Cisco WLAN Solution 3.0: Last Updated May 26, 2005
The Product Guide describes the Cisco Wireless LAN Solution (Cisco WLAN Solution) products.
Refer to the OVERVIEWS section to see a big picture view of Cisco WLAN Solution products and features.
See the SOLUTIONS section to look through real-world network and application-specific solutions to real-world problems.
Go to the TASKS section to find detailed instructions on how to install, configure, use, and troubleshoot Cisco WLAN Solution products and supported 802.11 networks.
Visit the REFERENCES section to find technical information, such as the Glossary and Supported Country Codes and Regulatory Domains, as well as pointers to the CLI Reference, Web User Online Help files, Cisco WCS Online Help files, Cisco 1000 Series Lightweight Access Point Deployment Guide, Hardware and Software Quick Start Guides, the Cisco Wireless LAN Controller User Guides, and the current Release Notes.
FCC Statements for Cisco 1000 Series Lightweight Access Points
FCC Statements for Cisco 2000 Series Wireless LAN Controllers
FCC Statements for Cisco 4100 Series Wireless LAN Controllers and Cisco 4400 Series Wireless LAN Controllers
Industry Canada Required User Information for Cisco 1000 Series Lightweight Access Points
Legal Information
Obtaining Documentation
Documentation Feedback
Cisco Product Security Overview
Obtaining Technical Assistance
Obtaining Additional Publications and Information
This section includes the following legal information:
•Products
•End User License Agreement
•Limited Warranty
•General Terms Applicable to the Limited Warranty Statement and End User License Agreement
•Additional Open Source Terms
•Trademarks and Service Marks
The following describes the Cisco Systems, Inc. standard Product Warranty for End Customers.
Products
•Cisco 1000 Series Lightweight Access Points.
•Cisco 2000 Series Wireless LAN Controllers.
•Cisco 2700 Series Location Appliances.
•Cisco 4100 Series Wireless LAN Controllers.
•Cisco 4400 Series Wireless LAN Controllers.
End User License Agreement
IMPORTANT: PLEASE READ THIS END USER LICENSE AGREEMENT CAREFULLY. DOWNLOADING, INSTALLING OR USING CISCO OR CISCO-SUPPLIED SOFTWARE CONSTITUTES
ACCEPTANCE OF THIS AGREEMENT.
CISCO IS WILLING TO LICENSE THE SOFTWARE TO YOU ONLY UPON THE CONDITION THAT YOU
ACCEPT ALL OF THE TERMS CONTAINED IN THIS LICENSE AGREEMENT. BY DOWNLOADING OR
INSTALLING THE SOFTWARE, OR USING THE EQUIPMENT THAT CONTAINS THIS SOFTWARE, YOU ARE
BINDING YOURSELF AND THE BUSINESS ENTITY THAT YOU REPRESENT (COLLECTIVELY,
“CUSTOMER”) TO THIS AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THIS AGREEMENT, THEN CISCO IS UNWILLING TO LICENSE THE SOFTWARE TO YOU AND (A) DO NOT DOWNLOAD,
INSTALL OR USE THE SOFTWARE, AND (B) YOU MAY RETURN THE SOFTWARE FOR A FULL REFUND,
OR, IF THE SOFTWARE IS SUPPLIED AS PART OF ANOTHER PRODUCT, YOU MAY RETURN THE ENTIRE
PRODUCT FOR A FULL REFUND. YOUR RIGHT TO RETURN AND REFUND EXPIRES 30 DAYS AFTER
PURCHASE FROM CISCO OR AN AUTHORIZED CISCO RESELLER, AND APPLIES ONLY IF YOU ARE THE
ORIGINAL END USER PURCHASER.
The following terms of this End User License Agreement (“Agreement”) govern Customer’s access and
use of the Software, except to the extent (a) there is a separate signed agreement between Customer
and Cisco governing Customer’s use of the Software or (b) the Software includes a separate
“click-accept” license agreement as part of the installation and/or download process. To the extent of a
conflict between the provisions of the foregoing documents, the order of precedence shall be (1) the
signed agreement, (2) the click-accept agreement, and (3) this End User License Agreement.
License. Conditioned upon compliance with the terms and conditions of this Agreement, Cisco
Systems, Inc. or its subsidiary licensing the Software instead of Cisco Systems, Inc. (“Cisco”), grants to
Customer a nonexclusive and nontransferable license to use for Customer’s internal business purposes
the Software and the Documentation for which Customer has paid the required license fees. “Documentation” means written information (whether contained in user or technical manuals, training materials,
specifications or otherwise) specifically pertaining to the Software and made available by Cisco with the
Software in any manner (including on CD-ROM, or on-line).
5/26/05Legal Information
OL-7426-03
Customer’s license to use the Software shall be limited to, and Customer shall not use the Software in
excess of, a single hardware chassis or card or that number of agent(s), concurrent users, sessions, IP
addresses, port(s), seat(s), server(s) or site(s), as set forth in the applicable Purchase Order which has
been accepted by Cisco and for which Customer has paid to Cisco the required license fee.
Unless otherwise expressly provided in the Documentation, Customer shall use the Software solely as
embedded in, for execution on, or (where the applicable documentation permits installation on
non-Cisco equipment) for communication with Cisco equipment owned or leased by Customer and used
for Customer’s internal business purposes. NOTE: For evaluation or beta copies for which Cisco does
not charge a license fee, the above requirement to pay license fees does not apply.
General Limitations. This is a license, not a transfer of title, to the Software and Documentation, and
Cisco retains ownership of all copies of the Software and Documentation. Customer acknowledges that
the Software and Documentation contain trade secrets of Cisco, its suppliers or licensors, including but
not limited to the specific internal design and structure of individual programs and associated interface
information. Accordingly, except as otherwise expressly provided under this Agreement, Customer shall
have no right, and Customer specifically agrees not to:
(i) transfer, assign or sublicense its license rights to any other person or entity, or use the Software
on unauthorized or secondhand Cisco equipment, and Customer acknowledges that any attempted
transfer, assignment, sublicense or use shall be void;
(ii) make error corrections to or otherwise modify or adapt the Software or create derivative works
based upon the Software, or permit third parties to do the same;
(iii) reverse engineer or decompile, decrypt, disassemble or otherwise reduce the Software to
human-readable form, except to the extent otherwise expressly permitted under applicable law
notwithstanding this restriction;
(iv) use or permit the Software to be used to perform services for third parties, whether on a service
bureau or time sharing basis or otherwise, without the express written authorization of Cisco; or
(v) disclose, provide, or otherwise make available trade secrets contained within the Software and
Documentation in any form to any third party without the prior written consent of Cisco. Customer shall
implement reasonable security measures to protect such trade secrets; or
(vi) use the Software to develop any software application intended for resale which employs the
Software.
To the extent required by law, and at Customer's written request, Cisco shall provide Customer with the
interface information needed to achieve interoperability between the Software and another independently created program, on payment of Cisco's applicable fee, if any. Customer shall observe strict
obligations of confidentiality with respect to such information and shall use such information in compliance with any applicable terms and conditions upon which Cisco makes such information available.
Customer is granted no implied licenses to any other intellectual property rights other than as specifically granted herein.
Software, Upgrades and Additional Copies. For purposes of this Agreement, “Software” shall
include (and the terms and conditions of this Agreement shall apply to) computer programs, including
firmware, as provided to Customer by Cisco or an authorized Cisco reseller, and any upgrades,
updates, bug fixes or modified versions thereto (collectively, “Upgrades”) or backup copies of the
Software licensed or provided to Customer by Cisco or an authorized Cisco reseller. NOTWITHSTANDING ANY OTHER PROVISION OF THIS AGREEMENT: (1) CUSTOMER HAS NO LICENSE OR RIGHT
TO USE ANY ADDITIONAL COPIES OR UPGRADES UNLESS CUSTOMER, AT THE TIME OF ACQUIRING
SUCH COPY OR UPGRADE, ALREADY HOLDS A VALID LICENSE TO THE ORIGINAL SOFTWARE AND HAS
PAID THE APPLICABLE FEE FOR THE UPGRADE OR ADDITIONAL COPIES; (2) USE OF UPGRADES IS
LIMITED TO CISCO EQUIPMENT FOR WHICH CUSTOMER IS THE ORIGINAL END USER PURCHASER OR
LESSEE OR WHO OTHERWISE HOLDS A VALID LICENSE TO USE THE SOFTWARE WHICH IS BEING
UPGRADED; AND (3) THE MAKING AND USE OF ADDITIONAL COPIES IS LIMITED TO NECESSARY
BACKUP PURPOSES ONLY.
Proprietary Notices. Customer agrees to maintain and reproduce all copyright and other proprietary
notices on all copies, in any form, of the Software in the same form and manner that such copyright
and other proprietary notices are included on the Software. Except as expressly authorized in this
Agreement, Customer shall not make any copies or duplicates of any Software without the prior written
permission of Cisco.
Open Source Content. Customer acknowledges that the Software contains open source or publicly
available content under separate license and copyright requirements which are located either in an
attachment to this license, the Software README file or the Documentation. Customer agrees to
comply with such separate license and copyright requirements.
Third Party Beneficiaries. Certain Cisco or Cisco affiliate suppliers are intended third party beneficiaries of this Agreement. The terms and conditions herein are made expressly for the benefit of and are
enforceable by Cisco’s suppliers; provided, however, that suppliers are not in any contractual relationship with Customer. Cisco’s suppliers include without limitation: (a) Hifn, Inc., a Delaware corporation
with principal offices at 750 University Avenue, Los Gatos, California and (b) Wind River Systems, Inc.,
and its suppliers. Additional suppliers may be provided in subsequent updates of Documentation
supplied to Customer.
Term and Termination. This Agreement and the license granted herein shall remain effective until
terminated. Customer may terminate this Agreement and the license at any time by destroying all
copies of Software and any Documentation. Customer’s rights under this Agreement will terminate
immediately without notice from Cisco if Customer fails to comply with any provision of this Agreement.
Cisco and its suppliers are further entitled to obtain injunctive relief if Customer’s use of the Software is
in violation of any license restrictions. Upon termination, Customer shall destroy all copies of Software
and Documentation in its possession or control. All confidentiality obligations of Customer and all limitations of liability and disclaimers and restrictions of warranty shall survive termination of this
Agreement. In addition, the provisions of the sections titled “U.S. Government End User Purchasers”
and “General Terms Applicable to the Limited Warranty Statement and End User License” shall survive
termination of this Agreement.
Customer Records. Customer grants to Cisco and its independent accountants the right to examine
Customer’s books, records and accounts during Customer’s normal business hours to verify compliance
with this Agreement. In the event such audit discloses non-compliance with this Agreement, Customer
shall promptly pay to Cisco the appropriate license fees, plus the reasonable cost of conducting the
audit.
Export. Software and Documentation, including technical data, may be subject to U.S. export control
laws, including the U.S. Export Administration Act and its associated regulations, and may be subject to
export or import regulations in other countries. Customer agrees to comply strictly with all such regulations and acknowledges that it has the responsibility to obtain licenses to export, re-export, or import
Software and Documentation. Customer’s failure to comply with such restrictions shall constitute a
material breach of the Agreement.
U.S. Government End User Purchasers. The Software and Documentation qualify as “commercial
items,” as that term is defined at Federal Acquisition Regulation (“FAR”) (48 C.F.R.) 2.101, consisting of
“commercial computer software” and “commercial computer software documentation” as such terms
are used in FAR 12.212. Consistent with FAR 12.212 and DoD FAR Supp. 227.7202-1 through
227.7202-4, and notwithstanding any other FAR or other contractual clause to the contrary in any
agreement into which this End User License Agreement may be incorporated, Customer may provide to
Government end user or, if this Agreement is direct, Government end user will acquire, the Software
and Documentation with only those rights set forth in this End User License Agreement. Use of either
the Software or Documentation or both constitutes agreement by the Government that the Software
and Documentation are “commercial computer software” and “commercial computer software documentation,” and constitutes acceptance of the rights and restrictions herein.
Limited Warranty
Hardware for 1000 Series Access Points. Cisco Systems, Inc., or the Cisco Systems, Inc. subsidiary
selling the Product (“Cisco”) warrants that commencing from the date of shipment to Customer (and in
case of resale by a Cisco reseller, commencing not more than ninety (90) days after original shipment
by Cisco), and continuing for a period of one (1) year, the Hardware will be free from defects in
material and workmanship under normal use. The date of shipment of a Product by Cisco is set forth on
the packaging material in which the Product is shipped. This limited warranty extends only to the
original user of the Product. Customer's sole and exclusive remedy and the entire liability of Cisco and
its suppliers under this limited warranty will be, at Cisco's or its service center's option, shipment of a
replacement within the warranty period and according to the replacement process described in the
Warranty Card (if any), or if no Warranty Card, as described at www.cisco.com/en/US/products/prod_warranties_listing.html
or a refund of the purchase price if the Hardware is returned to the party
supplying it to Customer, freight and insurance prepaid. Cisco replacement parts used in Hardware
replacement may be new or equivalent to new. Cisco's obligations hereunder are conditioned upon the
return of affected Hardware in accordance with Cisco's or its service center's then-current Return
Material Authorization (RMA) procedures.
Hardware for Cisco 2000 Series Wireless LAN Controllers, Cisco 2700 Series Location Appliances, Cisco 4100 Series Wireless LAN Controllers, and Cisco 4400 Series Wireless LAN
Controllers. Cisco Systems, Inc., or the Cisco Systems, Inc. subsidiary selling the Product (“Cisco”)
warrants that commencing from the date of shipment to Customer (and in case of resale by a Cisco
reseller, commencing not more than ninety (90) days after original shipment by Cisco), and continuing
for a period of ninety (90) days, the Hardware will be free from defects in material and workmanship
under normal use. The date of shipment of a Product by Cisco is set forth on the packaging material in
which the Product is shipped. This limited warranty extends only to the original user of the Product.
Customer's sole and exclusive remedy and the entire liability of Cisco and its suppliers under this
limited warranty will be, at Cisco's or its service center's option, shipment of a replacement within the
warranty period and according to the replacement process described in the Warranty Card (if any), or if
no Warranty Card, as described at www.cisco.com/en/US/products/prod_warranties_listing.html or a
refund of the purchase price if the Hardware is returned to the party supplying it to Customer, freight
and insurance prepaid. Cisco replacement parts used in Hardware replacement may be new or equivalent to new. Cisco's obligations hereunder are conditioned upon the return of affected Hardware in
accordance with Cisco's or its service center's then-current Return Material Authorization (RMA)
procedures.
Software. Cisco warrants that commencing from the date of shipment to Customer (but in case of
resale by an authorized Cisco reseller, commencing not more than ninety (90) days after original
shipment by Cisco), and continuing for a period of the longer of (a) ninety (90) days or (b) the software
warranty period (if any) set forth in the warranty card accompanying the Product (if any): (a) the
media on which the Software is furnished will be free of defects in materials and workmanship under
normal use; and (b) the Software substantially conforms to its published specifications. The date of
shipment of a Product by Cisco is set forth on the packaging material in which the Product is shipped.
Except for the foregoing, the Software is provided AS IS. This limited warranty extends only to the
Customer who is the original licensee. Customer's sole and exclusive remedy and the entire liability of
Cisco and its suppliers and licensors under this limited warranty will be, at Cisco's option, repair,
replacement, or refund of the Software if reported (or, upon request, returned) to Cisco or the party
supplying the Software to Customer. In no event does Cisco warrant that the Software is error free or
that Customer will be able to operate the Software without problems or interruptions. In addition, due
to the continual development of new techniques for intruding upon and attacking networks, Cisco does
not warrant that the Software or any equipment, system or network on which the Software is used will
be free of vulnerability to intrusion or attack.
Restrictions. This warranty does not apply if the Software, Product or any other equipment upon
which the Software is authorized to be used (a) has been altered, except by Cisco or its authorized
representative, (b) has not been installed, operated, repaired, or maintained in accordance with
instructions supplied by Cisco, (c) has been subjected to abnormal physical or electrical stress, misuse,
negligence, or accident; or (d) is licensed, for beta, evaluation, testing or demonstration purposes for
which Cisco does not charge a purchase price or license fee.
Disclaimer of Warranty
EXCEPT AS SPECIFIED IN THIS WARRANTY, ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES INCLUDING, WITHOUT LIMITATION, ANY IMPLIED
WARRANTY OR CONDITION OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE,
NON-INFRINGEMENT, SATISFACTORY QUALITY, NON-INTERFERENCE, ACCURACY OF INFORMATIONAL CONTENT, OR ARISING FROM A COURSE OF DEALING, LAW, USAGE, OR TRADE
PRACTICE, ARE HEREBY EXCLUDED TO THE EXTENT ALLOWED BY APPLICABLE LAW AND ARE
EXPRESSLY DISCLAIMED BY CISCO, ITS SUPPLIERS AND LICENSORS. TO THE EXTENT AN
IMPLIED WARRANTY CANNOT BE EXCLUDED, SUCH WARRANTY IS LIMITED IN DURATION
TO THE EXPRESS WARRANTY PERIOD. BECAUSE SOME STATES OR JURISDICTIONS DO NOT
ALLOW LIMITATIONS ON HOW LONG AN IMPLIED WARRANTY LASTS, THE ABOVE LIMITATION MAY NOT APPLY. THIS WARRANTY GIVES CUSTOMER SPECIFIC LEGAL RIGHTS, AND
CUSTOMER MAY ALSO HAVE OTHER RIGHTS WHICH VARY FROM JURISDICTION TO JURISDICTION. This disclaimer and exclusion shall apply even if the express warranty set forth above fails of
its essential purpose.
General Terms Applicable to the Limited Warranty Statement and End User License Agreement
Disclaimer of Liabilities. REGARDLESS WHETHER ANY REMEDY SET FORTH HEREIN FAILS OF ITS
ESSENTIAL PURPOSE OR OTHERWISE, IN NO EVENT WILL CISCO OR ITS SUPPLIERS BE LIABLE FOR
ANY LOST REVENUE, PROFIT, OR LOST OR DAMAGED DATA, BUSINESS INTERRUPTION, LOSS OF
CAPITAL, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL, OR PUNITIVE DAMAGES
HOWEVER CAUSED AND REGARDLESS OF THE THEORY OF LIABILITY OR WHETHER ARISING OUT OF
THE USE OF OR INABILITY TO USE SOFTWARE OR OTHERWISE AND EVEN IF CISCO OR ITS SUPPLIERS
OR LICENSORS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. In no event shall
Cisco's or its suppliers' or licensors’ liability to Customer, whether in contract, tort (including negligence), breach of warranty, or otherwise, exceed the price paid by Customer for the Software that gave
rise to the claim or if the Software is part of another Product, the price paid for such other Product.
BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATION OR EXCLUSION OF CONSEQUENTIAL OR INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU.
Customer agrees that the limitations of liability and disclaimers set forth herein will apply regardless of
whether Customer has accepted the Software or any other product or service delivered by Cisco.
Customer acknowledges and agrees that Cisco has set its prices and entered into this Agreement in
reliance upon the disclaimers of warranty and the limitations of liability set forth herein, that the same
reflect an allocation of risk between the parties (including the risk that a contract remedy may fail of its
essential purpose and cause consequential loss), and that the same form an essential basis of the
bargain between the parties.
The Warranty and the End User License shall be governed by and construed in accordance with the laws
of the State of California, without reference to or application of choice of law rules or principles. The
United Nations Convention on the International Sale of Goods shall not apply. If any portion hereof is
found to be void or unenforceable, the remaining provisions of the Agreement shall remain in full force
and effect. Except as expressly provided herein, this Agreement constitutes the entire agreement
between the parties with respect to the license of the Software and Documentation and supersedes any
conflicting or additional terms contained in any purchase order or elsewhere, all of which terms are
excluded. This Agreement has been written in the English language, and the parties agree that the
English version will govern. For warranty or license terms which may apply in particular countries and
for translations of the above information please contact the Cisco Legal Department, 300 E. Tasman
Drive, San Jose, California 95134.
Additional Open Source Terms
GNU General Public License. Certain portions of the Software are licensed under and Customer’s use
of such portions are subject to the GNU General Public License version 2. A copy of the license is
available at www.fsf.org or by writing to licensing@fsf.org or the Free Software Foundation, 59 Temple
Place, Suite 330, Boston, MA 02111-1307. Source code governed by the GNU General Public License
version 2 is available upon written request to the Cisco Legal Department, 300 E. Tasman Drive, San
Jose, California 95134.
Copyright (c) 1983, 1990, 1992, 1993, 1995 The Regents of the University of California. All rights
reserved.
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS
OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Components of the software are provided under a standard 2-term BSD license with the following
names as copyright holders:
•Markus Friedl
•Theo de Raadt
•Niels Provos
•Dug Song
•Aaron Campbell
•Damien Miller
•Kevin Steves
Trademarks and Service Marks
CCSP, CCVP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the
Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, ASIST,
BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press,
Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Empowering the Internet Generation, Enterprise/Solver,
EtherChannel, EtherFast, EtherSwitch, Fast Step, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet, StrataView
Plus, TeleRouter, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc.
and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner
does not imply a partnership relationship between Cisco and any other company. (0502R)
Obtaining Documentation
Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several
ways to obtain technical assistance and other technical resources. These sections explain how to obtain
technical information from Cisco Systems.
Cisco.com
You can access the most current Cisco documentation at this URL:
http://www.cisco.com/univercd/home/home.htm
You can access the Cisco website at this URL:
http://www.cisco.com
You can access international Cisco websites at this URL:
Cisco documentation and additional literature are available in a Documentation DVD package, which
may have shipped with your product. The Documentation DVD is updated regularly and may be more
current than printed documentation. The Documentation DVD package is available as a single unit.
Registered Cisco.com users (Cisco direct customers) can order a Cisco Documentation DVD (product
number DOC-DOCDVD=) from the Ordering tool or Cisco Marketplace.
Cisco Ordering tool:
http://www.cisco.com/en/US/partner/ordering/
Cisco Marketplace:
http://www.cisco.com/go/marketplace/
Ordering Documentation
You can find instructions for ordering documentation at this URL:
•Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation
from the Ordering tool:
http://www.cisco.com/en/US/partner/ordering/
•Nonregistered Cisco.com users can order documentation through a local account representative
by calling Cisco Systems Corporate Headquarters (California, USA) at 408 526-7208 or,
elsewhere in North America, by calling 1 800 553-NETS (6387).
Documentation Feedback
You can send comments about technical documentation to bug-doc@cisco.com.
You can submit comments by using the response card (if present) behind the front cover of your
document or by writing to the following address:
Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883
•Report security vulnerabilities in Cisco products.
•Obtain assistance with security incidents that involve Cisco products.
•Register to receive security information from Cisco.
A current list of security advisories and notices for Cisco products is available at this URL:
http://www.cisco.com/go/psirt
If you prefer to see advisories and notices as they are updated in real time, you can access a Product
Security Incident Response Team Really Simple Syndication (PSIRT RSS) feed from this URL:
Reporting Security Problems in Cisco Products
Cisco is committed to delivering secure products. We test our products internally before we release
them, and we strive to correct all vulnerabilities quickly. If you think that you might have identified a
vulnerability in a Cisco product, contact PSIRT:
•Emergencies— security-alert@cisco.com
•Nonemergencies— psirt@cisco.com
Tip: We encourage you to use Pretty Good Privacy (PGP) or a compatible product to
encrypt any sensitive information that you send to Cisco. PSIRT can work from
encrypted information that is compatible with PGP versions 2.x through 8.x.
Never use a revoked or an expired encryption key. The correct public key to use in your correspondence with PSIRT is the one that has the most recent creation date in this public key server list:
For all customers, partners, resellers, and distributors who hold valid Cisco service contracts, Cisco
Technical Support provides 24-hour-a-day, award-winning technical assistance. The Cisco Technical
Support Website on Cisco.com features extensive online support resources. In addition, Cisco Technical
Assistance Center (TAC) engineers provide telephone support. If you do not hold a valid Cisco service
contract, contact your reseller.
Cisco Technical Support Website
The Cisco Technical Support Website provides online documents and tools for troubleshooting and
resolving technical issues with Cisco products and technologies. The website is available 24 hours a
day, 365 days a year, at this URL:
http://www.cisco.com/techsupport
Access to all tools on the Cisco Technical Support Website requires a Cisco.com user ID and password.
If you have a valid service contract but do not have a user ID or password, you can register at this URL:
http://tools.cisco.com/RPF/register/register.do
Note: Use the Cisco Product Identification (CPI) tool to locate your product serial
number before submitting a web or phone request for service. You can access the
CPI tool from the Cisco Technical Support Website by clicking the Tools &
Resources link under Documentation & Tools. Choose Cisco Product Identification
Tool from the Alphabetical Index drop-down list, or click the Cisco Product
Identification Tool link under Alerts & RMAs. The CPI tool offers three search
options: by product ID or model name; by tree view; or for certain products, by
copying and pasting show command output. Search results show an illustration of
your product with the serial number label location highlighted. Locate the serial
number label on your product and record the information before placing a service
call.
Submitting a Service Request
Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3
and S4 service requests are those in which your network is minimally impaired or for which you require
product information.) After you describe your situation, the TAC Service Request Tool provides recommended solutions. If your issue is not resolved using the recommended resources, your service request
is assigned to a Cisco TAC engineer. The TAC Service Request Tool is located at this URL:
http://www.cisco.com/techsupport/servicerequest
For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely
degraded.) Cisco TAC engineers are assigned immediately to S1 and S2 service requests to help keep
your business operations running smoothly.
To open a service request by telephone, use one of the following numbers:
For a complete list of Cisco TAC contacts, go to this URL:
http://www.cisco.com/techsupport/contacts
5/26/05Obtaining Technical Assistance
OL-7426-03
Definitions of Service Request Severity
To ensure that all service requests are reported in a standard format, Cisco has established severity
definitions.
•Severity 1 (S1)—Your network is “down,” or there is a critical impact to your business
operations. You and Cisco will commit all necessary resources around the clock to resolve the
situation.
•Severity 2 (S2)—Operation of an existing network is severely degraded, or significant aspects
of your business operation are negatively affected by inadequate performance of Cisco
products. You and Cisco will commit full-time resources during normal business hours to
resolve the situation.
•Severity 3 (S3)—Operational performance of your network is impaired, but most business
operations remain functional. You and Cisco will commit resources during normal business
hours to restore service to satisfactory levels.
•Severity 4 (S4)—You require information or assistance with Cisco product capabilities,
installation, or configuration. There is little or no effect on your business operations.
Obtaining Additional Publications and Information
Information about Cisco products, technologies, and network solutions is available from various online
and printed sources.
•Cisco Marketplace provides a variety of Cisco books, reference guides, and logo merchandise.
Visit Cisco Marketplace, the company store, at this URL:
http://www.cisco.com/go/marketplace/
•Cisco Press publishes a wide range of general networking, training and certification titles. Both
new and experienced users will benefit from these publications. For current Cisco Press titles
and other information, go to Cisco Press at this URL:
http://www.ciscopress.com
•Packet magazine is the Cisco Systems technical user magazine for maximizing Internet and
networking investments. Each quarter, Packet delivers coverage of the latest industry trends,
technology breakthroughs, and Cisco products and solutions, as well as network deployment
and troubleshooting tips, configuration examples, customer case studies, certification and
training information, and links to scores of in-depth online resources. You can access Packet
magazine at this URL:
http://www.cisco.com/packet
•iQ Magazine is the quarterly publication from Cisco Systems designed to help growing
companies learn how they can use technology to increase revenue, streamline their business,
and expand services. The publication identifies the challenges facing these companies and the
technologies to help solve them, using real-world case studies and business strategies to help
readers make sound technology investment decisions. You can access iQ Magazine at this URL:
http://www.cisco.com/go/iqmagazine
•Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering
professionals involved in designing, developing, and operating public and private internets and
intranets. You can access the Internet Protocol Journal at this URL:
http://www.cisco.com/ipj
•World-class networking training is available from Cisco. You can view current offerings at
this URL:
http://www.cisco.com/en/US/learning/index.html
FCC Statements for Cisco 1000 Series Lightweight Access Points
This section includes the following FCC statements for Cisco 1000 Series lightweight access points:
•Class A Statement
•RF Radiation Hazard Warning
•Non-Modification Statement
•Deployment Statement
Class A Statement
This equipment has been tested and found to comply with the limits for a Class A digital device,
pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection
against harmful interference when the equipment is operated in a commercial environment. This
equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in
accordance with the instruction manual, may cause harmful interference to radio communications.
Operation of this equipment in a residential area is likely to cause harmful interference in which case
the user will be required to correct the interference at his own expense.
To ensure compliance with FCC RF exposure requirements, this device must be installed in a location
such that the antenna of the device will be greater than 20 cm (8 in.) from all persons. Using higher
gain antennas and types of antennas not covered under the FCC certification of this product is not
allowed.
Installers of the radio and end users of the Cisco Wireless LAN Solution must adhere to the installation
instructions provided in this manual.
Use only the supplied internal antenna, or external antennas supplied by the manufacturer. Unauthorized antennas, modifications, or attachments could damage the badge and could violate FCC
regulations and void the user’s authority to operate the equipment.
Note: Refer to the Cisco WLAN Solution Release Notes for 802.11a external antenna
information. Contact Cisco for a list of FCC-approved 802.11a and 802.11b/g
external antennas.
Deployment Statement
This product is certified for indoor deployment only. Do not install or use this product outdoors.
Industry Canada Required User Information for Cisco 1000 Series
Lightweight Access Points
This device has been designed to operate with antennae having maximum gains of 7.8 dBi (2.4 GHz)
and 7.4 dBi (5 GHz).
Antennae having higher gains are strictly prohibited per regulations of Industry Canada. The required
antenna impedance is 50 ohms.
To reduce potential radio interference to other users, the antenna type and its gain should be so chosen
that the equivalent isotropically radiated power (EIRP) is not more than that required for successful
communication.
FCC Statements for Cisco 2000 Series Wireless LAN Controllers
This equipment has been tested and found to comply with the limits for a Class B digital device,
pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection
against harmful interference in a residential installation. This equipment generates, uses and can
radiate radio frequency energy and, if not installed and used in accordance with the instructions, may
cause harmful interference to radio communications. However, there is no guarantee that interference
will not occur in a particular installation. If this equipment does cause harmful interference to radio or
television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
•Reorient or relocate the receiving antenna.
•Increase the separation between the equipment and receiver.
•Connect the equipment into an outlet on a circuit different from that to which the receiver is
connected.
•Consult the dealer or an experienced radio/TV technician for help. [cfr reference 15.105]
FCC Statements for Cisco 4100 Series Wireless LAN Controllers and
Cisco 4400 Series Wireless LAN Controllers
The Cisco 4100 Series Wireless LAN Controller and Cisco 4400 Series Wireless LAN Controller
equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to
Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful
interference when the equipment is operated in a commercial environment. This equipment generates,
uses, and can radiate radio frequency energy and, if not installed and used in accordance with the
instruction manual, may cause harmful interference to radio communications. Operation of this
equipment in a residential area is likely to cause harmful interference in which case the user will be
required to correct the interference at his own expense.
Safety Considerations
Warning
This warning symbol means danger. You are in a situation that could cause bodily
injury. Before you work on any equipment, be aware of the hazards involved with
electrical circuitry and be familiar with standard practices for preventing accidents.
Use the statement number provided at the end of each warning to locate its translation in the translated safety warnings that accompanied this device. Statement 1071
•The 1000BASE-SX and 1000BASE-LX SFP modules and AIR-WLC4112-K9, AIR-WLC4124-K9,
and AIR-WLC4136-K9 Cisco 4100 Series Wireless LAN Controllers contain Class 1 Lasers (Laser
Klasse 1) according to EN 60825-1+A1+A2.
Warning
Class 1 laser product. Statement 1008
Waarschuwing
Klasse-1 laser produkt.
Varoitus
Luokan 1 lasertuote.
Attention
Produit laser de classe 1.
Warnung
Laserprodukt der Klasse 1.
Avvertenza
Prodotto laser di Classe 1.
Advarsel
Laserprodukt av klasse 1.
Aviso
Produto laser de classe 1.
¡Advertencia!
Producto láser Clase I.
Varning!
Laserprodukt av klass 1.
Aviso
Produto a laser de classe 1.
Advarsel
Klasse 1 laserprodukt.
•The Cisco 1000 Series lightweight access points with or without external antenna ports are only
intended for installation in Environment A as defined in IEEE 802.3af. All interconnected
equipment must be contained within the same building including the interconnected
equipment's associated LAN connections.
•For AP1020 and AP1030 Cisco 1000 Series lightweight access points provided with optional
external antenna ports, make sure that all external antennas and their associated wiring are
located entirely indoors. Cisco 1000 Series lightweight access points and their optional external
antennas are not suitable for outdoor use.
•MAKE SURE that plenum-mounted Cisco 1000 Series lightweight access points are powered
using Power over Ethernet (PoE) to comply with safety regulations.
•For all Cisco Wireless LAN Controllers, verify that the ambient temperature remains between 0
and 40° C (32 and 104° F), taking into account the elevated temperatures that occur when
they are installed in a rack.
•When multiple Cisco Wireless LAN Controllers are mounted in an equipment rack, be sure that
the power source is sufficiently rated to safely run all of the equipment in the rack.
•Verify the integrity of the ground before installing Cisco Wireless LAN Controllers in an
equipment rack.
•Suitable for use in environmental air space in accordance with Section 300.22.C of the National
Electrical Code, and Sections 2-128, 12-010(3) and 12-100 of the Canadian Electrical Code,
Part 1, C22.1.
Warning
This equipment must be grounded. Never defeat the ground conductor or operate the
equipment in the absence of a suitably installed ground conductor. Contact the
appropriate electrical inspection authority or an electrician if you are uncertain that
suitable grounding is available. Statement 1024
Waarschuwing
Deze apparatuur dient geaard te zijn. De aardingsleiding mag nooit buiten werking
worden gesteld en de apparatuur mag nooit bediend worden zonder dat er een op de
juiste wijze geïnstalleerde aardingsleiding aanwezig is. Neem contact op met de
bevoegde instantie voor elektrische inspecties of met een elektricien als u er niet
zeker van bent dat er voor passende aarding gezorgd is.
Varoitus
Laitteiden on oltava maadoitettuja. Älä koskaan ohita maajohdinta tai käytä laitteita
ilman oikein asennettua maajohdinta. Ota yhteys sähkötarkastusviranomaiseen tai
sähköasentajaan, jos olet epävarma maadoituksen sopivuudesta.
Attention
Cet équipement doit être mis à la masse. Ne jamais rendre inopérant le conducteur
de masse ni utiliser l'équipement sans un conducteur de masse adéquatement
installé. En cas de doute sur la mise à la masse appropriée disponible, s'adresser à
l'organisme responsable de la sécurité électrique ou à un électricien.
Warnung
Dieses Gerät muss geerdet sein. Auf keinen Fall den Erdungsleiter unwirksam
machen oder das Gerät ohne einen sachgerecht installierten Erdungsleiter
verwenden. Wenn Sie sich nicht sicher sind, ob eine sachgerechte Erdung vorhanden
ist, wenden Sie sich an die zuständige Inspektionsbehörde oder einen Elektriker.
Avvertenza
Questa apparecchiatura deve essere dotata di messa a terra. Non escludere mai il
conduttore di protezione né usare l'apparecchiatura in assenza di un conduttore di
protezione installato in modo corretto. Se non si è certi della disponibilità di un
adeguato collegamento di messa a terra, richiedere un controllo elettrico presso le
autorità competenti o rivolgersi a un elettricista.
Advarsel
Dette utstyret må jordes. Omgå aldri jordingslederen og bruk aldri utstyret uten riktig
montert jordingsleder. Ta kontakt med fagfolk innen elektrisk inspeksjon eller med en
elektriker hvis du er usikker på om det finnes velegnet jordning.
Aviso
Este equipamento deve ser aterrado. Nunca anule o fio terra nem opere o equipamento sem um aterramento adequadamente instalado. Em caso de dúvida com
relação ao sistema de aterramento disponível, entre em contato com os serviços
locais de inspeção elétrica ou um eletricista qualificado.
¡Advertencia!
Este equipo debe estar conectado a tierra. No inhabilite el conductor de tierra ni haga
funcionar el equipo si no hay un conductor de tierra instalado correctamente.
Póngase en contacto con la autoridad correspondiente de inspección eléctrica o con
un electricista si no está seguro de que haya una conexión a tierra adecuada.
Varning!
Denna utrustning måste jordas. Koppla aldrig från jordledningen och använd aldrig
utrustningen utan en på lämpligt sätt installerad jordledning. Om det föreligger
osäkerhet huruvida lämplig jordning finns skall elektrisk besiktningsauktoritet eller
elektriker kontaktas.
Warning
To prevent bodily injury when mounting or servicing a unit in a rack, you must take
special precautions to ensure that the system remains stable. The following guidelines are provided to ensure your safety:
• This unit should be mounted at the bottom of the rack if it is the only unit in the
rack.
• When mounting this unit in a partially filled rack, load the rack from the bottom to
the top with the heaviest component at the bottom of the rack.
• If the rack is provided with stabilizing devices, install the stabilizers before
mounting or servicing the unit in the rack. Statement 1006
Waarschuwing
Om lichamelijk letsel te voorkomen wanneer u dit toestel in een rek monteert of het
daar een servicebeurt geeft, moet u speciale voorzorgsmaatregelen nemen om
ervoor te zorgen dat het toestel stabiel blijft. De onderstaande richtlijnen worden
verstrekt om uw veiligheid te verzekeren:
• Dit toestel dient onderaan in het rek gemonteerd te worden als het toestel het enige
in het rek is.
• Wanneer u dit toestel in een gedeeltelijk gevuld rek monteert, dient u het rek van
onderen naar boven te laden met het zwaarste onderdeel onderaan in het rek.
• Als het rek voorzien is van stabiliseringshulpmiddelen, dient u de stabilisatoren te
monteren voordat u het toestel in het rek monteert of het daar een servicebeurt
geeft.
Varoitus
Kun laite asetetaan telineeseen tai huolletaan sen ollessa telineessä, on noudatettava
erityisiä varotoimia järjestelmän vakavuuden säilyttämiseksi, jotta vältytään
loukkaantumiselta. Noudata seuraavia turvallisuusohjeita:
• Jos telineessä ei ole muita laitteita, aseta laite telineen alaosaan.
• Jos laite asetetaan osaksi täytettyyn telineeseen, aloita kuormittaminen sen
alaosasta kaikkein raskaimmalla esineellä ja siirry sitten sen yläosaan.
• Jos telinettä varten on vakaimet, asenna ne ennen laitteen asettamista telineeseen
tai sen huoltamista siinä.
Attention
Pour éviter toute blessure corporelle pendant les opérations de montage ou de
réparation de cette unité en casier, il convient de prendre des précautions spéciales
afin de maintenir la stabilité du système. Les directives ci-dessous sont destinées à
assurer la protection du personnel :
• Si cette unité constitue la seule unité montée en casier, elle doit être placée dans le
bas.
• Si cette unité est montée dans un casier partiellement rempli, charger le casier de
bas en haut en plaçant l'élément le plus lourd dans le bas.
• Si le casier est équipé de dispositifs stabilisateurs, installer les stabilisateurs avant
de monter ou de réparer l'unité en casier.
Warnung
Zur Vermeidung von Körperverletzung beim Anbringen oder Warten dieser Einheit in
einem Gestell müssen Sie besondere Vorkehrungen treffen, um sicherzustellen, daß
das System stabil bleibt. Die folgenden Richtlinien sollen zur Gewährleistung Ihrer
Sicherheit dienen:
• Wenn diese Einheit die einzige im Gestell ist, sollte sie unten im Gestell angebracht
werden.
• Bei Anbringung dieser Einheit in einem zum Teil gefüllten Gestell ist das Gestell von
unten nach oben zu laden, wobei das schwerste Bauteil unten im Gestell anzubringen ist.
• Wird das Gestell mit Stabilisierungszubehör geliefert, sind zuerst die Stabilisatoren
zu installieren, bevor Sie die Einheit im Gestell anbringen oder sie warten.
Avvertenza
Per evitare infortuni fisici durante il montaggio o la manutenzione di questa unità in
un supporto, occorre osservare speciali precauzioni per garantire che il sistema
rimanga stabile. Le seguenti direttive vengono fornite per garantire la sicurezza
personale:
• Questa unità deve venire montata sul fondo del supporto, se si tratta dell’unica
unità da montare nel supporto.
• Quando questa unità viene montata in un supporto parzialmente pieno, caricare il
supporto dal basso all’alto, con il componente più pesante sistemato sul fondo del
supporto.
• Se il supporto è dotato di dispositivi stabilizzanti, installare tali dispositivi prima di
montare o di procedere alla manutenzione dell’unità nel supporto.
Advarsel
Unngå fysiske skader under montering eller reparasjonsarbeid på denne enheten når
den befinner seg i et kabinett. Vær nøye med at systemet er stabilt. Følgende
retningslinjer er gitt for å verne om sikkerheten:
• Denne enheten bør monteres nederst i kabinettet hvis dette er den eneste enheten
i kabinettet.
• Ved montering av denne enheten i et kabinett som er delvis fylt, skal kabinettet
lastes fra bunnen og opp med den tyngste komponenten nederst i kabinettet.
• Hvis kabinettet er utstyrt med stabiliseringsutstyr, skal stabilisatorene installeres
før montering eller utføring av reparasjonsarbeid på enheten i kabinettet.
Aviso
Para se prevenir contra danos corporais ao montar ou reparar esta unidade numa
estante, deverá tomar precauções especiais para se certificar de que o sistema possui
um suporte estável. As seguintes directrizes ajudá-lo-ão a efectuar o seu trabalho
com segurança:
• Esta unidade deverá ser montada na parte inferior da estante, caso seja esta a
única unidade a ser montada.
• Ao montar esta unidade numa estante parcialmente ocupada, coloque os itens mais
pesados na parte inferior da estante, arrumando-os de baixo para cima.
• Se a estante possuir um dispositivo de estabilização, instale-o antes de montar ou
reparar a unidade.
¡Advertencia!
Para evitar lesiones durante el montaje de este equipo sobre un bastidor, o posteriormente durante su mantenimiento, se debe poner mucho cuidado en que el sistema
quede bien estable. Para garantizar su seguridad, proceda según las siguientes
instrucciones:
• Colocar el equipo en la parte inferior del bastidor, cuando sea la única unidad en el
mismo.
• Cuando este equipo se vaya a instalar en un bastidor parcialmente ocupado,
comenzar la instalación desde la parte inferior hacia la superior colocando el equipo
más pesado en la parte inferior.
• Si el bastidor dispone de dispositivos estabilizadores, instalar éstos antes de montar
o proceder al mantenimiento del equipo instalado en el bastidor.
Varning!
För att undvika kroppsskada när du installerar eller utför underhållsarbete på denna
enhet på en ställning måste du vidta särskilda försiktighetsåtgärder för att försäkra
dig om att systemet står stadigt. Följande riktlinjer ges för att trygga din säkerhet:
• Om denna enhet är den enda enheten på ställningen skall den installeras längst ned
på ställningen.
• Om denna enhet installeras på en delvis fylld ställning skall ställningen fyllas
nedifrån och upp, med de tyngsta enheterna längst ned på ställningen.
• Om ställningen är försedd med stabiliseringsdon skall dessa monteras fast innan
enheten installeras eller underhålls på ställningen.
Aviso
Para evitar lesões corporais ao montar ou dar manutenção a esta unidade em um
rack, é necessário tomar todas as precauções para garantir a estabilidade do sistema.
As seguintes orientações são fornecidas para garantir a sua segurança:
• Se esta for a única unidade, ela deverá ser montada na parte inferior do rack.
• Ao montar esta unidade em um rack parcialmente preenchido, carregue-o de baixo
para cima com o componente mais pesado em sua parte inferior.
• Se o rack contiver dispositivos estabilizadores, instale-os antes de montar ou dar
manutenção à unidade existente.
Advarsel
For at forhindre legemesbeskadigelse ved montering eller service af denne enhed i et
rack, skal du sikre at systemet står stabilt. Følgende retningslinjer er også for din
sikkerheds skyld:
• Enheden skal monteres i bunden af dit rack, hvis det er den eneste enhed i racket.
• Ved montering af denne enhed i et delvist fyldt rack, skal enhederne installeres fra
bunden og opad med den tungeste enhed nederst.
• Hvis racket leveres med stabiliseringsenheder, skal disse installeres for enheden
monteres eller serviceres i racket.
Warning
There is the danger of explosion if the Cisco 4400 Series Wireless LAN Controller
battery is replaced incorrectly. Replace the battery only with the same or equivalent
type recommended by the manufacturer. Dispose of used batteries according to the
manufacturer’s instructions. Statement 1015
Waarschuwing
Er is ontploffingsgevaar als de batterij verkeerd vervangen wordt. Vervang de
batterij slechts met hetzelfde of een equivalent type dat door de fabrikant
aanbevolen is. Gebruikte batterijen dienen overeenkomstig fabrieksvoorschriften
weggeworpen te worden.
Varoitus
Räjähdyksen vaara, jos akku on vaihdettu väärään akkuun. Käytä vaihtamiseen
ainoastaan saman- tai vastaavantyyppistä akkua, joka on valmistajan suosittelema.
Hävitä käytetyt akut valmistajan ohjeiden mukaan.
Attention
Danger d'explosion si la pile n'est pas remplacée correctement. Ne la remplacer que
par une pile de type semblable ou équivalent, recommandée par le fabricant. Jeter
les piles usagées conformément aux instructions du fabricant.
Warnung
Bei Einsetzen einer falschen Batterie besteht Explosionsgefahr. Ersetzen Sie die
Batterie nur durch den gleichen oder vom Hersteller empfohlenen Batterietyp.
Entsorgen Sie die benutzten Batterien nach den Anweisungen des Herstellers.
Avvertenza
Pericolo di esplosione se la batteria non è installata correttamente. Sostituire solo
con una di tipo uguale o equivalente, consigliata dal produttore. Eliminare le batterie
usate secondo le istruzioni del produttore.
Advarsel
Det kan være fare for eksplosjon hvis batteriet skiftes på feil måte. Skift kun med
samme eller tilsvarende type som er anbefalt av produsenten. Kasser brukte
batterier i henhold til produsentens instruksjoner.
Aviso
Existe perigo de explosão se a bateria for substituída incorrectamente. Substitua a
bateria por uma bateria igual ou de um tipo equivalente recomendado pelo fabricante. Destrua as baterias usadas conforme as instruções do fabricante.
¡Advertencia!
Existe peligro de explosión si la batería se reemplaza de manera incorrecta.
Reemplazar la batería exclusivamente con el mismo tipo o el equivalente
recomendado por el fabricante. Desechar las baterías gastadas según las instrucciones del fabricante.
Varning!
Explosionsfara vid felaktigt batteribyte. Ersätt endast batteriet med samma
batterityp som rekommenderas av tillverkaren eller motsvarande. Följ tillverkarens
anvisningar vid kassering av använda batterier.
Warning
Only trained and qualified personnel should be allowed to install, replace, or service
this equipment. Statement 1030
Waarschuwing
Deze apparatuur mag alleen worden geïnstalleerd, vervangen of hersteld door
bevoegd geschoold personeel.
Varoitus
Tämän laitteen saa asentaa, vaihtaa tai huoltaa ainoastaan koulutettu ja laitteen
tunteva henkilökunta.
Attention
Il est vivement recommandé de confier l'installation, le remplacement et la maintenance de ces équipements à des personnels qualifiés et expérimentés.
Warnung
Das Installieren, Ersetzen oder Bedienen dieser Ausrüstung sollte nur geschultem,
qualifiziertem Personal gestattet werden.
Avvertenza
Questo apparato può essere installato, sostituito o mantenuto unicamente da un
personale competente.
Advarsel
Bare opplært og kvalifisert personell skal foreta installasjoner, utskiftninger eller
service på dette utstyret.
Aviso
Apenas pessoal treinado e qualificado deve ser autorizado a instalar, substituir ou
fazer a revisão deste equipamento.
¡Advertencia!
Solamente el personal calificado debe instalar, reemplazar o utilizar este equipo.
Varning!
Endast utbildad och kvalificerad personal bör få tillåtelse att installera, byta ut eller
reparera denna utrustning.
Aviso
Somente uma equipe treinada e qualificada tem permissão para instalar, substituir
ou dar manutenção a este equipamento.
Advarsel
Kun uddannede personer må installere, udskifte komponenter i eller servicere dette
udstyr.
Warning
The Cisco 4400 Series Wireless LAN Controller might have more than one power
supply connection. All connections must be removed to de-energize the unit.
Statement 1028
Waarschuwing
Deze eenheid kan meer dan één stroomtoevoeraansluiting bevatten. Alle aansluitingen dienen ontkoppeld te worden om de eenheid te ontkrachten.
Varoitus
Tässä laitteessa voi olla useampia kuin yksi virtakytkentä. Kaikki liitännät on
irrotettava, jotta jännite poistetaan laitteesta.
Attention
Cette unité peut avoir plus d'une connexion d'alimentation. Pour supprimer toute
tension et tout courant électrique de l'unité, toutes les connexions d'alimentation
doivent être débranchées.
Warnung
Dieses Gerät kann mehr als eine Stromzufuhr haben. Um sicherzustellen, dass der
Einheit kein Strom zugeführt wird, müssen alle Verbindungen entfernt werden.
Avvertenza
Questa unità può avere più di una connessione all'alimentazione elettrica. Tutte le
connessioni devono essere staccate per togliere la corrente dall'unità.
Advarsel
Denne enheten kan ha mer enn én strømtilførselskobling. Alle koblinger må fjernes
fra enheten for å utkoble all strøm.
Aviso
Esta unidade poderá ter mais de uma conexão de fonte de energia. Todas as
conexões devem ser removidas para desligar a unidade.
¡Advertencia!
Puede que esta unidad tenga más de una conexión para fuentes de alimentación.
Para cortar por completo el suministro de energía, deben desconectarse todas las
conexiones.
Varning!
Denna enhet har eventuellt mer än en strömförsörjningsanslutning. Alla anslutningar måste tas bort för att göra enheten strömlös.
Aviso
Esta unidade pode ter mais de uma conexão de fonte de alimentação. Todas as
conexões devem ser removidas para interromper a alimentação da unidade.
Advarsel
Denne enhed har muligvis mere end en strømforsyningstilslutning. Alle tilslutninger
skal fjernes for at aflade strømmen fra enheden.
Table of Contents
Welcome to the Product Guide!
Legal Information
Products
End User License Agreement
Limited Warranty
Disclaimer of Warranty
General Terms Applicable to the Limited Warranty Statement and End User License Agreement
Additional Open Source Terms
Trademarks and Service Marks
Obtaining Documentation
Cisco.com
Documentation DVD
Ordering Documentation
Cisco Technical Support Website
Submitting a Service Request
Definitions of Service Request Severity
Obtaining Additional Publications and Information
FCC Statements for Cisco 1000 Series Lightweight Access Points
Class A Statement
RF Radiation Hazard Warning
Non-Modification Statement
Deployment Statement
Industry Canada Required User Information for Cisco 1000 Series Lightweight Access Points
FCC Statements for Cisco 2000 Series Wireless LAN Controllers
FCC Statements for Cisco 4100 Series Wireless LAN Controllers and Cisco 4400 Series Wireless LAN Controllers
Safety Considerations
OVERVIEWS
About the Cisco Wireless LAN Solution
Single-Cisco Wireless LAN Controller Deployments
Multiple-Cisco Wireless LAN Controller Deployments
About the Operating System Software
About Operating System Security
About Cisco WLAN Solution Wired Security
Layer 2 and Layer 3 LWAPP Operation
About Cisco WLAN Solution Mobility Groups
About Cisco WLAN Solution Wired Connections
About Cisco WLAN Solution WLANs
About Access Control Lists
About Identity Networking
About File Transfers
About Power Over Ethernet
Pico Cell Functionality
Intrusion Detection Service (IDS)
About Cisco Wireless LAN Controllers
Cisco 2000 Series Wireless LAN Controllers
Cisco 4100 Series Wireless LAN Controllers
Cisco 4400 Series Wireless LAN Controllers
Cisco 2000 Series Wireless LAN Controller Model Numbers
Cisco 4100 Series Wireless LAN Controller Model Numbers
Cisco 4400 Series Wireless LAN Controller Model Numbers
About Distribution System Ports
About the Management Interface
About the AP-Manager Interface
About Operator-Defined Interfaces
About the Virtual Interface
About the Service Port
About the Service-Port Interface
About the Startup Wizard
About Cisco Wireless LAN Controller Memory
Cisco Wireless LAN Controller Failover Protection
Cisco Wireless LAN Controller Automatic Time Setting
Cisco Wireless LAN Controller Time Zones
Network Connections to Cisco Wireless LAN Controllers
Cisco 2000 Series Wireless LAN Controllers
Cisco 4100 Series Wireless LAN Controllers
Cisco 4400 Series Wireless LAN Controllers
Cisco 4100 Series Wireless LAN Controller VPN/Enhanced Security Module
About Cisco 1000 Series IEEE 802.11a/b/g Lightweight Access Points
About Cisco 1030 Remote Edge Lightweight Access Points
About Cisco 1000 Series Lightweight Access Point Part Numbers
About Cisco 1000 Series Lightweight Access Point External and Internal Antennas
About Cisco 1000 Series Lightweight Access Point LEDs
About Cisco 1000 Series Lightweight Access Point Connectors
About Cisco 1000 Series Lightweight Access Point Power Requirements
About Cisco 1000 Series Lightweight Access Point External Power Supply
About Cisco 1000 Series Lightweight Access Point Mounting Options
About Cisco 1000 Series Lightweight Access Point Physical Security
About Cisco 1000 Series Lightweight Access Point Monitor Mode
About Rogue Access Points
Rogue Access Point Location, Tagging and Containment
About the Web User Interface
About the Command Line Interface
About the Cisco Wireless Control System
About Cisco WCS Base
About Cisco WCS Location
About the Cisco WCS User Interface
About the Floor Plan Editor
About Cisco WCS Cisco Wireless LAN Controller Autodiscovery
About Cisco WCS Alarm Email Notification
About Cisco WCS Location Calibration
About Cisco 2700 Series Location Appliances
SOLUTIONS
Cisco WLAN Solution Security
Overview
Layer 1 Solutions
Layer 2 Solutions
Layer 3 Solutions
Single Point of Configuration Policy Manager Solutions
Rogue Access Point Solutions
Rogue Access Point Challenges
Tagging and Containing Rogue Access Points
Converting a Cisco WLAN Solution from Layer 2 to Layer 3 Mode
Using the Web User Interface
Using the Cisco WCS User Interface
Converting a Cisco WLAN Solution from Layer 3 to Layer 2 Mode
Using the Web User Interface
Using the Cisco WCS User Interface
Configuring a Firewall for Cisco WCS
Configuring the System for SpectraLink NetLink Telephones
Using the Command Line Interface
Using the Web User Interface
Using the Cisco Wireless Control System
Using Management over Wireless
Using the Command Line Interface
Using the Web User Interface
Configuring a WLAN for a DHCP Server
Using the Command Line Interface
Using the Web User Interface
Customizing the Web Auth Login Screen
Default Web Auth Operation
Customizing Web Auth Operation
Clearing and Restoring the Cisco WLAN Solution Logo
Changing the Web Title
Changing the Web Message
Changing the Logo
Creating a Custom URL Redirect
Verifying your Web Auth Changes
Sample Customized Web Auth Login Page
Configuring Identity Networking for Operating System
RADIUS Attributes
TASKS
Using the Cisco WLAN Solution CLI
Logging Into the CLI
Using a Local Serial Connection
Using a Remote Ethernet Connection
Logging Out of the CLI
CLI Tree Structure
Navigating the CLI
Viewing Network Status
Configuring the Cisco Wireless LAN Controller
Collecting Cisco Wireless LAN Controller Parameters
Configuring System Parameters
Time and Date
Country
Supported 802.11a and 802.11b/g Protocols
Users and Passwords
Configuring Cisco Wireless LAN Controller Interfaces
Verifying and Changing the Management Interface
Creating and Assigning the AP-Manager Interface
Creating, Assigning and Deleting Operator-Defined Interfaces
Verifying and Changing the Virtual Interface
Enabling Web and Secure Web Modes
Configuring Spanning Tree Protocol
Creating Access Control Lists
Configuring WLANs
WLANs
VLANs
Layer 2 Security
Layer 3 Security
Local Netuser
Quality of Service
Activating WLANs
Configuring Mobility Groups
Configuring RADIUS
Configuring SNMP
Configuring Other Ports and Parameters
Service Port
Radio Resource Management (RRM)
Serial (CLI Console) Port
Transferring Files To and From a Cisco Wireless LAN Controller
Updating the Operating System Software
Using the Startup Wizard
Adding SSL to the Web User Interface
Saving Configurations
Clearing Configurations
Erasing the Cisco Wireless LAN Controller Configuration
Resetting the Cisco Wireless LAN Controller
Using the Cisco Wireless Control System
Starting and Stopping Windows Cisco WCS
Starting Cisco WCS as a Windows Application
Starting Cisco WCS as a Windows Service
Stopping the Cisco WCS Windows Application
Stopping the Cisco WCS Windows Service
Checking the Cisco WCS Windows Service Status
Starting and Stopping Linux Cisco WCS
Starting the Linux Cisco WCS Application
Stopping the Linux Cisco WCS Application
Checking the Linux Cisco WCS Status
Starting and Stopping the Cisco WCS Web Interface
Starting a Cisco WCS User Interface
Stopping a Cisco WCS User Interface
Manually Stopping the Cisco WCS User Interface
Cisco WCS Shutdown Stopping the Cisco WCS User Interface
Using Cisco WCS
Checking the Cisco WLAN Solution Network Summary
Adding a Cisco Wireless LAN Controller to Cisco WCS
Creating an RF Calibration Model
Adding a Campus Map to the Cisco WCS Database
Adding a Building to a Campus
Adding a Standalone Building to the Cisco WCS Database
Adding an Outdoor Area to a Campus
Adding Floor Plans to a Campus Building
Using Map Editor
Adding Floor Plans to a Standalone Building
Adding Cisco 1000 Series Lightweight Access Points to Floor Plan and Outdoor Area Maps
Monitoring Predicted Coverage (RSSI)
Monitoring Channels on a Floor Map
Monitoring Transmit Power Levels on a Floor Map
Monitoring Coverage Holes on a Floor Map
Monitoring Users on a Floor Map
Monitoring Clients on a Floor Map
Troubleshooting with Cisco WCS
Detecting and Locating Rogue Access Points
Acknowledging Rogue Access Points
Locating Clients
Finding Coverage Holes
Pinging a Network Device from a Cisco Wireless LAN Controller
Viewing Current Cisco Wireless LAN Controller Status and Configurations
Viewing Cisco WCS Statistics Reports
Updating OS Software from Cisco WCS
Managing Cisco WCS and Database
Installing Cisco WCS
Updating the Windows Cisco WCS
Updating the Linux Cisco WCS
Reinitializing the Windows Cisco WCS Database
Reinitializing the Linux Cisco WCS Database
Administering Cisco WCS Users and Passwords
Adding User Accounts
Changing Passwords
Deleting User Accounts
Using the Web User Interface
Adding Cisco 1000 Series Lightweight Access Points to a Cisco Wireless LAN Controller
Adding CA Certificates to a Cisco Wireless LAN Controller
Adding ID Certificates to a Cisco Wireless LAN Controller
Configuring and Operating Cisco 2700 Series Location Appliances
Configuring Location Appliances
Adding a Location Appliance to the Cisco WCS Database
Editing a Location Appliance Contact, User Name, Password, and HTTP/HTTPS Selection
Synchronizing Location Appliance and Cisco WCS Network Designs
Synchronizing Cisco Wireless LAN Controllers and Location Appliances
Editing Location Appliance Polling Parameters
Editing Location Appliance History Parameters
Editing Location Appliance Location Parameters
Adding Location Appliance User Groups
Changing Location Appliance User Group Permissions
Deleting Location Appliance User Groups
Adding Location Appliance Users
Changing Location Appliance User Passwords, Group Names, and Permissions
Deleting Location Appliance Users
Adding Location Appliance Host Access
Deleting Location Appliance Host Access
Editing Location Appliance Advanced Parameters
Clearing Location Appliance Configurations
Deleting a Location Appliance from the Cisco WCS Database
Deleting and Clearing Location Appliance Alarms
Viewing Location Appliance Alarm Events
Viewing Location Appliance Events
Backing Up Location Appliance Historical Data
Restoring Location Appliance Historical Data
Viewing Cisco Wireless LAN Controller and Location Appliance Synchronization Status
Re-Synchronizing Cisco Wireless LAN Controller and Location Appliance Databases
Viewing Location Appliance Current Status
Downloading Location Appliance Log Files to Your Cisco WCS Terminal
Downloading Application Code to a Location Appliance using Cisco WCS
Defragmenting the Location Appliance Database
Running Java GC on the Location Appliance Memory
Restarting the Location Appliance Application Software
Rebooting the Location Appliance
Troubleshooting Tips
Using Error Messages
Using Client Reason and Status Codes in the Trap Log
Client Reason Codes
Client Status Codes
Using Cisco 1000 Series Lightweight Access Point LEDs
REFERENCES
Glossary
Cisco WLAN Solution Supported Country Codes
OVERVIEWS
Refer to the following for information about the Cisco Wireless LAN Solution (Cisco WLAN Solution) and
other high-level subjects:
•About the Cisco Wireless LAN Solution
-Single-Cisco Wireless LAN Controller Deployments
-Multiple-Cisco Wireless LAN Controller Deployments
-Operating System Software
-Operating System Security
-Cisco WLAN Solution Wired Security
-Layer 2 and Layer 3 LWAPP Operation
-Radio Resource Management (RRM)
-Master Cisco Wireless LAN Controller
-Primary, Secondary, and Tertiary Cisco Wireless LAN Controller
-Client Roaming
-Client Location
-External DHCP Servers
-Cisco WLAN Solution Mobility Group
-Cisco WLAN Solution Wired Connections
-Cisco WLAN Solution WLANs
-Identity Networking
-Transferring Files
-Power Over Ethernet
-Pico Cell Functionality
-Intrusion Detection Service (IDS)
•Cisco Wireless LAN Controllers
•Cisco 1000 Series Lightweight Access Points
•Rogue Access Points
•Web User Interface
•Command Line Interface
•Cisco Wireless Control System
-Cisco WCS Base
-Cisco WCS Location
-Cisco WCS User Interface
-Floor Plan Editor
-Cisco WCS Cisco Wireless LAN Controller Autodiscovery
-Cisco WCS Alarm Email Notification
-Cisco WCS Location Calibration
•Cisco 2700 Series Location Appliances
•REFERENCES
About the Cisco Wireless LAN Solution
The Cisco Wireless LAN Solution (Cisco WLAN Solution) is designed to provide 802.11 wireless
networking solutions for enterprises and service providers. The Cisco WLAN Solution simplifies
deploying and managing large-scale wireless LANs and enables a unique best-in-class security
infrastructure. The Operating System manages all data client, communications, and system
administration functions, performs Radio Resource Management (RRM) functions, manages system-wide
mobility policies using the Operating System Security solution, and coordinates all security
functions using the Operating System Security framework.
The Cisco WLAN Solution consists of Cisco Wireless LAN Controllers and their associated Cisco 1000
Series Lightweight Access Points controlled by the Operating System, all concurrently managed by any
or all of the Operating System user interfaces:
•An HTTP and/or HTTPS full-featured Web User Interface, hosted by Cisco Wireless LAN
Controllers, can be used to configure and monitor individual Cisco Wireless LAN Controllers. See
the Web User Interface section.
•A full-featured CLI (command line interface) can be used to configure and monitor individual
Cisco Wireless LAN Controllers. Refer to the Command Line Interface section.
•The Cisco Wireless Control System (Cisco WCS) interface is used to configure and monitor one
or more Cisco Wireless LAN Controllers and associated access points, and has tools to facilitate
large-system monitoring and control. The Cisco Wireless Control System runs on Windows
2000, Windows 2003, and Red Hat Enterprise Linux ES servers.
•An industry-standard SNMP V1, V2c, and V3 interface can be used with any SNMP-compliant
third-party network management system.
The Cisco WLAN Solution supports client data services, client monitoring and control, and all rogue
access point detection, monitoring and containment functions. The Cisco WLAN Solution uses Cisco
1000 Series lightweight access points, Cisco Wireless LAN Controllers, and the optional Cisco
Wireless Control System to provide wireless services to enterprises and service providers.
The Cisco WCS application is offered in two versions:
•Cisco WCS Base, which also supports client, rogue access point, rogue access point client, and
radio frequency ID (RFID) tag location to the nearest Cisco 1000 Series lightweight access point.
•Cisco WCS Location, which also supports client, rogue access point, rogue access point client,
and RFID tag location to within 10 meters.
When Cisco WCS Location is used, Cisco WLAN Solution end users can also deploy Cisco 2700 Series
Location Appliances (location appliances), described in the Cisco 2700 Series Location Appliances
section. The location appliance enhances the high-accuracy built-in Cisco WCS Location abilities by
computing, collecting and storing historical location data, which can be displayed in Cisco WCS. In this
role, the location appliance acts as a server to one or more Cisco WCS Servers, collecting, storing, and
passing on data from its associated Cisco Wireless LAN Controllers.
The following figure shows the Cisco WLAN Solution components, which can be simultaneously
deployed across multiple floors and buildings.
Note: This document refers to Cisco Wireless LAN Controllers throughout. Unless
specifically called out, the descriptions herein apply to all Cisco Wireless LAN Controllers, including but not limited to Cisco 2000 Series Wireless LAN Controllers, Cisco
4100 Series Wireless LAN Controllers, and Cisco 4400 Series Wireless LAN
Controllers.
Figure - Cisco WLAN Solution Components
Refer to the following for more information:
•Single-Cisco Wireless LAN Controller Deployments
•Multiple-Cisco Wireless LAN Controller Deployments
•Operating System Software
•Operating System Security
•Cisco WLAN Solution Wired Security
•Layer 2 and Layer 3 LWAPP Operation
•Radio Resource Management (RRM)
-Master Cisco Wireless LAN Controller
-Primary, Secondary, and Tertiary Cisco Wireless LAN Controller
-Client Roaming
-Client Location
-External DHCP Servers
-Cisco WLAN Solution Mobility Group
-Cisco WLAN Solution Wired Connections
-Cisco WLAN Solution WLANs
-Transferring Files
-Power Over Ethernet
•Cisco Wireless LAN Controllers
•Cisco 1000 Series Lightweight Access Points
•Rogue Access Points
•Web User Interface
•Command Line Interface
•Cisco Wireless Control System
-Cisco WCS User Interface
-Floor Plan Editor
-Cisco WCS Cisco Wireless LAN Controller Autodiscovery
•Cisco 2700 Series Location Appliances
•REFERENCES
Single-Cisco Wireless LAN Controller Deployments
As described in About the Cisco Wireless LAN Solution, a standalone Cisco Wireless LAN Controller can
support Cisco 1000 Series lightweight access points across multiple floors and buildings simultaneously,
and supports the following features:
•Autodetecting and autoconfiguring Cisco 1000 Series lightweight access points as they are
added to the network, as described in Radio Resource Management (RRM).
•Full control of Cisco 1000 Series Lightweight Access Points.
•Full control of up to 16 Cisco 1000 Series lightweight access point WLAN (SSID) policies, as
described in Cisco WLAN Solution WLANs.
Note: Some Cisco Wireless LAN Controllers can connect through multiple physical
ports to multiple subnets in the network. This can be helpful, for instance, when
Cisco WLAN Solution operators want to confine multiple VLANs to separate subnets.
•Cisco 1000 Series lightweight access points connect to Cisco Wireless LAN Controllers through
the network. The network equipment may or may not provide Power Over Ethernet to the Cisco
1000 Series lightweight access points.
Note that some Cisco Wireless LAN Controllers use redundant GigE connections to bypass single
network failures. At any given time one of the redundant GigE connections is active and the other is
passive. Upon a network failure, the active connection becomes passive, and the passive connection
becomes active.
Figure - Typical Cisco Wireless LAN Controller Deployed
Multiple-Cisco Wireless LAN Controller Deployments
Each Cisco Wireless LAN Controller can support Cisco 1000 Series lightweight access points across
multiple floors and buildings simultaneously. However, full functionality of the Cisco WLAN Solution is
realized when it includes multiple Cisco Wireless LAN Controllers. That is, a multiple-Cisco Wireless LAN
Controller system has the following additional features over a single-Cisco Wireless LAN Controller
deployment:
•Autodetecting and autoconfiguring Cisco Wireless LAN Controller RF parameters as the Cisco
Wireless LAN Controllers are added to the network, as described in Radio Resource
Management (RRM).
•Same-Cisco Wireless LAN Controller (Layer 2) Roaming and Inter-Subnet (Layer 3) Roaming.
•Automatic Cisco 1000 Series lightweight access point failover to any redundant Cisco Wireless
LAN Controller with unused ports (refer to Cisco Wireless LAN Controller Failover Protection).
The following figure shows a typical multiple-Cisco Wireless LAN Controller deployment. The figure also
shows an optional dedicated Management Network, and the three physical connection types between
the network and the Cisco Wireless LAN Controllers, as further described in Network Connections to
Cisco Wireless LAN Controllers.
Note: Cisco Wireless LAN Controllers can connect through the Management Interface
to multiple subnets in the Network. This can be helpful, for instance, when Cisco
WLAN Solution operators want to confine multiple VLANs to separate subnets using
Operator-Defined Interfaces.
Figure - Typical Multiple-Cisco Wireless LAN Controller Deployment
About the Operating System Software
The Operating System Software controls Cisco Wireless LAN Controllers and Cisco 1000 Series
Lightweight Access Points. It includes full Operating System Security and Radio Resource Management
(RRM) features.
About Operating System Security
Operating System Security bundles Layer 1, Layer 2 and Layer 3 security components into a simple,
Cisco WLAN Solution-wide policy manager that creates independent security policies for each of up to
16 WLANs. (Refer to Cisco WLAN Solution WLANs.)
One of the barriers that made enterprises avoid deploying 802.11 networks was the inherent weakness
of 802.11 Static WEP (Wired Equivalent Privacy) encryption. Because WEP is so insecure, enterprises
have been looking for more secure solutions for business-critical traffic.
The 802.11 Static WEP weakness problem can be overcome using robust industry-standard security
solutions, such as:
•802.1X dynamic keys with EAP (extensible authentication protocol).
-WEP (Wired Equivalent Privacy) keys, with or without Pre-Shared key Passphrase.
•RSN with or without Pre-Shared key.
•Cranite FIPS140-2 compliant passthrough.
•Fortress FIPS140-2 compliant passthrough.
•Optional MAC Filtering.
The WEP problem can be further solved using industry-standard Layer 3 security solutions, such as:
•Terminated and passthrough VPNs (virtual private networks), and
•Terminated and passthrough L2TP (Layer Two Tunneling Protocol), which uses the IPSec (IP
Security) protocol.
•Terminated and pass-through IPSec (IP security) protocols. The terminated Cisco WLAN
Solution IPSec implementation includes:
-IKE (internet key exchange),
-DH (Diffie-Hellman) groups, and
-Three optional levels of encryption: DES (ANSI X.3.92 data encryption standard), 3DES
(ANSI X9.52-1998 data encryption standard), or AES/CBC (advanced encryption
standard/cipher block chaining).
The Cisco WLAN Solution IPSec implementation also includes industry-standard authentication
using:
-MD5 (message digest algorithm), or
-SHA-1 (secure hash algorithm-1).
•The Cisco WLAN Solution supports local and RADIUS MAC Address (media access control)
filtering.
•The Cisco WLAN Solution supports local and RADIUS user/password authentication.
•The Cisco WLAN Solution also uses manual and automated Disabling to block access to network
services. In manual Disabling, the operator blocks access using client MAC addresses. In
automated Disabling, which is always active, the Operating System software automatically
blocks access to network services for an operator-defined period of time when a client fails to
authenticate for a fixed number of consecutive attempts. This can be used to deter brute-force
login attacks.
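The manual and automated Disabling behaviour described in the last item above, modelled as an added example (not Cisco's code). The threshold of three failures, the 60-second period, the status strings and the sample events are assumptions constructed for illustration; the page gives no concrete values.

```python
from dataclasses import dataclass, field

# Assumed values: the page says only "a fixed number of consecutive attempts"
# and "an operator-defined period of time".
MAX_CONSECUTIVE_FAILURES = 3
EXCLUSION_SECONDS = 60

# Constructed sample events: (seconds since start, client MAC, auth succeeded)
SAMPLE_EVENTS = [
    (0,  "00:11:22:33:44:55", False),
    (5,  "00:11:22:33:44:55", False),
    (9,  "00:11:22:33:44:55", True),    # success resets the consecutive count
    (12, "00:11:22:33:44:55", False),
    (14, "00:11:22:33:44:55", False),
    (15, "00:11:22:33:44:55", False),   # third consecutive failure: excluded until t=75
    (20, "00:11:22:33:44:55", True),    # inside the window: rejected before authentication
    (30, "66:77:88:99:aa:bb", False),   # a different client is tracked separately
    (80, "00:11:22:33:44:55", True),    # window expired: allowed again
]


@dataclass
class ExclusionPolicy:
    """Manual blocking by MAC plus automated blocking after repeated failures."""
    max_failures: int = MAX_CONSECUTIVE_FAILURES
    exclusion_seconds: int = EXCLUSION_SECONDS
    manual_block: set = field(default_factory=set)       # operator-entered MACs
    _failures: dict = field(default_factory=dict)        # MAC -> consecutive failures
    _excluded_until: dict = field(default_factory=dict)  # MAC -> end of exclusion

    def handle(self, t, mac, auth_ok):
        """Return the outcome of one authentication attempt at time t."""
        mac = mac.lower()
        if mac in self.manual_block:
            return "blocked-manual"
        until = self._excluded_until.get(mac)
        if until is not None:
            if t < until:
                return "blocked-auto"        # attempt is not evaluated at all
            del self._excluded_until[mac]    # exclusion period is over
        if auth_ok:
            self._failures[mac] = 0
            return "allowed"
        count = self._failures.get(mac, 0) + 1
        if count >= self.max_failures:
            self._failures[mac] = 0
            self._excluded_until[mac] = t + self.exclusion_seconds
            return "excluded"
        self._failures[mac] = count
        return "failed"


def replay(events, policy=None):
    """Run a list of events through a policy and return the outcomes in order."""
    policy = policy or ExclusionPolicy()
    return [policy.handle(t, mac, ok) for t, mac, ok in events]


if __name__ == "__main__":
    for event, outcome in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(event, "->", outcome)
```

Because the count is of consecutive failures, a single success resets it, so a slow guessing pattern interleaved with valid logins never reaches the threshold; that gap is what per-client failure-rate monitoring has to cover.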
These and other Cisco WLAN Solution Security features use industry-standard authorization and
authentication methods to ensure the highest possible security for your business-critical wireless LAN
traffic.
For information about Cisco WLAN Solution wired security, refer to Cisco WLAN Solution Wired Security.
About Cisco WLAN Solution Wired Security
Many traditional Access Point vendors concentrate on security for the Wireless interface similar to that
described in the Operating System Security section. However, for secure Cisco Wireless LAN Controller
Service Interfaces (Cisco Wireless Control System, Web User Interface, and Command Line Interface),
Cisco Wireless LAN Controller to AP, and inter-Cisco Wireless LAN Controller communications during
device servicing and Client Roaming, the Operating System includes built-in security.
Each Cisco Wireless LAN Controller and Cisco 1000 Series lightweight access point is manufactured with
a unique, signed X.509 certificate. This certificate is used to authenticate IPSec tunnels between
devices. These IPSec tunnels ensure secure communications for mobility and device servicing.
Cisco Wireless LAN Controllers and Cisco 1000 Series lightweight access points also use the signed
certificates to verify downloaded code before it is loaded, ensuring that hackers do not download
malicious code into any Cisco Wireless LAN Controller or Cisco 1000 Series lightweight access point.
For information about Cisco WLAN Solution wireless security, refer to Operating System Security.
Layer 2 and Layer 3 LWAPP Operation
The LWAPP communications between Cisco Wireless LAN Controller and Cisco 1000 Series lightweight
access points can be conducted at ISO Data Link Layer 2 or Network Layer 3.
Operational Requirements
The requirement for Layer 2 LWAPP communications is that the Cisco Wireless LAN Controller and Cisco
1000 Series lightweight access points must be connected to each other through Layer 2 devices on the
same subnet. This is the default operational mode for the Cisco WLAN Solution. Note that when the
Cisco Wireless LAN Controller and Cisco 1000 Series lightweight access points are on different subnets,
these devices must be operated in Layer 3 mode.
The requirement for Layer 3 LWAPP communications is that the Cisco Wireless LAN Controllers and
Cisco 1000 Series lightweight access points can be connected through Layer 2 devices on the same
subnet, or connected through Layer 3 devices across subnets.
Note that all Cisco Wireless LAN Controllers in a Cisco WLAN Solution Mobility Group must use the
same LWAPP Layer 2 or Layer 3 mode, or you will defeat the Mobility software algorithm.
About Radio Resource Management (RRM)
Radio Resource Management (also known as RRM) allows Cisco Wireless LAN Controllers to continually
monitor their associated Cisco 1000 Series lightweight access points for the following information:
•Traffic Load -- How much total bandwidth is used for transmitting and receiving traffic. This
allows WLAN managers to track and plan network growth ahead of client demand.
•Interference -- How much traffic is coming from other 802.11 sources.
•Noise -- How much non-802.11 noise is interfering with the currently-assigned channel.
•Coverage -- Received Signal Strength (RSSI) and Signal to Noise Ratio (SNR) for all clients.
•Nearby access points.
Using the collected information, Radio Resource Management can periodically reconfigure the 802.11
RF network within operator-defined limits for best efficiency. To do this, Radio Resource Management:
•Dynamically reassigns channels to increase capacity and performance, both within the same
Cisco Wireless LAN Controller and across multiple Cisco Wireless LAN Controllers.
•Adjusts the transmit power to balance coverage and capacity, both within the same Cisco
Wireless LAN Controller and across multiple Cisco Wireless LAN Controllers.
•Allows the operator to assign nearby Cisco 1000 Series lightweight access points into groups to
streamline Radio Resource Management algorithm processing.
•As new clients associate, they are load balanced across grouped Cisco 1000 Series lightweight
access points reporting to each Cisco Wireless LAN Controller. This is particularly important
when many clients converge in one spot (such as a conference room or auditorium), because
Radio Resource Management can automatically force some subscribers to associate with nearby
access points, allowing higher throughput for all clients.
•Automatically detects and configures new Cisco 1000 Series lightweight access points as they
are added to the network. Radio Resource Management automatically adjusts nearby Cisco
1000 Series lightweight access points to accommodate the increased coverage and capacity.
•Automatically detects and configures new Cisco Wireless LAN Controllers as they are added to
the network. The Radio Resource Management automatically distributes associated Cisco 1000
Series lightweight access points to maximize coverage and capacity.
•Detects and reports coverage holes, where clients consistently connect to a Cisco 1000 Series
lightweight access point at a very low signal strength.
•Automatically defines Cisco Wireless LAN Controller Groups within operator-defined Mobility
Groups.
The Radio Resource Management solution thus allows the operator to avoid the costs of laborious
historical data interpretation and individual Cisco 1000 Series IEEE 802.11a/b/g lightweight access
point reconfiguration. The power control features of Radio Resource Management ensure client satisfaction, and the coverage hole detection feature can alert the operator to the need for an additional (or
relocated) Cisco 1000 Series lightweight access point.
Note that the Radio Resource Management uses separate monitoring and control for each of the
deployed networks: 802.11a and 802.11b/802.11g. Also note that Radio Resource Management is
automatically enabled, but can be customized or disabled for individual Cisco 1000 Series lightweight
access points.
Finally, for operators requiring easy manual configuration, the Radio Resource Management can
recommend the best Cisco Radio settings, and then assign them on operator command.
The Radio Resource Management controls produce a network that has optimal capacity, performance,
and reliability. The Radio Resource Management functions also free the operator from having to
continually monitor the network for noise and interference problems, which can be transient and difficult to
troubleshoot. Finally, Radio Resource Management controls ensure that clients enjoy a seamless,
trouble-free connection through the Cisco WLAN Solution 802.11 network.
About the Master Cisco Wireless LAN Controller
When you are adding Cisco 1000 Series lightweight access points to a Multiple-Cisco Wireless LAN
Controller Deployments network, it is convenient to have all Cisco 1000 Series lightweight access points
associate with one Master Cisco Wireless LAN Controller on the same subnet. That way, the operator
does not have to log into multiple Cisco Wireless LAN Controllers to find out which Cisco Wireless LAN
Controller newly-added Cisco 1000 Series lightweight access points associated with.
One Cisco Wireless LAN Controller in each subnet can be assigned as the Master Cisco Wireless LAN
Controller while adding Cisco 1000 Series lightweight access points. As long as a Master Cisco Wireless
LAN Controller is active on the same subnet, all new Cisco 1000 Series lightweight access points
without a Primary, Secondary, and Tertiary Cisco Wireless LAN Controller assigned automatically
attempt to associate with the Master Cisco Wireless LAN Controller. This process is described in Cisco
Wireless LAN Controller Failover Protection.
The operator can monitor the Master Cisco Wireless LAN Controller using the Web User Interface or the
Cisco Wireless Control System GUI, and watch as Cisco 1000 Series lightweight access points associate
with the Master Cisco Wireless LAN Controller. The operator can then verify Cisco 1000 Series
lightweight access point configuration and assign a Primary, Secondary, and Tertiary Cisco Wireless LAN
Controller to the Cisco 1000 Series lightweight access point, and reboot the Cisco 1000 Series
lightweight access point so it reassociates with its Primary, Secondary, or Tertiary Cisco Wireless LAN
Controller.
Note: Cisco 1000 Series lightweight access points without a Primary, Secondary, and
Tertiary Cisco Wireless LAN Controller assigned always search for a Master Cisco
Wireless LAN Controller first upon reboot. After adding Cisco 1000 Series lightweight
access points through the Master Cisco Wireless LAN Controller, assign Primary,
Secondary, and Tertiary Cisco Wireless LAN Controllers to each Cisco 1000 Series
lightweight access point.
Cisco WLAN Solution recommends that you disable the Master setting on all Cisco
Wireless LAN Controllers after initial configuration.
Because the Master Cisco Wireless LAN Controller is normally not used in a deployed
network, the Master Cisco Wireless LAN Controller setting is automatically disabled
upon reboot or OS code upgrade.
About the Primary, Secondary, and Tertiary Cisco Wireless LAN Controller
In Multiple-Cisco Wireless LAN Controller Deployments networks, Cisco 1000 Series lightweight access
points can associate with any Cisco Wireless LAN Controller on the same subnet. To ensure that each
Cisco 1000 Series lightweight access point associates with a particular Cisco Wireless LAN Controller,
the operator can assign Primary, Secondary, and Tertiary Cisco Wireless LAN Controllers to the Cisco
1000 Series lightweight access point.
When a Cisco 1000 Series lightweight access point is added to a network, it looks for its Primary,
Secondary, and Tertiary Cisco Wireless LAN Controllers first, then a Master Cisco Wireless LAN
Controller, then the least-loaded Cisco Wireless LAN Controller with available Cisco 1000 Series
lightweight access point ports. Refer to Cisco Wireless LAN Controller Failover Protection for more
information.
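The search order described above (Primary, Secondary, Tertiary, then Master, then least-loaded), together with a check for the recommendation to disable the Master setting after initial configuration, as an added example that is not Cisco's implementation. The controller and access point names, the inventory fields, and the definitions of "usable" (reachable with a free access point port) and "load" (fraction of ports in use) are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Controller:
    name: str
    reachable: bool = True
    master: bool = False
    ap_capacity: int = 0   # access point ports the controller offers
    ap_joined: int = 0     # access points currently associated

    @property
    def free_ports(self):
        return self.ap_capacity - self.ap_joined

    @property
    def load(self):
        # Assumed metric for "least-loaded": fraction of ports in use.
        return self.ap_joined / self.ap_capacity if self.ap_capacity else 1.0


def usable(c):
    # Assumption: a controller is a candidate only if it answers and has a free port.
    return c.reachable and c.free_ports > 0


def select_controller(controllers, preferred=()):
    """Return (controller name, reason) following the order given in the text."""
    by_name = {c.name: c for c in controllers}
    for rank, name in zip(("primary", "secondary", "tertiary"), preferred):
        c = by_name.get(name)
        if c is not None and usable(c):
            return c.name, rank
    for c in controllers:
        if c.master and usable(c):
            return c.name, "master"
    candidates = [c for c in controllers if usable(c)]
    if candidates:
        best = min(candidates, key=lambda c: (c.load, c.name))
        return best.name, "least-loaded"
    return None, "none"


def audit(controllers, ap_preferences):
    """Flag settings that leave controller selection to the fallback steps."""
    findings = []
    for c in controllers:
        if c.master:
            findings.append(f"{c.name}: Master setting still enabled")
    known = {c.name for c in controllers}
    for ap, preferred in sorted(ap_preferences.items()):
        if not preferred:
            findings.append(f"{ap}: no Primary controller assigned")
        for name in preferred:
            if name not in known:
                findings.append(f"{ap}: preferred controller {name} is not in the inventory")
    return findings


# Constructed inventory for illustration.
CONTROLLERS = [
    Controller("wlc-a", ap_capacity=12, ap_joined=12),             # no free ports
    Controller("wlc-b", ap_capacity=12, ap_joined=3, master=True),
    Controller("wlc-c", ap_capacity=36, ap_joined=6),
    Controller("wlc-d", reachable=False, ap_capacity=36),
]
AP_PREFERENCES = {"ap-lobby": ("wlc-a", "wlc-c"), "ap-dock": ()}

if __name__ == "__main__":
    for ap, preferred in AP_PREFERENCES.items():
        print(ap, "->", select_controller(CONTROLLERS, preferred))
    for finding in audit(CONTROLLERS, AP_PREFERENCES):
        print("finding:", finding)
```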
About Client Roaming
The Cisco WLAN Solution supports seamless client roaming across Cisco 1000 Series lightweight access
points managed by the same Cisco Wireless LAN Controller, between Cisco Wireless LAN Controllers in
the same Cisco WLAN Solution Mobility Group on the same subnet, and across Cisco Wireless LAN
Controllers in the same Mobility Group on different subnets. The following chapters describe the three
modes of roaming supported by the Cisco WLAN Solution.
Same-Cisco Wireless LAN Controller (Layer 2) Roaming
Each Cisco Wireless LAN Controller supports same-Cisco Wireless LAN Controller client roaming across
Cisco 1000 Series lightweight access points managed by the same Cisco Wireless LAN Controller. This
roaming is transparent to the client, as the session is sustained and the client continues using the same
DHCP-assigned or client-assigned IP Address. The Cisco Wireless LAN Controller provides DHCP
functionality by providing a relay function. Same-Cisco Wireless LAN Controller roaming is supported in
Single-Cisco Wireless LAN Controller Deployments and Multiple-Cisco Wireless LAN Controller
Deployments.
Inter-Cisco Wireless LAN Controller (Layer 2) Roaming
Similarly, in Multiple-Cisco Wireless LAN Controller Deployments, the Cisco WLAN Solution supports
client roaming across Cisco 1000 Series lightweight access points managed by Cisco Wireless LAN
Controllers in the same mobility group and on the same subnet. This roaming is also transparent to the
client, as the session is sustained and a tunnel between Cisco Wireless LAN Controllers allows the client
to continue using the same DHCP- or client-assigned IP Address as long as the session remains active.
Note that the tunnel is torn down and the client must reauthenticate when the client sends a DHCP
Discover with a 0.0.0.0 client IP Address or a 169.254.*.* client auto-IP Address, or when the operator-set session timeout is exceeded.
Note that the Cisco 1030 remote edge lightweight access points at a remote location must be on the
same subnet to support roaming.
Similarly, in Multiple-Cisco Wireless LAN Controller Deployments, the Cisco WLAN Solution supports
client roaming across Cisco 1000 Series lightweight access points managed by Cisco Wireless LAN
Controllers in the same mobility group on different subnets. This roaming is transparent to the client,
because the session is sustained and a tunnel between the Cisco Wireless LAN Controllers allows the
client to continue using the same DHCP-assigned or client-assigned IP Address as long as the session
remains active. Note that the tunnel is torn down and the client must reauthenticate when the client
sends a DHCP Discover with a 0.0.0.0 client IP Address or a 169.254.*.* client auto-IP Address, or
when the operator-set session timeout is exceeded.
Note that the Cisco 1030 remote edge lightweight access points at a remote location must be on the
same subnet to support roaming.
Special Case: Voice Over IP Telephone RoamingSpecial Case: Voice Over IP Telephone Roaming
802.11 VoIP telephones actively seek out associations with the strongest RF signal to ensure best
Quality of Service (QoS) and maximum throughput. The minimum VoIP telephone requirement of
20 millisecond or shorter latency time for the roaming handover is easily met by the Cisco WLAN
Solution, which has an average handover latency of nine or fewer milliseconds.
This short latency period is controlled by Cisco Wireless LAN Controllers, rather than allowing independent access points to negotiate roaming handovers.
The Cisco WLAN Solution supports 802.11 VoIP telephone roaming across Cisco 1000 Series lightweight
access points managed by Cisco Wireless LAN Controllers on different subnets, as long as the Cisco
Wireless LAN Controllers are in the same mobility group. This roaming is transparent to the VoIP telephone, because the session is sustained and a tunnel between Cisco Wireless LAN Controllers allows the
VoIP telephone to continue using the same DHCP-assigned IP Address as long as the session remains
active. Note that the tunnel is torn down and the VoIP client must reauthenticate when the VoIP
telephone sends a DHCP Discover with a 0.0.0.0 VoIP telephone IP Address or a 169.254.*.* VoIP
telephone auto-IP Address, or when the operator-set session timeout is exceeded.
About Client Location
The Cisco WLAN Solution periodically determines client, rogue access point, rogue access point client,
and radio frequency ID (RFID) tag location and stores the locations in the Cisco WCS database. To view the
client location history, display the Cisco WCS Monitor Client <client> - <vendor:MACaddr> page and
select Recent Map (High Resolution) or Present Map (High Resolution). Cisco WCS Base supports
location to the nearest Cisco 1000 Series lightweight access point. Cisco WCS Location supports
location to within 10 meters.
When Cisco WCS Location is used, Cisco WLAN Solution end users can also deploy Cisco 2700 Series
Location Appliances (location appliances), described in the Cisco 2700 Series Location Appliances
section. The location appliance enhances the high-accuracy built-in Cisco WCS Location abilities by
computing, collecting and storing historical location data, which can be displayed in Cisco WCS. In this
role, the location appliance acts as a server to one or more Cisco WCS Servers, collecting, storing, and
passing on data from its associated Cisco Wireless LAN Controllers.
About External DHCP Servers
The Operating System is designed to appear as a DHCP Relay to the network and as a DHCP Server to
clients with industry-standard external DHCP Servers that support DHCP Relay. This means that each
Cisco Wireless LAN Controller appears as a DHCP Relay agent to the DHCP Server. This also means that
the Cisco Wireless LAN Controller appears as a DHCP Server at the virtual IP Address to wireless clients.
Because the Cisco Wireless LAN Controller captures the client IP Address obtained from a DHCP Server,
it maintains the same IP Address for that client during same-Cisco Wireless LAN Controller, inter-Cisco
Wireless LAN Controller, and inter-subnet Client Roaming.
Per-WLAN Assignment
All Cisco WLAN Solution WLANs can be configured to use the same or different DHCP Servers, or no
DHCP Server. This allows operators considerable flexibility in configuring their Wireless LANs, as further
described in the Cisco WLAN Solution WLANs section.
Note that Cisco WLAN Solution WLANs that support Management over Wireless must allow the
management (device servicing) clients to obtain an IP Address from a DHCP Server.
Per-Interface Assignment
•The Layer 2 Management Interface can be configured for a primary and secondary DHCP
server.
•The Layer 3 AP-Manager Interface can be configured for a primary and secondary DHCP server.
•Each of the Operator-Defined Interfaces can be configured for a primary and secondary DHCP
server.
•The Virtual Interface does not use DHCP servers.
•The Service-Port Interface can be configured to enable or disable DHCP servers.
Security Considerations
For enhanced security, it is recommended that operators require all clients to obtain their IP Addresses
from a DHCP server. To enforce this requirement, all Cisco WLAN Solution WLANs can be configured
with a ‘DHCP Required’ setting and a valid DHCP Server IP Address, which disallows client static IP
Addresses. If a client associating with a WLAN with ‘DHCP Required’ set does not obtain its IP Address
from the designated DHCP Server, it is not allowed access to any network services.
Note that if ‘DHCP Required’ is selected, clients must obtain an IP address via DHCP. Any client with a
static IP address will not be allowed on the network. The Cisco Wireless LAN Controller monitors DHCP
traffic since it acts as a DHCP proxy for the clients.
If slightly less security is tolerable, operators can create Cisco WLAN Solution WLANs with ‘DHCP
Required’ disabled and a valid DHCP Server IP Address. Clients then have the option of using a static IP
Address or obtaining an IP Address from the designated DHCP Server.
Operators are also allowed to create separate Cisco WLAN Solution WLANs with ‘DHCP Required’
disabled and a DHCP Server IP Address of 0.0.0.0. These WLANs drop all DHCP requests and force
clients to use a static IP Address. Note that these WLANs do not support Management over Wireless.
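The three WLAN addressing postures described under Security Considerations can be checked mechanically against an exported WLAN inventory. The following Python audit is an added example, not Cisco code; the record fields, posture labels, and sample WLANs are constructed assumptions, not controller configuration keys.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Wlan:
    # Constructed inventory record; field names are assumptions for this example.
    wlan_id: int
    ssid: str
    dhcp_required: bool
    dhcp_server: str                 # "0.0.0.0" means no DHCP server is configured
    mgmt_over_wireless: bool = False


def has_dhcp_server(wlan):
    """True when the WLAN points at a real DHCP server rather than 0.0.0.0."""
    return not ipaddress.ip_address(wlan.dhcp_server).is_unspecified


def posture(wlan):
    """Map a WLAN onto the postures described in the Security Considerations text."""
    if wlan.dhcp_required and has_dhcp_server(wlan):
        return "dhcp-enforced"       # static client addresses are disallowed
    if not wlan.dhcp_required and has_dhcp_server(wlan):
        return "dhcp-optional"       # clients may use DHCP or a static address
    if not wlan.dhcp_required:
        return "static-only"         # DHCP requests dropped, static addresses forced
    return "misconfigured"           # 'DHCP Required' without a valid server address


def audit(wlans):
    """Return {wlan_id: (posture, [findings])} for every WLAN in the inventory."""
    report = {}
    for wlan in wlans:
        state = posture(wlan)
        findings = []
        if state == "dhcp-optional":
            findings.append("static client IP addresses are accepted")
        elif state == "static-only":
            findings.append("DHCP requests are dropped; every client uses a static IP address")
        elif state == "misconfigured":
            findings.append("'DHCP Required' is set without a valid DHCP Server IP Address")
        # Management over Wireless needs management clients to reach a DHCP server.
        if wlan.mgmt_over_wireless and not has_dhcp_server(wlan):
            findings.append("Management over Wireless is enabled but no DHCP server is reachable")
        report[wlan.wlan_id] = (state, findings)
    return report


# Constructed sample inventory (addresses and SSIDs are made up).
SAMPLE_WLANS = [
    Wlan(1, "corp", True, "10.10.1.5"),
    Wlan(2, "guest", False, "10.10.1.5"),
    Wlan(3, "scanners", False, "0.0.0.0", mgmt_over_wireless=True),
    Wlan(4, "lab", True, "0.0.0.0"),
]

if __name__ == "__main__":
    for wlan_id, (state, findings) in audit(SAMPLE_WLANS).items():
        print(wlan_id, state, findings or "no findings")
```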
About Cisco WLAN Solution Mobility Groups
Cisco WLAN Solution operators can define Mobility Groups to allow client roaming across groups of
Cisco Wireless LAN Controllers. Because the Cisco Wireless LAN Controllers in Multiple-Cisco Wireless
LAN Controller Deployments can detect each other across the network and over the air, it is important
that each enterprise, institution, and wireless internet service provider isolate their Cisco Wireless LAN
Controllers. The Operating System makes it easy for operators to create this isolation by allowing them
to assign a Mobility Group Name to their Cisco Wireless LAN Controllers. This assignment can be made
using the Web User Interface, the Cisco Wireless Control System, or the Command Line Interface.
Before clients can roam, they are automatically associated with their original, or anchor, Cisco Wireless
LAN Controller. This anchor Cisco Wireless LAN Controller maintains the client information and ensures
that the client remains connected with the same IP address across all handoffs for the duration of the
client session.
Note that all the Cisco Wireless LAN Controllers in a Mobility Group must use the same LWAPP Layer 2
and Layer 3 LWAPP Operation, or you will defeat the Mobility software algorithm.
The following figure shows the results of creating Mobility Group Names for two groups of Cisco
Wireless LAN Controllers. The Cisco Wireless LAN Controllers in the ABC Mobility Group recognize and
communicate with each other through their Cisco 1000 Series Lightweight Access Points and through
their shared subnets, but the ABC Mobility Group tags the XYZ Cisco 1000 Series lightweight access
points as Rogue Access Points. Likewise, the Cisco Wireless LAN Controllers in the XYZ Mobility Group
do not recognize or communicate with the Cisco Wireless LAN Controllers in the ABC Mobility Group.
This feature ensures Mobility Group isolation across the network.
Figure - Typical Cisco WLAN Solution Mobility Group Name Application
CAUTION: Cisco recommends that you assign one set of VLANs for WLANs and a
different set of VLANs for Management Interfaces to ensure that Cisco Wireless LAN
Controllers properly route VLAN traffic.
The Cisco WLAN Solution Mobility Group feature can also be used to limit roaming between different
floors, buildings, or campuses in the same enterprise by assigning different Mobility Group names to
different Cisco Wireless LAN Controllers within the same wireless network.
If enabled, Radio Resource Management (RRM) operation is constrained within each Cisco WLAN
Solution Mobility Group.
Note: Because the Cisco Wireless LAN Controllers talk to each other when they are in
the same mobility group, Cisco WLAN Solution recommends that operators do not
add physically-separated Cisco Wireless LAN Controllers to the same static mobility
group to avoid unnecessary traffic on the network.
About Cisco WLAN Solution Wired Connections
The Cisco WLAN Solution components communicate with each other using industry-standard Ethernet
cables and connectors. The following paragraphs contain details of the Cisco WLAN Solution wired
connections.
•The Cisco 2000 Series Wireless LAN Controller connects to the network using between one and
four 10/100BASE-T Ethernet cables.
•The Cisco 4100 Series Wireless LAN Controller connects to the network using one or two
fiber-optic GigE cables: two redundant GigE connections to bypass single network failures. At
any given time one of the Cisco 4100 Series Wireless LAN Controller GigE connections is active
and the other is passive. Upon a network failure, the active connection becomes passive, and
the passive connection becomes active.
•The 4402 Cisco 4400 Series Wireless LAN Controller connects to the network using one or two
fiber-optic GigE cables, and the 4404 Cisco 4400 Series Wireless LAN Controller connects to
the network using one through four fiber-optic GigE cables: two redundant GigE connections to
bypass single network failures. At any given time one of each pair of Cisco 4400 Series Wireless
LAN Controller GigE connections is active and the other is passive. Upon a network failure, the
active connection becomes passive, and the passive connection becomes active.
•Cisco 1000 Series lightweight access points connect to the network using 10/100BASE-T
Ethernet cables. The standard CAT-5 cable can also be used to conduct power for the Cisco
1000 Series lightweight access points from a network device equipped with Power Over
Ethernet (PoE) capability. This power distribution plan can be used to reduce the cost of
individual AP power supplies and related cabling.
About Cisco WLAN Solution WLANs
The Cisco WLAN Solution can control up to 16 Wireless LANs for Cisco 1000 Series Lightweight Access
Points. Each WLAN has a separate WLAN ID (1 through 16), a separate WLAN SSID (WLAN Name), and
can be assigned unique security policies.
The Cisco 1000 Series lightweight access points broadcast all active Cisco WLAN Solution WLAN SSIDs
and enforce the policies defined for each WLAN.
CAUTION: Cisco recommends that you assign one set of VLANs for WLANs and a
different set of VLANs for Management Interfaces to ensure that Cisco Wireless LAN
Controllers properly route VLAN traffic.
If Management over Wireless is enabled across Cisco WLAN Solution, the Cisco WLAN Solution operator
can manage the System across the enabled WLAN using CLI and Telnet (Command Line Interface),
http/https (Web User Interface), and SNMP (Cisco Wireless Control System).
To configure the Cisco WLAN Solution WLANs, refer to Configuring WLANs.
About Access Control Lists
The Operating System allows you to define up to 64 Access Control Lists (ACLs), similar to standard
firewall Access Control Lists. Each ACL can have up to 64 Rules (filters).
Operators can use ACLs to control client access to multiple VPN servers within a given WLAN. If all the
clients on a WLAN must access a single VPN server, use the IPSec/VPN Gateway Passthrough setting in
the IPSec Passthrough section.
After they are defined, the ACLs can be applied to the Management Interface, the AP-Manager
Interface, or any of the Operator-Defined Interfaces.
Refer to Access Control Lists > New in the Web User Interface Online Help or Creating Access Control
Lists in the Configuring the Cisco Wireless LAN Controller sections for instructions on how to configure
the Access Control Lists.
About Identity Networking
Cisco Wireless LAN Controllers can have the following parameters applied to all clients associating with
a particular WLAN: QoS, global or Interface-specific DHCP server, Layer 2 and Layer 3 Security Policies,
and default Interface (which includes physical port, VLAN and ACL assignments).
However, the Cisco Wireless LAN Controller can also have individual clients (MAC addresses) override
the preset WLAN parameters by using MAC Filtering or by Allowing AAA Override parameters. This
configuration can be used, for example, to have all company clients log into the corporate WLAN, and
then have clients connect using different QoS, DHCP server, Layer 2 and Layer 3 Security Policies, and
Interface (which includes physical port, VLAN and ACL assignments) settings on a per-MAC Address
basis.
When Cisco WLAN Solution operators configure MAC Filtering for a client, they can assign a different
VLAN to the MAC Address, which can be used to have OS automatically reroute the client to the
Management Interface or any of the Operator-Defined Interfaces, each of which have their own VLAN,
ACL, DHCP server, and physical port assignments. This MAC Filtering can be used as a coarse version of
AAA Override, and normally takes precedence over any AAA (RADIUS or other) Override.
However, when Allow AAA Override is enabled, the RADIUS (or other AAA) server can alternatively be
configured to return QoS and ACL on a per-MAC Address basis. Allow AAA Override gives the AAA
Override precedence over the MAC Filtering parameters set in the Cisco Wireless LAN Controller; if
there are no AAA Overrides available for a given MAC Address, the OS uses the MAC Filtering parameters already in the Cisco Wireless LAN Controller. This AAA (RADIUS or other) Override can be used as
a finer version of AAA Override, but only takes precedence over MAC Filtering when Allow AAA Override
is enabled.
Note that in all cases, the Override parameters (Operator-Defined Interface and QoS, for example)
must already be defined in the Cisco Wireless LAN Controller configuration.
In all cases, the OS will use QoS and ACL provided by the AAA server or MAC Filtering regardless of the
Layer 2 and/or Layer 3 authentication used.
Also note that the OS will only move clients from the default Cisco WLAN Solution WLAN VLAN to a
different VLAN when configured for MAC filtering, 802.1X, and/or WPA Layer 2 authentication.
To configure the Cisco WLAN Solution WLANs, refer to Configuring WLANs.
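The precedence between WLAN defaults, MAC Filtering, and AAA Override described in this section can be written out as a small resolver. This Python sketch is an added example, not Cisco code. The class, attribute, and profile names are constructed, and applying overrides attribute by attribute is an assumption the text does not spell out.

```python
from dataclasses import dataclass

# Layer 2 authentication types for which the text says the OS moves a client
# off the default WLAN VLAN (labels are assumptions for this example).
VLAN_MOVE_AUTH = frozenset({"mac-filtering", "802.1x", "wpa"})


@dataclass(frozen=True)
class Controller:
    # Names already defined in the controller configuration.
    interfaces: frozenset
    qos_profiles: frozenset
    acls: frozenset


@dataclass(frozen=True)
class Wlan:
    qos: str
    acl: str
    interface: str
    allow_aaa_override: bool
    l2_auth: frozenset


def check_defined(ctrl, attrs, origin):
    """Override parameters must already exist in the controller configuration."""
    known = {"qos": ctrl.qos_profiles, "acl": ctrl.acls, "interface": ctrl.interfaces}
    for key, value in attrs.items():
        if key not in known:
            raise ValueError(f"{origin} override has unsupported attribute {key!r}")
        if value not in known[key]:
            raise ValueError(f"{origin} override {key}={value!r} is not defined on the controller")


def resolve(ctrl, wlan, mac_filter=None, aaa=None):
    """Return (effective settings, source of each setting) for one client MAC."""
    effective = {"qos": wlan.qos, "acl": wlan.acl, "interface": wlan.interface}
    source = {key: "wlan" for key in effective}
    # MAC Filtering is applied first; AAA values only count when Allow AAA
    # Override is enabled, and then they win over MAC Filtering.
    layers = [("mac-filter", mac_filter or {})]
    if wlan.allow_aaa_override and aaa:
        layers.append(("aaa", aaa))
    for origin, attrs in layers:
        check_defined(ctrl, attrs, origin)
        for key, value in attrs.items():
            # The client leaves the default VLAN only with MAC filtering,
            # 802.1X and/or WPA Layer 2 authentication; QoS and ACL apply regardless.
            if key == "interface" and not (wlan.l2_auth & VLAN_MOVE_AUTH):
                continue
            effective[key] = value
            source[key] = origin
    return effective, source


# Constructed sample configuration and per-MAC overrides.
CTRL = Controller(
    interfaces=frozenset({"management", "voice", "guest"}),
    qos_profiles=frozenset({"silver", "gold", "platinum"}),
    acls=frozenset({"corp-acl", "guest-acl"}),
)
MAC_FILTER = {"interface": "voice", "qos": "gold"}
AAA_REPLY = {"qos": "platinum", "acl": "guest-acl"}


def sample_wlan(allow_aaa_override, l2_auth=("wpa",)):
    return Wlan("silver", "corp-acl", "management", allow_aaa_override, frozenset(l2_auth))


if __name__ == "__main__":
    for allow in (False, True):
        print(allow, resolve(CTRL, sample_wlan(allow), MAC_FILTER, AAA_REPLY))
```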
About File Transfers
The Cisco WLAN Solution operator can upload and download Operating System code, configuration, and
certificate files to and from a Cisco Wireless LAN Controller using CLI commands, Web User Interface
commands, or Cisco Wireless Control System (Cisco WCS) commands.
•To use CLI commands, refer to Transferring Files To and From a Cisco Wireless LAN Controller.
•To use the Web User Interface, go to Using the Web User Interface.
•To use Cisco WCS commands, continue with Using the Cisco Wireless Control System.
About Power Over Ethernet
Cisco 1000 Series Lightweight Access Points can receive power via their ethernet cables from
802.3af-compatible Power over Ethernet (PoE) devices, which can reduce the cost of discrete power
supplies, additional wiring, conduits, outlets, and installer time. PoE also frees installers from having to
mount Cisco 1000 Series lightweight access points or other powered equipment near AC outlets,
providing greater flexibility in positioning Cisco 1000 Series lightweight access points for maximum
coverage.
When you are using PoE, the installer runs a single CAT-5 cable from each Cisco 1000 Series lightweight access point to PoE-equipped network elements, such as a PoE power hub or a Cisco WLAN
Solution Single-Line PoE Injector, described in Cisco 1000 Series Lightweight Access Point Part
Numbers. When the PoE equipment determines that the Cisco 1000 Series lightweight access point is
PoE-enabled, it sends 48 VDC over the unused pairs in the Ethernet cable to power the Cisco 1000
Series lightweight access point.
The PoE cable length is limited by the 100BASE-T or 10BASE-T specification to 100 m or 200 m,
respectively.
Note: Cisco 1000 Series lightweight access points can receive power from any
network device conforming to the IEEE 802.3af standard.
Note: Each Cisco 1000 Series lightweight access point can alternatively receive
power from a Cisco 1000 Series Lightweight Access Point External Power Supply.
Pico Cell Functionality
Pico Cell functionality includes optimization of the Operating System (OS) to support this functionality
as follows:
•The Cisco WCS Pico Cell Mode parameter reconfigures OS parameters, allowing OS to function
efficiently in pico cell deployments. Note that when the operator is deploying a pico cell network
the OS must also have more memory allocated (512 to 2048 MB) using the config database size 2048 CLI command.
•Client mobility between multiple mobility domains when such exist.
•Addition of a WPA2 VFF extension to eliminate the need to re-key after every association. This
allows the re-use of existing PTK and GTK.
•With WPA2 PMK caching and VFF, the PMK cache is transferred as part of context transfer prior
to the authentication phase. This allows expedited handoffs to work for both intra- and
inter-Cisco Wireless LAN Controller roaming events.
•A beacon/probe response that allows a Cisco 1000 Series lightweight access point to indicate
which Cisco Wireless LAN Controller it is attached to so that reauthorization events only occur
when needed, minimizing inter-Cisco Wireless LAN Controller handoffs and thus reducing CPU
usage.
•Allows changes to Cisco 1000 Series lightweight access point sensitivity for pico cells.
•Allows control of Cisco 1000 Series lightweight access point fallback behavior to optimize pico
cell use.
•Supports heat maps for directional antennas.
•Allows specific control over blacklisting events.
•Allows configuring and viewing basic LWAPP configuration using the Cisco 1000 Series
lightweight access point CLI.
Intrusion Detection Service (IDS)
Intrusion Detection Service includes the following:
•Sensing Clients probing for “ANY” SSID
•Sensing if Cisco 1000 Series lightweight access points are being contained
•Notification of MiM Attacks, NetStumbler, Wellenreiter
•Management Frame Detection and RF Jamming Detection
•Spoofed Deauthentication Detection (AirJack, for example)
•Broadcast Deauthorization Detection
•Null Probe Response Detection
•Fake AP Detection
•Detection of Weak WEP Encryption
•MAC Spoofing Detection
•AP Impersonation Detection
•Honeypot AP Detection
•Valid Station Protection
•Misconfigured AP Protection
•Rogue Access Point Detection
•AD-HOC Detection and Protection
•Wireless Bridge Detection
•Asleep Detection / Protection
About Cisco Wireless LAN Controllers
Cisco Wireless LAN Controllers are enterprise-class high-performance wireless switching platforms that
support 802.11a and 802.11b/802.11g protocols. They operate under control of the Operating System,
which includes the Radio Resource Management (RRM), creating a Cisco WLAN Solution that can automatically adjust to real-time changes in the 802.11 RF environment. The Cisco Wireless LAN Controllers
are built around high-performance network and security hardware, resulting in highly-reliable 802.11
enterprise networks with unparalleled security. Also see:
•Cisco 2000 Series Wireless LAN Controllers
•Cisco 4100 Series Wireless LAN Controllers
•Cisco 4400 Series Wireless LAN Controllers
•Cisco 2000 Series Wireless LAN Controller Model Numbers
•Cisco 4100 Series Wireless LAN Controller Model Numbers
•Cisco 4400 Series Wireless LAN Controller Model Numbers
•Distribution System Ports
•Management Interface
•AP-Manager Interface
•Operator-Defined Interfaces
•Virtual Interface
•Service Port
•Service-Port Interface
•Startup Wizard
•Cisco Wireless LAN Controller Memory
•Cisco Wireless LAN Controller Failover Protection
•Cisco Wireless LAN Controller Automatic Time Setting
•Cisco Wireless LAN Controller Time Zones
•Network Connections to Cisco Wireless LAN Controllers
•Cisco 4100 Series Wireless LAN Controller VPN/Enhanced Security Module
Cisco 2000 Series Wireless LAN Controllers
The Cisco 2000 Series Wireless LAN Controller is part of the Cisco WLAN Solution. Each Cisco 2000
Series Wireless LAN Controller controls up to six Cisco 1000 Series lightweight access points, making it
ideal for smaller enterprises and low-density applications. About the Cisco Wireless LAN Solution gives
a comprehensive overview of the Cisco WLAN Solution and the place of the Cisco 2000 Series Wireless
LAN Controller in that system.
The Cisco 2000 Series Wireless LAN Controller is a slim 9.5 x 6.0 x 1.6 in. (241 x 152 x 41 mm) chassis
that can be desktop or shelf mounted. The Cisco 2000 Series Wireless LAN Controller front panel has
one POWER LED and four sets of Ethernet LAN Port status LEDs, which indicate 10 MHz or 100 MHz
connections and transmit/receive Activity for the four corresponding back-panel Ethernet LAN connectors. The Cisco 2000 Series Wireless LAN Controller is shipped with four rubber desktop/shelf mounting
feet.
Cisco 4100 Series Wireless LAN Controllers
The Cisco 4100 Series Wireless LAN Controllers are part of the Cisco WLAN Solution. Each Cisco 4100
Series Wireless LAN Controller controls up to 36 Cisco 1000 Series lightweight access points, making it
ideal for medium-sized enterprises and medium-density applications.
The About the Cisco Wireless LAN Solution gives a comprehensive overview of the Cisco WLAN Solution
and the place of the Cisco 4100 Series Wireless LAN Controller in that system.
The following figure shows the Cisco 4100 Series Wireless LAN Controller, which has two redundant
front-panel SX/LC jacks. Note that the 1000BASE-SX circuits provide a 100/1000 Mbps wired connection to a network through an 850nM (SX) fiber-optic link using an LC physical connector.
Figure - Cisco 4100 Series Wireless LAN Controller
The Cisco 4100 Series Wireless LAN Controller can be factory-ordered with a VPN/Enhanced Security
Module (Crypto Card) to support VPN, IPSec and other processor-intensive tasks, and contains two
(Cisco 4100 Series Wireless LAN Controller) 1000BASE-SX network connectors that allow the Cisco
4100 Series Wireless LAN Controller to communicate with the network at GigE (Gigabit Ethernet)
speeds. The 1000BASE-SX network connectors provide 100/1000 Mbps wired connections to a
network through 850nM (SX) fiber-optic links using LC physical connectors.
The two redundant GigE connections on the Cisco 4100 Series Wireless LAN Controller allow the Cisco
4100 Series Wireless LAN Controller to bypass single network failures. At any given time one of the
Cisco 4100 Series Wireless LAN Controller GigE connections is active and the other is passive. Upon a
network failure, the active connection becomes passive, and the passive connection becomes active.
Cisco 4400 Series Wireless LAN Controllers
Cisco 4400 Series Wireless LAN Controllers are part of the Cisco WLAN Solution. Each Cisco 4400 Series
Wireless LAN Controller controls up to 100 Cisco 1000 Series lightweight access points, making it ideal
for large-sized enterprises and large-density applications.
The About the Cisco Wireless LAN Solution gives a comprehensive overview of the Cisco WLAN Solution
and the place of the Cisco 4400 Series Wireless LAN Controller in that system.
The 4402 Cisco 4400 Series Wireless LAN Controller has one set of two redundant front-panel SX/LC/T
SFP modules (SFP transceiver, or Small Form-factor Plug-in), and the 4404 Cisco 4400 Series Wireless
LAN Controller has two sets of two redundant front-panel SX/LC/T SFP modules:
•1000BASE-SX SFP modules provide a 1000 Mbps wired connection to a network through an
850nM (SX) fiber-optic link using an LC physical connector.
•1000BASE-LX SFP modules provide a 1000 Mbps wired connection to a network through a
1300nM (LX/LH) fiber-optic link using an LC physical connector.
•1000BASE-T SFP modules provide a 1000 Mbps wired connection to a network through a
copper link using an RJ-45 physical connector.
The one or two sets of redundant GigE connections on the Cisco 4400 Series Wireless LAN Controller
allow the Cisco 4400 Series Wireless LAN Controller to bypass single network failures. At any given time
one of the Cisco 4400 Series Wireless LAN Controller GigE connections is active and the other is
passive. Upon a network failure, the active connection becomes passive, and the passive connection
becomes active.
The Cisco 4400 Series Wireless LAN Controller can be equipped with one or two Cisco 4400 series
power supplies. When the Cisco Wireless LAN Controller is equipped with two Cisco 4400 series power
supplies, the power supplies are redundant and either power supply can continue to power the Cisco
4400 Series Wireless LAN Controller if the other power supply fails.
One Cisco 4400 series power supply is included standard with the Cisco Wireless LAN Controller, and is
installed in Slot 1 at the factory. For redundancy, a second Cisco 4400 series power supply can be
ordered from the factory and may be installed in Slot 2. The same power supply also fits in Slot 1 and
can be used to replace a failed power supply in the field.
Cisco 2000 Series Wireless LAN Controller Model Numbers
The Cisco 2000 Series Wireless LAN Controller model number is as follows:
•AIR-WLC2006-K9 - The Cisco 2000 Series Wireless LAN Controller communicates with up to six
Cisco 1000 Series lightweight access points.
Note that the Cisco 2000 Series Wireless LAN Controllers come from the factory with tabletop mounting
feet.
Cisco 4100 Series Wireless LAN Controller Model Numbers
Cisco 4100 Series Wireless LAN Controller model numbers are as follows:
•AIR-WLC4112-K9 - The Cisco 4100 Series Wireless LAN Controller uses two redundant GigE
connections to bypass single network failures, and communicates with up to 12 Cisco 1000
Series lightweight access points. That is, at any given time one of the Cisco 4100 Series
Wireless LAN Controller GigE connections is active and the other is passive. Upon a network
failure, the active connection becomes passive, and the passive connection becomes active.
Note that the 1000BASE-SX Network Adapters provide 100/1000 Mbps wired connections to a
network through 850nM (SX) fiber-optic links using LC physical connectors.
•AIR-WLC4124-K9 - The Cisco 4100 Series Wireless LAN Controller uses two redundant GigE
connections to bypass single network failures, and communicates with up to 24 Cisco 1000
Series lightweight access points.
•AIR-WLC4136-K9 - The Cisco 4100 Series Wireless LAN Controller uses two redundant GigE
connections to bypass single network failures, and communicates with up to 36 Cisco 1000
Series lightweight access points.
Note that all Cisco 4100 Series Wireless LAN Controller models come from the factory with 19-inch EIA
equipment rack flush-mount ears.
The following upgrade module is also available:
•AIR-VPN-4100 - VPN/Enhanced Security Module: Supports VPN, L2TP, IPSec and other
processor-intensive security options. This is a field-installable option for all Cisco 4100 Series
Wireless LAN Controllers.
Cisco 4400 Series Wireless LAN Controller Model Numbers
Cisco 4400 Series Wireless LAN Controller model numbers are as follows:
•AIR-WLC4402-12-K9 - The 4402 Cisco 4400 Series Wireless LAN Controller uses two redundant
GigE connections to bypass single network failures, and communicates with up to 12 Cisco
1000 Series lightweight access points. That is, at any given time one of the Cisco 4400 Series
Wireless LAN Controller GigE connections is active and the other is passive. Upon a network
failure, the active connection becomes passive, and the passive connection becomes active.
•AIR-WLC4402-25-K9 - The 4402 Cisco Wireless LAN Controller uses two redundant GigE
connections to bypass single network failures, and communicates with up to 25 Cisco 1000
Series lightweight access points.
•AIR-WLC4402-50-K9 - The 4402 Cisco Wireless LAN Controller uses two redundant GigE
connections to bypass single network failures, and communicates with up to 50 Cisco 1000
Series lightweight access points.
•AIR-WLC4404-100-K9 - The 4404 Cisco Wireless LAN Controller uses four redundant GigE
connections to bypass one or two single network failures, and communicates with up to 100
Cisco 1000 Series lightweight access points.
Note that all Cisco 4400 Series Wireless LAN Controller models come from the factory with integral
19-inch EIA equipment rack flush-mount ears.
The 4402 Cisco 4400 Series Wireless LAN Controller uses one set of two redundant front-panel SX/LC/T
SFP modules (SFP transceiver, or Small Form-factor Plug-in), and the 4404 Cisco 4400 Series Wireless
LAN Controller uses two sets of two redundant front-panel SX/LC/T SFP modules:
•1000BASE-SX SFP modules provide a 1000 Mbps wired connection to a network through an
850nM (SX) fiber-optic link using an LC physical connector.
•1000BASE-LX SFP modules provide a 1000 Mbps wired connection to a network through a
1300nM (LX/LH) fiber-optic link using an LC physical connector.
•1000BASE-T SFP modules provide a 1000 Mbps wired connection to a network through a
copper link using an RJ-45 physical connector.
The following power supply module is also available:
•AIR-PWR-4400-AC - All Cisco 4400 series power supplies. One Cisco 4400 series power supply
can power Cisco 4400 series power supplies can power Cisco 4400 series power supplies, the
Cisco 4400 series power supplies are redundant.
About Distribution System Ports
A Distribution System (DS) port is a physical port (see Cisco WLAN Solution Wired Connections)
through which a Cisco Wireless LAN Controller talks to Cisco 1000 Series lightweight access points via
the network. DS Ports are where packets are exchanged between the Cisco WLAN Solution WLANs and
the rest of the network.
Note: The Distribution System Port cannot be assigned to a dedicated Cisco Wireless
LAN Controller Service Port.
As described in Layer 2 and Layer 3 LWAPP Operation, when the LWAPP communications are set to
Layer 2 (same subnet) operation, the Distribution System must have one Management Interface to
control all inter-Cisco Wireless LAN Controller and all Cisco Wireless LAN Controller-to-Cisco 1000
Series lightweight access point communications, regardless of the number of physical Distribution
System ports.
Also as described in Layer 2 and Layer 3 LWAPP Operation, when the LWAPP communications are set to
Layer 3 (different subnet) operation, the Distribution System must have one Management Interface to
control all inter-Cisco Wireless LAN Controller communications, and must have one AP-Manager
Interface to control all Cisco Wireless LAN Controller-to-Cisco 1000 Series lightweight access point
communications, regardless of the number of physical Distribution System ports.
Each physical Distribution System port can also have between one and 512 Operator-Defined Interfaces
assigned to it. Each Operator-Defined Interface is individually configured, and allows VLAN communications to exist on the Distribution System port(s).
Refer to the Configuring the Cisco Wireless LAN Controller section for configuration instructions.
About the Management Interface
The logical Management Interface controls Layer 2 communications between Cisco Wireless LAN
Controllers and Cisco 1000 Series lightweight access points.
CAUTION: Cisco recommends that you assign one set of VLANs for WLANs and a
different set of VLANs for Management Interfaces to ensure that Cisco Wireless LAN
Controllers properly route VLAN traffic.
The Management Interface is assigned to one physical port (Cisco WLAN Solution Wired Connections),
through which it communicates with other network devices and other access points. However, the
Management Interface can also communicate through all other physical ports except the Service Port
as follows:
•Sends messages through the Layer 2 network to autodiscover and communicate with other
Cisco Wireless LAN Controllers through all physical ports except the Service Port.
•Listens across the Layer 2 network for Cisco 1000 Series lightweight access point LWAPP polling
messages to autodiscover, associate with, and communicate with as many Cisco 1000 Series
lightweight access points as it can.
Note: Should a Cisco Wireless LAN Controller fail, its dropped Cisco 1000 Series
lightweight access points poll the network for another Cisco Wireless LAN Controller.
When an online Cisco Wireless LAN Controller has any remaining Cisco 1000 Series
lightweight access point ports, the Management Interface listens to the network for
Cisco 1000 Series lightweight access point polling messages to autodiscover,
associate with, and communicate with as many Cisco 1000 Series lightweight access
points as it can. Refer to the Cisco Wireless LAN Controller Failover Protection section
for more information.
Note: The Management Interface cannot be assigned to the dedicated Cisco Wireless
LAN Controller Service Port.
The Management Interface uses the burned-in Cisco Wireless LAN Controller Distribution System MAC
address, and must be configured for the following:
•VLAN assignment.
•Fixed IP Address, IP netmask, and default gateway.
•Physical port assignment.
•Primary and Secondary DHCP Servers.
•Access Control List, if required.
Refer to the Configuring the Cisco Wireless LAN Controller section for configuration instructions.
About the AP-Manager Interface
The logical AP-Manager Interface controls Layer 3 communications between Cisco Wireless LAN
Controller and Cisco 1000 Series lightweight access points.
The AP-Manager Interface is assigned to one physical port (Cisco WLAN Solution Wired Connections),
and can be on the same subnet and physical port as the Management Interface. The AP-Manager
Interface can communicate through any physical port except the Service Port as follows:
•Sends Layer 3 messages through the network to autodiscover and communicate with other
Cisco Wireless LAN Controllers.
•Listens across the network for Layer 3 Cisco 1000 Series lightweight access point LWAPP polling
messages to autodiscover, associate with, and communicate with as many Cisco 1000 Series
lightweight access points as it can.
Note: Should a Cisco Wireless LAN Controller fail, its dropped Cisco 1000 Series
lightweight access points poll the network for another Cisco Wireless LAN Controller.
When an online Cisco Wireless LAN Controller has any remaining Cisco 1000 Series
lightweight access point ports, the AP-Manager Interface listens to the network for
Cisco 1000 Series lightweight access point polling messages to autodiscover,
associate with, and communicate with as many Cisco 1000 Series lightweight access
points as it can. Refer to the Cisco Wireless LAN Controller Failover Protection section
for more information.
Note: The AP-Manager Interface cannot be assigned to the dedicated Cisco Wireless
LAN Controller Service Port.
The AP-Manager Interface must be configured for the following:
•VLAN assignment.
•Fixed IP Address (must be different than the Management Interface IP address, but must be on
the same subnet as the Management Interface), IP netmask, and default gateway.
•Physical port assignment.
•Primary and Secondary DHCP Servers.
•Access Control List, if required.
Refer to the Configuring the Cisco Wireless LAN Controller
section for configuration instructions.
About Operator-Defined Interfaces
Each Cisco Wireless LAN Controller can support up to 512 Operator-Defined Interfaces. Each Operator-Defined Interface controls VLAN and other communications between Cisco Wireless LAN
Controllers and all other network devices connected to an individual physical port. Between one and
512 Operator-Defined Interfaces can be assigned to Cisco WLAN Solution WLANs, physical Distribution
System Ports, the Layer 2 Management Interface, and the Layer 3 AP-Manager Interface.
Note: Operator-Defined Interfaces cannot be assigned to the dedicated Cisco
Wireless LAN Controller Service Port.
CAUTION: Operator-Defined Interface names cannot have spaces in them. If an
Operator-Defined Interface name contains a space, you may not be able to edit its
configuration using the Command Line Interface.
Each Operator-Defined Interface must be configured for the following:
•VLAN number.
•Fixed IP Address, IP netmask, and default gateway.
•Physical port assignment.
•Primary and Secondary DHCP Servers.
•Access Control List, if required.
Refer to the Configuring the Cisco Wireless LAN Controller
section for configuration instructions.
About the Virtual Interface
The Virtual Interface controls Layer 3 Security and Mobility manager communications for Cisco Wireless
LAN Controllers. It maintains the DNS Gateway hostname used by Layer 3 Security and Mobility
managers to verify the source of certificates when Layer 3 Web Auth is enabled.
The Virtual Interface must be configured for the following:
•Any fictitious, unassigned, unused Gateway IP Address.
•DNS Gateway Host Name.
Refer to the Configuring the Cisco Wireless LAN Controller
section for configuration instructions.
About the Service Port
The physical Service port on the Cisco Wireless LAN Controller is a 10/100BASE-T Ethernet port
dedicated to Operating System device service, and was formerly known as the Management port. The
Service Port is controlled by the Service-Port Interface.
The Service Port is configured with an IP Address, subnet mask, and IP assignment protocol different
from the Management Interface. This allows the operator to manage the Cisco Wireless LAN Controller
directly or through a dedicated Operating System service network, such as 10.1.2.x, which can ensure
Operating System device service access during network downtime.
Cisco WLAN Solution created the Service port to remove the Cisco Wireless LAN Controller device
service from the network data stream to improve security and to provide a more secure service
connection.
Note that you cannot assign a Gateway to the Service port, so the port is not routable. However, you
can set up dedicated routes to network management devices.
Also note that the Service Port is not auto-sensing: you must use the correct straight-through or
crossover Ethernet cable to communicate with the Service Port.
Refer to Configuring Other Ports and Parameters for information on how to configure the Service
Port.
About the Service-Port Interface
The Service-Port Interface controls communications through the dedicated Cisco Wireless LAN
Controller Service Port.
Note: The Service-Port Interface can only be assigned to the dedicated Cisco
Wireless LAN Controller Service Port.
The Service-Port Interface uses the burned-in Cisco Wireless LAN Controller Service Port MAC address,
and must be configured for the following:
•Whether or not DHCP Protocol is activated.
•IP Address and IP netmask.
Refer to the Configuring the Cisco Wireless LAN Controller
section for configuration instructions.
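The assignment rules stated across the Management, AP-Manager, Operator-Defined, Virtual and Service-Port Interface sections can be checked offline before a configuration is applied. The following is an added example, not Cisco code: the dictionary layout, rule names and all addresses are constructed for illustration, and reading "different from the Management Interface" as "a non-overlapping subnet" is an assumption.

```python
import ipaddress

SERVICE_PORT = "service"        # assumed label for the dedicated Service Port
MAX_OPERATOR_INTERFACES = 512   # limit stated in the guide


def network_of(iface):
    """Subnet implied by an interface's fixed IP address and netmask."""
    return ipaddress.ip_interface(f"{iface['ip']}/{iface['netmask']}").network


def audit(cfg):
    """Return sorted (rule_id, detail) findings for one controller config."""
    findings = []
    mgmt = cfg["management"]
    apm = cfg.get("ap_manager")          # present only in Layer 3 LWAPP mode
    ops = cfg.get("operator_defined", [])
    svc = cfg.get("service_port", {})
    virt = cfg.get("virtual")
    mgmt_net = network_of(mgmt)

    # Only the Service-Port Interface may use the dedicated Service Port.
    named = [("management", mgmt)] + ([("ap-manager", apm)] if apm else [])
    named += [(o["name"], o) for o in ops]
    for name, iface in named:
        if iface["port"] == SERVICE_PORT:
            findings.append(("SERVICE-PORT-ASSIGNMENT", name))

    # AP-Manager: address differs from Management but shares its subnet.
    if apm:
        if apm["ip"] == mgmt["ip"]:
            findings.append(("APM-IP-DUPLICATE", apm["ip"]))
        if ipaddress.ip_address(apm["ip"]) not in mgmt_net:
            findings.append(("APM-SUBNET-MISMATCH", apm["ip"]))

    # Operator-Defined Interfaces: at most 512, names without spaces.
    if len(ops) > MAX_OPERATOR_INTERFACES:
        findings.append(("OPERATOR-COUNT", str(len(ops))))
    for o in ops:
        if any(ch.isspace() for ch in o["name"]):
            findings.append(("OPERATOR-NAME-SPACE", o["name"]))

    # Recommended: WLAN VLANs are kept apart from the Management VLAN.
    if mgmt["vlan"] in set(cfg.get("wlan_vlans", [])):
        findings.append(("VLAN-SHARED-WITH-MANAGEMENT", str(mgmt["vlan"])))

    # Service Port: no gateway; addressing apart from Management (assumption:
    # "different" is checked as a non-overlapping subnet).
    if svc.get("gateway"):
        findings.append(("SERVICE-PORT-GATEWAY", svc["gateway"]))
    if svc.get("ip") and network_of(svc).overlaps(mgmt_net):
        findings.append(("SERVICE-PORT-SUBNET", svc["ip"]))

    # Virtual Interface: the gateway address must be unassigned and unused,
    # checked here as "outside every subnet configured on this controller".
    if virt:
        nets = [network_of(i) for _, i in named]
        if svc.get("ip"):
            nets.append(network_of(svc))
        vip = ipaddress.ip_address(virt["gateway_ip"])
        if any(vip in n for n in nets):
            findings.append(("VIRTUAL-IP-IN-USE", virt["gateway_ip"]))

    return sorted(findings)


MASK = "255.255.255.0"
# Constructed sample configurations, not taken from any real controller.
GOOD = {
    "management": {"ip": "10.20.0.10", "netmask": MASK, "vlan": 20, "port": 1},
    "ap_manager": {"ip": "10.20.0.11", "netmask": MASK, "vlan": 20, "port": 1},
    "operator_defined": [
        {"name": "guest-vlan", "ip": "10.30.0.1", "netmask": MASK, "vlan": 30, "port": 1},
    ],
    "wlan_vlans": [30],
    "service_port": {"ip": "10.1.2.5", "netmask": MASK},
    "virtual": {"gateway_ip": "1.1.1.1"},
}
BAD = {
    "management": {"ip": "10.20.0.10", "netmask": MASK, "vlan": 20, "port": 1},
    "ap_manager": {"ip": "10.21.0.11", "netmask": MASK, "vlan": 21, "port": SERVICE_PORT},
    "operator_defined": [
        {"name": "guest vlan", "ip": "10.30.0.1", "netmask": MASK, "vlan": 30, "port": 2},
    ],
    "wlan_vlans": [20, 30],
    "service_port": {"ip": "10.20.0.200", "netmask": MASK, "gateway": "10.20.0.1"},
    "virtual": {"gateway_ip": "10.30.0.99"},
}

if __name__ == "__main__":
    for rule, detail in audit(BAD):
        print(f"{rule}: {detail}")
```
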
About the Startup Wizard
When a Cisco Wireless LAN Controller is powered up with a new factory Operating System software
load or after being reset to factory defaults, the bootup script runs the Startup Wizard, which prompts
the installer for initial configuration. The Startup Wizard:
•Ensures that the Cisco Wireless LAN Controller has a System Name, up to 32 characters.
•Adds an Administrative username and password, each up to 24 characters.
•Ensures that the Cisco Wireless LAN Controller can communicate with the CLI, Cisco WCS, or
Web User interfaces (either directly or indirectly) through the Service Port by accepting a valid
IP configuration protocol (none or DHCP), and if ‘none’, IP Address and netmask. If you do not
want to use the Service port, enter 0.0.0.0 for the IP Address and netmask.
•Ensures that the Cisco Wireless LAN Controller can communicate with the network (802.11
Distribution System) through the Management Interface by collecting a valid static IP Address,
netmask, default router IP address, VLAN identifier, and physical port assignment.
•Prompts for the IP address of the DHCP server used to supply IP addresses to clients, the Cisco
Wireless LAN Controller Management Interface, and optionally to the Service Port Interface.
•Asks for the LWAPP Transport Mode, described in Layer 2 and Layer 3 LWAPP Operation.
•Collects the Virtual Gateway IP Address; any fictitious, unassigned IP address (such as 1.1.1.1)
to be used by Layer 3 Security and Mobility managers.
•Allows you to enter the Cisco WLAN Solution Mobility Group (RF Group) Name.
•Collects the WLAN 1 802.11 SSID, or Network Name.
•Asks you to define whether or not clients can use static IP addresses. Yes = more convenient,
but lower security (session can be hijacked), clients can supply their own IP Address, better for
devices that cannot use DHCP. No = less convenient, higher security, clients must DHCP for an
IP Address, works well for Windows XP devices.
•If you want to configure a RADIUS server from the Startup Wizard, collects the RADIUS server IP
address, communication port, and Secret.
•Collects the Country Code. (Refer to Cisco WLAN Solution Supported Country Codes.)
•Enables and/or disables the 802.11a, 802.11b and 802.11g Cisco 1000 Series lightweight
access point networks.
•Enables or disables Radio Resource Management (RRM).
To use the Startup Wizard, refer to Using the Startup Wizard.
About Cisco Wireless LAN Controller Memory
The Cisco Wireless LAN Controller contains two kinds of memory: volatile RAM, which holds the current,
active Cisco Wireless LAN Controller configuration, and NVRAM (non-volatile RAM), which holds the
reboot configuration. When you are configuring the Operating System in a Cisco Wireless LAN
Controller, you are modifying volatile RAM; you must save the configuration from the volatile RAM to
the NVRAM to ensure that the Cisco Wireless LAN Controller reboots in the current configuration.
Knowing which memory you are modifying is important when you are:
•Using the Startup Wizard
•Clearing Configurations
•Saving Configurations
•Resetting the Cisco Wireless LAN Controller
•Logging Out of the CLI
Cisco Wireless LAN Controller Failover Protection
Each Cisco Wireless LAN Controller has a defined number of communication ports for Cisco 1000 Series
lightweight access points. (The number of ports supported is listed in the Cisco 2000 Series Wireless
LAN Controller Model Numbers, Cisco 4100 Series Wireless LAN Controller Model Numbers, and Cisco
4400 Series Wireless LAN Controller Model Numbers sections.) This means that when multiple Cisco
Wireless LAN Controllers with unused Cisco 1000 Series lightweight access point ports are deployed on
the same network, if one Cisco Wireless LAN Controller fails, the dropped Cisco 1000 Series lightweight
access points automatically poll for unused Cisco Wireless LAN Controller ports and associate with
them.
Note: During installation, Cisco recommends that you connect all Cisco 1000 Series
lightweight access points to a dedicated Cisco Wireless LAN Controller, and configure
each Cisco 1000 Series lightweight access point for final operation. This step configures each Cisco 1000 Series lightweight access point for a Primary, Secondary, and
Tertiary Cisco Wireless LAN Controller, and allows it to store the configured Cisco
WLAN Solution Mobility Group information.
During failover recovery, the configured Cisco 1000 Series lightweight access points
obtain an IP address from the local DHCP server (only in Layer 3 Operation), attempt
to contact their Primary, Secondary, and Tertiary Cisco Wireless LAN Controllers, and
then attempt to contact the IP addresses of the other Cisco Wireless LAN Controllers
in the Mobility group. This prevents the Cisco 1000 Series lightweight access points
from spending time sending out blind polling messages, resulting in a faster recovery
period.
In Multiple-Cisco Wireless LAN Controller Deployments, this means that if one Cisco Wireless LAN
Controller fails, its dropped Cisco 1000 Series lightweight access points reboot and do the following
under direction of the Radio Resource Management (RRM):
•Obtain an IP address from a local DHCP server (one on the local subnet).
•If the Cisco 1000 Series lightweight access point has a Primary, Secondary, and Tertiary Cisco
Wireless LAN Controller assigned, it attempts to associate with that Cisco Wireless LAN
Controller.
•If the Cisco 1000 Series lightweight access point has no Primary, Secondary, or Tertiary Cisco
Wireless LAN Controllers assigned or if its Primary, Secondary, and Tertiary Cisco Wireless LAN
Controllers are unavailable, it attempts to associate with a Master Cisco Wireless LAN Controller
on the same subnet.
•If the Cisco 1000 Series lightweight access point finds no Master Cisco Wireless LAN Controller
on the same subnet, it attempts to contact stored Mobility Group members by IP address.
•Should none of the Mobility Group members be available, and if the Cisco 1000 Series lightweight
access point has no Primary, Secondary, and Tertiary Cisco Wireless LAN Controllers
assigned and there is no Master Cisco Wireless LAN Controller active, it attempts to associate
with the least-loaded Cisco Wireless LAN Controller on the same subnet to respond to its
discovery messages with unused ports.
This means that when sufficient Cisco Wireless LAN Controllers are deployed, should one Cisco Wireless
LAN Controller fail, active Cisco 1000 Series lightweight access point client sessions are momentarily
dropped while the dropped Cisco 1000 Series lightweight access point associates with an unused port
on another Cisco Wireless LAN Controller, allowing the client device to immediately reassociate and
reauthenticate.
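The fallback order above can be replayed against a planned deployment to see where each dropped access point lands and which ones are left without a controller. This is an added example, not Cisco code: the data model and sample values are constructed, and it assumes that a controller accepts an access point only while it is online with unused ports, that "least-loaded" means the most unused ports, and that the last step applies whenever the earlier ones find nothing.

```python
import copy
from dataclasses import dataclass, field


@dataclass
class Controller:
    name: str
    ip: str
    subnet: str
    ap_ports: int            # access point capacity of the model (25, 50, 100)
    joined: int = 0          # access points currently associated
    online: bool = True
    master: bool = False

    def joinable(self):
        # Assumption: online and at least one unused access point port.
        return self.online and self.joined < self.ap_ports


@dataclass
class AccessPoint:
    name: str
    subnet: str
    preferred: list = field(default_factory=list)           # Primary, Secondary, Tertiary
    mobility_group_ips: list = field(default_factory=list)  # stored member addresses


def select_controller(ap, controllers):
    """Return (controller name, rule that matched) or (None, 'none')."""
    by_name = {c.name: c for c in controllers}
    by_ip = {c.ip: c for c in controllers}
    # 1. Primary, Secondary, Tertiary, in that order.
    for label, name in zip(("primary", "secondary", "tertiary"), ap.preferred):
        c = by_name.get(name)
        if c and c.joinable():
            return c.name, label
    # 2. A Master controller on the access point's own subnet.
    local = [c for c in controllers if c.subnet == ap.subnet and c.joinable()]
    for c in local:
        if c.master:
            return c.name, "master"
    # 3. Stored Mobility Group members, contacted by IP address.
    for ip in ap.mobility_group_ips:
        c = by_ip.get(ip)
        if c and c.joinable():
            return c.name, "mobility-group"
    # 4. Least-loaded controller on the same subnet with unused ports.
    if local:
        best = max(local, key=lambda c: c.ap_ports - c.joined)
        return best.name, "least-loaded"
    return None, "none"


def plan_failover(failed_name, dropped_aps, controllers):
    """Simulate one controller failing; return {ap name: (controller, rule)}."""
    controllers = copy.deepcopy(controllers)   # leave the caller's inventory intact
    for c in controllers:
        if c.name == failed_name:
            c.online, c.joined = False, 0
    plan = {}
    for ap in dropped_aps:
        name, rule = select_controller(ap, controllers)
        if name:
            # Each join consumes a port, so later access points see less room.
            next(c for c in controllers if c.name == name).joined += 1
        plan[ap.name] = (name, rule)
    return plan


# Constructed inventory: wlc-a fails; wlc-b and wlc-d each have one port left.
LOCAL = "10.20.0.0/24"
CONTROLLERS = [
    Controller("wlc-a", "10.20.0.10", LOCAL, 25, joined=4),
    Controller("wlc-b", "10.20.0.20", LOCAL, 25, joined=24),
    Controller("wlc-c", "10.40.0.10", "10.40.0.0/24", 50, joined=10),
    Controller("wlc-d", "10.20.0.30", LOCAL, 25, joined=24),
]
APS = [
    AccessPoint("ap-1", LOCAL, preferred=["wlc-a", "wlc-b"]),
    AccessPoint("ap-2", LOCAL, preferred=["wlc-a"], mobility_group_ips=["10.40.0.10"]),
    AccessPoint("ap-3", LOCAL),
    AccessPoint("ap-4", LOCAL),
]

if __name__ == "__main__":
    for ap, (wlc, rule) in plan_failover("wlc-a", APS, CONTROLLERS).items():
        print(f"{ap}: {wlc or 'NO CONTROLLER'} ({rule})")
```

An access point mapped to `None` is one that stays offline after the failure, which is the condition the "sufficient Cisco Wireless LAN Controllers are deployed" wording above depends on.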
Cisco Wireless LAN Controller Automatic Time Setting
Each Cisco Wireless LAN Controller can have its time manually set or can be configured to obtain the
current time from one or more Network Time Protocol (NTP) servers. Each NTP server IP address is
added to the Cisco Wireless LAN Controller database. Each Cisco Wireless LAN Controller searches for
an NTP server and obtains the current time upon reboot and at each user-defined polling interval (daily
to weekly).
Cisco Wireless LAN Controller Time Zones
Each Cisco Wireless LAN Controller can have its time zone manually set or can be configured to obtain
the current time from one or more Network Time Protocol (NTP) servers. Each NTP server IP address is
added to the Cisco Wireless LAN Controller database. Each Cisco Wireless LAN Controller can search for
an NTP server and obtain the current time zone upon reboot and at each user-defined (daily to weekly)
polling interval.
Network Connections to Cisco Wireless LAN Controllers
Regardless of operating mode, all Cisco Wireless LAN Controllers use the network as an 802.11 Distribution System. Regardless of the Ethernet port type or speed, each Cisco Wireless LAN Controller
monitors and communicates with its related Cisco Wireless LAN Controllers across the network. The
following sections give details of these network connections:
•Cisco 2000 Series Wireless LAN Controllers
•Cisco 4100 Series Wireless LAN Controllers
•Cisco 4400 Series Wireless LAN Controllers
Cisco 2000 Series Wireless LAN Controllers
Cisco 2000 Series Wireless LAN Controllers can communicate with the network through any one of their
physical ports, as the logical Management Interface can be assigned to one of the physical ports.
The physical port description follows:
•Up to four 10/100BASE-T cables can plug into the four back-panel connectors on the Cisco
2000 Series Wireless LAN Controller chassis.
Figure - Physical Network Connections to the Cisco 2000 Series Wireless LAN Controller
Cisco 4100 Series Wireless LAN Controllers
Cisco 4100 Series Wireless LAN Controllers can communicate with the network through one or two
physical ports, and the logical Management Interface can be assigned to one or two physical ports.
The physical port description follows:
•Two GigE 1000BASE-SX fiber-optic cables can plug into the LC connectors on the front of the
Cisco 4100 Series Wireless LAN Controller, and they must be connected to the same subnet.
Note that the two GigE ports are redundant--the first port that becomes active is the master,
and the second port becomes the backup port. If the first connection fails, the standby
connection becomes the master, and the failed connection becomes the backup port.
Note that the 1000BASE-SX circuits provide 100/1000 Mbps wired connections to the network through
850 nm (SX) fiber-optic links using LC physical connectors.
Figure - Physical Network Connections to the Cisco 4100 Series Wireless LAN Controller
Cisco 4400 Series Wireless LAN Controllers
Cisco 4400 Series Wireless LAN Controllers can communicate with the network through one or two pairs
of physical ports, and the logical Management Interface can be assigned to the physical ports. The
physical port descriptions follow:
•For the 4402 Cisco Wireless LAN Controller, up to two of the following connections are
supported in any combination:
-1000BASE-T (GigE, front panel, RJ-45 physical port, UTP cable).
-1000BASE-LX (GigE, front panel, LX physical port, multi-mode 1300 nm (LX/LH)
fiber-optic links using LC physical connectors).
Figure - Physical Network Connections to 4402 and 4404 Cisco Wireless LAN Controllers
Cisco 4100 Series Wireless LAN Controller VPN/Enhanced Security Module
All Cisco 4100 Series Wireless LAN Controllers can be equipped with an optional VPN/Enhanced Security
Module (AIR-VPN-4100), which slides into the rear panel of the Cisco 4100 Series Wireless LAN
Controller. The VPN/Enhanced Security Module adds significant hardware encryption acceleration to the
Cisco 4100 Series Wireless LAN Controller, which enables the following through the Management
Interface:
•Provide a built-in VPN server for mission-critical traffic.
•Sustain up to 1 Gbps throughput with Layer 2 and Layer 3 encryption enabled.
•Support high-speed, processor-intensive encryption, such as L2TP, IPSec and 3DES.
The following figure shows the VPN/Enhanced Security Module sliding into the rear of a Cisco 4100
Series Wireless LAN Controller.
Figure - Cisco 4100 Series Wireless LAN Controller VPN/Enhanced Security Module Location
About Cisco 1000 Series IEEE 802.11a/b/g Lightweight Access Points
The Cisco 1000 Series lightweight access point is a part of the innovative Cisco Wireless LAN Solution
(Cisco WLAN Solution). When associated with Cisco Wireless LAN Controllers as described below, the
Cisco 1000 Series lightweight access point provides advanced 802.11a and/or 802.11b/g Access Point
functions in a single aesthetically pleasing plenum-rated enclosure. The following figure shows the two
types of Cisco 1000 Series IEEE 802.11a/b/g lightweight access point: without and with connectors for
external antennas.
Note that Cisco WLAN Solution also offers 802.11a/b/g Cisco 1030 Remote Edge Lightweight Access
Points, which are Cisco 1000 Series lightweight access points designed for remote deployment, Radio
Resource Management (RRM) control via a WAN link, and which include connectors for external
antennas.
Figure - Cisco 1000 Series Lightweight Access Points
Note that the Cisco 1000 Series lightweight access point is manufactured in a neutral color so it blends
into most environments (but can be painted), contains pairs of high-gain internal antennas for unidirectional (180-degree) or omnidirectional (360-degree) coverage (Cisco 1000 Series Lightweight Access
Point External and Internal Antennas), and is plenum-rated for installations in hanging ceiling spaces.
In the Cisco WLAN Solution, most of the processing responsibility is removed from traditional SOHO
(small office, home office) access points and resides in the Cisco Wireless LAN Controller.
Refer to the following for more information on Cisco 1000 Series lightweight access points:
•Cisco 1030 Remote Edge Lightweight Access Points
•Cisco 1000 Series Lightweight Access Point Part Numbers
•Cisco 1000 Series Lightweight Access Point External and Internal Antennas
•Cisco 1000 Series Lightweight Access Point LEDs
•Cisco 1000 Series Lightweight Access Point Connectors
•Cisco 1000 Series Lightweight Access Point Power Requirements
•Cisco 1000 Series Lightweight Access Point External Power Supply
•Cisco 1000 Series Lightweight Access Point Mounting Options
•Cisco 1000 Series Lightweight Access Point Physical Security
•Cisco 1000 Series Lightweight Access Point Monitor Mode
•Cisco 1000 Series IEEE 802.11a/b/g Lightweight Access Point Deployment Guide
•Internal-Antenna AP1010 Cisco 1000 Series IEEE 802.11a/b/g Lightweight Access Point
Quick Start Guide
•External-Antenna AP1020 and AP1030 Cisco 1000 Series IEEE 802.11a/b/g Lightweight Access
The only exception to the general rule of Cisco 1000 Series Lightweight Access Points being continuously controlled by Cisco Wireless LAN Controllers is the Cisco 1030 IEEE 802.11a/b/g remote edge
lightweight access point (Cisco 1030 remote edge lightweight access point). The Cisco 1030 remote
edge lightweight access point is intended to be located at a remote site, initially configured by a Cisco
Wireless LAN Controller, and normally controlled by a Cisco Wireless LAN Controller.
However, because the Cisco 1030 remote edge lightweight access point bridges the client data
(compared with other Cisco 1000 Series lightweight access points, which pass all client data through
their respective Cisco Wireless LAN Controller), if the WAN link breaks between the Cisco 1030 remote
edge lightweight access point and its Cisco Wireless LAN Controller, the Cisco 1030 remote edge lightweight access point continues transmitting WLAN 1 client data through other Cisco 1030 remote edge
lightweight access points on its local subnet. However, it cannot take advantage of features accessed
from the Cisco Wireless LAN Controller, such as establishing new VLANs, until communication is
reestablished.
The Cisco 1030 remote edge lightweight access point includes the traditional SOHO (small office, home
office) AP processing power, and thus can continue operating if the WAN link to its associated Cisco
Wireless LAN Controller fails. Because it is configured by its associated Cisco Wireless LAN Controller, it
has the same WLAN configuration as the rest of the Cisco WLAN Solution (refer to Cisco WLAN Solution
WLANs). As long as it remains connected to its Cisco Wireless LAN Controller, it varies its transmit
power and channel selection under control of the Radio Resource Management (RRM)
same rogue access point location as any other Cisco 1000 Series lightweight access point.
Note that the Cisco 1030 remote edge lightweight access point can support multiple WLANs while it is
connected to its Cisco Wireless LAN Controller. However, when it loses connection to its Cisco Wireless
LAN Controller, it supports only one WLAN on its local subnet.
The following figure shows a typical Cisco 1030 remote edge lightweight access point configuration:
Note that the Cisco 1030 remote edge lightweight access point must have a DHCP server available on
its local subnet, so it can obtain an IP address upon reboot. Also note that the Cisco 1030 remote edge
lightweight access points at each remote location must be on the same subnet to allow client roaming.
Refer to the following for more information on Cisco 1000 Series lightweight access points:
•Cisco 1000 Series Lightweight Access Points
•Cisco 1000 Series Lightweight Access Point Part Numbers
•Cisco 1000 Series Lightweight Access Point External and Internal Antennas
•Cisco 1000 Series Lightweight Access Point LEDs
•Cisco 1000 Series Lightweight Access Point Connectors
•Cisco 1000 Series Lightweight Access Point Power Requirements
•Cisco 1000 Series Lightweight Access Point External Power Supply
•Cisco 1000 Series Lightweight Access Point Mounting Options
•Cisco 1000 Series Lightweight Access Point Physical Security
•Cisco 1000 Series Lightweight Access Point Monitor Mode
•Cisco 1000 Series IEEE 802.11a/b/g Lightweight Access Point Deployment Guide
•Internal-Antenna AP1010 Cisco 1000 Series IEEE 802.11a/b/g Lightweight Access Point
Quick Start Guide
•External-Antenna AP1020 and AP1030 Cisco 1000 Series IEEE 802.11a/b/g Lightweight Access
About Cisco 1000 Series Lightweight Access Point Part Numbers
The Cisco 1000 Series lightweight access point includes one 802.11a and one 802.11b/g radio. The
Cisco 1000 Series lightweight access point is available in the following configurations:
and AIR-AP1010-S-K9 - AP1010 Cisco 1000 Series lightweight access point four high-gain
internal antennas, one 5 GHz external antenna adapter and two 2.4 GHz external antenna
adapters.
and AIR-AP1030-S-K9 - AP1030 Cisco 1000 Series lightweight access point (Cisco 1030 remote
edge lightweight access point) with one 5 GHz external antenna adapter and two 2.4 GHz
external antenna adapters.
Note: Refer to Cisco WLAN Solution Supported Country Codes for the most recent
information on supported Regulatory Domains.
The Cisco 1000 Series lightweight access point is shipped with a color-coordinated ceiling mount base
and hanging-ceiling rail clips. You can also order projection- and flush-mount sheet metal wall
mounting bracket kits. The base, clips, and optional brackets allow quick mounting to ceiling or wall.
The Cisco 1000 Series lightweight access point can be powered by Power Over Ethernet or by a Cisco
1000 Series Lightweight Access Point External Power Supply. The external power supply model is:
•AIR-PWR-1000 - Optional External 110-220 VAC-to-48 VDC Power Supply for any Cisco 1000
Series lightweight access point.
The Single Inline PoE injector model is:
•AIR-PWRINJ-1000AF - Optional Single 802.3af Inline Power over Ethernet Injector for any Cisco
1000 Series lightweight access point, powered by 90-250 VAC.
The projection and flush sheet metal wall mount bracket model is:
•AIR-ACC-WBRKT1000 - Optional sheet metal wall-mount bracket kit for any Cisco 1000 Series
lightweight access point. Includes one projection-mount and one flush-mount bracket per kit.
About Cisco 1000 Series Lightweight Access Point External and Internal Antennas
Note: Cisco 1000 Series lightweight access points must use the factory-supplied
internal or external antennas to avoid violating FCC requirements and voiding the
user’s authority to operate the equipment. Refer to FCC Statements for Cisco 1000
Series Lightweight Access Points for detailed information.
The Cisco 1000 Series lightweight access point enclosure contains one 802.11a or one 802.11b/g radio
and four (two 802.11a and two 802.11b/g) high-gain antennas, which can be independently enabled or
disabled to produce a 180-degree sectorized or 360-degree omnidirectional coverage area.
Note that the wireless LAN operator can disable either one of each pair of the Cisco 1000 Series lightweight access point internal antennas to produce a 180-degree sectorized coverage area. This feature
can be useful, for instance, for outside-wall mounting locations where coverage is only desired inside
the building, and in a back-to-back arrangement that can allow twice as many clients in a given area.
The following sections contain more information about Cisco 1000 Series lightweight access point
internal and external antennas:
The AP1020 and AP1030 Cisco 1000 Series lightweight access points have male reverse-polarity TNC
jacks for installations requiring factory-supplied external directional or high-gain antennas. The
external antenna option can create more flexibility in Cisco 1000 Series lightweight access point
antenna placement.
Note: The AP1010 Cisco 1000 Series lightweight access points are designed to be
used exclusively with the internal high-gain antennas, and have no jacks for external
antennas.
Note that the 802.11b/g 2.4 GHz Left external antenna connector is associated with the internal Side A
antenna, and that the 2.4 GHz Right external antenna connector is associated with the internal Side B
antenna. When you have 802.11b/g diversity enabled, the Left external or Side A internal antennas are
diverse from the Right external or Side B internal antennas.
Also note that the 802.11a 5 GHz Left external antenna connector is separate from the internal
antennas, and adds diversity to the 802.11a transmit and receive path. Note that no external 802.11a
antennas are certified in FCC-regulated areas, but external 802.11a antennas may be certified for use
in other countries.
Antenna Sectorization
Note that the Cisco WLAN Solution supports Antenna Sectorization, which can be used to increase the
number of clients and/or client throughput in a given air space. Installers can mount two Cisco 1000
Series lightweight access points back-to-back, and the Network operator can disable the second
antenna in both Cisco 1000 Series lightweight access points to create a 360-degree coverage area with
two sectors.
Installers can also mount Cisco 1000 Series lightweight access points on the periphery of a building and
disable the Side B internal antennas. This configuration can be used to supply service to the building
interior without extending coverage to the parking lot, at the cost of eliminating the internal antenna
diversity function.
The Cisco 1000 Series lightweight access points contain one 802.11a radio, which drives two fully
enclosed high-gain antennas that provide a large 360-degree coverage area. The two internal antennas
are used at the same time to provide a 360-degree omnidirectional coverage area, or either antenna
can be disabled to provide a 180-degree sectorized coverage area.
When equipped with an optional factory-supplied external antenna, the 802.11a Cisco Radio supports
receive and transmit diversity between the internal antennas and the external antenna. The diversity
function provided by Cisco Radios can result in lower multipath fading, fewer packet retransmissions,
and higher client throughput.
Figure - Cisco 1000 Series Lightweight Access Point 802.11a OMNI (Dual Internal) Azimuth Antenna Gain Pattern
Figure - Cisco 1000 Series Lightweight Access Point 802.11a OMNI (Dual Internal) Elevation Antenna Gain Pattern
Figure - Cisco 1000 Series Lightweight Access Point 802.11a Sectorized (Single Internal) Azimuth Antenna Gain
Pattern
Figure - Cisco 1000 Series Lightweight Access Point 802.11a Sectorized (Single Internal) Elevation Antenna Gain
Pattern
The Cisco 1000 Series lightweight access points contain one 802.11b/g radio which drives two fully
enclosed high-gain antennas which can provide a large 360-degree coverage area. The two internal
antennas can be used at the same time to provide a 360-degree omnidirectional coverage area, or
either antenna can be disabled to provide a 180-degree sectorized coverage area.
The 802.11b/g Cisco Radios support receive and transmit diversity between the internal antennas and/or
optional factory-supplied external antennas.
Figure - Cisco 1000 Series Lightweight Access Point 802.11b/g OMNI (Dual Internal) Azimuth Antenna Gain Pattern
Figure - Cisco 1000 Series Lightweight Access Point 802.11b/g OMNI (Dual Internal) Elevation Antenna Gain Pattern
Figure - Cisco 1000 Series Lightweight Access Point 802.11b/g Sectorized (Single Internal) Azimuth Antenna Gain
Pattern
Figure - Cisco 1000 Series Lightweight Access Point 802.11b/g Sectorized (Single Internal) Elevation Antenna Gain
Pattern
About Cisco 1000 Series Lightweight Access Point LEDs
Each Cisco 1000 Series lightweight access point is equipped with four LEDs across the top of the case.
They can be viewed from nearly any angle. The LEDs indicate power and fault status, 2.4 GHz
(802.11b/g) Cisco Radio activity, and 5 GHz (802.11a) Cisco Radio activity.
This LED display allows the wireless LAN manager to quickly monitor the Cisco 1000 Series lightweight
access point status. For more detailed troubleshooting instructions, refer to the Troubleshooting Tips
section.
About Cisco 1000 Series Lightweight Access Point Connectors
The AP1020 and AP1030 Cisco 1000 Series lightweight access points have the following external
connectors:
•One RJ-45 Ethernet jack, used for connecting the Cisco 1000 Series lightweight access point to
the network.
•One 48 VDC power input jack, used to plug in an optional factory-supplied external power
adapter.
•Three male reverse-polarity TNC antenna jacks, used to plug optional external antennas into
the Cisco 1000 Series lightweight access point: two for an 802.11b/g radio, and one for an
802.11a radio.
Note: The AP1010 Cisco 1000 Series lightweight access points are designed to be
used exclusively with the internal high-gain antennas, and have no jacks for external
antennas.
Figure - Cisco 1000 Series Lightweight Access Point External Antenna Connectors
The Cisco 1000 Series lightweight access point communicates with a Cisco Wireless LAN Controller
using standard CAT-5 (Category 5) or higher 10/100 Mbps twisted pair cable with RJ-45 connectors.
Plug the CAT-5 cable into the RJ-45 jack on the side of the Cisco 1000 Series lightweight access point.
Note that the Cisco 1000 Series lightweight access point can receive power over the CAT-5 cable from
network equipment. Refer to Power Over Ethernet for more information about this option.
The Cisco 1000 Series lightweight access point can be powered from an optional factory-supplied
external AC-to-48 VDC power adapter. If you are powering the Cisco 1000 Series lightweight access
point using an external adapter, plug the adapter into the 48 VDC power jack on the side of the Cisco
1000 Series lightweight access point.
The Cisco 1000 Series lightweight access point includes two 802.11a and two 802.11b/g high-gain
internal antennas, which provide omnidirectional coverage. However, some Cisco 1000 Series lightweight access points can also use optional factory-supplied external high-gain and/or directional
antennas, as described in Cisco 1000 Series Lightweight Access Point External and Internal Antennas.
When you are using external antennas, plug them into the male reverse-polarity TNC jacks on the side
of the AP1020 and AP1030 Cisco 1000 Series lightweight access points as described in the
External-Antenna AP1020 and AP1030 Cisco 1000 Series IEEE 802.11a/b/g Lightweight Access Point
Quick Start Guide.
Note: The Cisco 1000 Series lightweight access points must use the factory-supplied
internal or external antennas to avoid violating FCC regulations and voiding the
user’s authority to operate the equipment, as described in FCC Statements for Cisco
1000 Series Lightweight Access Points.
About Cisco 1000 Series Lightweight Access Point Power Requirements
Each Cisco 1000 Series lightweight access point requires a 48 VDC nominal (between 38 and 57 VDC)
power source capable of providing 7 Watts. The polarity of the DC source does not matter because the
Cisco 1000 Series lightweight access point can use either a +48 VDC or a -48 VDC nominal source.
Cisco 1000 Series lightweight access points can receive power from the Cisco 1000 Series Lightweight
Access Point External Power Supply (which draws power from a 110-220 VAC electrical outlet) plugged
into the side of the Cisco 1000 Series lightweight access point case, or from Power Over Ethernet.
Figure - Typical Cisco 1000 Series Lightweight Access Point External Power Supply
About Cisco 1000 Series Lightweight Access Point External Power Supply
The Cisco 1000 Series lightweight access point can receive power from an external
110-220 VAC-to-48 VDC power supply or from Power Over Ethernet equipment.
The external power supply (AIR-PWR-1000) plugs into a secure 110 through 220 VAC electrical outlet.
The converter produces the required 48 VDC output (Cisco 1000 Series Lightweight Access Point Power
Requirements) for the Cisco 1000 Series lightweight access point. The converter output feeds into the
side of the Cisco 1000 Series lightweight access point through a 48 VDC jack (Cisco 1000 Series
Lightweight Access Point Connectors).
Note that the AIR-PWR-1000 external power supply can be ordered with country-specific electrical
outlet power cords. Contact Cisco when ordering to receive the correct power cord.
About Cisco 1000 Series Lightweight Access Point Mounting Options
Refer to the Internal-Antenna AP1010 Cisco 1000 Series IEEE 802.11a/b/g Lightweight Access Point
Quick Start Guide or the External-Antenna AP1020 and AP1030 Cisco 1000 Series IEEE 802.11a/b/g
Lightweight Access Point Quick Start Guide for the Cisco 1000 Series lightweight access point mounting
options.
About Cisco 1000 Series Lightweight Access Point Physical Security
The side of the Cisco 1000 Series lightweight access point housing includes a slot for a Kensington
MicroSaver Security Cable. You can use any MicroSaver Security Cable to ensure that your Cisco 1000
Series lightweight access point stays where you mounted it!
Refer to the Kensington website for more information about their security products, or to the
Internal-Antenna AP1010 Cisco 1000 Series IEEE 802.11a/b/g Lightweight Access Point
Quick Start Guide or External-Antenna AP1020 and AP1030 Cisco 1000 Series IEEE 802.11a/b/g Lightweight Access Point Quick Start Guide for installation instructions.
About Cisco 1000 Series Lightweight Access Point Monitor Mode
The Cisco 1000 Series lightweight access points and Cisco Wireless LAN Controllers can perform rogue
access point detection and containment while providing regular service. The rogue access point
detection is performed across all 802.11 channels, regardless of the Country Code selected. (Refer to
Cisco WLAN Solution Supported Country Codes for more details).
However, if the administrator would prefer to dedicate specific Cisco 1000 Series lightweight access
points to rogue access point detection and containment, the Monitor mode should be enabled for individual Cisco 1000 Series lightweight access points.
The Monitor function is set for all 802.11 Cisco Radios on a per-Cisco 1000 Series lightweight access
point basis using any of the Cisco Wireless LAN Controller user interfaces described in About the Cisco
Wireless LAN Solution.
About Rogue Access Points
Because they are inexpensive and readily available, employees are plugging unauthorized rogue access
points into existing LANs and building ad hoc wireless networks without IT department knowledge or
consent.
These rogue access points can be a serious breach of network security, because they can be plugged
into a network port behind the corporate firewall. Because employees generally do not enable any
security settings on the rogue access point, it is easy for unauthorized users to use the access point to
intercept network traffic and hijack client sessions. Even more alarming, wireless users and war
chalkers frequently publish unsecure access point locations, increasing the odds of having the enterprise security breached.
Rather than using a person with a scanner to manually detect rogue access points, the Cisco WLAN
Solution automatically collects information on rogue access points detected by its managed Cisco 1000
Series Lightweight Access Points, by MAC and IP Address, and allows the system operator to locate, tag
and monitor them as described in the Detecting and Locating Rogue Access Points section. The
Operating System can also be used to discourage rogue access point clients by sending them deauthenticate and disassociate messages from one to four Cisco 1000 Series lightweight access points. Finally,
the Operating System can be used to automatically discourage all clients attempting to authenticate
with all rogue access points on the enterprise subnet. Because this real-time detection is automated, it
saves labor costs used for detecting and monitoring rogue access points while vastly improving LAN
security.
Note that the peer-to-peer, or ad-hoc, clients can also be considered rogue access points.
See also Rogue Access Point Location, Tagging and Containment
Rogue Access Point Location, Tagging and Containment
This built-in detection, tagging, monitoring and containment capability allows system administrators to
take required actions:
•Locate rogue access points as described in Detecting and Locating Rogue Access Points.
•Receive new rogue access point notifications, eliminating hallway scans.
•Monitor unknown rogue access points until they are eliminated or acknowledged.
•Determine the closest authorized Cisco 1000 Series Lightweight Access Points, making directed
scans faster and more effective.
•Contain rogue access points by sending their clients deauthenticate and disassociate messages
from one to four Cisco 1000 Series lightweight access points. This containment can be done for
individual rogue access points by MAC address, or can be mandated for all rogue access points
connected to the enterprise subnet.
•Tag rogue access points:
-Acknowledge rogue access points when they are outside of the LAN and do not
compromise the LAN or WLAN security.
-Accept rogue access points when they do not compromise the LAN or WLAN security.
-Tag rogue access points as unknown until they are eliminated or acknowledged.
-Tag rogue access points as contained and discourage clients from associating with the
rogue access point by having between one and four Cisco 1000 Series lightweight
access points transmit deauthenticate and disassociate messages to all rogue access
point clients. This function contains all active channels on the same rogue access point.
Rogue Detector mode detects whether or not a rogue access point is on a trusted network. It does not
provide RF service of any kind, but rather receives periodic rogue access point reports from the Cisco
Wireless LAN Controller, and sniffs all ARP packets. If it finds a match between an ARP request and a
MAC address it receives from the Cisco Wireless LAN Controller, it generates a rogue access point alert
to the Cisco Wireless LAN Controller.
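The matching step that Rogue Detector mode performs can be sketched as follows. This is an added example, not Cisco code and not part of the original guide. The report format, the class and function names, the choice to match on the ARP sender hardware address, and the one-alert-per-rogue suppression are all assumptions, and the frames are constructed samples.

```python
import struct
from dataclasses import dataclass

ETHERTYPE_ARP = 0x0806
ETHERTYPE_VLAN = 0x8100
ARP_REQUEST = 1


@dataclass(frozen=True)
class RogueAlert:
    rogue_mac: str   # MAC from the controller report seen on the wired side
    sender_ip: str   # IP address the rogue claims in the ARP request
    target_ip: str   # IP address it was trying to resolve


def norm_mac(mac: str) -> str:
    """Normalise 'AA-BB-..' or 'aa:bb:..' to lower-case colon form."""
    return mac.strip().lower().replace("-", ":")


def parse_arp_request(frame: bytes):
    """Return (sender_mac, sender_ip, target_ip) for an IPv4-over-Ethernet
    ARP request, or None for replies, other protocols and truncated frames."""
    offset = 12
    if len(frame) < offset + 2:
        return None
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    offset += 2
    if ethertype == ETHERTYPE_VLAN:              # skip one 802.1Q tag
        if len(frame) < offset + 4:
            return None
        (ethertype,) = struct.unpack_from("!H", frame, offset + 2)
        offset += 4
    if ethertype != ETHERTYPE_ARP or len(frame) < offset + 28:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack_from("!HHBBH", frame, offset)
    if (htype, ptype, hlen, plen, oper) != (1, 0x0800, 6, 4, ARP_REQUEST):
        return None
    sha, spa, _tha, tpa = struct.unpack_from("!6s4s6s4s", frame, offset + 8)
    fmt_ip = lambda raw: ".".join(str(b) for b in raw)
    return sha.hex(":"), fmt_ip(spa), fmt_ip(tpa)


class RogueDetector:
    """Hypothetical detector: holds the latest rogue MAC report and checks
    every sniffed ARP request against it."""

    def __init__(self):
        self._rogues = set()
        self._alerted = set()

    def update_report(self, macs):
        """Replace the watch list with the controller's latest periodic report."""
        self._rogues = {norm_mac(m) for m in macs}
        self._alerted &= self._rogues    # forget rogues no longer reported

    def inspect(self, frame: bytes):
        """Return a RogueAlert the first time a reported MAC sends an ARP request."""
        parsed = parse_arp_request(frame)
        if parsed is None:
            return None
        mac, sender_ip, target_ip = parsed
        if mac not in self._rogues or mac in self._alerted:
            return None
        self._alerted.add(mac)
        return RogueAlert(mac, sender_ip, target_ip)


def build_arp(oper, sender_mac, sender_ip, target_ip):
    """Build a constructed sample Ethernet + ARP frame (test input only)."""
    sha = bytes.fromhex(norm_mac(sender_mac).replace(":", ""))
    ip = lambda s: bytes(int(p) for p in s.split("."))
    eth = b"\xff" * 6 + sha + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
    return eth + arp + sha + ip(sender_ip) + b"\x00" * 6 + ip(target_ip)


def demo():
    detector = RogueDetector()
    detector.update_report(["02-00-00-AA-BB-01", "02:00:00:aa:bb:02"])
    frames = [
        build_arp(1, "02:00:00:aa:bb:01", "192.0.2.50", "192.0.2.1"),       # reported MAC
        build_arp(1, "02:00:00:11:22:33", "192.0.2.20", "192.0.2.1"),       # unlisted host
        build_arp(2, "02:00:00:aa:bb:02", "192.0.2.51", "192.0.2.1"),       # ARP reply
        build_arp(1, "02:00:00:aa:bb:01", "192.0.2.50", "192.0.2.9"),       # repeat
        build_arp(1, "02:00:00:aa:bb:02", "192.0.2.51", "192.0.2.1")[:30],  # truncated
    ]
    return [alert for alert in map(detector.inspect, frames) if alert]


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Only the first frame raises an alert: the reply, the unlisted host, the repeat and the truncated frame are all dropped, which is the behaviour to check when validating a wired-side rogue match.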
To facilitate automated rogue access point detection in a crowded RF space, Cisco 1000 Series lightweight access points can be configured to operate in Cisco 1000 Series Lightweight Access Point
Monitor Mode, allowing monitoring without creating unnecessary interference.
About the Web User Interface
The Web User Interface is built into each Cisco Wireless LAN Controller. The Web User Interface allows
up to five users to simultaneously browse into the built-in Cisco Wireless LAN Controller http or https
(http + SSL) Web server, configure parameters, and monitor operational status for the Cisco Wireless
LAN Controller and its associated Access Points.
Note: Cisco strongly recommends that you enable the https: and disable the http:
interfaces to ensure more robust security for your Cisco WLAN Solution.
Because the Web User Interface works with one Cisco Wireless LAN Controller at a time, the Web User
Interface is especially useful when you wish to configure or monitor a single Cisco Wireless LAN
Controller and its associated Cisco 1000 Series lightweight access points.
Note: Some popup window filters can be configured to block the Web User Online
Help windows. If your system cannot display the Online Help windows, disable or
reconfigure your browser popup filter software.
Refer to Using the Web User Interface
for more information on the Web User Interface.
About the Command Line Interface
The Cisco WLAN Solution command line interface (CLI) is built into each Cisco Wireless LAN Controller,
and is one of the Operating System user interfaces described in About the Cisco Wireless LAN Solution.
The CLI allows operators to use a VT-100 emulator to locally or remotely configure, monitor and control
individual Cisco Wireless LAN Controllers, and to access extensive debugging capabilities.
Because the CLI works with one Cisco Wireless LAN Controller at a time, the command line interface is
especially useful when you wish to configure or monitor a single Cisco Wireless LAN Controller.
The Cisco Wireless LAN Controller and its associated Cisco 1000 Series lightweight access points can be
configured and monitored using the command line interface (CLI), which consists of a simple
text-based, tree-structured interface that allows up to five users with Telnet-capable terminal
emulators to simultaneously configure and monitor all aspects of the Cisco Wireless LAN Controller and
associated Cisco 1000 Series lightweight access points.
Refer to Using the Cisco WLAN Solution CLI and the Cisco WLAN Solution CLI Reference for more
information.
About the Cisco Wireless Control System
The Cisco Wireless Control System (Cisco WCS) is the Cisco Wireless LAN Solution network management tool that adds to the capabilities of the Web User Interface and the Command Line Interface,
moving from individual Cisco Wireless LAN Controllers to a network of Cisco Wireless LAN Controllers.
The Cisco Wireless Control System runs on Windows 2000, Windows 2003, and Red Hat Enterprise
Linux ES servers.
The Cisco WCS includes the same configuration, performance monitoring, security, fault management,
and accounting options used at the Cisco Wireless LAN Controller level, but adds a graphical view of
multiple Cisco Wireless LAN Controllers and managed Cisco 1000 Series lightweight access points.
The Cisco WCS is offered in two versions which support different feature levels:
•Cisco WCS Base, which includes wireless client data access, rogue access point containment
functions, Cisco WLAN Solution monitoring and control, and which allows client and rogue
access point location to the nearest Cisco 1000 Series lightweight access point.
•Cisco WCS Location, which includes all the features in the Cisco WCS Base, but which allows
high-accuracy rogue access point and client location to within 10 meters.
These features are listed in the following table:
Features | Cisco WCS Base | Cisco WCS Location
Location and Tracking:
• Low-Resolution Client Location | Yes | -
• High-Resolution Client Location | - | Yes
• Low-Resolution Rogue Access Point Location | Yes | -
• High-Resolution Rogue Access Point Location | - | Yes
Client Data Services, Security and Monitoring:
• Client Access via Cisco 1000 Series lightweight access points | Yes | Yes
• Multiple WLANs (Individual SSIDs and Policies) | Yes | Yes
Rogue Access Point Detecting and Containing using Cisco 1000 Series lightweight access points | |
802.11a/b/g Bands | Yes | Yes
Radio Resource Management (real-time assigning channels, and detecting and containing rogue access points) | |
Radio Resource Management (real-time detecting and avoiding inter-
Automated Software and Configuration Updates | Yes | Yes
Wireless Intrusion Protection | Yes | Yes
Global and Individual AP Security Policies | Yes | Yes
Controls Cisco Wireless LAN Controllers | Yes | Yes
Supported Workstations:
• Windows 2000 or Windows 2003 | Yes | Yes
• Red Hat Enterprise Linux ES Server | Yes | Yes
The Cisco Wireless Control System runs on Windows 2000 or 2003 and Red Hat Enterprise Linux ES
servers. The Windows Cisco WCS can run as a normal Windows application, or can be installed as a
service, which runs continuously and resumes running after a reboot. The Linux Cisco WCS always runs
as a normal Linux application.
The Cisco WCS User Interface allows Cisco WCS operators to control all permitted Cisco WLAN Solution
configuration, monitoring, and control functions through Internet Explorer 6.0 on a Windows workstation (or other) web browser window. The Cisco WCS operator permissions are defined by the Cisco WCS
administrator in the Cisco WCS User Interface using the Cisco WCS User Interface Admin tab, which
allows the Cisco WCS administrator to administer user accounts and schedule periodic maintenance
tasks.
Cisco WCS simplifies Cisco Wireless LAN Controller configuring and monitoring while decreasing data
entry errors with the Cisco WCS Cisco Wireless LAN Controller Autodiscovery algorithm. The Cisco WCS
uses industry-standard SNMP protocol to communicate with Cisco Wireless LAN Controllers.
The Cisco WCS also includes the Floor Plan Editor, which allows you to vectorize bitmapped campus,
floor plan, and outdoor area maps, add and change wall types, and import the resulting vector wall
format maps into the Cisco WCS database. The vector files allow the Cisco WCS RF Prediction Tool to
make much better RF predictions based on more accurate wall and window RF attenuation values.
About Cisco WCS Base
The Cisco WCS Base version supports wireless client data access, rogue access point detection and
containment functions, Cisco WLAN Solution monitoring and control, and includes graphical views of the
following:
•Auto-discovery of Cisco 1000 Series Lightweight Access Points as they associate with Cisco
Wireless LAN Controllers.
•Auto-discovery, and containment or notification of Rogue Access Points.
•Map-based organization of Access Point coverage areas, helpful when the enterprise spans
more than one geographical area. (Refer to Using Cisco WCS and Checking the Cisco WLAN
Solution Network Summary.)
•User-supplied Campus, Building and Floor graphics, which show the following:
-Locations and status of managed access points. (Refer to Adding a Cisco Wireless LAN
Controller to Cisco WCS.)
-Locations of rogue access points, based on signal strength received by the nearest
managed Cisco 1000 Series lightweight access points. (Refer to Detecting and Locating
Rogue Access Points.)
-Coverage hole alarm information for Cisco 1000 Series lightweight access points is
based on received signal strength from clients. This information appears in a tabular
rather than map format. (Refer to Finding Coverage Holes.)
-RF coverage maps.
•System-wide control:
-Network, Cisco Wireless LAN Controller, and managed Cisco 1000 Series lightweight
access point configuration is streamlined using customer-defined templates.
-Network, Cisco Wireless LAN Controller, and managed Cisco 1000 Series lightweight
access point status and alarm monitoring.
-Automated and manual data client monitoring and control functions.
LAN Controllers, and Cisco 1000 Series lightweight access points.
-Full event logs available for data clients, rogue access points, coverage holes, security
violations, Cisco Wireless LAN Controllers, and Cisco 1000 Series lightweight access
points.
-Automatic channel and power level assignment by Radio Resource Management (RRM).
-User-defined automatic Cisco Wireless LAN Controller status audits, missed trap polling,
configuration backups, and policy cleanups.
•Real-time location of rogue access points to the nearest Cisco 1000 Series lightweight access
point.
•Real-time and historical location of clients to the nearest Cisco 1000 Series lightweight access
point.
•Runs on Windows 2000 or 2003 and Red Hat Enterprise Linux ES Server workstations.
About Cisco WCS Location
In addition to the graphical representations listed in Cisco WCS Base, Cisco WCS Location adds the
following enhancements:
•On-demand location of rogue access points to within 10 meters.
•On-demand location of clients to within 10 meters.
•Runs on Windows 2000 or 2003 and Red Hat Enterprise Linux ES servers.
•Ability to use Cisco 2700 Series Location Appliances to collect and return historical location data
viewable in the Cisco WCS Location user interface.
About the Cisco WCS User Interface
The Cisco WCS User Interface allows the network operator to create and configure Cisco
WLAN Solution coverage area layouts, configure system operating parameters, monitor real-time Cisco
WLAN Solution operation, and perform troubleshooting tasks using a standard HTTP or HTTPS web
browser window. The Cisco WCS User Interface also allows a Cisco WCS administrator to
create, modify and delete user accounts, change passwords, assign permissions, and schedule periodic
maintenance tasks.
Cisco recommends Internet Explorer 6.0 or later on a Windows workstation web browser for full access
to the Cisco WCS functionality.
Note: The HTTPS (SSL over HTTP) interface is enabled by default, and the HTTP
interface can be manually activated in the Command Line Interface, Web User
Interface and Cisco WCS User Interface.
The Cisco WCS administrator creates new usernames and passwords and assigns them to predefined
permissions groups. This task is described in Managing Cisco WCS and Database.
Cisco WCS User Interface operators perform their tasks as described in Using the Cisco Wireless Control
System.
About the Floor Plan Editor
Cisco WCS includes the Floor Plan Editor, which converts architectural, mechanical and technical
drawings, graphics, maps and other types of line artwork from raster bitmaps to wall (vector) formats.
Operators can use scanners to digitize paper drawings into supported file formats for import into Cisco
WCS. The Floor Plan Editor automatically recognizes and represents the data in a wall format which can
then be imported into your Cisco WCS (Cisco Wireless Control System) program.
Because of its ability to create smooth straight, angled, and semi-angled outlines, the Floor Plan Editor
is used to convert floor plan maps, define the wall characteristics, and import the resulting vector wall
format maps into the Cisco WCS database. The vector files allow the Cisco WCS RF Prediction Tool to
make much better RF predictions based on Cisco 1000 Series lightweight access point signal strength,
and accurate wall, window and cubicle RF attenuation.
Otherwise, you may want to save raster images in .BMP, .TIFF, .JPEG, or .PNG raster formats. Note
that you can also edit existing vector map files.
The output wall files can be saved in vector (Cisco WLAN Solution wall format) for importing directly
into the Cisco WCS database. The output wall files can also be saved in the following formats, but Cisco
WCS does not recognize these file types: .DXF (AutoCAD), .AI (Adobe Illustrator), .EMF (enhanced
metafile), .WMF (Windows metafile), and .TXT (ASCII XY).
Note that there are no restrictions on the input or output image size.
Note: The quality of Floor Plan Editor recognition is higher for higher resolution data.
Use 400 to 600 dots per inch (dpi) scans whenever possible.
Note: Cisco WLAN Solution strongly recommends that you create images with the
long axis horizontal (landscape format) to ensure the best viewing in Cisco WCS.
About Cisco WCS Cisco Wireless LAN Controller Autodiscovery
Manually adding Cisco Wireless LAN Controller data to a management database can be time consuming,
and is susceptible to data entry errors. The Cisco Wireless Control System (Cisco WCS) includes a
built-in Cisco Wireless LAN Controller configuration upload function that speeds up database creation
while eliminating errors.
Cisco Wireless LAN Controller Autodiscovery is limited to the Cisco WLAN Solution Mobility Group
subnets defined by the Cisco WLAN Solution operator.
Cisco Wireless LAN Controller Autodiscovery allows operators to search for a single Cisco Wireless LAN
Controller by IP Address. The Autodiscovery function finds the Cisco Wireless LAN Controller on the
network with the specified IP Address, and automatically enters the discovered Cisco Wireless LAN
Controller information into the Cisco WCS database.
As Cisco 1000 Series Lightweight Access Points associate with a Cisco Wireless LAN Controller, the
Cisco Wireless LAN Controller immediately transmits the Cisco 1000 Series lightweight access point
information to Cisco WCS, which automatically adds the Cisco 1000 Series lightweight access point to
the Cisco WCS database.
After the Cisco 1000 Series lightweight access point information is in the Cisco WCS database,
operators can add the Cisco 1000 Series lightweight access point to the appropriate spot on a Cisco
WCS User Interface map using Adding Cisco 1000 Series Lightweight Access Points to Floor Plan and
Open Area Maps, so the topological map of the air space remains current.
About Cisco WCS Alarm Email Notification
The Cisco Wireless Control System (Cisco WCS) includes a built-in email notification function, which can
notify network operators when Critical alarms occur.
Refer to the Cisco WCS Monitor All Alarms > Email Notification page to view the current alarm notification settings.
About Cisco WCS Location Calibration
The Cisco Wireless Control System (Cisco WCS) includes a calibration tool which allows Cisco WLAN
Solution operators to accurately measure actual signal strength and attenuation in RF coverage areas,
which creates an accurate calibration model in the Cisco WCS database. This calibration model allows
more precise client and rogue access point location after calibration is completed. To save effort, the
calibration model can also be reused for areas with an identical Cisco 1000 Series lightweight access
point layout and identical wall layout.
The calibration tool is used much like a site survey tool, and allows a technician to take a Cisco
WCS-equipped laptop to multiple locations on a floor or outdoor area and measure actual signal
strength at selected locations on the floor or outdoor area map. The technician then uses the calibration
tool in Cisco WCS to process the collected data points for the floor or outdoor area.
Refer to the Cisco WCS Monitor RF Calibration Models
About Cisco 2700 Series Location Appliances
The Cisco 2700 Series Location Appliance (location appliance) enhances the high-accuracy built-in Cisco
WCS Location abilities by computing, collecting and storing historical location data, which can be
displayed in Cisco WCS. In this role, the location appliance acts as a server to one or more Cisco WCS
Servers, collecting, storing, and passing on data from its associated Cisco Wireless LAN Controllers.
After a quick command-line interface (CLI) configuration, the remaining location appliance configuration can be completed using the Cisco WCS interface.
After it is configured, each location appliance communicates directly with its associated Cisco Wireless
LAN Controllers to collect operator-defined location data. The associated Cisco WCS Server operators
can then communicate with each location appliance to transfer and display selected data.
The location appliance can be backed up to any Cisco WCS Server into an operator-defined FTP folder,
and the location appliance can be restored from that Cisco WCS Server at any time and at defined
intervals. Also, the location appliance database can be synchronized with the Cisco WCS Server
database at any time.
Operators can use the location appliance features and download new application code to all associated
location appliances from any Cisco WCS Server.
When Cisco WCS is enhanced with a location appliance, Cisco WCS can display historical location data
for up to 1,500 Laptop Clients, Palmtop Clients, VoIP Telephone Clients, RFID (Radio Frequency IDentifier) Asset Tags, Rogue Access Points, and Rogue Access Point Clients for each location appliance in the
Cisco WLAN Solution.
Operators can configure location appliances to collect data for Cisco WLAN Solution clients, rogue
access points and clients, RFID Asset Tags, and statistics at separate operator-defined intervals.
The location appliance uses two redundant back-panel 10/100/1000BASE-T ports to connect to one or
two network segments. It also features a back-panel power cord and front-panel ON/OFF switch. The
location appliance includes a back-panel DB-9 console port for initial configuration using a CLI console.
Note that each location appliance can be installed in any NOC (Network Operations Center) or wiring
closet from which it can communicate with its associated Cisco WCS Server(s) and Cisco Wireless LAN
Controllers.
Refer to Configuring and Operating Cisco 2700 Series Location Appliances
for more information.
5/26/05 Cisco 2700 Series Location Appliances
OL-7426-03
SOLUTIONS
•Cisco WLAN Solution Security
•Converting a Cisco WLAN Solution from Layer 2 to Layer 3 Mode
•Converting a Cisco WLAN Solution from Layer 3 to Layer 2 Mode
•Configuring a Firewall for Cisco WCS
•Configuring the System for SpectraLink NetLink Telephones
•Management over Wireless
•Configuring a WLAN for a DHCP Server
•Customizing the Web Auth Login Screen
•Configuring Identity Networking for Operating System
Cisco WLAN Solution Security includes the following sections:
•Overview
•Layer 1 Solutions
•Layer 2 Solutions
•Layer 3 Solutions
•Single Point of Configuration Policy Manager Solutions
•Rogue Access Point Solutions
•Integrated Security Solutions
•Simple, Cost-Effective Solutions
Overview
The industry-leading Cisco WLAN Solution Security solution bundles potentially complicated Layer 1,
Layer 2 and Layer 3 802.11 Access Point security components into a simple policy manager that
customizes system-wide security policies on a per-WLAN basis (Operating System Security). Unlike
SOHO (small office, home office) 802.11 products, the Cisco WLAN Solution Security solution provides
simple, unified, and systematic security management tools.
One of the biggest hurdles to WLAN deployment in the enterprise is the WEP (Wired Equivalent Privacy)
encryption, which has proven to be a weak standalone encryption method. A newer problem is the
availability of low-cost access points, which can be connected to the enterprise network and used to
mount ‘man-in-the-middle’ and denial-of-service attacks. Also, the complexity of add-on security
solutions has prevented many IT managers from embracing the new 802.11 benefits. Finally, the
802.11 security configuration and management cost has been daunting for resource-bound IT
departments.
Layer 1 Solutions
The Cisco WLAN Solution Operating System Security solution ensures that all clients gain access within
an operator-set number of attempts. Should a client fail to gain access within that limit, it is
automatically excluded (blocked from access) until the operator-set timer expires. The Operating
System can also disable SSID broadcasts on a per-WLAN basis.
Layer 2 Solutions
If a higher level of security and encryption is required, the network administrator can also implement
industry-standard security solutions, such as: 802.1X dynamic keys with EAP (extensible authentication
protocol), or WPA (Wi-Fi protected access) dynamic keys. The Cisco WLAN Solution WPA
implementation includes AES (advanced encryption standard), TKIP + Michael (temporal key integrity
protocol + message integrity code checksum) dynamic keys, or WEP (Wired Equivalent Privacy) static
keys. Disabling is also used to automatically block Layer 2 access after an operator-set number of failed
authentication attempts.
Regardless of the wireless security solution selected, all Layer 2 wired communications between Cisco
Wireless LAN Controllers and Cisco 1000 Series lightweight access points are secured by passing data
through LWAPP tunnels.
Layer 3 Solutions
The WEP problem can be further solved using industry-standard Layer 3 security solutions, such as
VPNs (virtual private networks), L2TP (Layer Two Tunneling Protocol), and IPSec (IP security)
protocols. The Cisco WLAN Solution L2TP implementation includes IPsec, and the IPSec implementation
includes IKE (internet key exchange), DH (Diffie-Hellman) groups, and three optional levels of
encryption: DES (ANSI X.3.92 data encryption standard), 3DES (ANSI X9.52-1998 data encryption
standard), or AES/CBC (advanced encryption standard/cipher block chaining). Disabling is also used to
automatically block Layer 3 access after an operator-set number of failed authentication attempts.
The Cisco WLAN Solution IPSec implementation also includes industry-standard authentication using:
MD5 (message digest algorithm), or SHA-1 (secure hash algorithm-1).
The Cisco WLAN Solution supports local and RADIUS MAC (media access control) filtering. This filtering
is best suited to smaller client groups with a known list of 802.11 access card MAC addresses.
Finally, the Cisco WLAN Solution supports local and RADIUS user/password authentication. This
authentication is best suited to small to medium client groups.
Single Point of Configuration Policy Manager Solutions
When the Cisco WLAN Solution is equipped with Cisco WCS, you can configure system-wide security
policies on a per-WLAN basis. SOHO Access Points force you to individually configure security policies
on each access point, or use a third-party appliance to configure security policies across multiple access
points.
Because the Cisco WLAN Solution security policies can be applied across the whole system from the
Cisco Wireless Control System, errors can be eliminated and the overall effort is greatly reduced.
Rogue Access Point Solutions
Rogue Access Point Challenges
Rogue Access Points can disrupt WLAN operations by hijacking legitimate clients and using plaintext or
other denial-of-service or man-in-the-middle attacks. That is, a hacker can use a rogue access point to
capture sensitive information, such as passwords and usernames. The hacker can then transmit a series
of clear-to-send (CTS) frames, which mimic an access point informing a particular NIC to transmit and
instructing all others to wait. As a result, legitimate clients are unable to access the WLAN
resources. WLAN service providers thus have a strong interest in banning rogue access points from the
air space.
The Operating System Security solution uses the Radio Resource Management (RRM) function to
continuously monitor all nearby Cisco 1000 Series lightweight access points, automatically discover
rogue access points and locate them as described in Detecting and Locating Rogue Access Points.
Tagging and Containing Rogue Access Points
When the Cisco WLAN Solution is monitored using Cisco Wireless Control System, Cisco WCS generates
the flags as rogue access point traps, and displays the known rogue access points by MAC address. The
operator can then display a map showing the location of the Cisco 1000 Series lightweight access points
closest to each rogue access point, and either allow them as Known or Acknowledged rogue access points
(no further action), mark them as Alert rogue access points (watch for and notify when active), or mark
them as Contained rogue access points (have between one and four Cisco 1000 Series lightweight
access points discourage rogue access point clients by sending the clients deauthenticate and
disassociate messages whenever they associate with the rogue access point).
When the Cisco WLAN Solution is monitored using a Web User Interface or a Command Line
Interface, the interface displays the known rogue access points by MAC address. The operator then has
the option of marking them as Known or Acknowledged rogue access points (no further action),
marking them as Alert rogue access points (watch for and notify when active), or marking them as
Contained rogue access points (have between one and four Cisco 1000 Series lightweight access points
discourage rogue access point clients by sending the clients deauthenticate and disassociate messages
whenever they associate with the rogue access point).
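The tagging workflow described above can be sketched as follows. This is an added example, not Cisco code and not part of the original guide: it compares observed BSSIDs with the managed inventory, applies the operator tags named above, and ranks the detecting access points for each rogue. The observation tuples, the Untagged default, and the use of RSSI as a proxy for "closest" are assumptions.

```python
from dataclasses import dataclass, field

TAGS = ("Known", "Acknowledged", "Alert", "Contained")  # tags named on this page
UNTAGGED = "Untagged"      # hypothetical default before the operator decides
MAX_CLOSEST_APS = 4        # the page uses between one and four APs per rogue

@dataclass
class Rogue:
    bssid: str
    tag: str = UNTAGGED
    heard_by: dict = field(default_factory=dict)  # detecting AP -> best RSSI (dBm)

def norm(mac):
    """Normalize a MAC so 02-11-.. and 02:11:.. compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def triage(observations, managed_bssids, operator_tags):
    """Return {bssid: Rogue} for each observed BSSID that is not a managed AP."""
    managed = {norm(m) for m in managed_bssids}
    tags = {norm(m): t for m, t in operator_tags.items()}
    bad = sorted(t for t in tags.values() if t not in TAGS)
    if bad:
        raise ValueError(f"unknown tag(s): {bad}")
    rogues = {}
    for ap_name, bssid, rssi in observations:
        bssid = norm(bssid)
        if bssid in managed:
            continue  # one of our own lightweight access points
        rogue = rogues.setdefault(bssid, Rogue(bssid, tags.get(bssid, UNTAGGED)))
        rogue.heard_by[ap_name] = max(rssi, rogue.heard_by.get(ap_name, rssi))
    return rogues

def closest_aps(rogue, limit=MAX_CLOSEST_APS):
    """Detecting APs ranked by strongest RSSI, a rough proxy for 'closest'."""
    if not 1 <= limit <= MAX_CLOSEST_APS:
        raise ValueError("limit must be between 1 and 4")
    ranked = sorted(rogue.heard_by.items(), key=lambda kv: (-kv[1], kv[0]))
    return [name for name, _ in ranked[:limit]]

def needs_attention(rogues):
    """BSSIDs awaiting an operator decision, or tagged Alert and heard again."""
    return sorted(b for b, r in rogues.items() if r.tag in (UNTAGGED, "Alert"))

# Constructed sample data: (detecting AP, observed BSSID, RSSI in dBm).
MANAGED = ["02:00:00:00:00:10", "02:00:00:00:00:20"]
OPERATOR_TAGS = {"02:11:22:33:44:55": "Alert", "02:aa:bb:cc:dd:ee": "Known"}
OBSERVATIONS = [
    ("AP-Lobby", "02:00:00:00:00:20", -40),   # managed AP, ignored
    ("AP-Lobby", "02-11-22-33-44-55", -71),
    ("AP-Lab", "02:11:22:33:44:55", -55),
    ("AP-Lab", "02:11:22:33:44:55", -48),     # stronger repeat replaces -55
    ("AP-Dock", "02:AA:BB:CC:DD:EE", -60),
    ("AP-Dock", "02:de:ad:00:00:01", -80),    # never tagged by the operator
]
```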
Integrated Security Solutions
•Cisco WLAN Solution Operating System Security is built around a robust 802.1X AAA (authorization,
authentication and accounting) engine, which allows operators to rapidly configure and
enforce a variety of security policies across the Cisco WLAN Solution.
•The Cisco Wireless LAN Controllers and Cisco 1000 Series Lightweight Access Points are
equipped with system-wide authentication and authorization protocols across all ports and
interfaces, maximizing system security.
•Operating System Security policies are assigned to individual WLANs, and Cisco 1000 Series
Lightweight Access Points simultaneously broadcast all (up to 16) configured WLANs. This can
eliminate the need for additional access points, which can increase interference and degrade
system throughput.
•The Cisco Wireless LAN Controllers securely terminate IPSec VPN clients, which can reduce the
load on centralized VPN concentrators.
•Operating System Security uses the Radio Resource Management (RRM) function to continually
monitor the air space for interference and security breaches, and notify the operator when they
are detected.
•Operating System Security works with industry-standard AAA (authorization, authentication and
accounting) servers, making system integration simple and easy.
•The Operating System Security solution offers comprehensive Layer 2 and Layer 3 encryption
algorithms which typically require a large amount of processing power. Rather than assigning
the encryption tasks to yet another server, the Cisco Wireless LAN Controller can be equipped
with a VPN/Enhanced Security Module that provides extra hardware required for the most
demanding security configurations.
Simple, Cost-Effective Solutions
Because the Cisco WLAN Solution Radio Resource Management (RRM) function is enabled from the
factory, the IT department does not need to create a detailed rollout plan to continually monitor access
points, or to individually update access points, resulting in very low input required from the IT
department or Wireless LAN manager. This means less money spent deploying, configuring, updating,
and monitoring the Cisco WLAN Solution.
Converting a Cisco WLAN Solution from Layer 2 to Layer 3 Mode
When you wish to convert a Cisco WLAN Solution from Layer 2 to Layer 3 Mode, use one of the
following procedures:
•Using the Web User Interface
•Using the Cisco WCS User Interface
Using the Web User Interface
When you wish to convert a Cisco WLAN Solution from Layer 2 to Layer 3 LWAPP Transport Mode using
the Web User Interface, complete the following steps:
CAUTION: This procedure will cause your Cisco 1000 Series lightweight access
points to go offline until the Cisco Wireless LAN Controller reboots and the associated
Cisco 1000 Series lightweight access points reassociate with the Cisco Wireless LAN
Controller.
Note: Layer 3 Mode requires that all subnets that the Cisco Wireless LAN Controllers
are connected to include at least one DHCP server. When you have completed this
procedure, the Cisco Wireless LAN Controller stores its IP address in its associated
Cisco 1000 Series lightweight access points. When each Cisco 1000 Series lightweight access point is powered up, it obtains an IP address from the local DHCP
server, and connects to its Primary, Secondary, or Tertiary Cisco Wireless LAN
Controller.
Note: Layer 3 Mode requires that all subnets that contain Cisco Wireless LAN
Controllers and Cisco 1000 Series lightweight access points are routable to each
other.
1.To use the Cisco WLAN Solution in Layer 3 mode, you must create an AP Manager Interface,
which manages communications between each Cisco Wireless LAN Controller and its associated
Cisco 1000 Series lightweight access points. This AP Manager Interface will require a fixed IP
address, which must be different from the Management Interface IP address, but which can be
on the same subnet as the Management Interface.
2.MAKE SURE that all the Cisco Wireless LAN Controllers and Cisco 1000 Series lightweight access
points are on the same subnet: that they are only connected through Layer 2 devices.
CAUTION: This step is very important! You must configure the Cisco Wireless LAN
Controllers and associated Cisco 1000 Series lightweight access points to operate in
Layer 3 mode BEFORE completing the conversion.
3.Verify that the Cisco 1000 Series lightweight access points are assigned to the desired Cisco
Wireless LAN Controller. If you do not complete this step, the Cisco 1000 Series lightweight
access points will fail to associate with the Cisco Wireless LAN Controller after completing the
conversion.
A.In the Web User Interface, select WIRELESS/Cisco APs to navigate to the Cisco APs
page, and click Detail to have the Web User Interface display the Cisco APs > Details
page.
B.On the Cisco APs > Details page for each Cisco 1000 Series lightweight access point,
verify that the Primary, Secondary, and Tertiary Controller Names are correct. If
you change the Primary, Secondary, or Tertiary Controller Names, click Apply to save
the change to the Cisco 1000 Series lightweight access point.
4.Select WIRELESS/Cisco APs to navigate to the Cisco APs page, and MAKE SURE that all the
Cisco 1000 Series lightweight access points are listed before you continue with the next step.
If you do not complete this step, the Cisco 1000 Series lightweight access points may fail to
associate with the Cisco Wireless LAN Controller after completing the conversion.
5.Change the LWAPP Transport Mode from Layer 2 to Layer 3:
A.Select CONTROLLER/General to navigate to the General page, and change Layer 2
LWAPP Transport Mode to Layer 3.
B.Click Apply to send the changes to the Cisco Wireless LAN Controller and the associated
Cisco 1000 Series lightweight access points. Click OK to continue.
6.Select COMMANDS/Reboot to navigate to the System Reboot page, and click Reboot to
display the Reboot System > Save? page.
7.In the Reboot System > Save? page, click Save and Reboot to have the Operating System save
the new configuration to and reboot the Cisco Wireless LAN Controller.
The Cisco Wireless LAN Controller reboots.
8.Select CONTROLLER/Interfaces to navigate to the Interfaces page, and verify that the
Operating System has automatically added the ap-manager interface.
9.Configure the ap-manager interface. In the Interfaces page, click the ap-manager Interface
Edit button to have the Web User Interface display the Interfaces > Edit page. In the Interfaces > Edit
page:
-Optionally add a VLAN Identifier.
-Enter the ap-manager IP Address and Netmask obtained in Step 1.
-Add a Gateway IP address.
-Enter the physical port number for the Distribution System connection to the Cisco
Wireless LAN Controller.
-Enter a Primary DHCP Server IP address.
-Enter a Secondary DHCP Server IP address. (This can be the same as the Primary
DHCP Server IP address if you do not have a second DHCP server on this subnet.)
-Optionally select an ACL (Access Control List) from the drop-down menu.
-Click Apply to add the edited AP Manager Interface definition to the list of interfaces.
10. From the Interfaces page, verify that the management interface is properly configured with
a different IP Address than the ap-manager interface.
11. Save the new configuration and restart your Cisco Wireless LAN Controller:
A.Select COMMANDS/Reboot to navigate to the System Reboot page, and select
Reboot.
B.On the Reboot System > Save page, click Save and Reboot to save the changes to
and reboot the Cisco Wireless LAN Controller.
C.Click OK to confirm the save and reboot.
12. After the Cisco Wireless LAN Controller has rebooted, select CONTROLLER/General to
navigate to the General page, and verify that the LWAPP Transport Mode is set to Layer 3.
13. Power down each Cisco 1000 Series lightweight access point to save the Layer 3 configuration
to nonvolatile memory.
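The checks in Steps 1, 3, 4, 9 and 10 can be run against a planned configuration before the transport mode is changed. The following is an added example, not Cisco code and not part of the original guide; the plan and inventory dictionaries, their key names, and the rule that the gateway sits on the ap-manager subnet are assumptions.

```python
import ipaddress

def preflight(plan, listed_aps, controllers):
    """Return the problems found in a planned Layer 2 -> Layer 3 conversion."""
    problems = []
    mgmt = ipaddress.ip_interface(plan["management"])
    apm = ipaddress.ip_interface(plan["ap_manager"])

    # Steps 1 and 10: the ap-manager interface needs its own fixed address;
    # sharing the management subnet is allowed, sharing the address is not.
    if apm.ip == mgmt.ip:
        problems.append("ap-manager IP equals management IP")
    if apm.ip in (apm.network.network_address, apm.network.broadcast_address):
        problems.append("ap-manager IP is not a usable host address")

    # Step 9. Assumption (general IP practice, not stated on the page):
    # the gateway must sit on the ap-manager subnet.
    if ipaddress.ip_address(plan["gateway"]) not in apm.network:
        problems.append("gateway is outside the ap-manager subnet")

    # Step 9: a primary DHCP server is required; the secondary may repeat it.
    if not plan.get("dhcp_primary"):
        problems.append("no primary DHCP server")

    # Step 4: every expected access point must be listed before the change.
    listed = {ap["name"] for ap in listed_aps}
    for name in sorted(set(plan["expected_aps"]) - listed):
        problems.append(f"{name}: not listed on the Cisco APs page")

    # Step 3. Assumption: a controller name is "correct" when it matches a
    # known controller; Secondary and Tertiary may be left empty.
    for ap in listed_aps:
        if not ap.get("primary"):
            problems.append(f"{ap['name']}: Primary Controller Name is empty")
        for role in ("primary", "secondary", "tertiary"):
            if ap.get(role) and ap[role] not in controllers:
                problems.append(f"{ap['name']}: unknown {role} controller {ap[role]!r}")
    return problems

# Constructed sample plan and inventory (all names and addresses are illustrative).
CONTROLLERS = {"wlc-hq-1", "wlc-hq-2"}
GOOD_PLAN = {
    "management": "10.1.1.5/24", "ap_manager": "10.1.1.6/24",
    "gateway": "10.1.1.1", "dhcp_primary": "10.1.1.2",
    "dhcp_secondary": "10.1.1.2", "expected_aps": ["ap-01", "ap-02"],
}
BAD_PLAN = dict(GOOD_PLAN, ap_manager="10.1.1.5/24", gateway="10.1.2.1",
                dhcp_primary="")
GOOD_APS = [
    {"name": "ap-01", "primary": "wlc-hq-1", "secondary": "wlc-hq-2"},
    {"name": "ap-02", "primary": "wlc-hq-2"},
]
BAD_APS = [{"name": "ap-01", "primary": "wlc-hq-l"}]  # letter l typed for digit 1
```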