Friday, December 1, 2017

Configure Dynamic Channel Assignment (DCA) on a Cisco WLC

To disable an 802.11 wireless channel on a Cisco WLC, go to Wireless > choose 802.11a/n/ac or 802.11b/g/n > RRM > DCA > select/unselect specific Channel.


The WLC will reject the applied configuration if you don't disable first the specific 802.11 wireless standard.


To disable the wireless network go to Wireless > 802.11b/g/n > Network > under General > unselect Enabled > click Apply.


This will cause a temporary wireless outage on the selected 802.11 wireless standard.


Go back to Wireless > 802.11b/g/n > RRM > DCA > select/unselect specific Channels. For this case I unselected Channel 11 since the site was advised by the government to disable the said channel as they're using it for special purpose in the area.



Friday, October 6, 2017

Cisco WLC Software Upgrade via transfer Command

You can perform a remote WLC upgrade via the transfer download command. Here's a Cisco link on the WLC upgrade process via the web GUI and CLI command.

You can verify the current WLC version via the show sysinfo command.

(Cisco Controller) >show sysinfo

Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 8.1.102.0
Bootloader Version............................... 1.0.20
Field Recovery Image Version..................... 7.6.101.1
Firmware Version................................. PIC 20.0
Build Type....................................... DATA + WPS
System Name...................................... WLC01
System Location..................................
System Contact...................................
System ObjectID.................................. 1.3.6.1.4.1.9.1.1279
IP Address....................................... 172.27.17.6
IPv6 Address..................................... ::
Last Reset....................................... Power on reset
System Up Time................................... 0 days 2 hrs 18 mins 15 secs
System Timezone Location.........................
System Stats Realtime Interval................... 5
System Stats Normal Interval..................... 180
Configured Country............................... Multiple Countries:SG,US
Operating Environment............................ Commercial (0 to 40 C)
Internal Temp Alarm Limits....................... 0 to 65 C
Internal Temperature............................. +29 C
External Temperature............................. +33 C
Fan Status....................................... 3200 rpm
State of 802.11b Network......................... Enabled
State of 802.11a Network......................... Enabled
Number of WLANs.................................. 4
Number of Active Clients......................... 53
Burned-in MAC Address............................ 00:9E:1E:06:12:34
Maximum number of APs supported.................. 75
System Nas-Id.................................... WLC01
WLC MIC Certificate Types........................ SHA1/SHA2


Make sure there's network connectivity to the FTP server by using the ping command.

(Cisco Controller) >ping 172.27.5.25

Send count=3, Receive count=3 from 172.27.5.25


You can upload or download various files on a WLC such as image, config, certificate, etc. using the transfer command.

(Cisco Controller) >transfer ?
              
download       Transfer a file to the switch.
encrypt        Configures the switch to use (or not use) encrypt for config file transfers
upload         Transfer a file from the switch.
              
(Cisco Controller) >transfer download ?
              
certpassword   Set a Certificate's private key password
datatype       Set File Type.
filename       Set Filename on Server.
mode           Set transfer mode.
password       Set Server Login Password.
path           Set File Path on Server.
port           Change Default Server Port.
serverip       Set Server IP Address.
start          Initiate download.
tftpMaxRetries Enter the tftp Packet Max Retries allowed between 1 and 254.
tftpPktTimeout Enter the tftp Packet Timeout in secs between 1 and 254.
username       Set Server Login Username.
              
(Cisco Controller) >transfer download mode ?
              
ftp            Enter mode: ftp.
sftp           Enter mode: sftp.
tftp           Enter mode: tftp.
              
(Cisco Controller) >transfer download mode ftp

(Cisco Controller) >transfer download username ?
              
<user>         Set Server Login Username.
              
(Cisco Controller) >transfer download username ftpuser

(Cisco Controller) >transfer download password ftpuser

(Cisco Controller) >transfer download datatype ?     
              
code           Download an executable image to the system.
config         Download Configuration File.
device-profile Download an Device Profile file to the system.
eapcacert      Download a eap ca certificate to the system.
eapdevcert     Download a eap dev certificate to the system.
icon           Download an executable image to the system.
image          Download a web page logo to the system.
ipseccacert    Download a IPSec ca certificate to the system.
ipsecdevcert   Download a IPSec dev certificate to the system.
login-banner   Download controller login banner. (Only Text file supported: Max 1500 bytes & 18 lines, Non printable characters not supported)
oui-update     Download an OUI Update file to the system.
radius-avplist Download a Radius AVPs List file.
signature      Download a signature file to the system.
webadmincert   Download a certificate for web administration to the system.
webauthbundle  Download a custom webauth bundle to the system.
webauthcert    Download a web certificate for web portal to the system.
              
(Cisco Controller) >transfer download datatype code

(Cisco Controller) >transfer download filename AIR-CT2500-K9-8-2-130-0.aes

(Cisco Controller) >transfer download path ?
              
[path]         Enter directory path.
              
(Cisco Controller) >transfer download path .       // DOT (.) FOR MAIN DIRECTORY

(Cisco Controller) >transfer download serverip ?
              
<IP addr>      Enter server IP addr.
              
(Cisco Controller) >transfer download serverip 172.27.5.25

(Cisco Controller) >transfer download start                

Mode............................................. FTP  
Data Type........................................ Code         
FTP Server IP.................................... 172.27.5.25
FTP Server Port.................................. 21
FTP Path......................................... ./
FTP Filename..................................... AIR-CT2500-K9-8-2-130-0.aes
FTP Username..................................... ftpuser
FTP Password..................................... *********

This may take some time.
Are you sure you want to start? (y/N) y

FTP Code transfer starting.


Below is a summary of the CLI commands issued on WLC:

transfer download mode ftp
transfer download username ftpuser
transfer download password ftpuser
transfer download datatype code
transfer download filename AIR-CT2500-K9-8-2-130-0.aes
transfer download path .
transfer download serverip 172.27.5.25
transfer download start

Friday, August 25, 2017

Configuring FlexConnect (H-REAP) on a Cisco WLC

FlexConnect (formerly known as Hybrid Remote Edge Access Point or H-REAP) is a wireless solution that enables the deployment of AP to a remote or branch office without using a local WLC. A central WLC is used to configure and control FlexConnect AP over a WAN link. The FlexConnect AP can perform standalone client authentication and switch VLAN traffic locally even when it's disconnected to the WLC (Local Switched). FlexConnect AP can also tunnel (via CAPWAP) both user wireless data and control traffic to a centralized WLC (Central Switched).

Here's a nice Cisco Live doc and Lab Minutes video about FlexConnect design and configuration. There are some caveats when using FlexConnect and it's recommended to allocate a bandwidth of 24 kbps per AP with round trip latency no greater than 300 ms. Below is my lab topology which uses a FlexConnect AP (AIR-CAP-2602I) in the Branch office and a Central WLC 2504 in HQ.



You need the AP to join a local WLC in order change the AP Mode to FlexConnect.



Change the AP Mode (default is local) to FlexConnect on each AP, click on the AP > General > AP Mode > FlexConnect > Apply.
 


Click on the new FlexConnect tab > tick VLAN Support > change Native VLAN ID as necessary  > Apply. Note VLAN Mappings is initially grayed out. Native VLAN must match the switch native VLAN configuration (default is native VLAN 1). Mapping of SSID to 802.1Q VLAN is done per FlexConnect AP.



Click VLAN Mappings > change the VLAN ID for the SSID to use as necessary > Apply.
 


Hardcode the HQ Primary and Secondary WLC (if using high availability), go under High Availability tab > type the Primary Controller Name (mandatory) > type Management IP address > optionally type a Secondary Controller IP address > Apply.
 

You'll see the Branch AP join the WLC in HQ. Make sure the WLC has NTP or manual time/clock correctly configured.


Below are console logs captured on the FlexConnect AP.

IOS Bootloader - Starting system.
flash is writable
FLASH CHIP:  Numonyx Mirrorbit (0089)
Xmodem file system is available.
flashfs[0]: 123 files, 15 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 31997952
flashfs[0]: Bytes used: 22632960
flashfs[0]: Bytes available: 9364992
flashfs[0]: flashfs fsck took 22 seconds.
Reading cookie from SEEPROM
Base Ethernet MAC address: f8:72:ea:a6:e2:03
Ethernet speed is 100 Mb - FULL Duplex
Loading "flash:/ap3g2-k9w8-mx.153-3.JA8/ap3g2-k9w8-mx.153-3.JA8"...#########################

File "flash:/ap3g2-k9w8-mx.153-3.JA8/ap3g2-k9w8-mx.153-3.JA8" uncompressed and installed, entry point: 0x2003000
executing...

Secondary Bootloader - Starting system.
Tide MB - 32MB of flash
Xmodem file system is available.
flashfs[0]: 123 files, 15 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 31997952
flashfs[0]: Bytes used: 22632960
flashfs[0]: Bytes available: 9364992
flashfs[0]: flashfs fsck took 9 seconds.
flashfs[1]: 0 files, 1 directories
flashfs[1]: 0 orphaned files, 0 orphaned directories
flashfs[1]: Total bytes: 12257280
flashfs[1]: Bytes used: 1024
flashfs[1]: Bytes available: 12256256
flashfs[1]: flashfs fsck took 1 seconds.
Base Ethernet MAC address: f8:72:ea:a6:e2:03

2600/3600 AP, PID: 'AIR-CAP2602I-S-K9 '. Checking for BL upgrade...
BL: C2600 Boot Loader (AP3G2-BOOT-M) LoaderVersion 12.4(25e)JAY, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Compiled Thu 03-Oct-13 03:35 by sdcunha

BL Build year: 13
Boot CMD: 'boot  flash:/ap3g2-k9w8-mx.153-3.JA8/ap3g2-k9w8-xx.153-3.JA8;flash:/ap3g2-k9w8-mx.153-3.JA8/ap3g2-k9w8-xx.153-3.JA8'
Loading "flash:/ap3g2-k9w8-mx.153-3.JA8/ap3g2-k9w8-xx.153-3.JA8"...###############################################
File "flash:/ap3g2-k9w8-mx.153-3.JA8/ap3g2-k9w8-xx.153-3.JA8" uncompressed and installed, entry point: 0x1003000
executing...

              Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

           cisco Systems, Inc.
           170 West Tasman Drive
           San Jose, California 95134-1706


Cisco IOS Software, C2600 Software (AP3G2-K9W8-M), Version 15.3(3)JA8, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Fri 22-Apr-16 05:48 by prod_rel_team

Tide MB - 32MB of flash
Initializing flashfs...

flashfs[2]: 123 files, 15 directories
flashfs[2]: 0 orphaned files, 0 orphaned directories
flashfs[2]: Total bytes: 31739904
flashfs[2]: Bytes used: 22632960
flashfs[2]: Bytes available: 9106944
flashfs[2]: flashfs fsck took 9 seconds.
flashfs[2]: Initialization complete.
flashfs[4]: 0 files, 1 directories
flashfs[4]: 0 orphaned files, 0 orphaned directories
flashfs[4]: Total bytes: 11999232
flashfs[4]: Bytes used: 1024
flashfs[4]: Bytes available: 11998208
flashfs[4]: flashfs fsck took 0 seconds.
flashfs[4]: Initialization complete.
Copying radio files from flash: to ram:
Copy in progress...CCCCC
Copy in progress...CCC
Copy in progress...CCCC
Copy in progress...CCCC
Copy in progress...CC
Copy in progress...CCCC
Copy in progress...CC
Copy in progress...CCCCCC
Copy in progress...CCCC
Copy in progress...CC
Uncompressing radio files...
...done Initializing flashfs.

Radio0  present 8764 8000 0 A8000000 A8010000 0
Rate table has 650 entries (20 legacy/224 11n/406 11ac)

POWER TABLE FILENAME = ram:/Y2.bin

Radio1  present 8764 8000 0 88000000 88010000 4
POWER TABLE FILENAME = ram:/Y5.bin

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco AIR-CAP2602I-S-K9 (PowerPC) processor (revision A0) with 188398K/60928K bytes of memory.
Processor board ID FGL1724W123
PowerPC CPU at 800Mhz, revision number 0x2151
Last reset from power-on
LWAPP image version 8.0.133.0
1 Gigabit Ethernet interface
2 802.11 Radios

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: F8:72:EA:A6:12:34
Part Number                          : 73-14588-02
PCA Assembly Number                  : 800-37899-01
PCA Revision Number                  : A0
PCB Serial Number                    : FOC17230ABC
Top Assembly Part Number             : 800-38356-01
Top Assembly Serial Number           : FGL1724WXYZ
Top Revision Number                  : A0
Product/Model Number                 : AIR-CAP2602I-S-K9
% Please define a domain-name first.

Press RETURN to get started!

*Mar  1 00:00:14.447: %SOAP_FIPS-2-SELF_TEST_IOS_SUCCESS: IOS crypto FIPS self test passed (15)
*Mar  1 00:00:14.903: Registering HW DTLS
*Mar  1 00:00:14.911: APAVC: Initial WLAN Buffers Given to System is  2500
*Mar  1 00:00:14.963: APAVC:  WlanPAKs 18174 RadioPaks  17566
*Mar  1 00:00:17.275: %LINK-6-UPDOWN: Interface GigabitEthernet0, changed state to up
*Mar  1 00:00:21.231: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 0 (4)
*Mar  1 00:00:21.347: loading Power Tables from ram:/Y2.bin. Class = E
*Mar  1 00:00:21.347:  record size of 3ss: 1168 read_ptr: 4B5642E
*Mar  1 00:00:27.711: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 1 (4)
*Mar  1 00:00:27.755: loading Power Tables from ram:/Y5.bin. Class = S
*Mar  1 00:00:27.755:  record size of 3ss: 1168 read_ptr: 4B5642E
*Mar  1 00:00:27.915: Wait until the stile protocol list is initialized.
*Mar  1 00:00:29.099: Start STILE Activation
*Mar  1 00:00:31.031: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to down
*Mar  1 00:00:32.111: %SYS-5-RESTART: System restarted --
Cisco IOS Software, C2600 Software (AP3G2-K9W8-M), Version 15.3(3)JA8, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Fri 22-Apr-16 05:48 by prod_rel_team
*Mar  1 00:00:32.111: %SNMP-5-COLDSTART: SNMP agent on host APf872.eaa6.e203 is undergoing a cold start
*Jun  6 03:12:26.083: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI1, changed state to up
*Jun  6 03:12:27.111: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Jun  6 03:12:27.123: Starting Ethernet promiscuous modelwapp_crypto_init: MIC Present and Parsed Successfully
*Jun  6 03:12:27.271: %SSH-5-ENABLED: SSH 2.0 has been enabled
*Jun  6 03:12:27.271: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Jun  6 03:12:28.115: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Jun  6 03:12:28.327: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
*Jun  6 03:12:37.159: %LINK-6-UPDOWN: Interface BVI1, changed state to down
*Jun  6 03:12:38.287: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI1, changed state to down
*Jun  6 03:12:40.071: %SOAP_FIPS-2-SELF_TEST_HW_SUCCESS: HW crypto FIPS self test passed (2-16)
*Jun  6 03:12:40.071: DPAA Initialization Complete
*Jun  6 03:12:40.071: %SYS-3-HARIKARI: Process DPAA INIT top-level routine exited
*Jun  6 03:12:41.075: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to up
*Jun  6 03:12:43.075: %LINK-6-UPDOWN: Interface BVI1, changed state to up
*Jun  6 03:12:43.507: Currently running a Release Image
validate_sha2_block: Failed to get certificate chain
*Jun  6 03:12:43.931: Using SHA-1 signed certificate for image signing validation.
*Jun  6 03:12:44.219: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI1, changed state to up
*Jun  6 03:12:44.619: %LWAPP-3-LWAPP_INTERFACE_GOT_IP_ADDRESS: Interface BVI1 obtained IP from DHCP...
*Jun  6 03:12:44.619: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address 172.16.1.6, mask 255.255.255.0, hostname APf872.eaa6.1234
*Jun  6 03:12:44.619: %LWAPP-3-LWAPP_INTERFACE_GOT_IP_ADDRESS: Interface BVI1 obtained IP from DHCP...
*Jun  6 03:12:50.223: APAVC: Succeeded to activate all the STILE protocols.
*Jun  6 03:12:50.223: APAVC: Registering with CFT
*Jun  6 03:12:50.223: APAVC: CFT registration of delete callback succeeded
*Jun  6 03:12:50.223: APAVC: Reattaching  Original Buffer pool for system use
*Jun  6 03:12:50.223: Pool-ReAtach: paks 18174 radio17566
%Default route without gateway, if not a point-to-point interface, may impact performance
*Jun  6 03:12:57.095: AP image integrity check PASSED
*Jun  6 03:12:57.167:  validate_sha2_block:No SHA2 Block present on this AP.
*Jun  6 03:12:57.199:
Note: A random mac address of 0000.0cf2.fb4c
      has been chosen for BVI in bridge group  3 since the selected mac address
      is already being used by Bridge Group 2.
*Jun  6 03:12:57.199: Ensure that this address is unique.
*Jun  6 03:12:57.203: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Jun  6 03:12:57.203: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*Jun  6 03:12:59.203: %LINK-6-UPDOWN: Interface BVI2, changed state to down
*Jun  6 03:12:59.203: %LINK-6-UPDOWN: Interface BVI3, changed state to down
*Jun  6 03:13:07.211: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 255.255.255.255 port 0 CLI Request Triggered
*Jun  6 03:13:12.583: %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source
*Jun  6 03:13:13.683: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Jun  6 03:13:14.683: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Jun  6 03:13:14.783: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Jun  6 03:13:15.683: %LINK-6-UPDOWN: Interface BVI2, changed state to up
*Jun  6 03:13:15.783: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
*Jun  6 03:13:16.683: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI2, changed state to up
*Jun  6 03:13:16.783: %LINK-6-UPDOWN: Interface BVI3, changed state to up
*Jun  6 03:13:17.783: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI3, changed state to up Translating "CISCO-CAPWAP-CONTROLLER"...domain server (255.255.255.255)
*Aug 24 13:47:09.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.1.1.100 peer_port: 5246

*Aug 24 13:47:09.427: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.1.1.100 peer_port: 5246
*Aug 24 13:47:09.427: %CAPWAP-5-SENDJOIN: sending Join Request to 10.1.1.100

*Aug 24 13:47:09.707: %LWAPP-4-CLIENTEVENTLOG:
Checksum required saved version = 8.0.133.0, file flash:/lwapp_reap.cfg
*Aug 24 13:47:10.171: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
*Aug 24 13:47:10.239: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to administratively down
*Aug 24 13:47:10.239: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Aug 24 13:47:10.859: %LWAPP-4-CLIENTEVENTLOG: OfficeExtend Localssid saved in AP flash
*Aug 24 13:47:11.043: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Aug 24 13:47:11.043: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Aug 24 13:47:11.243: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Aug 24 13:47:11.263: %CAPWAP-5-JOINEDCONTROLLER: AP has joined controller WLC1
*Aug 24 13:47:11.323: %LWAPP-4-CLIENTEVENTLOG: No Flex ACL map configuration file to load. Connect to controller to get configuration file
*Aug 24 13:47:11.323: %LWAPP-4-CLIENTEVENTLOG: No Flex ACL map configuration file to load. Connect to controller to get configuration file
*Aug 24 13:47:11.323: %LWAPP-4-CLIENTEVENTLOG: No LS Flex ACL map configuration file to load. Connect to controller to get configuration file
*Aug 24 13:47:11.323: %LWAPP-4-CLIENTEVENTLOG: No Central Dhcp map configuration file to load. Connect to controller to get configuration fileWLAN id 1, SSID FLEX-WIFI, L2ACL , L2ACL AP capwap_delete_all_l2Acls_in_nacl_list:336. Deleting all L2Acls in AP config
*Aug 24 13:47:11.539: %DOT11-4-NO_HT: Interface Dot11Radio0, Mcs rates disabled on wlan 1 due to not using AES encryption or encryption is not disabled
*Aug 24 13:47:11.543: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to down
*Aug 24 13:47:11.555: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*Aug 24 13:47:12.531: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Aug 24 13:47:12.543: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
*Aug 24 13:47:12.559: %DOT11-4-NO_HT: Interface Dot11Radio1, Mcs rates disabled on wlan 1 due to not using AES encryption or encryption is not disabled
*Aug 24 13:47:12.579: %DOT11-6-DFS_SCAN_START: DFS: Scanning frequency 5300 MHz for 60 seconds.
*Aug 24 13:47:12.583: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Aug 24 13:47:12.591: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
*Aug 24 13:47:12.599: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Aug 24 13:47:13.595: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
*Aug 24 13:47:13.595: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Aug 24 13:47:13.623: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Aug 24 13:47:13.631: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to down
*Aug 24 13:47:13.639: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*Aug 24 13:47:14.675: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Aug 24 13:47:14.675: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
*Aug 24 13:47:14.695: %WIDS-6-ENABLED: IDS Signature is loaded and enabled
*Aug 24 13:47:14.699: %DOT11-6-DFS_SCAN_START: DFS: Scanning frequency 5300 MHz for 60 seconds.
*Aug 24 13:47:14.703: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Aug 24 13:47:14.775: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
*Aug 24 13:47:14.783: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Aug 24 13:47:15.703: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
*Aug 24 13:47:15.779: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Aug 24 13:47:15.799: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Aug 24 13:47:16.799: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Aug 24 13:47:34.891: %CLEANAIR-6-STATE: Slot 0 disabled
*Aug 24 13:47:34.891: %CLEANAIR-6-STATE: Slot 1 disabled
*Aug 24 13:47:35.379: %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source
*Aug 24 13:48:15.851: %DOT11-6-DFS_SCAN_COMPLETE: DFS scan complete on frequency 5300 MHz
*Aug 24 13:51:26.851: %WIDS-4-SIG_ALARM: Attack is detected on Sig:Standard Id:2 Channel:1 Source MAC:0432.f41b.490d
*Aug 24 14:01:45.723: %WIDS-6-SIG_ALARM_OFF: Attack is cleared on Sig:Standard Id:2 Channel:1


Below are some useful WLC CLI commands to verify successfully joined AP.

(Cisco Controller) >show ap summary

Number of APs.................................... 1

Global AP User Name.............................. Not Configured
Global AP Dot1x User Name........................ Not Configured

AP Name             Slots  AP Model              Ethernet MAC       Location          Country  IP Address       Clients
------------------  -----  --------------------  -----------------  ----------------  -------  ---------------  -------
APf872.eaa6.1234     2     AIR-CAP2602I-S-K9     f8:72:ea:a6:12:34  default location  SG       172.16.1.6       1


(Cisco Controller) >show ap join stats summary all

Number of APs.............................................. 1

Base Mac             AP EthernetMac       AP Name                 IP Address         Status
0c:68:03:d7:ab:cd    f8:72:ea:a6:12:34    APf872.eaa6.1234        172.16.1.6         Joined


Create the WLAN SSID and the Layer 2 and Layer 3 security policy.



Tick Enabled under Status and Broadcast SSID.


Select a Layer 2 security policy. In this case, I chose Static WEP which is insecure and good for lab purpose only. I've used 40 bits WEP key size. Below are the equivalent number of HEX and ASCII characters when choosing the WEP key size:


40 bits = 10 HEX characters or 5 ASCII characters
104 bits = 26 HEX characters or 13 ASCII characters


Allow local switching (for VLANs) on the FlexConnect AP under WLAN > Advanced tab > tick Enable on FlexConnect Local Switching and Learn Client IP Address > Apply.




I've used my iPhone to join FLEX-WIFI SSID which is scanned on the Branch AP.



You can check the wireless clients on the WLC under Monitor > Clients.


Click on a specific client MAC address to view more details.



To test FlexConnect AP local switching, I've shutdown the WLC port and my iPhone wifi was still connected locally.


HQ#show cdp neighbor
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
BRANCH           Fas 0/8           171          R S I     WS-C3560- Fas 0/24
WLC1             Fas 0/1           138            H       AIR-CT250 Gig 0/0/1

HQ#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
HQ(config)#interface f0/1      
HQ(config-if)#shut
HQ(config-if)#do ping 172.16.1.5     // IPHONE IP ADDRESS

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/15/59 ms


BRANCH#
BRANCH#ping 10.1.1.100        // HQ WLC

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.100, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)


I've just used two Cisco 3560 L3 switches for this lab and below are the running-config.


HQ#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
SW1              Fas 0/8           179          R S I     WS-C3560- Fas 0/24
WLC1             Fas 0/1           147            H       AIR-CT250 Gig 0/0/1

HQ#show run
Building configuration...

Current configuration : 949 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname HQ
!
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
ip routing
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
 description ### WLC - 10.1.1.100 ###
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
 description ### MGMT PC - 10.1.1.50 ###
!
interface FastEthernet0/8
 description ### WAN LINK TO BRANCH ###
 no switchport
 ip address 200.1.1.2 255.255.255.252
!
interface GigabitEthernet0/1
!
interface Vlan1
 ip address 10.1.1.1 255.255.255.0
!
ip classless
ip route 172.16.1.0 255.255.255.0 200.1.1.1
ip http server
!
!
control-plane
!
!
line con 0
line vty 0 4
 login
line vty 5 15
 login
!
end

HQ#ping 200.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms


BRANCH#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
HQ               Fas 0/24          153          R S I     WS-C3560- Fas 0/8
APf872.eaa6.e203 Fas 0/23          166          T B I     AIR-CAP26 Gig 0

BRANCH#ping 200.1.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/8 ms

BRANCH#show run
Building configuration...

Current configuration : 1596 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname BRANCH
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
ip routing
ip dhcp excluded-address 172.16.1.1
!
ip dhcp pool LAN
   network 172.16.1.0 255.255.255.0
   default-router 172.16.1.1
   option 43 hex f014.0a01.0164
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
 description ### FLEXCONNECT AP ###
!
interface FastEthernet0/24
 description ## WAN Link to HQ ###
 no switchport
 ip address 200.1.1.1 255.255.255.252
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 ip address 172.16.1.1 255.255.255.0
!
ip classless
ip route 10.1.1.0 255.255.255.0 200.1.1.2
ip http server
ip http secure-server
!
!
!
control-plane
!
!
line con 0
line vty 5 15
!
end