Cisco Switzerland Technology Blog

Setup your LAB with Catalyst 9800-CL

2 min read



This is a living BLOG, with tips, hints… from my LAB experience with the Cisco Catalyst 9800-CL

Download the software:

Software download für den 9800-CL 

Infos on CCO:

Cisco Catalyst 9800 Series Wireless Controllers

Picture 1:

 

 

 

 

 

 

 

 

 

 

 

 

Instaltion on VMWare:

  1. deploy OVA -> nothing special!
  2. on ESXi: all interfaces have to be in different VLANs!!! Management on Int1 (VLAN10) AP on Int2 (VLAN11) (see picture 1)
    If you don’t do this the controller create a loop on the ESX and the host is blocked….
  3. Basic Setup on CLI and GUI
  4. AP sould join and WLAN is UP – > Do setup with WLAN Wizard!!!
  5. If AP has issues to join! e.g. Message: No valid AP manager found for controller ‘eWLC-karlcisn-Public’ (ip: 10.88.173.105)
    ->>> There is not a trustpoint associated to the wireless management interface.
    Solution se below! (Reason: No valid AP manager found)
  6. If you like use the config translater from AirOS to IOSXE in Prime 3.5 (works really nice for me!)

 

If Sonos is not working:

check if multicast is on!

on CLI: wireless multicast
Enable multicast-multicast mode for better performance.
ip igmp snooping
ip igmp snooping querier
wireless multicast 239.255.255.200
wireless mobility group name Default
wireless media-stream multicast-direct

 

Reason: No valid AP manager found
Source AireOS WLC supports SSC Hash Validation.

Ensure there is a wireless trustpoint created and define it as wireless management trustpoint either by GUI or CLI.
See here: https://techzone.cisco.com/t5/Elastic-Wireless-LAN-Controllers/eWLC-Common-Access-Point-Join-Issues-Internal/ta-p/1238569

Posible Solutions

  • Move AP to source AireOS WLC, configure an authentication token in both AireOS WLC and eWLC and then move again the AP.
  • Disable SSH Hash validation on the AireOS WLC and after that migrate the APs (From testing seems to only work for IOS APs)

Move AP to source AireOS WLC, configure an authentication token in both AireOS WLC and eWLC and then move again the AP.

Step 1. Ensure AP joins back AireOS WLC

If you are unable to make the AP join back the AireOS WLC, login directly to the AP and configure the authentication token:

# capwap ap auth-token <string>

Step 2. Configure an authentication token on AireOS WLC

> config certificate ssc auth-token <string-max-32-characters>

Step 3. Configure the same authentication token on eWLC

# config t
# wireless management certificate ssc auth-token 0 <string>

Step 4. Move the AP from AireOS WLC to eWLC.

 

Disable SSH Hash validation on the AireOS WLC and after that migrate the APs.

Step 1. Ensure AP joins back AireOS WLC

If you are unable to make the AP join back the AireOS WLC, follow the procedure explained on Move AP to source AireOS WLC, configure an authentication token in both AireOS WLC and eWLC and then move again the AP section.

Step 2. Disable Enable SSC Hash Validation

GUI:

Navigate to Security > Certificate > SSC and uncheck Enable SSC Hash Validation, after that click Apply.

Catalyst 9800 CL Lab

CLI:

>config certificate ssc hash validation disable


 

 

 

Authors

Stefan Leemann

Consulting Systems Engineer

Leave a comment