Re: [WIRELESS-LAN] Cisco WLC 9800 Gotchas
I spent some time tinkering with a 9105AXW in AireOS recently. It's definitely not quite right and behaves differently than the 1810W/1815W. I hope it just has buggy software that will be fixed in the future. I haven't tried the wired ports in c9800 yet, I know that was the actual question. I'll share my AireOS experience anyway.

In AireOS the regular RLAN configs *do* work on 9105AXW, without any special configs or CLI commands. All I had to do was reboot the AP after making any AP group port config changes, just one reboot was all it needed. After hours of troubleshooting and changing configs, that's all it ended up being. From then on it works fine, as long as you don't change the port configs. I didn't use port-override to enable the ports.

Not sure if that's helpful for c9800. If anything, I guess it just adds +1 to the sentiment: "Something isn't right" with these APs.

Unrelated to 9105AXW, but regarding bulk configurations, I've been doing most of it in Excel and pasting into the WLC. Lame, I know, but it works. With the AP MAC addresses in the spreadsheet already, enter the building, floor, room, distinguisher, and it spits out all of the WLC commands for each AP. Copy/paste the commands into a text editor, replace tabs with newlines, and copy/paste into the WLC. The columns that are just "y" are because that command wants you to confirm before it takes effect. Include that in what you copy/paste.

Here's what I've been using for AireOS config of a regular AP. My naming convention is to use a hyphen to separate fields. The AP model is prefixed with "AP" to differentiate between switches and other things. The AP "Distinguisher" could be the AP number or the location in the room (NW). The APs are named by Building-Floor-Room-Model-Distinguisher.

Substituting tabs to newlines, this line:

> config ap name BLDG-1-100-AP2802-NW 123456ABCDEE config ap location BLDG-1-100 BLDG-1-100-AP2802-NW config ap primary-base WLC-NAME BLDG-1-100-AP2802-NW 1.2.3.4 config ap group-name BLDG-1-APGROUP BLDG-1-100-AP2802-NW y config ap link-encryption enable BLDG-1-100-AP2802-NW y

Becomes:

> config ap name BLDG-1-100-AP2802-NW 123456ABCDEE
> config ap location BLDG-1-100 BLDG-1-100-AP2802-NW
> config ap primary-base WLC-NAME BLDG-1-100-AP2802-NW 1.2.3.4
> config ap group-name BLDG-1-APGROUP BLDG-1-100-AP2802-NW
> y
> Wait for AP reboot, then paste the last blob
> config ap link-encryption enable BLDG-1-100-AP2802-NW
> y

Ethan Grinnell
CCIE Enterprise Infrastructure #39723, BS CmpE
Network Engineer
Office of Information Technology, Technology Infrastructure, Networking
Portland State University

** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community

Attachment: AP Configuration Template.xlsx (MS-Excel 2007 spreadsheet)
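
[Added example, not part of the original message and not the attached spreadsheet: a Python version of the spreadsheet-to-CLI workflow described above, which rejects any cell that is not a single CLI word, since a stray space or tab in a cell would shift the arguments of a command pasted into the controller. The CSV column names and the second sample row are constructed for illustration; the command forms are the ones shown in the message.]

```python
import csv
import io
import ipaddress
import re

# Constructed sample inventory; the column names are assumptions of this example.
SAMPLE_CSV = """mac,building,floor,room,model,distinguisher,ap_group,wlc_name,wlc_ip
123456ABCDEE,BLDG,1,100,2802,NW,BLDG-1-APGROUP,WLC-NAME,1.2.3.4
123456ABCDEF,BLDG,1,100 A,2802,SE,BLDG-1-APGROUP,WLC-NAME,1.2.3.4
"""

TOKEN = re.compile(r"[A-Za-z0-9_.-]+")  # one CLI word: no spaces, tabs or newlines
MAC = re.compile(r"[0-9A-Fa-f]{12}")


def build_commands(row):
    """Return (first_blob, second_blob) of AireOS commands for one AP row."""
    for key, value in row.items():
        pattern = MAC if key == "mac" else TOKEN
        if not isinstance(value, str) or not pattern.fullmatch(value):
            raise ValueError(f"bad value in column {key!r}: {value!r}")
    ipaddress.IPv4Address(row["wlc_ip"])  # ValueError on a malformed address
    location = f"{row['building']}-{row['floor']}-{row['room']}"
    name = f"{location}-AP{row['model']}-{row['distinguisher']}"
    first = [
        f"config ap name {name} {row['mac']}",
        f"config ap location {location} {name}",
        f"config ap primary-base {row['wlc_name']} {name} {row['wlc_ip']}",
        f"config ap group-name {row['ap_group']} {name}",
        "y",  # answers the confirmation prompt; the AP then reboots
    ]
    second = [f"config ap link-encryption enable {name}", "y"]
    return first, second


def generate(csv_text):
    """Return (accepted, rejected): command blobs and (csv_line, reason) pairs."""
    accepted, rejected = [], []
    reader = csv.DictReader(io.StringIO(csv_text))
    for row in reader:
        try:
            accepted.append(build_commands(row))
        except ValueError as exc:
            rejected.append((reader.line_num, str(exc)))
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = generate(SAMPLE_CSV)
    for first, second in ok:
        print("\n".join(first))
        print("--- wait for AP reboot, then paste: ---")
        print("\n".join(second))
    for line, reason in bad:
        print(f"skipped CSV line {line}: {reason}")
```
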
Re: [WIRELESS-LAN] Cisco WLC 9800 Gotchas
Hi Jesse

After reading your last email and me thinking about it I was starting to second guess myself and pulled a new 9105AX out of the box to connect it to our 9800. Yea, it sure doesn't enable the ports, and then I thought about it some more and realized that either I didn't have this issue with 1810 because they're different in some way than the 9105AX (as they're the same config syntax), or because I moved my 1810's from AireOS to IOS and as they were already enabled I didn't have to deal with it, or I was just delirious and forgot about this with the 1810's. I'm leaning to a mixture of the 2nd and 3rd option. As the more I think about it the more I recall seeing this in testing on the 9800 before migration and thinking "how dumb is this" but didn't end up having to deal with it as APs migrated with ports enabled.

Either way, here is something that can help you out. I wrote a quick simple EEM script to look for 9105AX's joining the controller and then enabling all the ports. Probably don't want to run it all the time on your controllers and you can modify it as you see fit, maybe even streamline it a bit. While I don't think it matters since the syslog output and commands should be the same, this was written against 17.3.x code.

event manager applet enable-rlan-ports
 ! Fire on every AP join syslog message
 event syslog pattern "%CAPWAPAC_SMGR_TRACE_MESSAGE-5-AP_JOIN_DISJOIN:.* Joined"
 action 050 set ap_model "null"
 ! Extract the AP name from the join message
 action 100 regexp "^.*%CAPWAPAC_SMGR_TRACE_MESSAGE-5-AP_JOIN_DISJOIN:.* AP Name: (.*),.* Joined$" "$_syslog_msg" ignore ap_name
 action 150 cli command "enable"
 ! Look up the AP model and act only on C9105AXW
 action 200 cli command "show ap name $ap_name config general | i Model"
 action 250 regexp ".*(C9105AXW).*" "$_cli_result" ignore ap_model
 action 300 if $ap_model eq "C9105AXW"
 action 350  syslog msg "C9105AX Joined Setting LAN Ports to Enabled"
 action 400  cli command "ap name $ap_name lan port-id 1 enable"
 action 450  cli command "ap name $ap_name lan port-id 2 enable"
 action 500  cli command "ap name $ap_name lan port-id 3 enable"
 action 550 end

Nick

From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Jesse Thomas
Sent: Friday, December 11, 2020 8:27 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco WLC 9800 Gotchas

EXTERNAL EMAIL

Hi Eric and Nick,

I do not believe the traditional templates work for APs on the 9800 platform (we make heavy use of them for our AireOS hardware). I did give it a try and it returns a status of "Not Applicable", and the settings for the LAN ports are not changed. That said, the behavior we are experiencing could also be related to an SNMP bug between 17.3.2a and Prime. This is currently preventing us from using Prime to change names on these APs as well.

In Prime 3.8 there is a new section: Menu > Configuration > Cisco Catalyst 9800 Configuration where you can create and deploy tags & profiles (matching what's on the WLC), but the trouble we've found is that there is no way to enable the LAN ports in this manner—either via Prime or directly on the WLC using tags/profiles. We have created an RLAN Profile and RLAN Policy to configure the basic settings, security, VLAN mapping, PoE, etc. and these all work as expected, but once this configuration is applied, the ports remain in a disabled state, and we've have to manually enable them on each AP. We have confirmed this behavior with TAC and our regional Cisco SE and are in the process of filing an enhancement request.

@Eric - would you be willing to share more detail on or off the list regarding "CSV uploads of MAC-to-AP name assignments"? If I am understanding this correctly, it may be something useful in our deployment workflow.

Thanks,

--
Jesse

On Thu, Dec 10, 2020 at 5:36 PM Ciesinski, Nick <ciesi...@uww.edu> wrote:

Are you talking about enabling the LAN ports from Prime or on the WLC itself? On the WLC itself the LAN ports are configured via the policy tag configuration in the RLAN-POLICY map section where you assign a RLAN to each port. That policy tag then needs to be applied to the APs.

For applying tags I’ve personally moved away from having Prime statically assign APs tags like I used to do with AP groups in AireOS and instead have written regex rules on the WLC to automatically apply the tag based on the AP name.

Nick

On Dec 10, 2020, at 11:43 AM, Jesse Thomas <jtho...@hamilton.edu> wrote:

EXTERNAL EMAIL

Hi Everyone,

We are boldly moving forward with a deployment of two 9800-40s (HA pair) and about 400 of the new 9105AXW access points. We have encountered a couple of minor issues thus far and I am curious if anyone in the group has also experienced them and perhaps has some recommendations for workarounds.

1. Oddly,
Re: [WIRELESS-LAN] Cisco WLC 9800 Gotchas
Hi Eric and Nick,

I do not believe the traditional templates work for APs on the 9800 platform (we make heavy use of them for our AireOS hardware). I did give it a try and it returns a status of "Not Applicable", and the settings for the LAN ports are not changed. That said, the behavior we are experiencing could also be related to an SNMP bug between 17.3.2a and Prime. This is currently preventing us from using Prime to change names on these APs as well.

In Prime 3.8 there is a new section: Menu > Configuration > Cisco Catalyst 9800 Configuration where you can create and deploy tags & profiles (matching what's on the WLC), but the trouble we've found is that there is no way to *enable* the LAN ports in this manner—either via Prime or directly on the WLC using tags/profiles. We have created an RLAN Profile and RLAN Policy to configure the basic settings, security, VLAN mapping, PoE, etc. and these all work as expected, but once this configuration is applied, the ports remain in a disabled state, and we've have to manually enable them on each AP. We have confirmed this behavior with TAC and our regional Cisco SE and are in the process of filing an enhancement request.

@Eric - would you be willing to share more detail on or off the list regarding "CSV uploads of MAC-to-AP name assignments"? If I am understanding this correctly, it may be something useful in our deployment workflow.

Thanks,

--
Jesse

On Thu, Dec 10, 2020 at 5:36 PM Ciesinski, Nick wrote:

> Are you talking about enabling the LAN ports from Prime or on the WLC itself? On the WLC itself the LAN ports are configured via the policy tag configuration in the RLAN-POLICY map section where you assign a RLAN to each port. That policy tag then needs to be applied to the APs.
>
> For applying tags I’ve personally moved away from having Prime statically assign APs tags like I used to do with AP groups in AireOS and instead have written regex rules on the WLC to automatically apply the tag based on the AP name.
>
> Nick
>
> On Dec 10, 2020, at 11:43 AM, Jesse Thomas wrote:
>
> *EXTERNAL EMAIL*
> Hi Everyone,
>
> We are boldly moving forward with a deployment of two 9800-40s (HA pair) and about 400 of the new 9105AXW access points. We have encountered a couple of minor issues thus far and I am curious if anyone in the group has also experienced them and perhaps has some recommendations for workarounds.
>
> 1. Oddly, there does not appear to be a way to enable the LAN ports on the access points via a policy or tag within the RLAN configuration. We have confirmed this behavior with TAC and filed for an enhancement request. Our current plan is to export a list of all APs and then do a bulk configuration via the CLI.
>
> 2. We intend to manage this new setup via Prime Infrastructure and potentially move to DNAC once we retire our older equipment that is not supported on the new platform. However, there does not seem to be a straightforward way to apply existing tags/policies created on the WLC to APs within Prime, and documentation is sparse in this area.
>
> Thanks for any insights you can provide on these topics.
>
> Regards,
>
> --
> Jesse Thomas
> Network & Systems Administrator
> Hamilton College
> 315-859-4211
Re: [WIRELESS-LAN] Cisco WLC 9800 Gotchas
Are you talking about enabling the LAN ports from Prime or on the WLC itself? On the WLC itself the LAN ports are configured via the policy tag configuration in the RLAN-POLICY map section where you assign a RLAN to each port. That policy tag then needs to be applied to the APs.

For applying tags I’ve personally moved away from having Prime statically assign APs tags like I used to do with AP groups in AireOS and instead have written regex rules on the WLC to automatically apply the tag based on the AP name.

Nick

On Dec 10, 2020, at 11:43 AM, Jesse Thomas <jtho...@hamilton.edu> wrote:

EXTERNAL EMAIL

Hi Everyone,

We are boldly moving forward with a deployment of two 9800-40s (HA pair) and about 400 of the new 9105AXW access points. We have encountered a couple of minor issues thus far and I am curious if anyone in the group has also experienced them and perhaps has some recommendations for workarounds.

1. Oddly, there does not appear to be a way to enable the LAN ports on the access points via a policy or tag within the RLAN configuration. We have confirmed this behavior with TAC and filed for an enhancement request. Our current plan is to export a list of all APs and then do a bulk configuration via the CLI.

2. We intend to manage this new setup via Prime Infrastructure and potentially move to DNAC once we retire our older equipment that is not supported on the new platform. However, there does not seem to be a straightforward way to apply existing tags/policies created on the WLC to APs within Prime, and documentation is sparse in this area.

Thanks for any insights you can provide on these topics.

Regards,

--
Jesse Thomas
Network & Systems Administrator
Hamilton College
315-859-4211
RE: [WIRELESS-LAN] Cisco WLC 9800 Gotchas
Hi Jesse,

Good to know about activating LAN ports on the 9105s, thanks. We’ll be facing that issue soon when we start testing them.

I do see a way to enable and specify VLANs for LAN ports in Prime. Your mileage may vary; this doesn’t seem to work with an 1815W, probably only did on 702W, but maybe the 9105AXW is different? In version 3.7 at least, go to the Menu > Configuration > Templates > Lightweight Access Points, then you can create a new template. Under AP Parameters, look for the AP LAN Port Configuration section. The changes made here reflect on the AP in the WLC GUI at Interfaces > LAN Ports > LAN Override, though that’s only to enable the ports; the VLAN IDs don’t show up there on 1815Ws but do on 702Ws. Maybe there’s some combination of AP group/FlexConnect mode/VLAN tagging settings that would make it work on 1815W and/or 9105AXW?

Between utilizing those templates and CSV uploads of MAC-to-AP name assignments, we never have to use scripts/CLI to configure our APs. We use the templates to change AP group, enable FlexConnect mode and VLAN support, assign controllers, disable certain 2.4G radios, assign WLCs, etc. I’d be happy to discuss on- or off-list if anyone wants to know specifics, since using the templates to make so many changes on the 1815Ws with the FlexConnect config gets flakey if you don’t stagger changes and make them in the right order.

Eric Glinsky
Network Administrator
University of Connecticut
ITS – Network Operations
Temporary Administration Building
25 Gampel Service Drive | Storrs, CT 06269-1138
(860) 486-9199
e...@uconn.edu

From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Jesse Thomas
Sent: Thursday, December 10, 2020 12:43 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Cisco WLC 9800 Gotchas

*Message sent from a system outside of UConn.*

Hi Everyone,

We are boldly moving forward with a deployment of two 9800-40s (HA pair) and about 400 of the new 9105AXW access points. We have encountered a couple of minor issues thus far and I am curious if anyone in the group has also experienced them and perhaps has some recommendations for workarounds.

1. Oddly, there does not appear to be a way to enable the LAN ports on the access points via a policy or tag within the RLAN configuration. We have confirmed this behavior with TAC and filed for an enhancement request. Our current plan is to export a list of all APs and then do a bulk configuration via the CLI.

2. We intend to manage this new setup via Prime Infrastructure and potentially move to DNAC once we retire our older equipment that is not supported on the new platform. However, there does not seem to be a straightforward way to apply existing tags/policies created on the WLC to APs within Prime, and documentation is sparse in this area.

Thanks for any insights you can provide on these topics.

Regards,

--
Jesse Thomas
Network & Systems Administrator
Hamilton College
315-859-4211