CCIE Security lab: vWLC – Part 1 – Check the Wireless compatibility matrix for vWLC!

My Cisco 1200 series AP arrived the other day. It’s a nice looking AP, as far as they go, but trying to get it set up has reminded me how much Wireless technology annoys me. But it’s been a useful learning curve nonetheless.

So, we have the following setup:

vWLC -> SW2 -> SW3 -> 3750X -> AP

It looks like this:

Cisco vWLC on UNetLab

We need a few things in place to run a lightweight AP. These are a DHCP server, with option 43 defined, maybe a DNS server with a couple of entries in it, and, of course, physical connectivity.

I added a Cisco IOSv router to take care of the DHCP and DNS, and, to cut a long story short, got much further. Here is the setup:

AP-DNS#sh run | s dhcp
ip dhcp excluded-address 10.1.4.1 10.1.4.50
ip dhcp excluded-address 10.1.4.100 10.1.4.254
ip dhcp pool APs
 network 10.1.4.0 255.255.255.0
 default-router 10.1.4.254 
 dns-server 10.1.4.101 
 option 60 ascii "Cisco AP c1200"
 option 43 ascii "10.1.4.152"
 domain-name 802101.local
AP-DNS#sh run | i host
hostname AP-DNS
ip host CISCO-LWAPP-CONTROLLER 10.1.4.152
ip host CISCO-CAPWAP-CONTROLLER 10.1.4.152
ip host CISCO-LWAPP-CONTROLLER.802101.local 10.1.4.152
ip host CISCO-CAPWAP-CONTROLLER.802101.local 10.1.4.152
ip host vWLC 10.1.4.152
ip host vWLC.802101.local 10.1.4.152
AP-DNS#
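One caveat on the pool above: Cisco lightweight APs read DHCP option 43 as a single TLV (type 0xf1, length 4 times the number of controllers, then each controller management IP as four raw bytes), which IOS takes with `option 43 hex` in dotted-hex form rather than as an ASCII string. The following is an added example, not part of the original post, that builds that TLV for one or more controllers (the `encode_option43`/`decode_option43` names are my own) and parses it back so a captured option can be checked:

```python
import ipaddress

# Cisco WLC controller-list TLV inside DHCP option 43 (vendor-specific).
CISCO_WLC_TLV_TYPE = 0xF1


def encode_option43(controllers):
    """Return the raw option 43 bytes for a list of controller IPv4 addresses."""
    if not controllers:
        raise ValueError("at least one controller address is required")
    value = b"".join(ipaddress.IPv4Address(ip).packed for ip in controllers)
    # One TLV: type, length (4 bytes per controller), then the packed IPs.
    return bytes([CISCO_WLC_TLV_TYPE, len(value)]) + value


def to_ios_hex(raw):
    """Format raw bytes in the dotted-hex form 'option 43 hex' accepts."""
    hexstr = raw.hex()
    return ".".join(hexstr[i:i + 4] for i in range(0, len(hexstr), 4))


def ios_option43_line(controllers):
    """Build the DHCP pool line for the given controllers."""
    return " option 43 hex " + to_ios_hex(encode_option43(controllers))


def decode_option43(raw):
    """Parse option 43 back into controller addresses; reject malformed TLVs."""
    if len(raw) < 2 or raw[0] != CISCO_WLC_TLV_TYPE:
        raise ValueError("not a Cisco WLC TLV (expected type 0xf1)")
    length = raw[1]
    if length == 0 or length % 4 or len(raw) != 2 + length:
        raise ValueError("bad length %d for option 43 TLV" % length)
    return [str(ipaddress.IPv4Address(raw[2 + i:6 + i]))
            for i in range(0, length, 4)]


if __name__ == "__main__":
    # The vWLC management address from the post: 10.1.4.152 -> 0a 01 04 98
    print(ios_option43_line(["10.1.4.152"]))
```

Feeding the ASCII form `"10.1.4.152"` to `decode_option43` is rejected, because its first byte is the character "1" rather than the 0xf1 type the AP looks for.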

With this, the AP started to get a bit further, but still would not register. I made some changes to the switching side of things, and set the ports connecting SW2 to the vWLC to be trunks:

SW2#sh run int gi 1/3
Building configuration...

Current configuration : 158 bytes
!
interface GigabitEthernet1/3
 switchport access vlan 4
 switchport trunk encapsulation dot1q
 switchport mode trunk
 media-type rj45
 negotiation auto
end

SW2#sh run int gi 2/3
Building configuration...

Current configuration : 174 bytes
!
interface GigabitEthernet2/3
 switchport access vlan 4
 switchport trunk encapsulation dot1q
 switchport mode trunk
 media-type rj45
 duplex full
 no negotiation auto
end

SW2#

The vWLC was set up to have the management interface in VLAN 4:

Interface Configuration
Interface Name................................... management
MAC Address...................................... 50:00:00:15:00:01
IP Address....................................... 10.1.4.152
IP Netmask....................................... 255.255.255.0
IP Gateway....................................... 10.1.4.254
External NAT IP State............................ Disabled
External NAT IP Address.......................... 0.0.0.0
Link Local IPv6 Address.......................... fe80::5200:ff:fe15:1/64
STATE ........................................... REACHABLE
Primary IPv6 Address............................. ::/128
STATE ........................................... NONE
Primary IPv6 Gateway............................. ::
Primary IPv6 Gateway Mac Address................. 00:00:00:00:00:00
STATE ........................................... INCOMPLETE
VLAN............................................. 4         
Quarantine-vlan.................................. 0
Physical Port.................................... 1         
DHCP Proxy Mode.................................. Global
Primary DHCP Server.............................. 10.1.4.101
Secondary DHCP Server............................ Unconfigured
DHCP Option 82................................... Disabled

Even with this setup, the AP just kept on renewing the IP address, and moaning about certificates. The vWLC itself does show that the registration requests were getting to where they should be:

(Cisco Controller) >show ap join stats detailed 00:1e:f7:47:72:4b

Sync phase statistics
- Time at sync request received............................ Not applicable
- Time at sync completed................................... Not applicable

Discovery phase statistics
- Discovery requests received.............................. 245
- Successful discovery responses sent...................... 163
- Unsuccessful discovery request processing................ 82
- Reason for last unsuccessful discovery attempt........... Layer 3 discovery request not received on management VLAN
- Time at last successful discovery attempt................ Apr 19 15:47:54.389
- Time at last unsuccessful discovery attempt.............. Apr 19 15:47:54.385

You can see a lot of requests and responses above.

After much mucking about, it turns out that I should have looked at the compatibility matrix before buying what I assumed would be a decent AP. The link is here in case you need it: http://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html.

So now I have ordered a new AP; this time it is an 1142, which is on the matrix. Lesson learned – do your homework! The alternative could have been to run an older version of the vWLC (7.0).

Hopefully when this arrives I can plug it in and get going!
