cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4275
Views
10
Helpful
2
Comments
Serge Yasmine
Cisco Employee
Cisco Employee

This guide has been tested in TAC LABs. At the end of the guide, the wireless phone 7925 was able to associate to the SSID(s) and place calls. QoS was also working fine by verifying end-to-end tagging.

 

Introduction

 

This document covers step by step guide for configuring the cisco 5760 and 3850 WLC(s) to be inline with the voice over wireless requirements. This is an equivalent document for the already existing Voice over WLAN deployment guide applicable for the previous WLC models ex. 5508, WiSM...

 

The 5760 and 3850 are the new WLC models that have been recently released by Cisco. They run a new set of commands for configuration, thus the requirement for a new voice over wireless LAN deployment guide.

 

Requirements

 

  • This document doesn't cover startup configuration for the 5760 and 3850 WLC(s). For more infomation about this particuar task please visit this the following document on support forums.
  • This document assumes that the wireless access points have already joined the WLC 5760 and/or 3850
  • This document doesn't cover Call Manager configuration and assumes that it is already correctly configured and ready to host IP phones.
  • This document assumes that you already have a Radius Server in your network ready to authenticate and authorize the Wireless IP phones.
  • This document assumes that all required ports for Skinny, RTP, CAPWAP and other relevant ports have already been opened on your Firewall and allowed in your any Access Lists.
  • This document assumes that an appropriate voice over wireless LAN RF site survey has been done for 5Ghz and that the correct requirements are being met for signal strength, cell overlap, noise level, ap placement and so on... Again refer to the 7925 voice over wireless LAN deployment guide for more information about these requirements.

 

Recommended software versions

 

  • In order to benefit from the most recent and improved scanning algorithm, it is recommended to run code 1.4.4 and above on the Cisco Wireless IP phones.
  • In order to benefit from the GUI on the 5760 and 3850 also to run the most recent code ensure you are on code 03.02.02.SE.150-1.EX2 and above (This is valid on June 25 2013)

 

LAB devices and software versions in use

 

  • Cisco 7925 Wireless IP phone code 1.4.5.3
  • Cisco 5760 WLC running code 03.03.03SE
  • Cisco lightweight 1142, 3600, 3700 AP
  • ISE code 1.2
  • CME code 12.4.22.YB4

 

Configuring Voice Layer 3 Interface and Layer 2  VLAN on the WLC

 

CLI Example

 

1- Create the Layer 2 VLAN for Voice.

w-5760-3#conf t
w-5760-3(config)#vlan 100
w-5760-3(config-vlan)#name VoiceVLAN
w-5760-3(config-vlan)#end
w-5760-3#write mem

2- Create the Layer 3 interface for the voice VLAN.
w-5760-3(config)#interface vlan 100
w-5760-3(config-if)#no shut
w-5760-3(config-if)#ip address 10.1.1.20 255.255.255.0

w-5760-3(config-if)#description Voice VLAN

w-5760-3(config-if)#ip helper-address 10.1.1.2
w-5760-3(config-if)#end
w-5760-3#write mem

 

3- Add Vlan 100 on the uplink trunk connecting the WLC with the network

w-5760-3(config)#interface tenGigabitEthernet 1/0/1
w-5760-3(config-if)#switchport trunk allowed vlan 1,2,100


w-5760-3(config-if)#do sh run int te 1/0/1
interface TenGigabitEthernet1/0/1
 switchport trunk allowed vlan 1,2,100
 switchport mode trunk

 ip dhcp snooping trust

 

 

GUI Example

 

1- Navigate from your browser to http://ipaddress/wireless. Example http://192.168.1.20/wireless

2- Go to Configuration -> Controller

3- Expand System

4- Exand VLAN

5- Click on Layer 2 VLAN

6- Click on New and then fill in the VLAN ID and the name. Ensure it is in Actice state as shown in this example:

 

Screen Shot 2013-05-22 at 8.08.05 PM.png

 

7- Click on Apply.

8- Click on Layer 3 Interface

9- Click on New to crate a new interface

10- Insert the VLAN ID, description, ip address and other filed in similar to what has been entered below..

 

Screen Shot 2013-05-22 at 8.13.00 PM.png

11- Click on Apply and then Save configuration

 

12- Click on Port Summary under Interfaces and add vlan 100 to the Trunk Vlan [Allowed]

 

Screen Shot 2014-06-19 at 14.46.26.png

 

Configuring the 802.11 Radio Band settings

 

 In this document, we are going to use 5Ghz for voice.

 

 

If using 5Ghz, these are the recommended settings:

 

Screen Shot 2014-06-19 at 14.50.15.png

 

 

 

 

Ensure you set DCA interval to 24hours with midnight anchor time. This is to avoid any DCA channel changes during work hours. Further, for your DCA algorigthm choose to avoid channels with high Load or Interference.

 

Last, in your channel selection, the least amount of channels you select, the best, this way the channel scan list that the phone has to do in order to find the next best AP is smaller and assures better roaming experiencing.

 

Screen Shot 2014-06-19 at 14.52.01.png

 

 

 

 Ensure you enabled Call Admission Control for Voice.

 

**Use ap dot11 5ghz exp-bwreq via the CLI to enable Expidited Bandwith for e911 calls**
 

 

Screen Shot 2013-05-22 at 11.32.25 PM.png

 

 

EDCA has to be wmm-default

 

Screen Shot 2014-06-19 at 14.56.41.png

Here are the TPC settings.

 

Screen Shot 2013-05-22 at 11.34.18 PM.png

 

 

 

 

Here are the roaming parameters:

 

Screen Shot 2013-05-22 at 11.40.32 PM.png

 

 

If you have however decided to use 2.4Ghz for Voice, then make sure you also adapt the data rates and that you are only using channels 1,6 and 11 which are the only non overlapping channels on the 2.4ghz band. The rest should be configured the same way as has been highlighted for the 802.11a band above.

 

Screen Shot 2013-05-22 at 11.29.19 PM.png

 

 

 

Ensure you enable CleanAir to avoid Interference

 

Screen Shot 2013-05-22 at 11.48.31 PM.png

 

 

 

 

 

 

 

 

Configuring the QoS Policy

 

We will show how to do QoS on SSID level for upstream and downstream traffic. The guide will only cover the GUI section.

 

1- Configuration -> Wireless -> QoS -> QoS-Policy

2- We will create two SSID policies

 

Screen Shot 2014-06-19 at 16.26.43.png

 

 

In order to create these two policies click on "Add new" and configure each one of them as such.

 

The Ingress Policy (From wireless phone)

Screen Shot 2014-06-19 at 16.28.22.png

 

 

 

The Egress Policy (To Wireless phone)

Screen Shot 2014-06-19 at 16.29.05.png

Configuring Controller Settings

 

If you are going to utilize multicast over the WLC then you need to enable Multicast globally and ensure as well that multicast routing / delivery is correctly configured on your wired infrastructure.

 

Screen Shot 2013-05-22 at 11.15.45 PM.png

 

Screen Shot 2013-05-22 at 11.15.59 PM.png

 

 

 

Configuring the voice SSID

In this section we are going to cover how to configure the voice SSID that is going to be used by the wireless IP phones. Only two examples are going to be covered while taking into consideration security and fast roaming. We are going to speak about WPA2+AES+CCKM as well as WPA2+AES and Pre-shared key.

 

Open ssid, Wep, tkip as well as other security modes are not going to be covered due to security and other drawbacks when using them for voice over wireless LANs.

 

By covering CCKM and PSK we provide the choice of having a AAA server and as well as not having one.

 

The SSID that we will use will have the name "7925voice". Note ssid name is case sensitive and should be entered exactly in the same manner when configuring it on the wireless IP phone.

 

Example for configuring WPA2 - AES - Preshared key SSID

 

CLI Example

1- Ensure your AP(s) have already joined the WLC

 

w-5760-3#show ap summary
Number of APs: 1

Global AP User Name: Not configured
Global AP Dot1x User Name: Not configured

AP Name                           AP Model  Ethernet MAC    Radio MAC       State         
----------------------------------------------------------------------------------------
Serge-LAP-3700-2                  3702P     7cad.74ff.2e96  08cc.68b4.4490  Registered    

 

 


2- Create the SSID by applying the following commands:

 

w-5760-3(config)#wlan 7925voicePSK 3 7925voicePSK
w-5760-3(config-wlan)#shut
w-5760-3(config-wlan)#radio dot11a
w-5760-3(config-wlan)#dtim dot11 5ghz 2
w-5760-3(config-wlan)#no session-timeout
w-5760-3(config-wlan)#broadcast-ssid
w-5760-3(config-wlan)#no band-select
w-5760-3(config-wlan)#no exclusionlist
w-5760-3(config-wlan)#ccx aironet-iesupport
w-5760-3(config-wlan)#channel-scan defer-priority 4
w-5760-3(config-wlan)#channel-scan defer-priority 5
w-5760-3(config-wlan)#channel-scan defer-priority 6
w-5760-3(config-wlan)#channel-scan defer-time 100
w-5760-3(config-wlan)#chd
w-5760-3(config-wlan)#client vlan 100
w-5760-3(config-wlan)#no ip dhcp required
w-5760-3(config-wlan)#no load-balance
w-5760-3(config-wlan)#no mac-filtering
w-5760-3(config-wlan)#mfp client
w-5760-3(config-wlan)#wmm allowed
w-5760-3(config-wlan)#no security dot1x
w-5760-3(config-wlan)#no security wpa akm cckm
w-5760-3(config-wlan)#no security wpa akm dot1x
w-5760-3(config-wlan)#no security static-wep-key
w-5760-3(config-wlan)#no security web-auth parameter-map global

w-5760-3(config-wlan)#no security ft over-the-ds

w-5760-3(config-wlan)#no peer-blocking

w-5760-3(config-wlan)#ccx aironet-iesupport

w-5760-3(config-wlan)#security wpa wpa2 ciphers aes

w-5760-3(config-wlan)#security wpa akm psk set-key ascii 0 SecretKey <-- CHOOSE YOUR OWN KEY

w-5760-3(config-wlan)#service-policy input voice-from-wifi-phone
w-5760-3(config-wlan)#service-policy output voice-to-wifi-phone
w-5760-3(config-wlan)#no shut
w-5760-3(config-wlan)#end
w-5760-3#write memory


 

GUI Example

 

1- Navigate from your browser to http://ipaddress/wireless. Example http://192.168.1.20/wireless

2- Go to Configuration -> Wireless

3- Expand WLAN and Click on WLANs

4- Click on New

 

 

 

5- Click on Apply

6- Now click on the newly create SSID by going back to the WLANs page and ensure it is configured as indicated on the following snapshots

 

Screen Shot 2014-06-19 at 15.30.47.png

 

 

Screen Shot 2014-06-19 at 15.14.41.png

 

 

 

Screen Shot 2014-06-19 at 15.17.05.png

 

 

Screen Shot 2014-06-19 at 15.16.09.png

 

Screen Shot 2014-06-19 at 16.30.51.png

 

 

Screen Shot 2014-06-19 at 15.18.20.png

 

 

Screen Shot 2013-05-22 at 10.45.18 PM.png

 

 

Screen Shot 2013-05-22 at 10.01.10 PM.png

 

 

 

Example for configuring WPA2 - AES - CCKM SSID

 

CLI example

 

1- Ensure your AP(s) have already joined the WLC

 

w-5760-3#show ap summary
Number of APs: 2

Global AP User Name: Not configured
Global AP Dot1x User Name: Not configured

AP Name                           AP Model  Ethernet MAC    Radio MAC       State
----------------------------------------------------------------------------------------
LAP1142-3                   1142N     0022.bd18.a97d  0023.eb3a.3320  Registered
LAP1142-1                   1142N     0022.bd1a.ce23  0026.cbac.07b0  Registered

 


2- Create the SSID by applying the following commands:

 

 

w-5760-3(config)#wlan 7925voiceCCKM 4 7925voiceCCKM
w-5760-3(config-wlan)#shut
w-5760-3(config-wlan)#radio dot11a
w-5760-3(config-wlan)#dtim dot11 5ghz 2
w-5760-3(config-wlan)#no session-timeout
w-5760-3(config-wlan)#broadcast-ssid
w-5760-3(config-wlan)#no band-select
w-5760-3(config-wlan)#no exclusionlist
w-5760-3(config-wlan)#ccx aironet-iesupport
w-5760-3(config-wlan)#channel-scan defer-priority 4
w-5760-3(config-wlan)#channel-scan defer-priority 5
w-5760-3(config-wlan)#channel-scan defer-priority 6
w-5760-3(config-wlan)#channel-scan defer-time 100
w-5760-3(config-wlan)#chd
w-5760-3(config-wlan)#client vlan 100
w-5760-3(config-wlan)#no ip dhcp required
w-5760-3(config-wlan)#no load-balance
w-5760-3(config-wlan)#no mac-filtering
w-5760-3(config-wlan)#mfp client
w-5760-3(config-wlan)#wmm allowed

w-5760-3(config-wlan)#no security dot1x

w-5760-3(config-wlan)#no security wpa akm psk
w-5760-3(config-wlan)#no security wpa akm dot1x
w-5760-3(config-wlan)#no security static-wep-key
w-5760-3(config-wlan)#no security web-auth parameter-map global

w-5760-3(config-wlan)#no security ft over-the-ds

w-5760-3(config-wlan)#security wpa akm cckm

w-5760-3(config-wlan)#security wpa wpa2 ciphers aes

w-5760-3(config-wlan)#security dot1x authentication-list Wireless_Dot1x

w-5760-3(config-wlan)#no peer-blocking

w-5760-3(config-wlan)#ccx aironet-iesupport

w-5760-3(config-wlan)#service-policy input voice-from-wifi-phone
w-5760-3(config-wlan)#service-policy output voice-to-wifi-phone
w-5760-3(config-wlan)#no shut
w-5760-3(config-wlan)#end
w-5760-3#write memory

 

 

 

GUI example

 

1- Navigate from your browser to http://ipaddress/wireless. Example http://192.168.1.20/wireless

2- Go to Configuration -> Wireless

3- Expand WLAN and Click on WLANs

4- Click on New

 

Screen Shot 2014-06-19 at 15.33.09.png

 

5- Click on Apply

6- Now click on the newly create SSID by going back to the WLANs page and ensure it is configured as indicated on the following snapshots

 

Screen Shot 2014-06-19 at 15.35.15.png

 

 

 

Screen Shot 2014-06-19 at 15.37.33.png

 

 

 

 

Screen Shot 2014-06-19 at 15.38.08.png

 

 

Screen Shot 2013-05-22 at 10.18.51 PM.png

 

 

Screen Shot 2014-06-19 at 16.30.51.png

 

 

Screen Shot 2013-05-22 at 10.45.18 PM.png

 

 

Screen Shot 2013-05-22 at 10.01.10 PM.png

 

 

7- Configure the aaa required configuration part

 

From the CLI:

 

aaa new-model
!
!
aaa group server radius ISE_Server
 server name ISE
!
aaa authentication login noauth none
aaa authentication dot1x Wireless_Dot1x group ISE_Server
aaa authorization network Wireless_Dot1x group ISE_Server
 

radius server ISE
 address ipv4 192.168.1.32 auth-port 1812 acct-port 1813
 key cisco
 

dot1x system-auth-control
 

 

From the GUI:

 

Here is the order via the snapshots

 

1- Configure the Radius Server.

 

Screen Shot 2013-05-22 at 10.29.20 PM.png

Screen Shot 2014-06-19 at 15.41.06.png

 

 

2- Configure the Radius Group and map it to the radius server.

 

Screen Shot 2014-06-19 at 15.42.07.png

 

 

 

 

3- Configure the authentication method and map it to the radius group.

 

 

Screen Shot 2013-05-22 at 10.33.39 PM.png

 

Screen Shot 2013-05-22 at 10.34.15 PM.png

 

4- Ensure dot1x is enabled globaly on the WLC under the Configure - Controller tab:

 

Screen Shot 2013-05-22 at 11.12.17 PM.png

Comments
Adam Makovecz
Level 1
Level 1

PLEASE NOTE AFTER IOS XE 3.3.4 THE QOS MUST BE SET TO PLATINUM!

You can ignore the QoS part in this documentation if your version is higher than 3.3.4. Platinum, Gold and Bronze default qos settings were not existed before on NGWC platforms, only on AirOS.

nikhilcherian
Level 5
Level 5

Can you tell, why you have suggested to keep the EDCA as wmm-default and not VOICE-optimized

Regards

Nikhil

 

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: