Introduction To 3850 GUI - Lab Guide v2.5

Introduction to Wireless on the 3850
Lab Exercises
Version 2.5
Another hands-on lab from team MIDAS

October 16th, 2013
Table of Contents
Introduction......................................................................................................................... 3
Logical Topology ................................................................................................................. 4
Physical Topology ................................................................................................................ 5
Disclaimer............................................................................................................................ 6
Build Information ................................................................................................................ 6
Prerequisite knowledge....................................................................................................... 6
Lab Overview ....................................................................................................................... 7
Access Lab Pod .................................................................................................................... 8
Exercise 1: Licensing and basic configuration of the 3850 ............................................... 11
Exercise 2: Configure the 3850 to support an AP via the GUI ........................................... 48
Exercise 3: Configure and Test Corp WLAN on the 3850 .................................................. 74
Appendix A: Answers to Exercise Questions ..................................................................... 92
Appendix B: Final Device Configurations .......................................................................... 93
October 16th, 2013
Introduction
Your integration company has been asked to configure the new 3850, including wireless
capabilities, for a company called Example.com. Example is moving away from legacy
equipment and would like you to configure a prototype for a wireless environment.
Example.com plans to have only corporate users connect to the network wirelessly, and
expects to grow to forty access points over the next four years. The customer would like
to implement the Cisco 3850 Unified Access Switch. Your job is to set up the 3850, build
a corporate WLAN, and test network access via the WLAN. One of the key requirements
of the customer is that the 3850 and wireless configuration be manageable via a GUI.
Here is some good news. A junior team member has been helping you get things set up.
Under your direction, the following prerequisite tasks have been completed:
The prototype network has been cabled

The router has been configured for internet reachability and NTP services
The 3750 Core Switch has been configured for network access
Based on the requirements, and with the above prerequisite tasks completed, you will
perform the following:
Configure the 3850 for network access

Configure and access the 3850 GUI
Configure a CAPWAP VLAN to support an AP
Configure Mobility and register an AP with the 3850.
Secure the CAPWAP data between the 3850 and AP
Configure a Corporate WLAN.
Configure a DHCP scope for the Corporate WLAN
Test Corporate WLAN access
Please review the diagrams on the following pages carefully, before proceeding with the
lab. It may help to display them on a second window, when completing the lab.
October 16th, 2013
Logical Topology
The diagram below depicts the logical L3 topology of your prototype network. Please
note that the PCs, Servers, and ISE platform are VMware images with non-persistent
disks. If you shut down any of these platforms, you will lose all changes made to them
up to that point, and become disconnected. Please ensure that you use restart or logoff
as necessary. Avoid using shutdown at all costs. (If shutdown, contact lab admin.)
October 16th, 2013
Physical Topology
The diagram below depicts the L2 topology of the network, as it has been cabled by your
junior resource.
October 16th, 2013
Disclaimer
This exercise is intended to demonstrate one way to configure the network, to meet the
specified requirements of this lab. There are various ways that this can be accomplished,
depending on the situation and the customers goals/requirements. Please ensure that
you consult all current official Cisco documentation before proceeding with a design or
installation. This lab is primarily intended to be a learning tool, and may not necessarily
follow best practice recommendation at all times, in order to convey specific
information.
Build Information
As of the writing of this document, the current relevant documentation could be found
on CCO at the following links:
3850 Series configuration guides
http://www.cisco.com/en/US/products/ps12686/products_installation_and_configuration_guides_list.html
The labs were constructed using the following software versions from CCO:
3850
AP 3501
ISE
03.02.02SE
(Model: WS-C3850-24P)
15.2.58-SE2
(Downloaded 1/8/2013)
ISE 1.2 Beta code
Prerequisite knowledge
A solid understanding of networking, including routing and switching is assumed. A basic
understanding of the concepts of wireless security is very helpful. Familiarity with the
IOS-XE command line is helpful. The 3850 is built on the IOS-XE platform. Some
background with Cisco Wireless would be helpful, but is not necessary.
October 16th, 2013
Lab Overview
The lab will focus on getting the 3850 from 0-60. You will configure network
reachability; connect an access point, and configure the 3850 via the GUI.
The key focus of the lab is to get comfortable with the new 3850 wireless
feature set, and familiar with creating and managing WLANs, connecting APs, utilizing
the GUI, and working on the IOS-XE platform.
October 16th, 2013
Access Lab Pod

At this point, you should have been supplied with several pieces of information for
accessing your lab pod. You should have the following:
The URL to access the lab portal

The user ID and password used for logging into the Midas Student lab portal
Your pod number (very important for accessing your device consoles)
Using the information provided, please log into the lab now. Begin by opening a browser
and accessing the lab portal URL. The URL is typically https://128.107.69.142/student
for accessing your pod. When you are prompted with a certificate warning from our
VPN Gateway, please accept the self-signed certificate and continue.
Carefully enter the username and password supplied, and click Login.
October 16th, 2013
9
Click Continue in the resulting welcome message.
You are now logged into the student portal, and should be presented with a list of
bookmarks to access the images for your pod.
Verify access to the images by attempting to access PC1. Carefully click on the the
double boxes with arrows on the far left of the bookmark for PC1. This should open
PC1 in a new window. Please note that a current version of JAVA is required. (Disable
pop-up blocker to see java updates.) If you have an issue, try updating java from
Java.com, before contacting the lab administrator.
You should see a new window open, and a connection attempt initiated. Take note: the
IP addresses and port information in the connection attempt message point at the
VMware image on the backend of the VPN. You do not need direct access to these
addresses.
October 16th, 2013
10
In just a moment, you should be connected to PC1. Note: A JAVA applet will load in the
browser environment, providing the TightVNC access to the VMware image on the
backend. This is why a current version of JAVA is required. The resulting PC1 image is
shown below.
At this point, you are ready to proceed with the lab. During the lab, you will be asked to
access your images from the student portal. Simply use the bookmarks on the portal to
access the images, as you just did for PC1. You may open all your images concurrently,
using the open in new window functionality, just like you did for PC1. Stay logged into
the student portal and proceed on.
Good luck with the lab!
October 16th, 2013
11
Exercise 1: Licensing and basic configuration of the 3850

The primary focus of this exercise is to utilize the correct licensing for this
implementation of the 3850. This will be followed by setting basic parameters and
enabling connectivity to both the network and GUI. You will accomplish this, as well as
configure NTP, and prepare to enable the 3850 to act as a mobility controller.
Section 1.1 Access the 3850 Switch and explore the licensing options
The goal of this section is to license the 3850 for our specific needs given our scenario,
and become familiar with the commands to view and change licensing.
Begin by accessing the PC1 JumpBox image from the student portal (should be open).
Log into PC1, using the default user John Doe, and a password of cisco123.
Password:
cisco123
Access the out of band (OoB) consoles shortcut, at the top left of the desktop on PC1.
October 16th, 2013
12
Now, choose your Pod Number in the second drop down menu Intro to 3850 GUI
for the content pack. Then, click the Access Console Maps button to the right.
***Note: This shortcut page is dynamically built based on your selection. It is crucial
that the pod number selected is yours, or you will be unable to complete the lab.
Before moving on, make sure that your pod number is displayed at the top of the page.
Click on the 3850 Switch in the center of the picture. This will open the console
window.
***Note: This shortcut webpage has been created for lab purposes only. These
shortcuts simply connect you to the console port of each device represented.
October 16th, 2013
13
In the resulting console window, hit enter until the Would you like to enter the initial
configuration dialog? prompt appears. Enter the commands shown below to skip the
initial configuration dialog and enter enable mode, and make sure that this is the only
switch. (It is not part of a stack)
No
Yes
en
show switch
October 16th, 2013
14
Enter the commands below to view the 3850s current licensing.

show license right-to-use
show license right-to-use summary
Remove the current licensing on the 3850 for APs with the command shown below. (If
needed; there may be none present.) The AP count # you must specify can be found in
the show commands you just entered. Remove all current AP licenses, so we can replace
them.
***Note: replace # in the command below with the number of current AP license count
found in the 3850. Re-enter the previously shown command to find this number if
needed.
license right-to-use deactivate apcount # slot 1
October 16th, 2013
15
Enter the command shown below to make sure the AP licenses were removed. Once
you have confirmed there are no active licenses on the 3850, activate 5 AP licenses as
shown below.
license right-to-use active apcount 5 slot 1 acceptEULA
Check to make sure the AP licenses took affect before moving on. Make sure 5 AP
licenses are present. Then take a look at the active feature license on the 3850.
October 16th, 2013
16
***Note: The lanbase license does not support wireless functionality on the 3850.
Now deactivate the current feature license in the 3850. In the below command
exchange feature*** for lanbase, ipbase, or ipservices depending on the above
show command output.
license right-to-use deactivate feature*** all
license right-to-use activate ipbase all acceptEULA
The 3850 will display a message indicating as seen above, that a reboot is required to
enact this change. Check the license level one more time, and then proceed with a
reboot.
October 16th, 2013
17
Take note of the license level on reboot, and make sure that on reboot the intended
ipbase license is specified. The 3850 will always allow configurations of wireless and
other features that require a higher license lever to work. Understand that just because
the commands are present in the 3850, it does not mean they will take effect.
***Note: Both ipbase and ipservices support wireless. Lanbase does not, although
the commands are present in CLI.
Before reloading the 3850 to complete the licensing change, enter the command below
to check the boot variables. The switch should be set to manual Boot.
***Note: For lab resets, the 3850 has been configured to stop at rommon. Do not alter
the boot variable on the 3850.
Show boot
Now reload the 3850 with the command shown below.

reload
The reload process for the 3850 will take a few moments. The 3850 is built on the IOSXE platform and will look a little different from classic IOS. When the 3850 reaches the
switch prompt, enter the command below to boot the device.
boot flash:packages.conf
October 16th, 2013
18
When the 3850 is finished booting, enter enable mode.

en
October 16th, 2013
19
Confirm the new license level of ipbase after the reboot, and 5 apcount licenses,
using the command below.
Now that the 3850 has an ipbase and licensing for 5 aps, it is ready to support wireless
configuration and WLANs.
Q1.1: What are the three types of feature licenses on the 3850, and which ones
support wireless?
October 16th, 2013
20
Q1.2: What other two licenses are required to register access points with the 3850?
Make sure you can answer both of these questions before moving on to the next
section. It is critical to understand the licenses, and that all commands are present and
configurable, even if the licenses required for them to work are not installed.
October 16th, 2013
21
Section 1.2 Complete the basic configuration of the 3850
This section will cover configuring the 3850 for network access and reachability,
followed by enabling GUI access. Before proceeding, take a look at the below layer 2
and layer 3 diagrams representing the current configured state of the network.
October 16th, 2013
22
Now take a look at the final layer 2 and 3 diagrams to review the intended build.
October 16th, 2013
23
Begin by configuring the L3 Handoff between the existing 3750 and the new 3850. Start
by accessing the console of the 3850. Use the out of band (OoB) consoles on the
desktop of PC1, just as before. Enter enable mode by submitting the command below.
en
Configure the L3 link on the 3850 with the commands below.

config t
int g1/0/1
no switchport
desc L3 link to 3750
ip address 10.1.101.2 255.255.255.0
no shut
exit
exit
October 16th, 2013
24
Now access the console of the 3750, via the out of band (OoB) consoles, just like for the
3850. Log in with the credentials and enter the commands shown below to configure
the 3750 side of the L3 link.
Username: admin
Password: cisco123
Now configure the link to the 3850 with the following commands.
en
config t
int fa1/0/8
no switchport
desc L3 link to 3850
ip address 10.1.101.1 255.255.255.0
no shut
exit
exit
October 16th, 2013
25
Test the new L3 link with pings from both sides. From the 3750 console, ping the 3850
with the command below.
ping 10.1.101.2
Return to the 3850 console, and test connectivity to the 3750 side address with the
following command. Do not proceed with the lab if either of these pings are
unsuccessful.
ping 10.1.101.1
October 16th, 2013
26
Still on the console of the 3850, configure the following basic parameters.
config t
hostname 3850-Switch
no ip domain-lookup
ip routing
ip domain-name example.com
***Note: On the 3850 and other IOS-XE devices, it is critical to enter the ip routing
command in order to enable traffic passing through the device to be routed. If this
command is missing from the configuration, the 3850 will successfully route its own
traffic, but will drop all traversing traffic without a directly connected destination, even
if a valid route is present in the routing table.
Now configure encrypted passwords, a local user account, and configure timestamps
and a server for logging.
service password-encryption
service timestamp log datetime show-timezone msec
service timestamp debug datetime show-timezone msec
logging trap debugging
logging 10.1.20.254
enable secret cisco123
username admin priv 15 secret cisco123
October 16th, 2013
27
Configure the VTP mode and name. Set the spanning tree mode, and specify the
intended root bridge as this 3850.
vtp mode transparent
vtp domain example.com
spanning-tree mode rapid-pvst
spanning-tree vlan 1-500 priority 4096
errdisable recovery cause bpduguard
Configure console access.

line con 0
logging synchronous
login local
exec-timeout 60 0
privilege level 15
Configure Telnet and SSH access, followed by generating a crypto key.

line vty 0 15
logging sync
login local
exec-t 60 0
priv lev 15
transport input telnet ssh
crypto key generate rsa modulus 1024
October 16th, 2013
28
do show ip ssh (View the newly generated SSH key)
Exit and save the configuration.

exit
copy running-config startup-config
Check your work, and review the global running configuration in the 3850.
Show run
October 16th, 2013
29
October 16th, 2013
30
October 16th, 2013
31
***Note: The Gigabit Ethernet 0/0 interface in the 3850 is configured by default with a
VRF named Mgmt-vrf. In this lab, we will not be utilizing the management interface,
but be aware of this default.
October 16th, 2013
32
October 16th, 2013
33
October 16th, 2013
34
At this point, we have configured the basics on the 3850. The 3850 has secure access,
deliberate VTP and spanning tree configuration, and remote logging. Now configure
access to the 3850 GUI with the following commands.
config t
ip http server
exit
***Note: In order to access the GUI of the 3850, there are three prerequisite
configurations that are required. The first is enabling the http server functionality,
second is IP connectivity to the 3850, and the third is a local admin account.
Now, before testing access to the 3850 GUI, attempt to ping the 3850 from the desktop
of PC1. Open a console window from the desktop shortcut, and enter the following
command.
ping 10.1.101.2
October 16th, 2013
35
The test pings to the 3850 have failed because there are no return routes from the
device. Go back to the console of the 3850, and enter the following commands to
configure a default route to the 3750.
config t
ip route 0.0.0.0 0.0.0.0 10.1.101.1
exit
October 16th, 2013
36
Now that the 3850 has a return route for traffic via the 3750, test connectivity from the
desktop of PC1, using a ping.
ping 10.1.101.2
These pings should be successful. Do not continue in the lab until PC1 can successfully
ping the 3850.
To access the 3850 GUI, open a Firefox window from the desktop of PC1. Enter the
following URL.
https://10.1.101.2/wireless
October 16th, 2013
37
On the resulting page, expand I Understand the Risk, and click on Add Exception to
continue to the 3850 GUI.
Click on Confirm Security Exception in the resulting window.
October 16th, 2013
38
A login prompt will appear as shown below. This is where the local user account on the
3850 is required.
October 16th, 2013
39
Enter the following username and password, and then click OK to access the 3850
GUI.
Username: admin
Password: cisco123
The resulting first page of the 3850 GUI is shown below.
At this point the 3850 has network access. The GUI is accessible from PC1, and the 3850
has a basic configuration.
October 16th, 2013
40
***Note: In order to utilize the 3850 GUI as shown above, the 3850 must be running
IOS-XE version 03.02.02SE as shown above in the display.
October 16th, 2013
41
Section 1.3 Network Configurations on the 3850
This section will cover the CLI configuration of VLANs, SVIs, NTP to support the desired
network topology and WLAN. Take a look again at this final layer 3 diagram of the
intended network before beginning.
Access the console of the 3850 and log in, then enter enable mode. Use the out of band
(OoB) consoles on the desktop of PC1.
Enter the username and password as shown below, to access the 3850 console.
Username: admin
Password: cisco123
Begin by creating and naming the following VLANs on the 3850, by entering the
commands as shown below.
October 16th, 2013
42
config t
vlan 225
name Corp-Wireless
vlan 222
name Bldg2-APs
exit
exit
Check your work with the following command.

show vlan
October 16th, 2013
43
Configure respective SVIs for the VLANs we created above, with the commands below,
to reflect the diagram.
config t
int vlan 222
ip address 10.1.222.1 255.255.255.0
desc Bldg2-APs
exit
int vlan 225
ip address 10.1.225.1 255.255.255.0
desc Corp-Wireless
exit
exit
Now check the SVI configuration with the below shown command.
show ip int br
Configure a Loopback interface on the 3850 per the diagram. Enter the following
commands on the 3850 console.
config t
int lo 0
ip address 10.1.255.2 255.255.255.255
desc Primary Loopback Do not change!
exit
exit
October 16th, 2013
44
Check the configuration of this Loopback with a display command.

show run | begin Loopback0
Save the configuration.

Access the console of the 3750 from the consoles page, and log in with the username
and password shown below.
Username: admin
Password: cisco123
October 16th, 2013
45
Configure routes to the 3850 for the three new subnets that were just created. Enter
the following commands.
config t
ip route 10.1.222.0 255.255.255.0 10.1.101.2
ip route 10.1.225.0 255.255.255.0 10.1.101.2
ip route 10.1.255.2 255.255.255.255 10.1.101.2
exit
October 16th, 2013
46
Return to the command line of the 3850, and configure the interface connecting to the
access point. Use the following command to place the AP in VLAN 222, and add a
description.
Log back into the 3850 with the username and password, and enter configuration mode.
Username:
Password:
admin
cisco123
config t
From configure terminal, enter the commands below.

int g1/0/24
desc AP connected in vlan 222
switchport mode access
switchport access vlan 222
switchport no
no shut
exit
exit
October 16th, 2013
47
At this point, we have completed the needed configuration to support wireless via the
CLI. Save the running configuration of the 3850 with a wr mem, and continue to the
next Exercise.
October 16th, 2013
48
Exercise 2: Configure the 3850 to support an AP via the GUI

In exercise 2, you will configure the 3850 with two DHCP scopes, to connect the AP to
the 3850, and support wireless user. Then configure the 3850 to support wireless via the
GUI, and connect the AP.
Section 2.1 Configure DHCP scopes from the 3850 GUI

In this section you will configure two DHCP scopes for VLANs 222 and 225 in the 3850
via the GUI; as well as review syslog information.
Access the 3850 GUI and log in with the following information. This time, use the
loopback address of the 3850 to connect to the GUI.
Username: admin
Password: cisco123
October 16th, 2013
49
Before proceeding with the DHCP configuration, access the domain controller and setup
logging. Return to the Student Portal page, and select the DC.
October 16th, 2013
50
Click on the Send Ctrl-Alt-Del button to reach the login prompt of the DC.
Log in using the credentials below.

Username: administrator
Password: cisco123
October 16th, 2013
51
At the desktop of the DC, open the Kiwi Syslog Daemon, using the shortcut at the top
left of the desktop.
This is where the messages from the 3850 and APs will be displayed when the
registration process starts. You can return here later to review the messages, and is an
excellent place to troubleshoot any problems with the lab from here on.
October 16th, 2013
52
Return to the desktop of PC1 and the 3850 GUI.
Now from the home screen of the 3850 GUI, navigate to Configuration>Controller, to
configure the two DHCP scopes.
October 16th, 2013
53
On the resulting page shown below, navigate to Internal DHCP Server>DHCP Scope on
the left hand side.
On the resulting page named DHCP Scope, click the New button near the top left.
October 16th, 2013
54
On this page, enter the parameters listed below.

DHCP
Scope Name: BLDG2-APs

Network:
10.1.222.0
Subnet Mask: 255.255.255.0
Lease Time
Days (0-365): 1
Hours (0-23): 12
Minutes (0-59): 0
Default Routers
Server 1:
10.1.222.1
DNS
Domain Name: example.com
Server 1:
10.1.20.254
The GUI DHCP page should appear as shown below.
October 16th, 2013
55
Once the information is filled in, click on the Apply button at the top right of page.
The following message should be the result. Click the OK button.
After the message, the GUI will return to the DHCP Scope page, where the BLDG2-APs
scope will be listed as shown below.
October 16th, 2013
56
Navigate back to the home screen of the 3850 GUI by clicking on Home at the top left
under the Cisco icon.
The resulting page is shown below. Take note of the current Access Point Summary
counts. There are currently no APs registered.
October 16th, 2013
57
At this point, the AP can receive an IP address from the 3850 DHCP scope, but will not
be registered because the 3850 is not yet configured as a mobility controller. Navigate
back to Configuration>Controller, to build a second DHCP scope for the WLAN clients.
From the configuration>controller page, click on DHCP Scope on the left under
Internal DHCP Server.
Back at the DHCP Scope page, click the New button to build another scope.
October 16th, 2013
58
On the resulting page, fill in the following information, to create a DHCP scope for the
WLAN clients who will connect to the 3850.
***Note: Always follow best practices when configuring DHCP scopes for clients. The
3850 may not be the best place to do this based on customer requirements. It has been
configured this way in the lab only to demonstrate the 3850 capabilities.
DHCP
Scope Name: Corp-Wireless

Network:
10.1.225.0
Subnet Mask: 255.255.255.0
Lease Time
Days (0-365): 1
Hours (0-23): 12
Minutes (0-59): 0
Default Routers
Server 1:
10.1.225.1
DNS
Domain Name: example.com
Server 1:
10.1.20.254
The GUI DHCP page should appear as shown below. Click Apply when you are done, to
complete the scope.
October 16th, 2013
59
After clicking Apply, the message shown below should appear. Click OK to continue.
At this point in the lab, two DHCP scopes have been configured on the 3850 via the GUI.
Make sure of this by reviewing the resulting DHCP Scope page. It should appear as
shown below with two scopes listed.
October 16th, 2013
60
Section 2.2 Configure the 3850 as a Mobility Controller
In this section, you will configure the 3850 to support a WLAN by enabling mobility
controller functionality. A 3850 must be a mobility controller in order to register APs
and offer WLANs, unless it is registered with another Mobility controller.
From PC1, access the GUI of the 3850 if not already there, by navigating to the address
below and logging in with the following credentials.
Username: admin
Password: cisco123
From the Home page of the 3850 GUI that is displayed upon logging in, navigate to
Configuration>Controller.
October 16th, 2013
61
From the resulting page shown below, navigate to Mobility Management>Mobility

Global Config on the left of the page.
On the resulting Mobility Agent Configuration page, expand the Mobility Role drop
down at the top of the page, and select Mobility Controller.
October 16th, 2013
62
With Mobility Controller selected from the Mobility Role dropdown, click the
Apply button on the right of the page.
Upon clicking Apply, the message displayed below will appear. Read it carefully.
In order for the 3850 to change mobility roles, it will need to reboot. Before rebooting,
you will need to save the current configuration. Click the OK button to accept the
message. The following message will appear upon clicking OK.
Again, click OK to accept after reading it. At the top right of the GUI web page, click on
the Save Configuration link.
October 16th, 2013
63
Upon clicking the Save configuration link, the following message will appear. Click
OK to save the 3850 current configuration.
After a moment, a conformation message will appear like the one shown below. Click
OK to continue.
Now it is time to reload the 3850 to enable Mobility Controller functionality. Navigate in
the 3850 GUI to Configuration>Commands.
October 16th, 2013
64
On the resulting screen, click on Reboot; it will be under Commands on the left of
the page.
On the Reboot page, notice the warning.
October 16th, 2013
65
Click on the Save and Reboot button at the top left of the screen.
After clicking the button, the following message will appear. Click OK to save and
reload the 3850.
It will take the 3850 a few moments to reboot, but for lab reset reasons the 3850 has
been configured to stop at ROMMON. You will need to access the 3850 console via the
consoles page and issue the following command to initiate a boot.
boot flash:packages.conf
October 16th, 2013
66
Once the 3850 has reached the login prompt, you can return to the GUI via the address
below. You will need to close the old browser window, and open a new one.
October 16th, 2013
67
After accepting the certificate; log into the 3850 again with the following username and
password.
Username:
Password:
admin
cisco123
After logging in, you will reach the 3850 GUI Home screen shown below.
October 16th, 2013
68
This is one more configuration change that must be completed to enable the 3850 to
register an AP. Access the 3850 CLI just as before and log in.
Username:
Password:
October 16th, 2013
admin
cisco123
69
From the CLI, enter the folloing command, to view the current Mobility setup on the
3850.
show wireless mobility summary
Take note that the IP is 169.254.1.1, which is the system default. This will need to
become the BLDG2-APs VLAN 222 SVI in order to register the AP. Below is a section of
the L3 diagram of the intended configuration. The 10.1.222.1 interface in VLAN 222 will
need to be the wireless management interface in order to register the AP.
Configure this now with the CLI commands below.

config t
wireless management interface vlan 222
exit
October 16th, 2013
70
Once again, enter the display command below, to confirm the configuration change.
show wireless mobility summary
At this point the 3850 is a Mobility Controller, and is using 10.1.222.1 as its Mobility
IP.
Return to the 3850 GUI, and review the Home Page. If it is still open, refresh the page
by clicking on refresh link at the top right. If you need to reconnect, use the address
below.
October 16th, 2013
71
Once you reach the Home page in the 3850 GUI, review the Access point Summary
half way down on the left side.
There should now be 1 under Access Point Summary, meaning that the AP has
registered with the 3850. To confirm this, navigate in the GUI to Monitor>Wireless.
October 16th, 2013
72
On the resulting page shown below, will be an AP designated by its MAC address. Click
on the address to view it in detail.
After clicking on the address, the following page will appear.
October 16th, 2013
73
At this point the 3850 is configured as a Mobility Controller, and has successfully
registered an AP. Continue to the next exercise.
October 16th, 2013
74
Exercise 3: Configure and Test Corp WLAN on the 3850

In this exercise, you will configure a Corp-Wireless WLAN on the 3850 via the GUI, and
test connectivity via PC2. The WLAN will be configured with a PSK and broadcast SSID.
Section 3.1 Configure the WLAN
In this section, you will configure a WLAN on the 3850 via the GUI.
Begin by accessing the 3850 GUI. From PC1, go to the following address and log in with
the username and password below.
Username:
Password:
admin
cisco123
From the initial Home page in the 3850 GUI, navigate to Configuration>Wireless.
October 16th, 2013
75
From the resulting page, navigate to WLAN>WLANs on the left side.
Once at the WLANs page shown below, click on New, to create a WLAN.
October 16th, 2013
76
On the following page, enter the information below respectively, and click the Apply
button when complete.
WLAN ID:
1
SSID:
Corp-Pod*-GUI
Profile Name: Corp-Wireless
(An Identifier in the configuration)

(Make * YOUR POD NUMBER)
(Name of WLAN in Configuration)
After clicking Apply, the following message will appear. Click OK.
The resulting page is shown below. Click on the new Corp-Wireless link in blue to
configure it in detail.
October 16th, 2013
77
The resulting page is shown below.
Take note of the Interface/Interface Group(G) parameter which is currently Default.

This is the VLAN and corresponding SVI that the WLAN will service. Expand the
dropdown, and select Corp-Wireless from the list.
October 16th, 2013
78
Now that the intended network will service the WLAN, check the Status box, to enable
the WLAN.
Once complete, click the Apply button at the top right of the screen.
Click the OK button to accept the conformation message.
October 16th, 2013
79
Now navigate in the GUI, still under the WLAN, to the Security tab shown below.
The following screen is shown below.
For simplicity in this lab, the WLAN will be secured with a Pre-Shared Key (PSK). Select
PSK from the Auth Key Mgmt dropdown.
***Note: The use of a PSK is not best practice and is utilized in the lab for simplicity. This
is not an encouraged method for securing a production WLAN.
October 16th, 2013
80
After selecting PSK from the dropdown, the page will change. The resulting page is
displayed below.
In the box under ASCII, enter the following password for the WLAN.
Password:
October 16th, 2013
cisco123
81
Once completed, click the Apply button on the top right of the page.
After clicking Apply, the message shown below will appear. Click OK to accept it.
At this point, the WLAN has the basic required configuration to enable client access and
has been enabled. Now, save the 3850 configuration. Click the Save Configuration link
at the top right of the page.
October 16th, 2013
82
Click OK to save the 3850 current configuration.
Click OK to accept the resulting conformation message.
At this point, the Corp-Wireless WLAN is ready to test. Continue to the next section.
October 16th, 2013
83
Section 3.2 Test Access to the Corp-Wireless WLAN
In this section, you will test access to the Corp-Wireless WLAN on the 3850 from PC2.
Begin by accessing PC2 from the student portal.
Log in with the following username and password.

Username:
Password:
October 16th, 2013
Jane Doe
cisco123
(Already Filled In)
84
Below is the desktop of PC2; click on the wireless icon. It is toward the bottom right, on
the task bar.
In the resulting pop-up, select the wireless network that you created on the 3850. It
should be named Corp-Pod*-GUI where * is your pod number.
Click the Connect button to access the wireless LAN.
October 16th, 2013
85
In the resulting window, enter the key you set for the WLAN.
Security key: cisco123
October 16th, 2013
86
After a moment, PC2 should register and receive a DHCP address from the 3850. The
wireless icon should look like the image below when the client has connected.
At this point, open a browser window using the desktop shortcut, and test internet
access.
October 16th, 2013
87
At this point, the first client has been able to successfully connect to the network via
wireless. From this new browser window, access the 3850 GUI by entering the address
shown below.
October 16th, 2013
88
Add the exception for the untrusted site and log into the 3850 GUI, using the following
credentials.
Username:
Password:
October 16th, 2013
admin
cisco123
89
The 3850 GUI home page should be displayed, as shown below.
There are two things to now take note of. First, on the right hand side of the page under
Top WLANs is Number of Clients, where across from Corp-Wireless, you should see
a count of 1. The second thing to note is from PC2, which is a WLAN client, you were
able to access the 3850 GUI. In production it is recommended to restrict access to the
3850 GUI using an access list.
Now navigate in the GUI to Monitor>Clients to view the details of PC2s connection.
October 16th, 2013
90
On the resulting page, you should see one MAC address listed under Clients, as shown
below. Click on the address to view the client details.
On the resulting page shown below, note that the client has received an IPv4 address in
the 10.1.225.0/24 address space from the 3850 DHCP scope.
October 16th, 2013
91
From this display, (May need to scroll to the left to see) you can also see through which
AP the client connected, as well as a host of other information.
At this point the 3850 has been configured to support the Corp-Wireless WLAN, an AP
has been registered, and the configuration has been tested with a client.
Congratulations. This completes the lab!
October 16th, 2013
92
Appendix A: Answers to Exercise Questions

Q1.1: How many Aps is the WLC licensed for, and for how long? The current license
supports 15 access points and is non-expiring aka lifetime of the device.
Q1.2: What other two licenses are required to register access points with the 3850?
IPBase and IPservices. LAN Base does not support Wireless on the 3850.
October 16th, 2013
93
Appendix B: Final Device Configurations

Cisco 3850 Final Device Configuration
!
! Last configuration change at 02:42:36 UTC Fri Oct 4 2013 by admin
!
version 15.0
no service pad
service timestamps debug datetime msec show-timezone
service timestamps log datetime msec show-timezone
service password-encryption
service compress-config
!
hostname 3850-Switch
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-vrf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
logging console emergencies
enable secret 4 1wLgDhbOLsU0GdsP0B9e5YU2KA7gxZujqOLWf0j48q6
!
username admin privilege 15 secret 4
1wLgDhbOLsU0GdsP0B9e5YU2KA7gxZujqOLWf0j48q6
no aaa new-model
switch 1 provision ws-c3850-24p
ip routing
!
no ip domain-lookup
ip domain-name example.com
ip device tracking
!
ip dhcp pool BLDG2-APs
October 16th, 2013
94
network 10.1.222.0 255.255.255.0
dns-server 10.1.20.254
default-router 10.1.222.1
domain-name example.com
lease 1 12
!
ip dhcp pool Corp-Wireless
network 10.1.225.0 255.255.255.0
dns-server 10.1.20.254
default-router 10.1.225.1
domain-name example.com
lease 1 12
!
!
qos wireless-default-untrust
vtp domain example.com
vtp mode transparent
!
crypto pki trustpoint TP-self-signed-3617301112
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3617301112
revocation-check none
rsakeypair TP-self-signed-3617301112
!
!
crypto pki certificate chain TP-self-signed-3617301112
certificate self-signed 01 nvram:IOS-Self-Sig#22.cer
!
!
!
!
!
errdisable recovery cause bpduguard
diagnostic bootup level minimal
identity policy webauth-global-inactive
inactivity-timer 3600
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 1-500 priority 4096
!
redundancy
mode sso
!
October 16th, 2013
95
!
vlan 222
name Bldg2-Aps
!
vlan 225
name Corp-Wirelss
!
!
class-map match-any non-client-nrt-class
match non-client-nrt
!
policy-map port_child_policy
class non-client-nrt-class
bandwidth remaining ratio 10
!
!
!
!
!
!
interface Loopback0
description Primary Loopback - Do not change!
ip address 10.1.255.2 255.255.255.255
ip mtu 1500
!
interface GigabitEthernet0/0
vrf forwarding Mgmt-vrf
no ip address
negotiation auto
!
interface GigabitEthernet1/0/1
description L3 link to 3750
no switchport
ip address 10.1.101.2 255.255.255.0
!
!
!
!
!
October 16th, 2013
96
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
description AP connected in VLAN 222
switchport access vlan 222
switchport mode access
!
!
!
October 16th, 2013
97
!
!
interface TenGigabitEthernet1/1/1
!
!
!
!
interface Vlan1
no ip address
shutdown
!
interface Vlan222
description Bldg2-APs
ip address 10.1.222.1 255.255.255.0
!
interface Vlan225
description Corp-Wireless
ip address 10.1.225.1 255.255.255.0
!
ip http server
ip http authentication local
ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.1.101.1
!
!
logging trap notifications
logging 10.1.20.254
!
!
!
line con 0
exec-timeout 60 0
privilege level 15
logging synchronous
login local
stopbits 1
line aux 0
stopbits 1
line vty 0 4
October 16th, 2013
98
exec-timeout 60 0
privilege level 15
logging synchronous
login local
line vty 5 15
exec-timeout 60 0
privilege level 15
logging synchronous
login local
!
wsma agent exec
profile httplistener
profile httpslistener
wsma agent config
wsma agent filesys
wsma agent notify
!
wsma profile listener httplistener
transport http
!
wsma profile listener httpslistener
transport https
wireless mobility controller
wireless management interface Vlan222
wlan Corp-Wireless 1 Corp-Pod1-GUI
client vlan Corp-Wirelss
no security wpa akm dot1x
security wpa akm psk set-key ascii 0 cisco123
session-timeout 1800
no shutdown
ap dot11 24ghz rrm channel dca 1
October 16th, 2013
99
ap group default-group
end
October 16th, 2013

Introduction To 3850 GUI - Lab Guide v2.5

Uploaded by

Copyright:

Available Formats

Introduction To 3850 GUI - Lab Guide v2.5

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Introduction To 3850 GUI - Lab Guide v2.5

Uploaded by

Copyright:

Available Formats

Introduction to Wireless on the 3850

Another hands-on lab from team MIDAS

October 16th, 2013

Introduction to Wireless on the 3850

The prototype network has been cabled

Configure the 3850 for network access

October 16th, 2013

Introduction to Wireless on the 3850

October 16th, 2013

Introduction to Wireless on the 3850

October 16th, 2013

Introduction to Wireless on the 3850

October 16th, 2013

Introduction to Wireless on the 3850

October 16th, 2013

Introduction to Wireless on the 3850

Access Lab Pod

The URL to access the lab portal

October 16th, 2013

Introduction to Wireless on the 3850

Introduction to Wireless on the 3850

October 16th, 2013

Introduction to Wireless on the 3850

Exercise 1: Licensing and basic configuration of the 3850

October 16th, 2013

Introduction to Wireless on the 3850

October 16th, 2013

Introduction to Wireless on the 3850

October 16th, 2013

Introduction to Wireless on the 3850

Enter the commands below to view the 3850s current licensing.

show license right-to-use summary

October 16th, 2013

Introduction to Wireless on the 3850

license right-to-use active apcount 5 slot 1 acceptEULA

October 16th, 2013

Introduction to Wireless on the 3850

license right-to-use activate ipbase all acceptEULA

October 16th, 2013

Introduction to Wireless on the 3850

Now reload the 3850 with the command shown below.

October 16th, 2013

Introduction to Wireless on the 3850

When the 3850 is finished booting, enter enable mode.

October 16th, 2013

Introduction to Wireless on the 3850

October 16th, 2013

Introduction to Wireless on the 3850

October 16th, 2013

Introduction to Wireless on the 3850

October 16th, 2013

Introduction to Wireless on the 3850

October 16th, 2013

Introduction to Wireless on the 3850

Configure the L3 link on the 3850 with the commands below.

October 16th, 2013

Introduction to Wireless on the 3850

October 16th, 2013