
Wednesday, December 22, 2021

First, download the EWC image from Cisco.com. Note that although you have a 9120 model AP, the EWC image is based on the 9800 platform.

You must also have a TFTP server up and reachable from the AP. I use the freeware TFTPd64 on my PC.

Unzip the C9100 EWC AP image bundle to the TFTP folder. You will see a readme.txt file; open it.

When the AP is in EWC mode, you should have ap1g7 as the AP image and C9800-AP-iosxe-wlc.bin as the EWC image. Both should be uploaded to the AP via TFTP to do the conversion.










Though it is a fresh AP, it is best practice to do a hardware reset before the conversion. Plug in the console cable, hold the reset button at the back of the AP, and apply power either through an injector or via a PoE switch.
Note that IEEE 802.3af, which can only give a max power of 15.4 W per port, will not be able to boot up this AP. You will need at least IEEE 802.3at, which is called PoE+.
Now on the console, log in with the default username and password (Cisco, Cisco), use Cisco as the enable password, and enter the following commands.

capwap ap ip 192.168.100.101 255.255.255.0 192.168.100.254
ap-type ewc-ap tftp://192.168.10.10/ap1g7 tftp://192.168.10.10/C9800-AP-iosxe-wlc.bin

The IP 192.168.10.10 is my TFTP server.

After you enter the last command, the AP will reset and reboot into the EWC mode CLI.
You will be asked to enter the initial configuration wizard, like on routers; just answer NO for this one.


Note that if this does not appear, perhaps because a previous configuration was not wiped by the reset, you will see a prompt with a hostname like EWC> or some other hostname. If this happens continuously, just reload and configure through the wizard.

We will start by going to config mode and setting the hostname.

configure terminal
 hostname EWC

Now let's create the local user admin

user-name admin
  privilege 15
  password 0 Cisco123
  exit

Now specify the credentials used to log into APs joined to this EWC
 
ap profile default-ap-profile
  mgmtuser username admin password 0 Cisco123 secret 0 Cisco123
  exit

Now configure management interface IP address and subnet
 
interface gigabitEthernet 0
 ip address 192.168.100.100 255.255.255.0
 exit

Now configure the management default gateway IP address
 
ip default-gateway 192.168.100.254

Now enable the web interface of the EWC (the first command enables HTTP, the second HTTPS).

ip http server
ip http secure-server

Finally, save the configuration so the above commands are retained.

end
write memory

Now, if you are in the same subnet/VLAN as the EWC, you can log in to the EWC via the browser.

You can now use the username you created to log in to the GUI:

username: admin
password: Cisco123


After you log in to the EWC, you will notice that there are no APs joined to the controller. This is because the conversion performed a factory reset on the AP, so your EWC is now in the 192.168.100.0/24 subnet while the AP is in the default 192.168.1.0/24 subnet.


Now log in to the AP internally from the EWC CLI using the following command:

wireless ewc-ap ap shell username admin
Use the admin password Cisco123; the enable password will also be Cisco123.

If this username and password are not accepted, use the default username Cisco and password Cisco to get in to the AP.

If you run show ip interface brief, you will see that the AP and the EWC are in different VLANs.
You will need to set the IP address of the AP again to match the EWC subnet.

capwap ap ip 192.168.100.101 255.255.255.0 192.168.100.254

Now the AP will register with the EWC, and everything else regarding the AP can be configured easily via the GUI.

Joining Other APs to the EWC

The other APs need the correct images to join this EWC, so the following configuration must be present on the EWC to identify the TFTP location.

wireless profile image-download default
 image-download-mode tftp
 tftp-image-server 192.168.10.10
 tftp-image-path /

On the other APs, you need to configure the IP address and mask. The controller IP should also be configured if they are placed in a different VLAN from the EWC, just like a normal lightweight AP.

capwap ap ip 192.168.100.102 255.255.255.0 192.168.100.254
capwap ap primary-base EWC 192.168.100.100


Additional Notes:

You can factory reset the AP from the EWC CLI with the following command:
wireless ewc-ap factory-reset

You can convert the EWC back to CAPWAP mode using the following command in the AP CLI:
ap-type capwap
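
The EWC commands in this post store credentials as type 0 (cleartext), reuse one password for the controller and the AP profile, enable plain HTTP alongside HTTPS, and pull AP images over TFTP. As an added example (not part of the original post and not a Cisco tool), the Python check below flags those settings in a saved configuration; the rule names and the sample text are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the security-relevant EWC commands from this post,
# normalised to one-space indentation (not output captured from a device).
SAMPLE_CONFIG = """\
hostname EWC
user-name admin
 privilege 15
 password 0 Cisco123
ap profile default-ap-profile
 mgmtuser username admin password 0 Cisco123 secret 0 Cisco123
ip http server
ip http secure-server
wireless profile image-download default
 image-download-mode tftp
 tftp-image-server 192.168.10.10
"""

# "password 0 <value>" / "secret 0 <value>": type 0 means stored in cleartext.
CLEARTEXT = re.compile(r"\b(password|secret)\s+0\s+(\S+)")

def audit(config: str):
    """Return (rule, section, detail) findings; rule names are hypothetical."""
    findings, section = [], ""
    seen = defaultdict(set)            # secret value -> sections that use it
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():       # an unindented line opens a new section
            section = line
        for kind, value in CLEARTEXT.findall(line):
            findings.append(("cleartext-credential", section, f"{kind} 0"))
            seen[value].add(section)
            if "cisco" in value.lower():
                findings.append(("vendor-derived-password", section, kind))
        if line == "ip http server":   # plain HTTP management listener
            findings.append(("http-management", section, line))
        if line == "image-download-mode tftp":
            findings.append(("unauthenticated-image-transfer", section, line))
    for sections in seen.values():
        if len(sections) > 1:          # same secret in more than one section
            findings.append(("credential-reuse", "", ", ".join(sorted(sections))))
    return findings

if __name__ == "__main__":
    for rule, section, detail in audit(SAMPLE_CONFIG):
        print(f"{rule:32} {section or '-':40} {detail}")
```

The credential-reuse finding reports the sections that share a secret, never the secret itself, so the output can be attached to a change ticket.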

Saturday, December 18, 2021

The model I use is Cisco 9120AXI-E and the IOS-XE version is 17.05.01

First check whether the proper license is activated in your AP.

You will need to switch to Expert mode in the GUI to create VLANs; otherwise the option will not be visible in the Configuration section.

Click on the Settings icon ⛭ (preferences) in the GUI, select Expert mode, and hit Save.


Now you will see an option to create VLANs in Configuration > Layer2

Click on it.

Now click +Add, enter the VLAN number, tick IP options, and give an IP and subnet mask to the SVI of the VLAN.

For my lab I created VLAN 10 and VLAN 20 with the following IP details.


VLAN 10 - 
SVI 192.168.10.1  mask 255.255.255.0

VLAN 20 - 
SVI 192.168.20.1  mask 255.255.255.0

Now go to the Wireless Setup > Basic to create the SSIDs.

Hit +Add to create a Location

Don't forget to enter the native VLAN ID on the General page here. In my case it is 100.

Now go to the next page > Wireless Networks and click +Add to create SSIDs.

Here I created SSID-01 with VLAN 10 and the Security Method WPA2 Personal, which only needs a pre-shared key to connect.
I also created SSID-02 with VLAN 20 and the same Security Method.

Now you will need to create a DHCP Pool for the Clients to connect.

Go to Administration > DHCP Pools and create 2 DHCP pools for 2 VLANs. 
Remember to add Gateway and DNS IPs on the Advanced page when creating these pools.

The following was my configuration.

VLAN 10 -
NETWORK 192.168.10.0
MASK 255.255.255.0
RANGE 192.168.10.15-192.168.10.25
GATEWAY 192.168.10.254
DNS 8.8.8.8

VLAN 20 -
NETWORK 192.168.20.0
MASK 255.255.255.0
RANGE 192.168.20.15-192.168.20.25
GATEWAY 192.168.20.254
DNS 8.8.8.8

192.168.10.254 and 192.168.20.254 are in the core switch of the network.









Now the access switch must be configured the same way as when you connect a Flex mode AP.

interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 100
 switchport trunk allowed vlan 10,20,100
 switchport mode trunk

The native VLAN carries the management plane traffic, and all other APs in the cluster should communicate through this VLAN, which in my case is 100.

The trunk between the CORE and access switches should also be configured properly.

When a client connects to SSID-01, it gets an IP from VLAN 10, its traffic is forwarded to the DHCP-assigned gateway 192.168.10.254, and the routing table of the CORE switch takes care of the rest.