PDF(143.4 KB) View with Adobe Reader on a variety of devices
ePub(221.4 KB) View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
Mobi (Kindle)(188.1 KB) View on Kindle device or Kindle app on multiple devices
Updated:August 17, 2015
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This document provides sample configurations for Converged Access deployment in a small-branch single switch network. These configurations can be used across hundreds or even thousands of branches to deploy the wireless network at the branch locations with tried and tested configurations.
There are no specific requirements for this document.
The information in this document is based on these software and hardware versions:
Catalyst 3850 Series Switch
Cisco IOS Version 03.03.00SE or later
Cisco IES Version 1.2 or later
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
The small-size remote branch office or retail store can consist of a single or a stack of ethernet switches to provide network connectivity to the wired and wireless users. Such small networks can converge the ethernet switching with next-generation wireless capability on the same catalyst switch.
For such network designs, the switch can integrate Wireless LAN Controller (WLC) mobility controller and mobility agent (MA) functions without requiring any additional Converged Access elements, such as Switch-Peer-Group (SPG) in the network. These networks can require guest wireless services, as well as common security and network access policy enforcement across all branch offices.
This image illustrates a reference topology for a typical branch network.
vlan 151 name Voice_VLAN ! vlan 152 name Video_VLAN ! vlan 155 name WM_VLAN ! vlan 158 name 8021X_WiFi_VLAN
Configure Default Gateway
The Default Gateway configuration is shown in this example.
ip default-gateway <ip address> ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 172.26.150.1
Configure Management Virtual Routing and Forwarding (VRF)
The Management VRF configuration is shown in this example.
interface GigabitEthernet0/0 description Connected to FlashNet - DO NOT ROUTE vrf forwarding Mgmt-vrf ip address 172.26.150.202 255.255.255.0 no ip redirects no ip proxy-arp load-interval 30 carrier-delay msec 0 negotiation auto no cdp enable
vrf definition Mgmt-vrf
Configure IP DHCP Snooping
In this example, DHCP snooping is configured for all wireless client VLANs.
ip dhcp snooping vlan 151-154,156-165 no ip dhcp snooping information option ip dhcp snooping wireless bootp-broadcast enable ip dhcp snooping
Note: Uplink ports must be marked as trust as shown in the Uplink Ports/Port-Channel example.
In this example, wireless functionality is enabled and the 5760 Guest Anchor WLC is configured as the mobility peer.
interface vlan 105 description Wireless Management Interface ip address 10.101.1.109 255.255.255.240 load-interval 30 logging event link-status no shutdown
wireless management interface vlan 105
wireless mobility group name 3850_Branch_1 wireless mobility group member ip 10.99.2.242 public-ip 10.99.2.242 group GA-Domain-1 wireless mobility group member ip 10.99.2.243 public-ip 10.99.2.243 group GA-Domain-2
Note:You can use a Cisco 5508 WLC or an 8510 AireOS as a guest anchor controller.
This example shows the configuration of Global Parameters.
aaa new-model aaa authentication login PRIME_RADIUS_AUTH_GRP group PRIME_RADIUS_SERVER_GRP aaa authentication dot1x PRIME_RADIUS_AUTH_GRP group PRIME_RADIUS_SERVER_GRP aaa authorization network PRIME_RADIUS_AUTHO_GRP group PRIME_RADIUS_SERVER_GRP aaa authorization network PRIME_CWA_MAC_FILTER group PRIME_RADIUS_SERVER_GRP aaa accounting Identity PRIME_RADIUS_ACCT_GRP start-stop group PRIME_RADIUS_SERVER_GRP
aaa server radius dynamic-author client 10.100.1.49 server-key 7 02050D480809 auth-type any ! ! radius server PRIME_RADIUS_SERVER_1 address ipv4 10.100.1.49 auth-port 1812 acct-port 1813 timeout 1
key 7 121A0C041104 ! radius-server attribute 6 on-for-login-auth radius-server attribute 31 send nas-port-detail ! aaa group server radius PRIME_RADIUS_SERVER_GRP server name PRIME_RADIUS_SERVER_1
The 802.1X WLAN configuration is shown in this example.
The Open WLAN configuration is shown in this example.
wlan ABCCorp_OPEN 3 ABCCorp_OPEN band-select client vlan Open_WiFi_VLAN ip flow monitor wireless-avc-basic input ip flow monitor wireless-avc-basic output no security wpano security wpa akm dot1x no security wpa wpa2 no security wpa wpa2 ciphers aes service-policy output ABCCorp_OPEN-PARENT-POLICY session-timeout 1800 wifidirect policy deny wmm require no shutdown
CWA Guest WLAN
The CWA Guest WLAN configuration is shown in this example.
wlan ABCCorp-Guest 15 ABCCorp-Guest aaa-override accounting-list PRIME_RADIUS_ACCT_GRP client vlan GUEST_VLAN ip flow monitor wireless-avc-basic input ip flow monitor wireless-avc-basic output load-balance security dot1x authentication-list PRIME_RADIUS_AUTH_GR Pmac-filtering PRIME_CWA_MAC_FILTER mobility anchor 10.99.2.242 mobility anchor 10.99.2.243 nac no security wpa no security wpa am dot1x no security wpa wpa2 no security wpa wpa2 ciphers aes session-timeout 3600 wmm require no shutdown
Mobility and Guest WLAN configuration on 5760 Guest Anchor 1
In this example, Mobility and Guest WLAN is configured on 5760 Guest Anchor 1.
wireless mobility group name GA-Domain-1 wireless mobility group member ip 10.101.1.109 public-ip 10.101.1.109 group 3850_Branch_1
wlan ABCCorp-Guest 15 ABCCorp-Guest aaa-override accounting-list PRIME_RADIUS_ACCT_GRP client vlan GUEST_WiFi_VLAN ip flow monitor wireless-avc-basic input ip flow monitor wireless-avc-basic output load-balance security dot1x authentication-list PRIME_RADIUS_AUTH_GRP mac-filtering PRIME_CWA_MAC_FILTER mobility anchor 10.99.2.242 nac no security wpa no security wpa am dot1x no security wpa wpa2 no security wpa wpa2 ciphers aes session-timeout 3600 wmm require no shutdown
Redirect ACL for CWA (Central Web-Auth)
The configuration to redirect ACL for CWA is shown in this example.
Extended IP access list PRIME-CWA-REDIRECT-ACL 10 deny icmp any any 20 deny udp any eq bootps any 30 deny udp any any eq bootpc 40 deny udp any eq bootpc any 50 deny udp any any eq domain 60 deny tcp any any eq domain 70 deny ip any host 10.100.1.49 80 permit tcp any any eq www
Advanced IOS Wireless Services
Application Visibility and Control (AVC) Configuration