Deploying Your First SSID

Cisco - Wireless


tl;dr

Content coming soon...


What's this for?

Deploying Your First SSID is for when you have just factory reset that controller you got off that e-buying site and then connected your first access point. But even after all that you don't have a wireless network broadcasting.

Demo Environment

The outputs below come from the following setup...

  • Hardware: Cisco WLC 5520 & 2702i
  • OS: AirOS
  • Version: 8.5.135.0
  • Date: 11-08-2019

Deploying Your First SSID

Before we jump too deep into these ramblings there is something we need to understand: how the AP and the WLC work together. As we have already covered in the previous ramblings, the APs are pretty dumb and depend on the controller to control them. This includes handling traffic from clients. When the AP joins the controller you will see it talking about CAPWAP and a CAPWAP tunnel. This CAPWAP tunnel is best thought of as being like a VPN tunnel between the AP and the WLC. Any traffic from the clients connected to the AP will go over this tunnel and be processed by the wireless LAN controller. Any traffic going to the client will go to the WLC and then over the CAPWAP tunnel to the AP to be broadcast out to the client.

So why do I care about that? Well, currently we have only told the wireless LAN controller about the management VLAN 193 during the setup. There is nothing stopping us putting our wireless LAN clients out onto VLAN 193, but it's not really good practice; keep management and clients separate. We also don't really want to configure DHCP on a device management / infrastructure VLAN, but clients will expect to get an IP address via DHCP.

So let's get our hands dirty. I have configured a VLAN5 on the network upstream from the controller. This VLAN5 has a subnet of 192.168.5.0/24 (that /24 means a subnet mask of 255.255.255.0). It has a default gateway of 192.168.5.254 as I always use the highest IP as the default gateway. The default gateway is a Cisco IOS router and I have also configured the DHCP scope on this router. So let's tell the wireless LAN controller about VLAN5.

Let's get logged into the controller and navigate to the Controller tab and the Interfaces page.

From here let's hit New in the top right corner, enter the interface name and VLAN ID, and hit Apply. Normally I just make the interface name the same as the VLAN name on the upstream switch.

This then takes us to the main configuration page. I have scrolled down a bit to get a picture of the interesting bits! I have filled in the IP address, Netmask, Gateway and Primary DHCP Server.

We then need to hit Apply. We will get a warning, but as we're not in production here we won't worry too much about it. After this hit Back to go to the main configuration page.

You should now be able to see the new interface in the list.
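Before hitting Apply on an interface like this, it is worth sanity-checking the values on paper. The sketch below is an added example, not part of the original walkthrough or any Cisco tooling: it checks a planned dynamic interface against the VLAN 193 / VLAN5 layout described above. The function name and the interface IP 192.168.5.1 are assumptions made for illustration; the post does not state the controller's address on VLAN5.

```python
import ipaddress

MGMT_VLAN = 193  # management VLAN from the post


def check_dynamic_interface(vlan_id, subnet, interface_ip, gateway, dhcp_server,
                            mgmt_vlan=MGMT_VLAN):
    """Return a list of problems with a planned dynamic interface (empty = OK)."""
    problems = []
    net = ipaddress.ip_network(subnet, strict=True)
    ip = ipaddress.ip_address(interface_ip)
    gw = ipaddress.ip_address(gateway)
    dhcp = ipaddress.ip_address(dhcp_server)
    reserved = (net.network_address, net.broadcast_address)

    if not 1 <= vlan_id <= 4094:
        problems.append(f"VLAN {vlan_id} is outside 1-4094")
    if vlan_id == mgmt_vlan:
        # The separation the post asks for: clients must not share management.
        problems.append(f"client VLAN {vlan_id} is the management VLAN")
    for label, addr in (("interface IP", ip), ("gateway", gw)):
        if addr not in net:
            problems.append(f"{label} {addr} is not in {net}")
        elif addr in reserved:
            problems.append(f"{label} {addr} is the network or broadcast address")
    if ip == gw:
        problems.append("interface IP duplicates the gateway")
    if dhcp in reserved:
        problems.append(f"DHCP server {dhcp} is the network or broadcast address")
    return problems


if __name__ == "__main__":
    # Constructed plan: VLAN5 values from the post, interface IP assumed.
    plan = dict(vlan_id=5, subnet="192.168.5.0/24", interface_ip="192.168.5.1",
                gateway="192.168.5.254", dhcp_server="192.168.5.254")
    issues = check_dynamic_interface(**plan)
    print("plan OK" if not issues else "\n".join(issues))
```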

Now that we have an interface we can shove our wireless clients out of, let's deploy that SSID! If you ran through the factory reset ramblings, we created a wireless network called MyFi. Let's delete this for now and run through the process from scratch. To do this click the down arrow on the right hand side and click Remove.

We will get asked are we sure and we can just say yes.

Now we have a blank canvas we can go 'Create New' from the drop down in the top right and press go.

We can now enter a Profile Name and the SSID. The Profile Name needs to be unique, however you can use the same SSID as many times as you want. The Profile Name and ID are just ways for you to identify the WLAN in the controller. The SSID, or Service Set Identifier, is the name people click on when they connect to the network; you get extra Network Engineer points if you use funny SSID names. Once we're done we just need to click Apply.

We're then taken to the WLAN configuration page. Here we want to enable the SSID and change the interface group to our new "general-staff" interface. Once this is done hit Apply.

Note: In a production environment never enable an SSID until you have all the security properly set up. In this particular case I want to take baby steps and test each step to make any troubleshooting you might end up doing easier.

Now we need to head over to the Security tab. Oooo security! I know, I love network security and I get to do it for my job! However, when you're deploying something for the first time, or even the 1000th time, always deploy things in little steps. This is my biggest advice to any engineer! If you just go and paste in a big lump of config in one go, where do you start to troubleshoot it?! However, if you do a tiny bit of config, test, another tiny bit of config and test again, it's going to be a lot easier to work out the bit of config that stopped your new bit of magic from working!