Configuring Fabric In A Box With Embedded Wireless Controller

Fabric in a Box is a single device that is configured as a border node, a control plane node, and an edge node. This single device also supports an embedded wireless controller.

The following platforms support Cisco Catalyst 9800 Embedded Wireless Controller for a fabric in a box deployment:

  • Cisco Catalyst 9300 Series Switches

  • Cisco Catalyst 9400 Series Switches

  • Cisco Catalyst 9500 Series Switches

This chapter describes only the configurations that are required to add the wireless functionality in an existing fabric in a box topology for wired endpoints.

Prerequisites for Configuring Fabric in a Box with Embedded Wireless

  • Ensure that the Fabric in a Box device is already configured as edge, border, and control plane nodes for wired endpoints.

    For configuration details, refer to Configuring Fabric In a Box for Wired Devices.

  • A Fabric in a Box device should operate in Install mode for a wireless package to be installed. You can install Cisco Catalyst 9800 Series Wireless Controller as a sub-package on top of the base image on the switch.

    Ensure that the wireless package is the same version as the base image on the switch (Cisco IOS XE). For example, if the switch is operating on Cisco IOS XE 17.10.1, install the 17.10.1 version of the wireless package on the switch.

    To download a wireless package, go to the Software Download page, navigate to the switch family, and select the IOS XE Wireless Controller Software Package Software Type.

    For information on booting a switch in Install mode and installing a sub-package, refer to Cisco Catalyst 9800 Series Wireless Controller Software Configuration Guide.

How to Configure Fabric In A Box with Embedded Wireless

Perform the following procedure to enable wireless functionality in a fabric in a box.

Procedure


Step 1

Enable the wireless controller on the switch. Configure the wireless management interface (WMI) as a loopback interface. The WMI is used for all the CAPWAP messages between the wireless controller and the fabric APs.

wireless-controller 
wireless management interface Loopback0

Step 2

Configure a Switched Virtual Interface (SVI) for the AP VLAN.

Note: Ensure that you assign the same MAC address for a given SVI, across all fabric edges within the fabric site. We recommend that you use a MAC address starting from the base range value of 0000.0C9F.F05F.


interface Vlan92
 description AP SVI
 ! Common MAC address
 mac-address 0000.0c9f.f42a
 ip address 10.92.1.1 255.255.255.0
 ip helper-address 192.168.132.1   
 no ip redirects
 no lisp mobility liveness test
 lisp mobility APVlan92-IPV4 
 no autostate
!

Step 3

Configure an SVI for the Wireless Client VLAN.

Note: Ensure that you assign the same MAC address for a given SVI, across all fabric edges within the fabric site. We recommend that you use a MAC address starting from the base range value of 0000.0C9F.F05F.

interface Vlan51
 description Client SVI 
 ! Common MAC address
 mac-address 0000.0c9f.f7df
 vrf forwarding VN4
 ip address 10.51.1.1 255.255.255.0
 ip helper-address 192.168.132.1
 no ip redirects
 no lisp mobility liveness test
 lisp mobility wireless-VN-IPV4
 no autostate
!

Step 4

Define a Locator set for the wireless controller.

router lisp
 ...
 locator-table default
 locator-set WLC
  ! IP address of the WMI
  192.168.99.1
  exit-locator-set
 !

Step 5

Configure open passive TCP sockets on the control plane node to listen for incoming connections.

map-server session passive-open WLC

Step 6

Configure the LISP Site to accept EID prefixes.

...
site site_uci
  description map-server1
  authentication-key 7 auth-key
  eid-record instance-id 4097 10.92.1.0/24 accept-more-specifics
  eid-record instance-id 4098 10.51.1.0/24 accept-more-specifics
  eid-record instance-id 8188 any-mac
  eid-record instance-id 8189 any-mac
  exit-site
 !

Step 7

Configure dynamic EID for the AP subnets in the default instance.

...
  instance-id 4097
  remote-rloc-probe on-route-change
  dynamic-eid APVlan92-IPV4
    database-mapping 10.92.1.0/24 locator-set rloc_set
   exit-dynamic-eid
  !
 exit-instance-id
 !

Step 8

Configure dynamic EID for the wireless client subnets in the user-defined instance that is mapped to a VRF.

... 
 instance-id 4098
  remote-rloc-probe on-route-change
  dynamic-eid wireless-VN-IPV4
   database-mapping 10.51.1.0/24 locator-set rloc_set
   exit-dynamic-eid
  !
 exit-instance-id
 !

Step 9

Configure Layer 2 VNI for the wireless client VLAN.

...
 instance-id 8188
   remote-rloc-probe on-route-change
   service ethernet
     eid-table vlan 51
     database-mapping mac locator-set rloc_set
   exit-service-ethernet
  !
  exit-instance-id
 !

Step 10

Configure Layer 2 VNI for the AP VLAN.

... 
 instance-id 8189
  remote-rloc-probe on-route-change
  service ethernet
   eid-table vlan 92
   database-mapping mac locator-set rloc_set
   exit-service-ethernet
  !
  exit-instance-id
 !
exit-router-lisp
!

Step 11

Enable fabric operations on the wireless controller. The following table describes the commands that configure an embedded wireless controller for fabric operations.

Step

Command or Action

Description

a)

wireless fabric

Example:

Switch(config)# wireless fabric

Enables the wireless functionality on the switch.

b)

wireless fabric control-plane cp-name

Example:


Switch(config)# wireless fabric control-plane default-control-plane

Configures the name of the fabric control plane.

You can assign a name of your choice to the control plane.

c)

ip address cp-ip address key authentication-key

Example:

Switch(config-wireless-cp)# ip address 172.16.1.68 key 0 some-key
Switch(config-wireless-cp)# end

Configures the IP address of the control plane and the authentication key shared with the control plane.

d)

wireless fabric name fabric-name l2-vnid l2-vnid control-plane-name cp-name

Example:

Switch(config)# wireless fabric name wireless-VN-IPV4 l2-vnid 8188 control-plane-name default-control-plane

Registers the wireless client VLAN with the control plane.

e)

wireless fabric name fabric-name l2-vnid l2-instance-id l3-vnid l3-instance-id control-plane-name cp-name

Example:

Switch(config)# wireless fabric name APVlan92-IPV4 l2-vnid 8189 l3-vnid 4097 ip 10.92.1.1 255.255.255.0 control-plane-name default-control-plane

Registers the AP VLAN with the control plane.

f)

wlan wlan-name wlan-id SSID-name

Example:

Switch(config)# wlan kFiab-local-open_profile 17 kFiab-local-open 
Switch(config-wlan)# no shutdown
Switch(config-wlan)# end

Configures a WLAN.

This example configures a WLAN with an ID of 17 and an SSID named kFiab-local-open. It also enables the WLAN using the no shutdown command.

g)

wireless profile fabric profile-policy

Example:

Switch(config)# wireless profile fabric kFiab-local-open_profile  
Switch(config-wireless-fabric)# description local-open-profile
Switch(config-wireless-fabric)# client-l2-vnid 8188
Switch(config-wireless-fabric)# end

Configures a fabric profile.

This example creates a fabric profile named kFiab-local-open_profile and associates the Layer 2 VNI (8188) with the fabric profile.

h)

wireless profile policy profile-policy

Example:

Switch(config)# wireless profile policy kFiab-local-open_profile
! Specify local DHCP mode
Switch(config-wireless-policy)# no central dhcp
! Configure WLAN for local switching
Switch(config-wireless-policy)# no central switching
! Provide a description for the wireless policy
Switch(config-wireless-policy)# description kFiab-local-open_profile
! Map the fabric profile that was created in the previous step
Switch(config-wireless-policy)# fabric kFiab-local-open_profile
! Enable the profile policy
Switch(config-wireless-policy)# no shutdown
Switch(config-wireless-policy)# end

Configures a wireless policy profile and maps the fabric profile to it.

The example configures a wireless profile policy named kFiab-local-open_profile and maps a fabric profile to it, using the fabric profile-policy command.

You can configure more wireless and fabric profiles as shown in Configuration Example for Fabric In A Box with Embedded Wireless.
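A LISP map-server accepts a registration only when the EID prefix is covered by a site eid-record in the same instance ID, so the entries from Steps 6 to 11 have to agree with each other. The following consistency check is an added example, not Cisco code and not part of the original guide; parse(), audit() and the SAMPLE text are constructed for illustration, and the two Layer 3 eid-records in SAMPLE are deliberately placed under the wrong instance IDs so that the check has something to report.

```python
import ipaddress
import re

# Constructed input (not a device capture); Layer 3 eid-records are wrong on purpose.
SAMPLE = """\
router lisp
 instance-id 4097
  dynamic-eid APVlan92-IPV4
   database-mapping 10.92.1.0/24 locator-set rloc_set
 instance-id 4098
  dynamic-eid wireless-VN-IPV4
   database-mapping 10.51.1.0/24 locator-set rloc_set
 instance-id 8188
  service ethernet
   eid-table vlan 51
 instance-id 8189
  service ethernet
   eid-table vlan 92
 site site_uci
  eid-record instance-id 4097 10.51.1.0/24 accept-more-specifics
  eid-record instance-id 4098 10.92.1.0/24 accept-more-specifics
  eid-record instance-id 8188 any-mac
  eid-record instance-id 8189 any-mac
wireless fabric name APVlan92-IPV4 l2-vnid 8189 l3-vnid 4097 ip 10.92.1.1 255.255.255.0 control-plane-name default-control-plane
wireless fabric name wireless-VN-IPV4 l2-vnid 8188 control-plane-name default-control-plane
"""

def parse(cfg):  # collect instance mappings, site eid-records, wireless fabric names
    mapped, l2, records, fabric, iid = {}, {}, {}, {}, None
    for s in map(str.strip, cfg.splitlines()):
        if m := re.match(r"instance-id (\d+)$", s):
            iid = int(m[1])
        elif m := re.match(r"database-mapping (\S+/\d+) locator-set", s):
            mapped.setdefault(iid, []).append(ipaddress.ip_network(m[1]))
        elif m := re.match(r"eid-table vlan (\d+)$", s):
            l2[iid] = int(m[1])
        elif m := re.match(r"eid-record instance-id (\d+) (\S+)", s):
            records.setdefault(int(m[1]), []).append(m[2])
        elif m := re.match(r"wireless fabric name (\S+) l2-vnid (\d+)(?: l3-vnid (\d+))?", s):
            fabric[m[1]] = (int(m[2]), int(m[3]) if m[3] else None)
    return mapped, l2, records, fabric

def audit(cfg):
    """Return sorted inconsistencies; an empty list means the pieces agree."""
    mapped, l2, records, fabric = parse(cfg)
    issues = []
    for iid, nets in mapped.items():
        allowed = [ipaddress.ip_network(r) for r in records.get(iid, []) if r != "any-mac"]
        for net in nets:
            if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
                issues.append(f"instance {iid}: {net} not covered by a site eid-record")
    for iid in l2:
        if "any-mac" not in records.get(iid, []):
            issues.append(f"instance {iid}: no any-mac eid-record for Layer 2 VNI")
    for name, (l2id, l3id) in fabric.items():
        if l2id not in l2:
            issues.append(f"wireless fabric {name}: l2-vnid {l2id} has no service ethernet instance")
        if l3id is not None and l3id not in mapped:
            issues.append(f"wireless fabric {name}: l3-vnid {l3id} has no dynamic-eid instance")
    return sorted(issues)

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "consistent")
```

Run it against a saved copy of the running configuration before and after a change; any line it prints names the instance ID whose entries disagree.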


Configuration Example for Fabric In A Box with Embedded Wireless

This example shows a sample configuration for a fabric in a box construct in the LISP VXLAN fabric depicted in the topology. The fabric in a box device is a Cisco Catalyst 9000 Series switch that functions as a control plane node, border node, edge node, and wireless controller. The loopback IPv4 address of the switch is 172.16.1.68. A fabric-capable Access Point (AP) with a subnet of 10.92.1.0/24 is connected to the fabric edge node interface.

Figure 1. LISP VXLAN Topology for Fabric in a Box with Embedded Wireless

Fabric in a Box


wireless-controller
wireless management interface Loopback0
!
vrf definition VN4
 rd 1:4098
 !
 address-family ipv4
  route-target export 1:4098
  route-target import 1:4098
 exit-address-family
!
interface Vlan92
 description AP SVI
 mac-address 0000.0c9f.f42a 
 ip address 10.92.1.1 255.255.255.0
 ip helper-address 192.168.132.1   
 no ip redirects
 no lisp mobility liveness test
 lisp mobility APVlan92-IPV4 
 no autostate
!
interface Vlan51
 description Client SVI 
 mac-address 0000.0c9f.f7df 
 vrf forwarding VN4
 ip address 10.51.1.1 255.255.255.0
 ip helper-address 192.168.132.1
 no ip redirects
 no lisp mobility liveness test
 lisp mobility wireless-VN-IPV4
 no autostate
!

vrf definition VN3
 rd 1:4099
 !
 address-family ipv4
  route-target export 1:4099
  route-target import 1:4099
 exit-address-family
 !
 address-family ipv6
  route-target export 1:4099
  route-target import 1:4099
 exit-address-family

vlan 222
 name 222
!
interface Vlan222
 description vrf-external
 vrf forwarding VN3
 ip address 10.20.1.1 255.255.255.252
 no ip redirects
 ipv6 address 2001:DB8:20::1/126
 ipv6 enable
   
!
interface TenGigabitEthernet1/0/4
 switchport mode trunk

device-tracking tracking
!
device-tracking policy IPDT_POLICY
 no protocol udp
 tracking enable
!

interface TenGigabitEthernet1/0/5
 device-tracking attach-policy IPDT_POLICY
!
 ipv6 nd raguard
 ipv6 dhcp guard
!
vlan 50
 name AVlan50
!
vlan 91
 name AVlan91
!
interface Vlan50
 description server1
 mac-address 0000.0c9f.f18e
 vrf forwarding VN3
 ip address 10.50.1.1 255.255.255.0
 ip helper-address 172.16.2.2
 no ip redirects
 ipv6 address 2001:DB8:2050::1/64
 ipv6 enable
 ipv6 nd dad attempts 0
 ipv6 nd prefix 2001:DB8:2050::/64 2592000 604800 no-autoconfig
 ipv6 nd managed-config-flag
 ipv6 nd other-config-flag
 ipv6 nd router-preference High
 ipv6 dhcp relay destination 2001:DB8:2::2
 ipv6 dhcp relay source-interface Vlan50
 ipv6 dhcp relay trust
 no lisp mobility liveness test
 lisp mobility AVlan50-IPV4
 lisp mobility AVlan50-IPV6
 no autostate
!
interface Vlan91
 description default-interface
 mac-address 0000.0c9f.f984
 ip address 10.91.1.1 255.255.255.0
 ip helper-address 172.16.2.2
 no ip redirects
 no lisp mobility liveness test
 lisp mobility AVlan91-IPV4
 no autostate
!
ip dhcp relay information option
ip dhcp snooping vlan 50,91
ip dhcp snooping

router lisp
 locator-table default
 locator-set default_etr_locator
  IPv4-interface Loopback0 priority 10 weight 10
  exit-locator-set
 !
 locator-set rloc_set
  IPv4-interface Loopback0 priority 10 weight 10
  auto-discover-rlocs
  exit-locator-set
 !
 locator-set WLC
  192.168.99.1
  exit-locator-set
 !
 locator default-set rloc_set
 service ipv4
  encapsulation vxlan
  map-cache publications
  import publication publisher 172.16.1.68
  itr map-resolver 172.16.1.68
  etr map-server 172.16.1.68 key 7 auth-key
  etr map-server 172.16.1.68 proxy-reply
  etr
  sgt
  route-export publications
  distance publications 250
  proxy-etr
  proxy-itr 172.16.1.68
  map-server
  map-resolver
  exit-service-ipv4
 !
 service ipv6
  encapsulation vxlan
  map-cache publications
  import publication publisher 172.16.1.68
  itr map-resolver 172.16.1.68
  etr map-server 172.16.1.68 key 7 auth-key
  etr map-server 172.16.1.68 proxy-reply
  etr
  sgt
  route-export publications
  distance publications 250
  proxy-etr
  proxy-itr 172.16.1.68
  map-server
  map-resolver
  exit-service-ipv6
 !
 service ethernet
  itr map-resolver 172.16.1.68
  itr
  etr map-server 172.16.1.68 key 7 auth-key
  etr map-server 172.16.1.68 proxy-reply
  etr
  map-server
  map-resolver
  exit-service-ethernet
 !
 
 instance-id 4097
  remote-rloc-probe on-route-change
  dynamic-eid AVlan91-IPV4
   database-mapping 10.91.1.0/24 locator-set rloc_set
   exit-dynamic-eid
  !
  dynamic-eid APVlan92-IPV4
    database-mapping 10.92.1.0/24 locator-set rloc_set
   exit-dynamic-eid
  ! 
  service ipv4
   eid-table default
   map-cache 10.91.1.0/24 map-request
   exit-service-ipv4
  !
  exit-instance-id
 !
 
 instance-id 4099
  remote-rloc-probe on-route-change
  dynamic-eid AVlan50-IPV4
   database-mapping 10.50.1.0/24 locator-set rloc_set
   exit-dynamic-eid
  !
  dynamic-eid AVlan50-IPV6
   database-mapping 2001:DB8:2050::/64 locator-set rloc_set
   exit-dynamic-eid
  !  
  dynamic-eid wireless-VN-IPV4
   database-mapping 10.51.1.0/24 locator-set rloc_set
   exit-dynamic-eid
  !
  service ipv4
   eid-table vrf VN3
   database-mapping 0.0.0.0/0 locator-set default_etr_local default-etr local
   exit-service-ipv4
  !
  service ipv6
   eid-table vrf VN3
   database-mapping ::/0 locator-set default_etr_local default-etr local
   exit-service-ipv6
  !
  exit-instance-id
 !
 !
 instance-id 8194
  remote-rloc-probe on-route-change
  service ethernet
   eid-table vlan 91
   database-mapping mac locator-set rloc_set
   exit-service-ethernet
  !
  exit-instance-id
 !
 !
 instance-id 8197
  remote-rloc-probe on-route-change
  service ethernet
   eid-table vlan 50
   database-mapping mac locator-set rloc_set
   exit-service-ethernet
  !
  exit-instance-id
 !
 instance-id 8188
  remote-rloc-probe on-route-change
  service ethernet
   eid-table vlan 51
   database-mapping mac locator-set rloc_set
   exit-service-ethernet
  !
  exit-instance-id
 !
 instance-id 8189
   remote-rloc-probe on-route-change
   service ethernet
     eid-table vlan 92
     database-mapping mac locator-set rloc_set
   exit-service-ethernet
  !
  exit-instance-id
 !
 !
 map-server session passive-open WLC
 site site_uci
  description map-server1
  authentication-key 7 auth-key
  eid-record instance-id 4097 0.0.0.0/0 accept-more-specifics
  eid-record instance-id 4097 10.91.1.0/24 accept-more-specifics
  eid-record instance-id 4097 10.92.1.0/24 accept-more-specifics
  eid-record instance-id 4098 10.51.1.0/24 accept-more-specifics
  eid-record instance-id 4099 0.0.0.0/0 accept-more-specifics
  eid-record instance-id 4099 10.50.1.0/24 accept-more-specifics
  eid-record instance-id 4099 ::/0 accept-more-specifics
  eid-record instance-id 4099 2001:DB8:2050::/64 accept-more-specifics
  eid-record instance-id 8194 any-mac
  eid-record instance-id 8197 any-mac
  eid-record instance-id 8188 any-mac
  eid-record instance-id 8189 any-mac
  allow-locator-default-etr instance-id 4097 ipv4
  allow-locator-default-etr instance-id 4099 ipv4
  allow-locator-default-etr instance-id 4099 ipv6
  exit-site
 !
 ipv4 locator reachability minimum-mask-length 32
 ipv4 locator reachability exclude-default
 ipv4 source-locator Loopback0
 exit-router-lisp
!
router bgp 700
 bgp router-id interface Loopback0
 bgp log-neighbor-changes
 bgp graceful-restart
 !
 address-family ipv4
  bgp redistribute-internal
  bgp aggregate-timer 0
  network 10.91.1.0 mask 255.255.255.0
  network 172.16.1.68 mask 255.255.255.255
  aggregate-address 10.91.1.0 255.255.255.0 summary-only
  redistribute lisp metric 10 route-map LISP_TO_BGP
 exit-address-family
 !
 !
 address-family ipv4 vrf VN3
  bgp aggregate-timer 0
  network 10.20.1.0 mask 255.255.255.252
  network 10.50.1.0 mask 255.255.255.0
  aggregate-address 10.50.1.0 255.255.255.0 summary-only
  redistribute lisp metric 10 route-map LISP_TO_BGP
 exit-address-family
 !
 address-family ipv6 vrf VN3
  redistribute lisp metric 10 route-map LISP_TO_BGP
  bgp aggregate-timer 0
  network 2001:DB8:20::/126
  network 2001:DB8:2050::/64
  aggregate-address 2001:DB8:2050::/64 summary-only
 exit-address-family
!
 address-family ipv4 vrf VN4
  bgp aggregate-timer 0
  network 10.51.1.0 mask 255.255.255.0
  aggregate-address 10.51.1.0 255.255.255.0 summary-only
  redistribute lisp metric 10 route-map LISP_TO_BGP
 exit-address-family
 !

!
route-map LISP_TO_BGP permit 10
 description prefixes_learnt
 set as-path tag
!
wireless fabric
wireless fabric name APVlan92-IPV4 l2-vnid 8189 l3-vnid 4097 ip 10.92.1.1 255.255.255.0 control-plane-name default-control-plane
wireless fabric name wireless-VN-IPV4 l2-vnid 8188 control-plane-name default-control-plane
wireless fabric control-plane default-control-plane ip address 172.16.1.68 key 7 auth-key

wlan kFiab-local-open_profile 17 kFiab-local-open
 radio policy dot11 24ghz
 radio policy dot11 5ghz
 no security wpa
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 no security wpa akm dot1x
 no shutdown
!
wireless profile policy kFiab-local-open_profile
 no central dhcp
 no central switching
 description kFiab-local-open_profile
 dhcp-tlv-caching
 exclusionlist timeout 180
 ! Fabric wireless profile
 fabric kFiab-local-open_profile
 http-tlv-caching
 service-policy input platinum-up
 service-policy output platinum
 session-timeout 1800
 no shutdown
!
!
! Configures wireless profile parameters
wireless profile fabric kFiab-local-open_profile
 client-l2-vnid 8188
 description kFiab-local-open_profile
!!

Verify Fabric in a Box with Embedded Wireless

You can verify the fabric in a box with embedded wireless configuration using the show commands. This section provides the sample outputs for the show commands on the fabric in a box device in the topology shown above.

fiab# show lisp session
Sessions for VRF default, total: 4, established: 3
Peer                 State      Up/Down        In/Out    Users
172.16.1.68:4342    Up         10:48:14      232/144    10
172.16.1.68:51283   Up         10:48:14      144/232    8
172.16.1.68:60947   Up         10:48:15       48/29     3
fiab#

fiab# show wlan summary

Number of WLANs: 1

ID  Profile Name               SSID             Status   2.4GHz/5GHz Security  6GHz Security   
-----------------------------------------------------------------------------------------------------
17  kFiab-local-open_profile   kFiab-local-open    UP     [open]

fiab# show wireless fabric summary

Fabric Status      : Enabled

Control-plane: 
Name                             IP-address        Key                   Status
--------------------------------------------------------------------------------------------
default-control-plane            172.16.1.68      bcad25df225e410d        Up   


Fabric VNID Mapping:
  Name           L2-VNID    L3-VNID     IP Address    Subnet        Control plane name
---------------------------------------------------------------------------------------------- 
APVlan92-IPV4     8189      4097     10.92.1.1  255.255.255.0     default-control-plane            
wireless-VN-IPV4   8188     0         0.0.0.0                     default-control-plane            

fiab#
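The show wireless fabric summary output can be compared with the intended state automatically after a change. The parser below is an added example, not Cisco tooling and not part of the original guide; parse_summary(), verify(), the SUMMARY text and its key value are constructed, and the column layout is assumed to match the sample output above.

```python
import re

# Constructed text in the layout of the "show wireless fabric summary" sample above.
SUMMARY = """\
Fabric Status      : Enabled

Control-plane:
Name                             IP-address        Key                   Status
--------------------------------------------------------------------------------
default-control-plane            172.16.1.68      0123456789abcdef        Up

Fabric VNID Mapping:
  Name           L2-VNID    L3-VNID     IP Address    Subnet        Control plane name
--------------------------------------------------------------------------------
APVlan92-IPV4     8189      4097     10.92.1.1  255.255.255.0     default-control-plane
wireless-VN-IPV4   8188     0         0.0.0.0                     default-control-plane
"""

# Intended state, taken from the "wireless fabric name" commands in Step 11.
EXPECTED = {"APVlan92-IPV4": (8189, 4097), "wireless-VN-IPV4": (8188, 0)}

def parse_summary(text):
    """Return (fabric_enabled, {cp_name: status}, {fabric_name: (l2, l3, cp_name)})."""
    enabled, cps, vnids, section = False, {}, {}, None
    for line in text.splitlines():
        tok = line.split()
        if not tok or re.fullmatch(r"-+", line.strip()):
            continue  # blank line or dashed separator
        if line.startswith("Fabric Status"):
            enabled = tok[-1] == "Enabled"
        elif line.startswith("Control-plane:"):
            section = "cp"
        elif line.startswith("Fabric VNID Mapping:"):
            section = "vnid"
        elif tok[0] == "Name":
            continue  # column header row
        elif section == "cp" and len(tok) >= 4:
            cps[tok[0]] = tok[-1]
        elif section == "vnid" and len(tok) >= 5 and tok[1].isdigit() and tok[2].isdigit():
            # The Subnet column may be empty, so take the control plane from the end.
            vnids[tok[0]] = (int(tok[1]), int(tok[2]), tok[-1])
    return enabled, cps, vnids

def verify(text, expected):
    """Compare reported state with the intended mapping; return a list of problems."""
    enabled, cps, vnids = parse_summary(text)
    problems = [] if enabled else ["fabric is not enabled"]
    problems += [f"control plane {n} is {s}" for n, s in cps.items() if s != "Up"]
    for name, want in expected.items():
        got = vnids.get(name)
        if got is None:
            problems.append(f"{name}: not in VNID mapping")
        elif got[:2] != want:
            problems.append(f"{name}: reported VNIDs {got[:2]}, expected {want}")
        elif got[2] not in cps:
            problems.append(f"{name}: unknown control plane {got[2]}")
    return problems

if __name__ == "__main__":
    print("\n".join(verify(SUMMARY, EXPECTED)) or "fabric summary matches intent")
```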

fiab# show wireless client summary 
Number of Clients: 1

MAC Address    AP Name                Type ID   State    Protocol Method     Role
-------------------------------------------------------------------------------------------------------------------------
4c34.889a.06be AP0CD0.F894.6540       WLAN 17   Run      11ac     None       Local             

Number of Excluded Clients: 0

fiab# show wireless client mac-address 4c34.889a.06be details

Client MAC Address : 4c34.889a.06be
Client MAC Type : Universally Administered Address
Client DUID: NA
Client IPv4 Address : 10.51.1.12
Client IPv6 Addresses : fe80::311d:6e13:9d40:9dab
Client Username: N/A
AP MAC Address : 0cd0.f897.f6c0
AP Name: AP0CD0.F894.6540
AP slot : 1
Client State : Associated
Policy Profile : kFiab-local-open_profile
Flex Profile : default-flex-profile
Wireless LAN Id: 17
WLAN Profile Name: kFiab-local-open_profile
Wireless LAN Network Name (SSID): kFiab-local-open
BSSID : 0cd0.f897.f6ce
Connected For : 41 seconds 
Protocol : 802.11ac
Channel : 140
Client IIF-ID : 0xa0000001
Association Id : 1
Authentication Algorithm : Open System
Idle state timeout : N/A
Session Timeout : 1800 sec (Remaining time: 1764 sec)
Session Warning Time : Timer not running
Input Policy Name  : None
Fabric status : Enabled    <--- displays status of the fabric and other details
  RLOC    : 172.16.1.68  
  VNID    : 8190
  SGT     : 0
  Control plane name  : default-control-plane

<snip output>

fiab#