This guide has been tested in TAC LABs. At the end of the guide, the wireless phone 7925 was able to associate to the SSID(s) and place calls. QoS was also working fine by verifying end-to-end tagging.
Introduction
This document covers step by step guide for configuring the cisco 5760 and 3850 WLC(s) to be inline with the voice over wireless requirements. This is an equivalent document for the already existing Voice over WLAN deployment guide applicable for the previous WLC models ex. 5508, WiSM...
The 5760 and 3850 are the new WLC models that have been recently released by Cisco. They run a new set of commands for configuration, thus the requirement for a new voice over wireless LAN deployment guide.
Requirements
- This document doesn't cover startup configuration for the 5760 and 3850 WLC(s). For more infomation about this particuar task please visit this the following document on support forums.
- This document assumes that the wireless access points have already joined the WLC 5760 and/or 3850
- This document doesn't cover Call Manager configuration and assumes that it is already correctly configured and ready to host IP phones.
- This document assumes that you already have a Radius Server in your network ready to authenticate and authorize the Wireless IP phones.
- This document assumes that all required ports for Skinny, RTP, CAPWAP and other relevant ports have already been opened on your Firewall and allowed in your any Access Lists.
- This document assumes that an appropriate voice over wireless LAN RF site survey has been done for 5Ghz and that the correct requirements are being met for signal strength, cell overlap, noise level, ap placement and so on... Again refer to the 7925 voice over wireless LAN deployment guide for more information about these requirements.
Recommended software versions
- In order to benefit from the most recent and improved scanning algorithm, it is recommended to run code 1.4.4 and above on the Cisco Wireless IP phones.
- In order to benefit from the GUI on the 5760 and 3850 also to run the most recent code ensure you are on code and above (This is valid on June 25 2013)
LAB devices and software versions in use
- Cisco 7925 Wireless IP phone code 1.4.5.3
- Cisco 5760 WLC running code 03.03.03SE
- Cisco lightweight 1142, 3600, 3700 AP
- ISE code 1.2
- CME code 12.4.22.YB4
Configuring Voice Layer 3 Interface and Layer 2 VLAN on the WLC
CLI Example
1- Create the Layer 2 VLAN for Voice.
w-5760-3#conf t
w-5760-3(config)#vlan 100
w-5760-3(config-vlan)#name VoiceVLAN
w-5760-3(config-vlan)#end
w-5760-3#write mem
2- Create the Layer 3 interface for the voice VLAN.
w-5760-3(config)#interface vlan 100
w-5760-3(config-if)#no shut
w-5760-3(config-if)#ip address 10.1.1.20 255.255.255.0
w-5760-3(config-if)#description Voice VLAN
w-5760-3(config-if)#ip helper-address 10.1.1.2
w-5760-3(config-if)#end
w-5760-3#write mem
3- Add Vlan 100 on the uplink trunk connecting the WLC with the network
w-5760-3(config)#interface tenGigabitEthernet 1/0/1
w-5760-3(config-if)#switchport trunk allowed vlan 1,2,100
w-5760-3(config-if)#do sh run int te 1/0/1
interface TenGigabitEthernet1/0/1
switchport trunk allowed vlan 1,2,100
switchport mode trunk
ip dhcp snooping trust
GUI Example
1- Navigate from your browser to http://ipaddress/wireless. Example http://192.168.1.20/wireless
2- Go to Configuration -> Controller
3- Expand System
4- Exand VLAN
5- Click on Layer 2 VLAN
6- Click on New and then fill in the VLAN ID and the name. Ensure it is in Actice state as shown in this example:
7- Click on Apply.
8- Click on Layer 3 Interface
9- Click on New to crate a new interface
10- Insert the VLAN ID, description, ip address and other filed in similar to what has been entered below..
11- Click on Apply and then Save configuration
12- Click on Port Summary under Interfaces and add vlan 100 to the Trunk Vlan [Allowed]
Configuring the 802.11 Radio Band settings
In this document, we are going to use 5Ghz for voice.
If using 5Ghz, these are the recommended settings:
Ensure you set DCA interval to 24hours with midnight anchor time. This is to avoid any DCA channel changes during work hours. Further, for your DCA algorigthm choose to avoid channels with high Load or Interference.
Last, in your channel selection, the least amount of channels you select, the best, this way the channel scan list that the phone has to do in order to find the next best AP is smaller and assures better roaming experiencing.
Ensure you enabled Call Admission Control for Voice.
**Use ap dot11 5ghz exp-bwreq via the CLI to enable Expidited Bandwith for e911 calls**
EDCA has to be wmm-default
Here are the TPC settings.
Here are the roaming parameters:
If you have however decided to use 2.4Ghz for Voice, then make sure you also adapt the data rates and that you are only using channels 1,6 and 11 which are the only non overlapping channels on the 2.4ghz band. The rest should be configured the same way as has been highlighted for the 802.11a band above.
Ensure you enable CleanAir to avoid Interference
Configuring the QoS Policy
We will show how to do QoS on SSID level for upstream and downstream traffic. The guide will only cover the GUI section.
1- Configuration -> Wireless -> QoS -> QoS-Policy
2- We will create two SSID policies
In order to create these two policies click on "Add new" and configure each one of them as such.
The Ingress Policy (From wireless phone)
The Egress Policy (To Wireless phone)
Configuring Controller Settings
If you are going to utilize multicast over the WLC then you need to enable Multicast globally and ensure as well that multicast routing / delivery is correctly configured on your wired infrastructure.
Configuring the voice SSID
In this section we are going to cover how to configure the voice SSID that is going to be used by the wireless IP phones. Only two examples are going to be covered while taking into consideration security and fast roaming. We are going to speak about WPA2+AES+CCKM as well as WPA2+AES and Pre-shared key.
Open ssid, Wep, tkip as well as other security modes are not going to be covered due to security and other drawbacks when using them for voice over wireless LANs.
By covering CCKM and PSK we provide the choice of having a AAA server and as well as not having one.
The SSID that we will use will have the name "7925voice". Note ssid name is case sensitive and should be entered exactly in the same manner when configuring it on the wireless IP phone.
Example for configuring WPA2 - AES - Preshared key SSID
CLI Example
1- Ensure your AP(s) have already joined the WLC
w-5760-3#show ap summary
Number of APs: 1
Global AP User Name: Not configured
Global AP Dot1x User Name: Not configured
AP Name AP Model Ethernet MAC Radio MAC State
--------------------------------------------------
Serge-LAP-3700-2 3702P 7cad.74ff.2e96 08cc.68b4.4490 Registered
2- Create the SSID by applying the following commands:
w-5760-3(config)#wlan 7925voicePSK 3 7925voicePSK
w-5760-3(config-wlan)#shut
w-5760-3(config-wlan)#radio dot11a
w-5760-3(config-wlan)#dtim dot11 5ghz 2
w-5760-3(config-wlan)#no session-timeout
w-5760-3(config-wlan)#broadcast-ssid
w-5760-3(config-wlan)#no band-select
w-5760-3(config-wlan)#no exclusionlist
w-5760-3(config-wlan)#ccx aironet-iesupport
w-5760-3(config-wlan)#channel-scan defer-priority 4
w-5760-3(config-wlan)#channel-scan defer-priority 5
w-5760-3(config-wlan)#channel-scan defer-priority 6
w-5760-3(config-wlan)#channel-scan defer-time 100
w-5760-3(config-wlan)#chd
w-5760-3(config-wlan)#client vlan 100
w-5760-3(config-wlan)#no ip dhcp required
w-5760-3(config-wlan)#no load-balance
w-5760-3(config-wlan)#no mac-filtering
w-5760-3(config-wlan)#mfp client
w-5760-3(config-wlan)#wmm allowed
w-5760-3(config-wlan)#no security dot1x
w-5760-3(config-wlan)#no security wpa akm cckm
w-5760-3(config-wlan)#no security wpa akm dot1x
w-5760-3(config-wlan)#no security static-wep-key
w-5760-3(config-wlan)#no security web-auth parameter-map global
w-5760-3(config-wlan)#no security ft over-the-ds
w-5760-3(config-wlan)#no peer-blocking
w-5760-3(config-wlan)#ccx aironet-iesupport
w-5760-3(config-wlan)#security wpa wpa2 ciphers aes
w-5760-3(config-wlan)#security wpa akm psk set-key ascii 0 SecretKey <-- CHOOSE YOUR OWN KEY
w-5760-3(config-wlan)#service-policy input voice-from-wifi-phone
w-5760-3(config-wlan)#service-policy output voice-to-wifi-phone
w-5760-3(config-wlan)#no shut
w-5760-3(config-wlan)#end
w-5760-3#write memory
GUI Example
1- Navigate from your browser to http://ipaddress/wireless. Example http://192.168.1.20/wireless
2- Go to Configuration -> Wireless
3- Expand WLAN and Click on WLANs
4- Click on New
5- Click on Apply
6- Now click on the newly create SSID by going back to the WLANs page and ensure it is configured as indicated on the following snapshots
Example for configuring WPA2 - AES - CCKM SSID
CLI example
1- Ensure your AP(s) have already joined the WLC
w-5760-3#show ap summary
Number of APs: 2
Global AP User Name: Not configured
Global AP Dot1x User Name: Not configured
AP Name AP Model Ethernet MAC Radio MAC State
--------------------------------------------------
LAP1142-3 1142N 0022.bd18.a97d 0023.eb3a.3320 Registered
LAP1142-1 1142N 0022.bd1a.ce23 0026.cbac.07b0 Registered
2- Create the SSID by applying the following commands:
w-5760-3(config)#wlan 7925voiceCCKM 4 7925voiceCCKM
w-5760-3(config-wlan)#shut
w-5760-3(config-wlan)#radio dot11a
w-5760-3(config-wlan)#dtim dot11 5ghz 2
w-5760-3(config-wlan)#no session-timeout
w-5760-3(config-wlan)#broadcast-ssid
w-5760-3(config-wlan)#no band-select
w-5760-3(config-wlan)#no exclusionlist
w-5760-3(config-wlan)#ccx aironet-iesupport
w-5760-3(config-wlan)#channel-scan defer-priority 4
w-5760-3(config-wlan)#channel-scan defer-priority 5
w-5760-3(config-wlan)#channel-scan defer-priority 6
w-5760-3(config-wlan)#channel-scan defer-time 100
w-5760-3(config-wlan)#chd
w-5760-3(config-wlan)#client vlan 100
w-5760-3(config-wlan)#no ip dhcp required
w-5760-3(config-wlan)#no load-balance
w-5760-3(config-wlan)#no mac-filtering
w-5760-3(config-wlan)#mfp client
w-5760-3(config-wlan)#wmm allowed
w-5760-3(config-wlan)#no security dot1x
w-5760-3(config-wlan)#no security wpa akm psk
w-5760-3(config-wlan)#no security wpa akm dot1x
w-5760-3(config-wlan)#no security static-wep-key
w-5760-3(config-wlan)#no security web-auth parameter-map global
w-5760-3(config-wlan)#no security ft over-the-ds
w-5760-3(config-wlan)#security wpa akm cckm
w-5760-3(config-wlan)#security wpa wpa2 ciphers aes
w-5760-3(config-wlan)#security dot1x authentication-list Wireless_Dot1x
w-5760-3(config-wlan)#no peer-blocking
w-5760-3(config-wlan)#ccx aironet-iesupport
w-5760-3(config-wlan)#service-policy input voice-from-wifi-phone
w-5760-3(config-wlan)#service-policy output voice-to-wifi-phone
w-5760-3(config-wlan)#no shut
w-5760-3(config-wlan)#end
w-5760-3#write memory
GUI example
1- Navigate from your browser to http://ipaddress/wireless. Example http://192.168.1.20/wireless
2- Go to Configuration -> Wireless
3- Expand WLAN and Click on WLANs
4- Click on New
5- Click on Apply
6- Now click on the newly create SSID by going back to the WLANs page and ensure it is configured as indicated on the following snapshots
7- Configure the aaa required configuration part
From the CLI:
aaa new-model
!
!
aaa group server radius ISE_Server
server name ISE
!
aaa authentication login noauth none
aaa authentication dot1x Wireless_Dot1x group ISE_Server
aaa authorization network Wireless_Dot1x group ISE_Server
radius server ISE
address ipv4 192.168.1.32 auth-port 1812 acct-port 1813
key cisco
dot1x system-auth-control
From the GUI:
Here is the order via the snapshots
1- Configure the Radius Server.
2- Configure the Radius Group and map it to the radius server.
3- Configure the authentication method and map it to the radius group.
4- Ensure dot1x is enabled globaly on the WLC under the Configure - Controller tab:
