
Rowell Dionicio

Get Techie With It


Wireless

Aruba IAP-514 for APoS

August 29, 2021 By Rowell

My trusty Aruba IAP-514 has been sitting collecting dust for a while since I’ve let my Aruba Central license expire. But I’ve renewed interest in my Aruba IAP because apparently I can run it in standalone mode.

There’s an upcoming project where I need to use my IAP for an AP-on-a-Stick survey so I thought I should give it a shot and convert my IAP-514 to standalone to get more familiar with ArubaOS.

Course For You

At Clear To Send, we have a course, A Practical Guide to Site Surveys, in which we go in depth on doing an APoS survey along with the tools you need to perform one.

Aruba IAP + Ventev Venvolt

Reset Aruba AP

Since this was previously set up to Aruba Central, I needed to reset it and start fresh. The easiest way to do that is to hold the Reset button for 15 seconds while booting up the IAP.

When doing this step, your IAP will need network access. It won’t properly boot up without DHCP. You can check out this Aruba document for more information.

Wait for the IAP to fully boot up. The system LED will stay green while the radio LED will blink occasionally to show that the radio is up and running.

Join the SetMeUp-XX:XX:XX SSID, which is used for setting up the IAP. Or browse to the IP address of the AP if you know it.

A login screen will be presented to you.

On firmware version 8.6+, the username will be “admin”. The password will be the serial number of the AP.

After logging in, select the correct Country Code and click OK.

You will be placed on the dashboard and you’re ready to configure your IAP!

Configure Standalone Mode

On the left navigation, click on Maintenance and then About to see which version you’re running. On my IAP-514 I’m running 8.6.0.4.

Go to Maintenance > Convert and, from the Convert one or more Access Points to dropdown, select “Standalone AP”.

For the Access Point to convert dropdown, select the AP you’re logged into. Hopefully, no other APs have joined this virtual controller. If there are, ensure you’re converting the correct AP.

Then click on Convert.

Aruba will ask you to confirm you’re converting the correct AP. Click OK.

The AP will then reboot. When ready, log back in.

Creating a Network

Create a Network under Configuration > Networks.

Click on the + sign.

Give the network a Name, Type, and Primary usage. For Primary usage I am selecting Employee. Click Next.

Under the VLAN section, select Virtual Controller managed for Client IP assignment. For Client VLAN assignment, select Custom.

Next to Select Scope, click on the Add button.

Scroll down under Local DHCP Scopes. Click Add button.

This DHCP scope will be used for when devices associate to the SSID you’re creating on this AP. Fill out the details and use a desired network and scope.

Click OK.

Select the newly created scope from the dropdown. Click Next.

Under Security, select your security type. Maybe you just need an open SSID for APoS purposes. Then click Next.

Under the Access section, set the Access Rules to Unrestricted unless you need to do something differently here. But for APoS we need to keep it simple. Now you’re done with the configuration of an SSID. You’ll see your SSID listed under Networks.

Access Point Configuration

Click on Access Points and select your AP. Click on the pencil icon to edit.

Expand Radio and configure radio settings such as the channel and transmit power.

Expand External Antenna and configure the proper antenna gain, depending on the antenna you choose to use.

Click Save.

Navigate to Configuration > System and expand General. Change the system name. Click Save.

Go back to Configuration > Access Points > Edit your AP > Expand General and modify the AP name and give it a static IP so you can connect to it during your APoS, if needed.

Reboot the AP for the changes to take effect.

Wait for the AP to boot, then start your APoS and join the AP for your survey.

How to Convert Cisco C9115 to Embedded Wireless Controller (EWC)

February 13, 2021 By Rowell

Embedded Wireless Controller (EWC) is a powerful way to deploy access points in an environment without the need for a dedicated physical controller such as the C9800-L. One of the access points will carry the virtual controller role and all other supported access points join to that controller.

Another great use case for EWC is for AP-on-a-Stick surveys. This is the reason why I needed to convert a Cisco C9115 to EWC mode from CAPWAP. A client of mine plans on deploying the C9115 but we needed to make the predictive survey more accurate.

My Cisco C9115 was originally joined to a Cisco 3504 controller running 8.10 code and thus is running in CAPWAP mode.

Table Of Contents
  1. Download EWC
  2. Transfer Files to the C9115
  3. Provisioning

Download EWC

Download the Embedded Wireless Controller (EWC) code from Cisco’s website. For this example, I’m using version 16.12.4.

It’s up to you which version you want to download. I generally stay with the recommended version unless there’s something specific you need from another version. You will need a login to download the file, which is in zip format.

Extract the contents of the zip file.

Contents of the EWC zip file

We must extract the contents because we only need two files. One is the image for the C9115 and the other is the C9800 controller file.

The C9115 needs the ap1g7 image file and our controller file is C9800-AP-iosxe-wlc.bin.

If you’re using another access point model, consult with the table below:

AP Model                    Image File Name
AP1815, AP154x              ap1g5
AP180x, AP183x, AP185x      ap1g4
C9115, C9120                ap1g7
C9117                       ap1g6
C9130                       ap1g6a
AP380x, AP280x, AP156x      ap3g3

Transfer Files to the C9115

Next step is to fire up a TFTP server and transfer the files to the access point. Obviously, you’ll need connectivity to the access point in order to SSH and issue some commands.

First, transfer the two required files to your TFTP directory and ensure you set the correct permissions. I’m using macOS and an application called TftpServer.

EWC files in the TFTP directory
Files showing up in TftpServer

Next, SSH into your access point and run the conversion command to convert the C9115 from CAPWAP to EWC:

P6-AP-01#ap-type ewc-ap tftp://172.16.103.37/ap1g7 tftp://172.16.103.37/C9800-AP-iosxe-wlc.bin

The IP address you see here is my TFTP Server. Change yours accordingly. Once the files are successfully downloaded, the AP will reboot. The C9800 bin file will be downloaded first followed by the AP image.

 
 P6-AP-01#ap-type ewc-ap tftp://172.16.103.37/ap1g7 tftp://172.16.103.37/C9800-AP-iosxe-wlc.bin
 Starting download eWLC image tftp://172.16.103.37/C9800-AP-iosxe-wlc.bin ...
 It may take a few minutes. If longer, please abort command, check network and try again.
 ################################################################################################################# 100.0%
 Image download completed.
 Checking ...OK
 Checking image size...OK
 Verifying ...OK
 Versioning ...ws_management_version: 16.12.04a.0.9
 Successfully downloaded and setup eWLC image.
 Starting download AP image tftp://172.16.103.37/ap1g7 ...
 It may take a few minutes. If longer, please abort command, check network and try again.
 ################################################################################################################# 100.0%
 Image download completed.
 Upgrading ...
 upgrade.sh: Script called with args:[NO_UPGRADE]
 do NO_UPGRADE, part1 is active part
 upgrade.sh: Script called with args:[-c PREDOWNLOAD]
 do PREDOWNLOAD, part1 is active part
 upgrade.sh: Start doing upgrade arg1=PREDOWNLOAD arg2=,from_cli arg3= ...
 upgrade.sh: Using image /tmp/cli_part.tar on axel-bcm ...
 Image signing verify success.
 

 [2/8/2021 10:56:28] : Shadow is now in-synced with master
 

 [2/8/2021 10:56:28] : Verifying against bundle image btldr.img...
 upgrade.sh: part to upgrade is part2
 upgrade.sh: AP version1: part2 8.10.121.0, img 16.12.4.31
 upgrade.sh: Untar /tmp/cli_part.tar to /bootpart/part2...
 upgrade.sh: Sync image to disk...
 upgrade.sh: AP version2: part2 16.12.4.31, img 16.12.4.31
 upgrade.sh: AP backup  version: 16.12.4.31
 upgrade.sh: Finished upgrade task.
 upgrade.sh: Cleanup for do_upgrade...
 upgrade.sh: /tmp/upgrade_in_progress cleaned
 upgrade.sh: Cleanup tmp files ...
 upgrade.sh: Script called with args:[ACTIVATE]
 do ACTIVATE, part1 is active part
 upgrade.sh: activate part2, set BOOT to part2
 upgrade.sh: AP primary version after reload: 16.12.4.31
 upgrade.sh: AP backup  version after reload: 17.3.1.9
 Successfully setup AP image.
 Archive done. 
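
TFTP offers no authentication or integrity protection, so it is worth checking the two files in the TFTP directory before running the conversion command. The following is an added example, not code from the original post or from Cisco: it picks the image name from the table above, compares each file's SHA-512 with a value you supply from a trusted source (an assumption, for example the checksum shown where you downloaded the zip), and only then builds the `ap-type ewc-ap` command. The function names and the stand-in files in `constructed_demo` are hypothetical.

```python
import hashlib
import ipaddress
import tempfile
from pathlib import Path

# AP model -> AP image file name, copied from the table in the post.
AP_IMAGE = {
    "AP1815": "ap1g5", "AP154x": "ap1g5",
    "AP180x": "ap1g4", "AP183x": "ap1g4", "AP185x": "ap1g4",
    "C9115": "ap1g7", "C9120": "ap1g7",
    "C9117": "ap1g6",
    "C9130": "ap1g6a",
    "AP380x": "ap3g3", "AP280x": "ap3g3", "AP156x": "ap3g3",
}
CONTROLLER_IMAGE = "C9800-AP-iosxe-wlc.bin"


def sha512_of(path):
    """Hash a file in 1 MiB blocks so large images are not read into memory."""
    digest = hashlib.sha512()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(1 << 20), b""):
            digest.update(block)
    return digest.hexdigest()


def stage_conversion(model, tftp_dir, tftp_ip, expected_sha512):
    """Return the ap-type command, or raise ValueError naming every problem."""
    if model not in AP_IMAGE:
        raise ValueError(f"unknown AP model {model!r}")
    ipaddress.ip_address(tftp_ip)  # raises ValueError on a malformed address
    problems = []
    for name in (AP_IMAGE[model], CONTROLLER_IMAGE):
        path = Path(tftp_dir) / name
        if not path.is_file():
            problems.append(f"{name}: missing from TFTP directory")
        elif name not in expected_sha512:
            problems.append(f"{name}: no expected checksum supplied")
        elif sha512_of(path) != expected_sha512[name].strip().lower():
            problems.append(f"{name}: SHA-512 mismatch")
    if problems:
        raise ValueError("; ".join(problems))
    base = f"tftp://{tftp_ip}"
    return f"ap-type ewc-ap {base}/{AP_IMAGE[model]} {base}/{CONTROLLER_IMAGE}"


def constructed_demo():
    """Run the check on constructed stand-in files (not real Cisco images)."""
    with tempfile.TemporaryDirectory() as tftp_dir:
        contents = {
            "ap1g7": b"constructed AP image",
            CONTROLLER_IMAGE: b"constructed controller image",
        }
        expected = {}
        for name, data in contents.items():
            (Path(tftp_dir) / name).write_bytes(data)
            expected[name] = hashlib.sha512(data).hexdigest()
        command = stage_conversion("C9115", tftp_dir, "172.16.103.37", expected)
        # Simulate a corrupted or swapped file sitting in the TFTP directory.
        (Path(tftp_dir) / "ap1g7").write_bytes(b"tampered")
        try:
            stage_conversion("C9115", tftp_dir, "172.16.103.37", expected)
            error = None
        except ValueError as exc:
            error = str(exc)
    return command, error


if __name__ == "__main__":
    for line in constructed_demo():
        print(line)
```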

Provisioning

Once the access point successfully boots, you’ll see a provisioning SSID called CiscoAirProvision-XXXX. The last part of the SSID will be the last octet of the AP’s MAC address.

CiscoAirProvision

The default password for the provisioning SSID is password.

The IP address of the controller is 192.168.1.1.

Log into the web interface with the following credentials:

Username: webui
Password: cisco

You’ll be required to perform Day 0 configuration, which covers the basics needed to get EWC running. Sections to configure include the country code, management user, management IP address, and a wireless network.

General Configuration
WLAN Configuration

When you’re done, click on Finish.

Wait for things to reconfigure and then you’re off and running with your Cisco Embedded Wireless Controller. Just remember to use the new management IP address you configured, if you changed it.

Cisco Catalyst 9800-CL – High Availability

November 30, 2020 By Rowell

Everyone wants high availability with their infrastructure. With Catalyst 9800 wireless LAN controller capable of being installed as a virtual machine, do you really need high availability?

I’d be nervous to have all my virtual machines on a single host. If that host failed, you lose everything. In regards to the Catalyst 9800-CL wireless LAN controller, we have the ability to configure two instances in high availability with stateful switchover.

High availability (HA) will provide minimal downtime for the wireless controllers. In this configuration, there will be an Active and Standby wireless controller.

Stateful switchover allows access points to establish a CAPWAP tunnel to the Active controller. The Active controller will copy a database of joined access points to the Standby wireless controller. Additionally, a client database is copied to the Standby wireless controller.

In summary, when the Active wireless controller fails, the Standby takes over with the access points and clients still connected seamlessly. The access points will not go into a Discovery state and clients will not get disconnected.

When deploying the Catalyst 9800-CL, there are three interfaces bound in the configuration. The third interface, GigabitEthernet3, is used as the dedicated Redundancy Port (RP).

This post describes configuring High Availability for the Catalyst 9800-CL in VMware ESXi 6.7.

Restrictions

There are some restrictions to keep in mind before configuring High Availability:

  • Keep the VMs on the same platform (ESXi, KVM, AWS, etc)
  • Both VMs are running the same version of software
  • Both VMs are running in the same installation mode
  • The IP addresses of the Redundant Port should be on the same subnet
  • Both devices have their own wireless management interface
  • Wireless management interface of both VMs must be in the same subnet
  • Both VMs should have the same CPU, memory, and hard disk

Connecting the Redundancy Port to a vSwitch

The RP on each Catalyst 9800-CL should be connected to their own vSwitch.

I’m running VMware ESXi 6.7. The first thing we need to do is create a vSwitch for the purposes of connecting the Redundancy Ports. For this demo, I’ll be configuring High Availability on a single host.


Go to Networking -> Virtual switches -> and click on Add standard virtual switch

Give the vSwitch a name and click Add.

Edit the settings for each 9800-CL virtual machine and change the network interface for the RP to use the newly created vSwitch.

Redundancy and stateful switchover are already enabled in the configuration by default. We just need to set up the communications between the two wireless controllers.

I’m assuming you already have two 9800-CL configured and all you need to do is set up High Availability.

CLI

On the wireless controller that will be your primary Active controller, configure the HA interface. The syntax is as follows:

chassis redundancy ha-interface <rp-port> local-ip <local-ip-of-vm> <subnet-mask> remote-ip <ip-of-standby-vm>

chassis redundancy ha-interface GigabitEthernet2 local-ip 192.168.1.1 255.255.255.0 remote-ip 192.168.1.2

<rp-port> – The interface that is the Redundancy Port
<local-ip-of-vm> – The redundancy IP address of the VM you’re currently configuring.
<subnet-mask> – The subnet mask for the IP above
<ip-of-standby-vm> – The redundancy IP address of the Standby VM

Save the configuration and reboot the wireless controller.

Once the reboot process is complete, head over to your standby wireless controller.

We’ll run the same chassis redundancy command but swap the IP addresses.
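
A swapped pair is easy to get wrong by pasting the Active line unchanged or mistyping the mask. This added example (not from the original post or from Cisco) parses the command syntax shown above, derives the Standby line from the Active one, and checks a pair against the Redundancy Port restriction listed earlier (both RP addresses on the same subnet) plus the mirrored local/remote addresses; the function names are hypothetical and the sample lines are built from the post's own example.

```python
import ipaddress
import re

# Matches the syntax given in the post:
# chassis redundancy ha-interface <rp-port> local-ip <ip> <mask> remote-ip <ip>
HA_RE = re.compile(
    r"^chassis redundancy ha-interface (?P<port>\S+) "
    r"local-ip (?P<local>\S+) (?P<mask>\S+) remote-ip (?P<remote>\S+)$"
)


def parse_ha(line):
    """Parse one ha-interface line into port, local interface and remote IP."""
    match = HA_RE.match(line.strip())
    if not match:
        raise ValueError(f"not a chassis redundancy ha-interface line: {line!r}")
    return {
        "port": match["port"],
        # ip_interface accepts the dotted netmask form, e.g. 192.168.1.1/255.255.255.0
        "local": ipaddress.ip_interface(f"{match['local']}/{match['mask']}"),
        "remote": ipaddress.ip_address(match["remote"]),
    }


def standby_command(active_line):
    """Build the Standby controller's line by swapping local and remote IPs."""
    active = parse_ha(active_line)
    return (
        f"chassis redundancy ha-interface {active['port']} "
        f"local-ip {active['remote']} {active['local'].netmask} "
        f"remote-ip {active['local'].ip}"
    )


def check_ha_pair(active_line, standby_line):
    """Return a list of problems; an empty list means the pair is consistent."""
    active, standby = parse_ha(active_line), parse_ha(standby_line)
    problems = []
    for role, cfg in (("active", active), ("standby", standby)):
        if cfg["remote"] == cfg["local"].ip:
            problems.append(f"{role}: local-ip and remote-ip are identical")
        elif cfg["remote"] not in cfg["local"].network:
            problems.append(f"{role}: remote-ip is outside the local RP subnet")
    if active["local"].network != standby["local"].network:
        problems.append("RP addresses are not on the same subnet")
    if active["local"].ip != standby["remote"] or standby["local"].ip != active["remote"]:
        problems.append("local-ip and remote-ip are not mirrored between the two VMs")
    return problems


# The Active line is the example from the post.
ACTIVE = ("chassis redundancy ha-interface GigabitEthernet2 "
          "local-ip 192.168.1.1 255.255.255.0 remote-ip 192.168.1.2")

if __name__ == "__main__":
    standby = standby_command(ACTIVE)
    print(standby)
    print(check_ha_pair(ACTIVE, standby))  # consistent pair
    print(check_ha_pair(ACTIVE, ACTIVE))   # Active line pasted on both VMs
```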

Configuring C9800-CL with FlexConnect

November 13, 2020 By Rowell

The Cisco Catalyst 9800 utilizes tags and profiles for granular control over AP capabilities. When there are multiple sites and a centralized wireless LAN controller in a data center, FlexConnect is often the configuration of choice. Rather than tunneling all data over a WAN and through a data center, there is an option to have traffic exit at the access point and be switched locally on the switch.

As part of configuring access points for FlexConnect in the Catalyst 9800, there is a new configuration model. Each access point is assigned a Policy Tag, Site Tag, and RF Tag. These tags will set the parameters for what we’re trying to achieve.  

Tags

Policy Tag

The Policy tag includes two profiles. It configures which WLANs are broadcasted, each tied to a Policy Profile that specifies parameters such as the VLAN ID, whether you’re using central or local switching, etc.

Site Tag

The Site tag has two profiles associated to it, Flex Profile and AP Join Profile. This is where an AP is designated to be in local mode or in flex mode. The check box, Local Site State, if disabled becomes flex mode.

The AP Join Profile defines parameters such as CAPWAP timers, SSH, backup WLC, etc.

RF Tag

The RF tag is what was previously known as RF Profiles in AireOS. Parameters for 2.4 GHz and 5 GHz are configured such as data rates.

Configure the WLAN

Configuration > Tags & Profiles > WLANs

Click on the Add button and configure the new WLAN

Adding a WLAN

Configure Security for the WLAN

If needed, configure the Advanced settings. Then click on Apply to Device.

Configure the AP Join Profile

Configuration > Tags & Profiles > AP Join

There’s a default profile already there but we’ll configure a new one. If you’d like granular control over the configuration in the long term then I suggest configuring individual profiles and tags for different sites. 

Click Add to set up a new AP Join Profile. If you have a different NTP server per site, then this is where you can configure it, in the General tab.

If you need to adjust the TCP MSS, it can be done under the Client tab.

Under the CAPWAP tab, a Primary and Secondary controller can be configured along with CAPWAP settings for High Availability. 

In the Management tab, you can define SSH and user management credentials for the APs.

Everything else I’ll leave as default and click on Update & Apply to Device.

Configure the Flex Profile

Configuration > Tags & Profiles > Flex

This is where we configure our FlexConnect settings. Click on the Add button to add a new Flex Profile. In the General section, give it a good name and description. 

Enable Efficient Image Upgrade – One AP will become the primary to download the AP image from the controller over a WAN. The other “subordinate” APs will download the image from the primary AP. This reduces the amount of time it takes for APs to download the image by going over the LAN to the primary AP rather than all APs downloading an image over the WAN.

Set the Native VLAN ID if you want your APs to be on a specific VLAN. 

The other tab I’m going to configure is under VLAN. This is where we map our SSIDs to a local VLAN in FlexConnect mode. Then click Apply to Device.

Configure the Policy Profile

Configuration > Tags & Profiles > Policy

The Policy Profile gets combined with the WLAN to create a Policy Tag. For this reason, I recommend configuring a separate Policy Profile for each WLAN. But it is possible to use the same Policy Profile with multiple WLANs.

Click the Add button to modify the General tab of the policy. Give a descriptive name and description. Switch the button for Status to enabled. 

In this tab, I’m focusing on a FlexConnect configuration. The main setting for me is disabling Central Switching so client traffic is tunneled back to the C9800. 

Under the Access Policies tab, configure any ACLs required. I add the VLAN for this WLAN under the VLAN section. If this VLAN does not match the VLAN configured in the Flex Profile, the VLAN number in the Policy Profile will override the VLAN configured in the Flex Profile.

Configure any QoS and AVC settings you may require and under Mobility you have the ability to configure a Mobility Anchor.

Under the Advanced tab, we can configure settings such as Session and Idle timeouts, mDNS Service Policy, AAA policies, Air Time Fairness and more. Click Apply to Device.

Configure RF Profiles

Configuration > Tags & Profiles > RF

The RF Profiles are the same as RF Profiles we dealt with in AireOS. Look over the default RF Profiles and if needed, create your own by clicking on the Add button.

Let’s pretend I have a specific use case for an RF Profile in my HQ site. I’ll start with the 5 GHz band.

In the 802.11 section, I can disable data rates I do not want.

RRM has a lot of options available. These settings vary between environments. Make your choices wisely but I always recommend tuning it from the default settings, especially TPC and DCA. Under Advanced, you can enable/disable Air Time Fairness and other settings. Click Apply to Device and create an RF Profile for 2.4 GHz.

Create a Policy Tag

Configuration > Tags & Profiles > Tags

Click on the Add button to create a new Policy Tag. This is where we add our WLAN and our Policy Profile together. Under WLAN-POLICY, click the Add button.

On the left dropdown, select the SSID you’d like to broadcast. On the right dropdown, select the correct Policy Profile for that SSID. Then click the checkmark. Continue adding the WLANs you need broadcasted with their Policy Profile. Then click Apply to Device.

Create a Site Tag

Configuration > Tags & Profiles > Site

The Site tag is used to group APs that share a geographic area. This could be an office, a building, a floor of a building, or whatever you determine as a site.

Click on the Add button. Aside from the name and description, select the AP Join Profile we had created earlier. Because we’re configuring this site to be in FlexConnect mode, we have to uncheck Enable Local Site. This will expose the Flex Profile dropdown where we select our previously configured HQ Flex Profile. 

Leaving Enable Local Site checked places the AP in local mode. Click Apply to Device.

Create an RF Tag

Configuration > Tags & Profiles > Tags

Next, we will configure an RF tag for our HQ site with the 2.4 and 5 GHz RF Profiles we created earlier. Click the Add button and select the RF Profiles we created. Then click Apply to Device.

Adding Tags to APs

Configuration > Tags & Profiles > Tags or Configuration > Access Points

After all that configuration, we come to the point where we can finally tag the APs with everything we’ve configured. If you have APs connected, they are probably using the default tags and profiles.

There are two locations to tag Access Points. Either in the Tags section or directly on the access point configuration.

Once the tags are applied to the access point you should see the AP mode change and have the correct tags applied. I should see the AP on the correct subnet as well.

A neat way to see what’s configured on the AP is by clicking on the blue icon near the AP name. This is the AP Operational Configuration Viewer.

Here you can verify what configuration is applied to the AP.

Next, test connectivity.

It was a long tutorial but I wanted to cover configuration from the beginning. To further validate connectivity, you should be able to see the device’s MAC address on the switch port where the AP is connected, on the correct VLAN.

Spectrum Analysis with Ekahau Analyzer

April 9, 2020 By Rowell

As an IT professional, there are too many tools to select from. It’s easy to get carried away and have some tools whose purposes may overlap.

There are a handful of spectrum analyzers available for purchase. Some better than others, yes.

But one of those tools, the Ekahau Sidekick, can be multipurpose.

A few ways the Sidekick can be used:

  • Validation site survey
  • Packet Capture
  • Spectrum Analyzer
  • Stores Ekahau project files

I have separate tools that can perform each of those functions. But I hate carrying so many tools in my bag. It hurts my back.

Ekahau Analyzer

As part of the Ekahau Connect subscription, Ekahau released a much needed application called Ekahau Analyzer.

I assume it was born out of the many requests by Wi-Fi experts who did not want to open Ekahau Pro to perform spectrum analysis.

By leveraging the power of the Sidekick, one could connect it via lightning or USB-C to an iPhone or iPad to get high resolution output from the Sidekick.

I can do with one less tool, right? Maybe.

Ekahau Analyzer can validate the health of your Wi-Fi network by comparing it to a Requirement Profile.

Requirement Profiles in Ekahau Analyzer

It’s an easy pass/fail indication. But I didn’t see an option to change the Requirement Profile within Ekahau Analyzer. There isn’t a way to map that information anywhere on a floor plan so you’ll have to note the location manually.

Most importantly, you have a view of both 2.4 GHz and 5 GHz spectrum. The measurements are fast and with high resolution.

Spectrum analysis in Ekahau Analyzer

I wasn’t able to see that any interference was detected for me so I’ll have to assume that capability isn’t there yet. As a Wi-Fi professional, you’d have to identify that based on your education and experience.

Is Ekahau Analyzer Worth It?

It’s a good start for Ekahau Analyzer. I can see the application improving. What I’d like added to Ekahau Analyzer is the ability to add notes, zoom into a specific frequency, have export capabilities, and a separate waterfall view.

Your Turn

Would you add Ekahau Analyzer to your toolkit?

Copyright © 2022 · Written by Rowell Dionicio · You're awesome.

 
