Cisco 9800 CL and AP in FlexConnect

 

Last week I got one of my colleagues to install Vmware Workstation and Cisco Catalyst 9800 CL at one of my clients and after 24 hours of configuring and troubleshooting, I finally made it works with APs in FlexConnect mode.

Ciscos documentation on Catalyst 9800 CL and APs in FlexConnect mode is not perfect and I had a lot of challenges during configuration. I have therefore made this recipe for myself and anyone else

First of all. I did not manage to send vlan tagged traffic over the ethernet NIC on my laptop, so I have done a simple configuration on the laptop to make it work.
This network diagram shows all the necessary information about my lab network
Gjermunds simple lab network

With a Cisco Catalyst 9800 CL as the wireless controller all the APs should be in FlexConnect mode and do local switching at the access point. In my lab network I use vlan 1702 as the native vlan for wireless management traffic and vlan 2000 as the user traffic vlan. This vlan is locally switch at the AP and sent towards the switch in vlan 2000
The switch must be configured as a trunk interface. The network diagram shows the configuration on the switch
Remark: Ciscos documentation does not include the native vlan in the allowed vlan list. Since I followed Cisco recommendation it gave my 7 hours extra troubleshooting.

When the network is up and running like the network diagram and it is possible from the controller to ping the management vlan default gateway it time to connect an AP to the switch. The AP should join the controller in Local Mode after some reboots.

When we want to convert APs from Local Mode to FlexConnect Mode at the Catalyst 9800 CL we must use a set of policies
This recipe is for Cisco Catalyst 9800 CL version 16.10.01

My worklist:

  1. Configure the WLAN
  2. Configure the VLANs
  3. Configure a Site Tag (in CLI)
  4. Configure a AP profile (AP Join Profile)
  5. Configure a Flex Profile
  6. Configure a Policy Profile
  7. Configure a Policy Tag
  8. Tie the AP Profile and the Policy Tag to the APs
    When this is done the AP reboots and joins again in FlexConnect mode
  9. Associate a client to the WLAN and test traffic

 

Further on we take it step-by-step

1. Configure WLAN
Configuration, under Tags & Profiles, choose WLANs
Add a new WLAN. It is pretty simple in two tabs, General and Security
wlan general

wlan security.png

2.Configure VLAN 
Configuration, under Layer 2, choose VLAN
Under the tab VLAN, add the vlans in your network (in my network vlan 1702 for management traffic and vlan 2000 for user traffic)
vlan.png

 

3. Configure a Site Tag (in CLI)

configure terminal
wireless tag site SITE.TAG
desc DEFAULT.SITE.TAG
no local-site
flex-profile FLEX.PROFILE
ap-profile AP.PROFILE

Remarks: Cisco documentation configure “no local-site” as the last item. I had to do it first. This is the command that puts the AP in FlexConnect mode.
The names in capital letters are used later

4.Configure a AP Profile
Configuration, under Tags & Profiles, choose AP Join
Add a new AP Join Profile,  write the same name as under Site Tags
Set in the profile name in Name and Description (thats all)
Remarks: I did not find anything about this in the Cisco documentation, but the Syslog said that AP Join profile was absent
AP Join Profile

5. Configure a Flex Profile 
Configuration, under Tags & Profiles, choose Flex Profile
Add a new Flex profile, use the same Flex Profile name as under Site Tags
Under General: Set in the profile name in Name and Description and the native vlan (management vlan). In my lab: vlan 1702
Flex Profile, General
Under the VLAN tab: add the traffic vlan. In my lab vlan 2000
Flex Profile, Traffic

6. Configure a Policy Profile 
Configuration, under Tags & Profiles, choose Policy Profile
Add a new Policy profile, the chosen name will be used in the next step
Under the tab General: Set in the profile name in Name and Description, set the Status to Enabled and uncheck Central Switching under WLAN Switching Policy. The last one is for locally switching of user traffic at the AP
Policy Profile
Under the tab Access Policies, change VLAN/VLAN Group to the traffic VLAN (in my lab vlan 2000)
vlan i policy profile

7. Configure a Policy Tag. Could be done i both CLI and GUI

CLI
wireless tag policy POLICY.TAG
wlan WiFi6 policy POLICY.PROFILE

GUI
Configuration, under Tags & Profiles/ Tags
Add a Policy tag and map the WLAN Profile and the Policy Profile
policy tag

 

8. Configure AP
Now it’s time to tie those profiles to the AP. The AP is in Local mode when it first joins the controller. When we tie the Profiles to the AP it will reboot and join again in FlexConnect mode.
Configuration, under Wireless, choose Access Points
This first picture shows one AP already in FlexConnect and another in Local Mode (disabled)
2AP
Choose the Local Mode AP. Set it to enabled status and choose the configured Policy Tag and Site Tag. It will now, after updating, reboot and rejoin in FlexConnect mode
I had to enable the AP it after rejoining in FlexConnect mode
Configure AP

The status after rejoining. The AP that was in FlexConnect is disabled in this example
two AP in Flex

9. Connect a client
Now is the moment of truth.
Enable WiFi on your client and connect (associate) it to the WLAN. Check your connected ip address and test traffic to the internet or other services

Closing remarks
When you configure you have to use the “Update and Apply to Device”. This button is in the lower right corner in each window. Always wait for some time before the changes is applied to the devices
The Syslog under Troubleshooting is a very good help during this process
And of course, constructive feedbacks are welcome

 

Other references
It is other blogs that do research into the same area. Two of them are

 

 

 

OFDM, HT and VHT PHY cheat sheet

I mentioned in my latest blogarticle that I have read the book “Next Generation Wireless LANs” second edition from Eldad Perahia and Robert Stacy. This is fantastic book that goes way beyonds study material for the CWAP-certification .

To memorize this bit-by-bit stuff I have made myself a ODFM, HT and VHT PHY cheat sheet

Remark: This is a 50% product and in A3 format.

Constructive feedback are welcome

Downloadable file (pdf): OFDM, HT and VHT PHY Reference cheat sheets

ODFM, HT and VHT PHY reference cheat sheets

 

DL MU OFDMA bit-by-bit

There are a lot of blogs, podcast and videos at the internet explaining 802.11ax at a high level. And some have done testing with 802.11ax compatible devices. But I have not found anyone that explains 802.11ax at a deep level. So why not me

The last year, since I bought the Perahia and Staceys book “Next Generation Wireless LANs”, I have been interested in the PHY-level of 802.11. And to go deep at 802.11ax I had to buy the 802.11ax, Draft 4.0.
There are so many new topics in the 802.11ax technologies so I had to make usecases for some of the topics and I have choosen the MU OFDMA process. This first blogarticle, in a series of articles, are about the frame where the AP sends data down to stations that needs data, the DL MU OFDMA frame. This frame is sent in i HE MU PPDU format, one of the four different frame formats in the 802.11ax standard.

Later on I will cover other aspect of the MU OFMDA process, like the MU-RTS/CTS process, the uplink OFDMA (UL MU OFDMA) process and the Acknowledgement process

Nothing of this is testet in real world, it’s picked out of the 802.11ax draft

DL MU OFDMA
DL MU OFDMA is the process where the AP sends data down to several stations that need/want data in a parallell process. In this slides I have used a example where four stations receives data in parallell. The AP have, before it starts to send data, decided how it should allocate its RUs.

A overview of this frame (PPDU) is like this

DL OFDMA transmission overview

The presentation (slides) could be downloaded at this link (pdf)

DL OFDMA, bit-by-bit

If someone have constructive feedback I would be grateful

Useful links

  • Cleartosend 802.11ax podcast-series,  link
  • David Colemans presentation at WLPC_US 2019, link
  • Wifininjas, link
  • IEEE 802.11ax draft 4.0 ($400), link

 

Pcap-quiz #1, 802.1X/EAP Authentication and Roaming

I have over a periode of time had a wish to make some pcap-quiz into the wireless community. And its time to jump into it

I am using this method

  • Make a topology file that shows the network and all necessary data like mac-addresses and so on
  • Take a wireless capture while i’am doing something with the clients
  • Filter the pcap to reasonable sizes containing frames/packets that matters
  • Make a questionare
  • copy the same file and fill in some answers
  • Zip it in a downloadable file

 

Background
Back in January 2019 I startet do play with WlanPi and packet capturing. Nigel Bowden had a article where he showed how to do packet capturing with the WlanPi and a compatibel WiFi-adapter on a Windows client. I ask him to update his script so that the WlanPi could capture 80MHz channels. And he did. Nigels link

Under my testing I discovered that the WlanPi could capture on four separate 20MHz-channels in a 80MHz-channel.  See my blog article

Peter Mackenzie did a deeper analysis on my pcaps and wrote a article where he explained what happens much better than I can do in english. Peters link

The point is that with my Realtek 8812AU adapter on the WlanPi it can capture 4 different 20MHz-channels in one capture, instead of using four adapters. Yes, it has some limitations. But in a lab environment its good enough.

In the zip-file I attached to this article is a pcap capture where the WlanPi captures on a 80MHz channel and it is 4 different APs each configured with the same SSID on 20MHz. Channel 36, 40, 44 and 48. The WlanPi is set to primary channel 36. That is the reason why the 802.11 radio information in Wireshark reports channel 36 for all 4 APs.

The original capture has almost 100.000 frames beause all clients also did pinging to the default gateway, just to create some traffic. I have filtered out the frames that matters to this questionare. It is the mangement- and EAPOL frames, so the capture contains only 8695 frames

Here is the case

  • 4 AP, each at 20MHz using channel 36, 40, 44 and 48
  • The pcap file contain captures from all four channels
  • The network uses 802.1X/EAP authentication, so all clients/suplicants communicate with a authentication server (Radius-server) during 802.1X/EAP authentication
  • Three clients, a MacBookPro, a iPAD and a Samsung A5. The iPAD and the Samsung  does a roam during the capture
  • Fast roaming is enabled
  • The questionare have 5 questions about 802.1X/EAP authentication and 5 questions about roaming
  • The topology file contains all mac addresses that matters
  • Eddie Forero had a awesome presentation during WLPC_US using Wireshark and how to customize it
  • Brian Long had a presentation at WLPC_US regarding 802.1X/EAP authentication

 

The zip-file:    Pcap Quiz #1

 

Please try it and make some comments. Next time it will be more against 802.11 radio informations

Note
We all know that a pcap contains frames, but I changes between writing frames or packets all the time

Usable links
Gjermunds article about fast secure roaming, part 1  part 2
Eddie Forero, WiFiShark Fu, youtube video, Link
Brian Long, The Anatomy of the 802 1X Association, youtube video  Link

 

Using WLANPi to capture on four 20MHz-channels

I have always thought that capturing wireless frames on several channels must have been done with several NIC-adapters in monitor mode. I have seen several pictures and videos showing 4, or even 8, adapters in a usb-hub, each capturing on a single 20MHz-channel.

But last week I used my WLANPi and the script from Nigel Bowden to capture on a 80MHz-channel. And what do I see when capturing at UNII-1 with 4 APs, each at 20MHz and using channels 36, 40, 44 and 48

Beacon from all 4 APs

In Wireshark each beacons radiotapheader reports channel 36, so thats little misleading. This is the channel you use when starting the script. But the HT Information Element in the beacons carry primary channel information, so using that as a colum it’s easy to see that I am capturing at every 20MHz-channel in the 80MHz-space.

This figure shows those four beacon with the same SSID where the radiotap header report channel 36, while til primary channel in HT IE report its correct channel

beacon

To check if I could capture roaming between those four APs I did a simple test.
– 4 AP in my office, 20MHz, channel 36, 40, 44 and 48
– associate my test client to the SSID
– waited til the test client was associated. On Android, Network Analyzer from technet is very useful to see the association status and associated channel
– disabled the AP the test client was associated to
– waited til the client had roamed to another AP
– and so on

This figure shows the (re)association request and (re)association response. As we can see, the test client roamed between all four AP. The (re)association response also carry the HT Information Element and its primary channel
roaming

Remarks
This is a simple test in a very low congested environment and the likelihood for a simultaneously transmisson in each BSSID is low.
If the RF environment are higher congested the likelihood for collision at the capturing device is higher, even it’s not a collision inside the BSSID. So we must assume that the capture could miss some frames.

If you want to test this by yourself, here is the link from Nigel Bowden for the WLANPiShark

 

I hope this is useful

 

 

Make TPC work, is it possible? Part 2, from the WLC perspective

My recent blogpost was a theoretical approach using Ekahau ESS to find out if its possible to use Cisco WLCs TPC algorithm to set Tx-power on my access point according my predictive design in ESS

My design was based on Cisco 2802i access points, primary/secondary coverage -67dBm/-75dBm, Tx-power at 25mW/14dBm and 5GHz only

My conclusion from the theoretical approach was that the WLC would have problems with a consistent Tx-power setting. But I would give it a try

The access points was installed at theirs correct place and everything was default on the controller.

Ciscos RRM white paper uses the WLC CLI command “show advanced 802.11a summary” to show both Rx_neighbors and Tx_neighbors. On my WLC that command had a shorter output

So I used these two CLI-commands on the WLC

  • show advanced 802.1a txpower
    • That command gave me allowed power levels and it showed that 17dBm was Tx_max
  • show ap auto-rf 802.11a <ap name>
    • That command gave me nearby APs. How other AP hear us = Rx_neighbor.
    • Since each AP was represented with it base BSSID with hex-value “f” at last digits it became some work with excel to find corresponding 3´strongest Tx_neighbor

I will not show that excel-spreadsheet, but I will summarise it

Next table show the RSSI_3´strongest and Tx_ideal from my predictive approach and measured values on the WLC
Remarks: I used Tx_max =20dBm in my last blog. The value of Tx_max is adjusted to 17dBm

RSSI_3´strongest and Tx_ideal from predictive and WLC-output datapoints
Tx_max = 17dBm RSSI_threshold= -70dBm
Predictive WLC output
3´strongest AP Tx_ideal (dBm) 3´strongest AP Tx_ideal (dBm)
(calculated)
AP1 -91 38 -88 35
AP2 -80 27 -86 33
AP3 -82 29 -82 29
AP4 -78 25 -84 31
AP5 -72 19 -81 28
AP6 -74 21 -85 32
AP7 -74 21 -72 19
AP8 -73 20 -84 31

As we can see AP1, AP2, AP3, AP4 and AP7 is fairly close between predictive and what he AP has measured (less than 6dB difference), but for AP5, AP6 and AAP8 the difference is huge (9-11dB).
Since all APs had calculated Tx_ideal above Tx_max every AP used power level 1 (17dB)

Next was adjusting the RSSI_threshold in the WLC TPC algorithm from its default value at -70dBm to -80dBm.
Next table compare the predictive approach and the calculated values on Tx_ideal and corresponding Cisco power levels based on measured values

TX_ideal and power levels from predictive and WLC-measured datapoints
Tx_max = 17dBm RSSI_threshold= -80dBm
Predictive Measured
Tx_ideal(dBm) Power level Tx_ideal (dBm) Power level
AP1 28 1 25 1
AP2 17 1 23 1
AP3 19 1 19 1
AP4 15 1 21 1
AP5 9 ´3-4 18 1
AP6 11 3 22 1
AP7 11 3 9 3-4
AP8 10 3 21 1

As we can se from the table on measured values the only AP that should change its Tx_power is AP7, even if we adjust the RSSI_threshold to its absolute minimum. AP7 has its calculated Tx_ideal based on measured values at 9dBm and the WLC set it on power level 3 (11dBm)

This leads to that 7 of my APs transmit at max power level (17 dB) and only one of the APs in the middle of the floor reduces its power level. This it not a good wifi-network.

During my research for this blogarticle a find five youtube-videos from Jerome Henry where he goes a RMM deep dive, check references

Two key element he says is

  • The TPC algorithm kick in when you have 3 AP-neighbors at -70dBm or higher (or your configured RSSI_threshold or higher)
  • The TPC algorithm is only used to automatically lower your Tx_power. The Coverage Hole Detection  is used to increase your Tx_level

My design with -67dBm/-75dBm and Tx= 25mw is no way near the TPC-goal to have three AP-neighbor at RSSI_threshold or higher, especially those in the outer edge of the floor

Conclusion
To have APs with consistent Tx-power its two choice

  1. Go for static Tx-power on the APs
  2. Limit the TX_min/Tx_max in your RF-profile to the values you want

 

References

Cisco RRM white paper, 2018
Jerome Henry youtube-videoseries, 5 videos 
mrn-cciew rrm-blogposts

Part 3 in this blog series will be on DCA

I´ll be back