CISCO IOS-XE 17.14.1 eWLC Virtual Beta Wireless EFT User Guide

June 16, 2024
Cisco

IOS-XE 17.14.1 Wireless EFT Guide
TME Team

Introduction

Cisco Enterprise Wireless solutions are resilient, have integrated security, and employ adaptive and insightful intelligence providing useful insight into your network. With intent-based networking built on Cisco Digital Network Architecture, Cisco Enterprise Wireless solutions go beyond the latest Wi-Fi 6 and Wi-Fi 6E (802.11ax) standard and are ready for the growing user expectations, IoT devices and next gen cloud-driven applications.

Cisco Catalyst 9800 Series Wireless Controllers: The Catalyst controllers streamline the best of RF excellence with open, programmable Cisco IOS® XE benefits, meaning you no longer have two operating systems to manage. These modular, reliable, and highly secure controllers are flexible enough to deploy anywhere including your choice of cloud.
Cisco Catalyst® 9100 Access Points: Going beyond the Wi-Fi 6 and 6E standard, the Cisco Catalyst 9100 access points provide integrated security, resiliency, and  operational flexibility, as well as increased network intelligence. These access points extend Cisco’s intent-based network and scale to the growing demands of the Internet of Things (IoT) while fully supporting the latest innovations and newest technologies, making them perfect for organizations of all sizes.
To get a complete overview and learn more about Cisco Enterprise Wireless Products and Solutions, please visit the following page: https://www.cisco.com/c/en/us/products/wireless/index.html-~resources
Cisco Catalyst 9800 Series Wireless Controllers based on IOS-XE were introduced to the market at the end of 2018 with IOS-XE Release 16.10.1. There have been constant innovations, new platform introductions, feature enhancements and feature parity additions over the last couple of years to make Cisco Catalyst 9800 Series Wireless Controllers and Cisco Catalyst 9100 Access Points the best in enterprise class in the market.

This document provides feature overview, configuration and test scenarios for a few selected wireless features based on customer interest, for early field trial of IOS-XE Release 17.14.1.
We welcome you to the EFT program for the IOS-XE Wireless Software Release 17.14.1. Cisco recognizes and appreciates the time and effort that you will spend evaluating the features in this software release and hopes that you will find it meets your expectations.
This software and accompanied documentation are being provided to you under the non-disclosure agreement between you, your organization and Cisco. Please do not discuss this project and its features outside of the discussions on Cisco Beta related mailing lists.
This software is pre-release software and as such should never be used in a commercial operating environment or with mission critical data. We recommend that you install this software on a test network/system initially and then move to production testing as you are more comfortable with it.
Please use the software as you would normally in your day-to-day tasks and report any problems that you find.

Providing Feedback and requesting support

Details on providing feedback are given below. Also note that throughout the project we may ask for feedback on specific areas of the software. Your feedback is vital to Cisco Systems in providing you with the features and utility that you require to realize your individual mission. This EFT represents an opportunity to see if this addresses your needs and to provide input regarding its suitability.
The EFT program start-date and timelines have been communicated to you under a separate communication by the EFT administrator. At least one EFT software refresh will be available during the EFT phase. To include as many fixes as possible in this refresh release, you and your staff are encouraged to test this software and provide feedback as early in the program as possible. There will be a cut-off at which point we will freeze development to test and release the update image. The update will contain important fixes and all participants are recommended to upgrade once the EFT refresh software is available. If you find issues or have additional comments or feedback after the EFT program concludes, we still, as always, welcome your feedback!
For us to track found issues, provide comments, or ask questions you can submit your query to: polaris-wireless-beta@cisco.com 
Catalyst 9800 IOS XE 17.14.1 Software EFT Images: Below location can be used to pull the latest EFT Images:
Catalyst 9800 platforms:
Catalyst 9800-CL Wireless Controller:
Catalyst 9800-80 Wireless Controller:
Catalyst 9800-L Wireless Controller:
Catalyst 9800-40 Wireless Controller:

EWC (Embedded Wireless Controller on AP):
Catalyst 9130AXI Access Point:
Catalyst 9120AXI Access Point:
Catalyst 9115AXI Access Point:
Again, thank you for your time and effort in helping Cisco to meet your needs. We value this relationship and look forward to your comments and continued support.
Please do not hesitate to contact us if you have any questions now, or at any point during the EFT.
Simplicity:
Programmability (xPath) ask: Cisco-IOS-XE-platform-software-Oper enhancement: This feature introduces the new YANG model to show the CPU processes for WNCD and PUBD of Catalyst 9800 WLCs.
Getting the CPU details of these processes is tedious while troubleshooting.
Programmability (xPath) ask: Clear aaa counter: This feature provides YANG RPC support for a few AAA counter CLIs so that the customer can clear the counters for all RADIUS servers, or for a specified RADIUS server ID, on the device.
WLC: show tech diagnostics for appliances: This feature is to enhance the “show tech-support diagnostic” output to include more details which would help in troubleshooting issues.
Mesh RRM Enhancement:
Today, RRM DCA runs on the RAP BH radio only, i.e., it optimizes the RAP BH radio channel of a mesh subtree considering measurements (noise/interference/load/RF params etc.) only from the RAP. This exposes the issue where DCA is not able to react to bad BH channel quality experienced by a MAP outside the RAP's WiFi range.
In 17.14.1, DCA runs on RAP BH radio like previous versions, however RRM Client reaches out to mesh for responding to RRM Manager for queries on mesh BH radio.
Security:
Support Flexconnect Local Switching L2 Auth + L3 Auth CWA + Dynamic VLAN AAA override: This feature is to support VLAN overrides in L2 + L3 Authentication in FlexConnect Local Switching.
Connectivity:
New Countries for 6GHz radio support: Starting 17.14.1, we are enabling 6GHz radio on all WiFi 6E Access Points in additional Countries.

Network Topology

Pre-requisites

3.1 Test Setup

Feature| Mandatory Equipment
---|---
Support Flexconnect Local Switching L2 Auth + L3 Auth CWA + Dynamic VLAN AAA override| 1. C9800 running in latest 17.14.1 EFT Code; 2. Catalyst Access Point; 3. Cisco ISE
Programmability (xPath) ask: Cisco-IOS-XE-platform-software-Oper enhancement| 1. C9800 running in latest 17.14.1 EFT Code; 2. Catalyst Access Point; 3. Wireless Clients; 4. Tools for API (NETCONF/RESTCONF)
Mesh RRM Enhancement| 1. C9800 running in latest 17.14.1 EFT Code; 2. 3x Catalyst Access Points C9124 or C9130
Programmability (xPath) ask: Clear aaa counter| 1. C9800 running in latest 17.14.1 EFT Code; 2. Catalyst Access Point; 3. Wireless Clients; 4. RADIUS Server
WLC: show tech diagnostics for appliances| 1. C9800 running in latest 17.14.1 EFT Code; 2. Catalyst Access Points
New Countries for 6GHz radio support| 1. C9800 running in latest 17.14.1 EFT code; 2. Catalyst 6GHz Access Point

Feature| C9800 Support| EWC Support| SDA Support
---|---|---|---
Support Flexconnect Local Switching L2 Auth + L3 Auth CWA + Dynamic VLAN AAA override| Yes| Yes| NA
Programmability (xPath) ask: Cisco-IOS-XE-platform-software-Oper enhancement| Yes| Yes| Yes
Mesh RRM Enhancement| Yes| Yes| –
Programmability (xPath) ask: Clear aaa counter| Yes| Yes| Yes
WLC: show tech diagnostics for appliances| Yes| Yes| Yes
New Countries for 6GHz radio support| Yes| NA| Yes

3.2 Upgrade Paths
For this EFT program, Cisco recommends following the below upgrade path.
a) 17.16.5 -> 17.14.1 EFT Image (Cisco qualified)
b) 17.9.4 -> 17.14.1 EFT Image (Cisco qualified)
c) 17.12.2 -> 17.4.1 EFT Image (Cisco qualified)
Note: If the customers have C9130 running 17.3.x, to successfully upgrade to 17.14.1, please upgrade to 17.6.x/17.9.x first.
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-3/release-notes/rn-17-39800.html

3.3 KPI
It is highly desirable to collect the below KPIs and share them with the EFT leads during the EFT phase. This will help triage issues more quickly and resolve any defects found faster. It can also help deliver optimizations wherever possible.

No.| KPI| Value
---|---|---
1| Total AP count|
2| AP deployment Modes|
3| Total Client count|
4| WLC & AP Models|
5| CPU|
6| Memory utilization|
7| Free memory|
8| Free timer pool|
9| Packet pool|
10| WQE Pool|

Compatibility Matrix

Access Point| IOS-XE| Cisco DNA Center| Cisco Spaces| Prime| Cisco Spaces –On Prem| ISE
---|---|---|---|---|---|---
AP1540/AP1560, AP1815/1830/1840, AP1852/AP1800i, AP2800/AP3800/AP4800, C9105AX, C9115AX, C9120AX, C9124AX, C9130AX, C9136AX, CW9162I, CW9164I, CW9166I, CW9166D1, CW9163E| 17.14.1| 2.3.7.x, 2.3.6.x, 2.3.5.x| DNA Space Connector 3.0| 3.10.2, 3.10.1, 3.10| 11.0| 3.2 + latest patch, 3.1 + latest patch, 3.0 + latest patch

Features to Test

5.1 Support Flexconnect Local Switching L2 Auth + L3 Auth CWA + Dynamic VLAN AAA override
Feature Overview:
This enhancement request is to perform L3 authentication after L2 authentication and support dynamic VLAN after L3 authentication in FlexConnect Local Switching.
Starting 17.14.1, we can have 2 different VLANs, 1 VLAN post the L2 Authentication and another VLAN post the CWA Authentication.
Pre-Requisite:

  • Cisco Catalyst 9800 with latest Beta image
  • Cisco Catalyst Access Point in latest Beta Image in Flexconnect Mode
  • Wireless Clients
  • ISE

Configuration:
Security Combination: L2 dot1x + L3 CWA + AAA VLAN Override based on Users
Example SSID & Policy Configuration:

Verification:

  1. Associate a client to above configuration
  2. Verify the client can obtain IP post the L2 Auth – Supports overridden VLAN too
  3. And similarly, the client can obtain new IP based on overridden VLAN post the L3 Auth
  4. The client should be fully functional
  5. The client should be intact post the roaming

5.2 Programmability (xPath) ask: Cisco-IOS-XE-platform-software-Oper enhancement
Feature Overview:
This feature introduces the new YANG model to show the CPU processes for WNCD and PUBD of Catalyst 9800 WLCs. Getting the CPU details of these processes is tedious while troubleshooting.
Now, we can use these YANG data models to get the statistics from these processes instead of traditional CLI commands.
With these, we can integrate this with automation and proactively monitor the WLC in case of over usage of these modules.
Pre-Requisite:

  • Cisco Catalyst 9800 with latest Beta image
  • Cisco Access Points
  • Wireless Clients
  • Tools for API (NETCONF or RESTCONF)

Configurations:
Enhancement for xPath “Cisco-IOS-XE-platform-software-oper” to support the following CLI’s:

  • show processes cpu platform | in wncd
  • show processes cpu platform | in pubd

Verifications:

  1. Connect as many APs and clients as possible to the WLC under test
  2. Check the output of commands in the Configuration section
  3. Execute the xPath to retrieve data from the model “Cisco-IOS-XE-platform-software-oper” and validate it against the command output.

5.3 Mesh RRM Enhancement
Feature Overview:
Today, RRM DCA runs on the RAP BH radio only, i.e., it optimizes the RAP BH radio channel of a mesh subtree considering measurements (noise/interference/load/RF params etc.) only from the RAP. This exposes the issue where DCA is not able to react to bad BH channel quality experienced by a MAP outside the RAP's WiFi range.
In 17.14.1, DCA runs on RAP BH radio like previous versions, however RRM Client reaches out to mesh for responding to RRM Manager for queries on mesh BH radio.
Mesh would provide callbacks for certain queries e.g., Noise, Load, Interference:
For Noise, Interference and Load, mesh will provide the worst data per channel available from a mesh subtree, thereby enabling DCA to consider the POV of all subtree member APs.

Pre-Requisite:

  • Cisco Catalyst 9800 with latest Beta image
  • Cisco Catalyst Access Points C9124 in Bridge mode (RAP/MAP)
  • Interfering devices

Topology:

Configuration & Verification:

Global: Per BGN:

Specific AP:

To see the Mesh DCA Status, use the below commands:

Verification:

Before DCA:
C9800#show wireless mesh rrm dca status
###################################################################
Radio slot MAC : 4ca6.4d22.8140
Radio slot id : 1
Radio Type : 802.11a
DCA status : Running
DCA reason : Triggered by CLI
Mesh RRM DCA status
Backhaul channel before DCA run : 132
Backhaul channel width : 40
Mesh RRM DCA outcome
DCA run start : 12/07/2023 15:22:57
DCA run end : 12/07/2023 15:23:05
DCA proposed best Channel : 140
Channel width : 40
DCA proposed next best Channel : 0
Channel width : 20
Outcome of DCA run : Channel change proposed
Channel change status : Channel change initiated

After DCA: Once the Noise is introduced, the Channel switches while DCA
C9800#show wireless mesh rrm dca status
###################################################################
AP Name : C9124-1
Radio slot MAC : 4ca6.4d22.8140
Radio slot id : 1
Radio Type : 802.11a
DCA status : Not Running
DCA reason : Triggered by CLI
Mesh RRM DCA status
Backhaul channel before DCA run : 140
Backhaul channel width : 40
Mesh RRM DCA outcome
DCA run start : 12/07/2023 15:43:18
DCA run end : 12/07/2023 15:43:26
DCA proposed best Channel : 120
Channel width : 40
DCA proposed next best Channel : 161
Channel width : 40
Outcome of DCA run : Channel change proposed
Channel change status : Channel change initiated

Workflow:

  • RRM will be provided the noise, interference, and load data from the entire mesh tree
  • RRM DCA will use the input provided from the whole tree to make its choice for the mesh BH channel.
  1. DCA runs on RAP BH radio as it does today, however RRM Client reaches out to mesh for responding to RRM Manager for queries on mesh BH radio.

  2. Mesh would provide callbacks for certain queries e.g. Noise, Load, Interference and Radar Data.
    • For Noise, Interference and Load, mesh will provide the worst data per channel available from a mesh subtree, thereby enabling DCA to consider the POV of all subtree member APs.
    • For radar data it will do a union of the data available in the subtree.

  3. Other inputs such as RF Density, Client, Neighbor and RF Params will be used as is done at present.

Note: All mesh APs in a subtree should be configured to belong to the same site-tag for DCA to work properly. Having the APs scattered under default-site-tag will lead them to be scattered amongst the multiple WNCd instances, leading to inefficient DCA conclusions.
Note: There are few commands to simulate the noise in the Mesh tree. Do reach out to Beta leads to get more information on these commands.
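
The worst-per-channel and radar-union aggregation described in the workflow above, as an added illustration that is not Cisco's RRM code. The AP names, the measurements and the "lowest worst-case noise, skip radar channels" selection rule are constructed assumptions standing in for DCA's actual metric.

```python
# Constructed measurements for one mesh subtree; AP names and values are made up.
# Noise is in dBm and load in percent; for both, a higher number is worse.
SUBTREE = {
    "RAP-1": {"noise": {132: -95, 140: -92, 149: -94},
              "load": {132: 10, 140: 12, 149: 8}, "radar": set()},
    "MAP-1": {"noise": {132: -70, 140: -91, 149: -93},
              "load": {132: 35, 140: 15, 149: 9}, "radar": {149}},
    "MAP-2": {"noise": {132: -93, 140: -90, 149: -92},
              "load": {132: 12, 140: 14, 149: 20}, "radar": set()},
}


def worst_per_channel(reports, metric):
    """Worst (highest) value of one metric per channel across the given APs."""
    worst = {}
    for ap in reports.values():
        for channel, value in ap[metric].items():
            worst[channel] = max(value, worst.get(channel, value))
    return worst


def radar_union(reports):
    """Every channel on which any AP in the subtree has reported radar."""
    return set().union(*(ap["radar"] for ap in reports.values()))


def quietest_channel(reports):
    """Assumed stand-in for DCA: lowest worst-case noise, skipping radar channels."""
    noise = worst_per_channel(reports, "noise")
    blocked = radar_union(reports)
    candidates = {ch: n for ch, n in noise.items() if ch not in blocked}
    return min(candidates, key=candidates.get)


def rap_only_vs_subtree(reports, rap):
    """Channel chosen from the RAP's view alone versus from the whole subtree."""
    return quietest_channel({rap: reports[rap]}), quietest_channel(reports)


if __name__ == "__main__":
    print("worst noise :", worst_per_channel(SUBTREE, "noise"))
    print("worst load  :", worst_per_channel(SUBTREE, "load"))
    print("radar union :", radar_union(SUBTREE))
    print("RAP-only vs subtree choice:", rap_only_vs_subtree(SUBTREE, "RAP-1"))
```

With the RAP's data alone, channel 132 looks cleanest even though MAP-1 sees heavy noise there; the subtree view moves the choice away from it.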

5.4 Programmability (xPath) ask: clear aaa counter
Feature Overview:
This feature is about IOS-XE RPC “clear aaa counters servers <>” and “clear radius statistics” to clear the aaa servers’ statistics. It helps to clear aaa counters to validate TLS health before AP migration and radius auth health after AP migration.
This feature provides YANG RPC support for the following CLIs so that the customer can clear the counters for all RADIUS servers, or for a specified RADIUS server ID, on the device.

CLI| XPath| Definition
---|---|---
“Clear aaa counters servers all”| /clear/aaa/counters/servers/all| The CLI command clears the counters for all AAA RADIUS servers.
“Clear aaa counters servers radius <all or 0-2147483647>”| /clear/aaa/counters/servers/radius| The CLI function can be used to clear the counters for either all the AAA RADIUS servers or for a specific server ID.
“Clear radius statistics”| /clear/radius/statistics| The CLI command clears the radius server statistics.

Pre-Requisite:

  • Cisco Catalyst 9800 with latest Beta image
  • Cisco supported Access Points
  • Wireless Clients
  • Cisco ISE
  • Tools for API (NETCONF or RESTCONF)

Verification:

  1. Configure an AAA server group with an IPv4 server, authenticate the client using this server group, and generate some metrics in “show aaa servers” by triggering authentication, authorization, and accounting scenarios.
  2. Enable accounting list in policy profile and enable periodic interim update to 1 minute under AAA advance
  3. Clear AAA counters using the xPath /clear/aaa/counters/servers/all
  4. Clear radius statistics using the xPath /clear/radius/statistics
  5. Execute #show aaa servers and #show radius statistics to check if the counters are cleared.
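
One way to automate step 5, as an added example that is not part of the Cisco guide: the script parses “show aaa servers” text and lists every RADIUS server ID that still carries non-zero counters. The two outputs are constructed and abbreviated, and the function names are hypothetical.

```python
import re

# Constructed, abbreviated "show aaa servers" output (not captured from a device).
BEFORE_CLEAR = """\
RADIUS: id 1, priority 1, host 192.0.2.10, auth-port 1812, acct-port 1813
     Authen: request 14, timeouts 2, failover 0, retransmission 2
             Response: accept 10, reject 2, challenge 0
             Response: unexpected 0, server error 0, incorrect 0, time 12ms
     Account: request 9, timeouts 0, failover 0, retransmission 0
             Request: start 3, interim 6, stop 0
     Elapsed time since counters last cleared: 14m
RADIUS: id 2, priority 2, host 192.0.2.11, auth-port 1812, acct-port 1813
     Authen: request 0, timeouts 0, failover 0, retransmission 0
     Elapsed time since counters last cleared: 14m
"""
# The first server after the clear RPC: every counter back at zero (constructed).
AFTER_CLEAR = """\
RADIUS: id 1, priority 1, host 192.0.2.10, auth-port 1812, acct-port 1813
     Authen: request 0, timeouts 0, failover 0, retransmission 0
     Account: request 0, timeouts 0, failover 0, retransmission 0
             Request: start 0, interim 0, stop 0
     Elapsed time since counters last cleared: 0m
"""

SERVER_RE = re.compile(r"^RADIUS: id (\d+),")
SECTIONS = {"Authen", "Author", "Account"}
SUBLINES = {"Request", "Response", "Transaction", "Throttled"}


def residual_counters(show_aaa_servers):
    """Return {server id: {counter path: value}} for every non-zero counter."""
    residual, server, section = {}, None, None
    for raw in show_aaa_servers.splitlines():
        line = raw.strip()
        match = SERVER_RE.match(line)
        if match:                          # a new server block starts
            server, section = int(match.group(1)), None
            residual[server] = {}
            continue
        label, sep, rest = line.partition(":")
        if server is None or not sep:
            continue
        if label in SECTIONS:
            section, prefix = label, label
        elif section and label in SUBLINES:
            prefix = f"{section}.{label}"
        else:                              # State, Dead, Elapsed time, ...
            continue
        for item in rest.split(","):
            name, _, value = item.strip().rpartition(" ")
            if name and value.isdigit() and int(value):   # skips "time 12ms"
                residual[server][f"{prefix}.{name}"] = int(value)
    return residual


def uncleared_servers(show_aaa_servers):
    """Server ids that still carry counters, i.e. the clear did not reach them."""
    return sorted(s for s, c in residual_counters(show_aaa_servers).items() if c)
```

Feed it the output captured before and after the xPath calls in steps 3 and 4; an empty list after the clear means every server's counters were reset.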

5.5 WLC: show tech diagnostics for appliances
Feature Overview:
This feature is to enhance the “show tech-support diagnostic” output to include more details which would help in troubleshooting issues.
This will consolidate the output of various platform independent and platform dependent show commands under “show tech-support diagnostic”.
Pre-Requisite:

  • Cisco Catalyst 9800 with latest Beta image

Verification:
Starting 17.14.1, the “show tech-support diagnostic” command will also comprise the following show commands outputs:

  1. Platform Independent commands already present under “show tech-support diagnostic”:
    show clock
    show version
    show running-config
    show inventory
    show diagnostic bootup level
    show diagnostic status

  2. Platform Independent commands to be included under “show tech-support diagnostic”:
    show platform
    show interface status
    show facility-alarm status
    show platform diag
    show chassis
    show ip interface brief
    show diag all eeprom detail
    show interfaces (includes port-channel and vlan interfaces also)
    show platform resources
    show inventory raw

  3. Platform Dependent commands to be included under “show tech-support diagnostic”:
    show platform software system all (vwlc)
    show environment all (katar, qwlc, pwlc)
    show platform integrity (katar, qwlc, pwlc)
    show rom-monitor chassis active/standby R0 (katar, qwlc, pwlc)
    show platform hardware slot R0 led status (katar, qwlc, pwlc)
    show platform hardware port 0/0/0 ezman info (qwlc, pwlc)
    show interfaces tenGigabitEthernet 0/0/0 transceiver (qwlc, pwlc)
    show interfaces tenGigabitEthernet 0/0/0 transceiver detail (qwlc, pwlc)
    show hw-module subslot < > transceiver < > status (qwlc, pwlc)
    show platform hardware port < > ezman statistics (qwlc, pwlc)
    show platform hardware port < > ezman autotune status (qwlc, pwlc)
    show hw-module subslot < > transceiver < > idprom detail (qwlc, pwlc)
    show platform hardware slot R0 ha_port interface stats (qwlc, pwlc)

Platforms Supported:
The implementation of the feature shall be on the following Wireless Platforms.

  1. C9800-CL – both private and public cloud platforms.
  2. C9800-40/80
  3. C9800-L
  4. CW9800 Series

5.6 New Countries for 6GHz radio support
Feature Overview:
Starting 17.14.1, we are enabling 6GHz radio on all WiFi 6E Access Points in additional Countries.
Pre-Requisite:

  • Cisco Catalyst 9800 with latest Beta image
  • Cisco Catalyst WiFi6E Access Points

Verification:
Starting 17.14.1, 6GHz band can be enabled in the following additional Countries:

  1. Mexico
  2. Chile
  3. Guatemala
  4. Singapore
  5. Thailand
  6. South Africa
  7. Colombia
  8. Turkey
  9. Dom. Republic
  10. Bahrain
  11. Taiwan
  12. Argentina

Cisco Confidential
