
In this post we will look at a configuration example of a WLAN using the CLI only. To make it comprehensive I will illustrate a Guest WLAN configuration with the Auto Anchoring feature as well. Here is the basic topology.

[Topology diagram: WLAN-CLI6-01]

Here are the conditions for this Guest WLAN.
– All Guest users will get a 192.168.9.0/24 IP from WLC1
– Users should be able to join the network with an email address as the credential
– Guest user traffic should get the lowest QoS priority
– WMM is to be disabled
– Clients with a static IP should not be allowed to join
– Guest users are only able to use 802.11a & 802.11g data rates
– Users should not trigger power changes of the AP

Before configuring this you need to identify the tasks you have to do:

1. QoS profile configuration with the required 802.1p values
2. Configure the interface for vlan9 on WLC1 & map it onto the “guest-9” WLAN.
3. Define the “guest-9” WLAN on WLC2 & WLC3 & assign the management interface (no dynamic interfaces)
4. Configure the Mobility Anchor for the “guest-9” WLAN.

Here is the CLI configuration of each task. For the QoS profile configuration you have to disable the 802.11 radios (both 2.4GHz & 5GHz). It is advisable to configure all 4 QoS profiles even though only the Bronze profile is required here.

(WLC3) >config 802.11b disable network
(WLC3) >config 802.11a disable network
Disabling the 802.11a network may strand mesh APs. Are you sure you want to continue? (y/n)y
(WLC3) >config qos protocol-type platinum dot1p 
(WLC3) >config qos dot1p-tag platinum 6
(WLC3) >config qos protocol-type gold dot1p 
(WLC3) >config qos dot1p-tag gold 5
(WLC3) >config qos protocol-type silver dot1p 
(WLC3) >config qos dot1p-tag silver 3
(WLC3) >config qos protocol-type bronze dot1p 
(WLC3) >config qos dot1p-tag bronze 1
(WLC3) >config 802.11a enable network
(WLC3) >config 802.11b enable network

You need to copy these lines onto both WLC1 & WLC2 as well. Now we will configure the WLC1 dynamic interface for the guest-9 WLAN. Here is the CLI config for this:

(WLC1) >config interface create vlan9 9
(WLC1) >config interface address dynamic-interface vlan9 192.168.9.10 255.255.255.0 192.168.9.1
(WLC1) >config interface dhcp dynamic-interface vlan9 primary 192.168.9.1
(WLC1) >config interface port vlan9 1

You need to ensure CAT2 is configured to provide DHCP addresses & act as the gateway for wireless guest users. Also make sure vlan9 is trunked to WLC1 as well.

ip dhcp excluded-address 192.168.9.1 192.168.9.99
ip dhcp pool VLAN9
   network 192.168.9.0 255.255.255.0
   default-router 192.168.9.1 
interface Vlan9
 ip address 192.168.9.1 255.255.255.0
!
interface GigabitEthernet1/0/1
 description WLC1 Po1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 9-18,23,111,113
 switchport mode trunk
 switchport nonegotiate
 mls qos trust cos
 spanning-tree portfast trunk

Now you can define the “guest-9” WLAN & map the vlan9 interface onto it. Even though we are not using the GUI, you need to remember the General, Security, QoS and Advanced parameters to be modified as per the requirements; the CLI commands below flow in that order. Note that since we do not want to override the interface DHCP server, we will use 0.0.0.0 as the DHCP server address & only make a DHCP address required when configuring that feature.

(WLC1) >config wlan create 9 guest-9 guest-9
(WLC1) >config wlan radio 9 802.11ag
(WLC1) >config wlan interface 9 vlan9 
(WLC1) >config wlan security wpa disable 9
(WLC1) >config wlan security web-passthrough enable 9
(WLC1) >config wlan security web-passthrough email-input enable 9
(WLC1) >config wlan qos 9 bronze
(WLC1) >config wlan wmm disable 9
(WLC1) >config wlan chd 9 disable
(WLC1) >config wlan dhcp_server 9 0.0.0.0 required
(WLC1) >config wlan enable 9

Now you can copy this configuration to WLC2 & WLC3 without the line “config wlan interface 9 vlan9”. By default a newly created WLAN maps to the management interface. Here is the config on WLC3, for example. Do the same on WLC2 as well.

(WLC3) >config wlan create 9 guest-9 guest-9
(WLC3) >config wlan radio 9 802.11ag
(WLC3) >config wlan security wpa disable 9
(WLC3) >config wlan security web-passthrough enable 9
(WLC3) >config wlan security web-passthrough email-input enable 9
(WLC3) >config wlan qos 9 bronze
(WLC3) >config wlan wmm disable 9
(WLC3) >config wlan chd 9 disable
(WLC3) >config wlan dhcp_server 9 0.0.0.0 required
DHCP server override is applicable only to the default AP group.
(WLC3) >config wlan enable 9

The final step of the configuration is creating the Auto Anchor mobility tunnels. First of all you have to configure the mobility group name in each controller & then add members to the mobility list. In this example I have used DMZ, HQ & BR as the mobility group names of WLC1, WLC2 & WLC3. I have also used the multicast group addresses 239.11.11.11, 239.22.22.22 & 239.33.33.33 for local-group mobility communication in WLC1, WLC2 & WLC3, and the multicast group address 239.12.12.12 for WLC1-WLC2 mobility communication & 239.13.13.13 for WLC1-WLC3 mobility communication.

WLC1
config mobility group domain DMZ
config mobility multicast-mode enable 239.11.11.11
config mobility group multicast-address DMZ 239.11.11.11 
config mobility group multicast-address HQ 239.12.12.12 
config mobility group multicast-address BR 239.13.13.13  
config mobility group member add 00:0b:85:40:a1:c0 10.10.112.10 HQ 
config mobility group member add 00:1b:d5:cf:e6:00 10.10.120.140 BR 

WLC2
config mobility group domain HQ
config mobility multicast-mode enable 239.22.22.22 
config mobility group multicast-address HQ 239.22.22.22 
config mobility group multicast-address DMZ 239.12.12.12 
config mobility group member add 00:0b:85:43:d8:60 10.10.111.10 DMZ

WLC3 
config mobility group domain BR 
config mobility multicast-mode enable 239.33.33.33 
config mobility group multicast-address BR 239.33.33.33 
config mobility group multicast-address DMZ 239.13.13.13
config mobility group member add 00:0b:85:43:d8:60 10.10.111.10 DMZ 

Once you configure the mobility config as above you should see the mobility status Up between each controller. Here is the output of WLC1.

(WLC1) >show mobility summary 
Symmetric Mobility Tunneling (current) .......... Enabled
Symmetric Mobility Tunneling (after reboot) ..... Enabled
Mobility Protocol Port........................... 16666
Default Mobility Domain.......................... DMZ
Multicast Mode .................................. Enabled
Mobility Domain ID for 802.11r................... 0x43cd
Mobility Keepalive Interval...................... 10
Mobility Keepalive Count......................... 3
Mobility Group Members Configured................ 3
Mobility Control Message DSCP Value.............. 0

Controllers configured in the Mobility Group
 MAC Address        IP Address       Group Name                        Multicast IP     Status
 00:0b:85:40:a1:c0  10.10.112.10     HQ                                239.12.12.12     Up
 00:0b:85:43:d8:60  10.10.111.10     DMZ                               239.11.11.11     Up
 00:1b:d5:cf:e6:00  10.10.120.140    BR                                239.13.13.13     Up

Now you can configure “Auto Anchor mobility” for the guest-9 WLAN as follows. You have to disable the WLAN prior to configuring the mobility anchor feature. On the anchor controller (WLC1) you have to anchor it to itself & on WLC2 & WLC3 it has to be anchored to the WLC1 IP.

(WLC1) >config wlan disable 9
(WLC1) >config wlan mobility anchor ?                 
add            Add/Change a Mobility anchor to a WLAN.
delete         Delete a Mobility anchor from a WLAN.

(WLC1) >config wlan mobility anchor add ?              
<WLAN Id>      WLAN identifier between 1 and 512.

(WLC1) >config wlan mobility anchor add 9 ?               
<IP addr>      Member switch IP address to anchor WLAN

(WLC1) >config wlan mobility anchor add 9 10.10.111.10
(WLC1) >config wlan enable 9

(WLC2) >config wlan disable 9
(WLC2) >config wlan mobility anchor add 9 10.10.111.10
(WLC2) >config wlan enable 9

(WLC3) >config wlan disable 9
(WLC3) >config wlan mobility anchor add 9 10.10.111.10
(WLC3) >config wlan enable 9

You can test the wireless guest service in each controller. Let’s check the branch end first. You can either disable the guest-9 WLAN on WLC2 or shut down the switchport LAP2 is connected to. Ensure LAP1 is registered to WLC3.

(WLC3) >show ap summary 
Number of APs.................................... 1
Global AP User Name.............................. Not Configured
Global AP Dot1x User Name........................ Not Configured

AP Name             Slots  AP Model              Ethernet MAC       Location          Port  Country  Priority
------------------  -----  --------------------  -----------------  ----------------  ----  -------  ------
LAP1                 2     AIR-CAP3502I-N-K9     cc:ef:48:8c:fd:41          CAT4-F03  1        AU       1

Once you connect to this WLAN & open up a browser page, it should prompt you to enter your email address. Once login is successful you should be able to see the client detail on your anchor controller (WLC1).

(WLC1) >show client summary 
Number of Clients................................ 1
MAC Address       AP Name           Status        WLAN/GLAN      Auth Protocol         Port Wired
----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
04:f7:e4:ea:5b:66 10.10.120.140     Associated    9              Yes  Mobile           1    No

(WLC1) >show client detail 04:f7:e4:ea:5b:66
Client MAC Address............................... 04:f7:e4:ea:5b:66
Client Username ................................. mrncciew@gmail.com
AP MAC Address................................... 00:00:00:00:00:00
AP Name.......................................... N/A               
Client State..................................... Associated     
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 9  
BSSID............................................ 00:00:00:00:00:ff  
Connected For ................................... 102 secs
Channel.......................................... N/A
IP Address....................................... 192.168.9.103
Association Id................................... 0  
Authentication Algorithm......................... Open System
Reason Code...................................... 1  
Status Code...................................... 0  
Session Timeout.................................. 0  
Client CCX version............................... No CCX support
Mirroring........................................ Disabled
QoS Level........................................ Bronze
802.1P Priority Tag.............................. 1
WMM Support...................................... Disabled
Supported Rates.................................. 
Mobility State................................... Export Anchor
Mobility Foreign IP Address...................... 10.10.120.140
Mobility Move Count.............................. 1
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
ACL Name......................................... none
ACL Applied Status............................... Unavailable
NPU Fast Fast Notified........................... Yes
Policy Type...................................... N/A
Encryption Cipher................................ None
Management Frame Protection...................... No
EAP Type......................................... Unknown
Interface........................................ vlan9
VLAN............................................. 9

Once you enable LAP2 (and disable guest-9 on WLC3) you should be able to check it at the HQ end.

(WLC3) >config wlan disable 9
!
(WLC2) >show ap summary 
Number of APs.................................... 1
Global AP User Name.............................. Not Configured
Global AP Dot1x User Name........................ Not Configured
AP Name             Slots  AP Model              Ethernet MAC       Location          Port  Country  Priority
------------------  -----  --------------------  -----------------  ----------------  ----  -------  ------
LAP2                 2     AIR-CAP3502I-N-K9     70:81:05:03:7c:ef        CAT2-Fa102  LAG      AU       1
!
(WLC1) >show client summary 
Number of Clients................................ 1
MAC Address       AP Name           Status        WLAN/GLAN      Auth Protocol         Port Wired
----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
04:f7:e4:ea:5b:66 10.10.112.10      Associated    9              Yes  Mobile           1    No

(WLC1) >show client detail 04:f7:e4:ea:5b:66
Client MAC Address............................... 04:f7:e4:ea:5b:66
Client Username ................................. rasika.nayanajith@yahoo.com
AP MAC Address................................... 00:00:00:00:00:00
AP Name.......................................... N/A               
Client State..................................... Associated     
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 9  
BSSID............................................ 00:00:00:00:00:ff  
Connected For ................................... 62 secs
Channel.......................................... N/A
IP Address....................................... 192.168.9.103
Association Id................................... 0  
Authentication Algorithm......................... Open System
Reason Code...................................... 1  
Status Code...................................... 0  
Session Timeout.................................. 0  
Client CCX version............................... No CCX support
Mirroring........................................ Disabled
QoS Level........................................ Bronze
802.1P Priority Tag.............................. 1
WMM Support...................................... Disabled
Supported Rates.................................. 
Mobility State................................... Export Anchor
Mobility Foreign IP Address...................... 10.10.112.10
Mobility Move Count.............................. 1
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
ACL Name......................................... none
ACL Applied Status............................... Unavailable
NPU Fast Fast Notified........................... Yes
Policy Type...................................... N/A
Encryption Cipher................................ None
Management Frame Protection...................... No
EAP Type......................................... Unknown
Interface........................................ vlan9
VLAN............................................. 9
Quarantine VLAN.................................. 0
Access VLAN...................................... 9

If you run “debug mobility handoff enable” on WLC1 you can verify the client state changes & the mobility communication between the foreign & anchor controllers.

(WLC1) >debug mobility handoff enable 
(WLC1) >*mmListen: May 19 09:27:07.097: 00:22:fa:94:68:58 Mobility packet received from:
*mmListen: May 19 09:27:07.097: 00:22:fa:94:68:58   10.10.120.140, port 16666
*mmListen: May 19 09:27:07.097: 00:22:fa:94:68:58   type: 3(MobileAnnounce)  subtype: 0  version: 1  xid: 20  seq: 2167  len 116 flags 0
*mmListen: May 19 09:27:07.097: 00:22:fa:94:68:58   group id: d8475d5f c64367e3 4d21c8d6 ef580f61
*mmListen: May 19 09:27:07.097: 00:22:fa:94:68:58   mobile MAC: 00:22:fa:94:68:58, IP: 0.0.0.0, instance: 0
*mmListen: May 19 09:27:07.097: 00:22:fa:94:68:58   VLAN IP: 10.10.120.140, netmask: 255.255.255.192
*mmListen: May 19 09:27:07.097: Switch IP: 10.10.120.140 
*mmListen: May 19 09:27:07.098: Vlan List payload not found, ignoring ...
*mmListen: May 19 09:27:07.098: IP Address don't compare for client 00:22:fa:94:68:58 is 0
*mmListen: May 19 09:27:07.098: 00:22:fa:94:68:58 Ignoring Announce, client record for not found
*mmListen: May 19 09:27:08.097: 00:22:fa:94:68:58 Mobility packet received from:
*mmListen: May 19 09:27:08.097: 00:22:fa:94:68:58   10.10.120.140, port 16666
*mmListen: May 19 09:27:08.097: 00:22:fa:94:68:58   type: 16(MobileAnchorExport)  subtype: 0  version: 1  xid: 21  seq: 2168  len 241 flags 0
*mmListen: May 19 09:27:08.097: 00:22:fa:94:68:58   group id: d8475d5f c64367e3 4d21c8d6 ef580f61
*mmListen: May 19 09:27:08.097: 00:22:fa:94:68:58   mobile MAC: 00:22:fa:94:68:58, IP: 0.0.0.0, instance: 0
*mmListen: May 19 09:27:08.097: 00:22:fa:94:68:58   VLAN IP: 10.10.120.140, netmask: 255.255.255.192
*mmListen: May 19 09:27:08.097: Switch IP: 10.10.120.140 
*mmListen: May 19 09:27:08.097: 00:22:fa:94:68:58 Received Anchor Export request: from Switch IP: 10.10.120.140
*mmListen: May 19 09:27:08.097: 00:22:fa:94:68:58 mmAnchorExportRcv:, Mobility role is Unassoc
*mmListen: May 19 09:27:08.097: 00:22:fa:94:68:58 mmAnchorExportRcv  Ssid=guest-9 Security Policy=0x3040
*mmListen: May 19 09:27:08.097: 00:22:fa:94:68:58 mmAnchorExportRcv  vapId= 9, Ssid=guest-9 AnchorLocal=0x0
*mmListen: May 19 09:27:08.097: 00:22:fa:94:68:58 0.0.0.0 START (0) mobility role update request from Unassociated to Export Anchor
  Peer = 0.0.0.0, Old Anchor = 0.0.0.0, New Anchor = 10.10.111.10
*mmListen: May 19 09:27:08.098: 00:22:fa:94:68:58 Received Anchor Export policy update, valid mask 0x0:
  Qos Level: 3, DSCP: 0, dot1p: 1  Interface Name: , ACL Name: 
*mmListen: May 19 09:27:08.098: Anchor Mac : 00.0b.85.43.d8.60
*mmListen: May 19 09:27:08.098: 00:22:fa:94:68:58 Mobility packet sent to:
*mmListen: May 19 09:27:08.098: 00:22:fa:94:68:58   10.10.120.140, port 16666
*mmListen: May 19 09:27:08.098: 00:22:fa:94:68:58   type: 17(MobileAnchorExportAck)  subtype: 0  version: 1  xid: 21  seq: 571  len 275 flags 0
*mmListen: May 19 09:27:08.098: 00:22:fa:94:68:58   group id: fe2f34f3 9b7a7cea 68f48181 316db999
*mmListen: May 19 09:27:08.098: 00:22:fa:94:68:58   mobile MAC: 00:22:fa:94:68:58, IP: 0.0.0.0, instance: 1
*mmListen: May 19 09:27:08.098: 00:22:fa:94:68:58   VLAN IP: 192.168.9.10, netmask: 255.255.255.0
*mmListen: May 19 09:27:08.098: 00:22:fa:94:68:58 0.0.0.0 DHCP_REQD (7) Plumbing duplex mobility tunnel to 10.10.120.140
    as Export Anchor (VLAN 9)
*DHCP Proxy DTL Recv Task: May 19 09:27:16.084: 00:22:fa:94:68:58 192.168.9.100 WEBAUTH_REQD (8) Plumbing duplex mobility tunnel to 10.10.120.140
    as Export Anchor (VLAN 9)
*emWeb: May 19 09:27:39.269: 00:22:fa:94:68:58 192.168.9.100 RUN (20) Plumbing duplex mobility tunnel to 10.10.120.140
    as Export Anchor (VLAN 9)

Finally you can configure foreign mapping for this WLAN, so that clients are allocated a 192.168.9.x/24 address when connecting from the Branch & a 192.168.8.x/24 address when connecting via Headquarters.

So we will create the vlan8 interface on WLC1 & allow this VLAN on the CAT2 g1/0/1 trunk where WLC1 is connected.

(WLC1) >config interface create vlan8 8
(WLC1) >config interface address dynamic-interface vlan8 192.168.8.10 255.255.255.0 192.168.8.1
(WLC1) >config interface dhcp dynamic-interface vlan8 primary 192.168.8.1
(WLC1) >config interface port vlan8 1
!
CAT2(config)#vlan 8
CAT2(config-vlan)#exit
CAT2(config)#int vlan 8
CAT2(config-if)#ip add 192.168.8.1 255.255.255.0
CAT2(config-if)#int g1/0/1
CAT2(config-if)#sw tr al vl add 8
CAT2(config)#ip dhcp excluded-address 192.168.8.1 192.168.8.100
CAT2(config)#ip dhcp pool VLAN8
CAT2(dhcp-config)#default-router 192.168.8.1
CAT2(dhcp-config)#netw 192.168.8.0 /24
CAT2(dhcp-config)# domain-name mrn.com
CAT2(dhcp-config)# dns-server 192.168.200.1

Now on WLC1 you can configure foreign mapping for the guest-9 WLAN using the foreign controller MAC address as shown below. Guest traffic arriving via WLC3 (00:1b:d5:cf:e6:00) will get an IP from 192.168.8.0/24 & traffic arriving via WLC2 (00:0b:85:40:a1:c0) will get an IP from the 192.168.9.0/24 range.

(WLC1) >config wlan disable 9
(WLC1) >config wlan mobility foreign-map add 9 00:1b:d5:cf:e6:00 vlan8
(WLC1) >config wlan mobility foreign-map add 9 00:0b:85:40:a1:c0 vlan9
(WLC1) >config wlan enable 9

Here is the verification when a guest user connects via WLC2.

(WLC1) >show client detail 04:f7:e4:ea:5b:66
Client MAC Address............................... 04:f7:e4:ea:5b:66
Client Username ................................. mrncciew@gmail.com
AP MAC Address................................... 00:00:00:00:00:00
AP Name.......................................... N/A               
Client State..................................... Associated     
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 9  
BSSID............................................ 00:00:00:00:00:ff  
Connected For ................................... 56 secs
Channel.......................................... N/A
IP Address....................................... 192.168.9.103
Association Id................................... 0  
Authentication Algorithm......................... Open System
Reason Code...................................... 1  
Status Code...................................... 0  
Session Timeout.................................. 0  
Client CCX version............................... No CCX support
Mirroring........................................ Disabled
QoS Level........................................ Bronze
802.1P Priority Tag.............................. 1
WMM Support...................................... Disabled
Supported Rates.................................. 
Mobility State................................... Export Anchor
Mobility Foreign IP Address...................... 10.10.112.10

Here is the same output when the guest user connects via WLC3. You can see the client gets a 192.168.8.x/24 IP this time.

(WLC1) >show client detail 04:f7:e4:ea:5b:66
Client MAC Address............................... 04:f7:e4:ea:5b:66
Client Username ................................. mrncciew@gmail.com
AP MAC Address................................... 00:00:00:00:00:00
AP Name.......................................... N/A               
Client State..................................... Associated     
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 9  
BSSID............................................ 00:00:00:00:00:ff  
Connected For ................................... 40 secs
Channel.......................................... N/A
IP Address....................................... 192.168.8.101
Association Id................................... 0  
Authentication Algorithm......................... Open System
Reason Code...................................... 1  
Status Code...................................... 0  
Session Timeout.................................. 0  
Client CCX version............................... No CCX support
Mirroring........................................ Disabled
QoS Level........................................ Bronze
802.1P Priority Tag.............................. 1
WMM Support...................................... Disabled
Supported Rates.................................. 
Mobility State................................... Export Anchor
Mobility Foreign IP Address...................... 10.10.120.140
Mobility Move Count.............................. 1
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
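As an added example (not part of the original post), here is a Python check that parses “show client detail” output and verifies an anchored guest client against the requirements and the foreign map configured above: Bronze QoS with 802.1p tag 1, WMM disabled, Export Anchor state, and an IP from the subnet that the foreign controller's mapping should give it. The mobility member MACs, the foreign map and the subnets are the values used in this post; the sample output is constructed from the fields of interest.

```python
import ipaddress
import re

# Values taken from this post's configuration. Mobility members on WLC1 (IP -> MAC).
MOBILITY_MEMBERS = {
    "10.10.112.10": "00:0b:85:40:a1:c0",   # WLC2, mobility group HQ
    "10.10.120.140": "00:1b:d5:cf:e6:00",  # WLC3, mobility group BR
}
# guest-9 foreign map (foreign WLC MAC -> anchor interface) and the interface subnets.
FOREIGN_MAP = {"00:1b:d5:cf:e6:00": "vlan8", "00:0b:85:40:a1:c0": "vlan9"}
INTERFACE_SUBNETS = {"vlan8": ipaddress.ip_network("192.168.8.0/24"),
                     "vlan9": ipaddress.ip_network("192.168.9.0/24")}
# Policy the guest WLAN requirements demand on every anchored client.
EXPECTED = {"Wireless LAN Id": "9", "QoS Level": "Bronze", "802.1P Priority Tag": "1",
            "WMM Support": "Disabled", "Mobility State": "Export Anchor"}
# "Key........ value" lines; requiring two or more leader dots keeps a key such as
# "802.1P Priority Tag" from being split at its own dot.
FIELD_RE = re.compile(r"^(?P<key>.+?)\s*\.{2,}\s*(?P<value>.*?)\s*$")

def parse_client_detail(text):
    """Turn 'show client detail' output into a dict of field -> value."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group("key").strip()] = m.group("value")
    return fields

def check_guest_client(text):
    """Return a list of findings; an empty list means the client matches the guest policy."""
    fields = parse_client_detail(text)
    findings = [f"{k}: expected {v!r}, got {fields.get(k)!r}"
                for k, v in EXPECTED.items() if fields.get(k) != v]
    # The foreign WLC is reported by IP, but the foreign map is keyed by its MAC.
    foreign_mac = MOBILITY_MEMBERS.get(fields.get("Mobility Foreign IP Address", ""))
    if foreign_mac is None:
        findings.append("foreign controller is not a configured mobility member")
        return findings
    want_if = FOREIGN_MAP[foreign_mac]
    if "Interface" in fields and fields["Interface"] != want_if:
        findings.append(f"Interface: expected {want_if}, got {fields['Interface']}")
    try:
        ip = ipaddress.ip_address(fields.get("IP Address", ""))
    except ValueError:
        findings.append("client has no valid IP address yet (still in DHCP_REQD?)")
        return findings
    if ip not in INTERFACE_SUBNETS[want_if]:
        findings.append(f"IP {ip} is outside {INTERFACE_SUBNETS[want_if]} expected for {want_if}")
    return findings

# Constructed sample: the relevant fields from a client that joined via WLC3 (BR).
SAMPLE_VIA_WLC3 = """\
Client MAC Address............................... 04:f7:e4:ea:5b:66
Wireless LAN Id.................................. 9
IP Address....................................... 192.168.8.101
QoS Level........................................ Bronze
802.1P Priority Tag.............................. 1
WMM Support...................................... Disabled
Mobility State................................... Export Anchor
Mobility Foreign IP Address...................... 10.10.120.140
"""

if __name__ == "__main__":
    print(check_guest_client(SAMPLE_VIA_WLC3) or "compliant")
```

Run it against a pasted “show client detail” capture to spot a client that landed on the wrong interface, kept WMM, or got a higher QoS level than the guest policy allows.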

That’s all for the wireless guest WLAN configuration tasks via CLI. If you understand & remember the steps, you are pretty safe even if your WLC GUI is very slow during the exam.

We will see a wired guest wlan configuration via CLI in a future post.
