Pointing the Cisco 3850 as a Mobility Controller to a central 2504 WLC anchor

Similar Messages

• Error in GUI of Cisco 3850 Switch with Wireless Controller.

  Hi,
  I have Configured 3850 switch wireless controller. But while accessing the controller through GUI, I faced following errors while configuring it through GUI.
  Because its complecated to configure it through CLI.
  Attached are the snaps of error faced.
  and if I didnt get this error, and able to configure, I can save it because of this error.
  Please help me on this issue, so that I can easily configure the controller.
  Brgds,
  Ninad Thakare

  Hi Sandeep,
  Here is the configuration which I have did.
  ip http server
  ip http secure-server
  wsma agent exec
  profile httplistener
  profile httpslistener
  wsma agent config
  profile httplistener
  profile httpslistener
  wsma agent filesys
  profile httplistener
  profile httpslistener
  wsma agent notify
  profile httplistener
  profile httpslistener
  wsma profile listener httplistener
  transport http
  wsma profile listener httpslistener
  transport https
  wireless mobility controller
  wireless management interface Vlan4 ( Voice VLAN )
  wlan FG-WiFi 1 FG-WiFi
  client vlan 4
  ip dhcp server 10.106.72.1
  no security wpa akm dot1x
  security wpa akm psk set-key ascii 0 testing1234
  no security wpa wpa2
  no security wpa wpa2 ciphers aes
  no wmm
  no shutdown
  wlan GLOBALACCESSII 2 GLOBALACCESSII
  client vlan 4
  ip dhcp server 10.106.72.1
  no security wpa akm dot1x
  security wpa akm psk set-key ascii 0 testing1234
  no security wpa wpa2
  no security wpa wpa2 ciphers aes
  no wmm
  no shutdown
  ap group default-group
  ap group 3850WLC
  wlan FG-WiFi
    vlan 4
  wlan GLOBALACCESSII
    vlan 4
  end
  Brgds,
  Ninad Thakare

• Cisco 526 Wireless Express Mobility Controller

  We have just purchased at UC520, 526 Controller and a LAP521 controller. We got the UC520 up and running in 15 mins, but the 526 does not include very much documentation. We can not get it to find the 521 AP on the network nor will it go to layer 2 mode. I don't want to setup layer 3 routing for a 4 PC office. During the setup the only option it gives is layer 3 and the documentation says it will do layer 2? Can anyone give me any assistance?

  The controller reference between layer2 and layer3 is a little misleading. Having the WLC (WLAN Controller) in layer2 mode means that it uses layer 2 frame headers to place the LWAPP information in. With the WLC in layer3 mode, the WLC places the LWAPP header in the IP packet header instead of on the layer 2 frame header. The newer AP's support only understanding the layer3 mode of placing LWAPP info in the layer3 packet header. In either mode, you can still configure your network with only one VLAN/subnet, which sounds like your goal. To summarize, the WLC's mode of layer2 vs layer3 only references where the LWAPP header is placed in either the frame or the packet and in no way correspondes to how you design the vlan's/subnet's of your network.

• Can AIR-AP521G-x-K9 be controlled by the Cisco 526 Mobility controller ?

  I am going to buy a AIR-AP521G-x-K9 with IOS software which is a stand alone access point.
  However, later on I may buy a Cisco 526 Wireless Express Mobility controller in order to expand my wireless network.
  As I know at that moment I need to buy light weight AIR-LAP521G-x-K9 instead of AIR-AP521G-x-K9
  However I want to know if the stand alone AIR-AP521G-x-K9 can be control by the mobility controller without doing any change to the AIR-AP521G-x-K9 ?
  Thanks

  Hi Pak,
  The AIR-AP521G can be converted to Controller based mode via software upgrade so your investment is protected should you decide down the road to switch to Controller based. Have a look***;
  Q. Which access point products are included in the Cisco Mobility Express Solution?
  A. Two Cisco 500 Series Wireless Express Access Point products are in the Cisco Mobility Express Solution; their part numbers follow:
  AIR-AP521G-x-K9 (standalone access point)
  AIR-LAP521G-x-K9 (controller-based access point)
  The hardware for these products is the same. The products have different software,*** but the access points can be converted from standalone mode to the controller-based mode with a simple software upgrade.
  Up to three access points can be managed by Cisco Configuration Assistant. More than three access points in the network requires the controller as well.
  From this good Q & A doc;
  http://www.cisco.com/en/US/products/ps7319/products_qanda_item0900aecd8060c860.shtml
  Hope this helps!
  Rob
  Please remember to rate helpful posts.....

• 2602 AP and cisco 3850

  Hi,
  i would like to know if i could use the cisco 3850 as a pass through to register with cisco 5508 (flex connect) at our main site. at the moment i can see the AP registering to cisco 3850 and not 5508. if i plug in the ap to a cisco 2960 will connect to 5508 ?
  also which mode should it be if the above is possbile (Moblity controller mode or Mobility agent mode)
  Thanks

  Hi Raskia,
  Thanks for your reply. so if i go for option 1 can i still use mobility tunnel and mobility anchor feature. I need to for form a mobility tunnel to 5508 on the inside network and another tunnel to 4400 controller in the dmz (i know it has problems with tunnel to 4404 controller due to ios problems but if i can do to 5508 it will be fine)
  its a shame if i cant do the above i will have to remove the wireless feature and use it as l2 switch. when i do no wireless management inter x then does it remove the router (l3) bit of the router?
  Thanks

• Cisco 3850 support BFD ?

  Hi ,
    how can i enable and config BFD on the Cisco 3850 .
  i had check eigrp plugin but It have not BFD Platform Support .
  Core_IDC3850#sh eigrp plugins
  EIGRP feature plugins:::
      eigrp-release      :   7.00.00 : Portable EIGRP Release                 
                         :   1.00.13 : Source Component Release(rel7)
      parser             :   2.02.00 : EIGRP Parser Support                   
      igrp2              :   3.00.00 : Reliable Transport/Dual Database       
      external-client    :   1.02.00 : Service Distribution Client Support    
      eigrp-nsf          :   2.00.00 : Platform Support                       
      Spatial Reuse Prot :   1.01.00 : Platform Support                       
      mtr                :   1.00.01 : Multi-Topology Routing(MTR)            
      EVN/vNets          :   1.00.00 : Easy Virtual Network (EVN/vNets)       
      ipv4-af            :   2.01.01 : Routing Protocol Support               
      ipv4-sf            :   1.02.00 : Service Distribution Support           
      ipv6-af            :   2.01.01 : Routing Protocol Support               
      ipv6-sf            :   2.01.00 : Service Distribution Support           
      vNets-parse        :   1.00.00 : EIGRP vNets Parse Support              
      snmp-agent         :   1.01.01 : SNMP/SNMPv2 Agent Support              
  Core_IDC3850#
  My 3850 OS ver 
  Switch Ports Model              SW Version        SW Image              Mode  
  *    1 32    WS-C3850-24T       03.03.01SE        cat3k_caa-universalk9 INSTALL
  Br
  Horace

  As per the Cisco Feature Navigator output, this switch model does not support  BFD.
  Herewith attached the supported feature of this switch model 3.3.1 software version.
  HTH
  Rasika
  **** Pls rate all useful responses ****

• Looking for Cisco 3850 power-stack OID

  Hi all,
  Does anyone know the OID for the Powerstack interfaces of the Cisco 3850?
  It is not the normal ifentry like the data-stacking cables!
  Thanks
  Willem

  Hi,
  See this information below:
  24-Port PoE Switch
  48-Port PoE Switch
  PoE on all ports (15.4W per port)
  One PWR-C1-715WAC
  One PWR-C1-1100WAC or two PWR-C1-715WAC
  PoE+ on all ports (30W per port)
  One PWR-C1-1100WAC or two PWR-C1-715WAC
  Two PWR-C1-1100WAC or one PWR-C1-1100WAC and one PWR-C1-715WAC
  http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-3850-series-switches/data_sheet_c78-720918.html
  Hope this helps.

• Cisco 3850 Mobility Agent unable to connect clients

  Hi
  We are trying to use Cisco 3850 as Mobility agents with 5760. We can't seem to get the clients to authenticate to the radius server. We don't even see them appear in the radius logs.
  We have defined the radius server and the profile
  wlan Wireless 2 WAP
  aaa-override
  accounting-list Radius
  client vlan wireless
  security dot1x authentication-list Radius
  session-timeout 1800
  no shutdown
  radius server Primary
  address ipv4 x.x.x.x auth-port 1812 acct-port 1813
  timeout 5
  retransmit 2
  key 7 ........
  radius server Primary
  address ipv4 x.x.x.x port 1812 acct-port 1813
  timeout 5
  retransmit 2
  key 7 .........
  The client appears to connect to the AP but can't authenticate so gets kicked off
  If we do a test aaa group username password then it says that it's sucessful.
  In the debug we get 802.1X required but then it never seems to get any further.

  Alright, so I finally figured out the issue with this. I had a Mobility Anchor set on the guest WLAN and once I removed that all started working again.
  What is Mobility Anchor?
  A. Mobility Anchor, also referred to as Guest tunneling or Auto Anchor Mobility, is a feature where all the client traffic that belongs to a WLAN (Specially Guest WLAN) is tunneled to a predefined WLC or set of controllers that are configured as Anchor for that specific WLAN. This feature helps to restrict clients to a specific subnet and have more control over the user traffic. Refer to the Configuring Auto-Anchor Mobility section of Cisco Wireless LAN Controller Configuration Guide, Release 7.0 for more information on this feature.

• 2 controllers - Cisco 526 wireless mobility Controller

  Hi,
  My setup consist of 2 controllers(Cisco 526) and 8APs.
  Cisco documentation has stated that it supports for 2 controllers per network. But has not shown how to configure it.
  Please advise on how i can configure the 2nd controller to aid 8APs.
  How would the APs be managed by 2 controllers? Do i see both controllers as 1 virtual controller on the GUI/CCA, or do i have to manage 2 separate Cisco 526 controller.
  Please advise

  You'll need to manage two separate controllers, unfortunately. You simply need to give them identical configurations (with different IP addresses), and they'll work together to service the access points. The APs will associate to whichever controller has more available slots, and the APs should find the other controller in case theirs goes down.
  I'm not too familiar with 526 configs, but you should be able to configure the APs to use a specific primary and secondary controller. Look under the AP configuration once the APs have associated to a controller.

• Ask the Expert: Plan, Design, and Implement Mobile Remote Access, the Cisco Collaboration Edge Architecture

  Welcome to the Cisco® Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about planning, designing, and implementing mobile remote access (Cisco Collaboration Edge Architecture) with Cisco subject matter experts Aashish Jolly and Abhijit Anand.
  Cisco Collaboration Edge Architecture is an architecture that provides VPN-less access of Cisco Unified Communications resources to Cisco Jabber® users. This discussion is dedicated to addressing questions about design best practices while implementing mobile remote access.
  For more information, refer to the Unified Communications Mobile and Remote Access via Cisco VCS deployment guide. 
  Aashish Jolly is a network consulting engineer who is currently serving as the Cisco Unified Communications consultant for the ExxonMobil Global account. Earlier at Cisco, he was part of the Cisco Technical Assistance Center (TAC), where he helped Cisco partners with installation, configuring, and troubleshooting Cisco Unified Communications products such as Cisco Unified Communications Manager and Manager Express, Cisco Unity® solutions, Cisco Unified Border Element, voice gateways and gatekeepers, and more. He has been associated with Cisco Unified Communications for more than seven years. He holds a bachelor of technology degree as well as Cisco CCIE® Voice (#18500), CCNP® Voice, and CCNA® certifications and VMware VCP5 and Red Hat RHCE certifications.
  Abhijit Singh Anand is a network consulting engineer with the Cisco Advanced Services field delivery team in New Delhi. His current role involves designing, implementing, and optimizing large-scale collaboration solutions for enterprise and defense customers. He has also been an engineer at the Cisco TAC. Having worked on multiple technologies including wireless and LAN switching, he has been associated with Cisco Unified Communications technologies since 2006. He holds a master’s degree in computer applications and multiple certifications, including CCIE Voice (#19590), RHCE, and CWSP and CWNP.
  Remember to use the rating system to let Aashish and Abhijit know if you have received an adequate response. 
  Because of the volume expected during this event, our experts might not be able to answer every question. Remember that you can continue the conversation on the Cisco Support Community Collaboration, Voice and Video page, in the Jabber Clients subcommunity, shortly after the event. This event lasts through June 20, 2014. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

  Hi Marcelo,
     Yes, there are some requirements for certificates in Expressway.
  Expressway Core (Exp-C)
  - Can be signed by either External or Internal CA
  - Better to use a cluster name even if you start with 1 peer in Exp-C cluster. In the future, if more peers are added, changes would be minimal.
  - Better to use FQDN of cluster as CN of certificate, this way the traversal zone configuration on Expressway-E won't require any change even if new peers are added to Exp-C cluster.
  - If CUCM is mixed mode, include security profile names (in FQDN format) as Subject Alternate Names
  - The Chat Node Aliases that are configured on the IM and Presence servers. They will be required only for Unified Communications XMPP federation deployments that intend to use both TLS and group chat. (Note that Unified Communications XMPP federation will be supported in a future Expressway release). The Expressway-C automatically includes the chat node aliases in the CSR, providing it has discovered a set of IM&P servers.
  - For TLS b/w CUCM, IM-P & Exp-C
    + If using self-signed certificates on CUCM, IM/P. Load Cisco Tomcat, cup, cup-xmpp certificates from IM-P on Exp-C. Load callmanager, Cisco Tomcat certificates from CUCM on Exp-C.
    + If using Internal CA signed certificates on CUCM, IM/P. Load Root CA certificates on Exp-C.
    + Load CA certificate under tomcat-trust, cup-trust, cup-xmpp-trust on IM-P.
    + Load CA certificate under tomcat-trust, callmanager-trust on CUCM.
  Expressway Edge (Exp-E)
  - Signed by External CA
  - Configured Unified Communications domain as Subject Alternate Name
  - If using a cluster, select FQDN of this peer as CN and FQDN of Cluster + this peer as Subject Alternate Name.
  - If XMPP federation is being deployed, enter the same Chat Node Aliases as entered in Exp-C.
  For more details, please refer to the Certificate Creation Guide for Cisco Expressway x8.1.1
  http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-1/Cisco-Expressway-Certificate-Creation-and-Use-Deployment-Guide-X8-1.pdf
  - Aashish

• Any new firmware for the Cisco AP541N access points.

  Do you know if Cisco has come out with any new firmware for the Cisco AP541N access points.

  Latest release is 1.8.0 from Jan 25, 2010:
  http://tools.cisco.com/support/downloads/go/ImageList.x?relVer=1.8.0&mdfid=282790482&sftType=Small+Business+Pro+Wireless+Software&optPlat=&nodecount=2&edesignator=null&modelName=Cisco+AP+541N+Wireless+Access+Point&treeMdfId=278875243&treeName=Wireless&modifmdfid=null&imname=&hybrid=null&imst=null&lr=Y

• Error "Version 3.1.04063 of the Cisco AnyConnect Secure Mobility Client is already installed" - help !

  hi,
  I've tried to install AnyConnect Secure Mobility Client on my computer (Mac OS 10.6.8), I've never installed it before on this computer, however when I want to install  i got the message
  "Version 3.1.04063 of the Cisco AnyConnect Secure Mobility Client is already installed"
  I would be thankful if anyone could help me with this problem !!!

  Would I be correct in assuming that you are trying to do a manual install of the AnyConnect client when you get this error? Have you ever used this MAC to connect to an ASA and to establish a VPN? If so it is quite likely that AnyConnect was installed in that on line session and does not require a manual install.
  HTH
  Rick

• Can't find the cisco mobile ios type

  hello,
  i use CCA version 3.2, i want to add a cisco mobile ios to the UC520 system so i installed the cisco jabber in my phone but when i tried to add  the extension line of the phone in CCA i don't find the type cisco mobile ios with what type can i define the android phone?

  Your question is a bit confusing, but it looks like you are asking what phone type you should choose for an android phone?
  Android is NOT supported as a Jabber client on the UC5XX series.
  iPhone is the only supported platform, and only the voice/voicemail component (no video or chat). iPad/Android/etc are NOT supported at all.
  -Dan
  Please rate useful posts.

• Cisco 3850 SSID qos

  Hello all)
  I have the task to configure QoS for SSID. I have 1602E points and 4 SSIDs per point. I want to priorities one of them. APs are connected to cisco 3850. Please help me how can I do it?

  Bandwidth and Priority Management at SSID Level
  The next step is to take care of the QoS policy at the SSID level. This step applies to both the Catalyst 3850 switch and to the 5760 controller. This configuration assumes that voice and video traffic is identified through the use of class-map and access-lists and is tagged properly. However, some incoming traffic that is not targeted by the access-list may not display its QoS marking. In that case, you can decide if this traffic should be marked with a default value or left untagged. The same logic goes for traffic already marked but not targeted by the class-maps. Use the default copy statement in a table-map in order to ensure that unmarked traffic is left unmarked and that tagged traffic keeps the tag and it not remarked.
  Refer the link for the Complete Configuration : www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/116479-configure-qos-00.html#anc15

• Cisco 3850 Switch and Windows 7 IP Conflicts

  Team,
  Last evening (Christmas eve) we setup a pair of Cisco 3850 with IP Base version 3.3.35SE (recommended) and 3.7.0E (very latest).
  We got these to replace a very old switch that had died. Attached to this network are windows 7 PC's with all the standard patches, service packs, etc.
  with standard port configs - no PC would work - and in fact on each screen we got the windows 7 IP Conflict pop up box.
  This seemed very odd to us, as we know these IP's are all static (no dhcp on this segment at all)
  we went with a very vanilla config on each port
  interface g1/0/1
  switchport host
  that is it - nothing special at all.
  well, after hours of research we found the 3850 has a problem where its "ip device tracking" (even though disabled, by way of NOT being enabled on any interface) will effect the windows 7 PC's ip address in use detection port start up phase!
  This is a very big problem. I am frankly SHOCKED Cisco would release a major switch that is going to not work when connected to the average network with windows 7 PC's.
  we tried 3+ hours of prescribed work-arounds found when researching this issue -
  ip device tracking probe delay 10 (global config)
  ip device tracking max 0 (disabed, on interface)
  finally,
  nmsp attach suppress (interface, however this appears to be a default command in all IOS-XE versions we tried, as the command did NOT show in the show run) . this effected many different nic card vendors (laptops, desktops) and nic card drivers levels from old to very recent.
  Finally,
  we compared a 3850 in another location to this one - and we never got HIT by this problem before because that 3850 only as TRUNK ports and no windows 7 hosts directly attached.
  Doing more research, I found out this also can effect vmware guests running windows SERVER.
  this is now a huge issue as we have a scheduled deployment of 3850's throughout our network which is going to be put on hold.
  the work-around I came up with which is not great is -
  Make ALL the "access" ports connected to PC TRUNK ports and leave the NATIVE vlan (untagged) as the vlan you want the PC's to be in
  interface g1/0/1
  switchport mode trunk
  switchport trunk native vlan 1
  this is NOT an acceptable workaround as this presents security issues even with
  switchport trunk allowed vlan 1, etc. as the only allowed vlan.
  Note: this issue manifested itself and windows 7 PC's were UNABLE to use the network. if you do "ipconfig /all | more" you would see
  192.168.0.140(duplicate) and the interface would actually use 169.254.0.239(duplicate) so the duplicate message appeared twice in the output.
  1) With and without an SVI interface on each 3850 for the vlan where the windows 7 machines had a duplicate
  2) when we had an SVI and the command ip device tracking probe use-svi (or whatever the hidden command is I forget now, but it took it)
  3) when we had aaa new-model configured - and not configured - thinking this was some artifact of having aaa turn on something like 802.1x port state
  4) when could confirm NO DHCP SNOOPING
  5) when we DID not use static IP's - and had the switch assign DHCP addresses - the Windows 7 PC's STILL had duplicates and didnt work for their "Just leased" ip's.
  6) when we could confirm ios-xe ip device tracking = disabled with show ip device tracking status, etc.
  This is a major problem for this 3850 and unless we get a definitive answer on why this is happening and how we can rectify we are going to have to return our 3850's and get HP Procurve's something I would rather avoid doing. There is NO REASON I can imagine other than older switches who's ports default to ROUTED ports (i.e.. no ip switchport) where a switch should not at least function as a bare switch with essentially a default configuration out of the box.
  Any ideas? I'm working well now with the ports ALL in trunking mode with vlan 1 native, but this is not a scalable workaround we can live with as we have security risks of a port not blocking certain vlans from going out ports to pc's, etc. that attackers could send tags on at that point, etc.
  thanks,
  Joe Brunner
  #19366

  thanks for replying - i'm not onsite (its a standalone network) - but here is what it is -
  Answers in line -
  This all stems from a switch replacement correct?
  yes a 10 year old Allied Telesyn switch was replaced that had no config - like a hub, just used for connectivity.
  Are these 3850's in a stack?
  >yes, tested all aspects of the stack many times.
  Does it have a managment ip address -If so, is it using the old switch ip address
  >old switch had no ip - i made a "management interface" on vlan 1 - BUT no ip on the built-in management interface on the switch.
  What are they connecting to? (a router/L3 switch/anohter switch- cisco-HP etc..)
  >various other devices - only 1 link back to a single 3750x stack. that switch is "hardened" so to speak to reveal or propagate very little by design.
  How are they connected( L3 interface/L2 trunk/access port)
  >all ports are left in trunk mode with vlan 1 as the active and untagged port. this was the workaround done to ever get the switch going. in "out of the box" or default mode as we initially wanted (no config) links to windows 7 PC's didnt work. links to linux or other devices non-windows did work!
  Are thse switches performing inter-vlan routing or just acting as host switches?
  >dumb flat network, no routing.
  Is ip routing enabled?
  >not unless enabled on 3850 by default. I didnt type "ip routing"
  Do you have multiple vlans in your network and if so ar ethe being propergated to these new switches?
  Your 7 pcs = are they just client pcs not servers?
  client PC's - no servers OS per say.
  can you confirm something like ICS isnt enabled (Internet connection sharing)  on any of them?
  >yes not enabled.
  Are the just using one NIC each?
  > one machine is dual homed - but we know where its "second nic" goes - to another cisco network which is NOT connected back to this one. we traced all our ports a few times thinking even perhaps some small hub was "reflecting" traffic back to us - like a blackbox. Strangest thing -
  default config out of the box - with ALL ports SHUTDOWN EXCEPT the single windows 7 facing port - the windows 7 machine STILL registered an IP CONFLICT when connected to the 3850 - even when it had NO SVI's!!! (i know mind numbing). if you disconnected the pc and connected it to an old cisco switch - it worked fine!!! wow.
  sh switch
  2 identical 3850's in working stack. power and network stacked. both at same version, etc - upgraded each time with "software install file flash:<long ios name>.bin
  tested all power and general 3850 stacking. saw no issues.
  sh int trunk
  >all ports are now trunks (hence the workaround used to get it up).
  has 20 trunks to PC's and some single connected switches (far away on fiber) - all allow only vlan 1 - no other vlans were created - very very simple network. vlan 1 is native
  sh vlan brief
  >just vlan 1 - no vlans created, checked this many times - had vlan 100 at one point - made sure it was gone over a period of hours.
  sh vtp status
  not setup - left complete default; no vtp domain set - connected to all switches in transparent model if a switch connection exists.
  sh cdp neighbours
  cant post (for god and country LOL) but there is one link back to our "core" so to speak - that switch is hardened not to allow any settings to slip over to new switches so hence no vtp, cdp is one to help troubleshooting.
  sh ip route
  just the L and C routes for the vlan 1 ip address 192.168.17.1/24
  no static routes
  no vlan interfaces other than int vlan 1
  no ip address on g0/0/0 -> the default 3850 management interface hard assigned to the 3850 VRF you cant remove.
  int g0/0/0
  ip vrf forwarding Switch_Mgmt
  i can get over there if you think of anything else key to show the group.
  thanks,
  Joe