How to use this document
The Cisco series 916x access points come pre-loaded with both DNA and Meraki images. This allows for flexibility in choosing which management mode will best suit you, the user. This document contains a pre-flight checklist for migrating APs from Meraki managed mode to DNA mode. If you are interested in migrating from DNA mode to Meraki management mode, please review this document.
Meraki Dashboard to DNA management mode checklist
The following items need to be verified before migrating your AP into DNA management mode:
Confirm that there are no dashboard alerts related to regulatory or config fetch
The migration can't be performed if the APs have alerts related to regulatory or config fetch.
If you find alerts related to regulatory, please follow this doc to fix them.
Is Meshing disabled on the Network?
In order to ensure that APs without wired uplinks don't lose their connections during a migration, mesh networking must be disabled on an AP's network before it is allowed to migrate. If you try using the Dashboard UI to migrate an AP on a network where meshing is enabled, you'll get an error message saying "Node cannot be migrated unless meshing is disabled for the node's network." It will be necessary to either disable meshing via the Network-wide > General page or move the AP to a network where it's safe to disable meshing before migrating the node.
If there are non-CW916X APs in the network that require meshing, move the APs to be migrated to a new network where meshing can be disabled.
Do you have an IOS-XE controller?
The controller can be a physical 9800-CL or virtual vWLC in the cloud. DNA management mode APs cannot run in autonomous mode and require a controller to operate.
Is the controller running 17.9 or higher?
CW916X APs only support this code or higher. The current version can be seen from the Dashboard landing page of the WLC:
Additionally, you can use the following command to verify the code version:
    #sh running-config
    Building configuration...
    Current configuration : 20397 bytes
    !
    ! Last configuration change at 16:33:58 UTC Wed Jul 27 2022 by ****
    ! NVRAM config last updated at 02:44:18 UTC Wed Jun 22 2022 by ****
    !
    version 17.9
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service call-home
    platform qfp utilization monitor load 80
    platform punt-keepalive disable-kernel-core
    platform console virtual
Here is a guide to upgrading 9800 controller firmware.
Has the controller been configured?
APs will only be able to join a controller once its minimum configurations have been applied. The following documentation can assist you in making these configurations:
Are all Meraki regulatory domains included in the 9800 country code list?
Each AP being migrated must have its regulatory domain pre-configured on the controller. The regulatory domain can be checked in Dashboard by viewing the Organization > Inventory page:
This information can be viewed in the WLC by navigating to Configuration > Wireless > Access Points > Country.
Additionally, the following command can be used to check the currently configured countries:
    9800-30#sh wireless country configured
    Configured Country................ Multiple Countries : DE,US
    Configured Country Codes
    DE - Germany 802.11a Indoor,Outdoor/ 802.11b Indoor,Outdoor/ 802.11g Indoor,Outdoor/ 802.11 6GHz Indoor
    US - United States 802.11a Indoor,Outdoor/ 802.11b Indoor,Outdoor/ 802.11g Indoor,Outdoor/ 802.11 6GHz Indoor
Here is a guide for configuring country codes inside of a 9800 WLC.
Is the wireless management interface set?
This is part of the basic configuration but can be missed. It can be checked via the command "sh wireless interface summary".
    9800-40#sh wireless interface summary
    Wireless Interface Summary
    Interface Name  Interface Type  VLAN ID  IP Address     IP Netmask     NAT-IP Address  MAC Address
    --------------------------------------------------------------------------------------------------
    Vlan25          Management      25       192.168.25.23  255.255.255.0  0.0.0.0         706d.1535.6b0b
Here is a guide for configuring a wireless management interface on a 9800.
Has a trust point been set?
This is important to verify on virtual WLCs. The trust point establishes a certificate authority on the 9800. View it with the command "sh wireless management trustpoint".
    9800-cl#sh wireless management trustpoint
    Trustpoint Name : 9800-cl_WLC_TP
    Certificate Info : Available
    Certificate Type : SSC
    Certificate Hash : ee0252c9da4a12c7fded2b2e72febd4f3cbdccc6
    Private key Info : Available
    FIPS suitability : Not Applicable
All hardware-based controller models (such as 9800-40 and 9800-L) come pre-configured with the manufacturer's certificate as the trust point, so it may not need to be configured explicitly. Example below:
    9800-L#sh wireless management trustpoint
    Trustpoint Name : CISCO_IDEVID_SUDI
    Certificate Info : Available
    Certificate Type : MIC
    Private key Info : Available
    FIPS suitability : Not Applicable
Do you have a DHCP server for the APs?
The APs need to obtain an IP address and can leverage DHCP for CAPWAP discovery.
Do you have a CAPWAP discovery mechanism?
- Local broadcast discovery: APs and the controller wireless management interface are on the same VLAN/subnet.
- DNS resolution: the cisco-capwap-controller DNS entry for the local domain points to the controller wireless management IP address.
- DHCP Option 43 or DHCPv6 Option 52: the DHCP pool has option 43 configured in hex for IPv4 discovery or, if using IPv6, option 52.
The value always starts with f1:04: when you configure only one wireless mgmt IP address. Example of option 43 configured on an MX DHCP server when the wireless MGMT IP address is 172.16.1.25 (ac:10:01:19).
- PnP Public redirection service: Controller redirection using PnP functionality. The SN of the AP is set to be redirected to a controller profile. This uses DNS resolution.
Each discovery mechanism is detailed here.
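The option 43 value described above can be built and checked programmatically. The following is an added example, not part of the original document: it encodes the f1 type byte, a length byte and the controller address in hex, and decodes a configured value to confirm which controller IPs it points APs to. It goes beyond the single-address case by assuming the length byte is 4 per controller address; the function names are hypothetical.

```python
import ipaddress

def encode_option43(controller_ips):
    """Build the option 43 hex string: type f1, length 4*N, then N IPv4 addresses."""
    addrs = [ipaddress.IPv4Address(ip) for ip in controller_ips]
    if not addrs:
        raise ValueError("at least one controller IP is required")
    if 4 * len(addrs) > 255:
        raise ValueError("too many addresses for a one-byte length field")
    payload = bytes([0xF1, 4 * len(addrs)]) + b"".join(a.packed for a in addrs)
    return ":".join(f"{b:02x}" for b in payload)

def decode_option43(value):
    """Validate a configured value and return the controller IPs it carries."""
    raw = bytes.fromhex(value.replace(":", "").replace(" ", ""))
    if len(raw) < 6 or raw[0] != 0xF1:
        raise ValueError("not a type f1 option 43 value")
    length = raw[1]
    # The length byte must cover exactly the address bytes that follow it.
    if length % 4 or length != len(raw) - 2:
        raise ValueError("length byte does not match the address data")
    return [str(ipaddress.IPv4Address(raw[i:i + 4])) for i in range(2, len(raw), 4)]

if __name__ == "__main__":
    # 172.16.1.25 is the wireless management IP used in this document's example.
    print(encode_option43(["172.16.1.25"]))
    print(decode_option43("f1:04:ac:10:01:19"))
```

Decoding the value actually present in the DHCP scope is a quick way to confirm that APs are being directed to the intended controller and to no other address.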
A DNA management mode AP can be accessed via console (see "Accessing a DNA AP after management mode change" section) to have its WLC set manually. The following command will achieve this: "capwap ap primary-base <controller hostname> <controller mgmt IP>"
Does the controller have a valid time source?
A valid time source / NTP server needs to be configured in order for the WLC to service clients. Use the command "sh ntp associations" to review the configuration.
    9800-cl#sh ntp associations
    address ref clock st when poll reach delay offset disp
    *~188.8.131.52 184.108.40.206 2 673 1024 377 21.951 -4.346 20.019
    ~220.127.116.11 .TIME. 16 - 64 0 0.000 0.000 16000.
    * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
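Several of the controller checks above (code version, country list, trust point, time source) can be automated against saved CLI output. The following is an added example, not part of the original document: it parses text shaped like the outputs shown on this page. The sample strings are constructed, the function names are hypothetical, and the AP regulatory domains are assumed to be two-letter country codes.

```python
import re

def version_ok(running_config, minimum=(17, 9)):
    """True if the 'version X.Y' line is >= minimum (tuple compare, so 17.12 > 17.9)."""
    m = re.search(r"^\s*version (\d+)\.(\d+)", running_config, re.M)
    return bool(m) and (int(m.group(1)), int(m.group(2))) >= minimum

def missing_countries(country_output, ap_domains):
    """AP regulatory domains with no 'XX - Name' row in the country output."""
    configured = set(re.findall(r"^\s*([A-Z]{2}) - ", country_output, re.M))
    return sorted(set(ap_domains) - configured)

def trustpoint_ready(trustpoint_output):
    """True if both the certificate and its private key show 'Available'."""
    fields = dict(re.findall(r"^\s*(.+?)\s*:\s*(.+?)\s*$", trustpoint_output, re.M))
    return (fields.get("Certificate Info") == "Available"
            and fields.get("Private key Info") == "Available")

def ntp_synced(ntp_output):
    """True if some association row carries the '*' (sys.peer) marker."""
    return bool(re.search(r"^\s*\*~?\S", ntp_output, re.M))

# Constructed sample outputs, shaped like the ones on this page.
RUNNING = "!\nversion 17.9\nservice timestamps debug datetime msec\n"
COUNTRY = ("Configured Country Codes\n"
           "DE - Germany 802.11a Indoor,Outdoor\n"
           "US - United States 802.11a Indoor,Outdoor\n")
TRUSTPOINT = ("Trustpoint Name : 9800-cl_WLC_TP\nCertificate Info : Available\n"
              "Certificate Type : SSC\nPrivate key Info : Available\n")
NTP = ("address ref clock st when poll reach delay offset disp\n"
       "*~192.0.2.10 192.0.2.1 2 673 1024 377 21.951 -4.346 20.019\n"
       "* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured\n")

def preflight(ap_domains):
    """Run every check against the samples; ap_domains is an assumed input format."""
    return {"version": version_ok(RUNNING),
            "missing_countries": missing_countries(COUNTRY, ap_domains),
            "trustpoint": trustpoint_ready(TRUSTPOINT),
            "ntp": ntp_synced(NTP)}

if __name__ == "__main__":
    print(preflight(["US", "DE", "GB"]))
```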
Can the APs send traffic to the controller via UDP ports 5246/5247?
APs use the CAPWAP protocol to join the controller. UDP port 5246 is used for control traffic and 5247 is for data. The APs need to communicate bidirectionally on both of these UDP ports in order to operate.
Have you transferred important configuration secrets?
Configurations are not migrated between management modes. Items such as SSIDs, PSKs, RADIUS secrets, and splash pages will not be migrated.
Everything is ready
Once you confirm everything is set up in place and you are ready for the migration.
Extra considerations when changing management mode
What happens if no Cisco controller is available for migrated APs?
Once the migration is initiated, Meraki management mode APs will lose Dashboard connectivity. They will then remain in a "looking for controller" state. A WLC is required in order to change DNA management mode to Meraki management mode.
DNA management mode APs will broadcast Syslog messages locally should they run into errors in joining a WLC. A Syslog server can be used to view these messages and troubleshoot the error codes they contain. This option is ideal for deployments where physical access to each AP is not possible.
Accessing a DNA AP after management mode change
Once the AP leaves Dashboard and boots into DNA management mode, it will be accessible by console connection. The default credentials are username: "Cisco", password: "Cisco", enable password: "Cisco" (no quotes).
Confirm the AP boot mode
If you are on-site and have visibility to the AP, reboot the AP and watch the LEDs.
In Meraki mode the LED blinks in this sequence:
- Orange for ~40 secs
- Off for ~8 secs
- Rainbow sequence
- Solid green or blue when associated to a dashboard
For more details, you can check this doc.
In Cisco mode, the LED blinks in this sequence:
- Orange for ~3 secs
- Green/off for ~25 secs
- Off for ~2 mins
- Green/off/orange/off for ~2 mins
- Solid green or blue when associated to a WLC
Alternatively, run a packet capture on the port where the AP is connected and review the Platform field of the CDP packets.
Example of a CDP packet sent by a CW9164I AP in Meraki mode: