WLAN Ramblings: August 2023

Monday, August 28, 2023

Quickly get your 91xx APs to join a 9800 series controller (and start broadcasting)

I was looking for an easy way to get the 91xx series APs to join a 9800 WLC and start broadcasting the WLAN immediately.

Let me just say that I prime the APs. Or have someone else do it - I want to know the AP works, is labeled, and is properly named so when the low voltage guys install it, the AP just starts working.

First, I built a macro spreadsheet to scan the MAC address of the access point, and created columns for my hostnames, IPs, etc. If you want the spreadsheet, just PM me and I'll send a "working" copy to you. I'm always trying to improve it... :)

My spreadsheet creates this output, so I simply copy and paste each column into the controller CLI and viola!!!

ap name AP6849.92D1.1C90 name xyz148-011-ap01	ap name xyz148-011-ap01 con pri abc001-011-wc01 10.64.25.5
ap name AP6849.92D1.0A40 name xyz148-011-ap02	ap name xyz148-011-ap02 con pri abc001-011-wc01 10.64.25.5
ap name AP6849.92D1.1490 name xyz148-011-ap03	ap name xyz148-011-ap03 con pri abc001-011-wc01 10.64.25.5
ap name AP6849.92CF.0C10 name xyz148-011-ap04	ap name xyz148-011-ap04 con pri abc001-011-wc01 10.64.25.5
ap name AP6849.92CF.1E70 name xyz148-011-ap05	ap name xyz148-011-ap05 con pri abc001-011-wc01 10.64.25.5
ap name AP6849.92CF.1EB0 name xyz148-011-ap06	ap name xyz148-011-ap06 con pri abc001-011-wc01 10.64.25.5
ap name AP6849.92CF.1DD0 name xyz148-011-ap07	ap name xyz148-011-ap07 con pri abc001-011-wc01 10.64.25.5

Next, I joined 7 APs to the controller and renamed them and gave them their primary controller config. They join the controller, but they won’t start broadcasting because they won’t get the tags. Translation - it's 3am and my phone rings because "the Wi-Fi is DOWN!!!"

What's an easy way to avoid this cataclysmic catastrophe? I don't want to be online, copying and pasting mac addresses into the controller at 3am while low voltage folks are doing their thing.

The answer is filters!

https://www.cisco.com/c/en/us/td/docs/wireless/con/9800/config-guide/newconfigmodel/b_catalyst-9800-configuration-model/m_creating-an-ap-filter.html

I built this filter on the controller, since we are going to install 7 access points in small facility and point these APs to the 9800.

I added this to the config:

ap filter name xyz148

ap name-regex xyz148* <- This is a regular expression, filtering on the first part of the AP name

tag policy abc001_Policy_Tag <-These are tags configured in the controller

tag rf abc001_RF_Tag <-These are tags configured in the controller

tag site abc001_Site_Tag <-These are tags configured in the controller

What this does is match all the AP names from access points to a filter, and automagically sets all three tags. That translates to the AP starts broadcasting, and your phone doesn't ring!

There was only one problem, though. It didn't work! I was NOT happy! Thinking hours of work went down the drain, I started digging.

abc001-011-wc01#sho ap summary

Number of APs: 8

CC = Country Code

RD = Regulatory Domain

AP Name Slots AP Model Ethernet MAC Radio MAC CC RD IP Address State Location

---------------------------------------------------------------------------------------------------------------------------------------------------------------------

xyz148-011-ap04 3 CW9166I-B 6849.92cf.0c10 5c64.f1c0.09e0 US -B 10.64.25.127 Registered default location

xyz148-011-ap07 3 CW9166I-B 6849.92cf.1dd0 5c64.f1c0.2d60 US -B 10.64.25.124 Registered default location

xyz148-011-ap05 3 CW9166I-B 6849.92cf.1e70 5c64.f1c0.2ea0 US -B 10.64.25.126 Registered default location

xyz148-011-ap06 3 CW9166I-B 6849.92cf.1eb0 5c64.f1c0.2f20 US -B 10.64.25.125 Registered default location

abc001-011-ap01 3 CW9166I-B 6849.92cf.f810 5c64.f1c1.6ce0 US -B 10.64.25.116 Registered default location ß This one another filter and it works. The others do not bcast.

xyz148-011-ap02 3 CW9166I-B 6849.92d1.0a40 90e9.5e9a.0640 US -B 10.64.25.123 Registered default location

xyz148-011-ap03 3 CW9166I-B 6849.92d1.1490 90e9.5e9a.1ae0 US -B 10.64.25.128 Registered default location

xyz148-011-ap01 3 CW9166I-B 6849.92d1.1c90 90e9.5e9a.2ae0 US -B 10.64.25.129 Registered default location

Dig a little more...

abc001-011-wc01#sho ap filters all

Filter Name regex Policy Tag RF Tag Site Tag

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------

abc001 abc001* abc001_Policy_Tag abc001_RF_Tag abc001_Site_Tag

abc101 abc101* abc101_Policy_Tag abc101_RF_Tag abc101_Site_Tag

xyz148 xyz148* abc001_Policy_Tag abc001_RF_Tag abc001_Site_Tag

abc001-011-wc01#sho ap filters active

Priority Filter Name regex Policy Tag RF Tag Site Tag

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

1 abc001 abc001* abc001_Policy_Tag abc001_RF_Tag abc001_Site_Tag

2 abc101 abc101* abc101_Policy_Tag abc101_RF_Tag abc101_Site_Tag

My filter for the xyz148 named access points don't work? I created the filter just like the other one that I configured last week. (via GUI, and am now trying to script things)

Turns out, I forgot this one step. After creating a filter, there is another step, and that is creating a filter priority. I know, I don't understand it either, but I did it anyway... because "a filter without a priority is not active". It's always those little gotchas in the small print!

There we have it. Simply put, name your APs on the bench on a WLC running the same code you have in production. Scan them, label them, and CLI config them and when they hit the WLC, they'll start broadcasting. You'll have your nights and weekend back. If you get paid by the hour, pretent you never saw this post.

Virus-free.www.avg.com

Thursday, August 17, 2023

Configuring SSO redundancy on the Cisco 9800

In this blog, I will setup link redundancy to the switch, using two fiber uplinks, and then configure SSO on the standalone 9800 series controller.

First, I create a port channel and then configure the uplinks on the Primary 9800 controller.

interface Port-channel7

description edh001-011-wc01

switchport trunk allowed vlan 25,34,300,2346,3200,3201

switchport mode trunk

switchport nonegotiate

logging event trunk-status

logging event bundle-status

interface TenGigabitEthernet0/0/0

description WLAN Controller trunk uplink

switchport trunk allowed vlan 25,34,300,2346,3200,3201

switchport mode trunk

switchport nonegotiate

logging event trunk-status

no negotiation auto

channel-group 7 mode on

interface TenGigabitEthernet0/0/1

description WLAN Controller trunk uplink

switchport trunk allowed vlan 25,34,300,2346,3200,3201

switchport mode trunk

switchport nonegotiate

logging event trunk-status

no negotiation auto

channel-group 7 mode on

Now I create the other end of the configuration – which happens to be the core switch:

interface Port-channel7

description edh001-011-wc01

switchport trunk allowed vlan 25,34,300,2346,3200,3201

switchport mode trunk

switchport nonegotiate

logging event trunk-status

logging event bundle-status

interface TenGigabitEthernet1/1/1

description edh001-011-wc01

switchport trunk allowed vlan 25,34,300,2346,3200,3201

switchport mode trunk

switchport nonegotiate

logging event trunk-status

logging event bundle-status

channel-group 7 mode on

interface TenGigabitEthernet1/1/2

description edh001-011-wc01

switchport trunk allowed vlan 25,34,300,2346,3200,3201

switchport mode trunk

switchport nonegotiate

logging event trunk-status

logging event bundle-status

channel-group 7 mode on

Next, I create the configuration on the core switch to talk to the second, “base configured” 9800 series controller that we will put into SSO.

interface Port-channel8

description edh001-011-wc01

switchport trunk allowed vlan 25,34,300,2346,3200,3201

switchport mode trunk

switchport nonegotiate

logging event trunk-status

logging event bundle-status

interface TenGigabitEthernet1/1/3

description edh001-011-wc01-

switchport trunk allowed vlan 25,34,300,2346,3200,3201

switchport mode trunk

switchport nonegotiate

logging event trunk-status

logging event bundle-status

channel-group 8 mode on

interface TenGigabitEthernet1/1/4

description edh001-011-wc01

switchport trunk allowed vlan 25,34,300,2346,3200,3201

switchport mode trunk

switchport nonegotiate

logging event trunk-status

logging event bundle-status

channel-group 8 mode on

Now back to the 9800 series controller, the one that we will call Primary. It has a configuration on it and it basically a standalone controller.

I am going to configure this controller as the primary, since I just want a specific controller to be the primary. A higher chassis = higher priority.

edh001-011-wc01#chassis 1 renumber 2

WARNING: Changing the switch number may result in a configuration change for that switch. The interface configuration associated with the old switch number will remain as a provisioned configuration. New Switch Number will be effective after next reboot. Do you want to continue?[y/n]? [yes]: yes ß Note that I have not rebooted it yet!!!

edh001-011-wc01#sho chassis

Chassis/Stack Mac Address : 4cec.0f2a.a3a0 - Local Mac Address

Mac persistency wait time: Indefinite

Local Redundancy Port Type: Twisted Pair

H/W Current

Chassis# Role Mac Address Priority Version State IP

-------------------------------------------------------------------------------------

*1 Active 4cec.0f2a.a3a0 1 V02 Ready 0.0.0.0 ß Note that I have not rebooted it yet!!!

edh001-011-wc01#chassis 1 priority 2

edh001-011-wc01#sho chassis

Chassis/Stack Mac Address : 4cec.0f2a.a3a0 - Local Mac Address

Mac persistency wait time: Indefinite

Local Redundancy Port Type: Twisted Pair

H/W Current

Chassis# Role Mac Address Priority Version State IP

-------------------------------------------------------------------------------------

*1 Active 4cec.0f2a.a3a0 2 V02 Ready 0.0.0.0 ß Note that I have not rebooted it yet!!!

A little heads up. I’m running 17.9.3, and I was going to use IP address of 169.254.5.6, since the management vlan (25) is 10.64.25.x. This was an epic failure and when I tried to configure it I got my hand slapped:

!!! configuring 169.254.X.Y(f) is not allowed

Therefore, don’t waste your time. Grab two IP addresses off your management subnet and use them for SSO and be done with it.

*remember*, this is now chassis two, not one. ß Note that I have not rebooted it yet!!! When I reboot it, it will be chassis 2. So we are configuring it now as if it is chassis 2. If you are confused, just reboot your controller, I suppose.

edh001-011-wc01(config)#redun-management interface vlan 25 chassis 2 address 10.64.25.253 chassis 1 address 10.64.25.254

edh001-011-wc01#wr mem

=========== NOW MOVING TO THE OTHER CONTROLLER – THE ONE THAT WILL MAKE THEM AN SSO PAIR============

Now, let’s go to the SSO controller. I put a base config on it which consists of an IP address on the g0 so I could install the same exact code on it that is running on the Primary 9800 controller.

Armed with a console cable, I slowly approach the controller and quickly plug it in to the console port. Success!

*create a port channel and then configure the uplinks on the 9800 controller* use the steps at the beginning of this HowTo.

edh001-011-wc02(config)#

edh001-011-wc02(config)#redun-management interface vlan 25 chassis 1 address 10.64.25.254 chassis 2 address 10.64.25.253

WARNING: Reload HA Chassis for RMI configuration to take effect ß Note this is a subtle hint for me to go BACK to the Primary controller and reboot it.

*note – this chassis is chassis #1, just like the other one. We are going to leave this one as chassis #1, per config line above.

=========== NOW MOVING TO THE PRIMARY CONTROLLER (for rebooting purposes) ============

edh001-011-wc01#reload

Reload command is being issued on Active unit, this will reload the whole stack

Proceed with reload? [confirm] Y

Now I am going to just paste console outputs from both controllers, since the Primary has rebooted and the SSO pair is successful. edh001-011-wc01 is Primary, edh001-011-wc01-stby is the standby.

edh001-011-wc01#sho chassis

Chassis/Stack Mac Address : 4cec.0f2a.a3a0 - Local Mac Address

Mac persistency wait time: Indefinite

Local Redundancy Port Type: Twisted Pair

H/W Current

Chassis# Role Mac Address Priority Version State IP

-------------------------------------------------------------------------------------

1 Standby 648f.3e83.fb20 1 V02 HA sync in progress 169.254.25.254 ß The standby controller has not synced yet

*2 Active 4cec.0f2a.a3a0 2 V02 Ready 169.254.25.253 ß This is the Primary, recall we renumbered it to chassis 2.

#sho chassis

Chassis/Stack Mac Address : 4cec.0f2a.a3a0 - Local Mac Address

Mac persistency wait time: Indefinite

Local Redundancy Port Type: Twisted Pair

H/W Current

Chassis# Role Mac Address Priority Version State IP

-------------------------------------------------------------------------------------

1 Standby 648f.3e83.fb20 1 V02 Ready 169.254.25.254ß synchronized

*2 Active 4cec.0f2a.a3a0 2 V02 Ready 169.254.25.253 ß synchronized

Now look at the management VLAN’s config: The secondary IP address has been added to the management VLAN’s configuration.

edh001-011-wc01#sho run int vlan 25

Building configuration...

Current configuration : 144 bytes

interface Vlan25

description WLAN_MGMT_10.64.25.0

ip address 10.64.25.253 255.255.255.0 secondary

ip address 10.64.25.5 255.255.255.0

end

Here’s a trick if you want to be able use console in to the standby controller and issue *some* commands. I’m not an expert on what commands are available.

edh001-011-wc01#conf t

Enter configuration commands, one per line. End with CNTL/Z.

edh001-011-wc01(config)#

edh001-011-wc01(config)#redundancy

edh001-011-wc01(config-red)#main-cpu

edh001-011-wc01(config-r-mc)#standby console enable

edh001-011-wc01(config-r-mc)#do wr mem

Building configuration...

=========== NOW MOVING TO THE SECONDARY CONTROLLER (to see what commands are available on console) ============

Username: admin123

Password: ChangeMe

edh001-011-wc01-stby>ena

Password: PleaseChangeMeNow

edh001-011-wc01-stby#sho chassis

Chassis/Stack Mac Address : 4cec.0f2a.a3a0 - Local Mac Address

Mac persistency wait time: Indefinite

Local Redundancy Port Type: Twisted Pair

H/W Current

Chassis# Role Mac Address Priority Version State IP

-------------------------------------------------------------------------------------

*1 Standby 648f.3e83.fb20 1 V02 Ready 169.254.25.254

2 Active 4cec.0f2a.a3a0 2 V02 Ready 169.254.25.253

edh001-011-wc01-stby#sho chassis rmi

Chassis/Stack Mac Address : 4cec.0f2a.a3a0 - Local Mac Address

Mac persistency wait time: Indefinite

Local Redundancy Port Type: Twisted Pair

H/W Current

Chassis# Role Mac Address Priority Version State IP RMI-IP

--------------------------------------------------------------------------------------------------------

*1 Standby 648f.3e83.fb20 1 V02 Ready 169.254.25.254 10.64.25.254

2 Active 4cec.0f2a.a3a0 2 V02 Ready 169.254.25.253 10.64.25.253

edh001-011-wc01-stby#

You’re done! SSO is configured.

Virus-free.www.avg.com

Wednesday, August 9, 2023

AAA configuration on the 9800 WLC

I’m on the fence as to whether the new 9800’s AAA configuration is easier or not, when compared to the AireOS controllers.

In this blog, I am creating the config for the new 9800 controllers. Six WLANs – just to use for example’s sake. We would never create this many in production!

We need to create RADIUS server instances. I want to use ranges of ISE instances since groups of WLANs often use the same instances.

Instances 1-9 can be for CorpWiFi, MedGear and Voice WLANs

Instances 10-19 can be for BYOD and Contractor

Instances 20-29 can be for Guest.

This way when we want to add another auth&acct instance for CorpWiFi, we can just pick index 3 everywhere. We can even use a template to deploy it as index 3 with DNAC in the future. We can continue to recycle instances 1-9 for the same group of WLANs. Same goes for the other groups of WLANs.

*note* The 9800 does things differently than the 5508, where it had an accounting instance and an authentication instance. The 9800’s config has the accounting and authorization as a combined configuration. At least that’s my understanding. I tried to make them separate, to no avail.

I am using a naming convention RADSER_AUTH_ACCT_X, (X=index number). This convention initially came from the config translator, and I liked it so I kept it around.

radius server RADSER_AUTH_ACCT_1 ß CorpWiFi, MedGear and Voice

address ipv4 10.44.17.210 auth-port 1812 acct-port 1813

key Secret_Key123

radius server RADSER_AUTH_ACCT_2 ß CorpWiFi, MedGear and Voice

address ipv4 10.155.214.39 auth-port 1812 acct-port 1813

key Secret_Key123

radius server RADSER_AUTH_ACCT_11ß BYOD and Contractor

address ipv4 10.151.6.102 auth-port 1812 acct-port 1813

key Secret_Key123

radius server RADSER_AUTH_ACCT_12ß BYOD and Contractor

address ipv4 10.224.5.4 auth-port 1812 acct-port 1813

key Secret_Key123

radius server RADSER_AUTH_ACCT_21ß Guest

address ipv4 10.224.5.6 auth-port 1812 acct-port 1813

key Secret_Key123

radius server RADSER_AUTH_ACCT_22ß Guest

address ipv4 10.224.5.6 auth-port 1812 acct-port 1813

key Secret_Key123

>>>>> Now we group the RADIUS authorization and accounting into AAA Groups for simplicity<<<<<

aaa group server radius RAD_GRP_AUTH_ACCT_CorpWiFi ß This creates a group that does authentication and accounting

server name RADSER_AUTH_ACCT_1

server name RADSER_AUTH_ACCT_2

aaa group server radius RAD_GRP_AUTH_ACCT_MedGear

server name RADSER_AUTH_ACCT_1

server name RADSER_AUTH_ACCT_2

aaa group server radius RAD_GRP_AUTH_ACCT_Voice

server name RADSER_AUTH_ACCT_1

server name RADSER_AUTH_ACCT_2

aaa group server radius RAD_GRP_AUTH_ACCT_BYOD

server name RADSER_AUTH_ACCT_11

server name RADSER_AUTH_ACCT_12

aaa group server radius RAD_GRP_AUTH_ACCT_Contractor

server name RADSER_AUTH_ACCT_11

server name RADSER_AUTH_ACCT_12

aaa group server radius RAD_GRP_AUTH_ACCT_SHGuestNet

server name RADSER_AUTH_ACCT_21

server name RADSER_AUTH_ACCT_22

Now we create an 802.1x authentication groups using DOT1X_AUTH_CorpWiFi nomenclature for simplicity and point it to the similarly named RADIUS auth & accounting group.

aaa authentication dot1x DOT1X_AUTH_CorpWiFi group RAD_GRP_AUTH_ACCT_CorpWiFi

aaa authentication dot1x DOT1X_AUTH_MedGear group RAD_GRP_AUTH_ACCT_MedGear

aaa authentication dot1x DOT1X_AUTH_Voice group RAD_GRP_AUTH_ACCT_Voice

aaa authentication dot1x DOT1X_AUTH_BYOD group RAD_GRP_AUTH_ACCT_BYOD

aaa authentication dot1x DOT1X_AUTH_Contractor group RAD_GRP_AUTH_ACCT_Contractor

aaa authorization network MAB_AUTH_SHGuestNet group RAD_GRP_AUTH_ACCT_SHGuestNet

Now we create an 802.1x accounting group using ACCT_LIST_POL_PROF_CorpWiFi nomenclature for simplicity and point it to the RADIUS auth & accounting group. Why POL_PROF in the nomenclature? Because the accounting list is referenced in the WLAN’s Profile Policy, not the WLAN config itself.

aaa accounting identity ACCT_LIST_POL_PROF_CorpWiFi start-stop group RAD_GRP_AUTH_ACCT_CorpWiFi (see how we are re-using this, instead of creating all new config lines)

aaa accounting identity ACCT_LIST_POL_PROF_MedGear start-stop group RAD_GRP_AUTH_ACCT_MedGear

aaa accounting identity ACCT_LIST_POL_PROF_Voice start-stop group RAD_GRP_AUTH_ACCT_Voice

aaa accounting identity ACCT_LIST_POL_PROF_SHGuesNet start-stop group RAD_GRP_AUTH_ACCT_BYOD

aaa accounting identity ACCT_LIST_POL_PROF_BYOD start-stop group RAD_GRP_AUTH_ACCT_Contractor

aaa accounting identity ACCT_LIST_POL_PROF_Contractor start-stop group RAD_GRP_AUTH_ACCT_SHGuestNet

Now we reference the authentication group in the WLAN itself:

wlan CorpWiFi 1 CorpWiFi

security dot1x authentication-list DOT1X_AUTH_CorpWiFi

no shutdown

Now we reference the accounting group in the WLAN Profile Policy for CorpWiFi

wireless profile policy POL_PROF_CorpWiFi

aaa-override

accounting-list ACCT_LIST_POL_PROF_CorpWiFi

description "Policy profile for CorpWiFi"

no shutdown

I know it seems like a lot, but I chose six instances of ISE to help illustrate how things are grouped and mapped.

Do you think the old way was easier? Which way do you think scales more?

Virus-free.www.avg.com

Tuesday, August 8, 2023

How to create tunnel between Cisco 5508 (IRCM) and 9800

First, we put the IRCM image on the 5508.

Here are the test APs on the Junktown controller:

Here is the mobility configuration – this builds the tunnel between the 5508 running IRCM code and the 9800:

Password:********

(jkn001-011-wc03) >config mobility group member add 4c:ec:0f:2a:a3:ab 10.64.25.5 JKN encrypt enable

(jkn001-011-wc03) >config mobility group member data-dtls 4c:ec:0f:2a:a3:ab disable

(jkn001-011-wc03) >save config

Are you sure you want to save? (y/n) y

Configuration Saved!

(jkn001-011-wc03) >

Here is the config on the 9800:

jkn001-011-wc01(config)#wireless mobility group name JKN

Changing mobility domain name may disrupt connectivity for clients on 11r or Adaptive 11r capable active WLANs

Are you sure you want to continue? (y/n)[y]: y

jkn001-011-wc01(config)#

jkn001-011-wc01(config)# wireless mobility group member mac-address 4c00.8271.5040 ip 10.64.25.15 public-ip 10.64.25.15 group JKN

jkn001-011-wc01(config)#

Then the tunnel comes up:

*Aug 8 14:26:56.744: %MM_NODE_LOG-6-MEMBER_ADDED: Chassis 1 R0/0: mobilityd: Adding Mobility member (IP: IP: 10.64.25.15: JKN)

*Aug 8 14:27:15.588: %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as tdennehy on vty1

*Aug 8 14:27:17.803: %MM_NODE_LOG-5-KEEP_ALIVE: Chassis 1 R0/0: mobilityd: Mobility Data tunnel to peer IP: 10.64.25.15 changed state to UP

*Aug 8 14:27:31.782: %MM_INFRA_LOG-3-RECV_FAILED: Chassis 1 R0/0: mobilityd: Unable to receive mobility message aplist_update from ipv4: 10.64.25.15 . reason: Peer link is down

*Aug 8 14:28:17.802: %MM_NODE_LOG-5-KEEP_ALIVE: Chassis 1 R0/0: mobilityd: Mobility Control tunnel to peer IP: 10.64.25.15 changed state to UP

*Aug 8 14:29:03.353: %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as tdennehy on vty1

jkn001-011-wc01(config)