Converged Wireless Network Architecture
An alternative to the centralized wireless architecture, where WLCs are located near the core layer, the WLC function can be moved further down in the network hierarchy. Relocating the WLC does two things:
* The WLC function is moved closer to the LAPs (and the wireless users).
* The WLC function becomes distributed, rather than centralized.
The access layer turns out to be a convenient location for the WLCs. After all, wireless users ultimately connect to a WLC, which serves as a virtual access layer. Why not move the wireless access layer to coincide with the wired access layer? With all types of user access merged into one layer, it becomes much easier to do things link apply common access and security policies that affect all users. This is known as a converged wireless network architecture. To distinguish the two approaches, centralized controllers are known as WLCs, while converged controllers are known as Wireless Control Modules (WCMs).
There's a distinction between the centralized and converged architecture, with regards to the WLC and WCM functions. One difference is that WLCs run the Cisco AireOS software, while WCMs are based on the Cisco IOX-XE software that runs on the Catalyst switches that host the WCMs.
As you might imagine, distributing the controller function into the access layer increases the number of controllers that are needed. One controller is needed per access switch stack or chassis. The idea is to push more controllers down closer to the users, which also reduces the number of APs and clients that connect to each one. How can this be accomplished? The Cisco Catalyst 3650, 3850, and 4500 (Supervisor 8-E only) product families are commonly used as access layer switches, plus they can offer converged-access WCM functions without needing any additional hardware.
Converged Access Switch Wireless Capacities
Platform Lightweight APs Supported Wireless Clients Supported
Catalyst 3650 (per stack) 25 1000
Catalyst 3850 (per stack) 50 2000
Catalyst 4500 (per chassis) 50 2000
It might seem odd that the number of supported APs is rather low, when the physical port density of a switch is rather large. For instance, a Catalyst 3850 switch stack can consist of up to 432 wired ports (nine 48-port switches), but only 50 APs can be conected to the entire stack of switches. If you think of this from a wireless perspective, it makes more sense. Each AP is connected to the switch stack by a twisted-pair cable that is limited to a length of 100 meters. Therefore, all of the APs must be located within a 100 meter radius of the access switch. There are not too many AP cells that can physically fit into that area.
One other advantage of the converged network architecture relates to wireless scalability. APs offering 802.11ac Wave 1 can use common 1-Gbps switch ports withoout limiting the throughput. Wave 2, however, has the potential to go well beyond 1 Gbps, which requires something more than a single 10/100/1000-Mbps switch port. Cisco offes proprietary Multigigabit Ethernet ports on several models in the Catalyst 3850 and 4500 families, where APs an connect over a single cables. Multigigabit Ethernet can operate at speeds of 100 Mbps, 1 Gbps, 2.5 Gbps, and 5 Gbps over Cat5e cabling and up to 10 Gbps over Cat6a cabling speeds.
The converged model also solves some connectivity problems at branch sites by bringing a fully functional WLC onsite, within the access layer switch. With a local WLC, the APs can continue to operate without a dependency upon a WLC at the main site through a WAN connection.
If the CAPWAP tunnel is relatively short in a converged network, which means the wireless devices can reach each other more efficiently. In contrast, traffic from a wireless user to a central resource such as a data center or the Internet travels through the CAPWAP tunnel, is unencapsulated at the access layer switch (and WLC), then travels up through the rest of the network layers.
I was able to get a Cisco 3650 switch for my wireless lab and configured its wireless controller module (WCM). The setup is identical with a Cisco 3850 switch. You initially configure the web GUI access on the switch and click on Wireless Web GUI.
Switch>enable
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#hostname 3650-WCM1
3650-WCM1(config)#interface vlan1
3650-WCM1(config-if)#ip address 202.7.3.5 255.255.255.224
3650-WCM1(config-if)#no shutdown
3650-WCM1(config-if)#
*Jul 28 05:10:20.363: %LINK-3-UPDOWN: Interface Vlan1, changed state to up
*Jul 28 05:10:21.364: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
3650-WCM1(config-if)#ip default-gateway 202.7.3.1
3650-WCM1(config)#username admin cisco privilege 15 password cisco
3650-WCM1(config)#end
3650-WCM1#
*Jul 28 05:14:21.885: %SYS-5-CONFIG_I: Configured from console by console
You can run the configuration wizard by going to Configuration > Wizard to configure the WCM basic settings.
You configure the Wireless Management which is used between the WCM and AP.
You need to select Mobility Controller (MC) for the Mobility Role in order for the Cisco 3650 to act as the wireless controller for the APs. The default role is Mobility Agent and the WCM will not register any AP.
You create the wireless SSID and choose which 802.11 radios to enable.
You set the correct time in order for the proper exchange of DTLS certificates between WLC and AP.
A summary of the preferred settings is presented before you click Apply.
By default, the status on the WLAN SSID is disabled (uncheck) and you need to tick Enabled in order to be used by wireless clients. For quick wifi testing, I chose open authentication which means there's no Layer 2 and Layer 3 security policy were selected.
After configuring the WCM, the AP still can't upgrade it's image and found out I hit a bug with the 3.3.5 IOS-XE. So I've upgraded to 3.6.5, expanded the IOS and changed the boot file.
ERROR: Problem extracting files from archive.
Download image failed, notify controller!!! From:8.0.110.0 to 10.1.150.0, FailureCode:3
archive download: takes 48 seconds
*Jul 28 05:59:24.331: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 202.7.3.5:5246
*Jul 28 05:59:24.331: %LWAPP-3-CLIENTERRORLOG: Config load from flash failed. Initialising Cfg
*Jul 28 05:59:24.347: %LWAPP-3-CLIENTERRORLOG: Config load from flash failed. Initialising Cfg
*Jul 28 05:59:24.551: capwap_image_proc: problem extracting tar file
examining image...!
extracting info (289 bytes)
Image info:
Version Suffix: k9w8-.152-4.JB7
Image Name: ap1g2-k9w8-mx.152-4.JB7
Version Directory: ap1g2-k9w8-mx.152-4.JB7
Ios Image Size: 11213312
Total Image Size: 11602432
Image Feature: WIRELESS LAN|LWAPP
Image Family: AP1G2
Wireless Switch Management Version: 10.1.150.0
MwarVersion:0A019600.First AP Supported Version:0703010B.
Image version check passed
Extracting files...
ap1g2-k9w8-mx.152-4.JB7/ (directory) 0 (bytes)
extracting ap1g2-k9w8-mx.152-4.
*Jul 28 05:59:34.415: AP has SHA2 MIC certificate - Using SHA1 MIC certificate for DTLS.
*Jul 28 05:59:34.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 202.7.3.5 peer_port: 5246
*Jul 28 05:59:34.315: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 202.7.3.5 peer_port: 5246
*Jul 28 05:59:34.315: %CAPWAP-5-SENDJOINJB7/file_hashes (3733 bytes)
extracting ap1g2-k9w8-mx.152-4.JB7/K5.bin (81620 bytes)!!!: sending Join Request to 202.7.3.5perform archive download capwap:/ap1g2 tar file
*Jul 28 05:59:34.323: %CAPWAP-6-AP_IMG_DWNLD: Required image not found on AP. Downloading image from Controller.
*Jul 28 05:59:34.327: Loading file /ap1g2...
!!!
extracting ap1g2-k9w8-mx.152-4.JB7/S2.bin (13992 bytes)!
extracting ap1g2-k9w8-mx.152-4.JB7/img_sign_rel_sha2.cert (1371 bytes)!
extracting ap1g2-k9w8-mx.152-4.JB7/S5.bin (111936 bytes)!!!!!
Old IOS (with bug)
Switch Ports Model SW Version SW Image Mode
------ ----- ----- ---------- ---------- ----
* 1 28 WS-C3650-24PS 03.03.05SE cat3k_caa-universalk9 INSTALL
New IOS
Switch Ports Model SW Version SW Image Mode
------ ----- ----- ---------- ---------- ----
* 1 28 WS-C3650-24PS 03.06.05.E cat3k_caa-universalk9 BUNDLE
3650-WCM1#dir
Directory of flash:/
7746 -rw- 2097152 Jul 28 2016 07:20:02 +00:00 nvram_config
7747 -rw- 79122052 Jun 3 2015 12:12:02 +00:00 cat3k_caa-base.SPA.03.03.05SE.pkg
7748 -rw- 6521532 Jun 3 2015 12:12:02 +00:00 cat3k_caa-drivers.SPA.03.03.05SE.pkg
7749 -rw- 34530288 Jun 3 2015 12:12:02 +00:00 cat3k_caa-infra.SPA.03.03.05SE.pkg
7750 -rw- 34846028 Jun 3 2015 12:12:02 +00:00 cat3k_caa-iosd-universalk9.SPA.150-1.EZ5.pkg
7751 -rw- 25170832 Jun 3 2015 12:12:02 +00:00 cat3k_caa-platform.SPA.03.03.05SE.pkg
7752 -rw- 77456192 Jun 3 2015 12:12:02 +00:00 cat3k_caa-wcm.SPA.10.1.150.0.pkg
7753 -rw- 1247 Jun 3 2015 12:12:14 +00:00 packages.conf
7754 -rw- 556 Jul 28 2016 07:19:58 +00:00 vlan.dat
7755 -rw- 303753780 Jul 28 2016 07:10:50 +00:00 cat3k_caa-universalk9.SPA.03.06.05.E.152-2.E5.bin
7756 drwx 4096 Jul 28 2016 07:19:21 +00:00 dc_profile_dir
7759 -rw- 7483 Jul 28 2016 07:31:45 +00:00 wnweb.tgz
3650-WCM1#software expand file flash:/cat3k_caa-universalk9.SPA.03.06.05.E.15
flash:/cat3k_caa-universalk9.SPA.03.06.05.E.152-2.E5.bin
Preparing expand operation ...
[1]: Expanding bundle flash:cat3k_caa-universalk9.SPA.03.06.05.E.152-2.E5.bin
[1]: Copying package files
[1]: A different version of provisioning file packages.conf already exists in flash:.
The provisioning file from the expanded bundle will be saved as
flash:cat3k_caa-universalk9.SPA.03.06.05.E.152-2.E5.conf
[1]: Package files copied
[1]: Finished expanding bundle flash:cat3k_caa-universalk9.SPA.03.06.05.E.152-2.E5.bin
3650-WCM1(config)#no boot system switch all flash:cat3k_caa-universalk9.SPA.03.06.05.E.152-2.E5.bin
3650-WCM1(config)#boot system switch all flash:packages.conf
3650-WCM1(config)#end
3650-WCM1#write memory
Warning: Attempting to overwrite an NVRAM configuration previously written
by a different version of the system image.
Overwrite the previous NVRAM configuration?[confirm]
*Jul 28 07:55:03.051: %SYS-5-CONFIG_I: Configured from console by console3650-WCM1#reload
Reload command is being issued on Active unit, this will reload the whole stack
Proceed with reload? [confirm]
<OUTPUT TRUNCATED>
3650-WCM1#show version
Cisco IOS Software, IOS-XE Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIV
ERSALK9-M), Version 03.06.05.E RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Thu 02-Jun-16 09:03 by prod_rel_team
Cisco IOS-XE software, Copyright (c) 2005-2015 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0.
(http://www.gnu.org/licenses/gpl-2.0.html) For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.
ROM: IOS-XE ROMMON
BOOTLDR: CAT3K_CAA Boot Loader (CAT3K_CAA-HBOOT-M) Version 1.2, RELEASE SOFTWARE
(P)
3650-WCM1 uptime is 27 minutes
Uptime for this control processor is 30 minutes
System returned to ROM by reload at 07:13:18 UTC Thu Jul 28 2016
System image file is "flash:cat3k_caa-universalk9.SPA.03.06.05.E.152-2.E5.bin"
Last reload reason: Reload command
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
License Level: Ipbase
License Type: Permanent
Next reload license Level: Ipbase
cisco WS-C3650-24PS (MIPS) processor with 4194304K bytes of physical memory.
Processor board ID FDO1922EABC
1 Virtual Ethernet interface
28 Gigabit Ethernet interfaces
2048K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
250456K bytes of Crash Files at crashinfo:.
1609272K bytes of Flash at flash:.
0K bytes of Dummy USB Flash at usbflash0:.
0K bytes of at webui:.
Base Ethernet MAC Address : d8:b1:90:3a:21:23
Motherboard Assembly Number : 73-15128-05
Motherboard Serial Number : FDO19211DEF
Model Revision Number : G0
Motherboard Revision Number : A0
Model Number : WS-C3650-24PS
System Serial Number : FDO1922EGHI
Switch Ports Model SW Version SW Image Mode
------ ----- ----- ---------- ---------- ----
* 1 28 WS-C3650-24PS 03.06.05.E cat3k_caa-universalk9 INSTALL
3650-WCM1#show boot
---------------------------
Switch 1
---------------------------
Current Boot Variables:
BOOT variable = flash:packages.conf;
Boot Variables on next reload:
BOOT variable = flash:packages.conf;
Allow Dev Key = yes
Manual Boot = no
Enable Break = no
You can safely delete unwanted files using the software clean command.
3650-WCM1#software ?
auto-upgrade Initiate auto upgrade for switches running incompatible
software
clean Clean unused package files from local media
commit Commit the provisioned software and cancel the automatic
rollback timer
expand Expand a software bundle to local storage, default location is
where the bundle currently resides
install Install software
rollback Rollback the committed software
3650-WCM1#software clean
Preparing clean operation ...
[1]: Cleaning up unnecessary package files
[1]: No path specified, will use booted path flash:packages.conf
[1]: Cleaning flash:
[1]: Preparing packages list to delete ...
In use files, will not delete:
cat3k_caa-base.SPA.03.03.05SE.pkg
cat3k_caa-drivers.SPA.03.03.05SE.pkg
cat3k_caa-infra.SPA.03.03.05SE.pkg
cat3k_caa-iosd-universalk9.SPA.150-1.EZ5.pkg
cat3k_caa-platform.SPA.03.03.05SE.pkg
cat3k_caa-wcm.SPA.10.1.150.0.pkg
packages.conf
[1]: Files that will be deleted:
cat3k_caa-base.SPA.03.06.05E.pkg
cat3k_caa-drivers.SPA.03.06.05E.pkg
cat3k_caa-infra.SPA.03.06.05E.pkg
cat3k_caa-iosd-universalk9.SPA.152-2.E5.pkg
cat3k_caa-platform.SPA.03.06.05E.pkg
cat3k_caa-universalk9.SPA.03.06.05.E.152-2.E5.bin
cat3k_caa-universalk9.SPA.03.06.05.E.152-2.E5.conf
cat3k_caa-wcm.SPA.10.2.150.0.pkg
[1]: Do you want to proceed with the deletion? [yes/no]: yes
[1]: Clean up completed
3650-WCM1#dir
Directory of flash:/
7746 -rw- 2097152 Jul 28 2016 08:01:08 +00:00 nvram_config
7747 -rw- 79122052 Jun 3 2015 12:12:02 +00:00 cat3k_caa-base.SPA.03.03.05SE.pkg
7748 -rw- 6521532 Jun 3 2015 12:12:02 +00:00 cat3k_caa-drivers.SPA.03.03.05SE.pkg
7749 -rw- 34530288 Jun 3 2015 12:12:02 +00:00 cat3k_caa-infra.SPA.03.03.05SE.pkg
7750 -rw- 34846028 Jun 3 2015 12:12:02 +00:00 cat3k_caa-iosd-universalk9.SPA.150-1.EZ5.pkg
7751 -rw- 25170832 Jun 3 2015 12:12:02 +00:00 cat3k_caa-platform.SPA.03.03.05SE.pkg
7752 -rw- 77456192 Jun 3 2015 12:12:02 +00:00 cat3k_caa-wcm.SPA.10.1.150.0.pkg
7753 -rw- 1247 Jun 3 2015 12:12:14 +00:00 packages.conf
7754 -rw- 556 Jul 28 2016 08:00:46 +00:00 vlan.dat
7756 drwx 4096 Jul 28 2016 07:19:21 +00:00 dc_profile_dir
7759 -rw- 7483 Jul 28 2016 07:31:45 +00:00 wnweb.tgz
1621966848 bytes total (1359265792 bytes free)
The AP still won't register unless you activate the AP license and accept the End User License Agreement (EULA).
*Jul 28 08:04:45.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 202.7.3.5 peer_port: 5246
*Jul 28 08:04:45.323: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 202.78.30.5 peer_port: 5246
*Jul 28 08:04:45.323: %CAPWAP-5-SENDJOIN: sending Join Request to 202.7.3.5
*Jul 28 08:04:50.323: %CAPWAP-5-SENDJOIN: sending Join Request to 202.7.3.5
*Jul 28 08:04:50.703: %CDP_PD-4-POWER_OK: All radios disabled - NEGOTIATED inline power source
*Jul 28 08:05:44.711: %DTLS-5-ALERT: Received WARNING : Close notify alert from 202.7.3.5
*Jul 28 08:05:44.711: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 202.7.3.5:5246
*Jul 28 08:05:54.783: AP has SHA2 MIC certificate - Using SHA1 MIC certificate for DTLS.
*Jul 28 08:05:55.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 202.7.3.5 peer_port: 5246
*Jul 28 08:05:55.315: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 202.7.3.5 peer_port: 5246
*Jul 28 08:05:55.315: %CAPWAP-5-SENDJOIN: sending Join Request to 202.7.3.5
*Jul 28 08:06:00.442: *%CAPWAP-3-AP_DB_ALLOC: 1 wcm: Unable to alloc AP entry in database for 202.7.3.29:12956
3650-WCM1#show license ?
right-to-use Displays all the RTU licenses.
3650-WCM1#show license right-to-use ?
default Displays the default license information.
detail Displays details of all the licenses in the stack.
eula Displays the EULA text.
mismatch Displays mismatch license information.
slot Specify switch number
summary Displays consolidated stack wide license information.
usage Displays the usage details of all licenses.
| Output modifiers
<cr>
3650-WCM1#show license right-to-use summary
License Name Type Count Period left
-----------------------------------------------
ipbase permanent N/A Lifetime
apcount base 0 Lifetime
apcount adder 0 Lifetime
--------------------------------------------
License Level In Use: ipbase
License Level on Reboot: ipbase
Evaluation AP-Count: Disabled
Total AP Count Licenses: 0
AP Count Licenses In-use: 0
AP Count Licenses Remaining: 0
3650-WCM1#license ?
right-to-use Configure RTU license.
3650-WCM1#license right-to-use ?
activate activate particular license level
deactivate deactivate particular license level
3650-WCM1#license right-to-use activeate ?
apcount configure the AP-count licenses on the switch
ipbase activate ipbase license on the switch
ipservices activate Ipservices license on the switch
lanbase activate lanbase license on the switch
3650-WCM1#license right-to-use activate apcount ?
<1-50> configure the number of adder licenses
evaluation activate evaluation license
3650-WCM1#license right-to-use activate apcount 50 ?
slot Specify switch number
3650-WCM1#license right-to-use activate apcount 50 slot ?
<1-9> Specify switch number
3650-WCM1#license right-to-use activate apcount 50 slot 1 ?
acceptEULA automatically accept the EULA for the given license
<cr>
3650-WCM1#license right-to-use activate apcount 50 slot 1 acceptEULA
% switch-1:stack-mgr:ACTIVATION FAIL : Total AP Count Licenses exceed maximum limit
3650-WCM1#license right-to-use activate apcount 5 slot 1 acceptEULA
3650-WCM1#
*Jul 28 08:09:29.765: %SMN_HBL_LICENSE-6-AP_ADD: 1 stack-mgr: 5 adder AP-count
licenses are added
You can do this via WCM GUI by going to Administration > Licenses.
I was still unable to register the AP to WCM and it's useful to observe the console logs on the AP. I was able to successfully register an AIR-SAP 1602E AP after configuring switch port G1/0/1 to access port.
*Jul 28 08:37:36.025: %CAPWAP-3-AP_PORT_CFG: AP connected port Gi1/0/1 is not an access port.
*Jul 28 08:37:36.027: *%CAPWAP-3-DATA_TUNNEL_CREATE_ERR2: 1 wcm: Failed to create CAPWAP data tunnel with interface id: 0xde95c00000000c for AP: a055.4fc2.c2a0 Error Reason: Capwap Data Tunnel create retry exceeded max retry count.
*Jul 28 08:37:54.145: *%CAPWAP-3-INVALID_STATE_EVENT: 1 wcm: Invalid AP event (CAPWAP Discovery Request) and state (CAPWAP Join Response) combination
*Jul 28 08:38:04.148: *%CAPWAP-3-INVALID_STATE_EVENT: 1 wcm: Invalid AP event (CAPWAP Discovery Request) and state (CAPWAP Join Response) combination[...It occurred 3 times/sec!.]
*Jul 28 08:38:14.147: *%CAPWAP-3-INVALID_STATE_EVENT: 1 wcm: Invalid AP event (CAPWAP Discovery Request) and state (CAPWAP Join Response) combination
*Jul 28 08:38:24.148: *%CAPWAP-3-INVALID_STATE_EVENT: 1 wcm: Invalid AP event (CAPWAP Discovery Request) and state (CAPWAP Join Response) combination[...It occurred 3 times/sec!.]
3650-WCM1#sh run int g1/0/1
Building configuration...
Current configuration : 38 bytes
!
interface GigabitEthernet1/0/1
end
3650-WCM1(config)#interface g1/0/1
3650-WCM1(config-if)#switchport host
switchport mode will be set to access
spanning-tree portfast will be enabled
channel group will be disabled
3650-WCM1#
*Jul 28 08:42:48.343: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down
*Jul 28 08:42:49.344: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down
*Jul 28 08:42:49.513: %SYS-5-CONFIG_I: Configured from console by console
*Jul 28 08:42:50.188: %ILPOWER-7-DETECT: Interface Gi1/0/1: Power Device detected: IEEE PD
*Jul 28 08:42:55.543: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to up
*Jul 28 08:42:56.542: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to up
*Jul 28 08:43:00.188: %ILPOWER-5-POWER_GRANTED: Interface Gi1/0/1: Power granted
3650-WCM1#show wireless ?
authentication Show information and stats about wireless authentication
band-select Displays Band Select Configuration
client Show wireless active clients
country Show the configured countries and channel information
detail Displays Wireless Configuration
dot11-padding Display over-the-air frame padding setting
dot11h Show 802.11h configuration
dtls Show the DTLS server status
exclusionlist Show exclusion list
flow-control Display WCM CMI flow-control details
interface Show wireless interface status and configuration
ipv6 Show IPv6 parameters
linktest Shows linktest
load-balancing Shows Aggressive Load Balancing configuration
media-stream Display Multicast-direct Configuration State
mgmt-via-wireless Show management access from wireless client setting
mobility Show Mobility Management Configuration
multicast Displays Multicast information
performance Shows Aggressive Load Balancing configuration
pmk-cache Show information about the PMK cache
probe Show the advanced probe request configuration
sip SIP parameters
summary Show summary of wireless network
vlan VLAN information
wgb Show active work-group bridges (WGB)
wps Show WPS Configuration
3650-WCM1#show wireless client ?
ap Cisco access point information
calls Wireless client calls
dot11 Show 802.11 parameters
location-calibration wireless client location calibration
mac-address Wireless client MAC address
probing Show probing clients
summary Show active clients
tclas Show TCLAS associated with a client and User Priority
timers Display 802.11 system timers
username Shows wireless client information
voice Wireless client voice parameters
wifidirect Show wifidirect related attributes
The AIR-SAP1602E was able to register to the WCM and my iPhone was able to associate to SSID WCM-LAB.
3650-WCM1#show ap summary
Number of APs: 1
Global AP User Name: Not configured
Global AP Dot1x User Name: Not configured
AP Name AP Model Ethernet MAC Radio MAC State
--------------------------------------------------------------------------------
--------
APa89d.2103.29b8 1602E a89d.2103.29b8 a055.4fc2.c2a0 Registered
3650-WCM1#show wlan summary
Number of WLANs: 1
WLAN Profile Name SSID VLAN Status
--------------------------------------------------------------------------------
1 WCM-LAB WCM-LAB 1 UP
3650-WCM1#show wireless client summary
Number of Local Clients : 1
MAC Address AP Name WLAN State Protocol
--------------------------------------------------------------------------------
d025.9890.1cd9 APa89d.2103.29b8 1 UP 11n(2.4)
3650-WCM1#show wireless client mac-address d025.9890.1cd9 detail
Client MAC Address : d025.9890.1cd9
Client Username: N/A
AP MAC Address : a055.4fc2.c2a0
AP Name: APa89d.2103.29b8
AP slot : 0
Client State : Associated
Wireless LAN Id : 1
Wireless LAN Name: WCM-LAB
BSSID : a055.4fc2.c2a0
Connected For : 402 secs
Protocol : 802.11n - 2.4 GHz
Channel : 11
Client IIF-ID : 0xe9780000000013
ASIC : 0
IPv4 Address : 202.7.3.13
IPv6 Address : Unknown
Association Id : 1
Authentication Algorithm : Open System
Status Code : 0
Session Timeout : 0
Client CCX version : No CCX support
Input Policy Name : unknown
Input Policy State : None
Output Policy Name : unknown
Output Policy State : None
802.1P Priority Tag : Not supported
WMM Support : Enabled
U-APSD Support : Disabled
Power Save : ON
Current Rate : m7
Supported Rates : 1.0,2.0,5.5,11.0,6.0,9.0,12.0,18.0,24.0,36.0,48.0,54.0,1.0,2.0
,5.5,11.0,6.0,9.0,12.0,18.0,24.0,36.0,48.0,54.0
Mobility State : Local
Mobility Move Count : 0
Security Policy Completed : Yes
Policy Manager State : RUN
Policy Manager Rule Created : Yes
NPU Fast Fast Notified : Yes
Last Policy Manager State : DHCP_REQD
Client Entry Create Time : 3022 seconds
Policy Type : N/A
Encryption Cipher : None
Management Frame Protection : No
Protected Management Frame - 802.11w : No
EAP Type : Not Applicable
Interface : default
VLAN : 1
Quarantine VLAN : 0
Access VLAN : 1
WFD capable : No
Manged WFD capable : No
Cross Connection capable : No
Support Concurrent Operation : No
Client Capabilities
CF Pollable : Not implemented
CF Poll Request : Not implemented
Short Preamble : Implemented
PBCC : Not implemented
Channel Agility : Not implemented
Listen Interval : 20
Fast BSS Transition : Not implemented
Fast BSS Transition Details :
Client Statistics:
Number of Bytes Received : 340571
Number of Bytes Sent : 1851951
Number of Packets Received : 2086
Number of Packets Sent : 2133
Number of EAP Id Request Msg Timeouts : 0
Number of EAP Request Msg Timeouts : 0
Number of EAP Key Msg Timeouts : 0
Number of Data Retries : 372
Number of RTS Retries : 0
Number of Duplicate Received Packets : 3
Number of Decrypt Failed Packets : 0
Number of Mic Failured Packets : 0
Number of Mic Missing Packets : 0
Number of Policy Errors : 0
Radio Signal Strength Indicator : -50 dBm
Signal to Noise Ratio : 49 dB
Assisted-Roaming Prediction List:
Nearby AP Statistics:
APa89d.2103.29b8(slot0)
antenna0: 293 seconds ago -78 dBm
Below is the complete show run output.
3650-WCM1#sh run
Building configuration...
Current configuration : 4761 bytes
!
! Last configuration change at 08:51:04 UTC Thu Jul 28 2016 by admin
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname 3650-WCM1
!
boot-start-marker
boot system switch all flash:packages.conf
boot-end-marker
!
!
vrf definition Mgmt-vrf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
!
username cisco privilege 15 password 0 cisco
user-name admin
creation-time 1469684619
privilege 15
password 0 cisco
type mgmt-user
no aaa new-model
switch 1 provision ws-c3650-24ps
!
ip device tracking
!
!
vtp mode transparent
!
crypto pki trustpoint TP-self-signed-3953284901
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3953284901
revocation-check none
rsakeypair TP-self-signed-3953284901
!
!
crypto pki certificate chain TP-self-signed-3953284901
certificate self-signed 01
30820241 308201AA A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33393533 32383439 3031301E 170D3136 30373238 30383031
30355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 39353332
38343930 3130819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
81009B73 AB18BF83 1F81AD63 B3D205A6 DAFD3B85 0DA217D9 E7E194AB FC7263E6
7D08F79C E27D4344 1FABC8D2 5A0CE2E8 25793D61 CDD8470A 5C7BF1C0 3D03BAE6
59413AD7 9C69A4ED 678A4763 F89B1880 17552BA3 5405777D ED107017 6D8F7EFC
86DB704A 39374E05 79AECB5E B2D2018D BC6B8230 32ACDCDD 7EF721C2 A2955409
871F0203 010001A3 69306730 0F060355 1D130101 FF040530 030101FF 30140603
551D1104 0D300B82 09333635 302D5743 4D31301F 0603551D 23041830 1680149C
2C1404EB 132EA53A A1A2573F 8C4E0445 5FE51030 1D060355 1D0E0416 04149C2C
1404EB13 2EA53AA1 A2573F8C 4E04455F E510300D 06092A86 4886F70D 01010405
00038181 00306B05 C7FBB70E A190E144 D99462D7 77A443DA 31511829 CE1FDA7F
206889E7 275A278B EABEBC87 43D6A1F3 833495F5 B67CE347 1A3E2B9F 4549FB0F
90E47E42 5B17176A 8DB24C37 B6731CE2 C8B0A95C A530C4E1 9EE2B784 FB48A6DD
A6F97AB3 EA8C7BF9 8DDF0712 F36F30CB 9CE3634B 7110BBBF 7AFC17AD 5BFC1A9F
9CBDD137 90
quit
!
!
!
!
!
diagnostic bootup level minimal
spanning-tree mode pvst
spanning-tree extend system-id
!
redundancy
mode sso
!
!
!
class-map match-any non-client-nrt-class
match non-client-nrt
!
policy-map port_child_policy
class non-client-nrt-class
bandwidth remaining ratio 10
!
!
!
!
!
!
interface GigabitEthernet0/0
vrf forwarding Mgmt-vrf
ip address 192.168.1.10 255.255.255.0
ip helper-address 192.168.1.1
negotiation auto
!
interface GigabitEthernet1/0/1
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface Vlan1
ip address 202.7.3.5 255.255.255.224
ip helper-address 202.7.3.1
!
ip default-gateway 202.7.3.1
ip http server
ip http authentication local
ip http secure-server
!
!
!
snmp-server location WCM Lab
snmp-server contact John Lagura
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
line vty 5 15
login
!
wsma agent exec
profile httplistener
profile httpslistener
wsma agent config
profile httplistener
profile httpslistener
wsma agent filesys
profile httplistener
profile httpslistener
wsma agent notify
profile httplistener
profile httpslistener
!
wsma profile listener httplistener
transport http
!
wsma profile listener httpslistener
transport https
wireless mobility controller
wireless management interface Vlan1
wireless rf-network WCM
wlan WCM-LAB 1 WCM-LAB
ip dhcp server 202.7.3.1
no security wpa
no security wpa akm dot1x
no security wpa wpa2
no security wpa wpa2 ciphers aes
no shutdown
ap country SG
ap group default-group
end
An alternative to the centralized wireless architecture, where WLCs are located near the core layer, the WLC function can be moved further down in the network hierarchy. Relocating the WLC does two things:
* The WLC function is moved closer to the LAPs (and the wireless users).
* The WLC function becomes distributed, rather than centralized.
The access layer turns out to be a convenient location for the WLCs. After all, wireless users ultimately connect to a WLC, which serves as a virtual access layer. Why not move the wireless access layer to coincide with the wired access layer? With all types of user access merged into one layer, it becomes much easier to do things link apply common access and security policies that affect all users. This is known as a converged wireless network architecture. To distinguish the two approaches, centralized controllers are known as WLCs, while converged controllers are known as Wireless Control Modules (WCMs).
There's a distinction between the centralized and converged architecture, with regards to the WLC and WCM functions. One difference is that WLCs run the Cisco AireOS software, while WCMs are based on the Cisco IOX-XE software that runs on the Catalyst switches that host the WCMs.
As you might imagine, distributing the controller function into the access layer increases the number of controllers that are needed. One controller is needed per access switch stack or chassis. The idea is to push more controllers down closer to the users, which also reduces the number of APs and clients that connect to each one. How can this be accomplished? The Cisco Catalyst 3650, 3850, and 4500 (Supervisor 8-E only) product families are commonly used as access layer switches, plus they can offer converged-access WCM functions without needing any additional hardware.
Converged Access Switch Wireless Capacities
Platform Lightweight APs Supported Wireless Clients Supported
Catalyst 3650 (per stack) 25 1000
Catalyst 3850 (per stack) 50 2000
Catalyst 4500 (per chassis) 50 2000
It might seem odd that the number of supported APs is rather low, when the physical port density of a switch is rather large. For instance, a Catalyst 3850 switch stack can consist of up to 432 wired ports (nine 48-port switches), but only 50 APs can be conected to the entire stack of switches. If you think of this from a wireless perspective, it makes more sense. Each AP is connected to the switch stack by a twisted-pair cable that is limited to a length of 100 meters. Therefore, all of the APs must be located within a 100 meter radius of the access switch. There are not too many AP cells that can physically fit into that area.
One other advantage of the converged network architecture relates to wireless scalability. APs offering 802.11ac Wave 1 can use common 1-Gbps switch ports withoout limiting the throughput. Wave 2, however, has the potential to go well beyond 1 Gbps, which requires something more than a single 10/100/1000-Mbps switch port. Cisco offes proprietary Multigigabit Ethernet ports on several models in the Catalyst 3850 and 4500 families, where APs an connect over a single cables. Multigigabit Ethernet can operate at speeds of 100 Mbps, 1 Gbps, 2.5 Gbps, and 5 Gbps over Cat5e cabling and up to 10 Gbps over Cat6a cabling speeds.
The converged model also solves some connectivity problems at branch sites by bringing a fully functional WLC onsite, within the access layer switch. With a local WLC, the APs can continue to operate without a dependency upon a WLC at the main site through a WAN connection.
If the CAPWAP tunnel is relatively short in a converged network, which means the wireless devices can reach each other more efficiently. In contrast, traffic from a wireless user to a central resource such as a data center or the Internet travels through the CAPWAP tunnel, is unencapsulated at the access layer switch (and WLC), then travels up through the rest of the network layers.
I was able to get a Cisco 3650 switch for my wireless lab and configured its wireless controller module (WCM). The setup is identical with a Cisco 3850 switch. You initially configure the web GUI access on the switch and click on Wireless Web GUI.
Switch>enable
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#hostname 3650-WCM1
3650-WCM1(config)#interface vlan1
3650-WCM1(config-if)#ip address 202.7.3.5 255.255.255.224
3650-WCM1(config-if)#no shutdown
3650-WCM1(config-if)#
*Jul 28 05:10:20.363: %LINK-3-UPDOWN: Interface Vlan1, changed state to up
*Jul 28 05:10:21.364: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
3650-WCM1(config-if)#ip default-gateway 202.7.3.1
3650-WCM1(config)#username admin cisco privilege 15 password cisco
3650-WCM1(config)#end
3650-WCM1#
*Jul 28 05:14:21.885: %SYS-5-CONFIG_I: Configured from console by console
You can run the configuration wizard by going to Configuration > Wizard to configure the WCM basic settings.
You configure the out-of-management port (Service Port in WLC).
You configure the Wireless Management which is used between the WCM and AP.
You need to select Mobility Controller (MC) for the Mobility Role in order for the Cisco 3650 to act as the wireless controller for the APs. The default role is Mobility Agent and the WCM will not register any AP.
You create the wireless SSID and choose which 802.11 radios to enable.
You set the correct time in order for the proper exchange of DTLS certificates between WLC and AP.
A summary of the preferred settings is presented before you click Apply.
By default, the status on the WLAN SSID is disabled (uncheck) and you need to tick Enabled in order to be used by wireless clients. For quick wifi testing, I chose open authentication which means there's no Layer 2 and Layer 3 security policy were selected.
After configuring the WCM, the AP still can't upgrade it's image and found out I hit a bug with the 3.3.5 IOS-XE. So I've upgraded to 3.6.5, expanded the IOS and changed the boot file.
ERROR: Problem extracting files from archive.
Download image failed, notify controller!!! From:8.0.110.0 to 10.1.150.0, FailureCode:3
archive download: takes 48 seconds
*Jul 28 05:59:24.331: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 202.7.3.5:5246
*Jul 28 05:59:24.331: %LWAPP-3-CLIENTERRORLOG: Config load from flash failed. Initialising Cfg
*Jul 28 05:59:24.347: %LWAPP-3-CLIENTERRORLOG: Config load from flash failed. Initialising Cfg
*Jul 28 05:59:24.551: capwap_image_proc: problem extracting tar file
examining image...!
extracting info (289 bytes)
Image info:
Version Suffix: k9w8-.152-4.JB7
Image Name: ap1g2-k9w8-mx.152-4.JB7
Version Directory: ap1g2-k9w8-mx.152-4.JB7
Ios Image Size: 11213312
Total Image Size: 11602432
Image Feature: WIRELESS LAN|LWAPP
Image Family: AP1G2
Wireless Switch Management Version: 10.1.150.0
MwarVersion:0A019600.First AP Supported Version:0703010B.
Image version check passed
Extracting files...
ap1g2-k9w8-mx.152-4.JB7/ (directory) 0 (bytes)
extracting ap1g2-k9w8-mx.152-4.
*Jul 28 05:59:34.415: AP has SHA2 MIC certificate - Using SHA1 MIC certificate for DTLS.
*Jul 28 05:59:34.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 202.7.3.5 peer_port: 5246
*Jul 28 05:59:34.315: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 202.7.3.5 peer_port: 5246
*Jul 28 05:59:34.315: %CAPWAP-5-SENDJOINJB7/file_hashes (3733 bytes)
extracting ap1g2-k9w8-mx.152-4.JB7/K5.bin (81620 bytes)!!!: sending Join Request to 202.7.3.5perform archive download capwap:/ap1g2 tar file
*Jul 28 05:59:34.323: %CAPWAP-6-AP_IMG_DWNLD: Required image not found on AP. Downloading image from Controller.
*Jul 28 05:59:34.327: Loading file /ap1g2...
!!!
extracting ap1g2-k9w8-mx.152-4.JB7/S2.bin (13992 bytes)!
extracting ap1g2-k9w8-mx.152-4.JB7/img_sign_rel_sha2.cert (1371 bytes)!
extracting ap1g2-k9w8-mx.152-4.JB7/S5.bin (111936 bytes)!!!!!
Old IOS (with bug)
Switch Ports Model SW Version SW Image Mode
------ ----- ----- ---------- ---------- ----
* 1 28 WS-C3650-24PS 03.03.05SE cat3k_caa-universalk9 INSTALL
New IOS
Switch Ports Model SW Version SW Image Mode
------ ----- ----- ---------- ---------- ----
* 1 28 WS-C3650-24PS 03.06.05.E cat3k_caa-universalk9 BUNDLE
3650-WCM1#dir
Directory of flash:/
7746 -rw- 2097152 Jul 28 2016 07:20:02 +00:00 nvram_config
7747 -rw- 79122052 Jun 3 2015 12:12:02 +00:00 cat3k_caa-base.SPA.03.03.05SE.pkg
7748 -rw- 6521532 Jun 3 2015 12:12:02 +00:00 cat3k_caa-drivers.SPA.03.03.05SE.pkg
7749 -rw- 34530288 Jun 3 2015 12:12:02 +00:00 cat3k_caa-infra.SPA.03.03.05SE.pkg
7750 -rw- 34846028 Jun 3 2015 12:12:02 +00:00 cat3k_caa-iosd-universalk9.SPA.150-1.EZ5.pkg
7751 -rw- 25170832 Jun 3 2015 12:12:02 +00:00 cat3k_caa-platform.SPA.03.03.05SE.pkg
7752 -rw- 77456192 Jun 3 2015 12:12:02 +00:00 cat3k_caa-wcm.SPA.10.1.150.0.pkg
7753 -rw- 1247 Jun 3 2015 12:12:14 +00:00 packages.conf
7754 -rw- 556 Jul 28 2016 07:19:58 +00:00 vlan.dat
7755 -rw- 303753780 Jul 28 2016 07:10:50 +00:00 cat3k_caa-universalk9.SPA.03.06.05.E.152-2.E5.bin
7756 drwx 4096 Jul 28 2016 07:19:21 +00:00 dc_profile_dir
7759 -rw- 7483 Jul 28 2016 07:31:45 +00:00 wnweb.tgz
3650-WCM1#software expand file flash:/cat3k_caa-universalk9.SPA.03.06.05.E.15
flash:/cat3k_caa-universalk9.SPA.03.06.05.E.152-2.E5.bin
Preparing expand operation ...
[1]: Expanding bundle flash:cat3k_caa-universalk9.SPA.03.06.05.E.152-2.E5.bin
[1]: Copying package files
[1]: A different version of provisioning file packages.conf already exists in flash:.
The provisioning file from the expanded bundle will be saved as
flash:cat3k_caa-universalk9.SPA.03.06.05.E.152-2.E5.conf
[1]: Package files copied
[1]: Finished expanding bundle flash:cat3k_caa-universalk9.SPA.03.06.05.E.152-2.E5.bin
3650-WCM1(config)#no boot system switch all flash:cat3k_caa-universalk9.SPA.03.06.05.E.152-2.E5.bin
3650-WCM1(config)#boot system switch all flash:packages.conf
3650-WCM1(config)#end
3650-WCM1#write memory
Warning: Attempting to overwrite an NVRAM configuration previously written
by a different version of the system image.
Overwrite the previous NVRAM configuration?[confirm]
*Jul 28 07:55:03.051: %SYS-5-CONFIG_I: Configured from console by console3650-WCM1#reload
Reload command is being issued on Active unit, this will reload the whole stack
Proceed with reload? [confirm]
<OUTPUT TRUNCATED>
3650-WCM1#show version
Cisco IOS Software, IOS-XE Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIV
ERSALK9-M), Version 03.06.05.E RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Thu 02-Jun-16 09:03 by prod_rel_team
Cisco IOS-XE software, Copyright (c) 2005-2015 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0.
(http://www.gnu.org/licenses/gpl-2.0.html) For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.
ROM: IOS-XE ROMMON
BOOTLDR: CAT3K_CAA Boot Loader (CAT3K_CAA-HBOOT-M) Version 1.2, RELEASE SOFTWARE
(P)
3650-WCM1 uptime is 27 minutes
Uptime for this control processor is 30 minutes
System returned to ROM by reload at 07:13:18 UTC Thu Jul 28 2016
System image file is "flash:cat3k_caa-universalk9.SPA.03.06.05.E.152-2.E5.bin"
Last reload reason: Reload command
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
License Level: Ipbase
License Type: Permanent
Next reload license Level: Ipbase
cisco WS-C3650-24PS (MIPS) processor with 4194304K bytes of physical memory.
Processor board ID FDO1922EABC
1 Virtual Ethernet interface
28 Gigabit Ethernet interfaces
2048K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
250456K bytes of Crash Files at crashinfo:.
1609272K bytes of Flash at flash:.
0K bytes of Dummy USB Flash at usbflash0:.
0K bytes of at webui:.
Base Ethernet MAC Address : d8:b1:90:3a:21:23
Motherboard Assembly Number : 73-15128-05
Motherboard Serial Number : FDO19211DEF
Model Revision Number : G0
Motherboard Revision Number : A0
Model Number : WS-C3650-24PS
System Serial Number : FDO1922EGHI
Switch Ports Model SW Version SW Image Mode
------ ----- ----- ---------- ---------- ----
* 1 28 WS-C3650-24PS 03.06.05.E cat3k_caa-universalk9 INSTALL
3650-WCM1#show boot
---------------------------
Switch 1
---------------------------
Current Boot Variables:
BOOT variable = flash:packages.conf;
Boot Variables on next reload:
BOOT variable = flash:packages.conf;
Allow Dev Key = yes
Manual Boot = no
Enable Break = no
You can safely delete unwanted files using the software clean command.
3650-WCM1#software ?
auto-upgrade Initiate auto upgrade for switches running incompatible
software
clean Clean unused package files from local media
commit Commit the provisioned software and cancel the automatic
rollback timer
expand Expand a software bundle to local storage, default location is
where the bundle currently resides
install Install software
rollback Rollback the committed software
3650-WCM1#software clean
Preparing clean operation ...
[1]: Cleaning up unnecessary package files
[1]: No path specified, will use booted path flash:packages.conf
[1]: Cleaning flash:
[1]: Preparing packages list to delete ...
In use files, will not delete:
cat3k_caa-base.SPA.03.03.05SE.pkg
cat3k_caa-drivers.SPA.03.03.05SE.pkg
cat3k_caa-infra.SPA.03.03.05SE.pkg
cat3k_caa-iosd-universalk9.SPA.150-1.EZ5.pkg
cat3k_caa-platform.SPA.03.03.05SE.pkg
cat3k_caa-wcm.SPA.10.1.150.0.pkg
packages.conf
[1]: Files that will be deleted:
cat3k_caa-base.SPA.03.06.05E.pkg
cat3k_caa-drivers.SPA.03.06.05E.pkg
cat3k_caa-infra.SPA.03.06.05E.pkg
cat3k_caa-iosd-universalk9.SPA.152-2.E5.pkg
cat3k_caa-platform.SPA.03.06.05E.pkg
cat3k_caa-universalk9.SPA.03.06.05.E.152-2.E5.bin
cat3k_caa-universalk9.SPA.03.06.05.E.152-2.E5.conf
cat3k_caa-wcm.SPA.10.2.150.0.pkg
[1]: Do you want to proceed with the deletion? [yes/no]: yes
[1]: Clean up completed
3650-WCM1#dir
Directory of flash:/
7746 -rw- 2097152 Jul 28 2016 08:01:08 +00:00 nvram_config
7747 -rw- 79122052 Jun 3 2015 12:12:02 +00:00 cat3k_caa-base.SPA.03.03.05SE.pkg
7748 -rw- 6521532 Jun 3 2015 12:12:02 +00:00 cat3k_caa-drivers.SPA.03.03.05SE.pkg
7749 -rw- 34530288 Jun 3 2015 12:12:02 +00:00 cat3k_caa-infra.SPA.03.03.05SE.pkg
7750 -rw- 34846028 Jun 3 2015 12:12:02 +00:00 cat3k_caa-iosd-universalk9.SPA.150-1.EZ5.pkg
7751 -rw- 25170832 Jun 3 2015 12:12:02 +00:00 cat3k_caa-platform.SPA.03.03.05SE.pkg
7752 -rw- 77456192 Jun 3 2015 12:12:02 +00:00 cat3k_caa-wcm.SPA.10.1.150.0.pkg
7753 -rw- 1247 Jun 3 2015 12:12:14 +00:00 packages.conf
7754 -rw- 556 Jul 28 2016 08:00:46 +00:00 vlan.dat
7756 drwx 4096 Jul 28 2016 07:19:21 +00:00 dc_profile_dir
7759 -rw- 7483 Jul 28 2016 07:31:45 +00:00 wnweb.tgz
1621966848 bytes total (1359265792 bytes free)
The AP still won't register unless you activate the AP license and accept the End User License Agreement (EULA).
*Jul 28 08:04:45.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 202.7.3.5 peer_port: 5246
*Jul 28 08:04:45.323: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 202.78.30.5 peer_port: 5246
*Jul 28 08:04:45.323: %CAPWAP-5-SENDJOIN: sending Join Request to 202.7.3.5
*Jul 28 08:04:50.323: %CAPWAP-5-SENDJOIN: sending Join Request to 202.7.3.5
*Jul 28 08:04:50.703: %CDP_PD-4-POWER_OK: All radios disabled - NEGOTIATED inline power source
*Jul 28 08:05:44.711: %DTLS-5-ALERT: Received WARNING : Close notify alert from 202.7.3.5
*Jul 28 08:05:44.711: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 202.7.3.5:5246
*Jul 28 08:05:54.783: AP has SHA2 MIC certificate - Using SHA1 MIC certificate for DTLS.
*Jul 28 08:05:55.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 202.7.3.5 peer_port: 5246
*Jul 28 08:05:55.315: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 202.7.3.5 peer_port: 5246
*Jul 28 08:05:55.315: %CAPWAP-5-SENDJOIN: sending Join Request to 202.7.3.5
*Jul 28 08:06:00.442: *%CAPWAP-3-AP_DB_ALLOC: 1 wcm: Unable to alloc AP entry in database for 202.7.3.29:12956
3650-WCM1#show license ?
right-to-use Displays all the RTU licenses.
3650-WCM1#show license right-to-use ?
default Displays the default license information.
detail Displays details of all the licenses in the stack.
eula Displays the EULA text.
mismatch Displays mismatch license information.
slot Specify switch number
summary Displays consolidated stack wide license information.
usage Displays the usage details of all licenses.
| Output modifiers
<cr>
3650-WCM1#show license right-to-use summary
License Name Type Count Period left
-----------------------------------------------
ipbase permanent N/A Lifetime
apcount base 0 Lifetime
apcount adder 0 Lifetime
--------------------------------------------
License Level In Use: ipbase
License Level on Reboot: ipbase
Evaluation AP-Count: Disabled
Total AP Count Licenses: 0
AP Count Licenses In-use: 0
AP Count Licenses Remaining: 0
3650-WCM1#license ?
right-to-use Configure RTU license.
3650-WCM1#license right-to-use ?
activate activate particular license level
deactivate deactivate particular license level
3650-WCM1#license right-to-use activeate ?
apcount configure the AP-count licenses on the switch
ipbase activate ipbase license on the switch
ipservices activate Ipservices license on the switch
lanbase activate lanbase license on the switch
3650-WCM1#license right-to-use activate apcount ?
<1-50> configure the number of adder licenses
evaluation activate evaluation license
3650-WCM1#license right-to-use activate apcount 50 ?
slot Specify switch number
3650-WCM1#license right-to-use activate apcount 50 slot ?
<1-9> Specify switch number
3650-WCM1#license right-to-use activate apcount 50 slot 1 ?
acceptEULA automatically accept the EULA for the given license
<cr>
3650-WCM1#license right-to-use activate apcount 50 slot 1 acceptEULA
% switch-1:stack-mgr:ACTIVATION FAIL : Total AP Count Licenses exceed maximum limit
3650-WCM1#license right-to-use activate apcount 5 slot 1 acceptEULA
3650-WCM1#
*Jul 28 08:09:29.765: %SMN_HBL_LICENSE-6-AP_ADD: 1 stack-mgr: 5 adder AP-count
licenses are added
You can do this via WCM GUI by going to Administration > Licenses.
I was still unable to register the AP to WCM and it's useful to observe the console logs on the AP. I was able to successfully register an AIR-SAP 1602E AP after configuring switch port G1/0/1 to access port.
*Jul 28 08:37:36.025: %CAPWAP-3-AP_PORT_CFG: AP connected port Gi1/0/1 is not an access port.
*Jul 28 08:37:36.027: *%CAPWAP-3-DATA_TUNNEL_CREATE_ERR2: 1 wcm: Failed to create CAPWAP data tunnel with interface id: 0xde95c00000000c for AP: a055.4fc2.c2a0 Error Reason: Capwap Data Tunnel create retry exceeded max retry count.
*Jul 28 08:37:54.145: *%CAPWAP-3-INVALID_STATE_EVENT: 1 wcm: Invalid AP event (CAPWAP Discovery Request) and state (CAPWAP Join Response) combination
*Jul 28 08:38:04.148: *%CAPWAP-3-INVALID_STATE_EVENT: 1 wcm: Invalid AP event (CAPWAP Discovery Request) and state (CAPWAP Join Response) combination[...It occurred 3 times/sec!.]
*Jul 28 08:38:14.147: *%CAPWAP-3-INVALID_STATE_EVENT: 1 wcm: Invalid AP event (CAPWAP Discovery Request) and state (CAPWAP Join Response) combination
*Jul 28 08:38:24.148: *%CAPWAP-3-INVALID_STATE_EVENT: 1 wcm: Invalid AP event (CAPWAP Discovery Request) and state (CAPWAP Join Response) combination[...It occurred 3 times/sec!.]
3650-WCM1#sh run int g1/0/1
Building configuration...
Current configuration : 38 bytes
!
interface GigabitEthernet1/0/1
end
3650-WCM1(config)#interface g1/0/1
3650-WCM1(config-if)#switchport host
switchport mode will be set to access
spanning-tree portfast will be enabled
channel group will be disabled
3650-WCM1#
*Jul 28 08:42:48.343: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down
*Jul 28 08:42:49.344: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down
*Jul 28 08:42:49.513: %SYS-5-CONFIG_I: Configured from console by console
*Jul 28 08:42:50.188: %ILPOWER-7-DETECT: Interface Gi1/0/1: Power Device detected: IEEE PD
*Jul 28 08:42:55.543: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to up
*Jul 28 08:42:56.542: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to up
*Jul 28 08:43:00.188: %ILPOWER-5-POWER_GRANTED: Interface Gi1/0/1: Power granted
3650-WCM1#show wireless ?
authentication Show information and stats about wireless authentication
band-select Displays Band Select Configuration
client Show wireless active clients
country Show the configured countries and channel information
detail Displays Wireless Configuration
dot11-padding Display over-the-air frame padding setting
dot11h Show 802.11h configuration
dtls Show the DTLS server status
exclusionlist Show exclusion list
flow-control Display WCM CMI flow-control details
interface Show wireless interface status and configuration
ipv6 Show IPv6 parameters
linktest Shows linktest
load-balancing Shows Aggressive Load Balancing configuration
media-stream Display Multicast-direct Configuration State
mgmt-via-wireless Show management access from wireless client setting
mobility Show Mobility Management Configuration
multicast Displays Multicast information
performance Shows Aggressive Load Balancing configuration
pmk-cache Show information about the PMK cache
probe Show the advanced probe request configuration
sip SIP parameters
summary Show summary of wireless network
vlan VLAN information
wgb Show active work-group bridges (WGB)
wps Show WPS Configuration
3650-WCM1#show wireless client ?
ap Cisco access point information
calls Wireless client calls
dot11 Show 802.11 parameters
location-calibration wireless client location calibration
mac-address Wireless client MAC address
probing Show probing clients
summary Show active clients
tclas Show TCLAS associated with a client and User Priority
timers Display 802.11 system timers
username Shows wireless client information
voice Wireless client voice parameters
wifidirect Show wifidirect related attributes
The AIR-SAP1602E was able to register to the WCM and my iPhone was able to associate to SSID WCM-LAB.
3650-WCM1#show ap summary
Number of APs: 1
Global AP User Name: Not configured
Global AP Dot1x User Name: Not configured
AP Name AP Model Ethernet MAC Radio MAC State
--------------------------------------------------------------------------------
--------
APa89d.2103.29b8 1602E a89d.2103.29b8 a055.4fc2.c2a0 Registered
3650-WCM1#show wlan summary
Number of WLANs: 1
WLAN Profile Name SSID VLAN Status
--------------------------------------------------------------------------------
1 WCM-LAB WCM-LAB 1 UP
3650-WCM1#show wireless client summary
Number of Local Clients : 1
MAC Address AP Name WLAN State Protocol
--------------------------------------------------------------------------------
d025.9890.1cd9 APa89d.2103.29b8 1 UP 11n(2.4)
3650-WCM1#show wireless client mac-address d025.9890.1cd9 detail
Client MAC Address : d025.9890.1cd9
Client Username: N/A
AP MAC Address : a055.4fc2.c2a0
AP Name: APa89d.2103.29b8
AP slot : 0
Client State : Associated
Wireless LAN Id : 1
Wireless LAN Name: WCM-LAB
BSSID : a055.4fc2.c2a0
Connected For : 402 secs
Protocol : 802.11n - 2.4 GHz
Channel : 11
Client IIF-ID : 0xe9780000000013
ASIC : 0
IPv4 Address : 202.7.3.13
IPv6 Address : Unknown
Association Id : 1
Authentication Algorithm : Open System
Status Code : 0
Session Timeout : 0
Client CCX version : No CCX support
Input Policy Name : unknown
Input Policy State : None
Output Policy Name : unknown
Output Policy State : None
802.1P Priority Tag : Not supported
WMM Support : Enabled
U-APSD Support : Disabled
Power Save : ON
Current Rate : m7
Supported Rates : 1.0,2.0,5.5,11.0,6.0,9.0,12.0,18.0,24.0,36.0,48.0,54.0,1.0,2.0
,5.5,11.0,6.0,9.0,12.0,18.0,24.0,36.0,48.0,54.0
Mobility State : Local
Mobility Move Count : 0
Security Policy Completed : Yes
Policy Manager State : RUN
Policy Manager Rule Created : Yes
NPU Fast Fast Notified : Yes
Last Policy Manager State : DHCP_REQD
Client Entry Create Time : 3022 seconds
Policy Type : N/A
Encryption Cipher : None
Management Frame Protection : No
Protected Management Frame - 802.11w : No
EAP Type : Not Applicable
Interface : default
VLAN : 1
Quarantine VLAN : 0
Access VLAN : 1
WFD capable : No
Manged WFD capable : No
Cross Connection capable : No
Support Concurrent Operation : No
Client Capabilities
CF Pollable : Not implemented
CF Poll Request : Not implemented
Short Preamble : Implemented
PBCC : Not implemented
Channel Agility : Not implemented
Listen Interval : 20
Fast BSS Transition : Not implemented
Fast BSS Transition Details :
Client Statistics:
Number of Bytes Received : 340571
Number of Bytes Sent : 1851951
Number of Packets Received : 2086
Number of Packets Sent : 2133
Number of EAP Id Request Msg Timeouts : 0
Number of EAP Request Msg Timeouts : 0
Number of EAP Key Msg Timeouts : 0
Number of Data Retries : 372
Number of RTS Retries : 0
Number of Duplicate Received Packets : 3
Number of Decrypt Failed Packets : 0
Number of Mic Failured Packets : 0
Number of Mic Missing Packets : 0
Number of Policy Errors : 0
Radio Signal Strength Indicator : -50 dBm
Signal to Noise Ratio : 49 dB
Assisted-Roaming Prediction List:
Nearby AP Statistics:
APa89d.2103.29b8(slot0)
antenna0: 293 seconds ago -78 dBm
Below is the complete show run output.
3650-WCM1#sh run
Building configuration...
Current configuration : 4761 bytes
!
! Last configuration change at 08:51:04 UTC Thu Jul 28 2016 by admin
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname 3650-WCM1
!
boot-start-marker
boot system switch all flash:packages.conf
boot-end-marker
!
!
vrf definition Mgmt-vrf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
!
username cisco privilege 15 password 0 cisco
user-name admin
creation-time 1469684619
privilege 15
password 0 cisco
type mgmt-user
no aaa new-model
switch 1 provision ws-c3650-24ps
!
ip device tracking
!
!
vtp mode transparent
!
crypto pki trustpoint TP-self-signed-3953284901
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3953284901
revocation-check none
rsakeypair TP-self-signed-3953284901
!
!
crypto pki certificate chain TP-self-signed-3953284901
certificate self-signed 01
30820241 308201AA A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33393533 32383439 3031301E 170D3136 30373238 30383031
30355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 39353332
38343930 3130819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
81009B73 AB18BF83 1F81AD63 B3D205A6 DAFD3B85 0DA217D9 E7E194AB FC7263E6
7D08F79C E27D4344 1FABC8D2 5A0CE2E8 25793D61 CDD8470A 5C7BF1C0 3D03BAE6
59413AD7 9C69A4ED 678A4763 F89B1880 17552BA3 5405777D ED107017 6D8F7EFC
86DB704A 39374E05 79AECB5E B2D2018D BC6B8230 32ACDCDD 7EF721C2 A2955409
871F0203 010001A3 69306730 0F060355 1D130101 FF040530 030101FF 30140603
551D1104 0D300B82 09333635 302D5743 4D31301F 0603551D 23041830 1680149C
2C1404EB 132EA53A A1A2573F 8C4E0445 5FE51030 1D060355 1D0E0416 04149C2C
1404EB13 2EA53AA1 A2573F8C 4E04455F E510300D 06092A86 4886F70D 01010405
00038181 00306B05 C7FBB70E A190E144 D99462D7 77A443DA 31511829 CE1FDA7F
206889E7 275A278B EABEBC87 43D6A1F3 833495F5 B67CE347 1A3E2B9F 4549FB0F
90E47E42 5B17176A 8DB24C37 B6731CE2 C8B0A95C A530C4E1 9EE2B784 FB48A6DD
A6F97AB3 EA8C7BF9 8DDF0712 F36F30CB 9CE3634B 7110BBBF 7AFC17AD 5BFC1A9F
9CBDD137 90
quit
!
!
!
!
!
diagnostic bootup level minimal
spanning-tree mode pvst
spanning-tree extend system-id
!
redundancy
mode sso
!
!
!
class-map match-any non-client-nrt-class
match non-client-nrt
!
policy-map port_child_policy
class non-client-nrt-class
bandwidth remaining ratio 10
!
!
!
!
!
!
interface GigabitEthernet0/0
vrf forwarding Mgmt-vrf
ip address 192.168.1.10 255.255.255.0
ip helper-address 192.168.1.1
negotiation auto
!
interface GigabitEthernet1/0/1
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface Vlan1
ip address 202.7.3.5 255.255.255.224
ip helper-address 202.7.3.1
!
ip default-gateway 202.7.3.1
ip http server
ip http authentication local
ip http secure-server
!
!
!
snmp-server location WCM Lab
snmp-server contact John Lagura
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
line vty 5 15
login
!
wsma agent exec
profile httplistener
profile httpslistener
wsma agent config
profile httplistener
profile httpslistener
wsma agent filesys
profile httplistener
profile httpslistener
wsma agent notify
profile httplistener
profile httpslistener
!
wsma profile listener httplistener
transport http
!
wsma profile listener httpslistener
transport https
wireless mobility controller
wireless management interface Vlan1
wireless rf-network WCM
wlan WCM-LAB 1 WCM-LAB
ip dhcp server 202.7.3.1
no security wpa
no security wpa akm dot1x
no security wpa wpa2
no security wpa wpa2 ciphers aes
no shutdown
ap country SG
ap group default-group
end
