This chapter describes how to connect the Cisco 1500 Series mesh access points to the network.
The wireless mesh terminates on two points on the wired network. The first location is where the RAP attaches to the wired network, and where all bridged traffic connects to the wired network. The second location is where the CAPWAP controller connects to the wired network; this location is where the WLAN client traffic from the mesh network connects to the wired network (see Figure 1). The WLAN client traffic from CAPWAP is tunneled at Layer 2, and matching WLANs should terminate on the same switch VLAN where the controllers are collocated. The security and network configuration for each of the WLANs on the mesh depend on the security capabilities of the network to which the controller is connected.
For more information about upgrading to a new controller software release, see the Release Notes for Cisco Wireless LAN Controllers and Lightweight Access Points at http://www.cisco.com/en/US/products/ps10315/prod_release_notes_list.html.
For more information about mesh and controller software releases and the compatible access points, see the Cisco Wireless Solutions Software Compatibility Matrix at http://www.cisco.com/en/US/docs/wireless/controller/5500/tech_notes/Wireless_Software_Compatibility_Matrix.html.
This chapter contains the following sections:
This section assumes that the controller is already active in the network and is operating in Layer 3 mode.
Note | Controller ports that the mesh access points connect to should be untagged. |
Before adding a mesh access point to a network, do the following:
You must enter the radio MAC address for all mesh access points that you want to use in the mesh network into the appropriate controller. A controller only responds to discovery requests from outdoor radios that appear in its authorization list. MAC filtering is enabled by default on the controller, so only the MAC addresses need to be configured. If the access point has an SSC and has been added to the AP Authorization List, then the MAC address of the AP does not need to be added to the MAC Filtering List.
You can add the mesh access point using either the GUI or the CLI.
Note | You can also download the list of mesh access point MAC addresses and push them to the controller using Cisco Prime Infrastructure. |
To add a MAC filter entry for the mesh access point on the controller using the controller GUI, follow these steps:
To add a MAC filter entry for the mesh access point on the controller using the controller CLI, follow these steps:
Step 1 | To add the MAC address of the mesh access point to the controller filter list, enter this command:
config macfilter add ap_mac wlan_id interface [description]
A value of zero (0) for the wlan_id parameter specifies any WLAN, and a value of zero (0) for the interface parameter specifies none. You can enter up to 32 characters for the optional description parameter. |
Step 2 | To save your changes, enter this command: |
By default, AP1500s are shipped with a radio role set to MAP. You must reconfigure a mesh access point to act as a RAP.
The general notes are as follows:
To configure the role of a mesh access point using the GUI, follow these steps:
Step 1 | Click Wireless to open the All APs page. |
Step 2 | Click the name of an access point. The All APs > Details (General) page appears. |
Step 3 | Click the Mesh tab. |
Step 4 | Choose RootAP or MeshAP from the AP Role drop-down list. |
Step 5 | Click Apply to commit your changes and to cause the access point to reboot. |
To configure the role of a mesh access point using the CLI, enter the following command:
To configure DHCP Option 43 and 60 for mesh access points in the embedded Cisco IOS DHCP server, follow these steps:
Step 1 | Enter configuration mode at the Cisco IOS CLI. |
Step 2 | Create the DHCP pool, including the necessary parameters such as the default router and name server. The commands used to create a DHCP pool are as follows:
ip dhcp pool pool name
network IP Network Netmask
default-router Default router
dns-server DNS Server
where pool name is the name of the DHCP pool, such as AP1520; IP Network is the network IP address where the controller resides, such as 10.0.15.1; Netmask is the subnet mask, such as 255.255.255.0; Default router is the IP address of the default router, such as 10.0.0.1; and DNS Server is the IP address of the DNS server, such as 10.0.10.2. |
Step 3 | Add the option 60 line using the following syntax:
option 60 ascii "VCI string"
For the VCI string, use one of the values below. The quotation marks must be included.
For Cisco 1550 series access points, enter "Cisco AP c1550"
For Cisco 1520 series access points, enter "Cisco AP c1520"
For Cisco 1240 series access points, enter "Cisco AP c1240"
For Cisco 1130 series access points, enter "Cisco AP c1130" |
Step 4 | Add the option 43 line using the following syntax:
option 43 hex hex string
The hex string is assembled by concatenating the TLV values shown below:
Type is always f1 (hex).
Length is the number of controller management IP addresses times 4, in hex.
Value is the IP addresses of the controllers, listed sequentially in hex.
For example, suppose that there are two controllers with management interface IP addresses 10.126.126.2 and 10.127.127.2. The type is f1 (hex). The length is 2 * 4 = 8 = 08 (hex). The IP addresses translate to 0a7e7e02 and 0a7f7f02. Assembling the string then yields f1080a7e7e020a7f7f02. The resulting Cisco IOS command added to the DHCP scope is listed below:
option 43 hex f1080a7e7e020a7f7f02 |
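The option 43 TLV assembly above is easy to get wrong by hand (a mistyped length byte or a transposed octet silently breaks controller discovery). The following is an added example, not code from the Cisco guide: it builds the option 43 string from a list of controller management addresses, decodes one back for a sanity check, and renders the IOS pool stanza from the steps above. The function names and the pool sample values are assumptions; the VCI strings and the f1 type byte are the ones the guide gives.

```python
"""Build and verify DHCP option 43/60 values for Cisco WLC discovery.
Added example (not from the Cisco guide); function names are assumed."""
import ipaddress

# Option 60 VCI strings listed in the guide, keyed by platform name.
VCI_BY_PLATFORM = {
    "c1550": "Cisco AP c1550",
    "c1520": "Cisco AP c1520",
    "c1240": "Cisco AP c1240",
    "c1130": "Cisco AP c1130",
}

OPTION43_TYPE = 0xF1  # sub-option type for the controller address list; always f1


def build_option43(controllers):
    """Return the option 43 hex string: type f1, length (4 * number of
    controllers), then each controller management IPv4 address as four
    hex bytes, in the order given."""
    if not controllers:
        raise ValueError("at least one controller address is required")
    value = b"".join(ipaddress.IPv4Address(c).packed for c in controllers)
    if len(value) > 255:
        raise ValueError("too many controllers for a one-byte length field")
    return f"{OPTION43_TYPE:02x}{len(value):02x}{value.hex()}"


def parse_option43(hex_string):
    """Decode an option 43 hex string back into controller addresses,
    checking the type and length fields so a mistyped string is caught
    before it is pushed into a DHCP scope."""
    raw = bytes.fromhex(hex_string)
    if len(raw) < 2 or raw[0] != OPTION43_TYPE:
        raise ValueError("option 43 value must start with type f1")
    length, payload = raw[1], raw[2:]
    if length != len(payload) or length % 4 != 0:
        raise ValueError("length byte does not match the address payload")
    return [str(ipaddress.IPv4Address(payload[i:i + 4])) for i in range(0, length, 4)]


def ios_dhcp_scope(pool, network, netmask, router, dns, platform, controllers):
    """Render the Cisco IOS DHCP pool stanza from the steps above
    (values are whatever the caller passes; see the constructed sample in main)."""
    vci = VCI_BY_PLATFORM[platform]
    return "\n".join([
        f"ip dhcp pool {pool}",
        f" network {network} {netmask}",
        f" default-router {router}",
        f" dns-server {dns}",
        f' option 60 ascii "{vci}"',
        f" option 43 hex {build_option43(controllers)}",
    ])


if __name__ == "__main__":
    # Constructed sample: the guide's two controllers plus assumed pool values.
    print(ios_dhcp_scope("AP1520", "10.0.15.0", "255.255.255.0", "10.0.0.1",
                         "10.0.10.2", "c1520", ["10.126.126.2", "10.127.127.2"]))
```

Running the block prints the pool stanza with `option 43 hex f1080a7e7e020a7f7f02`, matching the worked example in Step 4; `parse_option43` is the check to run on any string before it goes into production, since DHCP will happily hand out a malformed value.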
A single controller at a centralized location can act as a backup for mesh access points when they lose connectivity with the primary controller in the local region. Centralized and regional controllers need not be in the same mobility group. Using the controller GUI or CLI, you can specify the IP addresses of the backup controllers, which allows the mesh access points to fail over to controllers outside of the mobility group.
You can also configure primary and secondary backup controllers (which are used if primary, secondary, or tertiary controllers are not specified or are not responsive) for all access points connected to the controller as well as various timers, including the heartbeat timer and discovery request timers.
Note | The fast heartbeat timer is not supported on access points in bridge mode. The fast heartbeat timer is configured only on access points in local and FlexConnect modes. |
The mesh access point maintains a list of backup controllers and periodically sends primary discovery requests to each entry on the list. When the mesh access point receives a new discovery response from a controller, the backup controller list is updated. Any controller that fails to respond to two consecutive primary discovery requests is removed from the list. If the mesh access point’s local controller fails, it chooses an available controller from the backup controller list in this order: primary, secondary, tertiary, primary backup, and secondary backup. The mesh access point waits for a discovery response from the first available controller in the backup list and joins the controller if it receives a response within the time configured for the primary discovery request timer. If the time limit is reached, the mesh access point assumes that the controller cannot be joined and waits for a discovery response from the next available controller in the list.
Note | When a mesh access point’s primary controller comes back online, the mesh access point disassociates from the backup controller and reconnects to its primary controller. The mesh access point falls back to its primary controller and not to any secondary controller for which it is configured. For example, if a mesh access point is configured with primary, secondary, and tertiary controllers, it fails over to the tertiary controller when the primary and secondary controllers become unresponsive and waits for the primary controller to come back online so that it can fall back to the primary controller. The mesh access point does not fall back from the tertiary controller to the secondary controller if the secondary controller comes back online; it stays connected to the tertiary controller until the primary controller comes back up. |
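The selection order and the primary-only fall-back rule in the note above are the two things operators most often get wrong when they predict which controller an AP will land on after an outage. The following is an added example, not code from the Cisco guide: a small model of that behaviour. The controller names and the sets of responsive controllers are constructed sample data, and the model leaves out the discovery timers and the purge of controllers that miss two consecutive discovery requests.

```python
"""Model of mesh AP controller selection and fall-back (added example,
not the controller's or AP's own logic)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class MeshApControllers:
    # Per-AP entries (config ap primary-base / secondary-base / tertiary-base)
    primary: Optional[str] = None
    secondary: Optional[str] = None
    tertiary: Optional[str] = None
    # Global entries (config advanced backup-controller primary / secondary)
    backup_primary: Optional[str] = None
    backup_secondary: Optional[str] = None
    # Controller the AP is currently joined to, if any
    joined: Optional[str] = None

    def candidates(self):
        """Search order given in the guide: primary, secondary, tertiary,
        primary backup, secondary backup (unset entries are skipped)."""
        order = [self.primary, self.secondary, self.tertiary,
                 self.backup_primary, self.backup_secondary]
        return [name for name in order if name]

    def select(self, responsive):
        """First candidate in list order that answers a discovery request."""
        for name in self.candidates():
            if name in responsive:
                return name
        return None

    def step(self, responsive):
        """One evaluation cycle. Join (or re-join) only when not joined or when
        the current controller has stopped responding; once joined, move only
        when the primary is reachable again, never to a secondary or tertiary
        that comes back while the AP sits on a lower-priority controller."""
        if self.joined is None or self.joined not in responsive:
            self.joined = self.select(responsive)
        elif self.primary and self.joined != self.primary and self.primary in responsive:
            self.joined = self.primary
        return self.joined


def walk(ap, cycles):
    """Run a sequence of responsive-controller sets and return the join history."""
    return [ap.step(set(alive)) for alive in cycles]


if __name__ == "__main__":
    # Constructed controller names for illustration.
    ap = MeshApControllers("wlc-primary", "wlc-secondary", "wlc-tertiary",
                           "wlc-backup-1", "wlc-backup-2")
    print(walk(ap, [
        ["wlc-tertiary", "wlc-backup-1"],                  # primary and secondary down
        ["wlc-tertiary", "wlc-secondary"],                 # secondary returns: stay on tertiary
        ["wlc-tertiary", "wlc-secondary", "wlc-primary"],  # primary returns: fall back
    ]))
```

The three-cycle walk reproduces the note's scenario: the AP lands on the tertiary controller, ignores the secondary coming back, and returns only when the primary does.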
Using the controller GUI, follow these steps to configure primary, secondary, and tertiary controllers for a specific mesh access point and to configure primary and secondary backup controllers for all mesh access points:
Step 1 | Choose Wireless > Access Points > Global Configuration to open the Global Configuration page (see Figure 1). |
Step 2 | In the AP Primary Discovery Timeout field, enter a value between 30 and 3600 seconds (inclusive) to configure the access point primary discovery request timer. The default value is 120 seconds. |
Step 3 | If you want to specify a primary backup controller for all access points, specify the IP address of the primary backup controller in the Back-up Primary Controller IP Address field and the name of the controller in the Back-up Primary Controller Name field. |
Step 4 | If you want to specify a secondary backup controller for all access points, specify the IP address of the secondary backup controller in the Back-up Secondary Controller IP Address field and the name of the controller in the Back-up Secondary Controller Name field. |
Step 5 | Click Apply to commit your changes. |
Step 6 | If you want to configure primary, secondary, and tertiary backup controllers for a specific access point, follow these steps: |
Step 7 | Click Save Configuration to save your changes. |
Using the controller CLI, follow these steps to configure primary, secondary, and tertiary controllers for a specific mesh access point and to configure primary and secondary backup controllers for all mesh access points.
Step 1 | To configure a primary controller for a specific mesh access point, enter this command:
config ap primary-base controller_name Cisco_AP [controller_ip_address] |
Step 2 | To configure a secondary controller for a specific mesh access point, enter this command:
config ap secondary-base controller_name Cisco_AP [controller_ip_address] |
Step 3 | To configure a tertiary controller for a specific mesh access point, enter this command:
config ap tertiary-base controller_name Cisco_AP [controller_ip_address] |
Step 4 | To configure a primary backup controller for all mesh access points, enter this command:
config advanced backup-controller primary backup_controller_name backup_controller_ip_address |
Step 5 | To configure a secondary backup controller for all mesh access points, enter this command:
config advanced backup-controller secondary backup_controller_name backup_controller_ip_address |
Step 6 | To configure the mesh access point primary discovery request timer, enter this command:
config advanced timers ap-primary-discovery-timeout interval
where interval is a value between 30 and 3600 seconds. The default value is 120 seconds. |
Step 7 | To configure the mesh access point discovery timer, enter this command:
config advanced timers ap-discovery-timeout interval
where interval is a value between 1 and 10 seconds (inclusive). The default value is 10 seconds. |
Step 8 | To configure the 802.11 authentication response timer, enter this command:
config advanced timers auth-timeout interval
where interval is a value between 10 and 600 seconds (inclusive). The default value is 10 seconds. |
Step 9 | To save your changes, enter this command: |
Step 10 | To view a mesh access point's configuration, enter these commands:
show ap config general Cisco_AP
show advanced backup-controller
show advanced timers
show mesh config
Information similar to the following appears for the show ap config general Cisco_AP command:
Cisco AP Identifier.............................. 1
Cisco AP Name.................................... AP5
Country code..................................... US - United States
Regulatory Domain allowed by Country............. 802.11bg:-AB 802.11a:-AB
AP Country code.................................. US - United States
AP Regulatory Domain............................. 802.11bg:-A 802.11a:-N
Switch Port Number .............................. 1
MAC Address...................................... 00:13:80:60:48:3e
IP Address Configuration......................... DHCP
IP Address....................................... 1.100.163.133
...
Primary Cisco Switch Name........................ 1-4404
Primary Cisco Switch IP Address.................. 2.2.2.2
Secondary Cisco Switch Name...................... 1-4404
Secondary Cisco Switch IP Address................ 2.2.2.2
Tertiary Cisco Switch Name....................... 2-4404
Tertiary Cisco Switch IP Address................. 1.1.1.4
Information similar to the following appears for the show advanced backup-controller command:
AP primary Backup Controller .................... controller1 10.10.10.10
AP secondary Backup Controller ............... 0.0.0.0
Information similar to the following appears for the show advanced timers command:
Authentication Response Timeout (seconds)........ 10
Rogue Entry Timeout (seconds).................... 1300
AP Heart Beat Timeout (seconds).................. 30
AP Discovery Timeout (seconds)................... 10
AP Primary Discovery Timeout (seconds)........... 120
Information similar to the following appears for the show mesh config command:
Mesh Range....................................... 12000
Backhaul with client access status............... disabled
Background Scanning State........................ enabled
Mesh Security
   Security Mode................................. EAP
   External-Auth................................. disabled
   Use MAC Filter in External AAA server......... disabled
   Force External Authentication................. disabled
Mesh Alarm Criteria
   Max Hop Count................................. 4
   Recommended Max Children for MAP.............. 10
   Recommended Max Children for RAP.............. 20
   Low Link SNR.................................. 12
   High Link SNR................................. 60
   Max Association Number........................ 10
   Association Interval.......................... 60 minutes
   Parent Change Numbers......................... 3
   Parent Change Interval........................ 60 minutes
Mesh Multicast Mode.............................. In-Out
Mesh Full Sector DFS............................. enabled
Mesh Ethernet Bridging VLAN Transparent Mode..... enabled |
External authorization and authentication of mesh access points using a RADIUS server such as Cisco ACS (4.1 and later) is supported in release 5.2 and later releases. The RADIUS server must support the client authentication type of EAP-FAST with certificates.
Before you employ external authentication within the mesh network, ensure that you make these changes:
Note | If mesh access points connect to a controller using a Fast Ethernet or Gigabit Ethernet interface, only MAC authorization is required. |
Note | This feature also supports local EAP and PSK authentication on the controller. |
To install and trust the CA certificates on the RADIUS server, follow these steps:
Step 1 | Download the CA certificates for Cisco Root CA 2048 from the following locations: |
Step 2 | Install the certificates as follows: |
Step 3 | Configure the external RADIUS servers to trust the CA certificate as follows: |
For additional configuration details on Cisco ACS servers, see the following:
Add MAC addresses of mesh access point that are authorized and authenticated by external RADIUS servers to the user list of that server prior to enabling RADIUS authentication for a mesh access point.
For remote authorization and authentication, EAP-FAST uses the manufacturer’s certificate (CERT) to authenticate the child mesh access point. Additionally, this manufacturer certificate-based identity serves as the username for the mesh access point in user validation.
For Cisco IOS-based mesh access points, in addition to adding the MAC address to the user list, you need to enter the platform_name_string–MAC_address string to the user list (for example, c1240-001122334455). The controller first sends the MAC address as the username; if this first attempt fails, then the controller sends the platform_name_string–MAC_address string as the username.
Note | The Authentication MAC address is different for outdoor versus indoor APs. Outdoor APs use the AP's BVI MAC address, whereas indoor APs use the AP's Gigabit Ethernet MAC address. |
Note | The AP1552 platform uses a platform name of c1520. |
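The two-attempt username logic above (bare MAC first, then platform_name_string-MAC_address) is the usual reason a RADIUS user list that "has the AP in it" still rejects a Cisco IOS mesh AP: the entry is in the wrong form, or the MAC was pasted with separators. The following is an added example, not code from the Cisco guide, that derives both entries in the order the controller tries them and checks a user list for them. The model-to-platform table and the MAC addresses are assumptions and constructed samples; the guide itself confirms only the c1240 example and that the AP1552 uses the platform name c1520.

```python
"""Derive RADIUS user-list entries for Cisco IOS based mesh APs.
Added example (not from the Cisco guide); the platform table is assumed."""
import re

# Assumed platform name strings (the guide gives c1240 as an example and
# states that the AP1552 uses c1520).
PLATFORM_NAME = {
    "AP1552": "c1520",
    "AP1520": "c1520",
    "AP1240": "c1240",
    "AP1130": "c1130",
}


def normalize_mac(mac):
    """Accept 00:11:22:33:44:55, 0011.2233.4455 or 00-11-22-33-44-55 and
    return the 12 hex digits with no separators, as in the guide's example.
    Lower case is an assumption; match the case your server expects."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits.lower()


def radius_usernames(model, mac):
    """Usernames the controller presents, in order: MAC first, then
    platform_name_string-MAC_address."""
    m = normalize_mac(mac)
    return [m, f"{PLATFORM_NAME[model]}-{m}"]


def first_matching_username(model, mac, user_list):
    """Return the attempt that would succeed against a given user list, or
    None if neither form is present (the AP would fail authorization)."""
    names = set(user_list)
    for candidate in radius_usernames(model, mac):
        if candidate in names:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed user list: only the platform-prefixed form is present.
    users = ["c1240-001122334455", "aabbccddeeff"]
    print(radius_usernames("AP1240", "00:11:22:33:44:55"))
    print(first_matching_username("AP1240", "00:11:22:33:44:55", users))
```

Before enabling external authentication, run `first_matching_username` over every mesh AP against an export of the server's user list; any `None` is an AP that will drop off the mesh when the switch is flipped.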
To enable external authentication for a mesh access point using the GUI, follow these steps:
Step 1 | Choose Wireless > Mesh. The Mesh page appears (see Figure 1). |
Step 2 | In the security section, select the EAP option from the Security Mode drop-down list. |
Step 3 | Select the Enabled check boxes for the External MAC Filter Authorization and Force External Authentication options. |
Step 4 | Click Apply. |
Step 5 | Click Save Configuration. |
To enable external authentication for mesh access points using the CLI, enter the following commands:
To view security statistics for mesh access points using the CLI, enter the following command:
show mesh security-stats Cisco_AP
Use this command to display packet error statistics and a count of failures, timeouts, and association and authentication successes as well as reassociations and reauthentications for the specified access point and its child.
This section provides instructions to configure the mesh access point to establish a connection with the controller including:
You can configure the necessary mesh parameters using either the GUI or the CLI. All parameters are applied globally.
To configure global mesh parameters using the controller GUI, follow these steps:
Step 1 | Choose Wireless > Mesh. |
Step 2 | Modify the mesh parameters as appropriate. |
Step 3 | Click Apply. |
Step 4 | Click Save Configuration. |
To configure global mesh parameters including authentication methods using the controller CLI, follow these steps:
Note | See the Configuring Global Mesh Parameters (GUI) section for descriptions, valid ranges, and default values of the parameters used in the CLI commands. |
Step 1 | To specify the maximum range (in feet) of all mesh access points in the network, enter this command:
To see the current range, enter the show mesh range command. |
Step 2 | To enable or disable IDS reports for all traffic on the backhaul, enter this command: |
Step 3 | To specify the rate (in Mbps) at which data is shared between access points on the backhaul interface, enter this command: |
Step 4 | To enable or disable client association on the primary backhaul (802.11a) of a mesh access point, enter this command:
config mesh client-access {enable | disable} |
Step 5 | To enable or disable VLAN transparent, enter this command: config mesh ethernet-bridging VLAN-transparent {enable | disable} |
Step 6 | To define a security mode for the mesh access point, enter one of the following commands: |
Step 7 | To save your changes, enter this command: |
Use these commands to obtain information on global mesh settings:
(Cisco Controller)> show mesh client-access Backhaul with client access status: enabled
(Cisco Controller)> show mesh ids-state Outdoor Mesh IDS(Rogue/Signature Detect): .... Disabled
(Cisco Controller)> show mesh config
Mesh Range....................................... 12000
Mesh Statistics update period.................... 3 minutes
Backhaul with client access status............... disabled
Background Scanning State........................ enabled
Backhaul Amsdu State............................. disabled
Mesh Security
   Security Mode................................. EAP
   External-Auth................................. disabled
   Use MAC Filter in External AAA server......... disabled
   Force External Authentication................. disabled
Mesh Alarm Criteria
   Max Hop Count................................. 4
   Recommended Max Children for MAP.............. 10
   Recommended Max Children for RAP.............. 20
   Low Link SNR.................................. 12
   High Link SNR................................. 60
   Max Association Number........................ 10
   Association Interval.......................... 60 minutes
   Parent Change Numbers......................... 3
   Parent Change Interval........................ 60 minutes
Mesh Multicast Mode.............................. In-Out
Mesh Full Sector DFS............................. enabled
Mesh Ethernet Bridging VLAN Transparent Mode..... enabled
When Backhaul Client Access is enabled, wireless clients can associate over the backhaul radio. The backhaul radio is a 5-GHz radio on most mesh access points, except for the 1522, where the backhaul can be 2.4 GHz. This means that a backhaul radio can carry both backhaul traffic and client traffic.
When Backhaul Client Access is disabled, only backhaul traffic is sent over the backhaul radio and client association is only over the second radio(s).
Note | Backhaul Client Access is disabled by default. After this feature is enabled, all mesh access points, except slave AP and its child APs in Daisy-chained deployment, reboot. |
This feature is applicable to mesh access points with two or more radios (1552, 1524SB, 1522, Indoor APs in mesh mode) excluding the 1524PS.
This figure shows how to enable Backhaul Client Access using the GUI. You will be prompted that the AP will reboot if you enable Backhaul Client Access.
Use the following command to enable Backhaul Client Access:
(Cisco Controller)> config mesh client-access enable
The following message is displayed:
All Mesh APs will be rebooted Are you sure you want to start? (y/N)
With Backhaul Client Access, you can have client access on the backhaul 802.11a radios in addition to the backhaul functionality. This feature is applicable to mesh access points with two or more radios (1552, 1524SB, 1522, Indoor APs in mesh mode) excluding the 1524PS.
The dual 5-GHz Backhaul Client Access feature is intended for the serial backhaul access point platform, which has three radio slots. The radio in slot 0 operates in the 2.4-GHz band and is used for client access. The radios in slot 1 and slot 2 operate in the 5-GHz band and are primarily used for backhaul. However, with the Backhaul Client Access feature, clients were allowed to associate over the slot 1 radio. But slot 2 radio was used only for backhaul. With the 7.0 release, client access over the slot 2 radio is allowed with this Dual 5-GHz Universal Access feature.
By default, client access is disabled over both the backhaul radios. Follow the guidelines to enable or disable client access on the radio slots that constitute 5-GHz radios, irrespective of the radios being used as downlinks or uplinks:
The two 802.11a backhaul radios use the same MAC address. There may be instances where a WLAN maps to the same BSSID on more than one slot. Client access on the slot 2 radio is referred to as Extended Universal Access (EUA) in this document.
Step 1 | Choose Controller > Wireless > Mesh. The Controller GUI when Backhaul Client Access is disabled page appears. |
Step 2 | Select the Backhaul Client Access check box to display the Extended Backhaul Client Access check box. |
Step 3 | Select the Extended Backhaul Client Access check box and click Apply. A message appears. |
Step 4 | Click OK. After EUA is enabled, 802.11a radios appear. Slot 2 in the 5-GHz radio in the RAPSB (serial backhaul) that is used to extend the backhaul in the DOWNLINK direction is displayed as DOWNLINK ACCESS, where slot 1 in the 5-GHz radio in the RAPSB that is used for client access is displayed as ACCESS. Slot 2 in the 5-GHz radio in the MAPSB that is used for the UPLINK is displayed as UPLINK ACCESS, and slot 1 in the MAPSB is used for the DOWNLINK ACCESS with an omnidirectional antenna that also provides the client access. Create WLAN on the WLC with the appropriate SSID mapped to the correct interface (VLAN). After you create a WLAN, it is applied to all the radios by default. If you want to enable client access only on 802.11a radios, choose only the appropriate radio policy from the list. |
Enabling client access on both backhaul slots
Same BSSIDs will be used on both slots
All Mesh Serial Backhaul APs will be rebooted
Are you sure you want to start? (y/N)
Backhaul with client access status: enabled
Backhaul with client access extended status(3 radio AP): enabled
All Mesh APs will be rebooted Are you sure you want to start? (y/N)
All Mesh APs will be rebooted Are you sure you want to start? (y/N)
Step 1 | Choose Controllers > Controller IP Address > Mesh > Mesh Settings. The Mesh page when Backhaul Client Access is disabled appears. |
Step 2 | Select the Client Access on Backhaul Link check box to display the Extended Backhaul Client Access check box. |
Step 3 | Select the Extended Backhaul Client Access check box and click Apply. A message appears indicating the possible results of enabling the Extended Backhaul Client Access. |
Step 4 | Click OK to continue. |
After configuring global mesh parameters, you must configure the following local mesh parameters for these specific features if in use in your network:
Backhaul is used to create only the wireless connection between the access points. The backhaul interface by default is 802.11a or 802.11a/n depending upon the access point. The rate selection is important for effective use of the available RF spectrum. The rate can also affect the throughput of client devices, and throughput is an important metric used by industry publications to evaluate vendor devices.
Dynamic Rate Adaptation (DRA) introduces a process to estimate optimal transmission rate for packet transmissions. It is important to select rates correctly. If the rate is too high, packet transmissions fail resulting in communication failure. If the rate is too low, the available channel bandwidth is not used, resulting in inferior products, and the potential for catastrophic network congestion and collapse.
Data rates also affect the RF coverage and network performance. Lower data rates, for example 6 Mbps, can extend farther from the access point than can higher data rates, for example 300 Mbps. As a result, the data rate affects cell coverage and consequently the number of access points required. Different data rates are achieved by sending a more redundant signal on the wireless link, allowing data to be easily recovered from noise. The number of symbols sent out for a packet at the 1-Mbps data rate is higher than the number of symbols used for the same packet at 11 Mbps. Therefore, sending data at the lower bit rates takes more time than sending the equivalent data at a higher bit rate, resulting in reduced throughput.
In the controller release 5.2, the default data rate for the mesh 5-GHz backhaul is 24 Mbps. It remains the same with 6.0 and 7.0 controller releases.
With the 6.0 controller release, the mesh backhaul can be configured for the 'Auto' data rate. Once configured, the access point picks the highest rate at which the next higher rate cannot be used because conditions are unsuitable for that specific rate, rather than because of conditions that affect all rates. That is, each link is free to settle at the best possible rate for its own link quality.
We recommend that you configure the mesh backhaul to Auto.
For example, if the mesh backhaul chose 48 Mbps, that decision is taken after ensuring that 54 Mbps cannot be used because there is not enough SNR for 54 Mbps, and not because someone just turned on a microwave oven, which affects all rates.
A lower bit rate might allow a greater distance between MAPs, but there are likely to be gaps in the WLAN client coverage, and the capacity of the backhaul network is reduced. An increased bit rate for the backhaul network either requires more MAPs or results in a reduced SNR between MAPs, limiting mesh reliability and interconnection.
This figure shows the RAP using the "auto" backhaul data rate, and it is currently using 54 Mbps with its child MAP.
Note | The data rate can be set on the backhaul on a per-AP basis. It is not a global command. |
Use these commands to obtain information about backhaul:
(controller) > config ap bhrate backhaul-rate ap-name
Note | Preconfigured data rates for each AP (RAP=18 Mbps, MAP1=36 Mbps) are preserved after the upgrade to 6.0 or later software releases. Before you upgrade to the 6.0 release, if you have the backhaul data rate configured to any data rate, then the configuration is preserved. The following example shows how to configure a backhaul rate of 36000 Kbps on a RAP:
(controller) > config ap bhrate 36000 HPRAP1 |
(controller) > show ap bhrate ap-name
(controller) > show mesh neigh summary HPRAP1
AP Name/Radio      Channel  Rate  Link-Snr  Flags       State
-----------------  -------  ----  --------  ----------  -----
00:0B:85:5C:B9:20  0        auto  4         0x10e8fcb8  BEACON
00:0B:85:5F:FF:60  0        auto  4         0x10e8fcb8  BEACON DEFAULT
00:0B:85:62:1E:00  165      auto  4         0x10e8fcb8  BEACON
00:0B:85:70:8C:A0  0        auto  1         0x10e8fcb8  BEACON
HPMAP1             165      54    40        0x36        CHILD BEACON
HJMAP2             0        auto  4         0x10e8fcb8  BEACON
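The neighbor summary above is the table to watch when a backhaul rate is set too high for the link: a CHILD entry whose Link-Snr drops under the Low Link SNR alarm criterion (12 in the show mesh config output on this page) is a hop that will start failing packet transmissions. The following is an added example, not code from the Cisco guide, that parses this table and flags weak child links. The sample table is constructed in the shape of the guide's output, with an invented HPMAP3 row added to show a weak child; the function names are assumptions.

```python
"""Parse 'show mesh neigh summary' output and flag weak child links.
Added example (not from the Cisco guide); sample data is constructed."""
from dataclasses import dataclass

# Constructed sample shaped like the guide's output, plus one weak child (HPMAP3).
SAMPLE_NEIGH_SUMMARY = """\
AP Name/Radio     Channel  Rate  Link-Snr  Flags       State
---------------   -------  ----  --------  ----------  -----
00:0B:85:5C:B9:20 0 auto 4 0x10e8fcb8 BEACON
00:0B:85:5F:FF:60 0 auto 4 0x10e8fcb8 BEACON DEFAULT
HPMAP1 165 54 40 0x36 CHILD BEACON
HPMAP3 165 auto 9 0x36 CHILD BEACON
HJMAP2 0 auto 4 0x10e8fcb8 BEACON
"""


@dataclass
class Neighbor:
    name: str
    channel: int
    rate: str        # "auto" or a fixed backhaul rate in Mbps
    link_snr: int
    flags: str
    state: str       # one or more words, e.g. "CHILD BEACON"


def parse_neigh_summary(text):
    """Turn the table into Neighbor records; the header and rule lines are
    skipped. State is everything after the flags column because it can be
    more than one word (BEACON DEFAULT, CHILD BEACON)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0].startswith("---") or parts[:2] == ["AP", "Name/Radio"]:
            continue
        name, channel, rate, snr, flags = parts[:5]
        rows.append(Neighbor(name, int(channel), rate, int(snr), flags, " ".join(parts[5:])))
    return rows


def weak_child_links(neighbors, low_link_snr=12):
    """Names of CHILD links below the Low Link SNR alarm threshold. Plain
    beacon neighbors are ignored: they carry no mesh traffic for this AP."""
    return [n.name for n in neighbors
            if "CHILD" in n.state.split() and n.link_snr < low_link_snr]


if __name__ == "__main__":
    neighbors = parse_neigh_summary(SAMPLE_NEIGH_SUMMARY)
    print(f"{len(neighbors)} neighbors; weak child links: {weak_child_links(neighbors)}")
```

Feed the function the captured output of `show mesh neigh summary` for each RAP, with `low_link_snr` set to the Low Link SNR value from `show mesh config`, and it returns the children whose backhaul rate should be reviewed.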
Backhaul capacity and throughput depend upon the type of the AP (whether it is 802.11a/n or only 802.11a), the number of backhaul radios it has, and so on.
In AP1524 SB, Slot 2 in the 5-GHz radio in the RAP is used to extend the backhaul in the downlink direction, whereas Slot 2 in the 5-GHz radio in the MAP is used for backhaul in the uplink. We recommend using a directional antenna with the Slot 2 radio. MAPs extend Slot 1 radio in the downlink direction with Omni or directional antenna also providing client access. Client access can be provided on the Slot 2 radio from the 7.0 release onwards.
AP1524SB provides you with better throughput, and throughput rarely degrades after the first hop. The performance of AP1524SB is better than AP1522 and AP1524PS because these APs have only a single radio for the backhaul uplink and downlink (see the figures below).
Note | With DRA, each hop uses the best possible data rate for the backhaul. The data rate can be changed on a per-AP basis. |
Note | Using 1552 802.11n provides you higher throughput and more capacity. It offers a very fat backhaul pipe to start with from the RAP. |
For security reasons, the Ethernet port on all MAPs is disabled by default. It can be enabled only by configuring Ethernet bridging on the root and its respective MAP.
Note | Enable Spanning Tree Protocol (STP) on all connected switch ports to avoid Layer 2 looping. |
Ethernet bridging has to be enabled for two scenarios:
Note | You do not need to configure VLAN tagging to use Ethernet bridging for point-to-point and point-to-multipoint bridging deployments. |
To enable Ethernet bridging on a RAP or MAP using the GUI, follow these steps:
Step 1: Choose Wireless > All APs.
Step 2: Click the AP name link of the mesh access point on which you want to enable Ethernet bridging.
Step 3: At the details page, select the Mesh tab (see Figure 1).
Step 4: Select either RootAP or MeshAP from the AP Role drop-down list, if not already selected.
Step 5: Select the Ethernet Bridging check box to enable Ethernet bridging or deselect it to disable this feature.
Step 6: Click Apply to commit your changes. An Ethernet Bridging section appears at the bottom of the page listing each of the Ethernet ports of the mesh access point.
Step 7: Ensure that you enable Ethernet bridging for every parent mesh AP on the path from the mesh AP in question to the controller. For example, if you enable Ethernet bridging on MAP2 in Hop 2, then you must also enable Ethernet bridging on MAP1 (parent MAP), and on the RAP connecting to the controller.
Bridge group names (BGNs) control the association of mesh access points. BGNs can logically group radios so that two networks on the same channel do not communicate with each other. The setting is also useful if you have more than one RAP in your network in the same sector (area). A BGN is a string of at most 10 characters.
A NULL VALUE BGN is assigned by default at manufacturing. Although not visible to you, it allows a mesh access point to join the network prior to your assignment of your network-specific BGN.
If you have two RAPs in your network in the same sector (for more capacity), we recommend that you configure the two RAPs with the same BGN, but on different channels.
Step 1: To set a bridge group name (BGN), enter this command:
config ap bridgegroupname set group-name ap-name
Step 2: To verify the BGN, enter the following command:
A public safety band (4.9 GHz) is supported on the AP1522 and AP1524PS.
The 4.9-GHz subband radio on the AP1524PS supports public safety channels within the 5-MHz (channels 1 to 10), 10-MHz (channels 11 to 19), and 20-MHz (channels 20 to 26) bandwidths.
When you attempt to enable the 4.9-GHz band, you get a warning that the band is a licensed band in most parts of the world.
(Cisco Controller)> show mesh public-safety
Global Public Safety status: enabled
Cisco AP1522 and AP1524PS can interoperate with the Cisco 3200 on the public safety channel (4.9-GHz) as well as the 2.4-GHz access and 5.8-GHz backhaul.
The Cisco 3200 creates an in-vehicle network in which devices such as PCs, surveillance cameras, digital video recorders, printers, PDAs, and scanners can share wireless networks such as cellular or WLAN-based services back to the main infrastructure. This feature allows data collected from in-vehicle deployments such as police cars to be integrated into the overall wireless infrastructure.
This section provides configuration guidelines and step-by-step instructions for configuring interoperability between the Cisco 3200 and the AP1522 and the AP1524PS.
For specific interoperability details between series 1130, 1240, and 1520 (1522, 1524PS) mesh access points and Cisco 3200, see Table 1.
For the AP1522 or AP1524PS and Cisco 3200 to interoperate on the public safety network, the following configuration guidelines must be met:
The default channel width for Cisco 3200s is 5 MHz. You must either change the channel width to 10 or 20 MHz to enable WGBs to associate with the AP1522 and AP1524PS or change the channel on the AP1522 or AP1524PS to a channel in the 5-MHz band (channels 1 to 10) or 10-MHz band (channels 11 to 19).
Step 1: To enable the backhaul for client access, choose Wireless > Mesh to access the Mesh page.
Step 2: Select the Backhaul Client Access Enabled check box to allow wireless client association over the 802.11a radio. Click Apply.
Step 3: To assign the channel to use for the backhaul (channels 20 through 26), click Wireless > Access Points > Radio and select 802.11a/n from the Radio subheading. A summary page for all 802.11a radios displays.
Step 4: At the Antenna drop-down list for the appropriate RAP, select Configure. The Configure page is displayed.
Step 5: At the RF Backhaul Channel Assignment section, select the Custom option for the Assignment Method option and select any channel between 1 and 26.
Step 6: Click Apply to commit your changes.
Step 7: Click Save Configuration to save your changes.
Step 1: To enable client access mode on the AP1522, enter this command:
Step 2: To enable the public safety on a global basis, enter this command:
Step 3: To enable the public safety channels, enter these commands:
Step 4: To save your changes, enter this command:
Step 5: To verify your configuration, enter these commands:
show ap config 802.11a summary (1522 only)
show ap config 802.11-a49 summary (1524PS only)
The backhaul channel (802.11a/n) can be configured on a RAP. MAPs tune to the RAP channel. Local access can be configured independently for each MAP.
Step 1: Choose Wireless > Access Points > 802.11a/n.
Step 2: Select Configure from the Antenna drop-down list for the 802.11a/n radio. The Configure page is displayed.
Step 3: Assign a channel (assignment methods of global and custom) for the radio.
Step 4: Assign Tx power levels (global and custom) for the radio. There are five selectable power levels for the 802.11a backhaul for AP1500s.
Step 5: Click Apply when power and channel assignment are complete.
Step 6: From the 802.11a/n Radios page, verify that channel assignments were made correctly.
To configure channels on the serial backhaul of the RAP using the controller CLI, follow these steps:
Step 1: To configure the backhaul channel on the radio in slot 2 of the RAP, enter this command:
config slot 2 channel ap Cisco_RAPSB channel
The available channels for the 5.8-GHz band are 149, 153, 157, 161, and 165.
Step 2: To configure the transmit power level on the radio in slot 2 of the RAP, enter this command:
Step 3: To display the configurations on the mesh access points, enter these commands:
AP Name/Radio   Channel   Rate   Link-Snr   Flags        State
MAP1SB          161       auto   60         0x10ea9d54   UPDATED NEIGH PARENT BEACON
RAPSB           153       auto   51         0x10ea9d54   UPDATED NEIGH PARENT BEACON
RAPSB is a Root AP.
Current Backhaul Slot(s)......................... 1, 2,
Basic Attributes for Slot 1
  Radio Type................................... RADIO_TYPE_80211a
  Radio Role................................... ACCESS
  Administrative State ........................ ADMIN_ENABLED
  Operation State ............................. UP
  Current Tx Power Level ...................... 1
  Current Channel ............................. 165
  Antenna Type................................. EXTERNAL_ANTENNA
  External Antenna Gain (in .5 dBm units)...... 0
Basic Attributes for Slot 2
  Radio Type................................... RADIO_TYPE_80211a
  Radio Role................................... RADIO_DOWNLINK
  Administrative State ........................ ADMIN_ENABLED
  Operation State ............................. UP
  Current Tx Power Level ...................... 3
  Current Channel ............................. 153
  Antenna Type................................. EXTERNAL_ANTENNA
  External Antenna Gain (in .5 dBm units)...... 0
802.11b/g Current Channel ................. 11
  Slot Id ................................... 0
  Allowed Channel List....................... 1,2,3,4,5,6,7,8,9,10,11
802.11a(5.8Ghz) Current Channel ........... 161
  Slot Id ................................... 1
  Allowed Channel List....................... 149,153,157,161,165
802.11a(5.8Ghz) Current Channel ........... 153
  Slot Id ................................... 2
  Allowed Channel List....................... 149,153,157,161,165
You must configure the antenna gain for the mesh access point to match that of the antenna installed using the controller GUI or controller CLI.
To configure antenna parameters using the controller GUI, follow these steps:
Step 1: Choose Wireless > Access Points > Radio > 802.11a/n to open the 802.11a/n Radios page.
Step 2: For the mesh access point antenna you want to configure, hover the mouse over the blue arrow (far right) to display antenna options. Choose Configure.
Step 3: In the Antenna Parameters section, enter the antenna gain. The gain is entered in 0.5 dBm units. For example, 2.5 dBm = 5.
Step 4: Click Apply and then Save Configuration to save the changes.
Enter this command to configure the antenna gain for the 802.11a backhaul radio using the controller CLI:
config 802.11a antenna extAntGain antenna_gain AP_name
where antenna_gain is entered in 0.5-dBm units (for example, 2.5 dBm = 5).
This feature is applicable to mesh APs with two 5-GHz radios, such as 1524SB (serial backhaul).
The backhaul channel deselection feature helps you to restrict the set of channels available to be assigned for the serial backhaul MAPs and RAPs. Because 1524SB MAP channels are automatically assigned, this feature helps in regulating the set of channels that get assigned to mesh access points. For example, if you do not want channel 165 to get assigned to any of the 1524SB mesh access points, you need to remove channel 165 from the DCA list and enable this feature.
When you remove certain channels from the DCA list and enable the mesh backhaul dca-channels command, those channels will not be assigned to any serial backhaul access points in any scenario. Even if radar is detected on every channel in the DCA list, the radio is shut down rather than moved to a channel outside the list. A trap message is sent to the Prime Infrastructure, and the message is displayed showing that the radio has been shut down because of DFS. You will not be able to assign channels to the serial backhaul RAP outside of the DCA list while the config mesh backhaul dca-channels enable command is in effect. However, this is not the case for APs with one 5-GHz radio, such as the 1552, 1522, and 1524PS APs. For these APs, you can assign any channel outside of the DCA list for a RAP, and the controller/AP can also select a channel outside of the DCA list if no radar-free channel is available from the list.
This feature is best suited in an interoperability scenario with indoor mesh access points or workgroup bridges that support a channel set that is different from outdoor access points. For example, channel 165 is supported by outdoor access points but not by indoor access points in the -A domain. By enabling the backhaul channel deselection feature, you can restrict the channel assignment to only those channels that are common to both indoor and outdoor access points.
Note: Channel deselection is applicable to 7.0 and later releases. In some scenarios, there may be two linear tracks or roads for mobility side by side. Because channel selection of MAPs happens automatically, there can be a hop at a channel which is not available on the autonomous side, or the channel has to be skipped when the same or adjacent channel is selected in a neighborhood access point that belongs to a different linear chain.
Step 1: Choose Controller > Wireless > 802.11a/n > RRM > DCA.
Step 2: Select one or more channels to include in the DCA list. The channels included in the DCA list will not be assigned to the access points associated to this controller during automatic channel assignment.
Step 3: Choose Wireless > Mesh.
Step 4: Select the Mesh DCA Channels check box to enable the backhaul channel deselection using the DCA list. This option is applicable for serial backhaul access points.
Step 5: After you enable the backhaul deselection option, choose Wireless > Access Points > Radios > 802.11a/n to configure the channel for the RAP downlink radio.
Step 6: From the list of access points, click on the Antenna drop-down list for a RAP and choose Configure.
Step 7: In the RF Backhaul Channel assignment section, choose Custom.
Step 8: Select a channel for the RAP downlink radio from the drop-down list, which appears when you choose Custom.
Step 9: Click Apply to apply and save the backhaul channel deselection configuration changes.
To configure backhaul channel deselection using CLI, follow these steps:
Step 1: From the controller prompt, enter the show advanced 802.11a channel command to review the channel list already configured in the DCA list.
(Controller) > show advanced 802.11a channel
Automatic Channel Assignment
  Channel Assignment Mode........................ AUTO
  Channel Update Interval........................ 600 seconds
  Anchor time (Hour of the day).................. 0
  Channel Update Contribution.................... SNI..
  CleanAir Event-driven RRM option............... Enabled
  CleanAir Event-driven RRM sensitivity.......... Medium
  Channel Assignment Leader...................... 09:2b:16:28:00:03
  Last Run....................................... 286 seconds ago
  DCA Sensitivity Level.......................... MEDIUM (15 dB)
  DCA 802.11n Channel Width...................... 20 MHz
  DCA Minimum Energy Limit....................... -95 dBm
  Channel Energy Levels
    Minimum...................................... unknown
    Average...................................... unknown
    Maximum...................................... unknown
  Channel Dwell Times
    Minimum...................................... 0 days, 17 h 02 m 05 s
    Average...................................... 0 days, 17 h 46 m 07 s
    Maximum...................................... 0 days, 18 h 28 m 58 s
  802.11a 5 GHz Auto-RF Channel List
--More-- or (q)uit
    Allowed Channel List......................... 36,40,44,48,52,56,60,64,116,
                                                  140
    Unused Channel List.......................... 100,104,108,112,120,124,128,
                                                  132,136
  DCA Outdoor AP option.......................... Disabled
Step 2: To add a channel to the DCA list, enter the config advanced 802.11a channel add channel number command, where channel number is the channel number that you want to add to the DCA list. You can also delete a channel from the DCA list by entering the config advanced 802.11a channel delete channel number command, where channel number is the channel number that you want to delete from the DCA list. Before you add or delete a channel to or from the DCA list, ensure that the 802.11a network is disabled.
Step 3: After a suitable DCA list has been created, enter the config mesh backhaul dca-channels enable command to enable the backhaul channel deselection feature for mesh access points. You can enter the config mesh backhaul dca-channels disable command if you want to disable the backhaul channel deselection feature for mesh access points. It is not required that you disable the 802.11a network to enable or disable this feature. The following is a sample output:
(Controller) > config mesh backhaul dca-channels enable
802.11a 5 GHz Auto-RF:
    Allowed Channel List......................... 36,40,44,48,52,56,60,64,116,
                                                  140
Enabling DCA channels for c1524 mesh APs will limit the channel set to the DCA channel list.
DCA list should have at least 3 non public safety channels supported by Serial Backhaul Mesh APs.
Otherwise, the Serial Backhaul Mesh APs can get stranded.
Are you sure you want to continue? (y/N)y
(Controller) > config mesh backhaul dca-channels disable
Step 4: To check the current status of the backhaul channel deselection feature, enter the show mesh config command. The following is a sample output:
(Controller) > show mesh config
Mesh Range....................................... 12000
Mesh Statistics update period.................... 3 minutes
Backhaul with client access status............... enabled
Background Scanning State........................ enabled
Backhaul Amsdu State............................. disabled
Mesh Security
  Security Mode................................. PSK
  External-Auth................................. enabled
  Radius Server 1............................ 209.165.200.240
  Use MAC Filter in External AAA server......... disabled
  Force External Authentication................. disabled
Mesh Alarm Criteria
  Max Hop Count................................. 4
  Recommended Max Children for MAP.............. 10
  Recommended Max Children for RAP.............. 20
  Low Link SNR.................................. 12
  High Link SNR................................. 60
  Max Association Number........................ 10
  Association Interval.......................... 60 minutes
  Parent Change Numbers......................... 3
--More-- or (q)uit
  Parent Change Interval........................ 60 minutes
Mesh Multicast Mode.............................. In-Out
Mesh Full Sector DFS............................. enabled
Mesh Ethernet Bridging VLAN Transparent Mode..... enabled
Mesh DCA channels for Serial Backhaul APs................ disabled
Step 5: Enter the config slot slot number channel ap ap-name channel number command to assign a particular channel to the 1524 RAP downlink radio.
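The controller's own warning in Step 3 states the rule: the DCA list must leave at least 3 non-public-safety channels that the serial backhaul APs support, or those APs can be stranded, and once the feature is enabled a radar hit on every listed channel shuts the radio down instead of moving it off-list. The following script is an added example (not Cisco's code) that applies that rule to the two outputs above before you enable the feature; it assumes the serial backhaul channel set 149-165 from the show ap config sample on this page, 4.9-GHz public safety channels numbered 1 to 26, and the -A domain DFS channel ranges, all of which are regulatory-domain specific.

```python
"""Pre-check for 'config mesh backhaul dca-channels enable'.

Added example, not Cisco's code. Parses the 'Allowed Channel List' from
'show advanced 802.11a channel' and the feature status from 'show mesh config',
then applies the controller's rule: at least 3 non-public-safety channels in
the DCA list must be supported by the serial backhaul (1524SB) radios.
"""
import re

# Constructed sample, shaped like the page's 'show advanced 802.11a channel'.
SHOW_ADVANCED_CHANNEL = """\
  802.11a 5 GHz Auto-RF Channel List
--More-- or (q)uit
    Allowed Channel List......................... 36,40,44,48,52,56,60,64,116,
                                                  140
    Unused Channel List.......................... 100,104,108,112,120,124,128,
                                                  132,136
  DCA Outdoor AP option.......................... Disabled
"""

# Constructed sample, shaped like the tail of the page's 'show mesh config'.
SHOW_MESH_CONFIG = """\
Mesh Full Sector DFS............................. enabled
Mesh Ethernet Bridging VLAN Transparent Mode..... enabled
Mesh DCA channels for Serial Backhaul APs................ disabled
"""

# Assumption: channels the serial backhaul radios support, taken from the
# 'show ap config 802.11a' sample on this page (-A domain, 5.8 GHz only).
SERIAL_BACKHAUL_CHANNELS = {149, 153, 157, 161, 165}
# 4.9-GHz public safety channels are numbered 1 to 26 on these controllers.
PUBLIC_SAFETY_CHANNELS = set(range(1, 27))
# Assumption: DFS (radar-protected) channels in the -A domain.
DFS_CHANNELS = set(range(52, 65, 4)) | set(range(100, 145, 4))
MIN_USABLE = 3  # threshold printed by the controller's warning


def parse_channel_list(output, label):
    """Return the channel numbers listed after `label`, joining wrapped lines."""
    lines = output.splitlines()
    for i, line in enumerate(lines):
        if not line.strip().startswith(label):
            continue
        text = line.split(".")[-1]          # everything after the dot leader
        # The controller wraps long lists; a trailing comma means more follows.
        while text.rstrip().endswith(",") and i + 1 < len(lines):
            i += 1
            text += lines[i]
        return {int(n) for n in re.findall(r"\d+", text)}
    raise ValueError(f"{label!r} not found in output")


def feature_status(output, label="Mesh DCA channels for Serial Backhaul APs"):
    """Return 'enabled' or 'disabled' as shown by 'show mesh config'."""
    match = re.search(re.escape(label) + r"\.+\s*(\w+)", output)
    if not match:
        raise ValueError(f"{label!r} not found in output")
    return match.group(1).lower()


def assess(dca_channels, supported=SERIAL_BACKHAUL_CHANNELS):
    """Apply the controller's stranding rule plus a DFS-only sanity check."""
    usable = sorted((dca_channels & supported) - PUBLIC_SAFETY_CHANNELS)
    non_dfs = [c for c in usable if c not in DFS_CHANNELS]
    findings = []
    if len(usable) < MIN_USABLE:
        findings.append(f"only {len(usable)} usable serial-backhaul channel(s) "
                        f"{usable}; the controller requires {MIN_USABLE}")
    elif not non_dfs:
        findings.append("every usable channel is DFS: radar on all of them "
                        "shuts the radios down instead of moving off-list")
    return {"usable": usable, "non_dfs": non_dfs,
            "safe_to_enable": not findings, "findings": findings}


def precheck(advanced_output, mesh_config_output):
    """Combine both outputs into one go/no-go report."""
    report = assess(parse_channel_list(advanced_output, "Allowed Channel List"))
    report["currently"] = feature_status(mesh_config_output)
    return report


if __name__ == "__main__":
    result = precheck(SHOW_ADVANCED_CHANNEL, SHOW_MESH_CONFIG)
    print(f"feature currently {result['currently']}; safe to enable: "
          f"{result['safe_to_enable']}")
    for finding in result["findings"]:
        print(" -", finding)
```

On the page's own sample list (36 to 64, 116, 140) the check fails, because none of those channels are in the 149 to 165 set the serial backhaul radios report; add at least three of those channels to the DCA list first.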
Follow these guidelines when configuring backhaul channel deselection:
Channel changed for Base Radio MAC: 00:1e:bd:19:7b:00 on 802.11a radio. Old channel: 132. New Channel: 116. Why: Radar. Energy before/after change: 0/0. Noise before/after change: 0/0. Interference before/after change: 0/0.
Radar signals have been detected on channel 132 by 802.11a radio with MAC: 00:1e:bd:19:7b:00 and slot 2
Using the controller GUI, follow these steps to specify the channels that the dynamic channel assignment (DCA) algorithm considers when selecting the channels to be used for RRM scanning. This functionality is helpful when you know that the clients do not support certain channels because they are legacy devices or they have certain regulatory restrictions.
The steps outlined in this section are only relevant to mesh networks.
Step 1: To disable the 802.11a/n or 802.11b/g/n network, follow these steps:
Step 2: Choose Wireless > 802.11a/n or 802.11b/g/n > RRM > DCA to open the 802.11a (or 802.11b/g) > RRM > Dynamic Channel Assignment (DCA) page.
Step 3: Choose one of the following options from the Channel Assignment Method drop-down list to specify the controller’s DCA mode:
Step 4: From the Interval drop-down list, choose one of the following options to specify how often the DCA algorithm is allowed to run: 10 minutes, 1 hour, 2 hours, 3 hours, 4 hours, 6 hours, 8 hours, 12 hours, or 24 hours. The default value is 10 minutes.
Step 5: From the AnchorTime drop-down list, choose a number to specify the time of day when the DCA algorithm is to start. The options are numbers between 0 and 23 (inclusive) representing the hour of the day from 12:00 a.m. to 11:00 p.m.
Step 6: Select the Avoid Foreign AP Interference check box to cause the controller’s RRM algorithms to consider 802.11 traffic from foreign access points (those access points not included in your wireless network) when assigning channels to lightweight access points, or deselect it to disable this feature. For example, RRM may adjust the channel assignment to have access points avoid channels close to foreign access points. The default value is checked.
Step 7: Select the Avoid Cisco AP Load check box to cause the controller’s RRM algorithms to consider 802.11 traffic from Cisco lightweight access points in your wireless network when assigning channels, or deselect it to disable this feature. For example, RRM can assign better reuse patterns to access points that carry a heavier traffic load. The default value is deselected.
Step 8: Select the Avoid Non-802.11a (802.11b) Noise check box to cause the controller’s RRM algorithms to consider noise (non-802.11 traffic) in the channel when assigning channels to lightweight access points, or deselect it to disable this feature. For example, RRM may have access points avoid channels with significant interference from non-access-point sources, such as microwave ovens. The default value is checked.
Step 9: From the DCA Channel Sensitivity drop-down list, choose one of the following options to specify how sensitive the DCA algorithm is to environmental changes such as signal, load, noise, and interference when determining whether to change channels:
Step 10: For 802.11a/n networks only, choose one of the following Channel Width options to specify the channel bandwidth supported for all 802.11n radios in the 5-GHz band:
Step 11: In the DCA Channel List section, the DCA Channels field shows the channels that are currently selected. To choose a channel, select its check box in the Select column. To exclude a channel, deselect its check box.
Range: 802.11a—36, 40, 44, 48, 52, 56, 60, 64, 100, 104, 108, 112, 116, 132, 136, 140, 149, 153, 157, 161, 165, 190, 196
802.11b/g—1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11
Default: 802.11a—36, 40, 44, 48, 52, 56, 60, 64, 100, 104, 108, 112, 116, 132, 136, 140, 149, 153, 157, 161
802.11b/g—1, 6, 11
Step 12: If you are using AP1500s in your network, you must set the 4.9-GHz channels in the 802.11a band on which they are to operate. The 4.9-GHz band is for public safety client access traffic only. To choose a 4.9-GHz channel, select its check box in the Select column. To exclude a channel, deselect its check box.
Range: 802.11a—1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26
Step 13: Click Apply to commit your changes.
Step 14: To reenable the 802.11a or 802.11b/g network, follow these steps:
Step 15: Click Save Configuration to save your changes.
Until the 7.0 release, mesh used the 5-GHz radio for backhaul, and the 2.4-GHz radio was used only for client access. The reasons for using only the 5-GHz radio for backhaul are as follows:
However, under certain conditions, such as dense foliage areas, you might have needed to use the 2.4-GHz band for a backhaul because it has better penetration.
With the 7.0.116.0 release, you can configure an entire mesh network to use a single backhaul that can be either 5 GHz or 2.4 GHz.
Caution: This feature is available only for the AP1522 (two radios). This feature should be used only after exploring the 5-GHz backhaul option.
Caution: We recommend that you use 5 GHz as the first option and use 2.4 GHz only if the 5-GHz option does not work.
Changing the Backhaul from 5 GHz to 2.4 GHz
When you specify only the RAP name as an argument to the command, the whole mesh sector changes to 2.4 GHz or 5 GHz backhaul. The warning messages indicate the change in backhaul, whether it is from 2.4 GHz to 5 GHz or vice versa.
Note: The 2.4-GHz backhaul cannot be configured using the controller user interface, but only through the CLI.
To change the backhaul from 5 GHz to 2.4 GHz, follow these steps:
Step 1: To change the backhaul, enter the following command:
(Cisco Controller) > config mesh backhaul slot 0 enable RAP
The following message appears:
Warning! Changing backhaul slot will bring down the mesh for renegotiation!!!
After backhaul is changed, 5 GHz client access channels need to be changed manually
Are you sure you want to continue? (y/N)
Press y.
Step 2: To change the backhaul from 2.4 GHz to 5 GHz, enter the following command:
(Cisco Controller) > config mesh backhaul slot 1 enable RAP
The following message appears:
Warning! Changing backhaul slot will bring down the mesh for renegotiation!!!
Are you sure you want to continue? (y/N)
Press y.
Step 3: To verify the current backhaul in use, enter the following command:
(Cisco Controller) > show mesh backhaul AP_name
Ethernet VLAN tagging allows specific application traffic to be segmented within a wireless mesh network and then forwarded (bridged) to a wired LAN (access mode) or bridged to another wireless mesh network (trunk mode).
A typical public safety access application that uses Ethernet VLAN tagging is the placement of video surveillance cameras at various outdoor locations within a city. Each of these video cameras has a wired connection to a MAP. The video of all these cameras is then streamed across the wireless backhaul to a central command station on a wired network.
Ethernet VLAN tagging allows Ethernet ports to be configured as normal, access, or trunk in both indoor and outdoor implementations:
Note: When VLAN Transparent is disabled, the default Ethernet port mode is normal. VLAN Transparent must be disabled for VLAN tagging to operate and to allow configuration of Ethernet ports. To disable VLAN Transparent, which is a global parameter, see the Configuring Global Mesh Parameters section.
Ethernet VLAN tagging operates on Ethernet ports that are not used as backhauls.
Note: In the controller releases prior to 7.2, the Root Access Point (RAP) native VLAN is forwarded out of Mesh Access Point (MAP) Ethernet ports with Mesh Ethernet Bridging and VLAN Transparent enabled. In the 7.2 and later controller releases, the Root Access Point (RAP) native VLAN is not forwarded out of Mesh Access Point (MAP) Ethernet ports with Mesh Ethernet Bridging and VLAN Transparent enabled. This change in behavior increases reliability and minimizes the possibility of forwarding loops on Mesh Backhauls.
Follow these guidelines for Ethernet tagging:
To support a VLAN on a mesh access point, all the uplink mesh access points must also support the same VLAN to allow segregation of traffic that belongs to different VLANs. The activity by which a mesh access point communicates its requirements for a VLAN and gets a response from its parent is known as VLAN registration.
Note: VLAN registration occurs automatically. No user intervention is required.
VLAN registration is summarized below:
You must enable Ethernet bridging before you can configure VLAN tagging.
To enable VLAN tagging on a RAP or MAP using the GUI, follow these steps:
Step 1: After enabling Ethernet bridging, choose Wireless > All APs.
Step 2: Click the AP name link of the mesh access point on which you want to enable VLAN tagging.
Step 3: On the details page, select the Mesh tab.
Step 4: Select the Ethernet Bridging check box to enable the feature and click Apply. An Ethernet Bridging section appears at the bottom of the page listing each of the four Ethernet ports of the mesh access point.
Step 5: Click Apply.
Step 6: Click Save Configuration to save your changes.
To configure a MAP access port, enter this command:
config ap ethernet 1 mode access enable AP1500-MAP 50
where AP1500-MAP is the variable AP_name and 50 is the variable access_vlan ID.
To configure a RAP or MAP trunk port, enter this command:
config ap ethernet 0 mode trunk enable AP1500-MAP 60
where AP1500-MAP is the variable AP_name and 60 is the variable native_vlan ID.
To add a VLAN to the VLAN allowed list of the native VLAN, enter this command:
config ap ethernet 0 mode trunk add AP1500-MAP3 65
where AP1500-MAP3 is the variable AP_name and 65 is the variable VLAN ID.
To view VLAN configuration details for Ethernet interfaces on a specific mesh access point (AP Name) or all mesh access points (summary), enter this command:
show ap config ethernet ap-name
To see if VLAN transparent mode is enabled or disabled, enter this command:
show mesh config
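Two of the guidelines above share one rule: Ethernet bridging must be enabled on every parent MAP and the RAP on the path from a bridged MAP to the controller (Step 7 of the bridging procedure), and every uplink AP must carry a VLAN before a MAP's access port can register it. The script below is an added example (not Cisco's code, and it does not talk to a controller) that walks each MAP's parent chain over a constructed topology and reports the first hop where either condition fails; AP names, parents and VLAN sets are constructed sample data.

```python
"""Path checks for mesh Ethernet bridging and VLAN tagging.

Added example, not Cisco's code. Given a mesh parent map, the set of APs with
Ethernet bridging enabled, and the VLANs each AP carries, report for each MAP
every uplink hop that would break bridging or VLAN registration.
"""

# Constructed sample topology: child -> parent; the RAP has no parent.
PARENTS = {"RAP": None, "MAP1": "RAP", "MAP2": "MAP1", "MAP3": "RAP"}

# Constructed sample: bridging enabled on MAP2, MAP3 and the RAP but not on
# MAP1, which is exactly the mistake Step 7 above warns about.
BRIDGING_ENABLED = {"RAP", "MAP2", "MAP3"}

# Constructed sample: VLANs each AP carries on its trunk (native + allowed list,
# e.g. 'config ap ethernet 0 mode trunk add <ap> 65' adds 65). MAP1 lacks 65.
VLAN_SUPPORT = {"RAP": {60, 65}, "MAP1": {60}, "MAP2": {60, 65},
                "MAP3": {60, 65}}

# Constructed sample: VLANs requested by MAP access ports
# (e.g. 'config ap ethernet 1 mode access enable MAP2 65').
ACCESS_VLANS = {"MAP2": {65}, "MAP3": {65}}


def path_to_rap(ap, parents):
    """Return [ap, parent, ..., rap]; raise on a parent loop or unknown AP."""
    path, seen, node = [], set(), ap
    while node is not None:
        if node in seen:
            raise ValueError(f"parent loop at {node!r}: {path}")
        if node not in parents:
            raise ValueError(f"unknown AP {node!r} in parent chain of {ap!r}")
        seen.add(node)
        path.append(node)
        node = parents[node]
    return path


def bridging_gaps(parents, enabled):
    """For each AP with bridging enabled, list uplink hops that lack it."""
    gaps = {}
    for ap in sorted(enabled):
        uplinks = path_to_rap(ap, parents)[1:]   # skip the AP itself
        missing = [hop for hop in uplinks if hop not in enabled]
        if missing:
            gaps[ap] = missing
    return gaps


def vlan_gaps(parents, vlan_support, access_vlans):
    """For each (MAP, VLAN) access request, list uplinks not carrying the VLAN.

    Such a VLAN would fail registration, because every parent up to the RAP
    has to support it for the traffic to be segregated end to end.
    """
    gaps = {}
    for ap, vlans in sorted(access_vlans.items()):
        uplinks = path_to_rap(ap, parents)[1:]
        for vlan in sorted(vlans):
            missing = [hop for hop in uplinks
                       if vlan not in vlan_support.get(hop, set())]
            if missing:
                gaps[(ap, vlan)] = missing
    return gaps


if __name__ == "__main__":
    for ap, hops in bridging_gaps(PARENTS, BRIDGING_ENABLED).items():
        print(f"{ap}: enable Ethernet bridging on {', '.join(hops)}")
    for (ap, vlan), hops in vlan_gaps(PARENTS, VLAN_SUPPORT, ACCESS_VLANS).items():
        print(f"{ap} VLAN {vlan}: add the VLAN on {', '.join(hops)}")
```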
A workgroup bridge (WGB) is a small standalone unit that can provide a wireless infrastructure connection for Ethernet-enabled devices. Devices that do not have a wireless client adapter to connect to the wireless network can be connected to the WGB through the Ethernet port. The WGB is associated with the root AP through the wireless interface, which means that wired clients get access to the wireless network.
A WGB is used to connect wired networks over a single wireless segment by informing the mesh access point of all the clients that the WGB has on its wired segment via IAPP messages. The data packets for WGB clients contain an additional MAC address in the 802.11 header (4 MAC headers, versus the normal 3 MAC data headers). The additional MAC in the header is the address of the WGB itself. This additional MAC address is used to route the packet to and from the clients.
WGB association is supported on all radios of every mesh access point.
In the current architecture, when an autonomous AP functions as a workgroup bridge, one radio interface is used for controller connectivity, the Ethernet interface for wired client connectivity, and the other radio interface for wireless client connectivity. dot11radio 1 (5 GHz) can be used to connect to a controller (through the mesh infrastructure), with the Ethernet interface serving wired clients, and dot11radio 0 (2.4 GHz) can be used for wireless client connectivity. Depending on the requirement, either dot11radio 1 or dot11radio 0 can be used for client association or controller connectivity.
With the 7.0 release, a wireless client on the second radio of the WGB is not dissociated by the WGB upon losing its uplink to a wireless infrastructure or in a roaming scenario.
With two radios, one radio can be used for client access and the other radio can be used for accessing the access points. Having two independent radios performing two independent functions provides you better control and lowers the latency. Also, wireless clients on the second radio for the WGB do not get disassociated by the WGB when an uplink is lost or in a roaming scenario. One radio has to be configured as a Root AP (radio role) and the second radio has to be configured as a WGB (radio role).
Note: If one radio is configured as a WGB, then the second radio cannot be a WGB or a repeater.
The following features are not supported for use with a WGB:
A workgroup bridge (WGB) is used to connect wired networks over a single wireless segment by informing the mesh access point of all the clients that the WGB has on its wired segment via IAPP messages. In addition to the IAPP control messages, the data packets for WGB clients contain an extra MAC address in the 802.11 header (4 MAC headers, versus the normal 3 MAC data headers). The extra MAC in the header is the address of the workgroup bridge itself. This extra MAC address is used to route the packet to and from the clients.
WGB association is supported on both the 2.4-GHz (802.11b/g) and 5-GHz (802.11a) radios on the AP1522, and on the 2.4-GHz (802.11b) and 4.9-GHz (public safety) radios on the AP1524PS.
Supported platforms are the autonomous AP1130, AP1240, AP1310, and the Cisco 3200 Mobile Router (hereafter referred to as Cisco 3200); when configured as WGBs, these can associate with a mesh access point. See the “Cisco Workgroup Bridges” section in the Cisco Wireless LAN Controller Configuration Guide for configuration steps at http://www.cisco.com/en/US/products/ps6366/products_installation_and_configuration_guides_list.html
The supported WGB modes and capacities are as follows:
Note: If your mesh access point has two radios, you can only configure workgroup bridge mode on one of the radios. We recommend that you disable the second radio. Workgroup bridge mode is not supported on access points with three radios such as the AP1524SB.
Step 1: Choose Monitor > Clients.
Step 2: On the client summary page, click on the MAC address of the client or search for the client using its MAC address.
Step 3: In the page that appears, note that the client type is identified as a WGB (far right).
Step 4: Click on the MAC address of the client to view configuration details:
Follow these guidelines when you configure:
We recommend that you configure radio 0 (2.4 GHz) as a Root (one of the modes of operation for an autonomous AP) and radio 1 (5 GHz) as a WGB.
When you configure from the CLI, the following are mandatory:
Note: A native VLAN is always mapped to bridge group 1 by default. For other VLANs, the bridge group number matches the VLAN number; for example, for VLAN 46, the bridge group is 46.
In the following example, one SSID (WGBTEST) is used on both radios, and the SSID is the infrastructure SSID mapped to NATIVE VLAN 51. All radio interfaces are mapped to bridge group 1.
WGB1#config t
WGB1(config)#interface Dot11Radio1.51
WGB1(config-subif)#encapsulation dot1q 51 native
WGB1(config-subif)#bridge-group 1
WGB1(config-subif)#exit
WGB1(config)#interface Dot11Radio0.51
WGB1(config-subif)#encapsulation dot1q 51 native
WGB1(config-subif)#bridge-group 1
WGB1(config-subif)#exit
WGB1(config)#dot11 ssid WGBTEST
WGB1(config-ssid)#VLAN 51
WGB1(config-ssid)#authentication open
WGB1(config-ssid)#infrastructure-ssid
WGB1(config-ssid)#exit
WGB1(config)#interface Dot11Radio1
WGB1(config-if)#ssid WGBTEST
WGB1(config-if)#station-role workgroup-bridge
WGB1(config-if)#exit
WGB1(config)#interface Dot11Radio0
WGB1(config-if)#ssid WGBTEST
WGB1(config-if)#station-role root
WGB1(config-if)#exit
You can also use the GUI of an autonomous AP for configuration. From the GUI, subinterfaces are automatically created after the VLAN is defined.
Both the WGB association to the controller and the wireless client association to the WGB can be verified by entering the show dot11 associations client command on the autonomous AP.
WGB#show dot11 associations client
802.11 Client Stations on Dot11Radio1:
SSID [WGBTEST] :
MAC Address      IP Address       Device        Name    Parent   State
0024.130f.920e   209.165.200.225  LWAPP-Parent  RAPSB   -        Assoc
From the controller, choose Monitor > Clients. The WGB and the wireless or wired clients behind the WGB are listed, and those clients are shown as clients of the WGB.
A link test can also be run from the controller CLI using the following command:
(Cisco Controller) > linktest client mac-address
Link tests from the controller are limited to the WGB; they cannot be run from the controller beyond the WGB to a wired or wireless client connected to it. You can run a link test to a wireless client connected to the WGB from the WGB itself using the following command:
ap#dot11 dot11Radio 0 linktest target client-mac-address
Start linktest to 0040.96b8.d462, 100 512 byte packets
ap#
POOR (4% lost)     Time (msec)    Strength (dBm)    SNR Quality    Retries
                                  In     Out        In    Out      In      Out
Sent: 100          Avg. 22        -37    -83        48    3        Tot. 34  35
Lost to Tgt: 4     Max. 112       -34    -78        61    10       Max. 10  5
Lost to Src: 4     Min. 0         -40    -87        15    3
Rates (Src/Tgt) 24Mb 0/5 36Mb 25/0 48Mb 73/0 54Mb 2/91
Linktest Done in 24.464 msec
You can also use the following controller commands to display a summary of the WGBs and of the clients associated with a Cisco lightweight access point:
(Cisco Controller) > show wgb summary
Number of WGBs................................... 2
MAC Address        IP Address       AP Name  Status  WLAN  Auth  Protocol  Clients
00:1d:70:97:bd:e8  209.165.200.225  c1240    Assoc   2     Yes   802.11a   2
00:1e:be:27:5f:e2  209.165.200.226  c1240    Assoc   2     Yes   802.11a   5
(Cisco Controller) > show client summary
Number of Clients................................ 7
MAC Address        AP Name  Status      WLAN/Guest-Lan  Auth  Protocol  Port  Wired
00:00:24:ca:a9:b4  R14      Associated  1               Yes   N/A       29    No
00:24:c4:a0:61:3a  R14      Associated  1               Yes   802.11a   29    No
00:24:c4:a0:61:f4  R14      Associated  1               Yes   802.11a   29    No
00:24:c4:a0:61:f8  R14      Associated  1               Yes   802.11a   29    No
00:24:c4:a0:62:0a  R14      Associated  1               Yes   802.11a   29    No
00:24:c4:a0:62:42  R14      Associated  1               Yes   802.11a   29    No
00:24:c4:a0:71:d2  R14      Associated  1               Yes   802.11a   29    No
(Cisco Controller) > show wgb detail 00:1e:be:27:5f:e2
Number of wired client(s): 5
MAC Address        IP Address       AP Name  Mobility  WLAN  Auth
00:16:c7:5d:b4:8f  Unknown          c1240    Local     2     No
00:21:91:f8:e9:ae  209.165.200.232  c1240    Local     2     Yes
00:21:55:04:07:b5  209.165.200.234  c1240    Local     2     Yes
00:1e:58:31:c7:4a  209.165.200.236  c1240    Local     2     Yes
00:23:04:9a:0b:12  Unknown          c1240    Local     2     No
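The two controller outputs above are what an operator has to reconcile by hand when a client behind a WGB is missing or unauthenticated. The following Python script is an added example (not Cisco code) that parses show wgb summary and show wgb detail and cross-checks them: it confirms that the WGB itself is associated and authenticated, that the Clients count in the summary matches the number of rows in the detail output, that every client sits on the WGB's WLAN, and it lists clients that show Auth No or an Unknown IP address for review. The sample inputs are the page's own outputs embedded inline; the field names and finding texts are this example's, not the controller's.

```python
"""Cross-check `show wgb summary` against `show wgb detail` (added example, not Cisco code).

The inputs are the controller outputs shown on this page, embedded inline. Rows are
parsed by whitespace, so they must be in the controller's one-line-per-entry form.
Findings are items for an operator to review, not verdicts.
"""
import re

# A row of interest starts with a colon-separated MAC address.
MAC_RE = re.compile(r"^([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s", re.IGNORECASE)

WGB_SUMMARY = """\
(Cisco Controller) > show wgb summary
Number of WGBs................................... 2
MAC Address        IP Address       AP Name  Status  WLAN  Auth  Protocol  Clients
00:1d:70:97:bd:e8  209.165.200.225  c1240    Assoc   2     Yes   802.11a   2
00:1e:be:27:5f:e2  209.165.200.226  c1240    Assoc   2     Yes   802.11a   5
"""

WGB_DETAIL = """\
(Cisco Controller) > show wgb detail 00:1e:be:27:5f:e2
Number of wired client(s): 5
MAC Address        IP Address       AP Name  Mobility  WLAN  Auth
00:16:c7:5d:b4:8f  Unknown          c1240    Local     2     No
00:21:91:f8:e9:ae  209.165.200.232  c1240    Local     2     Yes
00:21:55:04:07:b5  209.165.200.234  c1240    Local     2     Yes
00:1e:58:31:c7:4a  209.165.200.236  c1240    Local     2     Yes
00:23:04:9a:0b:12  Unknown          c1240    Local     2     No
"""


def _rows(text):
    """Yield the whitespace-split fields of every line that starts with a MAC address."""
    for line in text.splitlines():
        if MAC_RE.match(line.strip()):
            yield line.split()


def parse_wgb_summary(text):
    """Map WGB MAC -> fields of one `show wgb summary` row."""
    wgbs = {}
    for f in _rows(text):
        mac, ip, ap, status, wlan, auth, proto, clients = f[:8]
        wgbs[mac.lower()] = {"ip": ip, "ap": ap, "status": status, "wlan": wlan,
                             "auth": auth, "protocol": proto, "clients": int(clients)}
    return wgbs


def parse_wgb_detail(text):
    """Return (wgb_mac, [client dicts]) from `show wgb detail <mac>` output."""
    m = re.search(r"show wgb detail\s+(\S+)", text)
    wgb_mac = m.group(1).lower() if m else None
    clients = []
    for f in _rows(text):
        mac, ip, ap, mobility, wlan, auth = f[:6]
        clients.append({"mac": mac.lower(), "ip": ip, "ap": ap,
                        "mobility": mobility, "wlan": wlan, "auth": auth})
    return wgb_mac, clients


def audit(summary_text, detail_text):
    """Return a list of findings for the WGB that the detail output covers."""
    wgbs = parse_wgb_summary(summary_text)
    wgb_mac, clients = parse_wgb_detail(detail_text)
    wgb = wgbs.get(wgb_mac)
    if wgb is None:
        return [f"{wgb_mac}: not present in show wgb summary"]
    findings = []
    if wgb["status"] != "Assoc" or wgb["auth"] != "Yes":
        findings.append(f"{wgb_mac}: WGB is {wgb['status']} with auth={wgb['auth']}")
    if wgb["clients"] != len(clients):
        findings.append(f"{wgb_mac}: summary reports {wgb['clients']} clients, "
                        f"detail lists {len(clients)}")
    for c in clients:
        if c["wlan"] != wgb["wlan"]:
            findings.append(f"{c['mac']}: on WLAN {c['wlan']}, WGB is on WLAN {wgb['wlan']}")
        if c["auth"] != "Yes" or c["ip"] == "Unknown":
            findings.append(f"{c['mac']}: behind WGB with auth={c['auth']}, ip={c['ip']}")
    return findings


if __name__ == "__main__":
    for finding in audit(WGB_SUMMARY, WGB_DETAIL):
        print(finding)
```

Run against the page's outputs, the audit reports the two clients with Auth No and IP Unknown and nothing else; dropping a row from the detail output makes the client-count mismatch appear as well. Extend the check with show client summary if you also want the per-AP view.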
High-speed roaming of Cisco Compatible Extension (CX), version 4 (v4) clients is supported at speeds up to 70 miles per hour in outdoor mesh deployments of AP1522s and AP1524s. An example application might be maintaining communication with a terminal in an emergency vehicle as it moves within a mesh public network.
Three Cisco CX v4 Layer 2 client roaming enhancements are supported:
Note | Client roaming is enabled by default. For more information, see the Enterprise Mobility Design Guide at http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob41dg/eMob4.1.pdf |
Follow these guidelines for WGB roaming:
The following example shows how to configure a roaming configuration:
ap(config)#interface dot11radio 1
ap(config-if)#ssid outside
ap(config-if)#packet retries 16
ap(config-if)#station-role workgroup-bridge
ap(config-if)#mobile station
ap(config-if)#mobile station period 3 threshold 50
ap(config-if)#mobile station scan 5745 5765
Use the no mobile station scan command to restore scanning to all the channels.
Table 1 identifies mesh access points and their respective frequency bands that support WGB.
If a wireless client is not associated with a WGB, use the following steps to troubleshoot the problem:
In a normal scenario, if the show bridge and show dot11 associations command outputs are as expected, wireless client association should be successful.
You can configure call admission control (CAC) and QoS on the controller to manage voice and video quality on the mesh network.
The indoor mesh access points are 802.11e capable, and QoS is supported on the local 2.4-GHz access radio and the 5-GHz backhaul radio. CAC is supported on the backhaul and the CCXv4 clients (which provides CAC between the mesh access point and the client).
Note | Voice is supported only on indoor mesh networks. Voice is supported on a best-effort basis in the outdoors in a mesh network. |
Call Admission Control (CAC) enables a mesh access point to maintain controlled quality of service (QoS) when the wireless LAN is experiencing congestion. The Wi-Fi Multimedia (WMM) protocol deployed in CCXv3 ensures sufficient QoS as long as the wireless LAN is not congested. However, to maintain QoS under differing network loads, CAC in CCXv4 or later is required.
Note | CAC is supported in Cisco Compatible Extensions (CCX) v4 or later. See Chapter 6 of the Cisco Wireless LAN Controller Configuration Guide at http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70sol.html |
Two types of CAC are available for access points: bandwidth-based CAC and load-based CAC. All calls on a mesh network are bandwidth-based, so mesh access points use only bandwidth-based CAC.
Bandwidth-based, or static CAC enables the client to specify how much bandwidth or shared medium time is required to accept a new call. Each access point determines whether it is capable of accommodating a particular call by looking at the bandwidth available and compares it against the bandwidth required for the call. If there is not enough bandwidth available to maintain the maximum allowed number of calls with acceptable quality, the mesh access point rejects the call.
Cisco supports 802.11e on the local access and on the backhaul. Mesh access points prioritize user traffic based on classification, and therefore all user traffic is treated on a best-effort basis.
Resources available to users of the mesh vary, according to the location within the mesh, and a configuration that provides a bandwidth limitation in one point of the network can result in an oversubscription in other parts of the network.
Similarly, limiting clients on their percentage of RF is not suitable for mesh clients. The limiting resource is not the client WLAN, but the resources available on the mesh backhaul.
Similar to wired Ethernet networks, 802.11 WLANs employ Carrier Sense Multiple Access (CSMA), but instead of using collision detection (CD), WLANs use collision avoidance (CA), which means that instead of each station trying to transmit as soon as the medium is free, WLAN devices will use a collision avoidance mechanism to prevent multiple stations from transmitting at the same time.
The collision avoidance mechanism uses two values called CWmin and CWmax. CW stands for contention window. The CW determines the additional amount of time an endpoint waits, after the interframe space (IFS), before attempting to transmit a packet. Enhanced distributed coordination function (EDCF) is a model that allows end devices that have delay-sensitive multimedia traffic to modify their CWmin and CWmax values to obtain statistically greater (and more frequent) access to the medium.
Cisco access points support EDCF-like QoS. This provides up to eight queues for QoS.
These queues can be allocated in several different ways, as follows:
AP1500s, with Cisco controllers, provide a minimal integrated services capability at the controller, in which client streams have maximum bandwidth limits, and a more robust differentiated services (diffServ) capability based on the IP DSCP values and QoS WLAN overrides.
When the queue capacity has been reached, additional frames are dropped (tail drop).
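To make the "statistically greater access" of the EDCF description concrete, the following Python script is an added example (not Cisco code) that simulates contention between stations in different access categories: each round, every station waits its AIFS plus a random backoff drawn from its contention window, the shortest wait transmits, equal waits collide and double the colliders' windows, and losers keep their residual backoff as in DCF. The parameters are the standard 802.11e/WMM defaults for an OFDM PHY, assumed here because the page does not list them: slot 9 us, SIFS 16 us, and (CWmin, CWmax, AIFSN) of (3, 7, 2) for voice, (7, 15, 2) for video, (15, 1023, 3) for best effort and (15, 1023, 7) for background. The point for the bridging discussion later on this page is that whoever is allowed to claim the voice category takes most of the medium.

```python
"""Monte Carlo sketch of EDCF/EDCA contention between access categories (added example, not Cisco code).

Assumed 802.11e/WMM defaults for an OFDM (802.11a) PHY: slot 9 us, SIFS 16 us and,
per category, (CWmin, CWmax, AIFSN). Stations that lose keep their residual backoff;
collisions double the contention window up to CWmax; a success resets it to CWmin.
"""
import random

SLOT_US = 9
SIFS_US = 16
EDCA = {
    "voice": (3, 7, 2),
    "video": (7, 15, 2),
    "best_effort": (15, 1023, 3),
    "background": (15, 1023, 7),
}


class Station:
    def __init__(self, name, category, rng):
        self.name = name
        self.cwmin, self.cwmax, self.aifsn = EDCA[category]
        self.cw = self.cwmin
        self.rng = rng
        self.backoff = rng.randint(0, self.cw)

    def aifs_us(self):
        # AIFS = SIFS + AIFSN * slot time
        return SIFS_US + self.aifsn * SLOT_US

    def wait_us(self):
        return self.aifs_us() + self.backoff * SLOT_US

    def on_success(self):
        self.cw = self.cwmin
        self.backoff = self.rng.randint(0, self.cw)

    def on_collision(self):
        self.cw = min(2 * self.cw + 1, self.cwmax)
        self.backoff = self.rng.randint(0, self.cw)

    def on_defer(self, idle_us):
        # A loser counts down only the idle slots it saw after its own AIFS.
        self.backoff = max(0, self.backoff - max(0, (idle_us - self.aifs_us()) // SLOT_US))


def simulate(categories, rounds, seed=1):
    """Return ({station name: transmissions won}, collisions) over `rounds` opportunities."""
    rng = random.Random(seed)
    stations = [Station(name, cat, rng) for name, cat in categories.items()]
    wins = {s.name: 0 for s in stations}
    collisions = 0
    for _ in range(rounds):
        waits = {s: s.wait_us() for s in stations}
        best = min(waits.values())
        winners = [s for s in stations if waits[s] == best]
        for s in stations:
            if s not in winners:
                s.on_defer(best)
        if len(winners) == 1:
            wins[winners[0].name] += 1
            winners[0].on_success()
        else:
            collisions += 1
            for s in winners:
                s.on_collision()
    return wins, collisions


if __name__ == "__main__":
    for mix in ({"phone": "voice", "laptop": "best_effort"},
                {"cam": "video", "laptop": "best_effort"},
                {"a": "best_effort", "b": "best_effort"}):
        wins, collisions = simulate(mix, 10000)
        print(mix, wins, "collisions:", collisions)
```

With one voice and one best-effort station the voice station wins the large majority of rounds; two best-effort stations split the medium roughly evenly. The model ignores frame duration, carrier sensing during a transmission and hidden nodes, so treat the numbers as a ranking of categories, not as airtime figures.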
Several encapsulations are used by the mesh system. These encapsulations include CAPWAP control and data between the controller and RAP, over the mesh backhaul, and between the mesh access point and its client(s). The encapsulation of bridging traffic (noncontroller traffic from a LAN) over the backhaul is the same as the encapsulation of CAPWAP data.
There are two encapsulations between the controller and the RAP. The first is for CAPWAP control, and the second is for CAPWAP data. In the control instance, CAPWAP is used as a container for control information and directives. In the instance of CAPWAP data, the entire packet, including the Ethernet and IP headers, is sent in the CAPWAP container.
For the backhaul, there is only one type of encapsulation, encapsulating mesh traffic. However, two types of traffic are encapsulated: bridging traffic and CAPWAP control and data traffic. Both types of traffic are encapsulated in a proprietary mesh header.
In the case of bridging traffic, the entire packet Ethernet frame is encapsulated in the mesh header.
All backhaul frames are treated identically, regardless of whether they are MAP to MAP, RAP to MAP, or MAP to RAP.
The mesh access point uses a high-speed CPU to process ingress frames, Ethernet and wireless, on a first-come, first-served basis. These frames are queued for transmission to the appropriate output device, either Ethernet or wireless. Egress frames can be destined for the 802.11 client network, the 802.11 backhaul network, or Ethernet.
AP1500s support four FIFOs for wireless client transmissions. These FIFOs correspond to the 802.11e platinum, gold, silver, and bronze queues, and obey the 802.11e transmission rules for those queues. The FIFOs have a user configurable queue depth.
The backhaul (frames destined for another outdoor mesh access point) uses four FIFOs, although user traffic is limited to gold, silver, and bronze. The platinum queue is used exclusively for CAPWAP control traffic and voice, and has been reworked from the standard 802.11e parameters for CWmin, CWmax, and so on, to provide more robust transmission but higher latencies.
The 802.11e parameters for CWmin, CWmax, and so on, for the gold queue have been reworked to provide lower latency at the expense of slightly higher error rate and aggressiveness. The purpose of these changes is to provide a channel that is more conducive to video applications.
Frames that are destined for Ethernet are queued as FIFO, up to the maximum available transmit buffer pool (256 frames). The Layer 3 IP Differentiated Services Code Point (DSCP) is supported, so packets can be marked as well.
In the controller to RAP path for the data traffic, the outer DSCP value is set to the DSCP value of the incoming IP frame. If the interface is in tagged mode, the controller sets the 802.1Q VLAN ID and derives the 802.1p UP (outer) from 802.1p UP incoming and the WLAN default priority ceiling. Frames with VLAN ID 0 are not tagged.
For CAPWAP control traffic the IP DSCP value is set to 46, and the 802.1p user priority is set to 7. Prior to transmission of a wireless frame over the backhaul, regardless of node pairing (RAP/MAP) or direction, the DSCP value in the outer header is used to determine a backhaul priority. The following sections describe the mapping between the four backhaul queues the mesh access point uses and the DSCP values shown in Backhaul Path QoS.
Note | The platinum backhaul queue is reserved for CAPWAP control traffic, IP control traffic, and voice packets. DHCP, DNS, and ARP requests are also transmitted at the platinum QoS level. The mesh software inspects each frame to determine whether it is a CAPWAP control or IP control frame in order to protect the platinum queue from use by non-CAPWAP applications. |
For a MAP to the client path, there are two different procedures, depending on whether the client is a WMM client or a normal client. If the client is a WMM client, the DSCP value in the outer frame is examined, and the 802.11e priority queue is used.
If the client is not a WMM client, the WLAN override (as configured at the controller) determines the 802.11e queue (bronze, gold, platinum, or silver), on which the packet is transmitted.
For a client of a mesh access point, incoming client frames are modified in preparation for transmission on the mesh backhaul or Ethernet. For WMM clients, the MAP sets the outer DSCP value from the incoming WMM client frame as follows.
The minimum value of the incoming 802.11e user priority and the WLAN override priority is translated using the information listed in Table 3 to determine the DSCP value of the IP frame. For example, if the incoming frame has as its value a priority indicating the gold priority, but the WLAN is configured for the silver priority, the minimum priority of silver is used to determine the DSCP value.
If there is no incoming WMM priority, the default WLAN priority is used to generate the DSCP value in the outer header. If the frame is an originated CAPWAP control frame, the DSCP value of 46 is placed in the outer header.
With the 5.2 code enhancements, DSCP information is preserved in an AWPP header.
All wired client traffic is restricted to a maximum 802.1p UP value of 5, except DHCP, DNS, and ARP packets, which go through the platinum queue.
Non-WMM wireless client traffic gets the default QoS priority of its WLAN. WMM wireless client traffic may have a maximum 802.11e value of 6, but it must not exceed the QoS profile configured for its WLAN. If admission control is configured, WMM clients must use TSPEC signaling and be admitted by CAC.
CAPWAP data traffic carries wireless client traffic and receives the same priority and treatment as wireless client traffic.
Now that the DSCP value is determined, the rules described earlier for the backhaul path from the RAP to the MAP are used to further determine the backhaul queue on which the frame is transmitted. Frames transmitted from the RAP to the controller are not tagged. The outer DSCP values are left intact, as they were first constructed.
Bridging services are treated a little differently from regular controller-based services. There is no outer DSCP value in bridging packets because they are not CAPWAP encapsulated. Therefore, the DSCP value in the IP header as it was received by the mesh access point is used to index into the table as described in the path from the mesh access point to the mesh access point (backhaul).
Packets received from a station on the LAN are not modified in any way, and there is no override value for the LAN priority: whatever DSCP a LAN host sets is what indexes the backhaul queue. Therefore, the LAN must be properly secured in bridging mode, because any host on it can claim backhaul priority simply by marking its own packets. The only protection offered to the mesh backhaul is that non-CAPWAP control frames that map to the platinum queue are demoted to the gold queue.
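As an added worked example (not Cisco's code), the following Python model encodes the queue-selection rules of this and the preceding paragraphs for both the CAPWAP path (WMM, non-WMM and wired clients, and CAPWAP control) and the bridging path, so the difference in exposure is visible side by side: a WLAN client's user priority is clamped by the WLAN override, a wired client behind a WGB is capped at UP 5, but a bridged LAN packet keeps its DSCP and is only demoted when it lands in platinum. Because the page does not reproduce Table 3 or the DSCP range of each queue, the model assumes the common WMM mapping (UP n to DSCP 8n, with UP 6 carried as EF/46) and the queue boundaries UP 6-7 platinum, 4-5 gold, 0 and 3 silver, 1-2 bronze; the "IP control" protocols allowed on platinum are taken from the note above as DHCP, DNS and ARP. The Frame type and its kind names are this example's, not Cisco's.

```python
"""Illustrative model of how a mesh AP selects a backhaul queue (added example, not Cisco code).

Assumed, because the page does not reproduce Table 3: UP n <-> DSCP 8n except that UP 6 is
carried as EF (46); UP 6-7 -> platinum, 4-5 -> gold, 0 and 3 -> silver, 1-2 -> bronze.
Taken from the page: CAPWAP control is DSCP 46 / 802.1p 7, wired clients are capped at
UP 5, WMM clients at UP 6 and at the WLAN override, DHCP/DNS/ARP ride platinum, and
bridged LAN traffic keeps its DSCP with non-control platinum demoted to gold.
"""
from dataclasses import dataclass
from enum import Enum

CAPWAP_CONTROL_DSCP = 46
MAX_WIRED_UP = 5
MAX_WMM_UP = 6
PLATINUM_CONTROL_PROTOS = {"dhcp", "dns", "arp"}
UP_TO_DSCP = {0: 0, 1: 8, 2: 16, 3: 24, 4: 32, 5: 40, 6: 46, 7: 56}   # assumed Table 3


class Queue(Enum):
    PLATINUM = "platinum"
    GOLD = "gold"
    SILVER = "silver"
    BRONZE = "bronze"


@dataclass
class Frame:
    kind: str            # capwap_control | wmm_client | non_wmm_client | wired_client | bridged_lan
    dscp: int = 0        # IP DSCP as received (used for bridged LAN traffic)
    up: int = 0          # 802.11e / 802.1p user priority as received (0-7)
    proto: str = "data"  # "dhcp" | "dns" | "arp" | "data"


def up_to_dscp(up: int) -> int:
    return UP_TO_DSCP[up]


def dscp_to_up(dscp: int) -> int:
    return 6 if dscp == CAPWAP_CONTROL_DSCP else dscp >> 3


def up_to_queue(up: int) -> Queue:
    if up >= 6:
        return Queue.PLATINUM
    if up >= 4:
        return Queue.GOLD
    if up in (0, 3):
        return Queue.SILVER
    return Queue.BRONZE


def outer_dscp(frame: Frame, wlan_override_up: int) -> int:
    """DSCP the MAP/RAP writes into the outer CAPWAP header for controller-based traffic."""
    if frame.kind == "capwap_control":
        return CAPWAP_CONTROL_DSCP
    if frame.kind == "wmm_client":
        # minimum of the incoming 802.11e UP and the WLAN override, never above UP 6
        return up_to_dscp(min(frame.up, wlan_override_up, MAX_WMM_UP))
    if frame.kind == "non_wmm_client":
        # no incoming WMM priority: the WLAN default/override priority is used
        return up_to_dscp(wlan_override_up)
    if frame.kind == "wired_client":
        if frame.proto in PLATINUM_CONTROL_PROTOS:
            return CAPWAP_CONTROL_DSCP          # DHCP/DNS/ARP go through platinum
        return up_to_dscp(min(frame.up, MAX_WIRED_UP))
    raise ValueError(f"no outer header for {frame.kind}")


def backhaul_queue(frame: Frame, wlan_override_up: int) -> Queue:
    """Backhaul queue from the outer DSCP (CAPWAP path) or the inner DSCP (bridging path)."""
    if frame.kind == "bridged_lan":
        # no outer DSCP: the DSCP as received on the LAN indexes the queue table unchanged
        queue = up_to_queue(dscp_to_up(frame.dscp))
        if queue is Queue.PLATINUM and frame.proto not in PLATINUM_CONTROL_PROTOS:
            return Queue.GOLD                   # the only protection the page describes
        return queue
    return up_to_queue(dscp_to_up(outer_dscp(frame, wlan_override_up)))


if __name__ == "__main__":
    silver_wlan, voice_wlan = 0, 6
    print(backhaul_queue(Frame("wmm_client", up=7), silver_wlan))       # clamped to silver
    print(backhaul_queue(Frame("wired_client", up=7), voice_wlan))      # capped to gold
    print(backhaul_queue(Frame("bridged_lan", dscp=46), silver_wlan))   # demoted to gold
    print(backhaul_queue(Frame("bridged_lan", dscp=40), silver_wlan))   # gold, no check at all
```

The last two lines are the bridging-mode exposure: an untrusted LAN host that marks EF is demoted to gold, but one that marks DSCP 40 sits in gold alongside video without any policy on the mesh side, which is why the page insists that the bridged LAN itself be secured.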
Packets are transmitted to the LAN precisely as they are received on the Ethernet ingress at entry to the mesh.
The only way to integrate QoS between the Ethernet ports on an AP1500 and 802.11a is by tagging Ethernet packets with DSCP. AP1500s take an Ethernet packet that carries a DSCP value and place it in the appropriate 802.11e queue.
AP1500s do not mark DSCP themselves:
Ethernet devices, such as video cameras, should have the capability to mark the bits with DSCP value to take advantage of QoS.
Note | QoS only is relevant when there is congestion on the network. |
Follow these guidelines when you use voice on the mesh network:
Table 1 shows the actual calls in a clean, ideal environment.
[Table 1: No. of Calls 5; the remaining columns of the table are not reproduced here]
Table 2 shows the actual calls in a clean, ideal environment.
[Table 2: 6; the remaining columns of the table are not reproduced here]
While making a call, observe the MOS score of the call on the 7921 phone. A MOS score between 3.5 and 4 is acceptable.
AP Name        Slot#   Radio   BW Used/Max   Calls
------------   ------  -----   -----------   -----
SB_RAP1        0       11b/g   0/23437       0
               1       11a     0/23437       2
SB_MAP1        0       11b/g   0/23437       0
               1       11a     0/23437       0
SB_MAP2        0       11b/g   0/23437       0
               1       11a     0/23437       0
SB_MAP3        0       11b/g   0/23437       0
               1       11a     0/23437       0

AP Name        Slot#   Radio   BW Used/Max
-------------  ------  -----   -----------
SB_RAP1        0       11b/g   1016/23437
               1       11a     3048/23437
|SB_MAP1       0       11b/g   0/23437
               1       11a     3048/23437
||SB_MAP2      0       11b/g   2032/23437
               1       11a     3048/23437
|||SB_MAP3     0       11b/g   0/23437
               1       11a     0/23437
Note | The bars (|) to the left of the AP Name field indicate the number of hops that the MAP is from its RAP. |
Note | When the radio type is the same, the backhaul bandwidth utilization (bw used/max) at each hop is identical. For example, mesh access points map1, map2, map3, and rap1 are all on the same radio backhaul (802.11a) and are using the same bandwidth (3048). All of the calls are in the same interference domain. A call placed anywhere in that domain affects the others. |
Information similar to the following appears:
AP Name        Slot#   Radio   Calls
-------------  ------  -----   -----
SB_RAP1        0       11b/g   0
               1       11a     0
|SB_MAP1       0       11b/g   0
               1       11a     0
||SB_MAP2      0       11b/g   1
               1       11a     0
|||SB_MAP3     0       11b/g   0
               1       11a     0
Note | Each call received by a mesh access point radio causes the appropriate calls summary column to increment by one. For example, if a call is received on the 802.11b/g radio on map2, then a value of one is added to the existing value in that radio’s calls column. In this case, the new call is the only active call on the 802.11b/g radio of map2. If one call is active when a new call is received, the resulting value is two. |
Information similar to the following appears:
AP Name        Slot#   Radio   Calls
-------------  ------  -----   -----
SB_RAP1        0       11b/g   0
               1       11a     1
|SB_MAP1       0       11b/g   0
               1       11a     1
||SB_MAP2      0       11b/g   1
               1       11a     1
|||SB_MAP3     0       11b/g   0
               1       11a     0
Note | The calls column for each mesh access point radio in a call path increments by one. For example, for a call that initiates at map2 (show mesh cac call path SB_MAP2) and terminates at rap1 by way of map1, one call is added to the map2 802.11b/g and 802.11a radio calls column, one call to the map1 802.11a backhaul radio calls column, and one call to the rap1 802.11a backhaul radio calls column. |
AP Name        Slot#   Radio   Calls
-------------  ------  -----   -----
SB_RAP1        0       11b/g   0
               1       11a     0
|SB_MAP1       0       11b/g   0
               1       11a     0
||SB_MAP2      0       11b/g   1
               1       11a     0
|||SB_MAP3     0       11b/g   0
               1       11a     0
Note | If a call is rejected at the map2 802.11b/g radio, its calls column increments by one. |
Queue Type   Overflows   Peak length   Average length
----------   ---------   -----------   --------------
Silver       0           1             0.000
Gold         0           4             0.004
Platinum     0           4             0.001
Bronze       0           0             0.000
Management   0           0             0.000
Overflows: The total number of packets dropped due to queue overflow.
Peak Length: The peak number of packets waiting in the queue during the defined statistics time interval.
Average Length: The average number of packets waiting in the queue during the defined statistics time interval.
You can use the controller CLI to configure three mesh multicast modes to manage video camera broadcasts on all mesh access points. When enabled, these modes reduce unnecessary multicast transmissions within the mesh network and conserve backhaul bandwidth.
Mesh multicast modes determine how bridging-enabled access points MAP and RAP send multicasts among Ethernet LANs within a mesh network. Mesh multicast modes manage non-CAPWAP multicast traffic only. CAPWAP multicast traffic is governed by a different mechanism.
The three mesh multicast modes are as follows:
Note | When an HSRP configuration is in operation on a mesh network, we recommend the In-Out multicast mode be configured. |
Note | If 802.11b clients need to receive CAPWAP multicasts, then multicast must be enabled globally on the controller as well as on the mesh network (using the config network multicast global enable CLI command). If multicast does not need to extend to 802.11b clients beyond the mesh network, the global multicast parameter should be disabled (using the config network multicast global disable CLI command). |
To enable multicast mode on the mesh network to receive multicasts from beyond the mesh networks, enter these commands:
config network multicast global enable
config mesh multicast {regular | in | in-out}
To enable multicast mode only the mesh network (multicasts do not need to extend to 802.11b clients beyond the mesh network), enter these commands:
config network multicast global disable
config mesh multicast {regular | in | in-out}
Note | Multicast for mesh networks cannot be enabled using the controller GUI. |
IGMP snooping delivers improved RF usage through selective multicast forwarding and optimizes packet forwarding in voice and video applications.
A mesh access point transmits multicast packets only if a client is associated with the mesh access point that is subscribed to the multicast group. So, when IGMP snooping is enabled, only that multicast traffic relevant to given hosts is forwarded.
To enable IGMP snooping on the controller, enter the following command:
config network multicast igmp snooping enable
A client sends an IGMP join that travels through the mesh access point to the controller. The controller intercepts the join and creates a table entry for the client in the multicast group. The controller then proxies the IGMP join through the upstream switch or router.
You can query the status of the IGMP groups on a router by entering the following command:
router# show ip igmp groups
IGMP Connected Group Membership
Group Address    Interface    Uptime    Expires    Last Reporter
233.0.0.1        Vlan119      3w1d      00:01:52   10.1.1.130
For Layer 3 roaming, an IGMP query is sent to the client’s WLAN. The controller modifies the client’s response before forwarding and changes the source IP address to the controller’s dynamic interface IP address.
The network hears the controller’s request for the multicast group and forwards the multicast to the new controller.
For more information about video, see the following:
Until the 7.0 release, mesh APs supported only the Manufacturing Installed Certificate (MIC) to authenticate controllers, and to be authenticated by them, when joining. To use your own certificates instead, you need your own public key infrastructure (PKI): a CA under your control, policies, validity periods, restrictions and usages on the certificates that are generated, and a way to get these certificates installed on the APs and controllers. Once these customer-generated, or locally significant, certificates (LSCs) are present on the APs and controllers, the devices use the LSCs to join, authenticate, and derive a session key. Cisco has supported LSCs on non-mesh APs since the 5.2 release and extended that support to mesh APs in the 7.0 release.
Note | An LSC in mesh APs is not deleted. An LSC is deleted in mesh APs only when the LSC is disabled on the controller, which causes the APs to reboot. |
Follow these guidelines when using LSCs for mesh APs:
CAPWAP APs use the LSC for DTLS setup during the JOIN, irrespective of the AP mode. Mesh APs also use the certificate for mesh security, which involves dot1x authentication with the controller through the parent AP. After the mesh APs are provisioned with an LSC, they must use the LSC for this purpose as well, because the MIC is no longer read in.
Mesh APs use a statically configured dot1x profile to authenticate.
This profile is hardcoded to use "cisco" as the certificate issuer. This profile needs to be made configurable so that vendor certificates can be used for mesh authentication (enter the config local-auth eap-profile cert-issuer vendor "prfMaP1500LlEAuth93" command).
You must enter the config mesh lsc enable/disable command to enable or disable an LSC for mesh APs. This command will cause all the mesh APs to reboot.
Note | An LSC on mesh is open for very specific Oil and Gas customers with the 7.0 release. Initially, it is a hidden feature. The config mesh lsc enable/disable is a hidden command. Also, the config local-auth eap-profile cert-issuer vendor "prfMaP1500LlEAuth93" command is a normal command, but the "prfMaP1500LlEAuth93" profile is a hidden profile, and is not stored on the controller and is lost after the controller reboot. |
LSC-provisioned APs hold both the LSC and the MIC, but the LSC is the default certificate. The verification process consists of the following two steps:
To configure LSC, you must first gather and install the appropriate certificates on the controller. The following steps show how to accomplish this using Microsoft 2003 Server as the CA server.
Step 1 | Go to the CA server (http://<ip address of caserver>/certsrv) and log in. |
Step 2 | Get the CA certificate as follows: |
Step 3 | To use the certificate on the controller, convert the downloaded certificate to PEM format. You can convert this in a Linux machine using the following command: # openssl x509 -in <input.cer> -inform DER -out <output.cer> -outform PEM |
Step 4 | Configure the CA certificate on the controller as follows: |
Step 5 | To install the Device certificate on the WLC, login to the CA server as mentioned in Step 1 and do the following: |
Step 6 | Convert the device certificate obtained in the Step 5. To get the certificate, go to your internet browser options and choose exporting to a file. Follow the options from your browser to do this. You need to remember the password that you set here. To convert the certificate, use the following command in a Linux machine: |
Step 7 | On the controller GUI, choose Command > Download File. Choose Vendor Device Certificate from the File Type drop-down list. Update the rest of the fields with the information of the TFTP server where the certificate is located and the password you set in the previous step and click Download. |
Step 8 | Reboot the controller so that the certificates can then be used. |
Step 9 | You can check that the certificates were successfully installed on the controller using this command: |
To configure a locally significant certificate (LSC), follow these steps:
Step 1 | Enable LSC and provision the LSC CA certificate in the controller. |
Step 2 | Enter the following command: config local-auth eap-profile cert-issuer vendor prfMaP1500LlEAuth93 |
Step 3 | Turn on the feature by entering the following command: |
Step 4 | Connect the mesh AP through Ethernet and provision for an LSC certificate. |
Step 5 | Let the mesh AP get a certificate and join the controller using the LSC certificate. |
The following commands are related to LSCs:
Although the settings are not directly related to the feature, it might help you in achieving the desired behavior with respect to APs provisioned with an LSC.
(Cisco Controller) > config macfilter mac-delimiter colon
(Cisco Controller) > config macfilter add 00:0b:85:60:92:30 0 management
(Cisco Controller) > config mesh security rad-mac-filter enable
Or, check only the External MAC Filter Authorization option on the GUI page and follow these guidelines:
The config mesh lsc {enable | disable} command is required to enable or disable an LSC for mesh APs. This command causes all the mesh APs to reboot.