Recommended Port configuration for Cisco AP

JustinGayheart
Level 1

hi everyone, is there a place online where i can find the recommended port configurations for Access Points in Cisco switches?

I am taking over / cleaning up a giant network and I'd really to get things to best practices.

for example this is one AP Config that I have found on the network:

switchport mode trunk
switchport nonegotiate
srr-queue bandwidth share 1 30 35 5
priority-queue out
mls qos trust dscp
macro description cisco-wireless
auto qos trust
spanning-tree bpduguard enable
spanning-tree guard root


marce1000
VIP

 

 - Most of the example is bogus; just use 'switchport mode host'. You can clear the interface settings with 'default int gix/y' (e.g.). You may need to put the AP in the correct VLAN; sometimes automatic NAC solutions are implemented for this, and/or it is then done automatically by the NAC infrastructure. Well, to be honest, the above example is intended for access points which are using a controller; for standalone APs you may need a trunk for the WLANs/VLANs, and/or for FlexConnect APs too.
 (sorry for multiple replies received, I made some corrections and additions)

 M.



-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
   When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

Prince.O
Spotlight

I would recommend to first confirm what mode the APs are running in on the controller.

If the APs are going to be in "local" mode with traffic going through a CAPWAP tunnel, you just need to have the switch port in access mode and place the port in the respective AP VLAN.

If your APs are running in "FlexConnect" with data traffic being dropped off locally, you need the switchport to be a trunk and then set the native VLAN to the VLAN you want the APs to get an IP address from. You will also need to allow the necessary client VLANs on the switchport.

To avoid any issues, it's best to keep the switchport configs as simple as possible. You will always want to trust DSCP so QoS traffic does not get overridden.

They are indeed running in Local mode. The majority of the ports are set up as:

switchport trunk native vlan 15
switchport trunk allowed vlan 1,3,5,14,15,18,100,161,162,199-204
switchport mode trunk

They are working fine and trunking the VLANs as they should.

If all the APs are in local mode, you just need switchport access vlan 15 and enable portfast.  Test on one AP and make sure the AP joins and devices connect fine to that AP.  Look at the command that @marce1000 posted to default the interface and make it a host port.

-Scott
*** Please rate helpful posts ***

Understood. Thank you all for your help. I have only begun moving the APs to VLAN 15. They were all set to VLAN 1 before.

@JustinGayheart Before you keep making changes, make sure VLAN 15 is what you want to use.  Sometimes, if you have a large number of access points at a location, you might want to place them on their own subnet.  If you have less than 100, as an example, you can place them in a management subnet if you want.  I tend to try to keep it on its own subnet; the reason is that when using Microsoft DHCP, you can accumulate bad addresses from APs not being able to join the controller.  This is caused by the controller not being up, and that can use up all your DHCP addresses, which is a manual effort to clean up unless you script it to remove the bad addresses.  Always check that you have enough address space on the subnet you choose, or else you will be doing that work all over again.

-Scott
*** Please rate helpful posts ***

Just for my own understanding... since they are in local mode... is there anything wrong with this config:

switchport trunk native vlan 15
switchport trunk allowed vlan 1,3,5,14,15,18,100,161,162,199-204
switchport mode trunk

I do want them to be on the VLAN 15 network.  I had always read that I shouldn't have portfast enabled on access points; is that not the case if they are in local mode?

 

There are recommendations and there are options.  Trunk is an option for you, but then you don't need all the other line items except for portfast.  Switchport vlan 15 and portfast is all you need.  So depending on how you will make the change, either automation, scripts or manual, you have to see what works and the downtime you can get to make the change.  My thing is, make sure you test and you build a standard on what you plan on using.  This way others have visibility and you are not going back and forth changing the port configuration.  Also in the future, that is your standard so it shouldn't change.

-Scott
*** Please rate helpful posts ***
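As an added example (not part of the thread or anyone's posted config), here is a small audit that applies the recipe Scott and marce1000 describe for local-mode APs (access port in the AP VLAN, portfast, DSCP trusted, no trunk) to every interface block of a running-config; the sample config and the AP VLAN of 15 are assumptions matching this thread.

```python
import re
# Constructed sample running-config (not from the thread): one port as recommended, one on the old trunk config, one in the default VLAN
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport access vlan 15
 switchport mode access
 mls qos trust dscp
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 switchport trunk native vlan 15
 switchport trunk allowed vlan 1,3,5,14,15,18,100,161,162,199-204
 switchport mode trunk
!
interface GigabitEthernet1/0/3
 switchport mode access
 spanning-tree portfast
"""
AP_VLAN = 15  # AP management VLAN chosen in the thread; assumed for the sample
ACCESS_VLAN = re.compile(r"switchport access vlan (\d+)")

def parse_interfaces(config):
    # Return {interface name: [indented lines]}; '!' or any top-level line ends a block
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None
    return blocks

def audit_local_mode_ap_port(lines, ap_vlan=AP_VLAN):
    # Thread's recipe for local-mode APs: access port in the AP VLAN, portfast, trust DSCP
    findings = []
    if "switchport mode trunk" in lines:
        findings.append("trunk mode: a local-mode AP only needs an access port")
    vlan = ([int(m[1]) for m in map(ACCESS_VLAN.fullmatch, lines) if m] or [1])[-1]
    if vlan != ap_vlan:  # IOS default access VLAN is 1 when none is configured
        findings.append(f"access vlan {vlan} is not the AP VLAN {ap_vlan}")
    if "spanning-tree portfast" not in lines:
        findings.append("spanning-tree portfast missing")
    if not any(t in lines for t in ("mls qos trust dscp", "auto qos trust")):
        findings.append("DSCP not trusted: QoS markings will be overwritten")
    return findings

def audit_config(config, ap_vlan=AP_VLAN):
    return {n: audit_local_mode_ap_port(l, ap_vlan) for n, l in parse_interfaces(config).items()}
```

Run it over a `show running-config` capture and every port with an empty findings list already matches the standard; the rest are the ports to default and re-apply the config on.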

I think the reason I want to go with that trunk config is because in the future we are moving to Meraki MR46 APs and they require that config as there is no controller... just trying to do the right thing!

I understand, but again, make sure you plan it out for the future and you are not moving APs to different VLANs, etc.  I don't like to plan that far ahead because I tend to test and then come up with a new standard for that device.  You need to make a decision that will work now and not create such a headache in the future.  No matter what, your best bet is to default the port and blast out your config.  How you do that will be up to you, but make sure you are not creating more work than what is needed.

-Scott
*** Please rate helpful posts ***

 

> ...I think the reason I want to go with that trunk config is because in the future we are moving to Meraki MR46 APs and they require that config as there is no controller... just trying to do the right thing!

Well, in that context it is rather important to invoke a correct port migration process too, in the context of the need(s) of the AP model: controller based (CAPWAP) or not (when another wireless solution gets implemented). Do not use trunk links for controller-steered access points; stick to 'host mode' and the correct VLAN.

 M.



-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
   When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

Scott Fella
Hall of Fame

You probably need to look into or compare more port configurations to see what is common between them.  Seems like the ports are trunks with no native VLAN configuration.  This is fine if the APs are in FlexConnect mode, not local mode.  You are also using a macro, so you need to do some digging on what that does.  When taking over a network, you should review the documentation they already have and/or have that conversation with the team to understand what might still be needed and what can be removed.  Like what @marce1000 mentioned, you can just have the port as a host if you are not using FlexConnect mode.

Everyone will have something different, but you can also have the basic few commands.

-Scott
*** Please rate helpful posts ***

Leo Laohoo
Hall of Fame

What is the model of the switch? 

macro name WAP
 description WAP
 switchport mode access
 switchport access vlan $VLAN
 power inline port poe-ha
 power inline port perpetual-poe-ha
 switchport port-security
 switchport port-security maximum 4
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 storm-control broadcast level 5.00
 storm-control multicast level 5.00
 logging event link
 spanning-tree portfast
 cdp enable
 no mls qos trust
 no switchport voice vlan 
 no udld port agg
 no lldp receive
 no lldp transmit
 no shut
@

To invoke the macro (above), enter the command "macro apply WAP $vlan <AP VLAN NUMBER>".

2960
