Passive Client

Information About Passive Clients

Passive clients are wireless devices, such as printers and devices configured with a static IP address. Such clients do not transmit any IP information after associating to an AP. As a result, the controller does not learn their IP address unless they perform the DHCP process.

In the controller, the clients just show up in the Learn IP state and get timed out because of the DHCP policy-timeout.

Non-Cisco WGB devices are wireless devices that do not perform L2 or L3 address registration for the wired clients behind them.

The Passive Client feature can be enabled on a per-WLAN basis. Enabling this feature changes a few default behaviors to better accommodate passive clients and non-Cisco WGB devices. These changes include:

  • No client will ever time out in the IP_LEARN phase. The controller keeps waiting to learn the client's IP address. Note that the idle timeout remains active and deletes the client entry when the timeout period expires, if the client remains silent throughout.

  • If the controller does not know the client IP address, ARP coming from the wired side is broadcast to all the APs to ensure that it reaches the passive client. The controller then learns the client IP address from the ARP response.

  • Device tracking (DHCP Relay support, ARP proxy, and so on) is disabled for the client.


    Note


    Passive client devices are in the IP LEARN state on the controller once connected, and they remain in that state until some other device tries to reach them. When a device tries to reach a passive client, by sending an Address Resolution Protocol (ARP) request or through other means, the controller learns the passive client IP address and moves the client to the RUN state. While the client waits in the IP LEARN state, the timeout for that client is disabled. The no ip-mac-binding configuration is mandatory if there is an overlapping IP within the FlexConnect site. Otherwise, this configuration is optional.



    Note


    The following combinations are supported when passive-client is configured with non-Cisco WGB devices:

    • IPv4

    • Local mode + central switching + central DHCP



    Important


    No DHCP relay and server related configurations must be available in the policy profile and client VLAN interface configurations. This is applicable for both Passive clients and non-Cisco WGB devices.



Note


The Passive Client feature is not supported in FlexConnect local switching mode.


Enabling Passive Client on WLAN Policy Profile (GUI)

Procedure


Step 1

Choose Configuration > Tags & Profiles > Policy, and click Add to open the Add Policy Profile page.

Step 2

In the General tab, use the slider to enable Passive Client.

Step 3

Click Save & Apply to Device.


Enabling Passive Client on WLAN Policy Profile (CLI)

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 2

wireless profile policy policy-profile

Example:

Device(config)# wireless profile policy rr-xyz-policy-1

Configures WLAN policy profile and enters wireless policy configuration mode.

Step 3

[no] passive-client

Example:

Device(config-wireless-policy)# passive-client

Enables Passive Client.

Step 4

end

Example:

Device(config-wireless-policy)# end

Returns to privileged EXEC mode.

Enabling ARP Broadcast on VLAN (GUI)

Procedure


Step 1

Choose Configuration > Layer2 > VLAN, and click the VLAN tab.

Step 2

Click Add to view the Create VLAN window.

Step 3

Use the slider to enable ARP Broadcast.

Step 4

Click Save & Apply to Device.


Enabling ARP Broadcast on VLAN (CLI)


Note


The ARP Broadcast feature is not supported on VLAN groups.


Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 2

vlan configuration vlan-id

Example:

Device(config)# vlan configuration 1

Configures a VLAN or a collection of VLANs and enters VLAN configuration mode.

Step 3

[no] arp broadcast

Example:

Device(config-vlan)# arp broadcast

Enables ARP broadcast on VLAN.

Step 4

end

Example:

Device(config-vlan)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Configuring Passive Client in Fabric Deployment

You need to enable the following for passive client feature to work:

For information on LISP (Locator ID Separation Protocol), see:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_lisp/configuration/xe-3s/irl-xe-3s-book/irl-cfg-lisp.html

Enabling Broadcast Underlay on VLAN


Note


You can perform the following configuration tasks from Fabric Edge Node only and not from your controller.


Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

FabricEdge# configure terminal

Enters global configuration mode.

Step 2

router lisp

Example:

FabricEdge(config)# router lisp

Enters LISP configuration mode.

Step 3

instance-id instance

Example:

FabricEdge(config-router-lisp)# instance-id 3

Creates a LISP EID instance to group multiple services. Configurations under this instance-id are applicable to all services underneath it.

Step 4

service ipv4

Example:

FabricEdge(config-router-lisp-instance)# service ipv4

Enables Layer 3 network services for the IPv4 address family and enters the service submode.

Step 5

database-mapping eid locator-set RLOC name

Example:

FabricEdge(config-router-lisp-instance-dynamic-eid)# database-mapping 66.66.66.64/32 locator-set rloc1

Configures EID to RLOC mapping relationship.

Step 6

map-cache destination-eid map-request

Example:

FabricEdge(config-router-lisp-instance-service)# map-cache 0.0.0.0/0 map-request

Generates a static map request for the destination EID.

Step 7

exit-service-ipv4

Example:

FabricEdge(config-router-lisp-instance-service)# exit-service-ipv4

Exits service submode.

Step 8

exit-instance-id

Example:

FabricEdge(config-router-lisp-instance)# exit-instance-id

Exits instance submode.

Step 9

instance-id instance

Example:

FabricEdge(config-router-lisp)# instance-id 101

Creates a LISP EID instance to group multiple services.

Step 10

service ethernet

Example:

FabricEdge(config-router-lisp-instance)# service ethernet

Enables Layer 2 network services and enters service submode.

Step 11

eid-table vlan vlan-number

Example:

FabricEdge(config-router-lisp-instance-service)# eid-table vlan 101

Associates the LISP instance-id configured earlier with a VLAN through which the endpoint identifier address space is reachable.

Step 12

broadcast-underlay multicast-group

Example:

FabricEdge(config-router-lisp-instance-service)# broadcast-underlay 239.0.0.1

Specifies the multicast group used by the underlay to carry the overlay Layer 2 broadcast traffic.

Step 13

exit-service-ethernet

Example:

FabricEdge(config-router-lisp-instance-service)# exit-service-ethernet

Exits service submode.

Step 14

exit-instance-id

Example:

FabricEdge(config-router-lisp-instance)# exit-instance-id

Exits instance submode.

Enabling ARP Flooding


Note


You can perform the following configuration tasks from Fabric Edge Node only and not from your controller.


Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

FabricEdge# configure terminal

Enters global configuration mode.

Step 2

router lisp

Example:

FabricEdge(config)# router lisp

Enters LISP configuration mode.

Step 3

instance-id instance

Example:

FabricEdge(config-router-lisp)# instance-id 3

Creates a LISP EID instance to group multiple services. Configurations under this instance-id are applicable to all services underneath it.

Step 4

service ipv4

Example:

FabricEdge(config-router-lisp-instance)# service ipv4

Enables Layer 3 network services for the IPv4 address family and enters the service submode.

Step 5

database-mapping eid locator-set RLOC name

Example:

FabricEdge(config-router-lisp-instance-dynamic-eid)# database-mapping 66.66.66.64/32 locator-set rloc1

Configures EID to RLOC mapping relationship.

Step 6

map-cache destination-eid map-request

Example:

FabricEdge(config-router-lisp-instance-service)# map-cache 0.0.0.0/0 map-request

Generates a static map request for the destination EID.

Step 7

exit-service-ipv4

Example:

FabricEdge(config-router-lisp-instance-service)# exit-service-ipv4

Exits service submode.

Step 8

exit-instance-id

Example:

FabricEdge(config-router-lisp-instance)# exit-instance-id

Exits instance submode.

Step 9

instance-id instance

Example:

FabricEdge(config-router-lisp)# instance-id 101

Creates a LISP EID instance to group multiple services.

Step 10

service ethernet

Example:

FabricEdge(config-router-lisp-instance)# service ethernet

Enables Layer 2 network services and enters service submode.

Step 11

eid-table vlan vlan-number

Example:

FabricEdge(config-router-lisp-instance-service)# eid-table vlan 101

Associates the LISP instance-id configured earlier with a VLAN through which the endpoint identifier address space is reachable.

Step 12

flood arp-nd

Example:

FabricEdge(config-router-lisp-instance-service)# flood arp-nd

Enables ARP flooding.

Step 13

database-mapping mac locator-set RLOC name

Example:

FabricEdge(config-router-lisp-instance-service)# database-mapping mac locator-set rloc1

Configures EID to RLOC mapping relationship.

Step 14

exit-service-ethernet

Example:

FabricEdge(config-router-lisp-instance-service)# exit-service-ethernet

Exits service submode.

Step 15

exit-instance-id

Example:

FabricEdge(config-router-lisp-instance)# exit-instance-id

Exits instance submode.

Verifying Passive Client Configuration

To verify the status of the Passive Client, use the following command:

Device# show wireless profile policy detailed sample-profile-policy

Policy Profile Name           : sample-profile-policy
Description                   : sample-policy
Status                        : ENABLED
VLAN                          : 20
Client count                  : 0
Passive Client                : ENABLED    <--------------------
WLAN Switching Policy
  Central Switching           : ENABLED
  Central Authentication      : ENABLED
  Central DHCP                : DISABLED
  Override DNS                : DISABLED
  Override NAT PAT            : DISABLED
  Central Assoc               : DISABLED
.
.
.

 

To verify VLANs that have ARP broadcast enabled, use the following command:

Device# show platform software arp broadcast

Arp broadcast is enabled on vlans:
20

Note


The show wireless device-tracking database mac output does not display the wired client MAC but displays the WGB MAC. Similarly, the show wireless device-tracking database ip output displays the IPv4 address as one of the wired clients or WGBs.
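The two verification commands above can be cross-checked automatically when auditing which policy profiles run with Passive Client enabled (and therefore with device tracking disabled for those clients). The following is an added example, not Cisco-provided code: the function names are hypothetical and the sample output is constructed from the listings above. It assumes that Central Switching shown as DISABLED means the profile is locally switched, and it treats ARP broadcast on the profile's VLAN as an expected companion setting.

```python
import re

# Constructed sample output, modelled on the verification listings above.
POLICY_OUTPUT = """\
Policy Profile Name           : sample-profile-policy
Status                        : ENABLED
VLAN                          : 20
Passive Client                : ENABLED    <-----
WLAN Switching Policy
  Central Switching           : ENABLED
  Central DHCP                : DISABLED
"""
ARP_OUTPUT = """\
Arp broadcast is enabled on vlans:
20
"""

def parse_policy(text):
    """Return {field: value} for every 'Key : Value' line of the profile output."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            # Drop trailing annotations such as '<-----' after the value.
            fields[key.strip()] = value.split("<")[0].strip()
    return fields

def parse_arp_vlans(text):
    """Return the VLAN IDs listed after the 'enabled on vlans:' header.
    Assumes plain IDs (one per line or comma-separated), not ranges."""
    body = text.split("vlans:", 1)[-1]
    return {int(v) for v in re.findall(r"\b\d+\b", body)}

def audit_passive_client(policy_text, arp_text):
    """List findings for one policy profile; an empty list means consistent."""
    p = parse_policy(policy_text)
    findings = []
    if p.get("Passive Client") != "ENABLED":
        return findings  # feature is off, nothing to cross-check
    if p.get("Central Switching") != "ENABLED":
        findings.append("passive client on a locally switched profile (unsupported)")
    vlan = p.get("VLAN", "")
    if not vlan.isdigit() or int(vlan) not in parse_arp_vlans(arp_text):
        findings.append(f"ARP broadcast not confirmed on VLAN {vlan or '?'}")
    return findings
```

Feed it the captured text of `show wireless profile policy detailed` for each profile together with one capture of `show platform software arp broadcast`.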