Rowell Dionicio

Get Techie With It

Cisco Catalyst 9800-CL – High Availability

November 30, 2020 By Rowell 2 Comments

Everyone wants high availability with their infrastructure. With Catalyst 9800 wireless LAN controller capable of being installed as a virtual machine, do you really need high availability?

I’d be nervous having all my virtual machines on a single host: if that host fails, you lose everything. For the Catalyst 9800-CL wireless LAN controller, we can run two instances in high availability with stateful switchover.

High availability (HA) minimizes downtime for the wireless controllers. In this configuration there is an Active and a Standby wireless controller.

With stateful switchover (SSO), access points establish their CAPWAP tunnel to the Active controller, and the Active controller replicates its database of joined access points to the Standby wireless controller. The client database is replicated to the Standby as well.

In summary, when the Active wireless controller fails, the Standby takes over with the access points and clients still connected. The access points do not drop back into the Discovery state and clients are not disconnected.

When deploying the Catalyst 9800-CL, three interfaces are bound in the configuration. The third interface, GigabitEthernet3, is used as the dedicated Redundancy Port (RP), which carries the keepalives and the state replication between the two controllers.

This post describes configuring High Availability for the Catalyst 9800-CL in VMware ESXi 6.7.

Restrictions

There are some restrictions to keep in mind before configuring High Availability:

  • Keep the VMs on the same platform (ESXi, KVM, AWS, etc.)
  • Both VMs run the same software version
  • Both VMs run in the same installation mode
  • The IP addresses of the Redundancy Ports are in the same subnet
  • Each controller has its own wireless management interface
  • The wireless management interfaces of both VMs are in the same subnet
  • Both VMs have the same deployment size (CPU, memory, and disk)

Connecting the Redundancy Port to a vSwitch

The RP of each Catalyst 9800-CL connects to a vSwitch dedicated to the RP link.

I’m running VMware ESXi 6.7. The first thing we need to do is create a vSwitch for the purpose of connecting the Redundancy Ports. For this demo, I’ll be configuring High Availability on a single host, so the vSwitch needs no physical uplink. Keep it isolated either way: the RP link carries the AP and client state replication and should not be shared with the management or client port groups.

[Diagram: vSwitch and Redundancy Port network]

Go to Networking -> Virtual switches -> and click on Add standard virtual switch.

Give the vSwitch a name and click Add.

Edit the settings for each 9800-CL virtual machine and change the network interface for the RP (GigabitEthernet3, the third adapter) to use the newly created vSwitch.

Redundancy and stateful switchover are already enabled in the configuration by default. We just need to set up the communication between the two wireless controllers.

I’m assuming you already have two 9800-CL configured and all you need to do is set up High Availability.

CLI

On the wireless controller that will be your primary Active controller we configure the HA interface. The syntax is as follows:

chassis redundancy ha-interface <rp-port> local-ip <local-ip-of-vm> <subnet-mask> remote-ip <ip-of-standby-vm>

chassis redundancy ha-interface GigabitEthernet3 local-ip 192.168.1.1 255.255.255.0 remote-ip 192.168.1.2

<rp-port> – The interface that is the Redundancy Port (GigabitEthernet3 on the 9800-CL)
<local-ip-of-vm> – The redundancy IP address of the VM you’re currently configuring
<subnet-mask> – The subnet mask for the IP above
<ip-of-standby-vm> – The redundancy IP address of the Standby VM

Save the configuration and reboot the wireless controller.

Once the reboot process is complete, head over to your standby wireless controller.

We’ll run the same chassis redundancy command but swap the IP addresses, then save and reboot that controller too. Once both are back up, show chassis on the Active should list both chassis, and show redundancy should report the operating mode as sso with the peer in STANDBY HOT.
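The pairing steps above are easy to get subtly wrong (one side on a different subnet, a different deployment size, the IPs not actually swapped). The following is an added example, not code from the original post: it encodes the restrictions listed above as pre-flight checks on two constructed controller descriptions and emits the `chassis redundancy ha-interface` line for each side. The dictionary keys and the sample values (version, addresses) are assumptions chosen for illustration.

```python
"""Pre-flight check for pairing two Catalyst 9800-CL instances in HA SSO.

Added example, not code from the original post. It turns the restrictions
listed in the post into checks on two constructed controller descriptions
and emits the `chassis redundancy ha-interface` line for each side.
Dictionary keys and the sample values are assumptions for illustration.
"""
import ipaddress
from typing import Dict, List


def _same_subnet(ip_a: str, mask_a: str, ip_b: str, mask_b: str) -> bool:
    """True when both addresses are distinct hosts in one identical subnet."""
    net_a = ipaddress.ip_network(f"{ip_a}/{mask_a}", strict=False)
    net_b = ipaddress.ip_network(f"{ip_b}/{mask_b}", strict=False)
    return net_a == net_b and ip_a != ip_b


def ha_violations(active: Dict[str, str], standby: Dict[str, str]) -> List[str]:
    """Return the reasons these two VMs cannot form an HA SSO pair (empty if OK)."""
    problems = []
    for key, label in (("platform", "hypervisor platform"),
                       ("version", "software version"),
                       ("install_mode", "installation mode"),
                       ("deployment", "deployment size (CPU/memory/disk)")):
        if active[key] != standby[key]:
            problems.append(f"{label} differs: {active[key]} vs {standby[key]}")
    if active["rp_interface"] != standby["rp_interface"]:
        problems.append("Redundancy Port interface name differs between the VMs")
    if not _same_subnet(active["rp_ip"], active["rp_mask"],
                        standby["rp_ip"], standby["rp_mask"]):
        problems.append("Redundancy Port IPs are not distinct hosts in one subnet")
    if not _same_subnet(active["wmi_ip"], active["wmi_mask"],
                        standby["wmi_ip"], standby["wmi_mask"]):
        problems.append("wireless management IPs are not distinct hosts in one subnet")
    return problems


def ha_interface_commands(active: Dict[str, str], standby: Dict[str, str]) -> Dict[str, str]:
    """Build the `chassis redundancy ha-interface` command for each controller.

    Each side uses its own RP address as local-ip and the peer's as remote-ip,
    which is the "same command with the IP addresses swapped" step.
    Refuses to emit anything while a restriction is violated.
    """
    problems = ha_violations(active, standby)
    if problems:
        raise ValueError("; ".join(problems))
    tmpl = ("chassis redundancy ha-interface {rp} local-ip {local} {mask} "
            "remote-ip {remote}")
    return {
        "active": tmpl.format(rp=active["rp_interface"], local=active["rp_ip"],
                              mask=active["rp_mask"], remote=standby["rp_ip"]),
        "standby": tmpl.format(rp=standby["rp_interface"], local=standby["rp_ip"],
                               mask=standby["rp_mask"], remote=active["rp_ip"]),
    }


# Constructed sample data (assumed values) for two VMs on one ESXi host.
WLC1 = {"platform": "ESXi 6.7", "version": "17.3.3", "install_mode": "INSTALL",
        "deployment": "4CPU-8GB", "rp_interface": "GigabitEthernet3",
        "rp_ip": "192.168.1.1", "rp_mask": "255.255.255.0",
        "wmi_ip": "10.10.20.11", "wmi_mask": "255.255.255.0"}
WLC2 = dict(WLC1, rp_ip="192.168.1.2", wmi_ip="10.10.20.12")

if __name__ == "__main__":
    for side, cmd in ha_interface_commands(WLC1, WLC2).items():
        print(f"{side}: {cmd}")
```

Fill the two dictionaries from show version, show platform software vnic-if interface-mapping and the interface addresses of each VM, and paste the two emitted lines into the respective controllers; the script refuses to emit anything while a restriction is violated, which is cheaper than discovering the mismatch after two reboots.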

Configuring C9800-CL with FlexConnect

November 13, 2020 By Rowell Leave a Comment

The Cisco Catalyst 9800 uses tags and profiles for granular control over AP capabilities. When there are multiple sites and a centralized wireless LAN controller in a data center, FlexConnect is often the configuration of choice. Rather than tunneling all client data over the WAN and through the data center, the access point can switch that traffic locally onto its switch port.

As part of configuring access points for FlexConnect in the Catalyst 9800, there is a new configuration model. Each access point is assigned a Policy Tag, a Site Tag, and an RF Tag. These tags set the parameters for what we’re trying to achieve.

Tags

Policy Tag

The Policy Tag binds WLAN profiles to Policy Profiles. The WLAN profile defines which SSID is broadcast and its security settings; the Policy Profile tied to it supplies the client-side parameters such as the VLAN ID and whether traffic is centrally or locally switched.

Site Tag

The Site Tag references two profiles, a Flex Profile and an AP Join Profile, and it is where an AP is designated to be in local mode or in FlexConnect mode: with the Enable Local Site checkbox unchecked, the APs in that site tag run in FlexConnect mode and the Flex Profile applies.

The AP Join Profile defines parameters such as CAPWAP timers, SSH, backup WLC, etc.

RF Tag

The RF Tag references a 2.4 GHz and a 5 GHz RF Profile, the same RF Profiles known from AireOS, where per-band parameters such as data rates are configured.

Configure the WLAN

Configuration > Tags & Profiles > WLANs

Click on the Add button and configure the new WLAN

Adding a WLAN

Configure Security for the WLAN

If needed, configure the Advanced settings. Then click on Apply to Device.

Configure the AP Join Profile

Configuration > Tags & Profiles > AP Join

There’s a default profile already there but we’ll configure a new one. If you’d like granular control over the configuration in the long term then I suggest configuring individual profiles and tags for different sites. 

Click Add to set up a new AP Join Profile. If you have a different NTP server per site, then this is where you can configure it, in the General tab.

If you need to adjust the TCP MSS, it can be done under the Client tab.

Under the CAPWAP tab, a Primary and Secondary controller can be configured along with CAPWAP settings for High Availability. 

In the Management tab, you can define SSH and user management credentials for the APs.

Everything else I’ll leave as default and click on Update & Apply to Device.

Configure the Flex Profile

Configuration > Tags & Profiles > Flex

This is where we configure our FlexConnect settings. Click on the Add button to add a new Flex Profile. In the General section, give it a good name and description. 

Enable Efficient Image Upgrade – One AP will become the primary to download the AP image from the controller over a WAN. The other “subordinate” APs will download the image from the primary AP. This reduces the amount of time it takes for APs to download the image by going over the LAN to the primary AP rather than all APs downloading an image over the WAN.

Set the Native VLAN ID if you want your APs to be on a specific VLAN. 

The other tab I’m going to configure is under VLAN. This is where we map our SSIDs to a local VLAN in FlexConnect mode. Then click Apply to Device.

Configure the Policy Profile

Configuration > Tags & Profiles > Policy

The Policy Profile is paired with a WLAN inside a Policy Tag. For that reason I recommend a separate Policy Profile for each WLAN, although it is possible to reuse one Policy Profile across multiple WLANs.

Click the Add button to modify the General tab of the policy. Give a descriptive name and description. Switch the button for Status to enabled. 

In this tab, I’m focusing on a FlexConnect configuration. The main setting for me is disabling Central Switching, so client traffic is switched locally at the AP instead of being tunneled back to the C9800. With Central Switching left enabled, the AP would still send this WLAN’s client data through the CAPWAP tunnel to the controller even in FlexConnect mode.

Under the Access Policies tab, configure any ACLs required, and set the VLAN for this WLAN in the VLAN section. If that VLAN does not match a VLAN mapped in the Flex Profile, the VLAN in the Policy Profile overrides the one in the Flex Profile, so keep the two consistent.

Configure any QoS and AVC settings you may require and under Mobility you have the ability to configure a Mobility Anchor.

Under the Advanced tab, we can configure settings such as Session and Idle timeouts, mDNS Service Policy, AAA policies, Air Time Fairness and more. Click Apply to Device

Configure RF Profiles

Configuration > Tags & Profiles > RF

The RF Profiles are the same as RF Profiles we dealt with in AireOS. Look over the default RF Profiles and if needed, create your own by clicking on the Add button.

Let’s pretend I have a specific use case for an RF Profile in my HQ site. I’ll start with the 5 GHz band.

In the 802.11 section, I can disable data rates I do not want.

RRM has a lot of options available. These settings vary between environments. Make your choices wisely but I always recommend tuning it from the default settings, especially TPC and DCA. Under Advanced, you can enable/disable Air Time Fairness and other settings. Click Apply to Device and create an RF Profile for 2.4 GHz.

Create a Policy Tag

Configuration > Tags & Profiles > Tags

Click on the Add button to create a new Policy Tag. This is where we add our WLAN and our Policy Profile together. Under WLAN-POLICY, click the Add button.

On the left dropdown, select the SSID you’d like to broadcast. On the right dropdown, select the correct Policy Profile for that SSID. Then click the checkmark. Continue adding the WLANs you need broadcasted with their Policy Profile. Then click Apply to Device.

Create a Site Tag

Configuration > Tags & Profiles > Site

The Site Tag groups APs that belong to the same geographic area: an office, a building, a floor of a building, whatever you define as a site.

Click on the Add button. Aside from the name and description, select the AP Join Profile we had created earlier. Because we’re configuring this site to be in FlexConnect mode, we have to uncheck Enable Local Site. This will expose the Flex Profile dropdown where we select our previously configured HQ Flex Profile. 

Leaving Enable Local Site checked places the AP in local mode. Click Apply to Device.

Create an RF Tag

Configuration > Tags & Profiles > Tags

Next, we will configure an RF tag for our HQ site with the 2.4 and 5 GHz RF Profiles we created earlier. Click the Add button and select the RF Profiles we created. Then click Apply to Device.

Adding Tags to APs

Configuration > Tags & Profiles > Tags or Configuration > Access Points

After all that configuration, we come to the point where we can finally tag the APs with everything we’ve configured. If you have APs connected, they are probably using the default tags and profiles.

There are two locations to tag Access Points. Either in the Tags section or directly on the access point configuration.

Once the tags are applied to the access point you should see the AP mode change and have the correct tags applied. I should see the AP on the correct subnet as well.

A neat way to see what’s configured on the AP is by clicking on the blue icon near the AP name. This is the AP Operational Configuration Viewer.

Here you can verify what configuration is applied to the AP.

Next, test connectivity.

It was a long tutorial but I wanted to cover configuration from the beginning. To further validate connectivity, you should be able to see the device’s MAC address on the switch port where the AP is connected, on the correct VLAN.
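The GUI walkthrough above creates seven objects that have to agree with each other, and the two mistakes that fail silently are a Policy Profile VLAN with no matching mapping in the Flex Profile (the Policy Profile value wins, as noted above) and a Site Tag that still has local-site enabled. The following is an added example, not code from the original post: it renders the equivalent IOS-XE CLI for one FlexConnect site from a small description and refuses to render while the objects are inconsistent. The site name, VLAN numbers, MAC address and profile names are assumptions; the WLAN profiles and the two RF profiles are assumed to exist already, and the CLI keywords should be confirmed against show running-config | section wireless on your release.

```python
"""Render the FlexConnect tag/profile set that the GUI walkthrough builds by
hand, and check the inconsistencies that fail silently.

Added example, not code from the original post. Site name, VLAN numbers, MAC
addresses and profile names are assumptions; the WLAN profiles and the two RF
profiles are assumed to exist already. The CLI keywords are the IOS-XE
equivalents of the GUI fields; confirm them on your release.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class FlexSite:
    name: str                     # short site name used as a prefix, e.g. "HQ"
    native_vlan: int              # native VLAN on the AP's switch port
    flex_vlans: Dict[str, int]    # VLAN name -> VLAN ID mapped in the Flex Profile
    wlan_to_vlan: Dict[str, int]  # WLAN profile name -> locally switched client VLAN
    rf_24: str                    # 2.4 GHz RF Profile name
    rf_5: str                     # 5 GHz RF Profile name
    ap_macs: List[str] = field(default_factory=list)  # AP Ethernet MACs to tag


def check_site(site: FlexSite) -> List[str]:
    """Return inconsistencies that would make the APs misbehave (empty if OK)."""
    problems = []
    mapped = set(site.flex_vlans.values())
    for wlan, vlan in site.wlan_to_vlan.items():
        if vlan not in mapped:
            problems.append(f"WLAN {wlan}: VLAN {vlan} is not mapped in the Flex Profile, "
                            "so the Policy Profile value would override it")
    if len(mapped) != len(site.flex_vlans):
        problems.append("two Flex Profile VLAN names map to the same VLAN ID")
    return problems


def render_cli(site: FlexSite) -> str:
    """Emit the profiles, tags and AP tag assignments for one FlexConnect site."""
    problems = check_site(site)
    if problems:
        raise ValueError("; ".join(problems))
    n = site.name
    # Flex Profile: native VLAN plus the VLAN name/ID map used for local switching
    lines = [f"wireless profile flex {n}-FLEX", f" native-vlan-id {site.native_vlan}"]
    for vname, vid in sorted(site.flex_vlans.items(), key=lambda kv: kv[1]):
        lines += [f" vlan-name {vname}", f"  vlan-id {vid}"]
    # AP Join Profile left at its defaults apart from the name
    lines.append(f"ap profile {n}-APJOIN")
    # One Policy Profile per WLAN, locally switched (Central Switching disabled)
    for wlan, vid in site.wlan_to_vlan.items():
        lines += [f"wireless profile policy {n}-{wlan}-POLICY",
                  " no central switching", f" vlan {vid}", " no shutdown"]
    # Policy Tag: WLAN profile -> Policy Profile
    lines.append(f"wireless tag policy {n}-POLICY-TAG")
    lines += [f" wlan {wlan} policy {n}-{wlan}-POLICY" for wlan in site.wlan_to_vlan]
    # Site Tag: FlexConnect mode is "Enable Local Site" unchecked
    lines += [f"wireless tag site {n}-SITE-TAG", f" ap-profile {n}-APJOIN",
              f" flex-profile {n}-FLEX", " no local-site"]
    # RF Tag: one RF Profile per band
    lines += [f"wireless tag rf {n}-RF-TAG", f" 24ghz-rf-policy {site.rf_24}",
              f" 5ghz-rf-policy {site.rf_5}"]
    # Static tag assignment per AP (by Ethernet MAC)
    for mac in site.ap_macs:
        lines += [f"ap {mac}", f" policy-tag {n}-POLICY-TAG",
                  f" site-tag {n}-SITE-TAG", f" rf-tag {n}-RF-TAG"]
    return "\n".join(lines) + "\n"


# Constructed sample site (assumed values).
HQ = FlexSite(name="HQ", native_vlan=100,
              flex_vlans={"VLAN10": 10, "VLAN20": 20},
              wlan_to_vlan={"CORP": 10, "GUEST": 20},
              rf_24="HQ-24GHZ", rf_5="HQ-5GHZ",
              ap_macs=["00a2.ee5f.4a20"])

if __name__ == "__main__":
    print(render_cli(HQ))
```

Applying a changed site tag still reboots the affected APs, exactly as it does from the GUI, so run the generated CLI in a maintenance window and compare the result with the AP Operational Configuration Viewer afterwards.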

Cisco 9800 WLC – AP Sniffer Mode

December 8, 2019 By Rowell 2 Comments

There are a few times when converting a Cisco AP to sniffer mode helps with remote investigation of a wireless issue. In this blog post I’ll go over setting an AP into Sniffer mode from the Cisco 9800-CL.

In my lab, I’d like to convert a Cisco C9115, Wi-Fi 6 access point, from Local mode (serving clients) into Sniffer mode.

It’s important to know when converting a Cisco access point into Sniffer mode, it will cease to serve any clients.

After enabling Sniffer mode on the Cisco C9115, or any access point, we want to configure the channel to sniff and where to send these sniffed frames.

Configuring Sniffer Mode

I have two Cisco C9115 access points joined to my 9800-CL. Both are in Local mode, capable of serving clients. I want to change AP-AX-01’s mode to Sniffer.

On the left-hand navigation, click on Configuration and then click on Access Points under Wireless

Under Access Points, click on the AP that will be changed to Sniffer mode.

I’m going to modify AP-AX-01.

Under the Edit AP window, click on the drop down for AP Mode and select Sniffer.

You’ll be presented with a warning about the AP needing to reboot when changing the AP mode.

Click OK and then click Update & Apply to Device

The access point will reboot and rejoin the controller under Sniffer mode. Takes a few minutes. Sip some tea.

Sniffing Frames

Now that the C9115, or AP of your choice, is in Sniffer mode it is time to configure the channel to sniff frames on.

Under the same window we’ve been working on, expand either 5 GHz Radios or 2.4 GHz Radios – whichever band you intend to sniff frames.

I’m going to sniff frames on channel 100, the channel my other C9115 is serving clients on.

Select the AP you just changed to Sniffer Mode to display the Edit AP window.

At the bottom of the window, you’ll see an Enable Sniffing checkbox. Enable it.

Once enabled, more options will display below the checkbox. This is where you select which channel to sniff on.

In the Sniffer IP text field enter the IP address of the computer which will be running Wireshark, the computer which will receive the sniffed frames from this access point.

The channel width is set under RF Channel Assignment: the AP sniffs with the channel width configured there, the same width it would use when serving clients.

Click Update & Apply to Device

Setting up Wireshark

At the time of publishing, I am using Wireshark version 3.0.7 for macOS. With previous versions I was unable to see any HE frames. The latest version seems to have fixed that bug.

The Cisco AP sends the sniffed 802.11 frames encapsulated in the Airopeek (PEEKREMOTE) format over UDP, from source port 5000 to destination port 5555 on the Sniffer IP you configured. Nothing authenticates or encrypts that stream, so restrict inbound UDP 5555 on the capture host to the AP’s address, and keep in mind that anyone on the path between the AP and the host can read the captured frames.

By default, Wireshark will not decode the packets properly. In the capture options, apply the capture filter udp port 5555 so only the AP’s stream is captured:

Next step is to start the capture.

You’ll begin seeing packets being displayed but it is encapsulated.

The packets must be decoded as PEEKREMOTE. Right click one of the encapsulated packets and select Decode As…

Add an entry with the following:

Field: UDP port
Value: 5555
Type: Integer, base 10
Default: SIGCOMP
Current: PEEKREMOTE

Click OK.

The 802.11 traffic is now available for you to analyze.
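The Decode As... step works for interactive use, but for remote or unattended captures it is handy to receive the AP’s stream directly, strip the encapsulation and save plain 802.11 frames. The following is an added example, not code from the original post: a small receiver that accepts datagrams only from the AP addresses you list, strips the Airopeek/PEEKREMOTE header and writes a pcap with link type 105 that Wireshark opens without any Decode As... configuration. The 20-byte legacy header layout, and the position of the header-size field in the newer variant that starts with the magic bytes 00 ff ab cd, follow Wireshark’s PEEKREMOTE dissector; treat both as assumptions to verify against a real capture from your AP. The sample datagram is constructed, not captured.

```python
"""Receive Airopeek/PEEKREMOTE-encapsulated frames from a Cisco AP in
Sniffer mode, strip the encapsulation and write bare 802.11 frames to a pcap.

Added example, not code from the original post. The legacy 20-byte header
layout and the header-size offset of the newer magic-prefixed variant follow
Wireshark's PEEKREMOTE dissector and are assumptions to verify against a
real capture. The sample datagrams at the bottom are constructed.
"""
import socket
import struct
import time
from typing import Dict, Iterable, Set, Tuple

SNIFFER_PORT = 5555                          # destination UDP port used by the AP
NEW_MAGIC = b"\x00\xff\xab\xcd"              # start of the newer, variable-length header
LEGACY_HDR = struct.Struct("!BBHHBBQBBbb")   # 20-byte legacy Airopeek header
LINKTYPE_IEEE802_11 = 105                    # pcap link type for raw 802.11 frames


def strip_peekremote(datagram: bytes) -> Tuple[Dict[str, object], bytes]:
    """Split one UDP payload into (radio metadata, 802.11 frame).

    Raises ValueError on anything that is not a well-formed encapsulation, so a
    stray datagram on port 5555 cannot end up in the capture file.
    """
    if datagram.startswith(NEW_MAGIC):
        if len(datagram) < 8:
            raise ValueError("truncated new-style header")
        version, hdr_len = struct.unpack("!HH", datagram[4:8])  # assumed offsets
        if hdr_len < 8 or hdr_len > len(datagram):
            raise ValueError("bad new-style header length")
        return {"format": "new", "version": version}, datagram[hdr_len:]
    if len(datagram) < LEGACY_HDR.size:
        raise ValueError("truncated legacy header")
    (sig_pct, noise_pct, pkt_len, slice_len, flags, status,
     timestamp, rate, channel, sig_dbm, noise_dbm) = LEGACY_HDR.unpack_from(datagram)
    frame = datagram[LEGACY_HDR.size:]
    if not frame:
        raise ValueError("no 802.11 frame after legacy header")
    meta = {"format": "legacy", "channel": channel,
            "rate_mbps": rate / 2,            # legacy rate field is in 500 kb/s units
            "signal_dbm": sig_dbm, "noise_dbm": noise_dbm,
            "signal_pct": sig_pct, "noise_pct": noise_pct,
            "packet_len": pkt_len, "slice_len": slice_len,
            "flags": flags, "status": status, "timestamp": timestamp}
    return meta, frame


def pcap_bytes(frames: Iterable[Tuple[float, bytes]],
               linktype: int = LINKTYPE_IEEE802_11) -> bytes:
    """Serialize (timestamp, frame) pairs as a classic little-endian pcap file."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)]
    for ts, frame in frames:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def capture(path: str, count: int, allowed_aps: Set[str], bind_ip: str = "0.0.0.0") -> int:
    """Listen on UDP 5555, keep `count` frames from the listed AP IPs, write the pcap.

    The stream is plain UDP with no authentication, so drop anything that did
    not come from an AP you actually put into Sniffer mode.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, SNIFFER_PORT))
    frames = []
    while len(frames) < count:
        data, (src_ip, _src_port) = sock.recvfrom(65535)
        if src_ip not in allowed_aps:
            continue
        try:
            _meta, frame = strip_peekremote(data)
        except ValueError:
            continue
        frames.append((time.time(), frame))
    with open(path, "wb") as fh:
        fh.write(pcap_bytes(frames))
    return len(frames)


# Constructed sample: a minimal beacon (24-byte MAC header, timestamp, beacon
# interval, capability) behind a legacy header claiming channel 100 at 6 Mb/s.
SAMPLE_FRAME = (b"\x80\x00\x00\x00" + b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" * 2
                + b"\x10\x00" + b"\x00" * 8 + b"\x64\x00" + b"\x11\x04")
SAMPLE_LEGACY = LEGACY_HDR.pack(60, 10, len(SAMPLE_FRAME), len(SAMPLE_FRAME),
                                0, 0, 123456789, 12, 100, -55, -95) + SAMPLE_FRAME

if __name__ == "__main__":
    meta, frame = strip_peekremote(SAMPLE_LEGACY)
    print(meta, len(frame), "bytes of 802.11")
```

Run capture("ap-sniffer.pcap", 500, {"10.10.20.31"}) with the IP of the sniffer AP, then open the file in Wireshark; if frames show a bad FCS, toggle the 802.11 preference "Assume packets have FCS", since the encapsulation does not say whether the trailing four bytes are present.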

Time To Analyze Wi-Fi 6

Now that sniffing is available on the C9115, I can begin looking at Wi-Fi 6 traffic.

The capture from the C9115 does not include as much information in the radiotap header as sniffing with the Intel AX200 on the Jetson Nano, which includes the HE (802.11ax) fields.

Here’s a comparison between the C9115 in sniffer mode and the Intel AX200 using airmon-ng on the Jetson Nano.

[Screenshot: Cisco C9115 – Sniffer Mode radiotap header]
[Screenshot: Jetson Nano (Intel AX200) radiotap header]

Thoughts

Sniffer mode is useful for remote troubleshooting but it comes at the cost of not servicing clients. I’m curious if future updates to the access points will include more 11ax information in the radiotap headers.

Configuring NETCONF: Cisco C9800 WLC

October 27, 2019 By Rowell 4 Comments

As I begin looking into Python and the DevNet materials, I’ve been wanting to utilize my own lab in order for me to run various tests against. I also wanted it to be closer to Wi-Fi, aside from testing against Meraki’s Sandbox.

So to get started, I figured the Cisco C9800-CL would be a good place to start. I’ve been using it to test Wi-Fi 6 and now I can use it to test my Python knowledge.




Configure NETCONF

First thing we need to do is enable NETCONF-YANG on the C9800-CL. This is very easy to do.

First, let’s see what’s running with show platform software yang-management process:

WLC#show platform software yang-management process
confd            : Not Running
nesd             : Not Running
syncfd           : Not Running
ncsshd           : Not Running
dmiauthd         : Not Running
nginx            : Running
ndbmand          : Not Running
pubd             : Running
gnmib            : Not Running

Ok, NETCONF-YANG is not running. Only nginx and pubd are running. Once NETCONF-YANG is enabled, every process except gnmib (the gNMI server, a separate feature) should be running.

Enabling NETCONF-YANG takes a single config command: netconf-yang. NETCONF then listens on TCP 830 over SSH and authenticates against the device’s AAA, so the account you use needs privilege 15 (with local users that means aaa new-model, aaa authentication login default local and aaa authorization exec default local), and port 830 should be reachable only from your management hosts, since it exposes the full running configuration.

Enter the command and verify:

WLC#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
WLC(config)#
WLC(config)#netconf-yang
WLC(config)#exit
WLC#
WLC#
WLC#show platform software yang-management process
confd            : Running
nesd             : Running
syncfd           : Running
ncsshd           : Running
dmiauthd         : Running
nginx            : Running
ndbmand          : Running
pubd             : Running
gnmib            : Not Running

That’s it. Now I have to figure out how to use NETCONF-YANG models 😂
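A first NETCONF request against the controller, as an added example that is not part of the original post: it builds a subtree filter for the hostname from the Cisco-IOS-XE-native model, parses the rpc-reply, and wraps the session in ncclient, a third-party library that is imported only when you actually connect. The host, the credentials and the sample reply are constructed assumptions.

```python
"""Query the C9800-CL over the NETCONF-YANG service enabled above.

Added example, not code from the original post. Builds a subtree filter for
the device hostname from the Cisco-IOS-XE-native model, parses the reply, and
wraps the session in ncclient (third-party, imported only on connect). Host,
credentials and the sample reply are constructed assumptions.
"""
import xml.etree.ElementTree as ET
from typing import Optional

NETCONF_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
NATIVE_NS = "http://cisco.com/ns/yang/Cisco-IOS-XE-native"
NETCONF_PORT = 830  # NETCONF over SSH


def hostname_filter() -> str:
    """Subtree filter that asks for /native/hostname only, not the whole config."""
    native = ET.Element("native", {"xmlns": NATIVE_NS})
    ET.SubElement(native, "hostname")
    return ET.tostring(native, encoding="unicode")


def parse_hostname(rpc_reply_xml: str) -> Optional[str]:
    """Extract the hostname from a <get-config> reply, or None when absent."""
    root = ET.fromstring(rpc_reply_xml)
    el = root.find(f".//{{{NATIVE_NS}}}hostname")
    return el.text.strip() if el is not None and el.text else None


def get_hostname(host: str, username: str, password: str,
                 port: int = NETCONF_PORT, hostkey_verify: bool = True) -> Optional[str]:
    """Open a NETCONF session and fetch the hostname from the running datastore.

    hostkey_verify=True makes ncclient check the controller's SSH host key
    against your known_hosts; only disable it in a throwaway lab.
    """
    from ncclient import manager  # pip install ncclient (not needed for parsing)
    with manager.connect(host=host, port=port, username=username, password=password,
                         hostkey_verify=hostkey_verify,
                         device_params={"name": "iosxe"}) as conn:
        reply = conn.get_config(source="running", filter=("subtree", hostname_filter()))
        return parse_hostname(reply.data_xml)


# Constructed sample reply, shaped like a get-config response (assumed).
SAMPLE_REPLY = f"""<rpc-reply xmlns="{NETCONF_NS}" message-id="101">
  <data>
    <native xmlns="{NATIVE_NS}">
      <hostname>WLC</hostname>
    </native>
  </data>
</rpc-reply>"""

if __name__ == "__main__":
    print(hostname_filter())
    print(parse_hostname(SAMPLE_REPLY))
```

Call get_hostname("192.168.140.6", "admin", "...") with the privilege-15 account; once that round trip works, the same get_config call with a different subtree filter reads any part of the Cisco-IOS-XE-native or Cisco-IOS-XE-wireless models the controller advertises in its hello capabilities.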

Deploying Cisco Catalyst 9800 Controller on VMware ESXi

June 21, 2019 By Rowell 6 Comments

The next-generation wireless controller from Cisco is here. It runs on IOS-XE, and its design differs from both AireOS and the Converged Access days. In this tutorial, I’ll be going through the deployment of the C9800-CL. To learn how to install the C9800-CL on VMware Fusion check out François Vergès’ blog.




Hardware

For this lab, I initially tried to get this working using a 6th-generation Intel Core i3 NUC. The i3 is not going to work.

To run the Catalyst 9800 wireless LAN controller you should get an Intel i7, minimum. My VMware lab included:

  • Intel NUC mini PC kit NUC7i7BNH (Intel Core i7)
  • 32GB Kit (2 x 16GB) 2400Mhz PC4-19200 260-Pin So-Dimm DDR4
  • Samsung 850 EVO 500GB 2.5-Inch SATA III Internal SSD
  • SanDisk Cruzer Fit 8GB USB (for ESXi)

The whole kit cost me approximately $789.79.

VMware ESXi

I’m using version 6.7.0 of VMware ESXi which is stored on the 8GB USB drive. The host boots off of that USB drive so I can keep as much of the hard drive space dedicated to virtual machines.

Prior to deploying the Catalyst 9800 controller you’ll want to configure three port groups within ESXi.

The C9800-CL has three network interfaces, and each one is mapped to a port group on the VM. Here’s how the interfaces map on boot:

  • GigabitEthernet1 = Device management interface
  • GigabitEthernet2 = Wireless management interface
  • GigabitEthernet3 = HA interface

The Device management interface will be used as an out-of-band management to the Catalyst 9800 controller.

The Wireless management interface will be used for AP management and can also be used to manage the controller.

The HA interface is used for redundancy between C9800 controllers.

I have two different port groups defined within ESXi for initial deployment.

  • VM Network – Where GigabitEthernet1 will be mapped.
  • INFRA – a trunk port where GigabitEthernet2 will be mapped.

Step 1 – OVF Tool

Next, you have to download and install the VMware OVF Tool. It is used to deploy the .ova file of the C9800-CL, and it is required here since we’re not running the vSphere Client.

Download and install the OVF Tool from VMware with a login.

Catalyst 9800-CL Controller

It’s important to understand which scale (deployment size) of the C9800-CL will be deployed. In this lab, I am using the Small configuration.

C9800-CL Scale

Step 2 – Download OVA File

Next, download the .ova file for the C9800-CL. In this tutorial I am using version Gibraltar 16.10.1e. (You’ll need a CCO account and a valid support contract to download the .ova file.)

Step 3 – ovftool

Now that the file is downloaded to your Desktop, the first step is to create a .ovftool file holding the parameters for the virtual machine; ovftool reads it when deploying the .ova.

vi .ovftool

Within this new file, insert the following text and save.

acceptAllEulas
datastore=datastore1
deploymentOption=4CPU-8GB
name=9800-wlc
net:GigabitEthernet1=VM Network
net:GigabitEthernet2=INFRA
net:GigabitEthernet3=LAB WIRELESS
prop:com.cisco.vwlc.hostname.1=9800-wlc

You’ll want to modify the datastore entry to match whatever your datastore is.

The deploymentOption is set to the small instance.

The network interfaces are also mapped to a port group within VMware ESXi. You’ll want to change those networks to match what you have in your environment.

Step 4 – Transfer ova File to VMware ESXi

Now, we’re going to transfer the .ova file to ESXi. Here’s the command to run from the macOS command line.

/Applications/VMware\ OVF\ Tool/ovftool ./wlc9500C-universalk9.BLD_V1610_THROTTLE_LATEST_20181006_071153_V16_10_0_134-vga.ova vi://"root:<password>"@ip-address-of-esxi

We’re using ovftool to deploy the .ova file we selected, in this case the C9800-CL, to our ESXi server, passing the login credentials in the vi:// target. Putting the password on the command line leaves it in your shell history and visible in the process list; omit the :<password> part and let ovftool prompt for it instead.

Once completed you’ll see the following message:

Opening OVA source: ./wlc9500C-universalk9.BLD_V1610_THROTTLE_LATEST_20181006_071153_V16_10_0_134-vga.ova
The manifest validates
Opening VI target: vi://root@192.168.140.5:443/
Deploying to VI: vi://root@192.168.140.5:443/
Transfer Completed
Completed successfully

Step 5 – Check VMware ESXi

You should now see the VM deployed in ESXi but it hasn’t started up yet. Select the VM and click on Power On.

Step 6 – Initial Configuration

Click on Console to open a console in-browser for the C9800-CL. You’ll see the controller boot-up process. Once boot is completed, you’ll be prompted to enter the initial configuration dialog. Decline it and terminate autoinstall (press Enter to accept the default of yes):

Would you like to enter the initial configuration dialog? [yes/no]: no
Would you like to terminate autoinstall? [yes]: 

Step 7 – Device Management Interface

Now we’re going to configure the device management interface so the controller can be managed out-of-band. My out-of-band management will be on GigabitEthernet1.

We first add a static IP address and set a default route so the controller can communicate across subnets, then save the configuration so it survives a reboot.

en
conf t
int g1
no switchport
ip address 192.168.140.6 255.255.255.0
exit
ip route 0.0.0.0 0.0.0.0 192.168.140.1
end
write memory

Step 8 – Create Login Account

In order to access the C9800-CL CLI and web interface we’ll need to create a login. Use secret rather than password so the credential is stored hashed, and pick a strong passphrase instead of the placeholder below.

username admin privilege 15 secret password1234

Step 9 – Day 0 Configuration

The initial configuration is complete with an IP address and user account to log in. Browse to the IP address of the C9800-CL and enter the credentials you defined in Step 8.

General Settings

In this section various parameters are defined such as the Country, time/timezone, NTP servers, and

Wireless Networks

Click on Next and now it is possible to create a wireless network. To create a new wireless network, click on Add and you will be prompted for the network name, type, and security settings.

Configure the wireless networks to your environment. Then click Next.

Advanced Settings

In this window, configure your RF Group name. Under AP Certificate ensure YES is selected and a password is configured for the AP certificate. The AP certificate is what allows access points to join the C9800-CL controller.

Click on Next to view the Summary to view all the changes.

Once everything has been reviewed Click on Finish. The initial configuration is complete. You will be logged out and prompted to log back in.

After logging in you will be able to configure the Catalyst 9800-CL controller. Further configuration of the C9800-CL will be covered in a future post.

Copyright © 2022 · Written by Rowell Dionicio · You're awesome.

 
