Sunday, February 6, 2011

WLC 2100 Interfaces and Ports

It might surprise some of you but you can't use the WLC 2106, 2112 and 2125 like a switch.You can only connect Lightweight Access Points to the ports of the WLC 2100 Series, some APs can be powered by the PoE ports while the others need a power supply or a power injector.

Since the WLC 2100 does not support Link Aggregation (LAG) each interface must be associated to a physical port. The best way to support APs directly connected to the WLC is to assign both management and ap-manager interface to port 1. You can still configure different VLANs for the management and ap-manager interface, the directly attached APs will find both interfaces and join the controller.
It is important to be very patient and give the APs enough time to discover and join the controller.

The WLC 2100 ports support Auto-MDIX so you can use straight as well as cross-over cables to connect the APs to the controller. In the screenshots below you can see a WLC 2106 with both ap-manager and management interface assigned to port 1 but configured on different VLANs. Two APs are directly connected to the PoE ports of the WLC, one using a straight cable and one using a cross-over cable. A third AP joined the controller from a switch connected to the WLC.

Note: Whereas it is possible to connect the APs directly to the controller, I would recommend to connect the APs to a switch. This will allow you to get trained on many IOS commands that are required during the lab and are not configurable on the controller ports.

1.15. Network and Management Services SNMP

SNMP uses UDP port 161 for polling and UDP port 162 for unsolicited notifications or TRAPs. To test SNMP, I recommend to use Net-SNMP which provides both ability to poll out data and receive TRAPs and notifications. If you want to test SNMPv3 make sure you download the SSL version of Net-SNMP. The executables will be installed on c:\usr\bin and the snmpget.exe command will allow you to poll data from the device with:

snmpget -v 2c -c <community_name> <device_ip_or_name> system.sysUpTime.0
snmpget -v 3 -u <username> -a MD5 -A <password> -l authNoPriv <device_ip_or_name>

For the trap receiver you will have to install ActivePerl and make sure that it is added to your path so that you can run the snmpconf.bat script in c:\usr\bin and create the snmptrapd.conf file which has to be moved to c:\usr\etc\snmp. This will allow the snmptrapd deamon to start and collect the traps in c:\usr\log.

IOS Switches and APs

SNMP v1 v2c
snmp-server contact <contact_name>
snmp-server location <device_location>
snmp-server chassis_id <chassis_id>
snmp-server community <read_community_name> ro <access_list_number>
snmp-server community <write_community_name> rw <access_list_number>
snmp-server host <receiver_ip_address> traps version <snmp_version> <community_name> <trap_element>
snmp-server enable traps <trap_element>
snmp-server trap-source <interface>
show snmp debug snmp packets

snmp-server engineID local <id>
snmp-server group <group_name> v3 auth/noauth/priv
snmp-server user <username> <group_name> v3 auth md5 <password>
snmp-server host <receiver_ip_address> traps version 3 auth/noauth/priv
snmp-server enable traps <trap_element>


As usual, if you have multiple controllers and you want to be  faster, use the WCS templates. This is also the easiest way to test the SNMP configuration on the WLC.
The commands on the controller CLI are very simple and the controller can also associate an network address and mask to a community to allow only a specific network to access via SNMP. This setting is optional and if you leave the default network and mask any host will be allowed to connect.

SNMP v1 v2c
config snmp syscontact <contact_name>
config snmp syslocation <location_name>
config snmp version <snmp_version> enable/disable
config snmp community create <name>
config snmp community accessmode ro/rw <community_name>
config snmp community mode enable <name>
config snmp community ipaddr <network_address> <subnet_mask> <community_name>
config snmp trapreceiver create <receiver_name> <receiver_ip_address>
config snmp trapreceiver mode enable <receiver_name>
config trapflags <trap_element> enable/disable

config snmp v3user create ro/rw <hashmode> <cryptomode> <userpasswd> <cryptokey>

Security best practices recommend to disable the SNMP v1 and v2 communities for for both read and write access and to enable instead SNMPv3 which encrypts and authenticates SNMP messages.
When you change the SNMP configuration on a WLC don't forget to reboot it in order to make the changes effective.

Sunday, October 31, 2010

Autonomous Wireless Bridge

Apologize for not having updated my blog in the last months but the study is taking more time than I expected.

Here are two new videos about how to configure a wireless bridge using autonomous APs.

Tuesday, August 31, 2010

1.15. Network and Management Services DHCP

You can configure a DHCP server for wireless clients or for the APs but you should keep in mind a couple of considerations. The DHCP server of the WLC does not provide the option 43 and it is not developed to scale for large numbers of clients and you might be asked to configure the DHCP Server on a Microsoft Server with option 43 and 60 so you should also get some practice on this task.


The following commands are used to configure a DHCP pool and the most common features on an IOS device:

ip dhcp excluded-address <start_ip_address> <end_ip_address>
ip dhcp pool <pool_name>
network <network> <subnet_mask>
default-router <defaultgw_ip_address>
dns-server <dns_ip_address>
lease <days>/infinite
option <0-254> ascii/hex/ip
show ip dhcp pool
show ip dhcp binding

Remember that in order to answer the DHCP requests the IOS device must have a SVI interface on the VLAN of the pool. For this reason a Cisco Aironet Access Point can only have one DHCP pool! Remember that an access point is just a bridge. When you set up VLANS, in essence you are just configuring multiple bridge groups. On an IOS-base router, multiple pools can be supported because the

DHCP discovery packet arrives thru an interface that has an IP address assigned to it. IOS uses that interface IP address to decide which of multiple pools to assign from and on an AP there can be at most one IP address assigned - to the BVI1 interface - and that is for management access.

With multiple VLANs configured on the AP, the only DHCP packets that will directly reach the AP from wireless clients will be those that are on SSIDs that are mapped to the native VLAN (the one that BVI1 is in.) DHCP requests from clients that are in SSIDs bridged to other VLANs will
simply sail through the AP and out the dot1q trunk interface, without the AP's DHCP server seeing them. That said, it is possible for the non-native VLANs' default routers to use ip helper-address to forward the DHCP requests back to the AP - in this way, you *could* have an AP service multiple DHCP pools but it  makes more sense to use your interVLAN router(s) as DHCP server(s), than to use your AP for this.

We need to clarify the use of the option keyword when used to provide the WLC management IP addresses to Cisco lightweight APs. You must configure two DHCP options, the 43 and the 60.
Option 43 is sent back by the DHCP server to the DHCP client and contains the WLC management IP address in hex format.
Option 60 is included in the initial DHCP discover message that a DHCP client broadcasts in search of an IP address and it is used to understand from which type of APs the request is coming.
For the option 43 we have to convert the IP address into hex using the following Type Length Value TLV format:

Type in this case is always equal to 0xf1.
Length is the number of controller management IP addresses time 4 in hex.
Value is the IP address of the controller listed sequentially in hex.

For example, suppose there are two controllers with management interface IP addresses, and The type is 0xf1. The length is 2 * 4 = 8 = 0x08. The IP addresses translate to c0a80a05 ( and c0a80a14 ( When the string is assembled, it yields f108c0a80a05c0a80a14. The Cisco IOS command that is added to the DHCP scope would be:
option 43 hexf108c0a80a05c0a80a14

The option 60 must be configured using the command:
option 60 ascii "<VCI string of the AP>"
where the VCI string depends from the AP type and can be found in the VCI Cisco AP table. You will have to configure a different DHCP Pool for each AP type. It is also possible to configure a DHCP pool only with option 43 but this it is not a recommended best practice because all the devices including laptops will receive this information.


As with other features if you want to be faster you should configure the DHCP pools on the WLC via WCS templates. Here are the commands for the WLC CLI:

config dhcp create-scope <pool_name>
config dhcp network 
<pool_name> <network_address> _mask>
config dhcp address-pool <pool_name> <start_ip_address> <end_ip_address>
config dhcp default-router <pool_name> <defaultgw_ip_address>
config dhcp dns-servers <pool_name> <dns_ip_address>
config dhcp lease <pool_name>
config dhcp enable/disable <pool_name>
show dhcp summary
show dhcp detailed <pool_name>

Microsoft Windows Server

Here is how to configure the DHCP service on a Windows server with option 43 and option 60.

Monday, August 30, 2010

1.15. Network and Management Services SYSLOG

Syslog uses UDP port 514 to allow network devices to send their console messages, warning and alerts to an external server. This allows messages from different devices to be available at every time on a centralized location even if the device has rebooted and it  is very useful for troubleshooting.

There are eight different logging levels.

The default level for console, monitor, and syslog is debugging. By default, the router logs anything at the level of debugging and greater. That means that logging occurs from level 7 (debugging) up to level 0 (emergencies). Let's have a look at a basic Syslog configuration.


logging host <syslog_ip_address>
logging trap <0-7>
show logging


As for many other configuration features, the fastest way to configure the syslog server on mulitple WLCs is to use the WCS template. Of course you can also configure a syslog server for the WLC as well as for all the APs with global mode or for a specific AP using the following CLI commands:

config logging syslog host <syslog_ip_address>
show logging 

config ap syslog host global <syslog_ip_address>
show ap config global

config ap syslog host specific <ap_name> <syslog_ip_address>
show ap config general <ap-name>


WCS does not have any kind of syslog configuration, instead it saves the logs internally. They can be reached via the menu Administration -> Logging.


The location appliance system messages and events will be collected by the associated WCS.