- Prerequisites
- Restrictions
- Identify Configuration Values
- LAN Access Switch Topology with Wireless Connectivity
- Enable the Switch as a Wireless Controller
- Provisioning a Small Branch WLAN
Converged Wired and Wireless Access
This workflow explains how to enable the converged access functionality of the switch and how the switch can operate as both the wireless mobility controller (MC) and the wireless mobility agent (MA) in a small branch deployment.
Enabling wired and wireless features on the same platform is referred to as converged access. The wired and wireless features are bundled into a single Cisco IOS Software image, which reduces the number of software images that users have to qualify and certify before deploying them in their network.
Converged access increases the wireless bandwidth available across the network and the scale of the wireless deployment. For example, a 48-port Catalyst 3850 switch provides 40 Gbps of wireless throughput, and this capacity grows with the number of members in the stack, so the network can scale with the bandwidth demands of IEEE 802.11n-based access points and of future standards such as IEEE 802.11ac.
Prerequisites
Complete the following tasks before proceeding with wireless configuration:
- The switch stack is operating in Stateful Switchover (SSO) mode.
- Interface configuration is complete, as explained in the “Access Interface Connectivity” workflow.
- Lightweight access points are used.
- NTP configuration is present and operational, as explained in the “Global System Configuration” workflow.
- A wireless site survey has been completed. The site survey identifies the proper placement of wireless access points for the best coverage. For detailed information about the site survey process and the tool to use, see the Wireless Site Survey FAQ.
- The QoS workflow is complete.
Restrictions
- AP-count licenses are supported only on IP Base and IP Services licenses. See the Cisco Catalyst 3850 Switch Right-to-Use Licensing Model.
- A Catalyst 3850 switch stack can support a maximum of 50 access points.
- A Cisco Catalyst 3650 stack can support a maximum of 25 access points.
- WLAN cannot use client VLAN 0.
Identify Configuration Values
We recommend that you identify certain switch configuration values in advance so that you are ready to proceed with this section without interruption. As you follow the configuration sequence, replace the values in column B with your values in column C.
Note This workflow contains two separate IP subnets that contain VLANs used for access points and wireless clients. The access points are on VLAN 12, and use IP subnet 192.168.12.x. The wireless clients are on VLAN 200, and use IP subnet 192.168.13.x.
Note In the configuration examples, you must replace the blue italicized example values with your own values.
Note Configuration examples begin in global configuration mode, unless noted otherwise.
LAN Access Switch Topology with Wireless Connectivity
This topology shows the switch stack connected to multiple routers. The most common deployment of converged access is in a branch scenario, but this workflow also applies to a campus deployment.
The switch is stacked and acts as both the MC and MA. At least one lightweight access point is required for converged access, and a single converged access stack can support a maximum of 50 directly connected access points.
We recommend that you distribute the access points evenly across the stack members so that the access points connected to a member or standby switch do not all lose connectivity at once during a switchover.
Figure 13 LAN Access Switch Topology with Wireless Connectivity
Enable the Switch as a Wireless Controller
- Install Access Point Licenses on the Switch
- Configure a Wireless Management VLAN
- Configure Service Connectivity
- Enable Wireless Controller Functionality
- Change a Switch to Run in Mobility Controller Mode
- Enable the Access Point Connections
Install Access Point Licenses on the Switch
For ease of use, an evaluation license is preinstalled on your switch, but you must accept the End-User License Agreement (EULA) before the 90-day evaluation period expires.
The IP Base and IP Services image-based licenses support wireless functionality. The minimum license level for wireless functionality is IP Base.
The total AP-count license of a switch stack is the sum of the individual member AP-count licenses, up to a maximum of 50.
The total AP-count license of the stack changes when stack members are added or removed:
- When a new member that already carries an AP-count license joins the stack, the total AP-count license available to the stack is recalculated automatically.
- When members leave the stack, their AP-count licenses are subtracted from the total available to the stack.
- If more access points connect than the accepted AP-count licenses allow, the switch logs a syslog warning but does not disconnect the newly connected access points until the stack reloads.
- After a stack reload, the access points that exceeded the license count are excluded from the total access point count and are not allowed to join.
You can activate permanent RTU licenses after you accept the EULA; the EULA assumes that you have purchased the permanent license. Use AP-count adder licenses to activate access point licenses. The adder AP-count license is an “add as you grow” license: you add access point licenses as your network grows. You activate an adder AP-count license with EXEC commands, and it takes effect without a switch reload.
Step 1 Activate a permanent access point license and accept the EULA.
Access point licenses are either permanent or evaluation licenses. To prevent disruption, the switch does not change licenses when an evaluation license expires; instead you receive a warning that the evaluation license is about to expire, and you must disable the evaluation license and purchase a permanent one.
We recommend that you purchase and activate a permanent license and accept the EULA so that an expiry does not catch you unprepared.
The following examples activate 10 access point licenses on member 1 and 15 on member 2.
For more information about RTU licenses, see the “Configuring Right-To-Use Licenses” chapter in the System Management Configuration Guide, Cisco IOS XE Release 3E.
Verify AP-Count License Installation
Step 2 Verify the allocation of the access point licenses on the switch.
The following example shows two members in the stack:
Step 3 Verify the RTU license summary details.
The example shows that a permanent IP Services license is installed and will be available after the switch reboots, and that five AP-count licenses are in use.
Configure a Wireless Management VLAN
Step 4 Configure the VLAN and SVI and assign it an IP address.
A wireless management VLAN is used for access point CAPWAP tunnels and for the other CAPWAP mobility tunnels. Creating a wireless management VLAN is mandatory. First configure the VLAN in hardware, then create the SVI and assign it an IP address. (See the “Create a Management VLAN in Hardware” section in the Initial Switch Configuration workflow.)
Configure Service Connectivity
Step 5 Create a named DHCP address pool and specify the network number and mask of the pool and the default router for the clients of the pool.
If you want the access points to receive their IP address information from the switch, configure the DHCP pool with the network and subnet mask of the access points and a router address that they use as their default gateway. A DNS server address in the pool is optional; it is needed only if the access points must resolve names (for example, a TFTP server name) to IP addresses.
In small branch deployments in which the MC and MA are combined, we recommend using the switch as the DHCP server for the lightweight access points. In this deployment, the switch operates in Layer 2 mode, and the upstream router provides all routing functions.
We recommend that you exclude the address already used by the default router and the address of the wireless management SVI from the pool, so that the pool never allocates either of them to an access point.
Enable Wireless Controller Functionality
Step 6 Configure an SVI (rather than a physical interface) as the wireless management interface.
The wireless management interface command selects the interface whose address sources the access point CAPWAP tunnels and the other CAPWAP mobility tunnels.
The SVI must already be configured with an IP address before you enable the wireless controller.
Change a Switch to Run in Mobility Controller Mode
Step 7 Enable the switch as an MC before the AP-count license installation.
In the wireless licensing model, the MA enforces the access point limits and the MC is the gatekeeper that decides whether an access point may join the switch. The default role of the switch after bootup is MA.
You must save the configuration and reload the switch for the MC role to take effect.
Step 8 After the switch reboots, verify that the role of the switch has changed to Mobility Controller.
Enable the Access Point Connections
Step 9 Connect the access points directly to the switch ports to complete installation.
The port that connects the access point must be configured as an access port; the access point does not register if the port is configured as a trunk.
Note The access VLAN on the switch port should be the same as the wireless management VLAN configured in Step 4 in this workflow.
Enable a Client VLAN
Step 10 Configure an external DHCP server to allocate IP addresses to clients. Define a client VLAN and activate it in the VLAN database.
Every WLAN profile must be associated with a client VLAN.
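The listing below is an added example, not configuration taken from this guide or from Cisco, that carries Steps 1 through 10 end to end on one stack. It uses the subnets from the note at the start of this workflow (access points on VLAN 12, 192.168.12.0/24; clients on VLAN 200, 192.168.13.0/24). The SVI address 192.168.12.1, the upstream router address 192.168.12.254, the pool, VLAN and description names, the stack slot numbers and the interface names are assumptions to be replaced with your own values; the AP-count figures (10 on member 1, 15 on member 2) are the ones the text describes. EXEC commands and configuration commands are shown in the order they would be typed.

```cisco
! Step 1: permanent AP-count adder licenses, EULA accepted on the command line
license right-to-use activate apcount 10 slot 1 acceptEULA
license right-to-use activate apcount 15 slot 2 acceptEULA
! Steps 2-3: per-member allocation and RTU summary
show license right-to-use summary
show license right-to-use detail
!
configure terminal
! Step 4: wireless management VLAN and its SVI (assumed address 192.168.12.1)
vlan 12
 name WIRELESS-MGMT
interface Vlan12
 description Wireless management and CAPWAP source
 ip address 192.168.12.1 255.255.255.0
 no shutdown
!
! Step 5: the switch is the DHCP server for the APs; the upstream router
! (assumed 192.168.12.254) is their default gateway. Exclude the router
! and the management SVI so the pool can never hand out those addresses.
ip dhcp excluded-address 192.168.12.1
ip dhcp excluded-address 192.168.12.254
ip dhcp pool AP-POOL
 network 192.168.12.0 255.255.255.0
 default-router 192.168.12.254
!
! Step 6: the wireless management interface must be an SVI that already has an address
wireless management interface Vlan12
!
! Step 7: change the role from the default MA to MC; takes effect only after save + reload
wireless mobility controller
end
write memory
reload
!
! Step 8: after the reboot, the role must read Mobility Controller
show wireless mobility summary
!
configure terminal
! Step 9: AP-facing port is an access port in the wireless management VLAN (never a trunk)
interface GigabitEthernet1/0/1
 description AP-01
 switchport mode access
 switchport access vlan 12
 spanning-tree portfast
!
! Step 10: client VLAN 200 (192.168.13.0/24); clients get addresses from an external DHCP server
vlan 200
 name WIRELESS-CLIENTS
end
! Confirm that the access points have joined
show ap summary
```

The two excluded-address lines are the security-relevant part of the pool: without them the pool may lease the gateway or the SVI address to an access point, and a duplicate address on the management VLAN takes every CAPWAP tunnel sourced from that SVI down with it.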
Provisioning a Small Branch WLAN
- Provision in Easy-RADIUS—Easiest to configure and does not rely on outside services.
- Provision in Secure Mode—End-users are authenticated by the external RADIUS server or ISE.
- Manage Radio Frequency and Channel Settings
We strongly recommend that you provision secure mode. Both WLAN modes can coexist if the network design requires it; for example, you can provision both WLANs on a single switch, with each WLAN serving its own purpose in the network.
Note If your network does not permit open access for any wireless device, proceed to the “Provision in Secure Mode” section and provision your wireless network in secure mode.
Note Guest Access network deployment is beyond the scope of this document. For detailed information, see the “Configuring Wireless Guest Access” chapter in the Security Configuration Guide, Cisco IOS XE Release 3E, (Catalyst 3850 Switches).
Provision in Easy-RADIUS
Easy-RADIUS allows access to the network without authentication and is not secure: any device in range can join, and traffic between the client and the access point is not encrypted.
- Disable Authentication to Enable Easy-RADIUS
- Configure QoS to Secure the WLAN
- Verify Client Connectivity in RADIUS
Note If your network does not permit open access for any wireless device, proceed to the “Provision in Secure Mode” section and provision your wireless network in secure mode.
Disable Authentication to Enable Easy-RADIUS
Step 1 To provision in easy-RADIUS, use the no security forms of the WLAN configuration commands to disable authentication for a WLAN.
By default, a WLAN is created with Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access II (WPA2) security enabled. To make the WLAN open, use the no security wpa wpa2 command.
Note By default, SSID broadcast is enabled and the WLAN/SSID information is sent in beacons. The no broadcast-ssid command hides the SSID from beacons so that it is not shown to end clients; end users can still connect by entering the SSID manually in the wireless client network properties. Hiding the SSID is not a security control: the SSID is still sent in the clear in probe and association frames, so it is no substitute for authentication and encryption.
Configure QoS to Secure the WLAN
Step 2 Configure a service policy on the ingress direction to properly classify traffic.
All ingress traffic is classified the same as wired traffic. On egress, the secure WLAN is given the majority of the available bandwidth.
QoS configuration for a secure WLAN assumes that there is another WLAN with lower priority, such as a guest or open WLAN. The end users on a secure WLAN should not be impacted by non-critical traffic on other WLANs.
All WLANs share the default port_child_policy egress service policy. This policy is configured by default and does not need to be explicitly configured on a WLAN.
Verify Client Connectivity in RADIUS
Step 3 Associate clients and verify connectivity.
Clients associate to the WLAN from the end device by choosing the appropriate SSID.
Verify client connectivity with the wireless show commands that display client state and authentication information.
Provision in Secure Mode
Secure mode allows secure wireless connectivity. End users are authenticated by an external RADIUS server or ISE. Provision in secure mode if your network does not permit open access for any wireless device.
Enable the AAA RADIUS Server
The configuration of the RADIUS server is dependent on the RADIUS service that you choose.
Step 1 Enable the AAA RADIUS server.
You must match the following configuration with an equivalent configuration on the RADIUS server.
Configure the WLAN with IEEE 802.1x Authentication
Step 2 Create a WLAN with WPA2 and IEEE 802.1x enabled.
Although the controller and access points support a WLAN whose SSID uses WPA and WPA2 simultaneously, some wireless client drivers cannot handle such mixed SSID settings.
Whenever possible, we recommend configuring only WPA2 with Advanced Encryption Standard (AES) and leaving WPA (TKIP) disabled.
Note WPA2 with AES encryption and IEEE 802.1x key management are enabled by default on the WLAN for the switch so you do not need to explicitly configure these security settings.
Configure QoS Service Policies for an Open WLAN
Step 3 Configure service policies for ingress and egress traffic for an open WLAN.
All ingress traffic is classified the same as wired traffic, but egress traffic is allocated only 30% of the available bandwidth.
When configuring QoS for an open WLAN, a low priority WLAN should be created for guest usage. The end users on an open WLAN are restricted and should not impact business-critical traffic on secure enterprise WLANs.
All WLANs share the port_child_policy egress policy. The policy is configured by default and is not explicitly configured on a WLAN.
DHCP Snooping
Step 4 DHCP snooping must be configured on the controller for clients to join properly. Enable DHCP snooping on every client VLAN, including the override VLAN if a VLAN override is applied on the WLAN.
Enable the bootp-broadcast option as well. It is needed for clients that send DHCP messages to the broadcast address with the broadcast bit set in the DHCP message.
Note If the upstream connection is a port channel, configure DHCP snooping trust on the port-channel interface as well.
Note Configure DHCP snooping on the guest anchor controller for guest access in the same way.
The DHCP-required option in the WLAN settings forces clients to request or renew an address each time they associate with the WLAN before they are allowed to pass traffic. This gives strict control over the IP addresses in use and stops a client with a statically configured address from passing traffic without a DHCP snooping binding.
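The following added example (not the guide's own configuration) puts the two WLAN modes from this section side by side: the easy-RADIUS open WLAN with its default protection stripped, and the secure WLAN with WPA2/AES and IEEE 802.1X against an external RADIUS server, followed by the DHCP snooping settings from Step 4. Client VLAN 200 follows the note at the start of this workflow. The RADIUS server address 10.1.1.10, the shared-secret placeholder, the WLAN, server-group and authentication-list names, and the uplink interface GigabitEthernet1/1/1 are assumptions; the ip dhcp required form of the DHCP-required option is how we read the text and should be checked against your command reference.

```cisco
configure terminal
!
! Easy-RADIUS (open) WLAN: no authentication, no encryption; treat as untrusted.
! A new WLAN starts with WPA2/AES and 802.1X key management; these lines remove it.
wlan OPEN-GUEST 1 OPEN-GUEST
 client vlan 200
 no security wpa wpa2
 no security wpa
 no shutdown
! (no broadcast-ssid would hide the SSID from beacons, but adds no security)
!
! Secure WLAN: users authenticated by the external RADIUS server (ISE)
aaa new-model
radius server ISE-01
 address ipv4 10.1.1.10 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET
aaa group server radius ISE-GROUP
 server name ISE-01
aaa authentication dot1x WLAN-DOT1X group ISE-GROUP
dot1x system-auth-control
!
wlan CORP 2 CORP
 client vlan 200
 security wpa wpa2 ciphers aes
 security wpa akm dot1x
 security dot1x authentication-list WLAN-DOT1X
 ip dhcp required
 no shutdown
!
! Step 4: DHCP snooping on the client VLAN, bootp-broadcast for clients that
! set the broadcast bit, and trust only on the uplink toward the DHCP server
ip dhcp snooping
ip dhcp snooping vlan 200
ip dhcp snooping wireless bootp-broadcast enable
interface GigabitEthernet1/1/1
 description Uplink to branch router
 ip dhcp snooping trust
end
!
! Verification
show wlan summary
show wireless client summary
show ip dhcp snooping
```

The "key" line is the one value on this page that must never be reused from an example: the RADIUS shared secret is what stops a rogue device on the management network from impersonating the controller to the RADIUS server, so generate a long random secret per NAS and match it on the server side.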
Manage Radio Frequency and Channel Settings
Radio Resource Management (RRM), also known as Auto-RF, helps with channel and power setting management, but Auto-RF cannot correct for a poor radio frequency design.
- Disable Low Data Rates
- Enable Clean Air
- Enable Dynamic Channel Assignment
- Associate WLAN Clients
- Verify WLAN Client Connectivity
For any wireless deployment, we recommend a site survey to ensure a proper quality service design for your wireless clients.
Disable Low Data Rates
Step 1 Shut down the 5-GHz and 2.4-GHz networks before modifying the data rates; the rate settings cannot be changed while the networks are enabled.
In a well-designed wireless network with good radio frequency coverage, the lower data rates can be disabled. Low data rates consume the most airtime.
Limiting the number of supported data rates lets clients down-shift faster when retransmitting. Wireless clients try to send at the fastest data rate; if the transmitted frame is unsuccessful, the client retransmits at the next lower available rate. Removing some supported data rates means that a client that needs to retransmit a frame drops several rates at once, which increases the chance that the frame gets through on the second attempt. IEEE 802.11b-only devices normally no longer need to be accommodated, so disable the rates used by IEEE 802.11b-only devices.
Step 2 Enable the wireless spectrums.
The lightweight access points support two spectrums: 5 GHz and 2.4 GHz. You enable and disable rates in each spectrum separately, and the rate sets do not have to match.
- Enable IEEE 802.11n and IEEE 802.11ac for the 5-GHz spectrum.
- Enable IEEE 802.11n and IEEE 802.11g for the 2.4-GHz spectrum.
Note Beacons are sent at the lowest mandatory rate, which therefore defines the cell size.
When deploying the switch in converged access mode as a hotspot, leave the lowest data rates enabled to gain coverage at the expense of speed. The recommended rates above assume a wireless network with good radio frequency coverage; the right rates depend on the nature of your radio frequency deployment.
Enable Clean Air
Step 3 Enable Clean Air on the switch and on devices that are common in your deployment environment.
With Clean Air enabled, the switch detects and mitigates radio frequency interference. Typical sources of interference are jammers, microwave ovens, and Bluetooth devices.
Step 4 Verify that Clean Air is enabled on devices.
Enable Dynamic Channel Assignment
Step 5 Make sure that the 2.4-GHz and 5-GHz wireless networks are shut down, as described in the “Disable Low Data Rates” section.
Step 6 Enable Dynamic Channel Assignment (DCA) on both the 2.4-GHz and 5-GHz spectrums to optimize the channel assignments of the radios and minimize interference. For the 5-GHz spectrum, enable channel bonding to increase throughput.
DCA uses the over-the-air metrics reported by each radio on every possible channel and chooses assignments that maximize channel bandwidth and minimize radio frequency interference from all sources: self (own signal), other networks (foreign interference), and noise (everything else).
Associate WLAN Clients
Step 7 Associate the WLAN clients. On the end-client device, choose the appropriate SSID and supply the credentials required for authentication. How connectivity is checked depends on the type of device; the wireless network interface details on the client show its state.
Verify WLAN Client Connectivity
Step 8 Verify client connectivity.
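As an added example that is not part of this guide, the sequence below applies Steps 1 through 8 of the radio section in one pass: both networks are shut down first, the 802.11b rates are removed and 12 Mb/s is made the lowest mandatory rate in 2.4 GHz, 802.11n and Clean Air are enabled, DCA is enabled in both bands with 40 MHz bonding on 5 GHz, and the networks are brought back up. The rate choices, the Clean Air device types and the 40 MHz width are design assumptions for a branch office, and the 802.11n and DCA command forms are written from memory of IOS XE 3.x and should be confirmed against the command reference for your release; the 802.11ac setting the text calls for is not shown.

```cisco
configure terminal
! Step 1: both networks must be down before rates, Clean Air and DCA are changed
ap dot11 24ghz shutdown
ap dot11 5ghz shutdown
!
! 2.4 GHz: drop the 802.11b rates (1/2/5.5/11 Mb/s) and the lowest OFDM rates.
! 12 Mb/s becomes the lowest mandatory rate, so beacons (and the cell size) follow it.
ap dot11 24ghz rate RATE_1M disable
ap dot11 24ghz rate RATE_2M disable
ap dot11 24ghz rate RATE_5_5M disable
ap dot11 24ghz rate RATE_11M disable
ap dot11 24ghz rate RATE_6M disable
ap dot11 24ghz rate RATE_9M disable
ap dot11 24ghz rate RATE_12M mandatory
ap dot11 24ghz rate RATE_24M mandatory
!
! 5 GHz: same idea; the rate set does not have to match the 2.4 GHz one
ap dot11 5ghz rate RATE_6M disable
ap dot11 5ghz rate RATE_9M disable
ap dot11 5ghz rate RATE_12M mandatory
ap dot11 5ghz rate RATE_24M mandatory
!
! Step 2: 802.11n in both bands (802.11g remains enabled by the rates left above)
ap dot11 24ghz dot11n
ap dot11 5ghz dot11n
!
! Steps 3-4: Clean Air, plus the interferer types common in a branch office
ap dot11 24ghz cleanair
ap dot11 24ghz cleanair device mw-oven
ap dot11 24ghz cleanair device bt-link
ap dot11 24ghz cleanair device jammer
ap dot11 5ghz cleanair
ap dot11 5ghz cleanair device jammer
!
! Steps 5-6: DCA in both bands; 40 MHz channel bonding on 5 GHz only
ap dot11 24ghz rrm channel dca global auto
ap dot11 5ghz rrm channel dca global auto
ap dot11 5ghz rrm channel dca chan-width 40
!
! Bring the networks back up once the radio settings are in place
no ap dot11 24ghz shutdown
no ap dot11 5ghz shutdown
end
!
! Verification (Step 4 for Clean Air, Step 8 for clients)
show ap dot11 24ghz cleanair config
show ap dot11 5ghz cleanair config
show ap dot11 24ghz network
show ap dot11 5ghz network
show wireless client summary
```

Re-enabling the networks is deliberately the last configuration step: every rate, Clean Air and DCA line above is rejected while the corresponding network is up, so a script that forgets the shutdown at the top silently leaves the old rates in place.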
Show Running Configuration for Wireless LAN Converged Access
Step 1 Enter the show running-config command to display the wireless configuration settings of the switch.