In this post we will see how to configure a Cisco3850 switch for basic wireless connectivity. This is part of Converged Access product platform & you should have some familiarity with new architecture (which will not discussed in this post). Here ae the few key points you need to remember when using 3850 as WLC.
1. You have to attach your access points directly to your 3850 switches (yes, every wiring closet you should have this in order to all building AP to be connect to this new environment)
2. Wireless management vlan & AP management vlan should be identical. If you configure vlan 21 as wireless management in 3850 switch all your APs connected to this switch should be on access vlan 21.
3. You need to have Mobility Controller (MC) functionality in your network (MC functionality can be in the same 3850 switch, another 3850 switch or 5508/5760 centralized controller). By default, when you enable wireless management, switch will act as Mobility Agent (MA) & not able to register an AP without a MC since license are reside on MC.
4.“ipbase” or “ipservices” feature set to be there for MC functionality.”lanbase” cannot be used for MC functionality switch stack.
5. Given 3850 switch stack can support maximum 50 APs.
In my lab setup I have two 3850 switches stacked together. Before getting started, we will ensure we will have latest software code on this switch. At the time of this write up, IOS-XE 3.2.3SE is the latest code available for this 3850 platform. You can refer 3850 IOS-XE 3.2.x SE release note for more details of the features/restrictions/etc.
Let’s copy this new image to flash of our 3850.
3850-1#copy tftp://192.168.20.51/firmware/cat3k_caa-universalk9.SPA.03.02.03.SE.150-1.EX3.bin flash: Destination filename [cat3k_caa-universalk9.SPA.03.02.03.SE.150-1.EX3.bin]? Accessing tftp://192.168.20.51/firmware/cat3k_caa-universalk9.SPA.03.02.03.SE.150-1.EX3.bin... Loading firmware/cat3k_caa-universalk9.SPA.03.02.03.SE.150-1.EX3.bin from 192.168.20.51 (via Vlan999): !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!! [OK - 223743040 bytes]
There are two modes called “INSTALL” & “BUNDLE” available in these new switches. If you want to boot in “INSTALL” mode you have to copy the image onto flash first. In “BUNDLE” mode, you can still keep the image on TFTP & boot from there if required. But in BUNDLE mode switch require more memory to do this function & preferred method is do it via “INSTALL” mode.
You can use “software install file <file_location> ” command to install new software onto your switch. At the end it will prompt to reload the switch as shown below.
3850-1#software install file flash:cat3k_caa-universalk9.SPA.03.02.03.SE.150-1.EX3.bin Preparing install operation ... : Copying software from active switch 1 to switch 2 : Finished copying software to switch 2 [1 2]: Starting install operation [1 2]: Expanding bundle flash:cat3k_caa-universalk9.SPA.03.02.03.SE.150-1.EX3.bin [1 2]: Copying package files [1 2]: Package files copied [1 2]: Finished expanding bundle flash:cat3k_caa-universalk9.SPA.03.02.03.SE.150-1.EX3.bin [1 2]: Verifying and copying expanded package files to flash: [1 2]: Verified and copied expanded package files to flash: [1 2]: Starting compatibility checks [1 2]: Finished compatibility checks [1 2]: Starting application pre-installation processing [1 2]: Finished application pre-installation processing : Old files list: Removed cat3k_caa-base.SPA.03.02.02.SE.pkg Removed cat3k_caa-drivers.SPA.03.02.02.SE.pkg Removed cat3k_caa-infra.SPA.03.02.02.SE.pkg Removed cat3k_caa-iosd-universalk9.SPA.150-1.EX2.pkg Removed cat3k_caa-platform.SPA.03.02.02.SE.pkg Removed cat3k_caa-wcm.SPA.10.0.111.0.pkg : Old files list: Removed cat3k_caa-base.SPA.03.02.02.SE.pkg Removed cat3k_caa-drivers.SPA.03.02.02.SE.pkg Removed cat3k_caa-infra.SPA.03.02.02.SE.pkg Removed cat3k_caa-iosd-universalk9.SPA.150-1.EX2.pkg Removed cat3k_caa-platform.SPA.03.02.02.SE.pkg Removed cat3k_caa-wcm.SPA.10.0.111.0.pkg : New files list: Added cat3k_caa-base.SPA.03.02.03.SE.pkg Added cat3k_caa-drivers.SPA.03.02.03.SE.pkg Added cat3k_caa-infra.SPA.03.02.03.SE.pkg Added cat3k_caa-iosd-universalk9.SPA.150-1.EX3.pkg Added cat3k_caa-platform.SPA.03.02.03.SE.pkg Added cat3k_caa-wcm.SPA.10.0.120.0.pkg : New files list: Added cat3k_caa-base.SPA.03.02.03.SE.pkg Added cat3k_caa-drivers.SPA.03.02.03.SE.pkg Added cat3k_caa-infra.SPA.03.02.03.SE.pkg Added cat3k_caa-iosd-universalk9.SPA.150-1.EX3.pkg Added cat3k_caa-platform.SPA.03.02.03.SE.pkg Added cat3k_caa-wcm.SPA.10.0.120.0.pkg [1 2]: Creating pending provisioning file [1 2]: Finished installing software. New software will load on reboot. [1 2]: Committing provisioning file [1 2]: Do you want to proceed with reload? [yes/no]: yes : Reloading : Pausing before reload
Now if you look at your contents of your flash directory you will see multiple .pkg files .conf files. Depending on the image came with your switch & how many time you upgraded the switch, there could be multiple versions of the .conf files & .pkg files. You can clean this directory using “software clean” command which will result deleting all unwanted file from your directory. In this way you will only keep 3.2.3SE related files on your flash.
3850-1#dir Directory of flash:/ 85193 -rw- 2097152 Sep 28 2013 14:28:26 +10:00 nvram_config 85187 -rw- 74410468 Jan 1 1970 11:01:11 +11:00 cat3k_caa-base.SPA.03.02.00SE.pkg 85188 -rw- 2773680 Jan 1 1970 11:01:12 +11:00 cat3k_caa-drivers.SPA.03.02.00.SE.pkg 85189 -rw- 32478044 Jan 1 1970 11:01:12 +11:00 cat3k_caa-infra.SPA.03.02.00SE.pkg 85190 -rw- 30393116 Jan 1 1970 11:01:12 +11:00 cat3k_caa-iosd-universalk9.SPA.150-1.EX.pkg 85191 -rw- 18313952 Jan 1 1970 11:01:12 +11:00 cat3k_caa-platform.SPA.03.02.00.SE.pkg 85192 -rw- 63402700 Jan 1 1970 11:01:12 +11:00 cat3k_caa-wcm.SPA.10.0.100.0.pkg 85199 -rw- 1224 Sep 28 2013 14:19:19 +10:00 packages.conf 85196 -rw- 8916 Sep 26 2013 15:59:58 +10:00 vlan.dat 85195 -rw- 114 Jun 6 2013 08:31:45 +10:00 express_setup.debug 85194 -rw- 1224 Sep 25 2013 02:20:20 +10:00 packages.conf.00- 7750 -rw- 74369252 Sep 25 2013 02:20:16 +10:00 cat3k_caa-base.SPA.03.02.02.SE.pkg 7751 -rw- 5808828 Sep 25 2013 02:20:16 +10:00 cat3k_caa-drivers.SPA.03.02.02.SE.pkg 7752 -rw- 32488292 Sep 25 2013 02:20:16 +10:00 cat3k_caa-infra.SPA.03.02.02.SE.pkg 7753 -rw- 30403764 Sep 25 2013 02:20:16 +10:00 cat3k_caa-iosd-universalk9.SPA.150-1.EX2.pkg 7754 -rw- 16079584 Sep 25 2013 02:20:16 +10:00 cat3k_caa-platform.SPA.03.02.02.SE.pkg 7755 -rw- 64580300 Sep 25 2013 02:20:17 +10:00 cat3k_caa-wcm.SPA.10.0.111.0.pkg 85186 -rw- 223743040 Sep 28 2013 13:30:24 +10:00 cat3k_caa-universalk9.SPA.03.02.03.SE.150-1.EX3.bin 85198 -rw- 1218 Jan 1 1970 11:01:22 +11:00 packages.conf.01- 30979 -rw- 74369716 Sep 28 2013 14:19:15 +10:00 cat3k_caa-base.SPA.03.02.03.SE.pkg 30980 -rw- 5808828 Sep 28 2013 14:19:15 +10:00 cat3k_caa-drivers.SPA.03.02.03.SE.pkg 30981 -rw- 32496484 Sep 28 2013 14:19:15 +10:00 cat3k_caa-infra.SPA.03.02.03.SE.pkg 30982 -rw- 30418104 Sep 28 2013 14:19:15 +10:00 cat3k_caa-iosd-universalk9.SPA.150-1.EX3.pkg 30983 -rw- 16059104 Sep 28 2013 14:19:15 +10:00 cat3k_caa-platform.SPA.03.02.03.SE.pkg 30984 -rw- 64586444 Sep 28 2013 14:19:15 +10:00 cat3k_caa-wcm.SPA.10.0.120.0.pkg 1621966848 bytes total (723390464 bytes free) 3850-1#software clean Preparing clean operation ... [1 2]: Cleaning up unnecessary package files [1 2]: No path specified, will use booted path flash:packages.conf [1 2]: Cleaning flash: : Preparing packages list to delete ... cat3k_caa-base.SPA.03.02.03.SE.pkg File is in use, will not delete. cat3k_caa-drivers.SPA.03.02.03.SE.pkg File is in use, will not delete. cat3k_caa-infra.SPA.03.02.03.SE.pkg File is in use, will not delete. cat3k_caa-iosd-universalk9.SPA.150-1.EX3.pkg File is in use, will not delete. cat3k_caa-platform.SPA.03.02.03.SE.pkg File is in use, will not delete. cat3k_caa-wcm.SPA.10.0.120.0.pkg File is in use, will not delete. packages.conf File is in use, will not delete. : Preparing packages list to delete ... cat3k_caa-base.SPA.03.02.03.SE.pkg File is in use, will not delete. cat3k_caa-drivers.SPA.03.02.03.SE.pkg File is in use, will not delete. cat3k_caa-infra.SPA.03.02.03.SE.pkg File is in use, will not delete. cat3k_caa-iosd-universalk9.SPA.150-1.EX3.pkg File is in use, will not delete. cat3k_caa-platform.SPA.03.02.03.SE.pkg File is in use, will not delete. cat3k_caa-wcm.SPA.10.0.120.0.pkg File is in use, will not delete. packages.conf File is in use, will not delete. : Files that will be deleted: cat3k_caa-base.SPA.03.02.00SE.pkg cat3k_caa-base.SPA.03.02.02.SE.pkg cat3k_caa-drivers.SPA.03.02.00.SE.pkg cat3k_caa-drivers.SPA.03.02.02.SE.pkg cat3k_caa-infra.SPA.03.02.00SE.pkg cat3k_caa-infra.SPA.03.02.02.SE.pkg cat3k_caa-iosd-universalk9.SPA.150-1.EX.pkg cat3k_caa-iosd-universalk9.SPA.150-1.EX2.pkg cat3k_caa-platform.SPA.03.02.00.SE.pkg cat3k_caa-platform.SPA.03.02.02.SE.pkg cat3k_caa-universalk9.SPA.03.02.03.SE.150-1.EX3.bin cat3k_caa-wcm.SPA.10.0.100.0.pkg cat3k_caa-wcm.SPA.10.0.111.0.pkg packages.conf.00- packages.conf.01- : Files that will be deleted: cat3k_caa-base.SPA.03.02.00SE.pkg cat3k_caa-base.SPA.03.02.02.SE.pkg cat3k_caa-drivers.SPA.03.02.00.SE.pkg cat3k_caa-drivers.SPA.03.02.02.SE.pkg cat3k_caa-infra.SPA.03.02.00SE.pkg cat3k_caa-infra.SPA.03.02.02.SE.pkg cat3k_caa-iosd-universalk9.SPA.150-1.EX.pkg cat3k_caa-iosd-universalk9.SPA.150-1.EX2.pkg cat3k_caa-platform.SPA.03.02.00.SE.pkg cat3k_caa-platform.SPA.03.02.02.SE.pkg cat3k_caa-universalk9.SPA.03.02.03.SE.150-1.EX3.bin cat3k_caa-wcm.SPA.10.0.100.0.pkg cat3k_caa-wcm.SPA.10.0.111.0.pkg packages.conf.00- packages.conf.01- [1 2]: Do you want to proceed with the deletion? [yes/no]: yes [1 2]: Clean up completed 3850-1#dir Directory of flash:/ 85193 -rw- 2097152 Sep 28 2013 14:28:26 +10:00 nvram_config 85199 -rw- 1224 Sep 28 2013 14:19:19 +10:00 packages.conf 85196 -rw- 8916 Sep 26 2013 15:59:58 +10:00 vlan.dat 85195 -rw- 114 Jun 6 2013 08:31:45 +10:00 express_setup.debug 30979 -rw- 74369716 Sep 28 2013 14:19:15 +10:00 cat3k_caa-base.SPA.03.02.03.SE.pkg 30980 -rw- 5808828 Sep 28 2013 14:19:15 +10:00 cat3k_caa-drivers.SPA.03.02.03.SE.pkg 30981 -rw- 32496484 Sep 28 2013 14:19:15 +10:00 cat3k_caa-infra.SPA.03.02.03.SE.pkg 30982 -rw- 30418104 Sep 28 2013 14:19:15 +10:00 cat3k_caa-iosd-universalk9.SPA.150-1.EX3.pkg 30983 -rw- 16059104 Sep 28 2013 14:19:15 +10:00 cat3k_caa-platform.SPA.03.02.03.SE.pkg 30984 -rw- 64586444 Sep 28 2013 14:19:15 +10:00 cat3k_caa-wcm.SPA.10.0.120.0.pkg 1621966848 bytes total (1393401856 bytes free)
You can verify switch is having upgraded image in each member of the switch stack.
3850-1#sh ver | be SW Switch Ports Model SW Version SW Image Mode ------ ----- ----- ---------- ---------- ---- 1 56 WS-C3850-48P 03.02.03.SE cat3k_caa-universalk9 INSTALL 2 56 WS-C3850-48P 03.02.03.SE cat3k_caa-universalk9 INSTALL
You can verify boot configuration of your switch using “show boot” CLI command. As you can see “packages.conf” file is the boot loading file used in the booting process. If this file is not exist or corrupted switch will go onto ROMMON mode.
3850-1#sh boot --------------------------- Switch 1 --------------------------- Current Boot Variables: BOOT variable = flash:packages.conf; Boot Variables on next reload: BOOT variable = flash:packages.conf; Manual Boot = no Enable Break = no
You can access wireless controller GUI using https://<switch-ipaddress>/wireless URL.
It is different look & feel compare to CUWN controllers (5508,2504, etc). Let’s see how we can configure the wireless controller config on this switch. First of all you need to ensure you have the correct license to start with.
3850-1#show license right-to-use ? default Displays the default license information. detail Displays details of all the licenses in the stack. eula Displays the EULA text. mismatch Displays mismatch license information. slot Specify switch number summary Displays consolidated stack wide license information. usage Displays the usage details of all licenses. | Output modifiers <cr> 3850-1#show license right-to-use summary License Name Type Count Period left ----------------------------------------------- lanbase permanent N/A Lifetime apcount base 0 Lifetime apcount adder 0 Lifetime -------------------------------------------- License Level In Use: ipbase License Level on Reboot: ipbase Evaluation AP-Count: Disabled Total AP Count Licenses: 0 AP Count Licenses In-use: 0 AP Count Licenses Remaining: 0
In Converged Access architecture, 3850 can act as Mobility Agent (MA) or Mobility Controller (MC). By default it is a MA. Normally AP licence should be on a MC where CAPWAP tunnels from AP get terminated. In this case we have only 3850 switch for everything (MC & MA) so you have to install AP licence onto this switch. Remember that maximume 50 APs can be supported by a 3850 switch stack. In our case we will configure 25 licence each for the first two members of stack & all APs to be terminated in these two switches (max 25 in each member).
3850-1#license right-to-use ? activate activate particular license level deactivate deactivate particular license level 3850-1#license right-to-use activate ? apcount configure the AP-count licenses on the switch ipbase activate ipbase license on the switch ipservices activate Ipservices license on the switch lanbase activate lanbase license on the switch 3850-1#license right-to-use activate apcount ? <1-50> configure the number of adder licenses evaluation activate evaluation license 3850-1#license right-to-use activate apcount 50 ? slot Specify switch number 3850-1#license right-to-use activate apcount 50 slot ? <1-9> Specify switch number 3850-1#license right-to-use activate apcount 50 slot 1 ? acceptEULA automatically accept the EULA for the given license <cr> 3850-1#license right-to-use activate apcount 50 slot 1 acceptEULA 3850-1#license right-to-use activate apcount 50 slot 2 acceptEULA % switch-2:stack-mgr:ACTIVATION FAIL : Total AP Count Licenses exceed maximum limit ! 3850-1#license right-to-use deactivate apcount 25 slot 1 3850-1#license right-to-use activate apcount 25 slot 2 acceptEULA
You have to enable the MC functionality of 3850 by using the “wireless mobility controller” CLI command as shown below.
3850-1(config)#wireless mobility ? controller Configures mobility controller settings dscp Configures the Mobility inter controller DSCP value group Configures the Mobility group parameters load-balance Configure mobility load-balance status multicast Configures the Multicast Mode for mobility messages oracle Configures mobility oracle settings 3850-1(config)#wireless mobility controller ? ip no description peer-group Configures mobility peer groups <cr> 3850-1(config)#wireless mobility controller
Now we are one step away to register our AP. To register AP you should nominate an interface as wireless management interface. You have to remember that all your AP should be configured with same vlan access port where you configured for wireless management, otherwise AP won’t join. In our case we will use vlan21 as wireless management interface & configure switch port connected to AP in vlan 21
interface Vlan21 ip address 192.168.21.1 255.255.255.0 ! wireless management interface Vlan21 ! interface GigabitEthernet1/0/1 switchport access vlan 21 switchport mode access spanning-tree portfast
Now if you type “show ap summary” you would see your AP get registered to your 3850 WLC
3850-1#show ap summary Number of APs: 1 Global AP User Name: Not configured Global AP Dot1x User Name: Not configured AP Name AP Model Ethernet MAC Radio MAC State ---------------------------------------------------------------------------------------- bc16.6516.790e 3602I bc16.6516.790e f41f.c298.c2a0 Registered
You can change any AP specific configuration by using “ap name <AP-NAME> x” CLI commands. Following are the all options available. we will change the name as example.
3850-1#ap name bc16.6516.790e ? ap-groupname Set groupname bhrate Bridge Backhaul Tx Rate bridgegroupname Set bridgegroupname bridging Enable Ethernet-to-Ethernet bridging capwap AP Capwap parameters command Remote execute a command on Cisco AP console-redirect Enable redirecting remote debug output of Cisco AP to console core-dump Enable memory core dump on Cisco AP country Configure the country of operation crash-file Manage crash data and radio core files for Cisco AP dot11 Configures 802.11 parameters dot1x-user Enable the 802.1X credential for the current AP ethernet Configure Ethernet Port of the AP image Configure image led Enable LED-state for Cisco AP link-encryption Enable link encryption state on Cisco AP link-latency Enable Link Latency on Cisco AP location Configure AP location mfp Enable Management Frame Protection mgmtuser Configures user name, password and secret for AP management mode Select AP mode of operation monitor-mode Monitor-mode channel optimization name Configure AP name no Negate a command or set its defaults power Configure Cisco Power over Ethernet (PoE) feature for AP reset Reset AP reset-button Disable or enable reset button on AP shutdown Disable AP slot Set slot number sniff Enable sniffing on dot11a/b radio ssh Enable SSH static-ip Set Cisco AP static IP address configuration stats-timer Set the frequency at which statistics are sent from AP syslog Set the system logging settings for Cisco AP tcp-adjust-mss TCP MSS configuration for an AP telnet Enable telnet for Cisco AP tftp-downgrade Initiate AP image downgrade from a TFTP server 3850-1#ap name bc16.6516.790e name L3600-1 3850-1#show ap summary Number of APs: 1 Global AP User Name: Not configured Global AP Dot1x User Name: Not configured AP Name AP Model Ethernet MAC Radio MAC State ---------------------------------------------------------------------------------------- L3600-1 3602I bc16.6516.790e f41f.c298.c2a0 Registered
You can use “show ap name <AP_NAME> x” CLI commands to view specific AP configurations.
3850-1#show ap name L3600-1 ? auto-rf Auto-RF information for a Cisco AP bhmode Show Cisco Bridge Backhaul Mode bhrate Show Cisco Bridge Backhaul Rate cac Display Call Admission Control details capwap AP Capwap parameters ccx Shows ccx related information cdp Shows Cisco AP cdp information channel Shows the channel information of an Cisco AP config Shows the configuration of an Cisco AP core-dump Shows the AP memory core dump setting for an Cisco AP data-plane Show data plane status dot11 Show 802.11 parameters ethernet Shows ethernet information eventlog Downloads and displays the event log of a Cisco AP image Shows the images present on a Cisco AP inventory Displays the inventory of a Cisco AP link-encryption Show link encryption status service-policy Show service policy information tcp-adjust-mss Show tcp-adjust-mss for an AP wlan Show BSSIDs for each AP 3850-1#show ap name L3600-1 config general Cisco AP Name : L3600-1 Cisco AP Identifier : 3 Country Code : AU - Australia Regulatory Domain Allowed by Country : 802.11bg:-A 802.11a:-N AP Country Code : AU - Australia AP Regulatory Domain : Unconfigured Switch Port Number : Gi1/0/1 MAC Address : bc16.6516.790e IP Address Configuration : DHCP IP Address : 192.168.21.53 IP Netmask : 255.255.255.0 Gateway IP Address : 192.168.21.254 CAPWAP Path MTU : 1500 Telnet State : Disabled SSH State : Disabled Cisco AP Location : default location Cisco AP Group Name : default-group Administrative State : Enabled Operation State : Registered AP Mode : Local AP Submode : Not Configured Remote AP Debug : Disabled Logging Trap Severity Level : informational Software Version : 10.0.101.0 Boot Version : 22.214.171.124 Stats Reporting Period : 180 LED State : Enabled PoE Pre-Standard Switch : Disabled PoE Power Injector MAC Address : Disabled Power Type/Mode : Power Injector/Normal Mode Number of Slots : 2 AP Model : 3602I AP Image : C3600-K9W8-M IOS Version : 15.2(2)JN$ Reset Button : Enabled AP Serial Number : FGL1721X3K5 AP Certificate Type : Manufacture Installed Management Frame Protection Validation : Disabled AP User Mode : Automatic AP User Name : Not Configured AP 802.1X User Mode : Not Configured AP 802.1X User Name : Not Configured Cisco AP System Logging Host : 255.255.255.255 AP Up Time : 3 days 20 hours 14 minutes 26 seconds AP CAPWAP Up Time : 3 days 20 hours 12 minutes 57 seconds Join Date and Time : 09/24/2013 19:01:11
If you want to configure global settings for all APs then you have to go for the configuration mode & then use “ap x ” CLI command as shown below. We will change Country code as example. You can add upto 20 country codes if you have AP in multiple countries.
3850-1#conf t Enter configuration commands, one per line. End with CNTL/Z. 3850-1(config)#ap ? auth-list Configure Access Point authorization list bridging Enable/Disable Ethernet-to-Ethernet bridging on all Cisco APs capwap ap capwap parameters cdp Enable/Disable CDP for all Cisco APs core-dump Enable/Disable memory core dump on all Cisco APs country Configure the country of operation dot11 Configures 802.11 parameters dot1x Configure the 802.1X credential for all APs ethernet Configure Ethernet Port on all Cisco APs group Manage AP Groups VLAN feature led Enable/Disable LED-state for all Cisco APs link-encryption Enable link encryption state on all Cisco AP's link-latency Enable Link Latency on all Cisco AP's mgmtuser Configure the user for AP management power Configure Cisco Power over Ethernet (PoE) feature for all AP's reporting-period Configure AP rogue/error reporting period reset-button Enable/Disable reset button for all Cisco APs static-ip Set Cisco AP static IP address configuration syslog Configure the system logging settings for Cisco AP tcp-adjust-mss Enable/Disable TCP MSS configuration for all Cisco APs tftp-downgrade Initiate AP image downgrade from a TFTP server for all Cisco APs 3850-1(config)#ap country ? WORD Enter the country code (e.g. US,MX,IN) upto a maximum of 20 countries 3850-1(config)#ap country AU Changing country code could reset channel and RRM grouping configuration. If running in RRM One-Time mode, reassign channels after this command. Check customized APs for valid channel values after this command. Are you sure you want to continue? (y/n)[y]: y 3850-1#show wireless country ? channels Auto-RF channels for the configured countries configured Display configured countries supported Show list of all countries 3850-1#show wireless country configured Configured Country.............................: AU - Australia Configured Country Codes AU - Australia : 802.11a Indoor,Outdoor/ 802.11b / 802.11g
Next we will configure a WLAN.
3850-1(config)#wlan ? WORD Enter Profile Name up to 32 alphanumeric characters shutdown Enable/disable all WLANs 3850-1(config)#wlan MRN-CCIEW ? <1-64> Create WLAN Identifier <cr> 3850-1(config)#wlan MRN-CCIEW 1 ? WORD Enter SSID (Network Name) up to 32 alphanumeric characters <cr> 3850-1(config)#wlan MRN-CCIEW 1 MRN-CCIEW 3850-1(config-wlan)#no shutdown
you can verify WLAN configuration in your “show running-config all” output.
3850-1#show running-config all | section wlan wlan MRN-CCIEW 1 MRN-CCIEW accounting-list channel-scan defer-time 100 client association limit 0 client vlan default dtim dot11 24ghz 1 dtim dot11 5ghz 1 exclusionlist timeout 60 ip access-group web none ip access-group none ip dhcp server 0.0.0.0 ipv6 traffic-filter web none ipv6 traffic-filter none mac-filtering radio all security dot1x authentication-list security dot1x encryption 104 security static-wep-key authentication open security tkip hold-down 60 security web-auth authentication-list security web-auth parameter-map service-policy client input unknown service-policy client output unknown service-policy input unknown service-policy output unknown session-timeout 1800 no shutdown
You can configure any WLAN specific configs as shown below. You have to shutdown the WLAN before make any changes.
3850-1(config)#wlan MRN-CCIEW 1 MRN-CCIEW 3850-1(config-wlan)#? aaa-override AAA policy override accounting-list Set the accounting list for IEEE 802.1x band-select Allow|Disallow Band Select on a WLAN. broadcast-ssid Set broadcast SSID on a WLAN call-snoop Call Snooping support ccx Configure Cisco Client Extension options channel-scan Configures off channel scanning deferral parameters chd Set CHD per WLAN client WLAN configuration for clients datalink WLAN Datalink commands default Set a command to its defaults diag-channel Set Diagnostics Channel Capability on a WLAN dtim Set the DTIM period for the WLAN exclusionlist Set exclusion-listing on WLAN exit Exit sub-mode ip WLAN IP configuration commands ipv6 IPv6 WLAN subcommands load-balance Allow|Disallow Load Balance on a WLAN. local-auth Set the EAP Profile on a WLAN mac-filtering Set MAC filtering support on WLAN media-stream Configures media stream mfp Configures Management Frame Protection mobility Configure mobility nac Configures Radius NAC support(Identity Service Engine). no Negate a command or set its defaults passive-client Configures passive client feature peer-blocking Configure peer-to-peer blocking on a WLAN radio Configures the Radio Policy roamed-voice-client Configure Roaming Attrbutes for Voice Clients security Configures the security policy for a WLAN service-policy Configure WLAN QOS Service Policy session-timeout Configures client timeout shutdown Disable WLAN sip-cac Configure Wlan Sip-Cac attributes static-ip Configures static IP client tunneling support on a WLAN. uapsd Configure WMM UAPSD attributes for Wlan wgb Configures WGB support on the WLAN wmm Configures WMM (WME) 3850-1(config-wlan)#client vlan 51 % switch-1:wcm:Request failed - WLAN in the enabled state. 3850-1(config-wlan)#shut 3850-1(config-wlan)#client vlan 51 3850-1(config-wlan)#radio ? all Enable all available radios dot11a Enable 802.11a radio only dot11ag Enable 802.11 a and g radios dot11bg Enable 802.11b and g radios dot11g Enable 802.11g radio only 3850-1(config-wlan)#radio dot11a 3850-1(config-wlan)#wmm ? allowed Allows WMM on the WLAN require Requires WMM enabled clients on the WLAN 3850-1(config-wlan)#wmm require 3850-1(config-wlan)#ip ? access-group Specify WLAN ACL dhcp Configure DHCP parameters for WLAN flow Flexible Netflow commands multicast Configure multicast verify verify 3850-1(config-wlan)#ip dhcp ? opt82 Set DHCP option 82 for wireless clients on this WLAN required Specify whether DHCP address assignment is required server Configures the WLAN's IPv4 DHCP Server 3850-1(config-wlan)#ip dhcp server 192.168.51.1 3850-1(config-wlan)#no shut
You can verify WLAN settings “show wlan id <WLAN_ID>” CLI command as shown below.
3850-1#show wlan id 1 WLAN Profile Name : MRN-CCIEW ================================================ Identifier : 1 Network Name (SSID) : MRN-CCIEW Status : Enabled Broadcast SSID : Enabled Maximum number of Associated Clients : 0 AAA Policy Override : Disabled Network Admission Control NAC-State : Disabled Number of Active Clients : 0 Exclusionlist Timeout : 60 Session Timeout : 1800 seconds CHD per WLAN : Enabled Webauth DHCP exclusion : Disabled Interface : 51 Interface Status : Unconfigured Multicast Interface : Unconfigured WLAN IPv4 ACL : unconfigured WLAN IPv6 ACL : unconfigured DHCP Server : 192.168.51.1 DHCP Address Assignment Required : Disabled DHCP Option 82 : Disabled DHCP Option 82 Format : ap-mac DHCP Option 82 Ascii Mode : Disabled DHCP Option 82 Rid Mode : Disabled QoS Service Policy - Input Policy Name : unknown Policy State : None QoS Service Policy - Output Policy Name : unknown Policy State : None QoS Client Service Policy Input Policy Name : unknown Output Policy Name : unknown WMM : Required Channel Scan Defer Priority: Priority (default) : 4 Priority (default) : 5 Priority (default) : 6 Scan Defer Time (msecs) : 100 Media Stream Multicast-direct : Disabled CCX - AironetIe Support : Enabled CCX - Gratuitous ProbeResponse (GPR) : Disabled CCX - Diagnostics Channel Capability : Disabled Dot11-Phone Mode (7920) : Invalid Wired Protocol : None Peer-to-Peer Blocking Action : Disabled Radio Policy : 802.11a only DTIM period for 802.11a radio : 1 DTIM period for 802.11b radio : 1 Local EAP Authentication : Disabled Mac Filter Authorization list name : Disabled Accounting list name : Disabled 802.1x authentication list name : Disabled Security 802.11 Authentication : Open System Static WEP Keys : Disabled 802.1X : Disabled Wi-Fi Protected Access (WPA/WPA2) : Enabled WPA (SSN IE) : Disabled WPA2 (RSN IE) : Enabled TKIP Cipher : Disabled AES Cipher : Enabled Auth Key Management 802.1x : Enabled PSK : Disabled CCKM : Disabled CKIP : Disabled IP Security : Disabled IP Security Passthru : Disabled L2TP : Disabled Web Based Authentication : Disabled Conditional Web Redirect : Disabled Splash-Page Web Redirect : Disabled Auto Anchor : Disabled Sticky Anchoring : Enabled Cranite Passthru : Disabled Fortress Passthru : Disabled PPTP : Disabled Infrastructure MFP protection : Enabled Client MFP : Optional Webauth On-mac-filter Failure : Disabled Webauth Authentication List Name : Disabled Webauth Parameter Map : Disabled Tkip MIC Countermeasure Hold-down Timer : 60 Call Snooping : Disabled Passive Client : Disabled Non Cisco WGB : Disabled Band Select : Disabled Load Balancing : Disabled IP Source Guard : Disabled
By default WLAN is configured with WPA2/AES. So if you want to check basic client connectivity you can disable it. Then you should be able to connect your wireless client to this new SSID.
In a separate post we will see how to configure different security methods for a given SSID.
1. Working with IOS file system-3850 IOS-XE
2. Consolidated Platform Config Guide IOS-EX Release 3SE -3850
3. Cisco AireOS to IOS-XE Migration Guide
4. Getting Started with 5760 & 3850 -Cisco DOC#34430
5. Password Recovery on Cat3850 – Cisco DOC#35289
1. WLAN configs with 3850 – Part 1
2. WLAN configs with 3850 – Part 2
3. 3850 Password Recovery
4. Converged Access Mobility
5. 3850- Flexible Netflow
6. Wireshark Capture in 3850
7. Getting Started with 5760
“You have to attach your access points directly to your 3850 switches”, – do you say it will not work if I connect my AP to another switch, and use trunk port between Cat3850 and the other swithc? Or if I do trunk port with native VLAN set as AP VLAN?
Yes, AP has to directly connect to 3850 in order to register it to 3850 WLC. Additionally AP should be on the same VLAN as wireless management vlan configured on 3850. (ie AP mgt & WLC wireless mgt cannot be on two different vlan)
If AP is connect to another switch you cannot register them to a 3850 WLC.
How is it possible? If we configure just L2 trunk
Which mean you require 3850 in each floor (if you have comms in each floor) so you can terminate AP directly onto a 3850.
If not, then you can register them to a central controller (like normal unified wireless -CAPWAP tunnel). In this case CAPWAP won’t terminate on a switch.
I am really surprise to know that AP has to connect directly and also in the same VLAN. At present, we have 5508 in melbourne where all the APs from Malaysia, Brisbane, Sydney, Canberra and Hobart are registered. Of course, they are in different VLAN. Recently, I have deployed Cisco 3850 in Sydney and having plan to make that as a foreign controller and 5508 as an anchor controller, which will be providing Guest wi-fi. But, after knowing these fact, I am bit confused about the solution? Thoughts?
If you want to deploy 3850 in one site as MA/MC then your AP at that site needs to directly connect to 3850 switch with same wireless mgmt vlan of that switch. User vlan can be anything, but it will be locally terminated.
If you want to have guest anchor setup, then you need to enable “new mobility” on your Anchor 5508. This will impact any other controllers as well (in other words every controller you have guest tunnels you need to do this)
Thanks Rasika. By the way, awesome blog. There are plenty of things to learn from this source.
Hello, we have a very problem with 3850P-W-24-S Switch, Cisco Phone 7925G and Callmanager. The 7925G Phone dont want register with the CUCM. We have 20 Cisco 2602 APs. We have tested an Autonomous AP and that work but via 3850 and 2602 not. What could be a problem with 3850?
What type of authentication method (EAP /PSK?) configured for your WLAN.
Give more information how you configure 3850 for this WLAN to help
we have test with WPA2 AES and without Security. The 3850 have 20 APs 2602E they are in the Management VLAN 23. CAPWAP Tunnels are builded.The latest IOS is 03.03.00 on the Switch. I can post the runnng config later.
You can posted your query in below forum, so you may get advise from few other people as well. I will respond to it with my suggestions when you post your switch config with respect to this
number 3 I do not believe is correct.
3. You have to enable Mobility Controller (MC) functionality to terminate CAPWAP (or register AP). By default, when you enable wireless management, switch will act as Mobility Agent (MA) & not able to terminate CAPWAP.
MC does need to exist, but not in the same Switch-Peer Group (SPG). MA does terminate CAPWAP. MC can be in data center for example
In my example, I would assume only this stack is available & no any other WLCs are there. So MC functionality has to be configure there.
In broader context, yes MC does not need to be within the same SPG , it can be somewhere in your network (like DC, etc)
Amandeep Mann said:
Hi Rasika, about that limit of 50 AP’s…was it per stack or an individual switch?
It is a limitation per 3850 stack not per individual switch.
Hi, When the APS connect to the MA 3850, do the aps go through the same cuwn method to find the WLC (3850) :- ie L3 Broadcast, Option 43, DNS, or is it that it because it is plugged direclty into the MA we only need to give the AP an ip address either static or preferably DHCP.in order to connect and no further options are required. Lastly when it connects to the 3850 does it check it has the same code – if not downloads it (same as CUWN)
Since APs are on the same subnet as wireless management interface of MA, they should be able to register using local broadcast even you do not configure Option 43, static or DNS.
Yes, if code does not match AP will download image from MA prior to become operational. It is same as CUWN.
I love this device, I have seen so many applications such as login with Facebook credentials and other cases that are publish on the Cisco Website, where do I find some information on how to do this kind of configuration (the facebook one); I know I need the Mobility Engine and other stuffs.
I want some information about this, because I want to make some implementations like that, this is something new for me, as a CCNA Wireless; I hope I’m not the only noob guy here…
I am not sure about how can do this.. sorry..
One more question.
In order to activate the Controller functionality on this equipment, with the “wireless mobility controller” command.
It is necesary to reboot the Switch?
I need to activate this service on a CORE 3850, but can´t reload it.
Yes, you have to reboot the switch. By default if you configure “wireless management interface vlan x” command switch will act as a MA.
If you want to change it to MC, then you have to issue the command you provided & reboot the switch. Here is the msg you get for your reference.
ASW2(config)#wireless mobility controller
Mobility role changed to Mobility Controller.
Please save config and reboot the whole stack.
Network Pro said:
can I use cisco 3850 with cisco 5508 controllers. basically I want to form a mobility group between cisco 3850 and cisco 5508 (cisco 5508 is at Main site and cisco 3850 is at branch site)
i just want to do it this way so that if the cisco 3850 fails i want AP to join Cisco 5508 controller. if possible how do I go about doing it ?
Since APs need to directly connect to 3850, if you have a single stack at your branch, then APs will be down when 3850 goes down. So you won’t be able to register them to 5508.
Even if you have multiple 3850 stacks at your branch (one acting as MC) & MC is down, still other APs will work in MAs. They won’t failback to 5508.
So bottom line is, you can have mobility configured for guest type WLAN services, but for AP perspective you cannot register branch APs to central office 5508 in case of branch 3850 failure.
I just wrote to you on another thread, yet here is the answer! Do you have a Cisco hyperlink that covers your last sentence in more detail (So bottom line is, you can have mobility configured for guest type WLAN services, but for AP perspective you cannot register branch APs to central office 5508 in case of branch 3850 failure)? In my scenario, was keen to have one (1) “5508” hosting LAPs (primary controller), then – if it falls over – (2) have all the LAPS swing to “3508” integrated controller (secondary controller) … Grateful either way to have the Cisco link so I can get the terminology correctly.
Network Pro said:
Hi Rasika, thanks for the quick reply. yes we are aware of that but we thought that if the 5508 fails then maybe use this as a backup controller. so basically I want to create a mobility group and create mobility tunnel between 5508 and 3850 if possible so that if the 5508 fails we will have a backup controller. is that possible ? I know its possible with two 5508 controllers but not sure it can be done with 3850
If you want to terminate a CAPWAP tunnel to a 3850, then that AP has to directly connect to a 3850.
In that case, if your HQ APs connect to normal switches & register to a 5508, you want able to register them to a remote 3850MC.
Bottom line is you cannot use 3850 as a backup controller for existing 5508 setup.
Network Pro said:
Thanks Rasika. so 3850 is pretty much not very usefull, is it ? But just out of interest is it possible to set up mobility tunnel (so would like to know) – as you do betwee ntwo 5508 controllers ?
Network Pro said:
Thanks Rasika. so 3850 is pretty much not very usefull, is it ? But just out of interest is it possible to set up mobility tunnel , anchroring, mobility group (as you put in mac address on each other controllers ) – as you do between two 5508 controllers ? I cant see any option on 3850 to do this through
I knew that the AP have to be directly connected to the 3850 but I recently was told by a reseller that there must be a single cable between both elements. Even the use of a wall jack or wall socket would be forbidden. Did you have the chance to test that ?
That’s wrong… All the time AP has to deploy via Wall socket & then patch it via a patch panel to switch.
Network Pro said:
if the above is not possible can I just use the 3850 as a normal switch and bypass all traffic to 5508 as at the moment I cant see any AP registering to 5508 (these are connected to cisco 3850) . or should they be terminated on a non 3850 to get registered on the cisco 5508. and what is the difference between MC and MA and which mode should it be in if it can be registered with cisco 5508
If you want to register 3850 connected AP to a central 5508, then do not enable WLC functionality (MA or MC) on your 5508. “wireless management interface vlan x” is the command you enable it, if you do not have that line in your 3850 configuration you are fine with that
ip deal said:
Hi, I check your new stuff daily. Your story-telling style is awesome, keep it up!
Thanks for encouragement…:)
Great post Rasika, am configuring the 3850 for the first time and the documentation on cisco website is not that good (dispersed ). You have saved me a tons of time.
Thanks for your feedback.. Great to see these post are useful to others
This link might be usefull to others wanting to verify/cross refernce this posts!
Thanks for reference link
Everything is very open with a clear clarification of the challenges.
It was truly informative. Your site is extremely helpful.
Thank you for sharing!
I’m wondering if you can use a 5760 as a MC and have your 3850’s as MA’s and also use the MC as a static mobility anchor for Guest. Since the 5760 supports multiple LAG’s you could connect one LAG into the core for wireless management, and another into the DMZ to drop off guest and cut out the requirement for a guest anchor. Do you know if a MC can also act as a static mobility anchor for MA’s that are registered to it, or does this require a mobility peer which is only MC to MC tunnel?
Yes, It is possible, you can use MC as Guest Anchor
In my actuall enviroment i’ve got a stack of 2 3850 and 4 single 3850 all are connected by 2x 10GB SFP to the Stack. On The Stack and each of te single 3850’s ive got 2 AP’s. Is there any option to manage/confígure them all only from the stack? i think not?!?! my second option is to sell an 2504 controller to manage the ap’s or is there any better/cheaper option?
At the moment you do not have that option, you have to do the configs in MC (assuming this role is on 3850 stack) & all MA (single 3850s) as well.
For the time being do the wireless config on each 3850. Probably in future, Cisco make some modification where you configure only in MC where config pushes to MA.
I would stick to 3850s & manage this & see what’s cisco coming up within next year.
at first, thanks for your fast reply, so is it a better solution to buy the 2504 wifi controller for manage the aps or what shoud be best practise sollution?
As long as you configure all your 3850 for the wireless then you should be able to do this without having 2504.
But if you are not comfortable with this Converged Access setup & need to get wifi setup quickly as you know (CUWN) then 2504 would help.
I will get my hands on several stacks next month . I posted a question to the cisco 3850 community about the licensing. So i am not sure if you have come acros this secenario yet.
Basically, I will have a stack of 3 x 3850’s
MC will be the master stack and apply the AP adder license to each member
Les say i have 10 AP licenses, i would apply 4 on the master stack, 4 on the second and 2 on the last stack member as I intend to connect that many APs
So coming actually to the upgrade license to operate the wireless function.
If i apply and active the MC on the master stack, i believe that there will no redundancy in the event the master stack fails.
I believe that i need to order a separate license and apply this onto the 2nd stack switch so that this can take over the wifi etc.. In the event of a failure on stack 1 (master).
I could not find anything useful on CCO relating to this topic yet unfortunately, so i am reaching out to you as you are considered as an helpful and clever expert that that field.
Just wanted to say this is a website which I like even more than YOUTUBE!
I love reading stuff in here and the easy way you explain things. there are topics which you can only find the answer for them here. wanted to say thank you again for all the time and effort. it is really a genuine source.
a request: please upload a detail line by line 802.1x eap debug
Thanks for the complements & really helps your feedback.
Yes, I will do this 802.1X EAP debug post within next 2 weeks, specially for you 🙂
This is very helpful nayarasi! im new to wireless technology and 3850s. yet this blog is inspiring, and i take the challenge of deploying 50 x 3850 and 100 APs with one 8500 with no experience at all. Ü your QoS topic is also great!! …. knowledge overload!!!
Nice to hear, ping me if u need any help
Firstly, Thank you for a brilliant post.
I wanted to know what your thoughts are on management vlans. In our wired only infrsatrutcutre we have a management VLAN already. We want wireless now, if we use the wireless ability of the c3850 should we create another management VLAN specifically for wireless devices and keep it separate from wired management devices (e.g. other switches)… or use the existing management vlan we have in place for AP amangement and wireless management? what do you think is best?
Yes, it is good to create seperate wireless management vlan.
Since AP has to be on the same vlan as wireless management of the switch, typically that vlan should be DHCP & should have enough IP to cater your AP deployment.
In general, your switch management may not DHCP enable & cater the capacity for the AP deployment.
This is flipping awesome! I’m new to the network role more into the server infrastructure.. But I’ve been asked to take on a huge project since we are limited with help! What would you suggest I do for a new office implementation… I just ordered 2-3850-48F-E/4-wireless controller license/4=Aironet 3702i. PS-thank for such an awesome site!!! Any suggestions would greatly be appreciated!
If you need to run 3702 from 3850 integrated WLC, then IOS-XE 3.6 is minimum requirement. So upgrade your switches to 3.6.1E version as that is the latest on that code train.
Let me know if you have any further queries on this implementation, so I can help you
thank YOu first for Your informational blog about 3850 with integrated WLAN.
I’m also sitting in front of a new box of this type having only experience with 5508 WLCs.
Please help me with a question regarding AP licencing on this device.
I’m worried with the way how to activate WLAN AP licenses on this box.
You are using the simple command in Your Post to activate 25 licenses
3850-1#license right-to-use activate apcount 25 slot 2 acceptEULA
I expected that one have to use a activation code or license key that was bought and received from Cisco on beforehand.
To me it looks like You can activate licences with this command without
buying them and entering a activation code !?
Yes, it is.
Cisco trust its customer & assume they will do it diligently.
Great discussion. I have a 5508 as MC and several 3850 stacks as MA. Works fine. Now we are deploying a big site with many 3850 stacks. We have this time same Layer2 for all stacks on the wireless management. I see when deploying the first one that some APs not belonging to the switch (physyically) join my 3850, download software. But after they reboot they don´t seem to be able to join again. Wonder if anyone has tried this design and if it will create any problems ?
I will try to add the next stack and see how this goes. Perhaps it is only a problem when the AP join first and after they got their own 3850 up and running as MA they won´t cross join stacks again. I may post my results later on if I get a conclusion.
How did you go with this, I believe all 3850 directly connected AP should get registered to that MA stack.
Let me know
Thanks for a great blog !
Im just about to start a wireless converged access project and i have some question i hope you can help me with.
Im deploying a solution with a central 5760 as MC and totally 6 3850 as MA, can i deploy all this on the same mgmt vlan ? and also the same SPG ?
Can all the layer 3 interface for client vlan be attached to the Core switch in the network or do i need to configure this on the 3850 ?
Do you also know of a good documentation of setting up 5760 in HA (stacking) ?
If 5760 & 3850 will be in same layer 2 network, yes you can put management into same vlan. (in my case 5760 with L3 separation)
If all 3850 stacks are in close by buildings where users roam frequently, then you can put all of them in same SPG.
If you have layer 2 access, where all your SVI defined on core/distribution switch, then I would not define any user SVI on 3850 stacks. Simply enable DHCP snooping for those vlans on 3850 & leave SVI on distribution/core.
Only SVI required on 3850 are wireless management & switch management SVI if they are two different. Otherwise simply one SVI.
Here is a 5760 HA configuration doc, hope it is useful to you ( I haven’t configure this by myself)
Thank´s a lot !
This is very helpful 🙂
Also another thing, have you set up eap-tls authentication against ISE in a converged access ?
Do the 5760 and 3850 support dacl ? Do i need to define both the MC and MA as a network device on the ISE ?
Is there a good documentation on doing this ?
I haven’t test that… probably release notes & config guides are the two thing I would refer.
Hi… I am new to Cisco WLC…
i have a new c3650-24ps and 1702i AP
i configured 3650 as the MC and MA
but AP not joining in the 3650
what could be the problem..
i am getting ping reply from APs…
What version of IOS-XE runnning on your 3650 ? 1702 support is 3.7.0E onward. Use 3.7.1E as that is the latest on that code train.
is running in 3650
So that’s it, upgrade your software 🙂
thank you very much your quick support… god belss you
When I am running command sh ap summary , I am not able to get anything on MC but I can see on MA .Please advice do I have to create WLAN ID on MC ?
AP details shown on MA. If you have multiple SPG where you require roaming among them then MC require to configure with WLAN same as MA.
So I need to have WLAN COnfig both on MC as well as MA , The thing is that I have 2 SSID on MC and they are getting Broadcast but user is not able to see any SSID.
as on MA I have only 2 Commands .
wireless mobility controller ip X.X.X.X
wireless management interface Vlan40
ANGOUA BRICE said:
i work on a wireless controler WLC 5760 which is now in ROMMON.
the controler now displays , i want to donwload a new software image and boot on it. In rommon mode, the WLC allows few commands.
Who ca help me please???
See below thread helps
Hi when running 5760 as MC and 3850 as MA, do they have to be on same sw version ?
No, but as a best practise I would keep the same.
Thank you very much for this post. One thing is still very confusing to me when configuring a 3850 stack as a branch site’s wireless controller. At all our other branch offices we use 5508s and have a pair of 5508s in a DMZ that are used as anchor controllers for a guest wireless internet WLAN. Setting up an anchor controller is way different between the 5508s and 3850s. Can you please explain how I would configure this on a 3850 switch?
Very much appreciated!!!
if you have 3850 as MC that can be a Foreign Controller (does not support anchor controller role).
If that is the case your 3850MC need to peer with 5508 in DMZ (new mobility needs to enable on your 5508)
Then you have to configure Guest SSID on your 3850 and anchor that WLAN to 5508 in DMZ
Surya dathan said:
Your blog is awesome and i gained a lot of knowledge from mrncciew. Thank you.
I am having a doubt regarding IP addressing in converged access. I am having 3×3850 as my MA, 5508 as MC and 5508 as GA. we need to have 2 ssid’s, guest and corporate ssid.so how many vlans we should create? My guess is this
3850 – 1 x vlan-corp, 1 x vlan-WifiMgmt
5800 MC – 1 x vlan-corp, 1 x vlan-WifiMgmt
5800 GA – 1 x vlan-guest, 1 x vlan-Wifimgmt
Or do i need to create guest vlan in 5800 MC? also in 3850 MA?
Also, does the WifiMgmt vlan for 3850, 5800-MC, 5800-GA needs to be Layer2? the GA sits in DMZ and 5800-MC sits in server farm.
Appreciate your help and please keep writing.
I replied to this on CSC forum
Adam Looi said:
Thanks for the sharing.
I have deployed my office wireless (Cisco 3650) using the same concept you mentioning in this article.
However, the management decided to have another SSID for guest access by using the same architect we have. My existing network infra hardware are these..
1 x Cisco Catalyst 3650 switch (provision as MC)
6 x Cisco Aironet 2700i
1 x Fortigate firewall 100D
My questions is, will i able to create another SSID for guest and assign them to use the DMZ by using the same architect ?
Guest Anchor concept is there in CA design as well. But you need to have a dedicated controller in DMZ to do that.
Otherwise you have to terminate guest traffic at your 3650 and not tunnel back to DMZ. In that case, it is just matter of creating a new SSID and map different vlan to that.
Hello. I have air-cap2702i-a-k9 directly connected to 3850 gi 1/0/4. I followed your instructions but AP is still not joining in. What am I missing?
ipservices permanent N/A Lifetime
Switch Ports Model SW Version SW Image Mode
—— —– —– ———- ———- —-
1 32 WS-C3850-24P 03.02.03.SE cat3k_caa-universalk9 INSTALL
Switch#show ap summary
Number of APs: 0
Global AP User Name: Not configured
Global AP Dot1x User Name: Not configured
Switch#show int gi 1/0/4
GigabitEthernet1/0/4 is up, line protocol is up (connected)
Switch#show run int vlan21
Current configuration : 63 bytes
ip address 192.168.21.1 255.255.255.0
Switch#show run int gi 1/0/4
Current configuration : 113 bytes
switchport access vlan 21
switchport mode access
wireless mobility controller
wireless management interface Vlan21
Sorry for a late response.
2702 require min IOS-XE 3.6.x. Pls upgrade your switch IOS and it should work
Darrell Dunn said:
I’m trying to configure this 3702i on a 3650 catalyst wireless controller using the GUI
..I’m very new to switching also. I’ve st the 3650 as a MC and created a WLAN. I still cant get the device to broadcast
What is your WLAN ID number ? What IOS-XE version you use ?
I went through the forum and its very useful and it help us to understand things easily.
We were trying to connect one 3702 AP with 3650 WLC and note that it will not directly connected with 3650 WLC.WLC acting as an MC.
Also our setup with foreign-anchor topology. 3650 acting as a foreign controller and 2504 acting as a Anchor and its placed in DMZ Zone.
3702 AP sends the join request and download the IOS image from WLC but the registration wasn’t successful and again started with downloading process.
When i checked with cisco, they were saying that 3650 wlc will support non directly attached AP.
3650 IOS Version 3.7.3
Appreciate your help and thoghts
If you want register AP to 3650 MC then it has to directly connect to that switch. Only other way is you have another 3650 as MA and AP directly connect to that 3650.
Hello there, great blog.
I faced some strange issue – I use 2×3850 in a stack, APs are working fine, the problem is – when I connect to these wi-fi APs I am unable to ssh to the switch (although it is acting as the default gateway).
I know that there is an option on other WLCs to enable management via wireless, but I cannot find anything similar on 3850.
Any ideas would be appreciated.
I think this option was then in IOS-XE, had to dig deep to find it. Let you know if I come across soon.
Ryan OConnell said:
Hello Pert and Rasika
I’m using Denali 16.2.1 code on the 3650 and Also can not figure out why I can not SSH to my switch when connected over WIFI. When Wired it works without issues.
I have the following command entered
but I’m still unable to SSH to the unit.
The other issue that is bothering me is that my “PSK” password shows in clear text in the running config. Rasika I found an earlier post you had on support forms that shows a workaround using a ASCII to HEX conversion that I used as a workaround but I was hoping there was a command that can do this.
I am just wondering if you had ever tried guest management with Cisco ISE on Catalyst 3650. The follow are some of the config I use but could not achieve guest management.
The switch is running version Denali 16.1.2, RELEASE SOFTWARE (fc1).
It has RACL and DACL define in switch and ISE respectively.
We define our parameter as:
parameter-map type webauth global
virtual-ip ipv4 126.96.36.199
redirect for-login https://172.16.6.151:8443/portal/PortalSetup.actionportal=a22369e0-7e54-11e4-9ebe-005056bf01c7
redirect portal ipv4 172.16.6.151
The above was apply on wlan for guest. But redirection did not work.
Because I am not able to lay hand on spare switch I could not test further because this current switch is in production.
I need to conclude if the issues is with IOS version or the config. If you have done it before with the same IOS version then it means it is possible at least it will give me an head up.
Thanks in advance.
Hello from Me . I am Michael. My question is about a 3850 acting as switch and soon as wlc parallel. You say upper that the AP must be directly connected to the switch (3850). This is for the first time or the AP must stay connected on 3850 ? After the AP takes the software from the controller (3850) then can I place the AP some ware in my network and the AP belong in 3850 ‘s APs database ? I have already an 5508 In HA and recently I bought a 3850 switch and now I want to exploit the 50 license of the swich….
No, if you want to register a AP to 3850/3650, you have to directly attach AP to that switch.
Indirectly connect APs are not supported in CA design.
Hello and thanks for your response. There are any design that allow indirectly connection between 3850 and APs ?
If you want WLC function of 3850 to be used, then it does not work.
Thanks for immediate answer.
So, if want to use the 50 APs license how I can exploit these ?
Is there a all-in-one combo command to view all the wireless configuration?
I do know any command available in public.
Below should give you the WLAN specific configuration
show running-config wlan
I am labbing up to lean Cisco ISE 1.4 and setting up my lab.
what i have is 1×3850 and 2X2600 APs and workstation ISE 1.4. i wanted to ask you can i use 3850 as wireless controller and will it give me all function of 5800 series WLC. kindly adivse please
Mntambo Y.O said:
AP 1702i shows this registers to the Catalyst 3850 MC with this behaviour:
On the console of AP output :
Aug 17 16:22:37.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.14.1 peer_port: 5246
*Aug 17 16:22:37.347: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.14.1 peer_port: 5246
*Aug 17 16:22:37.347: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.14.1
*Aug 17 16:22:37.595: %DTLS-5-ALERT: Received WARNING : Close notify alert from 192.168.14.1
*Aug 17 16:22:37.595: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.14.1:5246
*Aug 17 16:22:37.679: %LWAPP-4-CLIENTEVENTLOG: Not sending change state post as the radio admin is down, lrad state = 5
*Aug 17 16:22:37.679: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
*Aug 17 16:22:37.683: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to administratively down
*Aug 17 16:22:37.687: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Aug 17 16:22:37.707: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Aug 17 16:22:38.683: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Aug 17 16:22:38.711: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to down
*Aug 17 16:22:38.719: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*Aug 17 16:22:39.703: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Aug 17 16:22:39.711: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
*Aug 17 16:22:39.735: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Aug 17 16:22:39.743: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
*Aug 17 16:22:39.751: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Aug 17 16:22:40.735: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
*Aug 17 16:22:40.743: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Aug 17 16:22:40.771: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Aug 17 16:22:41.771: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Aug 17 16:23:07.707: AP has SHA2 MIC certificate – Using SHA2 MIC certificate for DTLS.
Then on the controller show commands:
CENTRAL-SW#show ap join stats summary
Number of APs : 3
Base MAC Ethernet MAC AP Name IP Address Status
0081.c42d.1710 cc16.7e2e.0558 APcc16.7e2e.0558 192.168.14.22 Not Joined
0081.c49d.dc60 00f6.6378.6dbc AP00f6.6378.6dbc 192.168.14.23 Joined
00f6.6378.6dbc 00f6.6378.6dbc AP00f6.6378.6dbc 192.168.14.14 Not Joined
CENTRAL-SW#show ap mac-address 0081.c49d.dc60 join stats summary
Is the AP currently connected to controller : No
Time at which the AP joined this controller last time : Aug 17 16:25:00.535
Type of error that occurred last : Lwapp configuration request rejected
Reason for error that occurred last : Regulatory domain check has failed for the AP
Time at which the last join eror occurred : Aug 17 16:25:01.816
CENTRAL-SW#show ap mac-address 0081.c49d.dc60 join stats det
CENTRAL-SW#show ap mac-address 0081.c49d.dc60 join stats detailed
Discovery phase statistics
Discovery requests received : 173
Successful discovery responses sent : 173
Unsuccessful discovery request processing : 0
Reason for last unsuccessful discovery attempt : Not applicable
Time at last successful discovery attempt : Aug 17 16:25:21.933
Time at last unsuccessful discovery attempt : Not applicable
Join phase statistics
Join requests received : 57
Successful join responses sent : 50
Unsuccessful join request processing : 7
Reason for last unsuccessful join attempt : RADIUS authorization is pending for the AP
Time at last successful join attempt : Aug 17 16:25:00.535
Time at last unsuccessful join attempt : Aug 17 16:15:59.574
Configuration phase statistics
Configuration requests received : 100
Successful configuration responses sent : 0
Unsuccessful configuration request processing : 50
Reason for last unsuccessful configuration attempt : Regulatory domain check has failed for the AP
Time at last successful configuration attempt : Not applicable
Time at last unsuccessful configuration attempt : Aug 17 16:25:01.816
Last AP message decryption failure details
Reason for last message decryption failure : Not applicable
Last AP disconnect details
Reason for last AP connection failure : Radius authorization of the AP has failed
Last join error summary
Type of error that occurred last : Lwapp configuration request rejected
Reason for error that occurred last : Regulatory domain check has failed for the AP
Time at which the last join error occurred : Aug 17 16:25:01.816
CENTRAL-SW#show ap summary
Number of APs: 1
Global AP User Name: Not configured
Global AP Dot1x User Name: Not configured
AP Name AP Model Ethernet MAC Radio MAC State
AP00f6.6378.6dbc 1702I 00f6.6378.6dbc 0081.c49d.dc60 Registered
CENTRAL-SW#show ap summary
Number of APs: 0
Global AP User Name: Not configured
Global AP Dot1x User Name: Not configured
Mntambo Y.O said:
Please help if any one can tell what might be the cause of that
Pls start a thread in CSC forum given below. In that way you can get a faster response from many others (I will look that more regularly)
What’s the list of the compatible LWAPP access point for SW-C3850 ?
Refer table given in below URL. Last two column refer to IOS-XE support which is 3850/3650
How to enable SSH for all the associated AP’s at global level?
Can it be done via commands on the switch?
i want disable wireless feature from 3850 please suggest me. and also can you please share roll back plan to enable it back
and also im using our data VLAN(192.168.101.0/24) L3 VLAN as management VLAN so if i remove “wireless management interface vlan x” command from my switch will it affected my data VLAN.
currently WLC, AP and users connection are in default VLAN1
we bought Cisco switch 3650 and aironet 2802i-e-k9…. but the issue is there the APs are not joining the controller…. could you please help me to know why?
2800 series only supported in 16.3.x code of your switches. So if you upgrade it to 16.3.x it will work.
Pls not that Cisco killed “converged access” technology and not supported beyond 16.3.x software version. So you are stuck with that code forever if you want to use that 3850 integrated controller.
See table 6 of below link
I can see from the table…..the recommended is 16.3.1 but there is a notice from cisco saying that 16.3.1 has an issue!!! please advise
You can go with latest in 16.3.9 as of today
Claude KAREMERA said:
Thanks…. they can now join the MC…. but here is also the message am getting from switch:
CAPWAP-3-INVALID_SEQ_ERR:Switch 1 R0/0: wcm: Received packet with invalid sequence number from AP (dc8c.374c.fe80).
Could you share ios 3.2.x switch cisco 3850 ?
my switch stuck on booting when upgrade to 16.x
I can’t download ios 3.2.x because it’s deffered on cisco web
here is the log
/temp/bundle is not a Nova bundle
/common: line 1970: [: ==: unary operator expected
/common: line 1973: [: ==: unary operator expected
Emergency Install failed – bundle usbflash0:/cat3k_caa-universalk9.16.03.09.SPA.bin is not supported on this platform
Kelly Rosal said:
I have the Cisco 3650 switches and trying to get them configured correctly. Using the show AP summary from the controller, I am not showing an AP’s connected. I do see the AP’s added via the GUI on the Controller AP List Summary. It shows them as being in the Mobility Group. Is this something different?
Hi Kelly, Are you still having this issue ? If so, pls start a thread on CSC forum at that is the best place to get help for it.
i have recently applied ap count license on a 3850 switch ad it continues to reboot after the operation,How can i resolve the continuous reboot issue
what version of 3850 is that ? Did you try different code version