About WLC configuration in general and Cisco 2500 Wireless Controller in particular

Cisco 2504 Wireless Controller

Wireless Controller (WLC) series 2500 currently contains only one model, the Cisco 2504 Wireless Controller. This is not a new product, it was introduced to the market in 2011, but the End-of-Sale (or Support) date has not yet been announced. Officially, this series is intended for small and medium-sized companies or branch offices of enterprise organizations. However, the parameters correspond more to the WLC 4400 series, which was previously intended for large organizations, rather than the smaller WLC 2000 and 2100 series that it replaces. Today, we have a range of higher models, 5500, 5700 and 8500, which support up to 6000 APs. With software version 7.4, there was an improvement in functionality and an increase in performance (for example, support for 75 APs instead of 50).

WLC 2504 supports the new IEEE 802.11ac standard and provides sufficient performance for up to 75 APs and 1000 clients. It is part of the Cisco Unified Wireless Network (CUWN) architecture. It is used to manage Cisco Lightweight Aironet Access Points and can be centrally controlled using Cisco Prime Infrastructure (PI), the new management tool (successor to Wireless Control System - WCS and Network Control System - NCS). It supports new technologies such as Cisco Application Visibility and Control (AVC), Bonjour Services Directory, Wireless Policy engine. Other features include RF management using Cisco CleanAir technology, Wireless Intrusion Prevention System (wIPS), CAPWAP data tunnel encryption (DTLS), Guest Anchor and Wired Guest Access, support for data, voice and video, Link Aggregation Group (LAG).

Official controller documentation:

• Cisco 2504 Wireless Controller
• Cisco 2500 Series Wireless Controllers
• Cisco 2500 Series Wireless Controller Data Sheet

Additional installation-related documents:

• Cisco 2500 Series Wireless Controller Deployment Guide
• Cisco 2500 Series Wireless Controller Getting Started Guide
• Cisco Wireless LAN Controller Configuration Guide, Release 8.0

Cisco Validated Designs contain a comprehensive implementation description:

• Design Zone for Campus
• Design Zone for Smart Business Architecture

A brief introduction to Wireless LAN Controller (WLC) theory

A brief summary of a few basic terms and technologies:

• AP - Wireless Access Point - the access point is used to connect wireless devices to the IP network, it works on the principle of transmitting and receiving radio signals, Cisco has various AP series called Cisco Aironet. AP can work in two modes
  • Autonomous Mode - each AP works independently and is managed individually
  • Lightweight Mode - the AP in lightweight mode (LAP) is (and must be) managed/controlled by the WLC
• WLC - Wireless LAN Controller or Wireless Controller - a device that manages the configuration, security policies and operation of multiple APs. We can use multiple WLCs and in case of failure, the APs re-register to the new controller or cluster WLCs so that the user does not notice any downtime. Standard ly it is a special hardware appliance, but Cisco also has a virtual vWLC, which does not yet support all functions.
• Cisco CleanAir - a technology that tries to mitigate interference in the transmission band, using Radio Resource Management
• Radio Resource Management - monitors and sets wireless parameters such as transmit power, channel allocation, data rates, etc.
• CAPWAP - Control and Provisioning of Wireless Access Points Protocol - a standardized protocol (RFC 5415) for communication between AP and WLC, previously (up to WLC SW version 5.2) Cisco used Lightweight Access Point Protocol (LWAPP)
• IEEE 802.11 protocols - the main protocols for wireless networks primarily operate in the 2.4GHz (802.11b, 802.11g) or 5GHz (802.11a, 802.11ac) band or both (802.11n), providing various theoretical and actual data rates, the latest version so far is 802.11ac, where wave 1 is now deployed and wave 2 is soon to come
• User data switching - Lightweight AP can operate in two different modes that determine where the user data enters the network
  • Local Mode - the AP creates two CAPWAP tunnels to the WLC, one for management and one for data, all user data connected to the AP (to any WLAN) is transmitted to the WLC and then enters the network (referred to as centrally switched), this can be a problem in branches connected by a slow link where there is no local WLC
  • FlexConnect (previously H-REAP) - allows the AP to be controlled by a central WLC, but the data enters the network locally from the AP (locally switched), the AP can operate even when it loses connectivity to the WLC

Network design for WLC deployment

Ports and interfaces

WLC 2504 has 4 data ports with a speed of 1 Gbps, two of which support Power over Ethernet (PoE) according to IEEE 802.3af. And one RJ45 console port for connecting to the Command-Line Interface (CLI).

Port is a physical entity used to connect to the controller platform. Interface is a logical entity on the controller that has a number of parameters (such as IP address, VLAN, primary physical port, backup physical port, etc.). Each interface is mapped to one or two physical ports. If we also use the second port (backup), the communication is redirected to it in case of failure of the first port. Alternatively, we can use Link Aggregation (LAG) and combine multiple ports into one virtual one.

Basic interfaces on the WLC:

• Management - mandatory, static, configured during initial setup. The main interface for in-band management (access to web administration and CLI telnet/SSH) and connection to enterprise services such as AAA. By default, it also functions as the AP manager interface, so it is used for communication between the WLC and the AP.
• AP-manager - for the WLC 2500 series, a separate AP-manager is not needed, the original static interface does not exist here, we can create a dynamic interface with the Dynamic AP Management option, it must have a unique IP address and can be in the same VLAN as the Management. For WLC 2500, the shared Management interface can also be used for the AP-manager, and this way any number of APs are supported. Nevertheless, to increase performance, it is recommended to create a total of 4 dynamic interfaces (or 3 when using Management) for the AP manager and assign them to the 4 gigabit ports on the WLC. Or use LAG. Only one AP-manager interface is allowed to be assigned to a single physical port, this interface cannot be used for WLAN.
• Virtual - mandatory, static, configured during initial setup. A special virtual interface that does not communicate on the network, it is assigned an unused (and inaccessible) address such as 1.1.1.1. It is used to support mobility management, DHCP relay and L3 security (Guest Web Authentication and VPN termination).
• Dynamic - dynamically defined by the user. The administrator creates them and they are analogous to VLANs. WLC 2500 supports up to 16 dynamic interfaces, each must have a unique IP subnet and VLAN. When we create a WLAN, we assign it to a dynamic interface (or Interface Group). The WLAN assigns the Service Set Identifier (SSID) to the interface and defines security, QoS, radio policy parameters, etc. System servers (such as Radius and NTP) should not be located in the subnet assigned to the dynamic interface, but should be accessible through the Management interface.

Connecting the WLC to the network

To connect the WLC to the network, we connect one or more WLC ports to the corresponding number of switch ports (or several switches). By default, the WLC ports are in 802.1q trunk mode. In the switch configuration, it is recommended to use only the VLANs that we want to use on the WLC.

We have a number of options for performing the interconnection and configuration

• Use one port in trunk, where we configure all the necessary VLANs for the various interfaces (theoretically we don't even need to use VLANs, but this is not recommended), mainly the Management (also with AP-manager) and dynamic interfaces for the WLAN access networks.
• Divide the communication on multiple ports, for example, Management on port 1 (so all communication with the AP is here) and dynamic interfaces on port 2 (i.e. client communication into the network, here the traffic volume is essentially the same as on the AP-manager, so we distribute the load).
• Use multiple ports for the same communication, the main example is multiple AP-manager interfaces, where each is set to a different port. Alternatively, setting backup ports (not used actively, but used in case of failure of the primary path) for management and dynamic interfaces outside of AP-manager.
• Combine ports into one virtual using LAG, all interfaces are then mapped to the LAG and all communication is distributed.

Note: Cisco states that on an interface where Dynamic AP Management is enabled, a backup port should not be defined, because port redundancy is not used here. Instead, multiple AP-manager interfaces should be configured, and in the event of failure of one, the AP will automatically switch to another interface. Meanwhile, in the official scenario (number 3), where the Management interface is also used as the AP-manager, they configure a backup port.

Personally, I think the best option is to use LAG, i.e. Link Aggregation or Etherchannel, which I use in many places, it works automatically and reliably. Ideally, combine all 4 WLC ports into different switches in one stack.

Communication within the network

An example of how the overall connection and communication works. The basis is the use of different VLANs and trunk ports together with LAG. We connect the WLC using a trunk to all the VLANs where it needs to communicate (as well as all the WLANs), on the switch in trunk mode and limit it only to the used VLANs. We connect the LAP only to the VLAN where it communicates with the WLC, i.e. AP-manager, so it's an access mode and it's recommended to use PortFast. In the example, we have VLAN 200, where the Management and AP-manager are, i.e. communication with the APs, VLAN 10 is the Guest network, which leads directly to the Internet, VLAN 20 is the operational network. We create a wireless network WLAN 1, set the SSID host, map it to the dynamic interface host-int, which is assigned to VLAN 10 and has the LAG set as the physical port.

The client connects to WLAN 1 using the SSID host, the communication goes through the CAPWAP tunnel from the AP to the WLC (within the AP-manager interface). According to the assigned dynamic interface host-int, the LAG port and VLAN 10 on this port are determined, so the client's communication reaches the switch in the correct VLAN. The client behaves as if it is connected directly in this VLAN, so standard routing to other networks, etc. is applied.

The following image shows the ongoing mapping, for simplicity, LAG is not used, but the Management interface is set to Port 1 and two dynamic interfaces are mapped to Port 2.

Basic configuration

If we have a new unconfigured controller (or maybe after a factory reset), we need to perform the basic configuration. We have two options, each using a certain wizard where we need to enter the necessary information. The first option is a novelty, using the web interface. The second option is the classic one using the CLI console through a VT-100 terminal emulator.

Cisco WLAN Express Setup (part of the SW from version 7.6.120.0) - Easy-to-use Setup Wizard

• turn on the WLC
• connect a station to port 2 and wait until the SYS LED lights up green (it takes some time)
• our station will receive an address from the WLC DHCP
• connect to the web https://192.168.1.1
• go through the short wizard where we set the name, IP address, first WLAN
• at the end, the settings are saved and the WLC restarts (also certain default properties and values are set, which we manually enter in the CLI wizard)
• for connection to the network (to the switch - Management interface), port 1 was set, so we connect that to the switch
• connect to the WLC interface at the IP address we set

Console Startup Wizard

• connect from a computer using a serial cable to the console port and a PC terminal emulation program (like putty)
• turn on the WLC and we can watch the boot process
• go through the wizard where we enter a number of parameters, such as name, admin account, IP settings, RF, WLAN (a total of about 23 items)
• at the end, we confirm the entered data, the settings are saved and the WLC restarts
• connect the controller to the network using the port where we set the management IP
• connect to the WLC interface at the IP address we set

Factory reset - back to factory settings

During testing and experimentation, it can be useful to reset the WLC back to a clean state, here's the procedure.

• using the CLI, we enter the command reset system
• or press the RESET button on the front of the controller
• the WLC will restart and at the end of the boot, a dialog will appear where we enter Recover-Config as the user

Enter User Name (or 'Recover-Config' this one-time only to reset configuration to factory defaults)
User: Recover-Config

Some interesting configurations

There is certainly no space here to go through all the settings, you need to look at the official documentation of the commands and properties in the Cisco Wireless LAN Controller Configuration Guide, Release 8.0 or the good article Cisco Wireless LAN Controller Configuration Best Practices and many others. I also recommend going through the entire WLC GUI to get an overview. But we'll take a look at a few specific things, starting with the initial setup including a description, then just mentioning properties.

If we are deploying a new wireless network, it is a good idea to write down in advance the networks we will be setting up/creating, i.e. WLANs with their parameters (SSID, security, authentication), interfaces to which they belong (don't forget virtual and management) and network VLANs (with IP parameters, used DHCP).

DHCP options

We almost always need to provide the wireless network clients with an IP address and other network settings. Therefore, the options for using different DHCP servers are very important.

• Internal DHCP server - limited internal DHCP on the WLC, it is designed only for small deployments and rather for labs. To be able to use the internal DHCP, the DHCP Proxy must be enabled (internally it is used for forwarding) and the controller's management IP address is set as the DHCP server on the Interface or WLAN. In general, Cisco recommends not using the internal DHCP.
• External DHCP server - the DCHP server in our network can be used in various ways
  • DHCP Bridging mode - the DHCP must be in the same subnet as the client, the client's requests are bridged by the WLC unchanged into the VLAN assigned to the given WLAN and vice versa
  • DHCP Proxy mode - the DHCP can be in a different subnet, the controller forwards the client's requests to the configured DHCP server (either at the dynamic interface or WLAN), it shields its address and secures it in a certain way, it constructs new requests to the server. From the description, I understood that the DHCP server could be located behind the management interface and not accessible from the WLAN (and thus VLAN) where the client connects, but unfortunately this is not the case and it is always sent through the WLAN interface. So it seems almost the same as Relay (mentioned in the next point), just that we don't need a router with Relay support.
  • DHCP Relay mode - a bit off is the option to use DHCP Bridging on the WLC and set the DHCP Relay Agent (Cisco command ip helper-address) on the L3 switch/router, which forwards the broadcast requests to the DHCP server in another subnet using unicast (of course the subnets must be routed between them). It's important that in this situation, the Proxy mode on the WLC is really turned off. In practice, this works best for me.

Configuration

If we use multiple WLCs, the configuration must be the same on all of them. Enabling DHCP Proxy is in the Controller - Advanced - DHCP. Primarily in the Interface settings Controller - Interface we enter the DHCP server address (whether internal or external) and choose the DHCP Proxy Mode. The options are

• Global, where the global setting on the controller is used
• Enabled turns on DHCP Proxy for the given interface
• Disabled turns it off.

For higher security, we can enable DHCP Option 82 (DHCP Relay Agent Information Option), if our DHCP server supports it.

Link Aggregation (LAG) and Etherchannel

Link Aggregation (LAG - Link Aggregation Group) is a partial implementation of the IEEE 802.3ad standard (Port Aggregation, or the newer IEEE 802.1ax), which creates a single (virtual) port channel from multiple physical ports. This increases the total throughput (Load Balancing) and reliability (port redundancy). For the WLC Interface, we don't need to deal with the primary and secondary port (backup). Support for LAG is from WLC SW version 7.4. WLC does not support LACP or PAgP protocols, so we enable Etherchannel on the switch in mode on. I wrote about this technology in the article Cisco IOS 21 - EtherChannel, Link Agregation, PAgP, LACP, NIC Teaming.

We can connect all four WLC ports into one link, the ports must be connected to a single switch or stack (so we can enable Etherchannel on the Cisco switch). After enabling LAG, all the connected WLC ports are combined into one group, it is not possible to create multiple ones or use some ports differently. When the controller mode is switched, a restart is required. In LAG mode, we cannot assign a port number to the interfaces, but they are fixed to LAG (shown as number 13). With LAG enabled, we can create only one AP-manager interface (we don't need more either, because it works through all the ports in the group). When LAG is enabled, the dynamic AP-manager and untagged (without VLAN) interfaces are deleted, all WLANs are turned off and mapped to the management interface.

Using LAG is recommended to ensure higher throughput and reliability. The second option is to use multiple AP-manager interfaces, where the advantage is that the ports can be connected to different switches, but we do not distribute the traffic to the access VLANs (other dynamic interfaces).

Enabling/disabling LAG is done in Controller - General - LAG Mode on Next Reboot. For the interfaces, the option to assign ports to LAG is then changed.

Example of setting up two ports on a Cisco switch.

interface GigabitEthernet1/0/1
  description WLC port 1
  switchport trunk encapsulation dot1q
  switchport trunk allowed vlan 10, 20, 200
  switchport mode trunk
  switchport nonegotiate
  mls qos trust dscp
  channel-group 1 mode on
end
interface GigabitEthernet1/0/2
  description WLC port 2
  switchport trunk encapsulation dot1q
  switchport trunk allowed vlan 10, 20, 200
  switchport mode trunk
  switchport nonegotiate
  mls qos trust dscp
  channel-group 1 mode on
end
interface Port-channel2
  switchport trunk encapsulation dot1q
  switchport trunk allowed vlan 10, 20, 200
  switchport mode trunk
  switchport nonegotiate
end

VLAN Select

Allows assigning multiple VLANs (and thus subnets) to a single WLAN. For example, if we need a large number of users to connect to the same WLAN, but be divided into different subnets.

We create an Interface for each VLAN in Controller - Interface, we combine them into an Interface Group in Controller - Interface Groups, which we assign to the WLAN in WLANs - WLANs.

Mobility Group

Mobility Group is used to interconnect multiple WLCs, which then share wireless client status information, controller load, client data, and data for controller redundancy. This allows for seamless client transition between controllers (APs registered to different WLCs) and ensures N+1 redundancy (in case of WLC failure, the AP re-registers to another one).

All controllers must use the same Mobility Group name Controller - General - Default Mobility Domain Name. And we must interconnect them (manually enter) in Controller - Mobility Management - Mobility Groups.

Protected Management Frame (PMF) - IEEE 802.11w

Management messages between the AP and the client, such as authentication, association, beacon, probes, are normally unencrypted and unprotected (unlike data traffic, which is normally encrypted). There can be various attacks on them, which is why mechanisms for their protection were developed.

Cisco created Management Frame Protection (MFP), which we can configure globally in Security - Wireless Protection Policies - AP Authentication - Protection Type or on the WLAN in WLANs - specific WLAN - Advanced - MFP Client Protection.

In 2009, a supplement to the IEEE 802.11w standard called Protected Management Frame (PMF) was created, which Cisco supports on certain APs, WLCs and versions. It can be configured on the WLAN, it can only be used for WPA2 PSK or WPA2 802.1x, in WLANs - specific WLAN - Security - Layer 2 - Protected Management Frame set to Required and then in the Authentication Key Management section choose PMF 802.1X or PMF PSK.

Cisco's recommendations state that 802.11w support should be enabled on the WLAN. The problem, however, is that there are only a few clients that support it. I've only done a few tests, but I haven't been able to connect to the WLAN with PMF enabled from any client.

Fast SSID Changing

Set Controller - General - Fast SSID change to Enable

Multicast

Check Controller - Multicast - Enable Global Multicast Mode and Enable IGMP Snooping

Quality of Service

Wireless - QoS - Profiles - we can modify the 4 built-in profiles for traffic

Wireless - QoS - Roles - we can create roles for guest users and limit their traffic, then assign the role to the user account (e.g. in Local Net Users)

NTP

Controller - NTP - Server

SNMP

Be sure to cancel the default values (accesses including the SNMPv3 user) and possibly set your own.

Management - SNMP - General and Communities

Enable HTTPS only

Management - HTTP-HTTPS

Block access to administration from WiFi

Management - Mgmt Via Wireless

Recommended settings - Best Practice

A few points that are recommended to be set or not to be used. Many things are already included in the previous description, so here are a few more. These are information selected from Cisco materials, but when testing some of them, I encountered problems (described in the given point), so I cannot recommend using everything.

• disable WiFi Direct client connections WLANs - specific WLAN - Advanced - Wi-Fi Direct Clients Policy set to Not-Allow - with this setting, some mobile clients did not connect
• in the WLAN settings, you can set WPA and WPA2 together, but some clients have problems with that, so it is recommended to use only WPA2 with AES, it is also recommended to avoid the outdated TKIP (use only AES instead)
• do not use Local EAP for authentication
• enable DHCP Addr. Assignment as Required on each WLAN, so that the client must first obtain an address from DHCP before it can send or receive any traffic
• Cisco detects Rogue APs and it is good to pay attention to them, as they can be used for various attacks, restrict the operation of our WiFi network, or spoof our network so that our users connect to it. However, if we don't use this feature, we can turn it off on the AP Wireless - Access Points - specific AP - Advanced - Rogue Detection
• Rogue Detection can also be tuned in various ways (and create profiles/rules), choose the detection level (which pre-sets other parameters) Security - Wireless Protection Policies - Rogue Policies - General - Rogue Detection Security Level or for example set the minimum signal strength of the detected AP (RSSI) Rogue Detection Minimum RSSI
• disable low data rates in the 5GHz and 2.4GHz bands, it reduces the speed of the entire network, but it's necessary to be careful when disabling and thoroughly test Wireless - 802.11a/n - Network for example, disable 6, 9, 12 and 18 Mbps, Wireless - 802.11b/g/n - Network for example, disable 1, 2, 5.5, 6, 9 and 11 Mbps
• enable Band Select (not recommended for Voice WLAN), clients that support both 2.4GHz and 5GHz, but default to 2.4GHz, are forced to connect to 5GHz, set on WLAN WLANs - specific WLAN - Advanced - Client Band Select
• minimize the number of SSIDs (i.e. WLANs), of course according to practical possibilities
• use Application Visibility and Control (AVC), which classifies applications using Cisco Deep Packet Inspection (DPI) techniques with Network-Based Application Recognition (NBAR), so we can recognize applications and drop or mark some traffic, enabled on WLAN WLANs - specific WLAN - QoS - Application Visibility
• enable the 802.11k standard for optimal roaming between APs, which allows sending information about neighboring APs
  (Cisco Controller) >config wlan assisted-roaming neighbor-list enable <WLAN id>
(Cisco Controller) >config wlan assisted-roaming dual-list enable <WLAN id>
(Cisco Controller) >config wlan assisted-roaming prediction enable <WLAN id>
• use CleanAir Wireless - 802.11a/n/ac - CleanAir and Wireless - 802.11b/g/n - CleanAir
• if we use old AP generation 1 (Cisco Aironet 1140, 3500, 1250, 1260 Series), we can enable ClientLink 1.0 (newer versions ClientLink 2.0 and 3.0 are enabled by default, but only supported on new APs)
  (Cisco Controller) >config 802.11a disable network
(Cisco Controller) >config 802.11a beamforming global enable
(Cisco Controller) >config 802.11a enable network
(Cisco Controller) >config 802.11b disable network
(Cisco Controller) >config 802.11b beamforming global enable
(Cisco Controller) >config 802.11b enable network
• enable Dynamic Channel Assignment (DCA) for 802.11ac
  Wireless - 802.11a/n/ac - Network - 802.11a Network Status - we must disable the network
  Wireless - 802.11a/n/ac - RRM - DCA - Channel Width and enable Extended UNII-2 channels
Wireless - 802.11a/n/ac - Network - 802.11a Network Status - enable the network