WLANs

A WLAN is a wireless network feature that

  • enables control of wireless local area networks for lightweight access points

  • supports up to 16 advertised WLANs per access point with up to 4096 total configurable WLANs, and

  • allows selective advertisement using profiles and tags for better manageability.

An SSID identifies the specific wireless network that you want the device to access. You can configure WLANs with different SSIDs or with the same SSID.

WLAN configuration details

Each WLAN has a separate WLAN ID, a separate profile name, and a WLAN SSID.


Note


The wireless client max-user-login concurrent command will work as intended even if the no configure max-user-identity response command is configured.



Note


We recommend that you configure the password encryption aes and the key config-key password-encrypt key commands to encrypt your password.



Note


For C9105, C9115, and C9120 APs, when a new WLAN is pushed from the controller and if the existing WLAN functional parameters are changed, the other WLAN clients will disconnect and reconnect.


Band selection

A band selection is a wireless network feature that

  • facilitates the movement of dual-band client radios from congested frequency bands

  • enables clients to connect to less congested 5-GHz access points for improved network performance, and

  • reduces interference from other devices by optimizing which frequency band clients use.

The 2.4-GHz band is often congested. Clients using this band may experience interference from Bluetooth devices, microwave ovens, cordless phones, and co-channel interference from other access points due to the 802.11b/g channel limit of 3 nonoverlapping channels. By configuring band selection on devices, administrators can steer dual-band clients toward the 5-GHz band, improving overall network performance.

Off-channel scanning deferral

Off-channel scanning deferral is a wireless network feature that

  • temporarily postpones RRM off-channel scanning activities when important data transmission occurs

  • prevents performance impact on critical traffic by avoiding the normal 70-millisecond off-channel periods, and

  • can be configured on a per-WLAN basis with specific WMM UP class and time threshold parameters.

Off-channel scanning operations

A lightweight access point, in normal operational conditions, periodically goes off-channel and scans another channel. This is in order to perform RRM operations such as the following:

  • Transmitting and receiving Neighbor Discovery Protocol (NDP) packets with other APs.

  • Detecting rogue APs and clients.

  • Measuring noise and interference.

During the off-channel period, which normally is about 70 milliseconds, the AP is unable to transmit or receive data on its serving channel. Therefore, there is a slight impact on its performance and some client transmissions might be dropped.

While the AP is sending and receiving important data, you can configure off-channel scanning deferral so that the AP does not go off-channel and its normal operation is not impacted. You can configure off-channel scanning deferral on a per-WLAN basis and per WMM UP class basis, with a specified time threshold in milliseconds. If the AP sends or receives, on a particular WLAN, a data frame marked with the given UP class within the specified threshold, the AP defers its next RRM off-channel scan. For example, by default, off-channel scanning deferral is enabled for UP classes 4, 5, and 6, with a time threshold of 100 milliseconds. Therefore, when RRM is about to perform an off-channel scan and a data frame marked with UP 4, 5, or 6 has been received within the last 100 milliseconds, RRM defers going off-channel. During a voice call that sends and receives audio samples marked as UP class 6 every 20 milliseconds, the AP radio therefore never goes off-channel.

Off-channel scanning deferral does come with a tradeoff. Off-channel scanning can impact throughput by 2 percent or more, depending on the configuration, traffic patterns, and so on. Throughput can be slightly improved if you enable off-channel scanning deferral for all traffic classes and increase the time threshold. However, by not going off-channel, RRM can fail to identify AP neighbors and rogues, resulting in negative impact to security, DCA, TPC, and 802.11k messages.
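The deferral rule described above, modelled as an added example (not code from Cisco or the controller): a planned scan is deferred when a frame carrying a deferring UP class was sent or received within the threshold, and the second demo shows the tradeoff of deferring for all traffic classes. The ScanDeferPolicy and Frame types, the traffic samples and the scan instants are constructed for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanDeferPolicy:
    """Per-WLAN deferral settings: which WMM UP classes defer, and for how long."""
    defer_priorities: frozenset = frozenset({4, 5, 6})  # page default: UP 4, 5 and 6
    defer_time_ms: int = 100                             # page default: 100 ms


@dataclass(frozen=True)
class Frame:
    t_ms: int   # instant the AP sent or received the frame, in milliseconds
    up: int     # WMM user priority (UP) marking, 0..7


def should_defer(policy, frames, now_ms):
    """True if RRM must postpone the off-channel scan it wants to start at now_ms.

    Rule from the page: a frame marked with a deferring UP class was sent or
    received on this WLAN within the last defer_time_ms milliseconds.
    """
    window_start = now_ms - policy.defer_time_ms
    return any(window_start <= f.t_ms <= now_ms and f.up in policy.defer_priorities
               for f in frames)


def simulate(policy, frames, scan_attempts_ms):
    """Map each planned scan instant to 'deferred' or 'scanned'."""
    return {t: ("deferred" if should_defer(policy, frames, t) else "scanned")
            for t in scan_attempts_ms}


def voice_call_demo(policy=ScanDeferPolicy()):
    """Constructed traffic: a voice call marking an audio sample UP 6 every 20 ms
    from t=0 to t=400 ms, then silence. RRM tries to scan at 50, 450 and 600 ms."""
    voice = [Frame(t, 6) for t in range(0, 401, 20)]
    return simulate(policy, voice, [50, 450, 600])


def best_effort_demo():
    """Constructed traffic: only UP 0 (best-effort) frames for one second.
    Under the default policy they never defer a scan; under an 'all classes,
    maximum threshold' policy (6000 ms is the configurable maximum given on the
    page) every scan is deferred, which is the RRM-visibility cost described above."""
    bulk = [Frame(t, 0) for t in range(0, 1001, 10)]
    default = simulate(ScanDeferPolicy(), bulk, [500, 2000])
    greedy = simulate(ScanDeferPolicy(frozenset(range(8)), 6000), bulk, [500, 2000])
    return default, greedy


if __name__ == "__main__":
    print(voice_call_demo())   # {50: 'deferred', 450: 'deferred', 600: 'scanned'}
    print(best_effort_demo())
```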

DTIM period

A Delivery Traffic Indication Map (DTIM) period is an 802.11 network timing mechanism that

  • allows power-saving clients to wake up at the appropriate time if they are expecting broadcast or multicast data

  • determines when access points transmit buffered broadcast and multicast frames after beacon broadcasts, and

  • coincides with the DTIM broadcast interval.

DTIM period characteristics

In 802.11 networks, lightweight access points broadcast a beacon at regular intervals, which coincides with the Delivery Traffic Indication Map (DTIM). After the access point broadcasts the beacon, it transmits any buffered broadcast and multicast frames based on the value set for the DTIM period.

Typical DTIM values and their transmission patterns:

  • DTIM value 1: Transmits broadcast and multicast frames after every beacon

  • DTIM value 2: Transmits broadcast and multicast frames after every other beacon

For instance, if the beacon period of the 802.11 network is 100 ms and the DTIM value is set to 1, the access point transmits buffered broadcast and multicast frames 10 times every second. If the beacon period is 100 ms and the DTIM value is set to 2, the access point transmits buffered broadcast and multicast frames 5 times every second. Either of these settings is suitable for applications, including Voice over IP (VoIP), that expect frequent broadcast and multicast frames.

However, the DTIM value can be set as high as 255 (to transmit broadcast and multicast frames after every 255th beacon). The only recommended DTIM values are 1 and 2; higher DTIM values will likely cause communications problems.


Note


A beacon period, which is specified in milliseconds on the device, is converted internally by the software to 802.11 Time Units (TUs), where 1 TU = 1.024 milliseconds. Depending on the AP model, the actual beacon period may vary slightly; for example, a beacon period of 100 ms may in practice equate to 104.448 ms.


Prerequisites for configuring Cisco client extensions

The software supports CCX versions 1 through 5, which enables devices and their access points to communicate wirelessly with third-party client devices that support CCX. CCX support is enabled automatically for every WLAN on the device and cannot be disabled. However, you can configure Aironet information elements (IEs).

If Aironet IE support is enabled, the access point sends an Aironet IE 0x85 (which contains the access point name, load, number of associated clients, and so on) in the beacon and probe responses of this WLAN, and the device sends Aironet IEs 0x85 and 0x95 (which contain the management IP address of the device and the IP address of the access point) in the reassociation response if it receives Aironet IE 0x85 in the reassociation request.

Peer-to-peer blocking

Peer-to-peer blocking is a WLAN security feature that

  • is applied to individual WLANs, where each client inherits the peer-to-peer blocking setting of the WLAN to which it is associated

  • enables you to have more control over how traffic is directed by allowing you to choose to have traffic bridged locally within the device, dropped by the device, or forwarded to the upstream VLAN, and

  • is supported for clients that are associated with local and central switching WLANs.


Note


The peer-to-peer blocking feature is VLAN-based. If peer-to-peer blocking is enabled, it affects all WLANs that use the same VLAN.


Diagnostic channels

A diagnostic channel is a troubleshooting feature that

  • enables testing of client and AP communication to identify network difficulties

  • allows corrective measures to be taken to make the client operational on the network, and

  • provides GUI or CLI configuration options for enabling diagnostic tests.

Configuration options

You can use the device GUI or CLI to enable the diagnostic channel, and you can use the device diag-channel CLI to run the diagnostic tests.


Note


We recommend that you enable the diagnostic channel feature only for non-anchored SSIDs that use the management interface. The CCX diagnostic feature has been tested only with clients that have a Cisco ADU card.


Prerequisites for WLANs

You can associate up to 16 WLANs with each access point group and assign specific access points to each group. Each access point advertises only the enabled WLANs that belong to its access point group. The access point (AP) does not advertise disabled WLANs in its access point group or WLANs that belong to another group.

We recommend that you assign one set of VLANs for WLANs and a different set of VLANs for management interfaces to ensure that devices properly route VLAN traffic.

Restrictions for WLANs

This reference provides restrictions and limitations that apply when configuring and managing WLANs on wireless controllers.

  • Do not configure PSK and CCKM in a WLAN, as this configuration is not supported and impacts the client join flow.

  • Ensure that TKIP or AES ciphers are enabled with the WPA1 configuration; otherwise, ISSU may break during the upgrade process.

  • When you change the WLAN profile name, FlexConnect APs (using AP-specific VLAN mapping) will become WLAN-specific. If FlexConnect Groups are configured, the VLAN mapping will become Group-specific.

  • Do not enable IEEE 802.1X Fast Transition on Flex Local Authentication enabled WLAN, as client association is not supported with Fast Transition 802.1X key management.

  • Peer-to-peer blocking does not apply to multicast traffic.

  • In FlexConnect, peer-to-peer blocking configuration cannot be applied only to a particular FlexConnect AP or a subset of APs. It is applied to all the FlexConnect APs that broadcast the SSID.

  • The WLAN name and SSID can have up to 32 characters.

  • WLAN and SSID names support only the following ASCII characters:

    • Numerals: 48 through 57 hex (0 to 9)

    • Alphabets (uppercase): 65 through 90 hex (A to Z)

    • Alphabets (lowercase): 97 through 122 hex (a to z)

    • ASCII space: 20 hex

    • Printable special characters: 21 through 2F, 3A through 40, and 5B through 60 hex, that is: ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~

  • WLAN name cannot be a keyword; for example, if you try to create a WLAN with the name as 's' by entering the wlan s command, it results in shutting down all WLANs because 's' is used as a keyword for shutdown.

  • You cannot map a WLAN to VLAN 0. Similarly, you cannot map a WLAN to VLANs 1002 to 1006.

  • Dual-stack clients with a static IPv4 address are not supported.

  • In a dual-stack setup with IPv4 and IPv6 configured on the Cisco 9800 controller, if an AP tries to join the controller over an IPv6 tunnel before its IPv4 tunnel has been cleaned up, a traceback is displayed and the AP join fails.

  • When creating a WLAN with the same SSID, you must create a unique profile name for each WLAN.

  • When multiple WLANs with the same SSID get assigned to the same AP radio, you must have a unique Layer 2 security policy so that clients can safely select between them.

  • The SSID that is sent as part of the user profile will work only if the aaa override command is configured.

  • RADIUS server overwrite is not configured on a per WLAN basis, but rather on a per AAA server group basis.

  • Downloadable ACL (DACL) is supported only on the central switching mode. It is not supported for Flex Local switching or on the Cisco Embedded Wireless Controller.

  • You cannot mix open configuration models with CLI-based, GUI-based, or Catalyst Center-based configurations. However, if you decide to use multiple model types, they must remain independent of each other. For example, in open configuration models, you can only manage configurations that have been created using an open configuration model, not a CLI-based or GUI-based model. Configurations that are created using open configuration models cannot be modified using a GUI-based model, or CLI-based model, or any other model.


Caution


Some clients might not be able to connect to WLANs properly if they detect the same SSID with multiple security policies. Use this WLAN feature with care.
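An added example (not Cisco code) that audits a list of WLAN definitions against the restrictions above: name and SSID length and character set, leading or trailing spaces, the reserved VLANs, PSK combined with CCKM, and the same-SSID rules. The Wlan record, its field names, the security-policy labels and the sample WLANs are assumptions constructed for this example.

```python
from dataclasses import dataclass
from itertools import combinations

# Characters allowed in WLAN profile names and SSIDs, built from the ranges in
# the restriction list: digits, letters, space, and the printable specials.
_ALLOWED = set(range(0x30, 0x3A)) | set(range(0x41, 0x5B)) | set(range(0x61, 0x7B))
_ALLOWED |= {0x20} | set(range(0x21, 0x30)) | set(range(0x3A, 0x41)) | set(range(0x5B, 0x61))
_ALLOWED |= {ord(c) for c in "{|}~"}   # also listed among the printable specials


@dataclass(frozen=True)
class Wlan:
    """One WLAN definition. Field names and the security labels are assumptions
    made for this example, not controller data structures."""
    profile_name: str
    wlan_id: int
    ssid: str
    vlan: int
    l2_security: str                 # e.g. "wpa2-dot1x", "wpa2-psk", "open"
    akm: frozenset = frozenset()     # key-management methods, e.g. {"psk", "cckm"}
    radios: frozenset = frozenset({"2.4ghz", "5ghz"})   # radios advertising it


def check_name(label, value):
    """Length, character-set and whitespace rules shared by names and SSIDs."""
    issues = []
    if not 1 <= len(value) <= 32:
        issues.append(f"{label} {value!r}: must be 1 to 32 characters")
    bad = sorted({c for c in value if ord(c) not in _ALLOWED})
    if bad:
        issues.append(f"{label} {value!r}: characters not allowed: {bad}")
    if value != value.strip(" "):
        issues.append(f"{label} {value!r}: leading or trailing spaces not allowed")
    return issues


def audit_wlans(wlans):
    """Return a list of findings; an empty list means no restriction is violated."""
    findings = []
    for w in wlans:
        findings += check_name("profile name", w.profile_name)
        findings += check_name("SSID", w.ssid)
        if not 1 <= w.wlan_id <= 512:       # range given in the CLI create step
            findings.append(f"{w.profile_name}: WLAN ID {w.wlan_id} out of range 1-512")
        if w.vlan == 0 or 1002 <= w.vlan <= 1006:
            findings.append(f"{w.profile_name}: VLAN {w.vlan} cannot be mapped to a WLAN")
        if {"psk", "cckm"} <= w.akm:
            findings.append(f"{w.profile_name}: PSK together with CCKM is not supported")
    for a, b in combinations(wlans, 2):
        if a.profile_name == b.profile_name:
            findings.append(f"{a.profile_name}: profile name used twice")
        if a.wlan_id == b.wlan_id:
            findings.append(f"{a.profile_name}/{b.profile_name}: WLAN ID {a.wlan_id} used twice")
        # Same SSID on the same AP radio needs distinct Layer 2 security policies,
        # otherwise clients cannot safely tell the two WLANs apart.
        if a.ssid == b.ssid and a.radios & b.radios and a.l2_security == b.l2_security:
            findings.append(f"{a.profile_name}/{b.profile_name}: same SSID {a.ssid!r} "
                            f"on a shared radio with the same Layer 2 security")
    return findings


def demo():
    """Constructed WLAN set that trips each rule once."""
    wlans = [
        Wlan("corp", 1, "Corp-WiFi", 137, "wpa2-dot1x"),
        Wlan("corp-byod", 2, "Corp-WiFi", 136, "wpa2-dot1x"),   # same SSID, same L2 policy
        Wlan("iot", 3, "IoT Things", 1003, "wpa2-psk", frozenset({"psk", "cckm"})),
        Wlan("lab€", 4, " lab", 10, "open"),                    # bad character, leading space
    ]
    return audit_wlans(wlans)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```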


How to Configure WLANs

Create WLANs (GUI)

Create wireless local area networks (WLANs) to enable network connectivity and manage wireless access configurations through the GUI interface.

Use the GUI interface to create and configure WLANs when you need to establish wireless network connectivity. This method provides a visual interface for WLAN configuration and management.

Procedure


Step 1

In the Configuration > Tags & Profiles > WLANs page, click Add.

The Add WLAN window is displayed.

Step 2

Under the General tab and Profile Name field, enter the name of the WLAN. The name can be ASCII characters from 32 to 126, without leading and trailing spaces.

Step 3

Click Save & Apply to Device.


The WLAN is created and applied to the device. The new WLAN appears in the WLANs list and is ready for use.

Create WLANs (CLI)

Create wireless local area networks (WLANs) to provide wireless network access for clients.

You can create SSID using GUI or CLI. However, we recommend that you use CLI to create SSID. By default, the WLAN is disabled after creation.

Follow these steps to create WLANs using CLI commands:

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Specify the WLAN name and ID.

Example:

Device(config)# wlan profile-name wlan-id [ssid]

Example:

Device(config)# wlan mywlan 34 mywlan-SSID
  • For the profile-name, enter the profile name. The range is from 1 to 32 alphanumeric characters.

  • For the wlan-id, enter the WLAN ID. The range is from 1 to 512.

  • For the ssid, enter the Service Set Identifier (SSID) for this WLAN. If the SSID is not specified, the WLAN profile name is set as the SSID.

Note

 
  • You can create SSID using GUI or CLI. However, we recommend that you use CLI to create SSID.

  • By default, the WLAN is disabled.

Step 3

Return to privileged EXEC mode.

Example:

Device(config)# end

Alternatively, you can also press Ctrl-Z to exit global configuration mode.


The WLAN is created with the specified profile name, WLAN ID, and SSID. The WLAN is disabled by default and must be enabled separately for use.

Delete WLANs (GUI)

Remove unwanted or obsolete WLANs from your network configuration to maintain optimal performance and security.

Use this procedure when you need to remove WLANs that are no longer required or need to be replaced with new configurations. This task can be performed on single or multiple WLANs simultaneously.

Procedure


Step 1

In the Configuration > Tags & Profiles > WLANs page, check the check box adjacent to the WLAN you want to delete.

To delete multiple WLANs, check the check boxes of all the WLANs you want to delete.

Step 2

Click Delete.

Step 3

Click Yes on the confirmation window to delete the WLAN.


The selected WLAN(s) are permanently removed from the system and will no longer appear in the WLANs list.

Delete WLANs (CLI)

Delete WLAN profiles that are no longer needed or require reconfiguration in the wireless network environment.

Use this procedure when you need to remove WLAN profiles from the wireless controller configuration. Deleting a WLAN removes the profile and associated settings from the system.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Delete the WLAN.

Example:

Device(config)# no wlan wlan-profile-name wlan-id [ssid]
Device(config)# no wlan test2

The arguments are:

  • The wlan-profile-name is the WLAN profile name.

  • The wlan-id is the WLAN ID.

  • The ssid is the WLAN SSID name configured for the WLAN.

Note

 

If you delete a WLAN that is part of an AP group, the WLAN is removed from the AP group and from the AP's radio.

Step 3

Return to privileged EXEC mode.

Example:

Device(config)# end

The WLAN profile is deleted from the wireless controller configuration. If the WLAN was associated with an AP group, it is automatically removed from the group and the AP's radio interface.

WLAN search methods (CLI)

To verify the list of all WLANs configured on the controller, use this command:

Device# show wlan summary
Number of WLANs: 4

WLAN Profile Name                      SSID                           VLAN Status
--------------------------------------------------------------------------------
1    test1                             test1-SSID                     137  UP
3    test2                             test2-SSID                     136  UP
2    test3                             test3-SSID                     1    UP
45   test4                             test4-SSID                     1    DOWN

To use wild cards and search for WLANs, use this show command:

Device# show wlan summary | include test-wlan-ssid
1    test-wlan                       test-wlan-ssid                     137   UP
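An added example (not Cisco code) that parses show wlan summary output in the layout shown above and answers two questions an operator checks after the procedures in this chapter: which WLANs are still down, and which are mapped to a VLAN reserved for management (see Prerequisites for WLANs). The sample output is constructed, and the set of management VLANs is an assumption supplied by the caller.

```python
import re

# Constructed sample in the layout of the show wlan summary output above.
SAMPLE = """\
Number of WLANs: 4

WLAN Profile Name                      SSID                           VLAN Status
--------------------------------------------------------------------------------
1    test1                             test1-SSID                     137  UP
3    test2                             test2-SSID                     136  UP
2    Lab Guest                         lab-SSID                       1    UP
45   test4                             test4-SSID                     1    DOWN
"""

# id, then profile name and SSID, then VLAN and status at the end of the row.
_ROW = re.compile(r"^(\d+)\s+(.*?)\s+(\d+)\s+(UP|DOWN)\s*$")
_COUNT = re.compile(r"^Number of WLANs:\s*(\d+)")


def declared_count(text):
    """The WLAN count the controller prints in the banner line, or None."""
    for line in text.splitlines():
        m = _COUNT.match(line)
        if m:
            return int(m.group(1))
    return None


def parse_wlan_summary(text):
    """Return one dict per WLAN row. Profile names and SSIDs may contain single
    spaces, so the middle of the row is split on runs of two or more spaces
    rather than on every space."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue          # banner, header and separator lines
        wlan_id, middle, vlan, status = m.groups()
        parts = re.split(r"\s{2,}", middle.strip())
        if len(parts) != 2:
            raise ValueError(f"cannot split profile name and SSID in: {line!r}")
        rows.append({"id": int(wlan_id), "profile": parts[0], "ssid": parts[1],
                     "vlan": int(vlan), "status": status})
    declared = declared_count(text)
    if declared is not None and declared != len(rows):
        raise ValueError(f"banner says {declared} WLANs, parsed {len(rows)} rows")
    return rows


def down_wlans(rows):
    """Profile names of WLANs that are administratively DOWN."""
    return [r["profile"] for r in rows if r["status"] == "DOWN"]


def wlans_on_management_vlans(rows, management_vlans):
    """WLANs whose VLAN is in the management set; the prerequisites above ask
    for WLAN VLANs and management VLANs to be separate sets."""
    return [r["profile"] for r in rows if r["vlan"] in management_vlans]


if __name__ == "__main__":
    parsed = parse_wlan_summary(SAMPLE)
    print("down:", down_wlans(parsed))                           # ['test4']
    print("on mgmt VLAN:", wlans_on_management_vlans(parsed, {1}))  # ['Lab Guest', 'test4']
```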

Enable WLANs (GUI)

Enable wireless local area networks (WLANs) to allow wireless client connections and network access through the graphical user interface.

Use this task when you need to activate WLANs that have been configured but are currently disabled, allowing wireless devices to connect to your network.

Procedure


Step 1

Choose Configuration > Tags & Profiles > WLANs.

Step 2

On the WLANs page, click the WLAN name.

Step 3

In the Edit WLAN window, toggle the Status button to ENABLED.

Step 4

Click Update & Apply to Device.


The WLAN is ENABLED and wireless clients can now connect to the network through this WLAN.

Enable WLANs (CLI)

Enable previously configured WLANs to make them operational and available for client connections.
WLANs must be explicitly enabled after configuration to allow wireless clients to connect. This procedure activates a specific WLAN profile.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Enter WLAN configuration submode.

Example:

Device(config)# wlan profile-name

Example:

Device(config)# wlan test4

The profile-name is the profile name of the configured WLAN.

Step 3

Enable the WLAN.

Example:

Device(config-wlan)# no shutdown

Step 4

Return to privileged EXEC mode.

Example:

Device(config-wlan)# end

The WLAN is now enabled and operational, allowing wireless clients to connect to the network.

Disable WLANs (GUI)

Disable WLANs to prevent wireless network access when maintenance is required or to temporarily suspend wireless services.

Use this procedure when you need to temporarily disable wireless networks without deleting the WLAN configuration. The WLAN settings remain intact and can be re-enabled later.

Procedure


Step 1

Choose Configuration > Tags & Profiles > WLANs.

Step 2

In the WLANs window, click the WLAN name.

Step 3

In the Edit WLAN window, set the Status toggle button as DISABLED.

Step 4

Click Update & Apply to Device.


The WLAN is DISABLED and wireless clients can no longer connect to this network. The WLAN configuration is preserved and can be re-enabled when needed.

Disable WLANs (CLI)

Disable specific WLANs to prevent wireless client access when needed for maintenance or security purposes.
You may need to disable WLANs temporarily for maintenance, troubleshooting, or security reasons. This procedure shows how to disable a WLAN using the CLI and verify the change.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Enter WLAN configuration submode.

Example:

Device(config)# wlan profile-name

Example:

Device(config)# wlan test4

The profile-name is the profile name of the configured WLAN.

Step 3

Disable the WLAN.

Example:

Device(config-wlan)# shutdown

Step 4

Return to privileged EXEC mode.

Example:

Device(config-wlan)# end

Step 5

Display the list of all WLANs configured on the device.

Example:

Device# show wlan summary

You can search for the WLAN in the output to verify it has been disabled.


The specified WLAN is now disabled and will not accept wireless client connections until re-enabled.

Configure general WLAN properties (CLI)

Configure media stream, broadcast SSID, and radio properties for a WLAN.
You can configure these properties: Media stream, Broadcast SSID, and Radio settings for optimal WLAN performance and visibility.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Enter WLAN configuration submode.

Example:

Device(config)# wlan profile-name

Example:

Device(config)# wlan test4

The profile-name is the profile name of the configured WLAN.

Step 3

Disable the WLAN.

Example:

Device(config-wlan)# shutdown

Step 4

Broadcast the SSID for this WLAN.

Example:

Device(config-wlan)# broadcast-ssid

Step 5

Configure the WLAN radio policy for dot11 radios.

Example:

Device(config-wlan)# dot11bg 11g

Step 6

Enable multicast VLANs on this WLAN.

Example:

Device(config-wlan)# media-stream multicast-direct

Step 7

Enable the WLAN.

Example:

Device(config-wlan)# no shutdown

Step 8

Return to privileged EXEC mode.

Example:

Device(config-wlan)# end

The WLAN is now configured with the specified general properties including media stream, broadcast SSID, and radio settings.

Configure advanced WLAN properties (CLI)

Configure advanced WLAN properties to customize wireless network behavior and security settings.
Advanced WLAN properties provide additional configuration options for wireless networks, including coverage hole detection, client association limits, access control, and peer-to-peer blocking settings. These configurations help optimize wireless performance and security based on specific network requirements.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Enter WLAN configuration submode.

Example:

Device(config)# wlan profile-name

Example:

Device(config)# wlan test4

The profile-name is the profile name of the configured WLAN.

Step 3

Enable coverage hole detection for this WLAN.

Example:

Device(config-wlan)# chd

Step 4

Enable support for Aironet IEs for this WLAN.

Example:

Device(config-wlan)# ccx aironet-iesupport

Step 5

Set the maximum number of clients that can be configured on a WLAN. Configure limits for clients per WLAN, clients per AP, or clients per AP radio.

Example:

Device(config-wlan)# client association limit {clients-per-WLAN | ap clients-per-AP-per-WLAN | radio clients-per-AP-radio-per-WLAN}

Example:

Device(config-wlan)# client association limit ap 400

Step 6

Configure the IPv4 WLAN web ACL.

Example:

Device(config-wlan)# ip access-group web ACL-name

Example:

Device(config-wlan)# ip access-group web test-ACL-name

The ACL-name specifies the user-defined IPv4 ACL name.

Step 7

Configure peer-to-peer blocking parameters.

Example:

Device(config-wlan)# peer-blocking [allow-private-group | drop | forward-upstream]

Example:

Device(config-wlan)# peer-blocking drop

The keywords are:

  • allow-private-group: Enables peer-to-peer blocking on the Allow Private Group action.

  • drop: Enables peer-to-peer blocking on the drop action.

  • forward-upstream: No action is taken and forwards packets to the upstream.

    Note

     

    The forward-upstream option is not supported for Flex local switching. Traffic is dropped even if this option is configured. Also, peer-to-peer blocking for local switching SSIDs is available only for clients on the same AP.

Step 8

Set the channel scan defer priority and defer time.

Example:

Device(config-wlan)# channel-scan {defer-priority {0-7} | defer-time {0-6000}}

Example:

Device(config-wlan)# channel-scan defer-priority 6

The arguments are:

  • defer-priority: Specifies the priority markings for packets that can defer off-channel scanning. The range is from 0 to 7. The default is 3.

  • defer-time: Deferral time in milliseconds. The range is from 0 to 6000. The default is 100.

Step 9

Return to privileged EXEC mode.

Example:

Device(config-wlan)# end

The advanced WLAN properties are now configured with the specified settings for coverage hole detection, Aironet IE support, client association limits, the IPv4 web ACL, peer-to-peer blocking, and off-channel scan deferral.

Configure advanced WLAN properties (GUI)

Configure advanced WLAN properties to enable enhanced wireless network features including coverage optimization, client connection limits, BSS transition support, and 802.11ax capabilities.

Advanced WLAN properties provide additional configuration options to optimize wireless network performance and enable specific features for client management and network diagnostics.

Procedure


Step 1

Choose Configuration > Tags & Profiles > WLANs.

Step 2

Click Add.

Step 3

Under the Advanced tab, check the Coverage Hole Detection check box.

Step 4

Check the Aironet IE check box to enable Aironet IE on the WLAN.

Step 5

Check the Diagnostic Channel check box to enable diagnostic channel on the WLAN.

Step 6

From the P2P Blocking Action drop-down list, choose the required value.

Step 7

Set the Multicast Buffer toggle button to enabled or disabled.

Step 8

Check the Media Stream Multicast-Direct check box to enable the feature.

Step 9

In the Max Client Connections section, specify the maximum number of client connections for the following:

  • In the Per WLAN field, enter a value. The valid range is between 0 and 10000.

  • In the Per AP Per WLAN field, enter a value. The valid range is between 0 and 400.

  • In the Per AP Radio Per WLAN field, enter a value. The valid range is between 0 and 200.

Step 10

In the 11v BSS Transition Support section, perform the following configuration tasks:

  1. Check the BSS Transition check box to enable 802.11v BSS Transition support.

  2. In the Disassociation Imminent field, enter a value. The valid range is between 0 and 3000.

  3. In the Optimized Roaming Disassociation Timer field, enter a value. The valid range is between 0 and 40.

  4. Select the check box to enable:

    • BSS Max Idle Service

    • BSS Max Idle Protected

    • Disassociation Imminent Service

    • Directed Multicast Service

    • Universal Admin

    • Load Balance

    • Band Select

    • IP Source Guard

Step 11

From the WMM Policy drop-down list, choose the policy as Allowed, Disabled, or Required. By default, the WMM policy is Allowed.

Step 12

In the Off Channel Scanning Defer section, choose the appropriate Defer Priority values and then specify the required Scan Defer Time value in milliseconds.

Step 13

In the Assisted Roaming (11k) section, choose the appropriate status for:

  • Prediction Optimization

  • Neighbor List

  • Dual-Band Neighbor List

Step 14

In the DTIM Period (in beacon intervals) section, specify a value for 802.11a/n and 802.11b/g/n radios. The valid range is from 1 to 255.

Step 15

Click Apply to Device.


The WLAN profile is updated with advanced properties, and features such as coverage optimization, client connection limits, enhanced roaming, and diagnostics are enabled for improved network performance.

WLAN properties verification (CLI)

To verify the WLAN properties based on the WLAN ID, use this command:

Device# show wlan ID wlan-id

To verify the WLAN properties based on the WLAN name, use this command:

Device# show wlan name wlan-name

To verify the WLAN properties of all the configured WLANs, use this command:

Device# show wlan all

To verify the summary of all WLANs, use this command:

Device# show wlan summary

To verify the running configuration of a WLAN based on the WLAN name, use this command:

Device# show running-config wlan wlan-name

To verify the running configuration of all WLANs, use this command:

Device# show running-config wlan