/data_sheet_c78-729421.html
You will need an 11ac module installed on the AP 3600, or use the AP 3700. Refer to the AP 3600
11ac Deployment Guide for detailed information:
http://www.cisco.com/en/US/docs/wireless/technology/apdeploy/7.5/Cisco_Aironet75.html#wp45244
Have the AP 3600 or AP 3700 join the controller.
Once the AP joins the controller, you can configure the radio using a static or dynamic
configuration. Both methods are listed:
Once the APs join the controller, navigate to Configuration > Wireless > 802.11a/n/ac > Network. You
need to disable 802.11a if it is enabled.
Now, navigate to Configuration > Wireless > 802.11a/n > RRM > DCA. Select 80 MHz under DCA
Channel and Click Apply.
Once you apply the changes, you will need to wait for about 10 minutes for RRM to change the channel
width. You can check the status of the channels by issuing the CLI command below or it can be verified
from the GUI as shown below:
GUI Verification
Note The configuration below needs to be done on the RF Group Leader. In order to verify if a controller is
an RF Group Leader, please issue the following command:
Note After the commands have been issued, please wait for at least 1 RRM cycle which is 600 seconds by
default to have the 80 MHz channel width settings enabled. You can use the following commands for
verification.
Note Under Channel, you should see 4 channels assigned using the entire 80 MHz spectrum.
You can also check the channel width using the following command. The Channel width should be 80
MHz.
WLC5760#sh ap dot11 5ghz channel
Automatic Channel Assignment
Traffic Load - the total bandwidth used for transmitting and receiving traffic. It enables wireless
LAN managers to track and plan network growth ahead of client demand.
Interference - the amount of traffic coming from other 802.11 sources.
Noise - the amount of non-802.11 traffic that is interfering with the currently assigned channel.
Coverage - the receiver signal strength indicator (RSSI) and signal-to-noise ratio (SNR)for all
connected clients.
Other - the number of nearby APs.
RRM can periodically reconfigure the 802.11 RF network for best efficiency. In order to do this, RRM
performs these functions:
Radio resource monitoring
Transmit power control
Dynamic channel assignment
Coverage hole detection and correction.
For initial configuration purposes, the following covers items in the order that they occur in the current
WLC GUI and focuses on predictable things that need adjustment from the default values.
RF Group Name
Assign the RF group name that RRM will use to identify members of your group and base the grouping
algorithm to choose RF group leaders. Cisco recommends that you assign a distinctly different name to
this test system to avoid interactions with established, production networks. In order to configure the RF
Group Name, enter configuration mode at the command line of the mobility controller.
(config)#wireless rf-network <name> <cr>
802.11a/b network command
Several commands require that the network be disabled in order to execute. You can disable and enable
the network from the configuration terminal prompt:
Switch(config)#ap dot11 {24ghz | 5ghz} shutdown
Or use the no form to enable it:
Switch(config)#no ap dot11 {24ghz | 5ghz} shutdown
This is the form of the data-rate command; you might need to change several of the default rates:
ap dot11 {24ghz | 5ghz} rate <rate> {mandatory | supported | disable}
As an example, on 2.4 GHz disable 1, 2, 5.5 and 11 Mbps, set 24 and 54 Mbps as mandatory, and leave all
else supported. On 5 GHz, 12 and 24 Mbps are mandatory and all else supported:
ap dot11 2 shut
ap dot11 2 rate RATE_11M disable
ap dot11 2 rate RATE_1M disable
ap dot11 2 rate RATE_2M disable
ap dot11 2 rate RATE_5_5M disable
% Unable to modify rate, Since this is the last available BSS rate.
The warning above is issued because at that point no other mandatory rate is available; at least one
mandatory rate must remain. Set the new mandatory rate first, then disable the old one:
ap dot11 2 rate RATE_24M mandatory
ap dot11 2 rate RATE_5_5M disable
ap dot11 2 rate RATE_54M mandatory
no ap dot11 2 shut
ap dot11 5 shut
ap dot11 5 rate RATE_6M supported
no ap dot11 5 shut
Fragmentation threshold - default 2346 - Do not change unless you have a significant reason:
ap dot11 {24ghz | 5ghz} fragmentation <256-2346> (bytes)
Dynamic Transmit Power Control (DTPC) support - Default is on. This tells a Cisco Compatible
Extension (CCX) client the power level the AP used.
ap dot11 24/5ghz dtpc <cr>
For static grouping and for adding static members, the member mobility controllers must be in automatic
grouping mode; on the leader, configure the mode and each member (replace <ip-address> with the member's
management IP address):
ap dot11 24ghz rrm group-mode leader
ap dot11 24ghz rrm group-member Cisco_dd:f8:e4 <ip-address>
If TPC is configured to automatic, then you may need to adjust the TPC-threshold value - (-70 dBm by
default) valid range is -80 dBm to -50dBm:
ap dot11 24 rrm tpc threshold -70
Here is the command that shows the current RRM TPC configuration:
show ap dot11 24 txpower
Use this command in order to set DCA to operate on a fixed interval other than the default of 10 minutes:
ap dot11 24 rrm channel dca anchor-time 1
ap dot11 24 rrm channel dca interval 8
These commands set the anchor time for 1 AM in the RF group leader's time zone and runs DCA every
eight hours. Valid interval values are 1,2,3,4,6,8,12 and 24 hours; 0 = 10 minutes (default).
Use this command in order to set the DCA algorithm sensitivity (medium by default) use:
ap dot11 24 rrm channel dca sensitivity low
Options are medium/low/high.
Use this command to assign the channels that DCA will manage. Use one entry per channel, and run for
both 2.4 and 5 Ghz bands:
ap dot11 24 rrm channel dca 1
ap dot11 24 rrm channel dca 6
ap dot11 24 rrm channel dca 11
Use the no form of the command to remove a channel from DCA control. The following sub-commands manage
the options of the DCA algorithm, such as noise avoidance, foreign AP avoidance, load, CleanAir persistent
device avoidance, and CleanAir Event Driven Radio Resource Management (EDRRM):
ap dot11 24 rrm channel ?
cleanair-event - Configure cleanair event-driven RRM parameters
dca - Config 802.11b dynamic channel assignment algorithm
device - no description - CleanAir PDA
foreign - Configure foreign AP 802.11b interference avoidance
global - Configures all 802.11b Cisco APs
load - Configure Cisco AP 802.11b load avoidance
noise - Configure 802.11b noise avoidance
To set the RSSI level below which a client is considered to be in a coverage hole: the default value is -80 dBm,
and the valid range is -90 to -60 dBm. Voice and data clients are configured with two separate commands.
This command sets the minimum failed client count and the coverage exception level per AP:
ap dot11 24 rrm coverage level global 3
ap dot11 24 rrm coverage exception global 25
Three clients and 25% coverage exception are the default values; the available ranges are 1-75 clients
and 0-100%.
The minimum failed client count and the exception level work together as a gating function for the
feature. The defaults of three clients and 25% translate as a minimum of three clients must be in a
coverage hole, and these three clients must represent at least 25% of the clients currently associated to
the AP. This is the criterion for mitigation.
Cisco CleanAir is a spectrum intelligence solution designed to proactively manage the challenges of a
shared wireless spectrum. It allows you to see all of the users of the shared spectrum (both native devices
and foreign interferers). It also enables you or your network to act upon this information. For example,
you could manually remove the interfering device, or the system could automatically change the channel
away from the interference.
CleanAir Configuration
CleanAir is disabled by default at the WLC/mobility controller level and must be enabled on all mobility
controllers, just as on a WLC installation. In order to enable CleanAir on both bands, enter these commands:
ap dot11 24ghz cleanair
ap dot11 5ghz cleanair
Verify with:
Controller#show ap dot11 24ghz summary
Use this command in order to query CleanAir for devices and AirQuality (AQ) at the AP radio and the
global levels:
show ap dot11 24 cleanair device type all
Use this command in order to show the CleanAir configuration for the mobility controller:
show ap dot11 24 cleanair config
With the WLC5760 first release, an AP can be configured with primary, secondary, and tertiary
controllers. When the primary controller fails, depending upon the number of APs managed by a
controller, the access point fails over to the secondary controller. Once it detects that the primary
controller is unavailable, the AP rediscovers the controller and reestablishes the CAPWAP tunnel to the
secondary controller. Additionally, the client must re-authenticate with the AP. Figure 10-1 illustrates
the primary, secondary, tertiary controller redundancy.
Note In release 7.3 and later, the legacy WLC controllers support stateful switchover of access points (AP
SSO). For additional information about the AP SSO high-availability functionality, refer to the High
Availability (AP SSO) Deployment Guide.
N+1 Redundancy
The CT5760 supports N+1 redundancy where the controller is placed in the data center and acts as a
backup for multiple WLCs. Each AP is configured with a WLC as the primary and all APs turn to the
one redundant controller as secondary.
In order to reduce the controller failure detection time, you can configure the heartbeat interval between
the controller and the AP with a smaller timeout value.
#ap capwap timers heartbeat-timeout <1-30>
In addition to the option to configure primary, secondary, and tertiary controllers for a specific AP, you
can also configure primary and secondary backup controllers for a specific controller. If there are no
primary, secondary, or tertiary WLCs configured on the AP side, and a primary and/or secondary backup
controller are configured on the controller side (downloaded to the AP), the primary and/or secondary
backup controller are added to the primary discovery request message recipient list of the AP. In order
to configure a primary backup controller for a specific controller, use this command:
(config)#ap capwap backup ?
Interface groups are logical groups of interfaces. Interface groups facilitate user configuration where the
same interface group can be configured on multiple WLANs or while overriding a WLAN interface per
AP group. An interface group can exclusively contain quarantine or nonquarantine interfaces. An
interface can be part of multiple interface groups.
A WLAN can be associated with an interface or interface group. The interface group name and the
interface name cannot be the same.
This feature also enables you to associate a client to specific subnets based on the foreign controller to
which they are connected. The anchor controller WLAN can be configured to maintain a mapping
between foreign controller MAC and a specific interface or interface group (foreign maps), as needed.
If this mapping is not configured, clients on that foreign controller acquire VLANs associated from the
interface group configured on the WLAN.
You can also configure AAA override for interface groups. This feature extends the current AP group
and AAA override architecture where AP groups and AAA override can be configured to override the
interface group WLAN to which the interface is mapped. This is accomplished with multiple interfaces
using interface groups.
This feature enables network administrators to configure guest anchor restrictions where a wireless guest
user at a foreign location can obtain an IP address from multiple subnets on the foreign location and
controllers from within the same anchor controller.
Configure AP Groups
In Figure 11-1, three configured dynamic interfaces are mapped to three different VLANs (VLAN 61,
VLAN 62, and VLAN 63). Three AP groups are defined, and each is a member of a different VLAN, but
all are members of the same SSID. A client within the wireless SSID is assigned an IP address from the
VLAN subnet of which its AP is a member. For example, any user that associates with an AP that is a
member of AP group VLAN 61 is assigned an IP address from that subnet.
In the example shown in Figure 11-1, the controller internally treats roaming between APs as a Layer 3
roaming event. In this way, WLAN clients maintain their original IP addresses.
After all APs join the controller, you can create AP groups and assign up to 16 WLANs to each group.
Each AP advertises only the enabled WLANs that belong to its AP group. The AP does not advertise
disabled WLANs in its AP group or WLANs that belong to another group.
Note The default access point group can have up to 16 WLANs associated with it. The WLAN IDs for the
default access point group must be less than or equal to 16. If a WLAN with an ID greater than 16 is
created in the default access point group, the WLAN SSID will not be broadcasted. All WLAN IDs in
the default access point group must have an ID that is less than or equal to 16. WLANs with IDs greater
than 16 can be assigned to custom AP groups.
Multicast forwarding is disabled by default on the WLC5760 controller. You can enable support for
IPv4 or IPv6 multicast forwarding with this command:
(config)#wireless multicast
Internet Group Management Protocol (IGMP) Snooping must be enabled on the controller with this
command:
(config)#ip igmp snooping
You can revert to the default MCUC mode with the no form in this command:
(config)#no ap capwap multicast
Just like the legacy solution, multicast groups are created on a VLAN basis. For example, if your WLAN
is mapped to VLAN 100, and if a client requests multicast traffic from that WLAN, the controller creates
a multicast group identifier (MGID) which maps the multicast source, the multicast address, and the
VLAN - in this example, VLAN 100. This is true regardless of the client VLAN in the WLAN.
These commands create a WLAN, and map this WLAN to the VLAN group:
(config)#wlan open19 4 open19
(config-wlan)# client vlan Group19to21
(config-wlan)#
Use the IP Multicast VLAN command that maps multicast traffic to a specific VLAN:
(config-wlan)# ip multicast vlan 21
The controller uses the VLAN 21 interface to handle multicast traffic for that WLAN.
Note Once multicast forwarding is configured on the controller, you must also configure your infrastructure
for multicast support.
Note WLC5760 uses IGMP v2. There is no option for the end user to change it.
Broadcast Forwarding
Similar to multicast forwarding, broadcast forwarding is disabled by default (broadcast packets received
by the controller are not forwarded to wireless clients). Broadcast forwarding is enabled on a per VLAN
basis. You can enable broadcast forwarding for a specific VLAN with this general command:
(config)#wireless broadcast vlan 21
You can also enable broadcast forwarding for all VLANs, if you do not identify a specific VLAN:
(config)#wireless broadcast
Then, you can restrict the command by disabling broadcast forwarding for some VLANs:
(config)#no wireless broadcast vlan 20
Configuration Verification
You can verify multicast in a number of ways. From the controller component, you can display the
multicast status, ap multicast mode, and each VLAN's broadcast/non-ip multicast status:
You can display all (S, G, and V) and the corresponding MGID value:
#show wireless multicast group summary
#show ip igmp snooping
# show ip igmp snooping wireless mgid
All of these commands are also available for IPv6 MLD monitoring. You must use the ipv6 keyword
instead of ip, and mld instead of igmp:
show ipv6 mld snooping
show ipv6 mld snooping wireless mgid
You can also see all the multicast groups and their active interfaces:
#show ip igmp groups
In order to see which IGMP version is used and the port associated to the group, use this command:
#show ip igmp snooping groups
Flexible Netflow
Cisco IOS Flexible NetFlow is the next generation of flow technology. It optimizes the network
infrastructure, which reduces operation costs and improves capacity planning and security incident
detection with increased flexibility and scalability. The ability to characterize IP traffic and identify its
source, traffic destination, timing, and application information is critical for network availability,
performance, and troubleshooting. When IP traffic flows are monitored, this increases the accuracy of
capacity planning and ensures that resource allocation supports organizational goals. Flexible NetFlow
helps you determine how to optimize resource usage, plan network capacity, and identify the optimal
application layer for QoS. It plays a vital role in network security by the detection of Denial of Service
(DoS) attacks and network-propagated worms.
Here are the commands in order to configure Flexible Netflow:
!
flow record IPv4flow
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match flow direction
 collect counter bytes long
 collect counter packets long
 collect timestamp absolute first
 collect timestamp absolute last
!
! The destination is the IP address of your NetFlow collector; the collector must accept NetFlow v9.
flow exporter IPv4export-1
 destination 10.1.1.6
 transport udp 2055
!
! If no NetFlow collector is available, you can view the flows on the switch with the CLI.
flow monitor IPv4flow
 description Monitor all IPv4 traffic
 exporter IPv4export-1
 cache timeout active 30
 record IPv4flow
!
Here are the Show Commands:
show flow monitor name monitor-name cache
show flow record
show flow-sampler
show flow monitor
For additional information on Netflow Configuration, please refer to Cisco Flexible NetFlow
Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3850 Switches).
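As an added illustration that is not part of this guide, the Python below decodes what a collector receives from the IPv4flow exporter configured above: a NetFlow v9 template followed by data records carrying the record's match and collect fields (RFC 3954 field types; the two absolute-timestamp fields are left out), and then applies a simple fan-in count of the kind the "security incident detection" sentence alludes to. The export packet and all addresses in it are constructed sample values.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

# RFC 3954 field types for the IPv4flow match/collect fields (absolute timestamps left out for brevity)
FIELD_NAMES = {1: "bytes", 2: "packets", 4: "protocol", 8: "src", 12: "dst", 61: "direction"}

def parse_netflow_v9(data):
    """Decode one NetFlow v9 export packet into a list of record dicts (template must precede its data)."""
    if struct.unpack("!H", data[:2])[0] != 9:           # 20-byte header: version, count, uptime, secs, seq, source id
        raise ValueError("not a NetFlow v9 packet")
    templates, records, off = {}, [], 20
    while off + 4 <= len(data):
        fs_id, fs_len = struct.unpack("!HH", data[off:off + 4])
        body = data[off + 4:off + fs_len]
        if fs_id == 0:                                   # template flowset: template id, field count, (type, len)*
            tid, nfields = struct.unpack("!HH", body[:4])
            templates[tid] = [struct.unpack("!HH", body[4 + 4*i:8 + 4*i]) for i in range(nfields)]
        elif fs_id in templates:                         # data flowset: fixed-size records laid out per the template
            fields = templates[fs_id]
            rec_len = sum(flen for _, flen in fields)
            for pos in range(0, len(body) - rec_len + 1, rec_len):
                rec, cur = {}, pos
                for ftype, flen in fields:
                    raw = body[cur:cur + flen]
                    cur += flen
                    name = FIELD_NAMES.get(ftype, f"field{ftype}")
                    rec[name] = str(IPv4Address(raw)) if ftype in (8, 12) else int.from_bytes(raw, "big")
                records.append(rec)
        off += fs_len
    return records

def fan_in(records, min_sources=3):
    """Destinations contacted by at least min_sources distinct sources: a coarse flood/scan indicator."""
    srcs = defaultdict(set)
    for r in records:
        srcs[r["dst"]].add(r["src"])
    return {dst: len(s) for dst, s in srcs.items() if len(s) >= min_sources}

def build_sample_packet():
    """Constructed export packet: template 256 for IPv4flow plus four data records (sample values)."""
    fields = [(4, 1), (8, 4), (12, 4), (61, 1), (1, 8), (2, 8)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    flows = [("10.1.1.10", "10.1.1.50", 17, 0, 1200, 10), ("10.1.1.11", "10.1.1.50", 6, 0, 60000, 400),
             ("10.1.1.12", "10.1.1.50", 6, 1, 900, 9), ("10.1.1.10", "10.1.1.20", 1, 0, 64, 1)]
    recs = b"".join(struct.pack("!B4s4sBQQ", proto, IPv4Address(s).packed, IPv4Address(d).packed, dirn, by, pk)
                    for s, d, proto, dirn, by, pk in flows)
    header = struct.pack("!HHIIII", 9, 1 + len(flows), 1000, 1700000000, 1, 0)
    return header + struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl + struct.pack("!HH", 256, 4 + len(recs)) + recs
```

Feeding the same parser a live capture of UDP 2055 traffic from the switch gives the per-flow byte and packet counters that the show flow monitor cache command shows locally.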
The introduction of Cisco IOS software on the WLC5760 controller brings a wide range of
wired and wireless QoS support and capabilities:
Consistent configuration CLI for both wired and wireless QoS through Modular QoS CLI
Granular QoS policies per AP, SSID, radio, and client
Fair bandwidth allocation across wireless clients on an AP
Leverages proven Cisco IOS and ASIC technology to provide line rate performance
Enabling QoS
Based on the Modular QoS CLI model, QoS is enabled by default on the WLC5760. Explicit marking of
traffic is required in order to modify Class of Service (CoS) or Differentiated Services Code Point
(DSCP) values for traffic from and to wired ports. Traffic from wireless to wireless ports or wireless to
wired ports is considered untrusted. Although QoS is globally enabled, traffic that passes through an SSID
must be specifically marked or trusted, or all of its QoS values (DSCP, CoS) are set to the default (0).
Managing QoS
QoS policies on the WLC5760 are provisioned in a couple of ways.
Via CLI
Via AAA
The configuration examples herein demonstrate attachment of policies via CLI. AAA configuration of
policies is shown later in this specific section. The QoS policy name, not the actual QoS policy, is passed
from the AAA server to the WLC5760 platform. Due to this fact, the QoS policy configuration must be
local to the platform regardless of which method is used to manage QoS on the platform.
Marking Models
The WLC5760 supports several marking models:
Per-Port Marking (wired)
Per-Client Marking (wireless)
!Class-map configuration
class-map match-all VOIP
 match access-group name VOIP
class-map match-all SIGNALING
 match access-group name SIGNALING
class-map match-all TRANSACTIONAL-DATA
 match access-group name TRANSACTIONAL-DATA
Policing Models
Several policing models are available on the WLC5760.
Per-Port Policing
Per-Client Policing
Per-SSID Policing
Policing is offered in a number of ways and can be used in a hierarchical fashion as will be shown in the
instance of client-based policies. In this instance, a policer can be used bi-directionally to police a
client's traffic as an aggregate, as well as specific traffic classes associated with the client, such as voice.
!ACL configuration (permit entries omitted)
ip access-list extended VOIP
 remark Voice
!Class-map configuration
class-map match-all VOIP
 match access-group name VOIP
class-map match-all SIGNALING
 match access-group name SIGNALING
class-map match-all TRANSACTIONAL-DATA
 match access-group name TRANSACTIONAL-DATA
!Wireless Client Policy-map: client aggregate policed to 2 Mbps, voice as a subset to 128k, signaling 32k
!The child policy (PER-PORT-POLICING) must exist before the parent policy references it
policy-map PER-PORT-POLICING
 class VOIP
  set dscp ef
  police 128000 conform-action transmit exceed-action drop
 class SIGNALING
  set dscp cs3
  police 32000 conform-action transmit exceed-action drop
 class TRANSACTIONAL-DATA
  set dscp af21
 class class-default
  set dscp default
policy-map AGG-POLICE
 class class-default
  police 2000000 conform-action transmit exceed-action drop
  service-policy PER-PORT-POLICING
Wireless Queuing
Wireless queuing by default provides a queuing policy. This policy is shown in the show run command
and contains a static traffic class, which cannot be modified. This class is attached to multicast
non-real-time traffic associated with the wireless port only. In order to enable the additional queues on
egress of the wireless port, the static policy-map port_child_policy must be modified to include the three
additional classes. Priority queuing is supported for two of the queues, while class-default makes up the
rest of the queue.
policy-map port_child_policy
 class non-client-nrt-class
  bandwidth remaining ratio 7
 class RT1
  priority level 1
  police 6400000 conform-action transmit exceed-action drop
 class RT2
  priority level 2
  police 19200000 conform-action transmit exceed-action drop
 class class-default
  bandwidth remaining ratio 63
In this example, the policy limits the priority queues RT1 and RT2 to the aggregate policed rates
shown. The policy also gives the non-real-time classes a share of the remaining bandwidth through the
bandwidth remaining ratio command. This ratio of available bandwidth is provided to the
non-client-nrt (multicast and non-client non-real-time traffic) queue and the class-default queue.
Note Non-WMM clients cannot receive packets from the AP that carry a WMM QoS header.
All packets from and to non-WMM clients are sent with best-effort Wi-Fi channel access.
6. Modify Advanced Attribute Settings with the Cisco av-pair name, ip:sub-qos-policy-in or
ip:sub-qos-policy-out, plus the name of a QoS policy local to the WLC3850/5760. When clients are
associated and authenticated, the policy name is pushed to the WLC3850/5760.