Cisco 2000 Series Configuration Manual Download Page 148

Page: 148 / 406

5-18

Cisco Wireless LAN Controller Configuration Guide

OL-9141-03

Chapter 5 Configuring Security Solutions

Configuring Management Frame Protection

Using the CLI to View MFP Settings

Use these commands to view MFP settings using the controller CLI.

To see a summary of the controller’s current wireless protection policies (including MFP), enter this
command:

show wps summary

Information similar to the following appears:

Client Exclusion Policy

Excessive 802.11-association failures.......... Enabled

Excessive 802.11-authentication failures....... Enabled

Excessive 802.1x-authentication................ Enabled

Network access control failure................. Enabled

IP-theft....................................... Enabled

Excessive Web authentication failure........... Enabled

Trusted AP Policy

Management Frame Protection.................... Enabled

Mis-configured AP Action....................... Alarm Only

Enforced encryption policy................... none

Enforced preamble policy..................... none

Enforced radio type policy................... none

Validate SSID................................ Disabled

Alert if Trusted AP is missing................. Disabled

Trusted AP timeout............................. 120

Untrusted AP Policy

Rogue Location Discovery Protocol.............. Disabled

RLDP Action.................................. Alarm Only

Automatically contain rogues advertising .... Alarm Only

Detect Ad-Hoc Networks....................... Alarm Only

Rogue Clients

Validate rogue clients against AAA........... Disabled

Detect trusted clients on rogue APs.......... Alarm Only

Rogue AP timeout............................... 1200

Signature Policy

Signature Processing........................... Enabled

To see the controller’s current global MFP settings, enter this command:

show wps mfp summary

Information similar to the following appears:

Management Frame Protection state................ enabled

Controller Time Source Valid..................... true

WLAN ID WLAN Name Status MFP Protection

------- ---------------------- --------- --------------

1 tester-2006 Enabled Enabled

MFP Operational MFP Capability

AP Name Validation Slot Radio State Protection Validation

-------------------- ---------- ---- ----- -------------- ---------- ----------

tester-1000 Enabled 0 a Up Full Full

1 b/g Up Full Full

tester-1000b Enabled 0 a Up Full Full

1 b/g Up Full Full

Summary of Contents for 2000 Series

Page 1: ...s Inc 170 West Tasman Drive San Jose CA 95134 1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 526 4100 Cisco Wireless LAN Controller Configuration Guide Software Release 4 0 January 2007 Text Part Number OL 9141 03 ...

Page 2: ...R INABILITY TO USE THIS MANUAL EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES CCSP CCVP the Cisco Square Bridge logo Follow Me Browsing and StackWise are trademarks of Cisco Systems Inc Changing the Way We Work Live Play and Learn and iQuick Study are service marks of Cisco Systems Inc and Access Registrar Aironet BPX Catalyst CCDA CCDP CCIE CCIP CCNA CCNP Cisc...

Page 3: ...hnical Support Documentation Website 25 Submitting a Service Request 25 Definitions of Service Request Severity 26 Obtaining Additional Publications and Information 26 C H A P T E R 1 Overview 1 Cisco Unified Wireless Network Solution Overview 2 Single Controller Deployments 3 Multiple Controller Deployments 4 Operating System Software 5 Operating System Security 6 Cisco WLAN Solution Wired Securi...

Page 4: ... LAN Controller Memory 16 Cisco Wireless LAN Controller Failover Protection 16 Network Connections to Cisco Wireless LAN Controllers 17 Cisco 2000 and 2100 Series Wireless LAN Controllers 17 Cisco 4400 Series Wireless LAN Controllers 18 Rogue Access Points 19 Rogue Access Point Location Tagging and Containment 19 C H A P T E R 2 Using the Web Browser and CLI Interfaces 1 Using the Web Browser Inte...

Page 5: ...e the Management Interface 12 Using the CLI to Configure the AP Manager Interface 13 Using the CLI to Configure the Virtual Interface 14 Using the CLI to Configure the Service Port Interface 15 Configuring Dynamic Interfaces 15 Using the GUI to Configure Dynamic Interfaces 15 Using the CLI to Configure Dynamic Interfaces 17 Configuring Ports 19 Configuring Port Mirroring 22 Configuring Spanning Tr...

Page 6: ...onfiguring SNMP 8 Changing the Default Values of SNMP Community Strings 9 Using the GUI to Change the SNMP Community String Default Values 9 Using the CLI to Change the SNMP Community String Default Values 11 Changing the Default Values for SNMP v3 Users 11 Using the GUI to Change the SNMP v3 User Default Values 12 Using the CLI to Change the SNMP v3 User Default Values 13 Enabling 802 3x Flow Con...

Page 7: ...ing the Wireless LAN Controller Network Module 35 C H A P T E R 5 Configuring Security Solutions 1 Cisco UWN Solution Security 2 Security Overview 2 Layer 1 Solutions 2 Layer 2 Solutions 2 Layer 3 Solutions 3 Rogue Access Point Solutions 3 Rogue Access Point Challenges 3 Tagging and Containing Rogue Access Points 3 Integrated Security Solutions 4 Configuring the System for SpectraLink NetLink Tele...

Page 8: ...igure IDS Sensors 26 Using the CLI to Configure IDS Sensors 28 Viewing Shunned Clients 29 Configuring IDS Signatures 30 Using the GUI to Configure IDS Signatures 31 Using the CLI to Configure IDS Signatures 37 Using the CLI to View IDS Signature Events 38 Configuring AES Key Wrap 39 Using the GUI to Configure AES Key Wrap 39 Using the CLI to Configure AES Key Wrap 40 Configuring Maximum Local Data...

Page 9: ...18 Configuring Quality of Service Profiles 19 Configuring Cisco Client Extensions 22 Using the GUI to Configure CCX Aironet IEs 22 Using the GUI to View a Client s CCX Version 24 Using the CLI to Configure CCX Aironet IEs 24 Using the CLI to View a Client s CCX Version 25 Enabling WLAN Override 25 Using the GUI to Enable WLAN Override 25 Using the CLI to Enable WLAN Override 25 Configuring Access ...

Page 10: ...eries Lightweight Access Point Monitor Mode 9 Cisco Aironet 1510 Series Lightweight Outdoor Mesh Access Points 9 Wireless Mesh 10 Configuring and Deploying the AP1510 11 Adding the MAC Address of the Access Point to the Controller Filter List 12 Configuring Mesh Parameters 14 Configuring the Mesh Security Timer 16 Configuring Bridging Parameters 16 Autonomous Access Points Converted to Lightweight...

Page 11: ... Points Using MICs 36 C H A P T E R 8 Managing Controller Software and Configurations 1 Transferring Files to and from a Controller 2 Upgrading Controller Software 2 Updating Controller Software 3 Saving Configurations 4 Clearing the Controller Configuration 5 Erasing the Controller Configuration 5 Resetting the Controller 5 C H A P T E R 9 Managing User Accounts 1 Creating Guest User Accounts 2 C...

Page 12: ...ccess 1 Overview of Radio Resource Management 2 Radio Resource Monitoring 2 Dynamic Channel Assignment 3 Dynamic Transmit Power Control 4 Coverage Hole Detection and Correction 4 Client and Network Load Balancing 4 RRM Benefits 5 Overview of RF Groups 5 RF Group Leader 5 RF Group Name 6 Configuring an RF Group 6 Using the GUI to Configure an RF Group 7 Using the CLI to Configure RF Groups 8 Viewin...

Page 13: ... Mobility Group 7 Configuring Mobility Groups 7 Prerequisites 7 Using the GUI to Configure Mobility Groups 8 Using the CLI to Configure Mobility Groups 11 Configuring Auto Anchor Mobility 11 Guidelines for Using Auto Anchor Mobility 12 Using the GUI to Configure Auto Anchor Mobility 13 Using the CLI to Configure Auto Anchor Mobility 14 Running Mobility Ping Tests 15 C H A P T E R 12 Configuring Hy...

Page 14: ...3 Canadian Compliance Statement 3 European Community Switzerland Norway Iceland and Liechtenstein 4 Declaration of Conformity with Regard to the R TTE Directive 1999 5 EC 4 Declaration of Conformity for RF Exposure 5 Guidelines for Operating Cisco Aironet Access Points in Japan 6 Administrative Rules for Cisco Aironet Access Points in Taiwan 7 Access Points with IEEE 802 11a Radios 7 All Access Po...

Page 15: ...OL 9141 03 Interpreting Controller LEDs 5 Interpreting Lightweight Access Point LEDs 5 A P P E N D I X E Logical Connectivity Diagrams 1 Cisco WiSM 3 Cisco 28 37 38xx Integrated Services Router 5 Catalyst 3750G Integrated Wireless LAN Controller Switch 6 I N D E X ...

Page 16: ...Contents 16 Cisco Wireless LAN Controller Configuration Guide OL 9141 03 ...

Page 17: ... Configuration Guide Release 4 0 references related publications and explains how to obtain other documentation and technical assistance if necessary It contains these sections Audience page 18 Purpose page 18 Organization page 18 Conventions page 19 Related Publications page 21 Obtaining Documentation and Submitting a Service Request page 22 ...

Page 18: ...for configuring them Chapter 4 Configuring Controller SettingsWireless Device Access describes how to configure settings on the controllers Chapter 5 Configuring Security Solutions describes application specific solutions for wireless LANs Chapter 6 Configuring WLANsWireless Device Access describes how to configure wireless LANs and SSIDs on your system Chapter 7 Controlling Lightweight Access Poi...

Page 19: ...logical connectivity diagrams and related software commands for controllers that are integrated into other Cisco products Conventions This publication uses these conventions to convey instructions and information Command descriptions use these conventions Commands and keywords are in boldface text Arguments for which you supply values are in italic Square brackets mean optional elements Braces gro...

Page 20: ...cette publication veuillez consulter l annexe intitulée Translated Safety Warnings Traduction des avis de sécurité Warnung Dieses Warnsymbol bedeutet Gefahr Sie befinden sich in einer Situation die zu einer Körperverletzung führen könnte Bevor Sie mit der Arbeit an irgendeinem Gerät beginnen seien Sie sich der mit elektrischen Stromkreisen verbundenen Gefahren und der Standardpraktiken zur Vermeid...

Page 21: ...ersity Patch Wall Mount Antenna Cisco Aironet 2 dBi Diversity Omnidirectional Ceiling Mount Antenna AIR ANT5959 Cisco Multiband 2 4 5GHz Articulated Dipole Antenna AIR ANT1841 Cisco Multiband 2 4 5G Diversity Omnidirectional Ceiling Mount Antenna AIR ANT1828 Cisco Multiband 2 4 5G Patch Wall Mount Antenna AIR ANT1859 Mounting Instructions for the Cisco Diversity Omnidirectional Ceiling Mount Anten...

Page 22: ... additional information see the monthly What s New in Cisco Product Documentation which also lists all new and revised Cisco technical documentation at http www cisco com en US docs general whatsnew whatsnew html Subscribe to the What s New in Cisco Product Documentation as a Really Simple Syndication RSS feed and set content to be delivered directly to your desktop using a reader application The ...

Page 23: ...ew page 1 2 Operating System Software page 1 5 Operating System Security page 1 6 Layer 2 and Layer 3 LWAPP Operation page 1 7 Cisco Wireless LAN Controllers page 1 7 Controller Platforms page 1 9 Cisco UWN Solution Wired Connections page 1 11 Cisco UWN Solution WLANs page 1 12 Identity Networking page 1 12 File Transfers page 1 14 Power over Ethernet page 1 14 Pico Cell Functionality page 1 14 Ro...

Page 24: ...igure and monitor individual controllers See Chapter 2 A full featured command line interface CLI can be used to configure and monitor individual Cisco Wireless LAN Controllers See Chapter 2 The Cisco Wireless Control System WCS which you use to configure and monitor one or more Cisco Wireless LAN Controllers and associated access points WCS has tools to facilitate large system monitoring and cont...

Page 25: ...ng lightweight access points as they are added to the network Full control of lightweight access points Full control of up to 16 wireless LAN SSID policies for Cisco 1000 series access points Note LWAPP enabled access points support up to 8 wireless LAN SSID policies Lightweight access points connect to controllers through the network The network equipment may or may not provide Power over Etherne...

Page 26: ... and buildings simultaneously However full functionality of the Cisco Wireless LAN Solution is realized when it includes multiple controllers A multiple controller system has the following additional features Autodetecting and autoconfiguring RF parameters as the controllers are added to the network Same Subnet Layer 2 Roaming and Inter Subnet Layer 3 Roaming Automatic access point failover to any...

Page 27: ...optional dedicated Management Network and the three physical connection types between the network and the controllers Figure 1 3 Typical Multi Controller Deployment Operating System Software The operating system software controls Cisco Wireless LAN Controllers and Cisco 1000 Series Lightweight Access Points It includes full operating system security and Radio Resource Management RRM features ...

Page 28: ...N Solution also uses manual and automated Disabling to block access to network services In manual Disabling the operator blocks access using client MAC addresses In automated Disabling which is always active the operating system software automatically blocks access to network services for an operator defined period of time when a client fails to authenticate for a fixed number of consecutive attem...

Page 29: ...ther requirement is that the IP addresses of access points should be either statically assigned or dynamically assigned through an external DHCP server Note that all Cisco Wireless LAN Controllers in a mobility group must use the same LWAPP Layer 2 or Layer 3 mode or you will defeat the Mobility software algorithm Configuration Requirements When you are operating the Cisco Wireless LAN Solution in...

Page 30: ...er on the same subnet To ensure that each access point associates with a particular controller the operator can assign primary secondary and tertiary controllers to the access point When a primed access point is added to a network it looks for its primary secondary and tertiary controllers first then a master controller then the least loaded controller with available access point ports Refer to th...

Page 31: ...tch The first three controllers are stand alone platforms The remaining three controllers are integrated into Cisco switch and router products Cisco 2000 and 2100 Series Controllers The Cisco 2000 and 2100 series 2106 Wireless LAN Controllers work in conjunction with Cisco lightweight access points and the Cisco Wireless Control System WCS to provide system wide wireless LAN functions Each 2000 an...

Page 32: ...nced Security Module Crypto Card to support VPN IPSec and other processor intensive tasks The VPN Enhanced Security Module can also be installed in the field The 4400 series controller can be equipped with one or two Cisco 4400 series power supplies When the controller is equipped with two Cisco 4400 series power supplies the power supplies are redundant and either power supply can continue to pow...

Page 33: ... www cisco com en US products hw wireless index html Catalyst 3750G Integrated Wireless LAN Controller Switch The Catalyst 3750G Integrated Wireless LAN Controller Switch is an integrated Catalyst 3750 switch and Cisco 4400 series controller that supports up to 25 or 50 lightweight access points The switch has two internal gigabit Ethernet ports that connect the switch and the controller The switc...

Page 34: ...you can configure both static and dynamic WEP on the same WLAN The lightweight access points broadcast all active Cisco UWN Solution WLAN SSIDs and enforce the policies defined for each WLAN Note Cisco recommends that you assign one set of VLANs for WLANs and a different set of VLANs for management interfaces to ensure that controllers operate with optimum performance and ease of management If man...

Page 35: ...the operating system only moves clients from the default Cisco UWN Solution WLAN VLAN to a different VLAN when configured for MAC filtering 802 1X and or WPA Layer 2 authentication To configure WLANs refer to Chapter 6 Enhanced Integration with Cisco Secure ACS The identity based networking feature uses authentication authorization and accounting AAA override When the following vendor specific att...

Page 36: ...oints for maximum coverage When you are using PoE the installer runs a single CAT 5 cable from each lightweight access point to PoE equipped network elements such as a PoE power hub or a Cisco WLAN Solution Single Line PoE Injector When the PoE equipment determines that the lightweight access point is PoE enabled it sends 48 VDC over the unused pairs in the Ethernet cable to power the lightweight ...

Page 37: ...s Allows specific control over blacklisting events Allows configuring and viewing basic LWAPP configuration using the lightweight access point CLI Startup Wizard When a controller is powered up with a new factory operating system software load or after being reset to factory defaults the bootup script runs the Startup Wizard which prompts the installer for initial configuration The Startup Wizard ...

Page 38: ...ng the Configuration Wizard Clearing the Controller Configuration Saving Configurations Resetting the Controller Logging Out of the CLI Cisco Wireless LAN Controller Failover Protection Each controller has a defined number of communication ports for lightweight access points This means that when multiple controllers with unused access point ports are deployed on the same network if one controller ...

Page 39: ... with an unused port on another controller allowing the client device to immediately reassociate and reauthenticate Network Connections to Cisco Wireless LAN Controllers Regardless of operating mode all controllers use the network as an 802 11 distribution system Regardless of the Ethernet port type or speed each controller monitors and communicates with its related controllers across the network ...

Page 40: ...BASE T Gigabit Ethernet front panel RJ 45 physical port UTP cable 1000BASE SX Gigabit Ethernet front panel LC physical port multi mode 850nM SX fiber optic links using LC physical connectors 1000BASE LX Gigabit Ethernet front panel LC physical port multi mode 1300nM LX LH fiber optic links using LC physical connectors For the 4404 controller up to four of the following connections are supported in...

Page 41: ...ually detect rogue access point the Cisco UWN Solution automatically collects information on rogue access point detected by its managed access points by MAC and IP Address and allows the system operator to locate tag and monitor them The operating system can also be used to discourage rogue access point clients by sending them deauthenticate and disassociate messages from one to four lightweight a...

Page 42: ...nown until they are eliminated or acknowledged Tag rogue access point as contained and discourage clients from associating with the rogue access point by having between one and four lightweight access points transmit deauthenticate and disassociate messages to all rogue access point clients This function contains all active channels on the same rogue access point Rogue Detector mode detects whethe...

Page 43: ...Web Browser and CLI Interfaces This chapter describes the web browser and CLI interfaces that you use to configure the controllers It contains these sections Using the Web Browser Interface page 2 2 Enabling Web and Secure Web Modes page 2 3 Using the CLI page 2 5 Enabling Wireless Connections to the Web Browser and CLI Interfaces page 2 9 ...

Page 44: ...r using Web Authentication You can use either the service port interface or the management interface to open the GUI Cisco recommends that you use the service port interface Refer to Chapter 3 Using the CLI to Configure the Service Port Interface for instructions on configuring the service port interface You might need to disable your browser s pop up blocker to view the online help Before accessi...

Page 45: ...nally Generated HTTPS Certificate section on page 2 4 for instructions on loading an externally generated certificate Using the CLI follow these steps to enable HTTPS Step 1 Enter show certificate summary to verify that the controller has generated a certificate show certificate summary Web Administration Certificate Locally Generated Web Authentication Certificate Locally Generated Certificate co...

Page 46: ...pt the HTTPS certificate in a PEM encoded file The PEM encoded file is called a Web Administration Certificate file webadmincert_name pem Step 2 Move the webadmincert_name pem file to the default directory on your TFTP server Step 3 In the CLI enter transfer download start and answer n to the prompt to view the current download settings transfer download start Mode TFTP Data Type Admin Cert TFTP S...

Page 47: ...ne help You might have to disable the browser pop up blocker to view online help Using the CLI The Cisco UWN Solution command line interface CLI is built into each controller The CLI allows operators to use a VT 100 emulator to locally or remotely configure monitor and control individual controllers and to access extensive debugging capabilities Because the CLI works with one controller at a time ...

Page 48: ...ion GuideCisco Access Router Wireless Configuration Guide OL 6415 01OL 9141 03 Chapter 2 Using the Web Browser and CLI Interfaces Using the CLI Note Refer to the Cisco Wireless LAN Controller Command Reference for information on specific commands ...

Page 49: ...he serial port Step 1 Connect your computer to the controller using the DB 9 null modem serial cable Step 2 Open a terminal emulator session using these settings 9600 baud 8 data bits 1 stop bit no parity no hardware flow control Step 3 At the prompt log into the CLI The default username is admin and the default password is admin Note The controller serial port is set for a 9600 baud rate and a sh...

Page 50: ...ges you made to the volatile RAM Navigating the CLI The is organized around five levels Root Level Level 2 Level 3 Level 4 Level 5 When you log into the CLI you are at the root level From the root level you can enter any full command without first navigating to the correct command level Table 2 1 lists commands you use to navigate the CLI and to perform common tasks Table 2 1 Commands for CLI Navi...

Page 51: ...Before you can open the GUI or the CLI from a wireless client device you must configure the controller to allow the connection Follow these steps to enable wireless connections to the GUI or CLI Step 1 Log into the CLI Step 2 Enter config network mgmt via wireless enable Step 3 Use a wireless client to associate to a lightweight access point connected to the controller Step 4 On the wireless clien...

Page 52: ...LAN Controller Configuration GuideCisco Access Router Wireless Configuration Guide OL 6415 01OL 9141 03 Chapter 2 Using the Web Browser and CLI Interfaces Enabling Wireless Connections to the Web Browser and CLI Interfaces ...

Page 53: ...d provides instructions for configuring them It contains these sections Overview of Ports and Interfaces page 3 2 Configuring the Management AP Manager Virtual and Service Port Interfaces page 3 10 Configuring Dynamic Interfaces page 3 15 Configuring Ports page 3 19 Enabling Link Aggregation page 3 29 Configuring a 4400 Series Controller to Support More Than 48 Access Points page 3 36 ...

Page 54: ...ted Services Router and the controllers on the Cisco WiSM do not have external physical ports They connect to the network through ports on the router or switch respectively Figure 3 1 Ports on the Cisco 2000 Series Wireless LAN Controllers Figure 3 2 Ports on the Cisco 4400 Series Wireless LAN Controllers Note Figure 3 2 shows a Cisco 4404 controller The Cisco 4402 controller is similar but has on...

Page 55: ... Ethernet distribution system ports through which the controller can support up to six access points Cisco 2100 series controllers have six 10 100 copper Ethernet distribution system ports through which the controller can support up to six access points Ports 7 and 8 can function as PoE ports 155755 Controller console port Service port STACK1 STACK2 SWITCH CONSOLE CONTROLLER CONSOLE SERVICE Table ...

Page 56: ...panel Through these ports the controller can support up to 300 access points The Controller Network Module within the Cisco 28 37 38xx Series Integrated Services Router has one Fast Ethernet distribution system port that connects the router and the integrated controller This port is located on the router backplane and is not visible on the front panel Through this port the controller can support u...

Page 57: ...ervice port is not capable of carrying 802 1Q tags so it must be connected to an access port on the neighbor switch Use of the service port is optional Note The Cisco WiSM s 4404 controllers use the service port for internal protocol communication between the controllers and the Supervisor 720 Note The Cisco 2000 series controller and the controller in the Cisco Integrated Services Router do not h...

Page 58: ...ther controllers through all distribution system ports Listens across the Layer 2 network for Cisco 1000 series lightweight access point LWAPP polling messages to autodiscover associate to and communicate with as many Cisco 1000 series lightweight access points as possible When LWAPP communications are set to Layer 2 same subnet mode the controller requires one management interface to control all ...

Page 59: ...web authentication It also maintains the DNS gateway host name used by Layer 3 security and mobility managers to verify the source of certificates when Layer 3 web authorization is enabled Specifically the virtual interface plays these two primary roles Acts as the DHCP server placeholder for wireless clients that obtain their IP address from a DHCP server Serves as the redirect address for the we...

Page 60: ...lients A controller can support up to 512 dynamic interfaces VLANs Each dynamic interface is individually configured and allows separate communication streams to exist on any or all of a controller s distribution system ports Each dynamic interface controls VLAN and other communications between controllers and all other network devices and each acts as a DHCP relay for wireless clients associated ...

Page 61: ...e VLAN of an 802 1Q trunk is an untagged VLAN Therefore if you configure an interface to use the native VLAN on a neighboring Cisco switch make sure you configure the interface on the controller to be untagged Note A zero value for the VLAN identifier on the Controller Interfaces page means that the interface is untagged The default untagged native VLAN on Cisco switches is VLAN 1 When controller ...

Page 62: ...P Manager Virtual and Service Port Interfaces page 3 10 Configuring Dynamic Interfaces page 3 15 Configuring Ports page 3 19 Enabling Link Aggregation page 3 29 Configuring a 4400 Series Controller to Support More Than 48 Access Points page 3 36 Configuring the Management AP Manager Virtual and Service Port Interfaces Typically you define the management AP manager virtual and service port interfac...

Page 63: ...ent Interface Note The management interface uses the controller s factory set distribution system MAC address VLAN identifier Note Enter 0 for an untagged VLAN or a non zero value for a tagged VLAN Cisco recommends that only tagged VLANs be used on the controller Fixed IP address IP netmask and default gateway Physical port assignment Primary and secondary DHCP servers Access control list ACL sett...

Page 64: ...lways point to the virtual interface If a DNS host name is configured for the virtual interface then the same DNS host name must be configured on the DNS server s used by the client Service Port Interface Note The service port interface uses the controller s factory set service port MAC address DHCP protocol enabled or DHCP protocol disabled and IP address and IP netmask Step 4 Click Save Configur...

Page 65: ... interface port management physical ds port number config interface dhcp management ip address of primary dhcp server ip address of secondary dhcp server config interface acl management access control list name Note See Chapter 5 for more information on ACLs Step 4 Enter save config to save your changes Step 5 Enter show interface detailed management to verify that your changes have been saved Usi...

Page 66: ...nter save config to save your changes Step 6 Enter show interface detailed ap manager to verify that your changes have been saved Using the CLI to Configure the Virtual Interface Follow these steps to display and configure the virtual interface parameters using the CLI Step 1 Enter show interface detailed virtual to view the current virtual interface settings Step 2 Enter config wlan disable wlan ...

Page 67: ... controller If the management workstation is in a remote subnet you may need to add a route on the controller in order to manage the controller from that remote workstation To do so enter this command config route network ip addr ip netmask gateway Step 4 Enter save config to save your changes Step 5 Enter show interface detailed service port to verify that your changes have been saved Configuring...

Page 68: ...faces Figure 3 6 Interfaces New Page Step 3 Enter an interface name and a VLAN identifier as shown in Figure 3 6 Note Enter a non zero value for the VLAN identifier Tagged VLANs must be used for dynamic interfaces Step 4 Click Apply to commit your changes The Interfaces Edit page appears see Figure 3 7 Figure 3 7 Interfaces Edit Page ...

Page 69: ...rk access control NAC See Chapter 12 for more information on hybrid REAP Primary and secondary DHCP servers Access control list ACL name if required Note See Chapter 5 for more information on ACLs Note To ensure proper operation you must set the Port Number and Primary DHCP Server parameters Step 6 Click Save Configuration to save your changes Step 7 Repeat this procedure for each dynamic interfac...

Page 70: ...ce operator defined interface name quarantine enable Note Use this command if you want to configure this VLAN as unhealthy Doing so causes the data traffic of any client that is assigned to this VLAN to pass through the controller even if the WLAN is configured for local switching This command is generally used for clients that are associated to a hybrid REAP access point and the access point s co...

Page 71: ...Page This page shows the current configuration for each of the controller s ports Step 2 If you want to change the settings of any port click the Edit link for that specific port The Port Configure page appears see Figure 3 9 Note If the management and AP manager interfaces are mapped to the same port and are members of the same VLAN you must disable the WLAN before making a port mapping change to...

Page 72: ... number of the current port Physical Status The data rate being used by the port The available data rates vary based on controller type Controller Available Data Rates 4400 series 1000 Mbps full duplex 2000 and 2100 series 10 or 100 Mbps half or full duplex WiSM 1000 Mbps full duplex Catalyst 3750G Integrated Wireless LAN Controller Switch 1000 Mbps full duplex WLAN controller module 100 Mbps full...

Page 73: ... or disables the flow of traffic through the port Options Enable or Disable Default Enable Note Administratively disabling the port on a controller does not affect the port s link status The link can be brought down only by other Cisco devices On other Cisco products however administratively disabling a port brings the link down Physical Mode Determines whether the port s data rate is set automati...

Page 74: ...blems Mirror mode should be enabled only on an unused port as any connections to this port become unresponsive Note WiSM controllers do not support mirror mode Also a controller s service port cannot be used as a mirrored port Note Port mirroring is not supported when link aggregation LAG is enabled on the controller Note Cisco recommends that you do not mirror traffic from one controller port to ...

Page 75: ...yer 2 network Infrastructure devices such as controllers and switches send and receive spanning tree frames called bridge protocol data units BPDUs at regular intervals The devices do not forward these frames but use them to construct a loop free path Multiple active paths among end stations cause loops in the network If a loop exists in the network end stations might receive duplicate messages In...

Page 76: ...e Figure 3 9 This page shows the STP status of the port and enables you to configure STP parameters Table 3 4 interprets the current STP status of the port Table 3 4 Port Spanning Tree Status Parameter Description STP Port ID The number of the port for which STP is enabled or disabled STP State The port s current STP state It controls the action that a port takes upon receiving a frame Values Disa...

Page 77: ... this port 802 1D Enables this port to participate in the spanning tree and go through all of the spanning tree states when the link state transitions from down to up Fast Enables this port to participate in the spanning tree and puts it in the forwarding state when the link state transitions from down to up more quickly than when the STP mode is set to 802 1D Note In this state the forwarding del...

Page 78: ...troller Spanning Tree Configuration Page This page allows you to enable or disable the spanning tree algorithm for the controller modify its characteristics and view the STP status Table 3 6 interprets the current STP status for the controller STP Port Path Cost The speed at which traffic is passed through the port This parameter must be set if the STP Port Path Cost Mode parameter is set to User ...

Page 79: ...ort The number of the port that offers the lowest cost path from this bridge to the root bridge Root Cost The cost of the path to the root as seen from this bridge Max Age seconds The maximum age of STP information learned from the network on any port before it is discarded Hello Time seconds The amount of time between the transmission of configuration BPDUs by this node on any port when it is the...

Page 80: ...mber all config spanningtree port mode fast port number all config spanningtree port mode off port number all Table 3 7 Controller Spanning Tree Parameters Parameter Description Spanning Tree Algorithm Enables or disables STP for the controller Options Enable or Disable Default Disable Priority The location of the controller in the network topology and how well the controller is located to pass tr...

Page 81: ...ngs for the ports enter config spanningtree switch mode enable to enable STP for the controller The controller automatically detects logical network loops places redundant ports on standby and builds a network with the most efficient pathways Step 11 Enter save config to save your settings Step 12 Enter show spanningtree port and show spanningtree switch to verify that your changes have been saved...

Page 82: ...on the controller you may want to consider terminating on two different modules within a modular switch such as the Catalyst 6500 however we do not recommend connecting LAG ports of a 4400 controller to multiple Catalyst 6500 or 3750G switches Terminating on two different modules within a single Catalyst 6500 switch provides redundancy and ensures that connectivity between the switch and the contr...

Page 83: ...r PFC3CXL mode implement enhanced EtherChannel load balancing The enhanced EtherChannel load balancing adds the VLAN number to the hash function which is incompatible with LAG From Release 12 2 33 SXH and later releases Catalyst 6500 IOS software offers the exclude vlan keyword to the port channel load balance command to implement src dst ip load distribution See the Cisco IOS Interface and Hardwa...

Page 84: ...3 32 Cisco Wireless LAN Controller Configuration Guide OL 9141 03 Chapter 3 Configuring Ports and Interfaces Enabling Link Aggregation Figure 3 12 Link Aggregation with Catalyst 6500 Neighbor Switch ...

Page 85: ...erefore you must configure LAG for all of the connected ports in the neighbor switch When you enable LAG port mirroring is not supported With LAG if any single link goes down traffic migrates to the other links With LAG only one functional physical port is needed for the controller to pass client traffic When you enable LAG access points remain connected to the switch and data service for users co...

Page 86: ...ler General to access the General page see Figure 3 13 Figure 3 13 General Page Step 2 Set the LAG Mode on Next Reboot parameter to Enabled Note Choose Disabled if you want to disable LAG LAG is disabled by default on the Cisco 4400 series controllers but enabled by default on the Cisco WiSM Step 3 Click Apply to commit your changes Step 4 Click Save Configuration to save your changes Step 5 Reboo...

Page 87: ...specific IP address enter show lag ip port hash ip_address Use this command for Layer 3 packets LWAPP Layer 3 mode Examples show lag summary LAG Enabled show lag eth port hash 00 0b 85 1b e2 b0 Destination MAC 00 0b 85 1b e2 b0 currently maps to port 2 show lag ip port hash 10 9 4 128 Destination IP 10 9 4 128 currently maps to port 2 Configuring Neighbor Devices to Support LAG The controller s ne...

Page 88: ...t to use The following factors should help you decide which method to use if your controller is set for Layer 3 operation With link aggregation all of the controller ports need to connect to the same neighbor switch If the neighbor switch goes down the controller loses connectivity With multiple AP manager interfaces you can connect your ports to different neighbor devices If one of the neighbor s...

Page 89: ...f AP manager interfaces on the controller and the number of access points on each AP manager interface The access point generally joins the AP manager with the least number of access points In this way the access point load is dynamically distributed across the multiple AP manager interfaces Note Access points may not be distributed completely evenly across all of the AP manager interfaces but a c...

Page 90: ...reate three or more AP manager interfaces see Figure 3 15 If the port of one of the AP manager interfaces fails the controller clears the access points state and the access points must reboot to reestablish communication with the controller using the normal controller join process The controller no longer includes the failed AP manager interface in the LWAPP discovery responses The access points t...

Page 91: ...g all 100 access points evenly across all four AP manager interfaces If one of the AP manager interfaces fails all of the access points connected to the controller would be evenly distributed among the three available AP manager interfaces For example if AP manager interface 2 fails the remaining AP manager interfaces 1 3 and 4 would each manage approximately 33 access points Follow these steps to...

Page 92: ... Configuring a 4400 Series Controller to Support More Than 48 Access Points Figure 3 17 Interfaces New Page Step 3 Enter an AP manager interface name and a VLAN identifier as shown above Step 4 Click Apply to commit your changes The Interfaces Edit page appears see Figure 3 18 Figure 3 18 Interfaces Edit Page ...

Page 93: ...g the access point to VLAN 992 993 or 994 The access point then joins the controller using that isolated VLAN with Layer 2 LWAPP All Layer 2 LWAPP traffic received on ports 2 3 and 4 egresses the management port configured as port 1 on VLAN 250 with a dot1q tag of 250 With a Layer 2 LWAPP configuration you should distribute access points across VLANs 250 992 993 and 994 manually Ideally you should...

Page 94: ...3 42 Cisco Wireless LAN Controller Configuration Guide OL 9141 03 Chapter 3 Configuring Ports and Interfaces Configuring a 4400 Series Controller to Support More Than 48 Access Points ...

Page 95: ...guring Administrator Usernames and Passwords page 4 7 Configuring RADIUS Settings page 4 8 Configuring SNMP page 4 8 Changing the Default Values of SNMP Community Strings page 4 9 Changing the Default Values for SNMP v3 Users page 4 11 Enabling 802 3x Flow Control page 4 13 Enabling System Logging page 4 13 Enabling Dynamic Transmit Power Control page 4 16 Configuring Multicast Mode page 4 16 Conf...

Page 96: ...ional Distribution system network port static IP address netmask and optional default gateway IP address Service port static IP address and netmask optional Distribution system physical port 1000BASE T 1000BASE SX or 10 100BASE T Note Each 1000BASE SX connector provides a 100 1000 Mbps wired connection to a network through an 850nM SX fiber optic link using an LC physical connector Distribution sy...

Page 97: ... factory default configuration The controller reboots and displays this message Welcome to the Cisco WLAN Solution Wizard Configuration Tool Step 3 Use the configuration wizard to enter configuration settings Resetting to Default Settings Using the GUI Follow these steps to return to default settings using the GUI Step 1 Open your Internet browser The GUI is fully compatible with Microsoft Interne...

Page 98: ...ame and password each up to 24 printable ASCII characters Step 7 Enter the service port interface IP configuration protocol none or DHCP If you do not want to use the service port or if you want to assign a static IP Address to the service port enter none Step 8 If you entered none enter the service port interface IP address and netmask on the next two lines If you do not want to use the service p...

Page 99: ... Step 19 Enable and disable support for 802 11b 802 11a and 802 11g Step 20 Enable or disable radio resource management RRM auto RF When you answer the last prompt the controller saves the configuration reboots with your changes and prompts you to log in or to enter recover config to reset to the factory default configuration and return to the wizard Managing the System Time and Date You can confi...

Page 100: ... access point s regulatory domain must match the country code of the controller Note Controllers running software release 4 0 or earlier do not have the ability to control access points in more than one regulatory domain Note The controller must be installed by a network administrator or qualified IT professional and the proper country code must be selected Following installation access to the uni...

Page 101: ...into the controller itself If you have not saved the configuration on the controller after deleting the user then rebooting power cycling the controller should bring it back up with the deleted user still in the system If you do not have the default admin account or another user account with which you can log in your only option is to default the controller to factory settings and reconfigure it f...

Page 102: ... secret to configure the shared secret Step 4 Enter config radius acct enable to enable accounting Enter config radius acct disable to disable accounting Accounting is disabled by default Step 5 Enter config radius auth ip address to configure a RADIUS server for authentication Step 6 Enter config radius auth port to specify the UDP port for authentication Step 7 Enter config radius auth secret to...

Page 103: ...r config snmp trapreceiver mode enable to enable traps Enter config snmp trapreceiver mode disable to disable traps Step 10 Enter config snmp syscontact syscontact name to configure the name of the SNMP contact Enter up to 31 alphanumeric characters for the contact name Step 11 Enter config snmp syslocation syslocation name to configure the SNMP system location Enter up to 31 alphanumeric characte...

Page 104: ...ommunity Name field enter a unique name containing up to 16 alphanumeric characters Do not enter public or private Step 5 In the next two fields enter the IP address from which this device accepts SNMP packets with the associated community and the IP mask Step 6 Choose Read Only or Read Write from the Access Mode drop down box to specify the access level for this community Step 7 Choose Enable or ...

Page 105: ...or private Step 4 To enter the IP address from which this device accepts SNMP packets with the associated community enter this command config snmp community ipaddr ip_address ip_mask name Step 5 To specify the access level for this community enter this command where ro is read only mode and rw is read write mode config snmp community accessmode ro rw name Step 6 To enable or disable this SNMP comm...

Page 106: ... V3 Users Page Step 2 If default appears in the User Name column click Remove to delete this SNMP v3 user Step 3 Click New to add a new SNMP v3 user The SNMP V3 Users New page appears see Figure 4 4 Figure 4 4 SNMP V3 Users New Page Step 4 In the User Profile Name field enter a unique name Do not enter default Step 5 Choose Read Only or Read Write from the Access Mode drop down box to specify the ...

Page 107: ...acy_password where username is the SNMP v3 username ro is read only mode and rw is read write mode none hmacmd5 and hmacsha are the authentication protocol options none and des are the privacy protocol options auth_password is the authentication password and privacy_password is the privacy password Do not enter default for the username and password parameters Step 4 To save your changes enter save...

Page 108: ...ve logging levels from which you can choose Critical Failure Software Error Authentication or Security Errors Unexpected Software Events Significant System Events When you choose a logging level the system logs messages for that level and for the levels above it For example if you choose Unexpected Software Events the system logs unexpected software events authentication or security errors softwar...

Page 109: ...slog ip_address to enable system logging and set the IP address of the Syslog server Step 2 Enter config msglog level msg_level to set the logging level For msg_level you can enter one of the following five values critical Critical hardware or software failure error Non critical software errors security Authentication or security related errors warning Unexpected software events verbose Significan...

Page 110: ...ding Multicast Mode When you enable multicast mode the controller does not become a member the multicast group When the controller receives a multicast packet from the wired LAN the controller encapsulates the packet using LWAPP and forwards the packet to the LWAPP multicast group address The controller always uses the management interface for sending multicast packets Access points in the multica...

Page 111: ...222 12223 and 12224 Make sure the multicast applications on your network do not use those port numbers Multicast traffic is transmitted at 6 Mbps in an 802 11a network Therefore if several WLANs attempt to transmit at 1 5 Mbps packet loss occurs which breaks the multicast session Enabling Multicast Mode Multicasting is disabled by default Use the commands in Table 4 2 to configure multicast mode o...

Page 112: ...client roaming across access points managed by controllers in the same mobility group on different subnets This roaming is transparent to the client because the session is sustained and a tunnel between the controllers allows the client to continue using the same DHCP assigned or client assigned IP address as long as the session remains active The tunnel is torn down and the client must reauthenti...

Page 113: ...program that defines new protocols and interfaces to improve the overall voice and roaming experience It applies only to Intel clients in a CCX environment Specifically it enables Intel clients to request a neighbor list at will When this occurs the access point forwards the request to the controller The controller receives the request and replies with the current CCX roaming sublist of neighbors ...

Page 114: ...ir default values choose Default and go to Step 8 Step 3 In the Minimum RSSI field enter a value for the minimum received signal strength indicator RSSI required for the client to associate to an access point If the client s average received signal power dips below this threshold reliable communication is usually impossible Therefore clients must already have found and roamed to another access poi...

Page 115: ...orts roaming simply by ensuring a certain minimum overlap distance between access points Range 1 to 10 seconds Default 5 seconds Step 7 Click Apply to commit your changes Step 8 Click Save Configuration to save your changes Step 9 Repeat this procedure if you want to configure client roaming for another radio band 802 11a or 802 11b g Using the CLI to Configure CCX Client Roaming Parameters To con...

Page 116: ...ameter to monitor voice and video quality Each of these parameters is supported in Cisco Compatible Extensions CCX v4 See the Configuring Cisco Client Extensions section on page 6 22 for more information on CCX Note CCX is not supported on the AP1030 Call Admission Control Call admission control CAC enables an access point to maintain controlled quality of service QoS when the wireless LAN is expe...

Page 117: ...d a client device that supports CCX v4 If the client is not CCX v4 compliant only downlink statistics are captured The client and access point measure these metrics The access point also collects the measurements every 5 seconds prepares 90 second reports and then sends the reports to the controller The controller organizes the uplink measurements on a client basis and the downlink measurements on...

Page 118: ...client reaches the value specified the access point rejects new calls on this radio band Range 40 to 85 Default 75 Step 6 In the Reserved Roaming Bandwidth field enter the percentage of maximum allocated bandwidth reserved for roaming voice clients The controller reserves this much bandwidth from the maximum allocated bandwidth for roaming voice clients Range 0 to 25 Default 6 Step 7 To enable TSM...

Page 119: ...To enable video CAC for this radio band check the Admission Control ACM check box The default value is disabled Step 5 In the Max RF Bandwidth field enter the percentage of the maximum bandwidth allocated to clients for video applications on this radio band Once the client reaches the value specified the access point rejects new requests on this radio band Range 0 to 100 However the maximum RF ban...

Page 120: ...etwork Status check box and click Apply Step 9 Click Save Configuration to save your changes Step 10 Repeat this procedure if you want to configure video parameters for another radio band 802 11a or 802 11b g Using the GUI to View Voice and Video Settings Follow these steps to view voice and video settings using the GUI Step 1 Click Wireless Clients to access the Clients page see Figure 4 10 Figur...

Page 121: ... Detail Page This page shows the U APSD status for this client under Quality of Service Properties Step 3 Click Back to return to the Clients page Step 4 Follow these steps to see the TSM statistics for a particular client and the access point to which this client is associated a Click the 802 11aTSM or 802 11b gTSM link for the desired client The Clients AP page appears see Figure 4 12 ...

Page 122: ...ing Controller SettingsWireless Device Access Configuring Voice and Video Parameters Figure 4 12 Clients AP Page b Click the Detail link for the desired access point to access the Clients AP Traffic Stream Metrics page see Figure 4 13 Figure 4 13 Clients AP Traffic Stream Metrics Page ...

Page 123: ...d shows the specific interval when the statistics were collected Step 5 Follow these steps to see the TSM statistics for a particular access point and a particular client associated to this access point a Click Wireless and then click 802 11a Radios or 802 11b g Radios under Access Points The 802 11a Radios or 802 11b g Radios page appears see Figure 4 14 Figure 4 14 802 11a Radios Page b Click th...

Page 124: ...oint and a client associated to it The statistics are shown in 90 second intervals The timestamp field shows the specific interval when the statistics were collected Using the CLI to Configure Voice Parameters Follow these steps to configure voice parameters using the CLI Step 1 Make sure that the WLAN is configured for WMM and the QoS level is set to Platinum See Configuring Quality of Service se...

Page 125: ...SM for the 802 11a or 802 11b g network enter this command config 802 11a 802 11b tsm enable disable Step 8 To enable the radio network enter this command config 802 11a 802 11b enable network Step 9 To save your settings enter this command save config Using the CLI to Configure Video Parameters Follow these steps to configure video parameters using the CLI Step 1 Make sure that the WLAN is config...

Page 126: ... Using the CLI to View Voice and Video Settings Use these commands to view voice and video settings using the CLI 1 To see the CAC configuration for the 802 11a or 802 11b g network enter this command show 802 11a show 802 11b 2 To see the CAC statistics for a particular access point enter this command show ap stats 802 11a 802 11b ap_name Information similar to the following appears Call Admissio...

Page 127: ...cket count 5secs 2 DownLink Stats Average Delay 5sec intervals 35 Delay less than 10 ms 20 Delay bet 10 20 ms 20 Delay bet 20 40 ms 20 Delay greater than 40 ms 20 Total packet Count 80 Total packet lost count 5sec 10 Maximum Lost Packet count 5sec 5 Average Lost Packet count 5secs 2 Note The statistics are shown in 90 second intervals The timestamp field shows the specific interval when the statis...

Page 128: ...tes interfaces Gig9 1 through Gig9 8 The first eight GigabitEthernet interfaces must be organized into two etherchannel bundles of four interfaces each The remaining two GigabitEthernet interfaces are used as service port interfaces one for each controller on the WiSM You must manually create VLANs to communicate with the ports on the WiSM Note The WiSM is also supported on Cisco 7600 Series Route...

Page 129: ...tep 2 interface vlan Create a VLAN to communicate with the data ports on the WiSM and enter interface config mode Step 3 ip address ip address gateway Assign an IP address and gateway to the VLAN Step 4 ip helper address ip address Assign a helper address to the VLAN Step 5 end Return to global config mode Step 6 wism module module_number controller 1 2 allowed vlan vlan_number Create Gigabit port...

Page 130: ...he bootloader When you reset the CNM from a CNM interface you have 17 minutes to use the bootloader before the router automatically resets the CNM The CNM bootloader does not run the Router Blade Configuration Protocol RBCP so the RBCP heartbeat running on the router times out after 17 minutes triggering a reset of the CNM If you reset the CNM from the router the router stops the RBCP heartbeat ex...

Page 131: ...ution Security page 5 2 Configuring the System for SpectraLink NetLink Telephones page 5 4 Using Management over Wireless page 5 6 Configuring DHCP Option 82 page 5 7 Configuring Access Control Lists page 5 8 Configuring Management Frame Protection page 5 13 Configuring Identity Networking page 5 20 Configuring IDS page 5 26 Configuring AES Key Wrap page 5 39 Configuring Maximum Local Database Ent...

Page 132: ...y of add on security solutions has prevented many IT managers from embracing the benefits of the latest advances in WLAN security Layer 1 Solutions The Cisco UWN security solution ensures that all clients gain access within an operator set number of attempts Should a client fail to gain access within that limit it is automatically excluded blocked from access until the operator set timer expires T...

Page 133: ...ce The operating system security solution uses the radio resource management RRM function to continuously monitor all nearby access points automatically discover rogue access points and locate them as described in the Tagging and Containing Rogue Access Points section on page 5 3 Tagging and Containing Rogue Access Points When the Cisco UWN Solution is monitored using WCS WCS generates the flags a...

Page 134: ...imple and easy Configuring the System for SpectraLink NetLink Telephones For best integration with the Cisco UWN Solution SpectraLink NetLink Telephones require an extra operating system configuration step enable long preambles The radio preamble sometimes called a header is a section of data at the head of a packet that contains information that wireless devices need when sending and receiving pa...

Page 135: ... Enable Long Preambles Use this procedure to use the CLI to enable long preambles to optimize the operation of SpectraLink NetLink phones on your wireless LAN Step 1 Log into the controller CLI Step 2 Enter show 802 11b and check the Short preamble mandatory parameter If the parameter indicates that short preambles are enabled continue with this procedure This example shows that short preambles ar...

Page 136: ...ommand Using Management over Wireless The Cisco UWN Solution Management over Wireless feature allows operators to monitor and configure local controllers using a wireless client This feature is supported for all management tasks except uploads to and downloads from transfers to and from the controller Before you can use the Management over Wireless feature you must properly configure the controlle...

Page 137: ...pecifically it enables the controller to act as a DHCP relay agent to prevent DHCP client requests from untrusted sources The controller can be configured to add option 82 information to DHCP requests from clients before forwarding the requests to the DHCP server See Figure 5 1 for an illustration of this process Figure 5 1 DHCP Option 82 The access point forwards all DHCP requests from a client t...

Page 138: ... LAG 29 Primary Physical Port LAG 29 Backup Physical Port Unconfigured Primary DHCP Server 10 1 0 10 Secondary DHCP Server Unconfigured DHCP Option 82 Enabled ACL Unconfigured AP Manager Yes Configuring Access Control Lists An access control list ACL is a set of rules used to limit access to a particular interface for example if you want to restrict a wireless client from pinging the management in...

Page 139: ...ee Figure 5 2 Figure 5 2 Access Control Lists Page This page lists all of the ACLs that have been configured for this controller It also enables you to edit or remove any of the ACLs Step 2 To add a new ACL click New The Access Control Lists New page appears see Figure 5 3 Figure 5 3 Access Control Lists New Page Step 3 In the Access Control List Name field enter a name for the new ACL You can ent...

Page 140: ... For instance if you change a rule s sequence number from 7 to 5 the rules with sequence numbers 5 and 6 are automatically reassigned as 6 and 7 respectively b From the Source drop down box choose one of these options to specify the source of the packets to which this ACL applies Any Any source This is the default value IP Address A specific source If you choose this option enter the IP address an...

Page 141: ...e of these options to specify the differentiated services code point DSCP value of this ACL DSCP is a packet header code that can be used to define the quality of service across the Internet Any Any DSCP This is the default value Specific A specific DSCP from 0 to 63 which you enter in the DSCP edit box g From the Direction drop down box choose one of these options to specify the direction of the ...

Page 142: ...the CLI to Configure Access Control Lists Follow these steps to configure ACLs using the controller CLI Step 1 To see all of the ACLs that are configured on the controller enter this command show acl summary Step 2 To see detailed information for a particular ACL enter this command show acl detailed acl_name Step 3 To add a new ACL enter this command config acl create acl_name You can enter up to ...

Page 143: ...frames by the wireless network infrastructure Management frames can be protected in order to detect adversaries that are invoking denial of service attacks flooding the network with associations and probes interjecting as rogue access points and affecting network performance by attacking the QoS and radio measurement frames MFP also provides a quick and effective means to detect and report phishin...

Page 144: ...ally disabled Once MFP is globally enabled on a controller you can disable and re enable it for individual WLANs and access points Note Access points support MFP in local and monitor modes and in REAP and H REAP modes when the access point is connected to a controller You can configure MFP through either the GUI or the CLI Using the GUI to Configure MFP Follow these steps to configure MFP using th...

Page 145: ...isable or re enable MFP validation for a particular access point after MFP has been enabled globally for the controller a Click Wireless to access the All APs page b Click the Detail link of the desired access point The All APs Details page appears c Uncheck the MFP Frame Validation check box to disable MFP for this access point or check this check box to enable MFP for this access point d Click A...

Page 146: ...ource such as NTP server If the time is set by an external source the value of this field is True If the time is set locally the value is False The time source is used for validating management frames between access points of different controllers that also have mobility configured The MFP Protection field shows if MFP is enabled for individual WLANs The MFP Validation field shows if MFP is enable...

Page 147: ...ese commands to configure MFP using the controller CLI 1 To enable or disable MFP globally for the controller enter this command config wps mfp enable disable 2 If MFP is enabled globally for the controller and you want to disable or re enable it for a particular WLAN enter this command config wlan mfp protection enable disable wlan_id 3 If MFP is enabled globally for the controller and you want t...

Page 148: ...olicy none Enforced preamble policy none Enforced radio type policy none Validate SSID Disabled Alert if Trusted AP is missing Disabled Trusted AP timeout 120 Untrusted AP Policy Rogue Location Discovery Protocol Disabled RLDP Action Alarm Only Automatically contain rogues advertising Alarm Only Detect Ad Hoc Networks Alarm Only Rogue Clients Validate rogue clients against AAA Disabled Detect trus...

Page 149: ...EP Keys Disabled 802 1X Enabled Encryption 104 bit WEP Wi Fi Protected Access WPA1 Disabled Wi Fi Protected Access v2 WPA2 Disabled IP Security Passthru Disabled Web Based Authentication Disabled Web Passthrough Disabled Auto Anchor Disabled Management Frame Protection Enabled 4 To see the current MFP state for a particular access point enter this command show ap config general AP_name Information...

Page 150: ...MIC Invalid Seq No MIC MIC 00 12 44 b0 6a 80 a tester 1000b 28 0 0 0 00 0b 85 56 c2 c0 b g tester 1000b 0 0 3 0 00 14 1b 5b fc 80 a tester 1000b 774 0 0 0 6 Use these commands to obtain MFP debug information debug wps mfp where is one of the following lwapp Shows debug information for MFP messages detail Shows detailed debug information for MFP messages report Shows debug information for MFP repor...

Page 151: ...verrides the QoS value specified in the WLAN profile ACL When the ACL attribute is present in the RADIUS Access Accept the system applies the ACL Name to the client station after it authenticates This overrides any ACLs that are assigned to the interface VLAN When a VLAN Interface Name or VLAN Tag is present in a RADIUS Access Accept the system places the client on a specific interface Note The VL...

Page 152: ...om left to right 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 Type Length Vendor Id Vendor Id cont Vendor type Vendor length QoS Level Type 26 for Vendor Specific Length 10 Vendor Id 14179 Vendor type 2 Vendor length 4 Value Three octets 0 Bronze Background 1 Silver Best Effort 2 Gold Video 3 Platinum Voice ACL Name This attribute indicates the ACL name to be applied to ...

Page 153: ...ty policy VLAN Tag This attribute indicates the group ID for a particular tunneled session and is also known as the Tunnel Private Group ID attribute This attribute might be included in the Access Request packet if the tunnel initiator can predetermine the group resulting from a particular connection and should be included in the Access Accept packet if this tunnel session is to be treated as belo...

Page 154: ...ed VLAN by including tunnel attributes within the Access Accept However the IEEE 802 1X Authenticator may also provide a hint as to the VLAN to be assigned to the Supplicant by including Tunnel attributes within the Access Request For use in VLAN assignment the following tunnel attributes are used Tunnel Type VLAN 13 Tunnel Medium Type 802 Tunnel Private Group ID VLANID Note that the VLANID is 12 ...

Page 155: ...you would like it to return to the controller for example Interface Name QoS Level and VLAN Tag On the controller all you have to do is enable the Allow AAA Override configuration parameter using the GUI or CLI Enabling this flag allows the controller to accept the attributes returned by the RADIUS server The controller then applies these attributes to its clients Note Multicast traffic is not sup...

Page 156: ...network protection by helping to detect classify and stop threats including worms spyware adware network viruses and application abuse Two methods are available to detect IDS attacks IDS sensors see below IDS signatures see page 5 30 Configuring IDS Sensors You can configure IDS sensors to detect various types of IP level attacks in your network When the sensors identify an attack they can alert t...

Page 157: ... of the sensors Step 2 To add an IDS sensor to the list click New The CIDS Sensor Add page appears see Figure 5 11 Figure 5 11 CIDS Sensor Add Page Step 3 The controller supports up to five IPS sensors From the Index drop down box choose a number between 1 and 5 to determine the sequence in which the controller consults the IPS sensors For example if you choose 1 the controller consults this IPS s...

Page 158: ...er a 40 hexadecimal character security key in the Fingerprint field This key is used to verify the validity of the sensor and is used to prevent security attacks Note Do not include the colons that appear between every two bytes within the key For example enter AABBCCDD instead of AA BB CC DD Step 11 Click Apply Your new IDS sensor appears in the list of sensors on the CIDS Sensors List page Step ...

Page 159: ...isable index Step 6 To save your settings enter this command save config Step 7 To view the IDS sensor configuration enter one of these commands show wps cids sensor summary show wps cids sensor detail index The second command provides more information than the first Step 8 To obtain debug information regarding IDS sensor configuration enter this command debug wps cids enable Note If you ever want...

Page 160: ...scovered the client Step 2 Click Re sync to purge and reset the list as desired Using the CLI to View Shunned Clients Follow these steps to view the list of clients that the IDS sensors have identified to be shunned using the controller CLI Step 1 To view the list of clients to be shunned enter this command show wps shun list Step 2 To force the controller to sync up with other controllers in the ...

Page 161: ...wnload IDS signatures using the controller GUI Step 1 If desired create your own custom signature file Step 2 Make sure that you have a Trivial File Transfer Protocol TFTP server available Keep these guidelines in mind when setting up a TFTP server If you are downloading through the service port the TFTP server must be on the same subnet as the service port because the service port is not routable...

Page 162: ...s Default 6 seconds Step 9 In the File Path field enter the path of the signature file to be downloaded or uploaded The default value is Step 10 In the File Name field enter the name of the signature file to be downloaded or uploaded Note When uploading signatures the controller uses the filename you specify as a base name and then adds _std sig and _custom sig to it in order to upload both standa...

Page 163: ...None and Report The state of the signature which indicates whether the signature is enabled to detect security attacks A description of the type of attack that the signature is trying to detect Step 2 Perform one of the following If you want to allow all signatures both standard and custom whose individual states are set to Enabled to remain enabled check the Enable Check for All Standard and Cust...

Page 164: ...nalysis and pattern matching are tracked and reported on a per signature and per channel basis Per MAC Signature analysis and pattern matching are tracked and reported separately for individual client MAC addresses on a per channel basis Per Signature and MAC Signature analysis and pattern matching are tracked and reported on a per signature and per channel basis as well as on a per MAC address an...

Page 165: ... state Step 7 Click Save Configuration to save your changes Using the GUI to View IDS Signature Events Follow these steps to view signature events using the controller GUI Step 1 Click Security and then Signature Events Summary under Wireless Protection Policies The Signature Events Summary page appears see Figure 5 16 Figure 5 16 Signature Events Summary Page This page shows the number of attacks...

Page 166: ...tack was detected The number of access points on the channel on which the attack was detected The day and time when the access point detected the attack Step 3 To see more information for a particular attack click the Detail link for that attack The Signature Events Track Detail page appears see Figure 5 18 Figure 5 18 Signature Events Track Detail Page This page shows the following information Th...

Page 167: ...P servers require only a forward slash as the TFTP server IP address and the TFTP server automatically determines the path to the correct directory Step 7 To specify the download or upload path enter transfer download upload path absolute tftp server path to file Step 8 To specify the file to be downloaded or uploaded enter transfer download upload filename filename sig Note When uploading signatu...

Page 168: ...on similar to the following appears Precedence 1 Signature Name Bcast deauth Type Standard Number of active events 2 Source MAC Addr Track Method Frequency No APs Last Heard 00 01 02 03 04 01 Per Signature 4 3 Tue Dec 6 00 17 44 2005 00 01 02 03 04 01 Per Mac 6 2 Tue Dec 6 00 30 04 2005 4 To see information on attacks that are tracked by access points on a per signature and per channel basis enter...

Page 169: ...y Wrap To configure a controller to use AES key wrap using the GUI follow these steps Step 1 Click Security AAA RADIUS Authentication to access the RADIUS Authentication Servers page Step 2 To enable AES key wrap check the Use AES Key Wrap check box Step 3 Click Apply Step 4 Click Save Configuration Step 5 Click New to configure a new RADIUS authentication server or click the Edit link of one of t...

Page 170: ...ng the CLI to Configure AES Key Wrap To configure a controller to use AES key wrap using the CLI follow these steps Step 1 To enable the use of AES key wrap attributes enter this command config radius auth keywrap enable Step 2 To configure AES key wrap attributes enter this command config radius auth keywrap add ascii hex index The index attribute specifies the index of the RADIUS authentication ...

Page 171: ...atabase Entries To configure a controller to use the maximum local database entries using the GUI follow these steps Step 1 Click Security AAA General to open the General page see Figure 5 20 Step 2 Type the desired maximum value in the Maximum Local Database entries field The range of possible values is 512 to 2048 which also includes any configured MAC filter entries The default value is 2048 Fi...

Page 172: ...5 42 Cisco Wireless LAN Controller Configuration Guide OL 9141 03 Chapter 5 Configuring Security Solutions Configuring Maximum Local Database Entries ...

Page 173: ...ntroller Configuration Guide OL 9141 03 6 Configuring WLANsWireless Device Access This chapter describes how to configure up to 16 WLANs for your Cisco UWN Solution It contains these sections WLAN Overview page 6 2 Configuring WLANs page 6 2 ...

Page 174: ...ating WLANs page 6 3 Configuring DHCP page 6 3 Configuring MAC Filtering for WLANs page 6 6 Assigning WLANs to VLANs page 6 6 Configuring Layer 2 Security page 6 7 Configuring Layer 3 Security page 6 14 Configuring 802 3 Bridging page 6 17 Configuring Quality of Service page 6 17 Configuring Cisco Client Extensions page 6 22 Configuring Access Point Groups page 6 26 Configuring Multiple WLANs with...

Page 175: ...mbers of the same VLAN you must disable the WLAN before making a port mapping change to either interface If the management and AP manager interfaces are assigned to different VLANs you do not need to disable the WLAN Enter config wlan enable wlan id to enable a WLAN Enter config wlan delete wlan id to delete a WLAN Activating WLANs After you have completely configured your WLAN settings enter conf...

Page 176: ...for instructions on configuring management over wireless Per Interface Assignment You can assign DHCP servers for individual interfaces The Layer 2 management interface Layer 3 AP manager interface and dynamic interfaces can be configured for a primary and secondary DHCP server and the service port interface can be configured to enable or disable DHCP servers Note Refer to Chapter 3 for informatio...

Page 177: ...address for this WLAN Step 7 Under General Policies check the Admin Status check box Step 8 Click Apply to assign the DHCP server to the WLAN and to enable the WLAN You are returned to the WLANs page Step 9 In the upper right corner of the WLANs page click Ping and enter the DHCP server IP address to verify that the WLAN can communicate with the DHCP server Using the CLI to Configure DHCP Follow t...

Page 178: ...o a WLAN MAC filter Enter show macfilter to verify that MAC addresses are assigned to the WLAN Configuring a Timeout for Disabled Clients You can configure a timeout for disabled clients Clients who fail to authenticate three times when attempting to associate are automatically disabled from further association attempts After the timeout period expires the client is allowed to retry authentication...

Page 179: ...4 128 or 128 152 bit WEP keys config wlan security static wep key encryption wlan id 40 104 128 hex ascii key key index Use the 40 104 or 128 options to specify 40 64 bit 104 128 bit or 128 152 bit encryption The default setting is 104 128 Use the hex or ascii option to specify the character format for the WEP key Enter 10 hexadecimal digits any combination of 0 9 a f or A F or five printable ASCI...

Page 180: ...ap request timeout Configures the EAP request timeout value in seconds The default setting is 1 second config advanced eap request retries Configures the EAP request maximum retries value The default setting is 2 show advanced eap Shows the values that are currently configured for the config advanced eap commands Information similar to the following appears EAP Identity Request Timeout seconds 1 E...

Page 181: ...ed solutions CCKM is a CCXv4 compliant feature If CCKM is selected only CCKM clients are supported Note The 4 0 release of controller software supports CCX versions 1 through 4 CCX support is enabled automatically for every WLAN on the controller and cannot be disabled The controller stores the CCX version of the client in its client database and uses it to limit client functionality Clients must ...

Page 182: ... boxes to enable both WPA1 and WPA2 Note The default value is disabled for both WPA1 and WPA2 If you leave both WPA1 and WPA2 disabled the access points advertise in their beacons and probe responses information elements only for the authentication key management method you choose in Step 6 Step 5 Check the AES check box to enable AES data encryption or the TKIP check box to enable TKIP data encry...

Page 183: ...e WLAN config wlan security wpa wpa1 enable disable wlan_id Step 4 Enter this command to enable or disable WPA2 for the WLAN config wlan security wpa wpa2 enable disable wlan_id Step 5 Enter these commands to enable or disable AES or TKIP data encryption for WPA1 or WPA2 config wlan security wpa wpa1 ciphers aes tkip enable disable wlan_id config wlan security wpa wpa2 ciphers aes tkip enable disa...

Page 184: ... the current initialization vector IV to create a new key MMH MIC prevents bit flip attacks on encrypted packets by using a hash function to compute message integrity code The CKIP settings specified in a WLAN are mandatory for any client attempting to associate If the WLAN is configured for both CKIP key permutation and MMH MIC the client must support both If the WLAN is configured for only one o...

Page 185: ...P from the Layer 2 Security drop down box Step 6 Under CKIP Parameters choose the length of the CKIP encryption key from the Key Size drop down box Range Not Set 40 bits or 104 bits Default Not Set Step 7 Choose the number to be assigned to this key from the Key Index drop down box You can configure up to four keys Step 8 Choose ASCII or HEX from the Key Format drop down box and then enter an encr...

Page 186: ... IEs for this WLAN config wlan ccx aironet ie enable wlan_id Step 3 Enter this command to enable or disable CKIP for the WLAN config wlan security ckip enable disable wlan_id Step 4 Enter this command to specify a CKIP encryption key for the WLAN config wlan security ckip akm psk set key wlan_id 40 104 hex ascii key key_index Step 5 Enter this command to enable or disable CKIP MMH MIC for the WLAN...

Page 187: ...he WLANs window select the Edit link next to the WLAN for which you want to configure VPN passthrough The WLANs Edit page appears Step 3 Select VPN Passthrough from the Layer 3 Security drop down menu right hand Step 4 Check the Web Policy box and the Passthrough option that appears Figure 6 3 Figure 6 3 WLANs Edit Page top Step 5 Scroll to the bottom of the WLAN Edit window to enter the VPN Gatew...

Page 188: ...cation Web authentication is simple to set up and use and can be used with SSL to improve the overall security of the WLAN The use of Web authentication requires Microsoft Internet Explorer with Active Scripts enabled Enter these commands to enable web authentication for a WLAN config wlan security web enable disable wlan id Enter show wlan to verify that web authentication is enabled Local Netuse...

Page 189: ... commands to configure 802 3 bridging using the controller CLI 1 To enable or disable 802 3 bridging globally on all WLANs enter this command config network 802 3 bridging enable disable The default value is disabled 2 To see the current status of 802 3 bridging for all WLANs enter this command show network Configuring Quality of Service Cisco UWN Solution WLANs support four levels of QoS Platinum...

Page 190: ...n allows client devices to use WMM on the WLAN The required option requires client devices to use WMM devices that do not support WMM cannot join the WLAN Note Do not enable WMM mode if Cisco 7920 phones are used on your network Table 6 1 Access Point QoS Translation Values AVVID 802 1p UP Based Traffic Type AVVID IP DSCP AVVID 802 1p UP IEEE 802 11e UP Network control 7 Inter network control LWAP...

Page 191: ...pport mode for phones that require access point controlled CAC config wlan 7920 support ap cac limit enabled disabled wlan id QBSS Information Elements Sometimes Degrade 7920 Phone Performance If your WLAN contains both 1000 series access points and Cisco 7920 wireless phones do not enable the WMM or AP CAC LIMIT QBSS information elements Do not enter either of these commands config wlan 7920 supp...

Page 192: ...option Step 6 To define the peak data rate for TCP traffic on a per user basis enter the rate in Kbps in the Burst Data Rate field A value of 0 disables this option Step 7 To define the average real time rate for UDP traffic on a per user basis enter the rate in Kbps in the Average Real Time Rate field A value of 0 disables this option Step 8 To define the peak real time rate for UDP traffic on a ...

Page 193: ...nter this command config qos description bronze silver gold platinum description Step 3 To define the average data rate in Kbps for TCP traffic on a per user basis enter this command config qos average data rate bronze silver gold platinum rate Step 4 To define the peak data rate in Kbps for TCP traffic on a per user basis enter this command config qos burst data rate bronze silver gold platinum r...

Page 194: ...pport CCX CCX support is enabled automatically for every WLAN on the controller and cannot be disabled However you can configure a specific CCX feature per WLAN This feature is Aironet information elements IEs If Aironet IE support is enabled the access point sends an Aironet IE 0x85 which contains the access point name load number of associated clients and so on in the beacon and probe responses ...

Page 195: ...e Access Configuring WLANs Figure 6 6 WLANs Edit Page Step 3 Check the Aironet IE check box if you want to enable support for Aironet IEs for this WLAN Otherwise uncheck this check box The default value is enabled or checked Step 4 Click Apply to commit your changes Step 5 Click Save Configuration to save your changes ...

Page 196: ... CCX version supported by a particular client device using the GUI Step 1 Click Wireless Clients to access the Clients page Step 2 Click the Detail link for the desired client device to access the Clients Detail page see Figure 6 7 Figure 6 7 Clients Detail Page The CCX Version field shows the CCX version supported by this client device Not Supported appears if the client does not support CCX Step...

Page 197: ...le WLAN Override Follow these steps to enable the WLAN Override option Step 1 Click Wireless to access the Wireless page Step 2 Click 802 11a Radios or 802 11b g Radios under Access Points to list the corresponding access points Step 3 Click the Configure link for the desired access point Step 4 Choose Enable from the WLAN Override drop down box to enable this option and display a list of the avai...

Page 198: ...tting to distribute the load among several interfaces or to group users based on specific criteria such as individual departments for example marketing by creating access point groups formerly known as site specific VLANs Additionally these access point groups can be configured in separate VLANs to simplify network administration as illustrated in the example in Figure 6 9 Note The required access...

Page 199: ...o the desired VLANs For example to implement the network in Figure 6 9 create dynamic interfaces for VLANs 61 62 and 63 on the controller Refer to Chapter 3 Configuring Ports and Interfaces for more information about how to configure dynamic interfaces 2 Create the access point groups Refer to the Creating Access Point Groups section on page 6 27 3 Assign access points to the appropriate access po...

Page 200: ...ss point group to a WLAN choose its ID from the WLAN SSID drop down box Step 9 To map the access point group to an interface choose its name from the Interface Name drop down box Step 10 Click Add Interface Mapping to add WLAN to interface mappings to the group Figure 6 11 AP Groups VLAN Page Step 11 When you are done adding your interface mappings click Apply Step 12 Repeat Steps 4 through 11 to ...

Page 201: ...s to these groups Using the GUI to Assign Access Points to Access Point Groups To assign an access point to an access point group follow these steps Step 1 Click Wireless Access Points All APs Step 2 Click the Detail link for the access point Step 3 Select the access point group from the AP Group Name drop down box see Figure 6 12 Figure 6 12 All APs Details Page Step 4 Click Apply Step 5 Click Sa...

Page 202: ...able Layer 2 security policies None open WLAN Static WEP or 802 1X Note Because static WEP and 802 1X are both advertised by the same bit in beacon and probe responses they cannot be differentiated by clients Therefore they cannot both be used by multiple WLANs with the same SSID CKIP WPA WPA2 Note Although WPA and WPA2 cannot both be used by multiple WLANs with the same SSID two WLANs with the sa...

Page 203: ...file name and SSID of the WLAN Figure 6 15 WLANs Edit Page Addition to the Controller CLI In release 4 0 206 0 the command for creating a WLAN has expanded to allow the addition of the profile name in the command Note The config wlan enable wlan_id and config wlan delete wlan_id commands do not require the profile name to be specified Their format has not changed The new command for creating a WLA...

Page 204: ...client The client is not considered fully authorized at this point and is only allowed to pass traffic allowed by the preauthentication ACL After the client completes a particular operation at the specified URL for example changing a password or paying a bill it must reauthenticate When the RADIUS server does not return a url redirect the client is considered fully authorized and allowed to pass t...

Page 205: ...WLANs Figure 6 16 ACS Server Configuration Step 4 Check the 009 001 cisco av pair check box Step 5 Enter the following Cisco AV pairs in the 009 001 cisco av pair edit box to specify the URL to which the user is redirected and the conditions under which the redirect takes place respectively url redirect http url url redirect acl acl_name ...

Page 206: ...licy check box under Layer 3 Security Step 5 Choose Conditional Web Redirect to enable this feature The default value is disabled unchecked box Step 6 If the user is to be redirected to a site external to the controller choose the ACL that was configured on your RADIUS server from the Preauthentication ACL drop down list Step 7 Click Apply to commit your changes Step 8 Click Save Configuration to ...

Page 207: ...ervers on a WLAN Disabling accounting servers disables all accounting operations and prevents the controller from falling back to the default RADIUS server for the WLAN Follow these steps to disable all accounting servers for a RADIUS authentication server Step 1 Click WLANs Step 2 Select the edit link next to WLAN to be modified The WLANs Edit page appears Step 3 Scroll down to the RADIUS servers...

Page 208: ...6 36 Cisco Wireless LAN Controller Configuration Guide OL 1926 06OL 9141 03 Chapter 6 Configuring WLANsWireless Device Access Configuring WLANs ...

Page 209: ...age 7 2 Cisco 1000 Series Lightweight Access Points page 7 4 Cisco Aironet 1510 Series Lightweight Outdoor Mesh Access Points page 7 9 Autonomous Access Points Converted to Lightweight Mode page 7 19 Dynamic Frequency Selection page 7 24 Retrieving the Unique Device Identifier on Controllers and Access Points page 7 25 Performing a Link Test page 7 27 Configuring Cisco Discovery Protocol page 7 31...

Page 210: ...cess point and uses encapsulated Ethernet frames containing MAC addresses for communications between the access point and the controller Layer 2 LWAPP discovery is not suited for Layer 3 environments Over the air provisioning OTAP This feature is supported by Cisco 4400 series controllers If this feature is enabled on the controller all associated access points transmit wireless LWAPP neighbor mes...

Page 211: ...within the network infrastructure Ask your network administrator for more information about this step Step 3 Restart the access points Step 4 Once all the access points have joined the new controller configure the controller not to be a master controller by unchecking the Master Controller Mode check box in the GUI Verifying that Access Points Join the Controller Using the CLI Follow these steps t...

Page 212: ...for external antennas Figure 7 1 1000 Series Lightweight Access Points The Cisco WLAN Solution also offers 802 11a b g Cisco 1030 Remote Edge Lightweight Access Points which are Cisco 1000 series lightweight access points designed for remote deployment Radio Resource Management RRM control via a WAN link and which include connectors for external antennas The Cisco 1000 series lightweight access po...

Page 213: ... data through other Cisco 1030 remote edge lightweight access points on its local subnet However it cannot take advantage of features accessed from the Cisco Wireless LAN Controller such as establishing new VLANs until communication is reestablished The Cisco 1030 remote edge lightweight access point includes the traditional SOHO small office home office AP processing power and thus can continue o...

Page 214: ...Point External and Internal Antennas The Cisco 1000 series lightweight access point enclosure contains one 802 11a or one 802 11b g radio and four two 802 11a and two 802 11b g high gain antennas which can be independently enabled or disabled to produce a 180 degree sectorized or 360 degree omnidirectional coverage area Note Cisco 1000 series lightweight access points must use the factory supplied...

Page 215: ...arly any angle The LEDs indicate power and fault status 2 4 GHz 802 11b g Cisco Radio activity and 5 GHz 802 11a Cisco Radio activity This LED display allows the wireless LAN manager to quickly monitor the Cisco 1000 series lightweight access point status For more detailed troubleshooting instructions refer to the hardware installation guide for the access point Cisco 1000 Series Lightweight Acces...

Page 216: ...e 48 VDC the connector is center positive Because the power supply on the access point is isolated a negative 48 volt supply could be used In this case the ground side of the supply would go to the center pole tip and the negative 48 volt side would go to the outside ring portion Cisco 1000 series lightweight access points can receive power from the external power supply which draws power from a 1...

Page 217: ... Access Point hereafter called AP1510 is a wireless device designed for wireless client access and point to point bridging point to multipoint bridging and point to multipoint mesh wireless connectivity The outdoor access point is a standalone unit that can be mounted on a wall or overhang on a rooftop pole or on a street light pole It is a self contained outdoor unit that can be configured with a...

Page 218: ...10 MAC address must be entered into the MAC filter list database to ensure that the access points are authorized to use the controller Each controller to which the access point may connect must have its MAC address entered into the database The MAC filter list works in conjunction with the certificate that is stored in the access point s nonvolatile memory to provide strong security for access poi...

Page 219: ...sh network refer to the Cisco Mesh Networking Solution Deployment Guide You can find this document at this URL http www cisco com en US products ps6548 prod_technical_reference_list html Before deploying the AP1510 you must perform three procedures on the controller to ensure proper operation Add the MAC address of the access point to the controller filter list page 7 12 Configure mesh parameters ...

Page 220: ...atabase of access points authorized to use the controller You can add the access point using either the GUI or the CLI Note You can also download the list of access point MAC addresses and push them to the controller using the Cisco Wireless Control System WCS Refer to the Cisco Wireless Control System Configuration Guide for instructions Using the GUI to Add the MAC Address of the Access Point to...

Page 221: ...rface to which the access point is to connect Step 7 Click Apply to commit your changes The access point now appears in the list of MAC filters on the MAC Filtering page Step 8 Click Save Configuration to save your changes Step 9 Repeat this procedure to add the MAC addresses of additional access points to the list Using the CLI to Add the MAC Address of the Access Point to the Controller Filter L...

Page 222: ...l new access points upon connecting Range 150 to 132 000 feet Default 12 000 feet Note Cisco recommends that you set all controllers in the mesh network to the same value Step 3 Check the Enable Zero Touch Configuration check box to enable the access points to get the shared secret key from the controller If you uncheck the check box the controller does not provide the shared secret key and the ac...

Page 223: ...uration enter this command config network zero config This command enables the access points to get the shared secret key from the controller If you do not enable zero touch configuration the controller does not provide the shared secret key and the access points use a default pre shared key for secure communication Step 3 If you enabled zero touch configuration the controller automatically provid...

Page 224: ... set to youshouldsetme Step 4 To configure the mesh security timer enter this command config mesh security timer timer where timer is a value between 0 and 24 hours After you enter this command all of the MAPs reboot with the security timer set Step 5 To see the length of time set for the mesh security timer enter this command show mesh security timer Information similar to the following appears B...

Page 225: ...2 11a Step 3 Under Bridging Information choose one of the following options to specify the role of this access point in the mesh network MeshAP Choose this option if the AP1510 has a wireless connection to the controller This is the default setting in software release 4 0 RootAP Choose this option if the AP1510 has a wired connection to the controller Note If you upgrade to software release 4 0 fr...

Page 226: ...using the controller CLI Step 1 To specify that your AP1510 has bridge functionality enter this command config ap mode bridge Cisco_AP Step 2 To specify the role of this access point in the mesh network enter this command config ap role rootAP meshAP Cisco_AP Use the meshAP parameter if the AP1510 has a wireless connection to the controller this is the default setting in software release 4 0 or us...

Page 227: ...key hash to the second controller on the Cisco WiSM by copying the SSC key hash from the first controller to the second controller To copy the SSC key hash open the AP Policies page of the controller GUI Security AAA AP Policies and copy the SSC key hash from the SHA1 Key Hash column under AP Authorization List see Figure 7 8 Then using the second controller s GUI open the same page and paste the ...

Page 228: ...s converted to lightweight mode do not support Layer 2 LWAPP Access Points converted to lightweight mode must get an IP address and discover the controller using DHCP DNS or IP subnet broadcast After you convert an access point to lightweight mode the console port provides read only access to the unit The 1130AG and 1240AG access points support hybrid REAP mode See Chapter 12 for details Reverting...

Page 229: ...ted to Lightweight Mode section on page 7 24 to check the status of the access point MODE button Step 7 Hold the MODE button until the status LED turns red approximately 20 to 30 seconds and release the MODE button Step 8 Wait until the access point reboots as indicated by all LEDs turning green followed by the Status LED blinking green Step 9 After the access point reboots reconfigure the access ...

Page 230: ...ommands to Access Points Converted to Lightweight Mode Enter this command to enable the controller to send debug commands to an access point converted to lightweight mode config ap remote debug enable disable exc command Cisco_AP When this feature is enabled the controller sends debug commands to the converted access point as character strings You can send any debug command supported by Cisco Airo...

Page 231: ...om Converted Access Points By default access points converted to lightweight mode do not send memory core dumps to the controller To enable this feature enter this command config ap core dump enable tftp server ip address filename compress uncompress ap name all For tftp server ip address enter the IP address of the TFTP server to which the access point sends core files The access point must be ab...

Page 232: ...ap name CLI command correctly shows that the access point is using a fallback IP address However the GUI shows both the static IP address and the DHCP address but it does not identify the DHCP address as a fallback address Dynamic Frequency Selection The Cisco UWN Solution complies with regulations that require radio devices to use Dynamic Frequency Selection DFS to detect radar signals and avoid ...

Page 233: ...network manager Retrieving the Unique Device Identifier on Controllers and Access Points The unique device identifier UDI standard uniquely identifies products across all Cisco hardware product families enabling customers to identify and track Cisco products throughout their business and network operations and to automate their asset management systems The standard is consistent across all electro...

Page 234: ...r on Controllers and Access Points Follow these steps to retrieve the UDI on controllers and access points using the GUI Step 1 Click Controller Inventory to access the Inventory page see Figure 7 9 Figure 7 9 Inventory Page This page shows the five data elements of the controller UDI Step 2 Click Wireless to access the All APs page Step 3 Click the Detail link for the desired access point The All...

Page 235: ...cified Performing a Link Test A link test is used to determine the quality of the radio link between two devices Two types of link test packets are transmitted during a link test request and response Any radio receiving a link test request packet fills in the appropriate fields and echoes the packet back to the sender with the response type set The radio link quality in the client to access point ...

Page 236: ...ge Signal quality in the form of SNR minimum maximum and average Total number of packets that are retried Maximum retry count for a single packet Number of lost packets Data rate of a successfully transmitted packet The controller shows this metric regardless of direction Link test request reply round trip time minimum maximum and average The 4 0 release of controller software supports CCX version...

Page 237: ...s to run a link test using the GUI Step 1 Click Wireless Clients to access the Clients page see Figure 7 11 Figure 7 11 Clients Page Step 2 Click the LinkTest link for the desired client A link test page appears see Figure 7 12 Note You can also access this screen by clicking the Detail link for the desired client and then clicking the Link Test button on the top of the Clients Detail page ...

Page 238: ...abled on both the controller and the client being tested information similar to the following appears CCX Link Test to 00 0d 88 c5 8a d1 Link Test Packets Sent 20 Link Test Packets Received 10 Link Test Packets Lost Total AP to Client Client to AP 10 5 5 Link Test Packets round trip time min max average 5ms 20ms 15ms RSSI at AP min max average 60dBm 50dBm 55dBm RSSI at Client min max average 50dBm...

Page 239: ...e value is 180 seconds The second and latest version of the protocol CDPv2 introduces new time length values TLVs and provides a reporting mechanism that allows for more rapid error tracking thereby reducing down time CDPv1 and CDPv2 are supported on the following devices 2000 2100 and 4400 series controllers Note CDP is not supported on the controllers that are integrated into Cisco switches and ...

Page 240: ...o specify the holdtime that would be advertised as the time to live value in generated CDP packets enter this command config cdp holdtime seconds The range is 10 to 255 seconds and the default value is 180 seconds 4 To specify the highest CDP version supported on the controller enter this command config cdp advertise v1 v2 The default value is CDPv1 5 To enable or disable CDP on all access points ...

Page 241: ...ter this command show cdp traffic 5 To see the CDP status for a specific access point enter this command show ap cdp Cisco_AP 6 To see the CDP status for all access points that are connected to this controller enter this command show ap cdp all Use these commands to obtain CDP debug information for the controller 1 To obtain debug information related to CDP packets enter this command debug cdp pac...

Page 242: ...650XM 2651XM 2691 2811 2821 2851 3620 3631 telco 3640 3660 3725 3745 3825 and 3845 Uncheck the Pre Standard State check box if power is being provided by a power injector or by a switch not on the above list Step 3 Check the Power Injector State check box if the attached switch does not support IPM and a power injector is being used If the attached switch supports IPM you do not need to check this...

Page 243: ...on causes the Injector Switch MAC Address parameter to appear The Injector Switch MAC Address parameter allows the remembered MAC address to be modified by hand Choose this option if you know the MAC address of the connected switch port and do not wish to automatically detect it using the Installed option Step 5 Click Apply to commit your changes Step 6 Click Save Configuration to save your settin...

Page 244: ...access point enter this command config ap remote debug exc command led flash disable Cisco_AP This command disables LED flashing immediately For example if you run the previous command with the seconds parameter set to 60 seconds and then disable LED flashing after only 20 seconds the access point s LEDs stop flashing immediately Authorizing Access Points Using MICs You can configure controllers t...

Page 245: ...bes how to manage configurations and software versions on the controllers It contains these sections Transferring Files to and from a Controller page 8 2 Upgrading Controller Software page 8 2 Saving Configurations page 8 4 Clearing the Controller Configuration page 8 5 Erasing the Controller Configuration page 8 5 Resetting the Controller page 8 5 ...

Page 246: ...of its lights blinks in succession Note In release 4 0 206 0 up to10 access points can be concurrently upgraded from the controller Caution Do not power down the controller or any access point during this process otherwise you might corrupt the software image Upgrading a controller with a large number of access points can take as long as 30 minutes depending on the size of your network However wit...

Page 247: ...erver must be on the same subnet as the service port because the service port is not routable If you are downloading through the distribution system network port the TFTP server can be on the same or a different subnet because the distribution system port is routable A third party TFTP server cannot run on the same computer as the Cisco WCS because the WCS built in TFTP server and the third party ...

Page 248: ...py of RTOS Writing new RTOS to flash Making backup copy of Code Writing new Code to flash TFTP File transfer operation completed successfully Please restart the switch reset system for update to complete Step 8 The controller now has the code update in active volatile RAM but you must enter reset system to save the code update to non volatile NVRAM and reboot the Cisco Wireless LAN Controller rese...

Page 249: ...nfirmation prompt enter y to save configuration changes to NVRAM The controller reboots Step 2 When you are prompted for a username enter recover config to restore the factory default configuration The controller reboots and the configuration wizard starts automatically Step 3 Follow the instructions in the Using the Configuration Wizard section on page 4 2 to complete the initial configuration Re...

Page 250: ...8 6 Cisco Wireless LAN Controller Configuration Guide OL 9141 03 Chapter 8 Managing Controller Software and Configurations Resetting the Controller ...

Page 251: ...ains how to create and manage guest user accounts describes the web authentication process and provides instructions for customizing the web authentication login window It contains these sections Creating Guest User Accounts page 9 2 Web Authentication Process page 9 7 Choosing the Web Authentication Login Window page 9 9 ...

Page 252: ... accounts remain active After the specified time elapses the guest user accounts expire automatically The local user database is limited to a maximum of 2048 entries and is set to a default value of 512 entries on the Security General page This database is shared by local management users including lobby ambassadors net users including guest users MAC filter entries and disabled clients Together t...

Page 253: ...igure 9 2 Management Local Management Users New Page Step 3 In the User Name field enter a username for the lobby ambassador account Note Management usernames must be unique because they are stored in a single database Step 4 In the Password and Confirm Password fields enter a password for the lobby ambassador account Note Passwords are case sensitive Step 5 Choose LobbyAdmin from the User Access ...

Page 254: ...ts as a Lobby Ambassador A lobby ambassador would follow these steps to create guest user accounts Note A lobby ambassador cannot access the controller CLI interface and therefore can create guest user accounts only from the controller GUI Step 1 Log into the controller as the lobby ambassador using the username and password specified in the Creating a Lobby Ambassador Account section above The Lo...

Page 255: ...ence For example if a WLAN session timeout is due to expire in 30 minutes but the guest account lifetime has 10 minutes remaining the account is deleted in 10 minutes upon guest account expiry Similarly if the WLAN session timeout expires before the guest account lifetime the client experiences a recurring session timeout that requires reauthentication Note You can change a guest user account with...

Page 256: ... using that account s username are deleted Step 9 Repeat this procedure to create any additional guest user accounts Viewing Guest User Accounts After a lobby ambassador has created guest user accounts the system administrator can view them from the controller GUI or CLI Using the GUI to View Guest Accounts To view guest user accounts using the controller GUI click Security and then Local Net User...

Page 257: ... and password When you use web authentication to authenticate clients you must define a username and password for each client Then when the clients attempt to join the wireless LAN their users must enter the username and password when prompted by a login window When web authentication is enabled under WLAN Security Policies users might receive a web browser security alert the first time that they ...

Page 258: ...the Web Authentication Login Window section on page 9 9 provides instructions for choosing how the web authentication login window appears When the user enters a valid username and password on the web authentication login window and clicks Submit the web authentication system displays a successful login window and redirects the authenticated client to the requested URL Figure 9 9 shows a typical s...

Page 259: ...Window from an External Web Server page 9 13 Downloading a Customized Web Authentication Login Window page 9 14 Choosing the Default Web Authentication Login Window If you want to use the default web authentication login window as is see Figure 9 8 or with a few modifications follow the instructions in the GUI or CLI procedure below Using the GUI to Choose the Default Web Authentication Login Wind...

Page 260: ... as necessary to achieve your desired results Using the CLI to Choose the Default Web Authentication Login Window Step 1 To specify the default web authentication type enter this command config custom web webauth_type internal Step 2 If you want to use the default web authentication login window as is go to Step 7 If you want to modify the default login window go to Step 3 Step 3 To show or hide t...

Page 261: ...180 pixels wide and 360 pixels high d To specify the download mode enter transfer download mode tftp e To specify the type of file to be downloaded enter transfer download datatype image f To specify the IP address of the TFTP server enter transfer download serverip tftp server ip address Note Some TFTP servers require only a forward slash as the TFTP server IP address and the TFTP server automati...

Page 262: ...logo disable config custom web webtitle Welcome to the AcompanyBC Wireless LAN config custom web webmessage Contact the System Administrator for a Username and Password transfer download start Mode TFTP Data Type Login Image TFTP Server IP xxx xxx xxx xxx TFTP Path TFTP Filename Logo gif This may take some time Are you sure you want to start y n y TFTP Image transfer starting Image installed confi...

Page 263: ...trol list ACL on the WLAN for the external web server and then choose this ACL as the WLAN preauthentication ACL under Security Policies Web Policy on the WLANs Edit page See Chapter 5 Configuring Access Control Lists for more information on ACLs Using the GUI to Choose a Customized Web Authentication Login Window from an External Web Server Step 1 Click Security Web Login Page to access the Web L...

Page 264: ...tions in the Using the CLI to Verify the Web Authentication Login Window Settings section on page 9 17 to verify your settings Downloading a Customized Web Authentication Login Window You can compress the page and image files used for displaying a web authentication login window into a tar file for download to a controller These files are known as the webauth bundle The maximum allowed size of the...

Page 265: ...Copy the tar file containing your login page to the default directory on your TFTP server Step 3 Click Commands Download File to access the Download File to Controller page see Figure 9 13 Figure 9 13 Download File to Controller Page Step 4 From the File Type drop down box choose Webauth Bundle Step 5 In the IP Address field enter the IP address of the TFTP server Step 6 In the Maximum Retries fie...

Page 266: ...ransfer download mode tftp Step 4 To specify the type of file to be downloaded enter transfer download datatype webauthbundle Step 5 To specify the IP address of the TFTP server enter transfer download serverip tftp server ip address Note Some TFTP servers require only a forward slash as the TFTP server IP address and the TFTP server automatically determines the path to the correct directory Step ...

Page 267: ...login window This example shows the information that appears when the configuration settings are set to default values Cisco Logo Enabled CustomLogo Disabled Custom Title Disabled Custom Message Disabled Custom Redirect URL Disabled Web Authentication Mode Disabled Web Authentication URL Disabled This example shows the information that appears when the configuration settings have been modified Cis...

Page 268: ...9 18 Cisco Wireless LAN Controller Configuration Guide OL 9141 03 Chapter 9 Managing User Accounts Choosing the Web Authentication Login Window ...

Page 269: ...e it on the controllers It contains these sections Overview of Radio Resource Management page 10 2 Overview of RF Groups page 10 5 Configuring an RF Group page 10 6 Viewing RF Group Status page 10 8 Enabling Rogue Access Point Detection page 10 12 Configuring Dynamic RRM page 10 15 Overriding Dynamic RRM page 10 23 Viewing Additional RRM Settings Using the CLI page 10 28 Configuring CCX Radio Mana...

Page 270: ...rms these functions Radio resource monitoring Dynamic channel assignment Dynamic transmit power control Coverage hole detection and correction Client and network load balancing Radio Resource Monitoring RRM automatically detects and configures new controllers and lightweight access points as they are added to the network It then automatically adjusts associated and nearby lightweight access points...

Page 271: ...ile maintaining system capacity If a channel is unusable due to excessive noise that channel can be avoided 802 11 Interference Interference is any 802 11 traffic that is not part of your wireless LAN including rogue access points and neighboring wireless networks Lightweight access points constantly scan all channels looking for sources of interference If the amount of 802 11 interference exceeds...

Page 272: ...ansmit power levels Coverage Hole Detection and Correction RRM s coverage hole detection feature can alert you to the need for an additional or relocated lightweight access point If clients on a lightweight access point are detected at signal to noise ratio SNR levels that are lower than the thresholds specified in the Auto RF configuration the access point sends a coverage hole alert to the contr...

Page 273: ...as an RF domain is a cluster of controllers that coordinates its dynamic RRM calculations on a per 802 11 network basis An RF group exists for each 802 11 network type Clustering controllers into RF groups enables the RRM algorithms to scale beyond a single controller Lightweight access points periodically send out neighbor messages over the air The RRM algorithms use a shared secret that is confi...

Page 274: ...tails RF Group Name A controller is configured with an RF group name which is sent to all access points joined to the controller and used by the access points as the shared secret for generating the hashed MIC in the neighbor messages To create an RF group you simply configure all of the controllers to be included in the group with the same RF group name You can include up to 20 controllers and 10...

Page 275: ...o create an RF group using the GUI Step 1 Click Controller General to access the General page see Figure 10 1 Figure 10 1 General Page Step 2 Enter a name for the RF group in the RF Network Name field The name can contain up to 19 ASCII characters Step 3 Click Apply to commit your changes Step 4 Click Save Configuration to save your changes Step 5 Repeat this procedure for each controller that you...

Page 276: ...ew the RF group Step 3 Enter save config to save your settings Step 4 Repeat this procedure for each controller that you want to include in the RF group Viewing RF Group Status This section provides instructions for viewing the status of the RF group through either the GUI or the CLI Note You can also view the status of RF groups using the Cisco Wireless Control System WCS Refer to the Cisco Wirel...

Page 277: ...s Device Access Viewing RF Group Status Figure 10 2 All APs Page Step 2 Under 802 11a or 802 11b g click Network to access the 802 11a or 802 11b g Global Parameters page see Figure 10 3 Figure 10 3 802 11a Global Parameters Page Step 3 Click Auto RF to access the 802 11a or 802 11b g Global Parameters Auto RF page see Figure 10 4 ...

Page 278: ...o Wireless LAN Controller Configuration Guide OL 1926 06OL 9141 03 Chapter 10 Configuring Radio Resource ManagementWireless Device Access Viewing RF Group Status Figure 10 4 802 11a Global Parameters Auto RF Page ...

Page 279: ...low these steps to view the status of the RF group using the CLI Step 1 Enter show advanced 802 11a group to see which controller is the RF group leader for the 802 11a RF network Information similar to the following appears Radio RF Grouping 802 11a Group Mode AUTO 802 11a Group Update Interval 600 seconds 802 11a Group Leader 00 16 9d ca d9 60 802 11a Group Member 00 16 9d ca d9 60 802 11a Last ...

Page 280: ...rmation element IE that matches that of the RF group If the check is successful the frames are authenticated Otherwise the authorized access point reports the neighboring access point as a rogue records its BSSID in a rogue table and sends the table to the controller Using the GUI to Enable Rogue Access Point Detection Follow these steps to enable rogue access point detection using the GUI Step 1 ...

Page 281: ...e Step 4 Choose either local or monitor from the AP Mode drop down box and click Apply to commit your changes Step 5 Click Save Configuration to save your changes Step 6 Repeat Step 2 through Step 5 for every access point connected to the controller Step 7 Click Security AP Authentication MFP under Wireless Protection Policies to access the AP Authentication Policy page see Figure 10 7 Figure 10 7...

Page 282: ...with this feature disabled are reported as rogues Using the CLI to Enable Rogue Access Point Detection Follow these steps to enable rogue access point detection using the CLI Step 1 Make sure that each controller in the RF group has been configured with the same RF group name Note The name is used to verify the authentication IE in all beacon frames If the controllers have different names false al...

Page 283: ... controller s dynamic RRM configuration parameters at any time through either the GUI or the CLI Note You can configure these parameters on an individual controller that is not part of an RF group or on RF group members Note The RRM parameters should be set to the same values on every controller in an RF group The RF group leader can change at any time If the RRM parameters are not identical for a...

Page 284: ...bled Default Enabled Group Mode Description Enabled The controller automatically forms an RF group with other controllers The group dynamically elects a leader to optimize RRM parameter settings for the group Disabled The controller does not participate in automatic RF grouping Rather it optimizes its own access point parameters Note Cisco recommends that controllers participate in automatic RF gr...

Page 285: ...ate the channel immediately after you click Invoke Channel Update Now It waits for the next interval default is 600 seconds Off Prevents the controller from evaluating and if necessary updating the channel assignment for joined access points Note For optimal performance Cisco recommends that you use the Automatic setting Refer to the Disabling Dynamic Channel and Power Assignment Globally for a Co...

Page 286: ... 802 11 traffic in the channel when assigning channels to lightweight access points For example RRM may have access points avoid channels with significant interference from non access point sources such as microwave ovens Options Enabled or Disabled Default Enabled The following non configurable RF channel parameter settings are also shown Signal Strength Contribution This parameter is always enab...

Page 287: ...and update the transmit power immediately after you click Invoke Power Update Now It waits for the next interval default is 600 seconds Fixed Prevents the controller from evaluating and if necessary updating the transmit power for joined access points The power level is set to the fixed value chosen from the drop down box Note The transmit power level is assigned an integer value instead of a valu...

Page 288: ...rs are exceeded The controller s RRM software uses this information to evaluate the integrity of the entire network and makes adjustments accordingly Interference 0 to 100 The percentage of interference 802 11 traffic from sources outside of your wireless network on a single access point Default 10 Clients 1 to 75 The number of clients on a single access point Default 12 Noise 127 to 0 dBm The lev...

Page 289: ... RRM scanning Options All Channels Country Channels or DCA Channels Default Country Channels Channel List Description All Channels RRM channel scanning occurs on all channels supported by the selected radio which includes channels not allowed in the country of operation Country Channels RRM channel scanning occurs only on the data channels in the country of operation DCA Channels RRM channel scann...

Page 290: ...RRM automatically reconfigure all 802 11a or 802 11b g channels one time based on availability and interference enter this command config 802 11a 802 11b channel global once To specify the channel set used for dynamic channel allocation enter this command config advanced 802 11a 802 11b channel add delete channel_number You can enter only one channel number per command This command is helpful when...

Page 291: ...andard deployments but not the more typical carpeted offices Note If you choose to statically assign channels and power levels to your access points and or to disable dynamic channel and power assignment you should still use automatic RF grouping to avoid spurious rogue device events You can disable dynamic channel and power assignment globally for a controller or you can leave dynamic channel and...

Page 292: ...9 153 157 and 161 in an 802 11a network and 1 6 and 11 in an 802 11b g network Note Cisco recommends that you do not assign all access points that are within close proximity to each other to the maximum power level Using the GUI to Statically Assign Channel and Transmit Power Settings Follow these steps to statically assign channel and or power settings on a per access point radio basis using the ...

Page 293: ...teger value instead of a value in mW or dBm The integer corresponds to a power level that varies depending on the regulatory domain in which the access points are deployed The number of available power levels varies based on the access point model However power level 1 is always the maximum power level allowed per country code setting with each successive power level representing 50 of the previou...

Page 294: ...ed an integer value instead of a value in mW or dBm The integer corresponds to a power level that varies depending on the regulatory domain in which the access points are deployed The number of available power levels varies based on the access point model However power level 1 is always the maximum power level allowed per country code setting with each successive power level representing 50 of the...

Page 295: ...nd choose a default transmit power level from the drop down box Note See Step 5 on page 10 25 for information on transmit power levels Step 6 Click Apply to commit your changes Step 7 Click Save Configuration to save your changes Step 8 If you are overriding the default channel and power settings on a per radio basis assign static channel and power settings to each of the access point radios that ...

Page 296: ... the Cisco Compatible Extensions CCX RRM configuration channel Shows the channel assignment configuration and statistics logging Shows the RF event and performance logging monitor Shows the Cisco radio monitoring profile Shows the access point performance profiles receiver Shows the 802 11a or 802 11b g receiver configuration and statistics summary Shows the configuration and statistics of the 802...

Page 297: ...every SSID over each enabled radio interface at a configured interval In the process of performing 802 11 location measurements CCX clients send 802 11 broadcast probe requests on all the channels specified in the measurement request The Cisco Location Appliance uses the uplink measurements based on these requests received at the access points to quickly and accurately calculate the client locatio...

Page 298: ...igure 10 10 802 11a Global Parameters Page Step 2 Under CCX Location Measurement check the Mode check box to globally enable CCX radio management This parameter causes the access points connected to this controller to issue broadcast radio measurement requests to clients running CCX v2 or higher The default value is disabled or unchecked Step 3 If you checked the Mode check box in the previous ste...

Page 299: ...ult value is 60 seconds This command causes all access points connected to this controller in the 802 11a or 802 11b g network to issue broadcast radio measurement requests to clients running CCXv2 or higher Step 2 Enter these two commands to enable access point customization config advanced 802 11a 802 11b ccx customize Cisco_AP on off This command enables or disables CCX radio management feature...

Page 300: ...r access point in the 802 11a or 802 11b g network enter this command show advanced 802 11a 802 11b ccx ap Cisco_AP 3 To see the clients configured for location calibration enter this command show client location calibration summary 4 To see the RSSI reported for both antennas on each access point that heard the client enter this command show client detail client_mac Use these commands to obtain r...

Page 301: ...ess Device Access This chapter describes mobility groups and explains how to configure them on the controllers It contains these sections Overview of Mobility page 11 2 Overview of Mobility Groups page 11 5 Configuring Mobility Groups page 11 7 Configuring Auto Anchor Mobility page 11 11 Running Mobility Ping Tests page 11 15 ...

Page 302: ...aces an entry for that client in its client database This entry includes the client s MAC and IP addresses security context and associations quality of service QoS contexts the WLAN and the associated access point The controller uses this information to forward frames and manage traffic to and from the wireless client Figure 11 1 illustrates a wireless client roaming from one access point to anoth...

Page 303: ... IP subnet Figure 11 2 Inter Controller Roaming When the client associates to an access point joined to a new controller the new controller exchanges mobility messages with the original controller and the client database entry is moved to the new controller New security context and associations are established if necessary and the client database entry is updated for the new access point This proc...

Page 304: ...rk is forwarded directly into the network by the foreign controller Traffic to the client arrives at the anchor controller which forwards the traffic to the foreign controller in an EtherIP tunnel The foreign controller then forwards the data to the client If a wireless client roams to a new foreign controller the client database entry is moved from the original foreign controller to the new forei...

Page 305: ... be configured as a mobility group to allow seamless client roaming within a group of controllers By creating a mobility group you can enable multiple controllers in a network to dynamically share information and forward data traffic when inter controller or inter subnet roaming occurs Controllers can share the context and state of client devices and controller loading information With this inform...

Page 306: ...lers supports up to 2400 access points 24 100 2400 access points 2 A 4402 25 controller supports up to 25 access points and a 4402 50 controller supports up to 50 access points Therefore a mobility group consisting of 12 4402 25 controllers and 12 4402 50 controllers supports up to 900 access points 12 25 12 50 300 600 900 access points Mobility groups enable you to limit roaming between different...

Page 307: ...S Refer to the Cisco Wireless Control System Configuration Guide for instructions Prerequisites Before you add controllers to a mobility group you must verify that the following requirements have been met for all controllers that are to be included in the group All controllers must be configured for the same LWAPP transport mode Layer 2 or Layer 3 Note You can verify and if necessary change the LW...

Page 308: ...a period of time You must have gathered the MAC address and IP address of every controller that is to be included in the mobility group This information is necessary because you will be configuring all controllers with the MAC address and IP address of all the other mobility group members Note You can find the MAC and IP addresses of the other controllers to be included in the mobility group on th...

Page 309: ...iple controllers and want to add them in bulk click EditAll and go to Step 4 Note The EditAll option enables you to enter the MAC and IP addresses of all the current mobility group members and then copy and paste all the entries from one controller to the other controllers in the mobility group Step 3 The Mobility Group Member New page appears see Figure 11 7 Figure 11 7 Mobility Group Member New ...

Page 310: ...ontrollers are listed one per line with the local controller at the top of the list Note If desired you can edit or delete any of the controllers in the list Figure 11 8 Mobility Group Members Edit All Page Follow these steps to add more controllers to the mobility group a Click inside the edit box to start a new line b Enter the MAC address the management interface IP address and the name of the ...

Page 311: ...ed with the MAC address and IP address of all other mobility group members Configuring Auto Anchor Mobility You can use auto anchor mobility or guest WLAN mobility to improve load balancing and security for roaming clients on your wireless LANs Under normal roaming conditions client devices join a wireless LAN and are anchored to the first controller that they contact If a client roams to a differ...

Page 312: ...ler where they are decapsulated and delivered to the wired network Packets to the client are received by the anchor controller and forwarded to the foreign controller through a mobility tunnel using EtherIP The foreign controller decapsulates the packets and forwards them to the client Note A 2000 series controller cannot be designated as an anchor for a WLAN However a WLAN created on a 2000 serie...

Page 313: ...mobility using the CLI Step 1 Click Controller WLANs to access the WLANs page see Figure 11 9 Figure 11 9 WLANs Page Step 2 On the WLANs page click the Mobility Anchors link for the desired WLAN The Mobility Anchors page for that WLAN appears see Figure 11 10 Figure 11 10 Mobility Anchors Page Step 3 Select the IP address of the controller to be designated a mobility anchor in the Switch IP Addres...

Page 314: ...troller ip address Note The wlan id must exist and be disabled and the anchor controller ip address must be a member of the default mobility group Note Auto anchor mobility is enabled for the WLAN when you configure the first anchor controller 3 To delete a mobility anchor for the WLAN enter one of these commands config mobility group anchor delete wlan id anchor controller ip address config wlan ...

Page 315: ...eached over the management interface Mobility ping over EoIP This test runs over EoIP It tests the mobility data traffic over the management interface Only one mobility ping test per controller can be run at a given time Note These ping tests are not Internet Control Message Protocol ICMP based The term ping is used to indicate an echo request and an echo reply message Use these commands to run mo...

Page 316: ...11 16 Cisco Wireless LAN Controller Configuration Guide OL 9141 03 Chapter 11 Configuring Mobility GroupsWireless Device Access Running Mobility Ping Tests ...

Page 317: ...de OL 9141 03 12 Configuring Hybrid REAPWireless Device Access This chapter describes hybrid REAP and explains how to configure this feature on controllers and access points It contains these sections Overview of Hybrid REAP page 12 2 Configuring Hybrid REAP page 12 5 ...

Page 318: ...ated Wireless LAN Controller Switch the Cisco WiSM and the Controller Network Module for Integrated Services Routers Figure 12 1 illustrates a typical hybrid REAP deployment Figure 12 1 Hybrid REAP Deployment Hybrid REAP Authentication Process When a hybrid REAP access point boots up it looks for a controller If it finds one it joins the controller downloads the latest software image and configura...

Page 319: ...ched depending on the WLAN configuration With respect to client authentication open shared EAP web authentication and NAC and data packets the WLAN can be in any one of the following states depending on the configuration and state of controller connectivity central authentication central switching In this state the controller handles client authentication and all client data is tunneled back to th...

Page 320: ...ts are centrally switched See the Configuring Dynamic Interfaces section on page 3 15 for information on creating quarantined VLANs The hybrid REAP access point maintains client connectivity even after entering standalone mode However once the access point re establishes a connection with the controller it disassociates all clients applies new configuration information from the controller and real...

Page 321: ...nt is connected to trunk interface FastEthernet 1 0 2 with native VLAN 100 The access point needs IP connectivity on the native VLAN The remote site has local servers resources on VLAN 101 A DHCP pool in created in the local switch for both VLANs in the switch The first DHCP pool NATIVE will be used by the hybrid REAP access point and the second DHCP pool LOCAL SWITCH will be used by the clients w...

Page 322: ...nsists of creating centrally switched and locally switched WLANs Follow the steps in this section to use the GUI to configure the controller for these WLANs This procedure uses these three WLANs as examples Note See the Using the CLI to Configure the Controller for Hybrid REAP section on page 12 12 if you would prefer to configure the controller for hybrid REAP using the CLI Step 1 Follow these st...

Page 323: ...onfiguring Hybrid REAPWireless Device Access Configuring Hybrid REAP Figure 12 2 WLANs New Page c Enter a name for the WLAN in the WLAN SSID field d Click Apply to commit your changes The WLANs Edit page appears see Figure 12 3 Figure 12 3 WLANs Edit Page Centrally Switched WLAN ...

Page 324: ...he substeps in Step 1 to create a new WLAN In our example this WLAN is named employee local b When the WLANs Edit page appears modify the configuration parameters for this WLAN using the settings in Figure 12 4 as a reference In our employee WLAN example you would need to choose WPA1 WPA2 from the Layer 2 Security drop down box and then set the WPA1 WPA2 parameters at the bottom of the page Make s...

Page 325: ...ick Save Configuration to save your changes Step 3 Follow these steps if you also want to create a centrally switched WLAN that is used for guest access In our example this is the third WLAN guest central You might want to tunnel guest traffic to the controller so you can exercise your corporate data policies for unprotected guest traffic from a central site Note Chapter 9 provides additional info...

Page 326: ...th the Layer 2 Security and Layer 3 Security drop down boxes check the Web Policy check box and make sure Authentication is selected Note If you are using an external web server you must configure a preauthentication access control list ACL on the WLAN for the server and then choose this ACL as the WLAN preauthentication ACL under Security Policies Web Policy See Chapter 5 for more information on ...

Page 327: ...Net Users New Page h In the User Name and Password fields enter a username and password for the local user i In the Confirm Password field re enter the password j Check the Guest User check box to enable this local user account k In the Lifetime field enter the amount of time in seconds for this user account to remain active l In the WLAN ID field enter the number of the WLAN that will be accessed...

Page 328: ...ient_mac Shows whether the client is locally or centrally switched Use these commands to obtain debug information debug lwapp events enable Provides debug information on LWAPP events debug lwapp error enable Provides debug information on LWAPP errors debug pem state enable Provides debug information on the policy manager State Machine debug pem events enable Provides debug information on policy ma...

Page 329: ...tails link of the desired access point The All APs Details page appears see Figure 12 8 Figure 12 8 All APs Details Page The last parameter under Inventory Information indicates whether this access point can be configured for hybrid REAP Only the 1130AG and 1240AG access points support hybrid REAP Step 4 Choose H REAP from the AP Mode drop down box to enable hybrid REAP for this access point ...

Page 330: ...n response By default the native VLAN is 1 One native VLAN must be configured per hybrid REAP access point in a VLAN enabled domain Otherwise the access point cannot send and receive packets to and from the controller Step 7 Click Apply to commit your changes The access point temporarily loses its connection to the controller while its Ethernet port is reset Step 8 Click VLAN Mappings to access th...

Page 331: ...d per hybrid REAP access point when VLAN tagging is enabled Make sure the switchport to which the access point is connected has a corresponding native VLAN configured as well If the hybrid REAP access point s native VLAN setting and the upstream switchport native VLAN do not match the access point cannot transmit packets to and from the controller Use these commands on the hybrid REAP access point...

Page 332: ... WLAN you would create a client profile that uses WPA WPA2 PSK authentication Once the client becomes authenticated it should get an IP address from VLAN 101 on the local switch 3 To connect to the guest central WLAN you would create a client profile that uses open authentication Once the client becomes authenticated it should get an IP address from VLAN 101 on the network local to the access poin...

Page 333: ... products The following safety considerations and safety warnings appear in this appendix Safety Considerations page A 2 Warning Definition page A 2 Class 1 Laser Product Warning page A 5 Ground Conductor Warning page A 7 Chassis Warning for Rack Mounting and Servicing page A 9 Battery Handling Warning for 4400 Series Controllers page A 18 Equipment Installation Warning page A 20 More Than One Pow...

Page 334: ...ipment rack be sure that the power source is sufficiently rated to safely run all of the equipment in the rack Verify the integrity of the ground before installing controllers in an equipment rack Lightweight access points are suitable for use in environmental air space in accordance with Section 300 22 C of the National Electrical Code and Sections 2 128 12 010 3 and 12 100 of the Canadian Electr...

Page 335: ...eses Warnsymbol bedeutet Gefahr Sie befinden sich in einer Situation die zu Verletzungen führen kann Machen Sie sich vor der Arbeit mit Geräten mit den Gefahren elektrischer Schaltungen und den üblichen Verfahren zur Vorbeugung vor Unfällen vertraut Suchen Sie mit der am Ende jeder Warnung angegebenen Anweisungsnummer nach der jeweiligen Übersetzung in den übersetzten Sicherheitshinweisen die zusa...

Page 336: ... IMPORTANTES DE SEGURIDAD Este símbolo de aviso indica peligro Existe riesgo para su integridad física Antes de manipular cualquier equipo considere los riesgos de la corriente eléctrica y familiarícese con los procedimientos estándar de prevención de accidentes Al final de cada advertencia encontrará el número que le ayudará a encontrar el texto traducido en el apartado de traducciones que acompa...

Page 337: ...FP modules contain Class 1 Lasers Laser Klasse 1 according to EN 60825 1 A1 A2 Warning Class 1 laser product Statement 1008 Waarschuwing Klasse 1 laser produkt Varoitus Luokan 1 lasertuote Attention Produit laser de classe 1 Warnung Laserprodukt der Klasse 1 Avvertenza Prodotto laser di Classe 1 Advarsel Laserprodukt av klasse 1 Aviso Produto laser de classe 1 Advertencia Producto láser Clase I Va...

Page 338: ...ireless LAN Controller Configuration Guide OL 9141 03 Appendix A Safety Considerations and Translated Safety Warnings Class 1 Laser Product Warning Aviso Produto a laser de classe 1 Advarsel Klasse 1 laserprodukt ...

Page 339: ...ooit bediend worden zonder dat er een op de juiste wijze geïnstalleerde aardingsleiding aanwezig is Neem contact op met de bevoegde instantie voor elektrische inspecties of met een elektricien als u er niet zeker van bent dat er voor passende aarding gezorgd is Varoitus Laitteiden on oltava maadoitettuja Älä koskaan ohita maajohdinta tai käytä laitteita ilman oikein asennettua maajohdinta Ota yhte...

Page 340: ...i jordingslederen og bruk aldri utstyret uten riktig montert jordingsleder Ta kontakt med fagfolk innen elektrisk inspeksjon eller med en elektriker hvis du er usikker på om det finnes velegnet jordning Aviso Este equipamento deve ser aterrado Nunca anule o fio terra nem opere o equipamento sem um aterramento adequadamente instalado Em caso de dúvida com relação ao sistema de aterramento disponíve...

Page 341: ...the rack If the rack is provided with stabilizing devices install the stabilizers before mounting or servicing the unit in the rack Statement 1006 Waarschuwing Om lichamelijk letsel te voorkomen wanneer u dit toestel in een rek monteert of het daar een servicebeurt geeft moet u speciale voorzorgsmaatregelen nemen om ervoor te zorgen dat het toestel stabiel blijft De onderstaande richtlijnen worden...

Page 342: ...en sollen zur Gewährleistung Ihrer Sicherheit dienen Wenn diese Einheit die einzige im Gestell ist sollte sie unten im Gestell angebracht werden Bei Anbringung dieser Einheit in einem zum Teil gefüllten Gestell ist das Gestell von unten nach oben zu laden wobei das schwerste Bauteil unten im Gestell anzubringen ist Wird das Gestell mit Stabilisierungszubehör geliefert sind zuerst die Stabilisatore...

Page 343: ...ma quede bien estable Para garantizar su seguridad proceda según las siguientes instrucciones Colocar el equipo en la parte inferior del bastidor cuando sea la única unidad en el mismo Cuando este equipo se vaya a instalar en un bastidor parcialmente ocupado comenzar la instalación desde la parte inferior hacia la superior colocando el equipo más pesado en la parte inferior Si el bastidor dispone ...

Page 344: ...almente preenchido carregue o de baixo para cima com o componente mais pesado em sua parte inferior Se o rack contiver dispositivos estabilizadores instale os antes de montar ou dar manutenção à unidade existente Advarsel For at forhindre legemesbeskadigelse ved montering eller service af denne enhed i et rack skal du sikre at systemet står stabilt Følgende retningslinjer er også for din sikkerhed...

Page 345: ...A 13 Cisco Wireless LAN Controller Configuration Guide Ol 9141 03 Appendix A Safety Considerations and Translated Safety Warnings Chassis Warning for Rack Mounting and Servicing ...

Page 346: ...A 14 Cisco Wireless LAN Controller Configuration Guide OL 9141 03 Appendix A Safety Considerations and Translated Safety Warnings Chassis Warning for Rack Mounting and Servicing ...

Page 347: ...A 15 Cisco Wireless LAN Controller Configuration Guide Ol 9141 03 Appendix A Safety Considerations and Translated Safety Warnings Chassis Warning for Rack Mounting and Servicing ...

Page 348: ...A 16 Cisco Wireless LAN Controller Configuration Guide OL 9141 03 Appendix A Safety Considerations and Translated Safety Warnings Chassis Warning for Rack Mounting and Servicing ...

Page 349: ...A 17 Cisco Wireless LAN Controller Configuration Guide Ol 9141 03 Appendix A Safety Considerations and Translated Safety Warnings Chassis Warning for Rack Mounting and Servicing ...

Page 350: ...tement 1015 Waarschuwing Er is ontploffingsgevaar als de batterij verkeerd vervangen wordt Vervang de batterij slechts met hetzelfde of een equivalent type dat door de fabrikant aanbevolen is Gebruikte batterijen dienen overeenkomstig fabrieksvoorschriften weggeworpen te worden Varoitus Räjähdyksen vaara jos akku on vaihdettu väärään akkuun Käytä vaihtamiseen ainoastaan saman tai vastaavantyyppist...

Page 351: ...jon hvis batteriet skiftes på feil måte Skift kun med samme eller tilsvarende type som er anbefalt av produsenten Kasser brukte batterier i henhold til produsentens instruksjoner Aviso Existe perigo de explosão se a bateria for substituída incorrectamente Substitua a bateria por uma bateria igual ou de um tipo equivalente recomendado pelo fabricante Destrua as baterias usadas conforme as instruçõe...

Page 352: ...oastaan koulutettu ja laitteen tunteva henkilökunta Attention Il est vivement recommandé de confier l installation le remplacement et la maintenance de ces équipements à des personnels qualifiés et expérimentés Warnung Das Installieren Ersetzen oder Bedienen dieser Ausrüstung sollte nur geschultem qualifiziertem Personal gestattet werden Avvertenza Questo apparato può essere installato sostituito ...

Page 353: ...ificado debe instalar reemplazar o utilizar este equipo Varning Endast utbildad och kvalificerad personal bör få tillåtelse att installera byta ut eller reparera denna utrustning Aviso Somente uma equipe treinada e qualificada tem permissão para instalar substituir ou dar manutenção a este equipamento Advarsel Kun uddannede personer må installere udskifte komponenter i eller servicere dette udstyr...

Page 354: ...A 22 Cisco Wireless LAN Controller Configuration Guide OL 9141 03 Appendix A Safety Considerations and Translated Safety Warnings Equipment Installation Warning ...

Page 355: ...e tension et tout courant électrique de l unité toutes les connexions d alimentation doivent être débranchées Warnung Dieses Gerät kann mehr als eine Stromzufuhr haben Um sicherzustellen dass der Einheit kein Strom zugeführt wird müssen alle Verbindungen entfernt werden Avvertenza Questa unità può avere più di una connessione all alimentazione elettrica Tutte le connessioni devono essere staccate ...

Page 356: ...ne Power Supply Warning for 4400 Series Controllers Aviso Esta unidade pode ter mais de uma conexão de fonte de alimentação Todas as conexões devem ser removidas para interromper a alimentação da unidade Advarsel Denne enhed har muligvis mere end en strømforsyningstilslutning Alle tilslutninger skal fjernes for at aflade strømmen fra enheden ...

Page 357: ...A 25 Cisco Wireless LAN Controller Configuration Guide Ol 9141 03 Appendix A Safety Considerations and Translated Safety Warnings More Than One Power Supply Warning for 4400 Series Controllers ...

Page 358: ...A 26 Cisco Wireless LAN Controller Configuration Guide OL 9141 03 Appendix A Safety Considerations and Translated Safety Warnings More Than One Power Supply Warning for 4400 Series Controllers ...

Page 359: ...dix provides declarations of conformity and regulatory information for the products in the Cisco UWN Solution This appendix contains these sections Regulatory Information for 1000 Series Access Points page B 2 FCC Statement for Cisco 2000 Series Wireless LAN Controllers page B 8 FCC Statement for Cisco 4400 Series Wireless LAN Controllers page B 9 ...

Page 360: ...on Commission Declaration of Conformity Statement Model AIR AP1010 A K9 AIR AP1020 A K9 AIR AP1030 A K9 FCC Certification number LDK102057 Manufacturer Cisco Systems Inc 170 West Tasman Drive San Jose CA 95134 1706 USA This device complies with Part 15 rules Operation is subject to the following two conditions 1 This device may not cause harmful interference and 2 This device must accept any inter...

Page 361: ...operations to reduce any potential for harmful interference to co channel Mobile Satellite System MSS operations Department of Communications Canada Model AIR AP1010 A K9 AIR AP1020 A K9 AIR AP1030 A K9 Certification number 2461B 102057 Canadian Compliance Statement This Class B Digital apparatus meets all the requirements of the Canadian Interference Causing Equipment Regulations Cet appareil num...

Page 362: ...s requisitos esenciales asi como con otras disposiciones de la Directive 1999 5 EC Έλληνας Αυτός ο εξοπλισμός συμμορφώνεται με τις ουσιώδεις απαιτήσεις και τις λοιπές διατάξεις της Οδηγίας 1999 5 EΚ Français Cet appareil est conforme aux exigencies essentialles et aux autres dispositions pertinantes de la Directive 1999 5 EC Íslenska Þessi búnaður samrýmist lögboðnum kröfum og öðrum ákvæðum tilski...

Page 363: ... be compliant to the requirements set forth in CFR 47 Sections 2 1091 and 15 247 b 4 addressing RF Exposure from radio frequency devices as defined in Evaluating Compliance with FCC Guidelines for Human Exposure to Radio Frequency Electromagnetic Fields The equipment should be installed more than 20 cm 7 9 in from your body or nearby persons The access point must be installed to maintain a minimum...

Page 364: ... as industrial scientific and medical devices such as microwave ovens and mobile object identification RF ID systems licensed premises radio stations and unlicensed specified low power radio stations used in factory production lines 1 Before using this equipment make sure that no premises radio stations or specified low power radio stations of RF ID are used in the vicinity 2 If this equipment cau...

Page 365: ...s Points Administrative Rules for Cisco Aironet Access Points in Taiwan This section provides administrative rules for operating Cisco Aironet access points in Taiwan The rules are provided in both Chinese and English Access Points with IEEE 802 11a Radios Chinese Translation English Translation This equipment is limited for indoor use All Access Points Chinese Translation ...

Page 366: ...ical ISM equipment or by an incidental radiator Declaration of Conformity Statements All the Declaration of Conformity statements related to this product can be found at the following URL http tools cisco com cse prdapp jsp disclosure jsp FCC Statement for Cisco 2000 Series Wireless LAN Controllers This equipment has been tested and found to comply with the limits for a Class B digital device purs...

Page 367: ...A digital device pursuant to Part 15 of the FCC Rules These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment This equipment generates uses and can radiate radio frequency energy and if not installed and used in accordance with the instruction manual may cause harmful interference to radio communications Ope...

Page 368: ...B 10 Cisco Wireless LAN Controller Configuration Guide Ol 9141 03 Appendix B Declarations of Conformity and Regulatory Information FCC Statement for Cisco 4400 Series Wireless LAN Controllers ...

Page 369: ... products Cisco 1000 Series Lightweight Access Points Cisco 2000 Series Wireless LAN Controllers Cisco 4400 Series Wireless LAN Controllers Cisco Wireless Services Modules This appendix contains these sections End User License Agreement page C 2 Limited Warranty page C 4 General Terms Applicable to the Limited Warranty Statement and End User License Agreement page C 6 Additional Open Source Terms ...

Page 370: ...isco grants to Customer a nonexclusive and nontransferable license to use for Customer s internal business purposes the Software and the Documentation for which Customer has paid the required license fees Documentation means written information whether contained in user or technical manuals training materials specifications or otherwise specifically pertaining to the Software and made available by...

Page 371: ...y upgrades updates bug fixes or modified versions thereto collectively Upgrades or backup copies of the Software licensed or provided to Customer by Cisco or an authorized Cisco reseller NOTWITHSTANDING ANY OTHER PROVISION OF THIS AGREEMENT 1 CUSTOMER HAS NO LICENSE OR RIGHT TO USE ANY ADDITIONAL COPIES OR UPGRADES UNLESS CUSTOMER AT THE TIME OF ACQUIRING SUCH COPY OR UPGRADE ALREADY HOLDS A VALID...

Page 372: ...shall constitute a material breach of the Agreement U S Government End User Purchasers The Software and Documentation qualify as commercial items as that term is defined at Federal Acquisition Regulation FAR 48 C F R 2 101 consisting of commercial computer software and commercial computer software documentation as such terms are used in FAR 12 212 Consistent with FAR 12 212 and DoD FAR Supp 227 72...

Page 373: ...zation RMA procedures Software Cisco warrants that commencing from the date of shipment to Customer but in case of resale by an authorized Cisco reseller commencing not more than ninety 90 days after original shipment by Cisco and continuing for a period of the longer of a ninety 90 days or b the software warranty period if any set forth in the warranty card accompanying the Product if any a the m...

Page 374: ...T CONSEQUENTIAL INCIDENTAL OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF THE THEORY OF LIABILITY OR WHETHER ARISING OUT OF THE USE OF OR INABILITY TO USE SOFTWARE OR OTHERWISE AND EVEN IF CISCO OR ITS SUPPLIERS OR LICENSORS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES In no event shall Cisco s or its suppliers or licensors liability to Customer whether in contract tort including neg...

Page 375: ... Source Code Statement 1995 2004 SAFENET Inc This software is protected by international copyright laws All rights reserved SafeNet is a registered trademark of SAFENET Inc in the United States and in certain other jurisdictions SAFENET and the SAFENET logo are trademarks of SAFENET Inc and may be registered in certain jurisdictions All other names and marks are property of their respective owners...

Page 376: ...C 8 Cisco Wireless LAN Controller Configuration Guide OL 9141 03 Appendix C End User License and Warranty Additional Open Source Terms ...

Page 377: ...X D System Messages and LED Patterns This appendix lists system messages that can appear on the Cisco UWN Solution interfaces and describes the LED patterns on controllers and lightweight access points It contains these sections System Messages page D 2 Interpreting LEDs page D 5 ...

Page 378: ...NPU database it ages out on the network processor and notifies the CPU The CPU finds the client that is not present in its database and then sends this message STATION_DISASSOCIATE Client may have intentionally terminated usage or may have experienced a service disruption STATION_DEAUTHENTICATE Client may have intentionally terminated usage or it could indicate an authentication issue STATION_AUTH...

Page 379: ...TS_THRESHOLD_CHANGED Informational message LRADIF_ED_THRESHOLD_CHANGED Informational message LRADIF_FRAGMENTATION_THRESHOLD_ CHANGED Informational message RRM_DOT11_A_GROUPING_DONE Informational message RRM_DOT11_B_GROUPING_DONE Informational message ROGUE_AP_DETECTED May be a security issue Use maps and trends to investigate ROGUE_AP_REMOVED Detected rogue access point has timed out The unit migh...

Page 380: ...MPERATURE_SENSOR_FAILURE Replace temperature sensor ASAP TEMPERATURE_SENSOR_CLEAR Temperature sensor is operational POE_CONTROLLER_FAILURE Check ports possible serious failure detected MAX_ROGUE_COUNT_EXCEEDED The current number of active rogue access points has exceeded system threshold SWITCH_UP Controller is responding to SNMP polls SWITCH_DOWN Controller is not responding to SNMP polls check c...

Page 381: ... for your specific controller for a description of the LED patterns You can find the guides at this URL http www cisco com en US products hw wireless index html Interpreting Lightweight Access Point LEDs Refer to the hardware installation guide for your specific access point for a description of the LED patterns You can find the guides at this URL http www cisco com en US products hw wireless inde...

Page 382: ...D 6 Cisco Wireless LAN Controller Configuration Guide OL 9141 03 Appendix D System Messages and LED Patterns Interpreting LEDs ...

Page 383: ...nnectivity Diagrams This appendix provides logical connectivity diagrams and related software commands for integrated controllers It contains these sections Cisco WiSM page E 3 Cisco 28 37 38xx Integrated Services Router page E 5 Catalyst 3750G Integrated Wireless LAN Controller Switch page E 6 ...

Page 384: ...ntrollers integrated into other Cisco products specifically the Catalyst 3750G Integrated Wireless LAN Controller Switch the Cisco WiSM and the Cisco 28 37 38xx Series Integrated Services Router These diagrams show the internal connections between the switch or router and the controller The software commands used for communication between the devices are also provided ...

Page 385: ...ernet Supervisor 720 4404 Controller A 4404 Controller B Hidden Port 1 Port 2 Port 3 Port 4 Hidden Port 5 Port 6 Port 7 Port 8 Hidden Port 9 Hidden Port 10 Console RS 232 Serial at 9600 baud Console RS 232 Serial at 9600 baud Memory Boot Flash Memory Boot Flash Flash File System Flash File System on CF Card Disk 0 Disk 1 Flash File System on CF Card Do not remove Flash File System on CF Card Do no...

Page 386: ...Supervisor 720 and the 4404 controllers will be added to this section in a future release of the document Note Refer to the Catalyst 6500 Series Switch Wireless Services Module Installation and Configuration Note for more information You can find this document at this URL http www cisco com en US products hw switches ps708 products_installation_and_configuration_gu ides_list html ...

Page 387: ... support for subinterfaces with dot1q encap show interfaces wlan controller slot unit show controllers wlan controller slot unit test service module wlan controller slot unit test HW module wlan controller slot unit reset enable disable Note Refer to the Cisco Wireless LAN Controller Module Feature Guide for more information You can find this document at this URL http www cisco com univercd cc td ...

Page 388: ...r in the stack this session should be directed Once a session is established the user interacts with the controller CLI Entering exit terminates the session and returns the user to the switch CLI Show Commands These commands are used to view the status of the internal controller They are initiated from the switch show platform wireless controller switch_number summary Information similar to the fo...

Page 389: ...the controller does not acknowledge 16 consecutive keep alive messages the switch declares the controller dead and sends a reset signal to reboot the controller These commands are used to monitor the health of the internal controller This command is initiated from the controller debug wcp where is one of the following packet Debugs WCP packets events Debugs WCP events Information similar to the fo...

Page 390: ... order are used to reset the controller from the switch They are not yet available but will be supported in a future release test wireless controller stop switch_number test wireless controller start switch_number Note A direct console connection to the controller does not operate when hardware flow control is enabled on the PC However the switch console port operates with hardware flow control en...

Page 391: ...nd disabling 4 7 802 1Q VLAN trunk port 3 4 802 1X configuring 6 10 described 6 9 802 1X CCKM configuring 6 10 described 6 9 802 1X authentication configuring 6 8 802 1X dynamic key settings 6 7 802 3 bridging configuring 6 17 802 3 frames described 6 17 802 3x flow control enabling 4 13 A Access Control List Name parameter 5 9 access control lists ACLs and identity networking 5 22 applying to an ...

Page 392: ...6 22 to 6 23 Alarm Trigger Threshold parameter 10 14 All APs Details page 7 17 7 27 7 34 10 13 12 13 All APs page 10 9 10 12 12 13 Allow AAA Override parameter 12 8 anchor controller in inter subnet roaming 11 4 antenna connectors external 7 6 to 7 7 antennas for access points 7 6 to 7 7 antenna sectorization 7 7 AP Clients Traffic Stream Metrics page 4 30 AP Clients page 4 29 AP1010 described 7 6...

Page 393: ...d Wireless LAN Controller Switch described 1 11 logical connectivity diagram and associated software commands E 6 to E 8 ports 3 3 3 4 caution defined 1 19 CCKM configuring 6 10 described 6 9 CCX configuring Aironet IEs using the CLI 6 24 using the GUI 6 22 to 6 23 described 6 22 viewing a client s version using the CLI 6 25 using the GUI 6 24 CCX Layer 2 client roaming configuring using the CLI 4...

Page 394: ... Cisco Wireless Control System WCS described 1 2 Cisco WiSM configuring the Supervisor 720 4 34 to 4 35 described 1 10 guidelines 4 34 logical connectivity diagram and associated software commands E 3 to ports 3 3 3 4 CKIP configuring using the CLI 6 14 6 15 using the GUI 6 12 to 6 14 described 6 12 clearing the controller configuration 8 5 CLI basic commands 2 8 enabling wireless connections 2 9 ...

Page 395: ...ntroller 7 22 Custom Signatures page 5 32 D Data Rate threshold parameter 10 20 date configuring 4 5 daylight saving time configuring 4 5 DCA channels 10 21 debug commands sending from controller to LWAPP enabled access points 7 22 Default Mobility Group parameter 11 9 Description parameter 7 13 Designated Root parameter 3 27 Destination parameter 5 10 Destination Port parameter 5 11 DHCP configur...

Page 396: ...sing the controller configuration 8 5 Ethernet Bridging parameter 7 17 Ethernet connection 2 7 European declaration of conformity B 4 to B 5 Extensible Authentication Protocol EAP configuring 6 7 F factory default settings resetting using the CLI 4 3 resetting using the GUI 4 3 failover protection 1 16 to 1 17 FCC declaration of conformity B 2 to B 3 FCC statement 2000 series controllers B 8 4400 ...

Page 397: ...5 37 IDS signatures configuring using the CLI 5 37 using the GUI 5 31 to 5 37 described 5 30 enabling disabling using the GUI 5 32 to 5 35 frequency 5 34 MAC frequency 5 34 measurement interval 5 34 pattern 5 34 quiet time 5 34 tracking method 5 34 uploading or downloading using the GUI 5 31 to 5 32 Index parameter 5 27 Injector Switch MAC Address parameter 7 35 inline power described 7 33 intelli...

Page 398: ... controllers D 5 license agreement C 2 to C 4 Lifetime parameter 9 5 Lightweight Access Point Protocol LWAPP described 7 2 lightweight mode reverting to autonomous mode 7 20 limited warranty C 4 to C 7 link aggregation LAG configuring neighboring devices 3 35 described 3 29 to 3 30 enabling using the CLI 3 35 using the GUI 3 34 guidelines 3 33 illustrated 3 30 3 32 Link Status parameter 3 20 Link ...

Page 399: ...ing to controller filter list using the CLI 7 13 using the GUI 7 12 to 7 13 7 18 displayed on controller GUI 7 23 MAC Address parameter 7 13 MAC filtering configuring on WLANs 6 6 MAC Filtering page 7 12 MAC filter list described 7 10 MAC Filters New page 7 13 management frame protection MFP configuring using the CLI 5 17 using the GUI 5 14 to 5 15 described 5 13 to 5 14 viewing settings using the...

Page 400: ...e GUI 11 8 to 11 11 determining when to include controllers 11 7 difference from RF groups 10 5 examples 11 6 illustrated 11 5 overview 11 5 to 11 7 prerequisites 11 7 to 11 8 mobility ping tests running 11 15 mode button See reset button Mode parameter 4 20 10 30 monitor mode described 7 9 Multicast Appliance Mode parameter 3 22 multicast mode configuring 4 17 described 4 16 guidelines 4 16 N Nat...

Page 401: ... 5 13 for external web server 5 8 9 13 12 10 Pre Standard State parameter 7 34 priming access points 7 2 Priority parameter 3 28 Privacy Protocol parameter 4 12 product documentation DVD 1 22 product security overview 1 23 to 1 24 reporting problems 1 23 profile thresholds 10 20 to 10 21 Protection Type parameter 5 14 10 14 Protocol parameter 5 10 PSK configuring 6 11 described 6 9 PSK Format para...

Page 402: ... of conformity B 5 RF group leader described 10 5 to 10 6 viewing 10 11 RF group name described 10 6 entering 10 7 RF groups configuring using the CLI 10 8 using the configuration wizard 4 4 using the GUI 10 7 difference from mobility groups 10 5 overview 10 5 to 10 6 viewing status using the CLI 10 11 using the GUI 10 8 to 10 11 RF Network Name parameter 10 7 roam reason report described 4 19 rog...

Page 403: ...lt values using the CLI 4 13 changing default values using the GUI 4 11 to 4 12 SNMP V3 Users New page 4 12 SNMP V3 Users page 4 12 Source parameter 5 10 Source Port parameter 5 11 Spanning Tree Algorithm parameter 3 28 Spanning Tree Protocol STP configuring using the CLI 3 28 to 3 29 using the GUI 3 24 to 3 28 described 3 23 spanning tree root 3 23 Spanning Tree Specification parameter 3 27 Spect...

Page 404: ...tatically assigning using the CLI 10 26 statically assigning using the GUI 10 24 to 10 25 transmit power levels described 10 25 tunnel attributes and identity networking 5 24 Tx Power Level Assignment parameter 10 27 U U APSD described 4 23 viewing status using the CLI 4 32 using the GUI 4 27 unicast mode described 4 16 unique device identifier UDI described 7 25 retrieving using the CLI 7 27 usin...

Page 405: ...9 9 to 9 17 choosing the default using the CLI 9 10 to 9 11 using the GUI 9 9 to 9 10 customized example 9 17 customizing from an external web server using the CLI 9 14 using the GUI 9 13 to 9 14 default 9 8 downloading a customized login window using the CLI 9 16 using the GUI 9 15 to 9 16 guidelines for downloading customized login window 9 14 to 9 15 modified default example 9 12 previewing 9 1...

Page 406: ...uration Guide OL 9141 02 WLAN SSID parameter 9 5 WMM configuring 6 18 described 6 18 with CAC 4 22 world mode 4 16 WPA1 WPA2 configuring using the CLI 6 11 using the GUI 6 9 to 6 11 described 6 8 WPA1 Policy parameter 6 10 WPA2 Policy parameter 6 10 ...

Search results

Summary of Contents for 2000 Series

Reviews:

Related manuals for 2000 Series

Brands by name

Popular brands

Cisco 2000 Series, Configuration Manual

Search results

Summary of Contents for 2000 Series

Reviews:

Related manuals for 2000 Series

Brands by name

Popular brands