Cisco Confidential 2014 © All Rights Reserved
Page 1
Borderless Networkers PVT-AMS
October 2014
Cisco Confidential 2014 © All Rights Reserved
Page 2
Lab Topology
In order to derive the most out of this Lab, and exercise the functionality outlined in this document, it’s important to have a network that is configured properly with IPv4 configuration on the switches and controllers. All lab resources are configured as depicted in the diagram below. Most Lab deployments are usually in lab or private network with a minimal set of Controllers, Access Points and Clients.
Client Devices used in LAB Topology
1. Apple iPhone/ Android Phone to associate on SSID(universal-admin) for to config AP domain 2. Wired Laptop connected to POD L2 switch to access mgmt VLAN X0 the network (where x is POD
number)
LabTopology*
CORE/SW/3750* Vlan10:10.10.10.1* Vlan20:10.10.20.1* Vlan30:10.10.30.1* VlanX0:10.10.x0.1* * NAT*Router* UCS*10.10.105.50** MGMT*=*10.10.X0.2*/24*VLAN*10*WLC/2504* * Wireless*Client** Cisco*AirProvision* App* * ** * SSID:*PODX/PSK*(Universal/admin)* Security:*WPA2*/PSK* SW/3750* 10.10.X0.4* AP2700/UX* * Wired*Client*10.10.X0.x* Wireless*Client* Lync*Client** Username*:podXa* Password:*Cisco123* * Internet* PI:10.10.105.25*POD*X*
*"Where"‘X’"is"the"POD"number"" MSE:10.10.105.26* SSID:*PODX/EoGRE* Security:*WPA2*/PSK* MS*Lync*Server*10.10.105.14** * * * CUWN*8.1*Features* /Spartan*2.0* /Universal*AP* /ATE* /BLE* /Lync*SDN* /FlexAVC* * ** *Cisco Confidential 2014 © All Rights Reserved
Page 3
3. After doing basic connectivity testing you will be required to disconnect the PC/ laptop from the Switch port and directly connect it to the WLC Service Port as part of the lab Section 1.IP Addressing and Passwords
Device
Vlan
IP Address
Gateway
User Name
Password
DHCP Server Pod 1
10
10.10.10.1
10.10.10.1
N/A
N/A
DHCP Server Pod X
X0
10.10.X0.1
10.10.X0.1
N/A
N/A
Pod 1 Switch
10
10.10.10.4
10.10.10.4
N/A
Cisco
Pod X Switch
X0
10.10.X0.4
10.10.X0.4
N/A
Cisco
Pod 1 WLC
10
10.10.10.2
10.10.10.1
admin
Cisco123
Pod 2 WLC
20
10.10.20.2
10.10.10.1
admin
Cisco123
Pod 3 WLC
30
10.10.30.2
10.10.X0.1
admin
Cisco123
Pod X WLC
X0
10.10.X0.2
10.10.X0.1
admin
Cisco123
Pod 1 AP
10
DHCP
10.10.10.1
cisco
Cisco
Pod X AP
X0
DHCP
10.10.X0.1
cisco
Cisco
Lab has 2 dedicated VLANs for each POD
Pod 1 Pod 2 Pod 3 Pod 4 Pod 5 Pod 6 Pod 7 Pod 8 Pod 9 Pod 10
Management Vlan 10
20
30
40
50
60
70
80
90
100
• Management Vlan used for => WLC, AP, Wireless Laptop Client, Apple Client Machine (iPAD/iPhone)
• Wired laptop connected to VLAN x0
Verify Controller and Switch Connectivity
Lab core switch is been configured for you and you don’t have to make any changes. Please verify L2 switch and WLC connectivity for your individual Pod.
To verify controller and switch connectivity use wired laptop connected to individual POD L2 switch on interface Gig1/0/13. Your laptop should have IPv4 address from management vlan of individual POD
POD 1 POD 2 POD 3 POD 4 POD 5 POD 6 POD 7 POD 8
Pod 9
Pod 10
10
20
30
40
50
60
70
80
90
100
Cisco Confidential 2014 © All Rights Reserved
Page 4
Now being connected to your local Pod you can verify lab setup and configuration as shown in topology above. Remember individual POD switches are configured as pure L2 switches and not a core switch. Using telnet access from command prompt on the wired Lab laptops, connect to individual POD switches and controller and verify the network connectivity.POD 1 L2 switch : 10.10.10.4 POD 2 L2 switch : 10.10.20.4 POD 3 L2 switch : 10.10.30.4
POD X L2 switch : 10.10.X0.4 [where X is the POD number]
When connected to the individual L2 switch initiate ping to it’s gateway and DHCP server and make sure connectivity is fine. Below example from Pod 9
Cisco Confidential 2014 © All Rights Reserved
Page 5
Section1:
Day 0/1 setup 2.0 (Best Practice)
Day 0/1 setup Introduction
The goal of this feature in the Lab guide is to provide a set of instructions to help easily setup a WLC to operate in a small or medium office environment, where access point(s) can join and together as a simple solution, provide various services such as corporate employee or guest wireless access on the network. With this Day 0/1 setup software release, there are 2 ways to configure the 5508 Series Wireless LAN Controller:
• Traditional command line interface (CLI) via serial console.
• Updated method using network connection directly to the WLC GUI setup wizard
This guide provides instruction only for using the WLC GUI setup wizard. Configuration via CLI is has been maintained for some time and is available on Cisco.com or at the following location:
http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-6/configuration/guide/b_cg76.html General steps to configure are summarized as follow:
1. Complete the configuration checklist 2. Unpack, connect and power on the WLC.
3. Connect a client machine to Port 2 of the WLC with an Ethernet cable. 4. Open a client web browser access the WLC startup GUI
5. Enter the settings from the completed configuration checklist
6. Disconnect the WLC from client machine and connect to the network switch. 7. Connect access point(s) to the network switch.
8. Access points will join the WLC, then configured wireless network will become available. 9. Connect wireless client(s) to the available network.
Components Used
• Cisco 2504 Series Wireless LAN Controller • Access Points supplied in the Lab
• Cisco Catalyst Switch
• Client computer (e.g. laptop) supplied in the Lab, with an available wired Ethernet port. • Wireless clients (tablets, smartphones, etc.)
WLC Installation Step-by-Step
1. Connect a PC laptop wired Ethernet port directly to Port 2 of the WLC (figure of Port 2 location is shown below). The port LEDs will blink to indicate that both machines are properly
Cisco Confidential 2014 © All Rights Reserved
Page 6
2. It may take several minutes for the WLC to fully power on to make the GUI available to the PC.Do not auto configure controller.
3. The LEDs on the front panel will provide system status: a. The system is NOT ready - LEDs is OFF. b. The controller IS ready - LED is solid green
If you don’t get a PI address (192.168.1.xyx) from WLC the manually assign a static IP address 192.168.1.X to your Laptop to access the WLC GUI (DHCP will be available in the official release) Example of network settings on Windows PC (Start à Run à CMD à ‘ipconfig’):
Cisco Confidential 2014 © All Rights Reserved
Page 7
4. Upon confirming that there is an IP address of 192.168.1.x assigned to your computer, open aweb browser (Prefered is Chrome and Safari) and open the following URL: http://192.168.1.1
a. Create a new admin account name = admin
b. Provide the new admin account’s password = Cisco123 c. Confirm the password.
Cisco Confidential 2014 © All Rights Reserved
Page 8
5. On the next screen, indicated Step 1 - Set Up Your Controller, fill out the required information.Again, it will be helpful to refer to your checklist and the table provided by the Lab Admin. a. System name for the WLC – PODX-WLC
b. The current time zone (w.r.t country ) c. NTP Server (optional)
d. Management IP address, subnet mask, and default gateway – 10.10.X0.2 and 10.10.X0.1 e. Management VLAN id (see checklist), if left unchanged (or 0), then the network switch
port must be configured with a native VLAN “X0”
Note: The wizard will attempt to import the clock information (date and time) from the computer via JavaScript. It is highly recommended that you confirm this before continuing. Access points rely on correct clock settings to be able to join the WLC.
Cisco Confidential 2014 © All Rights Reserved
Page 9
6. Next, or from the Step 2 - Create Your Wireless Networks, with the help from your checklist,fill out the following:
a. Network name/SSID - PODX-PSK b. Security (WPA/WPA2 Personal)
• WPA/WPA2 Personal – provide a pass phrase (PSK / password=Cisco123)
c. Provide the DHCP server (10.10.X0.1) – if left empty, the DHCP processing is bridged to the management interface.
Example of an Employee Network configured with WPA/WPA2 Personal using PSK (pre-shared key / pass phrase) for Pod1.
Cisco Confidential 2014 © All Rights Reserved
Page 10
Configure advanced settings in section 3 as shown in the example below.1. Check the RF parameter Optimization box
Then you can configure the Deployment Type parameters through which you can select Low Density, Typical or High Density and also configure the RF parameters for particular type of traffic as well like Data and Voice.
Cisco Confidential 2014 © All Rights Reserved
Page 11
For this Lab select deployment type as ‘Typical’ and Traffic Type as ‘Data’ leave the Virtual IP Address and other values to default then click ‘Next’.Following table depicts the default values when ‘Typical’ deployment type is selected from RF
parameters.
Cisco Confidential 2014 © All Rights Reserved
Page 12
7. If all settings are correct, click Apply. A message with a prompt ‘System will reboot...Do you want to apply these configuration?’
Cisco Confidential 2014 © All Rights Reserved
Page 13
8. Click OK to apply final settings, the WLC will reboot automatically. A confirmation page willshow that ‘The controller has been fully configured and will now restart’ Sometimes this message would not appear this is a known issue and will be fixed.
9. Optionally check the configuration done in the Day-0 config via the console connection
10. Disconnect your computer from the WLC port 2 and connect it to POD-Switch port 5
Please do not forget to change the laptop ip address back to dynamic/automatic dhcp option if it is statically assigned. Otherwise would not be able to access the WLC mgmt. GUI through
10.10.X0.2
11. Connect the WLC port 1 to the switch assigned trunk port. i.e port 1 of your POD Switch if not already connected.
12. Connect only AP3700 access points to the your POD switch if not already connected. i.e. AP3700 to port 3
13. Wait until access points to join the WLC
Dashboard
Browse to http://10.10.X0.2 which you assigned to your PODx-WLC
Please spend some time to explore the new dashboard. The admin must log into the WLC to access web UI and dashboard. This dashboard does not replace the existing legacy Monitor page on the WLC. To return to the legacy web UI page, click on the ‘Advanced’ link.
Cisco Confidential 2014 © All Rights Reserved
Page 14
To return back to the Dashboard screen click on the Home button as shown below.You can verify whether the Day 0/1 setup 2.0 (best practice) features are enabled by checking that predefined RF profiles getting created under WIRELESS->RF Profiles
Cisco Confidential 2014 © All Rights Reserved
Page 15
Also , under WIRELESS->Advanced-> System Profile/ Network Profile you should see the followingBelow are examples of some of the BP features enabled with Day-0 wizard installation. The features showing * are in process of being implemented in the new release
Feature 8.1
AVC Visibility Yes( 2504 Only)
mDNS Snooping Yes (2504 Only)
New MDNS Profile for printer, http Yes
Local Profiling Yes
Band Select Yes
DHCP Proxy Yes
Secure Web access Yes
Virtual IP 192.0.2.1 Yes (configurable)
RRM-‐DCA Auto Yes
RRM-‐TPC Auto Yes
CleanAir Enabled Yes
EDRRM Enabled Yes
Channel Width 40 MHz Yes
Aironet IE Disabled Yes
Cisco Confidential 2014 © All Rights Reserved
Page 16
2.4 Low Data Rates Disabled Yes (Network profile)
Load Balancing Yes (Network profile)
Rogue Threshold Enabled Yes
Client Exclusion Enabled Yes
FastSSID Enabled* Yes
Infra MFP Yes
Multicast Forwarding Mode Yes
SNMPv3 (delete default) Yes
Mobility Name Yes
RF Group same as Mobility Name Yes
DHCP Required on Guest WLAN Yes
5 GHz Channel Bonding* Yes
Note: Before proceeding to the next section configure an RF Group Name according to your pods (e.g. pod1, pod2…podx where x is the pod number)
From WLC main menu CONTROLLER->General then configure the name as podx (where x is the pod number).
You have reached the end of the Lab guide for the Day 0/1 setup software release. Please proceed to the next section of the Lab.
Cisco Confidential 2014 © All Rights Reserved
Page 17
Section 2:
Air Time Entitlement (ATE)
Traditional (wired) implementations of QOS regulate egress bandwidth. With wireless
networking, the transmission medium is via radio waves that transmit data at varying rates.
Instead of regulating egress bandwidth, it makes more sense to regulate the amount of airtime
needed to transmit frames. Air Time Entitlement (ATE) is a form of wireless QOS that regulates
downlink airtime (as opposed to egress bandwidth). Large scale, high density Wi-Fi
deployments are driving this feature. Wireless Network owners are mandating that their
applications be allocated some fixed percentage of the total bandwidth of the Wi-Fi network. At
the same time, with capital sharing being considered with multiple cellular providers, ATE is
needed to ensure fairness of usage across operators.
Before a frame is transmitted, the ATE budget for that client/UP/SSID is checked to ensure that
there is sufficient airtime budget to transmit the frame. Each client/UP/SSID can be thought of
as having a token bucket (1 token == 1 microsecond of airtime). If the token bucket contains
enough airtime to transmit the frame, it is transmitted over the air. Otherwise, the frame can
either be dropped or deferred. While the concept of dropping a frame is obvious, deferring a
frame deserves further explanation. Deferring a frame means that the frame is not admitted into
the Access Category Queue (ACQ). Instead, it remains in the Client Priority Queue (CPQ) and
may be transmitted at a later time when the corresponding token bucket contains a sufficient
number of tokens (unless the CPQ reaches capacity, at which point the frame will be dropped
regardless). The majority of the work involved for ATE takes place on the access points. The
wireless controller is used simply to configure the feature and display results.
Cisco Confidential 2014 © All Rights Reserved
Page 18
Note:
• ATE policies are applied only in the downlink direction (AP transmitting frames to
client).
• ATE policies are applied only on wireless data frames; management and control
frames will be ignored.
• When ATE is configured per-client, each client is granted equal airtime.
• ATE will be configured to either drop or defer frames that exceed their airtime
policies. If the frame is deferred, it will be buffered and transmit at some point in the
future when the offending client/UP/SSID has a sufficient airtime budget. Of course,
there is a limit as to how many frames can be buffered. If this limit is crossed, frames
will be dropped regardless.
• ATE can be globally enabled/disabled
• ATE can be enabled/disabled on an individual access point
• Legacy, 802.11n, and 802.11ac (
TBD
) frames will be supported.
• ATE results and statistics will be available on the wireless controller (
TBD
).
Global ATE configuration commands
Note: For this exercise make sure only AP3700 is enable and keep AP2700 disabled. This is
because currently there are some known issues of ATE on AP2700 in this code.
In this Lab exercise we will configure two WLAN s on the controller and assign one
SSID=PODX-ate98 entitlement of 98% and another SSID = PODX-ate2 entitlement of the 2%.
Then we will connect clients to one WLAN at a time and use media stream applications such as
YouTube and observe performance with 98% and 2% Entitlement.
1. Create two SSIDs on the Pod X controller PODX-ate98 and PODX-ate2 with WPA/PSK
and password=Cisco123.
2. On the Controller CLI configure ATE for SSID
config ate mode ssid
Cisco Confidential 2014 © All Rights Reserved
Page 19
3. In the next step configure two bucket IDs and Weight for the two corresponding SSIDs. One
bucket # 1 with weight 98% and the second #2 Weight 2%.
config ate bucket 1 98
config ate bucket 2 2
4. Disable WLAN PODX-ATE98 and PODX-ATE2
5. In the next step assign WLAN created previously to the buckets accordingly. SSID
PodX-ate98 to bucket 1 and PodX-ate2 to bucket 2.
config wlan ate <wlan id> bucket <bucket id> # assign bucket to wlan (wlan must be
down)
Make sure corresponding WLAN numbers match the bucket ID # with a specific weight as
shown in the example below.
Enable WLAN PODX-ATE98 and PODX-ATE2
2. With the next command configure how to control what ATE does with a packet that violate
its airtime policy. Packets can either be dropped or deferred. If packets are deferred, they
get buffered in the AP where they will be transmitted at a later time when there is a
sufficient airtime budget.
Cisco Confidential 2014 © All Rights Reserved
Page 20
config ate violation drop
3. Show ATE configuration on the WLANs with the following commands
show ate config wlan # show bucket + wlan combinations
show ate config all # show settings by APs
4. Connect a wireless Client of your choosing to SSID in your POD ie PodX-ate98 and
observe the effect of the ATE on this WLAN. Run some video stream such YouTube.
5. Connect a wireless Client to SSID in your POD ie PodX-ate2 and observe the affects of the
ATE on that WLAN. You should see YouTube is much slower on this WLAN.
6. Change the buckets to something like 90% and 10% and observe the video changes.
7. There are no debugs and Statistics in code rite now
Cisco Confidential 2014 © All Rights Reserved
Page 21
Section 3:
BLE (Bluetooth Low Energy)
Bluetooth Low Energy or Bluetooth LE, marketed as Bluetooth Smart, is a wireless personal area network technology designed and marketed by the Bluetooth Special Interest Group aimed at novel applications in the healthcare, fitness, security, and home entertainment industries. Compared to Classic Bluetooth, Bluetooth Smart is intended to provide considerably reduced power consumption and cost while
maintaining a similar communication range. Mobile operating systems including iOS, Android, Windows Phone and BlackBerry, as well as OS X, Linux, and Windows 8, natively support Bluetooth Smart. Bluetooth Smart is not backward-compatible with the previous, often called Classic, Bluetooth protocol. The Bluetooth 4.0 specification permits devices to implement either or both of the LE and Classic systems. Bluetooth Smart uses the same 2.4 GHz radio frequencies as Classic Bluetooth, which allows dual-mode devices to share a single radio antenna. BLE does, however, use a simpler modulation system and uses a different set of channels. Instead of the Classic Bluetooth 79 1-MHz channels, Bluetooth Smart has 40 2-MHz channels. Within a channel, data is transmitted using Gaussian frequency shift modulation, similar to Classic Bluetooth's Basic Rate scheme. The bit rate is 1Mbit/s, and the maximum transmit power is 10 mW.
You also probably heard of BLE beacons or iBeacons (Apple’s version of BLE) come up in your conversations with customers or partners. BLE uses Bluetooth 4.0 for advertising and granular location. As noted above, BLE is supported in most newer smartphones and can enhance indoor Wi-Fi location deployments with additional levels of granularity and faster refresh rates.
If you are thinking about beacons, the best solution is a hybrid environment where Wi-Fi is enhanced with BLE. This solution helps mitigate the operational costs and complexity of handling rogue or stolen beacons, while offering a richer location landscape for your deployment.
Cisco is doing three things to help in this area:
1 – Improve Location Accuracy: Cisco is improving Wi-Fi based location in order to reduce the difference between Wi-Fi and BLE. Better Wi-Fi location accuracy will allow you to reduce the number of BLE beacons required for granular location applications. Cisco is working towards goals of 1-3m accuracy; 5-6 second refresh rate, and 2 second latency. *Please note: not all use cases require the fast refresh rates offered by BLE.
2 – Manage BLE: Cisco wireless infrastructure can see, read, and position BLE beacons with existing Cisco CleanAir AP’s – there is no need for new hardware. This will help you keep track of beacons, ensure they have not moved, identify rogue and/or duplicate beacons. We are working on Wi-Fi-based visibility (and potentially moving into active management) to help streamline BLE management. 3 –Integrate BLE with Access Points: We’ve identified that there is potential here to help you deploy fewer beacons and reduce worries around battery replacement/theft/movement while built-in centralized management.
Cisco Confidential 2014 © All Rights Reserved
Page 22
Configuring BLE/iBeacon detection and Classification
BLE (iBeacon) device operates/beacons in 2.4 Ghz band. The Cleanair needs to be enabled on 802.11b network in order for the AP to discover it.
1- Go to WLC main menu WIRELESS->802.11b/g/n->CleanAir and enable cleanair by checking
the box if it is disabled.
2- Now from the WLC CLI and issue the following command to enable ibeacon detection (PODx-WLC)> config 802.11b cleanair device enable iBeacon
To verify if any BLE/iBeacon is reported by the AP to the WLC issue the command (PODx-WLC)> test cleanair show idr all //This will show all the interferers// Note : In the lab there are few iBeacons present and you should see them
Cisco Confidential 2014 © All Rights Reserved
Page 23
3- You can also use the following show command to see if the ibeacons are detected by the specific AP. (PODx-WLC)> show 802.11b cleanair device ap <AP Name>
As the iBeacons are being detected as rogue devices we need to classify them and this is done through the PI/MSE in this lab setup.
Note: In this lab we are using PI and MSE to show the visibility and
configuration of iBeacons. But going forward the BLE/iBeacon
visibility and configuration will only be available on MSE
(MSE
10.x) This PI is demo code just use it as a reference for this lab only.
4- Now login to the PI (10.10.105.26 root/Public123) and see your respective POD-WLCs are already add to the PI.Note : If the WLC is not on the PI then add it from PI main menu bar go to Operate->Device Work Center and add your respective POD WLCs
Cisco Confidential 2014 © All Rights Reserved
Page 24
5- Configure the device parameters according to your pod and click ‘Add’ buttonWLC IP Address = 10.10.X0.2 ; Community= private ; Telnet= admin/Cisco123
Cisco Confidential 2014 © All Rights Reserved
Page 25
7- Now add your respective POD-AP’s to the map by going to PI main menu then click Operate->Maps8- There is a single map (conference room) for all the pods. Click on the maps and then Site Maps System Campus>SJC5>Conference room
9- Only when you do not see your POD AP on the map then Add the access point by selecting ‘Add Access Points’ from ‘Select a command ‘drop down menu on the right side of the page then click ‘Go’ button.
Cisco Confidential 2014 © All Rights Reserved
Page 26
10- This will to take you to ‘Add Access Points’ page. There will be multiple access points
showing up on the list please select the one with your POD number and Click ‘OK’ button
Note: Once the AP is added then switch PI mode to Classic view as iBeacons configuration is currently only available in PI classic view.
11- Hover your cursor to ‘root’ on top right side of the PI GUI then select “Switch To Classic Theme”
12- Go to Monitor and then click on BLE Beacons, this will give you list of iBeacons discovered and will show up as rogues.
Cisco Confidential 2014 © All Rights Reserved
Page 27
13- Similarly, from PI main menu navigate to Configure tab and click BLE Beacons14- List of the iBeacons will show up click on the one of the iBeacon device Mac Address. As we don’t have individual beacons for the pods just use the next step for the reference.
Note: In most cases you will have the Beacons which have a MAC or UUID but the ones in the lab are Estimote ibeacons which don’t have this information visible on the device physically (The mac address is hand written on the back side of the some of ibeacon devices in the lab)
Cisco Confidential 2014 © All Rights Reserved
Page 28
16- Once the device name is changed add that device to known list, from ‘-Select a command-‘ drop down menu on the right side of the page select ‘Add BLE Beacons to Known-List’ and click ‘Go’shown below.17- Now go the map and check if BLE Beacons are populated on the map. Please make sure under the Floor Settings that all the BLE filters are enabled. You should be able to see the iBeacons on the map some showing up as rogues (Yellow) and ones configured as known (Green) and if there is any missing iBeacon it will show up as Red
Cisco Confidential 2014 © All Rights Reserved
Page 29
Cisco Confidential 2014 © All Rights Reserved
Page 30
Section 4:
Lync SDN
• Classify Lync Voice, Video, Desktop Sharing and File Transfer
• Automate QoS policy to control any given Lync call.
• Supports 5508, WISM2 and 8510 controller and HA.
• Supports L2/3 roaming where policy and call info are maintained.
• In Mobility group, all Controllers register with SDN server and show same call data across all
controllers
• Report/Monitor and assist with diagnostics of endpoint detail:
Call status
Call type
Source/Destination
URIs
MOS
Jitter
Call Duration
Cisco Confidential 2014 © All Rights Reserved
Page 31
Step1: Global Lync Configuration
1- From WLC maain menu go to WIRELESS->Lync Server enable Lync server by checking the
box, assign a port number (15790) and protocol (http) and hit Apply
Global Lync Configuration from WLC CLI
config lync-sdn enable/disable
config lync-sdn port <port-no>
config lync-sdn protocol http/https
show lync-sdn summary
Cisco Confidential 2014 © All Rights Reserved
Page 32
Step2: Lync WLAN Configuration
Navigate to the WLANs and select the WLAN on which you want to have Lync service enabled (PODx-PSK for the lab) under ‘Advanced’ tab scroll down to Lync-> Lync Server then select ‘Enabled’
Lync WLAN configuration from CLI
config wlan lync enable/disable <wlan-id>Step 3: WLAN QoS Configuration
On the same WLAN go to the QoS tab Enable Application Visibility (Enabling AV is not mandatory but
Cisco Confidential 2014 © All Rights Reserved
Page 33
Step4 : Configure ACL for Lync
From WLC main menu go to SECURITY->Access Control Lists and click New
Give intuitive ACL name ( in our example we named it lync) and click Apply
Now click on the ACL name and configure ACL rules by clicking ‘Add New Rule’ button
Cisco Confidential 2014 © All Rights Reserved
Page 34
Similarly, configure other rules as shown belowNow apply this ACL as CPU ACL. In the official release user would not need to configure this ACL but will be enabled by default once configuring Lync.
NOTE: If you misconfigured the ACL and lock your self out use the following
command to disable the ACL
Cisco Confidential 2014 © All Rights Reserved
Page 35
Step5: Initiating a Lync AUDIO Call
From your laptop which is provided to you have a MS-Lync client , open the application and enter username /password as following then click Sign In
POD1 username = [email protected] password =Cisco123 POD2 username = [email protected] password =Cisco123
PODX username = [email protected] password =Cisco123 where X is pod number
Once Signed In, in the search bar enter [email protected] address to find the contact. To initiate a voice call click the greyed out phone icon button appearing at the bottom of the contact screen.
Cisco Confidential 2014 © All Rights Reserved
Page 36
[email protected] is your lab proctors account ask one of the proctors to receive a call. Once the connection is made you will see the guy in the hat (forgot to bring it to Amsterdam)To monitor the call navigate to MONITOR->Lync SDN->Active Calls and you should be able to see the lync-call status
Cisco Confidential 2014 © All Rights Reserved
Page 37
While the call is on, start the camera and check that the call is upgraded to Video call:Note: In this demo code Clicking the index number would not reveal any call details as these changes are
not integrated for this demo build, that’s just an empty template we are showing for Demo. But these values will be there in the official release.
Once the call is ended there is an option to see the call stats like MOS value and jitter under MONITOR-Lync->History Calls.
Cisco Confidential 2014 © All Rights Reserved
Page 38
The call history details are not available on the GUI in this demo code but will be available in the official release. For now you can view historical call details from WLC cli through following show command Show lync-sdn history-calls detail <call id>Cisco Confidential 2014 © All Rights Reserved
Page 39
Section 5: FlexConnect AVC (local Switching)
How AVC Works
AVC on FlexConnect AP
Cisco Confidential 2014 © All Rights Reserved
Page 40
Step1: Configure WLAN for Local Switching
1-‐
To configure the WLAN to perform local switching go to WLC main menu WLANs. Select the WLAN on which you want to enable local switching (PODx-PSK for the lab). From Advanced tab scroll down to FlexConnect parameters and Enable ‘FlexConnect Local Switching’ by checking the box. Then hit ‘Apply’Step2: Configure AP mode and Add AP to FlexConnect Group
1- Convert the PODx-AP to FlexConnect mode. Go to WIRELESS click on the AP name which you want
to convert to FlexConnect and from General tab select AP Mode to FlexConnect and click ‘Apply’2- When the AP converts to Flexconnect you will be able to see the Flexconnect tab.
From FlexConnect tab enable VLAN Support and set Native VLAN ID to your individual POD management VLAN e.g. POD1 =VLAN 10, POD2 =VLAN 20, PODX = VLAN X0 (where x is the pod number). Then hit ‘Apply’
Cisco Confidential 2014 © All Rights Reserved
Page 41
3- Go back to FlexConnect tab and click on to VLAN Mappings button.4- Under WLAN VLAN Mapping configure the VLAN ID to VLAN X1 which will be the locally switched VLAN (e.g POD1=VLAN11, POD2=VLAN21…PODX=VLANX1)
5- Now create a FlexConnect group by going to WLC main menu WIRELESS->FlexConnect Groups click ‘New’
Cisco Confidential 2014 © All Rights Reserved
Page 42
6- Assign a name to FlexConnect Group PodX-flex and click ‘Apply’ or you can use any intuitive name to assign it to your individual pod.7- Under the General tab ‘Enable’ Application Visibility then add FlexConnect AP to the group by checking the box ‘Select Aps from current controller’. The AP will appear under ‘AP Name’ drop down list then click the ‘Add AP’ button and hit ‘Apply’
Note: Under Application Visibility we have three different options ‘Wlan Specific/Enable/Disable’ for the purpose of the lab we are just using ‘Enable’ option. FlexConnect Group specific AVC configuration takes precedence over WLAN AVC configuration
8-The AP should appear as being added to the group.
Cisco Confidential 2014 © All Rights Reserved
Page 43
9-‐ Associate a client to this WLAN (PODx-PSK), once connected verify that the client gets an IP address
from a local switched VLAN X1 (i.e. VLAN 11=10.10.11.0/24 for POD1, VLAN 21=10.10.21.0/24 for POD2…VLANX1 for PODX *where X is the Pod number) you can check this by going to client’s detail from WLC Monitor->Clients then click on the clients MAC address. Below example is of a client associated to WLAN POD6-PSK10- Once the client is in run state and able to pass traffic browse to different websites (YouTube, Google, Facebook, etc.) or run different applications so the client pass the data traffic.
To see the application visibility stats go to the WLC main menu Monitor->Applications->FlexConnect->FlexConnect Group click on the group name
Cisco Confidential 2014 © All Rights Reserved
Page 44
You will be able to see Application statistics under the Aggregate tab. The stats can be viewed for Max of 30 records and by default it is set to 10.
The above application stats are per FlexConnect group, you can also monitor application visibility per client as well. On the same page click on the Clients under Applications->FlexConnect->FlexConnect Groups->Clients then click on the client mac add
Cisco Confidential 2014 © All Rights Reserved
Page 45
Summary
• FlexConnect Group specific AVC configuration takes precedence over WLAN AVC config • No AP Specific AVC configuration.
Cisco Confidential 2014 © All Rights Reserved
Page 46
Section 6:
Universal Domain AP
The aim of introducing Universal SKU AP is to address the worldwide regulatory compliance
requirement based on geo-location of the Cisco Wireless Access Points. Solution will collapse all
current regulatory domains into a single SKU Access Points. This will be applicable only to
newer -UX PIDs introduced and will not affect existing APs that are preconfigured with a
specific regulatory configuration.
Universal Access Point would be configured to correct Regulatory Domain in two phases
Manual Identification (Through Cisco AirProvision App)
Automatic Identification (Through NDP propagation)
Manual Identification
• Smart Phone based solution( Cisco AirProvision app) communicates with Universal
Access Point on a secure channel.
• For new installations user needs to prime at least one AP in the RF neighborhood by
Manual Identification method
• AP’s primed at a different country/reg. domain will rely on Manual identification to
automatically correct country configuration
• Upon failure of Automatic identification, Universal AP will fallback to Manual
identification
Automatic Identification
• The process relies on Cisco Infrastructure to identify and apply Reg. Domain and
Country configurations
• Cisco proprietary Neighbor Discovery mechanism identifies secure Cisco Universal APs
in the RF neighborhood
• Universal AP learns domain configurations from the adjacent neighbor’s 802.11 beacons
frame and filters invalid and malicious rogues
• Adjacent Universal APs will have NDP propagation flag set that will be used to
propagate valid country and reg. domain to the rest of the APs
Cisco Confidential 2014 © All Rights Reserved
Page 47
Step1: Associating Universal AP to WLC
Universal AP doesn’t require any particular configurations on WLC to allow Universal AP to
associate. Connect the universal SKU AP (AP2700 in the lab) to the POD-Switch Port 4,
once the AP has joined the controller and downloaded the code, you can check the AP model and
SKU by going to WIRELESS tab from WLC main menu bar.
There are two APs on your pod AP2700 and AP3700 disable AP3700 before starting this
portion of the lab. Also, make sure that you have assign
For the this lab exercise configure the AP2700 name according to your pods as
PODx-AP2700-UX if not already configured (where X is the POD number) by going to AP General tab. Also,
prime it to your WLC, under High Availability tab assign your primary controller as your
POD-WLC name (PODx-POD-WLC) and ip address 10.10.X0.2 then click ‘Apply’.
Note: You will see the APs LED blinking red and green even though the AP has obtained the ip
address and joined the controller. This is because there is no regulatory domain set on the AP
and it has not been primed with the correct domain.
To check if the AP is not already primed for a specific country domain, Click on the AP Name
and under Advanced tab the Regulatory Domains shows –UX for both radios.
Notice that the ‘Country Code’ is also showing ‘UX’ and Universal Prime Status set to
‘Unprimed’
Cisco Confidential 2014 © All Rights Reserved
Page 48
NOTE: You can configure multiple country domains on the WLC as well to test the AP join. As
it’s a Universal SKU AP (-UXK9) it should join the WLC regardless of the country domain set
on the WLC. But for the lab we are using country domain as US
(In the lab if you see that the AP is already primed (then just clear the AP configuration
and once the AP joins back to WLC it should have country code as UX and status as
Unprimed)
Step 2: WLAN Configuration
Now to configure a WLAN through which an administrator can prime the AP to a correct
regulatory domain go to WLAN->Advanced tab and scroll down to Universal Admin Support
and enable ‘Universal Admin’ by checking the box and click ‘Apply’
Make sure that the WLAN should have the security set to PSK or 802.1x as open
authentication WLAN won’t allow universal admin support.
Cisco Confidential 2014 © All Rights Reserved
Page 49
Step3 : SmartPhone Application (AirProvision App)
SmartPhone Application to migrate Universal AP into correct regulatory domain is supported on
following versions of SmartPhone Operating Systems
• Android Jelly Bean 4.3 or higher
• Apple iOS 7.0 or higher
• Windows Mobile OS 8.0
Currently, the AirProvision App is in a pilot program and not available to everyone. This limit
will be taken off soon. For this lab exercise please ask the proctor for a phone once you reach
this portion of the lab and return back the phone once you are done configuring the UX -AP.
Air Provision App installation steps:
1- To get the app, type in cs.co/estore from your mobile device browser and it will open the
following page you can install the app from there.
Note: If you already have AirProvision app installed on your phone, please update
that to the latest version 1.3 as there are some bugs in the older version.
Cisco Confidential 2014 © All Rights Reserved
Page 50
2- Open the app and it will take you cisco CCO login page
Cisco Confidential 2014 © All Rights Reserved
Page 51
4- You can Log in with CCO credentials and access the estore app. Now go to All Apps
Cisco Confidential 2014 © All Rights Reserved
Page 52
Step 4:Configuring Universal AP through Airprovision App
1- Connect the client (iPhone or Android phone) to the universal admin enabled SSID PodX-PSK. Make sure the client associates to AP on 2.4GHz radio (its by design because the 2.4 channel is consistent through different domains)
2- Open the Airprovision app and it will ask for the username /password. Enter your CCO or CEC credentials and login. Also enable location services for the app
Cisco Confidential 2014 © All Rights Reserved
Page 53
3- When the location service is enabled, it will take you to the universal AP login where usernameand password shows up as default. User cannot change these credentials just press Log In.
If you have an Android phone please refer to point 6 of this section
It will show AP configuration page where you can see Configure and Audit tabs. This provides the status of the universal AP as shown below. Currently, the AP is not provisioned so it states the following under configure and Audit tab
AP Provision = No 2.4 GHz= -UX 5 GHz= -UX
Cisco Confidential 2014 © All Rights Reserved
Page 54
4- Now press Configure button at the bottom of the screen.
5- The AP will reboot and join back with the regulatory domain it has received through the GPS /Location services. You can check that by going to the WIRELESS->AP Name->Advanced tab and now the Regulatory Domain is changed from –UX to –A which is the correct regulatory domain. Also, the country code should say US and as the AP is primed through the app the Universal Prime status shows Web App.
Cisco Confidential 2014 © All Rights Reserved
Page 55
Also, you can insure this by connecting the client (iphone or Android phone) to the universal admin enabled SSID (POD6-PSK in my setup) and then login to the Airproviosion app you will see that the Universal AP is configured correctly as followAP Provision = Yes 2.4 GHz= -A 5 GHz= -A
Configured Country= US
Note: Once the AP is primed with the correct domain the NDP will be used to propagate valid
country and reg. domain to the rest of the Universal domain APs on the network. As we do not
have more Universal APs available in the lab we are not showcasing that feature but following
would have been seen if you have other UX APs in your network.
Cisco Confidential 2014 © All Rights Reserved
Page 56
6- Airprovioning through Android PhoneFrom the an Android phone the App behaves little different i.e once you open the Airprovision App it asks for CCO credentials then to connect to the universal admin enabled SSID from the list of discovered SSIDs. Once you connect to the SSID then the procedure is pretty much the same as with iPhone.
Cisco Confidential 2014 © All Rights Reserved
Page 57
Cisco Confidential 2014 © All Rights Reserved
Page 58
Appendix- Day 0/1 setup Day 0 Checklist
Configuration Checklist
The following checklist will help to make the installation process easier, as you will use when using the GUI wizard to configure the WLC. While most of the information from the list is mandatory, there is some information that is also optional (*). Please take a moment to learn the Lab Diagram above and the tables with WLC configurations for your specific PodX and then record the information below or directly into the Day 0/1 setup Day-0 configuration screens.
1. Network switch requirement (see above reference for switch configuration example)
a. WLC switch port number assigned (Y / N)
WLC assigned switch port: __________________
b. Is the switch port configured as trunk? (Y / N) c. Is there a management VLAN? (Y / N)
Management VLAN id: __________________
d. Is there a guest VLAN? (Y / N)*
Guest VLAN id: __________________* 2. WLC Settings
a. New admin account name: __________________ b. Admin account password
__________________ c. System name for the WLC
__________________ d. The current time zone
__________________*
e. Is there a NTP server available? (Y / N)* NTP server IP address: __________________* f. Management networking: IP address __________________ Subnet mask __________________ Default gateway __________________
g. Management VLAN id (use 1c) __________________ 3. Corporate Wireless Network
a. Corporate wireless name/SSID __________________*
b. Is a RADIUS server required (Enterprise)? (Y / N) If NO (WPA/WPA2 Personal)
Cisco Confidential 2014 © All Rights Reserved
Page 59
Corporate passphrase (PSK)__________________If YES (WPA/WPA2 Enterprise)
RADIUS server IP address: __________________ RADIUS shared secret
__________________
c. Is a DHCP server known? (Y / N)*
DHCP server IP address: __________________*
4. Guest Wireless Network - skip to 5 if not required. a. Guest wireless name/SSID
__________________
b. Is a password required for guest? (Y / N) If NO – skip to 4c.
If YES
Guest passphrase (PSK): __________________ c. Guest VLAN id (use 1d)
__________________ d. Guest networking IP address __________________ Subnet mask __________________ Default gateway __________________
Cisco Confidential 2014 © All Rights Reserved
Page 60
Reference Only:
NOT part of the lab as WLC2504 doesn’t support EoGRE tunnel
EoGRE
Ethernet over GRE (EoGRE) is a new aggregation solution for aggregating WiFi traffic from
hotspots. This solution enables customer premises equipment (CPE) devices to bridge the
Ethernet traffic coming from an end host, and encapsulate the traffic in Ethernet packets over an
IP GRE tunnel. When the IP GRE tunnels are terminated on a service provider broadband
network gateway, the end host’s traffic is terminated and subscriber sessions are initiated for the
end host. In our lab setup we are using ASR1K as a tunnel gateway.
1. To demonstrate EoGRE feature we will create another SSID, from WLC main menu go to WLANs and Click the Go button. Create a WLAN with naming convention as “POD<Number>-EoGRE”. Map this WLAN to management interface with Security set to ‘None’
