Configure DHCP Option 43 on Cisco Meraki MX appliance to point AP to its WLC

Here is how to configure Option 43 on an MX appliance for a Cisco Aironet or Catalyst AP to discover its Wireless LAN Controller (WLC).

My Catalyst 9800-CL controller IP address: 173.38.219.33

Meraki MX appliance DHCP server configuration

Format of the hex string

In my example, the final string would be “f1:04:ad:26:db:21”

“f1:04” tells the AP that only one WLC IP address is used, followed by the actual address
“ad” is hex representation of 173
“26” is hex representation of 38
“db” is hex representation of 219
“21” is hex representation of 33

Verification on the AP

Two controllers

If you provide the AP with IP addresses of 2 standalone controllers (think N+1 HA mode), then simply change “f1:04” to “f1:08” and append the second controller’s IP address in hex representation to the end of the hex string.

Primary controller IP address: 173.38.219.33
Secondary controller IP address: 173.38.219.34
Hex string: f1:08:ad:26:db:21:ad:26:db:22

iPhone USB Tethering on WLAN Pi

We have all been there. It is the night before an important training or meeting and you need to install few more packages on your WLAN Pi or push some code changes to GitHub. Guess what? There is no wired connection available in your room and the hotel Wi-Fi uses a captive portal or is very poor.

iPhone USB tethering on the WLAN Pi lets you use your iPhone or iPad as a cellular modem and share the internet connectivity with the WLAN Pi. It also charges your iPhone, which is nice.

iPhone USB tethering to WLAN Pi

How to enable iPhone USB tethering on WLAN Pi

Simply follow these steps:

  1. Connect to the WLAN Pi using SSH and run this command. Do not skip this step, it is required:
    sudo apt-get update
  2. Then install this package:
    sudo apt-get install usbmuxd
  3. Plug your iPhone into the WLAN Pi using a lightning to USB-A data cable.
  4. On the iPhone, go to Settings > Personal Hotspot > Allow Others to Join.
  5. A new eth1 interface will appear on the WLAN Pi.
  6. Tap on the Trust button on your iPhone/iPad and enter your passcode.
  7. After you click Trust, the eth1 interface will get a dynamically assigned IP address by the DHCP server running on the iPhone.
  8. Your WLAN Pi is now connected to the internet. You can verify using the Reachability tool in the Front Panel Menu System (FPMS). Go to Menu > Utils > Reachability.

Share iPhone internet connection with multiple devices on you LAN

You can even take this one step further. Perhaps you have multiple other devices connected to a switch and you need to provide temporary internet connectivity to all of them. That is where the USB Tethering mode comes to the rescue.

The easiest solution is to tweak the existing Hotspot mode on your WLAN Pi. In most cases we will replace wlan0 with eth0 and eth1.

  1. Before you start, please backup all these files or ideally start with a fresh SD card and fresh WLAN Pi image.
  2. Edit this file:
    sudo nano /etc/wlanpihotspot/default/isc-dhcp-server
  3. Update this line to:
    “INTERFACESv4=”usb0 eth0”
  4. Edit this file:
    sudo nano /etc/wlanpihotspot/dhcp/dhcpd.conf
  5. Update this block to:
    # eth0 DHCP Scope
    subnet 192.168.88.0 netmask 255.255.255.0 {
    interface eth0;
  6. Edit this file:
    sudo nano /etc/wlanpihotspot/network/interfaces
  7. Update these lines and comment some out:
    allow-hotplug eth0
    iface eth0 inet static
    #Wired ethernet
    #allow-hotplug eth0
    #iface eth0 inet dhcp
  8. Edit this file:
    sudo nano /etc/wlanpihotspot/ufw/before.rules
  9. Update this line to:
    -A POSTROUTING -s 192.168.88.0/24 -o eth1 -j MASQUERADE
  10. However strange it sounds, plug a supported Wi-Fi adapter into a USB port of your WLAN Pi. Without the adapter plugged in, the WLAN Pi will not switch from the Classic mode to the Hotspot mode.
  11. Now go to Menu > Modes > Hotspot > Confirm
  12. Your WLAN Pi will reboot. Disconnect the Wi-Fi adapter, we do not need it anymore.
  13. The WLAN Pi will do PAT (Port Address Translation) on its eth1 outside interface. On the inside eth0, it will start DHCP server and share the iPhone cellular internet connection with all devices on your LAN.

Here is a traceroute output from one of the devices connected to the switch. First hop to the internet is WLAN Pi’s eth0 interface and second is the iPhone’s inside interface.

A word of caution

While this new mode is a great feature, it can potentially cause some harm. Please read before you tweak.

  • In this mode, WLAN Pi runs DHCP server on the built-in eth0 interface. At no circumstances you want to plug it to an existing corporate network and especially one which is not under your management. Your WLAN Pi might take over clients of the existing DHCP server and route all traffic via the cellular connection. If you have not already, I highly recommend you enable DHCP snooping on your switches. This is a security feature and will block untrusted DHCP servers connected to your network.
  • Double-check that your data plan is suitable for tethering. Your mobile operator will charge you for the cellular data services.
  • You are potentially opening a backdoor to the existing LAN network over the cellular connection.
  • Always switch your WLAN Pi back to the Classic mode before shutting it down. Next time you use it, it will boot up to the Classic mode, which is safe by design.

Your feedback counts

If you find this feature useful, let us know. Perhaps a new “USB Tethering” mode might be a nice addition and will save you time editing the configuration files manually.

Although the WLAN Pi team implements most of the new features into the official image, it also assesses all security aspects. At the end of the day, everyone’s goal is to maintain high standards.

My setup

I have successfully tested this setup with iPhone 8 Plus and WLAN Pi NEO2 Black running 1.9.1-RC2 release. Please add a comment to this post with your setup so that we know what has been tested and works.

How to install Cisco vWLC in VMware Fusion on your Mac

Officially, vWLC is not supported on Type-2 hosted hypervisors like Fusion or Workstation. However, if you need to build a non-production lab, portable demo or practice for your next exam, technically you can run vWLC in VMware Fusion.

The trick is to install Fusion on your Mac, create a new VM with the free ESXi Hypervisor (or the full-blown one if you have licenses) and deploy vWLC onto the ESXi:

macOS <-> VMware Fusion <-> ESXi Hypervisor running as a VM <-> vWLC VM

It may sound complex, but is actually quite easy to do and runs like a charm even on a 13″ Intel i5 MacBook Pro.

  1. Download the vWLC OVA image from Cisco.com.
  2. Download VMware vSphere Hypervisor 6.7 ISO. Register on their website to get a free license key.
  3. Download the ovftool 4.3.0 (older versions may not work correctly) for Windows and make sure you have a Windows machine or VM by hand as ovftool only runs on Windows.
  4. Create a new VM in VMware Fusion, mount the Hypervisor ISO and install ESXi. Configure networking for this VM as Bridged Networking to Wi-Fi or Ethernet. Wi-Fi is a great option as it allows you to move freely with your Mac whilst running the vWLC.
    VMware-Fusion-adapter-settings
  5. With the free ESXi Hypervisor, we have to deploy the vWLC OVA using the ovftool. This will help us get past the errors we would have otherwise ran into the ESXi web GUI. To do this we need a Windows machine.
  6. Install the ovftool in the Windows machine, transfer the vWLC OVA archive to it and deploy the OVA onto ESXi:

    C:\Program Files\VMware\VMware OVF Tool>ovftool.exe –skipManifestCheck –acceptAllEulas –noSSLVerify –noSSLVerify=true -ds=”datastore1″ –net:”VM Network”=”VM Network” –net:”VM Network 2″=”VM Network” C:\Users\Jiri\Desktop\AIR_CTVM-K9_8_5_151_0.ova vi://192.168.196.136

    The IP address in this string “vi://192.168.196.136” is our ESXi address. You may have noticed that I am using the same network for both Service Port and Management interfaces. After I deploy the OVA, I usually disable the Service Port adapter in the VM settings and use Management interface for management and for APs to join. It just keeps things simple and we don’t need to worry about multiple adapters and subnets.

  7. You can set the vWLC VM to Autostart and start it manually now.
  8. Open Console to it and press any key to activate the console access.
  9. Follow the installation guide.
  10. If you are running the evaluation license, accept the EULA. If you purchased AP licenses, add then to the controller and accept the EULA.
  11. Since vWLC only supports Flexconnect mode APs, make sure to convert your APs manually or apply this CLI command:

    config ap autoconvert flexconnect

    Autoconvert-APs-to-Flexconnect-mode

  12. Finally connect your AP to a PoE capable switch or power injector and it should be able to discover and join the virtual controller.
    vWLC-ESXi-Fusion

Note: If you installed vWLC VM directly onto Fusion with no ESXi Hypervisor layer, the controller would not be able to communicate on its Management interface.

Catalyst 9800-CL IOS-XE controller

The above scenario covers the AireOS vWLC. Cisco now has a complete range of Catalyst 9800 series controllers with feature parity between them. The new virtual controller is called Catalyst 9800-CL and it brings all the great IOS-XE features, HA SSO, programmability, hot patching and supports all AP modes.

Francois and Rowell published great step by step instructions on how to install C9800-CL onto ESXi and Fusion.