Configure Mesh Ethernet Bridging on Catalyst 9800 Wireless LAN Controller

Someone asked me an interesting question: can lightweight APs join a Catalyst 9800 Wireless LAN Controller over a mesh network? My first thought was to implement it with Ethernet Bridging, and after testing, it all worked fine. The configuration steps follow.

Topology

Components Used

  • C9800-40-K9 17.07.01
  • Two C9200L switches
  • Root AP (AIR-AP2802E)
  • Mesh AP (AIR-AP3802I)
  • Lightweight AP (AIR-AP2802I)
  • Windows PC

Configure

Switch Port

The C9800 and the APs are both on VLAN 37; VLAN 10 is used to test Ethernet bridging. The DHCP address pool lets the MAP and LAP obtain addresses, and Option 43 is configured so that they can discover the WLC.

Switch-1#show ip int brief | in Vlan
Vlan1                  unassigned      YES NVRAM  administratively down down    
Vlan10                 192.168.10.1    YES NVRAM  up                    up           
Vlan37                 10.106.37.235   YES NVRAM  up                    up        
Switch-1#sh run int tenGigabitEthernet 1/1/1
Building configuration...

Current configuration : 138 bytes
!
interface TenGigabitEthernet1/1/1
 description ----For C9800 WLC----
 switchport access vlan 37
 switchport mode access
 speed nonegotiate
end

Switch-1#sh run int gi
Switch-1#sh run int gigabitEthernet 1/0/2
Building configuration...

Current configuration : 181 bytes
!
interface GigabitEthernet1/0/2
 description ----For Root AP----
 switchport trunk native vlan 37
 switchport trunk allowed vlan 1-1000
 switchport mode trunk
 ip dhcp snooping trust
end

Switch-1#sh run | s ip dhcp
ip dhcp pool vlan37
 network 10.106.37.0 255.255.255.0
 default-router 10.106.37.1 
 option 43 hex f104.0a6a.25bf
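
The Option 43 value in the vlan37 pool is a type/length/value triple: type f1, a length of four bytes per controller, then each controller IPv4 address in hex. The following is an added example, not part of the original post, that decodes and rebuilds that value and reports any advertised controller that is not on an approved list; the function names and the approved list are assumptions made for illustration.

```python
import ipaddress

CISCO_WLC_SUBOPTION = 0xF1  # sub-option type lightweight APs read for controller discovery

def decode_option43(hex_value):
    """Decode an IOS 'option 43 hex' value into a list of controller IPv4 addresses."""
    raw = bytes.fromhex(hex_value.replace(".", "").replace(" ", ""))
    if len(raw) < 2:
        raise ValueError("too short for a type/length header")
    sub_type, length = raw[0], raw[1]
    if sub_type != CISCO_WLC_SUBOPTION:
        raise ValueError(f"unexpected sub-option type 0x{sub_type:02x}")
    value = raw[2:]
    # The length byte must cover the value exactly and hold whole IPv4 addresses.
    if length != len(value) or length == 0 or length % 4:
        raise ValueError(f"length byte {length} does not match {len(value)} value bytes")
    return [ipaddress.IPv4Address(value[i:i + 4]) for i in range(0, length, 4)]

def encode_option43(controllers):
    """Build the dotted hex string IOS shows for a list of controller addresses."""
    value = b"".join(ipaddress.IPv4Address(c).packed for c in controllers)
    digits = (bytes([CISCO_WLC_SUBOPTION, len(value)]) + value).hex()
    return ".".join(digits[i:i + 4] for i in range(0, len(digits), 4))

def unexpected_controllers(hex_value, approved):
    """Return controllers advertised by DHCP that are not on the approved list."""
    allowed = {ipaddress.IPv4Address(a) for a in approved}
    return [str(ip) for ip in decode_option43(hex_value) if ip not in allowed]

if __name__ == "__main__":
    pool_value = "f104.0a6a.25bf"   # value from the vlan37 pool on this page
    approved = ["10.106.37.191"]    # assumption: the controller address seen in the join log
    print([str(ip) for ip in decode_option43(pool_value)])
    print(unexpected_controllers(pool_value, approved))
```

Any device that can answer DHCP on VLAN 37 can steer APs with this option, which is why the decoded list is worth comparing against the controllers you expect.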

Security configuration

1. Add the Ethernet MAC addresses of the Root AP and Mesh AP to Device Authentication.

The Ethernet MAC address can be confirmed with show controllers wired 0.

2. Add authentication and authorization as follows.

Tags/Profiles

1. Enable Ethernet Bridging Allow BPDU

2. Mesh Profile

3. AP Join Profile

4. Site Tag

5. Assign Tags and select AP Mode (will cause the AP to reboot)

Mesh Ethernet Port Configuration

Select the role (Root/Mesh), and configure the Ethernet Port Configuration.

Verification

Now move the MAP to Switch-2. If all goes well, it will get an address and join the C9800 wireless controller.

 CRIT-MeshLink: Set Root port Mac: 28:6F:xx:xx:xx:xx BH Id: 3 Port:54 Device:DEVNO_BH_R1
 CRIT-MeshSecurity: Mesh Security successful authenticating parent 28:6F:xx:xx:xx:xx, informing Mesh Link
 chatter: wl1: txq_Enable_Encryption 548 ignore_pkt_key_index 0
 CRIT-MeshLink: Notify Capwap Link Up: mac: 28:6F:xx:xx:xx:xx BH Id: 3 GW_reachable: No Roam: false
 ethernet_port wired0, ip 10.106.37.159, netmask 255.255.255.0, gw 10.106.37.1, mtu 1500, bcast 10.106.37.255, dns1 xx.xx.xx.xx, dns2 xx.xx.xx.xx, domain xxx.com, vid 0, static_ip_failover true, dhcp_vlan_failover false
 AP IPv4 Address updated from 10.106.35.201 to 10.106.37.159

<snip>
 
 Discovery Response from 10.106.37.191
 Started wait dtls timer (60 sec)
 
 CAPWAP State: DTLS Setup
 dtls_verify_server_cert: Controller certificate verification successful
 
 CAPWAP State: Join
 OOBImageDnld: OOB Image Download in ap_cap_bitmask(2)
 Sending Join request to 10.106.37.191 through port 5248
 OOBImageDnld: OOB Image Download in ap_cap_bitmask(2)
 Sending Join request to 10.106.37.191 through port 5248
 Join Response from 10.106.37.191 
 AC accepted previous sent request with result code: 0
 Received wlcType 0, timer 30
 
 CAPWAP State: Image Data
 AP image version 17.7.1.11 backup 8.10.151.0, Controller 17.7.1.11
 Version is the same, do not need update.
'
 do NO_UPGRADE, part2 is active part
 
 CAPWAP State: Configure
 Administrative state DISABLED  change to ENABLED 
 Administrative state DISABLED  change to ENABLED 
 Administrative state DISABLED  change to ENABLED 
 
 CAPWAP State: Run
 AP has joined controller HF-9840-WLC
 Flexconnect Switching to Connected Mode!
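
The join log above can be reviewed mechanically. The following is an added example, not part of the original post, that walks the CAPWAP state lines and checks three things: every controller address the AP talked to is approved, a certificate verification line was logged before the Join state, and the AP reached Run. The sample log is abridged from the output on this page; the function name, the approved set and the ordering check are assumptions made for illustration.

```python
import re

# Abridged from the AP console output shown on this page.
SAMPLE_LOG = """\
 Discovery Response from 10.106.37.191
 Started wait dtls timer (60 sec)
 CAPWAP State: DTLS Setup
 dtls_verify_server_cert: Controller certificate verification successful
 CAPWAP State: Join
 Sending Join request to 10.106.37.191 through port 5248
 Join Response from 10.106.37.191
 CAPWAP State: Run
 AP has joined controller HF-9840-WLC
"""

STATE = re.compile(r"CAPWAP State: (.+)")
PEER = re.compile(
    r"(Discovery Response from|Sending Join request to|Join Response from) "
    r"(\d+\.\d+\.\d+\.\d+)"
)

def review_join(log_text, approved_controllers):
    """Return a list of findings; an empty list means the join looks as expected."""
    findings, cert_ok, reached_run = [], False, False
    for line in log_text.splitlines():
        line = line.strip()
        if m := STATE.search(line):
            state = m.group(1).strip()
            # Heuristic: the verification line should appear before the Join state.
            if state == "Join" and not cert_ok:
                findings.append("entered Join without a logged certificate verification")
            reached_run = reached_run or state == "Run"
        elif "Controller certificate verification successful" in line:
            cert_ok = True
        elif m := PEER.search(line):
            if m.group(2) not in approved_controllers:
                findings.append(f"{m.group(1)} unapproved address {m.group(2)}")
    if not reached_run:
        findings.append("AP never reached Run state")
    return findings

if __name__ == "__main__":
    print(review_join(SAMPLE_LOG, {"10.106.37.191"}))
```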

Then connect the lightweight AP to Switch-2 and configure the switch interface for VLAN 37; it will also join the 9800 wireless controller. Note that it joins the controller via the Mesh AP and Root AP.

HF-9840-WLC#show wireless mesh ap  tree 

========================================================================
AP Name [Hop Ctr,Link SNR,BG Name,Channel,Pref Parent,Chan Util,Clients]
========================================================================

[Sector 1]
-----------
RAP [0, 0, Default, (116,120), 0000.0000.0000, 4%, 0]
   |-MAP1 [1, 57, Default, (116,120), 0000.0000.0000, 5%, 0]

Number of Bridge APs : 2
Number of RAPs : 1
Number of MAPs : 1

(*)  Wait for 3 minutes to update or Ethernet Connected Mesh AP.
(**) Not in this Controller


HF-9840-WLC# 

Now connect a Windows PC to Switch-1 with the address 192.168.10.100. Ping the Windows PC from Switch-2, and everything works fine.

switch-2#
switch-2#ping 192.168.10.100  
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
switch-2#

2 Responses

  1. Bill Morton says:

    This config worked great! I am able to ping the MAP IP without issue. However, I am unable to obtain an IP address with any device connected on SW2.
    I have SW2 switchport set to switchport access vlan 37. If I change it to a trunk port the mesh will not establish. Any help?
