How to convert hundreds of Cisco Aironet or Catalyst APs from Mobility Express or Embedded Wireless Controller to Lightweight mode using Option 43

You may have used DHCP Option 43 to point an AP to its controller before. But only very few people know that Cisco APs can automatically convert themselves from the built-in controller mode (think Mobility Express or Embedded Wireless Controller) to Lightweight mode after they receive a special Option 43 from a DHCP server.

If you have a pallet of access points (or routers with built-in Wi-Fi in Mobility Express mode) next to your desk and need to convert all of them to Lightweight mode, simply configure DHCP Option 43 in the following format on your DHCP server and plug them into a PoE capable switch. After the APs boot up and receive the option from DHCP server, they automatically switch to the Lightweight mode and attempt to join the configured controller (192.168.130.2 in our case).

Option 43 format used for AP conversion

f2:05:c0:a8:82:02

“f2” tells the AP that we want it to switch to Lightweight mode

“05” means that only one controller IP address will follow

“c0:a8:82:02” is the controller IP address (192.168.130.2 in this case) in hexadecimal format, search for “IP to Hex Converter” if you do no want to do the math

Cisco IOS/IOS-XE DHCP server configuration

You can run DHCP server on a Catalyst switch. The DHCP scope configuration is straightforward.

ip dhcp pool <pool name>
network <ip network> <netmask>
default-router <default-router IP address>
dns-server <dns server IP address>
option 43 hex f205c0a88202

WLAN Pi, Raspberry Pi and any other Linux ISC DHCP server configuration

Special thanks to Nicolas Darchis, who helped me find the “vendor-encapsulated-options” option. It lets you enter Option 43 in the hex format and all it takes is a single line of DHCP server configuration.

# eth0 DHCP scope on ISC DHCP server
subnet 192.168.130.0 netmask 255.255.255.0 {
interface eth0;
range 192.168.130.100 192.168.130.200;
option routers 192.168.130.1;
option domain-name-servers 208.67.222.220, 208.67.222.220;
default-lease-time 86400;
max-lease-time 86400;
option vendor-encapsulated-options f2:05:c0:a8:82:02;
}

DHCP server on Cisco Meraki MX appliance

If your DHCP server runs on a Cisco Meraki MX appliance, you can easily configure Option 43 using Dashboard. Here are the instructions.

Packet capture or it did not happen

Here is the DHCP Offer packet with the special Option 43 value sent from DHCP server to the APs. They will start the conversion automatically after receiving it.

Option 43 which converts the AP from ME or EWC mode to lightweight

Verify successful AP conversion to Lightweight mode

Console to one of the APs and you will notice this message:

[*08/25/2020 23:24:39.5620] Last reload reason : 2: AP type changed from ME to CAPWAP

Or you can let the AP finish its job. And then verify successful conversion to Lightweight mode whenever you are ready using the “show version” command.

9120#show version
<output omitted>
9120 uptime is 0 days, 0 hours, 5 minutes
Last reload time : Tue Aug 25 23:24:39 UTC 2020
Last reload reason : AP type changed from ME to CAPWAP
<output omitted>

Cisco Aironet and Catalyst AP Option 43 configuration for ISC DHCP server on Linux

There is great document explaining how to configure Option 43 on ISC DHCP server on the Cisco website.

If all you need is a simple DHCP server which will assign Option 43 to all devices on the network, without selectively assigning it only to specific AP models using the class construct, you can simplify your ISC DHCP server configuration to this. It works great on a WLAN Pi.

Configuration

# Linux ISC DHCP server configuration in /etc/dhcp/dhcpd.conf
option space Cisco_LWAPP_AP;
option Cisco_LWAPP_AP.server-address code 241 = array of ip-address;

# eth0 DHCP scope
subnet 192.168.73.0 netmask 255.255.255.0 {
interface eth0;
range 192.168.73.100 192.168.73.200;
option routers 192.168.73.1;
option domain-name-servers 208.67.222.222, 208.67.220.220;
default-lease-time 86400;
max-lease-time 86400;
vendor-option-space Cisco_LWAPP_AP;
option Cisco_LWAPP_AP.server-address 10.10.10.10, 10.20.20.20;
}

Verification

The access point will get its IP configuration from the DHCP server including Option 43 and will try to join these controllers.

Configure DHCP Option 43 on Cisco Meraki MX appliance to point AP to its WLC

Here is how to configure Option 43 on an MX appliance for a Cisco Aironet or Catalyst AP to discover its Wireless LAN Controller (WLC).

My Catalyst 9800-CL controller IP address: 173.38.219.33

Meraki MX appliance DHCP server configuration

Open Dashboard and go to Security & SD-WAN > Configure > DHCP > scroll down to the right VLAN > DHCP options > Add a DHCP option: 

Format of the hex string

In my example, the final string would be “f1:04:ad:26:db:21”

“f1:04” tells the AP that only one WLC IP address is used, followed by the actual address
“ad” is hex representation of 173
“26” is hex representation of 38
“db” is hex representation of 219
“21” is hex representation of 33

To convert the 4 decimal octets of the IP address to hexadecimal format, you can use this online tool, macOS Calculator or Windows Calculator.

Verification on the AP

Two controllers

If you provide the AP with IP addresses of 2 standalone controllers (think N+1 HA mode), then simply change “f1:04” to “f1:08” and append the second controller’s IP address in hex representation to the end of the hex string.

Primary controller IP address: 173.38.219.33
Secondary controller IP address: 173.38.219.34
Hex string: f1:08:ad:26:db:21:ad:26:db:22

How to install Cisco vWLC in VMware Fusion on your Mac

Officially, vWLC is not supported on Type-2 hosted hypervisors like Fusion or Workstation. However, if you need to build a non-production lab, portable demo or practice for your next exam, technically you can run vWLC in VMware Fusion.

The trick is to install Fusion on your Mac, create a new VM with the free ESXi Hypervisor (or the full-blown one if you have licenses) and deploy vWLC onto the ESXi:

macOS <-> VMware Fusion <-> ESXi Hypervisor running as a VM <-> vWLC VM

It may sound complex, but is actually quite easy to do and runs like a charm even on a 13″ Intel i5 MacBook Pro.

  1. Download the vWLC OVA image from Cisco.com.
  2. Download VMware vSphere Hypervisor 6.7 ISO. Register on their website to get a free license key.
  3. Download the ovftool 4.3.0 (older versions may not work correctly) for Windows and make sure you have a Windows machine or VM by hand as ovftool only runs on Windows.
  4. Create a new VM in VMware Fusion, mount the Hypervisor ISO and install ESXi. Configure networking for this VM as Bridged Networking to Wi-Fi or Ethernet. Wi-Fi is a great option as it allows you to move freely with your Mac whilst running the vWLC.
    VMware-Fusion-adapter-settings
  5. With the free ESXi Hypervisor, we have to deploy the vWLC OVA using the ovftool. This will help us get past the errors we would have otherwise ran into the ESXi web GUI. To do this we need a Windows machine.
  6. Install the ovftool in the Windows machine, transfer the vWLC OVA archive to it and deploy the OVA onto ESXi:

    C:\Program Files\VMware\VMware OVF Tool>ovftool.exe –skipManifestCheck –acceptAllEulas –noSSLVerify –noSSLVerify=true -ds=”datastore1″ –net:”VM Network”=”VM Network” –net:”VM Network 2″=”VM Network” C:\Users\Jiri\Desktop\AIR_CTVM-K9_8_5_151_0.ova vi://192.168.196.136

    The IP address in this string “vi://192.168.196.136” is our ESXi address. You may have noticed that I am using the same network for both Service Port and Management interfaces. After I deploy the OVA, I usually disable the Service Port adapter in the VM settings and use Management interface for management and for APs to join. It just keeps things simple and we don’t need to worry about multiple adapters and subnets.

  7. You can set the vWLC VM to Autostart and start it manually now.
  8. Open Console to it and press any key to activate the console access.
  9. Follow the installation guide.
  10. If you are running the evaluation license, accept the EULA. If you purchased AP licenses, add then to the controller and accept the EULA.
  11. Since vWLC only supports Flexconnect mode APs, make sure to convert your APs manually or apply this CLI command:

    config ap autoconvert flexconnect

    Autoconvert-APs-to-Flexconnect-mode

  12. Finally connect your AP to a PoE capable switch or power injector and it should be able to discover and join the virtual controller.
    vWLC-ESXi-Fusion

Note: If you installed vWLC VM directly onto Fusion with no ESXi Hypervisor layer, the controller would not be able to communicate on its Management interface.

Catalyst 9800-CL IOS-XE controller

The above scenario covers the AireOS vWLC. Cisco now has a complete range of Catalyst 9800 series controllers with feature parity between them. The new virtual controller is called Catalyst 9800-CL and it brings all the great IOS-XE features, HA SSO, programmability, hot patching and supports all AP modes.

Francois and Rowell published great step by step instructions on how to install C9800-CL onto ESXi and Fusion.

CCNP#1 zdoláno, příští týden začínáme CCNP#2

Dnes jsem složil poslední test CCNP#1 semestru v rámci Cisco Networking Academy. Díky Alefu a Ciscu studuji tyto kurzy v rámci programu nazvaného CCIE Inkubátor. Tímto jim děkuji za podporu.  Hned příští čtvrtek začínám další semestr studia. Tento byl věnován Advanced Routingu, příští je zaměřen na Switching.

Google trik pro hledání IOSů

Hledáte Cisco IOS na testování? Stavíte si demo v GNS a nemáte zrovna po ruce žádný IOS? Nabízí se malý fígl, jak přinutit Google najít na internetu adresáře obsahující IOSy.

Pro pořádek jen dodám, že IOS je komerční OS a jeho stažením z nedůvěryhodného zdroje nezískáváte jistotu funkčnosti a konzistence daného image.

Zkuste si: http://www.google.com/search?hl=en&q=intitle:index.of+ios+parent%20directory+bin

Cisco VPN Client a Comodo firewall si nerozumí

Nedávno jsem na svůj notebook instaloval Cisco VPN clienta, což je software od Cisca umožňující bezpečné připojení do firemní privátní sítě skrz internet. Obvykle funguje velmi spolehlivě a  svižně. V tomto případě jsem ale narazil na velmi podivné chování.

Při instalaci na čerstvě naintalovaný notebook s Windows XP SP2 jsem ale nebyl schopen VPN klienta vůbec nainstalovat. Přitom na předchozí instalaci stejného OS na tom samém stroji fungoval bez ztráty kytičky. Pár hodin mi zabralo, než jsem zjistil, že problém je v kompatibilitě s Comodo firewallem. Jakmile jsem Comodo odinstaloval, vše fungovalo jako na drátkách. Zkoušel jsem ještě nainstalovat Comodo až po úspěšné instalaci VPN klienta. Pak se sice VPN klient spustil, ale nezdařilo se mu navázat připojení. Nestačilo ani vypnutí firewallu, musel být odinstalovaný. Během pokusu o spuštění instalace VPN klienta, ani při vytváření VPN spojení, se Comodo nedotázalo na povolení/zakázání aktuálně prováděné akce či přístupu k síti.

Cisco zalicencovalo ZoneAlarm firewall engine a použilo ho jako součást VPN klienta. Je tedy dost možné, že se nesnese na jednom stroji s dalším firewallem v podobě Comoda. Zaznamenali jste podobný problém ještě s jiným firewallem instalovaným na stanici?

Situaci jsem vyřešil přechodem na ZoneAlarm, se kterým zmizeli veškeré problémy. S integrovaným firewallem v systému Windows XP nemá Cisco VPN rovněž žádné problémy. Ten ale přeci jen neposkytuje plnohodnotnou bezpečnost podle mých představ. Už samotná ignorace veškeré odchozí komunikace není na dnešní poměry příliš vhodná. Výběr firewallu je ale téma na samostatný článek.

Shrnuto podtrženo aktuální verze Cisco VPN Clienta nefunguje korektně na jednom stroji zároveň s Comodo firewallem. Prozatím doporučuji změnit firewall a počkat, zda jeden z budoucích releasů toho či druhého sotwaru problém nevyřeší.