Rowell Dionicio

Get Techie With It

Cisco

Manage Cisco Catalyst in the (Meraki) Cloud

By 2 Comments

Table Of Contents
  1. Supported Platforms & Licensing
  2. Catalyst Wireless Support
  3. Features
  4. How do you get started?
  5. My Thoughts

Cisco Catalyst is coming to the Meraki cloud. Get ready to manage your Catalyst switches and access points using the Meraki dashboard.

With 47% of employees wanting to work with a hybrid option, cloud management infrastructure is a must.

Infrastructure we can manage and automate from anywhere creates a highly productive workforce.

Cisco has decided to bring flexibility for network operators by combining Meraki’s cloud management with Cisco Catalyst hardware. What you get is a centralized view of your network with real-time switch status and health.

It’s easier to monitor your network remotely and get traffic visibility where you weren’t able to previously.

Migrate to Meraki cloud monitoring for a unified view of your network infrastructure and troubleshoot from anywhere. Leverage the cloud and spend less time in the CLI using overlay management for your Catalyst hardware.

Catalyst 9500 switches

Supported Platforms & Licensing

Today, the Catalyst 9200, 9300 and 9500 switching platforms will be supported in the Meraki dashboard with two options:

  • Cloud Monitoring (monitor only)
  • Cloud Management (monitor and configuration)

The minimum firmware version to run on these switches is IOS-XE 17.3 or higher.

What about licensing?

Fully managed Catalyst switches will need to have DNA Advantage (DNA-A) or DNA Essentials (DNA-E).

Monitored Catalyst switches will use a Meraki license.

The difference between the two switching licenses is that DNA-E will not include application visibility or client usage data.

Will Meraki displace DNA Center? No. Cisco is providing flexibility and options. But you will need to decide where you want to manage your Catalyst infrastructure – Meraki, DNA Center, or standalone?

Once a Catalyst switch is fully managed by Meraki it will no longer be an IOS device. It will run Meraki software. But if it is a monitored switch, it can still be accessible via CLI.

Catalyst Wireless Support

Cisco is introducing three new Catalyst wireless access points that can be managed by the Meraki dashboard or a C9800 controller. Those are the:

  • CW9166
  • CW9164
  • CW9162

The SKUs with CW prepended will support either Meraki dashboard or the C9800 controller.

There isn’t much information on this yet but maybe more details will come out during Cisco Live 2022.

Features

This is the first iteration of Catalyst crossing over to the Meraki dashboard. We won’t see 100% feature parity of Catalyst switching features into the Meraki dashboard but it appears you can do basic monitoring and configuration. Additional details should be arriving soon.

Catalyst switches will in one of two modes: monitor-only or fully-managed.

Some of the features already supported include the Topology view to see where your network infrastructure is connecting.

Viewing Catalyst switches in the Meraki Topology view

A centralized view of your network switches and which are in monitor only mode.

Viewing a list of Catalyst switches in the Meraki dashboard

Drill into an individual switch, such as the Catalyst 9500, within the Meraki dashboard.

Catalyst 9500 monitoring in the Meraki Dashboard

Don’t forget the Catalyst Wi-Fi management capability in the Meraki dashboard.

Catalyst access point (CW9166) in the Meraki dashboard

How do you get started?

It’s a three step process to get started with monitoring Catalyst in the Meraki Dashboard:

  1. Collect your Catalyst device credentials
  2. Enable API access in your Meraki dashboard
  3. Use the Catalyst Onboarding app from the Meraki dashboard (Organization > Inventory)

My Thoughts

Is Cisco going all-in with Meraki? While Cisco has been building on-prem software solutions, such as DNA Center, we’ve seen competitors place their bets in the cloud. Cisco has always provided multiple options and this could just be another option. An option where DNA Center couldn’t fit in an organization’s environment but Meraki can.

But what drives one towards DNA or Meraki? Will the options confuse people? I’m hoping the licensing model will become more simplified as it has been with Meraki.

This is a good move for those in their upgrade cycles. It’s easier to migrate to cloud management with Meraki but still have the feature-rich capabilities of the Catalyst product line.

I hope to see more feature extensibility with Meraki, API, and NETCONF. I can see so many benefits leveraging the Meraki dashboard.

I’m going to be keeping my eye out for more during Cisco Live 2022.

How to Convert Cisco C9115 to Embedded Wireless Controller (EWC)

By 3 Comments

Embedded Wireless Controller (EWC) is a powerful way to deploy access points in an environment without the need for a dedicated physical controller such as the C9800-L. One of the access points will carry the virtual controller role and all other supported access points join to that controller.

Another great use case for EWC is for AP-on-a-Stick surveys. This is the reason why I needed to convert a Cisco C9115 to EWC mode from CAPWAP. A client of mine plans on deploying the C9115 but we needed make the predictive survey more accurate.

My Cisco C9115 was originally joined to a Cisco 3504 controller running 8.10 code and thus is running in CAPWAP mode.

Table Of Contents
  1. Download EWC
  2. Transfer Files to the C9115
  3. Provisioning

Download EWC

Download the Embedded Wireless Controller (EWC) code from Cisco’s website. For this example, I’m using version 16.12.4.

It’s up to you which version you want to download. I generally stay with the recommended version unless there’s something specific you need from another version. You will need a login to download the file, which is in zip format.

Extract the contents of the zip file.

Contents of the EWC zip file

We must extract the contents because we only need two files. One is the image for the C9115 and the other is the C9800 controller file.

The C9115 needs the ap1g7 image file and our controller file is C9800-AP-iosxe-wlc.bin.

If you’re using another access point model, consult with the table below:

AP ModelImage File Name
AP1815, AP154xap1g5
AP180x, AP183x, AP185xap1g4
C9115, C9120ap1g7
C9117ap1g6
C9130ap1g6a
AP380x, AP280x, AP156xap3g3

Transfer Files to the C9115

Next step is to fire up a TFTP server and transfer the files to the access point. Obviously, you’ll need connectivity to the access point in order to SSH and issue some commands.

First, transfer the two required files to your TFTP directory and ensure you set the correct permissions. I’m using MacOS and an application called TftpServer.

EWC files in the TFTP directory
Files showing up in TftpServer

Next, SSH into your access point and run the conversion command to convert the C9115 from CAPWAP to EWC:

P6-AP-01#ap-type ewc-ap tftp://172.16.103.37/ap1g7 tftp://172.16.103.37/C9800-AP-iosxe-wlc.bin

The IP address you see here is my TFTP Server. Change yours accordingly. Once the files are successfully downloaded, the AP will reboot. The C9800 bin file will be downloaded first followed by the AP image.

 
 p.p1 {margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px 'Helvetica Neue'} p.p2 {margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px 'Helvetica Neue'; min-height: 14.0px} 
 P6-AP-01#ap-type ewc-ap tftp://172.16.103.37/ap1g7 tftp://172.16.103.37/C9800-AP-iosxe-wlc.bin
 Starting download eWLC image tftp://172.16.103.37/C9800-AP-iosxe-wlc.bin ...
 It may take a few minutes. If longer, please abort command, check network and try again.
 ################################################################################################################# 100.0%
 Image download completed.
 Checking ...OK
 Checking image size...OK
 Verifying ...OK
 Versioning ...ws_management_version: 16.12.04a.0.9
 Successfully downloaded and setup eWLC image.
 Starting download AP image tftp://172.16.103.37/ap1g7 ...
 It may take a few minutes. If longer, please abort command, check network and try again.
 ################################################################################################################# 100.0%
 Image download completed.
 Upgrading ...
 upgrade.sh: Script called with args:[NO_UPGRADE]
 do NO_UPGRADE, part1 is active part
 upgrade.sh: Script called with args:[-c PREDOWNLOAD]
 do PREDOWNLOAD, part1 is active part
 upgrade.sh: Start doing upgrade arg1=PREDOWNLOAD arg2=,from_cli arg3= ...
 upgrade.sh: Using image /tmp/cli_part.tar on axel-bcm ...
 Image signing verify success.
 

 [2/8/2021 10:56:28] : Shadow is now in-synced with master
 

 [2/8/2021 10:56:28] : Verifying against bundle image btldr.img...
 upgrade.sh: part to upgrade is part2
 upgrade.sh: AP version1: part2 8.10.121.0, img 16.12.4.31
 upgrade.sh: Untar /tmp/cli_part.tar to /bootpart/part2...
 upgrade.sh: Sync image to disk...
 upgrade.sh: AP version2: part2 16.12.4.31, img 16.12.4.31
 upgrade.sh: AP backup  version: 16.12.4.31
 upgrade.sh: Finished upgrade task.
 upgrade.sh: Cleanup for do_upgrade...
 upgrade.sh: /tmp/upgrade_in_progress cleaned
 upgrade.sh: Cleanup tmp files ...
 upgrade.sh: Script called with args:[ACTIVATE]
 do ACTIVATE, part1 is active part
 upgrade.sh: activate part2, set BOOT to part2
 upgrade.sh: AP primary version after reload: 16.12.4.31
 upgrade.sh: AP backup  version after reload: 17.3.1.9
 Successfully setup AP image.
 Archive done.

Provisioning

Once the access point successfully boots, you’ll see a provisioning SSID called CiscoAirProvision-XXXX. The last part of the SSID will be the last octet of the AP’s MAC address.

CiscoAirProvision

The default password for the provisioning SSID is password.

The IP address of the controller is 192.168.1.1.

Log into the web interface with the following credentials:

Username: webui
Password: cisco

You’ll be required to perform Day 0 configuration which are the basics to get EWC running. Sections to configure include the country code, management user, management IP address, and a wireless network.

General Configuration
WLAN Configuration

When you’re done, click on Finish.

Wait for things to reconfigure and then you’re off and running with your Cisco Embedded Wireless Controller. Just remember to use the new management IP address you configured, if you changed it.

Cisco Catalyst 9800-CL – High Availability

By 4 Comments

Everyone wants high availability with their infrastructure. With Catalyst 9800 wireless LAN controller capable of being installed as a virtual machine, do you really need high availability?

I’d be nervous to have all my virtual machines on a single host. If that host failed, you lose everything. In regards to the Catalyst 9800-CL wireless LAN controller, we have the ability to configure two instances in high availability with stateful switchover.

High availability (HA) will provide minimal downtime for the wireless controllers. In this configuration, there will be an Active and Standby wireless controller.

Stateful switchover allows access points to establish a CAPWAP tunnel to the Active controller. The Active controller will copy a database of joined access points to the Standby wireless controller. Additionally, a client database is copied to the Standby wireless controller.

In summary, when the Active wireless controller fails, the Standby takes over with the access points and clients still connected seamlessly. The access points will not go into a Discovery state and clients will not get disconnected.

When deploying the Catalyst 9800-CL, there are three interfaces binded in the configuration. The third interface, GigabitEthernet3, is used as the dedicated Redundancy Port (RP).

This post describes configuring High Availability for the Catalyst 9800-CL in VMware ESXi 6.7.

Restrictions

There are some restrictions to keep in mind before configuring High Availability:

  • Keep the VMs on the same platform (ESXi, KVM, AWS, etc)
  • Both VMs are running the same version of software
  • Both VMs are running in the same installation mode
  • The IP addresses of the Redundant Port should be on the same subnet
  • Both devices have their own wireless management interface
  • Wireless management interface of both VMs must be in the same subnet
  • Both VMs should have the same CPU, memory, and hard disk

Connecting the Redundancy Port to a vSwitch

The RP on each Catalyst 9800-CL should be connected to their own vSwitch.

I’m running VMware ESXi 6.7. The first thing we need to do is create a vSwitch for the purposes of connecting the Redundancy Ports. For this demo, I’ll be configuring High Availability on a single host.

INSERT DIAGRAM ON VSWITCH AND REDUNDANT PORT NETWORK

Go to Networking -> Virtual switches -> and click on Add standard virtual switch

Give the vSwitch a name and click Add.

Edit the settings for each 9800-CL virtual machine and change the network interface for the RP to use the newly created vSwitch.

Redundancy and stateful switchover is already enabled in the configuration by default. We just need to set up the communications between the two wireless controllers.

I’m assuming you already have two 9800-CL configured and all you need to do is set up High Availability.

CLI

On wireless controller that will be your primary Active controller we configure the HA interface. The syntax is as follows:

Chassis redundancy ha-interface <rp-port> local-ip <local-ip-of-vm> <subnet-mask> remote-ip <ip-of-standby-vm>

chassis redundancy ha-interface GigabitEthernet2 local-ip 192.168.1.1 255.255.255.0 remote-ip 192.168.1.2

<rp-port> – The interface that is the Redundancy Port
<local-ip-of-vm> – The redundancy IP address of the VM you’re currently configuring.
<subnet-mask> – The subnet mask for the IP above
– The redundancy IP address of the Standby VM

Save the configuration and reboot the wireless controller.

Once the reboot process is complete, head over to your standby wireless controller.

We’ll run the same chassis redundancy command but swap the IP addresses.

Configuring C9800-CL with FlexConnect

By Leave a Comment

The Cisco Catalyst 9800 utilizes tags and profiles for granular control over AP capabilities. When there are multiple sites and a centralized wireless LAN controller in a data center, FlexConnect is often the configuration of choice. Rather than tunneling all data over a WAN and through a data center, there is an option to having traffic exited out the access point and locally on the switch. 

As part of configuring access points for FlexConnect in the Catalyst 9800, there is a new configuration model. Each access point is assigned a Policy Tag, Site Tag, and RF Tag. These tags will set the parameters for what we’re trying to achieve.  

Tags

Policy Tag

The Policy tag includes two profiles used to configure which WLANs are broadcasted tied to a Policy Profile to specify parameters such as the VLAN ID, whether you’re using central or local switching, etc.

Site Tag

The Site tag has two profiles associated to it, Flex Profile and AP Join Profile. This is where an AP is designated to be in local mode or in flex mode. The check box, Local Site State, if disabled becomes flex mode.

The AP Join Profile defines parameters such as CAPWAP timers, SSH, backup WLC, etc.

RF Tag

The RF tag is what was previously known as RF Profiles in AireOS. Parameters for 2.4 GHz and 5 GHz are configured such as data rates.

Configure the WLAN

Configuration > Tags & Profiles > WLANs

Click on the Add button and configure the new WLAN

Adding a WLAN

Configure Security for the WLAN

If needed, configure the Advanced settings. Then click on Apply to Device.

Configure the AP Join Profile

Configuration > Tags & Profiles > AP Join

There’s a default profile already there but we’ll configure a new one. If you’d like granular control over the configuration in the long term then I suggest configuring individual profiles and tags for different sites. 

Click Add to set up a new AP Join Profile. If you have a different NTP server per site, then this is where you can configure it, in the General tab.

If you need to adjust the TCP MSS, it can be done under the Client tab.

Under the CAPWAP tab, a Primary and Secondary controller can be configured along with CAPWAP settings for High Availability. 

In the Management tab, you can define SSH and user management credentials for the APs.

Everything else I’ll leave as default and click on Update & Apply to Device.

Configure the Flex Profile

Configuration > Tags & Profiles > Flex

This is where we configure our FlexConnect settings. Click on the Add button to add a new Flex Profile. In the General section, give it a good name and description. 

Enable Efficient Image Upgrade – One AP will become the primary to download the AP image from the controller over a WAN. The other “subordinate” APs will download the image from the primary AP. This reduces the amount of time it takes for APs to download the image by going over the LAN to the primary AP rather than all APs downloading an image over the WAN.

Set the Native VLAN ID if you want your APs to be on a specific VLAN. 

The other tab I’m going to configure is under VLAN. This is where we map our SSIDs to a local VLAN in FlexConnect mode. Then click Apply to Device.

Configure the Policy Profile

Configuration > Tags & Profiles > Policy

The Policy Profile gets combined with the WLAN to create a Policy Tag. For this reason, I recommend configuring a separate Policy Profile for each WLAN. But it is possible to use the same Policy Profile with multiple WLANs.

Click the Add button to modify the General tab of the policy. Give a descriptive name and description. Switch the button for Status to enabled. 

In this tab, I’m focusing on a FlexConnect configuration. The main setting for me is disabling Central Switching so client traffic is tunneled back to the C9800. 

Under the Access Policies tab, configure any ACLs required. I add the VLAN for this WLAN under the VLAN section. If this VLAN does not match with the VLAN configured in the Flex profile. The VLAN number in the Policy Profile will override the VLAN configured in the Flex Profile.

Configure any QoS and AVC settings you may require and under Mobility you have the ability to configure a Mobility Anchor.

Under the Advanced tab, we can configure settings such as Session and Idle timeouts, mDNS Service Policy, AAA policies, Air Time Fairness and more. Click Apply to Device

Configure RF Profiles

Configuration > Tags & Profiles > RF

The RF Profiles are the same as RF Profiles we dealt with in AireOS. Look over the default RF Profiles and if needed, create your own by clicking on the Add button.

Let’s pretend I have a specific use case for an RF Profile in my HQ site. I’ll start with the 5 GHz band.

In the 802.11 section, I can disable data rates I do not want.

RRM has a lot of options available. These settings vary between environments. Make your choices wisely but I always recommend tuning it from the default settings, especially TPC and DCA. Under Advanced, you can enable/disable Air Time Fairness and other settings. Click Apply to Device and create an RF Profile for 2.4 GHz.

Create a Policy Tag

Configuration > Tags & Profiles > Tags

Click on the Add button to create a new Policy Tag. This is where we add our WLAN and our Policy Profile together. Under WLAN-POLICY, click the Add button.

On the left dropdown, select the SSID you’d like to broadcast. On the right dropdown, select the correct Policy Profile for that SSID. Then click the checkmark. Continue adding the WLANs you need broadcasted with their Policy Profile. Then click Apply to Device.

Create a Site Tag

Configuration > Tags & Profiles > Site

The Site tag is used to group similarly grouped APs in a geographic area. This could be an office, a building, a floor of a building.. whatever you determine as a site. 

Click on the Add button. Aside from the name and description, select the AP Join Profile we had created earlier. Because we’re configuring this site to be in FlexConnect mode, we have to uncheck Enable Local Site. This will expose the Flex Profile dropdown where we select our previously configured HQ Flex Profile. 

Leaving Enable Local Site checked places the AP in local mode. Click Apply to Device.

Create an RF Tag

Configuration > Tags & Profiles > Tags

Next, we will configure an RF tag for our HQ site with the 2.4 and 5 GHz RF Profiles we created earlier. Click the Add button and select the RF Profiles we created. Then click Apply to Device.

Adding Tags to APs

Configuration > Tags & Profiles > Tags or Configuration > Access Points

After all that configuration, we come to the point where we can finally tag the APs with everything we’ve configured. If you have APs connected, they are probably using the default tags and profiles.

There are two locations to tag Access Points. Either in the Tags section or directly on the access point configuration.

Once the tags are applied to the access point you should see the AP mode change and have the correct tags applied. I should see the AP on the correct subnet as well.

A neat way to see what’s configured on the AP is by clicking on the blue icon near the AP name. This is the AP Operational Configuration Viewer.

Here you can verify what configuration is applied to the AP.

Next, test connectivity.

It was a long tutorial but I wanted to cover configuration from the beginning. To further validate connectivity, you should be able to see the devices MAC address on the switch port where the AP is connected on the correct VLAN.

Configuring a Cisco WLAN with WPA2 PSK

By Leave a Comment

Wireless is making it’s way into the CCNA certification. There are more objectives pushed into the CCNA 200-301 and for good reason. Wireless is a primary method of access to the network. And it must be taken seriously just as the wired network is.

One of the objectives of the CCNA 200-301 is configuring a WLAN with a WPA2 Pre-share key (PSK).

In this post I’ll be using a Cisco 3504 wireless LAN controller (WLC) running 8.10 code.

Creating a WLAN

After logging into the WLC, click on the WLANs tab at the top. This is where we configure our WLAN (or SSID).

You may or may not have any previously configured WLANs. In this lab, I’ll configure a brand new WLAN. On the top right, ensure the drop down is set to Create New and click on Go.

Next, we’ll be placed into a new section to configure our WLAN’s profile name and the name we want to broadcast (the SSID).

Type is set to WLAN.

Profile Name is set to whatever you like.

SSID is the name of the WLAN that will be broadcasted.

ID is the number we want to associate with this WLAN.

When ready, click on Apply at the top right.

Configuring the WLAN Settings

After applying, we’ll be able to modify many of the WLAN’s settings. On the first tab, General, is where we will Enable the WLAN, assign it to an interface or interface group, and ensure it is broadcasting.

Configure WPA2 with PSK

Next, click on the Security tab where we will configure our PSK using WPA2.

For Layer 2 Security we want to select WPA2. In my screenshot you will see WPA2+WPA3 because of the version of code I am using. You may see WPA+WPA2.

The Security Type should be changed to Personal. This is the PSK portion of the objective. The other option is Enterprise which will utilize 802.1X.

Our WPA2 parameters will use the WPA2 Policy with the AES encryption cipher.

Scrolling down, we will configure Authentication Key Management and set the PSK password.

For a plain-text password, select ASCII as the PSK Format and in the text box, type in your desired password for the WLAN.

When finished, click on Apply.

A WLAN is now configured using WPA2 PSK and enabled.