CATON Systems is a Technology Services firm, focusing on complex engineering problems and the unique solutions they require.
Ongoing Wireless (mainly) Blog from our Chief Consulting Engineer, Mike Dongvillo.
Blog Entry #9 - 3/29/2021 - Cisco Catalyst IOS-XE - Configuration/Deployment Summary
In the 7th and final (for now) post of this IOS-XE series, I'm going to discuss some deployment pointers and tips.
It's very important, as with any Project, to organize your data and configurations into something repeatable.
I've often found that using a simple 5-tab spreadsheet to organize the various WLAN parameters makes the deployment MUCH more logical.
For example:
1. Building Wireless Info
2. Policy Tags
3. Site Tags
4. RF Tags
5. RLAN Info.
By organizing your necessary configuration parameters this way, you can keep track of all the components/objects you are working with.
Another note, I purposely showed all the CLI configuration here in this series of Blog posts, as that was the request. :)
Once you have the overall Tag, Policy, and Profile templates created, you can then programmatically roll out sites very quickly.
Depending on the platform, you can also utilize RESTCONF and NETCONF when deploying sites. Along with the simple copy/replace/paste methodology as well.
In summary, the main building blocks of a Cisco IOS-XE WLAN Controller are as such:
1. Policy Tags
A. WLAN Profile
B. Policy Profile
2. Site Tags
A. AP Join Profile
B. Flex Profile
3. RF Tags
A. 2.4G RF Profile
B. 5G RF Profile
4. RLAN Information
A. RLAN Profile
B. RLAN Policy
Blog Entry #8 - 3/2/2021 - Cisco Catalyst IOS-XE - Remote LANs (RLANs)
In the 6th post of this IOS-XE series, I'm going to layout the various RLAN configurations utilized in this install.
A Remote LAN (RLAN) is used for authenticating wired clients using the WLC, through the physical wires ports on the AP. Once the wired client successfully joins the controller,
the LAN ports switch the traffic between central or local switching modes. The traffic from wired client is treated as wireless client traffic.
The RLAN configured for the Access Point (AP) sends the authentication requests to authenticate the wired client.
The authentication of the wired clients in an RLAN is similar to the central authenticated wireless client process.
The RLAN Profile (RPRO) and RLAN Policy (RPOL) are then assigned to a Policy Tag (PT), similarly to how WLANs are assigned in the same way overall.
As shown below, the RLAN Policy configures the switching and security parameters for wired connections, such as:
1. AAA Override
2. Central or Local Switching
3. Host-Modes, such as Multiple Hosts allowed, Single Host allowed, and which hosts are auth'd
4. ACLs can be applied here
5. PoE Settings and paremeters
6. MAC Address violation responses
7. VLAN assignment for the Wired port traffic
ap remote-lan profile-name UNIV-RLAN22-RPRO 22
no shutdown
ap remote-lan profile-name UNIV-RLAN52-RPRO 52
no shutdown
ap remote-lan-policy policy-name UNIV-RLAN22-RPOL
aaa-override
no central switching
description UNIV-RLAN22-RPOL
host-mode multihost
poe
violation-mode replace
vlan 22
no shutdown
ap remote-lan-policy policy-name UNIV-RLAN52-RPOL
aaa-override
no central switching
description UNIV-RLAN52-RPOL
host-mode multihost
poe
violation-mode replace
vlan 52
no shutdown
wireless tag policy UNIV-BLDGA-PT
description UNIV-BLDGA-PT
remote-lan UNIV-RLAN22-RPRO policy UNIV-RLAN22-RPOL port-id 1
remote-lan UNIV-RLAN22-RPRO policy UNIV-RLAN22-RPOL port-id 2
remote-lan UNIV-RLAN22-RPRO policy UNIV-RLAN22-RPOL port-id 3
wlan UNIV_Guest policy UNIV-GUEST-PP
wlan UNIV_Students policy UNIV-STUDENTS-PP
wlan UNIV_Staff policy UNIV-STAFF-PP
wireless tag policy UNIV-BLDGB-PT
description UNIV-BLDGB-PT
remote-lan UNIV-RLAN52-RPRO policy UNIV-RLAN52-RPOL port-id 1
remote-lan UNIV-RLAN52-RPRO policy UNIV-RLAN52-RPOL port-id 2
remote-lan UNIV-RLAN52-RPRO policy UNIV-RLAN52-RPOL port-id 3
wlan UNIV_Guest policy UNIV-GUEST-PP
wlan UNIV_Students policy UNIV-STUDENTS-PP
wlan UNIV_Staff policy UNIV-STAFF-PP
Blog Entry #7 - 2/16/2021 - Cisco Catalyst IOS-XE - Radio Frequency Tags (RFT)
In the 5th post regarding Cisco IOS-XE Catalyst controller deployment, I'm going to layout the various RF Tag (RFT) configurations.
The RF Tag contains the 2.4G and 5G RF Profiles. The default RF Tag contains the global configuration.
The RF Tag is a very convenient and flexible way to build your RF environment to your liking.
RF profiles contain the common radio configuration for the APs, such as Enabled/Disable/Mandatory speeds, RX-SOP thresholds and values, Tx Power settings.
RF profiles are applied to all the APs that belong to an AP group, where all the APs in that group have the same profile settings.
wireless tag rf UNIV-100-CORE-RFT
24ghz-rf-policy UNIV-24G-HCD-RFP
5ghz-rf-policy UNIV-5G-HCD-RFP
description UNIV-100-CORE-RFT
wireless tag rf UNIV-101-AGG-RFT
24ghz-rf-policy UNIV-24G-HCD-RFP
5ghz-rf-policy UNIV-5G-HCD-RFP
description UNIV-101-AGG-RFT
ap dot11 24ghz rf-profile UNIV-24G-HCD-RFP
description "UNIV High Client Density RF Profile for 2.4G"
high-density rx-sop threshold medium
rate RATE_11M disable
rate RATE_12M mandatory
rate RATE_1M disable
rate RATE_2M disable
rate RATE_5_5M disable
rate RATE_6M disable
tx-power min 7
no shutdown
ap dot11 5ghz rf-profile UNIV-5G-HCD-RFP
description "UNIV High Client Density RF Profile for 5G"
high-density rx-sop threshold medium
rate RATE_6M disable
rate RATE_9M disable
tx-power min 7
tx-power v1 threshold -65
no shutdown
Blog Entry #6 - 2/10/2021 - Cisco Catalyst IOS-XE - Site Tags (ST)
In the 4th post regarding Cisco IOS-XE Catalyst controller deployment, I'm going to layout the various Site Tag (ST) configurations.
The Site Tag (ST) defines the properties of a site and also contains the Flex Profile (FP) and the AP Join Profile (APJP).
The configuration parameters that are specific to the corresponding Flex or Remote Site are part of the FP.
The ST also contains parameters that are specific to the physical site or location (and thus cannot be a part of the profile that is a reusable entity or object).
For example, the list of Primary APs and Secondary APs for upgrade processes is a part of the ST rather than of a FP.
If or when a FP name or an APJP name is changed in the ST, the AP is forced to rejoin the WLC by disconnecting the DTLS session.
The Site Tag is very important when designing redundancy and load-sharing, as the APJP component of the ST can be used to distribute APs amongst Primary and Secondary/Backup Controllers.
This is shown below, with the APJP-ODD and APJP-EVEN AP Profiles.
wireless tag site UNIV-100-CORE-ST
ap-profile UNIV-APJP-EVEN
description UNIV-100-CORE-ST
flex-profile UNIV-FP-ALL
no local-site
wireless tag site UNIV-101-AGG-ST
ap-profile UNIV-APJP-ODD
description UNIV-101-AGG-ST
flex-profile UNIV-FP-ALL
no local-site
ap profile UNIV-APJP-ODD
capwap backup primary WLC-9800-B 10.100.200.11
capwap backup secondary WLC-9800-A 10.100.200.3
description UNIV-APJP-ODD
hyperlocation ble-beacon 0
hyperlocation ble-beacon 1
hyperlocation ble-beacon 2
hyperlocation ble-beacon 3
hyperlocation ble-beacon 4
hyperlocation
mgmtuser username apadmin password 0 XXXXXXXX secret XXXXXXXX
ntp ip 10.100.111.100
ssh
ap profile UNIV-APJP-EVEN
capwap backup primary WLC-9800-A 10.100.200.3
capwap backup secondary WLC-9800-B 10.100.200.11
description UNIV-APJP-EVEN
hyperlocation ble-beacon 0
hyperlocation ble-beacon 1
hyperlocation ble-beacon 2
hyperlocation ble-beacon 3
hyperlocation ble-beacon 4
hyperlocation
mgmtuser username apadmin password 0 XXXXXXXX secret 0 XXXXXXXX
ntp ip 10.100.111.100
ssh
wireless profile flex UNIV-FP-ALL
acl-policy Wireless_Guest_Access
central-webauth
no arp-caching
description UNIV-FP-ALL
native-vlan-id 14
Blog Entry #5 - 1/26/2021 - Cisco Catalyst IOS-XE - Policy Profiles (PP)
In the 3rd post regarding Cisco IOS-XE Catalyst controller deployment, I'm going to layout the various Policy Profile (PP) configurations.
The Policy Profile, as you see below, consists of a multitude of different parameters and configuration knobs.
At a high-level, it consists of the network/switching policies and details.
Anything that is a policy for a client that is applied on an AP or WLC is moved to the PP.
At a low-level, the following are some of the items setup with the Policy Profile:
1. VLAN
2. ACL
3. QoS
4. Session Timeout
5. Idle Timeout
6. AVC Profile
7. Bonjour Profile
8. Local Profiling
9. Device Classification
10. BSSID QoS
To be clear, all the wireless-related security attributes and features on the WLAN are grouped under the WLAN profile, which we've discussed already.
wireless profile policy UNIV-GUEST-PP
aaa-override
aaa-policy CWA_AAA_Policy
accounting-list UT_ISE
autoqos mode enterprise-avc
no central association
no central dhcp
no central switching
description UNIV-GUEST-PP
et-analytics enable
nac
passive-client
radius-profiling
service-policy input AutoQos-4.0-wlan-ET-SSID-Input-AVC-Policy
service-policy output AutoQos-4.0-wlan-ET-SSID-Output-Policy
session-timeout 0
vlan 224
no shutdown
wireless profile policy UNIV-STUDENTS-PP
aaa-override
autoqos mode enterprise-avc
no central association
no central dhcp
no central switching
description UNIV-STUDENTS-PP
et-analytics enable
nac
passive-client
radius-profiling
service-policy input AutoQos-4.0-wlan-ET-SSID-Input-AVC-Policy
service-policy output AutoQos-4.0-wlan-ET-SSID-Output-Policy
session-timeout 0
vlan 192
no shutdown
wireless profile policy UNIV-STAFF-PP
aaa-override
autoqos mode enterprise-avc
no central association
no central dhcp
no central switching
description UNIV-STAFF-PP
et-analytics enable
nac
passive-client
radius-profiling
service-policy input AutoQos-4.0-wlan-ET-SSID-Input-AVC-Policy
service-policy output AutoQos-4.0-wlan-ET-SSID-Output-Policy
session-timeout 0
vlan 184
no shutdown
Blog Entry #4 - 1/11/2021 - Cisco Catalyst IOS-XE - WLAN/SSID Profiles
In the 2nd post regarding Cisco IOS-XE Catalyst controller deployment, I'm going to layout the various SSID configurations.
WLAN profiles can be configured with the same or different SSIDs. An SSID, as we all know, identifies the specific wireless network for controller and Clients to access.
When you create WLAN Profiles with the same SSID value, it allows you to assign different L2 security parameters within the same wireless LAN.
To distinguish between WLANs having the same SSID value, you create a unique profile name for each WLAN. Note: WLANs with the same SSID must have unique L2 security policies,
so that Clients can select a WLAN based on the information advertised in Beacon/Probe responses.
The switching and network policies are not part of the WLAN definition, those are configured in the Policy Profile (next blog post).
As you'll see below, the WLAN Profile contains settings dealing with: 802.11r, Band Select, Aironet IE extensions, Media Stream, MFP/PMF, and the various L2/L3 security mechanisms.
wlan UNIV_Staff 1 UNIV_Staff
assisted-roaming dual-list
band-select
ccx aironet-iesupport
description UNIV_Staff
media-stream multicast-direct
multicast buffer 30
security wpa psk set-key ascii 0 XXXXXXXX
security dot1x authentication-list UNIV-ISE-DOT1X
security pmf optional
no shutdown
wlan UNIV_Students 2 UNIV_Students
assisted-roaming dual-list
band-select
ccx aironet-iesupport
description UNIV_Students
security wpa psk set-key ascii 0 XXXXXXXX
security dot1x authentication-list UNIV-ISE-DOT1X
security pmf optional
no shutdown
wlan UNIV_Guest 3 UNIV_Guest
assisted-roaming dual-list
band-select
ccx aironet-iesupport
description UNIV_Guest
mac-filtering ISE_AUTH
peer-blocking drop
no security wpa
no security wpa wpa2 ciphers aes
no security wpa akm dot1x
security dot1x authentication-list UNIV-ISE-DOT1X
no shutdown
Blog Entry #3 - 12/29/2020 - Cisco Catalyst IOS-XE - Policy Tags (PT)
This is going to be the first in a long series of blog posts about the new(ish) Cisco Catalyst IOS-XE WLCs.
I've had a lot of questions and inquiries about posting sample config snippets, with some brief explanation about what each section does.
So that is what I will do! :) All the configs to be posted in the coming blog entries have been completely scrubbed from a previous deployment.
Placeholder text and values have been used to replace any sensitive or identifying information, so the naming might seem a bit "odd".
This first entry is going to layout the Policy Tag (PT) construct, which ties together the WLAN Profiles (SSIDs) and Policy Profiles (PP) in IOS-XE.
The WLAN Profile component of the Policy Tag defines the overall characteristics and parameters of the WLAN itself.
Then, the WLAN Profile is tied to a Policy Profile, the Policy Profile defines the network and switching policies for the Clients attaching to the WLAN.
wireless tag policy UNIV-ALL-PT
description UNIV-ALL-PT
wlan UNIV_Guest policy UNIV-GUEST-PP
wlan UNIV_Students policy UNIV-STUDENTS-PP
wlan UNIV_Staff policy UNIV-STAFF-PP
In the next post(s), I will breakdown each of the WLANs utilized in the Policy Tag(s) and the Policy Profile(s) specifics. See you then!
Blog Entry #2 - 12/15/2020 - Strange Happenings #2
The second peculiarity I was tasked with fixing was not overly complex and is somewhat entertaining.
There was a very busy and highly utilized conference room on a floor of an existing building that the client occupied.
Every now and then, and seemingly with no pattern, the wireless connections and performance for end users in that conference room would be horrible:
dropped connections and choppy video and audio - the standard problems that result from wireless interference.
Unfortunately, a lot of the end user devices experiencing this issue were older systems, older radios and chipsets, and older drivers that would
often times only connect in the 2.4GHz band. Many were only ERP (802.11g) and HT (802.11n) capable.
In order to dig up some more info on this problem, I again ran some packet captures with my WLAN Pi and did notice a high number of retransmissions.
But that information didn’t really confirm the true source of the problem. Additionally, I also ran my Chanalyzer application, and very quickly saw a
typical Microwave oven-like pattern in the 2.4GHz band. This took a while to pin down, as there wasn’t a kitchen or breakroom nearby, and no regularity to the pattern.
I sat near the conference room for almost a day to gather data. Eventually, I noticed people walking around with hot soup and drinks.
I asked them where they were getting this from and, apparently, one of the Executive Assistants had a microwave and a toaster oven under her desk.
The closest kitchen/breakroom was several floors away or in another building altogether. Once I had finished my investigative work,
I asked her to not run her appliances for one day. And as expected, the complaints from the conference room users ceased immediately.
The client decided to convert a seldom-used office in a corner of that floor into a kitchen for the employees. Yes, this was a very weird situation, but in the end the problem was ultimately resolved.
“One for the books,” as they say.
Blog Entry #1 - 12/1/2020 - Strange Happenings #1
While working on a long-term wireless upgrade project for a major client, I ran into a couple very strange issues.
The main scope on this project wasn’t actually monitoring or troubleshooting at first, it was actually to help build-out a new five building campus network (including wired switching, campus routing, QoS, Internet ingress/egress, etc.).
However, this client was experiencing a some hard-to-pin-down problems and they asked me for assistance.
The first peculiarity was that a whole subset of laptops was not able to connect to the various wireless LANs in any of the US-based offices.
These were all new Lenovo VHT-capable (802.11ac) systems running Windows10 mainly, current driver updates, current OS patches, and standard productivity applications such as
Office 365, Adobe Acrobat, Visio, Project, and so forth. Point being, nothing out of the ordinary, plenty of RAM, disk, CPU as well.
When wired into the network, these same laptops performed flawlessly, with no problems whatsoever.
After running into dead end after dead end with driver changes, wireless profile deletions and re-creations, and the other usual troubleshooting steps you would take (as outlined in various CWAP and CWSP materials),
I decided to run a wireless packet capture near the offending and problematic laptops.
I setup my WLAN Pi in the vicinity of several of the laptops in the build area that the desktop and server teams used before deploying the systems out to the end-users.
It didn’t take long to see the problem: the laptops that were being imaged were, for some reason, only transmitting and receiving in the 2.4GHz Band on Channel 5.
After talking with the desktop build team, and the server team as well, it turns out there was an errant Active Directory Group Policy Object parameter being pushed
to the laptops as part of their image. Apparently, a current administrator had been toying around with the idea of locking the laptops onto a particular channel for use mainly in Europe.
Without getting into the details of the laptop build process, these new systems were being put into that Active Directory Organizational Unit and thus having their radios configured incorrectly.
Once the laptops were removed from that Organizational Unit the “normal” behavior returned to the wireless adapters in the laptops, and connectivity was fully restored.
Next issue discussed in an upcoming blog entry, thanks for reading.
