| Author: | Herbert Haas |
|---|---|
| Address: | herbert AT perihel DOT at http://www.perihel.at/dcom |
| Revision: | 0.5 |
| Date: | 2007-10-29 |
| Copyright: | Copyright (c) 2007 Herbert Haas. |
Abstract
This document summarizes important facts about Cisco's WLAN Controllers (WLCs). It is not a WLAN tutorial. Note that Cisco-related explanations or recommendations are provided as is, without any warranty - please consult www.cisco.com for more detailed information. The reader should already be familiar with WLAN fundamentals (see e. g. my WLAN lecture notes). If you find any mistakes please send me an E-Mail, thanks!
CDP version 2 is supported on 2X00 and 440X series (not in integrated WLCs such as WiSM, WLCM etc)
Virtual Interface used by layer 3 security, DHCP relay, and Mobility Managers
up to 17 Radius Servers per WLAN.
RFID timeout on WLC should be 8-10 times the tag beacon rate.
Max 512 VLANs
ESM - 1 for 4402, 2 for 4404, 1 Gbit and 1000 clients per ESM.
Can control up to 16 WLANs for each 10X0 series AP and 8 WLANs for the 1130/1200/1230 and 1240 series AP
Radius server index -> priority
Up to 3 rogues can be contained concurrently by a single AP, and one rogue can be contained by a maximum of 4 APs.
All multicast packets are sent at the lowest QoS level.
AP Power level settings:
- 1= Max
- 2= 50%
- 3= 25%
- 4= 6.25% to 12.5%
- 5= 0.195% to 6.25%
The WLC keeps up to 5 controller crash files.
An Access List (ACL) can be applied either on a VLAN interface or on a specific WLAN:
config wlan acl [<Wlan id>] [<ACL name> | none]
The same is true with MAC filters.
Maximum 256 message logs are stored locally (FIFO). Use external syslog server!
When a WLC (4404 or WiSM) LAG port is connected to a Catalyst 6500 channel group (or Cat 3750G) then note the following rules:
Without LAG, each WLC port only supports 48 LAPs. With LAG enabled the total LAP capacity is available to all interfaces! That is, if e. g. three interfaces of a 4404 fail, the remaining one can still handle up to 100 LAPs. With LAG only one functional physical port is needed to maintain connectivity!
LAG requires the Etherchannel to be configured for the "on" mode on both the WLC and the switch. There is no negotiation protocol supported on the WLC.
Therefore it does not matter if the switch is configured with either Link Aggregation Control Protocol (LACP) or the Cisco Port Aggregation Protocol (PAgP). Both LACP and PAgP are not supported on the controllers.
On the switch a load-balancing method must be chosen that terminates all IP datagram fragments on a single WLC port pair. On the 4404 there is one Network Processing Unit (NPU) for fragment reassembly for ports 1+2 and another NPU for ports 3+4. (On the 4402 there is only a single NPU for ports 1+2 so there is no problem with load balancing.)
- The recommended load-balancing method for Catalyst switches is port-channel load-balance src-dest-ip.
All WLC ports must belong to the same LAG group! Only one LAG group is supported, therefore the WLC can only be attached to one switch (otherwise disable LAG mode). However it is recommended to terminate the links on different modules on a modular switch. Terminating on two different modules within a single Catalyst 6500 switch provides redundancy and ensures that connectivity between the switch and the controller is maintained when one module fails.
HSRP is NOT supported!
Any change to the LAG configuration requires a controller reboot.
When enabling LAG:
- Mgmt and AP-Mgr interfaces move to the LAG port
- All dynamic AP-Mgr interfaces are deleted
- VLAN interfaces are moved to LAG port
- WLANs are disabled and mapped to the Mgmt interface - you need to reassign them to the VLANs!
- You can only create interfaces on the LAG logical port 29.
All packets are transmitted over the same physical port on which they were received.
When disabling LAG:
- Mgmt and AP-Mgr interfaces as well as VLAN interfaces move to port 1
- You should define secondary ports for all interfaces (for backup)
- You must assign AP-Mgr interfaces to each port
Packets can be forwarded over any port, regardless of the port on which they originally arrived.
LAG is enabled per default and cannot be disabled on the WiSM and on the integrated WLC inside the Catalyst 3750G.
PAgP switchover takes at least 30 seconds, which is too slow to maintain certain traffic (for example, TCP) when switching from one port to the other. There is no workaround for this limitation.
LAG configuration on the switch:
```
interface GigabitEthernet1/0/18
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 30 mode on   !!! specifying a channel group number forces LAG without PAgP or LACP
!
interface GigabitEthernet1/0/20
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 30 mode on   !!! specifying a channel group number forces LAG without PAgP or LACP
```
Destination ports:
- Data: 12222
- Control: 12223
For each tunnel the AP is the client and uses a random source port.
That means a firewall must permit:
- UDP traffic with destination port 12223 for the Management interface
- UDP traffic with destination ports 12222 and 12223 for the AP Manager interface
- And of course TCP 443 and TCP 22 on the Management interface
Observed (FYI):
- From SP=12221 (AP) to DP=12222 (WLC-Data)
- From SP=12223 (WLC-Control) to DP=52799
Inter-controller messages
- 16666 to 16666 and 16667 to 16667 (mobility traffic)
- WLCs must not be separated by NAT because the WLC's IP address is also carried inside the (encrypted) packets and compared with the header source address. See Controller Hunt Algorithm for further details.
LWAPP discovery response contains:
- controller name
- controller type
- current number of APs (load)
- AP capacity
- AP Manager ip address
- Master Controller status
L2 LWAPP uses Ethertype 0xbbbb
Using DHCP option 43 a DHCP server can announce the IP addresses of WLCs to LAPs. The native LWAPP-APs expect option 43 to be a simple ASCII string while converted APs need a hexadecimal TLV.
It is possible to mix both AP types because every LAP appends DHCP option 60 (the Vendor Class Identifier, VCI) to its DHCP request. A typical DHCP configuration on a Cisco router would therefore look like this:
```
ip dhcp pool POOL-1000er
 network 10.1.1.0 /24
 default-router 10.1.1.254
 ...
 option 60 ascii "Airespace.AP1200"            ! identifies 1000 series
 option 43 ascii "192.168.10.9,172.26.12.89"
!
ip dhcp pool POOL-1200er
 network 10.2.2.0 /24
 default-router 10.2.2.254
 ...
 option 60 ascii "Cisco AP c1200"
 option 43 hex f108ac1a0c59c0a80a09
```
Note that there must be a dedicated DHCP section for each AP type. The first pool identifies all 1000 series LAPs and assigns the primary WLC IP address 192.168.10.9 and 172.26.12.89 as secondary WLC address. The second pool matches all 1200 series LAPs (such as the 1231 but not the 1240!) and assigns a strange TLV which consists of:
- Type = f1 (must always be this value!)
- Length = 08 which announces 8 bytes of value following (2 IP addresses)
- Value = ac1a0c59 and c0a80a09 which corresponds to the IP addresses 172.26.12.89 and 192.168.10.9 respectively
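To make the TLV layout above concrete, here is a small encoder/decoder for the hexadecimal form of option 43 (and the comma-separated ASCII form used by the 1000 series). This is an added example written for these notes, not Cisco code; the sub-option type 0xf1 and the 4-byte-per-address layout are taken from the description above, and the decoder's consistency checks (type byte, length field, 4-byte alignment) are my own additions.

```python
import ipaddress

# Sub-option type byte that converted Cisco LAPs expect (from the notes: "must always be f1").
LWAPP_WLC_TYPE = 0xF1


def encode_option43_hex(wlc_addresses):
    """Build the hex string for 'option 43 hex ...': type f1, length, then n IPv4 addresses."""
    packed = b"".join(ipaddress.IPv4Address(a).packed for a in wlc_addresses)
    if not packed:
        raise ValueError("at least one WLC address is required")
    if len(packed) > 255:
        raise ValueError("too many addresses for a one-byte length field")
    return bytes([LWAPP_WLC_TYPE, len(packed)]).hex() + packed.hex()


def decode_option43_hex(hexstring):
    """Parse the TLV back into dotted-quad strings, refusing malformed input.

    A wrong length byte or a truncated value is rejected instead of silently
    yielding a partial or shifted address list (my own checks, not a WLC behaviour).
    """
    raw = bytes.fromhex(hexstring)
    if len(raw) < 2 or raw[0] != LWAPP_WLC_TYPE:
        raise ValueError("not an LWAPP WLC TLV (type byte must be 0xf1)")
    length, value = raw[1], raw[2:]
    if length != len(value) or length % 4 != 0:
        raise ValueError("length field does not match the payload or payload is not a multiple of 4 bytes")
    return [str(ipaddress.IPv4Address(value[i:i + 4])) for i in range(0, length, 4)]


def encode_option43_ascii(wlc_addresses):
    """Native 1000 series LAPs expect a plain comma-separated ASCII list instead of the TLV."""
    return ",".join(str(ipaddress.IPv4Address(a)) for a in wlc_addresses)


if __name__ == "__main__":
    # Addresses taken from the example pools above; order = primary first.
    wlcs = ["172.26.12.89", "192.168.10.9"]
    print("option 43 hex  ", encode_option43_hex(wlcs))
    print("option 43 ascii", encode_option43_ascii(["192.168.10.9", "172.26.12.89"]))
    print("decoded        ", decode_option43_hex("f108ac1a0c59c0a80a09"))
```

Run against the addresses from the example pools, `encode_option43_hex` reproduces exactly the `f108ac1a0c59c0a80a09` string used in the second pool, which is a quick way to verify a hand-typed TLV before deploying it.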
The VCI strings for all current Cisco APs are listed in the table below. Please note the odd VCI numbering and the dot in some fields. (The strings are really correct, I verified them twice ;-))
| Access Point | Vendor Class Identifier |
|---|---|
| 1000 | Airespace.AP1200 |
| 1100 | Cisco AP c1100 |
| 1130 | Cisco AP c1130 |
| 1200 | Cisco AP c1200 |
| 1240 | Cisco AP c1240 |
| 1300 | Cisco AP c1300 |
| 1500 | Cisco AP.LAP1510 |
The WLC acts as a DHCP relay device through the virtual interface. The virtual IP is used downstream to the client and the Management-IP is used upstream to the DHCP server!
Debugging: debug dhcp packet enable
The internal DHCP server is primarily used for WLAN clients; on the VLAN interface you MUST specify the Management interface IP address.
Before WLC software version 4.0 the internal DHCP server could only assign IP addresses to clients and not to LAPs. (Now it is possible but the LAPs should be directly connected to the WLC. Also, you cannot share a DHCP scope between two or more WLCs.)
When a LAP boots up it performs three steps:
1. Get an IP address (DHCP)
2. Create a list of reachable WLCs. The reachability is verified via an LWAPP discovery request/response mechanism. In order to find valid WLC IP addresses, the LAP does the following:
   - The LAP sends a L3-LWAPP discovery message to 255.255.255.255 (if L2-LWAPP is configured then only a L2 broadcast is used)
   - The LAP checks whether IP addresses of any previously joined WLCs are stored in its flash
   - The LAP asks other LAPs using its radio interface and the Over the Air Provisioning (OTAP) protocol
   - The LAP checks whether a DHCP server sent WLC addresses via DHCP option 43
   - The LAP tries a DNS name resolution for the name CISCO-LWAPP-CONTROLLER@local-domain
3. Select one WLC based on a priority scheme:
   - Prefer WLCs that are already stored in the flash. (The primary is tried first, the tertiary last.)
   - Prefer the WLC with the Master Controller Flag set. This flag is included in the header of a discovery response.
   - Prefer the least loaded WLC. Every WLC announces the number of already connected LAPs via the discovery response.
Note that the Master Controller Mode is disabled after reboot or SW upgrade.
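The selection step above is easiest to reason about as a small ranking function over the discovery responses. The following is an added example written for these notes, not Cisco's implementation: the `DiscoveryResponse` fields mirror the discovery response contents listed earlier, the `configured` list stands in for the primary/secondary/tertiary names stored in the LAP flash, and the tie-break among several masters (least loaded wins) is my assumption, since the notes do not say what happens in that case.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class DiscoveryResponse:
    """Fields a WLC announces in its LWAPP discovery response (see list above)."""
    name: str
    controller_type: str
    ap_load: int          # current number of joined APs
    ap_capacity: int
    ap_manager_ip: str
    master: bool          # Master Controller flag


def select_wlc(responses: List[DiscoveryResponse],
               configured: List[str]) -> Tuple[Optional[DiscoveryResponse], str]:
    """Pick a WLC following the three-level priority scheme; returns (choice, reason).

    configured: controller names in [primary, secondary, tertiary] order, as stored in flash.
    """
    if not responses:
        return None, "no discovery responses received"

    by_name = {r.name: r for r in responses}

    # Level 1: a configured (stored) controller that actually answered, primary first.
    for rank, name in zip(("primary", "secondary", "tertiary"), configured):
        if name in by_name:
            return by_name[name], f"configured {rank} controller answered"

    # Level 2: any controller with the Master Controller flag set.
    # Assumption: if several masters answer, take the least loaded one.
    masters = [r for r in responses if r.master]
    if masters:
        return min(masters, key=lambda r: r.ap_load), "master controller flag set"

    # Level 3: the least loaded controller (load is announced in the response).
    return min(responses, key=lambda r: r.ap_load), "least loaded controller"


# Constructed sample responses, not captured from real hardware.
SAMPLE_RESPONSES = [
    DiscoveryResponse("WLC-A", "4404", ap_load=40, ap_capacity=100, ap_manager_ip="10.10.1.5", master=False),
    DiscoveryResponse("WLC-B", "4402", ap_load=10, ap_capacity=50,  ap_manager_ip="10.10.2.5", master=True),
    DiscoveryResponse("WLC-C", "4404", ap_load=5,  ap_capacity=100, ap_manager_ip="10.10.3.5", master=False),
]

if __name__ == "__main__":
    for configured in (["WLC-C", "WLC-A"], ["WLC-X"], []):
        wlc, why = select_wlc(SAMPLE_RESPONSES, configured)
        print(configured, "->", wlc.name if wlc else None, "(", why, ")")
```

Note how the stored names win even when another controller is a master or less loaded; this is exactly why the AP pages should carry the correct controller names (next paragraph) and why a forgotten Master Controller flag after a reboot only matters for APs that have no configured controller answering.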
On the WLC's AP pages enter the names of the primary, secondary, and tertiary WLC. Do NOT enter their IP addresses! Use the same names as can be seen on the monitor general page.
When a LAP associates to the primary WLC, this WLC will automatically send the IP addresses of the secondary and tertiary WLCs to the LAP.
After a LAP joins a WLC, the LAP learns the IP addresses of other WLCs in that mobility group from its joined WLC.
Subsequently, the AP sends LWAPP primary discovery requests to each of the WLCs in the mobility group.
The WLCs respond with a primary discovery response to the LAP. This message includes information about the WLC type, the total capacity, and current AP load.
As long as the WLC has the AP Fallback parameter enabled, the AP can decide to change over to a less-loaded WLC.
If the WLCs are placed in the same Mobility Group, LAP failover is "seamless" (typically 30-80 seconds switchover delay to the other WLC).
What happens when you power down the primary WLC:
- Each associated LAP waits for the heartbeat timeout (30 seconds)
- Then each LAP sends 7 heartbeats (one per second) to the WLC
- Then each LAP searches another WLC using the default process
Optionally the heartbeat can be reduced down to 1 second
Note: max WAN RTT is 100 ms, the minimum datarate is 128 kbit/s.
Between the access point and the controller, a minimum of a 500 byte MTU is supported.
The 1030 REAP can only reside on a single subnet because it cannot perform IEEE 802.1Q VLAN tagging. However, wireless traffic can still be segmented into different SSIDs but on the wired side all traffic is placed into the same VLAN.
When the WLC is not reachable only WLAN 1 is supported by the REAP. You should use a non-AAA based security policy for WLAN 1 such as WPA-PSK.
The H-REAP mode is supported by the lightweight 1130AG and 1240AG access points. The H-REAP may send data traffic back to the WLC but can also perform local switching.
The main differences to the legacy REAP mode are that H-REAP supports:
Configuration:
- On the WLC you must configure both centrally switched and locally switched WLANs.
- For the locally switched WLAN choose WPA-PSK and under the WLAN/Advanced tab check the H-REAP Local Switching check box.
- On the Wireless/Details page select the H-REAP role.
  - On the same page (right) a H-REAP Configuration section appears: Check VLAN Support and enter the number of the native VLAN. All other VLANs will be configured automatically and correspond to the VLAN interface settings of the WLC.
  - Below, click VLAN Mappings and enter the VLAN number from which the clients will get an IP address when doing local switching.
The Group Leader is dynamically elected and cannot be chosen by an administrator. The RF group leader analyzes the real-time radio data collected by the group and calculates a master power and channel plan with -65 dBm on the cell borders.
Auto-RF uses fixed and some configurable parameters. The following parameters can be configured:
| Parameter | Default Value | Description |
|---|---|---|
| Interference | 10% | Specifies the maximum percentage of interference every LAP may detect. |
| Clients | 12 | Specifies the maximum number of clients that may be associated on every LAP. Range: 1-75 |
| Noise | -70 dBm | Specifies the maximum noise power level on every LAP. Range: −127 to 0 dBm |
| Coverage | 12 dB @ 2.4 GHz, 16 dB @ 5 GHz | Specifies the lowest allowable SNR on every LAP. If the measured SNR drops below this coverage parameter then a coverage hole exists and the transmit power of the surrounding LAPs will be increased. Range: 3 to 50 dB |
| Utilization | 80% | Specifies the percentage of time a LAP may consume for transmissions. |
| Coverage Exception | 25% | Specifies the percentage of clients per LAP that experience a SNR below the coverage level but cannot roam to another LAP. |
| Data Rate | 1000 Kbit/s | Specifies the lowest allowable data rate a LAP can use for sending or receiving data. Range: 1 to 1000 Kbit/s |
| Client Min Exception Level | 3 | Specifies the maximum number of clients on a LAP that may experience a lower SNR than specified by the Coverage parameter. That is, the Client Min Exception Level indicates the number of clients necessary to trigger a Coverage Alarm if the Coverage Exception is also violated at the same time. A coverage alarm causes an SNMP trap. Range: 1 to 75 |
Additionally, an administrator can configure a (country-specific) channel list, as well as some monitor intervals. The table below shows the default monitor values:
| Measurement | Interval |
|---|---|
| Noise | 180 s |
| Traffic Load | 60 s |
| Receive Signal Power | 60 s |
| Coverage (SNR) | 180 s |
Note that Noise=180s means that every AP must perform a noise scan through all channels within 180 seconds then send a report to the WLC (when LAP in local mode).
The following parameters are set by the manufacturer or created dynamically and cannot be changed:
Output of the show debug mobility enable shows:
Hint: Look for receipt of final message in tunnel sequence "Received Anchor Export Ack".
Output of the show debug mobility enable shows:
An EoIP tunnel is created for every roaming client!
This feature allows client traffic to be confined to a specific subnet regardless of the clients' physical location. For example the whole guest WLAN traffic can be tunneled to an Anchor WLC placed in a DMZ of a firewall. Obviously the firewall must permit LWAPP traffic.
Note:
A subset of the WLCs of the mobility group can be configured as anchors for a WLAN. Configure the same set of WLCs on all WLCs of the mobility group! Each WLC sends a controller status message every 15 seconds. After three missing status messages that WLC is considered inactive.
As soon as the first client for an auto-anchored WLAN associates to the initial contact WLC, this WLC sends an announcement message to all other WLCs in the mobility group. If this announcement remains unanswered the WLC chooses any (usually the first) Anchor WLC in the list (of configured Anchor WLCs) and establishes an EoIP tunnel to that anchor.
Note: Each SSID requires a tunnel from the WLC to an Anchor WLC.
The anchor WLCs may send a handoff message as announcement response to distribute the EoIP tunnels equally (usually on a round-robin basis).
Client traffic always travels a symmetric path.
Every WLC creates one EoIP tunnel for all associated clients (for that remotely anchored WLAN).
The mobility anchor of the local controller must point to the anchor controller, and the mobility anchor of the anchor controller must point to itself.
Each anchor controller supports up to 40 EoIP tunnels from various WLCs.
A 2000 series WLC cannot be configured as anchor.
Auto-anchored WLANs do not support IPsec and L2TP Layer 3 security policies. Web Authentication is supported and performed by the Anchor WLC.
Idea: when you have multiple locations, want to support the same SSID everywhere, but map that SSID in different (typically location-specific) VLANs.
Configuration from the Controller:
- Controller > Interfaces - Add your desired VLAN interface for that location.
- WLANs - Select your WLAN and assign a default VLAN interface or a dummy VLAN interface which is not assigned in any switch's VLAN database (so it will not provide connectivity)
- WLANs > Advanced - Create a new AP Group and an associated SSID to VLAN mapping
- Wireless > All APs - Select your APs in that location, and under the Advanced tab, add each AP to your AP Group.
Note: The WLC only uses the user timeout and session timeout settings to terminate client sessions if aggressive load balancing is disabled.
The maximum number of local users in the local database:
- Absolute maximum: 2048
- Default-maximum: 512 [Security>General]
The configured database size is shared by local management users (including lobby ambassadors), net users (including guest users), MAC filter entries, and disabled clients.
| Traffic Type | Cisco AVVID IP DSCP | Cisco AVVID 802.1p UP | IEEE 802.11e UP |
|---|---|---|---|
| Network Control | 56 | 7 | 7 |
| Reserved | 48 | 6 | -- |
| Voice | 46 (EF) | 5 | 6 |
| Video | 34 (AF41) | 4 | 5 |
| Voice Control | 26 (AF31) | 3 | 4 |
| Background Gold | 18 (AF21) | 2 | 2 |
| Background Silver | 10 (AF11) | 1 | 1 |
| Best effort | 0 (BE) | 0 | 0,3 |
When autonomous APs are upgraded into lightweight mode the WLC can tell them to disable the Mode button:
config ap reset-button {enable | disable} {ap-name | all}
The reset button on converted APs is enabled by default.
Especially to troubleshoot upgraded APs (i. e. from autonomous to lightweight) sometimes the Discovery and Join handshake must be observed:
```
debug lwapp errors enable
debug pm pki enable      !!! This shows certificate problems in detail (also the signature!)
show auth-list
```