Start your access point and connect your serial cable to the Console port. You will see booting up a CAPWAP device. Wait long enough, the AP will start a small version of the wireless LAN controller software. After this you can configure your WLC like this:

Would you like to terminate autoinstall? [yes]: yes
Enter Administrative User Name (24 characters max): MyName
Enter Administrative Password (3 to 24 characters): *****
Re-enter Administrative Password : *****
System Name [Cisco_4d:2c:00] (31 characters max): 3800
Enter Country Code list (enter ‘help’ for a list of countries) [US]: DE
Configure a NTP server now? [YES][no]: no
Configure the system time now? [YES][no]: yes
Enter the date in MM/DD/YY format: 03/29/17
Enter the time in HH:MM:SS format: 15:19:30
Enter timezone location index (enter ‘help’ for a list of timezones): help
1. (GMT-12:00) International Date Line
2. (GMT-11:00) Samoa 3. (GMT-10:00) Hawaii
4. (GMT -9:00) Alaska 5. (GMT -8:00) Pacific Time
6. (GMT -7:00) Mountain Time 7. (GMT -6:00) Central Time
8. (GMT -5:00) Eastern Time 9. (GMT -4:00) Altantic Time
10. (GMT -3:00) Buenos Aires 11. (GMT -2:00) Mid-Atlantic
12. (GMT -1:00) Azores 13. (GMT) London, Lisbon, Dublin
14. (GMT +1:00) Amsterdam,Berlin,Rome 15. (GMT +2:00) Jerusalem
16. (GMT +3:00) Baghdad 17. (GMT +4:00) Muscat, Abu Dhabi
18. (GMT +4:30) Kabul 19. (GMT +5:00) Karachi, Tashkent
20. (GMT +5:30) Colombo, New Delhi 21. (GMT +5:45) Kathmandu
22. (GMT +6:00) Almaty, Novosibirsk 23. (GMT +6:30) Rangoon
24. (GMT +7:00) Hanoi, Bangkok 25. (GMT +8:00) HongKong, Beijing
26. (GMT +9:00) Tokyo, Osaka, Seoul 27. (GMT +9:30) Darwin
28. (GMT+10:00) Sydney, Melbourne 29. (GMT+11:00) Solomon Is.
30. (GMT+12:00) Auckland, Fiji
Enter timezone location index (enter ‘help’ for a list of timezones): 14
Management Interface IP Address: 192.168.0.3
Management Interface Netmask: 255.255.255.0
Management Interface Default Router: 192.168.0.1
Cleaning up Provisioning SSID
Create Management DHCP Scope? [yes][NO]: no
Create Employee Network? [YES][no]: yes
Employee Network Name (SSID)?: WiFiSurvey
Employee VLAN Identifier? [MGMT][1-4095]:
Employee Network Security? [PSK][enterprise]:
Employee PSK Passphrase (8-38 characters)?: *****
Re-enter Employee PSK Passphrase: *****
Create Guest Network? [yes][NO]: no
Enable RF Parameter Optimization? [YES][no]: yes
Client Density [TYPICAL][Low][High]: typical
Traffic with Voice [NO][Yes]: no

Configuration correct? If yes, system will save it and reset. [yes][NO]: yes
Cleaning up Provisioning SSID

Configuration saved!
Resetting system with new configuration…

after the restart, login with your username and password and activate the webinterface:

(Cisco Controller) >config network webmode enable

You can now access and configure your new WLC:

you can now change your SSID or your AP name and details:

Especially for site surveys, you need to edit the tx transmit power levels. I found a bug in the web GUI, even if you change the transmit power manually, the entry shows “Automatic” but you can do it with CLI:

config 802.11a disable 3800-AP
config 802.11a txPower ap 3800-AP 4
config 802.11a enable 3800-AP

config 802.11-abgn disable 3800-AP
config 802.11-abgn txPower ap 3800-AP 3
config 802.11-abgn enable 3800-AP

you can check the power-level with the commands “show advanced 802.11-abgn summary” and show advanced 802.11-a summary”. The configured power-levels are now active:

I hope that you can save much time with this topic ;)

The post Building up a Cisco mobility express environment appeared first on Network Guy.

WLC1-management-IP: 192.168.101.240
WLC1-virtual-IP: 1.1.1.1
WLC1-Hostname: BiWLC1
WLC2-management-IP: 192.168.101.241
WLC2-virtual-IP: 1.1.1.1
WLC1-Hostname: BiWLC2
Software Version on both WLCs: 8.3.102.0
Field Recovery Image Version: 7.6.101.1

The virtual IP needs to be the same on both controller! Also the mobility domain name and the RF group name needs to be the same:

set the second WLC to be the HA SKU unit:

Now we will configure a mobility group. Take the mac-address of the virtual interface:

BiWLC1:

BiWLC2:

as you can see, the entries are mirrored. If you have configured everything correct, you will see the following entries in the trap logs:

Thu Sep 29 13:26:34 2016 Data path to mobility member 192.168.101.240 is up.
Thu Sep 29 13:26:26 2016 Control path to mobility member 192.168.101.240 is up.

or you can check it at Controller / Mobility Management / Mobility Groups. Data and control path needs to be up. Once, I had a problem where one path doesn’t came up. Just restart the second WLC and check again. To order the access points to change to BiWLC2 once the BiWLC1 goes down, we need to configure the High Availability options under Wireless / Access Points / Global Configuration:

Don’t be confused with “Back-up Primary Controller IP Adress”. This is the second WLC. “Back-up Secondary Controller IP” is the tertiary WLC. I also configure the WLCs directly in every AP “to be sure” :)

Do you want CLI commands for this? Ask me in the comments!

The post Cisco WLC HA with 2504 series appeared first on Network Guy.

012844: Aug 22 09:51:45: CDP-EV: Unrecognized type (22) seen in TLV
012845: Aug 22 09:51:45: CDP-EV: Number of addresses <0> in Address Tlv is NOT > 0
012846: Aug 22 09:51:45: CDP-EV: Number of addresses <0> in Mgmt Address Tlv is NOT > 0
012847: Aug 22 09:51:52: CDP-EV: Unrecognized type (22) seen in TLV
012848: Aug 22 09:51:52: CDP-EV: Invalid protocol type (0)
012849: Aug 22 09:51:53: CDP-EV: Unrecognized type (22) seen in TLV
012850: Aug 22 09:51:53: CDP-EV: Invalid protocol type (0)
012851: Aug 22 09:52:49: CDP-EV: Unrecognized type (19) seen in TLV
012852: Aug 22 09:52:49: CDP-EV: Unrecognized type (22) seen in TLV
012853: Aug 22 09:52:49: CDP-EV: Invalid protocol type (0)
012854: Aug 22 09:52:49: %ILPOWER-5-ILPOWER_POWER_DENY: Interface Fa0/11: inline power denied

Normally, the APs are taking 15 or 15.4 watt power but the 2700er series needs at least 16.8 watt to run at “PoE/Full Power”. So it asks via CDP to get more. The old switch (or maybe the old firmware) doesn’t understand the new AP CDP, so the switch denys inline power as a precaution. Deactivating CDP on this specific port also solves the problem, but the AP is running in “PoE/Medium Power” (which is not good; Cyclic Shift Diversity (CSD) disabled, 2 of 4 transmitters disabled, data rates MCS  8-15 disabled), no spatial stream possible, etc.; see here and here).

Maybe a firmware update could solve the problem, we couldn’t test this by now. The customer will use newer switches at the new aimed location.

The post Cisco switch “inline power denied” appeared first on Network Guy.

You can read more information about it here. There is also the possibility to add this via CLI:

show license summary

license add ap-count (1-200)

and you don’t need to restart your WLC :) thanks Cisco… finally!

The post Cisco Right to Use (RTU) Licensing appeared first on Network Guy.

Create your VLANs for your wireless network:

dot11 vlan-name Intern vlan 1
dot11 vlan-name Scanner vlan 10
dot11 vlan-name Guest vlan 20

create your SSIDs (bound to the VLANs):

dot11 ssid TestIntern
vlan 1
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii [Your PreSharedKey]
!
dot11 ssid TestScanner
vlan 10
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii [Your PreSharedKey]
!
dot11 ssid TestGuest
vlan 20
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii [Your PreSharedKey]

configuration of the 2.4 GHz interface

interface Dot11Radio0
no ip address
!
encryption mode ciphers aes-ccm
! aes-ccm is for WPA2:
encryption vlan 1 mode ciphers aes-ccm
!
encryption vlan 10 mode ciphers aes-ccm
!
encryption vlan 20 mode ciphers aes-ccm
!
ssid TestGuest
!
ssid TestIntern
!
ssid TestScanner
!
antenna gain 0
stbc
beamform ofdm
mbssid
station-role root

Sub-interfaces for VLAN-tagging:

interface Dot11Radio0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.10
encapsulation dot1Q 10
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 spanning-disabled
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
!
interface Dot11Radio0.20
encapsulation dot1Q 20
bridge-group 20
bridge-group 20 subscriber-loop-control
bridge-group 20 spanning-disabled
bridge-group 20 block-unknown-source
no bridge-group 20 source-learning
no bridge-group 20 unicast-flooding

the same configuration for the 5 GHz interface:

interface Dot11Radio1
no ip address
!
encryption mode ciphers aes-ccm
!
encryption vlan 1 mode ciphers aes-ccm
!
encryption vlan 10 mode ciphers aes-ccm
!
encryption vlan 20 mode ciphers aes-ccm
!
ssid TestGuest
!
ssid TestIntern
!
ssid TestScanner
!
antenna gain 0
no dfs band block
stbc
beamform ofdm
mbssid
channel dfs
station-role root
!
interface Dot11Radio1.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1.10
encapsulation dot1Q 10
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 spanning-disabled
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
!
interface Dot11Radio1.20
encapsulation dot1Q 20
bridge-group 20
bridge-group 20 subscriber-loop-control
bridge-group 20 spanning-disabled
bridge-group 20 block-unknown-source
no bridge-group 20 source-learning
no bridge-group 20 unicast-flooding

now we need to bridge the wireless data to our cable-network:

interface GigabitEthernet0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
!
interface GigabitEthernet0.10
encapsulation dot1Q 10
bridge-group 10
bridge-group 10 spanning-disabled
no bridge-group 10 source-learning
!
interface GigabitEthernet0.20
encapsulation dot1Q 20
bridge-group 20
bridge-group 20 spanning-disabled
no bridge-group 20 source-learning

the configuration ip address will be configured to the bridge interface:

interface BVI1
ip address 192.168.1.50 255.255.255.0

keep in mind that the “native” encapsulation in this example is “untagged VLAN 1” so if you configure a VLAN trunk to the access point, VLAN 1 needs to be untagged.

Have a nice weekend! :)

The post Multiple SSIDs with Cisco Access Points appeared first on Network Guy.

• “management”
  Main-Interface that is bound to the physical interfaces. For the WLC 5520, the “management” interface lies on the installed 10 Gbit Ports “Port 1” and “Port 2”. When you activate the LAG function, all physical ports (except the yellow copper ports) will be bound to one LAG. Enabling or disabling the LAG option is only possible while your WLC is not configured with “Redundancy SSO” / High Availability. In an HA-Environment, the configured IP address is a virtual IP address which are shared by both WLCs. If the primary WLC fails, the secondary WLC is taking over the management IP. The management IP is the target for all your access points.
• “redundancy-management” (M)
  Beside the Redundancy-Port, another Interface for Heartbeats. This interface delivers a SSH access. Every HA-Node / WLC has its own IP address. For example, in a case of a broken HA situation, you can access the standby-controller directly to make debugs, troubleshooting and rebooting the system (it’s the “reset system” command ^^). This interface automatically configures the same VLAN tag as the “management” interface.
• Serial line / COM port (IOIOI)
  This is the serial port of the WLC. Access is possible via 9600 Baud. Initial-configuration is done at this interface. If a WLC has no configuration (factory default) an automatic-install process starts after 60 seconds. You can abort this by answering the question with “n” or “no”.
• “service-port” (SP)
  The service port is an additional port for accessing the devices via SSH or webinterface. If the device is configured for High Availability, the service port only accept SSH login. There is no possibility to configure a VLAN tag or a gateway, so you need to come from the same net or connecting from a different network via source natting. The IP address must be different to the “management”-interface.
• “redundancy-port” (RP)
  The redundancy-port is for configuration-sync and for the keep-alive UDP packets (heartbeat). The default-timer for heartbeats is 100 milliseconds. The IP address will be automatically configured by activating “Redundancy SSO” / High Availability. The first two octets of the IP address will configured to 169.254 and the last ones will be assumed from the “redundancy-management” interface. The physical ports can be connected directly via copper or transported via VLANs. The RP has no VLAN tag configuration so the directly connected switch-port needs to be an access-port with the untagged VLAN.

The post The meaning of the Cisco WLC Ports appeared first on Network Guy.

Version 8.5.1 highlights:

• Improved support for dual-5 GHz access points – especially for scenarios where switching between 2.4+5GHz and 2 x 5GHz modes
  • Also added Cisco 2802 and 3802 APs that support dual-5 GHz
• The super-annoying tooltip behavior switched to less-annoying (disclaimer: that’s hopefully less annoying, for most users, most of the time)
• Easier moving of access points (no more pixel-perfect alignment of mouse cursor)
• Improvements to network adapter behavior (more stable, more robust in VHD environments)
• Support for older, v2 model of Ekahau Spectrum Analyzer (does not show overly-high noise floor anymore on 5GHz band)
• Added antennas from Aruba, Terrawave, Samsung
• Added Xirrus APs XD4, X2, XR-320
• Small improvements, such as a fix for Cisco prime map import

Full release notes here!

The post Ekahau Site Survey 8.5.1 released appeared first on Network Guy.

First you need to configure an IP address:

set IP_ADDR 192.168.1.88
set NETMASK 255.255.255.0
set DEFAULT_ROUTER 192.168.1.1

you can also directly configure the ip address for the OS system:

set IOS_STATIC_IP_ADDR 10.192.224.58
set IOS_STATIC_NETMASK 255.255.255.0
set IOS_STATIC_DEFAULT_GATEWAY 10.192.224.1

prepare the access point for TFTP transfer

tftp_init
ether_init
flash_init

copy the flash image and set the boot file

tar -xtract tftp://192.168.1.1/ap3g2-k9w8-tar.152-4.JB6.tar flash:
set BOOT flash:/ap3g2-k9w8-mx.152-4.JB6/ap3g2-k9w8-xx.152-4.JB6

boot

The post Cisco access point rescue installation appeared first on Network Guy.

– First WLC (let’s call it “Main-WLC”) with 172.16.1.10 (with shared management IP 172.16.1.30)
– Second WLC (let’s call it “HA-WLC”) with 172.16.1.20 (with shared management IP 172.16.1.30)

We powered-off the Main-WLC, the access points and wireless clients didn’t notice a failure/disconnect. I had only one ping loss. If you go the management webinterface you can see the following:

Peer State: UNKNOWN – Communication Down
Unit: Secondary – HA SKU (Inherited AP License Count = 100)
Redundancy State: Not Redundant

As you can see there is also a switchover history log entry with “Active controller failed”. The copied license is now valid for the next 60 days. In this time you need to replace the “broken” WLC. We powered-on the Main-WLC  and the Peer State changed to “STANDBY COLD”, the active device is still the HA-WLC (the secondary one). There is no prefered master configuration. After the Main-WLC has downloaded the configuration from the HA-WLC it restarts again and the Peer State changed to “STANDBY HOT”:

To make the Main-WLC the primary WLC, we made a manuell takeover. Connect via SSH to the management ip address (172.16.1.30 in our case) and type in the following command:

redundancy force-switchover

This will force the Main-WLC to be the active one. There was only one ping loss, everything else works fine! You can see this also in the switchover history table as “user initiated”. The secondary HA-WLC will restart, download the configuration and the license storage from the Main-WLC and will restart again. The perfect state of a Cisco WLC cluster would be this:

Local State: Active
Peer State: STANDBY HOT
Unit: Primary
Redundancy State: SSO (Both AP and Client SSO)

Feel free to share your thoughts and experience in the comments below!

The post Cisco WLC HA failure scenario appeared first on Network Guy.

select “043 Vendor Specific Info”. Now we need to type in an hexadecimal value for this. The value of this option is type, length and value. The type is fixed with value “00 F1”. The length described if there are more than one WLC management IP. “04” means that the next four hex blocks define the IP address. “08” means there are two IP addresses. The last hex codes define the IP address of your management interface address from your Cisco WLC. Let’s make an example:

• 1 WLC with IP 192.168.23.10:
  00 F1 04 C0 A8 17 0A
• 2 WLCs with IP 192.168.23.10 and 192.168.23.20:
  00 F1 08 C0 A8 17 0A C0 A8 17 14

You can convert your IP-Address with my new “IP Address to Hex Converter“. Fill in the type, length and your calculated value in the binary area:

Press OK to save the option and watch at your Cisco WLC webinterface, the access points will join the controller now.

The post Cisco WLC DHCP Option 43 appeared first on Network Guy.