This document demonstrates how to configure access point (AP) Group VLANs with Wireless LAN Controllers (WLCs) and Lightweight Access Points (LAPs).
Ensure that you meet these requirements before you attempt this configuration:
Basic knowledge of the configuration of LAPs and Cisco WLCs
Basic knowledge of Lightweight Access Point Protocol (LWAPP)
The information in this document is based on these software and hardware versions:
Cisco 4400 WLC that runs firmware release 4.0
Cisco 1000 Series LAPs
Cisco 802.11a/b/g Wireless Client Adapter that runs firmware release 2.6
Cisco 2811 Router that runs Cisco IOS® Software Release 12.4(2)XA
Two Cisco 3500 XL Series Switches that run Cisco IOS Software Release 12.0(5)WC3b
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Refer to Cisco Technical Tips Conventions for more information on document conventions.
In typical deployment scenarios, each WLAN is mapped to a single dynamic interface per WLC, but consider a deployment scenario where there is a 4404-100 WLC that supports the maximum number of APs (100). Now consider a scenario where 25 users are associated to each AP. That would result in 2500 users who share a single VLAN. Some customer designs can require substantially smaller subnet sizes. One way to deal with this is to break up the WLAN into multiple segments. The AP grouping feature of the WLC allows a single WLAN to be supported across multiple dynamic interfaces (VLANs) on the controller. This is done when a group of APs is mapped to a specific dynamic interface. APs can be grouped logically by employee workgroup or physically by location.
AP Group VLANs are used in a setup where a Universal WLAN (service set identifier [SSID]) is required but clients need to be differentiated (placed on different interfaces configured on the WLC) by virtue of physical LAPs they associate with.
AP Group VLANs, also called Site-Specific VLANs, is a way to allow load balancing on a WLAN by creating groups of Cisco LAPs that override the interface normally provided by the WLAN. When a client joins a WLAN, the interface used is determined by the LAP it is associated with, and by looking up the AP Group VLAN and WLAN for that LAP.
The traditional method of assigning an interface to a device is based on the SSID or AAA policy override. In this case, if a client wants to broadcast information to another client on a WLAN, the broadcast is received by all the clients on that WLAN irrespective of whether it was intended for them or not.
The AP Group VLANs feature is an additional method used to limit the broadcast domains to a minimum. This is done by logically segmenting a WLAN into different broadcast domains. It limits the broadcast of a WLAN to a smaller group of LAPs. This helps to manage load balancing and bandwidth allocation more effectively. The AP Group VLANs feature creates a new table in the controller which lists the interfaces for every WLAN ID. Each entry in the table is indexed using a location name (which defines the group of LAPs).
Note: AP groups do not allow multicast roaming across group boundaries. AP groups allow APs on the same controller to map the same WLAN (SSID) to different VLANs. If a client roams between APs in different groups, the multicast session does not function properly because this is currently not supported. Currently, the WLC forwards multicast only for the VLAN configured on the WLAN and does not take into consideration VLANs configured in AP groups.
This list shows the maximum number of AP groups that you can configure on a WLC:
A maximum of 50 access point groups for the Cisco 2100 Series Controller and controller network modules
A maximum of 300 access point groups for the Cisco 4400 Series Controllers, Cisco WiSM, and Cisco 3750G Wireless LAN Controller Switch
A maximum of 500 access point groups for Cisco 5500 Series Controllers
This document gives a configuration example that illustrates the use of this feature and also explains how to configure Site-Specific VLANs.
In this network setup, there are two separate buildings. Building 1 houses students and Building 2 houses staff. Each building has its own set of LAPs that talk to the same WLC but advertise just one WLAN (SSID) called School. There are five LAPs in Building 1 and five LAPs in Building 2.
The LAPs in Building 1 should be grouped to AP group Students tied to the dynamic interface called Student-VLAN. The LAPs in Building 2 should be grouped to AP group Staff tied to the dynamic interface called Staff-VLAN. With this configured on the WLC, all clients that are associated to LAPs in Building 1 are put on the Student-VLAN interface and are assigned an IP address from the DHCP scope configured for the Students AP group. Clients that are associated to LAPs in Building 2 are put on the Staff-VLAN interface and are assigned an IP address from the DHCP scope configured for the Staff AP group, even though all clients associate to the same WLAN (SSID) called School.
This example shows how to configure the WLC and LAPs for this setup. These parameters are used for the network setup in this document:
AP Group 1:
AP Group Name: Students
Dynamic Interface: Student-VLAN
DHCP server: 172.16.1.30 (Internal DHCP Server on the WLC)
DHCP Scope: 10.0.0.2-10.0.0.15
Authentication: none
SSID: School
AP Group 2:
AP Group Name: Staff
Dynamic Interface: Staff-VLAN
DHCP server: 172.16.1.30 (Internal DHCP Server on the WLC)
DHCP Scope: 192.168.1.2-192.168.1.15
Authentication: none
SSID: School
Before you configure the AP Group VLANs feature, you must configure the WLC for basic operation and register the LAPs to the WLC. This document assumes that the WLC is configured for basic operation and that the LAPs are registered to the WLC. If you are a new user trying to set up the WLC for basic operation with LAPs, refer to Lightweight AP (LAP) Registration to a Wireless LAN Controller (WLC).
Once the LAPs are registered to the WLC, you can configure the AP Group VLANs feature.
Complete these tasks in order to configure the LAPs and WLC for this setup:
Complete these steps in order to create the dynamic interfaces on the WLC:
Go to the WLC GUI and choose Controller > Interfaces.
The Interfaces window appears. This window lists the interfaces that are configured on the controller. This includes these interfaces:
management interface
ap-manager interface
virtual interface
service port interface
user defined dynamic interfaces
Click New in order to create a new dynamic interface.
In the Interfaces > New window, enter the Interface Name and the VLAN ID. Then click Apply.
In this example, the dynamic interface is named Student-VLAN and the VLAN ID is assigned 10.
In the Interfaces > Edit window, enter the IP address, the subnet mask, and the default gateway for the dynamic interface. Assign it to a physical port on the WLC, and enter the IP address of the DHCP server. Then click Apply.
For this example, these parameters are used for the Student-VLAN interface:
Student-VLAN
IP address: 10.0.0.1
Netmask: 255.0.0.0
Default gateway: 10.0.0.50
Port on WLC: 1
DHCP server: 172.16.1.30 (Internal DHCP server on the WLC)
Repeat steps 1 through 3 in order to create a dynamic interface for Staff-VLAN.
This example uses these parameters for the Staff-VLAN interface:
Staff-VLAN
IP address: 192.168.1.1
Netmask: 255.255.255.0
Default gateway: 192.168.1.50
Port on WLC: 1
DHCP server: 172.16.1.30 (Internal DHCP server on the WLC)
Once two dynamic interfaces are created, the Interfaces window summarizes the list of interfaces configured on the controller:
The next step is to configure AP groups on the WLC.
Complete these steps in order to create the AP groups for Students and Staff on the WLC:
Go to the controller GUI and choose WLANs > AP Groups VLANs.
The AP Group VLANs page appears.
Check AP Group VLANs Feature Enable and then click Apply in order to enable the AP Group VLANs feature.
Enter the AP Group Name and Description and then click Create New AP-Group in order to create a new AP group.
In this setup, two AP groups are created. One AP group is for the LAPs in Building 1 (for the students to access the WLAN network) and is named Students. The second AP group is for LAPs in Building 2 (for the staff to access the WLAN) and is named Staff.
Note: Issue this command in order to enable the AP Group VLANs feature from the CLI:
config location enable/disable
Note: Issue this command in order to define the location string (AP group name) using the CLI:
config location add <string value for location>
For the new AP group called Students, click on Detail. Select the appropriate SSID from the WLAN SSID pull-down menu and the interface with which you wish to map this AP group.
For the AP group Students, select the SSID School and map it to the Student-VLAN interface. Click on Add Interface Mapping. These screenshots show an example:
Click on Apply.
Note: Issue this command in order to map the interface to the AP groups through the CLI:
config location interface-mapping add <location> <WLAN id> <Interface Name>
Repeat steps 3 through 5 in order to create the second AP group called Staff.
For the AP group Staff, select the SSID School and map it to the interface Staff-VLAN. These screenshots show an example:
Starting from Wireless LAN Controller Version 4.1.181.0, the commands to configure AP groups with the CLI have changed. In Version 4.1.181.0, these are the commands used to configure a new AP group with the CLI:
In order to enable an AP group, use this:
config wlan apgroup add <apgroup name> <description>
In order to delete an existing group, use this:
config wlan apgroup delete <apgroup name>
In order to add a description to the AP group, use this:
config wlan apgroup description <apgroup name> <description>
In order to create a new AP group/WLAN/interface mapping, use this:
config wlan apgroup interface-mapping add <apgroup name> <WLAN Id> <Interface Name>
The final task is to assign the LAPs to the appropriate AP groups. There are five LAPs in Building 1 and five LAPs in Building 2. Assign LAPs in Building 1 to the Students AP group and the LAPs in Building 2 to the Staff AP group.
Complete these steps in order to do this:
Go to the controller GUI and choose Wireless > Access Points > All APs.
The All APs page lists the LAPs that are presently registered to the controller.
Click on the Detail link for an LAP in order to assign an LAP to an AP group.
In the All APs > Detail page for the selected LAP, choose the appropriate AP group from the AP Group name pull-down menu.
In this example, one of the LAPs in Building 1 is assigned to the Students AP group. Click on Apply.
Note: Issue this command from the controller CLI in order to assign an AP group to an LAP:
config ap group-name <string value for location> <ap name>
Repeat steps 1 and 2 for all five LAPs that need to be mapped to the AP group Students and for the five LAPs that need to be mapped to the AP group Staff.
Here are the screenshots for one of the LAPs mapped to the AP group Staff:
Upon completion of these steps, you have configured two AP groups called Staff and Students and mapped five LAPs in Building 1 to AP group Students and five LAPs in Building 2 to the AP group Staff. Now when clients from Building 1 connect to the WLAN using the SSID School, they are mapped to AP group Students and are assigned an IP address from the DHCP scope defined for the dynamic interface Student-VLAN. Similarly, when clients from Building 2 connect to the WLAN using the SSID School, they are mapped to AP group Staff and are assigned an IP address from the DHCP scope defined for the Staff-VLAN dynamic interface.
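The CLI commands from the notes above, assembled for this lab's two AP groups in both syntaxes and checked against the plan before anything is emitted. This is an added example, not Cisco's code: the helper names are hypothetical, and the AP names, one-word descriptions and WLAN ID 1 are constructed.

```python
# Release in which, per this page, the AP group CLI syntax changed.
NEW_SYNTAX_FROM = (4, 1, 181, 0)

def parse_release(text):
    """'4.0' -> (4, 0, 0, 0), so releases compare as tuples."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def render_ap_group_cli(release, wlan_id, interfaces, groups):
    """Return the CLI lines for `groups` in the syntax that `release` uses.

    interfaces: dynamic interfaces already created on the WLC.
    groups: {name: {"interface": str, "description": str, "aps": [str]}}
    """
    owner = {}
    for name, group in groups.items():
        if group["interface"] not in interfaces:
            raise ValueError(f"{name}: interface {group['interface']} is not defined")
        for ap in group["aps"]:
            if ap in owner:  # a LAP carries one AP group name only
                raise ValueError(f"{ap} is listed in {owner[ap]} and {name}")
            owner[ap] = name
    new = parse_release(release) >= NEW_SYNTAX_FROM
    lines = [] if new else ["config location enable"]
    for name, group in groups.items():
        if new:
            lines.append(f"config wlan apgroup add {name} {group['description']}")
            prefix = "config wlan apgroup interface-mapping add"
        else:
            lines.append(f"config location add {name}")
            prefix = "config location interface-mapping add"
        lines.append(f"{prefix} {name} {wlan_id} {group['interface']}")
        # The page gives this command without a release qualifier.
        lines += [f"config ap group-name {name} {ap}" for ap in group["aps"]]
    return lines

# Group and interface names are the page's; AP names, descriptions and the
# WLAN id (1) are constructed for this example.
PLAN = {
    "Students": {"interface": "Student-VLAN", "description": "Building1",
                 "aps": ["LAP-B1-1", "LAP-B1-2"]},
    "Staff": {"interface": "Staff-VLAN", "description": "Building2",
              "aps": ["LAP-B2-1", "LAP-B2-2"]},
}

if __name__ == "__main__":
    for release in ("4.0", "4.1.181.0"):
        print(f"! release {release}")
        print("\n".join(render_ap_group_cli(release, 1, {"Student-VLAN", "Staff-VLAN"}, PLAN)))
```

Release 4.0, which the lab controller runs, selects the config location form; an AP listed under both groups or a group that names an undefined interface is rejected before any command is produced.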
Note: When you configure two controllers to allow the APs to join them and define AP groups on them so that the client roams from one AP group to another across different controllers, the SSIDs are mapped to different interfaces on the different AP groups. Clients are not able to receive multicast packets because of your current multicast implementation. Multicast mode does not work with any interface override functionality which includes AP groups, dynamic VLAN assignments, and so forth.
In order to verify the configuration, you can use the show location summary command. Here is an example.
(Cisco Controller) >show location summary
Status........................................... enabled
Site Name....................................... Staff
Site Description................................. AP Group - Staff in Building2
    WLAN......................................... 2
        Interface Override....................... staff-vlan
Site Name....................................... Students
Site Description................................. AP Group - Students in Building1
    WLAN......................................... 1
        Interface Override....................... student-vlan
For WLCs that run version 4.1.181.0 or later, use this command to verify the AP Group VLAN configuration.
show wlan apgroups
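One way to turn the show location summary output into a repeatable check that each AP group still overrides to its intended interface. This is an added example, not Cisco's code: the function names, the EXPECTED plan and the drifted sample are assumptions for illustration, and the show wlan apgroups output is not parsed because its format does not appear on this page.

```python
import re

LABELS = "Status|Site Name|Site Description|WLAN|Interface Override"
# "Label..... value" pairs; matches line-broken and flattened captures alike.
FIELD = re.compile(rf"({LABELS})\.{{2,}}\s*(.*?)\s*(?=(?:{LABELS})\.{{2,}}|\Z)", re.S)

def parse_location_summary(text):
    """Return (status, {site name: {WLAN id: interface override}})."""
    status, groups, site, wlan = None, {}, None, None
    for label, value in FIELD.findall(text):
        if label == "Status":
            status = value
        elif label == "Site Name":
            site, wlan = groups.setdefault(value, {}), None
        elif label == "WLAN" and site is not None:
            wlan = int(value)
        elif label == "Interface Override" and wlan is not None:
            site[wlan] = value
            wlan = None
    return status, groups

def audit(text, expected):
    """Check output against {AP group: interface}; return findings, [] if clean."""
    status, groups = parse_location_summary(text)
    findings = [] if status == "enabled" else ["AP Group VLANs status is not enabled"]
    for group, iface in expected.items():
        overrides = groups.get(group)
        if not overrides:
            # Without an override, clients get the interface set on the WLAN itself.
            findings.append(f"{group}: no interface override")
        for wlan, got in sorted((overrides or {}).items()):
            if got.lower() != iface.lower():  # the output prints names in lower case
                findings.append(f"{group}: WLAN {wlan} -> {got}, expected {iface}")
    return findings + [f"{g}: AP group is not in the plan"
                       for g in sorted(groups.keys() - expected.keys())]

EXPECTED = {"Students": "Student-VLAN", "Staff": "Staff-VLAN"}
# The page's output on one line, dot leaders shortened.
PAGE_OUTPUT = ("Status... enabled Site Name... Staff Site Description... AP Group - Staff in "
               "Building2 WLAN... 2 Interface Override... staff-vlan Site Name... Students "
               "Site Description... AP Group - Students in Building1 WLAN... 1 "
               "Interface Override... student-vlan")
# Constructed: Staff lost its mapping and Students points at the staff interface.
DRIFTED = ("Status... enabled\nSite Name... Staff\nSite Name... Students\n"
           "    WLAN... 1\n        Interface Override... staff-vlan\n")

if __name__ == "__main__":
    print(audit(PAGE_OUTPUT, EXPECTED), audit(DRIFTED, EXPECTED), sep="\n")
```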
In order to verify this setup, this example shows what happens when a client is associated with one of the LAPs in Building 1. When the client comes up in Building 1, it associates with one of the LAPs in Building 1 using the SSID School. It automatically gets mapped to the dynamic interface Student-VLAN and is assigned an IP address from the scope defined for the Student-VLAN interface.
When a client first associates to LAP1 on a controller, the controller applies the AP Group VLAN override policy as configured. When the client roams to another LAP on the same controller, the policy specified by the LAP1 AP Group VLAN is re-applied. During a single session, a client does not change VLANs when it roams among APs on a single controller to make for seamless roaming.
When roaming across LAPs associated to different controllers, the system behaves according to the regular roaming rules.
When a client associates with an AP on the second controller, the client is mapped to the interface specified by the override. If the AP is a member of the same AP group, you have a Layer 2 mobility event.
If the AP is a member of a different AP group, then you have a Layer 3 mobility event. The VLAN is used to determine the mobility event instead of the configured interface of the WLAN.
Refer to the Overview of Mobility section of Configuring Mobility Groups for more information on how roaming happens in a WLC based WLAN.
You can use these debug commands to troubleshoot your configuration.
debug dot11 mobile enable—Use this command in order to configure the debug of 802.11 mobile events.
If you test mobility, you can also use these debugs:
debug mobility handoff enable—Use this command in order to begin to debug mobility options.
debug pem {packet/events}—Use this command in order to configure the access policy manager debug options.
Enter packet to configure the debug of policy manager events.
Enter events to configure the debug of policy manager State Machine.
Revision | Publish Date | Comments |
---|---|---|
1.0 | 21-Jan-2008 | Initial Release |