VLAN Setup on Catalyst APs with EWC and Vlans routed by switch

jeremy0463
Spotlight
I have a Catalyst 9200L and three Catalyst 9115 access points with EWC. I am trying to understand SSID to Vlan setup when the vlans are routed on the switch and the port connected to the AP is a trunk port with the management port as native.

I have used 2504 WLC and 1852 APs before with vlan switching handled by the layer3 switch (trunk port on the switch, management vlan native, additional vlans tagged>>>connected to port on 2504 with interfaces defined in each vlan, and each wlan set to that particular interface.) That works great. As I understand it, the APs create a capwap tunnel over the management vlan (each ap is connected to an access port on that vlan), then the vlans from the switch are trunked to the WLC and the WLC handles the routing to the particular interface.

But EWC seems very different. Since there is no controller appliance on this network, and with the same switch configuration essentially (trunk port with routing handled on the layer3 switch), what is the best way to route wlans to vlans? I have a test wlan setup with policy and tag both setup and I have wireless access to the management vlan. Policies only let me add one vlan per AP.
 
Please help.

Rich R
VIP
- Does the ewc itself handles Vlan routing between wlans instead of it going back to the switch?
No.  The EWC management (on native VLAN) is purely for your SSH/https management access to the EWC and the AP CAPWAP control connection to the EWC WLC.  No client data is switched by the EWC at all.  It is simply bridged/dumped onto the trunked VLAN on the switchport by the AP.
- Can the vlans on the EWC match the vlans on the switch or will that conflict?
They must match or it won't work - the VLAN you configure for each WLAN is what the client traffic will be tagged with on the switchport
- Will traffic between wlan flex connect Vlan and wired Vlan on the 9200 be on the same broadcast domain essentially?
Yes
- can the 9200 still handle the dhcp, acls, etc instead of the ap?
The AP cannot handle it so the 9200 must handle it.
- how does the traffic actually route from the wireless client back on one Vlan to the switch and then to a wireless client on another Vlan if the 9200 handles the routing? In other words, how does flex connect work differently than the 2504 or a 9800 wlc with standard trunk ports in terms of the traffic.
Flex on 9800/EWC/2504 is all the same.  Central switching tunnels client traffic to the WLC over CAPWAP and the WLC bridges it to VLANs connected to the WLC switch port.  With flexconnect local switching all client traffic is simply bridged directly to the VLAN on the AP port, no different to traffic coming from a hardwired client on that VLAN.
-Now my struggle point is assigning particular VLANs in the flex profile to particular WLANs. What am I missing?
That is done in the "wireless profile policy" using the VLAN(s) you defined in the flex profile.  You can just enter the VLAN number/ID, not necessary to use the name.
-I would not need a flex profile in that case then right?
The Flex profile is used to define the VLANs the AP must use and give them names.  You can then use those VLANs for the WLANs.

So then Rich, for the flexconnect configuration, I need to create a wlan profile for each ssid, then a policy profile for each vlan with that vlan assigned in the policy profile, then a policy tag that maps each wlan profile to each of those policy profiles, then each assigned vlan also added to a single flex profile, right?

Yes but not clear what you mean by "then each assigned vlan also added to a single flex profile, right?":
The VLANs for the SSIDs are defined in the flex profile for the AP - a bit like you define VLANs for a router or switch to use.
Have a read through these:
https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213911-understand-catalyst-9800-wireless-contro.html
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/config-guide/newconfigmodel/b_catalyst-9800-configuration-model.html
https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213945-understand-flexconnect-on-9800-wireless.html
https://mrncciew.com/2023/01/21/9800-flexconnect-basics/
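
An added example (not written by any poster in this thread, and not Cisco code): a small Python check of the chain discussed above, that each WLAN in a policy tag maps to a policy profile whose VLAN is defined in the flex profile on the site tag and is carried on the AP trunk. The sample config, its profile names and the `trunk_vlans` set are constructed; treating a missing `no central switching` as a finding is an assumption.

```python
import re

# Constructed sample in the IOS-XE EWC syntax seen in this thread (names are made up).
SAMPLE_CONFIG = """\
wireless profile flex home-flex
 native-vlan-id 10
 vlan-name Users
  vlan-id 40
wireless profile policy user-policy
 no central switching
 vlan 40
wireless profile policy guest-policy
 no central switching
 vlan 50
wireless profile policy mgmt-policy
 vlan 10
wireless tag site home-site
 flex-profile home-flex
wireless tag policy home-tag
 wlan "Home Users" policy user-policy
 wlan "Home Guest" policy guest-policy
 wlan "Home Admin" policy mgmt-policy
"""

HEADER = re.compile(r"wireless (profile flex|profile policy|tag site|tag policy) (\S+)$")
WLAN_MAP = re.compile(r'^wlan ("[^"]+"|\S+) policy (\S+)$', re.M)

def parse_sections(text):
    """Group indented sub-commands under their top-level command; blanks and '!' skipped."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw[0].isspace():
            sections.append((line, []))
        elif sections:
            sections[-1][1].append(line)
    return sections

def build_model(text):
    model = {"flex": {}, "policy": {}, "site": {}, "tag": {}}
    for header, body in parse_sections(text):
        m = HEADER.match(header)
        if not m:
            continue
        kind, name = m.groups()
        if kind == "profile flex":
            flex, pending = {"native": None, "vlans": {}}, None
            for line in body:
                if line.startswith("native-vlan-id "):
                    flex["native"] = int(line.split()[1])
                elif line.startswith("vlan-name "):
                    pending = line.split(None, 1)[1]
                elif line.startswith("vlan-id ") and pending:
                    flex["vlans"][pending] = int(line.split()[1])  # name -> id
                    pending = None
            model["flex"][name] = flex
        elif kind == "profile policy":
            vlan = next((l.split(None, 1)[1] for l in body if l.startswith("vlan ")), None)
            # Assumption: only an explicit 'no central switching' counts as local switching.
            model["policy"][name] = {"vlan": vlan, "local": "no central switching" in body}
        elif kind == "tag site":
            model["site"][name] = next(
                (l.split()[1] for l in body if l.startswith("flex-profile ")), None)
        else:
            model["tag"][name] = [(w.strip('"'), p)
                                  for w, p in WLAN_MAP.findall("\n".join(body))]
    return model

def audit(text, site_tag, policy_tag, trunk_vlans):
    """Return findings for the WLAN -> policy profile -> flex VLAN -> trunk chain."""
    model = build_model(text)
    flex = model["flex"].get(model["site"].get(site_tag))
    if flex is None:
        return [f"site tag {site_tag}: no flex profile attached"]
    findings = []
    for wlan, pol_name in model["tag"].get(policy_tag, []):
        pol = model["policy"].get(pol_name)
        if pol is None:
            findings.append(f"{wlan}: policy profile {pol_name} is not defined")
            continue
        if not pol["local"]:
            findings.append(f"{wlan}: {pol_name} lacks 'no central switching'")
        vlan = pol["vlan"]
        # The policy profile may reference the VLAN by ID or by flex-profile name.
        if vlan is not None and vlan.isdigit():
            vid = int(vlan)
            vid = vid if vid in flex["vlans"].values() or vid == flex["native"] else None
        else:
            vid = flex["vlans"].get(vlan)
        if vid is None:
            findings.append(f"{wlan}: VLAN {vlan} is not defined in the flex profile")
        elif vid == flex["native"]:
            findings.append(f"{wlan}: bridged onto native VLAN {vid} (AP/EWC management)")
        elif vid not in trunk_vlans:
            findings.append(f"{wlan}: VLAN {vid} is not carried on the AP trunk")
    return findings
```

Calling `audit(SAMPLE_CONFIG, "home-site", "home-tag", {10, 40, 50})` returns one finding for the guest WLAN and two for the admin WLAN; a `show run` paste with blank lines between every command parses the same way.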

That is where all of this gets confusing. I don't have a 9800 in place, only the EWC. Most of the documentation for flex connect assumes there is a remote appliance. The only EWC configuration example (https://www.cisco.com/c/en/us/products/collateral/wireless/embedded-wireless-controller-catalyst-access-points/white-paper-c11-743398.html) is really vague on the flex connect part and does not explain how the flexconnect profile relates to the policy profile. I only understood the need for one policy profile for each vlan based on Scott's picture above. Here are some screenshots of what I meant above:

[Eight screenshots attached, taken 2023-12-04 between 5:23 AM and 5:30 AM]

Then I would tag the aps with those profiles. Am I missing anything?

 

>...Most of the documentation for flex connect assumes there is a remote appliance
Since you only do flexconnect the principles remain the same.

>...Then I would tag the aps with those profiles. Am I missing anything?
Not really, try it out; verify controller configuration afterwards with CLI command show tech wireless; feed the output into Wireless Config Analyzer.
Not convinced? Checkout: This is so good (!)

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

Rich R
VIP

Yes when reading the general 9800 guides you just have to remember anything applying to central switching (user traffic switched by WLC) is not relevant in the EWC context because it only supports flex local switching which means all the EWC does is configure the AP.

So Rich, does my configuration look good above? I am really struggling getting this thing working. When I first boot it up, clients connect, but then they just drop out of nowhere, and eventually, connections try to connect and fail. When they do connect, they are in the proper vlan and they have an IP in the DHCP range for that vlan (switch is handling the DHCP). Just frustrating. I defaulted and am reconfiguring. I will post a config for both the EWC and the 9200 switch when I am finished if it fails again so that you guys can take a look. I have done everything major that the Wireless Config Analyzer says to do.

To be honest I do almost everything on CLI so I haven't looked over your config specifically.  I just find it easier to read a few lines of text instead of trying to decipher screenshots <smile>

Maybe post the "show run" config when you're finished configuring along with "show ap tag summ" and "sh wireless client mac-address <aaaa.bbbb.cccc> detail" for one of the connected clients.

I'm learning CLI slowly but surely. I will send you all those things tonight when I get home. Thanks so much!

Here are the CLI outputs Rich:

EMBEDDED WIRELESS CONTROLLER

 

Wed Dec 06 2023 20:02:56 GMT-0600 (Central Standard Time)

===================================================================================

#show run

Building configuration...

Current configuration : 13209 bytes

!

! Last configuration change at 22:34:47 UTC Tue Dec 5 2023 by admin

! NVRAM config last updated at 06:17:33 UTC Wed Dec 6 2023 by admin

!

version 16.12

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

service call-home

no platform punt-keepalive disable-kernel-core

no platform punt-keepalive settings

platform console serial

!

hostname WLAN_Controller

!

boot-start-marker

boot-end-marker

!

!

enable secret 9 

!

aaa new-model

!

!

aaa authentication login default local

!

!

!

!

!

!

aaa session-id common

clock timezone UTC -6 0

no fips authorization-key

call-home

 ! If contact email address in call-home is configured as sch-smart-licensing@cisco.com

 ! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.

 contact-email-addr sch-smart-licensing@cisco.com

 profile "CiscoTAC-1"

  active

  destination transport-method http

  no destination transport-method email

!

!

!

!

ip name-server 208.67.222.222 208.67.220.220

login on-success log

!

!

!

!

!

!

flow exporter default-flow-exporter

 destination local wlc

!

!

flow monitor default-flow-monitor

 exporter default-flow-exporter

 record wireless avc basic

!

!

access-session mac-move deny

password encryption aes

!

crypto pki trustpoint SLA-TrustPoint

 enrollment pkcs12

 revocation-check crl

!

crypto pki trustpoint TP-self-signed-3395605568

 enrollment selfsigned

 subject-name cn=IOS-Self-Signed-Certificate-3395605568

 revocation-check none

 rsakeypair TP-self-signed-3395605568

!

!

crypto pki certificate chain SLA-TrustPoint

 certificate ca 01

  quit

crypto pki certificate chain TP-self-signed-3395605568

 certificate self-signed 01

  quit

!

crypto pki certificate pool

 cabundle nvram:ios_core.p7b

!

service-template webauth-global-inactive

 inactivity-timer 3600 

service-template DEFAULT_LINKSEC_POLICY_MUST_SECURE

 linksec policy must-secure

service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE

 linksec policy should-secure

service-template DEFAULT_CRITICAL_VOICE_TEMPLATE

 voice vlan

service-template DEFAULT_CRITICAL_DATA_TEMPLATE

memory free low-watermark processor 33020

!

license udi pid C9800-AP sn 

device classifier

username admin privilege 15 secret 9 

!

redundancy

 mode sso

!

!

!

!

!

!

!

interface GigabitEthernet0

 description Management Interface

 mac-address 0000.5e00.0101

 ip dhcp client client-id GigabitEthernet0

 ip dhcp client broadcast-flag clear

 ip address 192.168.10.30 255.255.255.0

 no negotiation auto

!

ip http server

ip http authentication local

ip http secure-server

ip http secure-trustpoint CISCO_IDEVID_SUDI

ip http client source-interface GigabitEthernet0

ip forward-protocol nd

ip tftp blocksize 8192

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0 250

ip dns server

!

!

logging trap debugging

!

!

!

!

control-plane

!

banner exec ^C

########################################################################################################

#                                                                                                      #

#      Welcome to the Cisco Catalyst 9800-AP Embedded Wireless Controller command line interface.      #

#                                                                                                      #

# Please see command reference guide for the complete list of supported commands for this release:     #

# https://www.cisco.com/c/en/us/td/docs/wireless/embedded_wireless_controller_configuration_guide.html #

#                                                                                                      #

########################################################################################################

^C

banner login ^CWireless LAN Controller^C

!

line con 0

 exec-timeout 0 0

 stopbits 1

line vty 0

 length 0

 transport input ssh

line vty 1 4

 transport input ssh

line vty 5 15

 transport input ssh

line vty 16 50

!

ntp server 1.ciscome.pool.ntp.org

ntp server 0.ciscome.pool.ntp.org

ntp server 2.ciscome.pool.ntp.org

!

!

!

!

!

wireless aaa policy default-aaa-policy

wireless cts-sxp profile default-sxp-profile

no wireless ipv6 ra wired

wireless management interface GigabitEthernet0

wireless profile airtime-fairness default-atf-policy 0

wireless profile flex default-flex-profile

 description "default flex profile"

 native-vlan-id 10

wireless profile flex lewis-home-flex-profile

 description "Lewis Home Flex Profile"

 native-vlan-id 10

 vlan-name Users

  vlan-id 40

 vlan-name Guests

  vlan-id 50

wireless profile image-download default

 description "default image download profile"

wireless profile mesh default-mesh-profile

 description "default mesh profile"

wireless profile policy user-policy-profile

 autoqos mode fastlane

 no central association

 no central dhcp

 no central switching

 description "User Policy Profile"

 dhcp-tlv-caching

 no exclusionlist

 http-tlv-caching

 service-policy input platinum-up

 service-policy output platinum

 vlan 40

 no shutdown

wireless profile policy guest-policy-profule

 autoqos mode fastlane

 no central association

 no central dhcp

 no central switching

 description "Guest Policy Profile"

 dhcp-tlv-caching

 no exclusionlist

 http-tlv-caching

 service-policy input platinum-up

 service-policy output platinum

 vlan 50

 no shutdown

wireless profile policy default-policy-profile

 autoqos mode fastlane

 no central association

 no central dhcp

 no central switching

 description "default policy profile"

 http-tlv-caching

 ipv4 flow monitor default-flow-monitor input

 ipv4 flow monitor default-flow-monitor output

 service-policy input platinum-up

 service-policy output platinum

 vlan 10

 no shutdown

wireless tag site default-site-tag

 ap-profile lewis-home-ap-profile

 description "Lewis Home Site Tag"

 flex-profile lewis-home-flex-profile

 no local-site

wireless tag policy default-policy-tag

 description "default policy-tag"

wireless tag policy lewis-home-policy-tag

 description "Lewis Home Policy Tag"

 wlan "Lewis Home Guest" policy guest-policy-profule

 wlan "Lewis Home Wireless" policy user-policy-profile

wireless tag rf default-rf-tag

 description "default RF tag"

wireless tag rf lewis-home-rf-tag

 description "Lewis Home RF Tag"

wireless fabric control-plane default-control-plane

wlan "Lewis Home Guest" 2 "Lewis Home Guest Test"

 mdns-sd gateway

 security wpa psk set-key ascii 8 N`EMQ[ZifUTQ\VNNifJLB_[WdSZVBgAAB

 no security wpa akm dot1x

 security wpa akm psk

 wmm require

 no shutdown

wlan "Lewis Home Wireless" 1 "Lewis Home Wireless Test"

 mdns-sd gateway

 security wpa psk set-key ascii 8 HH]QOh\[cDH\EhDCV_DJSeNe[BOLUIAAB

 no security wpa akm dot1x

 security wpa akm psk

 wmm require

 no shutdown

ap dot11 24ghz rf-profile Low_Client_Density_rf_24gh

 coverage data rssi threshold -90

 coverage level 2

 coverage voice rssi threshold -90

 description "pre configured Low Client Density rfprofile for 2.4gh radio"

 high-density rx-sop threshold low

 tx-power v1 threshold -65

 no shutdown

ap dot11 24ghz rf-profile High_Client_Density_rf_24gh

 description "pre configured High Client Density rfprofile for 2.4gh radio"

 high-density rx-sop threshold medium

 rate RATE_11M disable

 rate RATE_12M mandatory

 rate RATE_1M disable

 rate RATE_2M disable

 rate RATE_5_5M disable

 rate RATE_6M disable

 tx-power min 7

 no shutdown

ap dot11 24ghz rf-profile Typical_Client_Density_rf_24gh

 description "pre configured Typical Client Density rfprofile for 2.4gh radio"

 rate RATE_11M disable

 rate RATE_12M mandatory

 rate RATE_1M disable

 rate RATE_2M disable

 rate RATE_5_5M disable

 rate RATE_6M disable

 no shutdown

ap dot11 24ghz rrm channel cleanair-event

ap dot11 24ghz rrm channel cleanair-event rogue-contribution

ap dot11 24ghz edca-parameters fastlane

ap dot11 5ghz rf-profile Low_Client_Density_rf_5gh

 coverage data rssi threshold -90

 coverage level 2

 coverage voice rssi threshold -90

 description "pre configured Low Client Density rfprofile for 5gh radio"

 high-density rx-sop threshold low

 tx-power v1 threshold -60

 no shutdown

ap dot11 5ghz rf-profile High_Client_Density_rf_5gh

 description "pre configured High Client Density rfprofile for 5gh radio"

 high-density rx-sop threshold medium

 rate RATE_6M disable

 rate RATE_9M disable

 tx-power min 7

 tx-power v1 threshold -65

 no shutdown

ap dot11 5ghz rf-profile Typical_Client_Density_rf_5gh

 description "pre configured Typical Density rfprofile for 5gh radio"

 no shutdown

ap dot11 5ghz rrm channel cleanair-event

ap dot11 5ghz rrm channel cleanair-event rogue-contribution

ap dot11 5ghz edca-parameters fastlane

ap country US

ap tag-source-priority 2 source filter

ap tag-source-priority 3 source ap

ap location name Default_Location

 description Default_Location

ap profile default-ap-profile

 description "default ap profile"

 mgmtuser username admin password 8  secret 8 

ap profile lewis-home-ap-profile

 description "Lewis Home AP Profile"

 hyperlocation ble-beacon 0

 hyperlocation ble-beacon 1

 hyperlocation ble-beacon 2

 hyperlocation ble-beacon 3

 hyperlocation ble-beacon 4

ap a49b.cd2a.47e4

 policy-tag lewis-home-policy-tag

 rf-tag lewis-home-rf-tag

ap a49b.cd2a.59fc

 policy-tag lewis-home-policy-tag

 rf-tag lewis-home-rf-tag

end

 

 

 

 

 

 

Wed Dec 06 2023 20:03:59 GMT-0600 (Central Standard Time)

===================================================================================

#sh ap tag summ

Number of APs: 2

AP Name                 AP Mac           Site Tag Name                     Policy Tag Name                   RF Tag Name                       Misconfigured    Tag Source    

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Laundry_Room            a49b.cd2a.47e4   default-site-tag                  lewis-home-policy-tag             lewis-home-rf-tag                 No               Static        

Hallway                 a49b.cd2a.59fc   default-site-tag                  lewis-home-policy-tag             lewis-home-rf-tag                 No               Static

 

 

 

 

 

 

 

Wed Dec 06 2023 20:13:24 GMT-0600 (Central Standard Time)

===================================================================================

#show wireless client mac-address 88E9.FE56.2CFC detail

Client MAC Address : 88e9.fe56.2cfc

Client IPv4 Address : 192.168.41.29

Client IPv6 Addresses : fe80::102a:3381:c8ef:3a94

Client Username: N/A

AP MAC Address : e44e.2d44.3f20

AP Name: Laundry_Room

AP slot : 1

Client State : Associated

Policy Profile : user-policy-profile

Flex Profile : lewis-home-flex-profile

Wireless LAN Id: 1

WLAN Profile Name: Lewis Home Wireless

Wireless LAN Network Name (SSID): Lewis Home Wireless Test

BSSID : e44e.2d44.3f2f

Connected For : 1054 seconds 

Protocol : 802.11ac

Channel : 100

Client IIF-ID : 0x90000009

Association Id : 1

Authentication Algorithm : Open System

Session Timeout : 1800 sec (Remaining time: 746 sec)

Session Warning Time : Timer not running

Input Policy Name  : platinum

Input Policy State : Installed

Input Policy Source : QOS Internal Policy

Output Policy Name  : voice-client-avc

Output Policy State : Installed

Output Policy Source : QOS Internal Policy

WMM Support : Enabled

U-APSD Support : Enabled

  U-APSD value : 0

  APSD ACs    : BK, BE, VI, VO

Fastlane Support : Enabled

Client Active State : Active

Power Save : OFF

Current Rate : m7 ss3

Supported Rates : 9.0,18.0,36.0,48.0,54.0

Mobility:

  Move Count                  : 0

  Mobility Role               : Local

  Mobility Roam Type          : None

  Mobility Complete Timestamp : 12/07/2023 01:55:39 UTC

Client Join Time:

  Join Time Of Client : 12/07/2023 01:55:39 UTC

Policy Manager State: Run

Last Policy Manager State : IP Learn Complete

Client Entry Create Time : 1054 seconds 

Policy Type : WPA2

Encryption Cipher : CCMP (AES)

Authentication Key Management : PSK

AAA override passphrase : No

Encrypted Traffic Analytics : No

Protected Management Frame - 802.11w : No

EAP Type : Not Applicable

VLAN : 40

Multicast VLAN : 0

WFD capable : No

Managed WFD capable : No

Cross Connection capable : No

Support Concurrent Operation : No

Session Manager:

  Point of Attachment : capwap_90000006

  IIF ID             : 0x90000006

  Authorized         : TRUE

  Session timeout    : 1800

  Common Session ID: 000000000000004DFCFC842F

  Acct Session ID  : 0x00000000

  Last Tried Aaa Server Details:

  Server IP : 

  Auth Method Status List

  Method : None

  Local Policies:

  Service Template : wlan_svc_user-policy-profile (priority 254)

  VLAN             : 40

  Absolute-Timer   : 1800

  Server Policies:

  Resultant Policies:

  VLAN Name         : 

  VLAN             : 40

  Absolute-Timer   : 1800

DNS Snooped IPv4 Addresses : None

DNS Snooped IPv6 Addresses : None

Client Capabilities

  CF Pollable : Not implemented

  CF Poll Request : Not implemented

  Short Preamble : Not implemented

  PBCC : Not implemented

  Channel Agility : Not implemented

  Listen Interval : 0

Fast BSS Transition Details :

  Reassociation Timeout : 0

11v BSS Transition : Not implemented

11v DMS Capable : No

QoS Map Capable : No

FlexConnect Data Switching : Local

FlexConnect Dhcp Status : Local

FlexConnect Authentication : Central

FlexConnect Central Association : No

Client Statistics:

  Number of Bytes Received : 11606853

  Number of Bytes Sent : 3220538

  Number of Packets Received : 7352

  Number of Packets Sent : 19559

  Number of Policy Errors : 0

  Radio Signal Strength Indicator : -63 dBm

  Signal to Noise Ratio : 31 dB

Fabric status : Disabled

Client Scan Reports 

Assisted Roaming Neighbor List 

Nearby AP Statistics:

EoGRE : No/Simple client

Device Type      : Apple-Device

Device Name      : APPLE, INC.

Protocol Map     : 0x000009  (OUI, DHCP)

Protocol         : DHCP

Type             : 12   15  

Data             : 0f

00000000  00 0c 00 0b 4a 65 72 65  6d 79 73 2d 4d 42 50      |....Jeremys-MBP |

Type             : 55   16  

Data             : 10

00000000  00 37 00 0c 01 79 03 06  0f 6c 72 77 fc 5f 2c 2e  |.7...y...lrw._,.|

Max Client Protocol Capability: 802.11ac Wave 2

 

 

 

 

 

NETWORK SWITCH

 

 

Wed Dec 06 2023 20:14:50 GMT-0600 (Central Standard Time)

===================================================================================

#show run

Building configuration...

Current configuration : 35211 bytes

!

! Last configuration change at 19:58:31 CST Wed Dec 6 2023 by admin

! NVRAM config last updated at 20:54:49 CST Tue Dec 5 2023 by admin

!

version 17.6

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime

service timestamps log datetime msec localtime

service call-home

platform punt-keepalive disable-kernel-core

!

hostname Network_Switch

!

!

vrf definition Mgmt-vrf

 !

 address-family ipv4

 exit-address-family

 !

 address-family ipv6

 exit-address-family

!

enable secret 9 

!

!

!

!

no aaa new-model

clock timezone CST -6 0

switch 1 provision c9200l-48p-4g

!

!

!

!

vtp mode transparent

!

!

!

!

!

ip routing

!

!

!

!

!

ip name-server 8.8.8.8 1.1.1.1

no ip domain lookup

ip dhcp excluded-address 192.168.10.0 192.168.10.30

ip dhcp excluded-address 192.168.10.50 192.168.10.255

ip dhcp excluded-address 192.168.40.0 192.168.41.0

ip dhcp excluded-address 192.168.41.251 192.168.41.255

ip dhcp excluded-address 192.168.50.0 192.168.50.99

ip dhcp excluded-address 192.168.50.200 192.168.50.255

!

ip dhcp pool Users

 network 192.168.40.0 255.255.254.0

 default-router 192.168.40.1 

 dns-server 8.8.8.8 1.1.1.1 

 lease 7

!

ip dhcp pool WirelessAPS

 network 192.168.10.0 255.255.255.0

 default-router 192.168.10.20 

 dns-server 8.8.8.8 1.1.1.1 

 lease infinite

!

ip dhcp pool Guests

 network 192.168.50.0 255.255.255.0

 default-router 192.168.50.1 

 dns-server 8.8.8.8 1.1.1.1 

 lease infinite

!

!

!

ip arp inspection validate src-mac dst-mac ip 

no ip igmp snooping vlan 40

login on-success log

ipv6 nd raguard policy HOST_POLICY

!

udld enable

!

!

!

crypto pki trustpoint SLA-TrustPoint

 enrollment pkcs12

 revocation-check crl

!

crypto pki trustpoint TP-self-signed-3080461521

 enrollment selfsigned

 subject-name cn=IOS-Self-Signed-Certificate-3080461521

 revocation-check none

 rsakeypair TP-self-signed-3080461521

!

!

crypto pki certificate chain SLA-TrustPoint

 certificate ca 01

  quit

crypto pki certificate chain TP-self-signed-3080461521

 certificate self-signed 01

  quit

!

crypto pki certificate pool

 cabundle nvram:ios_core.p7b

!

!

port-channel load-balance src-dst-ip

license boot level network-advantage addon dna-advantage

!

!

diagnostic bootup level minimal

!

spanning-tree mode rapid-pvst

spanning-tree extend system-id

spanning-tree vlan 40,50,60 priority 4096

spanning-tree vlan 250 priority 20480

memory free low-watermark processor 10633

!

errdisable recovery cause udld

errdisable recovery cause bpduguard

errdisable recovery cause security-violation

errdisable recovery cause channel-misconfig

errdisable recovery cause pagp-flap

errdisable recovery cause dtp-flap

errdisable recovery cause link-flap

errdisable recovery cause sfp-config-mismatch

errdisable recovery cause gbic-invalid

errdisable recovery cause l2ptguard

errdisable recovery cause psecure-violation

errdisable recovery cause port-mode-failure

errdisable recovery cause dhcp-rate-limit

errdisable recovery cause pppoe-ia-rate-limit

errdisable recovery cause mac-limit

errdisable recovery cause storm-control

errdisable recovery cause inline-power

errdisable recovery cause arp-inspection

errdisable recovery cause loopback

errdisable recovery cause psp

errdisable recovery cause mrp-miscabling

errdisable recovery cause loopdetect

username admin privilege 15 secret 9 

!

redundancy

 mode sso

!

!

transceiver type all

 monitoring

!

vlan 8

 name Native

!

vlan 9

 name Blackhole

!

vlan 10

 name Managment

!

vlan 40

 name Users

!

vlan 50

 name Guests

!

vlan 60

 name Voice

!

vlan 70

 name Security

!

vlan 80

 name Video

!

vlan 100

 name Audio

!

vlan 250

 name WAN

!

!

class-map match-any system-cpp-police-ewlc-control

  description EWLC Control 

class-map match-any MULTIMEDIA-STREAMING-QUEUE

 match dscp af31 

 match dscp af32 

 match dscp af33 

class-map match-any system-cpp-police-topology-control

  description Topology control

class-map match-any system-cpp-police-sw-forward

  description Sw forwarding, L2 LVX data packets, LOGGING, Transit Traffic

class-map match-any CONTROL-MGMT-QUEUE

 match dscp cs7 

 match dscp cs6 

 match dscp cs3 

 match dscp cs2 

class-map match-any TRANSACTIONAL-DATA-QUEUE

 match dscp af21 

 match dscp af22 

 match dscp af23 

class-map match-any system-cpp-default

  description EWLC data, Inter FED Traffic 

class-map match-any VIDEO-PRIORITY-QUEUE

 match dscp cs5 

 match dscp cs4 

class-map match-any system-cpp-police-sys-data

  description Openflow, Exception, EGR Exception, NFL Sampled Data, RPF Failed

class-map match-any system-cpp-police-punt-webauth

  description Punt Webauth

class-map match-any BULK-SCAVENGER-DATA-QUEUE

 match dscp af11 

 match dscp af12 

 match dscp af13 

 match dscp cs1 

class-map match-any system-cpp-police-l2lvx-control

  description L2 LVX control packets

class-map match-any system-cpp-police-forus

  description Forus Address resolution and Forus traffic

class-map match-any system-cpp-police-multicast-end-station

  description MCAST END STATION

class-map match-any system-cpp-police-high-rate-app

  description High Rate Applications 

class-map match-any system-cpp-police-multicast

  description MCAST Data

class-map match-any system-cpp-police-l2-control

  description L2 control

class-map match-any system-cpp-police-dot1x-auth

  description DOT1X Auth

class-map match-any system-cpp-police-data

  description ICMP redirect, ICMP_GEN and BROADCAST

class-map match-any MULTIMEDIA-CONFERENCING-QUEUE

 match dscp af41 

 match dscp af42 

 match dscp af43 

class-map match-any system-cpp-police-stackwise-virt-control

  description Stackwise Virtual OOB

class-map match-any non-client-nrt-class

class-map match-any system-cpp-police-routing-control

  description Routing control and Low Latency

class-map match-any system-cpp-police-protocol-snooping

  description Protocol snooping

class-map match-any system-cpp-police-dhcp-snooping

  description DHCP snooping

class-map match-any PRIORITY-QUEUE

 match dscp ef 

class-map match-any system-cpp-police-ios-routing

  description L2 control, Topology control, Routing control, Low Latency

class-map match-any system-cpp-police-system-critical

  description System Critical and Gold Pkt

class-map match-any system-cpp-police-ios-feature

  description ICMPGEN,BROADCAST,ICMP,L2LVXCntrl,ProtoSnoop,PuntWebauth,MCASTData,Transit,DOT1XAuth,Swfwd,LOGGING,L2LVXData,ForusTraffic,ForusARP,McastEndStn,Openflow,Exception,EGRExcption,NflSampled,RpfFailed

!

policy-map 2P6Q3T

 class PRIORITY-QUEUE

  priority level 1

  police rate percent 10

 class VIDEO-PRIORITY-QUEUE

  priority level 2

  police rate percent 20

 class CONTROL-MGMT-QUEUE

  bandwidth remaining percent 10 

  queue-buffers ratio 10

 class MULTIMEDIA-CONFERENCING-QUEUE

  bandwidth remaining percent 10 

  queue-buffers ratio 10

  queue-limit dscp af43 percent 80

  queue-limit dscp af42 percent 90

  queue-limit dscp af41 percent 100

 class MULTIMEDIA-STREAMING-QUEUE

  bandwidth remaining percent 10 

  queue-buffers ratio 10

  queue-limit dscp af33 percent 80

  queue-limit dscp af32 percent 90

  queue-limit dscp af31 percent 100

 class TRANSACTIONAL-DATA-QUEUE

  bandwidth remaining percent 10 

  queue-buffers ratio 10

  queue-limit dscp af23 percent 80

  queue-limit dscp af22 percent 90

  queue-limit dscp af21 percent 100

 class BULK-SCAVENGER-DATA-QUEUE

  bandwidth remaining percent 5 

  queue-buffers ratio 10

  queue-limit dscp values  cs1 af13 percent 80

  queue-limit dscp values  af12 percent 90

  queue-limit dscp values  af11 percent 100

 class class-default

  bandwidth remaining percent 25 

  queue-buffers ratio 25

policy-map system-cpp-policy

!

! 

!

!

!

!

!

!

!

!

!

!

!

!

!

interface GigabitEthernet0/0

 vrf forwarding Mgmt-vrf

 ip address 192.168.10.20 255.255.255.0

!

interface GigabitEthernet1/0/1

 switchport access vlan 40

 switchport mode access

 switchport port-security maximum 11

 switchport port-security violation restrict

 switchport port-security aging time 2

 switchport port-security aging type inactivity

 switchport port-security

 ip arp inspection limit rate 100

 ipv6 nd raguard attach-policy HOST_POLICY

 spanning-tree portfast

 ip verify source

 ip dhcp snooping limit rate 100

!

interface GigabitEthernet1/0/2

 switchport access vlan 40

 switchport mode access

 switchport port-security maximum 11

 switchport port-security violation restrict

 switchport port-security aging time 2

 switchport port-security aging type inactivity

 switchport port-security

 ip arp inspection limit rate 100

 ipv6 nd raguard attach-policy HOST_POLICY

 spanning-tree portfast

 ip verify source

 ip dhcp snooping limit rate 100

!

interface GigabitEthernet1/0/3

 switchport access vlan 40

 switchport mode access

 switchport port-security maximum 11

 switchport port-security violation restrict

 switchport port-security aging time 2

 switchport port-security aging type inactivity

 switchport port-security

 ip arp inspection limit rate 100

 ipv6 nd raguard attach-policy HOST_POLICY

 spanning-tree portfast

 ip verify source

 ip dhcp snooping limit rate 100

!

interface GigabitEthernet1/0/4

 switchport access vlan 40

 switchport mode access

 switchport port-security maximum 11

 switchport port-security violation restrict

 switchport port-security aging time 2

 switchport port-security aging type inactivity

 switchport port-security

 ip arp inspection limit rate 100

 ipv6 nd raguard attach-policy HOST_POLICY

 spanning-tree portfast

 ip verify source

 ip dhcp snooping limit rate 100

!

interface GigabitEthernet1/0/5

 switchport access vlan 40

 switchport mode access

 switchport port-security maximum 11

 switchport port-security violation restrict

 switchport port-security aging time 2

 switchport port-security aging type inactivity

 switchport port-security

 ip arp inspection limit rate 100

 ipv6 nd raguard attach-policy HOST_POLICY

 spanning-tree portfast

 ip verify source

 ip dhcp snooping limit rate 100

!

interface GigabitEthernet1/0/6

 switchport access vlan 40

 switchport mode access

 switchport port-security maximum 11

 switchport port-security violation restrict

 switchport port-security aging time 2

 switchport port-security aging type inactivity

 switchport port-security

 ip arp inspection limit rate 100

 ipv6 nd raguard attach-policy HOST_POLICY

 spanning-tree portfast

 ip verify source

 ip dhcp snooping limit rate 100

!

interface GigabitEthernet1/0/7

 switchport access vlan 40

 switchport mode access

 switchport port-security maximum 11

 switchport port-security violation restrict

 switchport port-security aging time 2

 switchport port-security aging type inactivity

 switchport port-security

 ip arp inspection limit rate 100

 ipv6 nd raguard attach-policy HOST_POLICY

 spanning-tree portfast

 ip verify source

 ip dhcp snooping limit rate 100

!

interface GigabitEthernet1/0/8

 switchport access vlan 40

 switchport mode access

 switchport port-security maximum 11

 switchport port-security violation restrict

 switchport port-security aging time 2

 switchport port-security aging type inactivity

 switchport port-security

 ip arp inspection limit rate 100

 ipv6 nd raguard attach-policy HOST_POLICY

 spanning-tree portfast

 ip verify source

 ip dhcp snooping limit rate 100

!

interface GigabitEthernet1/0/9

 switchport access vlan 40

 switchport mode access

 switchport port-security maximum 11

 switchport port-security violation restrict

 switchport port-security aging time 2

 switchport port-security aging type inactivity

 switchport port-security

 ip arp inspection limit rate 100

 ipv6 nd raguard attach-policy HOST_POLICY

 spanning-tree portfast

 ip verify source

 ip dhcp snooping limit rate 100

!

interface GigabitEthernet1/0/10

 switchport access vlan 40

 switchport mode access

 switchport port-security maximum 11

 switchport port-security violation restrict

 switchport port-security aging time 2

 switchport port-security aging type inactivity

 switchport port-security

 ip arp inspection limit rate 100

 ipv6 nd raguard attach-policy HOST_POLICY

 spanning-tree portfast

 ip verify source

 ip dhcp snooping limit rate 100

!

interface GigabitEthernet1/0/11

 switchport access vlan 40

 switchport mode access

 switchport port-security maximum 11

 switchport port-security violation restrict

 switchport port-security aging time 2

 switchport port-security aging type inactivity

 switchport port-security

 ip arp inspection limit rate 100

 ipv6 nd raguard attach-policy HOST_POLICY

 spanning-tree portfast

 ip verify source

 ip dhcp snooping limit rate 100

!

interface GigabitEthernet1/0/12

 switchport access vlan 40

 switchport mode access

 switchport port-security maximum 11

 switchport port-security violation restrict

 switchport port-security aging time 2

 switchport port-security aging type inactivity

 switchport port-security

 ip arp inspection limit rate 100

 ipv6 nd raguard attach-policy HOST_POLICY

 spanning-tree portfast

 ip verify source

 ip dhcp snooping limit rate 100

!

interface GigabitEthernet1/0/13

 switchport access vlan 40

 switchport mode access

 switchport port-security maximum 11

 switchport port-security violation restrict

 switchport port-security aging time 2

 switchport port-security aging type inactivity

 switchport port-security

 ip arp inspection limit rate 100

 ipv6 nd raguard attach-policy HOST_POLICY

 spanning-tree portfast

 ip verify source

 ip dhcp snooping limit rate 100

!

interface GigabitEthernet1/0/14

 switchport access vlan 40

 switchport mode access

 switchport port-security maximum 11

 switchport port-security violation restrict

 switchport port-security aging time 2

 switchport port-security aging type inactivity

 switchport port-security

 ip arp inspection limit rate 100

 ipv6 nd raguard attach-policy HOST_POLICY

 spanning-tree portfast

 ip verify source

 ip dhcp snooping limit rate 100

!

interface GigabitEthernet1/0/15

 switchport access vlan 40

 switchport mode access

 switchport port-security maximum 11

 switchport port-security violation restrict

 switchport port-security aging time 2

 switchport port-security aging type inactivity

 switchport port-security

 ip arp inspection limit rate 100

 ipv6 nd raguard attach-policy HOST_POLICY

 spanning-tree portfast

 ip verify source

 ip dhcp snooping limit rate 100

!

interface GigabitEthernet1/0/16

 switchport access vlan 40

 switchport mode access

 switchport port-security maximum 11

 switchport port-security violation restrict

 switchport port-security aging time 2

 switchport port-security aging type inactivity

 switchport port-security

 ip arp inspection limit rate 100

 ipv6 nd raguard attach-policy HOST_POLICY

 spanning-tree portfast

 ip verify source

 ip dhcp snooping limit rate 100

!

interface GigabitEthernet1/0/17

 switchport access vlan 40

 switchport mode access

 switchport port-security maximum 11

 switchport port-security violation restrict

 switchport port-security aging time 2

 switchport port-security aging type inactivity

 switchport port-security

 ip arp inspection limit rate 100

 ipv6 nd raguard attach-policy HOST_POLICY

 spanning-tree portfast

 ip verify source

 ip dhcp snooping limit rate 100

!

interface GigabitEthernet1/0/18

 switchport access vlan 40

 switchport mode access

 switchport port-security maximum 11

 switchport port-security violation restrict

 switchport port-security aging time 2

 switchport port-security aging type inactivity

 switchport port-security

 ip arp inspection limit rate 100

 ipv6 nd raguard attach-policy HOST_POLICY

 spanning-tree portfast

 ip verify source

 ip dhcp snooping limit rate 100

!

interface GigabitEthernet1/0/19

 switchport access vlan 40

 switchport mode access

 switchport port-security maximum 11

 switchport port-security violation restrict

 switchport port-security aging time 2

 switchport port-security aging type inactivity

 switchport port-security

 ip arp inspection limit rate 100

 ipv6 nd raguard attach-policy HOST_POLICY

 spanning-tree portfast

 ip verify source

 ip dhcp snooping limit rate 100

!

interface GigabitEthernet1/0/20

 switchport access vlan 40

 switchport mode access

 switchport port-security maximum 11

 switchport port-security violation restrict

 switchport port-security aging time 2

 switchport port-security aging type inactivity

 switchport port-security

 ip arp inspection limit rate 100

 ipv6 nd raguard attach-policy HOST_POLICY

 spanning-tree portfast

 ip verify source

 ip dhcp snooping limit rate 100

!

interface GigabitEthernet1/0/21

 switchport access vlan 40

 switchport mode access

 switchport port-security maximum 11

 switchport port-security violation restrict

 switchport port-security aging time 2

 switchport port-security aging type inactivity

 switchport port-security

 ip arp inspection limit rate 100

 ipv6 nd raguard attach-policy HOST_POLICY

 spanning-tree portfast

 ip verify source

 ip dhcp snooping limit rate 100

!

interface GigabitEthernet1/0/22

 switchport access vlan 40

 switchport mode access

 switchport port-security maximum 11

 switchport port-security violation restrict

 switchport port-security aging time 2

 switchport port-security aging type inactivity

 switchport port-security

 ip arp inspection limit rate 100

 ipv6 nd raguard attach-policy HOST_POLICY

 spanning-tree portfast

 ip verify source

 ip dhcp snooping limit rate 100

!

interface GigabitEthernet1/0/23

 switchport access vlan 40

 switchport mode access

 switchport port-security maximum 11

 switchport port-security violation restrict

 switchport port-security aging time 2

 switchport port-security aging type inactivity

 switchport port-security

 ip arp inspection limit rate 100

 ipv6 nd raguard attach-policy HOST_POLICY

 spanning-tree portfast

 ip verify source

 ip dhcp snooping limit rate 100

!

interface GigabitEthernet1/0/24

 switchport access vlan 40

 switchport mode access

 switchport port-security maximum 11

 switchport port-security violation restrict

 switchport port-security aging time 2

 switchport port-security aging type inactivity

 switchport port-security

 ip arp inspection limit rate 100

 ipv6 nd raguard attach-policy HOST_POLICY

 spanning-tree portfast

 ip verify source

 ip dhcp snooping limit rate 100

!

interface GigabitEthernet1/0/25

 switchport access vlan 40

 switchport mode access

 switchport port-security maximum 11

 switchport port-security violation restrict

 switchport port-security aging time 2

 switchport port-security aging type inactivity

 switchport port-security

 ip arp inspection limit rate 100

 ipv6 nd raguard attach-policy HOST_POLICY

 spanning-tree portfast

 ip verify source

 ip dhcp snooping limit rate 100

!

interface GigabitEthernet1/0/26

 switchport access vlan 40

 switchport mode access

 switchport port-security maximum 11

 switchport port-security violation restrict

 switchport port-security aging time 2

 switchport port-security aging type inactivity

 switchport port-security

 ip arp inspection limit rate 100

 ipv6 nd raguard attach-policy HOST_POLICY

 spanning-tree portfast

 ip verify source

 ip dhcp snooping limit rate 100

!

interface GigabitEthernet1/0/27

 switchport access vlan 40

 switchport mode access

 switchport port-security maximum 11

 switchport port-security violation restrict

 switchport port-security aging time 2

 switchport port-security aging type inactivity

 switchport port-security

 ip arp inspection limit rate 100

 ipv6 nd raguard attach-policy HOST_POLICY

 spanning-tree portfast

 ip verify source

 ip dhcp snooping limit rate 100

!

interface GigabitEthernet1/0/28

 switchport access vlan 40

 switchport mode access

 switchport port-security maximum 11

 switchport port-security violation restrict

 switchport port-security aging time 2

 switchport port-security aging type inactivity

 switchport port-security

 ip arp inspection limit rate 100

 ipv6 nd raguard attach-policy HOST_POLICY

 spanning-tree portfast

 ip verify source

 ip dhcp snooping limit rate 100

!

interface GigabitEthernet1/0/29

 switchport access vlan 40

 switchport mode access

 switchport port-security maximum 11

 switchport port-security violation restrict

 switchport port-security aging time 2

 switchport port-security aging type inactivity

 switchport port-security

 ip arp inspection limit rate 100

 ipv6 nd raguard attach-policy HOST_POLICY

 spanning-tree portfast

 ip verify source

 ip dhcp snooping limit rate 100

!

interface GigabitEthernet1/0/30

 switchport access vlan 40

 switchport mode access

 switchport port-security maximum 11

 switchport port-security violation restrict

 switchport port-security aging time 2

 switchport port-security aging type inactivity

 switchport port-security

 ip arp inspection limit rate 100

 ipv6 nd raguard attach-policy HOST_POLICY

 spanning-tree portfast

 ip verify source

 ip dhcp snooping limit rate 100

!

interface GigabitEthernet1/0/31

 switchport access vlan 40

 switchport mode access

 switchport port-security maximum 11

 switchport port-security violation restrict

 switchport port-security aging time 2

 switchport port-security aging type inactivity

 switchport port-security

 ip arp inspection limit rate 100

 ipv6 nd raguard attach-policy HOST_POLICY

 spanning-tree portfast

 ip verify source

 ip dhcp snooping limit rate 100

!

interface GigabitEthernet1/0/32

 switchport access vlan 40

 switchport mode access

 switchport port-security maximum 11

 switchport port-security violation restrict

 switchport port-security aging time 2

 switchport port-security aging type inactivity

 switchport port-security

 ip arp inspection limit rate 100

 ipv6 nd raguard attach-policy HOST_POLICY

 spanning-tree portfast

 ip verify source

 ip dhcp snooping limit rate 100

!

interface GigabitEthernet1/0/33

 switchport access vlan 40

 switchport mode access

 switchport port-security maximum 11

 switchport port-security violation restrict

 switchport port-security aging time 2

 switchport port-security aging type inactivity

 switchport port-security

 ip arp inspection limit rate 100

 ipv6 nd raguard attach-policy HOST_POLICY

 spanning-tree portfast

 ip verify source

 ip dhcp snooping limit rate 100

!

interface GigabitEthernet1/0/34

 switchport access vlan 40

 switchport mode access

 switchport port-security maximum 11

 switchport port-security violation restrict

 switchport port-security aging time 2

 switchport port-security aging type inactivity

 switchport port-security

 ip arp inspection limit rate 100

 ipv6 nd raguard attach-policy HOST_POLICY

 spanning-tree portfast

 ip verify source

 ip dhcp snooping limit rate 100

!

interface GigabitEthernet1/0/35

 switchport access vlan 40

 switchport mode access

 switchport port-security maximum 11

 switchport port-security violation restrict

 switchport port-security aging time 2

 switchport port-security aging type inactivity

 switchport port-security

 ip arp inspection limit rate 100

 ipv6 nd raguard attach-policy HOST_POLICY

 spanning-tree portfast

 ip verify source

 ip dhcp snooping limit rate 100

!

interface GigabitEthernet1/0/36

 switchport access vlan 40

 switchport mode access

 switchport port-security maximum 11

 switchport port-security violation restrict

 switchport port-security aging time 2

 switchport port-security aging type inactivity

 switchport port-security

 ip arp inspection limit rate 100

 ipv6 nd raguard attach-policy HOST_POLICY

 spanning-tree portfast

 ip verify source

 ip dhcp snooping limit rate 100

!

interface GigabitEthernet1/0/37

 switchport access vlan 40

 switchport mode access

 switchport port-security maximum 11

 switchport port-security violation restrict

 switchport port-security aging time 2

 switchport port-security aging type inactivity

 switchport port-security

 ip arp inspection limit rate 100

 ipv6 nd raguard attach-policy HOST_POLICY

 spanning-tree portfast

 ip verify source

 ip dhcp snooping limit rate 100

!

interface GigabitEthernet1/0/38

 switchport access vlan 40

 switchport mode access

 switchport port-security maximum 11

 switchport port-security violation restrict

 switchport port-security aging time 2

 switchport port-security aging type inactivity

 switchport port-security

 ip arp inspection limit rate 100

 ipv6 nd raguard attach-policy HOST_POLICY

 spanning-tree portfast

 ip verify source

 ip dhcp snooping limit rate 100

!

interface GigabitEthernet1/0/39

 switchport access vlan 40

 switchport mode access

 switchport port-security maximum 11

 switchport port-security violation restrict

 switchport port-security aging time 2

 switchport port-security aging type inactivity

 switchport port-security

 ip arp inspection limit rate 100

 ipv6 nd raguard attach-policy HOST_POLICY

 spanning-tree portfast

 ip verify source

 ip dhcp snooping limit rate 100

!

interface GigabitEthernet1/0/40

 switchport access vlan 40

 switchport mode access

 switchport port-security maximum 11

 switchport port-security violation restrict

 switchport port-security aging time 2

 switchport port-security aging type inactivity

 switchport port-security

 ip arp inspection limit rate 100

 ipv6 nd raguard attach-policy HOST_POLICY

 spanning-tree portfast

 ip verify source

 ip dhcp snooping limit rate 100

!

interface GigabitEthernet1/0/41

 switchport access vlan 40

 switchport mode access

 switchport port-security maximum 11

 switchport port-security violation restrict

 switchport port-security aging time 2

 switchport port-security aging type inactivity

 switchport port-security

 ip arp inspection limit rate 100

 ipv6 nd raguard attach-policy HOST_POLICY

 spanning-tree portfast

 ip verify source

 ip dhcp snooping limit rate 100

!

interface GigabitEthernet1/0/42

 switchport access vlan 40

 switchport mode access

 switchport port-security maximum 11

 switchport port-security violation restrict

 switchport port-security aging time 2

 switchport port-security aging type inactivity

 switchport port-security

 ip arp inspection limit rate 100

 ipv6 nd raguard attach-policy HOST_POLICY

 spanning-tree portfast

 ip verify source

 ip dhcp snooping limit rate 100

!

interface GigabitEthernet1/0/43

 description Laundry Room Wireless Access Point

 switchport trunk native vlan 10

 switchport trunk allowed vlan 10,40,50,60,70,80,100

 switchport mode trunk

 switchport port-security maximum 11

 switchport port-security violation restrict

 switchport port-security aging time 2

 switchport port-security aging type inactivity

 switchport port-security

 ip arp inspection limit rate 100

 ipv6 nd raguard attach-policy HOST_POLICY

 spanning-tree portfast disable

 ip verify source

 ip dhcp snooping limit rate 100

!

interface GigabitEthernet1/0/44

 switchport access vlan 40

 switchport mode access

 switchport port-security maximum 11

 switchport port-security violation restrict

 switchport port-security aging time 2

 switchport port-security aging type inactivity

 switchport port-security

 ip arp inspection limit rate 100

 ipv6 nd raguard attach-policy HOST_POLICY

 spanning-tree portfast

 ip verify source

 ip dhcp snooping limit rate 100

!

interface GigabitEthernet1/0/45

 description Hallway Wireless Access Point

 switchport trunk native vlan 10

 switchport trunk allowed vlan 10,40,50,60,70,80,100

 switchport mode trunk

 switchport port-security maximum 11

 switchport port-security violation restrict

 switchport port-security aging time 2

 switchport port-security aging type inactivity

 switchport port-security

 ip arp inspection limit rate 100

 ipv6 nd raguard attach-policy HOST_POLICY

 spanning-tree portfast disable

 ip verify source

 ip dhcp snooping limit rate 100

!

interface GigabitEthernet1/0/46

 switchport access vlan 40

 switchport mode access

 switchport port-security maximum 11

 switchport port-security violation restrict

 switchport port-security aging time 2

 switchport port-security aging type inactivity

 switchport port-security

 ip arp inspection limit rate 100

 ipv6 nd raguard attach-policy HOST_POLICY

 spanning-tree portfast

 ip verify source

 ip dhcp snooping limit rate 100

!

interface GigabitEthernet1/0/47

 description Management Interface

 switchport access vlan 10

 switchport mode access

 switchport port-security maximum 11

 switchport port-security violation restrict

 switchport port-security aging time 2

 switchport port-security aging type inactivity

 switchport port-security

 ip arp inspection limit rate 100

 ipv6 nd raguard attach-policy HOST_POLICY

 spanning-tree portfast

 ip verify source

 ip dhcp snooping limit rate 100

!

interface GigabitEthernet1/0/48

 switchport access vlan 40

 switchport mode access

 switchport port-security maximum 11

 switchport port-security violation restrict

 switchport port-security aging time 2

 switchport port-security aging type inactivity

 switchport port-security

 ip arp inspection limit rate 100

 ipv6 nd raguard attach-policy HOST_POLICY

 spanning-tree portfast

 ip verify source

 ip dhcp snooping limit rate 100

!

interface GigabitEthernet1/1/1

 description Link to Edge Router

 switchport access vlan 250

 switchport trunk native vlan 8

 switchport mode access

 ip arp inspection trust

 logging event trunk-status

 load-interval 30

 spanning-tree portfast disable

 ip dhcp snooping trust

!

interface GigabitEthernet1/1/2

 switchport trunk allowed vlan 40,60

 switchport mode trunk

 ip arp inspection trust

 logging event trunk-status

 load-interval 30

 ip dhcp snooping trust

!

interface GigabitEthernet1/1/3

 switchport trunk allowed vlan 40,60

 switchport mode trunk

 ip arp inspection trust

 logging event trunk-status

 load-interval 30

 ip dhcp snooping trust

!

interface GigabitEthernet1/1/4

 switchport trunk allowed vlan 40,60

 switchport mode trunk

 ip arp inspection trust

 logging event trunk-status

 load-interval 30

 ip dhcp snooping trust

!

interface Vlan1

 no ip address

 shutdown

!

interface Vlan8

 description Native

 ip address 192.168.8.1 255.255.255.0

!

interface Vlan9

 description Blackhole

 ip address 192.168.9.1 255.255.255.0

!

interface Vlan10

 description Management

 ip address 192.168.10.20 255.255.255.0

!

interface Vlan40

 description Users

 ip address 192.168.40.1 255.255.254.0

!

interface Vlan50

 description Guests

 ip address 192.168.50.1 255.255.255.0

!

interface Vlan60

 description Voice

 ip address 192.168.60.1 255.255.255.0

!

interface Vlan70

 description Security

 ip address 192.168.70.1 255.255.255.0

!

interface Vlan80

 description Video

 ip address 192.168.80.1 255.255.255.0

!

interface Vlan100

 description Audio

 ip address 192.168.100.1 255.255.255.0

!

interface Vlan250

 description WAN

 ip address 192.168.250.1 255.255.255.0

!

router ospf 1

!

ip default-gateway 192.168.250.10

ip forward-protocol nd

ip http server

ip http authentication local

ip http secure-server

ip route 0.0.0.0 0.0.0.0 192.168.250.10

ip ssh time-out 60

ip ssh version 2

ip scp server enable

!

!

!

!

!

!

!

control-plane

 service-policy input system-cpp-policy

!

banner login ^CNetwork Switch^C

!

line con 0

 exec-timeout 0 0

 stopbits 1

line aux 0

line vty 0 4

 login local

 length 0

 transport input telnet

 transport output telnet

line vty 5 15

 login local

 length 0

 transport input telnet

 transport output telnet

!

call-home

 ! If contact email address in call-home is configured as sch-smart-licensing@cisco.com

 ! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.

 contact-email-addr sch-smart-licensing@cisco.com

 profile "CiscoTAC-1"

  active

  destination transport-method http

!

!

!

!

!

!

end

OK, one thing to note after reconfiguration: the primary access point seems to work just fine. I’m able to connect to it every time when I’m right beside it. If I walk over to the other access point, so that I connect to it, it spins and spins and spins, and never gets an IP address. Then I walked back to the primary access point, and I connect right away. Maybe that’s a clue.

Can you do a "show ap name Laundry_Room tag detail" and "show ap name Hallway tag detail" just to see all of the tag config on the APs?

At a glance I don't see any obvious issue.

I'm surprised you've disabled spanning-tree portfast on the AP switch ports - you're sure there's no vlan blocking happening there?  We use:
spanning-tree portfast trunk
spanning-tree portfast edge trunk
spanning-tree bpdufilter enable
spanning-tree bpduguard disable
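
The check raised in the reply above, as an added example (not code from the thread or from Cisco): a small Python audit that reads a pasted running-config and, for each trunk port, reports the portfast state, any allowed VLAN missing from the VLAN database, and a native VLAN left out of the allowed list. The function names and the Gi1/0/99 stanza are assumptions made for the example; the Gi1/0/43 stanza is excerpted from the config posted earlier.

```python
import re

# Excerpt of the switch config posted in the thread: its ten VLANs condensed
# onto one "vlan" line, and one AP port. Gi1/0/99 is CONSTRUCTED for contrast.
SAMPLE_CONFIG = """\
vlan 8-10,40,50,60,70,80,100,250
!
interface GigabitEthernet1/0/43
 description Laundry Room Wireless Access Point
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,40,50,60,70,80,100
 switchport mode trunk
 spanning-tree portfast disable
!
interface GigabitEthernet1/0/99
 description CONSTRUCTED port, not from the thread
 switchport trunk native vlan 10
 switchport trunk allowed vlan 40-41,50
 switchport mode trunk
 spanning-tree portfast trunk
!
"""


def expand_vlans(spec):
    """Expand an IOS VLAN list such as '10,40-42' into a set of ints."""
    vlans = set()
    for part in filter(None, (p.strip() for p in spec.split(","))):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_config(text):
    """Return (defined_vlans, {interface_name: [stanza lines]})."""
    defined, interfaces, current = set(), {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue                      # tolerate blank lines from forum pastes
        if line.startswith(" "):          # indented: belongs to the open stanza
            if current is not None:
                current.append(line.strip())
            continue
        current = None                    # any top-level line closes the stanza
        m = re.match(r"vlan ([\d,\-]+)$", line)
        if m:
            defined |= expand_vlans(m.group(1))
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = interfaces.setdefault(m.group(1), [])
    return defined, interfaces


def portfast_state(lines):
    """Classify the spanning-tree portfast setting of one interface stanza."""
    for l in lines:
        if l.startswith("spanning-tree portfast"):
            words = l.split()[2:]
            if "disable" in words:
                return "disabled"
            # Without the 'trunk' keyword, portfast only applies to access ports.
            return "trunk" if "trunk" in words else "access-only"
    return "default"


def audit_trunks(text):
    """Return {interface: [findings]} for every port in trunk mode."""
    defined, interfaces = parse_config(text)
    report = {}
    for name, lines in interfaces.items():
        if "switchport mode trunk" not in lines:
            continue
        native, allowed = 1, None         # IOS defaults: native 1, all VLANs allowed
        for l in lines:
            m = re.match(r"switchport trunk native vlan (\d+)$", l)
            if m:
                native = int(m.group(1))
            m = re.match(r"switchport trunk allowed vlan (?:add )?([\d,\-]+)$", l)
            if m:
                allowed = (allowed or set()) | expand_vlans(m.group(1))
        findings = []
        state = portfast_state(lines)
        if state != "trunk":
            findings.append(f"STP: portfast is '{state}', so the port is not an "
                            "edge trunk and waits for STP before forwarding")
        if allowed is not None:
            missing = sorted(allowed - defined)
            if missing:
                findings.append(f"VLAN: allowed but not defined on the switch: {missing}")
            if native not in allowed:
                findings.append(f"NATIVE: native VLAN {native} is not in the allowed "
                                "list, so untagged AP traffic is dropped")
        report[name] = findings
    return report


if __name__ == "__main__":
    for port, findings in audit_trunks(SAMPLE_CONFIG).items():
        print(port, findings or "no findings")
```

The parser skips blank lines, so a config pasted with a blank line between every command can be passed in unchanged.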

Let me check those. I just rebooted the switch and the access points powered up differently so that the hallway became the active EWC this time. Now devices will connect to it just fine and not the other access point. It seems like even though both access points are broadcasting, only the active one works.

Thu Dec 07 2023 20:51:35 GMT-0600 (Central Standard Time)

===================================================================================

#show ap name Laundry_Room tag detail

AP Name            : Laundry_Room

AP Mac             : a49b.cd2a.47e4

Tag Type             Tag Name

-----------------------------

Policy Tag           lewis-home-policy-tag

RF Tag               lewis-home-rf-tag

Site Tag             default-site-tag

Policy tag mapping

------------------

WLAN Profile Name                Policy Name                      VLAN                             Flex Central Switching           IPv4 ACL                         IPv6 ACL

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Lewis Home Guest                 guest-policy-profule             NA                               DISABLED                         Not Configured                   Not Configured                  

Lewis Home Wireless              user-policy-profile              NA                               DISABLED                         Not Configured                   Not Configured                  

Site tag mapping

----------------

Flex Profile         : lewis-home-flex-profile

AP Profile           : lewis-home-ap-profile

Local-site           : No

RF tag mapping

--------------

5ghz RF Policy       : Global Config

2.4ghz RF Policy     : Global Config


Thu Dec 07 2023 20:52:24 GMT-0600 (Central Standard Time)

===================================================================================

#show ap name Hallway tag detail

AP Name            : Hallway

AP Mac             : a49b.cd2a.59fc

Tag Type             Tag Name

-----------------------------

Policy Tag           lewis-home-policy-tag

RF Tag               lewis-home-rf-tag

Site Tag             default-site-tag

Policy tag mapping

------------------

WLAN Profile Name                Policy Name                      VLAN                             Flex Central Switching           IPv4 ACL                         IPv6 ACL

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Lewis Home Guest                 guest-policy-profule             NA                               DISABLED                         Not Configured                   Not Configured                  

Lewis Home Wireless              user-policy-profile              NA                               DISABLED                         Not Configured                   Not Configured                  

Site tag mapping

----------------

Flex Profile         : lewis-home-flex-profile

AP Profile           : lewis-home-ap-profile

Local-site           : No

RF tag mapping

--------------

5ghz RF Policy       : Global Config

2.4ghz RF Policy     : Global Config
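One way to compare the two `show ap name ... tag detail` outputs above field by field instead of by eye (an added example, not part of the original posts; the trimmed sample text is constructed from the output in this thread, and `MISMATCH` with its `other-profile` value is hypothetical):

```python
import re

# Constructed sample: trimmed from the two outputs posted in this thread.
LAUNDRY = """\
AP Name            : Laundry_Room
Policy Tag           lewis-home-policy-tag
RF Tag               lewis-home-rf-tag
Site Tag             default-site-tag
WLAN Profile Name      Policy Name            VLAN   Flex Central Switching
Lewis Home Guest       guest-policy-profule   NA     DISABLED
Lewis Home Wireless    user-policy-profile    NA     DISABLED
Flex Profile         : lewis-home-flex-profile
Local-site           : No
"""
HALLWAY = LAUNDRY.replace("Laundry_Room", "Hallway")
# Hypothetical variant: one WLAN mapped to a different policy profile.
MISMATCH = HALLWAY.replace("user-policy-profile", "other-profile")

def parse_tag_detail(text):
    """Return {'fields': {...}, 'wlans': {wlan: {column: value}}}."""
    fields, wlans, header = {}, {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or set(line) == {"-"}:      # blank lines and rulers
            continue
        kv = re.match(r"^(\S.*?)\s+:\s+(.*)$", line)
        if kv:                                  # "Flex Profile : name"
            fields[kv.group(1)] = kv.group(2)
            continue
        cols = re.split(r"\s{2,}", line)        # columns are 2+ spaces apart
        if cols[0] == "WLAN Profile Name":
            header = cols
        elif header and len(cols) == len(header):
            wlans[cols[0]] = dict(zip(header[1:], cols[1:]))
        elif len(cols) == 2 and cols[0].endswith(" Tag"):
            fields[cols[0]] = cols[1]           # "Policy Tag   name"
    return {"fields": fields, "wlans": wlans}

def diff_aps(a, b, ignore=("AP Name", "AP Mac")):
    """List (item, value_a, value_b) for every setting that differs."""
    out = []
    fa, fb = a["fields"], b["fields"]
    for k in sorted(set(fa) | set(fb)):
        if k not in ignore and fa.get(k) != fb.get(k):
            out.append((k, fa.get(k), fb.get(k)))
    for w in sorted(set(a["wlans"]) | set(b["wlans"])):
        if a["wlans"].get(w) != b["wlans"].get(w):
            out.append((w, a["wlans"].get(w), b["wlans"].get(w)))
    return out

if __name__ == "__main__":
    print(diff_aps(parse_tag_detail(LAUNDRY), parse_tag_detail(HALLWAY)))
```

An empty list means both APs carry the same tags, WLAN-to-policy mappings and flex profile, so the difference in behaviour has to come from somewhere other than the tag assignment.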

 

  -  Validate the tag configuration using the following command:  # wireless config validate

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '