Cisco Mesh with LAPs and WLC lab.

Objetivo: simular conexiones exteriores inalámbricas punto a punto o punto a multipunto con ap lightweight en vez de los standalones.

La topología es la siguiente:

Cisco Mesh Networks:

Access Point Roles
Access points within a mesh network operate as either a root access point (RAP) or a mesh access point (MAP).
-RAPs have wired connections to their controller, and MAPs have wireless connections to their controller.
-MAPs communicate among themselves and back to the RAP using wireless connections over the 802.11a radio backhaul.
-MAPs use the Cisco Adaptive Wireless Path Protocol (AWPP) to determine the best path through the other mesh access points to the controller.

Network Access
Wireless mesh networks can simultaneously carry two different traffic types: wireless LAN client traffic and MAP Ethernet port traffic.
Wireless LAN client traffic terminates on the controller, and the Ethernet traffic terminates on the Ethernet ports of the mesh access points.

Deployment Modes
Mesh access points support multiple deployment modes, including the following:
•Wireless mesh
•WLAN backhaul
•Point-to-multipoint wireless bridging
•Point-to-point wireless bridging

Mesh Neighbors, Parents, and Children
Relationships among access points with the mesh network are labelled as parent, child or neighbor.
•A parent access point offers the best route back to the RAP based on its ease values. A parent can be either the RAP itself or another MAP.
–Ease is calculated using the SNR and link hop value of each neighbor. Given multiple choices, generally an access point with a higher ease value is selected.
•A child access point selects the parent access point as its best route back to the RAP.
•A neighbor access point is within the radio frequency (RF) range of another access point but is not selected as its parent or a child because its ease values are lower than that of the parent.

Wireless Mesh Constraints
When designing and building a wireless mesh network here are a few system characteristics to consider. Some of these apply to the backhaul network design and others to the CAPWAP controller design:
•Recommended backhaul is 24 Mbps
–24 Mbps is chosen as the optimal backhaul rate because it aligns with the maximum coverage of the WLAN portion of the client WLAN of the MAP; that is, the distance between MAPs using 24 Mbps backhaul should allow for seamless WLAN client coverage between the MAPs.
–A lower bit rate might allow a greater distance between mesh access points, but there are likely to be gaps in the WLAN client coverage, and the capacity of the backhaul network is reduced.
–An increased bit rate for the backhaul network either requires more mesh access points or results in a reduced SNR between mesh access points, limiting mesh reliability and interconnection.
–The wireless mesh backhaul bit rate is set on the controller.

Note The backhaul bit rate is set on the Wireless > 802.11an > Network page within the 802.11an global parameters section.

–The required minimum LinkSNR for backhaul links per data rate:

Data Rate

Minimum Required LinkSNR (dB)

54 Mbps


48 Mbps


36 Mbps


24 Mbps


18 Mbps


12 Mbps


9 Mbps


6 Mbps


Backhaul Data Rates and Minimum LinkSNR Requirements
•The required minimum LinkSNR is driven by the data rate and the following formula: Minimum SNR + fade margin. The next table summarizes the calculation by data rate.
–Minimum SNR refers to an ideal state of non-interference, non-noise and a system packet error rate (PER) of no more than 10%
–Typical fade margin is approximately 9 to 10 dB
–We do not recommend using data rates greater than 24 Mbps in municipal mesh deployments as the SNR requirements do not make the distances practical.

Date Rate

Minimum SNR (dB) +

Fade Margin =

Minimum Required LinkSNR (dB)


























M: Previo, conectamos los dos LAPs al switch de acceso, mediante la Vlan por la cuál se conectarán al WLC con modo LOCAL. Cambiamos el nombre de los LAP y le asignamos direcciones ip estáticas.


Antes de cambiar el modo de los ap de local a bridge hay que tener en cuenta lo siguiente:

• An AP in mesh mode needs to be authorized to join a controller. So the first step is therefore to add there mac address.
• Before converting to bridge mode we must add the mac address of the both APAP in Policies list or the MAC filtering list. From Security > AAA > AP Policies, click Add. (Aquí se puede hacer de otra manera, To add a MAC filter entry for the mesh access point on the controller using the controller GUI, choose Security > AAA > MAC Filtering)
• To configure Mesh, we will need to do multiple reboots of our APs. To reduce the number of reboots, configure all of the global Mesh settings first
• Don’t use static IP address especially on MAP (En esta parte no estoy muy de acuerdo, mi lab tenía el RAP y MAP con direcciones ip estáticas y no pasó nada)

Para añadir las MAC:

Ahora convertimos los LAP al modo Brigde. Example:

After selection of Bridge mode we must apply it. Then both AP will reboot.

Ambos LAPs se asocian al WLC en modo bridge:

Once the AP reboots, a new MESH tab is available under:  Wireless > All APs, click on LAPT1 or LAPT2.

Here are few boxes which we should remember.
AP Role: Either RAP or MAP
Bridge Type: Indoor
Bridge Group Name (BGN): It’s like a workgroup name, allow the APs to know which AP are part of their group. (En mi caso usaré TEST)
Bridge Data Rates: Rate at which data is shared between the mesh access points. This is fixed for a whole network. Default data rate is 18 Mbps, which you should use for the backhaul. Valid data rates: for 802.11a: 6, 9, 12, 18, 24, 36, 48, and 54
Since LAPT2 will send its traffic through LAPT1,L APT1 will be the RAP and LAPT2 will be the MAP. Don’t forget to configure an identical Bridge ID. (Otherwise leave it blank for both APs)
In Mesh tab, configure the rest of the AP settings.
• Select RAP role to LAPT1 and assign BGN name TEST
• Select MAP role to LAPT2 and assign BGN name TEST
And Apply. The APs will go through reboot again, and will take few minutes to rejoin to WLC.

*** MAPs use Adaptive Wireless Path Protocol (AWPP) to determine the best path through the mesh APs to their WLC. The protocol takes path decisions based on both link-quality and number of Mesh hops.
To prevent LAPT2 from simply connecting back up to the WLC through its wired port, Either place AP2 into a VLAN not routable or make the wired port shut for LAPT2, so that it has no path to the WLC except though its radios.
This is not mandatory- (When the APs come back up, LAPT1 will do another MAC auth. But LAPT2 will do a user auth. See the SNMP trap logs for the user name, and then create a local user with that name and make the password identical to the name.)We can see this error in trap log on WLC. (esta parte nunca la puse pero no sé si hace la verificación de username y password, la cosa es que se conectan)

En el WLC:

Tue Nov 10 12:39:25 2015 AAA Authentication Failure for UserName:c1250-30E4DXXXXXXX User Type: WLAN USER

Now my Both AP are up.
Now check the status: Go to Wireless > All APs , far right on AP1 there is blue box ,click on that and select Neighbor Information



LAPT1#sh mesh status
show MESH Status
RootAP in state Maint
Uplink Backbone: GigabitEthernet0, hw GigabitEthernet0
Configured BGN: TEST, Extended mode 0
Children: Accept child
rxNeighReq 264 rxNeighRsp 0 txNeighReq 0 txNeighRsp 264
rxNeighRsp 842 txNeighUpd 1682
nextchan 0 nextant 0 downAnt 0 downChan 0 curAnts 0
nextNeigh 3, malformedNeighPackets 0,poorNeighSnr 0
excludedPackets 0,insufficientMemory 0, authenticationFailures 0
Parent Changes 1, Neighbor Timeouts 0
Vector through 30e4.db7e.dd78:
Vector ease 1 -1, FWD: 30e4.db7e.dd78

LAPT1#sh mesh adjacency child
show MESH Adjacency Child
ADJ 1 Identity 30e4.db7e.dd72 MA: e8b7.4841.6d7f ver 0x20 minver 0x0 on device Dot11Radio:1 txpkts 4541 txretries 9194
worstDv 255 Ant 0, channel 153, biters 0, ppiters 10, fwd_state 3
Numroutes 0, snr 0, snrUp 88 snrDown 0 linkSnr 0 blistExp 3 bliters 0
adjustedEase 0 unadjustedEase 0 stickyEase 0 txParent 0 rxParent 0
Vector through 30e4.db7e.dd72:
Per antenna smoothed snr values: 0 0 0 0
Subordinate neighbors: 30e4.db7e.dd72
Hop-Count Extension: ON, Version: 1


LAPT2#sh mesh status
show MESH Status
MeshAP in state Maint
Uplink Backbone: Virtual-Dot11Radio0, hw Dot11Radio1
Configured BGN: TEST, Extended mode 0
Children: Accept child
rxNeighReq 0 rxNeighRsp 223 txNeighReq 398 txNeighRsp 0
rxNeighRsp 809 txNeighUpd 992
nextchan 0 nextant 0 downAnt 0 downChan 0 curAnts 0
nextNeigh 4, malformedNeighPackets 0,poorNeighSnr 0
excludedPackets 0,insufficientMemory 0, authenticationFailures 0
Parent Changes 1, Neighbor Timeouts 0
Vector through 30e4.db7e.dd78:
Vector ease 1 -1, FWD: 30e4.db7e.dd78

LAPT2#sh mesh adjacency parent
show MESH Adjacency Parent
ADJ 1 Identity 30e4.db7e.dd78 MA: 0007.7dd1.c66f ver 0x20 minver 0x20 on device Dot11Radio:1 txpkts 486 txretries 757
worstDv 0 Ant 0, channel 153, biters 0, ppiters 10, fwd_state 3
Numroutes 1, snr 0, snrUp 56 snrDown 87 linkSnr 77 blistExp 2 bliters 0
adjustedEase 23448576 unadjustedEase 23448576 stickyEase 29448576 txParent 428 rxParent 235
Authentication: EAP, Encryption: AES-CCMP, Fwd-state: OPEN/CONTROL
Vector through 30e4.db7e.dd78:
Vector ease 1 -1, FWD: 30e4.db7e.dd78
Per antenna smoothed snr values: 76 0 0 0
Hop-Count Extension: ON, Version: 1

Wireless Mesh configuration on the WLC:

• Range
○ Optimum distance that should exist between the RAP and the MAP
○ Normally this parameter applies to outdoor mesh access points to report Rouges to Controller.
○ IDS reports are generated for all traffic on the backhaul
• Backhaul Client Access
○ It applies to APs with 2 or more radios.
○ When it’s disabled, 11a radio -> backhaul, 802.11b/g -> Client associations.
○ When enabled, Slot 1 can do both backhaul and client associations
○ When Extended Backhaul client access is enabled, even slot 2 can be used for client associations.
• Mesh DCA Channel
○ When we change the channel under RRM then MAP will not detect this and they will continuously use that channel, so if we enable this feature the MAP will detect the channel change on RRM.
• Global Public Safety
○ Disabled by default, we can enable this to use 4.9GHz range.(This range used by US Public Safety channels)
• VLAN Transparent
○ It determines how VLAN tags are handled from the Ethernet bridged traffic
○ The VLAN tagging only works on non-backhaul Ethernet ports.
○ When enabled: VLAN tags are not supported and only 1 L2 VLAN ( Mesh AP vlan ) can be bridged when VLAN transparent is enabled
e the RAP , MAP ethernet ports must be configured as access ports on the switch
○ When this feature is disabled, all packets are tagged as non-VLAN transparent or VLAN-opaque . This implements VLAN tagging.
• Security mode
○ PSK or EAP authentication can be enabled
§ EAP must be selected if external MAC authorization using a RADIUS server is configured
§ PSK or Local EAP authentication is performed within the controller if External MAC Filter authorization parameter is disabled.
○ External MAC filter authorization
§ If the MAC address is not found in the local MAC filter list, then the RADIUS server is checked.
§ Protects against rogue APs.
○ Force External Authentication
§ When this is enabled along with External MAC filter authorization the RADIUS server decisions override the local MAC filter list.

By default Ethernet bridging is not allowed, it’s dropped on RAP Ethernet port, untagged.   To allow VLAN tagging we must disable VLAN Transparent option (Wireless > Mesh). Once we disable it VLAN tag will be accepted.

Now we will see the Ethernet interface under Mesh Tab, Click on it.

Para cumplir con el escenario queremos que al conectar una PC al puerto Gi0 del MAP, este obtenga una ip addres en la vlan40.

Para ello configuramos en el RAP:

•Ethernet ports on access points function as either access or trunk ports within an Ethernet tagging deployment.
•Access Mode- In this mode only untagged packets are accepted. All packets are tagged with a user- configured VLAN called access-VLAN. For this mode to take effect, the global VLAN mode should be non-VLAN transparent.
–This option is used for applications in which information is collected from devices connected to the MAP such as cameras or PCs and then forwarded to the RAP. The RAP then applies tags and forwards traffic to a switch on the wired network.

•Trunk mode—This mode requires the user to configure a native VLAN and an allowed VLAN list (no defaults). In this mode, both tagged and untagged packets are accepted. Untagged packets are always accepted and are tagged with the user specified native VLAN. Tagged packets are accepted if they are tagged with a VLAN in the allowed VLAN list. For this mode to take effect, the global VLAN mode should be non-VLAN transparent.
–This option is used for bridging applications such as forwarding traffic between two MAPs resident on separate buildings within a campus.
•The switch port connected to the RAP must be a trunk. (configure el puerto del switch de acceso como trunk y para mantener comunicación con los ap, con native vlan 46)
–The trunk port on the switch and the RAP trunk port must match.
•A configured VLAN on a MAP Ethernet port cannot function as a Management VLAN.
•The RAP must always connect to the native VLAN (ID 1) on a switch.
–The RAP’s primary Ethernet interface is by default the native VLAN of 1.

Note You cannot bridge VLAN ID 1 when using VLAN-Opaque Ethernet bridging because VLAN 1 is the internal native VLAN within a mesh network. This setting cannot be changed.

Una vez que conecto la PC tengo conexión en la vlan40.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.