Hardware Specification and Requirements

Mesh Access Points should be configured with bridge mode. Access points in a mesh network operate in one of the following two ways.

1. Root Access Points (RAP)
2. Mesh Access Points (MAP)

Access Points can be order as a Mesh mode or can be converted from the local mode to Mesh Mode. To use access point as a root access point, you must reconfigure the mesh access points.
While the RAPs have wired connections to their controller, MAPs have wireless connections to their controller via the RAP or another MAP. MAPs communicate among themselves and back to the RAP using wireless connections over the 802.11a/n/ac/ax radio backhaul. MAPs use the Cisco Adaptive Wireless Path Protocol (AWPP) to determine the best path through the other mesh access points to the controller.

End-to-end security within the mesh network is supported by employing Advanced Encryption Standard (AES) encryption between the wireless mesh access points and Wi-Fi Protected Access 2 (WPA2) and WPA3 clients. A mesh access point establishes AWPP link with a parent Mesh AP which is already connected to the Controller before starting CAPWAP discovery.

By default, RAP or MAP does not generate Bridge Protocol Data Unit (BPDU) itself. However, the RAP or MAP forwards the BPDU to upstream devices if the RAP or MAP received the BPDU from its connected wired or wireless interface across the network.

Mesh Supported Feature

Mesh Unsupported Feature

• Serial backhaul AP support with separate backhaul radios for uplink and downlink.
• Public Safety channels (4.9-GHz band) support.
• Passive Beaconing (Anti-Stranding) 

Common Use Case

 

Configuration

Mac Authorization list configuration
• aaa authorization credential-download <method_list_name> group radius <radius_server_group_name>

Creating Mesh Profile and map authorization list

• wireless profile mesh <mesh_profile_name>
• method authorization <method_list_name>

AP joins controller as Local mode or Mesh mode. Change AP mode to bridge mode and role to mesh/root Change AP mode from local mode to bridge.

 

• ap name <ap_name> mode bridge

 

Change AP role either Mesh or Root AP

• ap name ap_name role <mesh-ap/root-ap>

Subset Channel Synchronization enable controller to send all connected RAPs channel to MAPs to enable faster

convergence. Specify the Backhaul Slot for the Root AP
• ap name <RAP_name> mesh backhaul radio dot11 <24ghz/5ghz> <slot slot-id>

 

Wireless SDA Overview

 

• In SDA deployments, client traffic is sent over an overlay network that is managed by LISP (Location/ID Separation Protocol) control plane.

• Then overlay wired clients are sending native traffic to FE (normal 802.3 frames).

• In Wireless SDA deployments, APs are extension of the fabric. It means that APs are allowed to

  encapsulate/decapsulate wireless client traffic in VxLAN and exchange these with FE.

• On data plane side, wireless client traffic is encapsulated in VxLAN and tunneled to FE.

• FE has a specific interface called Access Tunnel which will take care of VxLAN processing.

 

SDA Mesh

• Every Mesh AP is a fabric AP. It means that every MAP located behind a RAP (Root AP) will have a corresponding access tunnel on RAP FE.

• Each MAP is a fabric AP and thus encapsulates client traffic in VxLAN and tunnels this traffic towards FE.

• MAP AP will have an access tunnel plumbed on FE and will be able to encapsulate client traffic toward this tunnel without any change in infrastructure device (HW or SW). FE will create an access tunnel for

  the MAP as it would have done it for any other fabric AP.

• The challenges in SDA mesh deployment is mesh is dynamic. The link between MAP (Mesh AP) and

  parent is wireless so can be unstable or impacted by RF conditions. That’s why a MAP can “roam” to a new parent and this without breaking the session with the WLC (CAPWAP). So, the real challenge of supporting Mesh in SDA deployment is to manage MAP roaming events to limit the traffic loss/latency.

• Mesh COS AP shall be configurable as fabric AP (no IOS AP support).

• Mesh Fabric AP shall keep wireless client connection during a mesh wireless uplink update (mesh roam).

• Mesh Fabric AP, after a successful roam, shall be able to reestablish VxLAN traffic with limited traffic

  impact.

• Mesh Fabric AP shall be able to roam to an AP of the same fabric (Intra-fabric).

• Mesh SDA solution shall be able to forward wireless client traffic with an MTU of 1500 bytes. 

 

SDA Mesh Topology

 

 

 

Show Commands on Controller

• show fabric ap summary

• show wireless fabric client summary

• show wireless stats fabric control-plane all

• show wireless mesh ap tree

• show wireless mesh ap fabric summary

• show ap name <name> mesh roam history 

Show Commands on Access Points

• show mesh adjacency all

Show Commands on SDA Switch

• show lisp all instance-id * ethernet database

• show lisp all instance-id * ipv4 database

References

• https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-13/config-guide/b_wl_17_13_cg/m_mesh_ewlc.html
• https://docs.cisco.com/doclite/ui/#/library/6b27c75a-ebf7-40f7-845a-cff6c6a6f6e7

 

RLAN Solution Overview

A Remote LAN (RLAN) is used for authenticating wired clients using the controller. Once the wired client successfully joins the controller, the LAN ports can switch the traffic between central or local switching mode as per configuration. The traffic from wired client is treated as wireless client traffic by adding wireless header.

The RLAN module in AP will send the authentication/association requests for the wired client to get authenticated. The authentication of wired client through RLAN is like wireless client. RLAN uses slot 2 for configuration and control messages between the AP and WLC when you enable the OfficeExtend mode for an access point DTLS data encryption

RLAN over SDA(Fabric)–. This feature should add functionality to route traffic via VxLAN tunnel.

Controller Workflow: Controller will authenticate the client like any other local mode client. It will send client registration to map server after client is authenticated and reached mobility complete state.
To enable fabric configuration for RLAN clients, we need to configure the vnid and sgt tag information for rlan policy in addition to the existing configuration. We plan to reuse fabric policy configuration for wireless clients for rlan clients by providing a knob to configure fabric policy profile under rlan policy configuration. This information should be pushed to AP.

AP Workflow: Ap flow is same as local mode of RLAN.

 Authentication Methods

• Open auth

• Local auth

• 802.1x auth

• Mac Filtering

• WebAuth

• RLAN Authentication Fallback

  • From 802.1X to MAC authenecation bypass (MAB) and vice versa

 

Hardware and Software Specifications

The solution is validated with the hardware and software listed in the following table. For the complete list of hardware and software supported

Hardware platform	Model Name
Access points	Cisco Catalyst 9124 Series AP Cisco Catalyst 9105AXW Cisco Aironet OEAP 1810 series Cisco Aironet 1815T series Cisco Aironet 1810W series Cisco Aironet 1815W Cisco Catalyst IW6300 Heavy Duty Series Access Points   Cisco 6300 Series Embedded Services Access Points
Cisco wireless controller	C9800-80 C9800-40 C9800-L C9800-CL
Cisco DNA Center

 

Ethernet (AUX) Port

The second Ethernet port in Cisco Aironet 1850, 2800, and 3800 Series APs is used as a link aggregation (LAG) port, by default. It is possible to use this LAG port as an RLAN port when LAG is disabled.
The following APs use LAG port as an RLAN port:

• 1852E
• 1852I
• 2802E
• 2802I
• 3802E
• 3802I
• 3802P
• 4802

Feature summary

Feature	Local Mode	Flex Mode	Fabric Local Mode
Basic RLAN feature with one client like Phone or Laptop	Supported	Supported	Supported
Multi-Client per port	Supported	Supported	Supported
Port Security – ACL / Firewall	Not Supported	Not Supported	Not Supported
Split Tunneling	Not Supported	Not Supported	Not Supported
Vlan Support on RLAN	Supported	Supported	Supported
802.1x on RLAN	Supported	Supported	Supported
Mac Filtering + 802.1x on RLAN	Supported	Supported	Supported
Web Auth on RLAN	Supported	Supported	Supported
AAA override on RLAN	Supported	Supported	Supported
Local authentication	Supported	Supported	Supported
IPv6 ACL or Flexible Netflow	Supported	Supported	Supported
MAB	Supported	Supported	Supported
WEB  ACL	Not Supported	Supported	Not Supported
SGT	Not Supported	Not Supported	Supported

 

Show and Debug commands

 

Device	Show commands
Controller	show remote-lan summary show remote-lan id <id> show remote-lan name <profile-name show remote-lan all show remote-lan policy summary show ap name <ap_name> lan port summary show wireless client summary show wireless client username cisco show wireless client mac-address <mac> detail show ap tag summary show wireless tag policy summary show wireless tag policy detailed <rlan_policy_tag_name>
Access Point	show wired client

Device	Debug commands
Controller	set platform software trace wncd chassis active R0 all-modules debug debug wireless mac <rlan client mac> set plat soft trace wncd chassis active r0  lisp-agent- ? lisp-agent-api        lisp-agent-db   lisp-agent-fsm      l isp-agent-ha lisp-agent-internal  lisp-agent-lib  lisp-agent-lispmsg lisp-agent-shim lisp-agent-transport
Access Point	debug rlan critical debug rlan errors debug rlan events debug rlan info debug client <mac-addr>

 

Solution Use Case Scenarios

• Typically used for security surveillance cameras.
• Teleworker with Wire and wireless Devices Teleworkers require always-on secure access to networked business services from the remote home office. This design guide enables the following network capabilities:
  • Common wireless device configuration for onsite and teleworker wire access
  • Authentication through IEEE 802.1x for employees and encryption for all information sent and received to the organization’s main location.
  • Simplified IT provisioning for the home office, which reduces setup time and supports varying levels of end-user skills.
  • Mobility and flexibility for voice endpoints at the teleworker location.
• Scanners and printers.

Deployment Topology

Local and Flex

 

Fabric

 

 

Configuration

Flex + RLAN configuration:

Create Rlan policy:

ap remote-lan-policy policy-name rlan-policy-vlan14

no central switching
description rlan-policy-vlan14
ipv4 acl acl-rlan

no poe

session-timeout 0

violation-mode replace

vlan <vlan id>
no shutdown

 

Create rlan profile

ap remote-lan profile-name rlanprofile 2

no shutdown

 

Map rlan policy to rlan profile and add to wireless tag policy

wireless tag policy policy-tag-rlan-vlan9 r

emote-lan rlanprofile policy rlan-policy-vlan14 port-id 1

remote-lan rlanprofile policy rlan-policy-vlan14 port-id 2

remote-lan rlanprofile policy rlan-policy-vlan14 port-id 3

 

Create Site tag

wireless tag site Rlan-local-Auth

ap profile RLAN

Add policy tag to ap

ap 3c57.31c5.93a4

policy-tag policy-tag-rlan-vlan14

site-tag Rlan-local-Auth

Enable rlan port

ap name AP3c57.31c5.93a4 lan port-id 1 enable

 

FABRIC + RLAN

Configure aaa method

config taaa new-model 

aaa authentication dot1x  wcm_local local

aaa authorization credential-download wcm_author local

aaa local authentication wcm_local authorization wcm_author

Configure local username

config t

username aaalocal password 0 aaalocal

 

Check crypto pki trustpoint  -> this step is mandatory if PEAP method is used. we can define MIC cert or SSC cert l.

ewlc-1#show crypto pki trustpoints

Trustpoint SLA-TrustPoint: 

   Subject Name:  

  cn=Cisco Licensing Root CA 

  o=Cisco        

    Serial Number (hex): 01   

Certificate configured.

Trustpoint TP-self-signed-3072272689:  

  Subject Name:   

 cn=IOS-Self-Signed-Certificate-3072272689      

    Serial Number (hex): 01  

 Persistent self-signed certificate trust point   

Using key label TP-self-signed-3072272689

 

Configure eap profle and define method

 config t 

 eap profile eap_name
 method leap
 method peap
 method fast
 method tls
 pki-trustpoint TP-self-signed-3375061260

 

Create Rlan profile

ap remote-lan profile-name rlanprofile_local_auth 17
local-auth eap_name
security dot1x authentication-list wcm_local

no shutdown

 

Configure Rlan policy

ap remote-lan-policy policy-name rlan-policy-802X-localauth

aaa-policy aaa_policy_realm

accounting-list cisco2.com

no central dhcp
no central switching

description Local_auth

host-mode singlehost

no poe
fabric 802X-fabric

session-timeout 86400

violation-mode replace

no shutdown

 

Configure Fabric profile

wireless profile fabric 802X-fabric

client-l2-vnid 8189

sgt-tag 8189

Map rlan profile with policy tag

wireless tag policy policy-tag-rlan-local-Auth

remote-lan rlanprofile_local_auth policy rlan-policy-802X-localauth port-id 1

Create site tag

wireless tag site Rlan-local-Auth

ap profile RLAN

Add policy tag to AP

ap 843d.c670.3c40

policy-tag policy-tag-rlan-local-Auth

site-tag Rlan-local-Auth

Enable rlan port

ap name AP843D.C670.3C40 lan port-id 1 enable

Scale Supported

The client scale depends on Ethernet port which are available on a RLAN supported AP Model. Each LAN port on an AP is supports max of 4 clients.

Limitation for RLAN

• Not all Aps support RLAN.
• RLAN supports only a maximum of four wired clients regardless of the AP model
• RLAN support with Virtual Roueng and Forwarding (VRF) is not available.
• We can create a maximum of 128 RLANs and cannot use the rlan-id of an exiseng RLAN while creating another RLAN.
• Both RLAN and WLAN profile cannot have the same names. Similarly, RLAN and WLAN policy profile cannot have the same names.
• We can activate either web or dot1x authentication list at a time.
• For an RLAN profile with open-auth configuration, you must map the RLAN-policy with single host mode. Mapping RLAN-policy with mule-host or mule-domain mode is not supported.
• The controller does not assign data versus voice VLAN, based on traffic. RLAN only supports multiple VLAN assignments through 802.1x AAA override. You must create data and voice VLANs and then assign these VLANs to respective clients, based on their authentication through the 802.1x AAA override.

 

Feature not supported on RLAN

• Central Web Authentication (CWA)
• Quality of Service (QoS)
• Bi-Directional Rate Limiting (BDRL)
• Multicast and Broadcast
• Identity PSK (iPSK)

 

Role Of Controller

• The controller acts as an Authenticator, and Extensible Authentication Protocol (EAP) over LAN (EAPOL) messages from the wired client reaching the controller through an AP.
• The controller communicates with the configured Authentication, Authorization, and Accounting (AAA) server.
• The controller configures the LAN ports for an AP and pushes them to the corresponding AP.

Glossary

• RLAN: Remote Local Area Network

• OEAP:OfficeExtend access point

• DTLS: Datagram Transport Layer Security

• ACL: Access Control List

• SDA: Software Defined Access

• EWLC: Elastic Wireless Lan Controller

 

References

1. Remote LANs

Cisco Catalyst 9800 Series Wireless Controller Software Configuration Guide, Cisco IOS XE Cupertino 17.9.x - Remote LANs [Cisco Catalyst 9800 Series Wireless Controllers] - Cisco

2. Configure OEAP and RLAN on Catalyst 9800 WLC

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/215681-configure-oeap-and-rlan-on-catalyst-9800.html

3. Wireless compatibility matrix for the latest information https://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html

 

 

 

WGB

WGB Solution Overview

A workgroup bridge (WGB) is an Access Point mode to provide wireless connectivity to wired clients that are connected to the Ethernet port of the WGB AP directly or via a switch. A WGB connects a wired network over a single wireless segment by learning the MAC addresses of its wired clients on the Ethernet interface and report them to the WLC through infrastructure AP using Internet Access Point Protocol (IAPP) messaging.

The WGB establishes a single wireless connection to the root AP on any one 2.4Ghz or 5 Ghz radio, which in turn treats the WGB as a wireless client. The WGB can serve wireless clients on the other radio.

Non Fabric topology

 

Hardware Specifications and Requirements

Hardware Platform	Model Name	Version
Access Points	Cisco Aironet 2700, 3700, and 1572 Series	Requires autonomous image
	Cisco Aironet 2800, 3800, 4800, 1562, and	Cisco IOS-XE image starting 16.10
	Cisco Catalyst 9105, 9115	Cisco IOS-XE image starting 17.8
	Cisco Catalyst  9120, 9130, 9124
	IW6300 and ESW6300 Series
Cisco Wireless Controller	C9800-80, C9800-40 C9800-L, C9800-CL	Starting 16.10
Remote Site Switch	Cisco Catalyst 9 series Cisco Catalyst 3850
Cisco DNA Centre controller
Cisco Prime Infrastructure		3.10.4 + System Patch

 

 

Profile Feature summary

Features	Wave1 Aps	Wave2 and Cat91xx Aps
802.11r	Supported	Supported
QOS	Supported	Supported
UWGB mode	Supported	Supported on Wave 2 APs
IGMP Snooping or Multicast	Supported	Supported
802.11w	Supported	Supported
PI support (without SNMP)	Supported	Not supported
IPv6	Supported	Supported
VLAN	Supported	Supported
802.11i (WPAv2)	Supported	Supported
Broadcast tagging/replicate	Supported	Supported
Unified VLAN client	Implicitly supported (No CLI required)	Supported
WGB client	Supported	Supported
802.1x – PEAP, EAP-FAST, EAP-TLS	Supported	Supported
NTP	Supported	Supported
Wired client support on all LAN ports	Supported in Wired-0 and Wired-1 interfaces	Supported in all Wired-0, 1 and LAN ports 1, 2, and 3

 

 

Solution Use Case Scenarios

• Network connectivity to the passive clients in network.
• Network Connectivity  non wireless capability clients.
• Reliable Multicast delivery for clients in small segment network.
• Layer 3 roaming of WGB clients in a network.
• Network connectivity of clients behind WGB when connected with Mesh Aps.
• Roaming in case of moving devices
• Network connectivity with IOT Ap as WGB.
• Network connectivity of passive clients with Third party WGB

 

Configuration and programable interfaces

Config Commands

Sample psk config on eWLC :

wlan <wlan profile name> <wlan id> <ssid name> 

ccx aironet-iesupport 

no security ft adaptive 

security wpa psk set-key ascii 0 <psk key>

no security wpa akm dot1x 

security wpa akm psk

no shutdown

Config Capwap ap to WGB

 ap-type workgroup-bridge

SSID Profile Configuration on WGB

configure ssid-profile ssid-profile-name ssid radio-serv-name authentication {open | psk preshared-key key-management {dot11r | wpa2 | dot11w |{optional | required }}| eap profile eap-profile-name key-management {dot11r | wpa2 | dot11w|{optional | required}}

Attach SSID Profile to Radio interface

configure dot11radio radio-interface mode wgb ssid-profile profle-name

Map Radio Interface as ROOT AP to server Wireless client behind WGB

configure dot11radio radio-int mode root-ap

Configures the WLAN at the root AP mode radio.

configure dot11Radio <0|1> wlan add ssid-profile-name ssid-number

Show Commands

On eWLC

• show wireless wgb summary
• show wireless wgb  mac-address <wgb mac-address> detail

On Access Points

• show client summary
• show client statistics wireless <wireless client mac>
• show client statistics wired <wired client mac> 

On WGB

•  show wgb ssid
• show client summary

Scale Supported

• Only up to 20 clients inclusive of both wired and wireless client behind WGB is supported.

Restriction or Limitations or Recommendation

• MAC filtering is not supported for wired clients.
• Idle timeout is not supported for both WGB and wired clients.
• Session timeout is not applicable for wired clients.
• Web authentication is not supported.
• To use a chain of certificates, copy all the CA certificates to a file and install it under a trust point on the WGB, else server certificate validation may fail.
• Wired clients connected to the WGB are not authenticated for security. Instead, the WGB is authenticated against the access point to which it associates. Therefore, it is recommended to physically secure the wired side of the WGB.
• Wired clients connected to a WGB inherit the WGB's QoS and AAA override attributes.
• To enable the WGB to communicate with the root AP, create a WLAN and make sure that Aironet IE is enabled under the Advanced settings

References

 

• https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-10/config-guide/b_wl_17_10_cg/m_ewlc_wgb.html

 

Tested Hardware Specs

	Client Hardware Specs	Access Points
Mesh	Windows, Macmini	9130, 9124, 2800, 3800, 4800, 1542, 1562
RLAN	Windows, Macmini	C9105AXW, C9105AXW, 3802E
WGB	Windows	Root Ap - 3800, 2800, 9130, CW9163 WGB - 9130, 9120, 3700

 

Acknowledgments

Thanks to Ian Procyk for his feedback on customer deployments