Passive Client

Passive clients

A passive client is a wireless device that

  • connects to the wireless network using a static IP address

  • does not transmit IP information after associating with an AP, and

  • requires additional mechanisms for controllers to learn its IP address (such as ARP requests or DHCP).

Feature history

Table 1. Feature history table for passive clients

| Feature name | Release information | Feature description |
|---|---|---|
| Support for FlexConnect local switching | Cisco IOS XE 17.12.x | Passive client feature is now supported on FlexConnect local switching mode. |
| Passive clients | Cisco IOS XE 16.11.1 | This feature enables special handling for wireless clients (such as printers and devices with static IPs) that do not transmit IP information after associating with an AP. |

Passive clients are wireless devices, such as printers and devices configured using a static IP address. Such clients do not transmit any IP information after associating to an AP. As a result, the controller does not learn their IP address unless they perform the DHCP process.

In the controller, the clients just show up in the Learn IP state and get timed out because of the DHCP policy-timeout.

Changes in default behaviour

The Passive Client feature can be enabled on a per-WLAN basis. Enabling this feature changes a few default behaviors to better accommodate passive clients. These changes include:

  • No client will ever time out in the IP_LEARN phase. The controller keeps waiting to learn the client's IP address. Note that the idle timeout remains active and deletes the client entry when the timeout period expires, if the client remains silent throughout.

  • If the controller does not know the client IP address, ARP coming from the wired side is broadcast to all the APs to ensure that it reaches the passive client. After this, the controller learns the client IP from the ARP response.

  • In order to save air time, the controller transforms the ARP broadcasts coming from the wired side or from other wireless clients and unicasts them to the wireless client it owns. This is only possible after the controller has learned the MAC-IP binding of its wireless client.

  • When the controller enables ARP broadcast, the controller does not transform the ARP broadcasts into unicasts but only forwards the broadcast, thereby wasting air time for other clients (with a frame that is not acknowledgeable and therefore less reliable). This pushes the passive client to respond to the ARP request and therefore every other client benefits from learning the MAC-IP binding of the wireless client.

  • When you enable IP MAC binding for clients with static IP address, the controller consumes the first ARP packet to perform IP MAC binding. This packet is not forwarded upstream.

Enable passive client for FlexConnect mode (CLI)

Enable the passive client feature when the device is operating in FlexConnect mode to support client devices that do not initiate traffic themselves (passive clients).

Procedure


Step 1

Enter the global configuration mode.

Example:

Device# configure terminal

Step 2

Configure WLAN policy profile and enter the wireless policy configuration mode.

Example:

Device(config)# wireless profile policy policy-profile

Step 3

Enable passive client.

Example:

Device(config-wireless-policy)# passive-client

You can use the no form of the command to disable passive client.

Step 4

Disable IP theft detection for static IP passive clients (local and FlexConnect configuration)

Example:

Device(config-wireless-policy)# no ip mac-binding

This applies only to IPv4 and is designed for overlapping IP addresses.

Step 5

Configure a VLAN and enter VLAN configuration mode.

Example:

Device(config)# vlan configuration vlan-id

Step 6

Broadcast ARP on VLAN, to move passive client to run state (local mode only).

Example:

Device(config-vlan-config)# arp broadcast

Step 7

Configure a FlexConnect profile and enter the FlexConnect profile configuration mode.

Example:

Device(config)# wireless profile flex flex-profile

Step 8

Disable ARP proxy for FlexConnect (FlexConnect mode only).

Example:

Device(config-wireless-flex-profile)# no arp-caching

Passive client for FlexConnect mode is enabled.

Device# configure terminal
Device(config)# wireless profile policy policy-profile1
Device(config-wireless-policy)# passive-client
Device(config-wireless-policy)# no ip mac-binding
Device(config)# vlan configuration vlan-id
Device(config-vlan-config)# arp broadcast
Device(config)# wireless profile flex flex-profile1
Device(config-wireless-flex-profile)# no arp-caching

DHCP broadcast support for workgroup bridges

Devices placed behind a third-party WGB may fail to obtain an IP address if the WGB does not handle DHCP requests with the broadcast flag set.

  • The dhcp broadcast command under the FlexConnect profile ensures that DHCP replies are sent as broadcasts instead of being converted to unicasts. This setting helps resolve compatibility issues, especially for some device types.

  • In this scenario, you can enable this command to allow devices behind the WGB to receive IP addresses.

Enable passive client on WLAN policy profile (GUI)

Enable passive clients on a specific WLAN policy profile so devices that do not actively transmit packets can stay connected.

Use this task to enable support for passive clients on specific WLAN policy profiles.

Procedure


Step 1

Choose Configuration > Tags & Profiles > Policy page, click Add to open the Add Policy Profile page.

Step 2

In the General tab, use the slider to enable Passive Client.

Step 3

Click Save & Apply to Device.


The policy profile is updated to support passive clients on the WLAN.

Enable passive client on WLAN policy profile (CLI)

Enable passive client support for devices on a WLAN policy profile using commands.

Use the passive client feature to allow devices that do not actively communicate with the controller to be recognized and managed on the WLAN.

Procedure


Step 1

Enter the global configuration mode.

Example:

Device# configure terminal

Step 2

Configure WLAN policy profile and enter the wireless policy configuration mode.

Example:

Device(config)# wireless profile policy policy-profile

Step 3

Enable passive client.

Example:

Device(config-wireless-policy)# [no] passive-client

Step 4

Return to the privileged EXEC mode.

Example:

Device(config-wireless-policy)# end

The passive client feature is now enabled for the specified WLAN policy profile.

Device# configure terminal
Device(config)# wireless profile policy rr-xyz-policy-1
Device(config-wireless-policy)# [no] passive-client
Device(config-wireless-policy)# end

Enable ARP broadcast on VLAN (GUI)

Enable ARP broadcast capability on a VLAN so ARP requests are properly propagated within the network using the GUI.

Procedure


Step 1

Choose Configuration > Layer2 > VLAN page, click VLAN tab.

Step 2

Click Add to view the Create VLAN window.

Step 3

Use the slider to enable ARP Broadcast.

Step 4

Click Save & Apply to Device.


The selected VLAN now supports ARP broadcasts and propagates ARP requests.

Enable ARP broadcast on VLAN (CLI)

Enable ARP broadcast on a VLAN from the CLI so devices within that VLAN can communicate efficiently using ARP.

Procedure


Step 1

Enter the global configuration mode.

Example:

Device# configure terminal

Step 2

Configure a VLAN or multiple VLANs to enter the VLAN configuration mode.

Example:

Device(config)# vlan configuration vlan-id

Step 3

Enable ARP broadcast on VLAN.

Example:

Device(config-vlan)# [no] arp broadcast

Step 4

Return to the privileged EXEC mode.

Example:

Device(config-vlan)# end

You can also press Ctrl-Z to exit global configuration mode.


ARP broadcast is successfully enabled for the specified VLAN.

Device# configure terminal
Device(config)# vlan configuration 1
Device(config-vlan)# [no] arp broadcast
Device(config-vlan)# end

Passive client in fabric deployment

A passive client is a client device that

  • does not send its own IP address information in packets (such as ARP requests)

  • relies on the network infrastructure to discover and maintain its presence, and

  • is supported in fabric deployments where special handling is required to ensure connectivity.

You need to enable these features:

  • Broadcast underlay on VLAN

  • ARP flooding

For information on LISP (Locator ID Separation Protocol), see https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_lisp/configuration/xe-3s/irl-xe-3s-book/irl-cfg-lisp.html.

Enable broadcast underlay on VLAN

Configure LISP instance and IPv4 service (CLI)

Set up the LISP instance and enable IPv4 services to support mappings from endpoint identifier (EID) to routing locator (RLOC) in your network fabric using commands.

Perform these configuration tasks only on the Fabric Edge Node. Do not perform them from the controller.

Procedure


Step 1

Enter the global configuration mode.

Example:

FabricEdge# configure terminal

Step 2

Enter the LISP configuration mode.

Example:

FabricEdge(config)# router lisp

Step 3

Create a LISP EID instance to group multiple services. The configuration applied under this instance ID applies to all services in the group.

Example:

FabricEdge(config-router-lisp)# instance-id instance

Step 4

Enable Layer 3 network services for the IPv4 address family. Enter the service submode.

Example:

FabricEdge(config-router-lisp-instance)# service ipv4

Step 5

Configure EID to RLOC mapping relationship.

Example:

FabricEdge(config-router-lisp-instance-dynamic-eid)# database-mapping eid locator-set rloc-name

Step 6

Generate a static map request for the destination EID.

Example:

FabricEdge(config-router-lisp-instance-service)# map-cache destination-eid map-request

Step 7

Exit the service submode.

Example:

FabricEdge(config-router-lisp-instance-service)# exit-service-ipv4

Step 8

Exit the instance submode.

Example:

FabricEdge(config-router-lisp-instance)# exit-instance-id

A system with a LISP instance and IPv4 service is now configured.

FabricEdge# configure terminal
FabricEdge(config)# router lisp
FabricEdge(config-router-lisp)# instance-id 3
FabricEdge(config-router-lisp-instance)# service ipv4
FabricEdge(config-router-lisp-instance-dynamic-eid)# database-mapping 66.66.66.64/32 locator-set rloc1
FabricEdge(config-router-lisp-instance-service)# map-cache 0.0.0.0/0 map-request
FabricEdge(config-router-lisp-instance-service)# exit-service-ipv4
FabricEdge(config-router-lisp-instance)# exit-instance-id

Configure Ethernet service and enable broadcast underlay (CLI)

Set up the LISP instance and enable IPv4 services to support endpoint identifier (EID) to routing locator (RLOC) mappings in the fabric.

Procedure

Step 1

Create a LISP EID instance to group multiple services.

Example:
FabricEdge(config-router-lisp)# instance-id instance

Step 2

Enable Layer 2 network services and enter service submode.

Example:
FabricEdge(config-router-lisp-instance)# service ethernet

Step 3

Associate the LISP instance ID with a VLAN. This VLAN provides reachability to the endpoint identifier address space.

Example:
FabricEdge(config-router-lisp-instance-service)# eid-table vlan vlan-number

Step 4

Specify the multicast group that the underlay uses to carry broadcast traffic for the overlay Layer 2 network.

Example:
FabricEdge(config-router-lisp-instance-service)# broadcast-underlay multicast-group

Step 5

Exit the service submode.

Example:
FabricEdge(config-router-lisp-instance-service)# exit-service-ethernet

Step 6

Exit the instance submode.

Example:
FabricEdge(config-router-lisp-instance)# exit-instance-id

The Ethernet service is enabled and the broadcast underlay support is configured for the specified VLAN and multicast group.

FabricEdge(config-router-lisp)# instance-id 101
FabricEdge(config-router-lisp-instance)# service ethernet
FabricEdge(config-router-lisp-instance-service)# eid-table vlan 101
FabricEdge(config-router-lisp-instance-service)# broadcast-underlay 239.0.0.1
FabricEdge(config-router-lisp-instance-service)# exit-service-ethernet
FabricEdge(config-router-lisp-instance)# exit-instance-id

Enable ARP flooding

Enable ARP flooding for IPv4 service (CLI)

Enable ARP flooding on the Fabric Edge Node for IPv4.

Perform these configuration tasks from Fabric Edge Node. You cannot perform them from your controller.

Procedure


Step 1

Enter the global configuration mode.

Example:

FabricEdge# configure terminal

Step 2

Enter the LISP configuration mode.

Example:

FabricEdge(config)# router lisp

Step 3

Create a LISP EID instance to group multiple services. This configuration applies to all services grouped under the instance-id.

Example:

FabricEdge(config-router-lisp)# instance-id instance

Step 4

Enable Layer 3 network services for the IPv4 address family and enter service submode.

Example:

FabricEdge(config-router-lisp-instance)# service ipv4

Step 5

Configure EID to RLOC mapping relationship.

Example:

FabricEdge(config-router-lisp-instance-dynamic-eid)# database-mapping eid locator-set rloc1

Step 6

Generate a static map request for the destination EID.

Example:

FabricEdge(config-router-lisp-instance-service)# map-cache destination-eid map-request

Step 7

Exit the service submode.

Example:

FabricEdge(config-router-lisp-instance-service)# exit-service-ipv4

Step 8

Exit the instance submode.

Example:

FabricEdge(config-router-lisp-instance)# exit-instance-id

You have enabled ARP flooding on the Fabric Edge Node for IPv4.

FabricEdge# configure terminal
FabricEdge(config)# router lisp
FabricEdge(config-router-lisp)# instance-id instance
FabricEdge(config-router-lisp-instance)# service ipv4
FabricEdge(config-router-lisp-instance-dynamic-eid)# database-mapping 66.66.66.64/32 locator-set rloc1
FabricEdge(config-router-lisp-instance-service)# map-cache 0.0.0.0/0 map-request
FabricEdge(config-router-lisp-instance-service)# exit-service-ipv4
FabricEdge(config-router-lisp-instance)# exit-instance-id

What to do next

Enable ARP flooding for Ethernet service.

Enable ARP flooding for Ethernet service (CLI)

Enable ARP flooding for the Ethernet service on the Fabric Edge Node.

Procedure

Step 1

Create a LISP EID instance, which groups multiple services.

Example:
FabricEdge(config-router-lisp)# instance-id instance

Step 2

Enable Layer 2 network services and enter service submode.

Example:
FabricEdge(config-router-lisp-instance)# service ethernet

Step 3

Associate the LISP instance ID you configured earlier with a VLAN. The VLAN provides access to the endpoint identifier address space.

Example:
FabricEdge(config-router-lisp-instance-service)# eid-table vlan vlan-number

Step 4

Enable ARP flooding.

Example:
FabricEdge(config-router-lisp-instance-service)# flood arp-nd

Step 5

Configure EID to RLOC mapping relationship.

Example:
FabricEdge(config-router-lisp-instance-service)# database-mapping mac locator-set rloc1

Step 6

Exit the service submode.

Example:
FabricEdge(config-router-lisp-instance-service)# exit-service-ethernet

Step 7

Exit the instance submode.

Example:
FabricEdge(config-router-lisp-instance)# exit-instance-id

You have enabled ARP flooding on the Fabric Edge Node for Ethernet service.

FabricEdge(config-router-lisp)# instance-id 101
FabricEdge(config-router-lisp-instance)# service ethernet
FabricEdge(config-router-lisp-instance-service)# eid-table vlan 101
FabricEdge(config-router-lisp-instance-service)# flood arp-nd
FabricEdge(config-router-lisp-instance-service)# database-mapping mac locator-set rloc1
FabricEdge(config-router-lisp-instance-service)# exit-service-ethernet
FabricEdge(config-router-lisp-instance)# exit-instance-id

Verify passive client configuration

To verify the status of the passive client, use this command:

Device# show wireless profile policy detailed sample-profile-policy
Policy Profile Name           : sample-profile-policy
Description                   : sample-policy
Status                        : ENABLED
VLAN                          : 20
Client count                  : 0
Passive Client                : ENABLED    <--------------------
WLAN Switching Policy
Central Switching           : ENABLED
Central Authentication      : ENABLED
Central DHCP                : DISABLED
Override DNS                : DISABLED
Override NAT PAT            : DISABLED
Central Assoc               : DISABLED
.
.
.

To verify VLANs that have ARP broadcast enabled, use this command:

Device# show platform software arp broadcast
                
Arp broadcast is enabled on vlans:
20
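
An added example (not Cisco's code): a Python check over saved output of the two show commands above. It lists every policy profile with Passive Client enabled, which is where IP_LEARN no longer times out, and reports whether that profile's VLAN appears in the ARP broadcast list. The sample text is constructed; concatenating the output for several profiles and a VLAN list with more than one entry are assumptions.

```python
import re

# Constructed sample text modelled on the two show commands above.
# Assumption: output for several profiles has been saved back to back.
POLICY_OUTPUT = """\
Policy Profile Name           : sample-profile-policy
VLAN                          : 20
Passive Client                : ENABLED    <--------------------
Policy Profile Name           : guest-policy
VLAN                          : 30
Passive Client                : ENABLED
Policy Profile Name           : staff-policy
VLAN                          : 40
Passive Client                : DISABLED
"""
ARP_OUTPUT = """\
Arp broadcast is enabled on vlans:
20
"""

def parse_policy_profiles(text):
    """Split 'Key : Value' lines into one dict per policy profile."""
    profiles = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # section headers and prompts carry no key/value pair
        key, value = key.strip(), value.split("<")[0].strip()  # drop doc arrows
        if key == "Policy Profile Name":
            profiles.append({})
        if profiles:
            profiles[-1][key] = value
    return profiles

def parse_arp_broadcast_vlans(text):
    """Collect the VLAN IDs listed after the 'enabled on vlans:' header."""
    _, _, tail = text.partition("enabled on vlans:")
    return {int(v) for v in re.findall(r"\d+", tail)}

def audit(policy_text, arp_text):
    """Return (profile, vlan, arp_broadcast_on) for passive-client profiles."""
    arp_vlans = parse_arp_broadcast_vlans(arp_text)
    findings = []
    for p in parse_policy_profiles(policy_text):
        if p.get("Passive Client") == "ENABLED" and p.get("VLAN", "").isdigit():
            vlan = int(p["VLAN"])
            findings.append((p["Policy Profile Name"], vlan, vlan in arp_vlans))
    return findings
```

Calling `audit(POLICY_OUTPUT, ARP_OUTPUT)` on the sample flags guest-policy as a passive-client profile whose VLAN 30 has no ARP broadcast.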