Cisco vWLS in AWS

Just weeks before the beta testing of Cisco AireOS 8.5 started, my employer Conscia acquired a leading Danish AWS cloud integrator. The newest part of the Conscia family, now called http://www.cloudpartners.com, had expert know-how on everything regarding AWS. Me? I had no knowledge about AWS. (Still don’t.)

When Cisco announced that the virtual WLC in Amazon Web Services would be a feature in 8.5, I just had to test it. After talking with the Cisco wireless network business unit I was allowed into the beta program and had the AMI published to our AWS lab account.

At first Cisco reported that it would only work in US-WEST AWS region, but the experts at CloudPartners quickly got the vWLC up and running in Europe.

The first thing we did was build an IP filter list in AWS. There is no need to put a WLC directly on the Internet without some kind of firewall or ACL. After allowing only a few IPs to access the WLC, I logged in.
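As an added example (not from the original post), this is how that filter list can be expressed as an AWS security group rule set and checked before it is applied: management (HTTPS/SSH) only from named admin addresses, and the CAPWAP ports (UDP 5246 control, UDP 5247 data, the standard ports APs use to join a WLC) only from the networks the FlexConnect APs sit in. The CIDRs are constructed sample values; nothing here calls AWS, the output is the IpPermissions structure that boto3's authorize_security_group_ingress() accepts.

```python
import ipaddress

# Management ports that must never be reachable from the whole Internet.
MGMT_PORTS = {("tcp", 22): "ssh", ("tcp", 443): "https"}
# CAPWAP ports the FlexConnect APs use to reach the WLC.
CAPWAP_PORTS = {("udp", 5246): "capwap-control", ("udp", 5247): "capwap-data"}


def _perm(proto, port, cidrs, desc):
    """One IpPermissions entry; ip_network() rejects malformed CIDRs early."""
    return {
        "IpProtocol": proto,
        "FromPort": port,
        "ToPort": port,
        "IpRanges": [{"CidrIp": str(ipaddress.ip_network(c)), "Description": desc}
                     for c in cidrs],
    }


def build_wlc_ingress(admin_cidrs, ap_cidrs):
    """Management only from admin_cidrs, CAPWAP only from ap_cidrs."""
    perms = [_perm(p, port, admin_cidrs, d) for (p, port), d in MGMT_PORTS.items()]
    perms += [_perm(p, port, ap_cidrs, d) for (p, port), d in CAPWAP_PORTS.items()]
    return perms


def find_exposed_mgmt(perms, max_prefix=24):
    """Return (port, cidr) pairs where a management port is open wider than /max_prefix.

    CAPWAP rules are deliberately not flagged: APs may sit behind dynamic
    public addresses, so a wide AP range can be a legitimate choice.
    """
    exposed = []
    for perm in perms:
        if (perm["IpProtocol"], perm["FromPort"]) not in MGMT_PORTS:
            continue
        for rng in perm["IpRanges"]:
            if ipaddress.ip_network(rng["CidrIp"]).prefixlen < max_prefix:
                exposed.append((perm["FromPort"], rng["CidrIp"]))
    return exposed


if __name__ == "__main__":
    # Constructed sample: two admin hosts, one AP site range (TEST-NET addresses).
    good = build_wlc_ingress(["203.0.113.10/32", "198.51.100.7/32"], ["192.0.2.0/24"])
    print(find_exposed_mgmt(good))  # []
    sloppy = build_wlc_ingress(["0.0.0.0/0"], ["192.0.2.0/24"])
    print(find_exposed_mgmt(sloppy))  # [(22, '0.0.0.0/0'), (443, '0.0.0.0/0')]
```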

Man was I disappointed. It looked just like the normal vWLC (ok, it is almost a normal vWLC).

There are a few differences. First, the vWLC in AWS gets a private RFC1918 IP address, but that IP is Network Address Translated to a public IP. As with OEAP, you need to tell the WLC that it has a public IP.

[Screenshot, 2017-08-19 14.34.37]

Simply tick the “Enable NAT Address” box and put in the global IP address.

As the AMI is just a base image, you will most likely need to upgrade to the latest vWLC software. Make sure that you select the right image when you upgrade (small/large).

[Screenshot, 2017-08-19 14.39.18]

Normally I use the FTP option to download code into the WLC, but for the AWS WLC the HTTP way really makes sense.

Now would be a good time to take care of software activation: license, EULA, etc.

As the AWS WLC doesn’t support access points in local mode, you should ensure that all access points are FlexConnect. From the CLI, enter the command

configure ap autoconvert flexconnect enable

And of course you need to configure everything else as normal on the WLC: country code, SSIDs, RF settings, session timeout, whatever you want.

All that’s left now is to join the access point.

So what are my overall thoughts on the vWLC?

Overall it worked great. Using it for my home Wi-Fi, running PSK only, there was no difference running in the cloud. Except when upgrading software. The higher latency of having the WLC in the cloud made the software download to my access point take 25 minutes. Normally this is done within 5 minutes. Not that it’s a big issue if you don’t upgrade software that often, but be aware.

Do I see an enterprise use case for the AWS WLC? Definitely. Being able to have regional WLCs in different parts of the world, in the cloud, could be a solution for businesses not wanting to maintain a server room in each region.

But in an enterprise-grade wireless environment I would expect to see 802.1X authentication. So for a regional solution it would make sense to also have the RADIUS server in the cloud. And the RADIUS server might use Windows AD as a backend, so I guess that should also be in the cloud.

Am I still running in AWS? No, I needed to test something in 8.0 software, so I’m back on the physical appliance.
