Embed Size (px)
Citation preview
WLC 3504 Release 8.5 Deployment Guide
Product Overview 2
Cisco WLC 3504 Key Attributes 2
Supported Software Release and Interoperability 5
Platform Components 5
Deploying Cisco WLC 3504 10
Deploying WLC 3504 through Service Port 10
Deploying WLC 3504 through CLI 15
High Availability with Cisco WLC 3504 17
Configuring mGig Port on WLC 3504 18
Configuring LAG between WLC and Switch 19
Restrictions for Link Aggregation 20
Configuring LAG on WLC 21
Configuring Neighbor Devices to Support Link Aggregation 21
Upgrading WLC 3504 using USB 22
Revised: November 7, 2017,
Product OverviewThe explosion of mobile clients in enterprise empowered by bring your own device (BYOD), the deployment of wireless inmission-critical applications, and the adoption of Wi-Fi in service provider networks enabling new business models require wirelessnetworks to provide larger AP scale, client scale, and higher throughput.
The Cisco 3504 Wireless Controller is a compact, highly scalable, service-rich, resilient, and industry's first Multigigabit Ethernetplatform that enables next-generation wireless networks for small to medium-sized enterprises and branch office deployments.
Optimized for for 802.11ac Wave 2 performance, Cisco 3504 Wireless Controller provides centralized control, management, andtroubleshooting for small to medium-sized enterprises and branch offices. It offers flexibility to support multiple deployment modesin the same controller-a centralized mode for campus environments, Cisco FlexConnect® mode for lean branches managed overthe WAN, and a mesh (bridge) mode for deployments in which full Ethernet cabling is unavailable.
As a component of the Cisco Unified Wireless Network, the 3504 controller provides real-time communications between CiscoAironet®Access Points, Cisco Prime® Infrastructure, and CiscoMobility Services Engine, and is interoperable with the Cisco 5520and 8540 Wireless Controllers.
Figure 1: Cisco 3504 Wireless LAN Controller
Cisco WLC 3504 Key AttributesThe Cisco Unified Wireless Network Software Release 8.5 delivers the new Cisco WLC 3504 controller with support for 150 APs,3,000 and 4 Gbps throughput, to ensure better performance and scale for business-critical networks.
2
Table 1: Features and Benefit
BenefitFeatures
Optimized to enable 802.11ac Wave 2 next-generationnetworks, supporting:
• 4-Gbps throughput
• 150 access points
• 3000 clients
• 1x Multigigabit Ethernet interface (1, 2.5 or 5), + 4x 1Gigabit Ethernet
• 512 VLANs
• 150 AP Groups
• 100 FlexConnect Groups
• 100 APs per FlexConnect Group
• 512 Interface Groups
• PMK Cache Size of 14000
• Support for 1500 RFIDs tracking
• Detection and containment of up to 600 Rogue APs and1500 Rogue Clients
• 50 APs per RRM Group
• 180000 AVC Flows
• Database Size is 12000
Scale and Performance
• N+1 Redundancy
• SSO–True Box to Box High Availability i.e. 1:1
◦AP SSO
◦Client SSO
◦Subsecond failover for uninterrupted applicationavailability
• WLC Redundancy with Mobility Groups
• LAG with 1GE and mGig(when enabled for 1Gig)
Redundancy and High Availability
• Local, FlexConnect, Monitor, Rogue Detector, Sniffer,Bridge, and Flex+bridge
AP Mode Support
3
BenefitFeatures
• 1260, 3500, 600
• 1600, 2600, 3600
• 1700, 2700, 3700
• 1800, 2800, 3800
• 1815T, OEAP 1810, OEAP 600
• 1815l,1815W, 1810W, 702I, 702W
• 1530, 1540, 1550, 1560, 1570
AP Platform Support
• TrustSec SXP, SGT Support
• DTLS encryption on the control plane between accesspoints and controllers across remote WAN links
• Management frame protection detects malicious usersand alerts network administrators
• Rogue detection for Payment Card Industry (PCI)compliance
Rogue access point detection and detection ofdenial-of-service attacks
Security
• CLI Setup Wizard, WLAN Express Setup using ServicePort, Auto-Install
Ease of Deployment
• Right-to-use (with EndUser License Agreement [EULA]acceptance) license enablement for faster time todeployment
• Flexibility to add additional access points (up to 150access points) as business needs grow
• Cisco Smart Software Licensing
• License Portability from WLC5520 and WLC8540
Licensing
Cisco WLC 3504 has software feature parity with Cisco WLC 5520 unless otherwise stated.Note
4
Supported Software Release and Interoperability• AireOS® Release –AireOS® Release 8.5.103.0 and later
• Cisco Prime Infrastructure–Release 3.2
• Identity Services Engine–Recommended ISE Release 2.2 and later
• Connected Mobility Experiences (CMX)–10.2 and later
Platform Components
Understanding Cisco WLC 3504 Front Panel ViewCisco WLC 3504 supports several interfaces and status LED indicators on the front panel.
Figure 2: WLC 3504 Front Panel Interfaces
Table 2: WLC 3504 Front Panel Interfaces
DescriptionPort as noted in figure aboveInterfaces on WLC 3504
Dedicated Service Port for Out-of-BandManagement
1Service Port
There are two console ports on the WLC3504. There is a serial RJ45 console portand a mini USB port. Both of theseconsole ports are in XOR configurationi.e. only one will be operational at a time.If one connects to both the console ports,RJ45 will take precedence.
2 and 3Console
5
DescriptionPort as noted in figure aboveInterfaces on WLC 3504
USB 3.0 Port can be used to performSoftware Updates in addition to alreadyavailable Transfer Mode i.e. HTTP,TFTP, FTP and SFTP.
4USB
There is one mGig port for DataConnectivity which can be configuredfor 1, 2.5 and 5 Gbps
5mGig Port
There are four Gigabit Ethernet Ports onthe WLC 3504 for Data Connectivity.Port 3 and Port 4 also have PoE out andcan provide 802.3at power.
GiGE Ports
Reset button can be used to Reset theWLC 3504 to factory defaults.
7Reset
There are three LEDs on the front panelof WLC3504. There is a System LED,Alarm LED and High Availability LED.For description of LED states, pleaserefer to the section LED Indicators.
8Status LED
WLC 3504 supports High Availabilitysimilar to WLC 5520 and WLC 8540.The Redundancy ports can be connectedback to back or via an L2 switch.
9Redundancy Port
LED Status IndicatorsThere are 3 LEDs on the front panel of WLC 3504. They are as follows:
• System LED
• Alarm LED
6
• High Availability LED
Figure 3: LED Indicators
Table 3: LED Indicators
Icons as noted in figure aboveLED Indicators
1System
2Alarm
3High Availability
For LED state definitions, please refer to the tables below:
Table 4: System LED Indicator
System LED StateFunction
AmberGreen
7
BLINKSOFFSystem Power Up
OFFBLINKSSystem boot
OFFONAfter boot up
OFFONController image upgrade
ONOFFSystem Crash
ONOFFFirmware Upgrade
BLINKSOFFInternal Voltage Error
OFFOFFTemperature Error
Table 5: Alarm LED Indicator
Alarm LED StateFunction
AmberGreen
ONOFFSystem Power Up
ONOFFSystem boot
OFFOFFAfter boot up
OFFBLINKSController image upgrade
OFFOFFSystem Crash
ONOFFFirmware Upgrade
ONOFFInternal Voltage Error
BLINKSOFFTemperature Error
Table 6: High Availability LED Indicator
High Availability LED StateFunction
SOLID GREENHA Port paired with peer controller
SLOW BLINK GREENHA StandBy HOT
SLOW BLINK AMBERBootup and HA Standby Cold
FAST BLINK AMBERHA Maintenance
SLOD AMBERPeer not found
OFFStandby/HA Disabled
8
Understanding Cisco WLC 3504 Back Panel ViewSimilar to the WLC 2504, the power connector on WLC 3504 is at the back of the chassis. It is a 4 Pin locking Molex MiniFit Jr.jack. There is also a Kensington Security Port is the WLC chassis has to be locked down.
Figure 4: WLC 3504 Back Panel Interfaces
Table 7: WLC 3504 Back Panel Interfaces
DescriptionPort as noted in figure aboveInterfaces on WLC 3504
4 Pin locking Molex MiniFit Jr Jack1Power Port
Heat Fins2Heat Fins
Kensington Security Port3Security Port
WLC 3504 Power SupplyWLC 3054 has a single Power Supply(PWR-115W-AC). It is dual 12V/54VDC output power supply (with sufficient capacity tosupport two 802.3at PoE out ports and 12VDC capacity for the system.
9
Deploying Cisco WLC 3504Cisco WLC 3504 supports deploying WLC 3504 using the Service Port as well as CLI. In this guide, both of the methods aredocumented below.
Over-the-air-provisioning is not supported on WLC 3504 in Release 8.5.Note
Deploying WLC 3504 through Service PortService Port on Cisco WLC 3504 supports the following management services:
1 HTTP/HTTPS web-based access
2 SNMP polling v2 and v3
3 Syslog
4 SSH or Telnet
5 Transfer download and upload
10
To deploy WLC 3504 using the Service Port, follow the procedure below:
Procedure
Step 1 Connect a PC laptop's wired Ethernet port directly to Service Port of the WLC 3504.Step 2 Power up WLC 3504.Step 3 The Laptop should get an IP address in 192.168.0.x network.Step 4 Open the browser and browse to http://192.168.0.1 . The Setup Wizard will start.Step 5 Create the WLC admin account as shown below.
Step 6 Under the Set Up Your Controller section, please enter the following:
• System Name–Enter the System Name
• Country–Select the country
• Date & Time–Select Date & Time manually
• Tiemzone–Select the Timezone
• NTP Server–If you do not want to select the Date & Time manually, you can also enter the IP address of an NTPserver
• Management IP Address–Enter the Management IP address of the controller
• Subnet Mask–Enter the Subnet Mask of the controller
• Default Gateway–Enter the Default Gateway for the controller
11
• Management VLAN–For tagged, enter the Management VLAN else leave is blank
Step 7 Under the Create Your Wireless Network, enter the following:
• Network Name–Enter the Network Name. This will be the SSID.
• Security–Enter the Security for this WLAN. I am selecting WPA2 Personal.
• Passphrase–Enter the passphrase for the SSID.
• VLAN–If WLAN is on the same network as Management, select ‘Management VLAN’ else enter the VLAN ID forthe WLAN.
• DHCP Server–This is optional but one can enter the DHCP server for the WLAN clients.
12
Step 8 Enable RF Parameter Optimization and select the Client Density and Traffic Type.Step 9 Enter the following as well:
• Virtual IP address: Enter the Virtual IP address.
• Local Mobility Group–Enter the Local Mobility Group name.
• Service Port Interface–Leave this as DHCP if you want the Service Port to obtain an IP address from the DHCPserver. Service Port is typically used out-of-band management and should be on a different network than the controllermanagement network.
13
Step 10 Confirm the Settings below. The WLC will go through the reboot.
14
Step 11 After the reboot, open a Web Browser and navigate to the WLC 3540 Management WebUI.
Deploying WLC 3504 through CLIDeploying WLC 3504 is similar to how the 5508 and 5520 WLC are deployed.
To deploy WLC 3504, follow the procedure below:
15
Procedure
Step 1 Connect to the console of the WLC 3504.Step 2 (Cisco Controller)
Welcome to the Cisco Wizard Configuration ToolUse the '-' character to backup
Would you like to terminate autoinstall? [yes]: yesAUTO-INSTALL: process terminated -- no configuration loaded
Enter Administrative User Name (24 characters max): adminEnter Administrative Password (3 to 24 characters): ********Re-enter Administrative Password : ********
Service Interface IP Address Configuration [static][DHCP]:
Enable Link Aggregation (LAG) [yes][NO]: NO
Management Interface IP Address: 172.20.229.21Management Interface Netmask: 255.255.255.192Management Interface Default Router: 172.20.229.2Cleaning up Provisioning SSIDManagement Interface VLAN Identifier (0 = untagged): 122Management Interface Port Num [1 to 5]: 1Management Interface DHCP Server IP Address: 172.20.229.2
Enable HA [yes][NO]: NO
Virtual Gateway IP Address: 10.0.0.1
Mobility/RF Group Name: WLC3504
Network Name (SSID): EMPLOYEE-3504
Configure DHCP Bridging Mode [yes][NO]: NO
Allow Static IP Addresses [YES][no]:
Configure a RADIUS Server now? [YES][no]: noWarning! The default WLAN security policy requires a RADIUS server.Please see documentation for more details.
Enter Country Code list (enter 'help' for a list of countries) [US]:
Enable 802.11b Network [YES][no]: YESEnable 802.11a Network [YES][no]: YESEnable 802.11g Network [YES][no]: YESEnable Auto-RF [YES][no]: YES
Configure a NTP server now? [YES][no]: YESEnter the NTP server's IP address: 171.68.38.65
16
Enter a polling interval between 3600 and 604800 secs: 3600
Would you like to configure IPv6 parameters[YES][no]: no
Configuration correct? If yes, system will save it and reset. [yes][NO]: yesCleaning up DHCP ServerCleaning up Provisioning SSIDCleaning up Provisioning SSIDUpdating HBL license statistics fileDone.
Configuration saved!Resetting system with new configuration...
High Availability with Cisco WLC 3504High Availability is for box-to-box redundancy. In other words, 1:1 where one WLC will be in an Active state and the second WLCwill be in a Hot Standby state continuously monitoring the health of the ActiveWLC via a Redundant Port. Both theWLCs will sharethe same set of configurations including the IP address of the Management interface. The WLC in the Standby state does not needto be configured independently as the entire configuration (Bulk Configuration while boot up and Incremental Configuration inruntime) will be synced from the Active WLC to the StandbyWLC via a Redundant Port. The AP's CAPWAP State (only APs whichare in a run state) is also synced, and a mirror copy of the AP database is maintained on the Standby WLC. The APs do not go intothe Discovery state when the Active WLC fails and the Standby WLC takes over the network's Active WLC.
There is no preempt functionality. When the previous Active WLC comes back, it will not take the role of the Active WLC, but willnegotiate its state with the current Active WLC and transition to a Standby state.
Like on other WLC, WLC 3504 supports both AP SSO and Client SSO. Given below is how one would connect two WLC 3504using the RP port(back to Back) in HA Setup.
One can also connect RP port through a L2 switch.Note
To connect a pair of WLC 3504 in HA Setup to the wired network, one can use the following deployment examples. Please note thatonly two links are shown from WLC3504 to the switch(s) but one can connect all four of the GE links + mGig link for LAG.
17
WLC supports the same HA configuration as other WLC. To configure High Availability, refer to the HA deployment guide at thelink below: http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-1/HA_SSO_DG/High_Availability_DG.html
Configuring mGig Port on WLC 3504WLC 3504 has a 1x mGig and 4x GE ports. Please note the following about the ports:
• mGIg port is displayed as Port 5 on the WLC UI.
• mGig port and 4x GE ports can be used for switch connectivity.
• Only 4x GE ports can be used for direct AP connectivity
• mGig port can be configured for 1G, 2.5G, and 5G.
• If mGig is enabled for 5G, 4x GE ports will be set to 100 Mbps.
• If mGig is enabled for 2.5G, GE1 and GE2 will stay at 1G and GE3 and GE4 will be set to 100 Mbps.
• If mGig is configured for 1G, GE1, GE2, GE3 and GE4 will be set to 1Gbps.
To change the speed on the mGig port, follow the procedure below:
Procedure
Step 1 Navigate the WLC WebUI and browse to Controller > Ports. Click on Port 5.
18
Step 2 Set the Max Speed to either 1000, 2550 or 5000. Please note that If the speed is set to 2500 or 5000 on mGIg port, it willnegotiate with the corresponding switch port for the max speed it can support.
Configuring LAG between WLC and SwitchLink aggregation (LAG) is a partial implementation of the 802.3ad port aggregation standard. It bundles all of the controller'sdistribution system ports into a single 802.3ad port channel, thereby reducing the number of IP addresses needed to configure theports on your controller. When LAG is enabled, the system dynamically manages port redundancy and load balances access pointstransparently to the user.
LAG simplifies controller configuration because you no longer need to configure primary and secondary ports for each interface. Ifany of the controller ports fail, traffic is automatically migrated to one of the other ports. As long as at least one controller port isfunctioning, the system continues to operate, access points remain connected to the network, and wireless clients continue to sendand receive data.
Cisco WLC does not send CDP advertisements on a LAG interface.Note
19
Restrictions for Link Aggregation• You can bundle all 5 ports on a Cisco WLC 3504 into a single link.
• When you include mGig port on the WLC 3504 in LAG, it must be configured to 1Ggig.
• LAG requires the EtherChannel to be configured for 'mode on' on both the controller and the Catalyst switch.
• Terminating on two different modules within a single Catalyst 6500 series switch provides redundancy and ensures thatconnectivity between the switch and the controller is maintained when one module fails. The controller’s port 1 is connected toGigabit interface 3/1, and the controller’s port 2 is connected to Gigabit interface 2/1 on the Catalyst 6500 series switch. Bothswitch ports are assigned to the same channel group.
• Once the EtherChannel is configured as on at both ends of the link, the Catalyst switch should not be configured for either LinkAggregation Control Protocol (LACP) or Cisco proprietary Port Aggregation Protocol (PAgP) but be set unconditionally toLAG. Because no channel negotiation is done between the controller and the switch, the controller does not answer to negotiationframes and the LAG is not formed if a dynamic form of LAG is set on the switch. Additionally, LACP and PAgP are notsupported on the controller.
• If the recommended load-balancing method cannot be configured on the Catalyst switch, then configure the LAG connectionas a single member link or disable LAG on the controller.
• You cannot configure the controller’s ports into separate LAG groups. Only one LAG group is supported per controller. Therefore,you can connect a controller in LAG mode to only one neighbor device.
• When you enable LAG or make any changes to the LAG configuration, you must immediately reboot the controller.
20
• When you enable LAG, you can configure only one AP-manager interface because only one logical port is needed. LAG removesthe requirement for supporting multiple AP-manager interfaces.
• When you enable LAG, all dynamic AP-manager interfaces and untagged interfaces are deleted, and all WLANs are disabledand mapped to the management interface. Also, the management, static AP-manager, and VLAN-tagged dynamic interfacesare moved to the LAG port.
• Multiple untagged interfaces to the same port are not allowed.
• When you enable LAG, you cannot create interfaces with a primary port other than 29.
• When you enable LAG, access points remain connected to the controller until you reboot the controller, which is needed toactivate the LAG mode change, and data service for users continues uninterrupted.
• When you enable LAG, the controller sends packets out on the same port on which it received them. If a CAPWAP packet froman access point enters the controller on physical port 1, the controller removes the CAPWAP wrapper, processes the packet,and forwards it to the network on physical port 1. This may not be the case if you disable LAG.
• When you disable LAG, the management, static AP-manager, and dynamic interfaces are moved to port 1.
• When you disable LAG, you must assign an AP-manager interface to each port on the controller. Otherwise, access points areunable to join.
Configuring LAG on WLCTo configure LAG, follows the procedure below:
Procedure
Step 1 Choose Controller > General to open the General page.
Step 2 Set the LAG Mode on Next Reboot parameter to Enabled.
Step 3 Save the configuration.Step 4 Reboot Cisco WLC.Step 5 Assign the WLAN to the appropriate VLAN.
Configuring Neighbor Devices to Support Link AggregationThe controller's neighbor devices must also be properly configured to support LAG.
Each neighbor port to which the controller is connected should be configured as follows:interface GigabitEthernet <interface id>switchportchannel-group <id> mode onno shutdownThe port channel on the neighbor switch should be configured as follows:interface port-channel <id>switchportswitchport trunk encapsulation dot1qswitchport trunk native vlan <native vlan id>switchport trunk allowed vlan <allowed vlans>
21
switchport mode trunkno shutdown
Upgrading WLC 3504 using USBUpgrading via USB is a new Transfer Mode which is available on Cisco WLC 3504. To upgrade via USB, follow the procedurebelow:
Procedure
Step 1 Download the WLC3504 Software Image on the USB and insert the USB interface on the front panel of WLC 3504.
Step 2 Login to the WLC CLI and execute the following command:(Cisco Controller) >config usb enable
Step 3 Login to the WLC WebUi and navigate to the COMMANDS menu as shown below.
• Select File Type as Code
• For Transfer Mode, select USB form the drop-down list
• Enter the USB Path to the file
• Enter the File Name on the USB
22
Step 4 Click on the Download button to initiate the software download and click on OK when you see the confirmation window.Step 5 After the Software Download is complete, please reboot the WLC to run the new software.
Shown below is the debug messages in the WLC CLI while performing Software Download from USB.
(Cisco Controller) >debug transfer all enable
*TransferTask: Jun 05 14:12:54.325: Memory overcommit policy changed from 0 to 1
*TransferTask: Jun 05 14:12:54.325: Delete ramdisk for ap bundle
*TransferTask: Jun 05 14:12:54.336: RESULT_STRING: USB Code transfer starting.
*TransferTask: Jun 05 14:12:54.336: RESULT_CODE:1
*TransferTask: Jun 05 14:12:58.902: RESULT_STRING: USB receive complete... extracting components.
*TransferTask: Jun 05 14:12:58.902: RESULT_CODE:6
*TransferTask: Jun 05 14:13:14.501: RESULT_STRING: Checking Version Built.
*TransferTask: Jun 05 14:13:16.501: RESULT_STRING: Image version check passed.
*TransferTask: Jun 05 14:13:19.501: RESULT_STRING: Executing Product Check TLV.
*TransferTask: Jun 05 14:13:19.502: RESULT_STRING: Executing Version Built TLV.
*TransferTask: Jun 05 14:13:19.502: RESULT_STRING: Executing init script.
*TransferTask: Jun 05 14:13:19.515: RESULT_STRING: Executing backup script.
*TransferTask: Jun 05 14:13:20.583: RESULT_STRING: Writing new RTOS to flash disk.
*TransferTask: Jun 05 14:13:28.094: RESULT_STRING: Executing install_rtos script.
*TransferTask: Jun 05 14:13:31.278: RESULT_STRING: Writing new Kernel-args to flash disk.
*TransferTask: Jun 05 14:13:31.284: RESULT_STRING: Writing new FP to flash disk.
*TransferTask: Jun 05 14:13:31.989: RESULT_STRING: Writing new AP Image Bundle to flash disk.
*TransferTask: Jun 05 14:13:51.759: RESULT_STRING: Writing AVC Files to flash disk.
*TransferTask: Jun 05 14:14:00.311: RESULT_STRING: Reading AP IMAGE version info.
*TransferTask: Jun 05 14:14:00.316: RESULT_CODE:11
*TransferTask: Jun 05 14:14:00.316: RESULT_STRING: File transfer is successful.Reboot the controller for update to complete.Optionally, pre-download the image to APs before rebooting to reduce network downtime.
*TransferTask: Jun 05 14:14:06.322: Create ramdisk for ap bundle
*TransferTask: Jun 05 14:14:06.335: Memory overcommit policy restored from 1 to 0
23
24
© 2017 Cisco Systems, Inc. All rights reserved.
Europe HeadquartersAsia Pacific HeadquartersAmericas HeadquartersCisco Systems International BVAmsterdam, The Netherlands
Cisco Systems (USA) Pte. Ltd.Singapore
Cisco Systems, Inc.San Jose, CA 95134-1706USA
Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on theCisco Website at www.cisco.com/go/offices.
