Friday, March 17, 2017

Configuring Local Admin Users and NTP on a WLC via CLI

When designing and deploying a WLAN, you will always be concerned about both coverage and capacity. Various factors can affect the coverage range of a wireless cell, and just as many factors can affect the aggregate throughput in an 802.11 WLAN. The following variables can affect the range of a WLAN:

Transmission Power Rates - The original transmission amplitude (power) will have an impact on the range of an RF cell. An access point transmitting at 30 mW will have a larger coverage zone than an access point transmitting at 1 mW if the same antenna is used. APs with too much transmission amplitude can cause many problems, as already discussed in this chapter.

Antenna Gain - Antennas are passive-gain devices that focus the original signal. An access point transmitting at 30 mW with a 6 dBi antenna will have greater range than it would if it used only a 3 dBi antenna. If you want to increase the range for the clients, the best solution is to increase the antenna gain of the access point.

Antenna Type  - Antennas have different coverage patterns. Using the right antenna will give the proper coverage and reduce multipath and nearby interference.

Wavelength - Higher frequency signals have a smaller wavelength property and will attenuate faster than a lower-frequency signal with a larger wavelength. All things being equal, 2.4 GHz access points have a greater range than 5 GHz access points due to the difference in the length of their waves.

Free Space Path Loss - In any RF environment, free space path loss (FSPL) attenuates the signal as a function of distance and frequency.

Physical Environment - Walls and other obstacles will attenuate an RF signal because of absorption and other RF propagation behaviors. A building with concrete walls will require more access points than a building with drywall because concrete is denser and attenuates the signal faster than drywall.


Capacity performance considerations are equally as important as range considerations. Please remember that 802.11 data rates are considered data bandwidth and not throughput. The following are among many variables that can affect the throughput of a WLAN:

Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA) - The medium access method that uses interframe spacing, physical carrier sense, virtual carrier sense, and the random back-off timer creates overhead and consumes bandwidth. The overhead due to medium contention usually is 50 percent or greater in legacy 802.11a/b/g networks. Medium contention overhead is usually 35 percent to 40 percent in 802.11n/ac networks.

Encryption - Extra overhead is added to the body of an 802.11 data frame whenever encryption is implemented. WEP/RC4 encryption adds an extra 8 bytes of overhead per frame, TKIP/RC4 encryption adds an extra 20 bytes of overhead per frame, and CCMP/AES encryption adds an extra 16 bytes of overhead per frame. Layer 3 VPNs often use DES or 3DES encryption, both of which also consume significant bandwidth. Recent gains in processing capabilities and 802.11n/ac data rates have made encryption overhead much less of an issue in recent years.

Application Use - Different types of applications have variable effects on bandwidth consumption. VoWiFi and data collection scanning typically do not require a lot of bandwidth. Other applications that require file transfers or database access are often more bandwidth intensive. High definition video streaming is also bandwidth intensive.

Number of Clients - Remember that the WLAN is a shared medium. All throughput is aggregate, and all available bandwidth is shared.

Layer 2 Retransmissions - As we have discussed throughout this chapter, various problems can cause frames to become corrupted. If frames are corrupted, they will need to be retransmitted and throughput will be affected.


I configured the wrong admin account (named wlc01) on a new WLC during the initial configuration wizard, so I added a new admin account and deleted the old one via the CLI. I also configured an NTP server on the WLC so it will automatically synchronize the time (and digital certificate) with the AP when building its CAPWAP (DTLS) tunnel.


(Cisco Controller)

Enter User Name (or 'Recover-Config' this one-time only to reset configuration to factory defaults)

User:  wlc01
Password:*************
(Cisco Controller) >config ?
             
802.11-a49     Configures 802.11a 4.9 subband parameters.
802.11-a58     Configures 802.11a 5.8 subband parameters.
802.11-abgn    Configures 802.11-abgn parameters.
802.11a        Configures 802.11a parameters.
802.11b        Configures 802.11b parameters.
802.11h        Configures 802.11h parameters.
aaa            Configures AAA related items.
acl            Configures Access Control Lists.
advanced       Advanced Configuration.
ap             Configures Cisco APs
assisted-roaming Configures Assisted Roaming Global Parameters.
auth-list      Configures ap authorization list.
auto-configure Single command to auto-configure.
avc            Configures AVC (Application Visibility and Control).
band-select    Configures Band Select.
boot           Configures the default boot image.
ccx-lite       Enable or disable CCX-lite feature
cdp            Configure Cisco Discovery Protocol
certificate    Configures SSL Certificates.
client         Configures a client.
coredump       Configures the Core Dump Setting

--More-- or (q)uit
country        Configure the countries of operation.
cts            Configure Cisco TrustSec SXP Protocol
custom-web     Configures the custom web authentication page.
database       Configures the local database
dhcp           Configures system dhcp server.
exclusionlist  Manages exclusion-list.
flexconnect    Configure controller flexconnect parameters.
flow           Configure flow.
guest-lan      Configures the Wireless LAN Network.
icons          Configures the ICON details.
interface      Configures system interfaces.
ipv6           Configure IPv6 related parameters.
lag            Enables/Disables Link Aggregation (LAG)
ldap           Configures LDAP servers (ipv4 or ipv6).
license        Configure software license parameters.
linktest       Configures linktest frame size and number of frames to send.
load-balancing Configures Aggressive Load Balancing.
local-auth     Configures Local EAP Authentication.
location       Configure Location parameters
logging        Configures Logger parameters.
loginsession   Manage User Connections to the Switch.
macfilter      Configure static MAC filtering.
mdns           Configures mDNS Services/Profiles

--More-- or (q)uit
media-stream   Configure Media Stream
memory          Configures memory monitoring for certain types of errors/leaks.
mesh           Config mesh ap parameters.
mgmtuser       Manages local management user accounts.
mobility       Configures the Inter-Switch Mobility Manager
msglog         Configures the system msglog parameters.
netuser        Configures network user policies and local network user accounts.
network        Configuration for inband connectivity.
nmheartbeat    Configures the network manager heartbeat Setting
nmsp           Configure NMSP parameters.
oeap-acl       Configures Access Control Lists for OEAP Split Tunnel.
paging         enable or disable scrolling the page.
passwd-cleartext Enable or Disable the showing of passwd in cleartext
policy         Configure native profiling policy.
port           Configures port mode and physical settings.
profiling      Enabling Local profiling update
prompt         Change the system prompt.
qos            Configure qos parameter.
radius         Configures RADIUS Servers.
redundancy     Configure WLC redundancy parameters
remote-lan     Configures Remote LAN Connections.
rf-profile     Configures RF Profile parameters.
rfid           Configure options for RFID tag tracking

--More-- or (q)uit
rogue          Configures rogue devices.
serial         EIA-232 parameters and serial port inactivity timeout.
service        Modify network based services.
sessions       Configure CLI session parameters.
slot           Configures the slot
snmp           Configures SNMP.
split-tunnel-network-list Configure split tunnel network lists. Only become active in split tunnel mode 2.
stats-timer    Configures system stats timer.
switchconfig   Configure parameters that apply to the switch.
sys-nas        Configures the system nas id.
syslog         Configures the system syslog mode.
sysname        Configures the system name.
tacacs         Configures TACACS+ Servers.
time           Configures system time or servers.
trapflags      Enable or Disable trap flags that apply to the switch.
wgb            Configure WGB related parameters
wlan           Configures the Wireless LAN Network.
wps            Configures WPS settings.

(Cisco Controller) >config mgmtuser ?

add            Creates a local management user.
delete         Delete an existing management user.
description    Sets the description for a management user.
password       Configures a password for a management user.
telnet         Configures telnet privilege for a management user.

(Cisco Controller) >config mgmtuser add ?

<username>     Enter name up to 24 alphanumeric characters.

(Cisco Controller) >config mgmtuser add admin ?

<password>     Enter password up to 24 alphanumeric characters.

(Cisco Controller) >config mgmtuser add admin Mypassword123 ?

lobby-admin    Creates a management user with lobby ambassador privileges.
read-only      Creates a management user with read-only access.
read-write     Creates a management user with read-write access.

(Cisco Controller) >config mgmtuser add admin Mypassword123 read-write

(Cisco Controller) >show mgmtuser

User Name                 Permissions    Description            Password Strength   Telnet Capable
-----------------------   ------------   ---------------------  ------------------  ----------
admin                     read-write                                      Strong         Yes
wlc01                     read-write                                      Strong         Yes

(Cisco Controller) >config mgmtuser delete wlc01

Deleted user wlc01

(Cisco Controller) >config time ?

manual         Configures the system time.
ntp            Configures the Network Time Protocol.
timezone       Configures the system's timezone.

(Cisco Controller) >config time ntp ?

auth           Configures the NTP authentication
interval       Configures the Network Time Protocol Polling Interval.
key-auth       Configures the NTP authentication key.
server         Configures the Network Time Protocol Servers.

(Cisco Controller) >config time ntp server ?

<index>        Enter NTP server index.

(Cisco Controller) >config time ntp server 1 ?

<IP Address>   Enter NTP server's IP address. Use 0.0.0.0  or :: to delete entry

(Cisco Controller) >config time ntp server 1 123.1.3.2

(Cisco Controller) >show time

Time............................................. Mon Dec 12 15:47:14 2016

Timezone delta................................... 0:0
Timezone location................................

NTP Servers
    NTP Polling Interval.........................     86400

     Index     NTP Key Index                  NTP Server                  NTP Msg Auth Status
    -------  ----------------------------------------------------------------------------------
       1              0                        123.1.3.2                   AUTH DISABLED
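A small post-change audit covering both steps above (the management-user cleanup and the NTP server). It parses the text of show mgmtuser and show time and reports what a reviewer would want confirmed: the wizard account is gone, at least one read-write account remains before anything is deleted (so the CLI and GUI cannot be locked out), which accounts are still Telnet capable, and whether the NTP server has message authentication. This is an added example in Python, not the post's or Cisco's code; the two sample outputs are constructed from the session above, and the wizard account name and the "DISABLED" match on the NTP auth column are assumptions of this script.

```python
"""Audit of WLC 'show mgmtuser' and 'show time' output after the change above.

Added example, not part of the original post. The two sample outputs are
constructed from the session on this page; the wizard-account name and the
string match on the NTP auth status column are assumptions of this script.
"""
import re

# Constructed sample: 'show mgmtuser' as captured before wlc01 was deleted.
SHOW_MGMTUSER = """\
User Name                 Permissions    Description            Password Strength   Telnet Capable
-----------------------   ------------   ---------------------  ------------------  ----------
admin                     read-write                                      Strong         Yes
wlc01                     read-write                                      Strong         Yes
"""

# Constructed sample: the NTP section of 'show time' after the server was added.
SHOW_TIME = """\
NTP Servers
    NTP Polling Interval.........................     86400

     Index     NTP Key Index                  NTP Server                  NTP Msg Auth Status
    -------  ----------------------------------------------------------------------------------
       1              0                        123.1.3.2                   AUTH DISABLED
"""


def parse_mgmtuser(text):
    """One dict per management user; the Description column may be blank, so the
    name and permissions are taken from the left and strength/telnet from the right."""
    users = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] == "User" or parts[0].startswith("-"):
            continue  # header, separator or blank line
        users.append({
            "name": parts[0],
            "permissions": parts[1],
            "description": " ".join(parts[2:-2]),
            "strength": parts[-2],
            "telnet": parts[-1] == "Yes",
        })
    return users


NTP_ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(AUTH \w+)")


def parse_ntp_servers(text):
    """(index, key index, server, auth status) for every configured NTP server."""
    servers = []
    for line in text.splitlines():
        m = NTP_ROW.match(line)
        if m:
            servers.append((int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)))
    return servers


def safe_to_delete(users, name):
    """True only if 'name' exists and at least one other read-write account remains."""
    remaining_rw = [u for u in users
                    if u["permissions"] == "read-write" and u["name"] != name]
    return any(u["name"] == name for u in users) and len(remaining_rw) >= 1


def audit(users, servers, wizard_account="wlc01"):
    """Findings a reviewer would raise on the parsed output (empty list = clean)."""
    findings = []
    if any(u["name"] == wizard_account for u in users):
        findings.append(f"setup-wizard account '{wizard_account}' still exists")
    for u in users:
        if u["telnet"]:
            findings.append(f"user '{u['name']}' is Telnet capable (cleartext management)")
    if not servers:
        findings.append("no NTP server configured; the AP join certificate check depends on correct time")
    for idx, _key, server, status in servers:
        if "DISABLED" in status:  # assumption: the WLC prints 'AUTH DISABLED' when unauthenticated
            findings.append(f"NTP server {idx} ({server}) has no message authentication ({status})")
    return findings


if __name__ == "__main__":
    users = parse_mgmtuser(SHOW_MGMTUSER)
    print("safe to delete wlc01:", safe_to_delete(users, "wlc01"))
    for finding in audit(users, parse_ntp_servers(SHOW_TIME)):
        print("-", finding)
```

Run against the captured output, the audit flags the leftover wlc01 account, both Telnet-capable users, and the unauthenticated NTP server; rerun after config mgmtuser delete wlc01 it would flag only the remaining Telnet and NTP items, which the config mgmtuser telnet and config time ntp auth branches shown in the help output are there to address.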


The remote site has around 20 lightweight APs, so I also verified that the WLC AP license would be able to support them.

(Cisco Controller) >show license summary

License Store: Primary License Storage
StoreIndex:  0  Feature: base                              Version: 1.0
        License Type: Permanent
        License State: Active, Not in Use
        License Count: Non-Counted
        License Priority: Medium
License Store: Primary License Storage
StoreIndex:  1  Feature: base-ap-count                     Version: 1.0
        License Type: Permanent
        License State: Active, In Use
        License Count: 25 /25 (Active/In-use)
        License Priority: Medium

License Store: Evaluation License Storage
StoreIndex:  0  Feature: base-ap-count                     Version: 1.0
        License Type: Evaluation
        License State: Inactive
            Evaluation total period: 12 weeks  6 days
            Evaluation period left: 12 weeks  6 days
        License Count: 75 / 0 (Active/In-use)
        License Priority: None

(Cisco Controller) >save config

Are you sure you want to save? (y/n) y

Configuration Saved!


After the faulty WLC was replaced and the APs got registered, the APs retained their hostnames and static IP addresses, so I just re-configured the SSID and its security policies.

Sunday, March 12, 2017

Configuring Public Secure Packet Forwarding (PSPF) on Cisco Autonomous Access Point

You can isolate wireless clients (on an SSID) from communicating with each other (e.g. ping, file sharing). There's a feature called Public Secure Packet Forwarding (PSPF) which prevents the exchange of unicast, broadcast, or multicast traffic between protected ports. So I tried this feature on my wireless lab before implementing it on a live network.


I created the SSID PSPF-WIFI on the Cisco Autonomous (Standalone) AP and received a DHCP IP address from the DHCP server configured on the router. A warning was displayed under Wi-Fi Setting Security Recommendation because I didn't configure any authentication on the SSID, which is acceptable for lab purposes only.



Below were the wireless devices associated to the AP.

ap#show dot11 associations

802.11 Client Stations on Dot11Radio0:

SSID [PSPF-WIFI] :

MAC Address    IP address      IPV6 address                           Device        Name            Parent         State
20a2.e410.e71f 192.168.1.8     ::                                     unknown       -               self           Assoc
4c57.caab.2d47 192.168.1.7     ::                                     unknown       -               self           Assoc
d025.9890.1cd9 192.168.1.6     ::                                     unknown       -               self           Assoc
ec55.f901.f90c 192.168.1.11    ::                                     ccx-client    -               self           Assoc


There's an iPhone app called Fing which is a handy network scanner. Just tap the Refresh/Start button (the round arrow icon in the upper right-hand corner) to start scanning the wireless network the iPhone has joined.



There's another iPhone app called Network Ping Lite which I used to do a ping scan of my wireless network. I pinged the subnet 192.168.1.0 first (tap the task Ping subnet) before doing individual pings (tap Ping).


There were only a few wireless devices (highlighted in green), so I stopped the ping (tap Stop) when it reached 15 (192.168.1.15).


I was able to initially ping 192.168.1.7 (an iPhone) and 192.168.1.11 (my PC).



My PC was also connected to PSPF-WIFI and I tried to ping other wireless devices on the network.

C:\Users\John Lloyd>ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection* 27:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Wireless LAN adapter Wireless Network Connection 2:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::591:a686:6d91:7d3b%13
   IPv4 Address. . . . . . . . . . . : 192.168.1.11
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1

C:\Users\John Lloyd>ping 8.8.8.8

Pinging 8.8.8.8 with 32 bytes of data:
Reply from 8.8.8.8: bytes=32 time=9ms TTL=54
Reply from 8.8.8.8: bytes=32 time=11ms TTL=54
Reply from 8.8.8.8: bytes=32 time=8ms TTL=54
Reply from 8.8.8.8: bytes=32 time=18ms TTL=54

Ping statistics for 8.8.8.8:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 8ms, Maximum = 18ms, Average = 11ms


C:\Users\John Lloyd>ping 192.168.1.7     // BEFORE PSPF: THE OTHER SMARTPHONE IS STILL REACHABLE

Pinging 192.168.1.7 with 32 bytes of data:
Reply from 192.168.1.7: bytes=32 time=109ms TTL=64
Reply from 192.168.1.7: bytes=32 time=41ms TTL=64
Reply from 192.168.1.7: bytes=32 time=24ms TTL=64
Reply from 192.168.1.7: bytes=32 time=40ms TTL=64

Ping statistics for 192.168.1.7:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 24ms, Maximum = 109ms, Average = 53ms


I've configured the bridge-group <BRIDGE GROUP> port-protected under the Dot11Radio interface only.

ap#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
ap(config)#interface Dot11Radio0
ap(config-if)# bridge-group ?
  <1-255>  Assign an interface to a Bridge Group.

ap(config-if)# bridge-group 1 ?
  block-unknown-source       block traffic which come from unknown source MAC
                             address
  circuit-group              Associate serial interface with a circuit group
  input-address-list         Filter packets by source address
  input-lat-service-deny     Deny input LAT service advertisements matching a
                             group list
  input-lat-service-permit   Permit input LAT service advertisements matching a
                             group list
  input-lsap-list            Filter incoming IEEE 802.3 encapsulated packets
  input-pattern-list         Filter input with a pattern list
  input-type-list            Filter incoming Ethernet packets by type code
  output-address-list        Filter packets by destination address
  output-lat-service-deny    Deny output LAT service advertisements matching a
                             group list
  output-lat-service-permit  Permit output LAT service advertisements matching
                             a group list
  output-lsap-list           Filter outgoing IEEE 802.3 encapsulated packets
  output-pattern-list        Filter output with a pattern list
  output-type-list           Filter outgoing Ethernet packets by type code
  path-cost                  Set interface path cost
  port-protected             There will be no traffic between this interface
                             and other protected port interface in this bridge
                             group
  priority                   Set interface priority
  source-learning            learn source MAC address
  spanning-disabled          Disable spanning tree on a bridge group
  subscriber-loop-control    Configure subscriber loop control
  unicast-flooding           flood packets with unknown unicast destination MAC
                             addresses
  <cr>

ap(config-if)#bridge-group 1 port-protected


I wasn't able to ping the wireless devices after the command was applied.



The wireless devices were grayed out after I ran the Fing app again.


I couldn't ping the Internet (Google DNS 8.8.8.8) when I also applied bridge-group <BRIDGE GROUP> port-protected on the LAN interface (GigabitEthernet0).
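To make the two observations above concrete (clients on the protected radio can no longer reach each other but still reach the gateway through GigabitEthernet0, and protecting GigabitEthernet0 as well cuts the Internet path), here is a small Python model of one bridge group with protected ports. It is an added example and not the post's or Cisco's code: the port names are those of the AP config on this page, the phone and PC MAC addresses are from the association table above, and the gateway MAC is constructed.

```python
"""Toy model of a bridge group with 'port-protected' members.

Added example, not part of the original post and not Cisco's implementation.
Port names match the AP configuration on this page; the phone and PC MACs
are from the 'show dot11 associations' output above; the gateway MAC is
constructed.
"""

BROADCAST = "ffff.ffff.ffff"
PHONE = "4c57.caab.2d47"     # 192.168.1.7 in the association table
PC = "ec55.f901.f90c"        # 192.168.1.11, the author's PC
GATEWAY = "0000.0c00.0001"   # constructed MAC for the router at 192.168.1.1


class ApBridgeGroup:
    """Minimal forwarding model: learn source MACs, forward or flood, then
    apply the PSPF rule that no frame passes between two protected ports."""

    def __init__(self, wired_ports, radio_ports, protected=()):
        self.wired = set(wired_ports)
        self.radios = set(radio_ports)
        self.protected = set(protected)
        self.mac_table = {}  # learned station MAC -> port it was seen on

    def learn(self, mac, port):
        self.mac_table[mac] = port

    def egress_ports(self, src_mac, dst_mac, ingress):
        """Ports the frame would be sent out of (empty set = dropped)."""
        self.learn(src_mac, ingress)
        if dst_mac != BROADCAST and dst_mac in self.mac_table:
            candidates = {self.mac_table[dst_mac]}
        else:
            # Flood to every other port. A radio port is included even when it is
            # the ingress, because its other associated stations are only reachable
            # by relaying the frame back out of the same radio.
            candidates = (self.wired | self.radios) - {ingress}
            if ingress in self.radios:
                candidates.add(ingress)
        if ingress in self.protected:
            # PSPF: protected-to-protected is dropped; relaying back out of the
            # protected ingress radio counts as protected-to-protected too.
            candidates -= self.protected
        return candidates


def lab_scenario(protected):
    """Replay the lab: phone and PC on Dot11Radio0, gateway behind GigabitEthernet0."""
    ap = ApBridgeGroup(["GigabitEthernet0"], ["Dot11Radio0", "Dot11Radio1"], protected)
    ap.learn(PHONE, "Dot11Radio0")
    ap.learn(PC, "Dot11Radio0")
    ap.learn(GATEWAY, "GigabitEthernet0")
    return {
        "pc_to_phone": ap.egress_ports(PC, PHONE, "Dot11Radio0"),
        "pc_to_internet": ap.egress_ports(PC, GATEWAY, "Dot11Radio0"),
        "gateway_to_pc": ap.egress_ports(GATEWAY, PC, "GigabitEthernet0"),
        "pc_broadcast": ap.egress_ports(PC, BROADCAST, "Dot11Radio0"),
    }


if __name__ == "__main__":
    for label, prot in (("no PSPF", []),
                        ("PSPF on Dot11Radio0", ["Dot11Radio0"]),
                        ("PSPF on Dot11Radio0 and GigabitEthernet0",
                         ["Dot11Radio0", "GigabitEthernet0"])):
        print(label)
        for flow, ports in lab_scenario(prot).items():
            print(f"  {flow:15s} -> {sorted(ports) or 'DROPPED'}")
```

The model reproduces the lab: with no protected ports the PC reaches the phone through the radio; with Dot11Radio0 protected the PC-to-phone frame is dropped while PC-to-gateway and gateway-to-PC still pass (the wired port is unprotected, so the rule never triggers in that direction); and protecting GigabitEthernet0 too drops the PC-to-gateway frame, which is the lost Internet connectivity seen above.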


Below is the working config of the Cisco Autonomous AP.

ap#show run
Building configuration...

Current configuration : 1766 bytes
!
! Last configuration change at 01:05:22 UTC Sat Jan 1 2000
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
!
logging rate-limit console 9
enable secret 5 $1$6YNS$Cwqo8igOXBbEsL4LgxGQ/1
enable password 7 01100F175804
!
no aaa new-model
no ip source-route
no ip cef
!
!
!
!
dot11 syslog
!
dot11 ssid PSPF-WIFI
   authentication open
   guest-mode
!
!
!
!
!
!
!
bridge irb
!
!
!
interface Dot11Radio0
 no ip address
 !
 ssid PSPF-WIFI
 !
 antenna gain 0
 stbc
 beamform ofdm
 channel 2437
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 port-protected      // EITHER CONFIGURE ON Dot11Radio0 (2.4 GHz) OR Dot11Radio1 (5GHz) (OR BOTH)
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
 no ip address
 !
 encryption mode wep mandatory
 antenna gain 0
 peakdetect
 dfs band 3 block
 stbc
 beamform ofdm
 channel 5180
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface GigabitEthernet0       // NO NEED TO CONFIGURE bridge-group <BRIDGE GROUP> port-protected ON LAN INTERFACE (GOING TO DISTRIBUTION SYSTEM/INTERNET)
 no ip address
 duplex auto
 speed auto
 bridge-group 1
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
!
interface BVI1
 mac-address c08c.601f.247d
 ip address 192.168.1.3 255.255.255.0
!
ip default-gateway 192.168.1.1
ip forward-protocol nd
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
!
bridge 1 route ip
!
!
banner motd ^C

*** AP ***

^C
!
line con 0
line vty 0 4
 password 7 14141B180F0B
 login
 transport input all
!
end

Friday, March 3, 2017

Configuring a Backup Port (Management) on a Cisco WLC 2504 and AP States

AP States

From the time it powers up until it offers a fully functional basic service set (BSS), an LAP operates in a variety of states. Each of the possible states is well defined in the Control and Provisioning of Wireless Access Points (CAPWAP) RFC, but they are simplified here for clarity. The AP enters each state in a specific order; the sequence of states is called a state machine. You should become familiar with the AP state machine so that you can understand how an AP forms a working relationship with a WLC. If an AP cannot form that relationship for some reason, your knowledge of the state machine can help you troubleshoot the problem.

The sequence of the most common states is as follows:

1. AP boots: Once an AP receives power, it boots on a small IOS image so that it can work through the remaining states and communicate over its network connection. The AP must also receive an IP address from either a Dynamic Host Configuration Protocol (DHCP) server or a static configuration so that it can communicate over the network.

2. WLC discovery: The AP goes through a series of steps to find one or more controllers that it might join.

3. CAPWAP tunnel: The AP attempts to build a CAPWAP tunnel with one or more controllers. The tunnel will provide a secure Datagram Transport Layer Security (DTLS) channel for subsequent AP-WLC control messages. The AP and WLC authenticate each other through an exchange of digital certificates.

4. WLC join: The AP selects a WLC from a list of candidates, and then sends a CAPWAP Join Request message to it. The WLC replies with a CAPWAP Join Response message. The next section explains how an AP selects a WLC to join.

5. Download image: The WLC informs the AP of its software release. If the AP's own software is a different release, the AP will download a matching image from the controller, reboot to apply the new image, and then return to step 1. If the two are running identical releases, no download is needed.

6. Download config: The AP pulls configuration parameters down from the WLC and can update existing values with those sent from the controller. Settings include RF, service set identifier (SSID), security, and quality of service (QoS) parameters.

7. Run state: Once the AP is fully initialized, the WLC places it in the "run" state. The AP and WLC then begin providing a BSS and begin accepting wireless clients.

8. Reset: If an AP is reset by the WLC, it tears down existing client associations and any CAPWAP tunnels to WLCs. The AP then reboots and starts through the entire state machine again.
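The eight states above, written out as a small Python state machine so that the two loops in the description (the image-mismatch reboot in step 5 and the reset in step 8) and the places an AP can get stuck are explicit. This is an added example and not from the original post or from the CAPWAP RFC; the release strings and the troubleshooting hints are assumptions, the hint for a stuck DTLS tunnel following the earlier post on this page that ties the certificate exchange to correct WLC time.

```python
"""AP join state machine as listed above (boot, discovery, CAPWAP tunnel, join,
download image, download config, run, reset).

Added example, not from the original post or the CAPWAP RFC. Release strings
and the troubleshooting hints are constructed assumptions.
"""
from enum import Enum, auto


class ApState(Enum):
    BOOT = auto()
    DISCOVERY = auto()
    CAPWAP_TUNNEL = auto()
    JOIN = auto()
    DOWNLOAD_IMAGE = auto()
    DOWNLOAD_CONFIG = auto()
    RUN = auto()
    RESET = auto()


def join_sequence(ap_release, wlc_release, wlc_discovered=True,
                  certs_valid=True, max_reboots=2):
    """Return the list of states the AP passes through until it reaches RUN or
    stops because it is stuck. A release mismatch downloads the WLC's image and
    restarts from BOOT (step 5); max_reboots guards against an endless loop."""
    trail = []
    release = ap_release
    reboots = 0
    while True:
        trail.append(ApState.BOOT)           # step 1: boot, obtain an IP address
        trail.append(ApState.DISCOVERY)      # step 2: look for candidate WLCs
        if not wlc_discovered:
            return trail
        trail.append(ApState.CAPWAP_TUNNEL)  # step 3: DTLS, mutual certificate check
        if not certs_valid:
            return trail
        trail.append(ApState.JOIN)           # step 4: Join Request / Join Response
        trail.append(ApState.DOWNLOAD_IMAGE) # step 5: compare releases
        if release != wlc_release:
            if reboots >= max_reboots:
                return trail
            release = wlc_release            # image downloaded, AP reboots
            reboots += 1
            continue
        trail.append(ApState.DOWNLOAD_CONFIG)  # step 6: RF, SSID, security, QoS
        trail.append(ApState.RUN)              # step 7: BSS up, clients accepted
        return trail


def reset_and_rejoin(trail, ap_release, wlc_release, **kwargs):
    """Step 8: a reset tears down clients and tunnels, then the whole machine runs again."""
    return trail + [ApState.RESET] + join_sequence(ap_release, wlc_release, **kwargs)


HINTS = {  # constructed troubleshooting hints keyed by the state the AP stopped in
    ApState.DISCOVERY: "no WLC discovered: check the AP's IP address/DHCP and its path to a controller",
    ApState.CAPWAP_TUNNEL: "DTLS tunnel failed: certificate exchange did not complete, check WLC time/NTP",
    ApState.DOWNLOAD_IMAGE: "image download keeps repeating: AP never ended up on the WLC's release",
}


def diagnose(trail):
    """None when the AP reached RUN, otherwise a hint for the state it stopped in."""
    last = trail[-1]
    if last is ApState.RUN:
        return None
    return HINTS.get(last, "stuck in " + last.name)


if __name__ == "__main__":
    for args in (("release-A", "release-A"),
                 ("release-A", "release-B"),
                 ("release-A", "release-A", False)):
        trail = join_sequence(*args)
        print([s.name for s in trail], "->", diagnose(trail) or "RUN")
```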


You could design a WLC 2504 to use redundant uplinks (for remote management) on separate adjacent switches. In my wireless lab, WLC port 1 (active) is connected to Sw1 and WLC port 2 (backup) to Sw2. WLC ports 3 and 4 are PoE ports and could be used for directly connecting an AP.


To configure the management backup port, go to Controller > Interfaces > management.


Under Physical Information, type 2 (port 2) in the Backup Port field > Apply > Save Configuration.


You can verify this via CLI using the show interface summary and show interface detailed management commands.

(Cisco Controller) >show interface ?

summary        Display a summary of the local interfaces.
detailed       Display detailed interface information.

group          Display a summary of the local interface groups.

(Cisco Controller) >show interface summary


 Number of Interfaces.......................... 2

Interface Name                   Port Vlan Id  IP Address      Type    Ap Mgr Guest
-------------------------------- ---- -------- --------------- ------- ------ -----
management                       1    untagged 192.168.1.4     Static  Yes    No
virtual                          N/A  N/A      1.1.1.1         Static  No     No

(Cisco Controller) >show interface detailed ?

<interface-name> Enter interface name.
management     Display the management interface.
virtual        Display the virtual gateway interface.

(Cisco Controller) >show interface detailed management

Interface Name................................... management
MAC Address...................................... 10:f3:11:a5:49:80
IP Address....................................... 192.168.1.4
IP Netmask....................................... 255.255.255.0
IP Gateway....................................... 192.168.1.1
External NAT IP State............................ Disabled
External NAT IP Address.......................... 0.0.0.0
Link Local IPv6 Address.......................... fe80::12f3:11ff:fea5:4980/64
STATE ........................................... REACHABLE
Primary IPv6 Address............................. ::/128
STATE ........................................... NONE
Primary IPv6 Gateway............................. ::
Primary IPv6 Gateway Mac Address................. 00:00:00:00:00:00
STATE ........................................... INCOMPLETE
VLAN............................................. untagged
Quarantine-vlan.................................. 0
Active Physical Port............................. 1    
Primary Physical Port............................ 1    
Backup Physical Port............................. 2    

DHCP Proxy Mode.................................. Global
Primary DHCP Server.............................. 192.168.1.1
Secondary DHCP Server............................ Unconfigured
DHCP Option 82................................... Disabled
DHCP Option 82 bridge mode insertion............. Disabled
IPv4 ACL......................................... Unconfigured
IPv6 ACL......................................... Unconfigured
mDNS Profile Name................................ Unconfigured
AP Manager....................................... Yes
Guest Interface.................................. No
L2 Multicast..................................... Enabled


I disconnected Sw1 port 1 and ran a continuous ping to the WLC's management IP address 192.168.1.4 from my PC. There was a short downtime even though spanning-tree portfast trunk was enabled on the switch port.

SW1#show run interface fastethernet0/1
Building configuration...

Current configuration : 81 bytes
!
interface FastEthernet0/1
 description ### WLC port 1 ###
 switchport trunk encapsulation dot1q
 switchport mode trunk
 spanning-tree portfast trunk
end


I used the same show commands to verify that WLC backup port 2 was activated when port 1 failed.

(Cisco Controller) >show interface summary


 Number of Interfaces.......................... 2

Interface Name                   Port Vlan Id  IP Address      Type    Ap Mgr Guest
-------------------------------- ---- -------- --------------- ------- ------ -----
management                       2    untagged 192.168.1.4     Static  Yes    No
virtual                          N/A  N/A      1.1.1.1         Static  No     No

(Cisco Controller) >show interface detailed management

Interface Name................................... management
MAC Address...................................... 10:f3:11:a5:49:80
IP Address....................................... 192.168.1.4
IP Netmask....................................... 255.255.255.0
IP Gateway....................................... 192.168.1.1
External NAT IP State............................ Disabled
External NAT IP Address.......................... 0.0.0.0
Link Local IPv6 Address.......................... fe80::12f3:11ff:fea5:4980/64
STATE ........................................... REACHABLE
Primary IPv6 Address............................. ::/128
STATE ........................................... NONE
Primary IPv6 Gateway............................. ::
Primary IPv6 Gateway Mac Address................. 00:00:00:00:00:00
STATE ........................................... INCOMPLETE
VLAN............................................. untagged
Quarantine-vlan.................................. 0
Active Physical Port............................. 2    
Primary Physical Port............................ 1    
Backup Physical Port............................. 2    

DHCP Proxy Mode.................................. Global
Primary DHCP Server.............................. 192.168.1.1
Secondary DHCP Server............................ Unconfigured
DHCP Option 82................................... Disabled
DHCP Option 82 bridge mode insertion............. Disabled
IPv4 ACL......................................... Unconfigured
IPv6 ACL......................................... Unconfigured
mDNS Profile Name................................ Unconfigured
AP Manager....................................... Yes
Guest Interface.................................. No
L2 Multicast..................................... Enabled


There wasn't any downtime or ping timeout when I connected WLC port 1 back to Sw1.
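The two show interface detailed management captures above differ in one line, Active Physical Port, and that line is what a monitoring job should watch, since the management interface moving to its backup port means the primary uplink has failed even though the IP address stayed reachable. Here is a parser for the dotted key/value format of that output plus the failover check, as an added Python example that is not the post's or Cisco's code; the two excerpts are constructed from the session above.

```python
"""Detect management-interface failover from 'show interface detailed management'.

Added example, not part of the original post. The two excerpts are constructed
from the before/after captures on this page.
"""
import re

# Constructed excerpt: before Sw1 port 1 was disconnected.
BEFORE = """\
Interface Name................................... management
IP Address....................................... 192.168.1.4
VLAN............................................. untagged
Active Physical Port............................. 1
Primary Physical Port............................ 1
Backup Physical Port............................. 2
"""

# Constructed excerpt: after Sw1 port 1 was disconnected.
AFTER = """\
Interface Name................................... management
IP Address....................................... 192.168.1.4
VLAN............................................. untagged
Active Physical Port............................. 2
Primary Physical Port............................ 1
Backup Physical Port............................. 2
"""

# "Key.......... value": the key is everything before the first run of dots.
DOTTED = re.compile(r"^\s*(.+?)\s*\.{2,}\s*(.*?)\s*$")


def parse_dotted(text):
    """Return a dict of the dotted key/value lines; a later duplicate key wins."""
    fields = {}
    for line in text.splitlines():
        m = DOTTED.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def port_status(fields):
    """Summarise which physical port carries the management interface and whether
    it has moved off the primary port (i.e. the backup port has taken over)."""
    active = fields.get("Active Physical Port")
    primary = fields.get("Primary Physical Port")
    backup = fields.get("Backup Physical Port")
    return {
        "interface": fields.get("Interface Name"),
        "ip": fields.get("IP Address"),
        "active": active,
        "primary": primary,
        "backup": backup,
        "failed_over": active is not None and primary is not None and active != primary,
    }


def failover_changed(before_text, after_text):
    """True when the active port differs between two captures (alert condition)."""
    return port_status(parse_dotted(before_text))["active"] != \
        port_status(parse_dotted(after_text))["active"]


if __name__ == "__main__":
    for label, capture in (("before", BEFORE), ("after", AFTER)):
        print(label, port_status(parse_dotted(capture)))
    print("active port changed:", failover_changed(BEFORE, AFTER))
```

Polling this output (for example over SSH on a schedule) and alerting on failed_over turning true, or on the active port changing between two polls, catches the silent half of the failure: the ping to 192.168.1.4 recovers within seconds, as seen above, but the controller is then running without a spare uplink until port 1 is reconnected.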