Radio Resource Management

Radio Resource Management (RRM) is a system that

  • consistently manages real-time RF parameters of a wireless network

  • monitors associated APs for traffic load, interference, noise, coverage, and other metrics,

  • performs critical functions like radio resource monitoring, power control transmission, dynamic channel assignment, and coverage hole detection and correction.

Functions of radio resource management

  • Radio Resource Monitoring: Ensures optimal allocation of network resources.

  • Power Control Transmission: Adjusts power levels to maintain network performance.

  • Dynamic Channel Assignment: Allocates channels dynamically to reduce interference and optimize network performance.

  • Coverage Hole Detection and Correction: Identifies and rectifies gaps in coverage to ensure consistent connectivity.

  • RF Grouping: Groups RF resources effectively to manage interference and optimize performance.

Radio resource monitors

A radio resource monitor is a system that

  • detects and configures new devices and APs automatically

  • adjusts associated APs for optimal coverage and capacity, and

  • supports noise and interference monitoring.

  • APs scan all the valid channels for the country of operation as well as for channels available in other locations.

  • The APs in local mode go offchannel for a period not greater than 70 ms to monitor these channels for noise and interference.

  • Packets collected during this time are analyzed to detect rogue APs, rogue clients, ad-hoc clients, and interfering APs.

  • In the presence of voice traffic or other critical traffic (in the last 100 ms), APs can defer off-channel measurements. The APs also defer off-channel measurements based on the WLAN scan priority configurations.

  • Each AP spends only 0.2 percent of its time off channel. This activity is distributed across all the APs so that adjacent APs are not scanning at the same time, which could adversely affect wireless LAN performance.

Mobility controller and mobility agent

Transmit power control

Transmit power control (TPC) is an automation algorithm that

  • increases and decreases an access point's power dynamically

  • responds to changes in the RF coverage environment, and

  • provides enough RF power to achieve the required coverage levels while avoiding channel interference.

This feature is different from coverage hole detection, which is primarily concerned with clients.

  • TPC provides enough RF power to achieve the required coverage levels while avoiding channel interference between APs. We recommend that you select TPCv1; the TPCv2 option is deprecated.

  • With TPCv1, you can select the channel aware mode; we recommend that you select this option for 5 GHz, and leave it unchecked for 2.4 GHz.

Overriding the TPC Algorithm with Minimum and Maximum Transmit Power Settings

The TPC algorithm balances RF power in many diverse RF environments. However, it is possible that automatic power control will not be able to resolve some scenarios in which an adequate RF design was not possible to implement due to architectural restrictions or site restrictions, for example, when all the access points must be mounted in a central hallway, placing the access points close together, but requiring coverage to the edge of the building.

In these scenarios, you can configure maximum and minimum transmit power limits to override TPC recommendations. The maximum and minimum TPC power settings apply to all the access points through RF profiles in an RF network.

To set the Maximum Power Level Assignment and Minimum Power Level Assignment, enter the maximum and minimum transmit power used by RRM in the fields in the Tx Power Control window. The range for these parameters is -10 to 30 dBm. The minimum value cannot be greater than the maximum value; the maximum value cannot be less than the minimum value.

If you configure a maximum transmit power, RRM does not allow any access point attached to the controller to exceed this transmit power level (whether the power is set by RRM TPC or by coverage hole detection). For example, if you configure a maximum transmit power of 11 dBm, no access point will transmit above 11 dBm, unless the access point is configured manually.

Dynamic channel assignment

Dynamic channel assignment (DCA) is a wireless LAN management technique that

  • automatically evaluates radio frequency (RF) conditions and network utilization

  • dynamically allocates channels among APs to minimize interference and maximize performance, and

  • continuously updates channel assignments based on system-wide RF analytics and policies.

Features of DCA

Features of DCA are:

  • Dynamic channel allocation: DCA dynamically assigns channels to APs to avoid conflicts and interference, improving network capacity and performance. Two adjacent APs on the same channel can cause signal contention or collision. In a collision, data is not received by the AP. For example, reading an e-mail in a café can affect the performance of an AP in a neighboring business.

    Even though these are separate networks, someone sending traffic to the café on channel 1 can disrupt communication in an enterprise using the same channel. Devices can dynamically allocate AP channel assignments to avoid conflict and increase capacity and performance.

  • Channel reuse: Efficiently reuses channels by assigning the same channel to APs that are physically far apart, maximizing scarce RF resources. In other words, channel 1 is allocated to a different AP far from the café, which is more effective than not using channel 1 altogether.

  • Adjacent channel separation: The device’s DCA capabilities are also useful in minimizing adjacent channel interference between APs.

    For example, two overlapping channels in the 802.11b/g band, such as 1 and 2, cannot simultaneously use 11 or 54 Mbps. By effectively reassigning channels, the device keeps adjacent channels separated.

Channel assignments

The device examines a variety of real-time RF characteristics to efficiently handle channel assignments.

  • AP received energy: The received signal strength measured between each AP and its nearby neighboring AP. Channels are optimized to give you the highest network capacity.

  • Noise: Noise can limit signal quality for your devices and APs. Increased noise reduces cell size and degrades user experience. By optimizing channels to avoid noise sources, the device helps you maintain coverage and system capacity. If a channel is unusable due to excessive noise, that channel can be avoided.

  • 802.11 interference: Interference is any 802.11 traffic that is not a part of your wireless LAN, including rogue APs and neighboring wireless networks. Lightweight APs automatically scan all channels to detect interference sources. If the amount of 802.11 interference exceeds a predefined configurable threshold (the default is 10 percent), the AP sends an alert to the device. Using the RRM algorithms, the device may then dynamically rearrange channel assignments to increase system performance in the presence of the interference. Such an adjustment could result in adjacent lightweight APs being on the same channel, but this setup provides better performance than keeping APs on a channel made unusable by interference.

    In addition, if other wireless networks are present, the device shifts the usage of channels to complement the other networks. For example, if one network is on channel 6, an adjacent wireless LAN is assigned to channel 1 or 11. This arrangement increases the capacity of the network by limiting the sharing of frequencies. If a channel has virtually no capacity remaining, the device may choose to avoid this channel. In huge deployments in which all nonoverlapping channels are occupied, the device does its best, but you must consider RF density when setting expectations.

  • Load and utilization: When utilization monitoring is enabled, capacity calculations can consider that some APs are deployed in ways that carry more traffic than other APs, for example, a lobby versus an engineering area. The device can then assign channels to improve the AP that has performed the worst. The load is taken into account when changing the channel structure to minimize the impact on the clients that are currently in the wireless LAN. This metric keeps track of every AP's transmitted and received packet counts to determine how busy the APs are. New clients avoid an overloaded AP and associate to a new AP. This Load and utilization parameter is disabled by default.

The device combines this RF characteristic information with RRM algorithms to make system-wide decisions. Conflicting demands are resolved using soft-decision metrics that guarantee the best choice for minimizing network interference. The result is optimal channel configuration across three dimensions. APs located on different floors play an important role in your wireless LAN configuration.
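
The following added example (not Cisco's RRM algorithm and not part of the original documentation) illustrates channel reuse, separation of nearby APs, and avoidance of foreign 802.11 interference with a simple best-response search over channels 1, 6 and 11. The AP names, RSSI readings, interference reports and the cost function are assumptions constructed for illustration; only the 10 percent interference threshold comes from the text above.

```python
# Added illustration of the DCA ideas above; this is NOT Cisco's RRM algorithm.
# AP names, RSSI readings and interference reports are constructed sample data.

CHANNELS_24GHZ = (1, 6, 11)        # non-overlapping 2.4 GHz channels
INTERFERENCE_ALERT_PERCENT = 10    # default 802.11 interference threshold from the page

# "AP received energy": signal strength between neighboring APs, in dBm.
NEIGHBOR_RSSI_DBM = {
    frozenset(("lobby", "eng")): -55,
    frozenset(("lobby", "cafe_side")): -60,
    frozenset(("eng", "cafe_side")): -58,
    frozenset(("far_wing", "lobby")): -88,
    frozenset(("far_wing", "eng")): -90,
    frozenset(("far_wing", "cafe_side")): -92,
}

# "802.11 interference": traffic that is not part of our WLAN, per AP and
# channel, as (received level in dBm, percent of airtime).
FOREIGN_REPORTS = {
    "cafe_side": {1: (-50, 40)},   # neighboring cafe network on channel 1
    "eng": {11: (-80, 5)},         # below the alert threshold, so ignored
}
APS = ("lobby", "eng", "cafe_side", "far_wing")


def dbm_to_mw(dbm):
    """Convert dBm to milliwatts so that energy from several sources adds up."""
    return 10 ** (dbm / 10)


def foreign_cost(ap, channel, reports=FOREIGN_REPORTS):
    """Airtime-weighted foreign energy; counted only above the alert threshold."""
    level_dbm, airtime = reports.get(ap, {}).get(channel, (None, 0))
    if airtime <= INTERFERENCE_ALERT_PERCENT:
        return 0.0
    return dbm_to_mw(level_dbm) * airtime / 100


def channel_cost(ap, channel, plan, rssi=NEIGHBOR_RSSI_DBM, reports=FOREIGN_REPORTS):
    """Co-channel energy from our own APs plus foreign interference."""
    co_channel = 0.0
    for pair, level_dbm in rssi.items():
        if ap in pair:
            (other,) = pair - {ap}
            if plan[other] == channel:
                co_channel += dbm_to_mw(level_dbm)
    return co_channel + foreign_cost(ap, channel, reports)


def plan_channels(aps=APS, channels=CHANNELS_24GHZ, max_rounds=20):
    """Each AP in turn moves to its cheapest channel until nothing changes."""
    plan = {ap: channels[0] for ap in aps}      # worst case: everyone on channel 1
    for _ in range(max_rounds):
        changed = False
        for ap in aps:
            costs = {ch: channel_cost(ap, ch, plan) for ch in channels}
            best = min(channels, key=costs.get)
            if costs[best] < costs[plan[ap]]:   # move only for a strict improvement
                plan[ap] = best
                changed = True
        if not changed:
            break
    return plan


if __name__ == "__main__":
    for ap, ch in plan_channels().items():
        print(f"{ap:10s} -> channel {ch}")
```

The three APs that hear each other strongly end up on separate channels, the AP facing the cafe leaves channel 1, and the distant AP reuses the channel of the neighbor it hears most weakly.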

RRM startup mode

The RRM startup mode is invoked under these conditions:

  • In a single-device environment, the RRM startup mode is invoked after the device is upgraded and rebooted.

  • In a multiple-device environment, the RRM startup mode is invoked after an RF Group leader is elected.

  • You can trigger the RRM startup mode from the CLI.

The RRM startup mode runs for 100 minutes (ten iterations at ten-minute intervals). The duration of the RRM startup mode is independent of the DCA interval, sensitivity, and network size. The startup mode consists of ten DCA runs with high sensitivity (making channel changes easy and sensitive to the environment) to converge to a steady-state channel plan. DCA continues to run at the specified interval and sensitivity after the startup mode is finished.

Coverage hole detection and correction

A coverage hole detection and correction algorithm is a wireless LAN management mechanism that

  • identifies areas with insufficient radio coverage for reliable performance

  • alerts administrators when access points fail to provide adequate coverage, and

  • adjusts AP transmit power to mitigate correctable coverage holes.

If clients on a lightweight AP are detected at threshold levels such as RSSI, failed client count, percentage of failed packets, and number of failed packets that are lower than those specified in the RRM configuration, the AP sends a “coverage hole” alert to the device. The alert indicates that clients cannot connect to a usable AP because of poor signal coverage.

The device discriminates between coverage holes that can and cannot be corrected. For coverage holes that can be corrected, the device mitigates the coverage hole by increasing the transmit power level for that specific AP.

The device does not mitigate coverage holes caused by clients that are unable to increase their transmit power or are statically set to a power level. Increasing downstream transmit power could increase interference in the network.

Restrictions

The restrictions for RRM are:

  • If an AP tries to join the RF-group that already holds the maximum number of APs it can support, the device rejects the application and throws an error.

  • RRM grouping does not occur when an AP operates in a static channel that is not in the DCA channel list. The Neighbor Discovery Protocol (NDP) is sent only on DCA channels; therefore, when a radio operates on a non-DCA channel, it does not receive NDP on the channel.

How to Configure RRM

Configure neighbor discovery type (CLI)

Specify how neighbor discovery packets are handled on each radio band.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Configure the neighbor discovery type for the desired radio band.

Example:


Device(config)# ap dot11 {24ghz | 5ghz} rrm ndp-type {protected | transparent}

The NDP types are:

  • protected: Use protected to encrypt discovery packets.

  • transparent: Use transparent to send packets as is (default).

Step 3

Return to privileged EXEC mode by ending the configuration mode.

Example:

Device(config)# end

Alternatively, you can also press Ctrl-Z to exit global configuration mode.


The neighbor discovery type for the specified band is set.

Configuring Transmit Power Control

Configure Tx-power control threshold (CLI)

Set the Tx-power control threshold to define the minimum received signal strength at which the device adjusts its transmit power.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Configure the Tx-power control threshold used by RRM for auto power assignment.

Example:

Device(config)# ap dot11 {24ghz | 5ghz | 6ghz} rrm tpc-threshold threshold_value

The range is from –80 dBm to –50 dBm.

Step 3

Return to privileged EXEC mode.

Example:

Device(config)# end

You can also press Ctrl-Z to exit global configuration mode.


The Tx-power control threshold is updated, enabling the device to adjust its transmit power according to the specified threshold.

Device# configure terminal
Device(config)# ap dot11 24ghz rrm tpc-threshold -60
Device(config)# end

Configure the Tx-power level (CLI)

Set the transmit power level of the wireless AP to improve wireless coverage and signal strength.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Configure the 802.11 Tx-power level.

Example:

Device(config)# ap dot11 {24ghz | 5ghz} rrm txpower {trans_power_level | auto | max | min | once}

The Tx-power parameters are:

  • trans_power_level: Sets the transmit power level.

  • auto: Enables auto-RF.

  • max: Configures the maximum auto-RF Tx-power.

  • min: Configures the minimum auto-RF Tx-power.

  • once: Enables one-time auto-RF.

Step 3

Return to privileged EXEC mode.

Example:

Device(config)# end


Configuring 802.11 RRM Parameters

Configure 802.11 channel assignment parameters (CLI)

Configure DCA and related parameters on 802.11 radios.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Configure CleanAir event-driven RRM parameters.

Example:

Device(config)# ap dot11 {24ghz | 5ghz} rrm channel cleanair-event sensitivity {high | low | medium}

The types of sensitivity are:

  • High : Specifies the most sensitivity to non-Wi-Fi interference as indicated by the air quality (AQ) value.

  • Low : Specifies the least sensitivity to non-Wi-Fi interference as indicated by the AQ value.

  • Medium : Specifies medium sensitivity to non-Wi-Fi interference as indicated by the AQ value.

Step 3

Configure DCA algorithm parameters for the 802.11 band.

Example:

Device(config)# ap dot11 {24ghz | 5ghz} rrm channel dca {add channel-number | anchor-time | global {auto | once} | interval | min-metric | remove channel-number | sensitivity {high | low | medium}}

The DCA algorithm parameters include:

  • add channel-number: Enter a channel number to be added to the DCA list.

  • anchor-time: Configures the anchor time for DCA. The range is from 0 to 23 hours.

  • global: Configures the DCA mode for all 802.11 Cisco APs.

    • auto: Enables auto-RF.

    • once: Enables auto-RF only once.

  • interval: Configures the DCA interval value. The values are 1, 2, 3, 4, 6, 8, 12 and 24 hours, and the default value 0 denotes 10 minutes.

  • min-metric: Configures the DCA minimum RSSI energy metric. The range is from -100 to -60.

  • sensitivity: Configures the DCA sensitivity level to changes in the environment.

    • high: Specifies the most sensitivity.

    • low: Specifies the least sensitivity.

    • medium: Specifies medium sensitivity.

Step 4

Configure the DCA channel bandwidth for all 802.11 radios in the 5-GHz band.

Example:

Device(config)# ap dot11 5ghz rrm channel dca chan-width {20 | 40 | 80}

The channel bandwidth can be set to 20 MHz, 40 MHz, or 80 MHz. The default value for channel bandwidth is 20 MHz (80 MHz is the default value for Best). Set the channel bandwidth to Best before configuring the constraints.

The 802.11 channel assignment parameters are configured.

What to do next

Configure the advanced channel assignment parameters.

Configure the advanced channel assignment parameters (CLI)

Procedure


Step 1

Configure the persistent non-Wi-Fi device avoidance in the 802.11 channel assignment.

Example:

Device(config)# ap dot11 {24ghz | 5ghz} rrm channel device

Step 2

Configure the foreign AP 802.11 interference avoidance in the channel assignment.

Example:

Device(config)# ap dot11 {24ghz | 5ghz} rrm channel foreign

Step 3

Configure the Cisco AP 802.11 load avoidance in the channel assignment.

Example:

Device(config)# ap dot11 {24ghz | 5ghz} rrm channel load

Step 4

Configure noise avoidance in 802.11 channel assignment.

Example:

Device(config)# ap dot11 {24ghz | 5ghz} rrm channel noise

Step 5

Return to privileged EXEC mode.

Example:

Device(config)# end

You can also press Ctrl-Z to exit global configuration mode.


The 802.11 advanced channel assignment parameters are configured.

Device(config)# ap dot11 {24ghz | 5ghz} rrm channel noise
Device(config)# end

Configuring 802.11 Coverage Hole Detection (CLI)

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 2

ap dot11 {24ghz | 5ghz} rrm coverage data {fail-percentage | packet-count | rssi-threshold}

Example:

Device(config)# ap dot11 24ghz rrm coverage data fail-percentage 60

Configures the 802.11 coverage hole detection for data packets.

  • fail-percentage: Configures the 802.11 coverage failure-rate threshold for uplink data packets as a percentage that ranges from 1 to 100%.

  • packet-count: Configures the 802.11 coverage minimum failure count threshold for uplink data packets that ranges from 1 to 255.

  • rssi-threshold: Configures the 802.11 minimum receive coverage level for data packets that ranges from –90 to –60 dBm.

Step 3

ap dot11 {24ghz | 5ghz} rrm coverage exception global exception level

Example:


Device(config)# ap dot11 24ghz rrm coverage exception global 50

Configures the 802.11 Cisco AP coverage exception level as a percentage that ranges from 0 to 100%.

Step 4

ap dot11 {24ghz | 5ghz} rrm coverage level global cli_min exception level

Example:


Device(config)# ap dot11 24ghz rrm coverage level global 10

Configures the 802.11 Cisco AP client minimum exception level that ranges from 1 to 75 clients.

Step 5

ap dot11 {24ghz | 5ghz} rrm coverage voice {fail-percentage | packet-count | rssi-threshold}

Example:

Device(config)# ap dot11 24ghz rrm coverage voice packet-count 10

Configures the 802.11 coverage hole detection for voice packets.

  • fail-percentage: Configures the 802.11 coverage failure-rate threshold for uplink voice packets as a percentage that ranges from 1 to 100%.

  • packet-count: Configures the 802.11 coverage minimum failure count threshold for uplink voice packets that ranges from 1 to 255.

  • rssi-threshold: Configures the 802.11 minimum receive coverage level for voice packets that ranges from –90 to –60 dBm.

Step 6

end

Example:

Device(config)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Configuring 802.11 Event Logging (CLI)

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 2

ap dot11 {24ghz | 5ghz} rrm logging {channel | coverage | foreign | load | noise | performance | txpower}

Example:

Device(config)# ap dot11 24ghz rrm logging channel

Device(config)# ap dot11 24ghz rrm logging coverage

Device(config)# ap dot11 24ghz rrm logging foreign

Device(config)# ap dot11 24ghz rrm logging load

Device(config)# ap dot11 24ghz rrm logging noise

Device(config)# ap dot11 24ghz rrm logging performance

Device(config)# ap dot11 24ghz rrm logging txpower

Configures event-logging for various parameters.

  • channel—Configures the 802.11 channel change logging mode.

  • coverage—Configures the 802.11 coverage profile logging mode.

  • foreign—Configures the 802.11 foreign interference profile logging mode.

  • load—Configures the 802.11 load profile logging mode.

  • noise—Configures the 802.11 noise profile logging mode.

  • performance—Configures the 802.11 performance profile logging mode.

  • txpower—Configures the 802.11 transmit power change logging mode.

Step 3

end

Example:

Device(config)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Configuring 802.11 Statistics Monitoring (CLI)

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 2

ap dot11 {24ghz | 5ghz} rrm monitor channel-list {all | country | dca}

Example:

Device(config)# ap dot11 24ghz rrm monitor channel-list all

Sets the 802.11 monitoring channel-list for parameters such as noise/interference/rogue.

  • all: Monitors all channels.

  • country: Monitors channels used in configured country code.

  • dca: Monitors channels used by dynamic channel assignment.

Step 3

ap dot11 {24ghz | 5ghz} rrm monitor coverage interval

Example:

Device(config)# ap dot11 24ghz rrm monitor coverage 600

Configures the 802.11 coverage measurement interval in seconds that ranges from 60 to 3600.

Step 4

ap dot11 {24ghz | 5ghz} rrm monitor load interval

Example:

Device(config)# ap dot11 24ghz rrm monitor load 180

Configures the 802.11 load measurement interval in seconds that ranges from 60 to 3600.

Step 5

ap dot11 {24ghz | 5ghz} rrm monitor noise interval

Example:

Device(config)# ap dot11 24ghz rrm monitor noise 360

Configures the 802.11 noise measurement interval (channel scan interval) in seconds that ranges from 60 to 3600.

Step 6

ap dot11 {24ghz | 5ghz} rrm monitor signal interval

Example:

Device(config)# ap dot11 24ghz rrm monitor signal 480

Configures the 802.11 signal measurement interval (neighbor packet frequency) in seconds that ranges from 60 to 3600.

Step 7

end

Example:

Device(config)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Configuring the 802.11 Performance Profile (CLI)

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 2

ap dot11 {24ghz | 5ghz} rrm profile clients cli_threshold_value

Example:


Device(config)# ap dot11 24ghz rrm profile clients 20

Sets the threshold value for 802.11 Cisco AP clients that range between 1 and 75 clients.

Step 3

ap dot11 {24ghz | 5ghz} rrm profile foreign int_threshold_value

Example:

Device(config)# ap dot11 24ghz rrm profile foreign 50

Sets the threshold value for 802.11 foreign interference that ranges between 0 and 100%.

Step 4

ap dot11 {24ghz | 5ghz} rrm profile noise for_noise_threshold_value

Example:


Device(config)# ap dot11 24ghz rrm profile noise -65

Sets the threshold value for 802.11 foreign noise that ranges between –127 and 0 dBm.

Step 5

ap dot11 {24ghz | 5ghz} rrm profile throughput throughput_threshold_value

Example:


Device(config)# ap dot11 24ghz rrm profile throughput 10000

Sets the threshold value for 802.11 Cisco AP throughput that ranges between 1000 and 10000000 bytes per second.

Step 6

ap dot11 {24ghz | 5ghz} rrm profile utilization rf_util_threshold_value

Example:


Device(config)# ap dot11 24ghz rrm profile utilization 75

Sets the threshold value for 802.11 RF utilization that ranges between 0 and 100%.

Step 7

end

Example:

Device(config)# end

Returns to privileged EXEC mode.

Configuring Advanced 802.11 RRM

Enabling Channel Assignment (CLI)

Procedure

  Command or Action Purpose

Step 1

enable

Example:

Device# enable

Enters privileged EXEC mode.

Step 2

ap dot11 {24ghz | 5ghz} rrm channel-update

Example:


Device# ap dot11 24ghz rrm channel-update

Enables the 802.11 channel selection update for each of the Cisco access points.

Note

After you enable ap dot11 {24ghz | 5ghz} rrm channel-update, a token is assigned for channel assignment in the DCA algorithm.

Restarting DCA Operation

Procedure

  Command or Action Purpose

Step 1

enable

Example:

Device# enable

Enters privileged EXEC mode.

Step 2

ap dot11 {24ghz | 5ghz} rrm dca restart

Example:


Device# ap dot11 24ghz rrm dca restart

Restarts the DCA cycle for 802.11 radio.

Update power assignment parameters (CLI)

Adjust the wireless transmit power settings for APs to optimize coverage and performance.

Procedure


Step 1

Enter privileged EXEC mode.

Example:

Device# enable

Step 2

Update the 802.11 transmit power for each of the APs.

Example:

Device# ap dot11 {24ghz | 5ghz} rrm txpower update

The system updates the transmit power configuration for the specified APs.

Device# enable
Device# ap dot11 24ghz rrm txpower update
Device# ap dot11 6ghz rrm txpower update

Configuring Rogue Access Point Detection in RF Groups

Configuring Rogue Access Point Detection in RF Groups (CLI)

Before you begin

Ensure that each embedded controller in the RF group has been configured with the same RF group name.


Note


The name is used to verify the authentication IE in all beacon frames. If the embedded controllers have different names, false alarms will occur.


Procedure

  Command or Action Purpose

Step 1

Example:

Device# 

Perform this step for every access point connected to the embedded controller.

  • monitor: Sets the AP mode to monitor mode.

  • clear: Resets AP mode to local or remote based on the site.

  • sensor: Sets the AP mode to sensor mode.

  • sniffer: Sets the AP mode to wireless sniffer mode.

Step 2

end

Example:

Device(config)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Step 3

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 4

wireless wps ap-authentication

Example:

Device(config)# wireless wps ap-authentication

Enables rogue access point detection.

Step 5

wireless wps ap-authentication threshold value

Example:

Device(config)# wireless wps ap-authentication threshold 50

Specifies when a rogue access point alarm is generated. An alarm occurs when the threshold value (which specifies the number of access point frames with an invalid authentication IE) is met or exceeded within the detection period.

The valid threshold range is from 1 to 255, and the default threshold value is 1. To avoid false alarms, you may want to set the threshold to a higher value.

Note

Enable rogue access point detection and threshold value on every embedded controller in the RF group.

Note

If rogue access point detection is not enabled on every embedded controller in the RF group, the access points on the embedded controller with this feature disabled are reported as rogues.
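
The effect of the threshold can be seen in this added example, which is not part of the original documentation or of the controller software. It counts beacons whose authentication IE fails verification in each detection period and raises an alarm when the count meets or exceeds the threshold; the HMAC-based IE, the 60-second detection period, the BSSIDs and the capture are assumptions constructed for illustration.

```python
import hashlib
import hmac
from collections import Counter

THRESHOLD_MIN, THRESHOLD_MAX = 1, 255   # valid range stated on the page
DETECTION_PERIOD_S = 60                 # assumption: the page does not give the period


def auth_ie(rf_group_name, bssid, seq):
    """Stand-in authentication IE: HMAC-SHA256 keyed with the RF group name.

    Assumption for illustration only. The page says the RF group name is used
    to verify the IE but does not describe the real IE format.
    """
    message = f"{bssid}|{seq}".encode()
    return hmac.new(rf_group_name.encode(), message, hashlib.sha256).digest()


def make_beacons(bssid, rf_group_name, count, corrupt=()):
    """Constructed capture: one beacon every 0.1 s; IE damaged for seqs in corrupt."""
    beacons = []
    for seq in range(count):
        ie = auth_ie(rf_group_name, bssid, seq) if rf_group_name else b""
        if seq in corrupt:
            ie = bytes([ie[0] ^ 0x01]) + ie[1:]          # single bit error on the air
        beacons.append({"t": seq * 0.1, "bssid": bssid, "seq": seq, "ie": ie})
    return beacons


def rogue_alarms(beacons, local_rf_group, threshold, period_s=DETECTION_PERIOD_S):
    """Return BSSIDs whose invalid-IE count meets or exceeds threshold in a period."""
    if not THRESHOLD_MIN <= threshold <= THRESHOLD_MAX:
        raise ValueError("threshold must be between 1 and 255")
    invalid = Counter()
    for beacon in beacons:
        expected = auth_ie(local_rf_group, beacon["bssid"], beacon["seq"])
        if not hmac.compare_digest(expected, beacon["ie"]):
            period = int(beacon["t"] // period_s)        # fixed, consecutive periods
            invalid[(beacon["bssid"], period)] += 1
    return sorted({bssid for (bssid, _), n in invalid.items() if n >= threshold})


# Constructed BSSIDs and capture (not taken from any real network).
OWN_AP = "02:00:00:00:00:0a"        # our AP, RF group "test1", two damaged beacons
MISNAMED_AP = "02:00:00:00:00:0b"   # AP of a controller configured as "test2"
UNKNOWN_AP = "02:00:00:00:00:0c"    # AP that carries no authentication IE
CAPTURE = (
    make_beacons(OWN_AP, "test1", 100, corrupt={10, 55})
    + make_beacons(MISNAMED_AP, "test2", 100)
    + make_beacons(UNKNOWN_AP, None, 100)
)

if __name__ == "__main__":
    for threshold in (1, 50):
        print(threshold, rogue_alarms(CAPTURE, "test1", threshold))
```

With the default threshold of 1, two damaged beacons from a legitimate AP are enough to raise an alarm; at 50 that alarm disappears, while the AP behind the controller with the wrong RF group name is still reported, which only correcting the name resolves.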

Monitoring RRM Parameters and RF Group Status

Monitor RRM parameters

This section provides a quick reference to the commands used for monitoring Radio Resource Management (RRM) parameters, enabling users to efficiently assess and troubleshoot wireless network performance.

Table 1. Commands for monitoring Radio Resource Management

Commands

Description

show ap dot11 24ghz channel

Displays the configuration and statistics of the 802.11b monitoring.

show ap dot11 24ghz coverage

Displays the configuration and statistics of the 802.11b coverage.

show ap dot11 24ghz group

Displays the configuration and statistics of the 802.11b grouping.

show ap dot11 24ghz logging

Displays the configuration and statistics of the 802.11b event logging.

show ap dot11 24ghz monitor

Displays the configuration and statistics of the 802.11b monitoring.

show ap dot11 24ghz profile

Displays 802.11b profiling information for all APs.

show ap dot11 24ghz summary

Displays the configuration and statistics of the 802.11a APs.

show ap dot11 24ghz txpower

Displays the configuration and statistics of the 802.11b transmit power control.

show ap dot11 5ghz channel

Displays the configuration and statistics of the 802.11a channel assignment.

show ap dot11 5ghz coverage

Displays the configuration and statistics of the 802.11a coverage.

show ap dot11 5ghz group

Displays the configuration and statistics of the 802.11a grouping.

show ap dot11 5ghz logging

Displays the configuration and statistics of the 802.11a event logging.

show ap dot11 5ghz monitor

Displays the configuration and statistics of the 802.11a monitoring.

show ap dot11 5ghz profile

Displays 802.11a profiling information for all APs.

show ap dot11 5ghz summary

Displays the configuration and statistics of the 802.11a APs.

show ap dot11 5ghz txpower

Displays the configuration and statistics of the 802.11a transmit power control.

Verify RF group status

This section describes the new commands for RF group status.

These commands are used to verify RF group status on the .

This table lists the commands for verifying aggressive load balancing.

Table 2. Aggressive load balancing verification commands

Command

Purpose

show ap dot11 5ghz group

Displays the controller name that is the group leader for the 802.11a RF network.

show ap dot11 24ghz group

Displays the controller name that is the group leader for the 802.11b/g RF network.

Examples: RF group configuration

These are examples of RF group name configuration.

Device# configure terminal
Device(config)# wireless rf-network test1
Device(config)# ap dot11 24ghz shutdown
Device(config)# end
Device# show network profile 5

This example demonstrates how to configure rogue access point detection within RF groups.

Device# 
Device# end
Device# configure terminal
Device(config)# wireless wps ap-authentication
Device(config)# wireless wps ap-authentication threshold 50
Device(config)# end
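
The prerequisites and notes of the rogue detection procedure can be checked across an RF group with a script such as this added example (not Cisco tooling and not part of the original documentation). It assumes each controller's commands are available as text in the form shown above and that settings absent from that text are at the defaults stated on this page; the controller names wlc-1 to wlc-3 and their configurations are constructed.

```python
import re

BANDS = ("24ghz", "5ghz")
PROMPT = re.compile(r"^\S+#\s*")    # strips "Device#" and "Device(config)#"


def parse_controller(config_text):
    """Extract RF group and rogue detection settings; page defaults when absent."""
    state = {
        "rf_network": None,
        "ap_auth": False,
        "threshold": 1,                                     # default threshold value
        "ndp": {band: "transparent" for band in BANDS},     # default NDP type
    }
    for raw in config_text.splitlines():
        line = PROMPT.sub("", raw.strip())
        if m := re.fullmatch(r"wireless rf-network (\S+)", line):
            state["rf_network"] = m.group(1)
        elif line == "wireless wps ap-authentication":
            state["ap_auth"] = True
        elif m := re.fullmatch(r"wireless wps ap-authentication threshold (\d+)", line):
            state["threshold"] = int(m.group(1))
        elif m := re.fullmatch(
            r"ap dot11 (24ghz|5ghz) rrm ndp-type (protected|transparent)", line
        ):
            state["ndp"][m.group(1)] = m.group(2)
    return state


def audit_rf_group(configs):
    """Return (controller, finding) pairs; "*" marks a group-wide finding."""
    states = {name: parse_controller(text) for name, text in configs.items()}
    findings = []
    # Every controller in the RF group must use the same RF group name.
    if len({s["rf_network"] for s in states.values()}) > 1:
        findings.append(("*", "rf-group-name-mismatch"))
    for name in sorted(states):
        s = states[name]
        # APs of a controller without detection are reported as rogues by the others.
        if not s["ap_auth"]:
            findings.append((name, "ap-authentication-disabled"))
        if not 1 <= s["threshold"] <= 255:
            findings.append((name, "threshold-out-of-range"))
        for band in BANDS:
            if s["ndp"][band] == "transparent":     # discovery packets sent as is
                findings.append((name, f"ndp-transparent-{band}"))
    enabled = [s["threshold"] for s in states.values() if s["ap_auth"]]
    if len(set(enabled)) > 1:
        findings.append(("*", "ap-authentication-threshold-mismatch"))
    return findings


# Constructed configurations for three controllers of one RF group.
SAMPLE_CONFIGS = {
    "wlc-1": """\
Device(config)# wireless rf-network test1
Device(config)# ap dot11 24ghz rrm ndp-type protected
Device(config)# ap dot11 5ghz rrm ndp-type protected
Device(config)# wireless wps ap-authentication
Device(config)# wireless wps ap-authentication threshold 50
""",
    "wlc-2": """\
Device(config)# wireless rf-network test1
Device(config)# ap dot11 24ghz rrm ndp-type protected
""",
    "wlc-3": """\
Device(config)# wireless rf-network test-1
Device(config)# ap dot11 24ghz rrm ndp-type protected
Device(config)# ap dot11 5ghz rrm ndp-type protected
Device(config)# wireless wps ap-authentication
""",
}

if __name__ == "__main__":
    for controller, finding in audit_rf_group(SAMPLE_CONFIGS):
        print(f"{controller}: {finding}")
```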

Information About ED-RRM

The ED-RRM feature is a radio frequency management solution that

  • continuously monitors air quality metrics

  • automatically triggers channel changes when interference exceeds a set threshold, and

  • blocks affected channels for a specified duration to prevent immediate reselection.

Spontaneous interference is interference that appears suddenly on a network, perhaps jamming a channel or a range of channels completely. The Cisco CleanAir spectrum event-driven RRM feature allows you to set a threshold for air quality (AQ) that, if exceeded, triggers an immediate channel change for the affected AP.

Most RF management systems can avoid interference, but this information takes time to propagate through the system. Cisco CleanAir relies on AQ measurements to continuously evaluate the spectrum and can trigger a move within 30 seconds. For example, if an AP detects interference from a video camera, it can recover by changing channels within 30 seconds of the camera becoming active.

Configure ED-RRM on the controller (CLI)

Configure Event-Driven Radio Resource Management (ED-RRM) on the controller using CLI commands.

Trigger spectrum event-driven RRM to run when a Cisco CleanAir-enabled AP detects a significant level of interference by entering these commands.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Configure CleanAir driven RRM parameters for the 802.11 APs.

Example:

Device(config)# ap dot11 {24ghz | 5ghz | 6ghz} rrm channel cleanair-event

Step 3

Configure CleanAir driven RRM sensitivity for the 802.11 APs.

Example:

Device(config)# ap dot11 {24ghz | 5ghz | 6ghz} rrm channel cleanair-event sensitivity {low | medium | high | custom}

Default selection is Medium.

Step 4

Trigger the ED-RRM event at the set threshold value.

Example:

Device(config)# ap dot11 {24ghz | 5ghz | 6ghz} rrm channel cleanair-event custom-threshold custom-threshold-value

The custom threshold range is from 1 to 99.

Step 5

Enable rogue contribution.

Example:

Device(config)# ap dot11 {24ghz | 5ghz | 6ghz} rrm channel cleanair-event rogue-contribution

Step 6

Configure threshold value for rogue contribution.

Example:

Device(config)# ap dot11 {24ghz | 5ghz | 6ghz} rrm channel cleanair-event rogue-contribution duty-cycle thresholdvalue

The range is from 1 to 99, with 80 as the default.

Step 7

Save your changes.

Example:

Device# write memory

Step 8

(Optional) Verify the CleanAir configuration for the 802.11a/n/ac or 802.11b/g/n network.

Example:

Device# show ap dot11 {24ghz | 5ghz | 6ghz} cleanair config

The output is displayed.


The Event-Driven Radio Resource Management (ED-RRM) on the controller is configured.

Rogue PMF containment

Rogue PMF containment is a wireless security feature that

  • uses 802.11w Protected Management Frames (PMF) to contain rogue APs and clients

  • operates on centrally switched WLANs when the radio channel of the detecting AP matches the rogue AP's channel, and

  • activates only when certain mode and channel conditions are met to secure the network against unauthorized devices.

Feature history

Table 3. Feature history table for rogue PMF containment

Feature name: Rogue PMF containment

Release information: Cisco IOS XE 17.12.1

Feature description: Starting with Cisco IOS XE Dublin 17.12.1, the controller contains a rogue AP with 802.11w Protected Management Frame (PMF) on centrally switched wireless LANs. Containment occurs if the client-serving radio channel of a rogue-detecting AP matches the channel of the corresponding rogue AP.

Operational scenarios

PMF containment occurs in these scenarios:

  • You can use PMF containment only in the local mode.

  • You can perform PMF containment only for rogue clients that have not joined a rogue AP.

  • You can use PMF containment only if a rogue-detecting AP shares the same primary channel with a rogue client.

  • You cannot use PMF containment on DFS channels, even if a DFS channel serves as the client-serving channel.

  • PMF containment works only if at least one WLAN operates on the serving radio.

For information about APs that support the Rogue PMF Containment feature, see Cisco AP Feature Matrix.

Enable rogue PMF containment

Enable PMF containment to protect your wireless network from rogue APs.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Configure an AP profile and enter AP profile configuration mode.

Example:

Device(config)# ap profile ap-profile

Step 3

Enable PMF-denial rogue AP containment.

Example:

Device(config-ap-profile)# rogue detection containment pmf-denial

Step 4

Enable PMF-denial type deauthentication rogue AP containment.

Example:

Device(config-pmf-denial)# pmf-deauth

Step 5

Return to privileged EXEC mode.

Example:

Device(config-ap-profile)# end

Rogue AP PMF containment is enabled for the specified AP profile.

Device# configure terminal
Device(config)# ap profile pmf-ap-profile
Device(config-ap-profile)# rogue detection containment pmf-denial
Device(config-pmf-denial)# pmf-deauth
Device(config-ap-profile)# end

Verify PMF containment

To verify PMF containment and the relevant statistics, use these commands.

To view the summary of containment details for all AP radios, use this command:

Device# show wireless wps rogue containment summary 

Rogue Containment activities for each managed AP
 
AP: 687d.b45f.2ae0  Slot: 1
  Active Containments   : 3
   Containment Mode     : DEAUTH_PMF
   Rogue AP MAC         : 687d.b45f.2a2d
   Containment Channels : 40

To verify the rogue statistics, use this command:

Device# show wireless wps rogue stats 
.
.
.
 States
  Alert                          : 256
  Internal                       : 0
  External                       : 0
  Contained                      : 1
  Containment-pending            : 0
  Threat                         : 0
  Pending                        : 0
Rogue Clients
  Total/Max Scale                : 20/16000
  Contained                      : 0
  Containment-pending            : 0
.
.
.

Rogue detection - rogue channel width

A rogue detection configuration is a security measure that

  • allows specifying channel width and band for detecting unauthorized APs, and

  • filters rogue APs based on matching channel width criteria and band.

The condition chan-width command, introduced in Cisco IOS XE Dublin 17.12.1, allows you to set the minimum or maximum channel width for rogue detection.

Configure rogue channel width (CLI)

Complete this task to configure rogue channel width.

Procedure


Step 1

Enter the global configuration mode.

Example:

Device# configure terminal

Step 2

Create or enable a rule.

Example:

Device(config)# wireless wps rogue rule rule-name priority priority

Step 3

Configure channel width and band for rogue detection.

Example:

Device(config-rule)# condition chan-width {160MHz | 20MHz | 40MHz | 80MHz} band {24ghz | 5ghz | 6ghz}

If the classification is Friendly, this is the minimum channel width.

If the classification is Custom, Malicious, or Delete, this is the maximum channel width.

Step 4

Use Step 4, 5, 6, or 7.

Note

Use only one of the Steps: 4, 5, 6, or 7 as required to classify rogue devices. Do not use all of them.

Step 5

(Optional) Classify devices matching this rule as friendly.

Example:

Device(config-rule)# classify friendly state {alert | external | internal}

The options are:

  • alert: Sets the malicious rogue access point to alert mode.

  • external: Acknowledges the presence of a rogue access point.

  • internal: Trusts a foreign access point.

Step 6

(Optional) Classify devices matching this rule as malicious.

Example:

Device(config-rule)# classify malicious state {alert | contained}

The options are:

  • alert: Sets the malicious rogue AP to alert mode.

  • contained: Contains the rogue AP.

Step 7

(Optional) Classify devices matching this rule as custom.

Example:

Device(config-rule)# classify custom severity-score severity-score [name name] state {alert | contained}

Here the options are:

  • severity-score : Custom classification severity score. The range is from 1 to 100.

  • name: Defines the name for custom classification.

  • name : Specifies the custom classification name.

  • state: Defines the final state if rule is matched.

  • alert: Sets the rogue AP to alert mode.

  • contained: Contains the rogue AP.

Step 8

Ignore the devices matching this rule.

Example:

Device(config-rule)# classify delete

Step 9

Return to privileged EXEC mode.

Example:

Device(config-rule)# end

The rogue channel width is configured.

Device# configure terminal
Device(config)# wireless wps rogue rule 1 priority 1
Device(config-rule)# condition chan-width 20MHz band 5ghz
Device(config-rule)# classify friendly state internal
Device(config-rule)# classify malicious state alert
Device(config-rule)# classify custom severity-score 12 name rule1 state alert
Device(config-rule)# classify delete
Device(config-rule)# end

Configure rogue classification rules (GUI)

Complete this task to configure rogue classification rules.

Procedure


Step 1

Choose Configuration > Security > Wireless Protection Policies > Rogue AP Rules to open the Rogue Rules window.

Rules that have already been created are listed in priority order. The name, type, status, state, match, and hit count of each rule are provided.

Note

To delete a rule, select the rule and click Delete.

Step 2

Create a new rule with these steps:

  1. Click Add.

  2. In the Add Rogue AP Rule window, enter a name for the new rule, in the Rule Name field. Ensure that the name does not contain any spaces.

  3. From the Rule Type drop-down list, choose one of these options to classify rogue APs matching this rule:

    • Friendly

    • Malicious

    • Unclassified

    • Custom

  4. From the State drop-down list, configure the state of the rogue AP. This is the state when the rule matches the conditions for the rogue APs.

    • Alert: A trap is generated when an ad hoc rogue is detected.

    • Internal: A foreign ad hoc rogue is trusted.

    • External: The presence of an ad hoc rogue is acknowledged.

    • Contain: The ad hoc rogue is contained.

    • Delete: The ad hoc rogue is removed.

    Note

    The State field is not displayed if you select Unclassified as the Rule Type.

  5. If you chose the Rule Type as Custom, enter the Severity Score and the Custom Name.

  6. Click Apply to Device to add this rule to the list of existing rules, or click Cancel to discard this new rule.

Step 3

(Optional) Edit a rule using these steps:

  1. Click the name of the rule that you want to edit.

  2. In the Edit Rogue AP Rule page that is displayed, from the Type drop-down list, choose one of these options to classify rogue APs matching this rule:

    • Friendly

    • Malicious

    • Custom

  3. Configure the notification from the Notify drop-down list to All, Global, Local, or None after the rule is matched.

  4. Configure the state of the rogue AP from the State drop-down list after the rule is matched.

  5. From the Match Operation field, choose one of these options:

    • Match All: The detected rogue AP must meet all of the conditions specified by the rule for the rule to be matched and the rogue AP to adopt the classification type of the rule.

    • Match Any: The detected rogue AP must meet any of the conditions specified by the rule for the rule to be matched and the rogue AP to adopt the classification type of the rule. This is the default value.

  6. To enable this rule, check the Enable Rule check box. The default is unchecked.

  7. If you chose the Rule Type as Custom, enter the Severity Score and the Classification Name.

  8. From the Add Condition drop-down list, choose one or more of the conditions that the rogue AP must meet:

    • None: No condition is set for rogue AP detection.

    • client-count: Condition requires that a minimum number of clients be associated to the rogue AP. For example, if the number of clients associated to the rogue AP is greater than or equal to the configured value, then the AP can be classified as malicious. If you choose this option, enter the minimum number of clients to be associated with the rogue AP in the Minimum Number of Rogue Clients field. The valid range is 1 to 10 (inclusive), and the default value is 0.

    • duration: Condition requires that the rogue AP be detected for a minimum period of time. If you choose this option, enter a value for the minimum detection period in the Time Duration field. The valid range is 0 to 86400 seconds (inclusive), and the default value is 0 seconds.

    • encryption: Condition requires that the advertised WLAN have specified encryption. Requires that the rogue AP’s advertised WLAN does not have encryption enabled. If a rogue AP has encryption disabled, it is likely that more clients will try to associate with it. No further configuration is required for this option.

    • infrastructure: Condition requires that the rogue AP’s SSID (the SSID configured for the WLAN) be known to the controller. Select the Manage SSID check box to enable this configuration.

    • rssi: Condition requires that the rogue AP have a minimum received signal strength indication (RSSI) value. For example, if the rogue AP has an RSSI that is greater than the configured value, then the AP could be classified as malicious. If you choose this option, enter the minimum RSSI value in the Maximum RSSI field. The valid range is 0 to –128 dBm (inclusive).

    • channel-width: Condition requires that the rogue AP use the specified radio spectrum channel width for the specified radio band, as defined. The valid channel widths are 20, 40, 80, and 160 MHz.

      • For an AP to be classified as Malicious, Custom, or Delete, it must match the value (equal or more) set in the Minimum Channel Width drop-down list.

      • For an AP to be classified as Friendly, it must match the value (equal or less) set using an option from the Maximum Channel Width drop-down list.

    • ssid: Condition requires that the rogue AP have a specific user-configured SSID. If you choose this option, enter the SSID in the User Configured SSID text field, and click + to add the SSID.

    • substring-ssid: Condition requires that the rogue AP have a substring of the specific user-configured SSID. The controller searches the substring in the same occurrence pattern and returns a match if the substring is found in the SSID string.

Step 4

Click Apply to Device to save the configuration.

Step 5

Click OK.


The rogue classification rules are configured.

Verify rogue channel width

To view channel width and band information of a classification rule, use these commands.


Note


When the same BSSID is beaconing on multiple bands (2.4 GHz, 5 GHz, 6 GHz), the show wireless wps rogue ap summary command output displays information for the band with the highest RSSI.


Device# show wireless wps rogue rule detailed 1
Priority                                           : 1
Rule Name                                          : 1
Status                                             : Enabled
Type                                               : Friendly
State                                              : Alert
Match Operation                                    : Any
Notification                                       : Enabled
Hit Count                                          : 117
Condition :
  type                                             : chan-width
  Max value (MHz)                                  : 40
  Band (GHz)                                       : 5GHz

Device# show wireless wps rogue ap summary
.
.
.

MAC Address     Classification  State  #APs  #Clients  Last Heard           Highest-RSSI-Det-AP  RSSI  Channel  Ch.Width  GHz
-----------------------------------------------------------------------------------------------------------------------------------
002c.c849.9f00  Unclassified    Alert  2     0         10/18/2022 16:50:18  0cd0.f895.efc0       -31        11        20  2.4
0062.ecf3.e73f  Unclassified    Alert  1     0         10/18/2022 16:50:16  0cd0.f895.efc0       -46        36        80  5
4ca6.4d22.cbaf  Unclassified    Alert  3     0         10/18/2022 16:50:46  0cd0.f895.efc0       -62        36       160  5
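
To preview which detected rogues a channel-width condition would match before the rule is enabled, the summary output can be parsed offline. The script below is an added example, not Cisco code: it reads the rows shown above and assumes the match direction given in the GUI procedure and in the rule's "Max value" output (Friendly: width equal to or less than the configured value; Malicious, Custom, Delete: equal to or more). The function names and the use of the GHz column values ("2.4", "5") as band identifiers are assumptions.

```python
import re

# Sample input: the "show wireless wps rogue ap summary" output shown on this page
# (separator line abridged).
SUMMARY = """\
.
MAC Address     Classification  State  #APs  #Clients  Last Heard           Highest-RSSI-Det-AP  RSSI  Channel  Ch.Width  GHz
------------------------------------------------------------
002c.c849.9f00  Unclassified    Alert  2     0         10/18/2022 16:50:18  0cd0.f895.efc0       -31        11        20  2.4
0062.ecf3.e73f  Unclassified    Alert  1     0         10/18/2022 16:50:16  0cd0.f895.efc0       -46        36        80  5
4ca6.4d22.cbaf  Unclassified    Alert  3     0         10/18/2022 16:50:46  0cd0.f895.efc0       -62        36       160  5
"""

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
ROW = re.compile(
    rf"^(?P<mac>{MAC})\s+(?P<cls>\S+)\s+(?P<state>\S+)\s+(?P<aps>\d+)\s+(?P<clients>\d+)\s+"
    rf"(?P<heard>\S+ \S+)\s+(?P<det_ap>{MAC})\s+(?P<rssi>-?\d+)\s+(?P<chan>\d+)\s+"
    r"(?P<width>\d+)\s+(?P<band>[\d.]+)$",
    re.IGNORECASE,
)

def parse_summary(text):
    """Return one dict per rogue row; header, separator and '.' lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            row = m.groupdict()
            for key in ("aps", "clients", "rssi", "chan", "width"):
                row[key] = int(row[key])
            rows.append(row)
    return rows

def chan_width_matches(row, rule_type, width_mhz, band):
    """Evaluate the channel-width condition (direction assumed from the GUI text)."""
    if row["band"] != band:
        return False
    if rule_type == "Friendly":                          # configured width is a maximum
        return row["width"] <= width_mhz
    if rule_type in ("Malicious", "Custom", "Delete"):   # configured width is a minimum
        return row["width"] >= width_mhz
    raise ValueError(f"unsupported rule type: {rule_type}")

def preview(text, rule_type, width_mhz, band):
    """MAC addresses of the rogues the condition would match."""
    return [r["mac"] for r in parse_summary(text)
            if chan_width_matches(r, rule_type, width_mhz, band)]

if __name__ == "__main__":
    print("Friendly, max 40 MHz, 5 GHz :", preview(SUMMARY, "Friendly", 40, "5"))
    print("Malicious, min 80 MHz, 5 GHz:", preview(SUMMARY, "Malicious", 80, "5"))
```

Run against the rows above, the Friendly rule from the detailed output (maximum 40 MHz on 5 GHz) matches none of the three rogues, while a Malicious rule with a minimum of 80 MHz on 5 GHz matches both 5 GHz entries.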