Friday, February 24, 2017

Configuring Link Aggregation (LAG) on a Cisco WLC 2504 and WLC Ports

You can connect several different types of controller ports to your network:

* Service port - Used for out-of-band management, system recovery, and initial boot functions; always connects to a switch port in access mode

* Distribution system port - Used for all normal AP and management traffic; usually connects to a switch port in 802.1Q trunk mode

* Console port - Used for out-of-band management, system recovery, and initial boot functions; asynchronous connection to a terminal emulator (9600 baud, 8 data bits, 1 stop bit, by default)

* Redundancy port - Used to connect to a peer controller for redundant operation

Controllers can have a single service port that must be connected to a switched network. Usually the service port is assigned to a management VLAN so that you can access the controller with Secure Shell (SSH) or a web browser to perform initial configuration or for maintenance. Notice that the service port supports only a single VLAN, so the corresponding switch port must be configured for access mode only.

Controllers also have multiple distribution system ports that you must connect to the network. These ports carry most of the data coming to and going from the controller. For example, the CAPWAP tunnels (control and data) that connect to each of a controller's APs pass across the distribution system ports. Client data also passes from wireless LANs to wired VLANs over the ports. In addition, any management traffic using a web browser, SSH, Simple Network Management Protocol (SNMP), or Trivial File Transfer Protocol (TFTP) normally reaches the controller through the ports.

Because the distribution system ports must carry data that is associated with many different VLANs, VLAN tags and numbers become very important. For that reason, the distribution system ports always operate in 802.1Q trunking mode. When you connect the ports to a switch, you should also configure the switch ports for unconditional 802.1Q trunk mode.

The distribution system ports can operate independently, each one transporting multiple VLANs to a unique group of internal controller interfaces. For resiliency, you can configure distribution system ports in redundant pairs. One port is primarily used; if it fails, a backup port is used instead.

To get the most use out of each distribution system port, you can configure all of them to operate as a single logical group, much like an EtherChannel on a switch. Controller distribution system ports can be configured as a link aggregation group (LAG) such that they are bundled together to act as one larger link. With a LAG configuration, traffic can be load balanced across the individual ports that make up the LAG. In addition, LAG offers resiliency; if one individual port fails, traffic will be redirected to the remaining working ports instead.

You can enable Link Aggregation (LAG) on WLC 2504 ports 1 and 2 for redundant uplinks to a switch. In my wireless lab, I've connected WLC ports 1 and 2 to Sw1 ports 1 and 2 respectively.

To enable Link Aggregation (LAG) on a WLC, go to Controller > General. LAG is disabled by default (the page displays "LAG Mode is currently disabled"). You'll also need to reboot the WLC afterwards for LAG to take effect. Click Apply, click OK twice, and then Save Configuration.

You can use the WLC CLI command show lag summary to verify LAG status.

(Cisco Controller) >show lag ?

eth-port-hash  Shows the physical port used for specific MAC addresses
ip-port-hash   Shows the physical port used for specific IP addresses
summary        Shows the current status of the LAG (Link Aggregation) configuration

(Cisco Controller) >show lag summary

LAG Disabled.

I lost remote access to the WLC after pressing OK and I thought the WLC auto-reboots itself.

I've checked via CLI and the LAG was enabled but it needs a manual reboot.

(Cisco Controller) >show lag summary

LAG Enable is in transition. Pls Reboot the switch

(Cisco Controller) >reset ?

system         Reset the switch.

(Cisco Controller) >reset system

The system has unsaved changes.
Would you like to save them now? (y/N) y

Configuration Saved!
System will now restart! Restarting system.

WLCNG Boot Loader Version 1.0.16 (Built on Feb 28 2011 at 13:14:54 by cisco)
Board Revision 0.0 (SN: PSZ172300U3, Type: AIR-CT2504-K9) (P)

Verifying boot loader integrity... OK.


While the WLC is rebooting, I've configured a Layer 2 EtherChannel on the switch.

SW1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
SW1(config)#interface range fastethernet0/1-2
SW1(config-if-range)#description ### L2 EtherChannel Trunk to WLC1 ###
SW1(config-if-range)#switchport trunk encapsulation dot1q
SW1(config-if-range)#switchport mode trunk
*Mar  1 01:54:48.431: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
*Mar  1 01:54:48.439: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to down
*Mar  1 01:54:51.450: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
*Mar  1 01:54:51.467: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to up
SW1(config-if-range)#channel-group 1 ?
  mode  Etherchannel Mode of the interface

SW1(config-if-range)#channel-group 1 mode ?
  active     Enable LACP unconditionally
  auto       Enable PAgP only if a PAgP device is detected
  desirable  Enable PAgP unconditionally
  on         Enable Etherchannel only
  passive    Enable LACP only if a LACP device is detected

SW1(config-if-range)#channel-group 1 mode on
Creating a port-channel interface Port-channel 1

*Mar  1 01:55:08.437: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up
*Mar  1 01:55:09.444: %LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel1, changed state to up
SW1(config-if-range)#interface port-channel1
% Command exited out of interface range and its sub-modes.
  Not executing the command for second and later interfaces
SW1(config-if)#description ### L2 EtherChannel Trunk to WLC1 ###
SW1(config-if)#switchport mode trunk

Verify the WLC LAG status via either the CLI or the web GUI.

(Cisco Controller) >show lag summary

LAG Enabled

Go to Controller > General to see if the status changed to LAG Mode is currently enabled.

Below are some useful show commands to verify EtherChannel on a Cisco switch:

SW1#show run interface port-channel1
Building configuration...

Current configuration : 143 bytes
interface Port-channel1
 description ### L2 EtherChannel Trunk to WLC1 ###
 switchport trunk encapsulation dot1q
 switchport mode trunk

SW1#show interface port-channel1
Port-channel1 is up, line protocol is up (connected)
  Hardware is EtherChannel, address is 0016.c840.3583 (bia 0016.c840.3583)
  Description: ### L2 EtherChannel Trunk to WLC1 ###
  MTU 1500 bytes, BW 200000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, link type is auto, media type is unknown
  input flow-control is off, output flow-control is unsupported
  Members in this channel: Fa0/1 Fa0/2
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output 00:00:01, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 2000 bits/sec, 4 packets/sec
     6 packets input, 1968 bytes, 0 no buffer
     Received 6 broadcasts (6 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 6 multicast, 0 pause input
     0 input packets with dribble condition detected
     756 packets output, 56755 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out

SW1#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
WLC1             Fas 0/1           162            H       AIR-CT250 Gig 0/0/1
WLC1             Fas 0/2           162            H       AIR-CT250 Gig 0/0/2

SW1#show etherchannel ?
  <1-48>        Channel group number
  detail        Detail information
  load-balance  Load-balance/frame-distribution scheme among ports in
  port          Port information
  port-channel  Port-channel information
  protocol      protocol enabled
  summary       One-line summary per channel-group
  |             Output modifiers

SW1#show etherchannel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator

        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
1      Po1(SU)          -        Fa0/1(P)    Fa0/2(P)

SW1#show etherchannel detail
                Channel-group listing:

Group: 1
Group state = L2
Ports: 2   Maxports = 8     // MAX PORTS FOR ETHERCHANNEL ON A 3560 SWITCH
Port-channels: 1 Max Port-channels = 1
Protocol:    -
Minimum Links: 0
                Ports in the group:
Port: Fa0/1

Port state    = Up Mstr In-Bndl
Channel group = 1           Mode = On              Gcchange = -
Port-channel  = Po1         GC   =   -             Pseudo port-channel = Po1
Port index    = 0           Load = 0x00            Protocol =    -

Age of the port in the current state: 0d:00h:03m:07s

Port: Fa0/2

Port state    = Up Mstr In-Bndl
Channel group = 1           Mode = On              Gcchange = -
Port-channel  = Po1         GC   =   -             Pseudo port-channel = Po1
Port index    = 0           Load = 0x00            Protocol =    -

Age of the port in the current state: 0d:00h:03m:10s

                Port-channels in the group:

Port-channel: Po1

Age of the Port-channel   = 0d:00h:15m:03s
Logical slot/port   = 2/1          Number of ports = 2
GC                  = 0x00000000      HotStandBy port = null
Port state          = Port-channel Ag-Inuse
Protocol            =    -
Port security       = Disabled

Ports in the Port-channel:

Index   Load   Port     EC state        No of bits
  0     00     Fa0/1    On                 0
  0     00     Fa0/2    On                 0

Time since last port bundled:    0d:00h:03m:10s    Fa0/2
Time since last port Un-bundled: 0d:00h:03m:16s    Fa0/2
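The transcripts above show two things worth checking in a change window rather than eyeballing: the WLC answers "LAG Enable is in transition" (configured but not yet effective until a reboot) as opposed to "LAG Enabled", and the switch side only reports a healthy bundle when Po1 carries the SU flags and every member shows (P). The following is an added example, not code from the blog post, that parses those two outputs and reports anything that deviates from the expected state. The sample outputs are constructed from the transcripts on this page; the degraded variant with Fa0/2 in the D state is made up to show the failure path.

```python
"""Check Cisco WLC 'show lag summary' and IOS 'show etherchannel summary'
output for the healthy LAG/EtherChannel state described on the page.
Added example; the sample strings below are constructed, not captured."""
import re

# Constructed samples mirroring the WLC answers shown in the transcripts.
WLC_LAG_DISABLED = "LAG Disabled."
WLC_LAG_TRANSITION = "LAG Enable is in transition. Pls Reboot the switch"
WLC_LAG_ENABLED = "LAG Enabled"

# Constructed sample of 'show etherchannel summary' (healthy, as on the page).
IOS_SUMMARY_OK = """\
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
1      Po1(SU)          -        Fa0/1(P)    Fa0/2(P)
"""

# Constructed degraded sample: second member down, so only one uplink is live.
IOS_SUMMARY_DEGRADED = """\
Group  Port-channel  Protocol    Ports
1      Po1(SU)          -        Fa0/1(P)    Fa0/2(D)
"""


def wlc_lag_state(output):
    """Classify the WLC 'show lag summary' answer.

    Returns 'disabled', 'reboot_required' (LAG set but not yet effective),
    or 'enabled'. Anything else is treated as an unknown response."""
    text = output.strip().lower()
    if "transition" in text:
        return "reboot_required"
    if text.startswith("lag enabled"):
        return "enabled"
    if text.startswith("lag disabled"):
        return "disabled"
    raise ValueError("unrecognised LAG status: %r" % output)


# One channel-group row: "<group> Po<n>(<flags>) <protocol> <member list>"
GROUP_LINE = re.compile(r"^(\d+)\s+(Po\d+)\(([A-Za-z]+)\)\s+(\S+)\s+(.*)$")
# One member token inside the member list: "Fa0/1(P)"
PORT_TOKEN = re.compile(r"(\S+?)\(([A-Za-z]+)\)")


def parse_etherchannel_summary(output):
    """Return one dict per channel-group row found in the summary output."""
    groups = []
    for line in output.splitlines():
        m = GROUP_LINE.match(line.strip())
        if not m:
            continue  # flag legend, counters and column header lines
        group, po, po_flags, protocol, ports = m.groups()
        members = {name: flags for name, flags in PORT_TOKEN.findall(ports)}
        groups.append({"group": int(group), "port_channel": po,
                       "flags": po_flags, "protocol": protocol,
                       "members": members})
    return groups


def check_bundle(summary, expected_members):
    """Compare one parsed channel-group against the healthy state.

    Healthy means: Po flags contain S (Layer 2) and U (in use) and not D,
    every expected member is listed, and every member is bundled (P)."""
    problems = []
    po, flags = summary["port_channel"], summary["flags"]
    if "S" not in flags:
        problems.append("%s is not a Layer 2 port-channel (flags %s)" % (po, flags))
    if "U" not in flags or "D" in flags:
        problems.append("%s is not in use / down (flags %s)" % (po, flags))
    for name in sorted(set(expected_members) - set(summary["members"])):
        problems.append("%s missing from %s" % (name, po))
    for name, member_flags in summary["members"].items():
        if "P" not in member_flags:
            problems.append("%s not bundled (flags %s)" % (name, member_flags))
    return problems


if __name__ == "__main__":
    print("WLC:", wlc_lag_state(WLC_LAG_TRANSITION))
    for sample in (IOS_SUMMARY_OK, IOS_SUMMARY_DEGRADED):
        for group in parse_etherchannel_summary(sample):
            print(group["port_channel"],
                  check_bundle(group, {"Fa0/1", "Fa0/2"}) or "healthy")
```

The WLC check deliberately distinguishes the transition state from enabled: a script that only greps for "Enable" would report success before the required reboot, which is exactly the state the post ran into. On the switch side, a member in D or s still leaves Po1 reported as (SU), so the member flags have to be inspected individually to notice that redundancy has been lost.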

Friday, February 17, 2017

Meraki Dashboard Mobile App and WLC Configuration Best Practice

There's a very useful link that outlines the best practice configurations on a Cisco WLC, such as the number of maximum SSIDs, enabling CleanAir, enabling Fast SSID change, etc.

You can remotely manage the Meraki wireless network using the free Meraki dashboard mobile app.

You can use the same login on the Meraki Dashboard web browser.

Click on View Local Connection below to see your smartphone’s wireless connection.

Go to Summary > (Day/Week/Month) to see various wireless network statistics such as Application Usage, Top Device Manufacturer, Top Operating Systems, etc.

Go to Summary > Application Usage to see wireless network application usage (such as YouTube, Facebook, Instagram, etc.).

Go to Summary > Location Analytics to see various wireless client statistics such as Proximity, Capture Rate, etc. This is useful for retail and hospitality clients who want to gain insight into their visitors.

Click APs > choose a specific AP (I only have one AP) to see the AP status and statistics such as Live Usage, Connectivity, Access Point Usage, etc.

Go to APs > Details to see the AP’s local info such as Model, Serial number, MAC address, etc.

Go to APs > Location to see the AP’s location using Google maps.

Go to APs > Tools to use various network troubleshooting tools such as Ping, Traceroute, Throughput (Speed Test), etc.

Click on Clients to see wireless clients associated to the Meraki AP. Click on a specific wireless client to view more details such as IP address, Device Type, MAC address, etc. Click on Application Usage to see various application usage (such as YouTube, Instagram) on a specific wireless client.

Click SSIDs to see the Meraki AP’s configured SSIDs. Click on a specific SSID to see its settings such as Encryption, Sign-on, IP Assignment, etc.

Click More to see other options such as Support Cases, Local Connections, Event Log, etc.