© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 43 of 70
The Cisco access points must be connected directly to the Cisco Catalyst 3850 Switch. One Cisco Catalyst 3850
Switch forms the access layer. The distribution layer in this example is made of Cisco Catalyst 4500E Supervisor 7-E
systems in virtual switching system (VSS) configuration. It is a multilayer network design in which the L3 SVI for the
L2 VLANs on the access layer is defined on the VSS system. The Cisco Catalyst 3850 connects to the VSS through an L2
port channel configured as an 802.1Q trunk carrying all the VLANs. Three VLANs are used: Vlan 501 for wired
clients, Vlan 500 for wireless clients, and Vlan 601 for switch/wireless management. The access points must be
placed in the wireless management VLAN, in this case Vlan 601, for them to be controlled by the Cisco Catalyst 3850.
The configuration to enable wireless termination on the Cisco Catalyst 3850 Switch is as shown in the following:
ap cdp
ap country US
wireless management interface Vlan601
wireless mobility controller
The “ap cdp” command enables the CDP process on the Cisco access points connected to the Cisco Catalyst 3850
Switch. “ap country US” defines the country code for the access points. The “wireless management interface”
command selects the interface used to source the access point CAPWAP tunnels and the CAPWAP mobility tunnels.
The last command, “wireless mobility controller”, enables the switch to act in the mobility controller role for the
converged access deployment. This command requires a reboot of the switch: save the configuration and reload the
switch.
The Cisco Catalyst 3850 downloads the software to the access point when it joins the switch for the very first time.
This process takes longer because the access point needs to download the code and reboot before it can join the
switch. This happens only the first time the access point connects to the switch; on all subsequent reloads the
access point boots with this code and joins the switch directly.
The next step is to configure the SSIDs: define each wireless LAN (WLAN) on the switch with the VLAN used for its
wireless clients, the authentication and cipher method, and the AAA server profile to use for that WLAN. In the
following example, the SSID name is Predator, it uses the client VLAN 500 defined for wireless clients, and it
enables WPA and WPA2 with TKIP, using 802.1X authentication with the AAA server (authentication list ise) defined
elsewhere in the configuration.
wlan Predator 1 Predator
aaa-override
client association limit 2000
client vlan 500
security wpa wpa2 ciphers tkip
security dot1x authentication-list ise
no shutdown
For an open SSID, configure “no security wpa” under the WLAN configuration. For preshared key (PSK) security,
configure the following under the WLAN configuration (the first line disables the 802.1X AKM, the second sets the
preshared key):
no security wpa akm dot1x
security wpa akm psk set-key ascii 0 skunkworks
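As an added defensive check that is not part of this guide, the following Python script parses the wlan blocks out of a running-config excerpt and flags the settings a reviewer would want to catch before such a configuration reaches production: an open SSID (no security wpa), the TKIP cipher (a legacy cipher kept for WPA compatibility; WPA2 should use AES/CCMP), a preshared key entered with encryption type 0, which IOS stores in clear text in the configuration, and an 802.1X WLAN without an explicit authentication-list. The sample configuration inside the script is constructed: the Predator block mirrors the WLAN above, while the Guest and Lab WLANs are hypothetical additions used to exercise the checks.

```python
import re
from typing import Dict, List

# Constructed sample running-config excerpt (not taken from any real device).
# The Predator block mirrors the WLAN in this guide; Guest and Lab are
# hypothetical WLANs added so that each check below has something to flag.
SAMPLE_CONFIG = """\
wlan Predator 1 Predator
 aaa-override
 client association limit 2000
 client vlan 500
 security wpa wpa2 ciphers tkip
 security dot1x authentication-list ise
 no shutdown
!
wlan Guest 2 Guest
 client vlan 500
 no security wpa
 no shutdown
!
wlan Lab 3 Lab
 client vlan 500
 security wpa wpa2 ciphers aes
 no security wpa akm dot1x
 security wpa akm psk set-key ascii 0 skunkworks
 no shutdown
!
"""


def parse_wlans(config: str) -> Dict[str, List[str]]:
    """Group the indented lines of each 'wlan <profile> <id> <ssid>' block by profile name."""
    wlans: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        header = re.match(r"^wlan (\S+) \d+ \S+", raw)
        if header:
            current = header.group(1)
            wlans[current] = []
        elif current is not None and raw.startswith(" "):
            wlans[current].append(raw.strip())
        else:
            current = None  # '!' or any other unindented line closes the block
    return wlans


def audit_wlan(lines: List[str]) -> List[str]:
    """Return human-readable findings for one WLAN block (empty list means no issue found)."""
    findings: List[str] = []
    is_open = "no security wpa" in lines
    dot1x_disabled = "no security wpa akm dot1x" in lines
    has_dot1x_list = any(l.startswith("security dot1x authentication-list") for l in lines)

    if is_open:
        findings.append("open SSID: no WPA security configured")

    for line in lines:
        tokens = line.split()
        # 'security wpa ... ciphers tkip': TKIP is a legacy cipher retained for
        # WPA (v1) compatibility; AES/CCMP is the expected WPA2 cipher.
        if line.startswith("security wpa") and "ciphers" in tokens and "tkip" in tokens:
            findings.append("TKIP cipher enabled (legacy; prefer AES/CCMP)")
        # 'security wpa akm psk set-key ascii 0 <key>': the token after 'ascii'
        # is the IOS encryption type; 0 means the key is stored in clear text.
        if "akm psk set-key" in line and "ascii" in tokens:
            idx = tokens.index("ascii")
            enc_type = tokens[idx + 1] if idx + 1 < len(tokens) else None
            if enc_type == "0":
                findings.append("PSK stored in clear text (type 0) in the running-config")

    # A WLAN that still uses the 802.1X AKM but binds no authentication-list
    # silently falls back to the default dot1x method list.
    if not is_open and not dot1x_disabled and not has_dot1x_list:
        findings.append(
            "802.1X in use but no explicit 'security dot1x authentication-list' "
            "on the WLAN (default method list applies)"
        )
    return findings


def audit_config(config: str) -> Dict[str, List[str]]:
    """Audit every WLAN block in the configuration; returns {profile name: findings}."""
    return {name: audit_wlan(lines) for name, lines in parse_wlans(config).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

Run against a saved "show running-config" instead of the embedded sample by reading the file into audit_config; the parser only relies on the one-space indentation IOS uses under a wlan block and on "!" or an unindented line terminating it.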