Mesh Access Points

Introduction to Mesh

In Cisco IOS XE 17.6.1 Release, the Cisco Embedded Wireless Controller (EWC) runs on the Cisco Catalyst 9124AX Series outdoor access points, acting as a Root Access Point (RAP) in a mesh deployment. Mesh networking employs Cisco Aironet outdoor mesh access points along with Cisco Embedded Wireless Controller (EWC) to provide scalability, central management, and mobility between deployments. Control and Provisioning of Wireless Access Points (CAPWAP) protocol manages the connection of mesh access points to the network.

Access points within a mesh network operate in one of the following ways:

  • Root access point (RAP)

  • Mesh access point (MAP)

EWC works on RAPs. RAPs have wired connections, whereas MAPs have wireless connections to the controller. Mesh APs communicate with their parent and child mesh APs using wireless connections over the 802.11a/n radio backhaul. MAPs use the Cisco Adaptive Wireless Path Protocol (AWPP) to determine the best path through the other mesh access points to the controller. Before starting CAPWAP discovery, a mesh access point establishes an AWPP link with a parent mesh AP that is already connected to the controller.

The wireless mesh terminates on two points on the wired network. The first location is where the root access point (RAP) is attached to the wired network, and where all bridged traffic connects to the wired network. The second location is where the CAPWAP controller connects to the wired network; this location is where the WLAN client traffic from the mesh network is connected to the wired network. The WLAN client traffic from CAPWAP is tunneled to Layer 2. Matching WLANs should terminate on the same switch VLAN on which the wireless controllers are co-located. The security and network configuration for each of the WLANs on the mesh depend on the security capabilities of the network to which the wireless controller is connected.

End-to-end security within the mesh network is supported by employing Advanced Encryption Standard (AES) encryption between wireless mesh access points and Wi-Fi Protected Access 2 (WPA2) clients. For connections to a mesh access point (MAP) wireless client, such as MAP-to-MAP and MAP-to-root access point, WPA2 is applicable.

In the new configuration model, the controller has a default mesh profile. This profile is mapped to the default AP-join profile, which is in turn mapped to the default site tag. If you are creating a named mesh profile, ensure that these mappings are put in place, and the corresponding AP is added to the corresponding site tag.


Note


If you change the Security Mode, BGN, Client-Access, or Range configuration in the mesh profile, the mesh APs reload. In EWC, you cannot automatically reload the internal AP of an active EWC. You must reload the internal AP manually, after the standby EWC node begins to work after the reload.


From this release, mesh support is included in the Cisco Catalyst 9130AX Series Access Points. All traditional capabilities of mesh are included in the Cisco Catalyst 9130AX Series APs operating in Cisco IOS XE Dublin 17.12.1.

Scale Numbers

Cisco Catalyst 9124 Series Outdoor Access Points support a scale of 100 APs and 2000 clients.

Restrictions and Limitations

  • The mesh feature is supported only in Cisco Catalyst 9124 series Access Points, for Cisco Embedded Wireless Controllers.

  • EWC supports AP roaming between parent mesh APs within the same controller, only.

  • In an EWC mesh topology, any FlexConnect EWC capable AP should be in the CAPWAP mode, when deployed as a child to a MAP, for extending wireless network. The controller will be spawned, if the AP is not in the CAPWAP mode.

Mesh Deployments

Following are the mesh deployments:

  • Wireless Bridging: Wireless bridging can be point-to-point or point-to-multipoint. Wireless bridges extend the network over the air when a cable is not available. The over-the-air link between the RAP and MAP(s) is treated as a pipe. This type of deployment is usually with RAP and one level of MAP. There are no child MAPs present under the first level of MAP. SSIDs are not deployed.

    • Point-to-Point Wireless Bridging: In a point-to-point bridging scenario, a Cisco Catalyst 9124 Series Mesh AP can be used to extend a remote network by using the backhaul radio to bridge two segments of a switched network. This is fundamentally a wireless mesh network with one MAP and no WLAN clients. Just as in point-to-multipoint networks, client access can still be provided with Ethernet bridging enabled, although if bridging between buildings, MAP coverage from a high rooftop might not be suitable for client access.

    • Point-to-Multipoint: In the point-to-multipoint bridging scenario, a RAP acting as a root bridge connects multiple MAPs as non-root bridges with their associated wired LANs. By default, this feature is disabled for all MAPs. If Ethernet bridging is used, you must enable it on the controller for the respective MAP and for the RAP.

  • Mesh with Wi-Fi Clients: Mesh deployments with multilevel MAPs and wireless clients, for extending Wi-Fi network. In a Cisco wireless outdoor mesh network, multiple mesh access points comprise a network that provides secure, scalable outdoor wireless LAN.

MAC authorization

A MAC authorization is a security mechanism that

  • restricts MAPs from joining a controller unless their MAC address is pre-approved

  • ensures only authorized mesh APs participate in the wireless network, and

  • can be handled using either an internal list or an external AAA server.

You must enter the MAC address of an AP in the controller for a MAP to join the controller. The controller responds only to CAPWAP requests from MAPs listed in its authorization list. Remember to use the MAC address provided on the back of the AP.

MAC authorization for MAPs connected to the controller over Ethernet occurs during the CAPWAP join process. For MAPs joining the controller over radio, MAC authorization occurs when the corresponding AP attempts to secure an adaptive wireless path protocol (AWPP) link with the parent MAP. AWPP operates as the protocol for Cisco mesh networks.

The Cisco Catalyst 9800 Series Wireless Controller supports MAC authorization internally as well as using an external AAA server.

Configure MAC authorization (GUI)

Enable MAC-based authorization for wireless mesh networks. Specify which devices can connect by entering their MAC addresses.

Procedure


Step 1

Choose Configuration > Security > AAA > AAA Advanced > Device Authentication.

Step 2

Click Add.

The Quick Step: MAC Filtering page is displayed.

Step 3

In the Quick Step: MAC Filtering page, complete these steps:

  1. Enter the MAC Address.

  2. Choose the Attribute List Name from the drop-down list.

  3. Choose the WLAN Profile Name from the drop-down list.

  4. Click Apply to Device.

Both WebUI and CLI support MAC user configuration in these formats: xxxxxxxxxxxx, xx:xx:xx:xx:xx:xx, xx-xx-xx-xx-xx-xx, or xxxx.xxxx.xxxx. By default, the AP sends its MAC address without any delimiter. AP authorization therefore fails if the MAC address is configured with a delimiter; configure it in the xxxxxxxxxxxx format.

Step 4

Choose Configuration > Security > AAA > AAA Method List > Authorization.

Step 5

Click Add.

The Quick Step: AAA Authorization window is displayed.

Step 6

In the Quick Step: AAA Authorization page, complete these actions:

  1. Enter the Method List Name.

  2. Choose the Type from the drop-down list.

  3. Choose the Group Type from the drop-down list.

  4. Check the Fallback to Local check box.

  5. Check the Authenticated check box.

  6. Move the required servers from the Available Server Groups to the Assigned Server Groups.

  7. Click Apply to Device.

Step 7

Choose Configuration > Wireless > Mesh > Profiles.

Step 8

Click the mesh profile.

The Edit Mesh Profile page is displayed.

Step 9

Click the Advanced tab.

Step 10

In the Security settings, from the Method drop-down list, choose EAP.

Step 11

Choose the Authentication Method from the drop-down list.

Step 12

Choose the Authorization Method from the drop-down list.

Step 13

Click Update & Apply to Device.


Authorized devices with the specified MAC addresses can connect to the wireless mesh network.

Configure MAC authorization (CLI)

Enable MAC authorization for bridge mode APs by configuring the credentials and authorization methods needed.

Add the MAC address of a bridge mode AP to the controller to allow authentication.

Before you begin

  • MAC filtering for bridge mode APs is enabled by default on the controller. Configure only the MAC address. Find the MAC address on the back of the AP.

  • MAC authorization is supported using both internal and external AAA servers.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Configure username authentication for MAC filtering, using the MAC address as the username.

Example:

Device(config)# username user-name

Step 3

Set the authorization method list to use local credentials.

Example:

Device(config)# aaa authorization credential-download method-name local

Step 4

Set the authorization method list to use a RADIUS server group. The command supports up to 14 lines.

Example:

Device(config)# aaa authorization credential-download method-name radius group server-group-name 

Step 5

Configure a mesh profile to access mesh profile configuration mode.

Example:

Device(config)# wireless profile mesh mesh-profile-name

Step 6

Configure the authorization method for mesh APs.

Example:

Device(config-wireless-mesh-profile)# method authorization method-name

You have successfully configured MAC authorization for bridge mode access points using the CLI on the controller.

Device# configure terminal
Device(config)# username username1
Device(config)# aaa authorization credential-download list1 local
Device(config)# aaa authorization credential-download auth1 radius group radius-server-1 
Device(config)# wireless profile mesh mesh-profile
Device(config-wireless-mesh-profile)# method authorization auth1
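The MAC format note in the GUI procedure and Step 2 of the CLI procedure both depend on the MAC being entered without a delimiter. The following added example (not Cisco code) converts an AP inventory into that xxxxxxxxxxxx form, rejects malformed, group and duplicate addresses, and emits lines in the `username user-name` form shown in Step 2. The AP names, the extra MAC values, the function names and the lowercase output are assumptions of this example.

```python
import re

# The four notations the page lists as accepted by the WebUI and CLI.
ACCEPTED_FORMATS = [
    re.compile(r"[0-9a-f]{12}"),                    # xxxxxxxxxxxx
    re.compile(r"[0-9a-f]{2}(:[0-9a-f]{2}){5}"),    # xx:xx:xx:xx:xx:xx
    re.compile(r"[0-9a-f]{2}(-[0-9a-f]{2}){5}"),    # xx-xx-xx-xx-xx-xx
    re.compile(r"[0-9a-f]{4}(\.[0-9a-f]{4}){2}"),   # xxxx.xxxx.xxxx
]

# Constructed inventory: (AP name, MAC as written on a label or spreadsheet).
SAMPLE_INVENTORY = [
    ("map-roof-1", "00:24:13:0F:92:00"),
    ("map-roof-2", "0024.130f.9300"),
    ("map-pole-7", "00-24-13-0f-94-00"),
    ("map-roof-1b", "0024130f9200"),       # same device as map-roof-1
    ("map-dock-3", "00:24-13:0f:95:00"),   # mixed delimiters
    ("map-dock-4", "01:00:5e:00:00:01"),   # group address, not a device
]


def normalize_mac(raw):
    """Return the MAC as 12 hex digits with no delimiter, or raise ValueError."""
    text = raw.strip().lower()  # lowercase is this example's assumption
    if not any(fmt.fullmatch(text) for fmt in ACCEPTED_FORMATS):
        raise ValueError(f"not one of the accepted MAC notations: {raw!r}")
    digits = re.sub(r"[:.-]", "", text)
    if digits == "0" * 12:
        raise ValueError(f"all-zero address: {raw!r}")
    # The low bit of the first octet marks a multicast/broadcast address.
    if int(digits[:2], 16) & 0x01:
        raise ValueError(f"group address, not a device MAC: {raw!r}")
    return digits


def build_allow_list(inventory):
    """Split an inventory into {mac: ap_name} and a list of rejected rows."""
    allowed = {}
    problems = []
    for ap_name, raw in inventory:
        try:
            mac = normalize_mac(raw)
        except ValueError as exc:
            problems.append((ap_name, str(exc)))
            continue
        if mac in allowed:
            # Two rows for one radio usually mean a copy/paste error.
            problems.append((ap_name, f"duplicate of {allowed[mac]} ({mac})"))
            continue
        allowed[mac] = ap_name
    return allowed, problems


def username_lines(allowed):
    """Render one line per MAC in the 'username user-name' form of Step 2."""
    return [f"username {mac}" for mac in sorted(allowed)]


if __name__ == "__main__":
    ok, rejected = build_allow_list(SAMPLE_INVENTORY)
    for line in username_lines(ok):
        print(line)
    for ap_name, reason in rejected:
        print(f"! skipped {ap_name}: {reason}")
```

Review the skipped rows before applying the generated lines; an entry that is silently dropped keeps that MAP from joining.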

Preshared key provisioning

A preshared key (PSK) is a mesh security credential that

  • provides authentication between Mesh Access Points (MAPs), RAPs, and controllers

  • allows for custom configuration to restrict network access, and

  • enhances security compared to default or wildcard provisioning based on MAC addresses.

In mesh deployments, the MAPs might leave the network and join other mesh networks if both mesh deployments use AAA with wildcard MAC filtering to allow MAP association.

Since MAPs might use EAP-FAST, you cannot control this because EAP uses a combination of MAC address and AP type for authentication, and there are no controlled configuration options available. If you use the PSK option with a default pass phrase, you create a security risk.

This issue frequently occurs in overlapping deployments of two service providers when MAPs are used in moving vehicles, such as ferries, ships, or other public transportation.

In these scenarios, your MAPs are not restricted to your service provider mesh network. As a result, another service provider’s network can hijack MAPs, preventing them from serving your customers.

The PSK key provisioning feature enables network administrators to assign unique preshared keys from the controller to MAPs. This ensures that only authorized MAPs can authenticate to specific RAPs and controllers. These measures prevent accidental or malicious association with unauthorized mesh networks and protect service provider deployments.

Configuring PSK Provisioning (GUI)

To configure PSK provisioning, follow these steps:

Procedure


Step 1

Choose Configuration > Wireless > Mesh.

Step 2

Click the Global Config tab.

Step 3

In the Security settings, check the PSK Provisioning check box and complete the following steps:

  1. Choose the PSK Inuse Index from the numbers in the drop-down list.

  2. In the Keys Configuration settings, click the add icon '+' to configure the keys.

  3. Choose the Key from the drop-down list.

  4. Enter the Name and the Description of the key that is to be configured.

  5. Choose the Password Type as UNENCRYPTED or AES Encrypted.

  6. Click Apply. The key is listed in the list of configured keys.

Step 4

Check the Default PSK check box.

Step 5

Click Apply.


Configure PSK provisioning (CLI)

When you enable PSK provisioning, your APs join using the default PSK. After you set the PSK provisioning key, the system pushes the configured key to each newly joined AP.

Complete these steps to configure a PSK:

Before you begin

Confirm that you have pushed the provisioned PSK to every AP configured with PSK as mesh security.


Note


  • PSKs are saved across reboots in the controller as well as on the corresponding mesh AP.

  • A controller can have a total of five PSKs and one default PSK.

  • A mesh AP deletes the provisioned PSK only during a factory reset.

  • A mesh AP never uses the default PSK after receiving the first provisioned PSK.


Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Configure the security method for wireless as PSK.

Example:

Device(config)# wireless mesh security psk provisioning

Note

 

The controller pushes the provisioned PSK only to APs configured with PSK as the mesh security method.

Step 3

Configure a new PSK for mesh APs.

Example:

Device(config)# wireless mesh security psk provisioning key index {0 | 8} preshared-key description

Step 4

Enable default PSK-based authentication.

Example:

Device(config)# wireless mesh security psk provisioning default-psk

Step 5

Specify the PSK to be actively used.

Example:

Device(config)# wireless mesh security psk provisioning inuse index

Note

 

You should explicitly specify the in-use key index in the global configuration to point to the PSK index.


The controller provisions the specified pre-shared key on the mesh APs, sets the active key, and distributes it accordingly.

Device# configure terminal
Device(config)# wireless mesh security psk provisioning
Device(config)# wireless mesh security psk provisioning key 1 0 secret secret-key
Device(config)# wireless mesh security psk provisioning default-psk
Device(config)# wireless mesh security psk provisioning inuse 1
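A configuration check for the PSK provisioning commands above, as an added example (not Cisco code): it reads command lines in the form this page shows and reports a missing or dangling in-use index, enabled default-PSK authentication, keys entered in unencrypted form, and more than five provisioned keys. The finding codes, function names and the second sample are constructed here; treating type 0 as the unencrypted option and 8 as the AES-encrypted one is an assumption based on the two password types in the GUI procedure.

```python
import re

PREFIX = "wireless mesh security psk provisioning"
# key <index> {0 | 8} <preshared-key> [description]
KEY_RE = re.compile(r"^" + PREFIX + r" key (\d+) ([08]) (\S+)(?: (.+))?$")
INUSE_RE = re.compile(r"^" + PREFIX + r" inuse (\d+)$")
PROMPT_RE = re.compile(r"^\S+[#>]\s*")   # strips "Device(config)# " if present
MAX_PROVISIONED_KEYS = 5                 # "five PSKs and one default PSK"

# The example session from this page.
PAGE_EXAMPLE = """\
Device# configure terminal
Device(config)# wireless mesh security psk provisioning
Device(config)# wireless mesh security psk provisioning key 1 0 secret secret-key
Device(config)# wireless mesh security psk provisioning default-psk
Device(config)# wireless mesh security psk provisioning inuse 1
"""

# Constructed sample: encrypted key entry, no default PSK (placeholder value).
HARDENED_SAMPLE = """\
wireless mesh security psk provisioning
wireless mesh security psk provisioning key 2 8 EXAMPLE-ENCRYPTED-VALUE fleet-a
wireless mesh security psk provisioning inuse 2
"""


def parse_psk_config(text):
    """Collect the PSK provisioning state from command lines."""
    state = {"enabled": False, "default_psk": False, "inuse": None, "keys": {}}
    for raw in text.splitlines():
        line = PROMPT_RE.sub("", raw.strip())
        if line == PREFIX:
            state["enabled"] = True
        elif line == PREFIX + " default-psk":
            state["default_psk"] = True
        elif (m := INUSE_RE.match(line)):
            state["inuse"] = int(m.group(1))
        elif (m := KEY_RE.match(line)):
            # Keep only the type; the key value itself is never reported.
            state["keys"][int(m.group(1))] = m.group(2)
    return state


def audit_psk_config(text):
    """Return a list of (code, message) findings for the given commands."""
    s = parse_psk_config(text)
    findings = []
    if not s["enabled"]:
        findings.append(("PROVISIONING_DISABLED",
                         "PSK provisioning is not enabled"))
    if s["default_psk"]:
        findings.append(("DEFAULT_PSK_ENABLED",
                         "default PSK authentication is enabled"))
    if len(s["keys"]) > MAX_PROVISIONED_KEYS:
        findings.append(("TOO_MANY_KEYS",
                         f"{len(s['keys'])} keys defined, limit is "
                         f"{MAX_PROVISIONED_KEYS}"))
    if s["inuse"] is None:
        findings.append(("NO_INUSE_INDEX", "no in-use key index is set"))
    elif s["inuse"] not in s["keys"]:
        findings.append(("INUSE_INDEX_UNDEFINED",
                         f"in-use index {s['inuse']} has no key defined"))
    for index, key_type in sorted(s["keys"].items()):
        if key_type == "0":
            findings.append(("UNENCRYPTED_KEY",
                             f"key index {index} entered as type 0"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("page example", PAGE_EXAMPLE),
                      ("hardened sample", HARDENED_SAMPLE)):
        print(name)
        for code, message in audit_psk_config(cfg) or [("OK", "no findings")]:
            print(f"  {code}: {message}")
```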

EAP authentication

EAP authentication is a wireless network authentication method that

  • allows users and wireless clients to be authenticated locally on a controller

  • removes dependence on external authentication servers, and

  • supports additional modules such as LSC-based authentication for enhanced security.

Use Local EAP in remote offices to maintain connectivity during backend disruptions. The controller acts as both a server and a user database, retrieving user credentials locally or through LDAP. Local EAP supports the EAP-FAST method for MAP authentication.

An LDAP backend database allows the controller to query an LDAP server for the credentials (username and password) of a particular user. The controller uses these credentials to authenticate the user.


Note


If you configure RADIUS servers on the controller, it will first authenticate the wireless clients using those servers. Local EAP is attempted only if RADIUS servers are not found, timed out, or were not configured.


Locally significant certificate-based (LSC) EAP authentication

A locally significant certificate-based authentication is a WLAN security method that

  • authenticates network devices (such as APs and controllers) using locally generated digital certificates

  • allows both locally significant certificates (LSCs) and manufacturing installed certificates (MICs) to coexist (with LSCs taking precedence), and

  • supports advanced security features, like mesh EAP authentication and master session key generation.

LSC-based EAP authentication requires a public key infrastructure (PKI). This establishes certification authorities, defines policies, and sets validity periods and restrictions.

Certificates (LSCs) must be generated and installed on Access Points and controllers. If an Access Point is provisioned with an LSC, the MIC certificate is not used during boot-up. Changes from LSC to MIC require the Access Point to reboot. LSC-based EAP authentication is supported for mesh Access Points (MAPs). The controller supports mesh security with EAP authentication to a designated server to authenticate mesh child Access Points and generate master session keys for packet encryption.

If a customer installs an LSC (certificate they generate), the AP will use that certificate for authentication and not the factory-installed MIC. Mesh child APs can use LSC EAP authentication to securely join the network and establish encrypted sessions.

The controller also supports mesh security with EAP authentication to a designated server in order to:

  • Authenticate the mesh child AP

  • Generate a master session key (MSK) for packet encryption.

Bridge group names

A bridge group name (BGN) is a mesh network configuration parameter that

  • controls the association of Mesh Access Points (MAPs) to a parent mesh AP

  • allows logical grouping of radios to isolate different networks on the same channel, and

  • allows MAPs to join networks before you assign a custom BGN.

BGNs can logically group radios to avoid two networks on the same channel from communicating with each other. The setting is useful when your network contains multiple RAPs in the same sector (area). A BGN is a string containing up to 10 characters.

A BGN of NULL VALUE is assigned by default during manufacturing. This value is not visible to you, but it allows a MAP to join the network before you assign a network-specific BGN.

If you have two RAPs in your network in the same sector, we recommend that you configure the two RAPs with the same BGN, on different channels.

When Strict Match BGN is enabled on a MAP, the MAP scans ten times to find a matching BGN parent. If the AP does not find a parent with a matching BGN after ten scans, it connects to a nonmatching BGN and maintains the connection for 15 minutes. After 15 minutes, the AP scans ten times again, and this cycle continues. The default BGN functionality does not change when Strict Match BGN is enabled.

In Cisco Catalyst 9800 Series Wireless Controller, the BGN is configured on the mesh profile. When a MAP joins the controller, the system pushes the configured BGN on the mesh profile to the AP.


Note


In the EWC HA pair, the system initiates switchover if you change the BGN configuration. If you remove the configured BGN from the mesh profile, a switchover is triggered.


Preferred parent selection

A preferred parent selection is a mesh network configuration method that

  • enables enforcement of linear topology in a mesh environment

  • allows administrators to override the AWPP-defined (Adaptive Wireless Path Protocol) parent selection algorithm, and

  • supports explicit specification of the uplink path for the MAP in mesh deployments.

For Cisco Wave 1 APs, when you configure a preferred parent, ensure that you specify the MAC address of the actual mesh neighbor for the desired parent. This MAC address is the base radio MAC address that has the letter "f" as the final character. For example, if the base radio MAC address is 00:24:13:0f:92:00, then you must specify 00:24:13:0f:92:0f as the preferred parent.

Device# ap name ap1 mesh parent preferred 00:24:13:0f:92:0f

For Cisco Wave 2 APs, when you configure a preferred parent, the MAC address is the base radio MAC address that has "0x11" added to the last two characters. For example, if the base radio MAC address is 00:24:13:0f:92:00, then you must specify 00:24:13:0f:92:11 as the preferred parent.

Device# ap name ap1 mesh parent preferred 00:24:13:0f:92:11

Configure a bridge group name (GUI)

Configure a bridge group name to organize and manage wireless mesh network profiles efficiently.

Procedure


Step 1

Choose Configuration > Wireless > Mesh > Profiles

Step 2

Click Add.

Step 3

In the Advanced tab, under the Bridge Group settings, enter the Bridge Group Name.

Step 4

Under the Bridge Group settings, check the Strict Match check box to enable the feature. The MAP scans ten times to find a matching BGN parent when you enable Strict Match BGN.

Step 5

Click Apply to Device.


The system assigns and applies a new bridge group name to the mesh profile you selected.

Configure a bridge group name (CLI)

Configure a bridge group name (BGN) for a mesh profile on a wireless LAN controller using CLI commands.

  • If a BGN is configured on a mesh profile, whenever a MAP joins the controller, it pushes the BGN configured on the mesh profile to the AP.

  • Whenever a mesh AP moves from AireOS controller to the Cisco Catalyst 9800 Series Wireless Controller, the BGN configured on the mesh profile is pushed to that AP and stored there.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Configure a mesh profile and enter mesh profile configuration mode.

Example:

Device(config)# wireless profile mesh mesh-profile-name

Step 3

Configure a bridge group name.

Example:

Device(config-wireless-mesh-profile)# bridge-group name bridge-grp-name

Step 4

Configure bridge group strict matching.

Example:

Device(config-wireless-mesh-profile)# bridge-group strict-match

The bridge group name is assigned to the mesh profile and applied to all associated mesh APs.

Device# configure terminal
Device(config)# wireless profile mesh mesh-profile-bgn
Device(config-wireless-mesh-profile)# bridge-group name bgn-grp-name
Device(config-wireless-mesh-profile)# bridge-group strict-match

Mesh backhaul at 2.4 GHz and 5 GHz

A backhaul is a wireless network interface that

  • creates the connection between Mesh Access Points (MAPs)

  • operates over 802.11a/n/ac/g, depending on the AP, and

  • typically defaults to the 5-GHz frequency band.

Selecting the appropriate backhaul rate is important for efficient spectrum use. It can directly affect client device throughput, a critical metric in evaluating wireless performance.

Mesh backhaul is supported at 2.4 GHz and 5 GHz. By default, the backhaul interface for mesh APs uses 802.11a/ac/ax. In some countries, mesh networks cannot use a 5 GHz backhaul. In countries where 5 GHz is allowed, using 2.4 GHz radio frequencies achieves more extensive mesh or bridge distances.

When a RAP receives a slot-change configuration, the RAP propagates it to all child MAPs. All MAPs disconnect and join the newly configured backhaul slot.

For information about APs that support mesh backhaul, see https://www.cisco.com/c/en/us/td/docs/wireless/access_point/feature-matrix/ap-feature-matrix.html .


Note


In Israel, you must ensure that you run the ap country IO command to enable the outdoor country code for the selected radio. After you configure using the ap country IO command, the 2.4-GHz radio is enabled and 5-GHz radio is disabled.


Configure mesh backhaul (CLI)

Set the mesh backhaul frequency for an AP using CLI commands.

Procedure


Change the mesh backhaul to 2.4 GHz.

Example:

Device# ap name test-ap mesh backhaul radio dot11 24ghz

The specified access point now uses 2.4 GHz as its mesh backhaul radio frequency.

Mesh backhaul RRM

Root access points (RAPs) choose backhaul channels to operate in mesh networks. Until Cisco IOS XE Cupertino 17.8.1, this operation occurred by an explicit configuration, a least congested scan during RAP boot time, during the initial radio resource management (RRM) run without mesh access points (MAPs) connected, or a backhaul channel that was chosen at random. As a result, a poor backhaul channel selection resulted in poor performance.

From Cisco IOS XE Cupertino 17.9.1 onwards, RRM DCA is run on mesh backhaul, in auto mode, in FlexConnect or centralized networks. For APs that do not have dedicated (RHL) radios, DCA is triggered by running commands in privileged EXEC mode.

RRM continuously evaluates the channel conditions to ensure that the network utilizes the least congested channels. The network uses the transmission static power if it is configured, or falls back to the default level. This is supported on APs that have dedicated radios to scan channel conditions, without any user perceptible interruption to the mesh network traffic.

In the mesh backhaul RRM feature, the RRM DCA decides all the downlink channels in a steady network. However, if an AP detects a change in its uplink roam or radar detection response, the AP chooses the best downlink to converge faster.


Note


APs choosing the best possible downlink is limited to serial backhaul enabled APs only.


Configure RRM channel assignment for an AP

Assign RRM channels to an AP. This action helps you optimize wireless channel usage and reduce interference.

Procedure


Step 1

Enter privileged EXEC mode.

Example:

Device> enable

Step 2

Trigger the RRM DCA process for your AP.

Example:

Device# ap name Cisco-ap-name dot11 {24ghz | 5ghz | 6ghz} rrm channel update mesh

After you trigger the process, the system starts the RRM DCA process and updates the channel assignment for your selected radio band.

Device> enable
Device# ap name Cisco-ap-name dot11 5ghz rrm channel update mesh

Configure RRM channel assignment for root access points globally

Configure Radio Resource Management (RRM) channel assignment policies for all root access points. This configuration optimizes wireless performance, minimizes interference, and maintains network stability across your deployment.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Configure RRM for mesh backhaul.

Example:

Device(config)# wireless mesh backhaul rrm

Step 3

(Optional) Configure auto DCA for RF Application Specific Integrated Circuit (ASIC) integrated RAPs.

Example:

Device(config)# wireless mesh backhaul rrm auto-dca

All RAPs adopt the configured RRM channel assignment settings globally. This change results in improved channel distribution, reduced interference, and more reliable wireless connectivity across the network.

Device# configure terminal
Device(config)# wireless mesh backhaul rrm
Device(config)# wireless mesh backhaul rrm auto-dca

Complete these steps to configure the initial channel assignment of the RAP in privileged EXEC mode through RRM and to initiate channel selection for each bridge group.

Procedure

Step 1

Enter privileged EXEC mode.

Example:
Device> enable

Step 2

Initiate the update of the 802.11, 802.11a, or 802.11b channel selection for every mesh Cisco AP.

Example:
Device# ap dot11 {24ghz | 5ghz | 6ghz} rrm channel-update mesh

Step 3

Initiate the update of the 802.11, 802.11a, or 802.11b channel selection for mesh AP in the bridge group.

Example:
Device# ap dot11 {24ghz | 5ghz | 6ghz} rrm channel-update mesh bridge-group bridge-group-name

RRM completes the channel assignment for the RAP in privileged EXEC mode.

Device> enable
Device# ap dot11 5ghz rrm channel-update mesh
Device# ap dot11 5ghz rrm channel-update mesh bridge-group cisco-bridge-group

Verify the RRM DCA status

To view the status of the DCA that is run for mesh APs, run this command:

Device# show ap name Cisco-AP config general | inc Mesh
Mesh profile name                               : default-mesh-profile
Mesh DCA Run Status:                            : Not Running
Last Mesh DCA Run                               : 02/07/2022 01:21:56

To verify the status of the last DCA run per radio, run this command:

Device# show wireless mesh rrm dca status

Dynamic frequency selection

A dynamic frequency selection (DFS) is a wireless communication protocol that

  • enables radio devices to detect radar signals

  • requires devices to cease transmission when radar is detected, and

  • requires selecting and monitoring a new channel before resuming transmission.

Regulatory bodies enforce DFS to prevent interference with radar services in shared frequency bands by unlicensed wireless devices.

To protect radar services, regulatory bodies require devices on newly opened frequency sub-bands to operate using DFS. Your radio device must detect radar signals as required. If a radar event is detected in any AP within a sector, mesh access points immediately switch channels to maintain compliance.

For instance, when a radio detects a radar signal, the radio should stop transmitting for at least 30 minutes to protect that service. The radio should then select a different channel to transmit on, but only after monitoring it. If no radar is detected on the projected channel for at least one minute, the new radio service device can begin transmissions on that channel.

Configuring Dynamic Frequency Selection (GUI)

Procedure


Step 1

Choose Configuration > Wireless > Mesh > Profiles.

Step 2

Click Add.

The Add Mesh Profile window is displayed.

Step 3

In the Add Mesh Profile window, click the General tab.

Step 4

Enter a profile name.

Step 5

Check the Full sector DFS status check box to enable dynamic frequency selection.

Step 6

Click Apply to Device.


Configure dynamic frequency selection (CLI)

Configure dynamic frequency selection (DFS) on your device to enable radar detection and meet DFS requirements.

DFS specifies the types of radar waveforms that should be detected and the timers that must be used for operation in the DFS channel.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Configure a mesh profile and enter mesh profile configuration mode.

Example:

Device(config)# wireless profile mesh profile-name

Step 3

Enable DFS.

Example:

Device(config-wireless-mesh-profile)# full-sector-dfs

Note

 

DFS functionality allows a MAP that detects a radar signal to transmit this information to the RAP. The RAP treats this as a radar detection and moves the sector. This process is called the coordinated channel change. The coordinated channel change feature is always enabled on Cisco Wave 2 and newer APs. You can disable this feature only on Cisco Wave 1 APs.


Dynamic Frequency Selection is enabled for your mesh profile. Your mesh profile is now ready to operate and meets radar detection requirements.

Device# configure terminal
Device(config)# wireless profile mesh dfs-mesh-profile
Device(config-wireless-mesh-profile)# full-sector-dfs

Country codes

A country code is a regulatory compliance setting that

  • allows specification of the intended country of operation for controllers and APs

  • ensures adherence to local regulations about broadcast frequencies, channels, and power levels, and

  • maintains correct assignment of regulatory domains for each device.

In certain countries, there is a difference for indoor and outdoor APs in these areas:

  • Regulatory domain code

  • Set of channels supported

  • Transmit power level

Controllers and APs are designed for use in many countries with varying regulatory requirements. At the factory, the radios within the APs are assigned to a specific regulatory domain (such as -E for Europe). The country code then enables you to specify a particular country of operation (such as FR for France or ES for Spain). Configuring a country code ensures that the broadcast frequency bands, interfaces, channels, and transmit power levels of each radio are compliant with country-specific regulations.

Intrusion detection system

Cisco Intrusion Detection System/Intrusion Prevention System (CIDS/CIPS) is a network security solution that

  • monitors network traffic and system activities for signs of suspicious behavior

  • detects and classifies potential security threats such as malware or unauthorized access, and

  • responds to attacks or alerts administrators to enable prevention or mitigation actions.

CIDS can block specific clients from your wireless network if it detects attacks involving them in network layers 3 to 7. This feature helps you detect, classify, and stop threats such as worms, spyware, adware, network viruses, and application abuse.

Configuring the Intrusion Detection System (GUI)

Procedure


Step 1

Choose Configuration > Wireless > Mesh > Profiles.

Step 2

Click Add.

The Add Mesh Profile window is displayed.

Step 3

In the Add Mesh Profile window, click the General tab.

Step 4

Enter a profile name.

Step 5

Check the IDS (Rogue/Signature Detection) check box to enable the Intrusion Detection System.

Step 6

Click Apply to Device.


Configure the intrusion detection system (CLI)

Enable intrusion detection system monitoring and reporting on mesh APs to enhance network security.

When enabled, the intrusion detection system generates reports for all client access traffic. This feature does not apply to backhaul traffic.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Configure a mesh profile and enter mesh profile configuration mode.

Example:

Device(config)# wireless profile mesh profile-name

Step 3

Configure intrusion detection system reporting for mesh APs.

Example:

Device(config-wireless-mesh-profile)# ids

The device is now configured to report intrusion detection events for mesh APs.

Device# configure terminal
Device(config)# wireless profile mesh mesh-ids
Device(config-wireless-mesh-profile)# ids

Mesh interoperability between controllers

Mesh interoperability between controllers is a wireless mesh network capability that

  • enables MAPs to join an AireOS controller through a mesh network formed by APs connected to a Cisco Catalyst 9800 Series Wireless Controller

  • allows MAPs to join a Cisco Catalyst 9800 Series Wireless Controller through a mesh network formed by APs connected to an AireOS controller, and

  • supports MAP roaming between parent mesh APs connected to AireOS and Cisco Catalyst 9800 Series Wireless Controller using PMK cache.


Note


For seamless interoperability, the AireOS controller and the Cisco Catalyst 9800 Series Wireless Controller must be in the same mobility group. Both controllers should use image versions that support Inter-Release Controller Mobility (IRCM).


Mesh convergence

A mesh convergence event is a network recovery mechanism that

  • allows MAPs to re-establish connection with a controller after losing the backhaul link to the current parent

  • enables the use of a maintained subset of channels for future scanning and parent identification, and

  • supports multiple convergence methods to optimize reconnection time.

The table presents the supported convergence methods.

Table 1. Mesh convergence

Mesh convergence       Parent Loss Detection / Keepalive Timers
Standard               21 seconds / 3 seconds
Fast                   7 seconds / 3 seconds
Very Fast              4 seconds / 2 seconds
Noise-tolerant-fast    21 seconds / 3 seconds

Noise-tolerant fast detection

A noise-tolerant fast detection is a detection method that

  • monitors the response to Adaptive Wireless Path Protocol (AWPP) neighbor requests at specified intervals

  • identifies parent connectivity loss through missed responses, and

  • initiates network recovery actions such as roaming or full scans when loss is detected.

Noise-tolerant fast detection occurs when there is no response to an AWPP neighbor request. In the standard method, the system evaluates the current parent every 21 seconds. Each neighbor receives a unicast request every three seconds, and the parent also receives a request. If the parent does not respond, the device either roams to an available neighbor on the same channel or performs a full scan to find a new parent.

Configure mesh convergence (CLI)

This section provides information about how to configure mesh convergence.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Create a mesh profile.

Example:

Device(config)# wireless profile mesh profile-name

Step 3

Configure mesh convergence method in a mesh profile.

Example:

Device(config-wireless-mesh-profile)# convergence {fast | noise-tolerant-fast | standard | very-fast} 

You have successfully configured mesh convergence for the specified mesh profile on the device.

Device# configure terminal
Device(config)# wireless profile mesh mesh1
Device(config-wireless-mesh-profile)# convergence fast

Ethernet bridging

An Ethernet bridge is a network device that

  • lets you securely activate Ethernet ports on MAPs

  • supports both tagged and untagged packets for flexible deployment, and

  • allows segmenting application traffic with VLAN tagging between wireless and wired LANs.

For security, the Ethernet port on all MAPs is disabled by default. It can be enabled only through Ethernet bridging configuration on both the root AP and the respective MAP.

Secondary Ethernet interfaces support both tagged and untagged packets.

In point-to-point bridging, a Cisco Aironet 1500 Series MAP can extend remote networks by using the backhaul radio to bridge multiple segments of a switched network. This is fundamentally a wireless mesh network with one MAP and no WLAN clients.

In point-to-multipoint networks, client access can still be provided with Ethernet bridging enabled, although if bridging between buildings, MAP coverage from a high rooftop might not be suitable for client access. To use an Ethernet-bridged application, enable the bridging feature on the RAP and on all the MAPs in that sector.

In a mesh environment, with VLAN support for Ethernet bridging, the secondary Ethernet interfaces on MAPs are assigned a VLAN individually from the controller. Wired and wireless backhaul links operate as trunks with all VLANs allowed. Non-Ethernet bridged traffic, as well as untagged Ethernet bridged traffic travels along the mesh using the native VLAN of the APs in the mesh. It is similar for all the traffic to and from the wireless clients that the APs are servicing. The VLAN-tagged packets are tunneled through AWPP over wireless backhaul links.


Note


Ensure Ethernet bridging is enabled for every parent mesh AP along the data path to the controller.


Ethernet bridging should be enabled for these scenarios:

  • Use mesh nodes as bridges.

  • Connect Ethernet devices, such as a video camera on a MAP using its Ethernet port.

VLAN tagging for MAP Ethernet clients

Primary interfaces refer to mesh AP backhauls, and secondary interfaces refer to other AP interfaces.

Ethernet VLAN tagging segments application traffic within a mesh and forwards it to a wired LAN (access mode) or another wireless mesh network (trunk mode).

Configure Ethernet bridging (GUI)

Enable Ethernet bridging on a mesh profile so that network traffic can be transparently passed between Ethernet segments.

Procedure


Step 1

Choose Configuration > Wireless > Mesh > Profiles.

Step 2

Click Add.

Step 3

In the General tab, enter the Name of the mesh profile.

Step 4

In the Advanced tab, check the VLAN Transparent check box to enable VLAN transparency.

Step 5

In the Advanced tab, check the Ethernet Bridging check box.

Step 6

Click Apply to Device.


Ethernet bridging is now enabled for the selected mesh profile.

Configure Ethernet bridging (CLI)

Configure Ethernet bridging on mesh access points (APs) to allow Ethernet devices to connect through AP ports.

The Ethernet ports on MAPs are disabled by default. To enable them, configure Ethernet bridging on the Root AP and the relevant MAPs.

You can enable Ethernet bridging to:

  • Use the mesh nodes as bridges.

  • Connect Ethernet devices, such as a video camera, on a MAP using the MAP's Ethernet port.

Before you begin

  • Ensure that you configure these commands under the mesh profile configuration for Ethernet bridging to be enabled:

    • ethernet-bridging: Enables the Ethernet Bridging feature on an AP.

    • no ethernet-vlan-transparent: Makes the wireless mesh bridge VLAN aware. VLAN filtering is allowed with this AP command: [no] mesh ethernet { 0 | 1 | 2 | 3 } mode trunk vlan allowed.


      Note


      If you want all VLANs bridged (the bridge acts like a piece of wire), enable VLAN transparency to allow all VLANs to pass. To avoid unnecessary traffic flooding the network, filter VLANs on the wired side when using VLAN transparent mode.


  • Configure the switch port that connects to the root AP as a trunk port so Ethernet bridging works.

  • For Bridge mode APs, use the ap name name-of-rap mesh vlan-trunking native vlan-id command to configure a trunk VLAN on the corresponding RAP. You must configure this command to enable the Ethernet Bridging feature on the AP.

  • For FlexConnect+Bridge APs, configure the native VLAN ID under the corresponding flex profile.


Procedure


Step 1

Enable privileged EXEC mode.

Example:

Device> enable

Enter your password, if prompted.

Step 2

Configure the Ethernet port of the AP and set the mode.

Example:

Device# ap name ap-name mesh ethernet {0 | 1 | 2 | 3} mode access vlan-id

Step 3

Set the native VLAN for the trunk port.

Example:

Device# ap name ap-name mesh ethernet {0 | 1 | 2 | 3} mode trunk vlan native 21

Step 4

Configure the allowed VLANs for the trunk port.

Example:

Device# ap name ap1 mesh ethernet { 0 | 1 | 2 | 3 } mode trunk vlan allowed vlan-id

This command permits VLAN filtering on an Ethernet port of any Mesh or Root Access Point. It is active only when VLAN transparency is disabled in the mesh profile.


Ethernet bridging is enabled on the AP, allowing devices to communicate through configured VLANs.

Device> enable
Device# ap name ap1 mesh ethernet 1 mode access 21
Device# ap name ap1 mesh ethernet 1 mode trunk vlan native 21
Device# ap name ap1 mesh ethernet 1 mode trunk vlan allowed 21
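The following audit script is an added example, not part of the Cisco documentation. It reads a CLI transcript built from the commands on this page and flags mesh profiles that bridge every VLAN, profiles without IDS reporting, and per-port allowed-VLAN filters that are inactive because the profile is VLAN transparent. The transcript, the profile and AP names, the AP-to-profile mapping, the finding codes, and the two default values noted in the comments are assumptions made for the example.

```python
import re
from dataclasses import dataclass

PROMPT = re.compile(r"^\S+?[#>]\s*")  # strips "Device(config)# " style prompts
PROFILE = re.compile(r"^wireless profile mesh (\S+)$")
ALLOWED = re.compile(
    r"^ap name (\S+) mesh ethernet ([0-3]) mode trunk vlan allowed (\d+)$")

# Mesh-profile keywords taken from this page -> attribute they toggle.
KEYWORDS = {
    "ids": "ids",
    "ethernet-bridging": "bridging",
    "ethernet-vlan-transparent": "vlan_transparent",
}


@dataclass
class MeshProfile:
    # Assumption: IDS reporting and bridging are off until configured.
    ids: bool = False
    bridging: bool = False
    # Assumption: transparency is on until "no ethernet-vlan-transparent".
    vlan_transparent: bool = True


def parse(session):
    """Return ({profile: MeshProfile}, {(ap, port): {vlan, ...}})."""
    profiles, filters, current = {}, {}, None
    for raw in session.splitlines():
        line = PROMPT.sub("", raw.strip())
        if (m := PROFILE.match(line)):
            current = profiles.setdefault(m.group(1), MeshProfile())
        elif (m := ALLOWED.match(line)):
            key = (m.group(1), m.group(2))
            filters.setdefault(key, set()).add(int(m.group(3)))
        elif line in ("exit", "end", "configure terminal"):
            current = None  # left mesh profile configuration mode
        elif current is not None:
            negated = line.startswith("no ")
            attr = KEYWORDS.get(line[3:] if negated else line)
            if attr:
                setattr(current, attr, not negated)
    return profiles, filters


def audit(session, ap_profile):
    """ap_profile maps AP name -> mesh profile name (operator supplied)."""
    profiles, filters = parse(session)
    findings = []
    for name, prof in profiles.items():
        if not prof.ids:
            # No IDS reports for client access traffic on this profile.
            findings.append((name, "IDS_OFF"))
        if prof.bridging and prof.vlan_transparent:
            # Bridge acts like a wire: filter VLANs on the wired side.
            findings.append((name, "BRIDGE_ALL_VLANS"))
    for (ap, port), _vlans in sorted(filters.items()):
        prof = profiles.get(ap_profile.get(ap))
        if prof is None:
            findings.append((f"{ap} eth{port}", "PROFILE_UNKNOWN"))
        elif prof.vlan_transparent:
            # "vlan allowed" only works when transparency is disabled.
            findings.append((f"{ap} eth{port}", "FILTER_INACTIVE"))
    return findings


# Constructed sample transcript (not captured from a real device).
SAMPLE_SESSION = """\
Device# configure terminal
Device(config)# wireless profile mesh mesh-cam
Device(config-wireless-mesh-profile)# ethernet-bridging
Device(config-wireless-mesh-profile)# exit
Device(config)# wireless profile mesh mesh-vlan-aware
Device(config-wireless-mesh-profile)# ids
Device(config-wireless-mesh-profile)# ethernet-bridging
Device(config-wireless-mesh-profile)# no ethernet-vlan-transparent
Device(config-wireless-mesh-profile)# end
Device# ap name map-cam1 mesh ethernet 1 mode trunk vlan native 21
Device# ap name map-cam1 mesh ethernet 1 mode trunk vlan allowed 21
Device# ap name map-gate mesh ethernet 1 mode trunk vlan allowed 30
"""
SAMPLE_AP_PROFILE = {"map-cam1": "mesh-cam", "map-gate": "mesh-vlan-aware"}

if __name__ == "__main__":
    for subject, code in audit(SAMPLE_SESSION, SAMPLE_AP_PROFILE):
        print(f"{code:18} {subject}")
```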

Mesh daisy chaining

A mesh daisy chain is a wireless networking topology that

  • connects mesh APs in series to relay data

  • enables both serial backhaul communication and network extension for client access, and

  • supports flexible deployment by allowing MAPs to connect in different modes and power configurations.

Mesh APs can daisy chain when operating as Mesh APs. In a daisy chain configuration, MAPs function as either serial backhaul links—using different channels for uplink and downlink to increase backhaul bandwidth—or as extensions of universal network access. Extending universal access allows a local mode or FlexConnect mode Mesh AP to connect to the Ethernet port of a MAP, expanding network reach for client devices.

Wired daisy-chained APs require specific cabling based on power source:

  • If an AP uses DC power, connect an Ethernet cable from the LAN port of the Primary AP directly to the PoE-in port of the Subordinate AP.

Restrictions for mesh Ethernet daisy chaining

Review and meet these requirements before you configure mesh Ethernet daisy chaining:

  • This feature is applicable to the Cisco Industrial Wireless 3702 AP and Cisco Catalyst 9124 Series APs.

  • This feature is applicable to APs operating in Bridge mode and Flex+Bridge mode only.

  • In Flex+Bridge mode, if local switching WLAN is enabled, the work group bridge (WGB) multiple VLAN is not supported.

  • For Ethernet daisy chain topology, connect a power injector as the power supply for the AP. Do not connect the Cisco Industrial Wireless 3702 PoE out port to the PoE in port of another Cisco Industrial Wireless 3702 AP.

  • The network convergence time increases as the number of APs in the chain increases.

  • Any EWC-capable AP that is part of daisy chaining and has been assigned the RAP role must operate in CAPWAP mode (ap-type capwap).

Prerequisites for mesh Ethernet daisy chaining

Before you deploy mesh Ethernet daisy chaining, complete several configuration steps and verify specific settings on your APs. These prerequisites include designating AP roles, enabling relevant features, configuring VLAN support, and using the proper cabling to ensure optimal system performance and compatibility.

  • Ensure that you have configured the AP role as root AP.

  • Ensure that you have enabled Ethernet bridging and Strict Wired Uplink on the corresponding AP.

  • Ensure that you have disabled VLAN transparency.

  • To enable VLAN support on each root AP operating in bridge mode, use the ap name name-of-rap mesh vlan-trunking [native] vlan-id command. This command configures a trunk VLAN on the corresponding RAP.

  • To enable VLAN support on each root AP, for Flex+Bridge APs, you must configure the native VLAN ID under the corresponding Flex profile.

  • Ensure that you use 4-pair cables that support 1000 Mbps. This feature does not work properly with 2-pair cables that support 100 Mbps.

Configure mesh Ethernet daisy chaining (CLI)

This section provides information about how to configure the Mesh Ethernet Daisy Chaining feature on a mesh AP.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Specify the AP profile.

Example:

Device(config)# ap profile default-ap-profile

Step 3

Configure persistent SSID broadcast and ensure strict wired uplink. RAP will not switch to wireless backhaul when you configure this command.

Example:

Device(config-ap-profile)# ssid broadcast persistent

Mesh Ethernet daisy chaining is successfully enabled on the mesh AP. The SSID broadcast is persistent and the RAP uses a strict wired uplink.

Multicast over mesh Ethernet bridging network

A mesh multicast mode is a traffic management setting for bridging-enabled APs that

  • determines how multicast and broadcast packets are forwarded across the mesh Ethernet network

  • manages only non-CAPWAP multicast traffic, and

  • helps optimize bandwidth by reducing unnecessary multicast transmissions.

Mesh multicast modes

Mesh multicast modes determine how bridging-enabled APs such as MAP and RAP send multicast packets among Ethernet LANs within a mesh network. Mesh multicast modes manage only non-CAPWAP multicast traffic. CAPWAP multicast traffic is governed by a different mechanism.

Different mesh multicast modes are available to manage multicast and broadcast packets on all MAPs. When enabled, these modes reduce unnecessary multicast transmissions within the mesh network and conserve backhaul bandwidth.

The mesh multicast modes are:

  • Regular mode: Regular mode for multicast is not supported on Cisco Catalyst 9124 Series Outdoor Access Points on EWC.

  • In-only mode: When a MAP receives multicast packets from the Ethernet, it forwards them to the corresponding RAP’s Ethernet network. No additional forwarding occurs. This setting ensures that the RAP does not send non-CAPWAP multicasts back to the MAP Ethernet networks within the mesh network (their point of origin). The system filters out MAP to MAP multicasts so these do not occur.

  • In-out mode: The RAP and MAP multicast in different ways.

    • If a MAP receives multicast packets over Ethernet, it sends them to the RAP. The MAP does not send these packets to other MAPs over Ethernet; the system filters MAP-to-MAP packets from the multicast stream.

    • If a RAP receives multicast packets over Ethernet, it sends them to all the MAPs and their respective Ethernet networks. When in-out mode operates, partition your network to ensure a multicast sent by one RAP is not received by another RAP on the same Ethernet segment and then sent back into the network.
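The following sketch is an added example, not Cisco code. It is a simplified model of the in-only and in-out forwarding rules as stated above, and it shows why two RAPs on the same Ethernet segment must be partitioned in in-out mode. The topology, the node and segment names, and the assumption that a RAP places MAP-originated multicast on its own wired segment in both modes are constructed for the illustration.

```python
def rap_of(sectors, map_name):
    """Return the RAP whose sector contains map_name."""
    for rap, maps in sectors.items():
        if map_name in maps:
            return rap
    raise KeyError(f"{map_name} is not in any sector")


def from_wire(mode, sectors, rap_segment, segment, sender=None):
    """MAP Ethernet networks reached by a multicast seen on a wired segment.

    sender is the RAP that put the frame on the wire (it does not
    receive its own frame), or None for a wired host.
    """
    if mode not in ("in-only", "in-out"):
        raise ValueError("only in-only and in-out are modelled")
    reached = set()
    if mode == "in-out":
        # In-out: a RAP that receives multicast over Ethernet sends it
        # to all MAPs in its sector and their Ethernet networks.
        for rap, seg in rap_segment.items():
            if seg == segment and rap != sender:
                reached.update(f"eth:{m}" for m in sectors[rap])
    # In-only: RAPs never forward wired multicast into the mesh.
    return reached


def from_map(mode, sectors, rap_segment, map_name):
    """Segments reached by a multicast a MAP receives on its Ethernet port."""
    home = rap_of(sectors, map_name)
    wire = rap_segment[home]  # MAP -> its RAP's Ethernet network
    # MAP-to-MAP copies are filtered, so only other RAPs on the same
    # wire can carry the frame back into the mesh.
    return {wire} | from_wire(mode, sectors, rap_segment, wire, sender=home)


def shared_segments(rap_segment):
    """Wired segments with more than one RAP attached (need partitioning)."""
    by_seg = {}
    for rap, seg in rap_segment.items():
        by_seg.setdefault(seg, []).append(rap)
    return {s: sorted(r) for s, r in by_seg.items() if len(r) > 1}


# Constructed topology: two sectors, three MAPs.
SECTORS = {"rap-a": ["map-a1", "map-a2"], "rap-b": ["map-b1"]}
SHARED = {"rap-a": "wired-10", "rap-b": "wired-10"}       # same segment
PARTITIONED = {"rap-a": "wired-10", "rap-b": "wired-20"}  # separated

if __name__ == "__main__":
    for label, layout in (("shared", SHARED), ("partitioned", PARTITIONED)):
        for mode in ("in-only", "in-out"):
            reach = sorted(from_map(mode, SECTORS, layout, "map-a1"))
            print(f"{label:12} {mode:8} map-a1 -> {reach}")
    print("RAPs sharing a segment:", shared_segments(SHARED))
```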

Configuring Multicast Modes Over Mesh (GUI)

Procedure


Step 1

Choose Configuration > Wireless > Mesh > Profiles.

Step 2

Click Add.

The Add Mesh Profile window is displayed.

Step 3

In the Add Mesh Profile window, click the General tab.

Step 4

Enter a profile name.

Step 5

Choose one of the following Multicast Modes, from the drop-down list:

  1. Regular: In this mode, data is multicast across the entire mesh network and all its segments by bridging-enabled RAP and MAP.

  2. In: In this mode, the multicast packets received from the Ethernet by a MAP are forwarded to the corresponding RAP’s Ethernet network.

  3. In-Out: In this mode, both RAP and MAP multicast but in a different manner.

Step 6

Click Apply to Device.


Configure multicast modes over mesh

Enable multicast forwarding behavior so that your wireless mesh network operates efficiently.

  • If multicast packets are received at a MAP over Ethernet, the MAP sends them to the RAP. The MAP does not send them to other MAPs; it filters out MAP-to-MAP packets from the multicast.

  • If multicast packets are received at a RAP over Ethernet, they are sent to all the MAPs and their respective Ethernet networks.

  • The in-out mode is the default mode. To prevent a multicast sent by one RAP from being received by another RAP on the same Ethernet segment and then sent back into the network, properly partition your network when the in-out mode is in operation.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Configure a mesh profile and enter mesh profile configuration mode.

Example:

Device(config)# wireless profile mesh profile-name

Step 3

Configure mesh multicast mode.

Example:

Device(config-wireless-mesh-profile)# multicast {in-only | in-out | regular}

You have set the mesh profile to the multicast mode you want. This setting controls how multicast packets are routed in the network.

Device# configure terminal
Device(config)# wireless profile mesh mesh-multicast
Device(config-wireless-mesh-profile)# multicast regular

Radio Resource Management on mesh

Radio resource management (RRM) features are wireless network management functions that

  • enable real-time RF management of the wireless network

  • monitor lightweight APs for traffic load, interference, noise, and coverage, and

  • operate automatically through embedded controller software.

The RRM measurement in the mesh AP backhaul is enabled based on these conditions:

  • Mesh AP has the Root AP role.

  • Root AP has joined using Ethernet link.

  • Root AP does not serve any child AP.

Configuring RRM on Mesh Backhaul (GUI)

Procedure


Step 1

Choose Configuration > Wireless > Mesh > Global Config.

Step 2

In the Backhaul section, check the RRM check box to enable radio resource management on mesh.

Step 3

Click Apply.


Configure RRM on mesh backhaul (CLI)

RRM measurement in the mesh AP backhaul is enabled if your access point meets these conditions:

  • Mesh AP has the Root AP role.

  • The Root AP has joined the network using an Ethernet link.

  • Root AP does not serve any child AP.


Note


When RRM is enabled on the mesh backhaul, only RAPs joined via Ethernet and without child MAPs report RRM noise information.


Complete the steps to enable RRM in the mesh backhaul:

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Configure RRM on the mesh backhaul.

Example:

Device(config)# wireless mesh backhaul rrm

RRM is enabled on the mesh backhaul for APs.

Device# configure terminal
Device(config)# wireless mesh backhaul rrm

Mesh leaf node

A mesh leaf node is a type of mesh access point (MAP) that

  • operates only as a child node within a wireless mesh network

  • is typically assigned to MAPs with lower performance, and

  • cannot serve as a parent MAP, ensuring wireless backhaul performance is not degraded.

Leaf nodes maintain stable network throughput by preventing low-performance devices from acting as wireless backhaul links for other MAPs.

Configure the mesh leaf node (GUI)

Configure a mesh leaf node so that it blocks child connections to enforce network segmentation.

Procedure


Step 1

Choose Configuration > Wireless > Access Points.

Step 2

Click the AP.

Step 3

In the Mesh tab, check the Block Child check box.

Step 4

Click Update & Apply to Device.


Your mesh leaf node now blocks child connections.

Configure mesh leaf node (CLI)

Set an AP as a mesh leaf node. Other mesh APs cannot select this AP as a parent MAP.

Procedure


Step 1

Enter privileged EXEC mode.

Example:

Device> enable

Step 2

Configure the AP to operate only as a leaf node. Other MAPs cannot select this AP as a parent MAP.

Example:

Device# ap name ap-name mesh block-child

Use the no form of this command to change it to a regular AP.


The AP operates solely as a mesh leaf node and cannot be selected as a parent MAP.

Device> enable
Device# ap name ap1 mesh block-child

FlexConnect + bridge mode

A FlexConnect bridge mode is a wireless network configuration that

  • enables FlexConnect capabilities on mesh (bridge mode) APs,

  • allows mesh APs to inherit VLANs from the root AP, and

  • supports VLAN trunking and native VLAN ID configuration per AP.

FlexConnect + bridge mode enables FlexConnect capabilities on mesh (bridge mode) APs. Mesh APs inherit VLANs from the root AP to which they are connected.

Any EWC-capable AP in FlexConnect mode connected to a MAP should be in CAPWAP mode (AP-type CAPWAP).

You can enable or disable VLAN trunking and configure a native VLAN ID on each AP for any of these modes:

  • FlexConnect

  • FlexConnect + bridge (FlexConnect + mesh)

Backhaul client access

Backhaul client access is a wireless networking feature that

  • allows wireless clients to associate with mesh APs using the backhaul radio

  • supports both 2.4 GHz and 5 GHz backhaul radios, and

  • permits the backhaul radio to carry both client traffic and backhaul traffic simultaneously.

When backhaul client access is disabled, only backhaul traffic is sent over the backhaul radio, and client association is performed only over the access radio.


Note


Backhaul client access is disabled by default. After you enable backhaul client access, all MAPs except the subordinate AP and its child APs in a daisy-chained deployment reboot.


Configure backhaul client access (GUI)

Enable backhaul client access for mesh device profiles.

Procedure


Step 1

Choose Configuration > Wireless > Mesh > Profiles.

Step 2

Choose a profile.

Step 3

In the General tab, check the Backhaul Client Access check box.

Step 4

Click Update & Apply to Device.


The system updates the profile and enables backhaul client access for devices that use the selected mesh profile.

Configure backhaul client access (CLI)

Enable backhaul client access on a mesh profile. This allows client devices to connect to the APs through the mesh backhaul. The result is increased network flexibility and coverage.


Note


Backhaul client access is disabled by default. After you enable it, all MAPs reboot, except for the subordinate AP and its child APs in a daisy-chained deployment.


Complete these steps to enable backhaul client access on a mesh profile:

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Configure a mesh profile and enter mesh profile configuration mode.

Example:

Device(config)# wireless profile mesh profile-name

Step 3

Configure backhaul with client access AP.

Example:

Device(config-wireless-mesh-profile)# client-access

You have enabled backhaul client access on the selected mesh profile.

Device# configure terminal
Device(config)# wireless profile mesh profile-name
Device(config-wireless-mesh-profile)# client-access

Background scanning and MAP fast ancestor find mode

Cisco mesh access points (MAPs) perform the following functions:

  • Interconnect over wireless links in a tree topology,

  • Use Adaptive Wireless Path Protocol (AWPP) to create and maintain their topology, and

  • Support additional features: Background Scanning and MAP Fast Ancestor Finding.

When a MAP comes up, it tries to look for another MAP (parent) to join and reach the gateway through a RAP. The same happens when a MAP loses connectivity with its existing parent. This procedure is known as mesh tree convergence.

Background scanning and MAP Fast Ancestor Finding feature

The Background scanning feature:

  • Updates MAPs about neighboring channels and helps find new parents swiftly by scanning all available channels.

  • Minimizes the time spent during scan-and-seek phases when a MAP loses its current parent.

  • Does not speed up the authentication process to the new parent.

A child MAP maintains its uplink with its parent by using the AWPP adjacency request/response messages, which act as keepalive signals. If consecutive response messages are lost, the parent is considered lost, and the child MAP searches for a new parent. A MAP maintains a list of neighbors on the current ON channel. If the AP loses its current parent, it roams to the next best potential neighbor. If no other neighbors are found, the AP scans or seeks across all the channels or subset channels to find a parent. This process is time-consuming.

The MAP Fast Ancestor Finding feature enables a method to reduce the need for sending or receiving beacons during network formation, while starting or deploying a new mesh network.

Configure AP fast ancestor find mode (GUI)

Enable a child MAP to synchronize with any neighbor parent MAP across all channels.

Use the GUI to configure the MAP Fast Ancestor Find feature within a mesh profile.

Follow these steps to configure AP fast ancestor find mode through the GUI:

Procedure


Step 1

Choose Configuration > Wireless > Mesh > Profiles.

Step 2

Click Add.

The Add Mesh Profile page is displayed.

Step 3

In the Add Mesh Profile page, click the General tab.

Step 4

In the Name field, enter the mesh profile name.

Step 5

In the Description field, enter a description for the mesh profile.

Step 6

Check the MAP Fast Ancestor Find check box to enable a MAP (child) to synchronize with any neighbor MAP (parent) across all channels.

Step 7

Click Apply to Device to save the configuration.


The MAP Fast Ancestor Find feature is enabled for the specified mesh profile.

Configure background scanning and MAP fast ancestor find mode (Task)

Configure background scanning and MAP fast ancestor find mode using the CLI within a mesh profile for detailed configuration options.

Follow these steps to configure background scanning and MAP fast ancestor find mode through the CLI:

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Configure a mesh profile and enter mesh profile configuration mode.

Example:

Device(config)# wireless profile mesh default-mesh-profile

Step 3

Enable background scanning in mesh deployments.

Example:

Device(config-wireless-mesh-profile)# background-scanning

Note

 

In Cisco Catalyst 9124 Series Access Points, a dedicated RF ASIC radio is used for background scanning.

Step 4

Enable fast ancestor find mode.

Example:

Device(config-wireless-mesh-profile)# map-fast-ancestor-find

Background scanning and MAP fast ancestor find mode are enabled for the specified mesh profile.

Example

Device# configure terminal
Device(config)# wireless profile mesh default-mesh-profile
Device(config-wireless-mesh-profile)# background-scanning
Device(config-wireless-mesh-profile)# map-fast-ancestor-find

Configure dot11ax rates on mesh backhaul per AP (GUI)

This task enables you to configure specific dot11ax (Wi-Fi 6) rates for mesh backhaul connections on individual APs.

Procedure


Step 1

Choose Configuration > Wireless > Access Points.

The All Access Points section, which lists all the configured APs in the network, is displayed with their corresponding details.

Step 2

Select the mesh AP that has been configured.

The Edit AP page is displayed.

Step 3

Choose the Mesh tab.

Step 4

In the General section, under the Backhaul section, the default Backhaul Radio Type, Backhaul Slot ID, and Rate Types field details are displayed. Note that the values for Backhaul Radio Type and Backhaul Slot ID can be changed only for a root AP.

Step 5

From the Rate Types drop-down list, choose the backhaul rate type.

Based on the choice, enter the details for the corresponding fields that are displayed. The backhaul interface varies between auto and the 802.11a/b/g/n/ac/ax rates, depending on the AP. The Cisco Catalyst 9124AX Outdoor AP is the only AP that supports 11ax backhaul rates on the mesh backhaul.

Step 6

In the Backhaul MCS Index field, enter the Modulation Coding Scheme (MCS) rate that can be transmitted between the APs. The valid range is from 0 to 11, on both bands.

Step 7

In the Spatial Stream field, enter the number of spatial streams that are supported. The maximum number of spatial streams supported on a single radio in a 5 GHz radio band is 8, while 2.4 GHz radio band supports 4 spatial streams.

Step 8

Click Update and Apply to Device.


After you complete the steps, the selected mesh access point operates using the configured dot11ax rates for its backhaul link.

Configuring Dot11ax Rates on Mesh Backhaul in Mesh Profile (GUI)

Procedure


Step 1

Choose Configuration > Wireless > Mesh > Profiles.

Step 2

Click Add.

The Add Mesh Profile window is displayed.

Step 3

In the Add Mesh Profile window, click the General tab.

Step 4

In the Name field, enter the mesh profile name.

Step 5

Click the Advanced tab.

Step 6

In the 5 GHz Band Backhaul section and the 2.4 GHz Band Backhaul section, choose the dot11ax backhaul rate type from the Rate Types drop-down list.

Note

 

Cisco Catalyst 9124AXI/D Series outdoor Access Point is the only AP to support 11ax backhaul rates on the mesh backhaul.

Step 7

In the Dot11ax MCS index field, specify the MCS rate at which data can be transmitted between the APs. The value range is from 0 to 11, on both the radio bands.

Step 8

In the Spatial Stream field, enter a value. The maximum number of spatial streams supported on a single radio in a 5-GHz radio band is 8, while 2.4-GHz radio band supports 4 spatial streams.

Step 9

Click Update and Apply to Device.


Configure data rate per AP (CLI)

Configure data transmission rates for each AP on mesh backhaul for the 2.4 GHz and 5 GHz bands using the command-line interface.

Procedure


Step 1

Enter privileged EXEC mode.

Example:

Device> enable

Step 2

Configure the 802.11ax mesh backhaul rates for the 2.4 GHz and 5 GHz bands.

Example:

Device# ap name ap-name mesh backhaul rate dot11ax mcs <0-11> ss <1-8>

The AP uses the configured backhaul data rates for 2.4 GHz and 5 GHz bands.

Device> enable
Device# ap name ap-name mesh backhaul rate dot11ax mcs 5 ss 4

Configure data rate using mesh profile (CLI)

Set specific data rates for 2.4 GHz and 5 GHz backhaul communication in mesh profiles to optimize wireless mesh network performance.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Configure a mesh profile and enter mesh profile configuration mode.

Example:

Device(config)# wireless profile mesh profile-name

Step 3

Configure the backhaul transmission rate for the 2.4 GHz band and the 5 GHz band. For the 2.4 GHz band, set the 802.11ax spatial stream value from 1 to 4. For the 5 GHz band, set the spatial stream value from 1 to 8.

Example:

Device(config-wireless-mesh-profile)# backhaul rate dot11 {24ghz | 5ghz} dot11ax mcs <0-11> spatial-stream <1-8>

The mesh profile is updated with the configured data rate for the specified frequency band and spatial streams.

Device# configure terminal
Device(config)# wireless profile mesh profile-name
Device(config-wireless-mesh-profile)# backhaul rate dot11 5ghz dot11ax mcs 5 spatial-stream 6

Specify the backhaul slot for the root AP (GUI)

Configure the backhaul slot for a root access point to optimize wireless mesh connectivity and ensure reliable network communication.

Procedure


Step 1

Choose Configuration > Wireless > Mesh > Profiles.

Step 2

Click Add.

Step 3

In the General tab, enter the Name of the mesh profile.

Step 4

In the Advanced tab, select the rate types for 5 GHz Band Backhaul and 2.4 GHz Band Backhaul from the Rate Types drop-down list.

Step 5

Click Apply to Device.


The system updates the root access point with the specified backhaul slot settings. It uses the selected rate types for 5 GHz and 2.4 GHz band backhaul connections.

Specify the backhaul slot for the root AP (CLI)

Assign a specific radio slot (2.4 GHz or 5 GHz) to the mesh backhaul of your root access point to optimize wireless connectivity and network performance.

Procedure


Step 1

Enter privileged EXEC mode.

Example:

Device> enable

Step 2

Specify the mesh backhaul radio slot for your root AP.

Example:

Device# ap name ap-name mesh backhaul radio dot11 {24ghz | 5ghz} [slot slot-id]

Assign a radio slot (2.4 GHz or 5 GHz) to the mesh backhaul of your root access point to improve wireless connectivity and network performance.

Device> enable
Device# ap name rap1 mesh backhaul radio dot11 24ghz slot 2

Configure wireless backhaul data rate (CLI)

Configure the data transmission rate for wireless backhaul connections between APs using CLI commands to optimize wireless network performance, coverage, and spectrum use.

Use backhaul to create a wireless connection between APs. Depending on the AP, the backhaul interface can be 802.11bg, 802.11a, 802.11n, or 802.11ac. Selecting a rate lets you use the available RF spectrum effectively.

Data rates can also affect the RF coverage and network performance. Lower data rates, for example, 6 Mbps, can extend farther from the AP than higher data rates, for example, 1300 Mbps. As a result, the data rate affects cell coverage, and consequently, the number of APs required.


Note


Configure the backhaul data rate through the mesh profile where possible. Where a particular AP needs a specific data rate, use the per-AP command to configure the data rate for that AP.


Follow this procedure to configure wireless backhaul data rate in privileged EXEC mode or in mesh profile configuration mode.

Procedure


Step 1

Enter privileged EXEC mode.

Example:

Device> enable

Step 2

Configure backhaul transmission rate.

Example:

Device# ap name ap-name mesh backhaul rate {auto | dot11abg | dot11ac | dot11n} 

Step 3

Configure a mesh profile and enter mesh profile configuration mode.

Example:

Device(config)# wireless profile mesh profile-name

Step 4

Configure backhaul transmission rate.

Example:

Device(config-wireless-mesh-profile)# backhaul rate dot11 {24ghz | 5ghz} dot11n RATE_6M

Note

Ensure the rate you configure on the AP (step 2) matches the rate you configure on the mesh profile (step 4).


After you configure the wireless backhaul data rate, your APs will balance coverage area and performance for your deployment.

Device> enable
Device# ap name ap1 mesh backhaul rate auto   
Device(config)# wireless profile mesh mesh1
Device(config-wireless-mesh-profile)# backhaul rate dot11 5ghz dot11n mcs 31

Mesh call admission control

A mesh call admission control is a quality of service mechanism that

  • continuously monitors bandwidth available to mesh access points

  • regulates voice call admissions to maintain acceptable call quality, and

  • rejects calls when bandwidth or resource limits are reached.

Call Admission Control (CAC) enables a mesh AP to maintain controlled quality of service (QoS) on the controller. This management helps maintain voice quality on the mesh network. Bandwidth-based, or static, CAC enables the client to specify how much bandwidth or shared medium time is required to accept a new call. Each AP determines whether it can accommodate a call by checking the available bandwidth and comparing it to the bandwidth required for the call. If there is not enough bandwidth available to maintain the maximum allowed number of calls with acceptable quality, the mesh AP rejects the call.

Mesh CAC is not supported in these scenarios.

  • APs in a Mesh tree assigned with different site tags.

  • APs in a Mesh tree assigned with the default site tag.

Configure mesh CAC (CLI)

Enable mesh CAC to manage call admission and ensure quality over wireless mesh links.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Enable mesh CAC mode.

Example:

Device(config)# wireless mesh cac 

Mesh CAC is activated. Only the supported number of concurrent calls can occur over mesh links, which preserves call quality.

Mesh network recovery mechanisms

A mesh network recovery mechanism is a network self-healing feature that

  • rapidly detects uplink gateway reachability failures in mesh APs

  • automatically triggers alternate uplink selection to maintain connectivity, and

  • uses ICMP pings to default gateways to verify uplink status after failover events or controller disconnections.

In all 802.11ac Wave 2 APs, detecting uplink gateway failures quickly speeds up mesh network recovery. Mesh APs use ICMP ping to the default gateway, either IPv4 or IPv6, to check uplink gateway reachability.

How reachability checks for mesh APs work

A mesh AP triggers the reachability check in two scenarios:

  • After a new uplink is selected and before the mesh AP joins the controller

    After a new uplink is selected, the mesh AP has a 45-second window to reach the gateway (through static IP or DHCP) through the selected uplink. If the mesh AP does not reach the gateway within 45 seconds, the system blocks the current uplink and starts selecting a new uplink. If the AP joins the controller during this window, it stops the reachability check. The system does not perform gateway reachability checks during normal operations.

  • As soon as the mesh AP times out its connection with the controller

    When the mesh AP times out its connection with the controller and fails to reach the gateway within 5 seconds, the system marks the current uplink as blocked and starts the uplink selection process.

Fast teardown for a mesh deployment

A fast teardown is a mesh deployment feature that

  • enables rapid detection of root AP uplink failures

  • helps restore or reconfigure network service when the uplink is lost, and

  • applies to mesh deployments with unreliable uplinks, such as wireless microwave links.

Fast teardown for mesh APs is not supported on Cisco Industrial Wireless (IW) 3702 Access Points.

Enable wireless mesh profile (CLI)

Enable and configure a wireless mesh profile to support mesh networking functionality on your device.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Configure a mesh profile and enter mesh profile configuration mode.

Example:

Device(config)# wireless profile mesh profile-name

Step 3

Enable the fast teardown of mesh network and configure the parameters of the feature.

Example:

Device(config-wireless-mesh-profile)# fast-teardown

The wireless mesh profile is enabled and configured with the fast teardown feature.

Device# configure terminal
Device(config)# wireless profile mesh mesh1
Device(config-wireless-mesh-profile)# fast-teardown

Associate wireless mesh to an AP profile (CLI)

Associate a mesh profile with an AP profile to enable mesh capabilities on compatible APs through CLI configuration.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Configure the AP profile to enter AP profile configuration mode.

Example:

Device(config)# ap profile default-ap-profile

Step 3

In AP profile configuration mode, configure the mesh profile.

Example:

Device(config-ap-profile)# mesh-profile mesh-profile-name

The AP profile now uses the specified mesh profile. All APs using this profile inherit mesh configuration parameters.

Device# configure terminal
Device(config)# ap profile default-ap-profile
Device(config-ap-profile)# mesh-profile test1

Configure fast teardown for a mesh AP profile (GUI)

Use this procedure to configure mesh AP profiles for rapid detection of uplink failures and improve mesh network resiliency.

Procedure


Step 1

Choose Configuration > Wireless > Mesh > Profiles.

Step 2

Click Add.

Step 3

In the Add Mesh Profile window, click Advanced.

Step 4

Select a security mode, an authentication method, and an authorization method.

Step 5

Enable Ethernet bridging if it is required.

Step 6

Enter the bridge group name. Then enable Strict Match BGN.

Step 7

Select a band backhaul transmission rate for your radio.

Step 8

Perform these actions in the Fast Roaming section:

  • Check the Fast Teardown check box to detect the root AP uplink failure faster in a mesh deployment and to address fast teardown of the mesh network when an uplink failure occurs.

  • In the Number of Retries field, enter the number of retries allowed until the gateway is considered unreachable. The valid range is from 1 to 10.

  • In the Interval value field, enter the retry value. The valid range is from 1 to 10 seconds.

  • In the Latency Threshold field, enter the threshold for the round-trip latency between the AP and the controller. The valid range is from 1 to 500 milliseconds.

  • In the Latency Exceeded Threshold field, enter the latency interval in which at least one ping must succeed in less than the specified time. The valid range is from 1 to 30 seconds.

  • In the Uplink Recovery Interval field, enter the time during which the root AP uplink must be stable in order to accept child connections. The valid range is from 1 to 3600 seconds.

Step 9

Click Apply to Device.


Your mesh AP profile now supports fast teardown. This configuration enables the system to detect uplink failures more quickly, helping your devices recover rapidly.

Configure fast teardown for a mesh AP profile (CLI)

Enable and configure fast teardown for a mesh AP profile to reduce network restoration time and increase network reliability.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Configure a mesh profile and enter the mesh profile configuration mode.

Example:

Device(config)# wireless profile mesh profile-name

Step 3

Enable the fast teardown of the mesh network and configure the feature's parameters.

Example:

Device(config-wireless-mesh-profile)# fast-teardown

Step 4

Enable the fast teardown feature.

Example:

Device(config-wireless-mesh-profile-fast-teardown)# enabled

Step 5

(Optional) Configure the retry interval.

Example:

Device(config-wireless-mesh-profile-fast-teardown)# interval duration

The valid range is from 1 to 10 seconds.

Step 6

(Optional) Set the latency interval so that at least one ping succeeds within your chosen threshold time.

Example:

Device(config-wireless-mesh-profile-fast-teardown)# latency-exceeded-threshold duration

The valid range is from 1 to 30 seconds.

Step 7

(Optional) Specify the latency threshold.

Example:

Device(config-wireless-mesh-profile-fast-teardown)# latency-threshold threshold-range

The valid range is from 1 to 500 milliseconds.

Step 8

(Optional) Specify the number of retries until the gateway is considered unreachable.

Example:

Device(config-wireless-mesh-profile-fast-teardown)# retries retry-limit

The valid range is from 1 to 10.

Step 9

(Optional) Specify the time during which root access point uplink has to be stable to accept child connections.

Example:

Device(config-wireless-mesh-profile-fast-teardown)# uplink-recovery-intervals recovery interval

The valid range is from 1 to 3600 seconds.

You have configured the mesh AP profile with fast teardown enabled and applied custom parameters. This configuration improves your network's responsiveness to disruptions.

Device# configure terminal
Device(config)# wireless profile mesh mesh1
Device(config-wireless-mesh-profile)# fast-teardown
Device(config-wireless-mesh-profile-fast-teardown)# enabled
Device(config-wireless-mesh-profile-fast-teardown)# interval 5
Device(config-wireless-mesh-profile-fast-teardown)# latency-exceeded-threshold 20
Device(config-wireless-mesh-profile-fast-teardown)# latency-threshold 20
Device(config-wireless-mesh-profile-fast-teardown)# retries 1
Device(config-wireless-mesh-profile-fast-teardown)# uplink-recovery-intervals 1

Verify fast teardown with default mesh profile

To verify the fast teardown with the default mesh profile, use this command:

Device# show wireless profile mesh detailed default-mesh-profile
Mesh Profile Name            default-mesh-profile
--------------------------------------------------
Fast Teardown                        : ENABLED
Number of Retries                    : 4
Interval in sec                      : 1
Latency Threshold in msec            : 10
Latency Exceeded Threshold in sec    : 8
Uplink Recovery Interval in sec      : 60
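
The following added example (not Cisco code) parses captured `show wireless profile mesh detailed` output and checks the fast teardown values against the valid ranges documented on this page. The function names, the optional operator baseline, and the expectation that fast teardown should be enabled are assumptions of the example.

```python
import re

# Valid ranges for the fast teardown parameters, as documented on this page.
FAST_TEARDOWN_RANGES = {
    "Number of Retries": (1, 10),
    "Interval in sec": (1, 10),
    "Latency Threshold in msec": (1, 500),
    "Latency Exceeded Threshold in sec": (1, 30),
    "Uplink Recovery Interval in sec": (1, 3600),
}

# Output copied from the verification example on this page.
PAGE_OUTPUT = """\
Device# show wireless profile mesh detailed default-mesh-profile
Mesh Profile Name            default-mesh-profile
--------------------------------------------------
Fast Teardown                        : ENABLED
Number of Retries                    : 4
Interval in sec                      : 1
Latency Threshold in msec            : 10
Latency Exceeded Threshold in sec    : 8
Uplink Recovery Interval in sec      : 60
"""

# Constructed sample: the same capture with fast teardown turned off and a
# retry count outside the documented range (for example, a damaged template).
DRIFTED_OUTPUT = re.sub(
    r"(Number of Retries\s*: )4", r"\g<1>40",
    PAGE_OUTPUT.replace(": ENABLED", ": DISABLED"),
)


def parse_profile(text):
    """Return (profile_name, fields) parsed from the show command output."""
    name, fields = None, {}
    for line in text.splitlines():
        # The profile name line appears both with and without a colon.
        m = re.match(r"\s*Mesh Profile Name\s*:?\s*(\S+)\s*$", line)
        if m:
            name = m.group(1)
            continue
        label, sep, value = line.partition(":")
        if sep:  # prompt and separator lines carry no colon and are skipped
            fields[label.strip()] = value.strip()
    return name, fields


def audit_fast_teardown(fields, baseline=None, require_enabled=True):
    """Return a list of findings; an empty list means the capture is clean.

    baseline is an optional, operator-supplied dict of expected values
    (an assumption of this example, not a Cisco feature).
    """
    findings = []
    state = fields.get("Fast Teardown")
    if require_enabled and state != "ENABLED":
        findings.append(f"Fast Teardown is {state or 'missing'}, expected ENABLED")
    for label, (low, high) in FAST_TEARDOWN_RANGES.items():
        raw = fields.get(label)
        if raw is None:
            findings.append(f"{label}: missing from output")
        elif not raw.isdigit():
            findings.append(f"{label}: non-numeric value {raw!r}")
        elif not low <= int(raw) <= high:
            findings.append(f"{label}: {raw} outside documented range {low}-{high}")
    for label, expected in (baseline or {}).items():
        found = fields.get(label)
        if found != str(expected):
            findings.append(f"{label}: drift, expected {expected}, found {found}")
    return findings


if __name__ == "__main__":
    for title, text in (("page output", PAGE_OUTPUT), ("drifted", DRIFTED_OUTPUT)):
        profile, parsed = parse_profile(text)
        print(title, profile, audit_fast_teardown(parsed) or "OK")
```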

Configure subset channel synchronization

Enable synchronization of mesh subset channels to ensure efficient convergence of RAPs and MAPs.

The controller sends all channels used by RAPs to MAPs for future seeking and convergence. The controller keeps a list of subset channels for each Bridge Group Name (BGN) and shares this list across all controllers in a mobility group.

The subset channel list includes channels where RAPs within a Bridge Group Name (BGN) operate. This list is distributed to all mesh access points (MAPs) within controllers and across controllers. Maintaining a subset channel list helps Mesh APs converge faster. You can select the convergence method in the mesh profile. The system sends the subset channel list to MAPs if the convergence method is non-standard.

Follow these steps to configure subset channel synchronization for a mobility group.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Configure subset channel synchronization for a mobility group.

Example:

Device(config)# wireless mesh subset-channel-sync mac

The mobility group synchronizes subset channels, which enables mesh APs to converge faster.

Device# configure terminal
Device(config)# wireless mesh subset-channel-sync mac

Select a preferred parent (GUI)

Direct a mesh-capable AP to use a designated parent for uplink within the wireless topology.

Procedure


Step 1

Choose Configuration > Wireless > Access Points.

Step 2

Click the AP.

Step 3

In the Mesh tab, enter the Preferred Parent MAC.

Step 4

Click Update & Apply to Device.


The AP uses the specified preferred parent MAC address for uplink, optimizing connectivity in the mesh network.

Select a preferred parent (CLI)

To configure a preferred parent for a MAP, complete these steps.

You can override the AWPP-defined parent selection and assign a specific preferred parent to a mesh AP using this mechanism.

Procedure


Step 1

Enter privileged EXEC mode.

Example:

Device> enable

Step 2

Configure mesh parameters for the AP and set the mesh-preferred parent MAC address.

Example:

Device# ap name ap-name mesh parent preferred mac-address

Note

Ensure that you use the radio MAC address of the preferred parent.

For Cisco Wave 1 APs, specify the MAC address of the actual mesh neighbor as the preferred parent. Use the base radio MAC address that ends with the letter "f". For example, if the base radio MAC address is 00:24:13:0f:92:00, then you must specify 00:24:13:0f:92:0f as the preferred parent.

Device# ap name ap1 mesh parent preferred 00:24:13:0f:92:0f

For Cisco Wave 2 APs, specify the MAC address for the preferred parent by adding "0x11" to the last two characters of the base radio MAC address. For example, if the base radio MAC address is 00:24:13:0f:92:00, then you must specify 00:24:13:0f:92:11 as the preferred parent.

Device# ap name ap1 mesh parent preferred 00:24:13:0f:92:11


The mesh AP is configured to use the specified MAC address as its preferred parent.

Device> enable
Device# ap name ap1 mesh parent preferred 00:0d:ed:dd:25:8F
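
The Wave 1 and Wave 2 address rules from the note above, as an added example that is not part of the Cisco documentation. It assumes the Wave 1 rule means setting the last hex digit of the base radio MAC to f (which matches the page's example), rejects a Wave 2 result that would overflow the last octet because the page does not cover that case, and uses a conservative AP-name character set; all function names are hypothetical.

```python
import re


def _octets(mac):
    """Parse 00:24:13:0f:92:00, 00-24-13-0f-92-00 or 0024.130f.9200 into six ints."""
    digits = re.sub(r"[.:\-]", "", mac.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return [int(digits[i:i + 2], 16) for i in range(0, 12, 2)]


def preferred_parent_mac(base_radio_mac, generation):
    """Derive the preferred-parent MAC from a parent's base radio MAC.

    generation is "wave1" or "wave2" (labels chosen for this example).
    """
    octets = _octets(base_radio_mac)
    if generation == "wave1":
        # Page rule: use the base radio MAC that ends with the letter "f".
        octets[5] |= 0x0F
    elif generation == "wave2":
        # Page rule: add 0x11 to the last two characters of the base radio MAC.
        if octets[5] + 0x11 > 0xFF:
            # Assumption: the page gives no carry rule, so refuse to guess.
            raise ValueError("adding 0x11 overflows the last octet")
        octets[5] += 0x11
    else:
        raise ValueError(f"unknown AP generation: {generation!r}")
    return ":".join(f"{o:02x}" for o in octets)


def preferred_parent_command(ap_name, base_radio_mac, generation):
    """Build the privileged EXEC command shown in Step 2."""
    # Assumption: restrict AP names to a conservative character set so that
    # nothing other than a name can end up inside the generated command line.
    if not re.fullmatch(r"[A-Za-z0-9_.\-]+", ap_name):
        raise ValueError(f"unexpected characters in AP name: {ap_name!r}")
    mac = preferred_parent_mac(base_radio_mac, generation)
    return f"ap name {ap_name} mesh parent preferred {mac}"


if __name__ == "__main__":
    base = "00:24:13:0f:92:00"  # base radio MAC used in the page's examples
    print(preferred_parent_command("ap1", base, "wave1"))
    print(preferred_parent_command("ap1", base, "wave2"))
```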

Change the role of an AP (GUI)

Change the operational role of an AP to support different network topologies.

Procedure


Step 1

Choose Configuration > Wireless > Access Points.

Step 2

Click the Access Point.

Step 3

In the Mesh tab, choose Root or Mesh from the Role drop-down list.

Step 4

Click Update & Apply to Device.


The AP automatically restarts to apply the new role configuration.

Change the role of an AP (CLI)

Change your Cisco access point (AP) role between mesh AP (MAP) and root AP (RAP) using command-line interface (CLI) commands.

To change the AP from MAP to RAP or the reverse, follow this procedure. By default, your AP joins the controller in the mesh AP role.

Procedure


Step 1

Enter privileged EXEC mode.

Example:

Device> enable

Step 2

Change the role of the Cisco bridge mode AP. The AP reboots after the role change.

Example:

Device# ap name ap-name role {mesh-ap | root-ap}

The specified AP reboots and operates in its new role. After rebooting, it connects and functions in your wireless mesh network.

Device> enable
Device# ap name ap1 role root-ap

Configure battery state for mesh AP (GUI)

Configure the battery state on a mesh AP using the web interface.

Procedure


Step 1

Choose Configuration > Wireless > Mesh > Profiles.

Step 2

Select a profile.

Step 3

On the General tab, check the Battery State for an AP check box.

Step 4

Click Update & Apply to Device.


After you configure the profile, the profile displays the battery state for the selected mesh AP.

Configure battery state for mesh AP (CLI)

Some outdoor APs come with the option of battery backup. The AP also includes a POE-out port that powers a video surveillance camera. The integrated battery provides temporary backup power during external power interruptions.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Configure a mesh profile, and enter mesh profile configuration mode.

Example:

Device(config)# wireless profile mesh profile-name

Step 3

Configure the battery state for an AP.

Example:

Device(config-wireless-mesh-profile)# battery-state

You have configured the battery state for the mesh AP, so backup power is now available when required.

Device# configure terminal
Device(config)# wireless profile mesh mesh-profile-name
Device(config-wireless-mesh-profile)# battery-state

Verifying Mesh Configuration in Embedded Wireless Controller

Verify mesh configuration

Use these show commands to verify the various aspects of mesh configuration:

  • show wireless mesh stats ap-name

  • show wireless mesh security-stats {all | ap-name}

  • show wireless mesh queue-stats {all | ap-name}

  • show wireless mesh per-stats summary {all | ap-name}

  • show wireless mesh neighbor summary {all | ap-name}

  • show wireless mesh neighbor detail ap-name

  • show wireless mesh ap summary

  • show wireless mesh ap tree

  • show wireless mesh ap backhaul

  • show wireless mesh config

  • show wireless mesh convergence detail bridge-group-name

  • show wireless mesh convergence subset-channels

  • show wireless mesh neighbor

  • show wireless profile mesh detailed mesh-profile-name

  • show wireless stats mesh security

  • show wireless stats mesh queue

  • show wireless stats mesh packet error

  • show ap name ap-name mesh backhaul

  • show ap name ap-name mesh neighbor detail

  • show ap name ap-name mesh path

  • show ap name ap-name mesh stats packet error

  • show ap name ap-name mesh stats queue

  • show ap name ap-name mesh stats security

  • show ap name ap-name mesh stats

  • show ap name ap-name mesh bhrate

  • show ap name ap-name config ethernet

  • show ap name ap-name cablemodem

  • show ap name ap-name environment

  • show ap name ap-name gps location

  • show ap name ap-name mesh linktest data dest-mac

  • show ap environment

  • show ap gps location

For details about these commands, see the Cisco Catalyst 9800 Series Wireless Controller Command Reference document.

MAC authorization

Use this show command to verify the MAC authorization configuration:

Device# show run aaa
aaa authentication dot1x CENTRAL_LOCAL local
aaa authorization credential-download CENTRAL_AUTHOR local 
username 002cc8de4f31 mac
username 00425a0a53b1 mac

ewlc_eft#sh wireless profile mesh detailed madhu-mesh-profile 

Mesh Profile Name             : abc-mesh-profile
-------------------------------------------------
Description                   : 
Bridge Group Name             : bgn-abbc
Strict match BGN              : ENABLED
Amsdu                         : ENABLED
...
Battery State                 : ENABLED
Authorization Method          : CENTRAL_AUTHOR
Authentication Method         : CENTRAL_LOCAL
Backhaul tx rate(802.11bg)    : auto
Backhaul tx rate(802.11a)     : 802.11n mcs15

PSK provisioning

Use this show command to verify PSK provisioning configuration:

Device# show wireless mesh config
Mesh Config 
  Backhaul RRM                                  : ENABLED
  Mesh CAC                                      : DISABLED
  Outdoor Ext. UNII B Domain channels(for BH)   : ENABLED
  Mesh Ethernet Bridging STP BPDU Allowed       : ENABLED
  Rap Channel Sync                              : ENABLED

Mesh Alarm Criteria
  Max Hop Count                                 :  4
  Recommended Max Children for MAP              : 10
  Recommended Max Children for RAP              : 20
  Low Link SNR                                  : 12
  High Link SNR                                 : 60
  Max Association Number                        : 10
  Parent Change Number                          :  3

Mesh PSK Config
  PSK Provisioning                              : ENABLED
  Default PSK                                   : ENABLED
  PSK In-use key number                         : 1
  Provisioned PSKs(Maximum 5)

  Index    Description 
  ------   ------------ 
  1         key1 

Bridge group name

Use this show command to verify the bridge group name configuration:

Device# show wireless profile mesh detailed abc-mesh-profile
Mesh Profile Name             : abc-mesh-profile
-------------------------------------------------
Description                   : 
Bridge Group Name             : bgn-abc
Strict match BGN              : ENABLED
Amsdu                         : ENABLED
Background Scan               : ENABLED
Channel Change Notification   : DISABLED
Backhaul client access        : ENABLED
Ethernet Bridging             : ENABLED
Ethernet Vlan Transparent     : DISABLED
Full Sector DFS               : ENABLED
IDS                           : ENABLED
Multicast Mode                : In-Out
Range in feet                 : 12000
Security Mode                 : EAP
Convergence Method            : Fast
LSC only Authentication       : DISABLED
Battery State                 : ENABLED
Authorization Method          : CENTRAL_AUTHOR
Authentication Method         : CENTRAL_LOCAL
Backhaul tx rate(802.11bg)    : auto
Backhaul tx rate(802.11a)     : 802.11n mcs15

Backhaul client access

Use this show command to verify the backhaul client access configuration:

Device# show wireless profile mesh detailed abc-mesh-profile
Mesh Profile Name             : abc-mesh-profile
-------------------------------------------------
Description                   : 
Bridge Group Name             : bgn-abc
Strict match BGN              : ENABLED
Amsdu                         : ENABLED
Background Scan               : ENABLED
Channel Change Notification   : DISABLED
Backhaul client access        : ENABLED
Ethernet Bridging             : ENABLED
Ethernet Vlan Transparent     : DISABLED
...
Backhaul tx rate(802.11bg)    : auto
Backhaul tx rate(802.11a)     : 802.11n mcs15

Wireless backhaul data rate

Use this show command to verify the wireless backhaul data rate configuration:

Device# show wireless profile mesh detailed abc-mesh-profile
Mesh Profile Name             : abc-mesh-profile
-------------------------------------------------
Description                   : 
Bridge Group Name             : bgn-abc
Strict match BGN              : ENABLED
...
Authorization Method          : CENTRAL_AUTHOR
Authentication Method         : CENTRAL_LOCAL
Backhaul tx rate(802.11bg)    : auto
Backhaul tx rate(802.11a)     : 802.11n mcs15 

Dynamic frequency selection

Use this show command to verify the dynamic frequency selection configuration:

Device# show wireless profile mesh detailed abc-mesh-profile
Mesh Profile Name             : abc-mesh-profile
-------------------------------------------------
Description                   : 
Bridge Group Name             : bgn-abc
Strict match BGN              : ENABLED
Amsdu                         : ENABLED
Background Scan               : ENABLED
Channel Change Notification   : DISABLED
Backhaul client access        : ENABLED
Ethernet Bridging             : ENABLED
Ethernet Vlan Transparent     : DISABLED
Full Sector DFS               : ENABLED
...
Backhaul tx rate(802.11a)     : 802.11n mcs15 

Intrusion detection system

Use this show command to verify the intrusion detection system (IDS) configuration:

Device# show wireless profile mesh detailed abc-mesh-profile
Mesh Profile Name             : abc-mesh-profile
-------------------------------------------------
Description                   : 
Bridge Group Name             : bgn-abc
Strict match BGN              : ENABLED
Amsdu                         : ENABLED
Background Scan               : ENABLED
Channel Change Notification   : DISABLED
Backhaul client access        : ENABLED
Ethernet Bridging             : ENABLED
Ethernet Vlan Transparent     : DISABLED
Full Sector DFS               : ENABLED
IDS                           : ENABLED
Multicast Mode                : In-Out
...
Backhaul tx rate(802.11a)     : 802.11n mcs15 

Ethernet bridging

Use this show command to verify the Ethernet bridging configuration:

Device# show wireless profile mesh detailed abc-mesh-profile
Mesh Profile Name             : abc-mesh-profile
-------------------------------------------------
Description                   : 
Bridge Group Name             : bgn-abc
Strict match BGN              : ENABLED
Amsdu                         : ENABLED
Background Scan               : ENABLED
Channel Change Notification   : DISABLED
Backhaul client access        : ENABLED
Ethernet Bridging             : ENABLED
Ethernet Vlan Transparent     : DISABLED
Full Sector DFS               : ENABLED
IDS                           : ENABLED
Multicast Mode                : In-Out
...
Backhaul tx rate(802.11a)     : 802.11n mcs15 

Multicast over mesh

Use this show command to verify the multicast over mesh configuration:

Device# show wireless profile mesh detailed abc-mesh-profile
Mesh Profile Name             : abc-mesh-profile
-------------------------------------------------
Description                   : 
Bridge Group Name             : bgn-abc
Strict match BGN              : ENABLED
Amsdu                         : ENABLED
Background Scan               : ENABLED
Channel Change Notification   : DISABLED
Backhaul client access        : ENABLED
Ethernet Bridging             : ENABLED
Ethernet Vlan Transparent     : DISABLED
Full Sector DFS               : ENABLED
IDS                           : ENABLED
Multicast Mode                : In-Out
...
Backhaul tx rate(802.11a)     : 802.11n mcs15 

RRM on mesh backhaul

Use this show command to verify the RRM on mesh backhaul configuration:

Device# show wireless mesh config
Mesh Config 
  Backhaul RRM                                  : ENABLED
  Mesh CAC                                      : DISABLED
  Outdoor Ext. UNII B Domain channels(for BH)   : ENABLED
  Mesh Ethernet Bridging STP BPDU Allowed       : ENABLED
  Rap Channel Sync                              : ENABLED

Mesh Alarm Criteria
  Max Hop Count                                 :  4
  Recommended Max Children for MAP              : 10
  Recommended Max Children for RAP              : 20
  Low Link SNR                                  : 12
  High Link SNR                                 : 60
  Max Association Number                        : 10
  Parent Change Number                          :  3

Mesh PSK Config
  PSK Provisioning                              : ENABLED
  Default PSK                                   : ENABLED
  PSK In-use key number                         : 1
  Provisioned PSKs(Maximum 5)

  Index    Description 
  ------   ------------ 
  1         key1  

Preferred parent selection

Use this show command to verify preferred parent configuration:

Device# show wireless mesh ap tree
========================================================================
AP Name [Hop Ctr,Link SNR,BG Name,Channel,Pref Parent,Chan Util,Clients]
========================================================================

[Sector 1]
-----------
1542-RAP [0, 0, bgn-madhu, (165), 0000.0000.0000, 1%, 0]
   |-MAP-2700 [1, 67, bgn-madhu, (165), 7070.8b7a.6fb8, 0%, 0]

Number of Bridge APs : 2
Number of RAPs : 1
Number of MAPs : 1

(*)  Wait for 3 minutes to update or Ethernet Connected Mesh AP.
(**) Not in this Controller

AP role change

Use this show command to verify AP role change configuration:

Device# show wireless mesh ap summary
AP Name                          AP Model BVI MAC        BGN        AP Role
-------                          -------- -------        ---        -------
1542-RAP                         1542D    002c.c8de.1338 bgn-abc  Root AP
MAP-2700                         2702I    500f.8095.01e4 bgn-abc  Mesh AP

Number of Bridge APs         :   2
Number of RAPs               :   1
Number of MAPs               :   1
Number of Flex+Bridge APs    :   0
Number of Flex+Bridge RAPs   :   0
Number of Flex+Bridge MAPs   :   0

Mesh leaf node

Use this show command to verify mesh leaf node configuration:

Device# show ap name MAP-2700 config general
Cisco AP Name   : MAP-2700
=================================================

Cisco AP Identifier                             : 7070.8bbc.d3e0
Country Code                                    : Multiple Countries : IN,US,IO,J4
Regulatory Domain Allowed by Country            : 802.11bg:-AEJPQU   802.11a:-ABDJNPQU
AP Country Code                                 : IN  - India
AP Regulatory Domain
  Slot 0                                        : -A
  Slot 1                                        : -D
MAC Address                                     : 500f.8095.01e4
...
AP Mode                                         : Bridge
Mesh profile name                               : abc-mesh-profile
AP Role                                         : Mesh AP
Backhaul radio type                             : 802.11a
Backhaul slot id                                : 1
Backhaul tx rate                                : auto
Ethernet Bridging                               : Enabled
Daisy Chaining                                  : Disabled
Strict Daisy Rap                                : Disabled
Bridge Group Name                               : bgn-abc
Strict-Matching BGN                             : Enabled
Preferred Parent Address                        : 7070.8b7a.6fb8
Block child state                               : Disabled
PSK Key Timestamp                               : Not Configured
...
FIPS status                                     : Disabled
WLANCC status                                   : Disabled
GAS rate limit Admin status                     : Disabled
WPA3 Capability                                 : Disabled
EWC-AP Capability                                : Disabled
AWIPS Capability                                : Disabled
Proxy Hostname                                  : Not Configured
Proxy Port                                      : Not Configured
Proxy NO_PROXY list                             : Not Configured
GRPC server status                              : Disabled

Subset channel synchronization

Use this show command to verify the subset channel synchronization configuration:

Device# show wireless mesh config
Mesh Config 
  Backhaul RRM                                  : ENABLED
  Mesh CAC                                      : DISABLED
  Outdoor Ext. UNII B Domain channels(for BH)   : ENABLED
  Mesh Ethernet Bridging STP BPDU Allowed       : ENABLED
  Rap Channel Sync                              : ENABLED

Mesh Alarm Criteria
  Max Hop Count                                 :  4
  Recommended Max Children for MAP              : 10
  Recommended Max Children for RAP              : 20
  Low Link SNR                                  : 12
  High Link SNR                                 : 60
  Max Association Number                        : 10
  Parent Change Number                          :  3

Mesh PSK Config
  PSK Provisioning                              : ENABLED
  Default PSK                                   : ENABLED
  PSK In-use key number                         : 1
  Provisioned PSKs(Maximum 5)

  Index    Description 
  ------   ------------ 
  1         key1  

Provisioning LSC for bridge-mode and mesh APs

Use this show command to verify the LSC provisioning configuration for bridge-mode and mesh APs:

Device# show wireless profile mesh detailed default-mesh-profile
Mesh Profile Name             : default-mesh-profile
-------------------------------------------------
Description                   : default mesh profile
Bridge Group Name             : bgn-abc
Strict match BGN              : DISABLED
Amsdu                         : ENABLED
Background Scan               : ENABLED
Channel Change Notification   : ENABLED
Backhaul client access        : ENABLED
Ethernet Bridging             : DISABLED
Ethernet Vlan Transparent     : ENABLED
Full Sector DFS               : ENABLED
IDS                           : DISABLED
Multicast Mode                : In-Out
Range in feet                 : 12000
Security Mode                 : EAP
Convergence Method            : Fast
LSC only Authentication       : DISABLED
Battery State                 : ENABLED
Authorization Method          : default
Authentication Method         : default
Backhaul tx rate(802.11bg)    : auto
Backhaul tx rate(802.11a)     : auto
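
One way to turn the two verification outputs above (show wireless mesh config and show wireless profile mesh detailed) into a repeatable check, as an added example that is not part of the original guide: the script parses the "Field : value" lines and reports fields that differ from a baseline. The baseline values, the function names, and the trimmed sample text are assumptions made for this example.

```python
import re

# Constructed samples: lines taken from the two outputs above, trimmed to a few fields.
MESH_CONFIG = """\
Mesh PSK Config
  PSK Provisioning                              : ENABLED
  Default PSK                                   : ENABLED
  PSK In-use key number                         : 1
"""
MESH_PROFILE = """\
Mesh Profile Name             : default-mesh-profile
-------------------------------------------------
Strict match BGN              : DISABLED
Security Mode                 : EAP
LSC only Authentication       : DISABLED
"""

# Assumed baseline: an example site policy, not a Cisco recommendation.
BASELINE = {
    "PSK Provisioning": "ENABLED",
    "Default PSK": "DISABLED",
    "Strict match BGN": "ENABLED",
    "Security Mode": "EAP",
    "LSC only Authentication": "ENABLED",
}
FIELD = re.compile(r"^\s*(\S.*?)\s+:\s*(.*?)\s*$")

def parse_show(text):
    """Map 'Field   : value' lines to a dict; headings and rulers are skipped."""
    matches = (FIELD.match(line) for line in text.splitlines())
    return {m.group(1): m.group(2) for m in matches if m}

def audit(*outputs, baseline=BASELINE):
    """Return (field, actual, expected) for baseline fields that differ or are missing."""
    fields = {}
    for text in outputs:
        fields.update(parse_show(text))
    findings = []
    for name, expected in baseline.items():
        actual = fields.get(name)  # None when the field is absent from the output
        if actual is None or actual.upper() != expected.upper():
            findings.append((name, actual, expected))
    return findings

if __name__ == "__main__":
    for name, actual, expected in audit(MESH_CONFIG, MESH_PROFILE):
        print(f"{name}: found {actual!r}, baseline expects {expected!r}")
```

A field missing from the captured output is reported with an actual value of None, so a truncated capture is not mistaken for a compliant one.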

Specify backhaul slot for root AP

Use this show command to verify the backhaul slot configured for the root AP:

Device# show ap name 1542-RAP mesh backhaul
MAC Address : 380e.4d85.5e60 
  Current Backhaul Slot: 1 
  Radio Type: 0 
  Radio Subband: All 
  Mesh Radio Role: DOWNLINK 
  Administrative State: Enabled 
  Operation State: Up 
  Current Tx Power Level:  
  Current Channel: (165) 
  Antenna Type: N/A 
  Internal Antenna Gain (in .5 dBm units): 18

Use a link test on mesh backhaul

Use this show command to verify the link test on the mesh backhaul:

Device# show ap name 1542-RAP mesh linktest data 7070.8bbc.d3ef        
380e.4d85.5e60 ==> 7070.8bbc.d3ef

Started at : 05/11/2020 20:56:28
Status: In progress

Configuration:
==============
Data rate:  Mbps
Packets per sec: : 234
Packet Size: : 1200
Duration: : 200

Mesh CAC

Use this show command to verify mesh CAC configuration:

Device# show wireless mesh config
Mesh Config 
  Backhaul RRM                                  : ENABLED
  Mesh CAC                                      : DISABLED
  Outdoor Ext. UNII B Domain channels(for BH)   : ENABLED
  Mesh Ethernet Bridging STP BPDU Allowed       : ENABLED
  Rap Channel Sync                              : ENABLED

Mesh Alarm Criteria
  Max Hop Count                                 :  4
  Recommended Max Children for MAP              : 10
  Recommended Max Children for RAP              : 20
  Low Link SNR                                  : 12
  High Link SNR                                 : 60
  Max Association Number                        : 10
  Parent Change Number                          :  3

Mesh PSK Config
  PSK Provisioning                              : ENABLED
  Default PSK                                   : ENABLED
  PSK In-use key number                         : 1
  Provisioned PSKs(Maximum 5)

  Index    Description 
  ------   ------------ 
  1         key1  

Verify mesh convergence

This example shows the output from the show wireless profile mesh detailed command, which displays the mesh convergence method.

Device# show wireless profile mesh detailed default-mesh-profile
 
Mesh Profile Name             : default-mesh-profile
-------------------------------------------------
Description                : default mesh profile
Convergence Method         : Fast

This example shows the output from the show wireless mesh convergence subset-channels command, which displays the subset channels for the selected bridge group name.

Device# show wireless mesh convergence subset-channels 

Bridge group name                Channel
------------------------------------------
Default                          132  

Verify mesh backhaul

Use the show ap name mesh backhaul command to view details of the mesh backhaul at 2.4 GHz.

Device# show ap name test-ap mesh backhaul   

MAC Address : xxxx.xxxx.xxxx
Current Backhaul Slot: 0
Radio Type: 0
Radio Subband: All
Mesh Radio Role: DOWNLINK
Administrative State: Enabled
Operation State: Up
Current Tx Power Level:
Current Channel: (11)
Antenna Type: N/A
Internal Antenna Gain (in .5 dBm units): 0

Use the show wireless mesh ap backhaul command to view the mesh backhaul details.

Device# show wireless mesh ap backhaul

MAC Address : xxxx.xxxx.0x11
Current Backhaul Slot: 1
Radio Type: Main
Radio Subband: All
Mesh Radio Role: Downlink
Administrative State: Enabled
Operation State: Up
Current Tx Power Level: 6
Current Channel: (100)*
Antenna Type: N/A
Internal Antenna Gain (in .5 dBm units): 10

Use the show ap summary command to view the radio MAC address and the corresponding AP name.

Device# show ap summary
Number of APs: 1
AP Name     Slots  AP Model          Ethernet MAC    Radio MAC       Location          Country  IP Address    State
------------------------------------------------------------------------------------------------------------------------
AP-Cisco-1  2      AIR-APXXXXX-E-K9  xxxx.xxxx.xxd4  xxxx.xxxx.0x11  default location  DE       10.11.70.170  Registered

Verify mesh Ethernet daisy chaining

Use the show ap config general command to find out if a Persistent SSID is configured for an AP.

Device# show ap name 3702-RAP config general

Persistent SSID Broadcast                  Enabled/Disabled

Use the show wireless mesh persistent-ssid-broadcast summary command to view the Persistent SSID broadcast status for all bridge root APs.

Device# show wireless mesh persistent-ssid-broadcast summary
 
AP Name     AP Model  BVI MAC         BGN      AP Role  Persistent SSID state
-------     --------  -------         ---      -------  ---------------------
3702-RAP    3702      5c71.0d07.db50  ap_name  Root AP  Enabled
1560-RAP    1562E     380e.4dbf.c6b0  ap_name  Root AP  Disabled

Verify dot11ax rates on mesh backhaul

To verify the 802.11ax rates on mesh backhaul in the mesh profile, use this command:

Device# show wireless profile mesh detailed default-mesh-profile
Mesh Profile Name             : default-mesh-profile
-------------------------------------------------
Description                   : default mesh profile
.
.
Backhaul tx rate(802.11bg)    : 802.11ax mcs7 ss1 
Backhaul tx rate(802.11a)     : 802.11ax mcs9 ss2

To verify the 802.11ax rates on mesh backhaul in the general configuration of an AP, use this command:

Device# show ap config general
Cisco AP Identifier            : 5c71.0d17.49e0
.
.
Backhaul slot id               : 1
Backhaul tx rate               : 802.11ax mcs7 ss1

Verify background scanning and MAP fast ancestor find

To verify whether the Background Scanning and MAP Fast Ancestor Find features are enabled, run the show wireless profile mesh detailed command.

To verify the background scan, use this command:

Device# show wireless profile mesh detailed Mesh_Profile | i Background Scan
Background Scan               : ENABLED

To verify MAP Fast Ancestor Find, use this command:

Device# show wireless profile mesh detailed Mesh_Profile | i MAP fast ancestor find
MAP fast ancestor find        : ENABLED