Cisco

How to Convert Cisco C9115 to Embedded Wireless Controller (EWC)

February 13, 2021 By Rowell Leave a Comment

Embedded Wireless Controller (EWC) is a powerful way to deploy access points in an environment without the need for a dedicated physical controller such as the C9800-L. One of the access points will carry the virtual controller role and all other supported access points join to that controller.

Another great use case for EWC is for AP-on-a-Stick surveys. This is the reason why I needed to convert a Cisco C9115 to EWC mode from CAPWAP. A client of mine plans on deploying the C9115 but we needed make the predictive survey more accurate.

My Cisco C9115 was originally joined to a Cisco 3504 controller running 8.10 code and thus is running in CAPWAP mode.

Table Of Contents

Download EWC
Transfer Files to the C9115
Provisioning

Download EWC

Download the Embedded Wireless Controller (EWC) code from Cisco’s website. For this example, I’m using version 16.12.4.

It’s up to you which version you want to download. I generally stay with the recommended version unless there’s something specific you need from another version. You will need a login to download the file, which is in zip format.

Extract the contents of the zip file.

We must extract the contents because we only need two files. One is the image for the C9115 and the other is the C9800 controller file.

The C9115 needs the ap1g7 image file and our controller file is C9800-AP-iosxe-wlc.bin.

If you’re using another access point model, consult with the table below:

AP Model	Image File Name
AP1815, AP154x	ap1g5
AP180x, AP183x, AP185x	ap1g4
C9115, C9120	ap1g7
C9117	ap1g6
C9130	ap1g6a
AP380x, AP280x, AP156x	ap3g3

Transfer Files to the C9115

Next step is to fire up a TFTP server and transfer the files to the access point. Obviously, you’ll need connectivity to the access point in order to SSH and issue some commands.

First, transfer the two required files to your TFTP directory and ensure you set the correct permissions. I’m using MacOS and an application called TftpServer.

Next, SSH into your access point and run the conversion command to convert the C9115 from CAPWAP to EWC:

P6-AP-01#ap-type ewc-ap tftp://172.16.103.37/ap1g7 tftp://172.16.103.37/C9800-AP-iosxe-wlc.bin

The IP address you see here is my TFTP Server. Change yours accordingly. Once the files are successfully downloaded, the AP will reboot. The C9800 bin file will be downloaded first followed by the AP image.

 
 p.p1 {margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px 'Helvetica Neue'} p.p2 {margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px 'Helvetica Neue'; min-height: 14.0px} 
 P6-AP-01#ap-type ewc-ap tftp://172.16.103.37/ap1g7 tftp://172.16.103.37/C9800-AP-iosxe-wlc.bin
 Starting download eWLC image tftp://172.16.103.37/C9800-AP-iosxe-wlc.bin ...
 It may take a few minutes. If longer, please abort command, check network and try again.
 ################################################################################################################# 100.0%
 Image download completed.
 Checking ...OK
 Checking image size...OK
 Verifying ...OK
 Versioning ...ws_management_version: 16.12.04a.0.9
 Successfully downloaded and setup eWLC image.
 Starting download AP image tftp://172.16.103.37/ap1g7 ...
 It may take a few minutes. If longer, please abort command, check network and try again.
 ################################################################################################################# 100.0%
 Image download completed.
 Upgrading ...
 upgrade.sh: Script called with args:[NO_UPGRADE]
 do NO_UPGRADE, part1 is active part
 upgrade.sh: Script called with args:[-c PREDOWNLOAD]
 do PREDOWNLOAD, part1 is active part
 upgrade.sh: Start doing upgrade arg1=PREDOWNLOAD arg2=,from_cli arg3= ...
 upgrade.sh: Using image /tmp/cli_part.tar on axel-bcm ...
 Image signing verify success.
 

 [2/8/2021 10:56:28] : Shadow is now in-synced with master
 

 [2/8/2021 10:56:28] : Verifying against bundle image btldr.img...
 upgrade.sh: part to upgrade is part2
 upgrade.sh: AP version1: part2 8.10.121.0, img 16.12.4.31
 upgrade.sh: Untar /tmp/cli_part.tar to /bootpart/part2...
 upgrade.sh: Sync image to disk...
 upgrade.sh: AP version2: part2 16.12.4.31, img 16.12.4.31
 upgrade.sh: AP backup  version: 16.12.4.31
 upgrade.sh: Finished upgrade task.
 upgrade.sh: Cleanup for do_upgrade...
 upgrade.sh: /tmp/upgrade_in_progress cleaned
 upgrade.sh: Cleanup tmp files ...
 upgrade.sh: Script called with args:[ACTIVATE]
 do ACTIVATE, part1 is active part
 upgrade.sh: activate part2, set BOOT to part2
 upgrade.sh: AP primary version after reload: 16.12.4.31
 upgrade.sh: AP backup  version after reload: 17.3.1.9
 Successfully setup AP image.
 Archive done.

Provisioning

Once the access point successfully boots, you’ll see a provisioning SSID called CiscoAirProvision-XXXX. The last part of the SSID will be the last octet of the AP’s MAC address.

The default password for the provisioning SSID is password.

The IP address of the controller is 192.168.1.1.

Log into the web interface with the following credentials:

Username: webui
Password: cisco

You’ll be required to perform Day 0 configuration which are the basics to get EWC running. Sections to configure include the country code, management user, management IP address, and a wireless network.

When you’re done, click on Finish.

Wait for things to reconfigure and then you’re off and running with your Cisco Embedded Wireless Controller. Just remember to use the new management IP address you configured, if you changed it.

Cisco Catalyst 9800-CL – High Availability

November 30, 2020 By Rowell 2 Comments

Everyone wants high availability with their infrastructure. With Catalyst 9800 wireless LAN controller capable of being installed as a virtual machine, do you really need high availability?

I’d be nervous to have all my virtual machines on a single host. If that host failed, you lose everything. In regards to the Catalyst 9800-CL wireless LAN controller, we have the ability to configure two instances in high availability with stateful switchover.

High availability (HA) will provide minimal downtime for the wireless controllers. In this configuration, there will be an Active and Standby wireless controller.

Stateful switchover allows access points to establish a CAPWAP tunnel to the Active controller. The Active controller will copy a database of joined access points to the Standby wireless controller. Additionally, a client database is copied to the Standby wireless controller.

In summary, when the Active wireless controller fails, the Standby takes over with the access points and clients still connected seamlessly. The access points will not go into a Discovery state and clients will not get disconnected.

When deploying the Catalyst 9800-CL, there are three interfaces binded in the configuration. The third interface, GigabitEthernet3, is used as the dedicated Redundancy Port (RP).

This post describes configuring High Availability for the Catalyst 9800-CL in VMware ESXi 6.7.

Restrictions

There are some restrictions to keep in mind before configuring High Availability:

Keep the VMs on the same platform (ESXi, KVM, AWS, etc)
Both VMs are running the same version of software
Both VMs are running in the same installation mode
The IP addresses of the Redundant Port should be on the same subnet
Both devices have their own wireless management interface
Wireless management interface of both VMs must be in the same subnet
Both VMs should have the same CPU, memory, and hard disk

Connecting the Redundancy Port to a vSwitch

The RP on each Catalyst 9800-CL should be connected to their own vSwitch.

I’m running VMware ESXi 6.7. The first thing we need to do is create a vSwitch for the purposes of connecting the Redundancy Ports. For this demo, I’ll be configuring High Availability on a single host.

INSERT DIAGRAM ON VSWITCH AND REDUNDANT PORT NETWORK

Go to Networking -> Virtual switches -> and click on Add standard virtual switch

Give the vSwitch a name and click Add.

Edit the settings for each 9800-CL virtual machine and change the network interface for the RP to use the newly created vSwitch.

Redundancy and stateful switchover is already enabled in the configuration by default. We just need to set up the communications between the two wireless controllers.

I’m assuming you already have two 9800-CL configured and all you need to do is set up High Availability.

CLI

On wireless controller that will be your primary Active controller we configure the HA interface. The syntax is as follows:

Chassis redundancy ha-interface <rp-port> local-ip <local-ip-of-vm> <subnet-mask> remote-ip <ip-of-standby-vm>

chassis redundancy ha-interface GigabitEthernet2 local-ip 192.168.1.1 255.255.255.0 remote-ip 192.168.1.2

<rp-port> – The interface that is the Redundancy Port
<local-ip-of-vm> – The redundancy IP address of the VM you’re currently configuring.
<subnet-mask> – The subnet mask for the IP above
– The redundancy IP address of the Standby VM

Save the configuration and reboot the wireless controller.

Once the reboot process is complete, head over to your standby wireless controller.

We’ll run the same chassis redundancy command but swap the IP addresses.

Configuring C9800-CL with FlexConnect

November 13, 2020 By Rowell Leave a Comment

The Cisco Catalyst 9800 utilizes tags and profiles for granular control over AP capabilities. When there are multiple sites and a centralized wireless LAN controller in a data center, FlexConnect is often the configuration of choice. Rather than tunneling all data over a WAN and through a data center, there is an option to having traffic exited out the access point and locally on the switch.

As part of configuring access points for FlexConnect in the Catalyst 9800, there is a new configuration model. Each access point is assigned a Policy Tag, Site Tag, and RF Tag. These tags will set the parameters for what we’re trying to achieve.

Watch this video on YouTube

Configure the WLAN

Configuration > Tags & Profiles > WLANs

Click on the Add button and configure the new WLAN

Configure Security for the WLAN

If needed, configure the Advanced settings. Then click on Apply to Device.

Configure the AP Join Profile

Configuration > Tags & Profiles > AP Join

There’s a default profile already there but we’ll configure a new one. If you’d like granular control over the configuration in the long term then I suggest configuring individual profiles and tags for different sites.

Click Add to set up a new AP Join Profile. If you have a different NTP server per site, then this is where you can configure it, in the General tab.

If you need to adjust the TCP MSS, it can be done under the Client tab.

Under the CAPWAP tab, a Primary and Secondary controller can be configured along with CAPWAP settings for High Availability.

In the Management tab, you can define SSH and user management credentials for the APs.

Everything else I’ll leave as default and click on Update & Apply to Device.

Configure the Flex Profile

Configuration > Tags & Profiles > Flex

This is where we configure our FlexConnect settings. Click on the Add button to add a new Flex Profile. In the General section, give it a good name and description.

Enable Efficient Image Upgrade – One AP will become the primary to download the AP image from the controller over a WAN. The other “subordinate” APs will download the image from the primary AP. This reduces the amount of time it takes for APs to download the image by going over the LAN to the primary AP rather than all APs downloading an image over the WAN.

Set the Native VLAN ID if you want your APs to be on a specific VLAN.

The other tab I’m going to configure is under VLAN. This is where we map our SSIDs to a local VLAN in FlexConnect mode. Then click Apply to Device.

Configure the Policy Profile

Configuration > Tags & Profiles > Policy

The Policy Profile gets combined with the WLAN to create a Policy Tag. For this reason, I recommend configuring a separate Policy Profile for each WLAN. But it is possible to use the same Policy Profile with multiple WLANs.

Click the Add button to modify the General tab of the policy. Give a descriptive name and description. Switch the button for Status to enabled.

In this tab, I’m focusing on a FlexConnect configuration. The main setting for me is disabling Central Switching so client traffic is tunneled back to the C9800.

Under the Access Policies tab, configure any ACLs required. I add the VLAN for this WLAN under the VLAN section. If this VLAN does not match with the VLAN configured in the Flex profile. The VLAN number in the Policy Profile will override the VLAN configured in the Flex Profile.

Configure any QoS and AVC settings you may require and under Mobility you have the ability to configure a Mobility Anchor.

Under the Advanced tab, we can configure settings such as Session and Idle timeouts, mDNS Service Policy, AAA policies, Air Time Fairness and more. Click Apply to Device

Configure RF Profiles

Configuration > Tags & Profiles > RF

The RF Profiles are the same as RF Profiles we dealt with in AireOS. Look over the default RF Profiles and if needed, create your own by clicking on the Add button.

Let’s pretend I have a specific use case for an RF Profile in my HQ site. I’ll start with the 5 GHz band.

In the 802.11 section, I can disable data rates I do not want.

RRM has a lot of options available. These settings vary between environments. Make your choices wisely but I always recommend tuning it from the default settings, especially TPC and DCA. Under Advanced, you can enable/disable Air Time Fairness and other settings. Click Apply to Device and create an RF Profile for 2.4 GHz.

Create a Policy Tag

Configuration > Tags & Profiles > Tags

Click on the Add button to create a new Policy Tag. This is where we add our WLAN and our Policy Profile together. Under WLAN-POLICY, click the Add button.

On the left dropdown, select the SSID you’d like to broadcast. On the right dropdown, select the correct Policy Profile for that SSID. Then click the checkmark. Continue adding the WLANs you need broadcasted with their Policy Profile. Then click Apply to Device.

Create a Site Tag

Configuration > Tags & Profiles > Site

The Site tag is used to group similarly grouped APs in a geographic area. This could be an office, a building, a floor of a building.. whatever you determine as a site.

Click on the Add button. Aside from the name and description, select the AP Join Profile we had created earlier. Because we’re configuring this site to be in FlexConnect mode, we have to uncheck Enable Local Site. This will expose the Flex Profile dropdown where we select our previously configured HQ Flex Profile.

Leaving Enable Local Site checked places the AP in local mode. Click Apply to Device.

Create an RF Tag

Configuration > Tags & Profiles > Tags

Next, we will configure an RF tag for our HQ site with the 2.4 and 5 GHz RF Profiles we created earlier. Click the Add button and select the RF Profiles we created. Then click Apply to Device.

Adding Tags to APs

Configuration > Tags & Profiles > Tags or Configuration > Access Points

After all that configuration, we come to the point where we can finally tag the APs with everything we’ve configured. If you have APs connected, they are probably using the default tags and profiles.

There are two locations to tag Access Points. Either in the Tags section or directly on the access point configuration.

Once the tags are applied to the access point you should see the AP mode change and have the correct tags applied. I should see the AP on the correct subnet as well.

A neat way to see what’s configured on the AP is by clicking on the blue icon near the AP name. This is the AP Operational Configuration Viewer.

Here you can verify what configuration is applied to the AP.

Next, test connectivity.

It was a long tutorial but I wanted to cover configuration from the beginning. To further validate connectivity, you should be able to see the devices MAC address on the switch port where the AP is connected on the correct VLAN.

Configuring a Cisco WLAN with WPA2 PSK

June 8, 2020 By Rowell Leave a Comment

Wireless is making it’s way into the CCNA certification. There are more objectives pushed into the CCNA 200-301 and for good reason. Wireless is a primary method of access to the network. And it must be taken seriously just as the wired network is.

Watch this video on YouTube

One of the objectives of the CCNA 200-301 is configuring a WLAN with a WPA2 Pre-share key (PSK).

In this post I’ll be using a Cisco 3504 wireless LAN controller (WLC) running 8.10 code.

Creating a WLAN

After logging into the WLC, click on the WLANs tab at the top. This is where we configure our WLAN (or SSID).

You may or may not have any previously configured WLANs. In this lab, I’ll configure a brand new WLAN. On the top right, ensure the drop down is set to Create New and click on Go.

Next, we’ll be placed into a new section to configure our WLAN’s profile name and the name we want to broadcast (the SSID).

Type is set to WLAN.

Profile Name is set to whatever you like.

SSID is the name of the WLAN that will be broadcasted.

ID is the number we want to associate with this WLAN.

When ready, click on Apply at the top right.

Configuring the WLAN Settings

After applying, we’ll be able to modify many of the WLAN’s settings. On the first tab, General, is where we will Enable the WLAN, assign it to an interface or interface group, and ensure it is broadcasting.

Configure WPA2 with PSK

Next, click on the Security tab where we will configure our PSK using WPA2.

For Layer 2 Security we want to select WPA2. In my screenshot you will see WPA2+WPA3 because of the version of code I am using. You may see WPA+WPA2.

The Security Type should be changed to Personal. This is the PSK portion of the objective. The other option is Enterprise which will utilize 802.1X.

Our WPA2 parameters will use the WPA2 Policy with the AES encryption cipher.

Scrolling down, we will configure Authentication Key Management and set the PSK password.

For a plain-text password, select ASCII as the PSK Format and in the text box, type in your desired password for the WLAN.

When finished, click on Apply.

A WLAN is now configured using WPA2 PSK and enabled.

Configuring CML-P Breakout Tool for MacOS

May 31, 2020 By Rowell Leave a Comment

Watch this video on YouTube

Cisco has released the next iteration of VIRL, which is now named CML-P (Cisco Modeling Labs – Personal edition).

The Breakout Tool allows you to use your terminal application, such as iTerm2, to console into your lab network devices within CML-P.

Table Of Contents

Accessing the Breakout Tool
Using the Breakout Tool
Configure the Breakout Tool
Console into your lab devices

Accessing the Breakout Tool

Once logged into CML-P, click on Tools and click on Breakout Tool which will open in a new window.

You’ll see text describing the Breakout Tool, how to install it, and utilize the command line interface. As described on the page:

The CML² breakout utility provides users connectivity to the device console ports that are operating in a lab environment. It acts like a a local terminal server that embeds the various serial ports/lines into an single HTTPS connection to the control server. Console access is done via Telnet and the graphics framebuffer is accessed via the VNC protocol.
The breakout utility allows for users to use their favorite external terminal emulator like Putty, Kitty, SecureCRT, etc. to devices in CML².
What is CML-P Breakout Tool

Scroll all the way to the bottom of the page where you’ll find the files you need to run the CML-P Breakout Tool. Save the file into it’s own folder.

Using the Breakout Tool

The Breakout Tool should be downloaded into it’s own folder. Once we get the Breakout Tool running, it will end up creating a YAML file.

Once the file is downloaded into it’s own directory, we need change it so it is executable. If you look at the permissions, it is not set to execute.

$ ls -l
total 27584
-rw-r--r--@ 1 cts  staff  13390936 May 31 20:09 breakout-macos-x86_amd64

Our next step is to modify the file permissions so it is executable. You may need to run this with elevated privileges:

$ chmod u+x breakout-macos-x86_amd64

We can see the permissions have changed:

$ ls -l
total 27584
-rwxr--r--@ 1 cts  staff  13390936 May 31 20:09 breakout-macos-x86_amd64

Now we can execute the file and see what options we have. Running the command requires a parameter. Without a parameter you are given some options.

$ ./breakout-macos-x86_amd64
missing parameter
breakout-macos-x86_amd64 0.2.1-build-v2.0.0-13
Build info:
  Built:      2020-04-08T19:39:15Z
  Git commit: 3a441a53a0aa549a
  Go version: go1.12.14
  Platform:   linux/amd64
  Build host: virl-rtp-jenkins-1.cisco.com 4.18.0-80.11.2.el8_0.x86_64 x86_64


Usage:
	breakout-macos-x86_amd64 [flags] COMMAND
Parameters:
	COMMAND (required), 'config', 'init', 'run' or 'ui'
	'init' takes an optional 'lab' argument
	it will look for a lab ID or label that matches
	if providing a lab title, it has to be unique
	BREAKOUT_ enviroment variables control config as well.
Workflow:
	- create a default configuration file with 'config', adapt to your needs
	- use 'init' to retrieve lab information from controller
	- enable labs or individual nodes in lab configuration file created by 'init'
	- use 'run' to start the breakout process
Alternative:
	- use 'ui' to run a web frontend.
Flags:
  -alsologtostderr
    	log to standard error as well as files
  -config string
    	global configuration filename (default "config.yaml")
  -extralf
    	send an extra LF when serial line is opened
  -labs string
    	the data file to use (default "labs.yaml")
  -listen string
    	address to listen on (default "[::1]")
  -log_backtrace_at value
    	when logging hits line file:N, emit a stack trace
  -log_dir string
    	If non-empty, write log files in this directory
  -logtostderr
    	log to standard error instead of files
  -noverify
    	disable TLS verify
  -port int
    	local port to listen on for UI mode (default 8080)
  -stderrthreshold value
    	logs at or above this threshold go to stderr
  -v value
    	log level for V logs
  -vmodule value
    	comma-separated list of pattern=N settings for file-filtered logging

The parameter options are:

config
init
run
ui

The easiest option, in my opinion, is to run the ui parameter. This starts up a web server locally on your computer. And from that user interface, we’ll be able to configure the rest of the Breakout Tool to be used with CML-P.

Issue the following command, ./breakout-macos-x86_amd64 ui

$ ./breakout-macos-x86_amd64 ui
Starting up...
W0531 20:21:08.392662   89716 run.go:238] open labs.yaml: no such file or directory
Running... Serving UI/API on http://[::1]:8080, Ctrl-C to stop.

From here we can see that we can browse to http://localhost:8080.

Configure the Breakout Tool

You’re now looking at the webpage located at http://localhost:8080. From there, click on Configuration. This is where we will set the location of our CML-P server instance with the correct credentials. You can follow the same settings below, but change your username and password to reflect your installation.

While this is all running, your terminal window will continue to show output. You can close down the server by issuing CTRL-C, but don’t do that yet.

What parameters you need to configure:

Controller address – The url to your CML-P instance
Verify TLS certificate – Disable this option
Populate all nodes – When enabled, fetches all available nodes from controller. Otherwise only ‘started’ nodes will be included.
Username – The username to log into your CML-P instance.
Password – The password for the user account above.
Leave everything else in defaults.

Click on Save and then click on the Labs tab at the top of the window.

Click on the blue Refresh button to have the Breakout Tool load your available labs.

In order to console into your network device, the Status for the lab needs to be On. Click on the button to activate the status. Then click on your lab.

With the Status set to On, we can see the URL to reach these network devices using iTerm2 and at which port. You’ll notice that it is using Telnet, which port to reach the entwork device, the status of the serial port and whether it is enabled.

I noticed that the link is hyperlinked but doesn’t do anything for me when clicked. It also appears to be in IPv6.

Console into your lab devices

Now let’s head over to iTerm2. You will notice in my example, SW1 is using serial0 on port 9000. All we have to do is telnet to our localhost on port 9000.

telnet localhost 9000

Then you’ll find that you’re able to log into your network device!

$ telnet localhost 9000
Trying ::1...
Connected to localhost.
Escape character is '^]'.

**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************
SW1>en
SW1#show version
Cisco IOS Software, vios_l2 Software (vios_l2-ADVENTERPRISEK9-M), Version 15.2(CML_NIGHTLY_20190423)FLO_DSGS7, EARLY DEP