Tuesday, October 6, 2015

Cisco 3850: Wireless Controller/Distributed Config

I've recently had the chance to set up a few WLCs (Wireless LAN Controllers) for clients. SiteA is a stack of five 3850 switches. SiteB has an MDF of one 3850 and an IDF of one 3850, so I had to set up one MC (Mobility Controller) and one MA (Mobility Agent). They have an interesting wireless design as well - a single WLAN/SSID with VLAN assignment by a Windows RADIUS server. Let's start with SiteA:

SiteA

5x 3850 with IPBase licensing (IP-base or IP Services licensing is required to be an MC)
8x 2702i WAPs

First of all, this stack will operate as both an MC and an MA. WAPs can be terminated directly on members of this stack, but we have to keep in mind that a stack is only able to support 50 WAPs. We have nowhere near that at this site, but we have to divvy out licenses manually, and we don't want to put them all on one member: if that member needs to be rebooted, we don't want to entirely lose wireless capabilities. So I assigned 25 AP termination licenses each to member1 and member2 of the stack. The client has to be aware that all APs must be terminated on those two switches, since that is where the LWAPP tunnels are built and the APs are supported.

Turn this stack into a WLC:
wireless mobility controller
wireless management interface Vlan99
! Note: the switch must be reloaded after the MC role is assigned
wr
reload

Assign licensing
license right-to-use activate apcount 25 slot 1 acceptEULA
license right-to-use activate apcount 25 slot 2 acceptEULA

Because Cisco IOS doesn't support the concept of DHCP reservations, I built 8 individual DHCP pools, one for each WAP. However, DHCP is a little odd on Cisco IOS: the client-identifier is the hardware type (01 for Ethernet) prepended to the MAC. If the MAC of the WAP is aaaa.bbbb.cccc, you add 01 in front of the MAC, like this:
ip dhcp pool WAP1
 host 10.10.10.11 255.255.255.0
 client-identifier 01aa.aabb.bbcc.cc
 ! default-router is the management SVI (Vlan10 below), not the AP's own address
 default-router 10.10.10.1
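The 01-prefixed identifier is easy to get wrong by hand across eight pools, so here is an added example (my own code, not from the original post) that derives the client-identifier from a MAC in any common notation and renders one single-host pool per AP. It assumes a constructed 10.10.10.0/24 management VLAN with the SVI at 10.10.10.1, and refuses a pool whose default-router is the AP's own address or whose MAC duplicates another pool.

```python
import ipaddress
import re

def ios_client_identifier(mac: str) -> str:
    """IOS names a DHCP client by its hardware type (01 = Ethernet) followed by
    the MAC, written as dotted groups of four hex digits: aaaa.bbbb.cccc
    becomes 01aa.aabb.bbcc.cc. Accepts colon, dash or dotted MAC notation."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    raw = "01" + digits
    return ".".join(raw[i:i + 4] for i in range(0, len(raw), 4))

def wap_pool(name: str, mac: str, address: str, network: str, gateway: str) -> str:
    """Render one single-host 'ip dhcp pool' stanza for an access point."""
    net = ipaddress.ip_network(network, strict=False)
    host, gw = ipaddress.ip_address(address), ipaddress.ip_address(gateway)
    if host not in net or gw not in net:
        raise ValueError(f"{address} / {gateway} not inside {net}")
    if host == gw:
        raise ValueError("default-router must be the SVI, not the AP's own address")
    return "\n".join([
        f"ip dhcp pool {name}",
        f" host {host} {net.netmask}",
        f" client-identifier {ios_client_identifier(mac)}",
        f" default-router {gw}",
    ])

def wap_pools(aps, network="10.10.10.0/24", gateway="10.10.10.1", first_host=11):
    """aps: sequence of (name, mac). Assigns consecutive hosts from first_host
    and refuses duplicate MACs so two pools never claim the same identifier."""
    net = ipaddress.ip_network(network)
    seen = set()
    stanzas = []
    for offset, (name, mac) in enumerate(aps):
        ident = ios_client_identifier(mac)
        if ident in seen:
            raise ValueError(f"duplicate MAC for {name}: {mac}")
        seen.add(ident)
        addr = net.network_address + first_host + offset
        stanzas.append(wap_pool(name, mac, str(addr), network, gateway))
    return "\n!\n".join(stanzas)

# Constructed sample: two APs on the constructed 10.10.10.0/24 management VLAN.
SAMPLE_APS = [("WAP1", "aaaa.bbbb.cccc"), ("WAP2", "aa:aa:bb:bb:cc:cd")]

if __name__ == "__main__":
    print(wap_pools(SAMPLE_APS))
```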

Create a management interface for yourself and the WAPs to dial into:
interface Vlan10
 description mgmt
 ip address 10.10.10.1 255.255.255.0

Build AAA so we can use it to assign VLANs later:
radius server radiusServer1
 address ipv4 1.1.1.1
 key xxxx
radius server radiusServer2
 address ipv4 1.1.1.2
 key xxxx
!

aaa new-model
aaa group server radius wlanRadius
 server name radiusServer1
 server name radiusServer2
aaa authentication dot1x vlan_assigned group wlanRadius

Enable dot1x to assign VLANs and build my first WLAN:
dot1x system-auth-control
! Note: when a WLAN is first created the command also takes a WLAN id and SSID: wlan <profile-name> <wlan-id> <ssid>
wlan Vlan_Assigned
 aaa-override
 security dot1x authentication-list vlan_assigned
 broadcast
 no shutdown
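What makes aaa-override work is the reply from the RADIUS server: RFC 3580 assigns a VLAN with Tunnel-Type=VLAN (13), Tunnel-Medium-Type=IEEE-802 (6) and Tunnel-Private-Group-ID=<vlan id>. As an added example (my own code, not from the post, Cisco or the RADIUS server), this Python encodes that trio in RADIUS attribute format and parses a reply's attribute list to report which VLAN it actually assigns, so a captured Access-Accept can be checked against what the WLC was expected to apply.

```python
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13      # RFC 3580: Tunnel-Type = VLAN
TUNNEL_MEDIUM_802 = 6      # RFC 3580: Tunnel-Medium-Type = IEEE-802

def avp(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type (1 byte) | Length (1 byte, incl. header) | Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def vlan_assignment_avps(vlan_id: int, tag: int = 1) -> bytes:
    """Build the three attributes a server returns to assign a VLAN. Tagged
    attributes (RFC 2868) carry a one-byte tag; the integer values are 3 bytes."""
    if not 1 <= vlan_id <= 4094 or not 0 <= tag <= 0x1F:
        raise ValueError("VLAN id or tag out of range")
    t = bytes([tag])
    return (avp(TUNNEL_TYPE, t + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + avp(TUNNEL_MEDIUM_TYPE, t + TUNNEL_MEDIUM_802.to_bytes(3, "big"))
            + avp(TUNNEL_PRIVATE_GROUP_ID, t + str(vlan_id).encode()))

def parse_avps(blob: bytes):
    """Yield (type, value) pairs, rejecting truncated or undersized attributes."""
    i = 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        yield attr_type, blob[i + 2:i + length]
        i += length

def assigned_vlan(blob: bytes):
    """Return the VLAN id the attribute list assigns, or None when the trio is
    missing or inconsistent (e.g. Tunnel-Type is not VLAN)."""
    attrs = {t: v for t, v in parse_avps(blob)}
    ttype = attrs.get(TUNNEL_TYPE, b"")
    tmed = attrs.get(TUNNEL_MEDIUM_TYPE, b"")
    group = attrs.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    if len(ttype) != 4 or len(tmed) != 4 or not group:
        return None
    if (int.from_bytes(ttype[1:], "big") != TUNNEL_TYPE_VLAN
            or int.from_bytes(tmed[1:], "big") != TUNNEL_MEDIUM_802):
        return None
    # RFC 2868: a first byte of 0x00..0x1F is a tag; anything larger is data.
    text = group[1:] if group[0] <= 0x1F else group
    return int(text) if text.isdigit() and 1 <= int(text) <= 4094 else None
```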

Assign ports on switch1 and switch2 as access ports in the management VLAN:
interface range GigabitEthernet1/0/44 - 48 , GigabitEthernet2/0/44 - 48
 switchport access vlan 10
 switchport mode access

And that's pretty much it. As the WAPs come online, they will pull DHCP from this master switch stack, build an LWAPP tunnel to the core stack, and register with our 3850 WLC/MC.

SiteB

SiteB is similar in that we have the exact same WLAN, but the distribution is a little different. Remember from above, there is an MDF switch (one AP) and an IDF switch (5 APs). Now, we could set up each switch as a WLC for its own WAPs, but we'd have to manage them individually, and users would not be able to roam between them. That sounds like a pain. However, there's a better solution: one device can still be a combined MC/MA, and the IDF switch can be an MA only. That means the IDF switch will "check out" licenses from the MDF switch, terminate the LWAPP tunnels on itself, and forward all traffic through yet another tunnel to the MDF switch/MC.

On the MDF switch the configuration for the WLAN, port config, etc. is all the same. There is, however, some extra wireless configuration to build a cluster with the IDF switch.
wireless mobility controller
wireless management interface Vlan10
wireless mobility controller peer-group SiteB
wireless mobility controller peer-group SiteB member ip 20.1.1.2 mode centralized
wireless mobility controller peer-group SiteB member ip 20.1.1.2
wireless mobility group name SiteB
! Note: After assigning the MC role, the device must be restarted

Let's switch to the IDF switch while the MDF/MC device restarts. Now, this device doesn't have very much config at all. It doesn't control DHCP or WLANs, doesn't require any licensing config, and doesn't do RADIUS auth for wireless. All it really needs is to trunk to the MDF switch, assign WAPs to the same access VLAN we have on the MDF switch, and have a little bit of config to check out licenses from the MC:
wireless mobility controller ip 20.1.1.1
wireless management interface Vlan10

References

I'd be remiss not to call out the fantastic guides that helped me piece together this configuration and design: http://mrncciew.com/ Several of his specific articles are linked below, and they were invaluable.

http://mrncciew.com/2013/12/14/3850ma-with-5760mc/
http://mrncciew.com/2013/12/06/wlan-config-with-3850-part-2/
http://mrncciew.com/2013/05/21/aaa-override-in-acs5-2/
http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-vlan/117551-troubleshoot-ap-00.html#anc10
https://supportforums.cisco.com/discussion/12022011/2602i-does-not-join-3850-wlc
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3e/wlan/configuration_guide/b_wlan_3e_3850_cg/b_wlan_3e_3850_cg_chapter_011.html#task_DD07B8860F284D85A1CA8E7BFEE3C07D
http://www.cisco.com/c/en/us/support/docs/wireless/5700-series-wireless-lan-controllers/116600-config-eap-radius-00.html#anc7