Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note: This requirement ensures that clients never detect the SSID present on the same access point radio.
Caution: Some clients might not be able to connect to WLANs properly if they detect the same SSID with multiple security policies. Use this feature with care.
This feature enables you to control up to 64 WLANs for lightweight access points. Each WLAN has a separate WLAN ID, a separate profile name, and a WLAN SSID. All switches publish up to 16 WLANs to each connected access point, but you can create up to the maximum number of WLANs supported and then selectively publish these WLANs (using access point groups) to different access points to better manage your wireless network.
You can configure WLANs with different SSIDs or with the same SSID. An SSID identifies the specific wireless network that you want the switch to access.
Band selection enables client radios that are capable of dual-band (2.4- and 5-GHz) operation to move to a less congested 5-GHz access point. The 2.4-GHz band is often congested. Clients on this band typically experience interference from Bluetooth devices, microwave ovens, and cordless phones as well as co-channel interference from other access points because of the 802.11b/g limit of three nonoverlapping channels. To prevent these sources of interference and improve overall network performance, you can configure band selection on the switch.
Band selection works by regulating probe responses to clients. It makes 5-GHz channels more attractive to clients by delaying probe responses to clients on 2.4-GHz channels.
In deployments with certain power-save clients, you sometimes need to defer the Radio Resource Management's (RRM) normal off-channel scanning to avoid missing critical information from low-volume clients (for example, medical devices that use power-save mode and periodically send telemetry information). This feature improves the way that Quality of Service (QoS) interacts with the RRM scan defer feature.
You can use a client's Wi-Fi Multimedia (WMM) UP marking to configure the access point to defer off-channel scanning for a configurable period of time if it receives a packet marked UP.
Off-channel scanning is essential to the operation of RRM, which gathers information about alternate channel choices such as noise and interference. Additionally, off-channel scanning is responsible for rogue detection. Devices that need to defer off-channel scanning should use the same WLAN as often as possible. If there are many of these devices (and the possibility exists that off-channel scanning could be completely disabled by the use of this feature), you should implement an alternative to local AP off-channel scanning, such as monitoring access points, or other access points in the same location that do not have this WLAN assigned.
You can assign a QoS policy (bronze, silver, gold, and platinum) to a WLAN to affect how packets are marked on the downlink connection from the access point regardless of how they were received on the uplink from the client. UP=1,2 is the lowest priority, and UP=0,3 is the next higher priority. The marking results of each QoS policy are as follows:
In the 802.11 networks, lightweight access points broadcast a beacon at regular intervals, which coincides with the Delivery Traffic Indication Map (DTIM). After the access point broadcasts the beacon, it transmits any buffered broadcast and multicast frames based on the value set for the DTIM period. This feature allows power-saving clients to wake up at the appropriate time if they are expecting broadcast or multicast data.
Typically, the DTIM value is set to 1 (to transmit broadcast and multicast frames after every beacon) or 2 (to transmit after every other beacon). For instance, if the beacon period of the 802.11 network is 100 ms and the DTIM value is set to 1, the access point transmits buffered broadcast and multicast frames 10 times per second. If the beacon period is 100 ms and the DTIM value is set to 2, the access point transmits buffered broadcast and multicast frames 5 times per second. Either of these settings is suitable for applications, including Voice Over IP (VoIP), that expect frequent broadcast and multicast frames.
However, the DTIM value can be set as high as 255 (to transmit broadcast and multicast frames after every 255th beacon) if all 802.11 clients have power save enabled. Because the clients have to listen only when the DTIM period is reached, they can be set to listen for broadcasts and multicasts less frequently, which results in a longer battery life. For example, if the beacon period is 100 ms and you set the DTIM value to 100, the access point transmits buffered broadcast and multicast frames once every 10 seconds. This rate allows the power-saving clients to sleep longer before they have to wake up and listen for broadcasts and multicasts, which results in a longer battery life.
Many applications cannot tolerate a long time between broadcast and multicast messages, which results in poor protocol and application performance. We recommend that you set a low DTIM value for 802.11 networks that support such clients.
You can configure a WLAN with a session timeout. The session timeout is the maximum time for a client session to remain active before requiring reauthorization.
The Cisco Client Extensions (CCX) software is licensed to manufacturers and vendors of third-party client devices. The CCX code resident on these clients enables them to communicate wirelessly with Cisco access points and to support Cisco features that other client devices do not, including those features that are related to increased security, enhanced performance, fast roaming, and power management.
Peer-to-peer blocking is applied to individual WLANs, and each client inherits the peer-to-peer blocking setting of the WLAN to which it is associated. Peer-to-peer blocking enables you to have more control over how traffic is directed. For example, you can choose to have traffic bridged locally within the switch, dropped by the switch, or forwarded to the upstream VLAN.
Peer-to-peer blocking is supported for clients that are associated with the local switching WLAN.
By default, the switch sources all RADIUS traffic from the IP address on its management interface, which means that even if a WLAN has specific RADIUS servers configured instead of the global list, the identity used is the management interface IP address.
If you want to filter WLANs, you can use the callStationID that is set by RFC 3580 to be in the APMAC:SSID format. You can also extend the filtering on the authentication server to be on a per-WLAN source interface by using the NAS-IP-Address attribute.
When you enable the per-WLAN RADIUS source support, the switch sources all RADIUS traffic for a particular WLAN by using the dynamic interface that is configured. Also, RADIUS attributes are modified accordingly to match the identity. This feature virtualizes the switch on the per-WLAN RADIUS traffic, where each WLAN can have a separate layer 3 identity. This feature is useful in deployments that integrate with ACS Network Access Restrictions and Network Access Profiles.
You can combine per-WLAN RADIUS source support with the normal RADIUS traffic source, so that some WLANs use the management interface and others use the per-WLAN dynamic interface as the address source.
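The filtering described above, sketched from the authentication server's side as an added example (not Cisco code): it parses the RFC 3580 APMAC:SSID value and checks that the SSID is one permitted from the request's NAS-IP-Address. The policy table, its addresses and its SSIDs are hypothetical, and the function names are this example's own.

```python
import re
from typing import NamedTuple, Optional, Tuple

# RFC 3580 section 3.20: AP MAC in upper-case hex with "-" between octets,
# then ":" and the SSID, for example "00-10-A4-23-19-C0:AP1".
_CALLED_STATION = re.compile(r"((?:[0-9A-F]{2}-){5}[0-9A-F]{2}):(.+)", re.DOTALL)


class CalledStation(NamedTuple):
    ap_mac: str
    ssid: str


def parse_called_station_id(value: str) -> Optional[CalledStation]:
    """Return (ap_mac, ssid), or None if the value is not APMAC:SSID."""
    match = _CALLED_STATION.fullmatch(value)
    if match is None:
        return None
    ssid = match.group(2)
    # An 802.11 SSID is at most 32 octets; anything longer is malformed.
    if len(ssid.encode("utf-8")) > 32:
        return None
    return CalledStation(match.group(1), ssid)


# Hypothetical policy: the dynamic-interface address each WLAN sources its
# RADIUS traffic from once per-WLAN RADIUS source support is enabled.
# Addresses are documentation-range placeholders; SSIDs are constructed.
WLAN_POLICY = {
    "192.0.2.10": {"corp-ssid"},
    "192.0.2.20": {"guest:lobby"},  # an SSID may itself contain ":"
}


def authorize(nas_ip: str, called_station_id: str) -> Tuple[bool, str]:
    """Check that the request's layer 3 identity matches its SSID."""
    parsed = parse_called_station_id(called_station_id)
    if parsed is None:
        return (False, "malformed Called-Station-Id")
    allowed = WLAN_POLICY.get(nas_ip)
    if allowed is None:
        return (False, "unknown NAS-IP-Address")
    if parsed.ssid not in allowed:
        return (False, "SSID not permitted from this source interface")
    return (True, "ok")


if __name__ == "__main__":
    # Constructed requests: (NAS-IP-Address, Called-Station-Id).
    for nas_ip, csid in [
        ("192.0.2.10", "00-10-A4-23-19-C0:corp-ssid"),
        ("192.0.2.10", "00-10-A4-23-19-C0:guest:lobby"),
        ("192.0.2.20", "00:10:A4:23:19:C0:guest:lobby"),
    ]:
        print(nas_ip, csid, authorize(nas_ip, csid))
```

Without per-WLAN RADIUS source support every WLAN presents the management interface address, so only the SSID half of the check can tell WLANs apart.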
How to Configure WLANs
1. configure terminal
2. wlan profile-name wlan-id [ssid]
3. end
Step 1 | Click Configuration > Wireless. The WLANs page is displayed. |
Step 2 | Click New to create a WLAN. The WLANs > Create New page is displayed. |
Step 3 | Enter the following parameters: |
Step 4 | Click Apply. |
1. configure terminal
2. no wlan wlan-name wlan-id ssid
3. end
Step | Command or Action | Purpose |
---|---|---|
Step 1 | configure terminal Example: Switch# configure terminal | Enters global configuration mode. |
Step 2 | no wlan wlan-name wlan-id ssid Example: Switch(config)# no wlan test2 | |
Step 3 | end Example: Switch(config)# end | Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode. |
1. show wlan summary
Command or Action | Purpose |
---|---|
Switch# show wlan summary
Number of WLANs: 4
WLAN Profile Name SSID VLAN Status
--------------------------------------------------------------------------------
1 test1 test1-ssid 137 UP
3 test2 test2-ssid 136 UP
2 test3 test3-ssid 1 UP
45 test4 test4-ssid 1 DOWN
You can also use wild cards to search WLANs. For example, show wlan summary | include variable, where variable is any search string in the output.
Switch# show wlan summary | include test-wlan-ssid
1 test-wlan test-wlan-ssid 137 UP
Step 1 | Click Configuration > Wireless. The WLANs page is displayed. |
Step 2 | Type the first few characters in the text box above the column you are searching. For example, to search the WLAN based on the Profile, type the first few characters of the profile name. You can search a WLAN based on the following criteria: If a WLAN exists, it would appear based on the accuracy of the match. |
1. configure terminal
2. wlan profile-name
3. no shutdown
4. end
Step | Command or Action | Purpose |
---|---|---|
Step 1 | configure terminal Example: Switch# configure terminal | Enters global configuration mode. |
Step 2 | wlan profile-name Example: Switch(config)# wlan test4 | Enters the WLAN configuration submode. The profile-name is the profile name of the configured WLAN. |
Step 3 | no shutdown Example: Switch(config-wlan)# no shutdown | Enables the WLAN. |
Step 4 | end Example: Switch(config)# end | Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode. |
1. configure terminal
2. wlan profile-name
3. shutdown
4. end
5. show wlan summary
Step | Command or Action | Purpose |
---|---|---|
Step 1 | configure terminal Example: Switch# configure terminal | Enters global configuration mode. |
Step 2 | wlan profile-name Example: Switch(config)# wlan test4 | Enters the WLAN configuration submode. The profile-name is the profile name of the configured WLAN. |
Step 3 | shutdown Example: Switch(config-wlan)# shutdown | Disables the WLAN. |
Step 4 | end Example: Switch(config)# end | Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode. |
Step 5 | show wlan summary Example: Switch# show wlan summary | Displays the list of all WLANs configured on the device. You can search for the WLAN in the output. |
You can configure the following properties:
1. configure terminal
2. wlan profile-name
3. shutdown
4. broadcast-ssid
5. radio {all | dot11a | dot11ag | dot11bg | dot11g}
6. client vlan vlan-identifier
7. ip multicast vlan vlan-name
8. media-stream multicast-direct
9. call-snoop
10. no shutdown
11. end
Step | Command or Action | Purpose |
---|---|---|
Step 1 | configure terminal Example: Switch# configure terminal | Enters global configuration mode. |
Step 2 | wlan profile-name Example: Switch(config)# wlan test4 | Enters the WLAN configuration submode. The profile-name is the profile name of the configured WLAN. |
Step 3 | shutdown Example: Switch(config-wlan)# shutdown | Disables the WLAN before configuring the parameters. |
Step 4 | broadcast-ssid Example: Switch(config-wlan)# broadcast-ssid | Broadcasts the SSID for this WLAN. This field is enabled by default. |
Step 5 | radio {all | dot11a | dot11ag | dot11bg | dot11g} Example: Switch(config-wlan)# radio all | |
Step 6 | client vlan vlan-identifier Example: Switch(config-wlan)# client vlan test-vlan | Enables an interface group on the WLAN. vlan-identifier: Specifies the VLAN identifier. This can be the VLAN name, VLAN ID, or VLAN group name. |
Step 7 | ip multicast vlan vlan-name Example: Switch(config-wlan)# ip multicast vlan test | |
Step 8 | media-stream multicast-direct Example: Switch(config-wlan)# media-stream multicast-direct | Enables multicast VLANs on this WLAN. |
Step 9 | call-snoop Example: Switch(config-wlan)# call-snoop | Enables call-snooping support. |
Step 10 | no shutdown Example: Switch(config-wlan)# no shutdown | Enables the WLAN. |
Step 11 | end Example: Switch(config)# end | Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode. |
Step 1 | Click Configuration > Wireless. The WLANs page is displayed. |
Step 2 | Locate the WLAN you want to configure by using the search mechanisms on the page. |
Step 3 | Click on the WLAN Profile of the WLAN. The WLAN > Edit page is displayed. |
Step 4 | Click the General tab. This tab is displayed by default. |
Step 5 | Configure the General parameters. |
Step 6 | Click Apply. |
Proceed to configure the Security, QoS, and Advanced Properties.
You can configure the following advanced properties:
1. configure terminal
2. wlan profile-name
3. aaa-override
4. chd
5. session-timeout time-in-seconds
6. ccx aironet-iesupport
7. diag-channel
8. ip access-group [web] acl-name
9. peer-blocking [drop | forward-upstream]
10. exclusionlist time-in-seconds
11. client association limit max-number-of-clients
12. channel-scan {defer-priority {0-7} | defer-time {0-6000}}
13. end
Step | Command or Action | Purpose |
---|---|---|
Step 1 | configure terminal Example: Switch# configure terminal | Enters global configuration mode. |
Step 2 | wlan profile-name Example: Switch(config)# wlan test4 | Enters the WLAN configuration submode. The profile-name is the profile name of the configured WLAN. |
Step 3 | aaa-override Example: Switch(config-wlan)# aaa-override | Enables AAA override. |
Step 4 | chd Example: Switch(config-wlan)# chd | Enables coverage hole detection for this WLAN. This field is enabled by default. |
Step 5 | session-timeout time-in-seconds Example: Switch(config-wlan)# session-timeout 450 | Sets the session timeout in seconds. The range and default values vary according to the security configuration. If the WLAN security is configured to dot1x, the range is 300 to 86400 seconds and the default value is 1800 seconds. For all other WLAN security configurations, the range is 1 to 65535 seconds and the default value is 0 seconds. A value of 0 indicates no session timeout. |
Step 6 | ccx aironet-iesupport Example: Switch(config-wlan)# ccx aironet-iesupport | Enables support for Aironet IEs for this WLAN. This field is enabled by default. |
Step 7 | diag-channel Example: Switch(config-wlan)# diag-channel | Enables diagnostic channel support to troubleshoot client communication issues on a WLAN. |
Step 8 | ip access-group [web] acl-name Example: Switch(config-wlan)# ip access-group test-acl-name | Configures the WLAN ACL group. The variable acl-name specifies the user-defined IPv4 ACL name. The keyword web specifies the IPv4 web ACL. |
Step 9 | peer-blocking [drop | forward-upstream] Example: Switch(config-wlan)# peer-blocking drop | Configures peer-to-peer blocking parameters. The keywords are as follows: |
Step 10 | exclusionlist time-in-seconds Example: Switch(config-wlan)# exclusionlist 10 | Specifies the timeout in seconds. The valid range is from 0 to 2147483647. Enter 0 for no timeout. A zero (0) timeout indicates that the client is permanently added to the exclusion list. |
Step 11 | client association limit max-number-of-clients Example: Switch(config-wlan)# client association limit 200 | Sets the maximum number of clients that can be configured on a WLAN. |
Step 12 | channel-scan {defer-priority {0-7} | defer-time {0-6000}} Example: Switch(config-wlan)# channel-scan defer-priority 6 | |
Step 13 | end Example: Switch(config)# end | Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode. |
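An added example (not part of the Cisco guide) that audits WLAN configuration text against the values documented in the steps above: the session-timeout ranges and the meaning of 0, the peer-blocking keywords, the permanent exclusion caused by exclusionlist 0, and the same SSID configured on more than one WLAN. The input layout is an assumption about what show running-config wlan prints, the sample is constructed, and the caller states which profiles use dot1x because the range depends on the security configuration.

```python
from collections import defaultdict

# Constructed sample. The layout (a "wlan profile-name wlan-id ssid" header
# followed by indented subcommands) is an assumption about what
# "show running-config wlan" prints; the page does not show that output.
SAMPLE = """\
wlan corp 1 corp-ssid
 session-timeout 1800
 peer-blocking drop
 exclusionlist 60
 no shutdown
wlan guest 2 guest-ssid
 session-timeout 0
 exclusionlist 0
 no shutdown
wlan lab 3 corp-ssid
 session-timeout 90000
 shutdown
"""


def parse_wlans(text):
    """Return {profile: {"ssid": str, "cmds": {keyword: arguments}}}."""
    wlans, current = {}, None
    for line in text.splitlines():
        parts = line.split(None, 3)
        if line.startswith("wlan ") and len(parts) == 4:
            current = wlans[parts[1]] = {"ssid": parts[3], "cmds": {}}
        elif line.startswith(" ") and current is not None:
            keyword, _, args = line.strip().partition(" ")
            current["cmds"][keyword] = args
    return wlans


def audit(text, dot1x_profiles=()):
    """Return (subject, finding) pairs for the settings described above."""
    findings, by_ssid = [], defaultdict(list)
    for profile, wlan in parse_wlans(text).items():
        cmds = wlan["cmds"]
        by_ssid[wlan["ssid"]].append(profile)
        # Ranges and defaults as stated for session-timeout in Step 5.
        dot1x = profile in dot1x_profiles
        low, high, default = (300, 86400, 1800) if dot1x else (1, 65535, 0)
        timeout = int(cmds.get("session-timeout", default))
        if timeout == 0 and not dot1x:
            findings.append((profile, "session-timeout 0: no session timeout"))
        elif not low <= timeout <= high:
            findings.append((profile, f"session-timeout {timeout} outside {low}-{high}"))
        if cmds.get("peer-blocking") not in ("drop", "forward-upstream"):
            findings.append((profile, "peer-blocking is not drop or forward-upstream"))
        if cmds.get("exclusionlist") == "0":
            findings.append((profile, "exclusionlist 0: clients are excluded permanently"))
    for ssid, profiles in by_ssid.items():
        if len(profiles) > 1:
            findings.append((ssid, "same SSID on WLANs " + ", ".join(profiles)))
    return findings


if __name__ == "__main__":
    for subject, finding in audit(SAMPLE, dot1x_profiles=("corp",)):
        print(f"{subject}: {finding}")
```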
Step 1 | Click Configuration > Wireless. The WLANs page is displayed. |
Step 2 | Locate the WLAN you want to configure by using the search mechanisms on the page. |
Step 3 | Click on the WLAN Profile of the WLAN. The WLAN > Edit page is displayed. |
Step 4 | Click on the Advanced Properties tab. |
Step 5 | Configure the Advanced properties. |
Step 6 | Click Apply. |
Step 1 | Choose . |
Step 2 | Expand the WLAN node by clicking on the left pane and choose WLANs. The WLANs page is displayed. |
Step 3 | Select the WLAN for which you want to configure the QoS policies by clicking on the WLAN Profile. |
Step 4 | Click the QoS tab to configure the QoS policies on the WLAN. You can also configure precious metal policies for the WLAN. The following options are available: |
Step 5 | Click Apply. |
Command | Description |
---|---|
show wlan id wlan-id | Displays WLAN properties based on the WLAN ID. |
show wlan name wlan-name | Displays WLAN properties based on the WLAN name. |
show wlan all | Displays WLAN properties of all configured WLANs. |
show wlan summary | Displays a summary of all WLANs. The summary details include the following information: |
show running-config wlan wlan-name | Displays the running configuration of a WLAN based on the WLAN name. |
show running-config wlan | Displays the running configuration of all WLANs. |
Proceed to configure DHCP for WLANs.
Related Topic | Document Title |
---|---|
WLAN command reference | WLAN Command Reference, Cisco IOS XE Release 3SE (Catalyst 3650 Switches) |
Mobility Anchor configuration | Mobility Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3650 Switches) |
WebAuth Configuration | Security Configuration Guide (Catalyst 3650 Switches) |
Description | Link |
---|---|
To help you research and resolve system error messages in this release, use the Error Message Decoder tool. | https://www.cisco.com/cgi-bin/Support/Errordecoder/index.cgi |
MIB | MIBs Link |
---|---|
All supported MIBs for this release. | To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: |
Description | Link |
---|---|
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. |
Feature | Release | Modification |
---|---|---|
WLAN Functionality | Cisco IOS XE 3.3SE | This feature was introduced. |