Cisco Systems 102087P Users Guide
C H A P T E R 27
Configuring the Management Interface
• Information About the Management Interface, page 295
• Configuring the Management Interface (GUI), page 296
• Configuring the Management Interface (CLI), page 297
Information About the Management Interface
The management interface is the default interface for in-band management of the controller and connectivity to enterprise services such as AAA servers. It is also used for communications between the controller and access points. The management interface has the only consistently “pingable” in-band interface IP address on the controller. You can access the GUI of the controller by entering the management interface IP address of the controller in the address field of either Internet Explorer or Mozilla Firefox browser.
For CAPWAP, the controller requires one management interface to control all inter-controller communications and one AP-manager interface to control all controller-to-access point communications, regardless of the number of ports.
Note To prevent or block a wired or wireless client from accessing the management network on a controller (from the wireless client dynamic interface or VLAN), the network administrator must ensure that only authorized clients gain access to the management network through proper CPU ACLs, or use a firewall between the client dynamic interface and the management network.
Caution Do not map a guest WLAN to the management interface. If the EoIP tunnel breaks, the client could obtain an IP and be placed on the management subnet.
Caution Do not configure wired clients in the same VLAN or subnet of the service port of the controller on the network. If you configure wired clients on the same subnet or VLAN as the service port, it is not possible to access the management interface of the controller.
Cisco Wireless LAN Controller Configuration Guide, Release 7.4
OL-28744-01 |
295 |
Configuring the Management Interface (GUI)
Configuring the Management Interface (GUI)
Step 1 Choose Controller > Interfaces to open the Interfaces page.
Step 2 Click the management link.
The Interfaces > Edit page appears.
Step 3 Set the management interface parameters:
Note Themanagementinterfaceusesthecontroller’sfactory-setdistributionsystemMACaddress.
•Quarantine and quarantine VLAN ID, if applicable
Note Select the Quarantine check box if you want to configure this VLAN as unhealthy or you want to configure network access control (NAC) out-of-band integration. Doing so causes the data traffic of any client that is assigned to this VLAN to pass through the controller.
•NAT address (only Cisco 2500 Series Controllers and Cisco 5500 Series Controllers are configured for dynamic AP management.)
Note Select the Enable NAT Address check box and enter the external NAT IP address if you want to be able to deploy your Cisco 2500 Series Controllers or Cisco 5500 Series Controller behind a router or other gateway device that is using one-to-one mapping network address translation (NAT). NAT allows a device, such as a router, to act as an agent between the Internet (public) and a local network (private). In this case, it maps the controller’s intranet IP addresses to a corresponding external address. The controller’s dynamic AP-manager interface must be configured with the external NAT IP address so that the controller can send the correct IP address in the Discovery Response.
Note If a Cisco 2500 Series Controllers or Cisco 5500 Series Controller is configured with an external NAT IP address under the management interface, the APs in local mode cannot associate with the controller. The workaround is to either ensure that the management interface has a globally valid IP address or ensure that external NAT IP address is valid internally for the local APs.
Note The NAT parameters are supported for use only with one-to-one-mapping NAT, where each private client has a direct and fixed mapping to a global address. The NAT parameters do not support one-to-many NAT, which uses source port mapping to enable a group of clients to be represented by a single IP address.
•VLAN identifier
Note Enter 0 for an untagged VLAN or a nonzero value for a tagged VLAN. We recommend using tagged VLANs for the management interface.
•Fixed IP address, IP netmask, and default gateway
•Dynamic AP management (for Cisco 2500 Series Controllers or Cisco 5500 Series Controller only)
Note For Cisco 5500 Series Controllers,the managementinterfaceacts like an AP-managerinterfaceby default. If desired, you can disable the management interface as an AP-manager interface and create another dynamic interface as an AP manager.
•Physicalport assignment(for allcontrollersexcepttheCisco2500 SeriesControllersor Cisco5500 SeriesController)
•Primary and secondary DHCP servers
•Access control list (ACL) setting, if required
Cisco Wireless LAN Controller Configuration Guide, Release 7.4
296 |
OL-28744-01 |
Configuring the Management Interface (CLI)
Step 4 Click Save Configuration.
Step 5 If you made any changes to the management or virtual interface, reboot the controller so that your changes take effect.
Configuring the Management Interface (CLI)
Step 1 Enter the show interface detailed management command to view the current management interface settings. Note Themanagementinterfaceusesthecontroller’sfactory-setdistributionsystemMACaddress.
Step 2 Enter the config wlan disable wlan-number command to disable each WLAN that uses the management interface for distribution system communication.
Step 3 Enter these commands to define the management interface:
•config interface address management ip-addr ip-netmask gateway
•config interface quarantine vlan management vlan_id
Note Use the config interface quarantine vlan management vlan_id command to configure a quarantine VLAN on the management interface.
•config interface vlan management {vlan-id | 0}
Note Enter 0 for an untagged VLAN or a nonzero value for a tagged VLAN. We recommend using tagged VLANs for the management interface.
•config interface ap-manager management {enable | disable} (for Cisco 5500 Series Controllers only)
Note Use the config interface ap-manager management {enable | disable} command to enable or disable dynamicAPmanagementforthemanagementinterface.ForCisco5500SeriesControllers,themanagement interface acts like an AP-manager interface by default. If desired, you can disable the management interface as an AP-manager interface and create another dynamic interface as an AP manager.
•config interface port management physical-ds-port-number (for all controllers except the 5500 series)
•config interface dhcp management ip-address-of-primary-dhcp-server [ip-address-of-secondary-dhcp-server]
•config interface acl management access-control-list-name
Step 4 Enter these commands if you want to be able to deploy your Cisco 5500 Series Controller behind a router or other gateway device that is using one-to-one mapping network address translation (NAT):
•config interface nat-address management {enable | disable}
•config interface nat-address management set public_IP_address
NAT allows a device, such as a router, to act as an agent between the Internet (public) and a local network (private). In this case, it maps the controller’s intranet IP addresses to a corresponding external address. The controller’s dynamic AP-manager interface must be configured with the external NAT IP address so that the controller can send the correct IP address in the Discovery Response.
Cisco Wireless LAN Controller Configuration Guide, Release 7.4
OL-28744-01 |
297 |
Configuring the Management Interface (CLI)
Note These commands are supported for use only with one-to-one-mapping NAT, where each private client has a direct and fixed mapping to a global address. These commands do not support one-to-many NAT, which uses source port mapping to enable a group of clients to be represented by a single IP address.
Step 5 Enter the save config command.
Step 6 Enter the show interface detailed management command to verify that your changes have been saved.
Step 7 If you made any changes to the management interface, enter the reset system command to reboot the controller in order for the changes to take effect.
Cisco Wireless LAN Controller Configuration Guide, Release 7.4
298 |
OL-28744-01 |
C H A P T E R 28
Configuring the AP-Manager Interface
• Information the About AP-Manager Interface, page 299
• Restrictions for Configuring AP Manager Interfaces, page 299
• Configuring the AP-Manager Interface (GUI), page 300
• Configuring the AP Manager Interface (CLI), page 300
• Configuration Example: Configuring AP-Manager on a Cisco 5500 Series Controller, page 301
Information the About AP-Manager Interface
A controller has one or more AP-manager interfaces, which are used for all Layer 3 communications between the controller and lightweightaccess points after the access points have joined the controller. The AP-manager IP address is used as the tunnel source for CAPWAP packets from the controller to the access point and as the destination for CAPWAP packets from the access point to the controller.
Note The controller does not support transmitting the jumbo frames. To avoid having the controller transmit CAPWAP packets to the AP that will necessitate fragmentation and reassembly, reduce MTU/MSS on the client side.
The AP-manager interface communicates through any distribution system port by listening across the Layer 3 network for access point CAPWAP or LWAPP join messages to associate and communicate with as many lightweight access points as possible.
Restrictions for Configuring AP Manager Interfaces
•The MAC address of the management interface and the AP-manager interface is the same as the base LAG MAC address.
•If only one distribution system port can be used, you should use distribution system port 1.
•
Cisco Wireless LAN Controller Configuration Guide, Release 7.4
OL-28744-01 |
299 |
Configuring the AP-Manager Interface (GUI)
•An AP-manager interface is not required to be configured. The management interface acts like an AP-manager interface by default, and the access points can join on this interface.
•If link aggregation (LAG) is enabled, there can be only one AP-manager interface. But when LAG is disabled, one or more AP-manager interfaces can be created, generally one per physical port.
•Port redundancy for the AP-manager interface is not supported. You cannot map the AP-manager interface to a backup port.
Configuring the AP-Manager Interface (GUI)
Step 1 Choose Controller > Interfaces to open the Interfaces page.
Step 2 Click AP-Manager Interface.
The Interface > Edit page appears.
Step 3 Set the AP-Manager Interface parameters:
Note For Cisco 5500 Series Controllers, you are not required to configure an AP-manager interface. The management interface acts like an AP-manager interface by default.
•Physical port assignment
•VLAN identifier
Note Enter 0 for an untagged VLAN or a nonzero value for a tagged VLAN. We recommend using tagged VLANs for the AP-manager interface.
•Fixed IP address, IP netmask, and default gateway
•Primary and secondary DHCP servers
•Access control list (ACL) name, if required
Step 4 Click Save Configuration to save your changes.
Step 5 If you made any changes to the management or virtual interface, reboot the controller so that your changes take effect.
Configuring the AP Manager Interface (CLI)
Before You Begin
For Cisco5500 SeriesControllers,you arenot requiredto configurean AP-managerinterface.Themanagement interface acts like an AP-manager interface by default.
Step 1 Enter the show interface summary command to view the current interfaces.
Note If the system is operating in Layer 2 mode, the AP-manager interface is not listed.
Cisco Wireless LAN Controller Configuration Guide, Release 7.4
300 |
OL-28744-01 |
Configuration Example: Configuring AP-Manager on a Cisco 5500 Series Controller
Step 2 Enter the show interface detailed ap-manager command to view the current AP-manager interface settings.
Step 3 Enter the config wlan disable wlan-number command to disable each WLAN that uses the AP-manager interface for distribution system communication.
Step 4 Enter these commands to define the AP-manager interface:
•config interface address ap-manager ip-addr ip-netmask gateway
•config interface vlan ap-manager {vlan-id | 0}
Note Enter 0 for an untagged VLAN or a nonzero value for a tagged VLAN. We recommend using tagged VLANs for the AP-manager interface.
•config interface port ap-manager physical-ds-port-number
•config interface dhcp ap-manager ip-address-of-primary-dhcp-server [ip-address-of-secondary-dhcp-server]
•config interface acl ap-manager access-control-list-name
Step 5 Enter the save config command to save your changes.
Step 6 Enter the show interface detailed ap-manager command to verify that your changes have been saved.
Configuration Example: Configuring AP-Manager on a Cisco 5500 Series Controller
For a Cisco 5500 Series Controller, we recommend that you have eight dynamic AP-manager interfaces and associate them to the eight Gigabit ports of the controller when LAG is not used. If you are using the management interface, which acts like an AP-manager interface by default, you must create only seven more dynamic AP-manager interfaces and associate them to the remaining seven Gigabit ports.
Cisco Wireless LAN Controller Configuration Guide, Release 7.4
OL-28744-01 |
301 |
Configuration Example: Configuring AP-Manager on a Cisco 5500 Series Controller
This figure shows a dynamic interface that is enabled as a dynamic AP-manager interface and associated to port number 2.
Figure 35: Dynamic Interface Example with Dynamic AP Management
|
Cisco Wireless LAN Controller Configuration Guide, Release 7.4 |
302 |
OL-28744-01 |
Configuration Example: Configuring AP-Manager on a Cisco 5500 Series Controller
This figure shows a Cisco 5500 Series Controller with LAG disabled, the management interface used as one dynamic AP-manager interface, and seven additional dynamic AP-manager interfaces, each mapped to a different Gigabit port.
Figure 36: Cisco 5500 Series Controller Interface Configuration Example
Cisco Wireless LAN Controller Configuration Guide, Release 7.4
OL-28744-01 |
303 |
Configuration Example: Configuring AP-Manager on a Cisco 5500 Series Controller
|
Cisco Wireless LAN Controller Configuration Guide, Release 7.4 |
304 |
OL-28744-01 |
C H A P T E R 29
Configuring Virtual Interfaces
• Information About the Virtual Interface, page 305
• Configuring Virtual Interfaces (GUI), page 306
• Configuring Virtual Interfaces (CLI), page 306
Information About the Virtual Interface
The virtual interface is used to support mobility management, Dynamic Host Configuration Protocol (DHCP) relay, and embedded Layer 3 security such as guest web authenticationand VPN termination.It also maintains the DNS gateway host name used by Layer 3 security and mobility managers to verify the source of certificates when Layer 3 web authorization is enabled.
Specifically, the virtual interface plays these two primary roles:
•Acts as the DHCP server placeholder for wireless clients that obtain their IP address from a DHCP server.
•Serves as the redirect address for the web authentication login page.
The virtual interface IP address is used only in communications between the controller and wireless clients. It never appears as the source or destination address of a packet that goes out a distribution system port and onto the switched network. For the system to operate correctly, the virtual interface IP address must be set (it cannot be 0.0.0.0), and no other device on the network can have the same address as the virtual interface.
Therefore, the virtual interface must be configured with an unassigned and unused gateway IP address. The virtual interface IP address is not pingable and should not exist in any routing table in your network. In addition, the virtual interface cannot be mapped to a physical port.
Note All controllers within a mobility group must be configured with the same virtual interface IP address. Otherwise, inter-controller roaming may appear to work, but the handoff does not complete, and the client loses connectivity for a period of time.
Cisco Wireless LAN Controller Configuration Guide, Release 7.4
OL-28744-01 |
305 |
Configuring Virtual Interfaces (GUI)
Configuring Virtual Interfaces (GUI)
Step 1 Choose Controller > Interfaces to open the Interfaces page.
Step 2 Click Virtual.
The Interfaces > Edit page appears.
Step 3 Enter the following parameters:
•Any fictitious, unassigned, and unused gateway IP address
•DNS gateway hostname
Note To ensure connectivity and web authentication, the DNS server should always point to the virtual interface. If a DNS hostname is configured for the virtual interface, then the same DNS host name must be configured on the DNS server(s) used by the client.
Step 4 Click Save Configuration.
Step 5 If you made any changes to the management or virtual interface, reboot the controller so that your changes take effect.
Configuring Virtual Interfaces (CLI)
Step 1 Enter the show interface detailed virtual command to view the current virtual interface settings.
Step 2 Entertheconfig wlan disable wlan-number commandtodisableeachWLANthatusesthevirtualinterfacefordistribution system communication.
Step 3 Enter these commands to define the virtual interface:
•config interface address virtual ip-address
Note Forip-address,enteranyfictitious,unassigned,andunusedgatewayIPaddress.
•config interface hostname virtual dns-host-name
Step 4 Enter the reset system command. At the confirmation prompt, enter Y to save your configuration changes to NVRAM. The controller reboots.
Step 5 Enter the show interface detailed virtual command to verify that your changes have been saved.
Cisco Wireless LAN Controller Configuration Guide, Release 7.4
306 |
OL-28744-01 |
C H A P T E R 30
Configuring Service-Port Interfaces
• Information About Service-Port Interfaces, page 307
• Restrictions for Configuring Service-Port Interfaces, page 307
• Configuring Service-Port Interfaces (GUI), page 307
• Configuring Service-Port Interfaces (CLI), page 308
Information About Service-Port Interfaces
The service-port interface controls communications through and is statically mapped by the system to the service port. The service port can obtain an IP address using DHCP, or it can be assigned a static IP address, but a default gateway cannot be assigned to the service-port interface. Static routes can be defined through the controller for remote network access to the service port.
Restrictions for Configuring Service-Port Interfaces
•Only Cisco 7500 Series Controllers and Cisco 5500 Series Controllers have a physical service-port interface that is reachable from the external network.
Configuring Service-Port Interfaces (GUI)
Step 1 Choose Controller > Interfaces to open the Interfaces page.
Step 2 Click the service-port link to open the Interfaces > Edit page.
Step 3 Enter the Service-Port Interface parameters:
Note Theservice-portinterfaceusesthecontroller’sfactory-setservice-portMACaddress.
•DHCP protocol (enabled)
•DHCP protocol (disabled) and IP address and IP netmask
Cisco Wireless LAN Controller Configuration Guide, Release 7.4
OL-28744-01 |
307 |
Configuring Service-Port Interfaces (CLI)
Step 4 Click Save Configuration to save your changes.
Step 5 If you made any changes to the management or virtual interface, reboot the controller so that your changes take effect.
Configuring Service-Port Interfaces (CLI)
Step 1 To view the current service-port interface settings, enter this command: show interface detailed service-port
Note The service-portinterfaceuses the controller’s factory-setservice-portMAC address.
Step 2 Enter these commands to define the service-port interface:
•To configure the DHCP server, enter this command: config interface dhcp service-port enable
•To disable the DHCP server, enter this command: config interface dhcp service-port disable
•To configure the IP address, enter this command:
config interface address service-port ip-addr ip-netmask
Step 3 The service port is used for out-of-band management of the controller. If the management workstation is in a remote subnet, you may need to add a route on the controller in order to manage the controller from that remote workstation. To do so, enter this command:
config route add network-ip-addr ip-netmask gateway
Step 4 Enter the save config command to save your changes.
Step 5 Enter the show interface detailed service-port command to verify that your changes have been saved.
Cisco Wireless LAN Controller Configuration Guide, Release 7.4
308 |
OL-28744-01 |
C H A P T E R 31
Configuring Dynamic Interfaces
• Information About Dynamic Interface, page 309
• Pre - requisites for Configuring Dynamic Interfaces, page 310
• Restrictions for Configuring Dynamic Interfaces, page 310
• Configuring Dynamic Interfaces (GUI), page 310
• Configuring Dynamic Interfaces (CLI), page 312
Information About Dynamic Interface
Dynamic interfaces, also known as VLAN interfaces, are created by users and designed to be analogous to VLANs for wireless LAN clients. A controller can support up to 512 dynamic interfaces (VLANs). Each dynamic interface is individually configured and allows separate communication streams to exist on any or allofacontroller’sdistributionsystemports.EachdynamicinterfacecontrolsVLANsandothercommunications between controllers and all other network devices, and each acts as a DHCP relay for wireless clients associated to WLANs mapped to the interface. You can assign dynamic interfaces to distribution system ports, WLANs, the Layer 2 management interface, and the Layer 3 AP-manager interface, and you can map the dynamic interface to a backup port.
You can configure zero, one, or multiple dynamic interfaces on a distribution system port. However, all dynamic interfaces must be on a different VLAN or IP subnet from all other interfaces configured on the port. If the port is untagged, all dynamic interfaces must be on a different IP subnet from any other interface configured on the port.
This table lists the maximum number of VLANs supported on the various controller platforms.
Table 7: Maximum number of VLANs supported on Cisco Wireless Controllers
Wireless Controllers |
Maximum VLANs |
Cisco Virtual Wireless Controller |
512 |
Cisco Wireless Controller Module for ISR G2 |
16 |
Cisco 2500 Series Wireless Controllers |
16 |
Cisco Wireless LAN Controller Configuration Guide, Release 7.4
OL-28744-01 |
309 |
Pre - requisites for Configuring Dynamic Interfaces
Wireless Controllers |
Maximum VLANs |
Cisco 5500 Series Wireless Controller |
512 |
Cisco Catalyst 6500 Series Wireless Services |
512 |
Module2 (WiSM2) |
|
Cisco Flex 7500 Series Cloud Controller |
4,096 |
Cisco 8500 Series Controller |
4,096 |
Pre - requisites for Configuring Dynamic Interfaces
While configuring on the dynamic interface of the controller, you must ensure the following:
•
• You must use tagged VLANs for dynamic interfaces.
Restrictions for Configuring Dynamic Interfaces
The following restrictions apply for configuring the dynamic interfaces on the controller:
•You must not configure a dynamic interface in the same subnetwork as a server that is reachable by the controller CPU, such as a RADIUS server, as it might cause asymmetric routing issues.
•Wired clients cannot access management interface of the Cisco WLC 2500 series using the IP address of the AP Manager interface – when Dynamic AP Management is enabled on a dynamic VLAN.
•
•For SNMP requests that come from a subnet that is configured as a dynamic interface, the controller responds but the response does not reach the device that initiated the conversation.
•If you are using DHCP proxy and/or a RADIUS source interface, ensure that the dynamic interface has a valid routable address. Duplicateor overlapping addresses across controllerinterfacesare not supported.
Configuring Dynamic Interfaces (GUI)
Step 1 Choose Controller > Interfaces to open the Interfaces page.
Step 2 Perform one of the following:
•To create a new dynamic interface, click New. The Interfaces > New page appears. Go to Step 3.
•To modify the settings of an existing dynamic interface, click the name of the interface. The Interfaces > Edit page for that interface appears. Go to Step 5.
Cisco Wireless LAN Controller Configuration Guide, Release 7.4
310 |
OL-28744-01 |
Configuring Dynamic Interfaces (GUI)
•To delete an existing dynamic interface, hover your cursor over the blue drop-down arrow for the desired interface and choose Remove.
Step 3 Enter an interface name and a VLAN identifier, as shown in the figure above.
Step 4 Click Apply to commit your changes. The Interfaces > Edit page appears.
Step 5 Configure the following parameters:
•Guest LAN, if applicable
•Quarantine and quarantine VLAN ID, if applicable
Note Select the Quarantine check box if you want to configure this VLAN as unhealthy or you want to configure network access control (NAC) out-of-band integration. Doing so causes the data traffic of any client that is assigned to this VLAN to pass through the controller.
•Physical port assignment (for all controllers except the 5500 series)
•NAT address (only for Cisco 5500 Series Controllers configured for dynamic AP management)
Note Select the Enable NAT Address check box and enter the external NAT IP address if you want to be able to deploy your Cisco 5500 Series Controller behind a router or other gateway device that is using one-to-one mapping network address translation (NAT). NAT allows a device, such as a router, to act as an agent between the Internet (public) and a local network (private). In this case, it maps the controller’s intranet IP addresses to a corresponding external address. The controller’s dynamic AP-manager interface must be configured with the external NAT IP address so that the controller can send the correct IP address in the Discovery Response.
Note The NAT parameters are supported for use only with one-to-one-mapping NAT, where each private client has a direct and fixed mapping to a global address. The NAT parameters do not support one-to-many NAT, which uses source port mapping to enable a group of clients to be represented by a single IP address.
•Dynamic AP management
Note When you enable this feature, this dynamic interface is configured as an AP-manager interface (only one AP-manager interface is allowed per physical port). A dynamic interface that is marked as an AP-manager interface cannot be used as a WLAN interface.
Note Set the APs in a VLAN that is different than the dynamic interface configured on the controller. If the APs are in the same VLAN as the dynamic interface, the APs are not registered on the controller and the “LWAPP discovery rejected” and “Layer 3 discovery request not received on management VLAN” errors are logged on the controller.
•VLAN identifier
•Fixed IP address, IP netmask, and default gateway
•Primary and secondary DHCP servers
•Access control list (ACL) name, if required
Note To ensure proper operation,you must set the Port Number and PrimaryDHCP Server parameters.
Step 6 Click Save Configuration to save your changes.
Step 7 Repeat this procedure for each dynamic interface that you want to create or edit.
Cisco Wireless LAN Controller Configuration Guide, Release 7.4
OL-28744-01 |
311 |
Configuring Dynamic Interfaces (CLI)
Configuring Dynamic Interfaces (CLI)
Step 1 Enter the show interface summary command to view the current dynamic interfaces.
Step 2 View the details of a specific dynamic interface by entering this command: show interface detailed operator_defined_interface_name.
Note Interface names that contain spaces must be enclosed in double quotes. For example: config interface create
"vlan 25"
Step 3 Enter the config wlan disable wlan_id command to disable each WLAN that uses the dynamic interface for distribution system communication.
Step 4 Enter these commands to configure dynamic interfaces:
•config interface create operator_defined_interface_name {vlan_id | x}
•config interface address interface ip_addr ip_netmask [gateway]
•config interface vlan operator_defined_interface_name {vlan_id | o}
•config interface port operator_defined_interface_name physical_ds_port_number
•config interface ap-manager operator_defined_interface_name {enable | disable}
Note Use the config interface ap-manager operator_defined_interface_name {enable | disable} command to enable or disable dynamic AP management. When you enable this feature, this dynamic interface is configured as an AP-manager interface (only one AP-manager interface is allowed per physical port). A dynamic interface that is marked as an AP-manager interface cannot be used as a WLAN interface.
•config interface dhcp operator_defined_interface_name ip_address_of_primary_dhcp_server [ip_address_of_secondary_dhcp_server]
•config interface quarantine vlan interface_name vlan_id
Note Use the config interface quarantine vlan interface_name vlan_id command to configure a quarantine VLAN on any interface.
•config interface acl operator_defined_interface_name access_control_list_name
Step 5 Enter these commands if you want to be able to deploy your Cisco 5500 Series Controller behind a router or other gateway device that is using one-to-one mapping network address translation (NAT):
•config interface nat-address dynamic-interface operator_defined_interface_name {enable | disable}
•config interface nat-address dynamic-interface operator_defined_interface_name set public_IP_address
NAT allows a device, such as a router, to act as an agent between the Internet (public) and a local network (private). In this case, it maps the controller’s intranet IP addresses to a corresponding external address. The controller’s dynamic AP-manager interface must be configured with the external NAT IP address so that the controller can send the correct IP address in the Discovery Response.
Note These commands are supported for use only with one-to-one-mapping NAT, whereby each private client has a direct and fixed mapping to a global address. These commands do not support one-to-many NAT, which uses source port mapping to enable a group of clients to be represented by a single IP address.
Cisco Wireless LAN Controller Configuration Guide, Release 7.4
312 |
OL-28744-01 |
Configuring Dynamic Interfaces (CLI)
Step 6 Enter the config wlan enable wlan_id command to reenable each WLAN that uses the dynamic interface for distribution system communication.
Step 7 Enter the save config command to save your changes.
Step 8 Enter the show interface detailed operator_defined_interface_name command and show interface summary command to verify that your changes have been saved.
Note If desired, you can enter the config interface delete operator_defined_interface_name command to delete a dynamic interface.
Cisco Wireless LAN Controller Configuration Guide, Release 7.4
OL-28744-01 |
313 |
Configuring Dynamic Interfaces (CLI)
|
Cisco Wireless LAN Controller Configuration Guide, Release 7.4 |
314 |
OL-28744-01 |
C H A P T E R 32
Configuring Ports
• Configuring Ports (GUI), page 315
Configuring Ports (GUI)
The controller’s ports are configured with factory-default settings designed to make the controllers’ ports operational without additional configuration. However, you can view the status of the controller’s ports and edit their configuration parameters at any time.
Step 1 Choose Controller > Ports to open the Ports page.
This page shows the current configuration for each of the controller’s ports.
If you want to change the settings of any port, click the number for that specific port. The Port > Configure page appears.
Note If the management and AP-manager interfaces are mapped to the same port and are members of the same VLAN, you must disable the WLAN before making a port-mapping change to either interface. If the management and AP-manager interfaces are assigned to different VLANs, you do not need to disable the WLAN.
Note The number of parameters available on the Port > Configure page depends on your controller type.
The following show the current status of the port:
•Port Number—Number of the current port.
•Admin Status—Current state of the port. Values: Enable or Disable
•Physical Mode—Configuration of the port physical interface. The mode varies by the controller type.
•Physical Status—The data rate being used by the port. The available data rates vary based on controller type.
◦2500 series - 1 Gbps full duplex
◦WiSM2 - 10 Gbps full duplex
◦7500 series - 10 Gbps full duplex
•Link Status—Link status of the port. Values: Link Up or Link Down
Cisco Wireless LAN Controller Configuration Guide, Release 7.4
OL-28744-01 |
315 |
Configuring Ports (GUI)
•Link Trap—Whether the port is set to send a trap when the link status changes. Values: Enable or Disable
•Power over Ethernet (PoE)—If the connecting device is equipped to receive power through the Ethernet cable and if so, provides –48 VDC. Values: Enable or Disable
Note Some older Cisco access points do not draw PoE even if it is enabled on the controller port. In such cases, contact the Cisco Technical Assistance Center (TAC).
The following is a list of the port’s configurable parameters.
1Admin Status—Enables or disables the flow of traffic through the port. Options: Enable or Disable Default: Enable.
Note When a primary port link goes down, messages may get logged internally only and not be posted to a syslog server. It may take up to 40 seconds to restore logging to the syslog server.
2Physical Mode—Determines whether the port’s data rate is set automatically or specified by the user. The supported data rates vary based on the controller type. Default: Auto.
3Link Trap—Causes the port to send a trap when the port’s link status changes. Options: Enable or Disable Default: Enable.
Step 2 Click Apply.
Step 3 Click Save Configuration.
Step 4 Click Back to return to the Ports page and review your changes.
Step 5 Repeat this procedure for each additional port that you want to configure.
Cisco Wireless LAN Controller Configuration Guide, Release 7.4
316 |
OL-28744-01 |
C H A P T E R 33
Information About Using Cisco 5500 Series
Controller USB Console Port
The USB console port on the Cisco 5500 Series Controllers connects directly to the USB connector of a PC using a USB Type A-to-5-pin mini Type B cable.
Note The 4-pin mini Type B connector is easily confused with the 5-pin mini Type B connector. They are not compatible. Only the 5-pin mini Type B connector can be used.
For operation with Microsoft Windows, the Cisco Windows USB console driver must be installed on any PC connected to the console port. With this driver, you can plug and unplug the USB cable into and from the console port without affecting Windows HyperTerminal operations.
Note Only one console port can be active at a time. When a cable is plugged into the USB console port, the RJ-45 port becomes inactive. Conversely, when the USB cable is removed from the USB port, the RJ-45 port becomes active.
• USB Console OS Compatibility, page 317
• Changing the Cisco USB Systems Management Console COM Port to an Unused Port, page 318
USB Console OS Compatibility
Before You Begin
These operating systems are compatible with the USB console:
•Microsoft Windows 2000, Windows XP, Windows Vista, Windows 7 (Cisco Windows USB console driver required)
•Apple Mac OS X 10.5.2 (no driver required)
Cisco Wireless LAN Controller Configuration Guide, Release 7.4
OL-28744-01 |
317 |
Changing the Cisco USB Systems Management Console COM Port to an Unused Port
• Linux (no driver required)
Step 1 Download the USB_Console.inf driver file as follows:
a)ClickthisURLtogototheSoftwareCenter: http://tools.cisco.com/support/downloads/go/Redirect.x?mdfid=278875243
b)Click Wireless LAN Controllers.
c)Click Standalone Controllers.
d)Click Cisco 5500 Series Wireless LAN Controllers.
e)Click Cisco 5508 Wireless LAN Controller.
f)Choose the USB driver file.
g)Save the file to your hard drive.
Step 2 Connect the Type A connector to a USB port on your PC.
Step 3 Connect the mini Type B connector to the USB console port on the controller.
Step 4 When prompted for a driver, browse to the USB_Console.inf file on your PC. Follow the prompts to install the USB driver.
Note Some systems might also require an additional system file. You can download the Usbser.sys file from http:// support.microsoft.com/kb/918365.
Changing the Cisco USB Systems Management Console COM Port to an Unused
Port
Before You Begin
The USB driver is mapped to COM port 6. Some terminal emulation programs do not recognize a port higher than COM 4. If necessary, you must change the Cisco USB systems management console COM port to an unused port of COM 4 or lower.
Step 1 From your Windows desktop, right-click My Computer and choose Manage.
Step 2 From the list on the left side, choose Device Manager.
Step 3 From the device list on the right side, double-click Ports (COM & LPT).
Step 4 Right-click Cisco USB System Management Console 0108 and choose Properties.
Step 5 Click the Port Settings tab and click the Advanced button.
Step 6 From the COM Port Number drop-down list, choose an unused COM port of 4 or lower.
Step 7 Click OK to save and then close the Advanced Settings dialog box.
Step 8 Click OK to save and then close the Communications Port Properties dialog box.
Cisco Wireless LAN Controller Configuration Guide, Release 7.4
318 |
OL-28744-01 |
C H A P T E R 34
Configuring Link Aggregation
• Information About Link Aggregation, page 319
• Restrictions for Link Aggregation, page 319
• Enabling Link Aggregation (GUI), page 321
• Enabling Link Aggregation (CLI), page 321
• Verifying Link Aggregation Settings (CLI), page 322
• Configuring Neighbor Devices to Support Link Aggregation, page 322
• Choosing Between Link Aggregation and Multiple AP-Manager Interfaces, page 322
Information About Link Aggregation
Link aggregation (LAG) is a partial implementation of the 802.3ad port aggregation standard. It bundles all of the controller’s distribution system ports into a single 802.3ad port channel, thereby reducing the number of IP addresses needed to configure the ports on your controller. When LAG is enabled, the system dynamically manages port redundancy and load balances access points transparently to the user.
LAG simplifiescontrollerconfigurationbecauseyou no longer need to configure primary and secondary ports for each interface. If any of the controller ports fail, traffic is automatically migrated to one of the other ports. As long as at least one controller port is functioning, the system continues to operate, access points remain connected to the network, and wireless clients continue to send and receive data.
Note LAG is supported across switches.
Restrictions for Link Aggregation
•You can bundle all eight ports on a Cisco 5508 Controller into a single link.
•Terminating on two different modules within a single Catalyst 6500 series switch provides redundancy and ensures that connectivity between the switch and the controller is maintained when one module fails. The controller’s port 1 is connected to Gigabit interface 3/1, and the controller’s port 2 is connected
Cisco Wireless LAN Controller Configuration Guide, Release 7.4
OL-28744-01 |
319 |
Restrictions for Link Aggregation
to Gigabit interface 2/1 on the Catalyst 6500 series switch. Both switch ports are assigned to the same channel group.
•LAG requires the EtherChannel to be configured for 'mode on' on both the controller and the Catalyst switch.
•Once the EtherChannel is configured as on at both ends of the link, the Catalyst switch should not be configured for either Link Aggregation Control Protocol (LACP) or Cisco proprietary Port Aggregation Protocol (PAgP) but be set unconditionally to LAG. Because no channel negotiation is done between the controller and the switch, the controller does not answer to negotiation frames and the LAG is not formed if a dynamic form of LAG is set on the switch. Additionally, LACP and PAgP are not supported on the controller.
•If the recommended load-balancing method cannot be configured on the Catalyst switch, then configure the LAG connection as a single member link or disable LAG on the controller.
Figure 37: Link Aggregation with the Catalyst 6500 Series Neighbor Switch
•You cannot configure the controller’s ports into separate LAG groups. Only one LAG group is supported per controller. Therefore, you can connect a controller in LAG mode to only one neighbor device.
•When you enable LAG or make any changes to the LAG configuration, you must immediately reboot the controller.
•When you enable LAG, you can configure only one AP-manager interface because only one logical port is needed. LAG removes the requirement for supporting multiple AP-manager interfaces.
•When you enable LAG, all dynamic AP-manager interfaces and untagged interfaces are deleted, and all WLANsaredisabledandmappedtothemanagementinterface.Also,themanagement,staticAP-manager, and VLAN-tagged dynamic interfaces are moved to the LAG port.
•Multiple untagged interfaces to the same port are not allowed.
•When you enable LAG, you cannot create interfaces with a primary port other than 29.
•When you enable LAG, all ports participate in LAG by default. You must configure LAG for all of the connected ports in the neighbor switch.
|
Cisco Wireless LAN Controller Configuration Guide, Release 7.4 |
320 |
OL-28744-01 |
Enabling Link Aggregation (GUI)
•When you enable LAG, if any single link goes down, traffic migrates to the other links.
•When you enable LAG, only one functional physical port is needed for the controller to pass client traffic.
•When you enable LAG, access points remain connected to the controller until you reboot the controller, which is needed to activate the LAG mode change, and data service for users continues uninterrupted.
•When you enable LAG, you eliminate the need to configure primary and secondary ports for each interface.
•When you enable LAG, the controller sends packets out on the same port on which it received them. If a CAPWAP packet from an access point enters the controller on physical port 1, the controller removes the CAPWAP wrapper, processes the packet, and forwards it to the network on physical port 1. This may not be the case if you disable LAG.
•When you disable LAG, the management, static AP-manager, and dynamic interfaces are moved to port 1.
•When you disable LAG, you must configure primary and secondary ports for all interfaces.
•When you disable LAG, you must assign an AP-manager interface to each port on the controller. Otherwise, access points are unable to join.
•Cisco 5500 Series Controllers support a single static link aggregation bundle.
•LAG is typically configured using the Startup Wizard, but you can enable or disable it at any time through either the GUI or CLI.
•When you enable LAG on Cisco 2500 Series Controller to which the direct-connect access point is associated, the direct connect access point is disconnected since LAG enabling is still in the transition state. You must reboot the controller immediately after enabling LAG.
Enabling Link Aggregation (GUI)
Step 1 Choose Controller > General to open the General page.
Step 2 Set the LAG Mode on Next Reboot parameter to Enabled.
Step 3 Click Apply to commit your changes.
Step 4 Click Save Configuration to save your changes.
Step 5 Reboot the controller.
Step 6 Assign the WLAN to the appropriate VLAN.
Enabling Link Aggregation (CLI)
Step 1 Enter the config lag enable command to enable LAG.
Cisco Wireless LAN Controller Configuration Guide, Release 7.4
OL-28744-01 |
321 |
Verifying Link Aggregation Settings (CLI)
Note Enter the config lag disable command if you want to disable
LAG.
Step 2 Enter the save config command to save your settings.
Step 3 Reboot the controller.
Verifying Link Aggregation Settings (CLI)
To verify your LAG settings, enter this command:
show lag summary
Information similar to the following appears:
LAG Enabled
Configuring Neighbor Devices to Support Link Aggregation
The controller’s neighbor devices must also be properly configured to support LAG.
• Each neighbor port to which the controller is connected should be configured as follows:
interface GigabitEthernet <interface id> switchport
channel-group <id> mode on no shutdown
• The port channel on the neighbor switch should be configured as follows:
interface port-channel <id> switchport
switchport trunk encapsulation dot1q switchport trunk native vlan <native vlan id> switchport trunk allowed vlan <allowed vlans> switchport mode trunk
no shutdown
Choosing Between Link Aggregation and Multiple AP-Manager Interfaces
Cisco 5500 Series Controllers have no restrictions on the number of access points per port, but we recommend using LAG or multiple AP-manager interfaces on each Gigabit Ethernet port to automatically balance the load.
The following factors should help you decidewhich method to use if your controlleris set for Layer 3 operation:
•With LAG, all of the controller ports need to connect to the same neighbor switch. If the neighbor switch goes down, the controller loses connectivity.
•With multiple AP-manager interfaces, you can connect your ports to different neighbor devices. If one of the neighbor switches goes down, the controller still has connectivity. However, using multiple AP-manager interfaces presents certain challenges when port redundancy is a concern.
Cisco Wireless LAN Controller Configuration Guide, Release 7.4
322 |
OL-28744-01 |
C H A P T E R 35
Configuring Multiple AP-Manager Interfaces
• Information About Multiple AP-Manager Interfaces, page 323
• Restrictions for Configuring Multiple AP Manager Interfaces, page 323
• Creating Multiple AP-Manager Interfaces (GUI), page 324
• Creating Multiple AP-Manager Interfaces (CLI), page 324
Information About Multiple AP-Manager Interfaces
When you create two or more AP-manager interfaces, each one is mapped to a different port. The ports should be configured in sequential order so that AP-manager interface 2 is on port 2, AP-manager interface 3 is on port 3, and AP-manager interface 4 is on port 4.
Before an access point joins a controller, it sends out a discovery request. From the discovery response that it receives, the access point can tell the number of AP-manager interfaces on the controller and the number of access points on each AP-manager interface. The access point generally joins the AP-manager with the least number of access points. In this way, the access point load is dynamically distributed across the multiple AP-manager interfaces.
Note Access points may not be distributed completely evenly across all of the AP-manager interfaces, but a certain level of load balancing occurs.
Restrictions for Configuring Multiple AP Manager Interfaces
The following restrictions apply while configuring the multiple AP manager interfaces in the controller:
•You must assign an AP-manager interface to each port on the controller.
•BeforeimplementingmultipleAP-managerinterfaces,youshouldconsiderhowtheywouldimpactyour controller’s port redundancy.
•Only Cisco 5500 Series Controllers support the use of multiple AP-manager interfaces.
Cisco Wireless LAN Controller Configuration Guide, Release 7.4
OL-28744-01 |
323 |
Creating Multiple AP-Manager Interfaces (GUI)
•AP-manager interfaces do not need to be on the same VLAN or IP subnet, and they may or may not be onthesameVLANorIPsubnetasthemanagementinterface.However,werecommendthatyouconfigure all AP-manager interfaces on the same VLAN or IP subnet.
•If the port of one of the AP-manager interfaces fails, the controller clears the state of the access points, and the access points must reboot to reestablish communication with the controller using the normal controllerjoinprocess.Thecontrollerno longerincludesthefailedAP-managerinterfacein theCAPWAP or LWAPP discovery responses. The access points then rejoin the controller and are load balanced among the available AP-manager interfaces.
Creating Multiple AP-Manager Interfaces (GUI)
Step 1 |
Choose Controller > Interfaces to open the Interfaces page. |
|
Step 2 |
Click New. |
|
|
The Interfaces > New page appears. |
|
Step 3 |
Enter an AP-manager interface name and a VLAN identifier. |
|
Step 4 |
Click Apply to commit your changes. The Interfaces > Edit page appears. |
|
Step 5 |
Enter the appropriate interface parameters. |
|
|
Note |
Every interface supports primary and backup port with the following exceptions |
•Dynamic interface is converted to AP manager which does not support backup of port configuration.
•If AP manager is enabled on management interface and when management interface moves to backup port because of primary port failure, the AP manager will be disabled.
Step 6 To make this interface an AP-manager interface, select the Enable Dynamic AP Management check box.
Note OnlyoneAP-managerinterfaceisallowedperphysicalport.AdynamicinterfacethatismarkedasanAP-manager interface cannot be used as a WLAN interface.
Step 7 Click Save Configuration to save your settings.
Step 8 Repeat this procedure for each additional AP-manager interface that you want to create.
Creating Multiple AP-Manager Interfaces (CLI)
Step 1 Enter these commands to create a new interface:
•config interface create operator_defined_interface_name {vlan_id | x}
•config interface address operator_defined_interface_name ip_addr ip_netmask [gateway]
•config interface vlan operator_defined_interface_name {vlan_id | o}
•config interface port operator_defined_interface_name physical_ds_port_number
Cisco Wireless LAN Controller Configuration Guide, Release 7.4
324 |
OL-28744-01 |
Loading...