Cisco Catalyst IW6300 Heavy Duty Series Access Point Software Configuration Guide

Overview of Access Point Features

Cisco Catalyst IW6300 Heavy Duty Access Points (hereafter called IW6300) deliver secure, scalable, and flexible wireless connectivity to the most hazardous industrial environments, reliably delivering actionable data to always-on businesses.

With 802.11ac Wave 2 connectivity, dual Power over Ethernet Plus (PoE+) out for IoT sensors or peripherals, multiple power-in sources, and a variety of uplink options, the IW6300 can provide a flexible wireless solution.

The IW6300 access points can operate in the following modes:

  • Unified mode

    • Local

    • Flexconnect

    • Bridge

    • Flexconnect with Bridge

    • Sniffer

  • Workgroup Bridge

The IW6300 access points support the following software versions:

  • Cisco Wireless Controllers (WLC) Release 8.10

  • Cisco Mobility Express (ME) Release 8.10

  • Cisco IOS-XE Release 17.1.1s

For more information about the Cisco Wireless Controller, see the relevant document at:

https://www.cisco.com/c/en/us/support/wireless/wireless-lan-controller-software/tsd-products-support-series-home.html

For more information about the Cisco Mobility Express solution, see the relevant document at:

https://www.cisco.com/c/en/us/support/wireless/mobility-express/products-installation-and-configuration-guides-list.html

For more information about Cisco IOS XE, see the relevant document at:

http://www.cisco.com/c/en/us/products/ios-nx-os-software/ios-xe/index.html

Configuring the Access Point for the First Time

This section describes how to configure basic settings on the wireless device for the first time. You can configure all the settings described in this section using the CLI, but it might be simplest to browse to the wireless device web-browser interface to complete the initial configuration and then use the CLI to enter additional settings for a more detailed configuration.

Using the Command-Line Interface

Use Secure Shell (SSH) to access the CLI. SSH provides a secure, remote connection to networking devices. The SSH software package provides secure login sessions by encrypting the entire session. SSH features strong cryptographic authentication, strong encryption, and integrity protection.

By default, SSH is disabled. When the AP joins the controller, the SSH function can be enabled remotely.

Obtaining an IP Address

Your access point requires an IP address to operate. The access point is not shipped with a default IP address. It obtains an IP address from the DHCP server in your network when you make the connection. If your network does not have a DHCP server, the access point continues to request an IP address until you assign it one. You must configure the IP address by opening the CLI from a terminal session established through the console port on the access point.

If your access point obtained its IP address from the network DHCP server, you or your network administrator can obtain it by querying the DHCP server using the MAC address of the access point.

Connecting to the Access Point Console Port

If you need to configure the access point locally (without connecting the access point to a wired LAN), you can connect a PC to its console port using a DB-9 to RJ-45 serial cable. Follow these steps to open the CLI by connecting to the access point console port:

SUMMARY STEPS

  1. Connect a nine-pin, female DB-9 to RJ-45 serial cable to the RJ-45 serial port on the access point and to the COM port on a computer. The Cisco part number for the DB-9 to RJ-45 serial cable is AIR-CONCAB1200. Browse to http://www.cisco.com/go/marketplace to order a serial cable.
  2. Set up a terminal emulator to communicate with the access point. Use the following settings for the terminal emulator connection: 9600 baud, 8 data bits, no parity, 1 stop bit, and no flow control.
  3. When connected, press enter or type en to access the command prompt. Pressing enter takes you to the user exec mode. Entering en prompts you for a password, then takes you to the privileged exec mode. The default password is Cisco and is case-sensitive.

DETAILED STEPS


Step 1

Connect a nine-pin, female DB-9 to RJ-45 serial cable to the RJ-45 serial port on the access point and to the COM port on a computer. The Cisco part number for the DB-9 to RJ-45 serial cable is AIR-CONCAB1200. Browse to http://www.cisco.com/go/marketplace to order a serial cable.

Step 2

Set up a terminal emulator to communicate with the access point. Use the following settings for the terminal emulator connection: 9600 baud, 8 data bits, no parity, 1 stop bit, and no flow control.

Step 3

When connected, press enter or type en to access the command prompt. Pressing enter takes you to the user exec mode. Entering en prompts you for a password, then takes you to the privileged exec mode. The default password is Cisco and is case-sensitive.

Note 
When your configuration changes are completed, you must remove the serial cable from the access point.

The Controller Discovery Process

The access point uses standard Control and Provisioning of Wireless Access Points Protocol (CAPWAP) to communicate between the controller and other wireless access points on the network. CAPWAP is a standard, interoperable protocol that allows an access controller to manage a collection of wireless termination points. The discovery process using CAPWAP is identical to the Lightweight Access Point Protocol (LWAPP) used with the access points. LWAPP-enabled access points are compatible with CAPWAP, and conversion to a CAPWAP controller is seamless. Deployments can combine CAPWAP and LWAPP software on the controllers.

The functionality provided by the controller does not change, except for customers who have Layer 2 deployments, which CAPWAP does not support.

In a CAPWAP environment, the wireless access point discovers a controller by using CAPWAP discovery mechanisms and then sends it a CAPWAP join request. The controller sends the access point a CAPWAP join response to allow the access point to join the controller. When the access point joins the controller, the controller manages its configuration, firmware, control transactions, and data transactions.

For additional information about the discovery process and CAPWAP, see the Cisco Wireless LAN Controller Software Configuration Guide .

  • You cannot edit or query any access point using the controller CLI if the name of the access point contains a space.

  • Ensure that the controller is set to the current time. If the controller is set to a time that has already occurred, the access point might not join the controller because its certificate may not yet be valid.

Access points must be discovered by a controller before they can become active in the network. The access point supports these controller discovery processes:

  • Layer 3 CAPWAP discovery—Can occur on different subnets than the access point and uses IP addresses and UDP packets rather than MAC addresses used by Layer 2 discovery.

  • Locally stored controller IP address discovery—If the access point was previously joined to a controller, the IP addresses of the primary, secondary, and tertiary controllers are stored in the access point’s non-volatile memory. This process of storing controller IP addresses on an access point for later deployment is called priming the access point. See Performing a Pre-Installation Configuration.

  • DHCP server discovery—This feature uses DHCP option 43 to provide controller IP addresses to access points. Cisco switches support a DHCP server option that is typically used for this capability. See Configuring DHCP Option 43.

  • DNS discovery—The access point can discover controllers through your domain name server (DNS). To use this discovery method, you must configure the DNS to return controller IP addresses in response to CISCO-CAPWAP-CONTROLLER.localdomain , where localdomain is the access point domain name. Configuring the CISCO-CAPWAP-CONTROLLER provides backward compatibility in an existing deployment. When an access point receives the IP address and DNS information from a DHCP server, it contacts the DNS to resolve CISCO-CAPWAP-CONTROLLER.localdomain. When the DNS sends a list of controller IP addresses, the access point sends discovery requests to the controllers.

Configuring DHCP Option 43

You can use DHCP Option 43 to provide a list of controller IP addresses to the access points, enabling them to find and join a controller.

The following is a DHCP Option 43 configuration example on a Windows 2003 Enterprise DHCP server for use with Cisco Aironet lightweight access points. For other DHCP server implementations, consult product documentation for configuring DHCP Option 43. In Option 43, you should use the IP address of the controller management interface.


Note

DHCP Option 43 is limited to one access point type per DHCP pool. You must configure a separate DHCP pool for each access point type.

The IW6300 series access point uses the type-length-value (TLV) format for DHCP Option 43. DHCP servers must be programmed to return the option based on the access point DHCP Vendor Class Identifier (VCI) string (DHCP Option 43). The VCI string for the IW6300 series access point is:

Cisco AP IW6300

The format of the TLV block is listed below:

  • Type: 0xf1 (decimal 241)

  • Length: Number of controller IP addresses * 4

  • Value: List of WLC management interfaces

To configure DHCP Option 43 in the embedded Cisco IOS DHCP server, follow these steps:

SUMMARY STEPS

  1. Enter configuration mode at the Cisco IOS CLI.
  2. Create the DHCP pool, including the necessary parameters such as default router and name server. The commands used to create a DHCP pool are as follows:
  3. Add the Option 60 line using the following syntax:
  4. Add the Option 43 line using the following syntax:

DETAILED STEPS


Step 1

Enter configuration mode at the Cisco IOS CLI.

Step 2

Create the DHCP pool, including the necessary parameters such as default router and name server. The commands used to create a DHCP pool are as follows:


ip dhcp pool <pool name> 
network <IP Network> <Netmask> 
default-router <Default router> 
dns-server <DNS Server> 

Where:

  • <pool name > is the name of the DHCP pool, such as IW6300

  • <IP Network > is the network IP address where the controller resides, such as 10.0.15.1

  • <Netmask > is the subnet mask, such as 255.255.255.0

  • <Default router > is the IP address of the default router, such as 10.0.0.1

  • <DNS Server > is the IP address of the DNS server, such as 10.0.10.2

Step 3

Add the Option 60 line using the following syntax:


option 60 asciiVCI string

For the VCI string, use the value “Cisco AP IW6300”. The quotation marks must be included.

Step 4

Add the Option 43 line using the following syntax:


option 43 hex hex string 

The hex string is assembled by concatenating the TLV values shown below:

Type + Length + Value

Where:

  • Type is always f1(hex).

  • Length is the number of controller management IP addresses times 4 in hex.

  • Value is the IP address of the controller listed sequentially in hex.

For example, suppose that there are two controllers with management interface IP addresses, 10.126.126.2 and 10.127.127.2. The type is f1(hex). The length is 2 * 4 = 8 = 08 (hex). The IP addresses translate to 0a7e7e02 and 0a7f7f02. Assembling the string then yields f1080a7e7e020a7f7f02. The resulting Cisco IOS command added to the DHCP scope is listed below:


option 43 hex f1080a7e7e020a7f7f02 

Performing a Pre-Installation Configuration

The following procedures ensure a successful access point installation and initial operational setup. Pre-installation configuration – priming the access point – is optional.


Note

If your network controller already properly configured, you can skip priming and simply install your access point in its final location and connect it to the network. See Deploying in a Wireless Network.

To prime the access point:

SUMMARY STEPS

  1. Ensure that the Cisco Wireless LAN Controller Management DS Port is connected to the network. Use the CLI, browser-based interface, or Cisco WCS procedures described in the appropriate Cisco Wireless LAN Controller guide to perform the following:
  2. Apply power to the access point. As the access point attempts to connect to the controller, the LEDs cycle through a green-red-amber sequence, which can take up to 5 minutes.
  3. (Optional) Configure the access point. Use the controller CLI, controller GUI, or Cisco Prime Infrastructure to customize access-point-specific IEEE 802.11ac network settings. On successful access point priming, the Status LED is green indicating normal operation.
  4. Disconnect the access point and mount it in location.

DETAILED STEPS


Step 1

Ensure that the Cisco Wireless LAN Controller Management DS Port is connected to the network. Use the CLI, browser-based interface, or Cisco WCS procedures described in the appropriate Cisco Wireless LAN Controller guide to perform the following:

  1. Ensure that the access points have Layer 3 connectivity to the Cisco Wireless LAN Controller Management and AP-Manager Interface.

  2. Configure the switch to which your access point is to attach. See the appropriate Cisco Wireless LAN Controller guide.

  3. Set the Cisco Wireless LAN Controller as the master so that new access points always join with it.

  4. Ensure that DHCP is enabled on the network.

    Note 
    The access point must receive its IP address through DHCP.
  5. Ensure that no CAPWAP UDP ports are blocked in the network.

  6. Use a DHCP, DNS, or IP subnet broadcast to ensure that the access point finds the IP address of the controller.

    Note 
    This guide describes the DHCP method to convey the controller IP address. For other methods, refer to product documentation. See also Configuring DHCP Option 43.
Step 2

Apply power to the access point. As the access point attempts to connect to the controller, the LEDs cycle through a green-red-amber sequence, which can take up to 5 minutes.

Step 3

(Optional) Configure the access point. Use the controller CLI, controller GUI, or Cisco Prime Infrastructure to customize access-point-specific IEEE 802.11ac network settings. On successful access point priming, the Status LED is green indicating normal operation.

Step 4

Disconnect the access point and mount it in location.

Note 
  • If the access point LEDs do not indicate normal operation, turn it off and repeat the access point priming procedure

  • When installing a Layer 3 access point on a different subnet than the Cisco Wireless LAN Controller, ensure that:

    • a DHCP server is reachable from the subnet on which you are installing the access point and that subnet has a return route to the Cisco Wireless LAN Controller.

    • the return route to the Cisco Wireless LAN Controller has destination UDP ports 5246 and 5247 open for CAPWAP communications.

    • the return route to the primary, secondary, and tertiary Cisco Wireless LAN Controllers allows IP packet fragments.

    • if using address translation, the access point and the Cisco Wireless LAN Controller have a static 1-to-1 NAT to an outside address. (Port address translation is not supported.)


Adding the Access Point MAC Addresses to the Controller Filter List

Before installing your access points, configure your controller by adding the MAC addresses of the access points to the filter list. The MAC address here refers to the PoE-IN port MAC address, which is printed on a label on the side of the unit.

MAC address filtering is enabled by default. This enables the controller to respond to the listed access points. To add a MAC filter entry on the controller, follow these steps:

SUMMARY STEPS

  1. Log into your controller using a web browser.
  2. Choose SECURITY >AAA >MAC Filtering > New .
  3. Enter the MAC address of the access point to the MAC Filter list; for example, 00:0B:91:21:3A:C7.
  4. Select a WLAN ID or Any WLAN from the Profile Name pop-up menu.
  5. Enter a description (32 characters maximum) of the access point in the Description field; for example, Fisher_Street_00.0B.91.21.3A.C7 shows the location and MAC address of the access point.
  6. Choose an interface from the Interface Name pop-up menu, and click Apply.
  7. Repeat Steps 2 to 6 to add other access points to the list.
  8. Save the controller configurations.
  9. Log out of your controller, and close your web browser.

DETAILED STEPS


Step 1

Log into your controller using a web browser.

Step 2

Choose SECURITY >AAA >MAC Filtering > New .

Step 3

Enter the MAC address of the access point to the MAC Filter list; for example, 00:0B:91:21:3A:C7.

Note 
The access point MAC address is needed only when IW-6300H is in mesh mode (bridge or flex+bridge).
Step 4

Select a WLAN ID or Any WLAN from the Profile Name pop-up menu.

Step 5

Enter a description (32 characters maximum) of the access point in the Description field; for example, Fisher_Street_00.0B.91.21.3A.C7 shows the location and MAC address of the access point.

Step 6

Choose an interface from the Interface Name pop-up menu, and click Apply.

Step 7

Repeat Steps 2 to 6 to add other access points to the list.

Step 8

Save the controller configurations.

Step 9

Log out of your controller, and close your web browser.


Configuring a Root Access Point

The access point defaults to the mesh access point (MAP) radio role. One or more of your access points must be reconfigured as a root access point (RAP). The RAPs connect to a wired Ethernet link through a switch to the controller. The MAPs use their wireless backhaul interface to connect to a RAP to reach the controller.

To configure a RAP on the controller GUI, follow these steps:

SUMMARY STEPS

  1. Log into your controller using a web browser.
  2. Click Wireless. When your access point associates to the controller, the name of the access point appears in the AP Name list.
  3. Double-click your access point name.
  4. Find Mesh Information, and choose Root AP by clicking the drop-down arrow in the AP Role field.
  5. Click Apply.
  6. Repeat Steps 2 through 5 for each RAP.
  7. Log out from your controller, and close your web browser.

DETAILED STEPS


Step 1

Log into your controller using a web browser.

Step 2

Click Wireless. When your access point associates to the controller, the name of the access point appears in the AP Name list.

Step 3

Double-click your access point name.

Step 4

Find Mesh Information, and choose Root AP by clicking the drop-down arrow in the AP Role field.

Step 5

Click Apply.

Step 6

Repeat Steps 2 through 5 for each RAP.

Step 7

Log out from your controller, and close your web browser.


Uplink Selection

The IW-6300H access points support multiple uplink options: SFP, PoE-IN, and wireless.

Only PoE-IN and SFP interfaces are uplink capable. The SFP interface has higher priority than the PoE-IN interface. Uplink port can only be latched to PoE-IN or SFP interface when the AP boots up. The uplink port can NOT be changed until power cycle the AP again. This mechanism is also applied to Mobility Express in Flex-connect mode.

Plugging and unplugging the SFP module will cause the AP to reboot. The SFP module monitor process is running after AP boots up. When it detects the SFP module is inserted or removed, it will make the AP to reboot. The PHY driver on SFP port will only be loaded by power recycle.

Connecting Data Cables

All models of the AP support data connections through the Ethernet port and the Small Form-factor Pluggable (SFP) port. However, both the Ethernet port and the SFP port cannot be used for uplink at the same time.

If the SFP is detected and active, the Ethernet port is disconnected. If the SFP is not detected, the Ethernet port stays connected.

If you are using the SFP port, to delivery data through a fiber-optic cable, then the AP needs to be powered by DC power, power adapter, or by a power injector.

The following sections describe uplink selection for different modes.

Uplink Selection for Local/Flex Mode

Use the following command on AP side to check the uplink port when AP joins the controller:


#show controllers nss status
CAPWAP Configuration:
|ID:34|TYPE:3|STATE:1|
|GATEWAY-MAC:00:59:DC:C2:08:81|AP-MAC:68:3B:78:98:63:A8|
|RADIO-BASE-MAC:DC:8C:37:35:C4:A0|PMTU:1485|
|WLC-IP:8.5.0.2|AP-IP:8.5.0.187|WLC-PORT:5247|AP-PORT:5248|
|DEST-PORT:1
|PROTO:0|TTL:250|FLBL:0|DTLS-ID:65535|
|VLAN-ID:0|OPT:0x0000000C|UQOSP:0|MQOSP:0|CSUM:1|
|L4RXBITS:  0|L4TXBITS:  0|L4HASHPROF:  0|

In the CLI output, “DEST-PORT:0” means the AP is using PoE-in port as capwap uplink port. “DEST-PORT:1” means the AP is using SFP port as capwap uplink port.

Uplink Selection for Bridge/Flex+Bridge Mode

When the PoE-IN interface is used as uplink port, the SFP interface should be kept unconnected.

If Root AP joined WLC on radio, when the wired interface become available, it will switch back to the wired interface. If Mesh AP joined WLC on radio, it will not try wired interface any more.

Use the following command on AP side to check the uplink for bridge or Flex+bridge mode:


#show mesh adj parent
AdjInfo: Wired Backhaul: 0
 [F4:DB:E6:6B:74:2C]
Mesh Wired Adjacency Info
Flags: Parent(P), Child(C), Reachable(R), CapwapUp(W), BlackListed(B) Authenticated(A)
Address           Cost RawCost BlistCount Flags: P C R W B A  Reject reason
F4:DB:E6:6B:74:2C 16   16      0            T/F: T F T T F T  -
------------------------------------------------------------------------------

In the CLI output, “Wired Backhaul: 0” means the AP is using PoE-in port as uplink port. “Wired Backhaul: 1” means the AP is using SFP port as uplink port.

Configuring PoE Out Function

The IW-6300H access points support PoE output functionality. There are two Ethernet LAN ports capable of supplying PoE power. The total available PoE power is 35.3W when the input power source is DC, DCW, or AC. The PoE output will be disabled when PoE (IEEE 802.3at, UPoE) or power injector is the power source.

By default, the PoE out function is enabled. You can enable or disable PoE out function per AP group or per AP by CLI options. During the AP reboot procedure, power manager reads local PoE configuration file to turn on or turn off power, so that AP can provide power before joining WLC.


Note

CDP/LLDP is not supported on PoE out ports. APs supply power based on hardware classification and power level configuration.


The following table shows the mapping between power level and power capacity.

Table 1. Power Level and Power Capacity Mapping

Power Level

Max PoE Class

Max Power from PSE

Usage

None

4

30W

Default

1

1

4W

Optional

2

2

7W

Optional

3

0/3

15.4W

Optional

4

4

30W

Optional

The following table shows the definition for class of PoE.

Table 2. IEEE Power Classifications

Class

Maximum power delivered by PSE

0 (class status unknown)

15.4W

1

4W

2

7W

3

15.4W

4

30 W (For IEEE 802.3at Type 2 powered devices)

The following table shows the IW-6300H access point POE out port power allocation. Power manager holds 35.3 Watts when power source is AC, DC, or DCW.

Table 3. PoE-Out Port Power Allocation

PoE Port 1

PoE Port 2

PSE: 35.3W

Disconnected

Class 0/1/2/3/4

Class 1

Class 0/1/2/3/4

Class 2

Class 0/1/2/3

Class 0/3

Class 0/1/2/3

Class 4

Class 1

Class 0/1/2/3/4

Disconnected


Note

PoE Out is not supported on WGB mode.

Note

For DC SKU, if you want to output 802.3at type 2 PoE out power, DC input must >=51V. If you want to output 802.3af (802.3at type 1) PoE out power, DC input must >=45V.

Configuration From AireOS WLC CLI

Use the following commands to configure the PSE function:

Global (AP Group Scope)


(Cisco Controller) >config wlan apgroup port lan [1|2] duplo [enable|disable]
(Cisco Controller) >config wlan apgroup port lan [1|2] duplo poe [enable|disable]
(Cisco Controller) >config wlan apgroup port lan [1|2] duplo power-level [1|2|3|4]
(Cisco Controller) >config ap group-name duplo AP6CB.D383.B404

Override (AP Specific Scope)


(Cisco Controller) >config ap lan over-ride [enable|disable] AP6C8B.D383.B404
(Cisco Controller) >config ap lan port-id [1|2] [enable|disable] AP6C8B.D383.B404
(Cisco Controller) >config ap lan port-id [1|2] poe [enable|disable] AP6C8B.D383.B404
(Cisco Controller) >config ap lan port-id [1|2] power-level [1|2|3|4] AP6C8B.D383.B404

Use the following commands to check the status:

From WLC


(Cisco Controller) >show wlan apgroups
Total Number of AP Groups........................ 1
Site Name........................................ default-group
Site Description................................. <none>
Lan Port configs
----------------

LAN Status POE Power Level RLAN
--- ------- ---- ---------- -----
1 Disabled Disabled None None
2 Disabled Disabled None None
3 Disabled None
4 Disabled Disabled None

(Cisco Controller) >show ap lan 1 <AP-Name>
LAN Port configuration for AP <AP-Name>
Lan Override .................................... Enabled
 Port    Status        PoE               Power-Level
------  --------    ---------            ----------------
 LAN1   DISABLED     DISABLED            1

(Cisco Controller)>show ap lan port-summary AP6C8B.D383.B404
LAN Port configuration for AP AP6C8B.D383.B404
Lan Override .................................... Enabled
Port Status POE Power Level
------ -------- -------- ----------------
LAN1 ENABLED ENABLED 3
LAN2 ENABLED ENABLED 2

From AP


ap >show power status
Device ID: 0xc4, Firmware Reversion:0x40, Bus:3, Address:0x24
Operating Mode: Semiauto
Available: 35.3(w)    Used:15.4(w)    Remaining:19.9(w)
Interface    Admin    Oper    Power    Class Max   Config Power
---------    -----    ----    -----    ---------   ------------
POE-out 1    Up       ON      8.1      30.0        15.4
POE-out 2    Up       OFF     0.0      0.0         30.0 

Configuration From AireOS WLC GUI

Global (AP group)

WLANs -> Advanced -> AP Groups -> specific AP group -> Ports/Module -> LAN Ports

Add AP to ap group

AP Override

Wireless -> Access Points -> specific AP -> Interfaces -> LAN Override/PoE/Power Level

Configuration From IOS-XE WLC CLI

Global (AP Group Scope)


#ap name APbadb.ade7.dd1e lan port-id 1 enable
#ap name APbadb.ade7.dd1e lan port-id 2 enable
(config)#ap remote-lan profile-name duplo_pse_profile 1
(config-remote-lan)#no shut
(config-remote-lan)#end
(config)#ap remote-lan-policy policy-name duplo_pse_policy
(config-remote-lan-policy)#poe
(config-remote-lan-policy)#power-level [1|2|3|4]
(config-remote-lan-policy)#no shut
(config-remote-lan-policy)#end
(config)#wireless tag policy duplo_pse_tag
(config-policy-tag)#remote-lan duplo_pse_profile policy duplo_pse_policy port-id 1
(config)#ap APbadb.ade7.dd1e
(config-ap-tag)#policy-tag duplo_pse_tag

Override (AP Specific Scope)


ap name APBADB.ADE7.DD1E lan port-id [1|2] [enable|disable]
ap name APBADB.ADE7.DD1E lan port-id [1|2] poe [enable|disable]
ap name APBADB.ADE7.DD1E lan port-id [1|2] power-level [1|2|3|4]

Use the following command to check the status:


eWLC#show ap name APBADB.ADE7.DD1E lan port summary
LAN Port status for AP APBADB.ADE7.DD1E
Port ID status vlanId poe power-level RLAN
----------------------------------------------------------------------
LAN1 Enabled 0 Enabled 3 Disabled
LAN2 Enabled 0 Enabled 2 Disabled

Configuration From IOS-XE WLC GUI

To configure PSE function, go to Configuration >Wireless >Access Points >specific AP >interfaces >LAN Port Settings , then select the following:

  • Status: Port admin status (enable/disable)

  • PoE: PoE function status (enable/disable)

  • Power Level: level 1 - 4 (4w, 7w, 15.4w, 30w)

RAP Ethernet Daisy Chain

In a daisy chain topology as shown in the following figure, if the link between RAP1 and RAP2 is broken, or RAP1 loses CAPWAP connectivity to the controller or switch, RAP2 will change its backhaul to wireless link. The Ethernet interfaces of RAP2 will be blocked and no child mesh AP will be allowed. Then, RAP3 and RAP4 will lose connection if they are far away from RAP1.

Figure 1. Ethernet Daisy Chain Topology

For the access point joining over wireless backhaul, it stays on wireless backhaul for 15 minutes and comes back to scan state every 15 minutes, until it finds a wired backhaul and joins the controller.

The RAP Ethernet Daisy Chain feature enhances the existing Ethernet bridging functionality by introducing a new command to configure strict wired uplink on each access point. It forces the bridge AP to stick to the Ethernet link, and block the selecting of wireless link for uplink backhaul. Even the Ethernet link failure happens, the access point will never select a parent over wireless backhaul.

The following figure shows an example of RAP Ethernet Daisy Chain topology. Standalone power source (AC, DC, or power injector) is provided to each RAP.

Figure 2. RAP Ethernet Daisy Chain Topology

When strict-wired-uplink is enabled, if RAP1 loses CAPWAP connection or the mesh function is broken, but the physical link between RAP1 and the switch is still connected, all RAPs behind RAP1 in the chain will not lose uplink and CAPWAP connection. Traffic can be forwarded as usual. However, all the remaining RAPs in the chain will lose CAPWAP connection if the physical link between RAP1 and the switch is broken, or RAP1 is restarted.

Configuration Guidelines

The following table shows the port mapping between panel lable and software configuration CLI.

Table 4. Port Mapping

Panel Label

SW Interface

POE IN

wired 0

SFP

wired 1

POE OUT 1

wired 2

POE OUT 2

wired 3

Follow these guidelines when you configure this feature:

  • All APs in daisy chain should be operating in Bridge or Flex+Bridge mode with Root AP role.

  • PoE-IN (wired0) and SFP (wired1) port can be used as uplink port, but PoE-OUT (wired2 and wired3) cannot be used as uplink port. PoE-IN (wired0) port and PoE-OUT(wired2 and wired3) ports can be used as downlink port.

  • SFP (wired1) port cannot be used as downlink. When PoE-IN (wired0) is used as uplink, SFP (wired1) port should be disconnected. When SFP (wired1) port is used as uplink, you can use GLC-T to connect to other AP’s Ethernet port.

  • Ethernet bridging on all RAPs in the chain should be enabled and secondary Ethernet interfaces needs to be configured according to the mesh deployment guidelines.

  • VLAN transparency should be disabled on all daisy-chained RAPs.

  • The RAPs in Ethernet Daisy Chain can accept MAP association and wireless client association.

  • Strict wired uplink must be enabled to prevent RAP in daisy chain from switching to wireless backhaul when the wired uplink path fails, so that the RAP can recover quickly when the uplink wired path is recovered.

  • All the traffic will go through RAP1 which is a bottleneck and the total network throughput is limited. There should be around 10% bandwidth reserved for CAPWAP management traffic in high traffic load case.


Note

After the configuration, the AP may be in MAP role. It is required to prime all AP to RAP role before connecting all of them with the wired connection. Otherwise there may be loop issues if MAP uses wireless backhaul to connect to the other AP.

The following are two deployment options.

Option 1

SUMMARY STEPS

  1. Connect the mesh AP to WLC through wired connection.
  2. Prime all APs to RAP role on the daisy chain topology.
  3. Configure config ap bridging enable <Cisco_AP > to enable Ethernet bridging. This command allows the next AP to connect on its Secondary Ethernet interface.
  4. Configure config ap strict-wired-uplink enable <Cisco_AP > to enable the feature. At this time, the AP can only connect to WLC through a wired connection.
  5. Connect all APs using wired RAP daisy chain topology.

DETAILED STEPS


Step 1

Connect the mesh AP to WLC through wired connection.

Step 2

Prime all APs to RAP role on the daisy chain topology.

Step 3

Configure config ap bridging enable <Cisco_AP > to enable Ethernet bridging. This command allows the next AP to connect on its Secondary Ethernet interface.

Step 4

Configure config ap strict-wired-uplink enable <Cisco_AP > to enable the feature. At this time, the AP can only connect to WLC through a wired connection.

Step 5

Connect all APs using wired RAP daisy chain topology.


Option 2

SUMMARY STEPS

  1. Connect all the APs using wired RAP daisy chain topology. Make sure all APs are powered off.
  2. Power on the first AP which is closest to the switch or WLC. Make sure it can connect to WLC through a wired connection.
  3. Set the AP role to RAP.
  4. Configure config ap bridging enable <Cisco_AP > to enable Ethernet bridging. This command allows the next AP to connect on its Secondary Ethernet interface.
  5. Configure config ap strict-wired-uplink enable <Cisco_AP > to enable the feature. At this time, the AP can only connect to WLC through a wired connection.
  6. Power on the AP which is next to the previous AP.
  7. Repeat Step3 to Step 5.

DETAILED STEPS


Step 1

Connect all the APs using wired RAP daisy chain topology. Make sure all APs are powered off.

Step 2

Power on the first AP which is closest to the switch or WLC. Make sure it can connect to WLC through a wired connection.

Step 3

Set the AP role to RAP.

Step 4

Configure config ap bridging enable <Cisco_AP > to enable Ethernet bridging. This command allows the next AP to connect on its Secondary Ethernet interface.

Step 5

Configure config ap strict-wired-uplink enable <Cisco_AP > to enable the feature. At this time, the AP can only connect to WLC through a wired connection.

Step 6

Power on the AP which is next to the previous AP.

Step 7

Repeat Step3 to Step 5.


Mesh Configuration From AireOS WLC or ME Controller

Follow these steps to configure from WLC or ME controller:

SUMMARY STEPS

  1. Configure AP to bridge or Flex+Bridge mode if AireOS WLC is used. For ME controller, only Flex+Bridge mode is supported.
  2. Configure AP role to rootAP.
  3. Enable Ethernet bridging.
  4. Configure access mode or trunk mode for the RAP Ethernet secondary port PoE-OUT1 and PoE-OUT2. POE-IN port also can be used as secondary port if SFP port acts as uplink port.

DETAILED STEPS


Step 1

Configure AP to bridge or Flex+Bridge mode if AireOS WLC is used. For ME controller, only Flex+Bridge mode is supported.

Example:


(WLC) > config ap mode bridge <Cisco AP>
(WLC) > config ap mode flex+bridge submode none <Cisco AP>

Step 2

Configure AP role to rootAP.

Example:


(WLC) > config ap role rootAP <Cisco AP>

Step 3

Enable Ethernet bridging.

Example:


(WLC) > config ap bridging enable <Cisco AP>

Step 4

Configure access mode or trunk mode for the RAP Ethernet secondary port PoE-OUT1 and PoE-OUT2. POE-IN port also can be used as secondary port if SFP port acts as uplink port.

  1. Access mode configuration

    Example:

    
    (WLC) > config ap ethernet [2|3] mode access enable <AP name>
    
    
  2. Trunk mode configuration, vlan support must be enabled in advance and disable vlan transparent

    Example:

    
    (WLC) > config mesh ethernet-bridging vlan-transparent disable
    (WLC) > config ap vlan-trunking enable <Cisco AP>
    (WLC) > config ap vlan-trunking native <Vlan-ID> <Cisco AP>
    (WLC) > config ap ethernet [2|3] mode trunk enable <Cisco AP> native-vlan <Vlan-ID>
    (WLC) > config ap ethernet [2|3] mode trunk add <Cisco AP> <Vlan-ID>
    
    

Configuring Strict Wired Uplink

Use the following command to enabled or disable strict wired uplink on a specific AP. Mesh function will restart after this configuration.


(Cisco Controller) > config ap strict-wired-uplink {enable|disable} <Cisco_AP>
enable         Enables Strict Wired Uplink on the Cisco AP.
disable        Disables Strict Wired Uplink on the Cisco AP.

Verifying the Configuration

Use the following command to check the status of strict-wired-uplink:


(WLC) >show ap config general <Cisco_AP>
AP Mode ......................................... Bridge 
AP Role ......................................... RootAP
Ethernet Bridging ............................... Enabled
Strict Wired Uplink ............................. Enabled
AP Vlan Trunking ................................ Enabled
AP Native Vlan ID: .............................. 120

Use the following command to display the feature status for all bridge RAP:


(WLC) >show mesh strict-wired-uplink summary
AP Name                AP Model             BVI MAC          Role  Bridge Group Name   Strict Wired Uplink
------------------  -------------------  -----------------   ----  -----------------  --------------------
duplo-ap2            ESW-6300-CON-B-K9    6c:8b:d3:83:b4:04  RAP   default            Disable
duplo-ap1            ESW-6300-CON-B-K9    6c:8b:d3:83:b4:68  RAP   default            Enable
Number of Mesh RAP Strict Wired Uplink Set....... 1

Use the following command to check RAP Ethernet status:


(WLC) >show mesh env summary

AP Name             Temperature(C/F)  TempState  Heater  Battery Orientation Ethernet
------------------ ----------------   ---------  ------  ------- ----------- --------
duplo-ap1               50/122          GREEN     OFF     N/A  N/A           UpUpUpUp <--(Note: interface order: wired0, wired1, wired2, wired3)
duplo-ap2               72/161          GREEN     OFF     N/A  N/A           UpUpUpDn

Use the following command to check Ethernet interface Vlan configuration:


(WLC) >show ap config ethernet summary
Vlan Tagging Information For AP duplo-ap1
Ethernet 0
Mode: ACCESS
Access Vlan 0
Ethernet 1
Mode: ACCESS
Access Vlan 0
Ethernet 2
Mode: TRUNK
Native Vlan 120
Allowed Vlans:
Ethernet 3
Mode: ACCESS
Access Vlan 0

Use the following AP commands to check RAP status on the AP:


duplo-ap1#show mesh config
 AP Specific Configuration:
 AP Role: Root AP
 Backhaul Mode: 802.11a
 Internal DHCP Running Status: Disabled
 Strict Wired Uplink: Enabled
 Ethernet Bridging: Enabled

duplo-ap1#show mesh forwarding all
 Vlan config
 Static Secondary Ethernet VLAN Configuration :
 Active Ethernet Interface: wired2
 Port Secondary Mode: TRUNK
 Port Secondary Native Vlan: 120
 Allowed Vlan:
 Static Transparent Mode For All Secondary Ethernet Ports: Disabled
 Static Ap Native Vlan: 120
 Running Ap Native Vlan: 120
 Running Secondary Ethernet VLAN Configuration :
 Active Ethernet Interface: wired2
 Port Mode: TRUNK
 Port Native Vlan: 120
 Allowed Vlan:
 Running Transparent Mode : Disabled

duplo-ap1#show mesh backhaul
Wired Backhaul: 0 [6C:8B:D3:83:B4:68] <-------------POE-IN Port
idx Cost    Uplink InterfaceType
0   Invalid FALSE  WIRED
Mesh Wired Adjacency Info
Flags: Parent(P), Child(C), Reachable(R), CapwapUp(W), BlackListed(B) Authenticated(A)
Address           Cost RawCost BlistCount Flags: P C R W B A Reject reason
6C:8B:D3:83:B4:68 16   16      0            T/F: F F F F F F Filtered
----------------------------------------------------------------
Wired Backhaul: 1 [6C:8B:D3:83:B4:68] <-------------SFP Port
idx Cost Uplink InterfaceType
1   16   TRUE   WIRED
Mesh Wired Adjacency Info
Flags: Parent(P), Child(C), Reachable(R), CapwapUp(W), BlackListed(B) Authenticated(A)
Address           Cost RawCost BlistCount Flags: P C R W B A Reject reason
6C:8B:D3:83:B4:68 16   16      0            T/F: T F T T F T -
----------------------------------------------------------------
Radio Backhaul: 0 [6C:8B:D3:D5:31:31]
idx State   Role   RadioState Cost    Uplink Downlink Access ShutDown ChildrenAllowed InterfaceType
2   INITIAL ACCESS UP         Invalid FALSE  FALSE    TRUE   FALSE    FALSE           RADIO
No Radio Adjacency Exists
------------------------------------------------------------------------------
Radio Backhaul: 1 [6C:8B:D3:D5:31:31]
idx State Role     RadioState Cost    Uplink Downlink Access ShutDown ChildrenAllowed InterfaceType
3   MAINT DOWNLINK UP         Invalid FALSE  TRUE     FALSE  FALSE    TRUE            RADIO
No Radio Adjacency Exists
------------------------------------------------------------------------------

Mesh Configuration From IOS-XE WLC Controller

Configure access mode or trunk mode for the RAP ethernet secondary port PoE-OUT1 and PoE-OUT2.

  • Access mode configuration

    
    #ap name a mesh ethernet 2 mode access <Vlan-ID>
    
  • Trunk mode configuration, vlan support must be enabled in advance and disable vlan transparent

    
    #ap name <Cisco AP> mesh vlan-trunking
    #ap name <Cisco AP> mesh vlan-trunking native <Vlan-ID> 
    #ap name <Cisco AP> mesh ethernet 2/3 mode trunk vlan native <Vlan-ID>
    #ap name <Cisco AP> mesh ethernet 2/3 mode trunk allowed <Vlan-ID>
    
  • The configuration of ssid-broadcast-persist has the same function with strict wired uplink in AireOS controller. To enable ssid-broadcast-persist:

    
    #configure terminal
    (config)#ap profile rap-ssid-join-profile
    (config-ap-profile)#ssid broadcast persistent
    Enabling persistent SSID broadcast will cause associated APs to rejoin.
    Are you sure you want to continue? (y/n)[y]: y
    (config-ap-profile)#end
    #show ap profile name rap-ssid-join-profile detailed | in SSID
    Persistent SSID Broadcast     : ENABLED
    
  • To disable ssid-broadcast-persist:

    
    #config terminal
    (config)#ap profile rap-ssid-join-profile
    (config-ap-profile)#no ssid broadcast persistent
    Disabling persistent SSID broadcast will cause associated APs to rejoin.
    Are you sure you want to continue? (y/n)[y]: y
    (config-ap-profile)#end
    #show ap profile name rap-ssid-join-profile detailed | in SSID
    Persistent SSID Broadcast     : DISABLED

Checking ssid-broadcast-persist Status From IOS-XE WLC Controller


Note

Configuring and showing status of ssid-broadcast-persist are only supported by CLI, and not supported on GUI.
  • Use the following command to check if ssid-broadcast-profile is enabled or disabled:

    
    #show ap profile name ssid-ap-profile detailed
    Persistent SSID Broadcast : ENABLEDDHCP server : DISABLED
    -----------------------------------------------------------
    Persistent SSID Broadcast : DISABLEDDHCP server : DISABLED
    
  • Use the following command to associate AP profile to a site tag and then to a specific AP:

    
    #config terminal
    (config)#wireless tag site ssid-policy-tag
    (config-site-tag)#ap-profile rap-ssid-join-profile
    Changing ap profile mapping may result in the rejoin of AP's associated to the Site   tag
    (config-site-tag)#end
    #config terminal
    (config)#ap 6c8b.d383.b468
    (config-ap-tag)#site-tag rap-ssid-site-tag
    Associating site-tag will cause associated AP to reconnect
    (config-ap-tag)#end
    

Configuring Flexible Antenna Port (FlexPort)

The IW-6300H access point antenna connectors are located on the top of each model (see Figure 1). The antenna port (FlexPort) can be configured via software to support dual band or single band antennas.

When configured for dual band mode, antenna ports A and B are used to support multiple input/output (MIMO) operation on both 2.4 and 5 GHz radios.

When configured for single band mode, antenna ports A and B support MIMO operation on the 2.4 GHz radio and antenna ports C and D support MIMO operation on the 5 GHz radio.


Note

The configuration of FlexPort is supported only on AireOS controller (WLC or ME), and is not supported on IOS-XE WLC.
Figure 3. Antenna Ports of IW-6300H Access Points

1

Antenna port B - Type N connector Wi-Fi 2.4/5 GHz TX/RX

3

Antenna port D - Type N connector Wi-Fi 5 GHz TX/RX

2

Antenna port C - Type N connector Wi-Fi 5 GHz TX/RX

4

Antenna port A - Type N connector Wi-Fi 2.4/5 GHz TX/RX

Configuration From AireOS WLC CLI

Use the following command to configure antenna band mode:

(Cisco Controller) >config ap antenna band-mode {single | dual } < AP_name >

The Antenna Band mode can be displayed by issuing the command:

(Cisco Controller) >show ap config {802.11a |b } <AP_name >

(Cisco Controller) >show ap config general <AP_name >

The output will contain many fields, one of which is the Antenna Band Mode as shown below:

Antenna Band Mode ............................... Dual

Example


(wlc-3504) >config ap antenna band-mode single IW6300DCW
Changing the antenna band mode may strand mesh APs.
Are you sure you want to continue? (y/N)y
(wlc-3504) >show ap config 802.11a IW6300DCW
Cisco AP Identifier.............................. 14
Cisco AP Name.................................... IW6300DCW
Country code..................................... US  - United States
Regulatory Domain allowed by Country.............  802.11bg:-AB    802.11a:-AB
Antenna Band Mode ............................... Dual
.....
(wlc-3504) >show ap config general IW6300DCW
Cisco AP Identifier.............................. 14
Cisco AP Name.................................... IW6300DCW
.....
Antenna Band Mode ............................... Single
.....

For dual band mode, choose only ANT-A/B for both 2.4G and 5G. For single band mode, choose ANT-A/B for 2.4G, and ANT-C/D for 5G. You can choose one antenna or two antennas in corresponding radio.

Use the following command to choose corresponding antenna:

config {802.11a |802.11b } 11nSupport antenna <AP_name > {A |B } {enable |disable }

Example


(wlc-3504) >config 802.11a disable IW6300DCW
(wlc-3504) >config 802.11a 11nSupport antenna IW6300DCW B disable
(wlc-3504) >config 802.11a 11nSupport antenna IW6300DCW A enable
(wlc-3504) >config 802.11a enable IW6300DCW

Checking Status from AP Side

Use the following command to check the status from AP side:


IW6300DCW#show capwap client config
AdminState                         : ADMIN_ENABLED(1)
Name                               : IW6300DCW
Slot 0 Config:
    Radio Type                : RADIO_TYPE_80211bg
    Antenna Band Mode         : Antenna Sector B
Slot 1 Config:
    Radio Type                : RADIO_TYPE_80211a
    Antenna Band Mode         : Antenna Sector B

In the output, Antenna Sector B means Dual Band mode, and Antenna Sector A means Single Band mode.

Configuration From AireOS WLC GUI

To change the antenna band mode from WLC GUI, go to the Wireless > Access Point > AP_NAME > Advanced tabs, and then select Dual /Single .

A warning message will be displayed on a popup window: “A|B|C|D” corresponding to IW6300 Panel antenna port. Click OK to make the change.

To choose corresponding antenna from WLC GUI, go to Wireless > Access Points > Radios > {802.11a/n/ac/ax | 802.11b/g/n/ax} > AP name > Configure .

Go to the AP Radio Configure Tab and choose corresponding antenna.

Configuration From AireOS ME GUI

To change the antenna band mode from ME GUI, go to Wireless Settings > Access Points > click config bottom of AP >, then select the Antenna Band mode Single /Dual .

To choose corresponding antenna from ME GUI, go to Wireless Settings > Access Points > click config bottom of AP >, then select Antenna A/B for Radio 1/2.

IOx Configuration

IOx is Cisco’s implementation of “Fog Computing”. IOx enables hosting of applications and services developed by Cisco. The IOx application can be easily deployed by Cisco IOx fog director, it’s partners and third party developers in the network edge devices in a seamless fashion across diverse and disparate hardware platforms.

With IOx support, IoT partners can enable application and services on the IW6300.

IOx function is officially supported on IW6300 from Release 8.10. IOx is not supported to be deployed on AP with Mobility Express image. IOx feature can be configured from AireOS Controller and AP side, but not supported on IOS-XE WLC.

Computing Resource on AP

Applications quantity:

Recommend to deploy only one APP.

CPU: 

IOx applications could consume 25% of total CPU resource(50% of CPU0). IOx apps will not impact AP normal data forwarding.

Memory:

Maximum 200MB

Disk:

Maximum 32MB

IOx Configuration on AireOS Controller (WLC/ME)


Note

IOx can be configured by AireOS Controller while AP is in non-default ap-group.

For ME deployment, you need to disable Efficient Join from ME GUI → Management → Software Update → Efficient Join, to avoid capwap AP upgrading to ME image.


Follow these steps to configure IOx on AireOS controller:

SUMMARY STEPS

  1. Configure AP to apgroup from GUI or CLI.
  2. Enable App Host on apgroup from CLI. IOx on all AP in this ap-group will be enabled.

DETAILED STEPS


Step 1

Configure AP to apgroup from GUI or CLI.

  • Configuration From GUI

    1. To add a new AP group, choose WLANs -> Advanced -> AP Groups -> Add Groups .

    2. To add APs to the group, choose WLANs -> Advanced -> AP Groups -> AP Group Name -> APs -> Add APs .

  • Configuration From CLI

    1. Use the following command to create AP group:

      config wlan apgroup add group-name

    2. Use the following command to add AP to the group:

      config ap group-name <group-name > <AP_name >

      
      (wlc-3504) >config ap group-name iox-group IW6300DCW
      Changing the AP's group name will cause the AP to reboot.
      Are you sure you want to continue? (y/n) y
      
Step 2

Enable App Host on apgroup from CLI. IOx on all AP in this ap-group will be enabled.

config ap apphost apgroup <group-name> {enable |disable }

Example:


(wlc-3504) >config ap apphost apgroup iox-group enable
(wlc-3504) >config ap apphost apgroup iox-group disable

Verifying the Configuration

Use the following commands to verify your configuration:


(wlc-3504) >show ap apphost ap-name IW6300DCW
App Host configuration:
App Host Status.............: Enabled

(wlc-3504) >show ap apphost apgroup iox-group
App Host configuration:
App Host Status.............: Enabled

Related Documentation