WLANs

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Information About WLANs

This feature enables you to control up to 64 WLANs for lightweight access points. Each WLAN has a separate WLAN ID, a separate profile name, and a WLAN SSID. All devices publish up to 16 WLANs to each connected access point, but you can create up to the maximum number of WLANs supported and then selectively publish these WLANs (using access point groups) to different access points to better manage your wireless network.

You can configure WLANs with different SSIDs or with the same SSID. An SSID identifies the specific wireless network that you want the device to access.

Band Selection

Band selection enables client radios that are capable of dual-band (2.4 and 5-GHz) operations to move to a less congested 5-GHz access point. The 2.4-GHz band is often congested. Clients on this band typically experience interference from Bluetooth devices, microwave ovens, and cordless phones as well as co-channel interference from other access points because of the 802.11b/g limit of 3 nonoverlapping channels. To prevent these sources of interference and improve overall network performance, configure band selection on the device.

Off-Channel Scanning Deferral

A lightweight access point, in normal operational conditions, periodically goes off channel and scans another channel. This is in order to perform RRM operations such as the following:

  • Transmitting and receiving NDP packets with other APs.

  • Detecting rogue APs and clients.

  • Measuring noise and interference.

During the off channel period, which normally is about 70 milliseconds, the AP is unable to transmit or receive data on its serving channel. Therefore, there is a slight impact on its performance and some client transmissions might be dropped.

While the AP is sending and receiving important data, it is possible to configure off-channel scanning deferral so that the AP does not go off channel and its normal operation is not impacted. You can configure off-channel scanning deferral on a per-WLAN basis, per WMM UP class basis, with a specified time threshold in milliseconds. If the AP sends or receives, on a particular WLAN, a data frame marked with the given UP class within the specified threshold, the AP defers its next RRM off-channel scan. For example, by default, off-channel scanning deferral is enabled for UP classes 4, 5, and 6, with a time threshold of 100 millseconds. Therefore, when RRM is about to perform an off-channel scan, a data frame marked with UP 4, 5, or 6 is received within the last 100 milliseconds, RRM defers going off-channel. If a voice call, which is sending and receiving audio samples, marked as UP 6, every 20 milliseconds is active, then the AP radio does not go off channel.

Off-channel scanning deferral does come with a tradeoff. Off-channel scanning can impact throughput by 2 percent or more, depending on the configuration, traffic patterns, and so on. Throughput can be slightly improved if you enable off-channel scanning deferral for all traffic classes and increase the time threshold. However, by not going off-channel, RRM can fail to identify AP neighbors and rogues, resulting in negative impact to security, DCA, TPC, and 802.11k messages.

We recommend that you do not change the default off-channel scanning deferral settings.

DTIM Period

In the 802.11 networks, lightweight access points broadcast a beacon at regular intervals, which coincides with the Delivery Traffic Indication Map (DTIM). After the access point broadcasts the beacon, it transmits any buffered broadcast and multicast frames based on the value set for the DTIM period. This feature allows power-saving clients to wake up at the appropriate time if they are expecting broadcast or multicast data.

Typically, the DTIM value is set to 1 (to transmit broadcast and multicast frames after every beacon) or 2 (to transmit after every other beacon). For instance, if the beacon period of the 802.11 network is 100 ms and the DTIM value is set to 1, the access point transmits buffered broadcast and multicast frames 10 times per second. If the beacon period is 100 ms and the DTIM value is set to 2, the access point transmits buffered broadcast and multicast frames 5 times per second. Either of these settings are suitable for applications, including Voice Over IP (VoIP), that expect frequent broadcast and multicast frames.

However, the DTIM value can be set as high as 255 (to transmit broadcast and multicast frames after every 255th beacon) if all 802.11 clients have power save enabled. Because the clients have to listen only when the DTIM period is reached, they can be set to listen for broadcasts and multicasts less frequently which results in a longer battery life. For example, if the beacon period is 100 ms and you set the DTIM value to 100, the access point transmits buffered broadcast and multicast frames once every 10 seconds. This rate allows the power-saving clients to sleep longer before they have to wake up and listen for broadcasts and multicasts, which results in a longer battery life.


Note

A beacon period, which is specified in milliseconds on the device, is converted internally by the software to 802.11 Time Units (TUs), where 1 TU = 1.024 milliseconds. On Cisco’s 802.11n access points, this value is rounded to the nearest multiple of 17 TUs. For example, a configured beacon period of 100 ms results in an actual beacon period of 104 ms.


Many applications cannot tolerate a long time between broadcast and multicast messages, which results in poor protocol and application performance. We recommend that you set a low DTIM value for 802.11 networks that support such clients.

Session Timeouts

You can configure a WLAN with a session timeout. The session timeout is the maximum time for a client session to remain active before requiring reauthorization.

Cisco Client Extensions

The Cisco Client Extensions (CCX) software is licensed to manufacturers and vendors of third-party client devices. The CCX code resident on these clients enables them to communicate wirelessly with Cisco access points and to support Cisco features that other client devices do not, including those features that are related to increased security, enhanced performance, fast roaming, and power management.

  • The software supports CCX versions 1 through 5, which enables devices and their access points to communicate wirelessly with third-party client devices that support CCX. CCX support is enabled automatically for every WLAN on the device and cannot be disabled. However, you can configure Aironet information elements (IEs).

  • If Aironet IE support is enabled, the access point sends an Aironet IE 0x85 (which contains the access point name, load, number of associated clients, and so on) in the beacon and probe responses of this WLAN, and the device sends Aironet IEs 0x85 and 0x95 (which contains the management IP address of the device and the IP address of the access point) in the reassociation response if it receives Aironet IE 0x85 in the reassociation request.

Peer-to-Peer Blocking

Peer-to-peer blocking is applied to individual WLANs, and each client inherits the peer-to-peer blocking setting of the WLAN to which it is associated. Peer-to-Peer enables you to have more control over how traffic is directed. For example, you can choose to have traffic bridged locally within the device, dropped by the device, or forwarded to the upstream VLAN.

Peer-to-peer blocking is supported for clients that are associated with the local switching WLAN.

Diagnostic Channel

You can choose a diagnostic channel to troubleshoot why the client is having communication problems with a WLAN. You can test the client and access points to identify the difficulties that the client is experiencing and allow corrective measures to be taken to make the client operational on the network. You can use the device GUI or CLI to enable the diagnostic channel, and you can use the device CLI to run the diagnostic tests.


Note

We recommend that you enable the diagnostic channel feature only for nonanchored SSIDs that use the management interface. CCX Diagnostic feature has been tested only with clients having Cisco ADU card


Per-WLAN Radius Source Support

The device sources RADIUS traffic from the IP address of its management interface unless the configured RADIUS server exists on a VLAN accessible via one of the device Dynamic interfaces. If a RADIUS server is reachable via a device Dynamic interface, RADIUS requests to this specific RADIUS server will be sourced from the controller via the corresponding Dynamic interface.

By default, RADIUS packets sourced from the device will set the NAS-IP-Address attribute to that of the management interface's IP Address, regardless of the packet's source IP Address (Management or Dynamic, depending on topology).

When you enable per-WLAN RADIUS source support (Radius Server Overwrite interface) the NAS-IP-Address attribute is overwritten by the device to reflect the sourced interface. Also, RADIUS attributes are modified accordingly to match the identity. This feature virtualizes the device on the per-WLAN RADIUS traffic, where each WLAN can have a separate layer 3 identity. This feature is useful in deployments that integrate with ACS Network Access Restrictions and Network Access Profiles.

To filter WLANs, use the callStationID that is set by RFC 3580 to be in the APMAC:SSID format. You can also extend the filtering on the authentication server to be on a per-WLAN source interface by using the NAS-IP-Address attribute.

You can combine per-WLAN RADIUS source support with the normal RADIUS traffic source and some WLANs that use the management interface and others using the per-WLAN dynamic interface as the address source.

Prerequisites for WLANs

  • You can associate up to 16 WLANs with each access point group and assign specific access points to each group. Each access point advertises only the enabled WLANs that belong to its access point group. The access point (AP) does not advertise disabled WLANs in its access point group or WLANs that belong to another group.

  • We recommend that you assign one set of VLANs for WLANs and a different set of VLANs for management interfaces to ensure that devices properly route VLAN traffic.

Restrictions for WLANs

  • When you change the WLAN profile name, then FlexConnect APs (using AP-specific VLAN mapping) will become WLAN-specific. If FlexConnect Groups are properly configured, the VLAN mapping will become Group-specific.

  • Do not enable IEEE 802.1X Fast Transition on Flex Local Authentication enabled WLAN, as client association is not supported with Fast Transition 802.1X key management.

  • Peer-to-peer blocking does not apply to multicast traffic.

  • You can configure a maximum up to of 2000 clients.

  • The WLAN name and SSID can have up to 32 characters.

  • Special characters are not supported for the WLAN name.

  • WLAN name cannot be a keyword; for example, if you try to create a WLAN with the name as 's' by entering the wlan s command, it results in shutting down all WLANs because 's' is used as a keyword for shutdown.

  • You cannot map a WLAN to VLAN0, and you cannot map VLANs 1002 to 1006.

  • Dual stack clients with a static-IPv4 address is not supported.

  • When creating a WLAN with the same SSID, you must create a unique profile name for each WLAN.

  • When multiple WLANs with the same SSID get assigned to the same AP radio, you must have a unique Layer 2 security policy so that clients can safely select between them.

  • When WLAN is local switching, associate the client to local-switching WLAN where AVC is enabled. Send some traffic from client, when you check the AVC stats after 90 sec. Cisco WLC shows stats under top-apps but does not show under client. There is timer issue so for the first slot Cisco WLC might not show stats for the clients. Earlier, only 1 sec stats for a client is seen if the timers at AP and at WLC are off by 89 seconds. Now, clearing of the stats is after 180 seconds so stats from 91 seconds to 179 seconds for a client is seen. This is done because two copies of the stats per client cannot be kept due to memory constraint in Cisco 5508 WLC.

  • RADIUS Server Overwrite interface per wlan feature is not supported. However, you can achieve the same using the following configuration:

    • Configure a RADIUS Authentication Server

    • Configure a RADIUS Authentication Server Group

    • Create 802.1x WLAN

    • Configure Wireless Profile Policy and Attach it to the VLAN

    Configure a RADIUS Authentication Server

    • Device (config)# radius server server-name

    • Device (config-radius-server)# address ipv4 address auth-port auth_port_number acct-port acct_port_number

    • Device (config-radius-server)# key key

    Configure a RADIUS Authentication Server Group

    • Device(config)# aaa group server radius server-name

    • Device(config)# server name server-name

    • Device(config)# ip radius source-interface vlan vlan-name

    • Device(config)# aaa authentication dot1x dot1x_name group server-name

    Create 802.1x WLAN

    • Device(config)# wlan wlan-name id ssid

    • Device(config-wlan)# security dot1x authentication-list list-name

    • Device(config-wlan)# no shutdown

    Configure Wireless Profile Policy and Attach it to VLAN

    • Device(config)# wireless profile policy profile-name

    • Device(config-wireless-policy)# vlan vlan-name

    • Device(config-wireless-policy)# no shutdown

    A sample configuration on the Cisco Wireless Controller is given below:
    radius server RAD_EXT_3                                                                          
     address ipv4 9.2.62.56 auth-port 1812 acct-port 1813                                           
     key cisco
     
     
    aaa group server radius AAA_EXT_3
    server name RAD_EXT_3
    ip radius source-interface vlan 50
     
    aaa authentication dot1x test_ext group AAA_EXT_3
     
    wlan test_wpa2_dot1x 2 test_wpa2_dot1x
    security dot1x authentication-list test_ext
    no shutdown
     
     
    wireless profile policy pp-1
    vlan 50
    no shutdown
    
    
    radius server RAD_EXT_3                                                                    
     address ipv4 9.2.62.56 auth-port 1812 acct-port 1813                                           
     key cisco
     
     
    aaa group server radius AAA_EXT_2
    server name RAD_EXT_3
    ip radius source-interface vlan 51
     
    aaa authentication dot1x test_ext_2 group AAA_EXT_2
     
    wlan test_wpa2 3 test_wpa3
    security dot1x authentication-list test_ext_2
    no shutdown
     
     
    wireless profile policy pp-1
    vlan 51
    no shutdown

Caution

Some clients might not be able to connect to WLANs properly if they detect the same SSID with multiple security policies. Use this feature with care.


How to Configure WLANs

Creating WLANs (CLI)

Procedure

  Command or Action Purpose
Step 1

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 2

wlan profile-name wlan-id [ssid]

Example:

Device(config)# wlan mywlan 34 mywlan-ssid

Specifies the WLAN name and ID:

  • For the profile-name, enter the profile name. The range is from 1 to 32 alphanumeric characters.

  • For the wlan-id, enter the WLAN ID. The range is from 1 to 512.

  • For the ssid, enter the Service Set Identifier (SSID) for this WLAN. If the SSID is not specified, the WLAN profile name is set as the SSID.

Note 

By default, the WLAN is disabled.

Step 3

end

Example:

Device(config)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Deleting WLANs (CLI)

Procedure

  Command or Action Purpose
Step 1

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 2

no wlan wlan-name wlan-id ssid

Example:

Device(config)# no wlan test2
Deletes the WLAN. The arguments are as follows:
  • The wlan-name is the WLAN profile name.

  • The wlan-id is the WLAN ID.

  • The ssid is the WLAN SSID name configured for the WLAN.

Note 

If you delete a WLAN that is part of an AP group, the WLAN is removed from the AP group and from the AP's radio.

Step 3

end

Example:

Device(config)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Searching WLANs (CLI)

Procedure

Command or Action Purpose

show wlan summary

Example:

Device# show wlan summary

Displays the list of all WLANs configured on the device. You can search for the WLAN in the output.

Example

Device# show wlan summary
Number of WLANs: 4

WLAN Profile Name                     SSID                           VLAN Status
--------------------------------------------------------------------------------
1    test1                             test1-ssid                     137  UP
3    test2                             test2-ssid                     136  UP
2    test3                             test3-ssid                     1    UP
45   test4                             test4-ssid                     1    DOWN

You can also use wild cards to search WLANs. For example show wlan summary include | variable . Where variable is any search string in the output.

Device# show wlan summary | include test-wlan-ssid
1    test-wlan                       test-wlan-ssid                     137   UP

Enabling WLANs (CLI)

Procedure

  Command or Action Purpose
Step 1

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 2

wlan profile-name

Example:

Device# wlan test4

Enters WLAN configuration submode. The profile-name is the profile name of the configured WLAN.

Step 3

no shutdown

Example:

Device(config-wlan)# no shutdown

Enables the WLAN.

Step 4

end

Example:

Device(config)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Disabling WLANs (CLI)

Procedure

  Command or Action Purpose
Step 1

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 2

wlan profile-name

Example:

Device# wlan test4

Enters WLAN configuration submode. The profile-name is the profile name of the configured WLAN.

Step 3

shutdown

Example:

Device(config-wlan)# shutdown

Disables the WLAN.

Step 4

end

Example:

Device(config)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Step 5

show wlan summary

Example:

Device# show wlan summary

Displays the list of all WLANs configured on the device. You can search for the WLAN in the output.

Configuring General WLAN Properties (CLI)

You can configure the following properties:

  • Media stream

  • Broadcast SSID

  • Call Snooping

  • Radio

  • Interface

  • Status

Procedure

  Command or Action Purpose
Step 1

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 2

wlan profile-name

Example:

Device# wlan test4

Enters WLAN configuration submode. The profile-name is the profile name of the configured WLAN.

Step 3

shutdown

Example:

Device# shutdown

Disables the WLAN before configuring the parameters.

Step 4

broadcast-ssid

Example:

Device(config-wlan)# broadcast-ssid
Broadcasts the SSID for this WLAN. This field is enabled by default.
Step 5

radio {all | dot11a | dot11ag | dot11bg | dot11g}

Example:

Device# radio all

Enables radios on the WLAN. The keywords are as follows:

  • all —Configures the WLAN on all radio bands.

  • dot1a —Configures the WLAN on only 802.11a radio bands.

  • dot11g —Configures the WLAN on 802.11ag radio bands.

  • dot11bg —Configures the WLAN on only 802.11b/g radio bands (only 802.11b if 802.11g is disabled).

  • dot11ag — Configures the wireless LAN on 802.11g radio bands only.

Step 6

client vlan vlan-identifier

Example:


Device# client vlan test-vlan
Enables an interface group on the WLAN.

vlan-identifier—Specifies the VLAN identifier. This can be the VLAN name, VLAN ID, or VLAN group name.

Step 7

ip multicast vlan vlan-name

Example:

Device(config-wlan)# ip multicast vlan test

Enables IP multicast on a WLAN. The keywords are as follows:

  • vlan —Specifies the VLAN ID.

  • vlan-name —Specifies the VLAN name.

Step 8

media-stream multicast-direct

Example:

Device(config-wlan)# media-stream multicast-direct

Enables multicast VLANs on this WLAN.

Step 9

call-snoop

Example:

Device(config-wlan)# call-snoop

Enables call-snooping support.

Step 10

no shutdown

Example:

Device(config-wlan)# no shutdown

Enables the WLAN.

Step 11

end

Example:

Device(config)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Configuring Advanced WLAN Properties (CLI)

You can configure the following advanced properties:

  • AAA Override

  • Coverage Hole Detection

  • Session Timeout

  • Cisco Client Extensions

  • Diagnostic Channels

  • Interface Override ACLs

  • P2P Blocking

  • Client Exclusion

  • Maximum Clients Per WLAN

  • Off Channel Scan Defer

Procedure

  Command or Action Purpose
Step 1

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 2

wlan profile-name

Example:

Device# wlan test4

Enters WLAN configuration submode. The profile-name is the profile name of the configured WLAN.

Step 3

aaa-override

Example:

Device(config-wlan)# aaa-override

Enables AAA override.

Step 4

chd

Example:

Device(config-wlan)# chd

Enables coverage hole detection for this WLAN. This field is enabled by default.

Step 5

session-timeout time-in-seconds

Example:

Device(config-wlan)# session-timeout 450

Sets the session timeout in seconds. The range and default values vary according to the security configuration. If the WLAN security is configured to dot1x, the range is 300 to 86400 seconds and the default value is 1800 seconds. For all other WLAN security configurations, the range is 1 to 65535 seconds and the default value is 0 seconds. A value of 0 indicates no session timeout.

Step 6

ccx aironet-iesupport

Example:

Device(config-wlan)# ccx aironet-iesupport

Enables support for Aironet IEs for this WLAN. This field is enabled by default.

Step 7

diag-channel

Example:

Device(config-wlan)# diag-channel

Enables diagnostic channel support to troubleshoot client communication issues on a WLAN.

Step 8

ip access-group [web] acl-name

Example:

Device(config)# ip access-group test-acl-name

Configures the WLAN ACL group. The variable acl-name specifies the user-defined IPv4 ACL name. The keyword web specifies the IPv4 web ACL.

Step 9

peer-blocking [ drop | forward-upstream]

Example:

Device(config)# peer-blocking drop

Configures peer to peer blocking parameters. The keywords are as follows:

  • drop—Enables peer-to-peer blocking on the drop action.

  • forward-upstream—Enables peer-to-peer blocking on the forward upstream action.

Step 10

exclusionlist time-in-seconds

Example:

Device(config)# exclusionlist 10

Specifies the timeout in seconds. The valid range is from 0 to 2147483647. Enter 0 for no timeout. A zero (0) timeout indicates that the client is permanently added to the exclusion list.

Step 11

client association limit max-number-of-clients

Example:

Device(config)# client association limit 200

Sets the maximum number of clients that can be configured on a WLAN.

Step 12

channel-scan defer-priority {defer-priority {0-7} | defer-time {0 - 6000}}

Example:

Device(config)# channel-scan defer-priority 6
Sets the channel scan defer priority and defer time. The arguments are as follows:
  • defer-priority —Specifies the priority markings for packets that can defer off-channel scanning. The range is from 0 to 7. The default is 3.

  • defer-time —Deferral time in milliseconds. The range is from 0 to 6000. The default is 100.

Step 13

end

Example:

Device(config)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Monitoring WLAN Properties (CLI)

Command Description
show wlan id wlan-id

Displays WLAN properties based on the WLAN ID.

show wlan name wlan-name

Displays WLAN properties based on the WLAN name.

show wlan all

Displays WLAN properties of all configured WLANs.

show wlan summary

Displays a summary of all WLANs. The summary details includes the following information:

  • WLAN ID

  • Profile name

  • SSID

  • VLAN

  • Status

show running-config wlan wlan-name

Displays the running configuration of a WLAN based on the WLAN name.

show running-config wlan

Displays the running configuration of all WLANs.

Where to Go Next

Proceed to configure DHCP for WLANs.

Additional References

Related Documents

Related Topic Document Title
WLAN command reference WLAN Command Reference, Cisco IOS XE Release 3SE (Catalyst 3850 Switches)
Mobility Anchor configuration Mobility Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3850 Switches)
WebAuth Configuration Security Configuration Guide (Catalyst 3850 Switches)

Error Message Decoder

Description Link

To help you research and resolve system error messages in this release, use the Error Message Decoder tool.

https://www.cisco.com/cgi-bin/Support/Errordecoder/index.cgi

MIBs

MIB MIBs Link
All the supported MIBs for this release.

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs

Technical Assistance

Description Link

The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

http://www.cisco.com/support

Feature Information for WLANs

This table lists the features in this module and provides links to specific configuration information:

Feature

Release

Modification

WLAN Functionality

Cisco IOS XE 3.2SE

This feature was introduced.