Cisco CISCO1401 - 1401 Router - EN, CISCO1417 - 1417 Router - EN, Aironet 1400 Series Software Manual

Cisco Aironet 1400 Series Wireless Bridge Software Configuration Guide
Cisco IOS Release 12.2(11)JA June 2003
Corporate Headquarters
Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000
Fax: 408 526-4100
Text Part Number: OL-4059-01
Copyright © 2010 Cisco Systems, Inc. All rights reserved.
Contents
Preface
  Audience
  Purpose
  Organization
  Conventions
  Related Publications
  Obtaining Documentation
  Cisco.com
  Documentation CD-ROM
  Ordering Documentation
  Documentation Feedback
  Obtaining Technical Assistance
  Cisco.com
  Technical Assistance Center
  Cisco TAC Website
  Cisco TAC Escalation Center
  Obtaining Additional Publications and Information
Chapter 1 Overview
  Features
  Management Options
  Network Configuration Examples
  Point-to-Point Bridging
  Point-to-Multipoint Bridging
  Redundant Bridging
Chapter 2 Configuring the Bridge for the First Time
  Before You Start
  Resetting the Bridge to Default Settings
  Obtaining and Assigning an IP Address
  Connecting to the Bridge Locally
  Assigning Basic Settings
  Default Settings on the Express Setup Page
  Protecting Your Wireless LAN
  Using the IP Setup Utility
  Obtaining and Installing IPSU
  Using IPSU to Find the Bridge’s IP Address
  Using IPSU to Set the Bridge’s IP Address and SSID
  Assigning an IP Address Using the CLI
  Using a Telnet Session to Access the CLI
Chapter 3 Using the Web-Browser Interface
  Using the Web-Browser Interface for the First Time
  Using the Management Pages in the Web-Browser Interface
  Using Action Buttons
  Character Restrictions in Entry Fields
  Using Online Help
Chapter 4 Using the Command-Line Interface
  IOS Command Modes
  Getting Help
  Abbreviating Commands
  Using no and default Forms of Commands
  Understanding CLI Messages
  Using Command History
  Changing the Command History Buffer Size
  Recalling Commands
  Disabling the Command History Feature
  Using Editing Features
  Enabling and Disabling Editing Features
  Editing Commands Through Keystrokes
  Editing Command Lines that Wrap
  Searching and Filtering Output of show and more Commands
  Accessing the CLI
  Opening the CLI with Telnet
  Opening the CLI with Secure Shell
Chapter 5 Administering the Bridge
  Preventing Unauthorized Access to Your Bridge
  Protecting Access to Privileged EXEC Commands
  Default Password and Privilege Level Configuration
  Setting or Changing a Static Enable Password
  Protecting Enable and Enable Secret Passwords with Encryption
  Configuring Username and Password Pairs
  Configuring Multiple Privilege Levels
  Setting the Privilege Level for a Command
  Logging Into and Exiting a Privilege Level
  Controlling Bridge Access with RADIUS
  Default RADIUS Configuration
  Configuring RADIUS Login Authentication
  Defining AAA Server Groups
  Configuring RADIUS Authorization for User Privileged Access and Network Services
  Displaying the RADIUS Configuration
  Controlling Bridge Access with TACACS+
  Default TACACS+ Configuration
  Configuring TACACS+ Login Authentication
  Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services
  Displaying the TACACS+ Configuration
  Configuring the Bridge for Local Authentication and Authorization
  Configuring the Bridge for Secure Shell
  Understanding SSH
  Configuring SSH
  Managing the System Time and Date
  Understanding the System Clock
  Understanding Network Time Protocol
  Configuring NTP
  Default NTP Configuration
  Configuring NTP Authentication
  Configuring NTP Associations
  Configuring NTP Broadcast Service
  Configuring NTP Access Restrictions
  Configuring the Source IP Address for NTP Packets
  Displaying the NTP Configuration
  Configuring Time and Date Manually
  Setting the System Clock
  Displaying the Time and Date Configuration
  Configuring the Time Zone
  Configuring Summer Time (Daylight Saving Time)
  Configuring a System Name and Prompt
  Default System Name and Prompt Configuration
  Configuring a System Name
  Understanding DNS
  Default DNS Configuration
  Setting Up DNS
  Displaying the DNS Configuration
  Creating a Banner
  Default Banner Configuration
  Configuring a Message-of-the-Day Login Banner
  Configuring a Login Banner
Chapter 6 Configuring Radio Settings
  Disabling and Enabling the Radio Interface
  Configuring the Role in Radio Network
  Configuring the Radio Distance Setting
  Configuring Radio Data Rates
  Configuring Radio Transmit Power
  Configuring Radio Channel Settings
  Disabling and Enabling Aironet Extensions
  Configuring the Ethernet Encapsulation Transformation Method
  Configuring the Beacon Period
  Configuring RTS Threshold and Retries
  Configuring the Maximum Data Retries
  Configuring the Fragmentation Threshold
  Configuring Packet Concatenation
  Performing a Carrier Busy Test
Chapter 7 Configuring SSIDs
  Understanding SSIDs
  Configuring the SSID
  Default SSID Configuration
  Creating an SSID
Chapter 8 Configuring Spanning Tree Protocol
  Understanding Spanning Tree Protocol
  STP Overview
  Bridge Protocol Data Units
  Election of the Spanning-Tree Root
  Spanning-Tree Timers
  Creating the Spanning-Tree Topology
  Spanning-Tree Interface States
  Blocking State
  Listening State
  Learning State
  Forwarding State
  Disabled State
  Configuring STP Features
  Default STP Configuration
  Configuring STP Settings
  STP Configuration Examples
  Root Bridge Without VLANs
  Non-Root Bridge Without VLANs
  Root Bridge with VLANs
  Non-Root Bridge with VLANs
  Displaying Spanning-Tree Status
Chapter 9 Configuring WEP and WEP Features
  Understanding WEP
  Configuring WEP and WEP Features
  Creating WEP Keys
  Enabling and Disabling WEP and Enabling TKIP and MIC
Chapter 10 Configuring Authentication Types
  Understanding Authentication Types
  Open Authentication to the Bridge
  Shared Key Authentication to the Bridge
  EAP Authentication to the Network
  Configuring Authentication Types
  Default Authentication Settings
  Assigning Authentication Types to an SSID
  Configuring Authentication Holdoffs, Timeouts, and Intervals
  Setting Up a Non-Root Bridge as a LEAP Client
  Matching Authentication Types on Root and Non-Root Bridges
Chapter 11 Configuring RADIUS and TACACS+ Servers
  Configuring and Enabling RADIUS
  Understanding RADIUS
  RADIUS Operation
  Configuring RADIUS
  Default RADIUS Configuration
  Identifying the RADIUS Server Host
  Configuring RADIUS Login Authentication
  Defining AAA Server Groups
  Configuring RADIUS Authorization for User Privileged Access and Network Services
  Starting RADIUS Accounting
  Configuring Settings for All RADIUS Servers
  Configuring the Bridge to Use Vendor-Specific RADIUS Attributes
  Configuring the Bridge for Vendor-Proprietary RADIUS Server Communication
  Displaying the RADIUS Configuration
  Configuring and Enabling TACACS+
  Understanding TACACS+
  TACACS+ Operation
  Configuring TACACS+
  Default TACACS+ Configuration
  Identifying the TACACS+ Server Host and Setting the Authentication Key
  Configuring TACACS+ Login Authentication
  Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services
  Starting TACACS+ Accounting
  Displaying the TACACS+ Configuration
Chapter 12 Configuring VLANs
  Understanding VLANs
  Related Documents
  Incorporating Wireless Bridges into VLANs
  Configuring VLANs
  Configuring a VLAN
  Viewing VLANs Configured on the Bridge
Chapter 13 Configuring QoS
  Understanding QoS for Wireless LANs
  QoS for Wireless LANs Versus QoS on Wired LANs
  Impact of QoS on a Wireless LAN
  Precedence of QoS Settings
  Configuring QoS
  Configuration Guidelines
  Configuring QoS Using the Web-Browser Interface
  Adjusting Radio Traffic Class Definitions
  CW-min and CW-max Settings for Point-to-Point and Point-to-Multipoint Bridge Links
  QoS Configuration Examples
  Giving Priority to Voice Traffic
  Giving Priority to Video Traffic
Chapter 14 Configuring Filters
  Understanding Filters
  Configuring Filters Using the CLI
  Configuring Filters Using the Web-Browser Interface
  Configuring and Enabling MAC Address Filters
  Creating a MAC Address Filter
  Configuring and Enabling IP Filters
  Creating an IP Filter
  Configuring and Enabling Ethertype Filters
  Creating an Ethertype Filter
Chapter 15 Configuring CDP
  Understanding CDP
  Configuring CDP
  Default CDP Configuration
  Configuring the CDP Characteristics
  Disabling and Enabling CDP
  Disabling and Enabling CDP on an Interface
  Monitoring and Maintaining CDP
Chapter 16 Configuring SNMP
  Understanding SNMP
  SNMP Versions
  SNMP Manager Functions
  SNMP Agent Functions
  SNMP Community Strings
  Using SNMP to Access MIB Variables
  Configuring SNMP
  Default SNMP Configuration
  Enabling the SNMP Agent
  Configuring Community Strings
  Configuring Trap Managers and Enabling Traps
  Setting the Agent Contact and Location Information
  Using the snmp-server view Command
  SNMP Examples
  Displaying SNMP Status
Chapter 17 Managing Firmware and Configurations
  Working with the Flash File System
  Displaying Available File Systems
  Setting the Default File System
  Displaying Information About Files on a File System
  Changing Directories and Displaying the Working Directory
  Creating and Removing Directories
  Copying Files
  Deleting Files
  Creating, Displaying, and Extracting tar Files
  Creating a tar File
  Displaying the Contents of a tar File
  Extracting a tar File
  Displaying the Contents of a File
  Working with Configuration Files
  Guidelines for Creating and Using Configuration Files
  Configuration File Types and Location
  Creating a Configuration File by Using a Text Editor
  Copying Configuration Files by Using TFTP
  Preparing to Download or Upload a Configuration File by Using TFTP
  Downloading the Configuration File by Using TFTP
  Uploading the Configuration File by Using TFTP
  Copying Configuration Files by Using FTP
  Preparing to Download or Upload a Configuration File by Using FTP
  Downloading a Configuration File by Using FTP
  Uploading a Configuration File by Using FTP
  Copying Configuration Files by Using RCP
  Preparing to Download or Upload a Configuration File by Using RCP
  Downloading a Configuration File by Using RCP
  Uploading a Configuration File by Using RCP
  Clearing Configuration Information
  Deleting a Stored Configuration File
  Working with Software Images
  Image Location on the Bridge
  tar File Format of Images on a Server or Cisco.com
  Copying Image Files by Using TFTP
  Preparing to Download or Upload an Image File by Using TFTP
  Downloading an Image File by Using TFTP
  Uploading an Image File by Using TFTP
  Copying Image Files by Using FTP
  Preparing to Download or Upload an Image File by Using FTP
  Downloading an Image File by Using FTP
  Uploading an Image File by Using FTP
  Copying Image Files by Using RCP
  Preparing to Download or Upload an Image File by Using RCP
  Downloading an Image File by Using RCP
  Uploading an Image File by Using RCP
  Reloading the Image Using the Web Browser Interface
  Browser HTTP Interface
  Browser TFTP Interface
  Reloading the Image Using the Power Injector MODE button
Chapter 18 Configuring System Message Logging
  Understanding System Message Logging
  Configuring System Message Logging
  System Log Message Format
  Default System Message Logging Configuration
  Disabling and Enabling Message Logging
  Setting the Message Display Destination Device
  Enabling and Disabling Timestamps on Log Messages
  Enabling and Disabling Sequence Numbers in Log Messages
  Defining the Message Severity Level
  Limiting Syslog Messages Sent to the History Table and to SNMP
  Setting a Logging Rate Limit
  Configuring UNIX Syslog Servers
  Logging Messages to a UNIX Syslog Daemon
  Configuring the UNIX System Logging Facility
  Displaying the Logging Configuration
Chapter 19 Troubleshooting
  Checking the Bridge LEDs
  Bridge Normal Mode LED Indications
  Power Injector LEDs
  Checking Power
  Checking Basic Configuration Settings
  SSID
  Security Settings
  Antenna Alignment
  Resetting to the Default Configuration
  Using the MODE Button
  Using the Web Browser Interface
  Reloading the Bridge Image
  Using the MODE button
  Web Browser Interface
  Browser HTTP Interface
  Browser TFTP Interface
  Obtaining the Bridge Image File
  Obtaining the TFTP Server Software
Appendix A Channels and Antenna Settings
  Channels
  IEEE 802.11a (5-GHz Band)
  Maximum Power Levels
  5.8-GHz Band
Appendix B Protocol Filters
Appendix C Supported MIBs
  MIB List
  Using FTP to Access the MIB Files
Appendix D Error and Event Messages
Glossary
Index
Preface
Audience
This guide is for the networking professional who installs and manages Cisco Aironet 1400 Series Bridges. To use this guide, you should have experience working with the Cisco IOS and be familiar with the concepts and terminology of wireless local area networks.
Purpose
This guide provides the information you need to install and configure your bridge. This guide provides procedures for using the IOS commands that have been created or changed for use with the bridge. It does not provide detailed information about these commands. For detailed information about these commands, refer to the Cisco IOS Command Reference for Cisco Aironet Access Points and Bridges for this release. For information about the standard IOS Release 12.2 commands, refer to the IOS documentation set available from the Cisco.com home page at Service and Support > Technical Documents. On the Cisco Product Documentation home page, select Release 12.2 from the Cisco IOS Software drop-down list.
This guide also includes an overview of the bridge web-based interface, which contains all the functionality of the command-line interface (CLI). This guide does not provide field-level descriptions of the web-based windows nor does it provide the procedures for configuring the bridge from the web-based interface. For all window descriptions and procedures, refer to the bridge online help, which is available from the Help buttons on the web-based interface pages.
Organization
This guide is organized into these chapters:
Chapter 1, “Overview,” lists the software and hardware features of the bridge and describes the bridge’s role in your network.
Chapter 2, “Configuring the Bridge for the First Time,” describes how to configure basic settings on a new bridge.
Chapter 3, “Using the Web-Browser Interface,” describes how to use the web-browser interface to configure the bridge.
Chapter 4, “Using the Command-Line Interface,” describes how to use the command-line interface (CLI) to configure the bridge.
Chapter 5, “Administering the Bridge,” describes how to perform one-time operations to administer your bridge, such as preventing unauthorized access to the bridge, setting the system date and time, and setting the system name and prompt.
Chapter 6, “Configuring Radio Settings,” describes how to configure settings for the bridge radio such as the role in the radio network, data rates, transmit power, channel settings, and others.
Chapter 7, “Configuring SSIDs,” describes how to configure and manage multiple service set identifiers (SSIDs) on your bridge. You can configure up to 16 SSIDs on your bridge and assign different configuration settings to each SSID.
Chapter 8, “Configuring Spanning Tree Protocol,” describes how to configure Spanning Tree Protocol (STP) on your bridge. STP prevents bridge loops in your network.
Chapter 9, “Configuring WEP and WEP Features,” describes how to configure the cipher suites required to use authenticated key management, Wired Equivalent Privacy (WEP), and WEP features including MIC, CMIC, TKIP, CKIP, and broadcast key rotation.
Chapter 10, “Configuring Authentication Types,” describes how to configure authentication types on the bridge. Client devices use these authentication methods to join your network.
Chapter 11, “Configuring RADIUS and TACACS+ Servers,” describes how to enable and configure the Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access Control System Plus (TACACS+), which provide detailed accounting information and flexible administrative control over authentication and authorization processes.
Chapter 12, “Configuring VLANs,” describes how to configure your bridge to interoperate with the VLANs set up on your wired LAN.
Chapter 13, “Configuring QoS,” describes how to configure quality of service (QoS) on your bridge. With this feature, you can provide preferential treatment to certain traffic at the expense of others.
Chapter 14, “Configuring Filters,” describes how to configure and manage MAC address, IP, and Ethertype filters on the bridge using the web-browser interface.
Chapter 15, “Configuring CDP,” describes how to configure Cisco Discovery Protocol (CDP) on your bridge. CDP is a device-discovery protocol that runs on all Cisco network equipment.
Chapter 16, “Configuring SNMP,” describes how to configure the Simple Network Management Protocol (SNMP) on your bridge.
Chapter 17, “Managing Firmware and Configurations,” describes how to manipulate the Flash file system, how to copy configuration files, and how to archive (upload and download) software images.
Chapter 18, “Configuring System Message Logging,” describes how to configure system message logging on your bridge.
Chapter 19, “Troubleshooting,” describes how to troubleshoot common problems with your bridge.
Appendix A, “Channels and Antenna Settings,” lists the bridge radio channels and the maximum power levels supported by the world’s regulatory domains.
Appendix B, “Protocol Filters,” lists some of the protocols that you can filter on the bridge.
Appendix C, “Supported MIBs,” lists the Simple Network Management Protocol (SNMP) Management Information Bases (MIBs) that the bridge supports for this software release.
Appendix D, “Error and Event Messages,” lists the CLI error and event messages and provides an explanation and recommended action for each message.
Conventions
This publication uses these conventions to convey instructions and information:
Command descriptions use these conventions:
  Commands and keywords are in boldface text.
  Arguments for which you supply values are in italic.
  Square brackets ([ ]) mean optional elements.
  Braces ({ }) group required choices, and vertical bars ( | ) separate the alternative elements.
  Braces and vertical bars within square brackets ([{ | }]) mean a required choice within an optional element.
Interactive examples use these conventions:
  Terminal sessions and system displays are in screen font.
  Information you enter is in boldface screen font.
  Nonprinting characters, such as passwords or tabs, are in angle brackets (< >).
Notes, cautions, and timesavers use these conventions and symbols:
Tip Means the following will help you solve a problem. The tips information might not be troubleshooting or even an action, but could be useful information.
Note Means reader take note. Notes contain helpful suggestions or references to materials not contained in this manual.
Caution Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.
Warning This warning symbol means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents. (To see translations of the warnings that appear in this publication, refer to the appendix “Translated Safety Warnings.”)
Related Publications
These documents provide complete information about the bridge:
Release Notes for 1400 Series Bridges
Cisco IOS Command Reference for Cisco Aironet Access Points and Bridges
Click this link to browse the available documentation:
http://www.cisco.com/cisco/web/psa/default.html
To browse to the 1400 series bridge documentation, choose Wireless > Outdoor Wireless > Cisco Aironet 1400 Series.
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.
Chapter 1 Overview
Cisco Aironet 1400 Series Bridges (hereafter called bridges) provide building-to-building wireless connectivity. Operating in the 5.8-GHz, UNII-3 band and conforming to the 802.11a standard, the 1400 series bridge delivers a 54-Mbps data rate. The bridge is a self-contained unit designed for outdoor installations. You can connect external antennas to the bridge to attain various antenna gains and coverage patterns. The bridge supports both point-to-point and point-to-multipoint configurations.
You can configure and monitor the bridge using the command-line interface (CLI), the browser-based management system, or Simple Network Management Protocol (SNMP).
This chapter provides information on the following topics:
  Features
  Management Options
  Network Configuration Examples
Features
Bridges running Cisco IOS offer these software features:
VLANs—Allow VLAN trunking on both wireless and Ethernet interfaces.
QoS—Use this feature to support quality of service for prioritizing traffic on the wireless interface.
RADIUS Accounting—Enable accounting on the bridge to send accounting data about wireless client devices to a RADIUS server on your network.
TACACS+ administrator authentication—Enable TACACS+ for server-based, detailed accounting information and flexible administrative control over authentication and authorization processes. It provides secure, centralized validation of administrators attempting to gain access to your bridge.
Enhanced security—Enable three advanced security features to protect against sophisticated attacks on your wireless network's WEP keys: Message Integrity Check (MIC) and WEP key hashing.
Enhanced authentication services—Set up non-root bridges to authenticate to your network like other wireless client devices. After you provide a network username and password for the non-root bridge, it authenticates to your network using LEAP, Cisco's wireless authentication method, and receives and uses dynamic WEP keys.
Management Options
You can use the bridge management system through the following interfaces:
The IOS command-line interface (CLI), which you use through a Telnet session. Most of the examples in this manual are taken from the CLI. Chapter 4, “Using the Command-Line Interface,” provides a detailed description of the CLI.
A web-browser interface, which you use through a web browser. Chapter 3, “Using the Web-Browser Interface,” provides a detailed description of the web-browser interface.
Simple Network Management Protocol (SNMP). Chapter 16, “Configuring SNMP,” explains how to configure your bridge for SNMP management.
Network Configuration Examples
This section describes the bridge’s role in common wireless bridging configurations: point-to-point, point-to-multipoint, and redundant bridging. One bridge in any pair or group of bridges must be a root bridge, and the bridge or bridges associated to the root bridge must be set to non-root.
Point-to-Point Bridging
In a point-to-point configuration, a non-root bridge associates to a root bridge. In installation mode, the bridge listens for another 1400 series bridge. If it does not recognize another bridge, the bridge becomes a root bridge. If it recognizes another bridge, it becomes a non-root bridge associated to the bridge it recognizes. See Chapter 2, “Configuring the Bridge for the First Time,” for instructions on initial bridge setup.
Figure 1-1 shows bridges in a point-to-point configuration.
Figure 1-1 Point-to-Point Bridge Configuration
Note If your bridges connect one or more large, flat networks (a network containing more than 256 users on the same subnet) we recommend that you use a router to connect the bridge to the large, flat network.
Point-to-Multipoint Bridging
In a point-to-multipoint configuration, two or more non-root bridges associate to a root bridge. Up to 17 non-root bridges can associate to a root bridge, but the non-root bridges must share the available bandwidth.
See Chapter 2, “Configuring the Bridge for the First Time,” for instructions on initial bridge setup.
Figure 1-2 shows bridges in a point-to-multipoint configuration.
Figure 1-2 Point-to-Multipoint Bridge Configuration
Note If your bridges connect one or more large, flat networks (a network containing more than 256 users on the same subnet) we recommend that you use a router to connect the bridge to the large, flat network.
Redundant Bridging
You can set up two pairs of bridges to add redundancy or load balancing to your bridge link. The bridges must use non-adjacent, non-overlapping radio channels to prevent interference, and they must use Spanning Tree Protocol (STP) to prevent bridge loops. See Chapter 8, “Configuring Spanning Tree Protocol,” for instructions on configuring STP.
Note STP is disabled by default.
Figure 1-3 shows two pairs of redundant bridges.
Figure 1-3 Redundant Bridge Configuration
CHAPTER 2
Configuring the Bridge for the First Time
This chapter describes how to configure basic settings on your bridge for the first time. You can configure all the settings described in this chapter using the CLI, but it might be simplest to browse to the bridge’s web-browser interface to complete the initial configuration and then use the CLI to enter additional settings for a more detailed configuration.
This chapter contains these sections:
Before You Start
Obtaining and Assigning an IP Address
Assigning Basic Settings
Protecting Your Wireless LAN
Using the IP Setup Utility
Assigning an IP Address Using the CLI
Using a Telnet Session to Access the CLI
Before You Start
Before you install the bridge, make sure you are using a computer connected to the same network as the bridge, and obtain the following information from your network administrator:
A system name for the bridge
The case-sensitive wireless service set identifier (SSID) that your bridges use
If not connected to a DHCP server, a unique IP address for your bridge (such as 172.17.255.115)
If the bridge is not on the same subnet as your PC, a default gateway address and subnet mask
A Simple Network Management Protocol (SNMP) community name and the SNMP file attribute (if SNMP is in use)
If you use IPSU to find or assign the bridge IP address, the MAC address from the product label on the bridge (such as 00164625854c)
Resetting the Bridge to Default Settings
If you need to start over during the initial setup process, follow these steps to reset the bridge to factory default settings using the MODE button on the long-reach power injector:
Step 1 Disconnect power from the power injector.
Step 2 Press and hold the MODE button while you reconnect the power cable.
Step 3 Hold the MODE button until the Status LED on the power injector turns amber (approximately 3 to 4 seconds), and release the button. Wait until the status LED turns green to indicate that the bridge has booted up. All bridge settings return to factory defaults.
Follow these steps to return to default settings using the web-browser interface:
Step 1 Open your Internet browser. You must use Microsoft Internet Explorer (version 5.x or later) or Netscape Navigator (version 4.x).
Step 2 Enter the bridge’s IP address in the browser address line and press Enter. An Enter Network Password window appears.
Step 3 Enter your username in the User Name field. The default username is Cisco.
Step 4 Enter the bridge password in the Password field and press Enter. The default password is Cisco. The Summary Status page appears.
Step 5 Click System Software and the System Software screen appears.
Step 6 Click System Configuration and the System Configuration screen appears.
Step 7 Click the Reset to Defaults button.
Note If the bridge is configured with a static IP address, the IP address does not change.
Obtaining and Assigning an IP Address
To browse to the bridge’s Express Setup page, you must either obtain or assign the bridge’s IP address using one of the following methods:
Use default address 10.0.0.1 when you connect to the bridge locally. For detailed instructions, see the “Connecting to the Bridge Locally” section on page 2-3.
Use a DHCP server (if available) to automatically assign an IP address. You can find out the DHCP-assigned IP address using one of the following methods:
Provide your organization’s network administrator with your bridge’s Media Access Control (MAC) address. Your network administrator will query the DHCP server using the MAC address to identify the IP address. The bridge’s MAC address is on the label attached to the bottom of the bridge.
Use the Cisco IP Setup Utility (IPSU) to identify the assigned address. You can also use IPSU to assign an IP address to the bridge if it did not receive an IP address from the DHCP server. IPSU runs on most Microsoft Windows operating systems: Windows 9x, 2000, Me, NT, and XP.
You can download IPSU from the Software Center on Cisco.com. Click this link to browse to the Software Center:
http://www.cisco.com/cisco/software/navigator.html
If the unit is a non-root bridge, browse to the Associations page on the root bridge to which the non-root is associated. The non-root bridge’s MAC address and IP address appear on the root bridge’s Associations page.
Connecting to the Bridge Locally
If you need to configure the bridge locally (without connecting the bridge to a wired LAN), you can connect a PC to the Ethernet port on the long-reach power injector using a Category 5 Ethernet cable. You can use a local connection to the power injector’s Ethernet port much as you would use a serial port connection.
Note You do not need a special crossover cable to connect your PC to the power injector; you can use either a straight-through cable or a crossover cable.
If the bridge is configured with default values and not connected to a DHCP server or cannot obtain an IP address, it defaults to IP address 10.0.0.1. When a non-root bridge associates to a root bridge, it receives an IP address from the root bridge. Browse to the Associations page on the root bridge to find the non-root bridge’s IP address, or use IPSU to find the IP address.
Follow these steps to connect to the bridge locally:
Step 1 Make sure that the PC you intend to use is configured to obtain an IP address automatically, or manually assign it an IP address from 10.0.0.2 to 10.0.0.10.
Step 2 With the power cable disconnected from the power injector, connect your PC to the power injector using a Category 5 Ethernet cable. You can use either a crossover cable or a straight-through cable.
Step 3 Connect the power injector to the bridge using dual coaxial cables.
Step 4 Connect the power injector power cable and power up the bridge.
Step 5 Follow the steps in the “Assigning Basic Settings” section on page 2-4. If you make a mistake and need to start over, follow the steps in the “Resetting the Bridge to Default Settings” section on page 2-2.
Step 6 After configuring the bridge, remove the Ethernet cable from your PC and connect the power injector to your wired LAN.
Note When you connect your PC to the bridge or reconnect your PC to the wired LAN, you might need to release and renew the IP address on the PC. On most PCs, you can perform a release and renew by rebooting your PC or by entering ipconfig /release and ipconfig /renew commands in a command prompt window. Consult your PC operating instructions for detailed instructions.
Assigning Basic Settings
After you determine or assign the bridge’s IP address, you can browse to the bridge’s Express Setup page and perform an initial configuration:
Step 1 Open your Internet browser. The bridge web-browser interface is fully compatible with these browsers: Microsoft Internet Explorer versions 5.0, 5.01, 5.5 and 6.0; and Netscape Navigator versions 4.79 and 7.0.
Step 2 Enter the bridge’s IP address in the browser address line and press Enter. An Enter Network Password screen appears.
Step 3 Press Tab to bypass the Username field and advance to the Password field.
Step 4 Enter the case-sensitive password Cisco and press Enter. The Summary Status page appears. Figure 2-1 shows the Summary Status page.
Figure 2-1 Summary Status Page
Step 5 Click Express Setup. The Express Setup screen appears. Figure 2-2 shows the Express Setup page.
Figure 2-2 Express Setup Page
Step 6 Enter the configuration settings you obtained from your system administrator. The configurable settings include:
System Name—The system name, while not an essential setting, helps identify the bridge on your network. The system name appears in the titles of the management system pages.
Configuration Server Protocol—Click on the button that matches the network’s method of IP address assignment.
DHCP—IP addresses are automatically assigned by your network’s DHCP server.
Static IP—The bridge uses a static IP address that you enter in the IP address field.
IP Address—Use this setting to assign or change the bridge’s IP address. If DHCP is enabled for your network, leave this field blank.
Note If the bridge’s IP address changes while you are configuring the bridge using the web-browser interface or a Telnet session over the wired LAN, you lose your connection to the bridge. If you lose your connection, reconnect to the bridge using its new IP address. Follow the steps in the “Resetting the Bridge to Default Settings” section on page 2-2 if you need to start over.
IP Subnet Mask—Enter the IP subnet mask provided by your network administrator so the IP address can be recognized on the LAN. If DHCP is enabled, leave this field blank.
Default Gateway—Enter the default gateway IP address provided by your network administrator. If DHCP is enabled, leave this field blank.
Radio Service Set ID (SSID)—Enter the case-sensitive SSID (32 alphanumeric characters maximum) provided by your network administrator. The SSID is a unique identifier that bridges use to associate to each other.
Broadcast SSID in Beacon—Use this setting to allow bridges that do not specify an SSID to associate with the bridge.
Yes—This is the default setting; it allows bridges that do not specify an SSID to associate with the bridge.
No—Bridges must specify an SSID to associate with the bridge. With No selected, the SSID used by other bridges must match exactly the bridge’s SSID.
Role in Radio Network—Click on the button that describes the role of the bridge on your network. Select Root if the bridge is a root bridge. Select Non-Root if it is a non-root bridge. Select Install Mode to put the bridge into installation mode. One bridge in any pair or group of bridges must be set to root, and the bridge or bridges associated to the root bridge must be set to non-root.
Optimize Radio Network for—Use this setting to select either preconfigured settings for the bridge radio or customized settings for the bridge radio. See the “Configuring Radio Data Rates” section on page 6-3 for more information on data rates and throughput.
Throughput—Maximizes the data volume handled by the bridge but might reduce its range. When you select Throughput, the bridge sets all data rates to basic.
Range—Maximizes the bridge’s range but might reduce throughput. When you select Range, the bridge sets the 6-Mbps rate to basic and the other rates to enabled.
Default—The bridge retains default radio settings that are designed to provide good range and throughput for most bridges.
Custom—The bridge uses settings you enter on the Network Interfaces: Radio-802.11b Settings page. Clicking Custom takes you to the Network Interfaces: Radio-802.11b Settings page.
Aironet Extensions—This setting is always enabled on 1400 series bridges.
SNMP Community—If your network is using SNMP, enter the SNMP Community name provided by your network administrator and select the attributes of the SNMP data (also provided by your network administrator).
Step 7 Click Apply to save your settings. If you changed the IP address, you lose your connection to the bridge. Browse to the new IP address to reconnect to the bridge.
Your bridge is now running but probably requires additional configuring to conform to your network’s operational and security requirements. Consult the chapters in this manual for the information you need to complete the configuration.
Note You can restore the bridge to its factory defaults by unplugging the power cable from the power injector and plugging it back in while holding down the power injector Mode button for a few seconds, or until the power injector Status LED turns amber.
Default Settings on the Express Setup Page
Table 2-1 lists the default settings for the settings on the Express Setup page.
Table 2-1 Default Settings on the Express Setup Page
| Setting | Default |
|---|---|
| System Name | bridge |
| Configuration Server Protocol | DHCP |
| IP Address | Assigned by DHCP by default; if DHCP is disabled, the default setting is 10.0.0.1 |
| IP Subnet Mask | Assigned by DHCP by default; if DHCP is disabled, the default setting is 255.255.255.224 |
| Default Gateway | Assigned by DHCP by default; if DHCP is disabled, the default setting is 0.0.0.0 |
| Radio Service Set ID (SSID) | autoinstall |
| Broadcast SSID in Beacon | Yes |
| Role in Radio Network | Bridge (root) |
| Optimize Radio Network for | Default |
| Aironet Extensions | Enable |
| SNMP Community | defaultCommunity |
Protecting Your Wireless LAN
After you assign basic settings to your bridge, you must configure security settings to prevent unauthorized access to your network. Because it is a radio device, the bridge can communicate beyond the physical boundaries of your building. Configure some combination of these security features to protect your network from intruders:
A unique SSID that is not broadcast in the bridge beacon (see Chapter 7, “Configuring SSIDs”)
WEP and WEP features (see Chapter 9, “Configuring WEP and WEP Features”)
Dynamic WEP and bridge authentication (see Chapter 10, “Configuring Authentication Types”)
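The following check is an added example, not part of the Cisco guide: it compares a bridge's Express Setup values with the factory defaults listed in this chapter and reports the ones still unchanged. The key names "Username" and "Password", the severity ranking, the notes and the sample values are assumptions made for the example.

```python
"""Flag Express Setup values that are still at the factory defaults on this page."""

SSID = "Radio Service Set ID (SSID)"
IP = "IP Address"

# Factory values from Table 2-1 plus the default login (Cisco / Cisco) given in
# this chapter. "Username" and "Password" are key names chosen for this example.
FACTORY = {
    "Password": "Cisco",
    "Username": "Cisco",
    "SNMP Community": "defaultCommunity",
    SSID: "autoinstall",
    "Broadcast SSID in Beacon": "Yes",
    IP: "10.0.0.1",
    "System Name": "bridge",
}

# Severity ranking and notes are this example's own judgement, not Cisco's.
RULES = {
    "Password": ("high", "default password still opens the management interface"),
    "Username": ("medium", "default administrator username"),
    "SNMP Community": ("high", "default community name is printed in the manual"),
    SSID: ("medium", "default SSID; the guide calls for a unique SSID"),
    "Broadcast SSID in Beacon": ("medium", "bridges that specify no SSID can associate"),
    IP: ("low", "default address; no DHCP or static address was applied"),
    "System Name": ("info", "default name does not identify the bridge"),
}
RANK = {"high": 0, "medium": 1, "low": 2, "info": 3, "unknown": 4}


def audit(settings):
    """Return (severity, setting, note) tuples, most severe first."""
    findings = []
    for name, factory_value in FACTORY.items():
        if name not in settings:
            findings.append(("unknown", name, "not supplied; check it on the bridge"))
        elif settings[name] == factory_value:  # SSID and password are case-sensitive
            severity, note = RULES[name]
            findings.append((severity, name, note))
    # Cross-field check: the page says IPSU can set the IP address and SSID only
    # while they are unchanged from their defaults.
    if settings.get(IP) == FACTORY[IP] and settings.get(SSID) == FACTORY[SSID]:
        findings.append(("high", "IPSU", "IP address and SSID can still be set with IPSU"))
    if len(settings.get(SSID, "")) > 32:
        findings.append(("info", SSID, "longer than the 32-character maximum"))
    return sorted(findings, key=lambda finding: RANK[finding[0]])


# Constructed sample: a bridge straight out of the box.
FACTORY_SAMPLE = dict(FACTORY)

# Constructed sample: every value below was made up for this example, except
# the IP address, which is the sample address used in "Before You Start".
HARDENED_SAMPLE = {
    "Password": "constructed-Passphrase-41",
    "Username": "netops",
    "SNMP Community": "constructedReadOnly",
    SSID: "Bldg7Link",
    "Broadcast SSID in Beacon": "No",
    IP: "172.17.255.115",
    "System Name": "bldg7-root",
}

if __name__ == "__main__":
    for label, sample in (("factory", FACTORY_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        print(label)
        for severity, setting, note in audit(sample):
            print(f"  [{severity}] {setting}: {note}")
```
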
Using the IP Setup Utility
IPSU enables you to find the bridge’s IP address when it has been assigned by a DHCP server. You can also use IPSU to set the bridge’s IP address and SSID if they have not been changed from the default settings. This section explains how to download the utility from Cisco.com and install it, how to use it to find the bridge’s IP address, and how to use it to set the IP address and the SSID.
Note IPSU can be used only on the following operating systems: Windows 95, 98, NT, 2000, ME, or XP.
Obtaining and Installing IPSU
IPSU is available on the Cisco web site. Follow these steps to obtain and install IPSU:
Step 1 Use your Internet browser to access the Cisco Software Center at the following URL:
http://www.cisco.com/cisco/software/navigator.html
Step 2 Click Cisco Aironet Wireless LAN Client Adapters.
Step 3 Scroll down to the Windows Utility section.
Step 4 Click Cisco Aironet Client Utility (ACU) for Windows.
Step 5 Click the file IPSUvxxxxxx.exe. The vxxxxxx identifies the software package version number.
Step 6 Read and accept the terms and conditions of the Software License Agreement.
Step 7 Download and save the file to a temporary directory on your hard drive and then exit the Internet browser.
Step 8 Double-click IPSUvxxxxxx.exe in the temporary directory to expand the file.
Step 9 Double-click Setup.exe and follow the steps provided by the installation wizard to install IPSU.
The IPSU icon appears on your computer desktop.
Using IPSU to Find the Bridge’s IP Address
If your bridge receives an IP address from a DHCP server, you can use IPSU to find its IP address. Because IPSU sends a reverse-ARP request based on the bridge MAC address, you must run IPSU from a computer on the same subnet as the bridge. Follow these steps to find the bridge’s IP address:
Step 1 Double-click the IPSU icon on your computer desktop to start the utility. The IPSU screen appears (see Figure 2-3).
Figure 2-3 IPSU Get IP Address Screen
Step 2 When the utility window opens, make sure the Get IP addr radio button in the Function box is selected.
Step 3 Enter the bridge’s MAC address in the Device MAC ID field. The bridge’s MAC address is printed on the label on the bottom of the unit. It should contain six pairs of hexadecimal digits. Your bridge’s MAC address might look like the following example:
000164xxxxxx
Note The MAC address field is not case-sensitive.
Step 4 Click Get IP Address.
Step 5 When the bridge’s IP address appears in the IP Address field, write it down.
If IPSU reports that the IP address is 10.0.0.1, the default IP address, then the bridge did not receive a DHCP-assigned IP address. To change the bridge IP address from the default value using IPSU, refer to the “Using IPSU to Set the Bridge’s IP Address and SSID” section on page 2-10.
Using IPSU to Set the Bridge’s IP Address and SSID
If you want to change the default IP address (10.0.0.1) of the bridge, you can use IPSU. You can also set the bridge’s SSID at the same time.
Note IPSU can change the bridge’s IP address and SSID only from their default settings. After the IP address and SSID have been changed, IPSU cannot change them again.
Note The computer you use to assign an IP address to the bridge must have an IP address in the same subnet as the bridge (10.0.0.x).
Follow these steps to assign an IP address and an SSID to the bridge:
Step 1 Double-click the IPSU icon on your computer desktop to start the utility.
Step 2 Click the Set Parameters radio button in the Function box (see Figure 2-4).
Figure 2-4 IPSU Set Parameters Screen
Step 3 Enter the bridge’s MAC address in the Device MAC ID field. The bridge’s MAC address is printed on a label on the bridge. It should contain six pairs of hexadecimal digits. Your bridge’s MAC address might look like this example:
004096xxxxxx
Note The MAC address field is not case-sensitive.
Step 4 Enter the IP address you want to assign to the bridge in the IP Address field.
Step 5 Enter the SSID you want to assign to the bridge in the SSID field.
Note You cannot set the SSID without also setting the IP address. However, you can set the IP address without setting the SSID.
Step 6 Click Set Parameters to change the bridge’s IP address and SSID settings.
Step 7 Click Exit to exit IPSU.
Assigning an IP Address Using the CLI
When you connect the bridge to the wired LAN, the bridge links to the network using a bridge virtual interface (BVI) that it creates automatically. Instead of tracking separate IP addresses for the bridge’s Ethernet and radio ports, the network uses the BVI.
Note The bridge supports only one BVI. Configuring more than one BVI might cause errors in the bridge’s ARP table.
When you assign an IP address to the bridge using the CLI, you must assign the address to the BVI. Beginning in privileged EXEC mode, follow these steps to assign an IP address to the bridge’s BVI:
| Step | Command | Purpose |
|---|---|---|
| Step 1 | configure terminal | Enter global configuration mode. |
| Step 2 | interface bvi1 | Enter interface configuration mode for the BVI. |
| Step 3 | ip address address mask | Assign an IP address and address mask to the BVI. |

Note If you are connected to the bridge using a Telnet session, you lose your connection to the bridge when you assign a new IP address to the BVI. If you need to continue configuring the bridge using Telnet, use the new IP address to open another Telnet session to the bridge.
Using a Telnet Session to Access the CLI
Follow these steps to access the CLI using a Telnet session. These steps are for a PC running Microsoft Windows with a Telnet terminal application. Check your PC operating instructions for detailed instructions for your operating system.
Step 1 Select Start > Programs > Accessories > Telnet.
If Telnet is not listed in your Accessories menu, select Start > Run, type Telnet in the entry field, and press Enter.
Step 2 When the Telnet window appears, click Connect and select Remote System.
Note In Windows 2000, the Telnet window does not contain drop-down menus. To start the Telnet session in Windows 2000, type open followed by the bridge’s IP address.
Step 3 In the Host Name field, type the bridge’s IP address and click Connect.
CHAPTER 3
Using the Web-Browser Interface
This chapter describes the web-browser interface that you can use to configure the bridge. It contains these sections:
Using the Web-Browser Interface for the First Time
Using the Management Pages in the Web-Browser Interface
Using Online Help
The web-browser interface contains management pages that you use to change bridge settings, upgrade firmware, and monitor and configure other wireless devices on the network.
Note The bridge web-browser interface is fully compatible with these browsers: Microsoft Internet Explorer versions 5.0, 5.01, 5.5 and 6.0; and Netscape Navigator versions 4.79 and 7.0.
Using the Web-Browser Interface for the First Time
Use the bridge’s IP address to browse to the management system. See the “Obtaining and Assigning an IP Address” section on page 2-3 for instructions on assigning an IP address to the bridge.
Follow these steps to begin using the web-browser interface:
Step 1 Start the browser.
Step 2 Enter the bridge’s IP address in the browser Location field (Netscape Communicator) or Address field (Internet Explorer) and press Enter.
Step 3 Enter the administrator username and password and press Enter. The default username is Cisco and the default password is Cisco. The Summary Status page appears.
Using the Management Pages in the Web-Browser Interface
The system management pages use consistent techniques to present and save configuration information. A navigation bar is on the left side of the page, and configuration action buttons appear at the bottom. You use the navigation bar to browse to other management pages, and you use the configuration action buttons to save or cancel changes to the configuration.
Note It’s important to remember that clicking your browser’s Back button returns you to the previous page without saving any changes you have made. Clicking Cancel cancels any changes you made on the page and keeps you on that page. Changes are only applied when you click Apply.
Figure 3-1 shows the web-browser interface home page.
Figure 3-1 Web-Browser Interface Home Page
Using Action Buttons
Table 3-1 lists the page links and buttons that appear on most management pages.
Table 3-1 Common Buttons on Management Pages
| Button/Link | Description |
|---|---|
| Navigation Links | |
| Home | Displays bridge status page with information on the number of radio devices associated to the bridge, the status of the Ethernet and radio interfaces, and a list of recent bridge activity. |
| Express Setup | Displays the Express Setup page that includes basic settings such as system name, IP address, and SSID. |
| Network Map | Displays a list of infrastructure devices on your wireless LAN. |
| Association | Displays a list of all devices on your wireless LAN, listing their system names, network roles, and parent-client relationships. |
| Network Interfaces | Displays status and statistics for the Ethernet and radio interfaces and provides links to configuration pages for each interface. |
| Security | Displays a summary of security settings and provides links to security configuration pages. |
| Services | Displays status for several bridge features and links to configuration pages for Telnet/SSH, CDP, domain name server, filters, proxy Mobile IP, QoS, SNMP, SNTP, and VLANs. |
| System Software | Displays the version number of the firmware that the bridge is running and provides links to configuration pages for upgrading and managing firmware. |
| Event Log | Displays the bridge event log and provides links to configuration pages where you can select events to be included in traps, set event severity levels, and set notification methods. |
| Configuration Action Buttons | |
| Apply | Saves changes made on the page and remains on the page. |
| Refresh | Updates status information or statistics displayed on a page. |
| Cancel | Discards changes to the page and remains on the page. |
| Back | Discards any changes made to the page and returns to the previous page. |
Character Restrictions in Entry Fields
Because the 1400 series bridge uses Cisco IOS software, there are certain characters that you cannot use in the entry fields on the web-browser interface. Table 3-2 lists the illegal characters and the fields in which you cannot use them.
Table 3-2 Illegal Characters for Web-Browser Interface Entry Fields
| Entry Field Type | Illegal Characters |
|---|---|
| Password entry fields | ? “ $ [ + |
| All other entry fields | ? “ $ [ + |
You also cannot use these three characters as the first character in an entry field:
! # ;
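The example below is added here and is not part of the Cisco guide: it checks a candidate entry against the character restrictions above and generates a random replacement for the default password that those restrictions accept. Treating the ASCII double quote as equivalent to the typographic quote printed in Table 3-2, the candidate alphabet and the 12-character minimum are assumptions of this example.

```python
import secrets
import string

# Table 3-2: characters not accepted anywhere in an entry field. The table
# prints the quote as a typographic mark; also rejecting the ASCII double
# quote is an assumption of this example.
ILLEGAL_ANYWHERE = frozenset('?"$[+\u201c')
# Characters not accepted as the first character of an entry field.
ILLEGAL_FIRST = frozenset("!#;")
# Candidate alphabet chosen for this example: letters, digits, a few symbols.
CANDIDATES = string.ascii_letters + string.digits + "-_.:=@%^*~!#;"


def field_violations(value):
    """Return (index, character, rule) for every restriction the value breaks."""
    problems = []
    for index, char in enumerate(value):
        if char in ILLEGAL_ANYWHERE:
            problems.append((index, char, "illegal character"))
        elif index == 0 and char in ILLEGAL_FIRST:
            problems.append((index, char, "illegal first character"))
    return problems


def generate_password(length=20):
    """Build a random password that the entry-field restrictions accept."""
    if length < 12:  # minimum length is this example's own choice
        raise ValueError("use at least 12 characters")
    body = [c for c in CANDIDATES if c not in ILLEGAL_ANYWHERE]
    first = [c for c in body if c not in ILLEGAL_FIRST]
    chars = [secrets.choice(first)]
    chars += [secrets.choice(body) for _ in range(length - 1)]
    return "".join(chars)


if __name__ == "__main__":
    # Constructed inputs: one that breaks both rules, one freshly generated.
    for candidate in ("#lab$1", generate_password()):
        print(repr(candidate), field_violations(candidate) or "accepted")
```
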
Using Online Help
Click the help icon at the top of any page in the web-browser interface to display online help. Figure 3-2 shows the print and help icons.
Figure 3-2 Print and Help Icons
When a help page appears in a new browser window, use the Select a topic drop-down menu to display the help index or instructions for common configuration tasks, such as configuring VLANs.
CHAPTER 4
Using the Command-Line Interface
This chapter describes the IOS command-line interface (CLI) that you can use to configure your bridge. It contains these sections:
IOS Command Modes
Getting Help
Abbreviating Commands
Using no and default Forms of Commands
Understanding CLI Messages
Using Command History
Using Editing Features
Searching and Filtering Output of show and more Commands
Accessing the CLI
IOS Command Modes
The Cisco IOS user interface is divided into many different modes. The commands available to you depend on which mode you are currently in. Enter a question mark (?) at the system prompt to obtain a list of commands available for each command mode.
When you start a session on the bridge, you begin in user mode, often called user EXEC mode. Only a limited subset of the commands are available in user EXEC mode. For example, most of the user EXEC commands are one-time commands, such as show commands, which show the current configuration status, and clear commands, which clear counters or interfaces. The user EXEC commands are not saved when the bridge reboots.
To have access to all commands, you must enter privileged EXEC mode. Normally, you must enter a password to enter privileged EXEC mode. You must be in privileged EXEC mode before you can enter global configuration mode.
Using the configuration modes (global, interface, and line), you can make changes to the running configuration. If you save the configuration, these commands are stored and used when the bridge reboots. To access the various configuration modes, you must start at global configuration mode. From global configuration mode, you can enter interface configuration mode and line configuration mode.
Table 4-1 describes the main command modes, how to access each one, the prompt you see in that mode, and how to exit the mode. The examples in the table use the host name BR.
Table 4-1 Command Mode Summary

Mode: User EXEC
Access Method: Begin a session with your bridge.
Prompt: BR>
Exit Method: Enter logout or quit.
About This Mode: Use this mode to change terminal settings, perform basic tests, and display system information.

Mode: Privileged EXEC
Access Method: While in user EXEC mode, enter the enable command.
Prompt: BR#
Exit Method: Enter disable to exit.
About This Mode: Use this mode to verify commands. Use a password to protect access to this mode.

Mode: Global configuration
Access Method: While in privileged EXEC mode, enter the configure command.
Prompt: BR(config)#
Exit Method: To exit to privileged EXEC mode, enter exit or end, or press Ctrl-Z.
About This Mode: Use this mode to configure parameters that apply to the entire bridge.

Mode: Interface configuration
Access Method: While in global configuration mode, enter the interface command (with a specific interface).
Prompt: BR(config-if)#
Exit Method: To exit to global configuration mode, enter exit. To return to privileged EXEC mode, press Ctrl-Z or enter end.
About This Mode: Use this mode to configure parameters for the Ethernet and radio interfaces. The 2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1.
Getting Help
You can enter a question mark (?) at the system prompt to display a list of commands available for each command mode. You can also obtain a list of associated keywords and arguments for any command, as shown in Table 4-2.
Table 4-2 Help Summary
Command Purpose
help Obtains a brief description of the help system in any command mode.
abbreviated-command-entry? Obtains a list of commands that begin with a particular character string.
For example:
BR# di?
dir disable disconnect
abbreviated-command-entry<Tab> Completes a partial command name.
For example:
BR# sh conf<tab>
BR# show configuration
? Lists all commands available for a particular command mode.
For example:
BR> ?
command ? Lists the associated keywords for a command.
For example:
BR> show ?
command keyword ? Lists the associated arguments for a keyword.
For example:
BR(config)# cdp holdtime ?
<10-255> Length of time (in sec) that receiver must keep this packet
Abbreviating Commands
You have to enter only enough characters for the bridge to recognize the command as unique. This example shows how to enter the show configuration privileged EXEC command:
BR# show conf
Using no and default Forms of Commands
Most configuration commands also have a no form. In general, use the no form to disable a feature or function or reverse the action of a command. For example, the no shutdown interface configuration command reverses the shutdown of an interface. Use the command without the keyword no to re-enable a disabled feature or to enable a feature that is disabled by default.
Configuration commands can also have a default form. The default form of a command returns the command setting to its default. Most commands are disabled by default, so the default form is the same as the no form. However, some commands are enabled by default and have variables set to certain default values. In these cases, the default command enables the command and sets variables to their default values.
Understanding CLI Messages
Table 4-3 lists some error messages that you might encounter while using the CLI to configure your bridge.
Table 4-3 Common CLI Error Messages

Error Message: % Ambiguous command: "show con"
Meaning: You did not enter enough characters for your bridge to recognize the command.
How to Get Help: Re-enter the command followed by a question mark (?) with a space between the command and the question mark. The possible keywords that you can enter with the command are displayed.

Error Message: % Incomplete command.
Meaning: You did not enter all the keywords or values required by this command.
How to Get Help: Re-enter the command followed by a question mark (?) with a space between the command and the question mark. The possible keywords that you can enter with the command are displayed.

Error Message: % Invalid input detected at ‘^’ marker.
Meaning: You entered the command incorrectly. The caret (^) marks the point of the error.
How to Get Help: Enter a question mark (?) to display all the commands that are available in this command mode. The possible keywords that you can enter with the command are displayed.
Using Command History
The IOS provides a history or record of commands that you have entered. This feature is particularly useful for recalling long or complex commands or entries, including access lists. You can customize the command history feature to suit your needs as described in these sections:
Changing the Command History Buffer Size
Recalling Commands
Disabling the Command History Feature
Changing the Command History Buffer Size
By default, the bridge records ten command lines in its history buffer. Beginning in privileged EXEC mode, enter this command to change the number of command lines that the bridge records during the current terminal session:
BR# terminal history [size number-of-lines]
The range is from 0 to 256.
Beginning in line configuration mode, enter this command to configure the number of command lines the bridge records for all sessions on a particular line:
BR(config-line)# history [size number-of-lines]
The range is from 0 to 256.
Recalling Commands
To recall commands from the history buffer, perform one of the actions listed in Table 4-4:
Table 4-4 Recalling Commands
Action(1) Result
Press Ctrl-P or the up arrow key. Recall commands in the history buffer, beginning with the most recent command. Repeat the key sequence to recall successively older commands.
Press Ctrl-N or the down arrow key. Return to more recent commands in the history buffer after recalling commands with Ctrl-P or the up arrow key. Repeat the key sequence to recall successively more recent commands.
show history While in privileged EXEC mode, list the last several commands that you just entered. The number of commands that are displayed is determined by the setting of the terminal history global configuration command and history line configuration command.
1. The arrow keys function only on ANSI-compatible terminals such as VT100s.
Disabling the Command History Feature
The command history feature is automatically enabled.
To disable the feature during the current terminal session, enter the terminal no history privileged EXEC command.
To disable command history for the line, enter the no history line configuration command.
Using Editing Features
This section describes the editing features that can help you manipulate the command line. It contains these sections:
Enabling and Disabling Editing Features
Editing Commands Through Keystrokes
Editing Command Lines that Wrap
Enabling and Disabling Editing Features
Although enhanced editing mode is automatically enabled, you can disable it.
To re-enable the enhanced editing mode for the current terminal session, enter this command in privileged EXEC mode:
BR# terminal editing
To reconfigure a specific line to have enhanced editing mode, enter this command in line configuration mode:
BR(config-line)# editing
To globally disable enhanced editing mode, enter this command in line configuration mode:
BR(config-line)# no editing
Editing Commands Through Keystrokes
Table 4-5 shows the keystrokes that you need to edit command lines.
Table 4-5 Editing Commands Through Keystrokes
Capability Keystroke(1) Purpose

Capability: Move around the command line to make changes or corrections.
  Ctrl-B or the left arrow key: Move the cursor back one character.
  Ctrl-F or the right arrow key: Move the cursor forward one character.
  Ctrl-A: Move the cursor to the beginning of the command line.
  Ctrl-E: Move the cursor to the end of the command line.
  Esc B: Move the cursor back one word.
  Esc F: Move the cursor forward one word.
  Ctrl-T: Transpose the character to the left of the cursor with the character located at the cursor.

Capability: Recall commands from the buffer and paste them in the command line. The bridge provides a buffer with the last ten items that you deleted.
  Ctrl-Y: Recall the most recent entry in the buffer.
  Esc Y: Recall the next buffer entry. The buffer contains only the last 10 items that you have deleted or cut. If you press Esc Y more than ten times, you cycle to the first buffer entry.

Capability: Delete entries if you make a mistake or change your mind.
  Delete or Backspace: Erase the character to the left of the cursor.
  Ctrl-D: Delete the character at the cursor.
  Ctrl-K: Delete all characters from the cursor to the end of the command line.
  Ctrl-U or Ctrl-X: Delete all characters from the cursor to the beginning of the command line.
  Ctrl-W: Delete the word to the left of the cursor.
  Esc D: Delete from the cursor to the end of the word.

Capability: Capitalize or lowercase words or capitalize a set of letters.
  Esc C: Capitalize at the cursor.
  Esc L: Change the word at the cursor to lowercase.
  Esc U: Capitalize letters from the cursor to the end of the word.

Capability: Designate a particular keystroke as an executable command, perhaps as a shortcut.
  Ctrl-V or Esc Q

Capability: Scroll down a line or screen on displays that are longer than the terminal screen can display.
Note The More prompt appears for output that has more lines than can be displayed on the terminal screen, including show command output. You can use the Return and Space bar keystrokes whenever you see the More prompt.
  Return: Scroll down one line.
  Space: Scroll down one screen.

Capability: Redisplay the current command line if the bridge suddenly sends a message to your screen.
  Ctrl-L or Ctrl-R: Redisplay the current command line.

1. The arrow keys function only on ANSI-compatible terminals such as VT100s.
Editing Command Lines that Wrap
You can use a wraparound feature for commands that extend beyond a single line on the screen. When the cursor reaches the right margin, the command line shifts ten spaces to the left. You cannot see the first ten characters of the line, but you can scroll back and check the syntax at the beginning of the command.
To scroll back to the beginning of the command entry, press Ctrl-B or the left arrow key repeatedly. You can also press Ctrl-A to immediately move to the beginning of the line.
Note The arrow keys function only on ANSI-compatible terminals such as VT100s.
In this example, the access-list global configuration command entry extends beyond one line. When the cursor first reaches the end of the line, the line is shifted ten spaces to the left and redisplayed. The dollar sign ($) shows that the line has been scrolled to the left. Each time the cursor reaches the end of the line, the line is again shifted ten spaces to the left.
BR(config)# access-list 101 permit tcp 131.108.2.5 255.255.255.0 131.108.1
BR(config)# $ 101 permit tcp 131.108.2.5 255.255.255.0 131.108.1.20 255.25
BR(config)# $t tcp 131.108.2.5 255.255.255.0 131.108.1.20 255.255.255.0 eq
BR(config)# $108.2.5 255.255.255.0 131.108.1.20 255.255.255.0 eq 45
After you complete the entry, press Ctrl-A to check the complete syntax before pressing the Return key to execute the command. The dollar sign ($) appears at the end of the line to show that the line has been scrolled to the right:
BR(config)# access-list 101 permit tcp 131.108.2.5 255.255.255.0 131.108.1$
The software assumes you have a terminal screen that is 80 columns wide. If you have a width other than that, use the terminal width privileged EXEC command to set the width of your terminal.
Use line wrapping with the command history feature to recall and modify previous complex command entries. For information about recalling previous command entries, see the “Editing Commands Through Keystrokes” section on page 4-6.
Searching and Filtering Output of show and more Commands
You can search and filter the output for show and more commands. This is useful when you need to sort through large amounts of output or if you want to exclude output that you do not need to see.
To use this functionality, enter a show or more command followed by the pipe character (|), one of the keywords begin, include, or exclude, and an expression that you want to search for or filter out:
command | {begin | include | exclude} regular-expression
Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output are not displayed, but the lines that contain Output are displayed.
This example shows how to include in the output display only lines where the expression protocol appears:
BR# show interfaces | include protocol
Vlan1 is up, line protocol is up
Vlan10 is up, line protocol is down
GigabitEthernet0/1 is up, line protocol is down
GigabitEthernet0/2 is up, line protocol is up
Accessing the CLI
You can open the bridge’s CLI using Telnet or Secure Shell (SSH).
Opening the CLI with Telnet
Follow these steps to open the CLI with Telnet. These steps are for a PC running Microsoft Windows with a Telnet terminal application. Check your PC operating instructions for detailed instructions for your operating system.
Step 1 Select Start > Programs > Accessories > Telnet.
If Telnet is not listed in your Accessories menu, select Start > Run, type Telnet in the entry field, and press Enter.
Step 2 When the Telnet window appears, click Connect and select Remote System.
Note In Windows 2000, the Telnet window does not contain drop-down menus. To start the Telnet session in Windows 2000, type open followed by the bridge’s IP address.
Step 3 In the Host Name field, type the bridge’s IP address and click Connect.
Step 4 At the username and password prompts, enter your administrator username and password. The default username is Cisco, and the default password is Cisco. The default enable password is also Cisco. Usernames and passwords are case-sensitive.
Opening the CLI with Secure Shell
Secure Shell Protocol is a protocol that provides a secure, remote connection to networking devices set up to use it. Secure Shell (SSH) is a software package that provides secure login sessions by encrypting the entire session. SSH features strong cryptographic authentication, strong encryption, and integrity protection. For detailed information on SSH, visit the homepage of SSH Communications Security, Ltd. at this URL: http://www.ssh.com/
SSH provides more security for remote connections than Telnet by providing strong encryption when a device is authenticated. See the “Configuring the Bridge for Secure Shell” section on page 5-16 for detailed instructions on setting up the bridge for SSH access.
CHAPTER 5
Administering the Bridge
This chapter describes how to administer your bridge. This chapter contains these sections:
Preventing Unauthorized Access to Your Bridge
Protecting Access to Privileged EXEC Commands
Controlling Bridge Access with RADIUS
Controlling Bridge Access with TACACS+
Configuring the Bridge for Local Authentication and Authorization
Configuring the Bridge for Secure Shell
Managing the System Time and Date
Configuring a System Name and Prompt
Creating a Banner
Preventing Unauthorized Access to Your Bridge
You can prevent unauthorized users from reconfiguring your bridge and viewing configuration information. Typically, you want network administrators to have access to the bridge while you restrict access to users who connect through a terminal or workstation from within the local network.
To prevent unauthorized access to your bridge, you should configure one of these security features:
Username and password pairs, which are locally stored on the bridge. These pairs authenticate each user before that user can access the bridge. You can also assign a specific privilege level (read only or read/write) to each username and password pair. For more information, see the “Configuring Username and Password Pairs” section on page 5-5. The default username is Cisco, and the default password is Cisco. Usernames and passwords are case-sensitive.
Username and password pairs stored centrally in a database on a security server. For more information, see the “Controlling Bridge Access with RADIUS” section on page 5-7.
Protecting Access to Privileged EXEC Commands
A simple way of providing terminal access control in your network is to use passwords and assign privilege levels. Password protection restricts access to a network or network device. Privilege levels define what commands users can issue after they have logged into a network device.
Note For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Security Command Reference for Release 12.2.
This section describes how to control access to the configuration file and privileged EXEC commands. It contains this configuration information:
Default Password and Privilege Level Configuration
Setting or Changing a Static Enable Password
Protecting Enable and Enable Secret Passwords with Encryption
Configuring Username and Password Pairs
Configuring Multiple Privilege Levels
Default Password and Privilege Level Configuration
Table 5-1 shows the default password and privilege level configuration.
Table 5-1 Default Password and Privilege Levels
Feature Default Setting
Username and password Default username is Cisco and the default password is Cisco.
Enable password and privilege level Default password is Cisco. The default is level 15 (privileged EXEC level). The password is encrypted in the configuration file.
Enable secret password and privilege level The default enable password is Cisco. The default is level 15 (privileged EXEC level). The password is encrypted before it is written to the configuration file.
Line password Default password is Cisco. The password is encrypted in the configuration file.
Setting or Changing a Static Enable Password
The enable password controls access to the privileged EXEC mode.
Note The no enable password global configuration command removes the enable password, but you should use extreme care when using this command. If you remove the enable password, you are locked out of the EXEC mode.
Beginning in privileged EXEC mode, follow these steps to set or change a static enable password:
Command Purpose
Step 1 configure terminal Enter global configuration mode.
Step 2 enable password password Define a new password or change an existing password for access to privileged EXEC mode.
The default password is Cisco.
For password, specify a string from 1 to 25 alphanumeric characters. The string cannot start with a number, is case sensitive, and allows spaces but ignores leading spaces. It can contain the question mark (?) character if you precede the question mark with the key combination Ctrl-V when you create the password; for example, to create the password abc?123, do this:
1. Enter abc.
2. Enter Ctrl-V.
3. Enter ?123.
When the system prompts you to enter the enable password, you need not precede the question mark with the Ctrl-V; you can simply enter abc?123 at the password prompt.
Step 3 end Return to privileged EXEC mode.
Step 4 show running-config Verify your entries.
Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
The enable password is not encrypted and can be read in the bridge configuration file.
This example shows how to change the enable password to l1u2c3k4y5. The password is not encrypted and provides access to level 15 (traditional privileged EXEC mode access):
bridge(config)# enable password l1u2c3k4y5
Protecting Enable and Enable Secret Passwords with Encryption
To provide an additional layer of security, particularly for passwords that cross the network or that are stored on a Trivial File Transfer Protocol (TFTP) server, you can use either the enable password or enable secret global configuration commands. Both commands accomplish the same thing; that is, you can establish an encrypted password that users must enter to access privileged EXEC mode (the default) or any privilege level you specify.
We recommend that you use the enable secret command because it uses an improved encryption algorithm.
If you configure the enable secret command, it takes precedence over the enable password command; the two commands cannot be in effect simultaneously.
Beginning in privileged EXEC mode, follow these steps to configure encryption for enable and enable secret passwords:
Command Purpose
Step 1 configure terminal Enter global configuration mode.
Step 2 enable password [level level] {password | encryption-type encrypted-password} Define a new password or change an existing password for access to privileged EXEC mode.
or
enable secret [level level] {password | encryption-type encrypted-password} Define a secret password, which is saved using a nonreversible encryption method.
(Optional) For level, the range is from 0 to 15. Level 1 is normal user EXEC mode privileges. The default level is 15 (privileged EXEC mode privileges).
For password, specify a string from 1 to 25 alphanumeric characters. The string cannot start with a number, is case sensitive, and allows spaces but ignores leading spaces. By default, no password is defined.
(Optional) For encryption-type, only type 5, a Cisco proprietary encryption algorithm, is available. If you specify an encryption type, you must provide an encrypted password: an encrypted password you copy from another bridge configuration.
Note If you specify an encryption type and then enter a clear text password, you cannot re-enter privileged EXEC mode. You cannot recover a lost encrypted password by any method.
Step 3 service password-encryption (Optional) Encrypt the password when the password is defined or when the configuration is written.
Encryption prevents the password from being readable in the configuration file.
Step 4 end Return to privileged EXEC mode.
Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
If both the enable and enable secret passwords are defined, users must enter the enable secret password.
Use the level keyword to define a password for a specific privilege level. After you specify the level and set a password, give the password only to users who need to have access at this level. Use the privilege level global configuration command to specify commands accessible at various levels. For more information, see the “Configuring Multiple Privilege Levels” section on page 5-6.
If you enable password encryption, it applies to all passwords including username passwords, authentication key passwords, the privileged command password, and console and virtual terminal line passwords.
To remove a password and level, use the no enable password [level level] or no enable secret [level level] global configuration command. To disable password encryption, use the no service password-encryption global configuration command.
This example shows how to configure the encrypted password $1$FaD0$Xyti5Rkls3LoyxzS8 for privilege level 2:
bridge(config)# enable secret level 2 5 $1$FaD0$Xyti5Rkls3LoyxzS8
Configuring Username and Password Pairs
You can configure username and password pairs, which are locally stored on the bridge. These pairs are assigned to lines or interfaces and authenticate each user before that user can access the bridge. If you have defined privilege levels, you can also assign a specific privilege level (with associated rights and privileges) to each username and password pair.
Beginning in privileged EXEC mode, follow these steps to establish a username-based authentication system that requests a login username and a password:
Command Purpose
Step 1 configure terminal Enter global configuration mode.
Step 2 username name [privilege level] {password encryption-type password} Enter the username, privilege level, and password for each user.
For name, specify the user ID as one word. Spaces and quotation marks are not allowed.
(Optional) For level, specify the privilege level the user has after gaining access. The range is 0 to 15. Level 15 gives privileged EXEC mode access. Level 1 gives user EXEC mode access.
For encryption-type, enter 0 to specify that an unencrypted password will follow. Enter 7 to specify that a hidden password will follow.
For password, specify the password the user must enter to gain access to the bridge. The password must be from 1 to 25 characters, can contain embedded spaces, and must be the last option specified in the username command.
Step 3 login local Enable local password checking at login time. Authentication is based on the username specified in Step 2.
Step 4 end Return to privileged EXEC mode.
Step 5 show running-config Verify your entries.
Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
To disable username authentication for a specific user, use the no username name global configuration command.
To disable password checking and allow connections without a password, use the no login line configuration command.
Note You must have at least one username configured and you must have login local set to open a Telnet session to the bridge. If you enter no username for the only username, you can be locked out of the bridge.
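The password sections above (static enable password, enable secret and service password-encryption, username and password pairs) can be checked against a saved configuration. The script below is an added example, not part of the Cisco guide: it assumes the usual running-config line forms, its rule names are its own, and both configurations are constructed samples that reuse only the example values printed in this chapter.

```python
import re

DEFAULT_NAME = DEFAULT_PASSWORD = "Cisco"  # factory defaults stated in this guide

# Assumed running-config line forms; rule names below are this example's own.
ENABLE_RE = re.compile(r"^enable (password|secret)(?: level (\d+))?(?: (\d))? (\S.*)$")
USER_RE = re.compile(r"^username (\S+)(?: privilege (\d+))? password (\d) (.+)$")
LINE_PW_RE = re.compile(r"^\s+password(?: (\d))? (\S.*)$")

# Constructed sample, not taken from a real bridge.
SAMPLE_CONFIG = """\
hostname bridge
!
enable password l1u2c3k4y5
enable password level 14 SecretPswd14
enable secret level 2 5 $1$FaD0$Xyti5Rkls3LoyxzS8
!
username Cisco password 0 Cisco
username netops privilege 15 password 7 0123456789ABCDEF
!
line con 0
 password Cisco
line vty 0 4
 no login
!
end
"""

# Constructed counterpart with the settings this chapter recommends.
HARDENED_CONFIG = """\
service password-encryption
enable secret 5 $1$FaD0$Xyti5Rkls3LoyxzS8
username netops privilege 15 password 7 0123456789ABCDEF
line vty 0 4
 login local
end
"""


def audit(config_text):
    """Return a sorted list of (rule, location) findings for one configuration."""
    findings = set()
    secret_levels, password_levels = set(), set()
    encryption_on = cleartext_seen = False
    current_line = None  # the 'line con 0' / 'line vty 0 4' block being parsed

    def cleartext(value, where):
        # Record that a readable password exists and check it against the default.
        nonlocal cleartext_seen
        cleartext_seen = True
        if value == DEFAULT_PASSWORD:
            findings.add(("DEFAULT_PASSWORD", where))

    for raw in config_text.splitlines():
        text = raw.rstrip()
        if not text.startswith(" "):  # a top-level command opens or closes a line block
            current_line = text if text.startswith("line ") else None
        if text == "service password-encryption":
            encryption_on = True
            continue
        m = ENABLE_RE.match(text)
        if m:
            kind, level, ptype, value = m.groups()
            level = int(level or 15)  # level 15 is the default privilege level
            where = f"enable {kind} level {level}"
            if kind == "secret":
                secret_levels.add(level)
            else:
                password_levels.add(level)
                if ptype in (None, "0"):  # no encryption type: readable in the file
                    findings.add(("ENABLE_CLEARTEXT", where))
                    cleartext(value, where)
            continue
        m = USER_RE.match(text)
        if m:
            name, _privilege, ptype, value = m.groups()
            where = f"username {name}"
            if name == DEFAULT_NAME:
                findings.add(("DEFAULT_USERNAME", where))
            if ptype == "0":  # 0 = unencrypted password follows
                findings.add(("USER_CLEARTEXT", where))
                cleartext(value, where)
            continue
        if current_line and text.startswith(" "):
            if text.strip() == "no login":  # connections allowed without a password
                findings.add(("LINE_NO_LOGIN", current_line))
            m = LINE_PW_RE.match(text)
            if m and m.group(1) in (None, "0"):
                findings.add(("LINE_CLEARTEXT", current_line))
                cleartext(m.group(2), current_line)

    # enable secret takes precedence, so a level with only enable password is weaker.
    for level in password_levels - secret_levels:
        findings.add(("NO_ENABLE_SECRET", f"enable password level {level}"))
    if cleartext_seen and not encryption_on:
        findings.add(("NO_PASSWORD_ENCRYPTION", "global"))
    return sorted(findings)


if __name__ == "__main__":
    for rule, where in audit(SAMPLE_CONFIG):
        print(f"{rule:24} {where}")
```

Run it against the text captured from show running-config; an empty result means none of these checks fired, not that the configuration is otherwise sound.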
Configuring Multiple Privilege Levels
By default, the IOS software has two modes of password security: user EXEC and privileged EXEC. You can configure up to 16 hierarchical levels of commands for each mode. By configuring multiple passwords, you can allow different sets of users to have access to specified commands.
For example, if you want many users to have access to the clear line command, you can assign it level 2 security and distribute the level 2 password fairly widely. But if you want more restricted access to the configure command, you can assign it level 3 security and distribute that password to a more restricted group of users.
This section includes this configuration information:
Setting the Privilege Level for a Command
Logging Into and Exiting a Privilege Level
Setting the Privilege Level for a Command
Beginning in privileged EXEC mode, follow these steps to set the privilege level for a command mode:
Command Purpose
Step 1 configure terminal Enter global configuration mode.
Step 2 privilege mode level level command Set the privilege level for a command.
For mode, enter configure for global configuration mode, exec for EXEC mode, interface for interface configuration mode, or line for line configuration mode.
For level, the range is from 0 to 15. Level 1 is for normal user EXEC mode privileges. Level 15 is the level of access permitted by the enable password.
For command, specify the command to which you want to restrict access.
Step 3 enable password level level password Specify the enable password for the privilege level.
For level, the range is from 0 to 15. Level 1 is for normal user EXEC mode privileges.
For password, specify a string from 1 to 25 alphanumeric characters. The string cannot start with a number, is case sensitive, and allows spaces but ignores leading spaces. By default, no password is defined.
Step 4 end Return to privileged EXEC mode.
Step 5 show running-config or show privilege Verify your entries.
The first command displays the password and access level configuration. The second command displays the privilege level configuration.
Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
When you set a command to a privilege level, all commands whose syntax is a subset of that command are also set to that level. For example, if you set the show ip route command to level 15, the show commands and show ip commands are automatically set to privilege level 15 unless you set them individually to different levels.
To return to the default privilege for a given command, use the no privilege mode level level command global configuration command.
This example shows how to set the configure command to privilege level 14 and define SecretPswd14 as the password users must enter to use level 14 commands:
bridge(config)# privilege exec level 14 configure
bridge(config)# enable password level 14 SecretPswd14
Logging Into and Exiting a Privilege Level
Beginning in privileged EXEC mode, follow these steps to log in to a specified privilege level and to exit to a specified privilege level:
Command  Purpose
Step 1  enable level  Log in to a specified privilege level. For level, the range is 0 to 15.
Step 2  disable level  Exit to a specified privilege level. For level, the range is 0 to 15.
Controlling Bridge Access with RADIUS
This section describes how to control administrator access to the bridge using Remote Authentication Dial-In User Service (RADIUS). For complete instructions on configuring the bridge to support RADIUS, see Chapter 11, “Configuring RADIUS and TACACS+ Servers.”
RADIUS provides detailed accounting information and flexible administrative control over authentication and authorization processes. RADIUS is facilitated through AAA and can be enabled only through AAA commands.
Note For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Security Command Reference for Release 12.2.
These sections describe RADIUS configuration:
Default RADIUS Configuration
Configuring RADIUS Login Authentication (required)
Defining AAA Server Groups (optional)
Configuring RADIUS Authorization for User Privileged Access and Network Services (optional)
Displaying the RADIUS Configuration
Default RADIUS Configuration
RADIUS and AAA are disabled by default.
To prevent a lapse in security, you cannot configure RADIUS through a network management application. When enabled, RADIUS can authenticate users accessing the bridge through the CLI.
Configuring RADIUS Login Authentication
To configure AAA authentication, you define a named list of authentication methods and then apply that list to various interfaces. The method list defines the types of authentication to be performed and the sequence in which they are performed; it must be applied to a specific interface before any of the defined authentication methods are performed. The only exception is the default method list (which, by coincidence, is named default). The default method list is automatically applied to all interfaces except those that have a named method list explicitly defined.
A method list describes the sequence and authentication methods to be queried to authenticate a user. You can designate one or more security protocols to be used for authentication, thus ensuring a backup system for authentication in case the initial method fails. The software uses the first method listed to authenticate users; if that method fails to respond, the software selects the next authentication method in the method list. This process continues until there is successful communication with a listed authentication method or until all defined methods are exhausted. If authentication fails at any point in this cycle—meaning that the security server or local username database responds by denying the user access—the authentication process stops, and no other authentication methods are attempted.
Beginning in privileged EXEC mode, follow these steps to configure login authentication. This procedure is required.
Command  Purpose
Step 1  configure terminal  Enter global configuration mode.
Step 2  aaa new-model  Enable AAA.
Step 3  aaa authentication login {default | list-name} method1 [method2...]  Create a login authentication method list.
    To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all interfaces.
    For list-name, specify a character string to name the list you are creating.
    For method1..., specify the actual method the authentication algorithm tries. The additional methods of authentication are used only if the previous method returns an error, not if it fails.
    Select one of these methods:
    local—Use the local username database for authentication. You must enter username information in the database. Use the username password global configuration command.
    radius—Use RADIUS authentication. You must configure the RADIUS server before you can use this authentication method. For more information, see the “Identifying the RADIUS Server Host” section on page 11-4.
Step 4  line [console | tty | vty] line-number [ending-line-number]  Enter line configuration mode, and configure the lines to which you want to apply the authentication list.
Step 5  login authentication {default | list-name}  Apply the authentication list to a line or set of lines.
    If you specify default, use the default list created with the aaa authentication login command.
    For list-name, specify the list created with the aaa authentication login command.
Step 6  end  Return to privileged EXEC mode.
Step 7  show running-config  Verify your entries.
Step 8  copy running-config startup-config  (Optional) Save your entries in the configuration file.
To disable AAA, use the no aaa new-model global configuration command. To disable AAA authentication, use the no aaa authentication login {default | list-name} method1 [method2...] global configuration command. To either disable RADIUS authentication for logins or to return to the default value, use the no login authentication {default | list-name} line configuration command.
Defining AAA Server Groups
You can configure the bridge to use AAA server groups to group existing server hosts for authentication. You select a subset of the configured server hosts and use them for a particular service. The server group is used with a global server-host list, which lists the IP addresses of the selected server hosts.
Server groups also can include multiple host entries for the same server if each entry has a unique identifier (the combination of the IP address and UDP port number), allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service. If you configure two different host entries on the same RADIUS server for the same service (such as accounting), the second configured host entry acts as a fail-over backup to the first one.
You use the server group server configuration command to associate a particular server with a defined group server. You can either identify the server by its IP address or identify multiple host instances or entries by using the optional auth-port and acct-port keywords.
Beginning in privileged EXEC mode, follow these steps to define the AAA server group and associate a particular RADIUS server with it:
Command  Purpose
Step 1  configure terminal  Enter global configuration mode.
Step 2  aaa new-model  Enable AAA.
Step 3  radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string]  Specify the IP address or host name of the remote RADIUS server host.
    (Optional) For auth-port port-number, specify the UDP destination port for authentication requests.
    (Optional) For acct-port port-number, specify the UDP destination port for accounting requests.
    (Optional) For timeout seconds, specify the time interval that the bridge waits for the RADIUS server to reply before retransmitting. The range is 1 to 1000. This setting overrides the radius-server timeout global configuration command setting. If no timeout is set with the radius-server host command, the setting of the radius-server timeout command is used.
    (Optional) For retransmit retries, specify the number of times a RADIUS request is resent to a server if that server is not responding or responding slowly. The range is 1 to 1000. If no retransmit value is set with the radius-server host command, the setting of the radius-server retransmit global configuration command is used.
    (Optional) For key string, specify the authentication and encryption key used between the bridge and the RADIUS daemon running on the RADIUS server.
    Note The key is a text string that must match the encryption key used on the RADIUS server. Always configure the key as the last item in the radius-server host command. Leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks are part of the key.
    To configure the bridge to recognize more than one host entry associated with a single IP address, enter this command as many times as necessary, making sure that each UDP port number is different. The bridge software searches for hosts in the order in which you specify them. Set the timeout, retransmit, and encryption key values to use with the specific RADIUS host.
Step 4  aaa group server radius group-name  Define the AAA server-group with a group name.
    This command puts the bridge in a server group configuration mode.
Step 5  server ip-address  Associate a particular RADIUS server with the defined server group.
    Repeat this step for each RADIUS server in the AAA server group.
    Each server in the group must be previously defined in Step 2.
Step 6  Enable RADIUS login authentication. See the “Configuring RADIUS Login Authentication” section on page 5-8.
Step 7  end  Return to privileged EXEC mode.
Step 8  show running-config  Verify your entries.
Step 9  copy running-config startup-config  (Optional) Save your entries in the configuration file.
To remove the specified RADIUS server, use the no radius-server host hostname | ip-address global configuration command. To remove a server group from the configuration list, use the no aaa group server radius group-name global configuration command. To remove the IP address of a RADIUS server, use the no server ip-address server group configuration command.
In this example, the bridge is configured to recognize two different RADIUS group servers (group1 and group2). Group1 has two different host entries on the same RADIUS server configured for the same services. The second host entry acts as a fail-over backup to the first entry.
bridge(config)# aaa new-model
bridge(config)# radius-server host 172.20.0.1 auth-port 1000 acct-port 1001
bridge(config)# radius-server host 172.10.0.1 auth-port 1645 acct-port 1646
bridge(config)# aaa group server radius group1
bridge(config-sg-radius)# server 172.20.0.1 auth-port 1000 acct-port 1001
bridge(config-sg-radius)# exit
bridge(config)# aaa group server radius group2
bridge(config-sg-radius)# server 172.20.0.1 auth-port 2000 acct-port 2001
bridge(config-sg-radius)# exit
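A consistency check for two rules from this section (a host entry is identified by its IP address together with its UDP port numbers, and every server named in a group must already be defined with radius-server host), written in Python as an added example that is not part of the Cisco guide. The sample configuration is constructed, and the ports 1645 and 1646 assumed when auth-port or acct-port is omitted are an assumption of this example.

```python
# Added example: audits RADIUS host entries and AAA server groups in a
# configuration written with the commands shown in this section.
ASSUMED_AUTH_PORT = 1645  # assumption: value used when auth-port is omitted
ASSUMED_ACCT_PORT = 1646  # assumption: value used when acct-port is omitted

# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
aaa new-model
radius-server host 192.0.2.10 auth-port 1000 acct-port 1001 key first secret
radius-server host 192.0.2.10 auth-port 2000 acct-port 2001 timeout 5
radius-server host 192.0.2.10 auth-port 1000 acct-port 1001
aaa group server radius group1
 server 192.0.2.10 auth-port 1000 acct-port 1001
 server 192.0.2.10 auth-port 2000 acct-port 2001
aaa group server radius group2
 server 192.0.2.20 auth-port 1645 acct-port 1646
"""


def host_identifier(words):
    """Return (address, auth_port, acct_port) for the words that follow
    'radius-server host' or 'server'."""
    address, options = words[0], words[1:]
    auth_port, acct_port = ASSUMED_AUTH_PORT, ASSUMED_ACCT_PORT
    index = 0
    while index + 1 < len(options):
        keyword, value = options[index], options[index + 1]
        if keyword == "key":
            break  # the key is the last item and may contain spaces
        if keyword == "auth-port":
            auth_port = int(value)
        elif keyword == "acct-port":
            acct_port = int(value)
        index += 2  # timeout and retransmit also take one value each
    return (address, auth_port, acct_port)


def audit_radius_groups(config_text):
    """Return host entries, repeated host entries, and group members that
    have no earlier matching radius-server host entry."""
    defined, duplicates, undefined = [], [], []
    group = None
    for raw in config_text.splitlines():
        words = raw.split()
        if words[:2] == ["radius-server", "host"] and len(words) > 2:
            ident = host_identifier(words[2:])
            if ident in defined:
                duplicates.append(ident)  # same address and same ports twice
            else:
                defined.append(ident)
            group = None
        elif words[:4] == ["aaa", "group", "server", "radius"] and len(words) == 5:
            group = words[4]
        elif group and raw.startswith(" ") and words[:1] == ["server"] and len(words) > 1:
            ident = host_identifier(words[1:])
            if ident not in defined:
                undefined.append((group, ident))
        elif not raw.startswith(" "):
            group = None  # any other top-level command ends the group block
    return {"defined": defined, "duplicates": duplicates, "undefined": undefined}


if __name__ == "__main__":
    for finding, entries in audit_radius_groups(SAMPLE_CONFIG).items():
        print(finding, entries)
```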
Configuring RADIUS Authorization for User Privileged Access and Network Services
AAA authorization limits the services available to a user. When AAA authorization is enabled, the bridge uses information retrieved from the user’s profile, which is in the local user database or on the security server, to configure the user’s session. The user is granted access to a requested service only if the information in the user profile allows it.
You can use the aaa authorization global configuration command with the radius keyword to set parameters that restrict a user’s network access to privileged EXEC mode.
The aaa authorization exec radius local command sets these authorization parameters:
Use RADIUS for privileged EXEC access authorization if authentication was performed by using RADIUS.
Use the local database if authentication was not performed by using RADIUS.
Note Authorization is bypassed for authenticated users who log in through the CLI even if authorization has been configured.
Beginning in privileged EXEC mode, follow these steps to specify RADIUS authorization for privileged EXEC access and network services:
Command  Purpose
Step 1  configure terminal  Enter global configuration mode.
Step 2  aaa authorization network radius  Configure the bridge for user RADIUS authorization for all network-related service requests.
Step 3  aaa authorization exec radius  Configure the bridge for user RADIUS authorization to determine if the user has privileged EXEC access.
    The exec keyword might return user profile information (such as autocommand information).
Step 4  end  Return to privileged EXEC mode.
Step 5  show running-config  Verify your entries.
Step 6  copy running-config startup-config  (Optional) Save your entries in the configuration file.
To disable authorization, use the no aaa authorization {network | exec} method1 global configuration command.
Displaying the RADIUS Configuration
To display the RADIUS configuration, use the show running-config privileged EXEC command.
Controlling Bridge Access with TACACS+
This section describes how to control administrator access to the bridge using Terminal Access Controller Access Control System Plus (TACACS+). For complete instructions on configuring the bridge to support TACACS+, see Chapter 11, “Configuring RADIUS and TACACS+ Servers.”
TACACS+ provides detailed accounting information and flexible administrative control over authentication and authorization processes. TACACS+ is facilitated through AAA and can be enabled only through AAA commands.
Note For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Security Command Reference for Release 12.2.
These sections describe TACACS+ configuration:
Default TACACS+ Configuration
Configuring TACACS+ Login Authentication
Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services
Displaying the TACACS+ Configuration
Default TACACS+ Configuration
TACACS+ and AAA are disabled by default.
To prevent a lapse in security, you cannot configure TACACS+ through a network management application. When enabled, TACACS+ can authenticate administrators accessing the bridge through the CLI.
Configuring TACACS+ Login Authentication
To configure AAA authentication, you define a named list of authentication methods and then apply that list to various interfaces. The method list defines the types of authentication to be performed and the sequence in which they are performed; it must be applied to a specific interface before any of the defined authentication methods are performed. The only exception is the default method list (which, by coincidence, is named default). The default method list is automatically applied to all interfaces except those that have a named method list explicitly defined. A defined method list overrides the default method list.
A method list describes the sequence and authentication methods to be queried to authenticate a user. You can designate one or more security protocols to be used for authentication, thus ensuring a backup system for authentication in case the initial method fails. The software uses the first method listed to authenticate users; if that method fails to respond, the software selects the next authentication method in the method list. This process continues until there is successful communication with a listed authentication method or until all defined methods are exhausted. If authentication fails at any point in this cycle—meaning that the security server or local username database responds by denying the user access—the authentication process stops, and no other authentication methods are attempted.
Beginning in privileged EXEC mode, follow these steps to configure login authentication. This procedure is required.
Command  Purpose
Step 1  configure terminal  Enter global configuration mode.
Step 2  aaa new-model  Enable AAA.
Step 3  aaa authentication login {default | list-name} method1 [method2...]  Create a login authentication method list.
    To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all interfaces.
    For list-name, specify a character string to name the list you are creating.
    For method1..., specify the actual method the authentication algorithm tries. The additional methods of authentication are used only if the previous method returns an error, not if it fails.
    Select one of these methods:
    local—Use the local username database for authentication. You must enter username information into the database. Use the username password global configuration command.
    tacacs+—Use TACACS+ authentication. You must configure the TACACS+ server before you can use this authentication method.
Step 4  line [console | tty | vty] line-number [ending-line-number]  Enter line configuration mode, and configure the lines to which you want to apply the authentication list.
Step 5  login authentication {default | list-name}  Apply the authentication list to a line or set of lines.
    If you specify default, use the default list created with the aaa authentication login command.
    For list-name, specify the list created with the aaa authentication login command.
Step 6  end  Return to privileged EXEC mode.
Step 7  show running-config  Verify your entries.
Step 8  copy running-config startup-config  (Optional) Save your entries in the configuration file.
To disable AAA, use the no aaa new-model global configuration command. To disable AAA authentication, use the no aaa authentication login {default | list-name} method1 [method2...] global configuration command. To either disable TACACS+ authentication for logins or to return to the default value, use the no login authentication {default | list-name} line configuration command.
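The method-list rules from the RADIUS and TACACS+ login authentication sections (the next method is tried only when the previous one returns an error, a denial ends the attempt, and a line without a named list uses default), modeled in Python as an added example that is not Cisco code. The configuration text, the list name ADMIN and the reply values are constructed for illustration.

```python
from enum import Enum


class Reply(Enum):
    PASS = "accepted"  # the method answered and accepted the user
    FAIL = "denied"    # the method answered and denied the user
    ERROR = "error"    # the method returned an error (for example, no response)


# Constructed sample configuration using the commands from these sections.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default tacacs+ local
aaa authentication login ADMIN radius local
line con 0
 login authentication ADMIN
line vty 0 4
"""


def parse_method_lists(config_text):
    """Return {list name: [methods in order]} from the global commands."""
    lists = {}
    for raw in config_text.splitlines():
        words = raw.split()
        if words[:3] == ["aaa", "authentication", "login"] and len(words) > 4:
            lists[words[3]] = words[4:]
    return lists


def parse_line_lists(config_text):
    """Return {line block: name of the method list applied to it}."""
    applied, current = {}, None
    for raw in config_text.splitlines():
        words = raw.split()
        if raw.startswith("line "):
            current = " ".join(words)
            applied[current] = "default"  # used unless a named list is applied
        elif current and raw.startswith(" "):
            if words[:2] == ["login", "authentication"] and len(words) == 3:
                applied[current] = words[2]
        else:
            current = None
    return applied


def authenticate(methods, replies):
    """Walk a method list in order and return (granted, trace)."""
    trace = []
    for method in methods:
        reply = replies.get(method, Reply.ERROR)
        trace.append((method, reply))
        if reply is Reply.PASS:
            return True, trace
        if reply is Reply.FAIL:
            return False, trace  # a denial stops the process; no fallback
        # Reply.ERROR: continue with the next method in the list
    return False, trace  # every listed method returned an error


def login(config_text, line, replies):
    """Authenticate on one line using the list that applies to that line."""
    list_name = parse_line_lists(config_text)[line]
    return authenticate(parse_method_lists(config_text)[list_name], replies)


if __name__ == "__main__":
    cases = {
        "server unreachable, local accepts": {"tacacs+": Reply.ERROR, "local": Reply.PASS},
        "server denies, local would accept": {"tacacs+": Reply.FAIL, "local": Reply.PASS},
    }
    for label, replies in cases.items():
        print(label, login(SAMPLE_CONFIG, "line vty 0 4", replies))
```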
Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services
AAA authorization limits the services available to a user. When AAA authorization is enabled, the bridge uses information retrieved from the user’s profile, which is located either in the local user database or on the security server, to configure the user’s session. The user is granted access to a requested service only if the information in the user profile allows it.
You can use the aaa authorization global configuration command with the tacacs+ keyword to set parameters that restrict a user’s network access to privileged EXEC mode.
The aaa authorization exec tacacs+ local command sets these authorization parameters:
Use TACACS+ for privileged EXEC access authorization if authentication was performed by using TACACS+.
Use the local database if authentication was not performed by using TACACS+.
Note Authorization is bypassed for authenticated users who log in through the CLI even if authorization has been configured.
Beginning in privileged EXEC mode, follow these steps to specify TACACS+ authorization for privileged EXEC access and network services:
Command  Purpose
Step 1  configure terminal  Enter global configuration mode.
Step 2  aaa authorization network tacacs+  Configure the bridge for user TACACS+ authorization for all network-related service requests.
Step 3  aaa authorization exec tacacs+  Configure the bridge for user TACACS+ authorization to determine if the user has privileged EXEC access.
    The exec keyword might return user profile information (such as autocommand information).
Step 4  end  Return to privileged EXEC mode.
Step 5  show running-config  Verify your entries.
Step 6  copy running-config startup-config  (Optional) Save your entries in the configuration file.
To disable authorization, use the no aaa authorization {network | exec} method1 global configuration command.
Displaying the TACACS+ Configuration
To display TACACS+ server statistics, use the show tacacs privileged EXEC command.
Configuring the Bridge for Local Authentication and Authorization
You can configure AAA to operate without a server by setting the bridge to implement AAA in local mode. The bridge then handles authentication and authorization. No accounting is available in this configuration.
Beginning in privileged EXEC mode, follow these steps to configure the bridge for local AAA:
Command  Purpose
Step 1  configure terminal  Enter global configuration mode.
Step 2  aaa new-model  Enable AAA.
Step 3  aaa authentication login default local  Set the login authentication to use the local username database. The default keyword applies the local user database authentication to all interfaces.
Step 4  aaa authorization exec local  Configure user AAA authorization to determine if the user is allowed to run an EXEC shell by checking the local database.
Step 5  aaa authorization network local  Configure user AAA authorization for all network-related service requests.
Step 6  username name [privilege level] {password encryption-type password}  Enter the local database, and establish a username-based authentication system.
    Repeat this command for each user.
    For name, specify the user ID as one word. Spaces and quotation marks are not allowed.
    (Optional) For level, specify the privilege level the user has after gaining access. The range is 0 to 15. Level 15 gives privileged EXEC mode access. Level 0 gives user EXEC mode access.
    For encryption-type, enter 0 to specify that an unencrypted password follows. Enter 7 to specify that a hidden password follows.
    For password, specify the password the user must enter to gain access to the bridge. The password must be from 1 to 25 characters, can contain embedded spaces, and must be the last option specified in the username command.
Step 7  end  Return to privileged EXEC mode.
Step 8  show running-config  Verify your entries.
Step 9  copy running-config startup-config  (Optional) Save your entries in the configuration file.
To disable AAA, use the no aaa new-model global configuration command. To disable authorization, use the no aaa authorization {network | exec} method1 global configuration command.
Configuring the Bridge for Secure Shell
This section describes how to configure the Secure Shell (SSH) feature.
Note For complete syntax and usage information for the commands used in this section, refer to the “Secure Shell Commands” section in the Cisco IOS Security Command Reference for Release 12.2.
Understanding SSH
SSH is a protocol that provides a secure, remote connection to a Layer 2 or a Layer 3 device. There are two versions of SSH: SSH version 1 and SSH version 2. This software release supports only SSH version 1.
SSH provides more security for remote connections than Telnet by providing strong encryption when a device is authenticated. The SSH feature has an SSH server and an SSH integrated client. The client supports these user authentication methods:
RADIUS (for more information, see the “Controlling Bridge Access with RADIUS” section on page 5-7)
Local authentication and authorization (for more information, see the “Configuring the Bridge for Local Authentication and Authorization” section on page 5-15)
For more information about SSH, refer to the “Configuring Secure Shell” section in the Cisco IOS Security Configuration Guide for Release 12.2.
Note The SSH feature in this software release does not support IP Security (IPSec).
Configuring SSH
Before configuring SSH, download the crypto software image from Cisco.com. For more information, refer to the release notes for this release.
For information about configuring SSH and displaying SSH settings, refer to the “Configuring Secure Shell” section in the Cisco IOS Security Configuration Guide for Release 12.2.
Managing the System Time and Date
You can manage the system time and date on your bridge automatically, using the Network Time Protocol (NTP), or manually, by setting the time and date on the bridge.
Note For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.2.
This section contains this configuration information:
Understanding the System Clock
Understanding Network Time Protocol
Configuring NTP
Configuring Time and Date Manually
Understanding the System Clock
The heart of the time service is the system clock. This clock runs from the moment the system starts up and keeps track of the date and time.
The system clock can then be set from these sources:
Network Time Protocol
Manual configuration
The system clock can provide time to these services:
User show commands
Logging and debugging messages
The system clock determines time internally based on Universal Time Coordinated (UTC), also known as Greenwich Mean Time (GMT). You can configure information about the local time zone and summer time (daylight saving time) so that the time is correctly displayed for the local time zone.
The system clock keeps track of whether the time is authoritative or not (that is, whether it has been set by a time source considered to be authoritative). If it is not authoritative, the time is available only for display purposes and is not redistributed. For configuration information, see the “Configuring Time and Date Manually” section on page 5-26.
Understanding Network Time Protocol
The NTP is designed to time-synchronize a network of devices. NTP runs over User Datagram Protocol (UDP), which runs over IP. NTP is documented in RFC 1305.
An NTP network usually gets its time from an authoritative time source, such as a radio clock or an atomic clock attached to a time server. NTP then distributes this time across the network. NTP is extremely efficient; no more than one packet per minute is necessary to synchronize two devices to within a millisecond of one another.
NTP uses the concept of a stratum to describe how many NTP hops away a device is from an authoritative time source. A stratum 1 time server has a radio or atomic clock directly attached, a stratum 2 time server receives its time through NTP from a stratum 1 time server, and so on. A device running NTP automatically chooses as its time source the device with the lowest stratum number with which it communicates through NTP. This strategy effectively builds a self-organizing tree of NTP speakers.
NTP avoids synchronizing to a device whose time might not be accurate by never synchronizing to a device that is not synchronized. NTP also compares the time reported by several devices and does not synchronize to a device whose time is significantly different than the others, even if its stratum is lower.
The communications between devices running NTP (known as associations) are usually statically configured; each device is given the IP address of all devices with which it should form associations. Accurate timekeeping is possible by exchanging NTP messages between each pair of devices with an association. However, in a LAN environment, NTP can be configured to use IP broadcast messages instead. This alternative reduces configuration complexity because each device can simply be configured to send or receive broadcast messages. However, in that case, information flow is one-way only.
The time kept on a device is a critical resource; you should use the security features of NTP to avoid the accidental or malicious setting of an incorrect time. Two mechanisms are available: an access-list-based restriction scheme and an encrypted authentication mechanism.
Cisco’s implementation of NTP does not support stratum 1 service; it is not possible to connect to a radio or atomic clock. We recommend that the time service for your network be derived from the public NTP servers available on the IP Internet. Figure 5-1 shows a typical network example using NTP.
If the network is isolated from the Internet, Cisco’s implementation of NTP allows a device to act as though it is synchronized through NTP, when in fact it has determined the time by using other means. Other devices then synchronize to that device through NTP.
When multiple sources of time are available, NTP is always considered to be more authoritative. NTP time overrides the time set by any other method.
Several manufacturers include NTP software for their host systems, and a publicly available version for systems running UNIX and its various derivatives is also available. This software allows host systems to be time-synchronized as well.
Figure 5-1 Typical NTP Network Configuration
[Figure not reproduced. Labels: Catalyst 6500 series switch (NTP master), Catalyst 3550 switches, workstations, local workgroup servers. Callouts: “These switches are configured in NTP server mode (server association) with the Catalyst 6500 series switch.” and “This switch is configured as an NTP peer to the upstream and downstream Catalyst 3550 switches.”]
Configuring NTP
Cisco Aironet 1400 Series Bridges do not have a hardware-supported clock, and they cannot function as an NTP master clock to which peers synchronize themselves when an external NTP source is not available. These bridges also have no hardware support for a calendar. As a result, the ntp update-calendar and the ntp master global configuration commands are not available.
This section contains this configuration information:
Default NTP Configuration
Configuring NTP Authentication
Configuring NTP Associations
Configuring NTP Broadcast Service
Configuring NTP Access Restrictions
Configuring the Source IP Address for NTP Packets
Displaying the NTP Configuration
Default NTP Configuration
Table 5-2 shows the default NTP configuration.
Table 5-2 Default NTP Configuration
Feature                          Default Setting
NTP authentication               Disabled. No authentication key is specified.
NTP peer or server associations  None configured.
NTP broadcast service            Disabled; no interface sends or receives NTP broadcast packets.
NTP access restrictions          No access control is specified.
NTP packet source IP address     The source address is determined by the outgoing interface.
NTP is disabled by default.
Configuring NTP Authentication
This procedure must be coordinated with the administrator of the NTP server; the information you configure in this procedure must be matched by the servers used by the bridge to synchronize its time to the NTP server.
Beginning in privileged EXEC mode, follow these steps to authenticate the associations (communications between devices running NTP that provide for accurate timekeeping) with other devices for security purposes:
Step 1  Command: configure terminal
        Purpose: Enter global configuration mode.
Step 2  Command: ntp authenticate
        Purpose: Enable the NTP authentication feature, which is disabled by default.
Step 3  Command: ntp authentication-key number md5 value
        Purpose: Define the authentication keys. By default, none are defined.
        For number, specify a key number. The range is 1 to 4294967295.
        md5 specifies that message authentication support is provided by using the message digest algorithm 5 (MD5).
        For value, enter an arbitrary string of up to eight characters for the key.
        The bridge does not synchronize to a device unless both have one of these authentication keys, and the key number is specified by the ntp trusted-key key-number command.
Step 4  Command: ntp trusted-key key-number
        Purpose: Specify one or more key numbers (defined in Step 3) that a peer NTP device must provide in its NTP packets for this bridge to synchronize to it.
        By default, no trusted keys are defined.
        For key-number, specify the key defined in Step 3.
        This command provides protection against accidentally synchronizing the bridge to a device that is not trusted.
Step 5  Command: end
        Purpose: Return to privileged EXEC mode.
Step 6  Command: show running-config
        Purpose: Verify your entries.
Step 7  Command: copy running-config startup-config
        Purpose: (Optional) Save your entries in the configuration file.
To disable NTP authentication, use the no ntp authenticate global configuration command. To remove an authentication key, use the no ntp authentication-key number global configuration command. To disable authentication of the identity of a device, use the no ntp trusted-key key-number global configuration command.
This example shows how to configure the bridge to synchronize only to devices providing authentication key 42 in the device’s NTP packets:
bridge(config)# ntp authenticate
bridge(config)# ntp authentication-key 42 md5 aNiceKey
bridge(config)# ntp trusted-key 42
Configuring NTP Associations
An NTP association can be a peer association (this bridge can either synchronize to the other device or allow the other device to synchronize to it), or it can be a server association (meaning that only this bridge synchronizes to the other device, and not the other way around).
Beginning in privileged EXEC mode, follow these steps to form an NTP association with another device:
Step 1  Command: configure terminal
        Purpose: Enter global configuration mode.
Step 2  Command: ntp peer ip-address [version number] [key keyid] [source interface] [prefer]
        or
        Command: ntp server ip-address [version number] [key keyid] [source interface] [prefer]
        Purpose: Configure the bridge system clock to synchronize a peer or to be synchronized by a peer (peer association).
        or
        Configure the bridge system clock to be synchronized by a time server (server association).
        No peer or server associations are defined by default.
        For ip-address in a peer association, specify either the IP address of the peer providing, or being provided, the clock synchronization. For a server association, specify the IP address of the time server providing the clock synchronization.
        (Optional) For number, specify the NTP version number. The range is 1 to 3. By default, version 3 is selected.
        (Optional) For keyid, enter the authentication key defined with the ntp authentication-key global configuration command.
        (Optional) For interface, specify the interface from which to pick the IP source address. By default, the source IP address is taken from the outgoing interface.
        (Optional) Enter the prefer keyword to make this peer or server the preferred one that provides synchronization. This keyword reduces switching back and forth between peers and servers.
Step 3  Command: end
        Purpose: Return to privileged EXEC mode.
Step 4  Command: show running-config
        Purpose: Verify your entries.
Step 5  Command: copy running-config startup-config
        Purpose: (Optional) Save your entries in the configuration file.
You need to configure only one end of an association; the other device can automatically establish the association. If you are using the default NTP version (version 3) and NTP synchronization does not occur, try using NTP version 2. Many NTP servers on the Internet run version 2.
To remove a peer or server association, use the no ntp peer ip-address or the no ntp server ip-address global configuration command.
This example shows how to configure the bridge to synchronize its system clock with the clock of the peer at IP address 172.16.22.44 using NTP version 2:
bridge(config)# ntp server 172.16.22.44 version 2
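An added example, not part of the Cisco guide: a Python check that reads running-config text and reports where the authentication commands from the two procedures above (ntp authenticate, ntp authentication-key, ntp trusted-key, and the key keyid option of ntp peer and ntp server) do not line up. The sample configuration, the keys and addresses other than the manual's key 42 and 172.16.22.44, and the finding names are constructed for illustration.

```python
import re

# Constructed running-config fragment (not from the manual). Key 42 is defined
# and trusted, key 7 is defined but never trusted, key 9 is referenced but
# never defined, and the last server has no key at all.
SAMPLE_CONFIG = """\
ntp authenticate
ntp authentication-key 42 md5 aNiceKey
ntp authentication-key 7 md5 spareKey
ntp trusted-key 42
ntp server 172.16.22.44 version 2 key 42
ntp server 172.16.22.45 key 7
ntp peer 172.16.22.46 key 9
ntp server 172.16.22.47
"""

ASSOC_RE = re.compile(r"^ntp (peer|server) (\S+)(.*)$")
KEY_RE = re.compile(r"\bkey (\d+)\b")


def parse_ntp(config_text):
    """Collect the NTP authentication state from running-config text."""
    state = {"authenticate": False, "defined": set(), "trusted": set(), "assocs": []}
    for raw in config_text.splitlines():
        line = raw.strip()
        parts = line.split()
        if line == "ntp authenticate":
            state["authenticate"] = True
        elif parts[:2] == ["ntp", "authentication-key"]:
            # Form: ntp authentication-key number md5 value
            if len(parts) >= 5 and parts[2].isdigit() and parts[3] == "md5":
                state["defined"].add(int(parts[2]))
        elif parts[:2] == ["ntp", "trusted-key"]:
            state["trusted"].update(int(p) for p in parts[2:] if p.isdigit())
        else:
            match = ASSOC_RE.match(line)
            if match:
                key = KEY_RE.search(match.group(3))
                state["assocs"].append(
                    (match.group(1), match.group(2), int(key.group(1)) if key else None)
                )
    return state


def audit_ntp_auth(config_text):
    """Return sorted (subject, finding) pairs; an empty list means consistent."""
    state = parse_ntp(config_text)
    findings = []
    if not state["authenticate"]:
        # Authentication is disabled by default, so its absence is worth flagging.
        findings.append(("global", "AUTH_DISABLED"))
    for key in state["trusted"] - state["defined"]:
        findings.append((f"key {key}", "TRUSTED_BUT_UNDEFINED"))
    for key in state["defined"] - state["trusted"]:
        findings.append((f"key {key}", "DEFINED_BUT_UNTRUSTED"))
    for kind, address, key in state["assocs"]:
        subject = f"{kind} {address}"
        if key is None:
            findings.append((subject, "NO_KEY"))
        elif key not in state["defined"]:
            findings.append((subject, "KEY_UNDEFINED"))
        elif key not in state["trusted"]:
            findings.append((subject, "KEY_NOT_TRUSTED"))
    return sorted(findings)


if __name__ == "__main__":
    for subject, finding in audit_ntp_auth(SAMPLE_CONFIG):
        print(f"{subject}: {finding}")
```

An empty result means every association names a key that is both defined and trusted and that ntp authenticate is present; it says nothing about whether the key value matches the one on the server.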
Configuring NTP Broadcast Service
The communications between devices running NTP (known as associations) are usually statically configured; each device is given the IP addresses of all devices with which it should form associations. Accurate timekeeping is possible by exchanging NTP messages between each pair of devices with an association. However, in a LAN environment, NTP can be configured to use IP broadcast messages instead. This alternative reduces configuration complexity because each device can simply be configured to send or receive broadcast messages. However, the information flow is one-way only.
The bridge can send or receive NTP broadcast packets on an interface-by-interface basis if there is an NTP broadcast server, such as a router, broadcasting time information on the network. The bridge can send NTP broadcast packets to a peer so that the peer can synchronize to it. The bridge can also receive NTP broadcast packets to synchronize its own clock. This section provides procedures for both sending and receiving NTP broadcast packets.
Beginning in privileged EXEC mode, follow these steps to configure the bridge to send NTP broadcast packets to peers so that they can synchronize their clock to the bridge:
Step 1  Command: configure terminal
        Purpose: Enter global configuration mode.
Step 2  Command: interface interface-id
        Purpose: Enter interface configuration mode, and specify the interface to send NTP broadcast packets.
Step 3  Command: ntp broadcast [version number] [key keyid] [destination-address]
        Purpose: Enable the interface to send NTP broadcast packets to a peer.
        By default, this feature is disabled on all interfaces.
        (Optional) For number, specify the NTP version number. The range is 1 to 3. If you do not specify a version, version 3 is used.
        (Optional) For keyid, specify the authentication key to use when sending packets to the peer.
        (Optional) For destination-address, specify the IP address of the peer that is synchronizing its clock to this bridge.
Step 4  Command: end
        Purpose: Return to privileged EXEC mode.
Step 5  Command: show running-config
        Purpose: Verify your entries.
Step 6  Command: copy running-config startup-config
        Purpose: (Optional) Save your entries in the configuration file.
Step 7  Configure the connected peers to receive NTP broadcast packets as described in the next procedure.
To disable the interface from sending NTP broadcast packets, use the no ntp broadcast interface configuration command.
This example shows how to configure an interface to send NTP version 2 packets:
bridge(config)# interface gigabitethernet0/1
bridge(config-if)# ntp broadcast version 2
Beginning in privileged EXEC mode, follow these steps to configure the bridge to receive NTP broadcast packets from connected peers:
Step 1  Command: configure terminal
        Purpose: Enter global configuration mode.
Step 2  Command: interface interface-id
        Purpose: Enter interface configuration mode, and specify the interface to receive NTP broadcast packets.
Step 3  Command: ntp broadcast client
        Purpose: Enable the interface to receive NTP broadcast packets.
        By default, no interfaces receive NTP broadcast packets.
Step 4  Command: exit
        Purpose: Return to global configuration mode.
Step 5  Command: ntp broadcastdelay microseconds
        Purpose: (Optional) Change the estimated round-trip delay between the bridge and the NTP broadcast server.
        The default is 3000 microseconds; the range is 1 to 999999.
Step 6  Command: end
        Purpose: Return to privileged EXEC mode.
Step 7  Command: show running-config
        Purpose: Verify your entries.
Step 8  Command: copy running-config startup-config
        Purpose: (Optional) Save your entries in the configuration file.
To disable an interface from receiving NTP broadcast packets, use the no ntp broadcast client interface configuration command. To change the estimated round-trip delay to the default, use the no ntp broadcastdelay global configuration command.
This example shows how to configure an interface to receive NTP broadcast packets:
bridge(config)# interface gigabitethernet0/1
bridge(config-if)# ntp broadcast client
Configuring NTP Access Restrictions
You can control NTP access on two levels as described in these sections:
Creating an Access Group and Assigning a Basic IP Access List
Disabling NTP Services on a Specific Interface
Creating an Access Group and Assigning a Basic IP Access List
Beginning in privileged EXEC mode, follow these steps to control access to NTP services by using access lists:
Step 1  Command: configure terminal
        Purpose: Enter global configuration mode.
Step 2  Command: ntp access-group {query-only | serve-only | serve | peer} access-list-number
        Purpose: Create an access group, and apply a basic IP access list.
        The keywords have these meanings:
        query-only—Allows only NTP control queries.
        serve-only—Allows only time requests.
        serve—Allows time requests and NTP control queries, but does not allow the bridge to synchronize to the remote device.
        peer—Allows time requests and NTP control queries and allows the bridge to synchronize to the remote device.
        For access-list-number, enter a standard IP access list number from 1 to 99.
Step 3  Command: access-list access-list-number permit source [source-wildcard]
        Purpose: Create the access list.
        For access-list-number, enter the number specified in Step 2.
        Enter the permit keyword to permit access if the conditions are matched.
        For source, enter the IP address of the device that is permitted access to the bridge.
        (Optional) For source-wildcard, enter the wildcard bits to be applied to the source.
        Note When creating an access list, remember that, by default, the end of the access list contains an implicit deny statement for everything if it did not find a match before reaching the end.
Step 4  Command: end
        Purpose: Return to privileged EXEC mode.
Step 5  Command: show running-config
        Purpose: Verify your entries.
Step 6  Command: copy running-config startup-config
        Purpose: (Optional) Save your entries in the configuration file.
The access group keywords are scanned in this order, from least restrictive to most restrictive:
1. peer—Allows time requests and NTP control queries and allows the bridge to synchronize itself to a device whose address passes the access list criteria.
2. serve—Allows time requests and NTP control queries, but does not allow the bridge to synchronize itself to a device whose address passes the access list criteria.
3. serve-only—Allows only time requests from a device whose address passes the access list criteria.
4. query-only—Allows only NTP control queries from a device whose address passes the access list criteria.
If the source IP address matches the access lists for more than one access type, the first type is granted. If no access groups are specified, all access types are granted to all devices. If any access groups are specified, only the specified access types are granted.
To remove access control to the bridge NTP services, use the no ntp access-group {query-only | serve-only | serve | peer} global configuration command.
This example shows how to configure the bridge to allow itself to synchronize to a peer from access list 99. However, the bridge restricts access to allow only time requests from access list 42:
bridge# configure terminal
bridge(config)# ntp access-group peer 99
bridge(config)# ntp access-group serve-only 42
bridge(config)# access-list 99 permit 172.20.130.5
bridge(config)# access-list 42 permit 172.20.130.6
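An added example, not part of the Cisco guide: a Python model of the access-group rules described above (scan order, first matching type granted, implicit deny, and all access types granted when no access group is configured), run against the manual's example and a constructed overlapping variant. The function names and the second configuration are assumptions; only permit entries of standard access lists are modelled.

```python
import ipaddress

# Scan order stated in the manual: least restrictive to most restrictive.
SCAN_ORDER = ("peer", "serve", "serve-only", "query-only")

# The manual's example configuration.
MANUAL_EXAMPLE = """\
ntp access-group peer 99
ntp access-group serve-only 42
access-list 99 permit 172.20.130.5
access-list 42 permit 172.20.130.6
"""

# Constructed variant: the peer list covers a whole /24 that also contains
# the host intended to be limited to serve-only.
OVERLAP_EXAMPLE = """\
ntp access-group peer 10
ntp access-group serve-only 20
access-list 10 permit 172.20.130.0 0.0.0.255
access-list 20 permit 172.20.130.6
"""


def parse(config_text):
    """Return (groups, acls): groups maps access type -> list number,
    acls maps list number -> [(source, wildcard), ...] for permit entries."""
    groups, acls = {}, {}
    for raw in config_text.splitlines():
        parts = raw.split()
        if parts[:2] == ["ntp", "access-group"] and len(parts) == 4:
            groups[parts[2]] = int(parts[3])
        elif parts[:1] == ["access-list"] and len(parts) >= 4 and parts[2] == "permit":
            if parts[3] == "any":
                source, wildcard = 0, 0xFFFFFFFF
            else:
                source = int(ipaddress.IPv4Address(parts[3]))
                # An omitted source-wildcard means an exact host match.
                wildcard = int(ipaddress.IPv4Address(parts[4])) if len(parts) > 4 else 0
            acls.setdefault(int(parts[1]), []).append((source, wildcard))
    return groups, acls


def acl_permits(entries, addr):
    """Standard list match: bits set in the wildcard are ignored.
    No matching entry means the implicit deny at the end of the list applies."""
    ip = int(ipaddress.IPv4Address(addr))
    for source, wildcard in entries:
        care = ~wildcard & 0xFFFFFFFF
        if ip & care == source & care:
            return True
    return False


def granted_access(config_text, addr):
    """Return 'all' when no access group is configured, the first access type
    in scan order whose list permits addr, or None when every list denies it."""
    groups, acls = parse(config_text)
    if not groups:
        return "all"
    for access_type in SCAN_ORDER:
        if access_type in groups:
            # Model assumption: a list with no permit entries matches nothing.
            if acl_permits(acls.get(groups[access_type], []), addr):
                return access_type
    return None


if __name__ == "__main__":
    for label, cfg in (("manual", MANUAL_EXAMPLE), ("overlap", OVERLAP_EXAMPLE)):
        for host in ("172.20.130.5", "172.20.130.6", "172.20.130.7"):
            print(label, host, granted_access(cfg, host))
```

In the overlapping variant, 172.20.130.6 is granted peer access because the peer list is scanned first, so a broad peer list overrides the narrower serve-only entry.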
Disabling NTP Services on a Specific Interface
NTP services are enabled on all interfaces by default.
Beginning in privileged EXEC mode, follow these steps to disable NTP packets from being received on an interface:
Step 1  Command: configure terminal
        Purpose: Enter global configuration mode.
Step 2  Command: interface interface-id
        Purpose: Enter interface configuration mode, and specify the interface to disable.
Step 3  Command: ntp disable
        Purpose: Disable NTP packets from being received on the interface.
        By default, all interfaces receive NTP packets.
Step 4  Command: end
        Purpose: Return to privileged EXEC mode.
Step 5  Command: show running-config
        Purpose: Verify your entries.
Step 6  Command: copy running-config startup-config
        Purpose: (Optional) Save your entries in the configuration file.
To re-enable receipt of NTP packets on an interface, use the no ntp disable interface configuration command.
Configuring the Source IP Address for NTP Packets
When the bridge sends an NTP packet, the source IP address is normally set to the address of the interface through which the NTP packet is sent. Use the ntp source global configuration command when you want to use a particular source IP address for all NTP packets. The address is taken from the specified interface. This command is useful if the address on an interface cannot be used as the destination for reply packets.
Beginning in privileged EXEC mode, follow these steps to configure a specific interface from which the IP source address is to be taken:
Step 1  Command: configure terminal
        Purpose: Enter global configuration mode.
Step 2  Command: ntp source type number
        Purpose: Specify the interface type and number from which the IP source address is taken.
        By default, the source address is determined by the outgoing interface.
Step 3  Command: end
        Purpose: Return to privileged EXEC mode.
Step 4  Command: show running-config
        Purpose: Verify your entries.
Step 5  Command: copy running-config startup-config
        Purpose: (Optional) Save your entries in the configuration file.
The specified interface is used for the source address for all packets sent to all destinations. If a source address is to be used for a specific association, use the source keyword in the ntp peer or ntp server global configuration command as described in the “Configuring NTP Associations” section.
Displaying the NTP Configuration
You can use two privileged EXEC commands to display NTP information:
show ntp associations [detail]
show ntp status
For detailed information about the fields in these displays, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1.
Configuring Time and Date Manually
If no other source of time is available, you can manually configure the time and date after the system is restarted. The time remains accurate until the next system restart. We recommend that you use manual configuration only as a last resort. If you have an outside source to which the bridge can synchronize, you do not need to manually set the system clock.
This section contains this configuration information:
Setting the System Clock
Displaying the Time and Date Configuration
Configuring the Time Zone
Configuring Summer Time (Daylight Saving Time)
Setting the System Clock
If you have an outside source on the network that provides time services, such as an NTP server, you do not need to manually set the system clock.
Beginning in privileged EXEC mode, follow these steps to set the system clock:
Step 1  Command: clock set hh:mm:ss day month year
        or
        Command: clock set hh:mm:ss month day year
        Purpose: Manually set the system clock using one of these formats.
        For hh:mm:ss, specify the time in hours (24-hour format), minutes, and seconds. The time specified is relative to the configured time zone.
        For day, specify the day by date in the month.
        For month, specify the month by name.
        For year, specify the year (no abbreviation).
Step 2  Command: show running-config
        Purpose: Verify your entries.
Step 3  Command: copy running-config startup-config
        Purpose: (Optional) Save your entries in the configuration file.
This example shows how to manually set the system clock to 1:32 p.m. on July 23, 2001:
bridge# clock set 13:32:00 23 July 2001
Displaying the Time and Date Configuration
To display the time and date configuration, use the show clock [detail] privileged EXEC command.
The system clock keeps an authoritative flag that shows whether the time is authoritative (believed to be accurate). If the system clock has been set by a timing source such as NTP, the flag is set. If the time is not authoritative, it is used only for display purposes. Until the clock is authoritative and the authoritative flag is set, the flag prevents peers from synchronizing to the clock when the peers’ time is invalid.
The symbol that precedes the show clock display has this meaning:
*—Time is not authoritative.
(blank)—Time is authoritative.
.—Time is authoritative, but NTP is not synchronized.
Configuring the Time Zone
Beginning in privileged EXEC mode, follow these steps to manually configure the time zone:
Step 1  Command: configure terminal
        Purpose: Enter global configuration mode.
Step 2  Command: clock timezone zone hours-offset [minutes-offset]
        Purpose: Set the time zone.
        The bridge keeps internal time in universal time coordinated (UTC), so this command is used only for display purposes and when the time is manually set.
        For zone, enter the name of the time zone to be displayed when standard time is in effect. The default is UTC.
        For hours-offset, enter the hours offset from UTC.
        (Optional) For minutes-offset, enter the minutes offset from UTC.
Step 3  Command: end
        Purpose: Return to privileged EXEC mode.
Step 4  Command: show running-config
        Purpose: Verify your entries.
Step 5  Command: copy running-config startup-config
        Purpose: (Optional) Save your entries in the configuration file.
The minutes-offset variable in the clock timezone global configuration command is available for those cases where a local time zone is a percentage of an hour different from UTC. For example, the time zone for some sections of Atlantic Canada (AST) is UTC-3.5, where the 3 means 3 hours and .5 means 50 percent. In this case, the necessary command is clock timezone AST -3 30.
To set the time to UTC, use the no clock timezone global configuration command.
Configuring Summer Time (Daylight Saving Time)
Beginning in privileged EXEC mode, follow these steps to configure summer time (daylight saving time) in areas where it starts and ends on a particular day of the week each year:
Step 1  Command: configure terminal
        Purpose: Enter global configuration mode.
Step 2  Command: clock summer-time zone recurring [week day month hh:mm week day month hh:mm [offset]]
        Purpose: Configure summer time to start and end on the specified days every year.
        Summer time is disabled by default. If you specify clock summer-time zone recurring without parameters, the summer time rules default to the United States rules.
        For zone, specify the name of the time zone (for example, PDT) to be displayed when summer time is in effect.
        (Optional) For week, specify the week of the month (1 to 5 or last).
        (Optional) For day, specify the day of the week (Sunday, Monday...).
        (Optional) For month, specify the month (January, February...).
        (Optional) For hh:mm, specify the time (24-hour format) in hours and minutes.
        (Optional) For offset, specify the number of minutes to add during summer time. The default is 60.
Step 3  Command: end
        Purpose: Return to privileged EXEC mode.
Step 4  Command: show running-config
        Purpose: Verify your entries.
Step 5  Command: copy running-config startup-config
        Purpose: (Optional) Save your entries in the configuration file.
The first part of the clock summer-time global configuration command specifies when summer time begins, and the second part specifies when it ends. All times are relative to the local time zone. The start time is relative to standard time. The end time is relative to summer time. If the starting month is after the ending month, the system assumes that you are in the southern hemisphere.
This example shows how to specify that summer time starts on the first Sunday in April at 02:00 and ends on the last Sunday in October at 02:00:
bridge(config)# clock summer-time PDT recurring 1 Sunday April 2:00 last Sunday October 2:00
Beginning in privileged EXEC mode, follow these steps if summer time in your area does not follow a recurring pattern (configure the exact date and time of the next summer time events):
Step 1  Command: configure terminal
        Purpose: Enter global configuration mode.
Step 2  Command: clock summer-time zone date [month date year hh:mm month date year hh:mm [offset]]
        or
        Command: clock summer-time zone date [date month year hh:mm date month year hh:mm [offset]]
        Purpose: Configure summer time to start on the first date and end on the second date.
        Summer time is disabled by default.
        For zone, specify the name of the time zone (for example, PDT) to be displayed when summer time is in effect.
        (Optional) For week, specify the week of the month (1 to 5 or last).
        (Optional) For day, specify the day of the week (Sunday, Monday...).
        (Optional) For month, specify the month (January, February...).
        (Optional) For hh:mm, specify the time (24-hour format) in hours and minutes.
        (Optional) For offset, specify the number of minutes to add during summer time. The default is 60.
Step 3  Command: end
        Purpose: Return to privileged EXEC mode.
Step 4  Command: show running-config
        Purpose: Verify your entries.
Step 5  Command: copy running-config startup-config
        Purpose: (Optional) Save your entries in the configuration file.
The first part of the clock summer-time global configuration command specifies when summer time begins, and the second part specifies when it ends. All times are relative to the local time zone. The start time is relative to standard time. The end time is relative to summer time. If the starting month is after the ending month, the system assumes that you are in the southern hemisphere.
To disable summer time, use the no clock summer-time global configuration command.
This example shows how to set summer time to start on October 12, 2000, at 02:00, and end on April 26, 2001, at 02:00:
bridge(config)# clock summer-time pdt date 12 October 2000 2:00 26 April 2001 2:00
Configuring a System Name and Prompt
You configure the system name on the bridge to identify it. By default, the system name and prompt are bridge.
If you have not configured a system prompt, the first 20 characters of the system name are used as the system prompt. A greater-than symbol (>) is appended. The prompt is updated whenever the system name changes, unless you manually configure the prompt by using the prompt global configuration command.
Note For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Configuration Fundamentals Command Reference and the Cisco IOS IP and IP Routing Command Reference for Release 12.1.
This section contains this configuration information:
Default System Name and Prompt Configuration
Configuring a System Name
Understanding DNS
Default System Name and Prompt Configuration
The default bridge system name and prompt is bridge.
Configuring a System Name
Beginning in privileged EXEC mode, follow these steps to manually configure a system name:
Step 1  Command: configure terminal
        Purpose: Enter global configuration mode.
Step 2  Command: hostname name
        Purpose: Manually configure a system name.
        The default setting is bridge.
        The name must follow the rules for ARPANET host names. They must start with a letter, end with a letter or digit, and have as interior characters only letters, digits, and hyphens. Names can be up to 63 characters.
Step 3  Command: end
        Purpose: Return to privileged EXEC mode.
Step 4  Command: show running-config
        Purpose: Verify your entries.
Step 5  Command: copy running-config startup-config
        Purpose: (Optional) Save your entries in the configuration file.
When you set the system name, it is also used as the system prompt.
To return to the default host name, use the no hostname global configuration command.
Understanding DNS
The DNS protocol controls the Domain Name System (DNS), a distributed database with which you can map host names to IP addresses. When you configure DNS on your bridge, you can substitute the host name for the IP address with all IP commands, such as ping, telnet, connect, and related Telnet support operations.
IP defines a hierarchical naming scheme that allows a device to be identified by its location or domain. Domain names are pieced together with periods (.) as the delimiting characters. For example, Cisco Systems is a commercial organization that IP identifies by a com domain name, so its domain name is cisco.com. A specific device in this domain, such as the File Transfer Protocol (FTP) system, is identified as ftp.cisco.com.
To keep track of domain names, IP has defined the concept of a domain name server, which holds a cache (or database) of names mapped to IP addresses. To map domain names to IP addresses, you must first identify the host names, specify the name server that is present on your network, and enable the DNS.
This section contains this configuration information:
Default DNS Configuration
Setting Up DNS
Displaying the DNS Configuration
Default DNS Configuration
Table 5-3 shows the default DNS configuration.
Table 5-3 Default DNS Configuration
Feature                  Default Setting
DNS enable state         Disabled.
DNS default domain name  None configured.
DNS servers              No name server addresses are configured.
Setting Up DNS
Beginning in privileged EXEC mode, follow these steps to set up your bridge to use the DNS:
Step 1  Command: configure terminal
        Purpose: Enter global configuration mode.
Step 2  Command: ip domain-name name
        Purpose: Define a default domain name that the software uses to complete unqualified host names (names without a dotted-decimal domain name).
        Do not include the initial period that separates an unqualified name from the domain name.
        At boot time, no domain name is configured; however, if the bridge configuration comes from a BOOTP or Dynamic Host Configuration Protocol (DHCP) server, then the default domain name might be set by the BOOTP or DHCP server (if the servers were configured with this information).
Step 3  Command: ip name-server server-address1 [server-address2 ... server-address6]
        Purpose: Specify the address of one or more name servers to use for name and address resolution.
        You can specify up to six name servers. Separate each server address with a space. The first server specified is the primary server. The bridge sends DNS queries to the primary server first. If that query fails, the backup servers are queried.
Step 4  Command: ip domain-lookup
        Purpose: (Optional) Enable DNS-based host name-to-address translation on your bridge.
        This feature is enabled by default.
        If your network devices require connectivity with devices in networks for which you do not control name assignment, you can dynamically assign device names that uniquely identify your devices by using the global Internet naming scheme (DNS).
Step 5  Command: end
        Purpose: Return to privileged EXEC mode.
Step 6  Command: show running-config
        Purpose: Verify your entries.
Step 7  Command: copy running-config startup-config
        Purpose: (Optional) Save your entries in the configuration file.
If you use the bridge IP address as its host name, the IP address is used and no DNS query occurs. If you configure a host name that contains no periods (.), a period followed by the default domain name is appended to the host name before the DNS query is made to map the name to an IP address. The default domain name is the value set by the ip domain-name global configuration command. If there is a period (.) in the host name, the IOS software looks up the IP address without appending any default domain name to the host name.
To remove a domain name, use the no ip domain-name name global configuration command. To remove a name server address, use the no ip name-server server-address global configuration command. To disable DNS on the bridge, use the no ip domain-lookup global configuration command.
Displaying the DNS Configuration
To display the DNS configuration information, use the show running-config privileged EXEC command.
Creating a Banner
You can configure a message-of-the-day (MOTD) and a login banner. The MOTD banner appears on all connected terminals at login and is useful for sending messages that affect all network users (such as impending system shutdowns).
The login banner also appears on all connected terminals. It appears after the MOTD banner and before the login prompts.
Note For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.2.
This section contains this configuration information:
Default Banner Configuration
Configuring a Message-of-the-Day Login Banner
Configuring a Login Banner
Default Banner Configuration
The MOTD and login banners are not configured.
Configuring a Message-of-the-Day Login Banner
You can create a single or multiline message banner that appears on the screen when someone logs into the bridge.
Beginning in privileged EXEC mode, follow these steps to configure a MOTD login banner:
Step 1  Command: configure terminal
        Purpose: Enter global configuration mode.
Step 2  Command: banner motd c message c
        Purpose: Specify the message of the day.
        For c, enter the delimiting character of your choice, such as a pound sign (#), and press the Return key. The delimiting character signifies the beginning and end of the banner text. Characters after the ending delimiter are discarded.
        For message, enter a banner message up to 255 characters. You cannot use the delimiting character in the message.
Step 3  Command: end
        Purpose: Return to privileged EXEC mode.
Step 4  Command: show running-config
        Purpose: Verify your entries.
Step 5  Command: copy running-config startup-config
        Purpose: (Optional) Save your entries in the configuration file.
To delete the MOTD banner, use the no banner motd global configuration command.
This example shows how to configure a MOTD banner for the bridge using the pound sign (#) symbol as the beginning and ending delimiter:
bridge(config)# banner motd #
This is a secure site. Only authorized users are allowed.
For access, contact technical support.
#
bridge(config)#
This example shows the banner displayed from the previous configuration:
Unix> telnet 172.2.5.4
Trying 172.2.5.4...
Connected to 172.2.5.4.
Escape character is '^]'.

This is a secure site. Only authorized users are allowed.
For access, contact technical support.

User Access Verification

Password:
Configuring a Login Banner
You can configure a login banner to appear on all connected terminals. This banner appears after the MOTD banner and before the login prompt.
Beginning in privileged EXEC mode, follow these steps to configure a login banner:
Step    Command    Purpose
Step 1    configure terminal    Enter global configuration mode.
Step 2    banner login c message c    Specify the login message.
    For c, enter the delimiting character of your choice, such as a pound sign (#), and press the Return key. The delimiting character signifies the beginning and end of the banner text. Characters after the ending delimiter are discarded.
    For message, enter a login message up to 255 characters. You cannot use the delimiting character in the message.
Step 3    end    Return to privileged EXEC mode.
Step 4    show running-config    Verify your entries.
Step 5    copy running-config startup-config    (Optional) Save your entries in the configuration file.
To delete the login banner, use the no banner login global configuration command.
This example shows how to configure a login banner for the bridge using the dollar sign ($) symbol as the beginning and ending delimiter:
bridge(config)# banner login $
Access for authorized users only. Please enter your username and password.
$
bridge(config)#
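The delimiter rules for both banner commands (the message ends at the first occurrence of the delimiting character, anything after it is discarded, and the message is limited to 255 characters) can be checked before a configuration script is pasted into the bridge. The following Python check is an added example, not part of the Cisco guide; the function names, the constructed sample scripts, and the policy that both banners must be configured are assumptions, and it reads the commands as they are typed, not as show running-config prints them.

```python
import re

MAX_BANNER_CHARS = 255  # message limit stated in the guide
BANNER_CMD = re.compile(r"^banner (motd|login) (\S)(.*)$")


def parse_banners(script):
    """Parse 'banner {motd|login} c message c' commands from a config script.

    Returns {kind: (message, discarded)}; `discarded` is whatever followed the
    closing delimiter on its line, which the bridge throws away.
    """
    banners, lines, i = {}, script.splitlines(), 0
    while i < len(lines):
        match = BANNER_CMD.match(lines[i].strip())
        if not match:
            i += 1
            continue
        kind, delim, rest = match.groups()
        body = []
        while delim not in rest:          # keep reading until the closing delimiter
            body.append(rest)
            i += 1
            if i == len(lines):
                raise ValueError(f"banner {kind}: closing {delim!r} never found")
            rest = lines[i]
        message, _, discarded = rest.partition(delim)
        body.append(message)
        banners[kind] = ("\n".join(body).strip(), discarded.strip())
        i += 1
    return banners


def audit_banners(script, required=("motd", "login")):
    """Return findings; `required` is a local policy choice (assumption)."""
    banners = parse_banners(script)
    findings = [f"{kind}: not configured" for kind in required if kind not in banners]
    for kind, (message, discarded) in banners.items():
        # Newlines are counted here; the guide does not say whether the bridge counts them.
        if len(message) > MAX_BANNER_CHARS:
            findings.append(f"{kind}: {len(message)} characters exceeds {MAX_BANNER_CHARS}")
        if discarded:
            findings.append(f"{kind}: text after closing delimiter is discarded: {discarded!r}")
    return findings


# Constructed sample: the two banners from this section.
GOOD_SCRIPT = """\
banner motd #
This is a secure site. Only authorized users are allowed.
For access, contact technical support.
#
banner login $
Access for authorized users only. Please enter your username and password.
$
"""

# Constructed sample: the message contains its own delimiter, so it ends early.
BAD_SCRIPT = "banner motd # Call ext #4000 before connecting. #\n"

if __name__ == "__main__":
    for name, script in (("good", GOOD_SCRIPT), ("bad", BAD_SCRIPT)):
        print(name, audit_banners(script))
```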
CHAPTER 6
Configuring Radio Settings
This chapter describes how to configure radio settings for your bridge. This chapter includes these sections:
Disabling and Enabling the Radio Interface
Configuring the Role in Radio Network
Configuring the Radio Distance Setting
Configuring Radio Data Rates
Configuring Radio Transmit Power
Configuring Radio Channel Settings
Disabling and Enabling Aironet Extensions
Configuring the Ethernet Encapsulation Transformation Method
Configuring the Beacon Period
Configuring RTS Threshold and Retries
Configuring the Maximum Data Retries
Configuring the Fragmentation Threshold
Configuring Packet Concatenation
Performing a Carrier Busy Test
Disabling and Enabling the Radio Interface
The bridge radio is enabled by default. Beginning in privileged EXEC mode, follow these steps to disable the bridge radio:
Step    Command    Purpose
Step 1    configure terminal    Enter global configuration mode.
Step 2    interface dot11radio 0    Enter interface configuration mode for the radio interface.
Step 3    shutdown    Disable the radio port.
Step 4    end    Return to privileged EXEC mode.
Step 5    copy running-config startup-config    (Optional) Save your entries in the configuration file.
Use the no form of the shutdown command to enable the radio port.
Configuring the Role in Radio Network
You can configure your bridge as a root bridge or as a non-root bridge. Figure 6-1 shows a root bridge communicating with a non-root bridge in a point-to-point configuration.
Figure 6-1 Point-to-Point Bridge Configuration
Beginning in privileged EXEC mode, follow these steps to set the bridge’s radio network role:
Step    Command    Purpose
Step 1    configure terminal    Enter global configuration mode.
Step 2    interface dot11radio 0    Enter interface configuration mode for the radio interface.
Step 3    station-role bridge { root | non-root | install }    Set the bridge role.
    Set the role to root or non-root, or put the bridge in installation mode to help align the antennas. In installation mode, the bridge polls the radio for the received signal strength indication (RSSI) value and updates the LEDs and the RSSI voltage port.
Step 4    end    Return to privileged EXEC mode.
Step 5    copy running-config startup-config    (Optional) Save your entries in the configuration file.
Configuring the Radio Distance Setting
Use the distance command to specify the distance from a root bridge to the non-root bridges with which it communicates. The distance setting adjusts the bridge’s timeout values to account for the time required for radio signals to travel from bridge to bridge. If more than one non-root bridge communicates with the root bridge, enter the distance from the root bridge to the non-root bridge that is farthest away. Enter a value from 0 to 99 km. You do not need to adjust this setting on non-root bridges.
In installation mode, the default distance setting is 99 km. In other modes, the default distance setting is 0 km.
Beginning in privileged EXEC mode, follow these steps to configure the bridge distance setting:
Step    Command    Purpose
Step 1    configure terminal    Enter global configuration mode.
Step 2    interface dot11radio 0    Enter interface configuration mode for the radio interface.
Step 3    distance kilometers    Enter a distance setting from 0 to 99 km.
Step 4    end    Return to privileged EXEC mode.
Step 5    copy running-config startup-config    (Optional) Save your entries in the configuration file.
Use the no form of the distance command to return to the default distance setting.
Configuring Radio Data Rates
You use the data rate settings to choose the data rates the bridge uses for data transmission. The rates are expressed in megabits per second. The bridge always attempts to transmit at the highest data rate set to Basic, also called Require on the browser-based interface. If there are obstacles or interference, the bridge steps down to the highest rate that allows data transmission. You can set each data rate to one of three states:
Basic (this is the default state for all data rates)—Allows transmission at this rate for all packets, both unicast and multicast. At least one of the bridge's data rates must be set to Basic.
Enabled—The bridge transmits only unicast packets at this rate; multicast packets are sent at one of the data rates set to Basic.
Disabled—The bridge does not transmit data at this rate.
Note At least one data rate must be set to basic.
You can use the Data Rate settings to set up the bridge to operate at specific data rates. For example, to configure the bridge to operate at 54 megabits per second (Mbps) service only, set the 54-Mbps rate to Basic and set the other data rates to Enabled. To set up the bridge to operate at 24, 48, and 54 Mbps, set 24, 48, and 54 to Basic and set the rest of the data rates to Enabled.
You can also configure the bridge to set the data rates automatically to optimize either range or throughput. When you enter range for the data rate setting, the bridge sets the 6-Mbps rate to basic and the other rates to enabled. When you enter throughput for the data rate setting, the bridge sets all data rates to basic.
Beginning in privileged EXEC mode, follow these steps to configure the radio data rates:
Step    Command    Purpose
Step 1    configure terminal    Enter global configuration mode.
Step 2    interface dot11radio 0    Enter interface configuration mode for the radio interface.
Step 3    speed {[6.0] [9.0] [12.0] [18.0] [24.0] [36.0] [48.0] [54.0] [basic-6.0] [basic-9.0] [basic-12.0] [basic-18.0] [basic-24.0] [basic-36.0] [basic-48.0] [basic-54.0] | range | throughput}    Set each data rate to basic or enabled, or enter range to optimize bridge range or throughput to optimize throughput.
    (Optional) Enter 6.0, 9.0, 12.0, 18.0, 24.0, 36.0, 48.0, and 54.0 to set these data rates to enabled.
    (Optional) Enter basic-6.0, basic-9.0, basic-12.0, basic-18.0, basic-24.0, basic-36.0, basic-48.0, and basic-54.0 to set these data rates to basic.
    (Optional) Enter range or throughput to automatically optimize radio range or throughput. When you enter range, the bridge sets the lowest data rate to basic and the other rates to enabled. When you enter throughput, the bridge sets all data rates to basic.
Step 4    end    Return to privileged EXEC mode.
Step 5    copy running-config startup-config    (Optional) Save your entries in the configuration file.
Use the no form of the speed command to disable data rates. When you use the no form of the command, all data rates are disabled except the rates you name in the command. This example shows how to disable data rate 6.0:
ap1200# configure terminal
ap1200(config)# interface dot11radio 0
ap1200(config-if)# no speed basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
ap1200(config-if)# end
Data rate 6 is disabled, and the rest of the rates are set to basic.
This example shows how to set up the bridge for 54-Mbps service only:
ap1200# configure terminal
ap1200(config)# interface dot11radio 0
ap1200(config-if)# speed basic-54.0
ap1200(config-if)# end
Data rate 54 is set to basic, and the rest of the data rates are set to enabled.
Configuring Radio Transmit Power
Beginning in privileged EXEC mode, follow these steps to set the transmit power on your bridge radio:
Step    Command    Purpose
Step 1    configure terminal    Enter global configuration mode.
Step 2    interface dot11radio 0    Enter interface configuration mode for the radio interface.
Step 3    power local { 12 | 15 | 18 | 21 | 22 | 23 | 24 | maximum }    Set the transmit power to one of the power levels allowed in your regulatory domain. All settings are in dBm.
    Note The settings allowed in your regulatory domain might differ from the settings listed here.
Step 4    end    Return to privileged EXEC mode.
Step 5    copy running-config startup-config    (Optional) Save your entries in the configuration file.
Use the no form of the power command to return the power setting to maximum, the default setting.
Configuring Radio Channel Settings
The default channel setting for the bridge radios is least congested; at startup, the bridge scans for and selects the least-congested channel. For most consistent performance after a site survey, however, we recommend that you assign a static channel setting for each bridge. The channel settings on your bridge correspond to the frequencies available in your regulatory domain. See Appendix A, “Channels and Antenna Settings,” for the frequencies allowed in your domain.
The 5-GHz radio operates on four channels from 5745 to 5805 MHz. Each channel covers 20 MHz, and the bandwidth for the channels overlaps slightly. For best performance, use channels that are not adjacent (such as 5745 and 5785) for bridges that are close to each other.
Beginning in privileged EXEC mode, follow these steps to set the bridge’s radio channel:
Step    Command    Purpose
Step 1    configure terminal    Enter global configuration mode.
Step 2    interface dot11radio 0    Enter interface configuration mode for the radio interface.
Step 3    channel frequency | least-congested    Set the default channel for the bridge radio. To search for the least-congested channel on startup, enter least-congested.
    channel 149—5745
    channel 153—5765
    channel 157—5785
    channel 161—5805
    Note The frequencies allowed in your regulatory domain might differ from the frequencies listed here.
Step 4    end    Return to privileged EXEC mode.
Step 5    copy running-config startup-config    (Optional) Save your entries in the configuration file.
Disabling and Enabling Aironet Extensions
By default, the bridge uses Cisco Aironet 802.11 extensions to improve communication with other 1400 series bridges. You cannot disable Aironet extensions on the bridge.
Configuring the Ethernet Encapsulation Transformation Method
When the bridge receives data packets that are not 802.3 packets, the bridge must format the packets to 802.3 using an encapsulation transformation method. These are the two transformation methods:
802.1H
RFC1042—This is the default setting. Use this setting to ensure interoperability with non-Cisco Aironet wireless equipment.
Beginning in privileged EXEC mode, follow these steps to configure the encapsulation transformation method:
Step    Command    Purpose
Step 1    configure terminal    Enter global configuration mode.
Step 2    interface dot11radio { 0 | 1 }    Enter interface configuration mode for the radio interface. The 2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1.
Step 3    payload-encapsulation snap | dot1h    Set the encapsulation transformation method to RFC1042 (snap) or 802.1h (dot1h).
Step 4    end    Return to privileged EXEC mode.
Step 5    copy running-config startup-config    (Optional) Save your entries in the configuration file.
Configuring the Beacon Period
The beacon period is the amount of time between bridge beacons in Kilomicroseconds. One Kµsec equals 1,024 microseconds. The default beacon period is 100. Beginning in privileged EXEC mode, follow these steps to configure the beacon period:
Step    Command    Purpose
Step 1    configure terminal    Enter global configuration mode.
Step 2    interface dot11radio 0    Enter interface configuration mode for the radio interface.
Step 3    beacon period value    Set the beacon period. Enter a value in Kilomicroseconds.
Step 4    end    Return to privileged EXEC mode.
Step 5    copy running-config startup-config    (Optional) Save your entries in the configuration file.
Note The bridge does not support the dtim option in the beacon period command.
Configuring RTS Threshold and Retries
The RTS threshold determines the packet size at which the bridge issues a request to send (RTS) before sending the packet. You can enter a setting ranging from 0 to 4000 bytes. If your bridge link is a point-to-point configuration, set the RTS threshold to 4000 on both the root and non-root bridges. If you have multiple bridges set up in a point-to-multipoint configuration, set the RTS threshold to 4000 on the root bridge and to 0 on the non-root bridges.
Maximum RTS Retries is the maximum number of times the bridge issues an RTS before stopping the attempt to send the packet over the radio. Enter a value from 1 to 128.
The default RTS threshold is 4000, and the default maximum RTS retries setting is 32. Beginning in privileged EXEC mode, follow these steps to configure the RTS threshold and maximum RTS retries:
Step    Command    Purpose
Step 1    configure terminal    Enter global configuration mode.
Step 2    interface dot11radio 0    Enter interface configuration mode for the radio interface.
Step 3    rts threshold value    Set the RTS threshold. Enter an RTS threshold from 0 to 4000.
Step 4    rts retries value    Set the maximum RTS retries. Enter a setting from 1 to 128.
Step 5    end    Return to privileged EXEC mode.
Step 6    copy running-config startup-config    (Optional) Save your entries in the configuration file.
Use the no form of the command to reset the RTS settings to defaults.
Configuring the Maximum Data Retries
The maximum data retries setting determines the number of attempts the bridge makes to send a packet before giving up and dropping the packet.
The default setting is 32. Beginning in privileged EXEC mode, follow these steps to configure the maximum data retries:
Step    Command    Purpose
Step 1    configure terminal    Enter global configuration mode.
Step 2    interface dot11radio 0    Enter interface configuration mode for the radio interface.
Step 3    packet retries value    Set the maximum data retries. Enter a setting from 1 to 128.
Step 4    end    Return to privileged EXEC mode.
Step 5    copy running-config startup-config    (Optional) Save your entries in the configuration file.
Use the no form of the command to reset the setting to defaults.
Configuring the Fragmentation Threshold
The fragmentation threshold determines the size at which packets are fragmented (sent as several pieces instead of as one block). Do not configure a fragmentation threshold that is lower than the concatenation size, because the settings can conflict. If concatenation is disabled, use a low setting in areas where communication is poor or where there is a great deal of radio interference.
The default setting is 4000 bytes. Beginning in privileged EXEC mode, follow these steps to configure the fragmentation threshold:
Step    Command    Purpose
Step 1    configure terminal    Enter global configuration mode.
Step 2    interface dot11radio 0    Enter interface configuration mode for the radio interface.
Step 3    fragment-threshold value    Set the fragmentation threshold. Enter a setting from 256 to 4000 bytes.
Step 4    end    Return to privileged EXEC mode.
Step 5    copy running-config startup-config    (Optional) Save your entries in the configuration file.
Use the no form of the command to reset the setting to defaults.
Configuring Packet Concatenation
If your bridge often transmits bursts of data, such as voice packets, you can enable packet concatenation to improve throughput. Concatenation is enabled by default to improve throughput.
Note Not all devices connected through the bridge from the Ethernet LAN can support packet concatenation, such as third party wireless clients connected to access points. Prior to configuring the packet concatenation feature, ensure all your network devices support packet concatenation. Also ensure that all bridges are running Cisco IOS Release 12.2(11)JA or later. If connectivity problems develop after implementing packet concatenation, deactivate the concatenation feature to determine if that is the cause of the problem.
Beginning in privileged EXEC mode, follow these steps to configure packet concatenation:
Step    Command    Purpose
Step 1    configure terminal    Enter global configuration mode.
Step 2    interface dot11radio 0    Enter interface configuration mode for the radio interface.
Step 3    concatenation [ size bytes ]    Enable packet concatenation.
    (Optional) Set a maximum size for concatenated packets in bytes. Enter a value from 1600 to 4000. When concatenation is enabled, the default packet size is 3500.
Step 4    end    Return to privileged EXEC mode.
Step 5    copy running-config startup-config    (Optional) Save your entries in the configuration file.
Use the no form of the command to disable packet concatenation.
Note For best performance over your bridge links, adjust the CW-min and CW-max contention window settings depending on the number of non-root bridges associated to each root bridge. Refer to the “CW-min and CW-max Settings for Point-to-Point and Point-to-Multipoint Bridge Links” section on page 13-9 for instructions on adjusting these settings.
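The value ranges and defaults given in this chapter, the rule that a no speed command must leave at least one basic rate, and the rule that the fragmentation threshold must not be lower than the concatenation size can all be checked against a configuration script before it is applied. This Python linter is an added example, not Cisco code; the function name and the constructed sample configurations are assumptions, and it reads commands as they are entered under interface dot11radio 0.

```python
# Ranges stated in this chapter: command -> (minimum, maximum)
RANGES = {
    "distance": (0, 99),
    "rts threshold": (0, 4000),
    "rts retries": (1, 128),
    "packet retries": (1, 128),
    "fragment-threshold": (256, 4000),
    "concatenation size": (1600, 4000),
}


def lint_radio(script):
    """Return a list of findings for the dot11radio 0 section of a config script."""
    values = {"fragment-threshold": 4000, "concatenation size": 3500}  # defaults
    concatenation = True               # concatenation is enabled by default
    findings, in_radio = [], False
    for raw in script.splitlines():
        line = " ".join(raw.split())   # normalise indentation and spacing
        if line.startswith("interface "):
            in_radio = line.lower().replace(" ", "") == "interfacedot11radio0"
            continue
        if not in_radio:
            continue
        if line == "no concatenation":
            concatenation = False
        elif line.startswith("concatenation"):
            concatenation = True
        if line.startswith("no speed "):
            # 'no speed' disables every rate except the ones it names.
            kept = line.split()[2:]
            if not any(rate.startswith("basic-") for rate in kept):
                findings.append("no speed: none of the remaining rates is basic")
            continue
        for name, (low, high) in RANGES.items():
            if line.startswith(name + " "):
                arg = line[len(name) + 1:]
                if arg.isdigit() and low <= int(arg) <= high:
                    values[name] = int(arg)
                else:
                    findings.append(f"{name} {arg}: outside {low}-{high}")
                break
    frag, size = values["fragment-threshold"], values["concatenation size"]
    if concatenation and frag < size:
        findings.append(f"fragment-threshold {frag} is lower than concatenation size {size}")
    return findings


# Constructed sample with three problems: distance out of range, no basic
# rate left after 'no speed', and a fragmentation threshold below the
# concatenation size.
SAMPLE = """\
interface dot11radio 0
 station-role bridge root
 distance 120
 rts threshold 4000
 rts retries 32
 fragment-threshold 2000
 concatenation size 3500
 no speed 24.0 36.0
"""

# Constructed sample that follows the point-to-point guidance in this chapter.
CLEAN = """\
interface dot11radio 0
 station-role bridge non-root
 rts threshold 4000
 packet retries 32
 speed basic-54.0
"""

if __name__ == "__main__":
    for finding in lint_radio(SAMPLE):
        print(finding)
```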
Performing a Carrier Busy Test
You can perform a carrier busy test to check the radio activity on bridge channels. During the carrier busy test, the bridge drops all associations with wireless networking devices for around 4 seconds while it conducts the carrier test and then displays the test results.
In privileged EXEC mode, enter this command to perform a carrier busy test:
dot11 interface-number carrier busy
Use the show dot11 carrier busy command to re-display the carrier busy test results.
CHAPTER 7
Configuring SSIDs
This chapter describes how to configure a service set identifier (SSID) on the bridge. This chapter contains these sections:
Understanding SSIDs
Configuring the SSID
Understanding SSIDs
The SSID is a unique identifier that wireless networking devices use to establish and maintain wireless connectivity. Multiple bridges on a network or sub-network can use the same SSID. SSIDs are case sensitive and can contain up to 32 alphanumeric characters. Do not include spaces in your SSID. Unlike Cisco Aironet Access Points, 1400 series bridges do not support multiple SSIDs. The bridge can only associate to another bridge, so you do not need to configure multiple SSIDs.
When you configure an SSID you assign these configuration settings to the SSID:
VLAN
RADIUS accounting for traffic using the SSID
Bridge authentication method
Note For detailed information on client authentication types, see Chapter 10, “Configuring Authentication Types.”
If you want the bridge to allow associations from bridges that do not specify an SSID in their configurations, you can include the SSID in the bridge’s beacon. The bridge’s default SSID, autoinstall, is included in the beacon. However, to keep your network secure, you should remove the SSID from the beacon.
You can assign an authentication username and password to the SSID to allow the bridge to authenticate to your network using LEAP authentication.
If your network uses VLANs, you should assign the bridge SSID to your network’s native VLAN.
Configuring the SSID
These sections contain configuration information for the SSID:
Default SSID Configuration
Creating an SSID
Default SSID Configuration
Table 7-1 shows the default SSID configuration:
Table 7-1 Default SSID Configuration
Feature    Default Setting
SSID    autoinstall
Guest Mode SSID    autoinstall (The bridge broadcasts this SSID in its beacon and allows bridges with no SSID to associate.)