cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
44216
Views
15
Helpful
16
Comments
Serge Yasmine
Cisco Employee
Cisco Employee

 

 

Introduction

This document describes the steps needed to successfully install and  get the WLC 5760 and Switch 3850 operational and ready to host Wireless  Access Points, WLANs and Wireless clients.

This document only covers initial configuration on both of the platforms.

Overview of the Unified Access CT5760 Wireless Controller

The CT5760 Wireless LAN Controller (WLC) is the first Cisco IOS®  software-based controller built with smart ASIC intended to be deployed  as a centralized controller in the next generation unified wireless  architecture. CT5760 controllers are specifically designed to function  like the older unified model central wireless controllers. They also  support the newer Mobility functionality with Next Generation Wireless  Controllers 3850 switches in the wireless architecture.

CT5760 controllers are deployed behind a core  switch/router. The core switch/router is the only gateway into the  network for the controller. The uplink ports connected to the core  switch are configured as EtherChannel trunk to ensure port redundancy.

This new controller is an extensible and high  performance wireless controller, which can scale up to 1000 access  points (AP) and 12,000 clients. The controller has eight 6-10 Gbps data  ports.

As a component of the Cisco Unified Wireless  Network, the 5760 series works in conjunction with Cisco Aironet Access  Points, the Cisco Prime Infrastructure, and the Cisco Mobility Services  Engine to support business-critical wireless data, voice, and video  applications.

 

 

 

Overview of the Unified Access Catalyst 3850 Switches

The Unified Access Catalyst 3850 switch is a flexible ASIC-based  hardware that can support multiple protocols and has many advantages  over the current hardware platform. The Catalyst 3850 switch has an integrated hardware-based  wireless support with Control and Provisioning of Wireless Access Points  (CAPWAP) and fragmentation. It also has 40 GB of uplink bandwidth when  all ports function at line rate.

The Catalyst 3850 switch provides an open service platform. It has a  4-core CPU to leverage the operating system (OS) and to host various  services. The Catalyst 3850 hardware is the next- generation switching  hardware.

The UA Catalyst 3850 switch has unified wired and  wireless architecture. The wireless operating system is Cisco IOS®  software-based. UA Catalyst 3850 switch provides uniform wired and  wireless policies. It can house 50 access points (802.11n) and support  2000 clients per stack.

 

Initial configuration of the 5760 WLC

Here are the steps needed to successfully configure your 5760 WLC to start hosting wireless services.

Version used :  03.02.02

Setup Script

         --- System Configuration Dialog ---

Enable secret warning
----------------------------------
In order to access the device manager, an enable secret is required
If you enter the initial configuration dialog, you will be prompted for the enable secret
If you choose not to enter the inital configuration dialog, or if you exit setup without setting the enable secret,
please set an enable secret using the following CLI in configuration mode-
enable secret 0 <cleartext password>
----------------------------------

Would you like to enter the initial configuration dialog? [yes/no]: yes

At any point you may enter a question mark '?' for help.
Use ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.

Basic management setup configures only enough connectivity

for management of the system, extended setup will ask you
to configure each interface on the system

Would you like to enter basic management setup? [yes/no]: yes

Configuring global parameters:

  Enter host name [Controller]: w-5760-1

  The enable secret is a password used to protect access to
  privileged EXEC and configuration modes. This password, after
  entered, becomes encrypted in the configuration.
  Enter enable secret: cisco

  The enable password is used when you do not specify an
  enable secret password, with some older software versions, and
  some boot images.
  Enter enable password: cisco

  The virtual terminal password is used to protect
  access to the router over a network interface.
  Enter virtual terminal password: cisco

Configure a NTP server now? [yes]: 
Enter ntp server address : 192.168.1.200
Enter a polling interval between 16 and 131072 secs which is power of 2:16

  Do you want to configure wireless network? [no]:

Setup account for accessing HTTP server? [yes]:
    Username  [admin]:                     
    Password  [cisco]: 
    Password is UNENCRYPTED.

  Configure SNMP Network Management? [no]:

Current interface summary

Any interface listed with OK? value "NO" does not have a valid configuration

Interface                        IP-Address      OK?  Method Status                Protocol

Vlan1                             unassigned      NO   unset     up                        up     
GigabitEthernet0/0     unassigned      YES  unset     up                        up     
Te1/0/1                          unassigned      YES  unset     up                        up     
Te1/0/2                          unassigned      YES  unset     down                  down   
Te1/0/3                          unassigned      YES  unset     down                  down   
Te1/0/4                         unassigned      YES  unset      down                   down   
Te1/0/5                         unassigned      YES  unset      down                   down   
Te1/0/6                         unassigned      YES  unset      down                   down   

Enter interface name used to connect to the
management network from the above interface summary: vlan1

Configuring interface Vlan1:

  Configure IP on this interface? [yes]:
    IP address for this interface: 192.168.1.20
    Subnet mask for this interface [255.255.255.0] :

    Class C network is 192.168.1.0, 24 subnet bits; mask is /24

Wireless management interface needs to be configured at startup
It needs to be mapped to an SVI that's not Vlan 1 (default)

Enter VLAN No for wireless management interface:  120

Enter IP address :192.168.120.94
Enter IP address mask:  255.255.255.0

The following configuration command script was created:

hostname w-5760-1
enable secret 4 tnhtc92DXBhelxjYk8LWJrPV36S2i4ntXrpb4RFmfqY^Q
enable password cisco
line vty 0 15
password cisco
ntp server 192.168.1.200 maxpoll 4 minpoll 4

username admin privilege 15 password cisco
no snmp-server
!
no ip routing


!
interface Vlan1
no shutdown
ip address 192.168.1.20 255.255.255.0
!
interface GigabitEthernet0/0
shutdown
no ip address
!
interface TenGigabitEthernet1/0/1
!
interface TenGigabitEthernet1/0/2
!
interface TenGigabitEthernet1/0/3
!
interface TenGigabitEthernet1/0/4
!
interface TenGigabitEthernet1/0/5
!        
interface TenGigabitEthernet1/0/6
vlan 120
interface vlan 120
ip addr  192.168.120.94 255.255.255.0
exit
wireless management interface Vlan120
!
end

[0] Go to the IOS command prompt without saving this config.
[1] Return back to the setup without saving this config.
[2] Save this configuration to nvram and exit.

Enter your selection [2]: 2

Building configuration...
Compressed configuration from 2729 bytes to 1613 bytes[OK]
Use the enabled mode 'configure' command to modify this configuration.

Press RETURN to get started!

Required Wireless configuration for Access Points to be able to join

Important Note:

Ensure that your switch is having the right boot command under global  configuration. Depending how you installed the software on the switch.  If it has been extracted on the flash, then the following boot command  is required:

w-5760-1(config)#boot system flash:packages.conf

Connectivity Configuration

connecting to the backbone network and on which your will have CAPWAP traffic

     coming in/out. In this document the interface used is TenGigabitEthernet1/0/1. We are allowing on it Vlan1 nd Vlan 120

      interface TenGigabitEthernet1/0/1
      switchport trunk allowed vlan 1,120
      switchport mode trunk
      ip dhcp relay information trusted
     ip dhcp snooping trust

   Configure default route out:

    ip route 0.0.0.0 0.0.0.0 192.168.1.1

Configure Web Access

   The GUI can be accessed via https://<ipaddress>/wireless

   The logon credentials are already defined in the initial configuration dialog

    username admin privilege 15 password 0 admin

 

Capture.JPG

Ensure wireless management interface is correctly configured

    wireless management interface Vlan120

     w-5760-1#sh run int vlan 120

     Building configuration...

    Current configuration : 62 bytes
    !
    interface Vlan120
    ip address 192.168.120.94 255.255.255.0
   end

  w-5760-1#sh ip int br
  Interface                                  IP-Address      OK?    Method   Status            Protocol
  Vlan1                                      192.168.1.20      YES    manual    up                   up
  Vlan120                                 192.168.120.94  YES    manual    up                   up
  GigabitEthernet0/0              unassigned        YES      unset     down              down
Te1/0/1                                    unassigned        YES      unset      up                   up
Te1/0/2                                    unassigned        YES      unset    down               down
Te1/0/3                                    unassigned        YES      unset    down               down
Te1/0/4                                    unassigned        YES      unset    down               down
Te1/0/5                                    unassigned        YES      unset    down               down
Te1/0/6                                    unassigned        YES      unset    down               down
Capwap2                                unassigned        YES      unset    up                    up

w-5760-1#

Ensure you have enabled license with the right ap count

Note:  The 5760 does not have activated license levels, the image is already ipservices

Note:  5760 acting as MC can support up to 1000 APs

w-5760-1#license right-to-use activate apcount <count> slot 1 acceptEULA

Country code

    Ensure you have configured the correct country code on your WLC in compliance with the regulatory domain of the  

    country the AP(s) will be servicing in and in compliance with the regulatory domain of the AP(s)

w-5760-1#show wireless country configured

Configured Country.............................: US  - United States
Configured Country Codes
    US  - United States : 802.11a Indoor,Outdoor/ 802.11b / 802.11g

w-5760-1(config)#ap dot11 24ghz shutdown

w-5760-1(config)#ap dot11 5ghz shutdown

w-5760-1(config)#ap country BE
Changing  country code could reset channel and RRM grouping configuration. If  running in RRM One-Time mode, reassign channels after this command.  Check customized APs for valid channel values after this command.
Are you sure you want to continue? (y/n)[y]: y
w-5760-1(config)#no ap dot11 24ghz shut
w-5760-1(config)#no ap dot11 5ghz shut
w-5760-1(config)#end
w-5760-1#wr
Building configuration...
Compressed configuration from 3564 bytes to 2064 bytes[OK]

w-5760-1#show wireless country configured

Configured Country.............................: BE  - Belgium
Configured Country Codes
    BE  - Belgium : 802.11a Indoor,Outdoor/ 802.11b / 802.11g

AP --------> WLC Connectivity

   Ensure that your AP(s) on whatever VLAN,  they are able to learn the IP address of the WLC ( 192.168.120..94 in this example)

  via DHCP option 43, DNS, or any other discovery mechanism in CAPWAP.

Monitoring and Debugging

Ensure that your AP(s) have joined:

w-5760-1#show ap summary

Number of APs: 1

Global AP User Name: Not configured

Global AP Dot1x User Name: Not configured

AP Name                           AP Model  Ethernet MAC    Radio MAC       State
--------------------------------------------------------------------------------------

APa493.4cf3.232a                  1042N     a493.4cf3.232a  10bd.186d.9a40  Registered

 

Useful debugs for troubleshooting AP join issues

w-5760-1#debug capwap ap events

capwap/ap/events debugging is on

w-5760-1#debug capwap ap error

capwap/ap/error debugging is on

w-5760-1#debug dtls ap event
dtls/ap/event debugging is on

DHCP Snooping and Trust Configuration

It is recommended to use external DHCP server instead of internal DHCP server. DHCP snooping configuration is required on the controller for proper client join functionality. DHCP snooping must be enabled on each client VLAN including the override VLAN, if override is applied on the WLAN. The following example shows how to configure DHCP snooping.

Global DHCP Snooping Configuration:

ip dhcp snooping

ip dhcp snooping vlan 100, 200

Enable the bootp-broadcast command. This command is used by clients who send DHCP messages with broadcast addresses and the broadcast bit is set in the DHCP message.

ip dhcp snooping wireless bootp-broadcast enable

On the Interface:

Note If upstream is via a port channel, the trust configuration must be configured on the port channel interface as well.

interface TenGigabitEthernet1/0/1

description Connection to Core Switch

switchport trunk allowed vlan 100, 200

switchport mode trunk

ip dhcp relay information trusted

ip dhcp snooping trust

Note DHCP snooping must be configured on the Guest Anchor controller for guest access similar to the configuration above.

If you are using an ip-helper address on the interface, you must modify option 82 behavior:

On the DHCP Snooping Device
no ip dhcp snooping information option


OR

On the DHCP Relay Device (per interface)
ip dhcp relay information trusted

On the DHCP Relay Device (global configuration)
ip dhcp relay information trust-all

 

Initial configuration of the 3850 Switch

Here are the steps needed to successfully configure your 3850 Switch to start hosting wireless services.

Version used :  03.02.02

Setup script

    --- System Configuration Dialog ---

Enable secret warning
----------------------------------
In order to access the device manager, an enable secret is required
If you enter the initial configuration dialog, you will be prompted for the enable secret
If you choose not to enter the intial configuration dialog, or if you exit setup without setting the enable secret,
please set an enable secret using the following CLI in configuration mode-
enable secret 0 <cleartext password>
----------------------------------
Would you like to enter the initial configuration dialog? [yes/no]: yes

At any point you may enter a question mark '?' for help.
Use ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.


Basic management setup configures only enough connectivity
for management of the system, extended setup will ask you
to configure each interface on the system


Would you like to enter basic management setup? [yes/no]: yes
Configuring global parameters:


  Enter host name [Switch]: sw-3850-1


  The enable secret is a password used to protect access to
  privileged EXEC and configuration modes. This password, after
  entered, becomes encrypted in the configuration.
  Enter enable secret: Cisco123


  The enable password is used when you do not specify an
  enable secret password, with some older software versions, and
  some boot images.
  Enter enable password: Cisco123


  The virtual terminal password is used to protect
  access to the router over a network interface.
  Enter virtual terminal password: Cisco123


  Do you want to configure country code? [no]: yes


  Enter the country code[US]:BE




Note :  Enter the country code in which you are installing this 3850 Switch and the AP(s). If your country code is not   


             recognized, enter one that is compliant with the regulatory domain of your own country


Setup account for accessing HTTP server? [yes]: 
    Username  [admin]:                     
    Password  [cisco]: 
    Password is UNENCRYPTED.


  Configure SNMP Network Management? [no]:

Current interface summary

Any interface listed with OK? value "NO" does not have a valid configuration

 

Interface                           IP-Address      OK? Method Status                Protocol
Vlan1                               unassigned      NO  unset      up                    down    
GigabitEthernet0/0      unassigned      YES unset      up                    up      
GigabitEthernet2/0/1   unassigned      YES unset  down                  down    
GigabitEthernet2/0/2   unassigned      YES unset  down                  down    
GigabitEthernet2/0/3   unassigned      YES unset  down                  down    
GigabitEthernet2/0/4   unassigned      YES unset  down                  down    
GigabitEthernet2/0/5   unassigned      YES unset  down                  down    
GigabitEthernet2/0/6   unassigned      YES unset  down                  down    
GigabitEthernet2/0/7   unassigned      YES unset  down                  down    
GigabitEthernet2/0/8   unassigned      YES unset  down                  down    
GigabitEthernet2/0/9   unassigned      YES unset  down                  down    
GigabitEthernet2/0/10  unassigned      YES unset  down                  down    
GigabitEthernet2/0/11  unassigned      YES unset  down                  down    
GigabitEthernet2/0/12  unassigned      YES unset  down                  down    
GigabitEthernet2/0/13  unassigned      YES unset  down                  down    
GigabitEthernet2/0/14  unassigned      YES unset  down                  down    
GigabitEthernet2/0/15  unassigned      YES unset  down                  down    
GigabitEthernet2/0/16  unassigned      YES unset  down                  down    
GigabitEthernet2/0/17  unassigned      YES unset  down                  down    
GigabitEthernet2/0/18  unassigned      YES unset  down                  down    
GigabitEthernet2/0/19  unassigned      YES unset  down                  down    
GigabitEthernet2/0/20  unassigned      YES unset  down                  down    
GigabitEthernet2/0/21  unassigned      YES unset  down                  down    
GigabitEthernet2/0/22  unassigned      YES unset  down                  down    
GigabitEthernet2/0/23  unassigned      YES unset  down                  down    
GigabitEthernet2/0/24  unassigned      YES unset  down                  down    
GigabitEthernet2/0/25  unassigned      YES unset  down                  down    
GigabitEthernet2/0/26  unassigned      YES unset  down                  down    
GigabitEthernet2/0/27  unassigned      YES unset  down                  down    
GigabitEthernet2/0/28  unassigned      YES unset  down                  down    
GigabitEthernet2/0/29  unassigned      YES unset  down                  down    
GigabitEthernet2/0/30  unassigned      YES unset  down                  down    
GigabitEthernet2/0/31  unassigned      YES unset  down                  down    
GigabitEthernet2/0/32  unassigned      YES unset  down                  down    
GigabitEthernet2/0/33  unassigned      YES unset  down                  down    
GigabitEthernet2/0/34  unassigned      YES unset  down                  down    
GigabitEthernet2/0/35  unassigned      YES unset  down                  down    
GigabitEthernet2/0/36  unassigned      YES unset  down                  down    
GigabitEthernet2/0/37  unassigned      YES unset  down                  down    
GigabitEthernet2/0/38  unassigned      YES unset  down                  down    
GigabitEthernet2/0/39  unassigned      YES unset  down                  down    
GigabitEthernet2/0/40  unassigned      YES unset  down                  down    
GigabitEthernet2/0/41  unassigned      YES unset  down                  down    
GigabitEthernet2/0/42  unassigned      YES unset  down                  down    
GigabitEthernet2/0/43  unassigned      YES unset  down                  down    
GigabitEthernet2/0/44  unassigned      YES unset  down                  down    
GigabitEthernet2/0/45  unassigned      YES unset  down                  down    
GigabitEthernet2/0/46  unassigned      YES unset  down                  down    
GigabitEthernet2/0/47  unassigned      YES unset  down                  down    
GigabitEthernet2/0/48  unassigned      YES unset  up                       up      
GigabitEthernet2/1/1    unassigned      YES unset  down                  down    
GigabitEthernet2/1/2   unassigned      YES unset  down                  down    
GigabitEthernet2/1/3   unassigned      YES unset  down                  down    
GigabitEthernet2/1/4   unassigned      YES unset  down                  down    
Te2/1/1                           unassigned      YES unset  down                  down    
Te2/1/2                           unassigned      YES unset  down                  down    
Te2/1/3                           unassigned      YES unset  down                  down    
Te2/1/4                           unassigned      YES unset  down                  down   


Enter interface name used to connect to the
management network from the above interface summary: vlan1


Configuring interface Vlan1:
  Configure IP on this interface? [yes]: 
    IP address for this interface: 192.168.1.2
    Subnet mask for this interface [255.255.255.0] : 
    Class C network is 192.168.1.0, 24 subnet bits; mask is /24

 

The following configuration command script was created:

hostname sw-3850-1
enable secret 4 vwcGVdcUZcRMCyxaH2U9Y/PTujsnQWPSbt.LFG8lhTw
enable password Cisco123
line vty 0 15
password Cisco123
  ap dot11 24ghz shutdown 
  ap dot11 5ghz shutdown 
  ap country BE 
  no ap dot11 24ghz shutdown 
  no ap dot11 5ghz shutdown

username admin privilege 15 password 0 cisco
no snmp-server
!
no ip routing


!
interface Vlan1
no shutdown
ip address 192.168.1.2 255.255.255.0
!
interface GigabitEthernet0/0
shutdown
no ip address
!
interface GigabitEthernet2/0/1
!
interface GigabitEthernet2/0/2
!
interface GigabitEthernet2/0/3
!         
interface GigabitEthernet2/0/4
!
interface GigabitEthernet2/0/5
!
interface GigabitEthernet2/0/6
!
interface GigabitEthernet2/0/7
!
interface GigabitEthernet2/0/8
!
interface GigabitEthernet2/0/9
!
interface GigabitEthernet2/0/10
!
interface GigabitEthernet2/0/11
!
interface GigabitEthernet2/0/12
!
interface GigabitEthernet2/0/13
!
interface GigabitEthernet2/0/14
!
interface GigabitEthernet2/0/15
!         
interface GigabitEthernet2/0/16
!
interface GigabitEthernet2/0/17
!
interface GigabitEthernet2/0/18
!
interface GigabitEthernet2/0/19
!
interface GigabitEthernet2/0/20
!
interface GigabitEthernet2/0/21
!
interface GigabitEthernet2/0/22
!
interface GigabitEthernet2/0/23
!
interface GigabitEthernet2/0/24
!
interface GigabitEthernet2/0/25
!
interface GigabitEthernet2/0/26
!
interface GigabitEthernet2/0/27
!         
interface GigabitEthernet2/0/28
!
interface GigabitEthernet2/0/29
!
interface GigabitEthernet2/0/30
!
interface GigabitEthernet2/0/31
!
interface GigabitEthernet2/0/32
!
interface GigabitEthernet2/0/33
!
interface GigabitEthernet2/0/34
!
interface GigabitEthernet2/0/35
!
interface GigabitEthernet2/0/36
!
interface GigabitEthernet2/0/37
!
interface GigabitEthernet2/0/38
!
interface GigabitEthernet2/0/39
!         
interface GigabitEthernet2/0/40
!
interface GigabitEthernet2/0/41
!
interface GigabitEthernet2/0/42
!
interface GigabitEthernet2/0/43
!
interface GigabitEthernet2/0/44
!
interface GigabitEthernet2/0/45
!
interface GigabitEthernet2/0/46
!
interface GigabitEthernet2/0/47
!
interface GigabitEthernet2/0/48
!
interface GigabitEthernet2/1/1
!
interface GigabitEthernet2/1/2
!
interface GigabitEthernet2/1/3
!         
interface GigabitEthernet2/1/4
!
interface TenGigabitEthernet2/1/1
!
interface TenGigabitEthernet2/1/2
!
interface TenGigabitEthernet2/1/3
!
interface TenGigabitEthernet2/1/4
!
end


[0] Go to the IOS command prompt without saving this config.
[1] Return back to the setup without saving this config.
[2] Save this configuration to nvram and exit.


Enter your selection [2]:    2
The enable password you have chosen is the same as your enable secret.
This is not recommended.  Re-enter the enable password.
Changing  country code could reset channel and RRM grouping configuration. If  running in RRM One-Time mode, reassign channels after this command.  Check customized APs for valid channel values after this command. 
Are you sure you want to continue? (y/n)[y]: y
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 1 seconds)


Building configuration...
Compressed configuration from 4414 bytes to 2038 bytes[OK]
Use the enabled mode 'configure' command to modify this configuration.



Press RETURN to get started!

 

Required Wireless configuration for Access Points to be able to join

Important Note:

Ensure that your switch is having the right boot command under global  configuration. Depending how you installed the software on the switch.  If it has been extracted on the flash, then the following boot command  is required:

sw-3850-1(config)#boot system switch all flash:packages.conf

Wireless Pre-requisites

    To enable wireless services, the 3850 must be running an ipservices or ipbase license.

Enable Wireless on the Switch

Note: The Access Points will need to be connected to access mode    

            switchports in the same VLAN!

  • Enable WIreless Management

            sw-3850-1(config)#wireless management interface vlan <1-4095>

  • Define Mobility Controller

       A Mobility Controller (MC) must be defined in order to allow Access Points to join.

        a. If this 3850 will be the Mobility Controller:

           sw-3850-1(config)#wireless mobility controller

    Note: This configuration change will require a reboot!

        b. If this 3850 will operate as a Mobility Agent (MA), Then please point it to the MC IP address using the following

            command:

          sw-3850-1(config)#wireless mobility controller ip a.b.c.d

           And on the MC:

         3850MC(config)#wireless mobility controller peer-group <SPG1>

         3850MC(config)#wireless mobility controller peer-group <SPG1> member ip w.x.y.z

License Verification

Ensure that you have AP Licenses active on the MC (the MA will use the licenses that are activated on the MC):

Note: 3850 must run ipservices or ipbase license to enable wireless services on 3850

Note: AP count licenses are applied at the MC, and are automatically provisioned and enforced at the MA

Note: 3850 acting as MC can support up to 50 APs

   sw-3850-1 #show license right-to-use summary

               License Name    Type          Count   Period left



              ----------------------------------------------------------------



              ipservices          permanent    N/A      Lifetime



              apcount              base                1         Lifetime



              apcount              adder              49        Lifetime



              -------------------------------------------------------------------





License Level In Use: ipservices

License Level on Reboot: ipservices

Evaluation AP-Count: Disabled

Total AP Count Licenses: 50

AP Count Licenses In-use: 1

AP Count Licenses Remaining: 49

 

If you do not have apcount licenses installed, see the following article for more information.

To activate AP count license on the 3850, please enter this command  with the required AP count. Always on the MC (Mobility Controller):

sw-3850-1#license right-to-use activate apcount <count> slot <#> acceptEULA

AP------> WLC Connectivity

  In order for Access Points to join the controller, the switchport configuration must be set as an access port in the

   wireless management vlan:

If using vlan 100 for wireless management interface:

sw-3850-1(config)#interface gigabit1/0/10

sw-3850-1(config-if)#switchport mode access

sw-3850-1(config-if)#switchport access vlan 100

Configuring Web Access

The GUI can be accessed via https://<ipaddress>/wireless

The logon credentials are already defined in the initial configuration dialog

username admin privilege 15 password 0 admin ( username for Web access)

 

Capture.JPG

Country code

    Ensure you have configured the correct country code on your WLC in compliance with the regulatory domain of the 

     country the AP(s) will be servicing in and in compliance with the regulatory domain of the AP(s)

sw-3850-1#show wireless country configured

Configured Country.............................: US  - United States
Configured Country Codes
  US  - United States : 802.11a Indoor,Outdoor/ 802.11b / 802.11g

sw-3850-1(config)#ap dot11 24ghz shutdown

sw-3850-1(config)#ap dot11 5ghz shutdown

sw-3850-1(config)#ap country BE
Changing  country code could reset channel and RRM grouping configuration. If  running in RRM One-Time mode, reassign channels after this command.  Check customized APs for valid channel values after this command.
Are you sure you want to continue? (y/n)[y]: y
sw-3850-1(config)#no ap dot11 24ghz shut
sw-3850-1(config)#no ap dot11 5ghz shut
sw-3850-1(config)#end
sw-3850-1#wr
Building configuration...
Compressed configuration from 3564 bytes to 2064 bytes[OK]


sw-3850-1#show wireless country configured


Configured Country.............................: BE  - Belgium
Configured Country Codes
    BE  - Belgium : 802.11a Indoor,Outdoor/ 802.11b / 802.11g

Monitoring and Debugging

Ensure that your AP(s) have joined:

sw-3850-1#show ap summary

Number of APs: 1

Global AP User Name: Not configured

Global AP Dot1x User Name: Not configured


AP Name                           AP Model      Ethernet MAC      Radio MAC                State


-------------------------------------------------------------------------------------------------------


APa493.4cf3.232a             1042N     a493.4cf3.231a  10bd.186e.9a40      Registered

DHCP Snooping and Trust Configuration

It is recommended to use external DHCP server instead of internal DHCP server. DHCP snooping configuration is required on the controller for proper client join functionality. DHCP snooping must be enabled on each client VLAN including the override VLAN, if override is applied on the WLAN. The following example shows how to configure DHCP snooping.

Global DHCP Snooping Configuration:

ip dhcp snooping

ip dhcp snooping vlan 100, 200

Enable the bootp-broadcast command. This command is used by clients who send DHCP messages with broadcast addresses and the broadcast bit is set in the DHCP message.

ip dhcp snooping wireless bootp-broadcast enable

On the Interface:

Note If upstream is via a port channel, the trust configuration must be configured on the port channel interface as well.

interface TenGigabitEthernet1/0/1

description Connection to Core Switch

switchport trunk allowed vlan 100, 200

switchport mode trunk

ip dhcp relay information trusted

ip dhcp snooping trust

Note DHCP snooping must be configured on the Guest Anchor controller for guest access similar to the configuration above.

If you are using an ip-helper address on the interface, you must modify option 82 behavior:

On the DHCP Snooping Device
no ip dhcp snooping information option


OR

On the DHCP Relay Device (per interface)
ip dhcp relay information trusted

On the DHCP Relay Device (global configuration)
ip dhcp relay information trust-all

 

Useful debugs for troubleshooting AP join issues

sw-3850-1#debug capwap ap events

capwap/ap/events debugging is on

sw-3850-1#debug capwap ap error

capwap/ap/error debugging is on

sw-3850-1#debug dtls ap event
dtls/ap/event debugging is on
Comments
silvepar1
Level 1
Level 1

Please, you can help me with my requirement... I try to download a pem file in my wlc 5760 for the certificate but is no possible because when i try to download the file an error ocurred and the transfer failed, and no error is shown in the console.

So, you could help me with this requirement? if you have an idea to solve?

George Stefanick
VIP Alumni
VIP Alumni

It best to post your question in the general forum.

mdiawara5
Community Member

Can Someone please help me on this.

We have 3 X 3850 in a stack and we are running Cisco IOS XE version 03.02.01 on it and we would like to setup 3(1602i series AP) WAPs on it.

Basically our 3850 STACK will be used as a WLC(Wireless Lan Controller).

First: can we setup WLC on the 3850 stack using CLI NOT GUI with the current version we have(IOS XE 03.02.01)?

Second: can we configure below command on the 3850 stack without performing a REBOOT

          Wireless mobility controller

Please help

Thanks,

Joseph Vasanth Louis
Cisco Employee
Cisco Employee

Hi Moustapha,

you can  configure the 3850 using cli.

you have to reboot when the controller is changing role  from MA to MC

mdiawara5
Community Member

Thank you very much for you response.

I was able to setup 2 Wlan(SSIDs) and they are both working fine.

I am trying not to broadcast one of my SSIDs, Can you or someone please Confirm if this command required a REBOOT of the WLC(3850 Stack)

CC3850-01(config)# wlan MYWIFI

CC3850-01(config-wlan)#no broadcast-ssid

Please help,

Thanks,

Joseph Vasanth Louis
Cisco Employee
Cisco Employee

no it does not require a reboot

Patrick Meyer
Level 1
Level 1

Hi I just have a quick question:

I have no real experience with these 5760 WLCs but most guides recommend using the gig interface for management which seems quite odd to me given that it is stated to be the service port. Has anyone else wondered about this and is there a reason why cisco documents it that way? Are there maybe issues in using a VLAN on the 10G interfaces for management access?

MD KAFINUZZAMAN
Level 1
Level 1

Hi,

how to configuration HA on 5760 wlc. should I configured active controller and then shutdown this controller and connect HA controller and start both the controllers .....?

 

Joseph Vasanth Louis
Cisco Employee
Cisco Employee

Hi Kaficisco,

you should be using the stack cables which come along with the 5760 HA units. the below link gives you the info on how to and what stack cables to use in setting up HA on 5760

 

http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/5700/software/release/ios_xe_33/5760_HA_DG_iosXE33.html

 

-Joseph

CCIE W 40860

MD KAFINUZZAMAN
Level 1
Level 1

Thanks for your replay
        
 1.    should I configure Active controller 1st then I connect HA controller by stack cable and boot HA controller.

2.    should I configure 2 eather channel  group . one for core switch A (active) and another for core switch B(stand by)

3.    and cable connectivity active controller Te 1/0/1 connect to core switch A and Te1/0/1 core switch B. and from HA controller Te2/0/1 to Core switch A and Te2/0/2 to Core switch B.

4.    configure Two separate eather channel on two core switch. as I am using 4507 as a core switch.


Please send me a reply as i am okay . if not then what should i do for this.

Joseph Vasanth Louis
Cisco Employee
Cisco Employee

 1.    should I configure Active controller 1st then I connect HA controller by stack cable and boot HA controller.

once you connect the stack cable, both controller are one.

2.    should I configure 2 eather channel  group . one for core switch A (active) and another for core switch B(stand by)

yes

 

3.    and cable connectivity active controller Te 1/0/1 connect to core switch A and Te1/0/1 core switch B. and from HA controller Te2/0/1 to Core switch A and Te2/0/2 to Core switch B.

yes

4.    configure Two separate eather channel on two core switch. as I am using 4507 as a core switch.

you can do either way.

MD KAFINUZZAMAN
Level 1
Level 1

Again Thanks

 

Are there any alternate solution...........

 

Thanks

kafi

skype: kafi20112

phone :+8801938802635

 

 

Great user guide!

I use two 3850, one for MC and the other for MA .

All ap are joined, i can see the MA when i do "sh wireless mobility summary".

But it seems that SSID of AP connected to MA are not broadcast. On the MC it's ok.

How can i debug it? I have no error when i turn on debug on capwap, dtls, ap

 

Thanks.

 

JB

Markus Schwarz
Level 1
Level 1

Great Post and i just stumpled upon it as i am working on  a converged access solution smiley 

 

Converged Access AP Licensing for redundancy – how many license for stack  members?

 

According to CCO docs : Ensure that you have AP Licenses active on the MC (the MA will use the licenses that are activated on the MC):

 

This is the product code required according to docs : L-LIC-CTIOS-1A

 

 

Example Scenario: Small branch deployment

 

Access Stack Switch of 4 x 3850 dedicated as MC and MA with 4 AP’s connected

 

Access Stack of 4 x 3850 set as MA only with 4 AP’s connected

 

AP total x 8  (4 on each switch)

 

 

Given my example above, would I not require  4 x L-LIC-CTIOS-1A  for each stack member that is elected as MC and applied and activated on each member switch?

 

 

I believe that there will be no MC redundancy in case the master member switch with the AP license fails.

 

I would be grateful if someone can elaborate this as I could not find any references to this yet

 

Best Regards

Markus

Hello,

I am new with this 3850 Controller configuration.

I am having a situation and need help.

I did a AAA configuration on the 3850 to use ISE. Now, I am trying to access the WLC GUI and when I log in with the credentials I am able to see only 3 tabs (Home, Monitor and Help). I don't understand why the Configuration tab is not showing. ISE shows that the user is with privilege 15. 

Is there a configuration change that I need on the switch to allow or view the configuration tab?

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: